1 /* Warn on problematic uses of alloca and variable length arrays. 2 Copyright (C) 2016-2017 Free Software Foundation, Inc. 3 Contributed by Aldy Hernandez <aldyh@redhat.com>. 4 5 This file is part of GCC. 6 7 GCC is free software; you can redistribute it and/or modify it under 8 the terms of the GNU General Public License as published by the Free 9 Software Foundation; either version 3, or (at your option) any later 10 version. 11 12 GCC is distributed in the hope that it will be useful, but WITHOUT ANY 13 WARRANTY; without even the implied warranty of MERCHANTABILITY or 14 FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License 15 for more details. 16 17 You should have received a copy of the GNU General Public License 18 along with GCC; see the file COPYING3. If not see 19 <http://www.gnu.org/licenses/>. */ 20 21 #include "config.h" 22 #include "system.h" 23 #include "coretypes.h" 24 #include "backend.h" 25 #include "tree.h" 26 #include "gimple.h" 27 #include "tree-pass.h" 28 #include "ssa.h" 29 #include "gimple-pretty-print.h" 30 #include "diagnostic-core.h" 31 #include "fold-const.h" 32 #include "gimple-iterator.h" 33 #include "tree-ssa.h" 34 #include "params.h" 35 #include "tree-cfg.h" 36 #include "calls.h" 37 #include "cfgloop.h" 38 #include "intl.h" 39 40 const pass_data pass_data_walloca = { 41 GIMPLE_PASS, 42 "walloca", 43 OPTGROUP_NONE, 44 TV_NONE, 45 PROP_cfg, // properties_required 46 0, // properties_provided 47 0, // properties_destroyed 48 0, // properties_start 49 0, // properties_finish 50 }; 51 52 class pass_walloca : public gimple_opt_pass 53 { 54 public: 55 pass_walloca (gcc::context *ctxt) 56 : gimple_opt_pass(pass_data_walloca, ctxt), first_time_p (false) 57 {} 58 opt_pass *clone () { return new pass_walloca (m_ctxt); } 59 void set_pass_param (unsigned int n, bool param) 60 { 61 gcc_assert (n == 0); 62 first_time_p = param; 63 } 64 virtual bool gate (function *); 65 virtual unsigned int execute (function *); 66 67 private: 68 // Set to TRUE the first time we run this pass on a function. 69 bool first_time_p; 70 }; 71 72 bool 73 pass_walloca::gate (function *fun ATTRIBUTE_UNUSED) 74 { 75 // The first time this pass is called, it is called before 76 // optimizations have been run and range information is unavailable, 77 // so we can only perform strict alloca checking. 78 if (first_time_p) 79 return warn_alloca != 0; 80 81 return ((unsigned HOST_WIDE_INT) warn_alloca_limit > 0 82 || (unsigned HOST_WIDE_INT) warn_vla_limit > 0); 83 } 84 85 // Possible problematic uses of alloca. 86 enum alloca_type { 87 // Alloca argument is within known bounds that are appropriate. 88 ALLOCA_OK, 89 90 // Alloca argument is KNOWN to have a value that is too large. 91 ALLOCA_BOUND_DEFINITELY_LARGE, 92 93 // Alloca argument may be too large. 94 ALLOCA_BOUND_MAYBE_LARGE, 95 96 // Alloca argument is bounded but of an indeterminate size. 97 ALLOCA_BOUND_UNKNOWN, 98 99 // Alloca argument was casted from a signed integer. 100 ALLOCA_CAST_FROM_SIGNED, 101 102 // Alloca appears in a loop. 103 ALLOCA_IN_LOOP, 104 105 // Alloca argument is 0. 106 ALLOCA_ARG_IS_ZERO, 107 108 // Alloca call is unbounded. That is, there is no controlling 109 // predicate for its argument. 110 ALLOCA_UNBOUNDED 111 }; 112 113 // Type of an alloca call with its corresponding limit, if applicable. 114 struct alloca_type_and_limit { 115 enum alloca_type type; 116 // For ALLOCA_BOUND_MAYBE_LARGE and ALLOCA_BOUND_DEFINITELY_LARGE 117 // types, this field indicates the assumed limit if known or 118 // integer_zero_node if unknown. For any other alloca types, this 119 // field is undefined. 