| Age | Commit message (Collapse) | Author | Files | Lines |
|---|
|
Fixes to exploded_path::feasible_p exposed a pre-existing bug
with pointer NULL-ness for pointers to symbolic_region.
symbolic_region has an "m_possibly_null" flag which if set means
that a region_svalue pointing to that region is treated as possibly
NULL. Adding a constraint of "!= NULL" on an edge records that
the pointer is non-NULL, but doesn't affect other pointers (e.g.
if the first if a void *, but the other pointers are cast to other
pointer types). This showed up in the tests
gcc.dg/analyzer/data-model-5b.c and -5c.c, which malloc a buffer
and test for NULL, but then cast that to a struct * and later test
that struct *: a path for the first test being non-NULL and the
second being NULL was erroneously found to be feasible.
This patch clears the m_possibly_null flag when a "!= NULL" constraint
is added, fixing that erroneous path (but not yet fixing the false
positive in the above tests, which seems to go on to hit a different
issue). It also adds the field to dumps.
gcc/analyzer/ChangeLog:
* program-state.cc (selftest::test_program_state_dumping): Update
expected dump to include symbolic_region's possibly_null field.
* region-model.cc (symbolic_region::print_fields): New vfunc
implementation.
(region_model::add_constraint): Clear m_possibly_null from
symbolic_regions now known to be non-NULL.
(selftest::test_malloc_constraints): New selftest.
(selftest::analyzer_region_model_cc_tests): Call it.
* region-model.h (region::dyn_cast_symbolic_region): Add non-const
overload.
(symbolic_region::dyn_cast_symbolic_region): Implement it.
(symbolic_region::print_fields): New vfunc override decl.
gcc/testsuite/ChangeLog:
* gcc.dg/analyzer/data-model-5b.c: Add xfail for new false
positive leak.
* gcc.dg/analyzer/data-model-5c.c: Likewise.
* gcc.dg/analyzer/malloc-5.c: New test.
|
|
This patch extends -fdump-analyzer-supergraph so that rather than just
dumping a DUMP_BASE_NAME.supergraph.dot at the start of analysis, it
also dumps a DUMP_BASE_NAME.supergraph-eg.dot at the end.
The new dump file contains a concise dump of the exploded_graph,
organized with respect to the supergraph and its statements. The
exploded nodes are colorized to show sm-state, but no other state
is shown. Per exploded_node saved_diagnostics are also shown,
along with feasibility of the paths to reach them.
I've been finding this a useful way of tracking down issues in
exploded_graphs that are sufficiently large that the output of
-fdump-analyzer-exploded-graph becomes unwieldy.
The patch extends feasiblity-testing so that if the exploded_path
for a saved_diagnostic is found to be infeasible, the reason is
saved and written into the saved_diagnostic, so it can be shown in the
dump. I've found this very useful when tracking down feasibility
issues.
I'm keeping the initial dump file as it's useful when tracking down
ICEs within the analyzer (which would stop the second dump file being
written).
gcc/analyzer/ChangeLog:
* analyzer.h (class feasibility_problem): New forward decl.
* diagnostic-manager.cc (saved_diagnostic::saved_diagnostic):
Initialize new fields m_status, m_epath_length, and m_problem.
(saved_diagnostic::~saved_diagnostic): Delete m_problem.
(dedupe_candidate::dedupe_candidate): Convert "sd" param from a
const ref to a mutable ptr.
(dedupe_winners::add): Convert "sd" param from a const ref to a
mutable ptr. Record the length of the exploded_path. Record the
feasibility/infeasibility of sd into sd, capturing a
feasibility_problem when feasible_p fails, and storing it in sd.
(diagnostic_manager::emit_saved_diagnostics): Update for pass by
ptr rather than by const ref.
* diagnostic-manager.h (class saved_diagnostic): Add new enum
status. Add fields m_status, m_epath_length and m_problem.
(saved_diagnostic::set_feasible): New member function.
(saved_diagnostic::set_infeasible): New member function.
(saved_diagnostic::get_feasibility_problem): New accessor.
(saved_diagnostic::get_status): New accessor.
(saved_diagnostic::set_epath_length): New member function.
(saved_diagnostic::get_epath_length): New accessor.
* engine.cc: Include "gimple-pretty-print.h".
(exploded_path::feasible_p): Add OUT param and, if non-NULL, write
a new feasibility_problem to it on failure.
(viz_callgraph_node::dump_dot): Convert begin_tr calls to
begin_trtd. Convert end_tr calls to end_tdtr.
(class exploded_graph_annotator): New subclass of dot_annotator.
(impl_run_checkers): Add a second -fdump-analyzer-supergraph dump
after the analysis runs, using exploded_graph_annotator. dumping
to DUMP_BASE_NAME.supergraph-eg.dot.
* exploded-graph.h (exploded_node::get_dot_fillcolor): Make
public.
(exploded_path::feasible_p): Add OUT param.
(class feasibility_problem): New class.
* state-purge.cc (state_purge_annotator::add_node_annotations):
Return a bool, add a "within_table" param.
(print_vec_of_names): Convert begin_tr calls to begin_trtd.
Convert end_tr calls to end_tdtr.
(state_purge_annotator::add_stmt_annotations): Add "within_row"
param.
* state-purge.h ((state_purge_annotator::add_node_annotations):
Return a bool, add a "within_table" param.
(state_purge_annotator::add_stmt_annotations): Add "within_row"
param.
* supergraph.cc (supernode::dump_dot): Call add_node_annotations
twice: as before, passing false for "within_table", then again
with true when within the TABLE element. Convert some begin_tr
calls to begin_trtd, and some end_tr calls to end_tdtr.
Repeat each add_stmt_annotations call, distinguishing between
calls that add TRs and those that add TDs to an existing TR.
Add a call to add_after_node_annotations.
* supergraph.h (dot_annotator::add_node_annotations): Add a
"within_table" param.
(dot_annotator::add_stmt_annotations): Add a "within_row" param.
(dot_annotator::add_after_node_annotations): New vfunc.
gcc/ChangeLog:
* doc/invoke.texi (-fdump-analyzer-supergraph): Document that this
now emits two .dot files.
* graphviz.cc (graphviz_out::begin_tr): Only emit a TR, not a TD.
(graphviz_out::end_tr): Only close a TR, not a TD.
(graphviz_out::begin_td): New.
(graphviz_out::end_td): New.
(graphviz_out::begin_trtd): New, replacing the old implementation
of graphviz_out::begin_tr.
(graphviz_out::end_tdtr): New, replacing the old implementation
of graphviz_out::end_tr.
* graphviz.h (graphviz_out::begin_td): New decl.
(graphviz_out::end_td): New decl.
(graphviz_out::begin_trtd): New decl.
(graphviz_out::end_tdtr): New decl.
gcc/testsuite/ChangeLog:
* gcc.dg/analyzer/dot-output.c: Check that
dot-output.c.supergraph-eg.dot is valid.
|
|
gcc/analyzer/ChangeLog:
* diagnostic-manager.cc (dedupe_winners::add): Show the
exploded_node index in the log messages.
(diagnostic_manager::emit_saved_diagnostics): Log a summary of
m_saved_diagnostics at entry.
|
|
gcc/analyzer/ChangeLog:
* supergraph.cc (superedge::dump): Add space before description;
move newline to non-pretty_printer overload.
|
|
The previous implementation of summarized dumps within
region_model::dump_to_pp showed only the "top-level" keys within the
current frame and for globals, and thus didn't e.g. show the values
of fields of structs, or elements of arrays.
This patch rewrites it to gather a vec of representative path_vars
for all regions, using this to generate the dump, so that all expressible
lvalues ought to make it to the summarized dump.
gcc/analyzer/ChangeLog:
* region-model.cc: Include "stor-layout.h".
(region_model::dump_to_pp): Rather than calling
dump_summary_of_map on each of the current frame and the globals,
instead get a vec of representative path_vars for all regions,
and then dump a summary of all of them.
(region_model::dump_summary_of_map): Delete, rewriting into...
(region_model::dump_summary_of_rep_path_vars): ...this new
function, working on a vec of path_vars.
