analyzer: disable the "taint" checker by default

PR analyzer/93032 tracks a false negative where we fail to report FILE * leaks within zlib/contrib/minizip/mztools.c. The underlying issue is a combinatorial explosion of states within the exploded graph. In particular, the state of the "taint" checker is exploding, leading to the analyzer bailing out. I have a patch kit under construction that fixes the state explosion issue enough for the "file" checker to report the leaks, but doing so requires disabling the "taint" checker. Given that the latter is more of a proof-of-concept, this patch disables it by default, to stop it breaking the other checkers. gcc/analyzer/ChangeLog: PR analyzer/93032 * sm.cc (make_checkers): Require the "taint" checker to be explicitly enabled. gcc/ChangeLog: PR analyzer/93032 * doc/invoke.texi (-Wnanalyzer-tainted-array-index): Note that -fanalyzer-checker=taint is also required. (-fanalyzer-checker=): Note that providing this option enables the given checker, and doing so may be required for checkers that are disabled by default. gcc/testsuite/ChangeLog: PR analyzer/93032 * gcc.dg/analyzer/pr93382.c: Add "-fanalyzer-checker=taint". * gcc.dg/analyzer/taint-1.c: Likewise.

analyzer: disable the "taint" checker by default
PR analyzer/93032 tracks a false negative where we fail to report FILE * leaks within zlib/contrib/minizip/mztools.c. The underlying issue is a combinatorial explosion of states within the exploded graph. In particular, the state of the "taint" checker is exploding, leading to the analyzer bailing out. I have a patch kit under construction that fixes the state explosion issue enough for the "file" checker to report the leaks, but doing so requires disabling the "taint" checker. Given that the latter is more of a proof-of-concept, this patch disables it by default, to stop it breaking the other checkers. gcc/analyzer/ChangeLog: PR analyzer/93032 * sm.cc (make_checkers): Require the "taint" checker to be explicitly enabled. gcc/ChangeLog: PR analyzer/93032 * doc/invoke.texi (-Wnanalyzer-tainted-array-index): Note that -fanalyzer-checker=taint is also required. (-fanalyzer-checker=): Note that providing this option enables the given checker, and doing so may be required for checkers that are disabled by default. gcc/testsuite/ChangeLog: PR analyzer/93032 * gcc.dg/analyzer/pr93382.c: Add "-fanalyzer-checker=taint". * gcc.dg/analyzer/taint-1.c: Likewise.
b3d788a2 · David Malcolm · 3a25f345 · b3d788a2 · b3d788a2 · b3d788a2
Commit b3d788a2 authored Feb 21, 2020 by David Malcolm
Showing with 38 additions and 4 deletions

gcc/ChangeLog
+9 -0

gcc/analyzer/ChangeLog
+6 -0

gcc/analyzer/sm.cc
+4 -1

gcc/doc/invoke.texi
+9 -3

gcc/testsuite/ChangeLog
+6 -0

gcc/testsuite/gcc.dg/analyzer/pr93382.c
+2 -0

gcc/testsuite/gcc.dg/analyzer/taint-1.c
+2 -0

No files found.
--- a/gcc/ChangeLog
+++ b/gcc/ChangeLog
 2020-02-24  David Malcolm  <dmalcolm@redhat.com>

+	PR analyzer/93032
+	* doc/invoke.texi (-Wnanalyzer-tainted-array-index): Note that
+	-fanalyzer-checker=taint is also required.
+	(-fanalyzer-checker=): Note that providing this option enables the
+	given checker, and doing so may be required for checkers that are
+	disabled by default.
+
+2020-02-24  David Malcolm  <dmalcolm@redhat.com>
+
 	* doc/invoke.texi (-fanalyzer-verbosity=): "2" only shows
 	significant control flow events; add a "3" which shows all
 	control flow events; the old "3" becomes "4".

--- a/gcc/analyzer/ChangeLog
+++ b/gcc/analyzer/ChangeLog
 2020-02-24  David Malcolm  <dmalcolm@redhat.com>

+	PR analyzer/93032
+	* sm.cc (make_checkers): Require the "taint" checker to be
+	explicitly enabled.
+
+2020-02-24  David Malcolm  <dmalcolm@redhat.com>
+
 	PR analyzer/93899
 	* engine.cc
 	(impl_region_model_context::impl_region_model_context): Add logger

--- a/gcc/analyzer/sm.cc
+++ b/gcc/analyzer/sm.cc
@@ -111,7 +111,10 @@ make_checkers (auto_delete_vec <state_machine> &out, logger *logger)
 {
  out.safe_push (make_malloc_state_machine (logger));
  out.safe_push (make_fileptr_state_machine (logger));
-  out.safe_push (make_taint_state_machine (logger));
+  /* The "taint" checker must be explicitly enabled (as it currently
+     leads to state explosions that stop the other checkers working).  */
+  if (flag_analyzer_checker)
+    out.safe_push (make_taint_state_machine (logger));
  out.safe_push (make_sensitive_state_machine (logger));
  out.safe_push (make_signal_state_machine (logger));


--- a/gcc/doc/invoke.texi
+++ b/gcc/doc/invoke.texi
@@ -6629,8 +6629,9 @@ no longer exists, and likely lead to a crash (or worse).
 @item -Wno-analyzer-tainted-array-index
 @opindex Wanalyzer-tainted-array-index
 @opindex Wno-analyzer-tainted-array-index
-This warning requires @option{-fanalyzer}, which enables it; use
-@option{-Wno-analyzer-tainted-array-index} to disable it.
+This warning requires both @option{-fanalyzer} and
+@option{-fanalyzer-checker=taint} to enable it;
+use @option{-Wno-analyzer-tainted-array-index} to disable it.

 This diagnostic warns for paths through the code in which a value
 that could be under an attacker's control is used as the index
@@ -8436,7 +8437,12 @@ call site, and that are sufficiently complicated (as per

 @item -fanalyzer-checker=@var{name}
 @opindex fanalyzer-checker
-Restrict the analyzer to run just the named checker.
+Restrict the analyzer to run just the named checker, and enable it.
+
+Some checkers are disabled by default (even with @option{-fanalyzer}),
+such as the @code{taint} checker that implements
+@option{-Wanalyzer-tainted-array-index}, and this option is required
+to enable them.

 @item -fanalyzer-fine-grained
 @opindex fanalyzer-fine-grained
--- a/gcc/testsuite/ChangeLog
+++ b/gcc/testsuite/ChangeLog
 2020-02-24  David Malcolm  <dmalcolm@redhat.com>

+	PR analyzer/93032
+	* gcc.dg/analyzer/pr93382.c: Add "-fanalyzer-checker=taint".
+	* gcc.dg/analyzer/taint-1.c: Likewise.
+
+2020-02-24  David Malcolm  <dmalcolm@redhat.com>
+
 	PR analyzer/93899
 	* g++.dg/analyzer/pr93899.C: New test.


--- a/gcc/testsuite/gcc.dg/analyzer/pr93382.c
+++ b/gcc/testsuite/gcc.dg/analyzer/pr93382.c
+/* { dg-additional-options "-fanalyzer-checker=taint" } */
+
 typedef __SIZE_TYPE__ size_t;

 int idx;

--- a/gcc/testsuite/gcc.dg/analyzer/taint-1.c
+++ b/gcc/testsuite/gcc.dg/analyzer/taint-1.c
+/* { dg-additional-options "-fanalyzer-checker=taint" } */
+
 #include <stdio.h>
 #include <stdlib.h>
 #include <string.h>