search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
[RS6000] Power10 ICE running gcc.target/powerpc/ppc-ne0-1.c
[official-gcc.git] / gcc / tree-ssa-strlen.c
blobebb17cd852c87a6323f64d326858a144963556a1
1 /* String length optimization
2 Copyright (C) 2011-2020 Free Software Foundation, Inc.
3 Contributed by Jakub Jelinek <jakub@redhat.com>
4
5 This file is part of GCC.
6
7 GCC is free software; you can redistribute it and/or modify
8 it under the terms of the GNU General Public License as published by
9 the Free Software Foundation; either version 3, or (at your option)
10 any later version.
11
12 GCC is distributed in the hope that it will be useful,
13 but WITHOUT ANY WARRANTY; without even the implied warranty of
14 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
15 GNU General Public License for more details.
16
17 You should have received a copy of the GNU General Public License
18 along with GCC; see the file COPYING3. If not see
19 <http://www.gnu.org/licenses/>. */
20
21 #include "config.h"
22 #include "system.h"
23 #include "coretypes.h"
24 #include "backend.h"
25 #include "rtl.h"
26 #include "tree.h"
27 #include "gimple.h"
28 #include "alloc-pool.h"
29 #include "tree-pass.h"
30 #include "ssa.h"
31 #include "cgraph.h"
32 #include "gimple-pretty-print.h"
33 #include "gimple-ssa-warn-restrict.h"
34 #include "fold-const.h"
35 #include "stor-layout.h"
36 #include "gimple-fold.h"
37 #include "tree-eh.h"
38 #include "gimplify.h"
39 #include "gimple-iterator.h"
40 #include "gimplify-me.h"
41 #include "expr.h"
42 #include "tree-cfg.h"
43 #include "tree-dfa.h"
44 #include "domwalk.h"
45 #include "tree-ssa-alias.h"
46 #include "tree-ssa-propagate.h"
47 #include "tree-ssa-strlen.h"
48 #include "tree-hash-traits.h"
49 #include "tree-object-size.h"
50 #include "builtins.h"
51 #include "target.h"
52 #include "diagnostic-core.h"
53 #include "diagnostic.h"
54 #include "intl.h"
55 #include "attribs.h"
56 #include "calls.h"
57 #include "cfgloop.h"
58 #include "tree-ssa-loop.h"
59 #include "tree-scalar-evolution.h"
60 #include "vr-values.h"
61 #include "gimple-ssa-evrp-analyze.h"
62 #include "tree-ssa.h"
63
64 /* A vector indexed by SSA_NAME_VERSION. 0 means unknown, positive value
65 is an index into strinfo vector, negative value stands for
66 string length of a string literal (~strlen). */
67 static vec<int> ssa_ver_to_stridx;
68
69 /* Number of currently active string indexes plus one. */
70 static int max_stridx;
71
72 /* Set to true to optimize, false when just checking. */
73 static bool strlen_optimize;
74
75 /* String information record. */
76 struct strinfo
77 {
78 /* Number of leading characters that are known to be nonzero. This is
79 also the length of the string if FULL_STRING_P.
80
81 The values in a list of related string pointers must be consistent;
82 that is, if strinfo B comes X bytes after strinfo A, it must be
83 the case that A->nonzero_chars == X + B->nonzero_chars. */
84 tree nonzero_chars;
85 /* Any of the corresponding pointers for querying alias oracle. */
86 tree ptr;
87 /* STMT is used for two things:
88
89 - To record the statement that should be used for delayed length
90 computations. We maintain the invariant that all related strinfos
91 have delayed lengths or none do.
92
93 - To record the malloc or calloc call that produced this result
94 to optimize away malloc/memset sequences. STMT is reset after
95 a calloc-allocated object has been stored a non-zero value into. */
96 gimple *stmt;
97 /* Set to the dynamic allocation statement for the object (alloca,
98 calloc, malloc, or VLA). Unlike STMT, once set for a strinfo
99 object, ALLOC doesn't change. */
100 gimple *alloc;
101 /* Pointer to '\0' if known, if NULL, it can be computed as
102 ptr + length. */
103 tree endptr;
104 /* Reference count. Any changes to strinfo entry possibly shared
105 with dominating basic blocks need unshare_strinfo first, except
106 for dont_invalidate which affects only the immediately next
107 maybe_invalidate. */
108 int refcount;
109 /* Copy of index. get_strinfo (si->idx) should return si; */
110 int idx;
111 /* These 3 fields are for chaining related string pointers together.
112 E.g. for
113 bl = strlen (b); dl = strlen (d); strcpy (a, b); c = a + bl;
114 strcpy (c, d); e = c + dl;
115 strinfo(a) -> strinfo(c) -> strinfo(e)
116 All have ->first field equal to strinfo(a)->idx and are doubly
117 chained through prev/next fields. The later strinfos are required
118 to point into the same string with zero or more bytes after
119 the previous pointer and all bytes in between the two pointers
120 must be non-zero. Functions like strcpy or memcpy are supposed
121 to adjust all previous strinfo lengths, but not following strinfo
122 lengths (those are uncertain, usually invalidated during
123 maybe_invalidate, except when the alias oracle knows better).
124 Functions like strcat on the other side adjust the whole
125 related strinfo chain.
126 They are updated lazily, so to use the chain the same first fields
127 and si->prev->next == si->idx needs to be verified. */
128 int first;
129 int next;
130 int prev;
131 /* A flag whether the string is known to be written in the current
132 function. */
133 bool writable;
134 /* A flag for the next maybe_invalidate that this strinfo shouldn't
135 be invalidated. Always cleared by maybe_invalidate. */
136 bool dont_invalidate;
137 /* True if the string is known to be nul-terminated after NONZERO_CHARS
138 characters. False is useful when detecting strings that are built
139 up via successive memcpys. */
140 bool full_string_p;
141 };
142
143 /* Pool for allocating strinfo_struct entries. */
144 static object_allocator<strinfo> strinfo_pool ("strinfo pool");
145
146 /* Vector mapping positive string indexes to strinfo, for the
147 current basic block. The first pointer in the vector is special,
148 it is either NULL, meaning the vector isn't shared, or it is
149 a basic block pointer to the owner basic_block if shared.
150 If some other bb wants to modify the vector, the vector needs
151 to be unshared first, and only the owner bb is supposed to free it. */
152 static vec<strinfo *, va_heap, vl_embed> *stridx_to_strinfo;
153
154 /* One OFFSET->IDX mapping. */
155 struct stridxlist
156 {
157 struct stridxlist *next;
158 HOST_WIDE_INT offset;
159 int idx;
160 };
161
162 /* Hash table entry, mapping a DECL to a chain of OFFSET->IDX mappings. */
163 struct decl_stridxlist_map
164 {
165 struct tree_map_base base;
166 struct stridxlist list;
167 };
168
169 /* Hash table for mapping decls to a chained list of offset -> idx
170 mappings. */
171 typedef hash_map<tree_decl_hash, stridxlist> decl_to_stridxlist_htab_t;
172 static decl_to_stridxlist_htab_t *decl_to_stridxlist_htab;
173
174 /* Hash table mapping strlen (or strnlen with constant bound and return
175 smaller than bound) calls to stridx instances describing
176 the calls' arguments. Non-null only when warn_stringop_truncation
177 is non-zero. */
178 typedef std::pair<int, location_t> stridx_strlenloc;
179 static hash_map<tree, stridx_strlenloc> *strlen_to_stridx;
180
181 /* Obstack for struct stridxlist and struct decl_stridxlist_map. */
182 static struct obstack stridx_obstack;
183
184 /* Last memcpy statement if it could be adjusted if the trailing
185 '\0' written is immediately overwritten, or
186 *x = '\0' store that could be removed if it is immediately overwritten. */
187 struct laststmt_struct
188 {
189 gimple *stmt;
190 tree len;
191 int stridx;
192 } laststmt;
193
194 static int get_stridx_plus_constant (strinfo *, unsigned HOST_WIDE_INT, tree);
195 static void handle_builtin_stxncpy_strncat (bool, gimple_stmt_iterator *);
196
197 /* Sets MINMAX to either the constant value or the range VAL is in
198 and returns either the constant value or VAL on success or null
199 when the range couldn't be determined. Uses RVALS when nonnull
200 to determine the range, otherwise get_range_info. */
201
202 tree
203 get_range (tree val, gimple *stmt, wide_int minmax[2],
204 range_query *rvals /* = NULL */)
205 {
206 if (TREE_CODE (val) == INTEGER_CST)
207 {
208 minmax[0] = minmax[1] = wi::to_wide (val);
209 return val;
210 }
211
212 if (TREE_CODE (val) != SSA_NAME)
213 return NULL_TREE;
214
215 if (rvals && stmt)
216 {
217 value_range vr;
218 if (!rvals->range_of_expr (vr, val, stmt))
219 return NULL_TREE;
220 value_range_kind rng = vr.kind ();
221 if (rng != VR_RANGE)
222 return NULL_TREE;
223
224 minmax[0] = wi::to_wide (vr.min ());
225 minmax[1] = wi::to_wide (vr.max ());
226 return val;
227 }
228
229 value_range_kind rng = get_range_info (val, minmax, minmax + 1);
230 if (rng == VR_RANGE)
231 /* This may be an inverted range whose MINMAX[1] < MINMAX[0]. */
232 return val;
233
234 if (rng == VR_ANTI_RANGE)
235 {
236 /* An anti-range is the same as an ordinary range with inverted
237 bounds (where MINMAX[1] < MINMAX[0] is true) that may result
238 from the conversion of a signed anti-range to unsigned. */
239 wide_int tmp = minmax[0];
240 minmax[0] = minmax[1] + 1;
241 minmax[1] = wi::sub (tmp, 1);
242 return val;
243 }
244
245 /* Do not handle anti-ranges and instead make use of the on-demand
246 VRP if/when it becomes available (hopefully in GCC 11). */
247 return NULL_TREE;
248 }
249
250 /* Return:
251
252 * +1 if SI is known to start with more than OFF nonzero characters.
253
254 * 0 if SI is known to start with exactly OFF nonzero characters.
255
256 * -1 if SI either does not start with OFF nonzero characters
257 or the relationship between the number of leading nonzero
258 characters in SI and OFF is unknown. */
259
260 static inline int
261 compare_nonzero_chars (strinfo *si, unsigned HOST_WIDE_INT off)
262 {
263 if (si->nonzero_chars
264 && TREE_CODE (si->nonzero_chars) == INTEGER_CST)
265 return compare_tree_int (si->nonzero_chars, off);
266 else
267 return -1;
268 }
269
270 /* Same as above but suitable also for strings with non-constant lengths.
271 Uses RVALS to determine length range. */
272
273 static int
274 compare_nonzero_chars (strinfo *si, unsigned HOST_WIDE_INT off,
275 range_query *rvals)
276 {
277 if (!si->nonzero_chars)
278 return -1;
279
280 if (TREE_CODE (si->nonzero_chars) == INTEGER_CST)
281 return compare_tree_int (si->nonzero_chars, off);
282
283 if (!rvals || TREE_CODE (si->nonzero_chars) != SSA_NAME)
284 return -1;
285
286 value_range vr;
287 if (!rvals->range_of_expr (vr, si->nonzero_chars, si->stmt))
288 return -1;
289 value_range_kind rng = vr.kind ();
290 if (rng != VR_RANGE)
291 return -1;
292
293 /* If the offset is less than the minimum length or if the bounds
294 of the length range are equal return the result of the comparison
295 same as in the constant case. Otherwise return a conservative
296 result. */
297 int cmpmin = compare_tree_int (vr.min (), off);
298 if (cmpmin > 0 || tree_int_cst_equal (vr.min (), vr.max ()))
299 return cmpmin;
300
301 return -1;
302 }
303
304 /* Return true if SI is known to be a zero-length string. */
305
306 static inline bool
307 zero_length_string_p (strinfo *si)
308 {
309 return si->full_string_p && integer_zerop (si->nonzero_chars);
310 }
311
312 /* Return strinfo vector entry IDX. */
313
314 static inline strinfo *
315 get_strinfo (int idx)
316 {
317 if (vec_safe_length (stridx_to_strinfo) <= (unsigned int) idx)
318 return NULL;
319 return (*stridx_to_strinfo)[idx];
320 }
321
322 /* Get the next strinfo in the chain after SI, or null if none. */
323
324 static inline strinfo *
325 get_next_strinfo (strinfo *si)
326 {
327 if (si->next == 0)
328 return NULL;
329 strinfo *nextsi = get_strinfo (si->next);
330 if (nextsi == NULL || nextsi->first != si->first || nextsi->prev != si->idx)
331 return NULL;
332 return nextsi;
333 }
334
335 /* Helper function for get_stridx. Return the strinfo index of the address
336 of EXP, which is available in PTR if nonnull. If OFFSET_OUT, it is
337 OK to return the index for some X <= &EXP and store &EXP - X in
338 *OFFSET_OUT. When RVALS is nonnull uses it to determine range
339 information. */
340
341 static int
342 get_addr_stridx (tree exp, tree ptr, unsigned HOST_WIDE_INT *offset_out,
343 range_query *rvals = NULL)
344 {
345 HOST_WIDE_INT off;
346 struct stridxlist *list, *last = NULL;
347 tree base;
348
349 if (!decl_to_stridxlist_htab)
350 return 0;
351
352 poly_int64 poff;
353 base = get_addr_base_and_unit_offset (exp, &poff);
354 if (base == NULL || !DECL_P (base) || !poff.is_constant (&off))
355 return 0;
356
357 list = decl_to_stridxlist_htab->get (base);
358 if (list == NULL)
359 return 0;
360
361 do
362 {
363 if (list->offset == off)
364 {
365 if (offset_out)
366 *offset_out = 0;
367 return list->idx;
368 }
369 if (list->offset > off)
370 return 0;
371 last = list;
372 list = list->next;
373 }
374 while (list);
375
376 if ((offset_out || ptr) && last && last->idx > 0)
377 {
378 unsigned HOST_WIDE_INT rel_off
379 = (unsigned HOST_WIDE_INT) off - last->offset;
380 strinfo *si = get_strinfo (last->idx);
381 if (si && compare_nonzero_chars (si, rel_off, rvals) >= 0)
382 {
383 if (offset_out)
384 {
385 *offset_out = rel_off;
386 return last->idx;
387 }
388 else
389 return get_stridx_plus_constant (si, rel_off, ptr);
390 }
391 }
392 return 0;
393 }
394
395 /* Returns string index for EXP. When EXP is an SSA_NAME that refers
396 to a known strinfo with an offset and OFFRNG is non-null, sets
397 both elements of the OFFRNG array to the range of the offset and
398 returns the index of the known strinfo. In this case the result
399 must not be used in for functions that modify the string.
400 When nonnull, uses RVALS to determine range information. */
401
402 static int
403 get_stridx (tree exp, wide_int offrng[2] = NULL, range_query *rvals = NULL)
404 {
405 if (offrng)
406 offrng[0] = offrng[1] = wi::zero (TYPE_PRECISION (ptrdiff_type_node));
407
408 if (TREE_CODE (exp) == SSA_NAME)
409 {
410 if (ssa_ver_to_stridx[SSA_NAME_VERSION (exp)])
411 return ssa_ver_to_stridx[SSA_NAME_VERSION (exp)];
412
413 tree e = exp;
414 int last_idx = 0;
415 HOST_WIDE_INT offset = 0;
416 /* Follow a chain of at most 5 assignments. */
417 for (int i = 0; i < 5; i++)
418 {
419 gimple *def_stmt = SSA_NAME_DEF_STMT (e);
420 if (!is_gimple_assign (def_stmt))
421 return last_idx;
422
423 tree_code rhs_code = gimple_assign_rhs_code (def_stmt);
424 tree ptr, off;
425
426 if (rhs_code == ADDR_EXPR)
427 {
428 /* Handle indices/offsets into VLAs which are implemented
429 as pointers to arrays. */
430 ptr = gimple_assign_rhs1 (def_stmt);
431 ptr = TREE_OPERAND (ptr, 0);
432
433 /* Handle also VLAs of types larger than char. */
434 if (tree eltsize = TYPE_SIZE_UNIT (TREE_TYPE (ptr)))
435 {
436 if (TREE_CODE (ptr) == ARRAY_REF)
437 {
438 off = TREE_OPERAND (ptr, 1);
439 ptr = TREE_OPERAND (ptr, 0);
440 if (!integer_onep (eltsize))
441 {
442 /* Scale the array index by the size of the element
443 type in the rare case that it's greater than
444 the typical 1 for char, making sure both operands
445 have the same type. */
446 eltsize = fold_convert (ssizetype, eltsize);
447 off = fold_convert (ssizetype, off);
448 off = fold_build2 (MULT_EXPR, ssizetype, off, eltsize);
449 }
450 }
451 else
452 off = integer_zero_node;
453 }
454 else
455 return 0;
456
457 if (TREE_CODE (ptr) != MEM_REF)
458 return 0;
459
460 /* Add the MEM_REF byte offset. */
461 tree mem_off = TREE_OPERAND (ptr, 1);
462 off = fold_build2 (PLUS_EXPR, TREE_TYPE (off), off, mem_off);
463 ptr = TREE_OPERAND (ptr, 0);
464 }
465 else if (rhs_code == POINTER_PLUS_EXPR)
466 {
467 ptr = gimple_assign_rhs1 (def_stmt);
468 off = gimple_assign_rhs2 (def_stmt);
469 }
470 else
471 return 0;
472
473 if (TREE_CODE (ptr) != SSA_NAME)
474 return 0;
475
476 if (!tree_fits_shwi_p (off))
477 {
478 if (int idx = ssa_ver_to_stridx[SSA_NAME_VERSION (ptr)])
479 if (offrng)
480 {
481 /* Only when requested by setting OFFRNG to non-null,
482 return the index corresponding to the SSA_NAME.
483 Do this irrespective of the whether the offset
484 is known. */
485 if (get_range (off, def_stmt, offrng, rvals))
486 {
487 /* When the offset range is known, increment it
488 it by the constant offset computed in prior
489 iterations and store it in the OFFRNG array. */
490 offrng[0] += offset;
491 offrng[1] += offset;
492 }
493 else
494 {
495 /* When the offset range cannot be determined
496 store [0, SIZE_MAX] and let the caller decide
497 if the offset matters. */
498 offrng[1] = wi::to_wide (TYPE_MAX_VALUE (sizetype));
499 offrng[0] = wi::zero (offrng[1].get_precision ());
500 }
501 return idx;
502 }
503 return 0;
504 }
505
506 HOST_WIDE_INT this_off = tree_to_shwi (off);
507 if (offrng)
508 {
509 offrng[0] += wi::shwi (this_off, offrng->get_precision ());
510 offrng[1] += offrng[0];
511 }
512
513 if (this_off < 0)
514 return last_idx;
515
516 offset = (unsigned HOST_WIDE_INT) offset + this_off;
517 if (offset < 0)
518 return last_idx;
519
520 if (int idx = ssa_ver_to_stridx[SSA_NAME_VERSION (ptr)])
521 {
522 strinfo *si = get_strinfo (idx);
523 if (si)
524 {
525 if (compare_nonzero_chars (si, offset) >= 0)
526 return get_stridx_plus_constant (si, offset, exp);
527
528 if (offrng)
529 last_idx = idx;
530 }
531 }
532 e = ptr;
533 }
534
535 return last_idx;
536 }
537
538 if (TREE_CODE (exp) == ADDR_EXPR)
539 {
540 int idx = get_addr_stridx (TREE_OPERAND (exp, 0), exp, NULL);
541 if (idx != 0)
542 return idx;
543 }
544
545 const char *p = c_getstr (exp);
546 if (p)
547 return ~(int) strlen (p);
548
549 return 0;
550 }
551
552 /* Return true if strinfo vector is shared with the immediate dominator. */
553
554 static inline bool
555 strinfo_shared (void)
556 {
557 return vec_safe_length (stridx_to_strinfo)
558 && (*stridx_to_strinfo)[0] != NULL;
559 }
560
561 /* Unshare strinfo vector that is shared with the immediate dominator. */
562
563 static void
564 unshare_strinfo_vec (void)
565 {
566 strinfo *si;
567 unsigned int i = 0;
568
569 gcc_assert (strinfo_shared ());
570 stridx_to_strinfo = vec_safe_copy (stridx_to_strinfo);
571 for (i = 1; vec_safe_iterate (stridx_to_strinfo, i, &si); ++i)
572 if (si != NULL)
573 si->refcount++;
574 (*stridx_to_strinfo)[0] = NULL;
575 }
576
577 /* Attempt to create a string index for exp, ADDR_EXPR's operand.
578 Return a pointer to the location where the string index can
579 be stored (if 0) or is stored, or NULL if this can't be tracked. */
580
581 static int *
582 addr_stridxptr (tree exp)
583 {
584 HOST_WIDE_INT off;
585
586 poly_int64 poff;
587 tree base = get_addr_base_and_unit_offset (exp, &poff);
588 if (base == NULL_TREE || !DECL_P (base) || !poff.is_constant (&off))
589 return NULL;
590
591 if (!decl_to_stridxlist_htab)
592 {
593 decl_to_stridxlist_htab
594 = new hash_map<tree_decl_hash, stridxlist> (64);
595 gcc_obstack_init (&stridx_obstack);
596 }
597
598 bool existed;
599 stridxlist *list = &decl_to_stridxlist_htab->get_or_insert (base, &existed);
600 if (existed)
601 {
602 int i;
603 stridxlist *before = NULL;
604 for (i = 0; i < 32; i++)
605 {
606 if (list->offset == off)
607 return &list->idx;
608 if (list->offset > off && before == NULL)
609 before = list;
610 if (list->next == NULL)
611 break;
612 list = list->next;
613 }
614 if (i == 32)
615 return NULL;
616 if (before)
617 {
618 list = before;
619 before = XOBNEW (&stridx_obstack, struct stridxlist);
620 *before = *list;
621 list->next = before;
622 list->offset = off;
623 list->idx = 0;
624 return &list->idx;
625 }
626 list->next = XOBNEW (&stridx_obstack, struct stridxlist);
627 list = list->next;
628 }
629
630 list->next = NULL;
631 list->offset = off;
632 list->idx = 0;
633 return &list->idx;
634 }
635
636 /* Create a new string index, or return 0 if reached limit. */
637
638 static int
639 new_stridx (tree exp)
640 {
641 int idx;
642 if (max_stridx >= param_max_tracked_strlens)
643 return 0;
644 if (TREE_CODE (exp) == SSA_NAME)
645 {
646 if (SSA_NAME_OCCURS_IN_ABNORMAL_PHI (exp))
647 return 0;
648 idx = max_stridx++;
649 ssa_ver_to_stridx[SSA_NAME_VERSION (exp)] = idx;
650 return idx;
651 }
652 if (TREE_CODE (exp) == ADDR_EXPR)
653 {
654 int *pidx = addr_stridxptr (TREE_OPERAND (exp, 0));
655 if (pidx != NULL)
656 {
657 gcc_assert (*pidx == 0);
658 *pidx = max_stridx++;
659 return *pidx;
660 }
661 }
662 return 0;
663 }
664
665 /* Like new_stridx, but for ADDR_EXPR's operand instead. */
666
667 static int
668 new_addr_stridx (tree exp)
669 {
670 int *pidx;
671 if (max_stridx >= param_max_tracked_strlens)
672 return 0;
673 pidx = addr_stridxptr (exp);
674 if (pidx != NULL)
675 {
676 gcc_assert (*pidx == 0);
677 *pidx = max_stridx++;
678 return *pidx;
679 }
680 return 0;
681 }
682
683 /* Create a new strinfo. */
684
685 static strinfo *
686 new_strinfo (tree ptr, int idx, tree nonzero_chars, bool full_string_p)
687 {
688 strinfo *si = strinfo_pool.allocate ();
689 si->nonzero_chars = nonzero_chars;
690 STRIP_USELESS_TYPE_CONVERSION (ptr);
691 si->ptr = ptr;
692 si->stmt = NULL;
693 si->alloc = NULL;
694 si->endptr = NULL_TREE;
695 si->refcount = 1;
696 si->idx = idx;
697 si->first = 0;
698 si->prev = 0;
699 si->next = 0;
700 si->writable = false;
701 si->dont_invalidate = false;
702 si->full_string_p = full_string_p;
703 return si;
704 }
705
706 /* Decrease strinfo refcount and free it if not referenced anymore. */
707
708 static inline void
709 free_strinfo (strinfo *si)
710 {
711 if (si && --si->refcount == 0)
712 strinfo_pool.remove (si);
713 }
714
715 /* Set strinfo in the vector entry IDX to SI. */
716
717 static inline void
718 set_strinfo (int idx, strinfo *si)
719 {
720 if (vec_safe_length (stridx_to_strinfo) && (*stridx_to_strinfo)[0])
721 unshare_strinfo_vec ();
722 if (vec_safe_length (stridx_to_strinfo) <= (unsigned int) idx)
723 vec_safe_grow_cleared (stridx_to_strinfo, idx + 1, true);
724 (*stridx_to_strinfo)[idx] = si;
725 }
726
727 /* Return the first strinfo in the related strinfo chain
728 if all strinfos in between belong to the chain, otherwise NULL. */
729
730 static strinfo *
731 verify_related_strinfos (strinfo *origsi)
732 {
733 strinfo *si = origsi, *psi;
734
735 if (origsi->first == 0)
736 return NULL;
737 for (; si->prev; si = psi)
738 {
739 if (si->first != origsi->first)
740 return NULL;
741 psi = get_strinfo (si->prev);
742 if (psi == NULL)
743 return NULL;
744 if (psi->next != si->idx)
745 return NULL;
746 }
747 if (si->idx != si->first)
748 return NULL;
749 return si;
750 }
751
752 /* Set SI's endptr to ENDPTR and compute its length based on SI->ptr.
753 Use LOC for folding. */
754
755 static void
756 set_endptr_and_length (location_t loc, strinfo *si, tree endptr)
757 {
758 si->endptr = endptr;
759 si->stmt = NULL;
760 tree start_as_size = fold_convert_loc (loc, size_type_node, si->ptr);
761 tree end_as_size = fold_convert_loc (loc, size_type_node, endptr);
762 si->nonzero_chars = fold_build2_loc (loc, MINUS_EXPR, size_type_node,
763 end_as_size, start_as_size);
764 si->full_string_p = true;
765 }
766
767 /* Return the string length, or NULL if it can't be computed.
