Bug 102695 - missing -Wanalyzer-write-to-const for writing to string, function, label, or const member
Summary: missing -Wanalyzer-write-to-const for writing to string, function, label, or ...
Status: RESOLVED FIXED
Alias: None
Product: gcc
Classification: Unclassified
Component: analyzer (show other bugs)
Version: 12.0
: P3 normal
Target Milestone: ---
Assignee: David Malcolm
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2021-10-11 22:11 UTC by Martin Sebor
Modified: 2021-11-17 02:08 UTC (History)
1 user (show)

See Also:
Host:
Target:
Build:
Known to work:
Known to fail:
Last reconfirmed: 2021-11-16 00:00:00

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.
Description Martin Sebor 2021-10-11 22:11:15 UTC 
Below are a few C test cases from my tests for the solution for pr90404 that I noticed the analyzer doesn't issue warnings for but could and probably should.

$ cat z.c && gcc -S -Wall -fanalyzer z.c
extern void* malloc (__SIZE_TYPE__);

const char* write_strchr_literal (int x)
{
  char *p = __builtin_strchr ("123", x);
  *p = 0;   // missing warning
  return p;
}

const char* write_strchr_const_array (int x)
{
  static const char a[] = "123";
  char *p = __builtin_strchr (a, x);
  *p = 0;   // missing warning
  return a;
}

char* write_function (void)
{
  char *p = (char*)malloc /* forgot arguments */;
  __builtin_strcpy (p, "123");   // missing warning
  return p;
}

char* write_label (void)
{
  char *p = (char*)&&L;
  *p = 0;   // missing warning
L:
  return p;
}

struct A { const int i; };

extern /* not const */ struct A a;

void write_const_member (void)
{
  char *p = (char*)&a.i;
  *p = 0;   // missing warning
}
Comment 1 David Malcolm 2021-11-16 21:21:46 UTC 
Am testing a fix
Comment 2 GCC Commits 2021-11-17 02:02:22 UTC 
The master branch has been updated by David Malcolm <dmalcolm@gcc.gnu.org>:

https://gcc.gnu.org/g:111fd515f2894d7cddf62f80c69765c43ae18577

commit r12-5330-g111fd515f2894d7cddf62f80c69765c43ae18577
Author: David Malcolm <dmalcolm@redhat.com>
Date:   Tue Nov 16 10:36:49 2021 -0500

    analyzer: fix missing -Wanalyzer-write-to-const [PR102695]
    
    This patch fixes -Wanalyzer-write-to-const so that it will complain
    about attempts to write to functions, to labels.
    It also "teaches" the analyzer about strchr, in that strchr can either
    return a pointer into the input area (and thus -Wanalyzer-write-to-const
    can now complain about writes into a string literal seen this way),
    or return NULL (and thus the analyzer can complain about NULL
    dereferences if the result is used without a check).
    
    gcc/analyzer/ChangeLog:
            PR analyzer/102695
            * region-model-impl-calls.cc (region_model::impl_call_strchr): New.
            * region-model-manager.cc
            (region_model_manager::maybe_fold_unaryop): Simplify cast to
            pointer type of an existing pointer to a region.
            * region-model.cc (region_model::on_call_pre): Handle
            BUILT_IN_STRCHR and "strchr".
            (write_to_const_diagnostic::emit): Add auto_diagnostic_group.  Add
            alternate wordings for functions and labels.
            (write_to_const_diagnostic::describe_final_event): Add alternate
            wordings for functions and labels.
            (region_model::check_for_writable_region): Handle RK_FUNCTION and
            RK_LABEL.
            * region-model.h (region_model::impl_call_strchr): New decl.
    
    gcc/testsuite/ChangeLog:
            PR analyzer/102695
            * gcc.dg/analyzer/pr102695.c: New test.
            * gcc.dg/analyzer/strchr-1.c: New test.
    
    Signed-off-by: David Malcolm <dmalcolm@redhat.com>
Comment 3 David Malcolm 2021-11-17 02:08:52 UTC 
The above patch implements detection for all of the cases in comment #0 apart from write_const_member; I don't plan to implement detection of that, so marking this as resolved.