| Message ID | 20230824143903.3161185-1-dmalcolm@redhat.com |
|---|---|
| Headers | show
Return-Path: <gcc-patches-bounces+incoming=patchwork.ozlabs.org@gcc.gnu.org> X-Original-To: incoming@patchwork.ozlabs.org Delivered-To: patchwork-incoming@legolas.ozlabs.org Authentication-Results: legolas.ozlabs.org; dkim=pass (1024-bit key; unprotected) header.d=gcc.gnu.org header.i=@gcc.gnu.org header.a=rsa-sha256 header.s=default header.b=uCcdSfKP; dkim-atps=neutral Authentication-Results: legolas.ozlabs.org; spf=pass (sender SPF authorized) smtp.mailfrom=gcc.gnu.org (client-ip=2620:52:3:1:0:246e:9693:128c; helo=server2.sourceware.org; envelope-from=gcc-patches-bounces+incoming=patchwork.ozlabs.org@gcc.gnu.org; receiver=patchwork.ozlabs.org) Received: from server2.sourceware.org (server2.sourceware.org [IPv6:2620:52:3:1:0:246e:9693:128c]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature ECDSA (secp384r1) server-digest SHA384) (No client certificate requested) by legolas.ozlabs.org (Postfix) with ESMTPS id 4RWm3F6hR2z1yfF for <incoming@patchwork.ozlabs.org>; Fri, 25 Aug 2023 00:40:41 +1000 (AEST) Received: from server2.sourceware.org (localhost [IPv6:::1]) by sourceware.org (Postfix) with ESMTP id 8A3383853839 for <incoming@patchwork.ozlabs.org>; Thu, 24 Aug 2023 14:40:31 +0000 (GMT) DKIM-Filter: OpenDKIM Filter v2.11.0 sourceware.org 8A3383853839 DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gcc.gnu.org; s=default; t=1692888031; bh=iWAFq5o1fY1MBum7yPX7ZzoNnlkcwxHJcEN5eoQmLvU=; h=To:Cc:Subject:Date:List-Id:List-Unsubscribe:List-Archive: List-Post:List-Help:List-Subscribe:From:Reply-To:From; b=uCcdSfKPcBGPpx31G8++xV5YAeBz9cZn+IY9uwThgnjBsuEomMhqy7IVWA7yZ+YS3 w9et94zGkPQn53LSPw5GrwCUbWvzVLIIHg4vOxyC0IKh2ROudRhIOpL9zqIevjZVks +hfyIGovAJg9ORIFMwHDxAavbAeS/kfqTRpF64HQ= X-Original-To: gcc-patches@gcc.gnu.org Delivered-To: gcc-patches@gcc.gnu.org Received: from us-smtp-delivery-124.mimecast.com (us-smtp-delivery-124.mimecast.com [170.10.133.124]) by sourceware.org (Postfix) with ESMTPS id 2DAC23858C2C for <gcc-patches@gcc.gnu.org>; Thu, 24 Aug 2023 14:39:08 +0000 (GMT) DMARC-Filter: OpenDMARC Filter v1.4.2 sourceware.org 2DAC23858C2C Received: from mimecast-mx02.redhat.com (66.187.233.73 [66.187.233.73]) by relay.mimecast.com with ESMTP with STARTTLS (version=TLSv1.2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id us-mta-216-oTGxKLAAPWSgIGHE0x_mlA-1; Thu, 24 Aug 2023 10:39:06 -0400 X-MC-Unique: oTGxKLAAPWSgIGHE0x_mlA-1 Received: from smtp.corp.redhat.com (int-mx02.intmail.prod.int.rdu2.redhat.com [10.11.54.2]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by mimecast-mx02.redhat.com (Postfix) with ESMTPS id C6F083C14AA1 for <gcc-patches@gcc.gnu.org>; Thu, 24 Aug 2023 14:39:05 +0000 (UTC) Received: from t14s.localdomain.com (unknown [10.22.32.117]) by smtp.corp.redhat.com (Postfix) with ESMTP id 9F70B40D2839; Thu, 24 Aug 2023 14:39:05 +0000 (UTC) To: gcc-patches@gcc.gnu.org Cc: David Malcolm <dmalcolm@redhat.com> Subject: [pushed 0/9] analyzer: strlen, strcpy, and strcat [PR105899] Date: Thu, 24 Aug 2023 10:38:54 -0400 Message-Id: <20230824143903.3161185-1-dmalcolm@redhat.com> MIME-Version: 1.0 X-Scanned-By: MIMEDefang 3.1 on 10.11.54.2 X-Mimecast-Spam-Score: 0 X-Mimecast-Originator: redhat.com Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit X-Spam-Status: No, score=-4.2 required=5.0 tests=BAYES_00, BODY_8BITS, DKIMWL_WL_HIGH, DKIM_SIGNED, DKIM_VALID, DKIM_VALID_AU, DKIM_VALID_EF, RCVD_IN_DNSWL_NONE, RCVD_IN_MSPIKE_H4, RCVD_IN_MSPIKE_WL, SPF_HELO_NONE, SPF_NONE, TXREP autolearn=ham autolearn_force=no version=3.4.6 X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on server2.sourceware.org X-BeenThere: gcc-patches@gcc.gnu.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: Gcc-patches mailing list <gcc-patches.gcc.gnu.org> List-Unsubscribe: <https://gcc.gnu.org/mailman/options/gcc-patches>, <mailto:gcc-patches-request@gcc.gnu.org?subject=unsubscribe> List-Archive: <https://gcc.gnu.org/pipermail/gcc-patches/> List-Post: <mailto:gcc-patches@gcc.gnu.org> List-Help: <mailto:gcc-patches-request@gcc.gnu.org?subject=help> List-Subscribe: <https://gcc.gnu.org/mailman/listinfo/gcc-patches>, <mailto:gcc-patches-request@gcc.gnu.org?subject=subscribe> From: David Malcolm via Gcc-patches <gcc-patches@gcc.gnu.org> Reply-To: David Malcolm <dmalcolm@redhat.com> Errors-To: gcc-patches-bounces+incoming=patchwork.ozlabs.org@gcc.gnu.org Sender: "Gcc-patches" <gcc-patches-bounces+incoming=patchwork.ozlabs.org@gcc.gnu.org> |
| Series |
analyzer: strlen, strcpy, and strcat [PR105899]
|
expand
|
This patch kit makes improvements to the analyzer's new strlen implementation, and wires it up to strcpy and strcat. For example, given: #include <string.h> void test (void) { char buf[10]; strcpy (buf, "hello world!"); } we now emit: demo.c: In function ‘test’: demo.c:6:3: warning: stack-based buffer overflow [CWE-121] [-Wanalyzer-out-of-bounds] 6 | strcpy (buf, "hello world!"); | ^~~~~~~~~~~~~~~~~~~~~~~~~~~~ ‘test’: events 1-2 | | 5 | char buf[10]; | | ^~~ | | | | | (1) capacity: 10 bytes | 6 | strcpy (buf, "hello world!"); | | ~~~~~~~~~~~~~~~~~~~~~~~~~~~~ | | | | | (2) out-of-bounds write from byte 10 till byte 12 but ‘buf’ ends at byte 10 | demo.c:6:3: note: write of 3 bytes to beyond the end of ‘buf’ 6 | strcpy (buf, "hello world!"); | ^~~~~~~~~~~~~~~~~~~~~~~~~~~~ demo.c:6:3: note: valid subscripts for ‘buf’ are ‘[0]’ to ‘[9]’ ┌─────┬─────┬────┬────┬────┬────┬────┬────┬────┬────┐┌─────┬─────┬─────┐ │ [0] │ [1] │[2] │[3] │[4] │[5] │[6] │[7] │[8] │[9] ││[10] │[11] │[12] │ ├─────┼─────┼────┼────┼────┼────┼────┼────┼────┼────┤├─────┼─────┼─────┤ │ ‘h’ │ ‘e’ │‘l’ │‘l’ │‘o’ │‘ ’ │‘w’ │‘o’ │‘r’ │‘l’ ││ ‘d’ │ ‘!’ │ NUL │ ├─────┴─────┴────┴────┴────┴────┴────┴────┴────┴────┴┴─────┴─────┴─────┤ │ string literal (type: ‘char[13]’) │ └──────────────────────────────────────────────────────────────────────┘ │ │ │ │ │ │ │ │ │ │ │ │ │ │ │ │ │ │ │ │ │ │ │ │ │ │ v v v v v v v v v v v v v ┌─────┬────────────────────────────────────────┬────┐┌─────────────────┐ │ [0] │ ... │[9] ││ │ ├─────┴────────────────────────────────────────┴────┤│after valid range│ │ ‘buf’ (type: ‘char[10]’) ││ │ └───────────────────────────────────────────────────┘└─────────────────┘ ├─────────────────────────┬─────────────────────────┤├────────┬────────┤ │ │ ╭─────────┴────────╮ ╭───────────┴──────────╮ │capacity: 10 bytes│ │⚠️ overflow of 3 bytes│ ╰──────────────────╯ ╰──────────────────────╯ in addition to the pre-existing: demo.c:6:3: warning: ‘__builtin_memcpy’ writing 13 bytes into a region of size 10 overflows the destination [-Wstringop-overflow=] demo.c:5:8: note: destination object ‘buf’ of size 10 5 | char buf[10]; | ^~~ Successfully bootstrapped & regrtested on x86_64-pc-linux-gnu. Pushed to trunk as r14-3461-g9aaec66917c96a through to r14-3469-gbbdc0e0d0042ae. David Malcolm (9): analyzer: add logging to impl_path_context analyzer: handle symbolic bindings in scan_for_null_terminator [PR105899] analyzer: reimplement kf_strcpy [PR105899] analyzer: eliminate region_model::get_string_size [PR105899] analyzer: reimplement kf_memcpy_memmove analyzer: handle strlen(INIT_VAL(STRING_REG)) [PR105899] analyzer: handle INIT_VAL(ELEMENT_REG(STRING_REG), CONSTANT_SVAL) [PR105899] analyzer: handle strlen(BITS_WITHIN) [PR105899] analyzer: implement kf_strcat [PR105899] gcc/analyzer/call-details.cc | 12 +- gcc/analyzer/call-details.h | 5 +- gcc/analyzer/engine.cc | 13 +- gcc/analyzer/kf.cc | 116 +++++--- gcc/analyzer/region-model-manager.cc | 19 ++ gcc/analyzer/region-model.cc | 261 +++++++++++++----- gcc/analyzer/region-model.h | 22 +- gcc/doc/invoke.texi | 1 + .../analyzer/out-of-bounds-diagram-16.c | 31 +++ gcc/testsuite/gcc.dg/analyzer/sprintf-1.c | 11 + gcc/testsuite/gcc.dg/analyzer/strcat-1.c | 136 +++++++++ gcc/testsuite/gcc.dg/analyzer/strcpy-1.c | 22 ++ gcc/testsuite/gcc.dg/analyzer/strcpy-3.c | 8 + gcc/testsuite/gcc.dg/analyzer/strcpy-4.c | 51 ++++ 14 files changed, 601 insertions(+), 107 deletions(-) create mode 100644 gcc/testsuite/gcc.dg/analyzer/out-of-bounds-diagram-16.c create mode 100644 gcc/testsuite/gcc.dg/analyzer/strcat-1.c create mode 100644 gcc/testsuite/gcc.dg/analyzer/strcpy-4.c