(region_model::set_value): New overload.
(region_model::get_representative_path_var): Rename
"parent_region" local to "parent_reg" and consolidate with other
local. Guard test for grandparent being stack on parent_reg being
non-NULL. Move handling for parent being an array_region to
within guard for parent_reg being non-NULL.
(selftest::make_test_compound_type): New function.
(selftest::test_dump_2): New selftest.
(selftest::test_dump_3): New selftest.
(selftest::test_stack_frames): Update expected output from
simplified dump to show "a" and "b" from parent frame and "y" in
child frame.
(selftest::analyzer_region_model_cc_tests): Call test_dump_2 and
test_dump_3.
* region-model.h (region_model::set_value): New overload decl.
(region_model::dump_summary_of_map): Delete.
(region_model::dump_summary_of_rep_path_vars): New.
|
|
tentative_region_model_context and test_region_model_context are both
forced to implement numerous pure virtual vfuncs of the abstract
region_model_context.
This patch adds a noop_region_model_context which provides empty
implementations of all of region_model_context's pure virtual functions,
and subclasses the above classes from that, rather than from
region_model_context directly.
gcc/analyzer/ChangeLog:
* region-model.h (class noop_region_model_context): New subclass
of region_model_context.
(class tentative_region_model_context): Inherit from
noop_region_model_context rather than from region_model_context;
drop redundant vfunc implementations.
(class test_region_model_context): Likewise.
|
|
I have followup work that touches this, so it's easiest to get this
cleanup in first.
gcc/analyzer/ChangeLog:
* engine.cc (exploded_node::exploded_node): Move implementation
here from header; accept point_and_state by const reference rather
than by value.
* exploded-graph.h (exploded_node::exploded_node): Pass
point_and_state by const reference rather than by value. Move
body to engine.cc.
|
|
Another set of duplicated word fixes for things I've missed last time.
These include e.g. *.cc files I forgot about, or duplicated words at the start
or end of line.
2020-03-18 Jakub Jelinek <jakub@redhat.com>
* asan.c (get_mem_refs_of_builtin_call): Fix up duplicated word issue
in a comment.
* config/arc/arc.c (frame_stack_add): Likewise.
* gimple-loop-versioning.cc (loop_versioning::analyze_arbitrary_term):
Likewise.
* ipa-predicate.c (predicate::remap_after_inlining): Likewise.
* tree-ssa-strlen.h (handle_printf_call): Likewise.
* tree-ssa-strlen.c (is_strlen_related_p): Likewise.
* optinfo-emit-json.cc (optrecord_json_writer::add_record): Likewise.
analyzer/
* sm-malloc.cc (malloc_state_machine::on_stmt): Fix up duplicated word
issue in a comment.
* region-model.cc (region_model::make_region_for_unexpected_tree_code,
region_model::delete_region_and_descendents): Likewise.
* engine.cc (class exploded_cluster): Likewise.
* diagnostic-manager.cc (class path_builder): Likewise.
cp/
* constraint.cc (resolve_function_concept_check, subsumes_constraints,
strictly_subsumes): Fix up duplicated word issue in a comment.
* coroutines.cc (build_init_or_final_await, captures_temporary):
Likewise.
* logic.cc (dnf_size_r, cnf_size_r): Likewise.
* pt.c (append_type_to_template_for_access_check): Likewise.
d/
* expr.cc (ExprVisitor::visit (CatAssignExp *)): Fix up duplicated
word issue in a comment.
* d-target.cc (Target::FPTypeProperties<T>::max): Likewise.
fortran/
* class.c (generate_finalization_wrapper): Fix up duplicated word
issue in a comment.
* trans-types.c (gfc_get_nodesc_array_type): Likewise.
|
|
PR analyzer/94099 and PR analyzer/94105 both report ICEs relating to
calling region_model::get_lvalue on a NOP_EXPR.
PR analyzer/94099's ICE happens when generating a checker_path when
encountering an unhandled tree code (NOP_EXPR) in get_lvalue with a
NULL context (from for_each_state_change).
PR analyzer/94105 ICE happens when handling an ARRAY_REF where the
first operand is a NOP_EXPR: the unhandled tree code gives us
a symbolic_region, but the case for ARRAY_REF assumes we have an
array_region.
This patch fixes the ICEs by handling NOP_EXPR within
region_model::get_lvalue, and bulletproofs both of the above sources
of failure.
gcc/analyzer/ChangeLog:
PR analyzer/94099
PR analyzer/94105
* diagnostic-manager.cc (for_each_state_change): Bulletproof
against errors in get_rvalue by passing a
tentative_region_model_context and rejecting if there's an error.
* region-model.cc (region_model::get_lvalue_1): When handling
ARRAY_REF, handle results of error-handling. Handle NOP_EXPR.
gcc/testsuite/ChangeLog:
PR analyzer/94099
PR analyzer/94105
* gcc.dg/analyzer/pr94099.c: New test.
* gcc.dg/analyzer/pr94105.c: New test.
|
|
This patch extends region_model::get_representative_tree so that dumps
are able to refer to string literals, which I've found useful in
investigating a state-bloat issue.
Doing so uncovered a bug in the handling of views I introduced in
r10-7024-ge516294a1acb28aaaad44cfd583cc6a80354044e where the code was
erroneously using TREE_TYPE on the view region's type, rather than just
using its type, which the patch also fixes.
gcc/analyzer/ChangeLog:
* analyzer.h (class array_region): New forward decl.
* program-state.cc (selftest::test_program_state_dumping_2): New.
(selftest::analyzer_program_state_cc_tests): Call it.
* region-model.cc (array_region::constant_from_key): New.
(region_model::get_representative_tree): Handle region_svalue by
generating an ADDR_EXPR.
(region_model::get_representative_path_var): In view handling,
remove erroneous TREE_TYPE when determining the type of the tree.
Handle array regions and STRING_CST.
(selftest::assert_dump_tree_eq): New.
(ASSERT_DUMP_TREE_EQ): New macro.
(selftest::test_get_representative_tree): New selftest.
(selftest::analyzer_region_model_cc_tests): Call it.
* region-model.h (region::dyn_cast_array_region): New vfunc.
(array_region::dyn_cast_array_region): New vfunc implementation.
(array_region::constant_from_key): New decl.
gcc/testsuite/ChangeLog:
* gcc.dg/analyzer/malloc-4.c: Update expected output of leak to
reflect fix to region_model::get_representative_path_var, adding
the missing "*" from the cast.
|
|
This patch fixes a bug in which summarized state dumps involving a
non-NULL pointer to a region for which get_representative_path_var
returned NULL were erroneously dumped as "NULL".
It also extends sm-state dumps so that they show representative tree
values, where available.
Finally, it adds some selftest coverage for such dumps. Doing so
requires replacing some %qE with a dump_quoted_tree, to avoid
C vs C++ differences between "make selftest-c" and "make selftest-c++".
gcc/analyzer/ChangeLog:
* analyzer.h (dump_quoted_tree): New decl.
* engine.cc (exploded_node::dump_dot): Pass region model to
sm_state_map::print.
* program-state.cc: Include diagnostic-core.h.
(sm_state_map::print): Add "model" param and use it to print
representative trees. Only print origin information if non-null.
(sm_state_map::dump): Pass NULL for model to print call.
(program_state::print): Pass region model to sm_state_map::print.
(program_state::dump_to_pp): Use spaces rather than newlines when
summarizing. Pass region_model to sm_state_map::print.
(ana::selftest::assert_dump_eq): New function.
(ASSERT_DUMP_EQ): New macro.
(ana::selftest::test_program_state_dumping): New function.
(ana::selftest::analyzer_program_state_cc_tests): Call it.
* program-state.h (program_state::print): Add model param.
* region-model.cc (dump_quoted_tree): New function.
(map_region::print_fields): Use dump_quoted_tree rather than
%qE to avoid lang-dependent output.
(map_region::dump_child_label): Likewise.
(region_model::dump_summary_of_map): For SK_REGION, when
get_representative_path_var fails, print the region id rather than
erroneously printing NULL.