768 The length may but need not be constant. Instead, it might be
769 the result of a strlen() call. */
770
771 static tree
772 get_string_length (strinfo *si)
773 {
774 /* If the length has already been computed return it if it's exact
775 (i.e., the string is nul-terminated at NONZERO_CHARS), or return
776 null if it isn't. */
777 if (si->nonzero_chars)
778 return si->full_string_p ? si->nonzero_chars : NULL;
779
780 /* If the string is the result of one of the built-in calls below
781 attempt to compute the length from the call statement. */
782 if (si->stmt)
783 {
784 gimple *stmt = si->stmt, *lenstmt;
785 tree callee, lhs, fn, tem;
786 location_t loc;
787 gimple_stmt_iterator gsi;
788
789 gcc_assert (is_gimple_call (stmt));
790 callee = gimple_call_fndecl (stmt);
791 gcc_assert (callee && fndecl_built_in_p (callee, BUILT_IN_NORMAL));
792 lhs = gimple_call_lhs (stmt);
793 /* unshare_strinfo is intentionally not called here. The (delayed)
794 transformation of strcpy or strcat into stpcpy is done at the place
795 of the former strcpy/strcat call and so can affect all the strinfos
796 with the same stmt. If they were unshared before and transformation
797 has been already done, the handling of BUILT_IN_STPCPY{,_CHK} should
798 just compute the right length. */
799 switch (DECL_FUNCTION_CODE (callee))
800 {
801 case BUILT_IN_STRCAT:
802 case BUILT_IN_STRCAT_CHK:
803 gsi = gsi_for_stmt (stmt);
804 fn = builtin_decl_implicit (BUILT_IN_STRLEN);
805 gcc_assert (lhs == NULL_TREE);
806 tem = unshare_expr (gimple_call_arg (stmt, 0));
807 lenstmt = gimple_build_call (fn, 1, tem);
808 lhs = make_ssa_name (TREE_TYPE (TREE_TYPE (fn)), lenstmt);
809 gimple_call_set_lhs (lenstmt, lhs);
810 gimple_set_vuse (lenstmt, gimple_vuse (stmt));
811 gsi_insert_before (&gsi, lenstmt, GSI_SAME_STMT);
812 tem = gimple_call_arg (stmt, 0);
813 if (!ptrofftype_p (TREE_TYPE (lhs)))
814 {
815 lhs = convert_to_ptrofftype (lhs);
816 lhs = force_gimple_operand_gsi (&gsi, lhs, true, NULL_TREE,
817 true, GSI_SAME_STMT);
818 }
819 lenstmt = gimple_build_assign
820 (make_ssa_name (TREE_TYPE (gimple_call_arg (stmt, 0))),
821 POINTER_PLUS_EXPR,tem, lhs);
822 gsi_insert_before (&gsi, lenstmt, GSI_SAME_STMT);
823 gimple_call_set_arg (stmt, 0, gimple_assign_lhs (lenstmt));
824 lhs = NULL_TREE;
825 /* FALLTHRU */
826 case BUILT_IN_STRCPY:
827 case BUILT_IN_STRCPY_CHK:
828 gcc_assert (builtin_decl_implicit_p (BUILT_IN_STPCPY));
829 if (gimple_call_num_args (stmt) == 2)
830 fn = builtin_decl_implicit (BUILT_IN_STPCPY);
831 else
832 fn = builtin_decl_explicit (BUILT_IN_STPCPY_CHK);
833 gcc_assert (lhs == NULL_TREE);
834 if (dump_file && (dump_flags & TDF_DETAILS) != 0)
835 {
836 fprintf (dump_file, "Optimizing: ");
837 print_gimple_stmt (dump_file, stmt, 0, TDF_SLIM);
838 }
839 gimple_call_set_fndecl (stmt, fn);
840 lhs = make_ssa_name (TREE_TYPE (TREE_TYPE (fn)), stmt);
841 gimple_call_set_lhs (stmt, lhs);
842 update_stmt (stmt);
843 if (dump_file && (dump_flags & TDF_DETAILS) != 0)
844 {
845 fprintf (dump_file, "into: ");
846 print_gimple_stmt (dump_file, stmt, 0, TDF_SLIM);
847 }
848 /* FALLTHRU */
849 case BUILT_IN_STPCPY:
850 case BUILT_IN_STPCPY_CHK:
851 gcc_assert (lhs != NULL_TREE);
852 loc = gimple_location (stmt);
853 set_endptr_and_length (loc, si, lhs);
854 for (strinfo *chainsi = verify_related_strinfos (si);
855 chainsi != NULL;
856 chainsi = get_next_strinfo (chainsi))
857 if (chainsi->nonzero_chars == NULL)
858 set_endptr_and_length (loc, chainsi, lhs);
859 break;
860 case BUILT_IN_ALLOCA:
861 case BUILT_IN_ALLOCA_WITH_ALIGN:
862 case BUILT_IN_MALLOC:
863 break;
864 /* BUILT_IN_CALLOC always has si->nonzero_chars set. */
865 default:
866 gcc_unreachable ();
867 break;
868 }
869 }
870
871 return si->nonzero_chars;
872 }
873
874 /* Dump strlen data to FP for statement STMT. When non-null, RVALS
875 points to the valuation engine used to calculate ranges, and is
876 used to dump strlen range for non-constant results. */
877
878 DEBUG_FUNCTION void
879 dump_strlen_info (FILE *fp, gimple *stmt, range_query *rvals)
880 {
881 if (stmt)
882 {
883 fprintf (fp, "\nDumping strlen pass data after ");
884 print_gimple_expr (fp, stmt, TDF_LINENO);
885 fputc ('\n', fp);
886 }
887 else
888 fprintf (fp, "\nDumping strlen pass data\n");
889
890 fprintf (fp, "max_stridx = %i\n", max_stridx);
891 fprintf (fp, "ssa_ver_to_stridx has %u elements\n",
892 ssa_ver_to_stridx.length ());
893 fprintf (fp, "stridx_to_strinfo");
894 if (stridx_to_strinfo)
895 {
896 fprintf (fp, " has %u elements\n", stridx_to_strinfo->length ());
897 for (unsigned i = 0; i != stridx_to_strinfo->length (); ++i)
898 {
899 if (strinfo *si = (*stridx_to_strinfo)[i])
900 {
901 if (!si->idx)
902 continue;
903 fprintf (fp, " idx = %i", si->idx);
904 if (si->ptr)
905 {
906 fprintf (fp, ", ptr = ");
907 print_generic_expr (fp, si->ptr);
908 }
909
910 if (si->nonzero_chars)
911 {
912 fprintf (fp, ", nonzero_chars = ");
913 print_generic_expr (fp, si->nonzero_chars);
914 if (TREE_CODE (si->nonzero_chars) == SSA_NAME)
915 {
916 value_range_kind rng = VR_UNDEFINED;
917 wide_int min, max;
918 if (rvals)
919 {
920 value_range vr;
921 rvals->range_of_expr (vr, si->nonzero_chars,
922 si->stmt);
923 rng = vr.kind ();
924 if (range_int_cst_p (&vr))
925 {
926 min = wi::to_wide (vr.min ());
927 max = wi::to_wide (vr.max ());
928 }
929 else
930 rng = VR_UNDEFINED;
931 }
932 else
933 rng = get_range_info (si->nonzero_chars, &min, &max);
934
935 if (rng == VR_RANGE || rng == VR_ANTI_RANGE)
936 {
937 fprintf (fp, " %s[%llu, %llu]",
938 rng == VR_RANGE ? "" : "~",
939 (long long) min.to_uhwi (),
940 (long long) max.to_uhwi ());
941 }
942 }
943 }
944
945 fprintf (fp, ", refcount = %i", si->refcount);
946 if (si->stmt)
947 {
948 fprintf (fp, ", stmt = ");
949 print_gimple_expr (fp, si->stmt, 0);
950 }
951 if (si->alloc)
952 {
953 fprintf (fp, ", alloc = ");
954 print_gimple_expr (fp, si->alloc, 0);
955 }
956 if (si->writable)
957 fprintf (fp, ", writable");
958 if (si->dont_invalidate)
959 fprintf (fp, ", dont_invalidate");
960 if (si->full_string_p)
961 fprintf (fp, ", full_string_p");
962 if (strinfo *next = get_next_strinfo (si))
963 {
964 fprintf (fp, ", {");
965 do
966 fprintf (fp, "%i%s", next->idx, next->first ? ", " : "");
967 while ((next = get_next_strinfo (next)));
968 fprintf (fp, "}");
969 }
970 fputs ("\n", fp);
971 }
972 }
973 }
974 else
975 fprintf (fp, " = null\n");
976
977 fprintf (fp, "decl_to_stridxlist_htab");
978 if (decl_to_stridxlist_htab)
979 {
980 fputs ("\n", fp);
981 typedef decl_to_stridxlist_htab_t::iterator iter_t;
982 for (iter_t it = decl_to_stridxlist_htab->begin ();
983 it != decl_to_stridxlist_htab->end (); ++it)
984 {
985 tree decl = (*it).first;
986 stridxlist *list = &(*it).second;
987 fprintf (fp, " decl = ");
988 print_generic_expr (fp, decl);
989 if (list)
990 {
991 fprintf (fp, ", offsets = {");
992 for (; list; list = list->next)
993 fprintf (fp, "%lli%s", (long long) list->offset,
994 list->next ? ", " : "");
995 fputs ("}", fp);
996 }
997 fputs ("\n", fp);
998 }
999 }
1000 else
1001 fprintf (fp, " = null\n");
1002
1003 if (laststmt.stmt)
1004 {
1005 fprintf (fp, "laststmt = ");
1006 print_gimple_expr (fp, laststmt.stmt, 0);
1007 fprintf (fp, ", len = ");
1008 print_generic_expr (fp, laststmt.len);
1009 fprintf (fp, ", stridx = %i\n", laststmt.stridx);
1010 }
1011 }
1012
1013 /* Attempt to determine the length of the string SRC. On success, store
1014 the length in *PDATA and return true. Otherwise, return false.
1015 VISITED is a bitmap of visited PHI nodes. RVALS points to the valuation
1016 engine used to calculate ranges. PSSA_DEF_MAX to an SSA_NAME
1017 assignment limit used to prevent runaway recursion. */
1018
1019 static bool
1020 get_range_strlen_dynamic (tree src, gimple *stmt,
1021 c_strlen_data *pdata, bitmap *visited,
1022 range_query *rvals, unsigned *pssa_def_max)
1023 {
1024 int idx = get_stridx (src);
1025 if (!idx)
1026 {
1027 if (TREE_CODE (src) == SSA_NAME)
1028 {
1029 gimple *def_stmt = SSA_NAME_DEF_STMT (src);
1030 if (gimple_code (def_stmt) == GIMPLE_PHI)
1031 {
1032 if (!*visited)
1033 *visited = BITMAP_ALLOC (NULL);
1034
1035 if (!bitmap_set_bit (*visited, SSA_NAME_VERSION (src)))
1036 return true;
1037
1038 if (*pssa_def_max == 0)
1039 return false;
1040
1041 --*pssa_def_max;
1042
1043 /* Iterate over the PHI arguments and determine the minimum
1044 and maximum length/size of each and incorporate them into
1045 the overall result. */
1046 gphi *phi = as_a <gphi *> (def_stmt);
1047 for (unsigned i = 0; i != gimple_phi_num_args (phi); ++i)
1048 {
1049 tree arg = gimple_phi_arg_def (phi, i);
1050 if (arg == gimple_phi_result (def_stmt))
1051 continue;
1052
1053 c_strlen_data argdata = { };
1054 if (get_range_strlen_dynamic (arg, phi, &argdata, visited,
1055 rvals, pssa_def_max))
1056 {
1057 /* Set the DECL of an unterminated array this argument
1058 refers to if one hasn't been found yet. */
1059 if (!pdata->decl && argdata.decl)
1060 pdata->decl = argdata.decl;
1061
1062 if (!argdata.minlen
1063 || (integer_zerop (argdata.minlen)
1064 && (!argdata.maxbound
1065 || integer_all_onesp (argdata.maxbound))
1066 && integer_all_onesp (argdata.maxlen)))
1067 {
1068 /* Set the upper bound of the length to unbounded. */
1069 pdata->maxlen = build_all_ones_cst (size_type_node);
1070 continue;
1071 }
1072
1073 /* Adjust the minimum and maximum length determined
1074 so far and the upper bound on the array size. */
1075 if (!pdata->minlen
1076 || tree_int_cst_lt (argdata.minlen, pdata->minlen))
1077 pdata->minlen = argdata.minlen;
1078 if (!pdata->maxlen
1079 || (argdata.maxlen
1080 && tree_int_cst_lt (pdata->maxlen, argdata.maxlen)))
1081 pdata->maxlen = argdata.maxlen;
1082 if (!pdata->maxbound
1083 || TREE_CODE (pdata->maxbound) != INTEGER_CST
1084 || (argdata.maxbound
1085 && tree_int_cst_lt (pdata->maxbound,
1086 argdata.maxbound)
1087 && !integer_all_onesp (argdata.maxbound)))
1088 pdata->maxbound = argdata.maxbound;
1089 }
1090 else
1091 pdata->maxlen = build_all_ones_cst (size_type_node);
1092 }
1093
1094 return true;
1095 }
1096 }
1097
1098 /* Return success regardless of the result and handle *PDATA
1099 in the caller. */
1100 get_range_strlen (src, pdata, 1);
1101 return true;
1102 }
1103
1104 if (idx < 0)
1105 {
1106 /* SRC is a string of constant length. */
1107 pdata->minlen = build_int_cst (size_type_node, ~idx);
1108 pdata->maxlen = pdata->minlen;
1109 pdata->maxbound = pdata->maxlen;
1110 return true;
1111 }
1112
1113 if (strinfo *si = get_strinfo (idx))
1114 {
1115 pdata->minlen = get_string_length (si);
1116 if (!pdata->minlen && si->nonzero_chars)
1117 {
1118 if (TREE_CODE (si->nonzero_chars) == INTEGER_CST)
1119 pdata->minlen = si->nonzero_chars;
1120 else if (TREE_CODE (si->nonzero_chars) == SSA_NAME)
1121 {
1122 value_range vr;
1123 rvals->range_of_expr (vr, si->nonzero_chars, si->stmt);
1124 if (range_int_cst_p (&vr))
1125 {
1126 pdata->minlen = vr.min ();
1127 pdata->maxlen = vr.max ();
1128 }
1129 else
1130 pdata->minlen = build_zero_cst (size_type_node);
1131 }
1132 else
1133 pdata->minlen = build_zero_cst (size_type_node);
1134
1135 tree base = si->ptr;
1136 if (TREE_CODE (base) == ADDR_EXPR)
1137 base = TREE_OPERAND (base, 0);
1138
1139 HOST_WIDE_INT off;
1140 poly_int64 poff;
1141 base = get_addr_base_and_unit_offset (base, &poff);
1142 if (base
1143 && DECL_P (base)
1144 && TREE_CODE (TREE_TYPE (base)) == ARRAY_TYPE
1145 && TYPE_SIZE_UNIT (TREE_TYPE (base))
1146 && poff.is_constant (&off))
1147 {
1148 tree basetype = TREE_TYPE (base);
1149 tree size = TYPE_SIZE_UNIT (basetype);
1150 if (TREE_CODE (size) == INTEGER_CST)
1151 {
1152 ++off; /* Increment for the terminating nul. */
1153 tree toffset = build_int_cst (size_type_node, off);
1154 pdata->maxlen = fold_build2 (MINUS_EXPR, size_type_node, size,
1155 toffset);
1156 pdata->maxbound = pdata->maxlen;
1157 }
1158 else
1159 pdata->maxlen = build_all_ones_cst (size_type_node);
1160 }
1161 else
1162 pdata->maxlen = build_all_ones_cst (size_type_node);
1163 }
1164 else if (pdata->minlen && TREE_CODE (pdata->minlen) == SSA_NAME)
1165 {
1166 value_range vr;
1167 rvals->range_of_expr (vr, si->nonzero_chars, stmt);
1168 if (range_int_cst_p (&vr))
1169 {
1170 pdata->minlen = vr.min ();
1171 pdata->maxlen = vr.max ();
1172 pdata->maxbound = pdata->maxlen;
1173 }
1174 else
1175 {
1176 pdata->minlen = build_zero_cst (size_type_node);
1177 pdata->maxlen = build_all_ones_cst (size_type_node);
1178 }
1179 }
1180 else if (pdata->minlen && TREE_CODE (pdata->minlen) == INTEGER_CST)
1181 {
1182 pdata->maxlen = pdata->minlen;
1183 pdata->maxbound = pdata->minlen;
1184 }
1185 else
1186 {
1187 /* For PDATA->MINLEN that's a non-constant expression such
1188 as PLUS_EXPR whose value range is unknown, set the bounds
1189 to zero and SIZE_MAX. */
1190 pdata->minlen = build_zero_cst (size_type_node);
1191 pdata->maxlen = build_all_ones_cst (size_type_node);
1192 }
1193
1194 return true;
1195 }
1196
1197 return false;
1198 }
1199
1200 /* Analogous to get_range_strlen but for dynamically created strings,
1201 i.e., those created by calls to strcpy as opposed to just string
1202 constants.
1203 Try to obtain the range of the lengths of the string(s) referenced
1204 by SRC, or the size of the largest array SRC refers to if the range
1205 of lengths cannot be determined, and store all in *PDATA. RVALS
1206 points to the valuation engine used to calculate ranges. */
1207
1208 void
1209 get_range_strlen_dynamic (tree src, gimple *stmt, c_strlen_data *pdata,
1210 range_query *rvals)
1211 {
1212 bitmap visited = NULL;
1213 tree maxbound = pdata->maxbound;
1214
1215 unsigned limit = param_ssa_name_def_chain_limit;
1216 if (!get_range_strlen_dynamic (src, stmt, pdata, &visited, rvals, &limit))
1217 {
1218 /* On failure extend the length range to an impossible maximum
1219 (a valid MAXLEN must be less than PTRDIFF_MAX - 1). Other
1220 members can stay unchanged regardless. */
1221 pdata->minlen = ssize_int (0);
1222 pdata->maxlen = build_all_ones_cst (size_type_node);
1223 }
1224 else if (!pdata->minlen)
1225 pdata->minlen = ssize_int (0);
1226
1227 /* If it's unchanged from it initial non-null value, set the conservative
1228 MAXBOUND to SIZE_MAX. Otherwise leave it null (if it is null). */
1229 if (maxbound && pdata->maxbound == maxbound)
1230 pdata->maxbound = build_all_ones_cst (size_type_node);
1231
1232 if (visited)
1233 BITMAP_FREE (visited);
1234 }
1235
1236 /* Invalidate string length information for strings whose length might
1237 change due to stores in STMT, except those marked DONT_INVALIDATE.
1238 For string-modifying statements, ZERO_WRITE is set when the statement
1239 wrote only zeros.
1240 Returns true if any STRIDX_TO_STRINFO entries were considered
1241 for invalidation. */
1242
1243 static bool
1244 maybe_invalidate (gimple *stmt, bool zero_write = false)
1245 {
1246 if (dump_file && (dump_flags & TDF_DETAILS))
1247 {
1248 fprintf (dump_file, "%s called for ", __func__);
1249 print_gimple_stmt (dump_file, stmt, TDF_LINENO);
1250 }
1251
1252 strinfo *si;
1253 bool nonempty = false;
1254
1255 for (unsigned i = 1; vec_safe_iterate (stridx_to_strinfo, i, &si); ++i)
1256 {
1257 if (si == NULL || !POINTER_TYPE_P (TREE_TYPE (si->ptr)))
1258 continue;
1259
1260 nonempty = true;
1261
1262 /* Unconditionally reset DONT_INVALIDATE. */
1263 bool dont_invalidate = si->dont_invalidate;
1264 si->dont_invalidate = false;
1265
1266 if (dont_invalidate)
1267 continue;
1268
1269 ao_ref r;
1270 tree size = NULL_TREE;
1271 if (si->nonzero_chars)
1272 {
1273 /* Include the terminating nul in the size of the string
1274 to consider when determining possible clobber. */
1275 tree type = TREE_TYPE (si->nonzero_chars);
1276 size = fold_build2 (PLUS_EXPR, type, si->nonzero_chars,
1277 build_int_cst (type, 1));
1278 }
1279 ao_ref_init_from_ptr_and_size (&r, si->ptr, size);
1280 if (stmt_may_clobber_ref_p_1 (stmt, &r))
1281 {
1282 if (dump_file && (dump_flags & TDF_DETAILS))
1283 {
1284 fputs (" statement may clobber object ", dump_file);
1285 print_generic_expr (dump_file, si->ptr);
1286 if (size && tree_fits_uhwi_p (size))
1287 fprintf (dump_file, " " HOST_WIDE_INT_PRINT_UNSIGNED
1288 " bytes in size", tree_to_uhwi (size));
1289 fputc ('\n', dump_file);
1290 }
1291
1292 set_strinfo (i, NULL);
1293 free_strinfo (si);
1294 continue;
1295 }
1296
1297 if (size
1298 && !zero_write
1299 && si->stmt
1300 && is_gimple_call (si->stmt)
1301 && (DECL_FUNCTION_CODE (gimple_call_fndecl (si->stmt))
1302 == BUILT_IN_CALLOC))
1303 {
1304 /* If the clobber test above considered the length of
1305 the string (including the nul), then for (potentially)
1306 non-zero writes that might modify storage allocated by
1307 calloc consider the whole object and if it might be
1308 clobbered by the statement reset the statement. */
1309 ao_ref_init_from_ptr_and_size (&r, si->ptr, NULL_TREE);
1310 if (stmt_may_clobber_ref_p_1 (stmt, &r))
1311 si->stmt = NULL;
1312 }
1313 }
1314
1315 if (dump_file && (dump_flags & TDF_DETAILS))
1316 fprintf (dump_file, "%s returns %i\n", __func__, nonempty);
1317
1318 return nonempty;
1319 }
1320
1321 /* Unshare strinfo record SI, if it has refcount > 1 or
1322 if stridx_to_strinfo vector is shared with some other
1323 bbs. */
1324
1325 static strinfo *
1326 unshare_strinfo (strinfo *si)
1327 {
1328 strinfo *nsi;
1329
1330 if (si->refcount == 1 && !strinfo_shared ())
1331 return si;
1332
1333 nsi = new_strinfo (si->ptr, si->idx, si->nonzero_chars, si->full_string_p);
1334 nsi->stmt = si->stmt;
1335 nsi->alloc = si->alloc;
1336 nsi->endptr = si->endptr;
1337 nsi->first = si->first;
1338 nsi->prev = si->prev;
1339 nsi->next = si->next;
1340 nsi->writable = si->writable;
1341 set_strinfo (si->idx, nsi);
1342 free_strinfo (si);
1343 return nsi;
1344 }
1345
1346 /* Attempt to create a new strinfo for BASESI + OFF, or find existing
1347 strinfo if there is any. Return it's idx, or 0 if no strinfo has
1348 been created. */
1349
1350 static int
1351 get_stridx_plus_constant (strinfo *basesi, unsigned HOST_WIDE_INT off,
1352 tree ptr)
1353 {
1354 if (TREE_CODE (ptr) == SSA_NAME && SSA_NAME_OCCURS_IN_ABNORMAL_PHI (ptr))
1355 return 0;
1356
1357 if (compare_nonzero_chars (basesi, off) < 0
1358 || !tree_fits_uhwi_p (basesi->nonzero_chars))
1359 return 0;
1360
1361 unsigned HOST_WIDE_INT nonzero_chars
1362 = tree_to_uhwi (basesi->nonzero_chars) - off;
1363 strinfo *si = basesi, *chainsi;
1364 if (si->first || si->prev || si->next)
1365 si = verify_related_strinfos (basesi);
1366 if (si == NULL
1367 || si->nonzero_chars == NULL_TREE
1368 || TREE_CODE (si->nonzero_chars) != INTEGER_CST)
1369 return 0;
1370
1371 if (TREE_CODE (ptr) == SSA_NAME
1372 && ssa_ver_to_stridx.length () <= SSA_NAME_VERSION (ptr))
1373 ssa_ver_to_stridx.safe_grow_cleared (num_ssa_names, true);
1374
1375 gcc_checking_assert (compare_tree_int (si->nonzero_chars, off) != -1);
1376 for (chainsi = si; chainsi->next; chainsi = si)
1377 {
1378 si = get_next_strinfo (chainsi);
1379 if (si == NULL
1380 || si->nonzero_chars == NULL_TREE
1381 || TREE_CODE (si->nonzero_chars) != INTEGER_CST)
1382 break;
1383 int r = compare_tree_int (si->nonzero_chars, nonzero_chars);
1384 if (r != 1)
1385 {
1386 if (r == 0)
1387 {
1388 if (TREE_CODE (ptr) == SSA_NAME)
1389 ssa_ver_to_stridx[SSA_NAME_VERSION (ptr)] = si->idx;
1390 else
1391 {
1392 int *pidx = addr_stridxptr (TREE_OPERAND (ptr, 0));
1393 if (pidx != NULL && *pidx == 0)
1394 *pidx = si->idx;
1395 }
1396 return si->idx;
1397 }
1398 break;
1399 }
1400 }
1401
1402 int idx = new_stridx (ptr);
1403 if (idx == 0)
1404 return 0;
1405 si = new_strinfo (ptr, idx, build_int_cst (size_type_node, nonzero_chars),
1406 basesi->full_string_p);
1407 set_strinfo (idx, si);
1408 if (strinfo *nextsi = get_strinfo (chainsi->next))
1409 {
1410 nextsi = unshare_strinfo (nextsi);
1411 si->next = nextsi->idx;
1412 nextsi->prev = idx;
1413 }
1414 chainsi = unshare_strinfo (chainsi);
1415 if (chainsi->first == 0)
1416 chainsi->first = chainsi->idx;
1417 chainsi->next = idx;
1418 if (chainsi->endptr == NULL_TREE && zero_length_string_p (si))
1419 chainsi->endptr = ptr;
1420 si->endptr = chainsi->endptr;
1421 si->prev = chainsi->idx;
1422 si->first = chainsi->first;
1423 si->writable = chainsi->writable;
1424 return si->idx;
1425 }
1426
1427 /* Note that PTR, a pointer SSA_NAME initialized in the current stmt, points
1428 to a zero-length string and if possible chain it to a related strinfo
1429 chain whose part is or might be CHAINSI. */
1430
1431 static strinfo *
1432 zero_length_string (tree ptr, strinfo *chainsi)
1433 {
1434 strinfo *si;
1435 int idx;
1436 if (ssa_ver_to_stridx.length () <= SSA_NAME_VERSION (ptr))
1437 ssa_ver_to_stridx.safe_grow_cleared (num_ssa_names, true);
1438 gcc_checking_assert (TREE_CODE (ptr) == SSA_NAME
1439 && ssa_ver_to_stridx[SSA_NAME_VERSION (ptr)] == 0);
1440
1441 if (SSA_NAME_OCCURS_IN_ABNORMAL_PHI (ptr))
1442 return NULL;
1443 if (chainsi != NULL)
1444 {
1445 si = verify_related_strinfos (chainsi);
1446 if (si)
1447 {
1448 do
1449 {
1450 /* We shouldn't mix delayed and non-delayed lengths. */
1451 gcc_assert (si->full_string_p);
1452 if (si->endptr == NULL_TREE)
1453 {
1454 si = unshare_strinfo (si);
1455 si->endptr = ptr;
1456 }
1457 chainsi = si;
1458 si = get_next_strinfo (si);
1459 }
1460 while (si != NULL);
1461 if (zero_length_string_p (chainsi))
1462 {
1463 if (chainsi->next)
1464 {
1465 chainsi = unshare_strinfo (chainsi);
1466 chainsi->next = 0;
1467 }
1468 ssa_ver_to_stridx[SSA_NAME_VERSION (ptr)] = chainsi->idx;
1469 return chainsi;
1470 }
1471 }
1472 else
1473 {
1474 /* We shouldn't mix delayed and non-delayed lengths. */
1475 gcc_assert (chainsi->full_string_p);
1476 if (chainsi->first || chainsi->prev || chainsi->next)
1477 {
1478 chainsi = unshare_strinfo (chainsi);
1479 chainsi->first = 0;
1480 chainsi->prev = 0;
1481 chainsi->next = 0;
1482 }
1483 }
1484 }
1485 idx = new_stridx (ptr);
1486 if (idx == 0)
1487 return NULL;
1488 si = new_strinfo (ptr, idx, build_int_cst (size_type_node, 0), true);
1489 set_strinfo (idx, si);
1490 si->endptr = ptr;
1491 if (chainsi != NULL)
1492 {
1493 chainsi = unshare_strinfo (chainsi);
1494 if (chainsi->first == 0)
1495 chainsi->first = chainsi->idx;
1496 chainsi->next = idx;
1497 if (chainsi->endptr == NULL_TREE)
1498 chainsi->endptr = ptr;
1499 si->prev = chainsi->idx;
1500 si->first = chainsi->first;
1501 si->writable = chainsi->writable;
1502 }
1503 return si;
1504 }
1505
1506 /* For strinfo ORIGSI whose length has been just updated, adjust other
1507 related strinfos so that they match the new ORIGSI. This involves:
1508
1509 - adding ADJ to the nonzero_chars fields
1510 - copying full_string_p from the new ORIGSI. */
1511
1512 static void
1513 adjust_related_strinfos (location_t loc, strinfo *origsi, tree adj)
1514 {
1515 strinfo *si = verify_related_strinfos (origsi);
1516
1517 if (si == NULL)
1518 return;
1519
1520 while (1)
1521 {
1522 strinfo *nsi;
1523
1524 if (si != origsi)
1525 {
1526 tree tem;
1527
1528 si = unshare_strinfo (si);
1529 /* We shouldn't see delayed lengths here; the caller must
1530 have calculated the old length in order to calculate
1531 the adjustment. */
1532 gcc_assert (si->nonzero_chars);
1533 tem = fold_convert_loc (loc, TREE_TYPE (si->nonzero_chars), adj);
1534 si->nonzero_chars = fold_build2_loc (loc, PLUS_EXPR,
1535 TREE_TYPE (si->nonzero_chars),
1536 si->nonzero_chars, tem);
1537 si->full_string_p = origsi->full_string_p;
1538
1539 si->endptr = NULL_TREE;
1540 si->dont_invalidate = true;
1541 }
1542 nsi = get_next_strinfo (si);
1543 if (nsi == NULL)
1544 return;
1545 si = nsi;
1546 }
1547 }
1548
1549 /* Find if there are other SSA_NAME pointers equal to PTR
1550 for which we don't track their string lengths yet. If so, use
1551 IDX for them. */
1552
1553 static void
1554 find_equal_ptrs (tree ptr, int idx)
1555 {
1556 if (TREE_CODE (ptr) != SSA_NAME)
1557 return;
1558 while (1)
1559 {
1560 gimple *stmt = SSA_NAME_DEF_STMT (ptr);
1561 if (!is_gimple_assign (stmt))
1562 return;
1563 ptr = gimple_assign_rhs1 (stmt);
1564 switch (gimple_assign_rhs_code (stmt))
1565 {
1566 case SSA_NAME:
1567 break;
1568 CASE_CONVERT:
1569 if (!POINTER_TYPE_P (TREE_TYPE (ptr)))
1570 return;
1571 if (TREE_CODE (ptr) == SSA_NAME)
1572 break;
1573 if (TREE_CODE (ptr) != ADDR_EXPR)
1574 return;
1575 /* FALLTHRU */
1576 case ADDR_EXPR:
1577 {
1578 int *pidx = addr_stridxptr (TREE_OPERAND (ptr, 0));
1579 if (pidx != NULL && *pidx == 0)
1580 *pidx = idx;
1581 return;
1582 }
1583 default:
1584 return;
1585 }
1586
1587 /* We might find an endptr created in this pass. Grow the
1588 vector in that case. */
1589 if (ssa_ver_to_stridx.length () <= SSA_NAME_VERSION (ptr))
1590 ssa_ver_to_stridx.safe_grow_cleared (num_ssa_names, true);
1591
1592 if (ssa_ver_to_stridx[SSA_NAME_VERSION (ptr)] != 0)
1593 return;
1594 ssa_ver_to_stridx[SSA_NAME_VERSION (ptr)] = idx;
1595 }
1596 }
1597
1598 /* Return true if STMT is a call to a builtin function with the right
1599 arguments and attributes that should be considered for optimization
1600 by this pass. */
1601
1602 static bool
1603 valid_builtin_call (gimple *stmt)
1604 {
1605 if (!gimple_call_builtin_p (stmt, BUILT_IN_NORMAL))
1606 return false;
1607
1608 tree callee = gimple_call_fndecl (stmt);
1609 tree decl = builtin_decl_explicit (DECL_FUNCTION_CODE (callee));
1610 if (decl
1611 && decl != callee
1612 && !gimple_builtin_call_types_compatible_p (stmt, decl))
1613 return false;
1614
1615 switch (DECL_FUNCTION_CODE (callee))
1616 {
1617 case BUILT_IN_MEMCMP:
1618 case BUILT_IN_MEMCMP_EQ:
1619 case BUILT_IN_STRCMP:
1620 case BUILT_IN_STRNCMP:
1621 case BUILT_IN_STRCHR:
1622 case BUILT_IN_STRLEN:
1623 case BUILT_IN_STRNLEN:
1624 /* The above functions should be pure. Punt if they aren't. */
1625 if (gimple_vdef (stmt) || gimple_vuse (stmt) == NULL_TREE)
1626 return false;
1627 break;
1628
1629 case BUILT_IN_ALLOCA:
1630 case BUILT_IN_ALLOCA_WITH_ALIGN:
1631 case BUILT_IN_CALLOC:
1632 case BUILT_IN_MALLOC:
1633 case BUILT_IN_MEMCPY:
1634 case BUILT_IN_MEMCPY_CHK:
1635 case BUILT_IN_MEMPCPY:
1636 case BUILT_IN_MEMPCPY_CHK:
1637 case BUILT_IN_MEMSET:
1638 case BUILT_IN_STPCPY:
1639 case BUILT_IN_STPCPY_CHK:
1640 case BUILT_IN_STPNCPY:
1641 case BUILT_IN_STPNCPY_CHK:
1642 case BUILT_IN_STRCAT:
1643 case BUILT_IN_STRCAT_CHK:
1644 case BUILT_IN_STRCPY:
1645 case BUILT_IN_STRCPY_CHK:
1646 case BUILT_IN_STRNCAT:
1647 case BUILT_IN_STRNCAT_CHK:
1648 case BUILT_IN_STRNCPY:
1649 case BUILT_IN_STRNCPY_CHK:
1650 /* The above functions should be neither const nor pure. Punt if they
1651 aren't. */
1652 if (gimple_vdef (stmt) == NULL_TREE || gimple_vuse (stmt) == NULL_TREE)
1653 return false;
1654 break;
1655
1656 default:
1657 break;
1658 }
1659
1660 return true;
1661 }
1662
1663 /* If the last .MEM setter statement before STMT is
1664 memcpy (x, y, strlen (y) + 1), the only .MEM use of it is STMT
1665 and STMT is known to overwrite x[strlen (x)], adjust the last memcpy to
1666 just memcpy (x, y, strlen (y)). SI must be the zero length
1667 strinfo. */
1668
1669 static void
1670 adjust_last_stmt (strinfo *si, gimple *stmt, bool is_strcat)
1671 {
1672 tree vuse, callee, len;
1673 struct laststmt_struct last = laststmt;
1674 strinfo *lastsi, *firstsi;
1675 unsigned len_arg_no = 2;
1676
1677 laststmt.stmt = NULL;
1678 laststmt.len = NULL_TREE;
1679 laststmt.stridx = 0;
1680
1681 if (last.stmt == NULL)
1682 return;
1683
1684 vuse = gimple_vuse (stmt);
1685 if (vuse == NULL_TREE
1686 || SSA_NAME_DEF_STMT (vuse) != last.stmt
1687 || !has_single_use (vuse))
1688 return;
1689
1690 gcc_assert (last.stridx > 0);
1691 lastsi = get_strinfo (last.stridx);
1692 if (lastsi == NULL)
1693 return;
1694
1695 if (lastsi != si)
1696 {
1697 if (lastsi->first == 0 || lastsi->first != si->first)
1698 return;
1699
1700 firstsi = verify_related_strinfos (si);
1701 if (firstsi == NULL)
1702 return;
1703 while (firstsi != lastsi)
1704 {
1705 firstsi = get_next_strinfo (firstsi);
1706 if (firstsi == NULL)
1707 return;
1708 }
1709 }
1710
1711 if (!is_strcat && !zero_length_string_p (si))
1712 return;
1713
1714 if (is_gimple_assign (last.stmt))
1715 {
1716 gimple_stmt_iterator gsi;
1717
1718 if (!integer_zerop (gimple_assign_rhs1 (last.stmt)))
1719 return;
1720 if (stmt_could_throw_p (cfun, last.stmt))
1721 return;
1722 gsi = gsi_for_stmt (last.stmt);
1723 unlink_stmt_vdef (last.stmt);
1724 release_defs (last.stmt);
1725 gsi_remove (&gsi, true);
1726 return;
1727 }
1728
1729 if (!valid_builtin_call (last.stmt))
1730 return;
1731
1732 callee = gimple_call_fndecl (last.stmt);
1733 switch (DECL_FUNCTION_CODE (callee))
1734 {
1735 case BUILT_IN_MEMCPY:
1736 case BUILT_IN_MEMCPY_CHK:
1737 break;
1738 default:
1739 return;
1740 }
1741
1742 len = gimple_call_arg (last.stmt, len_arg_no);
1743 if (tree_fits_uhwi_p (len))
1744 {
1745 if (!tree_fits_uhwi_p (last.len)
1746 || integer_zerop (len)
1747 || tree_to_uhwi (len) != tree_to_uhwi (last.len) + 1)
1748 return;
1749 /* Don't adjust the length if it is divisible by 4, it is more efficient
1750 to store the extra '\0' in that case. */
1751 if ((tree_to_uhwi (len) & 3) == 0)
1752 return;
1753
1754 /* Don't fold away an out of bounds access, as this defeats proper
1755 warnings. */
1756 tree dst = gimple_call_arg (last.stmt, 0);
1757 tree size = compute_objsize (dst, 0);
1758 if (size && tree_int_cst_lt (size, len))
1759 return;
1760 }
1761 else if (TREE_CODE (len) == SSA_NAME)
1762 {
1763 gimple *def_stmt = SSA_NAME_DEF_STMT (len);
1764 if (!is_gimple_assign (def_stmt)
1765 || gimple_assign_rhs_code (def_stmt) != PLUS_EXPR
1766 || gimple_assign_rhs1 (def_stmt) != last.len
1767 || !integer_onep (gimple_assign_rhs2 (def_stmt)))
1768 return;
1769 }
1770 else
1771 return;
1772
1773 gimple_call_set_arg (last.stmt, len_arg_no, last.len);
1774 update_stmt (last.stmt);
1775 }
1776
1777 /* For an LHS that is an SSA_NAME that is the result of a strlen()
1778 call, or when BOUND is non-null, of a strnlen() call, set LHS
1779 range info to [0, min (MAX, BOUND)] when the range includes more
1780 than one value and return LHS. Otherwise, when the range
1781 [MIN, MAX] is such that MIN == MAX, return the tree representation
1782 of (MIN). The latter allows callers to fold suitable strnlen() calls
1783 to constants. */
1784
1785 tree
1786 set_strlen_range (tree lhs, wide_int min, wide_int max,
1787 tree bound /* = NULL_TREE */)
1788 {
1789 if (TREE_CODE (lhs) != SSA_NAME
1790 || !INTEGRAL_TYPE_P (TREE_TYPE (lhs)))
1791 return NULL_TREE;
1792
1793 if (bound)
1794 {
1795 /* For strnlen, adjust MIN and MAX as necessary. If the bound
1796 is less than the size of the array set MAX to it. It it's
1797 greater than MAX and MAX is non-zero bump MAX down to account
1798 for the necessary terminating nul. Otherwise leave it alone. */
1799 if (TREE_CODE (bound) == INTEGER_CST)
1800 {
1801 wide_int wibnd = wi::to_wide (bound);
1802 int cmp = wi::cmpu (wibnd, max);
1803 if (cmp < 0)
1804 max = wibnd;
1805 else if (cmp && wi::ne_p (max, min))
1806 --max;
1807 }
1808 else if (TREE_CODE (bound) == SSA_NAME)
1809 {
1810 wide_int minbound, maxbound;
1811 // FIXME: Use range_query instead of global ranges.