120 wide_int limit; 121 alloca_type_and_limit (); 122 alloca_type_and_limit (enum alloca_type type, 123 wide_int i) : type(type), limit(i) { } 124 alloca_type_and_limit (enum alloca_type type) : type(type) { } 125 }; 126 127 // NOTE: When we get better range info, this entire function becomes 128 // irrelevant, as it should be possible to get range info for an SSA 129 // name at any point in the program. 130 // 131 // We have a few heuristics up our sleeve to determine if a call to 132 // alloca() is within bounds. Try them out and return the type of 133 // alloca call with its assumed limit (if applicable). 134 // 135 // Given a known argument (ARG) to alloca() and an EDGE (E) 136 // calculating said argument, verify that the last statement in the BB 137 // in E->SRC is a gate comparing ARG to an acceptable bound for 138 // alloca(). See examples below. 139 // 140 // If set, ARG_CASTED is the possible unsigned argument to which ARG 141 // was casted to. This is to handle cases where the controlling 142 // predicate is looking at a casted value, not the argument itself. 143 // arg_casted = (size_t) arg; 144 // if (arg_casted < N) 145 // goto bb3; 146 // else 147 // goto bb5; 148 // 149 // MAX_SIZE is WARN_ALLOCA= adjusted for VLAs. It is the maximum size 150 // in bytes we allow for arg. 151 152 static struct alloca_type_and_limit 153 alloca_call_type_by_arg (tree arg, tree arg_casted, edge e, unsigned max_size) 154 { 155 basic_block bb = e->src; 156 gimple_stmt_iterator gsi = gsi_last_bb (bb); 157 gimple *last = gsi_stmt (gsi); 158 if (!last || gimple_code (last) != GIMPLE_COND) 159 return alloca_type_and_limit (ALLOCA_UNBOUNDED); 160 161 enum tree_code cond_code = gimple_cond_code (last); 162 if (e->flags & EDGE_TRUE_VALUE) 163 ; 164 else if (e->flags & EDGE_FALSE_VALUE) 165 cond_code = invert_tree_comparison (cond_code, false); 166 else 167 return alloca_type_and_limit (ALLOCA_UNBOUNDED); 168 169 // Check for: 170 // if (ARG .COND. N) 171 // goto <bb 3>; 172 // else 173 // goto <bb 4>; 174 // <bb 3>: 175 // alloca(ARG); 176 if ((cond_code == LE_EXPR 177 || cond_code == LT_EXPR 178 || cond_code == GT_EXPR 179 || cond_code == GE_EXPR) 180 && (gimple_cond_lhs (last) == arg 181 || gimple_cond_lhs (last) == arg_casted)) 182 { 183 if (TREE_CODE (gimple_cond_rhs (last)) == INTEGER_CST) 184 { 185 tree rhs = gimple_cond_rhs (last); 186 int tst = wi::cmpu (wi::to_widest (rhs), max_size); 187 if ((cond_code == LT_EXPR && tst == -1) 188 || (cond_code == LE_EXPR && (tst == -1 || tst == 0))) 189 return alloca_type_and_limit (ALLOCA_OK); 190 else 191 { 192 // Let's not get too specific as to how large the limit 193 // may be. Someone's clearly an idiot when things 194 // degrade into "if (N > Y) alloca(N)". 195 if (cond_code == GT_EXPR || cond_code == GE_EXPR) 196 rhs = integer_zero_node; 197 return alloca_type_and_limit (ALLOCA_BOUND_MAYBE_LARGE, rhs); 198 } 199 } 200 else 201 return alloca_type_and_limit (ALLOCA_BOUND_UNKNOWN); 202 } 203 204 // Similarly, but check for a comparison with an unknown LIMIT. 205 // if (LIMIT .COND. ARG) 206 // alloca(arg); 207 // 208 // Where LIMIT has a bound of unknown range. 209 // 210 // Note: All conditions of the form (ARG .COND. XXXX) where covered 211 // by the previous check above, so we only need to look for (LIMIT 212 // .COND. ARG) here. 213 tree limit = gimple_cond_lhs (last); 214 if ((gimple_cond_rhs (last) == arg 215 || gimple_cond_rhs (last) == arg_casted) 216 && TREE_CODE (limit) == SSA_NAME) 217 { 218 wide_int min, max; 219 value_range_type range_type = get_range_info (limit, &min, &max); 220 221 if (range_type == VR_UNDEFINED || range_type == VR_VARYING) 222 return alloca_type_and_limit (ALLOCA_BOUND_UNKNOWN); 223 224 // ?? It looks like the above `if' is unnecessary, as we never 225 // get any VR_RANGE or VR_ANTI_RANGE here. If we had a range 226 // for LIMIT, I suppose we would have taken care of it in 227 // alloca_call_type(), or handled above where we handle (ARG .COND. N). 