2024-06-20  Release Manager

	* GCC 12.4.0 released.

2023-05-08  Release Manager

	* GCC 12.3.0 released.

2023-03-29  David Malcolm  <dmalcolm@redhat.com>

	PR analyzer/109094
	* region-model.cc (region_model::on_longjmp): Pass false for
	new "eval_return_svalue" param of pop_frame.
	(region_model::pop_frame): Add new "eval_return_svalue" param and
	use it to suppress the call to get_rvalue on the result when
	needed by on_longjmp.
	* region-model.h (region_model::pop_frame): Add new
	"eval_return_svalue" param.

2023-03-29  David Malcolm  <dmalcolm@redhat.com>

	PR analyzer/108968
	* region-model.cc (region_model::get_rvalue_1): Handle VAR_DECLs
	with a DECL_HARD_REGISTER by returning UNKNOWN.

2023-03-29  David Malcolm  <dmalcolm@redhat.com>

	PR analyzer/108733
	* state-purge.cc (get_candidate_for_purging): Add ADDR_EXPR
	and MEM_REF.

2023-03-29  David Malcolm  <dmalcolm@redhat.com>

	PR analyzer/108704
	* state-purge.cc (state_purge_per_decl::process_point_backwards):
	Don't stop processing the decl if it's fully overwritten by
	this stmt if it's also used by this stmt.

2023-03-29  David Malcolm  <dmalcolm@redhat.com>

	PR analyzer/106325
	* region-model-manager.cc
	(region_model_manager::get_or_create_null_ptr): New.
	* region-model.cc (region_model::on_top_level_param): Add
	"nonnull" param and make use of it.
	(region_model::push_frame): When handling a top-level entrypoint
	to the analysis, determine which params __attribute__((nonnull))
	applies to, and pass to on_top_level_param.
	* region-model.h (region_model_manager::get_or_create_null_ptr):
	New decl.
	(region_model::on_top_level_param): Add "nonnull" param.

2023-03-29  David Malcolm  <dmalcolm@redhat.com>

	PR analyzer/107948
	* region-model-manager.cc
	(region_model_manager::maybe_fold_binop): Fold (0 - VAL) to -VAL.
	* region-model.cc (region_model::eval_condition): Handle e.g.
	"-X <= 0" as equivalent to "X >= 0".

2023-03-29  David Malcolm  <dmalcolm@redhat.com>

	PR analyzer/105784
	* region-model-manager.cc
	(region_model_manager::maybe_fold_binop): For POINTER_PLUS_EXPR,
	PLUS_EXPR and MINUS_EXPR, eliminate requirement that the final
	type matches that of arg0 in favor of a cast.

2023-03-29  David Malcolm  <dmalcolm@redhat.com>

	PR analyzer/107582
	* engine.cc (dynamic_call_info_t::update_model): Update the model
	by pushing or popping a frame, rather than by clobbering it with
	the model from the exploded_node's state.

2023-03-29  David Malcolm  <dmalcolm@redhat.com>

	PR analyzer/107345
	* region-model.cc (region_model::eval_condition_without_cm):
	Ensure that constants are on the right-hand side before checking
	for them.

2023-03-29  David Malcolm  <dmalcolm@redhat.com>

	* region-model-manager.cc
	(region_model_manager::maybe_fold_unaryop): Fold -(-(VAL)) to VAL.

2023-03-29  David Malcolm  <dmalcolm@redhat.com>

	PR analyzer/106573
	* region-model.cc (region_model::on_call_pre): Use check_call_args
	when ensuring that we call get_arg_svalue on all args. Remove
	redundant call from handling for stdio builtins.

2023-03-29  David Malcolm  <dmalcolm@redhat.com>

	PR analyzer/106573
	* region-model.cc (region_model::on_call_pre): Ensure that we call
	get_arg_svalue on all arguments.

2022-08-19  Release Manager

	* GCC 12.2.0 released.

2022-07-27  David Malcolm  <dmalcolm@redhat.com>

	* region.h (code_region::get_element): Remove stray decl.
	(function_region::get_element): Likewise.

2022-07-27  David Malcolm  <dmalcolm@redhat.com>

	PR analyzer/106225
	* sm-taint.cc (taint_state_machine::on_stmt): Move handling of
	assignments from division to...
	(taint_state_machine::check_for_tainted_divisor): ...this new
	function. Reject warning when the divisor is known to be non-zero.
	* sm.cc: Include "analyzer/program-state.h".
	(sm_context::get_old_region_model): New.
	* sm.h (sm_context::get_old_region_model): New decl.

2022-07-27  David Malcolm  <dmalcolm@redhat.com>

	PR analyzer/106204
	* region-model.cc (within_short_circuited_stmt_p): Move extraction
	of assign_stmt to caller.
	(due_to_ifn_deferred_init_p): New.
	(region_model::check_for_poison): Move extraction of assign_stmt
	from within_short_circuited_stmt_p to here. Share logic with
	call to due_to_ifn_deferred_init_p.

2022-07-27  David Malcolm  <dmalcolm@redhat.com>

	* diagnostic-manager.cc (saved_diagnostic::dump_dot_id): New.
	(saved_diagnostic::dump_as_dot_node): New.
	* diagnostic-manager.h (saved_diagnostic::dump_dot_id): New decl.
	(saved_diagnostic::dump_as_dot_node): New decl.
	* engine.cc (exploded_node::dump_dot): Add nodes for saved
	diagnostics.

2022-07-27  David Malcolm  <dmalcolm@redhat.com>

	* checker-path.cc (state_change_event::get_desc): Call maybe_free
	on label_text temporaries.
	* diagnostic-manager.cc
	(diagnostic_manager::prune_for_sm_diagnostic): Likewise.
	* engine.cc (exploded_graph::~exploded_graph): Fix leak of
	m_per_point_data and m_per_call_string_data values. Simplify
	cleanup of m_per_function_stats and m_per_point_data values.
	(feasibility_state::maybe_update_for_edge): Fix leak of result of
	superedge::get_description.
	* region-model-manager.cc
	(region_model_manager::~region_model_manager): Move cleanup of
	m_setjmp_values to match the ordering of the fields within
	region_model_manager. Fix leak of values within
	m_repeated_values_map, m_bits_within_values_map,
	m_asm_output_values_map, and m_const_fn_result_values_map.

2022-07-27  David Malcolm  <dmalcolm@redhat.com>

	PR analyzer/105285
	* store.cc (binding_cluster::get_any_binding): Handle accessing
	sub_svalues of clusters where the base region has a symbolic
	binding.

2022-07-27  David Malcolm  <dmalcolm@redhat.com>

	* diagnostic-manager.cc (epath_finder::process_worklist_item):
	Call dump_feasible_path when a path that reaches the target
	enode is found.
	(epath_finder::dump_feasible_path): New.
	* engine.cc (feasibility_state::dump_to_pp): New.
	* exploded-graph.h (feasibility_state::dump_to_pp): New decl.
	* feasible-graph.cc (feasible_graph::dump_feasible_path): New.
	* feasible-graph.h (feasible_graph::dump_feasible_path): New
	decls.
	* program-point.cc (function_point::print): Fix missing trailing
	newlines.
	* program-point.h (program_point::print_source_line): Remove
	unimplemented decl.

2022-05-06  Release Manager

	* GCC 12.1.0 released.

2022-04-25  David Malcolm  <dmalcolm@redhat.com>

	PR analyzer/105365
	PR analyzer/105366
	* svalue.cc
	(cmp_cst): Rename to...
	(cmp_csts_same_type): ...this. Convert all recursive calls to
	calls to...
	(cmp_csts_and_types): ...this new function.
	(svalue::cmp_ptr): Update for renaming of cmp_cst.

2022-04-14  David Malcolm  <dmalcolm@redhat.com>

	PR analyzer/105264
	* region-model-reachability.cc (reachable_regions::handle_parm):
	Use maybe_get_deref_base_region rather than just region_svalue, to
	handle pointer arithmetic also.
	* svalue.cc (svalue::maybe_get_deref_base_region): New.
	* svalue.h (svalue::maybe_get_deref_base_region): New decl.

2022-04-14  David Malcolm  <dmalcolm@redhat.com>

	PR analyzer/105252
	* svalue.cc (cmp_cst): When comparing VECTOR_CSTs, compare the
	types of the encoded elements before calling cmp_cst on them.

2022-04-09  David Malcolm  <dmalcolm@redhat.com>

	PR analyzer/103892
	* region-model-manager.cc
	(region_model_manager::get_unknown_symbolic_region): New,
	extracted from...
	(region_model_manager::get_field_region): ...here.
	(region_model_manager::get_element_region): Use it here.
	(region_model_manager::get_offset_region): Likewise.
	(region_model_manager::get_sized_region): Likewise.
	(region_model_manager::get_cast_region): Likewise.
	(region_model_manager::get_bit_range): Likewise.
	* region-model.h
	(region_model_manager::get_unknown_symbolic_region): New decl.
	* region.cc (symbolic_region::symbolic_region): Handle sval_ptr
	having NULL type.
	(symbolic_region::dump_to_pp): Handle having NULL type.

2022-04-07  David Malcolm  <dmalcolm@redhat.com>

	PR analyzer/102208
	* store.cc (binding_map::remove_overlapping_bindings): Add
	"always_overlap" param, using it to generalize to the case where
	we want to remove all bindings. Update "uncertainty" logic to
	only record maybe-bound values for cases where there is a symbolic
	write involved.
	(binding_cluster::mark_region_as_unknown): Split param "reg" into
	"reg_to_bind" and "reg_for_overlap".
	(binding_cluster::maybe_get_compound_binding): Pass "false" to
	binding_map::remove_overlapping_bindings new "always_overlap" param.
	(binding_cluster::remove_overlapping_bindings): Determine
	"always_overlap" and pass it to
	binding_map::remove_overlapping_bindings.
	(store::set_value): Pass uncertainty to remove_overlapping_bindings
	call. Update for new param of
	binding_cluster::mark_region_as_unknown, passing both the base
	region of the iter_cluster, and the lhs_reg.
	(store::mark_region_as_unknown): Update for new param of
	binding_cluster::mark_region_as_unknown, passing "reg" for both.
	(store::remove_overlapping_bindings): Add param "uncertainty", and
	pass it on to call to
	binding_cluster::remove_overlapping_bindings.
	* store.h (binding_map::remove_overlapping_bindings): Add
	"always_overlap" param.
	(binding_cluster::mark_region_as_unknown): Split param "reg" into
	"reg_to_bind" and "reg_for_overlap".
	(store::remove_overlapping_bindings): Add param "uncertainty".

2022-03-29  David Malcolm  <dmalcolm@redhat.com>

	PR testsuite/105085
	* region-model-manager.cc (dump_untracked_region): Skip decls in
	the constant pool.

2022-03-29  David Malcolm  <dmalcolm@redhat.com>

	PR analyzer/105087
	* analyzer.h (class conjured_purge): New forward decl.
	* region-model-asm.cc (region_model::on_asm_stmt): Add
	conjured_purge param to calls to binding_cluster::on_asm and
	region_model_manager::get_or_create_conjured_svalue.
	* region-model-impl-calls.cc
	(call_details::get_or_create_conjured_svalue): Likewise for call
	to region_model_manager::get_or_create_conjured_svalue.
	(region_model::impl_call_fgets): Remove call to
	region_model::purge_state_involving, as this is now done
	implicitly by call_details::get_or_create_conjured_svalue.
	(region_model::impl_call_fread): Likewise.
	(region_model::impl_call_strchr): Pass conjured_purge param to
	call to region_model_manager::get_or_create_conjured_svalue.
	* region-model-manager.cc (conjured_purge::purge): New.
	(region_model_manager::get_or_create_conjured_svalue): Add
	param "p". Use it to purge state when reusing an existing
	conjured_svalue.
	* region-model.cc (region_model::on_call_pre): Replace call to
	region_model::purge_state_involving with passing conjured_purge
	to region_model_manager::get_or_create_conjured_svalue.
	(region_model::handle_unrecognized_call): Pass conjured_purge to
	store::on_unknown_fncall.
	* region-model.h
	(region_model_manager::get_or_create_conjured_svalue): Add param
	"p".
	* store.cc (binding_cluster::on_unknown_fncall): Likewise. Pass
	it on to region_model_manager::get_or_create_conjured_svalue.
	(binding_cluster::on_asm): Likewise.
	(store::on_unknown_fncall): Add param "p" and pass it on to
	binding_cluster::on_unknown_fncall.
	* store.h (binding_cluster::on_unknown_fncall): Add param "p".
	(binding_cluster::on_asm): Likewise.
	(store::on_unknown_fncall): Likewise.
	* svalue.h (class conjured_purge): New.

2022-03-29  David Malcolm  <dmalcolm@redhat.com>

	PR analyzer/105074
	* region.cc (ipa_ref_requires_tracking): Drop "context_fndecl",
	instead using the ref->referring to get the cgraph node of the
	caller.
	(symnode_requires_tracking_p): Likewise.

2022-03-26  David Malcolm  <dmalcolm@redhat.com>

	PR analyzer/105057
	* store.cc (binding_cluster::make_unknown_relative_to): Reject
	attempts to create a cluster for untracked base regions.
	(store::set_value): Likewise.
	(store::fill_region): Likewise.
	(store::mark_region_as_unknown): Likewise.

2022-03-25  David Malcolm  <dmalcolm@redhat.com>

	PR analyzer/104954
	* analyzer.opt (-fdump-analyzer-untracked): New option.
	* engine.cc (impl_run_checkers): Handle it.
	* region-model-asm.cc (region_model::on_asm_stmt): Don't attempt
	to clobber regions with !tracked_p ().
	* region-model-manager.cc (dump_untracked_region): New.
	(region_model_manager::dump_untracked_regions): New.
	(frame_region::dump_untracked_regions): New.
	* region-model.h (region_model_manager::dump_untracked_regions):
	New decl.
	* region.cc (ipa_ref_requires_tracking): New.
	(symnode_requires_tracking_p): New.
	(decl_region::calc_tracked_p): New.
	* region.h (region::tracked_p): New vfunc.
	(frame_region::dump_untracked_regions): New decl.
	(class decl_region): Note that this is also used for SSA names.
	(decl_region::decl_region): Initialize m_tracked.
	(decl_region::tracked_p): New.
	(decl_region::calc_tracked_p): New decl.
	(decl_region::m_tracked): New.
	* store.cc (store::get_or_create_cluster): Assert that we
	don't try to create clusters for base regions that aren't
	trackable.
	(store::mark_as_escaped): Don't mark base regions that we're not
	tracking.

2022-03-23  David Malcolm  <dmalcolm@redhat.com>

	PR analyzer/104979
	* engine.cc (impl_run_checkers): Create the engine after the
	supergraph, and pass the supergraph to the engine.
	* region-model.cc (region_model::get_lvalue_1): Pass ctxt to
	frame_region::get_region_for_local.
	(region_model::update_for_return_gcall): Pass the lvalue for the
	result to pop_frame as a tree, rather than as a region.
	(region_model::pop_frame): Update for above change, determining
	the destination region after the frame is popped and thus with
	respect to the caller frame rather than the called frame.
	Likewise, set the value of the region to the return value after
	the frame is popped.
	(engine::engine): Add supergraph pointer.
	(selftest::test_stack_frames): Set the DECL_CONTEXT of PARM_DECLs.
	(selftest::test_get_representative_path_var): Likewise.
	(selftest::test_state_merging): Likewise.
	* region-model.h (region_model::pop_frame): Convert first param
	from a const region * to a tree.
	(engine::engine): Add param "sg".
	(engine::m_sg): New field.
	* region.cc: Include "analyzer/sm.h" and
	"analyzer/program-state.h".
	(frame_region::get_region_for_local): Add "ctxt" param.
	Add assertions that VAR_DECLs are locals, and that expr is for the
	correct function.
	* region.h (frame_region::get_region_for_local): Add "ctxt" param.

2022-03-23  David Malcolm  <dmalcolm@redhat.com>

	PR analyzer/105017
	* sm-taint.cc (taint_diagnostic::subclass_equal_p): Check
	m_has_bounds as well as m_arg.
	(tainted_allocation_size::subclass_equal_p): Chain up to base
	class implementation. Also check m_mem_space.
	(tainted_allocation_size::emit): Add note showing stack-based vs
	heap-based allocations.

2022-03-23  David Malcolm  <dmalcolm@redhat.com>

	PR analyzer/104997
	* diagnostic-manager.cc (diagnostic_manager::add_diagnostic):
	Convert return type from "void" to "bool", reporting success vs
	failure to caller, for both overloads.
	* diagnostic-manager.h (diagnostic_manager::add_diagnostic):
	Likewise.
	* engine.cc (impl_region_model_context::warn): Propagate return
	value from diagnostic_manager::add_diagnostic.

2022-03-18  David Malcolm  <dmalcolm@redhat.com>

	PR analyzer/104943
	PR analyzer/104954
	PR analyzer/103533
	* analyzer.h (class state_purge_per_decl): New forward decl.
	* engine.cc (impl_run_checkers): Pass region_model_manager to
	state_purge_map ctor.
	* program-point.cc (function_point::final_stmt_p): New.
	(function_point::get_next): New.
	* program-point.h (function_point::final_stmt_p): New decl.
	(function_point::get_next): New decl.
	* program-state.cc (program_state::prune_for_point): Generalize to
	purge local decls as well as SSA names.
	(program_state::can_purge_base_region_p): New.
	* program-state.h (program_state::can_purge_base_region_p): New
	decl.
	* region-model.cc (struct append_ssa_names_cb_data): Rename to...
	(struct append_regions_cb_data): ...this.
	(region_model::get_ssa_name_regions_for_current_frame): Rename
	to...
	(region_model::get_regions_for_current_frame): ...this, updating
	for other renamings.
	(region_model::append_ssa_names_cb): Rename to...
	(region_model::append_regions_cb): ...this, and drop the requirement
	that the subregion be an SSA name.
	* region-model.h (struct append_ssa_names_cb_data): Rename decl
	to...
	(struct append_regions_cb_data): ...this.
	(region_model::get_ssa_name_regions_for_current_frame): Rename
	decl to...
	(region_model::get_regions_for_current_frame): ...this.
	(region_model::append_ssa_names_cb): Rename decl to...
	(region_model::append_regions_cb): ...this.
	* state-purge.cc: Include "tristate.h", "selftest.h",
	"analyzer/store.h", "analyzer/region-model.h", and
	"gimple-walk.h".
	(get_candidate_for_purging): New.
	(class gimple_op_visitor): New.
	(my_load_cb): New.
	(my_store_cb): New.
	(my_addr_cb): New.
	(state_purge_map::state_purge_map): Add "mgr" param. Update for
	renamings. Find uses of local variables.
	(state_purge_map::~state_purge_map): Update for renaming of m_map
	to m_ssa_map. Clean up m_decl_map.
	(state_purge_map::get_or_create_data_for_decl): New.
	(state_purge_per_ssa_name::state_purge_per_ssa_name): Update for
	inheriting from state_purge_per_tree.
	(state_purge_per_ssa_name::add_to_worklist): Likewise.
	(state_purge_per_decl::state_purge_per_decl): New.
	(state_purge_per_decl::add_needed_at): New.
	(state_purge_per_decl::add_pointed_to_at): New.
	(state_purge_per_decl::process_worklists): New.
	(state_purge_per_decl::add_to_worklist): New.
	(same_binding_p): New.
	(fully_overwrites_p): New.
	(state_purge_per_decl::process_point_backwards): New.
	(state_purge_per_decl::process_point_forwards): New.
	(state_purge_per_decl::needed_at_point_p): New.
	(state_purge_annotator::print_needed): Generalize to print local
	decls as well as SSA names.
	* state-purge.h (class state_purge_map): Update leading comment.
	(state_purge_map::map_t): Rename to...
	(state_purge_map::ssa_map_t): ...this.
	(state_purge_map::iterator): Rename to...
	(state_purge_map::ssa_iterator): ...this.
	(state_purge_map::decl_map_t): New typedef.
	(state_purge_map::decl_iterator): New typedef.
	(state_purge_map::state_purge_map): Add "mgr" param.
	(state_purge_map::get_data_for_ssa_name): Update for renaming.
	(state_purge_map::get_any_data_for_decl): New.
	(state_purge_map::get_or_create_data_for_decl): New decl.
	(state_purge_map::begin): Rename to...
	(state_purge_map::begin_ssas): ...this.
	(state_purge_map::end): Rename to...
	(state_purge_map::end_ssa): ...this.
	(state_purge_map::begin_decls): New.
	(state_purge_map::end_decls): New.
	(state_purge_map::m_map): Rename to...
	(state_purge_map::m_ssa_map): ...this.
	(state_purge_map::m_decl_map): New field.
	(class state_purge_per_tree): New class.
	(class state_purge_per_ssa_name): Inherit from state_purge_per_tree.
	(state_purge_per_ssa_name::get_function): Move to base class.
	(state_purge_per_ssa_name::point_set_t): Likewise.
	(state_purge_per_ssa_name::m_fun): Likewise.
	(class state_purge_per_decl): New.

2022-03-17  David Malcolm  <dmalcolm@redhat.com>

	* state-purge.cc (state_purge_annotator::add_node_annotations):
	Avoid duplicate before-supernode annotations when returning from
	an interprocedural call. Show after-supernode annotations.

2022-03-17  David Malcolm  <dmalcolm@redhat.com>

	* program-point.cc (program_point::get_next): Fix missing
	increment of index.

2022-03-16  David Malcolm  <dmalcolm@redhat.com>

	PR analyzer/104955
	* diagnostic-manager.cc (get_emission_location): New.
	(diagnostic_manager::diagnostic_manager): Initialize
	m_num_disabled_diagnostics.
	(diagnostic_manager::add_diagnostic): Reject diagnostics that
	will eventually be rejected due to being disabled.
	(diagnostic_manager::emit_saved_diagnostics): Log the number
	of disabled diagnostics.
	(diagnostic_manager::emit_saved_diagnostic): Split out logic for
	determining emission location to get_emission_location.
	* diagnostic-manager.h
	(diagnostic_manager::m_num_disabled_diagnostics): New field.
	* engine.cc (stale_jmp_buf::get_controlling_option): New.
	(stale_jmp_buf::emit): Use it.
	* pending-diagnostic.h
	(pending_diagnostic::get_controlling_option): New vfunc.
	* region-model.cc
	(poisoned_value_diagnostic::get_controlling_option): New.
	(poisoned_value_diagnostic::emit): Use it.
	(shift_count_negative_diagnostic::get_controlling_option): New.
	(shift_count_negative_diagnostic::emit): Use it.
	(shift_count_overflow_diagnostic::get_controlling_option): New.
	(shift_count_overflow_diagnostic::emit): Use it.
	(dump_path_diagnostic::get_controlling_option): New.
	(dump_path_diagnostic::emit): Use it.
	(write_to_const_diagnostic::get_controlling_option): New.
	(write_to_const_diagnostic::emit): Use it.
	(write_to_string_literal_diagnostic::get_controlling_option): New.
	(write_to_string_literal_diagnostic::emit): Use it.
	* sm-file.cc (double_fclose::get_controlling_option): New.
	(double_fclose::emit): Use it.
	(file_leak::get_controlling_option): New.
	(file_leak::emit): Use it.
	* sm-malloc.cc (mismatching_deallocation::get_controlling_option):
	New.
	(mismatching_deallocation::emit): Use it.
	(double_free::get_controlling_option): New.
	(double_free::emit): Use it.
	(possible_null_deref::get_controlling_option): New.
	(possible_null_deref::emit): Use it.
	(possible_null_arg::get_controlling_option): New.
	(possible_null_arg::emit): Use it.
	(null_deref::get_controlling_option): New.
	(null_deref::emit): Use it.
	(null_arg::get_controlling_option): New.
	(null_arg::emit): Use it.
	(use_after_free::get_controlling_option): New.
	(use_after_free::emit): Use it.
	(malloc_leak::get_controlling_option): New.
	(malloc_leak::emit): Use it.
	(free_of_non_heap::get_controlling_option): New.
	(free_of_non_heap::emit): Use it.
	* sm-pattern-test.cc (pattern_match::get_controlling_option): New.
	(pattern_match::emit): Use it.
	* sm-sensitive.cc
	(exposure_through_output_file::get_controlling_option): New.
	(exposure_through_output_file::emit): Use it.
	* sm-signal.cc (signal_unsafe_call::get_controlling_option): New.
	(signal_unsafe_call::emit): Use it.
	* sm-taint.cc (tainted_array_index::get_controlling_option): New.
	(tainted_array_index::emit): Use it.
	(tainted_offset::get_controlling_option): New.
	(tainted_offset::emit): Use it.
	(tainted_size::get_controlling_option): New.
	(tainted_size::emit): Use it.
	(tainted_divisor::get_controlling_option): New.
	(tainted_divisor::emit): Use it.
	(tainted_allocation_size::get_controlling_option): New.
	(tainted_allocation_size::emit): Use it.

2022-03-15  David Malcolm  <dmalcolm@redhat.com>

	* store.cc (store::store): Presize m_cluster_map.

2022-03-10  David Malcolm  <dmalcolm@redhat.com>

	PR analyzer/104863
	* constraint-manager.cc (constraint_manager::add_constraint):
	Refresh the EC IDs when adding constraints implied by offsets.

2022-03-10  David Malcolm  <dmalcolm@redhat.com>

	PR analyzer/104793
	* analyzer.h (class pending_note): New forward decl.
	* diagnostic-manager.cc (saved_diagnostic::saved_diagnostic):
	Initialize m_notes.
	(saved_diagnostic::operator==): Compare m_notes.
	(saved_diagnostic::add_note): New.
	(saved_diagnostic::emit_any_notes): New.
	(diagnostic_manager::add_note): New.
	(diagnostic_manager::emit_saved_diagnostic): Call emit_any_notes
	after emitting the warning.
	* diagnostic-manager.h (saved_diagnostic::add_note): New decl.
	(saved_diagnostic::emit_any_notes): New decl.
	(saved_diagnostic::m_notes): New field.
	(diagnostic_manager::add_note): New decl.
	* engine.cc (impl_region_model_context::add_note): New.
	* exploded-graph.h (impl_region_model_context::add_note): New
	decl.
	* pending-diagnostic.h (class pending_note): New.
	(class pending_note_subclass): New template.
	* region-model.cc (class reason_attr_access): New.
	(check_external_function_for_access_attr): Add class
	annotating_ctxt and use it when checking region.
	(noop_region_model_context::add_note): New.
	* region-model.h (region_model_context::add_note): New vfunc.
	(noop_region_model_context::add_note): New decl.
	(class region_model_context_decorator): New.
	(class note_adding_context): New.

2022-03-10  David Malcolm  <dmalcolm@redhat.com>

	PR analyzer/104793
	* region-model.cc
	(region_model::check_external_function_for_access_attr): New.
	(region_model::handle_unrecognized_call): Call it.
	* region-model.h
	(region_model::check_external_function_for_access_attr): New decl.
	(region_model::handle_unrecognized_call): New decl.

2022-03-10  David Malcolm  <dmalcolm@redhat.com>

	* sm-taint.cc (taint_state_machine::check_for_tainted_size_arg):
	Avoid generating duplicate saved_diagnostics by only handling the
	rdwr_map entry for the ptrarg, not the duplicate entry for the
	sizarg.

2022-03-07  David Malcolm  <dmalcolm@redhat.com>

	PR analyzer/101983
	* engine.cc (returning_from_function_p): New.
	(impl_region_model_context::on_state_leak): Use it when rejecting
	leaks at the return from "main".

2022-03-07  Jakub Jelinek  <jakub@redhat.com>

	* store.cc: Fix up duplicated word issue in a comment.
	* analyzer.cc: Likewise.
	* engine.cc: Likewise.
	* sm-taint.cc: Likewise.

2022-03-04  David Malcolm  <dmalcolm@redhat.com>

	PR analyzer/103521
	* analyzer.opt (-param=analyzer-max-svalue-depth=): Reduce from 13
	to 12.

2022-02-23  David Malcolm  <dmalcolm@redhat.com>

	PR analyzer/104434
	* analyzer.h (class const_fn_result_svalue): New decl.
	* region-model-impl-calls.cc (call_details::get_manager): New.
	* region-model-manager.cc
	(region_model_manager::get_or_create_const_fn_result_svalue): New.
	(region_model_manager::log_stats): Log
	m_const_fn_result_values_map.
	* region-model.cc (const_fn_p): New.
	(maybe_get_const_fn_result): New.
	(region_model::on_call_pre): Handle fndecls with
	__attribute__((const)) by calling the above rather than making
	a conjured_svalue.
	* region-model.h (visitor::visit_const_fn_result_svalue): New.
	(region_model_manager::get_or_create_const_fn_result_svalue): New
	decl.
	(region_model_manager::const_fn_result_values_map_t): New typedef.
	(region_model_manager::m_const_fn_result_values_map): New field.
	(call_details::get_manager): New decl.
	* svalue.cc (svalue::cmp_ptr): Handle SK_CONST_FN_RESULT.
	(const_fn_result_svalue::dump_to_pp): New.
	(const_fn_result_svalue::dump_input): New.
	(const_fn_result_svalue::accept): New.
	* svalue.h (enum svalue_kind): Add SK_CONST_FN_RESULT.
	(svalue::dyn_cast_const_fn_result_svalue): New.
	(class const_fn_result_svalue): New.
	(is_a_helper <const const_fn_result_svalue *>::test): New.
	(template <> struct default_hash_traits<const_fn_result_svalue::key_t>):
	New.

2022-02-17  David Malcolm  <dmalcolm@redhat.com>

	PR analyzer/104576
	* region-model.cc: Include "calls.h".
	(region_model::on_call_pre): Use flags_from_decl_or_type to
	generalize check for DECL_PURE_P to also check for ECF_CONST.

2022-02-16  David Malcolm  <dmalcolm@redhat.com>

	PR analyzer/104560
	* diagnostic-manager.cc (diagnostic_manager::build_emission_path):
	Add region creation events for globals of interest.
	(null_assignment_sm_context::get_old_program_state): New.
	(diagnostic_manager::add_events_for_eedge): Move check for
	changing dynamic extents from PK_BEFORE_STMT case to after the
	switch on the dst_point's kind so that we can emit them for the
	final stmt in a basic block.
	* engine.cc (impl_sm_context::get_old_program_state): New.
	* sm-malloc.cc (malloc_state_machine::get_default_state): Rewrite
	detection of m_non_heap to use get_memory_space.
	(free_of_non_heap::free_of_non_heap): Add freed_reg param.
	(free_of_non_heap::subclass_equal_p): Update for changes to
	fields.
	(free_of_non_heap::emit): Drop m_kind in favor of
	get_memory_space.
	(free_of_non_heap::describe_state_change): Remove logic for
	detecting alloca.
	(free_of_non_heap::mark_interesting_stuff): Add region-creation of
	m_freed_reg.
	(free_of_non_heap::get_memory_space): New.
	(free_of_non_heap::kind): Drop enum.
	(free_of_non_heap::m_freed_reg): New field.
	(free_of_non_heap::m_kind): Drop field.
	(malloc_state_machine::on_stmt): Drop transition to m_non_heap.
	(malloc_state_machine::handle_free_of_non_heap): New function,
	split out from on_deallocator_call and on_realloc_call, adding
	detection of the freed region.
	(malloc_state_machine::on_deallocator_call): Use it.
	(malloc_state_machine::on_realloc_call): Likewise.
	* sm.h (sm_context::get_old_program_state): New vfunc.

2022-02-15  David Malcolm  <dmalcolm@redhat.com>

	PR analyzer/104524
	* region-model-manager.cc
	(region_model_manager::maybe_fold_sub_svalue): Only call
	get_or_create_cast if type is non-NULL.

2022-02-15  David Malcolm  <dmalcolm@redhat.com>

	PR analyzer/102692
	* exploded-graph.h (impl_region_model_context::get_stmt): New.
	* region-model.cc: Include "gimple-ssa.h", "tree-phinodes.h",
	"tree-ssa-operands.h", and "ssa-iterators.h".
	(within_short_circuited_stmt_p): New.
	(region_model::check_for_poison): Don't warn about uninit values
	if within_short_circuited_stmt_p.
	* region-model.h (region_model_context::get_stmt): New vfunc.
	(noop_region_model_context::get_stmt): New.

2022-02-11  David Malcolm  <dmalcolm@redhat.com>

	PR analyzer/104274
	* region-model.cc (region_model::check_for_poison): Ignore
	uninitialized uses of empty types.

2022-02-10  David Malcolm  <dmalcolm@redhat.com>

	PR analyzer/98797
	* region-model-manager.cc
	(region_model_manager::maybe_fold_sub_svalue): Generalize getting
	individual chars of a STRING_CST from element_region to any
	subregion which is a concrete access of a single byte from its
	parent region.
	* region.cc (region::get_relative_concrete_byte_range): New.
	* region.h (region::get_relative_concrete_byte_range): New decl.

2022-02-09  David Malcolm  <dmalcolm@redhat.com>

	PR analyzer/104452
	* region-model.cc (selftest::test_bit_range_regions): New.
	(selftest::analyzer_region_model_cc_tests): Call it.
	* region.h (bit_range_region::key_t::hash): Fix hashing of m_bits
	to avoid using uninitialized data.

2022-02-07  David Malcolm  <dmalcolm@redhat.com>

	PR analyzer/104417
	* sm-taint.cc (tainted_allocation_size::tainted_allocation_size):
	Remove overzealous assertion.
	(tainted_allocation_size::emit): Likewise.
	(region_model::check_dynamic_size_for_taint): Likewise.

2022-02-07  David Malcolm  <dmalcolm@redhat.com>

	PR analyzer/103872
	* region-model-impl-calls.cc (region_model::impl_call_memcpy):
	Reimplement in terms of a get_store_value followed by a set_value.

2022-02-03  David Malcolm  <dmalcolm@redhat.com>

	PR analyzer/104369
	* engine.cc (exploded_graph::process_node): Use the node for any
	diagnostics, avoiding ICE if a bifurcation update adds a
	saved_diagnostic, such as for a tainted realloc size.
	* region-model-impl-calls.cc
	(region_model::impl_call_realloc::success_no_move::update_model):
	Require the old pointer to be non-NULL to be able to successfully
	grow in place. Use model->deref_rvalue rather than maybe_get_region
	to support the old pointer being symbolic.
	(region_model::impl_call_realloc::success_with_move::update_model):
	Likewise. Add a constraint that the new pointer != the old pointer.
	Use a sized_region when setting the value of the new region.
	Handle the case where we don't know the dynamic size of the old
	region by marking the new region as unknown.
	* sm-taint.cc (tainted_allocation_size::tainted_allocation_size):
	Update assertion to also allow for MEMSPACE_UNKNOWN.
	(tainted_allocation_size::emit): Likewise.
	(region_model::check_dynamic_size_for_taint): Likewise.

2022-02-03  David Malcolm  <dmalcolm@redhat.com>

	* region-model-impl-calls.cc (region_model::impl_call_calloc): Use
	a sized_region when calling zero_fill_region.

2022-02-02  David Malcolm  <dmalcolm@redhat.com>

	* region-model.cc (region_model::on_return): Replace usage of
	copy_region with get_rvalue/set_value pair.
	(region_model::pop_frame): Likewise.
	(selftest::test_compound_assignment): Likewise.
	* region-model.h (region_model::copy_region): Delete decl.
	* region.cc (region_model::copy_region): Delete.

2022-02-02  David Malcolm  <dmalcolm@redhat.com>

	* region.cc (region::calc_offset): Consolidate effectively
	identical cases.

2022-02-02  David Malcolm  <dmalcolm@redhat.com>

	* analyzer.h (class bit_range_region): New forward decl.
	* region-model-manager.cc (region_model_manager::get_bit_range):
	New.
	(region_model_manager::log_stats): Handle m_bit_range_regions.
	* region-model.cc (region_model::get_lvalue_1): Handle
	BIT_FIELD_REF.
	* region-model.h (region_model_manager::get_bit_range): New decl.
	(region_model_manager::m_bit_range_regions): New field.
	* region.cc (region::get_base_region): Handle RK_BIT_RANGE.
	(region::base_region_p): Likewise.
	(region::calc_offset): Likewise.
	(bit_range_region::dump_to_pp): New.
	(bit_range_region::get_byte_size): New.
	(bit_range_region::get_bit_size): New.
	(bit_range_region::get_byte_size_sval): New.
	(bit_range_region::get_relative_concrete_offset): New.
	* region.h (enum region_kind): Add RK_BIT_RANGE.
	(region::dyn_cast_bit_range_region): New vfunc.
	(class bit_range_region): New.
	(is_a_helper <const bit_range_region *>::test): New.
	(default_hash_traits<bit_range_region::key_t>): New.

2022-02-02  David Malcolm  <dmalcolm@redhat.com>

	PR analyzer/104270
	* region-model.cc (region_model::on_call_pre): Handle
	IFN_DEFERRED_INIT.

2022-01-27  David Malcolm  <dmalcolm@redhat.com>

	* checker-path.cc (event_kind_to_string): Handle
	EK_REGION_CREATION.
	(region_creation_event::region_creation_event): New.
	(region_creation_event::get_desc): New.
	(checker_path::add_region_creation_event): New.
	* checker-path.h (enum event_kind): Add EK_REGION_CREATION.
	(class region_creation_event): New subclass.
	(checker_path::add_region_creation_event): New decl.
	* diagnostic-manager.cc
	(diagnostic_manager::emit_saved_diagnostic): Pass NULL for new
	param to add_events_for_eedge when handling trailing eedge.
	(diagnostic_manager::build_emission_path): Create an interesting_t
	instance, allow the pending diagnostic to populate it, and pass it
	to the calls to add_events_for_eedge.
	(diagnostic_manager::add_events_for_eedge): Add "interest" param.
	Use it to add region_creation_events for on-stack regions created
	at function entry, and when pertinent dynamically-sized
	regions are created.
	(diagnostic_manager::prune_for_sm_diagnostic): Add case for
	EK_REGION_CREATION.
	* diagnostic-manager.h (diagnostic_manager::add_events_for_eedge):
	Add "interest" param.
	* pending-diagnostic.cc: Include "selftest.h", "tristate.h",
	"analyzer/call-string.h", "analyzer/program-point.h",
	"analyzer/store.h", and "analyzer/region-model.h".
	(interesting_t::add_region_creation): New.
	(interesting_t::dump_to_pp): New.
	* pending-diagnostic.h (struct interesting_t): New.
	(pending_diagnostic::mark_interesting_stuff): New vfunc.
	* region-model.cc
	(poisoned_value_diagnostic::poisoned_value_diagnostic): Add
	(poisoned_value_diagnostic::operator==): Compare m_pkind and
	m_src_region fields.
	(poisoned_value_diagnostic::mark_interesting_stuff): New.
	(poisoned_value_diagnostic::m_src_region): New.
	(region_model::check_for_poison): Call
	get_region_for_poisoned_expr for uninit values and pass the result
	to the diagnostic.
	(region_model::get_region_for_poisoned_expr): New.
	(region_model::deref_rvalue): Pass NULL for
	poisoned_value_diagnostic's src_region.
	* region-model.h (region_model::get_region_for_poisoned_expr): New
	decl.
	* region.h (frame_region::get_fndecl): New.

2022-01-27  Martin Liska  <mliska@suse.cz>

	PR analyzer/104247
	* constraint-manager.cc (bounded_ranges_manager::log_stats):
	Cast to long for format purpose.
	* region-model-manager.cc (log_uniq_map): Likewise.

2022-01-26  David Malcolm  <dmalcolm@redhat.com>

	PR analyzer/104224
	* region-model.cc (region_model::check_call_args): New.
	(region_model::on_call_pre): Call it when ignoring stdio builtins.
	* region-model.h (region_model::check_call_args): New decl.

2022-01-26  David Malcolm  <dmalcolm@redhat.com>

	PR analyzer/94362
	* constraint-manager.cc (range::add_bound): Fix tests for
	discarding redundant constraints. Perform test for rejecting
	unsatisfiable constraints earlier so that they don't update
	the object on failure.
	(selftest::test_range): New.
	(selftest::test_constant_comparisons): Add test coverage for
	existing constraints becoming narrower until they are
	unsatisfiable.
	(selftest::run_constraint_manager_tests): Call test_range.

2022-01-22  David Malcolm  <dmalcolm@redhat.com>

	PR analyzer/104159
	* region-model-manager.cc
	(region_model_manager::get_or_create_cast): Bail out if the types
	are the same. Don't attempt to handle casts involving vector
	types.

2022-01-20  David Malcolm  <dmalcolm@redhat.com>

	PR analyzer/94362
	* constraint-manager.cc (bound::ensure_closed): Convert param to
	enum bound_kind.
	(range::constrained_to_single_element): Likewise.
	(range::add_bound): New.
	(constraint_manager::add_constraint): Handle SVAL + OFFSET
	compared to a constant.
	(constraint_manager::get_ec_bounds): Rewrite in terms of
	range::add_bound.
	(constraint_manager::eval_condition): Reject if range::add_bound
	fails.
	(selftest::test_constant_comparisons): Add test coverage for
	various impossible combinations of integer comparisons.
	* constraint-manager.h (enum bound_kind): New.
	(struct bound): Likewise.
	(bound::ensure_closed): Convert param to enum bound_kind.
	(struct range): Convert to...
	(class range): ...this, making fields private.
	(range::add_bound): New decls.
	* region-model.cc (region_model::add_constraint): Fail if
	constraint_manager::add_constraint fails.

2022-01-18  David Malcolm  <dmalcolm@redhat.com>

	PR analyzer/104089
	* region-model-manager.cc
	(region_model_manager::get_or_create_constant_svalue): Assert that
	we have a CONSTANT_CLASS_P.
	(region_model_manager::maybe_fold_unaryop): Only fold a constant
	when fold_unary's result is a constant or a cast of a constant.

2022-01-18  David Malcolm  <dmalcolm@redhat.com>

	PR analyzer/104062
	* region-model-manager.cc
	(region_model_manager::maybe_fold_sub_svalue): Avoid casting to
	NULL type when folding access to repeated svalue.

2022-01-17  Martin Liska  <mliska@suse.cz>

	* analyzer.cc (is_special_named_call_p): Rename .c names to .cc.
	(is_named_call_p): Likewise.
	* region-model-asm.cc (deterministic_p): Likewise.
	* region.cc (field_region::get_relative_concrete_offset): Likewise.
	* sm-malloc.cc (method_p): Likewise.
	* supergraph.cc (superedge::dump_dot): Likewise.

