[Bug analyzer/105892] RFE: -fanalyzer could complain about pointer subtraction of pointers to different memory chunks

cvs-commit at gcc dot gnu.org gcc-bugzilla@gcc.gnu.org
Fri Jun 7 20:20:24 GMT 2024


https://gcc.gnu.org/bugzilla/show_bug.cgi?id=105892

--- Comment #2 from GCC Commits <cvs-commit at gcc dot gnu.org> ---
The master branch has been updated by David Malcolm <dmalcolm@gcc.gnu.org>:

https://gcc.gnu.org/g:13dcaf1bb6d4f15665a47b14ac0c12cf454e38a2

commit r15-1107-g13dcaf1bb6d4f15665a47b14ac0c12cf454e38a2
Author: David Malcolm <dmalcolm@redhat.com>
Date:   Fri Jun 7 16:14:28 2024 -0400

    analyzer: new warning: -Wanalyzer-undefined-behavior-ptrdiff (PR analyzer/105892)

    Add a new warning to complain about pointer subtraction involving
    different chunks of memory.

    For example, given:

      #include <stddef.h>

      int arr[42];
      int sentinel;

      ptrdiff_t
      test_invalid_calc_of_array_size (void)
      {
        return &sentinel - arr;
      }

    this emits:

    demo.c: In function ‘test_invalid_calc_of_array_size’:
    demo.c:9:20: warning: undefined behavior when subtracting pointers [CWE-469] [-Wanalyzer-undefined-behavior-ptrdiff]
        9 |   return &sentinel - arr;
          |                    ^
      events 1-2
        │
        │    3 | int arr[42];
        │      |     ~~~
        │      |     |
        │      |     (2) underlying object for right-hand side of subtraction created here
        │    4 | int sentinel;
        │      |     ^~~~~~~~
        │      |     |
        │      |     (1) underlying object for left-hand side of subtraction created here
        │
        └──> ‘test_invalid_calc_of_array_size’: event 3
               │
               │    9 |   return &sentinel - arr;
               │      |                    ^
               │      |                    |
               │      |                    (3) ⚠️  subtraction of pointers has undefined behavior if they do not point into the same array object
               │

    gcc/analyzer/ChangeLog:
            PR analyzer/105892
            * analyzer.opt (Wanalyzer-undefined-behavior-ptrdiff): New option.
            * analyzer.opt.urls: Regenerate.
            * region-model.cc (class undefined_ptrdiff_diagnostic): New.
            (check_for_invalid_ptrdiff): New.
            (region_model::get_gassign_result): Call it for POINTER_DIFF_EXPR.

    gcc/ChangeLog:
            * doc/invoke.texi: Add -Wanalyzer-undefined-behavior-ptrdiff.

    gcc/testsuite/ChangeLog:
            PR analyzer/105892
            * c-c++-common/analyzer/out-of-bounds-pr110387.c: Add
            expected warnings about pointer subtraction.
            * c-c++-common/analyzer/ptr-subtraction-1.c: New test.
            * c-c++-common/analyzer/ptr-subtraction-CWE-469-example.c: New test.

    Signed-off-by: David Malcolm <dmalcolm@redhat.com>
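
Added example, not part of the commit or of GCC's testsuite: well-defined counterparts of the subtraction the new warning flags, reusing `arr` and `sentinel` from the commit message. The helper names `array_len_sizeof`, `array_len_ptrdiff` and `index_of` are hypothetical and chosen here for illustration.

```c
#include <stddef.h>
#include <stdio.h>

int arr[42];
int sentinel;

/* Pattern from the commit message: the operands point into different
   objects, so the subtraction is undefined (CWE-469). Kept for contrast
   and never called below. */
ptrdiff_t
test_invalid_calc_of_array_size (void)
{
  return &sentinel - arr;
}

/* Element count taken from the array's type; no pointer arithmetic. */
size_t
array_len_sizeof (void)
{
  return sizeof arr / sizeof arr[0];
}

/* Both operands derive from arr; one-past-the-end is a valid operand. */
ptrdiff_t
array_len_ptrdiff (void)
{
  const int *end = arr + array_len_sizeof ();
  return end - arr;
}

/* Index of p within base[0..n), or -1 when p is not one of its elements.
   Uses only ==, which is defined for pointers to different objects, and
   subtracts only once p is known to point into base. */
ptrdiff_t
index_of (const int *base, size_t n, const int *p)
{
  for (size_t i = 0; i < n; i++)
    if (p == base + i)
      return p - base;
  return -1;
}

int
main (void)
{
  printf ("%zu %td\n", array_len_sizeof (), array_len_ptrdiff ());
  printf ("%td %td\n", index_of (arr, 42, &arr[7]), index_of (arr, 42, &sentinel));
  return 0;
}
```

The loop in `index_of` stops before the one-past-the-end pointer on purpose: C allows that pointer to compare equal to the start of an unrelated object that happens to follow the array in memory.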

