| blob | 0524750d7a3c0bd8e53c0a488a185e44bf9653d6 |
1 /* The analysis "engine".
2 Copyright (C) 2019-2024 Free Software Foundation, Inc.
3 Contributed by David Malcolm <dmalcolm@redhat.com>.
5 This file is part of GCC.
7 GCC is free software; you can redistribute it and/or modify it
8 under the terms of the GNU General Public License as published by
9 the Free Software Foundation; either version 3, or (at your option)
10 any later version.
12 GCC is distributed in the hope that it will be useful, but
13 WITHOUT ANY WARRANTY; without even the implied warranty of
14 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
15 General Public License for more details.
17 You should have received a copy of the GNU General Public License
18 along with GCC; see the file COPYING3. If not see
19 <http://www.gnu.org/licenses/>. */
22 #define INCLUDE_MEMORY
23 #define INCLUDE_VECTOR
63 #include <zlib.h>
66 #include <memory>
74 /* For an overview, see gcc/doc/analyzer.texi. */
76 #if ENABLE_ANALYZER
80 /* class impl_region_model_context : public region_model_context. */
102 {
103 }
119 {
120 }
122 bool
125 {
129 {
133 }
135 {
139 m_stmt,
140 curr_stmt_finder);
143 {
145 && terminate_path
149 }
150 }
152 }
154 void
156 {
160 }
162 void
164 {
168 }
170 void
173 {
176 }
178 void
182 {
185 }
187 void
190 {
195 }
197 void
199 {
201 }
203 uncertainty_t *
205 {
207 }
209 /* Purge state involving SVAL. The region_model has already been purged,
210 so we only need to purge other state in the program_state:
211 the sm-state. */
213 void
215 {
220 }
222 void
224 {
227 }
229 void
231 {
234 }
236 /* struct setjmp_record. */
238 int
240 {
245 }
247 /* class setjmp_svalue : public svalue. */
249 /* Implementation of svalue::accept vfunc for setjmp_svalue. */
251 void
253 {
255 }
257 /* Implementation of svalue::dump_to_pp vfunc for setjmp_svalue. */
259 void
261 {
264 else
266 }
268 /* Implementation of svalue::print_dump_widget_label vfunc for
269 setjmp_svalue. */
271 void
273 {
275 }
277 /* Implementation of svalue::add_dump_widget_children vfunc for
278 setjmp_svalue. */
280 void
284 {
285 /* No children. */
286 }
288 /* Get the index of the stored exploded_node. */
290 int
292 {
294 }
296 /* Concrete implementation of sm_context, wiring it up to the rest of this
297 file. */
300 {
321 {
322 }
327 {
328 impl_region_model_context old_ctxt
333 }
336 tree var) final override
337 {
340 /* Use NULL ctxt on this get_rvalue call to avoid triggering
341 uninitialized value warnings. */
348 }
351 {
357 }
361 tree var,
363 tree origin) final override
364 {
372 /* We use the new sval here to avoid issues with uninitialized values. */
378 var,
383 }
388 tree origin) final override
389 {
392 impl_region_model_context old_ctxt
402 {
411 }
414 }
417 tree var,
419 {
425 = (var
434 && terminate_path
437 }
442 {
446 = (sval
455 && terminate_path
458 }
460 /* Hook for picking more readable trees for SSA names of temporaries,
461 so that rather than e.g.
462 "double-free of '<unknown>'"
463 we can print:
464 "double-free of 'inbuf.data'". */
467 {
468 /* Only for SSA_NAMEs of temporaries; otherwise, return EXPR, as it's
469 likely to be the least surprising tree to report. */
477 /* Find trees for all regions storing the value. */
480 else
482 }
485 {
487 }
490 {
492 }
495 {
497 }
500 {
502 }
505 {
508 m_sm_idx);
509 }
512 {
516 impl_region_model_context old_ctxt
525 }
528 {
530 }
533 {
535 }
538 {
540 }
543 {
545 }
547 log_user m_logger;
557 /* Are we handling an external function with unknown side effects? */
559 };
561 bool
568 {
584 {
586 *out_sm_context
588 sm_idx,
590 m_enode_for_diag,
591 m_old_state,
592 m_new_state,
593 old_smap,
594 new_smap,
595 m_path_ctxt,
596 m_stmt_finder,
598 }
600 }
602 /* Subclass of stmt_finder for finding the best stmt to report the leak at,
603 given the emission path. */
606 {
612 {
614 }
617 final override
618 {
623 {
624 /* Locate the final write to this SSA name in the path. */
632 /* What was the next write to the underlying var
633 after the SSA name was set? (if any). */
638 {
642 idx,
651 {
656 }
657 }
658 }
660 not_found:
662 /* Look backwards for the first statement with a location. */
666 {
669 i,
678 }
682 }
685 {
686 /* No-op. */
687 }
691 tree m_var;
692 };
694 /* A measurement of how good EXPR is for presenting to the user, so
695 that e.g. we can say prefer printing
696 "leak of 'tmp.m_ptr'"
697 over:
698 "leak of '<unknown>'". */
700 static int
702 {
703 /* Arbitrarily-chosen "high readability" value. */
708 {
711 /* Impose a slight readability penalty relative to that of
712 operand 0. */
716 {
718 {
720 {
721 /* If we have an SSA name for an artificial var,
722 only use it if it has a debug expr associated with
723 it that fixup_tree_for_diagnostic can use. */
726 }
727 else
728 {
729 /* Slightly favor the underlying var over the SSA name to
730 avoid having them compare equal. */
732 }
733 }
734 /* Avoid printing '<unknown>' for SSA names for temporaries. */
736 }
743 else
744 /* We don't want to print temporaries. For example, the C FE
745 prints them as e.g. "<Uxxxx>" where "xxxx" is the low 16 bits
746 of the tree pointer (see pp_c_tree_decl_identifier). */
750 /* Printing "<return-value>" isn't ideal, but is less awful than
751 trying to print a temporary. */
755 {
756 /* Impose a moderate readability penalty for casts. */
759 }
766 }
769 }
771 /* A qsort comparator for trees to sort them into most user-readable to
772 least user-readable. */
774 int
776 {
783 /* Favor items that are deeper on the stack and hence more recent;
784 this also favors locals over globals. */
789 /* Combine the scores from the tree and from the stack depth.
790 This e.g. lets us have a slightly penalized cast in the most
791 recent stack frame "beat" an uncast value in an older stack frame. */
797 /* Otherwise, more readable trees win. */
801 /* Otherwise, if they have the same readability, then impose an
802 arbitrary deterministic ordering on them. */
808 {
822 }
824 /* TODO: We ought to find ways of sorting such cases. */
826 }
828 /* Return true is SNODE is the EXIT node of a function, or is one
829 of the final snodes within its function.
831 Specifically, handle the final supernodes before the EXIT node,
832 for the case of clobbers that happen immediately before exiting.
833 We need a run of snodes leading to the return_p snode, where all edges are
834 intraprocedural, and every snode has just one successor.
836 We use this when suppressing leak reports at the end of "main". */
838 static bool
840 {
847 {
857 /* Impose a limit to ensure we terminate for pathological cases.
859 We only care about the final 3 nodes, due to cases like:
860 BB:
861 (clobber causing leak)
863 BB:
864 <label>:
865 return _val;
867 EXIT BB.*/
870 }
871 }
873 /* Find the best tree for SVAL and call SM's on_leak vfunc with it.
874 If on_leak returns a pending_diagnostic, queue it up to be reported,
875 so that we potentially complain about a leak of SVAL in the given STATE. */
877 void
881 {
885 {
890 }
895 /* m_old_state also needs to be non-NULL so that the sm_ctxt can look
896 up the old state of SVAL. */
899 /* SVAL has leaked within the new state: it is not used by any reachable
900 regions.
901 We need to convert it back to a tree, but since it's likely no regions
902 use it, we have to find the "best" tree for it in the old_state. */
903 svalue_set visited;
904 path_var leaked_pv
909 /* Strip off top-level casts */
913 /* This might be NULL; the pending_diagnostic subclasses need to cope
914 with this. */
917 {
920 else
922 }
927 /* Don't complain about leaks when returning from "main". */
929 {
932 {
936 }
937 }
942 {
945 m_stmt,
950 }
951 }
953 /* Implementation of region_model_context::on_condition vfunc.