228 // 229 // If this ever triggers, we should probably figure out why and 230 // handle it, though it is likely to be just an ALLOCA_UNBOUNDED. 231 return alloca_type_and_limit (ALLOCA_UNBOUNDED); 232 } 233 234 return alloca_type_and_limit (ALLOCA_UNBOUNDED); 235 } 236 237 // Return TRUE if SSA's definition is a cast from a signed type. 238 // If so, set *INVALID_CASTED_TYPE to the signed type. 239 240 static bool 241 cast_from_signed_p (tree ssa, tree *invalid_casted_type) 242 { 243 gimple *def = SSA_NAME_DEF_STMT (ssa); 244 if (def 245 && !gimple_nop_p (def) 246 && gimple_assign_cast_p (def) 247 && !TYPE_UNSIGNED (TREE_TYPE (gimple_assign_rhs1 (def)))) 248 { 249 *invalid_casted_type = TREE_TYPE (gimple_assign_rhs1 (def)); 250 return true; 251 } 252 return false; 253 } 254 255 // Return TRUE if X has a maximum range of MAX, basically covering the 256 // entire domain, in which case it's no range at all. 257 258 static bool 259 is_max (tree x, wide_int max) 260 { 261 return wi::max_value (TREE_TYPE (x)) == max; 262 } 263 264 // Analyze the alloca call in STMT and return the alloca type with its 265 // corresponding limit (if applicable). IS_VLA is set if the alloca 266 // call is really a BUILT_IN_ALLOCA_WITH_ALIGN, signifying a VLA. 267 // 268 // If the alloca call may be too large because of a cast from a signed 269 // type to an unsigned type, set *INVALID_CASTED_TYPE to the 270 // problematic signed type. 271 272 static struct alloca_type_and_limit 273 alloca_call_type (gimple *stmt, bool is_vla, tree *invalid_casted_type) 274 { 275 gcc_assert (gimple_alloca_call_p (stmt)); 276 bool tentative_cast_from_signed = false; 277 tree len = gimple_call_arg (stmt, 0); 278 tree len_casted = NULL; 279 wide_int min, max; 280 struct alloca_type_and_limit ret = alloca_type_and_limit (ALLOCA_UNBOUNDED); 281 282 gcc_assert (!is_vla || (unsigned HOST_WIDE_INT) warn_vla_limit > 0); 283 gcc_assert (is_vla || (unsigned HOST_WIDE_INT) warn_alloca_limit > 0); 284 285 // Adjust warn_alloca_max_size for VLAs, by taking the underlying 286 // type into account. 287 unsigned HOST_WIDE_INT max_size; 288 if (is_vla) 289 max_size = (unsigned HOST_WIDE_INT) warn_vla_limit; 290 else 291 max_size = (unsigned HOST_WIDE_INT) warn_alloca_limit; 292 293 // Check for the obviously bounded case. 294 if (TREE_CODE (len) == INTEGER_CST) 295 { 296 if (tree_to_uhwi (len) > max_size) 297 return alloca_type_and_limit (ALLOCA_BOUND_DEFINITELY_LARGE, len); 298 if (integer_zerop (len)) 299 return alloca_type_and_limit (ALLOCA_ARG_IS_ZERO); 300 ret = alloca_type_and_limit (ALLOCA_OK); 301 } 302 // Check the range info if available. 303 else if (TREE_CODE (len) == SSA_NAME) 304 { 305 value_range_type range_type = get_range_info (len, &min, &max); 306 if (range_type == VR_RANGE) 307 { 308 if (wi::leu_p (max, max_size)) 309 ret = alloca_type_and_limit (ALLOCA_OK); 310 else 311 { 312 // A cast may have created a range we don't care 313 // about. For instance, a cast from 16-bit to 314 // 32-bit creates a range of 0..65535, even if there 315 // is not really a determinable range in the 316 // underlying code. In this case, look through the 317 // cast at the original argument, and fall through 318 // to look at other alternatives. 