gcc/analyzer/ChangeLog:
PR analyzer/113505
* region-model.cc (get_tree_for_byte_offset,
region_model::get_representative_path_var_1,
test_mem_ref, test_POINTER_PLUS_EXPR_then_MEM_REF): Use
char __attribute__((may_alias)) * as type of MEM_REF second argument.
gcc/testsuite/ChangeLog
PR analyzer/113505
* gcc.dg/analyzer/pr113505.c: New test.
Signed-off-by: David Malcolm <dmalcolm@redhat.com>
In r14-1497-gef768035ae8090 I added some support to the analyzer for
__atomic_ builtins (enough to fix false positives I was seeing in
my integration tests).
Unfortunately I messed up the implementation of
__atomic_{exchange,load,store}, leading to ICEs seen in
PR analyzer/114286.
Fixed thusly, fixing the ICEs. Given that we're in stage 4, the patch
doesn't add support for any of the various __atomic_compare_exchange
builtins, so that these continue to fall back to the analyzer's
"anything could happen" handling of unknown functions.
Signed-off-by: David Malcolm <dmalcolm@redhat.com>
gcc/analyzer/ChangeLog:
PR analyzer/114286
* kf.cc (class kf_atomic_exchange): Reimplement based on signature
seen in gimple, rather than user-facing signature.
(class kf_atomic_load): Likewise.
(class kf_atomic_store): New.
(register_atomic_builtins): Register kf_atomic_store.
gcc/testsuite/ChangeLog:
PR analyzer/114286
* c-c++-common/analyzer/atomic-builtins-pr114286.c: New test.
Signed-off-by: David Malcolm <dmalcolm@redhat.com>
[PR110902,PR110928,PR111305,PR111441]
Various analyzer ICEs in our bugzilla relate to sloppy use of types
within bounds-checking.
The bounds-checking code works by comparing symbolic *bit* offsets, and
we don't have a good user-facing type that can represent such an offset
(ptrdiff_type_node is for *byte* offsets).
ana::svalue doesn't enforce valid combinations of types for things like
binary operations. When I added the access diagrams for GCC 14, this
could lead to attempts to generate trees for such svalues, leading to
trees with invalid combinations of types (e.g. PLUS_EXPR or MULT_EXPR of
incompatible types), leading to ICEs inside the tree folding logic.
I tried two approaches to fixing this.
My first approach was to fix the type-handling throughout the
bounds-checking code to use correct types, using size_type_node for
sizes, ptrdiff_type_node for byte offsets, and trying ptrdiff_type_node
for bit offsets. I implemented this, and it fixed the crashes, but
unfortunately it led to:
(a) numerous false negatives from the bounds-checking code, due to it
becoming unable to be sure that the accessed offset was beyond the valid
bounds, due to the expressions involved gaining complicated sets of
nested casts.
(b) ugly access diagrams full of nested casts (for capacities, gap
measurements, etc)
So my second approach, implemented in this patch, is to accept that we
don't have a tree type for representing bit offsets. The patch
represents bit offsets using "typeless" symbolic values i.e. ones for
which get_type () is NULL_TREE, and implements enough support for basic
arithmetic as if these are mathematical integers (albeit ones for which
concrete values within an expression must fit within a signed wide int).
Such values can't be converted to tree, so the patch avoids such
conversions, instead implementing a new svalue::maybe_print_for_user for
printing them to a pretty_printer. The patch uses ptrdiff_type_node for
byte offsets.
Doing so fixes the crashes, whilst appearing to preserve the behavior of
-Wanalyzer-out-of-bounds in my testing.
gcc/analyzer/ChangeLog:
PR analyzer/110902
PR analyzer/110928
PR analyzer/111305
PR analyzer/111441
* access-diagram.cc: Include "analyzer/analyzer-selftests.h".
(get_access_size_str): Reimplement for conversion of
implementation of bit_size_expr from tree to const svalue &. Use
svalue::maybe_print_for_user rather than tree printing routines.
(remove_ssa_names): Make non-static.
(bit_size_expr::get_formatted_str): Rename to...
(bit_size_expr::maybe_get_formatted_str): ...this, adding "model"
param and converting return type to a unique_ptr. Update for
conversion of implementation of bit_size_expr from tree to
const svalue &. Use svalue::maybe_print_for_user rather than tree
printing routines.
(bit_size_expr::print): Rename to...
(bit_size_expr::maybe_print_for_user): ...this, adding "model"
param and converting return type to bool. Update for
conversion of implementation of bit_size_expr from tree to
const svalue &. Use svalue::maybe_print_for_user rather than tree
printing routines.
(bit_size_expr::maybe_get_as_bytes): Add "mgr" param and convert
return type from tree to const svalue *; reimplement.
(access_range::access_range): Call strip_types on region_offset
initializations.
(access_range::get_size): Update for conversion of implementation
of bit_size_expr from tree to const svalue &.
(access_operation::get_valid_bits): Pass manager to access_range
ctor.
(access_operation::maybe_get_invalid_before_bits): Likewise.
(access_operation::maybe_get_invalid_after_bits): Likewise.
(boundaries::add): Likewise.
(bit_to_table_map::populate): Add "mgr" param and pass it to
access_range ctor.
(access_diagram_impl::access_diagram_impl): Pass manager to
bit_to_table_map::populate.
(access_diagram_impl::maybe_add_gap): Use svalue rather than tree
for symbolic bit offsets. Port to new bit_size_expr
representation.
(access_diagram_impl::add_valid_vs_invalid_ruler): Port to new
bit_size_expr representation.
(selftest::assert_eq_typeless_integer): New.
(ASSERT_EQ_TYPELESS_INTEGER): New.
(selftest::test_bit_size_expr_to_bytes): New.
(selftest::analyzer_access_diagram_cc_tests): New.
* access-diagram.h (class bit_size_expr): Reimplement, converting
implementation from tree to const svalue &.
(access_range::access_range): Add "mgr" param. Call strip_types
on region_offset initializations.
(access_range::get_size): Update decl for reimplementation.
* analyzer-selftests.cc (selftest::run_analyzer_selftests): Call
selftest::analyzer_access_diagram_cc_tests.
* analyzer-selftests.h
(selftest::analyzer_checker_script_cc_tests): Delete this stray
typo.
(selftest::analyzer_access_diagram_cc_tests): New decl.
* analyzer.h (print_expr_for_user): New decl.
(calc_symbolic_bit_offset): Update decl for reimplementation.
(strip_types): New decls.
(remove_ssa_names): New decl.
* bounds-checking.cc (strip_types): New.
(region_model::check_symbolic_bounds): Use typeless svalues.
* region-model-manager.cc
(region_model_manager::get_or_create_constant_svalue): Add "type"
param. Add overload with old signature.
(region_model_manager::get_or_create_int_cst): Support type being
NULL_TREE.
(region_model_manager::maybe_fold_unaryop): Gracefully reject folding
of casts to NULL_TREE type.
(get_code_for_cast): Use NOP_EXPR for "casting" svalues to
NULL_TREE type.
(region_model_manager::get_or_create_cast): Support "casting"
svalues to NULL_TREE type.
(region_model_manager::maybe_fold_binop): Don't crash on inputs
with NULL_TREE type. Handle folding of binops on constants with
NULL_TREE type. Add missing cast from PR analyzer/110902.
Support enough folding of other ops on NULL_TREE type to support
bounds checking.
(region_model_manager::get_or_create_const_fn_result_svalue):
Remove assertion that type is nonnull.
* region-model-manager.h
(region_model_manager::get_or_create_constant_svalue): Add
overloaded decl taking a type.
(region_model_manager::maybe_fold_binop): Make public.
(region_model_manager::constants_map_t): Use
constant_svalue::key_t for the key, rather than just tree.
* region-model.cc (print_expr_for_user): New.
(selftest::test_array_2): Handle casts.
* region.cc (region_offset::calc_symbolic_bit_offset): Return
const svalue & rather than tree, and reimplement accordingly.
(region::calc_offset): Use ptrdiff_type_node for types of byte
offsets.
(region::maybe_print_for_user): New.
(element_region::get_relative_symbolic_offset): Use NULL_TREE for
types of bit offsets.
(offset_region::get_bit_offset): Likewise.
(sized_region::get_bit_size_sval): Likewise for bit sizes.
* region.h (region::maybe_print_for_user): New decl.
* svalue.cc (class auto_add_parens): New.
(svalue::maybe_print_for_user): New.
(svalue::cmp_ptr): Support typeless constant svalues.
(tristate_from_boolean_tree_node): New, taken from...
(constant_svalue::eval_condition): ...here. Handle comparison of
typeless integer svalue constants.
* svalue.h (svalue::maybe_print_for_user): New decl.
(class constant_svalue): Support the type of the svalue being
NULL_TREE.
(struct default_hash_traits<constant_svalue::key_t>): New.
gcc/ChangeLog:
PR analyzer/110902
PR analyzer/110928
PR analyzer/111305
PR analyzer/111441
* selftest.h (ASSERT_NE_AT): New macro.
gcc/testsuite/ChangeLog:
PR analyzer/110902
PR analyzer/110928
PR analyzer/111305
PR analyzer/111441
* c-c++-common/analyzer/out-of-bounds-const-fn.c: New test.
* c-c++-common/analyzer/out-of-bounds-diagram-11.c: Update
expected diagram output.
* c-c++-common/analyzer/out-of-bounds-diagram-pr110928.c: New test.
* c-c++-common/analyzer/out-of-bounds-diagram-pr111305.c: New test.
* c-c++-common/analyzer/out-of-bounds-diagram-pr111441.c: New test.
Signed-off-by: David Malcolm <dmalcolm@redhat.com>
gcc/analyzer/ChangeLog:
* access-diagram.cc (remove_ssa_names): Support operands being
NULL_TREE, such as e.g. for COMPONENT_REF's operand 2.
Signed-off-by: David Malcolm <dmalcolm@redhat.com>
I'm seeing warnings like
../../gcc/analyzer/access-diagram.cc: In member function ‘void ana::bit_size_expr::print(pretty_printer*) const’:
../../gcc/analyzer/access-diagram.cc:399:26: warning: unknown conversion type character ‘E’ in format [-Wformat=]
399 | pp_printf (pp, _("%qE bytes"), bytes_expr);
| ^~~~~~~~~~~
when building stage2/stage3 gcc. While such warnings would be
understandable when building stage1 because one could e.g. have some
older host compiler which doesn't understand some of the format specifiers,
the above seems to be because we have in pretty-print.h
#ifdef GCC_DIAG_STYLE
#define GCC_PPDIAG_STYLE GCC_DIAG_STYLE
#else
#define GCC_PPDIAG_STYLE __gcc_diag__
#endif
and use GCC_PPDIAG_STYLE e.g. for pp_printf, and while
diagnostic-core.h has
#ifndef GCC_DIAG_STYLE
#define GCC_DIAG_STYLE __gcc_tdiag__
#endif
(and similarly various FE headers include their own GCC_DIAG_STYLE)
when including pretty-print.h before diagnostic-core.h we end up
with __gcc_diag__ style rather than __gcc_tdiag__ style, which I think
is the right thing for the analyzer, because analyzer seems to use
default_tree_printer everywhere:
grep pp_format_decoder.*=.default_tree_printer analyzer/* | wc -l
57
The following patch fixes that by making sure diagnostic-core.h is included
before pretty-print.h.
2024-03-07 Jakub Jelinek <jakub@redhat.com>
* access-diagram.cc: Include diagnostic-core.h before including
diagnostic.h or diagnostic-path.h.
* sm-malloc.cc: Likewise.
* diagnostic-manager.cc: Likewise.
* call-summary.cc: Likewise.
* record-layout.cc: Likewise.
PR analyzer/114159 reports an ICE inside playback of call summaries
for very low values of --param=analyzer-max-svalue-depth=VAL.
Root cause is that call_summary_edge_info's ctor tries to evaluate
the function ptr of a gimple call stmt and assumes it gets a function *,
but with low values of --param=analyzer-max-svalue-depth=VAL we get
back an UNKNOWN svalue, rather than a pointer to a specific function.
Fix by adding a new call_info ctor that passes a specific
const function & from the call_summary_edge_info, rather than trying
to compute the function.
In doing so, I noticed that the analyzer was using "function *" despite
not modifying functions, and was sloppy about can-be-null versus
must-be-non-null function pointers, so I "constified" the function, and
converted the many places where the function must be non-null to be
"const function &".
gcc/analyzer/ChangeLog:
PR analyzer/114159
* analyzer.cc: Include "tree-dfa.h".
(get_ssa_default_def): New decl.
* analyzer.h (get_ssa_default_def): New.
* call-info.cc (call_info::call_info): New ctor taking an explicit
called_fn.
* call-info.h (call_info::call_info): Likewise.
* call-summary.cc (call_summary_replay::call_summary_replay):
Convert param from function * to const function &.
* call-summary.h (call_summary_replay::call_summary_replay):
Likewise.
* checker-event.h (state_change_event::get_dest_function):
Constify return value.
* engine.cc (point_and_state::validate): Update for conversion to
const function &.
(exploded_node::on_stmt): Likewise.
(call_summary_edge_info::call_summary_edge_info): Likewise.
Pass in called_fn to call_info ctor.
(exploded_node::replay_call_summaries): Update for conversion to
const function &. Convert per_function_data from * to &.
(exploded_node::replay_call_summary): Update for conversion to
const function &.
(exploded_graph::add_function_entry): Likewise.
(toplevel_function_p): Likewise.
(add_tainted_args_callback): Likewise.
(exploded_graph::build_initial_worklist): Likewise.
(exploded_graph::maybe_create_dynamic_call): Likewise.
(maybe_update_for_edge): Likewise.
(exploded_graph::on_escaped_function): Likewise.
* exploded-graph.h (exploded_node::replay_call_summaries):
Likewise.
(exploded_node::replay_call_summary): Likewise.
(exploded_graph::add_function_entry): Likewise.
* program-point.cc (function_point::from_function_entry):
Likewise.
(program_point::from_function_entry): Likewise.
* program-point.h (function_point::from_function_entry): Likewise.
(program_point::from_function_entry): Likewise.
* program-state.cc (program_state::push_frame): Likewise.
(program_state::get_current_function): Constify return type.
* program-state.h (program_state::push_frame): Update for
conversion to const function &.
(program_state::get_current_function): Likewise.
* region-model-manager.cc
(region_model_manager::get_frame_region): Likewise.
* region-model-manager.h
(region_model_manager::get_frame_region): Likewise.
* region-model.cc (region_model::called_from_main_p): Likewise.
(region_model::update_for_gcall): Likewise.
(region_model::push_frame): Likewise.
(region_model::get_current_function): Constify return type.
(region_model::pop_frame): Update for conversion to
const function &.
(selftest::test_stack_frames): Likewise.
(selftest::test_get_representative_path_var): Likewise.
(selftest::test_state_merging): Likewise.
(selftest::test_alloca): Likewise.
* region-model.h (region_model::push_frame): Likewise.
(region_model::get_current_function): Likewise.
* region.cc (frame_region::dump_to_pp): Likewise.
(frame_region::get_region_for_local): Likewise.
* region.h (class frame_region): Likewise.
* sm-signal.cc (signal_unsafe_call::describe_state_change):
Likewise.
(update_model_for_signal_handler): Likewise.
(signal_delivery_edge_info_t::update_model): Likewise.
(register_signal_handler::impl_transition): Likewise.
* state-purge.cc (class gimple_op_visitor): Likewise.
(state_purge_map::state_purge_map): Likewise.
(state_purge_map::get_or_create_data_for_decl): Likewise.
(state_purge_per_ssa_name::state_purge_per_ssa_name): Likewise.
(state_purge_per_ssa_name::add_to_worklist): Likewise.
(state_purge_per_ssa_name::process_point): Likewise.
(state_purge_per_decl::add_to_worklist): Likewise.
(state_purge_annotator::print_needed): Likewise.
* state-purge.h
(state_purge_map::get_or_create_data_for_decl): Likewise.
(class state_purge_per_tree): Likewise.
(class state_purge_per_ssa_name): Likewise.
(class state_purge_per_decl): Likewise.
* supergraph.cc (supergraph::dump_dot_to_pp): Likewise.
* supergraph.h
(supergraph::get_node_for_function_entry): Likewise.
(supergraph::get_node_for_function_exit): Likewise.
gcc/ChangeLog:
PR analyzer/114159
* function.cc (function_name): Make param const.
* function.h (function_name): Likewise.
gcc/testsuite/ChangeLog:
PR analyzer/114159
* c-c++-common/analyzer/call-summaries-pr114159.c: New test.
Signed-off-by: David Malcolm <dmalcolm@redhat.com>
On e.g. gcc211 the use of "%li" with unsigned HOST_WIDE_INT led to this warning:
../../src/gcc/analyzer/access-diagram.cc: In member function ‘void ana::string_literal_spatial_item::add_column_for_byte(text_art::table&, const ana::bit_to_table_map&, text_art::style_manager&, ana::byte_offset_t, ana::byte_offset_t, int, int) const’:
../../src/gcc/analyzer/access-diagram.cc:1909:40: warning: format ‘%li’ expects argument of type ‘long int’, but argument 3 has type ‘long long unsigned int’ [-Wformat=]
byte_idx_within_string.ulow ()));
^
and to all values being erroneously printed as "0".
Fixed thusly.
gcc/analyzer/ChangeLog:
PR analyzer/110483
PR analyzer/111802
* access-diagram.cc
(string_literal_spatial_item::add_column_for_byte): Use %wu for
printing unsigned HOST_WIDE_INT.
Signed-off-by: David Malcolm <dmalcolm@redhat.com>
gcc/analyzer/ChangeLog:
PR analyzer/111881
* constraint-manager.cc (bound::ensure_closed): Assert that
m_constant has integral type.
(range::add_bound): Bail out on floating point constants.
gcc/testsuite/ChangeLog:
PR analyzer/111881
* c-c++-common/analyzer/conditionals-pr111881.c: New test.
Signed-off-by: David Malcolm <dmalcolm@redhat.com>
gcc/analyzer/ChangeLog:
PR analyzer/113999
* analyzer.h (get_string_cst_size): New decl.
* region-model-manager.cc (get_string_cst_size): New.
(region_model_manager::maybe_get_char_from_string_cst): Treat
single-byte accesses within string_cst but beyond
TREE_STRING_LENGTH as being 0.
* region-model.cc (string_cst_has_null_terminator): Likewise.
gcc/testsuite/ChangeLog:
PR analyzer/113999
* c-c++-common/analyzer/strlen-pr113999.c: New test.
* gcc.dg/analyzer/strlen-1.c: More test coverage.
Signed-off-by: David Malcolm <dmalcolm@redhat.com>
gcc/analyzer/ChangeLog:
PR analyzer/113998
* ranges.cc (symbolic_byte_range::intersection): Handle empty ranges.
(selftest::test_intersects): Add test coverage for empty ranges.
gcc/testsuite/ChangeLog:
PR analyzer/113998
* c-c++-common/analyzer/overlapping-buffers-pr113998.c: New test.
Signed-off-by: David Malcolm <dmalcolm@redhat.com>
gcc/analyzer/ChangeLog:
PR analyzer/111289
* varargs.cc (representable_in_integral_type_p): New.
(va_arg_compatible_types_p): Add "arg_sval" param. Handle integer
types.
(kf_va_arg::impl_call_pre): Pass arg_sval to
va_arg_compatible_types_p.
gcc/testsuite/ChangeLog:
PR analyzer/111289
* c-c++-common/analyzer/stdarg-pr111289-int.c: New test.
* c-c++-common/analyzer/stdarg-pr111289-ptr.c: New test.
Signed-off-by: David Malcolm <dmalcolm@redhat.com>
[PR113983]
After r14-6419-g4eaaf7f5a378e8, maybe_undo_optimize_bit_field_compare would ICE on
a vector CST, but this function really should be checking whether we have integer types,
so reject non-integral types early on (as it was doing for non-char types before r14-6419-g4eaaf7f5a378e8).
Committed as obvious after building and testing for aarch64-linux-gnu with no regressions.
PR analyzer/113983
gcc/analyzer/ChangeLog:
* region-model-manager.cc (maybe_undo_optimize_bit_field_compare): Reject
non-integral types.
gcc/testsuite/ChangeLog:
* gcc.dg/analyzer/torture/vector-extract-1.c: New test.
Signed-off-by: Andrew Pinski <quic_apinski@quicinc.com>
PR analyzer/111266 reports a missing -Wanalyzer-out-of-bounds when
accessing relative to a concrete byte offset.
Root cause is that offset_region::get_{byte,bit}_size_sval were
attempting to compute the size that's valid to access, rather than the
size of the access attempt.
Fixed by removing these vfunc overrides from offset_region as the
base class implementation does the right thing.
gcc/analyzer/ChangeLog:
PR analyzer/111266
* region.cc (offset_region::get_byte_size_sval): Delete.
(offset_region::get_bit_size_sval): Delete.
* region.h (region::get_byte_size): Add comment clarifying that
this relates to the size of the access, rather than the size
that's valid to access.
(region::get_bit_size): Likewise.
(region::get_byte_size_sval): Likewise.
(region::get_bit_size_sval): Likewise.
(offset_region::get_byte_size_sval): Delete.
(offset_region::get_bit_size_sval): Delete.
gcc/testsuite/ChangeLog:
PR analyzer/111266
* c-c++-common/analyzer/out-of-bounds-pr111266.c: New test.
Signed-off-by: David Malcolm <dmalcolm@redhat.com>
As noted by Joseph, I broke "make gcc.pot" in r14-6057-g12b67d1e13b3cf
by adding an overloaded format API with the format string in a different
position, leading to this failure:
emit_diagnostic_valist used incompatibly as both --keyword=emit_diagnostic_valist:4
--flag=emit_diagnostic_valist:4:gcc-internal-format and --keyword=emit_diagnostic_valist:5
--flag=emit_diagnostic_valist:5:gcc-internal-format
Fix by replacing the overloaded function with one with a different name.
See also r10-6297-g6c8e584430bc5d for previous fixes for this involving
the same function, or r5-6946-g40fecdd62f7d29 and
r5-6959-gdb30e21cbff7b9 for older fixes for similar issues.
gcc/analyzer/ChangeLog:
* pending-diagnostic.cc (diagnostic_emission_context::warn):
Update for renaming of emit_diagnostic_valist overload to
emit_diagnostic_valist_meta.
(diagnostic_emission_context::inform): Likewise.
gcc/ChangeLog:
* diagnostic-core.h (emit_diagnostic_valist): Rename overload
to...
(emit_diagnostic_valist_meta): ...this.
* diagnostic.cc (emit_diagnostic_valist): Likewise, to...
(emit_diagnostic_valist_meta): ...this.
Signed-off-by: David Malcolm <dmalcolm@redhat.com>
PR analyzer/113253 reports a case where the analyzer output varied
with and without -g enabled.
The root cause was that debug stmts were in the
FOR_EACH_IMM_USE_FAST list for SSA names, leading to the analyzer's
state purging logic differing between the -g and non-debugging cases,
and thus leading to differences in the exploration of the user's code.
Fix by skipping such stmts in the state-purging logic, and removing
debug stmts when constructing the supergraph.
gcc/analyzer/ChangeLog:
PR analyzer/113253
* region-model.cc (region_model::on_stmt_pre): Add gcc_unreachable
for debug statements.
* state-purge.cc
(state_purge_per_ssa_name::state_purge_per_ssa_name): Skip any
debug stmts in the FOR_EACH_IMM_USE_FAST list.
* supergraph.cc (supergraph::supergraph): Don't add debug stmts
to the supernodes.
gcc/testsuite/ChangeLog:
PR analyzer/113253
* gcc.dg/analyzer/deref-before-check-pr113253.c: New test.
Signed-off-by: David Malcolm <dmalcolm@redhat.com>
Avoid ICE with -fanalyzer-verbose-state-changes when
region_model::get_representative_tree returns nullptr in
state_change_event::get_desc.
gcc/analyzer/ChangeLog:
PR analyzer/113509
* checker-event.cc (state_change_event::get_desc): Don't assume
"var" is non-NULL.
gcc/testsuite/ChangeLog:
PR analyzer/113509
* c-c++-common/analyzer/stdarg-pr113509.c: New test.
Signed-off-by: David Malcolm <dmalcolm@redhat.com>
round_up macro [PR113654]
gcc/analyzer/ChangeLog:
PR analyzer/113654
* region-model.cc (is_round_up): New.
(is_multiple_p): New.
(is_dubious_capacity): New.
(region_model::check_region_size): Move usage of size_visitor into
is_dubious_capacity.
gcc/testsuite/ChangeLog:
PR analyzer/113654
* c-c++-common/analyzer/allocation-size-pr113654-1.c: New test.
Signed-off-by: David Malcolm <dmalcolm@redhat.com>
This is useful for debugging the analyzer.
gcc/analyzer/ChangeLog:
* region-model.cc
(dubious_allocation_size::dubious_allocation_size): Add
"capacity_sval" param. Drop unused ctor.
(dubious_allocation_size::maybe_add_sarif_properties): New.
(dubious_allocation_size::m_capacity_sval): New field.
(region_model::check_region_size): Pass capacity svalue to
dubious_allocation_size ctor.
Signed-off-by: David Malcolm <dmalcolm@redhat.com>
Confusion in binding_cluster::maybe_get_compound_binding about whether
offsets are relative to the start of the region or to the start of the
cluster was leading to incorrect handling of default values, leading
to false positives from -Wanalyzer-use-of-uninitialized-value, from
-Wanalyzer-exposure-through-uninit-copy, and other logic errors.
Fixed thusly.
gcc/analyzer/ChangeLog:
PR analyzer/112969
* store.cc (binding_cluster::maybe_get_compound_binding): When
populating default_map, express the bit-range of the default key
for REG relative to REG, rather than to the base region.
gcc/testsuite/ChangeLog:
PR analyzer/112969
* c-c++-common/analyzer/compound-assignment-5.c (test_3): Remove
xfails, reorder tests.
* c-c++-common/analyzer/compound-assignment-pr112969.c: New test.
* gcc.dg/plugin/infoleak-pr112969.c: New test.
* gcc.dg/plugin/plugin.exp: Add infoleak-pr112969.c to
analyzer_kernel_plugin.c tests.
Signed-off-by: David Malcolm <dmalcolm@redhat.com>
gcc/analyzer/ChangeLog:
PR analyzer/112977
* engine.cc (impl_region_model_context::on_liveness_change): Pass
m_ext_state to sm_state_map::on_liveness_change.
* program-state.cc (sm_state_map::on_svalue_leak): Guard removal
of map entry based on can_purge_p.
(sm_state_map::on_liveness_change): Add ext_state param. Add
workaround for bad interaction between state purging and
alt-inherited sm-state.
* program-state.h (sm_state_map::on_liveness_change): Add
ext_state param.
* sm-taint.cc
(taint_state_machine::has_alt_get_inherited_state_p): New.
(taint_state_machine::can_purge_p): Return false for "has_lb" and
"has_ub".
* sm.h (state_machine::has_alt_get_inherited_state_p): New vfunc.
gcc/testsuite/ChangeLog:
PR analyzer/112977
* gcc.dg/plugin/plugin.exp: Add taint-pr112977.c.
* gcc.dg/plugin/taint-pr112977.c: New test.
Signed-off-by: David Malcolm <dmalcolm@redhat.com>
gcc/analyzer/ChangeLog:
PR analyzer/111361
* region-model.cc (svalue_byte_range_has_null_terminator_1): The
initial byte of an all-zeroes SVAL is a zero byte. Remove
gcc_unreachable from SK_CONSTANT for constants that aren't
STRING_CST or INTEGER_CST.
gcc/testsuite/ChangeLog:
PR analyzer/111361
* c-c++-common/analyzer/strlen-pr111361.c: New test.
* c-c++-common/analyzer/strncpy-1.c (test_zero_fill): Remove fixed
xfail.
* c-c++-common/analyzer/strncpy-pr111361.c: New test.
Signed-off-by: David Malcolm <dmalcolm@redhat.com>
PR analyzer/112811 reports an ICE attempting to determine whether a
string is null-terminated.
The root cause is confusion in the code about whether byte offsets are
relative to the start of the base region, or relative to the bound
fragment within the region.
This patch rewrites the code to enforce a clearer separation between
the kinds of offset, fixing the ICE, and adds logging to help track
down future issues in this area of the code.
gcc/analyzer/ChangeLog:
PR analyzer/112811
* region-model.cc (fragment::dump_to_pp): New.
(fragment::has_null_terminator): Convert to...
(svalue_byte_range_has_null_terminator_1): ...this new function,
updating to use a byte_range relative to the start of the svalue.
(svalue_byte_range_has_null_terminator): New.
(fragment::string_cst_has_null_terminator): Convert to...
(string_cst_has_null_terminator): ...this, updating to use a
byte_range relative to the start of the svalue.
(iterable_cluster::dump_to_pp): New.
(region_model::scan_for_null_terminator): Add logging, moving body
to...
(region_model::scan_for_null_terminator_1): ...this new function,
adding more logging, and updating to use
svalue_byte_range_has_null_terminator.
* region-model.h (region_model::scan_for_null_terminator_1): New
decl.
gcc/testsuite/ChangeLog:
PR analyzer/112811
* c-c++-common/analyzer/strlen-pr112811.c: New test.
Signed-off-by: David Malcolm <dmalcolm@redhat.com>
char index [PR106229]
gcc/analyzer/ChangeLog:
PR analyzer/106229
* analyzer.h (compare_constants): New decl.
* constraint-manager.cc (compare_constants): Make non-static.
* sm-taint.cc: Add include "fold-const.h".
(class concrete_range): New.
(get_possible_range): New.
(index_can_be_out_of_bounds_p): New.
(region_model::check_region_for_taint): Reject
-Wanalyzer-tainted-array-index if the type of the value makes it
impossible for it to be out-of-bounds of the array.
gcc/testsuite/ChangeLog:
PR analyzer/106229
* c-c++-common/analyzer/taint-index-pr106229.c: New test.
Signed-off-by: David Malcolm <dmalcolm@redhat.com>
In particular, accessing the result of *calloc (1, SZ) (if non-NULL)
should be known to be all zeroes.
gcc/analyzer/ChangeLog:
PR analyzer/113333
* region-model-manager.cc
(region_model_manager::maybe_fold_unaryop): Casting all zeroes
should give all zeroes.
gcc/testsuite/ChangeLog:
PR analyzer/113333
* c-c++-common/analyzer/calloc-1.c: Add tests.
* c-c++-common/analyzer/pr96639.c: Update expected results.
* gcc.dg/analyzer/data-model-9.c: Likewise.
Signed-off-by: David Malcolm <dmalcolm@redhat.com>
Changed in v5: regenerated
Changed in v4: regenerated
Changed in v3: regenerated
Changed in v2: the files now contain some lang-specific URLs.
gcc/ada/ChangeLog:
* gcc-interface/lang.opt.urls: New file, autogenerated by
regenerate-opt-urls.py.
gcc/analyzer/ChangeLog:
* analyzer.opt.urls: New file, autogenerated by
regenerate-opt-urls.py.
gcc/c-family/ChangeLog:
* c.opt.urls: New file, autogenerated by regenerate-opt-urls.py.
gcc/ChangeLog:
* common.opt.urls: New file, autogenerated by
regenerate-opt-urls.py.
* config/aarch64/aarch64.opt.urls: Likewise.
* config/alpha/alpha.opt.urls: Likewise.
* config/alpha/elf.opt.urls: Likewise.
* config/arc/arc-tables.opt.urls: Likewise.
* config/arc/arc.opt.urls: Likewise.
* config/arm/arm-tables.opt.urls: Likewise.
* config/arm/arm.opt.urls: Likewise.
* config/arm/vxworks.opt.urls: Likewise.
* config/avr/avr.opt.urls: Likewise.
* config/bpf/bpf.opt.urls: Likewise.
* config/c6x/c6x-tables.opt.urls: Likewise.
* config/c6x/c6x.opt.urls: Likewise.
* config/cris/cris.opt.urls: Likewise.
* config/cris/elf.opt.urls: Likewise.
* config/csky/csky.opt.urls: Likewise.
* config/csky/csky_tables.opt.urls: Likewise.
* config/darwin.opt.urls: Likewise.
* config/dragonfly.opt.urls: Likewise.
* config/epiphany/epiphany.opt.urls: Likewise.
* config/fr30/fr30.opt.urls: Likewise.
* config/freebsd.opt.urls: Likewise.
* config/frv/frv.opt.urls: Likewise.
* config/ft32/ft32.opt.urls: Likewise.
* config/fused-madd.opt.urls: Likewise.
* config/g.opt.urls: Likewise.
* config/gcn/gcn.opt.urls: Likewise.
* config/gnu-user.opt.urls: Likewise.
* config/h8300/h8300.opt.urls: Likewise.
* config/hpux11.opt.urls: Likewise.
* config/i386/cygming.opt.urls: Likewise.
* config/i386/cygwin.opt.urls: Likewise.
* config/i386/djgpp.opt.urls: Likewise.
* config/i386/i386.opt.urls: Likewise.
* config/i386/mingw-w64.opt.urls: Likewise.
* config/i386/mingw.opt.urls: Likewise.
* config/i386/nto.opt.urls: Likewise.
* config/ia64/ia64.opt.urls: Likewise.
* config/ia64/ilp32.opt.urls: Likewise.
* config/ia64/vms.opt.urls: Likewise.
* config/iq2000/iq2000.opt.urls: Likewise.
* config/linux-android.opt.urls: Likewise.
* config/linux.opt.urls: Likewise.
* config/lm32/lm32.opt.urls: Likewise.
* config/loongarch/loongarch.opt.urls: Likewise.
* config/lynx.opt.urls: Likewise.
* config/m32c/m32c.opt.urls: Likewise.
* config/m32r/m32r.opt.urls: Likewise.
* config/m68k/ieee.opt.urls: Likewise.
* config/m68k/m68k-tables.opt.urls: Likewise.
* config/m68k/m68k.opt.urls: Likewise.
* config/m68k/uclinux.opt.urls: Likewise.
* config/mcore/mcore.opt.urls: Likewise.
* config/microblaze/microblaze.opt.urls: Likewise.
* config/mips/mips-tables.opt.urls: Likewise.
* config/mips/mips.opt.urls: Likewise.
* config/mips/sde.opt.urls: Likewise.
* config/mmix/mmix.opt.urls: Likewise.
* config/mn10300/mn10300.opt.urls: Likewise.
* config/moxie/moxie.opt.urls: Likewise.
* config/msp430/msp430.opt.urls: Likewise.
* config/nds32/nds32-elf.opt.urls: Likewise.
* config/nds32/nds32-linux.opt.urls: Likewise.
* config/nds32/nds32.opt.urls: Likewise.
* config/netbsd-elf.opt.urls: Likewise.
* config/netbsd.opt.urls: Likewise.
* config/nios2/elf.opt.urls: Likewise.
* config/nios2/nios2.opt.urls: Likewise.
* config/nvptx/nvptx-gen.opt.urls: Likewise.
* config/nvptx/nvptx.opt.urls: Likewise.
* config/openbsd.opt.urls: Likewise.
* config/or1k/elf.opt.urls: Likewise.
* config/or1k/or1k.opt.urls: Likewise.
* config/pa/pa-hpux.opt.urls: Likewise.
* config/pa/pa-hpux1010.opt.urls: Likewise.
* config/pa/pa-hpux1111.opt.urls: Likewise.
* config/pa/pa-hpux1131.opt.urls: Likewise.
* config/pa/pa.opt.urls: Likewise.
* config/pa/pa64-hpux.opt.urls: Likewise.
* config/pdp11/pdp11.opt.urls: Likewise.
* config/pru/pru.opt.urls: Likewise.
* config/riscv/riscv.opt.urls: Likewise.
* config/rl78/rl78.opt.urls: Likewise.
* config/rpath.opt.urls: Likewise.
* config/rs6000/476.opt.urls: Likewise.
* config/rs6000/aix64.opt.urls: Likewise.
* config/rs6000/darwin.opt.urls: Likewise.
* config/rs6000/linux64.opt.urls: Likewise.
* config/rs6000/rs6000-tables.opt.urls: Likewise.
* config/rs6000/rs6000.opt.urls: Likewise.
* config/rs6000/sysv4.opt.urls: Likewise.
* config/rtems.opt.urls: Likewise.
* config/rx/elf.opt.urls: Likewise.
* config/rx/rx.opt.urls: Likewise.
* config/s390/s390.opt.urls: Likewise.
* config/s390/tpf.opt.urls: Likewise.
* config/sh/sh.opt.urls: Likewise.
* config/sh/superh.opt.urls: Likewise.
* config/sol2.opt.urls: Likewise.
* config/sparc/long-double-switch.opt.urls: Likewise.
* config/sparc/sparc.opt.urls: Likewise.
* config/stormy16/stormy16.opt.urls: Likewise.
* config/v850/v850.opt.urls: Likewise.
* config/vax/elf.opt.urls: Likewise.
* config/vax/vax.opt.urls: Likewise.
* config/visium/visium.opt.urls: Likewise.
* config/vms/vms.opt.urls: Likewise.
* config/vxworks-smp.opt.urls: Likewise.
* config/vxworks.opt.urls: Likewise.
* config/xtensa/elf.opt.urls: Likewise.
* config/xtensa/uclinux.opt.urls: Likewise.
* config/xtensa/xtensa.opt.urls: Likewise.
gcc/d/ChangeLog:
* lang.opt.urls: New file, autogenerated by
regenerate-opt-urls.py.
gcc/fortran/ChangeLog:
* lang.opt.urls: New file, autogenerated by
regenerate-opt-urls.py.
gcc/go/ChangeLog:
* lang.opt.urls: New file, autogenerated by
regenerate-opt-urls.py.
gcc/lto/ChangeLog:
* lang.opt.urls: New file, autogenerated by
regenerate-opt-urls.py.
gcc/m2/ChangeLog:
* lang.opt.urls: New file, autogenerated by
regenerate-opt-urls.py.
gcc/ChangeLog:
* params.opt.urls: New file, autogenerated by
regenerate-opt-urls.py.
gcc/rust/ChangeLog:
* lang.opt.urls: New file, autogenerated by
regenerate-opt-urls.py.
Signed-off-by: David Malcolm <dmalcolm@redhat.com>
|
|
As another followup to r14-6057-g12b67d1e13b3cf, optionally add SARIF
property bags to threadFlowLocation objects when writing out diagnostic
paths, and add analyzer-specific properties to them.
This was useful for debugging PR analyzer/112790.
gcc/analyzer/ChangeLog:
* checker-event.cc: Include "diagnostic-format-sarif.h" and
"tree-logical-location.h".
(checker_event::maybe_add_sarif_properties): New.
(superedge_event::maybe_add_sarif_properties): New.
(superedge_event::superedge_event): Add comment.
* checker-event.h (checker_event::maybe_add_sarif_properties): New
decl.
(superedge_event::maybe_add_sarif_properties): New decl.
gcc/ChangeLog:
* diagnostic-format-sarif.cc
(sarif_builder::make_logical_location_object): Convert to...
(make_sarif_logical_location_object): ...this.
(sarif_builder::set_any_logical_locs_arr): Update for above
change.
(sarif_builder::make_thread_flow_location_object): Call
maybe_add_sarif_properties on each diagnostic_event.
* diagnostic-format-sarif.h (class logical_location): New forward
decl.
(make_sarif_logical_location_object): New decl.
* diagnostic-path.h (class sarif_object): New forward decl.
(diagnostic_event::maybe_add_sarif_properties): New vfunc.
Signed-off-by: David Malcolm <dmalcolm@redhat.com>
|
|
gcc/analyzer/ChangeLog:
PR analyzer/112790
* checker-event.cc (class inlining_info): Move to...
* inlining-iterator.h (class inlining_info): ...here.
* sm-malloc.cc: Include "analyzer/inlining-iterator.h".
(maybe_complain_about_deref_before_check): Reject stmts that were
inlined from another function.
gcc/testsuite/ChangeLog:
PR analyzer/112790
* c-c++-common/analyzer/deref-before-check-pr112790.c: New test.
Signed-off-by: David Malcolm <dmalcolm@redhat.com>
|
|
gcc/analyzer/ChangeLog:
PR analyzer/113222
* access-diagram.cc (valid_region_spatial_item::add_boundaries):
Handle TYPE_DOMAIN being null.
(valid_region_spatial_item::add_array_elements_to_table):
Likewise.
gcc/testsuite/ChangeLog:
PR analyzer/113222
* gcc.dg/analyzer/out-of-bounds-diagram-pr113222.c: New test.
Signed-off-by: David Malcolm <dmalcolm@redhat.com>
|
|
|
|
2023 -> 2024
|
|
|
|
As a followup to r14-6057-g12b67d1e13b3cf, add SARIF property bags
for -Wanalyzer-out-of-bounds, to help with debugging these warnings.
This was very helpful with PR analyzer/112792.
gcc/analyzer/ChangeLog:
* analyzer.cc: Include "tree-pretty-print.h" and
"diagnostic-event-id.h".
(tree_to_json): New.
(diagnostic_event_id_to_json): New.
(bit_offset_to_json): New.
(byte_offset_to_json): New.
* analyzer.h (tree_to_json): New decl.
(diagnostic_event_id_to_json): New decl.
(bit_offset_to_json): New decl.
(byte_offset_to_json): New decl.
* bounds-checking.cc: Include "diagnostic-format-sarif.h".
(out_of_bounds::maybe_add_sarif_properties): New.
(concrete_out_of_bounds::maybe_add_sarif_properties): New.
(concrete_past_the_end::maybe_add_sarif_properties): New.
(symbolic_past_the_end::maybe_add_sarif_properties): New.
* region-model.cc (region_to_value_map::to_json): New.
(region_model::to_json): New.
* region-model.h (region_to_value_map::to_json): New decl.
(region_model::to_json): New decl.
* store.cc (bit_range::to_json): New.
(byte_range::to_json): New.
* store.h (bit_range::to_json): New decl.
(byte_range::to_json): New decl.
Signed-off-by: David Malcolm <dmalcolm@redhat.com>
|
|
PR analyzer/112792 reports false positives from -fanalyzer's
bounds-checking on certain packed structs containing bitfields e.g.
in the Linux kernel's drivers/dma/idxd/device.c:
union msix_perm {
struct {
u32 rsvd2 : 8;
u32 pasid : 20;
};
u32 bits;
} __attribute__((__packed__));
The root cause is that the bounds-checking is done using byte offsets
and ranges; in the above, an access of "pasid" is treated as a 32-bit
access starting one byte inside the union, thus accessing byte offsets
1-4 when only offsets 0-3 are valid.
This patch updates the bounds-checking to use bit offsets and ranges
wherever possible - for concrete offsets and capacities. In the above
accessing "pasid" is treated as bits 8-27 of a 32-bit region, fixing the
false positive.
Symbolic offsets and ranges are still handled at byte granularity.
gcc/analyzer/ChangeLog:
PR analyzer/112792
* bounds-checking.cc
(out_of_bounds::oob_region_creation_event_capacity): Rename
"capacity" to "byte_capacity". Layout fix.
(out_of_bounds::add_region_creation_events): Rename
"capacity" to "byte_capacity".
(class concrete_out_of_bounds): Rename m_out_of_bounds_range to
m_out_of_bounds_bits and convert from a byte_range to a bit_range.
(concrete_out_of_bounds::get_out_of_bounds_bytes): New.
(concrete_past_the_end::concrete_past_the_end): Rename param
"byte_bound" to "bit_bound". Initialize m_byte_bound.
(concrete_past_the_end::subclass_equal_p): Update for renaming
of m_byte_bound to m_bit_bound.
(concrete_past_the_end::m_bit_bound): New field.
(concrete_buffer_overflow::concrete_buffer_overflow): Convert
param "range" from byte_range to bit_range. Rename param
"byte_bound" to "bit_bound".
(concrete_buffer_overflow::emit): Update for bits vs bytes.
(concrete_buffer_overflow::describe_final_event): Split
into...
(concrete_buffer_overflow::describe_final_event_as_bytes): ...this
(concrete_buffer_overflow::describe_final_event_as_bits): ...and
this.
(concrete_buffer_over_read::concrete_buffer_over_read): Convert
param "range" from byte_range to bit_range. Rename param
"byte_bound" to "bit_bound".
(concrete_buffer_over_read::emit): Update for bits vs bytes.
(concrete_buffer_over_read::describe_final_event): Split into...
(concrete_buffer_over_read::describe_final_event_as_bytes):
...this
(concrete_buffer_over_read::describe_final_event_as_bits): ...and
this.
(concrete_buffer_underwrite::concrete_buffer_underwrite): Convert
param "range" from byte_range to bit_range.
(concrete_buffer_underwrite::describe_final_event): Split into...
(concrete_buffer_underwrite::describe_final_event_as_bytes):
...this
(concrete_buffer_underwrite::describe_final_event_as_bits): ...and
this.
(concrete_buffer_under_read::concrete_buffer_under_read): Convert
param "range" from byte_range to bit_range.
(concrete_buffer_under_read::describe_final_event): Split into...
(concrete_buffer_under_read::describe_final_event_as_bytes):
...this
(concrete_buffer_under_read::describe_final_event_as_bits): ...and
this.
(region_model::check_region_bounds): Use bits for concrete values,
and rename locals to indicate whether we're dealing with bits or
bytes. Specifically, replace "num_bytes_sval" with
"num_bits_sval", and get it from reg's "get_bit_size_sval".
Replace "num_bytes_tree" with "num_bits_tree". Rename "capacity"
to "byte_capacity". Rename "cst_capacity_tree" to
"cst_byte_capacity_tree". Replace "offset" and
"num_bytes_unsigned" with "bit_offset" and "num_bits_unsigned"
respectively, converting from byte_offset_t to bit_offset_t.
Replace "out" and "read_bytes" with "bits_outside" and "read_bits"
respectively, converting from byte_range to bit_range. Convert
"buffer" from byte_range to bit_range. Replace "byte_bound" with
"bit_bound".
* region.cc (region::get_bit_size_sval): New.
(offset_region::get_bit_offset): New.
(offset_region::get_bit_size_sval): New.
(sized_region::get_bit_size_sval): New.
(bit_range_region::get_bit_size_sval): New.
* region.h (region::get_bit_size_sval): New vfunc.
(offset_region::get_bit_offset): New decl.
(offset_region::get_bit_size_sval): New decl.
(sized_region::get_bit_size_sval): New decl.
(bit_range_region::get_bit_size_sval): New decl.
* store.cc (bit_range::intersects_p): New, based on
byte_range::intersects_p.
(bit_range::exceeds_p): New, based on byte_range::exceeds_p.
(bit_range::falls_short_of_p): New, based on
byte_range::falls_short_of_p.
(byte_range::intersects_p): Delete.
(byte_range::exceeds_p): Delete.
(byte_range::falls_short_of_p): Delete.
* store.h (bit_range::intersects_p): New overload.
(bit_range::exceeds_p): New.
(bit_range::falls_short_of_p): New.
(byte_range::intersects_p): Delete.
(byte_range::exceeds_p): Delete.
(byte_range::falls_short_of_p): Delete.
gcc/testsuite/ChangeLog:
PR analyzer/112792
* c-c++-common/analyzer/out-of-bounds-pr112792.c: New test.
Signed-off-by: David Malcolm <dmalcolm@redhat.com>
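The root cause described in the commit message above, as an added example that is not part of the GCC analyzer or of this commit: a toy model of the old byte-granularity bounds check next to the bit-granularity check the patch introduces, run against the page's own `msix_perm` union. The `range_t`, `exceeds_p`, `byte_check_out_of_bounds`, `bit_check_out_of_bounds` and `locate_pasid` names are assumptions made for this illustration, not analyzer APIs. It also assumes a GCC-style little-endian target, where bitfields are allocated from the least significant bit upwards, so that `rsvd2` occupies bits 0-7 and `pasid` bits 8-27.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

typedef uint32_t u32;

/* The packed union from the commit message (Linux drivers/dma/idxd/device.c). */
union msix_perm {
    struct {
        u32 rsvd2 : 8;
        u32 pasid : 20;
    };
    u32 bits;
} __attribute__((__packed__));

/* Hypothetical half-open range [start, start + size), in bits or bytes
   depending on which check uses it.  Illustration only, not analyzer code. */
typedef struct {
    uint64_t start;
    uint64_t size;
} range_t;

/* True when the range runs past a region holding `capacity` units. */
static bool exceeds_p(range_t r, uint64_t capacity)
{
    return r.start + r.size > capacity;
}

/* Old behaviour (byte granularity): the bit offset is rounded down to a
   byte offset and the access is widened to its 32-bit storage unit, so
   `pasid` looks like a 4-byte access starting at byte 1 of a 4-byte union. */
static bool byte_check_out_of_bounds(uint64_t bit_offset, uint64_t unit_bits,
                                     uint64_t capacity_bytes)
{
    range_t bytes = { bit_offset / 8, unit_bits / 8 };
    return exceeds_p(bytes, capacity_bytes);
}

/* New behaviour (bit granularity): only the bits the field occupies are
   compared against the region's capacity expressed in bits. */
static bool bit_check_out_of_bounds(uint64_t bit_offset, uint64_t bit_size,
                                    uint64_t capacity_bytes)
{
    range_t bits = { bit_offset, bit_size };
    return exceeds_p(bits, capacity_bytes * 8);
}

typedef struct {
    uint64_t bit_offset;
    uint64_t bit_size;
} field_loc;

/* Recover where `pasid` lives by writing all-ones (0xFFFFF, the maximum
   20-bit value) through it and reading the overlapping `bits` member.
   Assumes LSB-first bitfield allocation (GCC on little-endian targets). */
static field_loc locate_pasid(void)
{
    union msix_perm p = { .bits = 0 };
    p.pasid = 0xFFFFFu;
    uint32_t mask = p.bits;
    field_loc loc = { 0, 0 };
    while (loc.bit_offset < 32 && !((mask >> loc.bit_offset) & 1u))
        loc.bit_offset++;
    while (loc.bit_offset + loc.bit_size < 32 &&
           ((mask >> (loc.bit_offset + loc.bit_size)) & 1u))
        loc.bit_size++;
    return loc;
}

/* The false positive: byte-granularity flags the in-bounds `pasid` read. */
static bool pasid_flagged_by_byte_check(void)
{
    field_loc loc = locate_pasid();
    return byte_check_out_of_bounds(loc.bit_offset, 32, sizeof(union msix_perm));
}

/* The fix: bit-granularity sees bits 8-27 inside a 32-bit region. */
static bool pasid_flagged_by_bit_check(void)
{
    field_loc loc = locate_pasid();
    return bit_check_out_of_bounds(loc.bit_offset, loc.bit_size,
                                   sizeof(union msix_perm));
}

/* A genuine overflow (16 bits starting at bit 24 of a 4-byte region,
   i.e. bits 24-39) is still reported by the bit-granularity check. */
static bool genuine_overflow_still_caught(void)
{
    return bit_check_out_of_bounds(24, 16, sizeof(union msix_perm));
}

int main(void)
{
    field_loc loc = locate_pasid();
    printf("pasid: bit offset %llu, bit size %llu, union is %zu bytes\n",
           (unsigned long long)loc.bit_offset, (unsigned long long)loc.bit_size,
           sizeof(union msix_perm));
    printf("byte-granularity check flags pasid: %s\n",
           pasid_flagged_by_byte_check() ? "yes (false positive)" : "no");
    printf("bit-granularity check flags pasid:  %s\n",
           pasid_flagged_by_bit_check() ? "yes" : "no");
    printf("bit-granularity check flags real overflow: %s\n",
           genuine_overflow_still_caught() ? "yes" : "no");
    return 0;
}
```

The widening to the 32-bit storage unit in `byte_check_out_of_bounds` is what turns an access to bits 8-27 into "bytes 1-4", one byte past the end of the four-byte union; keeping the comparison in bits, as the patch does for concrete offsets, removes that rounding without weakening the check for accesses that really do run past the end.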
|
|
|
|
Avoid copying eedges in infinite_loop::infinite_loop.
Use initializer lists in the various places reported in
PR analyzer/112655 (apart from coord_test's ctor, which
would require nontrivial refactoring).
gcc/analyzer/ChangeLog:
PR analyzer/112655
* infinite-loop.cc (infinite_loop::infinite_loop): Pass eedges
via rvalue reference rather than by value.
(starts_infinite_loop_p): Move eedges when constructing an
infinite_loop instance.
* sm-file.cc (fileptr_state_machine::fileptr_state_machine): Use
initializer list for states.
* sm-sensitive.cc
(sensitive_state_machine::sensitive_state_machine): Likewise.
* sm-signal.cc (signal_state_machine::signal_state_machine):
Likewise.
* sm-taint.cc (taint_state_machine::taint_state_machine):
Likewise.
* varargs.cc (va_list_state_machine::va_list_state_machine): Likewise.
Signed-off-by: David Malcolm <dmalcolm@redhat.com>
|