https://gcc.gnu.org/bugzilla/show_bug.cgi?id=106286
--- Comment #1 from David Malcolm ---
Compare with e.g.:
gcc/testsuite/gcc.dg/analyzer/file-meaning-1.c
which tests this for the sm-file.cc
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=106286
Bug ID: 106286
Summary: fd_diagnostic should implement
get_meaning_for_state_change vfunc
Product: gcc
Version: 12.0
Status: UNCONFIRMED
Severity: normal
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=106284
Bug ID: 106284
Summary: False positives from -Wanalyzer-tainted-array-index
with optimized conditionals
Product: gcc
Version: 12.0
Status: UNCONFIRMED
Severity
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=106283
Bug ID: 106283
Summary: RFE: analyzer handling of close_range and closefrom
Product: gcc
Version: 12.0
Status: UNCONFIRMED
Severity: normal
Priority: P3
Compone
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=106272
--- Comment #9 from David Malcolm ---
Thanks!
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=91733
David Malcolm changed:
What|Removed |Added
CC||dmalcolm at gcc dot gnu.org
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=96032
--- Comment #4 from David Malcolm ---
I posted a prototype implementation of this here:
"[PATCH 00/12] RFC: Replay of serialized diagnostics"
https://gcc.gnu.org/pipermail/gcc-patches/2022-June/597051.html
(doesn't fully work; see the many
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=106235
--- Comment #1 from David Malcolm ---
Juliet 1.3 has various testcases for this in
C/testcases/CWE617_Reachable_Assertion/
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=106235
Bug ID: 106235
Summary: RFE: -fanalyzer could complain about tainted data
triggering assertion failure
Product: gcc
Version: 12.0
Status: UNCONFIRMED
Severity:
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=106229
Bug ID: 106229
Summary: False positives from -Wanalyzer-tainted-array-index
with unsigned char index
Product: gcc
Version: 12.0
Status: UNCONFIRMED
Severity: n
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=106225
--- Comment #3 from David Malcolm ---
Fixed on trunk for gcc 13 by the above commit. Keeping this open to backport
to gcc 12.
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=106225
David Malcolm changed:
What|Removed |Added
Last reconfirmed||2022-07-07
Status|UNCONFIRM
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=106225
Bug ID: 106225
Summary: False positives from -Wanalyzer-tainted-divisor
Product: gcc
Version: 12.0
Status: UNCONFIRMED
Severity: normal
Priority: P3
Component:
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=106218
Bug ID: 106218
Summary: Analyzer false positives with Linux kernel's err.h
Product: gcc
Version: 12.0
Status: UNCONFIRMED
Severity: normal
Priority: P3
Componen
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=106204
--- Comment #4 from David Malcolm ---
Should be fixed on trunk (for gcc 13) by the above commit.
Keeping open to backport to gcc 12.
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=106204
David Malcolm changed:
What|Removed |Added
Status|NEW |ASSIGNED
--- Comment #2 from David Malc
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=106204
David Malcolm changed:
What|Removed |Added
Status|UNCONFIRMED |NEW
Last reconfirmed|
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=106204
Bug ID: 106204
Summary: False positive from
-Wanalyzer-use-of-uninitialized-value with
-ftrivial-auto-var-init=zero
Product: gcc
Version: 12.0
Status
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=106000
--- Comment #5 from David Malcolm ---
Consider also:
write (fd, "hello world", 200);
where the write call is definitely going to access beyond the string literal.
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=106000
--- Comment #4 from David Malcolm ---
For example, the "classic test" referred to in section 1.2 of
https://open-std.org/JTC1/SC22/WG14/www/docs/n3005.pdf
has:
#include
#include
int y=2, x=1;
int main() {
int *p = &x + 1;
int *q = &y;
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=106000
David Malcolm changed:
What|Removed |Added
Summary|RFE: -fanalyzer should |RFE: -fanalyzer should
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=106006
David Malcolm changed:
What|Removed |Added
Status|UNCONFIRMED |ASSIGNED
Last reconfirmed|
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=106148
Bug ID: 106148
Summary: RFE: warn about =- typos
Product: gcc
Version: 12.0
Status: UNCONFIRMED
Keywords: diagnostic
Severity: normal
Priority: P3
Com
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=106147
--- Comment #1 from David Malcolm ---
Possible implementation idea: look at state merging when building the exploded
graph: if we're merging an identical state in a loop, with no variants, then
complain.
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=106147
Bug ID: 106147
Summary: RFE: -fanalyzer could complain about some cases of
infinite loops and infinite recursion
Product: gcc
Version: 12.0
Status: UNCONFIRMED
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=106140
Bug ID: 106140
Summary: RFE: analyzer could complain about misuses of socket
APIs
Product: gcc
Version: 12.0
Status: UNCONFIRMED
Severity: normal
Pri
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=106066
--- Comment #4 from David Malcolm ---
(In reply to David Malcolm from comment #2)
> Thanks for filing this bug.