1812 value_range_kind rng = get_range_info (bound, &minbound, &maxbound);
1813 if (rng == VR_RANGE)
1814 {
1815 /* For a bound in a known range, adjust the range determined
1816 above as necessary. For a bound in some anti-range or
1817 in an unknown range, use the range determined by callers. */
1818 if (wi::ltu_p (minbound, min))
1819 min = minbound;
1820 if (wi::ltu_p (maxbound, max))
1821 max = maxbound;
1822 }
1823 }
1824 }
1825
1826 if (min == max)
1827 return wide_int_to_tree (size_type_node, min);
1828
1829 set_range_info (lhs, VR_RANGE, min, max);
1830 return lhs;
1831 }
1832
1833 /* For an LHS that is an SSA_NAME and for strlen() or strnlen() argument
1834 SRC, set LHS range info to [0, min (N, BOUND)] if SRC refers to
1835 a character array A[N] with unknown length bounded by N, and for
1836 strnlen(), by min (N, BOUND). */
1837
1838 static tree
1839 maybe_set_strlen_range (tree lhs, tree src, tree bound)
1840 {
1841 if (TREE_CODE (lhs) != SSA_NAME
1842 || !INTEGRAL_TYPE_P (TREE_TYPE (lhs)))
1843 return NULL_TREE;
1844
1845 if (TREE_CODE (src) == SSA_NAME)
1846 {
1847 gimple *def = SSA_NAME_DEF_STMT (src);
1848 if (is_gimple_assign (def)
1849 && gimple_assign_rhs_code (def) == ADDR_EXPR)
1850 src = gimple_assign_rhs1 (def);
1851 }
1852
1853 /* The longest string is PTRDIFF_MAX - 1 bytes including the final
1854 NUL so that the difference between a pointer to just past it and
1855 one to its beginning is positive. */
1856 wide_int max = wi::to_wide (TYPE_MAX_VALUE (ptrdiff_type_node)) - 2;
1857
1858 if (TREE_CODE (src) == ADDR_EXPR)
1859 {
1860 /* The last array member of a struct can be bigger than its size
1861 suggests if it's treated as a poor-man's flexible array member. */
1862 src = TREE_OPERAND (src, 0);
1863 if (TREE_CODE (src) != MEM_REF
1864 && !array_at_struct_end_p (src))
1865 {
1866 tree type = TREE_TYPE (src);
1867 tree size = TYPE_SIZE_UNIT (type);
1868 if (size
1869 && TREE_CODE (size) == INTEGER_CST
1870 && !integer_zerop (size))
1871 {
1872 /* Even though such uses of strlen would be undefined,
1873 avoid relying on arrays of arrays in case some genius
1874 decides to call strlen on an unterminated array element
1875 that's followed by a terminated one. Likewise, avoid
1876 assuming that a struct array member is necessarily
1877 nul-terminated (the nul may be in the member that
1878 follows). In those cases, assume that the length
1879 of the string stored in such an array is bounded
1880 by the size of the enclosing object if one can be
1881 determined. */
1882 tree base = get_base_address (src);
1883 if (VAR_P (base))
1884 {
1885 if (tree size = DECL_SIZE_UNIT (base))
1886 if (size
1887 && TREE_CODE (size) == INTEGER_CST
1888 && TREE_CODE (TREE_TYPE (base)) != POINTER_TYPE)
1889 max = wi::to_wide (size);
1890 }
1891 }
1892
1893 /* For strlen() the upper bound above is equal to
1894 the longest string that can be stored in the array
1895 (i.e., it accounts for the terminating nul. For
1896 strnlen() bump up the maximum by one since the array
1897 need not be nul-terminated. */
1898 if (!bound && max != 0)
1899 --max;
1900 }
1901 }
1902
1903 wide_int min = wi::zero (max.get_precision ());
1904 return set_strlen_range (lhs, min, max, bound);
1905 }
1906
1907 /* Diagnose buffer overflow by a STMT writing LEN + PLUS_ONE bytes,
1908 either into a region allocated for the object SI when non-null,
1909 or into an object designated by the LHS of STMT otherwise.
1910 When nonnull uses RVALS to determine range information.
1911 RAWMEM may be set by memcpy and other raw memory functions
1912 to allow accesses across subobject boundaries. */
1913
1914 static void
1915 maybe_warn_overflow (gimple *stmt, tree len,
1916 range_query *rvals = NULL,
1917 strinfo *si = NULL, bool plus_one = false,
1918 bool rawmem = false)
1919 {
1920 if (!len || gimple_no_warning_p (stmt))
1921 return;
1922
1923 /* The DECL of the function performing the write if it is done
1924 by one. */
1925 tree writefn = NULL_TREE;
1926 /* The destination expression involved in the store STMT. */
1927 tree dest = NULL_TREE;
1928
1929 if (is_gimple_assign (stmt))
1930 dest = gimple_assign_lhs (stmt);
1931 else if (is_gimple_call (stmt))
1932 {
1933 dest = gimple_call_arg (stmt, 0);
1934 writefn = gimple_call_fndecl (stmt);
1935 }
1936
1937 if (TREE_NO_WARNING (dest))
1938 return;
1939
1940 /* Use maximum precision to avoid overflow in the addition below.
1941 Make sure all operands have the same precision to keep wide_int
1942 from ICE'ing. */
1943
1944 /* Convenience constants. */
1945 const widest_int diff_min
1946 = wi::to_widest (TYPE_MIN_VALUE (ptrdiff_type_node));
1947 const widest_int diff_max
1948 = wi::to_widest (TYPE_MAX_VALUE (ptrdiff_type_node));
1949 const widest_int size_max
1950 = wi::to_widest (TYPE_MAX_VALUE (size_type_node));
1951
1952 /* The offset into the destination object computed below and not
1953 reflected in DESTSIZE. */
1954 widest_int offrng[2] = { 0, 0 };
1955
1956 if (!si)
1957 {
1958 /* If no destination STRINFO was provided try to get it from
1959 the DEST argument. */
1960 tree ref = dest;
1961 if (TREE_CODE (ref) == ARRAY_REF)
1962 {
1963 /* Handle stores to VLAs (represented as
1964 ARRAY_REF (MEM_REF (vlaptr, 0), N]. */
1965 tree off = TREE_OPERAND (ref, 1);
1966 ref = TREE_OPERAND (ref, 0);
1967 wide_int rng[2];
1968 if (get_range (off, stmt, rng, rvals))
1969 {
1970 /* Convert offsets to the maximum precision. */
1971 offrng[0] = widest_int::from (rng[0], SIGNED);
1972 offrng[1] = widest_int::from (rng[1], SIGNED);
1973 }
1974 else
1975 {
1976 offrng[0] = diff_min;
1977 offrng[1] = diff_max;
1978 }
1979 }
1980
1981 if (TREE_CODE (ref) == MEM_REF)
1982 {
1983 tree mem_off = TREE_OPERAND (ref, 1);
1984 ref = TREE_OPERAND (ref, 0);
1985 wide_int rng[2];
1986 if (get_range (mem_off, stmt, rng, rvals))
1987 {
1988 offrng[0] += widest_int::from (rng[0], SIGNED);
1989 offrng[1] += widest_int::from (rng[1], SIGNED);
1990 }
1991 else
1992 {
1993 offrng[0] = diff_min;
1994 offrng[1] = diff_max;
1995 }
1996 }
1997
1998 wide_int rng[2];
1999 if (int idx = get_stridx (ref, rng, rvals))
2000 {
2001 si = get_strinfo (idx);
2002 offrng[0] += widest_int::from (rng[0], SIGNED);
2003 offrng[1] += widest_int::from (rng[1], SIGNED);
2004 }
2005 }
2006
2007 /* The allocation call if the destination object was allocated
2008 by one. */
2009 gimple *alloc_call = NULL;
2010 /* The DECL of the destination object if known and not dynamically
2011 allocated. */
2012 tree destdecl = NULL_TREE;
2013 /* The offset into the destination object set by compute_objsize
2014 but already reflected in DESTSIZE. */
2015 tree destoff = NULL_TREE;
2016 /* The size of the destination region (which is smaller than
2017 the destination object for stores at a non-zero offset). */
2018 tree destsize = NULL_TREE;
2019
2020 /* Compute the range of sizes of the destination object. The range
2021 is constant for declared objects but may be a range for allocated
2022 objects. */
2023 widest_int sizrng[2] = { 0, 0 };
2024 if (si)
2025 {
2026 wide_int rng[2];
2027 destsize = gimple_call_alloc_size (si->alloc, rng, rvals);
2028 if (destsize)
2029 {
2030 sizrng[0] = widest_int::from (rng[0], UNSIGNED);
2031 sizrng[1] = widest_int::from (rng[1], UNSIGNED);
2032 }
2033 alloc_call = si->alloc;
2034 }
2035 else
2036 offrng[0] = offrng[1] = 0;
2037
2038 if (!destsize)
2039 {
2040 /* If there is no STRINFO for DEST, fall back on compute_objsize. */
2041 tree off = NULL_TREE;
2042 destsize = compute_objsize (dest, rawmem ? 0 : 1, &destdecl, &off, rvals);
2043 if (destsize)
2044 {
2045 /* Remember OFF but clear OFFRNG that may have been set above. */
2046 destoff = off;
2047 offrng[0] = offrng[1] = 0;
2048
2049 if (destdecl && TREE_CODE (destdecl) == SSA_NAME)
2050 {
2051 gimple *stmt = SSA_NAME_DEF_STMT (destdecl);
2052 if (is_gimple_call (stmt))
2053 alloc_call = stmt;
2054 destdecl = NULL_TREE;
2055 }
2056
2057 wide_int rng[2];
2058 if (get_range (destsize, stmt, rng, rvals))
2059 {
2060 sizrng[0] = widest_int::from (rng[0], UNSIGNED);
2061 sizrng[1] = widest_int::from (rng[1], UNSIGNED);
2062 }
2063 else
2064 {
2065 /* On failure, rather than failing, set the maximum range
2066 so that overflow in allocated objects whose size depends
2067 on the strlen of the source can still be diagnosed
2068 below. */
2069 sizrng[0] = 0;
2070 sizrng[1] = size_max;
2071 }
2072 }
2073 }
2074
2075 if (!destsize)
2076 {
2077 sizrng[0] = 0;
2078 sizrng[1] = size_max;
2079 };
2080
2081 /* Return early if the DESTSIZE size expression is the same as LEN
2082 and the offset into the destination is zero. This might happen
2083 in the case of a pair of malloc and memset calls to allocate
2084 an object and clear it as if by calloc. */
2085 if (destsize == len && !plus_one && offrng[0] == 0 && offrng[0] == offrng[1])
2086 return;
2087
2088 wide_int rng[2];
2089 if (!get_range (len, stmt, rng, rvals))
2090 return;
2091
2092 widest_int lenrng[2] =
2093 { widest_int::from (rng[0], SIGNED), widest_int::from (rng[1], SIGNED) };
2094
2095 if (plus_one)
2096 {
2097 lenrng[0] += 1;
2098 lenrng[1] += 1;
2099 }
2100
2101 /* The size of the remaining space in the destination computed
2102 as the size of the latter minus the offset into it. */
2103 widest_int spcrng[2] = { sizrng[0], sizrng[1] };
2104 if (wi::neg_p (offrng[0]) && wi::neg_p (offrng[1]))
2105 {
2106 /* When the offset is negative and the size of the destination
2107 object unknown there is little to do.
2108 FIXME: Detect offsets that are necessarily invalid regardless
2109 of the size of the object. */
2110 if (!destsize)
2111 return;
2112
2113 /* The remaining space is necessarily zero. */
2114 spcrng[0] = spcrng[1] = 0;
2115 }
2116 else if (wi::neg_p (offrng[0]))
2117 {
2118 /* When the lower bound of the offset is negative but the upper
2119 bound is not, reduce the upper bound of the remaining space
2120 by the upper bound of the offset but leave the lower bound
2121 unchanged. If that makes the upper bound of the space less
2122 than the lower bound swap the two. */
2123 spcrng[1] -= wi::ltu_p (offrng[1], spcrng[1]) ? offrng[1] : spcrng[1];
2124 if (wi::ltu_p (spcrng[1], spcrng[0]))
2125 std::swap (spcrng[1], spcrng[0]);
2126 }
2127 else
2128 {
2129 /* When the offset is positive reduce the remaining space by
2130 the lower bound of the offset or clear it if the offset is
2131 greater. */
2132 spcrng[0] -= wi::ltu_p (offrng[0], spcrng[0]) ? offrng[0] : spcrng[0];
2133 spcrng[1] -= wi::ltu_p (offrng[0], spcrng[1]) ? offrng[0] : spcrng[1];
2134 }
2135
2136 if (wi::leu_p (lenrng[0], spcrng[0])
2137 && wi::leu_p (lenrng[1], spcrng[1]))
2138 return;
2139
2140 if (lenrng[0] == spcrng[1]
2141 && (len != destsize
2142 || !si || !is_strlen_related_p (si->ptr, len)))
2143 return;
2144
2145 location_t loc = gimple_or_expr_nonartificial_location (stmt, dest);
2146 bool warned = false;
2147 if (wi::leu_p (lenrng[0], spcrng[1]))
2148 {
2149 if (len != destsize
2150 && (!si || !is_strlen_related_p (si->ptr, len)))
2151 return;
2152
2153 warned = (writefn
2154 ? warning_at (loc, OPT_Wstringop_overflow_,
2155 "%G%qD writing one too many bytes into a region "
2156 "of a size that depends on %<strlen%>",
2157 stmt, writefn)
2158 : warning_at (loc, OPT_Wstringop_overflow_,
2159 "%Gwriting one too many bytes into a region "
2160 "of a size that depends on %<strlen%>",
2161 stmt));
2162 }
2163 else if (lenrng[0] == lenrng[1])
2164 {
2165 if (spcrng[0] == spcrng[1])
2166 warned = (writefn
2167 ? warning_n (loc, OPT_Wstringop_overflow_,
2168 lenrng[0].to_uhwi (),
2169 "%G%qD writing %wu byte into a region "
2170 "of size %wu",
2171 "%G%qD writing %wu bytes into a region "
2172 "of size %wu",
2173 stmt, writefn, lenrng[0].to_uhwi (),
2174 spcrng[0].to_uhwi ())
2175 : warning_n (loc, OPT_Wstringop_overflow_,
2176 lenrng[0].to_uhwi (),
2177 "%Gwriting %wu byte into a region "
2178 "of size %wu",
2179 "%Gwriting %wu bytes into a region "
2180 "of size %wu",
2181 stmt, lenrng[0].to_uhwi (),
2182 spcrng[0].to_uhwi ()));
2183 else
2184 warned = (writefn
2185 ? warning_n (loc, OPT_Wstringop_overflow_,
2186 lenrng[0].to_uhwi (),
2187 "%G%qD writing %wu byte into a region "
2188 "of size between %wu and %wu",
2189 "%G%qD writing %wu bytes into a region "
2190 "of size between %wu and %wu",
2191 stmt, writefn, lenrng[0].to_uhwi (),
2192 spcrng[0].to_uhwi (), spcrng[1].to_uhwi ())
2193 : warning_n (loc, OPT_Wstringop_overflow_,
2194 lenrng[0].to_uhwi (),
2195 "%Gwriting %wu byte into a region "
2196 "of size between %wu and %wu",
2197 "%Gwriting %wu bytes into a region "
2198 "of size between %wu and %wu",
2199 stmt, lenrng[0].to_uhwi (),
2200 spcrng[0].to_uhwi (), spcrng[1].to_uhwi ()));
2201 }
2202 else if (spcrng[0] == spcrng[1])
2203 warned = (writefn
2204 ? warning_at (loc, OPT_Wstringop_overflow_,
2205 "%G%qD writing between %wu and %wu bytes "
2206 "into a region of size %wu",
2207 stmt, writefn, lenrng[0].to_uhwi (),
2208 lenrng[1].to_uhwi (),
2209 spcrng[0].to_uhwi ())
2210 : warning_at (loc, OPT_Wstringop_overflow_,
2211 "%Gwriting between %wu and %wu bytes "
2212 "into a region of size %wu",
2213 stmt, lenrng[0].to_uhwi (),
2214 lenrng[1].to_uhwi (),
2215 spcrng[0].to_uhwi ()));
2216 else
2217 warned = (writefn
2218 ? warning_at (loc, OPT_Wstringop_overflow_,
2219 "%G%qD writing between %wu and %wu bytes "
2220 "into a region of size between %wu and %wu",
2221 stmt, writefn, lenrng[0].to_uhwi (),
2222 lenrng[1].to_uhwi (),
2223 spcrng[0].to_uhwi (), spcrng[1].to_uhwi ())
2224 : warning_at (loc, OPT_Wstringop_overflow_,
2225 "%Gwriting between %wu and %wu bytes "
2226 "into a region of size between %wu and %wu",
2227 stmt, lenrng[0].to_uhwi (),
2228 lenrng[1].to_uhwi (),
2229 spcrng[0].to_uhwi (), spcrng[1].to_uhwi ()));
2230
2231 if (!warned)
2232 return;
2233
2234 gimple_set_no_warning (stmt, true);
2235
2236 /* If DESTOFF is not null, use it to format the offset value/range. */
2237 if (destoff)
2238 {
2239 wide_int rng[2];
2240 if (get_range (destoff, stmt, rng))
2241 {
2242 offrng[0] = widest_int::from (rng[0], SIGNED);
2243 offrng[1] = widest_int::from (rng[1], SIGNED);
2244 }
2245 else
2246 offrng[0] = offrng[1] = 0;
2247 }
2248
2249 /* Format the offset to keep the number of inform calls from growing
2250 out of control. */
2251 char offstr[64];
2252 if (offrng[0] == offrng[1])
2253 sprintf (offstr, "%lli", (long long) offrng[0].to_shwi ());
2254 else
2255 sprintf (offstr, "[%lli, %lli]",
2256 (long long) offrng[0].to_shwi (), (long long) offrng[1].to_shwi ());
2257
2258 if (destdecl && DECL_P (destdecl))
2259 {
2260 if (tree size = DECL_SIZE_UNIT (destdecl))
2261 inform (DECL_SOURCE_LOCATION (destdecl),
2262 "at offset %s to object %qD with size %E declared here",
2263 offstr, destdecl, size);
2264 else
2265 inform (DECL_SOURCE_LOCATION (destdecl),
2266 "at offset %s to object %qD declared here",
2267 offstr, destdecl);
2268 return;
2269 }
2270
2271 if (!alloc_call)
2272 return;
2273
2274 tree allocfn = gimple_call_fndecl (alloc_call);
2275 if (!allocfn)
2276 {
2277 /* For an ALLOC_CALL via a function pointer make a small effort
2278 to determine the destination of the pointer. */
2279 allocfn = gimple_call_fn (alloc_call);
2280 if (TREE_CODE (allocfn) == SSA_NAME)
2281 {
2282 gimple *def = SSA_NAME_DEF_STMT (allocfn);
2283 if (gimple_assign_single_p (def))
2284 {
2285 tree rhs = gimple_assign_rhs1 (def);
2286 if (DECL_P (rhs))
2287 allocfn = rhs;
2288 else if (TREE_CODE (rhs) == COMPONENT_REF)
2289 allocfn = TREE_OPERAND (rhs, 1);
2290 }
2291 }
2292 }
2293
2294 if (gimple_call_builtin_p (alloc_call, BUILT_IN_ALLOCA_WITH_ALIGN))
2295 {
2296 if (sizrng[0] == sizrng[1])
2297 inform (gimple_location (alloc_call),
2298 "at offset %s to an object with size %wu declared here",
2299 offstr, sizrng[0].to_uhwi ());
2300 else if (sizrng[0] == 0)
2301 {
2302 /* Avoid printing impossible sizes. */
2303 if (wi::ltu_p (sizrng[1], diff_max - 2))
2304 inform (gimple_location (alloc_call),
2305 "at offset %s to an object with size at most %wu "
2306 "declared here",
2307 offstr, sizrng[1].to_uhwi ());
2308 else
2309 inform (gimple_location (alloc_call),
2310 "at offset %s to an object declared here", offstr);
2311 }
2312 else
2313 inform (gimple_location (alloc_call),
2314 "at offset %s to an object with size between %wu and %wu "
2315 "declared here",
2316 offstr, sizrng[0].to_uhwi (), sizrng[1].to_uhwi ());
2317 return;
2318 }
2319
2320 if (sizrng[0] == sizrng[1])
2321 inform (gimple_location (alloc_call),
2322 "at offset %s to an object with size %wu allocated by %qE here",
2323 offstr, sizrng[0].to_uhwi (), allocfn);
2324 else if (sizrng[0] == 0)
2325 {
2326 /* Avoid printing impossible sizes. */
2327 if (wi::ltu_p (sizrng[1], diff_max - 2))
2328 inform (gimple_location (alloc_call),
2329 "at offset %s to an object with size at most %wu allocated "
2330 "by %qD here",
2331 offstr, sizrng[1].to_uhwi (), allocfn);
2332 else
2333 inform (gimple_location (alloc_call),
2334 "at offset %s to an object allocated by %qE here",
2335 offstr, allocfn);
2336 }
2337 else
2338 inform (gimple_location (alloc_call),
2339 "at offset %s to an object with size between %wu and %wu "
2340 "allocated by %qE here",
2341 offstr, sizrng[0].to_uhwi (), sizrng[1].to_uhwi (), allocfn);
2342 }
2343
2344 /* Convenience wrapper for the above. */
2345
2346 static inline void
2347 maybe_warn_overflow (gimple *stmt, unsigned HOST_WIDE_INT len,
2348 range_query *rvals = NULL, strinfo *si = NULL,
2349 bool plus_one = false, bool rawmem = false)
2350 {
2351 maybe_warn_overflow (stmt, build_int_cst (size_type_node, len), rvals,
2352 si, plus_one, rawmem);
2353 }
2354
2355 /* Handle a strlen call. If strlen of the argument is known, replace
2356 the strlen call with the known value, otherwise remember that strlen
2357 of the argument is stored in the lhs SSA_NAME. */
2358
2359 static void
2360 handle_builtin_strlen (gimple_stmt_iterator *gsi)
2361 {
2362 gimple *stmt = gsi_stmt (*gsi);
2363 tree lhs = gimple_call_lhs (stmt);
2364
2365 if (lhs == NULL_TREE)
2366 return;
2367
2368 location_t loc = gimple_location (stmt);
2369 tree callee = gimple_call_fndecl (stmt);
2370 tree src = gimple_call_arg (stmt, 0);
2371 tree bound = (DECL_FUNCTION_CODE (callee) == BUILT_IN_STRNLEN
2372 ? gimple_call_arg (stmt, 1) : NULL_TREE);
2373 int idx = get_stridx (src);
2374 if (idx || (bound && integer_zerop (bound)))
2375 {
2376 strinfo *si = NULL;
2377 tree rhs;
2378
2379 if (idx < 0)
2380 rhs = build_int_cst (TREE_TYPE (lhs), ~idx);
2381 else if (idx == 0)
2382 rhs = bound;
2383 else
2384 {
2385 rhs = NULL_TREE;
2386 si = get_strinfo (idx);
2387 if (si != NULL)
2388 {
2389 rhs = get_string_length (si);
2390 /* For strnlen, if bound is constant, even if si is not known
2391 to be zero terminated, if we know at least bound bytes are
2392 not zero, the return value will be bound. */
2393 if (rhs == NULL_TREE
2394 && bound != NULL_TREE
2395 && TREE_CODE (bound) == INTEGER_CST
2396 && si->nonzero_chars != NULL_TREE
2397 && TREE_CODE (si->nonzero_chars) == INTEGER_CST
2398 && tree_int_cst_le (bound, si->nonzero_chars))
2399 rhs = bound;
2400 }
2401 }
2402 if (rhs != NULL_TREE)
2403 {
2404 if (dump_file && (dump_flags & TDF_DETAILS) != 0)
2405 {
2406 fprintf (dump_file, "Optimizing: ");
2407 print_gimple_stmt (dump_file, stmt, 0, TDF_SLIM);
2408 }
2409 rhs = unshare_expr (rhs);
2410 if (!useless_type_conversion_p (TREE_TYPE (lhs), TREE_TYPE (rhs)))
2411 rhs = fold_convert_loc (loc, TREE_TYPE (lhs), rhs);
2412
2413 if (bound)
2414 rhs = fold_build2_loc (loc, MIN_EXPR, TREE_TYPE (rhs), rhs, bound);
2415
2416 if (!update_call_from_tree (gsi, rhs))
2417 gimplify_and_update_call_from_tree (gsi, rhs);
2418 stmt = gsi_stmt (*gsi);
2419 update_stmt (stmt);
2420 if (dump_file && (dump_flags & TDF_DETAILS) != 0)
2421 {
2422 fprintf (dump_file, "into: ");
2423 print_gimple_stmt (dump_file, stmt, 0, TDF_SLIM);
2424 }
2425
2426 if (si != NULL
2427 /* Don't update anything for strnlen. */
2428 && bound == NULL_TREE
2429 && TREE_CODE (si->nonzero_chars) != SSA_NAME
2430 && TREE_CODE (si->nonzero_chars) != INTEGER_CST
2431 && !SSA_NAME_OCCURS_IN_ABNORMAL_PHI (lhs))
2432 {
2433 si = unshare_strinfo (si);
2434 si->nonzero_chars = lhs;
2435 gcc_assert (si->full_string_p);
2436 }
2437
2438 if (strlen_to_stridx
2439 && (bound == NULL_TREE
2440 /* For strnlen record this only if the call is proven
2441 to return the same value as strlen would. */
2442 || (TREE_CODE (bound) == INTEGER_CST
2443 && TREE_CODE (rhs) == INTEGER_CST
2444 && tree_int_cst_lt (rhs, bound))))
2445 strlen_to_stridx->put (lhs, stridx_strlenloc (idx, loc));
2446
2447 return;
2448 }
2449 }
2450 if (SSA_NAME_OCCURS_IN_ABNORMAL_PHI (lhs))
2451 return;
2452
2453 if (idx == 0)
2454 idx = new_stridx (src);
2455 else
2456 {
2457 strinfo *si = get_strinfo (idx);
2458 if (si != NULL)
2459 {
2460 if (!si->full_string_p && !si->stmt)
2461 {
2462 /* Until now we only had a lower bound on the string length.