319 // 320 // We only look at through the cast when its from 321 // unsigned to unsigned, otherwise we may risk 322 // looking at SIGNED_INT < N, which is clearly not 323 // what we want. In this case, we'd be interested 324 // in a VR_RANGE of [0..N]. 325 // 326 // Note: None of this is perfect, and should all go 327 // away with better range information. But it gets 328 // most of the cases. 329 gimple *def = SSA_NAME_DEF_STMT (len); 330 if (gimple_assign_cast_p (def)) 331 { 332 tree rhs1 = gimple_assign_rhs1 (def); 333 tree rhs1type = TREE_TYPE (rhs1); 334 335 // Bail if the argument type is not valid. 336 if (!INTEGRAL_TYPE_P (rhs1type)) 337 return alloca_type_and_limit (ALLOCA_OK); 338 339 if (TYPE_UNSIGNED (rhs1type)) 340 { 341 len_casted = rhs1; 342 range_type = get_range_info (len_casted, &min, &max); 343 } 344 } 345 // An unknown range or a range of the entire domain is 346 // really no range at all. 347 if (range_type == VR_VARYING 348 || (!len_casted && is_max (len, max)) 349 || (len_casted && is_max (len_casted, max))) 350 { 351 // Fall through. 352 } 353 else if (range_type == VR_ANTI_RANGE) 354 return alloca_type_and_limit (ALLOCA_UNBOUNDED); 355 else if (range_type != VR_VARYING) 356 return alloca_type_and_limit (ALLOCA_BOUND_MAYBE_LARGE, max); 357 } 358 } 359 else if (range_type == VR_ANTI_RANGE) 360 { 361 // There may be some wrapping around going on. Catch it 362 // with this heuristic. Hopefully, this VR_ANTI_RANGE 363 // nonsense will go away, and we won't have to catch the 364 // sign conversion problems with this crap. 365 // 366 // This is here to catch things like: 367 // void foo(signed int n) { 368 // if (n < 100) 369 // alloca(n); 370 // ... 371 // } 372 if (cast_from_signed_p (len, invalid_casted_type)) 373 { 374 // Unfortunately this also triggers: 375 // 376 // __SIZE_TYPE__ n = (__SIZE_TYPE__)blah; 377 // if (n < 100) 378 // alloca(n); 379 // 380 // ...which is clearly bounded. So, double check that 381 // the paths leading up to the size definitely don't 382 // have a bound. 383 tentative_cast_from_signed = true; 384 } 385 } 386 // No easily determined range and try other things. 387 } 388 389 // If we couldn't find anything, try a few heuristics for things we 390 // can easily determine. Check these misc cases but only accept 391 // them if all predecessors have a known bound. 392 basic_block bb = gimple_bb (stmt); 393 if (ret.type == ALLOCA_UNBOUNDED) 394 { 395 ret.type = ALLOCA_OK; 396 for (unsigned ix = 0; ix < EDGE_COUNT (bb->preds); ix++) 397 { 398 gcc_assert (!len_casted || TYPE_UNSIGNED (TREE_TYPE (len_casted))); 399 ret = alloca_call_type_by_arg (len, len_casted, 400 EDGE_PRED (bb, ix), max_size); 401 if (ret.type != ALLOCA_OK) 402 break; 403 } 404 } 405 406 if (tentative_cast_from_signed && ret.type != ALLOCA_OK) 407 return alloca_type_and_limit (ALLOCA_CAST_FROM_SIGNED); 408 return ret; 409 } 410 411 // Return TRUE if the alloca call in STMT is in a loop, otherwise 412 // return FALSE. As an exception, ignore alloca calls for VLAs that 413 // occur in a loop since those will be cleaned up when they go out of 414 // scope. 415 416 static bool 417 in_loop_p (bool is_vla, gimple *stmt) 418 { 419 basic_block bb = gimple_bb (stmt); 420 if (bb->loop_father 421 && bb->loop_father->header != ENTRY_BLOCK_PTR_FOR_FN (cfun)) 422 { 423 // Do not warn on VLAs occurring in a loop, since VLAs are 424 // guaranteed to be cleaned up when they go out of scope. 425 // That is, there is a corresponding __builtin_stack_restore 426 // at the end of the scope in which the VLA occurs. 