>
> I can reproduce both crashes with trunk.
Correction: for src/ssl_crtlist.c I'm seeing the same crash as in comment #0
(in dump_
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=106066
--- Comment #3 from David Malcolm ---
Minimal reproducer for crash in comment #0 (crash in dump_mem_ref seen with
_do_poll:
struct s {
unsigned int f;
};
int use(unsigned int);
static struct s *arr;
void test(int n) {
int i;
for (i = 0;
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=106066
David Malcolm changed:
What|Removed |Added
Status|UNCONFIRMED |NEW
Last reconfirmed|
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=105890
--- Comment #2 from David Malcolm ---
https://pubs.opengroup.org/onlinepubs/009604499/functions/mkstemp.html says:
"The string in template should look like a filename with six trailing 'X's"
https://pubs.opengroup.org/onlinepubs/9699919799/f
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=106021
Bug ID: 106021
Summary: RFE: more sources of taint: scanf and its cousins
Product: gcc
Version: 12.0
Status: UNCONFIRMED
Severity: normal
Priority: P3
Component
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=106007
Bug ID: 106007
Summary: RFE: analyzer should complain about exec/system of
tainted args
Product: gcc
Version: 12.0
Status: UNCONFIRMED
Severity: normal
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=106006
Bug ID: 106006
Summary: RFE: analyzer should treat data from a socket as
"tainted"
Product: gcc
Version: 12.0
Status: UNCONFIRMED
Severity: normal
Pr
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=106003
--- Comment #1 from David Malcolm ---
See also this mailing list thread:
https://gcc.gnu.org/pipermail/gcc/2022-June/238801.html
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=106003
Bug ID: 106003
Summary: RFE: -fanalyzer could complain about misuse of
file-descriptors
Product: gcc
Version: 12.0
Status: UNCONFIRMED
Severity: normal
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=105888
--- Comment #1 from David Malcolm ---
See also CWE-562: Return of Stack Variable Address
https://cwe.mitre.org/data/definitions/562.html
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=105892
--- Comment #1 from David Malcolm ---
See also CWE 469: https://cwe.mitre.org/data/definitions/469.html
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=106000
--- Comment #2 from David Malcolm ---
See also:
https://cwe.mitre.org/data/definitions/468.html
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=105900
--- Comment #2 from David Malcolm ---
See also:
https://cwe.mitre.org/data/definitions/467.html
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=106002
Bug ID: 106002
Summary: RFE: complain about incorrect checks of return values
(CWE-253)
Product: gcc
Version: 12.0
Status: UNCONFIRMED
Keywords: diagnostic
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=106000
Bug ID: 106000
Summary: RFE: -fanalyzer should complain about definite buffer
overflows/underflows
Product: gcc
Version: 12.0
Status: UNCONFIRMED
Severity: nor
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=105900
--- Comment #1 from David Malcolm ---
See https://cwe.mitre.org/data/definitions/131.html e.g. example 5.
See also:
https://clang.llvm.org/docs/analyzer/checkers.html#alpha-security-mallocoverflow-c
(CWE 131's example 2 has a case of this)
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=105962
David Malcolm changed:
What|Removed |Added
Resolution|--- |FIXED
Status|ASSIGNED
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=105962
David Malcolm changed:
What|Removed |Added
Status|UNCONFIRMED |ASSIGNED
Ever confirmed|0
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=105961
--- Comment #4 from David Malcolm ---
As well as the false positive, the diagnostic path is rather unreadable due to
inlining. I've filed a separate bug about this (PR 105962).
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=105962
Bug ID: 105962
Summary: Unhelpful diagnostics paths from analyzer in the face
of inlining
Product: gcc
Version: 12.0
Status: UNCONFIRMED
Severity: normal
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=105961
David Malcolm changed:
What|Removed |Added
Status|UNCONFIRMED |ASSIGNED
Last reconfirmed|
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=105961
--- Comment #1 from David Malcolm ---
(In reply to eggert from comment #0)
[...snip...]
> Compile the attached program (derived from bleeding-edge Emacs) with:
I'm not seeing an attachment - do you still have this file, and can you try
attach
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=105958
Bug ID: 105958
Summary: Stray events emitted by state machine tests (e.g.