2463 Install LHS as the actual length. */
2464 si = unshare_strinfo (si);
2465 tree old = si->nonzero_chars;
2466 si->nonzero_chars = lhs;
2467 si->full_string_p = true;
2468 if (old && TREE_CODE (old) == INTEGER_CST)
2469 {
2470 old = fold_convert_loc (loc, TREE_TYPE (lhs), old);
2471 tree adj = fold_build2_loc (loc, MINUS_EXPR,
2472 TREE_TYPE (lhs), lhs, old);
2473 adjust_related_strinfos (loc, si, adj);
2474 /* Use the constant minimum length as the lower bound
2475 of the non-constant length. */
2476 wide_int min = wi::to_wide (old);
2477 wide_int max
2478 = wi::to_wide (TYPE_MAX_VALUE (ptrdiff_type_node)) - 2;
2479 set_strlen_range (lhs, min, max);
2480 }
2481 else
2482 {
2483 si->first = 0;
2484 si->prev = 0;
2485 si->next = 0;
2486 }
2487 }
2488 return;
2489 }
2490 }
2491 if (idx)
2492 {
2493 if (!bound)
2494 {
2495 /* Only store the new length information for calls to strlen(),
2496 not for those to strnlen(). */
2497 strinfo *si = new_strinfo (src, idx, lhs, true);
2498 set_strinfo (idx, si);
2499 find_equal_ptrs (src, idx);
2500 }
2501
2502 /* For SRC that is an array of N elements, set LHS's range
2503 to [0, min (N, BOUND)]. A constant return value means
2504 the range would have consisted of a single value. In
2505 that case, fold the result into the returned constant. */
2506 if (tree ret = maybe_set_strlen_range (lhs, src, bound))
2507 if (TREE_CODE (ret) == INTEGER_CST)
2508 {
2509 if (dump_file && (dump_flags & TDF_DETAILS) != 0)
2510 {
2511 fprintf (dump_file, "Optimizing: ");
2512 print_gimple_stmt (dump_file, stmt, 0, TDF_SLIM);
2513 }
2514 if (!useless_type_conversion_p (TREE_TYPE (lhs), TREE_TYPE (ret)))
2515 ret = fold_convert_loc (loc, TREE_TYPE (lhs), ret);
2516 if (!update_call_from_tree (gsi, ret))
2517 gimplify_and_update_call_from_tree (gsi, ret);
2518 stmt = gsi_stmt (*gsi);
2519 update_stmt (stmt);
2520 if (dump_file && (dump_flags & TDF_DETAILS) != 0)
2521 {
2522 fprintf (dump_file, "into: ");
2523 print_gimple_stmt (dump_file, stmt, 0, TDF_SLIM);
2524 }
2525 }
2526
2527 if (strlen_to_stridx && !bound)
2528 strlen_to_stridx->put (lhs, stridx_strlenloc (idx, loc));
2529 }
2530 }
2531
2532 /* Handle a strchr call. If strlen of the first argument is known, replace
2533 the strchr (x, 0) call with the endptr or x + strlen, otherwise remember
2534 that lhs of the call is endptr and strlen of the argument is endptr - x. */
2535
2536 static void
2537 handle_builtin_strchr (gimple_stmt_iterator *gsi)
2538 {
2539 gimple *stmt = gsi_stmt (*gsi);
2540 tree lhs = gimple_call_lhs (stmt);
2541
2542 if (lhs == NULL_TREE)
2543 return;
2544
2545 if (!integer_zerop (gimple_call_arg (stmt, 1)))
2546 return;
2547
2548 tree src = gimple_call_arg (stmt, 0);
2549
2550 /* Avoid folding if the first argument is not a nul-terminated array.
2551 Defer warning until later. */
2552 if (!check_nul_terminated_array (NULL_TREE, src))
2553 return;
2554
2555 int idx = get_stridx (src);
2556 if (idx)
2557 {
2558 strinfo *si = NULL;
2559 tree rhs;
2560
2561 if (idx < 0)
2562 rhs = build_int_cst (size_type_node, ~idx);
2563 else
2564 {
2565 rhs = NULL_TREE;
2566 si = get_strinfo (idx);
2567 if (si != NULL)
2568 rhs = get_string_length (si);
2569 }
2570 if (rhs != NULL_TREE)
2571 {
2572 location_t loc = gimple_location (stmt);
2573
2574 if (dump_file && (dump_flags & TDF_DETAILS) != 0)
2575 {
2576 fprintf (dump_file, "Optimizing: ");
2577 print_gimple_stmt (dump_file, stmt, 0, TDF_SLIM);
2578 }
2579 if (si != NULL && si->endptr != NULL_TREE)
2580 {
2581 rhs = unshare_expr (si->endptr);
2582 if (!useless_type_conversion_p (TREE_TYPE (lhs),
2583 TREE_TYPE (rhs)))
2584 rhs = fold_convert_loc (loc, TREE_TYPE (lhs), rhs);
2585 }
2586 else
2587 {
2588 rhs = fold_convert_loc (loc, sizetype, unshare_expr (rhs));
2589 rhs = fold_build2_loc (loc, POINTER_PLUS_EXPR,
2590 TREE_TYPE (src), src, rhs);
2591 if (!useless_type_conversion_p (TREE_TYPE (lhs),
2592 TREE_TYPE (rhs)))
2593 rhs = fold_convert_loc (loc, TREE_TYPE (lhs), rhs);
2594 }
2595 if (!update_call_from_tree (gsi, rhs))
2596 gimplify_and_update_call_from_tree (gsi, rhs);
2597 stmt = gsi_stmt (*gsi);
2598 update_stmt (stmt);
2599 if (dump_file && (dump_flags & TDF_DETAILS) != 0)
2600 {
2601 fprintf (dump_file, "into: ");
2602 print_gimple_stmt (dump_file, stmt, 0, TDF_SLIM);
2603 }
2604 if (si != NULL
2605 && si->endptr == NULL_TREE
2606 && !SSA_NAME_OCCURS_IN_ABNORMAL_PHI (lhs))
2607 {
2608 si = unshare_strinfo (si);
2609 si->endptr = lhs;
2610 }
2611 zero_length_string (lhs, si);
2612 return;
2613 }
2614 }
2615 if (SSA_NAME_OCCURS_IN_ABNORMAL_PHI (lhs))
2616 return;
2617 if (TREE_CODE (src) != SSA_NAME || !SSA_NAME_OCCURS_IN_ABNORMAL_PHI (src))
2618 {
2619 if (idx == 0)
2620 idx = new_stridx (src);
2621 else if (get_strinfo (idx) != NULL)
2622 {
2623 zero_length_string (lhs, NULL);
2624 return;
2625 }
2626 if (idx)
2627 {
2628 location_t loc = gimple_location (stmt);
2629 tree lhsu = fold_convert_loc (loc, size_type_node, lhs);
2630 tree srcu = fold_convert_loc (loc, size_type_node, src);
2631 tree length = fold_build2_loc (loc, MINUS_EXPR,
2632 size_type_node, lhsu, srcu);
2633 strinfo *si = new_strinfo (src, idx, length, true);
2634 si->endptr = lhs;
2635 set_strinfo (idx, si);
2636 find_equal_ptrs (src, idx);
2637 zero_length_string (lhs, si);
2638 }
2639 }
2640 else
2641 zero_length_string (lhs, NULL);
2642 }
2643
2644 /* Handle a strcpy-like ({st{r,p}cpy,__st{r,p}cpy_chk}) call.
2645 If strlen of the second argument is known, strlen of the first argument
2646 is the same after this call. Furthermore, attempt to convert it to
2647 memcpy. Uses RVALS to determine range information. */
2648
2649 static void
2650 handle_builtin_strcpy (enum built_in_function bcode, gimple_stmt_iterator *gsi,
2651 range_query *rvals)
2652 {
2653 int idx, didx;
2654 tree src, dst, srclen, len, lhs, type, fn, oldlen;
2655 bool success;
2656 gimple *stmt = gsi_stmt (*gsi);
2657 strinfo *si, *dsi, *olddsi, *zsi;
2658 location_t loc;
2659
2660 src = gimple_call_arg (stmt, 1);
2661 dst = gimple_call_arg (stmt, 0);
2662 lhs = gimple_call_lhs (stmt);
2663 idx = get_stridx (src);
2664 si = NULL;
2665 if (idx > 0)
2666 si = get_strinfo (idx);
2667
2668 didx = get_stridx (dst);
2669 olddsi = NULL;
2670 oldlen = NULL_TREE;
2671 if (didx > 0)
2672 olddsi = get_strinfo (didx);
2673 else if (didx < 0)
2674 return;
2675
2676 if (olddsi != NULL)
2677 adjust_last_stmt (olddsi, stmt, false);
2678
2679 srclen = NULL_TREE;
2680 if (si != NULL)
2681 srclen = get_string_length (si);
2682 else if (idx < 0)
2683 srclen = build_int_cst (size_type_node, ~idx);
2684
2685 maybe_warn_overflow (stmt, srclen, rvals, olddsi, true);
2686
2687 if (olddsi != NULL)
2688 adjust_last_stmt (olddsi, stmt, false);
2689
2690 loc = gimple_location (stmt);
2691 if (srclen == NULL_TREE)
2692 switch (bcode)
2693 {
2694 case BUILT_IN_STRCPY:
2695 case BUILT_IN_STRCPY_CHK:
2696 if (lhs != NULL_TREE || !builtin_decl_implicit_p (BUILT_IN_STPCPY))
2697 return;
2698 break;
2699 case BUILT_IN_STPCPY:
2700 case BUILT_IN_STPCPY_CHK:
2701 if (lhs == NULL_TREE)
2702 return;
2703 else
2704 {
2705 tree lhsuint = fold_convert_loc (loc, size_type_node, lhs);
2706 srclen = fold_convert_loc (loc, size_type_node, dst);
2707 srclen = fold_build2_loc (loc, MINUS_EXPR, size_type_node,
2708 lhsuint, srclen);
2709 }
2710 break;
2711 default:
2712 gcc_unreachable ();
2713 }
2714
2715 if (didx == 0)
2716 {
2717 didx = new_stridx (dst);
2718 if (didx == 0)
2719 return;
2720 }
2721 if (olddsi != NULL)
2722 {
2723 oldlen = olddsi->nonzero_chars;
2724 dsi = unshare_strinfo (olddsi);
2725 dsi->nonzero_chars = srclen;
2726 dsi->full_string_p = (srclen != NULL_TREE);
2727 /* Break the chain, so adjust_related_strinfo on later pointers in
2728 the chain won't adjust this one anymore. */
2729 dsi->next = 0;
2730 dsi->stmt = NULL;
2731 dsi->endptr = NULL_TREE;
2732 }
2733 else
2734 {
2735 dsi = new_strinfo (dst, didx, srclen, srclen != NULL_TREE);
2736 set_strinfo (didx, dsi);
2737 find_equal_ptrs (dst, didx);
2738 }
2739 dsi->writable = true;
2740 dsi->dont_invalidate = true;
2741
2742 if (dsi->nonzero_chars == NULL_TREE)
2743 {
2744 strinfo *chainsi;
2745
2746 /* If string length of src is unknown, use delayed length
2747 computation. If string length of dst will be needed, it
2748 can be computed by transforming this strcpy call into
2749 stpcpy and subtracting dst from the return value. */
2750
2751 /* Look for earlier strings whose length could be determined if
2752 this strcpy is turned into an stpcpy. */
2753
2754 if (dsi->prev != 0 && (chainsi = verify_related_strinfos (dsi)) != NULL)
2755 {
2756 for (; chainsi && chainsi != dsi; chainsi = get_strinfo (chainsi->next))
2757 {
2758 /* When setting a stmt for delayed length computation
2759 prevent all strinfos through dsi from being
2760 invalidated. */
2761 chainsi = unshare_strinfo (chainsi);
2762 chainsi->stmt = stmt;
2763 chainsi->nonzero_chars = NULL_TREE;
2764 chainsi->full_string_p = false;
2765 chainsi->endptr = NULL_TREE;
2766 chainsi->dont_invalidate = true;
2767 }
2768 }
2769 dsi->stmt = stmt;
2770
2771 /* Try to detect overlap before returning. This catches cases
2772 like strcpy (d, d + n) where n is non-constant whose range
2773 is such that (n <= strlen (d) holds).
2774
2775 OLDDSI->NONZERO_chars may have been reset by this point with
2776 oldlen holding it original value. */
2777 if (olddsi && oldlen)
2778 {
2779 /* Add 1 for the terminating NUL. */
2780 tree type = TREE_TYPE (oldlen);
2781 oldlen = fold_build2 (PLUS_EXPR, type, oldlen,
2782 build_int_cst (type, 1));
2783 check_bounds_or_overlap (stmt, olddsi->ptr, src, oldlen, NULL_TREE);
2784 }
2785
2786 return;
2787 }
2788
2789 if (olddsi != NULL)
2790 {
2791 tree adj = NULL_TREE;
2792 if (oldlen == NULL_TREE)
2793 ;
2794 else if (integer_zerop (oldlen))
2795 adj = srclen;
2796 else if (TREE_CODE (oldlen) == INTEGER_CST
2797 || TREE_CODE (srclen) == INTEGER_CST)
2798 adj = fold_build2_loc (loc, MINUS_EXPR,
2799 TREE_TYPE (srclen), srclen,
2800 fold_convert_loc (loc, TREE_TYPE (srclen),
2801 oldlen));
2802 if (adj != NULL_TREE)
2803 adjust_related_strinfos (loc, dsi, adj);
2804 else
2805 dsi->prev = 0;
2806 }
2807 /* strcpy src may not overlap dst, so src doesn't need to be
2808 invalidated either. */
2809 if (si != NULL)
2810 si->dont_invalidate = true;
2811
2812 fn = NULL_TREE;
2813 zsi = NULL;
2814 switch (bcode)
2815 {
2816 case BUILT_IN_STRCPY:
2817 fn = builtin_decl_implicit (BUILT_IN_MEMCPY);
2818 if (lhs)
2819 ssa_ver_to_stridx[SSA_NAME_VERSION (lhs)] = didx;
2820 break;
2821 case BUILT_IN_STRCPY_CHK:
2822 fn = builtin_decl_explicit (BUILT_IN_MEMCPY_CHK);
2823 if (lhs)
2824 ssa_ver_to_stridx[SSA_NAME_VERSION (lhs)] = didx;
2825 break;
2826 case BUILT_IN_STPCPY:
2827 /* This would need adjustment of the lhs (subtract one),
2828 or detection that the trailing '\0' doesn't need to be
2829 written, if it will be immediately overwritten.
2830 fn = builtin_decl_explicit (BUILT_IN_MEMPCPY); */
2831 if (lhs)
2832 {
2833 dsi->endptr = lhs;
2834 zsi = zero_length_string (lhs, dsi);
2835 }
2836 break;
2837 case BUILT_IN_STPCPY_CHK:
2838 /* This would need adjustment of the lhs (subtract one),
2839 or detection that the trailing '\0' doesn't need to be
2840 written, if it will be immediately overwritten.
2841 fn = builtin_decl_explicit (BUILT_IN_MEMPCPY_CHK); */
2842 if (lhs)
2843 {
2844 dsi->endptr = lhs;
2845 zsi = zero_length_string (lhs, dsi);
2846 }
2847 break;
2848 default:
2849 gcc_unreachable ();
2850 }
2851 if (zsi != NULL)
2852 zsi->dont_invalidate = true;
2853
2854 if (fn)
2855 {
2856 tree args = TYPE_ARG_TYPES (TREE_TYPE (fn));
2857 type = TREE_VALUE (TREE_CHAIN (TREE_CHAIN (args)));
2858 }
2859 else
2860 type = size_type_node;
2861
2862 len = fold_convert_loc (loc, type, unshare_expr (srclen));
2863 len = fold_build2_loc (loc, PLUS_EXPR, type, len, build_int_cst (type, 1));
2864
2865 /* Set the no-warning bit on the transformed statement? */
2866 bool set_no_warning = false;
2867
2868 if (const strinfo *chksi = olddsi ? olddsi : dsi)
2869 if (si
2870 && check_bounds_or_overlap (stmt, chksi->ptr, si->ptr, NULL_TREE, len))
2871 {
2872 gimple_set_no_warning (stmt, true);
2873 set_no_warning = true;
2874 }
2875
2876 if (fn == NULL_TREE)
2877 return;
2878
2879 len = force_gimple_operand_gsi (gsi, len, true, NULL_TREE, true,
2880 GSI_SAME_STMT);
2881 if (dump_file && (dump_flags & TDF_DETAILS) != 0)
2882 {
2883 fprintf (dump_file, "Optimizing: ");
2884 print_gimple_stmt (dump_file, stmt, 0, TDF_SLIM);
2885 }
2886 if (gimple_call_num_args (stmt) == 2)
2887 success = update_gimple_call (gsi, fn, 3, dst, src, len);
2888 else
2889 success = update_gimple_call (gsi, fn, 4, dst, src, len,
2890 gimple_call_arg (stmt, 2));
2891 if (success)
2892 {
2893 stmt = gsi_stmt (*gsi);
2894 update_stmt (stmt);
2895 if (dump_file && (dump_flags & TDF_DETAILS) != 0)
2896 {
2897 fprintf (dump_file, "into: ");
2898 print_gimple_stmt (dump_file, stmt, 0, TDF_SLIM);
2899 }
2900 /* Allow adjust_last_stmt to decrease this memcpy's size. */
2901 laststmt.stmt = stmt;
2902 laststmt.len = srclen;
2903 laststmt.stridx = dsi->idx;
2904 }
2905 else if (dump_file && (dump_flags & TDF_DETAILS) != 0)
2906 fprintf (dump_file, "not possible.\n");
2907
2908 if (set_no_warning)
2909 gimple_set_no_warning (stmt, true);
2910 }
2911
2912 /* Check the size argument to the built-in forms of stpncpy and strncpy
2913 for out-of-bounds offsets or overlapping access, and to see if the
2914 size argument is derived from a call to strlen() on the source argument,
2915 and if so, issue an appropriate warning. */
2916
2917 static void
2918 handle_builtin_strncat (built_in_function, gimple_stmt_iterator *gsi)
2919 {
2920 /* Same as stxncpy(). */
2921 handle_builtin_stxncpy_strncat (true, gsi);
2922 }
2923
2924 /* Return true if LEN depends on a call to strlen(SRC) in an interesting
2925 way. LEN can either be an integer expression, or a pointer (to char).
2926 When it is the latter (such as in recursive calls to self) it is
2927 assumed to be the argument in some call to strlen() whose relationship
2928 to SRC is being ascertained. */
2929
2930 bool
2931 is_strlen_related_p (tree src, tree len)
2932 {
2933 if (TREE_CODE (TREE_TYPE (len)) == POINTER_TYPE
2934 && operand_equal_p (src, len, 0))
2935 return true;
2936
2937 if (TREE_CODE (len) != SSA_NAME)
2938 return false;
2939
2940 if (TREE_CODE (src) == SSA_NAME)
2941 {
2942 gimple *srcdef = SSA_NAME_DEF_STMT (src);
2943 if (is_gimple_assign (srcdef))
2944 {
2945 /* Handle bitwise AND used in conversions from wider size_t
2946 to narrower unsigned types. */
2947 tree_code code = gimple_assign_rhs_code (srcdef);
2948 if (code == BIT_AND_EXPR
2949 || code == NOP_EXPR)
2950 return is_strlen_related_p (gimple_assign_rhs1 (srcdef), len);
2951
2952 return false;
2953 }
2954
2955 if (gimple_call_builtin_p (srcdef, BUILT_IN_NORMAL))
2956 {
2957 /* If SRC is the result of a call to an allocation function
2958 or strlen, use the function's argument instead. */
2959 tree func = gimple_call_fndecl (srcdef);
2960 built_in_function code = DECL_FUNCTION_CODE (func);
2961 if (code == BUILT_IN_ALLOCA
2962 || code == BUILT_IN_ALLOCA_WITH_ALIGN
2963 || code == BUILT_IN_MALLOC
2964 || code == BUILT_IN_STRLEN)
2965 return is_strlen_related_p (gimple_call_arg (srcdef, 0), len);
2966
2967 /* FIXME: Handle other functions with attribute alloc_size. */
2968 return false;
2969 }
2970 }
2971
2972 gimple *lendef = SSA_NAME_DEF_STMT (len);
2973 if (!lendef)
2974 return false;
2975
2976 if (is_gimple_call (lendef))
2977 {
2978 tree func = gimple_call_fndecl (lendef);
2979 if (!valid_builtin_call (lendef)
2980 || DECL_FUNCTION_CODE (func) != BUILT_IN_STRLEN)
2981 return false;
2982
2983 tree arg = gimple_call_arg (lendef, 0);
2984 return is_strlen_related_p (src, arg);
2985 }
2986
2987 if (!is_gimple_assign (lendef))
2988 return false;
2989
2990 tree_code code = gimple_assign_rhs_code (lendef);
2991 tree rhs1 = gimple_assign_rhs1 (lendef);
2992 tree rhstype = TREE_TYPE (rhs1);
2993
2994 if ((TREE_CODE (rhstype) == POINTER_TYPE && code == POINTER_PLUS_EXPR)
2995 || (INTEGRAL_TYPE_P (rhstype)
2996 && (code == BIT_AND_EXPR
2997 || code == NOP_EXPR)))
2998 {
2999 /* Pointer plus (an integer), and truncation are considered among
3000 the (potentially) related expressions to strlen. */
3001 return is_strlen_related_p (src, rhs1);
3002 }
3003
3004 if (tree rhs2 = gimple_assign_rhs2 (lendef))
3005 {
3006 /* Integer subtraction is considered strlen-related when both
3007 arguments are integers and second one is strlen-related. */
3008 rhstype = TREE_TYPE (rhs2);
3009 if (INTEGRAL_TYPE_P (rhstype) && code == MINUS_EXPR)
3010 return is_strlen_related_p (src, rhs2);
3011 }
3012
3013 return false;
3014 }
3015
3016 /* Called by handle_builtin_stxncpy_strncat and by
3017 gimple_fold_builtin_strncpy in gimple-fold.c.
3018 Check to see if the specified bound is a) equal to the size of
3019 the destination DST and if so, b) if it's immediately followed by
3020 DST[CNT - 1] = '\0'. If a) holds and b) does not, warn. Otherwise,
3021 do nothing. Return true if diagnostic has been issued.
3022
3023 The purpose is to diagnose calls to strncpy and stpncpy that do
3024 not nul-terminate the copy while allowing for the idiom where
3025 such a call is immediately followed by setting the last element
3026 to nul, as in:
3027 char a[32];
3028 strncpy (a, s, sizeof a);
3029 a[sizeof a - 1] = '\0';
3030 */
3031
3032 bool
3033 maybe_diag_stxncpy_trunc (gimple_stmt_iterator gsi, tree src, tree cnt)
3034 {
3035 gimple *stmt = gsi_stmt (gsi);
3036 if (gimple_no_warning_p (stmt))
3037 return false;
3038
3039 wide_int cntrange[2];
3040
3041 if (TREE_CODE (cnt) == INTEGER_CST)
3042 cntrange[0] = cntrange[1] = wi::to_wide (cnt);
3043 else if (TREE_CODE (cnt) == SSA_NAME)
3044 {
3045 // FIXME: Use range_query instead of global ranges.