954 Notify all state machines about the condition, which could lead to
955 state transitions. */
957 void
961 {
965 {
971 m_path_ctxt);
973 (m_enode_for_diag
976 m_stmt,
978 }
979 }
981 /* Implementation of region_model_context::on_bounded_ranges vfunc.
982 Notify all state machines about the ranges, which could lead to
983 state transitions. */
985 void
988 {
992 {
998 m_path_ctxt);
1000 (m_enode_for_diag
1004 }
1005 }
1007 /* Implementation of region_model_context::on_pop_frame vfunc.
1008 Notify all state machines about the frame being popped, which
1009 could lead to states being discarded. */
1011 void
1013 {
1017 {
1020 }
1021 }
1023 /* Implementation of region_model_context::on_phi vfunc.
1024 Notify all state machines about the phi, which could lead to
1025 state transitions. */
1027 void
1029 {
1033 {
1039 m_path_ctxt);
1041 }
1042 }
1044 /* Implementation of region_model_context::on_unexpected_tree_code vfunc.
1045 Mark the new state as being invalid for further exploration.
1046 TODO(stage1): introduce a warning for when this occurs. */
1048 void
1051 {
1061 }
1063 /* Implementation of region_model_context::maybe_did_work vfunc.
1064 Mark that "externally visible work" has occurred, and thus we
1065 shouldn't report an infinite loop here. */
1067 void
1069 {
1072 }
1074 /* struct point_and_state. */
1076 /* Assert that this object is sane. */
1078 void
1080 {
1081 /* Skip this in a release build. */
1082 #if !CHECKING_P
1084 #endif
1090 /* Verify that the callstring's model of the stack corresponds to that
1091 of the region_model. */
1092 /* They should have the same depth. */
1095 /* Check the functions in the callstring vs those in the frames
1096 at each depth. */
1100 {
1104 }
1105 }
1107 /* Subroutine of print_enode_indices: print a run of indices from START_IDX
1108 to END_IDX to PP, using and updating *FIRST_RUN. */
1110 static void
1113 {
1119 else
1121 }
1123 /* Print the indices within ENODES to PP, collecting them as
1124 runs/singletons e.g. "EN: 4-7, EN: 20-23, EN: 42". */
1126 static void
1129 {
1136 {
1138 {
1141 }
1142 else
1143 {
1145 /* Continuation of a run. */
1147 else
1148 {
1149 /* Finish existing run, start a new one. */
1155 }
1156 }
1157 }
1158 /* Finish any existing run. */
1160 {
1164 }
1165 }
1167 /* struct eg_traits::dump_args_t. */
1169 /* The <FILENAME>.eg.dot output can quickly become unwieldy if we show
1170 full details for all enodes (both in terms of CPU time to render it,
1171 and in terms of being meaningful to a human viewing it).
1173 If we show just the IDs then the resulting graph is usually viewable,
1174 but then we have to keep switching back and forth between the .dot
1175 view and other dumps.
1177 This function implements a heuristic for showing detail at the enodes
1178 that (we hope) matter, and just the ID at other enodes, fixing the CPU
1179 usage of the .dot viewer, and drawing the attention of the viewer
1180 to these enodes.
1182 Return true if ENODE should be shown in detail in .dot output.
1183 Return false if no detail should be shown for ENODE. */
1185 bool
1187 {
1188 /* If the number of exploded nodes isn't too large, we may as well show
1189 all enodes in full detail in the .dot output. */
1194 /* Otherwise, assume that what's most interesting are state explosions,
1195 and thus the places where this happened.
1196 Expand enodes at program points where we hit the per-enode limit, so we
1197 can investigate what exploded. */
1201 }
1203 /* class exploded_node : public dnode<eg_traits>. */
1207 {
1209 {
1215 }
1216 }
1218 /* exploded_node's ctor. */
1224 {
1226 }
1228 /* Get the stmt that was processed in this enode at index IDX.
1229 IDX is an index within the stmts processed at this enode, rather
1230 than within those of the supernode. */
1234 {
1243 }
1245 /* For use by dump_dot, get a value for the .dot "fillcolor" attribute.
1246 Colorize by sm-state, to make it easier to see how sm-state propagates
1247 through the exploded_graph. */
1251 {
1254 /* We want to be able to easily distinguish the no-sm-state case,
1255 and to be able to distinguish cases where there's a single state
1256 from each other.
1258 Sum the sm_states, and use the result to choose from a table,
1259 modulo table-size, special-casing the "no sm-state" case. */
1264 {
1270 }
1273 {
1274 /* An arbitrarily-picked collection of light colors. */
1281 }
1282 else
1283 /* No sm-state. */
1285 }
1287 /* Implementation of dnode::dump_dot vfunc for exploded_node. */
1289 void
1291 {
1307 {
1318 }
1328 /* It can be hard to locate the saved diagnostics as text within the
1329 enode nodes, so add extra nodes to the graph for each saved_diagnostic,
1330 highlighted in red.
1331 Compare with dump_saved_diagnostics. */
1332 {
1336 {
1339 /* Add edge connecting this enode to the saved_diagnostic. */
1345 }
1346 }
1349 }
1351 /* Show any stmts that were processed within this enode,
1352 and their index within the supernode. */
1353 void
1355 {
1357 {
1366 {
1372 }
1373 }
1374 }
1376 /* Dump any saved_diagnostics at this enode to PP. */
1378 void
1380 {
1384 {
1388 }
1389 }
1391 /* Dump this to PP in a form suitable for use as an id in .dot output. */
1393 void
1395 {
1397 }
1399 /* Dump a multiline representation of this node to PP. */
1401 void
1404 {
1414 }
1416 /* Dump a multiline representation of this node to FILE. */
1418 void
1421 {
1424 }
1426 /* Dump a multiline representation of this node to stderr. */
1428 DEBUG_FUNCTION void
1430 {
1432 }
1434 /* Return a new json::object of the form
1435 {"point" : object for program_point,
1436 "state" : object for program_state,
1437 "status" : str,
1438 "idx" : int,
1439 "processed_stmts" : int}. */
1443 {
1453 }
1457 /* Return true if FNDECL has a gimple body. */
1458 // TODO: is there a pre-canned way to do this?
1460 bool
1462 {
1471 }
1475 /* Modify STATE in place, applying the effects of the stmt at this node's
1476 point. */
1486 {
1490 {
1494 }
1496 /* Update input_location in case of ICE: make it easier to track down which
1497 source construct we're failing to handle. */
1502 /* Preserve the old state. It is used here for looking
1503 up old checker states, for determining state transitions, and
1504 also within impl_region_model_context and impl_sm_context for
1505 going from tree to svalue_id. */
1511 out_could_have_done_work);
1513 /* Handle call summaries here. */
1517 {
1519 per_function_data *called_fn_data
1522 {
1525 snode,
1527 state,
1528 path_ctxt,
1532 }
1533 }
1547 {
1554 unknown_side_effects);
1556 /* Allow the state_machine to handle the stmt. */
1559 }
1567 }
1569 /* Handle the pre-sm-state part of STMT, modifying STATE in-place.
1570 Write true to *OUT_TERMINATE_PATH if the path should be terminated.
1571 Write true to *OUT_UNKNOWN_SIDE_EFFECTS if the stmt has unknown
1572 side effects. */
1574 void
1581 {
1582 /* Handle special-case calls that require the full program_state. */
1584 {
1586 {
1587 /* Handle the builtin "__analyzer_dump" by dumping state
1588 to stderr. */
1591 }
1593 {
1595 ctxt);
1597 }
1599 {
1604 }
1606 {
1612 }
1613 }
1615 /* Otherwise, defer to m_region_model. */
1617 out_unknown_side_effects,
1618 ctxt);
1619 }
1621 /* Handle the post-sm-state part of STMT, modifying STATE in-place. */
1623 void
1628 {
1631 }
1633 /* A concrete call_info subclass representing a replay of a call summary. */
1636 {
1646 {}
1651 {
1652 /* Update STATE based on summary_end_state. */
1657 }
1662 {
1663 /* Update STATE based on summary_end_state. */
1669 }
1672 {
1674 }
1680 };
1682 /* Use PATH_CTXT to bifurcate, which when handled will add custom edges
1683 for a replay of the various feasible summaries in CALLED_FN_DATA. */
1694 {
1698 /* Each summary will call bifurcate on the PATH_CTXT. */
1705 }
1707 /* Use PATH_CTXT to bifurcate, which when handled will add a
1708 custom edge for a replay of SUMMARY, if the summary's
1709 conditions are feasible based on the current state. */
1711 void
1720 {
1736 {
1748 }
1757 called_fn,
1758 summary,
1759 ext_state));
1760 }
1763 /* Consider the effect of following superedge SUCC from this node.