"'VAR' is NULL")
Product: gcc
Version: 12.0
Status: UNCONFIRMED
Severity: normal
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=105949
Bug ID: 105949
Summary: RFE: analyzer could warn about calls to vfuncs within
a ctor/dtor
Product: gcc
Version: 12.0
Status: UNCONFIRMED
Severity: normal
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=99667
David Malcolm changed:
What|Removed |Added
Blocks||105887
--- Comment #1 from David Malcolm
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=105948
Bug ID: 105948
Summary: RFE: analyzer could check c++ placement-new sizes
Product: gcc
Version: 12.0
Status: UNCONFIRMED
Severity: normal
Priority: P3
Component
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=105947
Bug ID: 105947
Summary: RFE: -fanalyzer should complain about jumps through
NULL function pointers
Product: gcc
Version: 12.0
Status: UNCONFIRMED
Severity: nor
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=105916
David Malcolm changed:
What|Removed |Added
Status|UNCONFIRMED |NEW
Ever confirmed|0
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=105916
--- Comment #1 from David Malcolm ---
Thanks for filing this.
Reproducable with trunk. On trunk I also see similar behavior with the new
SARIF output format via options:
-fdiagnostics-format=sarif-stderr
-fdiagnostics-format=sarif-file
and
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=105906
David Malcolm changed:
What|Removed |Added
Status|UNCONFIRMED |ASSIGNED
Last reconfirmed|
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=105909
Bug ID: 105909
Summary: RFE: SARIF output could contain metadata about
limitations of the analysis
Product: gcc
Version: 12.0
Status: UNCONFIRMED
Severity: nor
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=105894
--- Comment #1 from David Malcolm ---
(In reply to David Malcolm from comment #0)
> The analyzer's region model might make this fairly easy to implement.
Specifically: the result of the function call would be a conjured_svalue where
the stmt of
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=99669
David Malcolm changed:
What|Removed |Added
Blocks||105887
--- Comment #2 from David Malcolm
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=105900
Bug ID: 105900
Summary: RFE: -fanalyzer could check malloc sizes when casting
the result to a pointer
Product: gcc
Version: 12.0
Status: UNCONFIRMED
Severity:
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=105899
Bug ID: 105899
Summary: RFE: -fanalyzer could complain about misuses of
standard C string APIs
Product: gcc
Version: 12.0
Status: UNCONFIRMED
Severity: normal
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=105898
Bug ID: 105898
Summary: RFE: -fanalyzer should complain about overlapping args
to memcpy and mempcpy
Product: gcc
Version: 12.0
Status: UNCONFIRMED
Severity: n
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=105897
Bug ID: 105897
Summary: RFE: -fanalyzer could complain about misuses of
pthread API
Product: gcc
Version: 12.0
Status: UNCONFIRMED
Severity: normal
P
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=105896
Bug ID: 105896
Summary: RFE: -fanalyzer could complain about improper uses of
"chroot"
Product: gcc
Version: 12.0
Status: UNCONFIRMED
Severity: normal
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=105895
Bug ID: 105895
Summary: RFE: -fanalyzer could check constraints on calls to C
standard library
Product: gcc
Version: 12.0
Status: UNCONFIRMED
Severity: normal
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=105894
Bug ID: 105894
Summary: RFE: -fanalyzer could complain about misuse of
functions that return pointers to a static buffer
Product: gcc
Version: 12.0
Status: UNCONFIRMED
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=105893
Bug ID: 105893
Summary: RFE: -fanalyzer could check putenv calls
Product: gcc
Version: 12.0
Status: UNCONFIRMED
Severity: normal
Priority: P3
Component: analyze
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=105892
Bug ID: 105892
Summary: RFE: -fanalyzer could complain about pointer
subtraction of pointers to different memory chunks
Product: gcc
Version: 12.0
Status: UNCONFIRMED
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=105891
Bug ID: 105891
Summary: RFE: -fanalyzer could complain about pointer
arithmetic on non-arrays
Product: gcc
Version: 12.0
Status: UNCONFIRMED
Severity: normal
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=105890
Bug ID: 105890
Summary: RFE: -fanalyzer should complain about mkstemp with not
enough "X"s in format string
Product: gcc
Version: 12.0
Status: UNCONFIRMED
Seve
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=105889
Bug ID: 105889
Summary: RFE: -fanalyzer should complain about uses of
inherently unsafe functions
Product: gcc
Version: 12.0
Status: UNCONFIRMED
Severity: norm
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=105888
Bug ID: 105888
Summary: RFE: -fanalyzer should complain when an on-stack
address escapes/outlives the function
Product: gcc
Version: 12.0
Status: UNCONFIRMED
S
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=105887
Bug ID: 105887
Summary: RFE: clang analyzer warnings that GCC's -fanalyzer
could implement
Product: gcc
Version: 12.0
Status: UNCONFIRMED
Keywords: meta-bug
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=105190
David Malcolm changed:
What|Removed |Added
Last reconfirmed||2022-05-17
Ever confirmed|0
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=102471
--- Comment #5 from David Malcolm ---
Another source of possible benchmarks:
https://gitlab.com/sosy-lab/benchmarking/sv-benchmarks
>From SV-COMP: https://sv-comp.sosy-lab.org/
This embeds the Juliet testsuite, but also many other tests.