3046 enum value_range_kind rng = get_range_info (cnt, cntrange, cntrange + 1);
3047 if (rng == VR_RANGE)
3048 ;
3049 else if (rng == VR_ANTI_RANGE)
3050 {
3051 wide_int maxobjsize = wi::to_wide (TYPE_MAX_VALUE (ptrdiff_type_node));
3052
3053 if (wi::ltu_p (cntrange[1], maxobjsize))
3054 {
3055 cntrange[0] = cntrange[1] + 1;
3056 cntrange[1] = maxobjsize;
3057 }
3058 else
3059 {
3060 cntrange[1] = cntrange[0] - 1;
3061 cntrange[0] = wi::zero (TYPE_PRECISION (TREE_TYPE (cnt)));
3062 }
3063 }
3064 else
3065 return false;
3066 }
3067 else
3068 return false;
3069
3070 /* Negative value is the constant string length. If it's less than
3071 the lower bound there is no truncation. Avoid calling get_stridx()
3072 when ssa_ver_to_stridx is empty. That implies the caller isn't
3073 running under the control of this pass and ssa_ver_to_stridx hasn't
3074 been created yet. */
3075 int sidx = ssa_ver_to_stridx.length () ? get_stridx (src) : 0;
3076 if (sidx < 0 && wi::gtu_p (cntrange[0], ~sidx))
3077 return false;
3078
3079 tree dst = gimple_call_arg (stmt, 0);
3080 tree dstdecl = dst;
3081 if (TREE_CODE (dstdecl) == ADDR_EXPR)
3082 dstdecl = TREE_OPERAND (dstdecl, 0);
3083
3084 tree ref = NULL_TREE;
3085
3086 if (!sidx)
3087 {
3088 /* If the source is a non-string return early to avoid warning
3089 for possible truncation (if the truncation is certain SIDX
3090 is non-zero). */
3091 tree srcdecl = gimple_call_arg (stmt, 1);
3092 if (TREE_CODE (srcdecl) == ADDR_EXPR)
3093 srcdecl = TREE_OPERAND (srcdecl, 0);
3094 if (get_attr_nonstring_decl (srcdecl, &ref))
3095 return false;
3096 }
3097
3098 /* Likewise, if the destination refers to an array/pointer declared
3099 nonstring return early. */
3100 if (get_attr_nonstring_decl (dstdecl, &ref))
3101 return false;
3102
3103 /* Look for dst[i] = '\0'; after the stxncpy() call and if found
3104 avoid the truncation warning. */
3105 gsi_next_nondebug (&gsi);
3106 gimple *next_stmt = gsi_stmt (gsi);
3107 if (!next_stmt)
3108 {
3109 /* When there is no statement in the same basic block check
3110 the immediate successor block. */
3111 if (basic_block bb = gimple_bb (stmt))
3112 {
3113 if (single_succ_p (bb))
3114 {
3115 /* For simplicity, ignore blocks with multiple outgoing
3116 edges for now and only consider successor blocks along
3117 normal edges. */
3118 edge e = EDGE_SUCC (bb, 0);
3119 if (!(e->flags & EDGE_ABNORMAL))
3120 {
3121 gsi = gsi_start_bb (e->dest);
3122 next_stmt = gsi_stmt (gsi);
3123 if (next_stmt && is_gimple_debug (next_stmt))
3124 {
3125 gsi_next_nondebug (&gsi);
3126 next_stmt = gsi_stmt (gsi);
3127 }
3128 }
3129 }
3130 }
3131 }
3132
3133 if (next_stmt && is_gimple_assign (next_stmt))
3134 {
3135 tree lhs = gimple_assign_lhs (next_stmt);
3136 tree_code code = TREE_CODE (lhs);
3137 if (code == ARRAY_REF || code == MEM_REF)
3138 lhs = TREE_OPERAND (lhs, 0);
3139
3140 tree func = gimple_call_fndecl (stmt);
3141 if (DECL_FUNCTION_CODE (func) == BUILT_IN_STPNCPY)
3142 {
3143 tree ret = gimple_call_lhs (stmt);
3144 if (ret && operand_equal_p (ret, lhs, 0))
3145 return false;
3146 }
3147
3148 /* Determine the base address and offset of the reference,
3149 ignoring the innermost array index. */
3150 if (TREE_CODE (ref) == ARRAY_REF)
3151 ref = TREE_OPERAND (ref, 0);
3152
3153 poly_int64 dstoff;
3154 tree dstbase = get_addr_base_and_unit_offset (ref, &dstoff);
3155
3156 poly_int64 lhsoff;
3157 tree lhsbase = get_addr_base_and_unit_offset (lhs, &lhsoff);
3158 if (lhsbase
3159 && dstbase
3160 && known_eq (dstoff, lhsoff)
3161 && operand_equal_p (dstbase, lhsbase, 0))
3162 return false;
3163 }
3164
3165 int prec = TYPE_PRECISION (TREE_TYPE (cnt));
3166 wide_int lenrange[2];
3167 if (strinfo *sisrc = sidx > 0 ? get_strinfo (sidx) : NULL)
3168 {
3169 lenrange[0] = (sisrc->nonzero_chars
3170 && TREE_CODE (sisrc->nonzero_chars) == INTEGER_CST
3171 ? wi::to_wide (sisrc->nonzero_chars)
3172 : wi::zero (prec));
3173 lenrange[1] = lenrange[0];
3174 }
3175 else if (sidx < 0)
3176 lenrange[0] = lenrange[1] = wi::shwi (~sidx, prec);
3177 else
3178 {
3179 c_strlen_data lendata = { };
3180 /* Set MAXBOUND to an arbitrary non-null non-integer node as a request
3181 to have it set to the length of the longest string in a PHI. */
3182 lendata.maxbound = src;
3183 get_range_strlen (src, &lendata, /* eltsize = */1);
3184 if (TREE_CODE (lendata.minlen) == INTEGER_CST
3185 && TREE_CODE (lendata.maxbound) == INTEGER_CST)
3186 {
3187 /* When LENDATA.MAXLEN is unknown, reset LENDATA.MINLEN
3188 which stores the length of the shortest known string. */
3189 if (integer_all_onesp (lendata.maxlen))
3190 lenrange[0] = wi::shwi (0, prec);
3191 else
3192 lenrange[0] = wi::to_wide (lendata.minlen, prec);
3193 lenrange[1] = wi::to_wide (lendata.maxbound, prec);
3194 }
3195 else
3196 {
3197 lenrange[0] = wi::shwi (0, prec);
3198 lenrange[1] = wi::shwi (-1, prec);
3199 }
3200 }
3201
3202 location_t callloc = gimple_or_expr_nonartificial_location (stmt, dst);
3203 tree func = gimple_call_fndecl (stmt);
3204
3205 if (lenrange[0] != 0 || !wi::neg_p (lenrange[1]))
3206 {
3207 /* If the longest source string is shorter than the lower bound
3208 of the specified count the copy is definitely nul-terminated. */
3209 if (wi::ltu_p (lenrange[1], cntrange[0]))
3210 return false;
3211
3212 if (wi::neg_p (lenrange[1]))
3213 {
3214 /* The length of one of the strings is unknown but at least
3215 one has non-zero length and that length is stored in
3216 LENRANGE[1]. Swap the bounds to force a "may be truncated"
3217 warning below. */
3218 lenrange[1] = lenrange[0];
3219 lenrange[0] = wi::shwi (0, prec);
3220 }
3221
3222 /* Set to true for strncat whose bound is derived from the length
3223 of the destination (the expected usage pattern). */
3224 bool cat_dstlen_bounded = false;
3225 if (DECL_FUNCTION_CODE (func) == BUILT_IN_STRNCAT)
3226 cat_dstlen_bounded = is_strlen_related_p (dst, cnt);
3227
3228 if (lenrange[0] == cntrange[1] && cntrange[0] == cntrange[1])
3229 return warning_n (callloc, OPT_Wstringop_truncation,
3230 cntrange[0].to_uhwi (),
3231 "%G%qD output truncated before terminating "
3232 "nul copying %E byte from a string of the "
3233 "same length",
3234 "%G%qD output truncated before terminating nul "
3235 "copying %E bytes from a string of the same "
3236 "length",
3237 stmt, func, cnt);
3238 else if (!cat_dstlen_bounded)
3239 {
3240 if (wi::geu_p (lenrange[0], cntrange[1]))
3241 {
3242 /* The shortest string is longer than the upper bound of
3243 the count so the truncation is certain. */
3244 if (cntrange[0] == cntrange[1])
3245 return warning_n (callloc, OPT_Wstringop_truncation,
3246 cntrange[0].to_uhwi (),
3247 "%G%qD output truncated copying %E byte "
3248 "from a string of length %wu",
3249 "%G%qD output truncated copying %E bytes "
3250 "from a string of length %wu",
3251 stmt, func, cnt, lenrange[0].to_uhwi ());
3252
3253 return warning_at (callloc, OPT_Wstringop_truncation,
3254 "%G%qD output truncated copying between %wu "
3255 "and %wu bytes from a string of length %wu",
3256 stmt, func, cntrange[0].to_uhwi (),
3257 cntrange[1].to_uhwi (), lenrange[0].to_uhwi ());
3258 }
3259 else if (wi::geu_p (lenrange[1], cntrange[1]))
3260 {
3261 /* The longest string is longer than the upper bound of
3262 the count so the truncation is possible. */
3263 if (cntrange[0] == cntrange[1])
3264 return warning_n (callloc, OPT_Wstringop_truncation,
3265 cntrange[0].to_uhwi (),
3266 "%G%qD output may be truncated copying %E "
3267 "byte from a string of length %wu",
3268 "%G%qD output may be truncated copying %E "
3269 "bytes from a string of length %wu",
3270 stmt, func, cnt, lenrange[1].to_uhwi ());
3271
3272 return warning_at (callloc, OPT_Wstringop_truncation,
3273 "%G%qD output may be truncated copying between "
3274 "%wu and %wu bytes from a string of length %wu",
3275 stmt, func, cntrange[0].to_uhwi (),
3276 cntrange[1].to_uhwi (), lenrange[1].to_uhwi ());
3277 }
3278 }
3279
3280 if (!cat_dstlen_bounded
3281 && cntrange[0] != cntrange[1]
3282 && wi::leu_p (cntrange[0], lenrange[0])
3283 && wi::leu_p (cntrange[1], lenrange[0] + 1))
3284 {
3285 /* If the source (including the terminating nul) is longer than
3286 the lower bound of the specified count but shorter than the
3287 upper bound the copy may (but need not) be truncated. */
3288 return warning_at (callloc, OPT_Wstringop_truncation,
3289 "%G%qD output may be truncated copying between "
3290 "%wu and %wu bytes from a string of length %wu",
3291 stmt, func, cntrange[0].to_uhwi (),
3292 cntrange[1].to_uhwi (), lenrange[0].to_uhwi ());
3293 }
3294 }
3295
3296 if (tree dstsize = compute_objsize (dst, 1))
3297 {
3298 /* The source length is unknown. Try to determine the destination
3299 size and see if it matches the specified bound. If not, bail.
3300 Otherwise go on to see if it should be diagnosed for possible
3301 truncation. */
3302 if (!dstsize)
3303 return false;
3304
3305 if (wi::to_wide (dstsize) != cntrange[1])
3306 return false;
3307
3308 /* Avoid warning for strncpy(a, b, N) calls where the following
3309 equalities hold:
3310 N == sizeof a && N == sizeof b */
3311 if (tree srcsize = compute_objsize (src, 1))
3312 if (wi::to_wide (srcsize) == cntrange[1])
3313 return false;
3314
3315 if (cntrange[0] == cntrange[1])
3316 return warning_at (callloc, OPT_Wstringop_truncation,
3317 "%G%qD specified bound %E equals destination size",
3318 stmt, func, cnt);
3319 }
3320
3321 return false;
3322 }
3323
3324 /* Check the arguments to the built-in forms of stpncpy, strncpy, and
3325 strncat, for out-of-bounds offsets or overlapping access, and to see
3326 if the size is derived from calling strlen() on the source argument,
3327 and if so, issue the appropriate warning.
3328 APPEND_P is true for strncat. */
3329
3330 static void
3331 handle_builtin_stxncpy_strncat (bool append_p, gimple_stmt_iterator *gsi)
3332 {
3333 if (!strlen_to_stridx)
3334 return;
3335
3336 gimple *stmt = gsi_stmt (*gsi);
3337
3338 tree dst = gimple_call_arg (stmt, 0);
3339 tree src = gimple_call_arg (stmt, 1);
3340 tree len = gimple_call_arg (stmt, 2);
3341 tree dstsize = NULL_TREE, srcsize = NULL_TREE;
3342
3343 int didx = get_stridx (dst);
3344 if (strinfo *sidst = didx > 0 ? get_strinfo (didx) : NULL)
3345 {
3346 /* Compute the size of the destination string including the nul
3347 if it is known to be nul-terminated. */
3348 if (sidst->nonzero_chars)
3349 {
3350 if (sidst->full_string_p)
3351 {
3352 /* String is known to be nul-terminated. */
3353 tree type = TREE_TYPE (sidst->nonzero_chars);
3354 dstsize = fold_build2 (PLUS_EXPR, type, sidst->nonzero_chars,
3355 build_int_cst (type, 1));
3356 }
3357 else
3358 dstsize = sidst->nonzero_chars;
3359 }
3360
3361 dst = sidst->ptr;
3362 }
3363
3364 int sidx = get_stridx (src);
3365 strinfo *sisrc = sidx > 0 ? get_strinfo (sidx) : NULL;
3366 if (sisrc)
3367 {
3368 /* strncat() and strncpy() can modify the source string by writing
3369 over the terminating nul so SISRC->DONT_INVALIDATE must be left
3370 clear. */
3371
3372 /* Compute the size of the source string including the terminating
3373 nul if its known to be nul-terminated. */
3374 if (sisrc->nonzero_chars)
3375 {
3376 if (sisrc->full_string_p)
3377 {
3378 tree type = TREE_TYPE (sisrc->nonzero_chars);
3379 srcsize = fold_build2 (PLUS_EXPR, type, sisrc->nonzero_chars,
3380 build_int_cst (type, 1));
3381 }
3382 else
3383 srcsize = sisrc->nonzero_chars;
3384 }
3385
3386 src = sisrc->ptr;
3387 }
3388 else
3389 srcsize = NULL_TREE;
3390
3391 if (check_bounds_or_overlap (stmt, dst, src, dstsize, srcsize))
3392 {
3393 gimple_set_no_warning (stmt, true);
3394 return;
3395 }
3396
3397 /* If the length argument was computed from strlen(S) for some string
3398 S retrieve the strinfo index for the string (PSS->FIRST) along with
3399 the location of the strlen() call (PSS->SECOND). */
3400 stridx_strlenloc *pss = strlen_to_stridx->get (len);
3401 if (!pss || pss->first <= 0)
3402 {
3403 if (maybe_diag_stxncpy_trunc (*gsi, src, len))
3404 gimple_set_no_warning (stmt, true);
3405
3406 return;
3407 }
3408
3409 /* Retrieve the strinfo data for the string S that LEN was computed
3410 from as some function F of strlen (S) (i.e., LEN need not be equal
3411 to strlen(S)). */
3412 strinfo *silen = get_strinfo (pss->first);
3413
3414 location_t callloc = gimple_or_expr_nonartificial_location (stmt, dst);
3415
3416 tree func = gimple_call_fndecl (stmt);
3417
3418 bool warned = false;
3419
3420 /* When -Wstringop-truncation is set, try to determine truncation
3421 before diagnosing possible overflow. Truncation is implied by
3422 the LEN argument being equal to strlen(SRC), regardless of
3423 whether its value is known. Otherwise, issue the more generic
3424 -Wstringop-overflow which triggers for LEN arguments that in
3425 any meaningful way depend on strlen(SRC). */
3426 if (!append_p
3427 && sisrc == silen
3428 && is_strlen_related_p (src, len)
3429 && warning_at (callloc, OPT_Wstringop_truncation,
3430 "%G%qD output truncated before terminating nul "
3431 "copying as many bytes from a string as its length",
3432 stmt, func))
3433 warned = true;
3434 else if (silen && is_strlen_related_p (src, silen->ptr))
3435 warned = warning_at (callloc, OPT_Wstringop_overflow_,
3436 "%G%qD specified bound depends on the length "
3437 "of the source argument",
3438 stmt, func);
3439 if (warned)
3440 {
3441 location_t strlenloc = pss->second;
3442 if (strlenloc != UNKNOWN_LOCATION && strlenloc != callloc)
3443 inform (strlenloc, "length computed here");
3444 }
3445 }
3446
3447 /* Handle a memcpy-like ({mem{,p}cpy,__mem{,p}cpy_chk}) call.
3448 If strlen of the second argument is known and length of the third argument
3449 is that plus one, strlen of the first argument is the same after this
3450 call. Uses RVALS to determine range information. */
3451
3452 static void
3453 handle_builtin_memcpy (enum built_in_function bcode, gimple_stmt_iterator *gsi,
3454 range_query *rvals)
3455 {
3456 tree lhs, oldlen, newlen;
3457 gimple *stmt = gsi_stmt (*gsi);
3458 strinfo *si, *dsi;
3459
3460 tree len = gimple_call_arg (stmt, 2);
3461 tree src = gimple_call_arg (stmt, 1);
3462 tree dst = gimple_call_arg (stmt, 0);
3463
3464 int didx = get_stridx (dst);
3465 strinfo *olddsi = NULL;
3466 if (didx > 0)
3467 olddsi = get_strinfo (didx);
3468 else if (didx < 0)
3469 return;
3470
3471 if (olddsi != NULL
3472 && !integer_zerop (len))
3473 {
3474 maybe_warn_overflow (stmt, len, rvals, olddsi, false, true);
3475 adjust_last_stmt (olddsi, stmt, false);
3476 }
3477
3478 int idx = get_stridx (src);
3479 if (idx == 0)
3480 return;
3481
3482 bool full_string_p;
3483 if (idx > 0)
3484 {
3485 gimple *def_stmt;
3486
3487 /* Handle memcpy (x, y, l) where l's relationship with strlen (y)
3488 is known. */
3489 si = get_strinfo (idx);
3490 if (si == NULL || si->nonzero_chars == NULL_TREE)
3491 return;
3492 if (TREE_CODE (len) == INTEGER_CST
3493 && TREE_CODE (si->nonzero_chars) == INTEGER_CST)
3494 {
3495 if (tree_int_cst_le (len, si->nonzero_chars))
3496 {
3497 /* Copying LEN nonzero characters, where LEN is constant. */
3498 newlen = len;
3499 full_string_p = false;
3500 }
3501 else
3502 {
3503 /* Copying the whole of the analyzed part of SI. */
3504 newlen = si->nonzero_chars;
3505 full_string_p = si->full_string_p;
3506 }
3507 }
3508 else
3509 {
3510 if (!si->full_string_p)
3511 return;
3512 if (TREE_CODE (len) != SSA_NAME)
3513 return;
3514 def_stmt = SSA_NAME_DEF_STMT (len);
3515 if (!is_gimple_assign (def_stmt)
3516 || gimple_assign_rhs_code (def_stmt) != PLUS_EXPR
3517 || gimple_assign_rhs1 (def_stmt) != si->nonzero_chars
3518 || !integer_onep (gimple_assign_rhs2 (def_stmt)))
3519 return;
3520 /* Copying variable-length string SI (and no more). */
3521 newlen = si->nonzero_chars;
3522 full_string_p = true;
3523 }
3524 }
3525 else
3526 {
3527 si = NULL;
3528 /* Handle memcpy (x, "abcd", 5) or
3529 memcpy (x, "abc\0uvw", 7). */
3530 if (!tree_fits_uhwi_p (len))
3531 return;
3532
3533 unsigned HOST_WIDE_INT clen = tree_to_uhwi (len);
3534 unsigned HOST_WIDE_INT nonzero_chars = ~idx;
3535 newlen = build_int_cst (size_type_node, MIN (nonzero_chars, clen));
3536 full_string_p = clen > nonzero_chars;
3537 }
3538
3539 if (!full_string_p
3540 && olddsi
3541 && olddsi->nonzero_chars
3542 && TREE_CODE (olddsi->nonzero_chars) == INTEGER_CST
3543 && tree_int_cst_le (newlen, olddsi->nonzero_chars))
3544 {
3545 /* The SRC substring being written strictly overlaps
3546 a subsequence of the existing string OLDDSI. */
3547 newlen = olddsi->nonzero_chars;
3548 full_string_p = olddsi->full_string_p;
3549 }
3550
3551 if (olddsi != NULL && TREE_CODE (len) == SSA_NAME)
3552 adjust_last_stmt (olddsi, stmt, false);
3553
3554 if (didx == 0)
3555 {
3556 didx = new_stridx (dst);
3557 if (didx == 0)
3558 return;
3559 }
3560 oldlen = NULL_TREE;
3561 if (olddsi != NULL)
3562 {
3563 dsi = unshare_strinfo (olddsi);
3564 oldlen = olddsi->nonzero_chars;
3565 dsi->nonzero_chars = newlen;
3566 dsi->full_string_p = full_string_p;
3567 /* Break the chain, so adjust_related_strinfo on later pointers in
3568 the chain won't adjust this one anymore. */
3569 dsi->next = 0;
3570 dsi->stmt = NULL;
3571 dsi->endptr = NULL_TREE;
3572 }
3573 else
3574 {
3575 dsi = new_strinfo (dst, didx, newlen, full_string_p);
3576 set_strinfo (didx, dsi);
3577 find_equal_ptrs (dst, didx);
3578 }
3579 dsi->writable = true;
3580 dsi->dont_invalidate = true;
3581 if (olddsi != NULL)
3582 {
3583 tree adj = NULL_TREE;
3584 location_t loc = gimple_location (stmt);
3585 if (oldlen == NULL_TREE)
3586 ;
3587 else if (integer_zerop (oldlen))
3588 adj = newlen;
3589 else if (TREE_CODE (oldlen) == INTEGER_CST
3590 || TREE_CODE (newlen) == INTEGER_CST)
3591 adj = fold_build2_loc (loc, MINUS_EXPR, TREE_TYPE (newlen), newlen,
3592 fold_convert_loc (loc, TREE_TYPE (newlen),
3593 oldlen));
3594 if (adj != NULL_TREE)
3595 adjust_related_strinfos (loc, dsi, adj);
3596 else
3597 dsi->prev = 0;
3598 }
3599 /* memcpy src may not overlap dst, so src doesn't need to be
3600 invalidated either. */
3601 if (si != NULL)
3602 si->dont_invalidate = true;
3603
3604 if (full_string_p)
3605 {
3606 lhs = gimple_call_lhs (stmt);
3607 switch (bcode)
3608 {
3609 case BUILT_IN_MEMCPY:
3610 case BUILT_IN_MEMCPY_CHK:
3611 /* Allow adjust_last_stmt to decrease this memcpy's size. */
3612 laststmt.stmt = stmt;
3613 laststmt.len = dsi->nonzero_chars;
3614 laststmt.stridx = dsi->idx;
3615 if (lhs)
3616 ssa_ver_to_stridx[SSA_NAME_VERSION (lhs)] = didx;
3617 break;
3618 case BUILT_IN_MEMPCPY:
3619 case BUILT_IN_MEMPCPY_CHK:
3620 break;
3621 default:
3622 gcc_unreachable ();
3623 }
3624 }
3625 }
3626
3627 /* Handle a strcat-like ({strcat,__strcat_chk}) call.
3628 If strlen of the second argument is known, strlen of the first argument
3629 is increased by the length of the second argument. Furthermore, attempt
3630 to convert it to memcpy/strcpy if the length of the first argument
3631 is known. */
3632
3633 static void
3634 handle_builtin_strcat (enum built_in_function bcode, gimple_stmt_iterator *gsi)
3635 {
3636 int idx, didx;
3637 tree srclen, args, type, fn, objsz, endptr;
3638 bool success;
3639 gimple *stmt = gsi_stmt (*gsi);
3640 strinfo *si, *dsi;
3641 location_t loc = gimple_location (stmt);
3642
3643 tree src = gimple_call_arg (stmt, 1);
3644 tree dst = gimple_call_arg (stmt, 0);
3645
3646 /* Bail if the source is the same as destination. It will be diagnosed
3647 elsewhere. */
3648 if (operand_equal_p (src, dst, 0))
3649 return;
3650
3651 tree lhs = gimple_call_lhs (stmt);
3652
3653 didx = get_stridx (dst);
3654 if (didx < 0)
3655 return;
3656
3657 dsi = NULL;
3658 if (didx > 0)
3659 dsi = get_strinfo (didx);
3660
3661 srclen = NULL_TREE;
3662 si = NULL;
3663 idx = get_stridx (src);
3664 if (idx < 0)
3665 srclen = build_int_cst (size_type_node, ~idx);
3666 else if (idx > 0)
3667 {
3668 si = get_strinfo (idx);
3669 if (si != NULL)
3670 srclen = get_string_length (si);
3671 }
3672
3673 /* Set the no-warning bit on the transformed statement? */
3674 bool set_no_warning = false;
3675
3676 if (dsi == NULL || get_string_length (dsi) == NULL_TREE)
3677 {
3678 {
3679 /* The concatenation always involves copying at least one byte
3680 (the terminating nul), even if the source string is empty.
3681 If the source is unknown assume it's one character long and
3682 used that as both sizes. */
3683 tree slen = srclen;
3684 if (slen)
3685 {
3686 tree type = TREE_TYPE (slen);
3687 slen = fold_build2 (PLUS_EXPR, type, slen, build_int_cst (type, 1));
3688 }
3689
3690 tree sptr = si && si->ptr ? si->ptr : src;
3691
3692 if (check_bounds_or_overlap (stmt, dst, sptr, NULL_TREE, slen))
3693 {
3694 gimple_set_no_warning (stmt, true);
3695 set_no_warning = true;
3696 }
3697 }
3698
3699 /* strcat (p, q) can be transformed into
3700 tmp = p + strlen (p); endptr = stpcpy (tmp, q);
3701 with length endptr - p if we need to compute the length
3702 later on. Don't do this transformation if we don't need
3703 it. */
3704 if (builtin_decl_implicit_p (BUILT_IN_STPCPY) && lhs == NULL_TREE)
3705 {
3706 if (didx == 0)
3707 {
3708 didx = new_stridx (dst);
3709 if (didx == 0)
3710 return;
3711 }
3712 if (dsi == NULL)
3713 {
3714 dsi = new_strinfo (dst, didx, NULL_TREE, false);
3715 set_strinfo (didx, dsi);
3716 find_equal_ptrs (dst, didx);
3717 }
3718 else
3719 {
3720 dsi = unshare_strinfo (dsi);
3721 dsi->nonzero_chars = NULL_TREE;
3722 dsi->full_string_p = false;
3723 dsi->next = 0;
3724 dsi->endptr = NULL_TREE;
3725 }
3726 dsi->writable = true;
3727 dsi->stmt = stmt;
3728 dsi->dont_invalidate = true;
3729 }
3730 return;
3731 }
3732
3733 tree dstlen = dsi->nonzero_chars;
3734 endptr = dsi->endptr;
3735
3736 dsi = unshare_strinfo (dsi);
3737 dsi->endptr = NULL_TREE;
3738 dsi->stmt = NULL;
3739 dsi->writable = true;
3740
3741 if (srclen != NULL_TREE)
3742 {
3743 dsi->nonzero_chars = fold_build2_loc (loc, PLUS_EXPR,
3744 TREE_TYPE (dsi->nonzero_chars),
3745 dsi->nonzero_chars, srclen);
3746 gcc_assert (dsi->full_string_p);
3747 adjust_related_strinfos (loc, dsi, srclen);
3748 dsi->dont_invalidate = true;
3749 }
3750 else
3751 {
3752 dsi->nonzero_chars = NULL;
3753 dsi->full_string_p = false;
3754 if (lhs == NULL_TREE && builtin_decl_implicit_p (BUILT_IN_STPCPY))
3755 dsi->dont_invalidate = true;
3756 }
3757
3758 if (si != NULL)
3759 /* strcat src may not overlap dst, so src doesn't need to be
3760 invalidated either. */
3761 si->dont_invalidate = true;
3762
3763 /* For now. Could remove the lhs from the call and add
3764 lhs = dst; afterwards. */
3765 if (lhs)
3766 return;
3767
3768 fn = NULL_TREE;
3769 objsz = NULL_TREE;
3770 switch (bcode)
3771 {
3772 case BUILT_IN_STRCAT:
3773 if (srclen != NULL_TREE)
3774 fn = builtin_decl_implicit (BUILT_IN_MEMCPY);
3775 else
3776 fn = builtin_decl_implicit (BUILT_IN_STRCPY);
3777 break;
3778 case BUILT_IN_STRCAT_CHK:
3779 if (srclen != NULL_TREE)
3780 fn = builtin_decl_explicit (BUILT_IN_MEMCPY_CHK);
3781 else
3782 fn = builtin_decl_explicit (BUILT_IN_STRCPY_CHK);
3783 objsz = gimple_call_arg (stmt, 2);
3784 break;
3785 default:
3786 gcc_unreachable ();
3787 }
3788
3789 if (fn == NULL_TREE)
3790 return;
3791
3792 if (dsi && dstlen)
3793 {
3794 tree type = TREE_TYPE (dstlen);
3795
3796 /* Compute the size of the source sequence, including the nul. */
3797 tree srcsize = srclen ? srclen : size_zero_node;
3798 tree one = build_int_cst (type, 1);
3799 srcsize = fold_build2 (PLUS_EXPR, type, srcsize, one);
3800 tree dstsize = fold_build2 (PLUS_EXPR, type, dstlen, one);
3801 tree sptr = si && si->ptr ? si->ptr : src;
3802
3803 if (check_bounds_or_overlap (stmt, dst, sptr, dstsize, srcsize))
3804 {
3805 gimple_set_no_warning (stmt, true);
3806 set_no_warning = true;
3807 }
3808 }
3809
3810 tree len = NULL_TREE;
3811 if (srclen != NULL_TREE)
3812 {
3813 args = TYPE_ARG_TYPES (TREE_TYPE (fn));
3814 type = TREE_VALUE (TREE_CHAIN (TREE_CHAIN (args)));
3815
3816 len = fold_convert_loc (loc, type, unshare_expr (srclen));
3817 len = fold_build2_loc (loc, PLUS_EXPR, type, len,
3818 build_int_cst (type, 1));
3819 len = force_gimple_operand_gsi (gsi, len, true, NULL_TREE, true,
3820 GSI_SAME_STMT);
3821 }
3822 if (endptr)
3823 dst = fold_convert_loc (loc, TREE_TYPE (dst), unshare_expr (endptr));
3824 else
3825 dst = fold_build2_loc (loc, POINTER_PLUS_EXPR, TREE_TYPE (dst), dst,
3826 fold_convert_loc (loc, sizetype,
3827 unshare_expr (dstlen)));
3828 dst = force_gimple_operand_gsi (gsi, dst, true, NULL_TREE, true,
3829 GSI_SAME_STMT);
3830 if (objsz)
3831 {
3832 objsz = fold_build2_loc (loc, MINUS_EXPR, TREE_TYPE (objsz), objsz,
3833 fold_convert_loc (loc, TREE_TYPE (objsz),
3834 unshare_expr (dstlen)));
3835 objsz = force_gimple_operand_gsi (gsi, objsz, true, NULL_TREE, true,
3836 GSI_SAME_STMT);
3837 }
3838 if (dump_file && (dump_flags & TDF_DETAILS) != 0)
3839 {
3840 fprintf (dump_file, "Optimizing: ");
3841 print_gimple_stmt (dump_file, stmt, 0, TDF_SLIM);
3842 }
3843 if (srclen != NULL_TREE)
3844 success = update_gimple_call (gsi, fn, 3 + (objsz != NULL_TREE),
3845 dst, src, len, objsz);
3846 else
3847 success = update_gimple_call (gsi, fn, 2 + (objsz != NULL_TREE),
3848 dst, src, objsz);
3849 if (success)
3850 {
3851 stmt = gsi_stmt (*gsi);
3852 update_stmt (stmt);
3853 if (dump_file && (dump_flags & TDF_DETAILS) != 0)
3854 {
3855 fprintf (dump_file, "into: ");
3856 print_gimple_stmt (dump_file, stmt, 0, TDF_SLIM);
3857 }
3858 /* If srclen == NULL, note that current string length can be
3859 computed by transforming this strcpy into stpcpy. */
3860 if (srclen == NULL_TREE && dsi->dont_invalidate)
3861 dsi->stmt = stmt;
3862 adjust_last_stmt (dsi, stmt, true);
3863 if (srclen != NULL_TREE)
3864 {
3865 laststmt.stmt = stmt;
3866 laststmt.len = srclen;
3867 laststmt.stridx = dsi->idx;
3868 }
3869 }
3870 else if (dump_file && (dump_flags & TDF_DETAILS) != 0)
3871 fprintf (dump_file, "not possible.\n");
3872
3873 if (set_no_warning)
3874 gimple_set_no_warning (stmt, true);
3875 }
3876
3877 /* Handle a call to an allocation function like alloca, malloc or calloc,
3878 or an ordinary allocation function declared with attribute alloc_size. */
3879
3880 static void
3881 handle_alloc_call (enum built_in_function bcode, gimple_stmt_iterator *gsi)
3882 {
3883 gimple *stmt = gsi_stmt (*gsi);
3884 tree lhs = gimple_call_lhs (stmt);
3885 if (lhs == NULL_TREE)
3886 return;
3887
3888 gcc_assert (get_stridx (lhs) == 0);
3889 int idx = new_stridx (lhs);
3890 tree length = NULL_TREE;
3891 if (bcode == BUILT_IN_CALLOC)
3892 length = build_int_cst (size_type_node, 0);
3893 strinfo *si = new_strinfo (lhs, idx, length, length != NULL_TREE);
3894 if (bcode == BUILT_IN_CALLOC)
3895 {
3896 /* Only set STMT for calloc and malloc. */
3897 si->stmt = stmt;
3898 /* Only set ENDPTR for calloc. */
3899 si->endptr = lhs;
3900 }
3901 else if (bcode == BUILT_IN_MALLOC)
3902 si->stmt = stmt;
3903
3904 /* Set ALLOC is set for all allocation functions. */
3905 si->alloc = stmt;
3906 set_strinfo (idx, si);
3907 si->writable = true;
3908 si->dont_invalidate = true;
3909 }
3910
3911 /* Handle a call to memset.