* sm.cc (state_machine::get_state_by_name): New function.
* sm.h (state_machine::get_state_by_name): New decl.
|
|
This patch converts region::validate to a vfunc, implementing
additional checking per subclass: verifying that various
region_id fields within map_region, array_region, stack_region and
root_region are valid, rather than just those within the base class.
Doing so caught bugs earlier in follow-up work I have on
canonicalization and purging of region_model.
gcc/analyzer/ChangeLog:
* region-model.cc (region::validate): Convert model param from ptr
to reference. Update comment to reflect that it's now a vfunc.
(map_region::validate): New vfunc implementation.
(array_region::validate): New vfunc implementation.
(stack_region::validate): New vfunc implementation.
(root_region::validate): New vfunc implementation.
(region_model::validate): Pass a reference rather than a pointer
to the region::validate vfunc.
* region-model.h (region::validate): Make virtual. Convert model
param from ptr to reference.
(map_region::validate): New vfunc decl.
(array_region::validate): New vfunc decl.
(stack_region::validate): New vfunc decl.
(root_region::validate): New vfunc decl.
|
|
The false warning:
pr93993.f90:19:0:
19 | allocate (tm) ! { dg-warning "dereference of possibly-NULL" }
|
Warning: dereference of possibly-NULL ‘_6’ [CWE-690] [-Wanalyzer-possible-null-dereference]
in the reproducer for PR analyzer/93993 is due to a BUILTIN_EXPECT in
the chain of SSA expressions between the malloc and the condition
guarding the edge: the analyzer didn't "know" about the relationship
between initial argument to BUILTIN_EXPECT and the return value.
This patch implements support for BUILTIN_EXPECT so that the return
value is known to be equal to the initial argument. This adds
constraints when exploring the CFG edges, eliminating the above
false positive.
Doing so also eliminated the leak warning from the reproducer. The
issue was that leaked_pvs was empty within
impl_region_model_context::on_state_leak, due to the leaking region
being a view, of type struct Pdtet_8 *, of a region of type
struct pdtet_8 *, which led region_model::get_representative_path_var to
return a NULL_TREE value.
Hence the patch also implements view support for
region_model::get_representative_path_var, restoring the leak
diagnostic, albeit changing the wording to:
Warning: leak of ‘(struct Pdtet_8) qb’ [CWE-401] [-Wanalyzer-malloc-leak]
It's not clear to me if we should emit leaks at a fortran "end program"
(currently we suppress them for leaks at the end of main).
gcc/analyzer/ChangeLog:
PR analyzer/93993
* region-model.cc (region_model::on_call_pre): Handle
BUILT_IN_EXPECT and its variants.
(region_model::add_any_constraints_from_ssa_def_stmt): Split out
gassign handling into add_any_constraints_from_gassign; add gcall
handling.
(region_model::add_any_constraints_from_gassign): New function,
based on the above. Add handling for NOP_EXPR.
(region_model::add_any_constraints_from_gcall): New function.
(region_model::get_representative_path_var): Handle views.
* region-model.h
(region_model::add_any_constraints_from_ssa_def_stmt): New decl.
(region_model::add_any_constraints_from_gassign): New decl.
gcc/testsuite/ChangeLog:
PR analyzer/93993
* gcc.dg/analyzer/expect-1.c: New test.
* gcc.dg/analyzer/malloc-4.c: New test.
* gfortran.dg/analyzer/pr93993.f90: Remove xfail from dg-bogus.
Move location of leak warning and update message.
|
|
PR analyzer/93993 reports another ICE within
diagnostic_manager::prune_for_sm_diagnostic in which the expression
of interest becomes a non-lvalue (similar to PR 93544, PR 93647, and
PR 93950), due to attempting to get an lvalue for a non-lvalue with a
NULL context, leading to an ICE when the failure is reported to
make_region_for_unexpected_tree_code. The tree in question is
an ADDR_EXPR of a VAR_DECL, due to:
event 11: switching var of interest from ‘tm’ in callee to ‘&qb’ in caller
This patch adds more bulletproofing to the routine by introducing
a tentative_region_model_context class that can be passed in such
circumstances which records that an error occurred, and then
checking to see if an error was recorded, thus avoiding the ICE.
This is papering over the problem, but a better solution seems more
like stage 1 material.
The patch also refactors the error-checking for CONSTANT_CLASS_P.
The testcase pr93993.f90 has a false positive:
pr93993.f90:19:0:
19 | allocate (tm) ! { dg-warning "dereference of possibly-NULL" }
|
Warning: dereference of possibly-NULL ‘_6’ [CWE-690] [-Wanalyzer-possible-null-dereference]
which appears to be a pre-existing bug affecting any allocate call in
Fortran, which I will fix in a followup.
gcc/analyzer/ChangeLog:
PR analyzer/93993
* checker-path.h (state_change_event::get_lvalue): Add ctxt param
and pass it to region_model::get_value call.
* diagnostic-manager.cc (get_any_origin): Pass a
tentative_region_model_context to the calls to get_lvalue and reject
the comparison if errors occur.
(can_be_expr_of_interest_p): New function.
(diagnostic_manager::prune_for_sm_diagnostic): Replace checks for
CONSTANT_CLASS_P with calls to update_for_unsuitable_sm_exprs.
Pass a tentative_region_model_context to the calls to
state_change_event::get_lvalue and reject the comparison if errors
occur.
(diagnostic_manager::update_for_unsuitable_sm_exprs): New.
* diagnostic-manager.h
(diagnostic_manager::update_for_unsuitable_sm_exprs): New decl.
* region-model.h (class tentative_region_model_context): New class.
gcc/testsuite/ChangeLog:
PR analyzer/93993
* gfortran.dg/analyzer/pr93993.f90: New test.
|
|
gcc/analyzer/ChangeLog:
* engine.cc (worklist::worklist): Remove unused field m_eg.
(class viz_callgraph_edge): Remove unused field m_call_sedge.
(class viz_callgraph): Remove unused field m_sg.
* exploded-graph.h (worklist::::m_eg): Remove unused field.
|
|
The note about duplicates attached to analyzer diagnostics feels like an
implementation detail; it's likely just noise from the perspective of an
end-user.
This patch disables it by default, introducing a flag to re-enable it.
gcc/analyzer/ChangeLog:
* analyzer.opt (fanalyzer-show-duplicate-count): New option.
* diagnostic-manager.cc
(diagnostic_manager::emit_saved_diagnostic): Use the above to
guard the printing of the duplicate count.
gcc/ChangeLog:
* doc/invoke.texi (-fanalyzer-show-duplicate-count): New.
gcc/testsuite/ChangeLog:
* gcc.dg/analyzer/CVE-2005-1689-dedupe-issue.c: Add
-fanalyzer-show-duplicate-count.
|
|
PR analyzer/93959 reported that g++.dg/analyzer/malloc.C was failing
with no output on Solaris.
The issue is that <stdlib.h> there has "using std::free;", converting
all the "free" calls to std::free, which fails the name-matching via
is_named_call_p.
This patch implements an is_std_named_call_p variant of is_named_call_p
to check for the name within "std", and uses it in sm-malloc.c to check
for std::malloc, std::calloc, and std::free.
gcc/analyzer/ChangeLog:
PR analyzer/93959
* analyzer.cc (is_std_function_p): New function.
(is_std_named_call_p): New functions.
* analyzer.h (is_std_named_call_p): New decl.
* sm-malloc.cc (malloc_state_machine::on_stmt): Check for "std::"
variants when checking for malloc, calloc and free.
gcc/testsuite/ChangeLog:
PR analyzer/93959
* g++.dg/analyzer/cstdlib-2.C: New test.
* g++.dg/analyzer/cstdlib.C: New test.
|
|
PR analyzer/93950 reports an ICE when pruning the path of a
-Wanalyzer-null-dereference diagnostic.
The root cause is a bug in the state-tracking code, in which the
variable of interest is tracked from the callee to a "nullptr" param
at the caller, whereupon we have an INTEGER_CST "variable", and
the attempt to look up its lvalue fails.
