analyzer: fix escaping of pointer arithmetic [PR105264]

PR analyzer/105264 reports that the analyzer can fail to treat
(PTR + IDX) and PTR[IDX] as referring to the same memory under
some situations.

There are various ways in which this can happen when IDX is a
symbolic value, due to having several ways in which such memory
regions can be referred to symbolically.  I attempted to fix this by
being smarter when folding svalues and regions, but this fix
seems too fiddly to attempt in stage 4.

Instead, this less ambitious patch fixes a false positive from
-Wanalyzer-use-of-uninitialized-value by making the analyzer's escape
analysis smarter, so that it treats *PTR as escaping when
(PTR + OFFSET) is passed to an external function, and thus
it treats *PTR as possibly-initialized (the "passing &PTR[IDX]" case
was already working).

gcc/analyzer/ChangeLog:
	PR analyzer/105264
	* region-model-reachability.cc (reachable_regions::handle_parm):
	Use maybe_get_deref_base_region rather than just region_svalue, to
	handle pointer arithmetic also.
	* svalue.cc (svalue::maybe_get_deref_base_region): New.
	* svalue.h (svalue::maybe_get_deref_base_region): New decl.

gcc/testsuite/ChangeLog:
	PR analyzer/105264
	* gcc.dg/analyzer/torture/symbolic-10.c: New test.

Signed-off-by: David Malcolm <dmalcolm@redhat.com>

3 files changed, 46 insertions, 6 deletions

diff --git a/gcc/analyzer/region-model-reachability.cc b/gcc/analyzer/region-model-reachability.cc
index b876b8f..12d09c3 100644
--- a/gcc/analyzer/region-model-reachability.cc
+++ b/gcc/analyzer/region-model-reachability.cc
@@ -252,12 +252,8 @@ reachable_regions::handle_parm (const svalue *sval, tree param_type)
     m_mutable_svals.add (sval);
   else
     m_reachable_svals.add (sval);
-  if (const region_svalue *parm_ptr
-      = sval->dyn_cast_region_svalue ())
-    {
-      const region *pointee_reg = parm_ptr->get_pointee ();
-      add (pointee_reg, is_mutable);
-    }
+  if (const region *base_reg = sval->maybe_get_deref_base_region ())
+    add (base_reg, is_mutable);
   /* Treat all svalues within a compound_svalue as reachable.  */
   if (const compound_svalue *compound_sval
       = sval->dyn_cast_compound_svalue ())
diff --git a/gcc/analyzer/svalue.cc b/gcc/analyzer/svalue.cc
index 536bc28..a1403f0 100644
--- a/gcc/analyzer/svalue.cc
+++ b/gcc/analyzer/svalue.cc
@@ -651,6 +651,48 @@ svalue::all_zeroes_p () const
   return false;
 }
 
+/* If this svalue is a pointer, attempt to determine the base region it points
+   to.  Return NULL on any problems.  */
+
+const region *
+svalue::maybe_get_deref_base_region () const
+{
+  const svalue *iter = this;
+  while (1)
+    {
+      switch (iter->get_kind ())
+	{
+	default:
+	  return NULL;
+
+	case SK_REGION:
+	  {
+	    const region_svalue *region_sval
+	      = as_a <const region_svalue *> (iter);
+	    return region_sval->get_pointee ()->get_base_region ();
+	  }
+
+	case SK_BINOP:
+	  {
+	    const binop_svalue *binop_sval
+	      = as_a <const binop_svalue *> (iter);
+	    switch (binop_sval->get_op ())
+	      {
+	      case POINTER_PLUS_EXPR:
+		/* If we have a symbolic value expressing pointer arithmetic,
+		   use the LHS.  */
+		iter = binop_sval->get_arg0 ();
+		continue;
+
+	      default:
+		return NULL;
+	      }
+	    return NULL;
+	  }
+	}
+    }
+}
+
 /* class region_svalue : public svalue.  */
 
 /* Implementation of svalue::dump_to_pp vfunc for region_svalue.  */
diff --git a/gcc/analyzer/svalue.h b/gcc/analyzer/svalue.h
index 4bbe858..29ea2ee 100644
--- a/gcc/analyzer/svalue.h
+++ b/gcc/analyzer/svalue.h
@@ -175,6 +175,8 @@ public:
      per-type and thus it's meaningless for them to "have state".  */
   virtual bool can_have_associated_state_p () const { return true; }
 
+  const region *maybe_get_deref_base_region () const;
+
  protected:
   svalue (complexity c, tree type)
   : m_complexity (c), m_type (type)