427 tree fndecl = gimple_call_fn (stmt); 428 while (TREE_CODE (fndecl) == ADDR_EXPR) 429 fndecl = TREE_OPERAND (fndecl, 0); 430 if (DECL_BUILT_IN_CLASS (fndecl) == BUILT_IN_NORMAL 431 && is_vla 432 && DECL_FUNCTION_CODE (fndecl) == BUILT_IN_ALLOCA_WITH_ALIGN) 433 return false; 434 435 return true; 436 } 437 return false; 438 } 439 440 unsigned int 441 pass_walloca::execute (function *fun) 442 { 443 basic_block bb; 444 FOR_EACH_BB_FN (bb, fun) 445 { 446 for (gimple_stmt_iterator si = gsi_start_bb (bb); !gsi_end_p (si); 447 gsi_next (&si)) 448 { 449 gimple *stmt = gsi_stmt (si); 450 location_t loc = gimple_location (stmt); 451 452 if (!gimple_alloca_call_p (stmt)) 453 continue; 454 gcc_assert (gimple_call_num_args (stmt) >= 1); 455 456 bool is_vla = gimple_alloca_call_p (stmt) 457 && gimple_call_alloca_for_var_p (as_a <gcall *> (stmt)); 458 459 // Strict mode whining for VLAs is handled by the front-end, 460 // so we can safely ignore this case. Also, ignore VLAs if 461 // the user doesn't care about them. 462 if (is_vla 463 && (warn_vla > 0 || !warn_vla_limit)) 464 continue; 465 466 if (!is_vla && (warn_alloca || !warn_alloca_limit)) 467 { 468 if (warn_alloca) 469 warning_at (loc, OPT_Walloca, G_("use of %<alloca%>")); 470 continue; 471 } 472 473 tree invalid_casted_type = NULL; 474 struct alloca_type_and_limit t 475 = alloca_call_type (stmt, is_vla, &invalid_casted_type); 476 477 // Even if we think the alloca call is OK, make sure it's 478 // not in a loop. 479 if (t.type == ALLOCA_OK && in_loop_p (is_vla, stmt)) 480 t = alloca_type_and_limit (ALLOCA_IN_LOOP); 481 482 enum opt_code wcode 483 = is_vla ? OPT_Wvla_larger_than_ : OPT_Walloca_larger_than_; 484 char buff[WIDE_INT_MAX_PRECISION / 4 + 4]; 485 switch (t.type) 486 { 487 case ALLOCA_OK: 488 break; 489 case ALLOCA_BOUND_MAYBE_LARGE: 490 if (warning_at (loc, wcode, 491 is_vla ? G_("argument to variable-length array " 492 "may be too large") 493 : G_("argument to %<alloca%> may be too large")) 494 && t.limit != integer_zero_node) 495 { 496 print_decu (t.limit, buff); 497 inform (loc, G_("limit is %u bytes, but argument " 498 "may be as large as %s"), 499 is_vla ? warn_vla_limit : warn_alloca_limit, buff); 500 } 501 break; 502 case ALLOCA_BOUND_DEFINITELY_LARGE: 503 if (warning_at (loc, wcode, 504 is_vla ? G_("argument to variable-length array " 505 "is too large") 506 : G_("argument to %<alloca%> is too large")) 507 && t.limit != integer_zero_node) 508 { 509 print_decu (t.limit, buff); 510 inform (loc, G_("limit is %u bytes, but argument is %s"), 511 is_vla ? warn_vla_limit : warn_alloca_limit, buff); 512 } 513 break; 514 case ALLOCA_BOUND_UNKNOWN: 515 warning_at (loc, wcode, 516 is_vla ? G_("variable-length array bound is unknown") 517 : G_("%<alloca%> bound is unknown")); 518 break; 519 case ALLOCA_UNBOUNDED: 520 warning_at (loc, wcode, 521 is_vla ? G_("unbounded use of variable-length array") 522 : G_("unbounded use of %<alloca%>")); 523 break; 524 case ALLOCA_IN_LOOP: 525 gcc_assert (!is_vla); 526 warning_at (loc, wcode, G_("use of %<alloca%> within a loop")); 527 break; 528 case ALLOCA_CAST_FROM_SIGNED: 529 gcc_assert (invalid_casted_type != NULL_TREE); 530 warning_at (loc, wcode, 531 is_vla ? G_("argument to variable-length array " 532 "may be too large due to " 533 "conversion from %qT to %qT") 534 : G_("argument to %<alloca%> may be too large " 535 "due to conversion from %qT to %qT"), 536 invalid_casted_type, size_type_node); 537 break; 538 case ALLOCA_ARG_IS_ZERO: 539 warning_at (loc, wcode, 540 is_vla ? G_("argument to variable-length array " 541 "is zero") 542 : G_("argument to %<alloca%> is zero")); 543 break; 544 default: 545 gcc_unreachable (); 546 } 547 } 548 } 549 return 0; 550 } 551 552 gimple_opt_pass * 553 make_pass_walloca (gcc::context *ctxt) 554 { 555 return new pass_walloca (ctxt); 556 } 557