diagnostics: capture backtraces in SARIF notifications [PR116602]
gcc/analyzer/ChangeLog (official-gcc.git, blob 7fe83c8633e9229076770408f387180c21c7687d)
2024-09-30  David Malcolm  <dmalcolm@redhat.com>

	PR other/116613
	* program-point.cc (function_point::print_source_line): Replace
	call to diagnostic_show_locus with a call to
	diagnostic_source_print_policy::print.

2024-09-30  David Malcolm  <dmalcolm@redhat.com>

	PR other/116613
	* kf-analyzer.cc: Include "pretty-print-markup.h".
	(kf_analyzer_dump_escaped::impl_call_pre): Defer colorization
	choices by eliminating the construction of an intermediate string,
	replacing it with a new pp_element subclass via "%e".

2024-09-20  David Malcolm  <dmalcolm@redhat.com>

	PR other/116613
	* access-diagram.cc (access_range::dump): Simplify using
	tree_dump_pretty_printer.
	* call-details.cc (call_details::dump): Likewise.
	* call-summary.cc (call_summary::dump): Likewise.
	(call_summary_replay::dump): Likewise.
	* checker-event.cc (checker_event::debug): Likewise.
	* constraint-manager.cc (range::dump): Likewise.
	(bounded_range::dump): Likewise.
	(bounded_ranges::dump): Likewise.
	(constraint_manager::dump): Likewise.
	* engine.cc (exploded_node::dump): Likewise.
	(exploded_path::dump): Likewise.
	* program-point.cc (program_point::dump): Likewise.
	* program-state.cc (extrinsic_state::dump_to_file): Likewise.
	(sm_state_map::dump): Likewise.
	(program_state::dump_to_file): Likewise.
	* ranges.cc (symbolic_byte_offset::dump): Likewise.
	(symbolic_byte_range::dump): Likewise.
	* record-layout.cc (record_layout::dump): Likewise.
	* region-model-reachability.cc (reachable_regions::dump):
	Likewise.
	* region-model.cc (region_to_value_map::dump): Likewise.
	(region_model::dump): Likewise.
	(model_merger::dump): Likewise.
	* region.cc (region_offset::dump): Likewise.
	(region::dump): Likewise.
	* sm-malloc.cc (deallocator_set::dump): Likewise.
	* store.cc (uncertainty_t::dump): Likewise.
	(binding_key::dump): Likewise.
	(bit_range::dump): Likewise.
	(byte_range::dump): Likewise.
	(binding_map::dump): Likewise.
	(binding_cluster::dump): Likewise.
	(store::dump): Likewise.
	* supergraph.cc (superedge::dump): Likewise.
	* svalue.cc (svalue::dump): Likewise.

2024-09-20  David Malcolm  <dmalcolm@redhat.com>

	PR other/116613
	* diagnostic-manager.cc (diagnostic_manager::emit_saved_diagnostic):
	Remove redundant 'pp'.

2024-09-09  David Malcolm  <dmalcolm@redhat.com>

	PR other/116613
	* access-diagram.cc (access_range::dump): Rename
	diagnostic_context's "printer" field to "m_printer".
	* analyzer-language.cc (on_finish_translation_unit): Likewise.
	* analyzer.cc (make_label_text): Likewise.
	(make_label_text_n): Likewise.
	* call-details.cc (call_details::dump): Likewise.
	* call-summary.cc (call_summary::dump): Likewise.
	(call_summary_replay::dump): Likewise.
	* checker-event.cc (checker_event::debug): Likewise.
	* constraint-manager.cc (range::dump): Likewise.
	(bounded_range::dump): Likewise.
	(bounded_ranges::dump): Likewise.
	(constraint_manager::dump): Likewise.
	* diagnostic-manager.cc
	(diagnostic_manager::emit_saved_diagnostic): Likewise.
	* engine.cc (exploded_node::dump): Likewise.
	(exploded_path::dump): Likewise.
	(run_checkers): Likewise.
	* kf-analyzer.cc (kf_analyzer_dump_escaped::impl_call_pre):
	Likewise.
	* pending-diagnostic.cc (evdesc::event_desc::formatted_print):
	Likewise.
	* program-point.cc (function_point::print_source_line): Likewise.
	(program_point::dump): Likewise.
	* program-state.cc (extrinsic_state::dump_to_file): Likewise.
	(sm_state_map::dump): Likewise.
	(program_state::dump_to_file): Likewise.
	* ranges.cc (symbolic_byte_offset::dump): Likewise.
	(symbolic_byte_range::dump): Likewise.
	* region-model-reachability.cc (reachable_regions::dump): Likewise.
	* region-model.cc (region_to_value_map::dump): Likewise.
	(region_model::dump): Likewise.
	(model_merger::dump): Likewise.
	* region.cc (region_offset::dump): Likewise.
	(region::dump): Likewise.
	* sm-malloc.cc (deallocator_set::dump): Likewise.
	(sufficiently_similar_p): Likewise.
	* store.cc (uncertainty_t::dump): Likewise.
	(binding_key::dump): Likewise.
	(binding_map::dump): Likewise.
	(binding_cluster::dump): Likewise.
	(store::dump): Likewise.
	* supergraph.cc (supergraph::dump_dot_to_file): Likewise.
	(superedge::dump): Likewise.
	* svalue.cc (svalue::dump): Likewise.

2024-09-09  David Malcolm  <dmalcolm@redhat.com>

	* call-summary.cc
	(call_summary_replay::convert_region_from_summary_1): Drop unused
	local "summary_cast_reg".

2024-09-03  David Malcolm  <dmalcolm@redhat.com>

	* analyzer-logging.cc (logger::logger): Prefix all output_buffer
	fields with "m_".

2024-07-24  David Malcolm  <dmalcolm@redhat.com>

	* checker-event.cc (maybe_add_sarif_properties): Update setting
	of "original_fndecl" to use typesafe unique_ptr variant of
	json::object::set.

2024-07-24  David Malcolm  <dmalcolm@redhat.com>

	* call-string.cc (call_string::to_json): Avoid naked "new".
	* constraint-manager.cc (bounded_range::set_json_attr): Likewise.
	(equiv_class::to_json): Likewise.
	(constraint::to_json): Likewise.
	(bounded_ranges_constraint::to_json): Likewise.
	* diagnostic-manager.cc (saved_diagnostic::to_json): Likewise.
	(saved_diagnostic::maybe_add_sarif_properties): Likewise.
	* engine.cc (exploded_node::to_json): Likewise.
	(exploded_edge::to_json): Likewise.
	* program-point.cc (program_point::to_json): Likewise.
	* program-state.cc (program_state::to_json): Likewise.
	* sm.cc (state_machine::to_json): Likewise.
	* store.cc (binding_cluster::to_json): Likewise.
	(store::to_json): Likewise.
	* supergraph.cc (supernode::to_json): Likewise.
	(superedge::to_json): Likewise.

2024-07-24  David Malcolm  <dmalcolm@redhat.com>

	* supergraph.cc (supernode::to_json): Avoid naked "new" by using
	json::array::append_string.
	(supernode::to_json): Likewise.

2024-07-12  Daniel Bertalan  <dani@danielbertalan.dev>

	* diagnostic-manager.cc (saved_diagnostic::saved_diagnostic):
	Change NULL to nullptr.
	(struct null_assignment_sm_context): Likewise.
	* infinite-loop.cc: Likewise.
	* infinite-recursion.cc: Likewise.
	* varargs.cc (va_list_state_machine::on_leak): Likewise.

2024-07-04  David Malcolm  <dmalcolm@redhat.com>

	* diagnostic-manager.cc
	(diagnostic_manager::add_events_for_eedge): Pass sm_ctxt by
	reference.
	* engine.cc (impl_region_model_context::on_condition): Likewise.
	(impl_region_model_context::on_bounded_ranges): Likewise.
	(impl_region_model_context::on_phi): Likewise.
	(exploded_node::on_stmt): Likewise.
	* sm-fd.cc: Update all uses of sm_context * to sm_context &.
	* sm-file.cc: Likewise.
	* sm-malloc.cc: Likewise.
	* sm-pattern-test.cc: Likewise.
	* sm-sensitive.cc: Likewise.
	* sm-signal.cc: Likewise.
	* sm-taint.cc: Likewise.
	* sm.h: Likewise.
	* varargs.cc: Likewise.

2024-07-04  David Malcolm  <dmalcolm@redhat.com>

	PR analyzer/115724
	* kf.cc (register_known_functions): Add __error_alias and
	__error_at_line_alias.

2024-06-18  David Malcolm  <dmalcolm@redhat.com>

	* checker-event.h (checker_event::fndecl): Drop "final" and
	"override", converting from a vfunc implementation to a plain
	accessor.
	* checker-path.cc (checker_path::same_function_p): New.
	* checker-path.h (checker_path::same_function_p): New decl.

2024-06-18  David Malcolm  <dmalcolm@redhat.com>

	* checker-path.h: Include "simple-diagnostic-path.h".

2024-06-18  Jonathan Wakely  <jwakely@redhat.com>

	* constraint-manager.cc (equiv_class::make_dump_widget): Change
	return type to match return value and do not use std::move on
	return value.
	(bounded_ranges_constraint::make_dump_widget): Likewise.
	(constraint_manager::make_dump_widget): Likewise.
	* constraint-manager.h (equiv_class::make_dump_widget): Change
	return type.
	(bounded_ranges_constraint::make_dump_widget): Likewise.
	(constraint_manager::make_dump_widget): Likewise.
	* program-state.cc (sm_state_map::make_dump_widget): Likewise.
	(program_state::make_dump_widget): Likewise.
	* program-state.h (sm_state_map::make_dump_widget): Likewise.
	(program_state::make_dump_widget): Likewise.
	* region-model.cc (region_to_value_map::make_dump_widget): Likewise.
	(region_model::make_dump_widget): Likewise.
	* region-model.h (region_to_value_map::make_dump_widget): Likewise.
	(region_model::make_dump_widget): Likewise.
	* region.cc (region::make_dump_widget): Likewise.
	* region.h (region::make_dump_widget): Likewise.
	* store.cc (binding_cluster::make_dump_widget): Likewise.
	(store::make_dump_widget): Likewise.
	* store.h (binding_cluster::make_dump_widget): Likewise.
	(store::make_dump_widget): Likewise.
	* svalue.cc (svalue::make_dump_widget): Likewise.
	* svalue.h (svalue::make_dump_widget): Likewise.

2024-06-12  David Malcolm  <dmalcolm@redhat.com>

	* access-diagram.cc (access_range::dump): Update for fields of
	pretty_printer becoming private.
	* call-details.cc (call_details::dump): Likewise.
	* call-summary.cc (call_summary::dump): Likewise.
	(call_summary_replay::dump): Likewise.
	* checker-event.cc (checker_event::debug): Likewise.
	* constraint-manager.cc (range::dump): Likewise.
	(bounded_range::dump): Likewise.
	(constraint_manager::dump): Likewise.
	* engine.cc (exploded_node::dump): Likewise.
	(exploded_path::dump): Likewise.
	(exploded_path::dump_to_file): Likewise.
	* feasible-graph.cc (feasible_graph::dump_feasible_path): Likewise.
	* program-point.cc (program_point::dump): Likewise.
	* program-state.cc (extrinsic_state::dump_to_file): Likewise.
	(sm_state_map::dump): Likewise.
	(program_state::dump_to_file): Likewise.
	* ranges.cc (symbolic_byte_offset::dump): Likewise.
	(symbolic_byte_range::dump): Likewise.
	* record-layout.cc (record_layout::dump): Likewise.
	* region-model-reachability.cc (reachable_regions::dump): Likewise.
	* region-model.cc (region_to_value_map::dump): Likewise.
	(region_model::dump): Likewise.
	(model_merger::dump): Likewise.
	* region-model.h (one_way_id_map<T>::dump): Likewise.
	* region.cc (region_offset::dump): Likewise.
	(region::dump): Likewise.
	* sm-malloc.cc (deallocator_set::dump): Likewise.
	* store.cc (uncertainty_t::dump): Likewise.
	(binding_key::dump): Likewise.
	(bit_range::dump): Likewise.
	(byte_range::dump): Likewise.
	(binding_map::dump): Likewise.
	(binding_cluster::dump): Likewise.
	(store::dump): Likewise.
	* supergraph.cc (supergraph::dump_dot_to_file): Likewise.
	(superedge::dump): Likewise.
	* svalue.cc (svalue::dump): Likewise.

2024-06-08  Roger Sayle  <roger@nextmovesoftware.com>

	* constraint-manager.cc (equiv_class::make_dump_widget): Use
	std::move to return a std::unique_ptr.
	(bounded_ranges_constraint::make_dump_widget): Likewise.
	(constraint_manager::make_dump_widget): Likewise.
	* program-state.cc (sm_state_map::make_dump_widget): Likewise.
	(program_state::make_dump_widget): Likewise.
	* region-model.cc (region_to_value_map::make_dump_widget): Likewise.
	(region_model::make_dump_widget): Likewise.
	* region.cc (region::make_dump_widget): Likewise.
	* store.cc (binding_cluster::make_dump_widget): Likewise.
	(store::make_dump_widget): Likewise.
	* svalue.cc (svalue::make_dump_widget): Likewise.

2024-06-07  David Malcolm  <dmalcolm@redhat.com>

	* engine.cc (impl_region_model_context::on_state_leak): Pass nullptr
	to get_representative_path_var.
	* region-model.cc (region_model::get_representative_path_var_1):
	Add logger param and use it in both overloads.
	(region_model::get_representative_path_var): Likewise.
	(region_model::get_representative_tree): Likewise.
	(selftest::test_get_representative_path_var): Pass nullptr to
	get_representative_path_var.
	* region-model.h (region_model::get_representative_tree): Add
	optional logger param to both overloads.
	(region_model::get_representative_path_var): Add logger param to
	both overloads.
	(region_model::get_representative_path_var_1): Likewise.
	* store.cc (binding_cluster::get_representative_path_vars): Add
	logger param and use it.
	(store::get_representative_path_vars): Likewise.
	* store.h (binding_cluster::get_representative_path_vars): Add
	logger param.
	(store::get_representative_path_vars): Likewise.

2024-06-07  David Malcolm  <dmalcolm@redhat.com>

	* call-summary.cc
	(call_summary_replay::convert_region_from_summary_1): Update
	for removal of cast_region::m_original_region.
	* region-model-manager.cc
	(region_model_manager::get_or_create_initial_value): Likewise.
	* region-model.cc (region_model::get_store_value): Likewise.
	* region.cc (region::get_base_region): Likewise.
	(region::descendent_of_p): Likewise.
	(region::maybe_get_frame_region): Likewise.
	(region::get_memory_space): Likewise.
	(region::calc_offset): Likewise.
	(cast_region::accept): Delete.
	(cast_region::dump_to_pp): Update for removal of
	cast_region::m_original_region.
	(cast_region::add_dump_widget_children): Delete.
	* region.h (struct cast_region::key_t): Rename "original_region"
	to "parent".
	(cast_region::cast_region): Likewise.  Update for removal of
	cast_region::m_original_region.
	(cast_region::accept): Delete.
	(cast_region::add_dump_widget_children): Delete.
	(cast_region::get_original_region): Delete.
	(cast_region::m_original_region): Delete.
	* sm-taint.cc (region_model::check_region_for_taint): Remove
	special-casing for RK_CAST.

2024-06-07  David Malcolm  <dmalcolm@redhat.com>

	PR analyzer/105892
	* analyzer.opt (Wanalyzer-undefined-behavior-ptrdiff): New option.
	* analyzer.opt.urls: Regenerate.
	* region-model.cc (class undefined_ptrdiff_diagnostic): New.
	(check_for_invalid_ptrdiff): New.
	(region_model::get_gassign_result): Call it for POINTER_DIFF_EXPR.
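The entry above for PR analyzer/105892 records only the new -Wanalyzer-undefined-behavior-ptrdiff option and the hook on POINTER_DIFF_EXPR; it does not describe what the check looks for. The following is an added example, not code from GCC or from this ChangeLog. It assumes, from the option's name rather than from anything on this page, that the check targets subtraction of two pointers that point into different objects, which C leaves undefined and which in practice produces a garbage length. All function and variable names are hypothetical.

```c
#include <assert.h>
#include <stddef.h>
#include <string.h>

/* Well-defined: both pointers point into the same array, so the
   difference is a valid offset (C17 6.5.6p9).  Returns the index of the
   first DELIM in BUF[0..N), or N if it is absent.  */
size_t index_of_delim(const char *buf, size_t n, char delim)
{
    const char *p = memchr(buf, delim, n);
    if (p == NULL)
        return n;
    return (size_t)(p - buf);   /* same object: defined */
}

/* Undefined behaviour (hypothetical bug, never called below): HAYSTACK
   and SEP are distinct objects, so "p - sep" subtracts pointers into
   different arrays.  The result is meaningless, and using it as a
   length is how this mistake turns into an out-of-bounds copy.  This is
   the shape of construct the analyzer option is assumed to diagnose.  */
size_t broken_length(const char *haystack, size_t n, const char *sep)
{
    const char *p = memchr(haystack, sep[0], n);
    if (p == NULL)
        return 0;
    return (size_t)(p - sep);   /* different objects: undefined */
}

/* Hardened form: derive the length from a pointer and a size that
   belong to the same object, then clamp the copy to DST_CAP.  Returns
   the number of bytes copied, excluding the terminator.  */
size_t copy_prefix(char *dst, size_t dst_cap,
                   const char *src, size_t src_len, char delim)
{
    if (dst_cap == 0)
        return 0;
    size_t len = index_of_delim(src, src_len, delim);
    if (len > dst_cap - 1)
        len = dst_cap - 1;
    memcpy(dst, src, len);
    dst[len] = '\0';
    return len;
}
```

Compiling this file with -fanalyzer on a GCC that carries the change above is the natural way to exercise the option against broken_length; whether it fires on exactly this shape is not something the ChangeLog states.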

2024-06-01  David Malcolm  <dmalcolm@redhat.com>

	PR analyzer/106203
	* checker-event.h: Include "analyzer/event-loc-info.h".
	(struct event_loc_info): Move to its own header file.
	* diagnostic-manager.cc
	(diagnostic_manager::emit_saved_diagnostic): Move creation of
	event_loc_info here from add_final_event, and if we have a
	stmt_finder, call its update_event_loc_info method.
	* engine.cc (leak_stmt_finder::update_event_loc_info): New.
	(exploded_node::detect_leaks): Likewise.
	(exploded_node::detect_leaks): Pass nullptr as call_stmt arg to
	region_model::pop_frame.
	* event-loc-info.h: New file, with content taken from
	checker-event.h.
	* exploded-graph.h (stmt_finder::update_event_loc_info): New pure
	virtual function.
	* infinite-loop.cc (infinite_loop_diagnostic::add_final_event):
	Update for change to vfunc signature.
	* infinite-recursion.cc
	(infinite_recursion_diagnostic::add_final_event): Likewise.
	* pending-diagnostic.cc (pending_diagnostic::add_final_event):
	Pass in the event_loc_info from the caller, rather than generating
	it from a gimple stmt and enode.
	* pending-diagnostic.h (pending_diagnostic::add_final_event):
	Likewise.
	* region-model.cc (region_model::on_longjmp): Pass nullptr as
	call_stmt arg to region_model::pop_frame.
	(region_model::update_for_return_gcall): Likewise, but pass
	call_stmt.
	(class caller_context): New.
	(region_model::pop_frame): Add "call_stmt" argument.  Use it
	and the frame_region with a caller_context when setting
	result_dst_reg's value so that any diagnostic is reported at the
	call stmt in the caller.
	(selftest::test_stack_frames): Pass nullptr as call_stmt arg to
	region_model::pop_frame.
	(selftest::test_alloca): Likewise.
	* region-model.h (region_model::pop_frame): Add "call_stmt"
	argument.

2024-05-30  David Malcolm  <dmalcolm@redhat.com>

	* infinite-loop.cc (looping_back_event::get_desc): Fix unused
	parameter warning introduced by me in r15-636-g770657d02c986c.

2024-05-30  David Malcolm  <dmalcolm@redhat.com>

	* call-details.cc: Define INCLUDE_VECTOR.
	* call-info.cc: Likewise.
	* call-summary.cc: Likewise.
	* checker-event.cc: Likewise.
	* checker-path.cc: Likewise.
	* complexity.cc: Likewise.
	* constraint-manager.cc: Likewise.
	(bounded_range::make_dump_widget): New.
	(bounded_ranges::add_to_dump_widget): New.
	(equiv_class::make_dump_widget): New.
	(constraint::make_dump_widget): New.
	(bounded_ranges_constraint::make_dump_widget): New.
	(constraint_manager::make_dump_widget): New.
	* constraint-manager.h (bounded_range::make_dump_widget): New
	decl.
	(bounded_ranges::add_to_dump_widget): New decl.
	(equiv_class::make_dump_widget): New decl.
	(constraint::make_dump_widget): New decl.
	(bounded_ranges_constraint::make_dump_widget): New decl.
	(constraint_manager::make_dump_widget): New decl.
	* diagnostic-manager.cc: Define INCLUDE_VECTOR.
	* engine.cc: Likewise.  Include "text-art/dump.h".
	(setjmp_svalue::print_dump_widget_label): New.
	(setjmp_svalue::add_dump_widget_children): New.
	(exploded_graph::dump_exploded_nodes): Use text_art::dump_to_file
	for -fdump-analyzer-exploded-nodes-2 and
	-fdump-analyzer-exploded-nodes-3.  Fix overlong line.
	* feasible-graph.cc: Define INCLUDE_VECTOR.
	* infinite-recursion.cc: Likewise.
	* kf-analyzer.cc: Likewise.
	* kf-lang-cp.cc: Likewise.
	* kf.cc: Likewise.
	* known-function-manager.cc: Likewise.
	* pending-diagnostic.cc: Likewise.
	* program-point.cc: Likewise.
	* program-state.cc: Likewise.  Include "text-art/tree-widget" and
	"text-art/dump.h".
	(sm_state_map::make_dump_widget): New.
	(program_state::dump): New.
	(program_state::make_dump_widget): New.
	* program-state.h: Include "text-art/widget.h".
	(sm_state_map::make_dump_widget): New decl.
	(program_state::dump): New decl.
	(program_state::make_dump_widget): New decl.
	* ranges.cc: Define INCLUDE_VECTOR.
	* record-layout.cc: Likewise.
	* region-model-asm.cc: Likewise.
	* region-model-manager.cc: Likewise.
	* region-model-reachability.cc: Likewise.
	* region-model.cc: Likewise.  Include "text-art/tree-widget.h".
	(region_to_value_map::make_dump_widget): New.
	(region_model::dump): New.
	(region_model::make_dump_widget): New.
	(selftest::test_dump): Add test of dump_to_pp<region_model>.
	* region-model.h: Include "text-art/widget.h" and
	"text-art/dump.h".
	(region_to_value_map::make_dump_widget): New decl.
	(region_model::dump): New decl.
	(region_model::make_dump_widget): New decl.
	* region.cc: Define INCLUDE_VECTOR and include "text-art/dump.h".
	(region::dump): New.
	(region::make_dump_widget): New.
	(region::add_dump_widget_children): New.
	(frame_region::print_dump_widget_label): New.
	(globals_region::print_dump_widget_label): New.
	(code_region::print_dump_widget_label): New.
	(function_region::print_dump_widget_label): New.
	(label_region::print_dump_widget_label): New.
	(stack_region::print_dump_widget_label): New.
	(heap_region::print_dump_widget_label): New.
	(root_region::print_dump_widget_label): New.
	(thread_local_region::print_dump_widget_label): New.
	(symbolic_region::print_dump_widget_label): New.
	(symbolic_region::add_dump_widget_children): New.
	(decl_region::print_dump_widget_label): New.
	(field_region::print_dump_widget_label): New.
	(element_region::print_dump_widget_label): New.
	(element_region::add_dump_widget_children): New.
	(offset_region::print_dump_widget_label): New.
	(offset_region::add_dump_widget_children): New.
	(sized_region::print_dump_widget_label): New.
	(sized_region::add_dump_widget_children): New.
	(cast_region::print_dump_widget_label): New.
	(cast_region::add_dump_widget_children): New.
	(heap_allocated_region::print_dump_widget_label): New.
	(alloca_region::print_dump_widget_label): New.
	(string_region::print_dump_widget_label): New.
	(bit_range_region::print_dump_widget_label): New.
	(var_arg_region::print_dump_widget_label): New.
	(errno_region::print_dump_widget_label): New.
	(private_region::print_dump_widget_label): New.
	(unknown_region::print_dump_widget_label): New.
	* region.h: Include "text-art/widget.h".
	(region::dump): New decl.
	(region::make_dump_widget): New decl.
	(region::add_dump_widget_children): New decl.
	(frame_region::print_dump_widget_label): New decl.
	(globals_region::print_dump_widget_label): New decl.
	(code_region::print_dump_widget_label): New decl.
	(function_region::print_dump_widget_label): New decl.
	(label_region::print_dump_widget_label): New decl.
	(stack_region::print_dump_widget_label): New decl.
	(heap_region::print_dump_widget_label): New decl.
	(root_region::print_dump_widget_label): New decl.
	(thread_local_region::print_dump_widget_label): New decl.
	(symbolic_region::print_dump_widget_label): New decl.
	(symbolic_region::add_dump_widget_children): New decl.
	(decl_region::print_dump_widget_label): New decl.
	(field_region::print_dump_widget_label): New decl.
	(element_region::print_dump_widget_label): New decl.
	(element_region::add_dump_widget_children): New decl.
	(offset_region::print_dump_widget_label): New decl.
	(offset_region::add_dump_widget_children): New decl.
	(sized_region::print_dump_widget_label): New decl.
	(sized_region::add_dump_widget_children): New decl.
	(cast_region::print_dump_widget_label): New decl.
	(cast_region::add_dump_widget_children): New decl.
	(heap_allocated_region::print_dump_widget_label): New decl.
	(alloca_region::print_dump_widget_label): New decl.
	(string_region::print_dump_widget_label): New decl.
	(bit_range_region::print_dump_widget_label): New decl.
	(var_arg_region::print_dump_widget_label): New decl.
	(errno_region::print_dump_widget_label): New decl.
	(private_region::print_dump_widget_label): New decl.
	(unknown_region::print_dump_widget_label): New decl.
	* sm-fd.cc: Define INCLUDE_VECTOR.
	* sm-file.cc: Likewise.
	* sm-malloc.cc: Likewise.
	* sm-pattern-test.cc: Likewise.
	* sm-signal.cc: Likewise.
	* sm-taint.cc: Likewise.
	* sm.cc: Likewise.
	* state-purge.cc: Likewise.
	* store.cc: Likewise.  Include "text-art/tree-widget.h".
	(add_binding_to_tree_widget): New.
	(binding_map::add_to_tree_widget): New.
	(binding_cluster::make_dump_widget): New.
	(store::make_dump_widget): New.
	* store.h: Include "text-art/tree-widget.h".
	(binding_map::add_to_tree_widget): New decl.
	(binding_cluster::make_dump_widget): New decl.
	(store::make_dump_widget): New decl.
	* svalue.cc: Define INCLUDE_VECTOR.  Include "make-unique.h" and
	"text-art/dump.h".
	(svalue::dump): New.
	(svalue::make_dump_widget): New.
	(region_svalue::print_dump_widget_label): New.
	(region_svalue::add_dump_widget_children): New.
	(constant_svalue::print_dump_widget_label): New.
	(constant_svalue::add_dump_widget_children): New.
	(unknown_svalue::print_dump_widget_label): New.
	(unknown_svalue::add_dump_widget_children): New.
	(poisoned_svalue::print_dump_widget_label): New.
	(poisoned_svalue::add_dump_widget_children): New.
	(initial_svalue::print_dump_widget_label): New.
	(initial_svalue::add_dump_widget_children): New.
	(unaryop_svalue::print_dump_widget_label): New.
	(unaryop_svalue::add_dump_widget_children): New.
	(binop_svalue::print_dump_widget_label): New.
	(binop_svalue::add_dump_widget_children): New.
	(sub_svalue::print_dump_widget_label): New.
	(sub_svalue::add_dump_widget_children): New.
	(repeated_svalue::print_dump_widget_label): New.
	(repeated_svalue::add_dump_widget_children): New.
	(bits_within_svalue::print_dump_widget_label): New.
	(bits_within_svalue::add_dump_widget_children): New.
	(widening_svalue::print_dump_widget_label): New.
	(widening_svalue::add_dump_widget_children): New.
	(placeholder_svalue::print_dump_widget_label): New.
	(placeholder_svalue::add_dump_widget_children): New.
	(unmergeable_svalue::print_dump_widget_label): New.
	(unmergeable_svalue::add_dump_widget_children): New.
	(compound_svalue::print_dump_widget_label): New.
	(compound_svalue::add_dump_widget_children): New.
	(conjured_svalue::print_dump_widget_label): New.
	(conjured_svalue::add_dump_widget_children): New.
	(asm_output_svalue::print_dump_widget_label): New.
	(asm_output_svalue::add_dump_widget_children): New.
	(const_fn_result_svalue::print_dump_widget_label): New.
	(const_fn_result_svalue::add_dump_widget_children): New.
	* svalue.h: Include "text-art/widget.h".  Add "using
	text_art::dump_widget_info".
	(svalue::dump): New decl.
	(svalue::make_dump_widget): New decl.
	(svalue::print_dump_widget_label): New decl.
	(svalue::print_dump_widget_label): New decl.
	(svalue::add_dump_widget_children): New decl.
	(region_svalue::print_dump_widget_label): New decl.
	(region_svalue::add_dump_widget_children): New decl.
	(constant_svalue::print_dump_widget_label): New decl.
	(constant_svalue::add_dump_widget_children): New decl.
	(unknown_svalue::print_dump_widget_label): New decl.
	(unknown_svalue::add_dump_widget_children): New decl.
	(poisoned_svalue::print_dump_widget_label): New decl.
	(poisoned_svalue::add_dump_widget_children): New decl.
	(initial_svalue::print_dump_widget_label): New decl.
	(initial_svalue::add_dump_widget_children): New decl.
	(unaryop_svalue::print_dump_widget_label): New decl.
	(unaryop_svalue::add_dump_widget_children): New decl.
	(binop_svalue::print_dump_widget_label): New decl.
	(binop_svalue::add_dump_widget_children): New decl.
	(sub_svalue::print_dump_widget_label): New decl.
	(sub_svalue::add_dump_widget_children): New decl.
	(repeated_svalue::print_dump_widget_label): New decl.
	(repeated_svalue::add_dump_widget_children): New decl.
	(bits_within_svalue::print_dump_widget_label): New decl.
	(bits_within_svalue::add_dump_widget_children): New decl.
	(widening_svalue::print_dump_widget_label): New decl.
	(widening_svalue::add_dump_widget_children): New decl.
	(placeholder_svalue::print_dump_widget_label): New decl.
	(placeholder_svalue::add_dump_widget_children): New decl.
	(unmergeable_svalue::print_dump_widget_label): New decl.
	(unmergeable_svalue::add_dump_widget_children): New decl.
	(compound_svalue::print_dump_widget_label): New decl.
	(compound_svalue::add_dump_widget_children): New decl.
	(conjured_svalue::print_dump_widget_label): New decl.
	(conjured_svalue::add_dump_widget_children): New decl.
	(asm_output_svalue::print_dump_widget_label): New decl.
	(asm_output_svalue::add_dump_widget_children): New decl.
	(const_fn_result_svalue::print_dump_widget_label): New decl.
	(const_fn_result_svalue::add_dump_widget_children): New decl.
	* trimmed-graph.cc: Define INCLUDE_VECTOR.
	* varargs.cc: Likewise.

2024-05-28  David Malcolm  <dmalcolm@redhat.com>

	* region-model.cc: Include "selftest-tree.h".

2024-05-17  David Malcolm  <dmalcolm@redhat.com>

	* checker-event.h (checker_event::connect_to_next_event_p):
	Implement new diagnostic_event::connect_to_next_event_p vfunc.
	(start_cfg_edge_event::connect_to_next_event_p): Likewise.
	(start_consolidated_cfg_edges_event::connect_to_next_event_p):
	Likewise.
	* infinite-loop.cc (class looping_back_event): New subclass.
	(infinite_loop_diagnostic::add_final_event): Use it.

2024-05-15  David Malcolm  <dmalcolm@redhat.com>

	PR analyzer/114899
	* access-diagram.cc
	(written_svalue_spatial_item::get_label_string): Bulletproof
	against SSA_NAME_VAR being null.

2024-05-03  David Malcolm  <dmalcolm@redhat.com>

	PR analyzer/111475
	* analyzer.cc (is_special_named_call_p): Add "look_in_std" param.
	(is_std_function_p): Make non-static.
	* analyzer.h (is_special_named_call_p): Add optional "look_in_std"
	param.
	(is_std_function_p): New decl.
	* engine.cc (stmt_requires_new_enode_p): Look for both "signal"
	and "std::signal".
	* kf.cc (register_known_functions): Add various "std::" copies
	of the known functions.
	* known-function-manager.cc
	(known_function_manager::~known_function_manager): Clean up
	m_std_ns_map_id_to_kf.
	(known_function_manager::add_std_ns): New.
	(known_function_manager::get_match): Also look for known "std::"
	functions.
	(known_function_manager::get_by_identifier_in_std_ns): New.
	* known-function-manager.h
	(known_function_manager::add_std_ns): New decl.
	(known_function_manager::get_by_identifier_in_std_ns): New decl.
	(known_function_manager::m_std_ns_map_id_to_kf): New field.
	* sm-file.cc (register_known_file_functions): Add various "std::"
659         copies of the known functions.
660         * sm-malloc.cc (malloc_state_machine::on_stmt): Handle
661         "std::realloc".
662         * sm-signal.cc (signal_unsafe_p): Consider "std::" copies of the
663         functions as also being async-signal-unsafe.
664         (signal_state_machine::on_stmt): Consider "std::signal".
666 2024-04-12  Stefan Schulze Frielinghaus  <stefansf@linux.ibm.com>
668         * region-model.cc (region_model::check_region_size): Bail out
669         early on function pointers.
671 2024-04-10  David Malcolm  <dmalcolm@redhat.com>
673         PR analyzer/114472
674         * access-diagram.cc (bit_size_expr::maybe_get_formatted_str):
675         Reject attempts to print sizes that are too large.
676         * region.cc (region_offset::calc_symbolic_bit_offset): Use a
677         typeless svalue for the bit offset.
678         * store.cc (bit_range::intersects_p): Replace assertion with
679         test.
680         (bit_range::exceeds_p): Likewise.
681         (bit_range::falls_short_of_p): Likewise.
683 2024-04-10  David Malcolm  <dmalcolm@redhat.com>
685         * infinite-loop.cc: Include "diagnostic-format-sarif.h".
686         (infinite_loop::to_json): New.
687         (infinite_loop_diagnostic::maybe_add_sarif_properties): New.
689 2024-04-10  David Malcolm  <dmalcolm@redhat.com>
691         * infinite-recursion.cc: Include "diagnostic-format-sarif.h".
692         (infinite_recursion_diagnostic::maybe_add_sarif_properties): New.
694 2024-04-10  David Malcolm  <dmalcolm@redhat.com>
696         * call-details.cc: Include "diagnostic-format-sarif.h".
697         (overlapping_buffers::overlapping_buffers): Add params for new
698         fields.
699         (overlapping_buffers::maybe_add_sarif_properties): New.
700         (overlapping_buffers::m_byte_range_a): New field.
701         (overlapping_buffers::byte_range_b): New field.
702         (overlapping_buffers::m_num_bytes_read_sval): New field.
703         (call_details::complain_about_overlap): Pass new params to
704         overlapping_buffers ctor.
705         * ranges.cc (symbolic_byte_offset::to_json): New.
706         (symbolic_byte_range::to_json): New.
707         * ranges.h (symbolic_byte_offset::to_json): New decl.
708         (symbolic_byte_range::to_json): New decl.
710 2024-04-10  David Malcolm  <dmalcolm@redhat.com>
712         * sm-taint.cc (tainted_allocation_size::tainted_allocation_size):
713         Add "size_in_bytes" param.
714         (tainted_allocation_size::maybe_add_sarif_properties): New.
715         (tainted_allocation_size::m_size_in_bytes): New field.
716         (region_model::check_dynamic_size_for_taint): Pass size_in_bytes
717         to tainted_allocation_size ctor.
719 2024-04-09  Jakub Jelinek  <jakub@redhat.com>
721         * analyzer.opt (Wanalyzer-undefined-behavior-strtok): Fix duplicated
722         words; in in -> in.
723         * program-state.cc (sm_state_map::replay_call_summary): Fix duplicated
724         words in comment; to to -> to.
725         (program_state::replay_call_summary): Likewise.
726         * region-model.cc (region_model::replay_call_summary): Likewise.
728 2024-04-05  David Malcolm  <dmalcolm@redhat.com>
730         PR analyzer/114588
731         * access-diagram.cc (access_diagram_impl::access_diagram_impl):
732         Replace hardcoded colors for valid_style and invalid_style with
733         calls to text_art::get_style_from_color_cap_name.
735 2024-04-02  David Malcolm  <dmalcolm@redhat.com>
737         * region-model-manager.cc (maybe_undo_optimize_bit_field_compare):
738         Guard against null types.
739         * region-model.cc (apply_constraints_for_gswitch): Likewise.
741 2024-03-27  David Malcolm  <dmalcolm@redhat.com>
743         PR analyzer/114473
744         * call-summary.cc
745         (call_summary_replay::convert_svalue_from_summary): Assert that
746         the types match.
747         (call_summary_replay::convert_region_from_summary): Likewise.
748         (call_summary_replay::convert_region_from_summary_1): Add missing
749         cast for the deref of RK_SYMBOLIC case.
751 2024-03-23  David Malcolm  <dmalcolm@redhat.com>
753         PR analyzer/114408
754         * engine.cc (impl_run_checkers): Free up any dominance info that
755         we may have created.
756         * kf.cc (class kf_ubsan_handler): New.
757         (register_sanitizer_builtins): New.
758         (register_known_functions): Call register_sanitizer_builtins.
760 2024-03-22  David Malcolm  <dmalcolm@redhat.com>
762         PR analyzer/112974
763         PR analyzer/112975
764         * sm-taint.cc (taint_state_machine::on_condition): Strip away
765         casts before considering LHS and RHS, to increase the chance of
766         detecting places where sanitization of a value may have happened.
768 2024-03-22  David Malcolm  <dmalcolm@redhat.com>
770         * sm-taint.cc: Include "diagnostic-format-sarif.h".
771         (bounds_to_str): New.
772         (taint_diagnostic::maybe_add_sarif_properties): New.
773         (tainted_offset::tainted_offset): Add "offset" param.
774         (tainted_offset::maybe_add_sarif_properties): New.
775         (tainted_offset::m_offset): New.
776         (region_model::check_region_for_taint): Pass offset to
777         tainted_offset ctor.
779 2024-03-21  David Malcolm  <dmalcolm@redhat.com>
781         PR analyzer/113619
782         * region-model.cc (region_model::eval_condition): Fix
783         cast-handling from r14-3632-ge7b267444045c5 so that if those give
784         an unknown result, we continue trying the constraint manager.
786 2024-03-20  David Malcolm  <dmalcolm@redhat.com>
788         PR analyzer/109251
789         * sm-malloc.cc (deref_before_check::emit): Reject cases where the
790         check is in a loop header within a macro expansion.
791         (deref_before_check::loop_header_p): New.
793 2024-03-20  Jakub Jelinek  <jakub@redhat.com>
795         * constraint-manager.cc (test_range, test_constraint_conditions,
796         test_constant_comparisons, test_constraint_impl, test_purging,
797         test_bits): Use integer_zero_node instead of
798         build_zero_cst (integer_type_node) or
799         build_int_cst (integer_type_node, 0) and integer_one_node instead of
800         build_int_cst (integer_type_node, 1).
801         * region-model.cc (region_model::get_store_value,
802         append_interesting_constants, test_array_1,
803         test_get_representative_tree, test_unique_constants, test_assignment,
804         test_stack_frames, test_constraint_merging, test_widening_constraints,
805         test_iteration_1, test_array_2): Likewise.
807 2024-03-19  Jakub Jelinek  <jakub@redhat.com>
809         PR analyzer/113505
810         * region-model.cc (get_tree_for_byte_offset,
811         region_model::get_representative_path_var_1,
812         test_mem_ref, test_POINTER_PLUS_EXPR_then_MEM_REF): Use
813         char __attribute__((may_alias)) * as type of MEM_REF second argument.
815 2024-03-19  David Malcolm  <dmalcolm@redhat.com>
817         PR analyzer/114286
818         * kf.cc (class kf_atomic_exchange): Reimplement based on signature
819         seen in gimple, rather than user-facing signature.
820         (class kf_atomic_load): Likewise.
821         (class kf_atomic_store): New.
822         (register_atomic_builtins): Register kf_atomic_store.
824 2024-03-18  David Malcolm  <dmalcolm@redhat.com>
826         PR analyzer/110902
827         PR analyzer/110928
828         PR analyzer/111305
829         PR analyzer/111441
830         * access-diagram.cc: Include "analyzer/analyzer-selftests.h".
831         (get_access_size_str): Reimplement for conversion of
832         implmementation of bit_size_expr from tree to const svalue &.  Use
833         svalue::maybe_print_for_user rather than tree printing routines.
834         (remove_ssa_names): Make non-static.
835         (bit_size_expr::get_formatted_str): Rename to...
836         (bit_size_expr::maybe_get_formatted_str): ...this, adding "model"
837         param and converting return type to a unique_ptr.  Update for
838         conversion of implementation of bit_size_expr from tree to
839         const svalue &.  Use svalue::maybe_print_for_user rather than tree
840         printing routines.
841         (bit_size_expr::print): Rename to...
842         (bit_size_expr::maybe_print_for_user): ...this, adding "model"
843         param and converting return type to bool.  Update for
844         conversion of implementation of bit_size_expr from tree to
845         const svalue &.  Use svalue::maybe_print_for_user rather than tree
846         printing routines.
847         (bit_size_expr::maybe_get_as_bytes): Add "mgr" param and convert
848         return type from tree to const svalue *; reimplement.
849         (access_range::access_range): Call strip_types when on region_offset
	initializations.
	(access_range::get_size): Update for conversion of implementation
	of bit_size_expr from tree to const svalue &.
	(access_operation::get_valid_bits): Pass manager to access_range
	ctor.
	(access_operation::maybe_get_invalid_before_bits): Likewise.
	(access_operation::maybe_get_invalid_after_bits): Likewise.
	(boundaries::add): Likewise.
	(bit_to_table_map::populate): Add "mgr" param and pass it to
	access_range ctor.
	(access_diagram_impl::access_diagram_impl): Pass manager to
	bit_to_table_map::populate.
	(access_diagram_impl::maybe_add_gap): Use svalue rather than tree
	for symbolic bit offsets.  Port to new bit_size_expr
	representation.
	(access_diagram_impl::add_valid_vs_invalid_ruler): Port to new
	bit_size_expr representation.
	(selftest::assert_eq_typeless_integer): New.
	(ASSERT_EQ_TYPELESS_INTEGER): New.
	(selftest::test_bit_size_expr_to_bytes): New.
	(selftest::analyzer_access_diagram_cc_tests): New.
	* access-diagram.h (class bit_size_expr): Reimplement, converting
	implementation from tree to const svalue &.
	(access_range::access_range): Add "mgr" param.  Call strip_types
	on region_offset initializations.
	(access_range::get_size): Update decl for reimplementation.
	* analyzer-selftests.cc (selftest::run_analyzer_selftests): Call
	selftest::analyzer_access_diagram_cc_tests.
	* analyzer-selftests.h
	(selftest::analyzer_checker_script_cc_tests): Delete this stray
	typo.
	(selftest::analyzer_access_diagram_cc_tests): New decl.
	* analyzer.h (print_expr_for_user): New decl.
	(calc_symbolic_bit_offset): Update decl for reimplementation.
	(strip_types): New decls.
	(remove_ssa_names): New decl.
	* bounds-checking.cc (strip_types): New.
	(region_model::check_symbolic_bounds): Use typeless svalues.
	* region-model-manager.cc
	(region_model_manager::get_or_create_constant_svalue): Add "type"
	param.  Add overload with old signature.
	(region_model_manager::get_or_create_int_cst): Support type being
	NULL_TREE.
	(region_model_manager::maybe_fold_unaryop): Gracefully reject folding
	of casts to NULL_TREE type.
	(get_code_for_cast): Use NOP_EXPR for "casting" svalues to
	NULL_TREE type.
	(region_model_manager::get_or_create_cast): Support "casting"
	svalues to NULL_TREE type.
	(region_model_manager::maybe_fold_binop): Don't crash on inputs
	with NULL_TREE type.  Handle folding of binops on constants with
	NULL_TREE type.  Add missing cast from PR analyzer/110902.
	Support enough folding of other ops on NULL_TREE type to support
	bounds checking.
	(region_model_manager::get_or_create_const_fn_result_svalue):
	Remove assertion that type is nonnull.
	* region-model-manager.h
	(region_model_manager::get_or_create_constant_svalue): Add
	overloaded decl taking a type.
	(region_model_manager::maybe_fold_binop): Make public.
	(region_model_manager::constants_map_t): Use
	constant_svalue::key_t for the key, rather than just tree.
	* region-model.cc (print_expr_for_user): New.
	(selftest::test_array_2): Handle casts.
	* region.cc (region_offset::calc_symbolic_bit_offset): Return
	const svalue & rather than tree, and reimplement accordingly.
	(region::calc_offset): Use ptrdiff_type_node for types of byte
	offsets.
	(region::maybe_print_for_user): New.
	(element_region::get_relative_symbolic_offset): Use NULL_TREE for
	types of bit offsets.
	(offset_region::get_bit_offset): Likewise.
	(sized_region::get_bit_size_sval): Likewise for bit sizes.
	* region.h (region::maybe_print_for_user): New decl.
	* svalue.cc (class auto_add_parens): New.
	(svalue::maybe_print_for_user): New.
	(svalue::cmp_ptr): Support typeless constant svalues.
	(tristate_from_boolean_tree_node): New, taken from...
	(constant_svalue::eval_condition): ...here.  Handle comparison of
	typeless integer svalue constants.
	* svalue.h (svalue::maybe_print_for_user): New decl.
	(class constant_svalue): Support the type of the svalue being
	NULL_TREE.
	(struct default_hash_traits<constant_svalue::key_t>): New.

2024-03-18  David Malcolm  <dmalcolm@redhat.com>

	* access-diagram.cc (remove_ssa_names): Support operands being
	NULL_TREE, such as e.g. for COMPONENT_REF's operand 2.

2024-03-07  Jakub Jelinek  <jakub@redhat.com>

	* access-diagram.cc: Include diagnostic-core.h before including
	diagnostic.h or diagnostic-path.h.
	* sm-malloc.cc: Likewise.
	* diagnostic-manager.cc: Likewise.
	* call-summary.cc: Likewise.
	* record-layout.cc: Likewise.

2024-02-29  David Malcolm  <dmalcolm@redhat.com>

	PR analyzer/114159
	* analyzer.cc: Include "tree-dfa.h".
	(get_ssa_default_def): New decl.
	* analyzer.h (get_ssa_default_def): New.
	* call-info.cc (call_info::call_info): New ctor taking an explicit
	called_fn.
	* call-info.h (call_info::call_info): Likewise.
	* call-summary.cc (call_summary_replay::call_summary_replay):
	Convert param from function * to const function &.
	* call-summary.h (call_summary_replay::call_summary_replay):
	Likewise.
	* checker-event.h (state_change_event::get_dest_function):
	Constify return value.
	* engine.cc (point_and_state::validate): Update for conversion to
	const function &.
	(exploded_node::on_stmt): Likewise.
	(call_summary_edge_info::call_summary_edge_info): Likewise.
	Pass in called_fn to call_info ctor.
	(exploded_node::replay_call_summaries): Update for conversion to
	const function &.  Convert per_function_data from * to &.
	(exploded_node::replay_call_summary): Update for conversion to
	const function &.
	(exploded_graph::add_function_entry): Likewise.
	(toplevel_function_p): Likewise.
	(add_tainted_args_callback): Likewise.
	(exploded_graph::build_initial_worklist): Likewise.
	(exploded_graph::maybe_create_dynamic_call): Likewise.
	(maybe_update_for_edge): Likewise.
	(exploded_graph::on_escaped_function): Likewise.
	* exploded-graph.h (exploded_node::replay_call_summaries):
	Likewise.
	(exploded_node::replay_call_summary): Likewise.
	(exploded_graph::add_function_entry): Likewise.
	* program-point.cc (function_point::from_function_entry):
	Likewise.
	(program_point::from_function_entry): Likewise.
	* program-point.h (function_point::from_function_entry): Likewise.
	(program_point::from_function_entry): Likewise.
	* program-state.cc (program_state::push_frame): Likewise.
	(program_state::get_current_function): Constify return type.
	* program-state.h (program_state::push_frame): Update for
	conversion to const function &.
	(program_state::get_current_function): Likewise.
	* region-model-manager.cc
	(region_model_manager::get_frame_region): Likewise.
	* region-model-manager.h
	(region_model_manager::get_frame_region): Likewise.
	* region-model.cc (region_model::called_from_main_p): Likewise.
	(region_model::update_for_gcall): Likewise.
	(region_model::push_frame): Likewise.
	(region_model::get_current_function): Constify return type.
	(region_model::pop_frame): Update for conversion to
	const function &.
	(selftest::test_stack_frames): Likewise.
	(selftest::test_get_representative_path_var): Likewise.
	(selftest::test_state_merging): Likewise.
	(selftest::test_alloca): Likewise.
	* region-model.h (region_model::push_frame): Likewise.
	(region_model::get_current_function): Likewise.
	* region.cc (frame_region::dump_to_pp): Likewise.
	(frame_region::get_region_for_local): Likewise.
	* region.h (class frame_region): Likewise.
	* sm-signal.cc (signal_unsafe_call::describe_state_change):
	Likewise.
	(update_model_for_signal_handler): Likewise.
	(signal_delivery_edge_info_t::update_model): Likewise.
	(register_signal_handler::impl_transition): Likewise.
	* state-purge.cc (class gimple_op_visitor): Likewise.
	(state_purge_map::state_purge_map): Likewise.
	(state_purge_map::get_or_create_data_for_decl): Likewise.
	(state_purge_per_ssa_name::state_purge_per_ssa_name): Likewise.
	(state_purge_per_ssa_name::add_to_worklist): Likewise.
	(state_purge_per_ssa_name::process_point): Likewise.
	(state_purge_per_decl::add_to_worklist): Likewise.
	(state_purge_annotator::print_needed): Likewise.
	* state-purge.h
	(state_purge_map::get_or_create_data_for_decl): Likewise.
	(class state_purge_per_tree): Likewise.
	(class state_purge_per_ssa_name): Likewise.
	(class state_purge_per_decl): Likewise.
	* supergraph.cc (supergraph::dump_dot_to_pp): Likewise.
	* supergraph.h
	(supergraph::get_node_for_function_entry): Likewise.
	(supergraph::get_node_for_function_exit): Likewise.

2024-02-27  David Malcolm  <dmalcolm@redhat.com>

	PR analyzer/110483
	PR analyzer/111802
	* access-diagram.cc
	(string_literal_spatial_item::add_column_for_byte): Use %wu for
	printing unsigned HOST_WIDE_INT.

2024-02-27  David Malcolm  <dmalcolm@redhat.com>

	PR analyzer/111881
	* constraint-manager.cc (bound::ensure_closed): Assert that
	m_constant has integral type.
	(range::add_bound): Bail out on floating point constants.

2024-02-21  David Malcolm  <dmalcolm@redhat.com>

	PR analyzer/113999
	* analyzer.h (get_string_cst_size): New decl.
	* region-model-manager.cc (get_string_cst_size): New.
	(region_model_manager::maybe_get_char_from_string_cst): Treat
	single-byte accesses within string_cst but beyond
	TREE_STRING_LENGTH as being 0.
	* region-model.cc (string_cst_has_null_terminator): Likewise.

2024-02-21  David Malcolm  <dmalcolm@redhat.com>

	PR analyzer/113998
	* ranges.cc (symbolic_byte_range::intersection): Handle empty ranges.
	(selftest::test_intersects): Add test coverage for empty ranges.

2024-02-19  David Malcolm  <dmalcolm@redhat.com>

	PR analyzer/111289
	* varargs.cc (representable_in_integral_type_p): New.
	(va_arg_compatible_types_p): Add "arg_sval" param.  Handle integer
	types.
	(kf_va_arg::impl_call_pre): Pass arg_sval to
	va_arg_compatible_types_p.

2024-02-19  Andrew Pinski  <quic_apinski@quicinc.com>

	PR analyzer/113983
	* region-model-manager.cc (maybe_undo_optimize_bit_field_compare): Reject
	non integral types.

2024-02-15  David Malcolm  <dmalcolm@redhat.com>

	PR analyzer/111266
	* region.cc (offset_region::get_byte_size_sval): Delete.
	(offset_region::get_bit_size_sval): Delete.
	* region.h (region::get_byte_size): Add comment clarifying that
	this relates to the size of the access, rather than the size
	that's valid to access.
	(region::get_bit_size): Likewise.
	(region::get_byte_size_sval): Likewise.
	(region::get_bit_size_sval): Likewise.
	(offset_region::get_byte_size_sval): Delete.
	(offset_region::get_bit_size_sval): Delete.

2024-02-13  David Malcolm  <dmalcolm@redhat.com>

	* pending-diagnostic.cc (diagnostic_emission_context::warn):
	Update for renaming of emit_diagnostic_valist overload to
	emit_diagnostic_valist_meta.
	(diagnostic_emission_context::inform): Likewise.

2024-01-31  David Malcolm  <dmalcolm@redhat.com>

	PR analyzer/113253
	* region-model.cc (region_model::on_stmt_pre): Add gcc_unreachable
	for debug statements.
	* state-purge.cc
	(state_purge_per_ssa_name::state_purge_per_ssa_name): Skip any
	debug stmts in the FOR_EACH_IMM_USE_FAST list.
	* supergraph.cc (supergraph::supergraph): Don't add debug stmts
	to the supernodes.

2024-01-31  David Malcolm  <dmalcolm@redhat.com>

	PR analyzer/113509
	* checker-event.cc (state_change_event::get_desc): Don't assume
	"var" is non-NULL.

2024-01-30  David Malcolm  <dmalcolm@redhat.com>

	PR analyzer/113654
	* region-model.cc (is_round_up): New.
	(is_multiple_p): New.
	(is_dubious_capacity): New.
	(region_model::check_region_size): Move usage of size_visitor into
	is_dubious_capacity.

2024-01-30  David Malcolm  <dmalcolm@redhat.com>

	* region-model.cc
	(dubious_allocation_size::dubious_allocation_size): Add
	"capacity_sval" param.  Drop unused ctor.
	(dubious_allocation_size::maybe_add_sarif_properties): New.
	(dubious_allocation_size::m_capacity_sval): New field.
	(region_model::check_region_size): Pass capacity svalue to
	dubious_allocation_size ctor.

2024-01-25  David Malcolm  <dmalcolm@redhat.com>

	PR analyzer/112969
	* store.cc (binding_cluster::maybe_get_compound_binding): When
	populating default_map, express the bit-range of the default key
	for REG relative to REG, rather than to the base region.

2024-01-24  David Malcolm  <dmalcolm@redhat.com>

	PR analyzer/112977
	* engine.cc (impl_region_model_context::on_liveness_change): Pass
	m_ext_state to sm_state_map::on_liveness_change.
	* program-state.cc (sm_state_map::on_svalue_leak): Guard removal
	of map entry based on can_purge_p.
	(sm_state_map::on_liveness_change): Add ext_state param.  Add
	workaround for bad interaction between state purging and
	alt-inherited sm-state.
	* program-state.h (sm_state_map::on_liveness_change): Add
	ext_state param.
	* sm-taint.cc
	(taint_state_machine::has_alt_get_inherited_state_p): New.
	(taint_state_machine::can_purge_p): Return false for "has_lb" and
	"has_ub".
	* sm.h (state_machine::has_alt_get_inherited_state_p): New vfunc.

2024-01-18  David Malcolm  <dmalcolm@redhat.com>

	PR analyzer/111361
	* region-model.cc (svalue_byte_range_has_null_terminator_1): The
	initial byte of an all-zeroes SVAL is a zero byte.  Remove
	gcc_unreachable from SK_CONSTANT for constants that aren't
	STRING_CST or INTEGER_CST.

2024-01-18  David Malcolm  <dmalcolm@redhat.com>

	PR analyzer/112811
	* region-model.cc (fragment::dump_to_pp): New.
	(fragment::has_null_terminator): Convert to...
	(svalue_byte_range_has_null_terminator_1): ...this new function,
	updating to use a byte_range relative to the start of the svalue.
	(svalue_byte_range_has_null_terminator): New.
	(fragment::string_cst_has_null_terminator): Convert to...
	(string_cst_has_null_terminator): ...this, updating to use a
	byte_range relative to the start of the svalue.
	(iterable_cluster::dump_to_pp): New.
	(region_model::scan_for_null_terminator): Add logging, moving body
	to...
	(region_model::scan_for_null_terminator_1): ...this new function,
	adding more logging, and updating to use
	svalue_byte_range_has_null_terminator.
	* region-model.h (region_model::scan_for_null_terminator_1): New
	decl.

2024-01-16  David Malcolm  <dmalcolm@redhat.com>

	PR analyzer/106229
	* analyzer.h (compare_constants): New decl.
	* constraint-manager.cc (compare_constants): Make non-static.
	* sm-taint.cc: Add include "fold-const.h".
	(class concrete_range): New.
	(get_possible_range): New.
	(index_can_be_out_of_bounds_p): New.
	(region_model::check_region_for_taint): Reject
	-Wanalyzer-tainted-array-index if the type of the value makes it
	impossible for it to be out-of-bounds of the array.

2024-01-16  David Malcolm  <dmalcolm@redhat.com>

	PR analyzer/113333
	* region-model-manager.cc
	(region_model_manager::maybe_fold_unaryop): Casting all zeroes
	should give all zeroes.

2024-01-04  David Malcolm  <dmalcolm@redhat.com>

	* analyzer.opt.urls: New file, autogenerated by
	regenerate-opt-urls.py.

2024-01-04  David Malcolm  <dmalcolm@redhat.com>

	* checker-event.cc: Include "diagnostic-format-sarif.h" and
	"tree-logical-location.h".
	(checker_event::maybe_add_sarif_properties): New.
	(superedge_event::maybe_add_sarif_properties): New.
	(superedge_event::superedge_event): Add comment.
	* checker-event.h (checker_event::maybe_add_sarif_properties): New
	decl.
	(superedge_event::maybe_add_sarif_properties): New decl.

2024-01-04  David Malcolm  <dmalcolm@redhat.com>

	PR analyzer/112790
	* checker-event.cc (class inlining_info): Move to...
	* inlining-iterator.h (class inlining_info): ...here.
	* sm-malloc.cc: Include "analyzer/inlining-iterator.h".
	(maybe_complain_about_deref_before_check): Reject stmts that were
	inlined from another function.

2024-01-04  David Malcolm  <dmalcolm@redhat.com>

	PR analyzer/113222
	* access-diagram.cc (valid_region_spatial_item::add_boundaries):
	Handle TYPE_DOMAIN being null.
	(valid_region_spatial_item::add_array_elements_to_table):
	Likewise.

2023-12-16  David Malcolm  <dmalcolm@redhat.com>

	* analyzer.cc: Include "tree-pretty-print.h" and
	"diagnostic-event-id.h".
	(tree_to_json): New.
	(diagnostic_event_id_to_json): New.
	(bit_offset_to_json): New.
	(byte_offset_to_json): New.
	* analyzer.h (tree_to_json): New decl.
	(diagnostic_event_id_to_json): New decl.
	(bit_offset_to_json): New decl.
	(byte_offset_to_json): New decl.
	* bounds-checking.cc: Include "diagnostic-format-sarif.h".
	(out_of_bounds::maybe_add_sarif_properties): New.
	(concrete_out_of_bounds::maybe_add_sarif_properties): New.
	(concrete_past_the_end::maybe_add_sarif_properties): New.
	(symbolic_past_the_end::maybe_add_sarif_properties): New.
	* region-model.cc (region_to_value_map::to_json): New.
	(region_model::to_json): New.
	* region-model.h (region_to_value_map::to_json): New decl.
	(region_model::to_json): New decl.
	* store.cc (bit_range::to_json): New.
	(byte_range::to_json): New.
	* store.h (bit_range::to_json): New decl.
	(byte_range::to_json): New decl.

2023-12-16  David Malcolm  <dmalcolm@redhat.com>

	PR analyzer/112792
	* bounds-checking.cc
	(out_of_bounds::oob_region_creation_event_capacity): Rename
	"capacity" to "byte_capacity".  Layout fix.
	(out_of_bounds::add_region_creation_events): Rename
1278         "capacity" to "byte_capacity".
1279         (class concrete_out_of_bounds): Rename m_out_of_bounds_range to
1280         m_out_of_bounds_bits and convert from a byte_range to a bit_range.
1281         (concrete_out_of_bounds::get_out_of_bounds_bytes): New.
1282         (concrete_past_the_end::concrete_past_the_end): Rename param
1283         "byte_bound" to "bit_bound".  Initialize m_byte_bound.
1284         (concrete_past_the_end::subclass_equal_p): Update for renaming
1285         of m_byte_bound to m_bit_bound.
1286         (concrete_past_the_end::m_bit_bound): New field.
1287         (concrete_buffer_overflow::concrete_buffer_overflow): Convert
1288         param "range" from byte_range to bit_range.  Rename param
1289         "byte_bound" to "bit_bound".
1290         (concrete_buffer_overflow::emit): Update for bits vs bytes.
1291         (concrete_buffer_overflow::describe_final_event): Split
1292         into...
1293         (concrete_buffer_overflow::describe_final_event_as_bytes): ...this
1294         (concrete_buffer_overflow::describe_final_event_as_bits): ...and
1295         this.
1296         (concrete_buffer_over_read::concrete_buffer_over_read): Convert
1297         param "range" from byte_range to bit_range.  Rename param
1298         "byte_bound" to "bit_bound".
1299         (concrete_buffer_over_read::emit): Update for bits vs bytes.
1300         (concrete_buffer_over_read::describe_final_event): Split into...
1301         (concrete_buffer_over_read::describe_final_event_as_bytes):
1302         ...this
1303         (concrete_buffer_over_read::describe_final_event_as_bits): ...and
1304         this.
1305         (concrete_buffer_underwrite::concrete_buffer_underwrite): Convert
1306         param "range" from byte_range to bit_range.
1307         (concrete_buffer_underwrite::describe_final_event): Split into...
1308         (concrete_buffer_underwrite::describe_final_event_as_bytes):
1309         ...this
1310         (concrete_buffer_underwrite::describe_final_event_as_bits): ...and
1311         this.
1312         (concrete_buffer_under_read::concrete_buffer_under_read): Convert
1313         param "range" from byte_range to bit_range.
1314         (concrete_buffer_under_read::describe_final_event): Split into...
1315         (concrete_buffer_under_read::describe_final_event_as_bytes):
1316         ...this
1317         (concrete_buffer_under_read::describe_final_event_as_bits): ...and
1318         this.
1319         (region_model::check_region_bounds): Use bits for concrete values,
1320         and rename locals to indicate whether we're dealing with bits or
1321         bytes.  Specifically, replace "num_bytes_sval" with
1322         "num_bits_sval", and get it from reg's "get_bit_size_sval".
1323         Replace "num_bytes_tree" with "num_bits_tree".  Rename "capacity"
1324         to "byte_capacity".  Rename "cst_capacity_tree" to
1325         "cst_byte_capacity_tree".  Replace "offset" and
1326         "num_bytes_unsigned" with "bit_offset" and "num_bits_unsigned"
1327         respectively, converting from byte_offset_t to bit_offset_t.
1328         Replace "out" and "read_bytes" with "bits_outside" and "read_bits"
1329         respectively, converting from byte_range to bit_range.  Convert
1330         "buffer" from byte_range to bit_range.  Replace "byte_bound" with
1331         "bit_bound".
1332         * region.cc (region::get_bit_size_sval): New.
1333         (offset_region::get_bit_offset): New.
1334         (offset_region::get_bit_size_sval): New.
1335         (sized_region::get_bit_size_sval): New.
1336         (bit_range_region::get_bit_size_sval): New.
1337         * region.h (region::get_bit_size_sval): New vfunc.
1338         (offset_region::get_bit_offset): New decl.
1339         (offset_region::get_bit_size_sval): New decl.
1340         (sized_region::get_bit_size_sval): New decl.
1341         (bit_range_region::get_bit_size_sval): New decl.
1342         * store.cc (bit_range::intersects_p): New, based on
1343         byte_range::intersects_p.
1344         (bit_range::exceeds_p): New, based on byte_range::exceeds_p.
1345         (bit_range::falls_short_of_p): New, based on
1346         byte_range::falls_short_of_p.
1347         (byte_range::intersects_p): Delete.
1348         (byte_range::exceeds_p): Delete.
1349         (byte_range::falls_short_of_p): Delete.
1350         * store.h (bit_range::intersects_p): New overload.
1351         (bit_range::exceeds_p): New.
1352         (bit_range::falls_short_of_p): New.
1353         (byte_range::intersects_p): Delete.
1354         (byte_range::exceeds_p): Delete.
1355         (byte_range::falls_short_of_p): Delete.
1357 2023-12-14  David Malcolm  <dmalcolm@redhat.com>
1359         PR analyzer/112655
1360         * infinite-loop.cc (infinite_loop::infinite_loop): Pass eedges
1361         via rvalue reference rather than by value.
1362         (starts_infinite_loop_p): Move eedges when constructing an
1363         infinite_loop instance.
1364         * sm-file.cc (fileptr_state_machine::fileptr_state_machine): Use
1365         initializer list for states.
1366         * sm-sensitive.cc
1367         (sensitive_state_machine::sensitive_state_machine): Likewise.
1368         * sm-signal.cc (signal_state_machine::signal_state_machine):
1369         Likewise.
1370         * sm-taint.cc (taint_state_machine::taint_state_machine):
1371         Likewise.
1372         * varargs.cc (va_list_state_machine::va_list_state_machine): Likewise.
1374 2023-12-11  David Malcolm  <dmalcolm@redhat.com>
1376         PR analyzer/112955
1377         * engine.cc (feasibility_state::feasibility_state): Initialize
1378         m_snodes_visited.
1380 2023-12-11  Andrew Pinski  <apinski@marvell.com>
1382         * region-model-manager.cc (maybe_undo_optimize_bit_field_compare): Remove
1383         the check for type being unsigned_char_type_node.
1385 2023-12-08  David Malcolm  <dmalcolm@redhat.com>
1387         * sm-taint.cc (taint_state_machine::alt_get_inherited_state): Fix
1388         handling of TRUNC_MOD_EXPR.
1390 2023-12-08  David Malcolm  <dmalcolm@redhat.com>
1392         * region-model.cc (contains_uninit_p): Only check for
1393         svalues that the infoleak warning can handle.
1395 2023-12-08  David Malcolm  <dmalcolm@redhat.com>
1397         PR analyzer/112889
1398         * store.h (concrete_binding::concrete_binding): Strengthen
1399         assertion to require size to be be positive, rather than just
1400         non-zero.
1401         (concrete_binding::mark_deleted): Use size rather than start bit
1402         offset.
1403         (concrete_binding::mark_empty): Likewise.
1404         (concrete_binding::is_deleted): Likewise.
1405         (concrete_binding::is_empty): Likewise.
1407 2023-12-07  Alexandre Oliva  <oliva@adacore.com>
1409         * region-model.cc (has_nondefault_case_for_value_p): Take
1410         enumerate type as a parameter.
1411         (region_model::apply_constraints_for_gswitch): Cope with
1412         integral promotion type casts.
1414 2023-12-07  David Malcolm  <dmalcolm@redhat.com>
1416         PR analyzer/103546
1417         PR analyzer/112850
1418         * analyzer.opt (-param=analyzer-max-svalue-depth=): Increase from
1419         12 to 18.
1420         (Wanalyzer-symbol-too-complex): New.
1421         * diagnostic-manager.cc
1422         (null_assignment_sm_context::clear_all_per_svalue_state): New.
1423         * engine.cc (impl_sm_context::clear_all_per_svalue_state): New.
1424         * program-state.cc (sm_state_map::clear_all_per_svalue_state):
1425         New.
1426         * program-state.h (sm_state_map::clear_all_per_svalue_state): New
1427         decl.
1428         * region-model-manager.cc
1429         (region_model_manager::reject_if_too_complex): Add
1430         -Wanalyzer-symbol-too-complex.
1431         * sm-taint.cc (taint_state_machine::on_condition): Handle
1432         comparisons against UNKNOWN.
1433         * sm.h (sm_context::clear_all_per_svalue_state): New.
1435 2023-12-06  David Malcolm  <dmalcolm@redhat.com>
1437         * engine.cc (dump_analyzer_json): Use
1438         flag_diagnostics_json_formatting.
1440 2023-12-01  David Malcolm  <dmalcolm@redhat.com>
1442         * analyzer.h (class saved_diagnostic): New forward decl.
1443         * bounds-checking.cc: Update for changes to
1444         pending_diagnostic::emit.
1445         * call-details.cc: Likewise.
1446         * diagnostic-manager.cc: Include "diagnostic-format-sarif.h".
1447         (saved_diagnostic::maybe_add_sarif_properties): New.
1448         (class pending_diagnostic_metadata): New.
1449         (diagnostic_manager::emit_saved_diagnostic): Create a
1450         pending_diagnostic_metadata and a diagnostic_emission_context.
1451         Pass the latter to the pending_diagnostic::emit vfunc.
1452         * diagnostic-manager.h
1453         (saved_diagnostic::maybe_add_sarif_properties): New decl.
1454         * engine.cc: Update for changes to pending_diagnostic::emit.
1455         * infinite-loop.cc: Likewise.
1456         * infinite-recursion.cc: Likewise.
1457         * kf-analyzer.cc: Likewise.
1458         * kf.cc: Likewise.
1459         * pending-diagnostic.cc
1460         (diagnostic_emission_context::get_pending_diagnostic): New.
1461         (diagnostic_emission_context::warn): New.
1462         (diagnostic_emission_context::inform): New.
1463         * pending-diagnostic.h (class diagnostic_emission_context): New.
1464         (pending_diagnostic::emit): Update params.
1465         (pending_diagnostic::maybe_add_sarif_properties): New vfunc.
1466         * region.cc: Don't include "diagnostic-metadata.h".
1467         * region-model.cc: Include "diagnostic-format-sarif.h".  Update
1468         for changes to pending_diagnostic::emit.
1469         (exposure_through_uninit_copy::maybe_add_sarif_properties): New.
1470         * sm-fd.cc: Update for changes to pending_diagnostic::emit.
1471         * sm-file.cc: Likewise.
1472         * sm-malloc.cc: Likewise.
1473         * sm-pattern-test.cc: Likewise.
1474         * sm-sensitive.cc: Likewise.
1475         * sm-signal.cc: Likewise.
1476         * sm-taint.cc: Likewise.
1477         * store.cc: Don't include "diagnostic-metadata.h".
1478         * varargs.cc: Update for changes to pending_diagnostic::emit.
1480 2023-11-19  David Malcolm  <dmalcolm@redhat.com>
1482         * analyzer.h: Include "rich-location.h".
1484 2023-11-19  David Malcolm  <dmalcolm@redhat.com>
1486         PR analyzer/107573
1487         * analyzer.h (register_known_functions): Add region_model_manager
1488         param.
1489         * analyzer.opt (Wanalyzer-undefined-behavior-strtok): New.
1490         * call-summary.cc
1491         (call_summary_replay::convert_region_from_summary_1): Handle
1492         RK_PRIVATE.
1493         * engine.cc (impl_run_checkers): Pass model manager to
1494         register_known_functions.
1495         * kf.cc (class undefined_function_behavior): New.
1496         (class kf_strtok): New.
1497         (register_known_functions): Add region_model_manager param.
1498         Use it to register "strtok".
1499         * region-model-manager.cc
1500         (region_model_manager::get_or_create_conjured_svalue): Add "idx"
1501         param.
1502         * region-model-manager.h
1503         (region_model_manager::get_or_create_conjured_svalue): Add "idx"
1504         param.
1505         (region_model_manager::get_root_region): New accessor.
1506         * region-model.cc (region_model::scan_for_null_terminator): Handle
1507         "expr" being null.
1508         (region_model::get_representative_path_var_1): Handle RK_PRIVATE.
1509         * region-model.h (region_model::called_from_main_p): Make public.
1510         * region.cc (region::get_memory_space): Handle RK_PRIVATE.
1511         (region::can_have_initial_svalue_p): Handle MEMSPACE_PRIVATE.
1512         (private_region::dump_to_pp): New.
1513         * region.h (MEMSPACE_PRIVATE): New.
1514         (RK_PRIVATE): New.
1515         (class private_region): New.
1516         (is_a_helper <const private_region *>::test): New.
1517         * store.cc (store::replay_call_summary_cluster): Handle
1518         RK_PRIVATE.
1519         * svalue.h (struct conjured_svalue::key_t): Add "idx" param to
1520         ctor and "m_idx" field.
1521         (class conjured_svalue::conjured_svalue): Likewise.
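
The PR analyzer/107573 entry above adds kf_strtok, a private region for strtok's saved position, and -Wanalyzer-undefined-behavior-strtok, and makes region_model::called_from_main_p public so the checker can tell when no earlier strtok call can have happened. The C file below is an added illustration by the editor of the call pattern that check is aimed at, not code from GCC or from the PR: a first strtok call with a NULL string argument, reachable from main, beside a tokenizer that keeps the position in caller-owned state via strtok_r. The function names and the sample request line are assumptions.

```c
#define _POSIX_C_SOURCE 200809L
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Hardened variant (editor's example, not GCC code): strtok_r keeps its
   position in a caller-owned pointer, so the rule "the first call passes
   the string, later calls pass NULL" is visible at the call site, and
   the function is reentrant.  Returns the number of tokens found. */
size_t count_tokens_safe(char *buf, const char *delim)
{
	size_t n = 0;
	char *save = NULL;
	for (char *tok = strtok_r(buf, delim, &save); tok != NULL;
	     tok = strtok_r(NULL, delim, &save))
		n++;
	return n;
}

/* Copies a constructed request line into a writable buffer (strtok_r
   modifies its input) and returns its token count: 3 for this input. */
size_t sample_token_count(void)
{
	char line[] = "GET /index.html HTTP/1.1";   /* constructed sample */
	return count_tokens_safe(line, " ");
}

/* The pattern the new check targets: the very first strtok call on this
   path passes NULL, so there is no saved string to continue from.  It is
   only reached when a command-line argument is given, so the program is
   safe to run by default; compile with "gcc -fanalyzer -c" to have the
   analyzer report the strtok(NULL, ...) call (editor's expectation). */
static size_t count_tokens_ub(const char *delim)
{
	size_t n = 0;
	for (char *tok = strtok(NULL, delim); tok != NULL;
	     tok = strtok(NULL, delim))
		n++;
	return n;
}

int main(int argc, char **argv)
{
	(void) argv;
	if (argc > 1)
		return (int) count_tokens_ub(" ");   /* undefined behaviour */
	printf("%zu tokens\n", sample_token_count());
	return 0;
}
```

The undefined path is placed under main deliberately: the analyzer can only be certain that no earlier strtok call set the saved pointer on a path from main, which is what the called_from_main_p change in this entry provides.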
1523 2023-11-18  David Malcolm  <dmalcolm@redhat.com>
1525         PR analyzer/106147
1526         * analyzer.opt (Wanalyzer-infinite-loop): New option.
1527         (fdump-analyzer-infinite-loop): New option.
1528         * checker-event.h (start_cfg_edge_event::get_desc): Drop "final".
1529         (start_cfg_edge_event::maybe_describe_condition): Convert from
1530         private to protected.
1531         * checker-path.h (checker_path::get_logger): New.
1532         * diagnostic-manager.cc (process_worklist_item): Update for
1533         new context param of maybe_update_for_edge.
1534         * engine.cc
1535         (impl_region_model_context::impl_region_model_context): Add
1536         out_could_have_done_work param to both ctors and use it to
1537         initialize mm_out_could_have_done_work.
1538         (impl_region_model_context::maybe_did_work): New vfunc
1539         implementation.
1540         (exploded_node::on_stmt): Add out_could_have_done_work param and
1541         pass to ctxt ctor.
1542         (exploded_node::on_stmt_pre): Treat setjmp and longjmp as "doing
1543         work".
1544         (exploded_node::on_longjmp): Likewise.
1545         (exploded_edge::exploded_edge): Add "could_do_work" param and use
1546         it to initialize m_could_do_work_p.
1547         (exploded_edge::dump_dot_label): Add result of could_do_work_p.
1548         (exploded_graph::add_function_entry): Mark edge as doing no work.
1549         (exploded_graph::add_edge): Add "could_do_work" param and pass to
1550         exploded_edge ctor.
1551         (add_tainted_args_callback): Treat as doing no work.
1552         (exploded_graph::process_worklist): Likewise when merging nodes.
1553         (maybe_process_run_of_before_supernode_enodes::item): Likewise.
1554         (exploded_graph::maybe_create_dynamic_call): Likewise.
1555         (exploded_graph::process_node): Likewise for phi nodes.
1556         Pass in a "could_have_done_work" bool when handling stmts and use
1557         when creating edges.  Assume work is done at bifurcation.
1558         (exploded_path::feasible_p): Update for new context param of
1559         maybe_update_for_edge.
1560         (feasibility_state::feasibility_state): New ctor.
1561         (feasibility_state::operator=): New.
1562         (feasibility_state::maybe_update_for_edge): Add ctxt param and use
1563         it.  Fix missing newline when logging state.
1564         (impl_run_checkers): Call exploded_graph::detect_infinite_loops.
1565         * exploded-graph.h
1566         (impl_region_model_context::impl_region_model_context): Add
1567         out_could_have_done_work param to both ctors.
1568         (impl_region_model_context::maybe_did_work): New decl.
1569         (impl_region_model_context::checking_for_infinite_loop_p): New.
1570         (impl_region_model_context::on_unusable_in_infinite_loop): New.
1571         (impl_region_model_context::m_out_could_have_done_work): New
1572         field.
1573         (exploded_node::on_stmt): Add "out_could_have_done_work" param.
1574         (exploded_edge::exploded_edge): Add "could_do_work" param.
1575         (exploded_edge::could_do_work_p): New accessor.
1576         (exploded_edge::m_could_do_work_p): New field.
1577         (exploded_graph::add_edge): Add "could_do_work" param.
1578         (exploded_graph::detect_infinite_loops): New decl.
1579         (feasibility_state::feasibility_state): New ctor.
1580         (feasibility_state::operator=): New decl.
1581         (feasibility_state::maybe_update_for_edge): Add ctxt param.
1582         * infinite-loop.cc: New file.
1583         * program-state.cc (program_state::on_edge): Log the rejected
1584         constraint when region_model::maybe_update_for_edge fails.
1585         * region-model.cc (region_model::on_assignment): Treat any writes
1586         other than to the stack as "doing work".
1587         (region_model::on_stmt_pre): Treat all asm stmts as "doing work".
1588         (region_model::on_call_post): Likewise for all calls to functions
1589         with unknown side effects.
1590         (region_model::handle_phi): Add svals_changing_meaning param.
1591         Mark widening svalue in phi nodes as changing meaning.
1592         (unusable_in_infinite_loop_constraint_p): New.
1593         (region_model::add_constraint): If we're checking for an infinite
1594         loop, bail out on unusable svalues, or if we don't have a definite
1595         true/false for the constraint.
1596         (region_model::update_for_phis): Gather all svalues changing
1597         meaning in phi nodes, and purge constraints involving them.
1598         (region_model::replay_call_summary): Treat all call summaries as
1599         doing work.
1600         (region_model::can_merge_with_p): Purge constraints involving
1601         svalues that change meaning.
1602         (model_merger::on_widening_reuse): New.
1603         (test_iteration_1): Likewise.
1604         (selftest::test_iteration_1): Remove assertion that model6 "knows"
1605         that i < 157.
1606         * region-model.h (region_model::handle_phi): Add
1607         svals_changing_meaning param
1608         (region_model_context::maybe_did_work): New pure virtual func.
1609         (region_model_context::checking_for_infinite_loop_p): Likewise.
1610         (region_model_context::on_unusable_in_infinite_loop): Likewise.
1611         (noop_region_model_context::maybe_did_work): Implement.
1612         (noop_region_model_context::checking_for_infinite_loop_p):
1613         Likewise.
1614         (noop_region_model_context::on_unusable_in_infinite_loop):
1615         Likewise.
1616         (region_model_context_decorator::maybe_did_work): Implement.
1617         (region_model_context_decorator::checking_for_infinite_loop_p):
1618         Likewise.
1619         (region_model_context_decorator::on_unusable_in_infinite_loop):
1620         Likewise.
1621         (model_merger::on_widening_reuse): New decl.
1622         (model_merger::m_svals_changing_meaning): New field.
1623         * sm-signal.cc (register_signal_handler::impl_transition): Assume
1624         the edge "does work".
1625         * supergraph.cc (supernode::get_start_location): Use CFG edge's
1626         goto_locus if available.
1627         (supernode::get_end_location): Likewise.
1628         (cfg_superedge::dump_label_to_pp): Dump edges with a "goto_locus"
1629         * supergraph.h (cfg_superedge::get_goto_locus): New.
1630         * svalue.cc (svalue::can_merge_p): Call on_widening_reuse for
1631         widening values.
1632         (involvement_visitor::visit_widening_svalue): New.
1633         (svalue::involves_p): Update assertion to allow widening svalues.
1635 2023-11-14  David Malcolm  <dmalcolm@redhat.com>
1637         PR analyzer/103533
1638         * sm-taint.cc: Remove "experimental" from comment.
1639         * sm.cc (make_checkers): Always add taint state machine.
1641 2023-11-04  David Malcolm  <dmalcolm@redhat.com>
1643         * bounds-checking.cc: Update for changes to diagnostic_context.
1645 2023-11-02  David Malcolm  <dmalcolm@redhat.com>
1647         PR analyzer/112317
1648         * access-diagram.cc (class x_aligned_x_ruler_widget): Eliminate
1649         unused field "m_col_widths".
1650         (access_diagram_impl::add_valid_vs_invalid_ruler): Update for
1651         above change.
1652         * region-model.cc
1653         (check_one_function_attr_null_terminated_string_arg): Remove
1654         unused variables "cd_unchecked", "strlen_sval", and
1655         "limited_sval".
1656         * region-model.h (region_model_context_decorator::warn): Add
1657         missing "override".
1659 2023-10-31  David Malcolm  <dmalcolm@redhat.com>
1661         * record-layout.cc: New file, based on material in region-model.cc.
1662         * record-layout.h: Likewise.
1663         * region-model.cc: Include "analyzer/record-layout.h".
1664         (class record_layout): Move to record-layout.cc and .h
1666 2023-10-26  David Malcolm  <dmalcolm@redhat.com>
1668         * region-model.cc
1669         (region_model::check_external_function_for_access_attr): Split
1670         out, replacing with...
1671         (region_model::check_function_attr_access): ...this new function
1672         and...
1673         (region_model::check_function_attrs): ...this new function.
1674         (region_model::check_one_function_attr_null_terminated_string_arg):
1675         New.
1676         (region_model::check_function_attr_null_terminated_string_arg):
1677         New.
1678         (region_model::handle_unrecognized_call): Update for renaming of
1679         check_external_function_for_access_attr to check_function_attrs.
1680         (region_model::check_for_null_terminated_string_arg): Add return
1681         value to one overload.  Make both overloads const.
1682         * region-model.h: Include "stringpool.h" and "attribs.h".
1683         (region_model::check_for_null_terminated_string_arg): Add return
1684         value to one overload.  Make both overloads const.
1685         (region_model::check_external_function_for_access_attr): Delete
1686         decl.
1687         (region_model::check_function_attr_access): New decl.
1688         (region_model::check_function_attr_null_terminated_string_arg):
1689         New decl.
1690         (region_model::check_one_function_attr_null_terminated_string_arg):
1691         New decl.
1692         (region_model::check_function_attrs): New decl.
1694 2023-10-09  David Malcolm  <dmalcolm@redhat.com>
1696         * access-diagram.cc (boundaries::add): Explicitly state
1697         "boundaries::" scope for "kind" enum.
1699 2023-10-08  David Malcolm  <dmalcolm@redhat.com>
1701         PR analyzer/111155
1702         * access-diagram.cc (boundaries::boundaries): Add logger param
1703         (boundaries::add): Add logging.
1704         (boundaries::get_hard_boundaries_in_range): New.
1705         (boundaries::m_logger): New field.
1706         (boundaries::get_table_x_for_offset): Make public.
1707         (class svalue_spatial_item): New.
1708         (class compound_svalue_spatial_item): New.
1709         (add_ellipsis_to_gaps): New.
1710         (valid_region_spatial_item::valid_region_spatial_item): Add theme
1711         param.  Initialize m_boundaries, m_existing_sval, and
1712         m_existing_sval_spatial_item.
1713         (valid_region_spatial_item::add_boundaries): Set m_boundaries.
1714         Add boundaries for any m_existing_sval_spatial_item.
1715         (valid_region_spatial_item::add_array_elements_to_table): Rewrite
1716         creation of min/max index in terms of
1717         maybe_add_array_index_to_table.  Rewrite ellipsis code using
1718         add_ellipsis_to_gaps. Add index values for any hard boundaries
1719         within the valid region.
1720         (valid_region_spatial_item::maybe_add_array_index_to_table): New,
1721         based on code formerly in add_array_elements_to_table.
1722         (valid_region_spatial_item::make_table): Make use of
1723         m_existing_sval_spatial_item, if any.
1724         (valid_region_spatial_item::m_boundaries): New field.
1725         (valid_region_spatial_item::m_existing_sval): New field.
1726         (valid_region_spatial_item::m_existing_sval_spatial_item): New
1727         field.
1728         (class svalue_spatial_item): Rename to...
1729         (class written_svalue_spatial_item): ...this.
1730         (class string_region_spatial_item): Rename to..
1731         (class string_literal_spatial_item): ...this.  Add "kind".
1732         (string_literal_spatial_item::add_boundaries): Use m_kind to
1733         determine kind of boundary.  Update for renaming of m_actual_bits
1734         to m_bits.
1735         (string_literal_spatial_item::make_table): Likewise.  Support not
1736         displaying a row for byte indexes, and not displaying a row for
1737         the type.
1738         (string_literal_spatial_item::add_column_for_byte): Make byte index
1739         row optional.
1740         (svalue_spatial_item::make): Convert to...
1741         (make_written_svalue_spatial_item): ...this.
1742         (make_existing_svalue_spatial_item): New.
1743         (access_diagram_impl::access_diagram_impl): Pass theme to
1744         m_valid_region_spatial_item ctor.  Update for renaming of
1745         m_svalue_spatial_item.
1746         (access_diagram_impl::find_boundaries): Pass logger to boundaries.
1747         Update for renaming of...
1748         (access_diagram_impl::m_svalue_spatial_item): Rename to...
1749         (access_diagram_impl::m_written_svalue_spatial_item): ...this.
1751 2023-10-03  David Malcolm  <dmalcolm@redhat.com>
1753         * analyzer-logging.cc (logger::log_va_partial): Use text_info
1754         ctor.
1755         * analyzer.cc (make_label_text): Likewise.
1756         (make_label_text_n): Likewise.
1757         * pending-diagnostic.cc (evdesc::event_desc::formatted_print):
1758         Likewise.
1760 2023-10-02  David Malcolm  <dmalcolm@redhat.com>
1762         * program-point.cc: Update for grouping of source printing fields
1763         within diagnostic_context.
1765 2023-09-15  David Malcolm  <dmalcolm@redhat.com>
1767         * analyzer.cc (get_stmt_location): Handle null stmt.
1768         * diagnostic-manager.cc (saved_diagnostic::saved_diagnostic): Copy
1769         m_loc from ploc.
1770         (saved_diagnostic::operator==): Compare m_loc.
1771         (saved_diagnostic::calc_best_epath): Only use m_stmt_finder if
1772         m_loc is unknown.
1773         (dedupe_key::dedupe_key): Initialize m_loc.
1774         (dedupe_key::operator==): Compare m_loc.
1775         (dedupe_key::get_location): Use m_loc if it's known.
1776         (dedupe_key::m_loc): New field.
1777         (diagnostic_manager::emit_saved_diagnostic): Only call
1778         get_emission_location if m_loc is unknown, preferring to use m_loc
1779         if it's available.
1780         * diagnostic-manager.h (saved_diagnostic::m_loc): New field.
1781         (pending_location::pending_location): Initialize m_loc.  Add
1782         overload taking a location_t rather than a stmt/stmt_finder.
1783         (pending_location::m_loc): New field.
1785 2023-09-15  David Malcolm  <dmalcolm@redhat.com>
1787         * analyzer.h (struct pending_location): New forward decl.
1788         * diagnostic-manager.cc (saved_diagnostic::saved_diagnostic):
1789         Replace params "enode", "snode", "stmt", and "stmt_finder" with
1790         "ploc".
1791         (diagnostic_manager::add_diagnostic): Likewise for both overloads.
1792         * diagnostic-manager.h (saved_diagnostic::saved_diagnostic):
1793         Likewise.
1794         (struct pending_location): New.
1795         (diagnostic_manager::add_diagnostic): Replace params "enode",
1796         "snode", "stmt", and "stmt_finder" with "ploc".
1797         * engine.cc (impl_region_model_context::warn): Update call to
1798         add_diagnostic for above change.
1799         (impl_sm_context::warn): Likewise.
1800         (impl_region_model_context::on_state_leak): Likewise.
1801         * infinite-recursion.cc
1802         (exploded_graph::detect_infinite_recursion): Likewise.
1804 2023-09-15  David Malcolm  <dmalcolm@redhat.com>
1806         * region-model.cc (region_model::get_gassign_result): Handle
1807         volatile ops by using a conjured_svalue.
1809 2023-09-14  David Malcolm  <dmalcolm@redhat.com>
1811         * checker-event.h (checker_event::get_thread_id): New.
1812         * checker-path.h (class checker_path): Implement thread-related
1813         vfuncs via a single simple_diagnostic_thread instance named
1814         "main".
1816 2023-09-14  David Malcolm  <dmalcolm@redhat.com>
1818         * diagnostic-manager.cc (compatible_epath_p): Fix missing return.
1820 2023-09-14  David Malcolm  <dmalcolm@redhat.com>
1822         * diagnostic-manager.cc (process_worklist_item): Use
1823         std::unique_ptr rather than plain rejected_constraint *.
1824         * engine.cc (exploded_path::feasible_p): Likewise.
1825         (feasibility_state::maybe_update_for_edge): Likewise.
1826         * exploded-graph.h (feasibility_problem::feasibility_problem):
1827         Likewise.
1828         (feasibility_problem::~feasibility_problem): Delete.
1829         (feasibility_problem::m_rc): Use std::unique_ptr.
1830         (feasibility_state::maybe_update_for_edge): Likewise.
1831         * feasible-graph.cc (feasible_graph::add_feasibility_problem):
1832         Likewise.
1833         * feasible-graph.h (class infeasible_node): Likewise.
1834         (feasible_graph::add_feasibility_problem): Likewise.
1835         * region-model.cc (region_model::add_constraint): Likewise.
1836         (region_model::maybe_update_for_edge): Likewise.
1837         (region_model::apply_constraints_for_gcond): Likewise.
1838         (region_model::apply_constraints_for_gswitch): Likewise.
1839         (region_model::apply_constraints_for_exception): Likewise.
1840         * region-model.h (class region_model): Likewise for decls.
1842 2023-09-09  benjamin priour  <vultkayn@gcc.gnu.org>
1844         PR analyzer/96395
1845         * region-model.cc
1846         (region_model::add_constraints_from_binop): binop_svalues around
1847         LT_EXPR, LE_EXPR, GT_EXPR, GE_EXPR are now unwrapped.
1849 2023-09-07  David Malcolm  <dmalcolm@redhat.com>
1851         PR analyzer/110529
1852         * program-point.cc (program_point::on_edge): Don't reject
1853         EDGE_ABNORMAL for computed gotos.
1854         * region-model.cc (region_model::maybe_update_for_edge): Handle
1855         computed goto statements.
1856         (region_model::apply_constraints_for_ggoto): New.
1857         * region-model.h (region_model::apply_constraints_for_ggoto): New decl.
1858         * supergraph.cc (supernode::get_label): New.
1859         * supergraph.h (supernode::get_label): New decl.
1861 2023-09-07  benjamin priour  <vultkayn@gcc.gnu.org>
1862             David Malcolm  <dmalcolm@redhat.com>
1864         PR analyzer/110830
1865         * diagnostic-manager.cc
1866         (compatible_epaths_p): New function.
1867         (saved_diagnostic::supercedes_p): Now calls the above
1868         to determine if the diagnostics do overlap and the superseding
1869         may proceed.
2023-09-07  David Malcolm  <dmalcolm@redhat.com>

	* region-model.h: Fix -Wunused-parameter warnings.

2023-09-06  David Malcolm  <dmalcolm@redhat.com>

	PR analyzer/105899
	* kf.cc (class kf_strstr): New.
	(kf_strstr::impl_call_post): New.
	(register_known_functions): Register it.

2023-09-06  David Malcolm  <dmalcolm@redhat.com>

	PR analyzer/105899
	* kf.cc (class kf_strncpy): New.
	(kf_strncpy::impl_call_post): New.
	(register_known_functions): Register it.
	* region-model.cc (region_model::read_bytes): Handle unknown
	number of bytes.

2023-09-06  David Malcolm  <dmalcolm@redhat.com>

	* kf.cc (kf_calloc::impl_call_pre): Pass ctxt to zero_fill_region.
	(kf_memset::impl_call_pre): Move responsibility for calling
	check_region_for_write to fill_region.
	* region-model.cc (region_model::on_assignment): Pass ctxt to
	zero_fill_region.
	(region_model::fill_region): Add "ctxt" param, using it to call
	check_region_for_write.
	(region_model::zero_fill_region): Likewise.
	* region-model.h (region_model::fill_region): Add "ctxt" param.
	(region_model::zero_fill_region): Likewise.
2023-09-01  benjamin priour  <priour.be@gmail.com>

	PR analyzer/105948
	PR analyzer/94355
	* analyzer.h (is_placement_new_p): New declaration.
	* call-details.cc
	(call_details::deref_ptr_arg): New function.
	Dereference the argument at given index if possible.
	* call-details.h: Declaration of the above function.
	* kf-lang-cp.cc (is_placement_new_p): Returns true if the gcall
	is recognized as a placement new.
	(kf_operator_delete::impl_call_post): Unbinding a region and its
	descendants now poisons with POISON_KIND_DELETED.
	(register_known_functions_lang_cp): Known function "operator
	delete" is now registered only once independently of its number of
	arguments.
	* region-model.cc (region_model::eval_condition): Now
	recursively calls itself if any of the operands is wrapped in a
	cast.
	* sm-malloc.cc (malloc_state_machine::on_stmt):
	Add placement new recognition.
	* svalue.cc (poison_kind_to_str): Wording for the new PK.
	* svalue.h (enum poison_kind): Add value POISON_KIND_DELETED.
2023-08-31  Francois-Xavier Coudert  <fxcoudert@gcc.gnu.org>

	* kf.cc: Change spelling to macOS.

2023-08-30  Eric Feng  <ef2648@columbia.edu>

	PR analyzer/107646
	* engine.cc (impl_region_model_context::warn): New optional
	parameter.
	* exploded-graph.h (class impl_region_model_context): Likewise.
	* region-model.cc (region_model::pop_frame): New callback
	feature for region_model::pop_frame.
	* region-model.h (struct append_regions_cb_data): Likewise.
	(class region_model): Likewise.
	(class region_model_context): New optional parameter.
	(class region_model_context_decorator): Likewise.

2023-08-30  Francois-Xavier Coudert  <fxcoudert@gcc.gnu.org>

	* region-model.cc: Define INCLUDE_ALGORITHM.

2023-08-29  David Malcolm  <dmalcolm@redhat.com>

	PR analyzer/99860
	* analyzer-selftests.cc (selftest::run_analyzer_selftests): Call
	selftest::analyzer_ranges_cc_tests.
	* analyzer-selftests.h (selftest::run_analyzer_selftests): New
	decl.
	* analyzer.opt (Wanalyzer-overlapping-buffers): New option.
	* call-details.cc: Include "analyzer/ranges.h" and "make-unique.h".
	(class overlapping_buffers): New.
	(call_details::complain_about_overlap): New.
	* call-details.h (call_details::complain_about_overlap): New decl.
	* kf.cc (kf_memcpy_memmove::impl_call_pre): Call
	cd.complain_about_overlap for memcpy and memcpy_chk.
	(kf_strcat::impl_call_pre): Call cd.complain_about_overlap.
	(kf_strcpy::impl_call_pre): Likewise.
	* ranges.cc: New file.
	* ranges.h: New file.
2023-08-29  David Malcolm  <dmalcolm@redhat.com>

	PR analyzer/105899
	* kf.cc (kf_strdup::impl_call_pre): Set size of
	dynamically-allocated buffer.  Simulate copying the string from
	the source region to the new buffer.

2023-08-27  benjamin priour  <vultkayn@gcc.gnu.org>

	PR analyzer/96395
	* analyzer.h (class known_function): Add virtual casts
	to builtin_known_function.
	(class builtin_known_function): New subclass of known_function
	for builtins.
	* kf.cc (class kf_alloca): Now derived from
	builtin_known_function.
	(class kf_calloc): Likewise.
	(class kf_free): Likewise.
	(class kf_malloc): Likewise.
	(class kf_memcpy_memmove): Likewise.
	(class kf_memset): Likewise.
	(class kf_realloc): Likewise.
	(class kf_strchr): Likewise.
	(class kf_sprintf): Likewise.
	(class kf_strcat): Likewise.
	(class kf_strcpy): Likewise.
	(class kf_strdup): Likewise.
	(class kf_strlen): Likewise.
	(class kf_strndup): Likewise.
	(register_known_functions): Builtins are now registered as
	known_functions by name rather than by their BUILTIN_CODE.
	* known-function-manager.cc (get_normal_builtin): New overload.
	* known-function-manager.h: New overload declaration.
	* region-model.cc (region_model::get_builtin_kf): New function.
	* region-model.h (class region_model): Add declaration of
	get_builtin_kf.
	* sm-fd.cc: For calls recognized as builtins, use the
	attributes of that builtin as defined in gcc/builtins.def
	rather than the user's.
	* sm-malloc.cc (malloc_state_machine::on_stmt): Likewise.
2023-08-25  David Malcolm  <dmalcolm@redhat.com>

	* access-diagram.cc (class string_region_spatial_item): Remove
	assumption that the string is written to the start of the cluster.

2023-08-24  David Malcolm  <dmalcolm@redhat.com>

	PR analyzer/105899
	* call-details.cc
	(call_details::check_for_null_terminated_string_arg): Split into
	overloads, one taking just an arg_idx, the other a new
	"include_terminator" param.
	* call-details.h: Likewise.
	* kf.cc (class kf_strcat): New.
	(kf_strcpy::impl_call_pre): Update for change to
	check_for_null_terminated_string_arg.
	(register_known_functions): Register kf_strcat.
	* region-model.cc
	(region_model::check_for_null_terminated_string_arg): Split into
	overloads, one taking just an arg_idx, the other a new
	"include_terminator" param.  When returning an svalue, handle
	"include_terminator" being false by subtracting one.
	* region-model.h
	(region_model::check_for_null_terminated_string_arg): Split into
	overloads, one taking just an arg_idx, the other a new
	"include_terminator" param.

2023-08-24  David Malcolm  <dmalcolm@redhat.com>

	PR analyzer/105899
	* region-model.cc (fragment::has_null_terminator): Handle
	SK_BITS_WITHIN.

2023-08-24  David Malcolm  <dmalcolm@redhat.com>

	PR analyzer/105899
	* region-model-manager.cc
	(region_model_manager::get_or_create_initial_value): Simplify
	INIT_VAL(ELEMENT_REG(STRING_REG), CONSTANT_SVAL) to
	CONSTANT_SVAL(STRING[N]).

2023-08-24  David Malcolm  <dmalcolm@redhat.com>

	PR analyzer/105899
	* region-model.cc (fragment::has_null_terminator): Move STRING_CST
	handling to fragment::string_cst_has_null_terminator; also use it to
	handle INIT_VAL(STRING_REG).
	(fragment::string_cst_has_null_terminator): New, from above.

2023-08-24  David Malcolm  <dmalcolm@redhat.com>

	* kf.cc (kf_memcpy_memmove::impl_call_pre): Reimplement using
	region_model::copy_bytes.
	* region-model.cc (region_model::read_bytes): New.
	(region_model::copy_bytes): New.
	* region-model.h (region_model::read_bytes): New decl.
	(region_model::copy_bytes): New decl.

2023-08-24  David Malcolm  <dmalcolm@redhat.com>

	PR analyzer/105899
	* region-model.cc (region_model::get_string_size): Delete both.
	* region-model.h (region_model::get_string_size): Delete both
	decls.

2023-08-24  David Malcolm  <dmalcolm@redhat.com>

	PR analyzer/105899
	* kf.cc (kf_strcpy::impl_call_pre): Reimplement using
	check_for_null_terminated_string_arg.
	* region-model.cc (region_model::get_store_bytes): Shortcut
	reading all of a string_region.
	(region_model::scan_for_null_terminator): Use get_store_value for
	the bytes rather than "unknown" when returning an unknown length.
	(region_model::write_bytes): New.
	* region-model.h (region_model::write_bytes): New decl.

2023-08-24  David Malcolm  <dmalcolm@redhat.com>

	PR analyzer/105899
	* region-model.cc (iterable_cluster::iterable_cluster): Add
	symbolic binding keys to m_symbolic_bindings.
	(iterable_cluster::has_symbolic_bindings_p): New.
	(iterable_cluster::m_symbolic_bindings): New field.
	(region_model::scan_for_null_terminator): Treat clusters with
	symbolic bindings as having unknown strlen.
2023-08-24  David Malcolm  <dmalcolm@redhat.com>

	* engine.cc (impl_path_context::impl_path_context): Add logger
	param.
	(impl_path_context::bifurcate): Add log message.
	(impl_path_context::terminate_path): Likewise.
	(impl_path_context::m_logger): New field.
	(exploded_graph::process_node): Pass logger to path_ctxt ctor.

2023-08-22  David Malcolm  <dmalcolm@redhat.com>

	PR analyzer/105899
	* kf-analyzer.cc (class kf_analyzer_get_strlen): Move to kf.cc.
	(register_known_analyzer_functions): Use make_kf_strlen.
	* kf.cc (class kf_strlen::impl_call_pre): Replace with
	implementation of kf_analyzer_get_strlen from kf-analyzer.cc.
	Handle "UNKNOWN" return from check_for_null_terminated_string_arg
	by falling back to a conjured svalue.
	(make_kf_strlen): New.
	(register_known_functions): Use make_kf_strlen.
	* known-function-manager.h (make_kf_strlen): New decl.

2023-08-22  David Malcolm  <dmalcolm@redhat.com>

	PR analyzer/105899
	* call-details.cc (call_details::call_details): New ctor.
	* call-details.h (call_details::call_details): New ctor decl.
	(struct call_arg_details): Move here from region-model.cc.
	* region-model.cc (region_model::check_call_format_attr): New.
	(region_model::check_call_args): Call it.
	(struct call_arg_details): Move it to call-details.h.
	* region-model.h (region_model::check_call_format_attr): New decl.

2023-08-22  David Malcolm  <dmalcolm@redhat.com>

	* kf.cc (class kf_fopen): New.
	(register_known_functions): Register it.

2023-08-22  David Malcolm  <dmalcolm@redhat.com>

	PR analyzer/105899
	* analyzer.opt (Wanalyzer-unterminated-string): Delete.
	* call-details.cc
	(call_details::check_for_null_terminated_string_arg): Convert
	return type from void to const svalue *.  Add param "out_sval".
	* call-details.h
	(call_details::check_for_null_terminated_string_arg): Likewise.
	* kf-analyzer.cc (kf_analyzer_get_strlen::impl_call_pre): Wire up
	to result of check_for_null_terminated_string_arg.
	* region-model.cc (get_strlen): Delete.
	(class unterminated_string_arg): Delete.
	(struct fragment): New.
	(class iterable_cluster): New.
	(region_model::get_store_bytes): New.
	(get_tree_for_byte_offset): New.
	(region_model::scan_for_null_terminator): New.
	(region_model::check_for_null_terminated_string_arg): Convert
	return type from void to const svalue *.  Add param "out_sval".
	Reimplement in terms of scan_for_null_terminator, dropping the
	special-case for -Wanalyzer-unterminated-string.
	* region-model.h (region_model::get_store_bytes): New decl.
	(region_model::scan_for_null_terminator): New decl.
	(region_model::check_for_null_terminated_string_arg): Convert
	return type from void to const svalue *.  Add param "out_sval".
	* store.cc (concrete_binding::get_byte_range): New.
	* store.h (concrete_binding::get_byte_range): New decl.
	(store_manager::get_concrete_binding): New overload.
2023-08-22  David Malcolm  <dmalcolm@redhat.com>

	* region-model.cc (region_model_context_decorator::add_event):
	Handle m_inner being NULL.
	* region-model.h (class region_model_context_decorator): Likewise.
	(annotating_context::warn): Likewise.

2023-08-22  David Malcolm  <dmalcolm@redhat.com>

	* diagnostic-manager.cc (saved_diagnostic::add_event): New.
	(saved_diagnostic::add_any_saved_events): New.
	(diagnostic_manager::add_event): New.
	(dedupe_winners::emit_best): New.
	(diagnostic_manager::emit_saved_diagnostic): Make "sd" param
	non-const.  Call saved_diagnostic::add_any_saved_events.
	* diagnostic-manager.h (saved_diagnostic::add_event): New decl.
	(saved_diagnostic::add_any_saved_events): New decl.
	(saved_diagnostic::m_saved_events): New field.
	(diagnostic_manager::add_event): New decl.
	(diagnostic_manager::emit_saved_diagnostic): Make "sd" param
	non-const.
	* engine.cc (impl_region_model_context::add_event): New.
	* exploded-graph.h (impl_region_model_context::add_event): New decl.
	* region-model.cc
	(noop_region_model_context::add_event): New.
	(region_model_context_decorator::add_event): New.
	* region-model.h (region_model_context::add_event): New vfunc.
	(noop_region_model_context::add_event): New decl.
	(region_model_context_decorator::add_event): New decl.

2023-08-22  David Malcolm  <dmalcolm@redhat.com>

	* region-model.cc
	(class check_external_function_for_access_attr::annotating_ctxt):
	Convert to an annotating_context.
	* region-model.h (class note_adding_context): Rename to...
	(class annotating_context): ...this, updating the "warn" method.
	(note_adding_context::make_note): Replace with...
	(annotating_context::add_annotations): ...this.

2023-08-14  benjamin priour  <vultkayn@gcc.gnu.org>

	PR analyzer/110543
	* analyzer.opt: Add new option.
	* diagnostic-manager.cc
	(diagnostic_manager::prune_path): Call prune_system_headers.
	(prune_frame): New function that deletes all events in a frame.
	(diagnostic_manager::prune_system_headers): New function.
	* diagnostic-manager.h: Add prune_system_headers declaration.

2023-08-11  David Malcolm  <dmalcolm@redhat.com>

	PR analyzer/105899
	* analyzer.opt (Wanalyzer-unterminated-string): New.
	* call-details.cc
	(call_details::check_for_null_terminated_string_arg): New.
	* call-details.h
	(call_details::check_for_null_terminated_string_arg): New decl.
	* kf-analyzer.cc (class kf_analyzer_get_strlen): New.
	(register_known_analyzer_functions): Register it.
	* kf.cc (kf_error::impl_call_pre): Check that format arg is a
	valid null-terminated string.
	(kf_putenv::impl_call_pre): Likewise for the sole param.
	(kf_strchr::impl_call_pre): Likewise for the first param.
	(kf_strcpy::impl_call_pre): Likewise for the second param.
	(kf_strdup::impl_call_pre): Likewise for the sole param.
	* region-model.cc (get_strlen): New.
	(struct call_arg_details): New.
	(inform_about_expected_null_terminated_string_arg): New.
	(class unterminated_string_arg): New.
	(region_model::check_for_null_terminated_string_arg): New.
	* region-model.h
	(region_model::check_for_null_terminated_string_arg): New decl.
2023-08-11  Eric Feng  <ef2648@columbia.edu>

	PR analyzer/107646
	* call-details.h: New function.
	* region-model.cc (region_model::get_or_create_region_for_heap_alloc):
	New optional parameters.
	* region-model.h (class region_model): New optional parameters.
	* sm-malloc.cc (on_realloc_with_move): New function.
	(region_model::transition_ptr_sval_non_null): New function.

2023-08-09  David Malcolm  <dmalcolm@redhat.com>

	* analyzer.h (class pure_known_function_with_default_return): New
	subclass.
	* call-details.cc (const_fn_p): Move here from region-model.cc.
	(maybe_get_const_fn_result): Likewise.
	(get_result_size_in_bytes): Likewise.
	(call_details::set_any_lhs_with_defaults): New function, based on
	code in region_model::on_call_pre.
	* call-details.h (call_details::set_any_lhs_with_defaults): New
	decl.
	* diagnostic-manager.cc
	(diagnostic_manager::emit_saved_diagnostic): Log the index of the
	saved_diagnostic.
	* kf.cc (pure_known_function_with_default_return::impl_call_pre):
	New.
	(kf_memset::impl_call_pre): Set the LHS to the first param.
	(kf_putenv::impl_call_pre): Call cd.set_any_lhs_with_defaults.
	(kf_sprintf::impl_call_pre): Call cd.set_any_lhs_with_defaults.
	(class kf_stack_restore): Derive from
	pure_known_function_with_default_return.
	(class kf_stack_save): Likewise.
	(kf_strlen::impl_call_pre): Call cd.set_any_lhs_with_defaults.
	* region-model-reachability.cc (reachable_regions::handle_sval):
	Remove logic for symbolic regions for pointers.
	* region-model.cc (region_model::canonicalize): Remove purging of
	dynamic extents workaround for surplus values from
	region_model::on_call_pre's default LHS code.
	(const_fn_p): Move to call-details.cc.
	(maybe_get_const_fn_result): Likewise.
	(get_result_size_in_bytes): Likewise.
	(region_model::update_for_nonzero_return): Call
	cd.set_any_lhs_with_defaults.
	(region_model::on_call_pre): Remove the assignment to the LHS of a
	default return value, instead requiring all known_function
	implementations to write to any LHS of the call.  Use
	cd.set_any_lhs_with_defaults on the non-kf paths.
	* sm-fd.cc (kf_socket::outcome_of_socket::update_model): Use
	cd.set_any_lhs_with_defaults when failing to get at fd state.
	(kf_bind::outcome_of_bind::update_model): Likewise.
	(kf_listen::outcome_of_listen::update_model): Likewise.
	(kf_accept::outcome_of_accept::update_model): Likewise.
	(kf_connect::outcome_of_connect::update_model): Likewise.
	(kf_read::impl_call_pre): Use cd.set_any_lhs_with_defaults.
	* sm-file.cc (class kf_stdio_output_fn): Derive from
	pure_known_function_with_default_return.
	(class kf_ferror): Likewise.
	(class kf_fileno): Likewise.
	(kf_fgets::impl_call_pre): Use cd.set_any_lhs_with_defaults.
	(kf_read::impl_call_pre): Likewise.
	(class kf_getc): Derive from
	pure_known_function_with_default_return.
	(class kf_getchar): Likewise.
	* varargs.cc (kf_va_arg::impl_call_pre): Use
	cd.set_any_lhs_with_defaults.
2023-08-04  David Malcolm  <dmalcolm@redhat.com>

	PR analyzer/110426
	* bounds-checking.cc (region_model::check_region_bounds): Handle
	symbolic base regions.
	* call-details.cc: Include "stringpool.h" and "attribs.h".
	(call_details::lookup_function_attribute): New function.
	* call-details.h (call_details::lookup_function_attribute): New
	function decl.
	* region-model-manager.cc
	(region_model_manager::maybe_fold_binop): Add reference to
	PR analyzer/110902.
	* region-model-reachability.cc (reachable_regions::handle_sval):
	Add symbolic regions for pointers that are conjured svalues for
	the LHS of a stmt.
	* region-model.cc (region_model::canonicalize): Purge dynamic
	extents for regions that aren't referenced.
	(get_result_size_in_bytes): New function.
	(region_model::on_call_pre): Use get_result_size_in_bytes and
	potentially set the dynamic extents of the region pointed to by
	the return value.
	(region_model::deref_rvalue): Add param "add_nonnull_constraint"
	and use it to conditionalize adding the constraint.
	(pending_diagnostic_subclass::dubious_allocation_size): Add "stmt"
	param to both ctors and use it to initialize new "m_stmt" field.
	(pending_diagnostic_subclass::operator==): Use m_stmt; don't use
	m_lhs or m_rhs.
	(pending_diagnostic_subclass::m_stmt): New field.
	(region_model::check_region_size): Generalize to any kind of
	pointer svalue by using deref_rvalue rather than checking for
	region_svalue.  Pass stmt to dubious_allocation_size ctor.
	* region-model.h (region_model::deref_rvalue): Add param
	"add_nonnull_constraint".
	* svalue.cc (conjured_svalue::lhs_value_p): New function.
	* svalue.h (conjured_svalue::lhs_value_p): New decl.

2023-08-04  David Malcolm  <dmalcolm@redhat.com>

	* svalue.cc (region_svalue::dump_to_pp): Support NULL type.
	(constant_svalue::dump_to_pp): Likewise.
	(initial_svalue::dump_to_pp): Likewise.
	(conjured_svalue::dump_to_pp): Likewise.  Fix missing print of the
	type.

2023-08-03  David Malcolm  <dmalcolm@redhat.com>

	PR analyzer/110882
	* region.cc (int_size_in_bits): Fail on zero-sized types.

2023-08-02  Eric Feng  <ef2648@columbia.edu>

	PR analyzer/107646
	* analyzer-language.cc (run_callbacks): New function.
	(on_finish_translation_unit): New function.
	* analyzer-language.h (GCC_ANALYZER_LANGUAGE_H): New include.
	(class translation_unit): New vfuncs.
2023-07-26  David Malcolm  <dmalcolm@redhat.com>

	PR analyzer/104940
	* region-model-manager.cc
	(region_model_manager::region_model_manager): Update for
	generalizing region ids to also cover svalues.
	(region_model_manager::get_or_create_constant_svalue): Likewise.
	(region_model_manager::get_or_create_unknown_svalue): Likewise.
	(region_model_manager::create_unique_svalue): Likewise.
	(region_model_manager::get_or_create_initial_value): Likewise.
	(region_model_manager::get_or_create_setjmp_svalue): Likewise.
	(region_model_manager::get_or_create_poisoned_svalue): Likewise.
	(region_model_manager::get_ptr_svalue): Likewise.
	(region_model_manager::get_or_create_unaryop): Likewise.
	(region_model_manager::get_or_create_binop): Likewise.
	(region_model_manager::get_or_create_sub_svalue): Likewise.
	(region_model_manager::get_or_create_repeated_svalue): Likewise.
	(region_model_manager::get_or_create_bits_within): Likewise.
	(region_model_manager::get_or_create_unmergeable): Likewise.
	(region_model_manager::get_or_create_widening_svalue): Likewise.
	(region_model_manager::get_or_create_compound_svalue): Likewise.
	(region_model_manager::get_or_create_conjured_svalue): Likewise.
	(region_model_manager::get_or_create_asm_output_svalue): Likewise.
	(region_model_manager::get_or_create_const_fn_result_svalue):
	Likewise.
	(region_model_manager::get_region_for_fndecl): Likewise.
	(region_model_manager::get_region_for_label): Likewise.
	(region_model_manager::get_region_for_global): Likewise.
	(region_model_manager::get_field_region): Likewise.
	(region_model_manager::get_element_region): Likewise.
	(region_model_manager::get_offset_region): Likewise.
	(region_model_manager::get_sized_region): Likewise.
	(region_model_manager::get_cast_region): Likewise.
	(region_model_manager::get_frame_region): Likewise.
	(region_model_manager::get_symbolic_region): Likewise.
	(region_model_manager::get_region_for_string): Likewise.
	(region_model_manager::get_bit_range): Likewise.
	(region_model_manager::get_var_arg_region): Likewise.
	(region_model_manager::get_region_for_unexpected_tree_code):
	Likewise.
	(region_model_manager::get_or_create_region_for_heap_alloc):
	Likewise.
	(region_model_manager::create_region_for_alloca): Likewise.
	(region_model_manager::log_stats): Likewise.
	* region-model-manager.h (region_model_manager::get_num_regions):
	Replace with...
	(region_model_manager::get_num_symbols): ...this.
	(region_model_manager::alloc_region_id): Replace with...
	(region_model_manager::alloc_symbol_id): ...this.
	(region_model_manager::m_next_region_id): Replace with...
	(region_model_manager::m_next_symbol_id): ...this.
	* region-model.cc (selftest::test_get_representative_tree): Update
	for generalizing region ids to also cover svalues.
	(selftest::test_binop_svalue_folding): Likewise.
	(selftest::test_state_merging): Likewise.
	* region.cc (region::cmp_ids): Delete, in favor of
	symbol::cmp_ids.
	(region::region): Update for introduction of symbol base class.
	(frame_region::get_region_for_local): Likewise.
	(root_region::root_region): Likewise.
	(symbolic_region::symbolic_region): Likewise.
	* region.h: Replace include of "analyzer/complexity.h" with
	"analyzer/symbol.h".
	(class region): Make a subclass of symbol.
	(region::get_id): Delete in favor of symbol::get_id.
	(region::cmp_ids): Delete in favor of symbol::cmp_ids.
	(region::get_complexity): Delete in favor of
	symbol::get_complexity.
	(region::region): Use symbol::id_t for "id" param.
	(region::m_complexity): Move field to symbol base class.
	(region::m_id): Likewise.
	(space_region::space_region): Use symbol::id_t for "id" param.
	(frame_region::frame_region): Likewise.
	(globals_region::globals_region): Likewise.
	(code_region::code_region): Likewise.
	(function_region::function_region): Likewise.
	(label_region::label_region): Likewise.
	(stack_region::stack_region): Likewise.
	(heap_region::heap_region): Likewise.
	(thread_local_region::thread_local_region): Likewise.
	(root_region::root_region): Likewise.
	(symbolic_region::symbolic_region): Likewise.
	(decl_region::decl_region): Likewise.
	(field_region::field_region): Likewise.
	(element_region::element_region): Likewise.
	(offset_region::offset_region): Likewise.
	(sized_region::sized_region): Likewise.
	(cast_region::cast_region): Likewise.
	(heap_allocated_region::heap_allocated_region): Likewise.
	(alloca_region::alloca_region): Likewise.
	(string_region::string_region): Likewise.
	(bit_range_region::bit_range_region): Likewise.
	(var_arg_region::var_arg_region): Likewise.
	(errno_region::errno_region): Likewise.
	(unknown_region::unknown_region): Likewise.
	* svalue.cc (sub_svalue::sub_svalue): Add symbol::id_t param.
	(repeated_svalue::repeated_svalue): Likewise.
	(bits_within_svalue::bits_within_svalue): Likewise.
	(compound_svalue::compound_svalue): Likewise.
	* svalue.h: Replace include of "analyzer/complexity.h" with
	"analyzer/symbol.h".
	(class svalue): Make a subclass of symbol.
	(svalue::get_complexity): Delete in favor of
	symbol::get_complexity.
	(svalue::svalue): Add symbol::id_t param.  Update for new base
	class.
	(svalue::m_complexity): Delete in favor of
	symbol::m_complexity.
	(region_svalue::region_svalue): Add symbol::id_t param.
	(constant_svalue::constant_svalue): Likewise.
	(unknown_svalue::unknown_svalue): Likewise.
	(poisoned_svalue::poisoned_svalue): Likewise.
	(setjmp_svalue::setjmp_svalue): Likewise.
	(initial_svalue::initial_svalue): Likewise.
	(unaryop_svalue::unaryop_svalue): Likewise.
	(binop_svalue::binop_svalue): Likewise.
	(sub_svalue::sub_svalue): Likewise.
	(repeated_svalue::repeated_svalue): Likewise.
	(bits_within_svalue::bits_within_svalue): Likewise.
	(unmergeable_svalue::unmergeable_svalue): Likewise.
	(placeholder_svalue::placeholder_svalue): Likewise.
	(widening_svalue::widening_svalue): Likewise.
	(compound_svalue::compound_svalue): Likewise.
	(conjured_svalue::conjured_svalue): Likewise.
	(asm_output_svalue::asm_output_svalue): Likewise.
	(const_fn_result_svalue::const_fn_result_svalue): Likewise.
	* symbol.cc: New file.
	* symbol.h: New file.
2023-07-21  David Malcolm  <dmalcolm@redhat.com>

	PR analyzer/110455
	* region-model.cc (region_model::get_gassign_result): Only check
	for bad shift counts when dealing with an integral type.

2023-07-21  David Malcolm  <dmalcolm@redhat.com>

	PR analyzer/110433
	PR middle-end/110612
	* access-diagram.cc (class spatial_item): Add virtual dtor.

2023-07-21  David Malcolm  <dmalcolm@redhat.com>

	PR analyzer/110387
	* region.h (struct cast_region::key_t): Support "m_type" being
	null by using "m_original_region" for empty/deleted slots.

2023-07-19  David Malcolm  <dmalcolm@redhat.com>

	PR analyzer/110700
	* region-model-manager.cc
	(region_model_manager::get_or_create_int_cst): Assert that we have
	an integral or pointer type.
	* sm-taint.cc (taint_state_machine::check_for_tainted_divisor):
	Don't check non-integral types.

2023-06-29  benjamin priour  <priour.be@gmail.com>

	PR analyzer/110198
	* region-model-manager.cc
	(region_model_manager::get_or_create_initial_value): Take an
	optional boolean value to bypass poisoning checks.
	* region-model-manager.h: Update declaration of the above function.
	* region-model.cc (region_model::get_store_value): No longer returns
	on OOB, but rather gives a boolean to get_or_create_initial_value.
	(region_model::check_region_access): Update docstring.
	(region_model::check_region_for_write): Update docstring.

2023-06-24  David Malcolm  <dmalcolm@redhat.com>

	* access-diagram.cc: Add #define INCLUDE_VECTOR.
	* bounds-checking.cc: Likewise.

2023-06-22  David Malcolm  <dmalcolm@redhat.com>

	PR analyzer/106626
	* access-diagram.cc: New file.
	* access-diagram.h: New file.
	* analyzer.h (class region_offset): Add default ctor.
	(region_offset::make_byte_offset): New decl.
	(region_offset::concrete_p): New.
	(region_offset::get_concrete_byte_offset): New.
	(region_offset::calc_symbolic_bit_offset): New decl.
	(region_offset::calc_symbolic_byte_offset): New decl.
	(region_offset::dump_to_pp): New decl.
	(region_offset::dump): New decl.
	(operator<, operator<=, operator>, operator>=): New decls for
	region_offset.
	* analyzer.opt
	(-param=analyzer-text-art-string-ellipsis-threshold=): New.
	(-param=analyzer-text-art-string-ellipsis-head-len=): New.
	(-param=analyzer-text-art-string-ellipsis-tail-len=): New.
	(-param=analyzer-text-art-ideal-canvas-width=): New.
	(fanalyzer-debug-text-art): New.
	* bounds-checking.cc: Include "intl.h", "diagnostic-diagram.h",
	and "analyzer/access-diagram.h".
	(class out_of_bounds::oob_region_creation_event_capacity): New.
	(out_of_bounds::out_of_bounds): Add "model" and "sval_hint"
	params.
	(out_of_bounds::mark_interesting_stuff): Use the base region.
	(out_of_bounds::add_region_creation_events): Use
	oob_region_creation_event_capacity.
2563         (out_of_bounds::get_dir): New pure vfunc.
2564         (out_of_bounds::maybe_show_notes): New.
2565         (out_of_bounds::maybe_show_diagram): New.
2566         (out_of_bounds::make_access_diagram): New.
2567         (out_of_bounds::m_model): New field.
2568         (out_of_bounds::m_sval_hint): New field.
2569         (out_of_bounds::m_region_creation_event_id): New field.
2570         (concrete_out_of_bounds::concrete_out_of_bounds): Update for new
2571         fields.
2572         (concrete_past_the_end::concrete_past_the_end): Likewise.
2573         (concrete_past_the_end::add_region_creation_events): Use
2574         oob_region_creation_event_capacity.
2575         (concrete_buffer_overflow::concrete_buffer_overflow): Update for
2576         new fields.
2577         (concrete_buffer_overflow::emit): Replace call to
2578         maybe_describe_array_bounds with maybe_show_notes.
2579         (concrete_buffer_overflow::get_dir): New.
2580         (concrete_buffer_over_read::concrete_buffer_over_read): Update for
2581         new fields.
2582         (concrete_buffer_over_read::emit): Replace call to
2583         maybe_describe_array_bounds with maybe_show_notes.
2584         (concrete_buffer_overflow::get_dir): New.
2585         (concrete_buffer_underwrite::concrete_buffer_underwrite): Update
2586         for new fields.
2587         (concrete_buffer_underwrite::emit): Replace call to
2588         maybe_describe_array_bounds with maybe_show_notes.
2589         (concrete_buffer_underwrite::get_dir): New.
2590         (concrete_buffer_under_read::concrete_buffer_under_read): Update
2591         for new fields.
2592         (concrete_buffer_under_read::emit): Replace call to
2593         maybe_describe_array_bounds with maybe_show_notes.
2594         (concrete_buffer_under_read::get_dir): New.
2595         (symbolic_past_the_end::symbolic_past_the_end): Update for new
2596         fields.
2597         (symbolic_buffer_overflow::symbolic_buffer_overflow): Likewise.
2598         (symbolic_buffer_overflow::emit): Call maybe_show_notes.
2599         (symbolic_buffer_overflow::get_dir): New.
2600         (symbolic_buffer_over_read::symbolic_buffer_over_read): Update for
2601         new fields.
2602         (symbolic_buffer_over_read::emit): Call maybe_show_notes.
2603         (symbolic_buffer_over_read::get_dir): New.
2604         (region_model::check_symbolic_bounds): Add "sval_hint" param.  Pass
2605         it and sized_offset_reg to diagnostics.
2606         (region_model::check_region_bounds): Add "sval_hint" param, passing
2607         it to diagnostics.
2608         * diagnostic-manager.cc
2609         (diagnostic_manager::emit_saved_diagnostic): Pass logger to
2610         pending_diagnostic::emit.
2611         * engine.cc: Add logger param to pending_diagnostic::emit
2612         implementations.
2613         * infinite-recursion.cc: Likewise.
2614         * kf-analyzer.cc: Likewise.
2615         * kf.cc: Likewise.  Add nullptr for new param of
2616         check_region_for_write.
2617         * pending-diagnostic.h: Likewise in decl.
2618         * region-model-manager.cc
2619         (region_model_manager::get_or_create_int_cst): Convert param from
2620         poly_int64 to const poly_wide_int_ref &.
2621         (region_model_manager::maybe_fold_binop): Support type being NULL
2622         when checking for floating-point types.
2623         Check for (X + Y) - X => Y.  Be less strict about types when folding
2624         associative ops.  Check for (X + Y) * CST => (X * CST) + (Y * CST).
2625         * region-model-manager.h
2626         (region_model_manager::get_or_create_int_cst): Convert param from
2627         poly_int64 to const poly_wide_int_ref &.
2628         * region-model.cc: Add logger param to pending_diagnostic::emit
2629         implementations.
2630         (region_model::check_external_function_for_access_attr): Update
2631         for new param of check_region_for_write.
2632         (region_model::deref_rvalue): Use nullptr rather than NULL.
2633         (region_model::get_capacity): Handle RK_STRING.
2634         (region_model::check_region_access): Add "sval_hint" param; pass it to
2635         check_region_bounds.
2636         (region_model::check_region_for_write): Add "sval_hint" param;
2637         pass it to check_region_access.
2638         (region_model::check_region_for_read): Add NULL for new param to
2639         check_region_access.
2640         (region_model::set_value): Pass rhs_sval to
2641         check_region_for_write.
2642         (region_model::get_representative_path_var_1): Handle SK_CONSTANT
2643         in the check for infinite recursion.
2644         * region-model.h (region_model::check_region_for_write): Add
2645         "sval_hint" param.
2646         (region_model::check_region_access): Likewise.
2647         (region_model::check_symbolic_bounds): Likewise.
2648         (region_model::check_region_bounds): Likewise.
2649         * region.cc (region_offset::make_byte_offset): New.
2650         (region_offset::calc_symbolic_bit_offset): New.
2651         (region_offset::calc_symbolic_byte_offset): New.
2652         (region_offset::dump_to_pp): New.
2653         (region_offset::dump): New.
2654         (struct linear_op): New.
2655         (operator<, operator<=, operator>, operator>=): New, for
2656         region_offset.
2657         (region::get_next_offset): New.
2658         (region::get_relative_symbolic_offset): Use ptrdiff_type_node.
2659         (field_region::get_relative_symbolic_offset): Likewise.
2660         (element_region::get_relative_symbolic_offset): Likewise.
2661         (bit_range_region::get_relative_symbolic_offset): Likewise.
2662         * region.h (region::get_next_offset): New decl.
2663         * sm-fd.cc: Add logger param to pending_diagnostic::emit
2664         implementations.
2665         * sm-file.cc: Likewise.
2666         * sm-malloc.cc: Likewise.
2667         * sm-pattern-test.cc: Likewise.
2668         * sm-sensitive.cc: Likewise.
2669         * sm-signal.cc: Likewise.
2670         * sm-taint.cc: Likewise.
2671         * store.cc (bit_range::contains_p): Allow "out" to be null.
2672         * store.h (byte_range::get_start_bit_offset): New.
2673         (byte_range::get_next_bit_offset): New.
2674         * varargs.cc: Add logger param to pending_diagnostic::emit
2675         implementations.
2677 2023-06-10  Tim Lange  <mail@tim-lange.me>
2679         PR analyzer/109577
2680         * constraint-manager.cc (class sval_finder): Visitor to find
2681         children in svalue trees.
2682         (constraint_manager::sval_constrained_p): Add new function to
2683         check whether a sval might be part of a constraint.
2684         * constraint-manager.h: Add sval_constrained_p function.
2685         * region-model.cc (class size_visitor): Reverse behavior to not
2686         emit a warning on not explicitly considered cases.
2687         (region_model::check_region_size):
2688         Adapt to size_visitor changes.
2690 2023-06-09  David Malcolm  <dmalcolm@redhat.com>
2692         PR analyzer/110112
2693         * region-model.cc (region_model::get_initial_value_for_global):
2694         Move code to region::calc_initial_value_at_main.
2695         * region.cc (region::get_initial_value_at_main): New function.
2696         (region::calc_initial_value_at_main): New function, based on code
2697         in region_model::get_initial_value_for_global.
2698         (region::region): Initialize m_cached_init_sval_at_main.
2699         (decl_region::get_svalue_for_constructor): Add a cache, splitting
2700         out body to...
2701         (decl_region::calc_svalue_for_constructor): ...this new function.
2702         * region.h (region::get_initial_value_at_main): New decl.
2703         (region::calc_initial_value_at_main): New decl.
2704         (region::m_cached_init_sval_at_main): New field.
2705         (decl_region::decl_region): Initialize m_ctor_svalue.
2706         (decl_region::calc_svalue_for_constructor): New decl.
2707         (decl_region::m_ctor_svalue): New field.
2709 2023-06-08  Benjamin Priour  <vultkayn@gcc.gnu.org>
2711         * bounds-checking.cc (region_model::check_symbolic_bounds): Returns whether the BASE_REG
2712         region access was OOB.
2713         (region_model::check_region_bounds): Likewise.
2714         * region-model.cc (region_model::get_store_value): Creates an
2715         unknown svalue on OOB-read access to REG.
2716         (region_model::check_region_access): Returns whether an unknown svalue needs to be created.
2717         (region_model::check_region_for_read): Passes check_region_access return value.
2718         * region-model.h: Update prior function definitions.
2720 2023-06-02  David Malcolm  <dmalcolm@redhat.com>
2722         PR analyzer/109015
2723         * kf.cc (class kf_atomic_exchange): New.
2724         (class kf_atomic_exchange_n): New.
2725         (class kf_atomic_fetch_op): New.
2726         (class kf_atomic_op_fetch): New.
2727         (class kf_atomic_load): New.
2728         (class kf_atomic_load_n): New.
2729         (class kf_atomic_store_n): New.
2730         (register_atomic_builtins): New function.
2731         (register_known_functions): Call register_atomic_builtins.
2733 2023-06-02  David Malcolm  <dmalcolm@redhat.com>
2735         * store.cc (store::eval_alias_1): Regions in different memory
2736         spaces can't alias.
2738 2023-05-18  Bernhard Reutner-Fischer  <aldot@gcc.gnu.org>
2740         * region-model-manager.cc (get_code_for_cast): Use _P defines from
2741         tree.h.
2742         (region_model_manager::get_or_create_cast): Ditto.
2743         (region_model_manager::get_region_for_global): Ditto.
2744         * region-model.cc (region_model::get_lvalue_1): Ditto.
2745         * region.cc (decl_region::maybe_get_constant_value): Ditto.
2747 2023-03-22  David Malcolm  <dmalcolm@redhat.com>
2749         PR analyzer/109239
2750         * program-point.cc: Include "analyzer/inlining-iterator.h".
2751         (program_point::effectively_intraprocedural_p): New function.
2752         * program-point.h (program_point::effectively_intraprocedural_p):
2753         New decl.
2754         * sm-malloc.cc (deref_before_check::emit): Use it when rejecting
2755         interprocedural cases, so that we reject interprocedural cases
2756         that have become intraprocedural due to inlining.
2758 2023-03-18  David Malcolm  <dmalcolm@redhat.com>
2760         PR analyzer/109094
2761         * region-model.cc (region_model::on_longjmp): Pass false for
2762         new "eval_return_svalue" param of pop_frame.
2763         (region_model::pop_frame): Add new "eval_return_svalue" param and
2764         use it to suppress the call to get_rvalue on the result when
2765         needed by on_longjmp.
2766         * region-model.h (region_model::pop_frame): Add new
2767         "eval_return_svalue" param.
2769 2023-03-10  David Malcolm  <dmalcolm@redhat.com>
2771         PR analyzer/109059
2772         * region-model.cc (region_model::mark_region_as_unknown): Gather a
2773         set of maybe-live svalues and call on_maybe_live_values with it.
2774         * store.cc (binding_map::remove_overlapping_bindings): Add new
2775         "maybe_live_values" param; add any removed svalues to it.
2776         (binding_cluster::clobber_region): Add NULL as new param of
2777         remove_overlapping_bindings.
2778         (binding_cluster::mark_region_as_unknown): Add "maybe_live_values"
2779         param and pass it to remove_overlapping_bindings.
2780         (binding_cluster::maybe_get_compound_binding): Add NULL for new
2781         param of binding_map::remove_overlapping_bindings.
2782         (binding_cluster::remove_overlapping_bindings): Add
2783         "maybe_live_values" param and pass to
2784         binding_map::remove_overlapping_bindings.
2785         (store::set_value): Capture a set of maybe-live svalues, and call
2786         on_maybe_live_values with it.
2787         (store::on_maybe_live_values): New.
2788         (store::mark_region_as_unknown): Add "maybe_live_values" param
2789         and pass it to binding_cluster::mark_region_as_unknown.
2790         (store::remove_overlapping_bindings): Pass NULL for new param of
2791         binding_cluster::remove_overlapping_bindings.
2792         * store.h (binding_map::remove_overlapping_bindings): Add
2793         "maybe_live_values" param.
2794         (binding_cluster::mark_region_as_unknown): Likewise.
2795         (binding_cluster::remove_overlapping_bindings): Likewise.
2796         (store::mark_region_as_unknown): Likewise.
2797         (store::on_maybe_live_values): New decl.
2799 2023-03-10  David Malcolm  <dmalcolm@redhat.com>
2801         PR analyzer/108475
2802         PR analyzer/109060
2803         * sm-malloc.cc (deref_before_check::deref_before_check):
2804         Initialize new field m_deref_expr.  Assert that arg is non-NULL.
2805         (deref_before_check::emit): Reject cases where the spelling of the
2806         thing that was dereferenced differs from that of what is checked,
2807         or if the dereference expression was not found.  Remove code to
2808         handle NULL m_arg.
2809         (deref_before_check::describe_state_change): Remove code to handle
2810         NULL m_arg.
2811         (deref_before_check::describe_final_event): Likewise.
2812         (deref_before_check::sufficiently_similar_p): New.
2813         (deref_before_check::m_deref_expr): New field.
2814         (malloc_state_machine::maybe_complain_about_deref_before_check):
2815         Don't warn if the diag_ptr is NULL.
2817 2023-03-03  David Malcolm  <dmalcolm@redhat.com>
2819         * kf.cc (class kf_sprintf): New.
2820         (register_known_functions): Register it.
2822 2023-03-02  David Malcolm  <dmalcolm@redhat.com>
2824         PR analyzer/108968
2825         * region-model.cc (region_model::get_rvalue_1): Handle VAR_DECLs
2826         with a DECL_HARD_REGISTER by returning UNKNOWN.
2828 2023-03-02  Hans-Peter Nilsson  <hp@axis.com>
2830         * kf.cc (register_known_functions): Add __errno function for newlib.
2832 2023-03-01  David Malcolm  <dmalcolm@redhat.com>
2834         PR analyzer/107565
2835         * region-model.cc (region_model::on_call_pre): Flatten logic by
2836         returning early.  Consolidate logic for detecting const and pure
2837         functions.  When considering whether an unhandled built-in
2838         function has side-effects, consider all kinds of builtin, rather
2839         than just BUILT_IN_NORMAL, and don't require
2840         gimple_builtin_call_types_compatible_p.
2842 2023-03-01  David Malcolm  <dmalcolm@redhat.com>
2844         PR analyzer/108935
2845         * infinite-recursion.cc (contains_unknown_p): New.
2846         (sufficiently_different_region_binding_p): New function, splitting
2847         out inner loop from...
2848         (sufficiently_different_p): ...here.  Extend detection of unknown
2849         svalues to also include svalues that contain unknown.  Treat
2850         changes in frames below the entry to the recursion as being
2851         sufficiently different to reject being an infinite recursion.
2853 2023-02-21  David Malcolm  <dmalcolm@redhat.com>
2855         PR analyzer/108830
2856         * analyzer.opt (fanalyzer-suppress-followups): New option.
2857         * engine.cc (impl_region_model_context::warn): Terminate the path
2858         if the diagnostic's terminate_path_p vfunc returns true and
2859         -fanalyzer-suppress-followups is true (the default).
2860         (impl_sm_context::warn): Likewise, for both overloads.
2861         * pending-diagnostic.h (pending_diagnostic::terminate_path_p): New
2862         vfunc.
2863         * program-state.cc (program_state::on_edge): Terminate the path if
2864         the ctxt requests it during updating the edge.
2865         * region-model.cc (poisoned_value_diagnostic::terminate_path_p):
2866         New vfunc.
2867         * sm-malloc.cc (null_deref::terminate_path_p): New vfunc.
2868         (null_arg::terminate_path_p): New vfunc.
2870 2023-02-16  David Malcolm  <dmalcolm@redhat.com>
2872         PR analyzer/108806
2873         * constraint-manager.cc (bounded_range::dump_to_pp): Use
2874         bounded_range::singleton_p.
2875         (constraint_manager::add_bounded_ranges): Handle singleton ranges
2876         by adding an EQ_EXPR constraint.
2877         (constraint_manager::impossible_derived_conditions_p): New.
2878         (constraint_manager::eval_condition): Reject EQ_EXPR when it would
2879         imply impossible derived conditions.
2880         (selftest::test_bits): New.
2881         (selftest::run_constraint_manager_tests): Run it.
2882         * constraint-manager.h (bounded_range::singleton_p): New.
2883         (constraint_manager::impossible_derived_conditions_p): New decl.
2884         * region-model.cc (region_model::get_rvalue_1): Handle
2885         BIT_AND_EXPR, BIT_IOR_EXPR, and BIT_XOR_EXPR.
2887 2023-02-15  David Malcolm  <dmalcolm@redhat.com>
2889         PR analyzer/108664
2890         PR analyzer/108666
2891         PR analyzer/108725
2892         * diagnostic-manager.cc (epath_finder::get_best_epath): Add
2893         "target_stmt" param.
2894         (epath_finder::explore_feasible_paths): Likewise.
2895         (epath_finder::process_worklist_item): Likewise.
2896         (saved_diagnostic::calc_best_epath): Pass m_stmt to
2897         epath_finder::get_best_epath.
2898         * engine.cc (feasibility_state::maybe_update_for_edge): Move
2899         per-stmt logic to...
2900         (feasibility_state::update_for_stmt): ...this new function.
2901         * exploded-graph.h (feasibility_state::update_for_stmt): New decl.
2902         * feasible-graph.cc (feasible_node::get_state_at_stmt): New.
2903         * feasible-graph.h: Include "analyzer/exploded-graph.h".
2904         (feasible_node::get_state_at_stmt): New decl.
2905         * infinite-recursion.cc
2906         (infinite_recursion_diagnostic::check_valid_fpath_p): Update for
2907         vfunc signature change.
2908         * pending-diagnostic.h (pending_diagnostic::check_valid_fpath_p):
2909         Convert first param to a reference.  Add stmt param.
2910         * region-model.cc: Include "analyzer/feasible-graph.h".
2911         (poisoned_value_diagnostic::poisoned_value_diagnostic): Add
2912         "check_expr" param.
2913         (poisoned_value_diagnostic::check_valid_fpath_p): New.
2914         (poisoned_value_diagnostic::m_check_expr): New field.
2915         (region_model::check_for_poison): Attempt to supply a check_expr
2916         to the diagnostic.
2917         (region_model::deref_rvalue): Add NULL for new check_expr param
2918         of poisoned_value_diagnostic.
2919         (region_model::get_or_create_region_for_heap_alloc): Don't reuse
2920         regions that are marked as TOUCHED.
2922 2023-02-10  David Malcolm  <dmalcolm@redhat.com>
2924         PR analyzer/108745
2925         * sm-malloc.cc (deref_before_check::emit): Reject the warning if
2926         the check occurs within a macro definition.
2928 2023-02-09  David Malcolm  <dmalcolm@redhat.com>
2930         PR analyzer/108733
2931         * state-purge.cc (get_candidate_for_purging): Add ADDR_EXPR
2932         and MEM_REF.
2934 2023-02-08  David Malcolm  <dmalcolm@redhat.com>
2936         PR analyzer/108704
2937         * state-purge.cc (state_purge_per_decl::process_point_backwards):
2938         Don't stop processing the decl if it's fully overwritten by
2939         this stmt if it's also used by this stmt.
2941 2023-02-07  David Malcolm  <dmalcolm@redhat.com>
2943         PR analyzer/108661
2944         * sm-fd.cc (class kf_read): New.
2945         (register_known_fd_functions): Register "read".
2946         * sm-file.cc (class kf_fread): Update comment.
2948 2023-02-02  David Malcolm  <dmalcolm@redhat.com>
2950         PR analyzer/108633
2951         * sm-fd.cc (fd_state_machine::check_for_fd_attrs): Add missing
2952         "continue".
2953         (fd_state_machine::on_listen): Don't issue phase-mismatch or
2954         type-mismatch warnings for the "invalid" state.
2956 2023-02-01  David Malcolm  <dmalcolm@redhat.com>
2958         PR analyzer/108616
2959         * pending-diagnostic.cc (fixup_location_in_macro_p): Add "alloca"
2960         to macros that we shouldn't unwind inside.
2962 2023-01-26  David Malcolm  <dmalcolm@redhat.com>
2964         PR analyzer/108524
2965         * analyzer.h (class feasible_node): New forward decl.
2966         * diagnostic-manager.cc (epath_finder::get_best_epath): Add "pd"
2967         param.
2968         (epath_finder::explore_feasible_paths): Likewise.
2969         (epath_finder::process_worklist_item): Likewise.  Use it to call
2970         pending_diagnostic::check_valid_fpath_p on the final fpath to
2971         give pending_diagnostic a way to add additional restrictions on
2972         feasibility.
2973         (saved_diagnostic::calc_best_epath): Pass pending_diagnostic to
2974         epath_finder::get_best_epath.
2975         * infinite-recursion.cc: Include "analyzer/feasible-graph.h".
2976         (infinite_recursion_diagnostic::check_valid_fpath_p): New.
2977         (infinite_recursion_diagnostic::fedge_uses_conjured_svalue_p): New.
2978         (infinite_recursion_diagnostic::expr_uses_conjured_svalue_p): New.
2979         * pending-diagnostic.h (pending_diagnostic::check_valid_fpath_p):
2980         New vfunc.
2982 2023-01-19  David Malcolm  <dmalcolm@redhat.com>
2984         PR analyzer/108455
2985         * analyzer.h (class checker_event): New forward decl.
2986         (class state_change_event): Indent.
2987         (class warning_event): New forward decl.
2988         * checker-event.cc (state_change_event::state_change_event): Add
2989         "enode" param.
2990         (warning_event::get_desc): Update for new param of
2991         evdesc::final_event ctor.
2992         * checker-event.h (state_change_event::state_change_event): Add
2993         "enode" param.
2994         (state_change_event::get_exploded_node): New accessor.
2995         (state_change_event::m_enode): New field.
2996         (warning_event::warning_event): New "enode" param.
2997         (warning_event::get_exploded_node): New accessor.
2998         (warning_event::m_enode): New field.
2999         * diagnostic-manager.cc
3000         (state_change_event_creator::on_global_state_change): Pass
3001         src_node to state_change_event ctor.
3002         (state_change_event_creator::on_state_change): Likewise.
3003         (null_assignment_sm_context::set_next_state): Pass NULL for
3004         new param of state_change_event ctor.
3005         * infinite-recursion.cc
3006         (infinite_recursion_diagnostic::add_final_event): Update for new
3007         param of warning_event ctor.
3008         * pending-diagnostic.cc (pending_diagnostic::add_final_event):
3009         Pass enode to warning_event ctor.
3010         * pending-diagnostic.h (evdesc::final_event): Add reference to
3011         warning_event.
3012         * sm-malloc.cc: Include "analyzer/checker-event.h" and
3013         "analyzer/exploded-graph.h".
3014         (deref_before_check::deref_before_check): Initialize new fields.
3015         (deref_before_check::emit): Reject warnings in which we were
3016         unable to determine the enodes of the dereference and the check.
3017         Reject interprocedural warnings.  Reject warnings in which
3018         the dereference doesn't dominate the check.
3019         (deref_before_check::describe_state_change): Set m_deref_enode.
3020         (deref_before_check::describe_final_event): Set m_check_enode.
3021         (deref_before_check::m_deref_enode): New field.
3022         (deref_before_check::m_check_enode): New field.
3024 2023-01-13  David Malcolm  <dmalcolm@redhat.com>
3026         PR analyzer/105273
3027         * region-model.cc (has_nondefault_case_for_value_p): New.
3028         (has_nondefault_cases_for_all_enum_values_p): New.
3029         (region_model::apply_constraints_for_gswitch): Skip
3030         implicitly-created "default" when switching on an enum
3031         and all enum values have non-default cases.
3032         (rejected_default_case::dump_to_pp): New.
3033         * region-model.h (region_model_context::possibly_tainted_p): New
3034         decl.
3035         (class rejected_default_case): New.
3036         * sm-taint.cc (region_model_context::possibly_tainted_p): New.
3037         * supergraph.cc (switch_cfg_superedge::dump_label_to_pp): Dump
3038         when implicitly_created_default_p.
3039         (switch_cfg_superedge::implicitly_created_default_p): New.
3040         * supergraph.h
3041         (switch_cfg_superedge::implicitly_created_default_p): New decl.
3043 2023-01-11  David Malcolm  <dmalcolm@redhat.com>
3045         PR analyzer/108252
3046         * kf.cc (class kf_strdup): New.
3047         (class kf_strndup): New.
3048         (register_known_functions): Register them.
3049         * region-model.cc (region_model::on_call_pre): Use
3050         &HEAP_ALLOCATED_REGION for the default result of an external
3051         function with the "malloc" attribute, rather than CONJURED_SVALUE.
3052         (region_model::get_or_create_region_for_heap_alloc): Allow
3053         "size_in_bytes" to be NULL.
3054         * store.cc (store::set_value): When handling *UNKNOWN = VAL,
3055         mark VAL as "maybe bound".
3057 2022-12-16  David Malcolm  <dmalcolm@redhat.com>
3059         PR analyzer/106479
3060         * kf.cc (kf_memcpy_memmove::impl_call_pre): Pass in source region
3061         to region_model::check_for_poison.
3062         * region-model-asm.cc (region_model::on_asm_stmt): Pass NULL
3063         region to region_model::check_for_poison.
3064         * region-model.cc (region_model::check_for_poison): Add
3065         "src_region" param, and pass it to poisoned_value_diagnostic.
3066         (region_model::on_assignment): Pass NULL region to
3067         region_model::check_for_poison.
3068         (region_model::get_rvalue): Likewise.
3069         * region-model.h (region_model::check_for_poison): Add
3070         "src_region" param.
3071         * sm-fd.cc (fd_state_machine::on_accept): Pass in source region
3072         to region_model::check_for_poison.
3073         * varargs.cc (kf_va_copy::impl_call_pre): Pass NULL region to
3074         region_model::check_for_poison.
3075         (kf_va_arg::impl_call_pre): Pass in source region to
3076         region_model::check_for_poison.
3078 2022-12-14  David Malcolm  <dmalcolm@redhat.com>
3080         PR analyzer/108065
3081         * region.cc (decl_region::get_svalue_for_initializer): Bail out to
3082         avoid calling binding_key::make with an empty region.
3083         * store.cc (binding_map::apply_ctor_val_to_range): Likewise.
3084         (binding_map::apply_ctor_pair_to_child_region): Likewise.
3085         (binding_cluster::bind): Likewise.
3086         (binding_cluster::purge_region): Likewise.
3087         (binding_cluster::maybe_get_compound_binding): Likewise.
3088         (binding_cluster::maybe_get_simple_value): Likewise.
3090 2022-12-09  David Malcolm  <dmalcolm@redhat.com>
3092         * analyzer.h (class known_function): Expand comment.
3093         * region-model-impl-calls.cc: Rename to...
3094         * kf.cc: ...this.
3095         * known-function-manager.h (class known_function_manager): Add
3096         leading comment.
3098 2022-12-09  David Malcolm  <dmalcolm@redhat.com>
3100         PR analyzer/108003
3101         * call-summary.cc
3102         (call_summary_replay::convert_region_from_summary_1): Convert
3103         heap_regs_in_use from auto_sbitmap to auto_bitmap.
3104         * region-model-manager.cc
3105         (region_model_manager::get_or_create_region_for_heap_alloc):
3106         Convert from sbitmap to bitmap.
3107         * region-model-manager.h: Likewise.
3108         * region-model.cc
3109         (region_model::get_or_create_region_for_heap_alloc): Convert from
3110         auto_sbitmap to auto_bitmap.
3111         (region_model::get_referenced_base_regions): Likewise.
3112         * region-model.h: Include "bitmap.h" rather than "sbitmap.h".
3113         (region_model::get_referenced_base_regions): Convert from
3114         auto_sbitmap to auto_bitmap.
3116 2022-12-09  David Malcolm  <dmalcolm@redhat.com>
3118         * region-model-impl-calls.cc (class kf_memcpy): Rename to...
3119         (class kf_memcpy_memmove): ...this.
3120         (kf_memcpy::impl_call_pre): Rename to...
3121         (kf_memcpy_memmove::impl_call_pre): ...this, and check the src for
3122         poison.
3123         (register_known_functions): Update for above renaming, and
3124         register BUILT_IN_MEMMOVE and BUILT_IN_MEMMOVE_CHK.
3126 2022-12-06  David Malcolm  <dmalcolm@redhat.com>
3128         PR analyzer/107882
3129         * region-model.cc (region_model::get_store_value): Return an
3130         unknown value for empty regions.
3131         (region_model::set_value): Bail on empty regions.
3132         * region.cc (region::empty_p): New.
3133         * region.h (region::empty_p): New decl.
3134         * state-purge.cc (same_binding_p): Bail if either region is empty.
3135         * store.cc (binding_key::make): Assert that a concrete binding's
3136         bit_size must be > 0.
3137         (binding_cluster::mark_region_as_unknown): Bail on empty regions.
3138         (binding_cluster::get_binding): Likewise.
3139         (binding_cluster::remove_overlapping_bindings): Likewise.
3140         (binding_cluster::on_unknown_fncall): Don't conjure values for
3141         empty regions.
3142         (store::fill_region): Bail on empty regions.
3143         * store.h (class concrete_binding): Update comment to reflect that
3144         the range of bits must be non-empty.
3145         (concrete_binding::concrete_binding): Assert that bit range is
3146         non-empty.
3148 2022-12-06  David Malcolm  <dmalcolm@redhat.com>
3150         PR analyzer/106325
3151         * region-model-manager.cc
3152         (region_model_manager::get_or_create_null_ptr): New.
3153         * region-model-manager.h
3154         (region_model_manager::get_or_create_null_ptr): New decl.
3155         * region-model.cc (region_model::on_top_level_param): Add
3156         "nonnull" param and make use of it.
3157         (region_model::push_frame): When handling a top-level entrypoint
3158         to the analysis, determine which params __attribute__((nonnull))
3159         applies to, and pass to on_top_level_param.
3160         * region-model.h (region_model::on_top_level_param): Add "nonnull"
3161         param.
3163 2022-12-06  David Malcolm  <dmalcolm@redhat.com>
3165         * analyzer.h (register_known_analyzer_functions): New decl.
3166         (register_known_functions_lang_cp): New decl.
3167         * call-details.cc: New file, split out from
3168         region-model-impl-calls.cc.
3169         * call-details.h: New file, split out from region-model.h.
3170         * call-info.cc: Include "analyzer/call-details.h".
3171         * call-summary.h: Likewise.
3172         * kf-analyzer.cc: New file, split out from
3173         region-model-impl-calls.cc.
3174         * kf-lang-cp.cc: Likewise.
3175         * known-function-manager.cc: Include "analyzer/call-details.h".
3176         * region-model-impl-calls.cc: Move definitions of call_details's
3177         member functions to call-details.cc.  Move class kf_analyzer_* to
3178         kf-analyzer.cc.  Move kf_operator_new and kf_operator_delete to
3179         kf-lang-cp.cc.  Refresh #includes accordingly.
3180         (register_known_functions): Replace registration of __analyzer_*
3181         functions with a call to register_known_analyzer_functions.
3182         Replace registration of C++ support functions with a call to
3183         register_known_functions_lang_cp.
3184         * region-model.h (class call_details): Move to new call-details.h.
3185         * sm-fd.cc: Include "analyzer/call-details.h".
3186         * sm-file.cc: Likewise.
3187         * sm-malloc.cc: Likewise.
3188         * varargs.cc: Likewise.
3190 2022-12-02  David Malcolm  <dmalcolm@redhat.com>
3192         * analyzer.h (struct event_loc_info): New forward decl.
3193         * bounds-checking.cc: Use event_loc_info throughout to bundle the
3194         loc, fndecl, depth triples.
3195         * call-info.cc: Likewise.
3196         * checker-event.cc: Likewise.
3197         * checker-event.h (struct event_loc_info): New decl.  Use it
3198         throughout to bundle the loc, fndecl, depth triples.
3199         * checker-path.cc: Likewise.
3200         * checker-path.h: Likewise.
3201         * diagnostic-manager.cc: Likewise.
3202         * engine.cc: Likewise.
3203         * infinite-recursion.cc: Likewise.
3204         * pending-diagnostic.cc: Likewise.
3205         * pending-diagnostic.h: Likewise.
3206         * region-model.cc: Likewise.
3207         * sm-signal.cc: Likewise.
3208         * varargs.cc: Likewise.
3210 2022-12-02  David Malcolm  <dmalcolm@redhat.com>
3212         PR analyzer/107851
3213         * analyzer.cc (make_label_text_n): Convert param "n" from int to
3214         unsigned HOST_WIDE_INT.
3215         * analyzer.h (make_label_text_n): Likewise for decl.
3216         * bounds-checking.cc: Include "analyzer/checker-event.h" and
3217         "analyzer/checker-path.h".
3218         (out_of_bounds::add_region_creation_events): New.
3219         (concrete_past_the_end::describe_region_creation_event): Replace
3220         with...
3221         (concrete_past_the_end::add_region_creation_events): ...this.
3222         (symbolic_past_the_end::describe_region_creation_event): Delete.
3223         * checker-event.cc (region_creation_event::region_creation_event):
3224         Update for dropping all member data.
3225         (region_creation_event::get_desc): Delete, splitting out into
3226         region_creation_event_memory_space::get_desc,
3227         region_creation_event_capacity::get_desc, and
3228         region_creation_event_debug::get_desc.
3229         (region_creation_event_memory_space::get_desc): New.
3230         (region_creation_event_capacity::get_desc): New.
3231         (region_creation_event_allocation_size::get_desc): New.
3232         (region_creation_event_debug::get_desc): New.
3233         * checker-event.h: Include "analyzer/program-state.h".
3234         (enum rce_kind): Delete.
3235         (class region_creation_event): Drop all member data.
3236         (region_creation_event::region_creation_event): Make protected.
3237         (region_creation_event::get_desc): Delete.
3238         (class region_creation_event_memory_space): New.
3239         (class region_creation_event_capacity): New.
3240         (class region_creation_event_allocation_size): New.
3241         (class region_creation_event_debug): New.
3242         * checker-path.cc (checker_path::add_region_creation_events): Add
3243         "pd" param.  Call pending_diagnostic::add_region_creation_events.
3244         Update for conversion of RCE_DEBUG to region_creation_event_debug.
3245         * checker-path.h (checker_path::add_region_creation_events): Add
3246         "pd" param.
3247         * diagnostic-manager.cc (diagnostic_manager::build_emission_path):
3248         Pass pending_diagnostic to
3249         emission_path::add_region_creation_events.
3250         (diagnostic_manager::build_emission_path): Pass path_builder to
3251         add_event_on_final_node.
3252         (diagnostic_manager::add_event_on_final_node): Add "pb" param.
3253         Pass pending_diagnostic to
3254         emission_path::add_region_creation_events.
3255         (diagnostic_manager::add_events_for_eedge): Pass
3256         pending_diagnostic to emission_path::add_region_creation_events.
3257         * diagnostic-manager.h
3258         (diagnostic_manager::add_event_on_final_node): Add "pb" param.
3259         * pending-diagnostic.cc
3260         (pending_diagnostic::add_region_creation_events): New.
3261         * pending-diagnostic.h (struct region_creation): Delete.
3262         (pending_diagnostic::describe_region_creation_event): Delete.
3263         (pending_diagnostic::add_region_creation_events): New vfunc.
3264         * region-model.cc: Include "analyzer/checker-event.h" and
3265         "analyzer/checker-path.h".
3266         (dubious_allocation_size::dubious_allocation_size): Initialize
3267         m_has_allocation_event.
3268         (dubious_allocation_size::describe_region_creation_event): Delete.
3269         (dubious_allocation_size::describe_final_event): Update for
3270         replacement of m_allocation_event with m_has_allocation_event.
3271         (dubious_allocation_size::add_region_creation_events): New.
3272         (dubious_allocation_size::m_allocation_event): Replace with...
3273         (dubious_allocation_size::m_has_allocation_event): ...this.
3275 2022-12-02  David Malcolm  <dmalcolm@redhat.com>
3277         PR analyzer/107948
3278         * region-model-manager.cc
3279         (region_model_manager::maybe_fold_binop): Fold (0 - VAL) to -VAL.
3280         * region-model.cc (region_model::eval_condition): Handle e.g.
3281         "-X <= 0" as equivalent to "X >= 0".
3283 2022-12-01  David Malcolm  <dmalcolm@redhat.com>
3285         PR analyzer/106626
3286         * bounds-checking.cc
3287         (symbolic_past_the_end::describe_final_event): Delete, moving to
3288         symbolic_buffer_overflow::describe_final_event and
3289         symbolic_buffer_over_read::describe_final_event, eliminating
3290         composition of text strings via "byte_str" and "m_dir_str".
3291         (symbolic_past_the_end::m_dir_str): Delete field.
3292         (symbolic_buffer_overflow::symbolic_buffer_overflow): Drop
3293         m_dir_str.
3294         (symbolic_buffer_overflow::describe_final_event): New, as noted
3295         above.
3296         (symbolic_buffer_over_read::symbolic_buffer_overflow): Drop
3297         m_dir_str.
3298         (symbolic_buffer_over_read::describe_final_event): New, as noted
3299         above.
3301 2022-12-01  David Malcolm  <dmalcolm@redhat.com>
3303         * bounds-checking.cc (class out_of_bounds): Split out from...
3304         (class concrete_out_of_bounds): New abstract subclass.
3305         (class past_the_end): Rename to...
3306         (class concrete_past_the_end): ...this, and make a subclass of
3307         concrete_out_of_bounds.
3308         (class buffer_overflow): Rename to...
3309         (class concrete_buffer_overflow): ...this, and make a subclass of
3310         concrete_past_the_end.
3311         (class buffer_over_read): Rename to...
3312         (class concrete_buffer_over_read): ...this, and make a subclass of
3313         concrete_past_the_end.
3314         (class buffer_underwrite): Rename to...
3315         (class concrete_buffer_underwrite): ...this, and make a subclass
3316         of concrete_out_of_bounds.
3317         (class buffer_under_read): Rename to...
3318         (class concrete_buffer_under_read): ...this, and make a subclass
3319         of concrete_out_of_bounds.
3320         (class symbolic_past_the_end): Convert to a subclass of
3321         out_of_bounds.
3322         (symbolic_buffer_overflow::get_kind): New.
3323         (symbolic_buffer_over_read::get_kind): New.
3324         (region_model::check_region_bounds): Update for renamings.
3325         * engine.cc (impl_sm_context::set_next_state): Eliminate
3326         "new_ctxt", passing NULL to get_rvalue instead.
3327         (impl_sm_context::warn): Likewise.
3329 2022-12-01  David Malcolm  <dmalcolm@redhat.com>
3331         PR analyzer/106626
3332         * bounds-checking.cc (out_of_bounds::get_memory_space): New.
3333         (buffer_overflow::emit): Use it.
3334         (class buffer_overread): Rename to...
3335         (class buffer_over_read): ...this.
3336         (buffer_over_read::emit): Specify which memory space the read is
3337         from, where known.  Change "overread" to "over-read".
3338         (class buffer_underflow): Rename to...
3339         (class buffer_underwrite): ...this.
3340         (buffer_underwrite::emit): Specify which memory space the write is
3341         to, where known.  Change "underflow" to "underwrite".
3342         (class buffer_underread): Rename to...
3343         (class buffer_under_read): Rename to...
3344         (buffer_under_read::emit): Specify which memory space the read is
3345         from, where known.  Change "underread" to "under-read".
3346         (symbolic_past_the_end::get_memory_space): New.
3347         (symbolic_buffer_overflow::emit): Use it.
3348         (class symbolic_buffer_overread): Rename to...
3349         (class symbolic_buffer_over_read): ...this.
3350         (symbolic_buffer_over_read::emit): Specify which memory space the
3351         read is from, where known.  Change "overread" to "over-read".
3352         (region_model::check_symbolic_bounds): Update for class renaming.
3353         (region_model::check_region_bounds): Likewise.
3355 2022-12-01  David Malcolm  <dmalcolm@redhat.com>
3357         PR analyzer/106626
3358         * bounds-checking.cc (out_of_bounds::maybe_describe_array_bounds):
3359         New.
3360         (buffer_overflow::emit): Call maybe_describe_array_bounds.
3361         (buffer_overread::emit): Likewise.
3362         (buffer_underflow::emit): Likewise.
3363         (buffer_underread::emit): Likewise.
3365 2022-12-01  David Malcolm  <dmalcolm@redhat.com>
3367         PR analyzer/106626
3368         * bounds-checking.cc (buffer_overflow::emit): Use inform_n.
3369         Update wording to clarify that we're talking about the size of
3370         the bad access, rather than its position.
3371         (buffer_overread::emit): Likewise.
3373 2022-12-01  David Malcolm  <dmalcolm@redhat.com>
3375         * bounds-checking.cc: New file, taken from region-model.cc.
3376         * region-model.cc (class out_of_bounds): Move to
3377         bounds-checking.cc.
3378         (class past_the_end): Likewise.
3379         (class buffer_overflow): Likewise.
3380         (class buffer_overread): Likewise.
3381         (class buffer_underflow): Likewise.
3382         (class buffer_underread): Likewise.
3383         (class symbolic_past_the_end): Likewise.
3384         (class symbolic_buffer_overflow): Likewise.
3385         (class symbolic_buffer_overread): Likewise.
3386         (region_model::check_symbolic_bounds): Likewise.
3387         (maybe_get_integer_cst_tree): Likewise.
3388         (region_model::check_region_bounds): Likewise.
3389         * region-model.h: Add comment.
3391 2022-12-01  David Malcolm  <dmalcolm@redhat.com>
3393         PR analyzer/107928
3394         * sm-fd.cc (fd_state_machine::on_bind): Handle m_constant_fd in
3395         the "success" outcome.
3396         (fd_state_machine::on_connect): Likewise.
3397         * sm-fd.dot: Add "constant_fd" state and its transitions.
3399 2022-11-30  David Malcolm  <dmalcolm@redhat.com>
3401         * region-model-impl-calls.cc (class kf_fgets): Move to sm-file.cc.
3402         (kf_fgets::impl_call_pre): Likewise.
3403         (class kf_fread): Likewise.
3404         (kf_fread::impl_call_pre): Likewise.
3405         (class kf_getchar): Likewise.
3406         (class kf_stdio_output_fn): Likewise.
3407         (register_known_functions): Move registration of
3408         BUILT_IN_FPRINTF, BUILT_IN_FPRINTF_UNLOCKED, BUILT_IN_FPUTC,
3409         BUILT_IN_FPUTC_UNLOCKED, BUILT_IN_FPUTS, BUILT_IN_FPUTS_UNLOCKED,
3410         BUILT_IN_FWRITE, BUILT_IN_FWRITE_UNLOCKED, BUILT_IN_PRINTF,
3411         BUILT_IN_PRINTF_UNLOCKED, BUILT_IN_PUTC, BUILT_IN_PUTCHAR,
3412         BUILT_IN_PUTCHAR_UNLOCKED, BUILT_IN_PUTC_UNLOCKED, BUILT_IN_PUTS,
3413         BUILT_IN_PUTS_UNLOCKED, BUILT_IN_VFPRINTF, BUILT_IN_VPRINTF,
3414         "getchar", "fgets", "fgets_unlocked", and "fread" to
3415         register_known_file_functions.
3416         * sm-file.cc (class kf_stdio_output_fn): Move here from
3417         region-model-impl-calls.cc.
3418         (class kf_fgets): Likewise.
3419         (class kf_fread): Likewise.
3420         (class kf_getchar): Likewise.
3421         (register_known_file_functions): Move registration of
3422         BUILT_IN_FPRINTF, BUILT_IN_FPRINTF_UNLOCKED, BUILT_IN_FPUTC,
3423         BUILT_IN_FPUTC_UNLOCKED, BUILT_IN_FPUTS, BUILT_IN_FPUTS_UNLOCKED,
3424         BUILT_IN_FWRITE, BUILT_IN_FWRITE_UNLOCKED, BUILT_IN_PRINTF,
3425         BUILT_IN_PRINTF_UNLOCKED, BUILT_IN_PUTC, BUILT_IN_PUTCHAR,
3426         BUILT_IN_PUTCHAR_UNLOCKED, BUILT_IN_PUTC_UNLOCKED, BUILT_IN_PUTS,
3427         BUILT_IN_PUTS_UNLOCKED, BUILT_IN_VFPRINTF, BUILT_IN_VPRINTF,
3428         "fgets", "fgets_unlocked", "fread", and "getchar" to here from
3429         register_known_functions.
3431 2022-11-30  David Malcolm  <dmalcolm@redhat.com>
3433         PR analyzer/103546
3434         * analyzer.h (register_known_file_functions): New decl.
3435         * program-state.cc (sm_state_map::replay_call_summary): Reject
3436         attempts to store sm-state for caller_sval that can't have
3437         associated state.
3438         * region-model-impl-calls.cc (register_known_functions): Call
3439         register_known_file_functions.
3440         * sm-fd.cc (class kf_isatty): New.
3441         (register_known_fd_functions): Register it.
3442         * sm-file.cc (class kf_ferror): New.
3443         (class kf_fileno): New.
3444         (class kf_getc): New.
3445         (register_known_file_functions): New.
3447 2022-11-30  David Malcolm  <dmalcolm@redhat.com>
3449         PR analyzer/105784
3450         * region-model-manager.cc
3451         (region_model_manager::maybe_fold_binop): For POINTER_PLUS_EXPR,
3452         PLUS_EXPR and MINUS_EXPR, eliminate requirement that the final
3453         type matches that of arg0 in favor of a cast.
3455 2022-11-24  Martin Liska  <mliska@suse.cz>
3457         * varargs.cc: Fix Clang warnings.
3459 2022-11-24  David Malcolm  <dmalcolm@redhat.com>
3461         PR analyzer/106473
3462         * call-summary.cc
3463         (call_summary_replay::convert_region_from_summary_1): Update for
3464         change to creation of heap-allocated regions.
3465         * program-state.cc (test_program_state_1): Likewise.
3466         (test_program_state_merging): Likewise.
3467         * region-model-impl-calls.cc (kf_calloc::impl_call_pre): Likewise.
3468         (kf_malloc::impl_call_pre): Likewise.
3469         (kf_operator_new::impl_call_pre): Likewise.
3470         (kf_realloc::impl_call_postsuccess_with_move::update_model): Likewise.
3471         * region-model-manager.cc
3472         (region_model_manager::create_region_for_heap_alloc): Convert
3473         to...
3474         (region_model_manager::get_or_create_region_for_heap_alloc):
3475         ...this, reusing an existing region if it's unreferenced in the
3476         client state.
3477         * region-model-manager.h (region_model_manager::get_num_regions): New.
3478         (region_model_manager::create_region_for_heap_alloc): Convert to...
3479         (region_model_manager::get_or_create_region_for_heap_alloc): ...this.
3480         * region-model.cc (region_to_value_map::can_merge_with_p): Reject
3481         merger when the values are different.
3482         (region_model::create_region_for_heap_alloc): Convert to...
3483         (region_model::get_or_create_region_for_heap_alloc): ...this.
3484         (region_model::get_referenced_base_regions): New.
3485         (selftest::test_state_merging): Update for change to creation of
3486         heap-allocated regions.
3487         (selftest::test_malloc_constraints): Likewise.
3488         (selftest::test_malloc): Likewise.
3489         * region-model.h: Include "sbitmap.h".
3490         (region_model::create_region_for_heap_alloc): Convert to...
3491         (region_model::get_or_create_region_for_heap_alloc): ...this.
3492         (region_model::get_referenced_base_regions): New decl.
3493         * store.cc (store::canonicalize): Don't purge a heap-allocated region
3494         that's been marked as escaping.
3496 2022-11-24  David Malcolm  <dmalcolm@redhat.com>
3498         * checker-path.cc (checker_path::inject_any_inlined_call_events):
3499         Don't dump the address of the block when -fdump-noaddr.
3501 2022-11-24  David Malcolm  <dmalcolm@redhat.com>
3503         * region-model.h (region_model::on_socket): Delete decl.
3504         (region_model::on_bind): Likewise.
3505         (region_model::on_listen): Likewise.
3506         (region_model::on_accept): Likewise.
3507         (region_model::on_connect): Likewise.
3508         * sm-fd.cc (kf_socket::outcome_of_socket::update_model): Move body
3509         of region_model::on_socket into here, ...
3510         (region_model::on_socket): ...eliminating this function.
3511         (kf_bind::outcome_of_bind::update_model): Likewise for on_bind...
3512         (region_model::on_bind): ...eliminating this function.
3513         (kf_listen::outcome_of_listen::update_model): Likewise for
3514         on_listen...
3515         (region_model::on_listen): ...eliminating this function.
3516         (kf_accept::outcome_of_accept::update_model): Likewise for
3517         on_accept...
3518         (region_model::on_accept): ...eliminating this function.
3519         (kf_connect::outcome_of_connect::update_model): Likewise for
3520         on_connect...
3521         (region_model::on_connect): ...eliminating this function.
3523 2022-11-24  David Malcolm  <dmalcolm@redhat.com>
3525         * analyzer.h (register_known_fd_functions): New decl.
3526         * region-model-impl-calls.cc (class kf_accept): Move to sm-fd.cc.
3527         (class kf_bind): Likewise.
3528         (class kf_connect): Likewise.
3529         (class kf_listen): Likewise.
3530         (class kf_pipe): Likewise.
3531         (class kf_socket): Likewise.
3532         (register_known_functions): Remove registration of the above
3533         functions, instead calling register_known_fd_functions.
3534         * sm-fd.cc: Include "analyzer/call-info.h".
3535         (class kf_socket): Move here from region-model-impl-calls.cc.
3536         (class kf_bind): Likewise.
3537         (class kf_listen): Likewise.
3538         (class kf_accept): Likewise.
3539         (class kf_connect): Likewise.
3540         (class kf_pipe): Likewise.
3541         (register_known_fd_functions): New.
3543 2022-11-22  David Malcolm  <dmalcolm@redhat.com>
3545         PR analyzer/107788
3546         * known-function-manager.cc (known_function_manager::get_match):
3547         Don't look up fndecls by name when they're not in the root
3548         namespace.
3550 2022-11-22  David Malcolm  <dmalcolm@redhat.com>
3552         PR analyzer/107783
3553         * sm-fd.cc (fd_state_machine::check_for_new_socket_fd): Don't
3554         complain when old state is "fd-constant".
3555         (fd_state_machine::on_listen): Likewise.
3556         (fd_state_machine::on_accept): Likewise.
3558 2022-11-22  David Malcolm  <dmalcolm@redhat.com>
3560         PR analyzer/107807
3561         * region-model-impl-calls.cc (register_known_functions): Register
3562         "___errno" and "__error" as synonyms for "__errno_location".
3564 2022-11-22  David Malcolm  <dmalcolm@redhat.com>
3566         * analyzer.h (class internal_known_function): New.
3567         (register_varargs_builtins): New decl.
3568         * engine.cc (exploded_node::on_stmt_pre): Remove
3569         "out_terminate_path" param from call to region_model::on_stmt_pre.
3570         (feasibility_state::maybe_update_for_edge): Likewise.
3571         * known-function-manager.cc: Include "basic-block.h", "gimple.h",
3572         and "analyzer/region-model.h".
3573         (known_function_manager::known_function_manager): Initialize
3574         m_combined_fns_arr.
3575         (known_function_manager::~known_function_manager): Clean up
3576         m_combined_fns_arr.
3577         (known_function_manager::get_by_identifier): Make const.
3578         (known_function_manager::add): New overloaded definitions for
3579         enum built_in_function and enum internal_fn.
3580         (known_function_manager::get_by_fndecl): Delete.
3581         (known_function_manager::get_match): New.
3582         (known_function_manager::get_internal_fn): New.
3583         (known_function_manager::get_normal_builtin): New.
3584         * known-function-manager.h
3585         (known_function_manager::get_by_identifier): Make private and
3586         add const qualifier.
3587         (known_function_manager::get_by_fndecl): Delete.
3588         (known_function_manager::add): Add overloaded decls for
3589         enum built_in_function name and enum internal_fn.
3590         (known_function_manager::get_match): New decl.
3591         (known_function_manager::get_internal_fn): New decl.
3592         (known_function_manager::get_normal_builtin): New decl.
3593         (known_function_manager::m_combined_fns_arr): New field.
3594         * region-model-impl-calls.cc (call_details::arg_is_size_p): New.
3595         (class kf_alloca): New.
3596         (region_model::impl_call_alloca): Convert to...
3597         (kf_alloca::impl_call_pre): ...this.
3598         (kf_analyzer_dump_capacity::matches_call_types_p): Rewrite check
3599         to use call_details::arg_is_pointer_p.
3600         (region_model::impl_call_builtin_expect): Convert to...
3601         (class kf_expect): ...this.
3602         (class kf_calloc): New, adding check that both arguments are
3603         size_t.
3604         (region_model::impl_call_calloc): Convert to...
3605         (kf_calloc::impl_call_pre): ...this.
3606         (kf_connect::matches_call_types_p): Rewrite check to use
3607         call_details::arg_is_pointer_p.
3608         (region_model::impl_call_error): Convert to...
3609         (class kf_error): ...this, and...
3610         (kf_error::impl_call_pre): ...this.
3611         (class kf_fgets): New, adding checks that args 0 and 2 are
3612         pointers.
3613         (region_model::impl_call_fgets): Convert to...
3614         (kf_fgets::impl_call_pre): ...this.
3615         (class kf_fread): New, adding checks on the argument types.
3616         (region_model::impl_call_fread): Convert to...
3617         (kf_fread::impl_call_pre): ...this.
3618         (class kf_free): New, adding check that the argument is a pointer.
3619         (region_model::impl_call_free): Convert to...
3620         (kf_free::impl_call_post): ...this.
3621         (class kf_getchar): New.
3622         (class kf_malloc): New, adding check that the argument is a
3623         size_t.
3624         (region_model::impl_call_malloc): Convert to...
3625         (kf_malloc::impl_call_pre): ...this.
3626         (class kf_memcpy): New, adding checks on arguments.
3627         (region_model::impl_call_memcpy): Convert to...
3628         (kf_memcpy::impl_call_pre): ...this.
3629         (class kf_memset): New.
3630         (region_model::impl_call_memset): Convert to...
3631         (kf_memset::impl_call_pre): ...this.
3632         (kf_pipe::matches_call_types_p): Rewrite check to use
3633         call_details::arg_is_pointer_p.
3634         (kf_putenv::matches_call_types_p): Likewise.
3635         (class kf_realloc): New, adding checks on the argument types.
3636         (region_model::impl_call_realloc): Convert to...
3637         (kf_realloc::impl_call_post): ...this.
3638         (class kf_strchr): New.
3639         (region_model::impl_call_strchr): Convert to...
3640         (kf_strchr::impl_call_post): ...this.
3641         (class kf_stack_restore): New.
3642         (class kf_stack_save): New.
3643         (class kf_stdio_output_fn): New.
3644         (class kf_strcpy): New.
3645         (region_model::impl_call_strcpy): Convert to...
3646         (kf_strcpy::impl_call_pre): ...this.
3647         (class kf_strlen): New.
3648         (region_model::impl_call_strlen): Convert to...
3649         (kf_strlen::impl_call_pre): ...this.
3650         (class kf_ubsan_bounds): New.
3651         (region_model::impl_deallocation_call): Reimplement to avoid call
3652         to impl_call_free.
3653         (register_known_functions): Add handlers for IFN_BUILTIN_EXPECT
3654         and IFN_UBSAN_BOUNDS.  Add handlers for BUILT_IN_ALLOCA,
3655         BUILT_IN_ALLOCA_WITH_ALIGN, BUILT_IN_CALLOC, BUILT_IN_EXPECT,
3656         BUILT_IN_EXPECT_WITH_PROBABILITY, BUILT_IN_FPRINTF,
3657         BUILT_IN_FPRINTF_UNLOCKED, BUILT_IN_FPUTC,
3658         BUILT_IN_FPUTC_UNLOCKED, BUILT_IN_FPUTS, BUILT_IN_FPUTS_UNLOCKED,
3659         BUILT_IN_FREE, BUILT_IN_FWRITE, BUILT_IN_FWRITE_UNLOCKED,
3660         BUILT_IN_MALLOC, BUILT_IN_MEMCPY, BUILT_IN_MEMCPY_CHK,
3661         BUILT_IN_MEMSET, BUILT_IN_MEMSET_CHK, BUILT_IN_PRINTF,
3662         BUILT_IN_PRINTF_UNLOCKED, BUILT_IN_PUTC, BUILT_IN_PUTCHAR,
3663         BUILT_IN_PUTCHAR_UNLOCKED, BUILT_IN_PUTC_UNLOCKED, BUILT_IN_PUTS,
3664         BUILT_IN_PUTS_UNLOCKED, BUILT_IN_REALLOC, BUILT_IN_STACK_RESTORE,
3665         BUILT_IN_STACK_SAVE, BUILT_IN_STRCHR, BUILT_IN_STRCPY,
3666         BUILT_IN_STRCPY_CHK, BUILT_IN_STRLEN, BUILT_IN_VFPRINTF, and
3667         BUILT_IN_VPRINTF. Call register_varargs_builtins.  Add handlers
3668         for "getchar", "memset", "fgets", "fgets_unlocked", "fread",
3669         "error", and "error_at_line".
3670         * region-model.cc (region_model::on_stmt_pre): Drop
3671         "out_terminate_path" param.
3672         (region_model::get_known_function): Reimplement by calling
3673         known_function_manager::get_match, passing new "cd" param.
3674         Add overload taking enum internal_fn.
3675         (region_model::on_call_pre): Drop "out_terminate_path" param.
3676         Remove special-case handling of internal fns IFN_BUILTIN_EXPECT,
3677         IFN_UBSAN_BOUNDS, and IFN_VA_ARG, of built-in fns BUILT_IN_ALLOCA,
3678         BUILT_IN_ALLOCA_WITH_ALIGN, BUILT_IN_CALLOC, BUILT_IN_EXPECT,
3679         BUILT_IN_EXPECT_WITH_PROBABILITY, BUILT_IN_FREE, BUILT_IN_MALLOC,
3680         BUILT_IN_MEMCPY, BUILT_IN_MEMCPY_CHK, BUILT_IN_MEMSET,
3681         BUILT_IN_MEMSET_CHK, BUILT_IN_REALLOC, BUILT_IN_STRCHR,
3682         BUILT_IN_STRCPY, BUILT_IN_STRCPY_CHK, BUILT_IN_STRLEN,
3683         BUILT_IN_STACK_SAVE, BUILT_IN_STACK_RESTORE, BUILT_IN_FPRINTF,
3684         BUILT_IN_FPRINTF_UNLOCKED, BUILT_IN_PUTC, BUILT_IN_PUTC_UNLOCKED,
3685         BUILT_IN_FPUTC, BUILT_IN_FPUTC_UNLOCKED, BUILT_IN_FPUTS,
3686         BUILT_IN_FPUTS_UNLOCKED, BUILT_IN_FWRITE,
3687         BUILT_IN_FWRITE_UNLOCKED, BUILT_IN_PRINTF,
3688         BUILT_IN_PRINTF_UNLOCKED, BUILT_IN_PUTCHAR,
3689         BUILT_IN_PUTCHAR_UNLOCKED, BUILT_IN_PUTS, BUILT_IN_PUTS_UNLOCKED,
3690         BUILT_IN_VFPRINTF, BUILT_IN_VPRINTF, BUILT_IN_VA_START, and
3691         BUILT_IN_VA_COPY, and of named functions "malloc", "calloc",
3692         "alloca", "realloc", "error", "error_at_line", "fgets",
3693         "fgets_unlocked", "fread", "getchar", "memset", "strchr", and
3694         "strlen".  Replace all this special-casing with calls to
3695         get_known_function for internal fns and for fn decls.
3696         (region_model::on_call_post): Remove special-casing handling for
3697         "free" and "strchr", and for BUILT_IN_REALLOC, BUILT_IN_STRCHR,
3698         and BUILT_IN_VA_END.  Replace by consolidating on usage of
3699         get_known_function.
3700         * region-model.h (call_details::arg_is_size_p): New.
3701         (region_model::on_stmt_pre): Drop "out_terminate_path" param.
3702         (region_model::on_call_pre): Likewise.
3703         (region_model::impl_call_alloca): Delete.
3704         (region_model::impl_call_builtin_expect): Delete.
3705         (region_model::impl_call_calloc): Delete.
3706         (region_model::impl_call_error): Delete.
3707         (region_model::impl_call_fgets): Delete.
3708         (region_model::impl_call_fread): Delete.
3709         (region_model::impl_call_free): Delete.
3710         (region_model::impl_call_malloc): Delete.
3711         (region_model::impl_call_memcpy): Delete.
3712         (region_model::impl_call_memset): Delete.
3713         (region_model::impl_call_realloc): Delete.
3714         (region_model::impl_call_strchr): Delete.
3715         (region_model::impl_call_strcpy): Delete.
3716         (region_model::impl_call_strlen): Delete.
3717         (region_model::impl_call_va_start): Delete.
3718         (region_model::impl_call_va_copy): Delete.
3719         (region_model::impl_call_va_arg): Delete.
3720         (region_model::impl_call_va_end): Delete.
3721         (region_model::check_region_for_write): Public.
3722         (region_model::get_known_function): Add "cd" param.  Add
3723         overloaded decl taking enum internal_fn.
3724         * sm-malloc.cc: Update comments.
3725         * varargs.cc (class kf_va_start): New.
3726         (region_model::impl_call_va_start): Convert to...
3727         (kf_va_start::impl_call_pre): ...this.
3728         (class kf_va_copy): New.
3729         (region_model::impl_call_va_copy): Convert to...
3730         (kf_va_copy::impl_call_pre): ...this.
3731         (class kf_va_arg): New.
3732         (region_model::impl_call_va_arg): Convert to...
3733         (kf_va_arg::impl_call_pre): ...this.
3734         (class kf_va_end): New.
3735         (region_model::impl_call_va_end): Delete.
3736         (register_varargs_builtins): New.
3738 2022-11-22  David Malcolm  <dmalcolm@redhat.com>
3740         PR analyzer/107788
3741         * region-model.cc (region_model::update_for_int_cst_return):
3742         Require that the return type be an integer type.
3743         (region_model::update_for_nonzero_return): Likewise.
3745 2022-11-22  David Malcolm  <dmalcolm@redhat.com>
3747         PR analyzer/107783
3748         * region-model-impl-calls.cc (kf_accept::matches_call_types_p):
3749         Require that args 1 and 2 be pointers.
3750         (kf_bind::matches_call_types_p): Require that arg 1 be a pointer.
3751         * region-model.h (call_details::arg_is_pointer_p): New
3753 2022-11-22  David Malcolm  <dmalcolm@redhat.com>
3755         PR analyzer/107777
3756         * call-summary.cc
3757         (call_summary_replay::convert_region_from_summary_1): Handle
3758         RK_THREAD_LOCAL and RK_ERRNO in switch.
3759         * region-model.cc (region_model::get_representative_path_var_1):
3760         Likewise.
3762 2022-11-19  David Malcolm  <dmalcolm@redhat.com>
3764         PR analyzer/107582
3765         * engine.cc (dynamic_call_info_t::update_model): Update the model
3766         by pushing or popping a frame, rather than by clobbering it with the
3767         model from the exploded_node's state.
3769 2022-11-18  David Malcolm  <dmalcolm@redhat.com>
3771         * analyzer.cc (is_pipe_call_p): Delete.
3772         * analyzer.h (is_pipe_call_p): Delete.
3773         * region-model-impl-calls.cc (call_details::get_location): New.
3774         (class kf_analyzer_break): New, adapted from
3775         region_model::on_stmt_pre.
3776         (region_model::impl_call_analyzer_describe): Convert to...
3777         (class kf_analyzer_describe): ...this.
3778         (region_model::impl_call_analyzer_dump_capacity): Convert to...
3779         (class kf_analyzer_dump_capacity): ...this.
3780         (region_model::impl_call_analyzer_dump_escaped): Convert to...
3781         (class kf_analyzer_dump_escaped): ...this.
3782         (class kf_analyzer_dump_exploded_nodes): New.
3783         (region_model::impl_call_analyzer_dump_named_constant): Convert
3784         to...
3785         (class kf_analyzer_dump_named_constant): ...this.
3786         (class dump_path_diagnostic): Move here from region-model.cc.
3787         (class kf_analyzer_dump_path): New, adapted from
3788         region_model::on_stmt_pre.
3789         (class kf_analyzer_dump_region_model): Likewise.
3790         (region_model::impl_call_analyzer_eval): Convert to...
3791         (class kf_analyzer_eval): ...this.
3792         (region_model::impl_call_analyzer_get_unknown_ptr): Convert to...
3793         (class kf_analyzer_get_unknown_ptr): ...this.
3794         (class known_function_accept): Rename to...
3795         (class kf_accept): ...this.
3796         (class known_function_bind): Rename to...
3797         (class kf_bind): ...this.
3798         (class known_function_connect): Rename to...
3799         (class kf_connect): ...this.
3800         (region_model::impl_call_errno_location): Convert to...
3801         (class kf_errno_location): ...this.
3802         (class known_function_listen): Rename to...
3803         (class kf_listen): ...this.
3804         (region_model::impl_call_pipe): Convert to...
3805         (class kf_pipe): ...this.
3806         (region_model::impl_call_putenv): Convert to...
3807         (class kf_putenv): ...this.
3808         (region_model::impl_call_operator_new): Convert to...
3809         (class kf_operator_new): ...this.
3810         (region_model::impl_call_operator_delete): Convert to...
3811         (class kf_operator_delete): ...this.
3812         (class known_function_socket): Rename to...
3813         (class kf_socket): ...this.
3814         (register_known_functions): Rename param to KFM.  Break out
3815         existing known functions into a "POSIX" section, and add "pipe",
3816         "pipe2", and "putenv".  Add debugging functions
3817         "__analyzer_break", "__analyzer_describe",
3818         "__analyzer_dump_capacity", "__analyzer_dump_escaped",
3819         "__analyzer_dump_exploded_nodes",
3820         "__analyzer_dump_named_constant", "__analyzer_dump_path",
3821         "__analyzer_dump_region_model", "__analyzer_eval",
3822         "__analyzer_get_unknown_ptr".  Add C++ support functions
3823         "operator new", "operator new []", "operator delete", and
3824         "operator delete []".
3825         * region-model.cc (class dump_path_diagnostic): Move to
3826         region-model-impl-calls.cc.
3827         (region_model::on_stmt_pre): Eliminate special-casing of
3828         "__analyzer_describe", "__analyzer_dump_capacity",
3829         "__analyzer_dump_escaped", "__analyzer_dump_named_constant",
3830         "__analyzer_dump_path", "__analyzer_dump_region_model",
3831         "__analyzer_eval", "__analyzer_break",
3832         "__analyzer_dump_exploded_nodes", "__analyzer_get_unknown_ptr",
3833         "__errno_location", "pipe", "pipe2", "putenv", "operator new",
3834         "operator new []", "operator delete", "operator delete []",
3835         "pipe" and "pipe2", handling them instead via the known_functions
3836         mechanism.
3837         * region-model.h (call_details::get_location): New decl.
3838         (region_model::impl_call_analyzer_describe): Delete decl.
3839         (region_model::impl_call_analyzer_dump_capacity): Delete decl.
3840         (region_model::impl_call_analyzer_dump_escaped): Delete decl.
3841         (region_model::impl_call_analyzer_dump_named_constant): Delete decl.
3842         (region_model::impl_call_analyzer_eval): Delete decl.
3843         (region_model::impl_call_analyzer_get_unknown_ptr): Delete decl.
3844         (region_model::impl_call_errno_location): Delete decl.
3845         (region_model::impl_call_pipe): Delete decl.
3846         (region_model::impl_call_putenv): Delete decl.
3847         (region_model::impl_call_operator_new): Delete decl.
3848         (region_model::impl_call_operator_delete): Delete decl.
3849         * sm-fd.cc: Update comments.
3851 2022-11-16  David Malcolm  <dmalcolm@redhat.com>
3853         PR analyzer/107711
3854         * analyzer-language.cc: Include "diagnostic.h".
3855         (maybe_stash_named_constant): Add logger param and use it to log
3856         the name being looked up, and the result.
3857         (stash_named_constants): New, splitting out from...
3858         (on_finish_translation_unit): ...this function.  Call
3859         get_or_create_logfile and use the result to create a logger
3860         instance, passing it to stash_named_constants.
3861         * analyzer.h (get_or_create_any_logfile): New decl.
3862         * engine.cc (dump_fout, owns_dump_fout): New globals, split out
3863         from run_checkers.
3864         (get_or_create_any_logfile): New function, split out from...
3865         (run_checkers): ...here, so that the logfile can be opened by
3866         on_finish_translation_unit.  Clear the globals when closing the
3867         dump file.
3869 2022-11-16  David Malcolm  <dmalcolm@redhat.com>
3871         * analyzer.h (known_function::matches_call_types_p): New vfunc.
3872         (known_function::impl_call_pre): Provide base implementation.
3873         (known_function::impl_call_post): New vfunc.
3874         (register_known_functions): New.
3875         * engine.cc (impl_run_checkers): Call register_known_functions.
3876         * region-model-impl-calls.cc (region_model::impl_call_accept):
3877         Convert to...
3878         (class known_function_accept): ...this.
3879         (region_model::impl_call_bind): Convert to...
3880         (class known_function_bind): ...this.
3881         (region_model::impl_call_connect): Convert to...
3882         (class known_function_connect): ...this.
3883         (region_model::impl_call_listen): Convert to...
3884         (class known_function_listen): ...this.
3885         (region_model::impl_call_socket): Convert to...
3886         (class known_function_socket): ...this.
3887         (register_known_functions): New.
3888         * region-model.cc (region_model::on_call_pre): Remove special
3889         case for "bind" in favor of the known_function-handling dispatch.
3890         Add call to known_function::matches_call_types_p to latter.
3891         (region_model::on_call_post): Remove special cases for "accept",
3892         "bind", "connect", "listen", and "socket" in favor of dispatch
3893         to known_function::impl_call_post.
3894         * region-model.h (region_model::impl_call_accept): Delete decl.
3895         (region_model::impl_call_bind): Delete decl.
3896         (region_model::impl_call_connect): Delete decl.
3897         (region_model::impl_call_listen): Delete decl.
3898         (region_model::impl_call_socket): Delete decl.
3899         * sm-fd.cc: Update comments.
3901 2022-11-16  David Malcolm  <dmalcolm@redhat.com>
3903         * checker-event.cc: New file, split out from...
3904         * checker-path.cc: ...this file.
3906 2022-11-15  David Malcolm  <dmalcolm@redhat.com>
3908         PR analyzer/106140
3909         * analyzer-language.cc (on_finish_translation_unit): Stash named
3910         constants "SOCK_STREAM" and "SOCK_DGRAM".
3911         * analyzer.opt (Wanalyzer-fd-phase-mismatch): New.
3912         (Wanalyzer-fd-type-mismatch): New.
3913         * engine.cc (impl_region_model_context::get_state_map_by_name):
3914         Add "out_sm_context" param.  Allow out_sm_idx to be NULL.
3915         * exploded-graph.h
3916         (impl_region_model_context::get_state_map_by_name):
3917         Add "out_sm_context" param.
3918         * region-model-impl-calls.cc (region_model::impl_call_accept): New.
3919         (region_model::impl_call_bind): New.
3920         (region_model::impl_call_connect): New.
3921         (region_model::impl_call_listen): New.
3922         (region_model::impl_call_socket): New.
3923         * region-model.cc (region_model::on_call_pre): Special-case
3924         "bind".
3925         (region_model::on_call_post): Special-case "accept", "bind",
3926         "connect", "listen", and "socket".
3927         * region-model.h (region_model::impl_call_accept): New decl.
3928         (region_model::impl_call_bind): New decl.
3929         (region_model::impl_call_connect): New decl.
3930         (region_model::impl_call_listen): New decl.
3931         (region_model::impl_call_socket): New decl.
3932         (region_model::on_socket): New decl.
3933         (region_model::on_bind): New decl.
3934         (region_model::on_listen): New decl.
3935         (region_model::on_accept): New decl.
3936         (region_model::on_connect): New decl.
3937         (region_model::add_constraint): Make public.
3938         (region_model::check_for_poison): Make public.
3939         (region_model_context::get_state_map_by_name): Add out_sm_context param.
3940         (region_model_context::get_fd_map): Likewise.
3941         (region_model_context::get_malloc_map): Likewise.
3942         (region_model_context::get_taint_map): Likewise.
3943         (noop_region_model_context::get_state_map_by_name): Likewise.
3944         (region_model_context_decorator::get_state_map_by_name): Likewise.
3945         * sm-fd.cc: Include "analyzer/supergraph.h" and
3946         "analyzer/analyzer-language.h".
3947         (enum expected_phase): New enum.
3948         (fd_state_machine::m_new_datagram_socket): New.
3949         (fd_state_machine::m_new_stream_socket): New.
3950         (fd_state_machine::m_new_unknown_socket): New.
3951         (fd_state_machine::m_bound_datagram_socket): New.
3952         (fd_state_machine::m_bound_stream_socket): New.
3953         (fd_state_machine::m_bound_unknown_socket): New.
3954         (fd_state_machine::m_listening_stream_socket): New.
3955         (fd_state_machine::m_m_connected_stream_socket): New.
3956         (fd_state_machine::m_SOCK_STREAM): New.
3957         (fd_state_machine::m_SOCK_DGRAM): New.
3958         (fd_diagnostic::describe_state_change): Handle socket states.
3959         (fd_diagnostic::get_meaning_for_state_change): Likewise.
3960         (class fd_phase_mismatch): New.
3961         (enum expected_type): New enum.
3962         (class fd_type_mismatch): New.
3963         (fd_state_machine::fd_state_machine): Initialize new states and
3964         stashed named constants.
3965         (fd_state_machine::is_socket_fd_p): New.
3966         (fd_state_machine::is_datagram_socket_fd_p): New.
3967         (fd_state_machine::is_stream_socket_fd_p): New.
3968         (fd_state_machine::on_close): Handle the socket states.
3969         (fd_state_machine::check_for_open_fd): Complain about fncalls on
3970         sockets in the wrong phase.  Support socket FDs.
3971         (add_constraint_ge_zero): New.
3972         (fd_state_machine::get_state_for_socket_type): New.
3973         (fd_state_machine::on_socket): New.
3974         (fd_state_machine::check_for_socket_fd): New.
3975         (fd_state_machine::check_for_new_socket_fd): New.
3976         (fd_state_machine::on_bind): New.
3977         (fd_state_machine::on_listen): New.
3978         (fd_state_machine::on_accept): New.
3979         (fd_state_machine::on_connect): New.
3980         (fd_state_machine::can_purge_p): Don't purge socket values.
3981         (get_fd_state): New.
3982         (region_model::mark_as_valid_fd): Use get_fd_state.
3983         (region_model::on_socket): New.
3984         (region_model::on_bind): New.
3985         (region_model::on_listen): New.
3986         (region_model::on_accept): New.
3987         (region_model::on_connect): New.
3988         * sm-fd.dot: Update to reflect sm-fd.cc changes.
3990 2022-11-15  David Malcolm  <dmalcolm@redhat.com>
3992         PR analyzer/106302
3993         * analyzer-language.cc: New file.
3994         * analyzer-language.h: New file.
3995         * analyzer.h (get_stashed_constant_by_name): New decl.
3996         (log_stashed_constants): New decl.
3997         * engine.cc (impl_run_checkers): Call log_stashed_constants.
3998         * region-model-impl-calls.cc
3999         (region_model::impl_call_analyzer_dump_named_constant): New.
4000         * region-model.cc (region_model::on_stmt_pre): Handle
4001         __analyzer_dump_named_constant.
4002         * region-model.h
4003         (region_model::impl_call_analyzer_dump_named_constant): New decl.
4004         * sm-fd.cc (fd_state_machine::m_O_ACCMODE): New.
4005         (fd_state_machine::m_O_RDONLY): New.
4006         (fd_state_machine::m_O_WRONLY): New.
4007         (fd_state_machine::fd_state_machine): Initialize the new fields.
4008         (fd_state_machine::get_access_mode_from_flag): Use the new fields,
4009         rather than using the host values.
4011 2022-11-13  David Malcolm  <dmalcolm@redhat.com>
4013         PR analyzer/106235
4014         * analyzer.opt (Wanalyzer-tainted-assertion): New.
4015         * checker-path.cc (checker_path::fixup_locations): Pass false to
4016         pending_diagnostic::fixup_location.
4017         * diagnostic-manager.cc (get_emission_location): Pass true to
4018         pending_diagnostic::fixup_location.
4019         * pending-diagnostic.cc (pending_diagnostic::fixup_location): Add
4020         bool param.
4021         * pending-diagnostic.h (pending_diagnostic::fixup_location): Add
4022         bool param to decl.
4023         * sm-taint.cc (taint_state_machine::m_tainted_control_flow): New.
4024         (taint_diagnostic::describe_state_change): Drop "final".
4025         (class tainted_assertion): New.
4026         (taint_state_machine::taint_state_machine): Initialize
4027         m_tainted_control_flow.
4028         (taint_state_machine::alt_get_inherited_state): Support
4029         comparisons being tainted, based on their arguments.
4030         (is_assertion_failure_handler_p): New.
4031         (taint_state_machine::on_stmt): Complain about calls to assertion
4032         failure handlers guarded by an attacker-controlled conditional.
4033         Detect attacker-controlled gcond conditionals and gswitch index
4034         values.
4035         (taint_state_machine::check_control_flow_arg_for_taint): New.
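The reachable-assertion shape that this entry's -Wanalyzer-tainted-assertion is aimed at, as an added C example that is not part of the GCC sources or of this ChangeLog: a conditional on attacker-controlled input guards a call that never returns, beside a version that reports an error instead. MAX_RECORD, the function names and the TAINTED_ARGS wrapper are assumptions; the attribute it wraps is GCC's tainted_args, which marks a function's arguments as attacker-controlled for the analyzer.

```c
/* Added example, not GCC code: attacker-controlled data deciding whether a
   noreturn handler fires, beside a version that returns an error instead.
   MAX_RECORD and the function names are hypothetical. */
#include <stdint.h>
#include <stdlib.h>

#define MAX_RECORD 4096u

/* GCC's tainted_args attribute tells -fanalyzer (with the taint checker
   enabled) to treat every argument of the function as attacker-controlled.
   Guarded so the file still builds with compilers lacking the attribute. */
#if defined(__has_attribute)
#  if __has_attribute(tainted_args)
#    define TAINTED_ARGS __attribute__((tainted_args))
#  endif
#endif
#ifndef TAINTED_ARGS
#  define TAINTED_ARGS
#endif

/* Buggy: the comparison on the untrusted length guards abort(), a noreturn
   handler, so any peer that sends an oversized header can terminate the
   process.  This is the "attacker-controlled conditional guarding an
   assertion failure handler" pattern; assert() on the same value has the
   same effect.  Only call this with an in-range length when running it. */
TAINTED_ARGS int record_len_abort_on_bad(uint32_t len)
{
    if (len > MAX_RECORD)
        abort();
    return (int)len;
}

/* Fixed: validate the input and hand an error back to the caller; the
   untrusted value no longer decides whether the process dies. */
TAINTED_ARGS int record_len_checked(uint32_t len)
{
    if (len > MAX_RECORD)
        return -1;
    return (int)len;
}
```

Compile with gcc -fanalyzer -fanalyzer-checker=taint -c on this file: the analyzer's tainted-assertion check is directed at the abort() path in record_len_abort_on_bad, where the guarding condition depends on a tainted argument, while record_len_checked has no such path.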
4037 2022-11-11  David Malcolm  <dmalcolm@redhat.com>
4039         * sm-fd.dot: Fix typo in comment.
4040         * sm-file.dot: New file.
4041         * varargs.cc: Fix typo in comment.
4042         * varargs.dot: New file.
4044 2022-11-11  David Malcolm  <dmalcolm@redhat.com>
4046         * checker-path.h: Split out checker_event and its subclasses to...
4047         * checker-event.h: ...this new header.
4049 2022-11-11  David Malcolm  <dmalcolm@redhat.com>
4051         PR analyzer/106147
4052         * analyzer.opt (Wanalyzer-infinite-recursion): New.
4053         * call-string.cc (call_string::count_occurrences_of_function):
4054         New.
4055         * call-string.h (call_string::count_occurrences_of_function): New
4056         decl.
4057         * checker-path.cc (function_entry_event::function_entry_event):
4058         New ctor.
4059         (checker_path::add_final_event): Delete.
4060         * checker-path.h (function_entry_event::function_entry_event): New
4061         ctor.
4062         (function_entry_event::get_desc): Drop "final".
4063         (checker_path::add_final_event): Delete.
4064         * diagnostic-manager.cc
4065         (diagnostic_manager::emit_saved_diagnostic): Create the final
4066         event via a new pending_diagnostic::add_final_event vfunc, rather
4067         than checker_path::add_final_event.
4068         (diagnostic_manager::add_events_for_eedge): Create function entry
4069         events via a new pending_diagnostic::add_function_entry_event
4070         vfunc.
4071         * engine.cc (exploded_graph::process_node): When creating a new
4072         PK_BEFORE_SUPERNODE node, call
4073         exploded_graph::detect_infinite_recursion on it after adding the
4074         in-edge.
4075         * exploded-graph.h (exploded_graph::detect_infinite_recursion):
4076         New decl.
4077         (exploded_graph::find_previous_entry_to): New decl.
4078         * infinite-recursion.cc: New file.
4079         * pending-diagnostic.cc
4080         (pending_diagnostic::add_function_entry_event): New.
4081         (pending_diagnostic::add_final_event): New.
4082         * pending-diagnostic.h
4083         (pending_diagnostic::add_function_entry_event): New vfunc.
4084         (pending_diagnostic::add_final_event): New vfunc.
4086 2022-11-10  David Malcolm  <dmalcolm@redhat.com>
4088         PR analyzer/99671
4089         * analyzer.opt (Wanalyzer-deref-before-check): New warning.
4090         * diagnostic-manager.cc
4091         (null_assignment_sm_context::set_next_state): Only add state
4092         change events for transition to "null" state.
4093         (null_assignment_sm_context::is_transition_to_null): New.
4094         * engine.cc (impl_region_model_context::on_pop_frame): New.
4095         * exploded-graph.h (impl_region_model_context::on_pop_frame): New
4096         decl.
4097         * program-state.cc (sm_state_map::clear_any_state): New.
4098         (sm_state_map::can_merge_with_p): New.
4099         (program_state::can_merge_with_p): Replace requirement that
4100         sm-states be equal in favor of an attempt to merge them.
4101         * program-state.h (sm_state_map::clear_any_state): New decl.
4102         (sm_state_map::can_merge_with_p): New decl.
4103         * region-model.cc (region_model::eval_condition): Make const.
4104         (region_model::pop_frame): Call ctxt->on_pop_frame.
4105         * region-model.h (region_model::eval_condition): Make const.
4106         (region_model_context::on_pop_frame): New vfunc.
4107         (noop_region_model_context::on_pop_frame): New.
4108         (region_model_context_decorator::on_pop_frame): New.
4109         * sm-malloc.cc (enum resource_state): Add RS_ASSUMED_NON_NULL.
4110         (allocation_state::dump_to_pp): Drop "final".
4111         (struct assumed_non_null_state): New subclass.
4112         (malloc_state_machine::m_assumed_non_null): New.
4113         (assumed_non_null_p): New.
4114         (class deref_before_check): New.
4115         (assumed_non_null_state::dump_to_pp): New.
4116         (malloc_state_machine::get_or_create_assumed_non_null_state_for_frame):
4117         New.
4118         (malloc_state_machine::maybe_assume_non_null): New.
4119         (malloc_state_machine::on_stmt): Transition from start state to
4120         "assumed-non-null" state for pointers passed to
4121         __attribute__((nonnull)) arguments, and for pointers explicitly
4122         dereferenced.  Call maybe_complain_about_deref_before_check for
4123         pointers explicitly compared against NULL.
4124         (malloc_state_machine::maybe_complain_about_deref_before_check):
4125         New.
4126         (malloc_state_machine::on_deallocator_call): Also transition
4127         "assumed-non-null" states to "freed".
4128         (malloc_state_machine::on_pop_frame): New.
4129         (malloc_state_machine::maybe_get_merged_states_nonequal): New.
4130         * sm-malloc.dot: Update for changes to sm-malloc.cc.
4131         * sm.h (state_machine::on_pop_frame): New.
4132         (state_machine::maybe_get_merged_state): New.
4133         (state_machine::maybe_get_merged_states_nonequal): New.
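The two orderings that this entry's -Wanalyzer-deref-before-check distinguishes, as an added C example that is not part of the GCC sources or of this ChangeLog: a pointer that is dereferenced, or passed to a nonnull parameter, and only afterwards compared against NULL, beside the corrected order. struct packet, the function names and the sample input are assumptions.

```c
/* Added example, not GCC code: a NULL check that comes after the first
   dereference, beside the corrected ordering.  struct packet, the function
   names and sample_packet are hypothetical. */
#include <stddef.h>

struct packet {
    size_t len;
    const unsigned char *payload;
};

/* A callee whose parameter is declared nonnull: passing pkt to it moves
   pkt into the analyzer's "assumed-non-null" state, exactly as an explicit
   dereference would. */
__attribute__((nonnull))
static size_t payload_len(const struct packet *pkt)
{
    return pkt->len;
}

/* Buggy: pkt is read before the NULL comparison.  Either pkt can be NULL,
   in which case the check is too late, or it cannot, in which case the
   check is dead; either way the comparison is the inconsistency the
   analyzer reports.  Only call this with a valid pointer. */
int packet_len_check_after_deref(const struct packet *pkt)
{
    size_t n = pkt->len;   /* explicit dereference: pkt assumed non-null */
    if (pkt == NULL)       /* flagged: cannot have protected the read above */
        return -1;
    return (int)n;
}

/* Buggy in the same way, but the transition comes from passing pkt to a
   nonnull parameter rather than from a dereference in this function. */
int packet_len_check_after_nonnull_call(const struct packet *pkt)
{
    size_t n = payload_len(pkt);   /* nonnull argument: pkt assumed non-null */
    if (!pkt)                      /* flagged for the same reason */
        return -1;
    return (int)n;
}

/* Fixed: the NULL check precedes every use, so a NULL pkt is handled and a
   valid one is read only afterwards. */
int packet_len_check_first(const struct packet *pkt)
{
    if (pkt == NULL)
        return -1;
    return (int)payload_len(pkt);
}

/* Constructed sample input so the example runs stand-alone. */
static const struct packet sample_packet = { 5, (const unsigned char *)"hello" };

int sample_len(void)
{
    return packet_len_check_first(&sample_packet);
}
```

Compile with gcc -fanalyzer -c on this file (GCC 13 or later, where this warning was added): the two check-after functions are the ones the deref-before-check warning is aimed at, and packet_len_check_first is the shape that satisfies it. Because the state is tracked per frame and cleared on pop (the on_pop_frame hook in this entry), the check in a caller is not confused with a dereference inside the callee.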
4135 2022-11-09  David Malcolm  <dmalcolm@redhat.com>
4137         * checker-path.cc (checker_event::debug): New.
4138         (checker_path::add_event): Move here from checker-path.h.  Add
4139         logging.
4140         * checker-path.h (checker_event::debug): New decl.
4141         (checker_path::checker_path): Add logger param.
4142         (checker_path::add_event): Move definition from here to
4143         checker-path.cc.
4144         (checker_path::m_logger): New field.
4145         * diagnostic-manager.cc
4146         (diagnostic_manager::emit_saved_diagnostic): Pass logger to
4147         checker_path ctor.
4148         (diagnostic_manager::add_events_for_eedge): Log scope when
4149         processing a run of stmts.
4151 2022-11-08  David Malcolm  <dmalcolm@redhat.com>
4153         PR analyzer/101962
4154         * region-model-impl-calls.cc: Update comment.
4155         * region-model.cc (region_model::check_symbolic_bounds): Fix
4156         layout of "void" return.  Replace usage of
4157         eval_condition_without_cm with eval_condition.
4158         (region_model::eval_condition): Take over body of...
4159         (region_model::eval_condition_without_cm): ...this subroutine,
4160         dropping the latter.  Eliminating this distinction avoids issues
4161         where constraints were not considered when recursing.
4162         (region_model::compare_initial_and_pointer): Update comment.
4163         (region_model::symbolic_greater_than): Replace usage of
4164         eval_condition_without_cm with eval_condition.
4165         * region-model.h
4166         (region_model::eval_condition_without_cm): Delete decl.
4168 2022-11-08  David Malcolm  <dmalcolm@redhat.com>
4170         * region-model-impl-calls.cc
4171         (region_model::impl_call_errno_location): New.
4172         * region-model-manager.cc
4173         (region_model_manager::region_model_manager): Initialize
4174         m_thread_local_region and m_errno_region.
4175         * region-model-manager.h (region_model_manager::get_errno_region):
4176         New accessor.
4177         (region_model_manager::m_thread_local_region): New.
4178         (region_model_manager::m_errno_region): New.
4179         * region-model.cc (region_model::on_call_pre): Special-case
4180         "__errno_location".
4181         (region_model::set_errno): New.
4182         * region-model.h (impl_call_errno_location): New decl.
4183         (region_model::set_errno): New decl.
4184         * region.cc (thread_local_region::dump_to_pp): New.
4185         (errno_region::dump_to_pp): New.
4186         * region.h (enum memory_space): Add MEMSPACE_THREAD_LOCAL.
4187         (enum region_kind): Add RK_THREAD_LOCAL and RK_ERRNO.
4188         (class thread_local_region): New.
4189         (is_a_helper <const thread_local_region *>::test): New.
4190         (class errno_region): New.
4191         (is_a_helper <const errno_region *>::test): New.
4192         * store.cc (binding_cluster::escaped_p): New.
4193         (store::escaped_p): Treat errno as always having escaped.
4194         (store::replay_call_summary_cluster): Handle RK_THREAD_LOCAL and
4195         RK_ERRNO.
4196         * store.h (binding_cluster::escaped_p): Remove definition.
4198 2022-11-08  David Malcolm  <dmalcolm@redhat.com>
4200         * call-info.cc (success_call_info::get_desc): Delete.
4201         (failed_call_info::get_desc): Likewise.
4202         (succeed_or_fail_call_info::get_desc): New.
4203         * call-info.h (class succeed_or_fail_call_info): New.
4204         (class success_call_info): Convert to a subclass of
4205         succeed_or_fail_call_info.
4206         (class failed_call_info): Likewise.
4208 2022-11-08  David Malcolm  <dmalcolm@redhat.com>
4210         * region-model-impl-calls.cc (region_model::impl_call_strchr):
4211         Move to on_call_post.  Handle both outcomes using bifurcation,
4212         rather than just the "not found" case.
4213         * region-model.cc (region_model::on_call_pre): Move
4214         BUILT_IN_STRCHR and "strchr" to...
4215         (region_model::on_call_post): ...here.
4217 2022-11-03  David Malcolm  <dmalcolm@redhat.com>
4219         * analyzer.h: Use std::unique_ptr for state machines from plugins.
4220         * engine.cc: Likewise.
4222 2022-11-03  David Malcolm  <dmalcolm@redhat.com>
4224         * analyzer.h: Use std::unique_ptr for known functions.
4225         * engine.cc: Likewise.
4226         * known-function-manager.cc: Likewise.
4227         * known-function-manager.h: Likewise.
4229 2022-11-03  David Malcolm  <dmalcolm@redhat.com>
4231         * analysis-plan.cc: Define INCLUDE_MEMORY before including
4232         system.h.
4233         * analyzer-pass.cc: Likewise.
4234         * analyzer-selftests.cc: Likewise.
4235         * analyzer.cc: Likewise.
4236         * analyzer.h: Use std::unique_ptr in bifurcation code.
4237         * call-string.cc: Define INCLUDE_MEMORY before including system.h.
4238         * complexity.cc: Likewise.
4239         * engine.cc: Use std::unique_ptr in bifurcation code.
4240         * exploded-graph.h: Likewise.
4241         * known-function-manager.cc: Define INCLUDE_MEMORY before
4242         including system.h.
4243         * region-model-impl-calls.cc: Use std::unique_ptr in bifurcation
4244         code.
4245         * region-model.cc: Likewise.
4246         * region-model.h: Likewise.
4247         * supergraph.cc: Define INCLUDE_MEMORY before including system.h.
4249 2022-11-03  David Malcolm  <dmalcolm@redhat.com>
4251         * call-info.cc: Use std::unique_ptr for checker_event.
4252         * checker-path.cc: Likewise.
4253         * checker-path.h: Likewise.
4254         * diagnostic-manager.cc: Likewise.
4255         * engine.cc: Likewise.
4256         * pending-diagnostic.cc: Likewise.
4257         * sm-signal.cc: Likewise.
4258         * varargs.cc: Likewise.
4260 2022-11-03  David Malcolm  <dmalcolm@redhat.com>
4262         * diagnostic-manager.cc: Include "make-unique.h".
4263         Use std::unique_ptr for feasibility_problems and exploded_path.
4264         Delete explicit saved_diagnostic dtor.
4265         * diagnostic-manager.h: Likewise.
4266         * engine.cc: Likewise.
4267         * exploded-graph.h: Likewise.
4268         * feasible-graph.cc: Likewise.
4269         * feasible-graph.h: Likewise.
4271 2022-11-03  David Malcolm  <dmalcolm@redhat.com>
4273         * checker-path.cc (rewind_event::rewind_event): Update for usage of
4274         std::unique_ptr on custom_edge_info.
4275         * engine.cc (exploded_node::on_longjmp): Likewise.
4276         (exploded_edge::exploded_edge): Likewise.
4277         (exploded_edge::~exploded_edge): Delete.
4278         (exploded_graph::add_function_entry): Update for usage of
4279         std::unique_ptr on custom_edge_info.
4280         (exploded_graph::add_edge): Likewise.
4281         (add_tainted_args_callback): Likewise.
4282         (exploded_graph::maybe_create_dynamic_call): Likewise.
4283         (exploded_graph::process_node): Likewise.
4284         * exploded-graph.h (exploded_edge::~exploded_edge): Delete.
4285         (exploded_edge::m_custom_info): Use std::unique_ptr.
4286         (exploded_edge::add_edge): Likewise.
4287         * sm-signal.cc (register_signal_handler::impl_transition): Use
4288         make_unique.
4290 2022-11-03  David Malcolm  <dmalcolm@redhat.com>
4292         * diagnostic-manager.cc (saved_diagnostic::saved_diagnostic): Make
4293         stmt_finder const.
4294         (saved_diagnostic::~saved_diagnostic): Remove explicit delete of
4295         m_stmt_finder.
4296         (diagnostic_manager::add_diagnostic): Make stmt_finder const.
4297         * diagnostic-manager.h (saved_diagnostic::saved_diagnostic):
4298         Likewise.
4299         (saved_diagnostic::m_stmt_finder): Convert to std::unique_ptr.
4300         (diagnostic_manager::add_diagnostic): Make stmt_finder const.
4301         * engine.cc (impl_sm_context::impl_sm_context): Likewise.
4302         (impl_sm_context::m_stmt_finder): Likewise.
4303         (leak_stmt_finder::clone): Convert return type to std::unique_ptr.
4304         * exploded-graph.h (stmt_finder::clone): Likewise.
4306 2022-11-03  David Malcolm  <dmalcolm@redhat.com>
4308         * call-info.cc: Add define of INCLUDE_MEMORY.
4309         * call-summary.cc: Likewise.
4310         * checker-path.cc: Likewise.
4311         * constraint-manager.cc: Likewise.
4312         * diagnostic-manager.cc: Likewise.
4313         (saved_diagnostic::saved_diagnostic): Use std::unique_ptr for
4314         param d and field m_d.
4315         (saved_diagnostic::~saved_diagnostic): Remove explicit delete of m_d.
4316         (saved_diagnostic::add_note): Use std::unique_ptr for
4317         param pn.
4318         (saved_diagnostic::get_pending_diagnostic): Update for conversion
4319         of m_sd.m_d to unique_ptr.
4320         (diagnostic_manager::add_diagnostic): Use std::unique_ptr for
4321         param d.  Remove explicit deletion.
4322         (diagnostic_manager::add_note): Use std::unique_ptr for param pn.
4323         (diagnostic_manager::emit_saved_diagnostic): Update for conversion
4324         of m_sd.m_d to unique_ptr.
4325         (null_assignment_sm_context::warn): Use std::unique_ptr for
4326         param d.  Remove explicit deletion.
4327         * diagnostic-manager.h (saved_diagnostic::saved_diagnostic): Use
4328         std::unique_ptr for param d.
4329         (saved_diagnostic::add_note): Likewise for param pn.
4330         (saved_diagnostic::m_d): Likewise.
4331         (diagnostic_manager::add_diagnostic): Use std::unique_ptr for
4332         param d.
4333         (diagnostic_manager::add_note): Use std::unique_ptr for param pn.
4334         * engine.cc: Include "make-unique.h".
4335         (impl_region_model_context::warn): Update to use std::unique_ptr
4336         for param, removing explicit deletion.
4337         (impl_region_model_context::add_note): Likewise.
4338         (impl_sm_context::warn): Update to use std::unique_ptr
4339         for param.
4340         (impl_region_model_context::on_state_leak): Likewise for result of
4341         on_leak.
4342         (exploded_node::on_longjmp): Use make_unique when creating
4343         pending_diagnostic.
4344         (exploded_graph::process_node): Likewise.
4345         * exploded-graph.h (impl_region_model_context::warn): Update to
4346         use std::unique_ptr for param.
4347         (impl_region_model_context::add_note): Likewise.
4348         * feasible-graph.cc: Add define of INCLUDE_MEMORY.
4349         * pending-diagnostic.cc: Likewise.
4350         * pending-diagnostic.h: Include "analyzer/sm.h".
4351         * program-point.cc: Add define of INCLUDE_MEMORY.
4352         * program-state.cc: Likewise.
4353         * region-model-asm.cc: Likewise.
4354         * region-model-impl-calls.cc: Likewise.  Include "make-unique.h".
4355         (region_model::impl_call_putenv): Use make_unique when creating
4356         pending_diagnostic.
4357         * region-model-manager.cc: Add define of INCLUDE_MEMORY.
4358         * region-model-reachability.cc: Likewise.
4359         * region-model.cc: Likewise.  Include "make-unique.h".
4360         (region_model::get_gassign_result): Use make_unique when creating
4361         pending_diagnostic.
4362         (region_model::check_for_poison): Likewise.
4363         (region_model::on_stmt_pre): Likewise.
4364         (region_model::check_symbolic_bounds): Likewise.
4365         (region_model::check_region_bounds): Likewise.
4366         (annotating_ctxt: make_note): Use std::unique_ptr for result.
4367         (region_model::deref_rvalue): Use make_unique when creating
4368         pending_diagnostic.
4369         (region_model::check_for_writable_region): Likewise.
4370         (region_model::check_region_size): Likewise.
4371         (region_model::check_dynamic_size_for_floats): Likewise.
4372         (region_model::maybe_complain_about_infoleak): Likewise.
4373         (noop_region_model_context::add_note): Use std::unique_ptr for
4374         param.  Remove explicit deletion.
4375         * region-model.h: Include "analyzer/pending-diagnostic.h".
4376         (region_model_context::warn): Convert param to std::unique_ptr.
4377         (region_model_context::add_note): Likewise.
4378         (noop_region_model_context::warn): Likewise.
4379         (noop_region_model_context::add_note): Likewise.
4380         (region_model_context_decorator::warn): Likewise.
4381         (region_model_context_decorator::add_note): Likewise.
4382         (note_adding_context::warn): Likewise.
4383         (note_adding_context::make_note): Likewise for return type.
4384         (test_region_model_context::warn): Convert param to
4385         std::unique_ptr.
4386         * region.cc: Add define of INCLUDE_MEMORY.
4387         * sm-fd.cc: Likewise.  Include "make-unique.h".
4388         (fd_state_machine::check_for_fd_attrs): Use make_unique when
4389         creating pending_diagnostics.
4390         (fd_state_machine::on_open): Likewise.
4391         (fd_state_machine::on_creat): Likewise.
4392         (fd_state_machine::check_for_dup): Likewise.
4393         (fd_state_machine::on_close): Likewise.
4394         (fd_state_machine::check_for_open_fd): Likewise.
4395         (fd_state_machine::on_leak): Likewise, converting return type to
4396         std::unique_ptr.
4397         * sm-file.cc: Add define of INCLUDE_MEMORY.  Include
4398         "make-unique.h".
4399         (fileptr_state_machine::on_stmt): Use make_unique when creating
4400         pending_diagnostic.
4401         (fileptr_state_machine::on_leak): Likewise, converting return type
4402         to std::unique_ptr.
4403         * sm-malloc.cc: Add define of INCLUDE_MEMORY.  Include
4404         "make-unique.h".
4405         (malloc_state_machine::on_stmt): Use make_unique when creating
4406         pending_diagnostic.
4407         (malloc_state_machine::handle_free_of_non_heap): Likewise.
4408         (malloc_state_machine::on_deallocator_call): Likewise.
4409         (malloc_state_machine::on_realloc_call): Likewise.
4410         (malloc_state_machine::on_leak): Likewise, converting return type
4411         to std::unique_ptr.
4412         * sm-pattern-test.cc: Add define of INCLUDE_MEMORY.  Include
4413         "make-unique.h".
4414         (pattern_test_state_machine::on_condition): Use make_unique when
4415         creating pending_diagnostic.
4416         * sm-sensitive.cc: Add define of INCLUDE_MEMORY.  Include
4417         "make-unique.h".
4418         (sensitive_state_machine::warn_for_any_exposure): Use make_unique
4419         when creating pending_diagnostic.
4420         * sm-signal.cc: Add define of INCLUDE_MEMORY.  Include
4421         "make-unique.h".
4422         (signal_state_machine::on_stmt): Use make_unique when creating
4423         pending_diagnostic.
4424         * sm-taint.cc: Add define of INCLUDE_MEMORY.  Include
4425         "make-unique.h".
4426         (taint_state_machine::check_for_tainted_size_arg): Use make_unique
4427         when creating pending_diagnostic.
4428         (taint_state_machine::check_for_tainted_divisor): Likewise.
4429         (region_model::check_region_for_taint): Likewise.
4430         (region_model::check_dynamic_size_for_taint): Likewise.
4431         * sm.cc: Add define of INCLUDE_MEMORY.  Include
4432         "analyzer/pending-diagnostic.h".
4433         (state_machine::on_leak): Move here from sm.h, changing return
4434         type to std::unique_ptr.
4435         * sm.h (state_machine::on_leak): Change return type to
4436         std::unique_ptr.  Move defn of base impl to sm.cc
4437         (sm_context::warn): Convert param d to std_unique_ptr.
4438         * state-purge.cc: Add define of INCLUDE_MEMORY.
4439         * store.cc: Likewise.
4440         * svalue.cc: Likewise.
4441         * trimmed-graph.cc: Likewise.
4442         * varargs.cc: Likewise.  Include "make-unique.h".
4443         (va_list_state_machine::check_for_ended_va_list): Use make_unique
4444         when creating pending_diagnostic.
4445         (va_list_state_machine::on_leak): Likewise, converting return type
4446         to std::unique_ptr.
4447         (region_model::impl_call_va_arg): Use make_unique when creating
4448         pending_diagnostic.

2022-11-03  David Malcolm  <dmalcolm@redhat.com>

	PR analyzer/107486
	* analyzer.cc (is_pipe_call_p): New.
	* analyzer.h (is_pipe_call_p): New decl.
	* region-model.cc (region_model::on_call_pre): Use it.
	(region_model::on_call_post): Likewise.

2022-10-26  David Malcolm  <dmalcolm@redhat.com>

	* sm-fd.cc (fd_state_machine::on_open): Transition to "unchecked"
	when the mode is symbolic, rather than just on integer constants.
	(fd_state_machine::check_for_open_fd): Don't complain about
	unchecked values in the start state.

2022-10-26  David Malcolm  <dmalcolm@redhat.com>

	* sm-fd.dot: New file.

2022-10-24  David Malcolm  <dmalcolm@redhat.com>

	PR analyzer/107349
	* varargs.cc (get_va_copy_arg): Fix the non-pointer case.

2022-10-24  David Malcolm  <dmalcolm@redhat.com>

	PR analyzer/107345
	* region-model.cc (region_model::eval_condition_without_cm):
	Ensure that constants are on the right-hand side before checking
	for them.

2022-10-24  David Malcolm  <dmalcolm@redhat.com>

	* engine.cc (impl_region_model_context::get_malloc_map): Replace
	with...
	(impl_region_model_context::get_state_map_by_name): ...this.
	(impl_region_model_context::get_fd_map): Delete.
	(impl_region_model_context::get_taint_map): Delete.
	* exploded-graph.h (impl_region_model_context::get_fd_map):
	Delete.
	(impl_region_model_context::get_malloc_map): Delete.
	(impl_region_model_context::get_taint_map): Delete.
	(impl_region_model_context::get_state_map_by_name): New.
	* region-model.h (region_model_context::get_state_map_by_name):
	New vfunc.
	(region_model_context::get_fd_map): Convert from vfunc to
	function.
	(region_model_context::get_malloc_map): Likewise.
	(region_model_context::get_taint_map): Likewise.
	(noop_region_model_context::get_state_map_by_name): New.
	(noop_region_model_context::get_fd_map): Delete.
	(noop_region_model_context::get_malloc_map): Delete.
	(noop_region_model_context::get_taint_map): Delete.
	(region_model_context_decorator::get_state_map_by_name): New.
	(region_model_context_decorator::get_fd_map): Delete.
	(region_model_context_decorator::get_malloc_map): Delete.
	(region_model_context_decorator::get_taint_map): Delete.

2022-10-24  David Malcolm  <dmalcolm@redhat.com>

	PR analyzer/106300
	* engine.cc (impl_region_model_context::get_fd_map): New.
	* exploded-graph.h (impl_region_model_context::get_fd_map): New
	decl.
	* region-model-impl-calls.cc (region_model::impl_call_pipe): New.
	* region-model.cc (region_model::update_for_int_cst_return): New,
	based on...
	(region_model::update_for_zero_return): ...this.  Reimplement in
	terms of the former.
	(region_model::on_call_pre): Handle "pipe" and "pipe2".
	(region_model::on_call_post): Likewise.
	* region-model.h (region_model::impl_call_pipe): New decl.
	(region_model::update_for_int_cst_return): New decl.
	(region_model::mark_as_valid_fd): New decl.
	(region_model_context::get_fd_map): New pure virtual fn.
	(noop_region_model_context::get_fd_map): New.
	(region_model_context_decorator::get_fd_map): New.
	* sm-fd.cc: Include "analyzer/program-state.h".
	(fd_state_machine::describe_state_change): Handle transitions from
	start state to valid states.
	(fd_state_machine::mark_as_valid_fd): New.
	(fd_state_machine::on_stmt): Add missing return for "creat".
	(region_model::mark_as_valid_fd): New.

2022-10-19  David Malcolm  <dmalcolm@redhat.com>

	PR analyzer/105765
	* varargs.cc (get_BT_VALIST_ARG): Rename to...
	(get_va_copy_arg): ...this, and update logic for determining level
	of indirection of va_copy's argument to use type of argument,
	rather than looking at va_list_type_node, to correctly handle
	__builtin_ms_va_copy.
	(get_stateful_BT_VALIST_ARG): Rename to...
	(get_stateful_va_copy_arg): ...this.
	(va_list_state_machine::on_va_copy): Update for renaming.
	(region_model::impl_call_va_copy): Likewise.

2022-10-13  David Malcolm  <dmalcolm@redhat.com>

	PR analyzer/107210
	* svalue.cc (constant_svalue::maybe_fold_bits_within): Only
	attempt to extract individual bits when tree_fits_uhwi_p.

2022-10-07  David Malcolm  <dmalcolm@redhat.com>

	PR analyzer/105783
	* region-model.cc (selftest::get_bit): New function.
	(selftest::test_bits_within_svalue_folding): New.
	(selftest::analyzer_region_model_cc_tests): Call it.
	* svalue.cc (constant_svalue::maybe_fold_bits_within): Handle the
	case of extracting a single bit.

2022-10-06  David Malcolm  <dmalcolm@redhat.com>

	PR analyzer/107158
	* store.cc (store::replay_call_summary_cluster): Eliminate
	special-casing of RK_HEAP_ALLOCATED in favor of sharing code with
	RK_DECL, avoiding an ICE due to attempting to bind a
	compound_svalue into a binding_cluster when an svalue in the
	summary cluster converts to a compound_svalue in the caller.

2022-10-06  David Malcolm  <dmalcolm@redhat.com>

	* call-summary.cc (call_summary_replay::dump_to_pp): Bulletproof
	against NULL caller regions/svalues.

2022-10-05  David Malcolm  <dmalcolm@redhat.com>

	* analysis-plan.cc: Simplify includes.
	* analyzer-pass.cc: Likewise.
	* analyzer-selftests.cc: Likewise.
	* analyzer.cc: Likewise.
	* analyzer.h: Add includes of "json.h" and "tristate.h".
	* call-info.cc: Simplify includes.
	* call-string.cc: Likewise.
	* call-summary.cc: Likewise.
	* checker-path.cc: Likewise.
	* complexity.cc: Likewise.
	* constraint-manager.cc: Likewise.
	* diagnostic-manager.cc: Likewise.
	* engine.cc: Likewise.
	* feasible-graph.cc: Likewise.
	* known-function-manager.cc: Likewise.
	* pending-diagnostic.cc: Likewise.
	* program-point.cc: Likewise.
	* program-state.cc: Likewise.
	* region-model-asm.cc: Likewise.
	* region-model-impl-calls.cc: Likewise.
	* region-model-manager.cc: Likewise.
	* region-model-reachability.cc: Likewise.
	* region-model.cc: Likewise.
	* region-model.h: Include "selftest.h".
	* region.cc: Simplify includes.
	* sm-fd.cc: Likewise.
	* sm-file.cc: Likewise.
	* sm-malloc.cc: Likewise.
	* sm-pattern-test.cc: Likewise.
	* sm-sensitive.cc: Likewise.
	* sm-signal.cc: Likewise.
	* sm-taint.cc: Likewise.
	* sm.cc: Likewise.
	* state-purge.cc: Likewise.
	* store.cc: Likewise.
	* store.h: Likewise.
	* supergraph.cc: Likewise.
	* svalue.cc: Likewise.
	* svalue.h: Likewise.
	* trimmed-graph.cc: Likewise.
	* varargs.cc: Likewise.

2022-10-05  David Malcolm  <dmalcolm@redhat.com>

	PR analyzer/107060
	* call-summary.cc
	(call_summary_replay::convert_svalue_from_summary_1): Handle NULL
	results from convert_svalue_from_summary in SK_UNARY_OP and
	SK_BIN_OP.
	* engine.cc (impl_region_model_context::on_unknown_change): Bail
	out on svalues that can't have associated state.
	* region-model-impl-calls.cc
	(region_model::impl_call_analyzer_get_unknown_ptr): New.
	* region-model.cc (region_model::on_stmt_pre): Handle
	"__analyzer_get_unknown_ptr".
	* region-model.h
	(region_model::impl_call_analyzer_get_unknown_ptr): New decl.
	* store.cc (store::replay_call_summary_cluster): Avoid trying to
	create binding clusters for base regions that shouldn't have them.

2022-10-05  Martin Liska  <mliska@suse.cz>

	* call-summary.cc (call_summary_replay::call_summary_replay):
	Remove unused variable and arguments.
	* call-summary.h: Likewise.
	* engine.cc (exploded_node::on_stmt): Likewise.
	(exploded_node::replay_call_summaries): Likewise.
	(exploded_node::replay_call_summary): Likewise.
	* exploded-graph.h (class exploded_node): Likewise.

2022-10-05  David Malcolm  <dmalcolm@redhat.com>

	PR analyzer/107072
	* analyzer-logging.h: Include "diagnostic-core.h".
	* analyzer.h: Include "function.h".
	(class call_summary): New forward decl.
	(class call_summary_replay): New forward decl.
	(struct per_function_data): New forward decl.
	(struct interesting_t): New forward decl.
	(custom_edge_info::update_state): New vfunc.
	* call-info.cc (custom_edge_info::update_state): New.
	* call-summary.cc: New file.
	* call-summary.h: New file.
	* constraint-manager.cc: Include "analyzer/call-summary.h".
	(class replay_fact_visitor): New.
	(constraint_manager::replay_call_summary): New.
	* constraint-manager.h (constraint_manager::replay_call_summary):
	New.
	* engine.cc: Include "analyzer/call-summary.h".
	(exploded_node::on_stmt): Handle call summaries.
	(class call_summary_edge_info): New.
	(exploded_node::replay_call_summaries): New.
	(exploded_node::replay_call_summary): New.
	(per_function_data::~per_function_data): New.
	(per_function_data::add_call_summary): Move here from header and
	reimplement.
	(exploded_graph::process_node): Call update_state rather than
	update_model when handling bifurcation.
	(viz_callgraph_node::dump_dot): Use a regular label rather
	than an HTML table; add summaries to dump.
	* exploded-graph.h: Include "alloc-pool.h", "fibonacci_heap.h",
	"supergraph.h", "sbitmap.h", "shortest-paths.h", "analyzer/sm.h",
	"analyzer/program-state.h", and "analyzer/diagnostic-manager.h".
	(exploded_node::replay_call_summaries): New decl.
	(exploded_node::replay_call_summary): New decl.
	(per_function_data::~per_function_data): New decl.
	(per_function_data::add_call_summary): Move implementation from
	header.
	(per_function_data::m_summaries): Update type of element.
	* known-function-manager.h: Include "analyzer/analyzer-logging.h".
	* program-point.h: Include "pretty-print.h" and
	"analyzer/call-string.h".
	* program-state.cc: Include "analyzer/call-summary.h".
	(sm_state_map::replay_call_summary): New.
	(program_state::replay_call_summary): New.
	* program-state.h (sm_state_map::replay_call_summary): New decl.
	(program_state::replay_call_summary): New decl.
	* region-model-manager.cc
	(region_model_manager::get_or_create_asm_output_svalue): New
	overload.
	* region-model-manager.h
	(region_model_manager::get_or_create_asm_output_svalue): New
	overload decl.
	* region-model.cc: Include "analyzer/call-summary.h".
	(region_model::maybe_update_for_edge): Remove call to
	region_model::update_for_call_summary on
	SUPEREDGE_INTRAPROCEDURAL_CALL.
	(region_model::update_for_call_summary): Delete.
	(region_model::replay_call_summary): New.
	* region-model.h (region_model::replay_call_summary): New decl.
	(region_model::update_for_call_summary): Delete decl.
	* store.cc: Include "analyzer/call-summary.h".
	(store::replay_call_summary): New.
	(store::replay_call_summary_cluster): New.
	* store.h: Include "tristate.h".
	(is_a_helper <const ana::concrete_binding *>::test): New.
	(store::replay_call_summary): New decl.
	(store::replay_call_summary_cluster): New decl.
	* supergraph.cc (get_ultimate_function_for_cgraph_edge): Remove
	"static" from decl.
	(supergraph_call_edge): Make stmt param const.
	* supergraph.h: Include "ordered-hash-map.h", "cfg.h",
	"basic-block.h", "gimple.h", "gimple-iterator.h", and "digraph.h".
	(supergraph_call_edge): Make stmt param const.
	(get_ultimate_function_for_cgraph_edge): New decl.
	* svalue.cc (compound_svalue::compound_svalue): Assert that we're
	not nesting compound_svalues.
	* svalue.h: Include "json.h", "analyzer/store.h", and
	"analyzer/program-point.h".
	(asm_output_svalue::get_num_outputs): New accessor.

2022-10-05  David Malcolm  <dmalcolm@redhat.com>

	* region-model.h: Include "analyzer/region-model-manager.h".
	(class region_model_manager): Move decl to...
	* region-model-manager.h: ...this new file.

2022-10-05  David Malcolm  <dmalcolm@redhat.com>

	* region-model-manager.cc
	(region_model_manager::maybe_fold_unaryop): Fold -(-(VAL)) to VAL.

2022-10-05  David Malcolm  <dmalcolm@redhat.com>

	* region-model-manager.cc
	(region_model_manager::get_or_create_widening_svalue): Use a
	function_point rather than a program_point.
	* region-model.cc (selftest::test_widening_constraints): Likewise.
	* region-model.h
	(region_model_manager::get_or_create_widening_svalue): Likewise.
	(model_merger::get_function_point): New.
	* svalue.cc (svalue::can_merge_p): Use a function_point rather
	than a program_point.
	(svalue::can_merge_p): Likewise.
	* svalue.h (widening_svalue::key_t): Likewise.
	(widening_svalue::widening_svalue): Likewise.

2022-09-12  Martin Liska  <mliska@suse.cz>

	* region-model.cc (region_model::maybe_complain_about_infoleak):
	Remove unused fields.

2022-09-11  Tim Lange  <mail@tim-lange.me>

	PR analyzer/106845
	* region-model.cc (region_model::check_region_bounds):
	Bail out if 0 bytes were accessed.
	* store.cc (byte_range::dump_to_pp):
	Add special case for empty ranges.
	(byte_range::exceeds_p): Restrict to non-empty ranges.
	(byte_range::falls_short_of_p): Restrict to non-empty ranges.
	* store.h (bit_range::empty_p): New function.
	(bit_range::get_last_byte_offset): Restrict to non-empty ranges.
	(byte_range::empty_p): New function.
	(byte_range::get_last_byte_offset): Restrict to non-empty ranges.

2022-09-09  David Malcolm  <dmalcolm@redhat.com>

	* analyzer.opt (Wanalyzer-exposure-through-uninit-copy): New.
	* checker-path.cc (region_creation_event::region_creation_event):
	Add "capacity" and "kind" params.
	(region_creation_event::get_desc): Generalize to different kinds
	of event.
	(checker_path::add_region_creation_event): Convert to...
	(checker_path::add_region_creation_events): ...this.
	* checker-path.h (enum rce_kind): New.
	(region_creation_event::region_creation_event): Add "capacity" and
	"kind" params.
	(region_creation_event::m_capacity): New field.
	(region_creation_event::m_rce_kind): New field.
	(checker_path::add_region_creation_event): Convert to...
	(checker_path::add_region_creation_events): ...this.
	* diagnostic-manager.cc (diagnostic_manager::build_emission_path):
	Update for multiple region creation events.
	(diagnostic_manager::add_event_on_final_node): Likewise.
	(diagnostic_manager::add_events_for_eedge): Likewise.
	* region-model-impl-calls.cc (call_details::get_logger): New.
	* region-model.cc: Define INCLUDE_MEMORY before including
	"system.h".  Include "gcc-rich-location.h".
	(class record_layout): New.
	(class exposure_through_uninit_copy): New.
	(contains_uninit_p): New.
	(region_model::maybe_complain_about_infoleak): New.
	* region-model.h (call_details::get_logger): New decl.
	(region_model::maybe_complain_about_infoleak): New decl.
	(region_model::mark_as_tainted): New decl.
	* sm-taint.cc (region_model::mark_as_tainted): New.
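
The 2022-09-09 entry above adds -Wanalyzer-exposure-through-uninit-copy together with region_model::maybe_complain_about_infoleak, record_layout and contains_uninit_p. The following is an added illustration, not GCC's or the analyzer's own code, of the bug class that warning targets: every named field of a struct is set, but the padding between the fields is never written, and the whole object is then copied out verbatim (as a driver does with copy_to_user), so the padding carries leftover stack bytes to the caller. The struct layout (one char followed by an int32_t, giving 3 padding bytes on the common ABIs), the copy_to_user_sim stand-in and the 0xA5 sentinel that makes the leftover bytes observable are all assumptions of this example, not anything stated in the ChangeLog.

```c
/* Added example (not GCC's code): the infoleak pattern behind
   -Wanalyzer-exposure-through-uninit-copy, in plain user-space C so it
   compiles and runs anywhere.  A sentinel fill stands in for whatever
   the stack happened to hold; the kernel's copy_to_user() is replaced by
   a memcpy stand-in.  Both are constructed for the demonstration. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* 1 byte of payload, then (assumed: 3 bytes of) padding, then 4 bytes. */
struct report {
    char    tag;
    int32_t value;
};

#define SENTINEL 0xA5  /* constructed stand-in for leftover stack contents */

/* Stand-in for copy_to_user(): the receiver sees every byte, padding included. */
static void copy_to_user_sim(unsigned char *dst, const void *src, size_t n)
{
    memcpy(dst, src, n);
}

/* Vulnerable pattern: each *named* field is initialised, but the padding
   bytes between them are never written and are copied out as they are. */
static void fill_leaky(unsigned char *user_buf)
{
    struct report r;
    memset(&r, SENTINEL, sizeof r);   /* simulate stack garbage */
    r.tag = 'x';
    r.value = 42;
    copy_to_user_sim(user_buf, &r, sizeof r);
}

/* Hardened pattern: zero the whole object (or use a designated initialiser)
   before setting fields, so the padding is defined before the copy. */
static void fill_safe(unsigned char *user_buf)
{
    struct report r;
    memset(&r, SENTINEL, sizeof r);   /* same simulated garbage ... */
    memset(&r, 0, sizeof r);          /* ... wiped before any field is set */
    r.tag = 'x';
    r.value = 42;
    copy_to_user_sim(user_buf, &r, sizeof r);
}

/* Count bytes the receiver got that still hold the sentinel, i.e. bytes
   that were copied out without ever having been deliberately written. */
static size_t count_leaked_bytes(void (*fill)(unsigned char *))
{
    unsigned char user_buf[sizeof(struct report)];
    size_t leaked = 0;
    fill(user_buf);
    for (size_t i = 0; i < sizeof user_buf; i++)
        if (user_buf[i] == SENTINEL)
            leaked++;
    return leaked;
}

/* Total padding in struct report: everything that is not a named field. */
static size_t expected_padding(void)
{
    return sizeof(struct report) - (sizeof(char) + sizeof(int32_t));
}

int main(void)
{
    printf("field-by-field fill exposes %zu byte(s); struct has %zu padding byte(s)\n",
           count_leaked_bytes(fill_leaky), expected_padding());
    printf("zeroed fill exposes %zu byte(s)\n", count_leaked_bytes(fill_safe));
    return 0;
}
```

The leaky variant exposes exactly as many bytes as the struct has padding, the zeroed variant none. The analyzer's check models the same thing statically: it walks the record layout of the copied object and complains when any byte of it, field or padding, is still uninitialised at the copy.
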

2022-09-09  David Malcolm  <dmalcolm@redhat.com>

	* analyzer.h (class known_function_manager): New forward decl.
	(class known_function): New.
	(plugin_analyzer_init_iface::register_known_function): New.
	* engine.cc: Include "analyzer/known-function-manager.h".
	(plugin_analyzer_init_impl::plugin_analyzer_init_impl): Add
	known_fn_mgr param.
	(plugin_analyzer_init_impl::register_state_machine): Add
	LOC_SCOPE.
	(plugin_analyzer_init_impl::register_known_function): New.
	(plugin_analyzer_init_impl::m_known_fn_mgr): New.
	(impl_run_checkers): Update plugin callback invocation to use
	eng's known_function_manager.
	* known-function-manager.cc: New file.
	* known-function-manager.h: New file.
	* region-model-manager.cc
	(region_model_manager::region_model_manager): Pass logger to
	m_known_fn_mgr's ctor.
	* region-model.cc (region_model::update_for_zero_return): New.
	(region_model::update_for_nonzero_return): New.
	(maybe_simplify_upper_bound): New.
	(region_model::maybe_get_copy_bounds): New.
	(region_model::get_known_function): New.
	(region_model::on_call_pre): Handle plugin-supplied known
	functions.
	* region-model.h: Include "analyzer/known-function-manager.h".
	(region_model_manager::get_known_function_manager): New.
	(region_model_manager::m_known_fn_mgr): New.
	(call_details::get_model): New accessor.
	(region_model::maybe_get_copy_bounds): New decl.
	(region_model::update_for_zero_return): New decl.
	(region_model::update_for_nonzero_return): New decl.
	(region_model::get_known_function): New decl.
	(region_model::get_known_function_manager): New.

2022-09-08  Tim Lange  <mail@tim-lange.me>

	PR analyzer/106625
	* analyzer.h (region_offset): Eliminate m_is_symbolic member.
	* region-model-impl-calls.cc (region_model::impl_call_realloc):
	Refine implementation to be more precise.
	* region-model.cc (class symbolic_past_the_end):
	Abstract diagnostic class to complain about accesses past the end
	with symbolic values.
	(class symbolic_buffer_overflow):
	Concrete diagnostic class to complain about buffer overflows with
	symbolic values.
	(class symbolic_buffer_overread):
	Concrete diagnostic class to complain about buffer overreads with
	symbolic values.
	(region_model::check_symbolic_bounds): New function.
	(maybe_get_integer_cst_tree): New helper function.
	(region_model::check_region_bounds):
	Add call to check_symbolic_bounds if offset is not concrete.
	(region_model::eval_condition_without_cm):
	Add support for EQ_EXPR and GT_EXPR with binaryop_svalues.
	(is_positive_svalue): New helper function.
	(region_model::symbolic_greater_than):
	New function to handle GT_EXPR comparisons with symbolic values.
	(region_model::structural_equality): New function to compare
	whether two svalues are structured the same, i.e. evaluate to
	the same value.
	(test_struct): Reflect changes to region::calc_offset.
	(test_var): Likewise.
	(test_array_2): Likewise and add selftest with symbolic i.
	* region-model.h (class region_model): Add check_symbolic_bounds,
	symbolic_greater_than and structural_equality.
	* region.cc (region::get_offset):
	Reflect changes to region::calc_offset.
	(region::calc_offset):
	Compute the symbolic offset if the offset is not concrete.
	(region::get_relative_symbolic_offset): New function to return the
	symbolic offset in bytes relative to its parent.
	(field_region::get_relative_symbolic_offset): Likewise.
	(element_region::get_relative_symbolic_offset): Likewise.
	(offset_region::get_relative_symbolic_offset): Likewise.
	(bit_range_region::get_relative_symbolic_offset): Likewise.
	* region.h: Add get_relative_symbolic_offset.
	* store.cc (binding_key::make):
	Reflect changes to region::calc_offset.
	(binding_map::apply_ctor_val_to_range): Likewise.
	(binding_map::apply_ctor_pair_to_child_region): Likewise.
	(binding_cluster::bind_compound_sval): Likewise.
	(binding_cluster::get_any_binding): Likewise.
	(binding_cluster::maybe_get_compound_binding): Likewise.
4893 2022-09-05  Tim Lange  <mail@tim-lange.me>
4895         * region-model-impl-calls.cc (region_model::impl_call_strcpy):
4896         Handle the constant string case.
4897         * region-model.cc (region_model::get_string_size):
4898         New function to get the string size from a region or svalue.
4899         * region-model.h (class region_model): Add get_string_size.
4901 2022-09-05  Tim Lange  <mail@tim-lange.me>
4903         * region.cc (cast_region::get_relative_concrete_offset):
4904         New overloaded method.
4905         * region.h: Add cast_region::get_relative_concrete_offset.
4907 2022-08-22  Martin Liska  <mliska@suse.cz>
4909         * region-model.cc: Add missing final keyword.
4911 2022-08-18  Tim Lange  <mail@tim-lange.me>
4913         PR analyzer/106181
4914         * analyzer.opt: Add Wanalyzer-imprecise-floating-point-arithmetic.
4915         * region-model.cc (is_any_cast_p): Formatting.
4916         (region_model::check_region_size): Ensure precondition.
4917         (class imprecise_floating_point_arithmetic): New abstract
4918         diagnostic class for all floating-point related warnings.
4919         (class float_as_size_arg): Concrete diagnostic class to complain
4920         about floating-point operands inside the size argument.
4921         (class contains_floating_point_visitor):
4922         New visitor to find floating-point operands inside svalues.
4923         (region_model::check_dynamic_size_for_floats): New function.
4924         (region_model::set_dynamic_extents):
4925         Call to check_dynamic_size_for_floats.
4926         * region-model.h (class region_model):
4927         Add region_model::check_dynamic_size_for_floats.
4929 2022-08-16  Martin Liska  <mliska@suse.cz>
4931         * region-model.cc: Fix -Winconsistent-missing-override clang
4932         warning.
4933         * region.h: Likewise.
4935 2022-08-15  David Malcolm  <dmalcolm@redhat.com>
4937         PR analyzer/106626
4938         * region-model.cc (buffer_overread::emit): Fix copy&paste error in
4939         direction of the access in the note.
4941 2022-08-15  David Malcolm  <dmalcolm@redhat.com>
4943         PR analyzer/106573
4944         * region-model.cc (region_model::on_call_pre): Use check_call_args
4945         when ensuring that we call get_arg_svalue on all args.  Remove
4946         redundant call from handling for stdio builtins.
4948 2022-08-15  Immad Mir  <mirimmad@outlook.com>
4950         PR analyzer/106551
4951         * sm-fd.cc (check_for_dup): exit early if first
4952         argument is invalid for all dup functions.
4954 2022-08-12  Tim Lange  <mail@tim-lange.me>
4956         PR analyzer/106000
4957         * analyzer.opt: Add Wanalyzer-out-of-bounds.
4958         * region-model.cc (class out_of_bounds): Diagnostics base class
4959         for all out-of-bounds diagnostics.
4960         (class past_the_end): Base class derived from out_of_bounds for
4961         the buffer_overflow and buffer_overread diagnostics.
4962         (class buffer_overflow): Buffer overflow diagnostics.
4963         (class buffer_overread): Buffer overread diagnostics.
4964         (class buffer_underflow): Buffer underflow diagnostics.
4965         (class buffer_underread): Buffer overread diagnostics.
4966         (region_model::check_region_bounds): New function to check region
4967         bounds for out-of-bounds accesses.
4968         (region_model::check_region_access):
4969         Add call to check_region_bounds.
4970         (region_model::get_representative_tree): New function that accepts
4971         a region instead of an svalue.
4972         * region-model.h (class region_model):
4973         Add region_model::check_region_bounds.
4974         * region.cc (region::symbolic_p): New predicate.
4975         (offset_region::get_byte_size_sval): Only return the remaining
4976         byte size on offset_regions.
4977         * region.h: Add region::symbolic_p.
4978         * store.cc (byte_range::intersects_p):
4979         Add new function equivalent to bit_range::intersects_p.
4980         (byte_range::exceeds_p): New function.
4981         (byte_range::falls_short_of_p): New function.
4982         * store.h (struct byte_range): Add byte_range::intersects_p,
4983         byte_range::exceeds_p and byte_range::falls_short_of_p.
4985 2022-08-12  Tim Lange  <mail@tim-lange.me>
4987         PR analyzer/106539
4988         * region-model-impl-calls.cc (region_model::impl_call_realloc):
4989         Use the result of get_copied_size as the size for the
4990         sized_regions in realloc.
4991         (success_with_move::get_copied_size): New function.
4993 2022-08-11  Immad Mir  <mirimmad@outlook.com>
4995         PR analyzer/106551
4996         * sm-fd.cc (check_for_dup): Handle the m_start
4997         state when transitioning the state of LHS
4998         of dup, dup2 and dup3 call.
5000 2022-08-09  David Malcolm  <dmalcolm@redhat.com>
5002         PR analyzer/106573
5003         * region-model.cc (region_model::on_call_pre): Ensure that we call
5004         get_arg_svalue on all arguments.
5006 2022-08-05  David Malcolm  <dmalcolm@redhat.com>
5008         PR analyzer/105947
5009         * analyzer.opt (Wanalyzer-jump-through-null): New option.
5010         * engine.cc (class jump_through_null): New.
5011         (exploded_graph::process_node): Complain about jumps through NULL
5012         function pointers.
5014 2022-08-02  Immad Mir  <mirimmad@outlook.com>
5016         PR analyzer/106298
5017         * sm-fd.cc (fd_state_machine::on_open): Add
5018         creat, dup, dup2 and dup3 functions.
5019         (enum dup): New.
5020         (fd_state_machine::valid_to_unchecked_state): New.
5021         (fd_state_machine::on_creat): New.
5022         (fd_state_machine::on_dup): New.
5024 2022-07-28  David Malcolm  <dmalcolm@redhat.com>
5026         PR analyzer/105893
5027         * analyzer.opt (Wanalyzer-putenv-of-auto-var): New.
5028         * region-model-impl-calls.cc (class putenv_of_auto_var): New.
5029         (region_model::impl_call_putenv): New.
5030         * region-model.cc (region_model::on_call_pre): Handle putenv.
5031         * region-model.h (region_model::impl_call_putenv): New decl.
5033 2022-07-28  David Malcolm  <dmalcolm@redhat.com>
5035         * sm-malloc.cc (free_of_non_heap::emit): Add comment about CWE.
5036         * sm-taint.cc (tainted_size::emit): Likewise.
5038 2022-07-28  David Malcolm  <dmalcolm@redhat.com>
5040         * region.h: Add notes to the comment describing the region
5041         class hierarchy.
5043 2022-07-27  Immad Mir  <mirimmad@outlook.com>
5045         PR analyzer/106286
5046         * sm-fd.cc:
5047         (fd_diagnostic::get_meaning_for_state_change): New.
5049 2022-07-26  David Malcolm  <dmalcolm@redhat.com>
5051         PR analyzer/106319
5052         * store.cc (store::set_value): Don't strip away casts if the
5053         region has NULL type.
5055 2022-07-26  David Malcolm  <dmalcolm@redhat.com>
5057         * region.h (code_region::get_element): Remove stray decl.
5058         (function_region::get_element): Likewise.
5060 2022-07-25  Martin Liska  <mliska@suse.cz>
5062         * sm-fd.cc: Run dos2unix and fix coding style issues.
5064 2022-07-23  Immad Mir  <mirimmad@outlook.com>
5066         * sm-fd.cc (fd_param_diagnostic): New diagnostic class.
5067         (fd_access_mode_mismatch): Change inheritance from fd_diagnostic
5068         to fd_param_diagnostic. Add new overloaded constructor.
5069         (fd_use_after_close): Likewise.
5070         (unchecked_use_of_fd): Likewise and also change name to fd_use_without_check.
5071         (double_close): Change name to fd_double_close.
5072         (enum access_directions): New.
5073         (fd_state_machine::on_stmt): Handle calls to function with the
5074         new three function attributes.
5075         (fd_state_machine::check_for_fd_attrs): New.
5076         (fd_state_machine::on_open): Use the new overloaded constructors
5077         of diagnostic classes.
5079 2022-07-22  David Malcolm  <dmalcolm@redhat.com>
5081         PR analyzer/106413
5082         * varargs.cc (region_model::impl_call_va_start): Avoid iterating
5083         through non-existent variadic arguments by initializing the
5084         impl_region to "UNKNOWN" if the va_start occurs in the top-level
5085         function to the analysis.
5087 2022-07-22  David Malcolm  <dmalcolm@redhat.com>
5089         PR analyzer/106401
5090         * store.cc (binding_cluster::binding_cluster): Remove overzealous
5091         assertion; we're checking for tracked_p in
5092         store::get_or_create_cluster.
5094 2022-07-22  Tim Lange  <mail@tim-lange.me>
5096         PR analyzer/106394
5097         * region-model.cc (capacity_compatible_with_type): Always return true
5098         if alloc_size is zero.
5100 2022-07-21  David Malcolm  <dmalcolm@redhat.com>
5102         PR analyzer/106383
5103         * varargs.cc (region_model::impl_call_va_arg): When determining if
5104         we're doing interprocedural analysis, use the stack depth of the
5105         frame in which va_start was called, rather than the current stack
5106         depth.
5108 2022-07-21  David Malcolm  <dmalcolm@redhat.com>
5110         * sm-taint.cc (tainted_array_index::emit): Bulletproof against
5111         NULL m_arg.
5112         (tainted_array_index::describe_final_event): Likewise.
5113         (tainted_size::emit): Likewise.
5114         (tainted_size::describe_final_event): Likewise.
5116 2022-07-21  David Malcolm  <dmalcolm@redhat.com>
5118         PR analyzer/106374
5119         * region.cc (decl_region::get_svalue_for_initializer): Bail out on
5120         untracked regions.
5122 2022-07-20  David Malcolm  <dmalcolm@redhat.com>
5124         PR analyzer/106373
5125         * sm-taint.cc (taint_state_machine::on_condition): Potentially
5126         update the state of the RHS as well as the LHS.
5128 2022-07-20  David Malcolm  <dmalcolm@redhat.com>
5130         PR analyzer/106359
5131         * region.h (string_region::tracked_p): New.
5132         * store.cc (binding_cluster::binding_cluster): Move here from
5133         store.h.  Add assertion that base_region is tracked_p.
5134         * store.h (binding_cluster::binding_cluster): Move to store.cc.
5136 2022-07-19  David Malcolm  <dmalcolm@redhat.com>
5138         PR analyzer/106321
5139         * constraint-manager.h (bounded_ranges::get_count): New.
5140         (bounded_ranges::get_range): New.
5141         * engine.cc (impl_region_model_context::on_bounded_ranges): New.
5142         * exploded-graph.h (impl_region_model_context::on_bounded_ranges):
5143         New decl.
5144         * region-model.cc (region_model::apply_constraints_for_gswitch):
5145         Potentially call ctxt->on_bounded_ranges.
5146         * region-model.h (region_model_context::on_bounded_ranges): New
5147         vfunc.
5148         (noop_region_model_context::on_bounded_ranges): New.
5149         (region_model_context_decorator::on_bounded_ranges): New.
5150         * sm-taint.cc: Include "analyzer/constraint-manager.h".
5151         (taint_state_machine::on_bounded_ranges): New.
5152         * sm.h (state_machine::on_bounded_ranges): New.
5154 2022-07-19  David Malcolm  <dmalcolm@redhat.com>
5156         * engine.cc (exploded_graph::process_node): Show any description
5157         of the out-edge when logging it for consideration.
5159 2022-07-15  David Malcolm  <dmalcolm@redhat.com>
5161         PR analyzer/106284
5162         * sm-taint.cc (taint_state_machine::on_condition): Handle range
5163         checks optimized by build_range_check.
5165 2022-07-15  Jonathan Wakely  <jwakely@redhat.com>
5167         * call-info.cc (call_info::print): Adjust to new label_text API.
5168         * checker-path.cc (checker_event::dump): Likewise.
5169         (region_creation_event::get_desc): Likewise.
5170         (state_change_event::get_desc): Likewise.
5171         (superedge_event::should_filter_p): Likewise.
5172         (start_cfg_edge_event::get_desc): Likewise.
5173         (call_event::get_desc): Likewise.
5174         (return_event::get_desc): Likewise.
5175         (warning_event::get_desc): Likewise.
5176         (checker_path::dump): Likewise.
5177         (checker_path::debug): Likewise.
5178         * diagnostic-manager.cc (diagnostic_manager::prune_for_sm_diagnostic):
5179         Likewise.
5180         (diagnostic_manager::prune_interproc_events): Likewise.
5181         * engine.cc (feasibility_state::maybe_update_for_edge):
5182         Likewise.
5183         * program-state.cc (sm_state_map::to_json): Likewise.
5184         * region-model-impl-calls.cc (region_model::impl_call_analyzer_describe): Likewise.
5185         (region_model::impl_call_analyzer_dump_capacity): Likewise.
5186         * region.cc (region::to_json): Likewise.
5187         * sm-malloc.cc (inform_nonnull_attribute): Likewise.
5188         * store.cc (binding_map::to_json): Likewise.
5189         (store::to_json): Likewise.
5190         * supergraph.cc (superedge::dump): Likewise.
5191         * svalue.cc (svalue::to_json): Likewise.
5193 2022-07-07  David Malcolm  <dmalcolm@redhat.com>
5195         * checker-path.cc (start_cfg_edge_event::get_desc): Update for
5196         superedge::get_description returning a label_text.
5197         * engine.cc (feasibility_state::maybe_update_for_edge): Likewise.
5198         * supergraph.cc (superedge::dump): Likewise.
5199         (superedge::get_description): Convert return type from char * to
5200         label_text.
5201         * supergraph.h (superedge::get_description): Likewise.
5203 2022-07-07  David Malcolm  <dmalcolm@redhat.com>
5205         * call-info.cc (call_info::print): Update for removal of
5206         label_text::maybe_free in favor of automatic memory management.
5207         * checker-path.cc (checker_event::dump): Likewise.
5208         (checker_event::prepare_for_emission): Likewise.
5209         (state_change_event::get_desc): Likewise.
5210         (superedge_event::should_filter_p): Likewise.
5211         (start_cfg_edge_event::get_desc): Likewise.
5212         (warning_event::get_desc): Likewise.
5213         (checker_path::dump): Likewise.
5214         (checker_path::debug): Likewise.
5215         * diagnostic-manager.cc
5216         (diagnostic_manager::prune_for_sm_diagnostic): Likewise.
5217         (diagnostic_manager::prune_interproc_events): Likewise.
5218         * program-state.cc (sm_state_map::to_json): Likewise.
5219         * region.cc (region::to_json): Likewise.
5220         * sm-malloc.cc (inform_nonnull_attribute): Likewise.
5221         * store.cc (binding_map::to_json): Likewise.
5222         (store::to_json): Likewise.
5223         * svalue.cc (svalue::to_json): Likewise.
5225 2022-07-07  David Malcolm  <dmalcolm@redhat.com>
5227         PR analyzer/106225
5228         * sm-taint.cc (taint_state_machine::on_stmt): Move handling of
5229         assignments from division to...
5230         (taint_state_machine::check_for_tainted_divisor): ...this new
5231         function.  Reject warning when the divisor is known to be non-zero.
5232         * sm.cc: Include "analyzer/program-state.h".
5233         (sm_context::get_old_region_model): New.
5234         * sm.h (sm_context::get_old_region_model): New decl.
5236 2022-07-06  Immad Mir  <mirimmad@outlook.com>
5238         PR analyzer/106184
5239         * sm-fd.cc (fd_state_machine): Change ordering of initialization
5240         of state m_invalid so that the order of initializers is same as
5241         the ordering of the fields in the class decl.
5243 2022-07-06  Immad Mir  <mirimmad@outlook.com>
5245         * sm-fd.cc (use_after_close): Save the "close" event and
5246         show it where possible.
5248 2022-07-06  David Malcolm  <dmalcolm@redhat.com>
5250         PR analyzer/106204
5251         * region-model.cc (within_short_circuited_stmt_p): Move extraction
5252         of assign_stmt to caller.
5253         (due_to_ifn_deferred_init_p): New.
5254         (region_model::check_for_poison): Move extraction of assign_stmt
5255         from within_short_circuited_stmt_p to here.  Share logic with
5256         call to due_to_ifn_deferred_init_p.
5258 2022-07-02  Tim Lange  <mail@tim-lange.me>
5260         PR analyzer/105900
5261         * analyzer.opt: Added Wanalyzer-allocation-size.
5262         * checker-path.cc (region_creation_event::get_desc): Added call to new
5263         virtual function pending_diagnostic::describe_region_creation_event.
5264         * checker-path.h: Added region_creation_event::get_desc.
5265         * diagnostic-manager.cc (diagnostic_manager::add_event_on_final_node):
5266         New function.
5267         * diagnostic-manager.h:
5268         Added diagnostic_manager::add_event_on_final_node.
5269         * pending-diagnostic.h (struct region_creation): New event_desc struct.
5270         (pending_diagnostic::describe_region_creation_event): Added virtual
5271         function to overwrite description of a region creation.
5272         * region-model.cc (class dubious_allocation_size): New class.
5273         (capacity_compatible_with_type): New helper function.
5274         (class size_visitor): New class.
5275         (struct_or_union_with_inheritance_p): New helper function.
5276         (is_any_cast_p): New helper function.
5277         (region_model::check_region_size): New function.
5278         (region_model::set_value): Added call to
5279         region_model::check_region_size.
5280         * region-model.h (class region_model): New function check_region_size.
5281         * svalue.cc (region_svalue::accept): Changed to post-order traversal.
5282         (initial_svalue::accept): Likewise.
5283         (unaryop_svalue::accept): Likewise.
5284         (binop_svalue::accept): Likewise.
5285         (sub_svalue::accept): Likewise.
5286         (repeated_svalue::accept): Likewise.
5287         (bits_within_svalue::accept): Likewise.
5288         (widening_svalue::accept): Likewise.
5289         (unmergeable_svalue::accept): Likewise.
5290         (compound_svalue::accept): Likewise.
5291         (conjured_svalue::accept): Likewise.
5292         (asm_output_svalue::accept): Likewise.
5293         (const_fn_result_svalue::accept): Likewise.
5295 2022-07-02  Immad Mir  <mirimmad17@gmail.com>
5297         PR analyzer/106003
5298         * analyzer.opt (Wanalyzer-fd-leak): New option.
5299         (Wanalyzer-fd-access-mode-mismatch): New option.
5300         (Wanalyzer-fd-use-without-check): New option.
5301         (Wanalyzer-fd-double-close): New option.
5302         (Wanalyzer-fd-use-after-close): New option.
5303         * sm.h (make_fd_state_machine): New decl.
5304         * sm.cc (make_checkers): Call make_fd_state_machine.
5305         * sm-fd.cc: New file.
5307 2022-06-24  David Malcolm  <dmalcolm@redhat.com>
5309         * call-string.cc: Add includes of "analyzer/analyzer.h"
5310         and "analyzer/analyzer-logging.h".
5311         (call_string::call_string): Delete copy ctor.
5312         (call_string::operator=): Delete.
5313         (call_string::operator==): Delete.
5314         (call_string::hash): Delete.
5315         (call_string::push_call): Make const, returning the resulting
5316         call_string.
5317         (call_string::pop): Delete.
5318         (call_string::cmp_ptr_ptr): New.
5319         (call_string::validate): Assert that m_parent is non-NULL, or
5320         m_elements is empty.
5321         (call_string::call_string): Move default ctor here from
5322         call-string.h and reimplement.  Add ctor taking a parent
5323         and an element.
5324         (call_string::~call_string): New.
5325         (call_string::recursive_log): New.
5326         * call-string.h (call_string::call_string): Move default ctor's
5327         defn to call-string.cc.  Delete copy ctor.  Add ctor taking a
5328         parent and an element.
5329         (call_string::operator=): Delete.
5330         (call_string::operator==): Delete.
5331         (call_string::hash): Delete.
5332         (call_string::push_call): Make const, returning the resulting
5333         call_string.
5334         (call_string::pop): Delete decl.
5335         (call_string::get_parent): New.
5336         (call_string::cmp_ptr_ptr): New decl.
5337         (call_string::get_top_of_stack): New.
5338         (struct call_string::hashmap_traits_t): New.
5339         (class call_string): Add friend class region_model_manager.  Add
5340         DISABLE_COPY_AND_ASSIGN.
5341         (call_string::~call_string): New decl.
5342         (call_string::recursive_log): New decl.
5343         (call_string::m_parent): New field.
5344         (call_string::m_children): New field.
5345         * constraint-manager.cc (selftest::test_many_constants): Pass
5346         model manager to program_point::origin.
5347         * engine.cc (exploded_graph::exploded_graph): Likewise.
5348         (exploded_graph::add_function_entry): Likewise for
5349         program_point::from_function_entry.
5350         (add_tainted_args_callback): Likewise.
5351         (exploded_graph::maybe_process_run_of_before_supernode_enodes):
5352         Update for change to program_point.get_call_string.
5353         (exploded_graph::process_node): Likewise.
5354         (class function_call_string_cluster): Convert m_cs from a
5355         call_string to a const call_string &.
5356         (struct function_call_string): Likewise.
5357         (pod_hash_traits<function_call_string>::hash): Use pointer_hash
5358         for m_cs.
5359         (pod_hash_traits<function_call_string>::equal): Update for change
5360         to m_cs.
5361         (root_cluster::add_node): Update for change to
5362         function_call_string.
5363         (viz_callgraph_node::dump_dot): Update for change to call_string.
5364         * exploded-graph.h (per_call_string_data::m_key): Convert to a
5365         reference.
5366         (struct eg_call_string_hash_map_traits): Delete.
5367         (exploded_graph::call_string_data_map_t): Remove traits class.
5368         * program-point.cc: Move include of "analyzer/call-string.h" to
5369         after "analyzer/analyzer-logging.h".
5370         (program_point::print): Update for conversion of m_call_string to
5371         a pointer.
5372         (program_point::to_json): Likewise.
5373         (program_point::push_to_call_stack): Update for immutability of
5374         call strings.
5375         (program_point::pop_from_call_stack): Likewise.
5376         (program_point::hash): Use pointer hashing for m_call_string.
5377         (program_point::get_function_at_depth): Update for change to
5378         m_call_string.
5379         (program_point::validate): Update for changes to call_string.
5380         (program_point::on_edge): Likewise.
5381         (program_point::origin): Move here from call-string.h.  Add
5382         region_model_manager param and use it to get empty call string.
5383         (program_point::from_function_entry): Likewise.
5384         (selftest::test_function_point_ordering): Likewise.
5385         (selftest::test_function_point_ordering): Likewise.
5386         * program-point.h (program_point::program_point): Update for
5387         change to m_call_string.
5388         (program_point::get_call_string): Likewise.
5389         (program_point::get_stack_depth): Likewise.
5390         (program_point::origin): Add region_model_manager param, and move
5391         defn to call-string.cc.
5392         (program_point::from_function_entry): Likewise.
5393         (program_point::empty): Drop call_string.
5394         (program_point::deleted): Likewise.
5395         (program_point::program_point): New private ctor.
5396         (program_point::m_call_string): Convert from call_string to const
5397         call_string *.
5398         * program-state.cc (selftest::test_program_state_merging): Update
5399         for call_string changes.
5400         (selftest::test_program_state_merging_2): Likewise.
5401         * region-model-manager.cc
5402         (region_model_manager::region_model_manager): Construct
5403         m_empty_call_string.
5404         (region_model_manager::log_stats): Log the call strings.
5405         * region-model.cc (assert_region_models_merge): Pass the
5406         region_model_manager when creating program_point instances.
5407         (selftest::test_state_merging): Likewise.
5408         (selftest::test_constraint_merging): Likewise.
5409         (selftest::test_widening_constraints): Likewise.
5410         (selftest::test_iteration_1): Likewise.
5411         * region-model.h (region_model_manager::get_empty_call_string):
5412         New.
5413         (region_model_manager::m_empty_call_string): New.
5414         * sm-signal.cc (register_signal_handler::impl_transition): Update
5415         for changes to call_string.
5417 2022-06-24  David Malcolm  <dmalcolm@redhat.com>
5419         * call-string.cc (call_string::calc_recursion_depth): Whitespace
5420         cleanups.
5421         (call_string::cmp): Likewise.
5422         (call_string::get_caller_node): Likewise.
5423         (call_string::validate): Likewise.
5424         * engine.cc (dynamic_call_info_t::add_events_to_path): Likewise.
5425         (exploded_graph::get_per_function_data): Likewise.
5426         (exploded_graph::maybe_create_dynamic_call): Likewise.
5427         (exploded_graph::maybe_create_dynamic_call): Likewise.
5428         (exploded_graph::process_node): Likewise.
5430 2022-06-16  David Malcolm  <dmalcolm@redhat.com>
5432         * varargs.cc (va_arg_type_mismatch::emit): Associate the warning
5433         with CWE-686 ("Function Call With Incorrect Argument Type").
5435 2022-06-16  David Malcolm  <dmalcolm@redhat.com>
5437         * varargs.cc: Include "diagnostic-metadata.h".
5438         (va_list_exhausted::emit): Associate the warning with
5439         CWE-685 ("Function Call With Incorrect Number of Arguments").
5441 2022-06-16  David Malcolm  <dmalcolm@redhat.com>
5443         * sm-file.cc (double_fclose::emit): Associate the warning with
5444         CWE-1341 ("Multiple Releases of Same Resource or Handle").
5446 2022-06-15  David Malcolm  <dmalcolm@redhat.com>
5448         PR analyzer/105962
5449         * analyzer.opt (fanalyzer-undo-inlining): New option.
5450         * checker-path.cc: Include "diagnostic-core.h" and
5451         "inlining-iterator.h".
5452         (event_kind_to_string): Handle EK_INLINED_CALL.
5453         (class inlining_info): New class.
5454         (checker_event::checker_event): Move here from checker-path.h.
5455         Store original fndecl and depth, and calculate effective fndecl
5456         and depth based on inlining information.
5457         (checker_event::dump): Emit original depth as well as effective
5458         depth when they differ; likewise for fndecl.
5459         (region_creation_event::get_desc): Use m_effective_fndecl.
5460         (inlined_call_event::get_desc): New.
5461         (inlined_call_event::get_meaning): New.
5462         (checker_path::inject_any_inlined_call_events): New.
5463         * checker-path.h (enum event_kind): Add EK_INLINED_CALL.
5464         (checker_event::checker_event): Make protected, and move
5465         definition to checker-path.cc.
5466         (checker_event::get_fndecl): Use effective fndecl.
5467         (checker_event::get_stack_depth): Use effective stack depth.
5468         (checker_event::get_logical_location): Use effective stack depth.
5469         (checker_event::get_original_stack_depth): New.
5470         (checker_event::m_fndecl): Rename to...
5471         (checker_event::m_original_fndecl): ...this.
5472         (checker_event::m_depth): Rename to...
5473         (checker_event::m_original_depth): ...this.
5474         (checker_event::m_effective_fndecl): New field.
5475         (checker_event::m_effective_depth): New field.
5476         (class inlined_call_event): New checker_event subclass.
5477         (checker_path::inject_any_inlined_call_events): New decl.
5478         * diagnostic-manager.cc: Include "inlining-iterator.h".
5479         (diagnostic_manager::emit_saved_diagnostic): Call
5480         checker_path::inject_any_inlined_call_events.
5481         (diagnostic_manager::prune_for_sm_diagnostic): Handle
5482         EK_INLINED_CALL.
5483         * engine.cc (tainted_args_function_custom_event::get_desc): Use
5484         effective fndecl.
5485         * inlining-iterator.h: New file.
5487 2022-06-15  David Malcolm  <dmalcolm@redhat.com>
5489         * diagnostic-manager.cc (saved_diagnostic::dump_dot_id): New.
5490         (saved_diagnostic::dump_as_dot_node): New.
5491         * diagnostic-manager.h (saved_diagnostic::dump_dot_id): New decl.
5492         (saved_diagnostic::dump_as_dot_node): New decl.
5493         * engine.cc (exploded_node::dump_dot): Add nodes for saved
5494         diagnostics.
5496 2022-06-02  David Malcolm  <dmalcolm@redhat.com>
5498         * checker-path.cc (checker_event::get_meaning): New.
5499         (function_entry_event::get_meaning): New.
5500         (state_change_event::get_desc): Add dump of meaning of the event
5501         to the -fanalyzer-verbose-state-changes output.
5502         (state_change_event::get_meaning): New.
5503         (cfg_edge_event::get_meaning): New.
5504         (call_event::get_meaning): New.
5505         (return_event::get_meaning): New.
5506         (start_consolidated_cfg_edges_event::get_meaning): New.
5507         (warning_event::get_meaning): New.
5508         * checker-path.h: Include "tree-logical-location.h".
5509         (checker_event::checker_event): Construct m_logical_loc.
5510         (checker_event::get_logical_location): New.
5511         (checker_event::get_meaning): New decl.
5512         (checker_event::m_logical_loc): New.
5513         (function_entry_event::get_meaning): New decl.
5514         (state_change_event::get_meaning): New decl.
5515         (cfg_edge_event::get_meaning): New decl.
5516         (call_event::get_meaning): New decl.
5517         (return_event::get_meaning): New decl.
5518         (start_consolidated_cfg_edges_event::get_meaning): New.
5519         (warning_event::get_meaning): New decl.
5520         * pending-diagnostic.h: Include "diagnostic-path.h".
5521         (pending_diagnostic::get_meaning_for_state_change): New vfunc.
5522         * sm-file.cc (file_diagnostic::get_meaning_for_state_change): New
5523         vfunc impl.
5524         * sm-malloc.cc (malloc_diagnostic::get_meaning_for_state_change):
5525         Likewise.
5526         * sm-sensitive.cc
5527         (exposure_through_output_file::get_meaning_for_state_change):
5528         Likewise.
5529         * sm-taint.cc (taint_diagnostic::get_meaning_for_state_change):
5530         Likewise.
5531         * varargs.cc
5532         (va_list_sm_diagnostic::get_meaning_for_state_change): Likewise.
5534 2022-05-23  David Malcolm  <dmalcolm@redhat.com>
5536         * call-info.cc: Add "final" and "override" to all vfunc
5537         implementations that were missing them, as appropriate.
5538         * engine.cc: Likewise.
5539         * region-model.cc: Likewise.
5540         * sm-malloc.cc: Likewise.
5541         * supergraph.h: Likewise.
5542         * svalue.cc: Likewise.
5543         * varargs.cc: Likewise.
5545 2022-05-20  David Malcolm  <dmalcolm@redhat.com>
5547         * analyzer-pass.cc: Replace uses of "FINAL" and "OVERRIDE" with
5548         "final" and "override".
5549         * call-info.h: Likewise.
5550         * checker-path.h: Likewise.
5551         * constraint-manager.cc: Likewise.
5552         * diagnostic-manager.cc: Likewise.
5553         * engine.cc: Likewise.
5554         * exploded-graph.h: Likewise.
5555         * feasible-graph.h: Likewise.
5556         * pending-diagnostic.h: Likewise.
5557         * region-model-impl-calls.cc: Likewise.
5558         * region-model.cc: Likewise.
5559         * region-model.h: Likewise.
5560         * region.h: Likewise.
5561         * sm-file.cc: Likewise.
5562         * sm-malloc.cc: Likewise.
5563         * sm-pattern-test.cc: Likewise.
5564         * sm-sensitive.cc: Likewise.
5565         * sm-signal.cc: Likewise.
5566         * sm-taint.cc: Likewise.
5567         * state-purge.h: Likewise.
5568         * store.cc: Likewise.
5569         * store.h: Likewise.
5570         * supergraph.h: Likewise.
5571         * svalue.h: Likewise.
5572         * trimmed-graph.h: Likewise.
5573         * varargs.cc: Likewise.
5575 2022-05-16  David Malcolm  <dmalcolm@redhat.com>
5577         PR analyzer/105103
5578         * analyzer.cc (make_label_text_n): New.
5579         * analyzer.h (class var_arg_region): New forward decl.
5580         (make_label_text_n): New decl.
5581         * analyzer.opt (Wanalyzer-va-arg-type-mismatch): New option.
5582         (Wanalyzer-va-list-exhausted): New option.
5583         (Wanalyzer-va-list-leak): New option.
5584         (Wanalyzer-va-list-use-after-va-end): New option.
5585         * checker-path.cc (call_event::get_desc): Split out decl access
5586         into...
5587         (call_event::get_caller_fndecl): ...this new function and...
5588         (call_event::get_callee_fndecl): ...this new function.
5589         * checker-path.h (call_event::get_desc): Drop "FINAL".
5590         (call_event::get_caller_fndecl): New decl.
5591         (call_event::get_callee_fndecl): New decl.
5592         (class call_event): Make fields protected.
5593         * diagnostic-manager.cc (null_assignment_sm_context::warn): New
5594         overload.
5595         (null_assignment_sm_context::get_new_program_state): New.
5596         (diagnostic_manager::add_events_for_superedge): Move case
5597         SUPEREDGE_CALL to a new pending_diagnostic::add_call_event vfunc.
5598         * engine.cc (impl_sm_context::warn): Implement new override.
5599         (impl_sm_context::get_new_program_state): New.
5600         * pending-diagnostic.cc: Include "analyzer/diagnostic-manager.h",
5601         "cpplib.h", "digraph.h", "ordered-hash-map.h", "cfg.h",
5602         "basic-block.h", "gimple.h", "gimple-iterator.h", "cgraph.h",
5603         "analyzer/supergraph.h", "analyzer/program-state.h",
5604         "alloc-pool.h", "fibonacci_heap.h", "shortest-paths.h",
5605         "sbitmap.h", "analyzer/exploded-graph.h", "diagnostic-path.h",
5606         and "analyzer/checker-path.h".
5607         (ht_ident_eq): New.
5608         (fixup_location_in_macro_p): New.
5609         (pending_diagnostic::fixup_location): New.
5610         (pending_diagnostic::add_call_event): New.
5611         * pending-diagnostic.h (pending_diagnostic::fixup_location): Drop
5612         no-op inline implementation in favor of the more complex
5613         implementation above.
5614         (pending_diagnostic::add_call_event): New vfunc.
5615         * region-model-impl-calls.cc: Include "analyzer/sm.h",
5616         "diagnostic-path.h", and "analyzer/pending-diagnostic.h".
5617         * region-model-manager.cc
5618         (region_model_manager::get_var_arg_region): New.
5619         (region_model_manager::log_stats): Log m_var_arg_regions.
5620         * region-model.cc (region_model::on_call_pre): Handle IFN_VA_ARG,
5621         BUILT_IN_VA_START, and BUILT_IN_VA_COPY.
5622         (region_model::on_call_post): Handle BUILT_IN_VA_END.
5623         (region_model::get_representative_path_var_1): Handle RK_VAR_ARG.
5624         (region_model::push_frame): Push variadic arguments.
5625         * region-model.h (region_model_manager::get_var_arg_region): New
5626         decl.
5627         (region_model_manager::m_var_arg_regions): New field.
5628         (region_model::impl_call_va_start): New decl.
5629         (region_model::impl_call_va_copy): New decl.
5630         (region_model::impl_call_va_arg): New decl.
5631         (region_model::impl_call_va_end): New decl.
5632         * region.cc (alloca_region::dump_to_pp): Dump the id.
5633         (var_arg_region::dump_to_pp): New.
5634         (var_arg_region::get_frame_region): New.
5635         * region.h (enum region_kind): Add RK_VAR_ARG.
5636         (region::dyn_cast_var_arg_region): New.
5637         (class var_arg_region): New.
5638         (is_a_helper <const var_arg_region *>::test): New.
5639         (struct default_hash_traits<var_arg_region::key_t>): New.
5640         * sm.cc (make_checkers): Call make_va_list_state_machine.
5641         * sm.h (sm_context::warn): New vfunc.
5642         (sm_context::get_old_svalue): Drop unused decl.
5643         (sm_context::get_new_program_state): New vfunc.
5644         (make_va_list_state_machine): New decl.
5645         * varargs.cc: New file.
5647 2022-05-16  Martin Liska  <mliska@suse.cz>
5649         * engine.cc (exploded_node::get_dot_fillcolor): Use ARRAY_SIZE.
5650         * function-set.cc (test_stdio_example): Likewise.
5651         * sm-file.cc (get_file_using_fns): Likewise.
5652         * sm-malloc.cc (malloc_state_machine::unaffected_by_call_p): Likewise.
5653         * sm-signal.cc (get_async_signal_unsafe_fns): Likewise.
5655 2022-05-13  Richard Biener  <rguenther@suse.de>
5657         * supergraph.cc: Re-order gimple-fold.h include.
5659 2022-05-11  David Malcolm  <dmalcolm@redhat.com>
5661         * checker-path.cc (state_change_event::get_desc): Call maybe_free
5662         on label_text temporaries.
5663         * diagnostic-manager.cc
5664         (diagnostic_manager::prune_for_sm_diagnostic): Likewise.
5665         * engine.cc (exploded_graph::~exploded_graph): Fix leak of
5666         m_per_point_data and m_per_call_string_data values.  Simplify
5667         cleanup of m_per_function_stats and m_per_point_data values.
5668         (feasibility_state::maybe_update_for_edge): Fix leak of result of
5669         superedge::get_description.
5670         * region-model-manager.cc
5671         (region_model_manager::~region_model_manager): Move cleanup of
5672         m_setjmp_values to match the ordering of the fields within
5673         region_model_manager.  Fix leak of values within
5674         m_repeated_values_map, m_bits_within_values_map,
5675         m_asm_output_values_map, and m_const_fn_result_values_map.
5677 2022-04-28  David Malcolm  <dmalcolm@redhat.com>
5679         PR analyzer/105285
5680         * store.cc (binding_cluster::get_any_binding): Handle accessing
5681         sub_svalues of clusters where the base region has a symbolic
5682         binding.
5684 2022-04-28  David Malcolm  <dmalcolm@redhat.com>
5686         * diagnostic-manager.cc (epath_finder::process_worklist_item):
5687         Call dump_feasible_path when a path that reaches the the target
5688         enode is found.
5689         (epath_finder::dump_feasible_path): New.
5690         * engine.cc (feasibility_state::dump_to_pp): New.
5691         * exploded-graph.h (feasibility_state::dump_to_pp): New decl.
5692         * feasible-graph.cc (feasible_graph::dump_feasible_path): New.
5693         * feasible-graph.h (feasible_graph::dump_feasible_path): New
5694         decls.
5695         * program-point.cc (function_point::print): Fix missing trailing
5696         newlines.
5697         * program-point.h (program_point::print_source_line): Remove
5698         unimplemented decl.
5700 2022-04-25  David Malcolm  <dmalcolm@redhat.com>
5702         PR analyzer/105365
5703         PR analyzer/105366
5704         * svalue.cc
5705         (cmp_cst): Rename to...
5706         (cmp_csts_same_type): ...this.  Convert all recursive calls to
5707         calls to...
5708         (cmp_csts_and_types): ....this new function.
5709         (svalue::cmp_ptr): Update for renaming of cmp_cst
5711 2022-04-14  David Malcolm  <dmalcolm@redhat.com>
5713         PR analyzer/105264
5714         * region-model-reachability.cc (reachable_regions::handle_parm):
5715         Use maybe_get_deref_base_region rather than just region_svalue, to
5716         handle pointer arithmetic also.
5717         * svalue.cc (svalue::maybe_get_deref_base_region): New.
5718         * svalue.h (svalue::maybe_get_deref_base_region): New decl.
5720 2022-04-14  David Malcolm  <dmalcolm@redhat.com>
5722         PR analyzer/105252
5723         * svalue.cc (cmp_cst): When comparing VECTOR_CSTs, compare the
5724         types of the encoded elements before calling cmp_cst on them.
5726 2022-04-09  David Malcolm  <dmalcolm@redhat.com>
5728         PR analyzer/103892
5729         * region-model-manager.cc
5730         (region_model_manager::get_unknown_symbolic_region): New,
5731         extracted from...
5732         (region_model_manager::get_field_region): ...here.
5733         (region_model_manager::get_element_region): Use it here.
5734         (region_model_manager::get_offset_region): Likewise.
5735         (region_model_manager::get_sized_region): Likewise.
5736         (region_model_manager::get_cast_region): Likewise.
5737         (region_model_manager::get_bit_range): Likewise.
5738         * region-model.h
5739         (region_model_manager::get_unknown_symbolic_region): New decl.
5740         * region.cc (symbolic_region::symbolic_region): Handle sval_ptr
5741         having NULL type.
5742         (symbolic_region::dump_to_pp): Handle having NULL type.
5744 2022-04-07  David Malcolm  <dmalcolm@redhat.com>
5746         PR analyzer/102208
5747         * store.cc (binding_map::remove_overlapping_bindings): Add
5748         "always_overlap" param, using it to generalize to the case where
5749         we want to remove all bindings.  Update "uncertainty" logic to
5750         only record maybe-bound values for cases where there is a symbolic
5751         write involved.
5752         (binding_cluster::mark_region_as_unknown): Split param "reg" into
5753         "reg_to_bind" and "reg_for_overlap".
5754         (binding_cluster::maybe_get_compound_binding): Pass "false" to
5755         binding_map::remove_overlapping_bindings new "always_overlap" param.
5756         (binding_cluster::remove_overlapping_bindings): Determine
5757         "always_overlap" and pass it to
5758         binding_map::remove_overlapping_bindings.
5759         (store::set_value): Pass uncertainty to remove_overlapping_bindings
5760         call.  Update for new param of
5761         binding_cluster::mark_region_as_unknown, passing both the base
5762         region of the iter_cluster, and the lhs_reg.
5763         (store::mark_region_as_unknown): Update for new param of
5764         binding_cluster::mark_region_as_unknown, passing "reg" for both.
5765         (store::remove_overlapping_bindings): Add param "uncertainty", and
5766         pass it on to call to
5767         binding_cluster::remove_overlapping_bindings.
5768         * store.h (binding_map::remove_overlapping_bindings): Add
5769         "always_overlap" param.
5770         (binding_cluster::mark_region_as_unknown): Split param "reg" into
5771         "reg_to_bind" and "reg_for_overlap".
5772         (store::remove_overlapping_bindings): Add param "uncertainty".
5774 2022-03-29  David Malcolm  <dmalcolm@redhat.com>
5776         PR testsuite/105085
5777         * region-model-manager.cc (dump_untracked_region): Skip decls in
5778         the constant pool.
5780 2022-03-29  David Malcolm  <dmalcolm@redhat.com>
5782         PR analyzer/105087
5783         * analyzer.h (class conjured_purge): New forward decl.
5784         * region-model-asm.cc (region_model::on_asm_stmt): Add
5785         conjured_purge param to calls binding_cluster::on_asm and
5786         region_model_manager::get_or_create_conjured_svalue.
5787         * region-model-impl-calls.cc
5788         (call_details::get_or_create_conjured_svalue): Likewise for call
5789         to region_model_manager::get_or_create_conjured_svalue.
5790         (region_model::impl_call_fgets): Remove call to
5791         region_model::purge_state_involving, as this is now done
5792         implicitly by call_details::get_or_create_conjured_svalue.
5793         (region_model::impl_call_fread): Likewise.
5794         (region_model::impl_call_strchr): Pass conjured_purge param to
5795         call to region_model_manager::get_or_create_conjured_svalue.
5796         * region-model-manager.cc (conjured_purge::purge): New.
5797         (region_model_manager::get_or_create_conjured_svalue): Add
5798         param "p".  Use it to purge state when reusing an existing
5799         conjured_svalue.
5800         * region-model.cc (region_model::on_call_pre): Replace call to
5801         region_model::purge_state_involving with passing conjured_purge
5802         to region_model_manager::get_or_create_conjured_svalue.
5803         (region_model::handle_unrecognized_call): Pass conjured_purge to
5804         store::on_unknown_fncall.
5805         * region-model.h
5806         (region_model_manager::get_or_create_conjured_svalue): Add param
5807         "p".
5808         * store.cc (binding_cluster::on_unknown_fncall): Likewise.  Pass
5809         it on to region_model_manager::get_or_create_conjured_svalue.
5810         (binding_cluster::on_asm): Likewise.
5811         (store::on_unknown_fncall): Add param "p" and pass it on to
5812         binding_cluster::on_unknown_fncall.
5813         * store.h (binding_cluster::on_unknown_fncall): Add param p.
5814         (binding_cluster::on_asm): Likewise.
5815         (store::on_unknown_fncall): Likewise.
5816         * svalue.h (class conjured_purge): New.
5818 2022-03-29  David Malcolm  <dmalcolm@redhat.com>
5820         PR analyzer/105074
5821         * region.cc (ipa_ref_requires_tracking): Drop "context_fndecl",
5822         instead using the ref->referring to get the cgraph node of the
5823         caller.
5824         (symnode_requires_tracking_p): Likewise.
5826 2022-03-26  David Malcolm  <dmalcolm@redhat.com>
5828         PR analyzer/105057
5829         * store.cc (binding_cluster::make_unknown_relative_to): Reject
5830         attempts to create a cluster for untracked base regions.
5831         (store::set_value): Likewise.
5832         (store::fill_region): Likewise.
5833         (store::mark_region_as_unknown): Likewise.
5835 2022-03-25  David Malcolm  <dmalcolm@redhat.com>
5837         PR analyzer/104954
5838         * analyzer.opt (-fdump-analyzer-untracked): New option.
5839         * engine.cc (impl_run_checkers): Handle it.
5840         * region-model-asm.cc (region_model::on_asm_stmt): Don't attempt
5841         to clobber regions with !tracked_p ().
5842         * region-model-manager.cc (dump_untracked_region): New.
5843         (region_model_manager::dump_untracked_regions): New.
5844         (frame_region::dump_untracked_regions): New.
5845         * region-model.h (region_model_manager::dump_untracked_regions):
5846         New decl.
5847         * region.cc (ipa_ref_requires_tracking): New.
5848         (symnode_requires_tracking_p): New.
5849         (decl_region::calc_tracked_p): New.
5850         * region.h (region::tracked_p): New vfunc.
5851         (frame_region::dump_untracked_regions): New decl.
5852         (class decl_region): Note that this is also used fo SSA names.
5853         (decl_region::decl_region): Initialize m_tracked.
5854         (decl_region::tracked_p): New.
5855         (decl_region::calc_tracked_p): New decl.
5856         (decl_region::m_tracked): New.
5857         * store.cc (store::get_or_create_cluster): Assert that we
5858         don't try to create clusters for base regions that aren't
5859         trackable.
5860         (store::mark_as_escaped): Don't mark base regions that we're not
5861         tracking.
5863 2022-03-23  David Malcolm  <dmalcolm@redhat.com>
5865         PR analyzer/104979
5866         * engine.cc (impl_run_checkers): Create the engine after the
5867         supergraph, and pass the supergraph to the engine.
5868         * region-model.cc (region_model::get_lvalue_1): Pass ctxt to
5869         frame_region::get_region_for_local.
5870         (region_model::update_for_return_gcall): Pass the lvalue for the
5871         result to pop_frame as a tree, rather than as a region.
5872         (region_model::pop_frame): Update for above change, determining
5873         the destination region after the frame is popped and thus with
5874         respect to the caller frame rather than the called frame.
5875         Likewise, set the value of the region to the return value after
5876         the frame is popped.
5877         (engine::engine): Add supergraph pointer.
5878         (selftest::test_stack_frames): Set the DECL_CONTECT of PARM_DECLs.
5879         (selftest::test_get_representative_path_var): Likewise.
5880         (selftest::test_state_merging): Likewise.
5881         * region-model.h (region_model::pop_frame): Convert first param
5882         from a const region * to a tree.
5883         (engine::engine): Add param "sg".
5884         (engine::m_sg): New field.
5885         * region.cc: Include "analyzer/sm.h" and
5886         "analyzer/program-state.h".
5887         (frame_region::get_region_for_local): Add "ctxt" param.
5888         Add assertions that VAR_DECLs are locals, and that expr is for the
5889         correct function.
5890         * region.h (frame_region::get_region_for_local): Add "ctxt" param.
5892 2022-03-23  David Malcolm  <dmalcolm@redhat.com>
5894         PR analyzer/105017
5895         * sm-taint.cc (taint_diagnostic::subclass_equal_p): Check
5896         m_has_bounds as well as m_arg.
5897         (tainted_allocation_size::subclass_equal_p): Chain up to base
5898         class implementation.  Also check m_mem_space.
5899         (tainted_allocation_size::emit): Add note showing stack-based vs
5900         heap-based allocations.
5902 2022-03-23  David Malcolm  <dmalcolm@redhat.com>
5904         PR analyzer/104997
5905         * diagnostic-manager.cc (diagnostic_manager::add_diagnostic):
5906         Convert return type from "void" to "bool", reporting success vs
5907         failure to caller, for both overloads.
5908         * diagnostic-manager.h (diagnostic_manager::add_diagnostic):
5909         Likewise.
5910         * engine.cc (impl_region_model_context::warn): Propagate return
5911         value from diagnostic_manager::add_diagnostic.
5913 2022-03-18  David Malcolm  <dmalcolm@redhat.com>
5915         PR analyzer/104943
5916         PR analyzer/104954
5917         PR analyzer/103533
5918         * analyzer.h (class state_purge_per_decl): New forward decl.
5919         * engine.cc (impl_run_checkers): Pass region_model_manager to
5920         state_purge_map ctor.
5921         * program-point.cc (function_point::final_stmt_p): New.
5922         (function_point::get_next): New.
5923         * program-point.h (function_point::final_stmt_p): New decl.
5924         (function_point::get_next): New decl.
5925         * program-state.cc (program_state::prune_for_point): Generalize to
5926         purge local decls as well as SSA names.
5927         (program_state::can_purge_base_region_p): New.
5928         * program-state.h (program_state::can_purge_base_region_p): New
5929         decl.
5930         * region-model.cc (struct append_ssa_names_cb_data): Rename to...
5931         (struct append_regions_cb_data): ...this.
5932         (region_model::get_ssa_name_regions_for_current_frame): Rename
5933         to...
5934         (region_model::get_regions_for_current_frame): ...this, updating
5935         for other renamings.
5936         (region_model::append_ssa_names_cb): Rename to...
5937         (region_model::append_regions_cb): ...this, and drop the requirement
5938         that the subregion be a SSA name.
5939         * region-model.h (struct append_ssa_names_cb_data): Rename decl
5940         to...
5941         (struct append_regions_cb_data): ...this.
5942         (region_model::get_ssa_name_regions_for_current_frame): Rename
5943         decl to...
5944         (region_model::get_regions_for_current_frame): ...this.
5945         (region_model::append_ssa_names_cb): Rename decl to...
5946         (region_model::append_regions_cb): ...this.
5947         * state-purge.cc: Include "tristate.h", "selftest.h",
5948         "analyzer/store.h", "analyzer/region-model.h", and
5949         "gimple-walk.h".
5950         (get_candidate_for_purging): New.
5951         (class gimple_op_visitor): New.
5952         (my_load_cb): New.
5953         (my_store_cb): New.
5954         (my_addr_cb): New.
5955         (state_purge_map::state_purge_map): Add "mgr" param.  Update for
5956         renamings.  Find uses of local variables.
5957         (state_purge_map::~state_purge_map): Update for renaming of m_map
5958         to m_ssa_map.  Clean up m_decl_map.
5959         (state_purge_map::get_or_create_data_for_decl): New.
5960         (state_purge_per_ssa_name::state_purge_per_ssa_name): Update for
5961         inheriting from state_purge_per_tree.
5962         (state_purge_per_ssa_name::add_to_worklist): Likewise.
5963         (state_purge_per_decl::state_purge_per_decl): New.
5964         (state_purge_per_decl::add_needed_at): New.
5965         (state_purge_per_decl::add_pointed_to_at): New.
5966         (state_purge_per_decl::process_worklists): New.
5967         (state_purge_per_decl::add_to_worklist): New.
5968         (same_binding_p): New.
5969         (fully_overwrites_p): New.
5970         (state_purge_per_decl::process_point_backwards): New.
5971         (state_purge_per_decl::process_point_forwards): New.
5972         (state_purge_per_decl::needed_at_point_p): New.
5973         (state_purge_annotator::print_needed): Generalize to print local
5974         decls as well as SSA names.
5975         * state-purge.h (class state_purge_map): Update leading comment.
5976         (state_purge_map::map_t): Rename to...
5977         (state_purge_map::ssa_map_t): ...this.
5978         (state_purge_map::iterator): Rename to...
5979         (state_purge_map::ssa_iterator): ...this.
5980         (state_purge_map::decl_map_t): New typedef.
5981         (state_purge_map::decl_iterator): New typedef.
5982         (state_purge_map::state_purge_map): Add "mgr" param.
5983         (state_purge_map::get_data_for_ssa_name): Update for renaming.
5984         (state_purge_map::get_any_data_for_decl): New.
5985         (state_purge_map::get_or_create_data_for_decl): New decl.
5986         (state_purge_map::begin): Rename to...
5987         (state_purge_map::begin_ssas): ...this.
5988         (state_purge_map::end): Rename to...
5989         (state_purge_map::end_ssa): ...this.
5990         (state_purge_map::begin_decls): New.
5991         (state_purge_map::end_decls): New.
5992         (state_purge_map::m_map): Rename to...
5993         (state_purge_map::m_ssa_map): ...this.
5994         (state_purge_map::m_decl_map): New field.
5995         (class state_purge_per_tree): New class.
5996         (class state_purge_per_ssa_name): Inherit from state_purge_per_tree.
5997         (state_purge_per_ssa_name::get_function): Move to base class.
5998         (state_purge_per_ssa_name::point_set_t): Likewise.
5999         (state_purge_per_ssa_name::m_fun): Likewise.
6000         (class state_purge_per_decl): New.
6002 2022-03-17  David Malcolm  <dmalcolm@redhat.com>
6004         * state-purge.cc (state_purge_annotator::add_node_annotations):
6005         Avoid duplicate before-supernode annotations when returning from
6006         an interprocedural call.  Show after-supernode annotations.
6008 2022-03-17  David Malcolm  <dmalcolm@redhat.com>
6010         * program-point.cc (program_point::get_next): Fix missing
6011         increment of index.
6013 2022-03-16  David Malcolm  <dmalcolm@redhat.com>
6015         PR analyzer/104955
6016         * diagnostic-manager.cc (get_emission_location): New.
6017         (diagnostic_manager::diagnostic_manager): Initialize
6018         m_num_disabled_diagnostics.
6019         (diagnostic_manager::add_diagnostic): Reject diagnostics that
6020         will eventually be rejected due to being disabled.
6021         (diagnostic_manager::emit_saved_diagnostics): Log the number
6022         of disabled diagnostics.
6023         (diagnostic_manager::emit_saved_diagnostic): Split out logic for
6024         determining emission location to get_emission_location.
6025         * diagnostic-manager.h
6026         (diagnostic_manager::m_num_disabled_diagnostics): New field.
6027         * engine.cc (stale_jmp_buf::get_controlling_option): New.
6028         (stale_jmp_buf::emit): Use it.
6029         * pending-diagnostic.h
6030         (pending_diagnostic::get_controlling_option): New vfunc.
6031         * region-model.cc
6032         (poisoned_value_diagnostic::get_controlling_option): New.
6033         (poisoned_value_diagnostic::emit): Use it.
6034         (shift_count_negative_diagnostic::get_controlling_option): New.
6035         (shift_count_negative_diagnostic::emit): Use it.
6036         (shift_count_overflow_diagnostic::get_controlling_option): New.
6037         (shift_count_overflow_diagnostic::emit): Use it.
6038         (dump_path_diagnostic::get_controlling_option): New.
6039         (dump_path_diagnostic::emit): Use it.
6040         (write_to_const_diagnostic::get_controlling_option): New.
6041         (write_to_const_diagnostic::emit): Use it.
6042         (write_to_string_literal_diagnostic::get_controlling_option): New.
6043         (write_to_string_literal_diagnostic::emit): Use it.
6044         * sm-file.cc (double_fclose::get_controlling_option): New.
6045         (double_fclose::emit): Use it.
6046         (file_leak::get_controlling_option): New.
6047         (file_leak::emit): Use it.
6048         * sm-malloc.cc (mismatching_deallocation::get_controlling_option):
6049         New.
6050         (mismatching_deallocation::emit): Use it.
6051         (double_free::get_controlling_option): New.
6052         (double_free::emit): Use it.
6053         (possible_null_deref::get_controlling_option): New.
6054         (possible_null_deref::emit): Use it.
6055         (possible_null_arg::get_controlling_option): New.
6056         (possible_null_arg::emit): Use it.
6057         (null_deref::get_controlling_option): New.
6058         (null_deref::emit): Use it.
6059         (null_arg::get_controlling_option): New.
6060         (null_arg::emit): Use it.
6061         (use_after_free::get_controlling_option): New.
6062         (use_after_free::emit): Use it.
6063         (malloc_leak::get_controlling_option): New.
6064         (malloc_leak::emit): Use it.
6065         (free_of_non_heap::get_controlling_option): New.
6066         (free_of_non_heap::emit): Use it.
6067         * sm-pattern-test.cc (pattern_match::get_controlling_option): New.
6068         (pattern_match::emit): Use it.
6069         * sm-sensitive.cc
6070         (exposure_through_output_file::get_controlling_option): New.
6071         (exposure_through_output_file::emit): Use it.
6072         * sm-signal.cc (signal_unsafe_call::get_controlling_option): New.
6073         (signal_unsafe_call::emit): Use it.
6074         * sm-taint.cc (tainted_array_index::get_controlling_option): New.
6075         (tainted_array_index::emit): Use it.
6076         (tainted_offset::get_controlling_option): New.
6077         (tainted_offset::emit): Use it.
6078         (tainted_size::get_controlling_option): New.
6079         (tainted_size::emit): Use it.
6080         (tainted_divisor::get_controlling_option): New.
6081         (tainted_divisor::emit): Use it.
6082         (tainted_allocation_size::get_controlling_option): New.
6083         (tainted_allocation_size::emit): Use it.
6085 2022-03-15  David Malcolm  <dmalcolm@redhat.com>
6087         * store.cc (store::store): Presize m_cluster_map.
6089 2022-03-10  David Malcolm  <dmalcolm@redhat.com>
6091         PR analyzer/104863
6092         * constraint-manager.cc (constraint_manager::add_constraint):
6093         Refresh the EC IDs when adding constraints implied by offsets.
6095 2022-03-10  David Malcolm  <dmalcolm@redhat.com>
6097         PR analyzer/104793
6098         * analyzer.h (class pending_note): New forward decl.
6099         * diagnostic-manager.cc (saved_diagnostic::saved_diagnostic):
6100         Initialize m_notes.
6101         (saved_diagnostic::operator==): Compare m_notes.
6102         (saved_diagnostic::add_note): New.
6103         (saved_diagnostic::emit_any_notes): New.
6104         (diagnostic_manager::add_note): New.
6105         (diagnostic_manager::emit_saved_diagnostic): Call emit_any_notes
6106         after emitting the warning.
6107         * diagnostic-manager.h (saved_diagnostic::add_note): New decl.
6108         (saved_diagnostic::emit_any_notes): New decl.
6109         (saved_diagnostic::m_notes): New field.
6110         (diagnostic_manager::add_note): New decl.
6111         * engine.cc (impl_region_model_context::add_note): New.
6112         * exploded-graph.h (impl_region_model_context::add_note): New
6113         decl.
6114         * pending-diagnostic.h (class pending_note): New.
6115         (class pending_note_subclass): New template.
6116         * region-model.cc (class reason_attr_access): New.
6117         (check_external_function_for_access_attr): Add class
6118         annotating_ctxt and use it when checking region.
6119         (noop_region_model_context::add_note): New.
6120         * region-model.h (region_model_context::add_note): New vfunc.
6121         (noop_region_model_context::add_note): New decl.
6122         (class region_model_context_decorator): New.
6123         (class note_adding_context): New.
6125 2022-03-10  David Malcolm  <dmalcolm@redhat.com>
6127         PR analyzer/104793
6128         * region-model.cc
6129         (region_model::check_external_function_for_access_attr): New.
6130         (region_model::handle_unrecognized_call): Call it.
6131         * region-model.h
6132         (region_model::check_external_function_for_access_attr): New decl.
6133         (region_model::handle_unrecognized_call): New decl.
6135 2022-03-10  David Malcolm  <dmalcolm@redhat.com>
6137         * sm-taint.cc (taint_state_machine::check_for_tainted_size_arg):
6138         Avoid generating duplicate saved_diagnostics by only handling the
6139         rdwr_map entry for the ptrarg, not the duplicate entry for the
6140         sizarg.
6142 2022-03-07  David Malcolm  <dmalcolm@redhat.com>
6144         PR analyzer/101983
6145         * engine.cc (returning_from_function_p): New.
6146         (impl_region_model_context::on_state_leak): Use it when rejecting
6147         leaks at the return from "main".
6149 2022-03-07  Jakub Jelinek  <jakub@redhat.com>
6151         * store.cc: Fix up duplicated word issue in a comment.
6152         * analyzer.cc: Likewise.
6153         * engine.cc: Likewise.
6154         * sm-taint.cc: Likewise.
6156 2022-03-04  David Malcolm  <dmalcolm@redhat.com>
6158         PR analyzer/103521
6159         * analyzer.opt (-param=analyzer-max-svalue-depth=): Reduce from 13
6160         to 12.
6162 2022-02-23  David Malcolm  <dmalcolm@redhat.com>
6164         PR analyzer/104434
6165         * analyzer.h (class const_fn_result_svalue): New decl.
6166         * region-model-impl-calls.cc (call_details::get_manager): New.
6167         * region-model-manager.cc
6168         (region_model_manager::get_or_create_const_fn_result_svalue): New.
6169         (region_model_manager::log_stats): Log
6170         m_const_fn_result_values_map.
6171         * region-model.cc (const_fn_p): New.
6172         (maybe_get_const_fn_result): New.
6173         (region_model::on_call_pre): Handle fndecls with
6174         __attribute__((const)) by calling the above rather than making
6175         a conjured_svalue.
6176         * region-model.h (visitor::visit_const_fn_result_svalue): New.
6177         (region_model_manager::get_or_create_const_fn_result_svalue): New
6178         decl.
6179         (region_model_manager::const_fn_result_values_map_t): New typedef.
6180         (region_model_manager::m_const_fn_result_values_map): New field.
6181         (call_details::get_manager): New decl.
6182         * svalue.cc (svalue::cmp_ptr): Handle SK_CONST_FN_RESULT.
6183         (const_fn_result_svalue::dump_to_pp): New.
6184         (const_fn_result_svalue::dump_input): New.
6185         (const_fn_result_svalue::accept): New.
6186         * svalue.h (enum svalue_kind): Add SK_CONST_FN_RESULT.
6187         (svalue::dyn_cast_const_fn_result_svalue): New.
6188         (class const_fn_result_svalue): New.
6189         (is_a_helper <const const_fn_result_svalue *>::test): New.
6190         (template <> struct default_hash_traits<const_fn_result_svalue::key_t>):
6191         New.
6193 2022-02-17  David Malcolm  <dmalcolm@redhat.com>
6195         PR analyzer/104576
6196         * region-model.cc: Include "calls.h".
6197         (region_model::on_call_pre): Use flags_from_decl_or_type to
6198         generalize check for DECL_PURE_P to also check for ECF_CONST.
6200 2022-02-16  David Malcolm  <dmalcolm@redhat.com>
6202         PR analyzer/104560
6203         * diagnostic-manager.cc (diagnostic_manager::build_emission_path):
6204         Add region creation events for globals of interest.
6205         (null_assignment_sm_context::get_old_program_state): New.
6206         (diagnostic_manager::add_events_for_eedge): Move check for
6207         changing dynamic extents from PK_BEFORE_STMT case to after the
6208         switch on the dst_point's kind so that we can emit them for the
6209         final stmt in a basic block.
6210         * engine.cc (impl_sm_context::get_old_program_state): New.
6211         * sm-malloc.cc (malloc_state_machine::get_default_state): Rewrite
6212         detection of m_non_heap to use get_memory_space.
	(free_of_non_heap::free_of_non_heap): Add freed_reg param.
	(free_of_non_heap::subclass_equal_p): Update for changes to
	fields.
	(free_of_non_heap::emit): Drop m_kind in favor of
	get_memory_space.
	(free_of_non_heap::describe_state_change): Remove logic for
	detecting alloca.
	(free_of_non_heap::mark_interesting_stuff): Add region-creation of
	m_freed_reg.
	(free_of_non_heap::get_memory_space): New.
	(free_of_non_heap::kind): Drop enum.
	(free_of_non_heap::m_freed_reg): New field.
	(free_of_non_heap::m_kind): Drop field.
	(malloc_state_machine::on_stmt): Drop transition to m_non_heap.
	(malloc_state_machine::handle_free_of_non_heap): New function,
	split out from on_deallocator_call and on_realloc_call, adding
	detection of the freed region.
	(malloc_state_machine::on_deallocator_call): Use it.
	(malloc_state_machine::on_realloc_call): Likewise.
	* sm.h (sm_context::get_old_program_state): New vfunc.

2022-02-15  David Malcolm  <dmalcolm@redhat.com>

	PR analyzer/104524
	* region-model-manager.cc
	(region_model_manager::maybe_fold_sub_svalue): Only call
	get_or_create_cast if type is non-NULL.

2022-02-15  David Malcolm  <dmalcolm@redhat.com>

	PR analyzer/102692
	* exploded-graph.h (impl_region_model_context::get_stmt): New.
	* region-model.cc: Include "gimple-ssa.h", "tree-phinodes.h",
	"tree-ssa-operands.h", and "ssa-iterators.h".
	(within_short_circuited_stmt_p): New.
	(region_model::check_for_poison): Don't warn about uninit values
	if within_short_circuited_stmt_p.
	* region-model.h (region_model_context::get_stmt): New vfunc.
	(noop_region_model_context::get_stmt): New.

2022-02-11  David Malcolm  <dmalcolm@redhat.com>

	PR analyzer/104274
	* region-model.cc (region_model::check_for_poison): Ignore
	uninitialized uses of empty types.

2022-02-10  David Malcolm  <dmalcolm@redhat.com>

	PR analyzer/98797
	* region-model-manager.cc
	(region_model_manager::maybe_fold_sub_svalue): Generalize getting
	individual chars of a STRING_CST from element_region to any
	subregion which is a concrete access of a single byte from its
	parent region.
	* region.cc (region::get_relative_concrete_byte_range): New.
	* region.h (region::get_relative_concrete_byte_range): New decl.

2022-02-09  David Malcolm  <dmalcolm@redhat.com>

	PR analyzer/104452
	* region-model.cc (selftest::test_bit_range_regions): New.
	(selftest::analyzer_region_model_cc_tests): Call it.
	* region.h (bit_range_region::key_t::hash): Fix hashing of m_bits
	to avoid using uninitialized data.

2022-02-07  David Malcolm  <dmalcolm@redhat.com>

	PR analyzer/104417
	* sm-taint.cc (tainted_allocation_size::tainted_allocation_size):
	Remove overzealous assertion.
	(tainted_allocation_size::emit): Likewise.
	(region_model::check_dynamic_size_for_taint): Likewise.

2022-02-07  David Malcolm  <dmalcolm@redhat.com>

	PR analyzer/103872
	* region-model-impl-calls.cc (region_model::impl_call_memcpy):
	Reimplement in terms of a get_store_value followed by a set_value.

2022-02-03  David Malcolm  <dmalcolm@redhat.com>

	PR analyzer/104369
	* engine.cc (exploded_graph::process_node): Use the node for any
	diagnostics, avoiding ICE if a bifurcation update adds a
	saved_diagnostic, such as for a tainted realloc size.
	* region-model-impl-calls.cc
	(region_model::impl_call_realloc::success_no_move::update_model):
	Require the old pointer to be non-NULL to be able to successfully
	grow in place.  Use model->deref_rvalue rather than maybe_get_region
	to support the old pointer being symbolic.
	(region_model::impl_call_realloc::success_with_move::update_model):
	Likewise.  Add a constraint that the new pointer != the old pointer.
	Use a sized_region when setting the value of the new region.
	Handle the case where we don't know the dynamic size of the old
	region by marking the new region as unknown.
	* sm-taint.cc (tainted_allocation_size::tainted_allocation_size):
	Update assertion to also allow for MEMSPACE_UNKNOWN.
	(tainted_allocation_size::emit): Likewise.
	(region_model::check_dynamic_size_for_taint): Likewise.

2022-02-03  David Malcolm  <dmalcolm@redhat.com>

	* region-model-impl-calls.cc (region_model::impl_call_calloc): Use
	a sized_region when calling zero_fill_region.

2022-02-02  David Malcolm  <dmalcolm@redhat.com>

	* region-model.cc (region_model::on_return): Replace usage of
	copy_region with get_rvalue/set_value pair.
	(region_model::pop_frame): Likewise.
	(selftest::test_compound_assignment): Likewise.
	* region-model.h (region_model::copy_region): Delete decl.
	* region.cc (region_model::copy_region): Delete.

2022-02-02  David Malcolm  <dmalcolm@redhat.com>

	* region.cc (region::calc_offset): Consolidate effectively
	identical cases.

2022-02-02  David Malcolm  <dmalcolm@redhat.com>

	* analyzer.h (class bit_range_region): New forward decl.
	* region-model-manager.cc (region_model_manager::get_bit_range):
	New.
	(region_model_manager::log_stats): Handle m_bit_range_regions.
	* region-model.cc (region_model::get_lvalue_1): Handle
	BIT_FIELD_REF.
	* region-model.h (region_model_manager::get_bit_range): New decl.
	(region_model_manager::m_bit_range_regions): New field.
	* region.cc (region::get_base_region): Handle RK_BIT_RANGE.
	(region::base_region_p): Likewise.
	(region::calc_offset): Likewise.
	(bit_range_region::dump_to_pp): New.
	(bit_range_region::get_byte_size): New.
	(bit_range_region::get_bit_size): New.
	(bit_range_region::get_byte_size_sval): New.
	(bit_range_region::get_relative_concrete_offset): New.
	* region.h (enum region_kind): Add RK_BIT_RANGE.
	(region::dyn_cast_bit_range_region): New vfunc.
	(class bit_range_region): New.
	(is_a_helper <const bit_range_region *>::test): New.
	(default_hash_traits<bit_range_region::key_t>): New.

2022-02-02  David Malcolm  <dmalcolm@redhat.com>

	PR analyzer/104270
	* region-model.cc (region_model::on_call_pre): Handle
	IFN_DEFERRED_INIT.

2022-01-27  David Malcolm  <dmalcolm@redhat.com>

	* checker-path.cc (event_kind_to_string): Handle
	EK_REGION_CREATION.
	(region_creation_event::region_creation_event): New.
	(region_creation_event::get_desc): New.
	(checker_path::add_region_creation_event): New.
	* checker-path.h (enum event_kind): Add EK_REGION_CREATION.
	(class region_creation_event): New subclass.
	(checker_path::add_region_creation_event): New decl.
	* diagnostic-manager.cc
	(diagnostic_manager::emit_saved_diagnostic): Pass NULL for new
	param to add_events_for_eedge when handling trailing eedge.
	(diagnostic_manager::build_emission_path): Create an interesting_t
	instance, allow the pending diagnostic to populate it, and pass it
	to the calls to add_events_for_eedge.
	(diagnostic_manager::add_events_for_eedge): Add "interest" param.
	Use it to add region_creation_events for on-stack regions created
	at function entry, and when pertinent dynamically-sized
	regions are created.
	(diagnostic_manager::prune_for_sm_diagnostic): Add case for
	EK_REGION_CREATION.
	* diagnostic-manager.h (diagnostic_manager::add_events_for_eedge):
	Add "interest" param.
	* pending-diagnostic.cc: Include "selftest.h", "tristate.h",
	"analyzer/call-string.h", "analyzer/program-point.h",
	"analyzer/store.h", and "analyzer/region-model.h".
	(interesting_t::add_region_creation): New.
	(interesting_t::dump_to_pp): New.
	* pending-diagnostic.h (struct interesting_t): New.
	(pending_diagnostic::mark_interesting_stuff): New vfunc.
	* region-model.cc
	(poisoned_value_diagnostic::poisoned_value_diagnostic): Add
	(poisoned_value_diagnostic::operator==): Compare m_pkind and
	m_src_region fields.
	(poisoned_value_diagnostic::mark_interesting_stuff): New.
	(poisoned_value_diagnostic::m_src_region): New.
	(region_model::check_for_poison): Call
	get_region_for_poisoned_expr for uninit values and pass the result
	to the diagnostic.
	(region_model::get_region_for_poisoned_expr): New.
	(region_model::deref_rvalue): Pass NULL for
	poisoned_value_diagnostic's src_region.
	* region-model.h (region_model::get_region_for_poisoned_expr): New
	decl.
	* region.h (frame_region::get_fndecl): New.

2022-01-27  Martin Liska  <mliska@suse.cz>

	PR analyzer/104247
	* constraint-manager.cc (bounded_ranges_manager::log_stats):
	Cast to long for format purpose.
	* region-model-manager.cc (log_uniq_map): Likewise.

2022-01-26  David Malcolm  <dmalcolm@redhat.com>

	PR analyzer/104224
	* region-model.cc (region_model::check_call_args): New.
	(region_model::on_call_pre): Call it when ignoring stdio builtins.
	* region-model.h (region_model::check_call_args): New decl.

2022-01-26  David Malcolm  <dmalcolm@redhat.com>

	PR analyzer/94362
	* constraint-manager.cc (range::add_bound): Fix tests for
	discarding redundant constraints.  Perform test for rejecting
	unsatisfiable constraints earlier so that they don't update
	the object on failure.
	(selftest::test_range): New.
	(selftest::test_constant_comparisons): Add test coverage for
	existing constraints becoming narrower until they are
	unsatisfiable.
	(selftest::run_constraint_manager_tests): Call test_range.

2022-01-22  David Malcolm  <dmalcolm@redhat.com>

	PR analyzer/104159
	* region-model-manager.cc
	(region_model_manager::get_or_create_cast): Bail out if the types
	are the same.  Don't attempt to handle casts involving vector
	types.

2022-01-20  David Malcolm  <dmalcolm@redhat.com>

	PR analyzer/94362
	* constraint-manager.cc (bound::ensure_closed): Convert param to
	enum bound_kind.
	(range::constrained_to_single_element): Likewise.
	(range::add_bound): New.
	(constraint_manager::add_constraint): Handle SVAL + OFFSET
	compared to a constant.
	(constraint_manager::get_ec_bounds): Rewrite in terms of
	range::add_bound.
	(constraint_manager::eval_condition): Reject if range::add_bound
	fails.
	(selftest::test_constant_comparisons): Add test coverage for
	various impossible combinations of integer comparisons.
	* constraint-manager.h (enum bound_kind): New.
	(struct bound): Likewise.
	(bound::ensure_closed): Convert param to enum bound_kind.
	(struct range): Convert to...
	(class range): ...this, making fields private.
	(range::add_bound): New decls.
	* region-model.cc (region_model::add_constraint): Fail if
	constraint_manager::add_constraint fails.

2022-01-18  David Malcolm  <dmalcolm@redhat.com>

	PR analyzer/104089
	* region-model-manager.cc
	(region_model_manager::get_or_create_constant_svalue): Assert that
	we have a CONSTANT_CLASS_P.
	(region_model_manager::maybe_fold_unaryop): Only fold a constant
	when fold_unary's result is a constant or a cast of a constant.

2022-01-18  David Malcolm  <dmalcolm@redhat.com>

	PR analyzer/104062
	* region-model-manager.cc
	(region_model_manager::maybe_fold_sub_svalue): Avoid casting to
	NULL type when folding access to repeated svalue.

2022-01-17  Martin Liska  <mliska@suse.cz>

	* analyzer.cc (is_special_named_call_p): Rename .c names to .cc.
	(is_named_call_p): Likewise.
	* region-model-asm.cc (deterministic_p): Likewise.
	* region.cc (field_region::get_relative_concrete_offset): Likewise.
	* sm-malloc.cc (method_p): Likewise.
	* supergraph.cc (superedge::dump_dot): Likewise.

2022-01-14  David Malcolm  <dmalcolm@redhat.com>

	* sm-taint.cc (taint_state_machine::combine_states): Handle combination
	of has_ub and has_lb.

2022-01-14  David Malcolm  <dmalcolm@redhat.com>

	PR analyzer/104029
	* sm-taint.cc (taint_state_machine::alt_get_inherited_state):
	Remove gcc_unreachable from default case for unary ops.

2022-01-14  David Malcolm  <dmalcolm@redhat.com>

	* engine.cc: Include "stringpool.h", "attribs.h", and
	"tree-dfa.h".
	(mark_params_as_tainted): New.
	(class tainted_args_function_custom_event): New.
	(class tainted_args_function_info): New.
	(exploded_graph::add_function_entry): Handle functions with
	"tainted_args" attribute.
	(class tainted_args_field_custom_event): New.
	(class tainted_args_callback_custom_event): New.
	(class tainted_args_call_info): New.
	(add_tainted_args_callback): New.
	(add_any_callbacks): New.
	(exploded_graph::build_initial_worklist): Likewise.
	(exploded_graph::build_initial_worklist): Find callbacks that are
	reachable from global initializers, calling add_any_callbacks on
	them.

2022-01-12  David Malcolm  <dmalcolm@redhat.com>

	PR analyzer/103940
	* engine.cc (impl_sm_context::impl_sm_context): Add
	"unknown_side_effects" param and use it to initialize
	new m_unknown_side_effects field.
	(impl_sm_context::unknown_side_effects_p): New.
	(impl_sm_context::m_unknown_side_effects): New.
	(exploded_node::on_stmt): Pass unknown_side_effects to sm_ctxt
	ctor.
	* sm-taint.cc: Include "stringpool.h" and "attribs.h".
	(tainted_size::tainted_size): Drop "dir" param.
	(tainted_size::get_kind): Drop "FINAL".
	(tainted_size::emit): Likewise.
	(tainted_size::m_dir): Drop unused field.
	(class tainted_access_attrib_size): New subclass.
	(taint_state_machine::on_stmt): Call check_for_tainted_size_arg on
	external functions with unknown side effects.
	(taint_state_machine::check_for_tainted_size_arg): New.
	(region_model::check_region_for_taint): Drop "dir" param from
	tainted_size ctor.
	* sm.h (sm_context::unknown_side_effects_p): New.

2022-01-11  David Malcolm  <dmalcolm@redhat.com>

	PR analyzer/102692
	* diagnostic-manager.cc
	(class auto_disable_complexity_checks): Rename to...
	(class auto_checking_feasibility): ...this, updating
	the calls accordingly.
	(epath_finder::explore_feasible_paths): Update for renaming.
	* region-model-manager.cc
	(region_model_manager::region_model_manager): Update for change from
	m_check_complexity to m_checking_feasibility.
	(region_model_manager::reject_if_too_complex): Likewise.
	(region_model_manager::get_or_create_unknown_svalue): Handle
	m_checking_feasibility.
	(region_model_manager::create_unique_svalue): New.
	(region_model_manager::maybe_fold_binop): Handle BIT_AND_EXPR and
	BIT_IOR_EXPRs on booleans where we know the result.
	* region-model.cc (test_binop_svalue_folding): Add test coverage
	for the above.
	* region-model.h (region_model_manager::create_unique_svalue): New
	decl.
	(region_model_manager::enable_complexity_check): Replace with...
	(region_model_manager::begin_checking_feasibility): ...this.
	(region_model_manager::disable_complexity_check): Replace with...
	(region_model_manager::end_checking_feasibility): ...this.
	(region_model_manager::m_check_complexity): Replace with...
	(region_model_manager::m_checking_feasibility): ...this.
	(region_model_manager::m_managed_dynamic_svalues): New field.

2022-01-08  David Malcolm  <dmalcolm@redhat.com>

	* engine.cc (impl_run_checkers): Pass logger to engine ctor.
	* region-model-manager.cc
	(region_model_manager::region_model_manager): Add logger param and
	use it to initialize m_logger.
	* region-model.cc (engine::engine): New.
	* region-model.h (region_model_manager::region_model_manager):
	Add logger param.
	(region_model_manager::get_logger): New.
	(region_model_manager::m_logger): New field.
	(engine::engine): New.
	* store.cc (store_manager::get_logger): New.
	(store::set_value): Log scope.  Log when marking a cluster as
	unknown due to possible aliasing.
	* store.h (store_manager::get_logger): New decl.

2022-01-08  David Malcolm  <dmalcolm@redhat.com>

	* region-model-impl-calls.cc (cmp_decls): New.
	(cmp_decls_ptr_ptr): New.
	(region_model::impl_call_analyzer_dump_escaped): New.
	* region-model.cc (region_model::on_stmt_pre): Handle
	__analyzer_dump_escaped.
	* region-model.h (region_model::impl_call_analyzer_dump_escaped):
	New decl.
	* store.h (binding_cluster::get_base_region): New accessor.

2022-01-08  David Malcolm  <dmalcolm@redhat.com>

	* region.cc (region::is_named_decl_p): New.
	* region.h (region::is_named_decl_p): New decl.

2022-01-06  David Malcolm  <dmalcolm@redhat.com>

	PR analyzer/103546
	* store.cc (store::eval_alias_1): Refactor handling of decl
	regions, adding a test for may_be_aliased, rejecting those for
	which it returns false.

2021-12-12  Jonathan Wakely  <jwakely@redhat.com>

	* engine.cc: Define INCLUDE_MEMORY instead of INCLUDE_UNIQUE_PTR.

2021-12-06  David Malcolm  <dmalcolm@redhat.com>

	PR analyzer/103533
	* constraint-manager.cc (equiv_class::contains_non_constant_p):
	New.
	(constraint_manager::canonicalize): Call it when determining
	redundant ECs.
	(selftest::test_purging): New selftest.
	(selftest::run_constraint_manager_tests): Likewise.
	* constraint-manager.h (equiv_class::contains_non_constant_p):
	New decl.

2021-12-01  David Malcolm  <dmalcolm@redhat.com>

	PR analyzer/102471
	* region-model-reachability.cc (reachable_regions::handle_parm):
	Treat all svalues within a compound parm as reachable, and those
	wrapped in a cast.

2021-11-29  David Malcolm  <dmalcolm@redhat.com>

	PR analyzer/103217
	* store.cc (binding_cluster::can_merge_p): For the "key is bound"
	vs "key is not bound" merger case, check that the bound svalue
	is mergeable before merging it to "unknown", rejecting the merger
	otherwise.

2021-11-19  David Malcolm  <dmalcolm@redhat.com>

	PR analyzer/103217
	* engine.cc (exploded_graph::get_or_create_node): Pass in
	m_ext_state to program_state::can_merge_with_p.
	(exploded_graph::process_worklist): Likewise.
	(exploded_graph::maybe_process_run_of_before_supernode_enodes):
	Likewise.
	(exploded_graph::process_node): Add missing call to detect_leaks
	when handling phi nodes.
	* program-state.cc (program_state::can_merge_with_p): Add
	"ext_state" param.  Pass it and state ptrs to
	region_model::can_merge_with_p.
	(selftest::test_program_state_merging): Update for new ext_state
	param of program_state::can_merge_with_p.
	(selftest::test_program_state_merging_2): Likewise.
	* program-state.h (program_state::can_purge_p): Make const.
	(program_state::can_merge_with_p): Add "ext_state" param.
	* region-model.cc: Include "analyzer/program-state.h".
	(region_model::can_merge_with_p): Add params "ext_state",
	"state_a", and "state_b", use them when creating model_merger
	object.
	(model_merger::mergeable_svalue_p): New.
	* region-model.h (region_model::can_merge_with_p): Add params
	"ext_state", "state_a", and "state_b".
	(model_merger::model_merger): Likewise, initializing new fields.
	(model_merger::mergeable_svalue_p): New decl.
	(model_merger::m_ext_state): New field.
	(model_merger::m_state_a): New field.
	(model_merger::m_state_b): New field.
	* svalue.cc (svalue::can_merge_p): Call
	model_merger::mergeable_svalue_p on both states and reject the
	merger accordingly.

2021-11-17  David Malcolm  <dmalcolm@redhat.com>

	PR analyzer/102695
	* region-model-impl-calls.cc (region_model::impl_call_strchr): New.
	* region-model-manager.cc
	(region_model_manager::maybe_fold_unaryop): Simplify cast to
	pointer type of an existing pointer to a region.
	* region-model.cc (region_model::on_call_pre): Handle
	BUILT_IN_STRCHR and "strchr".
	(write_to_const_diagnostic::emit): Add auto_diagnostic_group.  Add
	alternate wordings for functions and labels.
	(write_to_const_diagnostic::describe_final_event): Add alternate
	wordings for functions and labels.
	(region_model::check_for_writable_region): Handle RK_FUNCTION and
	RK_LABEL.
	* region-model.h (region_model::impl_call_strchr): New decl.

2021-11-16  David Malcolm  <dmalcolm@redhat.com>

	PR analyzer/102662
	* constraint-manager.cc (bounded_range::operator==): Require the
	types to be the same for equality.

2021-11-13  David Malcolm  <dmalcolm@redhat.com>

	* analyzer.opt (Wanalyzer-tainted-allocation-size): New.
	(Wanalyzer-tainted-divisor): New.
	(Wanalyzer-tainted-offset): New.
	(Wanalyzer-tainted-size): New.
	* engine.cc (impl_region_model_context::get_taint_map): New.
	* exploded-graph.h (impl_region_model_context::get_taint_map):
	New decl.
	* program-state.cc (sm_state_map::get_state): Call
	alt_get_inherited_state.
	(sm_state_map::impl_set_state): Modify states within
	compound svalues.
	(program_state::impl_call_analyzer_dump_state): Undo casts.
	(selftest::test_program_state_1): Update for new context param of
	create_region_for_heap_alloc.
	(selftest::test_program_state_merging): Likewise.
	* region-model-impl-calls.cc (region_model::impl_call_alloca):
	Likewise.
	(region_model::impl_call_calloc): Likewise.
	(region_model::impl_call_malloc): Likewise.
	(region_model::impl_call_operator_new): Likewise.
	(region_model::impl_call_realloc): Likewise.
	* region-model.cc (region_model::check_region_access): Call
	check_region_for_taint.
	(region_model::get_representative_path_var_1): Handle binops.
	(region_model::create_region_for_heap_alloc): Add "ctxt" param and
	pass it to set_dynamic_extents.
	(region_model::create_region_for_alloca): Likewise.
	(region_model::set_dynamic_extents): Add "ctxt" param and use it
	to call check_dynamic_size_for_taint.
	(selftest::test_state_merging): Update for new context param of
	create_region_for_heap_alloc.
	(selftest::test_malloc_constraints): Likewise.
	(selftest::test_malloc): Likewise.
	(selftest::test_alloca): Likewise for create_region_for_alloca.
	* region-model.h (region_model::create_region_for_heap_alloc): Add
	"ctxt" param.
	(region_model::create_region_for_alloca): Likewise.
	(region_model::set_dynamic_extents): Likewise.
	(region_model::check_dynamic_size_for_taint): New decl.
	(region_model::check_region_for_taint): New decl.
	(region_model_context::get_taint_map): New vfunc.
	(noop_region_model_context::get_taint_map): New.
	* sm-taint.cc: Remove include of "diagnostic-event-id.h"; add
	includes of "gimple-iterator.h", "tristate.h", "selftest.h",
	"ordered-hash-map.h", "cgraph.h", "cfg.h", "digraph.h",
	"analyzer/supergraph.h", "analyzer/call-string.h",
	"analyzer/program-point.h", "analyzer/store.h",
	"analyzer/region-model.h", and "analyzer/program-state.h".
	(enum bounds): Move to top of file.
	(class taint_diagnostic): New.
	(class tainted_array_index): Convert to subclass of taint_diagnostic.
	(tainted_array_index::emit): Add CWE-129.  Reword warning to use
	"attacker-controlled" rather than "tainted".
	(tainted_array_index::describe_state_change): Move to
	taint_diagnostic::describe_state_change.
	(tainted_array_index::describe_final_event): Reword to use
	"attacker-controlled" rather than "tainted".
	(class tainted_offset): New.
	(class tainted_size): New.
	(class tainted_divisor): New.
	(class tainted_allocation_size): New.
	(taint_state_machine::alt_get_inherited_state): New.
	(taint_state_machine::on_stmt): In assignment handling, remove
	ARRAY_REF handling in favor of check_region_for_taint.  Add
	detection of tainted divisors.
	(taint_state_machine::get_taint): New.
	(taint_state_machine::combine_states): New.
	(region_model::check_region_for_taint): New.
	(region_model::check_dynamic_size_for_taint): New.
	* sm.h (state_machine::alt_get_inherited_state): New.

2021-11-12  David Malcolm  <dmalcolm@redhat.com>

	* engine.cc (exploded_node::on_stmt_pre): Return when handling
	"__analyzer_dump_state".

2021-11-11  Richard Biener  <rguenther@suse.de>

	* supergraph.cc: Include bitmap.h.

2021-11-04  David Malcolm  <dmalcolm@redhat.com>

	* program-state.cc (sm_state_map::dump): Use default_tree_printer
	as format decoder.

2021-09-16  Maxim Blinov  <maxim.blinov@embecosm.com>

	PR bootstrap/102242
	* engine.cc (INCLUDE_UNIQUE_PTR): Define.

2021-09-08  David Malcolm  <dmalcolm@redhat.com>

	PR analyzer/102225
	* analyzer.h (compat_types_p): New decl.
	* constraint-manager.cc
	(constraint_manager::get_or_add_equiv_class): Guard against NULL
	type when checking for pointer types.
	* region-model-impl-calls.cc (region_model::impl_call_realloc):
	Guard against NULL lhs type/region.  Guard against the size value
	not being of a compatible type for dynamic extents.
	* region-model.cc (compat_types_p): Make non-static.

2021-08-30  David Malcolm  <dmalcolm@redhat.com>

	PR analyzer/99260
	* analyzer.h (class custom_edge_info): New class, adapted from
	exploded_edge::custom_info_t.  Make member functions const.
	Make update_model return bool, converting edge param from
	reference to a pointer, and adding a ctxt param.
	(class path_context): New class.
	* call-info.cc: New file.
	* call-info.h: New file.
	* engine.cc: Include "analyzer/call-info.h" and <memory>.
	(impl_region_model_context::impl_region_model_context): Update for
	new m_path_ctxt field.
	(impl_region_model_context::bifurcate): New.
	(impl_region_model_context::terminate_path): New.
	(impl_region_model_context::get_malloc_map): New.
	(impl_sm_context::impl_sm_context): Update for new m_path_ctxt
	field.
	(impl_sm_context::get_fndecl_for_call): Likewise.
	(impl_sm_context::set_next_state): Likewise.
	(impl_sm_context::warn): Likewise.
	(impl_sm_context::is_zero_assignment): Likewise.
	(impl_sm_context::get_path_context): New.
	(impl_sm_context::m_path_ctxt): New.
	(impl_region_model_context::on_condition): Update for new
	path_ctxt param.  Handle m_enode_for_diag being NULL.
	(impl_region_model_context::on_phi): Update for new path_ctxt
	param.
	(exploded_node::on_stmt): Add path_ctxt param, updating ctor calls
	to use it as necessary.  Use it to bail out after sm-handling,
	if needed.
	(exploded_node::detect_leaks): Update for new path_ctxt param.
	(dynamic_call_info_t::update_model): Update for conversion of
	exploded_edge::custom_info_t to custom_edge_info.
	(dynamic_call_info_t::add_events_to_path): Likewise.
	(rewind_info_t::update_model): Likewise.
	(rewind_info_t::add_events_to_path): Likewise.
	(exploded_edge::exploded_edge): Likewise.
	(exploded_graph::add_edge): Likewise.
	(exploded_graph::maybe_process_run_of_before_supernode_enodes):
	Update for new path_ctxt param.
	(class impl_path_context): New.
	(exploded_graph::process_node): Update for new path_ctxt param.
	Create an impl_path_context and pass it to exploded_node::on_stmt.
	Use it to terminate iterating stmts if terminate_path is called
	on it.  After processing a run of stmts, query path_ctxt to
	potentially terminate the analysis path, and/or to "bifurcate" the
	analysis into multiple additional paths.
	(feasibility_state::maybe_update_for_edge): Update for new
	update_model ctxt param.
	* exploded-graph.h
	(impl_region_model_context::impl_region_model_context): Add
	path_ctxt param.
	(impl_region_model_context::bifurcate): New.
	(impl_region_model_context::terminate_path): New.
	(impl_region_model_context::get_ext_state): New.
	(impl_region_model_context::get_malloc_map): New.
	(impl_region_model_context::m_path_ctxt): New field.
	(exploded_node::on_stmt): Add path_ctxt param.
	(class exploded_edge::custom_info_t): Move to analyzer.h, renaming
	to custom_edge_info, and making the changes as noted in analyzer.h
	above.
	(exploded_edge::exploded_edge): Update for these changes to
	exploded_edge::custom_info_t.
	(exploded_edge::m_custom_info): Likewise.
	(class dynamic_call_info_t): Likewise.
	(class rewind_info_t): Likewise.
	(exploded_graph::add_edge): Likewise.
	* program-state.cc (program_state::on_edge): Update for new
	path_ctxt param.
	(program_state::push_call): Likewise.
	(program_state::returning_call): Likewise.
	(program_state::prune_for_point): Likewise.
	* region-model-impl-calls.cc: Include "analyzer/call-info.h".
	(call_details::get_fndecl_for_call): New.
	(region_model::impl_call_realloc): Reimplement.
	* region-model.cc (region_model::on_call_pre): Move call to
	impl_call_realloc to...
	(region_model::on_call_post): ...here.  Consolidate creation
	of call_details instance.
	(noop_region_model_context::bifurcate): New.
	(noop_region_model_context::terminate_path): New.
	* region-model.h (call_details::get_call_stmt): New.
	(call_details::get_fndecl_for_call): New.
	(region_model::on_realloc_with_move): New.
	(region_model_context::bifurcate): New.
	(region_model_context::terminate_path): New.
	(region_model_context::get_ext_state): New.
	(region_model_context::get_malloc_map): New.
	(noop_region_model_context::bifurcate): New.
	(noop_region_model_context::terminate_path): New.
	(noop_region_model_context::get_ext_state): New.
	(noop_region_model_context::get_malloc_map): New.
	* sm-malloc.cc: Include "analyzer/program-state.h".
	(malloc_state_machine::on_realloc_call): Reimplement.
	(malloc_state_machine::on_realloc_with_move): New.
	(region_model::on_realloc_with_move): New.
	* sm-signal.cc (class signal_delivery_edge_info_t): Update for
	conversion from exploded_edge::custom_info_t to custom_edge_info.
	* sm.h (sm_context::get_path_context): New.
	* svalue.cc (svalue::maybe_get_constant): Call
	unwrap_any_unmergeable.

2021-08-25  Ankur Saini  <arsenic@sourceware.org>

	PR analyzer/101980
	* engine.cc (exploded_graph::maybe_create_dynamic_call): Don't create
	calls if max recursion limit is reached.

2021-08-23  David Malcolm  <dmalcolm@redhat.com>

	* analyzer.h (struct rejected_constraint): Convert to...
	(class rejected_constraint): ...this.
	(class bounded_ranges): New forward decl.
	(class bounded_ranges_manager): New forward decl.
	* constraint-manager.cc: Include "analyzer/analyzer-logging.h" and
	"tree-pretty-print.h".
	(can_plus_one_p): New.
	(plus_one): New.
	(can_minus_one_p): New.
	(minus_one): New.
	(bounded_range::bounded_range): New.
	(dump_cst): New.
	(bounded_range::dump_to_pp): New.
6931         (bounded_range::dump): New.
6932         (bounded_range::to_json): New.
6933         (bounded_range::set_json_attr): New.
6934         (bounded_range::contains_p): New.
6935         (bounded_range::intersects_p): New.
6936         (bounded_range::operator==): New.
6937         (bounded_range::cmp): New.
6938         (bounded_ranges::bounded_ranges): New.
6939         (bounded_ranges::bounded_ranges): New.
6940         (bounded_ranges::bounded_ranges): New.
6941         (bounded_ranges::canonicalize): New.
6942         (bounded_ranges::validate): New.
6943         (bounded_ranges::operator==): New.
6944         (bounded_ranges::dump_to_pp): New.
6945         (bounded_ranges::dump): New.
6946         (bounded_ranges::to_json): New.
6947         (bounded_ranges::eval_condition): New.
6948         (bounded_ranges::contain_p): New.
6949         (bounded_ranges::cmp): New.
6950         (bounded_ranges_manager::~bounded_ranges_manager): New.
6951         (bounded_ranges_manager::get_or_create_empty): New.
6952         (bounded_ranges_manager::get_or_create_point): New.
6953         (bounded_ranges_manager::get_or_create_range): New.
6954         (bounded_ranges_manager::get_or_create_union): New.
6955         (bounded_ranges_manager::get_or_create_intersection): New.
6956         (bounded_ranges_manager::get_or_create_inverse): New.
6957         (bounded_ranges_manager::consolidate): New.
6958         (bounded_ranges_manager::get_or_create_ranges_for_switch): New.
6959         (bounded_ranges_manager::create_ranges_for_switch): New.
6960         (bounded_ranges_manager::make_case_label_ranges): New.
6961         (bounded_ranges_manager::log_stats): New.
6962         (bounded_ranges_constraint::print): New.
6963         (bounded_ranges_constraint::to_json): New.
6964         (bounded_ranges_constraint::operator==): New.
6965         (bounded_ranges_constraint::add_to_hash): New.
6966         (constraint_manager::constraint_manager): Update for new field
6967         m_bounded_ranges_constraints.
6968         (constraint_manager::operator=): Likewise.
6969         (constraint_manager::hash): Likewise.
6970         (constraint_manager::operator==): Likewise.
6971         (constraint_manager::print): Likewise.
6972         (constraint_manager::dump_to_pp): Likewise.
6973         (constraint_manager::to_json): Likewise.
6974         (constraint_manager::add_unknown_constraint): Update the lhs_ec_id
6975         if necessary in existing constraints when combining equivalence
6976         classes.  Add similar code for handling
6977         m_bounded_ranges_constraints.
6978         (constraint_manager::add_constraint_internal): Add comment.
6979         (constraint_manager::add_bounded_ranges): New.
6980         (constraint_manager::eval_condition): Use new field
6981         m_bounded_ranges_constraints.
6982         (constraint_manager::purge): Update bounded_ranges_constraint
6983         instances.
6984         (constraint_manager::canonicalize): Update for new field.
6985         (merger_fact_visitor::on_ranges): New.
6986         (constraint_manager::for_each_fact): Use new field
6987         m_bounded_ranges_constraints.
6988         (constraint_manager::validate): Fix off-by-one error needed due
6989         to bug fixed above in add_unknown_constraint.  Validate the EC IDs
6990         in m_bounded_ranges_constraints.
6991         (constraint_manager::get_range_manager): New.
6992         (selftest::assert_dump_bounded_range_eq): New.
6993         (ASSERT_DUMP_BOUNDED_RANGE_EQ): New.
6994         (selftest::test_bounded_range): New.
6995         (selftest::assert_dump_bounded_ranges_eq): New.
6996         (ASSERT_DUMP_BOUNDED_RANGES_EQ): New.
6997         (selftest::test_bounded_ranges): New.
6998         (selftest::run_constraint_manager_tests): Call the new selftests.
6999         * constraint-manager.h (struct bounded_range): New.
7000         (struct bounded_ranges): New.
7001         (template <> struct default_hash_traits<bounded_ranges::key_t>): New.
7002         (class bounded_ranges_manager): New.
7003         (fact_visitor::on_ranges): New pure virtual function.
7004         (class bounded_ranges_constraint): New.
7005         (constraint_manager::add_bounded_ranges): New decl.
7006         (constraint_manager::get_range_manager): New decl.
7007         (constraint_manager::m_bounded_ranges_constraints): New field.
7008         * diagnostic-manager.cc (epath_finder::process_worklist_item):
7009         Transfer ownership of rc to add_feasibility_problem.
7010         * engine.cc (feasibility_problem::dump_to_pp): Use get_model.
7011         * feasible-graph.cc (infeasible_node::dump_dot): Update for
7012         conversion of m_rc to a pointer.
7013         (feasible_graph::add_feasibility_problem): Pass RC by pointer and
7014         take ownership.
7015         * feasible-graph.h (infeasible_node::infeasible_node): Pass RC by
7016         pointer and take ownership.
7017         (infeasible_node::~infeasible_node): New.
7018         (infeasible_node::m_rc): Convert to a pointer.
7019         (feasible_graph::add_feasibility_problem): Pass RC by pointer and
7020         take ownership.
7021         * region-model-manager.cc: Include
7022         "analyzer/constraint-manager.h".
7023         (region_model_manager::region_model_manager): Initialize new
7024         field m_range_mgr.
7025         (region_model_manager::~region_model_manager): Delete it.
7026         (region_model_manager::log_stats): Call log_stats on it.
7027         * region-model.cc (region_model::add_constraint): Use new subclass
7028         rejected_op_constraint.
7029         (region_model::apply_constraints_for_gswitch): Reimplement using
7030         bounded_ranges_manager.
7031         (rejected_constraint::dump_to_pp): Convert to...
7032         (rejected_op_constraint::dump_to_pp): ...this.
7033         (rejected_ranges_constraint::dump_to_pp): New.
7034         * region-model.h (struct purge_stats): Add field
7035         m_num_bounded_ranges_constraints.
7036         (region_model_manager::get_range_manager): New.
7037         (region_model_manager::m_range_mgr): New.
7038         (region_model::get_range_manager): New.
7039         (struct rejected_constraint): Split into...
7040         (class rejected_constraint): ...this new abstract base class,
7041         and...
7042         (class rejected_op_constraint): ...this new concrete subclass.
7043         (class rejected_ranges_constraint): New.
7044         * supergraph.cc: Include "tree-cfg.h".
7045         (supergraph::supergraph): Drop idx param from add_cfg_edge.
7046         (supergraph::add_cfg_edge): Drop idx param.
7047         (switch_cfg_superedge::switch_cfg_superedge): Move here from
7048         header.  Populate m_case_labels with all cases which go to DST.
7049         (switch_cfg_superedge::dump_label_to_pp): Reimplement to use
7050         m_case_labels.
7051         (switch_cfg_superedge::get_case_label): Delete.
7052         * supergraph.h (supergraph::add_cfg_edge): Drop "idx" param.
7053         (switch_cfg_superedge::switch_cfg_superedge): Drop idx param and
7054         move implementation to supergraph.cc.
7055         (switch_cfg_superedge::get_case_label): Delete.
7056         (switch_cfg_superedge::get_case_labels): New.
7057         (switch_cfg_superedge::m_idx): Delete.
7058         (switch_cfg_superedge::m_case_labels): New field.
7060 2021-08-23  David Malcolm  <dmalcolm@redhat.com>
7062         PR analyzer/101875
7063         * sm-file.cc (file_diagnostic::describe_state_change): Handle
7064         change.m_expr being NULL.
7066 2021-08-23  David Malcolm  <dmalcolm@redhat.com>
7068         PR analyzer/101837
7069         * analyzer.cc (maybe_reconstruct_from_def_stmt): Bail if fn is
7070         NULL, and assert that it's non-NULL before passing it to
7071         build_call_array_loc.
7073 2021-08-23  David Malcolm  <dmalcolm@redhat.com>
7075         PR analyzer/101962
7076         * region-model.cc (region_model::eval_condition_without_cm):
7077         Refactor comparison against zero, adding a check for
7078         POINTER_PLUS_EXPR of non-NULL.
7080 2021-08-23  David Malcolm  <dmalcolm@redhat.com>
7082         * store.cc (bit_range::intersects_p): New overload.
7083         (bit_range::operator-): New.
7084         (binding_cluster::maybe_get_compound_binding): Handle the partial
7085         overlap case.
7086         (selftest::test_bit_range_intersects_p): Add test coverage for
7087         new overload of bit_range::intersects_p.
7088         * store.h (bit_range::intersects_p): New overload.
7089         (bit_range::operator-): New.
7091 2021-08-23  Ankur Saini  <arsenic@sourceware.org>
7093         PR analyzer/102020
7094         * diagnostic-manager.cc
7095         (diagnostic_manager::prune_for_sm_diagnostic)<case EK_CALL_EDGE>: Fix typo.
7097 2021-08-21  Ankur Saini  <arsenic@sourceware.org>
7099         PR analyzer/101980
7100         * diagnostic-manager.cc
7101         (diagnostic_manager::prune_for_sm_diagnostic)<case EK_CALL_EDGE>: Use
7102         caller_model only when the supergraph_edge doesn't exist.
7103         (diagnostic_manager::prune_for_sm_diagnostic)<case EK_RETURN_EDGE>:
7104         Likewise.
7105         * engine.cc (exploded_graph::create_dynamic_call): Rename to...
7106         (exploded_graph::maybe_create_dynamic_call): ...this, return call
7107         creation status.
7108         (exploded_graph::process_node): Handle calls which were not dynamically
7109         discovered.
7110         * exploded-graph.h (exploded_graph::create_dynamic_call): Rename to...
7111         (exploded_graph::maybe_create_dynamic_call): ...this.
7112         * region-model.cc (region_model::update_for_gcall): New param, use it
7113         to push call to frame.
7114         (region_model::update_for_call_superedge): Pass callee function to
7115         update_for_gcall.
7116         * region-model.h (region_model::update_for_gcall): New param.
7118 2021-08-18  Ankur Saini  <arsenic@sourceware.org>
7120         PR analyzer/97114
7121         * region-model.cc (region_model::get_rvalue_1): Add case for
7122         OBJ_TYPE_REF.
7124 2021-08-18  Ankur Saini  <arsenic@sourceware.org>
7126         PR analyzer/100546
7127         * analysis-plan.cc (analysis_plan::use_summary_p): Don't use call
7128         summaries if there is no callgraph edge.
7129         * checker-path.cc (call_event::call_event): Handle calls events that
7130         are not represented by a supergraph call edge.
7131         (return_event::return_event): Likewise.
7132         (call_event::get_desc): Work with new call_event structure.
7133         (return_event::get_desc): Likewise.
7134         * checker-path.h (call_event::m_src_snode): New field.
7135         (call_event::m_dest_snode): New field.
7136         (return_event::m_src_snode): New field.
7137         (return_event::m_dest_snode): New field.
7138         * diagnostic-manager.cc
7139         (diagnostic_manager::prune_for_sm_diagnostic)<case EK_CALL_EDGE>:
7140         Refactor to work with edges without callgraph edge.
7141         (diagnostic_manager::prune_for_sm_diagnostic)<case EK_RETURN_EDGE>:
7142         Likewise.
7143         * engine.cc (dynamic_call_info_t::update_model): New function.
7144         (dynamic_call_info_t::add_events_to_path): New function.
7145         (exploded_graph::create_dynamic_call): New function.
7146         (exploded_graph::process_node): Work with dynamically discovered calls.
7147         * exploded-graph.h (class dynamic_call_info_t): New class.
7148         (exploded_graph::create_dynamic_call): New decl.
7149         * program-point.cc (program_point::push_to_call_stack): New function.
7150         (program_point::pop_from_call_stack): New function.
7151         * program-point.h (program_point::push_to_call_stack): New decl.
7152         (program_point::pop_from_call_stack): New decl.
7153         * program-state.cc (program_state::push_call): New function.
7154         (program_state::returning_call): New function.
7155         * program-state.h (program_state::push_call): New decl.
7156         (program_state::returning_call): New decl.
7157         * region-model.cc (region_model::update_for_gcall): New function.
7158         (region_model::update_for_return_gcall): New function.
7159         (region_model::update_for_call_superedge): Get the underlying gcall and
7160         update for gcall.
7161         (region_model::update_for_return_superedge): Likewise.
7162         * region-model.h (region_model::update_for_gcall): New decl.
7163         (region_model::update_for_return_gcall): New decl.
7164         * state-purge.cc (state_purge_per_ssa_name::process_point): Update to
7165         work with calls without underlying cgraph edge.
7166         * supergraph.cc (supergraph::supergraph): Split snodes at every callsite.
7167         * supergraph.h (supernode::get_returning_call): New accessor.
7169 2021-08-04  David Malcolm  <dmalcolm@redhat.com>
7171         PR analyzer/101570
7172         * analyzer.cc (maybe_reconstruct_from_def_stmt): Add GIMPLE_ASM
7173         case.
7174         * analyzer.h (class asm_output_svalue): New forward decl.
7175         (class reachable_regions): New forward decl.
7176         * complexity.cc (complexity::from_vec_svalue): New.
7177         * complexity.h (complexity::from_vec_svalue): New decl.
7178         * engine.cc (feasibility_state::maybe_update_for_edge): Handle
7179         asm stmts by calling on_asm_stmt.
7180         * region-model-asm.cc: New file.
7181         * region-model-manager.cc
7182         (region_model_manager::maybe_fold_asm_output_svalue): New.
7183         (region_model_manager::get_or_create_asm_output_svalue): New.
7184         (region_model_manager::log_stats): Log m_asm_output_values_map.
7185         * region-model.cc (region_model::on_stmt_pre): Handle GIMPLE_ASM.
7186         * region-model.h (visitor::visit_asm_output_svalue): New.
7187         (region_model_manager::get_or_create_asm_output_svalue): New decl.
7188         (region_model_manager::maybe_fold_asm_output_svalue): New decl.
7189         (region_model_manager::asm_output_values_map_t): New typedef.
7190         (region_model_manager::m_asm_output_values_map): New field.
7191         (region_model::on_asm_stmt): New.
7192         * store.cc (binding_cluster::on_asm): New.
7193         * store.h (binding_cluster::on_asm): New decl.
7194         * svalue.cc (svalue::cmp_ptr): Handle SK_ASM_OUTPUT.
7195         (asm_output_svalue::dump_to_pp): New.
7196         (asm_output_svalue::dump_input): New.
7197         (asm_output_svalue::input_idx_to_asm_idx): New.
7198         (asm_output_svalue::accept): New.
7199         * svalue.h (enum svalue_kind): Add SK_ASM_OUTPUT.
7200         (svalue::dyn_cast_asm_output_svalue): New.
7201         (class asm_output_svalue): New.
7202         (is_a_helper <const asm_output_svalue *>::test): New.
7203         (struct default_hash_traits<asm_output_svalue::key_t>): New.
7205 2021-08-03  Jakub Jelinek  <jakub@redhat.com>
7207         PR analyzer/101721
7208         * sm-malloc.cc (known_allocator_p): Only check DECL_FUNCTION_CODE on
7209         BUILT_IN_NORMAL builtins.
7211 2021-07-29  Ankur Saini  <arsenic@sourceware.org>
7213         * call-string.cc (call_string::element_t::operator==): New operator.
7214         (call_string::element_t::operator!=): New operator.
7215         (call_string::element_t::get_caller_function): New function.
7216         (call_string::element_t::get_callee_function): New function.
7217         (call_string::call_string): Refactor to initialise m_elements.
7218         (call_string::operator=): Refactor to work with m_elements.
7219         (call_string::operator==): Likewise.
7220         (call_string::to_json): Likewise.
7221         (call_string::hash): Refactor to hash e.m_caller.
7222         (call_string::push_call): Refactor to work with m_elements.
7223         (call_string::push_call): New overload to push call via supernodes.
7224         (call_string::pop): Refactor to work with m_elements.
7225         (call_string::calc_recursion_depth): Likewise.
7226         (call_string::cmp): Likewise.
7227         (call_string::validate): Likewise.
7228         (call_string::operator[]): Likewise.
7229         * call-string.h (class supernode): New forward decl.
7230         (struct call_string::element_t): New struct.
7231         (call_string::call_string): Refactor to initialise m_elements.
7232         (call_string::empty_p): Refactor to work with m_elements.
7233         (call_string::get_callee_node): New decl.
7234         (call_string::get_caller_node): New decl.
7235         (m_elements): Replaces m_return_edges.
7236         * program-point.cc (program_point::get_function_at_depth): Refactor to
7237         work with new call-string format.
7238         (program_point::validate): Likewise.
7239         (program_point::on_edge): Likewise.
7241 2021-07-28  David Malcolm  <dmalcolm@redhat.com>
7243         * region-model.cc (region_model::on_call_pre): Treat
7244         IFN_UBSAN_BOUNDS, BUILT_IN_STACK_SAVE, and BUILT_IN_STACK_RESTORE
7245         as no-ops, rather than handling them as unknown functions.
7247 2021-07-28  David Malcolm  <dmalcolm@redhat.com>
7249         * region-model-impl-calls.cc (region_model::impl_call_alloca):
7250         Drop redundant return value.
7251         (region_model::impl_call_builtin_expect): Likewise.
7252         (region_model::impl_call_calloc): Likewise.
7253         (region_model::impl_call_malloc): Likewise.
7254         (region_model::impl_call_memset): Likewise.
7255         (region_model::impl_call_operator_new): Likewise.
7256         (region_model::impl_call_operator_delete): Likewise.
7257         (region_model::impl_call_strlen): Likewise.
7258         * region-model.cc (region_model::on_call_pre): Fix return value of
7259         known functions that don't have unknown side-effects.
7260         * region-model.h (region_model::impl_call_alloca): Drop redundant
7261         return value.
7262         (region_model::impl_call_builtin_expect): Likewise.
7263         (region_model::impl_call_calloc): Likewise.
7264         (region_model::impl_call_malloc): Likewise.
7265         (region_model::impl_call_memset): Likewise.
7266         (region_model::impl_call_strlen): Likewise.
7267         (region_model::impl_call_operator_new): Likewise.
7268         (region_model::impl_call_operator_delete): Likewise.
7270 2021-07-28  Siddhesh Poyarekar  <siddhesh@gotplt.org>
7272         * analyzer.cc (is_named_call_p, is_std_named_call_p): Make
7273         first argument a const_tree.
7274         * analyzer.h (is_named_call_p, is_std_named_call_p): Likewise.
7275         * sm-malloc.cc (known_allocator_p): New function.
7276         (malloc_state_machine::on_stmt): Use it.
7278 2021-07-28  Siddhesh Poyarekar  <siddhesh@gotplt.org>
7280         * sm-malloc.cc
7281         (malloc_state_machine::get_or_create_deallocator): Recognize
7282         __builtin_free.
7284 2021-07-26  David Malcolm  <dmalcolm@redhat.com>
7286         * region-model.cc (region_model::on_call_pre): Always set conjured
7287         LHS, not just for SSA names.
7289 2021-07-23  David Malcolm  <dmalcolm@redhat.com>
7291         * diagnostic-manager.cc
7292         (class auto_disable_complexity_checks): New.
7293         (epath_finder::explore_feasible_paths): Use it to disable
7294         complexity checks whilst processing the worklist.
7295         * region-model-manager.cc
7296         (region_model_manager::region_model_manager): Initialize
7297         m_check_complexity.
7298         (region_model_manager::reject_if_too_complex): Bail if
7299         m_check_complexity is false.
7300         * region-model.h
7301         (region_model_manager::enable_complexity_check): New.
7302         (region_model_manager::disable_complexity_check): New.
7303         (region_model_manager::m_check_complexity): New.
7305 2021-07-21  David Malcolm  <dmalcolm@redhat.com>
7307         PR analyzer/101547
7308         * sm-file.cc (file_leak::emit): Handle m_arg being NULL.
7309         (file_leak::describe_final_event): Handle ev.m_expr being NULL.
7311 2021-07-21  David Malcolm  <dmalcolm@redhat.com>
7313         PR analyzer/101522
7314         * store.cc (binding_cluster::purge_state_involving): Don't change
7315         m_map whilst iterating through it.
7317 2021-07-21  David Malcolm  <dmalcolm@redhat.com>
7319         * region-model.cc (region_model::handle_phi): Add "old_state"
7320         param and use it.
7321         (region_model::update_for_phis): Update so that all of the phi
7322         stmts are effectively handled simultaneously, rather than in
7323         order.
7324         * region-model.h (region_model::handle_phi): Add "old_state"
7325         param.
7326         * state-purge.cc (self_referential_phi_p): Replace with...
7327         (name_used_by_phis_p): ...this new function.
7328         (state_purge_per_ssa_name::process_point): Update to use the
7329         above, so that all phi stmts at a basic block are effectively
7330         considered simultaneously, and only consider the phi arguments for
7331         the pertinent in-edge.
7332         * supergraph.cc (cfg_superedge::get_phi_arg_idx): New.
7333         (cfg_superedge::get_phi_arg): Use the above.
7334         * supergraph.h (cfg_superedge::get_phi_arg_idx): New decl.
7336 2021-07-21  David Malcolm  <dmalcolm@redhat.com>
7338         * state-purge.cc (state_purge_annotator::add_node_annotations):
7339         Rather than erroneously always using the NULL in-edge, determine
7340         each relevant in-edge, and print the appropriate data for each
7341         in-edge.  Use print_needed to print the data as comma-separated
7342         lists of SSA names.
7343         (print_vec_of_names): Add "within_table" param and use it.
7344         (state_purge_annotator::add_stmt_annotations): Factor out
7345         collation and printing code into...
7346         (state_purge_annotator::print_needed): ...this new function.
7347         * state-purge.h (state_purge_annotator::print_needed): New decl.
7349 2021-07-21  David Malcolm  <dmalcolm@redhat.com>
7351         * program-point.cc (function_point::print): Show src BB index at
7352         BEFORE_SUPERNODE.
7354 2021-07-21  David Malcolm  <dmalcolm@redhat.com>
7356         * svalue.cc (infix_p): New.
7357         (binop_svalue::dump_to_pp): Use it to print MIN_EXPR and MAX_EXPR
7358         in prefix form, rather than infix.
7360 2021-07-19  David Malcolm  <dmalcolm@redhat.com>
7362         PR analyzer/101503
7363         * constraint-manager.cc (constraint_manager::add_constraint): Use
7364         can_have_associated_state_p rather than testing for unknown.
7365         (constraint_manager::get_or_add_equiv_class): Likewise.
7366         * program-state.cc (sm_state_map::set_state): Likewise.
7367         (sm_state_map::impl_set_state): Add assertion.
7368         * region-model-manager.cc
7369         (region_model_manager::maybe_fold_unaryop): Handle poisoned
7370         values.
7371         (region_model_manager::maybe_fold_binop): Move handling of unknown
7372         values...
7373         (region_model_manager::get_or_create_binop): ...to here, and
7374         generalize to use can_have_associated_state_p.
7375         (region_model_manager::maybe_fold_sub_svalue): Use
7376         can_have_associated_state_p rather than testing for unknown.
7377         (region_model_manager::maybe_fold_repeated_svalue): Use unknown
7378         when the size or repeated value is "unknown"/"poisoned".
7379         * region-model.cc (region_model::purge_state_involving): Reject
7380         attempts to purge unknown/poisoned svalues, as these svalues
7381         should not have state associated with them.
7382         * svalue.cc (sub_svalue::sub_svalue): Assert that we're building
7383         on top of an svalue with can_have_associated_state_p.
7384         (repeated_svalue::repeated_svalue): Likewise.
7385         (bits_within_svalue::bits_within_svalue): Likewise.
7386         * svalue.h (svalue::can_have_associated_state_p): New.
7387         (unknown_svalue::can_have_associated_state_p): New.
7388         (poisoned_svalue::can_have_associated_state_p): New.
7389         (unaryop_svalue::unaryop_svalue): Assert that we're building on
7390         top of an svalue with can_have_associated_state_p.
7391         (binop_svalue::binop_svalue): Likewise.
7392         (widening_svalue::widening_svalue): Likewise.
7394 2021-07-16  David Malcolm  <dmalcolm@redhat.com>
7396         * analyzer.h (enum access_direction): New.
7397         * engine.cc (exploded_node::on_longjmp): Update for new param of
7398         get_store_value.
7399         * program-state.cc (program_state::prune_for_point): Likewise.
7400         * region-model-impl-calls.cc (region_model::impl_call_memcpy):
7401         Replace call to check_for_writable_region with call to
7402         check_region_for_write.
7403         (region_model::impl_call_memset): Likewise.
7404         (region_model::impl_call_strcpy): Likewise.
7405         * region-model-reachability.cc (reachable_regions::add): Update
7406         for new param of get_store_value.
7407         * region-model.cc (region_model::get_rvalue_1): Likewise, also for
7408         get_rvalue_for_bits.
7409         (region_model::get_store_value): Add ctxt param and use it to call
7410         check_region_for_read.
7411         (region_model::get_rvalue_for_bits): Add ctxt param and use it to
7412         call get_store_value.
7413         (region_model::check_region_access): New.
7414         (region_model::check_region_for_write): New.
7415         (region_model::check_region_for_read): New.
7416         (region_model::set_value): Update comment.  Replace call to
7417         check_for_writable_region with call to check_region_for_write.
7418         * region-model.h (region_model::get_rvalue_for_bits): Add ctxt
7419         param.
7420         (region_model::get_store_value): Add ctxt param.
7421         (region_model::check_region_access): New decl.
7422         (region_model::check_region_for_write): New decl.
7423         (region_model::check_region_for_read): New decl.
7424         * region.cc (region_model::copy_region): Update call to
7425         get_store_value.
7426         * svalue.cc (initial_svalue::implicitly_live_p): Likewise.
7428 2021-07-16  David Malcolm  <dmalcolm@redhat.com>
7430         * engine.cc (exploded_node::on_stmt_pre): Handle
7431         __analyzer_dump_state.
7432         * program-state.cc (extrinsic_state::get_sm_idx_by_name): New.
7433         (program_state::impl_call_analyzer_dump_state): New.
7434         * program-state.h (extrinsic_state::get_sm_idx_by_name): New decl.
7435         (program_state::impl_call_analyzer_dump_state): New decl.
7436         * region-model-impl-calls.cc
7437         (call_details::get_arg_string_literal): New.
7438         * region-model.h (call_details::get_arg_string_literal): New decl.
7440 2021-07-16  David Malcolm  <dmalcolm@redhat.com>
7442         * program-state.cc (program_state::detect_leaks): Simplify using
7443         svalue::maybe_get_region.
7444         * region-model-impl-calls.cc (region_model::impl_call_fgets): Likewise.
7445         (region_model::impl_call_fread): Likewise.
7446         (region_model::impl_call_free): Likewise.
7447         (region_model::impl_call_operator_delete): Likewise.
7448         * region-model.cc (selftest::test_stack_frames): Likewise.
7449         (selftest::test_state_merging): Likewise.
7450         * svalue.cc (svalue::maybe_get_region): New.
7451         * svalue.h (svalue::maybe_get_region): New decl.
7453 2021-07-15  David Malcolm  <dmalcolm@redhat.com>
7455         * svalue.h (is_a_helper <placeholder_svalue *>::test): Make
7456         param and template param const.
7457         (is_a_helper <widening_svalue *>::test): Likewise.
7458         (is_a_helper <compound_svalue *>::test): Likewise.
7459         (is_a_helper <conjured_svalue *>::test): Likewise.
7461 2021-07-15  David Malcolm  <dmalcolm@redhat.com>
7463         PR analyzer/95006
7464         PR analyzer/94713
7465         PR analyzer/94714
7466         * analyzer.cc (maybe_reconstruct_from_def_stmt): Split out
7467         GIMPLE_ASSIGN case into...
7468         (get_diagnostic_tree_for_gassign_1): New.
7469         (get_diagnostic_tree_for_gassign): New.
7470         * analyzer.h (get_diagnostic_tree_for_gassign): New decl.
7471         * analyzer.opt (Wanalyzer-write-to-string-literal): New.
7472         * constraint-manager.cc (class svalue_purger): New.
7473         (constraint_manager::purge_state_involving): New.
7474         * constraint-manager.h
7475         (constraint_manager::purge_state_involving): New.
7476         * diagnostic-manager.cc (saved_diagnostic::supercedes_p): New.
7477         (dedupe_winners::handle_interactions): New.
7478         (diagnostic_manager::emit_saved_diagnostics): Call it.
7479         * diagnostic-manager.h (saved_diagnostic::supercedes_p): New decl.
7480         * engine.cc (impl_region_model_context::warn): Convert return type
7481         to bool.  Return false if the diagnostic isn't saved.
7482         (impl_region_model_context::purge_state_involving): New.
7483         (impl_sm_context::get_state): Use NULL ctxt when querying old
7484         rvalue.
7485         (impl_sm_context::set_next_state): Use new sval when querying old
7486         state.
7487         (class dump_path_diagnostic): Move to region-model.cc.
7488         (exploded_node::on_stmt): Move to on_stmt_pre and on_stmt_post.
7489         Remove call to purge_state_involving.
7490         (exploded_node::on_stmt_pre): New, based on the above.  Move most
7491         of it to region_model::on_stmt_pre.
7492         (exploded_node::on_stmt_post): Likewise, moving to
7493         region_model::on_stmt_post.
7494         (class stale_jmp_buf): Fix parent class to use curiously recurring
7495         template pattern.
7496         (feasibility_state::maybe_update_for_edge): Call on_call_pre and
7497         on_call_post on gcalls.
7498         * exploded-graph.h (impl_region_model_context::warn): Return bool.
7499         (impl_region_model_context::purge_state_involving): New decl.
7500         (exploded_node::on_stmt_pre): New decl.
7501         (exploded_node::on_stmt_post): New decl.
7502         * pending-diagnostic.h (pending_diagnostic::use_of_uninit_p): New.
7503         (pending_diagnostic::supercedes_p): New.
7504         * program-state.cc (sm_state_map::get_state): Inherit state for
7505         conjured_svalue as well as initial_svalue.
7506         (sm_state_map::purge_state_involving): Also support SK_CONJURED.
7507         * region-model-impl-calls.cc (call_details::get_uncertainty):
7508         Handle m_ctxt being NULL.
7509         (call_details::get_or_create_conjured_svalue): New.
7510         (region_model::impl_call_fgets): New.
7511         (region_model::impl_call_fread): New.
7512         * region-model-manager.cc
7513         (region_model_manager::get_or_create_initial_value): Return an
7514         uninitialized poisoned value for regions that can't have initial
7515         values.
7516         * region-model-reachability.cc
7517         (reachable_regions::mark_escaped_clusters): Handle ctxt being
7518         NULL.
7519         * region-model.cc (region_to_value_map::purge_state_involving): New.
7520         (poisoned_value_diagnostic::use_of_uninit_p): New.
7521         (poisoned_value_diagnostic::emit): Handle POISON_KIND_UNINIT.
7522         (poisoned_value_diagnostic::describe_final_event): Likewise.
7523         (region_model::check_for_poison): New.
7524         (region_model::on_assignment): Call it.
7525         (class dump_path_diagnostic): Move here from engine.cc.
7526         (region_model::on_stmt_pre): New, based on exploded_node::on_stmt.
7527         (region_model::on_call_pre): Move the setting of the LHS to a
7528         conjured svalue to before the checks for specific functions.
7529         Handle "fgets", "fgets_unlocked", and "fread".
7530         (region_model::purge_state_involving): New.
7531         (region_model::handle_unrecognized_call): Handle ctxt being NULL.
7532         (region_model::get_rvalue): Call check_for_poison.
7533         (selftest::test_stack_frames): Use NULL for context when getting
7534         uninitialized rvalue.
7535         (selftest::test_alloca): Likewise.
7536         * region-model.h (region_to_value_map::purge_state_involving): New
7537         decl.
7538         (call_details::get_or_create_conjured_svalue): New decl.
7539         (region_model::on_stmt_pre): New decl.
7540         (region_model::purge_state_involving): New decl.
7541         (region_model::impl_call_fgets): New decl.
7542         (region_model::impl_call_fread): New decl.
7543         (region_model::check_for_poison): New decl.
7544         (region_model_context::warn): Return bool.
7545         (region_model_context::purge_state_involving): New.
7546         (noop_region_model_context::warn): Return bool.
7547         (noop_region_model_context::purge_state_involving): New.
7548         (test_region_model_context::warn): Return bool.
7549         * region.cc (region::get_memory_space): New.
7550         (region::can_have_initial_svalue_p): New.
7551         (region::involves_p): New.
7552         * region.h (enum memory_space): New.
7553         (region::get_memory_space): New decl.
7554         (region::can_have_initial_svalue_p): New decl.
7555         (region::involves_p): New decl.
7556         * sm-malloc.cc (use_after_free::supercedes_p): New.
7557         * store.cc (binding_cluster::purge_state_involving): New.
7558         (store::purge_state_involving): New.
7559         * store.h (class symbolic_binding): New forward decl.
7560         (binding_key::dyn_cast_symbolic_binding): New.
7561         (symbolic_binding::dyn_cast_symbolic_binding): New.
7562         (binding_cluster::purge_state_involving): New.
7563         (store::purge_state_involving): New.
7564         * svalue.cc (svalue::can_merge_p): Reject attempts to merge
7565         poisoned svalues with other svalues, so that we identify
7566         paths in which a variable is conditionally uninitialized.
7567         (involvement_visitor::visit_conjured_svalue): New.
7568         (svalue::involves_p): Also handle SK_CONJURED.
7569         (poison_kind_to_str): Handle POISON_KIND_UNINIT.
7570         (poisoned_svalue::maybe_fold_bits_within): New.
7571         * svalue.h (enum poison_kind): Add POISON_KIND_UNINIT.
7572         (poisoned_svalue::maybe_fold_bits_within): New decl.
7574 2021-07-15  David Malcolm  <dmalcolm@redhat.com>
7576         * analyzer.opt (fdump-analyzer-exploded-paths): New.
7577         * diagnostic-manager.cc
7578         (diagnostic_manager::emit_saved_diagnostic): Implement it.
7579         * engine.cc (exploded_path::dump_to_pp): Add ext_state param and
7580         use it to dump states if non-NULL.
7581         (exploded_path::dump): Likewise.
7582         (exploded_path::dump_to_file): New.
7583         * exploded-graph.h (exploded_path::dump_to_pp): Add ext_state
7584         param.
7585         (exploded_path::dump): Likewise.
7586         (exploded_path::dump): Likewise.
7587         (exploded_path::dump_to_file): New.
7589 2021-07-15  David Malcolm  <dmalcolm@redhat.com>
7591         * analyzer.cc (fixup_tree_for_diagnostic_1): Use DECL_DEBUG_EXPR
7592         if it's available.
7593         * engine.cc (readability): Likewise.
7595 2021-07-15  David Malcolm  <dmalcolm@redhat.com>
7597         * state-purge.cc (self_referential_phi_p): New.
7598         (state_purge_per_ssa_name::process_point): Don't purge an SSA name
7599         at its def-stmt if the def-stmt is self-referential.
7601 2021-07-07  David Malcolm  <dmalcolm@redhat.com>
7603         * diagnostic-manager.cc (null_assignment_sm_context::get_state):
7604         New overload.
7605         (null_assignment_sm_context::set_next_state): New overload.
7606         (null_assignment_sm_context::get_diagnostic_tree): New.
7607         * engine.cc (impl_sm_context::get_state): New overload.
7608         (impl_sm_context::set_next_state): New overload.
7609         (impl_sm_context::get_diagnostic_tree): New overload.
7610         (impl_region_model_context::on_condition): Convert params from
7611         tree to const svalue *.
7612         * exploded-graph.h (impl_region_model_context::on_condition):
7613         Likewise.
7614         * region-model.cc (region_model::on_call_pre): Move handling of
7615         internal calls to before checking for get_fndecl_for_call.
7616         (region_model::add_constraints_from_binop): New.
7617         (region_model::add_constraint): Split out into a new overload
7618         working on const svalue * rather than tree.  Call
7619         add_constraints_from_binop.  Drop call to
7620         add_any_constraints_from_ssa_def_stmt.
7621         (region_model::add_any_constraints_from_ssa_def_stmt): Delete.
7622         (region_model::add_any_constraints_from_gassign): Delete.
7623         (region_model::add_any_constraints_from_gcall): Delete.
7624         * region-model.h
7625         (region_model::add_any_constraints_from_ssa_def_stmt): Delete.
7626         (region_model::add_any_constraints_from_gassign): Delete.
7627         (region_model::add_any_constraints_from_gcall): Delete.
7628         (region_model::add_constraint): Add overload decl.
7629         (region_model::add_constraints_from_binop): New decl.
7630         (region_model_context::on_condition): Convert params from tree to
7631         const svalue *.
7632         (noop_region_model_context::on_condition): Likewise.
7633         * sm-file.cc (fileptr_state_machine::condition): Likewise.
7634         * sm-malloc.cc (malloc_state_machine::on_condition): Likewise.
7635         * sm-pattern-test.cc: Include tristate.h, selftest.h,
7636         analyzer/call-string.h, analyzer/program-point.h,
7637         analyzer/store.h, and analyzer/region-model.h.
7638         (pattern_test_state_machine::on_condition): Convert params from tree to
7639         const svalue *.
7640         * sm-sensitive.cc (sensitive_state_machine::on_condition): Delete.
7641         * sm-signal.cc (signal_state_machine::on_condition): Delete.
7642         * sm-taint.cc (taint_state_machine::on_condition): Convert params
7643         from tree to const svalue *.
7644         * sm.cc: Include tristate.h, selftest.h, analyzer/call-string.h,
7645         analyzer/program-point.h, analyzer/store.h, and
7646         analyzer/region-model.h.
7647         (any_pointer_p): Add overload taking const svalue *sval.
7648         * sm.h (any_pointer_p): Add overload taking const svalue *sval.
7649         (state_machine::on_condition): Convert params from tree to
7650         const svalue *.  Provide no-op default implementation.
7651         (sm_context::get_state): Add overload taking const svalue *sval.
7652         (sm_context::set_next_state): Likewise.
7653         (sm_context::on_transition): Likewise.
7654         (sm_context::get_diagnostic_tree): Likewise.
7655         * svalue.cc (svalue::all_zeroes_p): New.
7656         (constant_svalue::all_zeroes_p): New.
7657         (repeated_svalue::all_zeroes_p): Convert to vfunc.
7658         * svalue.h (svalue::all_zeroes_p): New decl.
7659         (constant_svalue::all_zeroes_p): New decl.
7660         (repeated_svalue::all_zeroes_p): Convert decl to vfunc.
7662 2021-06-30  David Malcolm  <dmalcolm@redhat.com>
7664         PR analyzer/95006
7665         * analyzer.h (class repeated_svalue): New forward decl.
7666         (class bits_within_svalue): New forward decl.
7667         (class sized_region): New forward decl.
7668         (get_field_at_bit_offset): New forward decl.
7669         * engine.cc (exploded_graph::get_or_create_node): Validate the
7670         merged state.
7671         (exploded_graph::maybe_process_run_of_before_supernode_enodes):
7672         Validate the states at each stage.
7673         * program-state.cc (program_state::validate): Validate
7674         m_region_model.
7675         * region-model-impl-calls.cc (region_model::impl_call_memset):
7676         Replace special-case logic for handling constant sizes with
7677         a call to fill_region of a sized_region with the given fill value.
7678         * region-model-manager.cc (maybe_undo_optimize_bit_field_compare):
7679         Drop DK_direct.
7680         (region_model_manager::maybe_fold_sub_svalue): Fold element-based
7681         subregions of an initial value into initial values of an element.
7682         Fold subvalues of repeated svalues.
7683         (region_model_manager::maybe_fold_repeated_svalue): New.
7684         (region_model_manager::get_or_create_repeated_svalue): New.
7685         (get_bit_range_for_field): New.
7686         (get_byte_range_for_field): New.
7687         (get_field_at_byte_range): New.
7688         (region_model_manager::maybe_fold_bits_within_svalue): New.
7689         (region_model_manager::get_or_create_bits_within): New.
7690         (region_model_manager::get_sized_region): New.
7691         (region_model_manager::log_stats): Update for addition of
7692         m_repeated_values_map, m_bits_within_values_map, and
7693         m_sized_regions.
7694         * region-model.cc (region_model::validate): New.
7695         (region_model::on_assignment): Drop enum binding_kind.
7696         (region_model::get_initial_value_for_global): Likewise.
7697         (region_model::get_rvalue_for_bits): Replace body with call to
7698         get_or_create_bits_within.
7699         (region_model::get_capacity): Handle RK_SIZED.
7700         (region_model::set_value): Drop enum binding_kind.
7701         (region_model::fill_region): New.
7702         (region_model::get_representative_path_var_1): Handle RK_SIZED.
7703         * region-model.h (visitor::visit_repeated_svalue): New.
7704         (visitor::visit_bits_within_svalue): New.
7705         (region_model_manager::get_or_create_repeated_svalue): New decl.
7706         (region_model_manager::get_or_create_bits_within): New decl.
7707         (region_model_manager::get_sized_region): New decl.
7708         (region_model_manager::maybe_fold_repeated_svalue): New decl.
7709         (region_model_manager::maybe_fold_bits_within_svalue): New decl.
7710         (region_model_manager::repeated_values_map_t): New typedef.
7711         (region_model_manager::m_repeated_values_map): New field.
7712         (region_model_manager::bits_within_values_map_t): New typedef.
7713         (region_model_manager::m_bits_within_values_map): New field.
7714         (region_model_manager::m_sized_regions): New field.
7715         (region_model::fill_region): New decl.
7716         * region.cc (region::get_base_region): Handle RK_SIZED.
7717         (region::base_region_p): Likewise.
7718         (region::get_byte_size_sval): New.
7719         (get_field_at_bit_offset): Make non-static.
7720         (region::calc_offset): Move implementation of cases to
7721         get_relative_concrete_offset vfunc implementations.  Handle
7722         RK_SIZED.
7723         (region::get_relative_concrete_offset): New.
7724         (decl_region::get_svalue_for_initializer): Drop enum binding_kind.
7725         (field_region::get_relative_concrete_offset): New, from
7726         region::calc_offset.
7727         (element_region::get_relative_concrete_offset): Likewise.
7728         (offset_region::get_relative_concrete_offset): Likewise.
7729         (sized_region::accept): New.
7730         (sized_region::dump_to_pp): New.
7731         (sized_region::get_byte_size): New.
7732         (sized_region::get_bit_size): New.
7733         * region.h (enum region_kind): Add RK_SIZED.
7734         (region::dyn_cast_sized_region): New.
7735         (region::get_byte_size): Make virtual.
7736         (region::get_bit_size): Likewise.
7737         (region::get_byte_size_sval): New decl.
7738         (region::get_relative_concrete_offset): New decl.
7739         (field_region::get_relative_concrete_offset): New decl.
7740         (element_region::get_relative_concrete_offset): Likewise.
7741         (offset_region::get_relative_concrete_offset): Likewise.
7742         (class sized_region): New.
7743         * store.cc (binding_kind_to_string): Delete.
7744         (binding_key::make): Drop enum binding_kind.
7745         (binding_key::dump_to_pp): Delete.
7746         (binding_key::cmp_ptrs): Drop enum binding_kind.
7747         (bit_range::contains_p): New.
7748         (byte_range::dump): New.
7749         (byte_range::contains_p): New.
7750         (byte_range::cmp): New.
7751         (concrete_binding::dump_to_pp): Drop enum binding_kind.
7752         (concrete_binding::cmp_ptr_ptr): Likewise.
7753         (symbolic_binding::dump_to_pp): Likewise.
7754         (symbolic_binding::cmp_ptr_ptr): Likewise.
7755         (binding_map::apply_ctor_val_to_range): Likewise.
7756         (binding_map::apply_ctor_pair_to_child_region): Likewise.
7757         (binding_map::get_overlapping_bindings): New.
7758         (binding_map::remove_overlapping_bindings): New.
7759         (binding_cluster::validate): New.
7760         (binding_cluster::bind): Drop enum binding_kind.
7761         (binding_cluster::bind_compound_sval): Likewise.
7762         (binding_cluster::purge_region): Likewise.
7763         (binding_cluster::zero_fill_region): Reimplement in terms of...
7764         (binding_cluster::fill_region): New.
7765         (binding_cluster::mark_region_as_unknown): Drop enum binding_kind.
7766         (binding_cluster::get_binding): Likewise.
7767         (binding_cluster::get_binding_recursive): Likewise.
7768         (binding_cluster::get_any_binding): Likewise.
7769         (binding_cluster::maybe_get_compound_binding): Reimplement.
7770         (binding_cluster::get_overlapping_bindings): Delete.
7771         (binding_cluster::remove_overlapping_bindings): Reimplement in
7772         terms of binding_map::remove_overlapping_bindings.
7773         (binding_cluster::can_merge_p): Update for removal of
7774         enum binding_kind.
7775         (binding_cluster::on_unknown_fncall): Drop enum binding_kind.
7776         (binding_cluster::maybe_get_simple_value): Likewise.
7777         (store_manager::get_concrete_binding): Likewise.
7778         (store_manager::get_symbolic_binding): Likewise.
7779         (store::validate): New.
7780         (store::set_value): Drop enum binding_kind.
7781         (store::zero_fill_region): Reimplement in terms of...
7782         (store::fill_region): New.
7783         (selftest::test_binding_key_overlap): Drop enum binding_kind.
7784         * store.h (enum binding_kind): Delete.
7785         (binding_kind_to_string): Delete decl.
7786         (binding_key::make): Drop enum binding_kind.
7787         (binding_key::dump_to_pp): Make pure virtual.
7788         (binding_key::get_kind): Delete.
7789         (binding_key::mark_deleted): Delete.
7790         (binding_key::mark_empty): Delete.
7791         (binding_key::is_deleted): Delete.
7792         (binding_key::is_empty): Delete.
7793         (binding_key::binding_key): Delete.
7794         (binding_key::impl_hash): Delete.
7795         (binding_key::impl_eq): Delete.
7796         (binding_key::m_kind): Delete.
7797         (bit_range::get_last_bit_offset): New.
7798         (bit_range::contains_p): New.
7799         (byte_range::contains_p): New.
7800         (byte_range::operator==): New.
7801         (byte_range::get_start_byte_offset): New.
7802         (byte_range::get_next_byte_offset): New.
7803         (byte_range::get_last_byte_offset): New.
7804         (byte_range::as_bit_range): New.
7805         (byte_range::cmp): New.
7806         (concrete_binding::concrete_binding): Drop enum binding_kind.
7807         (concrete_binding::hash): Likewise.
7808         (concrete_binding::operator==): Likewise.
7809         (concrete_binding::mark_deleted): New.
7810         (concrete_binding::mark_empty): New.
7811         (concrete_binding::is_deleted): New.
7812         (concrete_binding::is_empty): New.
7813         (default_hash_traits<ana::concrete_binding>::empty_zero_p): Make false.
7814         (symbolic_binding::symbolic_binding): Drop enum binding_kind.
7815         (symbolic_binding::hash): Likewise.
7816         (symbolic_binding::operator==): Likewise.
7817         (symbolic_binding::mark_deleted): New.
7818         (symbolic_binding::mark_empty): New.
7819         (symbolic_binding::is_deleted): New.
7820         (symbolic_binding::is_empty): New.
7821         (binding_map::remove_overlapping_bindings): New decl.
7822         (binding_map::get_overlapping_bindings): New decl.
7823         (binding_cluster::validate): New decl.
7824         (binding_cluster::bind): Drop enum binding_kind.
7825         (binding_cluster::fill_region): New decl.
7826         (binding_cluster::get_binding): Drop enum binding_kind.
7827         (binding_cluster::get_binding_recursive): Likewise.
7828         (binding_cluster::get_overlapping_bindings): Delete.
7829         (store::validate): New decl.
7830         (store::set_value): Drop enum binding_kind.
7831         (store::fill_region): New decl.
7832         (store_manager::get_concrete_binding): Drop enum binding_kind.
7833         (store_manager::get_symbolic_binding): Likewise.
7834         * svalue.cc (svalue::cmp_ptr): Handle SK_REPEATED and
7835         SK_BITS_WITHIN.
7836         (svalue::extract_bit_range): New.
7837         (svalue::maybe_fold_bits_within): New.
7838         (constant_svalue::maybe_fold_bits_within): New.
7839         (unknown_svalue::maybe_fold_bits_within): New.
7840         (unaryop_svalue::maybe_fold_bits_within): New.
7841         (repeated_svalue::repeated_svalue): New.
7842         (repeated_svalue::dump_to_pp): New.
7843         (repeated_svalue::accept): New.
7844         (repeated_svalue::all_zeroes_p): New.
7845         (repeated_svalue::maybe_fold_bits_within): New.
7846         (bits_within_svalue::bits_within_svalue): New.
7847         (bits_within_svalue::dump_to_pp): New.
7848         (bits_within_svalue::maybe_fold_bits_within): New.
7849         (bits_within_svalue::accept): New.
7850         (bits_within_svalue::implicitly_live_p): New.
7851         (compound_svalue::maybe_fold_bits_within): New.
7852         * svalue.h (enum svalue_kind): Add SK_REPEATED and SK_BITS_WITHIN.
7853         (svalue::dyn_cast_repeated_svalue): New.
7854         (svalue::dyn_cast_bits_within_svalue): New.
7855         (svalue::extract_bit_range): New decl.
7856         (svalue::maybe_fold_bits_within): New vfunc decl.
7857         (region_svalue::key_t::mark_empty): Use 2 rather than NULL_TREE.
7858         (region_svalue::key_t::is_empty): Likewise.
7859         (default_hash_traits<region_svalue::key_t>::empty_zero_p): Make false.
7860         (constant_svalue::maybe_fold_bits_within): New.
7861         (unknown_svalue::maybe_fold_bits_within): New.
7862         (poisoned_svalue::key_t::mark_empty): Use 2 rather than NULL_TREE.
7863         (poisoned_svalue::key_t::is_empty): Likewise.
7864         (default_hash_traits<poisoned_svalue::key_t>::empty_zero_p): Make
7865         false.
7866         (setjmp_svalue::key_t::mark_empty): Use 2 rather than NULL_TREE.
7867         (setjmp_svalue::key_t::is_empty): Likewise.
7868         (default_hash_traits<setjmp_svalue::key_t>::empty_zero_p): Make
7869         false.
7870         (unaryop_svalue::key_t::mark_empty): Use 2 rather than NULL_TREE.
7871         (unaryop_svalue::key_t::is_empty): Likewise.
7872         (unaryop_svalue::maybe_fold_bits_within): New.
7873         (default_hash_traits<unaryop_svalue::key_t>::empty_zero_p): Make
7874         false.
7875         (binop_svalue::key_t::mark_empty): Use 2 rather than NULL_TREE.
7876         (binop_svalue::key_t::is_empty): Likewise.
7877         (default_hash_traits<binop_svalue::key_t>::empty_zero_p): Make
7878         false.
7879         (sub_svalue::key_t::mark_empty): Use 2 rather than NULL_TREE.
7880         (sub_svalue::key_t::is_empty): Likewise.
7881         (default_hash_traits<sub_svalue::key_t>::empty_zero_p): Make
7882         false.
7883         (class repeated_svalue): New.
7884         (is_a_helper <const repeated_svalue *>::test): New.
7885         (struct default_hash_traits<repeated_svalue::key_t>): New.
7886         (class bits_within_svalue): New.
7887         (is_a_helper <const bits_within_svalue *>::test): New.
7888         (struct default_hash_traits<bits_within_svalue::key_t>): New.
7889         (widening_svalue::key_t::mark_empty): Use 2 rather than NULL_TREE.
7890         (widening_svalue::key_t::is_empty): Likewise.
7891         (default_hash_traits<widening_svalue::key_t>::empty_zero_p): Make
7892         false.
7893         (compound_svalue::key_t::mark_empty): Use 2 rather than NULL_TREE.
7894         (compound_svalue::key_t::is_empty): Likewise.
7895         (compound_svalue::maybe_fold_bits_within): New.
7896         (default_hash_traits<compound_svalue::key_t>::empty_zero_p): Make
7897         false.
7899 2021-06-28  David Malcolm  <dmalcolm@redhat.com>
7901         * analyzer.h (byte_offset_t): New typedef.
7902         * store.cc (bit_range::dump_to_pp): Dump as a byte range if
7903         possible.
7904         (bit_range::as_byte_range): New.
7905         (byte_range::dump_to_pp): New.
7906         * store.h (class byte_range): New forward decl.
7907         (struct bit_range): Add comment.
7908         (bit_range::as_byte_range): New decl.
7909         (struct byte_range): New.
7911 2021-06-22  David Malcolm  <dmalcolm@redhat.com>
7913         PR analyzer/101143
7914         * region-model.cc (compat_types_p): New function.
7915         (region_model::create_region_for_heap_alloc): Convert assertion to
7916         an error check.
7917         (region_model::create_region_for_alloca): Likewise.
7919 2021-06-18  David Malcolm  <dmalcolm@redhat.com>
7921         * store.cc (binding_cluster::get_any_binding): Make symbolic reads
7922         from a cluster with concrete bindings return unknown.
7924 2021-06-18  David Malcolm  <dmalcolm@redhat.com>
7926         * region-model-manager.cc
7927         (region_model_manager::get_or_create_int_cst): New.
7928         (region_model_manager::maybe_undo_optimize_bit_field_compare): Use
7929         it to simplify away a local tree.
7930         * region-model.cc (region_model::on_setjmp): Likewise.
7931         (region_model::on_longjmp): Likewise.
7932         * region-model.h (region_model_manager::get_or_create_int_cst):
7933         New decl.
7934         * store.cc (binding_cluster::zero_fill_region): Use it to simplify
7935         away a local tree.
7937 2021-06-18  David Malcolm  <dmalcolm@redhat.com>
7939         * checker-path.cc (class custom_event): Make abstract to allow for
7940         custom vfuncs, splitting existing implementation into...
7941         (class precanned_custom_event): New subclass.
7942         (custom_event::get_desc): Move to...
7943         (precanned_custom_event::get_desc): ...subclass.
7944         * checker-path.h (class custom_event): Make abstract to allow for
7945         custom vfuncs, splitting existing implementation into...
7946         (class precanned_custom_event): New subclass.
7947         * diagnostic-manager.cc (diagnostic_manager::add_events_for_eedge):
7948         Use precanned_custom_event.
7949         * engine.cc
7950         (stale_jmp_buf::maybe_add_custom_events_for_superedge): Likewise.
7951         * sm-signal.cc (signal_delivery_edge_info_t::add_events_to_path):
7952         Likewise.
7954 2021-06-15  David Malcolm  <dmalcolm@redhat.com>
7956         PR analyzer/99212
7957         PR analyzer/101082
7958         * engine.cc: Include "target.h".
7959         (impl_run_checkers): Log BITS_BIG_ENDIAN, BYTES_BIG_ENDIAN, and
7960         WORDS_BIG_ENDIAN.
7961         * region-model-manager.cc
7962         (region_model_manager::maybe_fold_binop): Move support for masking
7963         via ARG0 & CST into...
7964         (region_model_manager::maybe_undo_optimize_bit_field_compare):
7965         ...this new function.  Flatten by converting from nested
7966         conditionals to a series of early return statements to reject
7967         failures.  Reject if type is not unsigned_char_type_node.
7968         Handle BYTES_BIG_ENDIAN when determining which bits are bound
7969         in the binding_map.
7970         * region-model.h
7971         (region_model_manager::maybe_undo_optimize_bit_field_compare):
7972         New decl.
7973         * store.cc (bit_range::dump): New function.
7974         * store.h (bit_range::dump): New decl.
7976 2021-06-15  David Malcolm  <dmalcolm@redhat.com>
7978         * engine.cc (exploded_node::on_stmt): Handle __analyzer_dump_capacity.
7979         (exploded_node::on_stmt): Drop m_sm_changes from on_stmt_flags.
7980         (state_change_requires_new_enode_p): New function...
7981         (exploded_graph::process_node): Call it, rather than querying
7982         flags.m_sm_changes, so that dynamic-extent differences can also
7983         trigger the splitting of nodes.
7984         * exploded-graph.h (struct on_stmt_flags): Drop field m_sm_changes.
7985         * program-state.cc (program_state::detect_leaks): Purge dead
7986         heap-allocated regions from dynamic extents.
7987         (selftest::test_program_state_1): Fix type of "size_in_bytes".
7988         (selftest::test_program_state_merging): Likewise.
7989         * region-model-impl-calls.cc
7990         (region_model::impl_call_analyzer_dump_capacity): New.
7991         (region_model::impl_call_free): Remove dynamic extents from the
7992         freed region.
7993         * region-model-reachability.h
7994         (reachable_regions::begin_mutable_base_regs): New.
7995         (reachable_regions::end_mutable_base_regs): New.
7996         * region-model.cc: Include "tree-object-size.h".
7997         (region_model::region_model): Support new field m_dynamic_extents.
7998         (region_model::operator=): Likewise.
7999         (region_model::operator==): Likewise.
8000         (region_model::dump_to_pp): Dump sizes of dynamic regions.
8001         (region_model::handle_unrecognized_call): Purge dynamic extents
8002         from any regions that have escaped mutably.
8003         (region_model::get_capacity): New function.
8004         (region_model::add_constraint): Unset dynamic extents when a
8005         heap-allocated region's address is NULL.
8006         (region_model::unbind_region_and_descendents): Purge dynamic
8007         extents of unbound regions.
8008         (region_model::can_merge_with_p): Call
8009         m_dynamic_extents.can_merge_with_p.
8010         (region_model::create_region_for_heap_alloc): Assert that
8011         size_in_bytes's type is compatible with size_type_node.  Update
8012         for renaming of record_dynamic_extents to set_dynamic_extents.
8013         (region_model::create_region_for_alloca): Likewise.
8014         (region_model::record_dynamic_extents): Rename to...
8015         (region_model::set_dynamic_extents): ...this.  Assert that
8016         size_in_bytes's type is compatible with size_type_node.  Add it
8017         to the m_dynamic_extents map.
8018         (region_model::get_dynamic_extents): New.
8019         (region_model::unset_dynamic_extents): New.
8020         (selftest::test_state_merging): Fix type of "size".
8021         (selftest::test_malloc_constraints): Likewise.
8022         (selftest::test_malloc): Verify dynamic extents.
8023         (selftest::test_alloca): Likewise.
8024         * region-model.h (region_to_value_map::is_empty): New.
8025         (region_model::dynamic_extents_t): New typedef.
8026         (region_model::impl_call_analyzer_dump_capacity): New decl.
8027         (region_model::get_dynamic_extents): New function.
8028         (region_model::get_dynamic_extents): New decl.
8029         (region_model::set_dynamic_extents): New decl.
8030         (region_model::unset_dynamic_extents): New decl.
8031         (region_model::get_capacity): New decl.
8032         (region_model::record_dynamic_extents): Rename to set_dynamic_extents.
8033         (region_model::m_dynamic_extents): New field.
8035 2021-06-15  David Malcolm  <dmalcolm@redhat.com>
8037         * region-model.cc (region_to_value_map::operator=): New.
8038         (region_to_value_map::operator==): New.
8039         (region_to_value_map::dump_to_pp): New.
8040         (region_to_value_map::dump): New.
8041         (region_to_value_map::can_merge_with_p): New.
8042         * region-model.h (class region_to_value_map): New class.
8044 2021-06-13  Trevor Saunders  <tbsaunde@tbsaunde.org>
8046         * call-string.cc (call_string::call_string): Use range based for
8047         to iterate over vec<>.
8048         (call_string::to_json): Likewise.
8049         (call_string::hash): Likewise.
8050         (call_string::calc_recursion_depth): Likewise.
8051         * checker-path.cc (checker_path::fixup_locations): Likewise.
8052         * constraint-manager.cc (equiv_class::equiv_class): Likewise.
8053         (equiv_class::to_json): Likewise.
8054         (equiv_class::hash): Likewise.
8055         (constraint_manager::to_json): Likewise.
8056         * engine.cc (impl_region_model_context::on_svalue_leak):
8057         Likewise.
8058         (on_liveness_change): Likewise.
8059         (impl_region_model_context::on_unknown_change): Likewise.
8060         * program-state.cc (sm_state_map::set_state): Likewise.
8061         * region-model.cc (test_canonicalization_4): Likewise.
8063 2021-06-11  David Malcolm  <dmalcolm@redhat.com>
8065         * engine.cc (worklist::key_t::cmp): Move sort by call_string to
8066         before SCC.
8068 2021-06-09  David Malcolm  <dmalcolm@redhat.com>
8070         * region-model.cc (region_model::get_lvalue_1): Make const.
8071         (region_model::get_lvalue): Likewise.
8072         (region_model::get_rvalue_1): Likewise.
8073         (region_model::get_rvalue): Likewise.
8074         (region_model::deref_rvalue): Likewise.
8075         (region_model::get_rvalue_for_bits): Likewise.
8076         * region-model.h (region_model::get_lvalue): Likewise.
8077         (region_model::get_rvalue): Likewise.
8078         (region_model::deref_rvalue): Likewise.
8079         (region_model::get_rvalue_for_bits): Likewise.
8080         (region_model::get_lvalue_1): Likewise.
8081         (region_model::get_rvalue_1): Likewise.
8083 2021-06-08  David Malcolm  <dmalcolm@redhat.com>
8085         PR analyzer/99212
8086         * region-model-manager.cc
8087         (region_model_manager::maybe_fold_binop): Add support for folding
8088         BIT_AND_EXPR of compound_svalue and a mask constant.
8089         * region-model.cc (region_model::get_rvalue_1): Implement
8090         BIT_FIELD_REF in terms of...
8091         (region_model::get_rvalue_for_bits): New function.
8092         * region-model.h (region_model::get_rvalue_for_bits): New decl.
8093         * store.cc (bit_range::from_mask): New function.
8094         (selftest::test_bit_range_intersects_p): New selftest.
8095         (selftest::assert_bit_range_from_mask_eq): New.
8096         (ASSERT_BIT_RANGE_FROM_MASK_EQ): New macro.
8097         (selftest::assert_no_bit_range_from_mask_eq): New.
8098         (ASSERT_NO_BIT_RANGE_FROM_MASK): New macro.
8099         (selftest::test_bit_range_from_mask): New selftest.
8100         (selftest::analyzer_store_cc_tests): Call the new selftests.
8101         * store.h (bit_range::intersects_p): New.
8102         (bit_range::from_mask): New decl.
8103         (concrete_binding::get_bit_range): New accessor.
8104         (store_manager::get_concrete_binding): New overload taking
8105         const bit_range &.
8107 2021-06-08  David Malcolm  <dmalcolm@redhat.com>
8109         * analyzer.h (int_size_in_bits): New decl.
8110         * region.cc (int_size_in_bits): New function.
8111         (region::get_bit_size): Reimplement in terms of the above.
8113 2021-06-08  David Malcolm  <dmalcolm@redhat.com>
8115         * store.cc (concrete_binding::dump_to_pp): Move bulk of
8116         implementation to...
8117         (bit_range::dump_to_pp): ...this new function.
8118         (bit_range::cmp): New.
8119         (concrete_binding::overlaps_p): Update for use of bit_range.
8120         (concrete_binding::cmp_ptr_ptr): Likewise.
8121         * store.h (struct bit_range): New.
8122         (class concrete_binding): Replace fields m_start_bit_offset and
8123         m_size_in_bits with new field m_bit_range.
8125 2021-06-08  David Malcolm  <dmalcolm@redhat.com>
8127         * svalue.h (conjured_svalue::iterator_t): Delete.
8129 2021-06-03  David Malcolm  <dmalcolm@redhat.com>
8131         * store.h (store::get_direct_binding): Remove unused decl.
8132         (store::get_default_binding): Likewise.
8134 2021-06-03  David Malcolm  <dmalcolm@redhat.com>
8136         * svalue.cc (poisoned_svalue::dump_to_pp): Dump type.
8137         (compound_svalue::dump_to_pp): Dump any type.
8139 2021-05-18  David Malcolm  <dmalcolm@redhat.com>
8141         PR analyzer/100615
8142         * sm-malloc.cc: Include "analyzer/function-set.h".
8143         (malloc_state_machine::on_stmt): Call unaffected_by_call_p and
8144         bail on the functions it recognizes.
8145         (malloc_state_machine::unaffected_by_call_p): New.
8147 2021-05-10  Martin Liska  <mliska@suse.cz>
8149         * sm-file.cc (is_file_using_fn_p): Use startswith
8150         function instead of strncmp.
8152 2021-05-10  Martin Liska  <mliska@suse.cz>
8154         * program-state.cc (program_state::operator=): Remove
8155         __cplusplus >= 201103.
8156         (program_state::program_state): Likewise.
8157         * program-state.h: Likewise.
8158         * region-model.h (class region_model): Remove dead code.
8160 2021-04-24  David Malcolm  <dmalcolm@redhat.com>
8162         PR analyzer/100244
8163         * sm-malloc.cc (free_of_non_heap::describe_state_change):
8164         Bulletproof against change.m_expr being NULL.
8166 2021-04-13  David Malcolm  <dmalcolm@redhat.com>
8168         PR analyzer/98599
8169         * supergraph.cc (saved_uids::make_uid_unique): New.
8170         (saved_uids::restore_uids): New.
8171         (supergraph::supergraph): Replace assignments to stmt->uid with
8172         calls to m_stmt_uids.make_uid_unique.
8173         (supergraph::~supergraph): New.
8174         * supergraph.h (class saved_uids): New.
8175         (supergraph::~supergraph): New decl.
8176         (supergraph::m_stmt_uids): New field.
8178 2021-04-10  David Malcolm  <dmalcolm@redhat.com>
8180         PR analyzer/100011
8181         * region-model.cc (region_model::on_assignment): Avoid NULL
8182         dereference if ctxt is NULL when assigning from a STRING_CST.
8184 2021-04-08  David Malcolm  <dmalcolm@redhat.com>
8186         PR analyzer/99042
8187         PR analyzer/99774
8188         * engine.cc
8189         (impl_region_model_context::impl_region_model_context): Add
8190         uncertainty param and use it to initialize m_uncertainty.
8191         (impl_region_model_context::get_uncertainty): New.
8192         (impl_sm_context::get_fndecl_for_call): Add NULL for new
8193         uncertainty param when constructing impl_region_model_context.
8194         (impl_sm_context::get_state): Likewise.
8195         (impl_sm_context::set_next_state): Likewise.
8196         (impl_sm_context::warn): Likewise.
8197         (exploded_node::on_stmt): Add uncertainty param
8198         and use it when constructing impl_region_model_context.
8199         (exploded_node::on_edge): Add uncertainty param and pass
8200         to on_edge call.
8201         (exploded_node::detect_leaks): Create uncertainty_t and pass to
8202         impl_region_model_context.
8203         (exploded_graph::get_or_create_node): Create uncertainty_t and
8204         pass to prune_for_point.
8205         (maybe_process_run_of_before_supernode_enodes): Create
8206         uncertainty_t and pass to impl_region_model_context.
8207         (exploded_graph::process_node): Create uncertainty_t instances and
8208         pass around as needed.
8209         * exploded-graph.h
8210         (impl_region_model_context::impl_region_model_context): Add
8211         uncertainty param.
8212         (impl_region_model_context::get_uncertainty): New decl.
8213         (impl_region_model_context::m_uncertainty): New field.
8214         (exploded_node::on_stmt): Add uncertainty param.
8215         (exploded_node::on_edge): Likewise.
8216         * program-state.cc (sm_state_map::on_liveness_change): Get
8217         uncertainty from context and use it to unset sm-state from
8218         svalues as appropriate.
8219         (program_state::on_edge): Add uncertainty param and use it when
8220         constructing impl_region_model_context.  Fix indentation.
8221         (program_state::prune_for_point): Add uncertainty param and use it
8222         when constructing impl_region_model_context.
8223         (program_state::detect_leaks): Get any uncertainty from ctxt and
8224         use it to get maybe-live svalues for dest_state, rather than
8225         definitely-live ones; use this when determining which svalues
8226         have leaked.
8227         (selftest::test_program_state_merging): Create uncertainty_t and
8228         pass to impl_region_model_context.
8229         * program-state.h (program_state::on_edge): Add uncertainty param.
8230         (program_state::prune_for_point): Likewise.
8231         * region-model-impl-calls.cc (call_details::get_uncertainty): New.
8232         (region_model::impl_call_memcpy): Pass uncertainty to
8233         mark_region_as_unknown call.
8234         (region_model::impl_call_memset): Likewise.
8235         (region_model::impl_call_strcpy): Likewise.
8236         * region-model-reachability.cc (reachable_regions::handle_sval):
8237         Also add sval to m_mutable_svals.
8238         * region-model.cc (region_model::on_assignment): Pass any
8239         uncertainty from ctxt to the store::set_value call.
8240         (region_model::handle_unrecognized_call): Get any uncertainty from
8241         ctxt and use it to record mutable svalues at the unknown call.
8242         (region_model::get_reachable_svalues): Add uncertainty param and
8243         use it to mark any maybe-bound svalues as being reachable.
8244         (region_model::set_value): Pass any uncertainty from ctxt to the
8245         store::set_value call.
8246         (region_model::mark_region_as_unknown): Add uncertainty param and
8247         pass it on to the store::mark_region_as_unknown call.
8248         (region_model::update_for_call_summary): Add uncertainty param and
8249         pass it on to the region_model::mark_region_as_unknown call.
8250         * region-model.h (call_details::get_uncertainty): New decl.
8251         (region_model::get_reachable_svalues): Add uncertainty param.
8252         (region_model::mark_region_as_unknown): Add uncertainty param.
8253         (region_model_context::get_uncertainty): New vfunc.
8254         (noop_region_model_context::get_uncertainty): New vfunc
8255         implementation.
8256         * store.cc (dump_svalue_set): New.
8257         (uncertainty_t::dump_to_pp): New.
8258         (uncertainty_t::dump): New.
8259         (binding_cluster::clobber_region): Pass NULL for uncertainty to
8260         remove_overlapping_bindings.
8261         (binding_cluster::mark_region_as_unknown): Add uncertainty param
8262         and pass it to remove_overlapping_bindings.
8263         (binding_cluster::remove_overlapping_bindings): Add uncertainty param.
8264         Use it to record any svalues that were in clobbered bindings.
8265         (store::set_value): Add uncertainty param.  Pass it to
8266         binding_cluster::mark_region_as_unknown when handling symbolic
8267         regions.
8268         (store::mark_region_as_unknown): Add uncertainty param and pass it
8269         to binding_cluster::mark_region_as_unknown.
8270         (store::remove_overlapping_bindings): Add uncertainty param and
8271         pass it to binding_cluster::remove_overlapping_bindings.
8272         * store.h (binding_cluster::mark_region_as_unknown): Add
8273         uncertainty param.
8274         (binding_cluster::remove_overlapping_bindings): Likewise.
8275         (store::set_value): Likewise.
8276         (store::mark_region_as_unknown): Likewise.
8278 2021-04-05  David Malcolm  <dmalcolm@redhat.com>
8280         PR analyzer/99906
8281         * analyzer.cc (maybe_reconstruct_from_def_stmt): Fix NULL
8282         dereference on calls with zero arguments.
8283         * sm-malloc.cc (malloc_state_machine::on_stmt): When handling
8284         __attribute__((nonnull)), only call get_diagnostic_tree if the
8285         result will be used.
8287 2021-04-05  David Malcolm  <dmalcolm@redhat.com>
8289         PR analyzer/99886
8290         * diagnostic-manager.cc
8291         (diagnostic_manager::prune_interproc_events): Use signed integers
8292         when subtracting one from path->num_events ().
8293         (diagnostic_manager::consolidate_conditions): Likewise.  Convert
8294         next_idx to a signed int.
8296 2021-04-01  David Malcolm  <dmalcolm@redhat.com>
8298         * diagnostic-manager.cc (diagnostic_manager::add_diagnostic): Make
8299         enode param non-constant, and call add_diagnostic on it.  Add
8300         enode index to log message.
8301         (diagnostic_manager::add_diagnostic): Make enode param
8302         non-constant.
8303         * diagnostic-manager.h (diagnostic_manager::add_diagnostic):
8304         Likewise for both decls.
8305         * engine.cc
8306         (impl_region_model_context::impl_region_model_context): Likewise
8307         for enode_for_diag.
8308         (impl_sm_context::impl_sm_context): Likewise.
8309         (impl_sm_context::m_enode_for_diag): Likewise.
8310         (exploded_node::dump_dot): Don't pass the diagnostic manager
8311         to dump_saved_diagnostics.
8312         (exploded_node::dump_saved_diagnostics): Drop param.  Iterate
8313         directly through all saved diagnostics for the enode, rather
8314         than all saved diagnostics in the diagnostic_manager and
8315         filtering.
8316         (exploded_node::on_stmt): Make non-const.
8317         (exploded_node::on_edge): Likewise.
8318         (exploded_node::on_longjmp): Likewise.
8319         (exploded_node::detect_leaks): Likewise.
8320         (exploded_graph::get_or_create_node): Make enode_for_diag param
8321         non-const.
8322         (exploded_graph_annotator::print_enode): Iterate
8323         directly through all saved diagnostics for the enode, rather
8324         than all saved diagnostics in the diagnostic_manager and
8325         filtering.
8326         * exploded-graph.h
8327         (impl_region_model_context::impl_region_model_context): Make
8328         enode_for_diag param non-constant.
8329         (impl_region_model_context::m_enode_for_diag): Likewise.
8330         (exploded_node::dump_saved_diagnostics): Drop param.
8331         (exploded_node::on_stmt): Make non-const.
8332         (exploded_node::on_edge): Likewise.
8333         (exploded_node::on_longjmp): Likewise.
8334         (exploded_node::detect_leaks): Likewise.
8335         (exploded_node::add_diagnostic): New.
8336         (exploded_node::get_num_diagnostics): New.
8337         (exploded_node::get_saved_diagnostic): New.
8338         (exploded_node::m_saved_diagnostics): New.
8339         (exploded_graph::get_or_create_node): Make enode_for_diag param
8340         non-constant.
8341         * feasible-graph.cc (feasible_node::dump_dot): Drop
8342         diagnostic_manager from call to dump_saved_diagnostics.
8343         * program-state.cc (program_state::on_edge): Convert enode param
8344         to non-const pointer.
8345         (program_state::prune_for_point): Likewise for enode_for_diag
8346         param.
8347         * program-state.h (program_state::on_edge): Convert enode param
8348         to non-const pointer.
8349         (program_state::prune_for_point): Likewise for enode_for_diag
8350         param.
8352 2021-03-31  David Malcolm  <dmalcolm@redhat.com>
8354         PR analyzer/99771
8355         * analyzer.cc (maybe_reconstruct_from_def_stmt): New.
8356         (fixup_tree_for_diagnostic_1): New.
8357         (fixup_tree_for_diagnostic): New.
8358         * analyzer.h (fixup_tree_for_diagnostic): New decl.
8359         * checker-path.cc (call_event::get_desc): Call
8360         fixup_tree_for_diagnostic and use it for the call_with_state call.
8361         (warning_event::get_desc): Likewise for the final_event and
8362         make_label_text calls.
8363         * engine.cc (impl_region_model_context::on_state_leak): Likewise
8364         for the on_leak and add_diagnostic calls.
8365         * region-model.cc (region_model::get_representative_tree):
8366         Likewise for the result.
8368 2021-03-30  David Malcolm  <dmalcolm@redhat.com>
8370         * region.h (region::dump_to_pp): Remove old decl.
8372 2021-03-30  David Malcolm  <dmalcolm@redhat.com>
8374         * sm-file.cc (fileptr_state_machine::on_stmt): Only call
8375         get_diagnostic_tree if the result will be used.
8376         * sm-malloc.cc (malloc_state_machine::on_stmt): Likewise.
8377         (malloc_state_machine::on_deallocator_call): Likewise.
8378         (malloc_state_machine::on_realloc_call): Likewise.
8379         (malloc_state_machine::on_realloc_call): Likewise.
8380         * sm-sensitive.cc
8381         (sensitive_state_machine::warn_for_any_exposure): Likewise.
8382         * sm-taint.cc (taint_state_machine::on_stmt): Likewise.
8384 2021-03-25  David Malcolm  <dmalcolm@redhat.com>
8386         PR analyzer/93695
8387         PR analyzer/99044
8388         PR analyzer/99716
8389         * engine.cc (exploded_node::on_stmt): Clear sm-state involving
8390         an SSA name at the def-stmt of that SSA name.
8391         * program-state.cc (sm_state_map::purge_state_involving): New.
8392         * program-state.h (sm_state_map::purge_state_involving): New decl.
8393         * region-model.cc (selftest::test_involves_p): New.
8394         (selftest::analyzer_region_model_cc_tests): Call it.
8395         * svalue.cc (class involvement_visitor): New class.
8396         (svalue::involves_p): New.
8397         * svalue.h (svalue::involves_p): New decl.
8399 2021-03-19  David Malcolm  <dmalcolm@redhat.com>
8401         PR analyzer/99614
8402         * diagnostic-manager.cc (class epath_finder): Add
8403         DISABLE_COPY_AND_ASSIGN.
8405 2021-03-15  Martin Liska  <mliska@suse.cz>
8407         * sm-file.cc (get_file_using_fns): Add missing comma in initializer.
8409 2021-03-11  David Malcolm  <dmalcolm@redhat.com>
8411         PR analyzer/96374
8412         * analyzer.opt (-param=analyzer-max-infeasible-edges=): New param.
8413         (fdump-analyzer-feasibility): New flag.
8414         * diagnostic-manager.cc: Include "analyzer/trimmed-graph.h" and
8415         "analyzer/feasible-graph.h".
8416         (epath_finder::epath_finder): Convert m_sep to a pointer and
8417         only create it if !flag_analyzer_feasibility.
8418         (epath_finder::~epath_finder): New.
8419         (epath_finder::m_sep): Convert to a pointer.
8420         (epath_finder::get_best_epath): Add param "diag_idx" and use it
8421         when logging.  Rather than finding the shortest path and then
8422         checking feasibility, instead use explore_feasible_paths unless
8423         !flag_analyzer_feasibility, in which case simply use the shortest
8424         path, and note if it is infeasible.  Update for m_sep becoming a
8425         pointer.
8426         (class feasible_worklist): New.
8427         (epath_finder::explore_feasible_paths): New.
8428         (epath_finder::process_worklist_item): New.
8429         (class dump_eg_with_shortest_path): New.
8430         (epath_finder::dump_trimmed_graph): New.
8431         (epath_finder::dump_feasible_graph): New.
8432         (saved_diagnostic::saved_diagnostic): Add "idx" param, using it
8433         on new field m_idx.
8434         (saved_diagnostic::to_json): Dump m_idx.
8435         (saved_diagnostic::calc_best_epath): Pass m_idx to get_best_epath.
8436         Remove assertion that m_problem was set when m_best_epath is NULL.
8437         (diagnostic_manager::add_diagnostic): Pass an index when created
8438         saved_diagnostic instances.
8439         * diagnostic-manager.h (saved_diagnostic::saved_diagnostic): Add
8440         "idx" param.
8441         (saved_diagnostic::get_index): New accessor.
8442         (saved_diagnostic::m_idx): New field.
8443         * engine.cc (exploded_node::dump_dot): Call args.dump_extra_info.
8444         Move code to...
8445         (exploded_node::dump_processed_stmts): ...this new function and...
8446         (exploded_node::dump_saved_diagnostics): ...this new function.
8447         Add index of each diagnostic.
8448         (exploded_edge::dump_dot): Move bulk of code to...
8449         (exploded_edge::dump_dot_label): ...this new function.
8450         * exploded-graph.h (eg_traits::dump_args_t::dump_extra_info): New
8451         vfunc.
8452         (exploded_node::dump_processed_stmts): New decl.
8453         (exploded_node::dump_saved_diagnostics): New decl.
8454         (exploded_edge::dump_dot_label): New decl.
8455         * feasible-graph.cc: New file.
8456         * feasible-graph.h: New file.
8457         * trimmed-graph.cc: New file.
8458         * trimmed-graph.h: New file.
8460 2021-03-11  David Malcolm  <dmalcolm@redhat.com>
8462         * diagnostic-manager.cc (epath_finder::epath_finder):
8463         Update shortest_paths init for new param.
8465 2021-03-10  David Malcolm  <dmalcolm@redhat.com>
8467         PR analyzer/96374
8468         * engine.cc (exploded_path::feasible_p): Move "snodes_visited" and
8469         "model" locals into a new class feasibility_state.  Move heart
8470         of per-edge processing into
8471         feasibility_state::maybe_update_for_edge.
8472         (feasibility_state::feasibility_state): New.
8473         (feasibility_state::maybe_update_for_edge): New, based on loop
8474         body in exploded_path::feasible_p.
8475         * exploded-graph.h (class feasibility_state): New.
8477 2021-03-10  David Malcolm  <dmalcolm@redhat.com>
8479         * supergraph.h
8480         (callgraph_superedge::dyn_cast_callgraph_superedge): New.
8481         (call_superedge::dyn_cast_callgraph_superedge): Delete.
8482         (return_superedge::dyn_cast_callgraph_superedge): Delete.
8484 2021-03-02  Martin Liska  <mliska@suse.cz>
8486         * diagnostic-manager.cc (diagnostic_manager::emit_saved_diagnostics):
8487         Do not pass engine.
8489 2021-02-26  David Malcolm  <dmalcolm@redhat.com>
8491         * engine.cc (exploded_path::exploded_path): New copy-ctor.
8492         * exploded-graph.h (exploded_path::operator=): Drop decl.
8494 2021-02-26  David Malcolm  <dmalcolm@redhat.com>
8496         PR analyzer/96374
8497         * diagnostic-manager.cc (class epath_finder): New.
8498         (epath_finder::get_best_epath): New.
8499         (saved_diagnostic::saved_diagnostic): Update for replacement of
8500         m_state and m_epath_length with m_best_epath.
8501         (saved_diagnostic::~saved_diagnostic): Delete m_best_epath.
8502         (saved_diagnostic::to_json): Update "path_length" to be optional.
8503         (saved_diagnostic::calc_best_epath): New, based on
8504         dedupe_winners::add and parts of dedupe_key::dedupe_key.
8505         (saved_diagnostic::get_epath_length): New.
8506         (saved_diagnostic::add_duplicate): New.
8507         (dedupe_key::dedupe_key): Drop epath param.  Move invocation of
8508         stmt_finder to saved_diagnostic::calc_best_epath.
8509         (class dedupe_candidate): Delete.
8510         (class dedupe_hash_map_traits): Update to use saved_diagnostic *
8511         rather than dedupe_candidate * as the value_type/compare_type.
8512         (dedupe_winners::~dedupe_winners): Don't delete the values.
8513         (dedupe_winners::add): Convert param from shortest_exploded_paths to
8514         epath_finder.  Drop "eg" param.  Drop dedupe_candidate, moving
8515         path generation and feasibility checking to
8516         epath_finder::get_best_epath.  Update winner-selection for move
8517         of epaths from dedupe_candidate to saved_diagnostic.
8518         (dedupe_winners::emit_best): Update for removal of class
8519         dedupe_candidate.
8520         (dedupe_winners::map_t): Update to use saved_diagnostic * rather
8521         than dedupe_candidate * as the value_type/compare_type.
8522         (diagnostic_manager::emit_saved_diagnostics): Move
8523         shortest_exploded_paths instance into epath_finder and pass that
8524         around instead.
8525         (diagnostic_manager::emit_saved_diagnostic): Drop epath, stmt
8526         and num_dupes params, instead getting these from the
8527         saved_diagnostic.  Use correct location in inform_n call.
8528         * diagnostic-manager.h (class epath_finder): New forward decl.
8529         (saved_diagnostic::status): Drop enum.
8530         (saved_diagnostic::set_feasible): Drop.
8531         (saved_diagnostic::set_infeasible): Drop.
8532         (saved_diagnostic::get_status): Drop.
8533         (saved_diagnostic::calc_best_epath): New decl.
8534         (saved_diagnostic::get_best_epath): New decl.
8535         (saved_diagnostic::get_epath_length): New decl.
8536         (saved_diagnostic::set_epath_length): Drop.
8537         (saved_diagnostic::get_epath_length): Drop inline implementation.
8538         (saved_diagnostic::add_duplicate): New.
8539         (saved_diagnostic::get_num_dupes): New.
8540         (saved_diagnostic::m_d): Document ownership.
8541         (saved_diagnostic::m_trailing_eedge): Make const.
8542         (saved_diagnostic::m_status): Drop field.
8543         (saved_diagnostic::m_epath_length): Drop field.
8544         (saved_diagnostic::m_best_epath): New field.
8545         (saved_diagnostic::m_problem): Document ownership.
8546         (saved_diagnostic::m_duplicates): New field.
8547         (diagnostic_manager::emit_saved_diagnostic): Drop params epath,
8548         stmt, and num_dupes.
8549         * engine.cc (exploded_graph_annotator::print_saved_diagnostic):
8550         Update for changes to saved_diagnostic class.
8551         * exploded-graph.h (exploded_path::feasible_p): Drop unused
8552         overloaded decl.
8554 2021-02-25  David Malcolm  <dmalcolm@redhat.com>
8556         PR analyzer/99193
8557         * region-model-impl-calls.cc (region_model::impl_call_realloc): New.
8558         * region-model.cc (region_model::on_call_pre): Call it.
8559         * region-model.h (region_model::impl_call_realloc): New decl.
8560         * sm-malloc.cc (enum wording): Add WORDING_REALLOCATED.
8561         (malloc_state_machine::m_realloc): New field.
8562         (use_after_free::describe_state_change): Add case for
8563         WORDING_REALLOCATED.
8564         (use_after_free::describe_final_event): Likewise.
8565         (malloc_state_machine::malloc_state_machine): Initialize
8566         m_realloc.
8567         (malloc_state_machine::on_stmt): Handle realloc by calling...
8568         (malloc_state_machine::on_realloc_call): New.
8570 2021-02-22  David Malcolm  <dmalcolm@redhat.com>
8572         PR analyzer/99196
8573         * engine.cc (exploded_node::on_stmt): Provide terminate_path
8574         flag as a way for on_call_pre to terminate the current analysis
8575         path.
8576         * region-model-impl-calls.cc (call_details::num_args): New.
8577         (region_model::impl_call_error): New.
8578         * region-model.cc (region_model::on_call_pre): Add param
8579         "out_terminate_path".  Handle "error" and "error_at_line".
8580         * region-model.h (call_details::num_args): New decl.
8581         (region_model::on_call_pre): Add param "out_terminate_path".
8582         (region_model::impl_call_error): New decl.
8584 2021-02-17  David Malcolm  <dmalcolm@redhat.com>
8586         PR analyzer/98969
8587         * constraint-manager.cc (dead_svalue_purger::should_purge_p):
8588         Update for change to svalue::live_p.
8589         * program-state.cc (sm_state_map::on_liveness_change): Likewise.
8590         (program_state::detect_leaks): Likewise.
8591         * region-model-reachability.cc (reachable_regions::init_cluster):
8592         When dealing with a symbolic region, if the underlying pointer is
8593         implicitly live, add the region to the reachable regions.
8594         * region-model.cc (region_model::compare_initial_and_pointer):
8595         Move logic for detecting initial values of params to
8596         initial_svalue::initial_value_of_param_p.
8597         * svalue.cc (svalue::live_p): Convert "live_svalues" from a
8598         reference to a pointer; support it being NULL.
8599         (svalue::implicitly_live_p): Convert first param from a
8600         reference to a pointer.
8601         (region_svalue::implicitly_live_p): Likewise.
8602         (constant_svalue::implicitly_live_p): Likewise.
8603         (initial_svalue::implicitly_live_p): Likewise.  Treat the initial
8604         values of params for the top level frame as still live.
8605         (initial_svalue::initial_value_of_param_p): New function, taken
8606         from a test in region_model::compare_initial_and_pointer.
8607         (unaryop_svalue::implicitly_live_p): Convert first param from a
8608         reference to a pointer.
8609         (binop_svalue::implicitly_live_p): Likewise.
8610         (sub_svalue::implicitly_live_p): Likewise.
8611         (unmergeable_svalue::implicitly_live_p): Likewise.
8612         * svalue.h (svalue::live_p): Likewise.
8613         (svalue::implicitly_live_p): Likewise.
8614         (region_svalue::implicitly_live_p): Likewise.
8615         (constant_svalue::implicitly_live_p): Likewise.
8616         (initial_svalue::implicitly_live_p): Likewise.
8617         (initial_svalue::initial_value_of_param_p): New decl.
8618         (unaryop_svalue::implicitly_live_p): Convert first param from a
8619         reference to a pointer.
8620         (binop_svalue::implicitly_live_p): Likewise.
8621         (sub_svalue::implicitly_live_p): Likewise.
8622         (unmergeable_svalue::implicitly_live_p): Likewise.
8624 2021-02-12  David Malcolm  <dmalcolm@redhat.com>
8626         PR analyzer/98969
8627         * engine.cc (readability): Add names for the various arbitrary
8628         values.  Handle NOP_EXPR and INTEGER_CST.
8629         (readability_comparator): Combine the readability tests for
8630         tree and stack depth, rather than performing them sequentially.
8631         (impl_region_model_context::on_state_leak): Strip off top-level
8632         casts.
8633         * region-model.cc (region_model::get_representative_path_var): Add
8634         type-checking, moving the bulk of the implementation to...
8635         (region_model::get_representative_path_var_1): ...here.  Respect
8636         types in casts by recursing and re-adding the cast, rather than
8637         merely stripping them off.  Use the correct type when handling
8638         region_svalue.
8639         (region_model::get_representative_tree): Strip off any top-level
8640         cast.
8641         (region_model::get_representative_path_var): Add type-checking,
8642         moving the bulk of the implementation to...
8643         (region_model::get_representative_path_var_1): ...here.
8644         * region-model.h (region_model::get_representative_path_var_1):
8645         New decl.
8646         (region_model::get_representative_path_var_1): New decl.
8647         * store.cc (append_pathvar_with_type): New.
8648         (binding_cluster::get_representative_path_vars): Cast path_vars
8649         to the correct type when adding them to *OUT_PVS.
8651 2021-02-09  David Malcolm  <dmalcolm@redhat.com>
8653         PR analyzer/98575
8654         * sm-file.cc (is_file_using_fn_p): Support "_IO_"-prefixed
8655         variants.
8657 2021-02-09  David Malcolm  <dmalcolm@redhat.com>
8659         PR analyzer/98575
8660         * store.cc (store::set_value): Treat a pointer written to *UNKNOWN
8661         as having escaped.
8663 2021-02-02  David Malcolm  <dmalcolm@redhat.com>
8665         PR analyzer/93355
8666         PR analyzer/96374
8667         * engine.cc (toplevel_function_p): Simplify so that
8668         we only reject functions with a "__analyzer_" prefix.
8669         (add_any_callbacks): Delete.
8670         (exploded_graph::build_initial_worklist): Update for
8671         dropped param of toplevel_function_p.
8672         (exploded_graph::build_initial_worklist): Don't bother
8673         looking for callbacks that are reachable from global
8674         initializers.
8676 2021-02-01  David Malcolm  <dmalcolm@redhat.com>
8678         PR analyzer/98918
8679         * region-model-manager.cc
8680         (region_model_manager::get_or_create_initial_value):
8681         Fold the initial value of *UNKNOWN_PTR to an UNKNOWN value.
8682         (region_model_manager::get_field_region): Fold the value
8683         of UNKNOWN_PTR->FIELD to *UNKNOWN_PTR_OF_&FIELD_TYPE.
8685 2021-01-29  David Malcolm  <dmalcolm@redhat.com>
8687         * checker-path.cc (event_kind_to_string): Handle
8688         EK_START_CONSOLIDATED_CFG_EDGES and
8689         EK_END_CONSOLIDATED_CFG_EDGES.
8690         (start_consolidated_cfg_edges_event::get_desc): New.
8691         (checker_path::cfg_edge_pair_at_p): New.
8692         * checker-path.h (enum event_kind): Add
8693         EK_START_CONSOLIDATED_CFG_EDGES and
8694         EK_END_CONSOLIDATED_CFG_EDGES.
8695         (class start_consolidated_cfg_edges_event): New class.
8696         (class end_consolidated_cfg_edges_event): New class.
8697         (checker_path::delete_events): New.
8698         (checker_path::replace_event): New.
8699         (checker_path::cfg_edge_pair_at_p): New decl.
8700         * diagnostic-manager.cc (diagnostic_manager::prune_path): Call
8701         consolidate_conditions.
8702         (same_line_as_p): New.
8703         (diagnostic_manager::consolidate_conditions): New.
8704         * diagnostic-manager.h
8705         (diagnostic_manager::consolidate_conditions): New decl.
8707 2021-01-18  David Malcolm  <dmalcolm@redhat.com>
8709         * analyzer.h (is_std_named_call_p): New decl.
8710         * diagnostic-manager.cc (path_builder::get_sm): New.
8711         (state_change_event_creator::state_change_event_creator): Add "pb"
8712         param.
8713         (state_change_event_creator::on_global_state_change): Don't consider
8714         state changes affecting other state_machines.
8715         (state_change_event_creator::on_state_change): Likewise.
8716         (state_change_event_creator::m_pb): New field.
8717         (diagnostic_manager::add_events_for_eedge): Pass pb to visitor
8718         ctor.
8719         * region-model-impl-calls.cc
8720         (region_model::impl_deallocation_call): New.
8721         * region-model.cc: Include "attribs.h".
8722         (region_model::on_call_post): Handle fndecls referenced by
8723         __attribute__((deallocated_by(FOO))).
8724         * region-model.h (region_model::impl_deallocation_call): New decl.
8725         * sm-malloc.cc: Include "stringpool.h" and "attribs.h".  Add
8726         leading comment.
8727         (class api): Delete.
8728         (enum resource_state): Update comment for change from api to
8729         deallocator and deallocator_set.
8730         (allocation_state::allocation_state): Drop api param.  Add
8731         "deallocators" and "deallocator".
8732         (allocation_state::m_api): Drop field in favor of...
8733         (allocation_state::m_deallocators): New field.
8734         (allocation_state::m_deallocator): New field.
8735         (enum wording): Add WORDING_DEALLOCATED.
8736         (struct deallocator): New.
8737         (struct standard_deallocator): New.
8738         (struct custom_deallocator): New.
8739         (struct deallocator_set): New.
8740         (struct custom_deallocator_set): New.
8741         (struct standard_deallocator_set): New.
8742         (struct deallocator_set_map_traits): New.
8743         (malloc_state_machine::m_malloc): Drop field.
8744         (malloc_state_machine::m_scalar_new): Likewise.
8745         (malloc_state_machine::m_vector_new): Likewise.
8746         (malloc_state_machine::m_free): New field.
8747         (malloc_state_machine::m_scalar_delete): Likewise.
8748         (malloc_state_machine::m_vector_delete): Likewise.
8749         (malloc_state_machine::deallocator_map_t): New typedef.
8750         (malloc_state_machine::m_deallocator_map): New field.
8751         (malloc_state_machine::deallocator_set_cache_t): New typedef.
8752         (malloc_state_machine::m_custom_deallocator_set_cache): New field.
8753         (malloc_state_machine::custom_deallocator_set_map_t): New typedef.
8754         (malloc_state_machine::m_custom_deallocator_set_map): New field.
8755         (malloc_state_machine::m_dynamic_sets): New field.
8756         (malloc_state_machine::m_dynamic_deallocators): New field.
8757         (api::api): Delete.
8758         (deallocator::deallocator): New ctor.
8759         (deallocator::hash): New.
8760         (deallocator::dump_to_pp): New.
8761         (deallocator::cmp): New.
8762         (deallocator::cmp_ptr_ptr): New.
8763         (standard_deallocator::standard_deallocator): New ctor.
8764         (deallocator_set::deallocator_set): New ctor.
8765         (deallocator_set::dump): New.
8766         (custom_deallocator_set::custom_deallocator_set): New ctor.
8767         (custom_deallocator_set::contains_p): New.
8768         (custom_deallocator_set::maybe_get_single): New.
8769         (custom_deallocator_set::dump_to_pp): New.
8770         (standard_deallocator_set::standard_deallocator_set): New ctor.
8771         (standard_deallocator_set::contains_p): New.
8772         (standard_deallocator_set::maybe_get_single): New.
8773         (standard_deallocator_set::dump_to_pp): New.
8774         (start_p): New.
8775         (class mismatching_deallocation): Update for conversion from api
8776         to deallocator_set and deallocator.
8777         (double_free::emit): Use %qs.
8778         (class use_after_free): Update for conversion from api to
8779         deallocator_set and deallocator.
8780         (malloc_leak::describe_state_change): Only emit "allocated here" on
8781         a start->nonnull transition, rather than on other transitions to
8782         nonnull.
8783         (allocation_state::dump_to_pp): Update for conversion from api to
8784         deallocator_set.
8785         (allocation_state::get_nonnull): Likewise.
8786         (malloc_state_machine::malloc_state_machine): Likewise.
8787         (malloc_state_machine::~malloc_state_machine): New.
8788         (malloc_state_machine::add_state): Update for conversion from api
8789         to deallocator_set.
8790         (malloc_state_machine::get_or_create_custom_deallocator_set): New.
8791         (malloc_state_machine::maybe_create_custom_deallocator_set): New.
8792         (malloc_state_machine::get_or_create_deallocator): New.
8793         (malloc_state_machine::on_stmt): Update for conversion from api
8794         to deallocator_set.  Handle "__attribute__((malloc(FOO)))", and
8795         the special attribute set on FOO.
8796         (malloc_state_machine::on_allocator_call): Update for conversion
8797         from api to deallocator_set.  Add "returns_nonnull" param and use
8798         it to affect which state to transition to.
8799         (malloc_state_machine::on_deallocator_call): Update for conversion
8800         from api to deallocator_set.
8802 2021-01-14  David Malcolm  <dmalcolm@redhat.com>
8804         * engine.cc (strongly_connected_components::to_json): New.
8805         (worklist::to_json): New.
8806         (exploded_graph::to_json): JSON-ify the worklist.
8807         * exploded-graph.h (strongly_connected_components::to_json): New
8808         decl.
8809         (worklist::to_json): New decl.
8810         * store.cc (store::to_json): Fix comment.
8811         * supergraph.cc (supernode::to_json): Fix reference to
8812         "returning_call" in comment.  Add optional "fun" to JSON.
8813         (edge_kind_to_string): New.
8814         (superedge::to_json): Add "kind" to JSON.
8816 2021-01-14  David Malcolm  <dmalcolm@redhat.com>
8818         PR analyzer/98679
8819         * analyzer.h (region_offset::operator==): Make const.
8820         * pending-diagnostic.h (pending_diagnostic::equal_p): Likewise.
8821         * store.h (binding_cluster::for_each_value): Likewise.
8822         (binding_cluster::for_each_binding): Likewise.
8824 2021-01-12  David Malcolm  <dmalcolm@redhat.com>
8826         PR analyzer/98628
8827         * store.cc (binding_cluster::make_unknown_relative_to): Don't mark
8828         dereferenced unknown pointers as having escaped.
8830 2021-01-07  David Malcolm  <dmalcolm@redhat.com>
8832         PR analyzer/98580
8833         * region.cc (decl_region::get_svalue_for_initializer): Gracefully
8834         handle when LTO writes out DECL_INITIAL as error_mark_node.
8836 2021-01-07  David Malcolm  <dmalcolm@redhat.com>
8838         PR analyzer/97074
8839         * store.cc (binding_cluster::can_merge_p): Add "out_store" param
8840         and pass to calls to binding_cluster::make_unknown_relative_to.
8841         (binding_cluster::make_unknown_relative_to): Add "out_store"
8842         param.  Use it to mark base regions that are pointed to by
8843         pointers that become unknown as having escaped.
8844         (store::can_merge_p): Pass out_store to
8845         binding_cluster::can_merge_p.
8846         * store.h (binding_cluster::can_merge_p): Add "out_store" param.
8847         (binding_cluster::make_unknown_relative_to): Likewise.
8848         * svalue.cc (region_svalue::implicitly_live_p): New vfunc.
8849         * svalue.h (region_svalue::implicitly_live_p): New vfunc decl.
8851 2021-01-07  David Malcolm  <dmalcolm@redhat.com>
8853         PR analyzer/98564
8854         * engine.cc (exploded_path::feasible_p): Add missing call to
8855         bitmap_clear.
8857 2021-01-06  David Malcolm  <dmalcolm@redhat.com>
8859         PR analyzer/97072
8860         * region-model-reachability.cc (reachable_regions::init_cluster):
8861         Convert symbolic region handling to a switch statement.  Add cases
8862         to handle SK_UNKNOWN and SK_CONJURED.
8864 2021-01-05  David Malcolm  <dmalcolm@redhat.com>
8866         PR analyzer/98293
8867         * store.cc (binding_map::apply_ctor_to_region): When "index" is
8868         NULL, iterate through the fields for RECORD_TYPEs, rather than
8869         creating an INTEGER_CST index.
8871 2020-11-30  David Malcolm  <dmalcolm@redhat.com>
8873         * analyzer-pass.cc: Include "analyzer/analyzer.h" for the
8874         declaration of sorry_no_analyzer; include "tree.h" and
8875         "function.h" as these are needed by it.
8877 2020-11-30  David Malcolm  <dmalcolm@redhat.com>
8879         * analyzer-pass.cc (pass_analyzer::execute): Move sorry call to...
8880         (sorry_no_analyzer): New.
8881         * analyzer.h (class state_machine): New forward decl.
8882         (class logger): New forward decl.
8883         (class plugin_analyzer_init_iface): New.
8884         (sorry_no_analyzer): New decl.
8885         * checker-path.cc (checker_path::fixup_locations): New.
8886         * checker-path.h (checker_event::set_location): New.
8887         (checker_path::fixup_locations): New decl.
8888         * diagnostic-manager.cc
8889         (diagnostic_manager::emit_saved_diagnostic): Call
8890         checker_path::fixup_locations, and call fixup_location
8891         on the primary location.
8892         * engine.cc: Include "plugin.h".
8893         (class plugin_analyzer_init_impl): New.
8894         (impl_run_checkers): Invoke PLUGIN_ANALYZER_INIT callbacks.
8895         * pending-diagnostic.h (pending_diagnostic::fixup_location): New
8896         vfunc.
8898 2020-11-18  David Malcolm  <dmalcolm@redhat.com>
8900         PR analyzer/97893
8901         * sm-malloc.cc (null_deref::emit): Use CWE-476 rather than
8902         CWE-690, as this isn't due to an unchecked return value.
8903         (null_arg::emit): Likewise.
8905 2020-11-12  David Malcolm  <dmalcolm@redhat.com>
8907         * checker-path.h (checker_event::get_id_ptr): New.
8908         * diagnostic-manager.cc (path_builder::path_builder): Add "sd"
8909         param and use it to initialize new field "m_sd".
8910         (path_builder::get_pending_diagnostic): New.
8911         (path_builder::m_sd): New field.
8912         (diagnostic_manager::emit_saved_diagnostic): Pass sd to
8913         path_builder ctor.
8914         (diagnostic_manager::add_events_for_superedge): Call new
8915         maybe_add_custom_events_for_superedge vfunc.
8916         * engine.cc (stale_jmp_buf::stale_jmp_buf): Add "setjmp_point"
8917         param and use it to initialize new field "m_setjmp_point".
8918         Initialize new field "m_stack_pop_event".
8919         (stale_jmp_buf::maybe_add_custom_events_for_superedge): New vfunc
8920         implementation.
8921         (stale_jmp_buf::describe_final_event): New vfunc implementation.
8922         (stale_jmp_buf::m_setjmp_point): New field.
8923         (stale_jmp_buf::m_stack_pop_event): New field.
8924         (exploded_node::on_longjmp): Pass setjmp_point to stale_jmp_buf
8925         ctor.
8926         * pending-diagnostic.h
8927         (pending_diagnostic::maybe_add_custom_events_for_superedge): New
8928         vfunc.
8930 2020-11-12  David Malcolm  <dmalcolm@redhat.com>
8932         PR tree-optimization/97424
8933         * analyzer.opt (Wanalyzer-shift-count-negative): New.
8934         (Wanalyzer-shift-count-overflow): New.
8935         * region-model.cc (class shift_count_negative_diagnostic): New.
8936         (class shift_count_overflow_diagnostic): New.
8937         (region_model::get_gassign_result): Complain about shift counts that
8938         are negative or are >= the operand's type's width.
8940 2020-11-10  Martin Liska  <mliska@suse.cz>
8942         * constraint-manager.cc (constraint_manager::merge): Remove
8943         unused code.
8944         * constraint-manager.h: Likewise.
8945         * program-state.cc (sm_state_map::sm_state_map): Likewise.
8946         (program_state::program_state): Likewise.
8947         (test_sm_state_map): Likewise.
8948         * program-state.h: Likewise.
8949         * region-model-reachability.cc (reachable_regions::reachable_regions): Likewise.
8950         * region-model-reachability.h: Likewise.
8951         * region-model.cc (region_model::handle_unrecognized_call): Likewise.
8952         (region_model::get_reachable_svalues): Likewise.
8953         (region_model::can_merge_with_p): Likewise.
8955 2020-11-05  David Malcolm  <dmalcolm@redhat.com>
8957         PR analyzer/97668
8958         * svalue.cc (cmp_cst): Handle COMPLEX_CST.
8960 2020-10-29  David Malcolm  <dmalcolm@redhat.com>
8962         * program-state.cc (sm_state_map::on_liveness_change): Sort the
8963         leaking svalues before calling on_state_leak.
8964         (program_state::detect_leaks): Likewise when calling
8965         on_svalue_leak.
8966         * region-model-reachability.cc
8967         (reachable_regions::mark_escaped_clusters): Likewise when
8968         calling on_escaped_function.
8970 2020-10-29  David Malcolm  <dmalcolm@redhat.com>
8972         PR analyzer/97608
8973         * region-model-reachability.cc (reachable_regions::handle_sval):
8974         Operands of reachable reversible operations are reachable.
8976 2020-10-29  David Malcolm  <dmalcolm@redhat.com>
8978         * analyzer.h (class state_machine): New forward decl.
8979         (class logger): Likewise.
8980         (class visitor): Likewise.
8981         * complexity.cc: New file, taken from svalue.cc.
8982         * complexity.h: New file, taken from region-model.h.
8983         * region-model.h: Include "analyzer/svalue.h" and
8984         "analyzer/region.h".  Move struct complexity to complexity.h.
8985         Move svalue, its subclasses and supporting decls to svalue.h.
8986         Move region, its subclasses and supporting decls to region.h.
8987         * region.cc: Include "analyzer/region.h".
8988         (symbolic_region::symbolic_region): Move here from region-model.h.
8989         * region.h: New file, based on material from region-model.h.
8990         * svalue.cc: Include "analyzer/svalue.h".
8991         (complexity::complexity): Move to complexity.cc.
8992         (complexity::from_pair): Likewise.
8993         * svalue.h: New file, based on material from region-model.h.
8995 2020-10-29  David Malcolm  <dmalcolm@redhat.com>
8997         * program-state.cc (sm_state_map::print): Guard the printing of
8998         the origin pointer with !flag_dump_noaddr.
8999         * region.cc (string_region::dump_to_pp): Likewise for
9000         m_string_cst.
9002 2020-10-27  David Malcolm  <dmalcolm@redhat.com>
9004         PR analyzer/97568
9005         * region-model.cc (region_model::get_initial_value_for_global):
9006         Move check that !DECL_EXTERNAL from here to...
9007         * region.cc (decl_region::get_svalue_for_initializer): ...here,
9008         using it to reject zero initialization.
9010 2020-10-27  Markus Böck  <markus.boeck02@gmail.com>
9012         PR analyzer/96608
9013         * store.h (hash): Cast to intptr_t instead of long.
9015 2020-10-27  David Malcolm  <dmalcolm@redhat.com>
9017         * constraint-manager.cc (svalue_cmp_by_ptr): Delete.
9018         (equiv_class::canonicalize): Use svalue::cmp_ptr_ptr instead.
9019         (equiv_class_cmp): Eliminate pointer comparison.
9020         * diagnostic-manager.cc (dedupe_key::comparator): If they are at
9021         the same location, also compare epath length and pending_diagnostic
9022         kind.
9023         * engine.cc (readability_comparator): If two path_vars have the
9024         same readability, then impose an arbitrary ordering on them.
9025         (worklist::key_t::cmp): If two points have the same plan ordering,
9026         continue the comparison.  Call sm_state_map::cmp rather than
9027         comparing hash values.
9028         * program-state.cc (sm_state_map::entry_t::cmp): New.
9029         (sm_state_map::cmp): New.
9030         * program-state.h (sm_state_map::entry_t::cmp): New decl.
9031         (sm_state_map::elements): New.
9032         (sm_state_map::cmp): New.
9034 2020-10-27  David Malcolm  <dmalcolm@redhat.com>
9036         * engine.cc (setjmp_record::cmp): New.
9037         (supernode_cluster::dump_dot): Avoid embedding pointer in cluster
9038         name.
9039         (supernode_cluster::cmp_ptr_ptr): New.
9040         (function_call_string_cluster::dump_dot): Avoid embedding pointer
9041         in cluster name.  Sort m_map when dumping child clusters.
9042         (function_call_string_cluster::cmp_ptr_ptr): New.
9043         (root_cluster::dump_dot): Sort m_map when dumping child clusters.
9044         * program-point.cc (function_point::cmp): New.
9045         (function_point::cmp_ptr): New.
9046         * program-point.h (function_point::cmp): New decl.
9047         (function_point::cmp_ptr): New decl.
9048         * program-state.cc (sm_state_map::print): Sort the values.  Guard
9049         the printing of pointers with !flag_dump_noaddr.
9050         (program_state::prune_for_point): Sort the regions.
9051         (log_set_of_svalues): Sort the values.  Guard the printing of
9052         pointers with !flag_dump_noaddr.
9053         * region-model-manager.cc (log_uniq_map): Sort the values.
9054         * region-model-reachability.cc (dump_set): New function template.
9055         (reachable_regions::dump_to_pp): Use it.
9056         * region-model.h (svalue::cmp_ptr): New decl.
9057         (svalue::cmp_ptr_ptr): New decl.
9058         (setjmp_record::cmp): New decl.
9059         (placeholder_svalue::get_name): New accessor.
9060         (widening_svalue::get_point): New accessor.
9061         (compound_svalue::get_map): New accessor.
9062         (conjured_svalue::get_stmt): New accessor.
9063         (conjured_svalue::get_id_region): New accessor.
9064         (region::cmp_ptrs): Rename to...
9065         (region::cmp_ptr_ptr): ...this.
9066         * region.cc (region::cmp_ptrs): Rename to...
9067         (region::cmp_ptr_ptr): ...this.
9068         * state-purge.cc
9069         (state_purge_per_ssa_name::state_purge_per_ssa_name): Sort
9070         m_points_needing_name when dumping.
9071         * store.cc (concrete_binding::cmp_ptr_ptr): New.
9072         (symbolic_binding::cmp_ptr_ptr): New.
9073         (binding_map::cmp): New.
9074         (get_sorted_parent_regions): Update for renaming of
9075         region::cmp_ptrs to region::cmp_ptr_ptr.
9076         (store::dump_to_pp): Likewise.
9077         (store::to_json): Likewise.
9078         (store::can_merge_p): Sort the base regions before considering
9079         them.
9080         * store.h (concrete_binding::cmp_ptr_ptr): New decl.
9081         (symbolic_binding::cmp_ptr_ptr): New decl.
9082         (binding_map::cmp): New decl.
9083         * supergraph.cc (supergraph::supergraph): Assign UIDs to the
9084         gimple stmts.
9085         * svalue.cc (cmp_cst): New.
9086         (svalue::cmp_ptr): New.
9087         (svalue::cmp_ptr_ptr): New.
9089 2020-10-27  David Malcolm  <dmalcolm@redhat.com>
9091         * engine.cc (exploded_graph::get_or_create_node): Fix off-by-one
9092         when imposing param_analyzer_max_enodes_per_program_point limit.
9094 2020-10-27  David Malcolm  <dmalcolm@redhat.com>
9096         * region-model.cc (region_model::get_representative_path_var):
9097         Implement case RK_LABEL.
9098         * region-model.h (label_region::get_label): New accessor.
9100 2020-10-22  David Malcolm  <dmalcolm@redhat.com>
9102         PR analyzer/97514
9103         * engine.cc (exploded_graph::add_function_entry): Handle failure
9104         to create an enode, rather than asserting.
9106 2020-10-22  David Malcolm  <dmalcolm@redhat.com>
9108         PR analyzer/97489
9109         * engine.cc (exploded_graph::add_function_entry): Assert that we
9110         have a function body.
9111         (exploded_graph::on_escaped_function): Reject fndecls that don't
9112         have a function body.
9114 2020-10-14  David Malcolm  <dmalcolm@redhat.com>
9116         PR analyzer/93388
9117         * region-model.cc (region_model::get_initial_value_for_global):
9118         Fall back to returning an initial_svalue if
9119         decl_region::get_svalue_for_initializer fails.
9120         * region.cc (decl_region::get_svalue_for_initializer): Don't
9121         attempt to create a compound_svalue if the region has an unknown
9122         size.
9124 2020-10-14  David Malcolm  <dmalcolm@redhat.com>
9126         PR analyzer/93723
9127         * store.cc (binding_map::apply_ctor_to_region): Remove redundant
9128         assertion.
9130 2020-10-12  David Malcolm  <dmalcolm@redhat.com>
9132         PR analyzer/97258
9133         * engine.cc (impl_region_model_context::on_escaped_function): New
9134         vfunc.
9135         (exploded_graph::add_function_entry): Use m_functions_with_enodes
9136         to implement idempotency.
9137         (add_any_callbacks): New.
9138         (exploded_graph::build_initial_worklist): Use the above to find
9139         callbacks that are reachable from global initializers.
9140         (exploded_graph::on_escaped_function): New.
9141         * exploded-graph.h
9142         (impl_region_model_context::on_escaped_function): New decl.
9143         (exploded_graph::on_escaped_function): New decl.
9144         (exploded_graph::m_functions_with_enodes): New field.
9145         * region-model-reachability.cc
9146         (reachable_regions::reachable_regions): Replace "store" param with
9147         "model" param; use it to initialize m_model.
9148         (reachable_regions::add): When getting the svalue for the region,
9149         call get_store_value on the model rather than using an initial
9150         value.
9151         (reachable_regions::mark_escaped_clusters): Add ctxt param and
9152         use it to call on_escaped_function when a function_region escapes.
9153         * region-model-reachability.h
9154         (reachable_regions::reachable_regions): Replace "store" param with
9155         "model" param.
9156         (reachable_regions::mark_escaped_clusters): Add ctxt param.
9157         (reachable_regions::m_model): New field.
9158         * region-model.cc (region_model::handle_unrecognized_call): Update
9159         for change in reachable_regions ctor.
9160         (region_model::handle_unrecognized_call): Pass ctxt to
9161         mark_escaped_clusters.
9162         (region_model::get_reachable_svalues): Update for change in
9163         reachable_regions ctor.
9164         (region_model::get_initial_value_for_global): Read-only variables
9165         keep their initial values.
9166         * region-model.h (region_model_context::on_escaped_function): New
9167         vfunc.
9168         (noop_region_model_context::on_escaped_function): New.
9170 2020-10-12  David Malcolm  <dmalcolm@redhat.com>
9172         * analyzer.opt (Wanalyzer-write-to-const): New.
9173         (Wanalyzer-write-to-string-literal): New.
9174         * region-model-impl-calls.cc (region_model::impl_call_memcpy):
9175         Call check_for_writable_region.
9176         (region_model::impl_call_memset): Likewise.
9177         (region_model::impl_call_strcpy): Likewise.
9178         * region-model.cc (class write_to_const_diagnostic): New.
9179         (class write_to_string_literal_diagnostic): New.
9180         (region_model::check_for_writable_region): New.
9181         (region_model::set_value): Call check_for_writable_region.
9182         * region-model.h (region_model::check_for_writable_region): New
9183         decl.
9185 2020-10-07  David Malcolm  <dmalcolm@redhat.com>
9187         PR analyzer/97116
9188         * sm-malloc.cc (method_p): New.
9189         (describe_argument_index): New.
9190         (inform_nonnull_attribute): Use describe_argument_index.
9191         (possible_null_arg::describe_final_event): Likewise.
9192         (null_arg::describe_final_event): Likewise.
9194 2020-09-29  David Malcolm  <dmalcolm@redhat.com>
9196         PR analyzer/95188
9197         * engine.cc (stmt_requires_new_enode_p): Split enodes before
9198         "signal" calls.
9200 2020-09-29  David Malcolm  <dmalcolm@redhat.com>
9202         * constraint-manager.cc
9203         (constraint_manager::add_constraint_internal): Whitespace fixes.
9204         Silence -Wsign-compare warning.
9205         * engine.cc (maybe_process_run_of_before_supernode_enodes):
9206         Silence -Wsign-compare warning.
9208 2020-09-28  David Malcolm  <dmalcolm@redhat.com>
9210         * region-model.h (binop_svalue::dyn_cast_binop_svalue): Remove
9211         redundant "virtual".  Add FINAL OVERRIDE.
9212         (widening_svalue::dyn_cast_widening_svalue): Add FINAL OVERRIDE.
9213         (compound_svalue::dyn_cast_compound_svalue): Likewise.
9214         (conjured_svalue::dyn_cast_conjured_svalue): Likewise.
9216 2020-09-28  David Malcolm  <dmalcolm@redhat.com>
9218         * diagnostic-manager.cc (null_assignment_sm_context::m_visitor):
9219         Remove unused field.
9221 2020-09-28  David Malcolm  <dmalcolm@redhat.com>
9223         PR analyzer/97233
9224         * analyzer.cc (is_longjmp_call_p): Require the initial argument
9225         to be a pointer.
9226         * engine.cc (exploded_node::on_longjmp): Likewise.
9228 2020-09-28  David Malcolm  <dmalcolm@redhat.com>
9230         * program-state.cc (sm_state_map::print): Update check
9231         for m_global_state being the start state.
9233 2020-09-26  David Malcolm  <dmalcolm@redhat.com>
9235         PR analyzer/96646
9236         PR analyzer/96841
9237         * region-model.cc (region_model::get_representative_path_var):
9238         When handling offset_region, wrap the MEM_REF's first argument in
9239         an ADDR_EXPR of pointer type, rather than simply using the tree
9240         for the parent region.  Require the MEM_REF's second argument to
9241         be an integer constant.
9243 2020-09-24  David Malcolm  <dmalcolm@redhat.com>
9245         * analyzer.h (struct rejected_constraint): New decl.
9246         * analyzer.opt (fanalyzer-feasibility): New option.
9247         * diagnostic-manager.cc (path_builder::path_builder): Add
9248         "problem" param and use it to initialize new field.
9249         (path_builder::get_feasibility_problem): New accessor.
9250         (path_builder::m_feasibility_problem): New field.
9251         (dedupe_winners::add): Remove inversion of logic in "if" clause,
9252         swapping if/else suites.  In the !feasible_p suite, inspect
9253         flag_analyzer_feasibility and add code to handle when this
9254         is off, accepting the infeasible path, but recording the
9255         feasibility_problem.
9256         (diagnostic_manager::emit_saved_diagnostic): Pass the
9257         feasibility_problem to the path_builder.
9258         (diagnostic_manager::add_events_for_eedge): If we have
9259         a feasibility_problem at this edge, use it to add a custom event.
9260         * engine.cc (exploded_path::feasible_p): Pass a
9261         rejected_constraint ** to model.maybe_update_for_edge and transfer
9262         ownership of any created instance to any feasibility_problem.
9263         (feasibility_problem::dump_to_pp): New.
9264         * exploded-graph.h (feasibility_problem::feasibility_problem):
9265         Drop "model" param; add rejected_constraint * param.
9266         (feasibility_problem::~feasibility_problem): New.
9267         (feasibility_problem::dump_to_pp): New decl.
9268         (feasibility_problem::m_model): Drop field.
9269         (feasibility_problem::m_rc): New field.
9270         * program-point.cc (function_point::get_location): Handle
9271         PK_BEFORE_SUPERNODE and PK_AFTER_SUPERNODE.
9272         * program-state.cc (program_state::on_edge): Pass NULL to new
9273         param of region_model::maybe_update_for_edge.
9274         * region-model.cc (region_model::add_constraint): New overload
9275         adding a rejected_constraint ** param.
9276         (region_model::maybe_update_for_edge): Add rejected_constraint **
9277         param and pass it to the various apply_constraints_for_ calls.
9278         (region_model::apply_constraints_for_gcond): Add
9279         rejected_constraint ** param and pass it to add_constraint calls.
9280         (region_model::apply_constraints_for_gswitch): Likewise.
9281         (region_model::apply_constraints_for_exception): Likewise.
9282         (rejected_constraint::dump_to_pp): New.
9283         * region-model.h (region_model::maybe_update_for_edge):
9284         Add rejected_constraint ** param.
9285         (region_model::add_constraint): New overload adding a
9286         rejected_constraint ** param.
9287         (region_model::apply_constraints_for_gcond): Add
9288         rejected_constraint ** param.
9289         (region_model::apply_constraints_for_gswitch): Likewise.
9290         (region_model::apply_constraints_for_exception): Likewise.
9291         (struct rejected_constraint): New.
9293 2020-09-23  David Malcolm  <dmalcolm@redhat.com>
9295         PR analyzer/97178
9296         * engine.cc (impl_run_checkers): Update for change to ext_state
9297         ctor.
9298         * program-state.cc (selftest::test_sm_state_map): Pass an engine
9299         instance to ext_state ctor.
9300         (selftest::test_program_state_1): Likewise.
9301         (selftest::test_program_state_2): Likewise.
9302         (selftest::test_program_state_merging): Likewise.
9303         (selftest::test_program_state_merging_2): Likewise.
9304         * program-state.h (extrinsic_state::extrinsic_state): Remove NULL
9305         default value for "eng" param.
9307 2020-09-23  Tobias Burnus  <tobias@codesourcery.com>
9309         * analyzer-logging.cc: Guard '#pragma ... ignored "-Wformat-diag"'
9310         by '#if __GNUC__ >= 10'.
9311         * analyzer.h: Likewise.
9312         * call-string.cc: Likewise.
9314 2020-09-23  David Malcolm  <dmalcolm@redhat.com>
9316         * engine.cc (exploded_node::on_stmt): Replace sequence of dyn_cast
9317         with switch.
9319 2020-09-22  David Malcolm  <dmalcolm@redhat.com>
9321         * analysis-plan.cc: Include "json.h".
9322         * analyzer.opt (fdump-analyzer-json): New.
9323         * call-string.cc: Include "json.h".
9324         (call_string::to_json): New.
9325         * call-string.h (call_string::to_json): New decl.
9326         * checker-path.cc: Include "json.h".
9327         * constraint-manager.cc: Include "json.h".
9328         (equiv_class::to_json): New.
9329         (constraint::to_json): New.
9330         (constraint_manager::to_json): New.
9331         * constraint-manager.h (equiv_class::to_json): New decl.
9332         (constraint::to_json): New decl.
9333         (constraint_manager::to_json): New decl.
9334         * diagnostic-manager.cc: Include "json.h".
9335         (saved_diagnostic::to_json): New.
9336         (diagnostic_manager::to_json): New.
9337         * diagnostic-manager.h (saved_diagnostic::to_json): New decl.
9338         (diagnostic_manager::to_json): New decl.
9339         * engine.cc: Include "json.h", <zlib.h>.
9340         (exploded_node::status_to_str): New.
9341         (exploded_node::to_json): New.
9342         (exploded_edge::to_json): New.
9343         (exploded_graph::to_json): New.
9344         (dump_analyzer_json): New.
9345         (impl_run_checkers): Call it.
9346         * exploded-graph.h (exploded_node::status_to_str): New decl.
9347         (exploded_node::to_json): New.
9348         (exploded_edge::to_json): New.
9349         (exploded_graph::to_json): New.
9350         * pending-diagnostic.cc: Include "json.h".
9351         * program-point.cc: Include "json.h".
9352         (program_point::to_json): New.
9353         * program-point.h (program_point::to_json): New decl.
9354         * program-state.cc: Include "json.h".
9355         (extrinsic_state::to_json): New.
9356         (sm_state_map::to_json): New.
9357         (program_state::to_json): New.
9358         * program-state.h (extrinsic_state::to_json): New decl.
9359         (sm_state_map::to_json): New decl.
9360         (program_state::to_json): New decl.
9361         * region-model-impl-calls.cc: Include "json.h".
9362         * region-model-manager.cc: Include "json.h".
9363         * region-model-reachability.cc: Include "json.h".
9364         * region-model.cc: Include "json.h".
9365         * region-model.h (svalue::to_json): New decl.
9366         (region::to_json): New decl.
9367         * region.cc: Include "json.h".
9368         (region::to_json): New.
9369         * sm-file.cc: Include "json.h".
9370         * sm-malloc.cc: Include "json.h".
9371         * sm-pattern-test.cc: Include "json.h".
9372         * sm-sensitive.cc: Include "json.h".
9373         * sm-signal.cc: Include "json.h".
9374         (signal_delivery_edge_info_t::to_json): New.
9375         * sm-taint.cc: Include "json.h".
9376         * sm.cc: Include "diagnostic.h", "tree-diagnostic.h", and
9377         "json.h".
9378         (state_machine::state::to_json): New.
9379         (state_machine::to_json): New.
9380         * sm.h (state_machine::state::to_json): New.
9381         (state_machine::to_json): New.
9382         * state-purge.cc: Include "json.h".
9383         * store.cc: Include "json.h".
9384         (binding_key::get_desc): New.
9385         (binding_map::to_json): New.
9386         (binding_cluster::to_json): New.
9387         (store::to_json): New.
9388         * store.h (binding_key::get_desc): New decl.
9389         (binding_map::to_json): New decl.
9390         (binding_cluster::to_json): New decl.
9391         (store::to_json): New decl.
9392         * supergraph.cc: Include "json.h".
9393         (supergraph::to_json): New.
9394         (supernode::to_json): New.
9395         (superedge::to_json): New.
9396         * supergraph.h (supergraph::to_json): New decl.
9397         (supernode::to_json): New decl.
9398         (superedge::to_json): New decl.
9399         * svalue.cc: Include "json.h".
9400         (svalue::to_json): New.
9402 2020-09-21  David Malcolm  <dmalcolm@redhat.com>
9404         PR analyzer/97130
9405         * region-model-impl-calls.cc (call_details::get_arg_type): New.
9406         * region-model.cc (region_model::on_call_pre): Check that the
9407         initial arg is a pointer before calling impl_call_memset and
9408         impl_call_strlen.
9409         * region-model.h (call_details::get_arg_type): New decl.
9411 2020-09-21  David Malcolm  <dmalcolm@redhat.com>
9413         PR analyzer/93355
9414         * sm-malloc.cc (malloc_state_machine::get_default_state): Look at
9415         the base region when considering pointers.  Treat pointers to
9416         decls as being non-heap.
9418 2020-09-18  David Malcolm  <dmalcolm@redhat.com>
9420         * checker-path.cc (warning_event::get_desc): Handle global state
9421         changes.
9423 2020-09-18  David Malcolm  <dmalcolm@redhat.com>
9425         * sm-malloc.cc (malloc_state_machine::on_stmt): Handle strdup and
9426         strndup as being malloc-like allocators.
9428 2020-09-16  David Malcolm  <dmalcolm@redhat.com>
9430         * engine.cc (strongly_connected_components::strong_connect): Only
9431         consider intraprocedural edges when creating SCCs.
9432         (worklist::key_t::cmp): Add comment.  Treat call_string
9433         differences as more important than differences of program_point
9434         within a supernode.
9436 2020-09-16  David Malcolm  <dmalcolm@redhat.com>
9438         * engine.cc (supernode_cluster::dump_dot): Show the SCC id
9439         in the per-supernode clusters in FILENAME.eg.dot output.
9440         (exploded_graph_annotator::add_node_annotations):
9441         Show the SCC of the supernode in FILENAME.supernode.eg.dot output.
9442         * exploded-graph.h (worklist::scc_id): New.
9443         (exploded_graph::get_scc_id): New.
9445 2020-09-16  David Malcolm  <dmalcolm@redhat.com>
9447         * engine.cc (exploded_node::dump_dot): Show STATUS_BULK_MERGED.
9448         (exploded_graph::process_worklist): Call
9449         maybe_process_run_of_before_supernode_enodes.
9450         (exploded_graph::maybe_process_run_of_before_supernode_enodes):
9451         New.
9452         (exploded_graph_annotator::print_enode): Show STATUS_BULK_MERGED.
9453         * exploded-graph.h (enum exploded_node::status): Add
9454         STATUS_BULK_MERGED.
9456 2020-09-16  David Malcolm  <dmalcolm@redhat.com>
9458         * engine.cc
9459         (exploded_graph::process_node) <case PK_BEFORE_SUPERNODE>:
9460         Simplify by using program_point::get_next.
9461         * program-point.cc (program_point::get_next): New.
9462         * program-point.h (program_point::get_next): New decl.
9464 2020-09-16  David Malcolm  <dmalcolm@redhat.com>
9466         * engine.cc (exploded_graph::get_or_create_node): Show the
9467         program point when issuing -Wanalyzer-too-complex due to hitting
9468         the per-program-point limit.
9470 2020-09-16  David Malcolm  <dmalcolm@redhat.com>
9472         * region-model.cc (region_model::on_call_pre): Treat getchar as
9473         having no side-effects.
9475 2020-09-15  David Malcolm  <dmalcolm@redhat.com>
9477         PR analyzer/96650
9478         * constraint-manager.cc (merger_fact_visitor::on_fact): Replace
9479         assertion that add_constraint succeeded with an assertion that
9480         if it fails, -fanalyzer-transitivity is off.
9482 2020-09-14  David Malcolm  <dmalcolm@redhat.com>
9484         * analyzer.opt (-param=analyzer-max-constraints=): New param.
9485         * constraint-manager.cc
9486         (constraint_manager::add_constraint_internal): Silently reject
9487         attempts to add constraints when the above limit is reached.
9489 2020-09-14  David Malcolm  <dmalcolm@redhat.com>
9491         PR analyzer/96653
9492         * constraint-manager.cc
9493         (constraint_manager::get_or_add_equiv_class): Don't accumulate
9494         transitive closure of all constraints on constants.
9496 2020-09-14  David Malcolm  <dmalcolm@redhat.com>
9498         PR analyzer/97029
9499         * analyzer.cc (is_setjmp_call_p): Require the initial arg to be a
9500         pointer.
9501         * region-model.cc (region_model::deref_rvalue): Assert that the
9502         svalue is of pointer type.
9504 2020-09-11  David Malcolm  <dmalcolm@redhat.com>
9506         PR analyzer/96798
9507         * region-model-impl-calls.cc (region_model::impl_call_memcpy):
9508         New.
9509         (region_model::impl_call_strcpy): New.
9510         * region-model.cc (region_model::on_call_pre): Flag unhandled
9511         builtins that are non-pure as having unknown side-effects.
9512         Implement BUILT_IN_MEMCPY, BUILT_IN_MEMCPY_CHK, BUILT_IN_STRCPY,
9513         BUILT_IN_STRCPY_CHK, BUILT_IN_FPRINTF, BUILT_IN_FPRINTF_UNLOCKED,
9514         BUILT_IN_PUTC, BUILT_IN_PUTC_UNLOCKED, BUILT_IN_FPUTC,
9515         BUILT_IN_FPUTC_UNLOCKED, BUILT_IN_FPUTS, BUILT_IN_FPUTS_UNLOCKED,
9516         BUILT_IN_FWRITE, BUILT_IN_FWRITE_UNLOCKED, BUILT_IN_PRINTF,
9517         BUILT_IN_PRINTF_UNLOCKED, BUILT_IN_PUTCHAR,
9518         BUILT_IN_PUTCHAR_UNLOCKED, BUILT_IN_PUTS, BUILT_IN_PUTS_UNLOCKED,
9519         BUILT_IN_VFPRINTF, BUILT_IN_VPRINTF.
9520         * region-model.h (region_model::impl_call_memcpy): New decl.
9521         (region_model::impl_call_strcpy): New decl.
9523 2020-09-09  David Malcolm  <dmalcolm@redhat.com>
9525         PR analyzer/94355
9526         * analyzer.opt (Wanalyzer-mismatching-deallocation): New warning.
9527         * region-model-impl-calls.cc
9528         (region_model::impl_call_operator_new): New.
9529         (region_model::impl_call_operator_delete): New.
9530         * region-model.cc (region_model::on_call_pre): Detect operator new
9531         and operator delete.
9532         (region_model::on_call_post): Likewise.
9533         (region_model::maybe_update_for_edge): Detect EH edges and call...
9534         (region_model::apply_constraints_for_exception): New function.
9535         * region-model.h (region_model::impl_call_operator_new): New decl.
9536         (region_model::impl_call_operator_delete): New decl.
9537         (region_model::apply_constraints_for_exception): New decl.
9538         * sm-malloc.cc (enum resource_state): New.
9539         (struct allocation_state): New state subclass.
9540         (enum wording): New.
9541         (struct api): New.
9542         (malloc_state_machine::custom_data_t): New typedef.
9543         (malloc_state_machine::add_state): New decl.
9544         (malloc_state_machine::m_unchecked)
9545         (malloc_state_machine::m_nonnull)
9546         (malloc_state_machine::m_freed): Delete these states in favor
9547         of...
9548         (malloc_state_machine::m_malloc)
9549         (malloc_state_machine::m_scalar_new)
9550         (malloc_state_machine::m_vector_new): ...these new api instances,
9551         which own their own versions of these states.
9552         (malloc_state_machine::on_allocator_call): New decl.
9553         (malloc_state_machine::on_deallocator_call): New decl.
9554         (api::api): New ctor.
9555         (dyn_cast_allocation_state): New.
9556         (as_a_allocation_state): New.
9557         (get_rs): New.
9558         (unchecked_p): New.
9559         (nonnull_p): New.
9560         (freed_p): New.
9561         (malloc_diagnostic::describe_state_change): Use unchecked_p and
9562         nonnull_p.
9563         (class mismatching_deallocation): New.
9564         (double_free::double_free): Add funcname param for initializing
9565         m_funcname.
9566         (double_free::emit): Use m_funcname in warning message rather
9567         than hardcoding "free".
9568         (double_free::describe_state_change): Likewise.  Use freed_p.
9569         (double_free::describe_call_with_state): Use freed_p.
9570         (double_free::describe_final_event): Use m_funcname in message
9571         rather than hardcoding "free".
9572         (double_free::m_funcname): New field.
9573         (possible_null::describe_state_change): Use unchecked_p.
9574         (possible_null::describe_return_of_state): Likewise.
9575         (use_after_free::use_after_free): Add param for initializing m_api.
9576         (use_after_free::emit): Use m_api->m_dealloc_funcname in message
9577         rather than hardcoding "free".
9578         (use_after_free::describe_state_change): Use freed_p.  Change the
9579         wording of the message based on the API.
9580         (use_after_free::describe_final_event): Use
9581         m_api->m_dealloc_funcname in message rather than hardcoding
9582         "free".  Change the wording of the message based on the API.
9583         (use_after_free::m_api): New field.
9584         (malloc_leak::describe_state_change): Use unchecked_p.  Update
9585         for renaming of m_malloc_event to m_alloc_event.
9586         (malloc_leak::describe_final_event): Update for renaming of
9587         m_malloc_event to m_alloc_event.
9588         (malloc_leak::m_malloc_event): Rename...
9589         (malloc_leak::m_alloc_event): ...to this.
9590         (free_of_non_heap::free_of_non_heap): Add param for initializing
9591         m_funcname.
9592         (free_of_non_heap::emit): Use m_funcname in message rather than
9593         hardcoding "free".
9594         (free_of_non_heap::describe_final_event): Likewise.
9595         (free_of_non_heap::m_funcname): New field.
9596         (allocation_state::dump_to_pp): New.
9597         (allocation_state::get_nonnull): New.
9598         (malloc_state_machine::malloc_state_machine): Update for changes
9599         to state fields and new api fields.
9600         (malloc_state_machine::add_state): New.
9601         (malloc_state_machine::on_stmt): Move malloc/calloc handling to
9602         on_allocator_call and call it, passing in the API pointer.
9603         Likewise for free, moving it to on_deallocator_call.  Handle calls
9604         to operator new and delete in an analogous way.  Use unchecked_p
9605         when testing for possibly-null-arg and possibly-null-deref, and
9606         transition to the non-null state for the correct API.  Remove redundant
9607         node param from call to on_zero_assignment.  Use freed_p for
9608         use-after-free check, and pass in API.
9609         (malloc_state_machine::on_allocator_call): New, based on code in
9610         on_stmt.
9611         (malloc_state_machine::on_deallocator_call): Likewise.
9612         (malloc_state_machine::on_phi): Mark node param with
9613         ATTRIBUTE_UNUSED; don't pass it to on_zero_assignment.
9614         (malloc_state_machine::on_condition): Mark node param with
9615         ATTRIBUTE_UNUSED.  Replace on_transition calls with get_state and
9616         set_next_state pairs, transitioning to the non-null state for the
9617         appropriate API.
9618         (malloc_state_machine::can_purge_p): Port to new state approach.
9619         (malloc_state_machine::on_zero_assignment): Replace on_transition
9620         calls with get_state and set_next_state pairs.  Drop redundant
9621         node param.
9622         * sm.h (state_machine::add_custom_state): New.
9624 2020-09-09  David Malcolm  <dmalcolm@redhat.com>
9626         * diagnostic-manager.cc
9627         (null_assignment_sm_context::warn_for_state): Replace with...
9628         (null_assignment_sm_context::warn): ...this.
9629         * engine.cc (impl_sm_context::warn_for_state): Replace with...
9630         (impl_sm_context::warn): ...this.
9631         * sm-file.cc (fileptr_state_machine::on_stmt): Replace
9632         warn_for_state and on_transition calls with a get_state
9633         test guarding warn and set_next_state calls.
9634         * sm-malloc.cc (malloc_state_machine::on_stmt): Likewise.
9635         * sm-pattern-test.cc (pattern_test_state_machine::on_condition):
9636         Replace warn_for_state call with warn call.
9637         * sm-sensitive.cc
9638         (sensitive_state_machine::warn_for_any_exposure): Replace
9639         warn_for_state call with a get_state test guarding a warn call.
9640         * sm-signal.cc (signal_state_machine::on_stmt): Likewise.
9641         * sm-taint.cc (taint_state_machine::on_stmt): Replace
9642         warn_for_state and on_transition calls with a get_state
9643         test guarding warn and set_next_state calls.
9644         * sm.h (sm_context::warn_for_state): Replace with...
9645         (sm_context::warn): ...this.
9647 2020-09-09  David Malcolm  <dmalcolm@redhat.com>
9649         * diagnostic-manager.cc
9650         (null_assignment_sm_context::null_assignment_sm_context): Add old_state
9651         and ext_state params, initializing m_old_state and m_ext_state.
9652         (null_assignment_sm_context::on_transition): Split into...
9653         (null_assignment_sm_context::get_state): ...this new vfunc
9654         implementation and...
9655         (null_assignment_sm_context::set_next_state): ...this new vfunc
9656         implementation.
9657         (null_assignment_sm_context::m_old_state): New field.
9658         (null_assignment_sm_context::m_ext_state): New field.
9659         (diagnostic_manager::add_events_for_eedge): Pass in old state and
9660         ext_state when creating sm_ctxt.
9661         * engine.cc (impl_sm_context::on_transition): Split into...
9662         (impl_sm_context::get_state): ...this new vfunc
9663         implementation and...
9664         (impl_sm_context::set_next_state): ...this new vfunc
9665         implementation.
9666         * sm.h (sm_context::get_state): New pure virtual function.
9667         (sm_context::set_next_state): Likewise.
9668         (sm_context::on_transition): Convert from a pure virtual function
9669         to a regular function implemented in terms of get_state and
9670         set_next_state.
9672 2020-09-09  David Malcolm  <dmalcolm@redhat.com>
9674         * checker-path.cc (state_change_event::get_desc): Update
9675         state_machine::get_state_name calls to state::get_name.
9676         (warning_event::get_desc): Likewise.
9677         * diagnostic-manager.cc
9678         (null_assignment_sm_context::on_transition): Update comparison
9679         against 0 with comparison with m_sm.get_start_state.
9680         (diagnostic_manager::prune_for_sm_diagnostic): Update
9681         state_machine::get_state_name calls to state::get_name.
9682         * engine.cc (impl_sm_context::on_transition): Likewise.
9683         (exploded_node::get_dot_fillcolor): Use get_id when summing
9684         the sm states.
9685         * program-state.cc (sm_state_map::sm_state_map): Don't hardcode
9686         0 as the start state when initializing m_global_state.
9687         (sm_state_map::print): Use dump_to_pp rather than get_state_name
9688         when dumping states.
9689         (sm_state_map::is_empty_p): Don't hardcode 0 as the start state
9690         when examining m_global_state.
9691         (sm_state_map::hash): Use get_id when hashing states.
9692         (selftest::test_sm_state_map): Use state objects rather than
9693         arbitrary hardcoded integers.
9694         (selftest::test_program_state_merging): Likewise.
9695         (selftest::test_program_state_merging_2): Likewise.
9696         * sm-file.cc (fileptr_state_machine::m_start): Move to base class.
9697         (file_diagnostic::describe_state_change): Use get_start_state.
9698         (fileptr_state_machine::fileptr_state_machine): Drop m_start
9699         initialization.
9700         * sm-malloc.cc (malloc_state_machine::m_start): Move to base
9701         class.
9702         (malloc_diagnostic::describe_state_change): Use get_start_state.
9703         (possible_null::describe_state_change): Likewise.
9704         (malloc_state_machine::malloc_state_machine): Drop m_start
9705         initialization.
9706         * sm-pattern-test.cc (pattern_test_state_machine::m_start): Move
9707         to base class.
9708         (pattern_test_state_machine::pattern_test_state_machine): Drop
9709         m_start initialization.
9710         * sm-sensitive.cc (sensitive_state_machine::m_start): Move to base
9711         class.
9712         (sensitive_state_machine::sensitive_state_machine): Drop m_start
9713         initialization.
9714         * sm-signal.cc (signal_state_machine::m_start): Move to base
9715         class.
9716         (signal_state_machine::signal_state_machine): Drop m_start
9717         initialization.
9718         * sm-taint.cc (taint_state_machine::m_start): Move to base class.
9719         (taint_state_machine::taint_state_machine): Drop m_start
9720         initialization.
9721         * sm.cc (state_machine::state::dump_to_pp): New.
9722         (state_machine::state_machine): Move here from sm.h.  Initialize
9723         m_next_state_id and m_start.
9724         (state_machine::add_state): Reimplement in terms of state objects.
9725         (state_machine::get_state_name): Delete.
9726         (state_machine::get_state_by_name): Reimplement in terms of state
9727         objects.  Make const.
9728         (state_machine::validate): Delete.
9729         (state_machine::dump_to_pp): Reimplement in terms of state
9730         objects.
9731         * sm.h (state_machine::state): New class.
9732         (state_machine::state_t): Convert typedef from "unsigned" to
9733         "const state_machine::state *".
9734         (state_machine::state_machine): Move to sm.cc.
9735         (state_machine::get_default_state): Use m_start rather than
9736         hardcoding 0.
9737         (state_machine::get_state_name): Delete.
9738         (state_machine::get_state_by_name): Make const.
9739         (state_machine::get_start_state): New accessor.
9740         (state_machine::alloc_state_id): New.
9741         (state_machine::m_state_names): Drop in favor of...
9742         (state_machine::m_states): New field.
9743         (state_machine::m_start): New field.
9744         (start_start_p): Delete.
9746 2020-09-08  David Malcolm  <dmalcolm@redhat.com>
9748         PR analyzer/96949
9749         * store.cc (binding_map::apply_ctor_val_to_range): Add
9750         error-handling for the cases where we have symbolic offsets.
9752 2020-09-08  David Malcolm  <dmalcolm@redhat.com>
9754         PR analyzer/96950
9755         * store.cc (binding_map::apply_ctor_to_region): Handle RANGE_EXPR
9756         where min_index == max_index.
9757         (binding_map::apply_ctor_val_to_range): Replace assertion that we
9758         don't have a CONSTRUCTOR value with error-handling.
9760 2020-09-08  David Malcolm  <dmalcolm@redhat.com>
9762         PR analyzer/96962
9763         * region-model.cc (region_model::on_call_pre): Fix guard on switch
9764         on built-ins to only consider BUILT_IN_NORMAL, rather than other
9765         kinds of built-ins.
9767 2020-09-01  David Malcolm  <dmalcolm@redhat.com>
9769         PR analyzer/96792
9770         * region-model.cc (region_model::deref_rvalue): Add the constraint
9771         that PTR_SVAL is non-NULL.
9773 2020-08-31  David Malcolm  <dmalcolm@redhat.com>
9775         PR analyzer/96798
9776         * region-model.cc (region_model::on_call_pre): Handle
9777         BUILT_IN_MEMSET_CHK.
9779 2020-08-31  David Malcolm  <dmalcolm@redhat.com>
9781         * region-model.cc (region_model::on_call_pre): Gather handling of
9782         builtins and of internal fns into switch statements.  Handle
9783         "alloca" and BUILT_IN_ALLOCA_WITH_ALIGN.
9785 2020-08-31  David Malcolm  <dmalcolm@redhat.com>
9787         PR analyzer/96860
9788         * region.cc (decl_region::get_svalue_for_constructor): Support
9789         apply_ctor_to_region failing.
9790         * store.cc (binding_map::apply_ctor_to_region): Add failure
9791         handling.
9792         (binding_map::apply_ctor_val_to_range): Likewise.
9793         (binding_map::apply_ctor_pair_to_child_region): Likewise.  Replace
9794         assertion that child_base_offset is not symbolic with error
9795         handling.
9796         * store.h (binding_map::apply_ctor_to_region): Convert return type
9797         from void to bool.
9798         (binding_map::apply_ctor_val_to_range): Likewise.
9799         (binding_map::apply_ctor_pair_to_child_region): Likewise.
9801 2020-08-31  David Malcolm  <dmalcolm@redhat.com>
9803         PR analyzer/96763
9804         * store.cc (binding_map::apply_ctor_to_region): Handle RANGE_EXPR
9805         by calling a new binding_map::apply_ctor_val_to_range subroutine.
9806         Split out the existing non-CONSTRUCTOR-handling code to a new
9807         apply_ctor_pair_to_child_region subroutine.
9808         (binding_map::apply_ctor_val_to_range): New.
9809         (binding_map::apply_ctor_pair_to_child_region): New, split out
9810         from binding_map::apply_ctor_to_region as noted above.
9811         * store.h (binding_map::apply_ctor_val_to_range): New decl.
9812         (binding_map::apply_ctor_pair_to_child_region): New decl.
9814 2020-08-31  David Malcolm  <dmalcolm@redhat.com>
9816         PR analyzer/96764
9817         * region-model-manager.cc
9818         (region_model_manager::maybe_fold_unaryop): Handle VIEW_CONVERT_EXPR.
9819         (region_model_manager::get_or_create_cast): Move logic for
9820         real->integer casting to...
9821         (get_code_for_cast): ...this new function, and add logic for
9822         real->non-integer casts.
9823         (region_model_manager::maybe_fold_sub_svalue): Handle
9824         VIEW_CONVERT_EXPR.
9825         * region-model.cc
9826         (region_model::add_any_constraints_from_gassign): Likewise.
9827         * svalue.cc (svalue::maybe_undo_cast): Likewise.
9828         (unaryop_svalue::dump_to_pp): Likewise.
9830 2020-08-26  David Malcolm  <dmalcolm@redhat.com>
9832         PR analyzer/94858
9833         * region-model-manager.cc
9834         (region_model_manager::get_or_create_widening_svalue): Assert that
9835         neither of the inputs are themselves widenings.
9836         * store.cc (store::eval_alias_1): The initial value of a pointer
9837         can't point to a region that was allocated on the heap after the
9838         beginning of the path.  A widened pointer value can't alias anything
9839         that the initial pointer value can't alias.
9840         * svalue.cc (svalue::can_merge_p): Merge BINOP (X, OP, CST) with X
9841         to a widening svalue.  Merge
9842         BINOP(WIDENING(BASE, BINOP(BASE, X)), X) and BINOP(BASE, X)
9843         to the LHS of the first BINOP.
9845 2020-08-26  David Malcolm  <dmalcolm@redhat.com>
9847         PR analyzer/96777
9848         * region-model.h (class compound_svalue): Document that all keys
9849         must be concrete.
9850         (compound_svalue::compound_svalue): Move definition to svalue.cc.
9851         * store.cc (binding_map::apply_ctor_to_region): Handle
9852         initializers for trailing arrays with incomplete size.
9853         * svalue.cc (compound_svalue::compound_svalue): Move definition
9854         here from region-model.h.  Add assertion that all keys are
9855         concrete.
9857 2020-08-22  David Malcolm  <dmalcolm@redhat.com>
9859         PR analyzer/94851
9860         * region-model-manager.cc
9861         (region_model_manager::maybe_fold_binop): Fold bitwise "& 0" to 0.
9863 2020-08-22  David Malcolm  <dmalcolm@redhat.com>
9865         * store.cc (store::eval_alias): Make const.  Split out 2nd half
9866         into store::eval_alias_1 and call it twice for symmetry, avoiding
9867         test duplication.
9868         (store::eval_alias_1): New function, split out from the above.
9869         * store.h (store::eval_alias): Make const.
9870         (store::eval_alias_1): New decl.
9872 2020-08-22  David Malcolm  <dmalcolm@redhat.com>
9874         * region-model.cc (region_model::push_frame): Bind the default
9875         SSA name for each parm if it exists, falling back to the parm
9876         itself otherwise, rather than doing both.
9878 2020-08-20  David Malcolm  <dmalcolm@redhat.com>
9880         PR analyzer/96723
9881         * region-model-manager.cc
9882         (region_model_manager::get_field_region): Assert that field is a
9883         FIELD_DECL.
9884         * region.cc (region::get_subregions_for_binding): In
9885         union-handling, filter the TYPE_FIELDS traversal to just FIELD_DECLs.
9887 2020-08-20  David Malcolm  <dmalcolm@redhat.com>
9889         PR analyzer/96713
9890         * region-model.cc (region_model::get_gassign_result): For
9891         comparisons, only use eval_condition when the lhs has boolean
9892         type, and use get_or_create_constant_svalue on the boolean
9893         constants directly rather than via get_rvalue.
9895 2020-08-19  David Malcolm  <dmalcolm@redhat.com>
9897         PR analyzer/96643
9898         * region-model.cc (region_model::deref_rvalue): Rather than
9899         attempting to handle all svalue kinds in the switch, only cover
9900         the special cases, and move symbolic-region handling to after
9901         the switch, thus implicitly handling the missing case SK_COMPOUND.
9903 2020-08-19  David Malcolm  <dmalcolm@redhat.com>
9905         PR analyzer/96705
9906         * region-model-manager.cc
9907         (region_model_manager::maybe_fold_binop): Check that we have an
9908         integral type before calling build_int_cst.
9910 2020-08-19  David Malcolm  <dmalcolm@redhat.com>
9912         PR analyzer/96699
9913         * region-model-manager.cc
9914         (region_model_manager::get_or_create_cast): Use FIX_TRUNC_EXPR for
9915         casting from REAL_TYPE to INTEGER_TYPE.
9917 2020-08-19  David Malcolm  <dmalcolm@redhat.com>
9919         PR analyzer/96651
9920         * region-model.cc (region_model::called_from_main_p): New.
9921         (region_model::get_store_value): Move handling for globals into...
9922         (region_model::get_initial_value_for_global): ...this new
9923         function, and add logic for extracting values from decl
9924         initializers.
9925         * region-model.h (decl_region::get_svalue_for_constructor): New
9926         decl.
9927         (decl_region::get_svalue_for_initializer): New decl.
9928         (region_model::called_from_main_p): New decl.
9929         (region_model::get_initial_value_for_global): New.
9930         * region.cc (decl_region::maybe_get_constant_value): Move logic
9931         for getting an svalue from a CONSTRUCTOR node to...
9932         (decl_region::get_svalue_for_constructor): ...this new function.
9933         (decl_region::get_svalue_for_initializer): New.
9934         * store.cc (get_svalue_for_ctor_val): Rewrite in terms of
9935         region_model::get_rvalue.
9936         * store.h (binding_cluster::get_map): New accessor.
9938 2020-08-19  David Malcolm  <dmalcolm@redhat.com>
9940         PR analyzer/96648
9941         * region.cc (get_field_at_bit_offset): Gracefully handle negative
9942         values for bit_offset.
9944 2020-08-18  David Malcolm  <dmalcolm@redhat.com>
9946         * region-model.cc (region_model::get_rvalue_1): Fix name of local.
9948 2020-08-18  David Malcolm  <dmalcolm@redhat.com>
9950         PR analyzer/96641
9951         * region-model.cc (region_model::get_rvalue_1): Handle
9952         unrecognized tree codes by returning "UNKNOWN".

2020-08-18  David Malcolm  <dmalcolm@redhat.com>

        PR analyzer/96640
        * region-model.cc (region_model::get_gassign_result): Handle various
        VEC_* tree codes by returning UNKNOWN.
        (region_model::on_assignment): Handle unrecognized tree codes by
        setting lhs to an unknown value, rather than issuing a "sorry" and
        asserting.

2020-08-17  David Malcolm  <dmalcolm@redhat.com>

        PR analyzer/96644
        * region-model-manager.cc (get_region_for_unexpected_tree_code):
        Handle ctxt being NULL.

2020-08-17  David Malcolm  <dmalcolm@redhat.com>

        PR analyzer/96639
        * region.cc (region::get_subregions_for_binding): Check for "type"
        being NULL.

2020-08-17  David Malcolm  <dmalcolm@redhat.com>

        PR analyzer/96642
        * store.cc (get_svalue_for_ctor_val): New.
        (binding_map::apply_ctor_to_region): Call it.

2020-08-14  David Malcolm  <dmalcolm@redhat.com>

        PR testsuite/96609
        PR analyzer/96616
        * region-model.cc (region_model::get_store_value): Call
        maybe_get_constant_value on decl_regions first.
        * region-model.h (decl_region::maybe_get_constant_value): New decl.
        * region.cc (decl_region::get_stack_depth): Likewise.
        (decl_region::maybe_get_constant_value): New.
        * store.cc (get_subregion_within_ctor): New.
        (binding_map::apply_ctor_to_region): New.
        * store.h (binding_map::apply_ctor_to_region): New decl.

2020-08-14  David Malcolm  <dmalcolm@redhat.com>

        PR analyzer/96611
        * store.cc (store::mark_as_escaped): Reject attempts to
        get a cluster for an unknown pointer.

2020-08-13  David Malcolm  <dmalcolm@redhat.com>

        PR analyzer/93032
        PR analyzer/93938
        PR analyzer/94011
        PR analyzer/94099
        PR analyzer/94399
        PR analyzer/94458
        PR analyzer/94503
        PR analyzer/94640
        PR analyzer/94688
        PR analyzer/94689
        PR analyzer/94839
        PR analyzer/95026
        PR analyzer/95042
        PR analyzer/95240
        * analyzer-logging.cc: Ignore "-Wformat-diag".
        (logger::enter_scope): Use inc_indent in both overloads.
        (logger::exit_scope): Use dec_indent.
        * analyzer-logging.h (logger::inc_indent): New.
        (logger::dec_indent): New.
        * analyzer-selftests.cc (run_analyzer_selftests): Call
        analyzer_store_cc_tests.
        * analyzer-selftests.h (analyzer_store_cc_tests): New decl.
        * analyzer.cc (get_stmt_location): New function.
        * analyzer.h (class initial_svalue): New forward decl.
        (class unaryop_svalue): New forward decl.
        (class binop_svalue): New forward decl.
        (class sub_svalue): New forward decl.
        (class unmergeable_svalue): New forward decl.
        (class placeholder_svalue): New forward decl.
        (class widening_svalue): New forward decl.
        (class compound_svalue): New forward decl.
        (class conjured_svalue): New forward decl.
        (svalue_set): New typedef.
        (class map_region): Delete.
        (class array_region): Delete.
        (class frame_region): New forward decl.
        (class function_region): New forward decl.
        (class label_region): New forward decl.
        (class decl_region): New forward decl.
        (class element_region): New forward decl.
        (class offset_region): New forward decl.
        (class cast_region): New forward decl.
        (class field_region): New forward decl.
        (class string_region): New forward decl.
        (class region_model_manager): New forward decl.
        (class store_manager): New forward decl.
        (class store): New forward decl.
        (class call_details): New forward decl.
        (struct svalue_id_merger_mapping): Delete.
        (struct canonicalization): Delete.
        (class function_point): New forward decl.
        (class engine): New forward decl.
        (dump_tree): New function decl.
        (print_quoted_type): New function decl.
        (readability_comparator): New function decl.
        (tree_cmp): New function decl.
        (class path_var): Move here from region-model.h
        (bit_offset_t, bit_size_t, byte_size_t): New typedefs.
        (class region_offset): New class.
        (get_stmt_location): New decl.
        (struct member_function_hash_traits): New struct.
        (class consolidation_map): New class.
        Ignore "-Wformat-diag".
        * analyzer.opt (-param=analyzer-max-svalue-depth=): New param.
        (-param=analyzer-max-enodes-for-full-dump=): New param.
        * call-string.cc: Ignore -Wformat-diag.
        * checker-path.cc: Move includes of "analyzer/call-string.h" and
        "analyzer/program-point.h" to before "analyzer/region-model.h",
        and also include "analyzer/store.h" before it.
        (state_change_event::state_change_event): Replace "tree var" param
        with "const svalue *sval".  Convert "origin" param from tree to
        "const svalue *".
        (state_change_event::get_desc): Call get_representative_tree to
        convert the var and origin from const svalue * to tree.  Use
        svalue::get_desc rather than %qE when describing state changes.
        (checker_path::add_final_event): Use get_stmt_location.
        * checker-path.h (state_change_event::state_change_event): Port
        from tree to const svalue *.
        (state_change_event::get_lvalue): Delete.
        (state_change_event::get_dest_function): New.
        (state_change_event::m_var): Replace with...
        (state_change_event::m_sval): ...this.
        (state_change_event::m_origin): Convert from tree to
        const svalue *.
        * constraint-manager.cc: Include "analyzer/call-string.h",
        "analyzer/program-point.h", and "analyzer/store.h" before
        "analyzer/region-model.h".
        (struct bound, struct range): Move to constraint-manager.h.
        (compare_constants): New function.
        (range::dump): Rename to...
        (range::dump_to_pp): ...this.  Support NULL constants.
        (range::dump): Reintroduce for dumping to stderr.
        (range::constrained_to_single_element): Return result, rather than
        writing to *OUT.
        (range::eval_condition): New.
        (range::below_lower_bound): New.
        (range::above_upper_bound): New.
        (equiv_class::equiv_class): Port from svalue_id to const svalue *.
        (equiv_class::print): Likewise.
        (equiv_class::hash): Likewise.
        (equiv_class::operator==): Port from svalue_id to const svalue *.
        (equiv_class::add): Port from svalue_id to const svalue *.  Drop
        "cm" param.
        (equiv_class::del): Port from svalue_id to const svalue *.
        (equiv_class::get_representative): Likewise.
        (equiv_class::remap_svalue_ids): Delete.
        (svalue_id_cmp_by_id): Rename to...
        (svalue_cmp_by_ptr): ...this, porting from svalue_id to
        const svalue *.
        (equiv_class::canonicalize): Update qsort comparator.
        (constraint::implied_by): New.
        (constraint_manager::constraint_manager): Copy m_mgr in copy ctor.
        (constraint_manager::dump_to_pp): Add "multiline" param
        (constraint_manager::dump): Pass "true" for "multiline".
        (constraint_manager::add_constraint): Port from svalue_id to
        const svalue *.  Split out second part into...
        (constraint_manager::add_unknown_constraint): ...this new
        function.  Remove self-constraints when merging equivalence
        classes.
        (constraint_manager::add_constraint_internal): Remove constraints
        that would be implied by the new constraint.  Port from svalue_id
        to const svalue *.
        (constraint_manager::get_equiv_class_by_sid): Rename to...
        (constraint_manager::get_equiv_class_by_svalue): ...this, porting
        from svalue_id to const svalue *.
        (constraint_manager::get_or_add_equiv_class): Port from svalue_id
        to const svalue *.
        (constraint_manager::eval_condition): Make const.  Call
        compare_constants and return early if it provides a known result.
        (constraint_manager::get_ec_bounds): New.
        (constraint_manager::eval_condition): New overloads.  Make
        existing one const, and use compare_constants.
        (constraint_manager::purge): Convert "p" param to a template
        rather than an abstract base class.  Port from svalue_id to
        const svalue *.
        (class dead_svalue_purger): New class.
        (constraint_manager::remap_svalue_ids): Delete.
        (constraint_manager::on_liveness_change): New.
        (equiv_class_cmp): Port from svalue_id to const svalue *.
        (constraint_manager::canonicalize): Likewise.  Combine with
        purging of redundant equivalence classes and constraints.
        (class cleaned_constraint_manager): Delete.
        (class merger_fact_visitor): Make "m_cm_b" const.  Add "m_merger"
        field.
        (merger_fact_visitor::fact): Port from svalue_id to const svalue *.
        Add special case for widening.
        (constraint_manager::merge): Port from svalue_id to const svalue *.
        (constraint_manager::clean_merger_input): Delete.
        (constraint_manager::for_each_fact): Port from svalue_id to
        const svalue *.
        (constraint_manager::validate): Likewise.
        (selftest::test_constraint_conditions): Provide a
        region_model_manager when creating region_model instances.
        Add test for self-equality not creating equivalence classes.
        (selftest::test_transitivity): Provide a region_model_manager when
        creating region_model instances.  Verify that EC-merging happens
        when constraints are implied.
        (selftest::test_constant_comparisons): Provide a
        region_model_manager when creating region_model instances.
        (selftest::test_constraint_impl): Likewise.  Remove over-specified
        assertions.
        (selftest::test_equality): Provide a region_model_manager when
        creating region_model instances.
        (selftest::test_many_constants): Likewise.  Provide a
        program_point when testing merging.
        (selftest::run_constraint_manager_tests): Move call to
        test_constant_comparisons to outside the transitivity guard.
        * constraint-manager.h (struct bound): Move here from
        constraint-manager.cc.
        (struct range): Likewise.
        (struct::eval_condition): New decl.
        (struct::below_lower_bound): New decl.
        (struct::above_upper_bound): New decl.
        (equiv_class::add): Port from svalue_id to const svalue *.
        (equiv_class::del): Likewise.
        (equiv_class::get_representative): Likewise.
        (equiv_class::remap_svalue_ids): Drop.
        (equiv_class::m_cst_sid): Convert to...
        (equiv_class::m_cst_sval): ...this.
        (equiv_class::m_vars): Port from svalue_id to const svalue *.
        (constraint::bool implied_by): New decl.
        (fact_visitor::on_fact): Port from svalue_id to const svalue *.
        (constraint_manager::constraint_manager): Add mgr param.
        (constraint_manager::clone): Delete.
        (constraint_manager::maybe_get_constant): Delete.
        (constraint_manager::get_sid_for_constant): Delete.
        (constraint_manager::get_num_svalues): Delete.
        (constraint_manager::dump_to_pp): Add "multiline" param.
        (constraint_manager::get_equiv_class): Port from svalue_id to
        const svalue *.
        (constraint_manager::add_constraint): Likewise.
        (constraint_manager::get_equiv_class_by_sid): Rename to...
        (constraint_manager::get_equiv_class_by_svalue): ...this, porting
        from svalue_id to const svalue *.
        (constraint_manager::add_unknown_constraint): New decl.
        (constraint_manager::get_or_add_equiv_class): Port from svalue_id
        to const svalue *.
        (constraint_manager::eval_condition): Likewise.  Add overloads.
        (constraint_manager::get_ec_bounds): New decl.
        (constraint_manager::purge): Convert to template.
        (constraint_manager::remap_svalue_ids): Delete.
        (constraint_manager::on_liveness_change): New decl.
        (constraint_manager::canonicalize): Drop param.
        (constraint_manager::clean_merger_input): Delete.
        (constraint_manager::m_mgr): New field.
        * diagnostic-manager.cc: Move includes of
        "analyzer/call-string.h" and "analyzer/program-point.h" to before
        "analyzer/region-model.h", and also include "analyzer/store.h"
        before it.
        (saved_diagnostic::saved_diagnostic): Add "sval" param.
        (diagnostic_manager::diagnostic_manager): Add engine param.
        (diagnostic_manager::add_diagnostic): Add "sval" param, passing it
        to saved_diagnostic ctor.  Update overload to pass NULL for it.
        (dedupe_winners::dedupe_winners): Add engine param.
        (dedupe_winners::add): Add "eg" param.  Pass m_engine to
        feasible_p.
        (dedupe_winner::m_engine): New field.
        (diagnostic_manager::emit_saved_diagnostics): Pass engine to
        dedupe_winners.  Pass &eg when adding candidates.  Pass svalue
        rather than tree to prune_path.  Use get_stmt_location to get
        primary location of diagnostic.
        (diagnostic_manager::emit_saved_diagnostic): Likewise.
        (get_any_origin): Drop.
        (state_change_event_creator::on_global_state_change): Pass NULL
        const svalue * rather than NULL_TREE trees to state_change_event
        ctor.
        (state_change_event_creator::on_state_change): Port from tree and
        svalue_id to const svalue *.
        (for_each_state_change): Port from svalue_id to const svalue *.
        (struct null_assignment_sm_context): New.
        (diagnostic_manager::add_events_for_eedge): Add state change
        events for assignment to NULL.
        (diagnostic_manager::prune_path): Update param from tree to
        const svalue *.
        (diagnostic_manager::prune_for_sm_diagnostic): Port from tracking
        by tree to by const svalue *.
        * diagnostic-manager.h (saved_diagnostic::saved_diagnostic): Add sval
        param.
        (saved_diagnostic::m_sval): New field.
        (diagnostic_manager::diagnostic_manager): Add engine param.
        (diagnostic_manager::get_engine): New.
        (diagnostic_manager::add_diagnostic): Add "sval" param.
        (diagnostic_manager::prune_path): Likewise.
        (diagnostic_manager::prune_for_sm_diagnostic): New overload.
        (diagnostic_manager::m_eng): New field.
        * engine.cc: Move includes of "analyzer/call-string.h" and
        "analyzer/program-point.h" to before "analyzer/region-model.h",
        and also include "analyzer/store.h" before it.
        (impl_region_model_context::impl_region_model_context): Update for
        removal of m_change field.
        (impl_region_model_context::remap_svalue_ids): Delete.
        (impl_region_model_context::on_svalue_leak): New.
        (impl_region_model_context::on_svalue_purge): Delete.
        (impl_region_model_context::on_liveness_change): New.
        (impl_region_model_context::on_unknown_change): Update param
        from svalue_id to const svalue *.  Add is_mutable param.
        (setjmp_svalue::compare_fields): Delete.
        (setjmp_svalue::accept): New.
        (setjmp_svalue::add_to_hash): Delete.
        (setjmp_svalue::dump_to_pp): New.
        (setjmp_svalue::print_details): Delete.
        (impl_sm_context::impl_sm_context): Drop "change" param.
        (impl_sm_context::get_fndecl_for_call): Drop "m_change".
        (impl_sm_context::on_transition): Drop ATTRIBUTE_UNUSED from
        "stmt" param.  Drop m_change.  Port from svalue_id to
        const svalue *.
        (impl_sm_context::warn_for_state): Drop m_change.  Port from
        svalue_id to const svalue *.
        (impl_sm_context::get_readable_tree): Rename to...
        (impl_sm_context::get_diagnostic_tree): ...this.  Port from
        svalue_id to const svalue *.
        (impl_sm_context::is_zero_assignment): New.
        (impl_sm_context::m_change): Delete field.
        (leak_stmt_finder::find_stmt): Handle m_var being NULL.
        (readability): Increase penalty for MEM_REF.  For SSA_NAMEs,
        slightly favor the underlying var over the SSA name.  Heavily
        penalize temporaries.  Handle RESULT_DECL.
        (readability_comparator): Make non-static.  Consider stack depths.
        (impl_region_model_context::on_state_leak): Convert from svalue_id
        to const svalue *, updating for region_model changes.  Use
        id_equal.
        (impl_region_model_context::on_inherited_svalue): Delete.
        (impl_region_model_context::on_cast): Delete.
        (impl_region_model_context::on_condition): Drop m_change.
        (impl_region_model_context::on_phi): Likewise.
        (impl_region_model_context::on_unexpected_tree_code): Handle t
        being NULL.
        (point_and_state::validate): Update stack checking for
        region_model changes.
        (eg_traits::dump_args_t::show_enode_details_p): New.
        (exploded_node::exploded_node): Initialize m_num_processed_stmts.
        (exploded_node::get_processed_stmt): New function.
        (exploded_node::get_dot_fillcolor): Add more colors.
        (exploded_node::dump_dot): Guard the printing of the point and
        state with show_enode_details_p.  Print the processed stmts for
        this enode after the initial state.
        (exploded_node::dump_to_pp): Pass true for new multiline param
        of program_state::dump_to_pp.
        (exploded_node::on_stmt): Drop "change" param.  Log the stmt.
        Set input_location.  Implement __analyzer_describe.  Update
        implementation of __analyzer_dump and __analyzer_eval.
        Remove purging of sm-state for unknown fncalls from here.
        (exploded_node::on_edge): Drop "change" param.
        (exploded_node::on_longjmp): Port from region_id/svalue_id to
        const region */const svalue *.  Call program_state::detect_leaks.
        Drop state_change.
        (exploded_node::detect_leaks): Update for changes to region_model.
        Call program_state::detect_leaks.
        (exploded_edge::exploded_edge): Drop ext_state and change params.
        (exploded_edge::dump_dot): "args" is no longer used.  Drop dumping
        of m_change.
        (exploded_graph::exploded_graph): Pass engine to
        m_diagnostic_manager ctor.  Use program_point::origin.
        (exploded_graph::add_function_entry): Drop ctxt.  Use
        program_state::push_frame.  Drop state_change.
        (exploded_graph::get_or_create_node): Drop "change" param.  Add
        "enode_for_diag" param.  Update dumping calls for API changes.
        Pass point to can_merge_with_p.  Show enode indices
        within -Wanalyzer-too-complex diagnostic for hitting the per-point
        limit.
        (exploded_graph::add_edge): Drop "change" param.  Log which nodes
        are being connected.  Update for changes to exploded_edge ctor.
        (exploded_graph::get_per_program_point_data): New.
        (exploded_graph::process_worklist): Pass point to
        can_merge_with_p.  Drop state_change.  Update dumping call for API
        change.
        (exploded_graph::process_node): Drop state_change.  Split the
        node in-place if an sm-state-change occurs.  Update
        m_num_processed_stmts.  Update dumping calls for API change.
        (exploded_graph::log_stats): Call engine::log_stats.
        (exploded_graph::dump_states_for_supernode): Update dumping
        call.
        (exploded_path::feasible_p): Add "eng" and "eg" params.
        Rename "i" to "end_idx".  Pass the manager to the region_model
        ctor.  Update for every processed stmt in the enode, not just the
        first.  Keep track of which snodes have been visited, and call
        loop_replay_fixup when revisiting one.
        (enode_label::get_text): Update dump call for new param.
        (exploded_graph::dump_exploded_nodes): Likewise.
        (exploded_graph::get_node_by_index): New.
        (impl_run_checkers): Create engine instance and pass its address
        to extrinsic_state ctor.
        * exploded-graph.h
        (impl_region_model_context::impl_region_model_context): Drop
        "change" params.
        (impl_region_model_context::void remap_svalue_ids): Delete.
        (impl_region_model_context::on_svalue_purge): Delete.
        (impl_region_model_context::on_svalue_leak): New.
        (impl_region_model_context::on_liveness_change): New.
        (impl_region_model_context::on_state_leak): Update signature.
        (impl_region_model_context::on_inherited_svalue): Delete.
        (impl_region_model_context::on_cast): Delete.
        (impl_region_model_context::on_unknown_change): Update signature.
        (impl_region_model_context::m_change): Delete.
        (eg_traits::dump_args_t::show_enode_details_p): New.
        (exploded_node::on_stmt): Drop "change" param.
        (exploded_node::on_edge): Likewise.
        (exploded_node::get_processed_stmt): New decl.
        (exploded_node::m_num_processed_stmts): New field.
        (exploded_edge::exploded_edge): Drop ext_state and change params.
        (exploded_edge::m_change): Delete.
        (exploded_graph::get_engine): New accessor.
        (exploded_graph::get_or_create_node): Drop "change" param.  Add
        "enode_for_diag" param.
        (exploded_graph::add_edge): Drop "change" param.
        (exploded_graph::get_per_program_point_data): New decl.
        (exploded_graph::get_node_by_index): New decl.
        (exploded_path::feasible_p): Add "eng" and "eg" params.
        * program-point.cc: Include "analyzer/store.h" before including
        "analyzer/region-model.h".
        (function_point::function_point): Move here from
        program-point.h.
        (function_point::get_function): Likewise.
        (function_point::from_function_entry): Likewise.
        (function_point::before_supernode): Likewise.
        (function_point::next_stmt): New function.
        * program-point.h (function_point::function_point): Move
        implementation from here to program-point.cc.
        (function_point::get_function): Likewise.
        (function_point::from_function_entry): Likewise.
        (function_point::before_supernode): Likewise.
        (function_point::next_stmt): New decl.
        (program_point::operator!=): New.
        (program_point::origin): New.
        (program_point::next_stmt): New.
        (program_point::m_function_point): Make non-const.
        * program-state.cc: Move includes of "analyzer/call-string.h" and
        "analyzer/program-point.h" to before "analyzer/region-model.h",
        and also include "analyzer/store.h" before it.
        (extrinsic_state::get_model_manager): New.
        (sm_state_map::sm_state_map): Pass in sm and sm_idx to ctor,
        rather than pass them around.
        (sm_state_map::clone_with_remapping): Delete.
        (sm_state_map::print): Remove "sm" param in favor of "m_sm".  Add
        "simple" and "multiline" params and support multiline vs single
        line dumping.
        (sm_state_map::dump): Remove "sm" param in favor of "m_sm".  Add
        "simple" param.
        (sm_state_map::hash): Port from svalue_id to const svalue *.
        (sm_state_map::operator==): Likewise.
        (sm_state_map::get_state): Likewise.  Call canonicalize_svalue on
        input.  Handle inheritance of sm-state.  Call get_default_state.
        (sm_state_map::get_origin): Port from svalue_id to const svalue *.
        (sm_state_map::set_state): Likewise.  Pass in ext_state.  Reject
        attempts to set state on UNKNOWN.
        (sm_state_map::impl_set_state): Port from svalue_id to
        const svalue *.  Pass in ext_state.  Call canonicalize_svalue on
        input.
        (sm_state_map::purge_for_unknown_fncall): Delete.
        (sm_state_map::on_svalue_leak): New.
        (sm_state_map::remap_svalue_ids): Delete.
        (sm_state_map::on_liveness_change): New.
        (sm_state_map::on_unknown_change): Reimplement.
        (sm_state_map::on_svalue_purge): Delete.
        (sm_state_map::on_inherited_svalue): Delete.
        (sm_state_map::on_cast): Delete.
        (sm_state_map::validate): Delete.
        (sm_state_map::canonicalize_svalue): New.
        (program_state::program_state): Update to pass manager to
        region_model's ctor.  Constify num_states and pass state machine
        and index to sm_state_map ctor.
        (program_state::print): Update for changes to dump API.
        (program_state::dump_to_pp): Ignore the summarize param.  Add
        "multiline" param.
        (program_state::dump_to_file): Add "multiline" param.
        (program_state::dump): Pass "true" for new "multiline" param.
        (program_state::push_frame): New.
        (program_state::on_edge): Drop "change" param.  Call
        program_state::detect_leaks.
        (program_state::prune_for_point): Add enode_for_diag param.
        Reimplement based on store class.  Call detect_leaks.
        (program_state::remap_svalue_ids): Delete.
        (program_state::get_representative_tree): Port from svalue_id to
        const svalue *.
        (program_state::can_merge_with_p): Add "point" param.  Add early
        reject for sm-differences.  Drop id remapping.
        (program_state::validate): Drop region model and sm_state_map
        validation.
        (state_change::sm_change::dump): Delete.
        (state_change::sm_change::remap_svalue_ids): Delete.
        (state_change::sm_change::on_svalue_purge): Delete.
        (log_set_of_svalues): New.
        (state_change::sm_change::validate): Delete.
        (state_change::state_change): Delete.
        (state_change::add_sm_change): Delete.
        (state_change::affects_p): Delete.
        (state_change::dump): Delete.
        (state_change::remap_svalue_ids): Delete.
        (state_change::on_svalue_purge): Delete.
        (state_change::validate): Delete.
        (selftest::assert_dump_eq): Delete.
        (ASSERT_DUMP_EQ): Delete.
        (selftest::test_sm_state_map): Update for changes to region_model
        and sm_state_map, porting from svalue_id to const svalue *.
        (selftest::test_program_state_dumping): Likewise.  Drop test of
        dumping, renaming to...
        (selftest::test_program_state_1): ...this.
        (selftest::test_program_state_dumping_2): Likewise, renaming to...
        (selftest::test_program_state_2): ...this.
        (selftest::test_program_state_merging): Update for changes to
        region_model.
        (selftest::test_program_state_merging_2): Likewise.
        (selftest::analyzer_program_state_cc_tests): Update for renamed
        tests.
        * program-state.h (extrinsic_state::extrinsic_state): Add logger
        and engine params.
        (extrinsic_state::get_logger): New accessor.
        (extrinsic_state::get_engine): New accessor.
        (extrinsic_state::get_model_manager): New accessor.
        (extrinsic_state::m_logger): New field.
        (extrinsic_state::m_engine): New field.
        (struct default_hash_traits<svalue_id>): Delete.
        (pod_hash_traits<svalue_id>::hash): Delete.
        (pod_hash_traits<svalue_id>::equal): Delete.
        (pod_hash_traits<svalue_id>::mark_deleted): Delete.
        (pod_hash_traits<svalue_id>::mark_empty): Delete.
        (pod_hash_traits<svalue_id>::is_deleted): Delete.
        (pod_hash_traits<svalue_id>::is_empty): Delete.
        (sm_state_map::entry_t::entry_t): Port from svalue_id to
        const svalue *.
        (sm_state_map::entry_t::m_origin): Likewise.
        (sm_state_map::map_t): Likewise.
        (sm_state_map::sm_state_map): Add state_machine and index params.
        (sm_state_map::clone_with_remapping): Delete.
        (sm_state_map::print): Drop sm param; add simple and multiline
        params.
        (sm_state_map::dump): Drop sm param; add simple param.
        (sm_state_map::get_state): Port from svalue_id to const svalue *.
        Add ext_state param.
        (sm_state_map::get_origin): Likewise.
        (sm_state_map::set_state): Likewise.
        (sm_state_map::impl_set_state): Likewise.
        (sm_state_map::purge_for_unknown_fncall): Delete.
        (sm_state_map::remap_svalue_ids): Delete.
        (sm_state_map::on_svalue_purge): Delete.
        (sm_state_map::on_svalue_leak): New.
        (sm_state_map::on_liveness_change): New.
        (sm_state_map::on_inherited_svalue): Delete.
        (sm_state_map::on_cast): Delete.
        (sm_state_map::validate): Delete.
        (sm_state_map::on_unknown_change): Port from svalue_id to
        const svalue *.  Add is_mutable and ext_state params.
        (sm_state_map::canonicalize_svalue): New.
        (sm_state_map::m_sm): New field.
        (sm_state_map::m_sm_idx): New field.
        (program_state::operator=): Delete.
        (program_state::dump_to_pp): Drop "summarize" param, adding
        "simple" and "multiline".
        (program_state::dump_to_file): Likewise.
        (program_state::dump): Rename "summarize" to "simple".
        (program_state::push_frame): New.
        (program_state::get_current_function): New.
        (program_state::on_edge): Drop "change" param.
        (program_state::prune_for_point): Likewise.  Add enode_for_diag
        param.
        (program_state::remap_svalue_ids): Delete.
        (program_state::get_representative_tree): Port from svalue_id to
        const svalue *.
        (program_state::can_purge_p): Likewise.  Pass ext_state to get_state.
        (program_state::can_merge_with_p): Add point param.
        (program_state::detect_leaks): New.
        (state_change_visitor::on_state_change): Port from tree and
        svalue_id to a pair of const svalue *.
        (class state_change): Delete.
        * region.cc: New file.
        * region-model-impl-calls.cc: New file.
        * region-model-manager.cc: New file.
        * region-model-reachability.cc: New file.
        * region-model-reachability.h: New file.
        * region-model.cc: Include "analyzer/call-string.h",
        "analyzer/program-point.h", and "analyzer/store.h" before
        "analyzer/region-model.h".  Include
        "analyzer/region-model-reachability.h".
        (dump_tree): Make non-static.
        (dump_quoted_tree): Make non-static.
        (print_quoted_type): Make non-static.
        (path_var::dump): Delete.
        (dump_separator): Delete.
        (class impl_constraint_manager): Delete.
        (svalue_id::print): Delete.
        (svalue_id::dump_node_name_to_pp): Delete.
        (svalue_id::validate): Delete.
        (region_id::print): Delete.
        (region_id::dump_node_name_to_pp): Delete.
        (region_id::validate): Delete.
        (region_id_set::region_id_set): Delete.
        (svalue_id_set::svalue_id_set): Delete.
        (svalue::operator==): Delete.
        (svalue::hash): Delete.
        (svalue::print): Delete.
        (svalue::dump_dot_to_pp): Delete.
        (svalue::remap_region_ids): Delete.
        (svalue::walk_for_canonicalization): Delete.
        (svalue::get_child_sid): Delete.
        (svalue::maybe_get_constant): Delete.
        (region_svalue::compare_fields): Delete.
        (region_svalue::add_to_hash): Delete.
        (region_svalue::print_details): Delete.
        (region_svalue::dump_dot_to_pp): Delete.
        (region_svalue::remap_region_ids): Delete.
        (region_svalue::merge_values): Delete.
        (region_svalue::walk_for_canonicalization): Delete.
        (region_svalue::eval_condition): Delete.
10565         (constant_svalue::compare_fields): Delete.
10566         (constant_svalue::add_to_hash): Delete.
10567         (constant_svalue::merge_values): Delete.
10568         (constant_svalue::eval_condition): Move to svalue.cc.
10569         (constant_svalue::print_details): Delete.
10570         (constant_svalue::get_child_sid): Delete.
10571         (unknown_svalue::compare_fields): Delete.
10572         (unknown_svalue::add_to_hash): Delete.
10573         (unknown_svalue::print_details): Delete.
10574         (poison_kind_to_str): Move to svalue.cc.
10575         (poisoned_svalue::compare_fields): Delete.
10576         (poisoned_svalue::add_to_hash): Delete.
10577         (poisoned_svalue::print_details): Delete.
10578         (region_kind_to_str): Move to region.cc and reimplement.
10579         (region::operator==): Delete.
10580         (region::get_parent_region): Delete.
10581         (region::set_value): Delete.
10582         (region::become_active_view): Delete.
10583         (region::deactivate_any_active_view): Delete.
10584         (region::deactivate_view): Delete.
10585         (region::get_value): Delete.
10586         (region::get_inherited_child_sid): Delete.
10587         (region_model::copy_region): Delete.
10588         (region_model::copy_struct_region): Delete.
10589         (region_model::copy_union_region): Delete.
10590         (region_model::copy_array_region): Delete.
10591         (region::hash): Delete.
10592         (region::print): Delete.
10593         (region::dump_dot_to_pp): Delete.
10594         (region::dump_to_pp): Delete.
10595         (region::dump_child_label): Delete.
10596         (region::validate): Delete.
10597         (region::remap_svalue_ids): Delete.
10598         (region::remap_region_ids): Delete.
10599         (region::add_view): Delete.
10600         (region::get_view): Delete.
10601         (region::region): Move to region.cc.
10602         (region::add_to_hash): Delete.
10603         (region::print_fields): Delete.
10604         (region::non_null_p): Delete.
10605         (primitive_region::clone): Delete.
10606         (primitive_region::walk_for_canonicalization): Delete.
10607         (map_region::map_region): Delete.
10608         (map_region::compare_fields): Delete.
10609         (map_region::print_fields): Delete.
10610         (map_region::validate): Delete.
10611         (map_region::dump_dot_to_pp): Delete.
10612         (map_region::dump_child_label): Delete.
10613         (map_region::get_or_create): Delete.
10614         (map_region::get): Delete.
10615         (map_region::add_to_hash): Delete.
10616         (map_region::remap_region_ids): Delete.
10617         (map_region::unbind): Delete.
10618         (map_region::get_tree_for_child_region): Delete.
10619         (map_region::get_tree_for_child_region): Delete.
10620         (tree_cmp): Move to region.cc.
10621         (map_region::can_merge_p): Delete.
10622         (map_region::walk_for_canonicalization): Delete.
10623         (map_region::get_value_by_name): Delete.
10624         (struct_or_union_region::valid_key_p): Delete.
10625         (struct_or_union_region::compare_fields): Delete.
10626         (struct_region::clone): Delete.
10627         (struct_region::compare_fields): Delete.
10628         (union_region::clone): Delete.
10629         (union_region::compare_fields): Delete.
10630         (frame_region::compare_fields): Delete.
10631         (frame_region::clone): Delete.
10632         (frame_region::valid_key_p): Delete.
10633         (frame_region::print_fields): Delete.
10634         (frame_region::add_to_hash): Delete.
10635         (globals_region::compare_fields): Delete.
10636         (globals_region::clone): Delete.
10637         (globals_region::valid_key_p): Delete.
10638         (code_region::compare_fields): Delete.
10639         (code_region::clone): Delete.
10640         (code_region::valid_key_p): Delete.
10641         (array_region::array_region): Delete.
10642         (array_region::get_element): Delete.
10643         (array_region::clone): Delete.
10644         (array_region::compare_fields): Delete.
10645         (array_region::print_fields): Delete.
10646         (array_region::validate): Delete.
10647         (array_region::dump_dot_to_pp): Delete.
10648         (array_region::dump_child_label): Delete.
10649         (array_region::get_or_create): Delete.
10650         (array_region::get): Delete.
10651         (array_region::add_to_hash): Delete.
10652         (array_region::remap_region_ids): Delete.
10653         (array_region::get_key_for_child_region): Delete.
10654         (array_region::key_cmp): Delete.
10655         (array_region::walk_for_canonicalization): Delete.
10656         (array_region::key_from_constant): Delete.
10657         (array_region::constant_from_key): Delete.
10658         (function_region::compare_fields): Delete.
10659         (function_region::clone): Delete.
10660         (function_region::valid_key_p): Delete.
10661         (stack_region::stack_region): Delete.
10662         (stack_region::compare_fields): Delete.
10663         (stack_region::clone): Delete.
10664         (stack_region::print_fields): Delete.
10665         (stack_region::dump_child_label): Delete.
10666         (stack_region::validate): Delete.
10667         (stack_region::push_frame): Delete.
10668         (stack_region::get_current_frame_id): Delete.
10669         (stack_region::pop_frame): Delete.
10670         (stack_region::add_to_hash): Delete.
10671         (stack_region::remap_region_ids): Delete.
10672         (stack_region::can_merge_p): Delete.
10673         (stack_region::walk_for_canonicalization): Delete.
10674         (stack_region::get_value_by_name): Delete.
10675         (heap_region::heap_region): Delete.
10676         (heap_region::compare_fields): Delete.
10677         (heap_region::clone): Delete.
10678         (heap_region::walk_for_canonicalization): Delete.
10679         (root_region::root_region): Delete.
10680         (root_region::compare_fields): Delete.
10681         (root_region::clone): Delete.
10682         (root_region::print_fields): Delete.
10683         (root_region::validate): Delete.
10684         (root_region::dump_child_label): Delete.
10685         (root_region::push_frame): Delete.
10686         (root_region::get_current_frame_id): Delete.
10687         (root_region::pop_frame): Delete.
10688         (root_region::ensure_stack_region): Delete.
10689         (root_region::get_stack_region): Delete.
10690         (root_region::ensure_globals_region): Delete.
10691         (root_region::get_code_region): Delete.
10692         (root_region::ensure_code_region): Delete.
10693         (root_region::get_globals_region): Delete.
10694         (root_region::ensure_heap_region): Delete.
10695         (root_region::get_heap_region): Delete.
10696         (root_region::remap_region_ids): Delete.
10697         (root_region::can_merge_p): Delete.
10698         (root_region::add_to_hash): Delete.
10699         (root_region::walk_for_canonicalization): Delete.
10700         (root_region::get_value_by_name): Delete.
10701         (symbolic_region::symbolic_region): Delete.
10702         (symbolic_region::compare_fields): Delete.
10703         (symbolic_region::clone): Delete.
10704         (symbolic_region::walk_for_canonicalization): Delete.
10705         (symbolic_region::print_fields): Delete.
10706         (region_model::region_model): Add region_model_manager * param.
10707         Reimplement in terms of store, dropping impl_constraint_manager
10708         subclass.
10709         (region_model::operator=): Reimplement in terms of store.
10710         (region_model::operator==): Likewise.
10711         (region_model::hash): Likewise.
10712         (region_model::print): Delete.
10713         (region_model::print_svalue): Delete.
10714         (region_model::dump_dot_to_pp): Delete.
10715         (region_model::dump_dot_to_file): Delete.
10716         (region_model::dump_dot): Delete.
10717         (region_model::dump_to_pp): Replace "summarize" param with
10718         "simple" and "multiline".  Port to store-based implementation.
10719         (region_model::dump): Replace "summarize" param with "simple" and
10720         "multiline".
10721         (dump_vec_of_tree): Delete.
10722         (region_model::dump_summary_of_rep_path_vars): Delete.
10723         (region_model::validate): Delete.
10724         (svalue_id_cmp_by_constant_svalue_model): Delete.
10725         (svalue_id_cmp_by_constant_svalue): Delete.
10726         (region_model::canonicalize): Drop "ctxt" param.  Reimplement in
10727         terms of store and constraints.
10728         (region_model::canonicalized_p): Remove NULL arg to canonicalize.
10729         (region_model::loop_replay_fixup): New.
10730         (poisoned_value_diagnostic::emit): Tweak wording of warnings.
10731         (region_model::check_for_poison): Delete.
10732         (region_model::get_gassign_result): New.
10733         (region_model::on_assignment): Port to store-based implementation.
10734         (region_model::on_call_pre): Delete calls to check_for_poison.
10735         Move implementations to region-model-impl-calls.c and port to
10736         store-based implementation.
10737         (region_model::on_call_post): Likewise.
10738         (class reachable_regions): Move to region-model-reachability.h/cc
10739         and port to store-based implementation.
10740         (region_model::handle_unrecognized_call): Port to store-based
10741         implementation.
10742         (region_model::get_reachable_svalues): New.
10743         (region_model::on_setjmp): Port to store-based implementation.
10744         (region_model::on_longjmp): Likewise.
10745         (region_model::handle_phi): Drop is_back_edge param and the logic
10746         using it.
10747         (region_model::get_lvalue_1): Port from region_id to const region *.
10748         (region_model::make_region_for_unexpected_tree_code): Delete.
10749         (assert_compat_types): If the check fails, use internal_error to
10750         show the types.
10751         (region_model::get_lvalue): Port from region_id to const region *.
10752         (region_model::get_rvalue_1): Port from svalue_id to const svalue *.
10753         (region_model::get_rvalue): Likewise.
10754         (region_model::get_or_create_ptr_svalue): Delete.
10755         (region_model::get_or_create_constant_svalue): Delete.
10756         (region_model::get_svalue_for_fndecl): Delete.
10757         (region_model::get_region_for_fndecl): Delete.
10758         (region_model::get_svalue_for_label): Delete.
10759         (region_model::get_region_for_label): Delete.
10760         (build_cast): Delete.
10761         (region_model::maybe_cast_1): Delete.
10762         (region_model::maybe_cast): Delete.
10763         (region_model::get_field_region): Delete.
10764         (region_model::get_store_value): New.
10765         (region_model::region_exists_p): New.
10766         (region_model::deref_rvalue): Port from svalue_id to const svalue *.
10767         (region_model::set_value): Likewise.
10768         (region_model::clobber_region): New.
10769         (region_model::purge_region): New.
10770         (region_model::zero_fill_region): New.
10771         (region_model::mark_region_as_unknown): New.
10772         (region_model::eval_condition): Port from svalue_id to
10773         const svalue *.
10774         (region_model::eval_condition_without_cm): Likewise.
10775         (region_model::compare_initial_and_pointer): New.
10776         (region_model::add_constraint): Port from svalue_id to
10777         const svalue *.
10778         (region_model::maybe_get_constant): Delete.
10779         (region_model::get_representative_path_var): New.
10780         (region_model::add_new_malloc_region): Delete.
10781         (region_model::get_representative_tree): Port to const svalue *.
10782         (region_model::get_representative_path_var): Port to
10783         const region *.
10784         (region_model::get_path_vars_for_svalue): Delete.
10785         (region_model::set_to_new_unknown_value): Delete.
10786         (region_model::update_for_phis): Don't pass is_back_edge to handle_phi.
10787         (region_model::update_for_call_superedge): Port from svalue_id to
10788         const svalue *.
10789         (region_model::update_for_return_superedge): Port to store-based
10790         implementation.
10791         (region_model::update_for_call_summary): Replace
10792         set_to_new_unknown_value with mark_region_as_unknown.
10793         (region_model::get_root_region): Delete.
10794         (region_model::get_stack_region_id): Delete.
10795         (region_model::push_frame): Delete.
10796         (region_model::get_current_frame_id): Delete.
10797         (region_model::get_current_function): Delete.
10798         (region_model::pop_frame): Delete.
10799         (region_model::on_top_level_param): New.
10800         (region_model::get_stack_depth): Delete.
10801         (region_model::get_function_at_depth): Delete.
10802         (region_model::get_globals_region_id): Delete.
10803         (region_model::add_svalue): Delete.
10804         (region_model::replace_svalue): Delete.
10805         (region_model::add_region): Delete.
10806         (region_model::get_svalue): Delete.
10807         (region_model::get_region): Delete.
10808         (make_region_for_type): Delete.
10809         (region_model::add_region_for_type): Delete.
10810         (region_model::on_top_level_param): New.
10811         (class restrict_to_used_svalues): Delete.
10812         (region_model::purge_unused_svalues): Delete.
10813         (region_model::push_frame): New.
10814         (region_model::remap_svalue_ids): Delete.
10815         (region_model::remap_region_ids): Delete.
10816         (region_model::purge_regions): Delete.
10817         (region_model::get_descendents): Delete.
10818         (region_model::delete_region_and_descendents): Delete.
10819         (region_model::poison_any_pointers_to_bad_regions): Delete.
10820         (region_model::can_merge_with_p): Delete.
10821         (region_model::get_current_function): New.
10822         (region_model::get_value_by_name): Delete.
10823         (region_model::convert_byte_offset_to_array_index): Delete.
10824         (region_model::pop_frame): New.
10825         (region_model::get_or_create_mem_ref): Delete.
10826         (region_model::get_stack_depth): New.
10827         (region_model::get_frame_at_index): New.
10828         (region_model::unbind_region_and_descendents): New.
10829         (struct bad_pointer_finder): New.
10830         (region_model::get_or_create_pointer_plus_expr): Delete.
10831         (region_model::poison_any_pointers_to_descendents): New.
10832         (region_model::get_or_create_view): Delete.
10833         (region_model::can_merge_with_p): New.
10834         (region_model::get_fndecl_for_call): Port from svalue_id to
10835         const svalue *.
10836         (struct append_ssa_names_cb_data): New.
10837         (get_ssa_name_regions_for_current_frame): New.
10838         (region_model::append_ssa_names_cb): New.
10839         (model_merger::dump_to_pp): Add "simple" param.  Drop dumping of
10840         remappings.
10841         (model_merger::dump): Add "simple" param to both overloads.
10842         (model_merger::can_merge_values_p): Delete.
10843         (model_merger::record_regions): Delete.
10844         (model_merger::record_svalues): Delete.
10845         (svalue_id_merger_mapping::svalue_id_merger_mapping): Delete.
10846         (svalue_id_merger_mapping::dump_to_pp): Delete.
10847         (svalue_id_merger_mapping::dump): Delete.
10848         (region_model::create_region_for_heap_alloc): New.
10849         (region_model::create_region_for_alloca): New.
10850         (region_model::record_dynamic_extents): New.
10851         (canonicalization::canonicalization): Delete.
10852         (canonicalization::walk_rid): Delete.
10853         (canonicalization::walk_sid): Delete.
10854         (canonicalization::dump_to_pp): Delete.
10855         (canonicalization::dump): Delete.
10856         (inchash::add): Delete overloads for svalue_id and region_id.
10857         (engine::log_stats): New.
10858         (assert_condition): Add overload comparing svalues.
10859         (assert_dump_eq): Pass "true" for multiline.
10860         (selftest::test_dump): Update for rewrite of region_model.
10861         (selftest::test_dump_2): Rename to...
10862         (selftest::test_struct): ...this.  Provide a region_model_manager
10863         when creating region_model instance.  Remove dump test.  Add
10864         checks for get_offset.
10865         (selftest::test_dump_3): Rename to...
10866         (selftest::test_array_1): ...this.  Provide a region_model_manager
10867         when creating region_model instance.  Remove dump test.
10868         (selftest::test_get_representative_tree): Port from svalue_id to
10869         new API.  Add test coverage for various expressions.
10870         (selftest::test_unique_constants): Provide a region_model_manager
10871         for the region_model.  Add test coverage for comparing const vs
10872         non-const.
10873         (selftest::test_svalue_equality): Delete.
10874         (selftest::test_region_equality): Delete.
10875         (selftest::test_unique_unknowns): New.
10876         (class purge_all_svalue_ids): Delete.
10877         (class purge_one_svalue_id): Delete.
10878         (selftest::test_purging_by_criteria): Delete.
10879         (selftest::test_initial_svalue_folding): New.
10880         (selftest::test_unaryop_svalue_folding): New.
10881         (selftest::test_binop_svalue_folding): New.
10882         (selftest::test_sub_svalue_folding): New.
10883         (selftest::test_purge_unused_svalues): Delete.
10884         (selftest::test_descendent_of_p): New.
10885         (selftest::test_assignment): Provide a region_model_manager for
10886         the region_model.  Drop the dump test.
10887         (selftest::test_compound_assignment): Likewise.
10888         (selftest::test_stack_frames): Port to new implementation.
10889         (selftest::test_get_representative_path_var): Likewise.
10890         (selftest::test_canonicalization_1): Rename to...
10891         (selftest::test_equality_1): ...this.  Port to new API, and add
10892         (selftest::test_canonicalization_2): Provide a
10893         region_model_manager when creating region_model instances.
10894         Remove redundant canonicalization.
10895         (selftest::test_canonicalization_3): Provide a
10896         region_model_manager when creating region_model instances.
10897         Remove param from calls to region_model::canonicalize.
10898         (selftest::test_canonicalization_4): Likewise.
10899         (selftest::assert_region_models_merge): Constify
10900         out_merged_svalue.  Port to new API.
10901         (selftest::test_state_merging): Provide a
10902         region_model_manager when creating region_model instances.
10903         Provide a program_point point when merging them.  Replace
10904         set_to_new_unknown_value with usage of placeholder_svalues.
10905         Drop get_value_by_name.  Port from svalue_id to const svalue *.
10906         Add test of heap allocation.
10907         (selftest::test_constraint_merging): Provide a
10908         region_model_manager when creating region_model instances.
10909         Provide a program_point point when merging them.  Eliminate use
10910         of set_to_new_unknown_value.
10911         (selftest::test_widening_constraints): New.
10912         (selftest::test_iteration_1): New.
10913         (selftest::test_malloc_constraints): Port to store-based
10914         implementation.
10915         (selftest::test_var): New test.
10916         (selftest::test_array_2): New test.
10917         (selftest::test_mem_ref): New test.
10918         (selftest::test_POINTER_PLUS_EXPR_then_MEM_REF): New.
10919         (selftest::test_malloc): New.
10920         (selftest::test_alloca): New.
10921         (selftest::analyzer_region_model_cc_tests): Update for renamings.
10922         Call new functions.
10923         * region-model.h (class path_var): Move to analyzer.h.
10924         (class svalue_id): Delete.
10925         (class region_id): Delete.
10926         (class id_map): Delete.
10927         (svalue_id_map): Delete.
10928         (region_id_map): Delete.
10929         (id_map<T>::id_map): Delete.
10930         (id_map<T>::put): Delete.
10931         (id_map<T>::get_dst_for_src): Delete.
10932         (id_map<T>::get_src_for_dst): Delete.
10933         (id_map<T>::dump_to_pp): Delete.
10934         (id_map<T>::dump): Delete.
10935         (id_map<T>::update): Delete.
10936         (one_way_svalue_id_map): Delete.
10937         (one_way_region_id_map): Delete.
10938         (class region_id_set): Delete.
10939         (class svalue_id_set): Delete.
10940         (struct complexity): New.
10941         (class visitor): New.
10942         (enum svalue_kind): Add SK_SETJMP, SK_INITIAL, SK_UNARYOP,
10943         SK_BINOP, SK_SUB, SK_UNMERGEABLE, SK_PLACEHOLDER, SK_WIDENING,
10944         SK_COMPOUND, and SK_CONJURED.
10945         (svalue::operator==): Delete.
10946         (svalue::operator!=): Delete.
10947         (svalue::clone): Delete.
10948         (svalue::hash): Delete.
10949         (svalue::dump_dot_to_pp): Delete.
10950         (svalue::dump_to_pp): New.
10951         (svalue::dump): New.
10952         (svalue::get_desc): New.
10953         (svalue::dyn_cast_initial_svalue): New.
10954         (svalue::dyn_cast_unaryop_svalue): New.
10955         (svalue::dyn_cast_binop_svalue): New.
10956         (svalue::dyn_cast_sub_svalue): New.
10957         (svalue::dyn_cast_unmergeable_svalue): New.
10958         (svalue::dyn_cast_widening_svalue): New.
10959         (svalue::dyn_cast_compound_svalue): New.
10960         (svalue::dyn_cast_conjured_svalue): New.
10961         (svalue::maybe_undo_cast): New.
10962         (svalue::unwrap_any_unmergeable): New.
10963         (svalue::remap_region_ids): Delete.
10964         (svalue::can_merge_p): New.
10965         (svalue::walk_for_canonicalization): Delete.
10966         (svalue::get_complexity): New.
10967         (svalue::get_child_sid): Delete.
10968         (svalue::accept): New.
10969         (svalue::live_p): New.
10970         (svalue::implicitly_live_p): New.
10971         (svalue::svalue): Add complexity param.
10972         (svalue::add_to_hash): Delete.
10973         (svalue::print_details): Delete.
10974         (svalue::m_complexity): New field.
10975         (region_svalue::key_t): New struct.
10976         (region_svalue::region_svalue): Port from region_id to
10977         const region_id *.  Add complexity.
10978         (region_svalue::compare_fields): Delete.
10979         (region_svalue::clone): Delete.
10980         (region_svalue::dump_dot_to_pp): Delete.
10981         (region_svalue::get_pointee): Port from region_id to
10982         const region_id *.
10983         (region_svalue::remap_region_ids): Delete.
10984         (region_svalue::merge_values): Delete.
10985         (region_svalue::dump_to_pp): New.
10986         (region_svalue::accept): New.
10987         (region_svalue::walk_for_canonicalization): Delete.
10988         (region_svalue::eval_condition): Make params const.
10989         (region_svalue::add_to_hash): Delete.
10990         (region_svalue::print_details): Delete.
10991         (region_svalue::m_rid): Replace with...
10992         (region_svalue::m_reg): ...this.
10993         (is_a_helper <region_svalue *>::test): Convert to...
10994         (is_a_helper <const region_svalue *>::test): ...this.
10995         (template <> struct default_hash_traits<region_svalue::key_t>):
10996         New.
10997         (constant_svalue::constant_svalue): Add complexity.
10998         (constant_svalue::compare_fields): Delete.
10999         (constant_svalue::clone): Delete.
11000         (constant_svalue::add_to_hash): Delete.
11001         (constant_svalue::dump_to_pp): New.
11002         (constant_svalue::accept): New.
11003         (constant_svalue::implicitly_live_p): New.
11004         (constant_svalue::merge_values): Delete.
11005         (constant_svalue::eval_condition): Make params const.
11006         (constant_svalue::get_child_sid): Delete.
11007         (constant_svalue::print_details): Delete.
11008         (is_a_helper <constant_svalue *>::test): Convert to...
11009         (is_a_helper <const constant_svalue *>::test): ...this.
11010         (class unknown_svalue): Update leading comment.
11011         (unknown_svalue::unknown_svalue): Add complexity.
11012         (unknown_svalue::compare_fields): Delete.
11013         (unknown_svalue::add_to_hash): Delete.
11014         (unknown_svalue::dyn_cast_unknown_svalue): Delete.
11015         (unknown_svalue::print_details): Delete.
11016         (unknown_svalue::dump_to_pp): New.
11017         (unknown_svalue::accept): New.
11018         (poisoned_svalue::key_t): New struct.
11019         (poisoned_svalue::poisoned_svalue): Add complexity.
11020         (poisoned_svalue::compare_fields): Delete.
11021         (poisoned_svalue::clone): Delete.
11022         (poisoned_svalue::add_to_hash): Delete.
11023         (poisoned_svalue::dump_to_pp): New.
11024         (poisoned_svalue::accept): New.
11025         (poisoned_svalue::print_details): Delete.
11026         (is_a_helper <poisoned_svalue *>::test): Convert to...
11027         (is_a_helper <const poisoned_svalue *>::test): ...this.
11028         (template <> struct default_hash_traits<poisoned_svalue::key_t>):
11029         New.
11030         (setjmp_record::add_to_hash): New.
11031         (setjmp_svalue::key_t): New struct.
11032         (setjmp_svalue::compare_fields): Delete.
11033         (setjmp_svalue::clone): Delete.
11034         (setjmp_svalue::add_to_hash): Delete.
11035         (setjmp_svalue::setjmp_svalue): Add complexity.
11036         (setjmp_svalue::dump_to_pp): New.
11037         (setjmp_svalue::accept): New.
11038         (setjmp_svalue::print_details): Delete.
11039         (is_a_helper <const setjmp_svalue *>::test): New.
11040         (template <> struct default_hash_traits<setjmp_svalue::key_t>): New.
11041         (class initial_svalue : public svalue): New.
11042         (is_a_helper <const initial_svalue *>::test): New.
11043         (class unaryop_svalue): New.
11044         (is_a_helper <const unaryop_svalue *>::test): New.
11045         (template <> struct default_hash_traits<unaryop_svalue::key_t>): New.
11046         (class binop_svalue): New.
11047         (is_a_helper <const binop_svalue *>::test): New.
11048         (template <> struct default_hash_traits<binop_svalue::key_t>): New.
11049         (class sub_svalue): New.
11050         (is_a_helper <const sub_svalue *>::test): New.
11051         (template <> struct default_hash_traits<sub_svalue::key_t>): New.
11052         (class unmergeable_svalue): New.
11053         (is_a_helper <const unmergeable_svalue *>::test): New.
11054         (class placeholder_svalue): New.
11055         (is_a_helper <placeholder_svalue *>::test): New.
11056         (class widening_svalue): New.
11057         (is_a_helper <widening_svalue *>::test): New.
11058         (template <> struct default_hash_traits<widening_svalue::key_t>): New.
11059         (class compound_svalue): New.
11060         (is_a_helper <compound_svalue *>::test): New.
11061         (template <> struct default_hash_traits<compound_svalue::key_t>): New.
11062         (class conjured_svalue): New.
11063         (is_a_helper <conjured_svalue *>::test): New.
11064         (template <> struct default_hash_traits<conjured_svalue::key_t>): New.
11065         (enum region_kind): Delete RK_PRIMITIVE, RK_STRUCT, RK_UNION, and
11066         RK_ARRAY.  Add RK_LABEL, RK_DECL, RK_FIELD, RK_ELEMENT, RK_OFFSET,
11067         RK_CAST, RK_HEAP_ALLOCATED, RK_ALLOCA, RK_STRING, and RK_UNKNOWN.
11068         (region_kind_to_str): Delete.
11069         (region::~region): Move implementation to region.cc.
11070         (region::operator==): Delete.
11071         (region::operator!=): Delete.
11072         (region::clone): Delete.
11073         (region::get_id): New.
11074         (region::cmp_ids): New.
11075         (region::dyn_cast_map_region): Delete.
11076         (region::dyn_cast_array_region): Delete.
11077         (region::get_parent): Delete.
11078         (region::get_parent_region): Convert to a simple accessor.
11079         (region::set_value): Delete.
11080         (region::get_value): Delete.
11081         (region::get_value_direct): Delete.
11082         (region::get_inherited_child_sid): Delete.
11083         (region::dyn_cast_frame_region): New.
11084         (region::dyn_cast_function_region): New.
11085         (region::dyn_cast_decl_region): New.
11086         (region::dyn_cast_field_region): New.
11087         (region::dyn_cast_element_region): New.
11088         (region::dyn_cast_offset_region): New.
11089         (region::dyn_cast_cast_region): New.
11090         (region::dyn_cast_string_region): New.
11091         (region::accept): New.
11092         (region::get_base_region): New.
11093         (region::base_region_p): New.
11094         (region::descendent_of_p): New.
11095         (region::maybe_get_frame_region): New.
11096         (region::maybe_get_decl): New.
11097         (region::hash): Delete.
11098         (region::print): Delete.
11099         (region::dump_dot_to_pp): Delete.
11100         (region::get_desc): New.
11101         (region::dump_to_pp): Convert to vfunc, changing signature.
11102         (region::dump_child_label): Delete.
11103         (region::remap_svalue_ids): Delete.
11104         (region::remap_region_ids): Delete.
11105         (region::dump): New.
11106         (region::walk_for_canonicalization): Delete.
11107         (region::non_null_p): Drop region_model param.
11108         (region::add_view): Delete.
11109         (region::get_view): Delete.
11110         (region::get_active_view): Delete.
11111         (region::is_view_p): Delete.
11112         (region::cmp_ptrs): New.
11113         (region::validate): Delete.
11114         (region::get_offset): New.
11115         (region::get_byte_size): New.
11116         (region::get_bit_size): New.
11117         (region::get_subregions_for_binding): New.
11118         (region::region): Add complexity param.  Convert parent from
11119         region_id to const region *.  Drop svalue_id.  Drop copy ctor.
11120         (region::symbolic_for_unknown_ptr_p): New.
11121         (region::add_to_hash): Delete.
11122         (region::print_fields): Delete.
11123         (region::get_complexity): New accessor.
11124         (region::become_active_view): Delete.
11125         (region::deactivate_any_active_view): Delete.
11126         (region::deactivate_view): Delete.
11127         (region::calc_offset): New.
11128         (region::m_parent_rid): Delete.
11129         (region::m_sval_id): Delete.
11130         (region::m_complexity): New.
11131         (region::m_id): New.
11132         (region::m_parent): New.
11133         (region::m_view_rids): Delete.
11134         (region::m_is_view): Delete.
11135         (region::m_active_view_rid): Delete.
11136         (region::m_cached_offset): New.
11137         (is_a_helper <region *>::test): Convert to...
11138         (is_a_helper <const region *>::test): ... this.
11139         (class primitive_region): Delete.
11140         (class space_region): New.
11141         (class map_region): Delete.
11142         (is_a_helper <map_region *>::test): Delete.
11143         (class frame_region): Reimplement.
11144         (template <> struct default_hash_traits<frame_region::key_t>):
11145         New.
11146         (class globals_region): Reimplement.
11147         (is_a_helper <globals_region *>::test): Convert to...
11148         (is_a_helper <const globals_region *>::test): ...this.
11149         (class struct_or_union_region): Delete.
11150         (is_a_helper <struct_or_union_region *>::test): Delete.
11151         (class code_region): Reimplement.
11152         (is_a_helper <const code_region *>::test): New.
11153         (class struct_region): Delete.
11154         (is_a_helper <struct_region *>::test): Delete.
11155         (class function_region): Reimplement.
11156         (is_a_helper <function_region *>::test): Convert to...
11157         (is_a_helper <const function_region *>::test): ...this.
11158         (class union_region): Delete.
11159         (is_a_helper <union_region *>::test): Delete.
11160         (class label_region): New.
11161         (is_a_helper <const label_region *>::test): New.
11162         (class scope_region): Delete.
11163         (class stack_region): Reimplement.
11164         (is_a_helper <stack_region *>::test): Convert to...
11165         (is_a_helper <const stack_region *>::test): ...this.
11166         (class heap_region): Reimplement.
11167         (is_a_helper <heap_region *>::test): Convert to...
11168         (is_a_helper <const heap_region *>::test): ...this.
11169         (class root_region): Reimplement.
11170         (is_a_helper <root_region *>::test): Convert to...
11171         (is_a_helper <const root_region *>::test): ...this.
11172         (class symbolic_region): Reimplement.
11173         (is_a_helper <const symbolic_region *>::test): New.
11174         (template <> struct default_hash_traits<symbolic_region::key_t>):
11175         New.
11176         (class decl_region): New.
11177         (is_a_helper <const decl_region *>::test): New.
11178         (class field_region): New.
11179         (template <> struct default_hash_traits<field_region::key_t>): New.
11180         (class array_region): Delete.
11181         (class element_region): New.
11182         (is_a_helper <array_region *>::test): Delete.
11183         (is_a_helper <const element_region *>::test): New.
11184         (template <> struct default_hash_traits<element_region::key_t>):
11185         New.
11186         (class offset_region): New.
11187         (is_a_helper <const offset_region *>::test): New.
11188         (template <> struct default_hash_traits<offset_region::key_t>):
11189         New.
11190         (class cast_region): New.
11191         (is_a_helper <const cast_region *>::test): New.
11192         (template <> struct default_hash_traits<cast_region::key_t>): New.
11193         (class heap_allocated_region): New.
11194         (class alloca_region): New.
11195         (class string_region): New.
11196         (is_a_helper <const string_region *>::test): New.
11197         (class unknown_region): New.
11198         (class region_model_manager): New.
11199         (struct append_ssa_names_cb_data): New.
11200         (class call_details): New.
11201         (region_model::region_model): Add region_model_manager param.
11202         (region_model::print_svalue): Delete.
11203         (region_model::dump_dot_to_pp): Delete.
11204         (region_model::dump_dot_to_file): Delete.
11205         (region_model::dump_dot): Delete.
11206         (region_model::dump_to_pp): Drop summarize param in favor of
11207         simple and multiline.
11208         (region_model::dump): Likewise.
11209         (region_model::summarize_to_pp): Delete.
11210         (region_model::summarize): Delete.
11211         (region_model::void canonicalize): Drop ctxt param.
11212         (region_model::void check_for_poison): Delete.
11213         (region_model::get_gassign_result): New.
11214         (region_model::impl_call_alloca): New.
11215         (region_model::impl_call_analyzer_describe): New.
11216         (region_model::impl_call_analyzer_eval): New.
11217         (region_model::impl_call_builtin_expect): New.
11218         (region_model::impl_call_calloc): New.
11219         (region_model::impl_call_free): New.
11220         (region_model::impl_call_malloc): New.
11221         (region_model::impl_call_memset): New.
11222         (region_model::impl_call_strlen): New.
11223         (region_model::get_reachable_svalues): New.
11224         (region_model::handle_phi): Drop is_back_edge param.
11225         (region_model::region_id get_root_rid): Delete.
11226         (region_model::root_region *get_root_region): Delete.
11227         (region_model::region_id get_stack_region_id): Delete.
11228         (region_model::push_frame): Convert from region_id and svalue_id
11229         to const region * and const svalue *.
11230         (region_model::get_current_frame_id): Replace with...
11231         (region_model::get_current_frame): ...this.
11232         (region_model::pop_frame): Convert from region_id to
11233         const region *.  Drop purge and stats param.  Add out_result.
11234         (region_model::function *get_function_at_depth): Delete.
11235         (region_model::get_globals_region_id): Delete.
11236         (region_model::add_svalue): Delete.
11237         (region_model::replace_svalue): Delete.
11238         (region_model::add_region): Delete.
11239         (region_model::add_region_for_type): Delete.
11240         (region_model::get_svalue): Delete.
11241         (region_model::get_region): Delete.
11242         (region_model::get_lvalue): Convert from region_id to
11243         const region *.
11244         (region_model::get_rvalue): Convert from svalue_id to
11245         const svalue *.
11246         (region_model::get_or_create_ptr_svalue): Delete.
11247         (region_model::get_or_create_constant_svalue): Delete.
11248         (region_model::get_svalue_for_fndecl): Delete.
11249         (region_model::get_svalue_for_label): Delete.
11250         (region_model::get_region_for_fndecl): Delete.
11251         (region_model::get_region_for_label): Delete.
11252         (region_model::get_frame_at_index (int index) const;): New.
11253         (region_model::maybe_cast): Delete.
11254         (region_model::maybe_cast_1): Delete.
11255         (region_model::get_field_region): Delete.
11256         (region_model::id deref_rvalue): Convert from region_id and
11257         svalue_id to const region * and const svalue *.  Drop overload,
11258         passing in both a tree and an svalue.
11259         (region_model::set_value): Convert from region_id and svalue_id to
11260         const region * and const svalue *.
11261         (region_model::set_to_new_unknown_value): Delete.
11262         (region_model::clobber_region (const region *reg);): New.
11263         (region_model::purge_region (const region *reg);): New.
11264         (region_model::zero_fill_region (const region *reg);): New.
11265         (region_model::mark_region_as_unknown (const region *reg);): New.
11266         (region_model::copy_region): Convert from region_id to
11267         const region *.
11268         (region_model::eval_condition): Convert from svalue_id to
11269         const svalue *.
11270         (region_model::eval_condition_without_cm): Likewise.
11271         (region_model::compare_initial_and_pointer): New.
11272         (region_model::maybe_get_constant): Delete.
11273         (region_model::add_new_malloc_region): Delete.
11274         (region_model::get_representative_tree): Convert from svalue_id to
11275         const svalue *.
11276         (region_model::get_representative_path_var): Delete decl taking a
11277         region_id in favor of two decls, for svalue vs region, with an
11278         svalue_set to ensure termination.
11279         (region_model::get_path_vars_for_svalue): Delete.
11280         (region_model::create_region_for_heap_alloc): New.
11281         (region_model::create_region_for_alloca): New.
11282         (region_model::purge_unused_svalues): Delete.
11283         (region_model::remap_svalue_ids): Delete.
11284         (region_model::remap_region_ids): Delete.
11285         (region_model::purge_regions): Delete.
11286         (region_model::get_num_svalues): Delete.
11287         (region_model::get_num_regions): Delete.
11288         (region_model::get_descendents): Delete.
11289         (region_model::get_store): New.
11290         (region_model::delete_region_and_descendents): Delete.
11291         (region_model::get_manager): New.
11292         (region_model::unbind_region_and_descendents): New.
11293         (region_model::can_merge_with_p): Add point param.  Drop
11294         svalue_id_merger_mapping.
11295         (region_model::get_value_by_name): Delete.
11296         (region_model::convert_byte_offset_to_array_index): Delete.
11297         (region_model::get_or_create_mem_ref): Delete.
11298         (region_model::get_or_create_pointer_plus_expr): Delete.
11299         (region_model::get_or_create_view): Delete.
11300         (region_model::get_lvalue_1): Convert from region_id to
11301         const region *.
11302         (region_model::get_rvalue_1): Convert from svalue_id to
11303         const svalue *.
11304         (region_model::get_ssa_name_regions_for_current_frame): New.
11305         (region_model::append_ssa_names_cb): New.
11306         (region_model::get_store_value): New.
11307         (region_model::copy_struct_region): Delete.
11308         (region_model::copy_union_region): Delete.
11309         (region_model::copy_array_region): Delete.
11310         (region_model::region_exists_p): New.
11311         (region_model::make_region_for_unexpected_tree_code): Delete.
11312         (region_model::loop_replay_fixup): New.
11313         (region_model::poison_any_pointers_to_bad_regions): Delete.
11314         (region_model::poison_any_pointers_to_descendents): New.
11315         (region_model::dump_summary_of_rep_path_vars): Delete.
11316         (region_model::on_top_level_param): New.
11317         (region_model::record_dynamic_extents): New.
11318         (region_model::m_mgr;): New.
11319         (region_model::m_store;): New.
11320         (region_model::m_svalues;): Delete.
11321         (region_model::m_regions;): Delete.
11322         (region_model::m_root_rid;): Delete.
11323         (region_model::m_current_frame;): New.
11324         (region_model_context::remap_svalue_ids): Delete.
11325         (region_model_context::can_purge_p): Delete.
11326         (region_model_context::on_svalue_leak): New.
11327         (region_model_context::on_svalue_purge): Delete.
11328         (region_model_context::on_liveness_change): New.
11329         (region_model_context::on_inherited_svalue): Delete.
11330         (region_model_context::on_cast): Delete.
11331         (region_model_context::on_unknown_change): Convert from svalue_id to
11332         const svalue * and add is_mutable.
11333         (class noop_region_model_context): Update for region_model_context
11334         changes.
11335         (model_merger::model_merger): Add program_point.  Drop
11336         svalue_id_merger_mapping.
11337         (model_merger::dump_to_pp): Add "simple" param.
11338         (model_merger::dump): Likewise.
11339         (model_merger::get_region_a): Delete.
11340         (model_merger::get_region_b): Delete.
11341         (model_merger::can_merge_values_p): Delete.
11342         (model_merger::record_regions): Delete.
11343         (model_merger::record_svalues): Delete.
11344         (model_merger::m_point): New field.
11345         (model_merger::m_map_regions_from_a_to_m): Delete.
11346         (model_merger::m_map_regions_from_b_to_m): Delete.
11347         (model_merger::m_sid_mapping): Delete.
11348         (struct svalue_id_merger_mapping): Delete.
11349         (class engine): New.
11350         (struct canonicalization): Delete.
11351         (inchash::add): Delete decls for hashing svalue_id and region_id.
11352         (test_region_model_context::on_unexpected_tree_code): Require t to
11353         be non-NULL.
11354         (selftest::assert_condition): Add overload comparing a pair of
11355         const svalue *.
11356         * sm-file.cc: Include "tristate.h", "selftest.h",
11357         "analyzer/call-string.h", "analyzer/program-point.h",
11358         "analyzer/store.h", and "analyzer/region-model.h".
11359         (fileptr_state_machine::get_default_state): New.
11360         (fileptr_state_machine::on_stmt): Remove calls to
11361         get_readable_tree in favor of get_diagnostic_tree.
11362         * sm-malloc.cc: Include "tristate.h", "selftest.h",
11363         "analyzer/call-string.h", "analyzer/program-point.h",
11364         "analyzer/store.h", and "analyzer/region-model.h".
11365         (malloc_state_machine::get_default_state): New.
11366         (malloc_state_machine::reset_when_passed_to_unknown_fn_p): New.
11367         (malloc_diagnostic::describe_state_change): Handle change.m_expr
11368         being NULL.
11369         (null_arg::emit): Avoid printing "NULL '0'".
11370         (null_arg::describe_final_event): Avoid printing "(0) NULL".
11371         (malloc_leak::emit): Handle m_arg being NULL.
11372         (malloc_leak::describe_final_event): Handle ev.m_expr being NULL.
11373         (malloc_state_machine::on_stmt): Don't call get_readable_tree.
11374         Call get_diagnostic_tree when creating pending diagnostics.
11375         Update for is_zero_assignment becoming a member function of
11376         sm_ctxt.
11377         Don't transition to m_non_heap for ADDR_EXPR(MEM_REF()).
11378         (malloc_state_machine::reset_when_passed_to_unknown_fn_p): New
11379         vfunc implementation.
11380         * sm-sensitive.cc (sensitive_state_machine::warn_for_any_exposure): Call
11381         get_diagnostic_tree and pass the result to warn_for_state.
11382         * sm-signal.cc: Move includes of "analyzer/call-string.h" and
11383         "analyzer/program-point.h" to before "analyzer/region-model.h",
11384         and also include "analyzer/store.h" before it.
11385         (signal_unsafe_call::describe_state_change): Use
11386         get_dest_function to get handler.
11387         (update_model_for_signal_handler): Pass manager to region_model
11388         ctor.
11389         (register_signal_handler::impl_transition): Update for changes to
11390         get_or_create_node and add_edge.
11391         * sm-taint.cc (taint_state_machine::on_stmt): Remove calls to
11392         get_readable_tree, replacing them when calling warn_for_state with
11393         calls to get_diagnostic_tree.
11394         * sm.cc (is_zero_assignment): Delete.
11395         (any_pointer_p): Move to within namespace ana.
11396         * sm.h (is_zero_assignment): Remove decl.
11397         (any_pointer_p): Move decl to within namespace ana.
11398         (state_machine::get_default_state): New vfunc.
11399         (state_machine::reset_when_passed_to_unknown_fn_p): New vfunc.
11400         (sm_context::get_readable_tree): Rename to...
11401         (sm_context::get_diagnostic_tree): ...this.
11402         (sm_context::is_zero_assignment): New vfunc.
11403         * store.cc: New file.
11404         * store.h: New file.
11405         * svalue.cc: New file.
11407 2020-05-22  Mark Wielaard  <mark@klomp.org>
11409         * sm-signal.cc (signal_unsafe_call::emit): Possibly add
11410         gcc_rich_location note for replacement.
11411         (signal_unsafe_call::get_replacement_fn): New private function.
11412         (get_async_signal_unsafe_fns): Add "exit".
11414 2020-04-28  David Malcolm  <dmalcolm@redhat.com>
11416         PR analyzer/94816
11417         * engine.cc (impl_region_model_context::on_unexpected_tree_code):
11418         Handle NULL tree.
11419         * region-model.cc (region_model::add_region_for_type): Handle
11420         NULL type.
11421         * region-model.h
11422         (test_region_model_context::on_unexpected_tree_code): Handle NULL
11423         tree.
11425 2020-04-28  David Malcolm  <dmalcolm@redhat.com>
11427         PR analyzer/94447
11428         PR analyzer/94639
11429         PR analyzer/94732
11430         PR analyzer/94754
11431         * analyzer.opt (Wanalyzer-use-of-uninitialized-value): Delete.
11432         * program-state.cc (selftest::test_program_state_dumping): Update
11433         expected dump result for removal of "uninit".
11434         * region-model.cc (poison_kind_to_str): Delete POISON_KIND_UNINIT
11435         case.
11436         (root_region::ensure_stack_region): Initialize stack with null
11437         svalue_id rather than with a typeless POISON_KIND_UNINIT value.
11438         (root_region::ensure_heap_region): Likewise for the heap.
11439         (region_model::dump_summary_of_rep_path_vars): Remove
11440         summarization of uninit values.
11441         (region_model::validate): Remove check that the stack has a
11442         POISON_KIND_UNINIT value.
11443         (poisoned_value_diagnostic::emit): Remove POISON_KIND_UNINIT
11444         case.
11445         (poisoned_value_diagnostic::describe_final_event): Likewise.
11446         (selftest::test_dump): Update expected dump result for removal of
11447         "uninit".
11448         (selftest::test_svalue_equality): Remove "uninit" and "freed".
11449         * region-model.h (enum poison_kind): Remove POISON_KIND_UNINIT.
11451 2020-04-01  David Malcolm  <dmalcolm@redhat.com>
11453         PR analyzer/94378
11454         * checker-path.cc: Include "bitmap.h".
11455         * constraint-manager.cc: Likewise.
11456         * diagnostic-manager.cc: Likewise.
11457         * engine.cc: Likewise.
11458         (exploded_node::detect_leaks): Pass null region_id to pop_frame.
11459         * program-point.cc: Include "bitmap.h".
11460         * program-state.cc: Likewise.
11461         * region-model.cc (id_set<region_id>::id_set): Convert to...
11462         (region_id_set::region_id_set): ...this.
11463         (svalue_id_set::svalue_id_set): New ctor.
11464         (region_model::copy_region): New function.
11465         (region_model::copy_struct_region): New function.
11466         (region_model::copy_union_region): New function.
11467         (region_model::copy_array_region): New function.
11468         (stack_region::pop_frame): Drop return value.  Add
11469         "result_dst_rid" param; if it is non-null, use copy_region to copy
11470         the result to it.  Rather than capture and pass a single "known
11471         used" return value to be used by purge_unused_values, instead
11472         gather and pass a set of known used return values.
11473         (root_region::pop_frame): Drop return value.  Add "result_dst_rid"
11474         param.
11475         (region_model::on_assignment): Use copy_region.
11476         (region_model::on_return): Likewise for the result.
11477         (region_model::on_longjmp): Pass null for pop_frame's
11478         result_dst_rid.
11479         (region_model::update_for_return_superedge): Pass the region for the
11480         return value of the call, if any, to pop_frame, rather than setting
11481         the lvalue for the lhs of the result.
11482         (region_model::pop_frame): Drop return value.  Add
11483         "result_dst_rid" param.
11484         (region_model::purge_unused_svalues): Convert third param from an
11485         svalue_id * to an svalue_id_set *, updating the initial populating
11486         of the "used" bitmap accordingly.  Don't remap it when done.
11487         (struct selftest::coord_test): New selftest fixture, extracted from...
11488         (selftest::test_dump_2): ...here.
11489         (selftest::test_compound_assignment): New selftest.
11490         (selftest::test_stack_frames): Pass null to new param of pop_frame.
11491         (selftest::analyzer_region_model_cc_tests): Call the new selftest.
11492         * region-model.h (class id_set): Delete template.
11493         (class region_id_set): Reimplement, using old id_set implementation.
11494         (class svalue_id_set): Likewise.  Convert from auto_sbitmap to
11495         auto_bitmap.
11496         (region::get_active_view): New accessor.
11497         (stack_region::pop_frame): Drop return value.  Add
11498         "result_dst_rid" param.
11499         (root_region::pop_frame): Likewise.
11500         (region_model::pop_frame): Likewise.
11501         (region_model::copy_region): New decl.
11502         (region_model::purge_unused_svalues): Convert third param from an
11503         svalue_id * to an svalue_id_set *.
11504         (region_model::copy_struct_region): New decl.
11505         (region_model::copy_union_region): New decl.
11506         (region_model::copy_array_region): New decl.
11508 2020-03-27  David Malcolm  <dmalcolm@redhat.com>
11510         * program-state.cc (selftest::test_program_state_dumping): Update
11511         expected dump to include symbolic_region's possibly_null field.
11512         * region-model.cc (symbolic_region::print_fields): New vfunc
11513         implementation.
11514         (region_model::add_constraint): Clear m_possibly_null from
11515         symbolic_regions now known to be non-NULL.
11516         (selftest::test_malloc_constraints): New selftest.
11517         (selftest::analyzer_region_model_cc_tests): Call it.
11518         * region-model.h (region::dyn_cast_symbolic_region): Add non-const
11519         overload.
11520         (symbolic_region::dyn_cast_symbolic_region): Implement it.
11521         (symbolic_region::print_fields): New vfunc override decl.
11523 2020-03-27  David Malcolm  <dmalcolm@redhat.com>
11525         * analyzer.h (class feasibility_problem): New forward decl.
11526         * diagnostic-manager.cc (saved_diagnostic::saved_diagnostic):
11527         Initialize new fields m_status, m_epath_length, and m_problem.
11528         (saved_diagnostic::~saved_diagnostic): Delete m_problem.
11529         (dedupe_candidate::dedupe_candidate): Convert "sd" param from a
11530         const ref to a mutable ptr.
11531         (dedupe_winners::add): Convert "sd" param from a const ref to a
11532         mutable ptr.  Record the length of the exploded_path.  Record the
11533         feasibility/infeasibility of sd into sd, capturing a
11534         feasibility_problem when feasible_p fails, and storing it in sd.
11535         (diagnostic_manager::emit_saved_diagnostics): Update for pass by
11536         ptr rather than by const ref.
11537         * diagnostic-manager.h (class saved_diagnostic): Add new enum
11538         status.  Add fields m_status, m_epath_length and m_problem.
11539         (saved_diagnostic::set_feasible): New member function.
11540         (saved_diagnostic::set_infeasible): New member function.
11541         (saved_diagnostic::get_feasibility_problem): New accessor.
11542         (saved_diagnostic::get_status): New accessor.
11543         (saved_diagnostic::set_epath_length): New member function.
11544         (saved_diagnostic::get_epath_length): New accessor.
11545         * engine.cc: Include "gimple-pretty-print.h".
11546         (exploded_path::feasible_p): Add OUT param and, if non-NULL, write
11547         a new feasibility_problem to it on failure.
11548         (viz_callgraph_node::dump_dot): Convert begin_tr calls to
11549         begin_trtd.  Convert end_tr calls to end_tdtr.
11550         (class exploded_graph_annotator): New subclass of dot_annotator.
11551         (impl_run_checkers): Add a second -fdump-analyzer-supergraph dump
11552         after the analysis runs, using exploded_graph_annotator, dumping
11553         to DUMP_BASE_NAME.supergraph-eg.dot.
11554         * exploded-graph.h (exploded_node::get_dot_fillcolor): Make
11555         public.
11556         (exploded_path::feasible_p): Add OUT param.
11557         (class feasibility_problem): New class.
11558         * state-purge.cc (state_purge_annotator::add_node_annotations):
11559         Return a bool, add a "within_table" param.
11560         (print_vec_of_names): Convert begin_tr calls to begin_trtd.
11561         Convert end_tr calls to end_tdtr.
11562         (state_purge_annotator::add_stmt_annotations): Add "within_row"
11563         param.
11564         * state-purge.h (state_purge_annotator::add_node_annotations):
11565         Return a bool, add a "within_table" param.
11566         (state_purge_annotator::add_stmt_annotations): Add "within_row"
11567         param.
11568         * supergraph.cc (supernode::dump_dot): Call add_node_annotations
11569         twice: as before, passing false for "within_table", then again
11570         with true when within the TABLE element.  Convert some begin_tr
11571         calls to begin_trtd, and some end_tr calls to end_tdtr.
11572         Repeat each add_stmt_annotations call, distinguishing between
11573         calls that add TRs and those that add TDs to an existing TR.
11574         Add a call to add_after_node_annotations.
11575         * supergraph.h (dot_annotator::add_node_annotations): Add a
11576         "within_table" param.
11577         (dot_annotator::add_stmt_annotations): Add a "within_row" param.
11578         (dot_annotator::add_after_node_annotations): New vfunc.
11580 2020-03-27  David Malcolm  <dmalcolm@redhat.com>
11582         * diagnostic-manager.cc (dedupe_winners::add): Show the
11583         exploded_node index in the log messages.
11584         (diagnostic_manager::emit_saved_diagnostics): Log a summary of
11585         m_saved_diagnostics at entry.
11587 2020-03-27  David Malcolm  <dmalcolm@redhat.com>
11589         * supergraph.cc (superedge::dump): Add space before description;
11590         move newline to non-pretty_printer overload.
11592 2020-03-18  David Malcolm  <dmalcolm@redhat.com>
11594         * region-model.cc: Include "stor-layout.h".
11595         (region_model::dump_to_pp): Rather than calling
11596         dump_summary_of_map on each of the current frame and the globals,
11597         instead get a vec of representative path_vars for all regions,
11598         and then dump a summary of all of them.
11599         (region_model::dump_summary_of_map): Delete, rewriting into...
11600         (region_model::dump_summary_of_rep_path_vars): ...this new
11601         function, working on a vec of path_vars.
11602         (region_model::set_value): New overload.
11603         (region_model::get_representative_path_var): Rename
11604         "parent_region" local to "parent_reg" and consolidate with other
11605         local.  Guard test for grandparent being stack on parent_reg being
11606         non-NULL.  Move handling for parent being an array_region to
11607         within guard for parent_reg being non-NULL.
11608         (selftest::make_test_compound_type): New function.
11609         (selftest::test_dump_2): New selftest.
11610         (selftest::test_dump_3): New selftest.
11611         (selftest::test_stack_frames): Update expected output from
11612         simplified dump to show "a" and "b" from parent frame and "y" in
11613         child frame.
11614         (selftest::analyzer_region_model_cc_tests): Call test_dump_2 and
11615         test_dump_3.
11616         * region-model.h (region_model::set_value): New overload decl.
11617         (region_model::dump_summary_of_map): Delete.
11618         (region_model::dump_summary_of_rep_path_vars): New.
11620 2020-03-18  David Malcolm  <dmalcolm@redhat.com>
11622         * region-model.h (class noop_region_model_context): New subclass
11623         of region_model_context.
11624         (class tentative_region_model_context): Inherit from
11625         noop_region_model_context rather than from region_model_context;
11626         drop redundant vfunc implementations.
11627         (class test_region_model_context): Likewise.
11629 2020-03-18  David Malcolm  <dmalcolm@redhat.com>
11631         * engine.cc (exploded_node::exploded_node): Move implementation
11632         here from header; accept point_and_state by const reference rather
11633         than by value.
11634         * exploded-graph.h (exploded_node::exploded_node): Pass
11635         point_and_state by const reference rather than by value.  Move
11636         body to engine.cc.
11638 2020-03-18  Jakub Jelinek  <jakub@redhat.com>
11640         * sm-malloc.cc (malloc_state_machine::on_stmt): Fix up duplicated word
11641         issue in a comment.
11642         * region-model.cc (region_model::make_region_for_unexpected_tree_code,
11643         region_model::delete_region_and_descendents): Likewise.
11644         * engine.cc (class exploded_cluster): Likewise.
11645         * diagnostic-manager.cc (class path_builder): Likewise.
11647 2020-03-13  David Malcolm  <dmalcolm@redhat.com>
11649         PR analyzer/94099
11650         PR analyzer/94105
11651         * diagnostic-manager.cc (for_each_state_change): Bulletproof
11652         against errors in get_rvalue by passing a
11653         tentative_region_model_context and rejecting if there's an error.
11654         * region-model.cc (region_model::get_lvalue_1): When handling
11655         ARRAY_REF, handle results of error-handling.  Handle NOP_EXPR.
11657 2020-03-06  David Malcolm  <dmalcolm@redhat.com>
11659         * analyzer.h (class array_region): New forward decl.
11660         * program-state.cc (selftest::test_program_state_dumping_2): New.
11661         (selftest::analyzer_program_state_cc_tests): Call it.
11662         * region-model.cc (array_region::constant_from_key): New.
11663         (region_model::get_representative_tree): Handle region_svalue by
11664         generating an ADDR_EXPR.
11665         (region_model::get_representative_path_var): In view handling,
11666         remove erroneous TREE_TYPE when determining the type of the tree.
11667         Handle array regions and STRING_CST.
11668         (selftest::assert_dump_tree_eq): New.
11669         (ASSERT_DUMP_TREE_EQ): New macro.
11670         (selftest::test_get_representative_tree): New selftest.
11671         (selftest::analyzer_region_model_cc_tests): Call it.
11672         * region-model.h (region::dyn_cast_array_region): New vfunc.
11673         (array_region::dyn_cast_array_region): New vfunc implementation.
11674         (array_region::constant_from_key): New decl.
11676 2020-03-06  David Malcolm  <dmalcolm@redhat.com>
11678         * analyzer.h (dump_quoted_tree): New decl.
11679         * engine.cc (exploded_node::dump_dot): Pass region model to
11680         sm_state_map::print.
11681         * program-state.cc: Include diagnostic-core.h.
11682         (sm_state_map::print): Add "model" param and use it to print
11683         representative trees.  Only print origin information if non-null.
11684         (sm_state_map::dump): Pass NULL for model to print call.
11685         (program_state::print): Pass region model to sm_state_map::print.
11686         (program_state::dump_to_pp): Use spaces rather than newlines when
11687         summarizing.  Pass region_model to sm_state_map::print.
11688         (ana::selftest::assert_dump_eq): New function.
11689         (ASSERT_DUMP_EQ): New macro.
11690         (ana::selftest::test_program_state_dumping): New function.
11691         (ana::selftest::analyzer_program_state_cc_tests): Call it.
11692         * program-state.h (program_state::print): Add model param.
11693         * region-model.cc (dump_quoted_tree): New function.
11694         (map_region::print_fields): Use dump_quoted_tree rather than
11695         %qE to avoid lang-dependent output.
11696         (map_region::dump_child_label): Likewise.
11697         (region_model::dump_summary_of_map): For SK_REGION, when
11698         get_representative_path_var fails, print the region id rather than
11699         erroneously printing NULL.
11700         * sm.cc (state_machine::get_state_by_name): New function.
11701         * sm.h (state_machine::get_state_by_name): New decl.
11703 2020-03-04  David Malcolm  <dmalcolm@redhat.com>
11705         * region-model.cc (region::validate): Convert model param from ptr
11706         to reference.  Update comment to reflect that it's now a vfunc.
11707         (map_region::validate): New vfunc implementation.
11708         (array_region::validate): New vfunc implementation.
11709         (stack_region::validate): New vfunc implementation.
11710         (root_region::validate): New vfunc implementation.
11711         (region_model::validate): Pass a reference rather than a pointer
11712         to the region::validate vfunc.
11713         * region-model.h (region::validate): Make virtual.  Convert model
11714         param from ptr to reference.
11715         (map_region::validate): New vfunc decl.
11716         (array_region::validate): New vfunc decl.
11717         (stack_region::validate): New vfunc decl.
11718         (root_region::validate): New vfunc decl.
11720 2020-03-04  David Malcolm  <dmalcolm@redhat.com>
11722         PR analyzer/93993
11723         * region-model.cc (region_model::on_call_pre): Handle
11724         BUILT_IN_EXPECT and its variants.
11725         (region_model::add_any_constraints_from_ssa_def_stmt): Split out
11726         gassign handling into add_any_constraints_from_gassign; add gcall
11727         handling.
11728         (region_model::add_any_constraints_from_gassign): New function,
11729         based on the above.  Add handling for NOP_EXPR.
11730         (region_model::add_any_constraints_from_gcall): New function.
11731         (region_model::get_representative_path_var): Handle views.
11732         * region-model.h
11733         (region_model::add_any_constraints_from_ssa_def_stmt): New decl.
11734         (region_model::add_any_constraints_from_gassign): New decl.
11736 2020-03-04  David Malcolm  <dmalcolm@redhat.com>
11738         PR analyzer/93993
11739         * checker-path.h (state_change_event::get_lvalue): Add ctxt param
11740         and pass it to region_model::get_value call.
11741         * diagnostic-manager.cc (get_any_origin): Pass a
11742         tentative_region_model_context to the calls to get_lvalue and reject
11743         the comparison if errors occur.
11744         (can_be_expr_of_interest_p): New function.
11745         (diagnostic_manager::prune_for_sm_diagnostic): Replace checks for
11746         CONSTANT_CLASS_P with calls to update_for_unsuitable_sm_exprs.
11747         Pass a tentative_region_model_context to the calls to
11748         state_change_event::get_lvalue and reject the comparison if errors
11749         occur.
11750         (diagnostic_manager::update_for_unsuitable_sm_exprs): New.
11751         * diagnostic-manager.h
11752         (diagnostic_manager::update_for_unsuitable_sm_exprs): New decl.
11753         * region-model.h (class tentative_region_model_context): New class.
11755 2020-03-04  David Malcolm  <dmalcolm@redhat.com>
11757         * engine.cc (worklist::worklist): Remove unused field m_eg.
11758         (class viz_callgraph_edge): Remove unused field m_call_sedge.
11759         (class viz_callgraph): Remove unused field m_sg.
11760         * exploded-graph.h (worklist::m_eg): Remove unused field.
11762 2020-03-02  David Malcolm  <dmalcolm@redhat.com>
11764         * analyzer.opt (fanalyzer-show-duplicate-count): New option.
11765         * diagnostic-manager.cc
11766         (diagnostic_manager::emit_saved_diagnostic): Use the above to
11767         guard the printing of the duplicate count.
11769 2020-03-02  David Malcolm  <dmalcolm@redhat.com>
11771         PR analyzer/93959
11772         * analyzer.cc (is_std_function_p): New function.
11773         (is_std_named_call_p): New function.
11774         * analyzer.h (is_std_named_call_p): New decl.
11775         * sm-malloc.cc (malloc_state_machine::on_stmt): Check for "std::"
11776         variants when checking for malloc, calloc and free.
11778 2020-02-26  David Malcolm  <dmalcolm@redhat.com>
11780         PR analyzer/93950
11781         * diagnostic-manager.cc
11782         (diagnostic_manager::prune_for_sm_diagnostic): Assert that var is
11783         either NULL or not a constant.  When updating var, bulletproof
11784         against constant values.
11786 2020-02-26  David Malcolm  <dmalcolm@redhat.com>
11788         PR analyzer/93947
11789         * region-model.cc (region_model::get_fndecl_for_call): Gracefully
11790         fail for fn_decls that don't have a cgraph_node.
11792 2020-02-26  David Malcolm  <dmalcolm@redhat.com>
11794         * bar-chart.cc: New file.
11795         * bar-chart.h: New file.
11796         * engine.cc: Include "analyzer/bar-chart.h".
11797         (stats::log): Only log the m_num_nodes kinds that are non-zero.
11798         (stats::dump): Likewise when dumping.
11799         (stats::get_total_enodes): New.
11800         (exploded_graph::get_or_create_node): Increment the per-point-data
11801         m_excess_enodes when hitting the per-program-point limit on
11802         enodes.
11803         (exploded_graph::print_bar_charts): New.
11804         (exploded_graph::log_stats): Log the number of unprocessed enodes
11805         in the worklist.  Call print_bar_charts.
11806         (exploded_graph::dump_stats): Print the number of unprocessed
11807         enodes in the worklist.
11808         * exploded-graph.h (stats::get_total_enodes): New decl.
11809         (struct per_program_point_data): Add field m_excess_enodes.
11810         (exploded_graph::print_bar_charts): New decl.
11811         * supergraph.cc (superedge::dump): New.
11812         (superedge::dump): New.
11813         * supergraph.h (supernode::get_function): New.
11814         (superedge::dump): New decl.
11815         (superedge::dump): New decl.
11817 2020-02-24  David Malcolm  <dmalcolm@redhat.com>
11819         * engine.cc (exploded_graph::get_or_create_node): Dump the
11820         program_state to the pp, rather than to stderr.
11822 2020-02-24  David Malcolm  <dmalcolm@redhat.com>
11824         PR analyzer/93032
11825         * sm.cc (make_checkers): Require the "taint" checker to be
11826         explicitly enabled.
11828 2020-02-24  David Malcolm  <dmalcolm@redhat.com>
11830         PR analyzer/93899
11831         * engine.cc
11832         (impl_region_model_context::impl_region_model_context): Add logger
11833         param.
11834         * engine.cc (exploded_graph::add_function_entry): Create an
11835         impl_region_model_context and pass it to the push_frame call.
11836         Bail if the resulting state is invalid.
11837         (exploded_graph::build_initial_worklist): Likewise.
11838         (exploded_graph::build_initial_worklist): Handle the case where
11839         add_function_entry fails.
11840         * exploded-graph.h
11841         (impl_region_model_context::impl_region_model_context): Add logger
11842         param.
11843         * region-model.cc (map_region::get_or_create): Add ctxt param and
11844         pass it to add_region_for_type.
11845         (map_region::can_merge_p): Pass NULL as a ctxt to call to
11846         get_or_create.
11847         (array_region::get_element): Pass ctxt to call to get_or_create.
11848         (array_region::get_or_create): Add ctxt param and pass it to
11849         add_region_for_type.
11850         (root_region::push_frame): Pass ctxt to get_or_create calls.
11851         (region_model::get_lvalue_1): Likewise.
11852         (region_model::make_region_for_unexpected_tree_code): Assert that
11853         ctxt is non-NULL.
11854         (region_model::get_rvalue_1): Pass ctxt to get_svalue_for_fndecl
11855         and get_svalue_for_label calls.
11856         (region_model::get_svalue_for_fndecl): Add ctxt param and pass it
11857         to get_region_for_fndecl.
11858         (region_model::get_region_for_fndecl): Add ctxt param and pass it
11859         to get_or_create.
11860         (region_model::get_svalue_for_label): Add ctxt param and pass it
11861         to get_region_for_label.
11862         (region_model::get_region_for_label): Add ctxt param and pass it
11863         to get_region_for_fndecl and get_or_create.
11864         (region_model::get_field_region): Add ctxt param and pass it to
11865         get_or_create_view and get_or_create.
11866         (make_region_for_type): Replace gcc_unreachable with return NULL.
11867         (region_model::add_region_for_type): Add ctxt param.  Handle a
11868         return of NULL from make_region_for_type by calling
11869         make_region_for_unexpected_tree_code.
11870         (region_model::get_or_create_mem_ref): Pass ctxt to calls to
11871         get_or_create_view.
11872         (region_model::get_or_create_view): Add ctxt param and pass it to
11873         add_region_for_type.
11874         (selftest::test_state_merging): Pass ctxt to get_or_create_view.
11875         * region-model.h (region_model::get_or_create): Add ctxt param.
11876         (region_model::add_region_for_type): Likewise.
11877         (region_model::get_svalue_for_fndecl): Likewise.
11878         (region_model::get_svalue_for_label): Likewise.
11879         (region_model::get_region_for_fndecl): Likewise.
11880         (region_model::get_region_for_label): Likewise.
11881         (region_model::get_field_region): Likewise.
11882         (region_model::get_or_create_view): Likewise.
11884 2020-02-24  David Malcolm  <dmalcolm@redhat.com>
11886         * checker-path.cc (superedge_event::should_filter_p): Update
11887         filter for empty descriptions to cover verbosity level 3 as well
11888         as 2.
11889         * diagnostic-manager.cc: Include "analyzer/reachability.h".
11890         (class path_builder): New class.
11891         (diagnostic_manager::emit_saved_diagnostic): Create a path_builder
11892         and pass it to build_emission_path, rather passing eg; similarly
11893         for add_events_for_eedge and ext_state.
11894         (diagnostic_manager::build_emission_path): Replace "eg" param
11895         with a path_builder, pass it to add_events_for_eedge.
11896         (diagnostic_manager::add_events_for_eedge): Replace ext_state
11897         param with path_builder; pass it to add_events_for_superedge.
11898         (diagnostic_manager::significant_edge_p): New.
11899         (diagnostic_manager::add_events_for_superedge): Add path_builder
11900         param.  Reject insignificant edges at verbosity levels below 3.
11901         (diagnostic_manager::prune_for_sm_diagnostic): Update highest
11902         verbosity level to 4.
11903         * diagnostic-manager.h (class path_builder): New forward decl.
11904         (diagnostic_manager::build_emission_path): Replace "eg" param
11905         with a path_builder.
11906         (diagnostic_manager::add_events_for_eedge): Replace ext_state
11907         param with path_builder.
11908         (diagnostic_manager::significant_edge_p): New.
11909         (diagnostic_manager::add_events_for_superedge): Add path_builder
11910         param.
11911         * reachability.h: New file.
11913 2020-02-18  David Malcolm  <dmalcolm@redhat.com>
11915         PR analyzer/93692
11916         * analyzer.opt (fdump-analyzer-callgraph): Rewrite description.
11918 2020-02-18  David Malcolm  <dmalcolm@redhat.com>
11920         PR analyzer/93777
11921         * region-model.cc (region_model::maybe_cast_1): Replace assertion
11922         that build_cast returns non-NULL with a conditional, falling
11923         through to the logic which returns a new unknown value of the
11924         desired type if it fails.
11926 2020-02-18  David Malcolm  <dmalcolm@redhat.com>
11928         PR analyzer/93778
11929         * engine.cc (impl_region_model_context::on_unknown_tree_code):
11930         Rename to...
11931         (impl_region_model_context::on_unexpected_tree_code): ...this and
11932         convert first argument from path_var to tree.
11933         (exploded_node::on_stmt): Pass ctxt to purge_for_unknown_fncall.
11934         * exploded-graph.h (region_model_context::on_unknown_tree_code):
11935         Rename to...
11936         (region_model_context::on_unexpected_tree_code): ...this and
11937         convert first argument from path_var to tree.
11938         * program-state.cc (sm_state_map::purge_for_unknown_fncall): Add
11939         ctxt param and pass on to calls to get_rvalue.
11940         * program-state.h (sm_state_map::purge_for_unknown_fncall): Add
11941         ctxt param.
11942         * region-model.cc (region_model::handle_unrecognized_call): Pass
11943         ctxt on to call to get_rvalue.
11944         (region_model::get_lvalue_1): Move body of default case to
11945         region_model::make_region_for_unexpected_tree_code and call it.
11946         Within COMPONENT_REF case, reject attempts to handle types other
11947         than RECORD_TYPE and UNION_TYPE.
11948         (region_model::make_region_for_unexpected_tree_code): New
11949         function, based on default case of region_model::get_lvalue_1.
11950         * region-model.h
11951         (region_model::make_region_for_unexpected_tree_code): New decl.
11952         (region_model::on_unknown_tree_code): Rename to...
11953         (region_model::on_unexpected_tree_code): ...this and convert first
11954         argument from path_var to tree.
11955         (class test_region_model_context): Update vfunc implementation for
11956         above change.
11958 2020-02-18  David Malcolm  <dmalcolm@redhat.com>
11960         PR analyzer/93774
11961         * region-model.cc
11962         (region_model::convert_byte_offset_to_array_index): Use
11963         int_size_in_bytes before calling size_in_bytes, to gracefully fail
11964         on incomplete types.
11966 2020-02-17  David Malcolm  <dmalcolm@redhat.com>
11968         PR analyzer/93775
11969         * region-model.cc (region_model::get_fndecl_for_call): Handle the
11970         case where the code_region's get_tree_for_child_region returns
11971         NULL.
11973 2020-02-17  David Malcolm  <dmalcolm@redhat.com>
11975         PR analyzer/93388
11976         * engine.cc (impl_region_model_context::on_unknown_tree_code):
11977         New.
11978         (exploded_graph::get_or_create_node): Reject invalid states.
11979         * exploded-graph.h
11980         (impl_region_model_context::on_unknown_tree_code): New decl.
11981         (point_and_state::point_and_state): Assert that the state is
11982         valid.
11983         * program-state.cc (program_state::program_state): Initialize
11984         m_valid to true.
11985         (program_state::operator=): Copy m_valid.
11986         (program_state::program_state): Likewise for move constructor.
11987         (program_state::print): Print m_valid.
11988         (program_state::dump_to_pp): Likewise.
11989         * program-state.h (program_state::m_valid): New field.
11990         * region-model.cc (region_model::get_lvalue_1): Implement the
11991         default case by returning a new symbolic region and calling
11992         the context's on_unknown_tree_code, rather than issuing an
11993         internal_error.  Implement VIEW_CONVERT_EXPR.
11994         * region-model.h (region_model_context::on_unknown_tree_code): New
11995         vfunc.
11996         (test_region_model_context::on_unknown_tree_code): New.
11998 2020-02-17  David Malcolm  <dmalcolm@redhat.com>
12000         * sm-malloc.cc (malloc_diagnostic::describe_state_change): For
12001         transition to the "null" state, only say "assuming" when
12002         transitioning from the "unchecked" state.
12004 2020-02-17  David Malcolm  <dmalcolm@redhat.com>
12006         * diagnostic-manager.h (diagnostic_manager::get_saved_diagnostic):
12007         Add const overload.
12008         * engine.cc (exploded_node::dump_dot): Dump saved_diagnostics.
12009         * exploded-graph.h (exploded_graph::get_diagnostic_manager): Add
12010         const overload.
12012 2020-02-11  David Malcolm  <dmalcolm@redhat.com>
12014         PR analyzer/93288
12015         * analysis-plan.cc (analysis_plan::use_summary_p): Look through
12016         the ultimate_alias_target when getting the called function.
12017         * engine.cc (exploded_node::on_stmt): Rename second "ctxt" to
12018         "sm_ctxt".  Use the region_model's get_fndecl_for_call rather than
12019         gimple_call_fndecl.
12020         * region-model.cc (region_model::get_fndecl_for_call): Use
12021         ultimate_alias_target on fndecl.
12022         * supergraph.cc (get_ultimate_function_for_cgraph_edge): New
12023         function.
12024         (supergraph_call_edge): Use it when rejecting edges without
12025         functions.
12026         (supergraph::supergraph): Use it to get the function for the
12027         cgraph_edge when building interprocedural superedges.
12028         (callgraph_superedge::get_callee_function): Use it.
12029         * supergraph.h (supergraph::get_num_snodes): Make param const.
12030         (supergraph::function_to_num_snodes_t): Make first type param
12031         const.
12033 2020-02-11  David Malcolm  <dmalcolm@redhat.com>
12035         PR analyzer/93374
12036         * engine.cc (exploded_edge::exploded_edge): Add ext_state param
12037         and pass it to change.validate.
12038         (exploded_graph::get_or_create_node): Move purging of change
12039         svalues to also cover the case of reusing an existing enode.
12040         (exploded_graph::add_edge): Pass m_ext_state to exploded_edge's
12041         ctor.
12042         * exploded-graph.h (exploded_edge::exploded_edge): Add ext_state
12043         param.
12044         * program-state.cc (state_change::sm_change::validate): Likewise.
12045         Assert that m_sm_idx is sane.  Use ext_state to validate
12046         m_old_state and m_new_state.
12047         (state_change::validate): Add ext_state param and pass it to
12048         the sm_change validate calls.
12049         * program-state.h (state_change::sm_change::validate): Add
12050         ext_state param.
12051         (state_change::validate): Likewise.
12053 2020-02-11  David Malcolm  <dmalcolm@redhat.com>
12055         PR analyzer/93669
12056         * engine.cc (exploded_graph::dump_exploded_nodes): Handle missing
12057         case of STATUS_WORKLIST in implementation of
12058         "__analyzer_dump_exploded_nodes".
12060 2020-02-11  David Malcolm  <dmalcolm@redhat.com>
12062         PR analyzer/93649
12063         * constraint-manager.cc (constraint_manager::add_constraint): When
12064         merging equivalence classes and updating m_constant, also update
12065         m_cst_sid.
12066         (constraint_manager::validate): If m_constant is non-NULL assert
12067         that m_cst_sid is non-null and is valid.
12069 2020-02-11  David Malcolm  <dmalcolm@redhat.com>
12071         PR analyzer/93657
12072         * analyzer.opt (fdump-analyzer): Reword description.
12073         (fdump-analyzer-stderr): Likewise.
12075 2020-02-11  David Malcolm  <dmalcolm@redhat.com>
12077         * region-model.cc (print_quoted_type): New function.
12078         (svalue::print): Use it to replace %qT.
12079         (region::dump_to_pp): Likewise.
12080         (region::dump_child_label): Likewise.
12081         (region::print_fields): Likewise.
12083 2020-02-10  David Malcolm  <dmalcolm@redhat.com>
12085         PR analyzer/93659
12086         * analyzer.opt (-param=analyzer-max-recursion-depth=): Fix "tha"
12087         -> "that" typo.
12088         (Wanalyzer-use-of-uninitialized-value): Fix "initialized" ->
12089         "uninitialized" typo.
12091 2020-02-10  David Malcolm  <dmalcolm@redhat.com>
12093         PR analyzer/93350
12094         * region-model.cc (region_model::get_lvalue_1):
12095         Handle BIT_FIELD_REF.
12096         (make_region_for_type): Handle VECTOR_TYPE.
12098 2020-02-10  David Malcolm  <dmalcolm@redhat.com>
12100         PR analyzer/93647
12101         * diagnostic-manager.cc
12102         (diagnostic_manager::prune_for_sm_diagnostic): Bulletproof against
12103         VAR being constant.
12104         * region-model.cc (region_model::get_lvalue_1): Provide a better
12105         error message when encountering an unhandled tree code.
12107 2020-02-10  David Malcolm  <dmalcolm@redhat.com>
12109         PR analyzer/93405
12110         * region-model.cc (region_model::get_lvalue_1): Implement
12111         CONST_DECL.
12113 2020-02-06  David Malcolm  <dmalcolm@redhat.com>
12115         * region-model.cc (region_model::maybe_cast_1): Attempt to provide
12116         a region_svalue if either type is a pointer, rather than if both
12117         types are pointers.
12119 2020-02-05  David Malcolm  <dmalcolm@redhat.com>
12121         * engine.cc (exploded_node::dump_dot): Show merger enodes.
12122         (worklist::add_node): Assert that the node's m_status is
12123         STATUS_WORKLIST.
12124         (exploded_graph::process_worklist): Likewise for nodes from the
12125         worklist.  Set status of merged nodes to STATUS_MERGER.
12126         (exploded_graph::process_node): Set status of node to
12127         STATUS_PROCESSED.
12128         (exploded_graph::dump_exploded_nodes): Rework handling of
12129         "__analyzer_dump_exploded_nodes", splitting enodes by status into
12130         "processed" and "merger", showing the count of just the processed
12131         enodes at the call, rather than the count of all enodes.
12132         * exploded-graph.h (exploded_node::status): New enum.
12133         (exploded_node::exploded_node): Initialize m_status to
12134         STATUS_WORKLIST.
12135         (exploded_node::get_status): New getter.
12136         (exploded_node::set_status): New setter.
12138 2020-02-04  David Malcolm  <dmalcolm@redhat.com>
12140         PR analyzer/93543
12141         * engine.cc (pod_hash_traits<function_call_string>::mark_empty):
12142         Eliminate reinterpret_cast.
12143         (pod_hash_traits<function_call_string>::is_empty): Likewise.
12145 2020-02-03  David Malcolm  <dmalcolm@redhat.com>
12147         * constraint-manager.cc (range::constrained_to_single_element):
12148         Replace fold_build2 with fold_binary.  Remove unnecessary newline.
12149         (constraint_manager::get_or_add_equiv_class): Replace fold_build2
12150         with fold_binary in two places, and remove out-of-date comment.
12151         (constraint_manager::eval_condition): Replace fold_build2 with
12152         fold_binary.
12153         * region-model.cc (constant_svalue::eval_condition): Likewise.
12154         (region_model::on_assignment): Likewise.
12156 2020-02-03  David Malcolm  <dmalcolm@redhat.com>
12158         PR analyzer/93544
12159         * diagnostic-manager.cc
12160         (diagnostic_manager::prune_for_sm_diagnostic): Bulletproof
12161         against bad choices due to bad paths.
12162         * engine.cc (impl_region_model_context::on_phi): New.
12163         * exploded-graph.h (impl_region_model_context::on_phi): New decl.
12164         * region-model.cc (region_model::on_longjmp): Likewise.
12165         (region_model::handle_phi): Add phi param.  Call the ctxt's on_phi
12166         vfunc.
12167         (region_model::update_for_phis): Pass phi to handle_phi.
12168         * region-model.h (region_model::handle_phi): Add phi param.
12169         (region_model_context::on_phi): New vfunc.
12170         (test_region_model_context::on_phi): New.
12171         * sm-malloc.cc (malloc_state_machine::on_phi): New.
12172         (malloc_state_machine::on_zero_assignment): New.
12173         * sm.h (state_machine::on_phi): New vfunc.
12175 2020-02-03  David Malcolm  <dmalcolm@redhat.com>
12177         * engine.cc (supernode_cluster::dump_dot): Show BB index as
12178         well as SN index.
12179         * supergraph.cc (supernode::dump_dot): Likewise.
12181 2020-02-03  David Malcolm  <dmalcolm@redhat.com>
12183         PR analyzer/93546
12184         * region-model.cc (region_model::on_call_pre): Update for new
12185         param of symbolic_region ctor.
12186         (region_model::deref_rvalue): Likewise.
12187         (region_model::add_new_malloc_region): Likewise.
12188         (make_region_for_type): Likewise, preserving type.
12189         * region-model.h (symbolic_region::symbolic_region): Add "type"
12190         param and pass it to base class ctor.
12192 2020-02-03  David Malcolm  <dmalcolm@redhat.com>
12194         PR analyzer/93547
12195         * constraint-manager.cc
12196         (constraint_manager::get_or_add_equiv_class): Ensure types are
12197         compatible before comparing constants.
12199 2020-01-31  David Malcolm  <dmalcolm@redhat.com>
12201         PR analyzer/93457
12202         * region-model.cc (make_region_for_type): Use VOID_TYPE_P rather
12203         than checking against void_type_node.
12205 2020-01-31  David Malcolm  <dmalcolm@redhat.com>
12207         PR analyzer/93373
12208         * region-model.cc (ASSERT_COMPAT_TYPES): Convert to...
12209         (assert_compat_types): ...this, and bail when either type is NULL,
12210         or when VOID_TYPE_P (dst_type).
12211         (region_model::get_lvalue): Update for above conversion.
12212         (region_model::get_rvalue): Likewise.
12214 2020-01-31  David Malcolm  <dmalcolm@redhat.com>
12216         PR analyzer/93379
12217         * region-model.cc (region_model::update_for_return_superedge):
12218         Move check for null result so that it also guards setting the
12219         lhs.
12221 2020-01-31  David Malcolm  <dmalcolm@redhat.com>
12223         PR analyzer/93438
12224         * region-model.cc (stack_region::can_merge_p): Split into a two
12225         pass approach, creating all stack regions first, then populating
12226         them.
12227         (selftest::test_state_merging): Add test coverage for (a) the case
12228         of self-merging a model in which a local in an older stack frame
12229         points to a local in a more recent stack frame (which previously
12230         would ICE), and (b) the case of self-merging a model in which a
12231         local points to a global (which previously worked OK).
12233 2020-01-31  David Malcolm  <dmalcolm@redhat.com>
12235         * analyzer.cc (is_named_call_p): Replace tests for fndecl being
12236         extern at file scope and having a non-NULL DECL_NAME with a call
12237         to maybe_special_function_p.
12238         * function-set.cc (function_set::contains_decl_p): Add call to
12239         maybe_special_function_p.
12241 2020-01-31  David Malcolm  <dmalcolm@redhat.com>
12243         PR analyzer/93450
12244         * constraint-manager.cc
12245         (constraint_manager::get_or_add_equiv_class): Only compare constants
12246         if their types are compatible.
12247         * region-model.cc (constant_svalue::eval_condition): Replace check
12248         for identical types with call to types_compatible_p.
12250 2020-01-30  David Malcolm  <dmalcolm@redhat.com>
12252         * program-state.cc (extrinsic_state::dump_to_pp): New.
12253         (extrinsic_state::dump_to_file): New.
12254         (extrinsic_state::dump): New.
12255         * program-state.h (extrinsic_state::dump_to_pp): New decl.
12256         (extrinsic_state::dump_to_file): New decl.
12257         (extrinsic_state::dump): New decl.
12258         * sm.cc: Include "pretty-print.h".
12259         (state_machine::dump_to_pp): New.
12260         * sm.h (state_machine::dump_to_pp): New decl.
12262 2020-01-30  David Malcolm  <dmalcolm@redhat.com>
12264         * diagnostic-manager.cc (for_each_state_change): Use
12265         extrinsic_state::get_num_checkers rather than accessing m_checkers
12266         directly.
12267         * program-state.cc (program_state::program_state): Likewise.
12268         * program-state.h (extrinsic_state::m_checkers): Make private.
12270 2020-01-30  David Malcolm  <dmalcolm@redhat.com>
12272         PR analyzer/93356
12273         * region-model.cc (region_model::eval_condition): In both
12274         overloads, bail out immediately on floating-point types.
12275         (region_model::eval_condition_without_cm): Likewise.
12276         (region_model::add_constraint): Likewise.
12278 2020-01-30  David Malcolm  <dmalcolm@redhat.com>
12280         PR analyzer/93450
12281         * program-state.cc (sm_state_map::set_state): For the overload
12282         taking an svalue_id, bail out if the set_state on the ec does
12283         nothing.  Convert the latter's return type from void to bool,
12284         returning true if anything changed.
12285         (sm_state_map::impl_set_state): Convert the return type from void
12286         to bool, returning true if the state changed.
12287         * program-state.h (sm_state_map::set_state): Convert return type
12288         from void to bool.
12289         (sm_state_map::impl_set_state): Likewise.
12290         * region-model.cc (constant_svalue::eval_condition): Only call
12291         fold_build2 if the types are the same.

2020-01-29  Jakub Jelinek  <jakub@redhat.com>

	* analyzer.h (PUSH_IGNORE_WFORMAT, POP_IGNORE_WFORMAT): Remove.
	* constraint-manager.cc: Include diagnostic-core.h before graphviz.h.
	(range::dump, equiv_class::print): Don't use PUSH_IGNORE_WFORMAT or
	POP_IGNORE_WFORMAT.
	* state-purge.cc: Include diagnostic-core.h before
	gimple-pretty-print.h.
	(state_purge_annotator::add_node_annotations, print_vec_of_names):
	Don't use PUSH_IGNORE_WFORMAT or POP_IGNORE_WFORMAT.
	* region-model.cc: Move diagnostic-core.h include before graphviz.h.
	(path_var::dump, svalue::print, constant_svalue::print_details,
	region::dump_to_pp, region::dump_child_label, region::print_fields,
	map_region::print_fields, map_region::dump_dot_to_pp,
	map_region::dump_child_label, array_region::print_fields,
	array_region::dump_dot_to_pp): Don't use PUSH_IGNORE_WFORMAT or
	POP_IGNORE_WFORMAT.

2020-01-28  David Malcolm  <dmalcolm@redhat.com>

	PR analyzer/93316
	* engine.cc (rewind_info_t::update_model): Get the longjmp call
	stmt via get_longjmp_call () rather than assuming it is the last
	stmt in the longjmp's supernode.
	(rewind_info_t::add_events_to_path): Get the location_t for the
	rewind_from_longjmp_event via get_longjmp_call () rather than from
	the supernode's get_end_location ().

2020-01-28  David Malcolm  <dmalcolm@redhat.com>

	* region-model.cc (poisoned_value_diagnostic::emit): Update for
	renaming of warning_at overload to warning_meta.
	* sm-file.cc (file_leak::emit): Likewise.
	* sm-malloc.cc (double_free::emit): Likewise.
	(possible_null_deref::emit): Likewise.
	(possible_null_arg::emit): Likewise.
	(null_deref::emit): Likewise.
	(null_arg::emit): Likewise.
	(use_after_free::emit): Likewise.
	(malloc_leak::emit): Likewise.
	(free_of_non_heap::emit): Likewise.
	* sm-sensitive.cc (exposure_through_output_file::emit): Likewise.
	* sm-signal.cc (signal_unsafe_call::emit): Likewise.
	* sm-taint.cc (tainted_array_index::emit): Likewise.

2020-01-27  David Malcolm  <dmalcolm@redhat.com>

	PR analyzer/93451
	* region-model.cc (tree_cmp): For the REAL_CST case, impose an
	arbitrary order on NaNs relative to other NaNs and to non-NaNs;
	const-correctness tweak.
	(ana::selftests::build_real_cst_from_string): New function.
	(ana::selftests::append_interesting_constants): New function.
	(ana::selftests::test_tree_cmp_on_constants): New test.
	(ana::selftests::test_canonicalization_4): New test.
	(ana::selftests::analyzer_region_model_cc_tests): Call the new
	tests.

2020-01-27  David Malcolm  <dmalcolm@redhat.com>

	PR analyzer/93349
	* engine.cc (run_checkers): Save and restore input_location.

2020-01-27  David Malcolm  <dmalcolm@redhat.com>

	* call-string.cc (call_string::cmp_1): Delete, moving body to...
	(call_string::cmp): ...here.
	* call-string.h (call_string::cmp_1): Delete decl.
	* engine.cc (worklist::key_t::cmp_1): Delete, moving body to...
	(worklist::key_t::cmp): ...here.  Implement hash comparisons
	via comparison rather than subtraction to avoid overflow issues.
	* exploded-graph.h (worklist::key_t::cmp_1): Delete decl.
	* region-model.cc (tree_cmp): Eliminate buggy checking for
	symmetry.

2020-01-27  David Malcolm  <dmalcolm@redhat.com>

	* analyzer.cc (is_named_call_p): Check that fndecl is "extern"
	and at file scope.  Potentially disregard prefix _ or __ in
	fndecl's name.  Bail if the identifier is NULL.
	(is_setjmp_call_p): Expect a gcall rather than plain gimple.
	Remove special-case check for leading prefix, and also check for
	sigsetjmp.
	(is_longjmp_call_p): Also check for siglongjmp.
	(get_user_facing_name): New function.
	* analyzer.h (is_setjmp_call_p): Expect a gcall rather than plain
	gimple.
	(get_user_facing_name): New decl.
	* checker-path.cc (setjmp_event::get_desc): Use
	get_user_facing_name to avoid hardcoding the function name.
	(rewind_event::rewind_event): Add rewind_info param, using it to
	initialize new m_rewind_info field, and strengthen the assertion.
	(rewind_from_longjmp_event::get_desc): Use get_user_facing_name to
	avoid hardcoding the function name.
	(rewind_to_setjmp_event::get_desc): Likewise.
	* checker-path.h (setjmp_event::setjmp_event): Add setjmp_call
	param and use it to initialize...
	(setjmp_event::m_setjmp_call): New field.
	(rewind_event::rewind_event): Add rewind_info param.
	(rewind_event::m_rewind_info): New protected field.
	(rewind_from_longjmp_event::rewind_from_longjmp_event): Add
	rewind_info param.
	(class rewind_to_setjmp_event): Move rewind_info field to parent
	class.
	* diagnostic-manager.cc (diagnostic_manager::add_events_for_eedge):
	Update setjmp-handling for is_setjmp_call_p requiring a gcall;
	pass the call to the new setjmp_event.
	* engine.cc (exploded_node::on_stmt): Update for is_setjmp_call_p
	requiring a gcall.
	(stale_jmp_buf::emit): Use get_user_facing_name to avoid
	hardcoding the function names.
	(exploded_node::on_longjmp): Pass the longjmp_call when
	constructing rewind_info.
	(rewind_info_t::add_events_to_path): Pass the rewind_info_t to the
	rewind_from_longjmp_event's ctor.
	* exploded-graph.h (rewind_info_t::rewind_info_t): Add
	longjmp_call param.
	(rewind_info_t::get_longjmp_call): New.
	(rewind_info_t::m_longjmp_call): New.
	* region-model.cc (region_model::on_setjmp): Update comment to
	indicate this is also for sigsetjmp.
	* region-model.h (struct setjmp_record): Likewise.
	(class setjmp_svalue): Likewise.

2020-01-27  David Malcolm  <dmalcolm@redhat.com>

	PR analyzer/93276
	* analyzer.h (PUSH_IGNORE_WFORMAT, POP_IGNORE_WFORMAT): Guard these
	macros with GCC_VERSION >= 4006, making them no-op otherwise.
	* engine.cc (exploded_edge::exploded_edge): Specify template for
	base class initializer.
	(exploded_graph::add_edge): Specify template when chaining up to
	base class add_edge implementation.
	(viz_callgraph_node::dump_dot): Drop redundant "typename".
	(viz_callgraph_edge::viz_callgraph_edge): Specify template for
	base class initializer.
	* program-state.cc (sm_state_map::clone_with_remapping): Drop
	redundant "typename".
	(sm_state_map::print): Likewise.
	(sm_state_map::hash): Likewise.
	(sm_state_map::operator==): Likewise.
	(sm_state_map::remap_svalue_ids): Likewise.
	(sm_state_map::on_svalue_purge): Likewise.
	(sm_state_map::validate): Likewise.
	* program-state.h (sm_state_map::iterator_t): Likewise.
	* supergraph.h (superedge::superedge): Specify template for base
	class initializer.

2020-01-23  David Malcolm  <dmalcolm@redhat.com>

	PR analyzer/93375
	* supergraph.cc (callgraph_superedge::get_arg_for_parm): Fail
	gracefully if the number of parameters at the callee exceeds the
	number of arguments at the call stmt.
	(callgraph_superedge::get_parm_for_arg): Likewise.

2020-01-22  David Malcolm  <dmalcolm@redhat.com>

	PR analyzer/93382
	* program-state.cc (sm_state_map::on_svalue_purge): If the
	entry survives, but the origin is being purged, then reset the
	origin to null.

2020-01-22  David Malcolm  <dmalcolm@redhat.com>

	* sm-signal.cc: Fix nesting of CHECKING_P and namespace ana.

2020-01-22  David Malcolm  <dmalcolm@redhat.com>

	PR analyzer/93378
	* engine.cc (setjmp_svalue::compare_fields): Update for
	replacement of m_enode with m_setjmp_record.
	(setjmp_svalue::add_to_hash): Likewise.
	(setjmp_svalue::get_index): Rename...
	(setjmp_svalue::get_enode_index): ...to this.
	(setjmp_svalue::print_details): Update for replacement of m_enode
	with m_setjmp_record.
	(exploded_node::on_longjmp): Likewise.
	* exploded-graph.h (rewind_info_t::m_enode_origin): Replace...
	(rewind_info_t::m_setjmp_record): ...with this.
	(rewind_info_t::rewind_info_t): Update for replacement of m_enode
	with m_setjmp_record.
	(rewind_info_t::get_setjmp_point): Likewise.
	(rewind_info_t::get_setjmp_call): Likewise.
	* region-model.cc (region_model::dump_summary_of_map): Likewise.
	(region_model::on_setjmp): Likewise.
	* region-model.h (struct setjmp_record): New struct.
	(setjmp_svalue::m_enode): Replace...
	(setjmp_svalue::m_setjmp_record): ...with this.
	(setjmp_svalue::setjmp_svalue): Update for replacement of m_enode
	with m_setjmp_record.
	(setjmp_svalue::clone): Likewise.
	(setjmp_svalue::get_index): Rename...
	(setjmp_svalue::get_enode_index): ...to this.
	(setjmp_svalue::get_exploded_node): Replace...
	(setjmp_svalue::get_setjmp_record): ...with this.

2020-01-22  David Malcolm  <dmalcolm@redhat.com>

	PR analyzer/93316
	* analyzer.cc (is_setjmp_call_p): Check for "setjmp" as well as
	"_setjmp".

2020-01-22  David Malcolm  <dmalcolm@redhat.com>

	PR analyzer/93307
	* analysis-plan.h: Wrap everything in namespace "ana".
	* analyzer-logging.cc: Likewise.
	* analyzer-logging.h: Likewise.
	* analyzer-pass.cc (pass_analyzer::execute): Update for "ana"
	namespace.
	* analyzer-selftests.cc: Wrap everything in namespace "ana".
	* analyzer-selftests.h: Likewise.
	* analyzer.h: Likewise for forward decls of types.
	* call-string.h: Likewise.
	* checker-path.cc: Likewise.
	* checker-path.h: Likewise.
	* constraint-manager.cc: Likewise.
	* constraint-manager.h: Likewise.
	* diagnostic-manager.cc: Likewise.
	* diagnostic-manager.h: Likewise.
	* engine.cc: Likewise.
	* engine.h: Likewise.
	* exploded-graph.h: Likewise.
	* function-set.cc: Likewise.
	* function-set.h: Likewise.
	* pending-diagnostic.cc: Likewise.
	* pending-diagnostic.h: Likewise.
	* program-point.cc: Likewise.
	* program-point.h: Likewise.
	* program-state.cc: Likewise.
	* program-state.h: Likewise.
	* region-model.cc: Likewise.
	* region-model.h: Likewise.
	* sm-file.cc: Likewise.
	* sm-malloc.cc: Likewise.
	* sm-pattern-test.cc: Likewise.
	* sm-sensitive.cc: Likewise.
	* sm-signal.cc: Likewise.
	* sm-taint.cc: Likewise.
	* sm.cc: Likewise.
	* sm.h: Likewise.
	* state-purge.h: Likewise.
	* supergraph.cc: Likewise.
	* supergraph.h: Likewise.

2020-01-21  David Malcolm  <dmalcolm@redhat.com>

	PR analyzer/93352
	* region-model.cc (int_cmp): Rename to...
	(array_region::key_cmp): ...this, using key_t rather than int.
	Rewrite in terms of comparisons rather than subtraction to
	ensure qsort is anti-symmetric when handling extreme values.
	(array_region::walk_for_canonicalization): Update for above
	renaming.
	* region-model.h (array_region::key_cmp): New decl.

2020-01-17  David Malcolm  <dmalcolm@redhat.com>

	PR analyzer/93290
	* region-model.cc (region_model::eval_condition_without_cm): Avoid
	gcc_unreachable for unexpected operations for the case where
	we're comparing an svalue against itself.

2020-01-17  David Malcolm  <dmalcolm@redhat.com>

	PR analyzer/93281
	* region-model.cc
	(region_model::convert_byte_offset_to_array_index): Convert to
	ssizetype before dividing by byte_size.  Use fold_binary rather
	than fold_build2 to avoid needlessly constructing a tree for the
	non-const case.

2020-01-15  David Malcolm  <dmalcolm@redhat.com>

	* engine.cc (class impl_region_model_context): Fix comment.

2020-01-14  David Malcolm  <dmalcolm@redhat.com>

	PR analyzer/93212
	* region-model.cc (make_region_for_type): Use
	FUNC_OR_METHOD_TYPE_P rather than comparing against FUNCTION_TYPE.
	* region-model.h (function_region::function_region): Likewise.

2020-01-14  David Malcolm  <dmalcolm@redhat.com>

	* program-state.cc (sm_state_map::clone_with_remapping): Copy
	m_global_state.
	(selftest::test_program_state_merging_2): New selftest.
	(selftest::analyzer_program_state_cc_tests): Call it.

2020-01-14  David Malcolm  <dmalcolm@redhat.com>

	* checker-path.h (checker_path::get_checker_event): New function.
	(checker_path): Add DISABLE_COPY_AND_ASSIGN; make fields private.
	* diagnostic-manager.cc
	(diagnostic_manager::prune_for_sm_diagnostic): Replace direct
	access to checker_path::m_events with accessor functions.  Fix
	overlong line.
	(diagnostic_manager::prune_interproc_events): Replace direct
	access to checker_path::m_events with accessor functions.
	(diagnostic_manager::finish_pruning): Likewise.

2020-01-14  David Malcolm  <dmalcolm@redhat.com>

	* checker-path.h (checker_event::clone): Delete vfunc decl.
	(debug_event::clone): Delete vfunc impl.
	(custom_event::clone): Delete vfunc impl.
	(statement_event::clone): Delete vfunc impl.
	(function_entry_event::clone): Delete vfunc impl.
	(state_change_event::clone): Delete vfunc impl.
	(start_cfg_edge_event::clone): Delete vfunc impl.
	(end_cfg_edge_event::clone): Delete vfunc impl.
	(call_event::clone): Delete vfunc impl.
	(return_event::clone): Delete vfunc impl.
	(setjmp_event::clone): Delete vfunc impl.
	(rewind_from_longjmp_event::clone): Delete vfunc impl.
	(rewind_to_setjmp_event::clone): Delete vfunc impl.
	(warning_event::clone): Delete vfunc impl.

2020-01-14  David Malcolm  <dmalcolm@redhat.com>

	* supergraph.cc (supernode::dump_dot): Ensure that the TABLE
	element has at least one TR.

2020-01-14  David Malcolm  <dmalcolm@redhat.com>

	PR analyzer/58237
	* engine.cc (leak_stmt_finder::find_stmt): Use get_pure_location
	when comparing against UNKNOWN_LOCATION.
	(stmt_requires_new_enode_p): Likewise.
	(exploded_graph::dump_exploded_nodes): Likewise.
	* supergraph.cc (supernode::get_start_location): Likewise.
	(supernode::get_end_location): Likewise.

2020-01-14  David Malcolm  <dmalcolm@redhat.com>

	PR analyzer/58237
	* analyzer-selftests.cc (selftest::run_analyzer_selftests): Call
	selftest::analyzer_sm_file_cc_tests.
	* analyzer-selftests.h (selftest::analyzer_sm_file_cc_tests): New
	decl.
	* sm-file.cc: Include "analyzer/function-set.h" and
	"analyzer/analyzer-selftests.h".
	(get_file_using_fns): New function.
	(is_file_using_fn_p): New function.
	(fileptr_state_machine::on_stmt): Return true for known functions.
	(selftest::analyzer_sm_file_cc_tests): New function.

2020-01-14  David Malcolm  <dmalcolm@redhat.com>

	* analyzer-selftests.cc (selftest::run_analyzer_selftests): Call
	selftest::analyzer_sm_signal_cc_tests.
	* analyzer-selftests.h (selftest::analyzer_sm_signal_cc_tests):
	New decl.
	* sm-signal.cc: Include "analyzer/function-set.h" and
	"analyzer/analyzer-selftests.h".
	(get_async_signal_unsafe_fns): New function.
	(signal_unsafe_p): Reimplement in terms of the above.
	(selftest::analyzer_sm_signal_cc_tests): New function.

2020-01-14  David Malcolm  <dmalcolm@redhat.com>

	* analyzer-selftests.cc (selftest::run_analyzer_selftests): Call
	selftest::analyzer_function_set_cc_tests.
	* analyzer-selftests.h (selftest::analyzer_function_set_cc_tests):
	New decl.
	* function-set.cc: New file.
	* function-set.h: New file.

2020-01-14  David Malcolm  <dmalcolm@redhat.com>

	* analyzer.h (fndecl_has_gimple_body_p): New decl.
	* engine.cc (impl_region_model_context::on_unknown_change): New
	function.
	(fndecl_has_gimple_body_p): Make non-static.
	(exploded_node::on_stmt): Treat __analyzer_dump_exploded_nodes as
	known.  Track whether we have a call with unknown side-effects and
	pass it to on_call_post.
	* exploded-graph.h (impl_region_model_context::on_unknown_change):
	New decl.
	* program-state.cc (sm_state_map::on_unknown_change): New function.
	* program-state.h (sm_state_map::on_unknown_change): New decl.
	* region-model.cc: Include "bitmap.h".
	(region_model::on_call_pre): Return a bool, capturing whether the
	call has unknown side effects.
	(region_model::on_call_post): Add arg "bool unknown_side_effects"
	and if true, call handle_unrecognized_call.
	(class reachable_regions): New class.
	(region_model::handle_unrecognized_call): New function.
	* region-model.h (region_model::on_call_pre): Return a bool.
	(region_model::on_call_post): Add arg "bool unknown_side_effects".
	(region_model::handle_unrecognized_call): New decl.
	(region_model_context::on_unknown_change): New vfunc.
	(test_region_model_context::on_unknown_change): New function.

2020-01-14  David Malcolm  <dmalcolm@redhat.com>

	* diagnostic-manager.cc (saved_diagnostic::operator==): Move here
	from header.  Replace pointer equality test on m_var with call to
	pending_diagnostic::same_tree_p.
	* diagnostic-manager.h (saved_diagnostic::operator==): Move to
	diagnostic-manager.cc.
	* pending-diagnostic.cc (pending_diagnostic::same_tree_p): New.
	* pending-diagnostic.h (pending_diagnostic::same_tree_p): New.
	* sm-file.cc (file_diagnostic::subclass_equal_p): Replace pointer
	equality on m_arg with call to pending_diagnostic::same_tree_p.
	* sm-malloc.cc (malloc_diagnostic::subclass_equal_p): Likewise.
	(possible_null_arg::subclass_equal_p): Likewise.
	(null_arg::subclass_equal_p): Likewise.
	(free_of_non_heap::subclass_equal_p): Likewise.
	* sm-pattern-test.cc (pattern_match::operator==): Likewise.
	* sm-sensitive.cc (exposure_through_output_file::operator==):
	Likewise.
	* sm-taint.cc (tainted_array_index::operator==): Likewise.

2020-01-14  David Malcolm  <dmalcolm@redhat.com>

	* diagnostic-manager.cc (dedupe_winners::add): Add logging
	of deduplication decisions made.

2020-01-14  David Malcolm  <dmalcolm@redhat.com>

	* ChangeLog: New file.
	* analyzer-selftests.cc: New file.
	* analyzer-selftests.h: New file.
	* analyzer.opt: New file.
	* analysis-plan.cc: New file.
	* analysis-plan.h: New file.
	* analyzer-logging.cc: New file.
	* analyzer-logging.h: New file.
	* analyzer-pass.cc: New file.
	* analyzer.cc: New file.
	* analyzer.h: New file.
	* call-string.cc: New file.
	* call-string.h: New file.
	* checker-path.cc: New file.
	* checker-path.h: New file.
	* constraint-manager.cc: New file.
	* constraint-manager.h: New file.
	* diagnostic-manager.cc: New file.
	* diagnostic-manager.h: New file.
	* engine.cc: New file.
	* engine.h: New file.
	* exploded-graph.h: New file.
	* pending-diagnostic.cc: New file.
	* pending-diagnostic.h: New file.
	* program-point.cc: New file.
	* program-point.h: New file.
	* program-state.cc: New file.
	* program-state.h: New file.
	* region-model.cc: New file.
	* region-model.h: New file.
	* sm-file.cc: New file.
	* sm-malloc.cc: New file.
	* sm-malloc.dot: New file.
	* sm-pattern-test.cc: New file.
	* sm-sensitive.cc: New file.
	* sm-signal.cc: New file.
	* sm-taint.cc: New file.
	* sm.cc: New file.
	* sm.h: New file.
	* state-purge.cc: New file.
	* state-purge.h: New file.
	* supergraph.cc: New file.
	* supergraph.h: New file.

2019-12-13  David Malcolm  <dmalcolm@redhat.com>

	* Initial creation


Copyright (C) 2019-2024 Free Software Foundation, Inc.

Copying and distribution of this file, with or without modification,
are permitted in any medium without royalty provided the copyright
notice and this notice are preserved.