1 2024-03-07  Jakub Jelinek  <jakub@redhat.com>
3         * access-diagram.cc: Include diagnostic-core.h before including
4         diagnostic.h or diagnostic-path.h.
5         * sm-malloc.cc: Likewise.
6         * diagnostic-manager.cc: Likewise.
7         * call-summary.cc: Likewise.
8         * record-layout.cc: Likewise.
10 2024-02-29  David Malcolm  <dmalcolm@redhat.com>
12         PR analyzer/114159
13         * analyzer.cc: Include "tree-dfa.h".
14         (get_ssa_default_def): New decl.
15         * analyzer.h (get_ssa_default_def): New.
16         * call-info.cc (call_info::call_info): New ctor taking an explicit
17         called_fn.
18         * call-info.h (call_info::call_info): Likewise.
19         * call-summary.cc (call_summary_replay::call_summary_replay):
20         Convert param from function * to const function &.
21         * call-summary.h (call_summary_replay::call_summary_replay):
22         Likewise.
23         * checker-event.h (state_change_event::get_dest_function):
24         Constify return value.
25         * engine.cc (point_and_state::validate): Update for conversion to
26         const function &.
27         (exploded_node::on_stmt): Likewise.
28         (call_summary_edge_info::call_summary_edge_info): Likewise.
29         Pass in called_fn to call_info ctor.
30         (exploded_node::replay_call_summaries): Update for conversion to
31         const function &.  Convert per_function_data from * to &.
32         (exploded_node::replay_call_summary): Update for conversion to
33         const function &.
34         (exploded_graph::add_function_entry): Likewise.
35         (toplevel_function_p): Likewise.
36         (add_tainted_args_callback): Likewise.
37         (exploded_graph::build_initial_worklist): Likewise.
38         (exploded_graph::maybe_create_dynamic_call): Likewise.
39         (maybe_update_for_edge): Likewise.
40         (exploded_graph::on_escaped_function): Likewise.
41         * exploded-graph.h (exploded_node::replay_call_summaries):
42         Likewise.
43         (exploded_node::replay_call_summary): Likewise.
44         (exploded_graph::add_function_entry): Likewise.
45         * program-point.cc (function_point::from_function_entry):
46         Likewise.
47         (program_point::from_function_entry): Likewise.
48         * program-point.h (function_point::from_function_entry): Likewise.
49         (program_point::from_function_entry): Likewise.
50         * program-state.cc (program_state::push_frame): Likewise.
51         (program_state::get_current_function): Constify return type.
52         * program-state.h (program_state::push_frame): Update for
53         conversion to const function &.
54         (program_state::get_current_function): Likewise.
55         * region-model-manager.cc
56         (region_model_manager::get_frame_region): Likewise.
57         * region-model-manager.h
58         (region_model_manager::get_frame_region): Likewise.
59         * region-model.cc (region_model::called_from_main_p): Likewise.
60         (region_model::update_for_gcall): Likewise.
61         (region_model::push_frame): Likewise.
62         (region_model::get_current_function): Constify return type.
63         (region_model::pop_frame): Update for conversion to
64         const function &.
65         (selftest::test_stack_frames): Likewise.
66         (selftest::test_get_representative_path_var): Likewise.
67         (selftest::test_state_merging): Likewise.
68         (selftest::test_alloca): Likewise.
69         * region-model.h (region_model::push_frame): Likewise.
70         (region_model::get_current_function): Likewise.
71         * region.cc (frame_region::dump_to_pp): Likewise.
72         (frame_region::get_region_for_local): Likewise.
73         * region.h (class frame_region): Likewise.
74         * sm-signal.cc (signal_unsafe_call::describe_state_change):
75         Likewise.
76         (update_model_for_signal_handler): Likewise.
77         (signal_delivery_edge_info_t::update_model): Likewise.
78         (register_signal_handler::impl_transition): Likewise.
79         * state-purge.cc (class gimple_op_visitor): Likewise.
80         (state_purge_map::state_purge_map): Likewise.
81         (state_purge_map::get_or_create_data_for_decl): Likewise.
82         (state_purge_per_ssa_name::state_purge_per_ssa_name): Likewise.
83         (state_purge_per_ssa_name::add_to_worklist): Likewise.
84         (state_purge_per_ssa_name::process_point): Likewise.
85         (state_purge_per_decl::add_to_worklist): Likewise.
86         (state_purge_annotator::print_needed): Likewise.
87         * state-purge.h
88         (state_purge_map::get_or_create_data_for_decl): Likewise.
89         (class state_purge_per_tree): Likewise.
90         (class state_purge_per_ssa_name): Likewise.
91         (class state_purge_per_decl): Likewise.
92         * supergraph.cc (supergraph::dump_dot_to_pp): Likewise.
93         * supergraph.h
94         (supergraph::get_node_for_function_entry): Likewise.
95         (supergraph::get_node_for_function_exit): Likewise.
97 2024-02-27  David Malcolm  <dmalcolm@redhat.com>
99         PR analyzer/110483
100         PR analyzer/111802
101         * access-diagram.cc
102         (string_literal_spatial_item::add_column_for_byte): Use %wu for
103         printing unsigned HOST_WIDE_INT.
105 2024-02-27  David Malcolm  <dmalcolm@redhat.com>
107         PR analyzer/111881
108         * constraint-manager.cc (bound::ensure_closed): Assert that
109         m_constant has integral type.
110         (range::add_bound): Bail out on floating point constants.
112 2024-02-21  David Malcolm  <dmalcolm@redhat.com>
114         PR analyzer/113999
115         * analyzer.h (get_string_cst_size): New decl.
116         * region-model-manager.cc (get_string_cst_size): New.
117         (region_model_manager::maybe_get_char_from_string_cst): Treat
118         single-byte accesses within string_cst but beyond
119         TREE_STRING_LENGTH as being 0.
120         * region-model.cc (string_cst_has_null_terminator): Likewise.
122 2024-02-21  David Malcolm  <dmalcolm@redhat.com>
124         PR analyzer/113998
125         * ranges.cc (symbolic_byte_range::intersection): Handle empty ranges.
126         (selftest::test_intersects): Add test coverage for empty ranges.
128 2024-02-19  David Malcolm  <dmalcolm@redhat.com>
130         PR analyzer/111289
131         * varargs.cc (representable_in_integral_type_p): New.
132         (va_arg_compatible_types_p): Add "arg_sval" param.  Handle integer
133         types.
134         (kf_va_arg::impl_call_pre): Pass arg_sval to
135         va_arg_compatible_types_p.
137 2024-02-19  Andrew Pinski  <quic_apinski@quicinc.com>
139         PR analyzer/113983
140         * region-model-manager.cc (maybe_undo_optimize_bit_field_compare): Reject
141         non-integral types.
143 2024-02-15  David Malcolm  <dmalcolm@redhat.com>
145         PR analyzer/111266
146         * region.cc (offset_region::get_byte_size_sval): Delete.
147         (offset_region::get_bit_size_sval): Delete.
148         * region.h (region::get_byte_size): Add comment clarifying that
149         this relates to the size of the access, rather than the size
150         that's valid to access.
151         (region::get_bit_size): Likewise.
152         (region::get_byte_size_sval): Likewise.
153         (region::get_bit_size_sval): Likewise.
154         (offset_region::get_byte_size_sval): Delete.
155         (offset_region::get_bit_size_sval): Delete.
157 2024-02-13  David Malcolm  <dmalcolm@redhat.com>
159         * pending-diagnostic.cc (diagnostic_emission_context::warn):
160         Update for renaming of emit_diagnostic_valist overload to
161         emit_diagnostic_valist_meta.
162         (diagnostic_emission_context::inform): Likewise.
164 2024-01-31  David Malcolm  <dmalcolm@redhat.com>
166         PR analyzer/113253
167         * region-model.cc (region_model::on_stmt_pre): Add gcc_unreachable
168         for debug statements.
169         * state-purge.cc
170         (state_purge_per_ssa_name::state_purge_per_ssa_name): Skip any
171         debug stmts in the FOR_EACH_IMM_USE_FAST list.
172         * supergraph.cc (supergraph::supergraph): Don't add debug stmts
173         to the supernodes.
175 2024-01-31  David Malcolm  <dmalcolm@redhat.com>
177         PR analyzer/113509
178         * checker-event.cc (state_change_event::get_desc): Don't assume
179         "var" is non-NULL.
181 2024-01-30  David Malcolm  <dmalcolm@redhat.com>
183         PR analyzer/113654
184         * region-model.cc (is_round_up): New.
185         (is_multiple_p): New.
186         (is_dubious_capacity): New.
187         (region_model::check_region_size): Move usage of size_visitor into
188         is_dubious_capacity.
190 2024-01-30  David Malcolm  <dmalcolm@redhat.com>
192         * region-model.cc
193         (dubious_allocation_size::dubious_allocation_size): Add
194         "capacity_sval" param.  Drop unused ctor.
195         (dubious_allocation_size::maybe_add_sarif_properties): New.
196         (dubious_allocation_size::m_capacity_sval): New field.
197         (region_model::check_region_size): Pass capacity svalue to
198         dubious_allocation_size ctor.
200 2024-01-25  David Malcolm  <dmalcolm@redhat.com>
202         PR analyzer/112969
203         * store.cc (binding_cluster::maybe_get_compound_binding): When
204         populating default_map, express the bit-range of the default key
205         for REG relative to REG, rather than to the base region.
207 2024-01-24  David Malcolm  <dmalcolm@redhat.com>
209         PR analyzer/112977
210         * engine.cc (impl_region_model_context::on_liveness_change): Pass
211         m_ext_state to sm_state_map::on_liveness_change.
212         * program-state.cc (sm_state_map::on_svalue_leak): Guard removal
213         of map entry based on can_purge_p.
214         (sm_state_map::on_liveness_change): Add ext_state param.  Add
215         workaround for bad interaction between state purging and
216         alt-inherited sm-state.
217         * program-state.h (sm_state_map::on_liveness_change): Add
218         ext_state param.
219         * sm-taint.cc
220         (taint_state_machine::has_alt_get_inherited_state_p): New.
221         (taint_state_machine::can_purge_p): Return false for "has_lb" and
222         "has_ub".
223         * sm.h (state_machine::has_alt_get_inherited_state_p): New vfunc.
225 2024-01-18  David Malcolm  <dmalcolm@redhat.com>
227         PR analyzer/111361
228         * region-model.cc (svalue_byte_range_has_null_terminator_1): The
229         initial byte of an all-zeroes SVAL is a zero byte.  Remove
230         gcc_unreachable from SK_CONSTANT for constants that aren't
231         STRING_CST or INTEGER_CST.
233 2024-01-18  David Malcolm  <dmalcolm@redhat.com>
235         PR analyzer/112811
236         * region-model.cc (fragment::dump_to_pp): New.
237         (fragment::has_null_terminator): Convert to...
238         (svalue_byte_range_has_null_terminator_1): ...this new function,
239         updating to use a byte_range relative to the start of the svalue.
240         (svalue_byte_range_has_null_terminator): New.
241         (fragment::string_cst_has_null_terminator): Convert to...
242         (string_cst_has_null_terminator): ...this, updating to use a
243         byte_range relative to the start of the svalue.
244         (iterable_cluster::dump_to_pp): New.
245         (region_model::scan_for_null_terminator): Add logging, moving body
246         to...
247         (region_model::scan_for_null_terminator_1): ...this new function,
248         adding more logging, and updating to use
249         svalue_byte_range_has_null_terminator.
250         * region-model.h (region_model::scan_for_null_terminator_1): New
251         decl.
253 2024-01-16  David Malcolm  <dmalcolm@redhat.com>
255         PR analyzer/106229
256         * analyzer.h (compare_constants): New decl.
257         * constraint-manager.cc (compare_constants): Make non-static.
258         * sm-taint.cc: Add include "fold-const.h".
259         (class concrete_range): New.
260         (get_possible_range): New.
261         (index_can_be_out_of_bounds_p): New.
262         (region_model::check_region_for_taint): Reject
263         -Wanalyzer-tainted-array-index if the type of the value makes it
264         impossible for it to be out-of-bounds of the array.
266 2024-01-16  David Malcolm  <dmalcolm@redhat.com>
268         PR analyzer/113333
269         * region-model-manager.cc
270         (region_model_manager::maybe_fold_unaryop): Casting all zeroes
271         should give all zeroes.
273 2024-01-04  David Malcolm  <dmalcolm@redhat.com>
275         * analyzer.opt.urls: New file, autogenerated by
276         regenerate-opt-urls.py.
278 2024-01-04  David Malcolm  <dmalcolm@redhat.com>
280         * checker-event.cc: Include "diagnostic-format-sarif.h" and
281         "tree-logical-location.h".
282         (checker_event::maybe_add_sarif_properties): New.
283         (superedge_event::maybe_add_sarif_properties): New.
284         (superedge_event::superedge_event): Add comment.
285         * checker-event.h (checker_event::maybe_add_sarif_properties): New
286         decl.
287         (superedge_event::maybe_add_sarif_properties): New decl.
289 2024-01-04  David Malcolm  <dmalcolm@redhat.com>
291         PR analyzer/112790
292         * checker-event.cc (class inlining_info): Move to...
293         * inlining-iterator.h (class inlining_info): ...here.
294         * sm-malloc.cc: Include "analyzer/inlining-iterator.h".
295         (maybe_complain_about_deref_before_check): Reject stmts that were
296         inlined from another function.
298 2024-01-04  David Malcolm  <dmalcolm@redhat.com>
300         PR analyzer/113222
301         * access-diagram.cc (valid_region_spatial_item::add_boundaries):
302         Handle TYPE_DOMAIN being null.
303         (valid_region_spatial_item::add_array_elements_to_table):
304         Likewise.
306 2023-12-16  David Malcolm  <dmalcolm@redhat.com>
308         * analyzer.cc: Include "tree-pretty-print.h" and
309         "diagnostic-event-id.h".
310         (tree_to_json): New.
311         (diagnostic_event_id_to_json): New.
312         (bit_offset_to_json): New.
313         (byte_offset_to_json): New.
314         * analyzer.h (tree_to_json): New decl.
315         (diagnostic_event_id_to_json): New decl.
316         (bit_offset_to_json): New decl.
317         (byte_offset_to_json): New decl.
318         * bounds-checking.cc: Include "diagnostic-format-sarif.h".
319         (out_of_bounds::maybe_add_sarif_properties): New.
320         (concrete_out_of_bounds::maybe_add_sarif_properties): New.
321         (concrete_past_the_end::maybe_add_sarif_properties): New.
322         (symbolic_past_the_end::maybe_add_sarif_properties): New.
323         * region-model.cc (region_to_value_map::to_json): New.
324         (region_model::to_json): New.
325         * region-model.h (region_to_value_map::to_json): New decl.
326         (region_model::to_json): New decl.
327         * store.cc (bit_range::to_json): New.
328         (byte_range::to_json): New.
329         * store.h (bit_range::to_json): New decl.
330         (byte_range::to_json): New decl.
332 2023-12-16  David Malcolm  <dmalcolm@redhat.com>
334         PR analyzer/112792
335         * bounds-checking.cc
336         (out_of_bounds::oob_region_creation_event_capacity): Rename
337         "capacity" to "byte_capacity".  Layout fix.
338         (out_of_bounds::add_region_creation_events): Rename
339         "capacity" to "byte_capacity".
340         (class concrete_out_of_bounds): Rename m_out_of_bounds_range to
341         m_out_of_bounds_bits and convert from a byte_range to a bit_range.
342         (concrete_out_of_bounds::get_out_of_bounds_bytes): New.
343         (concrete_past_the_end::concrete_past_the_end): Rename param
344         "byte_bound" to "bit_bound".  Initialize m_byte_bound.
345         (concrete_past_the_end::subclass_equal_p): Update for renaming
346         of m_byte_bound to m_bit_bound.
347         (concrete_past_the_end::m_bit_bound): New field.
348         (concrete_buffer_overflow::concrete_buffer_overflow): Convert
349         param "range" from byte_range to bit_range.  Rename param
350         "byte_bound" to "bit_bound".
351         (concrete_buffer_overflow::emit): Update for bits vs bytes.
352         (concrete_buffer_overflow::describe_final_event): Split
353         into...
354         (concrete_buffer_overflow::describe_final_event_as_bytes): ...this
355         (concrete_buffer_overflow::describe_final_event_as_bits): ...and
356         this.
357         (concrete_buffer_over_read::concrete_buffer_over_read): Convert
358         param "range" from byte_range to bit_range.  Rename param
359         "byte_bound" to "bit_bound".
360         (concrete_buffer_over_read::emit): Update for bits vs bytes.
361         (concrete_buffer_over_read::describe_final_event): Split into...
362         (concrete_buffer_over_read::describe_final_event_as_bytes):
363         ...this
364         (concrete_buffer_over_read::describe_final_event_as_bits): ...and
365         this.
366         (concrete_buffer_underwrite::concrete_buffer_underwrite): Convert
367         param "range" from byte_range to bit_range.
368         (concrete_buffer_underwrite::describe_final_event): Split into...
369         (concrete_buffer_underwrite::describe_final_event_as_bytes):
370         ...this
371         (concrete_buffer_underwrite::describe_final_event_as_bits): ...and
372         this.
373         (concrete_buffer_under_read::concrete_buffer_under_read): Convert
374         param "range" from byte_range to bit_range.
375         (concrete_buffer_under_read::describe_final_event): Split into...
376         (concrete_buffer_under_read::describe_final_event_as_bytes):
377         ...this
378         (concrete_buffer_under_read::describe_final_event_as_bits): ...and
379         this.
380         (region_model::check_region_bounds): Use bits for concrete values,
381         and rename locals to indicate whether we're dealing with bits or
382         bytes.  Specifically, replace "num_bytes_sval" with
383         "num_bits_sval", and get it from reg's "get_bit_size_sval".
384         Replace "num_bytes_tree" with "num_bits_tree".  Rename "capacity"
385         to "byte_capacity".  Rename "cst_capacity_tree" to
386         "cst_byte_capacity_tree".  Replace "offset" and
387         "num_bytes_unsigned" with "bit_offset" and "num_bits_unsigned"
388         respectively, converting from byte_offset_t to bit_offset_t.
389         Replace "out" and "read_bytes" with "bits_outside" and "read_bits"
390         respectively, converting from byte_range to bit_range.  Convert
391         "buffer" from byte_range to bit_range.  Replace "byte_bound" with
392         "bit_bound".
393         * region.cc (region::get_bit_size_sval): New.
394         (offset_region::get_bit_offset): New.
395         (offset_region::get_bit_size_sval): New.
396         (sized_region::get_bit_size_sval): New.
397         (bit_range_region::get_bit_size_sval): New.
398         * region.h (region::get_bit_size_sval): New vfunc.
399         (offset_region::get_bit_offset): New decl.
400         (offset_region::get_bit_size_sval): New decl.
401         (sized_region::get_bit_size_sval): New decl.
402         (bit_range_region::get_bit_size_sval): New decl.
403         * store.cc (bit_range::intersects_p): New, based on
404         byte_range::intersects_p.
405         (bit_range::exceeds_p): New, based on byte_range::exceeds_p.
406         (bit_range::falls_short_of_p): New, based on
407         byte_range::falls_short_of_p.
408         (byte_range::intersects_p): Delete.
409         (byte_range::exceeds_p): Delete.
410         (byte_range::falls_short_of_p): Delete.
411         * store.h (bit_range::intersects_p): New overload.
412         (bit_range::exceeds_p): New.
413         (bit_range::falls_short_of_p): New.
414         (byte_range::intersects_p): Delete.
415         (byte_range::exceeds_p): Delete.
416         (byte_range::falls_short_of_p): Delete.
418 2023-12-14  David Malcolm  <dmalcolm@redhat.com>
420         PR analyzer/112655
421         * infinite-loop.cc (infinite_loop::infinite_loop): Pass eedges
422         via rvalue reference rather than by value.
423         (starts_infinite_loop_p): Move eedges when constructing an
424         infinite_loop instance.
425         * sm-file.cc (fileptr_state_machine::fileptr_state_machine): Use
426         initializer list for states.
427         * sm-sensitive.cc
428         (sensitive_state_machine::sensitive_state_machine): Likewise.
429         * sm-signal.cc (signal_state_machine::signal_state_machine):
430         Likewise.
431         * sm-taint.cc (taint_state_machine::taint_state_machine):
432         Likewise.
433         * varargs.cc (va_list_state_machine::va_list_state_machine): Likewise.
435 2023-12-11  David Malcolm  <dmalcolm@redhat.com>
437         PR analyzer/112955
438         * engine.cc (feasibility_state::feasibility_state): Initialize
439         m_snodes_visited.
441 2023-12-11  Andrew Pinski  <apinski@marvell.com>
443         * region-model-manager.cc (maybe_undo_optimize_bit_field_compare): Remove
444         the check for type being unsigned_char_type_node.
446 2023-12-08  David Malcolm  <dmalcolm@redhat.com>
448         * sm-taint.cc (taint_state_machine::alt_get_inherited_state): Fix
449         handling of TRUNC_MOD_EXPR.
451 2023-12-08  David Malcolm  <dmalcolm@redhat.com>
453         * region-model.cc (contains_uninit_p): Only check for
454         svalues that the infoleak warning can handle.
456 2023-12-08  David Malcolm  <dmalcolm@redhat.com>
458         PR analyzer/112889
459         * store.h (concrete_binding::concrete_binding): Strengthen
460         assertion to require size to be positive, rather than just
461         non-zero.
462         (concrete_binding::mark_deleted): Use size rather than start bit
463         offset.
464         (concrete_binding::mark_empty): Likewise.
465         (concrete_binding::is_deleted): Likewise.
466         (concrete_binding::is_empty): Likewise.
468 2023-12-07  Alexandre Oliva  <oliva@adacore.com>
470         * region-model.cc (has_nondefault_case_for_value_p): Take
471         enumerated type as a parameter.
472         (region_model::apply_constraints_for_gswitch): Cope with
473         integral promotion type casts.
475 2023-12-07  David Malcolm  <dmalcolm@redhat.com>
477         PR analyzer/103546
478         PR analyzer/112850
479         * analyzer.opt (-param=analyzer-max-svalue-depth=): Increase from
480         12 to 18.
481         (Wanalyzer-symbol-too-complex): New.
482         * diagnostic-manager.cc
483         (null_assignment_sm_context::clear_all_per_svalue_state): New.
484         * engine.cc (impl_sm_context::clear_all_per_svalue_state): New.
485         * program-state.cc (sm_state_map::clear_all_per_svalue_state):
486         New.
487         * program-state.h (sm_state_map::clear_all_per_svalue_state): New
488         decl.
489         * region-model-manager.cc
490         (region_model_manager::reject_if_too_complex): Add
491         -Wanalyzer-symbol-too-complex.
492         * sm-taint.cc (taint_state_machine::on_condition): Handle
493         comparisons against UNKNOWN.
494         * sm.h (sm_context::clear_all_per_svalue_state): New.
496 2023-12-06  David Malcolm  <dmalcolm@redhat.com>
498         * engine.cc (dump_analyzer_json): Use
499         flag_diagnostics_json_formatting.
501 2023-12-01  David Malcolm  <dmalcolm@redhat.com>
503         * analyzer.h (class saved_diagnostic): New forward decl.
504         * bounds-checking.cc: Update for changes to
505         pending_diagnostic::emit.
506         * call-details.cc: Likewise.
507         * diagnostic-manager.cc: Include "diagnostic-format-sarif.h".
508         (saved_diagnostic::maybe_add_sarif_properties): New.
509         (class pending_diagnostic_metadata): New.
510         (diagnostic_manager::emit_saved_diagnostic): Create a
511         pending_diagnostic_metadata and a diagnostic_emission_context.
512         Pass the latter to the pending_diagnostic::emit vfunc.
513         * diagnostic-manager.h
514         (saved_diagnostic::maybe_add_sarif_properties): New decl.
515         * engine.cc: Update for changes to pending_diagnostic::emit.
516         * infinite-loop.cc: Likewise.
517         * infinite-recursion.cc: Likewise.
518         * kf-analyzer.cc: Likewise.
519         * kf.cc: Likewise.
520         * pending-diagnostic.cc
521         (diagnostic_emission_context::get_pending_diagnostic): New.
522         (diagnostic_emission_context::warn): New.
523         (diagnostic_emission_context::inform): New.
524         * pending-diagnostic.h (class diagnostic_emission_context): New.
525         (pending_diagnostic::emit): Update params.
526         (pending_diagnostic::maybe_add_sarif_properties): New vfunc.
527         * region.cc: Don't include "diagnostic-metadata.h".
528         * region-model.cc: Include "diagnostic-format-sarif.h".  Update
529         for changes to pending_diagnostic::emit.
530         (exposure_through_uninit_copy::maybe_add_sarif_properties): New.
531         * sm-fd.cc: Update for changes to pending_diagnostic::emit.
532         * sm-file.cc: Likewise.
533         * sm-malloc.cc: Likewise.
534         * sm-pattern-test.cc: Likewise.
535         * sm-sensitive.cc: Likewise.
536         * sm-signal.cc: Likewise.
537         * sm-taint.cc: Likewise.
538         * store.cc: Don't include "diagnostic-metadata.h".
539         * varargs.cc: Update for changes to pending_diagnostic::emit.
541 2023-11-19  David Malcolm  <dmalcolm@redhat.com>
543         * analyzer.h: Include "rich-location.h".
545 2023-11-19  David Malcolm  <dmalcolm@redhat.com>
547         PR analyzer/107573
548         * analyzer.h (register_known_functions): Add region_model_manager
549         param.
550         * analyzer.opt (Wanalyzer-undefined-behavior-strtok): New.
551         * call-summary.cc
552         (call_summary_replay::convert_region_from_summary_1): Handle
553         RK_PRIVATE.
554         * engine.cc (impl_run_checkers): Pass model manager to
555         register_known_functions.
556         * kf.cc (class undefined_function_behavior): New.
557         (class kf_strtok): New.
558         (register_known_functions): Add region_model_manager param.
559         Use it to register "strtok".
560         * region-model-manager.cc
561         (region_model_manager::get_or_create_conjured_svalue): Add "idx"
562         param.
563         * region-model-manager.h
564         (region_model_manager::get_or_create_conjured_svalue): Add "idx"
565         param.
566         (region_model_manager::get_root_region): New accessor.
567         * region-model.cc (region_model::scan_for_null_terminator): Handle
568         "expr" being null.
569         (region_model::get_representative_path_var_1): Handle RK_PRIVATE.
570         * region-model.h (region_model::called_from_main_p): Make public.
571         * region.cc (region::get_memory_space): Handle RK_PRIVATE.
572         (region::can_have_initial_svalue_p): Handle MEMSPACE_PRIVATE.
573         (private_region::dump_to_pp): New.
574         * region.h (MEMSPACE_PRIVATE): New.
575         (RK_PRIVATE): New.
576         (class private_region): New.
577         (is_a_helper <const private_region *>::test): New.
578         * store.cc (store::replay_call_summary_cluster): Handle
579         RK_PRIVATE.
580         * svalue.h (struct conjured_svalue::key_t): Add "idx" param to
581         ctor and "m_idx" field.
582         (class conjured_svalue::conjured_svalue): Likewise.
584 2023-11-18  David Malcolm  <dmalcolm@redhat.com>
586         PR analyzer/106147
587         * analyzer.opt (Wanalyzer-infinite-loop): New option.
588         (fdump-analyzer-infinite-loop): New option.
589         * checker-event.h (start_cfg_edge_event::get_desc): Drop "final".
590         (start_cfg_edge_event::maybe_describe_condition): Convert from
591         private to protected.
592         * checker-path.h (checker_path::get_logger): New.
593         * diagnostic-manager.cc (process_worklist_item): Update for
594         new context param of maybe_update_for_edge.
595         * engine.cc
596         (impl_region_model_context::impl_region_model_context): Add
597         out_could_have_done_work param to both ctors and use it to
598         initialize mm_out_could_have_done_work.
599         (impl_region_model_context::maybe_did_work): New vfunc
600         implementation.
601         (exploded_node::on_stmt): Add out_could_have_done_work param and
602         pass to ctxt ctor.
603         (exploded_node::on_stmt_pre): Treat setjmp and longjmp as "doing
604         work".
605         (exploded_node::on_longjmp): Likewise.
606         (exploded_edge::exploded_edge): Add "could_do_work" param and use
607         it to initialize m_could_do_work_p.
608         (exploded_edge::dump_dot_label): Add result of could_do_work_p.
609         (exploded_graph::add_function_entry): Mark edge as doing no work.
610         (exploded_graph::add_edge): Add "could_do_work" param and pass to
611         exploded_edge ctor.
612         (add_tainted_args_callback): Treat as doing no work.
613         (exploded_graph::process_worklist): Likewise when merging nodes.
614         (maybe_process_run_of_before_supernode_enodes::item): Likewise.
615         (exploded_graph::maybe_create_dynamic_call): Likewise.
616         (exploded_graph::process_node): Likewise for phi nodes.
617         Pass in a "could_have_done_work" bool when handling stmts and use
618         when creating edges.  Assume work is done at bifurcation.
619         (exploded_path::feasible_p): Update for new context param of
620         maybe_update_for_edge.
621         (feasibility_state::feasibility_state): New ctor.
622         (feasibility_state::operator=): New.
623         (feasibility_state::maybe_update_for_edge): Add ctxt param and use
624         it.  Fix missing newline when logging state.
625         (impl_run_checkers): Call exploded_graph::detect_infinite_loops.
626         * exploded-graph.h
627         (impl_region_model_context::impl_region_model_context): Add
628         out_could_have_done_work param to both ctors.
629         (impl_region_model_context::maybe_did_work): New decl.
630         (impl_region_model_context::checking_for_infinite_loop_p): New.
631         (impl_region_model_context::on_unusable_in_infinite_loop): New.
632         (impl_region_model_context::m_out_could_have_done_work): New
633         field.
634         (exploded_node::on_stmt): Add "out_could_have_done_work" param.
635         (exploded_edge::exploded_edge): Add "could_do_work" param.
636         (exploded_edge::could_do_work_p): New accessor.
637         (exploded_edge::m_could_do_work_p): New field.
638         (exploded_graph::add_edge): Add "could_do_work" param.
639         (exploded_graph::detect_infinite_loops): New decl.
640         (feasibility_state::feasibility_state): New ctor.
641         (feasibility_state::operator=): New decl.
642         (feasibility_state::maybe_update_for_edge): Add ctxt param.
643         * infinite-loop.cc: New file.
644         * program-state.cc (program_state::on_edge): Log the rejected
645         constraint when region_model::maybe_update_for_edge fails.
646         * region-model.cc (region_model::on_assignment): Treat any writes
647         other than to the stack as "doing work".
648         (region_model::on_stmt_pre): Treat all asm stmts as "doing work".
649         (region_model::on_call_post): Likewise for all calls to functions
650         with unknown side effects.
651         (region_model::handle_phi): Add svals_changing_meaning param.
652         Mark widening svalue in phi nodes as changing meaning.
653         (unusable_in_infinite_loop_constraint_p): New.
654         (region_model::add_constraint): If we're checking for an infinite
655         loop, bail out on unusable svalues, or if we don't have a definite
656         true/false for the constraint.
657         (region_model::update_for_phis): Gather all svalues changing
658         meaning in phi nodes, and purge constraints involving them.
659         (region_model::replay_call_summary): Treat all call summaries as
660         doing work.
661         (region_model::can_merge_with_p): Purge constraints involving
662         svalues that change meaning.
663         (model_merger::on_widening_reuse): New.
664         (test_iteration_1): Likewise.
665         (selftest::test_iteration_1): Remove assertion that model6 "knows"
666         that i < 157.
667         * region-model.h (region_model::handle_phi): Add
668         svals_changing_meaning param.
669         (region_model_context::maybe_did_work): New pure virtual func.
670         (region_model_context::checking_for_infinite_loop_p): Likewise.
671         (region_model_context::on_unusable_in_infinite_loop): Likewise.
672         (noop_region_model_context::maybe_did_work): Implement.
673         (noop_region_model_context::checking_for_infinite_loop_p):
674         Likewise.
675         (noop_region_model_context::on_unusable_in_infinite_loop):
676         Likewise.
677         (region_model_context_decorator::maybe_did_work): Implement.
678         (region_model_context_decorator::checking_for_infinite_loop_p):
679         Likewise.
680         (region_model_context_decorator::on_unusable_in_infinite_loop):
681         Likewise.
682         (model_merger::on_widening_reuse): New decl.
683         (model_merger::m_svals_changing_meaning): New field.
684         * sm-signal.cc (register_signal_handler::impl_transition): Assume
685         the edge "does work".
686         * supergraph.cc (supernode::get_start_location): Use CFG edge's
687         goto_locus if available.
688         (supernode::get_end_location): Likewise.
689         (cfg_superedge::dump_label_to_pp): Dump edges with a "goto_locus".
690         * supergraph.h (cfg_superedge::get_goto_locus): New.
691         * svalue.cc (svalue::can_merge_p): Call on_widening_reuse for
692         widening values.
693         (involvement_visitor::visit_widening_svalue): New.
694         (svalue::involves_p): Update assertion to allow widening svalues.
696 2023-11-14  David Malcolm  <dmalcolm@redhat.com>
698         PR analyzer/103533
699         * sm-taint.cc: Remove "experimental" from comment.
700         * sm.cc (make_checkers): Always add taint state machine.
702 2023-11-04  David Malcolm  <dmalcolm@redhat.com>
704         * bounds-checking.cc: Update for changes to diagnostic_context.
706 2023-11-02  David Malcolm  <dmalcolm@redhat.com>
708         PR analyzer/112317
709         * access-diagram.cc (class x_aligned_x_ruler_widget): Eliminate
710         unused field "m_col_widths".
711         (access_diagram_impl::add_valid_vs_invalid_ruler): Update for
712         above change.
713         * region-model.cc
714         (check_one_function_attr_null_terminated_string_arg): Remove
715         unused variables "cd_unchecked", "strlen_sval", and
716         "limited_sval".
717         * region-model.h (region_model_context_decorator::warn): Add
718         missing "override".
720 2023-10-31  David Malcolm  <dmalcolm@redhat.com>
722         * record-layout.cc: New file, based on material in region-model.cc.
723         * record-layout.h: Likewise.
724         * region-model.cc: Include "analyzer/record-layout.h".
725         (class record_layout): Move to record-layout.cc and .h.
727 2023-10-26  David Malcolm  <dmalcolm@redhat.com>
729         * region-model.cc
730         (region_model::check_external_function_for_access_attr): Split
731         out, replacing with...
732         (region_model::check_function_attr_access): ...this new function
733         and...
734         (region_model::check_function_attrs): ...this new function.
735         (region_model::check_one_function_attr_null_terminated_string_arg):
736         New.
737         (region_model::check_function_attr_null_terminated_string_arg):
738         New.
739         (region_model::handle_unrecognized_call): Update for renaming of
740         check_external_function_for_access_attr to check_function_attrs.
741         (region_model::check_for_null_terminated_string_arg): Add return
742         value to one overload.  Make both overloads const.
743         * region-model.h: Include "stringpool.h" and "attribs.h".
744         (region_model::check_for_null_terminated_string_arg): Add return
745         value to one overload.  Make both overloads const.
746         (region_model::check_external_function_for_access_attr): Delete
747         decl.
748         (region_model::check_function_attr_access): New decl.
749         (region_model::check_function_attr_null_terminated_string_arg):
750         New decl.
751         (region_model::check_one_function_attr_null_terminated_string_arg):
752         New decl.
753         (region_model::check_function_attrs): New decl.
755 2023-10-09  David Malcolm  <dmalcolm@redhat.com>
757         * access-diagram.cc (boundaries::add): Explicitly state
758         "boundaries::" scope for "kind" enum.
760 2023-10-08  David Malcolm  <dmalcolm@redhat.com>
762         PR analyzer/111155
763         * access-diagram.cc (boundaries::boundaries): Add logger param
764         (boundaries::add): Add logging.
765         (boundaries::get_hard_boundaries_in_range): New.
766         (boundaries::m_logger): New field.
767         (boundaries::get_table_x_for_offset): Make public.
768         (class svalue_spatial_item): New.
769         (class compound_svalue_spatial_item): New.
770         (add_ellipsis_to_gaps): New.
771         (valid_region_spatial_item::valid_region_spatial_item): Add theme
772         param.  Initialize m_boundaries, m_existing_sval, and
773         m_existing_sval_spatial_item.
774         (valid_region_spatial_item::add_boundaries): Set m_boundaries.
775         Add boundaries for any m_existing_sval_spatial_item.
776         (valid_region_spatial_item::add_array_elements_to_table): Rewrite
777         creation of min/max index in terms of
778         maybe_add_array_index_to_table.  Rewrite ellipsis code using
779         add_ellipsis_to_gaps. Add index values for any hard boundaries
780         within the valid region.
781         (valid_region_spatial_item::maybe_add_array_index_to_table): New,
782         based on code formerly in add_array_elements_to_table.
783         (valid_region_spatial_item::make_table): Make use of
784         m_existing_sval_spatial_item, if any.
785         (valid_region_spatial_item::m_boundaries): New field.
786         (valid_region_spatial_item::m_existing_sval): New field.
787         (valid_region_spatial_item::m_existing_sval_spatial_item): New
788         field.
789         (class svalue_spatial_item): Rename to...
790         (class written_svalue_spatial_item): ...this.
791         (class string_region_spatial_item): Rename to...
792         (class string_literal_spatial_item): ...this.  Add "kind".
793         (string_literal_spatial_item::add_boundaries): Use m_kind to
794         determine kind of boundary.  Update for renaming of m_actual_bits
795         to m_bits.
796         (string_literal_spatial_item::make_table): Likewise.  Support not
797         displaying a row for byte indexes, and not displaying a row for
798         the type.
799         (string_literal_spatial_item::add_column_for_byte): Make byte index
800         row optional.
801         (svalue_spatial_item::make): Convert to...
802         (make_written_svalue_spatial_item): ...this.
803         (make_existing_svalue_spatial_item): New.
804         (access_diagram_impl::access_diagram_impl): Pass theme to
805         m_valid_region_spatial_item ctor.  Update for renaming of
806         m_svalue_spatial_item.
807         (access_diagram_impl::find_boundaries): Pass logger to boundaries.
808         Update for renaming of...
809         (access_diagram_impl::m_svalue_spatial_item): Rename to...
810         (access_diagram_impl::m_written_svalue_spatial_item): ...this.
812 2023-10-03  David Malcolm  <dmalcolm@redhat.com>
814         * analyzer-logging.cc (logger::log_va_partial): Use text_info
815         ctor.
816         * analyzer.cc (make_label_text): Likewise.
817         (make_label_text_n): Likewise.
818         * pending-diagnostic.cc (evdesc::event_desc::formatted_print):
819         Likewise.
821 2023-10-02  David Malcolm  <dmalcolm@redhat.com>
823         * program-point.cc: Update for grouping of source printing fields
824         within diagnostic_context.
826 2023-09-15  David Malcolm  <dmalcolm@redhat.com>
828         * analyzer.cc (get_stmt_location): Handle null stmt.
829         * diagnostic-manager.cc (saved_diagnostic::saved_diagnostic): Copy
830         m_loc from ploc.
831         (saved_diagnostic::operator==): Compare m_loc.
832         (saved_diagnostic::calc_best_epath): Only use m_stmt_finder if
833         m_loc is unknown.
834         (dedupe_key::dedupe_key): Initialize m_loc.
835         (dedupe_key::operator==): Compare m_loc.
836         (dedupe_key::get_location): Use m_loc if it's known.
837         (dedupe_key::m_loc): New field.
838         (diagnostic_manager::emit_saved_diagnostic): Only call
839         get_emission_location if m_loc is unknown, preferring to use m_loc
840         if it's available.
841         * diagnostic-manager.h (saved_diagnostic::m_loc): New field.
842         (pending_location::pending_location): Initialize m_loc.  Add
843         overload taking a location_t rather than a stmt/stmt_finder.
844         (pending_location::m_loc): New field.
846 2023-09-15  David Malcolm  <dmalcolm@redhat.com>
848         * analyzer.h (struct pending_location): New forward decl.
849         * diagnostic-manager.cc (saved_diagnostic::saved_diagnostic):
850         Replace params "enode", "snode", "stmt", and "stmt_finder" with
851         "ploc".
852         (diagnostic_manager::add_diagnostic): Likewise for both overloads.
853         * diagnostic-manager.h (saved_diagnostic::saved_diagnostic):
854         Likewise.
855         (struct pending_location): New.
856         (diagnostic_manager::add_diagnostic): Replace params "enode",
857         "snode", "stmt", and "stmt_finder" with "ploc".
858         * engine.cc (impl_region_model_context::warn): Update call to
859         add_diagnostic for above change.
860         (impl_sm_context::warn): Likewise.
861         (impl_region_model_context::on_state_leak): Likewise.
862         * infinite-recursion.cc
863         (exploded_graph::detect_infinite_recursion): Likewise.
865 2023-09-15  David Malcolm  <dmalcolm@redhat.com>
867         * region-model.cc (region_model::get_gassign_result): Handle
868         volatile ops by using a conjured_svalue.
870 2023-09-14  David Malcolm  <dmalcolm@redhat.com>
872         * checker-event.h (checker_event::get_thread_id): New.
873         * checker-path.h (class checker_path): Implement thread-related
874         vfuncs via a single simple_diagnostic_thread instance named
875         "main".
877 2023-09-14  David Malcolm  <dmalcolm@redhat.com>
879         * diagnostic-manager.cc (compatible_epath_p): Fix missing return.
881 2023-09-14  David Malcolm  <dmalcolm@redhat.com>
883         * diagnostic-manager.cc (process_worklist_item): Use
884         std::unique_ptr rather than plain rejected_constraint *.
885         * engine.cc (exploded_path::feasible_p): Likewise.
886         (feasibility_state::maybe_update_for_edge): Likewise.
887         * exploded-graph.h (feasibility_problem::feasibility_problem):
888         Likewise.
889         (feasibility_problem::~feasibility_problem): Delete.
890         (feasibility_problem::m_rc): Use std::unique_ptr.
891         (feasibility_state::maybe_update_for_edge): Likewise.
892         * feasible-graph.cc (feasible_graph::add_feasibility_problem):
893         Likewise.
894         * feasible-graph.h (class infeasible_node): Likewise.
895         (feasible_graph::add_feasibility_problem): Likewise.
896         * region-model.cc (region_model::add_constraint): Likewise.
897         (region_model::maybe_update_for_edge): Likewise.
898         (region_model::apply_constraints_for_gcond): Likewise.
899         (region_model::apply_constraints_for_gswitch): Likewise.
900         (region_model::apply_constraints_for_exception): Likewise.
901         * region-model.h (class region_model): Likewise for decls.
903 2023-09-09  benjamin priour  <vultkayn@gcc.gnu.org>
905         PR analyzer/96395
906         * region-model.cc
907         (region_model::add_constraints_from_binop): binop_svalues around
908         LT_EXPR, LE_EXPR, GT_EXPR, GE_EXPR are now unwrapped.
910 2023-09-07  David Malcolm  <dmalcolm@redhat.com>
912         PR analyzer/110529
913         * program-point.cc (program_point::on_edge): Don't reject
914         EDGE_ABNORMAL for computed gotos.
915         * region-model.cc (region_model::maybe_update_for_edge): Handle
916         computed goto statements.
917         (region_model::apply_constraints_for_ggoto): New.
918         * region-model.h (region_model::apply_constraints_for_ggoto): New decl.
919         * supergraph.cc (supernode::get_label): New.
920         * supergraph.h (supernode::get_label): New decl.
922 2023-09-07  benjamin priour  <vultkayn@gcc.gnu.org>
923             David Malcolm  <dmalcolm@redhat.com>
925         PR analyzer/110830
926         * diagnostic-manager.cc
927         (compatible_epaths_p): New function.
928         (saved_diagnostic::supercedes_p): Now calls the above
929         to determine if the diagnostics do overlap and the superseding
930         may proceed.
932 2023-09-07  David Malcolm  <dmalcolm@redhat.com>
934         * region-model.h: Fix -Wunused-parameter warnings.
936 2023-09-06  David Malcolm  <dmalcolm@redhat.com>
938         PR analyzer/105899
939         * kf.cc (class kf_strstr): New.
940         (kf_strstr::impl_call_post): New.
941         (register_known_functions): Register it.
943 2023-09-06  David Malcolm  <dmalcolm@redhat.com>
945         PR analyzer/105899
946         * kf.cc (class kf_strncpy): New.
947         (kf_strncpy::impl_call_post): New.
948         (register_known_functions): Register it.
949         * region-model.cc (region_model::read_bytes): Handle unknown
950         number of bytes.
952 2023-09-06  David Malcolm  <dmalcolm@redhat.com>
954         * kf.cc (kf_calloc::impl_call_pre): Pass ctxt to zero_fill_region.
955         (kf_memset::impl_call_pre): Move responsibility for calling
956         check_region_for_write to fill_region.
957         * region-model.cc (region_model::on_assignment): Pass ctxt to
958         zero_fill_region.
959         (region_model::fill_region): Add "ctxt" param, using it to call
960         check_region_for_write.
961         (region_model::zero_fill_region): Likewise.
962         * region-model.h (region_model::fill_region): Add "ctxt" param.
963         (region_model::zero_fill_region): Likewise.
965 2023-09-01  benjamin priour  <priour.be@gmail.com>
967         PR analyzer/105948
968         PR analyzer/94355
969         * analyzer.h (is_placement_new_p): New declaration.
970         * call-details.cc
971         (call_details::deref_ptr_arg): New function.
972         Dereference the argument at the given index if possible.
973         * call-details.h: Declaration of the above function.
974         * kf-lang-cp.cc (is_placement_new_p): Returns true if the gcall
975         is recognized as a placement new.
976         (kf_operator_delete::impl_call_post): Unbinding a region and its
977         descendants now poisons with POISON_KIND_DELETED.
978         (register_known_functions_lang_cp): Known function "operator
979         delete" is now registered only once independently of its number of
980         arguments.
981         * region-model.cc (region_model::eval_condition): Now
982         recursively calls itself if any of the operands is wrapped in a
983         cast.
984         * sm-malloc.cc (malloc_state_machine::on_stmt):
985         Add placement new recognition.
986         * svalue.cc (poison_kind_to_str): Wording for the new PK.
987         * svalue.h (enum poison_kind): Add value POISON_KIND_DELETED.
989 2023-08-31  Francois-Xavier Coudert  <fxcoudert@gcc.gnu.org>
991         * kf.cc: Change spelling to macOS.
993 2023-08-30  Eric Feng  <ef2648@columbia.edu>
995         PR analyzer/107646
996         * engine.cc (impl_region_model_context::warn): New optional
997         parameter.
998         * exploded-graph.h (class impl_region_model_context): Likewise.
999         * region-model.cc (region_model::pop_frame): New callback
1000         feature for region_model::pop_frame.
1001         * region-model.h (struct append_regions_cb_data): Likewise.
1002         (class region_model): Likewise.
1003         (class region_model_context): New optional parameter.
1004         (class region_model_context_decorator): Likewise.
1006 2023-08-30  Francois-Xavier Coudert  <fxcoudert@gcc.gnu.org>
1008         * region-model.cc: Define INCLUDE_ALGORITHM.
1010 2023-08-29  David Malcolm  <dmalcolm@redhat.com>
1012         PR analyzer/99860
1013         * analyzer-selftests.cc (selftest::run_analyzer_selftests): Call
1014         selftest::analyzer_ranges_cc_tests.
1015         * analyzer-selftests.h (selftest::run_analyzer_selftests): New
1016         decl.
1017         * analyzer.opt (Wanalyzer-overlapping-buffers): New option.
1018         * call-details.cc: Include "analyzer/ranges.h" and "make-unique.h".
1019         (class overlapping_buffers): New.
1020         (call_details::complain_about_overlap): New.
1021         * call-details.h (call_details::complain_about_overlap): New decl.
1022         * kf.cc (kf_memcpy_memmove::impl_call_pre): Call
1023         cd.complain_about_overlap for memcpy and memcpy_chk.
1024         (kf_strcat::impl_call_pre): Call cd.complain_about_overlap.
1025         (kf_strcpy::impl_call_pre): Likewise.
1026         * ranges.cc: New file.
1027         * ranges.h: New file.
1029 2023-08-29  David Malcolm  <dmalcolm@redhat.com>
1031         PR analyzer/105899
1032         * kf.cc (kf_strdup::impl_call_pre): Set size of
1033         dynamically-allocated buffer.  Simulate copying the string from
1034         the source region to the new buffer.
1036 2023-08-27  benjamin priour  <vultkayn@gcc.gnu.org>
1038         PR analyzer/96395
1039         * analyzer.h (class known_function): Add virtual casts
1040         to builtin_known_function.
1041         (class builtin_known_function): New subclass of known_function
1042         for builtins.
1043         * kf.cc (class kf_alloca): Now derived from
1044         builtin_known_function.
1045         (class kf_calloc): Likewise.
1046         (class kf_free): Likewise.
1047         (class kf_malloc): Likewise.
1048         (class kf_memcpy_memmove): Likewise.
1049         (class kf_memset): Likewise.
1050         (class kf_realloc): Likewise.
1051         (class kf_strchr): Likewise.
1052         (class kf_sprintf): Likewise.
1053         (class kf_strcat): Likewise.
1054         (class kf_strcpy): Likewise.
1055         (class kf_strdup): Likewise.
1056         (class kf_strlen): Likewise.
1057         (class kf_strndup): Likewise.
1058         (register_known_functions): Builtins are now registered as
1059         known_functions by name rather than by their BUILTIN_CODE.
1060         * known-function-manager.cc (get_normal_builtin): New overload.
1061         * known-function-manager.h: New overload declaration.
1062         * region-model.cc (region_model::get_builtin_kf): New function.
1063         * region-model.h (class region_model): Add declaration of
1064         get_builtin_kf.
1065         * sm-fd.cc: For calls recognized as builtins, use the
1066         attributes of that builtin as defined in gcc/builtins.def
1067         rather than the user's.
1068         * sm-malloc.cc (malloc_state_machine::on_stmt): Likewise.
1070 2023-08-25  David Malcolm  <dmalcolm@redhat.com>
1072         * access-diagram.cc (class string_region_spatial_item): Remove
1073         assumption that the string is written to the start of the cluster.
1075 2023-08-24  David Malcolm  <dmalcolm@redhat.com>
1077         PR analyzer/105899
1078         * call-details.cc
1079         (call_details::check_for_null_terminated_string_arg): Split into
1080         overloads, one taking just an arg_idx, the other a new
1081         "include_terminator" param.
1082         * call-details.h: Likewise.
1083         * kf.cc (class kf_strcat): New.
1084         (kf_strcpy::impl_call_pre): Update for change to
1085         check_for_null_terminated_string_arg.
1086         (register_known_functions): Register kf_strcat.
1087         * region-model.cc
1088         (region_model::check_for_null_terminated_string_arg): Split into
1089         overloads, one taking just an arg_idx, the other a new
1090         "include_terminator" param.  When returning an svalue, handle
1091         "include_terminator" being false by subtracting one.
1092         * region-model.h
1093         (region_model::check_for_null_terminated_string_arg): Split into
1094         overloads, one taking just an arg_idx, the other a new
1095         "include_terminator" param.
1097 2023-08-24  David Malcolm  <dmalcolm@redhat.com>
1099         PR analyzer/105899
1100         * region-model.cc (fragment::has_null_terminator): Handle
1101         SK_BITS_WITHIN.
1103 2023-08-24  David Malcolm  <dmalcolm@redhat.com>
1105         PR analyzer/105899
1106         * region-model-manager.cc
1107         (region_model_manager::get_or_create_initial_value): Simplify
1108         INIT_VAL(ELEMENT_REG(STRING_REG), CONSTANT_SVAL) to
1109         CONSTANT_SVAL(STRING[N]).
1111 2023-08-24  David Malcolm  <dmalcolm@redhat.com>
1113         PR analyzer/105899
1114         * region-model.cc (fragment::has_null_terminator): Move STRING_CST
1115         handling to fragment::string_cst_has_null_terminator; also use it to
1116         handle INIT_VAL(STRING_REG).
1117         (fragment::string_cst_has_null_terminator): New, from above.
1119 2023-08-24  David Malcolm  <dmalcolm@redhat.com>
1121         * kf.cc (kf_memcpy_memmove::impl_call_pre): Reimplement using
1122         region_model::copy_bytes.
1123         * region-model.cc (region_model::read_bytes): New.
1124         (region_model::copy_bytes): New.
1125         * region-model.h (region_model::read_bytes): New decl.
1126         (region_model::copy_bytes): New decl.
1128 2023-08-24  David Malcolm  <dmalcolm@redhat.com>
1130         PR analyzer/105899
1131         * region-model.cc (region_model::get_string_size): Delete both.
1132         * region-model.h (region_model::get_string_size): Delete both
1133         decls.
1135 2023-08-24  David Malcolm  <dmalcolm@redhat.com>
1137         PR analyzer/105899
1138         * kf.cc (kf_strcpy::impl_call_pre): Reimplement using
1139         check_for_null_terminated_string_arg.
1140         * region-model.cc (region_model::get_store_bytes): Shortcut
1141         reading all of a string_region.
1142         (region_model::scan_for_null_terminator): Use get_store_value for
1143         the bytes rather than "unknown" when returning an unknown length.
1144         (region_model::write_bytes): New.
1145         * region-model.h (region_model::write_bytes): New decl.
1147 2023-08-24  David Malcolm  <dmalcolm@redhat.com>
1149         PR analyzer/105899
1150         * region-model.cc (iterable_cluster::iterable_cluster): Add
1151         symbolic binding keys to m_symbolic_bindings.
1152         (iterable_cluster::has_symbolic_bindings_p): New.
1153         (iterable_cluster::m_symbolic_bindings): New field.
1154         (region_model::scan_for_null_terminator): Treat clusters with
1155         symbolic bindings as having unknown strlen.
1157 2023-08-24  David Malcolm  <dmalcolm@redhat.com>
1159         * engine.cc (impl_path_context::impl_path_context): Add logger
1160         param.
1161         (impl_path_context::bifurcate): Add log message.
1162         (impl_path_context::terminate_path): Likewise.
1163         (impl_path_context::m_logger): New field.
1164         (exploded_graph::process_node): Pass logger to path_ctxt ctor.
1166 2023-08-22  David Malcolm  <dmalcolm@redhat.com>
1168         PR analyzer/105899
1169         * kf-analyzer.cc (class kf_analyzer_get_strlen): Move to kf.cc.
1170         (register_known_analyzer_functions): Use make_kf_strlen.
1171         * kf.cc (class kf_strlen::impl_call_pre): Replace with
1172         implementation of kf_analyzer_get_strlen from kf-analyzer.cc.
1173         Handle "UNKNOWN" return from check_for_null_terminated_string_arg
1174         by falling back to a conjured svalue.
1175         (make_kf_strlen): New.
1176         (register_known_functions): Use make_kf_strlen.
1177         * known-function-manager.h (make_kf_strlen): New decl.
1179 2023-08-22  David Malcolm  <dmalcolm@redhat.com>
1181         PR analyzer/105899
1182         * call-details.cc (call_details::call_details): New ctor.
1183         * call-details.h (call_details::call_details): New ctor decl.
1184         (struct call_arg_details): Move here from region-model.cc.
1185         * region-model.cc (region_model::check_call_format_attr): New.
1186         (region_model::check_call_args): Call it.
1187         (struct call_arg_details): Move it to call-details.h.
1188         * region-model.h (region_model::check_call_format_attr): New decl.
1190 2023-08-22  David Malcolm  <dmalcolm@redhat.com>
1192         * kf.cc (class kf_fopen): New.
1193         (register_known_functions): Register it.
1195 2023-08-22  David Malcolm  <dmalcolm@redhat.com>
1197         PR analyzer/105899
1198         * analyzer.opt (Wanalyzer-unterminated-string): Delete.
1199         * call-details.cc
1200         (call_details::check_for_null_terminated_string_arg): Convert
1201         return type from void to const svalue *.  Add param "out_sval".
1202         * call-details.h
1203         (call_details::check_for_null_terminated_string_arg): Likewise.
1204         * kf-analyzer.cc (kf_analyzer_get_strlen::impl_call_pre): Wire up
1205         to result of check_for_null_terminated_string_arg.
1206         * region-model.cc (get_strlen): Delete.
1207         (class unterminated_string_arg): Delete.
1208         (struct fragment): New.
1209         (class iterable_cluster): New.
1210         (region_model::get_store_bytes): New.
1211         (get_tree_for_byte_offset): New.
1212         (region_model::scan_for_null_terminator): New.
1213         (region_model::check_for_null_terminated_string_arg): Convert
1214         return type from void to const svalue *.  Add param "out_sval".
1215         Reimplement in terms of scan_for_null_terminator, dropping the
1216         special-case for -Wanalyzer-unterminated-string.
1217         * region-model.h (region_model::get_store_bytes): New decl.
1218         (region_model::scan_for_null_terminator): New decl.
1219         (region_model::check_for_null_terminated_string_arg): Convert
1220         return type from void to const svalue *.  Add param "out_sval".
1221         * store.cc (concrete_binding::get_byte_range): New.
1222         * store.h (concrete_binding::get_byte_range): New decl.
1223         (store_manager::get_concrete_binding): New overload.
1225 2023-08-22  David Malcolm  <dmalcolm@redhat.com>
1227         * region-model.cc (region_model_context_decorator::add_event):
1228         Handle m_inner being NULL.
1229         * region-model.h (class region_model_context_decorator): Likewise.
1230         (annotating_context::warn): Likewise.
1232 2023-08-22  David Malcolm  <dmalcolm@redhat.com>
1234         * diagnostic-manager.cc (saved_diagnostic::add_event): New.
1235         (saved_diagnostic::add_any_saved_events): New.
1236         (diagnostic_manager::add_event): New.
1237         (dedupe_winners::emit_best): New.
1238         (diagnostic_manager::emit_saved_diagnostic): Make "sd" param
1239         non-const.  Call saved_diagnostic::add_any_saved_events.
1240         * diagnostic-manager.h (saved_diagnostic::add_event): New decl.
1241         (saved_diagnostic::add_any_saved_events): New decl.
1242         (saved_diagnostic::m_saved_events): New field.
1243         (diagnostic_manager::add_event): New decl.
1244         (diagnostic_manager::emit_saved_diagnostic): Make "sd" param
1245         non-const.
1246         * engine.cc (impl_region_model_context::add_event): New.
1247         * exploded-graph.h (impl_region_model_context::add_event): New decl.
1248         * region-model.cc
1249         (noop_region_model_context::add_event): New.
1250         (region_model_context_decorator::add_event): New.
1251         * region-model.h (region_model_context::add_event): New vfunc.
1252         (noop_region_model_context::add_event): New decl.
1253         (region_model_context_decorator::add_event): New decl.
1255 2023-08-22  David Malcolm  <dmalcolm@redhat.com>
1257         * region-model.cc
1258         (class check_external_function_for_access_attr::annotating_ctxt):
1259         Convert to an annotating_context.
1260         * region-model.h (class note_adding_context): Rename to...
1261         (class annotating_context): ...this, updating the "warn" method.
1262         (note_adding_context::make_note): Replace with...
1263         (annotating_context::add_annotations): ...this.
1265 2023-08-14  benjamin priour  <vultkayn@gcc.gnu.org>
1267         PR analyzer/110543
1268         * analyzer.opt: Add new option.
1269         * diagnostic-manager.cc
1270         (diagnostic_manager::prune_path): Call prune_system_headers.
1271         (prune_frame): New function that deletes all events in a frame.
1272         (diagnostic_manager::prune_system_headers): New function.
1273         * diagnostic-manager.h: Add prune_system_headers declaration.
1275 2023-08-11  David Malcolm  <dmalcolm@redhat.com>
1277         PR analyzer/105899
1278         * analyzer.opt (Wanalyzer-unterminated-string): New.
1279         * call-details.cc
1280         (call_details::check_for_null_terminated_string_arg): New.
1281         * call-details.h
1282         (call_details::check_for_null_terminated_string_arg): New decl.
1283         * kf-analyzer.cc (class kf_analyzer_get_strlen): New.
1284         (register_known_analyzer_functions): Register it.
1285         * kf.cc (kf_error::impl_call_pre): Check that format arg is a
1286         valid null-terminated string.
1287         (kf_putenv::impl_call_pre): Likewise for the sole param.
1288         (kf_strchr::impl_call_pre): Likewise for the first param.
1289         (kf_strcpy::impl_call_pre): Likewise for the second param.
1290         (kf_strdup::impl_call_pre): Likewise for the sole param.
1291         * region-model.cc (get_strlen): New.
1292         (struct call_arg_details): New.
1293         (inform_about_expected_null_terminated_string_arg): New.
1294         (class unterminated_string_arg): New.
1295         (region_model::check_for_null_terminated_string_arg): New.
1296         * region-model.h
1297         (region_model::check_for_null_terminated_string_arg): New decl.
1299 2023-08-11  Eric Feng  <ef2648@columbia.edu>
1301         PR analyzer/107646
1302         * call-details.h: New function.
1303         * region-model.cc (region_model::get_or_create_region_for_heap_alloc):
1304         New optional parameters.
1305         * region-model.h (class region_model): New optional parameters.
1306         * sm-malloc.cc (on_realloc_with_move): New function.
1307         (region_model::transition_ptr_sval_non_null): New function.
1309 2023-08-09  David Malcolm  <dmalcolm@redhat.com>
1311         * analyzer.h (class pure_known_function_with_default_return): New
1312         subclass.
1313         * call-details.cc (const_fn_p): Move here from region-model.cc.
1314         (maybe_get_const_fn_result): Likewise.
1315         (get_result_size_in_bytes): Likewise.
1316         (call_details::set_any_lhs_with_defaults): New function, based on
1317         code in region_model::on_call_pre.
1318         * call-details.h (call_details::set_any_lhs_with_defaults): New
1319         decl.
1320         * diagnostic-manager.cc
1321         (diagnostic_manager::emit_saved_diagnostic): Log the index of the
1322         saved_diagnostic.
1323         * kf.cc (pure_known_function_with_default_return::impl_call_pre):
1324         New.
1325         (kf_memset::impl_call_pre): Set the LHS to the first param.
1326         (kf_putenv::impl_call_pre): Call cd.set_any_lhs_with_defaults.
1327         (kf_sprintf::impl_call_pre): Call cd.set_any_lhs_with_defaults.
1328         (class kf_stack_restore): Derive from
1329         pure_known_function_with_default_return.
1330         (class kf_stack_save): Likewise.
1331         (kf_strlen::impl_call_pre): Call cd.set_any_lhs_with_defaults.
1332         * region-model-reachability.cc (reachable_regions::handle_sval):
1333         Remove logic for symbolic regions for pointers.
1334         * region-model.cc (region_model::canonicalize): Remove purging of
1335         dynamic extents workaround for surplus values from
1336         region_model::on_call_pre's default LHS code.
1337         (const_fn_p): Move to call-details.cc.
1338         (maybe_get_const_fn_result): Likewise.
1339         (get_result_size_in_bytes): Likewise.
1340         (region_model::update_for_nonzero_return): Call
1341         cd.set_any_lhs_with_defaults.
1342         (region_model::on_call_pre): Remove the assignment to the LHS of a
1343         default return value, instead requiring all known_function
1344         implementations to write to any LHS of the call.  Use
1345         cd.set_any_lhs_with_defaults on the non-kf paths.
1346         * sm-fd.cc (kf_socket::outcome_of_socket::update_model): Use
1347         cd.set_any_lhs_with_defaults when failing to get at fd state.
1348         (kf_bind::outcome_of_bind::update_model): Likewise.
1349         (kf_listen::outcome_of_listen::update_model): Likewise.
1350         (kf_accept::outcome_of_accept::update_model): Likewise.
1351         (kf_connect::outcome_of_connect::update_model): Likewise.
1352         (kf_read::impl_call_pre): Use cd.set_any_lhs_with_defaults.
1353         * sm-file.cc (class kf_stdio_output_fn): Derive from
1354         pure_known_function_with_default_return.
1355         (class kf_ferror): Likewise.
1356         (class kf_fileno): Likewise.
1357         (kf_fgets::impl_call_pre): Use cd.set_any_lhs_with_defaults.
1358         (kf_read::impl_call_pre): Likewise.
1359         (class kf_getc): Derive from
1360         pure_known_function_with_default_return.
1361         (class kf_getchar): Likewise.
1362         * varargs.cc (kf_va_arg::impl_call_pre): Use
1363         cd.set_any_lhs_with_defaults.
1365 2023-08-04  David Malcolm  <dmalcolm@redhat.com>
1367         PR analyzer/110426
1368         * bounds-checking.cc (region_model::check_region_bounds): Handle
1369         symbolic base regions.
1370         * call-details.cc: Include "stringpool.h" and "attribs.h".
1371         (call_details::lookup_function_attribute): New function.
1372         * call-details.h (call_details::lookup_function_attribute): New
1373         function decl.
1374         * region-model-manager.cc
1375         (region_model_manager::maybe_fold_binop): Add reference to
1376         PR analyzer/110902.
1377         * region-model-reachability.cc (reachable_regions::handle_sval):
1378         Add symbolic regions for pointers that are conjured svalues for
1379         the LHS of a stmt.
1380         * region-model.cc (region_model::canonicalize): Purge dynamic
1381         extents for regions that aren't referenced.
1382         (get_result_size_in_bytes): New function.
1383         (region_model::on_call_pre): Use get_result_size_in_bytes and
1384         potentially set the dynamic extents of the region pointed to by
1385         the return value.
1386         (region_model::deref_rvalue): Add param "add_nonnull_constraint"
1387         and use it to conditionalize adding the constraint.
1388         (pending_diagnostic_subclass::dubious_allocation_size): Add "stmt"
1389         param to both ctors and use it to initialize new "m_stmt" field.
1390         (pending_diagnostic_subclass::operator==): Use m_stmt; don't use
1391         m_lhs or m_rhs.
1392         (pending_diagnostic_subclass::m_stmt): New field.
1393         (region_model::check_region_size): Generalize to any kind of
1394         pointer svalue by using deref_rvalue rather than checking for
1395         region_svalue.  Pass stmt to dubious_allocation_size ctor.
1396         * region-model.h (region_model::deref_rvalue): Add param
1397         "add_nonnull_constraint".
1398         * svalue.cc (conjured_svalue::lhs_value_p): New function.
1399         * svalue.h (conjured_svalue::lhs_value_p): New decl.
1401 2023-08-04  David Malcolm  <dmalcolm@redhat.com>
1403         * svalue.cc (region_svalue::dump_to_pp): Support NULL type.
1404         (constant_svalue::dump_to_pp): Likewise.
1405         (initial_svalue::dump_to_pp): Likewise.
1406         (conjured_svalue::dump_to_pp): Likewise.  Fix missing print of the
1407         type.
1409 2023-08-03  David Malcolm  <dmalcolm@redhat.com>
1411         PR analyzer/110882
1412         * region.cc (int_size_in_bits): Fail on zero-sized types.
1414 2023-08-02  Eric Feng  <ef2648@columbia.edu>
1416         PR analyzer/107646
1417         * analyzer-language.cc (run_callbacks): New function.
1418         (on_finish_translation_unit): New function.
1419         * analyzer-language.h (GCC_ANALYZER_LANGUAGE_H): New include.
1420         (class translation_unit): New vfuncs.
1422 2023-07-26  David Malcolm  <dmalcolm@redhat.com>
1424         PR analyzer/104940
1425         * region-model-manager.cc
1426         (region_model_manager::region_model_manager): Update for
1427         generalizing region ids to also cover svalues.
1428         (region_model_manager::get_or_create_constant_svalue): Likewise.
1429         (region_model_manager::get_or_create_unknown_svalue): Likewise.
1430         (region_model_manager::create_unique_svalue): Likewise.
1431         (region_model_manager::get_or_create_initial_value): Likewise.
1432         (region_model_manager::get_or_create_setjmp_svalue): Likewise.
1433         (region_model_manager::get_or_create_poisoned_svalue): Likewise.
1434         (region_model_manager::get_ptr_svalue): Likewise.
1435         (region_model_manager::get_or_create_unaryop): Likewise.
1436         (region_model_manager::get_or_create_binop): Likewise.
1437         (region_model_manager::get_or_create_sub_svalue): Likewise.
1438         (region_model_manager::get_or_create_repeated_svalue): Likewise.
1439         (region_model_manager::get_or_create_bits_within): Likewise.
1440         (region_model_manager::get_or_create_unmergeable): Likewise.
1441         (region_model_manager::get_or_create_widening_svalue): Likewise.
1442         (region_model_manager::get_or_create_compound_svalue): Likewise.
1443         (region_model_manager::get_or_create_conjured_svalue): Likewise.
1444         (region_model_manager::get_or_create_asm_output_svalue): Likewise.
1445         (region_model_manager::get_or_create_const_fn_result_svalue):
1446         Likewise.
1447         (region_model_manager::get_region_for_fndecl): Likewise.
1448         (region_model_manager::get_region_for_label): Likewise.
1449         (region_model_manager::get_region_for_global): Likewise.
1450         (region_model_manager::get_field_region): Likewise.
1451         (region_model_manager::get_element_region): Likewise.
1452         (region_model_manager::get_offset_region): Likewise.
1453         (region_model_manager::get_sized_region): Likewise.
1454         (region_model_manager::get_cast_region): Likewise.
1455         (region_model_manager::get_frame_region): Likewise.
1456         (region_model_manager::get_symbolic_region): Likewise.
1457         (region_model_manager::get_region_for_string): Likewise.
1458         (region_model_manager::get_bit_range): Likewise.
1459         (region_model_manager::get_var_arg_region): Likewise.
1460         (region_model_manager::get_region_for_unexpected_tree_code):
1461         Likewise.
1462         (region_model_manager::get_or_create_region_for_heap_alloc):
1463         Likewise.
1464         (region_model_manager::create_region_for_alloca): Likewise.
1465         (region_model_manager::log_stats): Likewise.
1466         * region-model-manager.h (region_model_manager::get_num_regions):
1467         Replace with...
1468         (region_model_manager::get_num_symbols): ...this.
1469         (region_model_manager::alloc_region_id): Replace with...
1470         (region_model_manager::alloc_symbol_id): ...this.
1471         (region_model_manager::m_next_region_id): Replace with...
1472         (region_model_manager::m_next_symbol_id): ...this.
1473         * region-model.cc (selftest::test_get_representative_tree): Update
1474         for generalizing region ids to also cover svalues.
1475         (selftest::test_binop_svalue_folding): Likewise.
1476         (selftest::test_state_merging): Likewise.
1477         * region.cc (region::cmp_ids): Delete, in favor of
1478         symbol::cmp_ids.
1479         (region::region): Update for introduction of symbol base class.
1480         (frame_region::get_region_for_local): Likewise.
1481         (root_region::root_region): Likewise.
1482         (symbolic_region::symbolic_region): Likewise.
1483         * region.h: Replace include of "analyzer/complexity.h" with
1484         "analyzer/symbol.h".
1485         (class region): Make a subclass of symbol.
1486         (region::get_id): Delete in favor of symbol::get_id.
1487         (region::cmp_ids): Delete in favor of symbol::cmp_ids.
1488         (region::get_complexity): Delete in favor of
1489         symbol::get_complexity.
1490         (region::region): Use symbol::id_t for "id" param.
1491         (region::m_complexity): Move field to symbol base class.
1492         (region::m_id): Likewise.
1493         (space_region::space_region): Use symbol::id_t for "id" param.
1494         (frame_region::frame_region): Likewise.
1495         (globals_region::globals_region): Likewise.
1496         (code_region::code_region): Likewise.
1497         (function_region::function_region): Likewise.
1498         (label_region::label_region): Likewise.
1499         (stack_region::stack_region): Likewise.
1500         (heap_region::heap_region): Likewise.
1501         (thread_local_region::thread_local_region): Likewise.
1502         (root_region::root_region): Likewise.
1503         (symbolic_region::symbolic_region): Likewise.
1504         (decl_region::decl_region): Likewise.
1505         (field_region::field_region): Likewise.
1506         (element_region::element_region): Likewise.
1507         (offset_region::offset_region): Likewise.
1508         (sized_region::sized_region): Likewise.
1509         (cast_region::cast_region): Likewise.
1510         (heap_allocated_region::heap_allocated_region): Likewise.
1511         (alloca_region::alloca_region): Likewise.
1512         (string_region::string_region): Likewise.
1513         (bit_range_region::bit_range_region): Likewise.
1514         (var_arg_region::var_arg_region): Likewise.
1515         (errno_region::errno_region): Likewise.
1516         (unknown_region::unknown_region): Likewise.
1517         * svalue.cc (sub_svalue::sub_svalue): Add symbol::id_t param.
1518         (repeated_svalue::repeated_svalue): Likewise.
1519         (bits_within_svalue::bits_within_svalue): Likewise.
1520         (compound_svalue::compound_svalue): Likewise.
1521         * svalue.h: Replace include of "analyzer/complexity.h" with
1522         "analyzer/symbol.h".
1523         (class svalue): Make a subclass of symbol.
1524         (svalue::get_complexity): Delete in favor of
1525         symbol::get_complexity.
1526         (svalue::svalue): Add symbol::id_t param.  Update for new base
1527         class.
1528         (svalue::m_complexity): Delete in favor of
1529         symbol::m_complexity.
1530         (region_svalue::region_svalue): Add symbol::id_t param.
1531         (constant_svalue::constant_svalue): Likewise.
1532         (unknown_svalue::unknown_svalue): Likewise.
1533         (poisoned_svalue::poisoned_svalue): Likewise.
1534         (setjmp_svalue::setjmp_svalue): Likewise.
1535         (initial_svalue::initial_svalue): Likewise.
1536         (unaryop_svalue::unaryop_svalue): Likewise.
1537         (binop_svalue::binop_svalue): Likewise.
1538         (sub_svalue::sub_svalue): Likewise.
1539         (repeated_svalue::repeated_svalue): Likewise.
1540         (bits_within_svalue::bits_within_svalue): Likewise.