1765 Return true if it's feasible to follow the edge, or false
1766 if it's infeasible.
1768 Examples: if it's the "true" branch within
1769 a CFG and we know the conditional is false, we know it's infeasible.
1770 If it's one of multiple interprocedual "return" edges, then only
1771 the edge back to the most recent callsite is feasible.
1773 Update NEXT_STATE accordingly (e.g. to record that a condition was
1774 true or false, or that the NULL-ness of a pointer has been checked,
1775 pushing/popping stack frames, etc).
1777 Update NEXT_POINT accordingly (updating the call string). */
1779 bool
1785 {
1795 }
1797 /* Verify that the stack at LONGJMP_POINT is still valid, given a call
1798 to "setjmp" at SETJMP_POINT - the stack frame that "setjmp" was
1799 called in must still be valid.
1801 Caveat: this merely checks the call_strings in the points; it doesn't
1802 detect the case where a frame returns and is then called again. */
1804 static bool
1807 {
1814 /* Check that the call strings match, up to the depth of the
1815 setjmp point. */
1821 }
1823 /* A pending_diagnostic subclass for complaining about bad longjmps,
1824 where the enclosing function of the "setjmp" has returned (and thus
1825 the stack frame no longer exists). */
1828 {
1834 {}
1837 {
1839 }
1842 {
1846 }
1852 {
1855 }
1857 bool
1860 final override
1861 {
1862 /* Detect exactly when the stack first becomes invalid,
1863 and issue an event then. */
1872 {
1873 /* Compare with diagnostic_manager::add_events_for_superedge. */
1878 src_stack_depth),
1880 emission_path->add_event
1883 }
1885 }
1888 {
1895 else
1900 }
1906 program_point m_setjmp_point;
1908 };
1910 /* Handle LONGJMP_CALL, a call to longjmp or siglongjmp.
1912 Attempt to locate where setjmp/sigsetjmp was called on the jmp_buf and build
1913 an exploded_node and exploded_edge to it representing a rewind to that frame,
1914 handling the various kinds of failure that can occur. */
1916 void
1921 {
1928 ctxt);
1939 /* Build a custom enode and eedge for rewinding from the longjmp/siglongjmp
1940 call back to the setjmp/sigsetjmp. */
1948 /* Verify that the setjmp's call_stack hasn't been popped. */
1950 {
1952 longjmp_call,
1953 setjmp_point));
1955 }
1960 /* Update the state for use by the destination node. */
1962 /* Stash the current number of diagnostics so that we can update
1963 any that this adds to show where the longjmp is rewinding to. */
1971 /* Detect leaks in the new state relative to the old state. */
1975 program_point next_point
1979 exploded_node *next
1982 /* Create custom exploded_edge for a longjmp. */
1984 {
1985 exploded_edge *eedge
1988 longjmp_call));
1990 /* For any diagnostics that were queued here (such as leaks) we want
1991 the checker_path to show the rewinding events after the "final event"
1992 so that the user sees where the longjmp is rewinding to (otherwise the
1993 path is meaningless).
1995 For example, we want to emit something like:
1996 | NN | {
1997 | NN | longjmp (env, 1);
1998 | | ~~~~~~~~~~~~~~~~
1999 | | |
2000 | | (10) 'ptr' leaks here; was allocated at (7)
2001 | | (11) rewinding from 'longjmp' in 'inner'...
2002 |
2003 <-------------+
2004 |
2005 'outer': event 12
2006 |
2007 | NN | i = setjmp(env);
2008 | | ^~~~~~
2009 | | |
2010 | | (12) ...to 'setjmp' in 'outer' (saved at (2))
2012 where the "final" event above is event (10), but we want to append
2013 events (11) and (12) afterwards.
2015 Do this by setting m_trailing_eedge on any diagnostics that were
2016 just saved. */
2019 {
2022 }
2023 }
2024 }
2026 /* Subroutine of exploded_graph::process_node for finding the successors
2027 of the supernode for a function exit basic block.
2029 Ensure that pop_frame is called, potentially queuing diagnostics about
2030 leaks. */
2032 void
2034 {
2039 /* If we're not a "top-level" function, do nothing; pop_frame
2040 will be called when handling the return superedge. */
2044 /* We have a "top-level" function. */
2049 /* Work with a temporary copy of the state: pop the frame, and see
2050 what leaks (via purge_unused_svalues). */
2055 uncertainty_t uncertainty;
2063 }
2065 /* Dump the successors and predecessors of this enode to OUTF. */
2067 void
2069 {
2072 {
2076 pretty_printer pp;
2080 }
2081 {
2085 pretty_printer pp;
2089 }
2090 }
2092 /* class dynamic_call_info_t : public custom_edge_info. */
2094 /* Implementation of custom_edge_info::update_model vfunc
2095 for dynamic_call_info_t.
2097 Update state for a dynamically discovered call (or return), by pushing
2098 or popping the a frame for the appropriate function. */
2100 bool
2104 {
2108 else
2109 {
2112 }
2114 }
2116 /* Implementation of custom_edge_info::add_events_to_path vfunc
2117 for dynamic_call_info_t. */
2119 void
2122 {
2131 emission_path->add_event
2137 dest_stack_depth)));
2138 else
2139 emission_path->add_event
2145 src_stack_depth)));
2146 }
2148 /* class rewind_info_t : public custom_edge_info. */
2150 /* Implementation of custom_edge_info::update_model vfunc
2151 for rewind_info_t.
2153 Update state for the special-case of a rewind of a longjmp
2154 to a setjmp (which doesn't have a superedge, but does affect
2155 state). */
2157 bool
2161 {
2173 }
2175 /* Implementation of custom_edge_info::add_events_to_path vfunc
2176 for rewind_info_t. */
2178 void
2181 {
2189 emission_path->add_event
2194 src_stack_depth),
2196 emission_path->add_event
2201 dst_stack_depth),
2203 }
2205 /* class exploded_edge : public dedge<eg_traits>. */
2207 /* exploded_edge's ctor. */
2215 {
2216 }
2218 /* Implementation of dedge::dump_dot vfunc for exploded_edge.
2219 Use the label of the underlying superedge, if any. */
2221 void
2223 {
2230 }
2232 /* Second half of exploded_edge::dump_dot. This is split out
2233 for use by trimmed_graph::dump_dot and base_feasible_edge::dump_dot. */
2235 void
2237 {
2245 {
2252 //constraint = "false";
2256 //constraint = "false";
2261 }
2263 {
2266 }
2281 //pp_write_text_as_dot_label_to_stream (pp, /*for_record=*/false);
2284 }
2286 /* Return a new json::object of the form
2287 {"src_idx": int, the index of the source exploded edge,
2288 "dst_idx": int, the index of the destination exploded edge,
2289 "sedge": (optional) object for the superedge, if any,
2290 "custom": (optional) str, a description, if this is a custom edge}. */
2294 {
2301 {
2302 pretty_printer pp;
2306 }
2308 }
2310 /* struct stats. */
2312 /* stats' ctor. */
2318 {
2321 }
2323 /* Log these stats in multiline form to LOGGER. */
2325 void
2327 {
2336 m_node_reuse_after_merge_count);
2337 }
2339 /* Dump these stats in multiline form to OUT. */
2341 void
2343 {
2351 m_node_reuse_after_merge_count);
2356 }
2358 /* Return the total number of enodes recorded within this object. */
2360 int
2362 {
2367 }
2369 /* struct per_function_data. */
2372 {
2375 }
2377 void
2379 {
2381 }
2383 /* strongly_connected_components's ctor. Tarjan's SCC algorithm. */
2388 {
2401 }
2403 /* Dump this object to stderr. */
2405 DEBUG_FUNCTION void
2407 {
2409 {
2413 }
2414 }
2416 /* Return a new json::array of per-snode SCC ids. */
2420 {
2425 }
2427 /* Subroutine of strongly_connected_components's ctor, part of Tarjan's
2428 SCC algorithm. */
2430 void
2432 {
2435 /* Set the depth index for v to the smallest unused index. */
2441 index++;
2443 /* Consider successors of v. */
2447 {
2454 {
2455 /* Successor w has not yet been visited; recurse on it. */
2458 }
2460 {
2461 /* Successor w is in stack S and hence in the current SCC
2462 If w is not on stack, then (v, w) is a cross-edge in the DFS
2463 tree and must be ignored. */
2465 }
2466 }
2468 /* If v is a root node, pop the stack and generate an SCC. */
2471 {
2478 }
2479 }
2481 /* worklist's ctor. */
2487 {
2488 }
2490 /* Return the number of nodes in the worklist. */
2492 unsigned
2494 {
2496 }
2498 /* Return the next node in the worklist, removing it. */
2500 exploded_node *
2502 {
2504 }
2506 /* Return the next node in the worklist without removing it. */
2508 exploded_node *
2510 {
2512 }
2514 /* Add ENODE to the worklist. */
2516 void
2518 {
2521 }
2523 /* Comparator for implementing worklist::key_t comparison operators.
