| blob | 67d7f94ea3d4a8a94fa8f373e054d31d579d4044 |
1 /* Strict aliasing checks.
2 Copyright (C) 2007, 2008 Free Software Foundation, Inc.
3 Contributed by Silvius Rus <rus@google.com>.
5 This file is part of GCC.
7 GCC is free software; you can redistribute it and/or modify
8 it under the terms of the GNU General Public License as published by
9 the Free Software Foundation; either version 3, or (at your option)
10 any later version.
12 GCC is distributed in the hope that it will be useful,
13 but WITHOUT ANY WARRANTY; without even the implied warranty of
14 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
15 GNU General Public License for more details.
17 You should have received a copy of the GNU General Public License
18 along with GCC; see the file COPYING3. If not see
19 <http://www.gnu.org/licenses/>. */
38 /* Module to issue a warning when a program uses data through a type
39 different from the type through which the data were defined.
40 Implements -Wstrict-aliasing and -Wstrict-aliasing=n.
41 These checks only happen when -fstrict-aliasing is present.
43 The idea is to use the compiler to identify occurrences of nonstandard
44 aliasing, and report them to programmers. Programs free of such aliasing
45 are more portable, maintainable, and can usually be optimized better.
47 The current, as of April 2007, C and C++ language standards forbid
48 accessing data of type A through an lvalue of another type B,
49 with certain exceptions. See the C Standard ISO/IEC 9899:1999,
50 section 6.5, paragraph 7, and the C++ Standard ISO/IEC 14882:1998,
51 section 3.10, paragraph 15.
53 Example 1:*a is used as int but was defined as a float, *b.
54 int* a = ...;
55 float* b = reinterpret_cast<float*> (a);
56 *b = 2.0;
57 return *a
59 Unfortunately, the problem is in general undecidable if we take into
60 account arithmetic expressions such as array indices or pointer arithmetic.
61 (It is at least as hard as Peano arithmetic decidability.)
62 Even ignoring arithmetic, the problem is still NP-hard, because it is
63 at least as hard as flow-insensitive may-alias analysis, which was proved
64 NP-hard by Horwitz et al, TOPLAS 1997.
66 It is clear that we need to choose some heuristics.
67 Unfortunately, various users have different goals which correspond to
68 different time budgets so a common approach will not suit all.
69 We present the user with three effort/accuracy levels. By accuracy, we mean
70 a common-sense mix of low count of false positives with a
71 reasonably low number of false negatives. We are heavily biased
72 towards a low count of false positives.
73 The effort (compilation time) is likely to increase with the level.
75 -Wstrict-aliasing=1
76 ===================
77 Most aggressive, least accurate. Possibly useful when higher levels
78 do not warn but -fstrict-aliasing still breaks the code, as
79 it has very few false negatives.
80 Warn for all bad pointer conversions, even if never dereferenced.
81 Implemented in the front end (c-common.c).
82 Uses alias_sets_might_conflict to compare types.
84 -Wstrict-aliasing=2
85 ===================
86 Aggressive, not too precise.
87 May still have many false positives (not as many as level 1 though),
88 and few false negatives (but possibly more than level 1).
89 Runs only in the front end. Uses alias_sets_might_conflict to
90 compare types. Does not check for pointer dereferences.
91 Only warns when an address is taken. Warns about incomplete type punning.
93 -Wstrict-aliasing=3 (default)
94 ===================
95 Should have very few false positives and few false negatives.
96 Takes care of the common pun+dereference pattern in the front end:
97 *(int*)&some_float.
98 Takes care of multiple statement cases in the back end,
99 using flow-sensitive points-to information (-O required).
100 Uses alias_sets_conflict_p to compare types and only warns
101 when the converted pointer is dereferenced.
102 Does not warn about incomplete type punning.
104 Future improvements can be included by adding higher levels.
106 In summary, expression level analysis is performed in the front-end,
107 and multiple-statement analysis is performed in the backend.
108 The remainder of this discussion is only about the backend analysis.
110 This implementation uses flow-sensitive points-to information.
111 Flow-sensitivity refers to accesses to the pointer, and not the object
112 pointed. For instance, we do not warn about the following case.