1541         (unmergeable_svalue::unmergeable_svalue): Likewise.
1542         (placeholder_svalue::placeholder_svalue): Likewise.
1543         (widening_svalue::widening_svalue): Likewise.
1544         (compound_svalue::compound_svalue): Likewise.
1545         (conjured_svalue::conjured_svalue): Likewise.
1546         (asm_output_svalue::asm_output_svalue): Likewise.
1547         (const_fn_result_svalue::const_fn_result_svalue): Likewise.
1548         * symbol.cc: New file.
1549         * symbol.h: New file.
1551 2023-07-21  David Malcolm  <dmalcolm@redhat.com>
1553         PR analyzer/110455
1554         * region-model.cc (region_model::get_gassign_result): Only check
1555         for bad shift counts when dealing with an integral type.
1557 2023-07-21  David Malcolm  <dmalcolm@redhat.com>
1559         PR analyzer/110433
1560         PR middle-end/110612
1561         * access-diagram.cc (class spatial_item): Add virtual dtor.
1563 2023-07-21  David Malcolm  <dmalcolm@redhat.com>
1565         PR analyzer/110387
1566         * region.h (struct cast_region::key_t): Support "m_type" being
1567         null by using "m_original_region" for empty/deleted slots.
1569 2023-07-19  David Malcolm  <dmalcolm@redhat.com>
1571         PR analyzer/110700
1572         * region-model-manager.cc
1573         (region_model_manager::get_or_create_int_cst): Assert that we have
1574         an integral or pointer type.
1575         * sm-taint.cc (taint_state_machine::check_for_tainted_divisor):
1576         Don't check non-integral types.
1578 2023-06-29  benjamin priour  <priour.be@gmail.com>
1580         PR analyzer/110198
1581         * region-model-manager.cc
1582         (region_model_manager::get_or_create_initial_value): Take an
1583         optional boolean value to bypass poisoning checks.
1584         * region-model-manager.h: Update declaration of the above function.
1585         * region-model.cc (region_model::get_store_value): No longer returns
1586         on OOB, but rather gives a boolean to get_or_create_initial_value.
1587         (region_model::check_region_access): Update docstring.
1588         (region_model::check_region_for_write): Update docstring.
1590 2023-06-24  David Malcolm  <dmalcolm@redhat.com>
1592         * access-diagram.cc: Add #define INCLUDE_VECTOR.
1593         * bounds-checking.cc: Likewise.
1595 2023-06-22  David Malcolm  <dmalcolm@redhat.com>
1597         PR analyzer/106626
1598         * access-diagram.cc: New file.
1599         * access-diagram.h: New file.
1600         * analyzer.h (class region_offset): Add default ctor.
1601         (region_offset::make_byte_offset): New decl.
1602         (region_offset::concrete_p): New.
1603         (region_offset::get_concrete_byte_offset): New.
1604         (region_offset::calc_symbolic_bit_offset): New decl.
1605         (region_offset::calc_symbolic_byte_offset): New decl.
1606         (region_offset::dump_to_pp): New decl.
1607         (region_offset::dump): New decl.
1608         (operator<, operator<=, operator>, operator>=): New decls for
1609         region_offset.
1610         * analyzer.opt
1611         (-param=analyzer-text-art-string-ellipsis-threshold=): New.
1612         (-param=analyzer-text-art-string-ellipsis-head-len=): New.
1613         (-param=analyzer-text-art-string-ellipsis-tail-len=): New.
1614         (-param=analyzer-text-art-ideal-canvas-width=): New.
1615         (fanalyzer-debug-text-art): New.
1616         * bounds-checking.cc: Include "intl.h", "diagnostic-diagram.h",
1617         and "analyzer/access-diagram.h".
1618         (class out_of_bounds::oob_region_creation_event_capacity): New.
1619         (out_of_bounds::out_of_bounds): Add "model" and "sval_hint"
1620         params.
1621         (out_of_bounds::mark_interesting_stuff): Use the base region.
1622         (out_of_bounds::add_region_creation_events): Use
1623         oob_region_creation_event_capacity.
1624         (out_of_bounds::get_dir): New pure vfunc.
1625         (out_of_bounds::maybe_show_notes): New.
1626         (out_of_bounds::maybe_show_diagram): New.
1627         (out_of_bounds::make_access_diagram): New.
1628         (out_of_bounds::m_model): New field.
1629         (out_of_bounds::m_sval_hint): New field.
1630         (out_of_bounds::m_region_creation_event_id): New field.
1631         (concrete_out_of_bounds::concrete_out_of_bounds): Update for new
1632         fields.
1633         (concrete_past_the_end::concrete_past_the_end): Likewise.
1634         (concrete_past_the_end::add_region_creation_events): Use
1635         oob_region_creation_event_capacity.
1636         (concrete_buffer_overflow::concrete_buffer_overflow): Update for
1637         new fields.
1638         (concrete_buffer_overflow::emit): Replace call to
1639         maybe_describe_array_bounds with maybe_show_notes.
1640         (concrete_buffer_overflow::get_dir): New.
1641         (concrete_buffer_over_read::concrete_buffer_over_read): Update for
1642         new fields.
1643         (concrete_buffer_over_read::emit): Replace call to
1644         maybe_describe_array_bounds with maybe_show_notes.
1645         (concrete_buffer_overflow::get_dir): New.
1646         (concrete_buffer_underwrite::concrete_buffer_underwrite): Update
1647         for new fields.
1648         (concrete_buffer_underwrite::emit): Replace call to
1649         maybe_describe_array_bounds with maybe_show_notes.
1650         (concrete_buffer_underwrite::get_dir): New.
1651         (concrete_buffer_under_read::concrete_buffer_under_read): Update
1652         for new fields.
1653         (concrete_buffer_under_read::emit): Replace call to
1654         maybe_describe_array_bounds with maybe_show_notes.
1655         (concrete_buffer_under_read::get_dir): New.
1656         (symbolic_past_the_end::symbolic_past_the_end): Update for new
1657         fields.
1658         (symbolic_buffer_overflow::symbolic_buffer_overflow): Likewise.
1659         (symbolic_buffer_overflow::emit): Call maybe_show_notes.
1660         (symbolic_buffer_overflow::get_dir): New.
1661         (symbolic_buffer_over_read::symbolic_buffer_over_read): Update for
1662         new fields.
1663         (symbolic_buffer_over_read::emit): Call maybe_show_notes.
1664         (symbolic_buffer_over_read::get_dir): New.
1665         (region_model::check_symbolic_bounds): Add "sval_hint" param.  Pass
1666         it and sized_offset_reg to diagnostics.
1667         (region_model::check_region_bounds): Add "sval_hint" param, passing
1668         it to diagnostics.
1669         * diagnostic-manager.cc
1670         (diagnostic_manager::emit_saved_diagnostic): Pass logger to
1671         pending_diagnostic::emit.
1672         * engine.cc: Add logger param to pending_diagnostic::emit
1673         implementations.
1674         * infinite-recursion.cc: Likewise.
1675         * kf-analyzer.cc: Likewise.
1676         * kf.cc: Likewise.  Add nullptr for new param of
1677         check_region_for_write.
1678         * pending-diagnostic.h: Likewise in decl.
1679         * region-model-manager.cc
1680         (region_model_manager::get_or_create_int_cst): Convert param from
1681         poly_int64 to const poly_wide_int_ref &.
1682         (region_model_manager::maybe_fold_binop): Support type being NULL
1683         when checking for floating-point types.
1684         Check for (X + Y) - X => Y.  Be less strict about types when folding
1685         associative ops.  Check for (X + Y) * CST => (X * CST) + (Y * CST).
1686         * region-model-manager.h
1687         (region_model_manager::get_or_create_int_cst): Convert param from
1688         poly_int64 to const poly_wide_int_ref &.
1689         * region-model.cc: Add logger param to pending_diagnostic::emit
1690         implementations.
1691         (region_model::check_external_function_for_access_attr): Update
1692         for new param of check_region_for_write.
1693         (region_model::deref_rvalue): Use nullptr rather than NULL.
1694         (region_model::get_capacity): Handle RK_STRING.
1695         (region_model::check_region_access): Add "sval_hint" param; pass it to
1696         check_region_bounds.
1697         (region_model::check_region_for_write): Add "sval_hint" param;
1698         pass it to check_region_access.
1699         (region_model::check_region_for_read): Add NULL for new param to
1700         check_region_access.
1701         (region_model::set_value): Pass rhs_sval to
1702         check_region_for_write.
1703         (region_model::get_representative_path_var_1): Handle SK_CONSTANT
1704         in the check for infinite recursion.
1705         * region-model.h (region_model::check_region_for_write): Add
1706         "sval_hint" param.
1707         (region_model::check_region_access): Likewise.
1708         (region_model::check_symbolic_bounds): Likewise.
1709         (region_model::check_region_bounds): Likewise.
1710         * region.cc (region_offset::make_byte_offset): New.
1711         (region_offset::calc_symbolic_bit_offset): New.
1712         (region_offset::calc_symbolic_byte_offset): New.
1713         (region_offset::dump_to_pp): New.
1714         (region_offset::dump): New.
1715         (struct linear_op): New.
1716         (operator<, operator<=, operator>, operator>=): New, for
1717         region_offset.
1718         (region::get_next_offset): New.
1719         (region::get_relative_symbolic_offset): Use ptrdiff_type_node.
1720         (field_region::get_relative_symbolic_offset): Likewise.
1721         (element_region::get_relative_symbolic_offset): Likewise.
1722         (bit_range_region::get_relative_symbolic_offset): Likewise.
1723         * region.h (region::get_next_offset): New decl.
1724         * sm-fd.cc: Add logger param to pending_diagnostic::emit
1725         implementations.
1726         * sm-file.cc: Likewise.
1727         * sm-malloc.cc: Likewise.
1728         * sm-pattern-test.cc: Likewise.
1729         * sm-sensitive.cc: Likewise.
1730         * sm-signal.cc: Likewise.
1731         * sm-taint.cc: Likewise.
1732         * store.cc (bit_range::contains_p): Allow "out" to be null.
1733         * store.h (byte_range::get_start_bit_offset): New.
1734         (byte_range::get_next_bit_offset): New.
1735         * varargs.cc: Add logger param to pending_diagnostic::emit
1736         implementations.
1738 2023-06-10  Tim Lange  <mail@tim-lange.me>
1740         PR analyzer/109577
1741         * constraint-manager.cc (class sval_finder): Visitor to find
1742         children in svalue trees.
1743         (constraint_manager::sval_constrained_p): Add new function to
1744         check whether a sval might be part of a constraint.
1745         * constraint-manager.h: Add sval_constrained_p function.
1746         * region-model.cc (class size_visitor): Reverse behavior to not
1747         emit a warning on not explicitly considered cases.
1748         (region_model::check_region_size):
1749         Adapt to size_visitor changes.
1751 2023-06-09  David Malcolm  <dmalcolm@redhat.com>
1753         PR analyzer/110112
1754         * region-model.cc (region_model::get_initial_value_for_global):
1755         Move code to region::calc_initial_value_at_main.
1756         * region.cc (region::get_initial_value_at_main): New function.
1757         (region::calc_initial_value_at_main): New function, based on code
1758         in region_model::get_initial_value_for_global.
1759         (region::region): Initialize m_cached_init_sval_at_main.
1760         (decl_region::get_svalue_for_constructor): Add a cache, splitting
1761         out body to...
1762         (decl_region::calc_svalue_for_constructor): ...this new function.
1763         * region.h (region::get_initial_value_at_main): New decl.
1764         (region::calc_initial_value_at_main): New decl.
1765         (region::m_cached_init_sval_at_main): New field.
1766         (decl_region::decl_region): Initialize m_ctor_svalue.
1767         (decl_region::calc_svalue_for_constructor): New decl.
1768         (decl_region::m_ctor_svalue): New field.
1770 2023-06-08  Benjamin Priour  <vultkayn@gcc.gnu.org>
1772         * bounds-checking.cc (region_model::check_symbolic_bounds): Returns whether the BASE_REG
1773         region access was OOB.
1774         (region_model::check_region_bounds): Likewise.
1775         * region-model.cc (region_model::get_store_value): Creates an
1776         unknown svalue on OOB-read access to REG.
1777         (region_model::check_region_access): Returns whether an unknown svalue needs to be created.
1778         (region_model::check_region_for_read): Passes check_region_access return value.
1779         * region-model.h: Update prior function definitions.
1781 2023-06-02  David Malcolm  <dmalcolm@redhat.com>
1783         PR analyzer/109015
1784         * kf.cc (class kf_atomic_exchange): New.
1785         (class kf_atomic_exchange_n): New.
1786         (class kf_atomic_fetch_op): New.
1787         (class kf_atomic_op_fetch): New.
1788         (class kf_atomic_load): New.
1789         (class kf_atomic_load_n): New.
1790         (class kf_atomic_store_n): New.
1791         (register_atomic_builtins): New function.
1792         (register_known_functions): Call register_atomic_builtins.
1794 2023-06-02  David Malcolm  <dmalcolm@redhat.com>
1796         * store.cc (store::eval_alias_1): Regions in different memory
1797         spaces can't alias.
1799 2023-05-18  Bernhard Reutner-Fischer  <aldot@gcc.gnu.org>
1801         * region-model-manager.cc (get_code_for_cast): Use _P defines from
1802         tree.h.
1803         (region_model_manager::get_or_create_cast): Ditto.
1804         (region_model_manager::get_region_for_global): Ditto.
1805         * region-model.cc (region_model::get_lvalue_1): Ditto.
1806         * region.cc (decl_region::maybe_get_constant_value): Ditto.
1808 2023-03-22  David Malcolm  <dmalcolm@redhat.com>
1810         PR analyzer/109239
1811         * program-point.cc: Include "analyzer/inlining-iterator.h".
1812         (program_point::effectively_intraprocedural_p): New function.
1813         * program-point.h (program_point::effectively_intraprocedural_p):
1814         New decl.
1815         * sm-malloc.cc (deref_before_check::emit): Use it when rejecting
1816         interprocedural cases, so that we reject interprocedural cases
1817         that have become intraprocedural due to inlining.
1819 2023-03-18  David Malcolm  <dmalcolm@redhat.com>
1821         PR analyzer/109094
1822         * region-model.cc (region_model::on_longjmp): Pass false for
1823         new "eval_return_svalue" param of pop_frame.
1824         (region_model::pop_frame): Add new "eval_return_svalue" param and
1825         use it to suppress the call to get_rvalue on the result when
1826         needed by on_longjmp.
1827         * region-model.h (region_model::pop_frame): Add new
1828         "eval_return_svalue" param.
1830 2023-03-10  David Malcolm  <dmalcolm@redhat.com>
1832         PR analyzer/109059
1833         * region-model.cc (region_model::mark_region_as_unknown): Gather a
1834         set of maybe-live svalues and call on_maybe_live_values with it.
1835         * store.cc (binding_map::remove_overlapping_bindings): Add new
1836         "maybe_live_values" param; add any removed svalues to it.
1837         (binding_cluster::clobber_region): Add NULL as new param of
1838         remove_overlapping_bindings.
1839         (binding_cluster::mark_region_as_unknown): Add "maybe_live_values"
1840         param and pass it to remove_overlapping_bindings.
1841         (binding_cluster::maybe_get_compound_binding): Add NULL for new
1842         param of binding_map::remove_overlapping_bindings.
1843         (binding_cluster::remove_overlapping_bindings): Add
1844         "maybe_live_values" param and pass to
1845         binding_map::remove_overlapping_bindings.
1846         (store::set_value): Capture a set of maybe-live svalues, and call
1847         on_maybe_live_values with it.
1848         (store::on_maybe_live_values): New.
1849         (store::mark_region_as_unknown): Add "maybe_live_values" param
1850         and pass it to binding_cluster::mark_region_as_unknown.
1851         (store::remove_overlapping_bindings): Pass NULL for new param of
1852         binding_cluster::remove_overlapping_bindings.
1853         * store.h (binding_map::remove_overlapping_bindings): Add
1854         "maybe_live_values" param.
1855         (binding_cluster::mark_region_as_unknown): Likewise.
1856         (binding_cluster::remove_overlapping_bindings): Likewise.
1857         (store::mark_region_as_unknown): Likewise.
1858         (store::on_maybe_live_values): New decl.
1860 2023-03-10  David Malcolm  <dmalcolm@redhat.com>
1862         PR analyzer/108475
1863         PR analyzer/109060
1864         * sm-malloc.cc (deref_before_check::deref_before_check):
1865         Initialize new field m_deref_expr.  Assert that arg is non-NULL.
1866         (deref_before_check::emit): Reject cases where the spelling of the
1867         thing that was dereferenced differs from that of what is checked,
1868         or if the dereference expression was not found.  Remove code to
1869         handle NULL m_arg.
1870         (deref_before_check::describe_state_change): Remove code to handle
1871         NULL m_arg.
1872         (deref_before_check::describe_final_event): Likewise.
1873         (deref_before_check::sufficiently_similar_p): New.
1874         (deref_before_check::m_deref_expr): New field.
1875         (malloc_state_machine::maybe_complain_about_deref_before_check):
1876         Don't warn if the diag_ptr is NULL.
1878 2023-03-03  David Malcolm  <dmalcolm@redhat.com>
1880         * kf.cc (class kf_sprintf): New.
1881         (register_known_functions): Register it.
1883 2023-03-02  David Malcolm  <dmalcolm@redhat.com>
1885         PR analyzer/108968
1886         * region-model.cc (region_model::get_rvalue_1): Handle VAR_DECLs
1887         with a DECL_HARD_REGISTER by returning UNKNOWN.
1889 2023-03-02  Hans-Peter Nilsson  <hp@axis.com>
1891         * kf.cc (register_known_functions): Add __errno function for newlib.
1893 2023-03-01  David Malcolm  <dmalcolm@redhat.com>
1895         PR analyzer/107565
1896         * region-model.cc (region_model::on_call_pre): Flatten logic by
1897         returning early.  Consolidate logic for detecting const and pure
1898         functions.  When considering whether an unhandled built-in
1899         function has side-effects, consider all kinds of builtin, rather
1900         than just BUILT_IN_NORMAL, and don't require
1901         gimple_builtin_call_types_compatible_p.
1903 2023-03-01  David Malcolm  <dmalcolm@redhat.com>
1905         PR analyzer/108935
1906         * infinite-recursion.cc (contains_unknown_p): New.
1907         (sufficiently_different_region_binding_p): New function, splitting
1908         out inner loop from...
1909         (sufficiently_different_p): ...here.  Extend detection of unknown
1910         svalues to also include svalues that contain unknown.  Treat
1911         changes in frames below the entry to the recursion as being
1912         sufficiently different to reject being an infinite recursion.
1914 2023-02-21  David Malcolm  <dmalcolm@redhat.com>
1916         PR analyzer/108830
1917         * analyzer.opt (fanalyzer-suppress-followups): New option.
1918         * engine.cc (impl_region_model_context::warn): Terminate the path
1919         if the diagnostic's terminate_path_p vfunc returns true and
1920         -fanalyzer-suppress-followups is true (the default).
1921         (impl_sm_context::warn): Likewise, for both overloads.
1922         * pending-diagnostic.h (pending_diagnostic::terminate_path_p): New
1923         vfunc.
1924         * program-state.cc (program_state::on_edge): Terminate the path if
1925         the ctxt requests it during updating the edge.
1926         * region-model.cc (poisoned_value_diagnostic::terminate_path_p):
1927         New vfunc.
1928         * sm-malloc.cc (null_deref::terminate_path_p): New vfunc.
1929         (null_arg::terminate_path_p): New vfunc.
1931 2023-02-16  David Malcolm  <dmalcolm@redhat.com>
1933         PR analyzer/108806
1934         * constraint-manager.cc (bounded_range::dump_to_pp): Use
1935         bounded_range::singleton_p.
1936         (constraint_manager::add_bounded_ranges): Handle singleton ranges
1937         by adding an EQ_EXPR constraint.
1938         (constraint_manager::impossible_derived_conditions_p): New.
1939         (constraint_manager::eval_condition): Reject EQ_EXPR when it would
1940         imply impossible derived conditions.
1941         (selftest::test_bits): New.
1942         (selftest::run_constraint_manager_tests): Run it.
1943         * constraint-manager.h (bounded_range::singleton_p): New.
1944         (constraint_manager::impossible_derived_conditions_p): New decl.
1945         * region-model.cc (region_model::get_rvalue_1): Handle
1946         BIT_AND_EXPR, BIT_IOR_EXPR, and BIT_XOR_EXPR.
1948 2023-02-15  David Malcolm  <dmalcolm@redhat.com>
1950         PR analyzer/108664
1951         PR analyzer/108666
1952         PR analyzer/108725
1953         * diagnostic-manager.cc (epath_finder::get_best_epath): Add
1954         "target_stmt" param.
1955         (epath_finder::explore_feasible_paths): Likewise.
1956         (epath_finder::process_worklist_item): Likewise.
1957         (saved_diagnostic::calc_best_epath): Pass m_stmt to
1958         epath_finder::get_best_epath.
1959         * engine.cc (feasibility_state::maybe_update_for_edge): Move
1960         per-stmt logic to...
1961         (feasibility_state::update_for_stmt): ...this new function.
1962         * exploded-graph.h (feasibility_state::update_for_stmt): New decl.
1963         * feasible-graph.cc (feasible_node::get_state_at_stmt): New.
1964         * feasible-graph.h: Include "analyzer/exploded-graph.h".
1965         (feasible_node::get_state_at_stmt): New decl.
1966         * infinite-recursion.cc
1967         (infinite_recursion_diagnostic::check_valid_fpath_p): Update for
1968         vfunc signature change.
1969         * pending-diagnostic.h (pending_diagnostic::check_valid_fpath_p):
1970         Convert first param to a reference.  Add stmt param.
1971         * region-model.cc: Include "analyzer/feasible-graph.h".
1972         (poisoned_value_diagnostic::poisoned_value_diagnostic): Add
1973         "check_expr" param.
1974         (poisoned_value_diagnostic::check_valid_fpath_p): New.
1975         (poisoned_value_diagnostic::m_check_expr): New field.
1976         (region_model::check_for_poison): Attempt to supply a check_expr
1977         to the diagnostic
1978         (region_model::deref_rvalue): Add NULL for new check_expr param
1979         of poisoned_value_diagnostic.
1980         (region_model::get_or_create_region_for_heap_alloc): Don't reuse
1981         regions that are marked as TOUCHED.
1983 2023-02-10  David Malcolm  <dmalcolm@redhat.com>
1985         PR analyzer/108745
1986         * sm-malloc.cc (deref_before_check::emit): Reject the warning if
1987         the check occurs within a macro definition.
1989 2023-02-09  David Malcolm  <dmalcolm@redhat.com>
1991         PR analyzer/108733
1992         * state-purge.cc (get_candidate_for_purging): Add ADDR_EXPR
1993         and MEM_REF.
1995 2023-02-08  David Malcolm  <dmalcolm@redhat.com>
1997         PR analyzer/108704
1998         * state-purge.cc (state_purge_per_decl::process_point_backwards):
1999         Don't stop processing the decl if it's fully overwritten by
2000         this stmt if it's also used by this stmt.
2002 2023-02-07  David Malcolm  <dmalcolm@redhat.com>
2004         PR analyzer/108661
2005         * sm-fd.cc (class kf_read): New.
2006         (register_known_fd_functions): Register "read".
2007         * sm-file.cc (class kf_fread): Update comment.
2009 2023-02-02  David Malcolm  <dmalcolm@redhat.com>
2011         PR analyzer/108633
2012         * sm-fd.cc (fd_state_machine::check_for_fd_attrs): Add missing
2013         "continue".
2014         (fd_state_machine::on_listen): Don't issue phase-mismatch or
2015         type-mismatch warnings for the "invalid" state.
2017 2023-02-01  David Malcolm  <dmalcolm@redhat.com>
2019         PR analyzer/108616
2020         * pending-diagnostic.cc (fixup_location_in_macro_p): Add "alloca"
2021         to macros that we shouldn't unwind inside.
2023 2023-01-26  David Malcolm  <dmalcolm@redhat.com>
2025         PR analyzer/108524
2026         * analyzer.h (class feasible_node): New forward decl.
2027         * diagnostic-manager.cc (epath_finder::get_best_epath): Add "pd"
2028         param.
2029         (epath_finder::explore_feasible_paths): Likewise.
2030         (epath_finder::process_worklist_item): Likewise.  Use it to call
2031         pending_diagnostic::check_valid_fpath_p on the final fpath to
2032         give pending_diagnostic a way to add additional restrictions on
2033         feasibility.
2034         (saved_diagnostic::calc_best_epath): Pass pending_diagnostic to
2035         epath_finder::get_best_epath.
2036         * infinite-recursion.cc: Include "analyzer/feasible-graph.h".
2037         (infinite_recursion_diagnostic::check_valid_fpath_p): New.
2038         (infinite_recursion_diagnostic::fedge_uses_conjured_svalue_p): New.
2039         (infinite_recursion_diagnostic::expr_uses_conjured_svalue_p): New.
2040         * pending-diagnostic.h (pending_diagnostic::check_valid_fpath_p):
2041         New vfunc.
2043 2023-01-19  David Malcolm  <dmalcolm@redhat.com>
2045         PR analyzer/108455
2046         * analyzer.h (class checker_event): New forward decl.
2047         (class state_change_event): Indent.
2048         (class warning_event): New forward decl.
2049         * checker-event.cc (state_change_event::state_change_event): Add
2050         "enode" param.
2051         (warning_event::get_desc): Update for new param of
2052         evdesc::final_event ctor.
2053         * checker-event.h (state_change_event::state_change_event): Add
2054         "enode" param.
2055         (state_change_event::get_exploded_node): New accessor.
2056         (state_change_event::m_enode): New field.
2057         (warning_event::warning_event): New "enode" param.
2058         (warning_event::get_exploded_node): New accessor.
2059         (warning_event::m_enode): New field.
2060         * diagnostic-manager.cc
2061         (state_change_event_creator::on_global_state_change): Pass
2062         src_node to state_change_event ctor.
2063         (state_change_event_creator::on_state_change): Likewise.
2064         (null_assignment_sm_context::set_next_state): Pass NULL for
2065         new param of state_change_event ctor.
2066         * infinite-recursion.cc
2067         (infinite_recursion_diagnostic::add_final_event): Update for new
2068         param of warning_event ctor.
2069         * pending-diagnostic.cc (pending_diagnostic::add_final_event):
2070         Pass enode to warning_event ctor.
2071         * pending-diagnostic.h (evdesc::final_event): Add reference to
2072         warning_event.
2073         * sm-malloc.cc: Include "analyzer/checker-event.h" and
2074         "analyzer/exploded-graph.h".
2075         (deref_before_check::deref_before_check): Initialize new fields.
2076         (deref_before_check::emit): Reject warnings in which we were
2077         unable to determine the enodes of the dereference and the check.
2078         Reject interprocedural warnings.  Reject warnings in which
2079         the dereference doesn't dominate the check.
2080         (deref_before_check::describe_state_change): Set m_deref_enode.
2081         (deref_before_check::describe_final_event): Set m_check_enode.
2082         (deref_before_check::m_deref_enode): New field.
2083         (deref_before_check::m_check_enode): New field.
2085 2023-01-13  David Malcolm  <dmalcolm@redhat.com>
2087         PR analyzer/105273
2088         * region-model.cc (has_nondefault_case_for_value_p): New.
2089         (has_nondefault_cases_for_all_enum_values_p): New.
2090         (region_model::apply_constraints_for_gswitch): Skip
2091         implicitly-created "default" when switching on an enum
2092         and all enum values have non-default cases.
2093         (rejected_default_case::dump_to_pp): New.
2094         * region-model.h (region_model_context::possibly_tainted_p): New
2095         decl.
2096         (class rejected_default_case): New.
2097         * sm-taint.cc (region_model_context::possibly_tainted_p): New.
2098         * supergraph.cc (switch_cfg_superedge::dump_label_to_pp): Dump
2099         when implicitly_created_default_p.
2100         (switch_cfg_superedge::implicitly_created_default_p): New.
2101         * supergraph.h
2102         (switch_cfg_superedge::implicitly_created_default_p): New decl.
2104 2023-01-11  David Malcolm  <dmalcolm@redhat.com>
2106         PR analyzer/108252
2107         * kf.cc (class kf_strdup): New.
2108         (class kf_strndup): New.
2109         (register_known_functions): Register them.
2110         * region-model.cc (region_model::on_call_pre): Use
2111         &HEAP_ALLOCATED_REGION for the default result of an external
2112         function with the "malloc" attribute, rather than CONJURED_SVALUE.
2113         (region_model::get_or_create_region_for_heap_alloc): Allow
2114         "size_in_bytes" to be NULL.
2115         * store.cc (store::set_value): When handling *UNKNOWN = VAL,
2116         mark VAL as "maybe bound".
2118 2022-12-16  David Malcolm  <dmalcolm@redhat.com>
2120         PR analyzer/106479
2121         * kf.cc (kf_memcpy_memmove::impl_call_pre): Pass in source region
2122         to region_model::check_for_poison.
2123         * region-model-asm.cc (region_model::on_asm_stmt): Pass NULL
2124         region to region_model::check_for_poison.
2125         * region-model.cc (region_model::check_for_poison): Add
2126         "src_region" param, and pass it to poisoned_value_diagnostic.
2127         (region_model::on_assignment): Pass NULL region to
2128         region_model::check_for_poison.
2129         (region_model::get_rvalue): Likewise.
2130         * region-model.h (region_model::check_for_poison): Add
2131         "src_region" param.
2132         * sm-fd.cc (fd_state_machine::on_accept): Pass in source region
2133         to region_model::check_for_poison.
2134         * varargs.cc (kf_va_copy::impl_call_pre): Pass NULL region to
2135         region_model::check_for_poison.
2136         (kf_va_arg::impl_call_pre): Pass in source region to
2137         region_model::check_for_poison.
2139 2022-12-14  David Malcolm  <dmalcolm@redhat.com>
2141         PR analyzer/108065
2142         * region.cc (decl_region::get_svalue_for_initializer): Bail out to
2143         avoid calling binding_key::make with an empty region.
2144         * store.cc (binding_map::apply_ctor_val_to_range): Likewise.
2145         (binding_map::apply_ctor_pair_to_child_region): Likewise.
2146         (binding_cluster::bind): Likewise.
2147         (binding_cluster::purge_region): Likewise.
2148         (binding_cluster::maybe_get_compound_binding): Likewise.
2149         (binding_cluster::maybe_get_simple_value): Likewise.
2151 2022-12-09  David Malcolm  <dmalcolm@redhat.com>
2153         * analyzer.h (class known_function): Expand comment.
2154         * region-model-impl-calls.cc: Rename to...
2155         * kf.cc: ...this.
2156         * known-function-manager.h (class known_function_manager): Add
2157         leading comment.
2159 2022-12-09  David Malcolm  <dmalcolm@redhat.com>
2161         PR analyzer/108003
2162         * call-summary.cc
2163         (call_summary_replay::convert_region_from_summary_1): Convert
2164         heap_regs_in_use from auto_sbitmap to auto_bitmap.
2165         * region-model-manager.cc
2166         (region_model_manager::get_or_create_region_for_heap_alloc):
2167         Convert from sbitmap to bitmap.
2168         * region-model-manager.h: Likewise.
2169         * region-model.cc
2170         (region_model::get_or_create_region_for_heap_alloc): Convert from
2171         auto_sbitmap to auto_bitmap.
2172         (region_model::get_referenced_base_regions): Likewise.
2173         * region-model.h: Include "bitmap.h" rather than "sbitmap.h".
2174         (region_model::get_referenced_base_regions): Convert from
2175         auto_sbitmap to auto_bitmap.
2177 2022-12-09  David Malcolm  <dmalcolm@redhat.com>
2179         * region-model-impl-calls.cc (class kf_memcpy): Rename to...
2180         (class kf_memcpy_memmove): ...this.
2181         (kf_memcpy::impl_call_pre): Rename to...
2182         (kf_memcpy_memmove::impl_call_pre): ...this, and check the src for
2183         poison.
2184         (register_known_functions): Update for above renaming, and
2185         register BUILT_IN_MEMMOVE and BUILT_IN_MEMMOVE_CHK.
2187 2022-12-06  David Malcolm  <dmalcolm@redhat.com>
2189         PR analyzer/107882
2190         * region-model.cc (region_model::get_store_value): Return an
2191         unknown value for empty regions.
2192         (region_model::set_value): Bail on empty regions.
2193         * region.cc (region::empty_p): New.
2194         * region.h (region::empty_p): New decl.
2195         * state-purge.cc (same_binding_p): Bail if either region is empty.
2196         * store.cc (binding_key::make): Assert that a concrete binding's
2197         bit_size must be > 0.
2198         (binding_cluster::mark_region_as_unknown): Bail on empty regions.
2199         (binding_cluster::get_binding): Likewise.
2200         (binding_cluster::remove_overlapping_bindings): Likewise.
2201         (binding_cluster::on_unknown_fncall): Don't conjure values for
2202         empty regions.
2203         (store::fill_region): Bail on empty regions.
2204         * store.h (class concrete_binding): Update comment to reflect that
2205         the range of bits must be non-empty.
2206         (concrete_binding::concrete_binding): Assert that bit range is
2207         non-empty.
2209 2022-12-06  David Malcolm  <dmalcolm@redhat.com>
2211         PR analyzer/106325
2212         * region-model-manager.cc
2213         (region_model_manager::get_or_create_null_ptr): New.
2214         * region-model-manager.h
2215         (region_model_manager::get_or_create_null_ptr): New decl.
2216         * region-model.cc (region_model::on_top_level_param): Add
2217         "nonnull" param and make use of it.
2218         (region_model::push_frame): When handling a top-level entrypoint
2219         to the analysis, determine which params __attribute__((nonnull))
2220         applies to, and pass to on_top_level_param.
2221         * region-model.h (region_model::on_top_level_param): Add "nonnull"
2222         param.
2224 2022-12-06  David Malcolm  <dmalcolm@redhat.com>
2226         * analyzer.h (register_known_analyzer_functions): New decl.
2227         (register_known_functions_lang_cp): New decl.
2228         * call-details.cc: New file, split out from
2229         region-model-impl-calls.cc.
2230         * call-details.h: New file, split out from region-model.h.
2231         * call-info.cc: Include "analyzer/call-details.h".
2232         * call-summary.h: Likewise.
2233         * kf-analyzer.cc: New file, split out from
2234         region-model-impl-calls.cc.
2235         * kf-lang-cp.cc: Likewise.
2236         * known-function-manager.cc: Include "analyzer/call-details.h".
2237         * region-model-impl-calls.cc: Move definitions of call_details's
2238         member functions to call-details.cc.  Move class kf_analyzer_* to
2239         kf-analyzer.cc.  Move kf_operator_new and kf_operator_delete to
2240         kf-lang-cp.cc.  Refresh #includes accordingly.
2241         (register_known_functions): Replace registration of __analyzer_*
2242         functions with a call to register_known_analyzer_functions.
2243         Replace registration of C++ support functions with a call to
2244         register_known_functions_lang_cp.
2245         * region-model.h (class call_details): Move to new call-details.h.
2246         * sm-fd.cc: Include "analyzer/call-details.h".
2247         * sm-file.cc: Likewise.
2248         * sm-malloc.cc: Likewise.
2249         * varargs.cc: Likewise.
2251 2022-12-02  David Malcolm  <dmalcolm@redhat.com>
2253         * analyzer.h (struct event_loc_info): New forward decl.
2254         * bounds-checking.cc: Use event_loc_info throughout to bundle the
2255         loc, fndecl, depth triples.
2256         * call-info.cc: Likewise.
2257         * checker-event.cc: Likewise.
2258         * checker-event.h (struct event_loc_info): New decl.  Use it
2259         throughout to bundle the loc, fndecl, depth triples.
2260         * checker-path.cc: Likewise.
2261         * checker-path.h: Likewise.
2262         * diagnostic-manager.cc: Likewise.
2263         * engine.cc: Likewise.
2264         * infinite-recursion.cc: Likewise.
2265         * pending-diagnostic.cc: Likewise.
2266         * pending-diagnostic.h: Likewise.
2267         * region-model.cc: Likewise.
2268         * sm-signal.cc: Likewise.
2269         * varargs.cc: Likewise.
2271 2022-12-02  David Malcolm  <dmalcolm@redhat.com>
2273         PR analyzer/107851
2274         * analyzer.cc (make_label_text_n): Convert param "n" from int to
2275         unsigned HOST_WIDE_INT.
2276         * analyzer.h (make_label_text_n): Likewise for decl.
2277         * bounds-checking.cc: Include "analyzer/checker-event.h" and
2278         "analyzer/checker-path.h".
2279         (out_of_bounds::add_region_creation_events): New.
2280         (concrete_past_the_end::describe_region_creation_event): Replace
2281         with...
2282         (concrete_past_the_end::add_region_creation_events): ...this.
2283         (symbolic_past_the_end::describe_region_creation_event): Delete.
2284         * checker-event.cc (region_creation_event::region_creation_event):
2285         Update for dropping all member data.
2286         (region_creation_event::get_desc): Delete, splitting out into
2287         region_creation_event_memory_space::get_desc,
2288         region_creation_event_capacity::get_desc, and
2289         region_creation_event_debug::get_desc.
2290         (region_creation_event_memory_space::get_desc): New.
2291         (region_creation_event_capacity::get_desc): New.
2292         (region_creation_event_allocation_size::get_desc): New.
2293         (region_creation_event_debug::get_desc): New.
2294         * checker-event.h: Include "analyzer/program-state.h".
2295         (enum rce_kind): Delete.
2296         (class region_creation_event): Drop all member data.
2297         (region_creation_event::region_creation_event): Make protected.
2298         (region_creation_event::get_desc): Delete.
2299         (class region_creation_event_memory_space): New.
2300         (class region_creation_event_capacity): New.
2301         (class region_creation_event_allocation_size): New.
2302         (class region_creation_event_debug): New.
2303         * checker-path.cc (checker_path::add_region_creation_events): Add
2304         "pd" param.  Call pending_diagnostic::add_region_creation_events.
2305         Update for conversion of RCE_DEBUG to region_creation_event_debug.
2306         * checker-path.h (checker_path::add_region_creation_events): Add
2307         "pd" param.
2308         * diagnostic-manager.cc (diagnostic_manager::build_emission_path):
2309         Pass pending_diagnostic to
2310         emission_path::add_region_creation_events.
2311         (diagnostic_manager::build_emission_path): Pass path_builder to
2312         add_event_on_final_node.
2313         (diagnostic_manager::add_event_on_final_node): Add "pb" param.
2314         Pass pending_diagnostic to
2315         emission_path::add_region_creation_events.
2316         (diagnostic_manager::add_events_for_eedge): Pass
2317         pending_diagnostic to emission_path::add_region_creation_events.
2318         * diagnostic-manager.h
2319         (diagnostic_manager::add_event_on_final_node): Add "pb" param.
2320         * pending-diagnostic.cc
2321         (pending_diagnostic::add_region_creation_events): New.
2322         * pending-diagnostic.h (struct region_creation): Delete.
2323         (pending_diagnostic::describe_region_creation_event): Delete.
2324         (pending_diagnostic::add_region_creation_events): New vfunc.
2325         * region-model.cc: Include "analyzer/checker-event.h" and
2326         "analyzer/checker-path.h".
2327         (dubious_allocation_size::dubious_allocation_size): Initialize
2328         m_has_allocation_event.
2329         (dubious_allocation_size::describe_region_creation_event): Delete.
2330         (dubious_allocation_size::describe_final_event): Update for
2331         replacement of m_allocation_event with m_has_allocation_event.
2332         (dubious_allocation_size::add_region_creation_events): New.
2333         (dubious_allocation_size::m_allocation_event): Replace with...
2334         (dubious_allocation_size::m_has_allocation_event): ...this.
2336 2022-12-02  David Malcolm  <dmalcolm@redhat.com>
2338         PR analyzer/107948
2339         * region-model-manager.cc
2340         (region_model_manager::maybe_fold_binop): Fold (0 - VAL) to -VAL.
2341         * region-model.cc (region_model::eval_condition): Handle e.g.
2342         "-X <= 0" as equivalent to "X >= 0".
2344 2022-12-01  David Malcolm  <dmalcolm@redhat.com>
2346         PR analyzer/106626
2347         * bounds-checking.cc
2348         (symbolic_past_the_end::describe_final_event): Delete, moving to
2349         symbolic_buffer_overflow::describe_final_event and
2350         symbolic_buffer_over_read::describe_final_event, eliminating
2351         composition of text strings via "byte_str" and "m_dir_str".
2352         (symbolic_past_the_end::m_dir_str): Delete field.
2353         (symbolic_buffer_overflow::symbolic_buffer_overflow): Drop
2354         m_dir_str.
2355         (symbolic_buffer_overflow::describe_final_event): New, as noted
2356         above.
2357         (symbolic_buffer_over_read::symbolic_buffer_over_read): Drop
2358         m_dir_str.
2359         (symbolic_buffer_over_read::describe_final_event): New, as noted
2360         above.
2362 2022-12-01  David Malcolm  <dmalcolm@redhat.com>
2364         * bounds-checking.cc (class out_of_bounds): Split out from...
2365         (class concrete_out_of_bounds): New abstract subclass.
2366         (class past_the_end): Rename to...
2367         (class concrete_past_the_end): ...this, and make a subclass of
2368         concrete_out_of_bounds.
2369         (class buffer_overflow): Rename to...
2370         (class concrete_buffer_overflow): ...this, and make a subclass of
2371         concrete_past_the_end.
2372         (class buffer_over_read): Rename to...
2373         (class concrete_buffer_over_read): ...this, and make a subclass of
2374         concrete_past_the_end.
2375         (class buffer_underwrite): Rename to...
2376         (class concrete_buffer_underwrite): ...this, and make a subclass
2377         of concrete_out_of_bounds.
2378         (class buffer_under_read): Rename to...
2379         (class concrete_buffer_under_read): ...this, and make a subclass
2380         of concrete_out_of_bounds.
2381         (class symbolic_past_the_end): Convert to a subclass of
2382         out_of_bounds.
2383         (symbolic_buffer_overflow::get_kind): New.
2384         (symbolic_buffer_over_read::get_kind): New.
2385         (region_model::check_region_bounds): Update for renamings.
2386         * engine.cc (impl_sm_context::set_next_state): Eliminate
2387         "new_ctxt", passing NULL to get_rvalue instead.
2388         (impl_sm_context::warn): Likewise.
2390 2022-12-01  David Malcolm  <dmalcolm@redhat.com>
2392         PR analyzer/106626
2393         * bounds-checking.cc (out_of_bounds::get_memory_space): New.
2394         (buffer_overflow::emit): Use it.
2395         (class buffer_overread): Rename to...
2396         (class buffer_over_read): ...this.
2397         (buffer_over_read::emit): Specify which memory space the read is
2398         from, where known.  Change "overread" to "over-read".
2399         (class buffer_underflow): Rename to...
2400         (class buffer_underwrite): ...this.
2401         (buffer_underwrite::emit): Specify which memory space the write is
2402         to, where known.  Change "underflow" to "underwrite".
2403         (class buffer_underread): Rename to...
2404         (class buffer_under_read): ...this.
2405         (buffer_under_read::emit): Specify which memory space the read is
2406         from, where known.  Change "underread" to "under-read".
2407         (symbolic_past_the_end::get_memory_space): New.
2408         (symbolic_buffer_overflow::emit): Use it.
2409         (class symbolic_buffer_overread): Rename to...
2410         (class symbolic_buffer_over_read): ...this.
2411         (symbolic_buffer_over_read::emit): Specify which memory space the
2412         read is from, where known.  Change "overread" to "over-read".
2413         (region_model::check_symbolic_bounds): Update for class renaming.
2414         (region_model::check_region_bounds): Likewise.
2416 2022-12-01  David Malcolm  <dmalcolm@redhat.com>
2418         PR analyzer/106626
2419         * bounds-checking.cc (out_of_bounds::maybe_describe_array_bounds):
2420         New.
2421         (buffer_overflow::emit): Call maybe_describe_array_bounds.
2422         (buffer_overread::emit): Likewise.
2423         (buffer_underflow::emit): Likewise.
2424         (buffer_underread::emit): Likewise.
2426 2022-12-01  David Malcolm  <dmalcolm@redhat.com>
2428         PR analyzer/106626
2429         * bounds-checking.cc (buffer_overflow::emit): Use inform_n.
2430         Update wording to clarify that we're talking about the size of
2431         the bad access, rather than its position.
2432         (buffer_overread::emit): Likewise.
2434 2022-12-01  David Malcolm  <dmalcolm@redhat.com>
2436         * bounds-checking.cc: New file, taken from region-model.cc.
2437         * region-model.cc (class out_of_bounds): Move to
2438         bounds-checking.cc.
2439         (class past_the_end): Likewise.
2440         (class buffer_overflow): Likewise.
2441         (class buffer_overread): Likewise.
2442         (class buffer_underflow): Likewise.
2443         (class buffer_underread): Likewise.
2444         (class symbolic_past_the_end): Likewise.
2445         (class symbolic_buffer_overflow): Likewise.
2446         (class symbolic_buffer_overread): Likewise.
2447         (region_model::check_symbolic_bounds): Likewise.
2448         (maybe_get_integer_cst_tree): Likewise.
2449         (region_model::check_region_bounds): Likewise.
2450         * region-model.h: Add comment.
2452 2022-12-01  David Malcolm  <dmalcolm@redhat.com>
2454         PR analyzer/107928
2455         * sm-fd.cc (fd_state_machine::on_bind): Handle m_constant_fd in
2456         the "success" outcome.
2457         (fd_state_machine::on_connect): Likewise.
2458         * sm-fd.dot: Add "constant_fd" state and its transitions.
2460 2022-11-30  David Malcolm  <dmalcolm@redhat.com>
2462         * region-model-impl-calls.cc (class kf_fgets): Move to sm-file.cc.
2463         (kf_fgets::impl_call_pre): Likewise.
2464         (class kf_fread): Likewise.
2465         (kf_fread::impl_call_pre): Likewise.
2466         (class kf_getchar): Likewise.
2467         (class kf_stdio_output_fn): Likewise.
2468         (register_known_functions): Move registration of
2469         BUILT_IN_FPRINTF, BUILT_IN_FPRINTF_UNLOCKED, BUILT_IN_FPUTC,
2470         BUILT_IN_FPUTC_UNLOCKED, BUILT_IN_FPUTS, BUILT_IN_FPUTS_UNLOCKED,
2471         BUILT_IN_FWRITE, BUILT_IN_FWRITE_UNLOCKED, BUILT_IN_PRINTF,
2472         BUILT_IN_PRINTF_UNLOCKED, BUILT_IN_PUTC, BUILT_IN_PUTCHAR,
2473         BUILT_IN_PUTCHAR_UNLOCKED, BUILT_IN_PUTC_UNLOCKED, BUILT_IN_PUTS,
2474         BUILT_IN_PUTS_UNLOCKED, BUILT_IN_VFPRINTF, BUILT_IN_VPRINTF,
2475         "getchar", "fgets", "fgets_unlocked", and "fread" to
2476         register_known_file_functions.
2477         * sm-file.cc (class kf_stdio_output_fn): Move here from
2478         region-model-impl-calls.cc.
2479         (class kf_fgets): Likewise.
2480         (class kf_fread): Likewise.
2481         (class kf_getchar): Likewise.
2482         (register_known_file_functions): Move registration of
2483         BUILT_IN_FPRINTF, BUILT_IN_FPRINTF_UNLOCKED, BUILT_IN_FPUTC,
2484         BUILT_IN_FPUTC_UNLOCKED, BUILT_IN_FPUTS, BUILT_IN_FPUTS_UNLOCKED,
2485         BUILT_IN_FWRITE, BUILT_IN_FWRITE_UNLOCKED, BUILT_IN_PRINTF,
2486         BUILT_IN_PRINTF_UNLOCKED, BUILT_IN_PUTC, BUILT_IN_PUTCHAR,
2487         BUILT_IN_PUTCHAR_UNLOCKED, BUILT_IN_PUTC_UNLOCKED, BUILT_IN_PUTS,
2488         BUILT_IN_PUTS_UNLOCKED, BUILT_IN_VFPRINTF, BUILT_IN_VPRINTF,
2489         "fgets", "fgets_unlocked", "fread", and "getchar" to here from
2490         register_known_functions.
2492 2022-11-30  David Malcolm  <dmalcolm@redhat.com>
2494         PR analyzer/103546
2495         * analyzer.h (register_known_file_functions): New decl.
2496         * program-state.cc (sm_state_map::replay_call_summary): Reject
2497         attempts to store sm-state for caller_sval that can't have
2498         associated state.
2499         * region-model-impl-calls.cc (register_known_functions): Call
2500         register_known_file_functions.
2501         * sm-fd.cc (class kf_isatty): New.
2502         (register_known_fd_functions): Register it.
2503         * sm-file.cc (class kf_ferror): New.
2504         (class kf_fileno): New.
2505         (class kf_getc): New.
2506         (register_known_file_functions): New.
2508 2022-11-30  David Malcolm  <dmalcolm@redhat.com>
2510         PR analyzer/105784
2511         * region-model-manager.cc
2512         (region_model_manager::maybe_fold_binop): For POINTER_PLUS_EXPR,
2513         PLUS_EXPR and MINUS_EXPR, eliminate requirement that the final
2514         type matches that of arg0 in favor of a cast.
2516 2022-11-24  Martin Liska  <mliska@suse.cz>
2518         * varargs.cc: Fix Clang warnings.
2520 2022-11-24  David Malcolm  <dmalcolm@redhat.com>
2522         PR analyzer/106473
2523         * call-summary.cc
2524         (call_summary_replay::convert_region_from_summary_1): Update for
2525         change to creation of heap-allocated regions.
2526         * program-state.cc (test_program_state_1): Likewise.
2527         (test_program_state_merging): Likewise.
2528         * region-model-impl-calls.cc (kf_calloc::impl_call_pre): Likewise.
2529         (kf_malloc::impl_call_pre): Likewise.
2530         (kf_operator_new::impl_call_pre): Likewise.
2531         (kf_realloc::impl_call_postsuccess_with_move::update_model): Likewise.
2532         * region-model-manager.cc
2533         (region_model_manager::create_region_for_heap_alloc): Convert
2534         to...
2535         (region_model_manager::get_or_create_region_for_heap_alloc):
2536         ...this, reusing an existing region if it's unreferenced in the
2537         client state.
2538         * region-model-manager.h (region_model_manager::get_num_regions): New.
2539         (region_model_manager::create_region_for_heap_alloc): Convert to...
2540         (region_model_manager::get_or_create_region_for_heap_alloc): ...this.
2541         * region-model.cc (region_to_value_map::can_merge_with_p): Reject
2542         merger when the values are different.
2543         (region_model::create_region_for_heap_alloc): Convert to...
2544         (region_model::get_or_create_region_for_heap_alloc): ...this.
2545         (region_model::get_referenced_base_regions): New.
2546         (selftest::test_state_merging): Update for change to creation of
2547         heap-allocated regions.
2548         (selftest::test_malloc_constraints): Likewise.
2549         (selftest::test_malloc): Likewise.
2550         * region-model.h: Include "sbitmap.h".
2551         (region_model::create_region_for_heap_alloc): Convert to...
2552         (region_model::get_or_create_region_for_heap_alloc): ...this.
2553         (region_model::get_referenced_base_regions): New decl.
2554         * store.cc (store::canonicalize): Don't purge a heap-allocated region
2555         that's been marked as escaping.
2557 2022-11-24  David Malcolm  <dmalcolm@redhat.com>
2559         * checker-path.cc (checker_path::inject_any_inlined_call_events):
2560         Don't dump the address of the block when -fdump-noaddr.
2562 2022-11-24  David Malcolm  <dmalcolm@redhat.com>
2564         * region-model.h (region_model::on_socket): Delete decl.
2565         (region_model::on_bind): Likewise.
2566         (region_model::on_listen): Likewise.
2567         (region_model::on_accept): Likewise.
2568         (region_model::on_connect): Likewise.
2569         * sm-fd.cc (kf_socket::outcome_of_socket::update_model): Move body
2570         of region_model::on_socket into here, ...
2571         (region_model::on_socket): ...eliminating this function.
2572         (kf_bind::outcome_of_bind::update_model): Likewise for on_bind...
2573         (region_model::on_bind): ...eliminating this function.
2574         (kf_listen::outcome_of_listen::update_model): Likewise for
2575         on_listen...
2576         (region_model::on_listen): ...eliminating this function.
2577         (kf_accept::outcome_of_accept::update_model): Likewise for
2578         on_accept...
2579         (region_model::on_accept): ...eliminating this function.
2580         (kf_connect::outcome_of_connect::update_model): Likewise for
2581         on_connect...
2582         (region_model::on_connect): ...eliminating this function.
2584 2022-11-24  David Malcolm  <dmalcolm@redhat.com>
2586         * analyzer.h (register_known_fd_functions): New decl.
2587         * region-model-impl-calls.cc (class kf_accept): Move to sm-fd.cc.
2588         (class kf_bind): Likewise.
2589         (class kf_connect): Likewise.
2590         (class kf_listen): Likewise.
2591         (class kf_pipe): Likewise.
2592         (class kf_socket): Likewise.
2593         (register_known_functions): Remove registration of the above
2594         functions, instead calling register_known_fd_functions.
2595         * sm-fd.cc: Include "analyzer/call-info.h".
2596         (class kf_socket): Move here from region-model-impl-calls.cc.
2597         (class kf_bind): Likewise.
2598         (class kf_listen): Likewise.
2599         (class kf_accept): Likewise.
2600         (class kf_connect): Likewise.
2601         (class kf_pipe): Likewise.
2602         (register_known_fd_functions): New.
2604 2022-11-22  David Malcolm  <dmalcolm@redhat.com>
2606         PR analyzer/107788
2607         * known-function-manager.cc (known_function_manager::get_match):
2608         Don't look up fndecls by name when they're not in the root
2609         namespace.
2611 2022-11-22  David Malcolm  <dmalcolm@redhat.com>
2613         PR analyzer/107783
2614         * sm-fd.cc (fd_state_machine::check_for_new_socket_fd): Don't
2615         complain when old state is "fd-constant".
2616         (fd_state_machine::on_listen): Likewise.
2617         (fd_state_machine::on_accept): Likewise.
2619 2022-11-22  David Malcolm  <dmalcolm@redhat.com>
2621         PR analyzer/107807
2622         * region-model-impl-calls.cc (register_known_functions): Register
2623         "___errno" and "__error" as synonyms for "__errno_location".
2625 2022-11-22  David Malcolm  <dmalcolm@redhat.com>
2627         * analyzer.h (class internal_known_function): New.
2628         (register_varargs_builtins): New decl.
2629         * engine.cc (exploded_node::on_stmt_pre): Remove
2630         "out_terminate_path" param from call to region_model::on_stmt_pre.
2631         (feasibility_state::maybe_update_for_edge): Likewise.
2632         * known-function-manager.cc: Include "basic-block.h", "gimple.h",
2633         and "analyzer/region-model.h".
2634         (known_function_manager::known_function_manager): Initialize
2635         m_combined_fns_arr.
2636         (known_function_manager::~known_function_manager): Clean up
2637         m_combined_fns_arr.
2638         (known_function_manager::get_by_identifier): Make const.
2639         (known_function_manager::add): New overloaded definitions for
2640         enum built_in_function and enum internal_fn.
2641         (known_function_manager::get_by_fndecl): Delete.
2642         (known_function_manager::get_match): New.
2643         (known_function_manager::get_internal_fn): New.
2644         (known_function_manager::get_normal_builtin): New.
2645         * known-function-manager.h
2646         (known_function_manager::get_by_identifier): Make private and
2647         add const qualifier.
2648         (known_function_manager::get_by_fndecl): Delete.
2649         (known_function_manager::add): Add overloaded decls for
2650         enum built_in_function name and enum internal_fn.
2651         (known_function_manager::get_match): New decl.
2652         (known_function_manager::get_internal_fn): New decl.
2653         (known_function_manager::get_normal_builtin): New decl.
2654         (known_function_manager::m_combined_fns_arr): New field.
2655         * region-model-impl-calls.cc (call_details::arg_is_size_p): New.
2656         (class kf_alloca): New.
2657         (region_model::impl_call_alloca): Convert to...
2658         (kf_alloca::impl_call_pre): ...this.
2659         (kf_analyzer_dump_capacity::matches_call_types_p): Rewrite check
2660         to use call_details::arg_is_pointer_p.
2661         (region_model::impl_call_builtin_expect): Convert to...
2662         (class kf_expect): ...this.
2663         (class kf_calloc): New, adding check that both arguments are
2664         size_t.
2665         (region_model::impl_call_calloc): Convert to...
2666         (kf_calloc::impl_call_pre): ...this.
2667         (kf_connect::matches_call_types_p): Rewrite check to use
2668         call_details::arg_is_pointer_p.
2669         (region_model::impl_call_error): Convert to...
2670         (class kf_error): ...this, and...
2671         (kf_error::impl_call_pre): ...this.
2672         (class kf_fgets): New, adding checks that args 0 and 2 are
2673         pointers.
2674         (region_model::impl_call_fgets): Convert to...
2675         (kf_fgets::impl_call_pre): ...this.
2676         (class kf_fread): New, adding checks on the argument types.
2677         (region_model::impl_call_fread): Convert to...
2678         (kf_fread::impl_call_pre): ...this.
2679         (class kf_free): New, adding check that the argument is a pointer.
2680         (region_model::impl_call_free): Convert to...
2681         (kf_free::impl_call_post): ...this.
2682         (class kf_getchar): New.
2683         (class kf_malloc): New, adding check that the argument is a
2684         size_t.
2685         (region_model::impl_call_malloc): Convert to...
2686         (kf_malloc::impl_call_pre): ...this.
2687         (class kf_memcpy): New, adding checks on arguments.
2688         (region_model::impl_call_memcpy): Convert to...
2689         (kf_memcpy::impl_call_pre): ...this.
2690         (class kf_memset): New.
2691         (region_model::impl_call_memset): Convert to...
2692         (kf_memset::impl_call_pre): ...this.
2693         (kf_pipe::matches_call_types_p): Rewrite check to use
2694         call_details::arg_is_pointer_p.
2695         (kf_putenv::matches_call_types_p): Likewise.
2696         (class kf_realloc): New, adding checks on the argument types.
2697         (region_model::impl_call_realloc): Convert to...
2698         (kf_realloc::impl_call_post): ...this.
2699         (class kf_strchr): New.
2700         (region_model::impl_call_strchr): Convert to...
2701         (kf_strchr::impl_call_post): ...this.
2702         (class kf_stack_restore): New.
2703         (class kf_stack_save): New.
2704         (class kf_stdio_output_fn): New.
2705         (class kf_strcpy): New.
2706         (region_model::impl_call_strcpy): Convert to...
2707         (kf_strcpy::impl_call_pre): ...this.
2708         (class kf_strlen): New.
2709         (region_model::impl_call_strlen): Convert to...
2710         (kf_strlen::impl_call_pre): ...this.
2711         (class kf_ubsan_bounds): New.
2712         (region_model::impl_deallocation_call): Reimplement to avoid call
2713         to impl_call_free.
2714         (register_known_functions): Add handlers for IFN_BUILTIN_EXPECT
2715         and IFN_UBSAN_BOUNDS.  Add handlers for BUILT_IN_ALLOCA,
2716         BUILT_IN_ALLOCA_WITH_ALIGN, BUILT_IN_CALLOC, BUILT_IN_EXPECT,
2717         BUILT_IN_EXPECT_WITH_PROBABILITY, BUILT_IN_FPRINTF,
2718         BUILT_IN_FPRINTF_UNLOCKED, BUILT_IN_FPUTC,
2719         BUILT_IN_FPUTC_UNLOCKED, BUILT_IN_FPUTS, BUILT_IN_FPUTS_UNLOCKED,
2720         BUILT_IN_FREE, BUILT_IN_FWRITE, BUILT_IN_FWRITE_UNLOCKED,
2721         BUILT_IN_MALLOC, BUILT_IN_MEMCPY, BUILT_IN_MEMCPY_CHK,
2722         BUILT_IN_MEMSET, BUILT_IN_MEMSET_CHK, BUILT_IN_PRINTF,
2723         BUILT_IN_PRINTF_UNLOCKED, BUILT_IN_PUTC, BUILT_IN_PUTCHAR,
2724         BUILT_IN_PUTCHAR_UNLOCKED, BUILT_IN_PUTC_UNLOCKED, BUILT_IN_PUTS,
2725         BUILT_IN_PUTS_UNLOCKED, BUILT_IN_REALLOC, BUILT_IN_STACK_RESTORE,
2726         BUILT_IN_STACK_SAVE, BUILT_IN_STRCHR, BUILT_IN_STRCPY,
2727         BUILT_IN_STRCPY_CHK, BUILT_IN_STRLEN, BUILT_IN_VFPRINTF, and
2728         BUILT_IN_VPRINTF. Call register_varargs_builtins.  Add handlers
2729         for "getchar", "memset", "fgets", "fgets_unlocked", "fread",
2730         "error", and "error_at_line".
2731         * region-model.cc (region_model::on_stmt_pre): Drop
2732         "out_terminate_path" param.
2733         (region_model::get_known_function): Reimplement by calling
2734         known_function_manager::get_match, passing new "cd" param.
2735         Add overload taking enum internal_fn.
2736         (region_model::on_call_pre): Drop "out_terminate_path" param.
2737         Remove special-case handling of internal fns IFN_BUILTIN_EXPECT,
2738         IFN_UBSAN_BOUNDS, and IFN_VA_ARG, of built-in fns BUILT_IN_ALLOCA,
2739         BUILT_IN_ALLOCA_WITH_ALIGN, BUILT_IN_CALLOC, BUILT_IN_EXPECT,
2740         BUILT_IN_EXPECT_WITH_PROBABILITY, BUILT_IN_FREE, BUILT_IN_MALLOC,
2741         BUILT_IN_MEMCPY, BUILT_IN_MEMCPY_CHK, BUILT_IN_MEMSET,
2742         BUILT_IN_MEMSET_CHK, BUILT_IN_REALLOC, BUILT_IN_STRCHR,
2743         BUILT_IN_STRCPY, BUILT_IN_STRCPY_CHK, BUILT_IN_STRLEN,
2744         BUILT_IN_STACK_SAVE, BUILT_IN_STACK_RESTORE, BUILT_IN_FPRINTF,
2745         BUILT_IN_FPRINTF_UNLOCKED, BUILT_IN_PUTC, BUILT_IN_PUTC_UNLOCKED,
2746         BUILT_IN_FPUTC, BUILT_IN_FPUTC_UNLOCKED, BUILT_IN_FPUTS,
2747         BUILT_IN_FPUTS_UNLOCKED, BUILT_IN_FWRITE,
2748         BUILT_IN_FWRITE_UNLOCKED, BUILT_IN_PRINTF,
2749         BUILT_IN_PRINTF_UNLOCKED, BUILT_IN_PUTCHAR,
2750         BUILT_IN_PUTCHAR_UNLOCKED, BUILT_IN_PUTS, BUILT_IN_PUTS_UNLOCKED,
2751         BUILT_IN_VFPRINTF, BUILT_IN_VPRINTF, BUILT_IN_VA_START, and
2752         BUILT_IN_VA_COPY, and of named functions "malloc", "calloc",
2753         "alloca", "realloc", "error", "error_at_line", "fgets",
2754         "fgets_unlocked", "fread", "getchar", "memset", "strchr", and
2755         "strlen".  Replace all this special-casing with calls to
2756         get_known_function for internal fns and for fn decls.
2757         (region_model::on_call_post): Remove special-casing handling for
2758         "free" and "strchr", and for BUILT_IN_REALLOC, BUILT_IN_STRCHR,
2759         and BUILT_IN_VA_END.  Replace by consolidating on usage of
2760         get_known_function.
2761         * region-model.h (call_details::arg_is_size_p): New.
2762         (region_model::on_stmt_pre): Drop "out_terminate_path" param.
2763         (region_model::on_call_pre): Likewise.
2764         (region_model::impl_call_alloca): Delete.
2765         (region_model::impl_call_builtin_expect): Delete.
2766         (region_model::impl_call_calloc): Delete.
2767         (region_model::impl_call_error): Delete.
2768         (region_model::impl_call_fgets): Delete.
2769         (region_model::impl_call_fread): Delete.
2770         (region_model::impl_call_free): Delete.
2771         (region_model::impl_call_malloc): Delete.
2772         (region_model::impl_call_memcpy): Delete.
2773         (region_model::impl_call_memset): Delete.
2774         (region_model::impl_call_realloc): Delete.
2775         (region_model::impl_call_strchr): Delete.
2776         (region_model::impl_call_strcpy): Delete.
2777         (region_model::impl_call_strlen): Delete.
2778         (region_model::impl_call_va_start): Delete.
2779         (region_model::impl_call_va_copy): Delete.
2780         (region_model::impl_call_va_arg): Delete.
2781         (region_model::impl_call_va_end): Delete.
2782         (region_model::check_region_for_write): Public.
2783         (region_model::get_known_function): Add "cd" param.  Add
2784         overloaded decl taking enum internal_fn.
2785         * sm-malloc.cc: Update comments.
2786         * varargs.cc (class kf_va_start): New.
2787         (region_model::impl_call_va_start): Convert to...
2788         (kf_va_start::impl_call_pre): ...this.
2789         (class kf_va_copy): New.
2790         (region_model::impl_call_va_copy): Convert to...
2791         (kf_va_copy::impl_call_pre): ...this.
2792         (class kf_va_arg): New.
2793         (region_model::impl_call_va_arg): Convert to...
2794         (kf_va_arg::impl_call_pre): ...this.
2795         (class kf_va_end): New.
2796         (region_model::impl_call_va_end): Delete.
2797         (register_varargs_builtins): New.
2799 2022-11-22  David Malcolm  <dmalcolm@redhat.com>
2801         PR analyzer/107788
2802         * region-model.cc (region_model::update_for_int_cst_return):
2803         Require that the return type be an integer type.
2804         (region_model::update_for_nonzero_return): Likewise.
2806 2022-11-22  David Malcolm  <dmalcolm@redhat.com>
2808         PR analyzer/107783
2809         * region-model-impl-calls.cc (kf_accept::matches_call_types_p):
2810         Require that args 1 and 2 be pointers.
2811         (kf_bind::matches_call_types_p): Require that arg 1 be a pointer.
2812         * region-model.h (call_details::arg_is_pointer_p): New.
2814 2022-11-22  David Malcolm  <dmalcolm@redhat.com>
2816         PR analyzer/107777
2817         * call-summary.cc
2818         (call_summary_replay::convert_region_from_summary_1): Handle
2819         RK_THREAD_LOCAL and RK_ERRNO in switch.
2820         * region-model.cc (region_model::get_representative_path_var_1):
2821         Likewise.
2823 2022-11-19  David Malcolm  <dmalcolm@redhat.com>
2825         PR analyzer/107582
2826         * engine.cc (dynamic_call_info_t::update_model): Update the model
2827         by pushing or popping a frame, rather than by clobbering it with the
2828         model from the exploded_node's state.
2830 2022-11-18  David Malcolm  <dmalcolm@redhat.com>
2832         * analyzer.cc (is_pipe_call_p): Delete.
2833         * analyzer.h (is_pipe_call_p): Delete.
2834         * region-model-impl-calls.cc (call_details::get_location): New.
2835         (class kf_analyzer_break): New, adapted from
2836         region_model::on_stmt_pre.
2837         (region_model::impl_call_analyzer_describe): Convert to...
2838         (class kf_analyzer_describe): ...this.
2839         (region_model::impl_call_analyzer_dump_capacity): Convert to...
2840         (class kf_analyzer_dump_capacity): ...this.
2841         (region_model::impl_call_analyzer_dump_escaped): Convert to...
2842         (class kf_analyzer_dump_escaped): ...this.
2843         (class kf_analyzer_dump_exploded_nodes): New.
2844         (region_model::impl_call_analyzer_dump_named_constant): Convert
2845         to...
2846         (class kf_analyzer_dump_named_constant): ...this.
2847         (class dump_path_diagnostic): Move here from region-model.cc.
2848         (class kf_analyzer_dump_path): New, adapted from
2849         region_model::on_stmt_pre.
2850         (class kf_analyzer_dump_region_model): Likewise.
2851         (region_model::impl_call_analyzer_eval): Convert to...
2852         (class kf_analyzer_eval): ...this.
2853         (region_model::impl_call_analyzer_get_unknown_ptr): Convert to...
2854         (class kf_analyzer_get_unknown_ptr): ...this.
2855         (class known_function_accept): Rename to...
2856         (class kf_accept): ...this.
2857         (class known_function_bind): Rename to...
2858         (class kf_bind): ...this.
2859         (class known_function_connect): Rename to...
2860         (class kf_connect): ...this.
2861         (region_model::impl_call_errno_location): Convert to...
2862         (class kf_errno_location): ...this.
2863         (class known_function_listen): Rename to...
2864         (class kf_listen): ...this.
2865         (region_model::impl_call_pipe): Convert to...
2866         (class kf_pipe): ...this.
2867         (region_model::impl_call_putenv): Convert to...
2868         (class kf_putenv): ...this.
2869         (region_model::impl_call_operator_new): Convert to...
2870         (class kf_operator_new): ...this.
2871         (region_model::impl_call_operator_delete): Convert to...
2872         (class kf_operator_delete): ...this.
2873         (class known_function_socket): Rename to...
2874         (class kf_socket): ...this.
2875         (register_known_functions): Rename param to KFM.  Break out
2876         existing known functions into a "POSIX" section, and add "pipe",
2877         "pipe2", and "putenv".  Add debugging functions
2878         "__analyzer_break", "__analyzer_describe",
2879         "__analyzer_dump_capacity", "__analyzer_dump_escaped",
2880         "__analyzer_dump_exploded_nodes",
2881         "__analyzer_dump_named_constant", "__analyzer_dump_path",
2882         "__analyzer_dump_region_model", "__analyzer_eval",
2883         "__analyzer_get_unknown_ptr".  Add C++ support functions
2884         "operator new", "operator new []", "operator delete", and
2885         "operator delete []".
2886         * region-model.cc (class dump_path_diagnostic): Move to
2887         region-model-impl-calls.cc.
2888         (region_model::on_stmt_pre): Eliminate special-casing of
2889         "__analyzer_describe", "__analyzer_dump_capacity",
2890         "__analyzer_dump_escaped", "__analyzer_dump_named_constant",
2891         "__analyzer_dump_path", "__analyzer_dump_region_model",
2892         "__analyzer_eval", "__analyzer_break",
2893         "__analyzer_dump_exploded_nodes", "__analyzer_get_unknown_ptr",
2894         "__errno_location", "pipe", "pipe2", "putenv", "operator new",
2895         "operator new []", "operator delete", and "operator delete []",
2896         handling them instead via the known_functions
2897         mechanism.
2898         * region-model.h (call_details::get_location): New decl.
2899         (region_model::impl_call_analyzer_describe): Delete decl.
2900         (region_model::impl_call_analyzer_dump_capacity): Delete decl.
2901         (region_model::impl_call_analyzer_dump_escaped): Delete decl.
2902         (region_model::impl_call_analyzer_dump_named_constant): Delete decl.
2903         (region_model::impl_call_analyzer_eval): Delete decl.
2904         (region_model::impl_call_analyzer_get_unknown_ptr): Delete decl.
2905         (region_model::impl_call_errno_location): Delete decl.
2906         (region_model::impl_call_pipe): Delete decl.
2907         (region_model::impl_call_putenv): Delete decl.
2908         (region_model::impl_call_operator_new): Delete decl.
2909         (region_model::impl_call_operator_delete): Delete decl.
2910         * sm-fd.cc: Update comments.
2912 2022-11-16  David Malcolm  <dmalcolm@redhat.com>
2914         PR analyzer/107711
2915         * analyzer-language.cc: Include "diagnostic.h".
2916         (maybe_stash_named_constant): Add logger param and use it to log
2917         the name being looked up, and the result.
2918         (stash_named_constants): New, splitting out from...
2919         (on_finish_translation_unit): ...this function.  Call
2920         get_or_create_logfile and use the result to create a logger
2921         instance, passing it to stash_named_constants.
2922         * analyzer.h (get_or_create_any_logfile): New decl.
2923         * engine.cc (dump_fout, owns_dump_fout): New globals, split out
2924         from run_checkers.
2925         (get_or_create_any_logfile): New function, split out from...
2926         (run_checkers): ...here, so that the logfile can be opened by
2927         on_finish_translation_unit.  Clear the globals when closing the
2928         dump file.
2930 2022-11-16  David Malcolm  <dmalcolm@redhat.com>
2932         * analyzer.h (known_function::matches_call_types_p): New vfunc.
2933         (known_function::impl_call_pre): Provide base implementation.
2934         (known_function::impl_call_post): New vfunc.
2935         (register_known_functions): New.
2936         * engine.cc (impl_run_checkers): Call register_known_functions.
2937         * region-model-impl-calls.cc (region_model::impl_call_accept):
2938         Convert to...
2939         (class known_function_accept): ...this.
2940         (region_model::impl_call_bind): Convert to...
2941         (class known_function_bind): ...this.
2942         (region_model::impl_call_connect): Convert to...
2943         (class known_function_connect): ...this.
2944         (region_model::impl_call_listen): Convert to...
2945         (class known_function_listen): ...this.
2946         (region_model::impl_call_socket): Convert to...
2947         (class known_function_socket): ...this.
2948         (register_known_functions): New.
2949         * region-model.cc (region_model::on_call_pre): Remove special
2950         case for "bind" in favor of the known_function-handling dispatch.
2951         Add call to known_function::matches_call_types_p to latter.
2952         (region_model::on_call_post): Remove special cases for "accept",
2953         "bind", "connect", "listen", and "socket" in favor of dispatch
2954         to known_function::impl_call_post.
2955         * region-model.h (region_model::impl_call_accept): Delete decl.
2956         (region_model::impl_call_bind): Delete decl.
2957         (region_model::impl_call_connect): Delete decl.