2524 Return negative if KA is before KB
2525 Return positive if KA is after KB
2526 Return 0 if they are equal.
2528 The ordering of the worklist is critical for performance and for
2529 avoiding node explosions. Ideally we want all enodes at a CFG join-point
2530 with the same callstring to be sorted next to each other in the worklist
2531 so that a run of consecutive enodes can be merged and processed "in bulk"
2532 rather than individually or pairwise, minimizing the number of new enodes
2533 created. */
2535 int
2537 {
2543 /* Order empty-callstring points with different functions based on the
2544 analysis_plan, so that we generate summaries before they are used. */
2551 {
2555 }
2557 /* Sort by callstring, so that nodes with deeper call strings are processed
2558 before those with shallower call strings.
2559 If we have
2560 splitting BB
2561 / \
2562 / \
2563 fn call no fn call
2564 \ /
2565 \ /
2566 join BB
2567 then we want the path inside the function call to be fully explored up
2568 to the return to the join BB before we explore on the "no fn call" path,
2569 so that both enodes at the join BB reach the front of the worklist at
2570 the same time and thus have a chance of being merged. */
2575 /* Order by SCC. */
2581 /* If in same SCC, order by supernode index (an arbitrary but stable
2582 ordering). */
2586 {
2588 /* One is NULL. */
2590 else
2591 /* Both are NULL. */
2593 }
2595 /* One is NULL. */
2597 /* Neither are NULL. */
2604 /* Order within supernode via program point. */
2605 int within_snode_cmp
2611 /* Otherwise, we ought to have the same program_point. */
2617 /* Sort by sm-state, so that identical sm-states are grouped
2618 together in the worklist. */
2621 {
2627 }
2629 /* Otherwise, we have two enodes at the same program point but with
2630 different states. We don't have a good total ordering on states,
2631 so order them by enode index, so that we have at least have a
2632 stable sort. */
2634 }
2636 /* Return a new json::object of the form
2637 {"scc" : [per-snode-IDs]}, */
2641 {
2646 /* The following field isn't yet being JSONified:
2647 queue_t m_queue; */
2650 }
2652 /* exploded_graph's ctor. */
2668 {
2669 m_origin = get_or_create_node
2674 }
2676 /* exploded_graph's dtor. */
2679 {
2688 }
2690 /* Subroutine for use when implementing __attribute__((tainted_args))
2691 on functions and on function pointer fields in structs.
2693 Called on STATE representing a call to FNDECL.
2694 Mark all params of FNDECL in STATE as "tainted". Mark the value of all
2695 regions pointed to by params of FNDECL as "tainted".
2697 Return true if successful; return false if the "taint" state machine
2698 was not found. */
2700 static bool
2703 {
2719 {
2728 {
2730 /* Mark "*param" as tainted. */
2735 }
2736 }
2739 }
2741 /* Custom event for use by tainted_args_function_info when a function
2742 has been marked with __attribute__((tainted_args)). */
2745 {
2750 {
2751 }
2754 {
2755 return make_label_text
2758 m_fndecl);
2759 }
2762 tree m_fndecl;
2763 };
2765 /* Custom exploded_edge info for top-level calls to a function
2766 marked with __attribute__((tainted_args)). */
2769 {
2773 {}
2776 {
2778 };
2783 {
2784 /* No-op. */
2786 }
2790 {
2791 emission_path->add_event
2794 }
2797 tree m_fndecl;
2798 };
2800 /* Ensure that there is an exploded_node representing an external call to
2801 FUN, adding it to the worklist if creating it.
2803 Add an edge from the origin exploded_node to the function entrypoint
2804 exploded_node.
2806 Return the exploded_node for the entrypoint to the function. */
2808 exploded_node *
2810 {
2813 /* Be idempotent. */
2816 {
2821 }
2823 program_point point
2832 {
2835 }
2849 }
2851 /* Get or create an exploded_node for (POINT, STATE).
2852 If a new node is created, it is added to the worklist.
2854 Use ENODE_FOR_DIAG, a pre-existing enode, for any diagnostics
2855 that need to be emitted (e.g. when purging state *before* we have
2856 a new enode). */
2858 exploded_node *
2862 {
2866 {
2877 }
2879 /* Stop exploring paths for which we don't know how to effectively
2880 model the state. */
2882 {
2886 }
2892 //state.dump (get_ext_state ());
2894 /* Prune state to try to improve the chances of a cache hit,
2895 avoiding generating redundant nodes. */
2896 uncertainty_t uncertainty;
2897 program_state pruned_state
2902 //pruned_state.dump (get_ext_state ());
2905 {
2913 }
2917 stats *per_cs_stats
2923 {
2924 /* An exploded_node for PS already exists. */
2931 }
2933 per_program_point_data *per_point_data
2936 /* Consider merging state with another enode at this program_point. */
2938 {
2942 {
2949 /* This merges successfully within the loop. */
2954 {
2960 /* Try again for a cache hit.
2961 Whether we get one or not, merged_state's value_ids have no
2962 relationship to those of the input state, and thus to those
2963 of CHANGE, so we must purge any svalue_ids from *CHANGE. */
2967 {
2968 /* An exploded_node for PS already exists. */
2975 }
2976 }
2977 else
2981 }
2982 }
2984 /* Impose a limit on the number of enodes per program point, and
2985 simply stop if we exceed it. */
2988 {
2989 pretty_printer pp;
3000 }
3004 /* An exploded_node for "ps" doesn't already exist; create one. */
3009 /* Update per-program_point data. */
3021 {
3033 }
3035 /* Add the new node to the worlist. */
3038 }
3040 /* Add an exploded_edge from SRC to DEST, recording its association
3041 with SEDGE (which may be NULL), and, if non-NULL, taking ownership
3042 of CUSTOM_INFO. COULD_DO_WORK is used for detecting infinite loops.
3043 Return the newly-created eedge. */
3045 exploded_edge *
3049 {
3053 exploded_edge *e
3058 }
3060 /* Ensure that this graph has per-program_point-data for POINT;
3061 borrow a pointer to it. */
3063 per_program_point_data *
3066 {
3073 }
3075 /* Get this graph's per-program-point-data for POINT if there is any,
3076 otherwise NULL. */
3078 per_program_point_data *
3080 {
3086 }
3088 /* Ensure that this graph has per-call_string-data for CS;
3089 borrow a pointer to it. */
3091 per_call_string_data *
3093 {
3099 data);
3101 }
3103 /* Ensure that this graph has per-function-data for FUN;
3104 borrow a pointer to it. */
3106 per_function_data *
3108 {
3115 }
3117 /* Get this graph's per-function-data for FUN if there is any,
3118 otherwise NULL. */
3120 per_function_data *
3122 {
3128 }
3130 /* Return true if FUN should be traversed directly, rather than only as
3131 called via other functions. */
3133 static bool
3135 {
3136 /* Don't directly traverse into functions that have an "__analyzer_"
3137 prefix. Doing so is useful for the analyzer test suite, allowing
3138 us to have functions that are called in traversals, but not directly
3139 explored, thus testing how the analyzer handles calls and returns.
