2. Overview
• What is -fanalyzer?
• Diagnostic Serialization
• 15 new -Wanalyzer-* warnings (so far)
• Internal Improvements
• -fanalyzer on Linux kernel
4. What is -fanalyzer?
• GCC option: a static analyzer
• Explores “interesting” interprocedural paths through the code via “symbolic execution”, looking for bugs to warn about (for some definitions of “interesting” and of “bugs”)
• Can have false positives and false negatives
• https://gcc.gnu.org/wiki/StaticAnalyzer
5. What is -fanalyzer?
● GCC 10: 15 new warnings
● GCC 11: 7 new warnings (22 total)
● GCC 12: 5 new warnings (27 total)
● GCC 13: 15 new warnings so far (42 total)
https://gcc.gnu.org/wiki/StaticAnalyzer
9. Diagnostic Serialization: playback using GCC
• Not yet in trunk:
● [PATCH 00/12] RFC: Replay of serialized diagnostics
  https://gcc.gnu.org/pipermail/gcc-patches/2022-June/597051.html
● e.g. the results of a javascript linter:
19. New warnings in trunk by Tim Lange (GSoC)
• -Wanalyzer-allocation-size
• -Wanalyzer-imprecise-fp-arithmetic
• -Wanalyzer-out-of-bounds
• Tested on coreutils, curl, httpd and openssh.
23. File descriptor support
• GSoC project by Immad Mir
• State machine for tracking state of file descriptors
• In trunk: five new warnings, three new attributes
• -Wanalyzer-fd-use-without-check
• -Wanalyzer-fd-access-mode-mismatch
• -Wanalyzer-fd-double-close
• -Wanalyzer-fd-leak
• -Wanalyzer-fd-use-after-close
• __attribute__((fd_arg(N)))
• __attribute__((fd_arg_read(N)))
• __attribute__((fd_arg_write(N)))
• Special-casing of: open, creat, dup, dup2, dup3, read, write, close
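Added example (not code from the talk): a deliberately buggy routine beside its hardened form, showing the file-descriptor states the state machine above tracks and the fd_arg_read attribute from the slide; the function names, the helper macro and the temp-file path are constructed for illustration, and the comments name the warning each pattern is designed to trigger, not the exact diagnostic text.

```c
#define _POSIX_C_SOURCE 200809L
#include <fcntl.h>
#include <stdlib.h>
#include <unistd.h>

#if defined(__GNUC__) && !defined(__clang__) && __GNUC__ >= 13  /* fd_arg_read is new in GCC 13 */
#  define FD_ARG_READ(n) __attribute__((fd_arg_read(n)))
#else
#  define FD_ARG_READ(n)                                        /* other compilers: no-op */
#endif

/* Contract for the analyzer: argument 1 must be an open fd that is readable by read(). */
FD_ARG_READ(1) static ssize_t read_first_byte(int fd, unsigned char *out)
{
    return read(fd, out, 1);
}

/* Deliberately buggy: the patterns the -Wanalyzer-fd-* warnings target. Never called at run time. */
int probe_buggy(const char *path, unsigned char *out)
{
    int fd = open(path, O_WRONLY);   /* write-only fd, result never checked ...       */
    read_first_byte(fd, out);        /* fd-use-without-check, fd-access-mode-mismatch */
    close(fd);
    close(fd);                       /* fd-double-close                               */
    return (int)read(fd, out, 1);    /* fd-use-after-close                            */
}

/* Hardened: open() result checked, access mode matches the use, closed exactly once on every path. */
int probe_fixed(const char *path, unsigned char *out)
{
    int fd = open(path, O_RDONLY);
    if (fd < 0) return -1;           /* checked before any use */
    ssize_t n = read_first_byte(fd, out);
    close(fd);                       /* no fd-leak */
    return n == 1 ? 0 : -1;
}

/* Self-check on constructed input: a temp file holding the single byte 'A'; returns it, or -1 on failure. */
int demo_fd_handling(void)
{
    char tmpl[] = "/tmp/fd-demo-XXXXXX";   /* constructed sample path */
    unsigned char c = 0;
    int fd = mkstemp(tmpl);
    if (fd < 0) return -1;
    int ok = write(fd, "A", 1) == 1;
    close(fd);
    int rc = ok ? probe_fixed(tmpl, &c) : -1;
    unlink(tmpl);                    /* remove the constructed file */
    return rc == 0 ? (int)c : -1;
}
```

Building this file with `gcc -fanalyzer -c` reports on probe_buggy and stays quiet on probe_fixed.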
30. New warnings I’m working on
• -Wanalyzer-deref-before-check
• -Wanalyzer-infinite-recursion
• -Wanalyzer-infinite-loop
● Requires some internal reworking of the analyzer, since there might not be a gimple stmt associated with an infinite loop
31. New warning from Tim: -Wanalyzer-restrict
void h(int n, int * restrict p, int * restrict q, int * restrict r)
{
  int i;
  for (i = 0; i < n; i++)
    p[i] = q[i] + r[i];
}

/path/to/main.c:70:13: warning: passing argument 3 to ‘restrict’-qualified parameter aliases with argument 4 [-Wrestrict]
   70 |   h(100, a, b, b);
      |             ^  ~
• But https://www.open-std.org/jtc1/sc22/wg14/www/docs/n2912 seems to suggest that the above code is correct
• https://gcc.gnu.org/pipermail/gcc/2022-July/239213.html
33. Internal improvements
• Reimplemented call_string class (done)
• Fixups to how -fanalyzer emits execution paths in
the face of inlined functions (done)
• Ability for GCC plugins to specify the behavior of
a specific function to the analyzer (done)
• Use of std::unique_ptr (in progress: need a
make_unique somewhere)
39. How to specify trust boundaries in kernel?
• Have got part of the way there via a GCC plugin (240
lines)
• Have a v2 of #pragma GCC custom_address_space
● (not yet posted to list)
• ...but doing it as an attribute may be preferable from
the kernel point-of-view
• May also want an __attribute__((noderef))
40. Summary
• General diagnostic improvements in GCC 13
● Serialization
● Metadata
• Lots of new warnings in -fanalyzer in GCC 13
• -fanalyzer on Linux kernel
• Want to implement a new warning?
● Lots of ideas in Bugzilla…
● ...or choose your own