2022-01-14  David Malcolm  <dmalcolm@redhat.com>

	* sm-taint.cc (taint_state_machine::combine_states): Handle combination
	of has_ub and has_lb.

2022-01-14  David Malcolm  <dmalcolm@redhat.com>

	PR analyzer/104029
	* sm-taint.cc (taint_state_machine::alt_get_inherited_state):
	Remove gcc_unreachable from default case for unary ops.

2022-01-14  David Malcolm  <dmalcolm@redhat.com>

	* engine.cc: Include "stringpool.h", "attribs.h", and
	"tree-dfa.h".
	(mark_params_as_tainted): New.
	(class tainted_args_function_custom_event): New.
	(class tainted_args_function_info): New.
	(exploded_graph::add_function_entry): Handle functions with
	"tainted_args" attribute.
	(class tainted_args_field_custom_event): New.
	(class tainted_args_callback_custom_event): New.
	(class tainted_args_call_info): New.
	(add_tainted_args_callback): New.
	(add_any_callbacks): New.
	(exploded_graph::build_initial_worklist): Likewise.
	(exploded_graph::build_initial_worklist): Find callbacks that are
	reachable from global initializers, calling add_any_callbacks on
	them.

2022-01-12  David Malcolm  <dmalcolm@redhat.com>

	PR analyzer/103940
	* engine.cc (impl_sm_context::impl_sm_context): Add
	"unknown_side_effects" param and use it to initialize
	new m_unknown_side_effects field.
	(impl_sm_context::unknown_side_effects_p): New.
	(impl_sm_context::m_unknown_side_effects): New.
	(exploded_node::on_stmt): Pass unknown_side_effects to sm_ctxt
	ctor.
	* sm-taint.cc: Include "stringpool.h" and "attribs.h".
	(tainted_size::tainted_size): Drop "dir" param.
	(tainted_size::get_kind): Drop "FINAL".
	(tainted_size::emit): Likewise.
	(tainted_size::m_dir): Drop unused field.
	(class tainted_access_attrib_size): New subclass.
	(taint_state_machine::on_stmt): Call check_for_tainted_size_arg on
	external functions with unknown side effects.
	(taint_state_machine::check_for_tainted_size_arg): New.
	(region_model::check_region_for_taint): Drop "dir" param from
	tainted_size ctor.
	* sm.h (sm_context::unknown_side_effects_p): New.

2022-01-11  David Malcolm  <dmalcolm@redhat.com>

	PR analyzer/102692
	* diagnostic-manager.cc
	(class auto_disable_complexity_checks): Rename to...
	(class auto_checking_feasibility): ...this, updating
	the calls accordingly.
	(epath_finder::explore_feasible_paths): Update for renaming.
	* region-model-manager.cc
	(region_model_manager::region_model_manager): Update for change from
	m_check_complexity to m_checking_feasibility.
	(region_model_manager::reject_if_too_complex): Likewise.
	(region_model_manager::get_or_create_unknown_svalue): Handle
	m_checking_feasibility.
	(region_model_manager::create_unique_svalue): New.
	(region_model_manager::maybe_fold_binop): Handle BIT_AND_EXPR and
	BIT_IOR_EXPRs on booleans where we know the result.
	* region-model.cc (test_binop_svalue_folding): Add test coverage
	for the above.
	* region-model.h (region_model_manager::create_unique_svalue): New
	decl.
	(region_model_manager::enable_complexity_check): Replace with...
	(region_model_manager::begin_checking_feasibility): ...this.
	(region_model_manager::disable_complexity_check): Replace with...
	(region_model_manager::end_checking_feasibility): ...this.
	(region_model_manager::m_check_complexity): Replace with...
	(region_model_manager::m_checking_feasibility): ...this.
	(region_model_manager::m_managed_dynamic_svalues): New field.

2022-01-08  David Malcolm  <dmalcolm@redhat.com>

	* engine.cc (impl_run_checkers): Pass logger to engine ctor.
	* region-model-manager.cc
	(region_model_manager::region_model_manager): Add logger param and
	use it to initialize m_logger.
	* region-model.cc (engine::engine): New.
	* region-model.h (region_model_manager::region_model_manager):
	Add logger param.
	(region_model_manager::get_logger): New.
	(region_model_manager::m_logger): New field.
	(engine::engine): New.
	* store.cc (store_manager::get_logger): New.
	(store::set_value): Log scope. Log when marking a cluster as
	unknown due to possible aliasing.
	* store.h (store_manager::get_logger): New decl.

2022-01-08  David Malcolm  <dmalcolm@redhat.com>

	* region-model-impl-calls.cc (cmp_decls): New.
	(cmp_decls_ptr_ptr): New.
	(region_model::impl_call_analyzer_dump_escaped): New.
	* region-model.cc (region_model::on_stmt_pre): Handle
	__analyzer_dump_escaped.
	* region-model.h (region_model::impl_call_analyzer_dump_escaped):
	New decl.
	* store.h (binding_cluster::get_base_region): New accessor.

2022-01-08  David Malcolm  <dmalcolm@redhat.com>

	* region.cc (region::is_named_decl_p): New.
	* region.h (region::is_named_decl_p): New decl.

2022-01-06  David Malcolm  <dmalcolm@redhat.com>

	PR analyzer/103546
	* store.cc (store::eval_alias_1): Refactor handling of decl
	regions, adding a test for may_be_aliased, rejecting those for
	which it returns false.

2021-12-12  Jonathan Wakely  <jwakely@redhat.com>

	* engine.cc: Define INCLUDE_MEMORY instead of INCLUDE_UNIQUE_PTR.

2021-12-06  David Malcolm  <dmalcolm@redhat.com>

	PR analyzer/103533
	* constraint-manager.cc (equiv_class::contains_non_constant_p):
	New.
	(constraint_manager::canonicalize): Call it when determining
	redundant ECs.
	(selftest::test_purging): New selftest.
	(selftest::run_constraint_manager_tests): Likewise.
	* constraint-manager.h (equiv_class::contains_non_constant_p):
	New decl.

2021-12-01  David Malcolm  <dmalcolm@redhat.com>

	PR analyzer/102471
	* region-model-reachability.cc (reachable_regions::handle_parm):
	Treat all svalues within a compound parm as reachable, and those
	wrapped in a cast.

2021-11-29  David Malcolm  <dmalcolm@redhat.com>

	PR analyzer/103217
	* store.cc (binding_cluster::can_merge_p): For the "key is bound"
	vs "key is not bound" merger case, check that the bound svalue
	is mergeable before merging it to "unknown", rejecting the merger
	otherwise.

2021-11-19  David Malcolm  <dmalcolm@redhat.com>

	PR analyzer/103217
	* engine.cc (exploded_graph::get_or_create_node): Pass in
	m_ext_state to program_state::can_merge_with_p.
	(exploded_graph::process_worklist): Likewise.
	(exploded_graph::maybe_process_run_of_before_supernode_enodes):
	Likewise.
	(exploded_graph::process_node): Add missing call to detect_leaks
	when handling phi nodes.
	* program-state.cc (program_state::can_merge_with_p): Add
	"ext_state" param. Pass it and state ptrs to
	region_model::can_merge_with_p.
	(selftest::test_program_state_merging): Update for new ext_state
	param of program_state::can_merge_with_p.
	(selftest::test_program_state_merging_2): Likewise.
	* program-state.h (program_state::can_purge_p): Make const.
	(program_state::can_merge_with_p): Add "ext_state" param.
	* region-model.cc: Include "analyzer/program-state.h".
	(region_model::can_merge_with_p): Add params "ext_state",
	"state_a", and "state_b", use them when creating model_merger
	object.
	(model_merger::mergeable_svalue_p): New.
	* region-model.h (region_model::can_merge_with_p): Add params
	"ext_state", "state_a", and "state_b".
	(model_merger::model_merger): Likewise, initializing new fields.
	(model_merger::mergeable_svalue_p): New decl.
	(model_merger::m_ext_state): New field.
	(model_merger::m_state_a): New field.
	(model_merger::m_state_b): New field.
	* svalue.cc (svalue::can_merge_p): Call
	model_merger::mergeable_svalue_p on both states and reject the
	merger accordingly.

2021-11-17  David Malcolm  <dmalcolm@redhat.com>

	PR analyzer/102695
	* region-model-impl-calls.cc (region_model::impl_call_strchr): New.
	* region-model-manager.cc
	(region_model_manager::maybe_fold_unaryop): Simplify cast to
	pointer type of an existing pointer to a region.
	* region-model.cc (region_model::on_call_pre): Handle
	BUILT_IN_STRCHR and "strchr".
	(write_to_const_diagnostic::emit): Add auto_diagnostic_group. Add
	alternate wordings for functions and labels.
	(write_to_const_diagnostic::describe_final_event): Add alternate
	wordings for functions and labels.
	(region_model::check_for_writable_region): Handle RK_FUNCTION and
	RK_LABEL.
	* region-model.h (region_model::impl_call_strchr): New decl.

2021-11-16  David Malcolm  <dmalcolm@redhat.com>

	PR analyzer/102662
	* constraint-manager.cc (bounded_range::operator==): Require the
	types to be the same for equality.

2021-11-13  David Malcolm  <dmalcolm@redhat.com>

	* analyzer.opt (Wanalyzer-tainted-allocation-size): New.
	(Wanalyzer-tainted-divisor): New.
	(Wanalyzer-tainted-offset): New.
	(Wanalyzer-tainted-size): New.
	* engine.cc (impl_region_model_context::get_taint_map): New.
	* exploded-graph.h (impl_region_model_context::get_taint_map):
	New decl.
	* program-state.cc (sm_state_map::get_state): Call
	alt_get_inherited_state.
	(sm_state_map::impl_set_state): Modify states within
	compound svalues.
	(program_state::impl_call_analyzer_dump_state): Undo casts.
	(selftest::test_program_state_1): Update for new context param of
	create_region_for_heap_alloc.
	(selftest::test_program_state_merging): Likewise.
	* region-model-impl-calls.cc (region_model::impl_call_alloca):
	Likewise.
	(region_model::impl_call_calloc): Likewise.
	(region_model::impl_call_malloc): Likewise.
	(region_model::impl_call_operator_new): Likewise.
	(region_model::impl_call_realloc): Likewise.
	* region-model.cc (region_model::check_region_access): Call
	check_region_for_taint.
	(region_model::get_representative_path_var_1): Handle binops.
	(region_model::create_region_for_heap_alloc): Add "ctxt" param and
	pass it to set_dynamic_extents.
	(region_model::create_region_for_alloca): Likewise.
	(region_model::set_dynamic_extents): Add "ctxt" param and use it
	to call check_dynamic_size_for_taint.
	(selftest::test_state_merging): Update for new context param of
	create_region_for_heap_alloc.
	(selftest::test_malloc_constraints): Likewise.
	(selftest::test_malloc): Likewise.
	(selftest::test_alloca): Likewise for create_region_for_alloca.
	* region-model.h (region_model::create_region_for_heap_alloc): Add
	"ctxt" param.
	(region_model::create_region_for_alloca): Likewise.
	(region_model::set_dynamic_extents): Likewise.
	(region_model::check_dynamic_size_for_taint): New decl.
	(region_model::check_region_for_taint): New decl.
	(region_model_context::get_taint_map): New vfunc.
	(noop_region_model_context::get_taint_map): New.
	* sm-taint.cc: Remove include of "diagnostic-event-id.h"; add
	includes of "gimple-iterator.h", "tristate.h", "selftest.h",
	"ordered-hash-map.h", "cgraph.h", "cfg.h", "digraph.h",
	"analyzer/supergraph.h", "analyzer/call-string.h",
	"analyzer/program-point.h", "analyzer/store.h",
	"analyzer/region-model.h", and "analyzer/program-state.h".
	(enum bounds): Move to top of file.
	(class taint_diagnostic): New.
	(class tainted_array_index): Convert to subclass of taint_diagnostic.
	(tainted_array_index::emit): Add CWE-129. Reword warning to use
	"attacker-controlled" rather than "tainted".
	(tainted_array_index::describe_state_change): Move to
	taint_diagnostic::describe_state_change.
	(tainted_array_index::describe_final_event): Reword to use
	"attacker-controlled" rather than "tainted".
	(class tainted_offset): New.
	(class tainted_size): New.
	(class tainted_divisor): New.
	(class tainted_allocation_size): New.
	(taint_state_machine::alt_get_inherited_state): New.
	(taint_state_machine::on_stmt): In assignment handling, remove
	ARRAY_REF handling in favor of check_region_for_taint. Add
	detection of tainted divisors.
	(taint_state_machine::get_taint): New.
	(taint_state_machine::combine_states): New.
	(region_model::check_region_for_taint): New.
	(region_model::check_dynamic_size_for_taint): New.
	* sm.h (state_machine::alt_get_inherited_state): New.

2021-11-12  David Malcolm  <dmalcolm@redhat.com>

	* engine.cc (exploded_node::on_stmt_pre): Return when handling
	"__analyzer_dump_state".

2021-11-11  Richard Biener  <rguenther@suse.de>

	* supergraph.cc: Include bitmap.h.

2021-11-04  David Malcolm  <dmalcolm@redhat.com>

	* program-state.cc (sm_state_map::dump): Use default_tree_printer
	as format decoder.

2021-09-16  Maxim Blinov  <maxim.blinov@embecosm.com>

	PR bootstrap/102242
	* engine.cc (INCLUDE_UNIQUE_PTR): Define.

2021-09-08  David Malcolm  <dmalcolm@redhat.com>

	PR analyzer/102225
	* analyzer.h (compat_types_p): New decl.
	* constraint-manager.cc
	(constraint_manager::get_or_add_equiv_class): Guard against NULL
	type when checking for pointer types.
	* region-model-impl-calls.cc (region_model::impl_call_realloc):
	Guard against NULL lhs type/region. Guard against the size value
	not being of a compatible type for dynamic extents.
	* region-model.cc (compat_types_p): Make non-static.

2021-08-30  David Malcolm  <dmalcolm@redhat.com>

	PR analyzer/99260
	* analyzer.h (class custom_edge_info): New class, adapted from
	exploded_edge::custom_info_t. Make member functions const.
	Make update_model return bool, converting edge param from
	reference to a pointer, and adding a ctxt param.
	(class path_context): New class.
	* call-info.cc: New file.
	* call-info.h: New file.
	* engine.cc: Include "analyzer/call-info.h" and <memory>.
	(impl_region_model_context::impl_region_model_context): Update for
	new m_path_ctxt field.
	(impl_region_model_context::bifurcate): New.
	(impl_region_model_context::terminate_path): New.
	(impl_region_model_context::get_malloc_map): New.
	(impl_sm_context::impl_sm_context): Update for new m_path_ctxt
	field.
	(impl_sm_context::get_fndecl_for_call): Likewise.
	(impl_sm_context::set_next_state): Likewise.
	(impl_sm_context::warn): Likewise.
	(impl_sm_context::is_zero_assignment): Likewise.
	(impl_sm_context::get_path_context): New.
	(impl_sm_context::m_path_ctxt): New.
	(impl_region_model_context::on_condition): Update for new
	path_ctxt param. Handle m_enode_for_diag being NULL.
	(impl_region_model_context::on_phi): Update for new path_ctxt
	param.
	(exploded_node::on_stmt): Add path_ctxt param, updating ctor calls
	to use it as necessary. Use it to bail out after sm-handling,
	if needed.
	(exploded_node::detect_leaks): Update for new path_ctxt param.
	(dynamic_call_info_t::update_model): Update for conversion of
	exploded_edge::custom_info_t to custom_edge_info.
	(dynamic_call_info_t::add_events_to_path): Likewise.
	(rewind_info_t::update_model): Likewise.
	(rewind_info_t::add_events_to_path): Likewise.
	(exploded_edge::exploded_edge): Likewise.
	(exploded_graph::add_edge): Likewise.
	(exploded_graph::maybe_process_run_of_before_supernode_enodes):
	Update for new path_ctxt param.
	(class impl_path_context): New.
	(exploded_graph::process_node): Update for new path_ctxt param.
	Create an impl_path_context and pass it to exploded_node::on_stmt.
	Use it to terminate iterating stmts if terminate_path is called
	on it. After processing a run of stmts, query path_ctxt to
	potentially terminate the analysis path, and/or to "bifurcate" the
	analysis into multiple additional paths.
	(feasibility_state::maybe_update_for_edge): Update for new
	update_model ctxt param.
	* exploded-graph.h
	(impl_region_model_context::impl_region_model_context): Add
	path_ctxt param.
	(impl_region_model_context::bifurcate): New.
	(impl_region_model_context::terminate_path): New.
	(impl_region_model_context::get_ext_state): New.
	(impl_region_model_context::get_malloc_map): New.
	(impl_region_model_context::m_path_ctxt): New field.
	(exploded_node::on_stmt): Add path_ctxt param.
	(class exploded_edge::custom_info_t): Move to analyzer.h, renaming
	to custom_edge_info, and making the changes as noted in analyzer.h
	above.
	(exploded_edge::exploded_edge): Update for these changes to
	exploded_edge::custom_info_t.
	(exploded_edge::m_custom_info): Likewise.
	(class dynamic_call_info_t): Likewise.
	(class rewind_info_t): Likewise.
	(exploded_graph::add_edge): Likewise.
	* program-state.cc (program_state::on_edge): Update for new
	path_ctxt param.
	(program_state::push_call): Likewise.
	(program_state::returning_call): Likewise.
	(program_state::prune_for_point): Likewise.
	* region-model-impl-calls.cc: Include "analyzer/call-info.h".
	(call_details::get_fndecl_for_call): New.
	(region_model::impl_call_realloc): Reimplement.
	* region-model.cc (region_model::on_call_pre): Move call to
	impl_call_realloc to...
	(region_model::on_call_post): ...here. Consolidate creation
	of call_details instance.
	(noop_region_model_context::bifurcate): New.
	(noop_region_model_context::terminate_path): New.
	* region-model.h (call_details::get_call_stmt): New.
	(call_details::get_fndecl_for_call): New.
	(region_model::on_realloc_with_move): New.
	(region_model_context::bifurcate): New.
	(region_model_context::terminate_path): New.
	(region_model_context::get_ext_state): New.
	(region_model_context::get_malloc_map): New.
	(noop_region_model_context::bifurcate): New.
	(noop_region_model_context::terminate_path): New.
	(noop_region_model_context::get_ext_state): New.
	(noop_region_model_context::get_malloc_map): New.
	* sm-malloc.cc: Include "analyzer/program-state.h".
	(malloc_state_machine::on_realloc_call): Reimplement.
	(malloc_state_machine::on_realloc_with_move): New.
	(region_model::on_realloc_with_move): New.
	* sm-signal.cc (class signal_delivery_edge_info_t): Update for
	conversion from exploded_edge::custom_info_t to custom_edge_info.
	* sm.h (sm_context::get_path_context): New.
	* svalue.cc (svalue::maybe_get_constant): Call
	unwrap_any_unmergeable.

2021-08-25  Ankur Saini  <arsenic@sourceware.org>

	PR analyzer/101980
	* engine.cc (exploded_graph::maybe_create_dynamic_call): Don't create
	calls if max recursion limit is reached.

2021-08-23  David Malcolm  <dmalcolm@redhat.com>

	* analyzer.h (struct rejected_constraint): Convert to...
	(class rejected_constraint): ...this.
	(class bounded_ranges): New forward decl.
	(class bounded_ranges_manager): New forward decl.
	* constraint-manager.cc: Include "analyzer/analyzer-logging.h" and
	"tree-pretty-print.h".
	(can_plus_one_p): New.
	(plus_one): New.
	(can_minus_one_p): New.
	(minus_one): New.
	(bounded_range::bounded_range): New.
	(dump_cst): New.
	(bounded_range::dump_to_pp): New.
	(bounded_range::dump): New.
	(bounded_range::to_json): New.
	(bounded_range::set_json_attr): New.
	(bounded_range::contains_p): New.
	(bounded_range::intersects_p): New.
	(bounded_range::operator==): New.
	(bounded_range::cmp): New.
	(bounded_ranges::bounded_ranges): New.
	(bounded_ranges::bounded_ranges): New.
	(bounded_ranges::bounded_ranges): New.
	(bounded_ranges::canonicalize): New.
	(bounded_ranges::validate): New.
	(bounded_ranges::operator==): New.
	(bounded_ranges::dump_to_pp): New.
	(bounded_ranges::dump): New.
	(bounded_ranges::to_json): New.
	(bounded_ranges::eval_condition): New.
	(bounded_ranges::contain_p): New.
	(bounded_ranges::cmp): New.
	(bounded_ranges_manager::~bounded_ranges_manager): New.
	(bounded_ranges_manager::get_or_create_empty): New.
	(bounded_ranges_manager::get_or_create_point): New.
	(bounded_ranges_manager::get_or_create_range): New.
	(bounded_ranges_manager::get_or_create_union): New.
	(bounded_ranges_manager::get_or_create_intersection): New.
	(bounded_ranges_manager::get_or_create_inverse): New.
	(bounded_ranges_manager::consolidate): New.
	(bounded_ranges_manager::get_or_create_ranges_for_switch): New.
	(bounded_ranges_manager::create_ranges_for_switch): New.
	(bounded_ranges_manager::make_case_label_ranges): New.
	(bounded_ranges_manager::log_stats): New.
	(bounded_ranges_constraint::print): New.
	(bounded_ranges_constraint::to_json): New.
	(bounded_ranges_constraint::operator==): New.
	(bounded_ranges_constraint::add_to_hash): New.
	(constraint_manager::constraint_manager): Update for new field
	m_bounded_ranges_constraints.
	(constraint_manager::operator=): Likewise.
	(constraint_manager::hash): Likewise.
	(constraint_manager::operator==): Likewise.
	(constraint_manager::print): Likewise.
	(constraint_manager::dump_to_pp): Likewise.
	(constraint_manager::to_json): Likewise.
	(constraint_manager::add_unknown_constraint): Update the lhs_ec_id
	if necessary in existing constraints when combining equivalence
	classes. Add similar code for handling
	m_bounded_ranges_constraints.
	(constraint_manager::add_constraint_internal): Add comment.
	(constraint_manager::add_bounded_ranges): New.
	(constraint_manager::eval_condition): Use new field
	m_bounded_ranges_constraints.
	(constraint_manager::purge): Update bounded_ranges_constraint
	instances.
	(constraint_manager::canonicalize): Update for new field.
	(merger_fact_visitor::on_ranges): New.
	(constraint_manager::for_each_fact): Use new field
	m_bounded_ranges_constraints.
	(constraint_manager::validate): Fix off-by-one error needed due
	to bug fixed above in add_unknown_constraint. Validate the EC IDs
	in m_bounded_ranges_constraints.
	(constraint_manager::get_range_manager): New.
	(selftest::assert_dump_bounded_range_eq): New.
	(ASSERT_DUMP_BOUNDED_RANGE_EQ): New.
	(selftest::test_bounded_range): New.
	(selftest::assert_dump_bounded_ranges_eq): New.
	(ASSERT_DUMP_BOUNDED_RANGES_EQ): New.
	(selftest::test_bounded_ranges): New.
	(selftest::run_constraint_manager_tests): Call the new selftests.
	* constraint-manager.h (struct bounded_range): New.
	(struct bounded_ranges): New.
	(template <> struct default_hash_traits<bounded_ranges::key_t>): New.
	(class bounded_ranges_manager): New.
	(fact_visitor::on_ranges): New pure virtual function.
	(class bounded_ranges_constraint): New.
	(constraint_manager::add_bounded_ranges): New decl.
	(constraint_manager::get_range_manager): New decl.
	(constraint_manager::m_bounded_ranges_constraints): New field.
	* diagnostic-manager.cc (epath_finder::process_worklist_item):
	Transfer ownership of rc to add_feasibility_problem.
	* engine.cc (feasibility_problem::dump_to_pp): Use get_model.
	* feasible-graph.cc (infeasible_node::dump_dot): Update for
	conversion of m_rc to a pointer.
	(feasible_graph::add_feasibility_problem): Pass RC by pointer and
	take ownership.
	* feasible-graph.h (infeasible_node::infeasible_node): Pass RC by
	pointer and take ownership.
	(infeasible_node::~infeasible_node): New.
	(infeasible_node::m_rc): Convert to a pointer.
	(feasible_graph::add_feasibility_problem): Pass RC by pointer and
	take ownership.
	* region-model-manager.cc: Include
	"analyzer/constraint-manager.h".
	(region_model_manager::region_model_manager): Initialize new
	field m_range_mgr.
	(region_model_manager::~region_model_manager): Delete it.
	(region_model_manager::log_stats): Call log_stats on it.
	* region-model.cc (region_model::add_constraint): Use new subclass
	rejected_op_constraint.
	(region_model::apply_constraints_for_gswitch): Reimplement using
	bounded_ranges_manager.
	(rejected_constraint::dump_to_pp): Convert to...
	(rejected_op_constraint::dump_to_pp): ...this.
	(rejected_ranges_constraint::dump_to_pp): New.
	* region-model.h (struct purge_stats): Add field
	m_num_bounded_ranges_constraints.
	(region_model_manager::get_range_manager): New.
	(region_model_manager::m_range_mgr): New.
	(region_model::get_range_manager): New.
	(struct rejected_constraint): Split into...
	(class rejected_constraint): ...this new abstract base class,
	and...
	(class rejected_op_constraint): ...this new concrete subclass.
	(class rejected_ranges_constraint): New.
	* supergraph.cc: Include "tree-cfg.h".
	(supergraph::supergraph): Drop idx param from add_cfg_edge.
	(supergraph::add_cfg_edge): Drop idx param.
	(switch_cfg_superedge::switch_cfg_superedge): Move here from
	header. Populate m_case_labels with all cases which go to DST.
	(switch_cfg_superedge::dump_label_to_pp): Reimplement to use
	m_case_labels.
	(switch_cfg_superedge::get_case_label): Delete.
	* supergraph.h (supergraph::add_cfg_edge): Drop "idx" param.
	(switch_cfg_superedge::switch_cfg_superedge): Drop idx param and
	move implementation to supergraph.cc.
	(switch_cfg_superedge::get_case_label): Delete.
	(switch_cfg_superedge::get_case_labels): New.
	(switch_cfg_superedge::m_idx): Delete.
	(switch_cfg_superedge::m_case_labels): New field.

2021-08-23  David Malcolm  <dmalcolm@redhat.com>

	PR analyzer/101875
	* sm-file.cc (file_diagnostic::describe_state_change): Handle
	change.m_expr being NULL.

2021-08-23  David Malcolm  <dmalcolm@redhat.com>

	PR analyzer/101837
	* analyzer.cc (maybe_reconstruct_from_def_stmt): Bail if fn is
	NULL, and assert that it's non-NULL before passing it to
	build_call_array_loc.

2021-08-23  David Malcolm  <dmalcolm@redhat.com>

	PR analyzer/101962
	* region-model.cc (region_model::eval_condition_without_cm):
	Refactor comparison against zero, adding a check for
	POINTER_PLUS_EXPR of non-NULL.

2021-08-23  David Malcolm  <dmalcolm@redhat.com>

	* store.cc (bit_range::intersects_p): New overload.
	(bit_range::operator-): New.
	(binding_cluster::maybe_get_compound_binding): Handle the partial
	overlap case.
	(selftest::test_bit_range_intersects_p): Add test coverage for
	new overload of bit_range::intersects_p.
	* store.h (bit_range::intersects_p): New overload.
	(bit_range::operator-): New.

2021-08-23  Ankur Saini  <arsenic@sourceware.org>

	PR analyzer/102020
	* diagnostic-manager.cc
	(diagnostic_manager::prune_for_sm_diagnostic)<case EK_CALL_EDGE>: Fix typo.

2021-08-21  Ankur Saini  <arsenic@sourceware.org>

	PR analyzer/101980
	* diagnostic-manager.cc
	(diagnostic_manager::prune_for_sm_diagnostic)<case EK_CALL_EDGE>: Use
	caller_model only when the supergraph_edge doesn't exist.
	(diagnostic_manager::prune_for_sm_diagnostic)<case EK_RETURN_EDGE>:
	Likewise.
	* engine.cc (exploded_graph::create_dynamic_call): Rename to...
	(exploded_graph::maybe_create_dynamic_call): ...this, return call
	creation status.
	(exploded_graph::process_node): Handle calls which were not dynamically
	discovered.
	* exploded-graph.h (exploded_graph::create_dynamic_call): Rename to...
	(exploded_graph::maybe_create_dynamic_call): ...this.
	* region-model.cc (region_model::update_for_gcall): New param, use it
	to push call to frame.
	(region_model::update_for_call_superedge): Pass callee function to
	update_for_gcall.
	* region-model.h (region_model::update_for_gcall): New param.

2021-08-18  Ankur Saini  <arsenic@sourceware.org>

	PR analyzer/97114
	* region-model.cc (region_model::get_rvalue_1): Add case for
	OBJ_TYPE_REF.

2021-08-18  Ankur Saini  <arsenic@sourceware.org>

	PR analyzer/100546
	* analysis-plan.cc (analysis_plan::use_summary_p): Don't use call
	summaries if there is no callgraph edge.
	* checker-path.cc (call_event::call_event): Handle call events that
	are not represented by a supergraph call edge.
	(return_event::return_event): Likewise.
	(call_event::get_desc): Work with new call_event structure.
	(return_event::get_desc): Likewise.
	* checker-path.h (call_event::m_src_snode): New field.
	(call_event::m_dest_snode): New field.
	(return_event::m_src_snode): New field.
	(return_event::m_dest_snode): New field.
	* diagnostic-manager.cc
	(diagnostic_manager::prune_for_sm_diagnostic)<case EK_CALL_EDGE>:
	Refactor to work with edges without callgraph edge.
	(diagnostic_manager::prune_for_sm_diagnostic)<case EK_RETURN_EDGE>:
	Likewise.
	* engine.cc (dynamic_call_info_t::update_model): New function.
	(dynamic_call_info_t::add_events_to_path): New function.
	(exploded_graph::create_dynamic_call): New function.
	(exploded_graph::process_node): Work with dynamically discovered calls.
	* exploded-graph.h (class dynamic_call_info_t): New class.
	(exploded_graph::create_dynamic_call): New decl.
	* program-point.cc (program_point::push_to_call_stack): New function.
	(program_point::pop_from_call_stack): New function.
	* program-point.h (program_point::push_to_call_stack): New decl.
	(program_point::pop_from_call_stack): New decl.
	* program-state.cc (program_state::push_call): New function.
	(program_state::returning_call): New function.
	* program-state.h (program_state::push_call): New decl.
	(program_state::returning_call): New decl.
	* region-model.cc (region_model::update_for_gcall): New function.
	(region_model::update_for_return_gcall): New function.
	(region_model::update_for_call_superedge): Get the underlying gcall and
	update for gcall.
	(region_model::update_for_return_superedge): Likewise.
	* region-model.h (region_model::update_for_gcall): New decl.
	(region_model::update_for_return_gcall): New decl.
	* state-purge.cc (state_purge_per_ssa_name::process_point): Update to
	work with calls without underlying cgraph edge.
	* supergraph.cc (supergraph::supergraph): Split snodes at every callsite.
	* supergraph.h (supernode::get_returning_call): New accessor.

2021-08-04  David Malcolm  <dmalcolm@redhat.com>

	PR analyzer/101570
	* analyzer.cc (maybe_reconstruct_from_def_stmt): Add GIMPLE_ASM
	case.
	* analyzer.h (class asm_output_svalue): New forward decl.
	(class reachable_regions): New forward decl.
	* complexity.cc (complexity::from_vec_svalue): New.
	* complexity.h (complexity::from_vec_svalue): New decl.
	* engine.cc (feasibility_state::maybe_update_for_edge): Handle
	asm stmts by calling on_asm_stmt.
	* region-model-asm.cc: New file.
	* region-model-manager.cc
	(region_model_manager::maybe_fold_asm_output_svalue): New.
	(region_model_manager::get_or_create_asm_output_svalue): New.
	(region_model_manager::log_stats): Log m_asm_output_values_map.
	* region-model.cc (region_model::on_stmt_pre): Handle GIMPLE_ASM.
	* region-model.h (visitor::visit_asm_output_svalue): New.
	(region_model_manager::get_or_create_asm_output_svalue): New decl.
	(region_model_manager::maybe_fold_asm_output_svalue): New decl.
	(region_model_manager::asm_output_values_map_t): New typedef.
	(region_model_manager::m_asm_output_values_map): New field.
	(region_model::on_asm_stmt): New.
	* store.cc (binding_cluster::on_asm): New.
	* store.h (binding_cluster::on_asm): New decl.
	* svalue.cc (svalue::cmp_ptr): Handle SK_ASM_OUTPUT.
	(asm_output_svalue::dump_to_pp): New.
	(asm_output_svalue::dump_input): New.
	(asm_output_svalue::input_idx_to_asm_idx): New.
	(asm_output_svalue::accept): New.
	* svalue.h (enum svalue_kind): Add SK_ASM_OUTPUT.
	(svalue::dyn_cast_asm_output_svalue): New.
	(class asm_output_svalue): New.
	(is_a_helper <const asm_output_svalue *>::test): New.
	(struct default_hash_traits<asm_output_svalue::key_t>): New.

2021-08-03  Jakub Jelinek  <jakub@redhat.com>

	PR analyzer/101721
	* sm-malloc.cc (known_allocator_p): Only check DECL_FUNCTION_CODE on
	BUILT_IN_NORMAL builtins.

2021-07-29  Ankur Saini  <arsenic@sourceware.org>

	* call-string.cc (call_string::element_t::operator==): New operator.
	(call_string::element_t::operator!=): New operator.
	(call_string::element_t::get_caller_function): New function.
	(call_string::element_t::get_callee_function): New function.
	(call_string::call_string): Refactor to initialise m_elements.
	(call_string::operator=): Refactor to work with m_elements.
	(call_string::operator==): Likewise.
	(call_string::to_json): Likewise.
	(call_string::hash): Refactor to hash e.m_caller.
	(call_string::push_call): Refactor to work with m_elements.
	(call_string::push_call): New overload to push call via supernodes.
	(call_string::pop): Refactor to work with m_elements.
	(call_string::calc_recursion_depth): Likewise.
	(call_string::cmp): Likewise.
	(call_string::validate): Likewise.
	(call_string::operator[]): Likewise.
	* call-string.h (class supernode): New forward decl.
	(struct call_string::element_t): New struct.
	(call_string::call_string): Refactor to initialise m_elements.
	(call_string::bool empty_p): Refactor to work with m_elements.
	(call_string::get_callee_node): New decl.
	(call_string::get_caller_node): New decl.
	(m_elements): Replaces m_return_edges.
	* program-point.cc (program_point::get_function_at_depth): Refactor to
	work with new call-string format.
	(program_point::validate): Likewise.
	(program_point::on_edge): Likewise.

2021-07-28  David Malcolm  <dmalcolm@redhat.com>

	* region-model.cc (region_model::on_call_pre): Treat
	IFN_UBSAN_BOUNDS, BUILT_IN_STACK_SAVE, and BUILT_IN_STACK_RESTORE
	as no-ops, rather than handling them as unknown functions.

2021-07-28  David Malcolm  <dmalcolm@redhat.com>

	* region-model-impl-calls.cc (region_model::impl_call_alloca):
	Drop redundant return value.
	(region_model::impl_call_builtin_expect): Likewise.
	(region_model::impl_call_calloc): Likewise.
	(region_model::impl_call_malloc): Likewise.
	(region_model::impl_call_memset): Likewise.
	(region_model::impl_call_operator_new): Likewise.
	(region_model::impl_call_operator_delete): Likewise.
	(region_model::impl_call_strlen): Likewise.
	* region-model.cc (region_model::on_call_pre): Fix return value of
	known functions that don't have unknown side-effects.
	* region-model.h (region_model::impl_call_alloca): Drop redundant
	return value.
	(region_model::impl_call_builtin_expect): Likewise.
	(region_model::impl_call_calloc): Likewise.
	(region_model::impl_call_malloc): Likewise.
	(region_model::impl_call_memset): Likewise.
	(region_model::impl_call_strlen): Likewise.
	(region_model::impl_call_operator_new): Likewise.
	(region_model::impl_call_operator_delete): Likewise.

2021-07-28  Siddhesh Poyarekar  <siddhesh@gotplt.org>

	* analyzer.cc (is_named_call_p, is_std_named_call_p): Make
	first argument a const_tree.
	* analyzer.h (is_named_call_p, is_std_named_call_p): Likewise.
	* sm-malloc.cc (known_allocator_p): New function.
	(malloc_state_machine::on_stmt): Use it.

2021-07-28  Siddhesh Poyarekar  <siddhesh@gotplt.org>

	* sm-malloc.cc
	(malloc_state_machine::get_or_create_deallocator): Recognize
	__builtin_free.

2021-07-26  David Malcolm  <dmalcolm@redhat.com>

	* region-model.cc (region_model::on_call_pre): Always set conjured
	LHS, not just for SSA names.

2021-07-23  David Malcolm  <dmalcolm@redhat.com>

	* diagnostic-manager.cc
	(class auto_disable_complexity_checks): New.
	(epath_finder::explore_feasible_paths): Use it to disable
	complexity checks whilst processing the worklist.
	* region-model-manager.cc
	(region_model_manager::region_model_manager): Initialize
	m_check_complexity.
	(region_model_manager::reject_if_too_complex): Bail if
	m_check_complexity is false.
	* region-model.h
	(region_model_manager::enable_complexity_check): New.
	(region_model_manager::disable_complexity_check): New.
	(region_model_manager::m_check_complexity): New.

2021-07-21  David Malcolm  <dmalcolm@redhat.com>

	PR analyzer/101547
	* sm-file.cc (file_leak::emit): Handle m_arg being NULL.
	(file_leak::describe_final_event): Handle ev.m_expr being NULL.

2021-07-21  David Malcolm  <dmalcolm@redhat.com>

	PR analyzer/101522
	* store.cc (binding_cluster::purge_state_involving): Don't change
	m_map whilst iterating through it.

2021-07-21  David Malcolm  <dmalcolm@redhat.com>

	* region-model.cc (region_model::handle_phi): Add "old_state"
	param and use it.
	(region_model::update_for_phis): Update so that all of the phi
	stmts are effectively handled simultaneously, rather than in
	order.
	* region-model.h (region_model::handle_phi): Add "old_state"
	param.
	* state-purge.cc (self_referential_phi_p): Replace with...
	(name_used_by_phis_p): ...this new function.
	(state_purge_per_ssa_name::process_point): Update to use the
	above, so that all phi stmts at a basic block are effectively
	considered simultaneously, and only consider the phi arguments for
	the pertinent in-edge.
	* supergraph.cc (cfg_superedge::get_phi_arg_idx): New.
	(cfg_superedge::get_phi_arg): Use the above.
	* supergraph.h (cfg_superedge::get_phi_arg_idx): New decl.

2021-07-21  David Malcolm  <dmalcolm@redhat.com>

	* state-purge.cc (state_purge_annotator::add_node_annotations):
	Rather than erroneously always using the NULL in-edge, determine
	each relevant in-edge, and print the appropriate data for each
	in-edge. Use print_needed to print the data as comma-separated
	lists of SSA names.
	(print_vec_of_names): Add "within_table" param and use it.
	(state_purge_annotator::add_stmt_annotations): Factor out
	collation and printing code into...
	(state_purge_annotator::print_needed): ...this new function.
	* state-purge.h (state_purge_annotator::print_needed): New decl.

2021-07-21  David Malcolm  <dmalcolm@redhat.com>

	* program-point.cc (function_point::print): Show src BB index at
	BEFORE_SUPERNODE.

2021-07-21  David Malcolm  <dmalcolm@redhat.com>

	* svalue.cc (infix_p): New.
	(binop_svalue::dump_to_pp): Use it to print MIN_EXPR and MAX_EXPR
	in prefix form, rather than infix.

2021-07-19  David Malcolm  <dmalcolm@redhat.com>

	PR analyzer/101503
	* constraint-manager.cc (constraint_manager::add_constraint): Use
	can_have_associated_state_p rather than testing for unknown.
	(constraint_manager::get_or_add_equiv_class): Likewise.
	* program-state.cc (sm_state_map::set_state): Likewise.
	(sm_state_map::impl_set_state): Add assertion.
	* region-model-manager.cc
	(region_model_manager::maybe_fold_unaryop): Handle poisoned
	values.
	(region_model_manager::maybe_fold_binop): Move handling of unknown
	values...
	(region_model_manager::get_or_create_binop): ...to here, and
	generalize to use can_have_associated_state_p.
	(region_model_manager::maybe_fold_sub_svalue): Use
	can_have_associated_state_p rather than testing for unknown.
	(region_model_manager::maybe_fold_repeated_svalue): Use unknown
	when the size or repeated value is "unknown"/"poisoned".
	* region-model.cc (region_model::purge_state_involving): Reject
	attempts to purge unknown/poisoned svalues, as these svalues
	should not have state associated with them.
	* svalue.cc (sub_svalue::sub_svalue): Assert that we're building
	on top of an svalue with can_have_associated_state_p.
	(repeated_svalue::repeated_svalue): Likewise.
	(bits_within_svalue::bits_within_svalue): Likewise.
	* svalue.h (svalue::can_have_associated_state_p): New.
	(unknown_svalue::can_have_associated_state_p): New.
	(poisoned_svalue::can_have_associated_state_p): New.
	(unaryop_svalue::unaryop_svalue): Assert that we're building on
	top of an svalue with can_have_associated_state_p.
	(binop_svalue::binop_svalue): Likewise.
	(widening_svalue::widening_svalue): Likewise.