This code could use a rewrite; in the meantime this patch extends
the bulletproofing from g:8525d1f5f57b11fe04a97674cc2fc2b7727621d0
for PR analyzer/93544 to all of the various places where var can
be updated, fixing the ICE.
gcc/analyzer/ChangeLog:
PR analyzer/93950
* diagnostic-manager.cc
(diagnostic_manager::prune_for_sm_diagnostic): Assert that var is
either NULL or not a constant. When updating var, bulletproof
against constant values.
gcc/testsuite/ChangeLog:
PR analyzer/93950
* g++.dg/analyzer/pr93950.C: New test.
|
|
PR analyzer/93947 reports an ICE at -O1 when attempting to analyze a
call that has been optimized away as unreachable.
The root cause is a NULL dereference due to the fndecl having a NULL
cgraph_node: the cgraph_node was created by
pass_build_cgraph_edges::execute, but was later removed by
symbol_table::remove_unreachable_nodes before the analyzer pass.
This patch fixes it by checking for NULL before handling the
cgraph_node.
The reproducer demonstrates a weakness in the analyzer's constraint
handling, where region_model::apply_constraints_for_gswitch fails
to spot when the cases fully cover the data type, and thus make the
default impossible. For now this is xfail-ed in the testcase.
gcc/analyzer/ChangeLog:
PR analyzer/93947
* region-model.cc (region_model::get_fndecl_for_call): Gracefully
fail for fn_decls that don't have a cgraph_node.
gcc/testsuite/ChangeLog:
PR analyzer/93947
* gcc.dg/analyzer/torture/pr93947.c: New test.
|
|
This patch adds various information to -fdump-analyzer and
-fdump-analyzer-stderr to make it easier to track down
problems with state explosions in the exploded_graph.
It logs the number of unprocessed nodes in the worklist, for
the case where the upper limit on exploded nodes is reached.
It prints:
[a] a bar chart showing the number of exploded nodes by function, and
[b] bar charts for each function showing the number of exploded nodes
per supernode/BB, and
[c] bar charts for each function showing the number of excess exploded
nodes per supernode/BB beyond the limit
(--param=analyzer-max-enodes-per-program-point), where that limit
was reached
I've found these helpful in finding exactly where we fail to consolidate
state, leading to state explosions and false negatives due to the
thresholds being reached.
The patch also adds a "superedge::dump" member function I found myself
needing.
gcc/ChangeLog:
* Makefile.in (ANALYZER_OBJS): Add analyzer/bar-chart.o.
gcc/analyzer/ChangeLog:
* bar-chart.cc: New file.
* bar-chart.h: New file.
* engine.cc: Include "analyzer/bar-chart.h".
(stats::log): Only log the m_num_nodes kinds that are non-zero.
(stats::dump): Likewise when dumping.
(stats::get_total_enodes): New.
(exploded_graph::get_or_create_node): Increment the per-point-data
m_excess_enodes when hitting the per-program-point limit on
enodes.
(exploded_graph::print_bar_charts): New.
(exploded_graph::log_stats): Log the number of unprocessed enodes
in the worklist. Call print_bar_charts.
(exploded_graph::dump_stats): Print the number of unprocessed
enodes in the worklist.
* exploded-graph.h (stats::get_total_enodes): New decl.
(struct per_program_point_data): Add field m_excess_enodes.
(exploded_graph::print_bar_charts): New decl.
* supergraph.cc (superedge::dump): New.
(superedge::dump): New.
* supergraph.h (supernode::get_function): New.
(superedge::dump): New decl.
(superedge::dump): New decl.
|
|
This patch fixes a bug with -fdump-analyzer, which is meant to write
purely a dumpfile, but was erroneously sending part of the dump to
stderr.
gcc/analyzer/ChangeLog:
* engine.cc (exploded_graph::get_or_create_node): Dump the
program_state to the pp, rather than to stderr.
|
|
PR analyzer/93032 tracks a false negative where we fail to report
FILE * leaks within zlib/contrib/minizip/mztools.c.
The underlying issue is a combinatorial explosion of states within the
exploded graph. In particular, the state of the "taint" checker is
exploding, leading to the analyzer bailing out.
I have a patch kit under construction that fixes the state explosion
issue enough for the "file" checker to report the leaks, but doing so
requires disabling the "taint" checker. Given that the latter is more
of a proof-of-concept, this patch disables it by default, to stop it
breaking the other checkers.
gcc/analyzer/ChangeLog:
PR analyzer/93032
* sm.cc (make_checkers): Require the "taint" checker to be
explicitly enabled.
gcc/ChangeLog:
PR analyzer/93032
* doc/invoke.texi (-Wnanalyzer-tainted-array-index): Note that
-fanalyzer-checker=taint is also required.
(-fanalyzer-checker=): Note that providing this option enables the
given checker, and doing so may be required for checkers that are
disabled by default.
gcc/testsuite/ChangeLog:
PR analyzer/93032
* gcc.dg/analyzer/pr93382.c: Add "-fanalyzer-checker=taint".
* gcc.dg/analyzer/taint-1.c: Likewise.
|
|
PR analyzer/93899 reports an ICE within make_region_for_type when
handling a param of type OFFSET_TYPE within
exploded_graph::add_function_entry.
This patch fixes the ICE by further generalizing the "give up on this
tree code" logic from
r10-6667-gf76a88ebf089871dcce215aa0cb1956ccc060895
for PR analyzer/93388 and
r10-6695-g2e6233935c77b56a68e939c629702f960b8e6fb2
for PR analyzer/93778
by replacing the gcc_unreachable in make_region_for_type with a return
of NULL, and handling this in add_region_for_type by notifying the ctxt.
Doing so means that numerous places that create regions now need to have
a context passed to them, so most of the patch is churn involved in
passing a context around to where it's needed.
gcc/analyzer/ChangeLog:
PR analyzer/93899
* engine.cc
(impl_region_model_context::impl_region_model_context): Add logger
param.
* engine.cc (exploded_graph::add_function_entry): Create an
impl_region_model_context and pass it to the push_frame call.
Bail if the resulting state is invalid.
(exploded_graph::build_initial_worklist): Likewise.
(exploded_graph::build_initial_worklist): Handle the case where
add_function_entry fails.
* exploded-graph.h
(impl_region_model_context::impl_region_model_context): Add logger
param.
* region-model.cc (map_region::get_or_create): Add ctxt param and
pass it to add_region_for_type.
(map_region::can_merge_p): Pass NULL as a ctxt to call to
get_or_create.
(array_region::get_element): Pass ctxt to call to get_or_create.
(array_region::get_or_create): Add ctxt param and pass it to
add_region_for_type.
(root_region::push_frame): Pass ctxt to get_or_create calls.
(region_model::get_lvalue_1): Likewise.
(region_model::make_region_for_unexpected_tree_code): Assert that
ctxt is non-NULL.
(region_model::get_rvalue_1): Pass ctxt to get_svalue_for_fndecl
and get_svalue_for_label calls.
(region_model::get_svalue_for_fndecl): Add ctxt param and pass it
to get_region_for_fndecl.
(region_model::get_region_for_fndecl): Add ctxt param and pass it
to get_or_create.
(region_model::get_svalue_for_label): Add ctxt param and pass it
to get_region_for_label.
(region_model::get_region_for_label): Add ctxt param and pass it
to get_region_for_fndecl and get_or_create.
(region_model::get_field_region): Add ctxt param and pass it to
get_or_create_view and get_or_create.
(make_region_for_type): Replace gcc_unreachable with return NULL.
(region_model::add_region_for_type): Add ctxt param. Handle a
return of NULL from make_region_for_type by calling
make_region_for_unexpected_tree_code.
(region_model::get_or_create_mem_ref): Pass ctxt to calls to
get_or_create_view.
(region_model::get_or_create_view): Add ctxt param and pass it to
add_region_for_type.
(selftest::test_state_merging): Pass ctxt to get_or_create_view.
* region-model.h (region_model::get_or_create): Add ctxt param.
(region_model::add_region_for_type): Likewise.
