From patchwork Thu Jan 25 15:09:26 2024
X-Patchwork-Submitter: David Malcolm
X-Patchwork-Id: 192123
From: David Malcolm
To: gcc-patches@gcc.gnu.org
Cc: David Malcolm
Subject: [pushed] analyzer: fix defaults in compound assignments from non-zero offsets [PR112969]
Date: Thu, 25 Jan 2024 10:09:26 -0500
Message-Id: <20240125150926.1598387-1-dmalcolm@redhat.com>

Confusion in binding_cluster::maybe_get_compound_binding about whether
offsets are relative to the start of the region or to the start of the
cluster was leading to incorrect handling of default values, leading to
false positives from -Wanalyzer-use-of-uninitialized-value, from
-Wanalyzer-exposure-through-uninit-copy, and other logic errors.

Fixed thusly.

Successfully bootstrapped & regrtested on x86_64-pc-linux-gnu.
Successful run of analyzer integration tests on x86_64-pc-linux-gnu.
Pushed to trunk as r14-8428-g6426d466779fa8.

gcc/analyzer/ChangeLog:
	PR analyzer/112969
	* store.cc (binding_cluster::maybe_get_compound_binding): When
	populating default_map, express the bit-range of the default key
	for REG relative to REG, rather than to the base region.
gcc/testsuite/ChangeLog: PR analyzer/112969 * c-c++-common/analyzer/compound-assignment-5.c (test_3): Remove xfails, reorder tests. * c-c++-common/analyzer/compound-assignment-pr112969.c: New test. * gcc.dg/plugin/infoleak-pr112969.c: New test. * gcc.dg/plugin/plugin.exp: Add infoleak-pr112969.c to analyzer_kernel_plugin.c tests. Signed-off-by: David Malcolm --- gcc/analyzer/store.cc | 11 +++- .../analyzer/compound-assignment-5.c | 3 +- .../analyzer/compound-assignment-pr112969.c | 35 +++++++++++++ .../gcc.dg/plugin/infoleak-pr112969.c | 52 +++++++++++++++++++ gcc/testsuite/gcc.dg/plugin/plugin.exp | 1 + 5 files changed, 99 insertions(+), 3 deletions(-) create mode 100644 gcc/testsuite/c-c++-common/analyzer/compound-assignment-pr112969.c create mode 100644 gcc/testsuite/gcc.dg/plugin/infoleak-pr112969.c diff --git a/gcc/analyzer/store.cc b/gcc/analyzer/store.cc index 67c90b7fce4..e85a19647f7 100644 --- a/gcc/analyzer/store.cc +++ b/gcc/analyzer/store.cc @@ -1759,7 +1759,16 @@ binding_cluster::maybe_get_compound_binding (store_manager *mgr, else default_sval = sval_mgr->get_or_create_initial_value (reg); const binding_key *default_key = binding_key::make (mgr, reg); - default_map.put (default_key, default_sval); + + /* Express the bit-range of the default key for REG relative to REG, + rather than to the base region. */ + const concrete_binding *concrete_default_key + = default_key->dyn_cast_concrete_binding (); + if (!concrete_default_key) + return nullptr; + const concrete_binding *default_key_relative_to_reg + = mgr->get_concrete_binding (0, concrete_default_key->get_size_in_bits ()); + default_map.put (default_key_relative_to_reg, default_sval); for (map_t::iterator iter = m_map.begin (); iter != m_map.end (); ++iter) { diff --git a/gcc/testsuite/c-c++-common/analyzer/compound-assignment-5.c b/gcc/testsuite/c-c++-common/analyzer/compound-assignment-5.c index 3ce2b72c8ff..08f10606d91 100644 --- a/gcc/testsuite/c-c++-common/analyzer/compound-assignment-5.c 
+++ b/gcc/testsuite/c-c++-common/analyzer/compound-assignment-5.c @@ -48,9 +48,8 @@ void test_3 (void) glob_arr3[7] = arr[3]; // or should the uninit warning be here? - __analyzer_eval (glob_arr3[7].x); /* { dg-warning "uninitialized" "uninit" { xfail *-*-* } } */ - /* { dg-bogus "UNKNOWN" "unknown" { xfail *-*-* } .-1 } */ __analyzer_eval (glob_arr3[7].y == 6); /* { dg-warning "TRUE" } */ + __analyzer_eval (glob_arr3[7].x); /* { dg-warning "uninitialized" "uninit" } */ } /* Symbolic bindings: copying from one array to another. */ diff --git a/gcc/testsuite/c-c++-common/analyzer/compound-assignment-pr112969.c b/gcc/testsuite/c-c++-common/analyzer/compound-assignment-pr112969.c new file mode 100644 index 00000000000..4bc037cb7cf --- /dev/null +++ b/gcc/testsuite/c-c++-common/analyzer/compound-assignment-pr112969.c @@ -0,0 +1,35 @@ +/* Reduced from -Wanalyzer-exposure-through-uninit-copy false positives + seen in Linux kernel in drivers/net/ethernet/intel/ice/ice_ptp.c */ + +#include "analyzer-decls.h" + +/* { dg-do compile } */ + +struct hwtstamp_config +{ + int flags; + int tx_type; + int rx_filter; +}; + +struct ice_ptp +{ + long placeholder; + struct hwtstamp_config tstamp_config; +}; + +struct ice_pf +{ + struct ice_ptp ptp; +}; + +void +ice_ptp_set_ts_config(struct ice_pf* pf) +{ + struct hwtstamp_config config; + pf->ptp.tstamp_config.tx_type = 1; + pf->ptp.tstamp_config.rx_filter = 2; + config = pf->ptp.tstamp_config; + __analyzer_eval (config.flags == pf->ptp.tstamp_config.flags); /* { dg-warning "TRUE" } */ + /* { dg-bogus "use of uninitialized value 'config.flags'" "PR analyzer/112969" { target *-*-* } .-1 } */ +} diff --git a/gcc/testsuite/gcc.dg/plugin/infoleak-pr112969.c b/gcc/testsuite/gcc.dg/plugin/infoleak-pr112969.c new file mode 100644 index 00000000000..e78fe365975 --- /dev/null +++ b/gcc/testsuite/gcc.dg/plugin/infoleak-pr112969.c 
@@ -0,0 +1,52 @@ +/* Reduced from -Wanalyzer-exposure-through-uninit-copy false positives + seen in Linux kernel in drivers/net/ethernet/intel/ice/ice_ptp.c */ + +/* { dg-do compile } */ +/* { dg-options "-fanalyzer" } */ +/* { dg-require-effective-target analyzer } */ + +extern unsigned long +copy_from_user(void* to, const void* from, unsigned long n); + +extern unsigned long +copy_to_user(void* to, const void* from, unsigned long n); + +struct ifreq +{ + union + { + void* ifru_data; + } ifr_ifru; +}; + +struct hwtstamp_config +{ + int flags; + int tx_type; + int rx_filter; +}; + +struct ice_ptp +{ + long placeholder; + struct hwtstamp_config tstamp_config; +}; + +struct ice_pf +{ + struct ice_ptp ptp; +}; +int +ice_ptp_set_ts_config(struct ice_pf* pf, struct ifreq* ifr) +{ + struct hwtstamp_config config; + int err; + if (copy_from_user(&config, ifr->ifr_ifru.ifru_data, sizeof(config))) + return -14; + pf->ptp.tstamp_config.tx_type = 0; + pf->ptp.tstamp_config.rx_filter = 0; + config = pf->ptp.tstamp_config; + if (copy_to_user(ifr->ifr_ifru.ifru_data, &config, sizeof(config))) /* { dg-bogus "-Wanalyzer-exposure-through-uninit-copy" "PR analyzer/112969" } */ + return -14; + return 0; +} diff --git a/gcc/testsuite/gcc.dg/plugin/plugin.exp b/gcc/testsuite/gcc.dg/plugin/plugin.exp index 8141cc2aa46..c26dda1f324 100644 --- a/gcc/testsuite/gcc.dg/plugin/plugin.exp +++ b/gcc/testsuite/gcc.dg/plugin/plugin.exp @@ -150,6 +150,7 @@ set plugin_test_list [list \ infoleak-CVE-2017-18550-1.c \ infoleak-antipatterns-1.c \ infoleak-fixit-1.c \ + infoleak-pr112969.c \ infoleak-uninit-size-1.c \ infoleak-uninit-size-2.c \ infoleak-net-ethtool-ioctl.c \
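Review bot: in the gcc/analyzer/store.cc hunk, the new `if (!concrete_default_key) return nullptr;` is a behaviour change that neither the in-code comment nor the ChangeLog entry covers: before this change a non-concrete default key was stored in `default_map` as-is, after it the whole compound binding is given up on. Either extend the comment to say why a symbolic key cannot be re-expressed relative to REG (so the caller is expected to fall back to its other handling), or add a sentence to the ChangeLog saying that compound bindings for regions without a concrete default key are now abandoned. The translation itself, `mgr->get_concrete_binding (0, concrete_default_key->get_size_in_bits ())`, looks right provided `binding_key::make (mgr, reg)` always yields a key covering the whole of REG, since only then is "offset 0 relative to REG" the correct start; a comment stating that assumption next to the call would make the invariant checkable.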
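Review bot: in the compound-assignment-5.c hunk, the ChangeLog says the two `__analyzer_eval` calls in `test_3` are reordered but not why. If the `glob_arr3[7].y == 6` check has to run before the read of `glob_arr3[7].x` because the uninitialized-value diagnostic ends the analysis path, a one-line comment in the test would stop someone later restoring the old order and re-introducing a spurious failure. The `// or should the uninit warning be here?` remark on the `glob_arr3[7] = arr[3];` line also reads as stale now that the xfails are gone; either answer it in the comment or drop it.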
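Review bot: the new compound-assignment-pr112969.c only checks the member that previously produced the false positive (`config.flags`); adding `__analyzer_eval (config.tx_type == 1);` and `__analyzer_eval (config.rx_filter == 2);` with `/* { dg-warning "TRUE" } */` would also pin down that the explicitly bound members at non-zero offsets survive the re-keying of the default. The `long placeholder;` member exists purely to push `tstamp_config` to a non-zero offset inside `ice_pf`, which is the precondition for the bug, so a comment saying so would make the reduction easier to read. Minor: the `/* { dg-do compile } */` directive is conventionally placed before the `#include`.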
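Review bot: in infoleak-pr112969.c, `return -14;` is a bare magic number where the driver it is reduced from returns `-EFAULT`; a `#define EFAULT 14` and `return -EFAULT;` keeps the reduction readable. It is also worth a comment that the `dg-bogus` on the `copy_to_user` line hinges on `config.flags`: after `config = pf->ptp.tstamp_config;` that member holds `pf->ptp.tstamp_config.flags`, which the function never writes, so the test passes only if the analyzer treats it as the initial value of the caller-supplied `pf` rather than as uninitialized, which is exactly what the store.cc change restores. Stating that in the test ties the expectation to the PR rather than leaving the reader to rediscover it.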
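The commit message above describes the root cause as offsets being read in two different coordinate systems (relative to the base region versus relative to the sub-region REG). The following is an added toy model, not code from GCC's analyzer: `BitRange`, `compound_binding`, `read_field`, the cluster contents and the symbolic value strings are all constructed for illustration. It reproduces the effect on the layout from the new test case: with the default key expressed relative to the base region, a member that has no explicit binding is not covered by the default and reads as uninitialized (the false positive), while with the key expressed relative to REG the same member falls back to REG's initial value.

```python
"""Toy model of the offset mix-up fixed in PR analyzer/112969.

Added illustration, not GCC analyzer code.  A cluster holds bindings keyed
by bit ranges relative to the *base* region; a compound binding built for a
sub-region REG must be keyed relative to *REG*.  If the default key is left
in base-relative coordinates, members of REG with no explicit binding are
not covered by it and read back as uninitialized.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class BitRange:
    start: int  # bit offset
    size: int   # size in bits

    @property
    def end(self) -> int:
        return self.start + self.size

    def contains(self, other: "BitRange") -> bool:
        return self.start <= other.start and other.end <= self.end


UNINIT = "UNINIT"  # stands in for the analyzer's poisoned value


def compound_binding(cluster: dict, reg: BitRange, default, fix_offsets: bool) -> dict:
    """Build a compound value for REG from CLUSTER (whose keys are base-relative)."""
    default_map = {}
    if fix_offsets:
        # The fix: the default key covers all of REG, starting at REG's own offset 0.
        default_key = BitRange(0, reg.size)
    else:
        # The bug: REG's base-relative range used as if it were REG-relative.
        default_key = BitRange(reg.start, reg.size)
    default_map[default_key] = default

    # Explicit bindings inside REG, translated into REG-relative offsets.
    explicit = {}
    for key, val in cluster.items():
        if reg.contains(key):
            explicit[BitRange(key.start - reg.start, key.size)] = val
    return {"default": default_map, "explicit": explicit}


def read_field(compound: dict, field: BitRange):
    """Read FIELD (REG-relative) from the compound value, falling back to the default."""
    if field in compound["explicit"]:
        return compound["explicit"][field]
    for key, val in compound["default"].items():
        if key.contains(field):
            return val
    return UNINIT


# Layout from the reduced test case (constructed sizes: long = 64 bits, int = 32):
#   struct ice_pf { struct ice_ptp { long placeholder; struct hwtstamp_config tstamp_config; } ptp; }
LONG_BITS, INT_BITS = 64, 32
TSTAMP_CONFIG = BitRange(LONG_BITS, 3 * INT_BITS)  # bits [64, 160) of pf
FIELDS = {
    "flags": BitRange(0, INT_BITS),
    "tx_type": BitRange(INT_BITS, INT_BITS),
    "rx_filter": BitRange(2 * INT_BITS, INT_BITS),
}


def demo(fix_offsets: bool) -> dict:
    """Model `config = pf->ptp.tstamp_config;` after the two member assignments."""
    # Constructed cluster for `pf`: only tx_type and rx_filter were assigned.
    cluster = {
        BitRange(TSTAMP_CONFIG.start + FIELDS["tx_type"].start, INT_BITS): 1,
        BitRange(TSTAMP_CONFIG.start + FIELDS["rx_filter"].start, INT_BITS): 2,
    }
    default = "INIT(pf->ptp.tstamp_config)"  # symbolic initial value of REG
    comp = compound_binding(cluster, TSTAMP_CONFIG, default, fix_offsets)
    return {name: read_field(comp, rng) for name, rng in FIELDS.items()}


if __name__ == "__main__":
    print("base-relative default key (bug): ", demo(fix_offsets=False))
    print("REG-relative default key (fix):  ", demo(fix_offsets=True))
```

Running it shows `flags` as `UNINIT` in the buggy variant and as the initial value of `pf->ptp.tstamp_config` in the fixed one, while `tx_type` and `rx_filter` resolve to their explicit bindings either way, which is why the original test only tripped on the member that had not been assigned.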