Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

GSA evaluates __analyzer_eval((((c) + 1) == ((&b[0]) + 1))) to be FLASE with the fact c == &b[0] #55

Open
0-0x41 opened this issue Jan 28, 2023 · 1 comment
Open

GSA evaluates __analyzer_eval((((c) + 1) == ((&b[0]) + 1))) to be FLASE with the fact c == &b[0] #55

0-0x41 opened this issue Jan 28, 2023 · 1 comment
Labels
false negative static oracle status: confirmed tool: gsa

Comments

@0-0x41
Copy link
Collaborator

0-0x41 commented Jan 28, 2023
edited by Geoffrey1014
Loading

date: 2023-1-28
commit: 8c8ca873216387bc26046615c806b96f0345ff9d
args: -O0 -fanalyzer
test:

#include "stdio.h"
void __analyzer_eval();
void __analyzer_dump();

void main()
{
    int *b[1] = {};
    int **c = &b[0];
    if (c == &b[0])
    {
        __analyzer_dump();
        int *p = (int *)0;
        __analyzer_describe(1, c+1);
        __analyzer_describe(1, (&b[0]) + 1);
        __analyzer_eval((((c) + 1) == ((&b[0]) + 1)));
        if (((c) + 1) == ((&b[0]) + 1))
        {
            *p = 42;
        }
    }
}

report: https://gcc.gnu.org/bugzilla/show_bug.cgi?id=109199
fix:
original:
@0-0x41
Copy link
Collaborator Author

0-0x41 commented Jan 28, 2023
edited by Geoffrey1014
Loading

GSA evaluates __analyzer_eval((((c) + 1) == ((&b[0]) + 1))) to be FLASE with the fact c == &b[0]. However, the analyzer evaluates both __analyzer_describe(0, c+1); and __analyzer_describe(0, (&b[0]) + 1); to be '(&b[(int)0]+(sizetype)8)'.

See it live:
GSA: https://godbolt.org/z/1sbKEfv43
CSA: https://godbolt.org/z/hzsjPcKh7

Input:

#include "stdio.h"
void __analyzer_eval();
void __analyzer_dump();
void __analyzer_describe();

void main()
{
    int *b[1] = {};
    int **c = &b[0];
    if (c == &b[0])
    {
        __analyzer_dump();
        int *p = (int *)0;
        __analyzer_describe(0, c+1);
        __analyzer_describe(0, (&b[0]) + 1);
        __analyzer_eval((((c) + 1) == ((&b[0]) + 1)));
        if (((c) + 1) == ((&b[0]) + 1))
        {
            *p = 42;
        }
    }
}

Output:

rmodel:
stack depth: 1
  frame (index 0): frame: 'main'@1
clusters within frame: 'main'@1
  cluster for: b: CAST(int *[1], (char)0)
  cluster for: c_8: &b[(int)0]
m_called_unknown_fn: FALSE
constraint_manager:
  equiv classes:
  constraints:
<source>: In function 'main':
<source>:14:9: warning: svalue: '(&b[(int)0]+(sizetype)8)'
   14 |         __analyzer_describe(0, c+1);
      |         ^~~~~~~~~~~~~~~~~~~~~~~~~~~
<source>:15:9: warning: svalue: '(&b[(int)0]+(sizetype)8)'
   15 |         __analyzer_describe(0, (&b[0]) + 1);
      |         ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
<source>:16:9: warning: FALSE
   16 |         __analyzer_eval((((c) + 1) == ((&b[0]) + 1)));
      |         ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Compiler returned: 0

@0-0x41 0-0x41 mentioned this issue Jan 29, 2023
Closed
@Geoffrey1014 Geoffrey1014 changed the title GCC --Wanalyzer-null-dereference false negative with *p = 42 GSA evaluates __analyzer_eval((((c) + 1) == ((&b[0]) + 1))) to be FLASE with the fact c == &b[0] Mar 19, 2023
@0x21af 0x21af changed the title GSA evaluates __analyzer_eval((((c) + 1) == ((&b[0]) + 1))) to be FLASE with the fact c == &b[0] GSA evaluates __analyzer_eval((((c) + 1) == ((&b[0]) + 1))) to be FLASE with the fact c == &b[0] Dec 21, 2023
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
false negative static oracle status: confirmed tool: gsa
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@Geoffrey1014 @0-0x41