2958         (region_model::impl_call_listen): Delete decl.
2959         (region_model::impl_call_socket): Delete decl.
2960         * sm-fd.cc: Update comments.
2962 2022-11-16  David Malcolm  <dmalcolm@redhat.com>
2964         * checker-event.cc: New file, split out from...
2965         * checker-path.cc: ...this file.
2967 2022-11-15  David Malcolm  <dmalcolm@redhat.com>
2969         PR analyzer/106140
2970         * analyzer-language.cc (on_finish_translation_unit): Stash named
2971         constants "SOCK_STREAM" and "SOCK_DGRAM".
2972         * analyzer.opt (Wanalyzer-fd-phase-mismatch): New.
2973         (Wanalyzer-fd-type-mismatch): New.
2974         * engine.cc (impl_region_model_context::get_state_map_by_name):
2975         Add "out_sm_context" param.  Allow out_sm_idx to be NULL.
2976         * exploded-graph.h
2977         (impl_region_model_context::get_state_map_by_name):
2978         Add "out_sm_context" param.
2979         * region-model-impl-calls.cc (region_model::impl_call_accept): New.
2980         (region_model::impl_call_bind): New.
2981         (region_model::impl_call_connect): New.
2982         (region_model::impl_call_listen): New.
2983         (region_model::impl_call_socket): New.
2984         * region-model.cc (region_model::on_call_pre): Special-case
2985         "bind".
2986         (region_model::on_call_post): Special-case "accept", "bind",
2987         "connect", "listen", and "socket".
2988         * region-model.h (region_model::impl_call_accept): New decl.
2989         (region_model::impl_call_bind): New decl.
2990         (region_model::impl_call_connect): New decl.
2991         (region_model::impl_call_listen): New decl.
2992         (region_model::impl_call_socket): New decl.
2993         (region_model::on_socket): New decl.
2994         (region_model::on_bind): New decl.
2995         (region_model::on_listen): New decl.
2996         (region_model::on_accept): New decl.
2997         (region_model::on_connect): New decl.
2998         (region_model::add_constraint): Make public.
2999         (region_model::check_for_poison): Make public.
3000         (region_model_context::get_state_map_by_name): Add out_sm_context param.
3001         (region_model_context::get_fd_map): Likewise.
3002         (region_model_context::get_malloc_map): Likewise.
3003         (region_model_context::get_taint_map): Likewise.
3004         (noop_region_model_context::get_state_map_by_name): Likewise.
3005         (region_model_context_decorator::get_state_map_by_name): Likewise.
3006         * sm-fd.cc: Include "analyzer/supergraph.h" and
3007         "analyzer/analyzer-language.h".
3008         (enum expected_phase): New enum.
3009         (fd_state_machine::m_new_datagram_socket): New.
3010         (fd_state_machine::m_new_stream_socket): New.
3011         (fd_state_machine::m_new_unknown_socket): New.
3012         (fd_state_machine::m_bound_datagram_socket): New.
3013         (fd_state_machine::m_bound_stream_socket): New.
3014         (fd_state_machine::m_bound_unknown_socket): New.
3015         (fd_state_machine::m_listening_stream_socket): New.
3016         (fd_state_machine::m_m_connected_stream_socket): New.
3017         (fd_state_machine::m_SOCK_STREAM): New.
3018         (fd_state_machine::m_SOCK_DGRAM): New.
3019         (fd_diagnostic::describe_state_change): Handle socket states.
3020         (fd_diagnostic::get_meaning_for_state_change): Likewise.
3021         (class fd_phase_mismatch): New.
3022         (enum expected_type): New enum.
3023         (class fd_type_mismatch): New.
3024         (fd_state_machine::fd_state_machine): Initialize new states and
3025         stashed named constants.
3026         (fd_state_machine::is_socket_fd_p): New.
3027         (fd_state_machine::is_datagram_socket_fd_p): New.
3028         (fd_state_machine::is_stream_socket_fd_p): New.
3029         (fd_state_machine::on_close): Handle the socket states.
3030         (fd_state_machine::check_for_open_fd): Complain about fncalls on
3031         sockets in the wrong phase.  Support socket FDs.
3032         (add_constraint_ge_zero): New.
3033         (fd_state_machine::get_state_for_socket_type): New.
3034         (fd_state_machine::on_socket): New.
3035         (fd_state_machine::check_for_socket_fd): New.
3036         (fd_state_machine::check_for_new_socket_fd): New.
3037         (fd_state_machine::on_bind): New.
3038         (fd_state_machine::on_listen): New.
3039         (fd_state_machine::on_accept): New.
3040         (fd_state_machine::on_connect): New.
3041         (fd_state_machine::can_purge_p): Don't purge socket values.
3042         (get_fd_state): New.
3043         (region_model::mark_as_valid_fd): Use get_fd_state.
3044         (region_model::on_socket): New.
3045         (region_model::on_bind): New.
3046         (region_model::on_listen): New.
3047         (region_model::on_accept): New.
3048         (region_model::on_connect): New.
3049         * sm-fd.dot: Update to reflect sm-fd.cc changes.
3051 2022-11-15  David Malcolm  <dmalcolm@redhat.com>
3053         PR analyzer/106302
3054         * analyzer-language.cc: New file.
3055         * analyzer-language.h: New file.
3056         * analyzer.h (get_stashed_constant_by_name): New decl.
3057         (log_stashed_constants): New decl.
3058         * engine.cc (impl_run_checkers): Call log_stashed_constants.
3059         * region-model-impl-calls.cc
3060         (region_model::impl_call_analyzer_dump_named_constant): New.
3061         * region-model.cc (region_model::on_stmt_pre): Handle
3062         __analyzer_dump_named_constant.
3063         * region-model.h
3064         (region_model::impl_call_analyzer_dump_named_constant): New decl.
3065         * sm-fd.cc (fd_state_machine::m_O_ACCMODE): New.
3066         (fd_state_machine::m_O_RDONLY): New.
3067         (fd_state_machine::m_O_WRONLY): New.
3068         (fd_state_machine::fd_state_machine): Initialize the new fields.
3069         (fd_state_machine::get_access_mode_from_flag): Use the new fields,
3070         rather than using the host values.
3072 2022-11-13  David Malcolm  <dmalcolm@redhat.com>
3074         PR analyzer/106235
3075         * analyzer.opt (Wanalyzer-tainted-assertion): New.
3076         * checker-path.cc (checker_path::fixup_locations): Pass false to
3077         pending_diagnostic::fixup_location.
3078         * diagnostic-manager.cc (get_emission_location): Pass true to
3079         pending_diagnostic::fixup_location.
3080         * pending-diagnostic.cc (pending_diagnostic::fixup_location): Add
3081         bool param.
3082         * pending-diagnostic.h (pending_diagnostic::fixup_location): Add
3083         bool param to decl.
3084         * sm-taint.cc (taint_state_machine::m_tainted_control_flow): New.
3085         (taint_diagnostic::describe_state_change): Drop "final".
3086         (class tainted_assertion): New.
3087         (taint_state_machine::taint_state_machine): Initialize
3088         m_tainted_control_flow.
3089         (taint_state_machine::alt_get_inherited_state): Support
3090         comparisons being tainted, based on their arguments.
3091         (is_assertion_failure_handler_p): New.
3092         (taint_state_machine::on_stmt): Complain about calls to assertion
3093         failure handlers guarded by an attacker-controlled conditional.
3094         Detect attacker-controlled gcond conditionals and gswitch index
3095         values.
3096         (taint_state_machine::check_control_flow_arg_for_taint): New.
3098 2022-11-11  David Malcolm  <dmalcolm@redhat.com>
3100         * sm-fd.dot: Fix typo in comment.
3101         * sm-file.dot: New file.
3102         * varargs.cc: Fix typo in comment.
3103         * varargs.dot: New file.
3105 2022-11-11  David Malcolm  <dmalcolm@redhat.com>
3107         * checker-path.h: Split out checker_event and its subclasses to...
3108         * checker-event.h: ...this new header.
3110 2022-11-11  David Malcolm  <dmalcolm@redhat.com>
3112         PR analyzer/106147
3113         * analyzer.opt (Wanalyzer-infinite-recursion): New.
3114         * call-string.cc (call_string::count_occurrences_of_function):
3115         New.
3116         * call-string.h (call_string::count_occurrences_of_function): New
3117         decl.
3118         * checker-path.cc (function_entry_event::function_entry_event):
3119         New ctor.
3120         (checker_path::add_final_event): Delete.
3121         * checker-path.h (function_entry_event::function_entry_event): New
3122         ctor.
3123         (function_entry_event::get_desc): Drop "final".
3124         (checker_path::add_final_event): Delete.
3125         * diagnostic-manager.cc
3126         (diagnostic_manager::emit_saved_diagnostic): Create the final
3127         event via a new pending_diagnostic::add_final_event vfunc, rather
3128         than checker_path::add_final_event.
3129         (diagnostic_manager::add_events_for_eedge): Create function entry
3130         events via a new pending_diagnostic::add_function_entry_event
3131         vfunc.
3132         * engine.cc (exploded_graph::process_node): When creating a new
3133         PK_BEFORE_SUPERNODE node, call
3134         exploded_graph::detect_infinite_recursion on it after adding the
3135         in-edge.
3136         * exploded-graph.h (exploded_graph::detect_infinite_recursion):
3137         New decl.
3138         (exploded_graph::find_previous_entry_to): New decl.
3139         * infinite-recursion.cc: New file.
3140         * pending-diagnostic.cc
3141         (pending_diagnostic::add_function_entry_event): New.
3142         (pending_diagnostic::add_final_event): New.
3143         * pending-diagnostic.h
3144         (pending_diagnostic::add_function_entry_event): New vfunc.
3145         (pending_diagnostic::add_final_event): New vfunc.
3147 2022-11-10  David Malcolm  <dmalcolm@redhat.com>
3149         PR analyzer/99671
3150         * analyzer.opt (Wanalyzer-deref-before-check): New warning.
3151         * diagnostic-manager.cc
3152         (null_assignment_sm_context::set_next_state): Only add state
3153         change events for transition to "null" state.
3154         (null_assignment_sm_context::is_transition_to_null): New.
3155         * engine.cc (impl_region_model_context::on_pop_frame): New.
3156         * exploded-graph.h (impl_region_model_context::on_pop_frame): New
3157         decl.
3158         * program-state.cc (sm_state_map::clear_any_state): New.
3159         (sm_state_map::can_merge_with_p): New.
3160         (program_state::can_merge_with_p): Replace requirement that
3161         sm-states be equal in favor of an attempt to merge them.
3162         * program-state.h (sm_state_map::clear_any_state): New decl.
3163         (sm_state_map::can_merge_with_p): New decl.
3164         * region-model.cc (region_model::eval_condition): Make const.
3165         (region_model::pop_frame): Call ctxt->on_pop_frame.
3166         * region-model.h (region_model::eval_condition): Make const.
3167         (region_model_context::on_pop_frame): New vfunc.
3168         (noop_region_model_context::on_pop_frame): New.
3169         (region_model_context_decorator::on_pop_frame): New.
3170         * sm-malloc.cc (enum resource_state): Add RS_ASSUMED_NON_NULL.
3171         (allocation_state::dump_to_pp): Drop "final".
3172         (struct assumed_non_null_state): New subclass.
3173         (malloc_state_machine::m_assumed_non_null): New.
3174         (assumed_non_null_p): New.
3175         (class deref_before_check): New.
3176         (assumed_non_null_state::dump_to_pp): New.
3177         (malloc_state_machine::get_or_create_assumed_non_null_state_for_frame):
3178         New.
3179         (malloc_state_machine::maybe_assume_non_null): New.
3180         (malloc_state_machine::on_stmt): Transition from start state to
3181         "assumed-non-null" state for pointers passed to
3182         __attribute__((nonnull)) arguments, and for pointers explicitly
3183         dereferenced.  Call maybe_complain_about_deref_before_check for
3184         pointers explicitly compared against NULL.
3185         (malloc_state_machine::maybe_complain_about_deref_before_check):
3186         New.
3187         (malloc_state_machine::on_deallocator_call): Also transition
3188         "assumed-non-null" states to "freed".
3189         (malloc_state_machine::on_pop_frame): New.
3190         (malloc_state_machine::maybe_get_merged_states_nonequal): New.
3191         * sm-malloc.dot: Update for changes to sm-malloc.cc.
3192         * sm.h (state_machine::on_pop_frame): New.
3193         (state_machine::maybe_get_merged_state): New.
3194         (state_machine::maybe_get_merged_states_nonequal): New.
3196 2022-11-09  David Malcolm  <dmalcolm@redhat.com>
3198         * checker-path.cc (checker_event::debug): New.
3199         (checker_path::add_event): Move here from checker-path.h.  Add
3200         logging.
3201         * checker-path.h (checker_event::debug): New decl.
3202         (checker_path::checker_path): Add logger param.
3203         (checker_path::add_event): Move definition from here to
3204         checker-path.cc.
3205         (checker_path::m_logger): New field.
3206         * diagnostic-manager.cc
3207         (diagnostic_manager::emit_saved_diagnostic): Pass logger to
3208         checker_path ctor.
3209         (diagnostic_manager::add_events_for_eedge): Log scope when
3210         processing a run of stmts.
3212 2022-11-08  David Malcolm  <dmalcolm@redhat.com>
3214         PR analyzer/101962
3215         * region-model-impl-calls.cc: Update comment.
3216         * region-model.cc (region_model::check_symbolic_bounds): Fix
3217         layout of "void" return.  Replace usage of
3218         eval_condition_without_cm with eval_condition.
3219         (region_model::eval_condition): Take over body of...
3220         (region_model::eval_condition_without_cm): ...this subroutine,
3221         dropping the latter.  Eliminating this distinction avoids issues
3222         where constraints were not considered when recursing.
3223         (region_model::compare_initial_and_pointer): Update comment.
3224         (region_model::symbolic_greater_than): Replace usage of
3225         eval_condition_without_cm with eval_condition.
3226         * region-model.h
3227         (region_model::eval_condition_without_cm): Delete decl.
3229 2022-11-08  David Malcolm  <dmalcolm@redhat.com>
3231         * region-model-impl-calls.cc
3232         (region_model::impl_call_errno_location): New.
3233         * region-model-manager.cc
3234         (region_model_manager::region_model_manager): Initialize
3235         m_thread_local_region and m_errno_region.
3236         * region-model-manager.h (region_model_manager::get_errno_region):
3237         New accessor.
3238         (region_model_manager::m_thread_local_region): New.
3239         (region_model_manager::m_errno_region): New.
3240         * region-model.cc (region_model::on_call_pre): Special-case
3241         "__errno_location".
3242         (region_model::set_errno): New.
3243         * region-model.h (impl_call_errno_location): New decl.
3244         (region_model::set_errno): New decl.
3245         * region.cc (thread_local_region::dump_to_pp): New.
3246         (errno_region::dump_to_pp): New.
3247         * region.h (enum memory_space): Add MEMSPACE_THREAD_LOCAL.
3248         (enum region_kind): Add RK_THREAD_LOCAL and RK_ERRNO.
3249         (class thread_local_region): New.
3250         (is_a_helper <const thread_local_region *>::test): New.
3251         (class errno_region): New.
3252         (is_a_helper <const errno_region *>::test): New.
3253         * store.cc (binding_cluster::escaped_p): New.
3254         (store::escaped_p): Treat errno as always having escaped.
3255         (store::replay_call_summary_cluster): Handle RK_THREAD_LOCAL and
3256         RK_ERRNO.
3257         * store.h (binding_cluster::escaped_p): Remove definition.
3259 2022-11-08  David Malcolm  <dmalcolm@redhat.com>
3261         * call-info.cc (success_call_info::get_desc): Delete.
3262         (failed_call_info::get_desc): Likewise.
3263         (succeed_or_fail_call_info::get_desc): New.
3264         * call-info.h (class succeed_or_fail_call_info): New.
3265         (class success_call_info): Convert to a subclass of
3266         succeed_or_fail_call_info.
3267         (class failed_call_info): Likewise.
3269 2022-11-08  David Malcolm  <dmalcolm@redhat.com>
3271         * region-model-impl-calls.cc (region_model::impl_call_strchr):
3272         Move to on_call_post.  Handle both outcomes using bifurcation,
3273         rather than just the "not found" case.
3274         * region-model.cc (region_model::on_call_pre): Move
3275         BUILT_IN_STRCHR and "strchr" to...
3276         (region_model::on_call_post): ...here.
3278 2022-11-03  David Malcolm  <dmalcolm@redhat.com>
3280         * analyzer.h: Use std::unique_ptr for state machines from plugins.
3281         * engine.cc: Likewise.
3283 2022-11-03  David Malcolm  <dmalcolm@redhat.com>
3285         * analyzer.h: Use std::unique_ptr for known functions.
3286         * engine.cc: Likewise.
3287         * known-function-manager.cc: Likewise.
3288         * known-function-manager.h: Likewise.
3290 2022-11-03  David Malcolm  <dmalcolm@redhat.com>
3292         * analysis-plan.cc: Define INCLUDE_MEMORY before including
3293         system.h.
3294         * analyzer-pass.cc: Likewise.
3295         * analyzer-selftests.cc: Likewise.
3296         * analyzer.cc: Likewise.
3297         * analyzer.h: Use std::unique_ptr in bifurcation code.
3298         * call-string.cc: Define INCLUDE_MEMORY before including system.h.
3299         * complexity.cc: Likewise.
3300         * engine.cc: Use std::unique_ptr in bifurcation code.
3301         * exploded-graph.h: Likewise.
3302         * known-function-manager.cc: Define INCLUDE_MEMORY before
3303         including system.h.
3304         * region-model-impl-calls.cc: Use std::unique_ptr in bifurcation
3305         code.
3306         * region-model.cc: Likewise.
3307         * region-model.h: Likewise.
3308         * supergraph.cc: Define INCLUDE_MEMORY before including system.h.
3310 2022-11-03  David Malcolm  <dmalcolm@redhat.com>
3312         * call-info.cc: Use std::unique_ptr for checker_event.
3313         * checker-path.cc: Likewise.
3314         * checker-path.h: Likewise.
3315         * diagnostic-manager.cc: Likewise.
3316         * engine.cc: Likewise.
3317         * pending-diagnostic.cc: Likewise.
3318         * sm-signal.cc: Likewise.
3319         * varargs.cc: Likewise.
3321 2022-11-03  David Malcolm  <dmalcolm@redhat.com>
3323         * diagnostic-manager.cc: Include "make-unique.h".
3324         Use std::unique_ptr for feasibility_problems and exploded_path.
3325         Delete explicit saved_diagnostic dtor.
3326         * diagnostic-manager.h: Likewise.
3327         * engine.cc: Likewise.
3328         * exploded-graph.h: Likewise.
3329         * feasible-graph.cc: Likewise.
3330         * feasible-graph.h: Likewise.
3332 2022-11-03  David Malcolm  <dmalcolm@redhat.com>
3334         * checker-path.cc (rewind_event::rewind_event): Update for usage of
3335         std::unique_ptr on custom_edge_info.
3336         * engine.cc (exploded_node::on_longjmp): Likewise.
3337         (exploded_edge::exploded_edge): Likewise.
3338         (exploded_edge::~exploded_edge): Delete.
3339         (exploded_graph::add_function_entry): Update for usage of
3340         std::unique_ptr on custom_edge_info.
3341         (exploded_graph::add_edge): Likewise.
3342         (add_tainted_args_callback): Likewise.
3343         (exploded_graph::maybe_create_dynamic_call): Likewise.
3344         (exploded_graph::process_node): Likewise.
3345         * exploded-graph.h (exploded_edge::~exploded_edge): Delete.
3346         (exploded_edge::m_custom_info): Use std::unique_ptr.
3347         (exploded_edge::add_edge): Likewise.
3348         * sm-signal.cc (register_signal_handler::impl_transition): Use
3349         make_unique.
3351 2022-11-03  David Malcolm  <dmalcolm@redhat.com>
3353         * diagnostic-manager.cc (saved_diagnostic::saved_diagnostic): Make
3354         stmt_finder const.
3355         (saved_diagnostic::~saved_diagnostic): Remove explicit delete of
3356         m_stmt_finder.
3357         (diagnostic_manager::add_diagnostic): Make stmt_finder const.
3358         * diagnostic-manager.h (saved_diagnostic::saved_diagnostic):
3359         Likewise.
3360         (saved_diagnostic::m_stmt_finder): Convert to std::unique_ptr.
3361         (diagnostic_manager::add_diagnostic): Make stmt_finder const.
3362         * engine.cc (impl_sm_context::impl_sm_context): Likewise.
3363         (impl_sm_context::m_stmt_finder): Likewise.
3364         (leak_stmt_finder::clone): Convert return type to std::unique_ptr.
3365         * exploded-graph.h (stmt_finder::clone): Likewise.
3367 2022-11-03  David Malcolm  <dmalcolm@redhat.com>
3369         * call-info.cc: Add define of INCLUDE_MEMORY.
3370         * call-summary.cc: Likewise.
3371         * checker-path.cc: Likewise.
3372         * constraint-manager.cc: Likewise.
3373         * diagnostic-manager.cc: Likewise.
3374         (saved_diagnostic::saved_diagnostic): Use std::unique_ptr for
3375         param d and field m_d.
3376         (saved_diagnostic::~saved_diagnostic): Remove explicit delete of m_d.
3377         (saved_diagnostic::add_note): Use std::unique_ptr for
3378         param pn.
3379         (saved_diagnostic::get_pending_diagnostic): Update for conversion
3380         of m_sd.m_d to unique_ptr.
3381         (diagnostic_manager::add_diagnostic): Use std::unique_ptr for
3382         param d.  Remove explicit deletion.
3383         (diagnostic_manager::add_note): Use std::unique_ptr for param pn.
3384         (diagnostic_manager::emit_saved_diagnostic): Update for conversion
3385         of m_sd.m_d to unique_ptr.
3386         (null_assignment_sm_context::warn): Use std::unique_ptr for
3387         param d.  Remove explicit deletion.
3388         * diagnostic-manager.h (saved_diagnostic::saved_diagnostic): Use
3389         std::unique_ptr for param d.
3390         (saved_diagnostic::add_note): Likewise for param pn.
3391         (saved_diagnostic::m_d): Likewise.
3392         (diagnostic_manager::add_diagnostic): Use std::unique_ptr for
3393         param d.
3394         (diagnostic_manager::add_note): Use std::unique_ptr for param pn.
3395         * engine.cc: Include "make-unique.h".
3396         (impl_region_model_context::warn): Update to use std::unique_ptr
3397         for param, removing explicit deletion.
3398         (impl_region_model_context::add_note): Likewise.
3399         (impl_sm_context::warn): Update to use std::unique_ptr
3400         for param.
3401         (impl_region_model_context::on_state_leak): Likewise for result of
3402         on_leak.
3403         (exploded_node::on_longjmp): Use make_unique when creating
3404         pending_diagnostic.
3405         (exploded_graph::process_node): Likewise.
3406         * exploded-graph.h (impl_region_model_context::warn): Update to
3407         use std::unique_ptr for param.
3408         (impl_region_model_context::add_note): Likewise.
3409         * feasible-graph.cc: Add define of INCLUDE_MEMORY.
3410         * pending-diagnostic.cc: Likewise.
3411         * pending-diagnostic.h: Include "analyzer/sm.h".
3412         * program-point.cc: Add define of INCLUDE_MEMORY.
3413         * program-state.cc: Likewise.
3414         * region-model-asm.cc: Likewise.
3415         * region-model-impl-calls.cc: Likewise.  Include "make-unique.h".
3416         (region_model::impl_call_putenv): Use make_unique when creating
3417         pending_diagnostic.
3418         * region-model-manager.cc: Add define of INCLUDE_MEMORY.
3419         * region-model-reachability.cc: Likewise.
3420         * region-model.cc: Likewise.  Include "make-unique.h".
3421         (region_model::get_gassign_result): Use make_unique when creating
3422         pending_diagnostic.
3423         (region_model::check_for_poison): Likewise.
3424         (region_model::on_stmt_pre): Likewise.
3425         (region_model::check_symbolic_bounds): Likewise.
3426         (region_model::check_region_bounds): Likewise.
3427         (annotating_ctxt::make_note): Use std::unique_ptr for result.
3428         (region_model::deref_rvalue): Use make_unique when creating
3429         pending_diagnostic.
3430         (region_model::check_for_writable_region): Likewise.
3431         (region_model::check_region_size): Likewise.
3432         (region_model::check_dynamic_size_for_floats): Likewise.
3433         (region_model::maybe_complain_about_infoleak): Likewise.
3434         (noop_region_model_context::add_note): Use std::unique_ptr for
3435         param.  Remove explicit deletion.
3436         * region-model.h: Include "analyzer/pending-diagnostic.h".
3437         (region_model_context::warn): Convert param to std::unique_ptr.
3438         (region_model_context::add_note): Likewise.
3439         (noop_region_model_context::warn): Likewise.
3440         (noop_region_model_context::add_note): Likewise.
3441         (region_model_context_decorator::warn): Likewise.
3442         (region_model_context_decorator::add_note): Likewise.
3443         (note_adding_context::warn): Likewise.
3444         (note_adding_context::make_note): Likewise for return type.
3445         (test_region_model_context::warn): Convert param to
3446         std::unique_ptr.
3447         * region.cc: Add define of INCLUDE_MEMORY.
3448         * sm-fd.cc: Likewise.  Include "make-unique.h".
3449         (fd_state_machine::check_for_fd_attrs): Use make_unique when
3450         creating pending_diagnostics.
3451         (fd_state_machine::on_open): Likewise.
3452         (fd_state_machine::on_creat): Likewise.
3453         (fd_state_machine::check_for_dup): Likewise.
3454         (fd_state_machine::on_close): Likewise.
3455         (fd_state_machine::check_for_open_fd): Likewise.
3456         (fd_state_machine::on_leak): Likewise, converting return type to
3457         std::unique_ptr.
3458         * sm-file.cc: Add define of INCLUDE_MEMORY.  Include
3459         "make-unique.h".
3460         (fileptr_state_machine::on_stmt): Use make_unique when creating
3461         pending_diagnostic.
3462         (fileptr_state_machine::on_leak): Likewise, converting return type
3463         to std::unique_ptr.
3464         * sm-malloc.cc: Add define of INCLUDE_MEMORY.  Include
3465         "make-unique.h".
3466         (malloc_state_machine::on_stmt): Use make_unique when creating
3467         pending_diagnostic.
3468         (malloc_state_machine::handle_free_of_non_heap): Likewise.
3469         (malloc_state_machine::on_deallocator_call): Likewise.
3470         (malloc_state_machine::on_realloc_call): Likewise.
3471         (malloc_state_machine::on_leak): Likewise, converting return type
3472         to std::unique_ptr.
3473         * sm-pattern-test.cc: Add define of INCLUDE_MEMORY.  Include
3474         "make-unique.h".
3475         (pattern_test_state_machine::on_condition): Use make_unique when
3476         creating pending_diagnostic.
3477         * sm-sensitive.cc: Add define of INCLUDE_MEMORY.  Include
3478         "make-unique.h".
3479         (sensitive_state_machine::warn_for_any_exposure): Use make_unique
3480         when creating pending_diagnostic.
3481         * sm-signal.cc: Add define of INCLUDE_MEMORY.  Include
3482         "make-unique.h".
3483         (signal_state_machine::on_stmt): Use make_unique when creating
3484         pending_diagnostic.
3485         * sm-taint.cc: Add define of INCLUDE_MEMORY.  Include
3486         "make-unique.h".
3487         (taint_state_machine::check_for_tainted_size_arg): Use make_unique
3488         when creating pending_diagnostic.
3489         (taint_state_machine::check_for_tainted_divisor): Likewise.
3490         (region_model::check_region_for_taint): Likewise.
3491         (region_model::check_dynamic_size_for_taint): Likewise.
3492         * sm.cc: Add define of INCLUDE_MEMORY.  Include
3493         "analyzer/pending-diagnostic.h".
3494         (state_machine::on_leak): Move here from sm.h, changing return
3495         type to std::unique_ptr.
3496         * sm.h (state_machine::on_leak): Change return type to
3497         std::unique_ptr.  Move defn of base impl to sm.cc.
3498         (sm_context::warn): Convert param d to std::unique_ptr.
3499         * state-purge.cc: Add define of INCLUDE_MEMORY.
3500         * store.cc: Likewise.
3501         * svalue.cc: Likewise.
3502         * trimmed-graph.cc: Likewise.
3503         * varargs.cc: Likewise.  Include "make-unique.h".
3504         (va_list_state_machine::check_for_ended_va_list): Use make_unique
3505         when creating pending_diagnostic.
3506         (va_list_state_machine::on_leak): Likewise, converting return type
3507         to std::unique_ptr.
3508         (region_model::impl_call_va_arg): Use make_unique when creating
3509         pending_diagnostic.
3511 2022-11-03  David Malcolm  <dmalcolm@redhat.com>
3513         PR analyzer/107486
3514         * analyzer.cc (is_pipe_call_p): New.
3515         * analyzer.h (is_pipe_call_p): New decl.
3516         * region-model.cc (region_model::on_call_pre): Use it.
3517         (region_model::on_call_post): Likewise.
3519 2022-10-26  David Malcolm  <dmalcolm@redhat.com>
3521         * sm-fd.cc (fd_state_machine::on_open): Transition to "unchecked"
3522         when the mode is symbolic, rather than just on integer constants.
3523         (fd_state_machine::check_for_open_fd): Don't complain about
3524         unchecked values in the start state.
3526 2022-10-26  David Malcolm  <dmalcolm@redhat.com>
3528         * sm-fd.dot: New file.
3530 2022-10-24  David Malcolm  <dmalcolm@redhat.com>
3532         PR analyzer/107349
3533         * varargs.cc (get_va_copy_arg): Fix the non-pointer case.
3535 2022-10-24  David Malcolm  <dmalcolm@redhat.com>
3537         PR analyzer/107345
3538         * region-model.cc (region_model::eval_condition_without_cm):
3539         Ensure that constants are on the right-hand side before checking
3540         for them.
3542 2022-10-24  David Malcolm  <dmalcolm@redhat.com>
3544         * engine.cc (impl_region_model_context::get_malloc_map): Replace
3545         with...
3546         (impl_region_model_context::get_state_map_by_name): ...this.
3547         (impl_region_model_context::get_fd_map): Delete.
3548         (impl_region_model_context::get_taint_map): Delete.
3549         * exploded-graph.h (impl_region_model_context::get_fd_map):
3550         Delete.
3551         (impl_region_model_context::get_malloc_map): Delete.
3552         (impl_region_model_context::get_taint_map): Delete.
3553         (impl_region_model_context::get_state_map_by_name): New.
3554         * region-model.h (region_model_context::get_state_map_by_name):
3555         New vfunc.
3556         (region_model_context::get_fd_map): Convert from vfunc to
3557         function.
3558         (region_model_context::get_malloc_map): Likewise.
3559         (region_model_context::get_taint_map): Likewise.
3560         (noop_region_model_context::get_state_map_by_name): New.
3561         (noop_region_model_context::get_fd_map): Delete.
3562         (noop_region_model_context::get_malloc_map): Delete.
3563         (noop_region_model_context::get_taint_map): Delete.
3564         (region_model_context_decorator::get_state_map_by_name): New.
3565         (region_model_context_decorator::get_fd_map): Delete.
3566         (region_model_context_decorator::get_malloc_map): Delete.
3567         (region_model_context_decorator::get_taint_map): Delete.
3569 2022-10-24  David Malcolm  <dmalcolm@redhat.com>
3571         PR analyzer/106300
3572         * engine.cc (impl_region_model_context::get_fd_map): New.
3573         * exploded-graph.h (impl_region_model_context::get_fd_map): New
3574         decl.
3575         * region-model-impl-calls.cc (region_model::impl_call_pipe): New.
3576         * region-model.cc (region_model::update_for_int_cst_return): New,
3577         based on...
3578         (region_model::update_for_zero_return): ...this.  Reimplement in
3579         terms of the former.
3580         (region_model::on_call_pre): Handle "pipe" and "pipe2".
3581         (region_model::on_call_post): Likewise.
3582         * region-model.h (region_model::impl_call_pipe): New decl.
3583         (region_model::update_for_int_cst_return): New decl.
3584         (region_model::mark_as_valid_fd): New decl.
3585         (region_model_context::get_fd_map): New pure virtual fn.
3586         (noop_region_model_context::get_fd_map): New.
3587         (region_model_context_decorator::get_fd_map): New.
3588         * sm-fd.cc: Include "analyzer/program-state.h".
3589         (fd_state_machine::describe_state_change): Handle transitions from
3590         start state to valid states.
3591         (fd_state_machine::mark_as_valid_fd): New.
3592         (fd_state_machine::on_stmt): Add missing return for "creat".
3593         (region_model::mark_as_valid_fd): New.
3595 2022-10-19  David Malcolm  <dmalcolm@redhat.com>
3597         PR analyzer/105765
3598         * varargs.cc (get_BT_VALIST_ARG): Rename to...
3599         (get_va_copy_arg): ...this, and update logic for determining level
3600         of indirection of va_copy's argument to use type of argument,
3601         rather than looking at va_list_type_node, to correctly handle
3602         __builtin_ms_va_copy.
3603         (get_stateful_BT_VALIST_ARG): Rename to...
3604         (get_stateful_va_copy_arg): ...this.
3605         (va_list_state_machine::on_va_copy): Update for renaming.
3606         (region_model::impl_call_va_copy): Likewise.
3608 2022-10-13  David Malcolm  <dmalcolm@redhat.com>
3610         PR analyzer/107210
3611         * svalue.cc (constant_svalue::maybe_fold_bits_within): Only
3612         attempt to extract individual bits when tree_fits_uhwi_p.
3614 2022-10-07  David Malcolm  <dmalcolm@redhat.com>
3616         PR analyzer/105783
3617         * region-model.cc (selftest::get_bit): New function.
3618         (selftest::test_bits_within_svalue_folding): New.
3619         (selftest::analyzer_region_model_cc_tests): Call it.
3620         * svalue.cc (constant_svalue::maybe_fold_bits_within): Handle the
3621         case of extracting a single bit.
3623 2022-10-06  David Malcolm  <dmalcolm@redhat.com>
3625         PR analyzer/107158
3626         * store.cc (store::replay_call_summary_cluster): Eliminate
3627         special-casing of RK_HEAP_ALLOCATED in favor of sharing code with
3628         RK_DECL, avoiding an ICE due to attempting to bind a
3629         compound_svalue into a binding_cluster when an svalue in the
3630         summary cluster converts to a compound_svalue in the caller.
3632 2022-10-06  David Malcolm  <dmalcolm@redhat.com>
3634         * call-summary.cc (call_summary_replay::dump_to_pp): Bulletproof
3635         against NULL caller regions/svalues.
3637 2022-10-05  David Malcolm  <dmalcolm@redhat.com>
3639         * analysis-plan.cc: Simplify includes.
3640         * analyzer-pass.cc: Likewise.
3641         * analyzer-selftests.cc: Likewise.
3642         * analyzer.cc: Likewise.
3643         * analyzer.h: Add includes of "json.h" and "tristate.h".
3644         * call-info.cc: Simplify includes.
3645         * call-string.cc: Likewise.
3646         * call-summary.cc: Likewise.
3647         * checker-path.cc: Likewise.
3648         * complexity.cc: Likewise.
3649         * constraint-manager.cc: Likewise.
3650         * diagnostic-manager.cc: Likewise.
3651         * engine.cc: Likewise.
3652         * feasible-graph.cc: Likewise.
3653         * known-function-manager.cc: Likewise.
3654         * pending-diagnostic.cc: Likewise.
3655         * program-point.cc: Likewise.
3656         * program-state.cc: Likewise.
3657         * region-model-asm.cc: Likewise.
3658         * region-model-impl-calls.cc: Likewise.
3659         * region-model-manager.cc: Likewise.
3660         * region-model-reachability.cc: Likewise.
3661         * region-model.cc: Likewise.
3662         * region-model.h: Include "selftest.h".
3663         * region.cc: Simplify includes.
3664         * sm-fd.cc: Likewise.
3665         * sm-file.cc: Likewise.
3666         * sm-malloc.cc: Likewise.
3667         * sm-pattern-test.cc: Likewise.
3668         * sm-sensitive.cc: Likewise.
3669         * sm-signal.cc: Likewise.
3670         * sm-taint.cc: Likewise.
3671         * sm.cc: Likewise.
3672         * state-purge.cc: Likewise.
3673         * store.cc: Likewise.
3674         * store.h: Likewise.
3675         * supergraph.cc: Likewise.
3676         * svalue.cc: Likewise.
3677         * svalue.h: Likewise.
3678         * trimmed-graph.cc: Likewise.
3679         * varargs.cc: Likewise.
3681 2022-10-05  David Malcolm  <dmalcolm@redhat.com>
3683         PR analyzer/107060
3684         * call-summary.cc
3685         (call_summary_replay::convert_svalue_from_summary_1): Handle NULL
3686         results from convert_svalue_from_summary in SK_UNARY_OP and
3687         SK_BIN_OP.
3688         * engine.cc (impl_region_model_context::on_unknown_change): Bail
3689         out on svalues that can't have associated state.
3690         * region-model-impl-calls.cc
3691         (region_model::impl_call_analyzer_get_unknown_ptr): New.
3692         * region-model.cc (region_model::on_stmt_pre): Handle
3693         "__analyzer_get_unknown_ptr".
3694         * region-model.h
3695         (region_model::impl_call_analyzer_get_unknown_ptr): New decl.
3696         * store.cc (store::replay_call_summary_cluster): Avoid trying to
3697         create binding clusters for base regions that shouldn't have them.
3699 2022-10-05  Martin Liska  <mliska@suse.cz>
3701         * call-summary.cc (call_summary_replay::call_summary_replay):
3702         Remove unused variable and arguments.
3703         * call-summary.h: Likewise.
3704         * engine.cc (exploded_node::on_stmt): Likewise.
3705         (exploded_node::replay_call_summaries): Likewise.
3706         (exploded_node::replay_call_summary): Likewise.
3707         * exploded-graph.h (class exploded_node): Likewise.
3709 2022-10-05  David Malcolm  <dmalcolm@redhat.com>
3711         PR analyzer/107072
3712         * analyzer-logging.h: Include "diagnostic-core.h".
3713         * analyzer.h: Include "function.h".
3714         (class call_summary): New forward decl.
3715         (class call_summary_replay): New forward decl.
3716         (struct per_function_data): New forward decl.
3717         (struct interesting_t): New forward decl.
3718         (custom_edge_info::update_state): New vfunc.
3719         * call-info.cc (custom_edge_info::update_state): New.
3720         * call-summary.cc: New file.
3721         * call-summary.h: New file.
3722         * constraint-manager.cc: Include "analyzer/call-summary.h".
3723         (class replay_fact_visitor): New.
3724         (constraint_manager::replay_call_summary): New.
3725         * constraint-manager.h (constraint_manager::replay_call_summary):
3726         New.
3727         * engine.cc: Include "analyzer/call-summary.h".
3728         (exploded_node::on_stmt): Handle call summaries.
3729         (class call_summary_edge_info): New.
3730         (exploded_node::replay_call_summaries): New.
3731         (exploded_node::replay_call_summary): New.
3732         (per_function_data::~per_function_data): New.
3733         (per_function_data::add_call_summary): Move here from header and
3734         reimplement.
3735         (exploded_graph::process_node): Call update_state rather than
3736         update_model when handling bifurcation.
3737         (viz_callgraph_node::dump_dot): Use a regular label rather
3738         than an HTML table; add summaries to dump.
3739         * exploded-graph.h: Include "alloc-pool.h", "fibonacci_heap.h",
3740         "supergraph.h", "sbitmap.h", "shortest-paths.h", "analyzer/sm.h",
3741         "analyzer/program-state.h", and "analyzer/diagnostic-manager.h".
3742         (exploded_node::replay_call_summaries): New decl.
3743         (exploded_node::replay_call_summary): New decl.
3744         (per_function_data::~per_function_data): New decl.
3745         (per_function_data::add_call_summary): Move implementation from
3746         header.
3747         (per_function_data::m_summaries): Update type of element.
3748         * known-function-manager.h: Include "analyzer/analyzer-logging.h".
3749         * program-point.h: Include "pretty-print.h" and
3750         "analyzer/call-string.h".
3751         * program-state.cc: Include "analyzer/call-summary.h".
3752         (sm_state_map::replay_call_summary): New.
3753         (program_state::replay_call_summary): New.
3754         * program-state.h (sm_state_map::replay_call_summary): New decl.
3755         (program_state::replay_call_summary): New decl.
3756         * region-model-manager.cc
3757         (region_model_manager::get_or_create_asm_output_svalue): New
3758         overload.
3759         * region-model-manager.h
3760         (region_model_manager::get_or_create_asm_output_svalue): New
3761         overload decl.
3762         * region-model.cc: Include "analyzer/call-summary.h".
3763         (region_model::maybe_update_for_edge): Remove call to
3764         region_model::update_for_call_summary on
3765         SUPEREDGE_INTRAPROCEDURAL_CALL.
3766         (region_model::update_for_call_summary): Delete.
3767         (region_model::replay_call_summary): New.
3768         * region-model.h (region_model::replay_call_summary): New decl.
3769         (region_model::update_for_call_summary): Delete decl.
3770         * store.cc: Include "analyzer/call-summary.h".
3771         (store::replay_call_summary): New.
3772         (store::replay_call_summary_cluster): New.
3773         * store.h: Include "tristate.h".
3774         (is_a_helper <const ana::concrete_binding *>::test): New.
3775         (store::replay_call_summary): New decl.
3776         (store::replay_call_summary_cluster): New decl.
3777         * supergraph.cc (get_ultimate_function_for_cgraph_edge): Remove
3778         "static" from decl.
3779         (supergraph_call_edge): Make stmt param const.
3780         * supergraph.h: Include "ordered-hash-map.h", "cfg.h",
3781         "basic-block.h", "gimple.h", "gimple-iterator.h", and "digraph.h".
3782         (supergraph_call_edge): Make stmt param const.
3783         (get_ultimate_function_for_cgraph_edge): New decl.
3784         * svalue.cc (compound_svalue::compound_svalue): Assert that we're
3785         not nesting compound_svalues.
3786         * svalue.h: Include "json.h", "analyzer/store.h", and
3787         "analyzer/program-point.h".
3788         (asm_output_svalue::get_num_outputs): New accessor.
3790 2022-10-05  David Malcolm  <dmalcolm@redhat.com>
3792         * region-model.h: Include "analyzer/region-model-manager.h"
3793         (class region_model_manager): Move decl to...
3794         * region-model-manager.h: ...this new file.
3796 2022-10-05  David Malcolm  <dmalcolm@redhat.com>
3798         * region-model-manager.cc
3799         (region_model_manager::maybe_fold_unaryop): Fold -(-(VAL)) to VAL.
3801 2022-10-05  David Malcolm  <dmalcolm@redhat.com>
3803         * region-model-manager.cc
3804         (region_model_manager::get_or_create_widening_svalue): Use a
3805         function_point rather than a program_point.
3806         * region-model.cc (selftest::test_widening_constraints): Likewise.
3807         * region-model.h
3808         (region_model_manager::get_or_create_widening_svalue): Likewise.
3809         (model_merger::get_function_point): New.
3810         * svalue.cc (svalue::can_merge_p): Use a function_point rather
3811         than a program_point.
3812         (svalue::can_merge_p): Likewise.
3813         * svalue.h (widening_svalue::key_t): Likewise.
3814         (widening_svalue::widening_svalue): Likewise.
3816 2022-09-12  Martin Liska  <mliska@suse.cz>
3818         * region-model.cc (region_model::maybe_complain_about_infoleak):
3819         Remove unused fields.
3821 2022-09-11  Tim Lange  <mail@tim-lange.me>
3823         PR analyzer/106845
3824         * region-model.cc (region_model::check_region_bounds):
3825         Bail out if 0 bytes were accessed.
3826         * store.cc (byte_range::dump_to_pp):
3827         Add special case for empty ranges.
3828         (byte_range::exceeds_p): Restrict to non-empty ranges.
3829         (byte_range::falls_short_of_p): Restrict to non-empty ranges.
3830         * store.h (bit_range::empty_p): New function.
3831         (bit_range::get_last_byte_offset): Restrict to non-empty ranges.
3832         (byte_range::empty_p): New function.
3833         (byte_range::get_last_byte_offset): Restrict to non-empty ranges.
3835 2022-09-09  David Malcolm  <dmalcolm@redhat.com>
3837         * analyzer.opt (Wanalyzer-exposure-through-uninit-copy): New.
3838         * checker-path.cc (region_creation_event::region_creation_event):
3839         Add "capacity" and "kind" params.
3840         (region_creation_event::get_desc): Generalize to different kinds
3841         of event.
3842         (checker_path::add_region_creation_event): Convert to...
3843         (checker_path::add_region_creation_events): ...this.
3844         * checker-path.h (enum rce_kind): New.
3845         (region_creation_event::region_creation_event): Add "capacity" and
3846         "kind" params.
3847         (region_creation_event::m_capacity): New field.
3848         (region_creation_event::m_rce_kind): New field.
3849         (checker_path::add_region_creation_event): Convert to...
3850         (checker_path::add_region_creation_events): ...this.
3851         * diagnostic-manager.cc (diagnostic_manager::build_emission_path):
3852         Update for multiple region creation events.
3853         (diagnostic_manager::add_event_on_final_node): Likewise.
3854         (diagnostic_manager::add_events_for_eedge): Likewise.
3855         * region-model-impl-calls.cc (call_details::get_logger): New.
3856         * region-model.cc: Define INCLUDE_MEMORY before including
3857         "system.h".  Include "gcc-rich-location.h".
3858         (class record_layout): New.
3859         (class exposure_through_uninit_copy): New.
3860         (contains_uninit_p): New.
3861         (region_model::maybe_complain_about_infoleak): New.
3862         * region-model.h (call_details::get_logger): New decl.
3863         (region_model::maybe_complain_about_infoleak): New decl.
3864         (region_model::mark_as_tainted): New decl.
3865         * sm-taint.cc (region_model::mark_as_tainted): New.
3867 2022-09-09  David Malcolm  <dmalcolm@redhat.com>
3869         * analyzer.h (class known_function_manager): New forward decl.
3870         (class known_function): New.
3871         (plugin_analyzer_init_iface::register_known_function): New.
3872         * engine.cc: Include "analyzer/known-function-manager.h".
3873         (plugin_analyzer_init_impl::plugin_analyzer_init_impl): Add
3874         known_fn_mgr param.
3875         (plugin_analyzer_init_impl::register_state_machine): Add
3876         LOC_SCOPE.
3877         (plugin_analyzer_init_impl::register_known_function): New.
3878         (plugin_analyzer_init_impl::m_known_fn_mgr): New.
3879         (impl_run_checkers): Update plugin callback invocation to use
3880         eng's known_function_manager.
3881         * known-function-manager.cc: New file.
3882         * known-function-manager.h: New file.
3883         * region-model-manager.cc
3884         (region_model_manager::region_model_manager): Pass logger to
3885         m_known_fn_mgr's ctor.
3886         * region-model.cc (region_model::update_for_zero_return): New.
3887         (region_model::update_for_nonzero_return): New.
3888         (maybe_simplify_upper_bound): New.
3889         (region_model::maybe_get_copy_bounds): New.
3890         (region_model::get_known_function): New.
3891         (region_model::on_call_pre): Handle plugin-supplied known
3892         functions.
3893         * region-model.h: Include "analyzer/known-function-manager.h".
3894         (region_model_manager::get_known_function_manager): New.
3895         (region_model_manager::m_known_fn_mgr): New.
3896         (call_details::get_model): New accessor.
3897         (region_model::maybe_get_copy_bounds): New decl.
3898         (region_model::update_for_zero_return): New decl.
3899         (region_model::update_for_nonzero_return): New decl.
3900         (region_model::get_known_function): New decl.
3901         (region_model::get_known_function_manager): New.
3903 2022-09-08  Tim Lange  <mail@tim-lange.me>
3905         PR analyzer/106625
3906         * analyzer.h (region_offset): Eliminate m_is_symbolic member.
3907         * region-model-impl-calls.cc (region_model::impl_call_realloc):
3908         Refine implementation to be more precise.
3909         * region-model.cc (class symbolic_past_the_end):
3910         Abstract diagnostic class to complain about accesses past the end
3911         with symbolic values.
3912         (class symbolic_buffer_overflow):
3913         Concrete diagnostic class to complain about buffer overflows with
3914         symbolic values.
3915         (class symbolic_buffer_overread):
3916         Concrete diagnostic class to complain about buffer overreads with
3917         symbolic values.
3918         (region_model::check_symbolic_bounds): New function.
3919         (maybe_get_integer_cst_tree): New helper function.
3920         (region_model::check_region_bounds):
3921         Add call to check_symbolic_bounds if offset is not concrete.
3922         (region_model::eval_condition_without_cm):
3923         Add support for EQ_EXPR and GT_EXPR with binaryop_svalues.
3924         (is_positive_svalue): New helper function.
3925         (region_model::symbolic_greater_than):
3926         New function to handle GT_EXPR comparisons with symbolic values.
3927         (region_model::structural_equality): New function to compare
3928         whether two svalues are structured the same, i.e. evaluate to
3929         the same value.
3930         (test_struct): Reflect changes to region::calc_offset.
3931         (test_var): Likewise.
3932         (test_array_2): Likewise and add selftest with symbolic i.
3933         * region-model.h (class region_model): Add check_symbolic_bounds,
3934         symbolic_greater_than and structural_equality.
3935         * region.cc (region::get_offset):
3936         Reflect changes to region::calc_offset.
3937         (region::calc_offset):
3938         Compute the symbolic offset if the offset is not concrete.
3939         (region::get_relative_symbolic_offset): New function to return the
3940         symbolic offset in bytes relative to its parent.
3941         (field_region::get_relative_symbolic_offset): Likewise.
3942         (element_region::get_relative_symbolic_offset): Likewise.
3943         (offset_region::get_relative_symbolic_offset): Likewise.
3944         (bit_range_region::get_relative_symbolic_offset): Likewise.
3945         * region.h: Add get_relative_symbolic_offset.
3946         * store.cc (binding_key::make):
3947         Reflect changes to region::calc_offset.
3948         (binding_map::apply_ctor_val_to_range): Likewise.
3949         (binding_map::apply_ctor_pair_to_child_region): Likewise.
3950         (binding_cluster::bind_compound_sval): Likewise.
3951         (binding_cluster::get_any_binding): Likewise.
3952         (binding_cluster::maybe_get_compound_binding): Likewise.
3954 2022-09-05  Tim Lange  <mail@tim-lange.me>
3956         * region-model-impl-calls.cc (region_model::impl_call_strcpy):
3957         Handle the constant string case.
3958         * region-model.cc (region_model::get_string_size):
3959         New function to get the string size from a region or svalue.
3960         * region-model.h (class region_model): Add get_string_size.
3962 2022-09-05  Tim Lange  <mail@tim-lange.me>
3964         * region.cc (cast_region::get_relative_concrete_offset):
3965         New overloaded method.
3966         * region.h: Add cast_region::get_relative_concrete_offset.
3968 2022-08-22  Martin Liska  <mliska@suse.cz>
3970         * region-model.cc: Add missing final keyword.
3972 2022-08-18  Tim Lange  <mail@tim-lange.me>
3974         PR analyzer/106181
3975         * analyzer.opt: Add Wanalyzer-imprecise-floating-point-arithmetic.
3976         * region-model.cc (is_any_cast_p): Formatting.
3977         (region_model::check_region_size): Ensure precondition.
3978         (class imprecise_floating_point_arithmetic): New abstract
3979         diagnostic class for all floating-point related warnings.
3980         (class float_as_size_arg): Concrete diagnostic class to complain
3981         about floating-point operands inside the size argument.
3982         (class contains_floating_point_visitor):
3983         New visitor to find floating-point operands inside svalues.
3984         (region_model::check_dynamic_size_for_floats): New function.
3985         (region_model::set_dynamic_extents):
3986         Call to check_dynamic_size_for_floats.
3987         * region-model.h (class region_model):
3988         Add region_model::check_dynamic_size_for_floats.
3990 2022-08-16  Martin Liska  <mliska@suse.cz>
3992         * region-model.cc: Fix -Winconsistent-missing-override clang
3993         warning.
3994         * region.h: Likewise.
3996 2022-08-15  David Malcolm  <dmalcolm@redhat.com>
3998         PR analyzer/106626
3999         * region-model.cc (buffer_overread::emit): Fix copy&paste error in
4000         direction of the access in the note.
4002 2022-08-15  David Malcolm  <dmalcolm@redhat.com>
4004         PR analyzer/106573
4005         * region-model.cc (region_model::on_call_pre): Use check_call_args
4006         when ensuring that we call get_arg_svalue on all args.  Remove
4007         redundant call from handling for stdio builtins.
4009 2022-08-15  Immad Mir  <mirimmad@outlook.com>
4011         PR analyzer/106551
4012         * sm-fd.cc (check_for_dup): exit early if first
4013         argument is invalid for all dup functions.
4015 2022-08-12  Tim Lange  <mail@tim-lange.me>
4017         PR analyzer/106000
4018         * analyzer.opt: Add Wanalyzer-out-of-bounds.
4019         * region-model.cc (class out_of_bounds): Diagnostics base class
4020         for all out-of-bounds diagnostics.
4021         (class past_the_end): Base class derived from out_of_bounds for
4022         the buffer_overflow and buffer_overread diagnostics.
4023         (class buffer_overflow): Buffer overflow diagnostics.
4024         (class buffer_overread): Buffer overread diagnostics.
4025         (class buffer_underflow): Buffer underflow diagnostics.
4026         (class buffer_underread): Buffer underread diagnostics.
4027         (region_model::check_region_bounds): New function to check region
4028         bounds for out-of-bounds accesses.
4029         (region_model::check_region_access):
4030         Add call to check_region_bounds.
4031         (region_model::get_representative_tree): New function that accepts
4032         a region instead of an svalue.
4033         * region-model.h (class region_model):
4034         Add region_model::check_region_bounds.
4035         * region.cc (region::symbolic_p): New predicate.
4036         (offset_region::get_byte_size_sval): Only return the remaining
4037         byte size on offset_regions.
4038         * region.h: Add region::symbolic_p.
4039         * store.cc (byte_range::intersects_p):
4040         Add new function equivalent to bit_range::intersects_p.
4041         (byte_range::exceeds_p): New function.
4042         (byte_range::falls_short_of_p): New function.
4043         * store.h (struct byte_range): Add byte_range::intersects_p,
4044         byte_range::exceeds_p and byte_range::falls_short_of_p.
4046 2022-08-12  Tim Lange  <mail@tim-lange.me>
4048         PR analyzer/106539
4049         * region-model-impl-calls.cc (region_model::impl_call_realloc):
4050         Use the result of get_copied_size as the size for the
4051         sized_regions in realloc.
4052         (success_with_move::get_copied_size): New function.
4054 2022-08-11  Immad Mir  <mirimmad@outlook.com>
4056         PR analyzer/106551
4057         * sm-fd.cc (check_for_dup): handle the m_start
4058         state when transitioning the state of LHS
4059         of dup, dup2 and dup3 call.
4061 2022-08-09  David Malcolm  <dmalcolm@redhat.com>
4063         PR analyzer/106573
4064         * region-model.cc (region_model::on_call_pre): Ensure that we call
4065         get_arg_svalue on all arguments.
4067 2022-08-05  David Malcolm  <dmalcolm@redhat.com>
4069         PR analyzer/105947
4070         * analyzer.opt (Wanalyzer-jump-through-null): New option.
4071         * engine.cc (class jump_through_null): New.
4072         (exploded_graph::process_node): Complain about jumps through NULL
4073         function pointers.
4075 2022-08-02  Immad Mir  <mirimmad@outlook.com>
4077         PR analyzer/106298
4078         * sm-fd.cc (fd_state_machine::on_open): Add
4079         creat, dup, dup2 and dup3 functions.
4080         (enum dup): New.
4081         (fd_state_machine::valid_to_unchecked_state): New.
4082         (fd_state_machine::on_creat): New.
4083         (fd_state_machine::on_dup): New.
4085 2022-07-28  David Malcolm  <dmalcolm@redhat.com>
4087         PR analyzer/105893
4088         * analyzer.opt (Wanalyzer-putenv-of-auto-var): New.
4089         * region-model-impl-calls.cc (class putenv_of_auto_var): New.
4090         (region_model::impl_call_putenv): New.
4091         * region-model.cc (region_model::on_call_pre): Handle putenv.
4092         * region-model.h (region_model::impl_call_putenv): New decl.
4094 2022-07-28  David Malcolm  <dmalcolm@redhat.com>
4096         * sm-malloc.cc (free_of_non_heap::emit): Add comment about CWE.
4097         * sm-taint.cc (tainted_size::emit): Likewise.
4099 2022-07-28  David Malcolm  <dmalcolm@redhat.com>
4101         * region.h: Add notes to the comment describing the region
4102         class hierarchy.
4104 2022-07-27  Immad Mir  <mirimmad@outlook.com>
4106         PR analyzer/106286
4107         * sm-fd.cc:
4108         (fd_diagnostic::get_meaning_for_state_change): New.
4110 2022-07-26  David Malcolm  <dmalcolm@redhat.com>
4112         PR analyzer/106319
4113         * store.cc (store::set_value): Don't strip away casts if the
4114         region has NULL type.
4116 2022-07-26  David Malcolm  <dmalcolm@redhat.com>
4118         * region.h (code_region::get_element): Remove stray decl.
4119         (function_region::get_element): Likewise.
4121 2022-07-25  Martin Liska  <mliska@suse.cz>
4123         * sm-fd.cc: Run dos2unix and fix coding style issues.
4125 2022-07-23  Immad Mir  <mirimmad@outlook.com>
4127         * sm-fd.cc (fd_param_diagnostic): New diagnostic class.
4128         (fd_access_mode_mismatch): Change inheritance from fd_diagnostic
4129         to fd_param_diagnostic. Add new overloaded constructor.
4130         (fd_use_after_close): Likewise.
4131         (unchecked_use_of_fd): Likewise and also change name to fd_use_without_check.
4132         (double_close): Change name to fd_double_close.
4133         (enum access_directions): New.
4134         (fd_state_machine::on_stmt): Handle calls to function with the
4135         new three function attributes.
4136         (fd_state_machine::check_for_fd_attrs): New.
4137         (fd_state_machine::on_open): Use the new overloaded constructors
4138         of diagnostic classes.
4140 2022-07-22  David Malcolm  <dmalcolm@redhat.com>
4142         PR analyzer/106413
4143         * varargs.cc (region_model::impl_call_va_start): Avoid iterating
4144         through non-existent variadic arguments by initializing the
4145         impl_region to "UNKNOWN" if the va_start occurs in the top-level
4146         function to the analysis.
4148 2022-07-22  David Malcolm  <dmalcolm@redhat.com>
4150         PR analyzer/106401
4151         * store.cc (binding_cluster::binding_cluster): Remove overzealous
4152         assertion; we're checking for tracked_p in
4153         store::get_or_create_cluster.
4155 2022-07-22  Tim Lange  <mail@tim-lange.me>
4157         PR analyzer/106394
4158         * region-model.cc (capacity_compatible_with_type): Always return true
4159         if alloc_size is zero.
4161 2022-07-21  David Malcolm  <dmalcolm@redhat.com>
4163         PR analyzer/106383
4164         * varargs.cc (region_model::impl_call_va_arg): When determining if
4165         we're doing interprocedural analysis, use the stack depth of the
4166         frame in which va_start was called, rather than the current stack
4167         depth.
4169 2022-07-21  David Malcolm  <dmalcolm@redhat.com>
4171         * sm-taint.cc (tainted_array_index::emit): Bulletproof against
4172         NULL m_arg.
4173         (tainted_array_index::describe_final_event): Likewise.
4174         (tainted_size::emit): Likewise.
4175         (tainted_size::describe_final_event): Likewise.
4177 2022-07-21  David Malcolm  <dmalcolm@redhat.com>
4179         PR analyzer/106374
4180         * region.cc (decl_region::get_svalue_for_initializer): Bail out on
4181         untracked regions.
4183 2022-07-20  David Malcolm  <dmalcolm@redhat.com>
4185         PR analyzer/106373
4186         * sm-taint.cc (taint_state_machine::on_condition): Potentially
4187         update the state of the RHS as well as the LHS.
4189 2022-07-20  David Malcolm  <dmalcolm@redhat.com>
4191         PR analyzer/106359
4192         * region.h (string_region::tracked_p): New.
4193         * store.cc (binding_cluster::binding_cluster): Move here from
4194         store.h.  Add assertion that base_region is tracked_p.
4195         * store.h (binding_cluster::binding_cluster): Move to store.cc.
4197 2022-07-19  David Malcolm  <dmalcolm@redhat.com>
4199         PR analyzer/106321
4200         * constraint-manager.h (bounded_ranges::get_count): New.
4201         (bounded_ranges::get_range): New.
4202         * engine.cc (impl_region_model_context::on_bounded_ranges): New.
4203         * exploded-graph.h (impl_region_model_context::on_bounded_ranges):
4204         New decl.
4205         * region-model.cc (region_model::apply_constraints_for_gswitch):
4206         Potentially call ctxt->on_bounded_ranges.
4207         * region-model.h (region_model_context::on_bounded_ranges): New
4208         vfunc.
4209         (noop_region_model_context::on_bounded_ranges): New.
4210         (region_model_context_decorator::on_bounded_ranges): New.
4211         * sm-taint.cc: Include "analyzer/constraint-manager.h".
4212         (taint_state_machine::on_bounded_ranges): New.
4213         * sm.h (state_machine::on_bounded_ranges): New.
4215 2022-07-19  David Malcolm  <dmalcolm@redhat.com>
4217         * engine.cc (exploded_graph::process_node): Show any description
4218         of the out-edge when logging it for consideration.
4220 2022-07-15  David Malcolm  <dmalcolm@redhat.com>
4222         PR analyzer/106284
4223         * sm-taint.cc (taint_state_machine::on_condition): Handle range
4224         checks optimized by build_range_check.
4226 2022-07-15  Jonathan Wakely  <jwakely@redhat.com>
4228         * call-info.cc (call_info::print): Adjust to new label_text API.
4229         * checker-path.cc (checker_event::dump): Likewise.
4230         (region_creation_event::get_desc): Likewise.
4231         (state_change_event::get_desc): Likewise.
4232         (superedge_event::should_filter_p): Likewise.
4233         (start_cfg_edge_event::get_desc): Likewise.
4234         (call_event::get_desc): Likewise.
4235         (return_event::get_desc): Likewise.
4236         (warning_event::get_desc): Likewise.
4237         (checker_path::dump): Likewise.
4238         (checker_path::debug): Likewise.
4239         * diagnostic-manager.cc (diagnostic_manager::prune_for_sm_diagnostic):
4240         Likewise.
4241         (diagnostic_manager::prune_interproc_events): Likewise.
4242         * engine.cc (feasibility_state::maybe_update_for_edge):
4243         Likewise.
4244         * program-state.cc (sm_state_map::to_json): Likewise.
4245         * region-model-impl-calls.cc (region_model::impl_call_analyzer_describe): Likewise.
4246         (region_model::impl_call_analyzer_dump_capacity): Likewise.
4247         * region.cc (region::to_json): Likewise.
4248         * sm-malloc.cc (inform_nonnull_attribute): Likewise.
4249         * store.cc (binding_map::to_json): Likewise.
4250         (store::to_json): Likewise.
4251         * supergraph.cc (superedge::dump): Likewise.
4252         * svalue.cc (svalue::to_json): Likewise.
4254 2022-07-07  David Malcolm  <dmalcolm@redhat.com>
4256         * checker-path.cc (start_cfg_edge_event::get_desc): Update for
4257         superedge::get_description returning a label_text.
4258         * engine.cc (feasibility_state::maybe_update_for_edge): Likewise.
4259         * supergraph.cc (superedge::dump): Likewise.
4260         (superedge::get_description): Convert return type from char * to
4261         label_text.
4262         * supergraph.h (superedge::get_description): Likewise.
4264 2022-07-07  David Malcolm  <dmalcolm@redhat.com>
4266         * call-info.cc (call_info::print): Update for removal of
4267         label_text::maybe_free in favor of automatic memory management.
4268         * checker-path.cc (checker_event::dump): Likewise.
4269         (checker_event::prepare_for_emission): Likewise.
4270         (state_change_event::get_desc): Likewise.
4271         (superedge_event::should_filter_p): Likewise.
4272         (start_cfg_edge_event::get_desc): Likewise.
4273         (warning_event::get_desc): Likewise.
4274         (checker_path::dump): Likewise.
4275         (checker_path::debug): Likewise.
4276         * diagnostic-manager.cc
4277         (diagnostic_manager::prune_for_sm_diagnostic): Likewise.
4278         (diagnostic_manager::prune_interproc_events): Likewise.
4279         * program-state.cc (sm_state_map::to_json): Likewise.
4280         * region.cc (region::to_json): Likewise.
4281         * sm-malloc.cc (inform_nonnull_attribute): Likewise.
4282         * store.cc (binding_map::to_json): Likewise.
4283         (store::to_json): Likewise.
4284         * svalue.cc (svalue::to_json): Likewise.
4286 2022-07-07  David Malcolm  <dmalcolm@redhat.com>
4288         PR analyzer/106225
4289         * sm-taint.cc (taint_state_machine::on_stmt): Move handling of
4290         assignments from division to...
4291         (taint_state_machine::check_for_tainted_divisor): ...this new
4292         function.  Reject warning when the divisor is known to be non-zero.
4293         * sm.cc: Include "analyzer/program-state.h".
4294         (sm_context::get_old_region_model): New.
4295         * sm.h (sm_context::get_old_region_model): New decl.
4297 2022-07-06  Immad Mir  <mirimmad@outlook.com>
4299         PR analyzer/106184
4300         * sm-fd.cc (fd_state_machine): Change ordering of initialization
4301         of state m_invalid so that the order of initializers is same as
4302         the ordering of the fields in the class decl.
4304 2022-07-06  Immad Mir  <mirimmad@outlook.com>
4306         * sm-fd.cc (use_after_close): save the "close" event and
4307         show it where possible.
4309 2022-07-06  David Malcolm  <dmalcolm@redhat.com>
4311         PR analyzer/106204
4312         * region-model.cc (within_short_circuited_stmt_p): Move extraction
4313         of assign_stmt to caller.
4314         (due_to_ifn_deferred_init_p): New.
4315         (region_model::check_for_poison): Move extraction of assign_stmt
4316         from within_short_circuited_stmt_p to here.  Share logic with
4317         call to due_to_ifn_deferred_init_p.
4319 2022-07-02  Tim Lange  <mail@tim-lange.me>
4321         PR analyzer/105900
4322         * analyzer.opt: Added Wanalyzer-allocation-size.
4323         * checker-path.cc (region_creation_event::get_desc): Added call to new
4324         virtual function pending_diagnostic::describe_region_creation_event.
4325         * checker-path.h: Added region_creation_event::get_desc.
4326         * diagnostic-manager.cc (diagnostic_manager::add_event_on_final_node):
4327         New function.
4328         * diagnostic-manager.h:
4329         Added diagnostic_manager::add_event_on_final_node.
4330         * pending-diagnostic.h (struct region_creation): New event_desc struct.
4331         (pending_diagnostic::describe_region_creation_event): Added virtual
4332         function to override the description of a region creation.
4333         * region-model.cc (class dubious_allocation_size): New class.
4334         (capacity_compatible_with_type): New helper function.
4335         (class size_visitor): New class.
4336         (struct_or_union_with_inheritance_p): New helper function.
4337         (is_any_cast_p): New helper function.
4338         (region_model::check_region_size): New function.
4339         (region_model::set_value): Added call to
4340         region_model::check_region_size.
4341         * region-model.h (class region_model): New function check_region_size.
4342         * svalue.cc (region_svalue::accept): Changed to post-order traversal.
4343         (initial_svalue::accept): Likewise.
4344         (unaryop_svalue::accept): Likewise.
4345         (binop_svalue::accept): Likewise.
4346         (sub_svalue::accept): Likewise.
4347         (repeated_svalue::accept): Likewise.
4348         (bits_within_svalue::accept): Likewise.
4349         (widening_svalue::accept): Likewise.
4350         (unmergeable_svalue::accept): Likewise.
4351         (compound_svalue::accept): Likewise.
4352         (conjured_svalue::accept): Likewise.
4353         (asm_output_svalue::accept): Likewise.
4354         (const_fn_result_svalue::accept): Likewise.
4356 2022-07-02  Immad Mir  <mirimmad17@gmail.com>
4358         PR analyzer/106003
4359         * analyzer.opt (Wanalyzer-fd-leak): New option.
4360         (Wanalyzer-fd-access-mode-mismatch): New option.
4361         (Wanalyzer-fd-use-without-check): New option.
4362         (Wanalyzer-fd-double-close): New option.
4363         (Wanalyzer-fd-use-after-close): New option.
4364         * sm.h (make_fd_state_machine): New decl.
4365         * sm.cc (make_checkers): Call make_fd_state_machine.
4366         * sm-fd.cc: New file.
4368 2022-06-24  David Malcolm  <dmalcolm@redhat.com>
4370         * call-string.cc: Add includes of "analyzer/analyzer.h"
4371         and "analyzer/analyzer-logging.h".
4372         (call_string::call_string): Delete copy ctor.
4373         (call_string::operator=): Delete.
4374         (call_string::operator==): Delete.
4375         (call_string::hash): Delete.
4376         (call_string::push_call): Make const, returning the resulting
4377         call_string.
4378         (call_string::pop): Delete.
4379         (call_string::cmp_ptr_ptr): New.
4380         (call_string::validate): Assert that m_parent is non-NULL, or
4381         m_elements is empty.
4382         (call_string::call_string): Move default ctor here from
4383         call-string.h and reimplement.  Add ctor taking a parent
4384         and an element.
4385         (call_string::~call_string): New.
4386         (call_string::recursive_log): New.
4387         * call-string.h (call_string::call_string): Move default ctor's
4388         defn to call-string.cc.  Delete copy ctor.  Add ctor taking a
4389         parent and an element.
4390         (call_string::operator=): Delete.
4391         (call_string::operator==): Delete.
4392         (call_string::hash): Delete.
4393         (call_string::push_call): Make const, returning the resulting
4394         call_string.
4395         (call_string::pop): Delete decl.
4396         (call_string::get_parent): New.
4397         (call_string::cmp_ptr_ptr): New decl.
4398         (call_string::get_top_of_stack): New.
4399         (struct call_string::hashmap_traits_t): New.
4400         (class call_string): Add friend class region_model_manager.  Add
4401         DISABLE_COPY_AND_ASSIGN.
4402         (call_string::~call_string): New decl.
4403         (call_string::recursive_log): New decl.
4404         (call_string::m_parent): New field.
4405         (call_string::m_children): New field.
4406         * constraint-manager.cc (selftest::test_many_constants): Pass
4407         model manager to program_point::origin.
4408         * engine.cc (exploded_graph::exploded_graph): Likewise.
4409         (exploded_graph::add_function_entry): Likewise for
4410         program_point::from_function_entry.
4411         (add_tainted_args_callback): Likewise.
4412         (exploded_graph::maybe_process_run_of_before_supernode_enodes):
4413         Update for change to program_point.get_call_string.
4414         (exploded_graph::process_node): Likewise.
4415         (class function_call_string_cluster): Convert m_cs from a
4416         call_string to a const call_string &.
4417         (struct function_call_string): Likewise.
4418         (pod_hash_traits<function_call_string>::hash): Use pointer_hash
4419         for m_cs.
4420         (pod_hash_traits<function_call_string>::equal): Update for change
4421         to m_cs.
4422         (root_cluster::add_node): Update for change to
4423         function_call_string.
4424         (viz_callgraph_node::dump_dot): Update for change to call_string.
4425         * exploded-graph.h (per_call_string_data::m_key): Convert to a
4426         reference.
4427         (struct eg_call_string_hash_map_traits): Delete.
4428         (exploded_graph::call_string_data_map_t): Remove traits class.
4429         * program-point.cc: Move include of "analyzer/call-string.h" to
4430         after "analyzer/analyzer-logging.h".
4431         (program_point::print): Update for conversion of m_call_string to
4432         a pointer.
4433         (program_point::to_json): Likewise.
4434         (program_point::push_to_call_stack): Update for immutability of
4435         call strings.
4436         (program_point::pop_from_call_stack): Likewise.
4437         (program_point::hash): Use pointer hashing for m_call_string.
4438         (program_point::get_function_at_depth): Update for change to
4439         m_call_string.
4440         (program_point::validate): Update for changes to call_string.
4441         (program_point::on_edge): Likewise.
4442         (program_point::origin): Move here from call-string.h.  Add
4443         region_model_manager param and use it to get empty call string.
4444         (program_point::from_function_entry): Likewise.
4445         (selftest::test_function_point_ordering): Likewise.
4446         (selftest::test_function_point_ordering): Likewise.
4447         * program-point.h (program_point::program_point): Update for
4448         change to m_call_string.
4449         (program_point::get_call_string): Likewise.
4450         (program_point::get_stack_depth): Likewise.
4451         (program_point::origin): Add region_model_manager param, and move
4452         defn to call-string.cc.
4453         (program_point::from_function_entry): Likewise.
4454         (program_point::empty): Drop call_string.
4455         (program_point::deleted): Likewise.
4456         (program_point::program_point): New private ctor.
4457         (program_point::m_call_string): Convert from call_string to const
4458         call_string *.
4459         * program-state.cc (selftest::test_program_state_merging): Update
4460         for call_string changes.
4461         (selftest::test_program_state_merging_2): Likewise.
4462         * region-model-manager.cc
4463         (region_model_manager::region_model_manager): Construct
4464         m_empty_call_string.
4465         (region_model_manager::log_stats): Log the call strings.
4466         * region-model.cc (assert_region_models_merge): Pass the
4467         region_model_manager when creating program_point instances.
4468         (selftest::test_state_merging): Likewise.