3912 After a call to calloc, memset(,0,) is unnecessary.
3913 memset(malloc(n),0,n) is calloc(n,1).
3914 return true when the call is transformed, false otherwise.
3915 When nonnull uses RVALS to determine range information. */
3916
3917 static bool
3918 handle_builtin_memset (gimple_stmt_iterator *gsi, bool *zero_write,
3919 range_query *rvals)
3920 {
3921 gimple *memset_stmt = gsi_stmt (*gsi);
3922 tree ptr = gimple_call_arg (memset_stmt, 0);
3923 /* Set to the non-constant offset added to PTR. */
3924 wide_int offrng[2];
3925 int idx1 = get_stridx (ptr, offrng, rvals);
3926 if (idx1 <= 0)
3927 return false;
3928 strinfo *si1 = get_strinfo (idx1);
3929 if (!si1)
3930 return false;
3931 gimple *alloc_stmt = si1->alloc;
3932 if (!alloc_stmt || !is_gimple_call (alloc_stmt))
3933 return false;
3934 tree callee1 = gimple_call_fndecl (alloc_stmt);
3935 if (!valid_builtin_call (alloc_stmt))
3936 return false;
3937 tree alloc_size = gimple_call_arg (alloc_stmt, 0);
3938 tree memset_size = gimple_call_arg (memset_stmt, 2);
3939
3940 /* Check for overflow. */
3941 maybe_warn_overflow (memset_stmt, memset_size, rvals, NULL, false, true);
3942
3943 /* Bail when there is no statement associated with the destination
3944 (the statement may be null even when SI1->ALLOC is not). */
3945 if (!si1->stmt)
3946 return false;
3947
3948 /* Avoid optimizing if store is at a variable offset from the beginning
3949 of the allocated object. */
3950 if (offrng[0] != 0 || offrng[0] != offrng[1])
3951 return false;
3952
3953 /* Bail when the call writes a non-zero value. */
3954 if (!integer_zerop (gimple_call_arg (memset_stmt, 1)))
3955 return false;
3956
3957 /* Let the caller know the memset call cleared the destination. */
3958 *zero_write = true;
3959
3960 enum built_in_function code1 = DECL_FUNCTION_CODE (callee1);
3961 if (code1 == BUILT_IN_CALLOC)
3962 /* Not touching alloc_stmt */ ;
3963 else if (code1 == BUILT_IN_MALLOC
3964 && operand_equal_p (memset_size, alloc_size, 0))
3965 {
3966 /* Replace the malloc + memset calls with calloc. */
3967 gimple_stmt_iterator gsi1 = gsi_for_stmt (si1->stmt);
3968 update_gimple_call (&gsi1, builtin_decl_implicit (BUILT_IN_CALLOC), 2,
3969 alloc_size, build_one_cst (size_type_node));
3970 si1->nonzero_chars = build_int_cst (size_type_node, 0);
3971 si1->full_string_p = true;
3972 si1->stmt = gsi_stmt (gsi1);
3973 }
3974 else
3975 return false;
3976 tree lhs = gimple_call_lhs (memset_stmt);
3977 unlink_stmt_vdef (memset_stmt);
3978 if (lhs)
3979 {
3980 gimple *assign = gimple_build_assign (lhs, ptr);
3981 gsi_replace (gsi, assign, false);
3982 }
3983 else
3984 {
3985 gsi_remove (gsi, true);
3986 release_defs (memset_stmt);
3987 }
3988
3989 return true;
3990 }
3991
3992 /* Return a pointer to the first such equality expression if RES is used
3993 only in expressions testing its equality to zero, and null otherwise. */
3994
3995 static gimple *
3996 used_only_for_zero_equality (tree res)
3997 {
3998 gimple *first_use = NULL;
3999
4000 use_operand_p use_p;
4001 imm_use_iterator iter;
4002
4003 FOR_EACH_IMM_USE_FAST (use_p, iter, res)
4004 {
4005 gimple *use_stmt = USE_STMT (use_p);
4006
4007 if (is_gimple_debug (use_stmt))
4008 continue;
4009 if (gimple_code (use_stmt) == GIMPLE_ASSIGN)
4010 {
4011 tree_code code = gimple_assign_rhs_code (use_stmt);
4012 if (code == COND_EXPR)
4013 {
4014 tree cond_expr = gimple_assign_rhs1 (use_stmt);
4015 if ((TREE_CODE (cond_expr) != EQ_EXPR
4016 && (TREE_CODE (cond_expr) != NE_EXPR))
4017 || !integer_zerop (TREE_OPERAND (cond_expr, 1)))
4018 return NULL;
4019 }
4020 else if (code == EQ_EXPR || code == NE_EXPR)
4021 {
4022 if (!integer_zerop (gimple_assign_rhs2 (use_stmt)))
4023 return NULL;
4024 }
4025 else
4026 return NULL;
4027 }
4028 else if (gimple_code (use_stmt) == GIMPLE_COND)
4029 {
4030 tree_code code = gimple_cond_code (use_stmt);
4031 if ((code != EQ_EXPR && code != NE_EXPR)
4032 || !integer_zerop (gimple_cond_rhs (use_stmt)))
4033 return NULL;
4034 }
4035 else
4036 return NULL;
4037
4038 if (!first_use)
4039 first_use = use_stmt;
4040 }
4041
4042 return first_use;
4043 }
4044
4045 /* Handle a call to memcmp. We try to handle small comparisons by
4046 converting them to load and compare, and replacing the call to memcmp
4047 with a __builtin_memcmp_eq call where possible.
4048 return true when call is transformed, return false otherwise. */
4049
4050 static bool
4051 handle_builtin_memcmp (gimple_stmt_iterator *gsi)
4052 {
4053 gcall *stmt = as_a <gcall *> (gsi_stmt (*gsi));
4054 tree res = gimple_call_lhs (stmt);
4055
4056 if (!res || !used_only_for_zero_equality (res))
4057 return false;
4058
4059 tree arg1 = gimple_call_arg (stmt, 0);
4060 tree arg2 = gimple_call_arg (stmt, 1);
4061 tree len = gimple_call_arg (stmt, 2);
4062 unsigned HOST_WIDE_INT leni;
4063
4064 if (tree_fits_uhwi_p (len)
4065 && (leni = tree_to_uhwi (len)) <= GET_MODE_SIZE (word_mode)
4066 && pow2p_hwi (leni))
4067 {
4068 leni *= CHAR_TYPE_SIZE;
4069 unsigned align1 = get_pointer_alignment (arg1);
4070 unsigned align2 = get_pointer_alignment (arg2);
4071 unsigned align = MIN (align1, align2);
4072 scalar_int_mode mode;
4073 if (int_mode_for_size (leni, 1).exists (&mode)
4074 && (align >= leni || !targetm.slow_unaligned_access (mode, align)))
4075 {
4076 location_t loc = gimple_location (stmt);
4077 tree type, off;
4078 type = build_nonstandard_integer_type (leni, 1);
4079 gcc_assert (known_eq (GET_MODE_BITSIZE (TYPE_MODE (type)), leni));
4080 tree ptrtype = build_pointer_type_for_mode (char_type_node,
4081 ptr_mode, true);
4082 off = build_int_cst (ptrtype, 0);
4083 arg1 = build2_loc (loc, MEM_REF, type, arg1, off);
4084 arg2 = build2_loc (loc, MEM_REF, type, arg2, off);
4085 tree tem1 = fold_const_aggregate_ref (arg1);
4086 if (tem1)
4087 arg1 = tem1;
4088 tree tem2 = fold_const_aggregate_ref (arg2);
4089 if (tem2)
4090 arg2 = tem2;
4091 res = fold_convert_loc (loc, TREE_TYPE (res),
4092 fold_build2_loc (loc, NE_EXPR,
4093 boolean_type_node,
4094 arg1, arg2));
4095 gimplify_and_update_call_from_tree (gsi, res);
4096 return true;
4097 }
4098 }
4099
4100 gimple_call_set_fndecl (stmt, builtin_decl_explicit (BUILT_IN_MEMCMP_EQ));
4101 return true;
4102 }
4103
4104 /* Given strinfo IDX for ARG, sets LENRNG[] to the range of lengths
4105 of the string(s) referenced by ARG if it can be determined.
4106 If the length cannot be determined, sets *SIZE to the size of
4107 the array the string is stored in, if any. If no such array is
4108 known, sets *SIZE to -1. When the strings are nul-terminated sets
4109 *NULTERM to true, otherwise to false. When nonnull uses RVALS to
4110 determine range information. Returns true on success. */
4111
4112 static bool
4113 get_len_or_size (gimple *stmt, tree arg, int idx,
4114 unsigned HOST_WIDE_INT lenrng[2],
4115 unsigned HOST_WIDE_INT *size, bool *nulterm,
4116 range_query *rvals)
4117 {
4118 /* Invalidate. */
4119 *size = HOST_WIDE_INT_M1U;
4120
4121 if (idx < 0)
4122 {
4123 /* IDX is the inverted constant string length. */
4124 lenrng[0] = ~idx;
4125 lenrng[1] = lenrng[0];
4126 *nulterm = true;
4127 return true;
4128 }
4129
4130 /* Set so that both LEN and ~LEN are invalid lengths, i.e., maximum
4131 possible length + 1. */
4132 lenrng[0] = lenrng[1] = HOST_WIDE_INT_MAX;
4133
4134 if (strinfo *si = idx ? get_strinfo (idx) : NULL)
4135 {
4136 /* FIXME: Handle all this in_range_strlen_dynamic. */
4137 if (!si->nonzero_chars)
4138 ;
4139 else if (tree_fits_uhwi_p (si->nonzero_chars))
4140 {
4141 lenrng[0] = tree_to_uhwi (si->nonzero_chars);
4142 *nulterm = si->full_string_p;
4143 /* Set the upper bound only if the string is known to be
4144 nul-terminated, otherwise leave it at maximum + 1. */
4145 if (*nulterm)
4146 lenrng[1] = lenrng[0];
4147 }
4148 else if (TREE_CODE (si->nonzero_chars) == SSA_NAME)
4149 {
4150 wide_int min, max;
4151 // FIXME: Use range_query instead of global ranges.
4152 value_range_kind rng = get_range_info (si->nonzero_chars, &min, &max);
4153 if (rng == VR_RANGE)
4154 {
4155 lenrng[0] = min.to_uhwi ();
4156 lenrng[1] = max.to_uhwi ();
4157 *nulterm = si->full_string_p;
4158 }
4159 }
4160 }
4161
4162 if (lenrng[0] != HOST_WIDE_INT_MAX)
4163 return true;
4164
4165 /* Compute the minimum and maximum real or possible lengths. */
4166 c_strlen_data lendata = { };
4167 /* Set MAXBOUND to an arbitrary non-null non-integer node as a request
4168 to have it set to the length of the longest string in a PHI. */
4169 lendata.maxbound = arg;
4170 get_range_strlen_dynamic (arg, stmt, &lendata, rvals);
4171
4172 unsigned HOST_WIDE_INT maxbound = HOST_WIDE_INT_M1U;
4173 if (tree_fits_uhwi_p (lendata.maxbound)
4174 && !integer_all_onesp (lendata.maxbound))
4175 maxbound = tree_to_uhwi (lendata.maxbound);
4176
4177 if (tree_fits_uhwi_p (lendata.minlen) && tree_fits_uhwi_p (lendata.maxlen))
4178 {
4179 unsigned HOST_WIDE_INT minlen = tree_to_uhwi (lendata.minlen);
4180 unsigned HOST_WIDE_INT maxlen = tree_to_uhwi (lendata.maxlen);
4181
4182 /* The longest string in this data model. */
4183 const unsigned HOST_WIDE_INT lenmax
4184 = tree_to_uhwi (max_object_size ()) - 2;
4185
4186 if (maxbound == HOST_WIDE_INT_M1U)
4187 {
4188 lenrng[0] = minlen;
4189 lenrng[1] = maxlen;
4190 *nulterm = minlen == maxlen;
4191 }
4192 else if (maxlen < lenmax)
4193 {
4194 *size = maxbound + 1;
4195 *nulterm = false;
4196 }
4197 else
4198 return false;
4199
4200 return true;
4201 }
4202
4203 if (maxbound != HOST_WIDE_INT_M1U
4204 && lendata.maxlen
4205 && !integer_all_onesp (lendata.maxlen))
4206 {
4207 /* Set *SIZE to LENDATA.MAXBOUND which is a conservative estimate
4208 of the longest string based on the sizes of the arrays referenced
4209 by ARG. */
4210 *size = maxbound + 1;
4211 *nulterm = false;
4212 return true;
4213 }
4214
4215 return false;
4216 }
4217
4218 /* If IDX1 and IDX2 refer to strings A and B of unequal lengths, return
4219 the result of 0 == strncmp (A, B, BOUND) (which is the same as strcmp
4220 for a sufficiently large BOUND). If the result is based on the length
4221 of one string being greater than the longest string that would fit in
4222 the array pointer to by the argument, set *PLEN and *PSIZE to
4223 the corresponding length (or its complement when the string is known
4224 to be at least as long and need not be nul-terminated) and size.
4225 Otherwise return null. */
4226
4227 static tree
4228 strxcmp_eqz_result (gimple *stmt, tree arg1, int idx1, tree arg2, int idx2,
4229 unsigned HOST_WIDE_INT bound, unsigned HOST_WIDE_INT len[2],
4230 unsigned HOST_WIDE_INT *psize, range_query *rvals)
4231 {
4232 /* Determine the range the length of each string is in and whether it's
4233 known to be nul-terminated, or the size of the array it's stored in. */
4234 bool nul1, nul2;
4235 unsigned HOST_WIDE_INT siz1, siz2;
4236 unsigned HOST_WIDE_INT len1rng[2], len2rng[2];
4237 if (!get_len_or_size (stmt, arg1, idx1, len1rng, &siz1, &nul1, rvals)
4238 || !get_len_or_size (stmt, arg2, idx2, len2rng, &siz2, &nul2, rvals))
4239 return NULL_TREE;
4240
4241 /* BOUND is set to HWI_M1U for strcmp and less to strncmp, and LENiRNG
4242 to HWI_MAX when invalid. Adjust the length of each string to consider
4243 to be no more than BOUND. */
4244 if (len1rng[0] < HOST_WIDE_INT_MAX && len1rng[0] > bound)
4245 len1rng[0] = bound;
4246 if (len1rng[1] < HOST_WIDE_INT_MAX && len1rng[1] > bound)
4247 len1rng[1] = bound;
4248 if (len2rng[0] < HOST_WIDE_INT_MAX && len2rng[0] > bound)
4249 len2rng[0] = bound;
4250 if (len2rng[1] < HOST_WIDE_INT_MAX && len2rng[1] > bound)
4251 len2rng[1] = bound;
4252
4253 /* Two empty strings are equal. */
4254 if (len1rng[1] == 0 && len2rng[1] == 0)
4255 return integer_one_node;
4256
4257 /* The strings are definitely unequal when the lower bound of the length
4258 of one of them is greater than the length of the longest string that
4259 would fit into the other array. */
4260 if (len1rng[0] == HOST_WIDE_INT_MAX
4261 && len2rng[0] != HOST_WIDE_INT_MAX
4262 && ((len2rng[0] < bound && len2rng[0] >= siz1)
4263 || len2rng[0] > siz1))
4264 {
4265 *psize = siz1;
4266 len[0] = len1rng[0];
4267 /* Set LEN[0] to the lower bound of ARG1's length when it's
4268 nul-terminated or to the complement of its minimum length
4269 otherwise, */
4270 len[1] = nul2 ? len2rng[0] : ~len2rng[0];
4271 return integer_zero_node;
4272 }
4273
4274 if (len2rng[0] == HOST_WIDE_INT_MAX
4275 && len1rng[0] != HOST_WIDE_INT_MAX
4276 && ((len1rng[0] < bound && len1rng[0] >= siz2)
4277 || len1rng[0] > siz2))
4278 {
4279 *psize = siz2;
4280 len[0] = nul1 ? len1rng[0] : ~len1rng[0];
4281 len[1] = len2rng[0];
4282 return integer_zero_node;
4283 }
4284
4285 /* The strings are also definitely unequal when their lengths are unequal
4286 and at least one is nul-terminated. */
4287 if (len1rng[0] != HOST_WIDE_INT_MAX
4288 && len2rng[0] != HOST_WIDE_INT_MAX
4289 && ((len1rng[1] < len2rng[0] && nul1)
4290 || (len2rng[1] < len1rng[0] && nul2)))
4291 {
4292 if (bound <= len1rng[0] || bound <= len2rng[0])
4293 *psize = bound;
4294 else
4295 *psize = HOST_WIDE_INT_M1U;
4296
4297 len[0] = len1rng[0];
4298 len[1] = len2rng[0];
4299 return integer_zero_node;
4300 }
4301
4302 /* The string lengths may be equal or unequal. Even when equal and
4303 both strings nul-terminated, without the string contents there's
4304 no way to determine whether they are equal. */
4305 return NULL_TREE;
4306 }
4307
4308 /* Diagnose pointless calls to strcmp or strncmp STMT with string
4309 arguments of lengths LEN or size SIZ and (for strncmp) BOUND,
4310 whose result is used in equality expressions that evaluate to
4311 a constant due to one argument being longer than the size of
4312 the other. */
4313
4314 static void
4315 maybe_warn_pointless_strcmp (gimple *stmt, HOST_WIDE_INT bound,
4316 unsigned HOST_WIDE_INT len[2],
4317 unsigned HOST_WIDE_INT siz)
4318 {
4319 tree lhs = gimple_call_lhs (stmt);
4320 gimple *use = used_only_for_zero_equality (lhs);
4321 if (!use)
4322 return;
4323
4324 bool at_least = false;
4325
4326 /* Excessive LEN[i] indicates a lower bound. */
4327 if (len[0] > HOST_WIDE_INT_MAX)
4328 {
4329 at_least = true;
4330 len[0] = ~len[0];
4331 }
4332
4333 if (len[1] > HOST_WIDE_INT_MAX)
4334 {
4335 at_least = true;
4336 len[1] = ~len[1];
4337 }
4338
4339 unsigned HOST_WIDE_INT minlen = MIN (len[0], len[1]);
4340
4341 /* FIXME: Include a note pointing to the declaration of the smaller
4342 array. */
4343 location_t stmt_loc = gimple_or_expr_nonartificial_location (stmt, lhs);
4344
4345 tree callee = gimple_call_fndecl (stmt);
4346 bool warned = false;
4347 if (siz <= minlen && bound == -1)
4348 warned = warning_at (stmt_loc, OPT_Wstring_compare,
4349 (at_least
4350 ? G_("%G%qD of a string of length %wu or more and "
4351 "an array of size %wu evaluates to nonzero")
4352 : G_("%G%qD of a string of length %wu and an array "
4353 "of size %wu evaluates to nonzero")),
4354 stmt, callee, minlen, siz);
4355 else if (!at_least && siz <= HOST_WIDE_INT_MAX)
4356 {
4357 if (len[0] != HOST_WIDE_INT_MAX && len[1] != HOST_WIDE_INT_MAX)
4358 warned = warning_at (stmt_loc, OPT_Wstring_compare,
4359 "%G%qD of strings of length %wu and %wu "
4360 "and bound of %wu evaluates to nonzero",
4361 stmt, callee, len[0], len[1], bound);
4362 else
4363 warned = warning_at (stmt_loc, OPT_Wstring_compare,
4364 "%G%qD of a string of length %wu, an array "
4365 "of size %wu and bound of %wu evaluates to "
4366 "nonzero",
4367 stmt, callee, minlen, siz, bound);
4368 }
4369
4370 if (warned)
4371 {
4372 location_t use_loc = gimple_location (use);
4373 if (LOCATION_LINE (stmt_loc) != LOCATION_LINE (use_loc))
4374 inform (use_loc, "in this expression");
4375 }
4376 }
4377
4378
4379 /* Optimize a call to strcmp or strncmp either by folding it to a constant
4380 when possible or by transforming the latter to the former. Warn about
4381 calls where the length of one argument is greater than the size of
4382 the array to which the other argument points if the latter's length
4383 is not known. Return true when the call has been transformed into
4384 another and false otherwise. */
4385
4386 static bool
4387 handle_builtin_string_cmp (gimple_stmt_iterator *gsi, range_query *rvals)
4388 {
4389 gcall *stmt = as_a <gcall *> (gsi_stmt (*gsi));
4390 tree lhs = gimple_call_lhs (stmt);
4391
4392 if (!lhs)
4393 return false;
4394
4395 tree arg1 = gimple_call_arg (stmt, 0);
4396 tree arg2 = gimple_call_arg (stmt, 1);
4397 int idx1 = get_stridx (arg1);
4398 int idx2 = get_stridx (arg2);
4399
4400 /* For strncmp set to the value of the third argument if known. */
4401 HOST_WIDE_INT bound = -1;
4402 tree len = NULL_TREE;
4403 /* Extract the strncmp bound. */
4404 if (gimple_call_num_args (stmt) == 3)
4405 {
4406 len = gimple_call_arg (stmt, 2);
4407 if (tree_fits_shwi_p (len))
4408 bound = tree_to_shwi (len);
4409
4410 /* If the bound argument is NOT known, do nothing. */
4411 if (bound < 0)
4412 return false;
4413 }
4414
4415 /* Avoid folding if either argument is not a nul-terminated array.
4416 Defer warning until later. */
4417 if (!check_nul_terminated_array (NULL_TREE, arg1, len)
4418 || !check_nul_terminated_array (NULL_TREE, arg2, len))
4419 return false;
4420
4421 {
4422 /* Set to the length of one argument (or its complement if it's
4423 the lower bound of a range) and the size of the array storing
4424 the other if the result is based on the former being equal to
4425 or greater than the latter. */
4426 unsigned HOST_WIDE_INT len[2] = { HOST_WIDE_INT_MAX, HOST_WIDE_INT_MAX };
4427 unsigned HOST_WIDE_INT siz = HOST_WIDE_INT_M1U;
4428
4429 /* Try to determine if the two strings are either definitely equal
4430 or definitely unequal and if so, either fold the result to zero
4431 (when equal) or set the range of the result to ~[0, 0] otherwise. */
4432 if (tree eqz = strxcmp_eqz_result (stmt, arg1, idx1, arg2, idx2, bound,
4433 len, &siz, rvals))
4434 {
4435 if (integer_zerop (eqz))
4436 {
4437 maybe_warn_pointless_strcmp (stmt, bound, len, siz);
4438
4439 /* When the lengths of the first two string arguments are
4440 known to be unequal set the range of the result to non-zero.
4441 This allows the call to be eliminated if its result is only
4442 used in tests for equality to zero. */
4443 wide_int zero = wi::zero (TYPE_PRECISION (TREE_TYPE (lhs)));
4444 set_range_info (lhs, VR_ANTI_RANGE, zero, zero);
4445 return false;
4446 }
4447 /* When the two strings are definitely equal (such as when they
4448 are both empty) fold the call to the constant result. */
4449 replace_call_with_value (gsi, integer_zero_node);
4450 return true;
4451 }
4452 }
4453
4454 /* Return if nothing is known about the strings pointed to by ARG1
4455 and ARG2. */
4456 if (idx1 == 0 && idx2 == 0)
4457 return false;
4458
4459 /* Determine either the length or the size of each of the strings,
4460 whichever is available. */
4461 HOST_WIDE_INT cstlen1 = -1, cstlen2 = -1;
4462 HOST_WIDE_INT arysiz1 = -1, arysiz2 = -1;
4463
4464 {
4465 unsigned HOST_WIDE_INT len1rng[2], len2rng[2];
4466 unsigned HOST_WIDE_INT arsz1, arsz2;
4467 bool nulterm[2];
4468
4469 if (!get_len_or_size (stmt, arg1, idx1, len1rng, &arsz1, nulterm, rvals)
4470 || !get_len_or_size (stmt, arg2, idx2, len2rng, &arsz2, nulterm + 1,
4471 rvals))
4472 return false;
4473
4474 if (len1rng[0] == len1rng[1] && len1rng[0] < HOST_WIDE_INT_MAX)
4475 cstlen1 = len1rng[0];
4476 else if (arsz1 < HOST_WIDE_INT_M1U)
4477 arysiz1 = arsz1;
4478
4479 if (len2rng[0] == len2rng[1] && len2rng[0] < HOST_WIDE_INT_MAX)
4480 cstlen2 = len2rng[0];
4481 else if (arsz2 < HOST_WIDE_INT_M1U)
4482 arysiz2 = arsz2;
4483 }
4484
4485 /* Bail if neither the string length nor the size of the array
4486 it is stored in can be determined. */
4487 if ((cstlen1 < 0 && arysiz1 < 0)
4488 || (cstlen2 < 0 && arysiz2 < 0)
4489 || (cstlen1 < 0 && cstlen2 < 0))
4490 return false;
4491
4492 if (cstlen1 >= 0)
4493 ++cstlen1;
4494 if (cstlen2 >= 0)
4495 ++cstlen2;
4496
4497 /* The exact number of characters to compare. */
4498 HOST_WIDE_INT cmpsiz;
4499 if (cstlen1 >= 0 && cstlen2 >= 0)
4500 cmpsiz = MIN (cstlen1, cstlen2);
4501 else if (cstlen1 >= 0)
4502 cmpsiz = cstlen1;
4503 else
4504 cmpsiz = cstlen2;
4505 if (bound >= 0)
4506 cmpsiz = MIN (cmpsiz, bound);
4507 /* The size of the array in which the unknown string is stored. */
4508 HOST_WIDE_INT varsiz = arysiz1 < 0 ? arysiz2 : arysiz1;
4509
4510 if ((varsiz < 0 || cmpsiz < varsiz) && used_only_for_zero_equality (lhs))
4511 {
4512 /* If the known length is less than the size of the other array
4513 and the strcmp result is only used to test equality to zero,
4514 transform the call to the equivalent _eq call. */
4515 if (tree fn = builtin_decl_implicit (bound < 0 ? BUILT_IN_STRCMP_EQ
4516 : BUILT_IN_STRNCMP_EQ))
4517 {
4518 tree n = build_int_cst (size_type_node, cmpsiz);
4519 update_gimple_call (gsi, fn, 3, arg1, arg2, n);
4520 return true;
4521 }
4522 }
4523
4524 return false;
4525 }
4526
4527 /* Handle a POINTER_PLUS_EXPR statement.