(region_model::get_svalue_for_fndecl): Likewise.
(region_model::get_svalue_for_label): Likewise.
(region_model::get_region_for_fndecl): Likewise.
(region_model::get_region_for_label): Likewise.
(region_model::get_field_region): Likewise.
(region_model::get_or_create_view): Likewise.
gcc/testsuite/ChangeLog:
PR analyzer/93899
* g++.dg/analyzer/pr93899.C: New test.
|
|
Paths emitted by the analyzer can be quite verbose at the default of
-fanalyzer-verbosity=2.
Consider the double-free in this example:
#include <stdlib.h>
int foo ();
int bar ();
void test (int a, int b, int c)
{
void *p = malloc (1024);
while (a)
foo ();
if (b)
foo ();
else
bar ();
if (c)
free (p);
free (p);
}
Previously, the analyzer would emit a checker_path containing all
control-flow information on the exploded_path leading to the
double-free:
test.c: In function 'test':
test.c:17:3: warning: double-'free' of 'p' [CWE-415] [-Wanalyzer-double-free]
17 | free (p);
| ^~~~~~~~
'test': events 1-9
|
| 8 | void *p = malloc (1024);
| | ^~~~~~~~~~~~~
| | |
| | (1) allocated here
| 9 | while (a)
| | ~
| | |
| | (2) following 'false' branch (when 'a == 0')...
| 10 | foo ();
| 11 | if (b)
| | ~
| | |
| | (3) ...to here
| | (4) following 'false' branch (when 'b == 0')...
|......
| 14 | bar ();
| | ~~~~~~
| | |
| | (5) ...to here
| 15 | if (c)
| | ~
| | |
| | (6) following 'true' branch (when 'c != 0')...
| 16 | free (p);
| | ~~~~~~~~
| | |
| | (7) ...to here
| | (8) first 'free' here
| 17 | free (p);
| | ~~~~~~~~
| | |
| | (9) second 'free' here; first 'free' was at (8)
|
despite the fact that only the "if (c)" is relevant to triggering the
double-free.
This patch implements pruning of control flow events at
-fanalyzer-verbosity=2, based on reachability information within the
exploded_graph.
The diagnostic_manager pre-computes reachability information about
which exploded_nodes can reach the exploded_node of the diagnostic,
and uses this to prune irrelvent control flow edges.
The patch also adds a -fanalyzer-verbosity=3 to preserve these edges,
so that the "show me everything" debugging level becomes
-fanalyzer-verbosity=4.
With these changes, the "while (a)" and "if (b)" edges are pruned from
the above example, leading to:
test.c: In function 'test':
test.c:17:3: warning: double-'free' of 'p' [CWE-415] [-Wanalyzer-double-free]
17 | free (p);
| ^~~~~~~~
'test': events 1-5
|
| 8 | void *p = malloc (1024);
| | ^~~~~~~~~~~~~
| | |
| | (1) allocated here
|......
| 15 | if (c)
| | ~
| | |
| | (2) following 'true' branch (when 'c != 0')...
| 16 | free (p);
| | ~~~~~~~~
| | |
| | (3) ...to here
| | (4) first 'free' here
| 17 | free (p);
| | ~~~~~~~~
| | |
| | (5) second 'free' here; first 'free' was at (4)
|
The above example is gcc.dg/analyzer/edges-2.c.
gcc/analyzer/ChangeLog:
* checker-path.cc (superedge_event::should_filter_p): Update
filter for empty descriptions to cover verbosity level 3 as well
as 2.
* diagnostic-manager.cc: Include "analyzer/reachability.h".
(class path_builder): New class.
(diagnostic_manager::emit_saved_diagnostic): Create a path_builder
and pass it to build_emission_path, rather passing eg; similarly
for add_events_for_eedge and ext_state.
(diagnostic_manager::build_emission_path): Replace "eg" param
with a path_builder, pass it to add_events_for_eedge.
(diagnostic_manager::add_events_for_eedge): Replace ext_state
param with path_builder; pass it to add_events_for_superedge.
(diagnostic_manager::significant_edge_p): New.
(diagnostic_manager::add_events_for_superedge): Add path_builder
param. Reject insignificant edges at verbosity levels below 3.
(diagnostic_manager::prune_for_sm_diagnostic): Update highest
verbosity level to 4.
* diagnostic-manager.h (class path_builder): New forward decl.
(diagnostic_manager::build_emission_path): Replace "eg" param
with a path_builder.
(diagnostic_manager::add_events_for_eedge): Replace ext_state
param with path_builder.
(diagnostic_manager::significant_edge_p): New.
(diagnostic_manager::add_events_for_superedge): Add path_builder
param.
* reachability.h: New file.
gcc/ChangeLog:
* doc/invoke.texi (-fanalyzer-verbosity=): "2" only shows
significant control flow events; add a "3" which shows all
control flow events; the old "3" becomes "4".
gcc/testsuite/ChangeLog:
* gcc.dg/analyzer/analyzer-verbosity-2a.c: New test.
* gcc.dg/analyzer/analyzer-verbosity-3.c: New test, based on
analyzer-verbosity-2.c
* gcc.dg/analyzer/analyzer-verbosity-3a.c: New test.
* gcc.dg/analyzer/edges-1.c: New test.
* gcc.dg/analyzer/edges-2.c: New test.
* gcc.dg/analyzer/file-paths-1.c: Add -fanalyzer-verbosity=3.
|
|
gcc/analyzer/ChangeLog:
PR analyzer/93692
* analyzer.opt (fdump-analyzer-callgraph): Rewrite description.
|
|
PR analyzer/93777 reports ICEs in a Fortran and C++ case involving
a cast of a NULL pointer to a REFERENCE_TYPE.
In both cases the call to build_cast fails and returns a NULL type, but
region_model::maybe_cast_1 asserts that a non-NULL type was returned.
This patch fixes the ICEs by converting the assertion to a conditional.
gcc/analyzer/ChangeLog:
PR analyzer/93777
* region-model.cc (region_model::maybe_cast_1): Replace assertion
that build_cast returns non-NULL with a conditional, falling
through to the logic which returns a new unknown value of the
desired type if it fails.
gcc/testsuite/ChangeLog:
PR analyzer/93777
* g++.dg/analyzer/pr93777.C: New test.
* gfortran.dg/analyzer/pr93777.f90: New test.
|
|
PR analyzer/93778 reports an ICE with -fanalyzer on a gfortran test case
at this gimple stmt:
_gfortran_st_set_nml_var (&dt_parm.0, &ro.xi.jq, &"ro%xi%jq"[1]{lb: 1 sz: 1}, 4, 0, D.3913);
where ro.xi.jq is a COMPONENT_REF, but ro.xi is of type "struct bl[3]".
The analyzer's handling of COMPONENT_REF assumes that the type of the
1st argument is a RECORD_TYPE or UNION_TYPE, whereas in this case it's
an ARRAY_TYPE, leading to a failed as_a inside
region_model::get_field_region.
This patch fixes the ICE by generalizing the "give up on this tree code"
logic from r10-6667-gf76a88ebf089871dcce215aa0cb1956ccc060895 for
PR analyzer/93388, so that the analyzer gives up when it needs to get an
lvalue for a COMPONENT_REF on something other than a RECORD_TYPE or
UNION_TYPE.
gcc/analyzer/ChangeLog:
PR analyzer/93778
* engine.cc (impl_region_model_context::on_unknown_tree_code):
Rename to...
(impl_region_model_context::on_unexpected_tree_code): ...this and
convert first argument from path_var to tree.
(exploded_node::on_stmt): Pass ctxt to purge_for_unknown_fncall.
* exploded-graph.h (region_model_context::on_unknown_tree_code):
Rename to...
(region_model_context::on_unexpected_tree_code): ...this and
convert first argument from path_var to tree.
* program-state.cc (sm_state_map::purge_for_unknown_fncall): Add
ctxt param and pass on to calls to get_rvalue.
* program-state.h (sm_state_map::purge_for_unknown_fncall): Add
ctxt param.
* region-model.cc (region_model::handle_unrecognized_call): Pass
ctxt on to call to get_rvalue.