2021-07-16  David Malcolm  <dmalcolm@redhat.com>

	* analyzer.h (enum access_direction): New.
	* engine.cc (exploded_node::on_longjmp): Update for new param of
	get_store_value.
	* program-state.cc (program_state::prune_for_point): Likewise.
	* region-model-impl-calls.cc (region_model::impl_call_memcpy):
	Replace call to check_for_writable_region with call to
	check_region_for_write.
	(region_model::impl_call_memset): Likewise.
	(region_model::impl_call_strcpy): Likewise.
	* region-model-reachability.cc (reachable_regions::add): Update
	for new param of get_store_value.
	* region-model.cc (region_model::get_rvalue_1): Likewise, also for
	get_rvalue_for_bits.
	(region_model::get_store_value): Add ctxt param and use it to call
	check_region_for_read.
	(region_model::get_rvalue_for_bits): Add ctxt param and use it to
	call get_store_value.
	(region_model::check_region_access): New.
	(region_model::check_region_for_write): New.
	(region_model::check_region_for_read): New.
	(region_model::set_value): Update comment. Replace call to
	check_for_writable_region with call to check_region_for_write.
	* region-model.h (region_model::get_rvalue_for_bits): Add ctxt
	param.
	(region_model::get_store_value): Add ctxt param.
	(region_model::check_region_access): New decl.
	(region_model::check_region_for_write): New decl.
	(region_model::check_region_for_read): New decl.
	* region.cc (region_model::copy_region): Update call to
	get_store_value.
	* svalue.cc (initial_svalue::implicitly_live_p): Likewise.

2021-07-16  David Malcolm  <dmalcolm@redhat.com>

	* engine.cc (exploded_node::on_stmt_pre): Handle
	__analyzer_dump_state.
	* program-state.cc (extrinsic_state::get_sm_idx_by_name): New.
	(program_state::impl_call_analyzer_dump_state): New.
	* program-state.h (extrinsic_state::get_sm_idx_by_name): New decl.
	(program_state::impl_call_analyzer_dump_state): New decl.
	* region-model-impl-calls.cc
	(call_details::get_arg_string_literal): New.
	* region-model.h (call_details::get_arg_string_literal): New decl.

2021-07-16  David Malcolm  <dmalcolm@redhat.com>

	* program-state.cc (program_state::detect_leaks): Simplify using
	svalue::maybe_get_region.
	* region-model-impl-calls.cc (region_model::impl_call_fgets): Likewise.
	(region_model::impl_call_fread): Likewise.
	(region_model::impl_call_free): Likewise.
	(region_model::impl_call_operator_delete): Likewise.
	* region-model.cc (selftest::test_stack_frames): Likewise.
	(selftest::test_state_merging): Likewise.
	* svalue.cc (svalue::maybe_get_region): New.
	* svalue.h (svalue::maybe_get_region): New decl.

2021-07-15  David Malcolm  <dmalcolm@redhat.com>

	* svalue.h (is_a_helper <placeholder_svalue *>::test): Make
	param and template param const.
	(is_a_helper <widening_svalue *>::test): Likewise.
	(is_a_helper <compound_svalue *>::test): Likewise.
	(is_a_helper <conjured_svalue *>::test): Likewise.

2021-07-15  David Malcolm  <dmalcolm@redhat.com>

	PR analyzer/95006
	PR analyzer/94713
	PR analyzer/94714
	* analyzer.cc (maybe_reconstruct_from_def_stmt): Split out
	GIMPLE_ASSIGN case into...
	(get_diagnostic_tree_for_gassign_1): New.
	(get_diagnostic_tree_for_gassign): New.
	* analyzer.h (get_diagnostic_tree_for_gassign): New decl.
	* analyzer.opt (Wanalyzer-write-to-string-literal): New.
	* constraint-manager.cc (class svalue_purger): New.
	(constraint_manager::purge_state_involving): New.
	* constraint-manager.h
	(constraint_manager::purge_state_involving): New.
	* diagnostic-manager.cc (saved_diagnostic::supercedes_p): New.
	(dedupe_winners::handle_interactions): New.
	(diagnostic_manager::emit_saved_diagnostics): Call it.
	* diagnostic-manager.h (saved_diagnostic::supercedes_p): New decl.
	* engine.cc (impl_region_model_context::warn): Convert return type
	to bool. Return false if the diagnostic isn't saved.
	(impl_region_model_context::purge_state_involving): New.
	(impl_sm_context::get_state): Use NULL ctxt when querying old
	rvalue.
	(impl_sm_context::set_next_state): Use new sval when querying old
	state.
	(class dump_path_diagnostic): Move to region-model.cc.
	(exploded_node::on_stmt): Move to on_stmt_pre and on_stmt_post.
	Remove call to purge_state_involving.
	(exploded_node::on_stmt_pre): New, based on the above. Move most
	of it to region_model::on_stmt_pre.
	(exploded_node::on_stmt_post): Likewise, moving to
	region_model::on_stmt_post.
	(class stale_jmp_buf): Fix parent class to use curiously recurring
	template pattern.
	(feasibility_state::maybe_update_for_edge): Call on_call_pre and
	on_call_post on gcalls.
	* exploded-graph.h (impl_region_model_context::warn): Return bool.
	(impl_region_model_context::purge_state_involving): New decl.
	(exploded_node::on_stmt_pre): New decl.
	(exploded_node::on_stmt_post): New decl.
	* pending-diagnostic.h (pending_diagnostic::use_of_uninit_p): New.
	(pending_diagnostic::supercedes_p): New.
	* program-state.cc (sm_state_map::get_state): Inherit state for
	conjured_svalue as well as initial_svalue.
	(sm_state_map::purge_state_involving): Also support SK_CONJURED.
	* region-model-impl-calls.cc (call_details::get_uncertainty):
	Handle m_ctxt being NULL.
	(call_details::get_or_create_conjured_svalue): New.
	(region_model::impl_call_fgets): New.
	(region_model::impl_call_fread): New.
	* region-model-manager.cc
	(region_model_manager::get_or_create_initial_value): Return an
	uninitialized poisoned value for regions that can't have initial
	values.
	* region-model-reachability.cc
	(reachable_regions::mark_escaped_clusters): Handle ctxt being
	NULL.
	* region-model.cc (region_to_value_map::purge_state_involving): New.
	(poisoned_value_diagnostic::use_of_uninit_p): New.
	(poisoned_value_diagnostic::emit): Handle POISON_KIND_UNINIT.
	(poisoned_value_diagnostic::describe_final_event): Likewise.
	(region_model::check_for_poison): New.
	(region_model::on_assignment): Call it.
	(class dump_path_diagnostic): Move here from engine.cc.
	(region_model::on_stmt_pre): New, based on exploded_node::on_stmt.
	(region_model::on_call_pre): Move the setting of the LHS to a
	conjured svalue to before the checks for specific functions.
	Handle "fgets", "fgets_unlocked", and "fread".
	(region_model::purge_state_involving): New.
	(region_model::handle_unrecognized_call): Handle ctxt being NULL.
	(region_model::get_rvalue): Call check_for_poison.
	(selftest::test_stack_frames): Use NULL for context when getting
	uninitialized rvalue.
	(selftest::test_alloca): Likewise.
	* region-model.h (region_to_value_map::purge_state_involving): New
	decl.
	(call_details::get_or_create_conjured_svalue): New decl.
	(region_model::on_stmt_pre): New decl.
	(region_model::purge_state_involving): New decl.
	(region_model::impl_call_fgets): New decl.
	(region_model::impl_call_fread): New decl.
	(region_model::check_for_poison): New decl.
	(region_model_context::warn): Return bool.
	(region_model_context::purge_state_involving): New.
	(noop_region_model_context::warn): Return bool.
	(noop_region_model_context::purge_state_involving): New.
	(test_region_model_context::warn): Return bool.
	* region.cc (region::get_memory_space): New.
	(region::can_have_initial_svalue_p): New.
	(region::involves_p): New.
	* region.h (enum memory_space): New.
	(region::get_memory_space): New decl.
	(region::can_have_initial_svalue_p): New decl.
	(region::involves_p): New decl.
	* sm-malloc.cc (use_after_free::supercedes_p): New.
	* store.cc (binding_cluster::purge_state_involving): New.
	(store::purge_state_involving): New.
	* store.h (class symbolic_binding): New forward decl.
	(binding_key::dyn_cast_symbolic_binding): New.
	(symbolic_binding::dyn_cast_symbolic_binding): New.
	(binding_cluster::purge_state_involving): New.
	(store::purge_state_involving): New.
	* svalue.cc (svalue::can_merge_p): Reject attempts to merge
	poisoned svalues with other svalues, so that we identify
	paths in which a variable is conditionally uninitialized.
	(involvement_visitor::visit_conjured_svalue): New.
	(svalue::involves_p): Also handle SK_CONJURED.
	(poison_kind_to_str): Handle POISON_KIND_UNINIT.
	(poisoned_svalue::maybe_fold_bits_within): New.
	* svalue.h (enum poison_kind): Add POISON_KIND_UNINIT.
	(poisoned_svalue::maybe_fold_bits_within): New decl.

2021-07-15  David Malcolm  <dmalcolm@redhat.com>

	* analyzer.opt (fdump-analyzer-exploded-paths): New.
	* diagnostic-manager.cc
	(diagnostic_manager::emit_saved_diagnostic): Implement it.
	* engine.cc (exploded_path::dump_to_pp): Add ext_state param and
	use it to dump states if non-NULL.
	(exploded_path::dump): Likewise.
	(exploded_path::dump_to_file): New.
	* exploded-graph.h (exploded_path::dump_to_pp): Add ext_state
	param.
	(exploded_path::dump): Likewise.
	(exploded_path::dump_to_file): New.

2021-07-15  David Malcolm  <dmalcolm@redhat.com>

	* analyzer.cc (fixup_tree_for_diagnostic_1): Use DECL_DEBUG_EXPR
	if it's available.
	* engine.cc (readability): Likewise.

2021-07-15  David Malcolm  <dmalcolm@redhat.com>

	* state-purge.cc (self_referential_phi_p): New.
	(state_purge_per_ssa_name::process_point): Don't purge an SSA name
	at its def-stmt if the def-stmt is self-referential.

2021-07-07  David Malcolm  <dmalcolm@redhat.com>

	* diagnostic-manager.cc (null_assignment_sm_context::get_state):
	New overload.
	(null_assignment_sm_context::set_next_state): New overload.
	(null_assignment_sm_context::get_diagnostic_tree): New.
	* engine.cc (impl_sm_context::get_state): New overload.
	(impl_sm_context::set_next_state): New overload.
	(impl_sm_context::get_diagnostic_tree): New overload.
	(impl_region_model_context::on_condition): Convert params from
	tree to const svalue *.
	* exploded-graph.h (impl_region_model_context::on_condition):
	Likewise.
	* region-model.cc (region_model::on_call_pre): Move handling of
	internal calls to before checking for get_fndecl_for_call.
	(region_model::add_constraints_from_binop): New.
	(region_model::add_constraint): Split out into a new overload
	working on const svalue * rather than tree. Call
	add_constraints_from_binop. Drop call to
	add_any_constraints_from_ssa_def_stmt.
	(region_model::add_any_constraints_from_ssa_def_stmt): Delete.
	(region_model::add_any_constraints_from_gassign): Delete.
	(region_model::add_any_constraints_from_gcall): Delete.
	* region-model.h
	(region_model::add_any_constraints_from_ssa_def_stmt): Delete.
	(region_model::add_any_constraints_from_gassign): Delete.
	(region_model::add_any_constraints_from_gcall): Delete.
	(region_model::add_constraint): Add overload decl.
	(region_model::add_constraints_from_binop): New decl.
	(region_model_context::on_condition): Convert params from tree to
	const svalue *.
	(noop_region_model_context::on_condition): Likewise.
	* sm-file.cc (fileptr_state_machine::condition): Likewise.
	* sm-malloc.cc (malloc_state_machine::on_condition): Likewise.
	* sm-pattern-test.cc: Include tristate.h, selftest.h,
	analyzer/call-string.h, analyzer/program-point.h,
	analyzer/store.h, and analyzer/region-model.h.
	(pattern_test_state_machine::on_condition): Convert params from tree to
	const svalue *.
	* sm-sensitive.cc (sensitive_state_machine::on_condition): Delete.
	* sm-signal.cc (signal_state_machine::on_condition): Delete.
	* sm-taint.cc (taint_state_machine::on_condition): Convert params
	from tree to const svalue *.
	* sm.cc: Include tristate.h, selftest.h, analyzer/call-string.h,
	analyzer/program-point.h, analyzer/store.h, and
	analyzer/region-model.h.
	(any_pointer_p): Add overload taking const svalue *sval.
	* sm.h (any_pointer_p): Add overload taking const svalue *sval.
	(state_machine::on_condition): Convert params from tree to
	const svalue *. Provide no-op default implementation.
	(sm_context::get_state): Add overload taking const svalue *sval.
	(sm_context::set_next_state): Likewise.
	(sm_context::on_transition): Likewise.
	(sm_context::get_diagnostic_tree): Likewise.
	* svalue.cc (svalue::all_zeroes_p): New.
	(constant_svalue::all_zeroes_p): New.
	(repeated_svalue::all_zeroes_p): Convert to vfunc.
	* svalue.h (svalue::all_zeroes_p): New decl.
	(constant_svalue::all_zeroes_p): New decl.
	(repeated_svalue::all_zeroes_p): Convert decl to vfunc.

2021-06-30  David Malcolm  <dmalcolm@redhat.com>

	PR analyzer/95006
	* analyzer.h (class repeated_svalue): New forward decl.
	(class bits_within_svalue): New forward decl.
	(class sized_region): New forward decl.
	(get_field_at_bit_offset): New forward decl.
	* engine.cc (exploded_graph::get_or_create_node): Validate the
	merged state.
	(exploded_graph::maybe_process_run_of_before_supernode_enodes):
	Validate the states at each stage.
	* program-state.cc (program_state::validate): Validate
	m_region_model.
	* region-model-impl-calls.cc (region_model::impl_call_memset):
	Replace special-case logic for handling constant sizes with
	a call to fill_region of a sized_region with the given fill value.
	* region-model-manager.cc (maybe_undo_optimize_bit_field_compare):
	Drop DK_direct.
	(region_model_manager::maybe_fold_sub_svalue): Fold element-based
	subregions of an initial value into initial values of an element.
	Fold subvalues of repeated svalues.
	(region_model_manager::maybe_fold_repeated_svalue): New.
	(region_model_manager::get_or_create_repeated_svalue): New.
	(get_bit_range_for_field): New.
	(get_byte_range_for_field): New.
	(get_field_at_byte_range): New.
	(region_model_manager::maybe_fold_bits_within_svalue): New.
	(region_model_manager::get_or_create_bits_within): New.
	(region_model_manager::get_sized_region): New.
	(region_model_manager::log_stats): Update for addition of
	m_repeated_values_map, m_bits_within_values_map, and
	m_sized_regions.
	* region-model.cc (region_model::validate): New.
	(region_model::on_assignment): Drop enum binding_kind.
	(region_model::get_initial_value_for_global): Likewise.
	(region_model::get_rvalue_for_bits): Replace body with call to
	get_or_create_bits_within.
	(region_model::get_capacity): Handle RK_SIZED.
	(region_model::set_value): Drop enum binding_kind.
	(region_model::fill_region): New.
	(region_model::get_representative_path_var_1): Handle RK_SIZED.
	* region-model.h (visitor::visit_repeated_svalue): New.
	(visitor::visit_bits_within_svalue): New.
	(region_model_manager::get_or_create_repeated_svalue): New decl.
	(region_model_manager::get_or_create_bits_within): New decl.
	(region_model_manager::get_sized_region): New decl.
	(region_model_manager::maybe_fold_repeated_svalue): New decl.
	(region_model_manager::maybe_fold_bits_within_svalue): New decl.
	(region_model_manager::repeated_values_map_t): New typedef.
	(region_model_manager::m_repeated_values_map): New field.
	(region_model_manager::bits_within_values_map_t): New typedef.
	(region_model_manager::m_bits_within_values_map): New field.
	(region_model_manager::m_sized_regions): New field.
	(region_model::fill_region): New decl.
	* region.cc (region::get_base_region): Handle RK_SIZED.
	(region::base_region_p): Likewise.
	(region::get_byte_size_sval): New.
2204 (get_field_at_bit_offset): Make non-static. 2205 (region::calc_offset): Move implementation of cases to 2206 get_relative_concrete_offset vfunc implementations. Handle 2207 RK_SIZED. 2208 (region::get_relative_concrete_offset): New. 2209 (decl_region::get_svalue_for_initializer): Drop enum binding_kind. 2210 (field_region::get_relative_concrete_offset): New, from 2211 region::calc_offset. 2212 (element_region::get_relative_concrete_offset): Likewise. 2213 (offset_region::get_relative_concrete_offset): Likewise. 2214 (sized_region::accept): New. 2215 (sized_region::dump_to_pp): New. 2216 (sized_region::get_byte_size): New. 2217 (sized_region::get_bit_size): New. 2218 * region.h (enum region_kind): Add RK_SIZED. 2219 (region::dyn_cast_sized_region): New. 2220 (region::get_byte_size): Make virtual. 2221 (region::get_bit_size): Likewise. 2222 (region::get_byte_size_sval): New decl. 2223 (region::get_relative_concrete_offset): New decl. 2224 (field_region::get_relative_concrete_offset): New decl. 2225 (element_region::get_relative_concrete_offset): Likewise. 2226 (offset_region::get_relative_concrete_offset): Likewise. 2227 (class sized_region): New. 2228 * store.cc (binding_kind_to_string): Delete. 2229 (binding_key::make): Drop enum binding_kind. 2230 (binding_key::dump_to_pp): Delete. 2231 (binding_key::cmp_ptrs): Drop enum binding_kind. 2232 (bit_range::contains_p): New. 2233 (byte_range::dump): New. 2234 (byte_range::contains_p): New. 2235 (byte_range::cmp): New. 2236 (concrete_binding::dump_to_pp): Drop enum binding_kind. 2237 (concrete_binding::cmp_ptr_ptr): Likewise. 2238 (symbolic_binding::dump_to_pp): Likewise. 2239 (symbolic_binding::cmp_ptr_ptr): Likewise. 2240 (binding_map::apply_ctor_val_to_range): Likewise. 2241 (binding_map::apply_ctor_pair_to_child_region): Likewise. 2242 (binding_map::get_overlapping_bindings): New. 2243 (binding_map::remove_overlapping_bindings): New. 2244 (binding_cluster::validate): New. 
2245 (binding_cluster::bind): Drop enum binding_kind. 2246 (binding_cluster::bind_compound_sval): Likewise. 2247 (binding_cluster::purge_region): Likewise. 2248 (binding_cluster::zero_fill_region): Reimplement in terms of... 2249 (binding_cluster::fill_region): New. 2250 (binding_cluster::mark_region_as_unknown): Drop enum binding_kind. 2251 (binding_cluster::get_binding): Likewise. 2252 (binding_cluster::get_binding_recursive): Likewise. 2253 (binding_cluster::get_any_binding): Likewise. 2254 (binding_cluster::maybe_get_compound_binding): Reimplement. 2255 (binding_cluster::get_overlapping_bindings): Delete. 2256 (binding_cluster::remove_overlapping_bindings): Reimplement in 2257 terms of binding_map::remove_overlapping_bindings. 2258 (binding_cluster::can_merge_p): Update for removal of 2259 enum binding_kind. 2260 (binding_cluster::on_unknown_fncall): Drop enum binding_kind. 2261 (binding_cluster::maybe_get_simple_value): Likewise. 2262 (store_manager::get_concrete_binding): Likewise. 2263 (store_manager::get_symbolic_binding): Likewise. 2264 (store::validate): New. 2265 (store::set_value): Drop enum binding_kind. 2266 (store::zero_fill_region): Reimplement in terms of... 2267 (store::fill_region): New. 2268 (selftest::test_binding_key_overlap): Drop enum binding_kind. 2269 * store.h (enum binding_kind): Delete. 2270 (binding_kind_to_string): Delete decl. 2271 (binding_key::make): Drop enum binding_kind. 2272 (binding_key::dump_to_pp): Make pure virtual. 2273 (binding_key::get_kind): Delete. 2274 (binding_key::mark_deleted): Delete. 2275 (binding_key::mark_empty): Delete. 2276 (binding_key::is_deleted): Delete. 2277 (binding_key::is_empty): Delete. 2278 (binding_key::binding_key): Delete. 2279 (binding_key::impl_hash): Delete. 2280 (binding_key::impl_eq): Delete. 2281 (binding_key::m_kind): Delete. 2282 (bit_range::get_last_bit_offset): New. 2283 (bit_range::contains_p): New. 2284 (byte_range::contains_p): New. 2285 (byte_range::operator==): New. 
2286 (byte_range::get_start_byte_offset): New. 2287 (byte_range::get_next_byte_offset): New. 2288 (byte_range::get_last_byte_offset): New. 2289 (byte_range::as_bit_range): New. 2290 (byte_range::cmp): New. 2291 (concrete_binding::concrete_binding): Drop enum binding_kind. 2292 (concrete_binding::hash): Likewise. 2293 (concrete_binding::operator==): Likewise. 2294 (concrete_binding::mark_deleted): New. 2295 (concrete_binding::mark_empty): New. 2296 (concrete_binding::is_deleted): New. 2297 (concrete_binding::is_empty): New. 2298 (default_hash_traits<ana::concrete_binding>::empty_zero_p): Make false. 2299 (symbolic_binding::symbolic_binding): Drop enum binding_kind. 2300 (symbolic_binding::hash): Likewise. 2301 (symbolic_binding::operator==): Likewise. 2302 (symbolic_binding::mark_deleted): New. 2303 (symbolic_binding::mark_empty): New. 2304 (symbolic_binding::is_deleted): New. 2305 (symbolic_binding::is_empty): New. 2306 (binding_map::remove_overlapping_bindings): New decl. 2307 (binding_map::get_overlapping_bindings): New decl. 2308 (binding_cluster::validate): New decl. 2309 (binding_cluster::bind): Drop enum binding_kind. 2310 (binding_cluster::fill_region): New decl. 2311 (binding_cluster::get_binding): Drop enum binding_kind. 2312 (binding_cluster::get_binding_recursive): Likewise. 2313 (binding_cluster::get_overlapping_bindings): Delete. 2314 (store::validate): New decl. 2315 (store::set_value): Drop enum binding_kind. 2316 (store::fill_region): New decl. 2317 (store_manager::get_concrete_binding): Drop enum binding_kind. 2318 (store_manager::get_symbolic_binding): Likewise. 2319 * svalue.cc (svalue::cmp_ptr): Handle SK_REPEATED and 2320 SK_BITS_WITHIN. 2321 (svalue::extract_bit_range): New. 2322 (svalue::maybe_fold_bits_within): New. 2323 (constant_svalue::maybe_fold_bits_within): New. 2324 (unknown_svalue::maybe_fold_bits_within): New. 2325 (unaryop_svalue::maybe_fold_bits_within): New. 2326 (repeated_svalue::repeated_svalue): New. 
2327 (repeated_svalue::dump_to_pp): New. 2328 (repeated_svalue::accept): New. 2329 (repeated_svalue::all_zeroes_p): New. 2330 (repeated_svalue::maybe_fold_bits_within): New. 2331 (bits_within_svalue::bits_within_svalue): New. 2332 (bits_within_svalue::dump_to_pp): New. 2333 (bits_within_svalue::maybe_fold_bits_within): New. 2334 (bits_within_svalue::accept): New. 2335 (bits_within_svalue::implicitly_live_p): New. 2336 (compound_svalue::maybe_fold_bits_within): New. 2337 * svalue.h (enum svalue_kind): Add SK_REPEATED and SK_BITS_WITHIN. 2338 (svalue::dyn_cast_repeated_svalue): New. 2339 (svalue::dyn_cast_bits_within_svalue): New. 2340 (svalue::extract_bit_range): New decl. 2341 (svalue::maybe_fold_bits_within): New vfunc decl. 2342 (region_svalue::key_t::mark_empty): Use 2 rather than NULL_TREE. 2343 (region_svalue::key_t::is_empty): Likewise. 2344 (default_hash_traits<region_svalue::key_t>::empty_zero_p): Make false. 2345 (constant_svalue::maybe_fold_bits_within): New. 2346 (unknown_svalue::maybe_fold_bits_within): New. 2347 (poisoned_svalue::key_t::mark_empty): Use 2 rather than NULL_TREE. 2348 (poisoned_svalue::key_t::is_empty): Likewise. 2349 (default_hash_traits<poisoned_svalue::key_t>::empty_zero_p): Make 2350 false. 2351 (setjmp_svalue::key_t::mark_empty): Use 2 rather than NULL_TREE. 2352 (setjmp_svalue::key_t::is_empty): Likewise. 2353 (default_hash_traits<setjmp_svalue::key_t>::empty_zero_p): Make 2354 false. 2355 (unaryop_svalue::key_t::mark_empty): Use 2 rather than NULL_TREE. 2356 (unaryop_svalue::key_t::is_empty): Likewise. 2357 (unaryop_svalue::maybe_fold_bits_within): New. 2358 (default_hash_traits<unaryop_svalue::key_t>::empty_zero_p): Make 2359 false. 2360 (binop_svalue::key_t::mark_empty): Use 2 rather than NULL_TREE. 2361 (binop_svalue::key_t::is_empty): Likewise. 2362 (default_hash_traits<binop_svalue::key_t>::empty_zero_p): Make 2363 false. 2364 (sub_svalue::key_t::mark_empty): Use 2 rather than NULL_TREE. 
2365 (sub_svalue::key_t::is_empty): Likewise. 2366 (default_hash_traits<sub_svalue::key_t>::empty_zero_p): Make 2367 false. 2368 (class repeated_svalue): New. 2369 (is_a_helper <const repeated_svalue *>::test): New. 2370 (struct default_hash_traits<repeated_svalue::key_t>): New. 2371 (class bits_within_svalue): New. 2372 (is_a_helper <const bits_within_svalue *>::test): New. 2373 (struct default_hash_traits<bits_within_svalue::key_t>): New. 2374 (widening_svalue::key_t::mark_empty): Use 2 rather than NULL_TREE. 2375 (widening_svalue::key_t::is_empty): Likewise. 2376 (default_hash_traits<widening_svalue::key_t>::empty_zero_p): Make 2377 false. 2378 (compound_svalue::key_t::mark_empty): Use 2 rather than NULL_TREE. 2379 (compound_svalue::key_t::is_empty): Likewise. 2380 (compound_svalue::maybe_fold_bits_within): New. 2381 (default_hash_traits<compound_svalue::key_t>::empty_zero_p): Make 2382 false. 2383 23842021-06-28 David Malcolm <dmalcolm@redhat.com> 2385 2386 * analyzer.h (byte_offset_t): New typedef. 2387 * store.cc (bit_range::dump_to_pp): Dump as a byte range if 2388 possible. 2389 (bit_range::as_byte_range): New. 2390 (byte_range::dump_to_pp): New. 2391 * store.h (class byte_range): New forward decl. 2392 (struct bit_range): Add comment. 2393 (bit_range::as_byte_range): New decl. 2394 (struct byte_range): New. 2395 23962021-06-22 David Malcolm <dmalcolm@redhat.com> 2397 2398 PR analyzer/101143 2399 * region-model.cc (compat_types_p): New function. 2400 (region_model::create_region_for_heap_alloc): Convert assertion to 2401 an error check. 2402 (region_model::create_region_for_alloca): Likewise. 2403 24042021-06-18 David Malcolm <dmalcolm@redhat.com> 2405 2406 * store.cc (binding_cluster::get_any_binding): Make symbolic reads 2407 from a cluster with concrete bindings return unknown. 2408 24092021-06-18 David Malcolm <dmalcolm@redhat.com> 2410 2411 * region-model-manager.cc 2412 (region_model_manager::get_or_create_int_cst): New. 
2413 (region_model_manager::maybe_undo_optimize_bit_field_compare): Use 2414 it to simplify away a local tree. 2415 * region-model.cc (region_model::on_setjmp): Likewise. 2416 (region_model::on_longjmp): Likewise. 2417 * region-model.h (region_model_manager::get_or_create_int_cst): 2418 New decl. 2419 * store.cc (binding_cluster::zero_fill_region): Use it to simplify 2420 away a local tree. 2421 24222021-06-18 David Malcolm <dmalcolm@redhat.com> 2423 2424 * checker-path.cc (class custom_event): Make abstract to allow for 2425 custom vfuncs, splitting existing implementation into... 2426 (class precanned_custom_event): New subclass. 2427 (custom_event::get_desc): Move to... 2428 (precanned_custom_event::get_desc): ...subclass. 2429 * checker-path.h (class custom_event): Make abstract to allow for 2430 custom vfuncs, splitting existing implementation into... 2431 (class precanned_custom_event): New subclass. 2432 * diagnostic-manager.cc (diagnostic_manager::add_events_for_eedge): 2433 Use precanned_custom_event. 2434 * engine.cc 2435 (stale_jmp_buf::maybe_add_custom_events_for_superedge): Likewise. 2436 * sm-signal.cc (signal_delivery_edge_info_t::add_events_to_path): 2437 Likewise. 2438 24392021-06-15 David Malcolm <dmalcolm@redhat.com> 2440 2441 PR analyzer/99212 2442 PR analyzer/101082 2443 * engine.cc: Include "target.h". 2444 (impl_run_checkers): Log BITS_BIG_ENDIAN, BYTES_BIG_ENDIAN, and 2445 WORDS_BIG_ENDIAN. 2446 * region-model-manager.cc 2447 (region_model_manager::maybe_fold_binop): Move support for masking 2448 via ARG0 & CST into... 2449 (region_model_manager::maybe_undo_optimize_bit_field_compare): 2450 ...this new function. Flatten by converting from nested 2451 conditionals to a series of early return statements to reject 2452 failures. Reject if type is not unsigned_char_type_node. 2453 Handle BYTES_BIG_ENDIAN when determining which bits are bound 2454 in the binding_map. 
2455 * region-model.h 2456 (region_model_manager::maybe_undo_optimize_bit_field_compare): 2457 New decl. 2458 * store.cc (bit_range::dump): New function. 2459 * store.h (bit_range::dump): New decl. 2460 24612021-06-15 David Malcolm <dmalcolm@redhat.com> 2462 2463 * engine.cc (exploded_node::on_stmt): Handle __analyzer_dump_capacity. 2464 (exploded_node::on_stmt): Drop m_sm_changes from on_stmt_flags. 2465 (state_change_requires_new_enode_p): New function... 2466 (exploded_graph::process_node): Call it, rather than querying 2467 flags.m_sm_changes, so that dynamic-extent differences can also 2468 trigger the splitting of nodes. 2469 * exploded-graph.h (struct on_stmt_flags): Drop field m_sm_changes. 2470 * program-state.cc (program_state::detect_leaks): Purge dead 2471 heap-allocated regions from dynamic extents. 2472 (selftest::test_program_state_1): Fix type of "size_in_bytes". 2473 (selftest::test_program_state_merging): Likewise. 2474 * region-model-impl-calls.cc 2475 (region_model::impl_call_analyzer_dump_capacity): New. 2476 (region_model::impl_call_free): Remove dynamic extents from the 2477 freed region. 2478 * region-model-reachability.h 2479 (reachable_regions::begin_mutable_base_regs): New. 2480 (reachable_regions::end_mutable_base_regs): New. 2481 * region-model.cc: Include "tree-object-size.h". 2482 (region_model::region_model): Support new field m_dynamic_extents. 2483 (region_model::operator=): Likewise. 2484 (region_model::operator==): Likewise. 2485 (region_model::dump_to_pp): Dump sizes of dynamic regions. 2486 (region_model::handle_unrecognized_call): Purge dynamic extents 2487 from any regions that have escaped mutably:. 2488 (region_model::get_capacity): New function. 2489 (region_model::add_constraint): Unset dynamic extents when a 2490 heap-allocated region's address is NULL. 2491 (region_model::unbind_region_and_descendents): Purge dynamic 2492 extents of unbound regions. 
2493 (region_model::can_merge_with_p): Call 2494 m_dynamic_extents.can_merge_with_p. 2495 (region_model::create_region_for_heap_alloc): Assert that 2496 size_in_bytes's type is compatible with size_type_node. Update 2497 for renaming of record_dynamic_extents to set_dynamic_extents. 2498 (region_model::create_region_for_alloca): Likewise. 2499 (region_model::record_dynamic_extents): Rename to... 2500 (region_model::set_dynamic_extents): ...this. Assert that 2501 size_in_bytes's type is compatible with size_type_node. Add it 2502 to the m_dynamic_extents map. 2503 (region_model::get_dynamic_extents): New. 2504 (region_model::unset_dynamic_extents): New. 2505 (selftest::test_state_merging): Fix type of "size". 2506 (selftest::test_malloc_constraints): Likewise. 2507 (selftest::test_malloc): Verify dynamic extents. 2508 (selftest::test_alloca): Likewise. 2509 * region-model.h (region_to_value_map::is_empty): New. 2510 (region_model::dynamic_extents_t): New typedef. 2511 (region_model::impl_call_analyzer_dump_capacity): New decl. 2512 (region_model::get_dynamic_extents): New function. 2513 (region_model::get_dynamic_extents): New decl. 2514 (region_model::set_dynamic_extents): New decl. 2515 (region_model::unset_dynamic_extents): New decl. 2516 (region_model::get_capacity): New decl. 2517 (region_model::record_dynamic_extents): Rename to set_dynamic_extents. 2518 (region_model::m_dynamic_extents): New field. 2519 25202021-06-15 David Malcolm <dmalcolm@redhat.com> 2521 2522 * region-model.cc (region_to_value_map::operator=): New. 2523 (region_to_value_map::operator==): New. 2524 (region_to_value_map::dump_to_pp): New. 2525 (region_to_value_map::dump): New. 2526 (region_to_value_map::can_merge_with_p): New. 2527 * region-model.h (class region_to_value_map): New class. 2528 25292021-06-13 Trevor Saunders <tbsaunde@tbsaunde.org> 2530 2531 * call-string.cc (call_string::call_string): Use range based for 2532 to iterate over vec<>. 2533 (call_string::to_json): Likewise. 
2534 (call_string::hash): Likewise. 2535 (call_string::calc_recursion_depth): Likewise. 2536 * checker-path.cc (checker_path::fixup_locations): Likewise. 2537 * constraint-manager.cc (equiv_class::equiv_class): Likewise. 2538 (equiv_class::to_json): Likewise. 2539 (equiv_class::hash): Likewise. 2540 (constraint_manager::to_json): Likewise. 2541 * engine.cc (impl_region_model_context::on_svalue_leak): 2542 Likewise. 2543 (on_liveness_change): Likewise. 2544 (impl_region_model_context::on_unknown_change): Likewise. 2545 * program-state.cc (sm_state_map::set_state): Likewise. 2546 * region-model.cc (test_canonicalization_4): Likewise. 2547 25482021-06-11 David Malcolm <dmalcolm@redhat.com> 2549 2550 * engine.cc (worklist::key_t::cmp): Move sort by call_string to 2551 before SCC. 2552 25532021-06-09 David Malcolm <dmalcolm@redhat.com> 2554 2555 * region-model.cc (region_model::get_lvalue_1): Make const. 2556 (region_model::get_lvalue): Likewise. 2557 (region_model::get_rvalue_1): Likewise. 2558 (region_model::get_rvalue): Likewise. 2559 (region_model::deref_rvalue): Likewise. 2560 (region_model::get_rvalue_for_bits): Likewise. 2561 * region-model.h (region_model::get_lvalue): Likewise. 2562 (region_model::get_rvalue): Likewise. 2563 (region_model::deref_rvalue): Likewise. 2564 (region_model::get_rvalue_for_bits): Likewise. 2565 (region_model::get_lvalue_1): Likewise. 2566 (region_model::get_rvalue_1): Likewise. 2567 25682021-06-08 David Malcolm <dmalcolm@redhat.com> 2569 2570 PR analyzer/99212 2571 * region-model-manager.cc 2572 (region_model_manager::maybe_fold_binop): Add support for folding 2573 BIT_AND_EXPR of compound_svalue and a mask constant. 2574 * region-model.cc (region_model::get_rvalue_1): Implement 2575 BIT_FIELD_REF in terms of... 2576 (region_model::get_rvalue_for_bits): New function. 2577 * region-model.h (region_model::get_rvalue_for_bits): New decl. 2578 * store.cc (bit_range::from_mask): New function. 
2579 (selftest::test_bit_range_intersects_p): New selftest. 2580 (selftest::assert_bit_range_from_mask_eq): New. 2581 (ASSERT_BIT_RANGE_FROM_MASK_EQ): New macro. 2582 (selftest::assert_no_bit_range_from_mask_eq): New. 2583 (ASSERT_NO_BIT_RANGE_FROM_MASK): New macro. 2584 (selftest::test_bit_range_from_mask): New selftest. 2585 (selftest::analyzer_store_cc_tests): Call the new selftests. 2586 * store.h (bit_range::intersects_p): New. 2587 (bit_range::from_mask): New decl. 2588 (concrete_binding::get_bit_range): New accessor. 2589 (store_manager::get_concrete_binding): New overload taking 2590 const bit_range &. 2591 25922021-06-08 David Malcolm <dmalcolm@redhat.com> 2593 2594 * analyzer.h (int_size_in_bits): New decl. 2595 * region.cc (int_size_in_bits): New function. 2596 (region::get_bit_size): Reimplement in terms of the above. 2597 25982021-06-08 David Malcolm <dmalcolm@redhat.com> 2599 2600 * store.cc (concrete_binding::dump_to_pp): Move bulk of 2601 implementation to... 2602 (bit_range::dump_to_pp): ...this new function. 2603 (bit_range::cmp): New. 2604 (concrete_binding::overlaps_p): Update for use of bit_range. 2605 (concrete_binding::cmp_ptr_ptr): Likewise. 2606 * store.h (struct bit_range): New. 2607 (class concrete_binding): Replace fields m_start_bit_offset and 2608 m_size_in_bits with new field m_bit_range. 2609 26102021-06-08 David Malcolm <dmalcolm@redhat.com> 2611 2612 * svalue.h (conjured_svalue::iterator_t): Delete. 2613 26142021-06-03 David Malcolm <dmalcolm@redhat.com> 2615 2616 * store.h (store::get_direct_binding): Remove unused decl. 2617 (store::get_default_binding): Likewise. 2618 26192021-06-03 David Malcolm <dmalcolm@redhat.com> 2620 2621 * svalue.cc (poisoned_svalue::dump_to_pp): Dump type. 2622 (compound_svalue::dump_to_pp): Dump any type. 2623 26242021-05-18 David Malcolm <dmalcolm@redhat.com> 2625 2626 PR analyzer/100615 2627 * sm-malloc.cc: Include "analyzer/function-set.h". 
2628 (malloc_state_machine::on_stmt): Call unaffected_by_call_p and 2629 bail on the functions it recognizes. 2630 (malloc_state_machine::unaffected_by_call_p): New. 2631 26322021-05-10 Martin Liska <mliska@suse.cz> 2633 2634 * sm-file.cc (is_file_using_fn_p): Use startswith 2635 function instead of strncmp. 2636 26372021-05-10 Martin Liska <mliska@suse.cz> 2638 2639 * program-state.cc (program_state::operator=): Remove 2640 __cplusplus >= 201103. 2641 (program_state::program_state): Likewise. 2642 * program-state.h: Likewise. 2643 * region-model.h (class region_model): Remove dead code. 2644 26452021-04-24 David Malcolm <dmalcolm@redhat.com> 2646 2647 PR analyzer/100244 2648 * sm-malloc.cc (free_of_non_heap::describe_state_change): 2649 Bulletproof against change.m_expr being NULL. 2650 26512021-04-13 David Malcolm <dmalcolm@redhat.com> 2652 2653 PR analyzer/98599 2654 * supergraph.cc (saved_uids::make_uid_unique): New. 2655 (saved_uids::restore_uids): New. 2656 (supergraph::supergraph): Replace assignments to stmt->uid with 2657 calls to m_stmt_uids.make_uid_unique. 2658 (supergraph::~supergraph): New. 2659 * supergraph.h (class saved_uids): New. 2660 (supergraph::~supergraph): New decl. 2661 (supergraph::m_stmt_uids): New field. 2662 26632021-04-10 David Malcolm <dmalcolm@redhat.com> 2664 2665 PR analyzer/100011 2666 * region-model.cc (region_model::on_assignment): Avoid NULL 2667 dereference if ctxt is NULL when assigning from a STRING_CST. 2668 26692021-04-08 David Malcolm <dmalcolm@redhat.com> 2670 2671 PR analyzer/99042 2672 PR analyzer/99774 2673 * engine.cc 2674 (impl_region_model_context::impl_region_model_context): Add 2675 uncertainty param and use it to initialize m_uncertainty. 2676 (impl_region_model_context::get_uncertainty): New. 2677 (impl_sm_context::get_fndecl_for_call): Add NULL for new 2678 uncertainty param when constructing impl_region_model_context. 2679 (impl_sm_context::get_state): Likewise. 
2680 (impl_sm_context::set_next_state): Likewise. 2681 (impl_sm_context::warn): Likewise. 2682 (exploded_node::on_stmt): Add uncertainty param 2683 and use it when constructing impl_region_model_context. 2684 (exploded_node::on_edge): Add uncertainty param and pass 2685 to on_edge call. 2686 (exploded_node::detect_leaks): Create uncertainty_t and pass to 2687 impl_region_model_context. 2688 (exploded_graph::get_or_create_node): Create uncertainty_t and 2689 pass to prune_for_point. 2690 (maybe_process_run_of_before_supernode_enodes): Create 2691 uncertainty_t and pass to impl_region_model_context. 2692 (exploded_graph::process_node): Create uncertainty_t instances and 2693 pass around as needed. 2694 * exploded-graph.h 2695 (impl_region_model_context::impl_region_model_context): Add 2696 uncertainty param. 2697 (impl_region_model_context::get_uncertainty): New decl. 2698 (impl_region_model_context::m_uncertainty): New field. 2699 (exploded_node::on_stmt): Add uncertainty param. 2700 (exploded_node::on_edge): Likewise. 2701 * program-state.cc (sm_state_map::on_liveness_change): Get 2702 uncertainty from context and use it to unset sm-state from 2703 svalues as appropriate. 2704 (program_state::on_edge): Add uncertainty param and use it when 2705 constructing impl_region_model_context. Fix indentation. 2706 (program_state::prune_for_point): Add uncertainty param and use it 2707 when constructing impl_region_model_context. 2708 (program_state::detect_leaks): Get any uncertainty from ctxt and 2709 use it to get maybe-live svalues for dest_state, rather than 2710 definitely-live ones; use this when determining which svalues 2711 have leaked. 2712 (selftest::test_program_state_merging): Create uncertainty_t and 2713 pass to impl_region_model_context. 2714 * program-state.h (program_state::on_edge): Add uncertainty param. 2715 (program_state::prune_for_point): Likewise. 2716 * region-model-impl-calls.cc (call_details::get_uncertainty): New. 
2717 (region_model::impl_call_memcpy): Pass uncertainty to 2718 mark_region_as_unknown call. 2719 (region_model::impl_call_memset): Likewise. 2720 (region_model::impl_call_strcpy): Likewise. 2721 * region-model-reachability.cc (reachable_regions::handle_sval): 2722 Also add sval to m_mutable_svals. 2723 * region-model.cc (region_model::on_assignment): Pass any 2724 uncertainty from ctxt to the store::set_value call. 2725 (region_model::handle_unrecognized_call): Get any uncertainty from 2726 ctxt and use it to record mutable svalues at the unknown call. 2727 (region_model::get_reachable_svalues): Add uncertainty param and 2728 use it to mark any maybe-bound svalues as being reachable. 2729 (region_model::set_value): Pass any uncertainty from ctxt to the 2730 store::set_value call. 2731 (region_model::mark_region_as_unknown): Add uncertainty param and 2732 pass it on to the store::mark_region_as_unknown call. 2733 (region_model::update_for_call_summary): Add uncertainty param and 2734 pass it on to the region_model::mark_region_as_unknown call. 2735 * region-model.h (call_details::get_uncertainty): New decl. 2736 (region_model::get_reachable_svalues): Add uncertainty param. 2737 (region_model::mark_region_as_unknown): Add uncertainty param. 2738 (region_model_context::get_uncertainty): New vfunc. 2739 (noop_region_model_context::get_uncertainty): New vfunc 2740 implementation. 2741 * store.cc (dump_svalue_set): New. 2742 (uncertainty_t::dump_to_pp): New. 2743 (uncertainty_t::dump): New. 2744 (binding_cluster::clobber_region): Pass NULL for uncertainty to 2745 remove_overlapping_bindings. 2746 (binding_cluster::mark_region_as_unknown): Add uncertainty param 2747 and pass it to remove_overlapping_bindings. 2748 (binding_cluster::remove_overlapping_bindings): Add uncertainty param. 2749 Use it to record any svalues that were in clobbered bindings. 2750 (store::set_value): Add uncertainty param. 
Pass it to 2751 binding_cluster::mark_region_as_unknown when handling symbolic 2752 regions. 2753 (store::mark_region_as_unknown): Add uncertainty param and pass it 2754 to binding_cluster::mark_region_as_unknown. 2755 (store::remove_overlapping_bindings): Add uncertainty param and 2756 pass it to binding_cluster::remove_overlapping_bindings. 2757 * store.h (binding_cluster::mark_region_as_unknown): Add 2758 uncertainty param. 2759 (binding_cluster::remove_overlapping_bindings): Likewise. 2760 (store::set_value): Likewise. 2761 (store::mark_region_as_unknown): Likewise. 2762 27632021-04-05 David Malcolm <dmalcolm@redhat.com> 2764 2765 PR analyzer/99906 2766 * analyzer.cc (maybe_reconstruct_from_def_stmt): Fix NULL 2767 dereference on calls with zero arguments. 2768 * sm-malloc.cc (malloc_state_machine::on_stmt): When handling 2769 __attribute__((nonnull)), only call get_diagnostic_tree if the 2770 result will be used. 2771 27722021-04-05 David Malcolm <dmalcolm@redhat.com> 2773 2774 PR analyzer/99886 2775 * diagnostic-manager.cc 2776 (diagnostic_manager::prune_interproc_events): Use signed integers 2777 when subtracting one from path->num_events (). 2778 (diagnostic_manager::consolidate_conditions): Likewise. Convert 2779 next_idx to a signed int. 2780 27812021-04-01 David Malcolm <dmalcolm@redhat.com> 2782 2783 * diagnostic-manager.cc (diagnostic_manager::add_diagnostic): Make 2784 enode param non-constant, and call add_diagnostic on it. Add 2785 enode index to log message. 2786 (diagnostic_manager::add_diagnostic): Make enode param 2787 non-constant. 2788 * diagnostic-manager.h (diagnostic_manager::add_diagnostic): 2789 Likewise for both decls. 2790 * engine.cc 2791 (impl_region_model_context::impl_region_model_context): Likewise 2792 for enode_for_diag. 2793 (impl_sm_context::impl_sm_context): Likewise. 2794 (impl_sm_context::m_enode_for_diag): Likewise. 2795 (exploded_node::dump_dot): Don't pass the diagnostic manager 2796 to dump_saved_diagnostics. 
2797 (exploded_node::dump_saved_diagnostics): Drop param. Iterate 2798 directly through all saved diagnostics for the enode, rather 2799 than all saved diagnostics in the diagnostic_manager and 2800 filtering. 2801 (exploded_node::on_stmt): Make non-const. 2802 (exploded_node::on_edge): Likewise. 2803 (exploded_node::on_longjmp): Likewise. 2804 (exploded_node::detect_leaks): Likewise. 2805 (exploded_graph::get_or_create_node): Make enode_for_diag param 2806 non-const. 2807 (exploded_graph_annotator::print_enode): Iterate 2808 directly through all saved diagnostics for the enode, rather 2809 than all saved diagnostics in the diagnostic_manager and 2810 filtering. 2811 * exploded-graph.h 2812 (impl_region_model_context::impl_region_model_context): Make 2813 enode_for_diag param non-constant. 2814 (impl_region_model_context::m_enode_for_diag): Likewise. 2815 (exploded_node::dump_saved_diagnostics): Drop param. 2816 (exploded_node::on_stmt): Make non-const. 2817 (exploded_node::on_edge): Likewise. 2818 (exploded_node::on_longjmp): Likewise. 2819 (exploded_node::detect_leaks): Likewise. 2820 (exploded_node::add_diagnostic): New. 2821 (exploded_node::get_num_diagnostics): New. 2822 (exploded_node::get_saved_diagnostic): New. 2823 (exploded_node::m_saved_diagnostics): New. 2824 (exploded_graph::get_or_create_node): Make enode_for_diag param 2825 non-constant. 2826 * feasible-graph.cc (feasible_node::dump_dot): Drop 2827 diagnostic_manager from call to dump_saved_diagnostics. 2828 * program-state.cc (program_state::on_edge): Convert enode param 2829 to non-const pointer. 2830 (program_state::prune_for_point): Likewise for enode_for_diag 2831 param. 2832 * program-state.h (program_state::on_edge): Convert enode param 2833 to non-const pointer. 2834 (program_state::prune_for_point): Likewise for enode_for_diag 2835 param. 2836 28372021-03-31 David Malcolm <dmalcolm@redhat.com> 2838 2839 PR analyzer/99771 2840 * analyzer.cc (maybe_reconstruct_from_def_stmt): New. 
	(fixup_tree_for_diagnostic_1): New.
	(fixup_tree_for_diagnostic): New.
	* analyzer.h (fixup_tree_for_diagnostic): New decl.
	* checker-path.cc (call_event::get_desc): Call
	fixup_tree_for_diagnostic and use it for the call_with_state call.
	(warning_event::get_desc): Likewise for the final_event and
	make_label_text calls.
	* engine.cc (impl_region_model_context::on_state_leak): Likewise
	for the on_leak and add_diagnostic calls.
	* region-model.cc (region_model::get_representative_tree):
	Likewise for the result.

