PR analyzer/93032 tracks a false negative where we fail to report
FILE * leaks within zlib/contrib/minizip/mztools.c.

The underlying issue is a combinatorial explosion of states within the
exploded graph.  In particular, the state of the "taint" checker is
exploding, leading to the analyzer bailing out.

I have a patch kit under construction that fixes the state explosion
issue enough for the "file" checker to report the leaks, but doing so
requires disabling the "taint" checker.  Given that the latter is more
of a proof-of-concept, this patch disables it by default, to stop it
breaking the other checkers.

Successfully bootstrapped & regrtested on x86_64-pc-linux-gnu.
Pushed to master as r10-6828-gb3d788a2cd35c734a683444c976abe14afc5c1c1.

gcc/analyzer/ChangeLog:
        PR analyzer/93032
        * sm.cc (make_checkers): Require the "taint" checker to be
        explicitly enabled.

gcc/ChangeLog:
        PR analyzer/93032
        * doc/invoke.texi (-Wnanalyzer-tainted-array-index): Note that
        -fanalyzer-checker=taint is also required.
        (-fanalyzer-checker=): Note that providing this option enables the
        given checker, and doing so may be required for checkers that are
        disabled by default.

gcc/testsuite/ChangeLog:
        PR analyzer/93032
        * gcc.dg/analyzer/pr93382.c: Add "-fanalyzer-checker=taint".
        * gcc.dg/analyzer/taint-1.c: Likewise.
---
 gcc/analyzer/sm.cc                      |  5 ++++-
 gcc/doc/invoke.texi                     | 12 +++++++++---
 gcc/testsuite/gcc.dg/analyzer/pr93382.c |  2 ++
 gcc/testsuite/gcc.dg/analyzer/taint-1.c |  2 ++
 4 files changed, 17 insertions(+), 4 deletions(-)

diff --git a/gcc/analyzer/sm.cc b/gcc/analyzer/sm.cc
index e94c691c16c..b1f156fecc9 100644
--- a/gcc/analyzer/sm.cc
+++ b/gcc/analyzer/sm.cc
@@ -111,7 +111,10 @@ make_checkers (auto_delete_vec <state_machine> &out, 
logger *logger)
 {
   out.safe_push (make_malloc_state_machine (logger));
   out.safe_push (make_fileptr_state_machine (logger));
-  out.safe_push (make_taint_state_machine (logger));
+  /* The "taint" checker must be explicitly enabled (as it currently
+     leads to state explosions that stop the other checkers working).  */
+  if (flag_analyzer_checker)
+    out.safe_push (make_taint_state_machine (logger));
   out.safe_push (make_sensitive_state_machine (logger));
   out.safe_push (make_signal_state_machine (logger));
 
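Review bot: the guard `if (flag_analyzer_checker)` only tests that some -fanalyzer-checker= value was given, not that it names "taint", so `-fanalyzer-checker=malloc` still constructs the taint state machine here and relies on later filtering to drop it. The comment above it says the checker "must be explicitly enabled"; comparing the name directly (e.g. `if (flag_analyzer_checker && strcmp (flag_analyzer_checker, "taint") == 0)`) would make the code match that comment without depending on the filtering elsewhere.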
diff --git a/gcc/doc/invoke.texi b/gcc/doc/invoke.texi
index 3591404055b..11ff45ed23e 100644
--- a/gcc/doc/invoke.texi
+++ b/gcc/doc/invoke.texi
@@ -6629,8 +6629,9 @@ no longer exists, and likely lead to a crash (or worse).
 @item -Wno-analyzer-tainted-array-index
 @opindex Wanalyzer-tainted-array-index
 @opindex Wno-analyzer-tainted-array-index
-This warning requires @option{-fanalyzer}, which enables it; use
-@option{-Wno-analyzer-tainted-array-index} to disable it.
+This warning requires both @option{-fanalyzer} and
+@option{-fanalyzer-checker=taint} to enable it;
+use @option{-Wno-analyzer-tainted-array-index} to disable it.
 
 This diagnostic warns for paths through the code in which a value
 that could be under an attacker's control is used as the index
@@ -8436,7 +8437,12 @@ call site, and that are sufficiently complicated (as per
 
 @item -fanalyzer-checker=@var{name}
 @opindex fanalyzer-checker
-Restrict the analyzer to run just the named checker.
+Restrict the analyzer to run just the named checker, and enable it.
+
+Some checkers are disabled by default (even with @option{-fanalyzer}),
+such as the @code{taint} checker that implements
+@option{-Wanalyzer-tainted-array-index}, and this option is required
+to enable them.
 
 @item -fanalyzer-fine-grained
 @opindex fanalyzer-fine-grained
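Review bot: the first sentence still says the option restricts the analyzer to run just the named checker, so `-fanalyzer-checker=taint` also switches off the malloc, file and other checkers; combined with "this option is required to enable them", a reader may expect it to be additive. Worth stating the trade-off here, e.g. that enabling the taint checker this way means the other checkers' warnings are not reported in that run.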
diff --git a/gcc/testsuite/gcc.dg/analyzer/pr93382.c 
b/gcc/testsuite/gcc.dg/analyzer/pr93382.c
index 7d18d16e444..dae32f5a2bb 100644
--- a/gcc/testsuite/gcc.dg/analyzer/pr93382.c
+++ b/gcc/testsuite/gcc.dg/analyzer/pr93382.c
@@ -1,3 +1,5 @@
+/* { dg-additional-options "-fanalyzer-checker=taint" } */
+
 typedef __SIZE_TYPE__ size_t;
 
 int idx;
diff --git a/gcc/testsuite/gcc.dg/analyzer/taint-1.c 
b/gcc/testsuite/gcc.dg/analyzer/taint-1.c
index 293ce286819..549e2660284 100644
--- a/gcc/testsuite/gcc.dg/analyzer/taint-1.c
+++ b/gcc/testsuite/gcc.dg/analyzer/taint-1.c
@@ -1,3 +1,5 @@
+/* { dg-additional-options "-fanalyzer-checker=taint" } */
+
 #include <stdio.h>
 #include <stdlib.h>
 #include <string.h>
-- 
2.21.0