sm.cc: make_checkers currently has: /* The "taint" checker must be explicitly enabled (as it currently leads to state explosions that stop the other checkers working). */ if (flag_analyzer_checker) out.safe_push (make_taint_state_machine (logger)); and all of the various testcases for the "taint" state machine have: // TODO: remove need for this option: /* { dg-additional-options "-fanalyzer-checker=taint" } */ and with notes in the docs of the form: This warning requires both @option{-fanalyzer} and @option{-fanalyzer-checker=taint} to enable it; I'm opening this bug to track removing the need for this, so that the the taint checker can be enabled directly by -fanalyzer. Currently removing this leads to: * ICE in alt_get_inherited_state in abs-1.c, data-model-1.c, data-model-19.c, pr101570.c, pr99771-1.c, zlib-2.c, zlib-3.c, torture/pr93450.c; all of which seems to be for a UNARY_OP that isn't a NOP_EXPR; replacing that gcc_unreachable with break, so it returns NULL fixes all of these. * state explosion and failure in pr93032-mztools.c, with: ../../src/gcc/testsuite/gcc.dg/analyzer/pr93032-mztools.c: In function ‘unzRepair’: ../../src/gcc/testsuite/gcc.dg/analyzer/pr93032-mztools.c:252:16: warning: terminating analysis for this program point: callstring: [] after SN: 52EN: 270-271, EN: 526-527, EN: 782-783, EN: 1038-1039 [-Wanalyzer-too-complex] 252 | entries++; | ~~~~~~~^~ ../../src/gcc/testsuite/gcc.dg/analyzer/pr93032-mztools.c:252:16: warning: terminating analysis for this program point: callstring: [] after SN: 52EN: 270-271, EN: 526-527, EN: 782-783, EN: 1038-1039 [-Wanalyzer-too-complex] ../../src/gcc/testsuite/gcc.dg/analyzer/pr93032-mztools.c:299:31: warning: terminating analysis for this program point: callstring: [] before (SN: 68 stmt: 0): _325 = fread (&buffer, 1, 8192, fpOutCD_522);EN: 1302-1308, EN: 1329 [-Wanalyzer-too-complex] 299 | while ( (nRead = (int)fread(buffer, 1, sizeof(buffer), fpOutCD)) > 0) { | ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ ../../src/gcc/testsuite/gcc.dg/analyzer/pr93032-mztools.c:299:31: warning: terminating analysis for this program point: callstring: [] before (SN: 68 stmt: 0): _325 = fread (&buffer, 1, 8192, fpOutCD_522);EN: 1302-1308, EN: 1329 [-Wanalyzer-too-complex] ../../src/gcc/testsuite/gcc.dg/analyzer/pr93032-mztools.c:299:31: warning: terminating analysis for this program point: callstring: [] before (SN: 68 stmt: 0): _325 = fread (&buffer, 1, 8192, fpOutCD_522);EN: 1302-1308, EN: 1329 [-Wanalyzer-too-complex] ../../src/gcc/testsuite/gcc.dg/analyzer/pr93032-mztools.c:299:31: warning: terminating analysis for this program point: callstring: [] before (SN: 68 stmt: 0): _325 = fread (&buffer, 1, 8192, fpOutCD_522);EN: 1302-1308, EN: 1329 [-Wanalyzer-too-complex] ../../src/gcc/testsuite/gcc.dg/analyzer/pr93032-mztools.c:299:31: warning: terminating analysis for this program point: callstring: [] before (SN: 68 stmt: 0): _325 = fread (&buffer, 1, 8192, fpOutCD_522);EN: 1302-1308, EN: 1329 [-Wanalyzer-too-complex] ../../src/gcc/testsuite/gcc.dg/analyzer/pr93032-mztools.c:299:31: warning: terminating analysis for this program point: callstring: [] before (SN: 68 stmt: 0): _325 = fread (&buffer, 1, 8192, fpOutCD_522);EN: 1302-1308, EN: 1329 [-Wanalyzer-too-complex] ../../src/gcc/testsuite/gcc.dg/analyzer/pr93032-mztools.c:299:31: warning: terminating analysis for this program point: callstring: [] before (SN: 68 stmt: 0): _325 = fread (&buffer, 1, 8192, fpOutCD_522);EN: 1302-1308, EN: 1329 [-Wanalyzer-too-complex] ../../src/gcc/testsuite/gcc.dg/analyzer/pr93032-mztools.c: At top level: ../../src/gcc/testsuite/gcc.dg/analyzer/pr93032-mztools.c:319:21: warning: analysis bailed out early (401 'after-snode' enodes; 1506 enodes) [-Wanalyzer-too-complex] 319 | *nRecovered = entries; | ~~~~~~~~~~~~^~~~~~~~~ Interestingly, PR analyzer/103521 reports this as now failing on powerpc64 (without turning on taint detection), although the explosion is in a different place.