2021-03-30  David Malcolm  <dmalcolm@redhat.com>

	* region.h (region::dump_to_pp): Remove old decl.

2021-03-30  David Malcolm  <dmalcolm@redhat.com>

	* sm-file.cc (fileptr_state_machine::on_stmt): Only call
	get_diagnostic_tree if the result will be used.
	* sm-malloc.cc (malloc_state_machine::on_stmt): Likewise.
	(malloc_state_machine::on_deallocator_call): Likewise.
	(malloc_state_machine::on_realloc_call): Likewise.
	(malloc_state_machine::on_realloc_call): Likewise.
	* sm-sensitive.cc
	(sensitive_state_machine::warn_for_any_exposure): Likewise.
	* sm-taint.cc (taint_state_machine::on_stmt): Likewise.

2021-03-25  David Malcolm  <dmalcolm@redhat.com>

	PR analyzer/93695
	PR analyzer/99044
	PR analyzer/99716
	* engine.cc (exploded_node::on_stmt): Clear sm-state involving
	an SSA name at the def-stmt of that SSA name.
	* program-state.cc (sm_state_map::purge_state_involving): New.
	* program-state.h (sm_state_map::purge_state_involving): New decl.
	* region-model.cc (selftest::test_involves_p): New.
	(selftest::analyzer_region_model_cc_tests): Call it.
	* svalue.cc (class involvement_visitor): New class.
	(svalue::involves_p): New.
	* svalue.h (svalue::involves_p): New decl.

2021-03-19  David Malcolm  <dmalcolm@redhat.com>

	PR analyzer/99614
	* diagnostic-manager.cc (class epath_finder): Add
	DISABLE_COPY_AND_ASSIGN.

2021-03-15  Martin Liska  <mliska@suse.cz>

	* sm-file.cc (get_file_using_fns): Add missing comma in initializer.

2021-03-11  David Malcolm  <dmalcolm@redhat.com>

	PR analyzer/96374
	* analyzer.opt (-param=analyzer-max-infeasible-edges=): New param.
	(fdump-analyzer-feasibility): New flag.
	* diagnostic-manager.cc: Include "analyzer/trimmed-graph.h" and
	"analyzer/feasible-graph.h".
	(epath_finder::epath_finder): Convert m_sep to a pointer and
	only create it if !flag_analyzer_feasibility.
	(epath_finder::~epath_finder): New.
	(epath_finder::m_sep): Convert to a pointer.
	(epath_finder::get_best_epath): Add param "diag_idx" and use it
	when logging. Rather than finding the shortest path and then
	checking feasibility, instead use explore_feasible_paths unless
	!flag_analyzer_feasibility, in which case simply use the shortest
	path, and note if it is infeasible. Update for m_sep becoming a
	pointer.
	(class feasible_worklist): New.
	(epath_finder::explore_feasible_paths): New.
	(epath_finder::process_worklist_item): New.
	(class dump_eg_with_shortest_path): New.
	(epath_finder::dump_trimmed_graph): New.
	(epath_finder::dump_feasible_graph): New.
	(saved_diagnostic::saved_diagnostic): Add "idx" param, using it
	on new field m_idx.
	(saved_diagnostic::to_json): Dump m_idx.
	(saved_diagnostic::calc_best_epath): Pass m_idx to get_best_epath.
	Remove assertion that m_problem was set when m_best_epath is NULL.
	(diagnostic_manager::add_diagnostic): Pass an index when creating
	saved_diagnostic instances.
	* diagnostic-manager.h (saved_diagnostic::saved_diagnostic): Add
	"idx" param.
	(saved_diagnostic::get_index): New accessor.
	(saved_diagnostic::m_idx): New field.
	* engine.cc (exploded_node::dump_dot): Call args.dump_extra_info.
	Move code to...
	(exploded_node::dump_processed_stmts): ...this new function and...
	(exploded_node::dump_saved_diagnostics): ...this new function.
	Add index of each diagnostic.
	(exploded_edge::dump_dot): Move bulk of code to...
	(exploded_edge::dump_dot_label): ...this new function.
	* exploded-graph.h (eg_traits::dump_args_t::dump_extra_info): New
	vfunc.
	(exploded_node::dump_processed_stmts): New decl.
	(exploded_node::dump_saved_diagnostics): New decl.
	(exploded_edge::dump_dot_label): New decl.
	* feasible-graph.cc: New file.
	* feasible-graph.h: New file.
	* trimmed-graph.cc: New file.
	* trimmed-graph.h: New file.

2021-03-11  David Malcolm  <dmalcolm@redhat.com>

	* diagnostic-manager.cc (epath_finder::epath_finder):
	Update shortest_paths init for new param.

2021-03-10  David Malcolm  <dmalcolm@redhat.com>

	PR analyzer/96374
	* engine.cc (exploded_path::feasible_p): Move "snodes_visited" and
	"model" locals into a new class feasibility_state. Move heart
	of per-edge processing into
	feasibility_state::maybe_update_for_edge.
	(feasibility_state::feasibility_state): New.
	(feasibility_state::maybe_update_for_edge): New, based on loop
	body in exploded_path::feasible_p.
	* exploded-graph.h (class feasibility_state): New.

2021-03-10  David Malcolm  <dmalcolm@redhat.com>

	* supergraph.h
	(callgraph_superedge::dyn_cast_callgraph_superedge): New.
	(call_superedge::dyn_cast_callgraph_superedge): Delete.
	(return_superedge::dyn_cast_callgraph_superedge): Delete.

2021-03-02  Martin Liska  <mliska@suse.cz>

	* diagnostic-manager.cc (diagnostic_manager::emit_saved_diagnostics):
	Do not pass engine.

2021-02-26  David Malcolm  <dmalcolm@redhat.com>

	* engine.cc (exploded_path::exploded_path): New copy-ctor.
	* exploded-graph.h (exploded_path::operator=): Drop decl.

2021-02-26  David Malcolm  <dmalcolm@redhat.com>

	PR analyzer/96374
	* diagnostic-manager.cc (class epath_finder): New.
	(epath_finder::get_best_epath): New.
	(saved_diagnostic::saved_diagnostic): Update for replacement of
	m_state and m_epath_length with m_best_epath.
	(saved_diagnostic::~saved_diagnostic): Delete m_best_epath.
	(saved_diagnostic::to_json): Update "path_length" to be optional.
	(saved_diagnostic::calc_best_epath): New, based on
	dedupe_winners::add and parts of dedupe_key::dedupe_key.
	(saved_diagnostic::get_epath_length): New.
	(saved_diagnostic::add_duplicate): New.
	(dedupe_key::dedupe_key): Drop epath param. Move invocation of
	stmt_finder to saved_diagnostic::calc_best_epath.
	(class dedupe_candidate): Delete.
	(class dedupe_hash_map_traits): Update to use saved_diagnostic *
	rather than dedupe_candidate * as the value_type/compare_type.
	(dedupe_winners::~dedupe_winners): Don't delete the values.
	(dedupe_winners::add): Convert param from shortest_exploded_paths to
	epath_finder. Drop "eg" param. Drop dedupe_candidate, moving
	path generation and feasibility checking to
	epath_finder::get_best_epath. Update winner-selection for move
	of epaths from dedupe_candidate to saved_diagnostic.
	(dedupe_winners::emit_best): Update for removal of class
	dedupe_candidate.
	(dedupe_winners::map_t): Update to use saved_diagnostic * rather
	than dedupe_candidate * as the value_type/compare_type.
	(diagnostic_manager::emit_saved_diagnostics): Move
	shortest_exploded_paths instance into epath_finder and pass that
	around instead.
	(diagnostic_manager::emit_saved_diagnostic): Drop epath, stmt
	and num_dupes params, instead getting these from the
	saved_diagnostic. Use correct location in inform_n call.
	* diagnostic-manager.h (class epath_finder): New forward decl.
	(saved_diagnostic::status): Drop enum.
	(saved_diagnostic::set_feasible): Drop.
	(saved_diagnostic::set_infeasible): Drop.
	(saved_diagnostic::get_status): Drop.
	(saved_diagnostic::calc_best_epath): New decl.
	(saved_diagnostic::get_best_epath): New decl.
	(saved_diagnostic::get_epath_length): New decl.
	(saved_diagnostic::set_epath_length): Drop.
	(saved_diagnostic::get_epath_length): Drop inline implementation.
	(saved_diagnostic::add_duplicate): New.
	(saved_diagnostic::get_num_dupes): New.
	(saved_diagnostic::m_d): Document ownership.
	(saved_diagnostic::m_trailing_eedge): Make const.
	(saved_diagnostic::m_status): Drop field.
	(saved_diagnostic::m_epath_length): Drop field.
	(saved_diagnostic::m_best_epath): New field.
	(saved_diagnostic::m_problem): Document ownership.
	(saved_diagnostic::m_duplicates): New field.
	(diagnostic_manager::emit_saved_diagnostic): Drop params epath,
	stmt, and num_dupes.
	* engine.cc (exploded_graph_annotator::print_saved_diagnostic):
	Update for changes to saved_diagnostic class.
	* exploded-graph.h (exploded_path::feasible_p): Drop unused
	overloaded decl.

2021-02-25  David Malcolm  <dmalcolm@redhat.com>

	PR analyzer/99193
	* region-model-impl-calls.cc (region_model::impl_call_realloc): New.
	* region-model.cc (region_model::on_call_pre): Call it.
	* region-model.h (region_model::impl_call_realloc): New decl.
	* sm-malloc.cc (enum wording): Add WORDING_REALLOCATED.
	(malloc_state_machine::m_realloc): New field.
	(use_after_free::describe_state_change): Add case for
	WORDING_REALLOCATED.
	(use_after_free::describe_final_event): Likewise.
	(malloc_state_machine::malloc_state_machine): Initialize
	m_realloc.
	(malloc_state_machine::on_stmt): Handle realloc by calling...
	(malloc_state_machine::on_realloc_call): New.

2021-02-22  David Malcolm  <dmalcolm@redhat.com>

	PR analyzer/99196
	* engine.cc (exploded_node::on_stmt): Provide terminate_path
	flag as a way for on_call_pre to terminate the current analysis
	path.
	* region-model-impl-calls.cc (call_details::num_args): New.
	(region_model::impl_call_error): New.
	* region-model.cc (region_model::on_call_pre): Add param
	"out_terminate_path". Handle "error" and "error_at_line".
	* region-model.h (call_details::num_args): New decl.
	(region_model::on_call_pre): Add param "out_terminate_path".
	(region_model::impl_call_error): New decl.

2021-02-17  David Malcolm  <dmalcolm@redhat.com>

	PR analyzer/98969
	* constraint-manager.cc (dead_svalue_purger::should_purge_p):
	Update for change to svalue::live_p.
	* program-state.cc (sm_state_map::on_liveness_change): Likewise.
	(program_state::detect_leaks): Likewise.
	* region-model-reachability.cc (reachable_regions::init_cluster):
	When dealing with a symbolic region, if the underlying pointer is
	implicitly live, add the region to the reachable regions.
	* region-model.cc (region_model::compare_initial_and_pointer):
	Move logic for detecting initial values of params to
	initial_svalue::initial_value_of_param_p.
	* svalue.cc (svalue::live_p): Convert "live_svalues" from a
	reference to a pointer; support it being NULL.
	(svalue::implicitly_live_p): Convert first param from a
	reference to a pointer.
	(region_svalue::implicitly_live_p): Likewise.
	(constant_svalue::implicitly_live_p): Likewise.
	(initial_svalue::implicitly_live_p): Likewise. Treat the initial
	values of params for the top level frame as still live.
	(initial_svalue::initial_value_of_param_p): New function, taken
	from a test in region_model::compare_initial_and_pointer.
	(unaryop_svalue::implicitly_live_p): Convert first param from a
	reference to a pointer.
	(binop_svalue::implicitly_live_p): Likewise.
	(sub_svalue::implicitly_live_p): Likewise.
	(unmergeable_svalue::implicitly_live_p): Likewise.
	* svalue.h (svalue::live_p): Likewise.
	(svalue::implicitly_live_p): Likewise.
	(region_svalue::implicitly_live_p): Likewise.
	(constant_svalue::implicitly_live_p): Likewise.
	(initial_svalue::implicitly_live_p): Likewise.
	(initial_svalue::initial_value_of_param_p): New decl.
	(unaryop_svalue::implicitly_live_p): Convert first param from a
	reference to a pointer.
	(binop_svalue::implicitly_live_p): Likewise.
	(sub_svalue::implicitly_live_p): Likewise.
	(unmergeable_svalue::implicitly_live_p): Likewise.

2021-02-12  David Malcolm  <dmalcolm@redhat.com>

	PR analyzer/98969
	* engine.cc (readability): Add names for the various arbitrary
	values. Handle NOP_EXPR and INTEGER_CST.
	(readability_comparator): Combine the readability tests for
	tree and stack depth, rather than performing them sequentially.
	(impl_region_model_context::on_state_leak): Strip off top-level
	casts.
	* region-model.cc (region_model::get_representative_path_var): Add
	type-checking, moving the bulk of the implementation to...
	(region_model::get_representative_path_var_1): ...here. Respect
	types in casts by recursing and re-adding the cast, rather than
	merely stripping them off. Use the correct type when handling
	region_svalue.
	(region_model::get_representative_tree): Strip off any top-level
	cast.
	(region_model::get_representative_path_var): Add type-checking,
	moving the bulk of the implementation to...
	(region_model::get_representative_path_var_1): ...here.
	* region-model.h (region_model::get_representative_path_var_1):
	New decl.
	(region_model::get_representative_path_var_1): New decl.
	* store.cc (append_pathvar_with_type): New.
	(binding_cluster::get_representative_path_vars): Cast path_vars
	to the correct type when adding them to *OUT_PVS.

2021-02-09  David Malcolm  <dmalcolm@redhat.com>

	PR analyzer/98575
	* sm-file.cc (is_file_using_fn_p): Support "_IO_"-prefixed
	variants.

2021-02-09  David Malcolm  <dmalcolm@redhat.com>

	PR analyzer/98575
	* store.cc (store::set_value): Treat a pointer written to *UNKNOWN
	as having escaped.

2021-02-02  David Malcolm  <dmalcolm@redhat.com>

	PR analyzer/93355
	PR analyzer/96374
	* engine.cc (toplevel_function_p): Simplify so that
	we only reject functions with a "__analyzer_" prefix.
	(add_any_callbacks): Delete.
	(exploded_graph::build_initial_worklist): Update for
	dropped param of toplevel_function_p.
	(exploded_graph::build_initial_worklist): Don't bother
	looking for callbacks that are reachable from global
	initializers.

2021-02-01  David Malcolm  <dmalcolm@redhat.com>

	PR analyzer/98918
	* region-model-manager.cc
	(region_model_manager::get_or_create_initial_value):
	Fold the initial value of *UNKNOWN_PTR to an UNKNOWN value.
	(region_model_manager::get_field_region): Fold the value
	of UNKNOWN_PTR->FIELD to *UNKNOWN_PTR_OF_&FIELD_TYPE.

2021-01-29  David Malcolm  <dmalcolm@redhat.com>

	* checker-path.cc (event_kind_to_string): Handle
	EK_START_CONSOLIDATED_CFG_EDGES and
	EK_END_CONSOLIDATED_CFG_EDGES.
	(start_consolidated_cfg_edges_event::get_desc): New.
	(checker_path::cfg_edge_pair_at_p): New.
	* checker-path.h (enum event_kind): Add
	EK_START_CONSOLIDATED_CFG_EDGES and
	EK_END_CONSOLIDATED_CFG_EDGES.
	(class start_consolidated_cfg_edges_event): New class.
	(class end_consolidated_cfg_edges_event): New class.
	(checker_path::delete_events): New.
	(checker_path::replace_event): New.
	(checker_path::cfg_edge_pair_at_p): New decl.
	* diagnostic-manager.cc (diagnostic_manager::prune_path): Call
	consolidate_conditions.
	(same_line_as_p): New.
	(diagnostic_manager::consolidate_conditions): New.
	* diagnostic-manager.h
	(diagnostic_manager::consolidate_conditions): New decl.

2021-01-18  David Malcolm  <dmalcolm@redhat.com>

	* analyzer.h (is_std_named_call_p): New decl.
	* diagnostic-manager.cc (path_builder::get_sm): New.
	(state_change_event_creator::state_change_event_creator): Add "pb"
	param.
	(state_change_event_creator::on_global_state_change): Don't consider
	state changes affecting other state_machines.
	(state_change_event_creator::on_state_change): Likewise.
	(state_change_event_creator::m_pb): New field.
	(diagnostic_manager::add_events_for_eedge): Pass pb to visitor
	ctor.
	* region-model-impl-calls.cc
	(region_model::impl_deallocation_call): New.
	* region-model.cc: Include "attribs.h".
	(region_model::on_call_post): Handle fndecls referenced by
	__attribute__((deallocated_by(FOO))).
	* region-model.h (region_model::impl_deallocation_call): New decl.
	* sm-malloc.cc: Include "stringpool.h" and "attribs.h". Add
	leading comment.
	(class api): Delete.
	(enum resource_state): Update comment for change from api to
	deallocator and deallocator_set.
	(allocation_state::allocation_state): Drop api param. Add
	"deallocators" and "deallocator".
	(allocation_state::m_api): Drop field in favor of...
	(allocation_state::m_deallocators): New field.
	(allocation_state::m_deallocator): New field.
	(enum wording): Add WORDING_DEALLOCATED.
	(struct deallocator): New.
	(struct standard_deallocator): New.
	(struct custom_deallocator): New.
	(struct deallocator_set): New.
	(struct custom_deallocator_set): New.
	(struct standard_deallocator_set): New.
	(struct deallocator_set_map_traits): New.
	(malloc_state_machine::m_malloc): Drop field.
	(malloc_state_machine::m_scalar_new): Likewise.
	(malloc_state_machine::m_vector_new): Likewise.
	(malloc_state_machine::m_free): New field.
	(malloc_state_machine::m_scalar_delete): Likewise.
	(malloc_state_machine::m_vector_delete): Likewise.
	(malloc_state_machine::deallocator_map_t): New typedef.
	(malloc_state_machine::m_deallocator_map): New field.
	(malloc_state_machine::deallocator_set_cache_t): New typedef.
	(malloc_state_machine::m_custom_deallocator_set_cache): New field.
	(malloc_state_machine::custom_deallocator_set_map_t): New typedef.
	(malloc_state_machine::m_custom_deallocator_set_map): New field.
	(malloc_state_machine::m_dynamic_sets): New field.
	(malloc_state_machine::m_dynamic_deallocators): New field.
	(api::api): Delete.
	(deallocator::deallocator): New ctor.
	(deallocator::hash): New.
	(deallocator::dump_to_pp): New.
	(deallocator::cmp): New.
	(deallocator::cmp_ptr_ptr): New.
	(standard_deallocator::standard_deallocator): New ctor.
	(deallocator_set::deallocator_set): New ctor.
	(deallocator_set::dump): New.
	(custom_deallocator_set::custom_deallocator_set): New ctor.
	(custom_deallocator_set::contains_p): New.
	(custom_deallocator_set::maybe_get_single): New.
	(custom_deallocator_set::dump_to_pp): New.
	(standard_deallocator_set::standard_deallocator_set): New ctor.
	(standard_deallocator_set::contains_p): New.
	(standard_deallocator_set::maybe_get_single): New.
	(standard_deallocator_set::dump_to_pp): New.
	(start_p): New.
	(class mismatching_deallocation): Update for conversion from api
	to deallocator_set and deallocator.
	(double_free::emit): Use %qs.
	(class use_after_free): Update for conversion from api to
	deallocator_set and deallocator.
	(malloc_leak::describe_state_change): Only emit "allocated here" on
	a start->nonnull transition, rather than on other transitions to
	nonnull.
	(allocation_state::dump_to_pp): Update for conversion from api to
	deallocator_set.
	(allocation_state::get_nonnull): Likewise.
	(malloc_state_machine::malloc_state_machine): Likewise.
	(malloc_state_machine::~malloc_state_machine): New.
	(malloc_state_machine::add_state): Update for conversion from api
	to deallocator_set.
	(malloc_state_machine::get_or_create_custom_deallocator_set): New.
	(malloc_state_machine::maybe_create_custom_deallocator_set): New.
	(malloc_state_machine::get_or_create_deallocator): New.
	(malloc_state_machine::on_stmt): Update for conversion from api
	to deallocator_set. Handle "__attribute__((malloc(FOO)))", and
	the special attribute set on FOO.
	(malloc_state_machine::on_allocator_call): Update for conversion
	from api to deallocator_set. Add "returns_nonnull" param and use
	it to affect which state to transition to.
	(malloc_state_machine::on_deallocator_call): Update for conversion
	from api to deallocator_set.

2021-01-14  David Malcolm  <dmalcolm@redhat.com>

	* engine.cc (strongly_connected_components::to_json): New.
	(worklist::to_json): New.
	(exploded_graph::to_json): JSON-ify the worklist.
	* exploded-graph.h (strongly_connected_components::to_json): New
	decl.
	(worklist::to_json): New decl.
	* store.cc (store::to_json): Fix comment.
	* supergraph.cc (supernode::to_json): Fix reference to
	"returning_call" in comment. Add optional "fun" to JSON.
	(edge_kind_to_string): New.
	(superedge::to_json): Add "kind" to JSON.

2021-01-14  David Malcolm  <dmalcolm@redhat.com>

	PR analyzer/98679
	* analyzer.h (region_offset::operator==): Make const.
	* pending-diagnostic.h (pending_diagnostic::equal_p): Likewise.
	* store.h (binding_cluster::for_each_value): Likewise.
	(binding_cluster::for_each_binding): Likewise.

2021-01-12  David Malcolm  <dmalcolm@redhat.com>

	PR analyzer/98628
	* store.cc (binding_cluster::make_unknown_relative_to): Don't mark
	dereferenced unknown pointers as having escaped.

2021-01-07  David Malcolm  <dmalcolm@redhat.com>

	PR analyzer/98580
	* region.cc (decl_region::get_svalue_for_initializer): Gracefully
	handle when LTO writes out DECL_INITIAL as error_mark_node.

2021-01-07  David Malcolm  <dmalcolm@redhat.com>

	PR analyzer/97074
	* store.cc (binding_cluster::can_merge_p): Add "out_store" param
	and pass to calls to binding_cluster::make_unknown_relative_to.
	(binding_cluster::make_unknown_relative_to): Add "out_store"
	param. Use it to mark base regions that are pointed to by
	pointers that become unknown as having escaped.
	(store::can_merge_p): Pass out_store to
	binding_cluster::can_merge_p.
	* store.h (binding_cluster::can_merge_p): Add "out_store" param.
	(binding_cluster::make_unknown_relative_to): Likewise.
	* svalue.cc (region_svalue::implicitly_live_p): New vfunc.
	* svalue.h (region_svalue::implicitly_live_p): New vfunc decl.

2021-01-07  David Malcolm  <dmalcolm@redhat.com>

	PR analyzer/98564
	* engine.cc (exploded_path::feasible_p): Add missing call to
	bitmap_clear.

2021-01-06  David Malcolm  <dmalcolm@redhat.com>

	PR analyzer/97072
	* region-model-reachability.cc (reachable_regions::init_cluster):
	Convert symbolic region handling to a switch statement. Add cases
	to handle SK_UNKNOWN and SK_CONJURED.

2021-01-05  David Malcolm  <dmalcolm@redhat.com>

	PR analyzer/98293
	* store.cc (binding_map::apply_ctor_to_region): When "index" is
	NULL, iterate through the fields for RECORD_TYPEs, rather than
	creating an INTEGER_CST index.

2020-11-30  David Malcolm  <dmalcolm@redhat.com>

	* analyzer-pass.cc: Include "analyzer/analyzer.h" for the
	declaration of sorry_no_analyzer; include "tree.h" and
	"function.h" as these are needed by it.

2020-11-30  David Malcolm  <dmalcolm@redhat.com>

	* analyzer-pass.cc (pass_analyzer::execute): Move sorry call to...
	(sorry_no_analyzer): New.
	* analyzer.h (class state_machine): New forward decl.
	(class logger): New forward decl.
	(class plugin_analyzer_init_iface): New.
	(sorry_no_analyzer): New decl.
	* checker-path.cc (checker_path::fixup_locations): New.
	* checker-path.h (checker_event::set_location): New.
	(checker_path::fixup_locations): New decl.
	* diagnostic-manager.cc
	(diagnostic_manager::emit_saved_diagnostic): Call
	checker_path::fixup_locations, and call fixup_location
	on the primary location.
	* engine.cc: Include "plugin.h".
	(class plugin_analyzer_init_impl): New.
	(impl_run_checkers): Invoke PLUGIN_ANALYZER_INIT callbacks.
	* pending-diagnostic.h (pending_diagnostic::fixup_location): New
	vfunc.

2020-11-18  David Malcolm  <dmalcolm@redhat.com>

	PR analyzer/97893
	* sm-malloc.cc (null_deref::emit): Use CWE-476 rather than
	CWE-690, as this isn't due to an unchecked return value.
	(null_arg::emit): Likewise.

2020-11-12  David Malcolm  <dmalcolm@redhat.com>

	* checker-path.h (checker_event::get_id_ptr): New.
	* diagnostic-manager.cc (path_builder::path_builder): Add "sd"
	param and use it to initialize new field "m_sd".
	(path_builder::get_pending_diagnostic): New.
	(path_builder::m_sd): New field.
	(diagnostic_manager::emit_saved_diagnostic): Pass sd to
	path_builder ctor.
	(diagnostic_manager::add_events_for_superedge): Call new
	maybe_add_custom_events_for_superedge vfunc.
	* engine.cc (stale_jmp_buf::stale_jmp_buf): Add "setjmp_point"
	param and use it to initialize new field "m_setjmp_point".
	Initialize new field "m_stack_pop_event".
	(stale_jmp_buf::maybe_add_custom_events_for_superedge): New vfunc
	implementation.
	(stale_jmp_buf::describe_final_event): New vfunc implementation.
	(stale_jmp_buf::m_setjmp_point): New field.
	(stale_jmp_buf::m_stack_pop_event): New field.
	(exploded_node::on_longjmp): Pass setjmp_point to stale_jmp_buf
	ctor.
	* pending-diagnostic.h
	(pending_diagnostic::maybe_add_custom_events_for_superedge): New
	vfunc.

2020-11-12  David Malcolm  <dmalcolm@redhat.com>

	PR tree-optimization/97424
	* analyzer.opt (Wanalyzer-shift-count-negative): New.
	(Wanalyzer-shift-count-overflow): New.
	* region-model.cc (class shift_count_negative_diagnostic): New.
	(class shift_count_overflow_diagnostic): New.
	(region_model::get_gassign_result): Complain about shift counts that
	are negative or are >= the operand's type's width.

2020-11-10  Martin Liska  <mliska@suse.cz>

	* constraint-manager.cc (constraint_manager::merge): Remove
	unused code.
	* constraint-manager.h: Likewise.
	* program-state.cc (sm_state_map::sm_state_map): Likewise.
	(program_state::program_state): Likewise.
	(test_sm_state_map): Likewise.
	* program-state.h: Likewise.
	* region-model-reachability.cc (reachable_regions::reachable_regions): Likewise.
	* region-model-reachability.h: Likewise.
	* region-model.cc (region_model::handle_unrecognized_call): Likewise.
	(region_model::get_reachable_svalues): Likewise.
	(region_model::can_merge_with_p): Likewise.

2020-11-05  David Malcolm  <dmalcolm@redhat.com>

	PR analyzer/97668
	* svalue.cc (cmp_cst): Handle COMPLEX_CST.

2020-10-29  David Malcolm  <dmalcolm@redhat.com>

	* program-state.cc (sm_state_map::on_liveness_change): Sort the
	leaking svalues before calling on_state_leak.
	(program_state::detect_leaks): Likewise when calling
	on_svalue_leak.
	* region-model-reachability.cc
	(reachable_regions::mark_escaped_clusters): Likewise when
	calling on_escaped_function.

2020-10-29  David Malcolm  <dmalcolm@redhat.com>

	PR analyzer/97608
	* region-model-reachability.cc (reachable_regions::handle_sval):
	Operands of reachable reversible operations are reachable.

2020-10-29  David Malcolm  <dmalcolm@redhat.com>

	* analyzer.h (class state_machine): New forward decl.
	(class logger): Likewise.
	(class visitor): Likewise.
	* complexity.cc: New file, taken from svalue.cc.
	* complexity.h: New file, taken from region-model.h.
	* region-model.h: Include "analyzer/svalue.h" and
	"analyzer/region.h". Move struct complexity to complexity.h.
	Move svalue, its subclasses and supporting decls to svalue.h.
	Move region, its subclasses and supporting decls to region.h.
	* region.cc: Include "analyzer/region.h".
	(symbolic_region::symbolic_region): Move here from region-model.h.
	* region.h: New file, based on material from region-model.h.
	* svalue.cc: Include "analyzer/svalue.h".
	(complexity::complexity): Move to complexity.cc.
	(complexity::from_pair): Likewise.
	* svalue.h: New file, based on material from region-model.h.

2020-10-29  David Malcolm  <dmalcolm@redhat.com>

	* program-state.cc (sm_state_map::print): Guard the printing of
	the origin pointer with !flag_dump_noaddr.
	* region.cc (string_region::dump_to_pp): Likewise for
	m_string_cst.

2020-10-27  David Malcolm  <dmalcolm@redhat.com>

	PR analyzer/97568
	* region-model.cc (region_model::get_initial_value_for_global):
	Move check that !DECL_EXTERNAL from here to...
	* region.cc (decl_region::get_svalue_for_initializer): ...here,
	using it to reject zero initialization.

2020-10-27  Markus Böck  <markus.boeck02@gmail.com>

	PR analyzer/96608
	* store.h (hash): Cast to intptr_t instead of long.

2020-10-27  David Malcolm  <dmalcolm@redhat.com>

	* constraint-manager.cc (svalue_cmp_by_ptr): Delete.
	(equiv_class::canonicalize): Use svalue::cmp_ptr_ptr instead.
	(equiv_class_cmp): Eliminate pointer comparison.
	* diagnostic-manager.cc (dedupe_key::comparator): If they are at
	the same location, also compare epath length and pending_diagnostic
	kind.
	* engine.cc (readability_comparator): If two path_vars have the
	same readability, then impose an arbitrary ordering on them.
	(worklist::key_t::cmp): If two points have the same plan ordering,
	continue the comparison. Call sm_state_map::cmp rather than
	comparing hash values.
	* program-state.cc (sm_state_map::entry_t::cmp): New.
	(sm_state_map::cmp): New.
	* program-state.h (sm_state_map::entry_t::cmp): New decl.
	(sm_state_map::elements): New.
	(sm_state_map::cmp): New.

2020-10-27  David Malcolm  <dmalcolm@redhat.com>

	* engine.cc (setjmp_record::cmp): New.
	(supernode_cluster::dump_dot): Avoid embedding pointer in cluster
	name.
	(supernode_cluster::cmp_ptr_ptr): New.
	(function_call_string_cluster::dump_dot): Avoid embedding pointer
	in cluster name. Sort m_map when dumping child clusters.
	(function_call_string_cluster::cmp_ptr_ptr): New.
	(root_cluster::dump_dot): Sort m_map when dumping child clusters.
	* program-point.cc (function_point::cmp): New.
	(function_point::cmp_ptr): New.
	* program-point.h (function_point::cmp): New decl.
	(function_point::cmp_ptr): New decl.
	* program-state.cc (sm_state_map::print): Sort the values. Guard
	the printing of pointers with !flag_dump_noaddr.
	(program_state::prune_for_point): Sort the regions.
	(log_set_of_svalues): Sort the values. Guard the printing of
	pointers with !flag_dump_noaddr.
	* region-model-manager.cc (log_uniq_map): Sort the values.
	* region-model-reachability.cc (dump_set): New function template.
	(reachable_regions::dump_to_pp): Use it.
	* region-model.h (svalue::cmp_ptr): New decl.
	(svalue::cmp_ptr_ptr): New decl.
	(setjmp_record::cmp): New decl.
	(placeholder_svalue::get_name): New accessor.
	(widening_svalue::get_point): New accessor.
	(compound_svalue::get_map): New accessor.
	(conjured_svalue::get_stmt): New accessor.
	(conjured_svalue::get_id_region): New accessor.
	(region::cmp_ptrs): Rename to...
	(region::cmp_ptr_ptr): ...this.
	* region.cc (region::cmp_ptrs): Rename to...
	(region::cmp_ptr_ptr): ...this.
	* state-purge.cc
	(state_purge_per_ssa_name::state_purge_per_ssa_name): Sort
	m_points_needing_name when dumping.
	* store.cc (concrete_binding::cmp_ptr_ptr): New.
	(symbolic_binding::cmp_ptr_ptr): New.
	(binding_map::cmp): New.
	(get_sorted_parent_regions): Update for renaming of
	region::cmp_ptrs to region::cmp_ptr_ptr.
	(store::dump_to_pp): Likewise.
	(store::to_json): Likewise.
	(store::can_merge_p): Sort the base regions before considering
	them.
	* store.h (concrete_binding::cmp_ptr_ptr): New decl.
	(symbolic_binding::cmp_ptr_ptr): New decl.
	(binding_map::cmp): New decl.
	* supergraph.cc (supergraph::supergraph): Assign UIDs to the
	gimple stmts.
	* svalue.cc (cmp_cst): New.
	(svalue::cmp_ptr): New.
	(svalue::cmp_ptr_ptr): New.

2020-10-27  David Malcolm  <dmalcolm@redhat.com>

	* engine.cc (exploded_graph::get_or_create_node): Fix off-by-one
	when imposing param_analyzer_max_enodes_per_program_point limit.

2020-10-27  David Malcolm  <dmalcolm@redhat.com>

	* region-model.cc (region_model::get_representative_path_var):
	Implement case RK_LABEL.
	* region-model.h (label_region::get_label): New accessor.

2020-10-22  David Malcolm  <dmalcolm@redhat.com>

	PR analyzer/97514
	* engine.cc (exploded_graph::add_function_entry): Handle failure
	to create an enode, rather than asserting.

2020-10-22  David Malcolm  <dmalcolm@redhat.com>

	PR analyzer/97489
	* engine.cc (exploded_graph::add_function_entry): Assert that we
	have a function body.
	(exploded_graph::on_escaped_function): Reject fndecls that don't
	have a function body.

2020-10-14  David Malcolm  <dmalcolm@redhat.com>

	PR analyzer/93388
	* region-model.cc (region_model::get_initial_value_for_global):
	Fall back to returning an initial_svalue if
	decl_region::get_svalue_for_initializer fails.
	* region.cc (decl_region::get_svalue_for_initializer): Don't
	attempt to create a compound_svalue if the region has an unknown
	size.

2020-10-14  David Malcolm  <dmalcolm@redhat.com>

	PR analyzer/93723
	* store.cc (binding_map::apply_ctor_to_region): Remove redundant
	assertion.

