diff options
| author | David Malcolm <dmalcolm@redhat.com> | 2022-04-14 09:52:00 -0400 |
|---|---|---|
| committer | David Malcolm <dmalcolm@redhat.com> | 2022-04-14 18:42:34 -0400 |
| commit | a358e4b60815b41e27f3508014ceb592f86b9b45 (patch) | |
| tree | cd2325b0d8fb044595e2689284b3d83fc38b4d7b /gcc/analyzer/region-model-reachability.cc | |
| parent | af27d545dc6132dcd67d1ee854372ea9cfd2a225 (diff) | |
| download | gcc-a358e4b60815b41e27f3508014ceb592f86b9b45.zip gcc-a358e4b60815b41e27f3508014ceb592f86b9b45.tar.gz gcc-a358e4b60815b41e27f3508014ceb592f86b9b45.tar.bz2 | |
analyzer: fix escaping of pointer arithmetic [PR105264]
PR analyzer/105264 reports that the analyzer can fail to treat
(PTR + IDX) and PTR[IDX] as referring to the same memory under
some situations.
There are various ways in which this can happen when IDX is a
symbolic value, due to having several ways in which such memory
regions can be referred to symbolically. I attempted to fix this by
being smarter when folding svalues and regions, but this fix
seems too fiddly to attempt in stage 4.
Instead, this less ambitious patch fixes a false positive from
-Wanalyzer-use-of-uninitialized-value by making the analyzer's escape
analysis smarter, so that it treats *PTR as escaping when
(PTR + OFFSET) is passed to an external function, and thus
it treats *PTR as possibly-initialized (the "passing &PTR[IDX]" case
was already working).
gcc/analyzer/ChangeLog:
PR analyzer/105264
* region-model-reachability.cc (reachable_regions::handle_parm):
Use maybe_get_deref_base_region rather than just region_svalue, to
handle pointer arithmetic also.
* svalue.cc (svalue::maybe_get_deref_base_region): New.
* svalue.h (svalue::maybe_get_deref_base_region): New decl.
gcc/testsuite/ChangeLog:
PR analyzer/105264
* gcc.dg/analyzer/torture/symbolic-10.c: New test.
Signed-off-by: David Malcolm <dmalcolm@redhat.com>
Diffstat (limited to 'gcc/analyzer/region-model-reachability.cc')
| -rw-r--r-- | gcc/analyzer/region-model-reachability.cc | 8 |
1 files changed, 2 insertions, 6 deletions
diff --git a/gcc/analyzer/region-model-reachability.cc b/gcc/analyzer/region-model-reachability.cc index b876b8f..12d09c3 100644 --- a/gcc/analyzer/region-model-reachability.cc +++ b/gcc/analyzer/region-model-reachability.cc @@ -252,12 +252,8 @@ reachable_regions::handle_parm (const svalue *sval, tree param_type) m_mutable_svals.add (sval); else m_reachable_svals.add (sval); - if (const region_svalue *parm_ptr - = sval->dyn_cast_region_svalue ()) - { - const region *pointee_reg = parm_ptr->get_pointee (); - add (pointee_reg, is_mutable); - } + if (const region *base_reg = sval->maybe_get_deref_base_region ()) + add (base_reg, is_mutable); /* Treat all svalues within a compound_svalue as reachable. */ if (const compound_svalue *compound_sval = sval->dyn_cast_compound_svalue ()) |