This patch kit makes improvements to the analyzer's new strlen implementation, and wires it up to strcpy and strcat.
For example, given: #include <string.h> void test (void) { char buf[10]; strcpy (buf, "hello world!"); } we now emit: demo.c: In function ‘test’: demo.c:6:3: warning: stack-based buffer overflow [CWE-121] [-Wanalyzer-out-of-bounds] 6 | strcpy (buf, "hello world!"); | ^~~~~~~~~~~~~~~~~~~~~~~~~~~~ ‘test’: events 1-2 | | 5 | char buf[10]; | | ^~~ | | | | | (1) capacity: 10 bytes | 6 | strcpy (buf, "hello world!"); | | ~~~~~~~~~~~~~~~~~~~~~~~~~~~~ | | | | | (2) out-of-bounds write from byte 10 till byte 12 but ‘buf’ ends at byte 10 | demo.c:6:3: note: write of 3 bytes to beyond the end of ‘buf’ 6 | strcpy (buf, "hello world!"); | ^~~~~~~~~~~~~~~~~~~~~~~~~~~~ demo.c:6:3: note: valid subscripts for ‘buf’ are ‘[0]’ to ‘[9]’ ┌─────┬─────┬────┬────┬────┬────┬────┬────┬────┬────┐┌─────┬─────┬─────┐ │ [0] │ [1] │[2] │[3] │[4] │[5] │[6] │[7] │[8] │[9] ││[10] │[11] │[12] │ ├─────┼─────┼────┼────┼────┼────┼────┼────┼────┼────┤├─────┼─────┼─────┤ │ ‘h’ │ ‘e’ │‘l’ │‘l’ │‘o’ │‘ ’ │‘w’ │‘o’ │‘r’ │‘l’ ││ ‘d’ │ ‘!’ │ NUL │ ├─────┴─────┴────┴────┴────┴────┴────┴────┴────┴────┴┴─────┴─────┴─────┤ │ string literal (type: ‘char[13]’) │ └──────────────────────────────────────────────────────────────────────┘ │ │ │ │ │ │ │ │ │ │ │ │ │ │ │ │ │ │ │ │ │ │ │ │ │ │ v v v v v v v v v v v v v ┌─────┬────────────────────────────────────────┬────┐┌─────────────────┐ │ [0] │ ... │[9] ││ │ ├─────┴────────────────────────────────────────┴────┤│after valid range│ │ ‘buf’ (type: ‘char[10]’) ││ │ └───────────────────────────────────────────────────┘└─────────────────┘ ├─────────────────────────┬─────────────────────────┤├────────┬────────┤ │ │ ╭─────────┴────────╮ ╭───────────┴──────────╮ │capacity: 10 bytes│ │⚠️ overflow of 3 bytes│ ╰──────────────────╯ ╰──────────────────────╯ in addition to the pre-existing: demo.c:6:3: warning: ‘__builtin_memcpy’ writing 13 bytes into a region of size 10 overflows the destination [-Wstringop-overflow=] demo.c:5:8: note: destination object ‘buf’ of size 10 5 | char buf[10]; | ^~~ Successfully bootstrapped & regrtested on x86_64-pc-linux-gnu. Pushed to trunk as r14-3461-g9aaec66917c96a through to r14-3469-gbbdc0e0d0042ae. David Malcolm (9): analyzer: add logging to impl_path_context analyzer: handle symbolic bindings in scan_for_null_terminator [PR105899] analyzer: reimplement kf_strcpy [PR105899] analyzer: eliminate region_model::get_string_size [PR105899] analyzer: reimplement kf_memcpy_memmove analyzer: handle strlen(INIT_VAL(STRING_REG)) [PR105899] analyzer: handle INIT_VAL(ELEMENT_REG(STRING_REG), CONSTANT_SVAL) [PR105899] analyzer: handle strlen(BITS_WITHIN) [PR105899] analyzer: implement kf_strcat [PR105899] gcc/analyzer/call-details.cc | 12 +- gcc/analyzer/call-details.h | 5 +- gcc/analyzer/engine.cc | 13 +- gcc/analyzer/kf.cc | 116 +++++--- gcc/analyzer/region-model-manager.cc | 19 ++ gcc/analyzer/region-model.cc | 261 +++++++++++++----- gcc/analyzer/region-model.h | 22 +- gcc/doc/invoke.texi | 1 + .../analyzer/out-of-bounds-diagram-16.c | 31 +++ gcc/testsuite/gcc.dg/analyzer/sprintf-1.c | 11 + gcc/testsuite/gcc.dg/analyzer/strcat-1.c | 136 +++++++++ gcc/testsuite/gcc.dg/analyzer/strcpy-1.c | 22 ++ gcc/testsuite/gcc.dg/analyzer/strcpy-3.c | 8 + gcc/testsuite/gcc.dg/analyzer/strcpy-4.c | 51 ++++ 14 files changed, 601 insertions(+), 107 deletions(-) create mode 100644 gcc/testsuite/gcc.dg/analyzer/out-of-bounds-diagram-16.c create mode 100644 gcc/testsuite/gcc.dg/analyzer/strcat-1.c create mode 100644 gcc/testsuite/gcc.dg/analyzer/strcpy-4.c -- 2.26.3