[Bug analyzer/106626] Improvements to wording of -Wanalyzer-out-of-bounds

[cvs-commit at gcc dot gnu.org via Gcc-bugs]

https://gcc.gnu.org/bugzilla/show_bug.cgi?id=106626

--- Comment #2 from CVS Commits <cvs-commit at gcc dot gnu.org> ---
The master branch has been updated by David Malcolm <dmalc...@gcc.gnu.org>:

https://gcc.gnu.org/g:d69a95c12cc91ec10d6a8c78f401bf6720b08fce

commit r13-4426-gd69a95c12cc91ec10d6a8c78f401bf6720b08fce
Author: David Malcolm <dmalc...@redhat.com>
Date:   Wed Nov 30 21:26:42 2022 -0500

    analyzer: fix wording of 'number of bad bytes' note [PR106626]

    Consider -fanalyzer on:

    #include <stdint.h>

    int32_t arr[10];

    void int_arr_write_element_after_end_far(int32_t x)
    {
      arr[100] = x;
    }

    Trunk x86_64: https://godbolt.org/z/7GqEcYGq6

    Currently we emit:

    <source>: In function 'int_arr_write_element_after_end_far':
    <source>:7:12: warning: buffer overflow [CWE-787]
[-Wanalyzer-out-of-bounds]
        7 |   arr[100] = x;
          |   ~~~~~~~~~^~~
      event 1
        |
        |    3 | int32_t arr[10];
        |      |         ^~~
        |      |         |
        |      |         (1) capacity is 40 bytes
        |
        +--> 'int_arr_write_element_after_end_far': events 2-3
               |
               |    5 | void int_arr_write_element_after_end_far(int32_t x)
               |      |      ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
               |      |      |
               |      |      (2) entry to 'int_arr_write_element_after_end_far'
               |    6 | {
               |    7 |   arr[100] = x;
               |      |   ~~~~~~~~~~~~
               |      |            |
               |      |            (3) out-of-bounds write from byte 400 till
byte 403 but 'arr' ends at byte 40
               |
    <source>:7:12: note: write is 4 bytes past the end of 'arr'
        7 |   arr[100] = x;
          |   ~~~~~~~~~^~~

    The wording of the final note:
      "write is 4 bytes past the end of 'arr'"
    reads to me as if the "4 bytes past" is describing where the access
    occurs, which seems wrong, as the write is far beyond the end of the
    array.  Looking at the implementation, it's actually describing the
    number of bytes within the access that are beyond the bounds of the
    buffer.

    This patch updates the wording so that the final note reads
      "write of 4 bytes to beyond the end of 'arr'"
    which more clearly expresses that it's the size of the access
    being described.

    The patch also uses inform_n to avoid emitting "1 bytes".

    gcc/analyzer/ChangeLog:
            PR analyzer/106626
            * bounds-checking.cc (buffer_overflow::emit): Use inform_n.
            Update wording to clarify that we're talking about the size of
            the bad access, rather than its position.
            (buffer_overread::emit): Likewise.

    gcc/testsuite/ChangeLog:
            PR analyzer/106626
            * gcc.dg/analyzer/out-of-bounds-read-char-arr.c: Update for
            changes to expected wording.
            * gcc.dg/analyzer/out-of-bounds-read-int-arr.c: Likewise.
            * gcc.dg/analyzer/out-of-bounds-write-char-arr.c: Likewise.
            * gcc.dg/analyzer/out-of-bounds-write-int-arr.c: Likewise.

    Signed-off-by: David Malcolm <dmalc...@redhat.com>