I'm seeing warnings like
../../gcc/analyzer/access-diagram.cc: In member function ‘void ana::bit_size_expr::print(pretty_printer*) const’:
../../gcc/analyzer/access-diagram.cc:399:26: warning: unknown conversion type character ‘E’ in format [-Wformat=]
399 | pp_printf (pp, _("%qE bytes"), bytes_expr);
| ^~~~~~~~~~~
when building stage2/stage3 gcc. While such warnings would be
understandable when building stage1 because one could e.g. have some
older host compiler which doesn't understand some of the format specifiers,
the above seems to be because we have in pretty-print.h
#ifdef GCC_DIAG_STYLE
#define GCC_PPDIAG_STYLE GCC_DIAG_STYLE
#else
#define GCC_PPDIAG_STYLE __gcc_diag__
#endif
and use GCC_PPDIAG_STYLE e.g. for pp_printf, and while
diagnostic-core.h has
#ifndef GCC_DIAG_STYLE
#define GCC_DIAG_STYLE __gcc_tdiag__
#endif
(and similarly various FE headers include their own GCC_DIAG_STYLE)
when including pretty-print.h before diagnostic-core.h we end up
with __gcc_diag__ style rather than __gcc_tdiag__ style, which I think
is the right thing for the analyzer, because analyzer seems to use
default_tree_printer everywhere:
grep pp_format_decoder.*=.default_tree_printer analyzer/* | wc -l
57
The following patch fixes that by making sure diagnostic-core.h is included
before pretty-print.h.
2024-03-07 Jakub Jelinek <jakub@redhat.com>
* access-diagram.cc: Include diagnostic-core.h before including
diagnostic.h or diagnostic-path.h.
* sm-malloc.cc: Likewise.
* diagnostic-manager.cc: Likewise.
* call-summary.cc: Likewise.
* record-layout.cc: Likewise.
PR analyzer/114159 reports an ICE inside playback of call summaries
for very low values of --param=analyzer-max-svalue-depth=VAL.
Root cause is that call_summary_edge_info's ctor tries to evaluate
the function ptr of a gimple call stmt and assumes it gets a function *,
but with low values of --param=analyzer-max-svalue-depth=VAL we get
back an UNKNOWN svalue, rather than a pointer to a specific function.
Fix by adding a new call_info ctor that passes a specific
const function & from the call_summary_edge_info, rather than trying
to compute the function.
In doing so, I noticed that the analyzer was using "function *" despite
not modifying functions, and was sloppy about can-be-null versus
must-be-non-null function pointers, so I "constified" the function, and
converted the many places where the function must be non-null to be
"const function &".
gcc/analyzer/ChangeLog:
PR analyzer/114159
* analyzer.cc: Include "tree-dfa.h".
(get_ssa_default_def): New decl.
* analyzer.h (get_ssa_default_def): New.
* call-info.cc (call_info::call_info): New ctor taking an explicit
called_fn.
* call-info.h (call_info::call_info): Likewise.
* call-summary.cc (call_summary_replay::call_summary_replay):
Convert param from function * to const function &.
* call-summary.h (call_summary_replay::call_summary_replay):
Likewise.
* checker-event.h (state_change_event::get_dest_function):
Constify return value.
* engine.cc (point_and_state::validate): Update for conversion to
const function &.
(exploded_node::on_stmt): Likewise.
(call_summary_edge_info::call_summary_edge_info): Likewise.
Pass in called_fn to call_info ctor.
(exploded_node::replay_call_summaries): Update for conversion to
const function &. Convert per_function_data from * to &.
(exploded_node::replay_call_summary): Update for conversion to
const function &.
(exploded_graph::add_function_entry): Likewise.
(toplevel_function_p): Likewise.
(add_tainted_args_callback): Likewise.
(exploded_graph::build_initial_worklist): Likewise.
(exploded_graph::maybe_create_dynamic_call): Likewise.
(maybe_update_for_edge): Likewise.
(exploded_graph::on_escaped_function): Likewise.
* exploded-graph.h (exploded_node::replay_call_summaries):
Likewise.
(exploded_node::replay_call_summary): Likewise.
(exploded_graph::add_function_entry): Likewise.
* program-point.cc (function_point::from_function_entry):
Likewise.
(program_point::from_function_entry): Likewise.
* program-point.h (function_point::from_function_entry): Likewise.
(program_point::from_function_entry): Likewise.
* program-state.cc (program_state::push_frame): Likewise.
(program_state::get_current_function): Constify return type.
* program-state.h (program_state::push_frame): Update for
conversion to const function &.
(program_state::get_current_function): Likewise.
* region-model-manager.cc
(region_model_manager::get_frame_region): Likewise.
* region-model-manager.h
(region_model_manager::get_frame_region): Likewise.
* region-model.cc (region_model::called_from_main_p): Likewise.
(region_model::update_for_gcall): Likewise.
(region_model::push_frame): Likewise.
(region_model::get_current_function): Constify return type.
(region_model::pop_frame): Update for conversion to
const function &.
(selftest::test_stack_frames): Likewise.
(selftest::test_get_representative_path_var): Likewise.
(selftest::test_state_merging): Likewise.
(selftest::test_alloca): Likewise.
* region-model.h (region_model::push_frame): Likewise.
(region_model::get_current_function): Likewise.
* region.cc (frame_region::dump_to_pp): Likewise.
(frame_region::get_region_for_local): Likewise.
* region.h (class frame_region): Likewise.
* sm-signal.cc (signal_unsafe_call::describe_state_change):
Likewise.
(update_model_for_signal_handler): Likewise.
(signal_delivery_edge_info_t::update_model): Likewise.
(register_signal_handler::impl_transition): Likewise.
* state-purge.cc (class gimple_op_visitor): Likewise.
(state_purge_map::state_purge_map): Likewise.
(state_purge_map::get_or_create_data_for_decl): Likewise.
(state_purge_per_ssa_name::state_purge_per_ssa_name): Likewise.
(state_purge_per_ssa_name::add_to_worklist): Likewise.
(state_purge_per_ssa_name::process_point): Likewise.
(state_purge_per_decl::add_to_worklist): Likewise.
(state_purge_annotator::print_needed): Likewise.
* state-purge.h
(state_purge_map::get_or_create_data_for_decl): Likewise.
(class state_purge_per_tree): Likewise.
(class state_purge_per_ssa_name): Likewise.
(class state_purge_per_decl): Likewise.
* supergraph.cc (supergraph::dump_dot_to_pp): Likewise.
* supergraph.h
(supergraph::get_node_for_function_entry): Likewise.
(supergraph::get_node_for_function_exit): Likewise.
gcc/ChangeLog:
PR analyzer/114159
* function.cc (function_name): Make param const.
* function.h (function_name): Likewise.
gcc/testsuite/ChangeLog:
PR analyzer/114159
* c-c++-common/analyzer/call-summaries-pr114159.c: New test.
Signed-off-by: David Malcolm <dmalcolm@redhat.com>
On e.g. gcc211 the use of "%li" with unsigned HOST_WIDE_INT led to this warning:
../../src/gcc/analyzer/access-diagram.cc: In member function ‘void ana::string_literal_spatial_item::add_column_for_byte(text_art::table&, const ana::bit_to_table_map&, text_art::style_manager&, ana::byte_offset_t, ana::byte_offset_t, int, int) const’:
../../src/gcc/analyzer/access-diagram.cc:1909:40: warning: format ‘%li’ expects argument of type ‘long int’, but argument 3 has type ‘long long unsigned int’ [-Wformat=]
byte_idx_within_string.ulow ()));
^
and to all values being erroneously printed as "0".
Fixed thusly.
gcc/analyzer/ChangeLog:
PR analyzer/110483
PR analyzer/111802
* access-diagram.cc
(string_literal_spatial_item::add_column_for_byte): Use %wu for
printing unsigned HOST_WIDE_INT.
Signed-off-by: David Malcolm <dmalcolm@redhat.com>
gcc/analyzer/ChangeLog:
PR analyzer/111881
* constraint-manager.cc (bound::ensure_closed): Assert that
m_constant has integral type.
(range::add_bound): Bail out on floating point constants.
gcc/testsuite/ChangeLog:
PR analyzer/111881
* c-c++-common/analyzer/conditionals-pr111881.c: New test.
Signed-off-by: David Malcolm <dmalcolm@redhat.com>
gcc/analyzer/ChangeLog:
PR analyzer/113999
* analyzer.h (get_string_cst_size): New decl.
* region-model-manager.cc (get_string_cst_size): New.
(region_model_manager::maybe_get_char_from_string_cst): Treat
single-byte accesses within string_cst but beyond
TREE_STRING_LENGTH as being 0.
* region-model.cc (string_cst_has_null_terminator): Likewise.
gcc/testsuite/ChangeLog:
PR analyzer/113999
* c-c++-common/analyzer/strlen-pr113999.c: New test.
* gcc.dg/analyzer/strlen-1.c: More test coverage.
Signed-off-by: David Malcolm <dmalcolm@redhat.com>
gcc/analyzer/ChangeLog:
PR analyzer/113998
* ranges.cc (symbolic_byte_range::intersection): Handle empty ranges.
(selftest::test_intersects): Add test coverage for empty ranges.
gcc/testsuite/ChangeLog:
PR analyzer/113998
* c-c++-common/analyzer/overlapping-buffers-pr113998.c: New test.
Signed-off-by: David Malcolm <dmalcolm@redhat.com>
gcc/analyzer/ChangeLog:
PR analyzer/111289
* varargs.cc (representable_in_integral_type_p): New.
(va_arg_compatible_types_p): Add "arg_sval" param. Handle integer
types.
(kf_va_arg::impl_call_pre): Pass arg_sval to
va_arg_compatible_types_p.
gcc/testsuite/ChangeLog:
PR analyzer/111289
* c-c++-common/analyzer/stdarg-pr111289-int.c: New test.
* c-c++-common/analyzer/stdarg-pr111289-ptr.c: New test.
Signed-off-by: David Malcolm <dmalcolm@redhat.com>
[PR113983]
After r14-6419-g4eaaf7f5a378e8, maybe_undo_optimize_bit_field_compare would ICE on
vector CST, but this function really should be checking if we had integer types, so
reject non-integral types early on (like it was doing for non-char types before r14-6419-g4eaaf7f5a378e8).
Committed as obvious after build and tested for aarch64-linux-gnu with no regressions.
PR analyzer/113983
gcc/analyzer/ChangeLog:
* region-model-manager.cc (maybe_undo_optimize_bit_field_compare): Reject
non-integral types.
gcc/testsuite/ChangeLog:
* gcc.dg/analyzer/torture/vector-extract-1.c: New test.
Signed-off-by: Andrew Pinski <quic_apinski@quicinc.com>
PR analyzer/111266 reports a missing -Wanalyzer-out-of-bounds when
accessing relative to a concrete byte offset.
Root cause is that offset_region::get_{byte,bit}_size_sval were
attempting to compute the size that's valid to access, rather than the
size of the access attempt.
Fixed by removing these vfunc overrides from offset_region as the
base class implementation does the right thing.
gcc/analyzer/ChangeLog:
PR analyzer/111266
* region.cc (offset_region::get_byte_size_sval): Delete.
(offset_region::get_bit_size_sval): Delete.
* region.h (region::get_byte_size): Add comment clarifying that
this relates to the size of the access, rather than the size
that's valid to access.
(region::get_bit_size): Likewise.
(region::get_byte_size_sval): Likewise.
(region::get_bit_size_sval): Likewise.
(offset_region::get_byte_size_sval): Delete.
(offset_region::get_bit_size_sval): Delete.
gcc/testsuite/ChangeLog:
PR analyzer/111266
* c-c++-common/analyzer/out-of-bounds-pr111266.c: New test.
Signed-off-by: David Malcolm <dmalcolm@redhat.com>
As noted by Joseph, I broke "make gcc.pot" in r14-6057-g12b67d1e13b3cf
by adding an overloaded format API with the format string in a different
position, leading to this failure:
emit_diagnostic_valist used incompatibly as both --keyword=emit_diagnostic_valist:4
--flag=emit_diagnostic_valist:4:gcc-internal-format and --keyword=emit_diagnostic_valist:5
--flag=emit_diagnostic_valist:5:gcc-internal-format
Fix by replacing the overloaded function with one with a different name.
See also r10-6297-g6c8e584430bc5d for previous fixes for this involving
the same function, or r5-6946-g40fecdd62f7d29 and
r5-6959-gdb30e21cbff7b9 for older fixes for similar issues.
gcc/analyzer/ChangeLog:
* pending-diagnostic.cc (diagnostic_emission_context::warn):
Update for renaming of emit_diagnostic_valist overload to
emit_diagnostic_valist_meta.
(diagnostic_emission_context::inform): Likewise.
gcc/ChangeLog:
* diagnostic-core.h (emit_diagnostic_valist): Rename overload
to...
(emit_diagnostic_valist_meta): ...this.
* diagnostic.cc (emit_diagnostic_valist): Likewise, to...
(emit_diagnostic_valist_meta): ...this.
Signed-off-by: David Malcolm <dmalcolm@redhat.com>
PR analyzer/113253 reports a case where the analyzer output varied
with and without -g enabled.
The root cause was that debug stmts were in the
FOR_EACH_IMM_USE_FAST list for SSA names, leading to the analyzer's
state purging logic differing between the -g and non-debugging cases,
and thus leading to differences in the exploration of the user's code.
Fix by skipping such stmts in the state-purging logic, and removing
debug stmts when constructing the supergraph.
gcc/analyzer/ChangeLog:
PR analyzer/113253
* region-model.cc (region_model::on_stmt_pre): Add gcc_unreachable
for debug statements.
* state-purge.cc
(state_purge_per_ssa_name::state_purge_per_ssa_name): Skip any
debug stmts in the FOR_EACH_IMM_USE_FAST list.
* supergraph.cc (supergraph::supergraph): Don't add debug stmts
to the supernodes.
gcc/testsuite/ChangeLog:
PR analyzer/113253
* gcc.dg/analyzer/deref-before-check-pr113253.c: New test.
Signed-off-by: David Malcolm <dmalcolm@redhat.com>
Avoid ICE with -fanalyzer-verbose-state-changes when
region_model::get_representative_tree returns nullptr in
state_change_event::get_desc.
gcc/analyzer/ChangeLog:
PR analyzer/113509
* checker-event.cc (state_change_event::get_desc): Don't assume
"var" is non-NULL.
gcc/testsuite/ChangeLog:
PR analyzer/113509
* c-c++-common/analyzer/stdarg-pr113509.c: New test.
Signed-off-by: David Malcolm <dmalcolm@redhat.com>
round_up macro [PR113654]
gcc/analyzer/ChangeLog:
PR analyzer/113654
* region-model.cc (is_round_up): New.
(is_multiple_p): New.
(is_dubious_capacity): New.
(region_model::check_region_size): Move usage of size_visitor into
is_dubious_capacity.
gcc/testsuite/ChangeLog:
PR analyzer/113654
* c-c++-common/analyzer/allocation-size-pr113654-1.c: New test.
Signed-off-by: David Malcolm <dmalcolm@redhat.com>
This is useful for debugging the analyzer.
gcc/analyzer/ChangeLog:
* region-model.cc
(dubious_allocation_size::dubious_allocation_size): Add
"capacity_sval" param. Drop unused ctor.
(dubious_allocation_size::maybe_add_sarif_properties): New.
(dubious_allocation_size::m_capacity_sval): New field.
(region_model::check_region_size): Pass capacity svalue to
dubious_allocation_size ctor.
Signed-off-by: David Malcolm <dmalcolm@redhat.com>
Confusion in binding_cluster::maybe_get_compound_binding about whether
offsets are relative to the start of the region or to the start of the
cluster was leading to incorrect handling of default values, leading
to false positives from -Wanalyzer-use-of-uninitialized-value, from
-Wanalyzer-exposure-through-uninit-copy, and other logic errors.
Fixed thusly.
gcc/analyzer/ChangeLog:
PR analyzer/112969
* store.cc (binding_cluster::maybe_get_compound_binding): When
populating default_map, express the bit-range of the default key
for REG relative to REG, rather than to the base region.
gcc/testsuite/ChangeLog:
PR analyzer/112969
* c-c++-common/analyzer/compound-assignment-5.c (test_3): Remove
xfails, reorder tests.
* c-c++-common/analyzer/compound-assignment-pr112969.c: New test.
* gcc.dg/plugin/infoleak-pr112969.c: New test.
* gcc.dg/plugin/plugin.exp: Add infoleak-pr112969.c to
analyzer_kernel_plugin.c tests.
Signed-off-by: David Malcolm <dmalcolm@redhat.com>
gcc/analyzer/ChangeLog:
PR analyzer/112977
* engine.cc (impl_region_model_context::on_liveness_change): Pass
m_ext_state to sm_state_map::on_liveness_change.
* program-state.cc (sm_state_map::on_svalue_leak): Guard removal
of map entry based on can_purge_p.
(sm_state_map::on_liveness_change): Add ext_state param. Add
workaround for bad interaction between state purging and
alt-inherited sm-state.
* program-state.h (sm_state_map::on_liveness_change): Add
ext_state param.
* sm-taint.cc
(taint_state_machine::has_alt_get_inherited_state_p): New.
(taint_state_machine::can_purge_p): Return false for "has_lb" and
"has_ub".
* sm.h (state_machine::has_alt_get_inherited_state_p): New vfunc.
gcc/testsuite/ChangeLog:
PR analyzer/112977
* gcc.dg/plugin/plugin.exp: Add taint-pr112977.c.
* gcc.dg/plugin/taint-pr112977.c: New test.
Signed-off-by: David Malcolm <dmalcolm@redhat.com>
gcc/analyzer/ChangeLog:
PR analyzer/111361
* region-model.cc (svalue_byte_range_has_null_terminator_1): The
initial byte of an all-zeroes SVAL is a zero byte. Remove
gcc_unreachable from SK_CONSTANT for constants that aren't
STRING_CST or INTEGER_CST.
gcc/testsuite/ChangeLog:
PR analyzer/111361
* c-c++-common/analyzer/strlen-pr111361.c: New test.
* c-c++-common/analyzer/strncpy-1.c (test_zero_fill): Remove fixed
xfail.
* c-c++-common/analyzer/strncpy-pr111361.c: New test.
Signed-off-by: David Malcolm <dmalcolm@redhat.com>
PR analyzer/112811 reports an ICE attempting to determine whether a
string is null-terminated.
The root cause is confusion in the code about whether byte offsets are
relative to the start of the base region, or relative to the bound
fragment within the region.
This patch rewrites the code to enforce a clearer separation between
the kinds of offset, fixing the ICE, and adds logging to help track
down future issues in this area of the code.
gcc/analyzer/ChangeLog:
PR analyzer/112811
* region-model.cc (fragment::dump_to_pp): New.
(fragment::has_null_terminator): Convert to...
(svalue_byte_range_has_null_terminator_1): ...this new function,
updating to use a byte_range relative to the start of the svalue.
(svalue_byte_range_has_null_terminator): New.
(fragment::string_cst_has_null_terminator): Convert to...
(string_cst_has_null_terminator): ...this, updating to use a
byte_range relative to the start of the svalue.
(iterable_cluster::dump_to_pp): New.
(region_model::scan_for_null_terminator): Add logging, moving body
to...
(region_model::scan_for_null_terminator_1): ...this new function,
adding more logging, and updating to use
svalue_byte_range_has_null_terminator.
* region-model.h (region_model::scan_for_null_terminator_1): New
decl.
gcc/testsuite/ChangeLog:
PR analyzer/112811
* c-c++-common/analyzer/strlen-pr112811.c: New test.
Signed-off-by: David Malcolm <dmalcolm@redhat.com>
char index [PR106229]
gcc/analyzer/ChangeLog:
PR analyzer/106229
* analyzer.h (compare_constants): New decl.
* constraint-manager.cc (compare_constants): Make non-static.
* sm-taint.cc: Add include "fold-const.h".
(class concrete_range): New.
(get_possible_range): New.
(index_can_be_out_of_bounds_p): New.
(region_model::check_region_for_taint): Reject
-Wanalyzer-tainted-array-index if the type of the value makes it
impossible for it to be out-of-bounds of the array.
gcc/testsuite/ChangeLog:
PR analyzer/106229
* c-c++-common/analyzer/taint-index-pr106229.c: New test.
Signed-off-by: David Malcolm <dmalcolm@redhat.com>
In particular, accessing the result of *calloc (1, SZ) (if non-NULL)
should be known to be all zeroes.
gcc/analyzer/ChangeLog:
PR analyzer/113333
* region-model-manager.cc
(region_model_manager::maybe_fold_unaryop): Casting all zeroes
should give all zeroes.
gcc/testsuite/ChangeLog:
PR analyzer/113333
* c-c++-common/analyzer/calloc-1.c: Add tests.
* c-c++-common/analyzer/pr96639.c: Update expected results.
* gcc.dg/analyzer/data-model-9.c: Likewise.
Signed-off-by: David Malcolm <dmalcolm@redhat.com>
Changed in v5: regenerated
Changed in v4: regenerated
Changed in v3: regenerated
Changed in v2: the files now contain some lang-specific URLs.
gcc/ada/ChangeLog:
* gcc-interface/lang.opt.urls: New file, autogenerated by
regenerate-opt-urls.py.
gcc/analyzer/ChangeLog:
* analyzer.opt.urls: New file, autogenerated by
regenerate-opt-urls.py.
gcc/c-family/ChangeLog:
* c.opt.urls: New file, autogenerated by regenerate-opt-urls.py.
gcc/ChangeLog:
* common.opt.urls: New file, autogenerated by
regenerate-opt-urls.py.
* config/aarch64/aarch64.opt.urls: Likewise.
* config/alpha/alpha.opt.urls: Likewise.
* config/alpha/elf.opt.urls: Likewise.
* config/arc/arc-tables.opt.urls: Likewise.
* config/arc/arc.opt.urls: Likewise.
* config/arm/arm-tables.opt.urls: Likewise.
* config/arm/arm.opt.urls: Likewise.
* config/arm/vxworks.opt.urls: Likewise.
* config/avr/avr.opt.urls: Likewise.
* config/bpf/bpf.opt.urls: Likewise.
* config/c6x/c6x-tables.opt.urls: Likewise.
* config/c6x/c6x.opt.urls: Likewise.
* config/cris/cris.opt.urls: Likewise.
* config/cris/elf.opt.urls: Likewise.
* config/csky/csky.opt.urls: Likewise.
* config/csky/csky_tables.opt.urls: Likewise.
* config/darwin.opt.urls: Likewise.
* config/dragonfly.opt.urls: Likewise.
* config/epiphany/epiphany.opt.urls: Likewise.
* config/fr30/fr30.opt.urls: Likewise.
* config/freebsd.opt.urls: Likewise.
* config/frv/frv.opt.urls: Likewise.
* config/ft32/ft32.opt.urls: Likewise.
* config/fused-madd.opt.urls: Likewise.
* config/g.opt.urls: Likewise.
* config/gcn/gcn.opt.urls: Likewise.
* config/gnu-user.opt.urls: Likewise.
* config/h8300/h8300.opt.urls: Likewise.
* config/hpux11.opt.urls: Likewise.
* config/i386/cygming.opt.urls: Likewise.
* config/i386/cygwin.opt.urls: Likewise.
* config/i386/djgpp.opt.urls: Likewise.
* config/i386/i386.opt.urls: Likewise.
* config/i386/mingw-w64.opt.urls: Likewise.
* config/i386/mingw.opt.urls: Likewise.
* config/i386/nto.opt.urls: Likewise.
* config/ia64/ia64.opt.urls: Likewise.
* config/ia64/ilp32.opt.urls: Likewise.
* config/ia64/vms.opt.urls: Likewise.
* config/iq2000/iq2000.opt.urls: Likewise.
* config/linux-android.opt.urls: Likewise.
* config/linux.opt.urls: Likewise.
* config/lm32/lm32.opt.urls: Likewise.
* config/loongarch/loongarch.opt.urls: Likewise.
* config/lynx.opt.urls: Likewise.
* config/m32c/m32c.opt.urls: Likewise.
* config/m32r/m32r.opt.urls: Likewise.
* config/m68k/ieee.opt.urls: Likewise.
* config/m68k/m68k-tables.opt.urls: Likewise.
* config/m68k/m68k.opt.urls: Likewise.
* config/m68k/uclinux.opt.urls: Likewise.
* config/mcore/mcore.opt.urls: Likewise.
* config/microblaze/microblaze.opt.urls: Likewise.
* config/mips/mips-tables.opt.urls: Likewise.
* config/mips/mips.opt.urls: Likewise.
* config/mips/sde.opt.urls: Likewise.
* config/mmix/mmix.opt.urls: Likewise.
* config/mn10300/mn10300.opt.urls: Likewise.
* config/moxie/moxie.opt.urls: Likewise.
* config/msp430/msp430.opt.urls: Likewise.
* config/nds32/nds32-elf.opt.urls: Likewise.
* config/nds32/nds32-linux.opt.urls: Likewise.
* config/nds32/nds32.opt.urls: Likewise.
* config/netbsd-elf.opt.urls: Likewise.
* config/netbsd.opt.urls: Likewise.
* config/nios2/elf.opt.urls: Likewise.
* config/nios2/nios2.opt.urls: Likewise.
* config/nvptx/nvptx-gen.opt.urls: Likewise.
* config/nvptx/nvptx.opt.urls: Likewise.
* config/openbsd.opt.urls: Likewise.
* config/or1k/elf.opt.urls: Likewise.
* config/or1k/or1k.opt.urls: Likewise.
* config/pa/pa-hpux.opt.urls: Likewise.
* config/pa/pa-hpux1010.opt.urls: Likewise.
* config/pa/pa-hpux1111.opt.urls: Likewise.
* config/pa/pa-hpux1131.opt.urls: Likewise.
* config/pa/pa.opt.urls: Likewise.
* config/pa/pa64-hpux.opt.urls: Likewise.
* config/pdp11/pdp11.opt.urls: Likewise.
* config/pru/pru.opt.urls: Likewise.
* config/riscv/riscv.opt.urls: Likewise.
* config/rl78/rl78.opt.urls: Likewise.
* config/rpath.opt.urls: Likewise.
* config/rs6000/476.opt.urls: Likewise.
* config/rs6000/aix64.opt.urls: Likewise.
* config/rs6000/darwin.opt.urls: Likewise.
* config/rs6000/linux64.opt.urls: Likewise.
* config/rs6000/rs6000-tables.opt.urls: Likewise.
* config/rs6000/rs6000.opt.urls: Likewise.
* config/rs6000/sysv4.opt.urls: Likewise.
* config/rtems.opt.urls: Likewise.
* config/rx/elf.opt.urls: Likewise.
* config/rx/rx.opt.urls: Likewise.
* config/s390/s390.opt.urls: Likewise.
* config/s390/tpf.opt.urls: Likewise.
* config/sh/sh.opt.urls: Likewise.
* config/sh/superh.opt.urls: Likewise.
* config/sol2.opt.urls: Likewise.
* config/sparc/long-double-switch.opt.urls: Likewise.
* config/sparc/sparc.opt.urls: Likewise.
* config/stormy16/stormy16.opt.urls: Likewise.
* config/v850/v850.opt.urls: Likewise.
* config/vax/elf.opt.urls: Likewise.
* config/vax/vax.opt.urls: Likewise.
* config/visium/visium.opt.urls: Likewise.
* config/vms/vms.opt.urls: Likewise.
* config/vxworks-smp.opt.urls: Likewise.
* config/vxworks.opt.urls: Likewise.
* config/xtensa/elf.opt.urls: Likewise.
* config/xtensa/uclinux.opt.urls: Likewise.
* config/xtensa/xtensa.opt.urls: Likewise.
gcc/d/ChangeLog:
* lang.opt.urls: New file, autogenerated by
regenerate-opt-urls.py.
gcc/fortran/ChangeLog:
* lang.opt.urls: New file, autogenerated by
regenerate-opt-urls.py.
gcc/go/ChangeLog:
* lang.opt.urls: New file, autogenerated by
regenerate-opt-urls.py.
gcc/lto/ChangeLog:
* lang.opt.urls: New file, autogenerated by
regenerate-opt-urls.py.
gcc/m2/ChangeLog:
* lang.opt.urls: New file, autogenerated by
regenerate-opt-urls.py.
gcc/ChangeLog:
* params.opt.urls: New file, autogenerated by
regenerate-opt-urls.py.
gcc/rust/ChangeLog:
* lang.opt.urls: New file, autogenerated by
regenerate-opt-urls.py.
Signed-off-by: David Malcolm <dmalcolm@redhat.com>
As another followup to r14-6057-g12b67d1e13b3cf, optionally add SARIF
property bags to threadFlowLocation objects when writing out diagnostic
paths, and add analyzer-specific properties to them.
This was useful for debugging PR analyzer/112790.
gcc/analyzer/ChangeLog:
* checker-event.cc: Include "diagnostic-format-sarif.h" and
"tree-logical-location.h".
(checker_event::maybe_add_sarif_properties): New.
(superedge_event::maybe_add_sarif_properties): New.
(superedge_event::superedge_event): Add comment.
* checker-event.h (checker_event::maybe_add_sarif_properties): New
decl.
(superedge_event::maybe_add_sarif_properties): New decl.
gcc/ChangeLog:
* diagnostic-format-sarif.cc
(sarif_builder::make_logical_location_object): Convert to...
(make_sarif_logical_location_object): ...this.
(sarif_builder::set_any_logical_locs_arr): Update for above
change.
(sarif_builder::make_thread_flow_location_object): Call
maybe_add_sarif_properties on each diagnostic_event.
* diagnostic-format-sarif.h (class logical_location): New forward
decl.
(make_sarif_logical_location_object): New decl.
* diagnostic-path.h (class sarif_object): New forward decl.
(diagnostic_event::maybe_add_sarif_properties): New vfunc.
Signed-off-by: David Malcolm <dmalcolm@redhat.com>
gcc/analyzer/ChangeLog:
PR analyzer/112790
* checker-event.cc (class inlining_info): Move to...
* inlining-iterator.h (class inlining_info): ...here.
* sm-malloc.cc: Include "analyzer/inlining-iterator.h".
(maybe_complain_about_deref_before_check): Reject stmts that were
inlined from another function.
gcc/testsuite/ChangeLog:
PR analyzer/112790
* c-c++-common/analyzer/deref-before-check-pr112790.c: New test.
Signed-off-by: David Malcolm <dmalcolm@redhat.com>
gcc/analyzer/ChangeLog:
PR analyzer/113222
* access-diagram.cc (valid_region_spatial_item::add_boundaries):
Handle TYPE_DOMAIN being null.
(valid_region_spatial_item::add_array_elements_to_table):
Likewise.
gcc/testsuite/ChangeLog:
PR analyzer/113222
* gcc.dg/analyzer/out-of-bounds-diagram-pr113222.c: New test.
Signed-off-by: David Malcolm <dmalcolm@redhat.com>
2023 -> 2024
As a followup to r14-6057-g12b67d1e13b3cf, add SARIF property bags
for -Wanalyzer-out-of-bounds, to help with debugging these warnings.
This was very helpful with PR analyzer/112792.
gcc/analyzer/ChangeLog:
* analyzer.cc: Include "tree-pretty-print.h" and
"diagnostic-event-id.h".
(tree_to_json): New.
(diagnostic_event_id_to_json): New.
(bit_offset_to_json): New.
(byte_offset_to_json): New.
* analyzer.h (tree_to_json): New decl.
(diagnostic_event_id_to_json): New decl.
(bit_offset_to_json): New decl.
(byte_offset_to_json): New decl.
* bounds-checking.cc: Include "diagnostic-format-sarif.h".
(out_of_bounds::maybe_add_sarif_properties): New.
(concrete_out_of_bounds::maybe_add_sarif_properties): New.
(concrete_past_the_end::maybe_add_sarif_properties): New.
(symbolic_past_the_end::maybe_add_sarif_properties): New.
* region-model.cc (region_to_value_map::to_json): New.
(region_model::to_json): New.
* region-model.h (region_to_value_map::to_json): New decl.
(region_model::to_json): New decl.
* store.cc (bit_range::to_json): New.
(byte_range::to_json): New.
* store.h (bit_range::to_json): New decl.
(byte_range::to_json): New decl.
Signed-off-by: David Malcolm <dmalcolm@redhat.com>
PR analyzer/112792 reports false positives from -fanalyzer's
bounds-checking on certain packed structs containing bitfields e.g.
in the Linux kernel's drivers/dma/idxd/device.c:
union msix_perm {
  struct {
    u32 rsvd2 : 8;
    u32 pasid : 20;
  };
  u32 bits;
} __attribute__((__packed__));
The root cause is that the bounds-checking is done using byte offsets
and ranges; in the above, an access of "pasid" is treated as a 32-bit
access starting one byte inside the union, thus accessing byte offsets
1-4 when only offsets 0-3 are valid.
This patch updates the bounds-checking to use bit offsets and ranges
wherever possible - for concrete offsets and capacities. In the above
accessing "pasid" is treated as bits 8-27 of a 32-bit region, fixing the
false positive.
Symbolic offsets and ranges are still handled at byte granularity.
gcc/analyzer/ChangeLog:
PR analyzer/112792
* bounds-checking.cc
(out_of_bounds::oob_region_creation_event_capacity): Rename
"capacity" to "byte_capacity". Layout fix.
(out_of_bounds::add_region_creation_events): Rename
"capacity" to "byte_capacity".
(class concrete_out_of_bounds): Rename m_out_of_bounds_range to
m_out_of_bounds_bits and convert from a byte_range to a bit_range.
(concrete_out_of_bounds::get_out_of_bounds_bytes): New.
(concrete_past_the_end::concrete_past_the_end): Rename param
"byte_bound" to "bit_bound". Initialize m_byte_bound.
(concrete_past_the_end::subclass_equal_p): Update for renaming
of m_byte_bound to m_bit_bound.
(concrete_past_the_end::m_bit_bound): New field.
(concrete_buffer_overflow::concrete_buffer_overflow): Convert
param "range" from byte_range to bit_range. Rename param
"byte_bound" to "bit_bound".
(concrete_buffer_overflow::emit): Update for bits vs bytes.
(concrete_buffer_overflow::describe_final_event): Split
into...
(concrete_buffer_overflow::describe_final_event_as_bytes): ...this
(concrete_buffer_overflow::describe_final_event_as_bits): ...and
this.
(concrete_buffer_over_read::concrete_buffer_over_read): Convert
param "range" from byte_range to bit_range. Rename param
"byte_bound" to "bit_bound".
(concrete_buffer_over_read::emit): Update for bits vs bytes.
(concrete_buffer_over_read::describe_final_event): Split into...
(concrete_buffer_over_read::describe_final_event_as_bytes):
...this
(concrete_buffer_over_read::describe_final_event_as_bits): ...and
this.
(concrete_buffer_underwrite::concrete_buffer_underwrite): Convert
param "range" from byte_range to bit_range.
(concrete_buffer_underwrite::describe_final_event): Split into...
(concrete_buffer_underwrite::describe_final_event_as_bytes):
...this
(concrete_buffer_underwrite::describe_final_event_as_bits): ...and
this.
(concrete_buffer_under_read::concrete_buffer_under_read): Convert
param "range" from byte_range to bit_range.
(concrete_buffer_under_read::describe_final_event): Split into...
(concrete_buffer_under_read::describe_final_event_as_bytes):
...this
(concrete_buffer_under_read::describe_final_event_as_bits): ...and
this.
(region_model::check_region_bounds): Use bits for concrete values,
and rename locals to indicate whether we're dealing with bits or
bytes. Specifically, replace "num_bytes_sval" with
"num_bits_sval", and get it from reg's "get_bit_size_sval".
Replace "num_bytes_tree" with "num_bits_tree". Rename "capacity"
to "byte_capacity". Rename "cst_capacity_tree" to
"cst_byte_capacity_tree". Replace "offset" and
"num_bytes_unsigned" with "bit_offset" and "num_bits_unsigned"
respectively, converting from byte_offset_t to bit_offset_t.
Replace "out" and "read_bytes" with "bits_outside" and "read_bits"
respectively, converting from byte_range to bit_range. Convert
"buffer" from byte_range to bit_range. Replace "byte_bound" with
"bit_bound".
* region.cc (region::get_bit_size_sval): New.
(offset_region::get_bit_offset): New.
(offset_region::get_bit_size_sval): New.
(sized_region::get_bit_size_sval): New.
(bit_range_region::get_bit_size_sval): New.
* region.h (region::get_bit_size_sval): New vfunc.
(offset_region::get_bit_offset): New decl.
(offset_region::get_bit_size_sval): New decl.
(sized_region::get_bit_size_sval): New decl.
(bit_range_region::get_bit_size_sval): New decl.
* store.cc (bit_range::intersects_p): New, based on
byte_range::intersects_p.
(bit_range::exceeds_p): New, based on byte_range::exceeds_p.
(bit_range::falls_short_of_p): New, based on
byte_range::falls_short_of_p.
(byte_range::intersects_p): Delete.
(byte_range::exceeds_p): Delete.
(byte_range::falls_short_of_p): Delete.
* store.h (bit_range::intersects_p): New overload.
(bit_range::exceeds_p): New.
(bit_range::falls_short_of_p): New.
(byte_range::intersects_p): Delete.
(byte_range::exceeds_p): Delete.
(byte_range::falls_short_of_p): Delete.
gcc/testsuite/ChangeLog:
PR analyzer/112792
* c-c++-common/analyzer/out-of-bounds-pr112792.c: New test.
Signed-off-by: David Malcolm <dmalcolm@redhat.com>
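The following C program is an added illustration of the byte-versus-bit granularity problem described in the PR analyzer/112792 message above; it is not code from the commit or from GCC's analyzer. It reproduces the quoted union to compute its size, then models the two bounds checks the message contrasts with two small functions of my own (byte_access_exceeds_p and bit_access_exceeds_p, hypothetical names). The bit offset (8) and width (20) of "pasid" are read off the declaration by hand, since offsetof cannot be applied to bitfields; the "storage unit widened to 32 bits, offset rounded to byte 1" modelling of the pre-fix behaviour is taken from the message's description, not from the analyzer's source.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

typedef uint32_t u32;

/* The packed union quoted in the commit message (from the Linux kernel's
   drivers/dma/idxd/device.c), reproduced so its size can be computed.  */
union msix_perm {
  struct {
    u32 rsvd2 : 8;
    u32 pasid : 20;
  };
  u32 bits;
} __attribute__((__packed__));

/* Layout facts about "pasid", taken from the declaration above: it follows
   the 8-bit "rsvd2" field and is 20 bits wide.  (offsetof cannot be applied
   to bitfields, so these are stated by hand.)  */
#define PASID_BIT_OFFSET 8L
#define PASID_BIT_WIDTH  20L

/* Byte-granularity check, modelling the pre-fix behaviour the message
   describes (hypothetical helper): returns 1 when
   [byte_offset, byte_offset + num_bytes) runs past byte_capacity bytes.  */
int
byte_access_exceeds_p (long byte_offset, long num_bytes, long byte_capacity)
{
  return byte_offset + num_bytes > byte_capacity;
}

/* Bit-granularity check, modelling the post-fix behaviour (hypothetical
   helper): returns 1 when [bit_offset, bit_offset + num_bits) runs past
   bit_capacity bits.  */
int
bit_access_exceeds_p (long bit_offset, long num_bits, long bit_capacity)
{
  return bit_offset + num_bits > bit_capacity;
}

/* The "pasid" access under the byte model: the offset is rounded down to
   byte 1 and the access widened to the field's 32-bit storage unit, i.e.
   4 bytes starting at byte 1 of a 4-byte union.  Returns 1, which is the
   false positive the message reports.  */
int
pasid_flagged_by_byte_model (void)
{
  long byte_capacity = (long) sizeof (union msix_perm);      /* 4 */
  long storage_unit_bytes = (long) sizeof (u32);             /* 4 */
  return byte_access_exceeds_p (PASID_BIT_OFFSET / 8, storage_unit_bytes,
                                byte_capacity);
}

/* The same access under the bit model: bits 8..27 of a 32-bit region.
   Returns 0, i.e. no warning.  */
int
pasid_flagged_by_bit_model (void)
{
  long bit_capacity = (long) sizeof (union msix_perm) * 8;   /* 32 */
  return bit_access_exceeds_p (PASID_BIT_OFFSET, PASID_BIT_WIDTH,
                               bit_capacity);
}

/* A genuine overrun under the bit model, showing it still catches real
   out-of-bounds accesses: a full 32-bit read starting at bit 8 would need
   bits 8..39 of a 32-bit region.  Returns 1.  */
int
wide_read_flagged_by_bit_model (void)
{
  long bit_capacity = (long) sizeof (union msix_perm) * 8;   /* 32 */
  return bit_access_exceeds_p (PASID_BIT_OFFSET, (long) sizeof (u32) * 8,
                               bit_capacity);
}

int
main (void)
{
  printf ("sizeof (union msix_perm) = %zu\n", sizeof (union msix_perm));
  printf ("pasid, byte model: %s\n",
          pasid_flagged_by_byte_model () ? "out-of-bounds (false positive)"
                                         : "ok");
  printf ("pasid, bit model:  %s\n",
          pasid_flagged_by_bit_model () ? "out-of-bounds" : "ok");
  printf ("32-bit read at bit 8, bit model: %s\n",
          wide_read_flagged_by_bit_model () ? "out-of-bounds" : "ok");
  return 0;
}
```

The byte model flags "pasid" because 1 + 4 > 4, while the bit model accepts it because 8 + 20 <= 32; the last function shows that a real 32-bit read at bit 8 is still rejected, so moving to bit granularity removes the false positive without weakening the check. Symbolic offsets, as the message notes, remain byte-granular and are not modelled here.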
Avoid copying eedges in infinite_loop::infinite_loop.
Use initializer lists in the various places reported in
PR analyzer/112655 (apart from coord_test's ctor, which
would require nontrivial refactoring).
gcc/analyzer/ChangeLog:
PR analyzer/112655
* infinite-loop.cc (infinite_loop::infinite_loop): Pass eedges
via rvalue reference rather than by value.
(starts_infinite_loop_p): Move eedges when constructing an
infinite_loop instance.
* sm-file.cc (fileptr_state_machine::fileptr_state_machine): Use
initializer list for states.
* sm-sensitive.cc
(sensitive_state_machine::sensitive_state_machine): Likewise.
* sm-signal.cc (signal_state_machine::signal_state_machine):
Likewise.
* sm-taint.cc (taint_state_machine::taint_state_machine):
Likewise.
* varargs.cc (va_list_state_machine::va_list_state_machine): Likewise.
Signed-off-by: David Malcolm <dmalcolm@redhat.com>
In r14-5566-g841008d3966c0f I added a new ctor for
feasibility_state, but failed to call bitmap_clear
on m_snodes_visited.
Fixed thusly.
gcc/analyzer/ChangeLog:
PR analyzer/112955
* engine.cc (feasibility_state::feasibility_state): Initialize
m_snodes_visited.
Signed-off-by: David Malcolm <dmalcolm@redhat.com>
maybe_undo_optimize_bit_field_compare.
The check for the type seems unnecessary and gets in the way sometimes.
Also with a patch I am working on for match.pd, it causes a failure to happen.
Before my patch the IR was:
_1 = BIT_FIELD_REF <s, 8, 16>;
_2 = _1 & 1;
_3 = _2 != 0;
_4 = (int) _3;
__analyzer_eval (_4);
Where _2 was an unsigned char type.
And After my patch we have:
_1 = BIT_FIELD_REF <s, 8, 16>;
_2 = (int) _1;
_3 = _2 & 1;
__analyzer_eval (_3);
But in this case, the BIT_AND_EXPR is in an int type.
OK? Bootstrapped and tested on x86_64-linux-gnu with no regressions.
gcc/analyzer/ChangeLog:
* region-model-manager.cc (maybe_undo_optimize_bit_field_compare): Remove
the check for type being unsigned_char_type_node.
gcc/analyzer/ChangeLog:
* sm-taint.cc (taint_state_machine::alt_get_inherited_state): Fix
handling of TRUNC_MOD_EXPR.
gcc/testsuite/ChangeLog:
* c-c++-common/analyzer/taint-modulus-1.c: New test.
Signed-off-by: David Malcolm <dmalcolm@redhat.com>