(region_model::get_lvalue_1): Move body of default case to
region_model::make_region_for_unexpected_tree_code and call it.
Within COMPONENT_REF case, reject attempts to handle types other
than RECORD_TYPE and UNION_TYPE.
(region_model::make_region_for_unexpected_tree_code): New
function, based on default case of region_model::get_lvalue_1.
* region-model.h
(region_model::make_region_for_unexpected_tree_code): New decl.
(region_model::on_unknown_tree_code): Rename to...
(region_model::on_unexpected_tree_code): ...this and convert first
argument from path_var to tree.
(class test_region_model_context): Update vfunc implementation for
above change.
gcc/testsuite/ChangeLog:
PR analyzer/93778
* gfortran.dg/analyzer/pr93778.f90: New test.
|
|
PR analyzer/93774 reports an ICE in gfortran with -fanalyzer within
region_model::convert_byte_offset_to_array_index on a pointer of
incomplete type ("character(kind=1)[0:][1:0] * restrict").
This patch bulletproofs the routine against incomplete types, fixing
the ICE.
gcc/analyzer/ChangeLog:
PR analyzer/93774
* region-model.cc
(region_model::convert_byte_offset_to_array_index): Use
int_size_in_bytes before calling size_in_bytes, to gracefully fail
on incomplete types.
gcc/testsuite/ChangeLog:
PR analyzer/93774
* gfortran.dg/analyzer/deferred_character_25.f90: New test,
based on gfortran.dg/deferred_character_25.f90.
|
|
PR analyzer/93775 reports an ICE in cgraph_node::get when -fanalyzer is
used on code that calls a function pointer that was generated via a cast
from a non-function.
This patch fixes it by bulletproofing region_model::get_fndecl_for_call
for the case where the code_region's get_tree_for_child_region returns
NULL.
gcc/analyzer/ChangeLog:
PR analyzer/93775
* region-model.cc (region_model::get_fndecl_for_call): Handle the
case where the code_region's get_tree_for_child_region returns
NULL.
gcc/testsuite/ChangeLog:
PR analyzer/93775
* gcc.dg/analyzer/20020129-1.c: New test.
|
|
There have been various ICEs with -fanalyzer involving unhandled tree
codes in region_model::get_lvalue_1; PR analyzer/93388 reports various
others e.g. for IMAGPART_EXPR, REALPART_EXPR, and VIEW_CONVERT_EXPR seen
when running the testsuite with -fanalyzer forcibly enabled.
Whilst we could implement lvalue-handling in the region model for every
tree code, for some of these we're straying far from my primary goal for
GCC 10 of implementing a double-free checker for C.
This patch implements a fallback for unimplemented tree codes: create a
dummy region, but mark the new state as being invalid, and stop
exploring state along this path. It also implements VIEW_CONVERT_EXPR.
Doing so fixes the ICEs, whilst effectively turning off the analyzer
along code paths that use such tree codes. Hopefully this compromise
is sensible for GCC 10.
gcc/analyzer/ChangeLog:
PR analyzer/93388
* engine.cc (impl_region_model_context::on_unknown_tree_code):
New.
(exploded_graph::get_or_create_node): Reject invalid states.
* exploded-graph.h
(impl_region_model_context::on_unknown_tree_code): New decl.
(point_and_state::point_and_state): Assert that the state is
valid.
* program-state.cc (program_state::program_state): Initialize
m_valid to true.
(program_state::operator=): Copy m_valid.
(program_state::program_state): Likewise for move constructor.
(program_state::print): Print m_valid.
(program_state::dump_to_pp): Likewise.
* program-state.h (program_state::m_valid): New field.
* region-model.cc (region_model::get_lvalue_1): Implement the
default case by returning a new symbolic region and calling
the context's on_unknown_tree_code, rather than issuing an
internal_error. Implement VIEW_CONVERT_EXPR.
* region-model.h (region_model_context::on_unknown_tree_code): New
vfunc.
(test_region_model_context::on_unknown_tree_code): New.
gcc/testsuite/ChangeLog:
PR analyzer/93388
* gcc.dg/analyzer/torture/20060625-1.c: New test.
* gcc.dg/analyzer/torture/pr51628-30.c: New test.
* gcc.dg/analyzer/torture/pr59037.c: New test.
|
|
This patch improves the wording of the state-transition event (1) in
the -Wanalyzer-null-dereference diagnostic for:
void test (void)
{
int *p = NULL;
*p = 1;
}
taking the path description from:
‘test’: events 1-2
|
| 5 | int *p = NULL;
| | ^
| | |
| | (1) assuming ‘p’ is NULL
| 6 | *p = 1;
| | ~~~~~~
| | |
| | (2) dereference of NULL ‘p’
|
to:
‘test’: events 1-2
|
| 5 | int *p = NULL;
| | ^
| | |
| | (1) ‘p’ is NULL
| 6 | *p = 1;
| | ~~~~~~
| | |
| | (2) dereference of NULL ‘p’
|
since the "assuming" at (1) only makes sense for state transitions
due to comparisons, not for assignments.
gcc/analyzer/ChangeLog:
* sm-malloc.cc (malloc_diagnostic::describe_state_change): For
transition to the "null" state, only say "assuming" when
transitioning from the "unchecked" state.
gcc/testsuite/ChangeLog:
* gcc.dg/analyzer/malloc-1.c (test_48): New.
|
|
gcc/analyzer/ChangeLog:
* diagnostic-manager.h (diagnostic_manager::get_saved_diagnostic):
Add const overload.
* engine.cc (exploded_node::dump_dot): Dump saved_diagnostics.
* exploded-graph.h (exploded_graph::get_diagnostic_manager): Add
const overload.
|
|
PR analyzer/93288 reports an ICE in a C++ testcase when calling a
constructor.
The issue is that when building the supergraph, we encounter the
cgraph edge to "__ct_comp ", the DECL_COMPLETE_CONSTRUCTOR_P, and
this node's DECL_STRUCT_FUNCTION has a NULL CFG, which the analyzer
reads through, leading to the ICE.
This patch reworks function and fndecl lookup at calls throughout the
analyzer so that it looks for the ultimate_alias_target of the callee.
In the case above, this means using the "__ct_base " for the ctor,
which has a CFG, fixing the ICE.
Getting this right allows for some simple C++ cases involving ctors to
work, so the patch also adds some test coverage for that.
gcc/analyzer/ChangeLog:
PR analyzer/93288
* analysis-plan.cc (analysis_plan::use_summary_p): Look through
the ultimate_alias_target when getting the called function.
* engine.cc (exploded_node::on_stmt): Rename second "ctxt" to
"sm_ctxt". Use the region_model's get_fndecl_for_call rather than
gimple_call_fndecl.
* region-model.cc (region_model::get_fndecl_for_call): Use
ultimate_alias_target on fndecl.
* supergraph.cc (get_ultimate_function_for_cgraph_edge): New
function.
(supergraph_call_edge): Use it when rejecting edges without
functions.
(supergraph::supergraph): Use it to get the function for the
cgraph_edge when building interprocedural superedges.
(callgraph_superedge::get_callee_function): Use it.
* supergraph.h (supergraph::get_num_snodes): Make param const.
(supergraph::function_to_num_snodes_t): Make first type param
const.
gcc/testsuite/ChangeLog:
PR analyzer/93288
* g++.dg/analyzer/malloc.C: Add test coverage for a double-free
called in a constructor.
* g++.dg/analyzer/pr93288.C: New test.
|
|
PR analyzer/93374 reports an ICE within state_change::validate due to an
m_new_sid in a recorded state-change being out of range of the svalues
of the region_model of the new state.
During get_or_create_node we attempt to merge the new state with the
state of each of the existing enodes at the program point (in the
absence of sm-state differences), simplifying the state at each
attempt, and potentially reusing a node if we get a match.
This state-merging invalidates any svalue_ids within any state_change
object.
The root cause is that, although the code was purging any such
svalue_ids for the case where no match was found during merging, it was
failing to purge them for the case where a matching enode *was* found
for the merged state, leading to an invalid state_change along the
exploded_edge to the reused enode.