4469         (selftest::test_constraint_merging): Likewise.
4470         (selftest::test_widening_constraints): Likewise.
4471         (selftest::test_iteration_1): Likewise.
4472         * region-model.h (region_model_manager::get_empty_call_string):
4473         New.
4474         (region_model_manager::m_empty_call_string): New.
4475         * sm-signal.cc (register_signal_handler::impl_transition): Update
4476         for changes to call_string.
4478 2022-06-24  David Malcolm  <dmalcolm@redhat.com>
4480         * call-string.cc (call_string::calc_recursion_depth): Whitespace
4481         cleanups.
4482         (call_string::cmp): Likewise.
4483         (call_string::get_caller_node): Likewise.
4484         (call_string::validate): Likewise.
4485         * engine.cc (dynamic_call_info_t::add_events_to_path): Likewise.
4486         (exploded_graph::get_per_function_data): Likewise.
4487         (exploded_graph::maybe_create_dynamic_call): Likewise.
4488         (exploded_graph::maybe_create_dynamic_call): Likewise.
4489         (exploded_graph::process_node): Likewise.
4491 2022-06-16  David Malcolm  <dmalcolm@redhat.com>
4493         * varargs.cc (va_arg_type_mismatch::emit): Associate the warning
4494         with CWE-686 ("Function Call With Incorrect Argument Type").
4496 2022-06-16  David Malcolm  <dmalcolm@redhat.com>
4498         * varargs.cc: Include "diagnostic-metadata.h".
4499         (va_list_exhausted::emit): Associate the warning with
4500         CWE-685 ("Function Call With Incorrect Number of Arguments").
4502 2022-06-16  David Malcolm  <dmalcolm@redhat.com>
4504         * sm-file.cc (double_fclose::emit): Associate the warning with
4505         CWE-1341 ("Multiple Releases of Same Resource or Handle").
4507 2022-06-15  David Malcolm  <dmalcolm@redhat.com>
4509         PR analyzer/105962
4510         * analyzer.opt (fanalyzer-undo-inlining): New option.
4511         * checker-path.cc: Include "diagnostic-core.h" and
4512         "inlining-iterator.h".
4513         (event_kind_to_string): Handle EK_INLINED_CALL.
4514         (class inlining_info): New class.
4515         (checker_event::checker_event): Move here from checker-path.h.
4516         Store original fndecl and depth, and calculate effective fndecl
4517         and depth based on inlining information.
4518         (checker_event::dump): Emit original depth as well as effective
4519         depth when they differ; likewise for fndecl.
4520         (region_creation_event::get_desc): Use m_effective_fndecl.
4521         (inlined_call_event::get_desc): New.
4522         (inlined_call_event::get_meaning): New.
4523         (checker_path::inject_any_inlined_call_events): New.
4524         * checker-path.h (enum event_kind): Add EK_INLINED_CALL.
4525         (checker_event::checker_event): Make protected, and move
4526         definition to checker-path.cc.
4527         (checker_event::get_fndecl): Use effective fndecl.
4528         (checker_event::get_stack_depth): Use effective stack depth.
4529         (checker_event::get_logical_location): Use effective stack depth.
4530         (checker_event::get_original_stack_depth): New.
4531         (checker_event::m_fndecl): Rename to...
4532         (checker_event::m_original_fndecl): ...this.
4533         (checker_event::m_depth): Rename to...
4534         (checker_event::m_original_depth): ...this.
4535         (checker_event::m_effective_fndecl): New field.
4536         (checker_event::m_effective_depth): New field.
4537         (class inlined_call_event): New checker_event subclass.
4538         (checker_path::inject_any_inlined_call_events): New decl.
4539         * diagnostic-manager.cc: Include "inlining-iterator.h".
4540         (diagnostic_manager::emit_saved_diagnostic): Call
4541         checker_path::inject_any_inlined_call_events.
4542         (diagnostic_manager::prune_for_sm_diagnostic): Handle
4543         EK_INLINED_CALL.
4544         * engine.cc (tainted_args_function_custom_event::get_desc): Use
4545         effective fndecl.
4546         * inlining-iterator.h: New file.
4548 2022-06-15  David Malcolm  <dmalcolm@redhat.com>
4550         * diagnostic-manager.cc (saved_diagnostic::dump_dot_id): New.
4551         (saved_diagnostic::dump_as_dot_node): New.
4552         * diagnostic-manager.h (saved_diagnostic::dump_dot_id): New decl.
4553         (saved_diagnostic::dump_as_dot_node): New decl.
4554         * engine.cc (exploded_node::dump_dot): Add nodes for saved
4555         diagnostics.
4557 2022-06-02  David Malcolm  <dmalcolm@redhat.com>
4559         * checker-path.cc (checker_event::get_meaning): New.
4560         (function_entry_event::get_meaning): New.
4561         (state_change_event::get_desc): Add dump of meaning of the event
4562         to the -fanalyzer-verbose-state-changes output.
4563         (state_change_event::get_meaning): New.
4564         (cfg_edge_event::get_meaning): New.
4565         (call_event::get_meaning): New.
4566         (return_event::get_meaning): New.
4567         (start_consolidated_cfg_edges_event::get_meaning): New.
4568         (warning_event::get_meaning): New.
4569         * checker-path.h: Include "tree-logical-location.h".
4570         (checker_event::checker_event): Construct m_logical_loc.
4571         (checker_event::get_logical_location): New.
4572         (checker_event::get_meaning): New decl.
4573         (checker_event::m_logical_loc): New.
4574         (function_entry_event::get_meaning): New decl.
4575         (state_change_event::get_meaning): New decl.
4576         (cfg_edge_event::get_meaning): New decl.
4577         (call_event::get_meaning): New decl.
4578         (return_event::get_meaning): New decl.
4579         (start_consolidated_cfg_edges_event::get_meaning): New.
4580         (warning_event::get_meaning): New decl.
4581         * pending-diagnostic.h: Include "diagnostic-path.h".
4582         (pending_diagnostic::get_meaning_for_state_change): New vfunc.
4583         * sm-file.cc (file_diagnostic::get_meaning_for_state_change): New
4584         vfunc impl.
4585         * sm-malloc.cc (malloc_diagnostic::get_meaning_for_state_change):
4586         Likewise.
4587         * sm-sensitive.cc
4588         (exposure_through_output_file::get_meaning_for_state_change):
4589         Likewise.
4590         * sm-taint.cc (taint_diagnostic::get_meaning_for_state_change):
4591         Likewise.
4592         * varargs.cc
4593         (va_list_sm_diagnostic::get_meaning_for_state_change): Likewise.
4595 2022-05-23  David Malcolm  <dmalcolm@redhat.com>
4597         * call-info.cc: Add "final" and "override" to all vfunc
4598         implementations that were missing them, as appropriate.
4599         * engine.cc: Likewise.
4600         * region-model.cc: Likewise.
4601         * sm-malloc.cc: Likewise.
4602         * supergraph.h: Likewise.
4603         * svalue.cc: Likewise.
4604         * varargs.cc: Likewise.
4606 2022-05-20  David Malcolm  <dmalcolm@redhat.com>
4608         * analyzer-pass.cc: Replace uses of "FINAL" and "OVERRIDE" with
4609         "final" and "override".
4610         * call-info.h: Likewise.
4611         * checker-path.h: Likewise.
4612         * constraint-manager.cc: Likewise.
4613         * diagnostic-manager.cc: Likewise.
4614         * engine.cc: Likewise.
4615         * exploded-graph.h: Likewise.
4616         * feasible-graph.h: Likewise.
4617         * pending-diagnostic.h: Likewise.
4618         * region-model-impl-calls.cc: Likewise.
4619         * region-model.cc: Likewise.
4620         * region-model.h: Likewise.
4621         * region.h: Likewise.
4622         * sm-file.cc: Likewise.
4623         * sm-malloc.cc: Likewise.
4624         * sm-pattern-test.cc: Likewise.
4625         * sm-sensitive.cc: Likewise.
4626         * sm-signal.cc: Likewise.
4627         * sm-taint.cc: Likewise.
4628         * state-purge.h: Likewise.
4629         * store.cc: Likewise.
4630         * store.h: Likewise.
4631         * supergraph.h: Likewise.
4632         * svalue.h: Likewise.
4633         * trimmed-graph.h: Likewise.
4634         * varargs.cc: Likewise.
4636 2022-05-16  David Malcolm  <dmalcolm@redhat.com>
4638         PR analyzer/105103
4639         * analyzer.cc (make_label_text_n): New.
4640         * analyzer.h (class var_arg_region): New forward decl.
4641         (make_label_text_n): New decl.
4642         * analyzer.opt (Wanalyzer-va-arg-type-mismatch): New option.
4643         (Wanalyzer-va-list-exhausted): New option.
4644         (Wanalyzer-va-list-leak): New option.
4645         (Wanalyzer-va-list-use-after-va-end): New option.
4646         * checker-path.cc (call_event::get_desc): Split out decl access
4647         into...
4648         (call_event::get_caller_fndecl): ...this new function and...
4649         (call_event::get_callee_fndecl): ...this new function.
4650         * checker-path.h (call_event::get_desc): Drop "FINAL".
4651         (call_event::get_caller_fndecl): New decl.
4652         (call_event::get_callee_fndecl): New decl.
4653         (class call_event): Make fields protected.
4654         * diagnostic-manager.cc (null_assignment_sm_context::warn): New
4655         overload.
4656         (null_assignment_sm_context::get_new_program_state): New.
4657         (diagnostic_manager::add_events_for_superedge): Move case
4658         SUPEREDGE_CALL to a new pending_diagnostic::add_call_event vfunc.
4659         * engine.cc (impl_sm_context::warn): Implement new override.
4660         (impl_sm_context::get_new_program_state): New.
4661         * pending-diagnostic.cc: Include "analyzer/diagnostic-manager.h",
4662         "cpplib.h", "digraph.h", "ordered-hash-map.h", "cfg.h",
4663         "basic-block.h", "gimple.h", "gimple-iterator.h", "cgraph.h"
4664         "analyzer/supergraph.h", "analyzer/program-state.h",
4665         "alloc-pool.h", "fibonacci_heap.h", "shortest-paths.h",
4666         "sbitmap.h", "analyzer/exploded-graph.h", "diagnostic-path.h",
4667         and "analyzer/checker-path.h".
4668         (ht_ident_eq): New.
4669         (fixup_location_in_macro_p): New.
4670         (pending_diagnostic::fixup_location): New.
4671         (pending_diagnostic::add_call_event): New.
4672         * pending-diagnostic.h (pending_diagnostic::fixup_location): Drop
4673         no-op inline implementation in favor of the more complex
4674         implementation above.
4675         (pending_diagnostic::add_call_event): New vfunc.
4676         * region-model-impl-calls.cc: Include "analyzer/sm.h",
4677         "diagnostic-path.h", and "analyzer/pending-diagnostic.h".
4678         * region-model-manager.cc
4679         (region_model_manager::get_var_arg_region): New.
4680         (region_model_manager::log_stats): Log m_var_arg_regions.
4681         * region-model.cc (region_model::on_call_pre): Handle IFN_VA_ARG,
4682         BUILT_IN_VA_START, and BUILT_IN_VA_COPY.
4683         (region_model::on_call_post): Handle BUILT_IN_VA_END.
4684         (region_model::get_representative_path_var_1): Handle RK_VAR_ARG.
4685         (region_model::push_frame): Push variadic arguments.
4686         * region-model.h (region_model_manager::get_var_arg_region): New
4687         decl.
4688         (region_model_manager::m_var_arg_regions): New field.
4689         (region_model::impl_call_va_start): New decl.
4690         (region_model::impl_call_va_copy): New decl.
4691         (region_model::impl_call_va_arg): New decl.
4692         (region_model::impl_call_va_end): New decl.
4693         * region.cc (alloca_region::dump_to_pp): Dump the id.
4694         (var_arg_region::dump_to_pp): New.
4695         (var_arg_region::get_frame_region): New.
4696         * region.h (enum region_kind): Add RK_VAR_ARG.
4697         (region::dyn_cast_var_arg_region): New.
4698         (class var_arg_region): New.
4699         (is_a_helper <const var_arg_region *>::test): New.
4700         (struct default_hash_traits<var_arg_region::key_t>): New.
4701         * sm.cc (make_checkers): Call make_va_list_state_machine.
4702         * sm.h (sm_context::warn): New vfunc.
4703         (sm_context::get_old_svalue): Drop unused decl.
4704         (sm_context::get_new_program_state): New vfunc.
4705         (make_va_list_state_machine): New decl.
4706         * varargs.cc: New file.
4708 2022-05-16  Martin Liska  <mliska@suse.cz>
4710         * engine.cc (exploded_node::get_dot_fillcolor): Use ARRAY_SIZE.
4711         * function-set.cc (test_stdio_example): Likewise.
4712         * sm-file.cc (get_file_using_fns): Likewise.
4713         * sm-malloc.cc (malloc_state_machine::unaffected_by_call_p): Likewise.
4714         * sm-signal.cc (get_async_signal_unsafe_fns): Likewise.
4716 2022-05-13  Richard Biener  <rguenther@suse.de>
4718         * supergraph.cc: Re-order gimple-fold.h include.
4720 2022-05-11  David Malcolm  <dmalcolm@redhat.com>
4722         * checker-path.cc (state_change_event::get_desc): Call maybe_free
4723         on label_text temporaries.
4724         * diagnostic-manager.cc
4725         (diagnostic_manager::prune_for_sm_diagnostic): Likewise.
4726         * engine.cc (exploded_graph::~exploded_graph): Fix leak of
4727         m_per_point_data and m_per_call_string_data values.  Simplify
4728         cleanup of m_per_function_stats and m_per_point_data values.
4729         (feasibility_state::maybe_update_for_edge): Fix leak of result of
4730         superedge::get_description.
4731         * region-model-manager.cc
4732         (region_model_manager::~region_model_manager): Move cleanup of
4733         m_setjmp_values to match the ordering of the fields within
4734         region_model_manager.  Fix leak of values within
4735         m_repeated_values_map, m_bits_within_values_map,
4736         m_asm_output_values_map, and m_const_fn_result_values_map.
4738 2022-04-28  David Malcolm  <dmalcolm@redhat.com>
4740         PR analyzer/105285
4741         * store.cc (binding_cluster::get_any_binding): Handle accessing
4742         sub_svalues of clusters where the base region has a symbolic
4743         binding.
4745 2022-04-28  David Malcolm  <dmalcolm@redhat.com>
4747         * diagnostic-manager.cc (epath_finder::process_worklist_item):
4748         Call dump_feasible_path when a path that reaches the target
4749         enode is found.
4750         (epath_finder::dump_feasible_path): New.
4751         * engine.cc (feasibility_state::dump_to_pp): New.
4752         * exploded-graph.h (feasibility_state::dump_to_pp): New decl.
4753         * feasible-graph.cc (feasible_graph::dump_feasible_path): New.
4754         * feasible-graph.h (feasible_graph::dump_feasible_path): New
4755         decls.
4756         * program-point.cc (function_point::print): Fix missing trailing
4757         newlines.
4758         * program-point.h (program_point::print_source_line): Remove
4759         unimplemented decl.
4761 2022-04-25  David Malcolm  <dmalcolm@redhat.com>
4763         PR analyzer/105365
4764         PR analyzer/105366
4765         * svalue.cc
4766         (cmp_cst): Rename to...
4767         (cmp_csts_same_type): ...this.  Convert all recursive calls to
4768         calls to...
4769         (cmp_csts_and_types): ...this new function.
4770         (svalue::cmp_ptr): Update for renaming of cmp_cst.
4772 2022-04-14  David Malcolm  <dmalcolm@redhat.com>
4774         PR analyzer/105264
4775         * region-model-reachability.cc (reachable_regions::handle_parm):
4776         Use maybe_get_deref_base_region rather than just region_svalue, to
4777         handle pointer arithmetic also.
4778         * svalue.cc (svalue::maybe_get_deref_base_region): New.
4779         * svalue.h (svalue::maybe_get_deref_base_region): New decl.
4781 2022-04-14  David Malcolm  <dmalcolm@redhat.com>
4783         PR analyzer/105252
4784         * svalue.cc (cmp_cst): When comparing VECTOR_CSTs, compare the
4785         types of the encoded elements before calling cmp_cst on them.
4787 2022-04-09  David Malcolm  <dmalcolm@redhat.com>
4789         PR analyzer/103892
4790         * region-model-manager.cc
4791         (region_model_manager::get_unknown_symbolic_region): New,
4792         extracted from...
4793         (region_model_manager::get_field_region): ...here.
4794         (region_model_manager::get_element_region): Use it here.
4795         (region_model_manager::get_offset_region): Likewise.
4796         (region_model_manager::get_sized_region): Likewise.
4797         (region_model_manager::get_cast_region): Likewise.
4798         (region_model_manager::get_bit_range): Likewise.
4799         * region-model.h
4800         (region_model_manager::get_unknown_symbolic_region): New decl.
4801         * region.cc (symbolic_region::symbolic_region): Handle sval_ptr
4802         having NULL type.
4803         (symbolic_region::dump_to_pp): Handle having NULL type.
4805 2022-04-07  David Malcolm  <dmalcolm@redhat.com>
4807         PR analyzer/102208
4808         * store.cc (binding_map::remove_overlapping_bindings): Add
4809         "always_overlap" param, using it to generalize to the case where
4810         we want to remove all bindings.  Update "uncertainty" logic to
4811         only record maybe-bound values for cases where there is a symbolic
4812         write involved.
4813         (binding_cluster::mark_region_as_unknown): Split param "reg" into
4814         "reg_to_bind" and "reg_for_overlap".
4815         (binding_cluster::maybe_get_compound_binding): Pass "false" to
4816         binding_map::remove_overlapping_bindings new "always_overlap" param.
4817         (binding_cluster::remove_overlapping_bindings): Determine
4818         "always_overlap" and pass it to
4819         binding_map::remove_overlapping_bindings.
4820         (store::set_value): Pass uncertainty to remove_overlapping_bindings
4821         call.  Update for new param of
4822         binding_cluster::mark_region_as_unknown, passing both the base
4823         region of the iter_cluster, and the lhs_reg.
4824         (store::mark_region_as_unknown): Update for new param of
4825         binding_cluster::mark_region_as_unknown, passing "reg" for both.
4826         (store::remove_overlapping_bindings): Add param "uncertainty", and
4827         pass it on to call to
4828         binding_cluster::remove_overlapping_bindings.
4829         * store.h (binding_map::remove_overlapping_bindings): Add
4830         "always_overlap" param.
4831         (binding_cluster::mark_region_as_unknown): Split param "reg" into
4832         "reg_to_bind" and "reg_for_overlap".
4833         (store::remove_overlapping_bindings): Add param "uncertainty".
4835 2022-03-29  David Malcolm  <dmalcolm@redhat.com>
4837         PR testsuite/105085
4838         * region-model-manager.cc (dump_untracked_region): Skip decls in
4839         the constant pool.
4841 2022-03-29  David Malcolm  <dmalcolm@redhat.com>
4843         PR analyzer/105087
4844         * analyzer.h (class conjured_purge): New forward decl.
4845         * region-model-asm.cc (region_model::on_asm_stmt): Add
4846         conjured_purge param to calls binding_cluster::on_asm and
4847         region_model_manager::get_or_create_conjured_svalue.
4848         * region-model-impl-calls.cc
4849         (call_details::get_or_create_conjured_svalue): Likewise for call
4850         to region_model_manager::get_or_create_conjured_svalue.
4851         (region_model::impl_call_fgets): Remove call to
4852         region_model::purge_state_involving, as this is now done
4853         implicitly by call_details::get_or_create_conjured_svalue.
4854         (region_model::impl_call_fread): Likewise.
4855         (region_model::impl_call_strchr): Pass conjured_purge param to
4856         call to region_model_manager::get_or_create_conjured_svalue.
4857         * region-model-manager.cc (conjured_purge::purge): New.
4858         (region_model_manager::get_or_create_conjured_svalue): Add
4859         param "p".  Use it to purge state when reusing an existing
4860         conjured_svalue.
4861         * region-model.cc (region_model::on_call_pre): Replace call to
4862         region_model::purge_state_involving with passing conjured_purge
4863         to region_model_manager::get_or_create_conjured_svalue.
4864         (region_model::handle_unrecognized_call): Pass conjured_purge to
4865         store::on_unknown_fncall.
4866         * region-model.h
4867         (region_model_manager::get_or_create_conjured_svalue): Add param
4868         "p".
4869         * store.cc (binding_cluster::on_unknown_fncall): Likewise.  Pass
4870         it on to region_model_manager::get_or_create_conjured_svalue.
4871         (binding_cluster::on_asm): Likewise.
4872         (store::on_unknown_fncall): Add param "p" and pass it on to
4873         binding_cluster::on_unknown_fncall.
4874         * store.h (binding_cluster::on_unknown_fncall): Add param p.
4875         (binding_cluster::on_asm): Likewise.
4876         (store::on_unknown_fncall): Likewise.
4877         * svalue.h (class conjured_purge): New.
4879 2022-03-29  David Malcolm  <dmalcolm@redhat.com>
4881         PR analyzer/105074
4882         * region.cc (ipa_ref_requires_tracking): Drop "context_fndecl",
4883         instead using the ref->referring to get the cgraph node of the
4884         caller.
4885         (symnode_requires_tracking_p): Likewise.
4887 2022-03-26  David Malcolm  <dmalcolm@redhat.com>
4889         PR analyzer/105057
4890         * store.cc (binding_cluster::make_unknown_relative_to): Reject
4891         attempts to create a cluster for untracked base regions.
4892         (store::set_value): Likewise.
4893         (store::fill_region): Likewise.
4894         (store::mark_region_as_unknown): Likewise.
4896 2022-03-25  David Malcolm  <dmalcolm@redhat.com>
4898         PR analyzer/104954
4899         * analyzer.opt (-fdump-analyzer-untracked): New option.
4900         * engine.cc (impl_run_checkers): Handle it.
4901         * region-model-asm.cc (region_model::on_asm_stmt): Don't attempt
4902         to clobber regions with !tracked_p ().
4903         * region-model-manager.cc (dump_untracked_region): New.
4904         (region_model_manager::dump_untracked_regions): New.
4905         (frame_region::dump_untracked_regions): New.
4906         * region-model.h (region_model_manager::dump_untracked_regions):
4907         New decl.
4908         * region.cc (ipa_ref_requires_tracking): New.
4909         (symnode_requires_tracking_p): New.
4910         (decl_region::calc_tracked_p): New.
4911         * region.h (region::tracked_p): New vfunc.
4912         (frame_region::dump_untracked_regions): New decl.
4913         (class decl_region): Note that this is also used for SSA names.
4914         (decl_region::decl_region): Initialize m_tracked.
4915         (decl_region::tracked_p): New.
4916         (decl_region::calc_tracked_p): New decl.
4917         (decl_region::m_tracked): New.
4918         * store.cc (store::get_or_create_cluster): Assert that we
4919         don't try to create clusters for base regions that aren't
4920         trackable.
4921         (store::mark_as_escaped): Don't mark base regions that we're not
4922         tracking.
4924 2022-03-23  David Malcolm  <dmalcolm@redhat.com>
4926         PR analyzer/104979
4927         * engine.cc (impl_run_checkers): Create the engine after the
4928         supergraph, and pass the supergraph to the engine.
4929         * region-model.cc (region_model::get_lvalue_1): Pass ctxt to
4930         frame_region::get_region_for_local.
4931         (region_model::update_for_return_gcall): Pass the lvalue for the
4932         result to pop_frame as a tree, rather than as a region.
4933         (region_model::pop_frame): Update for above change, determining
4934         the destination region after the frame is popped and thus with
4935         respect to the caller frame rather than the called frame.
4936         Likewise, set the value of the region to the return value after
4937         the frame is popped.
4938         (engine::engine): Add supergraph pointer.
4939         (selftest::test_stack_frames): Set the DECL_CONTEXT of PARM_DECLs.
4940         (selftest::test_get_representative_path_var): Likewise.
4941         (selftest::test_state_merging): Likewise.
4942         * region-model.h (region_model::pop_frame): Convert first param
4943         from a const region * to a tree.
4944         (engine::engine): Add param "sg".
4945         (engine::m_sg): New field.
4946         * region.cc: Include "analyzer/sm.h" and
4947         "analyzer/program-state.h".
4948         (frame_region::get_region_for_local): Add "ctxt" param.
4949         Add assertions that VAR_DECLs are locals, and that expr is for the
4950         correct function.
4951         * region.h (frame_region::get_region_for_local): Add "ctxt" param.
4953 2022-03-23  David Malcolm  <dmalcolm@redhat.com>
4955         PR analyzer/105017
4956         * sm-taint.cc (taint_diagnostic::subclass_equal_p): Check
4957         m_has_bounds as well as m_arg.
4958         (tainted_allocation_size::subclass_equal_p): Chain up to base
4959         class implementation.  Also check m_mem_space.
4960         (tainted_allocation_size::emit): Add note showing stack-based vs
4961         heap-based allocations.
4963 2022-03-23  David Malcolm  <dmalcolm@redhat.com>
4965         PR analyzer/104997
4966         * diagnostic-manager.cc (diagnostic_manager::add_diagnostic):
4967         Convert return type from "void" to "bool", reporting success vs
4968         failure to caller, for both overloads.
4969         * diagnostic-manager.h (diagnostic_manager::add_diagnostic):
4970         Likewise.
4971         * engine.cc (impl_region_model_context::warn): Propagate return
4972         value from diagnostic_manager::add_diagnostic.
4974 2022-03-18  David Malcolm  <dmalcolm@redhat.com>
4976         PR analyzer/104943
4977         PR analyzer/104954
4978         PR analyzer/103533
4979         * analyzer.h (class state_purge_per_decl): New forward decl.
4980         * engine.cc (impl_run_checkers): Pass region_model_manager to
4981         state_purge_map ctor.
4982         * program-point.cc (function_point::final_stmt_p): New.
4983         (function_point::get_next): New.
4984         * program-point.h (function_point::final_stmt_p): New decl.
4985         (function_point::get_next): New decl.
4986         * program-state.cc (program_state::prune_for_point): Generalize to
4987         purge local decls as well as SSA names.
4988         (program_state::can_purge_base_region_p): New.
4989         * program-state.h (program_state::can_purge_base_region_p): New
4990         decl.
4991         * region-model.cc (struct append_ssa_names_cb_data): Rename to...
4992         (struct append_regions_cb_data): ...this.
4993         (region_model::get_ssa_name_regions_for_current_frame): Rename
4994         to...
4995         (region_model::get_regions_for_current_frame): ...this, updating
4996         for other renamings.
4997         (region_model::append_ssa_names_cb): Rename to...
4998         (region_model::append_regions_cb): ...this, and drop the requirement
4999         that the subregion be a SSA name.
5000         * region-model.h (struct append_ssa_names_cb_data): Rename decl
5001         to...
5002         (struct append_regions_cb_data): ...this.
5003         (region_model::get_ssa_name_regions_for_current_frame): Rename
5004         decl to...
5005         (region_model::get_regions_for_current_frame): ...this.
5006         (region_model::append_ssa_names_cb): Rename decl to...
5007         (region_model::append_regions_cb): ...this.
5008         * state-purge.cc: Include "tristate.h", "selftest.h",
5009         "analyzer/store.h", "analyzer/region-model.h", and
5010         "gimple-walk.h".
5011         (get_candidate_for_purging): New.
5012         (class gimple_op_visitor): New.
5013         (my_load_cb): New.
5014         (my_store_cb): New.
5015         (my_addr_cb): New.
5016         (state_purge_map::state_purge_map): Add "mgr" param.  Update for
5017         renamings.  Find uses of local variables.
5018         (state_purge_map::~state_purge_map): Update for renaming of m_map
5019         to m_ssa_map.  Clean up m_decl_map.
5020         (state_purge_map::get_or_create_data_for_decl): New.
5021         (state_purge_per_ssa_name::state_purge_per_ssa_name): Update for
5022         inheriting from state_purge_per_tree.
5023         (state_purge_per_ssa_name::add_to_worklist): Likewise.
5024         (state_purge_per_decl::state_purge_per_decl): New.
5025         (state_purge_per_decl::add_needed_at): New.
5026         (state_purge_per_decl::add_pointed_to_at): New.
5027         (state_purge_per_decl::process_worklists): New.
5028         (state_purge_per_decl::add_to_worklist): New.
5029         (same_binding_p): New.
5030         (fully_overwrites_p): New.
5031         (state_purge_per_decl::process_point_backwards): New.
5032         (state_purge_per_decl::process_point_forwards): New.
5033         (state_purge_per_decl::needed_at_point_p): New.
5034         (state_purge_annotator::print_needed): Generalize to print local
5035         decls as well as SSA names.
5036         * state-purge.h (class state_purge_map): Update leading comment.
5037         (state_purge_map::map_t): Rename to...
5038         (state_purge_map::ssa_map_t): ...this.
5039         (state_purge_map::iterator): Rename to...
5040         (state_purge_map::ssa_iterator): ...this.
5041         (state_purge_map::decl_map_t): New typedef.
5042         (state_purge_map::decl_iterator): New typedef.
5043         (state_purge_map::state_purge_map): Add "mgr" param.
5044         (state_purge_map::get_data_for_ssa_name): Update for renaming.
5045         (state_purge_map::get_any_data_for_decl): New.
5046         (state_purge_map::get_or_create_data_for_decl): New decl.
5047         (state_purge_map::begin): Rename to...
5048         (state_purge_map::begin_ssas): ...this.
5049         (state_purge_map::end): Rename to...
5050         (state_purge_map::end_ssa): ...this.
5051         (state_purge_map::begin_decls): New.
5052         (state_purge_map::end_decls): New.
5053         (state_purge_map::m_map): Rename to...
5054         (state_purge_map::m_ssa_map): ...this.
5055         (state_purge_map::m_decl_map): New field.
5056         (class state_purge_per_tree): New class.
5057         (class state_purge_per_ssa_name): Inherit from state_purge_per_tree.
5058         (state_purge_per_ssa_name::get_function): Move to base class.
5059         (state_purge_per_ssa_name::point_set_t): Likewise.
5060         (state_purge_per_ssa_name::m_fun): Likewise.
5061         (class state_purge_per_decl): New.
5063 2022-03-17  David Malcolm  <dmalcolm@redhat.com>
5065         * state-purge.cc (state_purge_annotator::add_node_annotations):
5066         Avoid duplicate before-supernode annotations when returning from
5067         an interprocedural call.  Show after-supernode annotations.
5069 2022-03-17  David Malcolm  <dmalcolm@redhat.com>
5071         * program-point.cc (program_point::get_next): Fix missing
5072         increment of index.
5074 2022-03-16  David Malcolm  <dmalcolm@redhat.com>
5076         PR analyzer/104955
5077         * diagnostic-manager.cc (get_emission_location): New.
5078         (diagnostic_manager::diagnostic_manager): Initialize
5079         m_num_disabled_diagnostics.
5080         (diagnostic_manager::add_diagnostic): Reject diagnostics that
5081         will eventually be rejected due to being disabled.
5082         (diagnostic_manager::emit_saved_diagnostics): Log the number
5083         of disabled diagnostics.
5084         (diagnostic_manager::emit_saved_diagnostic): Split out logic for
5085         determining emission location to get_emission_location.
5086         * diagnostic-manager.h
5087         (diagnostic_manager::m_num_disabled_diagnostics): New field.
5088         * engine.cc (stale_jmp_buf::get_controlling_option): New.
5089         (stale_jmp_buf::emit): Use it.
5090         * pending-diagnostic.h
5091         (pending_diagnostic::get_controlling_option): New vfunc.
5092         * region-model.cc
5093         (poisoned_value_diagnostic::get_controlling_option): New.
5094         (poisoned_value_diagnostic::emit): Use it.
5095         (shift_count_negative_diagnostic::get_controlling_option): New.
5096         (shift_count_negative_diagnostic::emit): Use it.
5097         (shift_count_overflow_diagnostic::get_controlling_option): New.
5098         (shift_count_overflow_diagnostic::emit): Use it.
5099         (dump_path_diagnostic::get_controlling_option): New.
5100         (dump_path_diagnostic::emit): Use it.
5101         (write_to_const_diagnostic::get_controlling_option): New.
5102         (write_to_const_diagnostic::emit): Use it.
5103         (write_to_string_literal_diagnostic::get_controlling_option): New.
5104         (write_to_string_literal_diagnostic::emit): Use it.
5105         * sm-file.cc (double_fclose::get_controlling_option): New.
5106         (double_fclose::emit): Use it.
5107         (file_leak::get_controlling_option): New.
5108         (file_leak::emit): Use it.
5109         * sm-malloc.cc (mismatching_deallocation::get_controlling_option):
5110         New.
5111         (mismatching_deallocation::emit): Use it.
5112         (double_free::get_controlling_option): New.
5113         (double_free::emit): Use it.
5114         (possible_null_deref::get_controlling_option): New.
5115         (possible_null_deref::emit): Use it.
5116         (possible_null_arg::get_controlling_option): New.
5117         (possible_null_arg::emit): Use it.
5118         (null_deref::get_controlling_option): New.
5119         (null_deref::emit): Use it.
5120         (null_arg::get_controlling_option): New.
5121         (null_arg::emit): Use it.
5122         (use_after_free::get_controlling_option): New.
5123         (use_after_free::emit): Use it.
5124         (malloc_leak::get_controlling_option): New.
5125         (malloc_leak::emit): Use it.
5126         (free_of_non_heap::get_controlling_option): New.
5127         (free_of_non_heap::emit): Use it.
5128         * sm-pattern-test.cc (pattern_match::get_controlling_option): New.
5129         (pattern_match::emit): Use it.
5130         * sm-sensitive.cc
5131         (exposure_through_output_file::get_controlling_option): New.
5132         (exposure_through_output_file::emit): Use it.
5133         * sm-signal.cc (signal_unsafe_call::get_controlling_option): New.
5134         (signal_unsafe_call::emit): Use it.
5135         * sm-taint.cc (tainted_array_index::get_controlling_option): New.
5136         (tainted_array_index::emit): Use it.
5137         (tainted_offset::get_controlling_option): New.
5138         (tainted_offset::emit): Use it.
5139         (tainted_size::get_controlling_option): New.
5140         (tainted_size::emit): Use it.
5141         (tainted_divisor::get_controlling_option): New.
5142         (tainted_divisor::emit): Use it.
5143         (tainted_allocation_size::get_controlling_option): New.
5144         (tainted_allocation_size::emit): Use it.
5146 2022-03-15  David Malcolm  <dmalcolm@redhat.com>
5148         * store.cc (store::store): Presize m_cluster_map.
5150 2022-03-10  David Malcolm  <dmalcolm@redhat.com>
5152         PR analyzer/104863
5153         * constraint-manager.cc (constraint_manager::add_constraint):
5154         Refresh the EC IDs when adding constraints implied by offsets.
5156 2022-03-10  David Malcolm  <dmalcolm@redhat.com>
5158         PR analyzer/104793
5159         * analyzer.h (class pending_note): New forward decl.
5160         * diagnostic-manager.cc (saved_diagnostic::saved_diagnostic):
5161         Initialize m_notes.
5162         (saved_diagnostic::operator==): Compare m_notes.
5163         (saved_diagnostic::add_note): New.
5164         (saved_diagnostic::emit_any_notes): New.
5165         (diagnostic_manager::add_note): New.
5166         (diagnostic_manager::emit_saved_diagnostic): Call emit_any_notes
5167         after emitting the warning.
5168         * diagnostic-manager.h (saved_diagnostic::add_note): New decl.
5169         (saved_diagnostic::emit_any_notes): New decl.
5170         (saved_diagnostic::m_notes): New field.
5171         (diagnostic_manager::add_note): New decl.
5172         * engine.cc (impl_region_model_context::add_note): New.
5173         * exploded-graph.h (impl_region_model_context::add_note): New
5174         decl.
5175         * pending-diagnostic.h (class pending_note): New.
5176         (class pending_note_subclass): New template.
5177         * region-model.cc (class reason_attr_access): New.
5178         (check_external_function_for_access_attr): Add class
5179         annotating_ctxt and use it when checking region.
5180         (noop_region_model_context::add_note): New.
5181         * region-model.h (region_model_context::add_note): New vfunc.
5182         (noop_region_model_context::add_note): New decl.
5183         (class region_model_context_decorator): New.
5184         (class note_adding_context): New.
5186 2022-03-10  David Malcolm  <dmalcolm@redhat.com>
5188         PR analyzer/104793
5189         * region-model.cc
5190         (region_model::check_external_function_for_access_attr): New.
5191         (region_model::handle_unrecognized_call): Call it.
5192         * region-model.h
5193         (region_model::check_external_function_for_access_attr): New decl.
5194         (region_model::handle_unrecognized_call): New decl.
5196 2022-03-10  David Malcolm  <dmalcolm@redhat.com>
5198         * sm-taint.cc (taint_state_machine::check_for_tainted_size_arg):
5199         Avoid generating duplicate saved_diagnostics by only handling the
5200         rdwr_map entry for the ptrarg, not the duplicate entry for the
5201         sizarg.
5203 2022-03-07  David Malcolm  <dmalcolm@redhat.com>
5205         PR analyzer/101983
5206         * engine.cc (returning_from_function_p): New.
5207         (impl_region_model_context::on_state_leak): Use it when rejecting
5208         leaks at the return from "main".
5210 2022-03-07  Jakub Jelinek  <jakub@redhat.com>
5212         * store.cc: Fix up duplicated word issue in a comment.
5213         * analyzer.cc: Likewise.
5214         * engine.cc: Likewise.
5215         * sm-taint.cc: Likewise.
5217 2022-03-04  David Malcolm  <dmalcolm@redhat.com>
5219         PR analyzer/103521
5220         * analyzer.opt (-param=analyzer-max-svalue-depth=): Reduce from 13
5221         to 12.
5223 2022-02-23  David Malcolm  <dmalcolm@redhat.com>
5225         PR analyzer/104434
5226         * analyzer.h (class const_fn_result_svalue): New decl.
5227         * region-model-impl-calls.cc (call_details::get_manager): New.
5228         * region-model-manager.cc
5229         (region_model_manager::get_or_create_const_fn_result_svalue): New.
5230         (region_model_manager::log_stats): Log
5231         m_const_fn_result_values_map.
5232         * region-model.cc (const_fn_p): New.
5233         (maybe_get_const_fn_result): New.
5234         (region_model::on_call_pre): Handle fndecls with
5235         __attribute__((const)) by calling the above rather than making
5236         a conjured_svalue.
5237         * region-model.h (visitor::visit_const_fn_result_svalue): New.
5238         (region_model_manager::get_or_create_const_fn_result_svalue): New
5239         decl.
5240         (region_model_manager::const_fn_result_values_map_t): New typedef.
5241         (region_model_manager::m_const_fn_result_values_map): New field.
5242         (call_details::get_manager): New decl.
5243         * svalue.cc (svalue::cmp_ptr): Handle SK_CONST_FN_RESULT.
5244         (const_fn_result_svalue::dump_to_pp): New.
5245         (const_fn_result_svalue::dump_input): New.
5246         (const_fn_result_svalue::accept): New.
5247         * svalue.h (enum svalue_kind): Add SK_CONST_FN_RESULT.
5248         (svalue::dyn_cast_const_fn_result_svalue): New.
5249         (class const_fn_result_svalue): New.
5250         (is_a_helper <const const_fn_result_svalue *>::test): New.
5251         (template <> struct default_hash_traits<const_fn_result_svalue::key_t>):
5252         New.
5254 2022-02-17  David Malcolm  <dmalcolm@redhat.com>
5256         PR analyzer/104576
5257         * region-model.cc: Include "calls.h".
5258         (region_model::on_call_pre): Use flags_from_decl_or_type to
5259         generalize check for DECL_PURE_P to also check for ECF_CONST.
5261 2022-02-16  David Malcolm  <dmalcolm@redhat.com>
5263         PR analyzer/104560
5264         * diagnostic-manager.cc (diagnostic_manager::build_emission_path):
5265         Add region creation events for globals of interest.
5266         (null_assignment_sm_context::get_old_program_state): New.
5267         (diagnostic_manager::add_events_for_eedge): Move check for
5268         changing dynamic extents from PK_BEFORE_STMT case to after the
5269         switch on the dst_point's kind so that we can emit them for the
5270         final stmt in a basic block.
5271         * engine.cc (impl_sm_context::get_old_program_state): New.
5272         * sm-malloc.cc (malloc_state_machine::get_default_state): Rewrite
5273         detection of m_non_heap to use get_memory_space.
5274         (free_of_non_heap::free_of_non_heap): Add freed_reg param.
5275         (free_of_non_heap::subclass_equal_p): Update for changes to
5276         fields.
5277         (free_of_non_heap::emit): Drop m_kind in favor of
5278         get_memory_space.
5279         (free_of_non_heap::describe_state_change): Remove logic for
5280         detecting alloca.
5281         (free_of_non_heap::mark_interesting_stuff): Add region-creation of
5282         m_freed_reg.
5283         (free_of_non_heap::get_memory_space): New.
5284         (free_of_non_heap::kind): Drop enum.
5285         (free_of_non_heap::m_freed_reg): New field.
5286         (free_of_non_heap::m_kind): Drop field.
5287         (malloc_state_machine::on_stmt): Drop transition to m_non_heap.
5288         (malloc_state_machine::handle_free_of_non_heap): New function,
5289         split out from on_deallocator_call and on_realloc_call, adding
5290         detection of the freed region.
5291         (malloc_state_machine::on_deallocator_call): Use it.
5292         (malloc_state_machine::on_realloc_call): Likewise.
5293         * sm.h (sm_context::get_old_program_state): New vfunc.
5295 2022-02-15  David Malcolm  <dmalcolm@redhat.com>
5297         PR analyzer/104524
5298         * region-model-manager.cc
5299         (region_model_manager::maybe_fold_sub_svalue): Only call
5300         get_or_create_cast if type is non-NULL.
5302 2022-02-15  David Malcolm  <dmalcolm@redhat.com>
5304         PR analyzer/102692
5305         * exploded-graph.h (impl_region_model_context::get_stmt): New.
5306         * region-model.cc: Include "gimple-ssa.h", "tree-phinodes.h",
5307         "tree-ssa-operands.h", and "ssa-iterators.h".
5308         (within_short_circuited_stmt_p): New.
5309         (region_model::check_for_poison): Don't warn about uninit values
5310         if within_short_circuited_stmt_p.
5311         * region-model.h (region_model_context::get_stmt): New vfunc.
5312         (noop_region_model_context::get_stmt): New.
5314 2022-02-11  David Malcolm  <dmalcolm@redhat.com>
5316         PR analyzer/104274
5317         * region-model.cc (region_model::check_for_poison): Ignore
5318         uninitialized uses of empty types.
5320 2022-02-10  David Malcolm  <dmalcolm@redhat.com>
5322         PR analyzer/98797
5323         * region-model-manager.cc
5324         (region_model_manager::maybe_fold_sub_svalue): Generalize getting
5325         individual chars of a STRING_CST from element_region to any
5326         subregion which is a concrete access of a single byte from its
5327         parent region.
5328         * region.cc (region::get_relative_concrete_byte_range): New.
5329         * region.h (region::get_relative_concrete_byte_range): New decl.
5331 2022-02-09  David Malcolm  <dmalcolm@redhat.com>
5333         PR analyzer/104452
5334         * region-model.cc (selftest::test_bit_range_regions): New.
5335         (selftest::analyzer_region_model_cc_tests): Call it.
5336         * region.h (bit_range_region::key_t::hash): Fix hashing of m_bits
5337         to avoid using uninitialized data.
5339 2022-02-07  David Malcolm  <dmalcolm@redhat.com>
5341         PR analyzer/104417
5342         * sm-taint.cc (tainted_allocation_size::tainted_allocation_size):
5343         Remove overzealous assertion.
5344         (tainted_allocation_size::emit): Likewise.
5345         (region_model::check_dynamic_size_for_taint): Likewise.
5347 2022-02-07  David Malcolm  <dmalcolm@redhat.com>
5349         PR analyzer/103872
5350         * region-model-impl-calls.cc (region_model::impl_call_memcpy):
5351         Reimplement in terms of a get_store_value followed by a set_value.
5353 2022-02-03  David Malcolm  <dmalcolm@redhat.com>
5355         PR analyzer/104369
5356         * engine.cc (exploded_graph::process_node): Use the node for any
5357         diagnostics, avoiding ICE if a bifurcation update adds a
5358         saved_diagnostic, such as for a tainted realloc size.
5359         * region-model-impl-calls.cc
5360         (region_model::impl_call_realloc::success_no_move::update_model):
5361         Require the old pointer to be non-NULL to be able to successfully
5362         grow in place.  Use model->deref_rvalue rather than maybe_get_region
5363         to support the old pointer being symbolic.
5364         (region_model::impl_call_realloc::success_with_move::update_model):
5365         Likewise.  Add a constraint that the new pointer != the old pointer.
5366         Use a sized_region when setting the value of the new region.
5367         Handle the case where we don't know the dynamic size of the old
5368         region by marking the new region as unknown.
5369         * sm-taint.cc (tainted_allocation_size::tainted_allocation_size):
5370         Update assertion to also allow for MEMSPACE_UNKNOWN.
5371         (tainted_allocation_size::emit): Likewise.
5372         (region_model::check_dynamic_size_for_taint): Likewise.
5374 2022-02-03  David Malcolm  <dmalcolm@redhat.com>
5376         * region-model-impl-calls.cc (region_model::impl_call_calloc): Use
5377         a sized_region when calling zero_fill_region.
5379 2022-02-02  David Malcolm  <dmalcolm@redhat.com>
5381         * region-model.cc (region_model::on_return): Replace usage of
5382         copy_region with get_rvalue/set_value pair.
5383         (region_model::pop_frame): Likewise.
5384         (selftest::test_compound_assignment): Likewise.
5385         * region-model.h (region_model::copy_region): Delete decl.
5386         * region.cc (region_model::copy_region): Delete.
5388 2022-02-02  David Malcolm  <dmalcolm@redhat.com>
5390         * region.cc (region::calc_offset): Consolidate effectively
5391         identical cases.
5393 2022-02-02  David Malcolm  <dmalcolm@redhat.com>
5395         * analyzer.h (class bit_range_region): New forward decl.
5396         * region-model-manager.cc (region_model_manager::get_bit_range):
5397         New.
5398         (region_model_manager::log_stats): Handle m_bit_range_regions.
5399         * region-model.cc (region_model::get_lvalue_1): Handle
5400         BIT_FIELD_REF.
5401         * region-model.h (region_model_manager::get_bit_range): New decl.
5402         (region_model_manager::m_bit_range_regions): New field.
5403         * region.cc (region::get_base_region): Handle RK_BIT_RANGE.
5404         (region::base_region_p): Likewise.
5405         (region::calc_offset): Likewise.
5406         (bit_range_region::dump_to_pp): New.
5407         (bit_range_region::get_byte_size): New.
5408         (bit_range_region::get_bit_size): New.
5409         (bit_range_region::get_byte_size_sval): New.
5410         (bit_range_region::get_relative_concrete_offset): New.
5411         * region.h (enum region_kind): Add RK_BIT_RANGE.
5412         (region::dyn_cast_bit_range_region): New vfunc.
5413         (class bit_range_region): New.
5414         (is_a_helper <const bit_range_region *>::test): New.
5415         (default_hash_traits<bit_range_region::key_t>): New.
5417 2022-02-02  David Malcolm  <dmalcolm@redhat.com>
5419         PR analyzer/104270
5420         * region-model.cc (region_model::on_call_pre): Handle
5421         IFN_DEFERRED_INIT.
5423 2022-01-27  David Malcolm  <dmalcolm@redhat.com>
5425         * checker-path.cc (event_kind_to_string): Handle
5426         EK_REGION_CREATION.
5427         (region_creation_event::region_creation_event): New.
5428         (region_creation_event::get_desc): New.
5429         (checker_path::add_region_creation_event): New.
5430         * checker-path.h (enum event_kind): Add EK_REGION_CREATION.
5431         (class region_creation_event): New subclass.
5432         (checker_path::add_region_creation_event): New decl.
5433         * diagnostic-manager.cc
5434         (diagnostic_manager::emit_saved_diagnostic): Pass NULL for new
5435         param to add_events_for_eedge when handling trailing eedge.
5436         (diagnostic_manager::build_emission_path): Create an interesting_t
5437         instance, allow the pending diagnostic to populate it, and pass it
5438         to the calls to add_events_for_eedge.
5439         (diagnostic_manager::add_events_for_eedge): Add "interest" param.
5440         Use it to add region_creation_events for on-stack regions created
5441         at function entry, and when pertinent dynamically-sized
5442         regions are created.
5443         (diagnostic_manager::prune_for_sm_diagnostic): Add case for
5444         EK_REGION_CREATION.
5445         * diagnostic-manager.h (diagnostic_manager::add_events_for_eedge):
5446         Add "interest" param.
5447         * pending-diagnostic.cc: Include "selftest.h", "tristate.h",
5448         "analyzer/call-string.h", "analyzer/program-point.h",
5449         "analyzer/store.h", and "analyzer/region-model.h".
5450         (interesting_t::add_region_creation): New.
5451         (interesting_t::dump_to_pp): New.
5452         * pending-diagnostic.h (struct interesting_t): New.
5453         (pending_diagnostic::mark_interesting_stuff): New vfunc.
5454         * region-model.cc
5455         (poisoned_value_diagnostic::poisoned_value_diagnostic): Add
5456         (poisoned_value_diagnostic::operator==): Compare m_pkind and
5457         m_src_region fields.
5458         (poisoned_value_diagnostic::mark_interesting_stuff): New.
5459         (poisoned_value_diagnostic::m_src_region): New.
5460         (region_model::check_for_poison): Call
5461         get_region_for_poisoned_expr for uninit values and pass the result
5462         to the diagnostic.
5463         (region_model::get_region_for_poisoned_expr): New.
5464         (region_model::deref_rvalue): Pass NULL for
5465         poisoned_value_diagnostic's src_region.
5466         * region-model.h (region_model::get_region_for_poisoned_expr): New
5467         decl.
5468         * region.h (frame_region::get_fndecl): New.
5470 2022-01-27  Martin Liska  <mliska@suse.cz>
5472         PR analyzer/104247
5473         * constraint-manager.cc (bounded_ranges_manager::log_stats):
5474         Cast to long for format purpose.
5475         * region-model-manager.cc (log_uniq_map): Likewise.
5477 2022-01-26  David Malcolm  <dmalcolm@redhat.com>
5479         PR analyzer/104224
5480         * region-model.cc (region_model::check_call_args): New.
5481         (region_model::on_call_pre): Call it when ignoring stdio builtins.
5482         * region-model.h (region_model::check_call_args): New decl.
5484 2022-01-26  David Malcolm  <dmalcolm@redhat.com>
5486         PR analyzer/94362
5487         * constraint-manager.cc (range::add_bound): Fix tests for
5488         discarding redundant constraints.  Perform test for rejecting
5489         unsatisfiable constraints earlier so that they don't update
5490         the object on failure.
5491         (selftest::test_range): New.
5492         (selftest::test_constant_comparisons): Add test coverage for
5493         existing constraints becoming narrower until they are
5494         unsatisfiable.
5495         (selftest::run_constraint_manager_tests): Call test_range.
5497 2022-01-22  David Malcolm  <dmalcolm@redhat.com>
5499         PR analyzer/104159
5500         * region-model-manager.cc
5501         (region_model_manager::get_or_create_cast): Bail out if the types
5502         are the same.  Don't attempt to handle casts involving vector
5503         types.
5505 2022-01-20  David Malcolm  <dmalcolm@redhat.com>
5507         PR analyzer/94362
5508         * constraint-manager.cc (bound::ensure_closed): Convert param to
5509         enum bound_kind.
5510         (range::constrained_to_single_element): Likewise.
5511         (range::add_bound): New.
5512         (constraint_manager::add_constraint): Handle SVAL + OFFSET
5513         compared to a constant.
5514         (constraint_manager::get_ec_bounds): Rewrite in terms of
5515         range::add_bound.
5516         (constraint_manager::eval_condition): Reject if range::add_bound
5517         fails.
5518         (selftest::test_constant_comparisons): Add test coverage for
5519         various impossible combinations of integer comparisons.
5520         * constraint-manager.h (enum bound_kind): New.
5521         (struct bound): Likewise.
5522         (bound::ensure_closed): Convert param to enum bound_kind.
5523         (struct range): Convert to...
5524         (class range): ...this, making fields private.
5525         (range::add_bound): New decls.
5526         * region-model.cc (region_model::add_constraint): Fail if
5527         constraint_manager::add_constraint fails.
5529 2022-01-18  David Malcolm  <dmalcolm@redhat.com>
5531         PR analyzer/104089
5532         * region-model-manager.cc
5533         (region_model_manager::get_or_create_constant_svalue): Assert that
5534         we have a CONSTANT_CLASS_P.
5535         (region_model_manager::maybe_fold_unaryop): Only fold a constant
5536         when fold_unary's result is a constant or a cast of a constant.
5538 2022-01-18  David Malcolm  <dmalcolm@redhat.com>
5540         PR analyzer/104062
5541         * region-model-manager.cc
5542         (region_model_manager::maybe_fold_sub_svalue): Avoid casting to
5543         NULL type when folding access to repeated svalue.
5545 2022-01-17  Martin Liska  <mliska@suse.cz>
5547         * analyzer.cc (is_special_named_call_p): Rename .c names to .cc.
5548         (is_named_call_p): Likewise.
5549         * region-model-asm.cc (deterministic_p): Likewise.
5550         * region.cc (field_region::get_relative_concrete_offset): Likewise.
5551         * sm-malloc.cc (method_p): Likewise.
5552         * supergraph.cc (superedge::dump_dot): Likewise.
5554 2022-01-14  David Malcolm  <dmalcolm@redhat.com>
5556         * sm-taint.cc (taint_state_machine::combine_states): Handle combination
5557         of has_ub and has_lb.
5559 2022-01-14  David Malcolm  <dmalcolm@redhat.com>
5561         PR analyzer/104029
5562         * sm-taint.cc (taint_state_machine::alt_get_inherited_state):
5563         Remove gcc_unreachable from default case for unary ops.
5565 2022-01-14  David Malcolm  <dmalcolm@redhat.com>
5567         * engine.cc: Include "stringpool.h", "attribs.h", and
5568         "tree-dfa.h".
5569         (mark_params_as_tainted): New.
5570         (class tainted_args_function_custom_event): New.
5571         (class tainted_args_function_info): New.
5572         (exploded_graph::add_function_entry): Handle functions with
5573         "tainted_args" attribute.
5574         (class tainted_args_field_custom_event): New.
5575         (class tainted_args_callback_custom_event): New.
5576         (class tainted_args_call_info): New.
5577         (add_tainted_args_callback): New.
5578         (add_any_callbacks): New.
5579         (exploded_graph::build_initial_worklist): Likewise.
5580         (exploded_graph::build_initial_worklist): Find callbacks that are
5581         reachable from global initializers, calling add_any_callbacks on
5582         them.
5584 2022-01-12  David Malcolm  <dmalcolm@redhat.com>
5586         PR analyzer/103940
5587         * engine.cc (impl_sm_context::impl_sm_context): Add
5588         "unknown_side_effects" param and use it to initialize
5589         new m_unknown_side_effects field.
5590         (impl_sm_context::unknown_side_effects_p): New.
5591         (impl_sm_context::m_unknown_side_effects): New.
5592         (exploded_node::on_stmt): Pass unknown_side_effects to sm_ctxt
5593         ctor.
5594         * sm-taint.cc: Include "stringpool.h" and "attribs.h".
5595         (tainted_size::tainted_size): Drop "dir" param.
5596         (tainted_size::get_kind): Drop "FINAL".
5597         (tainted_size::emit): Likewise.
5598         (tainted_size::m_dir): Drop unused field.
5599         (class tainted_access_attrib_size): New subclass.
5600         (taint_state_machine::on_stmt): Call check_for_tainted_size_arg on
5601         external functions with unknown side effects.
5602         (taint_state_machine::check_for_tainted_size_arg): New.
5603         (region_model::check_region_for_taint): Drop "dir" param from
5604         tainted_size ctor.
5605         * sm.h (sm_context::unknown_side_effects_p): New.
5607 2022-01-11  David Malcolm  <dmalcolm@redhat.com>
5609         PR analyzer/102692
5610         * diagnostic-manager.cc
5611         (class auto_disable_complexity_checks): Rename to...
5612         (class auto_checking_feasibility): ...this, updating
5613         the calls accordingly.
5614         (epath_finder::explore_feasible_paths): Update for renaming.
5615         * region-model-manager.cc
5616         (region_model_manager::region_model_manager): Update for change from
5617         m_check_complexity to m_checking_feasibility.
5618         (region_model_manager::reject_if_too_complex): Likewise.
5619         (region_model_manager::get_or_create_unknown_svalue): Handle
5620         m_checking_feasibility.
5621         (region_model_manager::create_unique_svalue): New.
5622         (region_model_manager::maybe_fold_binop): Handle BIT_AND_EXPR and
5623         BIT_IOR_EXPRs on booleans where we know the result.
5624         * region-model.cc (test_binop_svalue_folding): Add test coverage
5625         for the above.
5626         * region-model.h (region_model_manager::create_unique_svalue): New
5627         decl.
5628         (region_model_manager::enable_complexity_check): Replace with...
5629         (region_model_manager::begin_checking_feasibility): ...this.
5630         (region_model_manager::disable_complexity_check): Replace with...
5631         (region_model_manager::end_checking_feasibility): ...this.
5632         (region_model_manager::m_check_complexity): Replace with...
5633         (region_model_manager::m_checking_feasibility): ...this.
5634         (region_model_manager::m_managed_dynamic_svalues): New field.
5636 2022-01-08  David Malcolm  <dmalcolm@redhat.com>
5638         * engine.cc (impl_run_checkers): Pass logger to engine ctor.
5639         * region-model-manager.cc
5640         (region_model_manager::region_model_manager): Add logger param and
5641         use it to initialize m_logger.
5642         * region-model.cc (engine::engine): New.
5643         * region-model.h (region_model_manager::region_model_manager):
5644         Add logger param.
5645         (region_model_manager::get_logger): New.
5646         (region_model_manager::m_logger): New field.
5647         (engine::engine): New.
5648         * store.cc (store_manager::get_logger): New.
5649         (store::set_value): Log scope.  Log when marking a cluster as
5650         unknown due to possible aliasing.
5651         * store.h (store_manager::get_logger): New decl.
5653 2022-01-08  David Malcolm  <dmalcolm@redhat.com>
5655         * region-model-impl-calls.cc (cmp_decls): New.
5656         (cmp_decls_ptr_ptr): New.
5657         (region_model::impl_call_analyzer_dump_escaped): New.
5658         * region-model.cc (region_model::on_stmt_pre): Handle
5659         __analyzer_dump_escaped.
5660         * region-model.h (region_model::impl_call_analyzer_dump_escaped):
5661         New decl.
5662         * store.h (binding_cluster::get_base_region): New accessor.
5664 2022-01-08  David Malcolm  <dmalcolm@redhat.com>
5666         * region.cc (region::is_named_decl_p): New.
5667         * region.h (region::is_named_decl_p): New decl.
5669 2022-01-06  David Malcolm  <dmalcolm@redhat.com>
5671         PR analyzer/103546
5672         * store.cc (store::eval_alias_1): Refactor handling of decl
5673         regions, adding a test for may_be_aliased, rejecting those for
5674         which it returns false.
5676 2021-12-12  Jonathan Wakely  <jwakely@redhat.com>
5678         * engine.cc: Define INCLUDE_MEMORY instead of INCLUDE_UNIQUE_PTR.
5680 2021-12-06  David Malcolm  <dmalcolm@redhat.com>
5682         PR analyzer/103533
5683         * constraint-manager.cc (equiv_class::contains_non_constant_p):
5684         New.
5685         (constraint_manager::canonicalize): Call it when determining
5686         redundant ECs.
5687         (selftest::test_purging): New selftest.
5688         (selftest::run_constraint_manager_tests): Likewise.
5689         * constraint-manager.h (equiv_class::contains_non_constant_p):
5690         New decl.
5692 2021-12-01  David Malcolm  <dmalcolm@redhat.com>
5694         PR analyzer/102471
5695         * region-model-reachability.cc (reachable_regions::handle_parm):
5696         Treat all svalues within a compound parm as reachable, and those
5697         wrapped in a cast.
5699 2021-11-29  David Malcolm  <dmalcolm@redhat.com>
5701         PR analyzer/103217
5702         * store.cc (binding_cluster::can_merge_p): For the "key is bound"
5703         vs "key is not bound" merger case, check that the bound svalue
5704         is mergeable before merging it to "unknown", rejecting the merger
5705         otherwise.
5707 2021-11-19  David Malcolm  <dmalcolm@redhat.com>
5709         PR analyzer/103217
5710         * engine.cc (exploded_graph::get_or_create_node): Pass in
5711         m_ext_state to program_state::can_merge_with_p.
5712         (exploded_graph::process_worklist): Likewise.
5713         (exploded_graph::maybe_process_run_of_before_supernode_enodes):
5714         Likewise.
5715         (exploded_graph::process_node): Add missing call to detect_leaks
5716         when handling phi nodes.
5717         * program-state.cc (program_state::can_merge_with_p): Add
5718         "ext_state" param.  Pass it and state ptrs to
5719         region_model::can_merge_with_p.
5720         (selftest::test_program_state_merging): Update for new ext_state
5721         param of program_state::can_merge_with_p.
5722         (selftest::test_program_state_merging_2): Likewise.
5723         * program-state.h (program_state::can_purge_p): Make const.
5724         (program_state::can_merge_with_p): Add "ext_state" param.
5725         * region-model.cc: Include "analyzer/program-state.h".
5726         (region_model::can_merge_with_p): Add params "ext_state",
5727         "state_a", and "state_b", use them when creating model_merger
5728         object.
5729         (model_merger::mergeable_svalue_p): New.
5730         * region-model.h (region_model::can_merge_with_p): Add params
5731         "ext_state", "state_a", and "state_b".
5732         (model_merger::model_merger): Likewise, initializing new fields.
5733         (model_merger::mergeable_svalue_p): New decl.
5734         (model_merger::m_ext_state): New field.
5735         (model_merger::m_state_a): New field.
5736         (model_merger::m_state_b): New field.
5737         * svalue.cc (svalue::can_merge_p): Call
5738         model_merger::mergeable_svalue_p on both states and reject the
5739         merger accordingly.
5741 2021-11-17  David Malcolm  <dmalcolm@redhat.com>
5743         PR analyzer/102695
5744         * region-model-impl-calls.cc (region_model::impl_call_strchr): New.
5745         * region-model-manager.cc
5746         (region_model_manager::maybe_fold_unaryop): Simplify cast to
5747         pointer type of an existing pointer to a region.
5748         * region-model.cc (region_model::on_call_pre): Handle
5749         BUILT_IN_STRCHR and "strchr".
5750         (write_to_const_diagnostic::emit): Add auto_diagnostic_group.  Add
5751         alternate wordings for functions and labels.
5752         (write_to_const_diagnostic::describe_final_event): Add alternate
5753         wordings for functions and labels.
5754         (region_model::check_for_writable_region): Handle RK_FUNCTION and
5755         RK_LABEL.
5756         * region-model.h (region_model::impl_call_strchr): New decl.
5758 2021-11-16  David Malcolm  <dmalcolm@redhat.com>
5760         PR analyzer/102662
5761         * constraint-manager.cc (bounded_range::operator==): Require the
5762         types to be the same for equality.
5764 2021-11-13  David Malcolm  <dmalcolm@redhat.com>
5766         * analyzer.opt (Wanalyzer-tainted-allocation-size): New.
5767         (Wanalyzer-tainted-divisor): New.
5768         (Wanalyzer-tainted-offset): New.
5769         (Wanalyzer-tainted-size): New.
5770         * engine.cc (impl_region_model_context::get_taint_map): New.
5771         * exploded-graph.h (impl_region_model_context::get_taint_map):
5772         New decl.
5773         * program-state.cc (sm_state_map::get_state): Call
5774         alt_get_inherited_state.
5775         (sm_state_map::impl_set_state): Modify states within
5776         compound svalues.
5777         (program_state::impl_call_analyzer_dump_state): Undo casts.
5778         (selftest::test_program_state_1): Update for new context param of
5779         create_region_for_heap_alloc.
5780         (selftest::test_program_state_merging): Likewise.
5781         * region-model-impl-calls.cc (region_model::impl_call_alloca):
5782         Likewise.
5783         (region_model::impl_call_calloc): Likewise.
5784         (region_model::impl_call_malloc): Likewise.
5785         (region_model::impl_call_operator_new): Likewise.
5786         (region_model::impl_call_realloc): Likewise.
5787         * region-model.cc (region_model::check_region_access): Call
5788         check_region_for_taint.
5789         (region_model::get_representative_path_var_1): Handle binops.
5790         (region_model::create_region_for_heap_alloc): Add "ctxt" param and
5791         pass it to set_dynamic_extents.
5792         (region_model::create_region_for_alloca): Likewise.
5793         (region_model::set_dynamic_extents): Add "ctxt" param and use it
5794         to call check_dynamic_size_for_taint.
5795         (selftest::test_state_merging): Update for new context param of
5796         create_region_for_heap_alloc.
5797         (selftest::test_malloc_constraints): Likewise.
5798         (selftest::test_malloc): Likewise.
5799         (selftest::test_alloca): Likewise for create_region_for_alloca.
5800         * region-model.h (region_model::create_region_for_heap_alloc): Add
5801         "ctxt" param.
5802         (region_model::create_region_for_alloca): Likewise.
5803         (region_model::set_dynamic_extents): Likewise.
5804         (region_model::check_dynamic_size_for_taint): New decl.
5805         (region_model::check_region_for_taint): New decl.
5806         (region_model_context::get_taint_map): New vfunc.
5807         (noop_region_model_context::get_taint_map): New.
5808         * sm-taint.cc: Remove include of "diagnostic-event-id.h"; add
5809         includes of "gimple-iterator.h", "tristate.h", "selftest.h",
5810         "ordered-hash-map.h", "cgraph.h", "cfg.h", "digraph.h",
5811         "analyzer/supergraph.h", "analyzer/call-string.h",
5812         "analyzer/program-point.h", "analyzer/store.h",
5813         "analyzer/region-model.h", and "analyzer/program-state.h".
5814         (enum bounds): Move to top of file.
5815         (class taint_diagnostic): New.
5816         (class tainted_array_index): Convert to subclass of taint_diagnostic.
5817         (tainted_array_index::emit): Add CWE-129.  Reword warning to use
5818         "attacker-controlled" rather than "tainted".
5819         (tainted_array_index::describe_state_change): Move to
5820         taint_diagnostic::describe_state_change.
5821         (tainted_array_index::describe_final_event): Reword to use
5822         "attacker-controlled" rather than "tainted".
5823         (class tainted_offset): New.
5824         (class tainted_size): New.
5825         (class tainted_divisor): New.
5826         (class tainted_allocation_size): New.
5827         (taint_state_machine::alt_get_inherited_state): New.
5828         (taint_state_machine::on_stmt): In assignment handling, remove
5829         ARRAY_REF handling in favor of check_region_for_taint.  Add
5830         detection of tainted divisors.
5831         (taint_state_machine::get_taint): New.
5832         (taint_state_machine::combine_states): New.
5833         (region_model::check_region_for_taint): New.
5834         (region_model::check_dynamic_size_for_taint): New.
5835         * sm.h (state_machine::alt_get_inherited_state): New.
5837 2021-11-12  David Malcolm  <dmalcolm@redhat.com>
5839         * engine.cc (exploded_node::on_stmt_pre): Return when handling
5840         "__analyzer_dump_state".
5842 2021-11-11  Richard Biener  <rguenther@suse.de>
5844         * supergraph.cc: Include bitmap.h.
5846 2021-11-04  David Malcolm  <dmalcolm@redhat.com>
5848         * program-state.cc (sm_state_map::dump): Use default_tree_printer
5849         as format decoder.
5851 2021-09-16  Maxim Blinov  <maxim.blinov@embecosm.com>
5853         PR bootstrap/102242
5854         * engine.cc (INCLUDE_UNIQUE_PTR): Define.
5856 2021-09-08  David Malcolm  <dmalcolm@redhat.com>
5858         PR analyzer/102225
5859         * analyzer.h (compat_types_p): New decl.
5860         * constraint-manager.cc
5861         (constraint_manager::get_or_add_equiv_class): Guard against NULL
5862         type when checking for pointer types.
5863         * region-model-impl-calls.cc (region_model::impl_call_realloc):
5864         Guard against NULL lhs type/region.  Guard against the size value
5865         not being of a compatible type for dynamic extents.
5866         * region-model.cc (compat_types_p): Make non-static.
5868 2021-08-30  David Malcolm  <dmalcolm@redhat.com>
5870         PR analyzer/99260
5871         * analyzer.h (class custom_edge_info): New class, adapted from
5872         exploded_edge::custom_info_t.  Make member functions const.
5873         Make update_model return bool, converting edge param from
5874         reference to a pointer, and adding a ctxt param.
5875         (class path_context): New class.
5876         * call-info.cc: New file.
5877         * call-info.h: New file.
5878         * engine.cc: Include "analyzer/call-info.h" and <memory>.
5879         (impl_region_model_context::impl_region_model_context): Update for
5880         new m_path_ctxt field.
5881         (impl_region_model_context::bifurcate): New.
5882         (impl_region_model_context::terminate_path): New.
5883         (impl_region_model_context::get_malloc_map): New.
5884         (impl_sm_context::impl_sm_context): Update for new m_path_ctxt
5885         field.
5886         (impl_sm_context::get_fndecl_for_call): Likewise.
5887         (impl_sm_context::set_next_state): Likewise.
5888         (impl_sm_context::warn): Likewise.
5889         (impl_sm_context::is_zero_assignment): Likewise.
5890         (impl_sm_context::get_path_context): New.
5891         (impl_sm_context::m_path_ctxt): New.
5892         (impl_region_model_context::on_condition): Update for new
5893         path_ctxt param.  Handle m_enode_for_diag being NULL.
5894         (impl_region_model_context::on_phi): Update for new path_ctxt
5895         param.
5896         (exploded_node::on_stmt): Add path_ctxt param, updating ctor calls
5897         to use it as necessary.  Use it to bail out after sm-handling,
5898         if needed.
5899         (exploded_node::detect_leaks): Update for new path_ctxt param.
5900         (dynamic_call_info_t::update_model): Update for conversion of
5901         exploded_edge::custom_info_t to custom_edge_info.
5902         (dynamic_call_info_t::add_events_to_path): Likewise.
5903         (rewind_info_t::update_model): Likewise.
5904         (rewind_info_t::add_events_to_path): Likewise.
5905         (exploded_edge::exploded_edge): Likewise.
5906         (exploded_graph::add_edge): Likewise.
5907         (exploded_graph::maybe_process_run_of_before_supernode_enodes):
5908         Update for new path_ctxt param.
5909         (class impl_path_context): New.
5910         (exploded_graph::process_node): Update for new path_ctxt param.
5911         Create an impl_path_context and pass it to exploded_node::on_stmt.
5912         Use it to terminate iterating stmts if terminate_path is called
5913         on it.  After processing a run of stmts, query path_ctxt to
5914         potentially terminate the analysis path, and/or to "bifurcate" the
5915         analysis into multiple additional paths.
5916         (feasibility_state::maybe_update_for_edge): Update for new
5917         update_model ctxt param.
5918         * exploded-graph.h
5919         (impl_region_model_context::impl_region_model_context): Add
5920         path_ctxt param.
5921         (impl_region_model_context::bifurcate): New.
5922         (impl_region_model_context::terminate_path): New.
5923         (impl_region_model_context::get_ext_state): New.
5924         (impl_region_model_context::get_malloc_map): New.
5925         (impl_region_model_context::m_path_ctxt): New field.
5926         (exploded_node::on_stmt): Add path_ctxt param.
5927         (class exploded_edge::custom_info_t): Move to analyzer.h, renaming
5928         to custom_edge_info, and making the changes as noted in analyzer.h
5929         above.
5930         (exploded_edge::exploded_edge): Update for these changes to
5931         exploded_edge::custom_info_t.
5932         (exploded_edge::m_custom_info): Likewise.
5933         (class dynamic_call_info_t): Likewise.
5934         (class rewind_info_t): Likewise.
5935         (exploded_graph::add_edge): Likewise.
5936         * program-state.cc (program_state::on_edge): Update for new
5937         path_ctxt param.
5938         (program_state::push_call): Likewise.
5939         (program_state::returning_call): Likewise.
5940         (program_state::prune_for_point): Likewise.
5941         * region-model-impl-calls.cc: Include "analyzer/call-info.h".
5942         (call_details::get_fndecl_for_call): New.
5943         (region_model::impl_call_realloc): Reimplement.
5944         * region-model.cc (region_model::on_call_pre): Move call to
5945         impl_call_realloc to...
5946         (region_model::on_call_post): ...here.  Consolidate creation
5947         of call_details instance.
5948         (noop_region_model_context::bifurcate): New.
5949         (noop_region_model_context::terminate_path): New.
5950         * region-model.h (call_details::get_call_stmt): New.
5951         (call_details::get_fndecl_for_call): New.
5952         (region_model::on_realloc_with_move): New.
5953         (region_model_context::bifurcate): New.
5954         (region_model_context::terminate_path): New.
5955         (region_model_context::get_ext_state): New.
5956         (region_model_context::get_malloc_map): New.
5957         (noop_region_model_context::bifurcate): New.
5958         (noop_region_model_context::terminate_path): New.
5959         (noop_region_model_context::get_ext_state): New.
5960         (noop_region_model_context::get_malloc_map): New.
5961         * sm-malloc.cc: Include "analyzer/program-state.h".
5962         (malloc_state_machine::on_realloc_call): Reimplement.
5963         (malloc_state_machine::on_realloc_with_move): New.
5964         (region_model::on_realloc_with_move): New.