2020-10-12  David Malcolm  <dmalcolm@redhat.com>

	PR analyzer/97258
	* engine.cc (impl_region_model_context::on_escaped_function): New
	vfunc.
	(exploded_graph::add_function_entry): Use m_functions_with_enodes
	to implement idempotency.
	(add_any_callbacks): New.
	(exploded_graph::build_initial_worklist): Use the above to find
	callbacks that are reachable from global initializers.
	(exploded_graph::on_escaped_function): New.
	* exploded-graph.h
	(impl_region_model_context::on_escaped_function): New decl.
	(exploded_graph::on_escaped_function): New decl.
	(exploded_graph::m_functions_with_enodes): New field.
	* region-model-reachability.cc
	(reachable_regions::reachable_regions): Replace "store" param with
	"model" param; use it to initialize m_model.
	(reachable_regions::add): When getting the svalue for the region,
	call get_store_value on the model rather than using an initial
	value.
	(reachable_regions::mark_escaped_clusters): Add ctxt param and
	use it to call on_escaped_function when a function_region escapes.
	* region-model-reachability.h
	(reachable_regions::reachable_regions): Replace "store" param with
	"model" param.
	(reachable_regions::mark_escaped_clusters): Add ctxt param.
	(reachable_regions::m_model): New field.
	* region-model.cc (region_model::handle_unrecognized_call): Update
	for change in reachable_regions ctor.
	(region_model::handle_unrecognized_call): Pass ctxt to
	mark_escaped_clusters.
	(region_model::get_reachable_svalues): Update for change in
	reachable_regions ctor.
	(region_model::get_initial_value_for_global): Read-only variables
	keep their initial values.
	* region-model.h (region_model_context::on_escaped_function): New
	vfunc.
	(noop_region_model_context::on_escaped_function): New.

2020-10-12  David Malcolm  <dmalcolm@redhat.com>

	* analyzer.opt (Wanalyzer-write-to-const): New.
	(Wanalyzer-write-to-string-literal): New.
	* region-model-impl-calls.cc (region_model::impl_call_memcpy):
	Call check_for_writable_region.
	(region_model::impl_call_memset): Likewise.
	(region_model::impl_call_strcpy): Likewise.
	* region-model.cc (class write_to_const_diagnostic): New.
	(class write_to_string_literal_diagnostic): New.
	(region_model::check_for_writable_region): New.
	(region_model::set_value): Call check_for_writable_region.
	* region-model.h (region_model::check_for_writable_region): New
	decl.

2020-10-07  David Malcolm  <dmalcolm@redhat.com>

	PR analyzer/97116
	* sm-malloc.cc (method_p): New.
	(describe_argument_index): New.
	(inform_nonnull_attribute): Use describe_argument_index.
	(possible_null_arg::describe_final_event): Likewise.
	(null_arg::describe_final_event): Likewise.

2020-09-29  David Malcolm  <dmalcolm@redhat.com>

	PR analyzer/95188
	* engine.cc (stmt_requires_new_enode_p): Split enodes before
	"signal" calls.

2020-09-29  David Malcolm  <dmalcolm@redhat.com>

	* constraint-manager.cc
	(constraint_manager::add_constraint_internal): Whitespace fixes.
	Silence -Wsign-compare warning.
	* engine.cc (maybe_process_run_of_before_supernode_enodes):
	Silence -Wsign-compare warning.

2020-09-28  David Malcolm  <dmalcolm@redhat.com>

	* region-model.h (binop_svalue::dyn_cast_binop_svalue): Remove
	redundant "virtual". Add FINAL OVERRIDE.
	(widening_svalue::dyn_cast_widening_svalue): Add FINAL OVERRIDE.
	(compound_svalue::dyn_cast_compound_svalue): Likewise.
	(conjured_svalue::dyn_cast_conjured_svalue): Likewise.

2020-09-28  David Malcolm  <dmalcolm@redhat.com>

	* diagnostic-manager.cc (null_assignment_sm_context::m_visitor):
	Remove unused field.

2020-09-28  David Malcolm  <dmalcolm@redhat.com>

	PR analyzer/97233
	* analyzer.cc (is_longjmp_call_p): Require the initial argument
	to be a pointer.
	* engine.cc (exploded_node::on_longjmp): Likewise.

2020-09-28  David Malcolm  <dmalcolm@redhat.com>

	* program-state.cc (sm_state_map::print): Update check
	for m_global_state being the start state.

2020-09-26  David Malcolm  <dmalcolm@redhat.com>

	PR analyzer/96646
	PR analyzer/96841
	* region-model.cc (region_model::get_representative_path_var):
	When handling offset_region, wrap the MEM_REF's first argument in
	an ADDR_EXPR of pointer type, rather than simply using the tree
	for the parent region. Require the MEM_REF's second argument to
	be an integer constant.

2020-09-24  David Malcolm  <dmalcolm@redhat.com>

	* analyzer.h (struct rejected_constraint): New decl.
	* analyzer.opt (fanalyzer-feasibility): New option.
	* diagnostic-manager.cc (path_builder::path_builder): Add
	"problem" param and use it to initialize new field.
	(path_builder::get_feasibility_problem): New accessor.
	(path_builder::m_feasibility_problem): New field.
	(dedupe_winners::add): Remove inversion of logic in "if" clause,
	swapping if/else suites. In the !feasible_p suite, inspect
	flag_analyzer_feasibility and add code to handle when this
	is off, accepting the infeasible path, but recording the
	feasibility_problem.
	(diagnostic_manager::emit_saved_diagnostic): Pass the
	feasibility_problem to the path_builder.
	(diagnostic_manager::add_events_for_eedge): If we have
	a feasibility_problem at this edge, use it to add a custom event.
	* engine.cc (exploded_path::feasible_p): Pass a
	rejected_constraint ** to model.maybe_update_for_edge and transfer
	ownership of any created instance to any feasibility_problem.
	(feasibility_problem::dump_to_pp): New.
	* exploded-graph.h (feasibility_problem::feasibility_problem):
	Drop "model" param; add rejected_constraint * param.
	(feasibility_problem::~feasibility_problem): New.
	(feasibility_problem::dump_to_pp): New decl.
	(feasibility_problem::m_model): Drop field.
	(feasibility_problem::m_rc): New field.
3755 * program-point.cc (function_point::get_location): Handle 3756 PK_BEFORE_SUPERNODE and PK_AFTER_SUPERNODE. 3757 * program-state.cc (program_state::on_edge): Pass NULL to new 3758 param of region_model::maybe_update_for_edge. 3759 * region-model.cc (region_model::add_constraint): New overload 3760 adding a rejected_constraint ** param. 3761 (region_model::maybe_update_for_edge): Add rejected_constraint ** 3762 param and pass it to the various apply_constraints_for_ calls. 3763 (region_model::apply_constraints_for_gcond): Add 3764 rejected_constraint ** param and pass it to add_constraint calls. 3765 (region_model::apply_constraints_for_gswitch): Likewise. 3766 (region_model::apply_constraints_for_exception): Likewise. 3767 (rejected_constraint::dump_to_pp): New. 3768 * region-model.h (region_model::maybe_update_for_edge): 3769 Add rejected_constraint ** param. 3770 (region_model::add_constraint): New overload adding a 3771 rejected_constraint ** param. 3772 (region_model::apply_constraints_for_gcond): Add 3773 rejected_constraint ** param. 3774 (region_model::apply_constraints_for_gswitch): Likewise. 3775 (region_model::apply_constraints_for_exception): Likewise. 3776 (struct rejected_constraint): New. 3777 37782020-09-23 David Malcolm <dmalcolm@redhat.com> 3779 3780 PR analyzer/97178 3781 * engine.cc (impl_run_checkers): Update for change to ext_state 3782 ctor. 3783 * program-state.cc (selftest::test_sm_state_map): Pass an engine 3784 instance to ext_state ctor. 3785 (selftest::test_program_state_1): Likewise. 3786 (selftest::test_program_state_2): Likewise. 3787 (selftest::test_program_state_merging): Likewise. 3788 (selftest::test_program_state_merging_2): Likewise. 3789 * program-state.h (extrinsic_state::extrinsic_state): Remove NULL 3790 default value for "eng" param. 3791 37922020-09-23 Tobias Burnus <tobias@codesourcery.com> 3793 3794 * analyzer-logging.cc: Guard '#pragma ... 
ignored "-Wformat-diag"' 3795 by '#if __GNUC__ >= 10' 3796 * analyzer.h: Likewise. 3797 * call-string.cc: Likewise. 3798 37992020-09-23 David Malcolm <dmalcolm@redhat.com> 3800 3801 * engine.cc (exploded_node::on_stmt): Replace sequence of dyn_cast 3802 with switch. 3803 38042020-09-22 David Malcolm <dmalcolm@redhat.com> 3805 3806 * analysis-plan.cc: Include "json.h". 3807 * analyzer.opt (fdump-analyzer-json): New. 3808 * call-string.cc: Include "json.h". 3809 (call_string::to_json): New. 3810 * call-string.h (call_string::to_json): New decl. 3811 * checker-path.cc: Include "json.h". 3812 * constraint-manager.cc: Include "json.h". 3813 (equiv_class::to_json): New. 3814 (constraint::to_json): New. 3815 (constraint_manager::to_json): New. 3816 * constraint-manager.h (equiv_class::to_json): New decl. 3817 (constraint::to_json): New decl. 3818 (constraint_manager::to_json): New decl. 3819 * diagnostic-manager.cc: Include "json.h". 3820 (saved_diagnostic::to_json): New. 3821 (diagnostic_manager::to_json): New. 3822 * diagnostic-manager.h (saved_diagnostic::to_json): New decl. 3823 (diagnostic_manager::to_json): New decl. 3824 * engine.cc: Include "json.h", <zlib.h>. 3825 (exploded_node::status_to_str): New. 3826 (exploded_node::to_json): New. 3827 (exploded_edge::to_json): New. 3828 (exploded_graph::to_json): New. 3829 (dump_analyzer_json): New. 3830 (impl_run_checkers): Call it. 3831 * exploded-graph.h (exploded_node::status_to_str): New decl. 3832 (exploded_node::to_json): New. 3833 (exploded_edge::to_json): New. 3834 (exploded_graph::to_json): New. 3835 * pending-diagnostic.cc: Include "json.h". 3836 * program-point.cc: Include "json.h". 3837 (program_point::to_json): New. 3838 * program-point.h (program_point::to_json): New decl. 3839 * program-state.cc: Include "json.h". 3840 (extrinsic_state::to_json): New. 3841 (sm_state_map::to_json): New. 3842 (program_state::to_json): New. 3843 * program-state.h (extrinsic_state::to_json): New decl. 
3844 (sm_state_map::to_json): New decl. 3845 (program_state::to_json): New decl. 3846 * region-model-impl-calls.cc: Include "json.h". 3847 * region-model-manager.cc: Include "json.h". 3848 * region-model-reachability.cc: Include "json.h". 3849 * region-model.cc: Include "json.h". 3850 * region-model.h (svalue::to_json): New decl. 3851 (region::to_json): New decl. 3852 * region.cc: Include "json.h". 3853 (region::to_json: New. 3854 * sm-file.cc: Include "json.h". 3855 * sm-malloc.cc: Include "json.h". 3856 * sm-pattern-test.cc: Include "json.h". 3857 * sm-sensitive.cc: Include "json.h". 3858 * sm-signal.cc: Include "json.h". 3859 (signal_delivery_edge_info_t::to_json): New. 3860 * sm-taint.cc: Include "json.h". 3861 * sm.cc: Include "diagnostic.h", "tree-diagnostic.h", and 3862 "json.h". 3863 (state_machine::state::to_json): New. 3864 (state_machine::to_json): New. 3865 * sm.h (state_machine::state::to_json): New. 3866 (state_machine::to_json): New. 3867 * state-purge.cc: Include "json.h". 3868 * store.cc: Include "json.h". 3869 (binding_key::get_desc): New. 3870 (binding_map::to_json): New. 3871 (binding_cluster::to_json): New. 3872 (store::to_json): New. 3873 * store.h (binding_key::get_desc): New decl. 3874 (binding_map::to_json): New decl. 3875 (binding_cluster::to_json): New decl. 3876 (store::to_json): New decl. 3877 * supergraph.cc: Include "json.h". 3878 (supergraph::to_json): New. 3879 (supernode::to_json): New. 3880 (superedge::to_json): New. 3881 * supergraph.h (supergraph::to_json): New decl. 3882 (supernode::to_json): New decl. 3883 (superedge::to_json): New decl. 3884 * svalue.cc: Include "json.h". 3885 (svalue::to_json): New. 3886 38872020-09-21 David Malcolm <dmalcolm@redhat.com> 3888 3889 PR analyzer/97130 3890 * region-model-impl-calls.cc (call_details::get_arg_type): New. 3891 * region-model.cc (region_model::on_call_pre): Check that the 3892 initial arg is a pointer before calling impl_call_memset and 3893 impl_call_strlen. 
3894 * region-model.h (call_details::get_arg_type): New decl. 3895 38962020-09-21 David Malcolm <dmalcolm@redhat.com> 3897 3898 PR analyzer/93355 3899 * sm-malloc.cc (malloc_state_machine::get_default_state): Look at 3900 the base region when considering pointers. Treat pointers to 3901 decls as being non-heap. 3902 39032020-09-18 David Malcolm <dmalcolm@redhat.com> 3904 3905 * checker-path.cc (warning_event::get_desc): Handle global state 3906 changes. 3907 39082020-09-18 David Malcolm <dmalcolm@redhat.com> 3909 3910 * sm-malloc.cc (malloc_state_machine::on_stmt): Handle strdup and 3911 strndup as being malloc-like allocators. 3912 39132020-09-16 David Malcolm <dmalcolm@redhat.com> 3914 3915 * engine.cc (strongly_connected_components::strong_connect): Only 3916 consider intraprocedural edges when creating SCCs. 3917 (worklist::key_t::cmp): Add comment. Treat call_string 3918 differences as more important than differences of program_point 3919 within a supernode. 3920 39212020-09-16 David Malcolm <dmalcolm@redhat.com> 3922 3923 * engine.cc (supernode_cluster::dump_dot): Show the SCC id 3924 in the per-supernode clusters in FILENAME.eg.dot output. 3925 (exploded_graph_annotator::add_node_annotations): 3926 Show the SCC of the supernode in FILENAME.supernode.eg.dot output. 3927 * exploded-graph.h (worklist::scc_id): New. 3928 (exploded_graph::get_scc_id): New. 3929 39302020-09-16 David Malcolm <dmalcolm@redhat.com> 3931 3932 * engine.cc (exploded_node::dump_dot): Show STATUS_BULK_MERGED. 3933 (exploded_graph::process_worklist): Call 3934 maybe_process_run_of_before_supernode_enodes. 3935 (exploded_graph::maybe_process_run_of_before_supernode_enodes): 3936 New. 3937 (exploded_graph_annotator::print_enode): Show STATUS_BULK_MERGED. 3938 * exploded-graph.h (enum exploded_node::status): Add 3939 STATUS_BULK_MERGED. 

2020-09-16  David Malcolm  <dmalcolm@redhat.com>

	* engine.cc
	(exploded_graph::process_node) <case PK_BEFORE_SUPERNODE>:
	Simplify by using program_point::get_next.
	* program-point.cc (program_point::get_next): New.
	* program-point.h (program_point::get_next): New decl.

2020-09-16  David Malcolm  <dmalcolm@redhat.com>

	* engine.cc (exploded_graph::get_or_create_node): Show the
	program point when issuing -Wanalyzer-too-complex due to hitting
	the per-program-point limit.

2020-09-16  David Malcolm  <dmalcolm@redhat.com>

	* region-model.cc (region_model::on_call_pre): Treat getchar as
	having no side-effects.

2020-09-15  David Malcolm  <dmalcolm@redhat.com>

	PR analyzer/96650
	* constraint-manager.cc (merger_fact_visitor::on_fact): Replace
	assertion that add_constraint succeeded with an assertion that
	if it fails, -fanalyzer-transitivity is off.

2020-09-14  David Malcolm  <dmalcolm@redhat.com>

	* analyzer.opt (-param=analyzer-max-constraints=): New param.
	* constraint-manager.cc
	(constraint_manager::add_constraint_internal): Silently reject
	attempts to add constraints when the above limit is reached.

2020-09-14  David Malcolm  <dmalcolm@redhat.com>

	PR analyzer/96653
	* constraint-manager.cc
	(constraint_manager::get_or_add_equiv_class): Don't accumulate
	transitive closure of all constraints on constants.

2020-09-14  David Malcolm  <dmalcolm@redhat.com>

	PR analyzer/97029
	* analyzer.cc (is_setjmp_call_p): Require the initial arg to be a
	pointer.
	* region-model.cc (region_model::deref_rvalue): Assert that the
	svalue is of pointer type.

2020-09-11  David Malcolm  <dmalcolm@redhat.com>

	PR analyzer/96798
	* region-model-impl-calls.cc (region_model::impl_call_memcpy):
	New.
	(region_model::impl_call_strcpy): New.
	* region-model.cc (region_model::on_call_pre): Flag unhandled
	builtins that are non-pure as having unknown side-effects.
	Implement BUILT_IN_MEMCPY, BUILT_IN_MEMCPY_CHK, BUILT_IN_STRCPY,
	BUILT_IN_STRCPY_CHK, BUILT_IN_FPRINTF, BUILT_IN_FPRINTF_UNLOCKED,
	BUILT_IN_PUTC, BUILT_IN_PUTC_UNLOCKED, BUILT_IN_FPUTC,
	BUILT_IN_FPUTC_UNLOCKED, BUILT_IN_FPUTS, BUILT_IN_FPUTS_UNLOCKED,
	BUILT_IN_FWRITE, BUILT_IN_FWRITE_UNLOCKED, BUILT_IN_PRINTF,
	BUILT_IN_PRINTF_UNLOCKED, BUILT_IN_PUTCHAR,
	BUILT_IN_PUTCHAR_UNLOCKED, BUILT_IN_PUTS, BUILT_IN_PUTS_UNLOCKED,
	BUILT_IN_VFPRINTF, BUILT_IN_VPRINTF.
	* region-model.h (region_model::impl_call_memcpy): New decl.
	(region_model::impl_call_strcpy): New decl.

2020-09-09  David Malcolm  <dmalcolm@redhat.com>

	PR analyzer/94355
	* analyzer.opt (Wanalyzer-mismatching-deallocation): New warning.
	* region-model-impl-calls.cc
	(region_model::impl_call_operator_new): New.
	(region_model::impl_call_operator_delete): New.
	* region-model.cc (region_model::on_call_pre): Detect operator new
	and operator delete.
	(region_model::on_call_post): Likewise.
	(region_model::maybe_update_for_edge): Detect EH edges and call...
	(region_model::apply_constraints_for_exception): New function.
	* region-model.h (region_model::impl_call_operator_new): New decl.
	(region_model::impl_call_operator_delete): New decl.
	(region_model::apply_constraints_for_exception): New decl.
	* sm-malloc.cc (enum resource_state): New.
	(struct allocation_state): New state subclass.
	(enum wording): New.
	(struct api): New.
	(malloc_state_machine::custom_data_t): New typedef.
	(malloc_state_machine::add_state): New decl.
	(malloc_state_machine::m_unchecked)
	(malloc_state_machine::m_nonnull)
	(malloc_state_machine::m_freed): Delete these states in favor
	of...
	(malloc_state_machine::m_malloc)
	(malloc_state_machine::m_scalar_new)
	(malloc_state_machine::m_vector_new): ...these new api instances,
	which own their own versions of these states.
	(malloc_state_machine::on_allocator_call): New decl.
	(malloc_state_machine::on_deallocator_call): New decl.
	(api::api): New ctor.
	(dyn_cast_allocation_state): New.
	(as_a_allocation_state): New.
	(get_rs): New.
	(unchecked_p): New.
	(nonnull_p): New.
	(freed_p): New.
	(malloc_diagnostic::describe_state_change): Use unchecked_p and
	nonnull_p.
	(class mismatching_deallocation): New.
	(double_free::double_free): Add funcname param for initializing
	m_funcname.
	(double_free::emit): Use m_funcname in warning message rather
	than hardcoding "free".
	(double_free::describe_state_change): Likewise.  Use freed_p.
	(double_free::describe_call_with_state): Use freed_p.
	(double_free::describe_final_event): Use m_funcname in message
	rather than hardcoding "free".
	(double_free::m_funcname): New field.
	(possible_null::describe_state_change): Use unchecked_p.
	(possible_null::describe_return_of_state): Likewise.
	(use_after_free::use_after_free): Add param for initializing m_api.
	(use_after_free::emit): Use m_api->m_dealloc_funcname in message
	rather than hardcoding "free".
	(use_after_free::describe_state_change): Use freed_p.  Change the
	wording of the message based on the API.
	(use_after_free::describe_final_event): Use
	m_api->m_dealloc_funcname in message rather than hardcoding
	"free".  Change the wording of the message based on the API.
	(use_after_free::m_api): New field.
	(malloc_leak::describe_state_change): Use unchecked_p.  Update
	for renaming of m_malloc_event to m_alloc_event.
	(malloc_leak::describe_final_event): Update for renaming of
	m_malloc_event to m_alloc_event.
	(malloc_leak::m_malloc_event): Rename...
	(malloc_leak::m_alloc_event): ...to this.
	(free_of_non_heap::free_of_non_heap): Add param for initializing
	m_funcname.
	(free_of_non_heap::emit): Use m_funcname in message rather than
	hardcoding "free".
	(free_of_non_heap::describe_final_event): Likewise.
	(free_of_non_heap::m_funcname): New field.
	(allocation_state::dump_to_pp): New.
	(allocation_state::get_nonnull): New.
	(malloc_state_machine::malloc_state_machine): Update for changes
	to state fields and new api fields.
	(malloc_state_machine::add_state): New.
	(malloc_state_machine::on_stmt): Move malloc/calloc handling to
	on_allocator_call and call it, passing in the API pointer.
	Likewise for free, moving it to on_deallocator_call.  Handle calls
	to operator new and delete in an analogous way.  Use unchecked_p
	when testing for possibly-null-arg and possibly-null-deref, and
	transition to the non-null state for the correct API.  Remove
	redundant node param from call to on_zero_assignment.  Use freed_p
	for use-after-free check, and pass in API.
	(malloc_state_machine::on_allocator_call): New, based on code in
	on_stmt.
	(malloc_state_machine::on_deallocator_call): Likewise.
	(malloc_state_machine::on_phi): Mark node param with
	ATTRIBUTE_UNUSED; don't pass it to on_zero_assignment.
	(malloc_state_machine::on_condition): Mark node param with
	ATTRIBUTE_UNUSED.  Replace on_transition calls with get_state and
	set_next_state pairs, transitioning to the non-null state for the
	appropriate API.
	(malloc_state_machine::can_purge_p): Port to new state approach.
	(malloc_state_machine::on_zero_assignment): Replace on_transition
	calls with get_state and set_next_state pairs.  Drop redundant
	node param.
	* sm.h (state_machine::add_custom_state): New.

2020-09-09  David Malcolm  <dmalcolm@redhat.com>

	* diagnostic-manager.cc
	(null_assignment_sm_context::warn_for_state): Replace with...
	(null_assignment_sm_context::warn): ...this.
	* engine.cc (impl_sm_context::warn_for_state): Replace with...
	(impl_sm_context::warn): ...this.
	* sm-file.cc (fileptr_state_machine::on_stmt): Replace
	warn_for_state and on_transition calls with a get_state
	test guarding warn and set_next_state calls.
	* sm-malloc.cc (malloc_state_machine::on_stmt): Likewise.
	* sm-pattern-test.cc (pattern_test_state_machine::on_condition):
	Replace warn_for_state call with warn call.
	* sm-sensitive.cc
	(sensitive_state_machine::warn_for_any_exposure): Replace
	warn_for_state call with a get_state test guarding a warn call.
	* sm-signal.cc (signal_state_machine::on_stmt): Likewise.
	* sm-taint.cc (taint_state_machine::on_stmt): Replace
	warn_for_state and on_transition calls with a get_state
	test guarding warn and set_next_state calls.
	* sm.h (sm_context::warn_for_state): Replace with...
	(sm_context::warn): ...this.

2020-09-09  David Malcolm  <dmalcolm@redhat.com>

	* diagnostic-manager.cc
	(null_assignment_sm_context::null_assignment_sm_context): Add
	old_state and ext_state params, initializing m_old_state and
	m_ext_state.
	(null_assignment_sm_context::on_transition): Split into...
	(null_assignment_sm_context::get_state): ...this new vfunc
	implementation and...
	(null_assignment_sm_context::set_next_state): ...this new vfunc
	implementation.
	(null_assignment_sm_context::m_old_state): New field.
	(null_assignment_sm_context::m_ext_state): New field.
	(diagnostic_manager::add_events_for_eedge): Pass in old state and
	ext_state when creating sm_ctxt.
	* engine.cc (impl_sm_context::on_transition): Split into...
	(impl_sm_context::get_state): ...this new vfunc
	implementation and...
	(impl_sm_context::set_next_state): ...this new vfunc
	implementation.
	* sm.h (sm_context::get_state): New pure virtual function.
	(sm_context::set_next_state): Likewise.
	(sm_context::on_transition): Convert from a pure virtual function
	to a regular function implemented in terms of get_state and
	set_next_state.

2020-09-09  David Malcolm  <dmalcolm@redhat.com>

	* checker-path.cc (state_change_event::get_desc): Update
	state_machine::get_state_name calls to state::get_name.
	(warning_event::get_desc): Likewise.
	* diagnostic-manager.cc
	(null_assignment_sm_context::on_transition): Update comparison
	against 0 with comparison with m_sm.get_start_state.
	(diagnostic_manager::prune_for_sm_diagnostic): Update
	state_machine::get_state_name calls to state::get_name.
	* engine.cc (impl_sm_context::on_transition): Likewise.
	(exploded_node::get_dot_fillcolor): Use get_id when summing
	the sm states.
	* program-state.cc (sm_state_map::sm_state_map): Don't hardcode
	0 as the start state when initializing m_global_state.
	(sm_state_map::print): Use dump_to_pp rather than get_state_name
	when dumping states.
	(sm_state_map::is_empty_p): Don't hardcode 0 as the start state
	when examining m_global_state.
	(sm_state_map::hash): Use get_id when hashing states.
	(selftest::test_sm_state_map): Use state objects rather than
	arbitrary hardcoded integers.
	(selftest::test_program_state_merging): Likewise.
	(selftest::test_program_state_merging_2): Likewise.
	* sm-file.cc (fileptr_state_machine::m_start): Move to base class.
	(file_diagnostic::describe_state_change): Use get_start_state.
	(fileptr_state_machine::fileptr_state_machine): Drop m_start
	initialization.
	* sm-malloc.cc (malloc_state_machine::m_start): Move to base
	class.
	(malloc_diagnostic::describe_state_change): Use get_start_state.
	(possible_null::describe_state_change): Likewise.
	(malloc_state_machine::malloc_state_machine): Drop m_start
	initialization.
	* sm-pattern-test.cc (pattern_test_state_machine::m_start): Move
	to base class.
	(pattern_test_state_machine::pattern_test_state_machine): Drop
	m_start initialization.
	* sm-sensitive.cc (sensitive_state_machine::m_start): Move to base
	class.
	(sensitive_state_machine::sensitive_state_machine): Drop m_start
	initialization.
	* sm-signal.cc (signal_state_machine::m_start): Move to base
	class.
	(signal_state_machine::signal_state_machine): Drop m_start
	initialization.
	* sm-taint.cc (taint_state_machine::m_start): Move to base class.
	(taint_state_machine::taint_state_machine): Drop m_start
	initialization.
	* sm.cc (state_machine::state::dump_to_pp): New.
	(state_machine::state_machine): Move here from sm.h.  Initialize
	m_next_state_id and m_start.
	(state_machine::add_state): Reimplement in terms of state objects.
	(state_machine::get_state_name): Delete.
	(state_machine::get_state_by_name): Reimplement in terms of state
	objects.  Make const.
	(state_machine::validate): Delete.
	(state_machine::dump_to_pp): Reimplement in terms of state
	objects.
	* sm.h (state_machine::state): New class.
	(state_machine::state_t): Convert typedef from "unsigned" to
	"const state_machine::state *".
	(state_machine::state_machine): Move to sm.cc.
	(state_machine::get_default_state): Use m_start rather than
	hardcoding 0.
	(state_machine::get_state_name): Delete.
	(state_machine::get_state_by_name): Make const.
	(state_machine::get_start_state): New accessor.
	(state_machine::alloc_state_id): New.
	(state_machine::m_state_names): Drop in favor of...
	(state_machine::m_states): New field.
	(state_machine::m_start): New field.
	(start_start_p): Delete.

2020-09-08  David Malcolm  <dmalcolm@redhat.com>

	PR analyzer/96949
	* store.cc (binding_map::apply_ctor_val_to_range): Add
	error-handling for the cases where we have symbolic offsets.

2020-09-08  David Malcolm  <dmalcolm@redhat.com>

	PR analyzer/96950
	* store.cc (binding_map::apply_ctor_to_region): Handle RANGE_EXPR
	where min_index == max_index.
	(binding_map::apply_ctor_val_to_range): Replace assertion that we
	don't have a CONSTRUCTOR value with error-handling.

2020-09-08  David Malcolm  <dmalcolm@redhat.com>

	PR analyzer/96962
	* region-model.cc (region_model::on_call_pre): Fix guard on switch
	on built-ins to only consider BUILT_IN_NORMAL, rather than other
	kinds of built-ins.

2020-09-01  David Malcolm  <dmalcolm@redhat.com>

	PR analyzer/96792
	* region-model.cc (region_model::deref_rvalue): Add the constraint
	that PTR_SVAL is non-NULL.

2020-08-31  David Malcolm  <dmalcolm@redhat.com>

	PR analyzer/96798
	* region-model.cc (region_model::on_call_pre): Handle
	BUILT_IN_MEMSET_CHK.

2020-08-31  David Malcolm  <dmalcolm@redhat.com>

	* region-model.cc (region_model::on_call_pre): Gather handling of
	builtins and of internal fns into switch statements.  Handle
	"alloca" and BUILT_IN_ALLOCA_WITH_ALIGN.

2020-08-31  David Malcolm  <dmalcolm@redhat.com>

	PR analyzer/96860
	* region.cc (decl_region::get_svalue_for_constructor): Support
	apply_ctor_to_region failing.
	* store.cc (binding_map::apply_ctor_to_region): Add failure
	handling.
	(binding_map::apply_ctor_val_to_range): Likewise.
	(binding_map::apply_ctor_pair_to_child_region): Likewise.  Replace
	assertion that child_base_offset is not symbolic with error
	handling.
	* store.h (binding_map::apply_ctor_to_region): Convert return type
	from void to bool.
	(binding_map::apply_ctor_val_to_range): Likewise.
	(binding_map::apply_ctor_pair_to_child_region): Likewise.

2020-08-31  David Malcolm  <dmalcolm@redhat.com>

	PR analyzer/96763
	* store.cc (binding_map::apply_ctor_to_region): Handle RANGE_EXPR
	by calling a new binding_map::apply_ctor_val_to_range subroutine.
	Split out the existing non-CONSTRUCTOR-handling code to a new
	apply_ctor_pair_to_child_region subroutine.
	(binding_map::apply_ctor_val_to_range): New.
	(binding_map::apply_ctor_pair_to_child_region): New, split out
	from binding_map::apply_ctor_to_region as noted above.
	* store.h (binding_map::apply_ctor_val_to_range): New decl.
	(binding_map::apply_ctor_pair_to_child_region): New decl.

2020-08-31  David Malcolm  <dmalcolm@redhat.com>

	PR analyzer/96764
	* region-model-manager.cc
	(region_model_manager::maybe_fold_unaryop): Handle VIEW_CONVERT_EXPR.
	(region_model_manager::get_or_create_cast): Move logic for
	real->integer casting to...
	(get_code_for_cast): ...this new function, and add logic for
	real->non-integer casts.
	(region_model_manager::maybe_fold_sub_svalue): Handle
	VIEW_CONVERT_EXPR.
	* region-model.cc
	(region_model::add_any_constraints_from_gassign): Likewise.
	* svalue.cc (svalue::maybe_undo_cast): Likewise.
	(unaryop_svalue::dump_to_pp): Likewise.

2020-08-26  David Malcolm  <dmalcolm@redhat.com>

	PR analyzer/94858
	* region-model-manager.cc
	(region_model_manager::get_or_create_widening_svalue): Assert that
	neither of the inputs are themselves widenings.
	* store.cc (store::eval_alias_1): The initial value of a pointer
	can't point to a region that was allocated on the heap after the
	beginning of the path.  A widened pointer value can't alias anything
	that the initial pointer value can't alias.
	* svalue.cc (svalue::can_merge_p): Merge BINOP (X, OP, CST) with X
	to a widening svalue.  Merge
	BINOP(WIDENING(BASE, BINOP(BASE, X)), X) and BINOP(BASE, X) to
	the LHS of the first BINOP.

2020-08-26  David Malcolm  <dmalcolm@redhat.com>

	PR analyzer/96777
	* region-model.h (class compound_svalue): Document that all keys
	must be concrete.
	(compound_svalue::compound_svalue): Move definition to svalue.cc.
	* store.cc (binding_map::apply_ctor_to_region): Handle
	initializers for trailing arrays with incomplete size.
	* svalue.cc (compound_svalue::compound_svalue): Move definition
	here from region-model.h.  Add assertion that all keys are
	concrete.

2020-08-22  David Malcolm  <dmalcolm@redhat.com>

	PR analyzer/94851
	* region-model-manager.cc
	(region_model_manager::maybe_fold_binop): Fold bitwise "& 0" to 0.

2020-08-22  David Malcolm  <dmalcolm@redhat.com>

	* store.cc (store::eval_alias): Make const.  Split out 2nd half
	into store::eval_alias_1 and call it twice for symmetry, avoiding
	test duplication.
	(store::eval_alias_1): New function, split out from the above.
	* store.h (store::eval_alias): Make const.
	(store::eval_alias_1): New decl.

2020-08-22  David Malcolm  <dmalcolm@redhat.com>

	* region-model.cc (region_model::push_frame): Bind the default
	SSA name for each parm if it exists, falling back to the parm
	itself otherwise, rather than doing both.

2020-08-20  David Malcolm  <dmalcolm@redhat.com>

	PR analyzer/96723
	* region-model-manager.cc
	(region_model_manager::get_field_region): Assert that field is a
	FIELD_DECL.
	* region.cc (region::get_subregions_for_binding): In
	union-handling, filter the TYPE_FIELDS traversal to just FIELD_DECLs.

2020-08-20  David Malcolm  <dmalcolm@redhat.com>

	PR analyzer/96713
	* region-model.cc (region_model::get_gassign_result): For
	comparisons, only use eval_condition when the lhs has boolean
	type, and use get_or_create_constant_svalue on the boolean
	constants directly rather than via get_rvalue.

2020-08-19  David Malcolm  <dmalcolm@redhat.com>

	PR analyzer/96643
	* region-model.cc (region_model::deref_rvalue): Rather than
	attempting to handle all svalue kinds in the switch, only cover
	the special cases, and move symbolic-region handling to after
	the switch, thus implicitly handling the missing case SK_COMPOUND.

2020-08-19  David Malcolm  <dmalcolm@redhat.com>

	PR analyzer/96705
	* region-model-manager.cc
	(region_model_manager::maybe_fold_binop): Check that we have an
	integral type before calling build_int_cst.

2020-08-19  David Malcolm  <dmalcolm@redhat.com>

	PR analyzer/96699
	* region-model-manager.cc
	(region_model_manager::get_or_create_cast): Use FIX_TRUNC_EXPR for
	casting from REAL_TYPE to INTEGER_TYPE.

2020-08-19  David Malcolm  <dmalcolm@redhat.com>

	PR analyzer/96651
	* region-model.cc (region_model::called_from_main_p): New.
	(region_model::get_store_value): Move handling for globals into...
	(region_model::get_initial_value_for_global): ...this new
	function, and add logic for extracting values from decl
	initializers.
	* region-model.h (decl_region::get_svalue_for_constructor): New
	decl.
	(decl_region::get_svalue_for_initializer): New decl.
	(region_model::called_from_main_p): New decl.
	(region_model::get_initial_value_for_global): New.
	* region.cc (decl_region::maybe_get_constant_value): Move logic
	for getting an svalue from a CONSTRUCTOR node to...
	(decl_region::get_svalue_for_constructor): ...this new function.
	(decl_region::get_svalue_for_initializer): New.
	* store.cc (get_svalue_for_ctor_val): Rewrite in terms of
	region_model::get_rvalue.
	* store.h (binding_cluster::get_map): New accessor.

2020-08-19  David Malcolm  <dmalcolm@redhat.com>

	PR analyzer/96648
	* region.cc (get_field_at_bit_offset): Gracefully handle negative
	values for bit_offset.

2020-08-18  David Malcolm  <dmalcolm@redhat.com>

	* region-model.cc (region_model::get_rvalue_1): Fix name of local.

2020-08-18  David Malcolm  <dmalcolm@redhat.com>

	PR analyzer/96641
	* region-model.cc (region_model::get_rvalue_1): Handle
	unrecognized tree codes by returning UNKNOWN.

2020-08-18  David Malcolm  <dmalcolm@redhat.com>

	PR analyzer/96640
	* region-model.cc (region_model::get_gassign_result): Handle various
	VEC_* tree codes by returning UNKNOWN.
	(region_model::on_assignment): Handle unrecognized tree codes by
	setting lhs to an unknown value, rather than issuing a "sorry" and
	asserting.

2020-08-17  David Malcolm  <dmalcolm@redhat.com>

	PR analyzer/96644
	* region-model-manager.cc (get_region_for_unexpected_tree_code):
	Handle ctxt being NULL.

2020-08-17  David Malcolm  <dmalcolm@redhat.com>

	PR analyzer/96639
	* region.cc (region::get_subregions_for_binding): Check for "type"
	being NULL.

2020-08-17  David Malcolm  <dmalcolm@redhat.com>

	PR analyzer/96642
	* store.cc (get_svalue_for_ctor_val): New.
	(binding_map::apply_ctor_to_region): Call it.

2020-08-14  David Malcolm  <dmalcolm@redhat.com>

	PR testsuite/96609
	PR analyzer/96616
	* region-model.cc (region_model::get_store_value): Call
	maybe_get_constant_value on decl_regions first.
	* region-model.h (decl_region::maybe_get_constant_value): New decl.
	* region.cc (decl_region::get_stack_depth): Likewise.
	(decl_region::maybe_get_constant_value): New.
	* store.cc (get_subregion_within_ctor): New.
	(binding_map::apply_ctor_to_region): New.
	* store.h (binding_map::apply_ctor_to_region): New decl.

2020-08-14  David Malcolm  <dmalcolm@redhat.com>

	PR analyzer/96611
	* store.cc (store::mark_as_escaped): Reject attempts to
	get a cluster for an unknown pointer.