The master branch has been updated by David Malcolm <dmalcolm@gcc.gnu.org>: https://gcc.gnu.org/g:c9543403c19fdc3c3b5a8db8546340de085bd14e commit r12-5815-gc9543403c19fdc3c3b5a8db8546340de085bd14e Author: David Malcolm <dmalcolm@redhat.com> Date: Mon Dec 6 14:04:35 2021 -0500 analyzer: fix equivalence class state purging [PR103533] Whilst debugging state explosions seen when enabling taint detection with -fanalyzer (PR analyzer/103533), I noticed that constraint manager instances could contain stray, redundant constants, such as this instance: constraint_manager: equiv classes: ec0: {(int)0 == [m_constant]â0â} ec1: {(size_t)4 == [m_constant]â4â} constraints: where there are two equivalence classes, each just containing a constant, with no constraints using them. This patch makes constraint_manager::canonicalize more aggressive about purging state, handling the case of purging a redundant EC containing just a constant. gcc/analyzer/ChangeLog: PR analyzer/103533 * constraint-manager.cc (equiv_class::contains_non_constant_p): New. (constraint_manager::canonicalize): Call it when determining redundant ECs. (selftest::test_purging): New selftest. (selftest::run_constraint_manager_tests): Likewise. * constraint-manager.h (equiv_class::contains_non_constant_p): New decl. Signed-off-by: David Malcolm <dmalcolm@redhat.com>
Note that as well as the scaling issues, there currently aren't that many sources of taint (currently just a hardcoded one for the result fread); a lot more would be added by [PATCH 0/6] RFC: adding support to GCC for detecting trust boundaries https://gcc.gnu.org/pipermail/gcc-patches/2021-November/584372.html but that patch kit isn't in yet.