3140 With this, we can have DejaGnu directives that cover just the case
3141 of where a function is called by another function, without generating
3142 excess messages from the case of the first function being traversed
3143 directly. */
3147 {
3152 }
3158 }
3160 /* Custom event for use by tainted_call_info when a callback field has been
3161 marked with __attribute__((tainted_args)), for labelling the field. */
3164 {
3169 {
3170 }
3173 {
3175 "field %qE of %qT"
3178 }
3181 tree m_field;
3182 };
3184 /* Custom event for use by tainted_call_info when a callback field has been
3185 marked with __attribute__((tainted_args)), for labelling the function used
3186 in that callback. */
3189 {
3192 tree field)
3195 {
3196 }
3199 {
3201 "function %qE used as initializer for field %qE"
3204 }
3207 tree m_field;
3208 };
3210 /* Custom edge info for use when adding a function used by a callback field
3211 marked with '__attribute__((tainted_args))'. */
3214 {
3218 {}
3221 {
3223 };
3228 {
3229 /* No-op. */
3231 }
3235 {
3236 /* Show the field in the struct declaration, e.g.
3237 "(1) field 'store' is marked with '__attribute__((tainted_args))'" */
3238 emission_path->add_event
3241 /* Show the callback in the initializer
3242 e.g.
3243 "(2) function 'gadget_dev_desc_UDC_store' used as initializer
3244 for field 'store' marked with '__attribute__((tainted_args))'". */
3245 emission_path->add_event
3248 m_field));
3249 }
3252 tree m_field;
3253 tree m_fndecl;
3254 location_t m_loc;
3255 };
3257 /* Given an initializer at LOC for FIELD marked with
3258 '__attribute__((tainted_args))' initialized with FNDECL, add an
3259 entrypoint to FNDECL to EG (and to its worklist) where the params to
3260 FNDECL are marked as tainted. */
3262 static void
3264 location_t loc)
3265 {
3278 program_point point
3292 {
3296 else
3297 {
3299 fndecl);
3301 }
3302 }
3306 }
3308 /* Callback for walk_tree for finding callbacks within initializers;
3309 ensure that any callback initializer where the corresponding field is
3310 marked with '__attribute__((tainted_args))' is treated as an entrypoint
3311 to the analysis, special-casing that the inputs to the callback are
3312 untrustworthy. */
3314 static tree
3316 {
3319 {
3320 /* Find fields with the "tainted_args" attribute.
3321 walk_tree only walks the values, not the index values;
3322 look at the index values. */
3327 idx++)
3330 {
3337 }
3338 }
3341 }
3343 /* Add initial nodes to EG, with entrypoints for externally-callable
3344 functions. */
3346 void
3348 {
3354 {
3361 {
3365 else
3367 }
3368 }
3370 /* Find callbacks that are reachable from global initializers. */
3373 {
3379 }
3380 }
3382 /* The main loop of the analysis.
3383 Take freshly-created exploded_nodes from the worklist, calling
3384 process_node on them to explore the <point, state> graph.
3385 Add edges to their successors, potentially creating new successors
3386 (which are also added to the worklist). */
3388 void
3390 {
3396 {
3405 /* If we have a run of nodes that are before-supernode, try merging and
3406 processing them together, rather than pairwise or individually. */
3411 /* Avoid exponential explosions of nodes by attempting to merge
3412 nodes that are at the same program point and which have
3413 sufficiently similar state. */
3416 {
3428 {
3431 {
3435 logger->log_partial
3440 }
3444 /* They shouldn't be equal, or we wouldn't have two
3445 separate nodes. */
3451 {
3457 {
3458 /* Then merge node_2 into node by adding an edge. */
3461 /* Remove node_2 from the worklist. */
3465 /* Continue processing "node" below. */
3466 }
3468 {
3469 /* Then merge node into node_2, and leave node_2
3470 in the worklist, to be processed on the next
3471 iteration. */
3475 }
3476 else
3477 {
3478 /* We have a merged state that differs from
3479 both state and state_2. */
3481 /* Remove node_2 from the worklist. */
3484 /* Create (or get) an exploded node for the merged
3485 states, adding to the worklist. */
3486 exploded_node *merged_enode
3497 /* "node" and "node_2" have both now been removed
3498 from the worklist; we should not process them.
3500 "merged_enode" may be a new node; if so it will be
3501 processed in a subsequent iteration.
3502 Alternatively, "merged_enode" could be an existing
3503 node; one way the latter can
3504 happen is if we end up merging a succession of
3505 similar nodes into one. */
3507 /* If merged_node is one of the two we were merging,
3508 add it back to the worklist to ensure it gets
3509 processed.
3511 Add edges from the merged nodes to it (but not a
3512 self-edge). */
3515 else
3516 {
3519 }
3523 else
3524 {
3527 }
3530 }
3531 }
3533 /* TODO: should we attempt more than two nodes,
3534 or just do pairs of nodes? (and hope that we get
3535 a cascade of mergers). */
3536 }
3537 }
3541 handle_limit:
3542 /* Impose a hard limit on the number of exploded nodes, to ensure
3543 that the analysis terminates in the face of pathological state
3544 explosion (or bugs).
3546 Specifically, the limit is on the number of PK_AFTER_SUPERNODE
3547 exploded nodes, looking at supernode exit events.
3549 We use exit rather than entry since there can be multiple
3550 entry ENs, one per phi; the number of PK_AFTER_SUPERNODE ought
3551 to be equivalent to the number of supernodes multiplied by the
3552 number of states. */
3555 {
3559 OPT_Wanalyzer_too_complex,
3560 "analysis bailed out early"
3565 }
3566 }
3567 }
3569 /* Attempt to process a consecutive run of sufficiently-similar nodes in
3570 the worklist at a CFG join-point (having already popped ENODE from the
3571 head of the worklist).
3573 If ENODE's point is of the form (before-supernode, SNODE) and the next
3574 nodes in the worklist are a consecutive run of enodes of the same form,
3575 for the same supernode as ENODE (but potentially from different in-edges),
3576 process them all together, setting their status to STATUS_BULK_MERGED,
3577 and return true.
3578 Otherwise, return false, in which case ENODE must be processed in the
3579 normal way.
3581 When processing them all together, generate successor states based
3582 on phi nodes for the appropriate CFG edges, and then attempt to merge
3583 these states into a minimal set of merged successor states, partitioning
3584 the inputs by merged successor state.
3586 Create new exploded nodes for all of the merged states, and add edges
3587 connecting the input enodes to the corresponding merger exploded nodes.
3589 We hope we have a much smaller number of merged successor states
3590 compared to the number of input enodes - ideally just one,
3591 if all successor states can be merged.
3593 Processing and merging many together as one operation rather than as
3594 pairs avoids scaling issues where per-pair mergers could bloat the
3595 graph with merger nodes (especially so after switch statements). */
3597 bool
3600 {
3601 /* A struct for tracking per-input state. */
3602 struct item
3603 {
3608 {}
3611 program_state m_processed_state;
3613 };
3628 /* Find a run of enodes in the worklist that are before the same supernode,
3629 but potentially from different in-edges. */
3633 {
3643 {
3646 }
3647 else
3649 }
3651 /* If the only node is ENODE, then give up. */
3659 /* All of these enodes have a shared successor point (even if they
3660 were for different in-edges). */
3663 /* Calculate the successor state for each enode in enodes. */
3668 {
3676 {
3677 uncertainty_t uncertainty;
3686 }
3688 }
3690 /* Attempt to partition the items into a set of merged states.
3691 We hope we have a much smaller number of merged states
3692 compared to the number of input enodes - ideally just one,
3693 if all can be merged. */
3698 {
3703 {
3708 {
3716 }
3717 }
3718 /* If it couldn't be merged with any existing merged_states,
3719 create a new one. */
3721 {
3728 }
3729 got_merger:
3732 }
3734 /* Create merger nodes. */
3738 {
3739 exploded_node *src_enode
3741 exploded_node *next
3743 /* "next" could be NULL; we handle that when adding the edges below. */
3746 {
3749 else
3751 }
3752 }
3754 /* Create edges from each input enode to the appropriate successor enode.