2020-08-13  David Malcolm  <dmalcolm@redhat.com>

	PR analyzer/93032
	PR analyzer/93938
	PR analyzer/94011
	PR analyzer/94099
	PR analyzer/94399
	PR analyzer/94458
	PR analyzer/94503
	PR analyzer/94640
	PR analyzer/94688
	PR analyzer/94689
	PR analyzer/94839
	PR analyzer/95026
	PR analyzer/95042
	PR analyzer/95240
	* analyzer-logging.cc: Ignore "-Wformat-diag".
	(logger::enter_scope): Use inc_indent in both overloads.
	(logger::exit_scope): Use dec_indent.
	* analyzer-logging.h (logger::inc_indent): New.
	(logger::dec_indent): New.
	* analyzer-selftests.cc (run_analyzer_selftests): Call
	analyzer_store_cc_tests.
	* analyzer-selftests.h (analyzer_store_cc_tests): New decl.
	* analyzer.cc (get_stmt_location): New function.
	* analyzer.h (class initial_svalue): New forward decl.
	(class unaryop_svalue): New forward decl.
	(class binop_svalue): New forward decl.
	(class sub_svalue): New forward decl.
	(class unmergeable_svalue): New forward decl.
	(class placeholder_svalue): New forward decl.
	(class widening_svalue): New forward decl.
	(class compound_svalue): New forward decl.
	(class conjured_svalue): New forward decl.
	(svalue_set): New typedef.
	(class map_region): Delete.
	(class array_region): Delete.
	(class frame_region): New forward decl.
	(class function_region): New forward decl.
	(class label_region): New forward decl.
	(class decl_region): New forward decl.
4526 (class element_region): New forward decl. 4527 (class offset_region): New forward decl. 4528 (class cast_region): New forward decl. 4529 (class field_region): New forward decl. 4530 (class string_region): New forward decl. 4531 (class region_model_manager): New forward decl. 4532 (class store_manager): New forward decl. 4533 (class store): New forward decl. 4534 (class call_details): New forward decl. 4535 (struct svalue_id_merger_mapping): Delete. 4536 (struct canonicalization): Delete. 4537 (class function_point): New forward decl. 4538 (class engine): New forward decl. 4539 (dump_tree): New function decl. 4540 (print_quoted_type): New function decl. 4541 (readability_comparator): New function decl. 4542 (tree_cmp): New function decl. 4543 (class path_var): Move here from region-model.h 4544 (bit_offset_t, bit_size_t, byte_size_t): New typedefs. 4545 (class region_offset): New class. 4546 (get_stmt_location): New decl. 4547 (struct member_function_hash_traits): New struct. 4548 (class consolidation_map): New class. 4549 Ignore "-Wformat-diag". 4550 * analyzer.opt (-param=analyzer-max-svalue-depth=): New param. 4551 (-param=analyzer-max-enodes-for-full-dump=): New param. 4552 * call-string.cc: Ignore -Wformat-diag. 4553 * checker-path.cc: Move includes of "analyzer/call-string.h" and 4554 "analyzer/program-point.h" to before "analyzer/region-model.h", 4555 and also include "analyzer/store.h" before it. 4556 (state_change_event::state_change_event): Replace "tree var" param 4557 with "const svalue *sval". Convert "origin" param from tree to 4558 "const svalue *". 4559 (state_change_event::get_desc): Call get_representative_tree to 4560 convert the var and origin from const svalue * to tree. Use 4561 svalue::get_desc rather than %qE when describing state changes. 4562 (checker_path::add_final_event): Use get_stmt_location. 4563 * checker-path.h (state_change_event::state_change_event): Port 4564 from tree to const svalue *. 
4565 (state_change_event::get_lvalue): Delete. 4566 (state_change_event::get_dest_function): New. 4567 (state_change_event::m_var): Replace with... 4568 (state_change_event::m_sval): ...this. 4569 (state_change_event::m_origin): Convert from tree to 4570 const svalue *. 4571 * constraint-manager.cc: Include "analyzer/call-string.h", 4572 "analyzer/program-point.h", and "analyzer/store.h" before 4573 "analyzer/region-model.h". 4574 (struct bound, struct range): Move to constraint-manager.h. 4575 (compare_constants): New function. 4576 (range::dump): Rename to... 4577 (range::dump_to_pp): ...this. Support NULL constants. 4578 (range::dump): Reintroduce for dumping to stderr. 4579 (range::constrained_to_single_element): Return result, rather than 4580 writing to *OUT. 4581 (range::eval_condition): New. 4582 (range::below_lower_bound): New. 4583 (range::above_upper_bound): New. 4584 (equiv_class::equiv_class): Port from svalue_id to const svalue *. 4585 (equiv_class::print): Likewise. 4586 (equiv_class::hash): Likewise. 4587 (equiv_class::operator==): Port from svalue_id to const svalue *. 4588 (equiv_class::add): Port from svalue_id to const svalue *. Drop 4589 "cm" param. 4590 (equiv_class::del): Port from svalue_id to const svalue *. 4591 (equiv_class::get_representative): Likewise. 4592 (equiv_class::remap_svalue_ids): Delete. 4593 (svalue_id_cmp_by_id): Rename to... 4594 (svalue_cmp_by_ptr): ...this, porting from svalue_id to 4595 const svalue *. 4596 (equiv_class::canonicalize): Update qsort comparator. 4597 (constraint::implied_by): New. 4598 (constraint_manager::constraint_manager): Copy m_mgr in copy ctor. 4599 (constraint_manager::dump_to_pp): Add "multiline" param 4600 (constraint_manager::dump): Pass "true" for "multiline". 4601 (constraint_manager::add_constraint): Port from svalue_id to 4602 const svalue *. Split out second part into... 4603 (constraint_manager::add_unknown_constraint): ...this new 4604 function. 
Remove self-constraints when merging equivalence 4605 classes. 4606 (constraint_manager::add_constraint_internal): Remove constraints 4607 that would be implied by the new constraint. Port from svalue_id 4608 to const svalue *. 4609 (constraint_manager::get_equiv_class_by_sid): Rename to... 4610 (constraint_manager::get_equiv_class_by_svalue): ...this, porting 4611 from svalue_id to const svalue *. 4612 (constraint_manager::get_or_add_equiv_class): Port from svalue_id 4613 to const svalue *. 4614 (constraint_manager::eval_condition): Make const. Call 4615 compare_constants and return early if it provides a known result. 4616 (constraint_manager::get_ec_bounds): New. 4617 (constraint_manager::eval_condition): New overloads. Make 4618 existing one const, and use compare_constants. 4619 (constraint_manager::purge): Convert "p" param to a template 4620 rather that an abstract base class. Port from svalue_id to 4621 const svalue *. 4622 (class dead_svalue_purger): New class. 4623 (constraint_manager::remap_svalue_ids): Delete. 4624 (constraint_manager::on_liveness_change): New. 4625 (equiv_class_cmp): Port from svalue_id to const svalue *. 4626 (constraint_manager::canonicalize): Likewise. Combine with 4627 purging of redundant equivalence classes and constraints. 4628 (class cleaned_constraint_manager): Delete. 4629 (class merger_fact_visitor): Make "m_cm_b" const. Add "m_merger" 4630 field. 4631 (merger_fact_visitor::fact): Port from svalue_id to const svalue *. 4632 Add special case for widening. 4633 (constraint_manager::merge): Port from svalue_id to const svalue *. 4634 (constraint_manager::clean_merger_input): Delete. 4635 (constraint_manager::for_each_fact): Port from svalue_id to 4636 const svalue *. 4637 (constraint_manager::validate): Likewise. 4638 (selftest::test_constraint_conditions): Provide a 4639 region_model_manager when creating region_model instances. 4640 Add test for self-equality not creating equivalence classes. 
4641 (selftest::test_transitivity): Provide a region_model_manager when 4642 creating region_model instances. Verify that EC-merging happens 4643 when constraints are implied. 4644 (selftest::test_constant_comparisons): Provide a 4645 region_model_manager when creating region_model instances. 4646 (selftest::test_constraint_impl): Likewise. Remove over-specified 4647 assertions. 4648 (selftest::test_equality): Provide a region_model_manager when 4649 creating region_model instances. 4650 (selftest::test_many_constants): Likewise. Provide a 4651 program_point when testing merging. 4652 (selftest::run_constraint_manager_tests): Move call to 4653 test_constant_comparisons to outside the transitivity guard. 4654 * constraint-manager.h (struct bound): Move here from 4655 constraint-manager.cc. 4656 (struct range): Likewise. 4657 (struct::eval_condition): New decl. 4658 (struct::below_lower_bound): New decl. 4659 (struct::above_upper_bound): New decl. 4660 (equiv_class::add): Port from svalue_id to const svalue *. 4661 (equiv_class::del): Likewise. 4662 (equiv_class::get_representative): Likewise. 4663 (equiv_class::remap_svalue_ids): Drop. 4664 (equiv_class::m_cst_sid): Convert to.. 4665 (equiv_class::m_cst_sval): ...this. 4666 (equiv_class::m_vars): Port from svalue_id to const svalue *. 4667 (constraint::bool implied_by): New decl. 4668 (fact_visitor::on_fact): Port from svalue_id to const svalue *. 4669 (constraint_manager::constraint_manager): Add mgr param. 4670 (constraint_manager::clone): Delete. 4671 (constraint_manager::maybe_get_constant): Delete. 4672 (constraint_manager::get_sid_for_constant): Delete. 4673 (constraint_manager::get_num_svalues): Delete. 4674 (constraint_manager::dump_to_pp): Add "multiline" param. 4675 (constraint_manager::get_equiv_class): Port from svalue_id to 4676 const svalue *. 4677 (constraint_manager::add_constraint): Likewise. 4678 (constraint_manager::get_equiv_class_by_sid): Rename to... 
4679 (constraint_manager::get_equiv_class_by_svalue): ...this, porting 4680 from svalue_id to const svalue *. 4681 (constraint_manager::add_unknown_constraint): New decl. 4682 (constraint_manager::get_or_add_equiv_class): Port from svalue_id 4683 to const svalue *. 4684 (constraint_manager::eval_condition): Likewise. Add overloads. 4685 (constraint_manager::get_ec_bounds): New decl. 4686 (constraint_manager::purge): Convert to template. 4687 (constraint_manager::remap_svalue_ids): Delete. 4688 (constraint_manager::on_liveness_change): New decl. 4689 (constraint_manager::canonicalize): Drop param. 4690 (constraint_manager::clean_merger_input): Delete. 4691 (constraint_manager::m_mgr): New field. 4692 * diagnostic-manager.cc: Move includes of 4693 "analyzer/call-string.h" and "analyzer/program-point.h" to before 4694 "analyzer/region-model.h", and also include "analyzer/store.h" 4695 before it. 4696 (saved_diagnostic::saved_diagnostic): Add "sval" param. 4697 (diagnostic_manager::diagnostic_manager): Add engine param. 4698 (diagnostic_manager::add_diagnostic): Add "sval" param, passing it 4699 to saved_diagnostic ctor. Update overload to pass NULL for it. 4700 (dedupe_winners::dedupe_winners): Add engine param. 4701 (dedupe_winners::add): Add "eg" param. Pass m_engine to 4702 feasible_p. 4703 (dedupe_winner::m_engine): New field. 4704 (diagnostic_manager::emit_saved_diagnostics): Pass engine to 4705 dedupe_winners. Pass &eg when adding candidates. Pass svalue 4706 rather than tree to prune_path. Use get_stmt_location to get 4707 primary location of diagnostic. 4708 (diagnostic_manager::emit_saved_diagnostic): Likewise. 4709 (get_any_origin): Drop. 4710 (state_change_event_creator::on_global_state_change): Pass NULL 4711 const svalue * rather than NULL_TREE trees to state_change_event 4712 ctor. 4713 (state_change_event_creator::on_state_change): Port from tree and 4714 svalue_id to const svalue *. 4715 (for_each_state_change): Port from svalue_id to const svalue *. 
4716 (struct null_assignment_sm_context): New. 4717 (diagnostic_manager::add_events_for_eedge): Add state change 4718 events for assignment to NULL. 4719 (diagnostic_manager::prune_path): Update param from tree to 4720 const svalue *. 4721 (diagnostic_manager::prune_for_sm_diagnostic): Port from tracking 4722 by tree to by const svalue *. 4723 * diagnostic-manager.h (saved_diagnostic::saved_diagnostic): Add sval 4724 param. 4725 (saved_diagnostic::m_sval): New field. 4726 (diagnostic_manager::diagnostic_manager): Add engine param. 4727 (diagnostic_manager::get_engine): New. 4728 (diagnostic_manager::add_diagnostic): Add "sval" param. 4729 (diagnostic_manager::prune_path): Likewise. 4730 (diagnostic_manager::prune_for_sm_diagnostic): New overload. 4731 (diagnostic_manager::m_eng): New field. 4732 * engine.cc: Move includes of "analyzer/call-string.h" and 4733 "analyzer/program-point.h" to before "analyzer/region-model.h", 4734 and also include "analyzer/store.h" before it. 4735 (impl_region_model_context::impl_region_model_context): Update for 4736 removal of m_change field. 4737 (impl_region_model_context::remap_svalue_ids): Delete. 4738 (impl_region_model_context::on_svalue_leak): New. 4739 (impl_region_model_context::on_svalue_purge): Delete. 4740 (impl_region_model_context::on_liveness_change): New. 4741 (impl_region_model_context::on_unknown_change): Update param 4742 from svalue_id to const svalue *. Add is_mutable param. 4743 (setjmp_svalue::compare_fields): Delete. 4744 (setjmp_svalue::accept): New. 4745 (setjmp_svalue::add_to_hash): Delete. 4746 (setjmp_svalue::dump_to_pp): New. 4747 (setjmp_svalue::print_details): Delete. 4748 (impl_sm_context::impl_sm_context): Drop "change" param. 4749 (impl_sm_context::get_fndecl_for_call): Drop "m_change". 4750 (impl_sm_context::on_transition): Drop ATTRIBUTE_UNUSED from 4751 "stmt" param. Drop m_change. Port from svalue_id to 4752 const svalue *. 4753 (impl_sm_context::warn_for_state): Drop m_change. 
Port from 4754 svalue_id to const svalue *. 4755 (impl_sm_context::get_readable_tree): Rename to... 4756 (impl_sm_context::get_diagnostic_tree): ...this. Port from 4757 svalue_id to const svalue *. 4758 (impl_sm_context::is_zero_assignment): New. 4759 (impl_sm_context::m_change): Delete field. 4760 (leak_stmt_finder::find_stmt): Handle m_var being NULL. 4761 (readability): Increase penalty for MEM_REF. For SSA_NAMEs, 4762 slightly favor the underlying var over the SSA name. Heavily 4763 penalize temporaries. Handle RESULT_DECL. 4764 (readability_comparator): Make non-static. Consider stack depths. 4765 (impl_region_model_context::on_state_leak): Convert from svalue_id 4766 to const svalue *, updating for region_model changes. Use 4767 id_equal. 4768 (impl_region_model_context::on_inherited_svalue): Delete. 4769 (impl_region_model_context::on_cast): Delete. 4770 (impl_region_model_context::on_condition): Drop m_change. 4771 (impl_region_model_context::on_phi): Likewise. 4772 (impl_region_model_context::on_unexpected_tree_code): Handle t 4773 being NULL. 4774 (point_and_state::validate): Update stack checking for 4775 region_model changes. 4776 (eg_traits::dump_args_t::show_enode_details_p): New. 4777 (exploded_node::exploded_node): Initialize m_num_processed_stmts. 4778 (exploded_node::get_processed_stmt): New function. 4779 (exploded_node::get_dot_fillcolor): Add more colors. 4780 (exploded_node::dump_dot): Guard the printing of the point and 4781 state with show_enode_details_p. Print the processed stmts for 4782 this enode after the initial state. 4783 (exploded_node::dump_to_pp): Pass true for new multiline param 4784 of program_state::dump_to_pp. 4785 (exploded_node::on_stmt): Drop "change" param. Log the stmt. 4786 Set input_location. Implement __analyzer_describe. Update 4787 implementation of __analyzer_dump and __analyzer_eval. 4788 Remove purging of sm-state for unknown fncalls from here. 4789 (exploded_node::on_edge): Drop "change" param. 
4790 (exploded_node::on_longjmp): Port from region_id/svalue_id to 4791 const region */const svalue *. Call program_state::detect_leaks. 4792 Drop state_change. 4793 (exploded_node::detect_leaks): Update for changes to region_model. 4794 Call program_state::detect_leaks. 4795 (exploded_edge::exploded_edge): Drop ext_state and change params. 4796 (exploded_edge::dump_dot): "args" is no longer used. Drop dumping 4797 of m_change. 4798 (exploded_graph::exploded_graph): Pass engine to 4799 m_diagnostic_manager ctor. Use program_point::origin. 4800 (exploded_graph::add_function_entry): Drop ctxt. Use 4801 program_state::push_frame. Drop state_change. 4802 (exploded_graph::get_or_create_node): Drop "change" param. Add 4803 "enode_for_diag" param. Update dumping calls for API changes. 4804 Pass point to can_merge_with_p. Show enode indices 4805 within -Wanalyzer-too-complex diagnostic for hitting the per-point 4806 limit. 4807 (exploded_graph::add_edge): Drop "change" param. Log which nodes 4808 are being connected. Update for changes to exploded_edge ctor. 4809 (exploded_graph::get_per_program_point_data): New. 4810 (exploded_graph::process_worklist): Pass point to 4811 can_merge_with_p. Drop state_change. Update dumping call for API 4812 change. 4813 (exploded_graph::process_node): Drop state_change. Split the 4814 node in-place if an sm-state-change occurs. Update 4815 m_num_processed_stmts. Update dumping calls for API change. 4816 (exploded_graph::log_stats): Call engine::log_stats. 4817 (exploded_graph::dump_states_for_supernode): Update dumping 4818 call. 4819 (exploded_path::feasible_p): Add "eng" and "eg" params. 4820 Rename "i" to "end_idx". Pass the manager to the region_model 4821 ctor. Update for every processed stmt in the enode, not just the 4822 first. Keep track of which snodes have been visited, and call 4823 loop_replay_fixup when revisiting one. 4824 (enode_label::get_text): Update dump call for new param. 
4825 (exploded_graph::dump_exploded_nodes): Likewise. 4826 (exploded_graph::get_node_by_index): New. 4827 (impl_run_checkers): Create engine instance and pass its address 4828 to extrinsic_state ctor. 4829 * exploded-graph.h 4830 (impl_region_model_context::impl_region_model_context): Drop 4831 "change" params. 4832 (impl_region_model_context::void remap_svalue_ids): Delete. 4833 (impl_region_model_context::on_svalue_purge): Delete. 4834 (impl_region_model_context::on_svalue_leak): New. 4835 (impl_region_model_context::on_liveness_change): New. 4836 (impl_region_model_context::on_state_leak): Update signature. 4837 (impl_region_model_context::on_inherited_svalue): Delete. 4838 (impl_region_model_context::on_cast): Delete. 4839 (impl_region_model_context::on_unknown_change): Update signature. 4840 (impl_region_model_context::m_change): Delete. 4841 (eg_traits::dump_args_t::show_enode_details_p): New. 4842 (exploded_node::on_stmt): Drop "change" param. 4843 (exploded_node::on_edge): Likewise. 4844 (exploded_node::get_processed_stmt): New decl. 4845 (exploded_node::m_num_processed_stmts): New field. 4846 (exploded_edge::exploded_edge): Drop ext_state and change params. 4847 (exploded_edge::m_change): Delete. 4848 (exploded_graph::get_engine): New accessor. 4849 (exploded_graph::get_or_create_node): Drop "change" param. Add 4850 "enode_for_diag" param. 4851 (exploded_graph::add_edge): Drop "change" param. 4852 (exploded_graph::get_per_program_point_data): New decl. 4853 (exploded_graph::get_node_by_index): New decl. 4854 (exploded_path::feasible_p): Add "eng" and "eg" params. 4855 * program-point.cc: Include "analyzer/store.h" before including 4856 "analyzer/region-model.h". 4857 (function_point::function_point): Move here from 4858 program-point.h. 4859 (function_point::get_function): Likewise. 4860 (function_point::from_function_entry): Likewise. 4861 (function_point::before_supernode): Likewise. 4862 (function_point::next_stmt): New function. 
4863 * program-point.h (function_point::function_point): Move 4864 implementation from here to program-point.cc. 4865 (function_point::get_function): Likewise. 4866 (function_point::from_function_entry): Likewise. 4867 (function_point::before_supernode): Likewise. 4868 (function_point::next_stmt): New decl. 4869 (program_point::operator!=): New. 4870 (program_point::origin): New. 4871 (program_point::next_stmt): New. 4872 (program_point::m_function_point): Make non-const. 4873 * program-state.cc: Move includes of "analyzer/call-string.h" and 4874 "analyzer/program-point.h" to before "analyzer/region-model.h", 4875 and also include "analyzer/store.h" before it. 4876 (extrinsic_state::get_model_manager): New. 4877 (sm_state_map::sm_state_map): Pass in sm and sm_idx to ctor, 4878 rather than pass the around. 4879 (sm_state_map::clone_with_remapping): Delete. 4880 (sm_state_map::print): Remove "sm" param in favor of "m_sm". Add 4881 "simple" and "multiline" params and support multiline vs single 4882 line dumping. 4883 (sm_state_map::dump): Remove "sm" param in favor of "m_sm". Add 4884 "simple" param. 4885 (sm_state_map::hash): Port from svalue_id to const svalue *. 4886 (sm_state_map::operator==): Likewise. 4887 (sm_state_map::get_state): Likewise. Call canonicalize_svalue on 4888 input. Handle inheritance of sm-state. Call get_default_state. 4889 (sm_state_map::get_origin): Port from svalue_id to const svalue *. 4890 (sm_state_map::set_state): Likewise. Pass in ext_state. Reject 4891 attempts to set state on UNKNOWN. 4892 (sm_state_map::impl_set_state): Port from svalue_id to 4893 const svalue *. Pass in ext_state. Call canonicalize_svalue on 4894 input. 4895 (sm_state_map::purge_for_unknown_fncall): Delete. 4896 (sm_state_map::on_svalue_leak): New. 4897 (sm_state_map::remap_svalue_ids): Delete. 4898 (sm_state_map::on_liveness_change): New. 4899 (sm_state_map::on_unknown_change): Reimplement. 4900 (sm_state_map::on_svalue_purge): Delete. 
4901 (sm_state_map::on_inherited_svalue): Delete. 4902 (sm_state_map::on_cast): Delete. 4903 (sm_state_map::validate): Delete. 4904 (sm_state_map::canonicalize_svalue): New. 4905 (program_state::program_state): Update to pass manager to 4906 region_model's ctor. Constify num_states and pass state machine 4907 and index to sm_state_map ctor. 4908 (program_state::print): Update for changes to dump API. 4909 (program_state::dump_to_pp): Ignore the summarize param. Add 4910 "multiline" param. 4911 (program_state::dump_to_file): Add "multiline" param. 4912 (program_state::dump): Pass "true" for new "multiline" param. 4913 (program_state::push_frame): New. 4914 (program_state::on_edge): Drop "change" param. Call 4915 program_state::detect_leaks. 4916 (program_state::prune_for_point): Add enode_for_diag param. 4917 Reimplement based on store class. Call detect_leaks 4918 (program_state::remap_svalue_ids): Delete. 4919 (program_state::get_representative_tree): Port from svalue_id to 4920 const svalue *. 4921 (program_state::can_merge_with_p): Add "point" param. Add early 4922 reject for sm-differences. Drop id remapping. 4923 (program_state::validate): Drop region model and sm_state_map 4924 validation. 4925 (state_change::sm_change::dump): Delete. 4926 (state_change::sm_change::remap_svalue_ids): Delete. 4927 (state_change::sm_change::on_svalue_purge): Delete. 4928 (log_set_of_svalues): New. 4929 (state_change::sm_change::validate): Delete. 4930 (state_change::state_change): Delete. 4931 (state_change::add_sm_change): Delete. 4932 (state_change::affects_p): Delete. 4933 (state_change::dump): Delete. 4934 (state_change::remap_svalue_ids): Delete. 4935 (state_change::on_svalue_purge): Delete. 4936 (state_change::validate): Delete. 4937 (selftest::assert_dump_eq): Delete. 4938 (ASSERT_DUMP_EQ): Delete. 4939 (selftest::test_sm_state_map): Update for changes to region_model 4940 and sm_state_map, porting from svalue_id to const svalue *. 
4941 (selftest::test_program_state_dumping): Likewise. Drop test of 4942 dumping, renaming to... 4943 (selftest::test_program_state_1): ...this. 4944 (selftest::test_program_state_dumping_2): Likewise, renaming to... 4945 (selftest::test_program_state_2): ...this. 4946 (selftest::test_program_state_merging): Update for changes to 4947 region_model. 4948 (selftest::test_program_state_merging_2): Likewise. 4949 (selftest::analyzer_program_state_cc_tests): Update for renamed 4950 tests. 4951 * program-state.h (extrinsic_state::extrinsic_state): Add logger 4952 and engine params. 4953 (extrinsic_state::get_logger): New accessor. 4954 (extrinsic_state::get_engine): New accessor. 4955 (extrinsic_state::get_model_manager): New accessor. 4956 (extrinsic_state::m_logger): New field. 4957 (extrinsic_state::m_engine): New field. 4958 (struct default_hash_traits<svalue_id>): Delete. 4959 (pod_hash_traits<svalue_id>::hash): Delete. 4960 (pod_hash_traits<svalue_id>::equal): Delete. 4961 (pod_hash_traits<svalue_id>::mark_deleted): Delete. 4962 (pod_hash_traits<svalue_id>::mark_empty): Delete. 4963 (pod_hash_traits<svalue_id>::is_deleted): Delete. 4964 (pod_hash_traits<svalue_id>::is_empty): Delete. 4965 (sm_state_map::entry_t::entry_t): Port from svalue_id to 4966 const svalue *. 4967 (sm_state_map::entry_t::m_origin): Likewise. 4968 (sm_state_map::map_t): Likewise. 4969 (sm_state_map::sm_state_map): Add state_machine and index params. 4970 (sm_state_map::clone_with_remapping): Delete. 4971 (sm_state_map::print): Drop sm param; add simple and multiline 4972 params. 4973 (sm_state_map::dump): Drop sm param; add simple param. 4974 (sm_state_map::get_state): Port from svalue_id to const svalue *. 4975 Add ext_state param. 4976 (sm_state_map::get_origin): Likewise. 4977 (sm_state_map::set_state): Likewise. 4978 (sm_state_map::impl_set_state): Likewise. 4979 (sm_state_map::purge_for_unknown_fncall): Delete. 4980 (sm_state_map::remap_svalue_ids): Delete. 
4981 (sm_state_map::on_svalue_purge): Delete. 4982 (sm_state_map::on_svalue_leak): New. 4983 (sm_state_map::on_liveness_change): New. 4984 (sm_state_map::on_inherited_svalue): Delete. 4985 (sm_state_map::on_cast): Delete. 4986 (sm_state_map::validate): Delete. 4987 (sm_state_map::on_unknown_change): Port from svalue_id to 4988 const svalue *. Add is_mutable and ext_state params. 4989 (sm_state_map::canonicalize_svalue): New. 4990 (sm_state_map::m_sm): New field. 4991 (sm_state_map::m_sm_idx): New field. 4992 (program_state::operator=): Delete. 4993 (program_state::dump_to_pp): Drop "summarize" param, adding 4994 "simple" and "multiline". 4995 (program_state::dump_to_file): Likewise. 4996 (program_state::dump): Rename "summarize" to "simple". 4997 (program_state::push_frame): New. 4998 (program_state::get_current_function): New. 4999 (program_state::on_edge): Drop "change" param. 5000 (program_state::prune_for_point): Likewise. Add enode_for_diag 5001 param. 5002 (program_state::remap_svalue_ids): Delete. 5003 (program_state::get_representative_tree): Port from svalue_id to 5004 const svalue *. 5005 (program_state::can_purge_p): Likewise. Pass ext_state to get_state. 5006 (program_state::can_merge_with_p): Add point param. 5007 (program_state::detect_leaks): New. 5008 (state_change_visitor::on_state_change): Port from tree and 5009 svalue_id to a pair of const svalue *. 5010 (class state_change): Delete. 5011 * region.cc: New file. 5012 * region-model-impl-calls.cc: New file. 5013 * region-model-manager.cc: New file. 5014 * region-model-reachability.cc: New file. 5015 * region-model-reachability.h: New file. 5016 * region-model.cc: Include "analyzer/call-string.h", 5017 "analyzer/program-point.h", and "analyzer/store.h" before 5018 "analyzer/region-model.h". Include 5019 "analyzer/region-model-reachability.h". 5020 (dump_tree): Make non-static. 5021 (dump_quoted_tree): Make non-static. 5022 (print_quoted_type): Make non-static. 5023 (path_var::dump): Delete. 
5024 (dump_separator): Delete. 5025 (class impl_constraint_manager): Delete. 5026 (svalue_id::print): Delete. 5027 (svalue_id::dump_node_name_to_pp): Delete. 5028 (svalue_id::validate): Delete. 5029 (region_id::print): Delete. 5030 (region_id::dump_node_name_to_pp): Delete. 5031 (region_id::validate): Delete. 5032 (region_id_set::region_id_set): Delete. 5033 (svalue_id_set::svalue_id_set): Delete. 5034 (svalue::operator==): Delete. 5035 (svalue::hash): Delete. 5036 (svalue::print): Delete. 5037 (svalue::dump_dot_to_pp): Delete. 5038 (svalue::remap_region_ids): Delete. 5039 (svalue::walk_for_canonicalization): Delete. 5040 (svalue::get_child_sid): Delete. 5041 (svalue::maybe_get_constant): Delete. 5042 (region_svalue::compare_fields): Delete. 5043 (region_svalue::add_to_hash): Delete. 5044 (region_svalue::print_details): Delete. 5045 (region_svalue::dump_dot_to_pp): Delete. 5046 (region_svalue::remap_region_ids): Delete. 5047 (region_svalue::merge_values): Delete. 5048 (region_svalue::walk_for_canonicalization): Delete. 5049 (region_svalue::eval_condition): Delete. 5050 (constant_svalue::compare_fields): Delete. 5051 (constant_svalue::add_to_hash): Delete. 5052 (constant_svalue::merge_values): Delete. 5053 (constant_svalue::eval_condition): Move to svalue.cc. 5054 (constant_svalue::print_details): Delete. 5055 (constant_svalue::get_child_sid): Delete. 5056 (unknown_svalue::compare_fields): Delete. 5057 (unknown_svalue::add_to_hash): Delete. 5058 (unknown_svalue::print_details): Delete. 5059 (poison_kind_to_str): Move to svalue.cc. 5060 (poisoned_svalue::compare_fields): Delete. 5061 (poisoned_svalue::add_to_hash): Delete. 5062 (poisoned_svalue::print_details): Delete. 5063 (region_kind_to_str): Move to region.cc and reimplement. 5064 (region::operator==): Delete. 5065 (region::get_parent_region): Delete. 5066 (region::set_value): Delete. 5067 (region::become_active_view): Delete. 5068 (region::deactivate_any_active_view): Delete. 
5069 (region::deactivate_view): Delete. 5070 (region::get_value): Delete. 5071 (region::get_inherited_child_sid): Delete. 5072 (region_model::copy_region): Delete. 5073 (region_model::copy_struct_region): Delete. 5074 (region_model::copy_union_region): Delete. 5075 (region_model::copy_array_region): Delete. 5076 (region::hash): Delete. 5077 (region::print): Delete. 5078 (region::dump_dot_to_pp): Delete. 5079 (region::dump_to_pp): Delete. 5080 (region::dump_child_label): Delete. 5081 (region::validate): Delete. 5082 (region::remap_svalue_ids): Delete. 5083 (region::remap_region_ids): Delete. 5084 (region::add_view): Delete. 5085 (region::get_view): Delete. 5086 (region::region): Move to region.cc. 5087 (region::add_to_hash): Delete. 5088 (region::print_fields): Delete. 5089 (region::non_null_p): Delete. 5090 (primitive_region::clone): Delete. 5091 (primitive_region::walk_for_canonicalization): Delete. 5092 (map_region::map_region): Delete. 5093 (map_region::compare_fields): Delete. 5094 (map_region::print_fields): Delete. 5095 (map_region::validate): Delete. 5096 (map_region::dump_dot_to_pp): Delete. 5097 (map_region::dump_child_label): Delete. 5098 (map_region::get_or_create): Delete. 5099 (map_region::get): Delete. 5100 (map_region::add_to_hash): Delete. 5101 (map_region::remap_region_ids): Delete. 5102 (map_region::unbind): Delete. 5103 (map_region::get_tree_for_child_region): Delete. 5104 (map_region::get_tree_for_child_region): Delete. 5105 (tree_cmp): Move to region.cc. 5106 (map_region::can_merge_p): Delete. 5107 (map_region::walk_for_canonicalization): Delete. 5108 (map_region::get_value_by_name): Delete. 5109 (struct_or_union_region::valid_key_p): Delete. 5110 (struct_or_union_region::compare_fields): Delete. 5111 (struct_region::clone): Delete. 5112 (struct_region::compare_fields): Delete. 5113 (union_region::clone): Delete. 5114 (union_region::compare_fields): Delete. 5115 (frame_region::compare_fields): Delete. 5116 (frame_region::clone): Delete. 
	(frame_region::valid_key_p): Delete.
	(frame_region::print_fields): Delete.
	(frame_region::add_to_hash): Delete.
	(globals_region::compare_fields): Delete.
	(globals_region::clone): Delete.
	(globals_region::valid_key_p): Delete.
	(code_region::compare_fields): Delete.
	(code_region::clone): Delete.
	(code_region::valid_key_p): Delete.
	(array_region::array_region): Delete.
	(array_region::get_element): Delete.
	(array_region::clone): Delete.
	(array_region::compare_fields): Delete.
	(array_region::print_fields): Delete.
	(array_region::validate): Delete.
	(array_region::dump_dot_to_pp): Delete.
	(array_region::dump_child_label): Delete.
	(array_region::get_or_create): Delete.
	(array_region::get): Delete.
	(array_region::add_to_hash): Delete.
	(array_region::remap_region_ids): Delete.
	(array_region::get_key_for_child_region): Delete.
	(array_region::key_cmp): Delete.
	(array_region::walk_for_canonicalization): Delete.
	(array_region::key_from_constant): Delete.
	(array_region::constant_from_key): Delete.
	(function_region::compare_fields): Delete.
	(function_region::clone): Delete.
	(function_region::valid_key_p): Delete.
	(stack_region::stack_region): Delete.
	(stack_region::compare_fields): Delete.
	(stack_region::clone): Delete.
	(stack_region::print_fields): Delete.
	(stack_region::dump_child_label): Delete.
	(stack_region::validate): Delete.
	(stack_region::push_frame): Delete.
	(stack_region::get_current_frame_id): Delete.
	(stack_region::pop_frame): Delete.
	(stack_region::add_to_hash): Delete.
	(stack_region::remap_region_ids): Delete.
	(stack_region::can_merge_p): Delete.
	(stack_region::walk_for_canonicalization): Delete.
	(stack_region::get_value_by_name): Delete.
	(heap_region::heap_region): Delete.
	(heap_region::compare_fields): Delete.
	(heap_region::clone): Delete.
	(heap_region::walk_for_canonicalization): Delete.
	(root_region::root_region): Delete.
	(root_region::compare_fields): Delete.
	(root_region::clone): Delete.
	(root_region::print_fields): Delete.
	(root_region::validate): Delete.
	(root_region::dump_child_label): Delete.
	(root_region::push_frame): Delete.
	(root_region::get_current_frame_id): Delete.
	(root_region::pop_frame): Delete.
	(root_region::ensure_stack_region): Delete.
	(root_region::get_stack_region): Delete.
	(root_region::ensure_globals_region): Delete.
	(root_region::get_code_region): Delete.
	(root_region::ensure_code_region): Delete.
	(root_region::get_globals_region): Delete.
	(root_region::ensure_heap_region): Delete.
	(root_region::get_heap_region): Delete.
	(root_region::remap_region_ids): Delete.
	(root_region::can_merge_p): Delete.
	(root_region::add_to_hash): Delete.
	(root_region::walk_for_canonicalization): Delete.
	(root_region::get_value_by_name): Delete.
	(symbolic_region::symbolic_region): Delete.
	(symbolic_region::compare_fields): Delete.
	(symbolic_region::clone): Delete.
	(symbolic_region::walk_for_canonicalization): Delete.
	(symbolic_region::print_fields): Delete.
	(region_model::region_model): Add region_model_manager * param.
	Reimplement in terms of store, dropping impl_constraint_manager
	subclass.
	(region_model::operator=): Reimplement in terms of store.
	(region_model::operator==): Likewise.
	(region_model::hash): Likewise.
	(region_model::print): Delete.
	(region_model::print_svalue): Delete.
	(region_model::dump_dot_to_pp): Delete.
	(region_model::dump_dot_to_file): Delete.
	(region_model::dump_dot): Delete.
	(region_model::dump_to_pp): Replace "summarize" param with
	"simple" and "multiline". Port to store-based implementation.
	(region_model::dump): Replace "summarize" param with "simple" and
	"multiline".
	(dump_vec_of_tree): Delete.
	(region_model::dump_summary_of_rep_path_vars): Delete.
	(region_model::validate): Delete.
	(svalue_id_cmp_by_constant_svalue_model): Delete.
	(svalue_id_cmp_by_constant_svalue): Delete.
	(region_model::canonicalize): Drop "ctxt" param. Reimplement in
	terms of store and constraints.
	(region_model::canonicalized_p): Remove NULL arg to canonicalize.
	(region_model::loop_replay_fixup): New.
	(poisoned_value_diagnostic::emit): Tweak wording of warnings.
	(region_model::check_for_poison): Delete.
	(region_model::get_gassign_result): New.
	(region_model::on_assignment): Port to store-based implementation.
	(region_model::on_call_pre): Delete calls to check_for_poison.
	Move implementations to region-model-impl-calls.c and port to
	store-based implementation.
	(region_model::on_call_post): Likewise.
	(class reachable_regions): Move to region-model-reachability.h/cc
	and port to store-based implementation.
	(region_model::handle_unrecognized_call): Port to store-based
	implementation.
	(region_model::get_reachable_svalues): New.
	(region_model::on_setjmp): Port to store-based implementation.
	(region_model::on_longjmp): Likewise.
	(region_model::handle_phi): Drop is_back_edge param and the logic
	using it.
	(region_model::get_lvalue_1): Port from region_id to const region *.
	(region_model::make_region_for_unexpected_tree_code): Delete.
	(assert_compat_types): If the check fails, use internal_error to
	show the types.
	(region_model::get_lvalue): Port from region_id to const region *.
	(region_model::get_rvalue_1): Port from svalue_id to const svalue *.
	(region_model::get_rvalue): Likewise.
	(region_model::get_or_create_ptr_svalue): Delete.
	(region_model::get_or_create_constant_svalue): Delete.
	(region_model::get_svalue_for_fndecl): Delete.
	(region_model::get_region_for_fndecl): Delete.
	(region_model::get_svalue_for_label): Delete.
	(region_model::get_region_for_label): Delete.
	(build_cast): Delete.
	(region_model::maybe_cast_1): Delete.
	(region_model::maybe_cast): Delete.
	(region_model::get_field_region): Delete.
	(region_model::get_store_value): New.
	(region_model::region_exists_p): New.
	(region_model::deref_rvalue): Port from svalue_id to const svalue *.
	(region_model::set_value): Likewise.
	(region_model::clobber_region): New.
	(region_model::purge_region): New.
	(region_model::zero_fill_region): New.
	(region_model::mark_region_as_unknown): New.
	(region_model::eval_condition): Port from svalue_id to
	const svalue *.
	(region_model::eval_condition_without_cm): Likewise.
	(region_model::compare_initial_and_pointer): New.
	(region_model::add_constraint): Port from svalue_id to
	const svalue *.
	(region_model::maybe_get_constant): Delete.
	(region_model::get_representative_path_var): New.
	(region_model::add_new_malloc_region): Delete.
	(region_model::get_representative_tree): Port to const svalue *.
	(region_model::get_representative_path_var): Port to
	const region *.
	(region_model::get_path_vars_for_svalue): Delete.
	(region_model::set_to_new_unknown_value): Delete.
	(region_model::update_for_phis): Don't pass is_back_edge to handle_phi.
	(region_model::update_for_call_superedge): Port from svalue_id to
	const svalue *.
	(region_model::update_for_return_superedge): Port to store-based
	implementation.
	(region_model::update_for_call_summary): Replace
	set_to_new_unknown_value with mark_region_as_unknown.
	(region_model::get_root_region): Delete.
	(region_model::get_stack_region_id): Delete.
	(region_model::push_frame): Delete.
	(region_model::get_current_frame_id): Delete.
	(region_model::get_current_function): Delete.
	(region_model::pop_frame): Delete.
	(region_model::on_top_level_param): New.
	(region_model::get_stack_depth): Delete.
	(region_model::get_function_at_depth): Delete.
	(region_model::get_globals_region_id): Delete.
	(region_model::add_svalue): Delete.
	(region_model::replace_svalue): Delete.
	(region_model::add_region): Delete.
	(region_model::get_svalue): Delete.
	(region_model::get_region): Delete.
	(make_region_for_type): Delete.
	(region_model::add_region_for_type): Delete.
	(region_model::on_top_level_param): New.
	(class restrict_to_used_svalues): Delete.
	(region_model::purge_unused_svalues): Delete.
	(region_model::push_frame): New.
	(region_model::remap_svalue_ids): Delete.
	(region_model::remap_region_ids): Delete.
	(region_model::purge_regions): Delete.
	(region_model::get_descendents): Delete.
	(region_model::delete_region_and_descendents): Delete.
	(region_model::poison_any_pointers_to_bad_regions): Delete.
	(region_model::can_merge_with_p): Delete.
	(region_model::get_current_function): New.
	(region_model::get_value_by_name): Delete.
	(region_model::convert_byte_offset_to_array_index): Delete.
	(region_model::pop_frame): New.
	(region_model::get_or_create_mem_ref): Delete.
	(region_model::get_stack_depth): New.
	(region_model::get_frame_at_index): New.
	(region_model::unbind_region_and_descendents): New.
	(struct bad_pointer_finder): New.
	(region_model::get_or_create_pointer_plus_expr): Delete.
	(region_model::poison_any_pointers_to_descendents): New.
	(region_model::get_or_create_view): Delete.
	(region_model::can_merge_with_p): New.
	(region_model::get_fndecl_for_call): Port from svalue_id to
	const svalue *.
	(struct append_ssa_names_cb_data): New.
	(get_ssa_name_regions_for_current_frame): New.
	(region_model::append_ssa_names_cb): New.
	(model_merger::dump_to_pp): Add "simple" param. Drop dumping of
	remappings.
	(model_merger::dump): Add "simple" param to both overloads.
	(model_merger::can_merge_values_p): Delete.
	(model_merger::record_regions): Delete.
	(model_merger::record_svalues): Delete.
	(svalue_id_merger_mapping::svalue_id_merger_mapping): Delete.
	(svalue_id_merger_mapping::dump_to_pp): Delete.
	(svalue_id_merger_mapping::dump): Delete.
	(region_model::create_region_for_heap_alloc): New.
	(region_model::create_region_for_alloca): New.
	(region_model::record_dynamic_extents): New.
	(canonicalization::canonicalization): Delete.
	(canonicalization::walk_rid): Delete.
	(canonicalization::walk_sid): Delete.
	(canonicalization::dump_to_pp): Delete.
	(canonicalization::dump): Delete.
	(inchash::add): Delete overloads for svalue_id and region_id.
	(engine::log_stats): New.
	(assert_condition): Add overload comparing svalues.
	(assert_dump_eq): Pass "true" for multiline.
	(selftest::test_dump): Update for rewrite of region_model.
	(selftest::test_dump_2): Rename to...
	(selftest::test_struct): ...this. Provide a region_model_manager
	when creating region_model instance. Remove dump test. Add
	checks for get_offset.
	(selftest::test_dump_3): Rename to...
	(selftest::test_array_1): ...this. Provide a region_model_manager
	when creating region_model instance. Remove dump test.
	(selftest::test_get_representative_tree): Port from svalue_id to
	new API. Add test coverage for various expressions.
	(selftest::test_unique_constants): Provide a region_model_manager
	for the region_model. Add test coverage for comparing const vs
	non-const.
	(selftest::test_svalue_equality): Delete.
	(selftest::test_region_equality): Delete.
	(selftest::test_unique_unknowns): New.
	(class purge_all_svalue_ids): Delete.
	(class purge_one_svalue_id): Delete.
	(selftest::test_purging_by_criteria): Delete.
	(selftest::test_initial_svalue_folding): New.
	(selftest::test_unaryop_svalue_folding): New.
	(selftest::test_binop_svalue_folding): New.
	(selftest::test_sub_svalue_folding): New.
	(selftest::test_purge_unused_svalues): Delete.
	(selftest::test_descendent_of_p): New.
	(selftest::test_assignment): Provide a region_model_manager for
	the region_model. Drop the dump test.
	(selftest::test_compound_assignment): Likewise.
	(selftest::test_stack_frames): Port to new implementation.
	(selftest::test_get_representative_path_var): Likewise.
	(selftest::test_canonicalization_1): Rename to...
	(selftest::test_equality_1): ...this. Port to new API, and add
	(selftest::test_canonicalization_2): Provide a
	region_model_manager when creating region_model instances.
	Remove redundant canonicalization.
	(selftest::test_canonicalization_3): Provide a
	region_model_manager when creating region_model instances.
	Remove param from calls to region_model::canonicalize.
	(selftest::test_canonicalization_4): Likewise.
	(selftest::assert_region_models_merge): Constify
	out_merged_svalue. Port to new API.
	(selftest::test_state_merging): Provide a
	region_model_manager when creating region_model instances.
	Provide a program_point point when merging them. Replace
	set_to_new_unknown_value with usage of placeholder_svalues.
	Drop get_value_by_name. Port from svalue_id to const svalue *.
	Add test of heap allocation.
	(selftest::test_constraint_merging): Provide a
	region_model_manager when creating region_model instances.
	Provide a program_point point when merging them. Eliminate use
	of set_to_new_unknown_value.
	(selftest::test_widening_constraints): New.
	(selftest::test_iteration_1): New.
	(selftest::test_malloc_constraints): Port to store-based
	implementation.
	(selftest::test_var): New test.
	(selftest::test_array_2): New test.
	(selftest::test_mem_ref): New test.
	(selftest::test_POINTER_PLUS_EXPR_then_MEM_REF): New.
	(selftest::test_malloc): New.
	(selftest::test_alloca): New.
	(selftest::analyzer_region_model_cc_tests): Update for renamings.
	Call new functions.
	* region-model.h (class path_var): Move to analyzer.h.
	(class svalue_id): Delete.
	(class region_id): Delete.
	(class id_map): Delete.
	(svalue_id_map): Delete.
	(region_id_map): Delete.
	(id_map<T>::id_map): Delete.
	(id_map<T>::put): Delete.
	(id_map<T>::get_dst_for_src): Delete.
	(id_map<T>::get_src_for_dst): Delete.
	(id_map<T>::dump_to_pp): Delete.
	(id_map<T>::dump): Delete.
	(id_map<T>::update): Delete.
	(one_way_svalue_id_map): Delete.
	(one_way_region_id_map): Delete.
	(class region_id_set): Delete.
	(class svalue_id_set): Delete.
	(struct complexity): New.
	(class visitor): New.
	(enum svalue_kind): Add SK_SETJMP, SK_INITIAL, SK_UNARYOP,
	SK_BINOP, SK_SUB, SK_UNMERGEABLE, SK_PLACEHOLDER, SK_WIDENING,
	SK_COMPOUND, and SK_CONJURED.
	(svalue::operator==): Delete.
	(svalue::operator!=): Delete.
	(svalue::clone): Delete.
	(svalue::hash): Delete.
	(svalue::dump_dot_to_pp): Delete.
	(svalue::dump_to_pp): New.
	(svalue::dump): New.
	(svalue::get_desc): New.
	(svalue::dyn_cast_initial_svalue): New.
	(svalue::dyn_cast_unaryop_svalue): New.
	(svalue::dyn_cast_binop_svalue): New.
	(svalue::dyn_cast_sub_svalue): New.
	(svalue::dyn_cast_unmergeable_svalue): New.
	(svalue::dyn_cast_widening_svalue): New.
	(svalue::dyn_cast_compound_svalue): New.
	(svalue::dyn_cast_conjured_svalue): New.
	(svalue::maybe_undo_cast): New.
	(svalue::unwrap_any_unmergeable): New.
	(svalue::remap_region_ids): Delete.
	(svalue::can_merge_p): New.
	(svalue::walk_for_canonicalization): Delete.
	(svalue::get_complexity): New.
	(svalue::get_child_sid): Delete.
	(svalue::accept): New.
	(svalue::live_p): New.
	(svalue::implicitly_live_p): New.
	(svalue::svalue): Add complexity param.
	(svalue::add_to_hash): Delete.
	(svalue::print_details): Delete.
	(svalue::m_complexity): New field.
	(region_svalue::key_t): New struct.
	(region_svalue::region_svalue): Port from region_id to
	const region_id *. Add complexity.
	(region_svalue::compare_fields): Delete.
	(region_svalue::clone): Delete.
	(region_svalue::dump_dot_to_pp): Delete.
	(region_svalue::get_pointee): Port from region_id to
	const region_id *.
	(region_svalue::remap_region_ids): Delete.
	(region_svalue::merge_values): Delete.
	(region_svalue::dump_to_pp): New.
	(region_svalue::accept): New.
	(region_svalue::walk_for_canonicalization): Delete.
	(region_svalue::eval_condition): Make params const.
	(region_svalue::add_to_hash): Delete.
	(region_svalue::print_details): Delete.
	(region_svalue::m_rid): Replace with...
	(region_svalue::m_reg): ...this.
	(is_a_helper <region_svalue *>::test): Convert to...
	(is_a_helper <const region_svalue *>::test): ...this.
	(template <> struct default_hash_traits<region_svalue::key_t>):
	New.
	(constant_svalue::constant_svalue): Add complexity.
	(constant_svalue::compare_fields): Delete.
	(constant_svalue::clone): Delete.
	(constant_svalue::add_to_hash): Delete.
	(constant_svalue::dump_to_pp): New.
	(constant_svalue::accept): New.
	(constant_svalue::implicitly_live_p): New.
	(constant_svalue::merge_values): Delete.
	(constant_svalue::eval_condition): Make params const.
	(constant_svalue::get_child_sid): Delete.
	(constant_svalue::print_details): Delete.
	(is_a_helper <constant_svalue *>::test): Convert to...
	(is_a_helper <const constant_svalue *>::test): ...this.
	(class unknown_svalue): Update leading comment.
	(unknown_svalue::unknown_svalue): Add complexity.
	(unknown_svalue::compare_fields): Delete.
	(unknown_svalue::add_to_hash): Delete.
	(unknown_svalue::dyn_cast_unknown_svalue): Delete.
	(unknown_svalue::print_details): Delete.
	(unknown_svalue::dump_to_pp): New.
	(unknown_svalue::accept): New.
	(poisoned_svalue::key_t): New struct.
	(poisoned_svalue::poisoned_svalue): Add complexity.
	(poisoned_svalue::compare_fields): Delete.
	(poisoned_svalue::clone): Delete.
	(poisoned_svalue::add_to_hash): Delete.
	(poisoned_svalue::dump_to_pp): New.
	(poisoned_svalue::accept): New.
	(poisoned_svalue::print_details): Delete.
	(is_a_helper <poisoned_svalue *>::test): Convert to...
	(is_a_helper <const poisoned_svalue *>::test): ...this.
	(template <> struct default_hash_traits<poisoned_svalue::key_t>):
	New.
	(setjmp_record::add_to_hash): New.
	(setjmp_svalue::key_t): New struct.
	(setjmp_svalue::compare_fields): Delete.
	(setjmp_svalue::clone): Delete.
	(setjmp_svalue::add_to_hash): Delete.
	(setjmp_svalue::setjmp_svalue): Add complexity.
	(setjmp_svalue::dump_to_pp): New.
	(setjmp_svalue::accept): New.
	(setjmp_svalue::void print_details): Delete.
	(is_a_helper <const setjmp_svalue *>::test): New.
	(template <> struct default_hash_traits<setjmp_svalue::key_t>): New.
	(class initial_svalue : public svalue): New.
	(is_a_helper <const initial_svalue *>::test): New.
	(class unaryop_svalue): New.
	(is_a_helper <const unaryop_svalue *>::test): New.
	(template <> struct default_hash_traits<unaryop_svalue::key_t>): New.
	(class binop_svalue): New.
	(is_a_helper <const binop_svalue *>::test): New.
	(template <> struct default_hash_traits<binop_svalue::key_t>): New.
	(class sub_svalue): New.
	(is_a_helper <const sub_svalue *>::test): New.
	(template <> struct default_hash_traits<sub_svalue::key_t>): New.
	(class unmergeable_svalue): New.
	(is_a_helper <const unmergeable_svalue *>::test): New.
	(class placeholder_svalue): New.
	(is_a_helper <placeholder_svalue *>::test): New.
	(class widening_svalue): New.
	(is_a_helper <widening_svalue *>::test): New.
	(template <> struct default_hash_traits<widening_svalue::key_t>): New.
	(class compound_svalue): New.
	(is_a_helper <compound_svalue *>::test): New.
	(template <> struct default_hash_traits<compound_svalue::key_t>): New.
	(class conjured_svalue): New.
	(is_a_helper <conjured_svalue *>::test): New.
	(template <> struct default_hash_traits<conjured_svalue::key_t>): New.
	(enum region_kind): Delete RK_PRIMITIVE, RK_STRUCT, RK_UNION, and
	RK_ARRAY. Add RK_LABEL, RK_DECL, RK_FIELD, RK_ELEMENT, RK_OFFSET,
	RK_CAST, RK_HEAP_ALLOCATED, RK_ALLOCA, RK_STRING, and RK_UNKNOWN.
	(region_kind_to_str): Delete.
	(region::~region): Move implementation to region.cc.
	(region::operator==): Delete.
	(region::operator!=): Delete.
	(region::clone): Delete.
	(region::get_id): New.
	(region::cmp_ids): New.
	(region::dyn_cast_map_region): Delete.
	(region::dyn_cast_array_region): Delete.
	(region::region_id get_parent): Delete.
	(region::get_parent_region): Convert to a simple accessor.
	(region::void set_value): Delete.
	(region::svalue_id get_value): Delete.
	(region::svalue_id get_value_direct): Delete.
	(region::svalue_id get_inherited_child_sid): Delete.
	(region::dyn_cast_frame_region): New.
	(region::dyn_cast_function_region): New.
	(region::dyn_cast_decl_region): New.
	(region::dyn_cast_field_region): New.
	(region::dyn_cast_element_region): New.
	(region::dyn_cast_offset_region): New.
	(region::dyn_cast_cast_region): New.
	(region::dyn_cast_string_region): New.
	(region::accept): New.
	(region::get_base_region): New.
	(region::base_region_p): New.
	(region::descendent_of_p): New.
	(region::maybe_get_frame_region): New.
	(region::maybe_get_decl): New.
	(region::hash): Delete.
	(region::rint): Delete.
	(region::dump_dot_to_pp): Delete.
	(region::get_desc): New.
	(region::dump_to_pp): Convert to vfunc, changing signature.
	(region::dump_child_label): Delete.
	(region::remap_svalue_ids): Delete.
	(region::remap_region_ids): Delete.
	(region::dump): New.
	(region::walk_for_canonicalization): Delete.
	(region::non_null_p): Drop region_model param.
	(region::add_view): Delete.
	(region::get_view): Delete.
	(region::get_active_view): Delete.
	(region::is_view_p): Delete.
	(region::cmp_ptrs): New.
	(region::validate): Delete.
	(region::get_offset): New.
	(region::get_byte_size): New.
	(region::get_bit_size): New.
	(region::get_subregions_for_binding): New.
	(region::region): Add complexity param. Convert parent from
	region_id to const region *. Drop svalue_id. Drop copy ctor.
	(region::symbolic_for_unknown_ptr_p): New.
	(region::add_to_hash): Delete.
	(region::print_fields): Delete.
	(region::get_complexity): New accessor.
	(region::become_active_view): Delete.
	(region::deactivate_any_active_view): Delete.
	(region::deactivate_view): Delete.
	(region::calc_offset): New.
	(region::m_parent_rid): Delete.
	(region::m_sval_id): Delete.
	(region::m_complexity): New.
	(region::m_id): New.
	(region::m_parent): New.
	(region::m_view_rids): Delete.
	(region::m_is_view): Delete.
	(region::m_active_view_rid): Delete.
	(region::m_cached_offset): New.
	(is_a_helper <region *>::test): Convert to...
	(is_a_helper <const region *>::test): ... this.
	(class primitive_region): Delete.
	(class space_region): New.
	(class map_region): Delete.
	(is_a_helper <map_region *>::test): Delete.
	(class frame_region): Reimplement.
	(template <> struct default_hash_traits<frame_region::key_t>):
	New.
	(class globals_region): Reimplement.
	(is_a_helper <globals_region *>::test): Convert to...
	(is_a_helper <const globals_region *>::test): ...this.
	(class struct_or_union_region): Delete.
	(is_a_helper <struct_or_union_region *>::test): Delete.
	(class code_region): Reimplement.
	(is_a_helper <const code_region *>::test): New.
	(class struct_region): Delete.
	(is_a_helper <struct_region *>::test): Delete.
	(class function_region): Reimplement.
	(is_a_helper <function_region *>::test): Convert to...
	(is_a_helper <const function_region *>::test): ...this.
	(class union_region): Delete.
	(is_a_helper <union_region *>::test): Delete.
	(class label_region): New.
	(is_a_helper <const label_region *>::test): New.
	(class scope_region): Delete.
	(class stack_region): Reimplement.
	(is_a_helper <stack_region *>::test): Convert to...
	(is_a_helper <const stack_region *>::test): ...this.
	(class heap_region): Reimplement.
	(is_a_helper <heap_region *>::test): Convert to...
	(is_a_helper <const heap_region *>::test): ...this.
	(class root_region): Reimplement.
	(is_a_helper <root_region *>::test): Convert to...
	(is_a_helper <const root_region *>::test): ...this.
	(class symbolic_region): Reimplement.
	(is_a_helper <const symbolic_region *>::test): New.
	(template <> struct default_hash_traits<symbolic_region::key_t>):
	New.
	(class decl_region): New.
	(is_a_helper <const decl_region *>::test): New.
	(class field_region): New.
	(template <> struct default_hash_traits<field_region::key_t>): New.
	(class array_region): Delete.
	(class element_region): New.
	(is_a_helper <array_region *>::test): Delete.
	(is_a_helper <const element_region *>::test): New.
	(template <> struct default_hash_traits<element_region::key_t>):
	New.
	(class offset_region): New.
	(is_a_helper <const offset_region *>::test): New.
	(template <> struct default_hash_traits<offset_region::key_t>):
	New.
	(class cast_region): New.
	(is_a_helper <const cast_region *>::test): New.
	(template <> struct default_hash_traits<cast_region::key_t>): New.
	(class heap_allocated_region): New.
	(class alloca_region): New.
	(class string_region): New.
	(is_a_helper <const string_region *>::test): New.
	(class unknown_region): New.
	(class region_model_manager): New.
	(struct append_ssa_names_cb_data): New.
	(class call_details): New.
	(region_model::region_model): Add region_model_manager param.
	(region_model::print_svalue): Delete.
	(region_model::dump_dot_to_pp): Delete.
	(region_model::dump_dot_to_file): Delete.
	(region_model::dump_dot): Delete.
	(region_model::dump_to_pp): Drop summarize param in favor of
	simple and multiline.
	(region_model::dump): Likewise.
	(region_model::summarize_to_pp): Delete.
	(region_model::summarize): Delete.
	(region_model::void canonicalize): Drop ctxt param.
	(region_model::void check_for_poison): Delete.
	(region_model::get_gassign_result): New.
	(region_model::impl_call_alloca): New.
	(region_model::impl_call_analyzer_describe): New.
	(region_model::impl_call_analyzer_eval): New.
	(region_model::impl_call_builtin_expect): New.
	(region_model::impl_call_calloc): New.
	(region_model::impl_call_free): New.
	(region_model::impl_call_malloc): New.
	(region_model::impl_call_memset): New.
	(region_model::impl_call_strlen): New.
	(region_model::get_reachable_svalues): New.
	(region_model::handle_phi): Drop is_back_edge param.
	(region_model::region_id get_root_rid): Delete.
	(region_model::root_region *get_root_region): Delete.
	(region_model::region_id get_stack_region_id): Delete.
	(region_model::push_frame): Convert from region_id and svalue_id
	to const region * and const svalue *.
	(region_model::get_current_frame_id): Replace with...
	(region_model::get_current_frame): ...this.
	(region_model::pop_frame): Convert from region_id to
	const region *. Drop purge and stats param. Add out_result.
	(region_model::function *get_function_at_depth): Delete.
	(region_model::get_globals_region_id): Delete.
	(region_model::add_svalue): Delete.
	(region_model::replace_svalue): Delete.
	(region_model::add_region): Delete.
	(region_model::add_region_for_type): Delete.
	(region_model::get_svalue): Delete.
	(region_model::get_region): Delete.
	(region_model::get_lvalue): Convert from region_id to
	const region *.
	(region_model::get_rvalue): Convert from svalue_id to
	const svalue *.
	(region_model::get_or_create_ptr_svalue): Delete.
	(region_model::get_or_create_constant_svalue): Delete.
	(region_model::get_svalue_for_fndecl): Delete.
	(region_model::get_svalue_for_label): Delete.
	(region_model::get_region_for_fndecl): Delete.
	(region_model::get_region_for_label): Delete.
	(region_model::get_frame_at_index (int index) const;): New.
	(region_model::maybe_cast): Delete.
	(region_model::maybe_cast_1): Delete.
	(region_model::get_field_region): Delete.
	(region_model::id deref_rvalue): Convert from region_id and
	svalue_id to const region * and const svalue *. Drop overload,
	passing in both a tree and an svalue.
	(region_model::set_value): Convert from region_id and svalue_id to
	const region * and const svalue *.
	(region_model::set_to_new_unknown_value): Delete.
	(region_model::clobber_region (const region *reg);): New.
	(region_model::purge_region (const region *reg);): New.
	(region_model::zero_fill_region (const region *reg);): New.
	(region_model::mark_region_as_unknown (const region *reg);): New.
	(region_model::copy_region): Convert from region_id to
	const region *.
	(region_model::eval_condition): Convert from svalue_id to
	const svalue *.
	(region_model::eval_condition_without_cm): Likewise.
	(region_model::compare_initial_and_pointer): New.
	(region_model::maybe_get_constant): Delete.
	(region_model::add_new_malloc_region): Delete.
	(region_model::get_representative_tree): Convert from svalue_id to
	const svalue *.
	(region_model::get_representative_path_var): Delete decl taking a
	region_id in favor of two decls, for svalue vs region, with an
	svalue_set to ensure termination.
	(region_model::get_path_vars_for_svalue): Delete.
	(region_model::create_region_for_heap_alloc): New.
	(region_model::create_region_for_alloca): New.
	(region_model::purge_unused_svalues): Delete.
	(region_model::remap_svalue_ids): Delete.
	(region_model::remap_region_ids): Delete.
	(region_model::purge_regions): Delete.
	(region_model::get_num_svalues): Delete.
	(region_model::get_num_regions): Delete.
	(region_model::get_descendents): Delete.
	(region_model::get_store): New.
	(region_model::delete_region_and_descendents): Delete.
	(region_model::get_manager): New.
	(region_model::unbind_region_and_descendents): New.
	(region_model::can_merge_with_p): Add point param. Drop
	svalue_id_merger_mapping.
	(region_model::get_value_by_name): Delete.
	(region_model::convert_byte_offset_to_array_index): Delete.
	(region_model::get_or_create_mem_ref): Delete.
	(region_model::get_or_create_pointer_plus_expr): Delete.
	(region_model::get_or_create_view): Delete.
	(region_model::get_lvalue_1): Convert from region_id to
	const region *.
	(region_model::get_rvalue_1): Convert from svalue_id to
	const svalue *.
	(region_model::get_ssa_name_regions_for_current_frame): New.
	(region_model::append_ssa_names_cb): New.
	(region_model::get_store_value): New.
	(region_model::copy_struct_region): Delete.
	(region_model::copy_union_region): Delete.
	(region_model::copy_array_region): Delete.
	(region_model::region_exists_p): New.
	(region_model::make_region_for_unexpected_tree_code): Delete.
	(region_model::loop_replay_fixup): New.
	(region_model::poison_any_pointers_to_bad_regions): Delete.
	(region_model::poison_any_pointers_to_descendents): New.
	(region_model::dump_summary_of_rep_path_vars): Delete.
	(region_model::on_top_level_param): New.
	(region_model::record_dynamic_extents): New.
	(region_model::m_mgr;): New.
	(region_model::m_store;): New.
	(region_model::m_svalues;): Delete.
	(region_model::m_regions;): Delete.
	(region_model::m_root_rid;): Delete.
	(region_model::m_current_frame;): New.
	(region_model_context::remap_svalue_ids): Delete.
	(region_model_context::can_purge_p): Delete.
	(region_model_context::on_svalue_leak): New.
	(region_model_context::on_svalue_purge): Delete.
	(region_model_context::on_liveness_change): New.
	(region_model_context::on_inherited_svalue): Delete.
	(region_model_context::on_cast): Delete.
	(region_model_context::on_unknown_change): Convert from svalue_id to
	const svalue * and add is_mutable.
	(class noop_region_model_context): Update for region_model_context
	changes.
	(model_merger::model_merger): Add program_point. Drop
	svalue_id_merger_mapping.
	(model_merger::dump_to_pp): Add "simple" param.
	(model_merger::dump): Likewise.
	(model_merger::get_region_a): Delete.
	(model_merger::get_region_b): Delete.
	(model_merger::can_merge_values_p): Delete.
	(model_merger::record_regions): Delete.
	(model_merger::record_svalues): Delete.
	(model_merger::m_point): New field.
	(model_merger::m_map_regions_from_a_to_m): Delete.
	(model_merger::m_map_regions_from_b_to_m): Delete.
	(model_merger::m_sid_mapping): Delete.
	(struct svalue_id_merger_mapping): Delete.
	(class engine): New.
	(struct canonicalization): Delete.
	(inchash::add): Delete decls for hashing svalue_id and region_id.
	(test_region_model_context::on_unexpected_tree_code): Require t to
	be non-NULL.
	(selftest::assert_condition): Add overload comparing a pair of
	const svalue *.
	* sm-file.cc: Include "tristate.h", "selftest.h",
	"analyzer/call-string.h", "analyzer/program-point.h",
	"analyzer/store.h", and "analyzer/region-model.h".
	(fileptr_state_machine::get_default_state): New.
	(fileptr_state_machine::on_stmt): Remove calls to
	get_readable_tree in favor of get_diagnostic_tree.
	* sm-malloc.cc: Include "tristate.h", "selftest.h",
	"analyzer/call-string.h", "analyzer/program-point.h",
	"analyzer/store.h", and "analyzer/region-model.h".
	(malloc_state_machine::get_default_state): New.
	(malloc_state_machine::reset_when_passed_to_unknown_fn_p): New.
	(malloc_diagnostic::describe_state_change): Handle change.m_expr
	being NULL.
	(null_arg::emit): Avoid printing "NULL '0'".
	(null_arg::describe_final_event): Avoid printing "(0) NULL".
	(malloc_leak::emit): Handle m_arg being NULL.
	(malloc_leak::describe_final_event): Handle ev.m_expr being NULL.
	(malloc_state_machine::on_stmt): Don't call get_readable_tree.
	Call get_diagnostic_tree when creating pending diagnostics.
	Update for is_zero_assignment becoming a member function of
	sm_ctxt.
	Don't transition to m_non_heap for ADDR_EXPR(MEM_REF()).
	(malloc_state_machine::reset_when_passed_to_unknown_fn_p): New
	vfunc implementation.
	* sm-sensitive.cc (sensitive_state_machine::warn_for_any_exposure): Call
	get_diagnostic_tree and pass the result to warn_for_state.
	* sm-signal.cc: Move includes of "analyzer/call-string.h" and
	"analyzer/program-point.h" to before "analyzer/region-model.h",
	and also include "analyzer/store.h" before it.
	(signal_unsafe_call::describe_state_change): Use
	get_dest_function to get handler.
	(update_model_for_signal_handler): Pass manager to region_model
	ctor.
	(register_signal_handler::impl_transition): Update for changes to
	get_or_create_node and add_edge.
	* sm-taint.cc (taint_state_machine::on_stmt): Remove calls to
	get_readable_tree, replacing them when calling warn_for_state with
	calls to get_diagnostic_tree.
	* sm.cc (is_zero_assignment): Delete.
	(any_pointer_p): Move to within namespace ana.
	* sm.h (is_zero_assignment): Remove decl.
	(any_pointer_p): Move decl to within namespace ana.
	(state_machine::get_default_state): New vfunc.
	(state_machine::reset_when_passed_to_unknown_fn_p): New vfunc.
	(sm_context::get_readable_tree): Rename to...
	(sm_context::get_diagnostic_tree): ...this.
	(sm_context::is_zero_assignment): New vfunc.
	* store.cc: New file.
	* store.h: New file.
	* svalue.cc: New file.