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=105103
David Malcolm changed:
What|Removed |Added
Status|ASSIGNED|RESOLVED
Resolution|---
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=105366
David Malcolm changed:
What|Removed |Added
Status|ASSIGNED|RESOLVED
Resolution|---
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=105285
--- Comment #11 from David Malcolm ---
Should be fixed on trunk for GCC 13 by the above commit.
I hope to backport this to GCC 12; keeping this open until that's done.
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=105287
David Malcolm changed:
What|Removed |Added
Status|ASSIGNED|RESOLVED
Resolution|---
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=105285
David Malcolm changed:
What|Removed |Added
Last reconfirmed||2022-04-27
Ever confirmed|0
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=105285
--- Comment #7 from David Malcolm ---
For (b), I'm not convinced git's code is totally correct here.
The early-reject case in reader_get_block returns 0:
if (off >= r->size)
return 0;
but at the caller, the condition is < 0:
err = re
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=105285
--- Comment #6 from David Malcolm ---
For (a):
If I'm reading this right:
reader_init_block_reader has:
struct reftable_block block = {((void *)0)};
reader_init_block_reader checks for (next_off >= r->size) and bails out,
otherwise, block
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=105285
--- Comment #5 from David Malcolm ---
I've been attempting to debug this.
I think that there is a bug in both (a) the analyzer, and, possibly (b) in the
software under test (git).
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=105285
--- Comment #4 from David Malcolm ---
Created attachment 52892
--> https://gcc.gnu.org/bugzilla/attachment.cgi?id=52892&action=edit
Partially reduced reproducer
I reduced the reproducer and am attaching it.
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=105382
--- Comment #1 from David Malcolm ---
Looks like the analyzer is assuming that all of the different
_Coro_resume_index values are possible at each entry to f(f()::_Z1fv.Frame*),
but AIUI that value is expressing which basic block the coroutine i
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=104308
David Malcolm changed:
What|Removed |Added
Resolution|--- |FIXED
Status|WAITING
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=105366
David Malcolm changed:
What|Removed |Added
Summary|[11/12 Regression] ICE: in |[11 Regression] ICE: in
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=105365
David Malcolm changed:
What|Removed |Added
Resolution|--- |FIXED
Status|ASSIGNED
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=105287
--- Comment #5 from David Malcolm ---
Thanks. FWIW I've filed PR 105382 to track the various other issues I'm seeing
with -fanalyzer with coroutines (though given that we don't properly support
C++ yet, that's relatively low priority for me).
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=105382
Bug ID: 105382
Summary: Support for coroutines in -fanalyzer
Product: gcc
Version: 12.0
Status: UNCONFIRMED
Severity: normal
Priority: P3
Component: analyzer
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=105366
David Malcolm changed:
What|Removed |Added
Status|NEW |ASSIGNED
--- Comment #2 from David Malc
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=105365
David Malcolm changed:
What|Removed |Added
Status|NEW |ASSIGNED
--- Comment #2 from David Malc
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=105285
--- Comment #3 from David Malcolm ---
Thanks for filing this bug; I can reproduce it with the initial attachment;
it's unclear to me yet what's going on.
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=105287
David Malcolm changed:
What|Removed |Added
Ever confirmed|0 |1
Last reconfirmed|
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=105264
--- Comment #8 from David Malcolm ---
The above patch hopefully fixes the false positive you're seeing, but as noted,
there are some deeper issues that it doesn't fix; keeping this bug open.
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=105273
--- Comment #4 from David Malcolm ---
Thanks for filing this bug.
IIRC in the initial GCC 10 release of the analyzer, it didn't directly explore
within static functions, and instead only explored them via callsites. I
tweaked the policy for th
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=105264
--- Comment #6 from David Malcolm ---
There are some fiddly issues where the analyzer fails to figure out that ptr +
i and &ptr[i] refer to the same memory, for certain symbolic values of i.
I'm testing a partial fix for GCC 12, which at least
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=105264
David Malcolm changed:
What|Removed |Added
Ever confirmed|0 |1
Status|UNCONFIRMED
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=104308
David Malcolm changed:
What|Removed |Added
Status|ASSIGNED|WAITING
URL|
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=105252
David Malcolm changed:
What|Removed |Added
Resolution|--- |FIXED
Status|ASSIGNED
801 - 900 of 1409 matches
Mail list logo