This patch moves the invalidation code to cover both cases, fixing the
ICE. It also extends state_change validation so that states are also
checked.
gcc/analyzer/ChangeLog:
PR analyzer/93374
* engine.cc (exploded_edge::exploded_edge): Add ext_state param
and pass it to change.validate.
(exploded_graph::get_or_create_node): Move purging of change
svalues to also cover the case of reusing an existing enode.
(exploded_graph::add_edge): Pass m_ext_state to exploded_edge's
ctor.
* exploded-graph.h (exploded_edge::exploded_edge): Add ext_state
param.
* program-state.cc (state_change::sm_change::validate): Likewise.
Assert that m_sm_idx is sane. Use ext_state to validate
m_old_state and m_new_state.
(state_change::validate): Add ext_state param and pass it to
the sm_change validate calls.
* program-state.h (state_change::sm_change::validate): Add
ext_state param.
(state_change::validate): Likewise.
gcc/testsuite/ChangeLog:
PR analyzer/93374
* gcc.dg/analyzer/torture/pr93374.c: New test.
|
|
(PR 93669)
gcc/analyzer/ChangeLog:
PR analyzer/93669
* engine.cc (exploded_graph::dump_exploded_nodes): Handle missing
case of STATUS_WORKLIST in implementation of
"__analyzer_dump_exploded_nodes".
gcc/testsuite/ChangeLog:
PR analyzer/93669
* gcc.dg/analyzer/pr93669.c: New test.
|
|
gcc/analyzer/ChangeLog:
PR analyzer/93649
* constraint-manager.cc (constraint_manager::add_constraint): When
merging equivalence classes and updating m_constant, also update
m_cst_sid.
(constraint_manager::validate): If m_constant is non-NULL assert
that m_cst_sid is non-null and is valid.
gcc/testsuite/ChangeLog:
PR analyzer/93649
* gcc.dg/analyzer/torture/pr93649.c: New test.
|
|
gcc/analyzer/ChangeLog:
PR analyzer/93657
* analyzer.opt (fdump-analyzer): Reword description.
(fdump-analyzer-stderr): Likewise.
|
|
The dumps from the analyzer sometimes contain garbled output.
The root cause is due to nesting of calls to pp_printf: I'm using
pp_printf with %qT to print types with a PP using default_tree_printer.
default_tree_printer handles 'T' (and various other codes) via
dump_generic_node (pp, t, 0, TDF_SLIM, 0);
and dump_generic_node can call pp_printf in various ways, leading
to a pp_printf within a pp_printf, and garbled output.
I don't think it's feasible to fix pp_printf to be reentrant, in
stage 4, at least, so for the moment this patch works around it
in the analyzer.
gcc/analyzer/ChangeLog:
* region-model.cc (print_quoted_type): New function.
(svalue::print): Use it to replace %qT.
(region::dump_to_pp): Likewise.
(region::dump_child_label): Likewise.
(region::print_fields): Likewise.
|
|
gcc/analyzer/ChangeLog:
PR analyzer/93659
* analyzer.opt (-param=analyzer-max-recursion-depth=): Fix "tha"
-> "that" typo.
(Wanalyzer-use-of-uninitialized-value): Fix "initialized" ->
"uninitialized" typo.
|
|
gcc/analyzer/ChangeLog:
PR analyzer/93350
* region-model.cc (region_model::get_lvalue_1):
Handle BIT_FIELD_REF.
(make_region_for_type): Handle VECTOR_TYPE.
gcc/testsuite/ChangeLog:
PR analyzer/93350
* gcc.dg/analyzer/torture/pr93350.c: New test.
|
|
gcc/analyzer/ChangeLog:
PR analyzer/93647
* diagnostic-manager.cc
(diagnostic_manager::prune_for_sm_diagnostic): Bulletproof against
VAR being constant.
* region-model.cc (region_model::get_lvalue_1): Provide a better
error message when encountering an unhandled tree code.
gcc/testsuite/ChangeLog:
PR analyzer/93647
* gcc.dg/analyzer/torture/pr93647.c: New test.
|
|
PR analyzer/93405 reports an ICE with -fanalyzer when passing
a constant "by reference" in gfortran.
The issue is that the constant is passed as an ADDR_EXPR
of a CONST_DECL, and region_model::get_lvalue_1 doesn't
know how to handle CONST_DECL.
This patch implements it for CONST_DECL by providing
a placeholder region, holding the CONST_DECL's value,
fixing the ICE.
gcc/analyzer/ChangeLog:
PR analyzer/93405
* region-model.cc (region_model::get_lvalue_1): Implement
CONST_DECL.
gcc/testsuite/ChangeLog:
PR analyzer/93405
* gfortran.dg/analyzer/pr93405.f90: New test.
|
|
When investigating how the analyzer handles malloc/free of Cray pointers
in gfortran I noticed that that analyzer was losing information on
pointers that were cast to an integer type, and then back to a pointer
type again.
The root cause is that region_model::maybe_cast_1 was only preserving
the region_svalue-ness of the result if both types were pointers,
instead returning an unknown_svalue for a pointer-to-int cast.
This patch updates the above code so that it attempts to use a
region_svalue if *either* type is a pointer
Doing so allows the analyzer to recognize that the same underlying
region is in use through various casts through integer types.
gcc/analyzer/ChangeLog:
* region-model.cc (region_model::maybe_cast_1): Attempt to provide
a region_svalue if either type is a pointer, rather than if both
types are pointers.
gcc/testsuite/ChangeLog:
* gcc.dg/analyzer/torture/intptr_t.c: New test.
|
|
The analyzer recognizes __analyzer_dump_exploded_nodes as a "magic"
function for use in DejaGnu tests: at the end of the pass, it issues
a warning at each such call, dumping the count of exploded nodes seen at
the call, which can be checked in test cases via dg-warning directives,
along with the IDs of the enodes (which is helpful when debugging).
My intent was to give a way of testing the results of the state-merging
code.
The state-merging code can generate duplicate exploded nodes at a point
when state merging occurs, taking a pair of enodes from the worklist
that share a program_point and sufficiently similar state. For these
cases it generates a merged state, and adds edges from those enodes to
the merged-state enode (potentially a new or a pre-existing enode); the
input enodes don't have process_node called on them.
This means that at a CFG join point there can be an unpredictable number
of enodes that we don't care about, where the precise number depends on
the details of the state-merger code, immediately followed by a more
predictable number that we do care about.
I've been papering over this in the analyzer DejaGnu tests somewhat
by adding pairs of __analyzer_dump_exploded_nodes calls at CFG join
points, where the output at the first call is somewhat arbitrary, and
the second has the number we care about; the first number tends to
change "at random" as I tweak the state merging code, in ways that
aren't interesting, but require the tests to be updated.
See e.g. gcc.dg/analyzer/paths-6.c which had:
__analyzer_dump_exploded_nodes (0); /* { dg-warning "2 exploded nodes" } */
// FIXME: the above can vary between 2 and 3 exploded nodes
__analyzer_dump_exploded_nodes (0); /* { dg-warning "1 exploded node" } */
This patch remedies this situation by tracking which enodes are
processed, and which are merely "merger" enodes. It updates the
output for __analyzer_dump_exploded_nodes so that count of enodes
only includes the *processed* enodes, and that the IDs are split
into "processed" and "merger" enodes.
The patch simplifies the testsuite by eliminating the redundant calls
described above; the example above becomes:
__analyzer_dump_exploded_nodes (0); /* { dg-warning "1 processed enode" } */
where the output in question is now:
warning: 1 processed enode: [EN: 94] merger(s): [EN: 93]
The patch also adds various checks on the status of enodes, to ensure
e.g. that each enode is processed at most once.
gcc/analyzer/ChangeLog:
* engine.cc (exploded_node::dump_dot): Show merger enodes.
(worklist::add_node): Assert that the node's m_status is
STATUS_WORKLIST.
(exploded_graph::process_worklist): Likewise for nodes from the
worklist. Set status of merged nodes to STATUS_MERGER.