4528 For p = "abcd" + 2; compute associated length, or if
4529 p = q + off is pointing to a '\0' character of a string, call
4530 zero_length_string on it. */
4531
4532 static void
4533 handle_pointer_plus (gimple_stmt_iterator *gsi)
4534 {
4535 gimple *stmt = gsi_stmt (*gsi);
4536 tree lhs = gimple_assign_lhs (stmt), off;
4537 int idx = get_stridx (gimple_assign_rhs1 (stmt));
4538 strinfo *si, *zsi;
4539
4540 if (idx == 0)
4541 return;
4542
4543 if (idx < 0)
4544 {
4545 tree off = gimple_assign_rhs2 (stmt);
4546 if (tree_fits_uhwi_p (off)
4547 && tree_to_uhwi (off) <= (unsigned HOST_WIDE_INT) ~idx)
4548 ssa_ver_to_stridx[SSA_NAME_VERSION (lhs)]
4549 = ~(~idx - (int) tree_to_uhwi (off));
4550 return;
4551 }
4552
4553 si = get_strinfo (idx);
4554 if (si == NULL || si->nonzero_chars == NULL_TREE)
4555 return;
4556
4557 off = gimple_assign_rhs2 (stmt);
4558 zsi = NULL;
4559 if (si->full_string_p && operand_equal_p (si->nonzero_chars, off, 0))
4560 zsi = zero_length_string (lhs, si);
4561 else if (TREE_CODE (off) == SSA_NAME)
4562 {
4563 gimple *def_stmt = SSA_NAME_DEF_STMT (off);
4564 if (gimple_assign_single_p (def_stmt)
4565 && si->full_string_p
4566 && operand_equal_p (si->nonzero_chars,
4567 gimple_assign_rhs1 (def_stmt), 0))
4568 zsi = zero_length_string (lhs, si);
4569 }
4570 if (zsi != NULL
4571 && si->endptr != NULL_TREE
4572 && si->endptr != lhs
4573 && TREE_CODE (si->endptr) == SSA_NAME)
4574 {
4575 enum tree_code rhs_code
4576 = useless_type_conversion_p (TREE_TYPE (lhs), TREE_TYPE (si->endptr))
4577 ? SSA_NAME : NOP_EXPR;
4578 gimple_assign_set_rhs_with_ops (gsi, rhs_code, si->endptr);
4579 gcc_assert (gsi_stmt (*gsi) == stmt);
4580 update_stmt (stmt);
4581 }
4582 }
4583
4584 /* Describes recursion limits used by count_nonzero_bytes. */
4585
4586 class ssa_name_limit_t
4587 {
4588 bitmap visited; /* Bitmap of visited SSA_NAMEs. */
4589 unsigned ssa_def_max; /* Longest chain of SSA_NAMEs to follow. */
4590
4591 /* Not copyable or assignable. */
4592 ssa_name_limit_t (ssa_name_limit_t&);
4593 void operator= (ssa_name_limit_t&);
4594
4595 public:
4596
4597 ssa_name_limit_t ()
4598 : visited (NULL),
4599 ssa_def_max (param_ssa_name_def_chain_limit) { }
4600
4601 int next_ssa_name (tree);
4602
4603 ~ssa_name_limit_t ()
4604 {
4605 if (visited)
4606 BITMAP_FREE (visited);
4607 }
4608 };
4609
4610 /* If the SSA_NAME has already been "seen" return a positive value.
4611 Otherwise add it to VISITED. If the SSA_NAME limit has been
4612 reached, return a negative value. Otherwise return zero. */
4613
4614 int ssa_name_limit_t::next_ssa_name (tree ssa_name)
4615 {
4616 if (!visited)
4617 visited = BITMAP_ALLOC (NULL);
4618
4619 /* Return a positive value if SSA_NAME has already been visited. */
4620 if (!bitmap_set_bit (visited, SSA_NAME_VERSION (ssa_name)))
4621 return 1;
4622
4623 /* Return a negative value to let caller avoid recursing beyond
4624 the specified limit. */
4625 if (ssa_def_max == 0)
4626 return -1;
4627
4628 --ssa_def_max;
4629
4630 return 0;
4631 }
4632
4633 static bool
4634 count_nonzero_bytes_addr (tree, unsigned HOST_WIDE_INT, unsigned HOST_WIDE_INT,
4635 unsigned [3], bool *, bool *, bool *,
4636 range_query *, ssa_name_limit_t &);
4637
4638 /* Determines the minimum and maximum number of leading non-zero bytes
4639 in the representation of EXP and set LENRANGE[0] and LENRANGE[1]
4640 to each.
4641 Sets LENRANGE[2] to the total size of the access (which may be less
4642 than LENRANGE[1] when what's being referenced by EXP is a pointer
4643 rather than an array).
4644 Sets *NULTERM if the representation contains a zero byte, and sets
4645 *ALLNUL if all the bytes are zero.
4646 OFFSET and NBYTES are the offset into the representation and
4647 the size of the access to it determined from an ADDR_EXPR (i.e.,
4648 a pointer) or MEM_REF or zero for other expressions.
4649 Uses RVALS to determine range information.
4650 Avoids recursing deeper than the limits in SNLIM allow.
4651 Returns true on success and false otherwise. */
4652
4653 static bool
4654 count_nonzero_bytes (tree exp, unsigned HOST_WIDE_INT offset,
4655 unsigned HOST_WIDE_INT nbytes,
4656 unsigned lenrange[3], bool *nulterm,
4657 bool *allnul, bool *allnonnul, range_query *rvals,
4658 ssa_name_limit_t &snlim)
4659 {
4660 if (TREE_CODE (exp) == SSA_NAME)
4661 {
4662 /* Handle non-zero single-character stores specially. */
4663 tree type = TREE_TYPE (exp);
4664 if (TREE_CODE (type) == INTEGER_TYPE
4665 && TYPE_MODE (type) == TYPE_MODE (char_type_node)
4666 && TYPE_PRECISION (type) == TYPE_PRECISION (char_type_node)
4667 && tree_expr_nonzero_p (exp))
4668 {
4669 /* If the character EXP is known to be non-zero (even if its
4670 exact value is not known) recurse once to set the range
4671 for an arbitrary constant. */
4672 exp = build_int_cst (type, 1);
4673 return count_nonzero_bytes (exp, offset, 1, lenrange,
4674 nulterm, allnul, allnonnul, rvals, snlim);
4675 }
4676
4677 gimple *stmt = SSA_NAME_DEF_STMT (exp);
4678 if (gimple_assign_single_p (stmt))
4679 {
4680 exp = gimple_assign_rhs1 (stmt);
4681 if (TREE_CODE (exp) != MEM_REF)
4682 return false;
4683 /* Handle MEM_REF below. */
4684 }
4685 else if (gimple_code (stmt) == GIMPLE_PHI)
4686 {
4687 /* Avoid processing an SSA_NAME that has already been visited
4688 or if an SSA_NAME limit has been reached. Indicate success
4689 if the former and failure if the latter. */
4690 if (int res = snlim.next_ssa_name (exp))
4691 return res > 0;
4692
4693 /* Determine the minimum and maximum from the PHI arguments. */
4694 unsigned int n = gimple_phi_num_args (stmt);
4695 for (unsigned i = 0; i != n; i++)
4696 {
4697 tree def = gimple_phi_arg_def (stmt, i);
4698 if (!count_nonzero_bytes (def, offset, nbytes, lenrange, nulterm,
4699 allnul, allnonnul, rvals, snlim))
4700 return false;
4701 }
4702
4703 return true;
4704 }
4705 }
4706
4707 if (TREE_CODE (exp) == MEM_REF)
4708 {
4709 if (nbytes)
4710 return false;
4711
4712 tree arg = TREE_OPERAND (exp, 0);
4713 tree off = TREE_OPERAND (exp, 1);
4714
4715 if (TREE_CODE (off) != INTEGER_CST || !tree_fits_uhwi_p (off))
4716 return false;
4717
4718 unsigned HOST_WIDE_INT wioff = tree_to_uhwi (off);
4719 if (INT_MAX < wioff)
4720 return false;
4721
4722 offset += wioff;
4723 if (INT_MAX < offset)
4724 return false;
4725
4726 /* The size of the MEM_REF access determines the number of bytes. */
4727 tree type = TREE_TYPE (exp);
4728 tree typesize = TYPE_SIZE_UNIT (type);
4729 if (!typesize || !tree_fits_uhwi_p (typesize))
4730 return false;
4731 nbytes = tree_to_uhwi (typesize);
4732 if (!nbytes)
4733 return false;
4734
4735 /* Handle MEM_REF = SSA_NAME types of assignments. */
4736 return count_nonzero_bytes_addr (arg, offset, nbytes, lenrange, nulterm,
4737 allnul, allnonnul, rvals, snlim);
4738 }
4739
4740 if (VAR_P (exp) || TREE_CODE (exp) == CONST_DECL)
4741 {
4742 exp = ctor_for_folding (exp);
4743 if (!exp)
4744 return false;
4745 }
4746
4747 const char *prep = NULL;
4748 if (TREE_CODE (exp) == STRING_CST)
4749 {
4750 unsigned nchars = TREE_STRING_LENGTH (exp);
4751 if (nchars < offset)
4752 return false;
4753
4754 if (!nbytes)
4755 /* If NBYTES hasn't been determined earlier, either from ADDR_EXPR
4756 (i.e., it's the size of a pointer), or from MEM_REF (as the size
4757 of the access), set it here to the size of the string, including
4758 all internal and trailing nuls if the string has any. */
4759 nbytes = nchars - offset;
4760 else if (nchars - offset < nbytes)
4761 return false;
4762
4763 prep = TREE_STRING_POINTER (exp) + offset;
4764 }
4765
4766 unsigned char buf[256];
4767 if (!prep)
4768 {
4769 if (CHAR_BIT != 8 || BITS_PER_UNIT != 8)
4770 return false;
4771 /* If the pointer to representation hasn't been set above
4772 for STRING_CST point it at the buffer. */
4773 prep = reinterpret_cast <char *>(buf);
4774 /* Try to extract the representation of the constant object
4775 or expression starting from the offset. */
4776 unsigned repsize = native_encode_expr (exp, buf, sizeof buf, offset);
4777 if (repsize < nbytes)
4778 {
4779 /* This should only happen when REPSIZE is zero because EXP
4780 doesn't denote an object with a known initializer, except
4781 perhaps when the reference reads past its end. */
4782 lenrange[0] = 0;
4783 prep = NULL;
4784 }
4785 else if (!nbytes)
4786 nbytes = repsize;
4787 else if (nbytes < repsize)
4788 return false;
4789 }
4790
4791 if (!nbytes)
4792 return false;
4793
4794 /* Compute the number of leading nonzero bytes in the representation
4795 and update the minimum and maximum. */
4796 unsigned n = prep ? strnlen (prep, nbytes) : nbytes;
4797
4798 if (n < lenrange[0])
4799 lenrange[0] = n;
4800 if (lenrange[1] < n)
4801 lenrange[1] = n;
4802
4803 /* Set the size of the representation. */
4804 if (lenrange[2] < nbytes)
4805 lenrange[2] = nbytes;
4806
4807 /* Clear NULTERM if none of the bytes is zero. */
4808 if (n == nbytes)
4809 *nulterm = false;
4810
4811 if (n)
4812 {
4813 /* When the initial number of non-zero bytes N is non-zero, reset
4814 *ALLNUL; if N is less than that the size of the representation
4815 also clear *ALLNONNUL. */
4816 *allnul = false;
4817 if (n < nbytes)
4818 *allnonnul = false;
4819 }
4820 else if (*allnul || *allnonnul)
4821 {
4822 *allnonnul = false;
4823
4824 if (*allnul)
4825 {
4826 /* When either ALLNUL is set and N is zero, also determine
4827 whether all subsequent bytes after the first one (which
4828 is nul) are zero or nonzero and clear ALLNUL if not. */
4829 for (const char *p = prep; p != prep + nbytes; ++p)
4830 if (*p)
4831 {
4832 *allnul = false;
4833 break;
4834 }
4835 }
4836 }
4837
4838 return true;
4839 }
4840
4841 /* Like count_nonzero_bytes, but instead of counting bytes in EXP, count
4842 bytes that are pointed to by EXP, which should be a pointer. */
4843
4844 static bool
4845 count_nonzero_bytes_addr (tree exp, unsigned HOST_WIDE_INT offset,
4846 unsigned HOST_WIDE_INT nbytes,
4847 unsigned lenrange[3], bool *nulterm,
4848 bool *allnul, bool *allnonnul,
4849 range_query *rvals, ssa_name_limit_t &snlim)
4850 {
4851 int idx = get_stridx (exp);
4852 if (idx > 0)
4853 {
4854 strinfo *si = get_strinfo (idx);
4855 if (!si)
4856 return false;
4857
4858 /* Handle both constant lengths as well non-constant lengths
4859 in some range. */
4860 unsigned HOST_WIDE_INT minlen, maxlen;
4861 if (tree_fits_shwi_p (si->nonzero_chars))
4862 minlen = maxlen = tree_to_shwi (si->nonzero_chars);
4863 else if (si->nonzero_chars
4864 && TREE_CODE (si->nonzero_chars) == SSA_NAME)
4865 {
4866 value_range vr;
4867 rvals->range_of_expr (vr, si->nonzero_chars, si->stmt);
4868 if (vr.kind () != VR_RANGE)
4869 return false;
4870
4871 minlen = tree_to_uhwi (vr.min ());
4872 maxlen = tree_to_uhwi (vr.max ());
4873 }
4874 else
4875 return false;
4876
4877 if (maxlen < offset)
4878 return false;
4879
4880 minlen = minlen < offset ? 0 : minlen - offset;
4881 maxlen -= offset;
4882 if (maxlen + 1 < nbytes)
4883 return false;
4884
4885 if (nbytes <= minlen)
4886 *nulterm = false;
4887
4888 if (nbytes < minlen)
4889 {
4890 minlen = nbytes;
4891 if (nbytes < maxlen)
4892 maxlen = nbytes;
4893 }
4894
4895 if (minlen < lenrange[0])
4896 lenrange[0] = minlen;
4897 if (lenrange[1] < maxlen)
4898 lenrange[1] = maxlen;
4899
4900 if (lenrange[2] < nbytes)
4901 lenrange[2] = nbytes;
4902
4903 /* Since only the length of the string are known and not its contents,
4904 clear ALLNUL and ALLNONNUL purely on the basis of the length. */
4905 *allnul = false;
4906 if (minlen < nbytes)
4907 *allnonnul = false;
4908
4909 return true;
4910 }
4911
4912 if (TREE_CODE (exp) == ADDR_EXPR)
4913 return count_nonzero_bytes (TREE_OPERAND (exp, 0), offset, nbytes,
4914 lenrange, nulterm, allnul, allnonnul, rvals,
4915 snlim);
4916
4917 if (TREE_CODE (exp) == SSA_NAME)
4918 {
4919 gimple *stmt = SSA_NAME_DEF_STMT (exp);
4920 if (gimple_code (stmt) == GIMPLE_PHI)
4921 {
4922 /* Avoid processing an SSA_NAME that has already been visited
4923 or if an SSA_NAME limit has been reached. Indicate success
4924 if the former and failure if the latter. */
4925 if (int res = snlim.next_ssa_name (exp))
4926 return res > 0;
4927
4928 /* Determine the minimum and maximum from the PHI arguments. */
4929 unsigned int n = gimple_phi_num_args (stmt);
4930 for (unsigned i = 0; i != n; i++)
4931 {
4932 tree def = gimple_phi_arg_def (stmt, i);
4933 if (!count_nonzero_bytes_addr (def, offset, nbytes, lenrange,
4934 nulterm, allnul, allnonnul, rvals,
4935 snlim))
4936 return false;
4937 }
4938
4939 return true;
4940 }
4941 }
4942
4943 /* Otherwise we don't know anything. */
4944 lenrange[0] = 0;
4945 if (lenrange[1] < nbytes)
4946 lenrange[1] = nbytes;
4947 if (lenrange[2] < nbytes)
4948 lenrange[2] = nbytes;
4949 *nulterm = false;
4950 *allnul = false;
4951 *allnonnul = false;
4952 return true;
4953 }
4954
4955 /* Same as above except with an implicit SSA_NAME limit. RVALS is used
4956 to determine ranges of dynamically computed string lengths (the results
4957 of strlen). */
4958
4959 static bool
4960 count_nonzero_bytes (tree exp, unsigned lenrange[3], bool *nulterm,
4961 bool *allnul, bool *allnonnul, range_query *rvals)
4962 {
4963 /* Set to optimistic values so the caller doesn't have to worry about
4964 initializing these and to what. On success, the function will clear
4965 these if it determines their values are different but being recursive
4966 it never sets either to true. On failure, their values are
4967 unspecified. */
4968 *nulterm = true;
4969 *allnul = true;
4970 *allnonnul = true;
4971
4972 ssa_name_limit_t snlim;
4973 return count_nonzero_bytes (exp, 0, 0, lenrange, nulterm, allnul, allnonnul,
4974 rvals, snlim);
4975 }
4976
4977 /* Handle a single or multibyte store other than by a built-in function,
4978 either via a single character assignment or by multi-byte assignment
4979 either via MEM_REF or via a type other than char (such as in
4980 '*(int*)a = 12345'). Return true to let the caller advance *GSI to
4981 the next statement in the basic block and false otherwise. */
4982
4983 static bool
4984 handle_store (gimple_stmt_iterator *gsi, bool *zero_write,
4985 range_query *rvals)
4986 {
4987 int idx = -1;
4988 strinfo *si = NULL;
4989 gimple *stmt = gsi_stmt (*gsi);
4990 tree ssaname = NULL_TREE, lhs = gimple_assign_lhs (stmt);
4991 tree rhs = gimple_assign_rhs1 (stmt);
4992
4993 /* The offset of the first byte in LHS modified by the store. */
4994 unsigned HOST_WIDE_INT offset = 0;
4995
4996 if (TREE_CODE (lhs) == MEM_REF
4997 && TREE_CODE (TREE_OPERAND (lhs, 0)) == SSA_NAME)
4998 {
4999 tree mem_offset = TREE_OPERAND (lhs, 1);
5000 if (tree_fits_uhwi_p (mem_offset))
5001 {
5002 /* Get the strinfo for the base, and use it if it starts with at
5003 least OFFSET nonzero characters. This is trivially true if
5004 OFFSET is zero. */
5005 offset = tree_to_uhwi (mem_offset);
5006 idx = get_stridx (TREE_OPERAND (lhs, 0));
5007 if (idx > 0)
5008 si = get_strinfo (idx);
5009 if (offset == 0)
5010 ssaname = TREE_OPERAND (lhs, 0);
5011 else if (si == NULL || compare_nonzero_chars (si, offset, rvals) < 0)
5012 {
5013 *zero_write = initializer_zerop (rhs);
5014
5015 bool dummy;
5016 unsigned lenrange[] = { UINT_MAX, 0, 0 };
5017 if (count_nonzero_bytes (rhs, lenrange, &dummy, &dummy, &dummy,
5018 rvals))
5019 maybe_warn_overflow (stmt, lenrange[2], rvals);
5020
5021 return true;
5022 }
5023 }
5024 }
5025 else
5026 {
5027 idx = get_addr_stridx (lhs, NULL_TREE, &offset, rvals);
5028 if (idx > 0)
5029 si = get_strinfo (idx);
5030 }
5031
5032 /* Minimum and maximum leading non-zero bytes and the size of the store. */
5033 unsigned lenrange[] = { UINT_MAX, 0, 0 };
5034
5035 /* Set to the minimum length of the string being assigned if known. */
5036 unsigned HOST_WIDE_INT rhs_minlen;
5037
5038 /* STORING_NONZERO_P is true iff not all stored characters are zero.
5039 STORING_ALL_NONZERO_P is true if all stored characters are zero.
5040 STORING_ALL_ZEROS_P is true iff all stored characters are zero.
5041 Both are false when it's impossible to determine which is true. */
5042 bool storing_nonzero_p;
5043 bool storing_all_nonzero_p;
5044 bool storing_all_zeros_p;
5045 /* FULL_STRING_P is set when the stored sequence of characters form
5046 a nul-terminated string. */
5047 bool full_string_p;
5048
5049 const bool ranges_valid
5050 = count_nonzero_bytes (rhs, lenrange, &full_string_p,
5051 &storing_all_zeros_p, &storing_all_nonzero_p,
5052 rvals);
5053 if (ranges_valid)
5054 {
5055 rhs_minlen = lenrange[0];
5056 storing_nonzero_p = lenrange[1] > 0;
5057 *zero_write = storing_all_zeros_p;
5058
5059 maybe_warn_overflow (stmt, lenrange[2], rvals);
5060 }
5061 else
5062 {
5063 rhs_minlen = HOST_WIDE_INT_M1U;
5064 full_string_p = false;
5065 storing_nonzero_p = false;
5066 storing_all_zeros_p = false;
5067 storing_all_nonzero_p = false;
5068 }
5069
5070 if (si != NULL)
5071 {
5072 /* The corresponding element is set to 1 if the first and last
5073 element, respectively, of the sequence of characters being
5074 written over the string described by SI ends before
5075 the terminating nul (if it has one), to zero if the nul is
5076 being overwritten but not beyond, or negative otherwise. */
5077 int store_before_nul[2];
5078 if (ranges_valid)
5079 {
5080 /* The offset of the last stored byte. */
5081 unsigned HOST_WIDE_INT endoff = offset + lenrange[2] - 1;
5082 store_before_nul[0] = compare_nonzero_chars (si, offset, rvals);
5083 if (endoff == offset)
5084 store_before_nul[1] = store_before_nul[0];
5085 else
5086 store_before_nul[1] = compare_nonzero_chars (si, endoff, rvals);
5087 }
5088 else
5089 {
5090 store_before_nul[0] = compare_nonzero_chars (si, offset, rvals);
5091 store_before_nul[1] = store_before_nul[0];
5092 gcc_assert (offset == 0 || store_before_nul[0] >= 0);
5093 }
5094
5095 if (storing_all_zeros_p
5096 && store_before_nul[0] == 0
5097 && store_before_nul[1] == 0
5098 && si->full_string_p)
5099 {
5100 /* When overwriting a '\0' with a '\0', the store can be removed
5101 if we know it has been stored in the current function. */
5102 if (!stmt_could_throw_p (cfun, stmt) && si->writable)
5103 {
5104 unlink_stmt_vdef (stmt);
5105 release_defs (stmt);
5106 gsi_remove (gsi, true);
5107 return false;
5108 }
5109 else
5110 {
5111 si->writable = true;
5112 gsi_next (gsi);
5113 return false;
5114 }
5115 }
5116
5117 if (store_before_nul[1] > 0
5118 && storing_nonzero_p
5119 && lenrange[0] == lenrange[1]
5120 && lenrange[0] == lenrange[2]
5121 && TREE_CODE (TREE_TYPE (rhs)) == INTEGER_TYPE)
5122 {
5123 /* Handle a store of one or more non-nul characters that ends
5124 before the terminating nul of the destination and so does
5125 not affect its length
5126 If si->nonzero_chars > OFFSET, we aren't overwriting '\0',
5127 and if we aren't storing '\0', we know that the length of
5128 the string and any other zero terminated string in memory
5129 remains the same. In that case we move to the next gimple
5130 statement and return to signal the caller that it shouldn't
5131 invalidate anything.
5132
5133 This is beneficial for cases like:
5134
5135 char p[20];
5136 void foo (char *q)
5137 {
5138 strcpy (p, "foobar");
5139 size_t len = strlen (p); // can be folded to 6
5140 size_t len2 = strlen (q); // has to be computed
5141 p[0] = 'X';
5142 size_t len3 = strlen (p); // can be folded to 6
5143 size_t len4 = strlen (q); // can be folded to len2
5144 bar (len, len2, len3, len4);
5145 } */
5146 gsi_next (gsi);
5147 return false;
5148 }
5149
5150 if (storing_all_zeros_p
5151 || storing_nonzero_p
5152 || (offset != 0 && store_before_nul[1] > 0))
5153 {
5154 /* When STORING_NONZERO_P, we know that the string will start
5155 with at least OFFSET + 1 nonzero characters. If storing
5156 a single character, set si->NONZERO_CHARS to the result.
5157 If storing multiple characters, try to determine the number
5158 of leading non-zero characters and set si->NONZERO_CHARS to
5159 the result instead.
5160
5161 When STORING_ALL_ZEROS_P, we know that the string is now
5162 OFFSET characters long.
5163
5164 Otherwise, we're storing an unknown value at offset OFFSET,
5165 so need to clip the nonzero_chars to OFFSET.
5166 Use the minimum length of the string (or individual character)
5167 being stored if it's known. Otherwise, STORING_NONZERO_P
5168 guarantees it's at least 1. */
5169 HOST_WIDE_INT len
5170 = storing_nonzero_p && ranges_valid ? lenrange[0] : 1;
5171 location_t loc = gimple_location (stmt);
5172 tree oldlen = si->nonzero_chars;
5173 if (store_before_nul[1] == 0 && si->full_string_p)
5174 /* We're overwriting the nul terminator with a nonzero or
5175 unknown character. If the previous stmt was a memcpy,
5176 its length may be decreased. */
5177 adjust_last_stmt (si, stmt, false);
5178 si = unshare_strinfo (si);
5179 if (storing_nonzero_p)
5180 {
5181 gcc_assert (len >= 0);
5182 si->nonzero_chars = build_int_cst (size_type_node, offset + len);
5183 }
5184 else
5185 si->nonzero_chars = build_int_cst (size_type_node, offset);
5186
5187 /* Set FULL_STRING_P only if the length of the strings being
5188 written is the same, and clear it if the strings have
5189 different lengths. In the latter case the length stored
5190 in si->NONZERO_CHARS becomes the lower bound.
5191 FIXME: Handle the upper bound of the length if possible. */
5192 si->full_string_p = full_string_p && lenrange[0] == lenrange[1];
5193
5194 if (storing_all_zeros_p
5195 && ssaname
5196 && !SSA_NAME_OCCURS_IN_ABNORMAL_PHI (ssaname))
5197 si->endptr = ssaname;
5198 else
5199 si->endptr = NULL;
5200 si->next = 0;
5201 si->stmt = NULL;
5202 si->writable = true;
5203 si->dont_invalidate = true;
5204 if (oldlen)
5205 {
5206 tree adj = fold_build2_loc (loc, MINUS_EXPR, size_type_node,
5207 si->nonzero_chars, oldlen);
5208 adjust_related_strinfos (loc, si, adj);
5209 }
5210 else
5211 si->prev = 0;
5212 }
5213 }
5214 else if (idx == 0 && (storing_all_zeros_p || storing_nonzero_p))
5215 {
5216 if (ssaname)
5217 idx = new_stridx (ssaname);
5218 else
5219 idx = new_addr_stridx (lhs);
5220 if (idx != 0)
5221 {
5222 tree ptr = (ssaname ? ssaname : build_fold_addr_expr (lhs));
5223
5224 HOST_WIDE_INT slen;
5225 if (storing_all_zeros_p)
5226 slen = 0;
5227 else if (storing_nonzero_p && ranges_valid)
5228 {
5229 /* FIXME: Handle the upper bound of the length when
5230 LENRANGE[0] != LENRANGE[1]. */
5231 slen = lenrange[0];
5232 if (lenrange[0] != lenrange[1])
5233 /* Set the minimum length but ignore the maximum
5234 for now. */
5235 full_string_p = false;
5236 }
5237 else
5238 slen = -1;
5239
5240 tree len = (slen <= 0
5241 ? size_zero_node
5242 : build_int_cst (size_type_node, slen));
5243 si = new_strinfo (ptr, idx, len, slen >= 0 && full_string_p);
5244 set_strinfo (idx, si);
5245 if (storing_all_zeros_p
5246 && ssaname
5247 && !SSA_NAME_OCCURS_IN_ABNORMAL_PHI (ssaname))
5248 si->endptr = ssaname;
5249 si->dont_invalidate = true;
5250 si->writable = true;
5251 }
5252 }
5253 else if (idx == 0
5254 && rhs_minlen < HOST_WIDE_INT_M1U
5255 && ssaname == NULL_TREE
5256 && TREE_CODE (TREE_TYPE (lhs)) == ARRAY_TYPE)
5257 {
5258 HOST_WIDE_INT a = int_size_in_bytes (TREE_TYPE (lhs));
5259 if (a > 0 && (unsigned HOST_WIDE_INT) a > rhs_minlen)
5260 {
5261 int idx = new_addr_stridx (lhs);
5262 if (idx != 0)
5263 {
5264 si = new_strinfo (build_fold_addr_expr (lhs), idx,
5265 build_int_cst (size_type_node, rhs_minlen),
5266 full_string_p);
5267 set_strinfo (idx, si);
5268 si->dont_invalidate = true;
5269 }
5270 }
5271 }
5272
5273 if (si != NULL && offset == 0 && storing_all_zeros_p && lenrange[2] == 1)
5274 {
5275 /* For single-byte stores only, allow adjust_last_stmt to remove
5276 the statement if the stored '\0' is immediately overwritten. */
5277 laststmt.stmt = stmt;
5278 laststmt.len = build_int_cst (size_type_node, 1);
5279 laststmt.stridx = si->idx;
5280 }
5281 return true;
5282 }
5283
5284 /* Try to fold strstr (s, t) eq/ne s to strncmp (s, t, strlen (t)) eq/ne 0. */
5285
5286 static void
5287 fold_strstr_to_strncmp (tree rhs1, tree rhs2, gimple *stmt)
5288 {
5289 if (TREE_CODE (rhs1) != SSA_NAME
5290 || TREE_CODE (rhs2) != SSA_NAME)
5291 return;
5292
5293 gimple *call_stmt = NULL;
5294 for (int pass = 0; pass < 2; pass++)
5295 {
5296 gimple *g = SSA_NAME_DEF_STMT (rhs1);
5297 if (gimple_call_builtin_p (g, BUILT_IN_STRSTR)
5298 && has_single_use (rhs1)
5299 && gimple_call_arg (g, 0) == rhs2)
5300 {
5301 call_stmt = g;
5302 break;
5303 }
5304 std::swap (rhs1, rhs2);
5305 }
5306
5307 if (call_stmt)
5308 {
5309 tree arg0 = gimple_call_arg (call_stmt, 0);
5310
5311 if (arg0 == rhs2)
5312 {
5313 tree arg1 = gimple_call_arg (call_stmt, 1);
5314 tree arg1_len = NULL_TREE;
5315 int idx = get_stridx (arg1);
5316
5317 if (idx)
5318 {
5319 if (idx < 0)
5320 arg1_len = build_int_cst (size_type_node, ~idx);
5321 else
5322 {
5323 strinfo *si = get_strinfo (idx);
5324 if (si)
5325 arg1_len = get_string_length (si);
5326 }
5327 }
5328
5329 if (arg1_len != NULL_TREE)
5330 {
5331 gimple_stmt_iterator gsi = gsi_for_stmt (call_stmt);
5332 tree strncmp_decl = builtin_decl_explicit (BUILT_IN_STRNCMP);
5333
5334 if (!is_gimple_val (arg1_len))
5335 {
5336 tree arg1_len_tmp = make_ssa_name (TREE_TYPE (arg1_len));
5337 gassign *arg1_stmt = gimple_build_assign (arg1_len_tmp,
5338 arg1_len);
5339 gsi_insert_before (&gsi, arg1_stmt, GSI_SAME_STMT);
5340 arg1_len = arg1_len_tmp;
5341 }
5342
5343 gcall *strncmp_call = gimple_build_call (strncmp_decl, 3,
5344 arg0, arg1, arg1_len);
5345 tree strncmp_lhs = make_ssa_name (integer_type_node);
5346 gimple_set_vuse (strncmp_call, gimple_vuse (call_stmt));
5347 gimple_call_set_lhs (strncmp_call, strncmp_lhs);
5348 gsi_remove (&gsi, true);
5349 gsi_insert_before (&gsi, strncmp_call, GSI_SAME_STMT);
5350 tree zero = build_zero_cst (TREE_TYPE (strncmp_lhs));
5351
5352 if (is_gimple_assign (stmt))
5353 {
5354 if (gimple_assign_rhs_code (stmt) == COND_EXPR)
5355 {
5356 tree cond = gimple_assign_rhs1 (stmt);
5357 TREE_OPERAND (cond, 0) = strncmp_lhs;
5358 TREE_OPERAND (cond, 1) = zero;
5359 }
5360 else
5361 {
5362 gimple_assign_set_rhs1 (stmt, strncmp_lhs);
5363 gimple_assign_set_rhs2 (stmt, zero);
5364 }
5365 }
5366 else
5367 {
5368 gcond *cond = as_a<gcond *> (stmt);
5369 gimple_cond_set_lhs (cond, strncmp_lhs);
5370 gimple_cond_set_rhs (cond, zero);
5371 }
5372 update_stmt (stmt);
5373 }
5374 }
5375 }
5376 }
5377
5378 /* Return true if TYPE corresponds to a narrow character type. */
5379
5380 static bool
5381 is_char_type (tree type)
5382 {
5383 return (TREE_CODE (type) == INTEGER_TYPE
5384 && TYPE_MODE (type) == TYPE_MODE (char_type_node)
5385 && TYPE_PRECISION (type) == TYPE_PRECISION (char_type_node));
5386 }
5387
5388 /* Check the built-in call at GSI for validity and optimize it.
