From: David Malcolm
To: gcc-patches@gcc.gnu.org
Cc: David Malcolm
Subject: [pushed] analyzer: enable taint state machine by default [PR103533]
Date: Tue, 14 Nov 2023 15:56:38 -0500
Message-Id: <20231114205638.3720804-1-dmalcolm@redhat.com>

Successfully bootstrapped & regrtested on x86_64-pc-linux-gnu.
Integration testing of analyzer shows no significant differences.
Pushed to trunk as r14-5464-gcfaaa8b11b8429.

gcc/analyzer/ChangeLog:
	PR analyzer/103533
	* sm-taint.cc: Remove "experimental" from comment.
	* sm.cc (make_checkers): Always add taint state machine.

gcc/ChangeLog:
	PR analyzer/103533
	* doc/invoke.texi (Static Analyzer Options): Add the six
	-Wanalyzer-tainted-* warnings.  Update documentation of each
	warning to reflect removed requirement to use
	-fanalyzer-checker=taint.  Remove discussion of
	-fanalyzer-checker=taint.

gcc/testsuite/ChangeLog:
	PR analyzer/103533
	* c-c++-common/analyzer/attr-tainted_args-1.c: Remove use of
	-fanalyzer-checker=taint.
	* c-c++-common/analyzer/fread-1.c: Likewise.
	* c-c++-common/analyzer/pr104029.c: Likewise.
	* gcc.dg/analyzer/pr93032-mztools-signed-char.c: Add params to
	work around state explosion.
	* gcc.dg/analyzer/pr93032-mztools-unsigned-char.c: Likewise.
	* gcc.dg/analyzer/pr93382.c: Remove use of
	-fanalyzer-checker=taint.
	* gcc.dg/analyzer/switch-enum-taint-1.c: Likewise.
	* gcc.dg/analyzer/taint-CVE-2011-2210-1.c: Likewise.
	* gcc.dg/analyzer/taint-CVE-2020-13143-1.c: Likewise.
	* gcc.dg/analyzer/taint-CVE-2020-13143-2.c: Likewise.
	* gcc.dg/analyzer/taint-CVE-2020-13143.h: Likewise.
	* gcc.dg/analyzer/taint-alloc-1.c: Likewise.
	* gcc.dg/analyzer/taint-alloc-2.c: Likewise.
	* gcc.dg/analyzer/taint-alloc-3.c: Likewise.
	* gcc.dg/analyzer/taint-alloc-4.c: Likewise.
	* gcc.dg/analyzer/taint-alloc-5.c: Likewise.
	* gcc.dg/analyzer/taint-assert-BUG_ON.c: Likewise.
	* gcc.dg/analyzer/taint-assert-macro-expansion.c: Likewise.
	* gcc.dg/analyzer/taint-assert-system-header.c: Likewise.
	* gcc.dg/analyzer/taint-assert.c: Likewise.
	* gcc.dg/analyzer/taint-divisor-1.c: Likewise.
	* gcc.dg/analyzer/taint-divisor-2.c: Likewise.
	* gcc.dg/analyzer/taint-merger.c: Likewise.
	* gcc.dg/analyzer/taint-ops.c: Delete this test: it was a
	duplicate of material in operations.c and data-model-1.c, with
	-fanalyzer-checker=taint added.
	* gcc.dg/analyzer/taint-read-index-1.c: Remove use of
	-fanalyzer-checker=taint.
	* gcc.dg/analyzer/taint-read-offset-1.c: Likewise.
	* gcc.dg/analyzer/taint-realloc.c: Likewise.  Add missing
	dg-warning for leak now that the malloc state machine is also
	active.
	* gcc.dg/analyzer/taint-size-1.c: Remove use of
	-fanalyzer-checker=taint.
	* gcc.dg/analyzer/taint-size-access-attr-1.c: Likewise.
	* gcc.dg/analyzer/taint-write-index-1.c: Likewise.
	* gcc.dg/analyzer/taint-write-offset-1.c: Likewise.
	* gcc.dg/analyzer/torture/taint-read-index-2.c: Likewise.
	* gcc.dg/analyzer/torture/taint-read-index-3.c: Likewise.
	* gcc.dg/plugin/taint-CVE-2011-0521-1-fixed.c: Likewise.  Add
	-Wno-pedantic.
	* gcc.dg/plugin/taint-CVE-2011-0521-1.c: Likewise.
	* gcc.dg/plugin/taint-CVE-2011-0521-2-fixed.c: Likewise.
	* gcc.dg/plugin/taint-CVE-2011-0521-2.c: Likewise.
	* gcc.dg/plugin/taint-CVE-2011-0521-3-fixed.c: Likewise.
	* gcc.dg/plugin/taint-CVE-2011-0521-3.c: Likewise.  Fix C++-style
	comment.
	* gcc.dg/plugin/taint-CVE-2011-0521-4.c: Remove use of
	-fanalyzer-checker=taint and add -Wno-pedantic.  Remove xfail and
	add missing dg-warning.
	* gcc.dg/plugin/taint-CVE-2011-0521-5-fixed.c: Remove use of
	-fanalyzer-checker=taint and add -Wno-pedantic.
	* gcc.dg/plugin/taint-CVE-2011-0521-5.c: Likewise.
	* gcc.dg/plugin/taint-CVE-2011-0521-6.c: Likewise.
	* gcc.dg/plugin/taint-antipatterns-1.c: Remove use of
	-fanalyzer-checker=taint.

Signed-off-by: David Malcolm --- gcc/analyzer/sm-taint.cc | 2 +- gcc/analyzer/sm.cc | 5 +- gcc/doc/invoke.texi | 63 ++--------- .../analyzer/attr-tainted_args-1.c | 3 - gcc/testsuite/c-c++-common/analyzer/fread-1.c | 2 - .../c-c++-common/analyzer/pr104029.c | 3 - .../analyzer/pr93032-mztools-signed-char.c | 3 + .../analyzer/pr93032-mztools-unsigned-char.c | 3 + gcc/testsuite/gcc.dg/analyzer/pr93382.c | 2 - .../gcc.dg/analyzer/switch-enum-taint-1.c | 3 - .../gcc.dg/analyzer/taint-CVE-2011-2210-1.c | 3 - .../gcc.dg/analyzer/taint-CVE-2020-13143-1.c | 3 - .../gcc.dg/analyzer/taint-CVE-2020-13143-2.c | 3 - .../gcc.dg/analyzer/taint-CVE-2020-13143.h | 3 - gcc/testsuite/gcc.dg/analyzer/taint-alloc-1.c | 2 - gcc/testsuite/gcc.dg/analyzer/taint-alloc-2.c | 3 - gcc/testsuite/gcc.dg/analyzer/taint-alloc-3.c | 3 - gcc/testsuite/gcc.dg/analyzer/taint-alloc-4.c | 3 - gcc/testsuite/gcc.dg/analyzer/taint-alloc-5.c | 3 - .../gcc.dg/analyzer/taint-assert-BUG_ON.c | 3 - .../analyzer/taint-assert-macro-expansion.c | 3 - .../analyzer/taint-assert-system-header.c | 3 - gcc/testsuite/gcc.dg/analyzer/taint-assert.c | 3 - .../gcc.dg/analyzer/taint-divisor-1.c | 3 - .../gcc.dg/analyzer/taint-divisor-2.c | 3 - gcc/testsuite/gcc.dg/analyzer/taint-merger.c | 3 - gcc/testsuite/gcc.dg/analyzer/taint-ops.c | 106 ------------------ .../gcc.dg/analyzer/taint-read-index-1.c | 3 - .../gcc.dg/analyzer/taint-read-offset-1.c | 3 - gcc/testsuite/gcc.dg/analyzer/taint-realloc.c | 5 +- gcc/testsuite/gcc.dg/analyzer/taint-size-1.c | 3 - .../analyzer/taint-size-access-attr-1.c | 3 +- .../gcc.dg/analyzer/taint-write-index-1.c | 3 - .../gcc.dg/analyzer/taint-write-offset-1.c | 3 - .../analyzer/torture/taint-read-index-2.c | 2 - .../analyzer/torture/taint-read-index-3.c | 2 - .../plugin/taint-CVE-2011-0521-1-fixed.c | 3 +- .../gcc.dg/plugin/taint-CVE-2011-0521-1.c | 3 +- .../plugin/taint-CVE-2011-0521-2-fixed.c | 6 +- .../gcc.dg/plugin/taint-CVE-2011-0521-2.c | 3 +- .../plugin/taint-CVE-2011-0521-3-fixed.c | 6 
+- .../gcc.dg/plugin/taint-CVE-2011-0521-3.c | 5 +- .../gcc.dg/plugin/taint-CVE-2011-0521-4.c | 12 +- .../plugin/taint-CVE-2011-0521-5-fixed.c | 4 +- .../gcc.dg/plugin/taint-CVE-2011-0521-5.c | 4 +- .../gcc.dg/plugin/taint-CVE-2011-0521-6.c | 4 +- .../gcc.dg/plugin/taint-antipatterns-1.c | 3 +- 47 files changed, 41 insertions(+), 281 deletions(-) delete mode 100644 gcc/testsuite/gcc.dg/analyzer/taint-ops.c diff --git a/gcc/analyzer/sm-taint.cc b/gcc/analyzer/sm-taint.cc index 09c1e9368cd..dfd5f7fa5d2 100644 --- a/gcc/analyzer/sm-taint.cc +++ b/gcc/analyzer/sm-taint.cc @@ -1,4 +1,4 @@ -/* An experimental state machine, for tracking "taint": unsanitized uses +/* A state machine for tracking "taint": unsanitized uses of data potentially under an attacker's control. Copyright (C) 2019-2023 Free Software Foundation, Inc. diff --git a/gcc/analyzer/sm.cc b/gcc/analyzer/sm.cc index 2b88430c012..c030c272ccc 100644 --- a/gcc/analyzer/sm.cc +++ b/gcc/analyzer/sm.cc @@ -188,10 +188,7 @@ make_checkers (auto_delete_vec &out, logger *logger) out.safe_push (make_malloc_state_machine (logger)); out.safe_push (make_fileptr_state_machine (logger)); out.safe_push (make_fd_state_machine (logger)); - /* The "taint" checker must be explicitly enabled (as it currently - leads to state explosions that stop the other checkers working). */ - if (flag_analyzer_checker) - out.safe_push (make_taint_state_machine (logger)); + out.safe_push (make_taint_state_machine (logger)); out.safe_push (make_sensitive_state_machine (logger)); out.safe_push (make_signal_state_machine (logger)); out.safe_push (make_va_list_state_machine (logger)); diff --git a/gcc/doc/invoke.texi b/gcc/doc/invoke.texi index f1a5722675f..f7fd9d0c1af 100644 --- a/gcc/doc/invoke.texi +++ b/gcc/doc/invoke.texi 
@@ -10415,6 +10415,12 @@ Enabling this option effectively enables the following warnings: -Wanalyzer-shift-count-negative -Wanalyzer-shift-count-overflow -Wanalyzer-stale-setjmp-buffer +-Wanalyzer-tainted-allocation-size +-Wanalyzer-tainted-array-index +-Wanalyzer-tainted-assertion +-Wanalyzer-tainted-divisor +-Wanalyzer-tainted-offset +-Wanalyzer-tainted-size -Wanalyzer-unsafe-call-within-signal-handler -Wanalyzer-use-after-free -Wanalyzer-use-of-pointer-in-stale-stack-frame @@ -10426,13 +10432,6 @@ Enabling this option effectively enables the following warnings: -Wanalyzer-write-to-const -Wanalyzer-write-to-string-literal } -@ignore --Wanalyzer-tainted-allocation-size --Wanalyzer-tainted-array-index --Wanalyzer-tainted-divisor --Wanalyzer-tainted-offset --Wanalyzer-tainted-size -@end ignore This option is only available if GCC was configured with analyzer support enabled. @@ -10880,8 +10879,7 @@ no longer exists, and likely lead to a crash (or worse). @opindex Wanalyzer-tainted-allocation-size @opindex Wno-analyzer-tainted-allocation-size @item -Wno-analyzer-tainted-allocation-size -This warning requires both @option{-fanalyzer} and -@option{-fanalyzer-checker=taint} to enable it; +This warning requires @option{-fanalyzer} which enables it; use @option{-Wno-analyzer-tainted-allocation-size} to disable it. This diagnostic warns for paths through the code in which a value @@ -10896,8 +10894,7 @@ See @uref{https://cwe.mitre.org/data/definitions/789.html, CWE-789: Memory Alloc @opindex Wno-analyzer-tainted-assertion @item -Wno-analyzer-tainted-assertion -This warning requires both @option{-fanalyzer} and -@option{-fanalyzer-checker=taint} to enable it; +This warning requires @option{-fanalyzer} which enables it; use @option{-Wno-analyzer-tainted-assertion} to disable it. This diagnostic warns for paths through the code in which a value 
@@ -10958,8 +10955,7 @@ despite the above not being an assertion failure, strictly speaking. @opindex Wanalyzer-tainted-array-index @opindex Wno-analyzer-tainted-array-index @item -Wno-analyzer-tainted-array-index -This warning requires both @option{-fanalyzer} and -@option{-fanalyzer-checker=taint} to enable it; +This warning requires @option{-fanalyzer} which enables it; use @option{-Wno-analyzer-tainted-array-index} to disable it. This diagnostic warns for paths through the code in which a value @@ -10972,8 +10968,7 @@ See @uref{https://cwe.mitre.org/data/definitions/129.html, CWE-129: Improper Val @opindex Wanalyzer-tainted-divisor @opindex Wno-analyzer-tainted-divisor @item -Wno-analyzer-tainted-divisor -This warning requires both @option{-fanalyzer} and -@option{-fanalyzer-checker=taint} to enable it; +This warning requires @option{-fanalyzer} which enables it; use @option{-Wno-analyzer-tainted-divisor} to disable it. This diagnostic warns for paths through the code in which a value @@ -10986,8 +10981,7 @@ See @uref{https://cwe.mitre.org/data/definitions/369.html, CWE-369: Divide By Ze @opindex Wanalyzer-tainted-offset @opindex Wno-analyzer-tainted-offset @item -Wno-analyzer-tainted-offset -This warning requires both @option{-fanalyzer} and -@option{-fanalyzer-checker=taint} to enable it; +This warning requires @option{-fanalyzer} which enables it; use @option{-Wno-analyzer-tainted-offset} to disable it. This diagnostic warns for paths through the code in which a value @@ -11000,8 +10994,7 @@ See @uref{https://cwe.mitre.org/data/definitions/823.html, CWE-823: Use of Out-o @opindex Wanalyzer-tainted-size @opindex Wno-analyzer-tainted-size @item -Wno-analyzer-tainted-size -This warning requires both @option{-fanalyzer} and -@option{-fanalyzer-checker=taint} to enable it; +This warning requires @option{-fanalyzer} which enables it; use @option{-Wno-analyzer-tainted-size} to disable it. This diagnostic warns for paths through the code in which a value 
@@ -11251,38 +11244,6 @@ call site, and that are sufficiently complicated (as per @item -fanalyzer-checker=@var{name} Restrict the analyzer to run just the named checker, and enable it. -Some checkers are disabled by default (even with @option{-fanalyzer}), -such as the @code{taint} checker that implements -@option{-Wanalyzer-tainted-array-index}, and this option is required -to enable them. - -@emph{Note:} currently, @option{-fanalyzer-checker=taint} disables the -following warnings from @option{-fanalyzer}: - -@gccoptlist{ --Wanalyzer-deref-before-check --Wanalyzer-double-fclose --Wanalyzer-double-free --Wanalyzer-exposure-through-output-file --Wanalyzer-fd-access-mode-mismatch --Wanalyzer-fd-double-close --Wanalyzer-fd-leak --Wanalyzer-fd-use-after-close --Wanalyzer-fd-use-without-check --Wanalyzer-file-leak --Wanalyzer-free-of-non-heap --Wanalyzer-malloc-leak --Wanalyzer-mismatching-deallocation --Wanalyzer-null-argument --Wanalyzer-null-dereference --Wanalyzer-possible-null-argument --Wanalyzer-possible-null-dereference --Wanalyzer-unsafe-call-within-signal-handler --Wanalyzer-use-after-free --Wanalyzer-va-list-leak --Wanalyzer-va-list-use-after-va-end -} - @opindex fanalyzer-debug-text-art @opindex fno-analyzer-debug-text-art @item -fanalyzer-debug-text-art-headings diff --git a/gcc/testsuite/c-c++-common/analyzer/attr-tainted_args-1.c b/gcc/testsuite/c-c++-common/analyzer/attr-tainted_args-1.c index 0ff34469967..3525e84b94b 100644 --- a/gcc/testsuite/c-c++-common/analyzer/attr-tainted_args-1.c +++ b/gcc/testsuite/c-c++-common/analyzer/attr-tainted_args-1.c @@ -1,6 +1,3 @@ -// TODO: remove need for this option -/* { dg-additional-options "-fanalyzer-checker=taint" } */ - #include "../../gcc.dg/analyzer/analyzer-decls.h" struct arg_buf diff --git a/gcc/testsuite/c-c++-common/analyzer/fread-1.c b/gcc/testsuite/c-c++-common/analyzer/fread-1.c index 593cb7f4aa0..467467ee8a6 100644 --- a/gcc/testsuite/c-c++-common/analyzer/fread-1.c 
+++ b/gcc/testsuite/c-c++-common/analyzer/fread-1.c @@ -1,5 +1,3 @@ -/* { dg-additional-options "-fanalyzer-checker=taint" } */ - typedef __SIZE_TYPE__ size_t; extern size_t fread (void *, size_t, size_t, void *); diff --git a/gcc/testsuite/c-c++-common/analyzer/pr104029.c b/gcc/testsuite/c-c++-common/analyzer/pr104029.c index 873f0eb16b7..04b9ef872a3 100644 --- a/gcc/testsuite/c-c++-common/analyzer/pr104029.c +++ b/gcc/testsuite/c-c++-common/analyzer/pr104029.c @@ -1,6 +1,3 @@ -// TODO: remove need for this option -/* { dg-additional-options "-fanalyzer-checker=taint" } */ - typedef __SIZE_TYPE__ size_t; typedef const void *t_comptype; typedef int (*t_compfunc)(t_comptype, t_comptype); diff --git a/gcc/testsuite/gcc.dg/analyzer/pr93032-mztools-signed-char.c b/gcc/testsuite/gcc.dg/analyzer/pr93032-mztools-signed-char.c index 1f3df7c211f..45599e228b8 100644 --- a/gcc/testsuite/gcc.dg/analyzer/pr93032-mztools-signed-char.c +++ b/gcc/testsuite/gcc.dg/analyzer/pr93032-mztools-signed-char.c @@ -6,6 +6,9 @@ /* { dg-do "compile" } */ /* { dg-additional-options "-fsigned-char" } */ +/* TODO (PR analyzer/112528): remove need for this. */ +/* { dg-additional-options "--param analyzer-max-enodes-per-program-point=40 --param analyzer-bb-explosion-factor=10" } */ + /* Minimal replacement of system headers. */ typedef __SIZE_TYPE__ size_t; diff --git a/gcc/testsuite/gcc.dg/analyzer/pr93032-mztools-unsigned-char.c b/gcc/testsuite/gcc.dg/analyzer/pr93032-mztools-unsigned-char.c index db9678d1caa..a59fc49c2b3 100644 --- a/gcc/testsuite/gcc.dg/analyzer/pr93032-mztools-unsigned-char.c +++ b/gcc/testsuite/gcc.dg/analyzer/pr93032-mztools-unsigned-char.c 
@@ -6,6 +6,9 @@ /* { dg-do "compile" } */ /* { dg-additional-options "-funsigned-char" } */ +/* TODO (PR analyzer/112528): remove need for this. */ +/* { dg-additional-options "--param analyzer-max-enodes-per-program-point=40 --param analyzer-bb-explosion-factor=10" } */ + /* Minimal replacement of system headers. */ typedef __SIZE_TYPE__ size_t; diff --git a/gcc/testsuite/gcc.dg/analyzer/pr93382.c b/gcc/testsuite/gcc.dg/analyzer/pr93382.c index 1e6612ddc05..91eab2192ad 100644 --- a/gcc/testsuite/gcc.dg/analyzer/pr93382.c +++ b/gcc/testsuite/gcc.dg/analyzer/pr93382.c @@ -1,5 +1,3 @@ -/* { dg-additional-options "-fanalyzer-checker=taint" } */ - typedef __SIZE_TYPE__ size_t; int idx; diff --git a/gcc/testsuite/gcc.dg/analyzer/switch-enum-taint-1.c b/gcc/testsuite/gcc.dg/analyzer/switch-enum-taint-1.c index db3bb5b4947..d20b33e090b 100644 --- a/gcc/testsuite/gcc.dg/analyzer/switch-enum-taint-1.c +++ b/gcc/testsuite/gcc.dg/analyzer/switch-enum-taint-1.c @@ -1,6 +1,3 @@ -// TODO: remove need for this option -/* { dg-additional-options "-fanalyzer-checker=taint" } */ - #include "analyzer-decls.h" /* Verify the handling of "switch (enum_value)". */ diff --git a/gcc/testsuite/gcc.dg/analyzer/taint-CVE-2011-2210-1.c b/gcc/testsuite/gcc.dg/analyzer/taint-CVE-2011-2210-1.c index b44be993568..fa89bda6f0f 100644 --- a/gcc/testsuite/gcc.dg/analyzer/taint-CVE-2011-2210-1.c +++ b/gcc/testsuite/gcc.dg/analyzer/taint-CVE-2011-2210-1.c @@ -7,9 +7,6 @@ Fixed in 3d0475119d8722798db5e88f26493f6547a4bb5b on linux-2.6.39.y in linux-stable. */ -// TODO: remove need for this option: -/* { dg-additional-options "-fanalyzer-checker=taint" } */ - #include "analyzer-decls.h" #include "test-uaccess.h" diff --git a/gcc/testsuite/gcc.dg/analyzer/taint-CVE-2020-13143-1.c b/gcc/testsuite/gcc.dg/analyzer/taint-CVE-2020-13143-1.c index 328c5799145..1b81c1bb1f8 100644 --- a/gcc/testsuite/gcc.dg/analyzer/taint-CVE-2020-13143-1.c +++ b/gcc/testsuite/gcc.dg/analyzer/taint-CVE-2020-13143-1.c 
@@ -1,9 +1,6 @@ /* See notes in this header. */ #include "taint-CVE-2020-13143.h" -// TODO: remove need for this option -/* { dg-additional-options "-fanalyzer-checker=taint" } */ - struct configfs_attribute { /* [...snip...] */ ssize_t (*store)(struct config_item *, const char *, size_t) /* { dg-message "\\(1\\) field 'store' of 'struct configfs_attribute' is marked with '__attribute__\\(\\(tainted_args\\)\\)'" } */ diff --git a/gcc/testsuite/gcc.dg/analyzer/taint-CVE-2020-13143-2.c b/gcc/testsuite/gcc.dg/analyzer/taint-CVE-2020-13143-2.c index c74a460b01e..f53e42bd6aa 100644 --- a/gcc/testsuite/gcc.dg/analyzer/taint-CVE-2020-13143-2.c +++ b/gcc/testsuite/gcc.dg/analyzer/taint-CVE-2020-13143-2.c @@ -1,9 +1,6 @@ /* See notes in this header. */ #include "taint-CVE-2020-13143.h" -// TODO: remove need for this option -/* { dg-additional-options "-fanalyzer-checker=taint" } */ - struct configfs_attribute { /* [...snip...] */ ssize_t (*store)(struct config_item *, const char *, size_t) /* { dg-message "\\(1\\) field 'store' of 'struct configfs_attribute' is marked with '__attribute__\\(\\(tainted_args\\)\\)'" } */ diff --git a/gcc/testsuite/gcc.dg/analyzer/taint-CVE-2020-13143.h b/gcc/testsuite/gcc.dg/analyzer/taint-CVE-2020-13143.h index 0ba023539af..93f90d49013 100644 --- a/gcc/testsuite/gcc.dg/analyzer/taint-CVE-2020-13143.h +++ b/gcc/testsuite/gcc.dg/analyzer/taint-CVE-2020-13143.h @@ -8,9 +8,6 @@ Fixed by 15753588bcd4bbffae1cca33c8ced5722477fe1f on linux-5.7.y in linux-stable. */ -// TODO: remove need for this option -/* { dg-additional-options "-fanalyzer-checker=taint" } */ - #include /* Adapted from include/uapi/asm-generic/posix_types.h */ diff --git a/gcc/testsuite/gcc.dg/analyzer/taint-alloc-1.c b/gcc/testsuite/gcc.dg/analyzer/taint-alloc-1.c index cb2db6c69cf..dfb585bc613 100644 --- a/gcc/testsuite/gcc.dg/analyzer/taint-alloc-1.c +++ b/gcc/testsuite/gcc.dg/analyzer/taint-alloc-1.c 
@@ -1,5 +1,3 @@ -// TODO: remove need for this option -/* { dg-additional-options "-fanalyzer-checker=taint" } */ /* { dg-require-effective-target alloca } */ #include "analyzer-decls.h" diff --git a/gcc/testsuite/gcc.dg/analyzer/taint-alloc-2.c b/gcc/testsuite/gcc.dg/analyzer/taint-alloc-2.c index 72dbca5cbf0..68fbce9188c 100644 --- a/gcc/testsuite/gcc.dg/analyzer/taint-alloc-2.c +++ b/gcc/testsuite/gcc.dg/analyzer/taint-alloc-2.c @@ -1,6 +1,3 @@ -// TODO: remove need for this option: -/* { dg-additional-options "-fanalyzer-checker=taint" } */ - #include "analyzer-decls.h" #include #include diff --git a/gcc/testsuite/gcc.dg/analyzer/taint-alloc-3.c b/gcc/testsuite/gcc.dg/analyzer/taint-alloc-3.c index 80d8f0b8247..ce6a3271d2a 100644 --- a/gcc/testsuite/gcc.dg/analyzer/taint-alloc-3.c +++ b/gcc/testsuite/gcc.dg/analyzer/taint-alloc-3.c @@ -1,6 +1,3 @@ -// TODO: remove need for this option: -/* { dg-additional-options "-fanalyzer-checker=taint" } */ - #include "analyzer-decls.h" #include #include diff --git a/gcc/testsuite/gcc.dg/analyzer/taint-alloc-4.c b/gcc/testsuite/gcc.dg/analyzer/taint-alloc-4.c index bd47097b1d5..9df9422491c 100644 --- a/gcc/testsuite/gcc.dg/analyzer/taint-alloc-4.c +++ b/gcc/testsuite/gcc.dg/analyzer/taint-alloc-4.c @@ -1,6 +1,3 @@ -// TODO: remove need for this option: -/* { dg-additional-options "-fanalyzer-checker=taint" } */ - #include "analyzer-decls.h" #include #include diff --git a/gcc/testsuite/gcc.dg/analyzer/taint-alloc-5.c b/gcc/testsuite/gcc.dg/analyzer/taint-alloc-5.c index 9a159800c61..18dbff0298e 100644 --- a/gcc/testsuite/gcc.dg/analyzer/taint-alloc-5.c +++ b/gcc/testsuite/gcc.dg/analyzer/taint-alloc-5.c @@ -1,6 +1,3 @@ -// TODO: remove need for this option -/* { dg-additional-options "-fanalyzer-checker=taint" } */ - #include "analyzer-decls.h" struct foo diff --git a/gcc/testsuite/gcc.dg/analyzer/taint-assert-BUG_ON.c b/gcc/testsuite/gcc.dg/analyzer/taint-assert-BUG_ON.c index 8aef0a44a6d..328940d2983 100644 
--- a/gcc/testsuite/gcc.dg/analyzer/taint-assert-BUG_ON.c +++ b/gcc/testsuite/gcc.dg/analyzer/taint-assert-BUG_ON.c @@ -1,6 +1,3 @@ -// TODO: remove need for this option -/* { dg-additional-options "-fanalyzer-checker=taint" } */ - /* We need this, otherwise the warnings are emitted inside the macros, which makes it hard to write the DejaGnu directives. */ /* { dg-additional-options " -ftrack-macro-expansion=0" } */ diff --git a/gcc/testsuite/gcc.dg/analyzer/taint-assert-macro-expansion.c b/gcc/testsuite/gcc.dg/analyzer/taint-assert-macro-expansion.c index 24b175a0973..78357ae62b8 100644 --- a/gcc/testsuite/gcc.dg/analyzer/taint-assert-macro-expansion.c +++ b/gcc/testsuite/gcc.dg/analyzer/taint-assert-macro-expansion.c @@ -2,9 +2,6 @@ -Wanalyzer-tainted-assertion with macro-tracking enabled (the default). */ -// TODO: remove need for this option -/* { dg-additional-options "-fanalyzer-checker=taint" } */ - /* { dg-additional-options "-fdiagnostics-show-path-depths" } */ /* { dg-additional-options "-fdiagnostics-path-format=inline-events -fdiagnostics-show-caret" } */ diff --git a/gcc/testsuite/gcc.dg/analyzer/taint-assert-system-header.c b/gcc/testsuite/gcc.dg/analyzer/taint-assert-system-header.c index a65853c7886..bd47ab79188 100644 --- a/gcc/testsuite/gcc.dg/analyzer/taint-assert-system-header.c +++ b/gcc/testsuite/gcc.dg/analyzer/taint-assert-system-header.c @@ -3,9 +3,6 @@ (the default), where the assertion macro is defined in a system header. */ -// TODO: remove need for this option -/* { dg-additional-options "-fanalyzer-checker=taint" } */ - /* { dg-additional-options "-fdiagnostics-show-path-depths" } */ /* { dg-additional-options "-fdiagnostics-path-format=inline-events -fdiagnostics-show-caret" } */ diff --git a/gcc/testsuite/gcc.dg/analyzer/taint-assert.c b/gcc/testsuite/gcc.dg/analyzer/taint-assert.c index b09f8c51a16..855ed5f705f 100644 --- a/gcc/testsuite/gcc.dg/analyzer/taint-assert.c +++ b/gcc/testsuite/gcc.dg/analyzer/taint-assert.c 
@@ -1,6 +1,3 @@ -// TODO: remove need for this option -/* { dg-additional-options "-fanalyzer-checker=taint" } */ - /* We need this, otherwise the warnings are emitted inside the macros, which makes it hard to write the DejaGnu directives. */ /* { dg-additional-options " -ftrack-macro-expansion=0" } */ diff --git a/gcc/testsuite/gcc.dg/analyzer/taint-divisor-1.c b/gcc/testsuite/gcc.dg/analyzer/taint-divisor-1.c index b7c1faef1c4..438a2095382 100644 --- a/gcc/testsuite/gcc.dg/analyzer/taint-divisor-1.c +++ b/gcc/testsuite/gcc.dg/analyzer/taint-divisor-1.c @@ -1,6 +1,3 @@ -// TODO: remove need for this option: -/* { dg-additional-options "-fanalyzer-checker=taint" } */ - #include "analyzer-decls.h" #include diff --git a/gcc/testsuite/gcc.dg/analyzer/taint-divisor-2.c b/gcc/testsuite/gcc.dg/analyzer/taint-divisor-2.c index de9a1cb3a46..770258418fa 100644 --- a/gcc/testsuite/gcc.dg/analyzer/taint-divisor-2.c +++ b/gcc/testsuite/gcc.dg/analyzer/taint-divisor-2.c @@ -1,6 +1,3 @@ -// TODO: remove need for this option: -/* { dg-additional-options "-fanalyzer-checker=taint" } */ - #include "analyzer-decls.h" __attribute__ ((tainted_args)) diff --git a/gcc/testsuite/gcc.dg/analyzer/taint-merger.c b/gcc/testsuite/gcc.dg/analyzer/taint-merger.c index e4e48f3db03..b7d562b9704 100644 --- a/gcc/testsuite/gcc.dg/analyzer/taint-merger.c +++ b/gcc/testsuite/gcc.dg/analyzer/taint-merger.c @@ -1,6 +1,3 @@ -/* { dg-additional-options "-fanalyzer-checker=taint" } */ -// TODO: remove need for this option - #include "analyzer-decls.h" int v_start; diff --git a/gcc/testsuite/gcc.dg/analyzer/taint-ops.c b/gcc/testsuite/gcc.dg/analyzer/taint-ops.c deleted file mode 100644 index 729dbe53a0c..00000000000 --- a/gcc/testsuite/gcc.dg/analyzer/taint-ops.c +++ /dev/null 
@@ -1,106 +0,0 @@ -/* { dg-additional-options "-fanalyzer-checker=taint" } */ -// TODO: remove need for this option -/* This test can probably be removed when -fanalyzer enables - the taint checker by default. */ - -#include "analyzer-decls.h" - -void -test_1 (char a) -{ - char b = -a; -} - -/* Copies of code from data-model-1.c. */ - -void test_20 (int i, int j) -{ - __analyzer_eval (i + 1); /* { dg-warning "UNKNOWN" } */ - __analyzer_eval (i + j); /* { dg-warning "UNKNOWN" } */ - - __analyzer_eval (i - 1); /* { dg-warning "UNKNOWN" } */ - __analyzer_eval (i - j); /* { dg-warning "UNKNOWN" } */ - - __analyzer_eval (i * 2); /* { dg-warning "UNKNOWN" } */ - __analyzer_eval (i * j); /* { dg-warning "UNKNOWN" } */ - - __analyzer_eval (i / 2); /* { dg-warning "UNKNOWN" } */ - __analyzer_eval (i / j); /* { dg-warning "UNKNOWN" } */ - - __analyzer_eval (i % 2); /* { dg-warning "UNKNOWN" } */ - __analyzer_eval (i % j); /* { dg-warning "UNKNOWN" } */ - - __analyzer_eval (i & 1); /* { dg-warning "UNKNOWN" } */ - __analyzer_eval (i & j); /* { dg-warning "UNKNOWN" } */ - - __analyzer_eval (i | 1); /* { dg-warning "UNKNOWN" } */ - __analyzer_eval (i | j); /* { dg-warning "UNKNOWN" } */ - - __analyzer_eval (i ^ 1); /* { dg-warning "UNKNOWN" } */ - __analyzer_eval (i ^ j); /* { dg-warning "UNKNOWN" } */ - - __analyzer_eval (i >> 1); /* { dg-warning "UNKNOWN" } */ - __analyzer_eval (i >> j); /* { dg-warning "UNKNOWN" } */ - - __analyzer_eval (i << 1); /* { dg-warning "UNKNOWN" } */ - __analyzer_eval (i << j); /* { dg-warning "UNKNOWN" } */ - - __analyzer_eval (i && 0); /* { dg-warning "FALSE" } */ - __analyzer_eval (i && 1); /* { dg-warning "UNKNOWN" } */ - __analyzer_eval (i && j); /* { dg-warning "UNKNOWN" } */ - - __analyzer_eval (i || 0); /* { dg-warning "UNKNOWN" } */ - - __analyzer_eval (i || 1); /* { dg-warning "TRUE" } */ - __analyzer_eval (i || j); /* { dg-warning "UNKNOWN" } */ - - __analyzer_eval (~i); /* { dg-warning "UNKNOWN" } */ - __analyzer_eval (-i); /* { 
dg-warning "UNKNOWN" } */ - __analyzer_eval (+i); /* { dg-warning "UNKNOWN" } */ - - /* Anything added above should be added to the next function also. */ -} - -void test_21 (void) -{ - int i, j, zero; - int *pi = &i; - int *pj = &j; - int *pzero = &zero; - *pi = 5; - *pj = 3; - *pzero = 0; - - __analyzer_eval (i + j == 8); /* { dg-warning "TRUE" } */ - __analyzer_eval (i - j == 2); /* { dg-warning "TRUE" } */ - __analyzer_eval (i * j == 15); /* { dg-warning "TRUE" } */ - __analyzer_eval (i / j == 1); /* { dg-warning "TRUE" } */ - __analyzer_eval (i % j == 2); /* { dg-warning "TRUE" } */ - - /* Division by zero. */ - // TODO: should we warn for this? - __analyzer_eval (i / zero); /* { dg-warning "UNKNOWN" } */ - __analyzer_eval (i % zero); /* { dg-warning "UNKNOWN" } */ - - __analyzer_eval ((i & 1) == (5 & 1)); /* { dg-warning "TRUE" } */ - __analyzer_eval ((i & j) == (5 & 3)); /* { dg-warning "TRUE" } */ - __analyzer_eval ((i | 1) == (5 | 1)); /* { dg-warning "TRUE" } */ - __analyzer_eval ((i | j) == (5 | 3)); /* { dg-warning "TRUE" } */ - __analyzer_eval ((i ^ 1) == (5 ^ 1)); /* { dg-warning "TRUE" } */ - __analyzer_eval ((i ^ j) == (5 ^ 3)); /* { dg-warning "TRUE" } */ - __analyzer_eval ((i >> 1) == (5 >> 1)); /* { dg-warning "TRUE" } */ - __analyzer_eval ((i >> j) == (5 >> 3)); /* { dg-warning "TRUE" } */ - __analyzer_eval ((i << 1) == (5 << 1)); /* { dg-warning "TRUE" } */ - __analyzer_eval ((i << j) == (5 << 3)); /* { dg-warning "TRUE" } */ - __analyzer_eval (i && 0); /* { dg-warning "FALSE" } */ - __analyzer_eval (i && 1); /* { dg-warning "TRUE" } */ - __analyzer_eval (i && j); /* { dg-warning "TRUE" } */ - - __analyzer_eval (i || 0); /* { dg-warning "TRUE" } */ - __analyzer_eval (i || 1); /* { dg-warning "TRUE" } */ - __analyzer_eval (i || j); /* { dg-warning "TRUE" } */ - - __analyzer_eval (~i == ~5); /* { dg-warning "TRUE" } */ - __analyzer_eval (-i == -5); /* { dg-warning "TRUE" } */ - __analyzer_eval (+i == +5); /* { dg-warning "TRUE" } */ -} 
diff --git a/gcc/testsuite/gcc.dg/analyzer/taint-read-index-1.c b/gcc/testsuite/gcc.dg/analyzer/taint-read-index-1.c index 71c0816fd1f..1ec78b52629 100644 --- a/gcc/testsuite/gcc.dg/analyzer/taint-read-index-1.c +++ b/gcc/testsuite/gcc.dg/analyzer/taint-read-index-1.c @@ -1,6 +1,3 @@ -// TODO: remove need for this option: -/* { dg-additional-options "-fanalyzer-checker=taint" } */ - #include #include #include diff --git a/gcc/testsuite/gcc.dg/analyzer/taint-read-offset-1.c b/gcc/testsuite/gcc.dg/analyzer/taint-read-offset-1.c index 6db59bcc615..bb5d0930cdb 100644 --- a/gcc/testsuite/gcc.dg/analyzer/taint-read-offset-1.c +++ b/gcc/testsuite/gcc.dg/analyzer/taint-read-offset-1.c @@ -1,6 +1,3 @@ -// TODO: remove need for this option: -/* { dg-additional-options "-fanalyzer-checker=taint" } */ - #include #include #include diff --git a/gcc/testsuite/gcc.dg/analyzer/taint-realloc.c b/gcc/testsuite/gcc.dg/analyzer/taint-realloc.c index bd0ed0010fb..aeefb7da2c1 100644 --- a/gcc/testsuite/gcc.dg/analyzer/taint-realloc.c +++ b/gcc/testsuite/gcc.dg/analyzer/taint-realloc.c @@ -1,6 +1,3 @@ -// TODO: remove need for this option: -/* { dg-additional-options "-fanalyzer-checker=taint" } */ - #include "analyzer-decls.h" #include #include @@ -18,4 +15,4 @@ test_1 (size_t sz) /* { dg-message "\\(1\\) function 'test_1' marked with '__att __analyzer_dump_state ("taint", sz); /* { dg-warning "state: 'tainted'" } */ q = realloc (p, sz); /* { dg-warning "use of attacker-controlled value 'sz' as allocation size without upper-bounds checking" } */ -} +} /* { dg-warning "leak of 'q'" } */ diff --git a/gcc/testsuite/gcc.dg/analyzer/taint-size-1.c b/gcc/testsuite/gcc.dg/analyzer/taint-size-1.c index 1fd5fd486c0..36083ac5071 100644 --- a/gcc/testsuite/gcc.dg/analyzer/taint-size-1.c +++ b/gcc/testsuite/gcc.dg/analyzer/taint-size-1.c @@ -1,6 +1,3 @@ -// TODO: remove need for this option: -/* { dg-additional-options "-fanalyzer-checker=taint" } */ - #include "analyzer-decls.h" #include #include 
diff --git a/gcc/testsuite/gcc.dg/analyzer/taint-size-access-attr-1.c b/gcc/testsuite/gcc.dg/analyzer/taint-size-access-attr-1.c index 7d243a9570f..d4da3d77fa1 100644 --- a/gcc/testsuite/gcc.dg/analyzer/taint-size-access-attr-1.c +++ b/gcc/testsuite/gcc.dg/analyzer/taint-size-access-attr-1.c @@ -1,8 +1,7 @@ /* Passing tainted sizes to external functions with attribute ((access)) with a size-index. */ -// TODO: remove need for the explicit taint option: -/* { dg-additional-options "-fanalyzer-checker=taint -fanalyzer-show-duplicate-count" } */ +/* { dg-additional-options "-fanalyzer-show-duplicate-count" } */ #include "analyzer-decls.h" #include diff --git a/gcc/testsuite/gcc.dg/analyzer/taint-write-index-1.c b/gcc/testsuite/gcc.dg/analyzer/taint-write-index-1.c index cc7ab1ca4f6..62222069578 100644 --- a/gcc/testsuite/gcc.dg/analyzer/taint-write-index-1.c +++ b/gcc/testsuite/gcc.dg/analyzer/taint-write-index-1.c @@ -1,6 +1,3 @@ -// TODO: remove need for this option: -/* { dg-additional-options "-fanalyzer-checker=taint" } */ - #include #include #include diff --git a/gcc/testsuite/gcc.dg/analyzer/taint-write-offset-1.c b/gcc/testsuite/gcc.dg/analyzer/taint-write-offset-1.c index d0df6220315..21794ce4cf8 100644 --- a/gcc/testsuite/gcc.dg/analyzer/taint-write-offset-1.c +++ b/gcc/testsuite/gcc.dg/analyzer/taint-write-offset-1.c @@ -1,6 +1,3 @@ -// TODO: remove need for this option: -/* { dg-additional-options "-fanalyzer-checker=taint" } */ - #include #include #include diff --git a/gcc/testsuite/gcc.dg/analyzer/torture/taint-read-index-2.c b/gcc/testsuite/gcc.dg/analyzer/torture/taint-read-index-2.c index b3dc177cb14..81421330e8d 100644 --- a/gcc/testsuite/gcc.dg/analyzer/torture/taint-read-index-2.c +++ b/gcc/testsuite/gcc.dg/analyzer/torture/taint-read-index-2.c 
@@ -1,5 +1,3 @@ -// TODO: remove need for the taint option: -/* { dg-additional-options "-fanalyzer-checker=taint" } */ /* { dg-skip-if "" { *-*-* } { "-fno-fat-lto-objects" } { "" } } */ #define LOWER_LIMIT 5 diff --git a/gcc/testsuite/gcc.dg/analyzer/torture/taint-read-index-3.c b/gcc/testsuite/gcc.dg/analyzer/torture/taint-read-index-3.c index 8eb6061a08b..86bdedede7e 100644 --- a/gcc/testsuite/gcc.dg/analyzer/torture/taint-read-index-3.c +++ b/gcc/testsuite/gcc.dg/analyzer/torture/taint-read-index-3.c @@ -1,5 +1,3 @@ -// TODO: remove need for the taint option: -/* { dg-additional-options "-fanalyzer-checker=taint" } */ /* { dg-skip-if "" { *-*-* } { "-fno-fat-lto-objects" } { "" } } */ struct raw_ep { diff --git a/gcc/testsuite/gcc.dg/plugin/taint-CVE-2011-0521-1-fixed.c b/gcc/testsuite/gcc.dg/plugin/taint-CVE-2011-0521-1-fixed.c index 0ca8137c3ef..51526b831c0 100644 --- a/gcc/testsuite/gcc.dg/plugin/taint-CVE-2011-0521-1-fixed.c +++ b/gcc/testsuite/gcc.dg/plugin/taint-CVE-2011-0521-1-fixed.c @@ -1,7 +1,6 @@ /* { dg-do compile } */ -// TODO: remove need for -fanalyzer-checker=taint here: -/* { dg-options "-fanalyzer -fanalyzer-checker=taint" } */ /* { dg-require-effective-target analyzer } */ +/* { dg-additional-options "-Wno-pedantic" } */ /* See notes in this header. */ #include "taint-CVE-2011-0521.h" diff --git a/gcc/testsuite/gcc.dg/plugin/taint-CVE-2011-0521-1.c b/gcc/testsuite/gcc.dg/plugin/taint-CVE-2011-0521-1.c index cde12b3b761..3d11a75073c 100644 --- a/gcc/testsuite/gcc.dg/plugin/taint-CVE-2011-0521-1.c +++ b/gcc/testsuite/gcc.dg/plugin/taint-CVE-2011-0521-1.c @@ -1,6 +1,5 @@ /* { dg-do compile } */ -// TODO: remove need for -fanalyzer-checker=taint here: -/* { dg-options "-fanalyzer -fanalyzer-checker=taint" } */ +/* { dg-additional-options "-Wno-pedantic" } */ /* { dg-require-effective-target analyzer } */ /* See notes in this header. */ 
diff --git a/gcc/testsuite/gcc.dg/plugin/taint-CVE-2011-0521-2-fixed.c b/gcc/testsuite/gcc.dg/plugin/taint-CVE-2011-0521-2-fixed.c index 8a211cefe4e..d035266b16a 100644 --- a/gcc/testsuite/gcc.dg/plugin/taint-CVE-2011-0521-2-fixed.c +++ b/gcc/testsuite/gcc.dg/plugin/taint-CVE-2011-0521-2-fixed.c @@ -1,14 +1,10 @@ /* { dg-do compile } */ -// TODO: remove need for -fanalyzer-checker=taint here: -/* { dg-options "-fanalyzer -fanalyzer-checker=taint" } */ +/* { dg-additional-options "-Wno-pedantic" } */ /* { dg-require-effective-target analyzer } */ /* See notes in this header. */ #include "taint-CVE-2011-0521.h" -// TODO: remove need for this option -/* { dg-additional-options "-fanalyzer-checker=taint" } */ - /* Adapted from drivers/media/dvb/ttpci/av7110_ca.c */ int dvb_ca_ioctl(struct file *file, unsigned int cmd, void *parg) diff --git a/gcc/testsuite/gcc.dg/plugin/taint-CVE-2011-0521-2.c b/gcc/testsuite/gcc.dg/plugin/taint-CVE-2011-0521-2.c index 30cab38e002..5270e22f1a3 100644 --- a/gcc/testsuite/gcc.dg/plugin/taint-CVE-2011-0521-2.c +++ b/gcc/testsuite/gcc.dg/plugin/taint-CVE-2011-0521-2.c @@ -1,7 +1,6 @@ /* { dg-do compile } */ -// TODO: remove need for -fanalyzer-checker=taint here: -/* { dg-options "-fanalyzer -fanalyzer-checker=taint" } */ /* { dg-require-effective-target analyzer } */ +/* { dg-additional-options "-Wno-pedantic" } */ /* See notes in this header. */ #include "taint-CVE-2011-0521.h" diff --git a/gcc/testsuite/gcc.dg/plugin/taint-CVE-2011-0521-3-fixed.c b/gcc/testsuite/gcc.dg/plugin/taint-CVE-2011-0521-3-fixed.c index b7852b40dcf..b8268fa4a82 100644 --- a/gcc/testsuite/gcc.dg/plugin/taint-CVE-2011-0521-3-fixed.c +++ b/gcc/testsuite/gcc.dg/plugin/taint-CVE-2011-0521-3-fixed.c 
@@ -1,14 +1,10 @@ /* { dg-do compile } */ -// TODO: remove need for -fanalyzer-checker=taint here: -/* { dg-options "-fanalyzer -fanalyzer-checker=taint" } */ /* { dg-require-effective-target analyzer } */ +/* { dg-additional-options "-Wno-pedantic" } */ /* See notes in this header. */ #include "taint-CVE-2011-0521.h" -// TODO: remove need for this option -/* { dg-additional-options "-fanalyzer-checker=taint" } */ - /* Adapted from drivers/media/dvb/ttpci/av7110_ca.c */ int dvb_ca_ioctl(struct file *file, unsigned int cmd, void *parg) diff --git a/gcc/testsuite/gcc.dg/plugin/taint-CVE-2011-0521-3.c b/gcc/testsuite/gcc.dg/plugin/taint-CVE-2011-0521-3.c index 6b9e034eea7..86868a017c4 100644 --- a/gcc/testsuite/gcc.dg/plugin/taint-CVE-2011-0521-3.c +++ b/gcc/testsuite/gcc.dg/plugin/taint-CVE-2011-0521-3.c @@ -1,7 +1,6 @@ /* { dg-do compile } */ -// TODO: remove need for -fanalyzer-checker=taint here: -/* { dg-options "-fanalyzer -fanalyzer-checker=taint" } */ /* { dg-require-effective-target analyzer } */ +/* { dg-additional-options "-Wno-pedantic" } */ /* See notes in this header. */ #include "taint-CVE-2011-0521.h" @@ -21,7 +20,7 @@ int dvb_ca_ioctl(struct file *file, unsigned int cmd, void *parg) if (info->num > 1) return -EINVAL; av7110->ci_slot[info->num].num = info->num; /* { dg-warning "attacker-controlled value" "" { xfail *-*-* } } */ - // TODO(xfail) + /* TODO(xfail). */ av7110->ci_slot[info->num].type = FW_CI_LL_SUPPORT(av7110->arm_app) ? CA_CI_LINK : CA_CI; memcpy(info, &av7110->ci_slot[info->num], sizeof(ca_slot_info_t)); diff --git a/gcc/testsuite/gcc.dg/plugin/taint-CVE-2011-0521-4.c b/gcc/testsuite/gcc.dg/plugin/taint-CVE-2011-0521-4.c index f314c64ce70..06b3468fca5 100644 --- a/gcc/testsuite/gcc.dg/plugin/taint-CVE-2011-0521-4.c +++ b/gcc/testsuite/gcc.dg/plugin/taint-CVE-2011-0521-4.c 
@@ -1,8 +1,7 @@ /* { dg-do compile } */ -// TODO: remove need for -fanalyzer-checker=taint here: // TODO: remove need for --param=analyzer-max-svalue-depth=25 here: -/* { dg-options "-fanalyzer -fanalyzer-checker=taint --param=analyzer-max-svalue-depth=25" } */ -/* { dg-options "-fanalyzer -fanalyzer-checker=taint" } */ +/* { dg-options "-fanalyzer --param=analyzer-max-svalue-depth=25" } */ +/* { dg-additional-options "-Wno-pedantic" } */ /* { dg-require-effective-target analyzer } */ /* See notes in this header. */ @@ -32,11 +31,10 @@ int test_1(struct file *file, unsigned int cmd, unsigned long arg) if (info->num > 1) return -EINVAL; - av7110->ci_slot[info->num].num = info->num; /* { dg-warning "attacker-controlled value" "" { xfail *-*-* } } */ - // TODO(xfail) - av7110->ci_slot[info->num].type = FW_CI_LL_SUPPORT(av7110->arm_app) ? + av7110->ci_slot[info->num].num = info->num; /* { dg-warning "attacker-controlled value" } */ + av7110->ci_slot[info->num].type = FW_CI_LL_SUPPORT(av7110->arm_app) ? /* { dg-warning "attacker-controlled value" } */ CA_CI_LINK : CA_CI; - memcpy(info, &av7110->ci_slot[info->num], sizeof(ca_slot_info_t)); + memcpy(info, &av7110->ci_slot[info->num], sizeof(ca_slot_info_t)); /* { dg-warning "attacker-controlled value" } */ } copy_to_user((void __user *)arg, parg, sizeof(sbuf)); diff --git a/gcc/testsuite/gcc.dg/plugin/taint-CVE-2011-0521-5-fixed.c b/gcc/testsuite/gcc.dg/plugin/taint-CVE-2011-0521-5-fixed.c index 2e74770a7a3..076ada3a20a 100644 --- a/gcc/testsuite/gcc.dg/plugin/taint-CVE-2011-0521-5-fixed.c +++ b/gcc/testsuite/gcc.dg/plugin/taint-CVE-2011-0521-5-fixed.c 
@@ -1,7 +1,7 @@ /* { dg-do compile } */ -// TODO: remove need for -fanalyzer-checker=taint here: // TODO: remove need for --param=analyzer-max-svalue-depth=25 here: -/* { dg-options "-fanalyzer -fanalyzer-checker=taint --param=analyzer-max-svalue-depth=25" } */ +/* { dg-options "-fanalyzer --param=analyzer-max-svalue-depth=25" } */ +/* { dg-additional-options "-Wno-pedantic" } */ /* { dg-require-effective-target analyzer } */ /* On darwin, system headers are fortified, which defeats the analysis. Turn it off. */ diff --git a/gcc/testsuite/gcc.dg/plugin/taint-CVE-2011-0521-5.c b/gcc/testsuite/gcc.dg/plugin/taint-CVE-2011-0521-5.c index 021d458b66e..e27ee469df8 100644 --- a/gcc/testsuite/gcc.dg/plugin/taint-CVE-2011-0521-5.c +++ b/gcc/testsuite/gcc.dg/plugin/taint-CVE-2011-0521-5.c @@ -1,7 +1,7 @@ /* { dg-do compile } */ -// TODO: remove need for -fanalyzer-checker=taint here: // TODO: remove need for --param=analyzer-max-svalue-depth=25 here: -/* { dg-options "-fanalyzer -fanalyzer-checker=taint --param=analyzer-max-svalue-depth=25" } */ +/* { dg-options "-fanalyzer --param=analyzer-max-svalue-depth=25" } */ +/* { dg-additional-options "-Wno-pedantic" } */ /* { dg-require-effective-target analyzer } */ /* On darwin, system headers are fortified, which defeats the analysis. Turn it off. */ diff --git a/gcc/testsuite/gcc.dg/plugin/taint-CVE-2011-0521-6.c b/gcc/testsuite/gcc.dg/plugin/taint-CVE-2011-0521-6.c index f27e9eb5f02..fea70ee5761 100644 --- a/gcc/testsuite/gcc.dg/plugin/taint-CVE-2011-0521-6.c +++ b/gcc/testsuite/gcc.dg/plugin/taint-CVE-2011-0521-6.c 
@@ -1,7 +1,7 @@ /* { dg-do compile } */ -// TODO: remove need for -fanalyzer-checker=taint here: // TODO: remove need for --param=analyzer-max-svalue-depth=25 here: -/* { dg-options "-fanalyzer -fanalyzer-checker=taint --param=analyzer-max-svalue-depth=25" } */ +/* { dg-options "-fanalyzer --param=analyzer-max-svalue-depth=25" } */ +/* { dg-additional-options "-Wno-pedantic" } */ /* { dg-require-effective-target analyzer } */ /* On darwin, system headers are fortified, which defeats the analysis. Turn it off. */ diff --git a/gcc/testsuite/gcc.dg/plugin/taint-antipatterns-1.c b/gcc/testsuite/gcc.dg/plugin/taint-antipatterns-1.c index 6bb6f1be25c..cdd9a4f1f50 100644 --- a/gcc/testsuite/gcc.dg/plugin/taint-antipatterns-1.c +++ b/gcc/testsuite/gcc.dg/plugin/taint-antipatterns-1.c @@ -1,6 +1,5 @@ /* { dg-do compile } */ -// TODO: remove need for -fanalyzer-checker=taint here: -/* { dg-options "-fanalyzer -fanalyzer-checker=taint" } */ +/* { dg-options "-fanalyzer" } */ /* { dg-require-effective-target analyzer } */ #include "test-uaccess.h"
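Review bot: in taint-realloc.c, the new `/* { dg-warning "leak of 'q'" } */` on the closing brace of test_1 ties a taint test to the leak diagnostic, so a later change to leak reporting would fail a test that exists to check the `use of attacker-controlled value 'sz' as allocation size without upper-bounds checking` warning. Consider freeing `q` before the function returns, or passing `-Wno-analyzer-malloc-leak` through dg-additional-options, so the file asserts only on taint behaviour.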
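Review bot: in the deleted taint-ops.c, test_1 (`char b = -a;`) sits above the "Copies of code from data-model-1.c" comment, so unlike test_20 and test_21 it is not stated to have a duplicate elsewhere. Before removing the file, confirm that unary negation of a char is covered by another analyzer test, or move test_1 into one, and say so in the ChangeLog entry.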
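Review bot: in the second hunk of taint-CVE-2011-0521-4.c, the three directives that replace the xfail all match only `"attacker-controlled value"`, so they would still pass if the analyzer reported a different value or a different kind of use on those lines. Tightening each pattern to name the value and the use, in the way taint-realloc.c spells out `'sz' as allocation size without upper-bounds checking`, would make the test pin down the diagnostic it is meant to cover. The directive on the `.type = FW_CI_LL_SUPPORT(av7110->arm_app) ?` line is attached to the first line of a statement that continues on the next line, so it is also worth confirming that the warning location is stable there.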
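Review bot: the header hunks for taint-CVE-2011-0521-1-fixed.c, -1.c, -2-fixed.c, -2.c, -3-fixed.c and -3.c remove the `dg-options "-fanalyzer -fanalyzer-checker=taint"` line and add only `dg-additional-options "-Wno-pedantic"`, leaving no `-fanalyzer` in those files, whereas -4.c, -5-fixed.c, -5.c, -6.c and taint-antipatterns-1.c keep a `dg-options "-fanalyzer ..."` line. Please confirm that the harness still passes `-fanalyzer` for the first group, since otherwise their dg-warning expectations are not exercised, and make the two groups consistent. The new `-Wno-pedantic` is also unexplained in the visible hunks and is placed before `dg-require-effective-target` in some files and after it in others; a one-line comment on why it is needed and a single ordering would help.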