The master branch has been updated by David Malcolm <dmalcolm@gcc.gnu.org>: https://gcc.gnu.org/g:2c16dfe6268eeeb4b7924ff423e274fa00894a4d commit r12-6526-g2c16dfe6268eeeb4b7924ff423e274fa00894a4d Author: David Malcolm <dmalcolm@redhat.com> Date: Tue Jan 11 15:57:39 2022 -0500 analyzer: complain about tainted sizes with "access" attribute [PR103940] GCC 10 gained the "access" function and type attribute, which optionally can take a size-index param: https://gcc.gnu.org/onlinedocs/gcc/Common-Function-Attributes.html -fanalyzer in trunk (for GCC 12) has gained a -Wanalyzer-tainted-size to complain about attacker-controlled size values, but this was only being used deep inside the region-model code when handling the hardcoded known behavior of certain functions (memset, IIRC). This patch extends -Wanalyzer-tainted-size to also complain about unsanitized attacker-controlled values being passed to function parameters marked as a size via the "access" attribute. Note that -fanalyzer-checker=taint is currently required in addition to -fanalyzer to use this warning, due to scaling issues (see bug 103533). gcc/analyzer/ChangeLog: PR analyzer/103940 * engine.cc (impl_sm_context::impl_sm_context): Add "unknown_side_effects" param and use it to initialize new m_unknown_side_effects field. (impl_sm_context::unknown_side_effects_p): New. (impl_sm_context::m_unknown_side_effects): New. (exploded_node::on_stmt): Pass unknown_side_effects to sm_ctxt ctor. * sm-taint.cc: Include "stringpool.h" and "attribs.h". (tainted_size::tainted_size): Drop "dir" param. (tainted_size::get_kind): Drop "FINAL". (tainted_size::emit): Likewise. (tainted_size::m_dir): Drop unused field. (class tainted_access_attrib_size): New subclass. (taint_state_machine::on_stmt): Call check_for_tainted_size_arg on external functions with unknown side effects. (taint_state_machine::check_for_tainted_size_arg): New. (region_model::check_region_for_taint): Drop "dir" param from tainted_size ctor. * sm.h (sm_context::unknown_side_effects_p): New. gcc/testsuite/ChangeLog: PR analyzer/103940 * gcc.dg/analyzer/taint-size-access-attr-1.c: New test. Signed-off-by: David Malcolm <dmalcolm@redhat.com>
The master branch has been updated by David Malcolm <dmalcolm@gcc.gnu.org>: https://gcc.gnu.org/g:faacafd2306ad7ece721a79dedbb6e44e0d65bdb commit r12-7718-gfaacafd2306ad7ece721a79dedbb6e44e0d65bdb Author: David Malcolm <dmalcolm@redhat.com> Date: Tue Dec 7 19:22:47 2021 -0500 analyzer: extend state-purging to locals [PR104943] The existing analyzer code attempts to purge the state of SSA names where it can in order to minimize the size of program_state instances, and to increase the chances of being able to reuse exploded_node instances whilst exploring the user's code. PR analyzer/104943 identifies that we fail to purge state of local variables, based on behavior seen in PR analyzer/104954 when attempting to profile slow performance of -fanalyzer on a particular file in the Linux kernel, where that testcase has many temporary "boxed" values of structs containing ints, which are never cleaned up, leading to bloat of the program_state instances (specifically, of the store objects). This patch generalizes the state purging from just being on SSA names to also work on local variables. Doing so requires that we detect where addresses to a local variable (or within them) are taken; we assume that once a pointer has been taken, it's not longer safe to purge the value of that decl at any successor point within the function. Doing so speeds up the PR analyzer/104954 Linux kernel analyzer testcase from taking 254 seconds to "just" 186 seconds (and I have