(exploded_graph::process_node): Set status of node to
STATUS_PROCESSED.
(exploded_graph::dump_exploded_nodes): Rework handling of
"__analyzer_dump_exploded_nodes", splitting enodes by status into
"processed" and "merger", showing the count of just the processed
enodes at the call, rather than the count of all enodes.
* exploded-graph.h (exploded_node::status): New enum.
(exploded_node::exploded_node): Initialize m_status to
STATUS_WORKLIST.
(exploded_node::get_status): New getter.
(exploded_node::set_status): New setter.
(exploded_node::m_status): New field.
gcc/ChangeLog:
* doc/analyzer.texi
(Special Functions for Debugging the Analyzer): Update description
of __analyzer_dump_exploded_nodes.
gcc/testsuite/ChangeLog:
* gcc.dg/analyzer/data-model-1.c: Update for changed output to
__analyzer_dump_exploded_nodes, dropping redundant call at merger.
* gcc.dg/analyzer/data-model-7.c: Likewise.
* gcc.dg/analyzer/loop-2.c: Update for changed output format.
* gcc.dg/analyzer/loop-2a.c: Likewise.
* gcc.dg/analyzer/loop-4.c: Likewise.
* gcc.dg/analyzer/loop.c: Likewise.
* gcc.dg/analyzer/malloc-paths-10.c: Likewise; drop redundant
call at merger.
* gcc.dg/analyzer/malloc-vs-local-1a.c: Likewise.
* gcc.dg/analyzer/malloc-vs-local-1b.c: Likewise.
* gcc.dg/analyzer/malloc-vs-local-2.c: Likewise.
* gcc.dg/analyzer/malloc-vs-local-3.c: Likewise.
* gcc.dg/analyzer/paths-1.c: Likewise.
* gcc.dg/analyzer/paths-1a.c: Likewise.
* gcc.dg/analyzer/paths-2.c: Likewise.
* gcc.dg/analyzer/paths-3.c: Likewise.
* gcc.dg/analyzer/paths-4.c: Update for changed output format.
* gcc.dg/analyzer/paths-5.c: Likewise.
* gcc.dg/analyzer/paths-6.c: Likewise; drop redundant calls
at merger.
* gcc.dg/analyzer/paths-7.c: Likewise.
* gcc.dg/analyzer/torture/conditionals-2.c: Update for changed
output format.
* gcc.dg/analyzer/zlib-1.c: Likewise; drop redundant calls.
* gcc.dg/analyzer/zlib-5.c: Update for changed output format.
|
|
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=243681 reports a build
failure with clang 9.0.1:
gcc/analyzer/engine.cc:2971:13: error:
reinterpret_cast from 'nullptr_t' to 'function *' is not allowed
v.m_fun = reinterpret_cast<function *> (NULL);
^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
engine.cc:2983:21: error:
reinterpret_cast from 'nullptr_t' to 'function *' is not allowed
return v.m_fun == reinterpret_cast<function *> (NULL);
^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
The casts appears to be unnecessary; eliminate them.
gcc/analyzer/ChangeLog:
PR analyzer/93543
* engine.cc (pod_hash_traits<function_call_string>::mark_empty):
Eliminate reinterpret_cast.
(pod_hash_traits<function_call_string>::is_empty): Likewise.
|
|
Various places in the analyzer use fold_build2, test the result, then
discard it. It's more efficient to use fold_binary, which avoids
building and GC-ing a redundant tree for the cases where folding fails.
gcc/analyzer/ChangeLog:
* constraint-manager.cc (range::constrained_to_single_element):
Replace fold_build2 with fold_binary. Remove unnecessary newline.
(constraint_manager::get_or_add_equiv_class): Replace fold_build2
with fold_binary in two places, and remove out-of-date comment.
(constraint_manager::eval_condition): Replace fold_build2 with
fold_binary.
* region-model.cc (constant_svalue::eval_condition): Likewise.
(region_model::on_assignment): Likewise.
|
|
PR analyzer/93544 reports an ICE when attempting to report a double-free
within diagnostic_manager::prune_for_sm_diagnostic, in which the
variable of interest has become an INTEGER_CST. Additionally, it picks
a nonsensical path through the function in which the pointer being
double-freed is known to be NULL, which we shouldn't complain about.
The dump shows that it picks the INTEGER_CST when updating var at a phi
node:
considering event 4, with var: ‘iftmp.0_2’, state: ‘start’
updating from ‘iftmp.0_2’ to ‘0B’ based on phi node
phi: iftmp.0_2 = PHI <iftmp.0_6(3), 0B(2)>
considering event 3, with var: ‘0B’, state: ‘start’
and that it has picked the shortest path through the exploded graph,
and on this path the pointer has been assigned NULL.
The root cause is that the state machine's on_stmt isn't called for phi
nodes (and wouldn't make much sense, as we wouldn't know which arg to
choose). malloc state machine::on_stmt "sees" a GIMPLE_ASSIGN to NULL
and handles it by transitioning the lhs to the "null" state, but never
"sees" GIMPLE_PHI nodes.
This patch fixes the ICE by wiring up phi-handling with state machines,
so that state machines have an on_phi vfunc. It updates the only current
user of "is_zero_assignment" (the malloc sm) to implement equivalent
logic for phi nodes. Doing so ensures that the pointer is in a separate
sm-state for the NULL vs non-NULL cases, and so gets separate exploded
nodes, and hence the path-finding logic chooses the correct path, and
the correct non-NULL phi argument.
The patch also adds some bulletproofing to prune_for_sm_diagnostic to
avoid crashing in the event of a bad path.
gcc/analyzer/ChangeLog:
PR analyzer/93544
* diagnostic-manager.cc
(diagnostic_manager::prune_for_sm_diagnostic): Bulletproof
against bad choices due to bad paths.
* engine.cc (impl_region_model_context::on_phi): New.
* exploded-graph.h (impl_region_model_context::on_phi): New decl.
* region-model.cc (region_model::on_longjmp): Likewise.
(region_model::handle_phi): Add phi param. Call the ctxt's on_phi
vfunc.
(region_model::update_for_phis): Pass phi to handle_phi.
* region-model.h (region_model::handle_phi): Add phi param.
(region_model_context::on_phi): New vfunc.
(test_region_model_context::on_phi): New.
* sm-malloc.cc (malloc_state_machine::on_phi): New.
(malloc_state_machine::on_zero_assignment): New.
* sm.h (state_machine::on_phi): New vfunc.
gcc/testsuite/ChangeLog:
PR analyzer/93544
* gcc.dg/analyzer/torture/pr93544.c: New test.
|
|
gcc/analyzer/ChangeLog:
* engine.cc (supernode_cluster::dump_dot): Show BB index as
well as SN index.
* supergraph.cc (supernode::dump_dot): Likewise.
|
|
PR analyzer/93546 reports an ICE within region_model::add_region_for_type
when merging two region_models each containing a label pointer. The
two labels are stored as pointers to symbolic_regions, but these regions
were created with NULL type, leading to an assertion failure when a
merged copy is created.
The labels themselves have void (but not NULL) type.
This patch updates make_region_for_type to use the type of the decl when
creating such regions, rather than implicitly setting the region's type
to NULL, fixing the ICE.
gcc/analyzer/ChangeLog:
PR analyzer/93546
* region-model.cc (region_model::on_call_pre): Update for new
param of symbolic_region ctor.
(region_model::deref_rvalue): Likewise.
(region_model::add_new_malloc_region): Likewise.
(make_region_for_type): Likewise, preserving type.
* region-model.h (symbolic_region::symbolic_region): Add "type"
param and pass it to base class ctor.
gcc/testsuite/ChangeLog:
PR analyzer/93546
* gcc.dg/analyzer/pr93546.c: New test.
|
|
gcc/analyzer/ChangeLog:
PR analyzer/93547
* constraint-manager.cc
(constraint_manager::get_or_add_equiv_class): Ensure types are
compatible before comparing constants.
gcc/testsuite/ChangeLog:
PR analyzer/93547
* gcc.dg/analyzer/pr93547.c: New test.
|