5389 Uses RVALS to determine range information.
5390 Return true to let the caller advance *GSI to the next statement
5391 in the basic block and false otherwise. */
5392
5393 static bool
5394 strlen_check_and_optimize_call (gimple_stmt_iterator *gsi, bool *zero_write,
5395 range_query *rvals)
5396 {
5397 gimple *stmt = gsi_stmt (*gsi);
5398
5399 if (!gimple_call_builtin_p (stmt, BUILT_IN_NORMAL))
5400 {
5401 tree fntype = gimple_call_fntype (stmt);
5402 if (fntype && lookup_attribute ("alloc_size", TYPE_ATTRIBUTES (fntype)))
5403 handle_alloc_call (BUILT_IN_NONE, gsi);
5404 }
5405
5406 /* When not optimizing we must be checking printf calls which
5407 we do even for user-defined functions when they are declared
5408 with attribute format. */
5409 if (!flag_optimize_strlen
5410 || !strlen_optimize
5411 || !valid_builtin_call (stmt))
5412 return !handle_printf_call (gsi, rvals);
5413
5414 tree callee = gimple_call_fndecl (stmt);
5415 switch (DECL_FUNCTION_CODE (callee))
5416 {
5417 case BUILT_IN_STRLEN:
5418 case BUILT_IN_STRNLEN:
5419 handle_builtin_strlen (gsi);
5420 break;
5421 case BUILT_IN_STRCHR:
5422 handle_builtin_strchr (gsi);
5423 break;
5424 case BUILT_IN_STRCPY:
5425 case BUILT_IN_STRCPY_CHK:
5426 case BUILT_IN_STPCPY:
5427 case BUILT_IN_STPCPY_CHK:
5428 handle_builtin_strcpy (DECL_FUNCTION_CODE (callee), gsi, rvals);
5429 break;
5430
5431 case BUILT_IN_STRNCAT:
5432 case BUILT_IN_STRNCAT_CHK:
5433 handle_builtin_strncat (DECL_FUNCTION_CODE (callee), gsi);
5434 break;
5435
5436 case BUILT_IN_STPNCPY:
5437 case BUILT_IN_STPNCPY_CHK:
5438 case BUILT_IN_STRNCPY:
5439 case BUILT_IN_STRNCPY_CHK:
5440 handle_builtin_stxncpy_strncat (false, gsi);
5441 break;
5442
5443 case BUILT_IN_MEMCPY:
5444 case BUILT_IN_MEMCPY_CHK:
5445 case BUILT_IN_MEMPCPY:
5446 case BUILT_IN_MEMPCPY_CHK:
5447 handle_builtin_memcpy (DECL_FUNCTION_CODE (callee), gsi, rvals);
5448 break;
5449 case BUILT_IN_STRCAT:
5450 case BUILT_IN_STRCAT_CHK:
5451 handle_builtin_strcat (DECL_FUNCTION_CODE (callee), gsi);
5452 break;
5453 case BUILT_IN_ALLOCA:
5454 case BUILT_IN_ALLOCA_WITH_ALIGN:
5455 case BUILT_IN_MALLOC:
5456 case BUILT_IN_CALLOC:
5457 handle_alloc_call (DECL_FUNCTION_CODE (callee), gsi);
5458 break;
5459 case BUILT_IN_MEMSET:
5460 if (handle_builtin_memset (gsi, zero_write, rvals))
5461 return false;
5462 break;
5463 case BUILT_IN_MEMCMP:
5464 if (handle_builtin_memcmp (gsi))
5465 return false;
5466 break;
5467 case BUILT_IN_STRCMP:
5468 case BUILT_IN_STRNCMP:
5469 if (handle_builtin_string_cmp (gsi, rvals))
5470 return false;
5471 break;
5472 default:
5473 if (handle_printf_call (gsi, rvals))
5474 return false;
5475 break;
5476 }
5477
5478 return true;
5479 }
5480
5481 /* Handle an assignment statement at *GSI to a LHS of integral type.
5482 If GSI's basic block needs clean-up of EH, set *CLEANUP_EH to true. */
5483
5484 static void
5485 handle_integral_assign (gimple_stmt_iterator *gsi, bool *cleanup_eh,
5486 range_query *rvals)
5487 {
5488 gimple *stmt = gsi_stmt (*gsi);
5489 tree lhs = gimple_assign_lhs (stmt);
5490 tree lhs_type = TREE_TYPE (lhs);
5491
5492 enum tree_code code = gimple_assign_rhs_code (stmt);
5493 if (code == COND_EXPR)
5494 {
5495 tree cond = gimple_assign_rhs1 (stmt);
5496 enum tree_code cond_code = TREE_CODE (cond);
5497
5498 if (cond_code == EQ_EXPR || cond_code == NE_EXPR)
5499 fold_strstr_to_strncmp (TREE_OPERAND (cond, 0),
5500 TREE_OPERAND (cond, 1), stmt);
5501 }
5502 else if (code == EQ_EXPR || code == NE_EXPR)
5503 fold_strstr_to_strncmp (gimple_assign_rhs1 (stmt),
5504 gimple_assign_rhs2 (stmt), stmt);
5505 else if (gimple_assign_load_p (stmt)
5506 && TREE_CODE (lhs_type) == INTEGER_TYPE
5507 && TYPE_MODE (lhs_type) == TYPE_MODE (char_type_node)
5508 && (TYPE_PRECISION (lhs_type)
5509 == TYPE_PRECISION (char_type_node))
5510 && !gimple_has_volatile_ops (stmt))
5511 {
5512 tree off = integer_zero_node;
5513 unsigned HOST_WIDE_INT coff = 0;
5514 int idx = 0;
5515 tree rhs1 = gimple_assign_rhs1 (stmt);
5516 if (code == MEM_REF)
5517 {
5518 idx = get_stridx (TREE_OPERAND (rhs1, 0));
5519 if (idx > 0)
5520 {
5521 strinfo *si = get_strinfo (idx);
5522 if (si
5523 && si->nonzero_chars
5524 && TREE_CODE (si->nonzero_chars) == INTEGER_CST
5525 && (wi::to_widest (si->nonzero_chars)
5526 >= wi::to_widest (off)))
5527 off = TREE_OPERAND (rhs1, 1);
5528 else
5529 /* This case is not useful. See if get_addr_stridx
5530 returns something usable. */
5531 idx = 0;
5532 }
5533 }
5534 if (idx <= 0)
5535 idx = get_addr_stridx (rhs1, NULL_TREE, &coff);
5536 if (idx > 0)
5537 {
5538 strinfo *si = get_strinfo (idx);
5539 if (si
5540 && si->nonzero_chars
5541 && TREE_CODE (si->nonzero_chars) == INTEGER_CST)
5542 {
5543 widest_int w1 = wi::to_widest (si->nonzero_chars);
5544 widest_int w2 = wi::to_widest (off) + coff;
5545 if (w1 == w2
5546 && si->full_string_p)
5547 {
5548 if (dump_file && (dump_flags & TDF_DETAILS) != 0)
5549 {
5550 fprintf (dump_file, "Optimizing: ");
5551 print_gimple_stmt (dump_file, stmt, 0, TDF_SLIM);
5552 }
5553
5554 /* Reading the final '\0' character. */
5555 tree zero = build_int_cst (lhs_type, 0);
5556 gimple_set_vuse (stmt, NULL_TREE);
5557 gimple_assign_set_rhs_from_tree (gsi, zero);
5558 *cleanup_eh
5559 |= maybe_clean_or_replace_eh_stmt (stmt,
5560 gsi_stmt (*gsi));
5561 stmt = gsi_stmt (*gsi);
5562 update_stmt (stmt);
5563
5564 if (dump_file && (dump_flags & TDF_DETAILS) != 0)
5565 {
5566 fprintf (dump_file, "into: ");
5567 print_gimple_stmt (dump_file, stmt, 0, TDF_SLIM);
5568 }
5569 }
5570 else if (w1 > w2)
5571 {
5572 /* Reading a character before the final '\0'
5573 character. Just set the value range to ~[0, 0]
5574 if we don't have anything better. */
5575 wide_int min, max;
5576 signop sign = TYPE_SIGN (lhs_type);
5577 int prec = TYPE_PRECISION (lhs_type);
5578 // FIXME: Use range_query instead of global ranges.
5579 value_range_kind vr = get_range_info (lhs, &min, &max);
5580 if (vr == VR_VARYING
5581 || (vr == VR_RANGE
5582 && min == wi::min_value (prec, sign)
5583 && max == wi::max_value (prec, sign)))
5584 set_range_info (lhs, VR_ANTI_RANGE,
5585 wi::zero (prec), wi::zero (prec));
5586 }
5587 }
5588 }
5589 }
5590 else if (code == MEM_REF && TREE_CODE (lhs) == SSA_NAME)
5591 {
5592 if (int idx = new_stridx (lhs))
5593 {
5594 /* Record multi-byte assignments from MEM_REFs. */
5595 bool storing_all_nonzero_p;
5596 bool storing_all_zeros_p;
5597 bool full_string_p;
5598 unsigned lenrange[] = { UINT_MAX, 0, 0 };
5599 tree rhs = gimple_assign_rhs1 (stmt);
5600 const bool ranges_valid
5601 = count_nonzero_bytes (rhs, lenrange, &full_string_p,
5602 &storing_all_zeros_p, &storing_all_nonzero_p,
5603 rvals);
5604 if (ranges_valid)
5605 {
5606 tree length = build_int_cst (sizetype, lenrange[0]);
5607 strinfo *si = new_strinfo (lhs, idx, length, full_string_p);
5608 set_strinfo (idx, si);
5609 si->writable = true;
5610 si->dont_invalidate = true;
5611 }
5612 }
5613 }
5614
5615 if (strlen_to_stridx)
5616 {
5617 tree rhs1 = gimple_assign_rhs1 (stmt);
5618 if (stridx_strlenloc *ps = strlen_to_stridx->get (rhs1))
5619 strlen_to_stridx->put (lhs, stridx_strlenloc (*ps));
5620 }
5621 }
5622
5623 /* Attempt to check for validity of the performed access a single statement
5624 at *GSI using string length knowledge, and to optimize it.
5625 If the given basic block needs clean-up of EH, CLEANUP_EH is set to
5626 true. Return true to let the caller advance *GSI to the next statement
5627 in the basic block and false otherwise. */
5628
5629 static bool
5630 check_and_optimize_stmt (gimple_stmt_iterator *gsi, bool *cleanup_eh,
5631 range_query *rvals)
5632 {
5633 gimple *stmt = gsi_stmt (*gsi);
5634
5635 /* For statements that modify a string, set to true if the write
5636 is only zeros. */
5637 bool zero_write = false;
5638
5639 if (is_gimple_call (stmt))
5640 {
5641 if (!strlen_check_and_optimize_call (gsi, &zero_write, rvals))
5642 return false;
5643 }
5644 else if (!flag_optimize_strlen || !strlen_optimize)
5645 return true;
5646 else if (is_gimple_assign (stmt) && !gimple_clobber_p (stmt))
5647 {
5648 /* Handle non-clobbering assignment. */
5649 tree lhs = gimple_assign_lhs (stmt);
5650 tree lhs_type = TREE_TYPE (lhs);
5651
5652 if (TREE_CODE (lhs) == SSA_NAME && POINTER_TYPE_P (lhs_type))
5653 {
5654 if (gimple_assign_single_p (stmt)
5655 || (gimple_assign_cast_p (stmt)
5656 && POINTER_TYPE_P (TREE_TYPE (gimple_assign_rhs1 (stmt)))))
5657 {
5658 int idx = get_stridx (gimple_assign_rhs1 (stmt));
5659 ssa_ver_to_stridx[SSA_NAME_VERSION (lhs)] = idx;
5660 }
5661 else if (gimple_assign_rhs_code (stmt) == POINTER_PLUS_EXPR)
5662 handle_pointer_plus (gsi);
5663 }
5664 else if (TREE_CODE (lhs) == SSA_NAME && INTEGRAL_TYPE_P (lhs_type))
5665 /* Handle assignment to a character. */
5666 handle_integral_assign (gsi, cleanup_eh, rvals);
5667 else if (TREE_CODE (lhs) != SSA_NAME && !TREE_SIDE_EFFECTS (lhs))
5668 {
5669 tree type = TREE_TYPE (lhs);
5670 if (TREE_CODE (type) == ARRAY_TYPE)
5671 type = TREE_TYPE (type);
5672
5673 bool is_char_store = is_char_type (type);
5674 if (!is_char_store && TREE_CODE (lhs) == MEM_REF)
5675 {
5676 /* To consider stores into char objects via integer types
5677 other than char but not those to non-character objects,
5678 determine the type of the destination rather than just
5679 the type of the access. */
5680 for (int i = 0; i != 2; ++i)
5681 {
5682 tree ref = TREE_OPERAND (lhs, i);
5683 type = TREE_TYPE (ref);
5684 if (TREE_CODE (type) == POINTER_TYPE)
5685 type = TREE_TYPE (type);
5686 if (TREE_CODE (type) == ARRAY_TYPE)
5687 type = TREE_TYPE (type);
5688 if (is_char_type (type))
5689 {
5690 is_char_store = true;
5691 break;
5692 }
5693 }
5694 }
5695
5696 /* Handle a single or multibyte assignment. */
5697 if (is_char_store && !handle_store (gsi, &zero_write, rvals))
5698 return false;
5699 }
5700 }
5701 else if (gcond *cond = dyn_cast<gcond *> (stmt))
5702 {
5703 enum tree_code code = gimple_cond_code (cond);
5704 if (code == EQ_EXPR || code == NE_EXPR)
5705 fold_strstr_to_strncmp (gimple_cond_lhs (stmt),
5706 gimple_cond_rhs (stmt), stmt);
5707 }
5708
5709 if (gimple_vdef (stmt))
5710 maybe_invalidate (stmt, zero_write);
5711 return true;
5712 }
5713
5714 /* Recursively call maybe_invalidate on stmts that might be executed
5715 in between dombb and current bb and that contain a vdef. Stop when
5716 *count stmts are inspected, or if the whole strinfo vector has
5717 been invalidated. */
5718
5719 static void
5720 do_invalidate (basic_block dombb, gimple *phi, bitmap visited, int *count)
5721 {
5722 unsigned int i, n = gimple_phi_num_args (phi);
5723
5724 for (i = 0; i < n; i++)
5725 {
5726 tree vuse = gimple_phi_arg_def (phi, i);
5727 gimple *stmt = SSA_NAME_DEF_STMT (vuse);
5728 basic_block bb = gimple_bb (stmt);
5729 if (bb == NULL
5730 || bb == dombb
5731 || !bitmap_set_bit (visited, bb->index)
5732 || !dominated_by_p (CDI_DOMINATORS, bb, dombb))
5733 continue;
5734 while (1)
5735 {
5736 if (gimple_code (stmt) == GIMPLE_PHI)
5737 {
5738 do_invalidate (dombb, stmt, visited, count);
5739 if (*count == 0)
5740 return;
5741 break;
5742 }
5743 if (--*count == 0)
5744 return;
5745 if (!maybe_invalidate (stmt))
5746 {
5747 *count = 0;
5748 return;
5749 }
5750 vuse = gimple_vuse (stmt);
5751 stmt = SSA_NAME_DEF_STMT (vuse);
5752 if (gimple_bb (stmt) != bb)
5753 {
5754 bb = gimple_bb (stmt);
5755 if (bb == NULL
5756 || bb == dombb
5757 || !bitmap_set_bit (visited, bb->index)
5758 || !dominated_by_p (CDI_DOMINATORS, bb, dombb))
5759 break;
5760 }
5761 }
5762 }
5763 }
5764
5765 class strlen_dom_walker : public dom_walker
5766 {
5767 public:
5768 strlen_dom_walker (cdi_direction direction)
5769 : dom_walker (direction),
5770 evrp (false),
5771 m_cleanup_cfg (false)
5772 {}
5773
5774 virtual edge before_dom_children (basic_block);
5775 virtual void after_dom_children (basic_block);
5776
5777 /* EVRP analyzer used for printf argument range processing, and
5778 to track strlen results across integer variable assignments. */
5779 evrp_range_analyzer evrp;
5780
5781 /* Flag that will trigger TODO_cleanup_cfg to be returned in strlen
5782 execute function. */
5783 bool m_cleanup_cfg;
5784 };
5785
5786 /* Callback for walk_dominator_tree. Attempt to optimize various
5787 string ops by remembering string lengths pointed by pointer SSA_NAMEs. */
5788
5789 edge
5790 strlen_dom_walker::before_dom_children (basic_block bb)
5791 {
5792 evrp.enter (bb);
5793
5794 basic_block dombb = get_immediate_dominator (CDI_DOMINATORS, bb);
5795
5796 if (dombb == NULL)
5797 stridx_to_strinfo = NULL;
5798 else
5799 {
5800 stridx_to_strinfo = ((vec<strinfo *, va_heap, vl_embed> *) dombb->aux);
5801 if (stridx_to_strinfo)
5802 {
5803 for (gphi_iterator gsi = gsi_start_phis (bb); !gsi_end_p (gsi);
5804 gsi_next (&gsi))
5805 {
5806 gphi *phi = gsi.phi ();
5807 if (virtual_operand_p (gimple_phi_result (phi)))
5808 {
5809 bitmap visited = BITMAP_ALLOC (NULL);
5810 int count_vdef = 100;
5811 do_invalidate (dombb, phi, visited, &count_vdef);
5812 BITMAP_FREE (visited);
5813 if (count_vdef == 0)
5814 {
5815 /* If there were too many vdefs in between immediate
5816 dominator and current bb, invalidate everything.
5817 If stridx_to_strinfo has been unshared, we need
5818 to free it, otherwise just set it to NULL. */
5819 if (!strinfo_shared ())
5820 {
5821 unsigned int i;
5822 strinfo *si;
5823
5824 for (i = 1;
5825 vec_safe_iterate (stridx_to_strinfo, i, &si);
5826 ++i)
5827 {
5828 free_strinfo (si);
5829 (*stridx_to_strinfo)[i] = NULL;
5830 }
5831 }
5832 else
5833 stridx_to_strinfo = NULL;
5834 }
5835 break;
5836 }
5837 }
5838 }
5839 }
5840
5841 /* If all PHI arguments have the same string index, the PHI result
5842 has it as well. */
5843 for (gphi_iterator gsi = gsi_start_phis (bb); !gsi_end_p (gsi);
5844 gsi_next (&gsi))
5845 {
5846 gphi *phi = gsi.phi ();
5847 tree result = gimple_phi_result (phi);
5848 if (!virtual_operand_p (result) && POINTER_TYPE_P (TREE_TYPE (result)))
5849 {
5850 int idx = get_stridx (gimple_phi_arg_def (phi, 0));
5851 if (idx != 0)
5852 {
5853 unsigned int i, n = gimple_phi_num_args (phi);
5854 for (i = 1; i < n; i++)
5855 if (idx != get_stridx (gimple_phi_arg_def (phi, i)))
5856 break;
5857 if (i == n)
5858 ssa_ver_to_stridx[SSA_NAME_VERSION (result)] = idx;
5859 }
5860 }
5861 }
5862
5863 bool cleanup_eh = false;
5864
5865 /* Attempt to optimize individual statements. */
5866 for (gimple_stmt_iterator gsi = gsi_start_bb (bb); !gsi_end_p (gsi); )
5867 {
5868 gimple *stmt = gsi_stmt (gsi);
5869
5870 /* First record ranges generated by this statement so they
5871 can be used by printf argument processing. */
5872 evrp.record_ranges_from_stmt (stmt, false);
5873
5874 if (check_and_optimize_stmt (&gsi, &cleanup_eh, &evrp))
5875 gsi_next (&gsi);
5876 }
5877
5878 if (cleanup_eh && gimple_purge_dead_eh_edges (bb))
5879 m_cleanup_cfg = true;
5880
5881 bb->aux = stridx_to_strinfo;
5882 if (vec_safe_length (stridx_to_strinfo) && !strinfo_shared ())
5883 (*stridx_to_strinfo)[0] = (strinfo *) bb;
5884 return NULL;
5885 }
5886
5887 /* Callback for walk_dominator_tree. Free strinfo vector if it is
5888 owned by the current bb, clear bb->aux. */
5889
5890 void
5891 strlen_dom_walker::after_dom_children (basic_block bb)
5892 {
5893 evrp.leave (bb);
5894
5895 if (bb->aux)
5896 {
5897 stridx_to_strinfo = ((vec<strinfo *, va_heap, vl_embed> *) bb->aux);
5898 if (vec_safe_length (stridx_to_strinfo)
5899 && (*stridx_to_strinfo)[0] == (strinfo *) bb)
5900 {
5901 unsigned int i;
5902 strinfo *si;
5903
5904 for (i = 1; vec_safe_iterate (stridx_to_strinfo, i, &si); ++i)
5905 free_strinfo (si);
5906 vec_free (stridx_to_strinfo);
5907 }
5908 bb->aux = NULL;
5909 }
5910 }
5911
5912 namespace {
5913
5914 static unsigned int
5915 printf_strlen_execute (function *fun, bool warn_only)
5916 {
5917 strlen_optimize = !warn_only;
5918
5919 calculate_dominance_info (CDI_DOMINATORS);
5920
5921 bool use_scev = optimize > 0 && flag_printf_return_value;
5922 if (use_scev)
5923 {
5924 loop_optimizer_init (LOOPS_NORMAL);
5925 scev_initialize ();
5926 }
5927
5928 gcc_assert (!strlen_to_stridx);
5929 if (warn_stringop_overflow || warn_stringop_truncation)
5930 strlen_to_stridx = new hash_map<tree, stridx_strlenloc> ();
5931
5932 /* This has to happen after initializing the loop optimizer
5933 and initializing SCEV as they create new SSA_NAMEs. */
5934 ssa_ver_to_stridx.safe_grow_cleared (num_ssa_names, true);
5935 max_stridx = 1;
5936
5937 /* String length optimization is implemented as a walk of the dominator
5938 tree and a forward walk of statements within each block. */
5939 strlen_dom_walker walker (CDI_DOMINATORS);
5940 walker.walk (ENTRY_BLOCK_PTR_FOR_FN (fun));
5941
5942 ssa_ver_to_stridx.release ();
5943 strinfo_pool.release ();
5944 if (decl_to_stridxlist_htab)
5945 {
5946 obstack_free (&stridx_obstack, NULL);
5947 delete decl_to_stridxlist_htab;
5948 decl_to_stridxlist_htab = NULL;
5949 }
5950 laststmt.stmt = NULL;
5951 laststmt.len = NULL_TREE;
5952 laststmt.stridx = 0;
5953
5954 if (strlen_to_stridx)
5955 {
5956 strlen_to_stridx->empty ();
5957 delete strlen_to_stridx;
5958 strlen_to_stridx = NULL;
5959 }
5960
5961 if (use_scev)
5962 {
5963 scev_finalize ();
5964 loop_optimizer_finalize ();
5965 }
5966
5967 /* Clean up object size info. */
5968 fini_object_sizes ();
5969
5970 return walker.m_cleanup_cfg ? TODO_cleanup_cfg : 0;
5971 }
5972
5973 /* This file defines two passes: one for warnings that runs only when
5974 optimization is disabled, and another that implements optimizations
5975 and also issues warnings. */
5976
5977 const pass_data pass_data_warn_printf =
5978 {
5979 GIMPLE_PASS, /* type */
5980 "warn-printf", /* name */
5981 OPTGROUP_NONE, /* optinfo_flags */
5982 TV_NONE, /* tv_id */
5983 /* Normally an optimization pass would require PROP_ssa but because
5984 this pass runs early, with no optimization, to do sprintf format
5985 checking, it only requires PROP_cfg. */
5986 PROP_cfg, /* properties_required */
5987 0, /* properties_provided */
5988 0, /* properties_destroyed */
5989 0, /* todo_flags_start */
5990 0, /* todo_flags_finish */
5991 };
5992
5993 class pass_warn_printf : public gimple_opt_pass
5994 {
5995 public:
5996 pass_warn_printf (gcc::context *ctxt)
5997 : gimple_opt_pass (pass_data_warn_printf, ctxt)
5998 {}
5999
6000 virtual bool gate (function *);
6001 virtual unsigned int execute (function *fun)
6002 {
6003 return printf_strlen_execute (fun, true);
6004 }
6005 };
6006
6007
6008 /* Return true to run the warning pass only when not optimizing and
6009 iff either -Wformat-overflow or -Wformat-truncation is specified. */
6010
6011 bool
6012 pass_warn_printf::gate (function *)
6013 {
6014 return !optimize && (warn_format_overflow > 0 || warn_format_trunc > 0);
6015 }
6016
6017 const pass_data pass_data_strlen =
6018 {
6019 GIMPLE_PASS, /* type */
6020 "strlen", /* name */
6021 OPTGROUP_NONE, /* optinfo_flags */
6022 TV_TREE_STRLEN, /* tv_id */
6023 PROP_cfg | PROP_ssa, /* properties_required */
6024 0, /* properties_provided */
6025 0, /* properties_destroyed */
6026 0, /* todo_flags_start */
6027 0, /* todo_flags_finish */
6028 };
6029
6030 class pass_strlen : public gimple_opt_pass
6031 {
6032 public:
6033 pass_strlen (gcc::context *ctxt)
6034 : gimple_opt_pass (pass_data_strlen, ctxt)
6035 {}
6036
6037 opt_pass * clone () { return new pass_strlen (m_ctxt); }
6038
6039 virtual bool gate (function *);
6040 virtual unsigned int execute (function *fun)
6041 {
6042 return printf_strlen_execute (fun, false);
6043 }
6044 };
6045
6046 /* Return true to run the pass only when the sprintf and/or strlen
6047 optimizations are enabled and -Wformat-overflow or -Wformat-truncation
6048 are specified. */
6049
6050 bool
6051 pass_strlen::gate (function *)
6052 {
6053 return ((warn_format_overflow > 0
6054 || warn_format_trunc > 0
6055 || warn_restrict > 0
6056 || flag_optimize_strlen > 0
6057 || flag_printf_return_value)
6058 && optimize > 0);
6059 }
6060
6061 } // anon namespace
6062
6063 gimple_opt_pass *
6064 make_pass_warn_printf (gcc::context *ctxt)
6065 {
6066 return new pass_warn_printf (ctxt);
6067 }
6068
6069 gimple_opt_pass *
6070 make_pass_strlen (gcc::context *ctxt)
6071 {
6072 return new pass_strlen (ctxt);
6073 }
Mirror of the offical gcc git repository hosted at gcc.gnu.org