a followup patch in development that seems to further reduce this to 37 seconds). The patch may also help with scaling up taint-detection so that it can eventually be turned on by default, but we're not quite there (this is PR analyzer/103533). gcc/analyzer/ChangeLog: PR analyzer/104943 PR analyzer/104954 PR analyzer/103533 * analyzer.h (class state_purge_per_decl): New forward decl. * engine.cc (impl_run_checkers): Pass region_model_manager to state_purge_map ctor. * program-point.cc (function_point::final_stmt_p): New. (function_point::get_next): New. * program-point.h (function_point::final_stmt_p): New decl. (function_point::get_next): New decl. * program-state.cc (program_state::prune_for_point): Generalize to purge local decls as well as SSA names. (program_state::can_purge_base_region_p): New. * program-state.h (program_state::can_purge_base_region_p): New decl. * region-model.cc (struct append_ssa_names_cb_data): Rename to... (struct append_regions_cb_data): ...this. (region_model::get_ssa_name_regions_for_current_frame): Rename to... (region_model::get_regions_for_current_frame): ...this, updating for other renamings. (region_model::append_ssa_names_cb): Rename to... (region_model::append_regions_cb): ...this, and drop the requirement that the subregion be a SSA name. * region-model.h (struct append_ssa_names_cb_data): Rename decl to... (struct append_regions_cb_data): ...this. (region_model::get_ssa_name_regions_for_current_frame): Rename decl to... (region_model::get_regions_for_current_frame): ...this. (region_model::append_ssa_names_cb): Rename decl to... (region_model::append_regions_cb): ...this. * state-purge.cc: Include "tristate.h", "selftest.h", "analyzer/store.h", "analyzer/region-model.h", and "gimple-walk.h". (get_candidate_for_purging): New. (class gimple_op_visitor): New. (my_load_cb): New. (my_store_cb): New. (my_addr_cb): New. (state_purge_map::state_purge_map): Add "mgr" param. Update for renamings. Find uses of local variables. (state_purge_map::~state_purge_map): Update for renaming of m_map to m_ssa_map. Clean up m_decl_map. (state_purge_map::get_or_create_data_for_decl): New. (state_purge_per_ssa_name::state_purge_per_ssa_name): Update for inheriting from state_purge_per_tree. (state_purge_per_ssa_name::add_to_worklist): Likewise. (state_purge_per_decl::state_purge_per_decl): New. (state_purge_per_decl::add_needed_at): New. (state_purge_per_decl::add_pointed_to_at): New. (state_purge_per_decl::process_worklists): New. (state_purge_per_decl::add_to_worklist): New. (same_binding_p): New. (fully_overwrites_p): New. (state_purge_per_decl::process_point_backwards): New. (state_purge_per_decl::process_point_forwards): New. (state_purge_per_decl::needed_at_point_p): New. (state_purge_annotator::print_needed): Generalize to print local decls as well as SSA names. * state-purge.h (class state_purge_map): Update leading comment. (state_purge_map::map_t): Rename to... (state_purge_map::ssa_map_t): ...this. (state_purge_map::iterator): Rename to... (state_purge_map::ssa_iterator): ...this. (state_purge_map::decl_map_t): New typedef. (state_purge_map::decl_iterator): New typedef. (state_purge_map::state_purge_map): Add "mgr" param. (state_purge_map::get_data_for_ssa_name): Update for renaming. (state_purge_map::get_any_data_for_decl): New. (state_purge_map::get_or_create_data_for_decl): New decl. (state_purge_map::begin): Rename to... (state_purge_map::begin_ssas): ...this. (state_purge_map::end): Rename to... (state_purge_map::end_ssa): ...this. (state_purge_map::begin_decls): New. (state_purge_map::end_decls): New. (state_purge_map::m_map): Rename