114 Example 2.
115 int* a = (int*)malloc (...);
116 float* b = reinterpret_cast<float*> (a);
117 *b = 2.0;
118 a = (int*)malloc (...);
119 return *a;
121 In SSA, it becomes clear that the INT value *A_2 referenced in the
122 return statement is not aliased to the FLOAT defined through *B_1.
123 int* a_1 = (int*)malloc (...);
124 float* b_1 = reinterpret_cast<float*> (a_1);
125 *b_1 = 2.0;
126 a_2 = (int*)malloc (...);
127 return *a_2;
130 Algorithm Outline
131 =================
133 ForEach (ptr, object) in the points-to table
134 If (incompatible_types (*ptr, object))
135 If (referenced (ptr, current function)
136 and referenced (object, current function))
137 Issue warning (ptr, object, reference locations)
139 The complexity is:
140 O (sizeof (points-to table)
141 + sizeof (function body) * lookup_time (points-to table))
143 Pointer dereference locations are looked up on demand. The search is
144 a single scan of the function body, in which all references to pointers
145 and objects in the points-to table are recorded. However, this dominant
146 time factor occurs rarely, only when cross-type aliasing was detected.
149 Limitations of the Proposed Implementation
150 ==========================================
152 1. We do not catch the following case, because -fstrict-aliasing will
153 associate different tags with MEM while building points-to information,
154 thus before we get to analyze it.
155 XXX: this could be solved by either running with -fno-strict-aliasing
156 or by recording the points-to information before splitting the original
157 tag based on type.
159 Example 3.
160 void* mem = malloc (...);
161 int* pi = reinterpret_cast<int*> (mem);
162 float* b = reinterpret_cast<float*> (mem);
163 *b = 2.0;
164 return *pi+1;
166 2. We do not check whether the two conflicting (de)references can
167 reach each other in the control flow sense. If we fixed limitation
168 1, we would wrongly issue a warning in the following case.
170 Example 4.
171 void* raw = malloc (...);
172 if (...) {
173 float* b = reinterpret_cast<float*> (raw);
174 *b = 2.0;
175 return (int)*b;
176 } else {
177 int* a = reinterpret_cast<int*> (raw);
178 *a = 1;
179 return *a;
181 3. Only simple types are compared, thus no structures, unions or classes
182 are analyzed. A first attempt to deal with structures introduced much
183 complication and has not showed much improvement in preliminary tests,
184 so it was left out.
186 4. All analysis is intraprocedural. */
189 /* Local declarations. */
191 \f
194 /* Get main type of tree TYPE, stripping array dimensions and qualifiers. */
196 static tree
198 {
202 }
205 /* Get the type of the given object. If IS_PTR is true, get the type of the
206 object pointed to or referenced by OBJECT instead.
207 For arrays, return the element type. Ignore all qualifiers. */
209 static tree
211 {
215 {
218 }
220 }
223 /* Return true if tree TYPE is struct, class or union. */
225 static bool
227 {
231 }
232 \f
235 /* Keep data during a search for an aliasing site.
236 RHS = object or pointer aliased. No LHS is specified because we are only
237 looking in the UseDef paths of a given variable, so LHS will always be
238 an SSA name of the same variable.
239 When IS_RHS_POINTER = true, we are looking for ... = RHS. Otherwise,
240 we are looking for ... = &RHS.
241 SITE is the output of a search, non-NULL if the search succeeded. */
243 struct alias_match
244 {
245 tree rhs;
247 gimple site;
248 };
251 /* Callback for find_alias_site. Return true if the right hand site
252 of STMT matches DATA. */
254 static bool
256 {
265 /* Not a type conversion. */
274 /* Type conversion, but not a name match. */
277 /* Found it. */
280 }
283 /* Find the statement where OBJECT1 gets aliased to OBJECT2.
284 If IS_PTR2 is true, consider OBJECT2 to be the name of a pointer or
285 reference rather than the actual aliased object.
286 For now, just implement the case where OBJECT1 is an SSA name defined
287 by a PHI statement. */
289 static gimple
292 {
304 }
307 /* Structure to store temporary results when trying to figure out whether
308 an object is referenced. Just its presence in the text is not enough,
309 as we may just be taking its address. */
311 struct match_info
312 {
313 tree object;
315 /* The difference between the number of references to OBJECT
316 and the number of occurrences of &OBJECT. */
318 };
321 /* Return the base if EXPR is an SSA name. Return EXPR otherwise. */
323 static tree
325 {
328 else
330 }
333 /* Record references to objects and pointer dereferences across some piece of
334 code. The number of references is recorded for each item.