2020-05-22  Mark Wielaard  <mark@klomp.org>

	* sm-signal.cc (signal_unsafe_call::emit): Possibly add
	gcc_rich_location note for replacement.
	(signal_unsafe_call::get_replacement_fn): New private function.
	(get_async_signal_unsafe_fns): Add "exit".

2020-04-28  David Malcolm  <dmalcolm@redhat.com>

	PR analyzer/94816
	* engine.cc (impl_region_model_context::on_unexpected_tree_code):
	Handle NULL tree.
	* region-model.cc (region_model::add_region_for_type): Handle
	NULL type.
	* region-model.h
	(test_region_model_context::on_unexpected_tree_code): Handle NULL
	tree.

2020-04-28  David Malcolm  <dmalcolm@redhat.com>

	PR analyzer/94447
	PR analyzer/94639
	PR analyzer/94732
	PR analyzer/94754
	* analyzer.opt (Wanalyzer-use-of-uninitialized-value): Delete.
	* program-state.cc (selftest::test_program_state_dumping): Update
	expected dump result for removal of "uninit".
	* region-model.cc (poison_kind_to_str): Delete POISON_KIND_UNINIT
	case.
	(root_region::ensure_stack_region): Initialize stack with null
	svalue_id rather than with a typeless POISON_KIND_UNINIT value.
	(root_region::ensure_heap_region): Likewise for the heap.
	(region_model::dump_summary_of_rep_path_vars): Remove
	summarization of uninit values.
	(region_model::validate): Remove check that the stack has a
	POISON_KIND_UNINIT value.
	(poisoned_value_diagnostic::emit): Remove POISON_KIND_UNINIT
	case.
	(poisoned_value_diagnostic::describe_final_event): Likewise.
	(selftest::test_dump): Update expected dump result for removal of
	"uninit".
	(selftest::test_svalue_equality): Remove "uninit" and "freed".
	* region-model.h (enum poison_kind): Remove POISON_KIND_UNINIT.

2020-04-01  David Malcolm  <dmalcolm@redhat.com>

	PR analyzer/94378
	* checker-path.cc: Include "bitmap.h".
	* constraint-manager.cc: Likewise.
	* diagnostic-manager.cc: Likewise.
	* engine.cc: Likewise.
	(exploded_node::detect_leaks): Pass null region_id to pop_frame.
	* program-point.cc: Include "bitmap.h".
	* program-state.cc: Likewise.
	* region-model.cc (id_set<region_id>::id_set): Convert to...
	(region_id_set::region_id_set): ...this.
	(svalue_id_set::svalue_id_set): New ctor.
	(region_model::copy_region): New function.
	(region_model::copy_struct_region): New function.
	(region_model::copy_union_region): New function.
	(region_model::copy_array_region): New function.
	(stack_region::pop_frame): Drop return value.
	Add "result_dst_rid" param; if it is non-null, use copy_region to copy
	the result to it. Rather than capture and pass a single "known
	used" return value to be used by purge_unused_values, instead
	gather and pass a set of known used return values.
	(root_region::pop_frame): Drop return value. Add "result_dst_rid"
	param.
	(region_model::on_assignment): Use copy_region.
	(region_model::on_return): Likewise for the result.
	(region_model::on_longjmp): Pass null for pop_frame's
	result_dst_rid.
	(region_model::update_for_return_superedge): Pass the region for the
	return value of the call, if any, to pop_frame, rather than setting
	the lvalue for the lhs of the result.
	(region_model::pop_frame): Drop return value. Add
	"result_dst_rid" param.
	(region_model::purge_unused_svalues): Convert third param from an
	svalue_id * to an svalue_id_set *, updating the initial populating
	of the "used" bitmap accordingly. Don't remap it when done.
	(struct selftest::coord_test): New selftest fixture, extracted from...
	(selftest::test_dump_2): ...here.
	(selftest::test_compound_assignment): New selftest.
	(selftest::test_stack_frames): Pass null to new param of pop_frame.
	(selftest::analyzer_region_model_cc_tests): Call the new selftest.
	* region-model.h (class id_set): Delete template.
	(class region_id_set): Reimplement, using old id_set implementation.
	(class svalue_id_set): Likewise. Convert from auto_sbitmap to
	auto_bitmap.
	(region::get_active_view): New accessor.
	(stack_region::pop_frame): Drop return value. Add
	"result_dst_rid" param.
	(root_region::pop_frame): Likewise.
	(region_model::pop_frame): Likewise.
	(region_model::copy_region): New decl.
	(region_model::purge_unused_svalues): Convert third param from an
	svalue_id * to an svalue_id_set *.
	(region_model::copy_struct_region): New decl.
	(region_model::copy_union_region): New decl.
	(region_model::copy_array_region): New decl.

2020-03-27  David Malcolm  <dmalcolm@redhat.com>

	* program-state.cc (selftest::test_program_state_dumping): Update
	expected dump to include symbolic_region's possibly_null field.
	* region-model.cc (symbolic_region::print_fields): New vfunc
	implementation.
	(region_model::add_constraint): Clear m_possibly_null from
	symbolic_regions now known to be non-NULL.
	(selftest::test_malloc_constraints): New selftest.
	(selftest::analyzer_region_model_cc_tests): Call it.
	* region-model.h (region::dyn_cast_symbolic_region): Add non-const
	overload.
	(symbolic_region::dyn_cast_symbolic_region): Implement it.
	(symbolic_region::print_fields): New vfunc override decl.

2020-03-27  David Malcolm  <dmalcolm@redhat.com>

	* analyzer.h (class feasibility_problem): New forward decl.
	* diagnostic-manager.cc (saved_diagnostic::saved_diagnostic):
	Initialize new fields m_status, m_epath_length, and m_problem.
	(saved_diagnostic::~saved_diagnostic): Delete m_problem.
	(dedupe_candidate::dedupe_candidate): Convert "sd" param from a
	const ref to a mutable ptr.
	(dedupe_winners::add): Convert "sd" param from a const ref to a
	mutable ptr. Record the length of the exploded_path. Record the
	feasibility/infeasibility of sd into sd, capturing a
	feasibility_problem when feasible_p fails, and storing it in sd.
	(diagnostic_manager::emit_saved_diagnostics): Update for pass by
	ptr rather than by const ref.
	* diagnostic-manager.h (class saved_diagnostic): Add new enum
	status. Add fields m_status, m_epath_length and m_problem.
	(saved_diagnostic::set_feasible): New member function.
	(saved_diagnostic::set_infeasible): New member function.
	(saved_diagnostic::get_feasibility_problem): New accessor.
	(saved_diagnostic::get_status): New accessor.
	(saved_diagnostic::set_epath_length): New member function.
	(saved_diagnostic::get_epath_length): New accessor.
	* engine.cc: Include "gimple-pretty-print.h".
	(exploded_path::feasible_p): Add OUT param and, if non-NULL, write
	a new feasibility_problem to it on failure.
	(viz_callgraph_node::dump_dot): Convert begin_tr calls to
	begin_trtd. Convert end_tr calls to end_tdtr.
	(class exploded_graph_annotator): New subclass of dot_annotator.
	(impl_run_checkers): Add a second -fdump-analyzer-supergraph dump
	after the analysis runs, using exploded_graph_annotator, dumping
	to DUMP_BASE_NAME.supergraph-eg.dot.
	* exploded-graph.h (exploded_node::get_dot_fillcolor): Make
	public.
	(exploded_path::feasible_p): Add OUT param.
	(class feasibility_problem): New class.
	* state-purge.cc (state_purge_annotator::add_node_annotations):
	Return a bool, add a "within_table" param.
	(print_vec_of_names): Convert begin_tr calls to begin_trtd.
	Convert end_tr calls to end_tdtr.
	(state_purge_annotator::add_stmt_annotations): Add "within_row"
	param.
	* state-purge.h (state_purge_annotator::add_node_annotations):
	Return a bool, add a "within_table" param.
	(state_purge_annotator::add_stmt_annotations): Add "within_row"
	param.
	* supergraph.cc (supernode::dump_dot): Call add_node_annotations
	twice: as before, passing false for "within_table", then again
	with true when within the TABLE element. Convert some begin_tr
	calls to begin_trtd, and some end_tr calls to end_tdtr.
	Repeat each add_stmt_annotations call, distinguishing between
	calls that add TRs and those that add TDs to an existing TR.
	Add a call to add_after_node_annotations.
	* supergraph.h (dot_annotator::add_node_annotations): Add a
	"within_table" param.
	(dot_annotator::add_stmt_annotations): Add a "within_row" param.
	(dot_annotator::add_after_node_annotations): New vfunc.

2020-03-27  David Malcolm  <dmalcolm@redhat.com>

	* diagnostic-manager.cc (dedupe_winners::add): Show the
	exploded_node index in the log messages.
	(diagnostic_manager::emit_saved_diagnostics): Log a summary of
	m_saved_diagnostics at entry.

2020-03-27  David Malcolm  <dmalcolm@redhat.com>

	* supergraph.cc (superedge::dump): Add space before description;
	move newline to non-pretty_printer overload.

2020-03-18  David Malcolm  <dmalcolm@redhat.com>

	* region-model.cc: Include "stor-layout.h".
	(region_model::dump_to_pp): Rather than calling
	dump_summary_of_map on each of the current frame and the globals,
	instead get a vec of representative path_vars for all regions,
	and then dump a summary of all of them.
	(region_model::dump_summary_of_map): Delete, rewriting into...
	(region_model::dump_summary_of_rep_path_vars): ...this new
	function, working on a vec of path_vars.
	(region_model::set_value): New overload.
	(region_model::get_representative_path_var): Rename
	"parent_region" local to "parent_reg" and consolidate with other
	local. Guard test for grandparent being stack on parent_reg being
	non-NULL. Move handling for parent being an array_region to
	within guard for parent_reg being non-NULL.
	(selftest::make_test_compound_type): New function.
	(selftest::test_dump_2): New selftest.
	(selftest::test_dump_3): New selftest.
	(selftest::test_stack_frames): Update expected output from
	simplified dump to show "a" and "b" from parent frame and "y" in
	child frame.
	(selftest::analyzer_region_model_cc_tests): Call test_dump_2 and
	test_dump_3.
	* region-model.h (region_model::set_value): New overload decl.
	(region_model::dump_summary_of_map): Delete.
	(region_model::dump_summary_of_rep_path_vars): New.

2020-03-18  David Malcolm  <dmalcolm@redhat.com>

	* region-model.h (class noop_region_model_context): New subclass
	of region_model_context.
	(class tentative_region_model_context): Inherit from
	noop_region_model_context rather than from region_model_context;
	drop redundant vfunc implementations.
	(class test_region_model_context): Likewise.

2020-03-18  David Malcolm  <dmalcolm@redhat.com>

	* engine.cc (exploded_node::exploded_node): Move implementation
	here from header; accept point_and_state by const reference rather
	than by value.
	* exploded-graph.h (exploded_node::exploded_node): Pass
	point_and_state by const reference rather than by value. Move
	body to engine.cc.

2020-03-18  Jakub Jelinek  <jakub@redhat.com>

	* sm-malloc.cc (malloc_state_machine::on_stmt): Fix up duplicated word
	issue in a comment.
	* region-model.cc (region_model::make_region_for_unexpected_tree_code,
	region_model::delete_region_and_descendents): Likewise.
	* engine.cc (class exploded_cluster): Likewise.
	* diagnostic-manager.cc (class path_builder): Likewise.

2020-03-13  David Malcolm  <dmalcolm@redhat.com>

	PR analyzer/94099
	PR analyzer/94105
	* diagnostic-manager.cc (for_each_state_change): Bulletproof
	against errors in get_rvalue by passing a
	tentative_region_model_context and rejecting if there's an error.
	* region-model.cc (region_model::get_lvalue_1): When handling
	ARRAY_REF, handle results of error-handling. Handle NOP_EXPR.

2020-03-06  David Malcolm  <dmalcolm@redhat.com>

	* analyzer.h (class array_region): New forward decl.
	* program-state.cc (selftest::test_program_state_dumping_2): New.
	(selftest::analyzer_program_state_cc_tests): Call it.
	* region-model.cc (array_region::constant_from_key): New.
	(region_model::get_representative_tree): Handle region_svalue by
	generating an ADDR_EXPR.
	(region_model::get_representative_path_var): In view handling,
	remove erroneous TREE_TYPE when determining the type of the tree.
	Handle array regions and STRING_CST.
	(selftest::assert_dump_tree_eq): New.
	(ASSERT_DUMP_TREE_EQ): New macro.
	(selftest::test_get_representative_tree): New selftest.
	(selftest::analyzer_region_model_cc_tests): Call it.
	* region-model.h (region::dyn_cast_array_region): New vfunc.
	(array_region::dyn_cast_array_region): New vfunc implementation.
	(array_region::constant_from_key): New decl.

2020-03-06  David Malcolm  <dmalcolm@redhat.com>

	* analyzer.h (dump_quoted_tree): New decl.
	* engine.cc (exploded_node::dump_dot): Pass region model to
	sm_state_map::print.
	* program-state.cc: Include diagnostic-core.h.
	(sm_state_map::print): Add "model" param and use it to print
	representative trees. Only print origin information if non-null.
	(sm_state_map::dump): Pass NULL for model to print call.
	(program_state::print): Pass region model to sm_state_map::print.
	(program_state::dump_to_pp): Use spaces rather than newlines when
	summarizing. Pass region_model to sm_state_map::print.
	(ana::selftest::assert_dump_eq): New function.
	(ASSERT_DUMP_EQ): New macro.
	(ana::selftest::test_program_state_dumping): New function.
	(ana::selftest::analyzer_program_state_cc_tests): Call it.
	* program-state.h (program_state::print): Add model param.
	* region-model.cc (dump_quoted_tree): New function.
	(map_region::print_fields): Use dump_quoted_tree rather than
	%qE to avoid lang-dependent output.
	(map_region::dump_child_label): Likewise.
	(region_model::dump_summary_of_map): For SK_REGION, when
	get_representative_path_var fails, print the region id rather than
	erroneously printing NULL.
	* sm.cc (state_machine::get_state_by_name): New function.
	* sm.h (state_machine::get_state_by_name): New decl.

2020-03-04  David Malcolm  <dmalcolm@redhat.com>

	* region-model.cc (region::validate): Convert model param from ptr
	to reference. Update comment to reflect that it's now a vfunc.
	(map_region::validate): New vfunc implementation.
	(array_region::validate): New vfunc implementation.
	(stack_region::validate): New vfunc implementation.
	(root_region::validate): New vfunc implementation.
	(region_model::validate): Pass a reference rather than a pointer
	to the region::validate vfunc.
	* region-model.h (region::validate): Make virtual. Convert model
	param from ptr to reference.
	(map_region::validate): New vfunc decl.
	(array_region::validate): New vfunc decl.
	(stack_region::validate): New vfunc decl.
	(root_region::validate): New vfunc decl.

2020-03-04  David Malcolm  <dmalcolm@redhat.com>

	PR analyzer/93993
	* region-model.cc (region_model::on_call_pre): Handle
	BUILT_IN_EXPECT and its variants.
	(region_model::add_any_constraints_from_ssa_def_stmt): Split out
	gassign handling into add_any_constraints_from_gassign; add gcall
	handling.
	(region_model::add_any_constraints_from_gassign): New function,
	based on the above. Add handling for NOP_EXPR.
	(region_model::add_any_constraints_from_gcall): New function.
	(region_model::get_representative_path_var): Handle views.
	* region-model.h
	(region_model::add_any_constraints_from_ssa_def_stmt): New decl.
	(region_model::add_any_constraints_from_gassign): New decl.

2020-03-04  David Malcolm  <dmalcolm@redhat.com>

	PR analyzer/93993
	* checker-path.h (state_change_event::get_lvalue): Add ctxt param
	and pass it to region_model::get_value call.
	* diagnostic-manager.cc (get_any_origin): Pass a
	tentative_region_model_context to the calls to get_lvalue and reject
	the comparison if errors occur.
	(can_be_expr_of_interest_p): New function.
	(diagnostic_manager::prune_for_sm_diagnostic): Replace checks for
	CONSTANT_CLASS_P with calls to update_for_unsuitable_sm_exprs.
	Pass a tentative_region_model_context to the calls to
	state_change_event::get_lvalue and reject the comparison if errors
	occur.
	(diagnostic_manager::update_for_unsuitable_sm_exprs): New.
	* diagnostic-manager.h
	(diagnostic_manager::update_for_unsuitable_sm_exprs): New decl.
	* region-model.h (class tentative_region_model_context): New class.

2020-03-04  David Malcolm  <dmalcolm@redhat.com>

	* engine.cc (worklist::worklist): Remove unused field m_eg.
	(class viz_callgraph_edge): Remove unused field m_call_sedge.
	(class viz_callgraph): Remove unused field m_sg.
	* exploded-graph.h (worklist::m_eg): Remove unused field.

2020-03-02  David Malcolm  <dmalcolm@redhat.com>

	* analyzer.opt (fanalyzer-show-duplicate-count): New option.
	* diagnostic-manager.cc
	(diagnostic_manager::emit_saved_diagnostic): Use the above to
	guard the printing of the duplicate count.

2020-03-02  David Malcolm  <dmalcolm@redhat.com>

	PR analyzer/93959
	* analyzer.cc (is_std_function_p): New function.
	(is_std_named_call_p): New function.
	* analyzer.h (is_std_named_call_p): New decl.
	* sm-malloc.cc (malloc_state_machine::on_stmt): Check for "std::"
	variants when checking for malloc, calloc and free.

2020-02-26  David Malcolm  <dmalcolm@redhat.com>

	PR analyzer/93950
	* diagnostic-manager.cc
	(diagnostic_manager::prune_for_sm_diagnostic): Assert that var is
	either NULL or not a constant. When updating var, bulletproof
	against constant values.

2020-02-26  David Malcolm  <dmalcolm@redhat.com>

	PR analyzer/93947
	* region-model.cc (region_model::get_fndecl_for_call): Gracefully
	fail for fn_decls that don't have a cgraph_node.

