https://gcc.gnu.org/bugzilla/show_bug.cgi?id=103533
Bug ID: 103533
Summary: Enable "taint" state machine with -fanalyzer without requiring -fanalyzer-checker=taint
Product: gcc
Version: 12.0
Status: UNCONFIRMED
Severity: normal
Priority: P3
Component: analyzer
Assignee: dmalcolm at gcc dot gnu.org
Reporter: dmalcolm at gcc dot gnu.org
Target Milestone: ---

sm.cc: make_checkers currently has:

  /* The "taint" checker must be explicitly enabled (as it currently
     leads to state explosions that stop the other checkers working).  */
  if (flag_analyzer_checker)
    out.safe_push (make_taint_state_machine (logger));

and all of the various testcases for the "taint" state machine have:

  // TODO: remove need for this option:
  /* { dg-additional-options "-fanalyzer-checker=taint" } */

and with notes in the docs of the form:

  This warning requires both @option{-fanalyzer} and
  @option{-fanalyzer-checker=taint} to enable it;

I'm opening this bug to track removing the need for this, so that the taint checker can be enabled directly by -fanalyzer.

Currently removing this leads to:

* ICE in alt_get_inherited_state in abs-1.c, data-model-1.c, data-model-19.c, pr101570.c, pr99771-1.c, zlib-2.c, zlib-3.c, torture/pr93450.c; all of which seem to be for a UNARY_OP that isn't a NOP_EXPR; replacing that gcc_unreachable with break, so it returns NULL, fixes all of these.
* state explosion and failure in pr93032-mztools.c, with:

../../src/gcc/testsuite/gcc.dg/analyzer/pr93032-mztools.c: In function ‘unzRepair’:
../../src/gcc/testsuite/gcc.dg/analyzer/pr93032-mztools.c:252:16: warning: terminating analysis for this program point: callstring: [] after SN: 52EN: 270-271, EN: 526-527, EN: 782-783, EN: 1038-1039 [-Wanalyzer-too-complex]
  252 |         entries++;
      |         ~~~~~~~^~
../../src/gcc/testsuite/gcc.dg/analyzer/pr93032-mztools.c:252:16: warning: terminating analysis for this program point: callstring: [] after SN: 52EN: 270-271, EN: 526-527, EN: 782-783, EN: 1038-1039 [-Wanalyzer-too-complex]
../../src/gcc/testsuite/gcc.dg/analyzer/pr93032-mztools.c:299:31: warning: terminating analysis for this program point: callstring: [] before (SN: 68 stmt: 0): _325 = fread (&buffer, 1, 8192, fpOutCD_522);EN: 1302-1308, EN: 1329 [-Wanalyzer-too-complex]
  299 |     while ( (nRead = (int)fread(buffer, 1, sizeof(buffer), fpOutCD)) > 0) {
      |                               ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
../../src/gcc/testsuite/gcc.dg/analyzer/pr93032-mztools.c:299:31: warning: terminating analysis for this program point: callstring: [] before (SN: 68 stmt: 0): _325 = fread (&buffer, 1, 8192, fpOutCD_522);EN: 1302-1308, EN: 1329 [-Wanalyzer-too-complex]
../../src/gcc/testsuite/gcc.dg/analyzer/pr93032-mztools.c:299:31: warning: terminating analysis for this program point: callstring: [] before (SN: 68 stmt: 0): _325 = fread (&buffer, 1, 8192, fpOutCD_522);EN: 1302-1308, EN: 1329 [-Wanalyzer-too-complex]
../../src/gcc/testsuite/gcc.dg/analyzer/pr93032-mztools.c:299:31: warning: terminating analysis for this program point: callstring: [] before (SN: 68 stmt: 0): _325 = fread (&buffer, 1, 8192, fpOutCD_522);EN: 1302-1308, EN: 1329 [-Wanalyzer-too-complex]
../../src/gcc/testsuite/gcc.dg/analyzer/pr93032-mztools.c:299:31: warning: terminating analysis for this program point: callstring: [] before (SN: 68 stmt: 0): _325 = fread (&buffer, 1, 8192, fpOutCD_522);EN: 1302-1308, EN: 1329 [-Wanalyzer-too-complex]
../../src/gcc/testsuite/gcc.dg/analyzer/pr93032-mztools.c:299:31: warning: terminating analysis for this program point: callstring: [] before (SN: 68 stmt: 0): _325 = fread (&buffer, 1, 8192, fpOutCD_522);EN: 1302-1308, EN: 1329 [-Wanalyzer-too-complex]
../../src/gcc/testsuite/gcc.dg/analyzer/pr93032-mztools.c:299:31: warning: terminating analysis for this program point: callstring: [] before (SN: 68 stmt: 0): _325 = fread (&buffer, 1, 8192, fpOutCD_522);EN: 1302-1308, EN: 1329 [-Wanalyzer-too-complex]
../../src/gcc/testsuite/gcc.dg/analyzer/pr93032-mztools.c: At top level:
../../src/gcc/testsuite/gcc.dg/analyzer/pr93032-mztools.c:319:21: warning: analysis bailed out early (401 'after-snode' enodes; 1506 enodes) [-Wanalyzer-too-complex]
  319 |     *nRecovered = entries;
      |     ~~~~~~~~~~~~^~~~~~~~~

Interestingly, PR analyzer/103521 reports this as now failing on powerpc64 (without turning on taint detection), although the explosion is in a different place.
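The following is an added example, not part of the bug report or of GCC's testsuite, of the kind of code the "taint" state machine exists to catch: a byte read from a stream with fread is used, without a bounds check, as an index into a fixed-size array. The analyzer treats the buffer filled by fread as attacker-controlled, and an unchecked array lookup on such a value is what -Wanalyzer-tainted-array-index is meant to report; on GCC 12 as described in this report, seeing that warning requires both -fanalyzer and -fanalyzer-checker=taint (dropping the second flag is the point of this bug). The bounds-checked variant next to it is what the fix looks like from the application's side. The function names, the table contents and the input bytes (written to a tmpfile so that the read really goes through fread) are this example's own.

```c
#include <stdio.h>
#include <string.h>

/* Added example: a lookup table indexed by a byte read from an untrusted
   stream.  Compile with "gcc -fanalyzer -fanalyzer-checker=taint" to ask
   GCC 12's analyzer to report the unchecked lookup below. */

#define TABLE_SIZE 16

static const int table[TABLE_SIZE] = {
    0, 1, 4, 9, 16, 25, 36, 49, 64, 81, 100, 121, 144, 169, 196, 225
};

/* Vulnerable: 'idx' comes straight from fread (a taint source) and is used
   as an array index with no bounds check.  Any byte >= TABLE_SIZE reads
   past the end of 'table'. */
int lookup_unchecked(FILE *f)
{
    unsigned char idx;
    if (fread(&idx, 1, 1, f) != 1)
        return -1;                 /* short read: no index available */
    return table[idx];             /* tainted index, no bounds check */
}

/* Hardened: the tainted value is range-checked before the array access,
   so the analyzer sees it as sanitised on the path that reaches the lookup. */
int lookup_checked(FILE *f)
{
    unsigned char idx;
    if (fread(&idx, 1, 1, f) != 1)
        return -1;
    if (idx >= TABLE_SIZE)         /* bounds check on the attacker-controlled value */
        return -1;
    return table[idx];
}

/* Helper for exercising both lookups on a constructed byte string.  The
   bytes are written to a temporary file and read back so that the data
   arrives via fread, exactly as untrusted file input would.
   Returns the table value, -1 for a missing or rejected index, -2 on I/O
   setup failure. */
int lookup_from_bytes(const unsigned char *bytes, size_t len, int checked)
{
    FILE *f = tmpfile();
    if (!f)
        return -2;
    if (len && fwrite(bytes, 1, len, f) != len) {
        fclose(f);
        return -2;
    }
    rewind(f);
    int r = checked ? lookup_checked(f) : lookup_unchecked(f);
    fclose(f);
    return r;
}

int main(void)
{
    static const unsigned char in_range[]     = { 0x05 }; /* constructed input */
    static const unsigned char out_of_range[] = { 0xF0 }; /* constructed input */

    printf("checked,   idx 5   -> %d\n", lookup_from_bytes(in_range, 1, 1));
    printf("checked,   idx 240 -> %d\n", lookup_from_bytes(out_of_range, 1, 1));
    printf("unchecked, idx 5   -> %d\n", lookup_from_bytes(in_range, 1, 0));
    /* lookup_unchecked on out_of_range would read past 'table' (undefined
       behaviour), so it is deliberately not executed here; it is the case
       the analyzer is expected to flag statically. */
    return 0;
}
```

The two functions differ only in the `idx >= TABLE_SIZE` test, which is what turns the tainted value into one the analyzer considers bounded on the path to `table[idx]`; without the checker enabled, -fanalyzer alone says nothing about either function on GCC 12.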