335 References to an object just to take its address are not counted.
336 For instance, if PTR is a pointer and OBJ is an object:
337 1. Expression &obj + *ptr will have the following reference match structure:
338 ptrs: <ptr, 1>
339 objs: <ptr, 1>
340 OBJ does not appear as referenced because we just take its address.
341 2. Expression ptr + *ptr will have the following reference match structure:
342 ptrs: <ptr, 1>
343 objs: <ptr, 2>
344 PTR shows up twice as an object, but is dereferenced only once.
346 The elements of the hash tables are gimple_map objects. */
347 struct reference_matches
348 {
349 htab_t ptrs;
350 htab_t objs;
351 };
353 struct gimple_tree_map
354 {
355 tree from;
356 gimple to;
357 };
359 /* Return true if the from tree in both gimple-tree maps are equal.
360 VA and VB are really instances of struct gimple_tree_map. */
362 static int
364 {
368 }
370 /* Hash a from tree in a gimple_tree_map. ITEM is really an instance
371 of struct gimple_tree_map. */
373 static unsigned int
375 {
377 }
379 /* Return the match, if any. Otherwise, return NULL. It will return
380 NULL even when a match was found, if the value associated to KEY is
381 NULL. */
385 {
396 }
399 /* Set the entry corresponding to KEY, but only if the entry
400 already exists and its value is NULL_TREE. Otherwise, do nothing. */
404 {
411 }
414 /* Add an entry to HT, with key T and value NULL_TREE. */
416 static void
418 {
428 }
431 /* Some memory to keep the objects in the reference table. */
436 /* Get some memory to keep the objects in the reference table. */
440 {
449 }
452 /* Initialize the reference table by adding all pointers in the points-to
453 table as keys, and NULL_TREE as associated values. */
457 {
464 NULL);
466 NULL);
469 {
479 {
480 /* Add pointer to the interesting dereference list. */
483 /* Add all aliased names to the interesting reference list. */
485 {
487 bitmap_iterator bi;
490 {
493 }
494 }
495 }
496 }
499 }
502 /* Reference table. */
507 /* Clean up the reference table if allocated. */
509 static void
511 {
513 {
518 }
521 {
524 }
525 }
528 /* Get the reference table. Initialize it if needed. */
532 {
539 }
542 /* Callback for find_references_in_function.
543 Check whether *TP is an object reference or pointer dereference for the
544 variables given in ((struct match_info*)DATA)->OBJS or
545 ((struct match_info*)DATA)->PTRS. The total number of references
546 is stored in the same structures. */
548 static tree
552 {
557 /* Do not report references just for the purpose of taking an address.
558 XXX: we rely on the fact that the tree walk is in preorder
559 and that ADDR_EXPR is not a leaf, thus cannot be carried over across
560 walks. */
567 {
570 }
571 else
572 {
575 }
577 finish:
580 }
583 /* Find all the references to aliased variables in the current function. */
585 static void
587 {
588 basic_block bb;
589 gimple_stmt_iterator i;
593 {
598 }
599 }
602 /* Find the reference site for OBJECT.
603 If IS_PTR is true, look for dereferences of OBJECT instead.
604 XXX: only the first site is returned in the current
605 implementation. If there are no matching sites, return NULL_TREE. */
607 static gimple
609 {
612 else
614 }
617 /* Try to get more location info when something is missing.
618 OBJECT1 and OBJECT2 are aliased names. If IS_PTR1 or IS_PTR2, the alias
619 is on the memory referenced or pointed to by OBJECT1 and OBJECT2.
620 ALIAS_SITE, DEREF_SITE1 and DEREF_SITE2 are the statements where the
621 alias takes place (some pointer assignment usually) and where the
622 alias is referenced through OBJECT1 and OBJECT2 respectively.
623 REF_TYPE1 and REF_TYPE2 will return the type of the reference at the
624 respective sites. Only the first matching reference is returned for
625 each name. If no statement is found, the function header is returned. */
627 static void
633 {
635 {
644 }
646 /* If we could not find the alias site, set it to one of the dereference
647 sites, if available. */
649 {
654 }
656 /* If we could not find the dereference sites, set them to the alias site,
657 if known. */
662 }
665 /* Callback for find_first_artificial_name.