5965         * sm-signal.cc (class signal_delivery_edge_info_t): Update for
5966         conversion from exploded_edge::custom_info_t to custom_edge_info.
5967         * sm.h (sm_context::get_path_context): New.
5968         * svalue.cc (svalue::maybe_get_constant): Call
5969         unwrap_any_unmergeable.
5971 2021-08-25  Ankur Saini  <arsenic@sourceware.org>
5973         PR analyzer/101980
5974         * engine.cc (exploded_graph::maybe_create_dynamic_call): Don't create
5975         calls if max recursion limit is reached.
5977 2021-08-23  David Malcolm  <dmalcolm@redhat.com>
5979         * analyzer.h (struct rejected_constraint): Convert to...
5980         (class rejected_constraint): ...this.
5981         (class bounded_ranges): New forward decl.
5982         (class bounded_ranges_manager): New forward decl.
5983         * constraint-manager.cc: Include "analyzer/analyzer-logging.h" and
5984         "tree-pretty-print.h".
5985         (can_plus_one_p): New.
5986         (plus_one): New.
5987         (can_minus_one_p): New.
5988         (minus_one): New.
5989         (bounded_range::bounded_range): New.
5990         (dump_cst): New.
5991         (bounded_range::dump_to_pp): New.
5992         (bounded_range::dump): New.
5993         (bounded_range::to_json): New.
5994         (bounded_range::set_json_attr): New.
5995         (bounded_range::contains_p): New.
5996         (bounded_range::intersects_p): New.
5997         (bounded_range::operator==): New.
5998         (bounded_range::cmp): New.
5999         (bounded_ranges::bounded_ranges): New.
6000         (bounded_ranges::bounded_ranges): New.
6001         (bounded_ranges::bounded_ranges): New.
6002         (bounded_ranges::canonicalize): New.
6003         (bounded_ranges::validate): New.
6004         (bounded_ranges::operator==): New.
6005         (bounded_ranges::dump_to_pp): New.
6006         (bounded_ranges::dump): New.
6007         (bounded_ranges::to_json): New.
6008         (bounded_ranges::eval_condition): New.
6009         (bounded_ranges::contain_p): New.
6010         (bounded_ranges::cmp): New.
6011         (bounded_ranges_manager::~bounded_ranges_manager): New.
6012         (bounded_ranges_manager::get_or_create_empty): New.
6013         (bounded_ranges_manager::get_or_create_point): New.
6014         (bounded_ranges_manager::get_or_create_range): New.
6015         (bounded_ranges_manager::get_or_create_union): New.
6016         (bounded_ranges_manager::get_or_create_intersection): New.
6017         (bounded_ranges_manager::get_or_create_inverse): New.
6018         (bounded_ranges_manager::consolidate): New.
6019         (bounded_ranges_manager::get_or_create_ranges_for_switch): New.
6020         (bounded_ranges_manager::create_ranges_for_switch): New.
6021         (bounded_ranges_manager::make_case_label_ranges): New.
6022         (bounded_ranges_manager::log_stats): New.
6023         (bounded_ranges_constraint::print): New.
6024         (bounded_ranges_constraint::to_json): New.
6025         (bounded_ranges_constraint::operator==): New.
6026         (bounded_ranges_constraint::add_to_hash): New.
6027         (constraint_manager::constraint_manager): Update for new field
6028         m_bounded_ranges_constraints.
6029         (constraint_manager::operator=): Likewise.
6030         (constraint_manager::hash): Likewise.
6031         (constraint_manager::operator==): Likewise.
6032         (constraint_manager::print): Likewise.
6033         (constraint_manager::dump_to_pp): Likewise.
6034         (constraint_manager::to_json): Likewise.
6035         (constraint_manager::add_unknown_constraint): Update the lhs_ec_id
6036         if necessary in existing constraints when combining equivalence
6037         classes.  Add similar code for handling
6038         m_bounded_ranges_constraints.
6039         (constraint_manager::add_constraint_internal): Add comment.
6040         (constraint_manager::add_bounded_ranges): New.
6041         (constraint_manager::eval_condition): Use new field
6042         m_bounded_ranges_constraints.
6043         (constraint_manager::purge): Update bounded_ranges_constraint
6044         instances.
6045         (constraint_manager::canonicalize): Update for new field.
6046         (merger_fact_visitor::on_ranges): New.
6047         (constraint_manager::for_each_fact): Use new field
6048         m_bounded_ranges_constraints.
6049         (constraint_manager::validate): Fix off-by-one error needed due
6050         to bug fixed above in add_unknown_constraint.  Validate the EC IDs
6051         in m_bounded_ranges_constraints.
6052         (constraint_manager::get_range_manager): New.
6053         (selftest::assert_dump_bounded_range_eq): New.
6054         (ASSERT_DUMP_BOUNDED_RANGE_EQ): New.
6055         (selftest::test_bounded_range): New.
6056         (selftest::assert_dump_bounded_ranges_eq): New.
6057         (ASSERT_DUMP_BOUNDED_RANGES_EQ): New.
6058         (selftest::test_bounded_ranges): New.
6059         (selftest::run_constraint_manager_tests): Call the new selftests.
6060         * constraint-manager.h (struct bounded_range): New.
6061         (struct bounded_ranges): New.
6062         (template <> struct default_hash_traits<bounded_ranges::key_t>): New.
6063         (class bounded_ranges_manager): New.
6064         (fact_visitor::on_ranges): New pure virtual function.
6065         (class bounded_ranges_constraint): New.
6066         (constraint_manager::add_bounded_ranges): New decl.
6067         (constraint_manager::get_range_manager): New decl.
6068         (constraint_manager::m_bounded_ranges_constraints): New field.
6069         * diagnostic-manager.cc (epath_finder::process_worklist_item):
6070         Transfer ownership of rc to add_feasibility_problem.
6071         * engine.cc (feasibility_problem::dump_to_pp): Use get_model.
6072         * feasible-graph.cc (infeasible_node::dump_dot): Update for
6073         conversion of m_rc to a pointer.
6074         (feasible_graph::add_feasibility_problem): Pass RC by pointer and
6075         take ownership.
6076         * feasible-graph.h (infeasible_node::infeasible_node): Pass RC by
6077         pointer and take ownership.
6078         (infeasible_node::~infeasible_node): New.
6079         (infeasible_node::m_rc): Convert to a pointer.
6080         (feasible_graph::add_feasibility_problem): Pass RC by pointer and
6081         take ownership.
6082         * region-model-manager.cc: Include
6083         "analyzer/constraint-manager.h".
6084         (region_model_manager::region_model_manager): Initialize new
6085         field m_range_mgr.
6086         (region_model_manager::~region_model_manager): Delete it.
6087         (region_model_manager::log_stats): Call log_stats on it.
6088         * region-model.cc (region_model::add_constraint): Use new subclass
6089         rejected_op_constraint.
6090         (region_model::apply_constraints_for_gswitch): Reimplement using
6091         bounded_ranges_manager.
6092         (rejected_constraint::dump_to_pp): Convert to...
6093         (rejected_op_constraint::dump_to_pp): ...this.
6094         (rejected_ranges_constraint::dump_to_pp): New.
6095         * region-model.h (struct purge_stats): Add field
6096         m_num_bounded_ranges_constraints.
6097         (region_model_manager::get_range_manager): New.
6098         (region_model_manager::m_range_mgr): New.
6099         (region_model::get_range_manager): New.
6100         (struct rejected_constraint): Split into...
6101         (class rejected_constraint):...this new abstract base class,
6102         and...
6103         (class rejected_op_constraint): ...this new concrete subclass.
6104         (class rejected_ranges_constraint): New.
6105         * supergraph.cc: Include "tree-cfg.h".
6106         (supergraph::supergraph): Drop idx param from add_cfg_edge.
6107         (supergraph::add_cfg_edge): Drop idx param.
6108         (switch_cfg_superedge::switch_cfg_superedge): Move here from
6109         header.  Populate m_case_labels with all cases which go to DST.
6110         (switch_cfg_superedge::dump_label_to_pp): Reimplement to use
6111         m_case_labels.
6112         (switch_cfg_superedge::get_case_label): Delete.
6113         * supergraph.h (supergraph::add_cfg_edge): Drop "idx" param.
6114         (switch_cfg_superedge::switch_cfg_superedge): Drop idx param and
6115         move implementation to supergraph.cc.
6116         (switch_cfg_superedge::get_case_label): Delete.
6117         (switch_cfg_superedge::get_case_labels): New.
6118         (switch_cfg_superedge::m_idx): Delete.
6119         (switch_cfg_superedge::m_case_labels): New field.
6121 2021-08-23  David Malcolm  <dmalcolm@redhat.com>
6123         PR analyzer/101875
6124         * sm-file.cc (file_diagnostic::describe_state_change): Handle
6125         change.m_expr being NULL.
6127 2021-08-23  David Malcolm  <dmalcolm@redhat.com>
6129         PR analyzer/101837
6130         * analyzer.cc (maybe_reconstruct_from_def_stmt): Bail if fn is
6131         NULL, and assert that it's non-NULL before passing it to
6132         build_call_array_loc.
6134 2021-08-23  David Malcolm  <dmalcolm@redhat.com>
6136         PR analyzer/101962
6137         * region-model.cc (region_model::eval_condition_without_cm):
6138         Refactor comparison against zero, adding a check for
6139         POINTER_PLUS_EXPR of non-NULL.
6141 2021-08-23  David Malcolm  <dmalcolm@redhat.com>
6143         * store.cc (bit_range::intersects_p): New overload.
6144         (bit_range::operator-): New.
6145         (binding_cluster::maybe_get_compound_binding): Handle the partial
6146         overlap case.
6147         (selftest::test_bit_range_intersects_p): Add test coverage for
6148         new overload of bit_range::intersects_p.
6149         * store.h (bit_range::intersects_p): New overload.
6150         (bit_range::operator-): New.
6152 2021-08-23  Ankur Saini  <arsenic@sourceware.org>
6154         PR analyzer/102020
6155         * diagnostic-manager.cc
6156         (diagnostic_manager::prune_for_sm_diagnostic)<case EK_CALL_EDGE>: Fix typo.
6158 2021-08-21  Ankur Saini  <arsenic@sourceware.org>
6160         PR analyzer/101980
6161         * diagnostic-manager.cc
6162         (diagnostic_manager::prune_for_sm_diagnostic)<case EK_CALL_EDGE>: Use
6163         caller_model only when the supergraph_edge doesn't exist.
6164         (diagnostic_manager::prune_for_sm_diagnostic)<case EK_RETURN_EDGE>:
6165         Likewise.
6166         * engine.cc (exploded_graph::create_dynamic_call): Rename to...
6167         (exploded_graph::maybe_create_dynamic_call): ...this, return call
6168         creation status.
6169         (exploded_graph::process_node): Handle calls which were not dynamically
6170         discovered.
6171         * exploded-graph.h (exploded_graph::create_dynamic_call): Rename to...
6172         (exploded_graph::maybe_create_dynamic_call): ...this.
6173         * region-model.cc (region_model::update_for_gcall): New param, use it
6174         to push call to frame.
6175         (region_model::update_for_call_superedge): Pass callee function to
6176         update_for_gcall.
6177         * region-model.h (region_model::update_for_gcall): New param.
6179 2021-08-18  Ankur Saini  <arsenic@sourceware.org>
6181         PR analyzer/97114
6182         * region-model.cc (region_model::get_rvalue_1): Add case for
6183         OBJ_TYPE_REF.
6185 2021-08-18  Ankur Saini  <arsenic@sourceware.org>
6187         PR analyzer/100546
6188         * analysis-plan.cc (analysis_plan::use_summary_p): Don't use call
6189         summaries if there is no callgraph edge.
6190         * checker-path.cc (call_event::call_event): Handle calls events that
6191         are not represented by a supergraph call edge.
6192         (return_event::return_event): Likewise.
6193         (call_event::get_desc): Work with new call_event structure.
6194         (return_event::get_desc): Likewise.
6195         * checker-path.h (call_event::m_src_snode): New field.
6196         (call_event::m_dest_snode): New field.
6197         (return_event::m_src_snode): New field.
6198         (return_event::m_dest_snode): New field.
6199         * diagnostic-manager.cc
6200         (diagnostic_manager::prune_for_sm_diagnostic)<case EK_CALL_EDGE>:
6201         Refactor to work with edges without callgraph edge.
6202         (diagnostic_manager::prune_for_sm_diagnostic)<case EK_RETURN_EDGE>:
6203         Likewise.
6204         * engine.cc (dynamic_call_info_t::update_model): New function.
6205         (dynamic_call_info_t::add_events_to_path): New function.
6206         (exploded_graph::create_dynamic_call): New function.
6207         (exploded_graph::process_node): Work with dynamically discovered calls.
6208         * exploded-graph.h (class dynamic_call_info_t): New class.
6209         (exploded_graph::create_dynamic_call): New decl.
6210         * program-point.cc (program_point::push_to_call_stack): New function.
6211         (program_point::pop_from_call_stack): New function.
6212         * program-point.h (program_point::push_to_call_stack): New decl.
6213         (program_point::pop_from_call_stack): New decl.
6214         * program-state.cc (program_state::push_call): New function.
6215         (program_state::returning_call): New function.
6216         * program-state.h (program_state::push_call): New decl.
6217         (program_state::returning_call): New decl.
6218         * region-model.cc (region_model::update_for_gcall): New function.
6219         (region_model::update_for_return_gcall): New function.
6220         (region_model::update_for_call_superedge): Get the underlying gcall and
6221         update for gcall.
6222         (region_model::update_for_return_superedge): Likewise.
6223         * region-model.h (region_model::update_for_gcall): New decl.
6224         (region_model::update_for_return_gcall): New decl.
6225         * state-purge.cc (state_purge_per_ssa_name::process_point): Update to
6226         work with calls without underlying cgraph edge.
6227         * supergraph.cc (supergraph::supergraph): Split snodes at every callsite.
6228         * supergraph.h (supernode::get_returning_call): New accessor.
6230 2021-08-04  David Malcolm  <dmalcolm@redhat.com>
6232         PR analyzer/101570
6233         * analyzer.cc (maybe_reconstruct_from_def_stmt): Add GIMPLE_ASM
6234         case.
6235         * analyzer.h (class asm_output_svalue): New forward decl.
6236         (class reachable_regions): New forward decl.
6237         * complexity.cc (complexity::from_vec_svalue): New.
6238         * complexity.h (complexity::from_vec_svalue): New decl.
6239         * engine.cc (feasibility_state::maybe_update_for_edge): Handle
6240         asm stmts by calling on_asm_stmt.
6241         * region-model-asm.cc: New file.
6242         * region-model-manager.cc
6243         (region_model_manager::maybe_fold_asm_output_svalue): New.
6244         (region_model_manager::get_or_create_asm_output_svalue): New.
6245         (region_model_manager::log_stats): Log m_asm_output_values_map.
6246         * region-model.cc (region_model::on_stmt_pre): Handle GIMPLE_ASM.
6247         * region-model.h (visitor::visit_asm_output_svalue): New.
6248         (region_model_manager::get_or_create_asm_output_svalue): New decl.
6249         (region_model_manager::maybe_fold_asm_output_svalue): New decl.
6250         (region_model_manager::asm_output_values_map_t): New typedef.
6251         (region_model_manager::m_asm_output_values_map): New field.
6252         (region_model::on_asm_stmt): New.
6253         * store.cc (binding_cluster::on_asm): New.
6254         * store.h (binding_cluster::on_asm): New decl.
6255         * svalue.cc (svalue::cmp_ptr): Handle SK_ASM_OUTPUT.
6256         (asm_output_svalue::dump_to_pp): New.
6257         (asm_output_svalue::dump_input): New.
6258         (asm_output_svalue::input_idx_to_asm_idx): New.
6259         (asm_output_svalue::accept): New.
6260         * svalue.h (enum svalue_kind): Add SK_ASM_OUTPUT.
6261         (svalue::dyn_cast_asm_output_svalue): New.
6262         (class asm_output_svalue): New.
6263         (is_a_helper <const asm_output_svalue *>::test): New.
6264         (struct default_hash_traits<asm_output_svalue::key_t>): New.
6266 2021-08-03  Jakub Jelinek  <jakub@redhat.com>
6268         PR analyzer/101721
6269         * sm-malloc.cc (known_allocator_p): Only check DECL_FUNCTION_CODE on
6270         BUILT_IN_NORMAL builtins.
6272 2021-07-29  Ankur Saini  <arsenic@sourceware.org>
6274         * call-string.cc (call_string::element_t::operator==): New operator.
6275         (call_string::element_t::operator!=): New operator.
6276         (call_string::element_t::get_caller_function): New function.
6277         (call_string::element_t::get_callee_function): New function.
6278         (call_string::call_string): Refactor to initialise m_elements.
6279         (call_string::operator=): Refactor to work with m_elements.
6280         (call_string::operator==): Likewise.
6281         (call_string::to_json): Likewise.
6282         (call_string::hash): Refactor to hash e.m_caller.
6283         (call_string::push_call): Refactor to work with m_elements.
6284         (call_string::push_call): New overload to push call via supernodes.
6285         (call_string::pop): Refactor to work with m_elements.
6286         (call_string::calc_recursion_depth): Likewise.
6287         (call_string::cmp): Likewise.
6288         (call_string::validate): Likewise.
6289         (call_string::operator[]): Likewise.
6290         * call-string.h (class supernode): New forward decl.
6291         (struct call_string::element_t): New struct.
6292         (call_string::call_string): Refactor to initialise m_elements.
6293         (call_string::empty_p): Refactor to work with m_elements.
6294         (call_string::get_callee_node): New decl.
6295         (call_string::get_caller_node): New decl.
6296         (m_elements): Replaces m_return_edges.
6297         * program-point.cc (program_point::get_function_at_depth): Refactor to
6298         work with new call-string format.
6299         (program_point::validate): Likewise.
6300         (program_point::on_edge): Likewise.
6302 2021-07-28  David Malcolm  <dmalcolm@redhat.com>
6304         * region-model.cc (region_model::on_call_pre): Treat
6305         IFN_UBSAN_BOUNDS, BUILT_IN_STACK_SAVE, and BUILT_IN_STACK_RESTORE
6306         as no-ops, rather than handling them as unknown functions.
6308 2021-07-28  David Malcolm  <dmalcolm@redhat.com>
6310         * region-model-impl-calls.cc (region_model::impl_call_alloca):
6311         Drop redundant return value.
6312         (region_model::impl_call_builtin_expect): Likewise.
6313         (region_model::impl_call_calloc): Likewise.
6314         (region_model::impl_call_malloc): Likewise.
6315         (region_model::impl_call_memset): Likewise.
6316         (region_model::impl_call_operator_new): Likewise.
6317         (region_model::impl_call_operator_delete): Likewise.
6318         (region_model::impl_call_strlen): Likewise.
6319         * region-model.cc (region_model::on_call_pre): Fix return value of
6320         known functions that don't have unknown side-effects.
6321         * region-model.h (region_model::impl_call_alloca): Drop redundant
6322         return value.
6323         (region_model::impl_call_builtin_expect): Likewise.
6324         (region_model::impl_call_calloc): Likewise.
6325         (region_model::impl_call_malloc): Likewise.
6326         (region_model::impl_call_memset): Likewise.
6327         (region_model::impl_call_strlen): Likewise.
6328         (region_model::impl_call_operator_new): Likewise.
6329         (region_model::impl_call_operator_delete): Likewise.
6331 2021-07-28  Siddhesh Poyarekar  <siddhesh@gotplt.org>
6333         * analyzer.cc (is_named_call_p, is_std_named_call_p): Make
6334         first argument a const_tree.
6335         * analyzer.h (is_named_call_p, is_std_named_call_p): Likewise.
6336         * sm-malloc.cc (known_allocator_p): New function.
6337         (malloc_state_machine::on_stmt): Use it.
6339 2021-07-28  Siddhesh Poyarekar  <siddhesh@gotplt.org>
6341         * sm-malloc.cc
6342         (malloc_state_machine::get_or_create_deallocator): Recognize
6343         __builtin_free.
6345 2021-07-26  David Malcolm  <dmalcolm@redhat.com>
6347         * region-model.cc (region_model::on_call_pre): Always set conjured
6348         LHS, not just for SSA names.
6350 2021-07-23  David Malcolm  <dmalcolm@redhat.com>
6352         * diagnostic-manager.cc
6353         (class auto_disable_complexity_checks): New.
6354         (epath_finder::explore_feasible_paths): Use it to disable
6355         complexity checks whilst processing the worklist.
6356         * region-model-manager.cc
6357         (region_model_manager::region_model_manager): Initialize
6358         m_check_complexity.
6359         (region_model_manager::reject_if_too_complex): Bail if
6360         m_check_complexity is false.
6361         * region-model.h
6362         (region_model_manager::enable_complexity_check): New.
6363         (region_model_manager::disable_complexity_check): New.
6364         (region_model_manager::m_check_complexity): New.
6366 2021-07-21  David Malcolm  <dmalcolm@redhat.com>
6368         PR analyzer/101547
6369         * sm-file.cc (file_leak::emit): Handle m_arg being NULL.
6370         (file_leak::describe_final_event): Handle ev.m_expr being NULL.
6372 2021-07-21  David Malcolm  <dmalcolm@redhat.com>
6374         PR analyzer/101522
6375         * store.cc (binding_cluster::purge_state_involving): Don't change
6376         m_map whilst iterating through it.
6378 2021-07-21  David Malcolm  <dmalcolm@redhat.com>
6380         * region-model.cc (region_model::handle_phi): Add "old_state"
6381         param and use it.
6382         (region_model::update_for_phis): Update so that all of the phi
6383         stmts are effectively handled simultaneously, rather than in
6384         order.
6385         * region-model.h (region_model::handle_phi): Add "old_state"
6386         param.
6387         * state-purge.cc (self_referential_phi_p): Replace with...
6388         (name_used_by_phis_p): ...this new function.
6389         (state_purge_per_ssa_name::process_point): Update to use the
6390         above, so that all phi stmts at a basic block are effectively
6391         considered simultaneously, and only consider the phi arguments for
6392         the pertinent in-edge.
6393         * supergraph.cc (cfg_superedge::get_phi_arg_idx): New.
6394         (cfg_superedge::get_phi_arg): Use the above.
6395         * supergraph.h (cfg_superedge::get_phi_arg_idx): New decl.
6397 2021-07-21  David Malcolm  <dmalcolm@redhat.com>
6399         * state-purge.cc (state_purge_annotator::add_node_annotations):
6400         Rather than erroneously always using the NULL in-edge, determine
6401         each relevant in-edge, and print the appropriate data for each
6402         in-edge.  Use print_needed to print the data as comma-separated
6403         lists of SSA names.
6404         (print_vec_of_names): Add "within_table" param and use it.
6405         (state_purge_annotator::add_stmt_annotations): Factor out
6406         collation and printing code into...
6407         (state_purge_annotator::print_needed): ...this new function.
6408         * state-purge.h (state_purge_annotator::print_needed): New decl.
6410 2021-07-21  David Malcolm  <dmalcolm@redhat.com>
6412         * program-point.cc (function_point::print): Show src BB index at
6413         BEFORE_SUPERNODE.
6415 2021-07-21  David Malcolm  <dmalcolm@redhat.com>
6417         * svalue.cc (infix_p): New.
6418         (binop_svalue::dump_to_pp): Use it to print MIN_EXPR and MAX_EXPR
6419         in prefix form, rather than infix.
6421 2021-07-19  David Malcolm  <dmalcolm@redhat.com>
6423         PR analyzer/101503
6424         * constraint-manager.cc (constraint_manager::add_constraint): Use
6425         can_have_associated_state_p rather than testing for unknown.
6426         (constraint_manager::get_or_add_equiv_class): Likewise.
6427         * program-state.cc (sm_state_map::set_state): Likewise.
6428         (sm_state_map::impl_set_state): Add assertion.
6429         * region-model-manager.cc
6430         (region_model_manager::maybe_fold_unaryop): Handle poisoned
6431         values.
6432         (region_model_manager::maybe_fold_binop): Move handling of unknown
6433         values...
6434         (region_model_manager::get_or_create_binop): ...to here, and
6435         generalize to use can_have_associated_state_p.
6436         (region_model_manager::maybe_fold_sub_svalue): Use
6437         can_have_associated_state_p rather than testing for unknown.
6438         (region_model_manager::maybe_fold_repeated_svalue): Use unknown
6439         when the size or repeated value is "unknown"/"poisoned".
6440         * region-model.cc (region_model::purge_state_involving): Reject
6441         attempts to purge unknown/poisoned svalues, as these svalues
6442         should not have state associated with them.
6443         * svalue.cc (sub_svalue::sub_svalue): Assert that we're building
6444         on top of an svalue with can_have_associated_state_p.
6445         (repeated_svalue::repeated_svalue): Likewise.
6446         (bits_within_svalue::bits_within_svalue): Likewise.
6447         * svalue.h (svalue::can_have_associated_state_p): New.
6448         (unknown_svalue::can_have_associated_state_p): New.
6449         (poisoned_svalue::can_have_associated_state_p): New.
6450         (unaryop_svalue::unaryop_svalue): Assert that we're building on
6451         top of an svalue with can_have_associated_state_p.
6452         (binop_svalue::binop_svalue): Likewise.
6453         (widening_svalue::widening_svalue): Likewise.
6455 2021-07-16  David Malcolm  <dmalcolm@redhat.com>
6457         * analyzer.h (enum access_direction): New.
6458         * engine.cc (exploded_node::on_longjmp): Update for new param of
6459         get_store_value.
6460         * program-state.cc (program_state::prune_for_point): Likewise.
6461         * region-model-impl-calls.cc (region_model::impl_call_memcpy):
6462         Replace call to check_for_writable_region with call to
6463         check_region_for_write.
6464         (region_model::impl_call_memset): Likewise.
6465         (region_model::impl_call_strcpy): Likewise.
6466         * region-model-reachability.cc (reachable_regions::add): Update
6467         for new param of get_store_value.
6468         * region-model.cc (region_model::get_rvalue_1): Likewise, also for
6469         get_rvalue_for_bits.
6470         (region_model::get_store_value): Add ctxt param and use it to call
6471         check_region_for_read.
6472         (region_model::get_rvalue_for_bits): Add ctxt param and use it to
6473         call get_store_value.
6474         (region_model::check_region_access): New.
6475         (region_model::check_region_for_write): New.
6476         (region_model::check_region_for_read): New.
6477         (region_model::set_value): Update comment.  Replace call to
6478         check_for_writable_region with call to check_region_for_write.
6479         * region-model.h (region_model::get_rvalue_for_bits): Add ctxt
6480         param.
6481         (region_model::get_store_value): Add ctxt param.
6482         (region_model::check_region_access): New decl.
6483         (region_model::check_region_for_write): New decl.
6484         (region_model::check_region_for_read): New decl.
6485         * region.cc (region_model::copy_region): Update call to
6486         get_store_value.
6487         * svalue.cc (initial_svalue::implicitly_live_p): Likewise.
6489 2021-07-16  David Malcolm  <dmalcolm@redhat.com>
6491         * engine.cc (exploded_node::on_stmt_pre): Handle
6492         __analyzer_dump_state.
6493         * program-state.cc (extrinsic_state::get_sm_idx_by_name): New.
6494         (program_state::impl_call_analyzer_dump_state): New.
6495         * program-state.h (extrinsic_state::get_sm_idx_by_name): New decl.
6496         (program_state::impl_call_analyzer_dump_state): New decl.
6497         * region-model-impl-calls.cc
6498         (call_details::get_arg_string_literal): New.
6499         * region-model.h (call_details::get_arg_string_literal): New decl.
6501 2021-07-16  David Malcolm  <dmalcolm@redhat.com>
6503         * program-state.cc (program_state::detect_leaks): Simplify using
6504         svalue::maybe_get_region.
6505         * region-model-impl-calls.cc (region_model::impl_call_fgets): Likewise.
6506         (region_model::impl_call_fread): Likewise.
6507         (region_model::impl_call_free): Likewise.
6508         (region_model::impl_call_operator_delete): Likewise.
6509         * region-model.cc (selftest::test_stack_frames): Likewise.
6510         (selftest::test_state_merging): Likewise.
6511         * svalue.cc (svalue::maybe_get_region): New.
6512         * svalue.h (svalue::maybe_get_region): New decl.
6514 2021-07-15  David Malcolm  <dmalcolm@redhat.com>
6516         * svalue.h (is_a_helper <placeholder_svalue *>::test): Make
6517         param and template param const.
6518         (is_a_helper <widening_svalue *>::test): Likewise.
6519         (is_a_helper <compound_svalue *>::test): Likewise.
6520         (is_a_helper <conjured_svalue *>::test): Likewise.
6522 2021-07-15  David Malcolm  <dmalcolm@redhat.com>
6524         PR analyzer/95006
6525         PR analyzer/94713
6526         PR analyzer/94714
6527         * analyzer.cc (maybe_reconstruct_from_def_stmt): Split out
6528         GIMPLE_ASSIGN case into...
6529         (get_diagnostic_tree_for_gassign_1): New.
6530         (get_diagnostic_tree_for_gassign): New.
6531         * analyzer.h (get_diagnostic_tree_for_gassign): New decl.
6532         * analyzer.opt (Wanalyzer-write-to-string-literal): New.
6533         * constraint-manager.cc (class svalue_purger): New.
6534         (constraint_manager::purge_state_involving): New.
6535         * constraint-manager.h
6536         (constraint_manager::purge_state_involving): New.
6537         * diagnostic-manager.cc (saved_diagnostic::supercedes_p): New.
6538         (dedupe_winners::handle_interactions): New.
6539         (diagnostic_manager::emit_saved_diagnostics): Call it.
6540         * diagnostic-manager.h (saved_diagnostic::supercedes_p): New decl.
6541         * engine.cc (impl_region_model_context::warn): Convert return type
6542         to bool.  Return false if the diagnostic isn't saved.
6543         (impl_region_model_context::purge_state_involving): New.
6544         (impl_sm_context::get_state): Use NULL ctxt when querying old
6545         rvalue.
6546         (impl_sm_context::set_next_state): Use new sval when querying old
6547         state.
6548         (class dump_path_diagnostic): Move to region-model.cc.
6549         (exploded_node::on_stmt): Move to on_stmt_pre and on_stmt_post.
6550         Remove call to purge_state_involving.
6551         (exploded_node::on_stmt_pre): New, based on the above.  Move most
6552         of it to region_model::on_stmt_pre.
6553         (exploded_node::on_stmt_post): Likewise, moving to
6554         region_model::on_stmt_post.
6555         (class stale_jmp_buf): Fix parent class to use curiously recurring
6556         template pattern.
6557         (feasibility_state::maybe_update_for_edge): Call on_call_pre and
6558         on_call_post on gcalls.
6559         * exploded-graph.h (impl_region_model_context::warn): Return bool.
6560         (impl_region_model_context::purge_state_involving): New decl.
6561         (exploded_node::on_stmt_pre): New decl.
6562         (exploded_node::on_stmt_post): New decl.
6563         * pending-diagnostic.h (pending_diagnostic::use_of_uninit_p): New.
6564         (pending_diagnostic::supercedes_p): New.
6565         * program-state.cc (sm_state_map::get_state): Inherit state for
6566         conjured_svalue as well as initial_svalue.
6567         (sm_state_map::purge_state_involving): Also support SK_CONJURED.
6568         * region-model-impl-calls.cc (call_details::get_uncertainty):
6569         Handle m_ctxt being NULL.
6570         (call_details::get_or_create_conjured_svalue): New.
6571         (region_model::impl_call_fgets): New.
6572         (region_model::impl_call_fread): New.
6573         * region-model-manager.cc
6574         (region_model_manager::get_or_create_initial_value): Return an
6575         uninitialized poisoned value for regions that can't have initial
6576         values.
6577         * region-model-reachability.cc
6578         (reachable_regions::mark_escaped_clusters): Handle ctxt being
6579         NULL.
6580         * region-model.cc (region_to_value_map::purge_state_involving): New.
6581         (poisoned_value_diagnostic::use_of_uninit_p): New.
6582         (poisoned_value_diagnostic::emit): Handle POISON_KIND_UNINIT.
6583         (poisoned_value_diagnostic::describe_final_event): Likewise.
6584         (region_model::check_for_poison): New.
6585         (region_model::on_assignment): Call it.
6586         (class dump_path_diagnostic): Move here from engine.cc.
6587         (region_model::on_stmt_pre): New, based on exploded_node::on_stmt.
6588         (region_model::on_call_pre): Move the setting of the LHS to a
6589         conjured svalue to before the checks for specific functions.
6590         Handle "fgets", "fgets_unlocked", and "fread".
6591         (region_model::purge_state_involving): New.
6592         (region_model::handle_unrecognized_call): Handle ctxt being NULL.
6593         (region_model::get_rvalue): Call check_for_poison.
6594         (selftest::test_stack_frames): Use NULL for context when getting
6595         uninitialized rvalue.
6596         (selftest::test_alloca): Likewise.
6597         * region-model.h (region_to_value_map::purge_state_involving): New
6598         decl.
6599         (call_details::get_or_create_conjured_svalue): New decl.
6600         (region_model::on_stmt_pre): New decl.
6601         (region_model::purge_state_involving): New decl.
6602         (region_model::impl_call_fgets): New decl.
6603         (region_model::impl_call_fread): New decl.
6604         (region_model::check_for_poison): New decl.
6605         (region_model_context::warn): Return bool.
6606         (region_model_context::purge_state_involving): New.
6607         (noop_region_model_context::warn): Return bool.
6608         (noop_region_model_context::purge_state_involving): New.
6609         (test_region_model_context::warn): Return bool.
6610         * region.cc (region::get_memory_space): New.
6611         (region::can_have_initial_svalue_p): New.
6612         (region::involves_p): New.
6613         * region.h (enum memory_space): New.
6614         (region::get_memory_space): New decl.
6615         (region::can_have_initial_svalue_p): New decl.
6616         (region::involves_p): New decl.
6617         * sm-malloc.cc (use_after_free::supercedes_p): New.
6618         * store.cc (binding_cluster::purge_state_involving): New.
6619         (store::purge_state_involving): New.
6620         * store.h (class symbolic_binding): New forward decl.
6621         (binding_key::dyn_cast_symbolic_binding): New.
6622         (symbolic_binding::dyn_cast_symbolic_binding): New.
6623         (binding_cluster::purge_state_involving): New.
6624         (store::purge_state_involving): New.
6625         * svalue.cc (svalue::can_merge_p): Reject attempts to merge
6626         poisoned svalues with other svalues, so that we identify
6627         paths in which a variable is conditionally uninitialized.
6628         (involvement_visitor::visit_conjured_svalue): New.
6629         (svalue::involves_p): Also handle SK_CONJURED.
6630         (poison_kind_to_str): Handle POISON_KIND_UNINIT.
6631         (poisoned_svalue::maybe_fold_bits_within): New.
6632         * svalue.h (enum poison_kind): Add POISON_KIND_UNINIT.
6633         (poisoned_svalue::maybe_fold_bits_within): New decl.
6635 2021-07-15  David Malcolm  <dmalcolm@redhat.com>
6637         * analyzer.opt (fdump-analyzer-exploded-paths): New.
6638         * diagnostic-manager.cc
6639         (diagnostic_manager::emit_saved_diagnostic): Implement it.
6640         * engine.cc (exploded_path::dump_to_pp): Add ext_state param and
6641         use it to dump states if non-NULL.
6642         (exploded_path::dump): Likewise.
6643         (exploded_path::dump_to_file): New.
6644         * exploded-graph.h (exploded_path::dump_to_pp): Add ext_state
6645         param.
6646         (exploded_path::dump): Likewise.
6647         (exploded_path::dump): Likewise.
6648         (exploded_path::dump_to_file): New.
6650 2021-07-15  David Malcolm  <dmalcolm@redhat.com>
6652         * analyzer.cc (fixup_tree_for_diagnostic_1): Use DECL_DEBUG_EXPR
6653         if it's available.
6654         * engine.cc (readability): Likewise.
6656 2021-07-15  David Malcolm  <dmalcolm@redhat.com>
6658         * state-purge.cc (self_referential_phi_p): New.
6659         (state_purge_per_ssa_name::process_point): Don't purge an SSA name
6660         at its def-stmt if the def-stmt is self-referential.
6662 2021-07-07  David Malcolm  <dmalcolm@redhat.com>
6664         * diagnostic-manager.cc (null_assignment_sm_context::get_state):
6665         New overload.
6666         (null_assignment_sm_context::set_next_state): New overload.
6667         (null_assignment_sm_context::get_diagnostic_tree): New.
6668         * engine.cc (impl_sm_context::get_state): New overload.
6669         (impl_sm_context::set_next_state): New overload.
6670         (impl_sm_context::get_diagnostic_tree): New overload.
6671         (impl_region_model_context::on_condition): Convert params from
6672         tree to const svalue *.
6673         * exploded-graph.h (impl_region_model_context::on_condition):
6674         Likewise.
6675         * region-model.cc (region_model::on_call_pre): Move handling of
6676         internal calls to before checking for get_fndecl_for_call.
6677         (region_model::add_constraints_from_binop): New.
6678         (region_model::add_constraint): Split out into a new overload
6679         working on const svalue * rather than tree.  Call
6680         add_constraints_from_binop.  Drop call to
6681         add_any_constraints_from_ssa_def_stmt.
6682         (region_model::add_any_constraints_from_ssa_def_stmt): Delete.
6683         (region_model::add_any_constraints_from_gassign): Delete.
6684         (region_model::add_any_constraints_from_gcall): Delete.
6685         * region-model.h
6686         (region_model::add_any_constraints_from_ssa_def_stmt): Delete.
6687         (region_model::add_any_constraints_from_gassign): Delete.
6688         (region_model::add_any_constraints_from_gcall): Delete.
6689         (region_model::add_constraint): Add overload decl.
6690         (region_model::add_constraints_from_binop): New decl.
6691         (region_model_context::on_condition): Convert params from tree to
6692         const svalue *.
6693         (noop_region_model_context::on_condition): Likewise.
6694         * sm-file.cc (fileptr_state_machine::condition): Likewise.
6695         * sm-malloc.cc (malloc_state_machine::on_condition): Likewise.
6696         * sm-pattern-test.cc: Include tristate.h, selftest.h,
6697         analyzer/call-string.h, analyzer/program-point.h,
6698         analyzer/store.h, and analyzer/region-model.h.
6699         (pattern_test_state_machine::on_condition): Convert params from tree to
6700         const svalue *.
6701         * sm-sensitive.cc (sensitive_state_machine::on_condition): Delete.
6702         * sm-signal.cc (signal_state_machine::on_condition): Delete.
6703         * sm-taint.cc (taint_state_machine::on_condition): Convert params
6704         from tree to const svalue *.
6705         * sm.cc: Include tristate.h, selftest.h, analyzer/call-string.h,
6706         analyzer/program-point.h, analyzer/store.h, and
6707         analyzer/region-model.h.
6708         (any_pointer_p): Add overload taking const svalue *sval.
6709         * sm.h (any_pointer_p): Add overload taking const svalue *sval.
6710         (state_machine::on_condition): Convert params from tree to
6711         const svalue *.  Provide no-op default implementation.
6712         (sm_context::get_state): Add overload taking const svalue *sval.
6713         (sm_context::set_next_state): Likewise.
6714         (sm_context::on_transition): Likewise.
6715         (sm_context::get_diagnostic_tree): Likewise.
6716         * svalue.cc (svalue::all_zeroes_p): New.
6717         (constant_svalue::all_zeroes_p): New.
6718         (repeated_svalue::all_zeroes_p): Convert to vfunc.
6719         * svalue.h (svalue::all_zeroes_p): New decl.
6720         (constant_svalue::all_zeroes_p): New decl.
6721         (repeated_svalue::all_zeroes_p): Convert decl to vfunc.
6723 2021-06-30  David Malcolm  <dmalcolm@redhat.com>
6725         PR analyzer/95006
6726         * analyzer.h (class repeated_svalue): New forward decl.
6727         (class bits_within_svalue): New forward decl.
6728         (class sized_region): New forward decl.
6729         (get_field_at_bit_offset): New forward decl.
6730         * engine.cc (exploded_graph::get_or_create_node): Validate the
6731         merged state.
6732         (exploded_graph::maybe_process_run_of_before_supernode_enodes):
6733         Validate the states at each stage.
6734         * program-state.cc (program_state::validate): Validate
6735         m_region_model.
6736         * region-model-impl-calls.cc (region_model::impl_call_memset):
6737         Replace special-case logic for handling constant sizes with
6738         a call to fill_region of a sized_region with the given fill value.
6739         * region-model-manager.cc (maybe_undo_optimize_bit_field_compare):
6740         Drop DK_direct.
6741         (region_model_manager::maybe_fold_sub_svalue): Fold element-based
6742         subregions of an initial value into initial values of an element.
6743         Fold subvalues of repeated svalues.
6744         (region_model_manager::maybe_fold_repeated_svalue): New.
6745         (region_model_manager::get_or_create_repeated_svalue): New.
6746         (get_bit_range_for_field): New.
6747         (get_byte_range_for_field): New.
6748         (get_field_at_byte_range): New.
6749         (region_model_manager::maybe_fold_bits_within_svalue): New.
6750         (region_model_manager::get_or_create_bits_within): New.
6751         (region_model_manager::get_sized_region): New.
6752         (region_model_manager::log_stats): Update for addition of
6753         m_repeated_values_map, m_bits_within_values_map, and
6754         m_sized_regions.
6755         * region-model.cc (region_model::validate): New.
6756         (region_model::on_assignment): Drop enum binding_kind.
6757         (region_model::get_initial_value_for_global): Likewise.
6758         (region_model::get_rvalue_for_bits): Replace body with call to
6759         get_or_create_bits_within.
6760         (region_model::get_capacity): Handle RK_SIZED.
6761         (region_model::set_value): Drop enum binding_kind.
6762         (region_model::fill_region): New.
6763         (region_model::get_representative_path_var_1): Handle RK_SIZED.
6764         * region-model.h (visitor::visit_repeated_svalue): New.
6765         (visitor::visit_bits_within_svalue): New.
6766         (region_model_manager::get_or_create_repeated_svalue): New decl.
6767         (region_model_manager::get_or_create_bits_within): New decl.
6768         (region_model_manager::get_sized_region): New decl.
6769         (region_model_manager::maybe_fold_repeated_svalue): New decl.
6770         (region_model_manager::maybe_fold_bits_within_svalue): New decl.
6771         (region_model_manager::repeated_values_map_t): New typedef.
6772         (region_model_manager::m_repeated_values_map): New field.
6773         (region_model_manager::bits_within_values_map_t): New typedef.
6774         (region_model_manager::m_bits_within_values_map): New field.
6775         (region_model_manager::m_sized_regions): New field.
6776         (region_model::fill_region): New decl.
6777         * region.cc (region::get_base_region): Handle RK_SIZED.
6778         (region::base_region_p): Likewise.
6779         (region::get_byte_size_sval): New.
6780         (get_field_at_bit_offset): Make non-static.
6781         (region::calc_offset): Move implementation of cases to
6782         get_relative_concrete_offset vfunc implementations.  Handle
6783         RK_SIZED.
6784         (region::get_relative_concrete_offset): New.
6785         (decl_region::get_svalue_for_initializer): Drop enum binding_kind.
6786         (field_region::get_relative_concrete_offset): New, from
6787         region::calc_offset.
6788         (element_region::get_relative_concrete_offset): Likewise.
6789         (offset_region::get_relative_concrete_offset): Likewise.
6790         (sized_region::accept): New.
6791         (sized_region::dump_to_pp): New.
6792         (sized_region::get_byte_size): New.
6793         (sized_region::get_bit_size): New.
6794         * region.h (enum region_kind): Add RK_SIZED.
6795         (region::dyn_cast_sized_region): New.
6796         (region::get_byte_size): Make virtual.
6797         (region::get_bit_size): Likewise.
6798         (region::get_byte_size_sval): New decl.
6799         (region::get_relative_concrete_offset): New decl.
6800         (field_region::get_relative_concrete_offset): New decl.
6801         (element_region::get_relative_concrete_offset): Likewise.
6802         (offset_region::get_relative_concrete_offset): Likewise.
6803         (class sized_region): New.
6804         * store.cc (binding_kind_to_string): Delete.
6805         (binding_key::make): Drop enum binding_kind.
6806         (binding_key::dump_to_pp): Delete.
6807         (binding_key::cmp_ptrs): Drop enum binding_kind.
6808         (bit_range::contains_p): New.
6809         (byte_range::dump): New.
6810         (byte_range::contains_p): New.
6811         (byte_range::cmp): New.
6812         (concrete_binding::dump_to_pp): Drop enum binding_kind.
6813         (concrete_binding::cmp_ptr_ptr): Likewise.
6814         (symbolic_binding::dump_to_pp): Likewise.
6815         (symbolic_binding::cmp_ptr_ptr): Likewise.
6816         (binding_map::apply_ctor_val_to_range): Likewise.
6817         (binding_map::apply_ctor_pair_to_child_region): Likewise.
6818         (binding_map::get_overlapping_bindings): New.
6819         (binding_map::remove_overlapping_bindings): New.
6820         (binding_cluster::validate): New.
6821         (binding_cluster::bind): Drop enum binding_kind.
6822         (binding_cluster::bind_compound_sval): Likewise.
6823         (binding_cluster::purge_region): Likewise.
6824         (binding_cluster::zero_fill_region): Reimplement in terms of...
6825         (binding_cluster::fill_region): New.
6826         (binding_cluster::mark_region_as_unknown): Drop enum binding_kind.
6827         (binding_cluster::get_binding): Likewise.
6828         (binding_cluster::get_binding_recursive): Likewise.
6829         (binding_cluster::get_any_binding): Likewise.
6830         (binding_cluster::maybe_get_compound_binding): Reimplement.
6831         (binding_cluster::get_overlapping_bindings): Delete.
6832         (binding_cluster::remove_overlapping_bindings): Reimplement in
6833         terms of binding_map::remove_overlapping_bindings.
6834         (binding_cluster::can_merge_p): Update for removal of
6835         enum binding_kind.
6836         (binding_cluster::on_unknown_fncall): Drop enum binding_kind.
6837         (binding_cluster::maybe_get_simple_value): Likewise.
6838         (store_manager::get_concrete_binding): Likewise.
6839         (store_manager::get_symbolic_binding): Likewise.
6840         (store::validate): New.
6841         (store::set_value): Drop enum binding_kind.
6842         (store::zero_fill_region): Reimplement in terms of...
6843         (store::fill_region): New.
6844         (selftest::test_binding_key_overlap): Drop enum binding_kind.
6845         * store.h (enum binding_kind): Delete.
6846         (binding_kind_to_string): Delete decl.
6847         (binding_key::make): Drop enum binding_kind.
6848         (binding_key::dump_to_pp): Make pure virtual.
6849         (binding_key::get_kind): Delete.
6850         (binding_key::mark_deleted): Delete.
6851         (binding_key::mark_empty): Delete.
6852         (binding_key::is_deleted): Delete.
6853         (binding_key::is_empty): Delete.
6854         (binding_key::binding_key): Delete.
6855         (binding_key::impl_hash): Delete.
6856         (binding_key::impl_eq): Delete.
6857         (binding_key::m_kind): Delete.
6858         (bit_range::get_last_bit_offset): New.
6859         (bit_range::contains_p): New.
6860         (byte_range::contains_p): New.
6861         (byte_range::operator==): New.
6862         (byte_range::get_start_byte_offset): New.
6863         (byte_range::get_next_byte_offset): New.
6864         (byte_range::get_last_byte_offset): New.
6865         (byte_range::as_bit_range): New.
6866         (byte_range::cmp): New.
6867         (concrete_binding::concrete_binding): Drop enum binding_kind.
6868         (concrete_binding::hash): Likewise.
6869         (concrete_binding::operator==): Likewise.
6870         (concrete_binding::mark_deleted): New.
6871         (concrete_binding::mark_empty): New.
6872         (concrete_binding::is_deleted): New.
6873         (concrete_binding::is_empty): New.
6874         (default_hash_traits<ana::concrete_binding>::empty_zero_p): Make false.
6875         (symbolic_binding::symbolic_binding): Drop enum binding_kind.
6876         (symbolic_binding::hash): Likewise.
6877         (symbolic_binding::operator==): Likewise.
6878         (symbolic_binding::mark_deleted): New.
6879         (symbolic_binding::mark_empty): New.
6880         (symbolic_binding::is_deleted): New.
6881         (symbolic_binding::is_empty): New.
6882         (binding_map::remove_overlapping_bindings): New decl.
6883         (binding_map::get_overlapping_bindings): New decl.
6884         (binding_cluster::validate): New decl.
6885         (binding_cluster::bind): Drop enum binding_kind.
6886         (binding_cluster::fill_region): New decl.
6887         (binding_cluster::get_binding): Drop enum binding_kind.
6888         (binding_cluster::get_binding_recursive): Likewise.
6889         (binding_cluster::get_overlapping_bindings): Delete.
6890         (store::validate): New decl.
6891         (store::set_value): Drop enum binding_kind.
6892         (store::fill_region): New decl.
6893         (store_manager::get_concrete_binding): Drop enum binding_kind.
6894         (store_manager::get_symbolic_binding): Likewise.
6895         * svalue.cc (svalue::cmp_ptr): Handle SK_REPEATED and
6896         SK_BITS_WITHIN.
6897         (svalue::extract_bit_range): New.
6898         (svalue::maybe_fold_bits_within): New.
6899         (constant_svalue::maybe_fold_bits_within): New.
6900         (unknown_svalue::maybe_fold_bits_within): New.
6901         (unaryop_svalue::maybe_fold_bits_within): New.
6902         (repeated_svalue::repeated_svalue): New.
6903         (repeated_svalue::dump_to_pp): New.
6904         (repeated_svalue::accept): New.
6905         (repeated_svalue::all_zeroes_p): New.
6906         (repeated_svalue::maybe_fold_bits_within): New.
6907         (bits_within_svalue::bits_within_svalue): New.
6908         (bits_within_svalue::dump_to_pp): New.
6909         (bits_within_svalue::maybe_fold_bits_within): New.
6910         (bits_within_svalue::accept): New.
6911         (bits_within_svalue::implicitly_live_p): New.
6912         (compound_svalue::maybe_fold_bits_within): New.
6913         * svalue.h (enum svalue_kind): Add SK_REPEATED and SK_BITS_WITHIN.
6914         (svalue::dyn_cast_repeated_svalue): New.
6915         (svalue::dyn_cast_bits_within_svalue): New.
6916         (svalue::extract_bit_range): New decl.
6917         (svalue::maybe_fold_bits_within): New vfunc decl.
6918         (region_svalue::key_t::mark_empty): Use 2 rather than NULL_TREE.
6919         (region_svalue::key_t::is_empty): Likewise.
6920         (default_hash_traits<region_svalue::key_t>::empty_zero_p): Make false.
6921         (constant_svalue::maybe_fold_bits_within): New.
6922         (unknown_svalue::maybe_fold_bits_within): New.
6923         (poisoned_svalue::key_t::mark_empty): Use 2 rather than NULL_TREE.
6924         (poisoned_svalue::key_t::is_empty): Likewise.
6925         (default_hash_traits<poisoned_svalue::key_t>::empty_zero_p): Make
6926         false.
6927         (setjmp_svalue::key_t::mark_empty): Use 2 rather than NULL_TREE.
6928         (setjmp_svalue::key_t::is_empty): Likewise.
6929         (default_hash_traits<setjmp_svalue::key_t>::empty_zero_p): Make
6930         false.
6931         (unaryop_svalue::key_t::mark_empty): Use 2 rather than NULL_TREE.
6932         (unaryop_svalue::key_t::is_empty): Likewise.
6933         (unaryop_svalue::maybe_fold_bits_within): New.
6934         (default_hash_traits<unaryop_svalue::key_t>::empty_zero_p): Make
6935         false.
6936         (binop_svalue::key_t::mark_empty): Use 2 rather than NULL_TREE.
6937         (binop_svalue::key_t::is_empty): Likewise.
6938         (default_hash_traits<binop_svalue::key_t>::empty_zero_p): Make
6939         false.
6940         (sub_svalue::key_t::mark_empty): Use 2 rather than NULL_TREE.
6941         (sub_svalue::key_t::is_empty): Likewise.
6942         (default_hash_traits<sub_svalue::key_t>::empty_zero_p): Make
6943         false.
6944         (class repeated_svalue): New.
6945         (is_a_helper <const repeated_svalue *>::test): New.
6946         (struct default_hash_traits<repeated_svalue::key_t>): New.
6947         (class bits_within_svalue): New.
6948         (is_a_helper <const bits_within_svalue *>::test): New.
6949         (struct default_hash_traits<bits_within_svalue::key_t>): New.
6950         (widening_svalue::key_t::mark_empty): Use 2 rather than NULL_TREE.
6951         (widening_svalue::key_t::is_empty): Likewise.
6952         (default_hash_traits<widening_svalue::key_t>::empty_zero_p): Make
6953         false.
6954         (compound_svalue::key_t::mark_empty): Use 2 rather than NULL_TREE.
6955         (compound_svalue::key_t::is_empty): Likewise.
6956         (compound_svalue::maybe_fold_bits_within): New.
6957         (default_hash_traits<compound_svalue::key_t>::empty_zero_p): Make
6958         false.
6960 2021-06-28  David Malcolm  <dmalcolm@redhat.com>
6962         * analyzer.h (byte_offset_t): New typedef.
6963         * store.cc (bit_range::dump_to_pp): Dump as a byte range if
6964         possible.
6965         (bit_range::as_byte_range): New.
6966         (byte_range::dump_to_pp): New.
6967         * store.h (class byte_range): New forward decl.
6968         (struct bit_range): Add comment.
6969         (bit_range::as_byte_range): New decl.
6970         (struct byte_range): New.
6972 2021-06-22  David Malcolm  <dmalcolm@redhat.com>
6974         PR analyzer/101143
6975         * region-model.cc (compat_types_p): New function.
6976         (region_model::create_region_for_heap_alloc): Convert assertion to
6977         an error check.
6978         (region_model::create_region_for_alloca): Likewise.
6980 2021-06-18  David Malcolm  <dmalcolm@redhat.com>
6982         * store.cc (binding_cluster::get_any_binding): Make symbolic reads
6983         from a cluster with concrete bindings return unknown.
6985 2021-06-18  David Malcolm  <dmalcolm@redhat.com>
6987         * region-model-manager.cc
6988         (region_model_manager::get_or_create_int_cst): New.
6989         (region_model_manager::maybe_undo_optimize_bit_field_compare): Use
6990         it to simplify away a local tree.
6991         * region-model.cc (region_model::on_setjmp): Likewise.
6992         (region_model::on_longjmp): Likewise.
6993         * region-model.h (region_model_manager::get_or_create_int_cst):
6994         New decl.
6995         * store.cc (binding_cluster::zero_fill_region): Use it to simplify
6996         away a local tree.
6998 2021-06-18  David Malcolm  <dmalcolm@redhat.com>
7000         * checker-path.cc (class custom_event): Make abstract to allow for
7001         custom vfuncs, splitting existing implementation into...
7002         (class precanned_custom_event): New subclass.
7003         (custom_event::get_desc): Move to...
7004         (precanned_custom_event::get_desc): ...subclass.
7005         * checker-path.h (class custom_event): Make abstract to allow for
7006         custom vfuncs, splitting existing implementation into...
7007         (class precanned_custom_event): New subclass.
7008         * diagnostic-manager.cc (diagnostic_manager::add_events_for_eedge):
7009         Use precanned_custom_event.
7010         * engine.cc
7011         (stale_jmp_buf::maybe_add_custom_events_for_superedge): Likewise.
7012         * sm-signal.cc (signal_delivery_edge_info_t::add_events_to_path):
7013         Likewise.
7015 2021-06-15  David Malcolm  <dmalcolm@redhat.com>
7017         PR analyzer/99212
7018         PR analyzer/101082
7019         * engine.cc: Include "target.h".
7020         (impl_run_checkers): Log BITS_BIG_ENDIAN, BYTES_BIG_ENDIAN, and
7021         WORDS_BIG_ENDIAN.
7022         * region-model-manager.cc
7023         (region_model_manager::maybe_fold_binop): Move support for masking
7024         via ARG0 & CST into...
7025         (region_model_manager::maybe_undo_optimize_bit_field_compare):
7026         ...this new function.  Flatten by converting from nested
7027         conditionals to a series of early return statements to reject
7028         failures.  Reject if type is not unsigned_char_type_node.
7029         Handle BYTES_BIG_ENDIAN when determining which bits are bound
7030         in the binding_map.
7031         * region-model.h
7032         (region_model_manager::maybe_undo_optimize_bit_field_compare):
7033         New decl.
7034         * store.cc (bit_range::dump): New function.
7035         * store.h (bit_range::dump): New decl.
7037 2021-06-15  David Malcolm  <dmalcolm@redhat.com>
7039         * engine.cc (exploded_node::on_stmt): Handle __analyzer_dump_capacity.
7040         (exploded_node::on_stmt): Drop m_sm_changes from on_stmt_flags.
7041         (state_change_requires_new_enode_p): New function...
7042         (exploded_graph::process_node): Call it, rather than querying
7043         flags.m_sm_changes, so that dynamic-extent differences can also
7044         trigger the splitting of nodes.
7045         * exploded-graph.h (struct on_stmt_flags): Drop field m_sm_changes.
7046         * program-state.cc (program_state::detect_leaks): Purge dead
7047         heap-allocated regions from dynamic extents.
7048         (selftest::test_program_state_1): Fix type of "size_in_bytes".
7049         (selftest::test_program_state_merging): Likewise.
7050         * region-model-impl-calls.cc
7051         (region_model::impl_call_analyzer_dump_capacity): New.
7052         (region_model::impl_call_free): Remove dynamic extents from the
7053         freed region.
7054         * region-model-reachability.h
7055         (reachable_regions::begin_mutable_base_regs): New.
7056         (reachable_regions::end_mutable_base_regs): New.
7057         * region-model.cc: Include "tree-object-size.h".
7058         (region_model::region_model): Support new field m_dynamic_extents.
7059         (region_model::operator=): Likewise.
7060         (region_model::operator==): Likewise.
7061         (region_model::dump_to_pp): Dump sizes of dynamic regions.
7062         (region_model::handle_unrecognized_call): Purge dynamic extents
7063         from any regions that have escaped mutably.
7064         (region_model::get_capacity): New function.
7065         (region_model::add_constraint): Unset dynamic extents when a
7066         heap-allocated region's address is NULL.
7067         (region_model::unbind_region_and_descendents): Purge dynamic
7068         extents of unbound regions.
7069         (region_model::can_merge_with_p): Call
7070         m_dynamic_extents.can_merge_with_p.
7071         (region_model::create_region_for_heap_alloc): Assert that
7072         size_in_bytes's type is compatible with size_type_node.  Update
7073         for renaming of record_dynamic_extents to set_dynamic_extents.
7074         (region_model::create_region_for_alloca): Likewise.
7075         (region_model::record_dynamic_extents): Rename to...
7076         (region_model::set_dynamic_extents): ...this.  Assert that
7077         size_in_bytes's type is compatible with size_type_node.  Add it
7078         to the m_dynamic_extents map.
7079         (region_model::get_dynamic_extents): New.
7080         (region_model::unset_dynamic_extents): New.
7081         (selftest::test_state_merging): Fix type of "size".
7082         (selftest::test_malloc_constraints): Likewise.
7083         (selftest::test_malloc): Verify dynamic extents.
7084         (selftest::test_alloca): Likewise.
7085         * region-model.h (region_to_value_map::is_empty): New.
7086         (region_model::dynamic_extents_t): New typedef.
7087         (region_model::impl_call_analyzer_dump_capacity): New decl.
7088         (region_model::get_dynamic_extents): New function.
7089         (region_model::get_dynamic_extents): New decl.
7090         (region_model::set_dynamic_extents): New decl.
7091         (region_model::unset_dynamic_extents): New decl.
7092         (region_model::get_capacity): New decl.
7093         (region_model::record_dynamic_extents): Rename to set_dynamic_extents.
7094         (region_model::m_dynamic_extents): New field.
7096 2021-06-15  David Malcolm  <dmalcolm@redhat.com>
7098         * region-model.cc (region_to_value_map::operator=): New.
7099         (region_to_value_map::operator==): New.
7100         (region_to_value_map::dump_to_pp): New.
7101         (region_to_value_map::dump): New.
7102         (region_to_value_map::can_merge_with_p): New.
7103         * region-model.h (class region_to_value_map): New class.
7105 2021-06-13  Trevor Saunders  <tbsaunde@tbsaunde.org>
7107         * call-string.cc (call_string::call_string): Use range based for
7108         to iterate over vec<>.
7109         (call_string::to_json): Likewise.
7110         (call_string::hash): Likewise.
7111         (call_string::calc_recursion_depth): Likewise.
7112         * checker-path.cc (checker_path::fixup_locations): Likewise.
7113         * constraint-manager.cc (equiv_class::equiv_class): Likewise.
7114         (equiv_class::to_json): Likewise.
7115         (equiv_class::hash): Likewise.
7116         (constraint_manager::to_json): Likewise.
7117         * engine.cc (impl_region_model_context::on_svalue_leak):
7118         Likewise.
7119         (on_liveness_change): Likewise.
7120         (impl_region_model_context::on_unknown_change): Likewise.
7121         * program-state.cc (sm_state_map::set_state): Likewise.
7122         * region-model.cc (test_canonicalization_4): Likewise.
7124 2021-06-11  David Malcolm  <dmalcolm@redhat.com>
7126         * engine.cc (worklist::key_t::cmp): Move sort by call_string to
7127         before SCC.
7129 2021-06-09  David Malcolm  <dmalcolm@redhat.com>
7131         * region-model.cc (region_model::get_lvalue_1): Make const.
7132         (region_model::get_lvalue): Likewise.
7133         (region_model::get_rvalue_1): Likewise.
7134         (region_model::get_rvalue): Likewise.
7135         (region_model::deref_rvalue): Likewise.
7136         (region_model::get_rvalue_for_bits): Likewise.
7137         * region-model.h (region_model::get_lvalue): Likewise.
7138         (region_model::get_rvalue): Likewise.
7139         (region_model::deref_rvalue): Likewise.
7140         (region_model::get_rvalue_for_bits): Likewise.
7141         (region_model::get_lvalue_1): Likewise.
7142         (region_model::get_rvalue_1): Likewise.
7144 2021-06-08  David Malcolm  <dmalcolm@redhat.com>
7146         PR analyzer/99212
7147         * region-model-manager.cc
7148         (region_model_manager::maybe_fold_binop): Add support for folding
7149         BIT_AND_EXPR of compound_svalue and a mask constant.
7150         * region-model.cc (region_model::get_rvalue_1): Implement
7151         BIT_FIELD_REF in terms of...
7152         (region_model::get_rvalue_for_bits): New function.
7153         * region-model.h (region_model::get_rvalue_for_bits): New decl.
7154         * store.cc (bit_range::from_mask): New function.
7155         (selftest::test_bit_range_intersects_p): New selftest.
7156         (selftest::assert_bit_range_from_mask_eq): New.
7157         (ASSERT_BIT_RANGE_FROM_MASK_EQ): New macro.
7158         (selftest::assert_no_bit_range_from_mask_eq): New.
7159         (ASSERT_NO_BIT_RANGE_FROM_MASK): New macro.
7160         (selftest::test_bit_range_from_mask): New selftest.
7161         (selftest::analyzer_store_cc_tests): Call the new selftests.
7162         * store.h (bit_range::intersects_p): New.
7163         (bit_range::from_mask): New decl.
7164         (concrete_binding::get_bit_range): New accessor.
7165         (store_manager::get_concrete_binding): New overload taking
7166         const bit_range &.
7168 2021-06-08  David Malcolm  <dmalcolm@redhat.com>
7170         * analyzer.h (int_size_in_bits): New decl.
7171         * region.cc (int_size_in_bits): New function.
7172         (region::get_bit_size): Reimplement in terms of the above.
7174 2021-06-08  David Malcolm  <dmalcolm@redhat.com>
7176         * store.cc (concrete_binding::dump_to_pp): Move bulk of
7177         implementation to...
7178         (bit_range::dump_to_pp): ...this new function.
7179         (bit_range::cmp): New.
7180         (concrete_binding::overlaps_p): Update for use of bit_range.
7181         (concrete_binding::cmp_ptr_ptr): Likewise.
7182         * store.h (struct bit_range): New.
7183         (class concrete_binding): Replace fields m_start_bit_offset and
7184         m_size_in_bits with new field m_bit_range.
7186 2021-06-08  David Malcolm  <dmalcolm@redhat.com>
7188         * svalue.h (conjured_svalue::iterator_t): Delete.
7190 2021-06-03  David Malcolm  <dmalcolm@redhat.com>
7192         * store.h (store::get_direct_binding): Remove unused decl.
7193         (store::get_default_binding): Likewise.
7195 2021-06-03  David Malcolm  <dmalcolm@redhat.com>
7197         * svalue.cc (poisoned_svalue::dump_to_pp): Dump type.
7198         (compound_svalue::dump_to_pp): Dump any type.
7200 2021-05-18  David Malcolm  <dmalcolm@redhat.com>
7202         PR analyzer/100615
7203         * sm-malloc.cc: Include "analyzer/function-set.h".
7204         (malloc_state_machine::on_stmt): Call unaffected_by_call_p and
7205         bail on the functions it recognizes.
7206         (malloc_state_machine::unaffected_by_call_p): New.
7208 2021-05-10  Martin Liska  <mliska@suse.cz>
7210         * sm-file.cc (is_file_using_fn_p): Use startswith
7211         function instead of strncmp.
7213 2021-05-10  Martin Liska  <mliska@suse.cz>
7215         * program-state.cc (program_state::operator=): Remove
7216         __cplusplus >= 201103.
7217         (program_state::program_state): Likewise.
7218         * program-state.h: Likewise.
7219         * region-model.h (class region_model): Remove dead code.
7221 2021-04-24  David Malcolm  <dmalcolm@redhat.com>
7223         PR analyzer/100244
7224         * sm-malloc.cc (free_of_non_heap::describe_state_change):
7225         Bulletproof against change.m_expr being NULL.
7227 2021-04-13  David Malcolm  <dmalcolm@redhat.com>
7229         PR analyzer/98599
7230         * supergraph.cc (saved_uids::make_uid_unique): New.
7231         (saved_uids::restore_uids): New.
7232         (supergraph::supergraph): Replace assignments to stmt->uid with
7233         calls to m_stmt_uids.make_uid_unique.
7234         (supergraph::~supergraph): New.
7235         * supergraph.h (class saved_uids): New.
7236         (supergraph::~supergraph): New decl.
7237         (supergraph::m_stmt_uids): New field.
7239 2021-04-10  David Malcolm  <dmalcolm@redhat.com>
7241         PR analyzer/100011
7242         * region-model.cc (region_model::on_assignment): Avoid NULL
7243         dereference if ctxt is NULL when assigning from a STRING_CST.
7245 2021-04-08  David Malcolm  <dmalcolm@redhat.com>
7247         PR analyzer/99042
7248         PR analyzer/99774
7249         * engine.cc
7250         (impl_region_model_context::impl_region_model_context): Add
7251         uncertainty param and use it to initialize m_uncertainty.
7252         (impl_region_model_context::get_uncertainty): New.
7253         (impl_sm_context::get_fndecl_for_call): Add NULL for new
7254         uncertainty param when constructing impl_region_model_context.
7255         (impl_sm_context::get_state): Likewise.
7256         (impl_sm_context::set_next_state): Likewise.
7257         (impl_sm_context::warn): Likewise.
7258         (exploded_node::on_stmt): Add uncertainty param
7259         and use it when constructing impl_region_model_context.
7260         (exploded_node::on_edge): Add uncertainty param and pass
7261         to on_edge call.
7262         (exploded_node::detect_leaks): Create uncertainty_t and pass to
7263         impl_region_model_context.
7264         (exploded_graph::get_or_create_node): Create uncertainty_t and
7265         pass to prune_for_point.
7266         (maybe_process_run_of_before_supernode_enodes): Create
7267         uncertainty_t and pass to impl_region_model_context.
7268         (exploded_graph::process_node): Create uncertainty_t instances and
7269         pass around as needed.
7270         * exploded-graph.h
7271         (impl_region_model_context::impl_region_model_context): Add
7272         uncertainty param.
7273         (impl_region_model_context::get_uncertainty): New decl.
7274         (impl_region_model_context::m_uncertainty): New field.
7275         (exploded_node::on_stmt): Add uncertainty param.
7276         (exploded_node::on_edge): Likewise.
7277         * program-state.cc (sm_state_map::on_liveness_change): Get
7278         uncertainty from context and use it to unset sm-state from
7279         svalues as appropriate.
7280         (program_state::on_edge): Add uncertainty param and use it when
7281         constructing impl_region_model_context.  Fix indentation.
7282         (program_state::prune_for_point): Add uncertainty param and use it
7283         when constructing impl_region_model_context.
7284         (program_state::detect_leaks): Get any uncertainty from ctxt and
7285         use it to get maybe-live svalues for dest_state, rather than
7286         definitely-live ones; use this when determining which svalues
7287         have leaked.
7288         (selftest::test_program_state_merging): Create uncertainty_t and
7289         pass to impl_region_model_context.
7290         * program-state.h (program_state::on_edge): Add uncertainty param.
7291         (program_state::prune_for_point): Likewise.
7292         * region-model-impl-calls.cc (call_details::get_uncertainty): New.
7293         (region_model::impl_call_memcpy): Pass uncertainty to
7294         mark_region_as_unknown call.
7295         (region_model::impl_call_memset): Likewise.
7296         (region_model::impl_call_strcpy): Likewise.
7297         * region-model-reachability.cc (reachable_regions::handle_sval):
7298         Also add sval to m_mutable_svals.
7299         * region-model.cc (region_model::on_assignment): Pass any
7300         uncertainty from ctxt to the store::set_value call.
7301         (region_model::handle_unrecognized_call): Get any uncertainty from
7302         ctxt and use it to record mutable svalues at the unknown call.
7303         (region_model::get_reachable_svalues): Add uncertainty param and
7304         use it to mark any maybe-bound svalues as being reachable.
7305         (region_model::set_value): Pass any uncertainty from ctxt to the
7306         store::set_value call.
7307         (region_model::mark_region_as_unknown): Add uncertainty param and
7308         pass it on to the store::mark_region_as_unknown call.
7309         (region_model::update_for_call_summary): Add uncertainty param and
7310         pass it on to the region_model::mark_region_as_unknown call.
7311         * region-model.h (call_details::get_uncertainty): New decl.
7312         (region_model::get_reachable_svalues): Add uncertainty param.
7313         (region_model::mark_region_as_unknown): Add uncertainty param.
7314         (region_model_context::get_uncertainty): New vfunc.
7315         (noop_region_model_context::get_uncertainty): New vfunc
7316         implementation.
7317         * store.cc (dump_svalue_set): New.
7318         (uncertainty_t::dump_to_pp): New.
7319         (uncertainty_t::dump): New.
7320         (binding_cluster::clobber_region): Pass NULL for uncertainty to
7321         remove_overlapping_bindings.
7322         (binding_cluster::mark_region_as_unknown): Add uncertainty param
7323         and pass it to remove_overlapping_bindings.
7324         (binding_cluster::remove_overlapping_bindings): Add uncertainty param.
7325         Use it to record any svalues that were in clobbered bindings.
7326         (store::set_value): Add uncertainty param.  Pass it to
7327         binding_cluster::mark_region_as_unknown when handling symbolic
7328         regions.
7329         (store::mark_region_as_unknown): Add uncertainty param and pass it
7330         to binding_cluster::mark_region_as_unknown.
7331         (store::remove_overlapping_bindings): Add uncertainty param and
7332         pass it to binding_cluster::remove_overlapping_bindings.
7333         * store.h (binding_cluster::mark_region_as_unknown): Add
7334         uncertainty param.
7335         (binding_cluster::remove_overlapping_bindings): Likewise.
7336         (store::set_value): Likewise.
7337         (store::mark_region_as_unknown): Likewise.
7339 2021-04-05  David Malcolm  <dmalcolm@redhat.com>
7341         PR analyzer/99906
7342         * analyzer.cc (maybe_reconstruct_from_def_stmt): Fix NULL
7343         dereference on calls with zero arguments.
7344         * sm-malloc.cc (malloc_state_machine::on_stmt): When handling
7345         __attribute__((nonnull)), only call get_diagnostic_tree if the
7346         result will be used.
7348 2021-04-05  David Malcolm  <dmalcolm@redhat.com>
7350         PR analyzer/99886
7351         * diagnostic-manager.cc
7352         (diagnostic_manager::prune_interproc_events): Use signed integers
7353         when subtracting one from path->num_events ().
7354         (diagnostic_manager::consolidate_conditions): Likewise.  Convert
7355         next_idx to a signed int.
7357 2021-04-01  David Malcolm  <dmalcolm@redhat.com>
7359         * diagnostic-manager.cc (diagnostic_manager::add_diagnostic): Make
7360         enode param non-constant, and call add_diagnostic on it.  Add
7361         enode index to log message.
7362         (diagnostic_manager::add_diagnostic): Make enode param
7363         non-constant.
7364         * diagnostic-manager.h (diagnostic_manager::add_diagnostic):
7365         Likewise for both decls.
7366         * engine.cc
7367         (impl_region_model_context::impl_region_model_context): Likewise
7368         for enode_for_diag.
7369         (impl_sm_context::impl_sm_context): Likewise.
7370         (impl_sm_context::m_enode_for_diag): Likewise.
7371         (exploded_node::dump_dot): Don't pass the diagnostic manager
7372         to dump_saved_diagnostics.
7373         (exploded_node::dump_saved_diagnostics): Drop param.  Iterate
7374         directly through all saved diagnostics for the enode, rather
7375         than all saved diagnostics in the diagnostic_manager and
7376         filtering.
7377         (exploded_node::on_stmt): Make non-const.
7378         (exploded_node::on_edge): Likewise.
7379         (exploded_node::on_longjmp): Likewise.
7380         (exploded_node::detect_leaks): Likewise.
