https://gcc.gnu.org/bugzilla/show_bug.cgi?id=112975
--- Comment #2 from GCC Commits <cvs-commit at gcc dot gnu.org> --- The master branch has been updated by David Malcolm <dmalc...@gcc.gnu.org>: https://gcc.gnu.org/g:c6cf5789135236c5639075c8f235e7dd461b6ff6 commit r14-9625-gc6cf5789135236c5639075c8f235e7dd461b6ff6 Author: David Malcolm <dmalc...@redhat.com> Date: Fri Mar 22 10:57:25 2024 -0400 analyzer: look through casts in taint sanitization [PR112974,PR112975] PR analyzer/112974 and PR analyzer/112975 record false positives from the analyzer's taint detection where sanitization of the form if (VALUE CMP VALUE-OF-WIDER-TYPE) happens, but wasn't being "noticed" by the taint checker, due to the test being: (WIDER_TYPE)VALUE CMP VALUE-OF-WIDER-TYPE at the gimple level, and thus taint_state_machine recording sanitization of (WIDER_TYPE)VALUE, but not of VALUE. Fix by stripping casts in taint_state_machine::on_condition so that the state machine records sanitization of the underlying value. gcc/analyzer/ChangeLog: PR analyzer/112974 PR analyzer/112975 * sm-taint.cc (taint_state_machine::on_condition): Strip away casts before considering LHS and RHS, to increase the chance of detecting places where sanitization of a value may have happened. gcc/testsuite/ChangeLog: PR analyzer/112974 PR analyzer/112975 * gcc.dg/plugin/plugin.exp (plugin_test_list): Add taint-pr112974.c and taint-pr112975.c to analyzer_kernel_plugin.c. * gcc.dg/plugin/taint-pr112974.c: New test. * gcc.dg/plugin/taint-pr112975.c: New test. Signed-off-by: David Malcolm <dmalc...@redhat.com>
