[PR105948,PR94355]
Fixed spurious possibly-NULL warning always tagging along throwing
operator new despite it never returning NULL.
Now operator new is correctly recognized as possibly returning NULL
if and only if it is non-throwing or exceptions have been disabled.
Different standard signatures of operator new are now properly
recognized.
Added support for placement new, so that it is now properly recognized,
and a 'heap_allocated' region is no longer created for it.
Placement new size is also checked and a 'Wanalyzer-allocation-size'
is emitted when relevant, as well as always a 'Wanalyzer-out-of-bounds'.
'operator new' non-throwing variants are detected by checking the types
of the parameters.
Indeed, in a call to new (std::nothrow) () the chosen overload
has signature 'operator new (void*, std::nothrow_t&)', where the second
parameter is a reference. In a placement new, the second parameter will
always be a void pointer.
Prior to this patch, some buffers first allocated with 'new', then deleted
and thereafter used would result in a 'Wanalyzer-use-after-free'
warning. However the wording was "use after 'free'" instead of the
expected "use after 'delete'".
This patch fixes this by introducing a new kind of poisoned value,
namely POISON_KIND_DELETED.
Due to how the analyzer sees calls to non-throwing variants of
operator new, dereferencing a pointer freshly allocated in this fashion
caused both a 'Wanalyzer-use-of-uninitialized-value' and a
'Wanalyzer-null-dereference' to be emitted, while only the latter was
relevant. As a result, 'null-dereference' now supersedes
'use-of-uninitialized'.
Signed-off-by: benjamin priour <vultkayn@gcc.gnu.org>
gcc/analyzer/ChangeLog:
PR analyzer/105948
PR analyzer/94355
* analyzer.h (is_placement_new_p): New declaration.
* call-details.cc
(call_details::deref_ptr_arg): New function.
Dereference the argument at given index if possible.
* call-details.h: Declaration of the above function.
* kf-lang-cp.cc (is_placement_new_p): Returns true if the gcall
is recognized as a placement new.
(kf_operator_delete::impl_call_post): Unbinding a region and its
descendants now poisons with POISON_KIND_DELETED.
(register_known_functions_lang_cp): Known function "operator
delete" is now registered only once independently of its number of
arguments.
* region-model.cc (region_model::eval_condition): Now
recursively calls itself if either operand is wrapped in a
cast.
* sm-malloc.cc (malloc_state_machine::on_stmt):
Add placement new recognition.
* svalue.cc (poison_kind_to_str): Wording for the new PK.
* svalue.h (enum poison_kind): Add value POISON_KIND_DELETED.
gcc/testsuite/ChangeLog:
PR analyzer/105948
PR analyzer/94355
* g++.dg/analyzer/out-of-bounds-placement-new.C: Added a directive.
* g++.dg/analyzer/placement-new.C: Added tests.
* g++.dg/analyzer/new-2.C: New test.
* g++.dg/analyzer/noexcept-new.C: New test.
* g++.dg/analyzer/placement-new-size.C: New test.
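As an added illustration of the three cases this commit distinguishes (example code written for this page, not part of GCC or its testsuite; the `Packet` type and all helper names are invented): throwing `new` never yields a null pointer, so a null check on its result is dead code; `new (std::nothrow)` can return null and must be checked; placement new allocates nothing and only constructs into storage the caller has already sized and aligned, which is the property the analyzer now checks statically and which a runtime guard checks here.

```cpp
#include <cstddef>
#include <cstdint>
#include <new>

// Constructed example type: 32 bytes, 8-byte aligned.
struct Packet {
    std::uint64_t seq;
    std::uint32_t len;
    unsigned char payload[20];
};

// Throwing operator new never returns nullptr; on failure it throws
// std::bad_alloc.  A null check on its result is dead code (the spurious
// warning this commit removes), so the failure path is the catch block.
Packet* alloc_throwing(bool& failed) {
    failed = false;
    try {
        return new Packet();
    } catch (const std::bad_alloc&) {
        failed = true;
        return nullptr;
    }
}

// The non-throwing variant is the one standard form that can return nullptr
// (the analyzer recognizes it by its std::nothrow_t& parameter), so here a
// check is required before the first dereference.
Packet* alloc_nothrow(std::size_t count, bool& failed) {
    Packet* p = new (std::nothrow) Packet[count]();
    failed = (p == nullptr);
    return p;
}

// Placement new allocates nothing: it constructs into caller-provided
// storage (no 'heap_allocated' region).  The analyzer checks the buffer size
// at compile time; the runtime equivalent is to verify size and alignment
// before constructing.
Packet* construct_in(void* buf, std::size_t buf_len) {
    if (buf == nullptr || buf_len < sizeof(Packet))
        return nullptr;   // object would extend past the buffer
    if (reinterpret_cast<std::uintptr_t>(buf) % alignof(Packet) != 0)
        return nullptr;   // storage is not suitably aligned for Packet
    return new (buf) Packet();
}

// Constructed inputs exercising each path.
bool heap_paths_ok() {
    bool failed = true;
    Packet* a = alloc_throwing(failed);
    bool ok = (a != nullptr && !failed);
    delete a;
    Packet* b = alloc_nothrow(4, failed);
    ok = ok && (b != nullptr && !failed);
    delete[] b;
    return ok;
}

bool placement_rejects_small_buffer() {
    unsigned char small[8];   // too small for a Packet
    return construct_in(small, sizeof small) == nullptr;
}

bool placement_rejects_misaligned() {
    alignas(Packet) unsigned char buf[sizeof(Packet) + alignof(Packet)];
    return construct_in(buf + 1, sizeof(Packet)) == nullptr;
}

bool placement_accepts_fitting_buffer() {
    alignas(Packet) unsigned char buf[sizeof(Packet)];
    Packet* p = construct_in(buf, sizeof buf);
    return p != nullptr && p->seq == 0 && p->len == 0;
}
```

The runtime guard in `construct_in` is what the analyzer's placement-new size check verifies without executing anything: a buffer smaller than `sizeof(Packet)` would be written out of bounds by the constructor.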
|
|
|
|
gcc/ChangeLog:
* config.in: Regenerate.
* config/darwin-c.cc: Change spelling to macOS.
* config/darwin-driver.cc: Likewise.
* config/darwin.h: Likewise.
* configure.ac: Likewise.
* doc/contrib.texi: Likewise.
* doc/extend.texi: Likewise.
* doc/invoke.texi: Likewise.
* doc/plugins.texi: Likewise.
* doc/tm.texi: Regenerate.
* doc/tm.texi.in: Change spelling to macOS.
* plugin.cc: Likewise.
gcc/analyzer/ChangeLog:
* kf.cc: Change spelling to macOS.
gcc/c-family/ChangeLog:
* c.opt: Change spelling to macOS.
gcc/fortran/ChangeLog:
* gfortran.texi: Likewise.
gcc/jit/ChangeLog:
* jit-playback.cc: Change spelling to macOS.
gcc/objc/ChangeLog:
* objc-act.cc: Change spelling to macOS.
|
|
|
|
This patch introduces initial support for reference count checking of
PyObjects in relation to the Python/C API for the CPython plugin.
Additionally, the core analyzer underwent several modifications to
accommodate this feature. These include:
- Introducing support for callbacks at the end of
region_model::pop_frame. This is our current point of validation for
the reference count of PyObjects.
- An added optional custom stmt_finder parameter to
region_model_context::warn. This aids in emitting a diagnostic
concerning the reference count, especially when the stmt_finder is
NULL, which is currently the case during region_model::pop_frame.
The current diagnostic we emit relating to the reference count
appears as follows:
rc3.c:23:10: warning: expected ‘item’ to have reference count: ‘1’ but
ob_refcnt field is: ‘2’
23 | return list;
| ^~~~
‘create_py_object’: events 1-4
|
| 4 | PyObject* item = PyLong_FromLong(3);
| | ^~~~~~~~~~~~~~~~~~
| | |
| | (1) when ‘PyLong_FromLong’ succeeds
| 5 | PyObject* list = PyList_New(1);
| | ~~~~~~~~~~~~~
| | |
| | (2) when ‘PyList_New’ succeeds
|......
| 14 | PyList_Append(list, item);
| | ~~~~~~~~~~~~~~~~~~~~~~~~~
| | |
| | (3) when ‘PyList_Append’ succeeds, moving buffer
|......
| 23 | return list;
| | ~~~~
| | |
| | (4) here
|
This is a WIP in several ways:
- Currently, functions returning PyObject * are assumed to always
produce a new reference.
- The validation of reference count is only for PyObjects created within
a function body. Verifying reference counts for PyObjects passed as
parameters is not supported in this patch.
gcc/analyzer/ChangeLog:
PR analyzer/107646
* engine.cc (impl_region_model_context::warn): New optional
parameter.
* exploded-graph.h (class impl_region_model_context): Likewise.
* region-model.cc (region_model::pop_frame): New callback
feature for region_model::pop_frame.
* region-model.h (struct append_regions_cb_data): Likewise.
(class region_model): Likewise.
(class region_model_context): New optional parameter.
(class region_model_context_decorator): Likewise.
gcc/testsuite/ChangeLog:
PR analyzer/107646
* gcc.dg/plugin/analyzer_cpython_plugin.c: Implements reference
count checking for PyObjects.
* gcc.dg/plugin/cpython-plugin-test-2.c: Moved to...
* gcc.dg/plugin/cpython-plugin-test-PyList_Append.c: ...here
(and added more tests).
* gcc.dg/plugin/cpython-plugin-test-1.c: Moved to...
* gcc.dg/plugin/cpython-plugin-test-no-Python-h.c: ...here (and
added more tests).
* gcc.dg/plugin/plugin.exp: New tests.
* gcc.dg/plugin/cpython-plugin-test-PyList_New.c: New test.
* gcc.dg/plugin/cpython-plugin-test-PyLong_FromLong.c: New test.
Signed-off-by: Eric Feng <ef2648@columbia.edu>
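The ownership rule behind the diagnostic above, as an added example (written for this page, not CPython code and not the plugin's code; `RefObj`, `make_object`, `list_append` and `dec_ref` are invented names modelling the documented semantics of the corresponding Python/C API calls): a function returning a new reference hands the caller one owned reference, appending to a list does not steal it, so the caller must still release its own or the element leaks.

```cpp
#include <cstddef>
#include <vector>

// Constructed model of CPython-style reference counting.  It is not the
// Python/C API: the names are invented, and only the ownership rules behind
// the diagnostic above are modelled.
struct RefObj {
    long ob_refcnt = 1;            // a newly created object has one owner
    std::vector<RefObj*> items;    // populated only for "list" objects
};

// Models "a function returning PyObject* returns a new reference":
// the caller owns the single reference.
RefObj* make_object() { return new RefObj; }
RefObj* make_list()   { return new RefObj; }

// Models PyList_Append's contract: the list takes its own reference
// (an INCREF) and does not steal the caller's, so after the call the item
// has two owners and the caller is still responsible for its own.
int list_append(RefObj* list, RefObj* item) {
    item->ob_refcnt++;
    list->items.push_back(item);
    return 0;
}

// Models Py_DECREF: drop one reference, freeing the object (and releasing
// the references it holds) when the count reaches zero.
void dec_ref(RefObj* o) {
    if (--o->ob_refcnt == 0) {
        for (RefObj* it : o->items)
            dec_ref(it);
        delete o;
    }
}

long first_item_refcnt(const RefObj* list) {
    return list->items.empty() ? 0 : list->items[0]->ob_refcnt;
}

// The shape flagged above: at "return list" the item still has refcount 2
// because the local reference was never dropped, so the element can never
// reach zero and is leaked.
RefObj* create_leaky() {
    RefObj* item = make_object();
    RefObj* list = make_list();
    list_append(list, item);
    return list;                   // item's refcount: 2, expected 1
}

// Corrected version: once the list holds its own reference, release ours.
RefObj* create_fixed() {
    RefObj* item = make_object();
    RefObj* list = make_list();
    list_append(list, item);
    dec_ref(item);                 // the list is now the sole owner
    return list;                   // item's refcount: 1
}
```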
|
|
gcc/analyzer/ChangeLog:
* region-model.cc: Define INCLUDE_ALGORITHM.
|
|
|
|
gcc/ChangeLog:
PR analyzer/99860
* Makefile.in (ANALYZER_OBJS): Add analyzer/ranges.o.
gcc/analyzer/ChangeLog:
PR analyzer/99860
* analyzer-selftests.cc (selftest::run_analyzer_selftests): Call
selftest::analyzer_ranges_cc_tests.
* analyzer-selftests.h (selftest::run_analyzer_selftests): New
decl.
* analyzer.opt (Wanalyzer-overlapping-buffers): New option.
* call-details.cc: Include "analyzer/ranges.h" and "make-unique.h".
(class overlapping_buffers): New.
(call_details::complain_about_overlap): New.
* call-details.h (call_details::complain_about_overlap): New decl.
* kf.cc (kf_memcpy_memmove::impl_call_pre): Call
cd.complain_about_overlap for memcpy and memcpy_chk.
(kf_strcat::impl_call_pre): Call cd.complain_about_overlap.
(kf_strcpy::impl_call_pre): Likewise.
* ranges.cc: New file.
* ranges.h: New file.
gcc/ChangeLog:
PR analyzer/99860
* doc/invoke.texi: Add -Wanalyzer-overlapping-buffers.
gcc/testsuite/ChangeLog:
PR analyzer/99860
* c-c++-common/analyzer/overlapping-buffers.c: New test.
Signed-off-by: David Malcolm <dmalcolm@redhat.com>
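The overlap condition that -Wanalyzer-overlapping-buffers reports for memcpy, strcpy and strcat, as an added example (written for this page, not GCC's ranges.cc; the function names and the `sample`/`greeting` buffers are constructed): two byte ranges overlap exactly when each starts before the other ends, and for the string functions the source range is `strlen(src) + 1` bytes while strcat's destination range begins after the existing contents.

```cpp
#include <cstddef>
#include <cstdint>
#include <cstring>

// Two byte ranges [d, d+n) and [s, s+n) overlap iff each starts before the
// other ends.  A zero-length copy touches no bytes and never overlaps.
bool ranges_overlap(const void* dst, const void* src, std::size_t n) {
    if (n == 0)
        return false;
    std::uintptr_t d = reinterpret_cast<std::uintptr_t>(dst);
    std::uintptr_t s = reinterpret_cast<std::uintptr_t>(src);
    return d < s + n && s < d + n;
}

// memcpy on overlapping ranges is undefined behaviour; this wrapper refuses
// the call instead (memmove is the right primitive when overlap is intended).
bool checked_memcpy(void* dst, const void* src, std::size_t n) {
    if (ranges_overlap(dst, src, n))
        return false;
    std::memcpy(dst, src, n);
    return true;
}

// strcpy reads strlen(src)+1 bytes (terminator included) and writes the same
// number at dst, so the overlap test is the same with that length.
bool strcpy_would_overlap(const char* dst, const char* src) {
    return ranges_overlap(dst, src, std::strlen(src) + 1);
}

// strcat writes starting after dst's existing content, so the destination
// range begins at dst + strlen(dst).  strcat(s, s) is the classic violation.
bool strcat_would_overlap(const char* dst, const char* src) {
    return ranges_overlap(dst + std::strlen(dst), src, std::strlen(src) + 1);
}

// Constructed buffers for the checks.
unsigned char sample[16] = {0, 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15};
char greeting[32] = "abc";
```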
|
|
gcc/analyzer/ChangeLog:
PR analyzer/105899
* kf.cc (kf_strdup::impl_call_pre): Set size of
dynamically-allocated buffer. Simulate copying the string from
the source region to the new buffer.
gcc/testsuite/ChangeLog:
PR analyzer/105899
* c-c++-common/analyzer/pr99193-2.c: Add
-Wno-analyzer-too-complex.
* gcc.dg/analyzer/strdup-1.c: Include "analyzer-decls.h".
(test_concrete_strlen): New.
(test_symbolic_strlen): New.
Signed-off-by: David Malcolm <dmalcolm@redhat.com>
|
|
|
|
First batch of moving tests from under gcc.dg/analyzer into
c-c++-common/analyzer.
C builtins are not recognized as such by C++; therefore
this patch no longer uses tree.h:fndecl_built_in_p to recognize
a builtin function, but rather the function names.
Thus functions named as C builtins - such as calloc, sprintf ... -
are recognized as such both in C and C++ sources by the analyzer.
For user-declared functions named after builtins, the latter's function_decl
tree is now preferred over the function_decl the user declared, even
when the FE considers their declaration to mismatch
(Wbuiltin-declaration-mismatch emitted). This mainly comes into account
in the handling of these function attributes: the analyzer uses
the builtin's attributes defined in gcc/builtins.def.
Signed-off-by: benjamin priour <priour.be@gmail.com>
gcc/analyzer/ChangeLog:
PR analyzer/96395
* analyzer.h (class known_function): Add virtual casts
to builtin_known_function.
(class builtin_known_function): New subclass of known_function
for builtins.
* kf.cc (class kf_alloca): Now derived from
builtin_known_function.
(class kf_calloc): Likewise.
(class kf_free): Likewise.
(class kf_malloc): Likewise.
(class kf_memcpy_memmove): Likewise.
(class kf_memset): Likewise.
(class kf_realloc): Likewise.
(class kf_strchr): Likewise.
(class kf_sprintf): Likewise.
(class kf_strcat): Likewise.
(class kf_strcpy): Likewise.
(class kf_strdup): Likewise.
(class kf_strlen): Likewise.
(class kf_strndup): Likewise.
(register_known_functions): Builtins are now registered as
known_functions by name rather than by their BUILTIN_CODE.
* known-function-manager.cc (get_normal_builtin): New overload.
* known-function-manager.h: New overload declaration.
* region-model.cc (region_model::get_builtin_kf): New function.
* region-model.h (class region_model): Add declaration of
get_builtin_kf.
* sm-fd.cc: For calls recognized as builtins, use the
attributes of that builtin as defined in gcc/builtins.def
rather than the user's.
* sm-malloc.cc (malloc_state_machine::on_stmt): Likewise.
gcc/testsuite/ChangeLog:
PR analyzer/96395
* gcc.dg/analyzer/aliasing-3.c: Moved to...
* c-c++-common/analyzer/aliasing-3.c: ...here.
* gcc.dg/analyzer/aliasing-pr106473.c: Moved to...
* c-c++-common/analyzer/aliasing-pr106473.c: ...here.
* gcc.dg/analyzer/asm-x86-dyndbg-2.c: Moved to...
* c-c++-common/analyzer/asm-x86-dyndbg-2.c: ...here.
* gcc.dg/analyzer/asm-x86-lp64-2.c: Moved to...
* c-c++-common/analyzer/asm-x86-lp64-2.c: ...here.
* gcc.dg/analyzer/atomic-builtins-haproxy-proxy.c: Moved to...
* c-c++-common/analyzer/atomic-builtins-haproxy-proxy.c: ...here.
* gcc.dg/analyzer/atomic-builtins-qemu-sockets.c: Moved to...
* c-c++-common/analyzer/atomic-builtins-qemu-sockets.c: ...here.
* gcc.dg/analyzer/attr-malloc-6.c: Moved to...
* c-c++-common/analyzer/attr-malloc-6.c: ...here.
* gcc.dg/analyzer/attr-malloc-CVE-2019-19078-usb-leak.c: Moved to...
* c-c++-common/analyzer/attr-malloc-CVE-2019-19078-usb-leak.c: ...here.
* gcc.dg/analyzer/attr-tainted_args-1.c: Moved to...
* c-c++-common/analyzer/attr-tainted_args-1.c: ...here.
* gcc.dg/analyzer/call-summaries-pr107158.c: Moved to...
* c-c++-common/analyzer/call-summaries-pr107158.c: ...here.
* gcc.dg/analyzer/calloc-1.c: Moved to...
* c-c++-common/analyzer/calloc-1.c: ...here.
* gcc.dg/analyzer/compound-assignment-5.c: Moved to...
* c-c++-common/analyzer/compound-assignment-5.c: ...here.
* gcc.dg/analyzer/coreutils-cksum-pr108664.c: Moved to...
* c-c++-common/analyzer/coreutils-cksum-pr108664.c: ...here.
* gcc.dg/analyzer/coreutils-sum-pr108666.c: Moved to...
* c-c++-common/analyzer/coreutils-sum-pr108666.c: ...here.
* gcc.dg/analyzer/deref-before-check-pr108455-1.c: Moved to...
* c-c++-common/analyzer/deref-before-check-pr108455-1.c: ...here.
* gcc.dg/analyzer/deref-before-check-pr108455-git-pack-revindex.c: Moved to...
* c-c++-common/analyzer/deref-before-check-pr108455-git-pack-revindex.c: ...here.
* gcc.dg/analyzer/deref-before-check-pr108475-1.c: Moved to...
* c-c++-common/analyzer/deref-before-check-pr108475-1.c: ...here.
* gcc.dg/analyzer/deref-before-check-pr108475-haproxy-tcpcheck.c: Moved to...
* c-c++-common/analyzer/deref-before-check-pr108475-haproxy-tcpcheck.c: ...here.
* gcc.dg/analyzer/deref-before-check-pr109060-haproxy-cfgparse.c: Moved to...
* c-c++-common/analyzer/deref-before-check-pr109060-haproxy-cfgparse.c: ...here.
* gcc.dg/analyzer/deref-before-check-pr109239-linux-bus.c: Moved to...
* c-c++-common/analyzer/deref-before-check-pr109239-linux-bus.c: ...here.
* gcc.dg/analyzer/deref-before-check-pr77425.c: Moved to...
* c-c++-common/analyzer/deref-before-check-pr77425.c: ...here.
* gcc.dg/analyzer/exec-1.c: Moved to...
* c-c++-common/analyzer/exec-1.c: ...here.
* gcc.dg/analyzer/feasibility-3.c: Moved to...
* c-c++-common/analyzer/feasibility-3.c: ...here.
* gcc.dg/analyzer/fields.c: Moved to...
* c-c++-common/analyzer/fields.c: ...here.
* gcc.dg/analyzer/function-ptr-5.c: Moved to...
* c-c++-common/analyzer/function-ptr-5.c: ...here.
* gcc.dg/analyzer/infinite-recursion-pr108524-1.c: Moved to...
* c-c++-common/analyzer/infinite-recursion-pr108524-1.c: ...here.
* gcc.dg/analyzer/infinite-recursion-pr108524-2.c: Moved to...
* c-c++-common/analyzer/infinite-recursion-pr108524-2.c: ...here.
* gcc.dg/analyzer/infinite-recursion-pr108524-qobject-json-parser.c: Moved to...
* c-c++-common/analyzer/infinite-recursion-pr108524-qobject-json-parser.c: ...here.
* gcc.dg/analyzer/init.c: Moved to...
* c-c++-common/analyzer/init.c: ...here.
* gcc.dg/analyzer/inlining-3-multiline.c: Moved to...
* c-c++-common/analyzer/inlining-3-multiline.c: ...here.
* gcc.dg/analyzer/inlining-3.c: Moved to...
* c-c++-common/analyzer/inlining-3.c: ...here.
* gcc.dg/analyzer/inlining-4-multiline.c: Moved to...
* c-c++-common/analyzer/inlining-4-multiline.c: ...here.
* gcc.dg/analyzer/inlining-4.c: Moved to...
* c-c++-common/analyzer/inlining-4.c: ...here.
* gcc.dg/analyzer/leak-pr105906.c: Moved to...
* c-c++-common/analyzer/leak-pr105906.c: ...here.
* gcc.dg/analyzer/leak-pr108045-with-call-summaries.c: Moved to...
* c-c++-common/analyzer/leak-pr108045-with-call-summaries.c: ...here.
* gcc.dg/analyzer/leak-pr108045-without-call-summaries.c: Moved to...
* c-c++-common/analyzer/leak-pr108045-without-call-summaries.c: ...here.
* gcc.dg/analyzer/leak-pr109059-1.c: Moved to...
* c-c++-common/analyzer/leak-pr109059-1.c: ...here.
* gcc.dg/analyzer/leak-pr109059-2.c: Moved to...
* c-c++-common/analyzer/leak-pr109059-2.c: ...here.
* gcc.dg/analyzer/malloc-2.c: Moved to...
* c-c++-common/analyzer/malloc-2.c: ...here.
* gcc.dg/analyzer/memcpy-2.c: Moved to...
* c-c++-common/analyzer/memcpy-2.c: ...here.
* gcc.dg/analyzer/null-deref-pr108251-smp_fetch_ssl_fc_has_early-O2.c: Moved to...
* c-c++-common/analyzer/null-deref-pr108251-smp_fetch_ssl_fc_has_early-O2.c: ...here.
* gcc.dg/analyzer/null-deref-pr108251-smp_fetch_ssl_fc_has_early.c: Moved to...
* c-c++-common/analyzer/null-deref-pr108251-smp_fetch_ssl_fc_has_early.c: ...here.
* gcc.dg/analyzer/null-deref-pr108806-qemu.c: Moved to...
* c-c++-common/analyzer/null-deref-pr108806-qemu.c: ...here.
* gcc.dg/analyzer/null-deref-pr108830.c: Moved to...
* c-c++-common/analyzer/null-deref-pr108830.c: ...here.
* gcc.dg/analyzer/pr101962.c: Moved to...
* c-c++-common/analyzer/pr101962.c: ...here.
* gcc.dg/analyzer/pr103217-2.c: Moved to...
* c-c++-common/analyzer/pr103217-2.c: ...here.
* gcc.dg/analyzer/pr103217.c: Moved to...
* c-c++-common/analyzer/pr103217.c: ...here.
* gcc.dg/analyzer/pr104029.c: Moved to...
* c-c++-common/analyzer/pr104029.c: ...here.
* gcc.dg/analyzer/pr104062.c: Moved to...
* c-c++-common/analyzer/pr104062.c: ...here.
* gcc.dg/analyzer/pr105783.c: Moved to...
* c-c++-common/analyzer/pr105783.c: ...here.
* gcc.dg/analyzer/pr107345.c: Moved to...
* c-c++-common/analyzer/pr107345.c: ...here.
* gcc.dg/analyzer/pr93695-1.c: Moved to...
* c-c++-common/analyzer/pr93695-1.c: ...here.
* gcc.dg/analyzer/pr94596.c: Moved to...
* c-c++-common/analyzer/pr94596.c: ...here.
* gcc.dg/analyzer/pr94839.c: Moved to...
* c-c++-common/analyzer/pr94839.c: ...here.
* gcc.dg/analyzer/pr95152-4.c: C only.
* gcc.dg/analyzer/pr95152-5.c: C only.
* gcc.dg/analyzer/pr95240.c: Moved to...
* c-c++-common/analyzer/pr95240.c: ...here.
* gcc.dg/analyzer/pr96639.c: Moved to...
* c-c++-common/analyzer/pr96639.c: ...here.
* gcc.dg/analyzer/pr96653.c: Moved to...
* c-c++-common/analyzer/pr96653.c: ...here.
* gcc.dg/analyzer/pr96792.c: Moved to...
* c-c++-common/analyzer/pr96792.c: ...here.
* gcc.dg/analyzer/pr96841.c: Moved to...
* c-c++-common/analyzer/pr96841.c: ...here.
* gcc.dg/analyzer/pr98564.c: Moved to...
* c-c++-common/analyzer/pr98564.c: ...here.
* gcc.dg/analyzer/pr98628.c: Moved to...
* c-c++-common/analyzer/pr98628.c: ...here.
* gcc.dg/analyzer/pr98969.c: Moved to...
* c-c++-common/analyzer/pr98969.c: ...here.
* gcc.dg/analyzer/pr99193-2.c: Moved to...
* c-c++-common/analyzer/pr99193-2.c: ...here.
* gcc.dg/analyzer/pr99193-3.c: Moved to...
* c-c++-common/analyzer/pr99193-3.c: ...here.
* gcc.dg/analyzer/pr99716-1.c: Moved to...
* c-c++-common/analyzer/pr99716-1.c: ...here.
* gcc.dg/analyzer/pr99774-1.c: Moved to...
* c-c++-common/analyzer/pr99774-1.c: ...here.
* gcc.dg/analyzer/realloc-1.c: Moved to...
* c-c++-common/analyzer/realloc-1.c: ...here.
* gcc.dg/analyzer/realloc-2.c: Moved to...
* c-c++-common/analyzer/realloc-2.c: ...here.
* gcc.dg/analyzer/realloc-3.c: Moved to...
* c-c++-common/analyzer/realloc-3.c: ...here.
* gcc.dg/analyzer/realloc-4.c: Moved to...
* c-c++-common/analyzer/realloc-4.c: ...here.
* gcc.dg/analyzer/realloc-5.c: Moved to...
* c-c++-common/analyzer/realloc-5.c: ...here.
* gcc.dg/analyzer/realloc-pr110014.c: Moved to...
* c-c++-common/analyzer/realloc-pr110014.c: ...here.
* gcc.dg/analyzer/snprintf-concat.c: Moved to...
* c-c++-common/analyzer/snprintf-concat.c: ...here.
* gcc.dg/analyzer/sock-1.c: Moved to...
* c-c++-common/analyzer/sock-1.c: ...here.
* gcc.dg/analyzer/sprintf-concat.c: Moved to...
* c-c++-common/analyzer/sprintf-concat.c: ...here.
* gcc.dg/analyzer/string-ops-concat-pair.c: Moved to...
* c-c++-common/analyzer/string-ops-concat-pair.c: ...here.
* gcc.dg/analyzer/string-ops-dup.c: Moved to...
* c-c++-common/analyzer/string-ops-dup.c: ...here.
* gcc.dg/analyzer/switch-enum-pr105273-git-vreportf-2.c: Moved to...
* c-c++-common/analyzer/switch-enum-pr105273-git-vreportf-2.c: ...here.
* gcc.dg/analyzer/symbolic-12.c: Moved to...
* c-c++-common/analyzer/symbolic-12.c: ...here.
* gcc.dg/analyzer/uninit-alloca.c: Moved to...
* c-c++-common/analyzer/uninit-alloca.c: ...here.
* gcc.dg/analyzer/untracked-2.c: Moved to...
* c-c++-common/analyzer/untracked-2.c: ...here.
* gcc.dg/analyzer/vasprintf-1.c: Moved to...
* c-c++-common/analyzer/vasprintf-1.c: ...here.
* gcc.dg/analyzer/write-to-const-1.c: Moved to...
* c-c++-common/analyzer/write-to-const-1.c: ...here.
* gcc.dg/analyzer/write-to-function-1.c: C only.
* gcc.dg/analyzer/write-to-string-literal-1.c: Moved to...
* c-c++-common/analyzer/write-to-string-literal-1.c: ...here.
* gcc.dg/analyzer/write-to-string-literal-4-disabled.c: Moved to...
* c-c++-common/analyzer/write-to-string-literal-4-disabled.c: ...here.
* gcc.dg/analyzer/write-to-string-literal-5.c: Moved to...
* c-c++-common/analyzer/write-to-string-literal-5.c: ...here.
* g++.dg/analyzer/analyzer.exp: Now also run tests under
c-c++-common/analyzer.
* gcc.dg/analyzer/analyzer-decls.h: Add NULL definition.
* gcc.dg/analyzer/analyzer.exp: Now also run tests under
c-c++-common/analyzer.
* gcc.dg/analyzer/pr104369-1.c: C only.
* gcc.dg/analyzer/pr104369-2.c: Likewise.
* gcc.dg/analyzer/pr93355-localealias-feasibility-2.c: Likewise.
* gcc.dg/analyzer/sprintf-1.c: Split into C-only and
C++-friendly bits.
* gcc.dg/analyzer/allocation-size-multiline-1.c: Removed.
* gcc.dg/analyzer/allocation-size-multiline-2.c: Removed.
* gcc.dg/analyzer/allocation-size-multiline-3.c: Removed.
* gcc.dg/analyzer/data-model-11.c: Removed.
* gcc.dg/analyzer/pr61861.c: C only.
* gcc.dg/analyzer/pr93457.c: Removed.
* gcc.dg/analyzer/pr97568.c: Removed.
* gcc.dg/analyzer/write-to-string-literal-4.c: Removed.
* c-c++-common/analyzer/allocation-size-multiline-1.c: New test.
* c-c++-common/analyzer/allocation-size-multiline-2.c: New test.
* c-c++-common/analyzer/allocation-size-multiline-3.c: New test.
* c-c++-common/analyzer/data-model-11.c: New test.
* c-c++-common/analyzer/pr93457.c: New test.
* c-c++-common/analyzer/pr97568.c: New test.
* c-c++-common/analyzer/sprintf-2.c: C++-friendly bit of
previous gcc.dg/analyzer/sprintf-1.c.
* c-c++-common/analyzer/write-to-string-literal-4.c: New test.
|
|
|
|
gcc/analyzer/ChangeLog:
* access-diagram.cc (class string_region_spatial_item): Remove
assumption that the string is written to the start of the cluster.
gcc/testsuite/ChangeLog:
* gcc.dg/analyzer/out-of-bounds-diagram-17.c: New test.
* gcc.dg/analyzer/out-of-bounds-diagram-18.c: New test.
* gcc.dg/analyzer/out-of-bounds-diagram-19.c: New test.
Signed-off-by: David Malcolm <dmalcolm@redhat.com>
|
|
|
|
gcc/analyzer/ChangeLog:
PR analyzer/105899
* call-details.cc
(call_details::check_for_null_terminated_string_arg): Split into
overloads, one taking just an arg_idx, the other a new
"include_terminator" param.
* call-details.h: Likewise.
* kf.cc (class kf_strcat): New.
(kf_strcpy::impl_call_pre): Update for change to
check_for_null_terminated_string_arg.
(register_known_functions): Register kf_strcat.
* region-model.cc
(region_model::check_for_null_terminated_string_arg): Split into
overloads, one taking just an arg_idx, the other a new
"include_terminator" param. When returning an svalue, handle
"include_terminator" being false by subtracting one.
* region-model.h
(region_model::check_for_null_terminated_string_arg): Split into
overloads, one taking just an arg_idx, the other a new
"include_terminator" param.
gcc/ChangeLog:
PR analyzer/105899
* doc/invoke.texi (Static Analyzer Options): Add "strcat" to the
list of functions known to the analyzer.
gcc/testsuite/ChangeLog:
PR analyzer/105899
* gcc.dg/analyzer/strcat-1.c: New test.
Signed-off-by: David Malcolm <dmalcolm@redhat.com>
|
|
gcc/analyzer/ChangeLog:
PR analyzer/105899
* region-model.cc (fragment::has_null_terminator): Handle
SK_BITS_WITHIN.
Signed-off-by: David Malcolm <dmalcolm@redhat.com>
|
|
gcc/analyzer/ChangeLog:
PR analyzer/105899
* region-model-manager.cc
(region_model_manager::get_or_create_initial_value): Simplify
INIT_VAL(ELEMENT_REG(STRING_REG), CONSTANT_SVAL) to
CONSTANT_SVAL(STRING[N]).
Signed-off-by: David Malcolm <dmalcolm@redhat.com>
|
|
gcc/analyzer/ChangeLog:
PR analyzer/105899
* region-model.cc (fragment::has_null_terminator): Move STRING_CST
handling to fragment::string_cst_has_null_terminator; also use it to
handle INIT_VAL(STRING_REG).
(fragment::string_cst_has_null_terminator): New, from above.
gcc/testsuite/ChangeLog:
PR analyzer/105899
* gcc.dg/analyzer/strcpy-3.c (test_2): New.
Signed-off-by: David Malcolm <dmalcolm@redhat.com>
|
|
gcc/analyzer/ChangeLog:
* kf.cc (kf_memcpy_memmove::impl_call_pre): Reimplement using
region_model::copy_bytes.
* region-model.cc (region_model::read_bytes): New.
(region_model::copy_bytes): New.
* region-model.h (region_model::read_bytes): New decl.
(region_model::copy_bytes): New decl.
Signed-off-by: David Malcolm <dmalcolm@redhat.com>
|
|
gcc/analyzer/ChangeLog:
PR analyzer/105899
* region-model.cc (region_model::get_string_size): Delete both.
* region-model.h (region_model::get_string_size): Delete both
decls.
Signed-off-by: David Malcolm <dmalcolm@redhat.com>
|
|
This patch reimplements the analyzer's implementation of strcpy using
the region_model::scan_for_null_terminator infrastructure, so that e.g.
it can complain about out-of-bounds reads/writes, unterminated strings,
etc.
gcc/analyzer/ChangeLog:
PR analyzer/105899
* kf.cc (kf_strcpy::impl_call_pre): Reimplement using
check_for_null_terminated_string_arg.
* region-model.cc (region_model::get_store_bytes): Shortcut
reading all of a string_region.
(region_model::scan_for_null_terminator): Use get_store_value for
the bytes rather than "unknown" when returning an unknown length.
(region_model::write_bytes): New.
* region-model.h (region_model::write_bytes): New decl.
gcc/testsuite/ChangeLog:
PR analyzer/105899
* gcc.dg/analyzer/out-of-bounds-diagram-16.c: New test.
* gcc.dg/analyzer/strcpy-1.c: Add test coverage.
* gcc.dg/analyzer/strcpy-3.c: Likewise.
* gcc.dg/analyzer/strcpy-4.c: New test.
Signed-off-by: David Malcolm <dmalcolm@redhat.com>
|
|
gcc/analyzer/ChangeLog:
PR analyzer/105899
* region-model.cc (iterable_cluster::iterable_cluster): Add
symbolic binding keys to m_symbolic_bindings.
(iterable_cluster::has_symbolic_bindings_p): New.
(iterable_cluster::m_symbolic_bindings): New field.
(region_model::scan_for_null_terminator): Treat clusters with
symbolic bindings as having unknown strlen.
gcc/testsuite/ChangeLog:
PR analyzer/105899
* gcc.dg/analyzer/sprintf-1.c: Include "analyzer-decls.h".
(test_strlen_1): New.
Signed-off-by: David Malcolm <dmalcolm@redhat.com>
|
|
gcc/analyzer/ChangeLog:
* engine.cc (impl_path_context::impl_path_context): Add logger
param.
(impl_path_context::bifurcate): Add log message.
(impl_path_context::terminate_path): Likewise.
(impl_path_context::m_logger): New field.
(exploded_graph::process_node): Pass logger to path_ctxt ctor.
Signed-off-by: David Malcolm <dmalcolm@redhat.com>
|
|
|
|
Reimplement kf_strlen in terms of the new string scanning
implementation, sharing strlen's implementation with
__analyzer_get_strlen.
gcc/analyzer/ChangeLog:
PR analyzer/105899
* kf-analyzer.cc (class kf_analyzer_get_strlen): Move to kf.cc.
(register_known_analyzer_functions): Use make_kf_strlen.
* kf.cc (class kf_strlen::impl_call_pre): Replace with
implementation of kf_analyzer_get_strlen from kf-analyzer.cc.
Handle "UNKNOWN" return from check_for_null_terminated_string_arg
by falling back to a conjured svalue.
(make_kf_strlen): New.
(register_known_functions): Use make_kf_strlen.
* known-function-manager.h (make_kf_strlen): New decl.
gcc/testsuite/ChangeLog:
PR analyzer/105899
* gcc.dg/analyzer/null-terminated-strings-1.c: Update expected
results on symbolic values.
* gcc.dg/analyzer/strlen-1.c: New test.
Signed-off-by: David Malcolm <dmalcolm@redhat.com>
|
|
This patch extends -fanalyzer to check the format strings of calls
to functions marked with '__attribute__ ((format...))'.
The only checking done in this patch is to check that the format string
is a valid null-terminated string; this patch doesn't attempt to check
the content of the format string.
gcc/analyzer/ChangeLog:
PR analyzer/105899
* call-details.cc (call_details::call_details): New ctor.
* call-details.h (call_details::call_details): New ctor decl.
(struct call_arg_details): Move here from region-model.cc.
* region-model.cc (region_model::check_call_format_attr): New.
(region_model::check_call_args): Call it.
(struct call_arg_details): Move it to call-details.h.
* region-model.h (region_model::check_call_format_attr): New decl.
gcc/testsuite/ChangeLog:
PR analyzer/105899
* gcc.dg/analyzer/attr-format-1.c: New test.
* gcc.dg/analyzer/sprintf-1.c: Update expected results for
now-passing tests.
Signed-off-by: David Malcolm <dmalcolm@redhat.com>
|
|
Add checking to -fanalyzer that both params of calls to "fopen" are
valid null-terminated strings.
gcc/analyzer/ChangeLog:
* kf.cc (class kf_fopen): New.
(register_known_functions): Register it.
gcc/testsuite/ChangeLog:
* gcc.dg/analyzer/fopen-1.c: New test.
Signed-off-by: David Malcolm <dmalcolm@redhat.com>
|
|
scan_for_null_terminator [PR105899]
In r14-3169-g325f9e88802daa I added check_for_null_terminated_string_arg
to -fanalyzer, calling it in various places, with a sole check for
unterminated string constants, adding -Wanalyzer-unterminated-string for
this case.
This patch adds region_model::scan_for_null_terminator, which simulates
scanning memory for a zero byte, complaining about uninitialized bytes
and out-of-range accesses seen before any zero byte is seen.
This more flexible approach catches the issues we saw before with
-Wanalyzer-unterminated-string, and also catches uninitialized runs
of bytes, and I believe will be a better way to build checking of C
string operations in the analyzer.
Given that the patch makes -Wanalyzer-unterminated-string redundant
and that this option was only in trunk for 10 days and has no known
users, the patch simply removes the option without a compatibility
fallback.
The patch uses custom events and notes to provide context on where
the issues are coming from. For example, given:
null-terminated-strings-1.c: In function ‘test_partially_initialized’:
null-terminated-strings-1.c:71:3: warning: use of uninitialized value ‘buf[1]’ [CWE-457] [-Wanalyzer-use-of-uninitialized-value]
71 | __analyzer_get_strlen (buf);
| ^~~~~~~~~~~~~~~~~~~~~~~~~~~
‘test_partially_initialized’: events 1-3
|
| 69 | char buf[16];
| | ^~~
| | |
| | (1) region created on stack here
| 70 | buf[0] = 'a';
| 71 | __analyzer_get_strlen (buf);
| | ~~~~~~~~~~~~~~~~~~~~~~~~~~~
| | |
| | (2) while looking for null terminator for argument 1 (‘&buf’) of ‘__analyzer_get_strlen’...
| | (3) use of uninitialized value ‘buf[1]’ here
|
analyzer-decls.h:59:22: note: argument 1 of ‘__analyzer_get_strlen’ must be a pointer to a null-terminated string
59 | extern __SIZE_TYPE__ __analyzer_get_strlen (const char *ptr);
| ^~~~~~~~~~~~~~~~~~~~~
gcc/analyzer/ChangeLog:
PR analyzer/105899
* analyzer.opt (Wanalyzer-unterminated-string): Delete.
* call-details.cc
(call_details::check_for_null_terminated_string_arg): Convert
return type from void to const svalue *. Add param "out_sval".
* call-details.h
(call_details::check_for_null_terminated_string_arg): Likewise.
* kf-analyzer.cc (kf_analyzer_get_strlen::impl_call_pre): Wire up
to result of check_for_null_terminated_string_arg.
* region-model.cc (get_strlen): Delete.
(class unterminated_string_arg): Delete.
(struct fragment): New.
(class iterable_cluster): New.
(region_model::get_store_bytes): New.
(get_tree_for_byte_offset): New.
(region_model::scan_for_null_terminator): New.
(region_model::check_for_null_terminated_string_arg): Convert
return type from void to const svalue *. Add param "out_sval".
Reimplement in terms of scan_for_null_terminator, dropping the
special-case for -Wanalyzer-unterminated-string.
* region-model.h (region_model::get_store_bytes): New decl.
(region_model::scan_for_null_terminator): New decl.
(region_model::check_for_null_terminated_string_arg): Convert
return type from void to const svalue *. Add param "out_sval".
* store.cc (concrete_binding::get_byte_range): New.
* store.h (concrete_binding::get_byte_range): New decl.
(store_manager::get_concrete_binding): New overload.
gcc/ChangeLog:
PR analyzer/105899
* doc/invoke.texi: Remove -Wanalyzer-unterminated-string.
gcc/testsuite/ChangeLog:
PR analyzer/105899
* gcc.dg/analyzer/error-1.c: Update expected results to reflect
reimplementation of unterminated string detection. Add test
coverage for uninitialized buffers.
* gcc.dg/analyzer/null-terminated-strings-1.c: Likewise.
* gcc.dg/analyzer/putenv-1.c: Likewise.
* gcc.dg/analyzer/strchr-1.c: Likewise.
* gcc.dg/analyzer/strcpy-1.c: Likewise.
* gcc.dg/analyzer/strdup-1.c: Likewise.
Signed-off-by: David Malcolm <dmalcolm@redhat.com>
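The scan described in this commit, as an added example (written for this page, not GCC's region-model.cc; `Region`, `ScanResult` and the sample constructors are invented), which also covers the strcat, strcpy, strdup, strlen, format-attribute and fopen commits above since all of them apply the same precondition to their string arguments: walk the region from the argument's offset, report the first byte never written before any zero is found (the `buf[1]` case in the diagnostic above), and report running off the end of the region without a zero as an out-of-bounds read.

```cpp
#include <cstddef>
#include <vector>

// The three outcomes the scan distinguishes, in the order they are checked.
enum class ScanStatus { Terminated, UninitializedByte, NoTerminatorInBounds };

struct ScanResult {
    ScanStatus status;
    std::size_t index;   // string length on success, else the offending offset
};

// Model of a region as the analyzer's store sees it: bytes plus a per-byte
// flag recording whether anything was ever written there, so that reading
// buf[1] after only buf[0] = 'a' is distinguishable from reading a zero.
struct Region {
    std::vector<unsigned char> bytes;
    std::vector<bool> written;
    explicit Region(std::size_t n) : bytes(n, 0), written(n, false) {}
    void store(std::size_t i, unsigned char v) {
        bytes.at(i) = v;          // .at() throws rather than writing past the end
        written.at(i) = true;
    }
    // Writes s including its terminator, as strcpy would.
    void store_cstr(std::size_t at, const char* s) {
        std::size_t i = 0;
        do {
            store(at + i, static_cast<unsigned char>(s[i]));
        } while (s[i++] != '\0');
    }
};

// Simulates scanning from `start` for a zero byte.  An unwritten byte seen
// before any zero is reported as uninitialized; running off the end of the
// region without a zero means strlen/strcpy/strcat would read out of bounds.
ScanResult scan_for_null_terminator(const Region& r, std::size_t start) {
    for (std::size_t i = start; i < r.bytes.size(); ++i) {
        if (!r.written[i])
            return {ScanStatus::UninitializedByte, i};
        if (r.bytes[i] == 0)
            return {ScanStatus::Terminated, i - start};
    }
    return {ScanStatus::NoTerminatorInBounds, r.bytes.size()};
}

// The precondition a string-consuming call (strlen, strcpy, strcat, strdup,
// a format string, fopen's arguments) imposes on its argument.
bool is_valid_c_string(const Region& r, std::size_t start) {
    return scan_for_null_terminator(r, start).status == ScanStatus::Terminated;
}

// Constructed regions matching the cases in the diagnostic above.
Region sample_terminated() {            // char buf[16]; strcpy(buf, "hello");
    Region r(16);
    r.store_cstr(0, "hello");
    return r;
}
Region sample_partially_initialized() { // char buf[16]; buf[0] = 'a';
    Region r(16);
    r.store(0, 'a');
    return r;
}
Region sample_unterminated() {          // char buf[4] = {'a','b','c','d'};
    Region r(4);
    for (std::size_t i = 0; i < 4; ++i)
        r.store(i, static_cast<unsigned char>('a' + i));
    return r;
}
```

Scanning from a non-zero offset (`start` of 2 in the terminated sample) returns the remaining length, which is what a call such as `strlen(buf + 2)` needs; the uninitialized case is reported before the out-of-bounds one because the analyzer stops at the first byte it cannot account for.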
|
|
gcc/analyzer/ChangeLog:
* region-model.cc (region_model_context_decorator::add_event):
Handle m_inner being NULL.
* region-model.h (class region_model_context_decorator): Likewise.
(annotating_context::warn): Likewise.
Signed-off-by: David Malcolm <dmalcolm@redhat.com>
|
|
gcc/analyzer/ChangeLog:
* diagnostic-manager.cc (saved_diagnostic::add_event): New.
(saved_diagnostic::add_any_saved_events): New.
(diagnostic_manager::add_event): New.
(dedupe_winners::emit_best): New.
(diagnostic_manager::emit_saved_diagnostic): Make "sd" param
non-const. Call saved_diagnostic::add_any_saved_events.
* diagnostic-manager.h (saved_diagnostic::add_event): New decl.
(saved_diagnostic::add_any_saved_events): New decl.
(saved_diagnostic::m_saved_events): New field.
(diagnostic_manager::add_event): New decl.
(diagnostic_manager::emit_saved_diagnostic): Make "sd" param
non-const.
* engine.cc (impl_region_model_context::add_event): New.
* exploded-graph.h (impl_region_model_context::add_event): New decl.
* region-model.cc
(noop_region_model_context::add_event): New.
(region_model_context_decorator::add_event): New.
* region-model.h (region_model_context::add_event): New vfunc.
(noop_region_model_context::add_event): New decl.
(region_model_context_decorator::add_event): New decl.
Signed-off-by: David Malcolm <dmalcolm@redhat.com>
|
|
This is enabling work towards the context being able to inject
events into diagnostic paths, rather than just notes after the
warning.
gcc/analyzer/ChangeLog:
* region-model.cc
(class check_external_function_for_access_attr::annotating_ctxt):
Convert to an annotating_context.
* region-model.h (class note_adding_context): Rename to...
(class annotating_context): ...this, updating the "warn" method.
(note_adding_context::make_note): Replace with...
(annotating_context::add_annotations): ...this.
Signed-off-by: David Malcolm <dmalcolm@redhat.com>
|
|
|
|
This patch introduces -fanalyzer-show-events-in-system-headers,
disabled by default.
This option reduces the noise of the analyzer-emitted diagnostics
when dealing with system headers.
The new option only affects the display of the diagnostics,
but doesn't hinder the actual analysis.
Given a diagnostic path diving into a system header in the form
[
prefix events...,
system header call,
system header entry,
events within system headers...,
system header return,
suffix events...
]
then disabling the option (either by default or explicitly)
will shorten the path into:
[
prefix events...,
system header call,
system header return,
suffix events...
]
Signed-off-by: benjamin priour <priour.be@gmail.com>
gcc/analyzer/ChangeLog:
PR analyzer/110543
* analyzer.opt: Add new option.
* diagnostic-manager.cc
(diagnostic_manager::prune_path): Call prune_system_headers.
(prune_frame): New function that deletes all events in a frame.
(diagnostic_manager::prune_system_headers): New function.
* diagnostic-manager.h: Add prune_system_headers declaration.
gcc/ChangeLog:
PR analyzer/110543
* doc/invoke.texi: Add documentation of
fanalyzer-show-events-in-system-headers.
gcc/testsuite/ChangeLog:
PR analyzer/110543
* g++.dg/analyzer/fanalyzer-show-events-in-system-headers-default.C:
New test.
* g++.dg/analyzer/fanalyzer-show-events-in-system-headers-no.C:
New test.
* g++.dg/analyzer/fanalyzer-show-events-in-system-headers.C:
New test.
|
|
|
|
This patch adds new functions to the analyzer for checking that
an argument at a callsite is a pointer to a valid null-terminated
string, and uses this for the following known functions:
- error (param 3, the format string)
- error_at_line (param 5, the format string)
- putenv
- strchr (1st param)
- strcpy (2nd param)
- strdup
Currently the check merely detects pointers to unterminated string
constants, and adds a new -Wanalyzer-unterminated-string to complain
about that. I'm experimenting with detecting other ways in which
a buffer can fail to be null-terminated, and for other problems with
such buffers, but this patch at least adds the framework for wiring
up the check to specific parameters of known_functions.
gcc/analyzer/ChangeLog:
PR analyzer/105899
* analyzer.opt (Wanalyzer-unterminated-string): New.
* call-details.cc
(call_details::check_for_null_terminated_string_arg): New.
* call-details.h
(call_details::check_for_null_terminated_string_arg): New decl.
* kf-analyzer.cc (class kf_analyzer_get_strlen): New.
(register_known_analyzer_functions): Register it.
* kf.cc (kf_error::impl_call_pre): Check that format arg is a
valid null-terminated string.
(kf_putenv::impl_call_pre): Likewise for the sole param.
(kf_strchr::impl_call_pre): Likewise for the first param.
(kf_strcpy::impl_call_pre): Likewise for the second param.
(kf_strdup::impl_call_pre): Likewise for the sole param.
* region-model.cc (get_strlen): New.
(struct call_arg_details): New.
(inform_about_expected_null_terminated_string_arg): New.
(class unterminated_string_arg): New.
(region_model::check_for_null_terminated_string_arg): New.
* region-model.h
(region_model::check_for_null_terminated_string_arg): New decl.
gcc/ChangeLog:
PR analyzer/105899
* doc/analyzer.texi (__analyzer_get_strlen): New.
* doc/invoke.texi: Add -Wanalyzer-unterminated-string.
gcc/testsuite/ChangeLog:
PR analyzer/105899
* gcc.dg/analyzer/analyzer-decls.h (__analyzer_get_strlen): New.
* gcc.dg/analyzer/error-1.c (test_error_unterminated): New.
(test_error_at_line_unterminated): New.
* gcc.dg/analyzer/null-terminated-strings-1.c: New test.
* gcc.dg/analyzer/putenv-1.c (test_unterminated): New.
* gcc.dg/analyzer/strchr-1.c (test_unterminated): New.
* gcc.dg/analyzer/strcpy-1.c (test_unterminated): New.
* gcc.dg/analyzer/strdup-1.c (test_unterminated): New.
Signed-off-by: David Malcolm <dmalcolm@redhat.com>
|
|
This patch adds known function subclasses for Python/C API functions
PyList_New, PyLong_FromLong, and PyList_Append. It also adds new
optional parameters for
region_model::get_or_create_region_for_heap_alloc, allowing for the
newly allocated region to immediately transition from the start state to
the assumed non-null state in the malloc state machine if desired.
Finally, it adds a new procedure, dg-require-python-h, intended as a
directive in Python-related analyzer tests, to append necessary Python
flags during the tests' build process.
The main warnings we gain in this patch with respect to the known function
subclasses mentioned are leak related. For example:
rc3.c: In function ‘create_py_object’:
rc3.c:21:10: warning: leak of ‘item’ [CWE-401] [-Wanalyzer-malloc-leak]
   21 |   return list;
      |          ^~~~
  ‘create_py_object’: events 1-4
    |
    |    4 |   PyObject* item = PyLong_FromLong(10);
    |      |                    ^~~~~~~~~~~~~~~~~~~
    |      |                    |
    |      |                    (1) allocated here
    |      |                    (2) when ‘PyLong_FromLong’ succeeds
    |    5 |   PyObject* list = PyList_New(2);
    |      |                    ~~~~~~~~~~~~~
    |      |                    |
    |      |                    (3) when ‘PyList_New’ fails
    |......
    |   21 |   return list;
    |      |          ~~~~
    |      |          |
    |      |          (4) ‘item’ leaks here; was allocated at (1)
Some concessions were made to
simplify the analysis process when comparing kf_PyList_Append with the
real implementation. In particular, PyList_Append performs some
optimization internally to try and avoid calls to realloc if
possible. For simplicity, we assume that realloc is called every time.
Also, we grow the size by just 1 (to ensure enough space for adding a
new element) rather than abide by the heuristics that the actual implementation
follows.
gcc/analyzer/ChangeLog:
PR analyzer/107646
* call-details.h: New function.
* region-model.cc (region_model::get_or_create_region_for_heap_alloc):
New optional parameters.
* region-model.h (class region_model): New optional parameters.
* sm-malloc.cc (on_realloc_with_move): New function.
(region_model::transition_ptr_sval_non_null): New function.
gcc/testsuite/ChangeLog:
PR analyzer/107646
* gcc.dg/plugin/analyzer_cpython_plugin.c: Analyzer support for
PyList_New, PyList_Append, PyLong_FromLong.
* gcc.dg/plugin/plugin.exp: New test.
* lib/target-supports.exp: New procedure.
* gcc.dg/plugin/cpython-plugin-test-2.c: New test.
Signed-off-by: Eric Feng <ef2648@columbia.edu>
|
|
|
|
Previously, the code for simulating calls to external functions in
region_model::on_call_pre wrote a default svalue to the LHS of the
call statement, which could be further overwritten by known_function
subclasses.
Unfortunately, this led to messy hacks, such as when the default svalue
was an allocation: the LHS would be written to with two different
heap-allocated regions, requiring special-case cleanups to avoid the
stray state from the first heap allocation leading to state explosions;
see r14-3001-g021077b94741c9.
The following patch eliminates this write of a default svalue to the LHS
of the callsite. Instead, all known_function implementations that have a
return value are now responsible for setting the LHS themselves. A new
call_details::set_any_lhs_with_defaults function is provided to make it
easy to get the old behavior.
On working through the various known_function subclasses, I noticed that
memset was using the default behavior. This patch updates this so that
it's now known to return its first parameter.
Cleaning this up eliminates various doubling of saved_diagnostics (e.g.
for dubious_allocation_size) where it was generating a diagnostic for
both writes to the LHS, deduplicating them to the first diagnostic (with
the default LHS), and then failing to create a region_creation_event
when emitting the diagnostic, leading to the fallback wording in
dubious_allocation_size::describe_final_event, such as:
(1) allocated 42 bytes and assigned to ‘int32_t *’ {aka ‘int *’} here; ‘sizeof (int32_t {aka int})’ is ‘4’
Without the double write to the LHS, it creates a region_creation_event,
so we get the allocation and the assignment as two separate events in
the diagnostic path, e.g.:
(1) allocated 42 bytes here
(2) assigned to ‘int32_t *’ {aka ‘int *’} here; ‘sizeof (int32_t {aka int})’ is ‘4’
gcc/analyzer/ChangeLog:
* analyzer.h (class pure_known_function_with_default_return): New
subclass.
* call-details.cc (const_fn_p): Move here from region-model.cc.
(maybe_get_const_fn_result): Likewise.
(get_result_size_in_bytes): Likewise.
(call_details::set_any_lhs_with_defaults): New function, based on
code in region_model::on_call_pre.
* call-details.h (call_details::set_any_lhs_with_defaults): New
decl.
* diagnostic-manager.cc
(diagnostic_manager::emit_saved_diagnostic): Log the index of the
saved_diagnostic.
* kf.cc (pure_known_function_with_default_return::impl_call_pre):
New.
(kf_memset::impl_call_pre): Set the LHS to the first param.
(kf_putenv::impl_call_pre): Call cd.set_any_lhs_with_defaults.
(kf_sprintf::impl_call_pre): Call cd.set_any_lhs_with_defaults.
(class kf_stack_restore): Derive from
pure_known_function_with_default_return.
(class kf_stack_save): Likewise.
(kf_strlen::impl_call_pre): Call cd.set_any_lhs_with_defaults.
* region-model-reachability.cc (reachable_regions::handle_sval):
Remove logic for symbolic regions for pointers.
* region-model.cc (region_model::canonicalize): Remove purging of
dynamic extents workaround for surplus values from
region_model::on_call_pre's default LHS code.
(const_fn_p): Move to call-details.cc.
(maybe_get_const_fn_result): Likewise.
(get_result_size_in_bytes): Likewise.
(region_model::update_for_nonzero_return): Call
cd.set_any_lhs_with_defaults.
(region_model::on_call_pre): Remove the assignment to the LHS of a
default return value, instead requiring all known_function
implementations to write to any LHS of the call. Use
cd.set_any_lhs_with_defaults on the non-kf paths.
* sm-fd.cc (kf_socket::outcome_of_socket::update_model): Use
cd.set_any_lhs_with_defaults when failing to get at fd state.
(kf_bind::outcome_of_bind::update_model): Likewise.
(kf_listen::outcome_of_listen::update_model): Likewise.
(kf_accept::outcome_of_accept::update_model): Likewise.
(kf_connect::outcome_of_connect::update_model): Likewise.
(kf_read::impl_call_pre): Use cd.set_any_lhs_with_defaults.
* sm-file.cc (class kf_stdio_output_fn): Derive from
pure_known_function_with_default_return.
(class kf_ferror): Likewise.
(class kf_fileno): Likewise.
(kf_fgets::impl_call_pre): Use cd.set_any_lhs_with_defaults.
(kf_read::impl_call_pre): Likewise.
(class kf_getc): Derive from
pure_known_function_with_default_return.
(class kf_getchar): Likewise.
* varargs.cc (kf_va_arg::impl_call_pre): Use
cd.set_any_lhs_with_defaults.
gcc/testsuite/ChangeLog:
* gcc.dg/analyzer/allocation-size-1.c: Update expected results
to reflect splitting of allocation size and assignment messages
from a single event into pairs of events.
* gcc.dg/analyzer/allocation-size-2.c: Likewise.
* gcc.dg/analyzer/allocation-size-3.c: Likewise.
* gcc.dg/analyzer/allocation-size-4.c: Likewise.
* gcc.dg/analyzer/allocation-size-multiline-1.c: Likewise.
* gcc.dg/analyzer/allocation-size-multiline-2.c: Likewise.
* gcc.dg/analyzer/allocation-size-multiline-3.c: Likewise.
* gcc.dg/analyzer/memset-1.c (test_1): Verify that the return
value is the initial argument.
* gcc.dg/plugin/analyzer_kernel_plugin.c
(copy_across_boundary_fn::impl_call_pre): Ensure the LHS is set on
the "known zero size" case.
* gcc.dg/plugin/analyzer_known_fns_plugin.c
(known_function_attempt_to_copy::impl_call_pre): Likewise.
Signed-off-by: David Malcolm <dmalcolm@redhat.com>
|
|
|
|
This patch makes -fanalyzer make use of the function attribute
"alloc_size", allowing -fanalyzer to emit -Wanalyzer-allocation-size,
-Wanalyzer-out-of-bounds, and -Wanalyzer-tainted-allocation-size on
execution paths involving allocations using such functions.
gcc/analyzer/ChangeLog:
PR analyzer/110426
* bounds-checking.cc (region_model::check_region_bounds): Handle
symbolic base regions.
* call-details.cc: Include "stringpool.h" and "attribs.h".
(call_details::lookup_function_attribute): New function.
* call-details.h (call_details::lookup_function_attribute): New
function decl.
* region-model-manager.cc
(region_model_manager::maybe_fold_binop): Add reference to
PR analyzer/110902.
* region-model-reachability.cc (reachable_regions::handle_sval):
Add symbolic regions for pointers that are conjured svalues for
the LHS of a stmt.
* region-model.cc (region_model::canonicalize): Purge dynamic
extents for regions that aren't referenced.
(get_result_size_in_bytes): New function.
(region_model::on_call_pre): Use get_result_size_in_bytes and
potentially set the dynamic extents of the region pointed to by
the return value.
(region_model::deref_rvalue): Add param "add_nonnull_constraint"
and use it to conditionalize adding the constraint.
(pending_diagnostic_subclass::dubious_allocation_size): Add "stmt"
param to both ctors and use it to initialize new "m_stmt" field.
(pending_diagnostic_subclass::operator==): Use m_stmt; don't use
m_lhs or m_rhs.
(pending_diagnostic_subclass::m_stmt): New field.
(region_model::check_region_size): Generalize to any kind of
pointer svalue by using deref_rvalue rather than checking for
region_svalue. Pass stmt to dubious_allocation_size ctor.
* region-model.h (region_model::deref_rvalue): Add param
"add_nonnull_constraint".
* svalue.cc (conjured_svalue::lhs_value_p): New function.
* svalue.h (conjured_svalue::lhs_value_p): New decl.
gcc/testsuite/ChangeLog:
PR analyzer/110426
* gcc.dg/analyzer/allocation-size-1.c: Update expected message to
reflect consolidation of size and assignment into a single event.
* gcc.dg/analyzer/allocation-size-2.c: Likewise.
* gcc.dg/analyzer/allocation-size-3.c: Likewise.
* gcc.dg/analyzer/allocation-size-4.c: Likewise.
* gcc.dg/analyzer/allocation-size-multiline-1.c: Likewise.
* gcc.dg/analyzer/allocation-size-multiline-2.c: Likewise.
* gcc.dg/analyzer/allocation-size-multiline-3.c: Likewise.
* gcc.dg/analyzer/attr-alloc_size-1.c: New test.
* gcc.dg/analyzer/attr-alloc_size-2.c: New test.
* gcc.dg/analyzer/attr-alloc_size-3.c: New test.
* gcc.dg/analyzer/explode-4.c: New test.
* gcc.dg/analyzer/taint-size-1.c: Add test coverage for
__attribute__ alloc_size.
Signed-off-by: David Malcolm <dmalcolm@redhat.com>
|
|
gcc/analyzer/ChangeLog:
* svalue.cc (region_svalue::dump_to_pp): Support NULL type.
(constant_svalue::dump_to_pp): Likewise.
(initial_svalue::dump_to_pp): Likewise.
(conjured_svalue::dump_to_pp): Likewise. Fix missing print of the
type.
Signed-off-by: David Malcolm <dmalcolm@redhat.com>
|
|
|
|
gcc/analyzer/ChangeLog:
PR analyzer/110882
* region.cc (int_size_in_bits): Fail on zero-sized types.
gcc/testsuite/ChangeLog:
PR analyzer/110882
* gcc.dg/analyzer/pr110882.c: New test.
Signed-off-by: David Malcolm <dmalcolm@redhat.com>
|
|
|
|
This patch adds a hook to the end of ana::on_finish_translation_unit
which calls relevant stashing-related callbacks registered during plugin
initialization. This feature is used to stash named types and global
variables for a CPython analyzer plugin [PR107646].
gcc/analyzer/ChangeLog:
PR analyzer/107646
* analyzer-language.cc (run_callbacks): New function.
(on_finish_translation_unit): New function.
* analyzer-language.h (GCC_ANALYZER_LANGUAGE_H): New include.
(class translation_unit): New vfuncs.
gcc/c/ChangeLog:
PR analyzer/107646
* c-parser.cc: New functions on stashing values for the
analyzer.
gcc/testsuite/ChangeLog:
PR analyzer/107646
* gcc.dg/plugin/plugin.exp: Add new plugin and test.
* gcc.dg/plugin/analyzer_cpython_plugin.c: New plugin.
* gcc.dg/plugin/cpython-plugin-test-1.c: New test.
Signed-off-by: Eric Feng <ef2648@columbia.edu>
|
|
|
|
This patch introduces a "symbol" base class that region and svalue
both inherit from, generalizing the ID from the region class so it's
also used by svalues. This gives a way of sorting regions and svalues
into creation order, which I've found useful in my experiments with
adding SMT support (PR analyzer/104940).
gcc/ChangeLog:
PR analyzer/104940
* Makefile.in (ANALYZER_OBJS): Add analyzer/symbol.o.
gcc/analyzer/ChangeLog:
PR analyzer/104940
* region-model-manager.cc
(region_model_manager::region_model_manager): Update for
generalizing region ids to also cover svalues.
(region_model_manager::get_or_create_constant_svalue): Likewise.
(region_model_manager::get_or_create_unknown_svalue): Likewise.
(region_model_manager::create_unique_svalue): Likewise.
(region_model_manager::get_or_create_initial_value): Likewise.
(region_model_manager::get_or_create_setjmp_svalue): Likewise.
(region_model_manager::get_or_create_poisoned_svalue): Likewise.
(region_model_manager::get_ptr_svalue): Likewise.
(region_model_manager::get_or_create_unaryop): Likewise.
(region_model_manager::get_or_create_binop): Likewise.
(region_model_manager::get_or_create_sub_svalue): Likewise.
(region_model_manager::get_or_create_repeated_svalue): Likewise.
(region_model_manager::get_or_create_bits_within): Likewise.
(region_model_manager::get_or_create_unmergeable): Likewise.
(region_model_manager::get_or_create_widening_svalue): Likewise.
(region_model_manager::get_or_create_compound_svalue): Likewise.
(region_model_manager::get_or_create_conjured_svalue): Likewise.
(region_model_manager::get_or_create_asm_output_svalue): Likewise.
(region_model_manager::get_or_create_const_fn_result_svalue):
Likewise.
(region_model_manager::get_region_for_fndecl): Likewise.
(region_model_manager::get_region_for_label): Likewise.
(region_model_manager::get_region_for_global): Likewise.
(region_model_manager::get_field_region): Likewise.
(region_model_manager::get_element_region): Likewise.
(region_model_manager::get_offset_region): Likewise.
(region_model_manager::get_sized_region): Likewise.
(region_model_manager::get_cast_region): Likewise.
(region_model_manager::get_frame_region): Likewise.
(region_model_manager::get_symbolic_region): Likewise.
(region_model_manager::get_region_for_string): Likewise.
(region_model_manager::get_bit_range): Likewise.
(region_model_manager::get_var_arg_region): Likewise.
(region_model_manager::get_region_for_unexpected_tree_code):
Likewise.
(region_model_manager::get_or_create_region_for_heap_alloc):
Likewise.
(region_model_manager::create_region_for_alloca): Likewise.
(region_model_manager::log_stats): Likewise.
* region-model-manager.h (region_model_manager::get_num_regions):
Replace with...
(region_model_manager::get_num_symbols): ...this.
(region_model_manager::alloc_region_id): Replace with...
(region_model_manager::alloc_symbol_id): ...this.
(region_model_manager::m_next_region_id): Replace with...
(region_model_manager::m_next_symbol_id): ...this.
* region-model.cc (selftest::test_get_representative_tree): Update
for generalizing region ids to also cover svalues.
(selftest::test_binop_svalue_folding): Likewise.
(selftest::test_state_merging): Likewise.
* region.cc (region::cmp_ids): Delete, in favor of
symbol::cmp_ids.
(region::region): Update for introduction of symbol base class.
(frame_region::get_region_for_local): Likewise.
(root_region::root_region): Likewise.
(symbolic_region::symbolic_region): Likewise.
* region.h: Replace include of "analyzer/complexity.h" with
"analyzer/symbol.h".
(class region): Make a subclass of symbol.
(region::get_id): Delete in favor of symbol::get_id.
(region::cmp_ids): Delete in favor of symbol::cmp_ids.
(region::get_complexity): Delete in favor of
symbol::get_complexity.
(region::region): Use symbol::id_t for "id" param.
(region::m_complexity): Move field to symbol base class.
(region::m_id): Likewise.
(space_region::space_region): Use symbol::id_t for "id" param.
(frame_region::frame_region): Likewise.
(globals_region::globals_region): Likewise.
(code_region::code_region): Likewise.
(function_region::function_region): Likewise.
(label_region::label_region): Likewise.
(stack_region::stack_region): Likewise.
(heap_region::heap_region): Likewise.
(thread_local_region::thread_local_region): Likewise.
(root_region::root_region): Likewise.
(symbolic_region::symbolic_region): Likewise.
(decl_region::decl_region): Likewise.
(field_region::field_region): Likewise.
(element_region::element_region): Likewise.
(offset_region::offset_region): Likewise.
(sized_region::sized_region): Likewise.
(cast_region::cast_region): Likewise.
(heap_allocated_region::heap_allocated_region): Likewise.
(alloca_region::alloca_region): Likewise.
(string_region::string_region): Likewise.
(bit_range_region::bit_range_region): Likewise.
(var_arg_region::var_arg_region): Likewise.
(errno_region::errno_region): Likewise.
(unknown_region::unknown_region): Likewise.
* svalue.cc (sub_svalue::sub_svalue): Add symbol::id_t param.
(repeated_svalue::repeated_svalue): Likewise.
(bits_within_svalue::bits_within_svalue): Likewise.
(compound_svalue::compound_svalue): Likewise.
* svalue.h: Replace include of "analyzer/complexity.h" with
"analyzer/symbol.h".
(class svalue): Make a subclass of symbol.
(svalue::get_complexity): Delete in favor of
symbol::get_complexity.
(svalue::svalue): Add symbol::id_t param. Update for new base
class.
(svalue::m_complexity): Delete in favor of
symbol::m_complexity.
(region_svalue::region_svalue): Add symbol::id_t param.
(constant_svalue::constant_svalue): Likewise.
(unknown_svalue::unknown_svalue): Likewise.
(poisoned_svalue::poisoned_svalue): Likewise.
(setjmp_svalue::setjmp_svalue): Likewise.
(initial_svalue::initial_svalue): Likewise.
(unaryop_svalue::unaryop_svalue): Likewise.
(binop_svalue::binop_svalue): Likewise.
(sub_svalue::sub_svalue): Likewise.
(repeated_svalue::repeated_svalue): Likewise.
(bits_within_svalue::bits_within_svalue): Likewise.
(unmergeable_svalue::unmergeable_svalue): Likewise.
(placeholder_svalue::placeholder_svalue): Likewise.
(widening_svalue::widening_svalue): Likewise.
(compound_svalue::compound_svalue): Likewise.
(conjured_svalue::conjured_svalue): Likewise.
(asm_output_svalue::asm_output_svalue): Likewise.
(const_fn_result_svalue::const_fn_result_svalue): Likewise.
* symbol.cc: New file.
* symbol.h: New file.
Signed-off-by: David Malcolm <dmalcolm@redhat.com>
|
|
|
|
gcc/analyzer/ChangeLog:
PR analyzer/110455
* region-model.cc (region_model::get_gassign_result): Only check
for bad shift counts when dealing with an integral type.
gcc/testsuite/ChangeLog:
PR analyzer/110455
* gcc.dg/analyzer/pr110455.c: New test.
Signed-off-by: David Malcolm <dmalcolm@redhat.com>
|