[Bug analyzer/103533] Enable "taint" state machine with -fanalyzer without requiring -fanalyzer-checker=taint
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=103533

--- Comment #10 from GCC Commits ---
The master branch has been updated by David Malcolm:

https://gcc.gnu.org/g:83b210d55b28461e7604068c5df95a24b21e7081

commit r14-6056-g83b210d55b28461e7604068c5df95a24b21e7081
Author: David Malcolm
Date:   Fri Dec 1 08:47:41 2023 -0500

    docs: remove stray reference to -fanalyzer-checker=taint [PR103533]

    I missed this one in r14-5464-gcfaaa8b11b8429.

    gcc/ChangeLog:
            PR analyzer/103533
            * doc/extend.texi: Remove stray reference to
            -fanalyzer-checker=taint.

    Signed-off-by: David Malcolm
David Malcolm changed:

           What    |Removed     |Added
----------------------------------------------------------------------------
         Resolution|---         |FIXED
             Status|UNCONFIRMED |RESOLVED

--- Comment #9 from David Malcolm ---
I've enabled the taint state machine by default (with -fanalyzer) with the above patch, for GCC 14 onwards.

PR analyzer/112528 tracks the only known state explosion; integration testing shows no significant changes in results from -fanalyzer before/after the patch.

Closing this bug out.
--- Comment #8 from CVS Commits ---
The master branch has been updated by David Malcolm:

https://gcc.gnu.org/g:cfaaa8b11b8429eed5ec44426fc6a20ad5d53d30

commit r14-5464-gcfaaa8b11b8429eed5ec44426fc6a20ad5d53d30
Author: David Malcolm
Date:   Tue Nov 14 15:51:52 2023 -0500

    analyzer: enable taint state machine by default [PR103533]

    gcc/analyzer/ChangeLog:
            PR analyzer/103533
            * sm-taint.cc: Remove "experimental" from comment.
            * sm.cc (make_checkers): Always add taint state machine.

    gcc/ChangeLog:
            PR analyzer/103533
            * doc/invoke.texi (Static Analyzer Options): Add the six
            -Wanalyzer-tainted-* warnings.  Update documentation of each
            warning to reflect removed requirement to use
            -fanalyzer-checker=taint.  Remove discussion of
            -fanalyzer-checker=taint.

    gcc/testsuite/ChangeLog:
            PR analyzer/103533
            * c-c++-common/analyzer/attr-tainted_args-1.c: Remove use of
            -fanalyzer-checker=taint.
            * c-c++-common/analyzer/fread-1.c: Likewise.
            * c-c++-common/analyzer/pr104029.c: Likewise.
            * gcc.dg/analyzer/pr93032-mztools-signed-char.c: Add params to
            work around state explosion.
            * gcc.dg/analyzer/pr93032-mztools-unsigned-char.c: Likewise.
            * gcc.dg/analyzer/pr93382.c: Remove use of
            -fanalyzer-checker=taint.
            * gcc.dg/analyzer/switch-enum-taint-1.c: Likewise.
            * gcc.dg/analyzer/taint-CVE-2011-2210-1.c: Likewise.
            * gcc.dg/analyzer/taint-CVE-2020-13143-1.c: Likewise.
            * gcc.dg/analyzer/taint-CVE-2020-13143-2.c: Likewise.
            * gcc.dg/analyzer/taint-CVE-2020-13143.h: Likewise.
            * gcc.dg/analyzer/taint-alloc-1.c: Likewise.
            * gcc.dg/analyzer/taint-alloc-2.c: Likewise.
            * gcc.dg/analyzer/taint-alloc-3.c: Likewise.
            * gcc.dg/analyzer/taint-alloc-4.c: Likewise.
            * gcc.dg/analyzer/taint-alloc-5.c: Likewise.
            * gcc.dg/analyzer/taint-assert-BUG_ON.c: Likewise.
            * gcc.dg/analyzer/taint-assert-macro-expansion.c: Likewise.
            * gcc.dg/analyzer/taint-assert-system-header.c: Likewise.
            * gcc.dg/analyzer/taint-assert.c: Likewise.
            * gcc.dg/analyzer/taint-divisor-1.c: Likewise.
            * gcc.dg/analyzer/taint-divisor-2.c: Likewise.
            * gcc.dg/analyzer/taint-merger.c: Likewise.
            * gcc.dg/analyzer/taint-ops.c: Delete this test: it was a
            duplicate of material in operations.c and data-model-1.c, with
            -fanalyzer-checker=taint added.
            * gcc.dg/analyzer/taint-read-index-1.c: Remove use of
            -fanalyzer-checker=taint.
            * gcc.dg/analyzer/taint-read-offset-1.c: Likewise.
            * gcc.dg/analyzer/taint-realloc.c: Likewise.  Add missing
            dg-warning for leak now that the malloc state machine is also
            active.
            * gcc.dg/analyzer/taint-size-1.c: Remove use of
            -fanalyzer-checker=taint.
            * gcc.dg/analyzer/taint-size-access-attr-1.c: Likewise.
            * gcc.dg/analyzer/taint-write-index-1.c: Likewise.
            * gcc.dg/analyzer/taint-write-offset-1.c: Likewise.
            * gcc.dg/analyzer/torture/taint-read-index-2.c: Likewise.
            * gcc.dg/analyzer/torture/taint-read-index-3.c: Likewise.
            * gcc.dg/plugin/taint-CVE-2011-0521-1-fixed.c: Likewise.  Add
            -Wno-pedantic.
            * gcc.dg/plugin/taint-CVE-2011-0521-1.c: Likewise.
            * gcc.dg/plugin/taint-CVE-2011-0521-2-fixed.c: Likewise.
            * gcc.dg/plugin/taint-CVE-2011-0521-2.c: Likewise.
            * gcc.dg/plugin/taint-CVE-2011-0521-3-fixed.c: Likewise.
            * gcc.dg/plugin/taint-CVE-2011-0521-3.c: Likewise.  Fix
            C++-style comment.
            * gcc.dg/plugin/taint-CVE-2011-0521-4.c: Remove use of
            -fanalyzer-checker=taint and add -Wno-pedantic.  Remove xfail
            and add missing dg-warning.
            * gcc.dg/plugin/taint-CVE-2011-0521-5-fixed.c: Remove use of
            -fanalyzer-checker=taint and add -Wno-pedantic.
            * gcc.dg/plugin/taint-CVE-2011-0521-5.c: Likewise.
            * gcc.dg/plugin/taint-CVE-2011-0521-6.c: Likewise.
            * gcc.dg/plugin/taint-antipatterns-1.c: Remove use of
            -fanalyzer-checker=taint.

    Signed-off-by: David Malcolm
--- Comment #7 from CVS Commits ---
The master branch has been updated by Tobias Burnus:

https://gcc.gnu.org/g:748f36a48b506f52e10bcdeb750a7fe9c30c26f3

commit r12-7810-g748f36a48b506f52e10bcdeb750a7fe9c30c26f3
Author: Tobias Burnus
Date:   Fri Mar 25 10:47:49 2022 +0100

    doc/invoke.texi: Move @ignore block out of @gccoptlist [PR103533]

    With TeX output ("make pdf"), @gccoptlist's content ends up in a single
    line such that TeX does not find the matching '@end ignore' for the
    '@ignore' block, failing with a runaway error.

    Solution is to move the @ignore block after the closing '}'.

    (Follow up to r12-7808-g319ba7e241e7e21f9eb481f075310796f13d2035 )

    gcc/
            PR analyzer/103533
            * doc/invoke.texi (Static Analyzer Options): Move @ignore block
            after @gccoptlist's '}' for 'make pdf'.
--- Comment #6 from CVS Commits ---
The master branch has been updated by David Malcolm:

https://gcc.gnu.org/g:319ba7e241e7e21f9eb481f075310796f13d2035

commit r12-7808-g319ba7e241e7e21f9eb481f075310796f13d2035
Author: Avinash Sonawane
Date:   Tue Mar 22 07:32:44 2022 +0530

    Docs: Document that taint analyzer checker disables some warnings [PR103533]

    gcc/ChangeLog:
            PR analyzer/103533
            * doc/invoke.texi: Document that enabling taint analyzer checker
            disables some warnings from `-fanalyzer`.

    Signed-off-by: Avinash Sonawane
Avinash Sonawane changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |rootkea at gmail dot com

--- Comment #5 from Avinash Sonawane ---
Since we are not quite there yet, we should remove (comment out) the tainted-* checkers listed under -fanalyzer in the docs, which say "Enabling this option effectively enables the following warnings:".

Also, the wording in the docs suggests that `-fanalyzer -fanalyzer-checker=taint` enables the taint checkers *in addition* to the default checkers, but currently enabling -fanalyzer-checker=taint stops the other checkers. I came to know about this after finding none of the other checkers working. We should document this.

I just submitted a patch which documents the above fact and comments out the tainted-* checkers under -fanalyzer. When this issue gets fixed we can simply remove the .texi comment commands and drop the line saying other checkers are not working with the taint checker.

https://gcc.gnu.org/pipermail/gcc-patches/2022-March/592144.html
--- Comment #4 from CVS Commits ---
The master branch has been updated by David Malcolm:

https://gcc.gnu.org/g:faacafd2306ad7ece721a79dedbb6e44e0d65bdb

commit r12-7718-gfaacafd2306ad7ece721a79dedbb6e44e0d65bdb
Author: David Malcolm
Date:   Tue Dec 7 19:22:47 2021 -0500

    analyzer: extend state-purging to locals [PR104943]

    The existing analyzer code attempts to purge the state of SSA names
    where it can in order to minimize the size of program_state instances,
    and to increase the chances of being able to reuse exploded_node
    instances whilst exploring the user's code.

    PR analyzer/104943 identifies that we fail to purge state of local
    variables, based on behavior seen in PR analyzer/104954 when attempting
    to profile slow performance of -fanalyzer on a particular file in the
    Linux kernel, where that testcase has many temporary "boxed" values of
    structs containing ints, which are never cleaned up, leading to bloat
    of the program_state instances (specifically, of the store objects).

    This patch generalizes the state purging from just being on SSA names
    to also work on local variables.  Doing so requires that we detect
    where addresses to a local variable (or within them) are taken; we
    assume that once a pointer has been taken, it's no longer safe to
    purge the value of that decl at any successor point within the
    function.

    Doing so speeds up the PR analyzer/104954 Linux kernel analyzer
    testcase from taking 254 seconds to "just" 186 seconds (and I have a
    followup patch in development that seems to further reduce this to 37
    seconds).

    The patch may also help with scaling up taint-detection so that it can
    eventually be turned on by default, but we're not quite there (this is
    PR analyzer/103533).

    gcc/analyzer/ChangeLog:
            PR analyzer/104943
            PR analyzer/104954
            PR analyzer/103533
            * analyzer.h (class state_purge_per_decl): New forward decl.
            * engine.cc (impl_run_checkers): Pass region_model_manager to
            state_purge_map ctor.
            * program-point.cc (function_point::final_stmt_p): New.
            (function_point::get_next): New.
            * program-point.h (function_point::final_stmt_p): New decl.
            (function_point::get_next): New decl.
            * program-state.cc (program_state::prune_for_point): Generalize
            to purge local decls as well as SSA names.
            (program_state::can_purge_base_region_p): New.
            * program-state.h (program_state::can_purge_base_region_p): New
            decl.
            * region-model.cc (struct append_ssa_names_cb_data): Rename
            to...
            (struct append_regions_cb_data): ...this.
            (region_model::get_ssa_name_regions_for_current_frame): Rename
            to...
            (region_model::get_regions_for_current_frame): ...this, updating
            for other renamings.
            (region_model::append_ssa_names_cb): Rename to...
            (region_model::append_regions_cb): ...this, and drop the
            requirement that the subregion be a SSA name.
            * region-model.h (struct append_ssa_names_cb_data): Rename decl
            to...
            (struct append_regions_cb_data): ...this.
            (region_model::get_ssa_name_regions_for_current_frame): Rename
            decl to...
            (region_model::get_regions_for_current_frame): ...this.
            (region_model::append_ssa_names_cb): Rename decl to...
            (region_model::append_regions_cb): ...this.
            * state-purge.cc: Include "tristate.h", "selftest.h",
            "analyzer/store.h", "analyzer/region-model.h", and
            "gimple-walk.h".
            (get_candidate_for_purging): New.
            (class gimple_op_visitor): New.
            (my_load_cb): New.
            (my_store_cb): New.
            (my_addr_cb): New.
            (state_purge_map::state_purge_map): Add "mgr" param.  Update for
            renamings.  Find uses of local variables.
            (state_purge_map::~state_purge_map): Update for renaming of
            m_map to m_ssa_map.  Clean up m_decl_map.
            (state_purge_map::get_or_create_data_for_decl): New.
            (state_purge_per_ssa_name::state_purge_per_ssa_name): Update for
            inheriting from state_purge_per_tree.
            (state_purge_per_ssa_name::add_to_worklist): Likewise.
            (state_purge_per_decl::state_purge_per_decl): New.
            (state_purge_per_decl::add_needed_at): New.
            (state_purge_per_decl::add_pointed_to_at): New.
            (state_purge_per_decl::process_worklists): New.
            (state_purge_per_decl::add_to_worklist): New.
            (same_binding_p): New.
            (fully_overwrites_p): New.
            (state_purge_per_decl::process_point_backwards): New.
            (state_purge_per_decl::process_point_forwards):
--- Comment #3 from CVS Commits ---
The master branch has been updated by David Malcolm:

https://gcc.gnu.org/g:2c16dfe6268eeeb4b7924ff423e274fa00894a4d

commit r12-6526-g2c16dfe6268eeeb4b7924ff423e274fa00894a4d
Author: David Malcolm
Date:   Tue Jan 11 15:57:39 2022 -0500

    analyzer: complain about tainted sizes with "access" attribute [PR103940]

    GCC 10 gained the "access" function and type attribute, which
    optionally can take a size-index param:
      https://gcc.gnu.org/onlinedocs/gcc/Common-Function-Attributes.html

    -fanalyzer in trunk (for GCC 12) has gained a -Wanalyzer-tainted-size
    to complain about attacker-controlled size values, but this was only
    being used deep inside the region-model code when handling the
    hardcoded known behavior of certain functions (memset, IIRC).

    This patch extends -Wanalyzer-tainted-size to also complain about
    unsanitized attacker-controlled values being passed to function
    parameters marked as a size via the "access" attribute.

    Note that -fanalyzer-checker=taint is currently required in addition
    to -fanalyzer to use this warning, due to scaling issues (see bug
    103533).

    gcc/analyzer/ChangeLog:
            PR analyzer/103940
            * engine.cc (impl_sm_context::impl_sm_context): Add
            "unknown_side_effects" param and use it to initialize new
            m_unknown_side_effects field.
            (impl_sm_context::unknown_side_effects_p): New.
            (impl_sm_context::m_unknown_side_effects): New.
            (exploded_node::on_stmt): Pass unknown_side_effects to sm_ctxt
            ctor.
            * sm-taint.cc: Include "stringpool.h" and "attribs.h".
            (tainted_size::tainted_size): Drop "dir" param.
            (tainted_size::get_kind): Drop "FINAL".
            (tainted_size::emit): Likewise.
            (tainted_size::m_dir): Drop unused field.
            (class tainted_access_attrib_size): New subclass.
            (taint_state_machine::on_stmt): Call check_for_tainted_size_arg
            on external functions with unknown side effects.
            (taint_state_machine::check_for_tainted_size_arg): New.
            (region_model::check_region_for_taint): Drop "dir" param from
            tainted_size ctor.
            * sm.h (sm_context::unknown_side_effects_p): New.

    gcc/testsuite/ChangeLog:
            PR analyzer/103940
            * gcc.dg/analyzer/taint-size-access-attr-1.c: New test.

    Signed-off-by: David Malcolm
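An added example, not code from the bug report or from GCC itself, showing what the -Wanalyzer-tainted-size check described in comment #3 flags once the taint state machine is on by default (comment #8): a hypothetical sink fill_buffer whose size parameter is marked via the "access" attribute, fed a length read by fread (the modelled taint source), next to the bounded version that clears the taint. BUF_LEN, fill_buffer and run_reader are assumed names for this example.

```c
/* Added example (not from the bug report or from GCC): what -Wanalyzer-tainted-size
   reports for a size parameter marked with the "access" attribute.
   Try: gcc -fanalyzer -c tainted-size.c  (GCC 12/13 also need -fanalyzer-checker=taint) */
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#define BUF_LEN 64
/* Hypothetical sink: "access" says parameter 2 is the size of the buffer written
   through parameter 1.  In a real program only this declaration would be visible
   (the check targets external calls); the body further down exists only so the
   example links and runs, and may change where the analyzer reports. */
__attribute__((access(write_only, 1, 2)))
void fill_buffer(char *buf, size_t len);

/* Unsanitized: LEN is read by fread (a modelled taint source) and reaches the
   size parameter unbounded, so the analyzer emits -Wanalyzer-tainted-size. */
int read_header_unchecked(FILE *f, char *buf)
{
    uint32_t len;
    if (fread(&len, sizeof len, 1, f) != 1)
        return -1;
    fill_buffer(buf, len);          /* flagged: attacker-controlled size */
    return (int)len;
}
/* Sanitized: the bound check moves LEN out of the "tainted" state before the
   call, so this function is not reported. */
int read_header_checked(FILE *f, char *buf)
{
    uint32_t len;
    if (fread(&len, sizeof len, 1, f) != 1)
        return -1;
    if (len > BUF_LEN)
        return -1;
    fill_buffer(buf, len);
    return (int)len;
}
void fill_buffer(char *buf, size_t len) { memset(buf, 'A', len); }

/* Driver over a constructed input: a temporary file holding one 4-byte header
   with value WIRE_LEN (host byte order).  Returns what the reader returned. */
int run_reader(int sanitized, uint32_t wire_len)
{
    char buf[BUF_LEN];
    FILE *f = tmpfile();
    if (!f) return -2;
    fwrite(&wire_len, sizeof wire_len, 1, f);
    rewind(f);
    int rc = sanitized ? read_header_checked(f, buf) : read_header_unchecked(f, buf);
    fclose(f);
    return rc;
}
```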
--- Comment #2 from David Malcolm ---
Note that as well as the scaling issues, there currently aren't that many sources of taint (currently just a hardcoded one for the result of fread); a lot more would be added by

  [PATCH 0/6] RFC: adding support to GCC for detecting trust boundaries
  https://gcc.gnu.org/pipermail/gcc-patches/2021-November/584372.html

but that patch kit isn't in yet.
--- Comment #1 from CVS Commits ---
The master branch has been updated by David Malcolm:

https://gcc.gnu.org/g:c9543403c19fdc3c3b5a8db8546340de085bd14e

commit r12-5815-gc9543403c19fdc3c3b5a8db8546340de085bd14e
Author: David Malcolm
Date:   Mon Dec 6 14:04:35 2021 -0500

    analyzer: fix equivalence class state purging [PR103533]

    Whilst debugging state explosions seen when enabling taint detection
    with -fanalyzer (PR analyzer/103533), I noticed that constraint
    manager instances could contain stray, redundant constants, such as
    this instance:

      constraint_manager:
        equiv classes:
          ec0: {(int)0 == [m_constant]‘0’}
          ec1: {(size_t)4 == [m_constant]‘4’}
        constraints:

    where there are two equivalence classes, each just containing a
    constant, with no constraints using them.

    This patch makes constraint_manager::canonicalize more aggressive
    about purging state, handling the case of purging a redundant EC
    containing just a constant.

    gcc/analyzer/ChangeLog:
            PR analyzer/103533
            * constraint-manager.cc (equiv_class::contains_non_constant_p):
            New.
            (constraint_manager::canonicalize): Call it when determining
            redundant ECs.
            (selftest::test_purging): New selftest.
            (selftest::run_constraint_manager_tests): Likewise.
            * constraint-manager.h (equiv_class::contains_non_constant_p):
            New decl.

    Signed-off-by: David Malcolm