3755 Update the status of the now-processed input enodes. */
3757 {
3763 }
3770 }
3772 /* Return true if STMT must appear at the start of its exploded node, and
3773 thus we can't consolidate its effects within a run of other statements,
3774 where PREV_STMT was the previous statement. */
3776 static bool
3779 {
3781 {
3782 /* Stop consolidating at calls to
3783 "__analyzer_dump_exploded_nodes", so they always appear at the
3784 start of an exploded_node. */
3789 /* sm-signal.cc injects an additional custom eedge at "signal" calls
3790 from the registration enode to the handler enode, separate from the
3791 regular next state, which defeats the "detect state change" logic
3792 in process_node. Work around this via special-casing, to ensure
3793 we split the enode immediately before any "signal" call. */
3796 }
3798 /* If we had a PREV_STMT with an unknown location, and this stmt
3799 has a known location, then if a state change happens here, it
3800 could be consolidated into PREV_STMT, giving us an event with
3801 no location. Ensure that STMT gets its own exploded_node to
3802 avoid this. */
3808 }
3810 /* Return true if OLD_STATE and NEW_STATE are sufficiently different that
3811 we should split enodes and create an exploded_edge separating them
3812 (which makes it easier to identify state changes of intereset when
3813 constructing checker_paths). */
3815 static bool
3818 {
3819 /* Changes in dynamic extents signify creations of heap/alloca regions
3820 and resizings of heap regions; likely to be of interest in
3821 diagnostic paths. */
3826 /* Changes in sm-state are of interest. */
3830 {
3835 }
3838 }
3840 /* Create enodes and eedges for the function calls that doesn't have an
3841 underlying call superedge.
3843 Such case occurs when GCC's middle end didn't know which function to
3844 call but the analyzer does (with the help of current state).
3846 Some example such calls are dynamically dispatched calls to virtual
3847 functions or calls that happen via function pointer. */
3849 bool
3851 tree fn_decl,
3853 program_state next_state,
3857 {
3863 {
3868 program_point new_point
3870 NULL,
3876 /* Impose a maximum recursion depth and don't analyze paths
3877 that exceed it further.
3878 This is something of a blunt workaround, but it only
3879 applies to recursion (and mutual recursion), not to
3880 general call stacks. */
3883 {
3887 }
3892 {
3900 next_state,
3901 node);
3907 }
3908 }
3910 }
3912 /* Subclass of path_context for use within exploded_graph::process_node,
3913 so that we can split states e.g. at "realloc" calls. */
3916 {
3923 {
3924 }
3927 {
3929 }
3932 {
3935 }
3937 void
3939 {
3944 /* Verify that the state at bifurcation is consistent when we
3945 split into multiple out-edges. */
3947 else
3948 /* Take a copy of the cur_state at the moment when bifurcation
3949 happens. */
3950 m_state_at_bifurcation
3953 /* Take ownership of INFO. */
3955 }
3958 {
3962 }
3965 {
3967 }
3970 {
3972 }
3979 /* Lazily-created copy of the state before the split. */
3985 };
3987 /* A subclass of pending_diagnostic for complaining about jumps through NULL
3988 function pointers. */
3991 {
3995 {}
3998 {
4000 }
4003 {
4005 }
4008 {
4010 }
4013 {
4015 }
4018 {
4020 }
4024 };
4026 /* The core of exploded_graph::process_worklist (the main analysis loop),
4027 handling one node in the worklist.
4029 Get successor <point, state> pairs for NODE, calling get_or_create on
4030 them, and adding an exploded_edge to each successors.
4032 Freshly-created nodes will be added to the worklist. */
4034 void
4036 {
4044 /* Update cfun and input_location in case of an ICE: make it easier to
4045 track down which source construct we're failing to handle. */
4053 {
4061 }
4064 {
4068 /* This node exists to simplify finding the shortest path
4069 to an exploded_node. */
4073 {
4075 uncertainty_t uncertainty;
4078 {
4087 last_cfg_superedge,
4091 }
4098 }
4101 {
4102 /* Determine the effect of a run of one or more statements
4103 within one supernode, generating an edge to the program_point
4104 after the last statement that's processed.
4106 Stop iterating statements and thus consolidating into one enode
4107 when:
4108 - reaching the end of the statements in the supernode
4109 - if an sm-state-change occurs (so that it gets its own
4110 exploded_node)
4111 - if "-fanalyzer-fine-grained" is active
4112 - encountering certain statements must appear at the start of
4113 their enode (for which stmt_requires_new_enode_p returns true)
4115 Update next_state in-place, to get the result of the one
4116 or more stmts that are processed.
4118 Split the node in-place if an sm-state-change occurs, so that
4119 the sm-state-change occurs on an edge where the src enode has
4120 exactly one stmt, the one that caused the change. */
4126 uncertainty_t uncertainty;
4132 stmt_idx++)
4133 {
4138 {
4139 stmt_idx--;
4141 }
4146 /* Process the stmt. */
4152 /* If flags.m_terminate_path, stop analyzing; any nodes/edges
4153 will have been added by on_stmt (e.g. for handling longjmp). */
4158 {
4164 }
4167 program_point next_point
4180 {
4181 program_point split_point
4183 stmt_idx,
4186 {
4187 /* If we're not at the start of NODE, split the enode at
4188 this stmt, so we have:
4189 node -> split_enode
4190 so that when split_enode is processed the next edge
4191 we add will be:
4192 split_enode -> next
4193 and any state change will effectively occur on that
4194 latter edge, and split_enode will contain just stmt. */
4197 exploded_node *split_enode
4201 /* "stmt" will be reprocessed when split_enode is
4202 processed. */
4208 }
4209 else
4210 /* If we're at the start of NODE, stop iterating,
4211 so that an edge will be created from NODE to
4212 (next_point, next_state) below. */
4214 }
4215 }
4217 program_point next_point
4224 {
4227 }
4228 else
4229 {
4230 exploded_node *next
4234 }
4236 /* If we have custom edge infos, "bifurcate" the state
4237 accordingly, potentially creating a new state/enode/eedge
4238 instances. For example, to handle a "realloc" call, we
4239 might split into 3 states, for the "failure",
4240 "resizing in place", and "moving to a new buffer" cases. */
4242 {
4243 /* Take ownership of the edge infos from the path_ctxt. */
4246 {
4251 }
4252 program_state bifurcated_new_state
4255 /* Apply edge_info to state. */
4256 impl_region_model_context
4263 stmt);
4267 {
4268 exploded_node *next2
4274 }
4275 else
4276 {
4279 }
4280 }
4281 }
4284 {
4287 /* If this is an EXIT BB, detect leaks, and potentially
4288 create a function summary. */
4290 {
4295 {
4296 /* TODO: create function summary
4297 There can be more than one; each corresponds to a different
4298 final enode in the function. */
4300 {
4303 logger->log_partial
4308 }
4309 per_function_data *per_fn_data
4312 }
4313 }
4314 /* Traverse into successors of the supernode. */
4318 {
4321 {
4326 }
4328 program_point next_point
4332 uncertainty_t uncertainty;
4334 /* Make use the current state and try to discover and analyse
4335 indirect function calls (a call that doesn't have an underlying
4336 cgraph edge representing call).
4338 Some examples of such calls are virtual function calls
4339 and calls that happen via a function pointer. */
4342 {
4347 node,
4351 NULL,
4359 fn_decl,
4360 node,
4361 next_state,
4362 next_point,
4364 logger);
4366 {
4367 /* Check for jump through NULL. */
4369 {
4374 }
4376 /* An unknown function or a special function was called
4377 at this point, in such case, don't terminate the
4378 analysis of the current function.
4380 The analyzer handles calls to such functions while
4381 analysing the stmt itself, so the function call
4382 must have been handled by the anlyzer till now. */
4383 exploded_node *next
4385 next_state,
4386 node);
4390 }
4391 }
4395 {
4400 }
4402 node);
4404 {
4407 /* We might have a function entrypoint. */
4409 }
4410 }
4412 /* Return from the calls which doesn't have a return superedge.
4413 Such case occurs when GCC's middle end didn't knew which function to
4414 call but analyzer did. */
4417 {
4419 program_point next_point
4421 NULL,
4422 cs);
4424 uncertainty_t uncertainty;
4433 {
4436 next_state,
4437 node);
4441 }
4442 }
4443 }
4445 }
4446 }
4448 /* Ensure that this graph has a stats instance for FN, return it.