2020-02-26  David Malcolm  <dmalcolm@redhat.com>

	* bar-chart.cc: New file.
	* bar-chart.h: New file.
	* engine.cc: Include "analyzer/bar-chart.h".
	(stats::log): Only log the m_num_nodes kinds that are non-zero.
	(stats::dump): Likewise when dumping.
	(stats::get_total_enodes): New.
	(exploded_graph::get_or_create_node): Increment the per-point-data
	m_excess_enodes when hitting the per-program-point limit on
	enodes.
	(exploded_graph::print_bar_charts): New.
	(exploded_graph::log_stats): Log the number of unprocessed enodes
	in the worklist. Call print_bar_charts.
	(exploded_graph::dump_stats): Print the number of unprocessed
	enodes in the worklist.
	* exploded-graph.h (stats::get_total_enodes): New decl.
	(struct per_program_point_data): Add field m_excess_enodes.
	(exploded_graph::print_bar_charts): New decl.
	* supergraph.cc (superedge::dump): New.
	(superedge::dump): New.
	* supergraph.h (supernode::get_function): New.
	(superedge::dump): New decl.
	(superedge::dump): New decl.

2020-02-24  David Malcolm  <dmalcolm@redhat.com>

	* engine.cc (exploded_graph::get_or_create_node): Dump the
	program_state to the pp, rather than to stderr.

2020-02-24  David Malcolm  <dmalcolm@redhat.com>

	PR analyzer/93032
	* sm.cc (make_checkers): Require the "taint" checker to be
	explicitly enabled.

2020-02-24  David Malcolm  <dmalcolm@redhat.com>

	PR analyzer/93899
	* engine.cc
	(impl_region_model_context::impl_region_model_context): Add logger
	param.
	* engine.cc (exploded_graph::add_function_entry): Create an
	impl_region_model_context and pass it to the push_frame call.
	Bail if the resulting state is invalid.
	(exploded_graph::build_initial_worklist): Likewise.
	(exploded_graph::build_initial_worklist): Handle the case where
	add_function_entry fails.
	* exploded-graph.h
	(impl_region_model_context::impl_region_model_context): Add logger
	param.
	* region-model.cc (map_region::get_or_create): Add ctxt param and
	pass it to add_region_for_type.
	(map_region::can_merge_p): Pass NULL as a ctxt to call to
	get_or_create.
	(array_region::get_element): Pass ctxt to call to get_or_create.
	(array_region::get_or_create): Add ctxt param and pass it to
	add_region_for_type.
	(root_region::push_frame): Pass ctxt to get_or_create calls.
	(region_model::get_lvalue_1): Likewise.
	(region_model::make_region_for_unexpected_tree_code): Assert that
	ctxt is non-NULL.
	(region_model::get_rvalue_1): Pass ctxt to get_svalue_for_fndecl
	and get_svalue_for_label calls.
	(region_model::get_svalue_for_fndecl): Add ctxt param and pass it
	to get_region_for_fndecl.
	(region_model::get_region_for_fndecl): Add ctxt param and pass it
	to get_or_create.
	(region_model::get_svalue_for_label): Add ctxt param and pass it
	to get_region_for_label.
	(region_model::get_region_for_label): Add ctxt param and pass it
	to get_region_for_fndecl and get_or_create.
	(region_model::get_field_region): Add ctxt param and pass it to
	get_or_create_view and get_or_create.
	(make_region_for_type): Replace gcc_unreachable with return NULL.
	(region_model::add_region_for_type): Add ctxt param. Handle a
	return of NULL from make_region_for_type by calling
	make_region_for_unexpected_tree_code.
	(region_model::get_or_create_mem_ref): Pass ctxt to calls to
	get_or_create_view.
	(region_model::get_or_create_view): Add ctxt param and pass it to
	add_region_for_type.
	(selftest::test_state_merging): Pass ctxt to get_or_create_view.
	* region-model.h (region_model::get_or_create): Add ctxt param.
	(region_model::add_region_for_type): Likewise.
	(region_model::get_svalue_for_fndecl): Likewise.
	(region_model::get_svalue_for_label): Likewise.
	(region_model::get_region_for_fndecl): Likewise.
	(region_model::get_region_for_label): Likewise.
	(region_model::get_field_region): Likewise.
	(region_model::get_or_create_view): Likewise.

2020-02-24  David Malcolm  <dmalcolm@redhat.com>

	* checker-path.cc (superedge_event::should_filter_p): Update
	filter for empty descriptions to cover verbosity level 3 as well
	as 2.
	* diagnostic-manager.cc: Include "analyzer/reachability.h".
	(class path_builder): New class.
	(diagnostic_manager::emit_saved_diagnostic): Create a path_builder
	and pass it to build_emission_path, rather than passing eg; similarly
	for add_events_for_eedge and ext_state.
	(diagnostic_manager::build_emission_path): Replace "eg" param
	with a path_builder, pass it to add_events_for_eedge.
	(diagnostic_manager::add_events_for_eedge): Replace ext_state
	param with path_builder; pass it to add_events_for_superedge.
	(diagnostic_manager::significant_edge_p): New.
	(diagnostic_manager::add_events_for_superedge): Add path_builder
	param. Reject insignificant edges at verbosity levels below 3.
	(diagnostic_manager::prune_for_sm_diagnostic): Update highest
	verbosity level to 4.
	* diagnostic-manager.h (class path_builder): New forward decl.
	(diagnostic_manager::build_emission_path): Replace "eg" param
	with a path_builder.
	(diagnostic_manager::add_events_for_eedge): Replace ext_state
	param with path_builder.
	(diagnostic_manager::significant_edge_p): New.
	(diagnostic_manager::add_events_for_superedge): Add path_builder
	param.
	* reachability.h: New file.

2020-02-18  David Malcolm  <dmalcolm@redhat.com>

	PR analyzer/93692
	* analyzer.opt (fdump-analyzer-callgraph): Rewrite description.

2020-02-18  David Malcolm  <dmalcolm@redhat.com>

	PR analyzer/93777
	* region-model.cc (region_model::maybe_cast_1): Replace assertion
	that build_cast returns non-NULL with a conditional, falling
	through to the logic which returns a new unknown value of the
	desired type if it fails.

2020-02-18  David Malcolm  <dmalcolm@redhat.com>

	PR analyzer/93778
	* engine.cc (impl_region_model_context::on_unknown_tree_code):
	Rename to...
	(impl_region_model_context::on_unexpected_tree_code): ...this and
	convert first argument from path_var to tree.
	(exploded_node::on_stmt): Pass ctxt to purge_for_unknown_fncall.
	* exploded-graph.h (region_model_context::on_unknown_tree_code):
	Rename to...
	(region_model_context::on_unexpected_tree_code): ...this and
	convert first argument from path_var to tree.
	* program-state.cc (sm_state_map::purge_for_unknown_fncall): Add
	ctxt param and pass on to calls to get_rvalue.
	* program-state.h (sm_state_map::purge_for_unknown_fncall): Add
	ctxt param.
	* region-model.cc (region_model::handle_unrecognized_call): Pass
	ctxt on to call to get_rvalue.
	(region_model::get_lvalue_1): Move body of default case to
	region_model::make_region_for_unexpected_tree_code and call it.
	Within COMPONENT_REF case, reject attempts to handle types other
	than RECORD_TYPE and UNION_TYPE.
	(region_model::make_region_for_unexpected_tree_code): New
	function, based on default case of region_model::get_lvalue_1.
	* region-model.h
	(region_model::make_region_for_unexpected_tree_code): New decl.
	(region_model::on_unknown_tree_code): Rename to...
	(region_model::on_unexpected_tree_code): ...this and convert first
	argument from path_var to tree.
	(class test_region_model_context): Update vfunc implementation for
	above change.

2020-02-18  David Malcolm  <dmalcolm@redhat.com>

	PR analyzer/93774
	* region-model.cc
	(region_model::convert_byte_offset_to_array_index): Use
	int_size_in_bytes before calling size_in_bytes, to gracefully fail
	on incomplete types.

2020-02-17  David Malcolm  <dmalcolm@redhat.com>

	PR analyzer/93775
	* region-model.cc (region_model::get_fndecl_for_call): Handle the
	case where the code_region's get_tree_for_child_region returns
	NULL.

2020-02-17  David Malcolm  <dmalcolm@redhat.com>

	PR analyzer/93388
	* engine.cc (impl_region_model_context::on_unknown_tree_code):
	New.
	(exploded_graph::get_or_create_node): Reject invalid states.
	* exploded-graph.h
	(impl_region_model_context::on_unknown_tree_code): New decl.
	(point_and_state::point_and_state): Assert that the state is
	valid.
	* program-state.cc (program_state::program_state): Initialize
	m_valid to true.
	(program_state::operator=): Copy m_valid.
	(program_state::program_state): Likewise for move constructor.
	(program_state::print): Print m_valid.
	(program_state::dump_to_pp): Likewise.
	* program-state.h (program_state::m_valid): New field.
	* region-model.cc (region_model::get_lvalue_1): Implement the
	default case by returning a new symbolic region and calling
	the context's on_unknown_tree_code, rather than issuing an
	internal_error. Implement VIEW_CONVERT_EXPR.
	* region-model.h (region_model_context::on_unknown_tree_code): New
	vfunc.
	(test_region_model_context::on_unknown_tree_code): New.

2020-02-17  David Malcolm  <dmalcolm@redhat.com>

	* sm-malloc.cc (malloc_diagnostic::describe_state_change): For
	transition to the "null" state, only say "assuming" when
	transitioning from the "unchecked" state.

2020-02-17  David Malcolm  <dmalcolm@redhat.com>

	* diagnostic-manager.h (diagnostic_manager::get_saved_diagnostic):
	Add const overload.
	* engine.cc (exploded_node::dump_dot): Dump saved_diagnostics.
	* exploded-graph.h (exploded_graph::get_diagnostic_manager): Add
	const overload.

2020-02-11  David Malcolm  <dmalcolm@redhat.com>

	PR analyzer/93288
	* analysis-plan.cc (analysis_plan::use_summary_p): Look through
	the ultimate_alias_target when getting the called function.
	* engine.cc (exploded_node::on_stmt): Rename second "ctxt" to
	"sm_ctxt". Use the region_model's get_fndecl_for_call rather than
	gimple_call_fndecl.
	* region-model.cc (region_model::get_fndecl_for_call): Use
	ultimate_alias_target on fndecl.
	* supergraph.cc (get_ultimate_function_for_cgraph_edge): New
	function.
	(supergraph_call_edge): Use it when rejecting edges without
	functions.
	(supergraph::supergraph): Use it to get the function for the
	cgraph_edge when building interprocedural superedges.
	(callgraph_superedge::get_callee_function): Use it.
	* supergraph.h (supergraph::get_num_snodes): Make param const.
	(supergraph::function_to_num_snodes_t): Make first type param
	const.

2020-02-11  David Malcolm  <dmalcolm@redhat.com>

	PR analyzer/93374
	* engine.cc (exploded_edge::exploded_edge): Add ext_state param
	and pass it to change.validate.
	(exploded_graph::get_or_create_node): Move purging of change
	svalues to also cover the case of reusing an existing enode.
	(exploded_graph::add_edge): Pass m_ext_state to exploded_edge's
	ctor.
	* exploded-graph.h (exploded_edge::exploded_edge): Add ext_state
	param.
	* program-state.cc (state_change::sm_change::validate): Likewise.
	Assert that m_sm_idx is sane. Use ext_state to validate
	m_old_state and m_new_state.
	(state_change::validate): Add ext_state param and pass it to
	the sm_change validate calls.
	* program-state.h (state_change::sm_change::validate): Add
	ext_state param.
	(state_change::validate): Likewise.

2020-02-11  David Malcolm  <dmalcolm@redhat.com>

	PR analyzer/93669
	* engine.cc (exploded_graph::dump_exploded_nodes): Handle missing
	case of STATUS_WORKLIST in implementation of
	"__analyzer_dump_exploded_nodes".

2020-02-11  David Malcolm  <dmalcolm@redhat.com>

	PR analyzer/93649
	* constraint-manager.cc (constraint_manager::add_constraint): When
	merging equivalence classes and updating m_constant, also update
	m_cst_sid.
	(constraint_manager::validate): If m_constant is non-NULL assert
	that m_cst_sid is non-null and is valid.

2020-02-11  David Malcolm  <dmalcolm@redhat.com>

	PR analyzer/93657
	* analyzer.opt (fdump-analyzer): Reword description.
	(fdump-analyzer-stderr): Likewise.

2020-02-11  David Malcolm  <dmalcolm@redhat.com>

	* region-model.cc (print_quoted_type): New function.
	(svalue::print): Use it to replace %qT.
	(region::dump_to_pp): Likewise.
	(region::dump_child_label): Likewise.
	(region::print_fields): Likewise.

2020-02-10  David Malcolm  <dmalcolm@redhat.com>

	PR analyzer/93659
	* analyzer.opt (-param=analyzer-max-recursion-depth=): Fix "tha"
	-> "that" typo.
	(Wanalyzer-use-of-uninitialized-value): Fix "initialized" ->
	"uninitialized" typo.

2020-02-10  David Malcolm  <dmalcolm@redhat.com>

	PR analyzer/93350
	* region-model.cc (region_model::get_lvalue_1):
	Handle BIT_FIELD_REF.
	(make_region_for_type): Handle VECTOR_TYPE.

2020-02-10  David Malcolm  <dmalcolm@redhat.com>

	PR analyzer/93647
	* diagnostic-manager.cc
	(diagnostic_manager::prune_for_sm_diagnostic): Bulletproof against
	VAR being constant.
	* region-model.cc (region_model::get_lvalue_1): Provide a better
	error message when encountering an unhandled tree code.

2020-02-10  David Malcolm  <dmalcolm@redhat.com>

	PR analyzer/93405
	* region-model.cc (region_model::get_lvalue_1): Implement
	CONST_DECL.

2020-02-06  David Malcolm  <dmalcolm@redhat.com>

	* region-model.cc (region_model::maybe_cast_1): Attempt to provide
	a region_svalue if either type is a pointer, rather than if both
	types are pointers.

2020-02-05  David Malcolm  <dmalcolm@redhat.com>

	* engine.cc (exploded_node::dump_dot): Show merger enodes.
	(worklist::add_node): Assert that the node's m_status is
	STATUS_WORKLIST.
	(exploded_graph::process_worklist): Likewise for nodes from the
	worklist.  Set status of merged nodes to STATUS_MERGER.
	(exploded_graph::process_node): Set status of node to
	STATUS_PROCESSED.
	(exploded_graph::dump_exploded_nodes): Rework handling of
	"__analyzer_dump_exploded_nodes", splitting enodes by status into
	"processed" and "merger", showing the count of just the processed
	enodes at the call, rather than the count of all enodes.
	* exploded-graph.h (exploded_node::status): New enum.
	(exploded_node::exploded_node): Initialize m_status to
	STATUS_WORKLIST.
	(exploded_node::get_status): New getter.
	(exploded_node::set_status): New setter.

2020-02-04  David Malcolm  <dmalcolm@redhat.com>

	PR analyzer/93543
	* engine.cc (pod_hash_traits<function_call_string>::mark_empty):
	Eliminate reinterpret_cast.
	(pod_hash_traits<function_call_string>::is_empty): Likewise.

2020-02-03  David Malcolm  <dmalcolm@redhat.com>

	* constraint-manager.cc (range::constrained_to_single_element):
	Replace fold_build2 with fold_binary.  Remove unnecessary newline.
	(constraint_manager::get_or_add_equiv_class): Replace fold_build2
	with fold_binary in two places, and remove out-of-date comment.
	(constraint_manager::eval_condition): Replace fold_build2 with
	fold_binary.
	* region-model.cc (constant_svalue::eval_condition): Likewise.
	(region_model::on_assignment): Likewise.

2020-02-03  David Malcolm  <dmalcolm@redhat.com>

	PR analyzer/93544
	* diagnostic-manager.cc
	(diagnostic_manager::prune_for_sm_diagnostic): Bulletproof
	against bad choices due to bad paths.
	* engine.cc (impl_region_model_context::on_phi): New.
	* exploded-graph.h (impl_region_model_context::on_phi): New decl.
	* region-model.cc (region_model::on_longjmp): Likewise.
	(region_model::handle_phi): Add phi param.  Call the ctxt's on_phi
	vfunc.
	(region_model::update_for_phis): Pass phi to handle_phi.
	* region-model.h (region_model::handle_phi): Add phi param.
	(region_model_context::on_phi): New vfunc.
	(test_region_model_context::on_phi): New.
	* sm-malloc.cc (malloc_state_machine::on_phi): New.
	(malloc_state_machine::on_zero_assignment): New.
	* sm.h (state_machine::on_phi): New vfunc.

2020-02-03  David Malcolm  <dmalcolm@redhat.com>

	* engine.cc (supernode_cluster::dump_dot): Show BB index as
	well as SN index.
	* supergraph.cc (supernode::dump_dot): Likewise.

2020-02-03  David Malcolm  <dmalcolm@redhat.com>

	PR analyzer/93546
	* region-model.cc (region_model::on_call_pre): Update for new
	param of symbolic_region ctor.
	(region_model::deref_rvalue): Likewise.
	(region_model::add_new_malloc_region): Likewise.
	(make_region_for_type): Likewise, preserving type.
	* region-model.h (symbolic_region::symbolic_region): Add "type"
	param and pass it to base class ctor.

2020-02-03  David Malcolm  <dmalcolm@redhat.com>

	PR analyzer/93547
	* constraint-manager.cc
	(constraint_manager::get_or_add_equiv_class): Ensure types are
	compatible before comparing constants.

2020-01-31  David Malcolm  <dmalcolm@redhat.com>

	PR analyzer/93457
	* region-model.cc (make_region_for_type): Use VOID_TYPE_P rather
	than checking against void_type_node.

2020-01-31  David Malcolm  <dmalcolm@redhat.com>

	PR analyzer/93373
	* region-model.cc (ASSERT_COMPAT_TYPES): Convert to...
	(assert_compat_types): ...this, and bail when either type is NULL,
	or when VOID_TYPE_P (dst_type).
	(region_model::get_lvalue): Update for above conversion.
	(region_model::get_rvalue): Likewise.

2020-01-31  David Malcolm  <dmalcolm@redhat.com>

	PR analyzer/93379
	* region-model.cc (region_model::update_for_return_superedge):
	Move check for null result so that it also guards setting the
	lhs.

2020-01-31  David Malcolm  <dmalcolm@redhat.com>

	PR analyzer/93438
	* region-model.cc (stack_region::can_merge_p): Split into a two
	pass approach, creating all stack regions first, then populating
	them.
	(selftest::test_state_merging): Add test coverage for (a) the case
	of self-merging a model in which a local in an older stack frame
	points to a local in a more recent stack frame (which previously
	would ICE), and (b) the case of self-merging a model in which a
	local points to a global (which previously worked OK).

2020-01-31  David Malcolm  <dmalcolm@redhat.com>

	* analyzer.cc (is_named_call_p): Replace tests for fndecl being
	extern at file scope and having a non-NULL DECL_NAME with a call
	to maybe_special_function_p.
	* function-set.cc (function_set::contains_decl_p): Add call to
	maybe_special_function_p.

2020-01-31  David Malcolm  <dmalcolm@redhat.com>

	PR analyzer/93450
	* constraint-manager.cc
	(constraint_manager::get_or_add_equiv_class): Only compare constants
	if their types are compatible.
	* region-model.cc (constant_svalue::eval_condition): Replace check
	for identical types with call to types_compatible_p.

2020-01-30  David Malcolm  <dmalcolm@redhat.com>

	* program-state.cc (extrinsic_state::dump_to_pp): New.
	(extrinsic_state::dump_to_file): New.
	(extrinsic_state::dump): New.
	* program-state.h (extrinsic_state::dump_to_pp): New decl.
	(extrinsic_state::dump_to_file): New decl.
	(extrinsic_state::dump): New decl.
	* sm.cc: Include "pretty-print.h".
	(state_machine::dump_to_pp): New.
	* sm.h (state_machine::dump_to_pp): New decl.

2020-01-30  David Malcolm  <dmalcolm@redhat.com>

	* diagnostic-manager.cc (for_each_state_change): Use
	extrinsic_state::get_num_checkers rather than accessing m_checkers
	directly.
	* program-state.cc (program_state::program_state): Likewise.
	* program-state.h (extrinsic_state::m_checkers): Make private.

2020-01-30  David Malcolm  <dmalcolm@redhat.com>

	PR analyzer/93356
	* region-model.cc (region_model::eval_condition): In both
	overloads, bail out immediately on floating-point types.
	(region_model::eval_condition_without_cm): Likewise.
	(region_model::add_constraint): Likewise.

2020-01-30  David Malcolm  <dmalcolm@redhat.com>

	PR analyzer/93450
	* program-state.cc (sm_state_map::set_state): For the overload
	taking an svalue_id, bail out if the set_state on the ec does
	nothing.  Convert the latter's return type from void to bool,
	returning true if anything changed.
	(sm_state_map::impl_set_state): Convert the return type from void
	to bool, returning true if the state changed.
	* program-state.h (sm_state_map::set_state): Convert return type
	from void to bool.
	(sm_state_map::impl_set_state): Likewise.
	* region-model.cc (constant_svalue::eval_condition): Only call
	fold_build2 if the types are the same.

2020-01-29  Jakub Jelinek  <jakub@redhat.com>

	* analyzer.h (PUSH_IGNORE_WFORMAT, POP_IGNORE_WFORMAT): Remove.
	* constraint-manager.cc: Include diagnostic-core.h before graphviz.h.
	(range::dump, equiv_class::print): Don't use PUSH_IGNORE_WFORMAT or
	POP_IGNORE_WFORMAT.
	* state-purge.cc: Include diagnostic-core.h before
	gimple-pretty-print.h.
	(state_purge_annotator::add_node_annotations, print_vec_of_names):
	Don't use PUSH_IGNORE_WFORMAT or POP_IGNORE_WFORMAT.
	* region-model.cc: Move diagnostic-core.h include before graphviz.h.
	(path_var::dump, svalue::print, constant_svalue::print_details,
	region::dump_to_pp, region::dump_child_label, region::print_fields,
	map_region::print_fields, map_region::dump_dot_to_pp,
	map_region::dump_child_label, array_region::print_fields,
	array_region::dump_dot_to_pp): Don't use PUSH_IGNORE_WFORMAT or
	POP_IGNORE_WFORMAT.

2020-01-28  David Malcolm  <dmalcolm@redhat.com>

	PR analyzer/93316
	* engine.cc (rewind_info_t::update_model): Get the longjmp call
	stmt via get_longjmp_call () rather than assuming it is the last
	stmt in the longjmp's supernode.
	(rewind_info_t::add_events_to_path): Get the location_t for the
	rewind_from_longjmp_event via get_longjmp_call () rather than from
	the supernode's get_end_location ().

2020-01-28  David Malcolm  <dmalcolm@redhat.com>

	* region-model.cc (poisoned_value_diagnostic::emit): Update for
	renaming of warning_at overload to warning_meta.
	* sm-file.cc (file_leak::emit): Likewise.
	* sm-malloc.cc (double_free::emit): Likewise.
	(possible_null_deref::emit): Likewise.
	(possible_null_arg::emit): Likewise.
	(null_deref::emit): Likewise.
	(null_arg::emit): Likewise.
	(use_after_free::emit): Likewise.
	(malloc_leak::emit): Likewise.
	(free_of_non_heap::emit): Likewise.
	* sm-sensitive.cc (exposure_through_output_file::emit): Likewise.
	* sm-signal.cc (signal_unsafe_call::emit): Likewise.
	* sm-taint.cc (tainted_array_index::emit): Likewise.

2020-01-27  David Malcolm  <dmalcolm@redhat.com>

	PR analyzer/93451
	* region-model.cc (tree_cmp): For the REAL_CST case, impose an
	arbitrary order on NaNs relative to other NaNs and to non-NaNs;
	const-correctness tweak.
	(ana::selftests::build_real_cst_from_string): New function.
	(ana::selftests::append_interesting_constants): New function.
	(ana::selftests::test_tree_cmp_on_constants): New test.
	(ana::selftests::test_canonicalization_4): New test.
	(ana::selftests::analyzer_region_model_cc_tests): Call the new
	tests.

2020-01-27  David Malcolm  <dmalcolm@redhat.com>

	PR analyzer/93349
	* engine.cc (run_checkers): Save and restore input_location.

2020-01-27  David Malcolm  <dmalcolm@redhat.com>

	* call-string.cc (call_string::cmp_1): Delete, moving body to...
	(call_string::cmp): ...here.
	* call-string.h (call_string::cmp_1): Delete decl.
	* engine.cc (worklist::key_t::cmp_1): Delete, moving body to...
	(worklist::key_t::cmp): ...here.  Implement hash comparisons
	via comparison rather than subtraction to avoid overflow issues.
	* exploded-graph.h (worklist::key_t::cmp_1): Delete decl.
	* region-model.cc (tree_cmp): Eliminate buggy checking for
	symmetry.

2020-01-27  David Malcolm  <dmalcolm@redhat.com>

	* analyzer.cc (is_named_call_p): Check that fndecl is "extern"
	and at file scope.  Potentially disregard prefix _ or __ in
	fndecl's name.  Bail if the identifier is NULL.
	(is_setjmp_call_p): Expect a gcall rather than plain gimple.
	Remove special-case check for leading prefix, and also check for
	sigsetjmp.
	(is_longjmp_call_p): Also check for siglongjmp.
	(get_user_facing_name): New function.
	* analyzer.h (is_setjmp_call_p): Expect a gcall rather than plain
	gimple.
	(get_user_facing_name): New decl.
	* checker-path.cc (setjmp_event::get_desc): Use
	get_user_facing_name to avoid hardcoding the function name.
	(rewind_event::rewind_event): Add rewind_info param, using it to
	initialize new m_rewind_info field, and strengthen the assertion.
	(rewind_from_longjmp_event::get_desc): Use get_user_facing_name to
	avoid hardcoding the function name.
	(rewind_to_setjmp_event::get_desc): Likewise.
	* checker-path.h (setjmp_event::setjmp_event): Add setjmp_call
	param and use it to initialize...
	(setjmp_event::m_setjmp_call): New field.
	(rewind_event::rewind_event): Add rewind_info param.
	(rewind_event::m_rewind_info): New protected field.
	(rewind_from_longjmp_event::rewind_from_longjmp_event): Add
	rewind_info param.
	(class rewind_to_setjmp_event): Move rewind_info field to parent
	class.
	* diagnostic-manager.cc (diagnostic_manager::add_events_for_eedge):
	Update setjmp-handling for is_setjmp_call_p requiring a gcall;
	pass the call to the new setjmp_event.
	* engine.cc (exploded_node::on_stmt): Update for is_setjmp_call_p
	requiring a gcall.
	(stale_jmp_buf::emit): Use get_user_facing_name to avoid
	hardcoding the function names.
	(exploded_node::on_longjmp): Pass the longjmp_call when
	constructing rewind_info.
	(rewind_info_t::add_events_to_path): Pass the rewind_info_t to the
	rewind_from_longjmp_event's ctor.
	* exploded-graph.h (rewind_info_t::rewind_info_t): Add
	longjmp_call param.
	(rewind_info_t::get_longjmp_call): New.
	(rewind_info_t::m_longjmp_call): New.
	* region-model.cc (region_model::on_setjmp): Update comment to
	indicate this is also for sigsetjmp.
	* region-model.h (struct setjmp_record): Likewise.
	(class setjmp_svalue): Likewise.

2020-01-27  David Malcolm  <dmalcolm@redhat.com>

	PR analyzer/93276
	* analyzer.h (PUSH_IGNORE_WFORMAT, POP_IGNORE_WFORMAT): Guard these
	macros with GCC_VERSION >= 4006, making them no-op otherwise.
	* engine.cc (exploded_edge::exploded_edge): Specify template for
	base class initializer.
	(exploded_graph::add_edge): Specify template when chaining up to
	base class add_edge implementation.
	(viz_callgraph_node::dump_dot): Drop redundant "typename".
	(viz_callgraph_edge::viz_callgraph_edge): Specify template for
	base class initializer.
	* program-state.cc (sm_state_map::clone_with_remapping): Drop
	redundant "typename".
	(sm_state_map::print): Likewise.
	(sm_state_map::hash): Likewise.
	(sm_state_map::operator==): Likewise.
	(sm_state_map::remap_svalue_ids): Likewise.
	(sm_state_map::on_svalue_purge): Likewise.
	(sm_state_map::validate): Likewise.
	* program-state.h (sm_state_map::iterator_t): Likewise.
	* supergraph.h (superedge::superedge): Specify template for base
	class initializer.

2020-01-23  David Malcolm  <dmalcolm@redhat.com>

	PR analyzer/93375
	* supergraph.cc (callgraph_superedge::get_arg_for_parm): Fail
	gracefully if the number of parameters at the callee exceeds the
	number of arguments at the call stmt.
	(callgraph_superedge::get_parm_for_arg): Likewise.

2020-01-22  David Malcolm  <dmalcolm@redhat.com>

	PR analyzer/93382
	* program-state.cc (sm_state_map::on_svalue_purge): If the
	entry survives, but the origin is being purged, then reset the
	origin to null.

2020-01-22  David Malcolm  <dmalcolm@redhat.com>

	* sm-signal.cc: Fix nesting of CHECKING_P and namespace ana.

2020-01-22  David Malcolm  <dmalcolm@redhat.com>

	PR analyzer/93378
	* engine.cc (setjmp_svalue::compare_fields): Update for
	replacement of m_enode with m_setjmp_record.
	(setjmp_svalue::add_to_hash): Likewise.
	(setjmp_svalue::get_index): Rename...
	(setjmp_svalue::get_enode_index): ...to this.
	(setjmp_svalue::print_details): Update for replacement of m_enode
	with m_setjmp_record.
	(exploded_node::on_longjmp): Likewise.
	* exploded-graph.h (rewind_info_t::m_enode_origin): Replace...
	(rewind_info_t::m_setjmp_record): ...with this.
	(rewind_info_t::rewind_info_t): Update for replacement of m_enode
	with m_setjmp_record.
	(rewind_info_t::get_setjmp_point): Likewise.
	(rewind_info_t::get_setjmp_call): Likewise.
	* region-model.cc (region_model::dump_summary_of_map): Likewise.
	(region_model::on_setjmp): Likewise.
	* region-model.h (struct setjmp_record): New struct.
	(setjmp_svalue::m_enode): Replace...
	(setjmp_svalue::m_setjmp_record): ...with this.
	(setjmp_svalue::setjmp_svalue): Update for replacement of m_enode
	with m_setjmp_record.
	(setjmp_svalue::clone): Likewise.
	(setjmp_svalue::get_index): Rename...
	(setjmp_svalue::get_enode_index): ...to this.
	(setjmp_svalue::get_exploded_node): Replace...
	(setjmp_svalue::get_setjmp_record): ...with this.

2020-01-22  David Malcolm  <dmalcolm@redhat.com>

	PR analyzer/93316
	* analyzer.cc (is_setjmp_call_p): Check for "setjmp" as well as
	"_setjmp".

2020-01-22  David Malcolm  <dmalcolm@redhat.com>

	PR analyzer/93307
	* analysis-plan.h: Wrap everything in namespace "ana".
	* analyzer-logging.cc: Likewise.
	* analyzer-logging.h: Likewise.
	* analyzer-pass.cc (pass_analyzer::execute): Update for "ana"
	namespace.
	* analyzer-selftests.cc: Wrap everything in namespace "ana".
	* analyzer-selftests.h: Likewise.
	* analyzer.h: Likewise for forward decls of types.
	* call-string.h: Likewise.
	* checker-path.cc: Likewise.
	* checker-path.h: Likewise.
	* constraint-manager.cc: Likewise.
	* constraint-manager.h: Likewise.
	* diagnostic-manager.cc: Likewise.
	* diagnostic-manager.h: Likewise.
	* engine.cc: Likewise.
	* engine.h: Likewise.
	* exploded-graph.h: Likewise.
	* function-set.cc: Likewise.
	* function-set.h: Likewise.
	* pending-diagnostic.cc: Likewise.
	* pending-diagnostic.h: Likewise.
	* program-point.cc: Likewise.
	* program-point.h: Likewise.
	* program-state.cc: Likewise.
	* program-state.h: Likewise.
	* region-model.cc: Likewise.
	* region-model.h: Likewise.
	* sm-file.cc: Likewise.
	* sm-malloc.cc: Likewise.
	* sm-pattern-test.cc: Likewise.
	* sm-sensitive.cc: Likewise.
	* sm-signal.cc: Likewise.
	* sm-taint.cc: Likewise.
	* sm.cc: Likewise.
	* sm.h: Likewise.
	* state-purge.h: Likewise.
	* supergraph.cc: Likewise.
	* supergraph.h: Likewise.

2020-01-21  David Malcolm  <dmalcolm@redhat.com>

	PR analyzer/93352
	* region-model.cc (int_cmp): Rename to...
	(array_region::key_cmp): ...this, using key_t rather than int.
	Rewrite in terms of comparisons rather than subtraction to
	ensure qsort is anti-symmetric when handling extreme values.
	(array_region::walk_for_canonicalization): Update for above
	renaming.
	* region-model.h (array_region::key_cmp): New decl.

2020-01-17  David Malcolm  <dmalcolm@redhat.com>

	PR analyzer/93290
	* region-model.cc (region_model::eval_condition_without_cm): Avoid
	gcc_unreachable for unexpected operations for the case where
	we're comparing an svalue against itself.

2020-01-17  David Malcolm  <dmalcolm@redhat.com>

	PR analyzer/93281
	* region-model.cc
	(region_model::convert_byte_offset_to_array_index): Convert to
	ssizetype before dividing by byte_size.  Use fold_binary rather
	than fold_build2 to avoid needlessly constructing a tree for the
	non-const case.

2020-01-15  David Malcolm  <dmalcolm@redhat.com>

	* engine.cc (class impl_region_model_context): Fix comment.

2020-01-14  David Malcolm  <dmalcolm@redhat.com>

	PR analyzer/93212
	* region-model.cc (make_region_for_type): Use
	FUNC_OR_METHOD_TYPE_P rather than comparing against FUNCTION_TYPE.
	* region-model.h (function_region::function_region): Likewise.

2020-01-14  David Malcolm  <dmalcolm@redhat.com>

	* program-state.cc (sm_state_map::clone_with_remapping): Copy
	m_global_state.
	(selftest::test_program_state_merging_2): New selftest.
	(selftest::analyzer_program_state_cc_tests): Call it.

2020-01-14  David Malcolm  <dmalcolm@redhat.com>

	* checker-path.h (checker_path::get_checker_event): New function.
	(checker_path): Add DISABLE_COPY_AND_ASSIGN; make fields private.
	* diagnostic-manager.cc
	(diagnostic_manager::prune_for_sm_diagnostic): Replace direct
	access to checker_path::m_events with accessor functions.  Fix
	overlong line.
	(diagnostic_manager::prune_interproc_events): Replace direct
	access to checker_path::m_events with accessor functions.
	(diagnostic_manager::finish_pruning): Likewise.

2020-01-14  David Malcolm  <dmalcolm@redhat.com>

	* checker-path.h (checker_event::clone): Delete vfunc decl.
	(debug_event::clone): Delete vfunc impl.
	(custom_event::clone): Delete vfunc impl.
	(statement_event::clone): Delete vfunc impl.
	(function_entry_event::clone): Delete vfunc impl.
	(state_change_event::clone): Delete vfunc impl.
	(start_cfg_edge_event::clone): Delete vfunc impl.
	(end_cfg_edge_event::clone): Delete vfunc impl.
	(call_event::clone): Delete vfunc impl.
	(return_event::clone): Delete vfunc impl.
	(setjmp_event::clone): Delete vfunc impl.
	(rewind_from_longjmp_event::clone): Delete vfunc impl.
	(rewind_to_setjmp_event::clone): Delete vfunc impl.
	(warning_event::clone): Delete vfunc impl.

2020-01-14  David Malcolm  <dmalcolm@redhat.com>

	* supergraph.cc (supernode::dump_dot): Ensure that the TABLE
	element has at least one TR.

2020-01-14  David Malcolm  <dmalcolm@redhat.com>

	PR analyzer/58237
	* engine.cc (leak_stmt_finder::find_stmt): Use get_pure_location
	when comparing against UNKNOWN_LOCATION.
	(stmt_requires_new_enode_p): Likewise.
	(exploded_graph::dump_exploded_nodes): Likewise.
	* supergraph.cc (supernode::get_start_location): Likewise.
	(supernode::get_end_location): Likewise.

2020-01-14  David Malcolm  <dmalcolm@redhat.com>

	PR analyzer/58237
	* analyzer-selftests.cc (selftest::run_analyzer_selftests): Call
	selftest::analyzer_sm_file_cc_tests.
	* analyzer-selftests.h (selftest::analyzer_sm_file_cc_tests): New
	decl.
	* sm-file.cc: Include "analyzer/function-set.h" and
	"analyzer/analyzer-selftests.h".
	(get_file_using_fns): New function.
	(is_file_using_fn_p): New function.
	(fileptr_state_machine::on_stmt): Return true for known functions.
	(selftest::analyzer_sm_file_cc_tests): New function.

2020-01-14  David Malcolm  <dmalcolm@redhat.com>

	* analyzer-selftests.cc (selftest::run_analyzer_selftests): Call
	selftest::analyzer_sm_signal_cc_tests.
	* analyzer-selftests.h (selftest::analyzer_sm_signal_cc_tests):
	New decl.
	* sm-signal.cc: Include "analyzer/function-set.h" and
	"analyzer/analyzer-selftests.h".
	(get_async_signal_unsafe_fns): New function.
	(signal_unsafe_p): Reimplement in terms of the above.
	(selftest::analyzer_sm_signal_cc_tests): New function.

2020-01-14  David Malcolm  <dmalcolm@redhat.com>

	* analyzer-selftests.cc (selftest::run_analyzer_selftests): Call
	selftest::analyzer_function_set_cc_tests.
	* analyzer-selftests.h (selftest::analyzer_function_set_cc_tests):
	New decl.
	* function-set.cc: New file.
	* function-set.h: New file.

2020-01-14  David Malcolm  <dmalcolm@redhat.com>

	* analyzer.h (fndecl_has_gimple_body_p): New decl.
	* engine.cc (impl_region_model_context::on_unknown_change): New
	function.
	(fndecl_has_gimple_body_p): Make non-static.
	(exploded_node::on_stmt): Treat __analyzer_dump_exploded_nodes as
	known.  Track whether we have a call with unknown side-effects and
	pass it to on_call_post.
	* exploded-graph.h (impl_region_model_context::on_unknown_change):
	New decl.
	* program-state.cc (sm_state_map::on_unknown_change): New function.
	* program-state.h (sm_state_map::on_unknown_change): New decl.
	* region-model.cc: Include "bitmap.h".
	(region_model::on_call_pre): Return a bool, capturing whether the
	call has unknown side effects.
	(region_model::on_call_post): Add arg "bool unknown_side_effects"
	and if true, call handle_unrecognized_call.
	(class reachable_regions): New class.
	(region_model::handle_unrecognized_call): New function.
	* region-model.h (region_model::on_call_pre): Return a bool.
	(region_model::on_call_post): Add arg "bool unknown_side_effects".
	(region_model::handle_unrecognized_call): New decl.
	(region_model_context::on_unknown_change): New vfunc.
	(test_region_model_context::on_unknown_change): New function.

2020-01-14  David Malcolm  <dmalcolm@redhat.com>

	* diagnostic-manager.cc (saved_diagnostic::operator==): Move here
	from header.
	Replace pointer equality test on m_var with call to
	pending_diagnostic::same_tree_p.
	* diagnostic-manager.h (saved_diagnostic::operator==): Move to
	diagnostic-manager.cc.
	* pending-diagnostic.cc (pending_diagnostic::same_tree_p): New.
	* pending-diagnostic.h (pending_diagnostic::same_tree_p): New.
	* sm-file.cc (file_diagnostic::subclass_equal_p): Replace pointer
	equality on m_arg with call to pending_diagnostic::same_tree_p.
	* sm-malloc.cc (malloc_diagnostic::subclass_equal_p): Likewise.
	(possible_null_arg::subclass_equal_p): Likewise.
	(null_arg::subclass_equal_p): Likewise.
	(free_of_non_heap::subclass_equal_p): Likewise.
	* sm-pattern-test.cc (pattern_match::operator==): Likewise.
	* sm-sensitive.cc (exposure_through_output_file::operator==):
	Likewise.
	* sm-taint.cc (tainted_array_index::operator==): Likewise.

2020-01-14  David Malcolm  <dmalcolm@redhat.com>

	* diagnostic-manager.cc (dedupe_winners::add): Add logging
	of deduplication decisions made.

2020-01-14  David Malcolm  <dmalcolm@redhat.com>

	* ChangeLog: New file.
	* analyzer-selftests.cc: New file.
	* analyzer-selftests.h: New file.
	* analyzer.opt: New file.
	* analysis-plan.cc: New file.
	* analysis-plan.h: New file.
	* analyzer-logging.cc: New file.
	* analyzer-logging.h: New file.
	* analyzer-pass.cc: New file.
	* analyzer.cc: New file.
	* analyzer.h: New file.
	* call-string.cc: New file.
	* call-string.h: New file.
	* checker-path.cc: New file.
	* checker-path.h: New file.
	* constraint-manager.cc: New file.
	* constraint-manager.h: New file.
	* diagnostic-manager.cc: New file.
	* diagnostic-manager.h: New file.
	* engine.cc: New file.
	* engine.h: New file.
	* exploded-graph.h: New file.
	* pending-diagnostic.cc: New file.
	* pending-diagnostic.h: New file.
	* program-point.cc: New file.
	* program-point.h: New file.
	* program-state.cc: New file.
	* program-state.h: New file.
	* region-model.cc: New file.
	* region-model.h: New file.
	* sm-file.cc: New file.
	* sm-malloc.cc: New file.
	* sm-malloc.dot: New file.
	* sm-pattern-test.cc: New file.
	* sm-sensitive.cc: New file.
	* sm-signal.cc: New file.
	* sm-taint.cc: New file.
	* sm.cc: New file.
	* sm.h: New file.
	* state-purge.cc: New file.
	* state-purge.h: New file.
	* supergraph.cc: New file.
	* supergraph.h: New file.

2019-12-13  David Malcolm  <dmalcolm@redhat.com>

	* Initial creation


Copyright (C) 2019-2022 Free Software Foundation, Inc.

Copying and distribution of this file, with or without modification,
are permitted in any medium without royalty provided the copyright
notice and this notice are preserved.