666 Find out if there are no artificial names at tree node *T. */
668 static tree
672 {
675 else
677 }
679 /* Return the first artificial name within EXPR, or NULL_TREE if
680 none exists. */
682 static tree
684 {
686 }
689 /* Get a name from the original program for VAR. */
693 {
705 }
708 /* Return "*" if OBJECT is not the actual alias but a pointer to it, or
709 "" otherwise.
710 IS_PTR is true when OBJECT is not the actual alias.
711 In addition to checking IS_PTR, we also make sure that OBJECT is a pointer
712 since IS_PTR would also be true for C++ references, but we should only
713 print a * before a pointer and not before a reference. */
717 {
721 }
723 /* Callback for contains_node_type_p.
724 Returns true if *T has tree code *(int*)DATA. */
726 static tree
730 {
732 }
735 /* Return true if T contains a node with tree code TYPE. */
737 static bool
739 {
743 }
746 /* Return true if a warning was issued in the front end at STMT. */
748 static bool
750 {
757 else
759 }
762 /* Return true if and only if TYPE is a function or method pointer type,
763 or pointer to a pointer to ... to a function or method. */
765 static bool
767 {
771 }
774 /* Issue a -Wstrict-aliasing warning.
775 OBJECT1 and OBJECT2 are aliased names.
776 If IS_PTR1 and/or IS_PTR2 is true, then the corresponding name
777 OBJECT1/OBJECT2 is a pointer or reference to the aliased memory,
778 rather than actual storage.
779 ALIAS_SITE is a statement where the alias took place. In the most common
780 case, that is where a pointer was assigned to the address of an object. */
782 static bool
787 {
792 location_t alias_loc;
793 location_t ref1_loc;
794 location_t ref2_loc;
809 else
814 else
819 else
825 /* If they are not SSA names, but contain SSA names, drop the warning
826 because it cannot be displayed well.
827 Also drop it if they both contain artificials.
828 XXX: this is a hack, must figure out a better way to display them. */
839 /* XXX: In the following format string, %s:%d should be replaced by %H.
840 However, in my tests only the first %H printed ok, while the
841 second and third were printed as blanks. */
843 "%Hlikely type-punning may break strict-aliasing rules: "
844 "object %<%s%s%> of main type %qT is referenced at or around "
845 "%s:%d and may be "
846 "aliased to object %<%s%s%> of main type %qT which is referenced "
857 }
858 \f
861 /* Return true when any objects of TYPE1 and TYPE2 respectively
862 may not be aliased according to the language standard. */
864 static bool
866 {
867 alias_set_type set1;
868 alias_set_type set2;
876 }
877 \f
880 /* Returns true when *PTR may not be aliased to ALIAS.
881 See C standard 6.5p7 and C++ standard 3.10p15.
882 If PTR_PTR is true, ALIAS represents a pointer or reference to the
883 aliased storage rather than its actual name. */
885 static bool
887 {
888 /* Find the types to compare. */
892 /* XXX: for now, say it's OK if the alias escapes.
893 Not sure this is needed in general, but otherwise GCC will not
894 bootstrap. */
898 /* XXX: don't get into structures for now. It brings much complication
899 and little benefit. */
903 /* If they are both SSA names of artificials, let it go, the warning
904 is too confusing. */
908 /* Compare the types. */
910 }
913 /* Return true when we should skip analysis for pointer PTR based on the
914 fact that their alias information *PI is not considered relevant. */
916 static bool
918 {
919 /* If it is not dereferenced, it is not a problem (locally). */
923 /* This would probably cause too many false positives. */
928 }
931 /* Find aliasing to named objects for pointer PTR. */
933 static void
935 {
939 {
943 /* For all the variables it could be aliased to. */
945 {
947 bitmap_iterator bi;
951 {
957 else
959 }
961 /* If there was no object in the points-to set that the pointer
962 may alias, unconditionally warn. */
965 "dereferencing type-punned pointer %D will "
967 }
968 }
969 }
972 /* Detect and report strict aliasing violation of named objects. */
974 static void
976 {
980 {
991 }
992 }
995 /* Return false only the first time I see each instance of FUNC. */
997 static bool
999 {
1015 }
1018 /* Detect and warn about type-punning using points-to information. */
1020 void
1022 {
1025 {
1028 }
1029 }