4449 FN can be NULL, in which case a stats instances is returned covering
4450 "functionless" parts of the graph (the origin node). */
4452 stats *
4454 {
4460 else
4461 {
4463 /* not quite the num supernodes, but nearly. */
4467 }
4468 }
4470 /* Print bar charts to PP showing:
4471 - the number of enodes per function, and
4472 - for each function:
4473 - the number of enodes per supernode/BB
4474 - the number of excess enodes per supernode/BB beyond the
4475 per-program-point limit, if there were any. */
4477 void
4479 {
4484 bar_chart enodes_per_function;
4486 {
4492 }
4495 /* Accumulate number of enodes per supernode. */
4502 {
4507 }
4509 /* Accumulate excess enodes per supernode. */
4515 {
4523 }
4525 /* Show per-function bar_charts of enodes per supernode/BB. */
4529 {
4534 bar_chart enodes_per_snode;
4535 bar_chart excess_enodes_per_snode;
4538 {
4542 pretty_printer tmp_pp;
4547 const int num_excess
4550 num_excess);
4553 }
4556 {
4560 }
4561 }
4562 }
4564 /* Write all stats information to this graph's logger, if any. */
4566 void
4568 {
4588 {
4592 }
4595 }
4597 /* Dump all stats information to OUT. */
4599 void
4601 {
4613 {
4617 }
4622 }
4624 void
4627 {
4633 {
4637 {
4638 pretty_printer pp;
4644 }
4645 }
4648 }
4650 /* Return a new json::object of the form
4651 {"nodes" : [objs for enodes],
4652 "edges" : [objs for eedges],
4653 "ext_state": object for extrinsic_state,
4654 "diagnostic_manager": object for diagnostic_manager}. */
4658 {
4661 /* Nodes. */
4662 {
4669 }
4671 /* Edges. */
4672 {
4679 }
4681 /* m_sg is JSONified at the top-level. */
4687 /* The following fields aren't yet being JSONified:
4688 const state_purge_map *const m_purge_map;
4689 const analysis_plan &m_plan;
4690 stats m_global_stats;
4691 function_stat_map_t m_per_function_stats;
4692 stats m_functionless_stats;
4693 call_string_data_map_t m_per_call_string_data;
4694 auto_vec<int> m_PK_AFTER_SUPERNODE_per_snode; */
4697 }
4699 /* class exploded_path. */
4701 /* Copy ctor. */
4705 {
4710 }
4712 /* Look for the last use of SEARCH_STMT within this path.
4713 If found write the edge's index to *OUT_IDX and return true, otherwise
4714 return false. */
4716 bool
4719 {
4723 {
4728 {
4731 }
4732 }
4734 }
4736 /* Get the final exploded_node in this path, which must be non-empty. */
4738 exploded_node *
4740 {
4743 }
4745 /* Check state along this path, returning true if it is feasible.
4746 If OUT is non-NULL, and the path is infeasible, write a new
4747 feasibility_problem to *OUT. */
4749 bool
4753 {
4759 /* Traverse the path, updating this state. */
4761 {
4765 edge_idx,
4771 {
4774 {
4780 last_stmt,
4782 }
4784 }
4787 {
4789 edge_idx,
4795 }
4796 }
4799 }
4801 /* Dump this path in multiline form to PP.
4802 If EXT_STATE is non-NULL, then show the nodes. */
4804 void
4807 {
4809 {
4812 i,
4819 }
4820 }
4822 /* Dump this path in multiline form to FP. */
4824 void
4826 {
4829 }
4831 /* Dump this path in multiline form to stderr. */
4833 DEBUG_FUNCTION void
4835 {
4837 }
4839 /* Dump this path verbosely to FILENAME. */
4841 void
4844 {
4848 pretty_printer pp;
4854 }
4856 /* class feasibility_problem. */
4858 void
4860 {
4864 {
4869 }
4870 }
4872 /* class feasibility_state. */
4874 /* Ctor for feasibility_state, at the beginning of a path. */
4880 {
4882 }
4884 /* Copy ctor for feasibility_state, for extending a path. */
4889 {
4891 }
4897 {
4899 }
4901 feasibility_state &
4903 {
4907 }
4909 /* The heart of feasibility-checking.
4911 Attempt to update this state in-place based on traversing EEDGE
4912 in a path.
4913 Update the model for the stmts in the src enode.
4914 Attempt to add constraints for EEDGE.
4916 If feasible, return true.
4917 Otherwise, return false and write to *OUT_RC. */
4919 bool
4925 {
4929 {
4933 }
4935 /* Update state for the stmts that were processed in each enode. */
4937 stmt_idx++)
4938 {
4941 /* Update cfun and input_location in case of ICE: make it easier to
4942 track down which source construct we're failing to handle. */
4947 }
4951 {
4953 {
4959 }
4963 {
4965 {
4970 }
4972 }
4973 }
4974 else
4975 {
4976 /* Special-case the initial eedge from the origin node to the
4977 initial function by pushing a frame for it. */
4979 {
4988 }
4990 {
4992 }
4993 }
4995 /* Handle phi nodes on an edge leaving a PK_BEFORE_SUPERNODE (to
4996 a PK_BEFORE_STMT, or a PK_AFTER_SUPERNODE if no stmts).
4997 This will typically not be associated with a superedge. */
4999 {
5005 {
5009 last_cfg_superedge,
5010 ctxt);
5011 /* If we've entering an snode that we've already visited on this
5012 epath, then we need do fix things up for loops; see the
5013 comment for store::loop_replay_fixup.
5014 Perhaps we should probably also verify the callstring,
5015 and track program_points, but hopefully doing it by supernode
5016 is good enough. */
5019 }
5021 }
5023 }
5025 /* Update this object for the effects of STMT. */
5027 void
5029 {
5035 {
5038 }
5041 }
5043 /* Dump this object to PP. */
5045 void
5048 {
5050 }
5052 /* A family of cluster subclasses for use when generating .dot output for
5053 exploded graphs (-fdump-analyzer-exploded-graph), for grouping the
5054 enodes into hierarchical boxes.
5056 All functionless enodes appear in the top-level graph.
5057 Every (function, call_string) pair gets its own cluster. Within that
5058 cluster, each supernode gets its own cluster.
5060 Hence all enodes relating to a particular function with a particular
5061 callstring will be in a cluster together; all enodes for the same
5062 function but with a different callstring will be in a different
5063 cluster. */
5065 /* Base class of cluster for clustering exploded_node instances in .dot
5066 output, based on various subclass-specific criteria. */
5069 {
5070 };
5072 /* Cluster containing all exploded_node instances for one supernode. */
5075 {
5079 // TODO: dtor?
5082 {
5095 /* Terminate subgraph. */
5098 }
5101 {
5103 }
5105 /* Comparator for use by auto_vec<supernode_cluster *>::qsort. */
5108 {
5114 }
5119 };
5121 /* Cluster containing all supernode_cluster instances for one
5122 (function, call_string) pair. */
5125 {
5131 {
5136 }
5139 {
5151 /* Dump m_map, sorting it to avoid churn when comparing dumps. */
5165 /* Terminate subgraph. */
5168 }
5171 {
5177 else
5178 {
5182 }
5183 }
5185 /* Comparator for use by auto_vec<function_call_string_cluster *>. */
5188 {
5198 }
5204 map_t m_map;
5205 };
5207 /* Keys for root_cluster. */
5209 struct function_call_string
5210 {
5213 {
5216 }
5220 };
5226 {
5228 };
5231 inline hashval_t
5233 {
5236 }
5242 {
5244 }
5248 {
5250 }
5254 {
5256 }
5260 {
5262 }
5266 {
5268 }
5272 /* Top-level cluster for generating .dot output for exploded graphs,
5273 handling the functionless nodes, and grouping the remaining nodes by
5274 callstring. */
5277 {
5280 {
5285 }
5288 {
5294 /* Dump m_map, sorting it to avoid churn when comparing dumps. */
5306 }
5309 {
5312 {
5315 }
5322 else
5323 {
5324 function_call_string_cluster *child
5328 }
5329 }
5333 map_t m_map;
5335 /* This should just be the origin exploded_node. */
5337 };
5339 /* Subclass of range_label for use within
5340 exploded_graph::dump_exploded_nodes for implementing
5341 -fdump-analyzer-exploded-nodes: a label for a specific
5342 exploded_node. */
5345 {
5352 {
5353 pretty_printer pp;
5358 }
5363 };
5365 /* Postprocessing support for dumping the exploded nodes.
