From: David Malcolm
To: gcc-patches@gcc.gnu.org
Cc: David Malcolm
Subject: [pushed] analyzer: remove offset_region size overloads [PR111266]
Date: Thu, 15 Feb 2024 16:04:53 -0500
Message-Id: <20240215210453.2830550-1-dmalcolm@redhat.com>

PR analyzer/111266 reports a missing -Wanalyzer-out-of-bounds when
accessing relative to a concrete byte offset.

Root cause is that offset_region::get_{byte,bit}_size_sval were
attempting to compute the size that's valid to access, rather than the
size of the access attempt.

Fixed by removing these vfunc overrides from offset_region as the base
class implementation does the right thing.

Successfully bootstrapped & regrtested on x86_64-pc-linux-gnu.
Successful run of analyzer integration tests on x86_64-pc-linux-gnu.
Pushed to trunk as r14-9018-g617bd59c659dcf.

gcc/analyzer/ChangeLog:
    PR analyzer/111266
    * region.cc (offset_region::get_byte_size_sval): Delete.
    (offset_region::get_bit_size_sval): Delete.
    * region.h (region::get_byte_size): Add comment clarifying that
    this relates to the size of the access, rather than the size that's
    valid to access.
    (region::get_bit_size): Likewise.
(region::get_byte_size_sval): Likewise. (region::get_bit_size_sval): Likewise. (offset_region::get_byte_size_sval): Delete. (offset_region::get_bit_size_sval): Delete. gcc/testsuite/ChangeLog: PR analyzer/111266 * c-c++-common/analyzer/out-of-bounds-pr111266.c: New test. Signed-off-by: David Malcolm --- gcc/analyzer/region.cc | 48 ------------------- gcc/analyzer/region.h | 20 ++++---- .../analyzer/out-of-bounds-pr111266.c | 11 +++++ 3 files changed, 23 insertions(+), 56 deletions(-) create mode 100644 gcc/testsuite/c-c++-common/analyzer/out-of-bounds-pr111266.c diff --git a/gcc/analyzer/region.cc b/gcc/analyzer/region.cc index 249852a7da8..50821a59230 100644 --- a/gcc/analyzer/region.cc +++ b/gcc/analyzer/region.cc 
@@ -1990,54 +1990,6 @@ offset_region::get_relative_symbolic_offset (region_model_manager *mgr return get_byte_offset (); } -/* Implementation of region::get_byte_size_sval vfunc for offset_region. */ - -const svalue * -offset_region::get_byte_size_sval (region_model_manager *mgr) const -{ - tree offset_cst = get_byte_offset ()->maybe_get_constant (); - byte_size_t byte_size; - /* If the offset points in the middle of the region, - return the remaining bytes. */ - if (get_byte_size (&byte_size) && offset_cst) - { - byte_size_t offset = wi::to_offset (offset_cst); - byte_range r (0, byte_size); - if (r.contains_p (offset)) - { - tree remaining_byte_size = wide_int_to_tree (size_type_node, - byte_size - offset); - return mgr->get_or_create_constant_svalue (remaining_byte_size); - } - } - - return region::get_byte_size_sval (mgr); -} - -/* Implementation of region::get_bit_size_sval vfunc for offset_region. */ - -const svalue * -offset_region::get_bit_size_sval (region_model_manager *mgr) const -{ - tree offset_cst = get_bit_offset (mgr)->maybe_get_constant (); - bit_size_t bit_size; - /* If the offset points in the middle of the region, - return the remaining bits. */ - if (get_bit_size (&bit_size) && offset_cst) - { - bit_size_t offset = wi::to_offset (offset_cst); - bit_range r (0, bit_size); - if (r.contains_p (offset)) - { - tree remaining_bit_size = wide_int_to_tree (size_type_node, - bit_size - offset); - return mgr->get_or_create_constant_svalue (remaining_bit_size); - } - } - - return region::get_bit_size_sval (mgr); -} - /* class sized_region : public region. */ /* Implementation of region::accept vfunc for sized_region. */ diff --git a/gcc/analyzer/region.h b/gcc/analyzer/region.h index 3d3ff8eccbf..70557babbc0 100644 --- a/gcc/analyzer/region.h +++ b/gcc/analyzer/region.h 
@@ -187,20 +187,28 @@ public: /* Attempt to get the size of this region as a concrete number of bytes. If successful, return true and write the size to *OUT. - Otherwise return false. */ + Otherwise return false. + This is the accessed size, not necessarily the size that's valid to + access. */ virtual bool get_byte_size (byte_size_t *out) const; /* Attempt to get the size of this region as a concrete number of bits. If successful, return true and write the size to *OUT. - Otherwise return false. */ + Otherwise return false. + This is the accessed size, not necessarily the size that's valid to + access. */ virtual bool get_bit_size (bit_size_t *out) const; /* Get a symbolic value describing the size of this region in bytes - (which could be "unknown"). */ + (which could be "unknown"). + This is the accessed size, not necessarily the size that's valid to + access. */ virtual const svalue *get_byte_size_sval (region_model_manager *mgr) const; /* Get a symbolic value describing the size of this region in bits - (which could be "unknown"). */ + (which could be "unknown"). + This is the accessed size, not necessarily the size that's valid to + access. */ virtual const svalue *get_bit_size_sval (region_model_manager *mgr) const; /* Attempt to get the offset in bits of this region relative to its parent. @@ -978,10 +986,6 @@ public: bool get_relative_concrete_offset (bit_offset_t *out) const final override; const svalue *get_relative_symbolic_offset (region_model_manager *mgr) const final override; - const svalue * get_byte_size_sval (region_model_manager *mgr) - const final override; - const svalue * get_bit_size_sval (region_model_manager *mgr) - const final override; private: const svalue *m_byte_offset; diff --git a/gcc/testsuite/c-c++-common/analyzer/out-of-bounds-pr111266.c b/gcc/testsuite/c-c++-common/analyzer/out-of-bounds-pr111266.c new file mode 100644 index 00000000000..cee36630baa --- /dev/null +++ b/gcc/testsuite/c-c++-common/analyzer/out-of-bounds-pr111266.c 
@@ -0,0 +1,11 @@ +#include +void *malloc (__SIZE_TYPE__); +void free (void *); + +void test_binop2 () +{ + char *p = (char *) malloc (4); + int32_t *i = (int32_t *) (p + 3); + *i = 20042; /* { dg-warning "heap-based buffer overflow" } */ + free (p); +}
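
Review bot: in the gcc/analyzer/region.cc hunk, offset_region::get_bit_size_sval is deleted alongside the byte variant, but the only test added by this patch is an int32_t store at a byte offset (p + 3), so nothing visible here shows the bit-size path being exercised. Consider adding a case that reaches a bit-level access at a concrete offset, so that both deletions are pinned down by the testsuite.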
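
Review bot: in the first gcc/analyzer/region.h hunk (@@ -187,20 +187,28 @@), the new sentence "This is the accessed size, not necessarily the size that's valid to access." is repeated on all four accessors but never says where a caller should obtain the valid-to-access size instead. One extra clause pointing at the right source would help keep a future caller from repeating the confusion that the removed overrides encoded.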
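
Review bot: in the second gcc/analyzer/region.h hunk (@@ -978,10 +986,6 @@), the two declarations are dropped from offset_region without leaving any trace in the class of why the size accessors must not be overridden there. A short comment next to the remaining get_relative_*_offset overrides, saying that the size is deliberately inherited because it is the size of the access, would make it less likely that a "remaining bytes" override gets reintroduced.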
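
Review bot: the new test out-of-bounds-pr111266.c checks only the positive case (the int32_t store at p + 3 must warn) and has no in-bounds counterpart. Since the removal changes the size reported for every offset_region, a second function with an access at a concrete offset that still fits in the 4-byte allocation, expected to produce no warning, would guard against new false positives. Separately, the "#include" line as shown on this page carries no header name while the test uses int32_t, and test_binop2 is the only function in the file, so the "2" suffix has nothing to pair with.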
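
The size confusion described in the commit message, as an added toy model in C that is not part of the patch and is not GCC code. All names are hypothetical, and it assumes the size the deleted override started from was the size of the accessed type.

```c
/* Toy model of "size valid to access" vs. "size of the access attempt".  */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* An access of ACCESS_SIZE bytes at byte OFFSET into CAPACITY bytes.  */
struct access { uint64_t capacity, offset, access_size; };

/* Mirrors the logic of the deleted override: when the offset lands inside
   [0, access_size), report only the "remaining" bytes.  */
static uint64_t size_remaining_model (const struct access *a)
{
  if (a->offset < a->access_size)
    return a->access_size - a->offset;
  return a->access_size;
}

/* Mirrors the behaviour after the fix: the size of the access itself.  */
static uint64_t size_accessed_model (const struct access *a)
{
  return a->access_size;
}

/* The bytes [offset, offset + size) must fit in the buffer.  Written
   without computing offset + size, so the check cannot wrap.  */
static bool in_bounds_p (const struct access *a, uint64_t size)
{
  return a->offset <= a->capacity && size <= a->capacity - a->offset;
}

int main (void)
{
  /* The case from the new test: malloc (4), int32_t store at p + 3.  */
  struct access a = { 4, 3, sizeof (int32_t) };
  printf ("remaining-size model: %s\n",
          in_bounds_p (&a, size_remaining_model (&a)) ? "no warning" : "overflow");
  printf ("accessed-size model:  %s\n",
          in_bounds_p (&a, size_accessed_model (&a)) ? "no warning" : "overflow");
  return 0;
}
```

With the remaining-size model the store is treated as a 1-byte access at offset 3 and passes the check, which is the missing warning the PR reports; with the accessed size it is a 4-byte access at offset 3 and is flagged.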