From patchwork Thu Dec 1 02:41:59 2022
X-Patchwork-Submitter: David Malcolm
X-Patchwork-Id: 28160
To: gcc-patches@gcc.gnu.org
Cc: David Malcolm
Subject: [committed 6/7] analyzer: unify bounds-checking class hierarchies
Date: Wed, 30 Nov 2022 21:41:59 -0500
Message-Id: <20221201024200.3722982-6-dmalcolm@redhat.com>
In-Reply-To: <20221201024200.3722982-1-dmalcolm@redhat.com>
References: <20221201024200.3722982-1-dmalcolm@redhat.com>
From: David Malcolm

Convert out-of-bounds class hierarchy from:

  pending_diagnostic
    out_of_bounds
      past_the_end
        buffer_overflow (*)
        buffer_over_read (*)
      buffer_underwrite (*)
      buffer_under_read (*)
    symbolic_past_the_end
      symbolic_buffer_overflow (*)
      symbolic_buffer_over_read (*)

to:

  pending_diagnostic
    out_of_bounds
      concrete_out_of_bounds
        concrete_past_the_end
          concrete_buffer_overflow (*)
          concrete_buffer_over_read (*)
        concrete_buffer_underwrite (*)
        concrete_buffer_under_read (*)
      symbolic_past_the_end
        symbolic_buffer_overflow (*)
        symbolic_buffer_over_read (*)

where the concrete classes (i.e. the instantiable ones) are marked
with a (*).

Doing so uncovered a bug where, for CWE-131-examples.c, we were
emitting an extra:

  warning: heap-based buffer over-read [CWE-122] [-Wanalyzer-out-of-bounds]

at the:

  WidgetList[numWidgets] = NULL;

The issue was that within set_next_state we get the rvalue for the
LHS, which looks like a read to the bounds-checker.  The patch fixes
this by passing NULL as the region_model_context * for such accesses.

Successfully bootstrapped & regrtested on x86_64-pc-linux-gnu.
Pushed to trunk as r13-4430-g8bc9e4ee874ea3.

gcc/analyzer/ChangeLog:
	* bounds-checking.cc (class out_of_bounds): Split out from...
	(class concrete_out_of_bounds): New abstract subclass.
	(class past_the_end): Rename to...
	(class concrete_past_the_end): ...this, and make a subclass of
	concrete_out_of_bounds.
	(class buffer_overflow): Rename to...
	(class concrete_buffer_overflow): ...this, and make a subclass of
	concrete_past_the_end.
	(class buffer_over_read): Rename to...
	(class concrete_buffer_over_read): ...this, and make a subclass of
	concrete_past_the_end.
	(class buffer_underwrite): Rename to...
	(class concrete_buffer_underwrite): ...this, and make a subclass of
	concrete_out_of_bounds.
	(class buffer_under_read): Rename to...
	(class concrete_buffer_under_read): ...this, and make a subclass of
	concrete_out_of_bounds.
	(class symbolic_past_the_end): Convert to a subclass of
	out_of_bounds.
	(symbolic_buffer_overflow::get_kind): New.
	(symbolic_buffer_over_read::get_kind): New.
	(region_model::check_region_bounds): Update for renamings.
	* engine.cc (impl_sm_context::set_next_state): Eliminate
	"new_ctxt", passing NULL to get_rvalue instead.
	(impl_sm_context::warn): Likewise.

Signed-off-by: David Malcolm
---
 gcc/analyzer/bounds-checking.cc | 185 +++++++++++++++++++-------------
 gcc/analyzer/engine.cc          |  24 +----
 2 files changed, 115 insertions(+), 94 deletions(-)

diff --git a/gcc/analyzer/bounds-checking.cc b/gcc/analyzer/bounds-checking.cc
index bc7d2dd17ae..aaf3f22109b 100644
--- a/gcc/analyzer/bounds-checking.cc
+++ b/gcc/analyzer/bounds-checking.cc
@@ -37,27 +37,21 @@ along with GCC; see the file COPYING3. If not see namespace ana { -/* Abstract base class for all out-of-bounds warnings with concrete values. */ +/* Abstract base class for all out-of-bounds warnings. */ -class out_of_bounds : public pending_diagnostic_subclass +class out_of_bounds : public pending_diagnostic { public: - out_of_bounds (const region *reg, tree diag_arg, - byte_range out_of_bounds_range) - : m_reg (reg), m_diag_arg (diag_arg), - m_out_of_bounds_range (out_of_bounds_range) + out_of_bounds (const region *reg, tree diag_arg) + : m_reg (reg), m_diag_arg (diag_arg) {} - const char *get_kind () const final override - { - return "out_of_bounds_diagnostic"; - } - - bool operator== (const out_of_bounds &other) const + bool subclass_equal_p (const pending_diagnostic &base_other) const override { - return m_reg == other.m_reg - && m_out_of_bounds_range == other.m_out_of_bounds_range - && pending_diagnostic::same_tree_p (m_diag_arg, other.m_diag_arg); + const out_of_bounds &other + (static_cast (base_other)); + return (m_reg == other.m_reg + && pending_diagnostic::same_tree_p (m_diag_arg, other.m_diag_arg)); } int get_controlling_option () const final override 
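Review bot: the new out_of_bounds::subclass_equal_p static_casts base_other to an out_of_bounds reference with no check of its dynamic type, so its correctness depends on the caller only comparing two diagnostics whose get_kind () strings already match. That contract used to be discharged locally by the "out_of_bounds_diagnostic" get_kind () override that this hunk removes; now it rests on every instantiable subclass returning a distinct kind string (which the later hunks do add). A one-line comment above subclass_equal_p stating that precondition would make the cast's safety visible at the point it is relied on, and would tell the next person who adds a leaf class that a get_kind () override is mandatory rather than optional.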
@@ -106,25 +100,51 @@ protected: const region *m_reg; tree m_diag_arg; +}; + +/* Abstract base class for all out-of-bounds warnings where the + out-of-bounds range is concrete. */ + +class concrete_out_of_bounds : public out_of_bounds +{ +public: + concrete_out_of_bounds (const region *reg, tree diag_arg, + byte_range out_of_bounds_range) + : out_of_bounds (reg, diag_arg), + m_out_of_bounds_range (out_of_bounds_range) + {} + + bool subclass_equal_p (const pending_diagnostic &base_other) const override + { + const concrete_out_of_bounds &other + (static_cast (base_other)); + return (out_of_bounds::subclass_equal_p (other) + && m_out_of_bounds_range == other.m_out_of_bounds_range); + } + +protected: byte_range m_out_of_bounds_range; }; -/* Abstract subclass to complaing about out-of-bounds +/* Abstract subclass to complaing about concrete out-of-bounds past the end of the buffer. */ -class past_the_end : public out_of_bounds +class concrete_past_the_end : public concrete_out_of_bounds { public: - past_the_end (const region *reg, tree diag_arg, byte_range range, - tree byte_bound) - : out_of_bounds (reg, diag_arg, range), m_byte_bound (byte_bound) + concrete_past_the_end (const region *reg, tree diag_arg, byte_range range, + tree byte_bound) + : concrete_out_of_bounds (reg, diag_arg, range), m_byte_bound (byte_bound) {} - bool operator== (const past_the_end &other) const + bool + subclass_equal_p (const pending_diagnostic &base_other) const final override { - return out_of_bounds::operator== (other) - && pending_diagnostic::same_tree_p (m_byte_bound, - other.m_byte_bound); + const concrete_past_the_end &other + (static_cast (base_other)); + return (concrete_out_of_bounds::subclass_equal_p (other) + && pending_diagnostic::same_tree_p (m_byte_bound, + other.m_byte_bound)); } label_text 
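Review bot: the '+' comment line "Abstract subclass to complaing about concrete out-of-bounds" carries over the pre-existing "complaing" typo; since the line is rewritten in this hunk anyway, it should read "complain". A smaller point in the same hunk: concrete_out_of_bounds::subclass_equal_p is plain override while concrete_past_the_end's is final override. That is consistent, because concrete_buffer_underwrite and concrete_buffer_under_read derive from concrete_out_of_bounds without adding fields, but a short comment saying the non-final one is meant to be extended by the past-the-end subclass would spare readers the cross-check.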
@@ -143,14 +163,19 @@ protected: /* Concrete subclass to complain about buffer overflows. */ -class buffer_overflow : public past_the_end +class concrete_buffer_overflow : public concrete_past_the_end { public: - buffer_overflow (const region *reg, tree diag_arg, + concrete_buffer_overflow (const region *reg, tree diag_arg, byte_range range, tree byte_bound) - : past_the_end (reg, diag_arg, range, byte_bound) + : concrete_past_the_end (reg, diag_arg, range, byte_bound) {} + const char *get_kind () const final override + { + return "concrete_buffer_overflow"; + } + bool emit (rich_location *rich_loc) final override { diagnostic_metadata m; @@ -241,14 +266,19 @@ public: /* Concrete subclass to complain about buffer over-reads. */ -class buffer_over_read : public past_the_end +class concrete_buffer_over_read : public concrete_past_the_end { public: - buffer_over_read (const region *reg, tree diag_arg, - byte_range range, tree byte_bound) - : past_the_end (reg, diag_arg, range, byte_bound) + concrete_buffer_over_read (const region *reg, tree diag_arg, + byte_range range, tree byte_bound) + : concrete_past_the_end (reg, diag_arg, range, byte_bound) {} + const char *get_kind () const final override + { + return "concrete_buffer_over_read"; + } + bool emit (rich_location *rich_loc) final override { diagnostic_metadata m; @@ -337,13 +367,19 @@ public: /* Concrete subclass to complain about buffer underwrites. */ -class buffer_underwrite : public out_of_bounds +class concrete_buffer_underwrite : public concrete_out_of_bounds { public: - buffer_underwrite (const region *reg, tree diag_arg, byte_range range) - : out_of_bounds (reg, diag_arg, range) + concrete_buffer_underwrite (const region *reg, tree diag_arg, + byte_range range) + : concrete_out_of_bounds (reg, diag_arg, range) {} + const char *get_kind () const final override + { + return "concrete_buffer_underwrite"; + } + bool emit (rich_location *rich_loc) final override { diagnostic_metadata m; 
@@ -403,13 +439,19 @@ public: /* Concrete subclass to complain about buffer under-reads. */ -class buffer_under_read : public out_of_bounds +class concrete_buffer_under_read : public concrete_out_of_bounds { public: - buffer_under_read (const region *reg, tree diag_arg, byte_range range) - : out_of_bounds (reg, diag_arg, range) + concrete_buffer_under_read (const region *reg, tree diag_arg, + byte_range range) + : concrete_out_of_bounds (reg, diag_arg, range) {} + const char *get_kind () const final override + { + return "concrete_buffer_under_read"; + } + bool emit (rich_location *rich_loc) final override { diagnostic_metadata m; 
@@ -470,38 +512,26 @@ public: /* Abstract class to complain about out-of-bounds read/writes where the values are symbolic. */ -class symbolic_past_the_end - : public pending_diagnostic_subclass +class symbolic_past_the_end : public out_of_bounds { public: symbolic_past_the_end (const region *reg, tree diag_arg, tree offset, tree num_bytes, tree capacity) - : m_reg (reg), m_diag_arg (diag_arg), m_offset (offset), - m_num_bytes (num_bytes), m_capacity (capacity) + : out_of_bounds (reg, diag_arg), + m_offset (offset), + m_num_bytes (num_bytes), + m_capacity (capacity) {} - const char *get_kind () const final override - { - return "symbolic_past_the_end"; - } - - bool operator== (const symbolic_past_the_end &other) const - { - return m_reg == other.m_reg - && pending_diagnostic::same_tree_p (m_diag_arg, other.m_diag_arg) - && pending_diagnostic::same_tree_p (m_offset, other.m_offset) - && pending_diagnostic::same_tree_p (m_num_bytes, other.m_num_bytes) - && pending_diagnostic::same_tree_p (m_capacity, other.m_capacity); - } - - int get_controlling_option () const final override - { - return OPT_Wanalyzer_out_of_bounds; - } - - void mark_interesting_stuff (interesting_t *interest) final override + bool + subclass_equal_p (const pending_diagnostic &base_other) const final override { - interest->add_region_creation (m_reg); + const symbolic_past_the_end &other + (static_cast (base_other)); + return (out_of_bounds::subclass_equal_p (other) + && pending_diagnostic::same_tree_p (m_offset, other.m_offset) + && pending_diagnostic::same_tree_p (m_num_bytes, other.m_num_bytes) + && pending_diagnostic::same_tree_p (m_capacity, other.m_capacity)); } label_text @@ -566,13 +596,6 @@ public: } protected: - enum memory_space get_memory_space () const - { - return m_reg->get_memory_space (); - } - - const region *m_reg; - tree m_diag_arg; tree m_offset; tree m_num_bytes; tree m_capacity; 
@@ -591,6 +614,11 @@ public: m_dir_str = "write"; } + const char *get_kind () const final override + { + return "symbolic_buffer_overflow"; + } + bool emit (rich_location *rich_loc) final override { diagnostic_metadata m; @@ -624,6 +652,11 @@ public: m_dir_str = "read"; } + const char *get_kind () const final override + { + return "symbolic_buffer_over_read"; + } + bool emit (rich_location *rich_loc) final override { diagnostic_metadata m; @@ -776,10 +809,12 @@ region_model::check_region_bounds (const region *reg, gcc_unreachable (); break; case DIR_READ: - ctxt->warn (make_unique (reg, diag_arg, out)); + ctxt->warn (make_unique (reg, diag_arg, + out)); break; case DIR_WRITE: - ctxt->warn (make_unique (reg, diag_arg, out)); + ctxt->warn (make_unique (reg, diag_arg, + out)); break; } } @@ -804,12 +839,12 @@ region_model::check_region_bounds (const region *reg, gcc_unreachable (); break; case DIR_READ: - ctxt->warn (make_unique (reg, diag_arg, - out, byte_bound)); + ctxt->warn (make_unique (reg, diag_arg, + out, byte_bound)); break; case DIR_WRITE: - ctxt->warn (make_unique (reg, diag_arg, - out, byte_bound)); + ctxt->warn (make_unique (reg, diag_arg, + out, byte_bound)); break; } } diff --git a/gcc/analyzer/engine.cc b/gcc/analyzer/engine.cc index 0c49bb26872..991b592b828 100644 --- a/gcc/analyzer/engine.cc +++ b/gcc/analyzer/engine.cc 
@@ -310,21 +310,17 @@ public: } - void set_next_state (const gimple *stmt, + void set_next_state (const gimple *, tree var, state_machine::state_t to, tree origin) final override { logger * const logger = get_logger (); LOG_FUNC (logger); - impl_region_model_context new_ctxt (m_eg, m_enode_for_diag, - m_old_state, m_new_state, - NULL, NULL, - stmt); const svalue *var_new_sval - = m_new_state->m_region_model->get_rvalue (var, &new_ctxt); + = m_new_state->m_region_model->get_rvalue (var, NULL); const svalue *origin_new_sval - = m_new_state->m_region_model->get_rvalue (origin, &new_ctxt); + = m_new_state->m_region_model->get_rvalue (origin, NULL); /* We use the new sval here to avoid issues with uninitialized values. */ state_machine::state_t current @@ -350,12 +346,8 @@ public: (m_eg, m_enode_for_diag, NULL, NULL, NULL/*m_enode->get_state ()*/, NULL, stmt); - impl_region_model_context new_ctxt (m_eg, m_enode_for_diag, - m_old_state, m_new_state, - NULL, NULL, - stmt); const svalue *origin_new_sval - = m_new_state->m_region_model->get_rvalue (origin, &new_ctxt); + = m_new_state->m_region_model->get_rvalue (origin, NULL); state_machine::state_t current = m_old_smap->get_state (sval, m_eg.get_ext_state ()); @@ -380,11 +372,8 @@ public: { LOG_FUNC (get_logger ()); gcc_assert (d); - impl_region_model_context old_ctxt - (m_eg, m_enode_for_diag, m_old_state, m_new_state, NULL, NULL, NULL); - const svalue *var_old_sval - = m_old_state->m_region_model->get_rvalue (var, &old_ctxt); + = m_old_state->m_region_model->get_rvalue (var, NULL); state_machine::state_t current = (var ? m_old_smap->get_state (var_old_sval, m_eg.get_ext_state ()) @@ -400,9 +389,6 @@ public: { LOG_FUNC (get_logger ()); gcc_assert (d); - impl_region_model_context old_ctxt - (m_eg, m_enode_for_diag, m_old_state, m_new_state, NULL, NULL, NULL); - state_machine::state_t current = (sval ? m_old_smap->get_state (sval, m_eg.get_ext_state ())
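Review bot: in the @@ -143,14 +163,19 @@ hunk of bounds-checking.cc, only the first line of the constructor declaration is renamed, so the unchanged continuation line "byte_range range, tree byte_bound)" is now misaligned against the longer "concrete_buffer_overflow (const region *reg, tree diag_arg," that precedes it. The sibling @@ -241,14 +266,19 @@ hunk for concrete_buffer_over_read re-indents its continuation line as part of the rename; this one should do the same.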
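Review bot: in the @@ -310,21 +310,17 @@ hunk of engine.cc, replacing &new_ctxt with NULL in the two get_rvalue calls is the behavioural fix the commit message describes (the LHS lookup is no longer seen as a read by the bounds checker), but nothing in the code says so, and a bare NULL context reads like an oversight to anyone who has not read this message. Suggest a comment at the var_new_sval call along the lines of "NULL ctxt: this lookup must not be reported as a read", and the same where the pattern repeats in the @@ -350 and @@ -380 hunks. The now-unnamed const gimple * parameter is fine for set_next_state since stmt is no longer used there.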
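Review bot: in the final @@ -400,9 +389,6 @@ hunk, old_ctxt is deleted without any call site changing, so it was already dead before this patch. That is a good cleanup, but the ChangeLog entry "(impl_sm_context::warn): Likewise." describes it as the same get_rvalue change as the other overload; a separate line noting the removal of an unused local would keep the ChangeLog accurate.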
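As an added illustration, not code from the patch or from GCC's testsuite: the CWE-131 off-by-one pattern behind the `WidgetList[numWidgets] = NULL;` line the commit message mentions, written out in C with the defective allocation beside a corrected one. The names Widget, numWidgets and WidgetList follow MITRE's CWE-131 illustration; terminated_list_bytes, make_list_off_by_one, make_list_fixed, list_length and fixed_list_id_sum are constructed for this example. The defective function is never called; it exists so that `gcc -fanalyzer -c` has a store to report, and after this patch the only report expected at that store is the heap-based buffer overflow on the write, without the extra over-read warning the commit message describes.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdlib.h>

/* Widget, numWidgets and WidgetList follow MITRE's CWE-131 illustration;
   every helper below is constructed for this example.  */
typedef struct widget { int id; } Widget;

/* Bytes needed for numWidgets pointers plus a NULL terminator.
   Returns 0 if the multiplication would overflow size_t.  */
size_t terminated_list_bytes (size_t numWidgets)
{
  if (numWidgets >= SIZE_MAX / sizeof (Widget *))
    return 0;
  return (numWidgets + 1) * sizeof (Widget *);
}

/* Defective form (intentionally kept, never called here): room for
   numWidgets pointers, then a store at index numWidgets, one element
   past the allocation.  With -fanalyzer this is the store the analyzer
   should flag once, as a write past the end of the heap buffer.  */
Widget **make_list_off_by_one (size_t numWidgets)
{
  Widget **WidgetList = malloc (numWidgets * sizeof (Widget *));
  if (WidgetList == NULL)
    return NULL;
  WidgetList[numWidgets] = NULL;   /* CWE-131: one past the end */
  return WidgetList;
}

/* Corrected form: the terminator slot is part of the allocation, and
   the size computation is overflow-checked.  */
Widget **make_list_fixed (Widget *widgets, size_t numWidgets)
{
  size_t bytes = terminated_list_bytes (numWidgets);
  if (bytes == 0)
    return NULL;
  Widget **WidgetList = malloc (bytes);
  if (WidgetList == NULL)
    return NULL;
  for (size_t i = 0; i < numWidgets; i++)
    WidgetList[i] = &widgets[i];
  WidgetList[numWidgets] = NULL;   /* in bounds: capacity is numWidgets + 1 */
  return WidgetList;
}

/* Walk a NULL-terminated list and return its length.  */
size_t list_length (Widget **list)
{
  size_t n = 0;
  while (list[n] != NULL)
    n++;
  return n;
}

/* Build a three-element list with the corrected form and return the
   sum of the ids read back through it, or -1 on allocation failure.  */
int fixed_list_id_sum (void)
{
  Widget widgets[3] = { { 1 }, { 2 }, { 3 } };   /* constructed sample */
  Widget **list = make_list_fixed (widgets, 3);
  if (list == NULL)
    return -1;
  int sum = 0;
  for (size_t i = 0; i < list_length (list); i++)
    sum += list[i]->id;
  free (list);
  return sum;
}
```

Compiling this file with `gcc -fanalyzer -c` exercises exactly the situation the patch corrects: the analyzer must model the store to WidgetList[numWidgets] in make_list_off_by_one as a write, not as a read followed by a write, so a single out-of-bounds report is the right outcome.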