5366 Handle -fdump-analyzer-exploded-nodes,
5367 -fdump-analyzer-exploded-nodes-2, and the
5368 "__analyzer_dump_exploded_nodes" builtin. */
5370 void
5372 {
5373 // TODO
5374 /* Locate calls to __analyzer_dump_exploded_nodes. */
5375 // Print how many egs there are for them?
5376 /* Better: log them as we go, and record the exploded nodes
5377 in question. */
5379 /* Show every enode. */
5381 /* Gather them by stmt, so that we can more clearly see the
5382 "hotspots" requiring numerous exploded nodes. */
5384 /* Alternatively, simply throw them all into one big rich_location
5385 and see if the label-printing will sort it out...
5386 This requires them all to be in the same source file. */
5389 {
5395 {
5397 {
5400 else
5402 SHOW_RANGE_WITHOUT_CARET,
5404 }
5405 }
5408 /* Repeat the warning without all the labels, so that message is visible
5409 (the other one may well have scrolled past the terminal limit). */
5416 }
5418 /* Dump the egraph in textual form to a dump file. */
5420 {
5436 {
5439 pretty_printer pp;
5443 }
5446 }
5448 /* Dump the egraph in textual form to multiple dump files, one per enode. */
5450 {
5456 {
5462 filename);
5467 pretty_printer pp;
5473 }
5474 }
5476 /* Emit a warning at any call to "__analyzer_dump_exploded_nodes",
5477 giving the number of processed exploded nodes for "before-stmt",
5478 and the IDs of processed, merger, and worklist enodes.
5480 We highlight the count of *processed* enodes since this is of most
5481 interest in DejaGnu tests for ensuring that state merger has
5482 happened.
5484 We don't show the count of merger and worklist enodes, as this is
5485 more of an implementation detail of the merging/worklist that we
5486 don't want to bake into our expected DejaGnu messages. */
5492 {
5500 {
5507 /* This is O(N^2). */
5511 {
5516 {
5528 }
5529 }
5531 pretty_printer pp;
5535 {
5538 }
5540 {
5543 }
5552 /* If the argument is non-zero, then print all of the states
5553 of the various enodes. */
5556 {
5560 }
5563 {
5566 {
5571 /* Dump state. */
5573 }
5574 }
5575 }
5576 }
5577 }
5579 DEBUG_FUNCTION exploded_node *
5581 {
5585 }
5587 /* Ensure that there is an exploded_node for a top-level call to FNDECL. */
5589 void
5591 {
5608 {
5612 else
5614 }
5615 }
5617 /* A collection of classes for visualizing the callgraph in .dot form
5618 (as represented in the supergraph). */
5620 /* Forward decls. */
5626 /* Traits for using "digraph.h" to visualize the callgraph. */
5628 struct viz_callgraph_traits
5629 {
5633 struct dump_args_t
5634 {
5637 };
5639 };
5641 /* Subclass of dnode representing a function within the callgraph. */
5644 {
5650 {
5652 }
5655 {
5673 {
5678 {
5680 num_enodes++;
5681 }
5685 // TODO: also show the per-callstring breakdown
5692 {
5694 //per_call_string_data *data = (*iter).second;
5697 {
5700 num_enodes++;
5701 }
5703 {
5706 }
5707 }
5709 /* Show any summaries. */
5712 {
5716 {
5722 }
5723 }
5724 }
5729 }
5732 {
5734 }
5741 };
5743 /* Subclass of dedge representing a callgraph edge. */
5746 {
5750 {}
5753 final override
5754 {
5770 }
5771 };
5773 /* Subclass of digraph representing the callgraph. */
5776 {
5781 {
5783 }
5786 {
5788 }
5792 };
5794 /* Placeholder subclass of cluster. */
5797 {
5798 };
5800 /* viz_callgraph's ctor. */
5803 {
5806 {
5808 viz_callgraph_node *vcg_node
5812 }
5817 {
5822 {
5824 viz_callgraph_edge *vcg_edge
5827 }
5828 }
5832 {
5835 }
5836 }
5838 /* Dump the callgraph to FILENAME. */
5840 static void
5843 {
5848 // TODO
5853 }
5855 /* Dump the callgraph to "<srcfile>.callgraph.dot". */
5857 static void
5859 {
5864 }
5866 /* Subclass of dot_annotator for implementing
5867 DUMP_BASE_NAME.supergraph-eg.dot, a post-analysis dump of the supergraph.
5869 Annotate the supergraph nodes by printing the exploded nodes in concise
5870 form within them, next to their pertinent statements where appropriate,
5871 colorizing the exploded nodes based on sm-state.
5872 Also show saved diagnostics within the exploded nodes, giving information
5873 on whether they were feasible, and, if infeasible, where the problem
5874 was. */
5877 {
5881 {
5882 /* Avoid O(N^2) by prepopulating m_enodes_per_snodes. */
5891 }
5893 /* Show exploded nodes for BEFORE_SUPERNODE points before N. */
5896 const final override
5897 {
5912 {
5919 }
5925 }
5927 /* Show exploded nodes for STMT. */
5930 const final override
5931 {
5942 {
5950 }
5953 {
5956 }
5957 }
5959 /* Show exploded nodes for AFTER_SUPERNODE points after N. */
5961 const final override
5962 {
5973 {
5979 }
5983 }
5986 /* Concisely print a TD element for ENODE, showing the index, status,
5987 and any saved_diagnostics at the enode. Colorize it to show sm-state.
5989 Ideally we'd dump ENODE's state here, hidden behind some kind of
5990 interactive disclosure method like a tooltip, so that the states
5991 can be explored without overwhelming the graph.
5992 However, I wasn't able to get graphviz/xdot to show tooltips on
5993 individual elements within a HTML-like label. */
5995 {
6003 {
6017 }
6020 /* Dump any saved_diagnostics at this enode. */
6022 {
6025 }
6028 }
6030 /* Print a TABLE element for SD, showing the kind, the length of the
6031 exploded_path, whether the path was feasible, and if infeasible,
6032 what the problem was. */
6035 {
6046 else
6050 {
6066 /* Ideally we'd print p->m_model here; see the notes above about
6067 tooltips. */
6068 }
6071 }
6075 };
6077 /* Implement -fdump-analyzer-json. */
6079 static void
6082 {
6087 {
6091 }
6097 pretty_printer pp;
6108 }
6110 /* Concrete subclass of plugin_analyzer_init_iface, allowing plugins
6111 to register new state machines. */
6114 {
6122 {}
6125 {
6128 }
6132 {
6135 }
6138 {
6140 }
6146 };
6148 /* Run the analysis "engine". */
6150 void
6152 {
6156 {
6161 }
6163 /* If using LTO, ensure that the cgraph nodes have function bodies. */
6168 /* Create the supergraph. */
6179 {
6180 /* Dump supergraph pre-analysis. */
6186 }
6189 {
6196 }
6206 logger);
6210 {
6215 }
6217 /* Extrinsic state shared by nodes in the graph. */
6222 /* The exploded graph. */
6224 analyzer_verbosity);
6226 /* Add entrypoints to the graph for externally-callable functions. */
6229 /* Now process the worklist, exploring the <point, state> graph. */
6236 {
6241 root_cluster c;
6244 }
6246 /* Now emit any saved diagnostics. */
6257 {
6258 /* Dump post-analysis form of supergraph. */
6265 }
6275 /* Free up any dominance info that we may have created. */
6277 {
6280 }
6281 }
6283 /* Handle -fdump-analyzer and -fdump-analyzer-stderr. */
6286 /* Track if we're responsible for closing dump_fout. */
6289 /* If dumping is enabled, attempt to create dump_fout if it hasn't already
6290 been opened. Return it. */
6294 {
6296 {
6300 {
6306 }
6307 }
6309 }
6311 /* External entrypoint to the analysis "engine".
6312 Set up any dumps, then call impl_run_checkers. */
6314 void
6316 {
6317 /* Save input_location. */
6320 {
6330 /* end of lifetime of the_logger (so that dump file is closed after the
6331 various dtors run). */
6332 }
6335 {
6339 }
6341 /* Restore input_location. Subsequent passes may assume that input_location
6342 is some arbitrary value *not* in the block tree, which might be violated
6343 if we didn't restore it. */
6345 }