[committed] analyzer: fix duplicates in check_for_tainted_size_arg

Thu, 10 Mar 2022 06:18:34 -0800 

Successfully bootstrapped & regrtested on x86_64-pc-linux-gnu.
Pushed to trunk as r12-7594-g708646de75cba2.

gcc/analyzer/ChangeLog:
        * sm-taint.cc (taint_state_machine::check_for_tainted_size_arg):
        Avoid generating duplicate saved_diagnostics by only handling the
        rdwr_map entry for the ptrarg, not the duplicate entry for the
        sizarg.

gcc/testsuite/ChangeLog:
        * gcc.dg/analyzer/taint-size-access-attr-1.c: Add
        -fanalyzer-show-duplicate-count to options; verify that a
        duplicate was not created for the tainted size.

Signed-off-by: David Malcolm <dmalc...@redhat.com>
---
 gcc/analyzer/sm-taint.cc                                 | 4 ++++
 gcc/testsuite/gcc.dg/analyzer/taint-size-access-attr-1.c | 7 ++++---
 2 files changed, 8 insertions(+), 3 deletions(-)

diff --git a/gcc/analyzer/sm-taint.cc b/gcc/analyzer/sm-taint.cc
index c7b28329fca..a13c2fe2cfa 100644
--- a/gcc/analyzer/sm-taint.cc
+++ b/gcc/analyzer/sm-taint.cc
@@ -904,6 +904,10 @@ taint_state_machine::check_for_tainted_size_arg 
(sm_context *sm_ctxt,
       if (!access)
        continue;
 
+      /* Ignore any duplicate entry in the map for the size argument.  */
+      if (access->ptrarg != argno)
+       continue;
+
       if (access->sizarg == UINT_MAX)
        continue;
 
diff --git a/gcc/testsuite/gcc.dg/analyzer/taint-size-access-attr-1.c 
b/gcc/testsuite/gcc.dg/analyzer/taint-size-access-attr-1.c
index 724679a8cf3..7d243a9570f 100644
--- a/gcc/testsuite/gcc.dg/analyzer/taint-size-access-attr-1.c
+++ b/gcc/testsuite/gcc.dg/analyzer/taint-size-access-attr-1.c
@@ -1,8 +1,8 @@
 /* Passing tainted sizes to external functions with attribute ((access)) with
    a size-index.  */
 
-// TODO: remove need for this option:
-/* { dg-additional-options "-fanalyzer-checker=taint" } */
+// TODO: remove need for the explicit taint option:
+/* { dg-additional-options "-fanalyzer-checker=taint 
-fanalyzer-show-duplicate-count" } */
 
 #include "analyzer-decls.h"
 #include <stdio.h>
@@ -27,7 +27,8 @@ void test_fn_read_only (FILE *f, void *p)
     __analyzer_dump_state ("taint", tmp.sz); /* { dg-warning "state: 
'tainted'" } */
     /* { dg-message "\\(\[0-9\]+\\) \\.\\.\\.to here" "event: to here" { 
target *-*-* } .-1 } */
 
-    extern_fn_read_only (p, tmp.sz); /* { dg-warning "use of 
attacker-controlled value 'tmp.sz' as size without upper-bounds checking" } */
+    extern_fn_read_only (p, tmp.sz); /* { dg-warning "use of 
attacker-controlled value 'tmp.sz' as size without upper-bounds checking" 
"warning" } */
+    /* { dg-bogus "duplicate" "duplicate" { target *-*-* } .-1 } */
   }
 }
 
-- 
2.26.3

Reply via email to