7381         (exploded_graph::get_or_create_node): Make enode_for_diag param
7382         non-const.
7383         (exploded_graph_annotator::print_enode): Iterate
7384         directly through all saved diagnostics for the enode, rather
7385         than all saved diagnostics in the diagnostic_manager and
7386         filtering.
7387         * exploded-graph.h
7388         (impl_region_model_context::impl_region_model_context): Make
7389         enode_for_diag param non-constant.
7390         (impl_region_model_context::m_enode_for_diag): Likewise.
7391         (exploded_node::dump_saved_diagnostics): Drop param.
7392         (exploded_node::on_stmt): Make non-const.
7393         (exploded_node::on_edge): Likewise.
7394         (exploded_node::on_longjmp): Likewise.
7395         (exploded_node::detect_leaks): Likewise.
7396         (exploded_node::add_diagnostic): New.
7397         (exploded_node::get_num_diagnostics): New.
7398         (exploded_node::get_saved_diagnostic): New.
7399         (exploded_node::m_saved_diagnostics): New.
7400         (exploded_graph::get_or_create_node): Make enode_for_diag param
7401         non-constant.
7402         * feasible-graph.cc (feasible_node::dump_dot): Drop
7403         diagnostic_manager from call to dump_saved_diagnostics.
7404         * program-state.cc (program_state::on_edge): Convert enode param
7405         to non-const pointer.
7406         (program_state::prune_for_point): Likewise for enode_for_diag
7407         param.
7408         * program-state.h (program_state::on_edge): Convert enode param
7409         to non-const pointer.
7410         (program_state::prune_for_point): Likewise for enode_for_diag
7411         param.
7413 2021-03-31  David Malcolm  <dmalcolm@redhat.com>
7415         PR analyzer/99771
7416         * analyzer.cc (maybe_reconstruct_from_def_stmt): New.
7417         (fixup_tree_for_diagnostic_1): New.
7418         (fixup_tree_for_diagnostic): New.
7419         * analyzer.h (fixup_tree_for_diagnostic): New decl.
7420         * checker-path.cc (call_event::get_desc): Call
7421         fixup_tree_for_diagnostic and use it for the call_with_state call.
7422         (warning_event::get_desc): Likewise for the final_event and
7423         make_label_text calls.
7424         * engine.cc (impl_region_model_context::on_state_leak): Likewise
7425         for the on_leak and add_diagnostic calls.
7426         * region-model.cc (region_model::get_representative_tree):
7427         Likewise for the result.
7429 2021-03-30  David Malcolm  <dmalcolm@redhat.com>
7431         * region.h (region::dump_to_pp): Remove old decl.
7433 2021-03-30  David Malcolm  <dmalcolm@redhat.com>
7435         * sm-file.cc (fileptr_state_machine::on_stmt): Only call
7436         get_diagnostic_tree if the result will be used.
7437         * sm-malloc.cc (malloc_state_machine::on_stmt): Likewise.
7438         (malloc_state_machine::on_deallocator_call): Likewise.
7439         (malloc_state_machine::on_realloc_call): Likewise.
7440         (malloc_state_machine::on_realloc_call): Likewise.
7441         * sm-sensitive.cc
7442         (sensitive_state_machine::warn_for_any_exposure): Likewise.
7443         * sm-taint.cc (taint_state_machine::on_stmt): Likewise.
7445 2021-03-25  David Malcolm  <dmalcolm@redhat.com>
7447         PR analyzer/93695
7448         PR analyzer/99044
7449         PR analyzer/99716
7450         * engine.cc (exploded_node::on_stmt): Clear sm-state involving
7451         an SSA name at the def-stmt of that SSA name.
7452         * program-state.cc (sm_state_map::purge_state_involving): New.
7453         * program-state.h (sm_state_map::purge_state_involving): New decl.
7454         * region-model.cc (selftest::test_involves_p): New.
7455         (selftest::analyzer_region_model_cc_tests): Call it.
7456         * svalue.cc (class involvement_visitor): New class
7457         (svalue::involves_p): New.
7458         * svalue.h (svalue::involves_p): New decl.
7460 2021-03-19  David Malcolm  <dmalcolm@redhat.com>
7462         PR analyzer/99614
7463         * diagnostic-manager.cc (class epath_finder): Add
7464         DISABLE_COPY_AND_ASSIGN.
7466 2021-03-15  Martin Liska  <mliska@suse.cz>
7468         * sm-file.cc (get_file_using_fns): Add missing comma in initializer.
7470 2021-03-11  David Malcolm  <dmalcolm@redhat.com>
7472         PR analyzer/96374
7473         * analyzer.opt (-param=analyzer-max-infeasible-edges=): New param.
7474         (fdump-analyzer-feasibility): New flag.
7475         * diagnostic-manager.cc: Include "analyzer/trimmed-graph.h" and
7476         "analyzer/feasible-graph.h".
7477         (epath_finder::epath_finder): Convert m_sep to a pointer and
7478         only create it if !flag_analyzer_feasibility.
7479         (epath_finder::~epath_finder): New.
7480         (epath_finder::m_sep): Convert to a pointer.
7481         (epath_finder::get_best_epath): Add param "diag_idx" and use it
7482         when logging.  Rather than finding the shortest path and then
7483         checking feasibility, instead use explore_feasible_paths unless
7484         !flag_analyzer_feasibility, in which case simply use the shortest
7485         path, and note if it is infeasible.  Update for m_sep becoming a
7486         pointer.
7487         (class feasible_worklist): New.
7488         (epath_finder::explore_feasible_paths): New.
7489         (epath_finder::process_worklist_item): New.
7490         (class dump_eg_with_shortest_path): New.
7491         (epath_finder::dump_trimmed_graph): New.
7492         (epath_finder::dump_feasible_graph): New.
7493         (saved_diagnostic::saved_diagnostic): Add "idx" param, using it
7494         on new field m_idx.
7495         (saved_diagnostic::to_json): Dump m_idx.
7496         (saved_diagnostic::calc_best_epath): Pass m_idx to get_best_epath.
7497         Remove assertion that m_problem was set when m_best_epath is NULL.
7498         (diagnostic_manager::add_diagnostic): Pass an index when created
7499         saved_diagnostic instances.
7500         * diagnostic-manager.h (saved_diagnostic::saved_diagnostic): Add
7501         "idx" param.
7502         (saved_diagnostic::get_index): New accessor.
7503         (saved_diagnostic::m_idx): New field.
7504         * engine.cc (exploded_node::dump_dot): Call args.dump_extra_info.
7505         Move code to...
7506         (exploded_node::dump_processed_stmts): ...this new function and...
7507         (exploded_node::dump_saved_diagnostics): ...this new function.
7508         Add index of each diagnostic.
7509         (exploded_edge::dump_dot):  Move bulk of code to...
7510         (exploded_edge::dump_dot_label): ...this new function.
7511         * exploded-graph.h (eg_traits::dump_args_t::dump_extra_info): New
7512         vfunc.
7513         (exploded_node::dump_processed_stmts): New decl.
7514         (exploded_node::dump_saved_diagnostics): New decl.
7515         (exploded_edge::dump_dot_label): New decl.
7516         * feasible-graph.cc: New file.
7517         * feasible-graph.h: New file.
7518         * trimmed-graph.cc: New file.
7519         * trimmed-graph.h: New file.
7521 2021-03-11  David Malcolm  <dmalcolm@redhat.com>
7523         * diagnostic-manager.cc (epath_finder::epath_finder):
7524         Update shortest_paths init for new param.
7526 2021-03-10  David Malcolm  <dmalcolm@redhat.com>
7528         PR analyzer/96374
7529         * engine.cc (exploded_path::feasible_p): Move "snodes_visited" and
7530         "model" locals into a new class feasibility_state.  Move heart
7531         of per-edge processing into
7532         feasibility_state::maybe_update_for_edge.
7533         (feasibility_state::feasibility_state): New.
7534         (feasibility_state::maybe_update_for_edge): New, based on loop
7535         body in exploded_path::feasible_p.
7536         * exploded-graph.h (class feasibility_state): New.
7538 2021-03-10  David Malcolm  <dmalcolm@redhat.com>
7540         * supergraph.h
7541         (callgraph_superedge::dyn_cast_callgraph_superedge): New.
7542         (call_superedge::dyn_cast_callgraph_superedge): Delete.
7543         (return_superedge::dyn_cast_callgraph_superedge): Delete.
7545 2021-03-02  Martin Liska  <mliska@suse.cz>
7547         * diagnostic-manager.cc (diagnostic_manager::emit_saved_diagnostics):
7548         Do not pass engine.
7550 2021-02-26  David Malcolm  <dmalcolm@redhat.com>
7552         * engine.cc (exploded_path::exploded_path): New copy-ctor.
7553         * exploded-graph.h (exploded_path::operator=): Drop decl.
7555 2021-02-26  David Malcolm  <dmalcolm@redhat.com>
7557         PR analyzer/96374
7558         * diagnostic-manager.cc (class epath_finder): New.
7559         (epath_finder::get_best_epath): New.
7560         (saved_diagnostic::saved_diagnostic): Update for replacement of
7561         m_state and m_epath_length with m_best_epath.
7562         (saved_diagnostic::~saved_diagnostic): Delete m_best_epath.
7563         (saved_diagnostic::to_json): Update "path_length" to be optional.
7564         (saved_diagnostic::calc_best_epath): New, based on
7565         dedupe_winners::add and parts of dedupe_key::dedupe_key.
7566         (saved_diagnostic::get_epath_length): New.
7567         (saved_diagnostic::add_duplicate): New.
7568         (dedupe_key::dedupe_key): Drop epath param.  Move invocation of
7569         stmt_finder to saved_diagnostic::calc_best_epath.
7570         (class dedupe_candidate): Delete.
7571         (class dedupe_hash_map_traits): Update to use saved_diagnostic *
7572         rather than dedupe_candidate * as the value_type/compare_type.
7573         (dedupe_winners::~dedupe_winners): Don't delete the values.
7574         (dedupe_winners::add): Convert param from shortest_exploded_paths to
7575         epath_finder.  Drop "eg" param.  Drop dedupe_candidate, moving
7576         path generation and feasibility checking to
7577         epath_finder::get_best_epath.  Update winner-selection for move
7578         of epaths from dedupe_candidate to saved_diagnostic.
7579         (dedupe_winners::emit_best):  Update for removal of class
7580         dedupe_candidate.
7581         (dedupe_winners::map_t): Update to use saved_diagnostic * rather
7582         than dedupe_candidate * as the value_type/compare_type.
7583         (diagnostic_manager::emit_saved_diagnostics): Move
7584         shortest_exploded_paths instance into epath_finder and pass that
7585         around instead.
7586         (diagnostic_manager::emit_saved_diagnostic): Drop epath, stmt
7587         and num_dupes params, instead getting these from the
7588         saved_diagnostic.  Use correct location in inform_n call.
7589         * diagnostic-manager.h (class epath_finder): New forward decl.
7590         (saved_diagnostic::status): Drop enum.
7591         (saved_diagnostic::set_feasible): Drop.
7592         (saved_diagnostic::set_infeasible): Drop.
7593         (saved_diagnostic::get_status): Drop.
7594         (saved_diagnostic::calc_best_epath): New decl.
7595         (saved_diagnostic::get_best_epath): New decl.
7596         (saved_diagnostic::get_epath_length): New decl.
7597         (saved_diagnostic::set_epath_length): Drop.
7598         (saved_diagnostic::get_epath_length): Drop inline implementation.
7599         (saved_diagnostic::add_duplicate): New.
7600         (saved_diagnostic::get_num_dupes): New.
7601         (saved_diagnostic::m_d): Document ownership.
7602         (saved_diagnostic::m_trailing_eedge): Make const.
7603         (saved_diagnostic::m_status): Drop field.
7604         (saved_diagnostic::m_epath_length): Drop field.
7605         (saved_diagnostic::m_best_epath): New field.
7606         (saved_diagnostic::m_problem): Document ownership.
7607         (saved_diagnostic::m_duplicates): New field.
7608         (diagnostic_manager::emit_saved_diagnostic): Drop params epath,
7609         stmt, and num_dupes.
7610         * engine.cc (exploded_graph_annotator::print_saved_diagnostic):
7611         Update for changes to saved_diagnostic class.
7612         * exploded-graph.h (exploded_path::feasible_p): Drop unused
7613         overloaded decl.
7615 2021-02-25  David Malcolm  <dmalcolm@redhat.com>
7617         PR analyzer/99193
7618         * region-model-impl-calls.cc (region_model::impl_call_realloc): New.
7619         * region-model.cc (region_model::on_call_pre): Call it.
7620         * region-model.h (region_model::impl_call_realloc): New decl.
7621         * sm-malloc.cc (enum wording): Add WORDING_REALLOCATED.
7622         (malloc_state_machine::m_realloc): New field.
7623         (use_after_free::describe_state_change): Add case for
7624         WORDING_REALLOCATED.
7625         (use_after_free::describe_final_event): Likewise.
7626         (malloc_state_machine::malloc_state_machine): Initialize
7627         m_realloc.
7628         (malloc_state_machine::on_stmt): Handle realloc by calling...
7629         (malloc_state_machine::on_realloc_call): New.
7631 2021-02-22  David Malcolm  <dmalcolm@redhat.com>
7633         PR analyzer/99196
7634         * engine.cc (exploded_node::on_stmt): Provide terminate_path
7635         flag as a way for on_call_pre to terminate the current analysis
7636         path.
7637         * region-model-impl-calls.cc (call_details::num_args): New.
7638         (region_model::impl_call_error): New.
7639         * region-model.cc (region_model::on_call_pre): Add param
7640         "out_terminate_path".  Handle "error" and "error_at_line".
7641         * region-model.h (call_details::num_args): New decl.
7642         (region_model::on_call_pre): Add param "out_terminate_path".
7643         (region_model::impl_call_error): New decl.
7645 2021-02-17  David Malcolm  <dmalcolm@redhat.com>
7647         PR analyzer/98969
7648         * constraint-manager.cc (dead_svalue_purger::should_purge_p):
7649         Update for change to svalue::live_p.
7650         * program-state.cc (sm_state_map::on_liveness_change): Likewise.
7651         (program_state::detect_leaks): Likewise.
7652         * region-model-reachability.cc (reachable_regions::init_cluster):
7653         When dealing with a symbolic region, if the underlying pointer is
7654         implicitly live, add the region to the reachable regions.
7655         * region-model.cc (region_model::compare_initial_and_pointer):
7656         Move logic for detecting initial values of params to
7657         initial_svalue::initial_value_of_param_p.
7658         * svalue.cc (svalue::live_p): Convert "live_svalues" from a
7659         reference to a pointer; support it being NULL.
7660         (svalue::implicitly_live_p): Convert first param from a
7661         reference to a pointer.
7662         (region_svalue::implicitly_live_p): Likewise.
7663         (constant_svalue::implicitly_live_p): Likewise.
7664         (initial_svalue::implicitly_live_p): Likewise.  Treat the initial
7665         values of params for the top level frame as still live.
7666         (initial_svalue::initial_value_of_param_p): New function, taken
7667         from a test in region_model::compare_initial_and_pointer.
7668         (unaryop_svalue::implicitly_live_p): Convert first param from a
7669         reference to a pointer.
7670         (binop_svalue::implicitly_live_p): Likewise.
7671         (sub_svalue::implicitly_live_p): Likewise.
7672         (unmergeable_svalue::implicitly_live_p): Likewise.
7673         * svalue.h (svalue::live_p): Likewise.
7674         (svalue::implicitly_live_p): Likewise.
7675         (region_svalue::implicitly_live_p): Likewise.
7676         (constant_svalue::implicitly_live_p): Likewise.
7677         (initial_svalue::implicitly_live_p): Likewise.
7678         (initial_svalue::initial_value_of_param_p): New decl.
7679         (unaryop_svalue::implicitly_live_p): Convert first param from a
7680         reference to a pointer.
7681         (binop_svalue::implicitly_live_p): Likewise.
7682         (sub_svalue::implicitly_live_p): Likewise.
7683         (unmergeable_svalue::implicitly_live_p): Likewise.
7685 2021-02-12  David Malcolm  <dmalcolm@redhat.com>
7687         PR analyzer/98969
7688         * engine.cc (readability): Add names for the various arbitrary
7689         values.  Handle NOP_EXPR and INTEGER_CST.
7690         (readability_comparator): Combine the readability tests for
7691         tree and stack depth, rather than performing them sequentially.
7692         (impl_region_model_context::on_state_leak): Strip off top-level
7693         casts.
7694         * region-model.cc (region_model::get_representative_path_var): Add
7695         type-checking, moving the bulk of the implementation to...
7696         (region_model::get_representative_path_var_1): ...here.  Respect
7697         types in casts by recursing and re-adding the cast, rather than
7698         merely stripping them off.  Use the correct type when handling
7699         region_svalue.
7700         (region_model::get_representative_tree): Strip off any top-level
7701         cast.
7702         (region_model::get_representative_path_var): Add type-checking,
7703         moving the bulk of the implementation to...
7704         (region_model::get_representative_path_var_1): ...here.
7705         * region-model.h (region_model::get_representative_path_var_1):
7706         New decl.
7707         (region_model::get_representative_path_var_1): New decl.
7708         * store.cc (append_pathvar_with_type): New.
7709         (binding_cluster::get_representative_path_vars): Cast path_vars
7710         to the correct type when adding them to *OUT_PVS.
7712 2021-02-09  David Malcolm  <dmalcolm@redhat.com>
7714         PR analyzer/98575
7715         * sm-file.cc (is_file_using_fn_p): Support "_IO_"-prefixed
7716         variants.
7718 2021-02-09  David Malcolm  <dmalcolm@redhat.com>
7720         PR analyzer/98575
7721         * store.cc (store::set_value): Treat a pointer written to *UNKNOWN
7722         as having escaped.
7724 2021-02-02  David Malcolm  <dmalcolm@redhat.com>
7726         PR analyzer/93355
7727         PR analyzer/96374
7728         * engine.cc (toplevel_function_p): Simplify so that
7729         we only reject functions with a "__analyzer_" prefix.
7730         (add_any_callbacks): Delete.
7731         (exploded_graph::build_initial_worklist): Update for
7732         dropped param of toplevel_function_p.
7733         (exploded_graph::build_initial_worklist): Don't bother
7734         looking for callbacks that are reachable from global
7735         initializers.
7737 2021-02-01  David Malcolm  <dmalcolm@redhat.com>
7739         PR analyzer/98918
7740         * region-model-manager.cc
7741         (region_model_manager::get_or_create_initial_value):
7742         Fold the initial value of *UNKNOWN_PTR to an UNKNOWN value.
7743         (region_model_manager::get_field_region): Fold the value
7744         of UNKNOWN_PTR->FIELD to *UNKNOWN_PTR_OF_&FIELD_TYPE.
7746 2021-01-29  David Malcolm  <dmalcolm@redhat.com>
7748         * checker-path.cc (event_kind_to_string): Handle
7749         EK_START_CONSOLIDATED_CFG_EDGES and
7750         EK_END_CONSOLIDATED_CFG_EDGES.
7751         (start_consolidated_cfg_edges_event::get_desc): New.
7752         (checker_path::cfg_edge_pair_at_p): New.
7753         * checker-path.h (enum event_kind): Add
7754         EK_START_CONSOLIDATED_CFG_EDGES and
7755         EK_END_CONSOLIDATED_CFG_EDGES.
7756         (class start_consolidated_cfg_edges_event): New class.
7757         (class end_consolidated_cfg_edges_event): New class.
7758         (checker_path::delete_events): New.
7759         (checker_path::replace_event): New.
7760         (checker_path::cfg_edge_pair_at_p): New decl.
7761         * diagnostic-manager.cc (diagnostic_manager::prune_path): Call
7762         consolidate_conditions.
7763         (same_line_as_p): New.
7764         (diagnostic_manager::consolidate_conditions): New.
7765         * diagnostic-manager.h
7766         (diagnostic_manager::consolidate_conditions): New decl.
7768 2021-01-18  David Malcolm  <dmalcolm@redhat.com>
7770         * analyzer.h (is_std_named_call_p): New decl.
7771         * diagnostic-manager.cc (path_builder::get_sm): New.
7772         (state_change_event_creator::state_change_event_creator): Add "pb"
7773         param.
7774         (state_change_event_creator::on_global_state_change): Don't consider
7775         state changes affecting other state_machines.
7776         (state_change_event_creator::on_state_change): Likewise.
7777         (state_change_event_creator::m_pb): New field.
7778         (diagnostic_manager::add_events_for_eedge): Pass pb to visitor
7779         ctor.
7780         * region-model-impl-calls.cc
7781         (region_model::impl_deallocation_call): New.
7782         * region-model.cc: Include "attribs.h".
7783         (region_model::on_call_post): Handle fndecls referenced by
7784         __attribute__((deallocated_by(FOO))).
7785         * region-model.h (region_model::impl_deallocation_call): New decl.
7786         * sm-malloc.cc: Include "stringpool.h" and "attribs.h".  Add
7787         leading comment.
7788         (class api): Delete.
7789         (enum resource_state): Update comment for change from api to
7790         deallocator and deallocator_set.
7791         (allocation_state::allocation_state): Drop api param.  Add
7792         "deallocators" and "deallocator".
7793         (allocation_state::m_api): Drop field in favor of...
7794         (allocation_state::m_deallocators): New field.
7795         (allocation_state::m_deallocator): New field.
7796         (enum wording): Add WORDING_DEALLOCATED.
7797         (struct deallocator): New.
7798         (struct standard_deallocator): New.
7799         (struct custom_deallocator): New.
7800         (struct deallocator_set): New.
7801         (struct custom_deallocator_set): New.
7802         (struct standard_deallocator_set): New.
7803         (struct deallocator_set_map_traits): New.
7804         (malloc_state_machine::m_malloc): Drop field.
7805         (malloc_state_machine::m_scalar_new): Likewise.
7806         (malloc_state_machine::m_vector_new): Likewise.
7807         (malloc_state_machine::m_free): New field.
7808         (malloc_state_machine::m_scalar_delete): Likewise.
7809         (malloc_state_machine::m_vector_delete): Likewise.
7810         (malloc_state_machine::deallocator_map_t): New typedef.
7811         (malloc_state_machine::m_deallocator_map): New field.
7812         (malloc_state_machine::deallocator_set_cache_t): New typedef.
7813         (malloc_state_machine::m_custom_deallocator_set_cache): New field.
7814         (malloc_state_machine::custom_deallocator_set_map_t): New typedef.
7815         (malloc_state_machine::m_custom_deallocator_set_map): New field.
7816         (malloc_state_machine::m_dynamic_sets): New field.
7817         (malloc_state_machine::m_dynamic_deallocators): New field.
7818         (api::api): Delete.
7819         (deallocator::deallocator): New ctor.
7820         (deallocator::hash): New.
7821         (deallocator::dump_to_pp): New.
7822         (deallocator::cmp): New.
7823         (deallocator::cmp_ptr_ptr): New.
7824         (standard_deallocator::standard_deallocator): New ctor.
7825         (deallocator_set::deallocator_set): New ctor.
7826         (deallocator_set::dump): New.
7827         (custom_deallocator_set::custom_deallocator_set): New ctor.
7828         (custom_deallocator_set::contains_p): New.
7829         (custom_deallocator_set::maybe_get_single): New.
7830         (custom_deallocator_set::dump_to_pp): New.
7831         (standard_deallocator_set::standard_deallocator_set): New ctor.
7832         (standard_deallocator_set::contains_p): New.
7833         (standard_deallocator_set::maybe_get_single): New.
7834         (standard_deallocator_set::dump_to_pp): New.
7835         (start_p): New.
7836         (class mismatching_deallocation): Update for conversion from api
7837         to deallocator_set and deallocator.
7838         (double_free::emit): Use %qs.
7839         (class use_after_free): Update for conversion from api to
7840         deallocator_set and deallocator.
7841         (malloc_leak::describe_state_change): Only emit "allocated here" on
7842         a start->nonnull transition, rather than on other transitions to
7843         nonnull.
7844         (allocation_state::dump_to_pp): Update for conversion from api to
7845         deallocator_set.
7846         (allocation_state::get_nonnull): Likewise.
7847         (malloc_state_machine::malloc_state_machine): Likewise.
7848         (malloc_state_machine::~malloc_state_machine): New.
7849         (malloc_state_machine::add_state): Update for conversion from api
7850         to deallocator_set.
7851         (malloc_state_machine::get_or_create_custom_deallocator_set): New.
7852         (malloc_state_machine::maybe_create_custom_deallocator_set): New.
7853         (malloc_state_machine::get_or_create_deallocator): New.
7854         (malloc_state_machine::on_stmt): Update for conversion from api
7855         to deallocator_set.  Handle "__attribute__((malloc(FOO)))", and
7856         the special attribute set on FOO.
7857         (malloc_state_machine::on_allocator_call): Update for conversion
7858         from api to deallocator_set.  Add "returns_nonnull" param and use
7859         it to affect which state to transition to.
7860         (malloc_state_machine::on_deallocator_call): Update for conversion
7861         from api to deallocator_set.
7863 2021-01-14  David Malcolm  <dmalcolm@redhat.com>
7865         * engine.cc (strongly_connected_components::to_json): New.
7866         (worklist::to_json): New.
7867         (exploded_graph::to_json): JSON-ify the worklist.
7868         * exploded-graph.h (strongly_connected_components::to_json): New
7869         decl.
7870         (worklist::to_json): New decl.
7871         * store.cc (store::to_json): Fix comment.
7872         * supergraph.cc (supernode::to_json): Fix reference to
7873         "returning_call" in comment.  Add optional "fun" to JSON.
7874         (edge_kind_to_string): New.
7875         (superedge::to_json): Add "kind" to JSON.
7877 2021-01-14  David Malcolm  <dmalcolm@redhat.com>
7879         PR analyzer/98679
7880         * analyzer.h (region_offset::operator==): Make const.
7881         * pending-diagnostic.h (pending_diagnostic::equal_p): Likewise.
7882         * store.h (binding_cluster::for_each_value): Likewise.
7883         (binding_cluster::for_each_binding): Likewise.
7885 2021-01-12  David Malcolm  <dmalcolm@redhat.com>
7887         PR analyzer/98628
7888         * store.cc (binding_cluster::make_unknown_relative_to): Don't mark
7889         dereferenced unknown pointers as having escaped.
7891 2021-01-07  David Malcolm  <dmalcolm@redhat.com>
7893         PR analyzer/98580
7894         * region.cc (decl_region::get_svalue_for_initializer): Gracefully
7895         handle when LTO writes out DECL_INITIAL as error_mark_node.
7897 2021-01-07  David Malcolm  <dmalcolm@redhat.com>
7899         PR analyzer/97074
7900         * store.cc (binding_cluster::can_merge_p): Add "out_store" param
7901         and pass to calls to binding_cluster::make_unknown_relative_to.
7902         (binding_cluster::make_unknown_relative_to): Add "out_store"
7903         param.  Use it to mark base regions that are pointed to by
7904         pointers that become unknown as having escaped.
7905         (store::can_merge_p): Pass out_store to
7906         binding_cluster::can_merge_p.
7907         * store.h (binding_cluster::can_merge_p): Add "out_store" param.
7908         (binding_cluster::make_unknown_relative_to): Likewise.
7909         * svalue.cc (region_svalue::implicitly_live_p): New vfunc.
7910         * svalue.h (region_svalue::implicitly_live_p): New vfunc decl.
7912 2021-01-07  David Malcolm  <dmalcolm@redhat.com>
7914         PR analyzer/98564
7915         * engine.cc (exploded_path::feasible_p): Add missing call to
7916         bitmap_clear.
7918 2021-01-06  David Malcolm  <dmalcolm@redhat.com>
7920         PR analyzer/97072
7921         * region-model-reachability.cc (reachable_regions::init_cluster):
7922         Convert symbolic region handling to a switch statement.  Add cases
7923         to handle SK_UNKNOWN and SK_CONJURED.
7925 2021-01-05  David Malcolm  <dmalcolm@redhat.com>
7927         PR analyzer/98293
7928         * store.cc (binding_map::apply_ctor_to_region): When "index" is
7929         NULL, iterate through the fields for RECORD_TYPEs, rather than
7930         creating an INTEGER_CST index.
7932 2020-11-30  David Malcolm  <dmalcolm@redhat.com>
7934         * analyzer-pass.cc: Include "analyzer/analyzer.h" for the
7935         declaration of sorry_no_analyzer; include "tree.h" and
7936         "function.h" as these are needed by it.
7938 2020-11-30  David Malcolm  <dmalcolm@redhat.com>
7940         * analyzer-pass.cc (pass_analyzer::execute): Move sorry call to...
7941         (sorry_no_analyzer): New.
7942         * analyzer.h (class state_machine): New forward decl.
7943         (class logger): New forward decl.
7944         (class plugin_analyzer_init_iface): New.
7945         (sorry_no_analyzer): New decl.
7946         * checker-path.cc (checker_path::fixup_locations): New.
7947         * checker-path.h (checker_event::set_location): New.
7948         (checker_path::fixup_locations): New decl.
7949         * diagnostic-manager.cc
7950         (diagnostic_manager::emit_saved_diagnostic): Call
7951         checker_path::fixup_locations, and call fixup_location
7952         on the primary location.
7953         * engine.cc: Include "plugin.h".
7954         (class plugin_analyzer_init_impl): New.
7955         (impl_run_checkers): Invoke PLUGIN_ANALYZER_INIT callbacks.
7956         * pending-diagnostic.h (pending_diagnostic::fixup_location): New
7957         vfunc.
7959 2020-11-18  David Malcolm  <dmalcolm@redhat.com>
7961         PR analyzer/97893
7962         * sm-malloc.cc (null_deref::emit): Use CWE-476 rather than
7963         CWE-690, as this isn't due to an unchecked return value.
7964         (null_arg::emit): Likewise.
7966 2020-11-12  David Malcolm  <dmalcolm@redhat.com>
7968         * checker-path.h (checker_event::get_id_ptr): New.
7969         * diagnostic-manager.cc (path_builder::path_builder): Add "sd"
7970         param and use it to initialize new field "m_sd".
7971         (path_builder::get_pending_diagnostic): New.
7972         (path_builder::m_sd): New field.
7973         (diagnostic_manager::emit_saved_diagnostic): Pass sd to
7974         path_builder ctor.
7975         (diagnostic_manager::add_events_for_superedge): Call new
7976         maybe_add_custom_events_for_superedge vfunc.
7977         * engine.cc (stale_jmp_buf::stale_jmp_buf): Add "setjmp_point"
7978         param and use it to initialize new field "m_setjmp_point".
7979         Initialize new field "m_stack_pop_event".
7980         (stale_jmp_buf::maybe_add_custom_events_for_superedge): New vfunc
7981         implementation.
7982         (stale_jmp_buf::describe_final_event): New vfunc implementation.
7983         (stale_jmp_buf::m_setjmp_point): New field.
7984         (stale_jmp_buf::m_stack_pop_event): New field.
7985         (exploded_node::on_longjmp): Pass setjmp_point to stale_jmp_buf
7986         ctor.
7987         * pending-diagnostic.h
7988         (pending_diagnostic::maybe_add_custom_events_for_superedge): New
7989         vfunc.
7991 2020-11-12  David Malcolm  <dmalcolm@redhat.com>
7993         PR tree-optimization/97424
7994         * analyzer.opt (Wanalyzer-shift-count-negative): New.
7995         (Wanalyzer-shift-count-overflow): New.
7996         * region-model.cc (class shift_count_negative_diagnostic): New.
7997         (class shift_count_overflow_diagnostic): New.
7998         (region_model::get_gassign_result): Complain about shift counts that
7999         are negative or are >= the operand's type's width.
8001 2020-11-10  Martin Liska  <mliska@suse.cz>
8003         * constraint-manager.cc (constraint_manager::merge): Remove
8004         unused code.
8005         * constraint-manager.h: Likewise.
8006         * program-state.cc (sm_state_map::sm_state_map): Likewise.
8007         (program_state::program_state): Likewise.
8008         (test_sm_state_map): Likewise.
8009         * program-state.h: Likewise.
8010         * region-model-reachability.cc (reachable_regions::reachable_regions): Likewise.
8011         * region-model-reachability.h: Likewise.
8012         * region-model.cc (region_model::handle_unrecognized_call): Likewise.
8013         (region_model::get_reachable_svalues): Likewise.
8014         (region_model::can_merge_with_p): Likewise.
8016 2020-11-05  David Malcolm  <dmalcolm@redhat.com>
8018         PR analyzer/97668
8019         * svalue.cc (cmp_cst): Handle COMPLEX_CST.
8021 2020-10-29  David Malcolm  <dmalcolm@redhat.com>
8023         * program-state.cc (sm_state_map::on_liveness_change): Sort the
8024         leaking svalues before calling on_state_leak.
8025         (program_state::detect_leaks): Likewise when calling
8026         on_svalue_leak.
8027         * region-model-reachability.cc
8028         (reachable_regions::mark_escaped_clusters): Likewise when
8029         calling on_escaped_function.
8031 2020-10-29  David Malcolm  <dmalcolm@redhat.com>
8033         PR analyzer/97608
8034         * region-model-reachability.cc (reachable_regions::handle_sval):
8035         Operands of reachable reversible operations are reachable.
8037 2020-10-29  David Malcolm  <dmalcolm@redhat.com>
8039         * analyzer.h (class state_machine): New forward decl.
8040         (class logger): Likewise.
8041         (class visitor): Likewise.
8042         * complexity.cc: New file, taken from svalue.cc.
8043         * complexity.h: New file, taken from region-model.h.
8044         * region-model.h: Include "analyzer/svalue.h" and
8045         "analyzer/region.h".  Move struct complexity to complexity.h.
8046         Move svalue, its subclasses and supporting decls to svalue.h.
8047         Move region, its subclasses and supporting decls to region.h.
8048         * region.cc: Include "analyzer/region.h".
8049         (symbolic_region::symbolic_region): Move here from region-model.h.
8050         * region.h: New file, based on material from region-model.h.
8051         * svalue.cc: Include "analyzer/svalue.h".
8052         (complexity::complexity): Move to complexity.cc.
8053         (complexity::from_pair): Likewise.
8054         * svalue.h: New file, based on material from region-model.h.
8056 2020-10-29  David Malcolm  <dmalcolm@redhat.com>
8058         * program-state.cc (sm_state_map::print): Guard the printing of
8059         the origin pointer with !flag_dump_noaddr.
8060         * region.cc (string_region::dump_to_pp): Likewise for
8061         m_string_cst.
8063 2020-10-27  David Malcolm  <dmalcolm@redhat.com>
8065         PR analyzer/97568
8066         * region-model.cc (region_model::get_initial_value_for_global):
8067         Move check that !DECL_EXTERNAL from here to...
8068         * region.cc (decl_region::get_svalue_for_initializer): ...here,
8069         using it to reject zero initialization.
8071 2020-10-27  Markus Böck  <markus.boeck02@gmail.com>
8073         PR analyzer/96608
8074         * store.h (hash): Cast to intptr_t instead of long.
8076 2020-10-27  David Malcolm  <dmalcolm@redhat.com>
8078         * constraint-manager.cc (svalue_cmp_by_ptr): Delete.
8079         (equiv_class::canonicalize): Use svalue::cmp_ptr_ptr instead.
8080         (equiv_class_cmp): Eliminate pointer comparison.
8081         * diagnostic-manager.cc (dedupe_key::comparator): If they are at
8082         the same location, also compare epath length and pending_diagnostic
8083         kind.
8084         * engine.cc (readability_comparator): If two path_vars have the
8085         same readability, then impose an arbitrary ordering on them.
8086         (worklist::key_t::cmp): If two points have the same plan ordering,
8087         continue the comparison.  Call sm_state_map::cmp rather than
8088         comparing hash values.
8089         * program-state.cc (sm_state_map::entry_t::cmp): New.
8090         (sm_state_map::cmp): New.
8091         * program-state.h (sm_state_map::entry_t::cmp): New decl.
8092         (sm_state_map::elements): New.
8093         (sm_state_map::cmp): New.
8095 2020-10-27  David Malcolm  <dmalcolm@redhat.com>
8097         * engine.cc (setjmp_record::cmp): New.
8098         (supernode_cluster::dump_dot): Avoid embedding pointer in cluster
8099         name.
8100         (supernode_cluster::cmp_ptr_ptr): New.
8101         (function_call_string_cluster::dump_dot): Avoid embedding pointer
8102         in cluster name.  Sort m_map when dumping child clusters.
8103         (function_call_string_cluster::cmp_ptr_ptr): New.
8104         (root_cluster::dump_dot): Sort m_map when dumping child clusters.
8105         * program-point.cc (function_point::cmp): New.
8106         (function_point::cmp_ptr): New.
8107         * program-point.h (function_point::cmp): New decl.
8108         (function_point::cmp_ptr): New decl.
8109         * program-state.cc (sm_state_map::print): Sort the values.  Guard
8110         the printing of pointers with !flag_dump_noaddr.
8111         (program_state::prune_for_point): Sort the regions.
8112         (log_set_of_svalues): Sort the values.  Guard the printing of
8113         pointers with !flag_dump_noaddr.
8114         * region-model-manager.cc (log_uniq_map): Sort the values.
8115         * region-model-reachability.cc (dump_set): New function template.
8116         (reachable_regions::dump_to_pp): Use it.
8117         * region-model.h (svalue::cmp_ptr): New decl.
8118         (svalue::cmp_ptr_ptr): New decl.
8119         (setjmp_record::cmp): New decl.
8120         (placeholder_svalue::get_name): New accessor.
8121         (widening_svalue::get_point): New accessor.
8122         (compound_svalue::get_map): New accessor.
8123         (conjured_svalue::get_stmt): New accessor.
8124         (conjured_svalue::get_id_region): New accessor.
8125         (region::cmp_ptrs): Rename to...
8126         (region::cmp_ptr_ptr): ...this.
8127         * region.cc (region::cmp_ptrs): Rename to...
8128         (region::cmp_ptr_ptr): ...this.
8129         * state-purge.cc
8130         (state_purge_per_ssa_name::state_purge_per_ssa_name): Sort
8131         m_points_needing_name when dumping.
8132         * store.cc (concrete_binding::cmp_ptr_ptr): New.
8133         (symbolic_binding::cmp_ptr_ptr): New.
8134         (binding_map::cmp): New.
8135         (get_sorted_parent_regions): Update for renaming of
8136         region::cmp_ptrs to region::cmp_ptr_ptr.
8137         (store::dump_to_pp): Likewise.
8138         (store::to_json): Likewise.
8139         (store::can_merge_p): Sort the base regions before considering
8140         them.
8141         * store.h (concrete_binding::cmp_ptr_ptr): New decl.
8142         (symbolic_binding::cmp_ptr_ptr): New decl.
8143         (binding_map::cmp): New decl.
8144         * supergraph.cc (supergraph::supergraph): Assign UIDs to the
8145         gimple stmts.
8146         * svalue.cc (cmp_cst): New.
8147         (svalue::cmp_ptr): New.
8148         (svalue::cmp_ptr_ptr): New.
8150 2020-10-27  David Malcolm  <dmalcolm@redhat.com>
8152         * engine.cc (exploded_graph::get_or_create_node): Fix off-by-one
8153         when imposing param_analyzer_max_enodes_per_program_point limit.
8155 2020-10-27  David Malcolm  <dmalcolm@redhat.com>
8157         * region-model.cc (region_model::get_representative_path_var):
8158         Implement case RK_LABEL.
8159         * region-model.h (label_region::get_label): New accessor.
8161 2020-10-22  David Malcolm  <dmalcolm@redhat.com>
8163         PR analyzer/97514
8164         * engine.cc (exploded_graph::add_function_entry): Handle failure
8165         to create an enode, rather than asserting.
8167 2020-10-22  David Malcolm  <dmalcolm@redhat.com>
8169         PR analyzer/97489
8170         * engine.cc (exploded_graph::add_function_entry): Assert that we
8171         have a function body.
8172         (exploded_graph::on_escaped_function): Reject fndecls that don't
8173         have a function body.
8175 2020-10-14  David Malcolm  <dmalcolm@redhat.com>
8177         PR analyzer/93388
8178         * region-model.cc (region_model::get_initial_value_for_global):
8179         Fall back to returning an initial_svalue if
8180         decl_region::get_svalue_for_initializer fails.
8181         * region.cc (decl_region::get_svalue_for_initializer): Don't
8182         attempt to create a compound_svalue if the region has an unknown
8183         size.
8185 2020-10-14  David Malcolm  <dmalcolm@redhat.com>
8187         PR analyzer/93723
8188         * store.cc (binding_map::apply_ctor_to_region): Remove redundant
8189         assertion.
8191 2020-10-12  David Malcolm  <dmalcolm@redhat.com>
8193         PR analyzer/97258
8194         * engine.cc (impl_region_model_context::on_escaped_function): New
8195         vfunc.
8196         (exploded_graph::add_function_entry): Use m_functions_with_enodes
8197         to implement idempotency.
8198         (add_any_callbacks): New.
8199         (exploded_graph::build_initial_worklist): Use the above to find
8200         callbacks that are reachable from global initializers.
8201         (exploded_graph::on_escaped_function): New.
8202         * exploded-graph.h
8203         (impl_region_model_context::on_escaped_function): New decl.
8204         (exploded_graph::on_escaped_function): New decl.
8205         (exploded_graph::m_functions_with_enodes): New field.
8206         * region-model-reachability.cc
8207         (reachable_regions::reachable_regions): Replace "store" param with
8208         "model" param; use it to initialize m_model.
8209         (reachable_regions::add): When getting the svalue for the region,
8210         call get_store_value on the model rather than using an initial
8211         value.
8212         (reachable_regions::mark_escaped_clusters): Add ctxt param and
8213         use it to call on_escaped_function when a function_region escapes.
8214         * region-model-reachability.h
8215         (reachable_regions::reachable_regions): Replace "store" param with
8216         "model" param.
8217         (reachable_regions::mark_escaped_clusters): Add ctxt param.
8218         (reachable_regions::m_model): New field.
8219         * region-model.cc (region_model::handle_unrecognized_call): Update
8220         for change in reachable_regions ctor.
8221         (region_model::handle_unrecognized_call): Pass ctxt to
8222         mark_escaped_clusters.
8223         (region_model::get_reachable_svalues): Update for change in
8224         reachable_regions ctor.
8225         (region_model::get_initial_value_for_global): Read-only variables
8226         keep their initial values.
8227         * region-model.h (region_model_context::on_escaped_function): New
8228         vfunc.
8229         (noop_region_model_context::on_escaped_function): New.
8231 2020-10-12  David Malcolm  <dmalcolm@redhat.com>
8233         * analyzer.opt (Wanalyzer-write-to-const): New.
8234         (Wanalyzer-write-to-string-literal): New.
8235         * region-model-impl-calls.cc (region_model::impl_call_memcpy):
8236         Call check_for_writable_region.
8237         (region_model::impl_call_memset): Likewise.
8238         (region_model::impl_call_strcpy): Likewise.
8239         * region-model.cc (class write_to_const_diagnostic): New.
8240         (class write_to_string_literal_diagnostic): New.
8241         (region_model::check_for_writable_region): New.
8242         (region_model::set_value): Call check_for_writable_region.
8243         * region-model.h (region_model::check_for_writable_region): New
8244         decl.
8246 2020-10-07  David Malcolm  <dmalcolm@redhat.com>
8248         PR analyzer/97116
8249         * sm-malloc.cc (method_p): New.
8250         (describe_argument_index): New.
8251         (inform_nonnull_attribute): Use describe_argument_index.
8252         (possible_null_arg::describe_final_event): Likewise.
8253         (null_arg::describe_final_event): Likewise.
8255 2020-09-29  David Malcolm  <dmalcolm@redhat.com>
8257         PR analyzer/95188
8258         * engine.cc (stmt_requires_new_enode_p): Split enodes before
8259         "signal" calls.
8261 2020-09-29  David Malcolm  <dmalcolm@redhat.com>
8263         * constraint-manager.cc
8264         (constraint_manager::add_constraint_internal): Whitespace fixes.
8265         Silence -Wsign-compare warning.
8266         * engine.cc (maybe_process_run_of_before_supernode_enodes):
8267         Silence -Wsign-compare warning.
8269 2020-09-28  David Malcolm  <dmalcolm@redhat.com>
8271         * region-model.h (binop_svalue::dyn_cast_binop_svalue): Remove
8272         redundant "virtual".  Add FINAL OVERRIDE.
8273         (widening_svalue::dyn_cast_widening_svalue): Add FINAL OVERRIDE.
8274         (compound_svalue::dyn_cast_compound_svalue): Likewise.
8275         (conjured_svalue::dyn_cast_conjured_svalue): Likewise.
8277 2020-09-28  David Malcolm  <dmalcolm@redhat.com>
8279         * diagnostic-manager.cc (null_assignment_sm_context::m_visitor):
8280         Remove unused field.
8282 2020-09-28  David Malcolm  <dmalcolm@redhat.com>
8284         PR analyzer/97233
8285         * analyzer.cc (is_longjmp_call_p): Require the initial argument
8286         to be a pointer.
8287         * engine.cc (exploded_node::on_longjmp): Likewise.
8289 2020-09-28  David Malcolm  <dmalcolm@redhat.com>
8291         * program-state.cc (sm_state_map::print): Update check
8292         for m_global_state being the start state.
8294 2020-09-26  David Malcolm  <dmalcolm@redhat.com>
8296         PR analyzer/96646
8297         PR analyzer/96841
8298         * region-model.cc (region_model::get_representative_path_var):
8299         When handling offset_region, wrap the MEM_REF's first argument in
8300         an ADDR_EXPR of pointer type, rather than simply using the tree
8301         for the parent region.  Require the MEM_REF's second argument to
8302         be an integer constant.
8304 2020-09-24  David Malcolm  <dmalcolm@redhat.com>
8306         * analyzer.h (struct rejected_constraint): New decl.
8307         * analyzer.opt (fanalyzer-feasibility): New option.
8308         * diagnostic-manager.cc (path_builder::path_builder): Add
8309         "problem" param and use it to initialize new field.
8310         (path_builder::get_feasibility_problem): New accessor.
8311         (path_builder::m_feasibility_problem): New field.
8312         (dedupe_winners::add): Remove inversion of logic in "if" clause,
8313         swapping if/else suites.  In the !feasible_p suite, inspect
8314         flag_analyzer_feasibility and add code to handle when this
8315         is off, accepting the infeasible path, but recording the
8316         feasibility_problem.
8317         (diagnostic_manager::emit_saved_diagnostic): Pass the
8318         feasibility_problem to the path_builder.
8319         (diagnostic_manager::add_events_for_eedge): If we have
8320         a feasibility_problem at this edge, use it to add a custom event.
8321         * engine.cc (exploded_path::feasible_p): Pass a
8322         rejected_constraint ** to model.maybe_update_for_edge and transfer
8323         ownership of any created instance to any feasibility_problem.
8324         (feasibility_problem::dump_to_pp): New.
8325         * exploded-graph.h (feasibility_problem::feasibility_problem):
8326         Drop "model" param; add rejected_constraint * param.
8327         (feasibility_problem::~feasibility_problem): New.
8328         (feasibility_problem::dump_to_pp): New decl.
8329         (feasibility_problem::m_model): Drop field.
8330         (feasibility_problem::m_rc): New field.
8331         * program-point.cc (function_point::get_location): Handle
8332         PK_BEFORE_SUPERNODE and PK_AFTER_SUPERNODE.
8333         * program-state.cc (program_state::on_edge): Pass NULL to new
8334         param of region_model::maybe_update_for_edge.
8335         * region-model.cc (region_model::add_constraint): New overload
8336         adding a rejected_constraint ** param.
8337         (region_model::maybe_update_for_edge): Add rejected_constraint **
8338         param and pass it to the various apply_constraints_for_ calls.
8339         (region_model::apply_constraints_for_gcond): Add
8340         rejected_constraint ** param and pass it to add_constraint calls.
8341         (region_model::apply_constraints_for_gswitch): Likewise.
8342         (region_model::apply_constraints_for_exception): Likewise.
8343         (rejected_constraint::dump_to_pp): New.
8344         * region-model.h (region_model::maybe_update_for_edge):
8345         Add rejected_constraint ** param.
8346         (region_model::add_constraint): New overload adding a
8347         rejected_constraint ** param.
8348         (region_model::apply_constraints_for_gcond): Add
8349         rejected_constraint ** param.
8350         (region_model::apply_constraints_for_gswitch): Likewise.
8351         (region_model::apply_constraints_for_exception): Likewise.
8352         (struct rejected_constraint): New.
8354 2020-09-23  David Malcolm  <dmalcolm@redhat.com>
8356         PR analyzer/97178
8357         * engine.cc (impl_run_checkers): Update for change to ext_state
8358         ctor.
8359         * program-state.cc (selftest::test_sm_state_map): Pass an engine
8360         instance to ext_state ctor.
8361         (selftest::test_program_state_1): Likewise.
8362         (selftest::test_program_state_2): Likewise.
8363         (selftest::test_program_state_merging): Likewise.
8364         (selftest::test_program_state_merging_2): Likewise.
8365         * program-state.h (extrinsic_state::extrinsic_state): Remove NULL
8366         default value for "eng" param.
8368 2020-09-23  Tobias Burnus  <tobias@codesourcery.com>
8370         * analyzer-logging.cc: Guard '#pragma ... ignored "-Wformat-diag"'
8371         by '#if __GNUC__ >= 10'
8372         * analyzer.h: Likewise.
8373         * call-string.cc: Likewise.
8375 2020-09-23  David Malcolm  <dmalcolm@redhat.com>
8377         * engine.cc (exploded_node::on_stmt): Replace sequence of dyn_cast
8378         with switch.
8380 2020-09-22  David Malcolm  <dmalcolm@redhat.com>
8382         * analysis-plan.cc: Include "json.h".
8383         * analyzer.opt (fdump-analyzer-json): New.
8384         * call-string.cc: Include "json.h".
8385         (call_string::to_json): New.
8386         * call-string.h (call_string::to_json): New decl.
8387         * checker-path.cc: Include "json.h".
8388         * constraint-manager.cc: Include "json.h".
8389         (equiv_class::to_json): New.
8390         (constraint::to_json): New.
8391         (constraint_manager::to_json): New.
8392         * constraint-manager.h (equiv_class::to_json): New decl.
8393         (constraint::to_json): New decl.
8394         (constraint_manager::to_json): New decl.
8395         * diagnostic-manager.cc: Include "json.h".
8396         (saved_diagnostic::to_json): New.
8397         (diagnostic_manager::to_json): New.
8398         * diagnostic-manager.h (saved_diagnostic::to_json): New decl.
8399         (diagnostic_manager::to_json): New decl.
8400         * engine.cc: Include "json.h", <zlib.h>.
8401         (exploded_node::status_to_str): New.
8402         (exploded_node::to_json): New.
8403         (exploded_edge::to_json): New.
8404         (exploded_graph::to_json): New.
8405         (dump_analyzer_json): New.
8406         (impl_run_checkers): Call it.
8407         * exploded-graph.h (exploded_node::status_to_str): New decl.
8408         (exploded_node::to_json): New.
8409         (exploded_edge::to_json): New.
8410         (exploded_graph::to_json): New.
8411         * pending-diagnostic.cc: Include "json.h".
8412         * program-point.cc: Include "json.h".
8413         (program_point::to_json): New.
8414         * program-point.h (program_point::to_json): New decl.
8415         * program-state.cc: Include "json.h".
8416         (extrinsic_state::to_json): New.
8417         (sm_state_map::to_json): New.
8418         (program_state::to_json): New.
8419         * program-state.h (extrinsic_state::to_json): New decl.
8420         (sm_state_map::to_json): New decl.
8421         (program_state::to_json): New decl.
8422         * region-model-impl-calls.cc: Include "json.h".
8423         * region-model-manager.cc: Include "json.h".
8424         * region-model-reachability.cc: Include "json.h".
8425         * region-model.cc: Include "json.h".
8426         * region-model.h (svalue::to_json): New decl.
8427         (region::to_json): New decl.
8428         * region.cc: Include "json.h".
8429         (region::to_json): New.
8430         * sm-file.cc: Include "json.h".
8431         * sm-malloc.cc: Include "json.h".
8432         * sm-pattern-test.cc: Include "json.h".
8433         * sm-sensitive.cc: Include "json.h".
8434         * sm-signal.cc: Include "json.h".
8435         (signal_delivery_edge_info_t::to_json): New.
8436         * sm-taint.cc: Include "json.h".
8437         * sm.cc: Include "diagnostic.h", "tree-diagnostic.h", and
8438         "json.h".
8439         (state_machine::state::to_json): New.
8440         (state_machine::to_json): New.
8441         * sm.h (state_machine::state::to_json): New.
8442         (state_machine::to_json): New.
8443         * state-purge.cc: Include "json.h".
8444         * store.cc: Include "json.h".
8445         (binding_key::get_desc): New.
8446         (binding_map::to_json): New.
8447         (binding_cluster::to_json): New.
8448         (store::to_json): New.
8449         * store.h (binding_key::get_desc): New decl.
8450         (binding_map::to_json): New decl.
8451         (binding_cluster::to_json): New decl.
8452         (store::to_json): New decl.
8453         * supergraph.cc: Include "json.h".
8454         (supergraph::to_json): New.
8455         (supernode::to_json): New.
8456         (superedge::to_json): New.
8457         * supergraph.h (supergraph::to_json): New decl.
8458         (supernode::to_json): New decl.
8459         (superedge::to_json): New decl.
8460         * svalue.cc: Include "json.h".
8461         (svalue::to_json): New.
8463 2020-09-21  David Malcolm  <dmalcolm@redhat.com>
8465         PR analyzer/97130
8466         * region-model-impl-calls.cc (call_details::get_arg_type): New.
8467         * region-model.cc (region_model::on_call_pre): Check that the
8468         initial arg is a pointer before calling impl_call_memset and
8469         impl_call_strlen.
8470         * region-model.h (call_details::get_arg_type): New decl.
8472 2020-09-21  David Malcolm  <dmalcolm@redhat.com>
8474         PR analyzer/93355
8475         * sm-malloc.cc (malloc_state_machine::get_default_state): Look at
8476         the base region when considering pointers.  Treat pointers to
8477         decls as being non-heap.
8479 2020-09-18  David Malcolm  <dmalcolm@redhat.com>
8481         * checker-path.cc (warning_event::get_desc): Handle global state
8482         changes.
8484 2020-09-18  David Malcolm  <dmalcolm@redhat.com>
8486         * sm-malloc.cc (malloc_state_machine::on_stmt): Handle strdup and
8487         strndup as being malloc-like allocators.
8489 2020-09-16  David Malcolm  <dmalcolm@redhat.com>
8491         * engine.cc (strongly_connected_components::strong_connect): Only
8492         consider intraprocedural edges when creating SCCs.
8493         (worklist::key_t::cmp): Add comment.  Treat call_string
8494         differences as more important than differences of program_point
8495         within a supernode.
8497 2020-09-16  David Malcolm  <dmalcolm@redhat.com>
8499         * engine.cc (supernode_cluster::dump_dot): Show the SCC id
8500         in the per-supernode clusters in FILENAME.eg.dot output.
8501         (exploded_graph_annotator::add_node_annotations):
8502         Show the SCC of the supernode in FILENAME.supernode.eg.dot output.
8503         * exploded-graph.h (worklist::scc_id): New.
8504         (exploded_graph::get_scc_id): New.
8506 2020-09-16  David Malcolm  <dmalcolm@redhat.com>
8508         * engine.cc (exploded_node::dump_dot): Show STATUS_BULK_MERGED.
8509         (exploded_graph::process_worklist): Call
8510         maybe_process_run_of_before_supernode_enodes.
8511         (exploded_graph::maybe_process_run_of_before_supernode_enodes):
8512         New.
8513         (exploded_graph_annotator::print_enode): Show STATUS_BULK_MERGED.
8514         * exploded-graph.h (enum exploded_node::status): Add
8515         STATUS_BULK_MERGED.
8517 2020-09-16  David Malcolm  <dmalcolm@redhat.com>
8519         * engine.cc
8520         (exploded_graph::process_node) <case PK_BEFORE_SUPERNODE>:
8521         Simplify by using program_point::get_next.
8522         * program-point.cc (program_point::get_next): New.
8523         * program-point.h (program_point::get_next): New decl.
8525 2020-09-16  David Malcolm  <dmalcolm@redhat.com>
8527         * engine.cc (exploded_graph::get_or_create_node): Show the
8528         program point when issuing -Wanalyzer-too-complex due to hitting
8529         the per-program-point limit.
8531 2020-09-16  David Malcolm  <dmalcolm@redhat.com>
8533         * region-model.cc (region_model::on_call_pre): Treat getchar as
8534         having no side-effects.
8536 2020-09-15  David Malcolm  <dmalcolm@redhat.com>
8538         PR analyzer/96650
8539         * constraint-manager.cc (merger_fact_visitor::on_fact): Replace
8540         assertion that add_constraint succeeded with an assertion that
8541         if it fails, -fanalyzer-transitivity is off.
8543 2020-09-14  David Malcolm  <dmalcolm@redhat.com>
8545         * analyzer.opt (-param=analyzer-max-constraints=): New param.
8546         * constraint-manager.cc
8547         (constraint_manager::add_constraint_internal): Silently reject
8548         attempts to add constraints when the above limit is reached.
8550 2020-09-14  David Malcolm  <dmalcolm@redhat.com>
8552         PR analyzer/96653
8553         * constraint-manager.cc
8554         (constraint_manager::get_or_add_equiv_class): Don't accumulate
8555         transitive closure of all constraints on constants.
8557 2020-09-14  David Malcolm  <dmalcolm@redhat.com>
8559         PR analyzer/97029
8560         * analyzer.cc (is_setjmp_call_p): Require the initial arg to be a
8561         pointer.
8562         * region-model.cc (region_model::deref_rvalue): Assert that the
8563         svalue is of pointer type.
8565 2020-09-11  David Malcolm  <dmalcolm@redhat.com>
8567         PR analyzer/96798
8568         * region-model-impl-calls.cc (region_model::impl_call_memcpy):
8569         New.
8570         (region_model::impl_call_strcpy): New.
8571         * region-model.cc (region_model::on_call_pre): Flag unhandled
8572         builtins that are non-pure as having unknown side-effects.
8573         Implement BUILT_IN_MEMCPY, BUILT_IN_MEMCPY_CHK, BUILT_IN_STRCPY,
8574         BUILT_IN_STRCPY_CHK, BUILT_IN_FPRINTF, BUILT_IN_FPRINTF_UNLOCKED,
8575         BUILT_IN_PUTC, BUILT_IN_PUTC_UNLOCKED, BUILT_IN_FPUTC,
8576         BUILT_IN_FPUTC_UNLOCKED, BUILT_IN_FPUTS, BUILT_IN_FPUTS_UNLOCKED,
8577         BUILT_IN_FWRITE, BUILT_IN_FWRITE_UNLOCKED, BUILT_IN_PRINTF,
8578         BUILT_IN_PRINTF_UNLOCKED, BUILT_IN_PUTCHAR,
8579         BUILT_IN_PUTCHAR_UNLOCKED, BUILT_IN_PUTS, BUILT_IN_PUTS_UNLOCKED,
8580         BUILT_IN_VFPRINTF, BUILT_IN_VPRINTF.
8581         * region-model.h (region_model::impl_call_memcpy): New decl.
8582         (region_model::impl_call_strcpy): New decl.
8584 2020-09-09  David Malcolm  <dmalcolm@redhat.com>
8586         PR analyzer/94355
8587         * analyzer.opt (Wanalyzer-mismatching-deallocation): New warning.
8588         * region-model-impl-calls.cc
8589         (region_model::impl_call_operator_new): New.
8590         (region_model::impl_call_operator_delete): New.
8591         * region-model.cc (region_model::on_call_pre): Detect operator new
8592         and operator delete.
8593         (region_model::on_call_post): Likewise.
8594         (region_model::maybe_update_for_edge): Detect EH edges and call...
8595         (region_model::apply_constraints_for_exception): New function.
8596         * region-model.h (region_model::impl_call_operator_new): New decl.
8597         (region_model::impl_call_operator_delete): New decl.
8598         (region_model::apply_constraints_for_exception): New decl.
8599         * sm-malloc.cc (enum resource_state): New.
8600         (struct allocation_state): New state subclass.
8601         (enum wording): New.
8602         (struct api): New.
8603         (malloc_state_machine::custom_data_t): New typedef.
8604         (malloc_state_machine::add_state): New decl.
8605         (malloc_state_machine::m_unchecked)
8606         (malloc_state_machine::m_nonnull)
8607         (malloc_state_machine::m_freed): Delete these states in favor
8608         of...
8609         (malloc_state_machine::m_malloc)
8610         (malloc_state_machine::m_scalar_new)
8611         (malloc_state_machine::m_vector_new): ...these new api instances,
8612         which own their own versions of these states.
8613         (malloc_state_machine::on_allocator_call): New decl.
8614         (malloc_state_machine::on_deallocator_call): New decl.
8615         (api::api): New ctor.
8616         (dyn_cast_allocation_state): New.
8617         (as_a_allocation_state): New.
8618         (get_rs): New.
8619         (unchecked_p): New.
8620         (nonnull_p): New.
8621         (freed_p): New.
8622         (malloc_diagnostic::describe_state_change): Use unchecked_p and
8623         nonnull_p.
8624         (class mismatching_deallocation): New.
8625         (double_free::double_free): Add funcname param for initializing
8626         m_funcname.
8627         (double_free::emit): Use m_funcname in warning message rather
8628         than hardcoding "free".
8629         (double_free::describe_state_change): Likewise.  Use freed_p.
8630         (double_free::describe_call_with_state): Use freed_p.
8631         (double_free::describe_final_event): Use m_funcname in message
8632         rather than hardcoding "free".
8633         (double_free::m_funcname): New field.
8634         (possible_null::describe_state_change): Use unchecked_p.
8635         (possible_null::describe_return_of_state): Likewise.
8636         (use_after_free::use_after_free): Add param for initializing m_api.
8637         (use_after_free::emit): Use m_api->m_dealloc_funcname in message
8638         rather than hardcoding "free".
8639         (use_after_free::describe_state_change): Use freed_p.  Change the
8640         wording of the message based on the API.
8641         (use_after_free::describe_final_event): Use
8642         m_api->m_dealloc_funcname in message rather than hardcoding
8643         "free".  Change the wording of the message based on the API.
8644         (use_after_free::m_api): New field.
8645         (malloc_leak::describe_state_change): Use unchecked_p.  Update
8646         for renaming of m_malloc_event to m_alloc_event.
8647         (malloc_leak::describe_final_event): Update for renaming of
8648         m_malloc_event to m_alloc_event.
8649         (malloc_leak::m_malloc_event): Rename...
8650         (malloc_leak::m_alloc_event): ...to this.
8651         (free_of_non_heap::free_of_non_heap): Add param for initializing
8652         m_funcname.
8653         (free_of_non_heap::emit): Use m_funcname in message rather than
8654         hardcoding "free".
8655         (free_of_non_heap::describe_final_event): Likewise.
8656         (free_of_non_heap::m_funcname): New field.
8657         (allocation_state::dump_to_pp): New.
8658         (allocation_state::get_nonnull): New.
8659         (malloc_state_machine::malloc_state_machine): Update for changes
8660         to state fields and new api fields.
8661         (malloc_state_machine::add_state): New.
8662         (malloc_state_machine::on_stmt): Move malloc/calloc handling to
8663         on_allocator_call and call it, passing in the API pointer.
8664         Likewise for free, moving it to on_deallocator_call.  Handle calls
8665         to operator new and delete in an analogous way.  Use unchecked_p
8666         when testing for possibly-null-arg and possibly-null-deref, and
8667         transition to the non-null for the correct API.  Remove redundant
8668         node param from call to on_zero_assignment.  Use freed_p for
8669         use-after-free check, and pass in API.
8670         (malloc_state_machine::on_allocator_call): New, based on code in
8671         on_stmt.
8672         (malloc_state_machine::on_deallocator_call): Likewise.
8673         (malloc_state_machine::on_phi): Mark node param with
8674         ATTRIBUTE_UNUSED; don't pass it to on_zero_assignment.
8675         (malloc_state_machine::on_condition): Mark node param with
8676         ATTRIBUTE_UNUSED.  Replace on_transition calls with get_state and
8677         set_next_state pairs, transitioning to the non-null state for the
8678         appropriate API.
8679         (malloc_state_machine::can_purge_p): Port to new state approach.
8680         (malloc_state_machine::on_zero_assignment): Replace on_transition
8681         calls with get_state and set_next_state pairs.  Drop redundant
8682         node param.
8683         * sm.h (state_machine::add_custom_state): New.
8685 2020-09-09  David Malcolm  <dmalcolm@redhat.com>
8687         * diagnostic-manager.cc
8688         (null_assignment_sm_context::warn_for_state): Replace with...
8689         (null_assignment_sm_context::warn): ...this.
8690         * engine.cc (impl_sm_context::warn_for_state): Replace with...
8691         (impl_sm_context::warn): ...this.
8692         * sm-file.cc (fileptr_state_machine::on_stmt): Replace
8693         warn_for_state and on_transition calls with a get_state
8694         test guarding warn and set_next_state calls.
8695         * sm-malloc.cc (malloc_state_machine::on_stmt): Likewise.
8696         * sm-pattern-test.cc (pattern_test_state_machine::on_condition):
8697         Replace warn_for_state call with warn call.
8698         * sm-sensitive.cc
8699         (sensitive_state_machine::warn_for_any_exposure): Replace
8700         warn_for_state call with a get_state test guarding a warn call.
8701         * sm-signal.cc (signal_state_machine::on_stmt): Likewise.
8702         * sm-taint.cc (taint_state_machine::on_stmt):  Replace
8703         warn_for_state and on_transition calls with a get_state
8704         test guarding warn and set_next_state calls.
8705         * sm.h (sm_context::warn_for_state): Replace with...
8706         (sm_context::warn): ...this.
8708 2020-09-09  David Malcolm  <dmalcolm@redhat.com>
8710         * diagnostic-manager.cc
8711         (null_assignment_sm_context::null_assignment_sm_context): Add old_state
8712         and ext_state params, initializing m_old_state and m_ext_state.
8713         (null_assignment_sm_context::on_transition): Split into...
8714         (null_assignment_sm_context::get_state): ...this new vfunc
8715         implementation and...
8716         (null_assignment_sm_context::set_next_state): ...this new vfunc
8717         implementation.
8718         (null_assignment_sm_context::m_old_state): New field.
8719         (null_assignment_sm_context::m_ext_state): New field.
8720         (diagnostic_manager::add_events_for_eedge): Pass in old state and
8721         ext_state when creating sm_ctxt.
8722         * engine.cc (impl_sm_context::on_transition): Split into...
8723         (impl_sm_context::get_state): ...this new vfunc
8724         implementation and...
8725         (impl_sm_context::set_next_state): ...this new vfunc
8726         implementation.
8727         * sm.h (sm_context::get_state): New pure virtual function.
8728         (sm_context::set_next_state): Likewise.
8729         (sm_context::on_transition): Convert from a pure virtual function
8730         to a regular function implemented in terms of get_state and
8731         set_next_state.
8733 2020-09-09  David Malcolm  <dmalcolm@redhat.com>
8735         * checker-path.cc (state_change_event::get_desc): Update
8736         state_machine::get_state_name calls to state::get_name.
8737         (warning_event::get_desc): Likewise.
8738         * diagnostic-manager.cc
8739         (null_assignment_sm_context::on_transition): Update comparison
8740         against 0 with comparison with m_sm.get_start_state.
8741         (diagnostic_manager::prune_for_sm_diagnostic): Update
8742         state_machine::get_state_name calls to state::get_name.
8743         * engine.cc (impl_sm_context::on_transition): Likewise.
8744         (exploded_node::get_dot_fillcolor): Use get_id when summing
8745         the sm states.
8746         * program-state.cc (sm_state_map::sm_state_map): Don't hardcode
8747         0 as the start state when initializing m_global_state.
8748         (sm_state_map::print): Use dump_to_pp rather than get_state_name
8749         when dumping states.
8750         (sm_state_map::is_empty_p): Don't hardcode 0 as the start state
8751         when examining m_global_state.
8752         (sm_state_map::hash): Use get_id when hashing states.
8753         (selftest::test_sm_state_map): Use state objects rather than
8754         arbitrary hardcoded integers.
8755         (selftest::test_program_state_merging): Likewise.
8756         (selftest::test_program_state_merging_2): Likewise.
8757         * sm-file.cc (fileptr_state_machine::m_start): Move to base class.
8758         (file_diagnostic::describe_state_change): Use get_start_state.
8759         (fileptr_state_machine::fileptr_state_machine): Drop m_start
8760         initialization.
8761         * sm-malloc.cc (malloc_state_machine::m_start): Move to base
8762         class.
8763         (malloc_diagnostic::describe_state_change): Use get_start_state.
8764         (possible_null::describe_state_change): Likewise.
8765         (malloc_state_machine::malloc_state_machine): Drop m_start
8766         initialization.
8767         * sm-pattern-test.cc (pattern_test_state_machine::m_start): Move
8768         to base class.
8769         (pattern_test_state_machine::pattern_test_state_machine): Drop
8770         m_start initialization.
8771         * sm-sensitive.cc (sensitive_state_machine::m_start): Move to base
8772         class.
8773         (sensitive_state_machine::sensitive_state_machine): Drop m_start
8774         initialization.
8775         * sm-signal.cc (signal_state_machine::m_start): Move to base
8776         class.
8777         (signal_state_machine::signal_state_machine): Drop m_start
8778         initialization.
8779         * sm-taint.cc (taint_state_machine::m_start): Move to base class.
8780         (taint_state_machine::taint_state_machine): Drop m_start
8781         initialization.
8782         * sm.cc (state_machine::state::dump_to_pp): New.
8783         (state_machine::state_machine): Move here from sm.h.  Initialize
8784         m_next_state_id and m_start.
8785         (state_machine::add_state): Reimplement in terms of state objects.
8786         (state_machine::get_state_name): Delete.
8787         (state_machine::get_state_by_name): Reimplement in terms of state
8788         objects.  Make const.
8789         (state_machine::validate): Delete.
8790         (state_machine::dump_to_pp): Reimplement in terms of state
8791         objects.
8792         * sm.h (state_machine::state): New class.
8793         (state_machine::state_t): Convert typedef from "unsigned" to
8794         "const state_machine::state *".
8795         (state_machine::state_machine): Move to sm.cc.
8796         (state_machine::get_default_state): Use m_start rather than
8797         hardcoding 0.
8798         (state_machine::get_state_name): Delete.
8799         (state_machine::get_state_by_name): Make const.
8800         (state_machine::get_start_state): New accessor.
8801         (state_machine::alloc_state_id): New.
8802         (state_machine::m_state_names): Drop in favor of...
8803         (state_machine::m_states): New field.
8804         (state_machine::m_start): New field.
8805         (start_start_p): Delete.
8807 2020-09-08  David Malcolm  <dmalcolm@redhat.com>
8809         PR analyzer/96949
8810         * store.cc (binding_map::apply_ctor_val_to_range): Add
8811         error-handling for the cases where we have symbolic offsets.
8813 2020-09-08  David Malcolm  <dmalcolm@redhat.com>
8815         PR analyzer/96950
8816         * store.cc (binding_map::apply_ctor_to_region): Handle RANGE_EXPR
8817         where min_index == max_index.
8818         (binding_map::apply_ctor_val_to_range): Replace assertion that we
8819         don't have a CONSTRUCTOR value with error-handling.
8821 2020-09-08  David Malcolm  <dmalcolm@redhat.com>
8823         PR analyzer/96962
8824         * region-model.cc (region_model::on_call_pre): Fix guard on switch
8825         on built-ins to only consider BUILT_IN_NORMAL, rather than other
8826         kinds of built-ins.
8828 2020-09-01  David Malcolm  <dmalcolm@redhat.com>
8830         PR analyzer/96792
8831         * region-model.cc (region_model::deref_rvalue): Add the constraint
8832         that PTR_SVAL is non-NULL.
8834 2020-08-31  David Malcolm  <dmalcolm@redhat.com>
8836         PR analyzer/96798
8837         * region-model.cc (region_model::on_call_pre): Handle
8838         BUILT_IN_MEMSET_CHK.
8840 2020-08-31  David Malcolm  <dmalcolm@redhat.com>
8842         * region-model.cc (region_model::on_call_pre): Gather handling of
8843         builtins and of internal fns into switch statements.  Handle
8844         "alloca" and BUILT_IN_ALLOCA_WITH_ALIGN.
8846 2020-08-31  David Malcolm  <dmalcolm@redhat.com>
8848         PR analyzer/96860
8849         * region.cc (decl_region::get_svalue_for_constructor): Support
8850         apply_ctor_to_region failing.
8851         * store.cc (binding_map::apply_ctor_to_region): Add failure
8852         handling.
8853         (binding_map::apply_ctor_val_to_range): Likewise.
8854         (binding_map::apply_ctor_pair_to_child_region): Likewise.  Replace
8855         assertion that child_base_offset is not symbolic with error
8856         handling.
8857         * store.h (binding_map::apply_ctor_to_region): Convert return type
8858         from void to bool.
8859         (binding_map::apply_ctor_val_to_range): Likewise.
8860         (binding_map::apply_ctor_pair_to_child_region): Likewise.
8862 2020-08-31  David Malcolm  <dmalcolm@redhat.com>
8864         PR analyzer/96763
8865         * store.cc (binding_map::apply_ctor_to_region): Handle RANGE_EXPR
8866         by calling a new binding_map::apply_ctor_val_to_range subroutine.
8867         Split out the existing non-CONSTRUCTOR-handling code to a new
8868         apply_ctor_pair_to_child_region subroutine.
8869         (binding_map::apply_ctor_val_to_range): New.
8870         (binding_map::apply_ctor_pair_to_child_region): New, split out
8871         from binding_map::apply_ctor_to_region as noted above.
8872         * store.h (binding_map::apply_ctor_val_to_range): New decl.