to... (state_purge_map::m_ssa_map): ...this. (state_purge_map::m_decl_map): New field. (class state_purge_per_tree): New class. (class state_purge_per_ssa_name): Inherit from state_purge_per_tree. (state_purge_per_ssa_name::get_function): Move to base class. (state_purge_per_ssa_name::point_set_t): Likewise. (state_purge_per_ssa_name::m_fun): Likewise. (class state_purge_per_decl): New. gcc/testsuite/ChangeLog: PR analyzer/104943 PR analyzer/104954 PR analyzer/103533 * gcc.dg/analyzer/torture/boxed-ptr-1.c: Update expected number of exploded nodes to reflect improvements in state purging. Signed-off-by: David Malcolm <dmalcolm@redhat.com>
Since we are not quite there yet we should remove (comment out) the tainted-* checkers listed under -fanalyzer in docs which says "Enabling this option effectively enables the following warnings:". Also, the wording in docs suggest that `-fanalyzer -fanalyzer-checker=taint` enables the taint checkers *in addition* to the default checkers but currently, enabling -fanalyzer-checker=taint stops other checkers. I came to know about this after finding none of other checkers working. We should document this. I just submitted a patch which documents the above fact and comments out the tainted-* checkers under -fanalyzer. When this issue gets fixed we can simply remove the .texi comment commands and drop the line saying other checkers not working with taint checker. https://gcc.gnu.org/pipermail/gcc-patches/2022-March/592144.html
The master branch has been updated by David Malcolm <dmalcolm@gcc.gnu.org>: https://gcc.gnu.org/g:319ba7e241e7e21f9eb481f075310796f13d2035 commit r12-7808-g319ba7e241e7e21f9eb481f075310796f13d2035 Author: Avinash Sonawane <rootkea@gmail.com> Date: Tue Mar 22 07:32:44 2022 +0530 Docs: Document that taint analyzer checker disables some warnings [PR103533] gcc/ChangeLog: PR analyzer/103533 * doc/invoke.texi: Document that enabling taint analyzer checker disables some warnings from `-fanalyzer`. Signed-off-by: Avinash Sonawane <rootkea@gmail.com>
The master branch has been updated by Tobias Burnus <burnus@gcc.gnu.org>: https://gcc.gnu.org/g:748f36a48b506f52e10bcdeb750a7fe9c30c26f3 commit r12-7810-g748f36a48b506f52e10bcdeb750a7fe9c30c26f3 Author: Tobias Burnus <tobias@codesourcery.com> Date: Fri Mar 25 10:47:49 2022 +0100 doc/invoke.texi: Move @ignore block out of @gccoptlist [PR103533] With TeX output ("make pdf"), @gccoptlist's content end up in a single line such that TeX does not find the matching '@end ignore' for the '@ignore' block â failing with a runaway error. Solution is to move the @ignore block after the closing '}'. (Follow up to r12-7808-g319ba7e241e7e21f9eb481f075310796f13d2035 ) gcc/ PR analyzer/103533 * doc/invoke.texi (Static Analyzer Options): Move @ignore block after @gccoptlist's '}' for 'make pdf'.
The master branch has been updated by David Malcolm <dmalcolm@gcc.gnu.org>: https://gcc.gnu.org/g:cfaaa8b11b8429eed5ec44426fc6a20ad5d53d30 commit r14-5464-gcfaaa8b11b8429eed5ec44426fc6a20ad5d53d30 Author: David Malcolm <dmalcolm@redhat.com> Date: Tue Nov 14 15:51:52 2023 -0500 analyzer: enable taint state machine by default [PR103533] gcc/analyzer/ChangeLog: PR analyzer/103533 * sm-taint.cc: Remove "experimental" from comment. * sm.cc (make_checkers): Always add taint state machine. gcc/ChangeLog: PR analyzer/103533 * doc/invoke.texi (Static Analyzer Options): Add the six -Wanalyzer-tainted-* warnings. Update documentation of each warning to reflect removed requirement to use -fanalyzer-checker=taint. Remove discussion of -fanalyzer-checker=taint. gcc/testsuite/ChangeLog: PR analyzer/103533 * c-c++-common/analyzer/attr-tainted_args-1.c: Remove use of -fanalyzer-checker=taint. * c-c++-common/analyzer/fread-1.c: Likewise. * c-c++-common/analyzer/pr104029.c: Likewise. * gcc.dg/analyzer/pr93032-mztools-signed-char.c: Add params to work around state explosion. * gcc.dg/analyzer/pr93032-mztools-unsigned-char.c: Likewise. * gcc.dg/analyzer/pr93382.c: Remove use of -fanalyzer-checker=taint. * gcc.dg/analyzer/switch-enum-taint-1.c: Likewise. * gcc.dg/analyzer/taint-CVE-2011-2210-1.c: Likewise. * gcc.dg/analyzer/taint-CVE-2020-13143-1.c: Likewise. * gcc.dg/analyzer/taint-CVE-2020-13143-2.c: Likewise. * gcc.dg/analyzer/taint-CVE-2020-13143.h: Likewise. * gcc.dg/analyzer/taint-alloc-1.c: Likewise. * gcc.dg/analyzer/taint-alloc-2.c: Likewise. * gcc.dg/analyzer/taint-alloc-3.c: Likewise. * gcc.dg/analyzer/taint-alloc-4.c: Likewise. * gcc.dg/analyzer/taint-alloc-5.c: Likewise. * gcc.dg/analyzer/taint-assert-BUG_ON.c: Likewise. * gcc.dg/analyzer/taint-assert-macro-expansion.c: Likewise. * gcc.dg/analyzer/taint-assert-system-header.c: Likewise. * gcc.dg/analyzer/taint-assert.c: Likewise. * gcc.dg/analyzer/taint-divisor-1.c: Likewise. * gcc.dg/analyzer/taint-divisor-2.c: Likewise. * gcc.dg/analyzer/taint-merger.c: Likewise. * gcc.dg/analyzer/taint-ops.c: Delete this test: it was a duplicate of material in operations.c and data-model-1.c, with -fanalyzer-checker=taint added. * gcc.dg/analyzer/taint-read-index-1.c: Remove use of -fanalyzer-checker=taint. * gcc.dg/analyzer/taint-read-offset-1.c: Likewise. * gcc.dg/analyzer/taint-realloc.c: Likewise. Add missing dg-warning for leak now that the malloc state machine is also active. * gcc.dg/analyzer/taint-size-1.c: Remove use of -fanalyzer-checker=taint. * gcc.dg/analyzer/taint-size-access-attr-1.c: Likewise. * gcc.dg/analyzer/taint-write-index-1.c: Likewise. * gcc.dg/analyzer/taint-write-offset-1.c: Likewise. * gcc.dg/analyzer/torture/taint-read-index-2.c: Likewise. * gcc.dg/analyzer/torture/taint-read-index-3.c: Likewise. * gcc.dg/plugin/taint-CVE-2011-0521-1-fixed.c: Likewise. Add -Wno-pedantic. * gcc.dg/plugin/taint-CVE-2011-0521-1.c: Likewise. * gcc.dg/plugin/taint-CVE-2011-0521-2-fixed.c: Likewise. * gcc.dg/plugin/taint-CVE-2011-0521-2.c: Likewise. * gcc.dg/plugin/taint-CVE-2011-0521-3-fixed.c: Likewise. * gcc.dg/plugin/taint-CVE-2011-0521-3.c: Likewise. Fix C++-style comment. * gcc.dg/plugin/taint-CVE-2011-0521-4.c: Remove use of -fanalyzer-checker=taint and add -Wno-pedantic. Remove xfail and add missing dg-warning. * gcc.dg/plugin/taint-CVE-2011-0521-5-fixed.c: Remove use of -fanalyzer-checker=taint and add -Wno-pedantic. * gcc.dg/plugin/taint-CVE-2011-0521-5.c: Likewise. * gcc.dg/plugin/taint-CVE-2011-0521-6.c: Likewise. * gcc.dg/plugin/taint-antipatterns-1.c: : Remove use of -fanalyzer-checker=taint. Signed-off-by: David Malcolm <dmalcolm@redhat.com>
I've enabled the taint state machine by default (with -fanalyzer) with the above patch, for GCC 14 onwards. PR analyzer/112528 tracks the only known state explosion; integration testing shows no significicant changes in results from -fanalyzer before/after the patch. Closing this bug out.
The master branch has been updated by David Malcolm <dmalcolm@gcc.gnu.org>: https://gcc.gnu.org/g:83b210d55b28461e7604068c5df95a24b21e7081 commit r14-6056-g83b210d55b28461e7604068c5df95a24b21e7081 Author: David Malcolm <dmalcolm@redhat.com> Date: Fri Dec 1 08:47:41 2023 -0500 docs: remove stray reference to -fanalyzer-checker=taint [PR103533] I missed this one in r14-5464-gcfaaa8b11b8429. gcc/ChangeLog: PR analyzer/103533 * doc/extend.texi: Remove stray reference to -fanalyzer-checker=taint. Signed-off-by: David Malcolm <dmalcolm@redhat.com>