8873         (binding_map::apply_ctor_pair_to_child_region): New decl.
8875 2020-08-31  David Malcolm  <dmalcolm@redhat.com>
8877         PR analyzer/96764
8878         * region-model-manager.cc
8879         (region_model_manager::maybe_fold_unaryop): Handle VIEW_CONVERT_EXPR.
8880         (region_model_manager::get_or_create_cast): Move logic for
8881         real->integer casting to...
8882         (get_code_for_cast): ...this new function, and add logic for
8883         real->non-integer casts.
8884         (region_model_manager::maybe_fold_sub_svalue): Handle
8885         VIEW_CONVERT_EXPR.
8886         * region-model.cc
8887         (region_model::add_any_constraints_from_gassign): Likewise.
8888         * svalue.cc (svalue::maybe_undo_cast): Likewise.
8889         (unaryop_svalue::dump_to_pp): Likewise.
8891 2020-08-26  David Malcolm  <dmalcolm@redhat.com>
8893         PR analyzer/94858
8894         * region-model-manager.cc
8895         (region_model_manager::get_or_create_widening_svalue): Assert that
8896         neither of the inputs are themselves widenings.
8897         * store.cc (store::eval_alias_1): The initial value of a pointer
8898         can't point to a region that was allocated on the heap after the
8899         beginning of the path.  A widened pointer value can't alias anything
8900         that the initial pointer value can't alias.
8901         * svalue.cc (svalue::can_merge_p): Merge BINOP (X, OP, CST) with X
8902         to a widening svalue.  Merge
8903         BINOP(WIDENING(BASE, BINOP(BASE, X)), X) and BINOP(BASE, X) to
8904         the LHS of the first BINOP.
8906 2020-08-26  David Malcolm  <dmalcolm@redhat.com>
8908         PR analyzer/96777
8909         * region-model.h (class compound_svalue): Document that all keys
8910         must be concrete.
8911         (compound_svalue::compound_svalue): Move definition to svalue.cc.
8912         * store.cc (binding_map::apply_ctor_to_region): Handle
8913         initializers for trailing arrays with incomplete size.
8914         * svalue.cc (compound_svalue::compound_svalue): Move definition
8915         here from region-model.h.  Add assertion that all keys are
8916         concrete.
8918 2020-08-22  David Malcolm  <dmalcolm@redhat.com>
8920         PR analyzer/94851
8921         * region-model-manager.cc
8922         (region_model_manager::maybe_fold_binop): Fold bitwise "& 0" to 0.
8924 2020-08-22  David Malcolm  <dmalcolm@redhat.com>
8926         * store.cc (store::eval_alias): Make const.  Split out 2nd half
8927         into store::eval_alias_1 and call it twice for symmetry, avoiding
8928         test duplication.
8929         (store::eval_alias_1): New function, split out from the above.
8930         * store.h (store::eval_alias): Make const.
8931         (store::eval_alias_1): New decl.
8933 2020-08-22  David Malcolm  <dmalcolm@redhat.com>
8935         * region-model.cc (region_model::push_frame): Bind the default
8936         SSA name for each parm if it exists, falling back to the parm
8937         itself otherwise, rather than doing both.
8939 2020-08-20  David Malcolm  <dmalcolm@redhat.com>
8941         PR analyzer/96723
8942         * region-model-manager.cc
8943         (region_model_manager::get_field_region): Assert that field is a
8944         FIELD_DECL.
8945         * region.cc (region::get_subregions_for_binding): In
8946         union-handling, filter the TYPE_FIELDS traversal to just FIELD_DECLs.
8948 2020-08-20  David Malcolm  <dmalcolm@redhat.com>
8950         PR analyzer/96713
8951         * region-model.cc (region_model::get_gassign_result): For
8952         comparisons, only use eval_condition when the lhs has boolean
8953         type, and use get_or_create_constant_svalue on the boolean
8954         constants directly rather than via get_rvalue.
8956 2020-08-19  David Malcolm  <dmalcolm@redhat.com>
8958         PR analyzer/96643
8959         * region-model.cc (region_model::deref_rvalue): Rather than
8960         attempting to handle all svalue kinds in the switch, only cover
8961         the special cases, and move symbolic-region handling to after
8962         the switch, thus implicitly handling the missing case SK_COMPOUND.
8964 2020-08-19  David Malcolm  <dmalcolm@redhat.com>
8966         PR analyzer/96705
8967         * region-model-manager.cc
8968         (region_model_manager::maybe_fold_binop): Check that we have an
8969         integral type before calling build_int_cst.
8971 2020-08-19  David Malcolm  <dmalcolm@redhat.com>
8973         PR analyzer/96699
8974         * region-model-manager.cc
8975         (region_model_manager::get_or_create_cast): Use FIX_TRUNC_EXPR for
8976         casting from REAL_TYPE to INTEGER_TYPE.
8978 2020-08-19  David Malcolm  <dmalcolm@redhat.com>
8980         PR analyzer/96651
8981         * region-model.cc (region_model::called_from_main_p): New.
8982         (region_model::get_store_value): Move handling for globals into...
8983         (region_model::get_initial_value_for_global): ...this new
8984         function, and add logic for extracting values from decl
8985         initializers.
8986         * region-model.h (decl_region::get_svalue_for_constructor): New
8987         decl.
8988         (decl_region::get_svalue_for_initializer): New decl.
8989         (region_model::called_from_main_p): New decl.
8990         (region_model::get_initial_value_for_global): New.
8991         * region.cc (decl_region::maybe_get_constant_value): Move logic
8992         for getting an svalue from a CONSTRUCTOR node to...
8993         (decl_region::get_svalue_for_constructor): ...this new function.
8994         (decl_region::get_svalue_for_initializer): New.
8995         * store.cc (get_svalue_for_ctor_val): Rewrite in terms of
8996         region_model::get_rvalue.
8997         * store.h (binding_cluster::get_map): New accessor.
8999 2020-08-19  David Malcolm  <dmalcolm@redhat.com>
9001         PR analyzer/96648
9002         * region.cc (get_field_at_bit_offset): Gracefully handle negative
9003         values for bit_offset.
9005 2020-08-18  David Malcolm  <dmalcolm@redhat.com>
9007         * region-model.cc (region_model::get_rvalue_1): Fix name of local.
9009 2020-08-18  David Malcolm  <dmalcolm@redhat.com>
9011         PR analyzer/96641
9012         * region-model.cc (region_model::get_rvalue_1): Handle
9013         unrecognized tree codes by returning "UNKNOWN".
9015 2020-08-18  David Malcolm  <dmalcolm@redhat.com>
9017         PR analyzer/96640
9018         * region-model.cc (region_model::get_gassign_result): Handle various
9019         VEC_* tree codes by returning UNKNOWN.
9020         (region_model::on_assignment): Handle unrecognized tree codes by
9021         setting lhs to an unknown value, rather than issuing a "sorry" and
9022         asserting.
9024 2020-08-17  David Malcolm  <dmalcolm@redhat.com>
9026         PR analyzer/96644
9027         * region-model-manager.cc (get_region_for_unexpected_tree_code):
9028         Handle ctxt being NULL.
9030 2020-08-17  David Malcolm  <dmalcolm@redhat.com>
9032         PR analyzer/96639
9033         * region.cc (region::get_subregions_for_binding): Check for "type"
9034         being NULL.
9036 2020-08-17  David Malcolm  <dmalcolm@redhat.com>
9038         PR analyzer/96642
9039         * store.cc (get_svalue_for_ctor_val): New.
9040         (binding_map::apply_ctor_to_region): Call it.
9042 2020-08-14  David Malcolm  <dmalcolm@redhat.com>
9044         PR testsuite/96609
9045         PR analyzer/96616
9046         * region-model.cc (region_model::get_store_value): Call
9047         maybe_get_constant_value on decl_regions first.
9048         * region-model.h (decl_region::maybe_get_constant_value): New decl.
9049         * region.cc (decl_region::get_stack_depth): Likewise.
9050         (decl_region::maybe_get_constant_value): New.
9051         * store.cc (get_subregion_within_ctor): New.
9052         (binding_map::apply_ctor_to_region): New.
9053         * store.h (binding_map::apply_ctor_to_region): New decl.
9055 2020-08-14  David Malcolm  <dmalcolm@redhat.com>
9057         PR analyzer/96611
9058         * store.cc (store::mark_as_escaped): Reject attempts to
9059         get a cluster for an unknown pointer.
9061 2020-08-13  David Malcolm  <dmalcolm@redhat.com>
9063         PR analyzer/93032
9064         PR analyzer/93938
9065         PR analyzer/94011
9066         PR analyzer/94099
9067         PR analyzer/94399
9068         PR analyzer/94458
9069         PR analyzer/94503
9070         PR analyzer/94640
9071         PR analyzer/94688
9072         PR analyzer/94689
9073         PR analyzer/94839
9074         PR analyzer/95026
9075         PR analyzer/95042
9076         PR analyzer/95240
9077         * analyzer-logging.cc: Ignore "-Wformat-diag".
9078         (logger::enter_scope): Use inc_indent in both overloads.
9079         (logger::exit_scope): Use dec_indent.
9080         * analyzer-logging.h (logger::inc_indent): New.
9081         (logger::dec_indent): New.
9082         * analyzer-selftests.cc (run_analyzer_selftests): Call
9083         analyzer_store_cc_tests.
9084         * analyzer-selftests.h (analyzer_store_cc_tests): New decl.
9085         * analyzer.cc (get_stmt_location): New function.
9086         * analyzer.h (class initial_svalue): New forward decl.
9087         (class unaryop_svalue): New forward decl.
9088         (class binop_svalue): New forward decl.
9089         (class sub_svalue): New forward decl.
9090         (class unmergeable_svalue): New forward decl.
9091         (class placeholder_svalue): New forward decl.
9092         (class widening_svalue): New forward decl.
9093         (class compound_svalue): New forward decl.
9094         (class conjured_svalue): New forward decl.
9095         (svalue_set): New typedef.
9096         (class map_region): Delete.
9097         (class array_region): Delete.
9098         (class frame_region): New forward decl.
9099         (class function_region): New forward decl.
9100         (class label_region): New forward decl.
9101         (class decl_region): New forward decl.
9102         (class element_region): New forward decl.
9103         (class offset_region): New forward decl.
9104         (class cast_region): New forward decl.
9105         (class field_region): New forward decl.
9106         (class string_region): New forward decl.
9107         (class region_model_manager): New forward decl.
9108         (class store_manager): New forward decl.
9109         (class store): New forward decl.
9110         (class call_details): New forward decl.
9111         (struct svalue_id_merger_mapping): Delete.
9112         (struct canonicalization): Delete.
9113         (class function_point): New forward decl.
9114         (class engine): New forward decl.
9115         (dump_tree): New function decl.
9116         (print_quoted_type): New function decl.
9117         (readability_comparator): New function decl.
9118         (tree_cmp): New function decl.
9119         (class path_var): Move here from region-model.h
9120         (bit_offset_t, bit_size_t, byte_size_t): New typedefs.
9121         (class region_offset): New class.
9122         (get_stmt_location): New decl.
9123         (struct member_function_hash_traits): New struct.
9124         (class consolidation_map): New class.
9125         Ignore "-Wformat-diag".
9126         * analyzer.opt (-param=analyzer-max-svalue-depth=): New param.
9127         (-param=analyzer-max-enodes-for-full-dump=): New param.
9128         * call-string.cc: Ignore -Wformat-diag.
9129         * checker-path.cc: Move includes of "analyzer/call-string.h" and
9130         "analyzer/program-point.h" to before "analyzer/region-model.h",
9131         and also include "analyzer/store.h" before it.
9132         (state_change_event::state_change_event): Replace "tree var" param
9133         with "const svalue *sval".  Convert "origin" param from tree to
9134         "const svalue *".
9135         (state_change_event::get_desc): Call get_representative_tree to
9136         convert the var and origin from const svalue * to tree.  Use
9137         svalue::get_desc rather than %qE when describing state changes.
9138         (checker_path::add_final_event): Use get_stmt_location.
9139         * checker-path.h (state_change_event::state_change_event): Port
9140         from tree to const svalue *.
9141         (state_change_event::get_lvalue): Delete.
9142         (state_change_event::get_dest_function): New.
9143         (state_change_event::m_var): Replace with...
9144         (state_change_event::m_sval): ...this.
9145         (state_change_event::m_origin): Convert from tree to
9146         const svalue *.
9147         * constraint-manager.cc: Include "analyzer/call-string.h",
9148         "analyzer/program-point.h", and "analyzer/store.h" before
9149         "analyzer/region-model.h".
9150         (struct bound, struct range): Move to constraint-manager.h.
9151         (compare_constants): New function.
9152         (range::dump): Rename to...
9153         (range::dump_to_pp): ...this.  Support NULL constants.
9154         (range::dump): Reintroduce for dumping to stderr.
9155         (range::constrained_to_single_element): Return result, rather than
9156         writing to *OUT.
9157         (range::eval_condition): New.
9158         (range::below_lower_bound): New.
9159         (range::above_upper_bound): New.
9160         (equiv_class::equiv_class): Port from svalue_id to const svalue *.
9161         (equiv_class::print): Likewise.
9162         (equiv_class::hash): Likewise.
9163         (equiv_class::operator==): Port from svalue_id to const svalue *.
9164         (equiv_class::add): Port from svalue_id to const svalue *. Drop
9165         "cm" param.
9166         (equiv_class::del): Port from svalue_id to const svalue *.
9167         (equiv_class::get_representative): Likewise.
9168         (equiv_class::remap_svalue_ids): Delete.
9169         (svalue_id_cmp_by_id): Rename to...
9170         (svalue_cmp_by_ptr): ...this, porting from svalue_id to
9171         const svalue *.
9172         (equiv_class::canonicalize): Update qsort comparator.
9173         (constraint::implied_by): New.
9174         (constraint_manager::constraint_manager): Copy m_mgr in copy ctor.
9175         (constraint_manager::dump_to_pp): Add "multiline" param
9176         (constraint_manager::dump): Pass "true" for "multiline".
9177         (constraint_manager::add_constraint): Port from svalue_id to
9178         const svalue *.  Split out second part into...
9179         (constraint_manager::add_unknown_constraint): ...this new
9180         function.  Remove self-constraints when merging equivalence
9181         classes.
9182         (constraint_manager::add_constraint_internal): Remove constraints
9183         that would be implied by the new constraint.  Port from svalue_id
9184         to const svalue *.
9185         (constraint_manager::get_equiv_class_by_sid): Rename to...
9186         (constraint_manager::get_equiv_class_by_svalue): ...this, porting
9187         from svalue_id to const svalue *.
9188         (constraint_manager::get_or_add_equiv_class): Port from svalue_id
9189         to const svalue *.
9190         (constraint_manager::eval_condition): Make const.  Call
9191         compare_constants and return early if it provides a known result.
9192         (constraint_manager::get_ec_bounds): New.
9193         (constraint_manager::eval_condition): New overloads.  Make
9194         existing one const, and use compare_constants.
9195         (constraint_manager::purge): Convert "p" param to a template
9196         rather than an abstract base class.  Port from svalue_id to
9197         const svalue *.
9198         (class dead_svalue_purger): New class.
9199         (constraint_manager::remap_svalue_ids): Delete.
9200         (constraint_manager::on_liveness_change): New.
9201         (equiv_class_cmp): Port from svalue_id to const svalue *.
9202         (constraint_manager::canonicalize): Likewise.  Combine with
9203         purging of redundant equivalence classes and constraints.
9204         (class cleaned_constraint_manager): Delete.
9205         (class merger_fact_visitor): Make "m_cm_b" const.  Add "m_merger"
9206         field.
9207         (merger_fact_visitor::fact): Port from svalue_id to const svalue *.
9208         Add special case for widening.
9209         (constraint_manager::merge): Port from svalue_id to const svalue *.
9210         (constraint_manager::clean_merger_input): Delete.
9211         (constraint_manager::for_each_fact): Port from svalue_id to
9212         const svalue *.
9213         (constraint_manager::validate): Likewise.
9214         (selftest::test_constraint_conditions): Provide a
9215         region_model_manager when creating region_model instances.
9216         Add test for self-equality not creating equivalence classes.
9217         (selftest::test_transitivity): Provide a region_model_manager when
9218         creating region_model instances.  Verify that EC-merging happens
9219         when constraints are implied.
9220         (selftest::test_constant_comparisons):  Provide a
9221         region_model_manager when creating region_model instances.
9222         (selftest::test_constraint_impl): Likewise.  Remove over-specified
9223         assertions.
9224         (selftest::test_equality): Provide a region_model_manager when
9225         creating region_model instances.
9226         (selftest::test_many_constants): Likewise.  Provide a
9227         program_point when testing merging.
9228         (selftest::run_constraint_manager_tests): Move call to
9229         test_constant_comparisons to outside the transitivity guard.
9230         * constraint-manager.h (struct bound): Move here from
9231         constraint-manager.cc.
9232         (struct range): Likewise.
9233         (struct::eval_condition): New decl.
9234         (struct::below_lower_bound): New decl.
9235         (struct::above_upper_bound): New decl.
9236         (equiv_class::add): Port from svalue_id to const svalue *.
9237         (equiv_class::del): Likewise.
9238         (equiv_class::get_representative): Likewise.
9239         (equiv_class::remap_svalue_ids): Drop.
9240         (equiv_class::m_cst_sid): Convert to...
9241         (equiv_class::m_cst_sval): ...this.
9242         (equiv_class::m_vars): Port from svalue_id to const svalue *.
9243         (constraint::bool implied_by): New decl.
9244         (fact_visitor::on_fact): Port from svalue_id to const svalue *.
9245         (constraint_manager::constraint_manager): Add mgr param.
9246         (constraint_manager::clone): Delete.
9247         (constraint_manager::maybe_get_constant): Delete.
9248         (constraint_manager::get_sid_for_constant): Delete.
9249         (constraint_manager::get_num_svalues): Delete.
9250         (constraint_manager::dump_to_pp): Add "multiline" param.
9251         (constraint_manager::get_equiv_class): Port from svalue_id to
9252         const svalue *.
9253         (constraint_manager::add_constraint):  Likewise.
9254         (constraint_manager::get_equiv_class_by_sid): Rename to...
9255         (constraint_manager::get_equiv_class_by_svalue): ...this, porting
9256         from svalue_id to const svalue *.
9257         (constraint_manager::add_unknown_constraint): New decl.
9258         (constraint_manager::get_or_add_equiv_class): Port from svalue_id
9259         to const svalue *.
9260         (constraint_manager::eval_condition): Likewise.  Add overloads.
9261         (constraint_manager::get_ec_bounds): New decl.
9262         (constraint_manager::purge): Convert to template.
9263         (constraint_manager::remap_svalue_ids): Delete.
9264         (constraint_manager::on_liveness_change): New decl.
9265         (constraint_manager::canonicalize): Drop param.
9266         (constraint_manager::clean_merger_input): Delete.
9267         (constraint_manager::m_mgr): New field.
9268         * diagnostic-manager.cc: Move includes of
9269         "analyzer/call-string.h" and "analyzer/program-point.h" to before
9270         "analyzer/region-model.h", and also include "analyzer/store.h"
9271         before it.
9272         (saved_diagnostic::saved_diagnostic): Add "sval" param.
9273         (diagnostic_manager::diagnostic_manager): Add engine param.
9274         (diagnostic_manager::add_diagnostic): Add "sval" param, passing it
9275         to saved_diagnostic ctor.  Update overload to pass NULL for it.
9276         (dedupe_winners::dedupe_winners): Add engine param.
9277         (dedupe_winners::add): Add "eg" param.  Pass m_engine to
9278         feasible_p.
9279         (dedupe_winner::m_engine): New field.
9280         (diagnostic_manager::emit_saved_diagnostics): Pass engine to
9281         dedupe_winners.  Pass &eg when adding candidates.  Pass svalue
9282         rather than tree to prune_path.  Use get_stmt_location to get
9283         primary location of diagnostic.
9284         (diagnostic_manager::emit_saved_diagnostic): Likewise.
9285         (get_any_origin): Drop.
9286         (state_change_event_creator::on_global_state_change): Pass NULL
9287         const svalue * rather than NULL_TREE trees to state_change_event
9288         ctor.
9289         (state_change_event_creator::on_state_change): Port from tree and
9290         svalue_id to const svalue *.
9291         (for_each_state_change): Port from svalue_id to const svalue *.
9292         (struct null_assignment_sm_context): New.
9293         (diagnostic_manager::add_events_for_eedge):  Add state change
9294         events for assignment to NULL.
9295         (diagnostic_manager::prune_path): Update param from tree to
9296         const svalue *.
9297         (diagnostic_manager::prune_for_sm_diagnostic): Port from tracking
9298         by tree to by const svalue *.
9299         * diagnostic-manager.h (saved_diagnostic::saved_diagnostic): Add sval
9300         param.
9301         (saved_diagnostic::m_sval): New field.
9302         (diagnostic_manager::diagnostic_manager): Add engine param.
9303         (diagnostic_manager::get_engine): New.
9304         (diagnostic_manager::add_diagnostic): Add "sval" param.
9305         (diagnostic_manager::prune_path): Likewise.
9306         (diagnostic_manager::prune_for_sm_diagnostic): New overload.
9307         (diagnostic_manager::m_eng): New field.
9308         * engine.cc: Move includes of "analyzer/call-string.h" and
9309         "analyzer/program-point.h" to before "analyzer/region-model.h",
9310         and also include "analyzer/store.h" before it.
9311         (impl_region_model_context::impl_region_model_context): Update for
9312         removal of m_change field.
9313         (impl_region_model_context::remap_svalue_ids): Delete.
9314         (impl_region_model_context::on_svalue_leak): New.
9315         (impl_region_model_context::on_svalue_purge): Delete.
9316         (impl_region_model_context::on_liveness_change): New.
9317         (impl_region_model_context::on_unknown_change): Update param
9318         from svalue_id to const svalue *.  Add is_mutable param.
9319         (setjmp_svalue::compare_fields): Delete.
9320         (setjmp_svalue::accept): New.
9321         (setjmp_svalue::add_to_hash): Delete.
9322         (setjmp_svalue::dump_to_pp): New.
9323         (setjmp_svalue::print_details): Delete.
9324         (impl_sm_context::impl_sm_context): Drop "change" param.
9325         (impl_sm_context::get_fndecl_for_call): Drop "m_change".
9326         (impl_sm_context::on_transition): Drop ATTRIBUTE_UNUSED from
9327         "stmt" param.  Drop m_change.  Port from svalue_id to
9328         const svalue *.
9329         (impl_sm_context::warn_for_state): Drop m_change.  Port from
9330         svalue_id to const svalue *.
9331         (impl_sm_context::get_readable_tree): Rename to...
9332         (impl_sm_context::get_diagnostic_tree): ...this.  Port from
9333         svalue_id to const svalue *.
9334         (impl_sm_context::is_zero_assignment): New.
9335         (impl_sm_context::m_change): Delete field.
9336         (leak_stmt_finder::find_stmt): Handle m_var being NULL.
9337         (readability):  Increase penalty for MEM_REF.  For SSA_NAMEs,
9338         slightly favor the underlying var over the SSA name.  Heavily
9339         penalize temporaries.  Handle RESULT_DECL.
9340         (readability_comparator): Make non-static.  Consider stack depths.
9341         (impl_region_model_context::on_state_leak): Convert from svalue_id
9342         to const svalue *, updating for region_model changes.  Use
9343         id_equal.
9344         (impl_region_model_context::on_inherited_svalue): Delete.
9345         (impl_region_model_context::on_cast): Delete.
9346         (impl_region_model_context::on_condition):  Drop m_change.
9347         (impl_region_model_context::on_phi): Likewise.
9348         (impl_region_model_context::on_unexpected_tree_code): Handle t
9349         being NULL.
9350         (point_and_state::validate): Update stack checking for
9351         region_model changes.
9352         (eg_traits::dump_args_t::show_enode_details_p): New.
9353         (exploded_node::exploded_node): Initialize m_num_processed_stmts.
9354         (exploded_node::get_processed_stmt): New function.
9355         (exploded_node::get_dot_fillcolor): Add more colors.
9356         (exploded_node::dump_dot): Guard the printing of the point and
9357         state with show_enode_details_p.  Print the processed stmts for
9358         this enode after the initial state.
9359         (exploded_node::dump_to_pp): Pass true for new multiline param
9360         of program_state::dump_to_pp.
9361         (exploded_node::on_stmt): Drop "change" param.  Log the stmt.
9362         Set input_location.  Implement __analyzer_describe.  Update
9363         implementation of __analyzer_dump and __analyzer_eval.
9364         Remove purging of sm-state for unknown fncalls from here.
9365         (exploded_node::on_edge): Drop "change" param.
9366         (exploded_node::on_longjmp): Port from region_id/svalue_id to
9367         const region */const svalue *.  Call program_state::detect_leaks.
9368         Drop state_change.
9369         (exploded_node::detect_leaks): Update for changes to region_model.
9370         Call program_state::detect_leaks.
9371         (exploded_edge::exploded_edge): Drop ext_state and change params.
9372         (exploded_edge::dump_dot): "args" is no longer used.  Drop dumping
9373         of m_change.
9374         (exploded_graph::exploded_graph): Pass engine to
9375         m_diagnostic_manager ctor.  Use program_point::origin.
9376         (exploded_graph::add_function_entry):  Drop ctxt.  Use
9377         program_state::push_frame.  Drop state_change.
9378         (exploded_graph::get_or_create_node): Drop "change" param.  Add
9379         "enode_for_diag" param.  Update dumping calls for API changes.
9380         Pass point to can_merge_with_p.  Show enode indices
9381         within -Wanalyzer-too-complex diagnostic for hitting the per-point
9382         limit.
9383         (exploded_graph::add_edge): Drop "change" param.  Log which nodes
9384         are being connected.  Update for changes to exploded_edge ctor.
9385         (exploded_graph::get_per_program_point_data): New.
9386         (exploded_graph::process_worklist): Pass point to
9387         can_merge_with_p.  Drop state_change.  Update dumping call for API
9388         change.
9389         (exploded_graph::process_node):  Drop state_change.  Split the
9390         node in-place if an sm-state-change occurs.  Update
9391         m_num_processed_stmts.  Update dumping calls for API change.
9392         (exploded_graph::log_stats): Call engine::log_stats.
9393         (exploded_graph::dump_states_for_supernode): Update dumping
9394         call.
9395         (exploded_path::feasible_p): Add "eng" and "eg" params.
9396         Rename "i" to "end_idx".  Pass the manager to the region_model
9397         ctor.  Update for every processed stmt in the enode, not just the
9398         first.  Keep track of which snodes have been visited, and call
9399         loop_replay_fixup when revisiting one.
9400         (enode_label::get_text): Update dump call for new param.
9401         (exploded_graph::dump_exploded_nodes): Likewise.
9402         (exploded_graph::get_node_by_index): New.
9403         (impl_run_checkers): Create engine instance and pass its address
9404         to extrinsic_state ctor.
9405         * exploded-graph.h
9406         (impl_region_model_context::impl_region_model_context): Drop
9407         "change" params.
9408         (impl_region_model_context::remap_svalue_ids): Delete.
9409         (impl_region_model_context::on_svalue_purge): Delete.
9410         (impl_region_model_context::on_svalue_leak): New.
9411         (impl_region_model_context::on_liveness_change): New.
9412         (impl_region_model_context::on_state_leak): Update signature.
9413         (impl_region_model_context::on_inherited_svalue): Delete.
9414         (impl_region_model_context::on_cast): Delete.
9415         (impl_region_model_context::on_unknown_change): Update signature.
9416         (impl_region_model_context::m_change): Delete.
9417         (eg_traits::dump_args_t::show_enode_details_p): New.
9418         (exploded_node::on_stmt): Drop "change" param.
9419         (exploded_node::on_edge): Likewise.
9420         (exploded_node::get_processed_stmt): New decl.
9421         (exploded_node::m_num_processed_stmts): New field.
9422         (exploded_edge::exploded_edge): Drop ext_state and change params.
9423         (exploded_edge::m_change): Delete.
9424         (exploded_graph::get_engine): New accessor.
9425         (exploded_graph::get_or_create_node): Drop "change" param.  Add
9426         "enode_for_diag" param.
9427         (exploded_graph::add_edge): Drop "change" param.
9428         (exploded_graph::get_per_program_point_data): New decl.
9429         (exploded_graph::get_node_by_index): New decl.
9430         (exploded_path::feasible_p): Add "eng" and "eg" params.
9431         * program-point.cc: Include "analyzer/store.h" before including
9432         "analyzer/region-model.h".
9433         (function_point::function_point): Move here from
9434         program-point.h.
9435         (function_point::get_function): Likewise.
9436         (function_point::from_function_entry): Likewise.
9437         (function_point::before_supernode): Likewise.
9438         (function_point::next_stmt): New function.
9439         * program-point.h (function_point::function_point): Move
9440         implementation from here to program-point.cc.
9441         (function_point::get_function): Likewise.
9442         (function_point::from_function_entry): Likewise.
9443         (function_point::before_supernode): Likewise.
9444         (function_point::next_stmt): New decl.
9445         (program_point::operator!=): New.
9446         (program_point::origin): New.
9447         (program_point::next_stmt): New.
9448         (program_point::m_function_point): Make non-const.
9449         * program-state.cc: Move includes of "analyzer/call-string.h" and
9450         "analyzer/program-point.h" to before "analyzer/region-model.h",
9451         and also include "analyzer/store.h" before it.
9452         (extrinsic_state::get_model_manager): New.
9453         (sm_state_map::sm_state_map): Pass in sm and sm_idx to ctor,
9454         rather than passing them around.
9455         (sm_state_map::clone_with_remapping): Delete.
9456         (sm_state_map::print): Remove "sm" param in favor of "m_sm".  Add
9457         "simple" and "multiline" params and support multiline vs single
9458         line dumping.
9459         (sm_state_map::dump): Remove "sm" param in favor of "m_sm".  Add
9460         "simple" param.
9461         (sm_state_map::hash): Port from svalue_id to const svalue *.
9462         (sm_state_map::operator==): Likewise.
9463         (sm_state_map::get_state): Likewise.  Call canonicalize_svalue on
9464         input.  Handle inheritance of sm-state.  Call get_default_state.
9465         (sm_state_map::get_origin): Port from svalue_id to const svalue *.
9466         (sm_state_map::set_state): Likewise.  Pass in ext_state.  Reject
9467         attempts to set state on UNKNOWN.
9468         (sm_state_map::impl_set_state): Port from svalue_id to
9469         const svalue *.  Pass in ext_state.  Call canonicalize_svalue on
9470         input.
9471         (sm_state_map::purge_for_unknown_fncall): Delete.
9472         (sm_state_map::on_svalue_leak): New.
9473         (sm_state_map::remap_svalue_ids): Delete.
9474         (sm_state_map::on_liveness_change): New.
9475         (sm_state_map::on_unknown_change): Reimplement.
9476         (sm_state_map::on_svalue_purge): Delete.
9477         (sm_state_map::on_inherited_svalue): Delete.
9478         (sm_state_map::on_cast): Delete.
9479         (sm_state_map::validate): Delete.
9480         (sm_state_map::canonicalize_svalue): New.
9481         (program_state::program_state): Update to pass manager to
9482         region_model's ctor.  Constify num_states and pass state machine
9483         and index to sm_state_map ctor.
9484         (program_state::print): Update for changes to dump API.
9485         (program_state::dump_to_pp): Ignore the summarize param.  Add
9486         "multiline" param.
9487         (program_state::dump_to_file): Add "multiline" param.
9488         (program_state::dump): Pass "true" for new "multiline" param.
9489         (program_state::push_frame): New.
9490         (program_state::on_edge): Drop "change" param.  Call
9491         program_state::detect_leaks.
9492         (program_state::prune_for_point): Add enode_for_diag param.
9493         Reimplement based on store class.  Call detect_leaks.
9494         (program_state::remap_svalue_ids): Delete.
9495         (program_state::get_representative_tree): Port from svalue_id to
9496         const svalue *.
9497         (program_state::can_merge_with_p): Add "point" param.  Add early
9498         reject for sm-differences.  Drop id remapping.
9499         (program_state::validate): Drop region model and sm_state_map
9500         validation.
9501         (state_change::sm_change::dump): Delete.
9502         (state_change::sm_change::remap_svalue_ids): Delete.
9503         (state_change::sm_change::on_svalue_purge): Delete.
9504         (log_set_of_svalues): New.
9505         (state_change::sm_change::validate): Delete.
9506         (state_change::state_change): Delete.
9507         (state_change::add_sm_change): Delete.
9508         (state_change::affects_p): Delete.
9509         (state_change::dump): Delete.
9510         (state_change::remap_svalue_ids): Delete.
9511         (state_change::on_svalue_purge): Delete.
9512         (state_change::validate): Delete.
9513         (selftest::assert_dump_eq): Delete.
9514         (ASSERT_DUMP_EQ): Delete.
9515         (selftest::test_sm_state_map): Update for changes to region_model
9516         and sm_state_map, porting from svalue_id to const svalue *.
9517         (selftest::test_program_state_dumping): Likewise.  Drop test of
9518         dumping, renaming to...
9519         (selftest::test_program_state_1): ...this.
9520         (selftest::test_program_state_dumping_2): Likewise, renaming to...
9521         (selftest::test_program_state_2): ...this.
9522         (selftest::test_program_state_merging): Update for changes to
9523         region_model.
9524         (selftest::test_program_state_merging_2): Likewise.
9525         (selftest::analyzer_program_state_cc_tests): Update for renamed
9526         tests.
9527         * program-state.h (extrinsic_state::extrinsic_state): Add logger
9528         and engine params.
9529         (extrinsic_state::get_logger): New accessor.
9530         (extrinsic_state::get_engine): New accessor.
9531         (extrinsic_state::get_model_manager): New accessor.
9532         (extrinsic_state::m_logger): New field.
9533         (extrinsic_state::m_engine): New field.
9534         (struct default_hash_traits<svalue_id>): Delete.
9535         (pod_hash_traits<svalue_id>::hash): Delete.
9536         (pod_hash_traits<svalue_id>::equal): Delete.
9537         (pod_hash_traits<svalue_id>::mark_deleted): Delete.
9538         (pod_hash_traits<svalue_id>::mark_empty): Delete.
9539         (pod_hash_traits<svalue_id>::is_deleted): Delete.
9540         (pod_hash_traits<svalue_id>::is_empty): Delete.
9541         (sm_state_map::entry_t::entry_t): Port from svalue_id to
9542         const svalue *.
9543         (sm_state_map::entry_t::m_origin): Likewise.
9544         (sm_state_map::map_t): Likewise.
9545         (sm_state_map::sm_state_map): Add state_machine and index params.
9546         (sm_state_map::clone_with_remapping): Delete.
9547         (sm_state_map::print):  Drop sm param; add simple and multiline
9548         params.
9549         (sm_state_map::dump): Drop sm param; add simple param.
9550         (sm_state_map::get_state): Port from svalue_id to const svalue *.
9551         Add ext_state param.
9552         (sm_state_map::get_origin): Likewise.
9553         (sm_state_map::set_state): Likewise.
9554         (sm_state_map::impl_set_state): Likewise.
9555         (sm_state_map::purge_for_unknown_fncall): Delete.
9556         (sm_state_map::remap_svalue_ids): Delete.
9557         (sm_state_map::on_svalue_purge): Delete.
9558         (sm_state_map::on_svalue_leak): New.
9559         (sm_state_map::on_liveness_change): New.
9560         (sm_state_map::on_inherited_svalue): Delete.
9561         (sm_state_map::on_cast): Delete.
9562         (sm_state_map::validate): Delete.
9563         (sm_state_map::on_unknown_change): Port from svalue_id to
9564         const svalue *.  Add is_mutable and ext_state params.
9565         (sm_state_map::canonicalize_svalue): New.
9566         (sm_state_map::m_sm): New field.
9567         (sm_state_map::m_sm_idx): New field.
9568         (program_state::operator=): Delete.
9569         (program_state::dump_to_pp): Drop "summarize" param, adding
9570         "simple" and "multiline".
9571         (program_state::dump_to_file): Likewise.
9572         (program_state::dump): Rename "summarize" to "simple".
9573         (program_state::push_frame): New.
9574         (program_state::get_current_function): New.
9575         (program_state::on_edge): Drop "change" param.
9576         (program_state::prune_for_point): Likewise.  Add enode_for_diag
9577         param.
9578         (program_state::remap_svalue_ids): Delete.
9579         (program_state::get_representative_tree): Port from svalue_id to
9580         const svalue *.
9581         (program_state::can_purge_p): Likewise.  Pass ext_state to get_state.
9582         (program_state::can_merge_with_p): Add point param.
9583         (program_state::detect_leaks): New.
9584         (state_change_visitor::on_state_change): Port from tree and
9585         svalue_id to a pair of const svalue *.
9586         (class state_change): Delete.
9587         * region.cc: New file.
9588         * region-model-impl-calls.cc: New file.
9589         * region-model-manager.cc: New file.
9590         * region-model-reachability.cc: New file.
9591         * region-model-reachability.h: New file.
9592         * region-model.cc: Include "analyzer/call-string.h",
9593         "analyzer/program-point.h", and "analyzer/store.h" before
9594         "analyzer/region-model.h".  Include
9595         "analyzer/region-model-reachability.h".
9596         (dump_tree): Make non-static.
9597         (dump_quoted_tree): Make non-static.
9598         (print_quoted_type): Make non-static.
9599         (path_var::dump): Delete.
9600         (dump_separator): Delete.
9601         (class impl_constraint_manager): Delete.
9602         (svalue_id::print): Delete.
9603         (svalue_id::dump_node_name_to_pp): Delete.
9604         (svalue_id::validate): Delete.
9605         (region_id::print): Delete.
9606         (region_id::dump_node_name_to_pp): Delete.
9607         (region_id::validate): Delete.
9608         (region_id_set::region_id_set): Delete.
9609         (svalue_id_set::svalue_id_set): Delete.
9610         (svalue::operator==): Delete.
9611         (svalue::hash): Delete.
9612         (svalue::print): Delete.
9613         (svalue::dump_dot_to_pp): Delete.
9614         (svalue::remap_region_ids): Delete.
9615         (svalue::walk_for_canonicalization): Delete.
9616         (svalue::get_child_sid): Delete.
9617         (svalue::maybe_get_constant): Delete.
9618         (region_svalue::compare_fields): Delete.
9619         (region_svalue::add_to_hash): Delete.
9620         (region_svalue::print_details): Delete.
9621         (region_svalue::dump_dot_to_pp): Delete.
9622         (region_svalue::remap_region_ids): Delete.
9623         (region_svalue::merge_values): Delete.
9624         (region_svalue::walk_for_canonicalization): Delete.
9625         (region_svalue::eval_condition): Delete.
9626         (constant_svalue::compare_fields): Delete.
9627         (constant_svalue::add_to_hash): Delete.
9628         (constant_svalue::merge_values): Delete.
9629         (constant_svalue::eval_condition): Move to svalue.cc.
9630         (constant_svalue::print_details): Delete.
9631         (constant_svalue::get_child_sid): Delete.
9632         (unknown_svalue::compare_fields): Delete.
9633         (unknown_svalue::add_to_hash): Delete.
9634         (unknown_svalue::print_details): Delete.
9635         (poison_kind_to_str): Move to svalue.cc.
9636         (poisoned_svalue::compare_fields): Delete.
9637         (poisoned_svalue::add_to_hash): Delete.
9638         (poisoned_svalue::print_details): Delete.
9639         (region_kind_to_str): Move to region.cc and reimplement.
9640         (region::operator==): Delete.
9641         (region::get_parent_region): Delete.
9642         (region::set_value): Delete.
9643         (region::become_active_view): Delete.
9644         (region::deactivate_any_active_view): Delete.
9645         (region::deactivate_view): Delete.
9646         (region::get_value): Delete.
9647         (region::get_inherited_child_sid): Delete.
9648         (region_model::copy_region): Delete.
9649         (region_model::copy_struct_region): Delete.
9650         (region_model::copy_union_region): Delete.
9651         (region_model::copy_array_region): Delete.
9652         (region::hash): Delete.
9653         (region::print): Delete.
9654         (region::dump_dot_to_pp): Delete.
9655         (region::dump_to_pp): Delete.
9656         (region::dump_child_label): Delete.
9657         (region::validate): Delete.
9658         (region::remap_svalue_ids): Delete.
9659         (region::remap_region_ids): Delete.
9660         (region::add_view): Delete.
9661         (region::get_view): Delete.
9662         (region::region): Move to region.cc.
9663         (region::add_to_hash): Delete.
9664         (region::print_fields): Delete.
9665         (region::non_null_p): Delete.
9666         (primitive_region::clone): Delete.
9667         (primitive_region::walk_for_canonicalization): Delete.
9668         (map_region::map_region): Delete.
9669         (map_region::compare_fields): Delete.
9670         (map_region::print_fields): Delete.
9671         (map_region::validate): Delete.
9672         (map_region::dump_dot_to_pp): Delete.
9673         (map_region::dump_child_label): Delete.
9674         (map_region::get_or_create): Delete.
9675         (map_region::get): Delete.
9676         (map_region::add_to_hash): Delete.
9677         (map_region::remap_region_ids): Delete.
9678         (map_region::unbind): Delete.
9679         (map_region::get_tree_for_child_region): Delete.
9680         (map_region::get_tree_for_child_region): Delete.
9681         (tree_cmp): Move to region.cc.
9682         (map_region::can_merge_p): Delete.
9683         (map_region::walk_for_canonicalization): Delete.
9684         (map_region::get_value_by_name): Delete.
9685         (struct_or_union_region::valid_key_p): Delete.
9686         (struct_or_union_region::compare_fields): Delete.
9687         (struct_region::clone): Delete.
9688         (struct_region::compare_fields): Delete.
9689         (union_region::clone): Delete.
9690         (union_region::compare_fields): Delete.
9691         (frame_region::compare_fields): Delete.
9692         (frame_region::clone): Delete.
9693         (frame_region::valid_key_p): Delete.
9694         (frame_region::print_fields): Delete.
9695         (frame_region::add_to_hash): Delete.
9696         (globals_region::compare_fields): Delete.
9697         (globals_region::clone): Delete.
9698         (globals_region::valid_key_p): Delete.
9699         (code_region::compare_fields): Delete.
9700         (code_region::clone): Delete.
9701         (code_region::valid_key_p): Delete.
9702         (array_region::array_region): Delete.
9703         (array_region::get_element): Delete.
9704         (array_region::clone): Delete.
9705         (array_region::compare_fields): Delete.
9706         (array_region::print_fields): Delete.
9707         (array_region::validate): Delete.
9708         (array_region::dump_dot_to_pp): Delete.
9709         (array_region::dump_child_label): Delete.
9710         (array_region::get_or_create): Delete.
9711         (array_region::get): Delete.
9712         (array_region::add_to_hash): Delete.
9713         (array_region::remap_region_ids): Delete.
9714         (array_region::get_key_for_child_region): Delete.
9715         (array_region::key_cmp): Delete.
9716         (array_region::walk_for_canonicalization): Delete.
9717         (array_region::key_from_constant): Delete.
9718         (array_region::constant_from_key): Delete.
9719         (function_region::compare_fields): Delete.
9720         (function_region::clone): Delete.
9721         (function_region::valid_key_p): Delete.
9722         (stack_region::stack_region): Delete.
9723         (stack_region::compare_fields): Delete.
9724         (stack_region::clone): Delete.
9725         (stack_region::print_fields): Delete.
9726         (stack_region::dump_child_label): Delete.
9727         (stack_region::validate): Delete.
9728         (stack_region::push_frame): Delete.
9729         (stack_region::get_current_frame_id): Delete.
9730         (stack_region::pop_frame): Delete.
9731         (stack_region::add_to_hash): Delete.
9732         (stack_region::remap_region_ids): Delete.
9733         (stack_region::can_merge_p): Delete.
9734         (stack_region::walk_for_canonicalization): Delete.
9735         (stack_region::get_value_by_name): Delete.
9736         (heap_region::heap_region): Delete.
9737         (heap_region::compare_fields): Delete.
9738         (heap_region::clone): Delete.
9739         (heap_region::walk_for_canonicalization): Delete.
9740         (root_region::root_region): Delete.
9741         (root_region::compare_fields): Delete.
9742         (root_region::clone): Delete.
9743         (root_region::print_fields): Delete.
9744         (root_region::validate): Delete.
9745         (root_region::dump_child_label): Delete.
9746         (root_region::push_frame): Delete.
9747         (root_region::get_current_frame_id): Delete.
9748         (root_region::pop_frame): Delete.
9749         (root_region::ensure_stack_region): Delete.
9750         (root_region::get_stack_region): Delete.
9751         (root_region::ensure_globals_region): Delete.
9752         (root_region::get_code_region): Delete.
9753         (root_region::ensure_code_region): Delete.
9754         (root_region::get_globals_region): Delete.
9755         (root_region::ensure_heap_region): Delete.
9756         (root_region::get_heap_region): Delete.
9757         (root_region::remap_region_ids): Delete.
9758         (root_region::can_merge_p): Delete.
9759         (root_region::add_to_hash): Delete.
9760         (root_region::walk_for_canonicalization): Delete.
9761         (root_region::get_value_by_name): Delete.
9762         (symbolic_region::symbolic_region): Delete.
9763         (symbolic_region::compare_fields): Delete.
9764         (symbolic_region::clone): Delete.
9765         (symbolic_region::walk_for_canonicalization): Delete.
9766         (symbolic_region::print_fields): Delete.
9767         (region_model::region_model): Add region_model_manager * param.
9768         Reimplement in terms of store, dropping impl_constraint_manager
9769         subclass.
9770         (region_model::operator=): Reimplement in terms of store.
9771         (region_model::operator==): Likewise.
9772         (region_model::hash): Likewise.
9773         (region_model::print): Delete.
9774         (region_model::print_svalue): Delete.
9775         (region_model::dump_dot_to_pp): Delete.
9776         (region_model::dump_dot_to_file): Delete.
9777         (region_model::dump_dot): Delete.
9778         (region_model::dump_to_pp): Replace "summarize" param with
9779         "simple" and "multiline".  Port to store-based implementation.
9780         (region_model::dump): Replace "summarize" param with "simple" and
9781         "multiline".
9782         (dump_vec_of_tree): Delete.
9783         (region_model::dump_summary_of_rep_path_vars): Delete.
9784         (region_model::validate): Delete.
9785         (svalue_id_cmp_by_constant_svalue_model): Delete.
9786         (svalue_id_cmp_by_constant_svalue): Delete.
9787         (region_model::canonicalize): Drop "ctxt" param.  Reimplement in
9788         terms of store and constraints.
9789         (region_model::canonicalized_p): Remove NULL arg to canonicalize.
9790         (region_model::loop_replay_fixup): New.
9791         (poisoned_value_diagnostic::emit): Tweak wording of warnings.
9792         (region_model::check_for_poison): Delete.
9793         (region_model::get_gassign_result): New.
9794         (region_model::on_assignment): Port to store-based implementation.
9795         (region_model::on_call_pre): Delete calls to check_for_poison.
9796         Move implementations to region-model-impl-calls.cc and port to
9797         store-based implementation.
9798         (region_model::on_call_post): Likewise.
9799         (class reachable_regions): Move to region-model-reachability.h/cc
9800         and port to store-based implementation.
9801         (region_model::handle_unrecognized_call): Port to store-based
9802         implementation.
9803         (region_model::get_reachable_svalues): New.
9804         (region_model::on_setjmp): Port to store-based implementation.
9805         (region_model::on_longjmp): Likewise.
9806         (region_model::handle_phi): Drop is_back_edge param and the logic
9807         using it.
9808         (region_model::get_lvalue_1): Port from region_id to const region *.
9809         (region_model::make_region_for_unexpected_tree_code): Delete.
9810         (assert_compat_types): If the check fails, use internal_error to
9811         show the types.
9812         (region_model::get_lvalue): Port from region_id to const region *.
9813         (region_model::get_rvalue_1): Port from svalue_id to const svalue *.
9814         (region_model::get_rvalue): Likewise.
9815         (region_model::get_or_create_ptr_svalue): Delete.
9816         (region_model::get_or_create_constant_svalue): Delete.
9817         (region_model::get_svalue_for_fndecl): Delete.
9818         (region_model::get_region_for_fndecl): Delete.
9819         (region_model::get_svalue_for_label): Delete.
9820         (region_model::get_region_for_label): Delete.
9821         (build_cast): Delete.
9822         (region_model::maybe_cast_1): Delete.
9823         (region_model::maybe_cast): Delete.
9824         (region_model::get_field_region): Delete.
9825         (region_model::get_store_value): New.
9826         (region_model::region_exists_p): New.
9827         (region_model::deref_rvalue): Port from svalue_id to const svalue *.
9828         (region_model::set_value): Likewise.
9829         (region_model::clobber_region): New.
9830         (region_model::purge_region): New.
9831         (region_model::zero_fill_region): New.
9832         (region_model::mark_region_as_unknown): New.
9833         (region_model::eval_condition): Port from svalue_id to
9834         const svalue *.
9835         (region_model::eval_condition_without_cm): Likewise.
9836         (region_model::compare_initial_and_pointer): New.
9837         (region_model::add_constraint): Port from svalue_id to
9838         const svalue *.
9839         (region_model::maybe_get_constant): Delete.
9840         (region_model::get_representative_path_var): New.
9841         (region_model::add_new_malloc_region): Delete.
9842         (region_model::get_representative_tree): Port to const svalue *.
9843         (region_model::get_representative_path_var): Port to
9844         const region *.
9845         (region_model::get_path_vars_for_svalue): Delete.
9846         (region_model::set_to_new_unknown_value): Delete.
9847         (region_model::update_for_phis): Don't pass is_back_edge to handle_phi.
9848         (region_model::update_for_call_superedge): Port from svalue_id to
9849         const svalue *.
9850         (region_model::update_for_return_superedge): Port to store-based
9851         implementation.
9852         (region_model::update_for_call_summary): Replace
9853         set_to_new_unknown_value with mark_region_as_unknown.
9854         (region_model::get_root_region): Delete.
9855         (region_model::get_stack_region_id): Delete.
9856         (region_model::push_frame): Delete.
9857         (region_model::get_current_frame_id): Delete.
9858         (region_model::get_current_function): Delete.
9859         (region_model::pop_frame): Delete.
9860         (region_model::on_top_level_param): New.
9861         (region_model::get_stack_depth): Delete.
9862         (region_model::get_function_at_depth): Delete.
9863         (region_model::get_globals_region_id): Delete.
9864         (region_model::add_svalue): Delete.
9865         (region_model::replace_svalue): Delete.
9866         (region_model::add_region): Delete.
9867         (region_model::get_svalue): Delete.
9868         (region_model::get_region): Delete.
9869         (make_region_for_type): Delete.
9870         (region_model::add_region_for_type): Delete.
9871         (region_model::on_top_level_param): New.
9872         (class restrict_to_used_svalues): Delete.
9873         (region_model::purge_unused_svalues): Delete.
9874         (region_model::push_frame): New.
9875         (region_model::remap_svalue_ids): Delete.
9876         (region_model::remap_region_ids): Delete.
9877         (region_model::purge_regions): Delete.
9878         (region_model::get_descendents): Delete.
9879         (region_model::delete_region_and_descendents): Delete.
9880         (region_model::poison_any_pointers_to_bad_regions): Delete.
9881         (region_model::can_merge_with_p): Delete.
9882         (region_model::get_current_function): New.
9883         (region_model::get_value_by_name): Delete.
9884         (region_model::convert_byte_offset_to_array_index): Delete.
9885         (region_model::pop_frame): New.
9886         (region_model::get_or_create_mem_ref): Delete.
9887         (region_model::get_stack_depth): New.
9888         (region_model::get_frame_at_index): New.
9889         (region_model::unbind_region_and_descendents): New.
9890         (struct bad_pointer_finder): New.
9891         (region_model::get_or_create_pointer_plus_expr): Delete.
9892         (region_model::poison_any_pointers_to_descendents): New.
9893         (region_model::get_or_create_view): Delete.
9894         (region_model::can_merge_with_p): New.
9895         (region_model::get_fndecl_for_call):  Port from svalue_id to
9896         const svalue *.
9897         (struct append_ssa_names_cb_data): New.
9898         (get_ssa_name_regions_for_current_frame): New.
9899         (region_model::append_ssa_names_cb): New.
9900         (model_merger::dump_to_pp): Add "simple" param.  Drop dumping of
9901         remappings.
9902         (model_merger::dump): Add "simple" param to both overloads.
9903         (model_merger::can_merge_values_p): Delete.
9904         (model_merger::record_regions): Delete.
9905         (model_merger::record_svalues): Delete.
9906         (svalue_id_merger_mapping::svalue_id_merger_mapping): Delete.
9907         (svalue_id_merger_mapping::dump_to_pp): Delete.
9908         (svalue_id_merger_mapping::dump): Delete.
9909         (region_model::create_region_for_heap_alloc): New.
9910         (region_model::create_region_for_alloca): New.
9911         (region_model::record_dynamic_extents): New.
9912         (canonicalization::canonicalization): Delete.
9913         (canonicalization::walk_rid): Delete.
9914         (canonicalization::walk_sid): Delete.
9915         (canonicalization::dump_to_pp): Delete.
9916         (canonicalization::dump): Delete.
9917         (inchash::add): Delete overloads for svalue_id and region_id.
9918         (engine::log_stats): New.
9919         (assert_condition): Add overload comparing svalues.
9920         (assert_dump_eq): Pass "true" for multiline.
9921         (selftest::test_dump): Update for rewrite of region_model.
9922         (selftest::test_dump_2): Rename to...
9923         (selftest::test_struct): ...this.  Provide a region_model_manager
9924         when creating region_model instance.  Remove dump test.  Add
9925         checks for get_offset.
9926         (selftest::test_dump_3): Rename to...
9927         (selftest::test_array_1): ...this.  Provide a region_model_manager
9928         when creating region_model instance.  Remove dump test.
9929         (selftest::test_get_representative_tree): Port from svalue_id to
9930         new API.  Add test coverage for various expressions.
9931         (selftest::test_unique_constants): Provide a region_model_manager
9932         for the region_model.  Add test coverage for comparing const vs
9933         non-const.
9934         (selftest::test_svalue_equality): Delete.
9935         (selftest::test_region_equality): Delete.
9936         (selftest::test_unique_unknowns): New.
9937         (class purge_all_svalue_ids): Delete.
9938         (class purge_one_svalue_id): Delete.
9939         (selftest::test_purging_by_criteria): Delete.
9940         (selftest::test_initial_svalue_folding): New.
9941         (selftest::test_unaryop_svalue_folding): New.
9942         (selftest::test_binop_svalue_folding): New.
9943         (selftest::test_sub_svalue_folding): New.
9944         (selftest::test_purge_unused_svalues): Delete.
9945         (selftest::test_descendent_of_p): New.
9946         (selftest::test_assignment): Provide a region_model_manager for
9947         the region_model.  Drop the dump test.
9948         (selftest::test_compound_assignment): Likewise.
9949         (selftest::test_stack_frames): Port to new implementation.
9950         (selftest::test_get_representative_path_var): Likewise.
9951         (selftest::test_canonicalization_1): Rename to...
9952         (selftest::test_equality_1): ...this.  Port to new API, and add
9953         (selftest::test_canonicalization_2): Provide a
9954         region_model_manager when creating region_model instances.
9955         Remove redundant canonicalization.
9956         (selftest::test_canonicalization_3): Provide a
9957         region_model_manager when creating region_model instances.
9958         Remove param from calls to region_model::canonicalize.
9959         (selftest::test_canonicalization_4): Likewise.
9960         (selftest::assert_region_models_merge): Constify
9961         out_merged_svalue.  Port to new API.
9962         (selftest::test_state_merging): Provide a
9963         region_model_manager when creating region_model instances.
9964         Provide a program_point point when merging them.  Replace
9965         set_to_new_unknown_value with usage of placeholder_svalues.
9966         Drop get_value_by_name.  Port from svalue_id to const svalue *.
9967         Add test of heap allocation.
9968         (selftest::test_constraint_merging):  Provide a
9969         region_model_manager when creating region_model instances.
9970         Provide a program_point point when merging them.  Eliminate use
9971         of set_to_new_unknown_value.
9972         (selftest::test_widening_constraints): New.
9973         (selftest::test_iteration_1): New.
9974         (selftest::test_malloc_constraints): Port to store-based
9975         implementation.
9976         (selftest::test_var): New test.
9977         (selftest::test_array_2): New test.
9978         (selftest::test_mem_ref): New test.
9979         (selftest::test_POINTER_PLUS_EXPR_then_MEM_REF): New.
9980         (selftest::test_malloc): New.
9981         (selftest::test_alloca): New.
9982         (selftest::analyzer_region_model_cc_tests): Update for renamings.
9983         Call new functions.
9984         * region-model.h (class path_var): Move to analyzer.h.
9985         (class svalue_id): Delete.
9986         (class region_id): Delete.
9987         (class id_map): Delete.
9988         (svalue_id_map): Delete.
9989         (region_id_map): Delete.
9990         (id_map<T>::id_map): Delete.
9991         (id_map<T>::put): Delete.
9992         (id_map<T>::get_dst_for_src): Delete.
9993         (id_map<T>::get_src_for_dst): Delete.
9994         (id_map<T>::dump_to_pp): Delete.
9995         (id_map<T>::dump): Delete.
9996         (id_map<T>::update): Delete.
9997         (one_way_svalue_id_map): Delete.
9998         (one_way_region_id_map): Delete.
9999         (class region_id_set): Delete.
10000         (class svalue_id_set): Delete.
10001         (struct complexity): New.
10002         (class visitor): New.
10003         (enum svalue_kind): Add SK_SETJMP, SK_INITIAL, SK_UNARYOP,
10004         SK_BINOP, SK_SUB, SK_UNMERGEABLE, SK_PLACEHOLDER, SK_WIDENING,
10005         SK_COMPOUND, and SK_CONJURED.
10006         (svalue::operator==): Delete.
10007         (svalue::operator!=): Delete.
10008         (svalue::clone): Delete.
10009         (svalue::hash): Delete.
10010         (svalue::dump_dot_to_pp): Delete.
10011         (svalue::dump_to_pp): New.
10012         (svalue::dump): New.
10013         (svalue::get_desc): New.
10014         (svalue::dyn_cast_initial_svalue): New.
10015         (svalue::dyn_cast_unaryop_svalue): New.
10016         (svalue::dyn_cast_binop_svalue): New.
10017         (svalue::dyn_cast_sub_svalue): New.
10018         (svalue::dyn_cast_unmergeable_svalue): New.
10019         (svalue::dyn_cast_widening_svalue): New.
10020         (svalue::dyn_cast_compound_svalue): New.
10021         (svalue::dyn_cast_conjured_svalue): New.
10022         (svalue::maybe_undo_cast): New.
10023         (svalue::unwrap_any_unmergeable): New.
10024         (svalue::remap_region_ids): Delete
10025         (svalue::can_merge_p): New.
10026         (svalue::walk_for_canonicalization): Delete
10027         (svalue::get_complexity): New.
10028         (svalue::get_child_sid): Delete
10029         (svalue::accept): New.
10030         (svalue::live_p): New.
10031         (svalue::implicitly_live_p): New.
10032         (svalue::svalue): Add complexity param.
10033         (svalue::add_to_hash): Delete
10034         (svalue::print_details): Delete
10035         (svalue::m_complexity): New field.
10036         (region_svalue::key_t): New struct.
10037         (region_svalue::region_svalue): Port from region_id to
10038         const region *.  Add complexity.
10039         (region_svalue::compare_fields): Delete.
10040         (region_svalue::clone): Delete.
10041         (region_svalue::dump_dot_to_pp): Delete.
10042         (region_svalue::get_pointee): Port from region_id to
10043         const region *.
10044         (region_svalue::remap_region_ids): Delete.
10045         (region_svalue::merge_values): Delete.
10046         (region_svalue::dump_to_pp): New.
10047         (region_svalue::accept): New.
10048         (region_svalue::walk_for_canonicalization): Delete.
10049         (region_svalue::eval_condition): Make params const.
10050         (region_svalue::add_to_hash): Delete.
10051         (region_svalue::print_details): Delete.
10052         (region_svalue::m_rid): Replace with...
10053         (region_svalue::m_reg): ...this.
10054         (is_a_helper <region_svalue *>::test): Convert to...
10055         (is_a_helper <const region_svalue *>::test): ...this.
10056         (template <> struct default_hash_traits<region_svalue::key_t>):
10057         New.
10058         (constant_svalue::constant_svalue): Add complexity.
10059         (constant_svalue::compare_fields): Delete.
10060         (constant_svalue::clone): Delete.
10061         (constant_svalue::add_to_hash): Delete.
10062         (constant_svalue::dump_to_pp): New.
10063         (constant_svalue::accept): New.
10064         (constant_svalue::implicitly_live_p): New.
10065         (constant_svalue::merge_values): Delete.
10066         (constant_svalue::eval_condition): Make params const.
10067         (constant_svalue::get_child_sid): Delete.
10068         (constant_svalue::print_details): Delete.
10069         (is_a_helper <constant_svalue *>::test): Convert to...
10070         (is_a_helper <const constant_svalue *>::test): ...this.
10071         (class unknown_svalue): Update leading comment.
10072         (unknown_svalue::unknown_svalue): Add complexity.
10073         (unknown_svalue::compare_fields): Delete.
10074         (unknown_svalue::add_to_hash): Delete.
10075         (unknown_svalue::dyn_cast_unknown_svalue): Delete.
10076         (unknown_svalue::print_details): Delete.
10077         (unknown_svalue::dump_to_pp): New.
10078         (unknown_svalue::accept): New.
10079         (poisoned_svalue::key_t): New struct.
10080         (poisoned_svalue::poisoned_svalue): Add complexity.
10081         (poisoned_svalue::compare_fields): Delete.
10082         (poisoned_svalue::clone): Delete.
10083         (poisoned_svalue::add_to_hash): Delete.
10084         (poisoned_svalue::dump_to_pp): New.
10085         (poisoned_svalue::accept): New.
10086         (poisoned_svalue::print_details): Delete.
10087         (is_a_helper <poisoned_svalue *>::test): Convert to...
10088         (is_a_helper <const poisoned_svalue *>::test): ...this.
10089         (template <> struct default_hash_traits<poisoned_svalue::key_t>):
10090         New.
10091         (setjmp_record::add_to_hash): New.
10092         (setjmp_svalue::key_t): New struct.
10093         (setjmp_svalue::compare_fields): Delete.
10094         (setjmp_svalue::clone): Delete.
10095         (setjmp_svalue::add_to_hash): Delete.
10096         (setjmp_svalue::setjmp_svalue): Add complexity.
10097         (setjmp_svalue::dump_to_pp): New.
10098         (setjmp_svalue::accept): New.
10099         (setjmp_svalue::void print_details): Delete.
10100         (is_a_helper <const setjmp_svalue *>::test): New.
10101         (template <> struct default_hash_traits<setjmp_svalue::key_t>): New.
10102         (class initial_svalue : public svalue): New.
10103         (is_a_helper <const initial_svalue *>::test): New.
10104         (class unaryop_svalue): New.
10105         (is_a_helper <const unaryop_svalue *>::test): New.
10106         (template <> struct default_hash_traits<unaryop_svalue::key_t>): New.
10107         (class binop_svalue): New.
10108         (is_a_helper <const binop_svalue *>::test): New.
10109         (template <> struct default_hash_traits<binop_svalue::key_t>): New.
10110         (class sub_svalue): New.
10111         (is_a_helper <const sub_svalue *>::test): New.
10112         (template <> struct default_hash_traits<sub_svalue::key_t>): New.
10113         (class unmergeable_svalue): New.
10114         (is_a_helper <const unmergeable_svalue *>::test): New.
10115         (class placeholder_svalue): New.
10116         (is_a_helper <placeholder_svalue *>::test): New.
10117         (class widening_svalue): New.
10118         (is_a_helper <widening_svalue *>::test): New.
10119         (template <> struct default_hash_traits<widening_svalue::key_t>): New.
10120         (class compound_svalue): New.
10121         (is_a_helper <compound_svalue *>::test): New.
10122         (template <> struct default_hash_traits<compound_svalue::key_t>): New.
10123         (class conjured_svalue): New.
10124         (is_a_helper <conjured_svalue *>::test): New.
10125         (template <> struct default_hash_traits<conjured_svalue::key_t>): New.
10126         (enum region_kind): Delete RK_PRIMITIVE, RK_STRUCT, RK_UNION, and
10127         RK_ARRAY.  Add RK_LABEL, RK_DECL, RK_FIELD, RK_ELEMENT, RK_OFFSET,
10128         RK_CAST, RK_HEAP_ALLOCATED, RK_ALLOCA, RK_STRING, and RK_UNKNOWN.
10129         (region_kind_to_str): Delete.
10130         (region::~region): Move implementation to region.cc.
10131         (region::operator==): Delete.
10132         (region::operator!=): Delete.
10133         (region::clone): Delete.
10134         (region::get_id): New.
10135         (region::cmp_ids): New.
10136         (region::dyn_cast_map_region): Delete.
10137         (region::dyn_cast_array_region): Delete.
10138         (region::region_id get_parent): Delete.
10139         (region::get_parent_region): Convert to a simple accessor.
10140         (region::void set_value): Delete.
10141         (region::svalue_id get_value): Delete.
10142         (region::svalue_id get_value_direct): Delete.
10143         (region::svalue_id get_inherited_child_sid): Delete.
10144         (region::dyn_cast_frame_region): New.
10145         (region::dyn_cast_function_region): New.
10146         (region::dyn_cast_decl_region): New.
10147         (region::dyn_cast_field_region): New.
10148         (region::dyn_cast_element_region): New.
10149         (region::dyn_cast_offset_region): New.
10150         (region::dyn_cast_cast_region): New.
10151         (region::dyn_cast_string_region): New.
10152         (region::accept): New.
10153         (region::get_base_region): New.
10154         (region::base_region_p): New.
10155         (region::descendent_of_p): New.
10156         (region::maybe_get_frame_region): New.
10157         (region::maybe_get_decl): New.
10158         (region::hash): Delete.
10159         (region::rint): Delete.
10160         (region::dump_dot_to_pp): Delete.
10161         (region::get_desc): New.
10162         (region::dump_to_pp): Convert to vfunc, changing signature.
10163         (region::dump_child_label): Delete.
10164         (region::remap_svalue_ids): Delete.
10165         (region::remap_region_ids): Delete.
10166         (region::dump): New.
10167         (region::walk_for_canonicalization): Delete.
10168         (region::non_null_p): Drop region_model param.
10169         (region::add_view): Delete.
10170         (region::get_view): Delete.
10171         (region::get_active_view): Delete.
10172         (region::is_view_p): Delete.
10173         (region::cmp_ptrs): New.
10174         (region::validate): Delete.
10175         (region::get_offset): New.
10176         (region::get_byte_size): New.
10177         (region::get_bit_size): New.
10178         (region::get_subregions_for_binding): New.
10179         (region::region): Add complexity param.  Convert parent from
10180         region_id to const region *.  Drop svalue_id.  Drop copy ctor.
10181         (region::symbolic_for_unknown_ptr_p): New.
10182         (region::add_to_hash): Delete.
10183         (region::print_fields): Delete.
10184         (region::get_complexity): New accessor.
10185         (region::become_active_view): Delete.
10186         (region::deactivate_any_active_view): Delete.
10187         (region::deactivate_view): Delete.
10188         (region::calc_offset): New.
10189         (region::m_parent_rid): Delete.
10190         (region::m_sval_id): Delete.
10191         (region::m_complexity): New.
10192         (region::m_id): New.
10193         (region::m_parent): New.
10194         (region::m_view_rids): Delete.
10195         (region::m_is_view): Delete.
10196         (region::m_active_view_rid): Delete.
10197         (region::m_cached_offset): New.
10198         (is_a_helper <region *>::test): Convert to...
10199         (is_a_helper <const region *>::test): ... this.
10200         (class primitive_region): Delete.
10201         (class space_region): New.
10202         (class map_region): Delete.
10203         (is_a_helper <map_region *>::test): Delete.
10204         (class frame_region): Reimplement.
10205         (template <> struct default_hash_traits<frame_region::key_t>):
10206         New.
10207         (class globals_region): Reimplement.
10208         (is_a_helper <globals_region *>::test): Convert to...
10209         (is_a_helper <const globals_region *>::test): ...this.
10210         (class struct_or_union_region): Delete.
10211         (is_a_helper <struct_or_union_region *>::test): Delete.
10212         (class code_region): Reimplement.
10213         (is_a_helper <const code_region *>::test): New.
10214         (class struct_region): Delete.
10215         (is_a_helper <struct_region *>::test): Delete.
10216         (class function_region): Reimplement.
10217         (is_a_helper <function_region *>::test): Convert to...
10218         (is_a_helper <const function_region *>::test): ...this.
10219         (class union_region): Delete.
10220         (is_a_helper <union_region *>::test): Delete.
10221         (class label_region): New.
10222         (is_a_helper <const label_region *>::test): New.
10223         (class scope_region): Delete.
10224         (class stack_region): Reimplement.
10225         (is_a_helper <stack_region *>::test): Convert to...
10226         (is_a_helper <const stack_region *>::test): ...this.
10227         (class heap_region): Reimplement.
10228         (is_a_helper <heap_region *>::test): Convert to...
10229         (is_a_helper <const heap_region *>::test): ...this.
10230         (class root_region): Reimplement.
10231         (is_a_helper <root_region *>::test): Convert to...
10232         (is_a_helper <const root_region *>::test): ...this.
10233         (class symbolic_region): Reimplement.
10234         (is_a_helper <const symbolic_region *>::test): New.
10235         (template <> struct default_hash_traits<symbolic_region::key_t>):
10236         New.
10237         (class decl_region): New.
10238         (is_a_helper <const decl_region *>::test): New.
10239         (class field_region): New.
10240         (template <> struct default_hash_traits<field_region::key_t>): New.
10241         (class array_region): Delete.
10242         (class element_region): New.
10243         (is_a_helper <array_region *>::test): Delete.
10244         (is_a_helper <const element_region *>::test): New.
10245         (template <> struct default_hash_traits<element_region::key_t>):
10246         New.
10247         (class offset_region): New.
10248         (is_a_helper <const offset_region *>::test): New.
10249         (template <> struct default_hash_traits<offset_region::key_t>):
10250         New.
10251         (class cast_region): New.
10252         (is_a_helper <const cast_region *>::test): New.
10253         (template <> struct default_hash_traits<cast_region::key_t>): New.
10254         (class heap_allocated_region): New.
10255         (class alloca_region): New.
10256         (class string_region): New.
10257         (is_a_helper <const string_region *>::test): New.
10258         (class unknown_region): New.
10259         (class region_model_manager): New.
10260         (struct append_ssa_names_cb_data): New.
10261         (class call_details): New.
10262         (region_model::region_model): Add region_model_manager param.
10263         (region_model::print_svalue): Delete.
10264         (region_model::dump_dot_to_pp): Delete.
10265         (region_model::dump_dot_to_file): Delete.
10266         (region_model::dump_dot): Delete.
10267         (region_model::dump_to_pp): Drop summarize param in favor of
10268         simple and multiline.
10269         (region_model::dump): Likewise.
10270         (region_model::summarize_to_pp): Delete.
10271         (region_model::summarize): Delete.
10272         (region_model::void canonicalize): Drop ctxt param.
10273         (region_model::void check_for_poison): Delete.
10274         (region_model::get_gassign_result): New.
10275         (region_model::impl_call_alloca): New.
10276         (region_model::impl_call_analyzer_describe): New.
10277         (region_model::impl_call_analyzer_eval): New.
10278         (region_model::impl_call_builtin_expect): New.
10279         (region_model::impl_call_calloc): New.
10280         (region_model::impl_call_free): New.
10281         (region_model::impl_call_malloc): New.
10282         (region_model::impl_call_memset): New.
10283         (region_model::impl_call_strlen): New.
10284         (region_model::get_reachable_svalues): New.
10285         (region_model::handle_phi): Drop is_back_edge param.
10286         (region_model::region_id get_root_rid): Delete.
10287         (region_model::root_region *get_root_region): Delete.
10288         (region_model::region_id get_stack_region_id): Delete.
10289         (region_model::push_frame): Convert from region_id and svalue_id
10290         to const region * and const svalue *.
10291         (region_model::get_current_frame_id): Replace with...
10292         (region_model::get_current_frame): ...this.
10293         (region_model::pop_frame): Convert from region_id to
10294         const region *.  Drop purge and stats param.  Add out_result.
10295         (region_model::function *get_function_at_depth): Delete.
10296         (region_model::get_globals_region_id): Delete.
10297         (region_model::add_svalue): Delete.
10298         (region_model::replace_svalue): Delete.
10299         (region_model::add_region): Delete.
10300         (region_model::add_region_for_type): Delete.
10301         (region_model::get_svalue): Delete.
10302         (region_model::get_region): Delete.
10303         (region_model::get_lvalue): Convert from region_id to
10304         const region *.
10305         (region_model::get_rvalue): Convert from svalue_id to
10306         const svalue *.
10307         (region_model::get_or_create_ptr_svalue): Delete.
10308         (region_model::get_or_create_constant_svalue): Delete.
10309         (region_model::get_svalue_for_fndecl): Delete.
10310         (region_model::get_svalue_for_label): Delete.
10311         (region_model::get_region_for_fndecl): Delete.
10312         (region_model::get_region_for_label): Delete.
10313         (region_model::get_frame_at_index (int index) const;): New.
10314         (region_model::maybe_cast): Delete.
10315         (region_model::maybe_cast_1): Delete.
10316         (region_model::get_field_region): Delete.
10317         (region_model::id deref_rvalue): Convert from region_id and
10318         svalue_id to const region * and const svalue *.  Drop overload,
10319         passing in both a tree and an svalue.
10320         (region_model::set_value): Convert from region_id and svalue_id to
10321         const region * and const svalue *.
10322         (region_model::set_to_new_unknown_value): Delete.
10323         (region_model::clobber_region (const region *reg);): New.
10324         (region_model::purge_region (const region *reg);): New.
10325         (region_model::zero_fill_region (const region *reg);): New.
10326         (region_model::mark_region_as_unknown (const region *reg);): New.
10327         (region_model::copy_region): Convert from region_id to
10328         const region *.
10329         (region_model::eval_condition): Convert from svalue_id to
10330         const svalue *.
10331         (region_model::eval_condition_without_cm): Likewise.
10332         (region_model::compare_initial_and_pointer): New.
10333         (region_model::maybe_get_constant): Delete.
10334         (region_model::add_new_malloc_region): Delete.
10335         (region_model::get_representative_tree): Convert from svalue_id to
10336         const svalue *.
10337         (region_model::get_representative_path_var): Delete decl taking a
10338         region_id in favor of two decls, for svalue vs region, with an
10339         svalue_set to ensure termination.
10340         (region_model::get_path_vars_for_svalue): Delete.
10341         (region_model::create_region_for_heap_alloc): New.
10342         (region_model::create_region_for_alloca): New.
10343         (region_model::purge_unused_svalues): Delete.
10344         (region_model::remap_svalue_ids): Delete.
10345         (region_model::remap_region_ids): Delete.
10346         (region_model::purge_regions): Delete.
10347         (region_model::get_num_svalues): Delete.
10348         (region_model::get_num_regions): Delete.
10349         (region_model::get_descendents): Delete.
10350         (region_model::get_store): New.
10351         (region_model::delete_region_and_descendents): Delete.
10352         (region_model::get_manager): New.
10353         (region_model::unbind_region_and_descendents): New.
10354         (region_model::can_merge_with_p): Add point param.  Drop
10355         svalue_id_merger_mapping.
10356         (region_model::get_value_by_name): Delete.
10357         (region_model::convert_byte_offset_to_array_index): Delete.
10358         (region_model::get_or_create_mem_ref): Delete.
10359         (region_model::get_or_create_pointer_plus_expr): Delete.
10360         (region_model::get_or_create_view): Delete.
10361         (region_model::get_lvalue_1): Convert from region_id to
10362         const region *.
10363         (region_model::get_rvalue_1): Convert from svalue_id to
10364         const svalue *.
10365         (region_model::get_ssa_name_regions_for_current_frame): New.
10366         (region_model::append_ssa_names_cb): New.
10367         (region_model::get_store_value): New.
10368         (region_model::copy_struct_region): Delete.
10369         (region_model::copy_union_region): Delete.
10370         (region_model::copy_array_region): Delete.
10371         (region_model::region_exists_p): New.
10372         (region_model::make_region_for_unexpected_tree_code): Delete.
10373         (region_model::loop_replay_fixup): New.
10374         (region_model::poison_any_pointers_to_bad_regions): Delete.
10375         (region_model::poison_any_pointers_to_descendents): New.
10376         (region_model::dump_summary_of_rep_path_vars): Delete.
10377         (region_model::on_top_level_param): New.
10378         (region_model::record_dynamic_extents): New.
10379         (region_model::m_mgr;): New.
10380         (region_model::m_store;): New.
10381         (region_model::m_svalues;): Delete.
10382         (region_model::m_regions;): Delete.
10383         (region_model::m_root_rid;): Delete.
10384         (region_model::m_current_frame;): New.
10385         (region_model_context::remap_svalue_ids): Delete.
10386         (region_model_context::can_purge_p): Delete.
10387         (region_model_context::on_svalue_leak): New.
10388         (region_model_context::on_svalue_purge): Delete.
10389         (region_model_context::on_liveness_change): New.
10390         (region_model_context::on_inherited_svalue): Delete.
10391         (region_model_context::on_cast): Delete.
10392         (region_model_context::on_unknown_change): Convert from svalue_id to
10393         const svalue * and add is_mutable.
10394         (class noop_region_model_context): Update for region_model_context
10395         changes.
10396         (model_merger::model_merger): Add program_point.  Drop
10397         svalue_id_merger_mapping.
10398         (model_merger::dump_to_pp): Add "simple" param.
10399         (model_merger::dump): Likewise.
10400         (model_merger::get_region_a): Delete.
10401         (model_merger::get_region_b): Delete.
10402         (model_merger::can_merge_values_p): Delete.
10403         (model_merger::record_regions): Delete.
10404         (model_merger::record_svalues): Delete.
10405         (model_merger::m_point): New field.
10406         (model_merger::m_map_regions_from_a_to_m): Delete.
10407         (model_merger::m_map_regions_from_b_to_m): Delete.
10408         (model_merger::m_sid_mapping): Delete.
10409         (struct svalue_id_merger_mapping): Delete.
10410         (class engine): New.
10411         (struct canonicalization): Delete.
10412         (inchash::add): Delete decls for hashing svalue_id and region_id.
10413         (test_region_model_context::on_unexpected_tree_code): Require t to
10414         be non-NULL.
10415         (selftest::assert_condition): Add overload comparing a pair of
10416         const svalue *.
10417         * sm-file.cc: Include "tristate.h", "selftest.h",
10418         "analyzer/call-string.h", "analyzer/program-point.h",
10419         "analyzer/store.h", and "analyzer/region-model.h".
10420         (fileptr_state_machine::get_default_state): New.
10421         (fileptr_state_machine::on_stmt): Remove calls to
10422         get_readable_tree in favor of get_diagnostic_tree.
10423         * sm-malloc.cc: Include "tristate.h", "selftest.h",
10424         "analyzer/call-string.h", "analyzer/program-point.h",
10425         "analyzer/store.h", and "analyzer/region-model.h".
10426         (malloc_state_machine::get_default_state): New.
10427         (malloc_state_machine::reset_when_passed_to_unknown_fn_p): New.
10428         (malloc_diagnostic::describe_state_change): Handle change.m_expr
10429         being NULL.
10430         (null_arg::emit): Avoid printing "NULL '0'".
10431         (null_arg::describe_final_event): Avoid printing "(0) NULL".
10432         (malloc_leak::emit): Handle m_arg being NULL.
10433         (malloc_leak::describe_final_event): Handle ev.m_expr being NULL.
10434         (malloc_state_machine::on_stmt): Don't call get_readable_tree.
10435         Call get_diagnostic_tree when creating pending diagnostics.
10436         Update for is_zero_assignment becoming a member function of
10437         sm_ctxt.
10438         Don't transition to m_non_heap for ADDR_EXPR(MEM_REF()).
10439         (malloc_state_machine::reset_when_passed_to_unknown_fn_p): New
10440         vfunc implementation.
10441         * sm-sensitive.cc (sensitive_state_machine::warn_for_any_exposure): Call
10442         get_diagnostic_tree and pass the result to warn_for_state.
10443         * sm-signal.cc: Move includes of "analyzer/call-string.h" and
10444         "analyzer/program-point.h" to before "analyzer/region-model.h",
10445         and also include "analyzer/store.h" before it.
10446         (signal_unsafe_call::describe_state_change): Use
10447         get_dest_function to get handler.
10448         (update_model_for_signal_handler): Pass manager to region_model
10449         ctor.
10450         (register_signal_handler::impl_transition): Update for changes to
10451         get_or_create_node and add_edge.
10452         * sm-taint.cc (taint_state_machine::on_stmt): Remove calls to
10453         get_readable_tree, replacing them when calling warn_for_state with
10454         calls to get_diagnostic_tree.
10455         * sm.cc (is_zero_assignment): Delete.
10456         (any_pointer_p): Move to within namespace ana.
10457         * sm.h (is_zero_assignment): Remove decl.
10458         (any_pointer_p): Move decl to within namespace ana.
10459         (state_machine::get_default_state): New vfunc.
10460         (state_machine::reset_when_passed_to_unknown_fn_p): New vfunc.
10461         (sm_context::get_readable_tree): Rename to...
10462         (sm_context::get_diagnostic_tree): ...this.
10463         (sm_context::is_zero_assignment): New vfunc.
10464         * store.cc: New file.
10465         * store.h: New file.
10466         * svalue.cc: New file.
10468 2020-05-22  Mark Wielaard  <mark@klomp.org>
10470         * sm-signal.cc (signal_unsafe_call::emit): Possibly add
10471         gcc_rich_location note for replacement.
10472         (signal_unsafe_call::get_replacement_fn): New private function.
10473         (get_async_signal_unsafe_fns): Add "exit".
10475 2020-04-28  David Malcolm  <dmalcolm@redhat.com>
10477         PR analyzer/94816
10478         * engine.cc (impl_region_model_context::on_unexpected_tree_code):
10479         Handle NULL tree.
10480         * region-model.cc (region_model::add_region_for_type): Handle
10481         NULL type.
10482         * region-model.h
10483         (test_region_model_context::on_unexpected_tree_code): Handle NULL
10484         tree.
10486 2020-04-28  David Malcolm  <dmalcolm@redhat.com>
10488         PR analyzer/94447
10489         PR analyzer/94639
10490         PR analyzer/94732
10491         PR analyzer/94754
10492         * analyzer.opt (Wanalyzer-use-of-uninitialized-value): Delete.
10493         * program-state.cc (selftest::test_program_state_dumping): Update
10494         expected dump result for removal of "uninit".
10495         * region-model.cc (poison_kind_to_str): Delete POISON_KIND_UNINIT
10496         case.
10497         (root_region::ensure_stack_region): Initialize stack with null
10498         svalue_id rather than with a typeless POISON_KIND_UNINIT value.
10499         (root_region::ensure_heap_region): Likewise for the heap.
10500         (region_model::dump_summary_of_rep_path_vars): Remove
10501         summarization of uninit values.
10502         (region_model::validate): Remove check that the stack has a
10503         POISON_KIND_UNINIT value.
10504         (poisoned_value_diagnostic::emit): Remove POISON_KIND_UNINIT
10505         case.
10506         (poisoned_value_diagnostic::describe_final_event): Likewise.
10507         (selftest::test_dump): Update expected dump result for removal of
10508         "uninit".
10509         (selftest::test_svalue_equality): Remove "uninit" and "freed".
10510         * region-model.h (enum poison_kind): Remove POISON_KIND_UNINIT.
10512 2020-04-01  David Malcolm  <dmalcolm@redhat.com>
10514         PR analyzer/94378
10515         * checker-path.cc: Include "bitmap.h".
10516         * constraint-manager.cc: Likewise.
10517         * diagnostic-manager.cc: Likewise.
10518         * engine.cc: Likewise.
10519         (exploded_node::detect_leaks): Pass null region_id to pop_frame.
10520         * program-point.cc: Include "bitmap.h".
10521         * program-state.cc: Likewise.
10522         * region-model.cc (id_set<region_id>::id_set): Convert to...
10523         (region_id_set::region_id_set): ...this.
10524         (svalue_id_set::svalue_id_set): New ctor.
10525         (region_model::copy_region): New function.
10526         (region_model::copy_struct_region): New function.
10527         (region_model::copy_union_region): New function.
10528         (region_model::copy_array_region): New function.
10529         (stack_region::pop_frame): Drop return value.  Add
10530         "result_dst_rid" param; if it is non-null, use copy_region to copy
10531         the result to it.  Rather than capture and pass a single "known
10532         used" return value to be used by purge_unused_values, instead
10533         gather and pass a set of known used return values.
10534         (root_region::pop_frame): Drop return value.  Add "result_dst_rid"
10535         param.
10536         (region_model::on_assignment): Use copy_region.
10537         (region_model::on_return): Likewise for the result.
10538         (region_model::on_longjmp): Pass null for pop_frame's
10539         result_dst_rid.
10540         (region_model::update_for_return_superedge): Pass the region for the
10541         return value of the call, if any, to pop_frame, rather than setting
10542         the lvalue for the lhs of the result.
10543         (region_model::pop_frame): Drop return value.  Add
10544         "result_dst_rid" param.
10545         (region_model::purge_unused_svalues): Convert third param from an
10546         svalue_id * to an svalue_id_set *, updating the initial populating
10547         of the "used" bitmap accordingly.  Don't remap it when done.
10548         (struct selftest::coord_test): New selftest fixture, extracted from...
10549         (selftest::test_dump_2): ...here.
10550         (selftest::test_compound_assignment): New selftest.
10551         (selftest::test_stack_frames): Pass null to new param of pop_frame.
10552         (selftest::analyzer_region_model_cc_tests): Call the new selftest.
10553         * region-model.h (class id_set): Delete template.
10554         (class region_id_set): Reimplement, using old id_set implementation.
10555         (class svalue_id_set): Likewise.  Convert from auto_sbitmap to
10556         auto_bitmap.
10557         (region::get_active_view): New accessor.
10558         (stack_region::pop_frame): Drop return value.  Add
10559         "result_dst_rid" param.
10560         (root_region::pop_frame): Likewise.
10561         (region_model::pop_frame): Likewise.
10562         (region_model::copy_region): New decl.
10563         (region_model::purge_unused_svalues): Convert third param from an
10564         svalue_id * to an svalue_id_set *.
10565         (region_model::copy_struct_region): New decl.
10566         (region_model::copy_union_region): New decl.
10567         (region_model::copy_array_region): New decl.
10569 2020-03-27  David Malcolm  <dmalcolm@redhat.com>
10571         * program-state.cc (selftest::test_program_state_dumping): Update
10572         expected dump to include symbolic_region's possibly_null field.
10573         * region-model.cc (symbolic_region::print_fields): New vfunc
10574         implementation.
10575         (region_model::add_constraint): Clear m_possibly_null from
10576         symbolic_regions now known to be non-NULL.
10577         (selftest::test_malloc_constraints): New selftest.
10578         (selftest::analyzer_region_model_cc_tests): Call it.
10579         * region-model.h (region::dyn_cast_symbolic_region): Add non-const
10580         overload.
10581         (symbolic_region::dyn_cast_symbolic_region): Implement it.
10582         (symbolic_region::print_fields): New vfunc override decl.
10584 2020-03-27  David Malcolm  <dmalcolm@redhat.com>
10586         * analyzer.h (class feasibility_problem): New forward decl.
10587         * diagnostic-manager.cc (saved_diagnostic::saved_diagnostic):
10588         Initialize new fields m_status, m_epath_length, and m_problem.
10589         (saved_diagnostic::~saved_diagnostic): Delete m_problem.
10590         (dedupe_candidate::dedupe_candidate): Convert "sd" param from a
10591         const ref to a mutable ptr.
10592         (dedupe_winners::add): Convert "sd" param from a const ref to a
10593         mutable ptr.  Record the length of the exploded_path.  Record the
10594         feasibility/infeasibility of sd into sd, capturing a
10595         feasibility_problem when feasible_p fails, and storing it in sd.
10596         (diagnostic_manager::emit_saved_diagnostics): Update for pass by
10597         ptr rather than by const ref.
10598         * diagnostic-manager.h (class saved_diagnostic): Add new enum
10599         status.  Add fields m_status, m_epath_length and m_problem.
10600         (saved_diagnostic::set_feasible): New member function.
10601         (saved_diagnostic::set_infeasible): New member function.
10602         (saved_diagnostic::get_feasibility_problem): New accessor.
10603         (saved_diagnostic::get_status): New accessor.
10604         (saved_diagnostic::set_epath_length): New member function.
10605         (saved_diagnostic::get_epath_length): New accessor.
10606         * engine.cc: Include "gimple-pretty-print.h".
10607         (exploded_path::feasible_p): Add OUT param and, if non-NULL, write
10608         a new feasibility_problem to it on failure.
10609         (viz_callgraph_node::dump_dot): Convert begin_tr calls to
10610         begin_trtd.  Convert end_tr calls to end_tdtr.
10611         (class exploded_graph_annotator): New subclass of dot_annotator.
10612         (impl_run_checkers): Add a second -fdump-analyzer-supergraph dump
10613         after the analysis runs, using exploded_graph_annotator, dumping
10614         to DUMP_BASE_NAME.supergraph-eg.dot.
10615         * exploded-graph.h (exploded_node::get_dot_fillcolor): Make
10616         public.
10617         (exploded_path::feasible_p): Add OUT param.
10618         (class feasibility_problem): New class.
10619         * state-purge.cc (state_purge_annotator::add_node_annotations):
10620         Return a bool, add a "within_table" param.
10621         (print_vec_of_names): Convert begin_tr calls to begin_trtd.
10622         Convert end_tr calls to end_tdtr.
10623         (state_purge_annotator::add_stmt_annotations): Add "within_row"
10624         param.
10625         * state-purge.h (state_purge_annotator::add_node_annotations):
10626         Return a bool, add a "within_table" param.
10627         (state_purge_annotator::add_stmt_annotations): Add "within_row"
10628         param.
10629         * supergraph.cc (supernode::dump_dot): Call add_node_annotations
10630         twice: as before, passing false for "within_table", then again
10631         with true when within the TABLE element.  Convert some begin_tr
10632         calls to begin_trtd, and some end_tr calls to end_tdtr.
10633         Repeat each add_stmt_annotations call, distinguishing between
10634         calls that add TRs and those that add TDs to an existing TR.
10635         Add a call to add_after_node_annotations.
10636         * supergraph.h (dot_annotator::add_node_annotations): Add a
10637         "within_table" param.
10638         (dot_annotator::add_stmt_annotations): Add a "within_row" param.
10639         (dot_annotator::add_after_node_annotations): New vfunc.
10641 2020-03-27  David Malcolm  <dmalcolm@redhat.com>
10643         * diagnostic-manager.cc (dedupe_winners::add): Show the
10644         exploded_node index in the log messages.
10645         (diagnostic_manager::emit_saved_diagnostics): Log a summary of
10646         m_saved_diagnostics at entry.
10648 2020-03-27  David Malcolm  <dmalcolm@redhat.com>
10650         * supergraph.cc (superedge::dump): Add space before description;
10651         move newline to non-pretty_printer overload.
10653 2020-03-18  David Malcolm  <dmalcolm@redhat.com>
10655         * region-model.cc: Include "stor-layout.h".
10656         (region_model::dump_to_pp): Rather than calling
10657         dump_summary_of_map on each of the current frame and the globals,
10658         instead get a vec of representative path_vars for all regions,
10659         and then dump a summary of all of them.
10660         (region_model::dump_summary_of_map): Delete, rewriting into...
10661         (region_model::dump_summary_of_rep_path_vars): ...this new
10662         function, working on a vec of path_vars.
10663         (region_model::set_value): New overload.
10664         (region_model::get_representative_path_var): Rename
10665         "parent_region" local to "parent_reg" and consolidate with other
10666         local.  Guard test for grandparent being stack on parent_reg being
10667         non-NULL.  Move handling for parent being an array_region to
10668         within guard for parent_reg being non-NULL.
10669         (selftest::make_test_compound_type): New function.
10670         (selftest::test_dump_2): New selftest.
10671         (selftest::test_dump_3): New selftest.
10672         (selftest::test_stack_frames): Update expected output from
10673         simplified dump to show "a" and "b" from parent frame and "y" in
10674         child frame.
10675         (selftest::analyzer_region_model_cc_tests): Call test_dump_2 and
10676         test_dump_3.
10677         * region-model.h (region_model::set_value): New overload decl.
10678         (region_model::dump_summary_of_map): Delete.
10679         (region_model::dump_summary_of_rep_path_vars): New.
10681 2020-03-18  David Malcolm  <dmalcolm@redhat.com>
10683         * region-model.h (class noop_region_model_context): New subclass
10684         of region_model_context.
10685         (class tentative_region_model_context): Inherit from
10686         noop_region_model_context rather than from region_model_context;
10687         drop redundant vfunc implementations.
10688         (class test_region_model_context): Likewise.
10690 2020-03-18  David Malcolm  <dmalcolm@redhat.com>
10692         * engine.cc (exploded_node::exploded_node): Move implementation
10693         here from header; accept point_and_state by const reference rather
10694         than by value.
10695         * exploded-graph.h (exploded_node::exploded_node): Pass
10696         point_and_state by const reference rather than by value.  Move
10697         body to engine.cc.
10699 2020-03-18  Jakub Jelinek  <jakub@redhat.com>
10701         * sm-malloc.cc (malloc_state_machine::on_stmt): Fix up duplicated word
10702         issue in a comment.
10703         * region-model.cc (region_model::make_region_for_unexpected_tree_code,
10704         region_model::delete_region_and_descendents): Likewise.
10705         * engine.cc (class exploded_cluster): Likewise.
10706         * diagnostic-manager.cc (class path_builder): Likewise.
10708 2020-03-13  David Malcolm  <dmalcolm@redhat.com>
10710         PR analyzer/94099
10711         PR analyzer/94105
10712         * diagnostic-manager.cc (for_each_state_change): Bulletproof
10713         against errors in get_rvalue by passing a
10714         tentative_region_model_context and rejecting if there's an error.
10715         * region-model.cc (region_model::get_lvalue_1): When handling
10716         ARRAY_REF, handle results of error-handling.  Handle NOP_EXPR.
10718 2020-03-06  David Malcolm  <dmalcolm@redhat.com>
10720         * analyzer.h (class array_region): New forward decl.
10721         * program-state.cc (selftest::test_program_state_dumping_2): New.
10722         (selftest::analyzer_program_state_cc_tests): Call it.
10723         * region-model.cc (array_region::constant_from_key): New.
10724         (region_model::get_representative_tree): Handle region_svalue by
10725         generating an ADDR_EXPR.
10726         (region_model::get_representative_path_var): In view handling,
10727         remove erroneous TREE_TYPE when determining the type of the tree.
10728         Handle array regions and STRING_CST.
10729         (selftest::assert_dump_tree_eq): New.
10730         (ASSERT_DUMP_TREE_EQ): New macro.
10731         (selftest::test_get_representative_tree): New selftest.
10732         (selftest::analyzer_region_model_cc_tests): Call it.
10733         * region-model.h (region::dyn_cast_array_region): New vfunc.
10734         (array_region::dyn_cast_array_region): New vfunc implementation.
10735         (array_region::constant_from_key): New decl.
10737 2020-03-06  David Malcolm  <dmalcolm@redhat.com>
10739         * analyzer.h (dump_quoted_tree): New decl.
10740         * engine.cc (exploded_node::dump_dot): Pass region model to
10741         sm_state_map::print.
10742         * program-state.cc: Include diagnostic-core.h.
10743         (sm_state_map::print): Add "model" param and use it to print
10744         representative trees.  Only print origin information if non-null.
10745         (sm_state_map::dump): Pass NULL for model to print call.
10746         (program_state::print): Pass region model to sm_state_map::print.
10747         (program_state::dump_to_pp): Use spaces rather than newlines when
10748         summarizing.  Pass region_model to sm_state_map::print.
10749         (ana::selftest::assert_dump_eq): New function.
10750         (ASSERT_DUMP_EQ): New macro.
10751         (ana::selftest::test_program_state_dumping): New function.
10752         (ana::selftest::analyzer_program_state_cc_tests): Call it.
10753         * program-state.h (program_state::print): Add model param.
10754         * region-model.cc (dump_quoted_tree): New function.
10755         (map_region::print_fields): Use dump_quoted_tree rather than
10756         %qE to avoid lang-dependent output.
10757         (map_region::dump_child_label): Likewise.
10758         (region_model::dump_summary_of_map): For SK_REGION, when
10759         get_representative_path_var fails, print the region id rather than
10760         erroneously printing NULL.
10761         * sm.cc (state_machine::get_state_by_name): New function.
10762         * sm.h (state_machine::get_state_by_name): New decl.
10764 2020-03-04  David Malcolm  <dmalcolm@redhat.com>
10766         * region-model.cc (region::validate): Convert model param from ptr
10767         to reference.  Update comment to reflect that it's now a vfunc.
10768         (map_region::validate): New vfunc implementation.
10769         (array_region::validate): New vfunc implementation.
10770         (stack_region::validate): New vfunc implementation.
10771         (root_region::validate): New vfunc implementation.
10772         (region_model::validate): Pass a reference rather than a pointer
10773         to the region::validate vfunc.
10774         * region-model.h (region::validate): Make virtual.  Convert model
10775         param from ptr to reference.
10776         (map_region::validate): New vfunc decl.
10777         (array_region::validate): New vfunc decl.
10778         (stack_region::validate): New vfunc decl.
10779         (root_region::validate): New vfunc decl.
10781 2020-03-04  David Malcolm  <dmalcolm@redhat.com>
10783         PR analyzer/93993
10784         * region-model.cc (region_model::on_call_pre): Handle
10785         BUILT_IN_EXPECT and its variants.
10786         (region_model::add_any_constraints_from_ssa_def_stmt): Split out
10787         gassign handling into add_any_constraints_from_gassign; add gcall
10788         handling.
10789         (region_model::add_any_constraints_from_gassign): New function,
10790         based on the above.  Add handling for NOP_EXPR.
10791         (region_model::add_any_constraints_from_gcall): New function.
10792         (region_model::get_representative_path_var): Handle views.
10793         * region-model.h
10794         (region_model::add_any_constraints_from_ssa_def_stmt): New decl.
10795         (region_model::add_any_constraints_from_gassign): New decl.
10797 2020-03-04  David Malcolm  <dmalcolm@redhat.com>
10799         PR analyzer/93993
10800         * checker-path.h (state_change_event::get_lvalue): Add ctxt param
10801         and pass it to region_model::get_value call.
10802         * diagnostic-manager.cc (get_any_origin): Pass a
10803         tentative_region_model_context to the calls to get_lvalue and reject
10804         the comparison if errors occur.
10805         (can_be_expr_of_interest_p): New function.
10806         (diagnostic_manager::prune_for_sm_diagnostic): Replace checks for
10807         CONSTANT_CLASS_P with calls to update_for_unsuitable_sm_exprs.
10808         Pass a tentative_region_model_context to the calls to
10809         state_change_event::get_lvalue and reject the comparison if errors
10810         occur.
10811         (diagnostic_manager::update_for_unsuitable_sm_exprs): New.
10812         * diagnostic-manager.h
10813         (diagnostic_manager::update_for_unsuitable_sm_exprs): New decl.
10814         * region-model.h (class tentative_region_model_context): New class.
10816 2020-03-04  David Malcolm  <dmalcolm@redhat.com>
10818         * engine.cc (worklist::worklist): Remove unused field m_eg.
10819         (class viz_callgraph_edge): Remove unused field m_call_sedge.
10820         (class viz_callgraph): Remove unused field m_sg.
10821         * exploded-graph.h (worklist::m_eg): Remove unused field.
10823 2020-03-02  David Malcolm  <dmalcolm@redhat.com>
10825         * analyzer.opt (fanalyzer-show-duplicate-count): New option.
10826         * diagnostic-manager.cc
10827         (diagnostic_manager::emit_saved_diagnostic): Use the above to
10828         guard the printing of the duplicate count.
10830 2020-03-02  David Malcolm  <dmalcolm@redhat.com>
10832         PR analyzer/93959
10833         * analyzer.cc (is_std_function_p): New function.
10834         (is_std_named_call_p): New function.
10835         * analyzer.h (is_std_named_call_p): New decl.
10836         * sm-malloc.cc (malloc_state_machine::on_stmt): Check for "std::"
10837         variants when checking for malloc, calloc and free.
10839 2020-02-26  David Malcolm  <dmalcolm@redhat.com>
10841         PR analyzer/93950
10842         * diagnostic-manager.cc
10843         (diagnostic_manager::prune_for_sm_diagnostic): Assert that var is
10844         either NULL or not a constant.  When updating var, bulletproof
10845         against constant values.
10847 2020-02-26  David Malcolm  <dmalcolm@redhat.com>
10849         PR analyzer/93947
10850         * region-model.cc (region_model::get_fndecl_for_call): Gracefully
10851         fail for fn_decls that don't have a cgraph_node.
10853 2020-02-26  David Malcolm  <dmalcolm@redhat.com>
10855         * bar-chart.cc: New file.
10856         * bar-chart.h: New file.
10857         * engine.cc: Include "analyzer/bar-chart.h".
10858         (stats::log): Only log the m_num_nodes kinds that are non-zero.
10859         (stats::dump): Likewise when dumping.
10860         (stats::get_total_enodes): New.
10861         (exploded_graph::get_or_create_node): Increment the per-point-data
10862         m_excess_enodes when hitting the per-program-point limit on
10863         enodes.
10864         (exploded_graph::print_bar_charts): New.
10865         (exploded_graph::log_stats): Log the number of unprocessed enodes
10866         in the worklist.  Call print_bar_charts.
10867         (exploded_graph::dump_stats): Print the number of unprocessed
10868         enodes in the worklist.
10869         * exploded-graph.h (stats::get_total_enodes): New decl.
10870         (struct per_program_point_data): Add field m_excess_enodes.
10871         (exploded_graph::print_bar_charts): New decl.
10872         * supergraph.cc (superedge::dump): New.
10873         (superedge::dump): New.
10874         * supergraph.h (supernode::get_function): New.
10875         (superedge::dump): New decl.
10876         (superedge::dump): New decl.
10878 2020-02-24  David Malcolm  <dmalcolm@redhat.com>
10880         * engine.cc (exploded_graph::get_or_create_node): Dump the
10881         program_state to the pp, rather than to stderr.
10883 2020-02-24  David Malcolm  <dmalcolm@redhat.com>
10885         PR analyzer/93032
10886         * sm.cc (make_checkers): Require the "taint" checker to be
10887         explicitly enabled.
10889 2020-02-24  David Malcolm  <dmalcolm@redhat.com>
10891         PR analyzer/93899
10892         * engine.cc
10893         (impl_region_model_context::impl_region_model_context): Add logger
10894         param.
10895         * engine.cc (exploded_graph::add_function_entry): Create an
10896         impl_region_model_context and pass it to the push_frame call.
10897         Bail if the resulting state is invalid.
10898         (exploded_graph::build_initial_worklist): Likewise.
10899         (exploded_graph::build_initial_worklist): Handle the case where
10900         add_function_entry fails.
10901         * exploded-graph.h
10902         (impl_region_model_context::impl_region_model_context): Add logger
10903         param.
10904         * region-model.cc (map_region::get_or_create): Add ctxt param and
10905         pass it to add_region_for_type.
10906         (map_region::can_merge_p): Pass NULL as a ctxt to call to
10907         get_or_create.
10908         (array_region::get_element): Pass ctxt to call to get_or_create.
10909         (array_region::get_or_create): Add ctxt param and pass it to
10910         add_region_for_type.
10911         (root_region::push_frame): Pass ctxt to get_or_create calls.
10912         (region_model::get_lvalue_1): Likewise.
10913         (region_model::make_region_for_unexpected_tree_code): Assert that
10914         ctxt is non-NULL.
10915         (region_model::get_rvalue_1): Pass ctxt to get_svalue_for_fndecl
10916         and get_svalue_for_label calls.
10917         (region_model::get_svalue_for_fndecl): Add ctxt param and pass it
10918         to get_region_for_fndecl.
10919         (region_model::get_region_for_fndecl): Add ctxt param and pass it
10920         to get_or_create.
10921         (region_model::get_svalue_for_label): Add ctxt param and pass it
10922         to get_region_for_label.
10923         (region_model::get_region_for_label): Add ctxt param and pass it
10924         to get_region_for_fndecl and get_or_create.
10925         (region_model::get_field_region): Add ctxt param and pass it to
10926         get_or_create_view and get_or_create.
10927         (make_region_for_type): Replace gcc_unreachable with return NULL.
10928         (region_model::add_region_for_type): Add ctxt param.  Handle a
10929         return of NULL from make_region_for_type by calling
10930         make_region_for_unexpected_tree_code.
10931         (region_model::get_or_create_mem_ref): Pass ctxt to calls to
10932         get_or_create_view.
10933         (region_model::get_or_create_view): Add ctxt param and pass it to
10934         add_region_for_type.
10935         (selftest::test_state_merging): Pass ctxt to get_or_create_view.
10936         * region-model.h (region_model::get_or_create): Add ctxt param.
10937         (region_model::add_region_for_type): Likewise.
10938         (region_model::get_svalue_for_fndecl): Likewise.
10939         (region_model::get_svalue_for_label): Likewise.
10940         (region_model::get_region_for_fndecl): Likewise.
10941         (region_model::get_region_for_label): Likewise.
10942         (region_model::get_field_region): Likewise.
10943         (region_model::get_or_create_view): Likewise.
10945 2020-02-24  David Malcolm  <dmalcolm@redhat.com>
10947         * checker-path.cc (superedge_event::should_filter_p): Update
10948         filter for empty descriptions to cover verbosity level 3 as well
10949         as 2.
10950         * diagnostic-manager.cc: Include "analyzer/reachability.h".
10951         (class path_builder): New class.
10952         (diagnostic_manager::emit_saved_diagnostic): Create a path_builder
10953         and pass it to build_emission_path, rather than passing eg; similarly
10954         for add_events_for_eedge and ext_state.
10955         (diagnostic_manager::build_emission_path): Replace "eg" param
10956         with a path_builder, pass it to add_events_for_eedge.
10957         (diagnostic_manager::add_events_for_eedge): Replace ext_state
10958         param with path_builder; pass it to add_events_for_superedge.
10959         (diagnostic_manager::significant_edge_p): New.
10960         (diagnostic_manager::add_events_for_superedge): Add path_builder
10961         param.  Reject insignificant edges at verbosity levels below 3.
10962         (diagnostic_manager::prune_for_sm_diagnostic): Update highest
10963         verbosity level to 4.
10964         * diagnostic-manager.h (class path_builder): New forward decl.
10965         (diagnostic_manager::build_emission_path): Replace "eg" param
10966         with a path_builder.
10967         (diagnostic_manager::add_events_for_eedge): Replace ext_state
10968         param with path_builder.
10969         (diagnostic_manager::significant_edge_p): New.
10970         (diagnostic_manager::add_events_for_superedge): Add path_builder
10971         param.
10972         * reachability.h: New file.
10974 2020-02-18  David Malcolm  <dmalcolm@redhat.com>
10976         PR analyzer/93692
10977         * analyzer.opt (fdump-analyzer-callgraph): Rewrite description.
10979 2020-02-18  David Malcolm  <dmalcolm@redhat.com>
10981         PR analyzer/93777
10982         * region-model.cc (region_model::maybe_cast_1): Replace assertion
10983         that build_cast returns non-NULL with a conditional, falling
10984         through to the logic which returns a new unknown value of the
10985         desired type if it fails.
10987 2020-02-18  David Malcolm  <dmalcolm@redhat.com>
10989         PR analyzer/93778
10990         * engine.cc (impl_region_model_context::on_unknown_tree_code):
10991         Rename to...
10992         (impl_region_model_context::on_unexpected_tree_code): ...this and
10993         convert first argument from path_var to tree.
10994         (exploded_node::on_stmt): Pass ctxt to purge_for_unknown_fncall.
10995         * exploded-graph.h (region_model_context::on_unknown_tree_code):
10996         Rename to...
10997         (region_model_context::on_unexpected_tree_code): ...this and
10998         convert first argument from path_var to tree.
10999         * program-state.cc (sm_state_map::purge_for_unknown_fncall): Add
11000         ctxt param and pass on to calls to get_rvalue.
11001         * program-state.h (sm_state_map::purge_for_unknown_fncall): Add
11002         ctxt param.
11003         * region-model.cc (region_model::handle_unrecognized_call): Pass
11004         ctxt on to call to get_rvalue.
11005         (region_model::get_lvalue_1): Move body of default case to
11006         region_model::make_region_for_unexpected_tree_code and call it.
11007         Within COMPONENT_REF case, reject attempts to handle types other
11008         than RECORD_TYPE and UNION_TYPE.
11009         (region_model::make_region_for_unexpected_tree_code): New
11010         function, based on default case of region_model::get_lvalue_1.
11011         * region-model.h
11012         (region_model::make_region_for_unexpected_tree_code): New decl.
11013         (region_model::on_unknown_tree_code): Rename to...
11014         (region_model::on_unexpected_tree_code): ...this and convert first
11015         argument from path_var to tree.
11016         (class test_region_model_context): Update vfunc implementation for
11017         above change.
11019 2020-02-18  David Malcolm  <dmalcolm@redhat.com>
11021         PR analyzer/93774
11022         * region-model.cc
11023         (region_model::convert_byte_offset_to_array_index): Use
11024         int_size_in_bytes before calling size_in_bytes, to gracefully fail
11025         on incomplete types.
11027 2020-02-17  David Malcolm  <dmalcolm@redhat.com>
11029         PR analyzer/93775
11030         * region-model.cc (region_model::get_fndecl_for_call): Handle the
11031         case where the code_region's get_tree_for_child_region returns
11032         NULL.
11034 2020-02-17  David Malcolm  <dmalcolm@redhat.com>
11036         PR analyzer/93388
11037         * engine.cc (impl_region_model_context::on_unknown_tree_code):
11038         New.
11039         (exploded_graph::get_or_create_node): Reject invalid states.
11040         * exploded-graph.h
11041         (impl_region_model_context::on_unknown_tree_code): New decl.
11042         (point_and_state::point_and_state): Assert that the state is
11043         valid.
11044         * program-state.cc (program_state::program_state): Initialize
11045         m_valid to true.
11046         (program_state::operator=): Copy m_valid.
11047         (program_state::program_state): Likewise for move constructor.
11048         (program_state::print): Print m_valid.
11049         (program_state::dump_to_pp): Likewise.
11050         * program-state.h (program_state::m_valid): New field.
11051         * region-model.cc (region_model::get_lvalue_1): Implement the
11052         default case by returning a new symbolic region and calling
11053         the context's on_unknown_tree_code, rather than issuing an
11054         internal_error.  Implement VIEW_CONVERT_EXPR.
11055         * region-model.h (region_model_context::on_unknown_tree_code): New
11056         vfunc.
11057         (test_region_model_context::on_unknown_tree_code): New.
11059 2020-02-17  David Malcolm  <dmalcolm@redhat.com>
11061         * sm-malloc.cc (malloc_diagnostic::describe_state_change): For
11062         transition to the "null" state, only say "assuming" when
11063         transitioning from the "unchecked" state.
11065 2020-02-17  David Malcolm  <dmalcolm@redhat.com>
11067         * diagnostic-manager.h (diagnostic_manager::get_saved_diagnostic):
11068         Add const overload.
11069         * engine.cc (exploded_node::dump_dot): Dump saved_diagnostics.
11070         * exploded-graph.h (exploded_graph::get_diagnostic_manager): Add
11071         const overload.
11073 2020-02-11  David Malcolm  <dmalcolm@redhat.com>
11075         PR analyzer/93288
11076         * analysis-plan.cc (analysis_plan::use_summary_p): Look through
11077         the ultimate_alias_target when getting the called function.
11078         * engine.cc (exploded_node::on_stmt): Rename second "ctxt" to
11079         "sm_ctxt".  Use the region_model's get_fndecl_for_call rather than
11080         gimple_call_fndecl.
11081         * region-model.cc (region_model::get_fndecl_for_call): Use
11082         ultimate_alias_target on fndecl.
11083         * supergraph.cc (get_ultimate_function_for_cgraph_edge): New
11084         function.
11085         (supergraph_call_edge): Use it when rejecting edges without
11086         functions.
11087         (supergraph::supergraph): Use it to get the function for the
11088         cgraph_edge when building interprocedural superedges.
11089         (callgraph_superedge::get_callee_function): Use it.
11090         * supergraph.h (supergraph::get_num_snodes): Make param const.
11091         (supergraph::function_to_num_snodes_t): Make first type param
11092         const.
11094 2020-02-11  David Malcolm  <dmalcolm@redhat.com>
11096         PR analyzer/93374
11097         * engine.cc (exploded_edge::exploded_edge): Add ext_state param
11098         and pass it to change.validate.
11099         (exploded_graph::get_or_create_node): Move purging of change
11100         svalues to also cover the case of reusing an existing enode.
11101         (exploded_graph::add_edge): Pass m_ext_state to exploded_edge's
11102         ctor.
11103         * exploded-graph.h (exploded_edge::exploded_edge): Add ext_state
11104         param.
11105         * program-state.cc (state_change::sm_change::validate): Likewise.
11106         Assert that m_sm_idx is sane.  Use ext_state to validate
11107         m_old_state and m_new_state.
11108         (state_change::validate): Add ext_state param and pass it to
11109         the sm_change validate calls.
11110         * program-state.h (state_change::sm_change::validate): Add
11111         ext_state param.
11112         (state_change::validate): Likewise.
11114 2020-02-11  David Malcolm  <dmalcolm@redhat.com>
11116         PR analyzer/93669
11117         * engine.cc (exploded_graph::dump_exploded_nodes): Handle missing
11118         case of STATUS_WORKLIST in implementation of
11119         "__analyzer_dump_exploded_nodes".
11121 2020-02-11  David Malcolm  <dmalcolm@redhat.com>
11123         PR analyzer/93649
11124         * constraint-manager.cc (constraint_manager::add_constraint): When
11125         merging equivalence classes and updating m_constant, also update
11126         m_cst_sid.
11127         (constraint_manager::validate): If m_constant is non-NULL assert
11128         that m_cst_sid is non-null and is valid.
11130 2020-02-11  David Malcolm  <dmalcolm@redhat.com>
11132         PR analyzer/93657
11133         * analyzer.opt (fdump-analyzer): Reword description.
11134         (fdump-analyzer-stderr): Likewise.
11136 2020-02-11  David Malcolm  <dmalcolm@redhat.com>
11138         * region-model.cc (print_quoted_type): New function.
11139         (svalue::print): Use it to replace %qT.
11140         (region::dump_to_pp): Likewise.
11141         (region::dump_child_label): Likewise.
11142         (region::print_fields): Likewise.
11144 2020-02-10  David Malcolm  <dmalcolm@redhat.com>
11146         PR analyzer/93659
11147         * analyzer.opt (-param=analyzer-max-recursion-depth=): Fix "tha"
11148         -> "that" typo.
11149         (Wanalyzer-use-of-uninitialized-value): Fix "initialized" ->
11150         "uninitialized" typo.
11152 2020-02-10  David Malcolm  <dmalcolm@redhat.com>
11154         PR analyzer/93350
11155         * region-model.cc (region_model::get_lvalue_1):
11156         Handle BIT_FIELD_REF.
11157         (make_region_for_type): Handle VECTOR_TYPE.
11159 2020-02-10  David Malcolm  <dmalcolm@redhat.com>
11161         PR analyzer/93647
11162         * diagnostic-manager.cc
11163         (diagnostic_manager::prune_for_sm_diagnostic): Bulletproof against
11164         VAR being constant.
11165         * region-model.cc (region_model::get_lvalue_1): Provide a better
11166         error message when encountering an unhandled tree code.
11168 2020-02-10  David Malcolm  <dmalcolm@redhat.com>
11170         PR analyzer/93405
11171         * region-model.cc (region_model::get_lvalue_1): Implement
11172         CONST_DECL.
11174 2020-02-06  David Malcolm  <dmalcolm@redhat.com>
11176         * region-model.cc (region_model::maybe_cast_1): Attempt to provide
11177         a region_svalue if either type is a pointer, rather than if both
11178         types are pointers.
11180 2020-02-05  David Malcolm  <dmalcolm@redhat.com>
11182         * engine.cc (exploded_node::dump_dot): Show merger enodes.
11183         (worklist::add_node): Assert that the node's m_status is
11184         STATUS_WORKLIST.
11185         (exploded_graph::process_worklist): Likewise for nodes from the
11186         worklist.  Set status of merged nodes to STATUS_MERGER.
11187         (exploded_graph::process_node): Set status of node to
11188         STATUS_PROCESSED.
11189         (exploded_graph::dump_exploded_nodes): Rework handling of
11190         "__analyzer_dump_exploded_nodes", splitting enodes by status into
11191         "processed" and "merger", showing the count of just the processed
11192         enodes at the call, rather than the count of all enodes.
11193         * exploded-graph.h (exploded_node::status): New enum.
11194         (exploded_node::exploded_node): Initialize m_status to
11195         STATUS_WORKLIST.
11196         (exploded_node::get_status): New getter.
11197         (exploded_node::set_status): New setter.
11199 2020-02-04  David Malcolm  <dmalcolm@redhat.com>
11201         PR analyzer/93543
11202         * engine.cc (pod_hash_traits<function_call_string>::mark_empty):
11203         Eliminate reinterpret_cast.
11204         (pod_hash_traits<function_call_string>::is_empty): Likewise.
11206 2020-02-03  David Malcolm  <dmalcolm@redhat.com>
11208         * constraint-manager.cc (range::constrained_to_single_element):
11209         Replace fold_build2 with fold_binary.  Remove unnecessary newline.
11210         (constraint_manager::get_or_add_equiv_class): Replace fold_build2
11211         with fold_binary in two places, and remove out-of-date comment.
11212         (constraint_manager::eval_condition): Replace fold_build2 with
11213         fold_binary.
11214         * region-model.cc (constant_svalue::eval_condition): Likewise.
11215         (region_model::on_assignment): Likewise.
11217 2020-02-03  David Malcolm  <dmalcolm@redhat.com>
11219         PR analyzer/93544
11220         * diagnostic-manager.cc
11221         (diagnostic_manager::prune_for_sm_diagnostic): Bulletproof
11222         against bad choices due to bad paths.
11223         * engine.cc (impl_region_model_context::on_phi): New.
11224         * exploded-graph.h (impl_region_model_context::on_phi): New decl.
11225         * region-model.cc (region_model::on_longjmp): Likewise.
11226         (region_model::handle_phi): Add phi param.  Call the ctxt's on_phi
11227         vfunc.
11228         (region_model::update_for_phis): Pass phi to handle_phi.
11229         * region-model.h (region_model::handle_phi): Add phi param.
11230         (region_model_context::on_phi): New vfunc.
11231         (test_region_model_context::on_phi): New.
11232         * sm-malloc.cc (malloc_state_machine::on_phi): New.
11233         (malloc_state_machine::on_zero_assignment): New.
11234         * sm.h (state_machine::on_phi): New vfunc.
11236 2020-02-03  David Malcolm  <dmalcolm@redhat.com>
11238         * engine.cc (supernode_cluster::dump_dot): Show BB index as
11239         well as SN index.
11240         * supergraph.cc (supernode::dump_dot): Likewise.
11242 2020-02-03  David Malcolm  <dmalcolm@redhat.com>
11244         PR analyzer/93546
11245         * region-model.cc (region_model::on_call_pre): Update for new
11246         param of symbolic_region ctor.
11247         (region_model::deref_rvalue): Likewise.
11248         (region_model::add_new_malloc_region): Likewise.
11249         (make_region_for_type): Likewise, preserving type.
11250         * region-model.h (symbolic_region::symbolic_region): Add "type"
11251         param and pass it to base class ctor.
11253 2020-02-03  David Malcolm  <dmalcolm@redhat.com>
11255         PR analyzer/93547
11256         * constraint-manager.cc
11257         (constraint_manager::get_or_add_equiv_class): Ensure types are
11258         compatible before comparing constants.
11260 2020-01-31  David Malcolm  <dmalcolm@redhat.com>
11262         PR analyzer/93457
11263         * region-model.cc (make_region_for_type): Use VOID_TYPE_P rather
11264         than checking against void_type_node.
11266 2020-01-31  David Malcolm  <dmalcolm@redhat.com>
11268         PR analyzer/93373
11269         * region-model.cc (ASSERT_COMPAT_TYPES): Convert to...
11270         (assert_compat_types): ...this, and bail when either type is NULL,
11271         or when VOID_TYPE_P (dst_type).
11272         (region_model::get_lvalue): Update for above conversion.
11273         (region_model::get_rvalue): Likewise.
11275 2020-01-31  David Malcolm  <dmalcolm@redhat.com>
11277         PR analyzer/93379
11278         * region-model.cc (region_model::update_for_return_superedge):
11279         Move check for null result so that it also guards setting the
11280         lhs.
11282 2020-01-31  David Malcolm  <dmalcolm@redhat.com>
11284         PR analyzer/93438
11285         * region-model.cc (stack_region::can_merge_p): Split into a two
11286         pass approach, creating all stack regions first, then populating
11287         them.
11288         (selftest::test_state_merging): Add test coverage for (a) the case
11289         of self-merging a model in which a local in an older stack frame
11290         points to a local in a more recent stack frame (which previously
11291         would ICE), and (b) the case of self-merging a model in which a
11292         local points to a global (which previously worked OK).
11294 2020-01-31  David Malcolm  <dmalcolm@redhat.com>
11296         * analyzer.cc (is_named_call_p): Replace tests for fndecl being
11297         extern at file scope and having a non-NULL DECL_NAME with a call
11298         to maybe_special_function_p.
11299         * function-set.cc (function_set::contains_decl_p): Add call to
11300         maybe_special_function_p.
11302 2020-01-31  David Malcolm  <dmalcolm@redhat.com>
11304         PR analyzer/93450
11305         * constraint-manager.cc
11306         (constraint_manager::get_or_add_equiv_class): Only compare constants
11307         if their types are compatible.
11308         * region-model.cc (constant_svalue::eval_condition): Replace check
11309         for identical types with call to types_compatible_p.
11311 2020-01-30  David Malcolm  <dmalcolm@redhat.com>
11313         * program-state.cc (extrinsic_state::dump_to_pp): New.
11314         (extrinsic_state::dump_to_file): New.
11315         (extrinsic_state::dump): New.
11316         * program-state.h (extrinsic_state::dump_to_pp): New decl.
11317         (extrinsic_state::dump_to_file): New decl.
11318         (extrinsic_state::dump): New decl.
11319         * sm.cc: Include "pretty-print.h".
11320         (state_machine::dump_to_pp): New.
11321         * sm.h (state_machine::dump_to_pp): New decl.
11323 2020-01-30  David Malcolm  <dmalcolm@redhat.com>
11325         * diagnostic-manager.cc (for_each_state_change): Use
11326         extrinsic_state::get_num_checkers rather than accessing m_checkers
11327         directly.
11328         * program-state.cc (program_state::program_state): Likewise.
11329         * program-state.h (extrinsic_state::m_checkers): Make private.
11331 2020-01-30  David Malcolm  <dmalcolm@redhat.com>
11333         PR analyzer/93356
11334         * region-model.cc (region_model::eval_condition): In both
11335         overloads, bail out immediately on floating-point types.
11336         (region_model::eval_condition_without_cm): Likewise.
11337         (region_model::add_constraint): Likewise.
11339 2020-01-30  David Malcolm  <dmalcolm@redhat.com>
11341         PR analyzer/93450
11342         * program-state.cc (sm_state_map::set_state): For the overload
11343         taking an svalue_id, bail out if the set_state on the ec does
11344         nothing.  Convert the latter's return type from void to bool,
11345         returning true if anything changed.
11346         (sm_state_map::impl_set_state): Convert the return type from void
11347         to bool, returning true if the state changed.
11348         * program-state.h (sm_state_map::set_state): Convert return type
11349         from void to bool.
11350         (sm_state_map::impl_set_state): Likewise.
11351         * region-model.cc (constant_svalue::eval_condition): Only call
11352         fold_build2 if the types are the same.
11354 2020-01-29  Jakub Jelinek  <jakub@redhat.com>
11356         * analyzer.h (PUSH_IGNORE_WFORMAT, POP_IGNORE_WFORMAT): Remove.
11357         * constraint-manager.cc: Include diagnostic-core.h before graphviz.h.
11358         (range::dump, equiv_class::print): Don't use PUSH_IGNORE_WFORMAT or
11359         POP_IGNORE_WFORMAT.
11360         * state-purge.cc: Include diagnostic-core.h before
11361         gimple-pretty-print.h.
11362         (state_purge_annotator::add_node_annotations, print_vec_of_names):
11363         Don't use PUSH_IGNORE_WFORMAT or POP_IGNORE_WFORMAT.
11364         * region-model.cc: Move diagnostic-core.h include before graphviz.h.
11365         (path_var::dump, svalue::print, constant_svalue::print_details,
11366         region::dump_to_pp, region::dump_child_label, region::print_fields,
11367         map_region::print_fields, map_region::dump_dot_to_pp,
11368         map_region::dump_child_label, array_region::print_fields,
11369         array_region::dump_dot_to_pp): Don't use PUSH_IGNORE_WFORMAT or
11370         POP_IGNORE_WFORMAT.
11372 2020-01-28  David Malcolm  <dmalcolm@redhat.com>
11374         PR analyzer/93316
11375         * engine.cc (rewind_info_t::update_model): Get the longjmp call
11376         stmt via get_longjmp_call () rather than assuming it is the last
11377         stmt in the longjmp's supernode.
11378         (rewind_info_t::add_events_to_path): Get the location_t for the
11379         rewind_from_longjmp_event via get_longjmp_call () rather than from
11380         the supernode's get_end_location ().
11382 2020-01-28  David Malcolm  <dmalcolm@redhat.com>
11384         * region-model.cc (poisoned_value_diagnostic::emit): Update for
11385         renaming of warning_at overload to warning_meta.
11386         * sm-file.cc (file_leak::emit): Likewise.
11387         * sm-malloc.cc (double_free::emit): Likewise.
11388         (possible_null_deref::emit): Likewise.
11389         (possible_null_arg::emit): Likewise.
11390         (null_deref::emit): Likewise.
11391         (null_arg::emit): Likewise.
11392         (use_after_free::emit): Likewise.
11393         (malloc_leak::emit): Likewise.
11394         (free_of_non_heap::emit): Likewise.
11395         * sm-sensitive.cc (exposure_through_output_file::emit): Likewise.
11396         * sm-signal.cc (signal_unsafe_call::emit): Likewise.
11397         * sm-taint.cc (tainted_array_index::emit): Likewise.
11399 2020-01-27  David Malcolm  <dmalcolm@redhat.com>
11401         PR analyzer/93451
11402         * region-model.cc (tree_cmp): For the REAL_CST case, impose an
11403         arbitrary order on NaNs relative to other NaNs and to non-NaNs;
11404         const-correctness tweak.
11405         (ana::selftests::build_real_cst_from_string): New function.
11406         (ana::selftests::append_interesting_constants): New function.
11407         (ana::selftests::test_tree_cmp_on_constants): New test.
11408         (ana::selftests::test_canonicalization_4): New test.
11409         (ana::selftests::analyzer_region_model_cc_tests): Call the new
11410         tests.
11412 2020-01-27  David Malcolm  <dmalcolm@redhat.com>
11414         PR analyzer/93349
11415         * engine.cc (run_checkers): Save and restore input_location.
11417 2020-01-27  David Malcolm  <dmalcolm@redhat.com>
11419         * call-string.cc (call_string::cmp_1): Delete, moving body to...
11420         (call_string::cmp): ...here.
11421         * call-string.h (call_string::cmp_1): Delete decl.
11422         * engine.cc (worklist::key_t::cmp_1): Delete, moving body to...
11423         (worklist::key_t::cmp): ...here.  Implement hash comparisons
11424         via comparison rather than subtraction to avoid overflow issues.
11425         * exploded-graph.h (worklist::key_t::cmp_1): Delete decl.
11426         * region-model.cc (tree_cmp): Eliminate buggy checking for
11427         symmetry.
11429 2020-01-27  David Malcolm  <dmalcolm@redhat.com>
11431         * analyzer.cc (is_named_call_p): Check that fndecl is "extern"
11432         and at file scope.  Potentially disregard prefix _ or __ in
11433         fndecl's name.  Bail if the identifier is NULL.
11434         (is_setjmp_call_p): Expect a gcall rather than plain gimple.
11435         Remove special-case check for leading prefix, and also check for
11436         sigsetjmp.
11437         (is_longjmp_call_p): Also check for siglongjmp.
11438         (get_user_facing_name): New function.
11439         * analyzer.h (is_setjmp_call_p): Expect a gcall rather than plain
11440         gimple.
11441         (get_user_facing_name): New decl.
11442         * checker-path.cc (setjmp_event::get_desc): Use
11443         get_user_facing_name to avoid hardcoding the function name.
11444         (rewind_event::rewind_event): Add rewind_info param, using it to
11445         initialize new m_rewind_info field, and strengthen the assertion.
11446         (rewind_from_longjmp_event::get_desc): Use get_user_facing_name to
11447         avoid hardcoding the function name.
11448         (rewind_to_setjmp_event::get_desc): Likewise.
11449         * checker-path.h (setjmp_event::setjmp_event): Add setjmp_call
11450         param and use it to initialize...
11451         (setjmp_event::m_setjmp_call): New field.
11452         (rewind_event::rewind_event): Add rewind_info param.
11453         (rewind_event::m_rewind_info): New protected field.
11454         (rewind_from_longjmp_event::rewind_from_longjmp_event): Add
11455         rewind_info param.
11456         (class rewind_to_setjmp_event): Move rewind_info field to parent
11457         class.
11458         * diagnostic-manager.cc (diagnostic_manager::add_events_for_eedge):
11459         Update setjmp-handling for is_setjmp_call_p requiring a gcall;
11460         pass the call to the new setjmp_event.
11461         * engine.cc (exploded_node::on_stmt): Update for is_setjmp_call_p
11462         requiring a gcall.
11463         (stale_jmp_buf::emit): Use get_user_facing_name to avoid
11464         hardcoding the function names.
11465         (exploded_node::on_longjmp): Pass the longjmp_call when
11466         constructing rewind_info.
11467         (rewind_info_t::add_events_to_path): Pass the rewind_info_t to the
11468         rewind_from_longjmp_event's ctor.
11469         * exploded-graph.h (rewind_info_t::rewind_info_t): Add
11470         longjmp_call param.
11471         (rewind_info_t::get_longjmp_call): New.
11472         (rewind_info_t::m_longjmp_call): New.
11473         * region-model.cc (region_model::on_setjmp): Update comment to
11474         indicate this is also for sigsetjmp.
11475         * region-model.h (struct setjmp_record): Likewise.
11476         (class setjmp_svalue): Likewise.
11478 2020-01-27  David Malcolm  <dmalcolm@redhat.com>
11480         PR analyzer/93276
11481         * analyzer.h (PUSH_IGNORE_WFORMAT, POP_IGNORE_WFORMAT): Guard these
11482         macros with GCC_VERSION >= 4006, making them no-op otherwise.
11483         * engine.cc (exploded_edge::exploded_edge): Specify template for
11484         base class initializer.
11485         (exploded_graph::add_edge): Specify template when chaining up to
11486         base class add_edge implementation.
11487         (viz_callgraph_node::dump_dot): Drop redundant "typename".
11488         (viz_callgraph_edge::viz_callgraph_edge): Specify template for
11489         base class initializer.
11490         * program-state.cc (sm_state_map::clone_with_remapping): Drop
11491         redundant "typename".
11492         (sm_state_map::print): Likewise.
11493         (sm_state_map::hash): Likewise.
11494         (sm_state_map::operator==): Likewise.
11495         (sm_state_map::remap_svalue_ids): Likewise.
11496         (sm_state_map::on_svalue_purge): Likewise.
11497         (sm_state_map::validate): Likewise.
11498         * program-state.h (sm_state_map::iterator_t): Likewise.
11499         * supergraph.h (superedge::superedge): Specify template for base
11500         class initializer.
11502 2020-01-23  David Malcolm  <dmalcolm@redhat.com>
11504         PR analyzer/93375
11505         * supergraph.cc (callgraph_superedge::get_arg_for_parm): Fail
11506         gracefully if the number of parameters at the callee exceeds the
11507         number of arguments at the call stmt.
11508         (callgraph_superedge::get_parm_for_arg): Likewise.
11510 2020-01-22  David Malcolm  <dmalcolm@redhat.com>
11512         PR analyzer/93382
11513         * program-state.cc (sm_state_map::on_svalue_purge): If the
11514         entry survives, but the origin is being purged, then reset the
11515         origin to null.
11517 2020-01-22  David Malcolm  <dmalcolm@redhat.com>
11519         * sm-signal.cc: Fix nesting of CHECKING_P and namespace ana.
11521 2020-01-22  David Malcolm  <dmalcolm@redhat.com>
11523         PR analyzer/93378
11524         * engine.cc (setjmp_svalue::compare_fields): Update for
11525         replacement of m_enode with m_setjmp_record.
11526         (setjmp_svalue::add_to_hash): Likewise.
11527         (setjmp_svalue::get_index): Rename...
11528         (setjmp_svalue::get_enode_index): ...to this.
11529         (setjmp_svalue::print_details): Update for replacement of m_enode
11530         with m_setjmp_record.
11531         (exploded_node::on_longjmp): Likewise.
11532         * exploded-graph.h (rewind_info_t::m_enode_origin): Replace...
11533         (rewind_info_t::m_setjmp_record): ...with this.
11534         (rewind_info_t::rewind_info_t): Update for replacement of m_enode
11535         with m_setjmp_record.
11536         (rewind_info_t::get_setjmp_point): Likewise.
11537         (rewind_info_t::get_setjmp_call): Likewise.
11538         * region-model.cc (region_model::dump_summary_of_map): Likewise.
11539         (region_model::on_setjmp): Likewise.
11540         * region-model.h (struct setjmp_record): New struct.
11541         (setjmp_svalue::m_enode): Replace...
11542         (setjmp_svalue::m_setjmp_record): ...with this.
11543         (setjmp_svalue::setjmp_svalue): Update for replacement of m_enode
11544         with m_setjmp_record.
11545         (setjmp_svalue::clone): Likewise.
11546         (setjmp_svalue::get_index): Rename...
11547         (setjmp_svalue::get_enode_index): ...to this.
11548         (setjmp_svalue::get_exploded_node): Replace...
11549         (setjmp_svalue::get_setjmp_record): ...with this.
11551 2020-01-22  David Malcolm  <dmalcolm@redhat.com>
11553         PR analyzer/93316
11554         * analyzer.cc (is_setjmp_call_p): Check for "setjmp" as well as
11555         "_setjmp".
11557 2020-01-22  David Malcolm  <dmalcolm@redhat.com>
11559         PR analyzer/93307
11560         * analysis-plan.h: Wrap everything in namespace "ana".
11561         * analyzer-logging.cc: Likewise.
11562         * analyzer-logging.h: Likewise.
11563         * analyzer-pass.cc (pass_analyzer::execute): Update for "ana"
11564         namespace.
11565         * analyzer-selftests.cc: Wrap everything in namespace "ana".
11566         * analyzer-selftests.h: Likewise.
11567         * analyzer.h: Likewise for forward decls of types.
11568         * call-string.h: Likewise.
11569         * checker-path.cc: Likewise.
11570         * checker-path.h: Likewise.
11571         * constraint-manager.cc: Likewise.
11572         * constraint-manager.h: Likewise.
11573         * diagnostic-manager.cc: Likewise.
11574         * diagnostic-manager.h: Likewise.
11575         * engine.cc: Likewise.
11576         * engine.h: Likewise.
11577         * exploded-graph.h: Likewise.
11578         * function-set.cc: Likewise.
11579         * function-set.h: Likewise.
11580         * pending-diagnostic.cc: Likewise.
11581         * pending-diagnostic.h: Likewise.
11582         * program-point.cc: Likewise.
11583         * program-point.h: Likewise.
11584         * program-state.cc: Likewise.
11585         * program-state.h: Likewise.
11586         * region-model.cc: Likewise.
11587         * region-model.h: Likewise.
11588         * sm-file.cc: Likewise.
11589         * sm-malloc.cc: Likewise.
11590         * sm-pattern-test.cc: Likewise.
11591         * sm-sensitive.cc: Likewise.
11592         * sm-signal.cc: Likewise.
11593         * sm-taint.cc: Likewise.
11594         * sm.cc: Likewise.
11595         * sm.h: Likewise.
11596         * state-purge.h: Likewise.
11597         * supergraph.cc: Likewise.
11598         * supergraph.h: Likewise.
11600 2020-01-21  David Malcolm  <dmalcolm@redhat.com>
11602         PR analyzer/93352
11603         * region-model.cc (int_cmp): Rename to...
11604         (array_region::key_cmp): ...this, using key_t rather than int.
11605         Rewrite in terms of comparisons rather than subtraction to
11606         ensure qsort is anti-symmetric when handling extreme values.
11607         (array_region::walk_for_canonicalization): Update for above
11608         renaming.
11609         * region-model.h (array_region::key_cmp): New decl.
11611 2020-01-17  David Malcolm  <dmalcolm@redhat.com>
11613         PR analyzer/93290
11614         * region-model.cc (region_model::eval_condition_without_cm): Avoid
11615         gcc_unreachable for unexpected operations for the case where
11616         we're comparing an svalue against itself.
11618 2020-01-17  David Malcolm  <dmalcolm@redhat.com>
11620         PR analyzer/93281
11621         * region-model.cc
11622         (region_model::convert_byte_offset_to_array_index): Convert to
11623         ssizetype before dividing by byte_size.  Use fold_binary rather
11624         than fold_build2 to avoid needlessly constructing a tree for the
11625         non-const case.
11627 2020-01-15  David Malcolm  <dmalcolm@redhat.com>
11629         * engine.cc (class impl_region_model_context): Fix comment.
11631 2020-01-14  David Malcolm  <dmalcolm@redhat.com>
11633         PR analyzer/93212
11634         * region-model.cc (make_region_for_type): Use
11635         FUNC_OR_METHOD_TYPE_P rather than comparing against FUNCTION_TYPE.
11636         * region-model.h (function_region::function_region): Likewise.
11638 2020-01-14  David Malcolm  <dmalcolm@redhat.com>
11640         * program-state.cc (sm_state_map::clone_with_remapping): Copy
11641         m_global_state.
11642         (selftest::test_program_state_merging_2): New selftest.
11643         (selftest::analyzer_program_state_cc_tests): Call it.
11645 2020-01-14  David Malcolm  <dmalcolm@redhat.com>
11647         * checker-path.h (checker_path::get_checker_event): New function.
11648         (checker_path): Add DISABLE_COPY_AND_ASSIGN; make fields private.
11649         * diagnostic-manager.cc
11650         (diagnostic_manager::prune_for_sm_diagnostic): Replace direct
11651         access to checker_path::m_events with accessor functions.  Fix
11652         overlong line.
11653         (diagnostic_manager::prune_interproc_events): Replace direct
11654         access to checker_path::m_events with accessor functions.
11655         (diagnostic_manager::finish_pruning): Likewise.
11657 2020-01-14  David Malcolm  <dmalcolm@redhat.com>
11659         * checker-path.h (checker_event::clone): Delete vfunc decl.
11660         (debug_event::clone): Delete vfunc impl.
11661         (custom_event::clone): Delete vfunc impl.
11662         (statement_event::clone): Delete vfunc impl.
11663         (function_entry_event::clone): Delete vfunc impl.
11664         (state_change_event::clone): Delete vfunc impl.
11665         (start_cfg_edge_event::clone): Delete vfunc impl.
11666         (end_cfg_edge_event::clone): Delete vfunc impl.
11667         (call_event::clone): Delete vfunc impl.
11668         (return_event::clone): Delete vfunc impl.
11669         (setjmp_event::clone): Delete vfunc impl.
11670         (rewind_from_longjmp_event::clone): Delete vfunc impl.
11671         (rewind_to_setjmp_event::clone): Delete vfunc impl.
11672         (warning_event::clone): Delete vfunc impl.
11674 2020-01-14  David Malcolm  <dmalcolm@redhat.com>
11676         * supergraph.cc (supernode::dump_dot): Ensure that the TABLE
11677         element has at least one TR.
11679 2020-01-14  David Malcolm  <dmalcolm@redhat.com>
11681         PR analyzer/58237
11682         * engine.cc (leak_stmt_finder::find_stmt): Use get_pure_location
11683         when comparing against UNKNOWN_LOCATION.
11684         (stmt_requires_new_enode_p): Likewise.
11685         (exploded_graph::dump_exploded_nodes): Likewise.
11686         * supergraph.cc (supernode::get_start_location): Likewise.
11687         (supernode::get_end_location): Likewise.
11689 2020-01-14  David Malcolm  <dmalcolm@redhat.com>
11691         PR analyzer/58237
11692         * analyzer-selftests.cc (selftest::run_analyzer_selftests): Call
11693         selftest::analyzer_sm_file_cc_tests.
11694         * analyzer-selftests.h (selftest::analyzer_sm_file_cc_tests): New
11695         decl.
11696         * sm-file.cc: Include "analyzer/function-set.h" and
11697         "analyzer/analyzer-selftests.h".
11698         (get_file_using_fns): New function.
11699         (is_file_using_fn_p): New function.
11700         (fileptr_state_machine::on_stmt): Return true for known functions.
11701         (selftest::analyzer_sm_file_cc_tests): New function.
11703 2020-01-14  David Malcolm  <dmalcolm@redhat.com>
11705         * analyzer-selftests.cc (selftest::run_analyzer_selftests): Call
11706         selftest::analyzer_sm_signal_cc_tests.
11707         * analyzer-selftests.h (selftest::analyzer_sm_signal_cc_tests):
11708         New decl.
11709         * sm-signal.cc: Include "analyzer/function-set.h" and
11710         "analyzer/analyzer-selftests.h".
11711         (get_async_signal_unsafe_fns): New function.
11712         (signal_unsafe_p): Reimplement in terms of the above.
11713         (selftest::analyzer_sm_signal_cc_tests): New function.
11715 2020-01-14  David Malcolm  <dmalcolm@redhat.com>
11717         * analyzer-selftests.cc (selftest::run_analyzer_selftests): Call
11718         selftest::analyzer_function_set_cc_tests.
11719         * analyzer-selftests.h (selftest::analyzer_function_set_cc_tests):
11720         New decl.
11721         * function-set.cc: New file.
11722         * function-set.h: New file.
11724 2020-01-14  David Malcolm  <dmalcolm@redhat.com>
11726         * analyzer.h (fndecl_has_gimple_body_p): New decl.
11727         * engine.cc (impl_region_model_context::on_unknown_change): New
11728         function.
11729         (fndecl_has_gimple_body_p): Make non-static.
11730         (exploded_node::on_stmt): Treat __analyzer_dump_exploded_nodes as
11731         known.  Track whether we have a call with unknown side-effects and
11732         pass it to on_call_post.
11733         * exploded-graph.h (impl_region_model_context::on_unknown_change):
11734         New decl.
11735         * program-state.cc (sm_state_map::on_unknown_change): New function.
11736         * program-state.h (sm_state_map::on_unknown_change): New decl.
11737         * region-model.cc: Include "bitmap.h".
11738         (region_model::on_call_pre): Return a bool, capturing whether the
11739         call has unknown side effects.
11740         (region_model::on_call_post): Add arg "bool unknown_side_effects"
11741         and if true, call handle_unrecognized_call.
11742         (class reachable_regions): New class.
11743         (region_model::handle_unrecognized_call): New function.
11744         * region-model.h (region_model::on_call_pre): Return a bool.
11745         (region_model::on_call_post): Add arg "bool unknown_side_effects".
11746         (region_model::handle_unrecognized_call): New decl.
11747         (region_model_context::on_unknown_change): New vfunc.
11748         (test_region_model_context::on_unknown_change): New function.
11750 2020-01-14  David Malcolm  <dmalcolm@redhat.com>
11752         * diagnostic-manager.cc (saved_diagnostic::operator==): Move here
11753         from header.  Replace pointer equality test on m_var with call to
11754         pending_diagnostic::same_tree_p.
11755         * diagnostic-manager.h (saved_diagnostic::operator==): Move to
11756         diagnostic-manager.cc.
11757         * pending-diagnostic.cc (pending_diagnostic::same_tree_p): New.
11758         * pending-diagnostic.h (pending_diagnostic::same_tree_p): New.
11759         * sm-file.cc (file_diagnostic::subclass_equal_p): Replace pointer
11760         equality on m_arg with call to pending_diagnostic::same_tree_p.
11761         * sm-malloc.cc (malloc_diagnostic::subclass_equal_p): Likewise.
11762         (possible_null_arg::subclass_equal_p): Likewise.
11763         (null_arg::subclass_equal_p): Likewise.
11764         (free_of_non_heap::subclass_equal_p): Likewise.
11765         * sm-pattern-test.cc (pattern_match::operator==): Likewise.
11766         * sm-sensitive.cc (exposure_through_output_file::operator==):
11767         Likewise.
11768         * sm-taint.cc (tainted_array_index::operator==): Likewise.
11770 2020-01-14  David Malcolm  <dmalcolm@redhat.com>
11772         * diagnostic-manager.cc (dedupe_winners::add): Add logging
11773         of deduplication decisions made.
11775 2020-01-14  David Malcolm  <dmalcolm@redhat.com>
11777         * ChangeLog: New file.
11778         * analyzer-selftests.cc: New file.
11779         * analyzer-selftests.h: New file.
11780         * analyzer.opt: New file.
11781         * analysis-plan.cc: New file.
11782         * analysis-plan.h: New file.
11783         * analyzer-logging.cc: New file.
11784         * analyzer-logging.h: New file.
11785         * analyzer-pass.cc: New file.
11786         * analyzer.cc: New file.
11787         * analyzer.h: New file.
11788         * call-string.cc: New file.
11789         * call-string.h: New file.
11790         * checker-path.cc: New file.
11791         * checker-path.h: New file.
11792         * constraint-manager.cc: New file.
11793         * constraint-manager.h: New file.
11794         * diagnostic-manager.cc: New file.
11795         * diagnostic-manager.h: New file.
11796         * engine.cc: New file.
11797         * engine.h: New file.
11798         * exploded-graph.h: New file.
11799         * pending-diagnostic.cc: New file.
11800         * pending-diagnostic.h: New file.
11801         * program-point.cc: New file.
11802         * program-point.h: New file.
11803         * program-state.cc: New file.
11804         * program-state.h: New file.
11805         * region-model.cc: New file.
11806         * region-model.h: New file.
11807         * sm-file.cc: New file.
11808         * sm-malloc.cc: New file.
11809         * sm-malloc.dot: New file.
11810         * sm-pattern-test.cc: New file.
11811         * sm-sensitive.cc: New file.
11812         * sm-signal.cc: New file.
11813         * sm-taint.cc: New file.
11814         * sm.cc: New file.
11815         * sm.h: New file.
11816         * state-purge.cc: New file.
11817         * state-purge.h: New file.
11818         * supergraph.cc: New file.
11819         * supergraph.h: New file.
11821 2019-12-13  David Malcolm  <dmalcolm@redhat.com>
11823         * Initial creation
11826 Copyright (C) 2019-2024 Free Software Foundation, Inc.
11828 Copying and distribution of this file, with or without modification,
11829 are permitted in any medium without royalty provided the copyright
11830 notice and this notice are preserved.