| blob | 8b734295f09d310e43edf1a6347d8e37ce97ed82 |
1 /* Pass to detect and issue warnings for invalid accesses, including
2 invalid or mismatched allocation/deallocation calls.
4 Copyright (C) 2020-2023 Free Software Foundation, Inc.
5 Contributed by Martin Sebor <msebor@redhat.com>.
7 This file is part of GCC.
9 GCC is free software; you can redistribute it and/or modify it under
10 the terms of the GNU General Public License as published by the Free
11 Software Foundation; either version 3, or (at your option) any later
12 version.
14 GCC is distributed in the hope that it will be useful, but WITHOUT ANY
15 WARRANTY; without even the implied warranty of MERCHANTABILITY or
16 FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
17 for more details.
19 You should have received a copy of the GNU General Public License
20 along with GCC; see the file COPYING3. If not see
21 <http://www.gnu.org/licenses/>. */
23 #define INCLUDE_STRING
59 /* Return true if tree node X has an associated location. */
63 {
71 }
73 /* Return the associated location of STMT. */
77 {
79 }
81 /* Return the associated location of tree node X. */
85 {
93 }
95 /* Overload of the nascent tree function for GIMPLE STMT. */
99 {
101 }
105 {
107 }
111 {
113 }
118 {
120 }
124 {
126 }
128 /* For a call EXPR at LOC to a function FNAME that expects a string
129 in the argument ARG, issue a diagnostic due to it being a called
130 with an argument that is a character array with no terminating
131 NUL. SIZE is the EXACT size of the array, and BNDRNG the number
132 of characters in which the NUL is expected. Either EXPR or FNAME
133 may be null but noth both. SIZE may be null when BNDRNG is null. */
136 static void
140 {
149 /* Format the bound range as a string to keep the number of messages
150 from exploding. */
154 {
157 else
161 }
163 auto_diagnostic_group d;
168 {
171 {
174 "%qD specified bound %s exceeds "
177 else
178 {
181 exact
184 : (maybe
186 "exceed the size of at most %E "
189 "the size of at most %E "
192 }
193 }
194 else
197 func);
198 }
199 else
200 {
202 {
205 "%qs specified bound %s exceeds "
208 else
209 {
212 exact
215 : (maybe
217 "exceed the size of at most %E "
220 "the size of at most %E "
223 }
224 }
225 else
228 fname);
229 }
232 {
238 }
239 }
241 void
246 {
249 }
251 void
256 {
259 }
261 /* If EXP refers to an unterminated constant character array return
262 the declaration of the object of which the array is a member or
263 element and if SIZE is not null, set *SIZE to the size of
264 the unterminated array and set *EXACT if the size is exact or
265 clear it otherwise. Otherwise return null. */
267 tree
269 {
270 /* C_STRLEN will return NULL and set DECL in the info
271 structure if EXP references a unterminated array. */
272 c_strlen_data lendata = { };
282 {
283 /* Constant offsets are already accounted for in LENDATA.MINLEN,
284 but not in a SSA_NAME + CST expression. */
289 {
290 /* Subtract the offset from the size of the array. */
295 }
296 else
298 }
299 else
304 }
306 /* For a call EXPR (which may be null) that expects a string argument
307 SRC as an argument, returns false if SRC is a character array with
308 no terminating NUL. When nonnull, BOUND is the number of characters
309 in which to expect the terminating NUL. When EXPR is nonnull also
310 issues a warning. */
313 static bool
315 {
316 /* The constant size of the array SRC points to. The actual size
317 may be less of EXACT is true, but not more. */
318 tree size;
319 /* True if SRC involves a non-constant offset into the array. */
321 /* The unterminated constant array SRC points to. */
326 /* NONSTR refers to the non-nul terminated constant array and SIZE
327 is the constant size of the array in bytes. EXACT is true when
328 SIZE is exact. */
332 {
344 {
347 }
350 }
357 }
359 bool
361 {
363 }
365 bool
367 {
369 }
371 /* Warn about passing a non-string array/pointer to a built-in function
372 that expects a nul-terminated string argument. Returns true if
373 a warning has been issued.*/
376 static bool
378 {
386 /* Avoid clearly invalid calls (more checking done below). */
391 /* The bound argument to a bounded string function like strncpy. */
394 /* The longest known or possible string argument to one of the comparison
395 functions. If the length is less than the bound it is used instead.
396 Since the length is only used for warning and not for code generation
397 disable strict mode in the calls to get_range_strlen below. */
400 /* It's safe to call "bounded" string functions with a non-string
401 argument since the functions provide an explicit bound for this
402 purpose. The exception is strncat where the bound may refer to
403 either the destination or the source. */
406 {
410 {
411 /* For these, if one argument refers to one or more of a set
412 of string constants or arrays of known size, determine
413 the range of their known or possible lengths and use it
414 conservatively as the bound for the unbounded function,
415 and to adjust the range of the bound of the bounded ones. */
419 {
422 {
423 c_strlen_data lendata = { };
424 /* Set MAXBOUND to an arbitrary non-null non-integer
425 node as a request to have it set to the length of
426 the longest string in a PHI. */
430 }
431 }
432 }
433 /* Fall through. */
449 {
452 {
453 c_strlen_data lendata = { };
454 /* Set MAXBOUND to an arbitrary non-null non-integer
455 node as a request to have it set to the length of
456 the longest string in a PHI. */
460 }
464 }
468 }
470 /* Determine the range of the bound argument (if specified). */
473 {
476 }
481 {
482 /* Diagnose excessive bound prior to the adjustment below and
483 regardless of attribute nonstring. */
486 {
490 "%qD specified bound %E "
493 else
495 "%qD specified bound [%E, %E] "
498 maxobjsize);
503 }
504 }
507 {
508 /* Add one for the nul. */
510 size_one_node);
513 {
514 /* Conservatively use the upper bound of the lengths for
515 both the lower and the upper bound of the operation. */
519 }
521 {
522 /* Replace the bound on the operation with the upper bound
523 of the length of the string if the latter is smaller. */
528 }
529 }
532 /* Iterate over the built-in function's formal arguments and check
533 each const char* against the actual argument. If the actual
534 argument is declared attribute non-string issue a warning unless
535 the argument's maximum length is bounded. */
536 function_args_iterator it;
540 {
541 /* Avoid iterating past the declared argument in a call
542 to function declared without a prototype. */
567 /* See if the destination is declared with attribute "nonstring". */
572 /* The maximum number of array elements accessed. */
576 {
577 /* See if the bound in strncat is derived from the length
578 of the strlen of the destination (as it's expected to be).
579 If so, reset BOUND and FNCODE to trigger a warning. */
582 {
583 /* The bound applies to the destination, not to the source,
584 so reset these to trigger a warning without mentioning
585 the bound. */
588 }
590 /* Use the upper bound of the range for strncat. */
592 }
594 /* Use the lower bound of the range for functions other than
595 strncat. */
598 /* Determine the size of the argument array if it is one. */
603 /* Determine the array size. For arrays of unknown bound and
604 pointers reset BOUND to trigger the appropriate warning. */
606 {
608 {
610 {
613 }
614 }
617 }
621 /* In a call to strncat with a bound in a range whose lower but
622 not upper bound is less than the array size, reset ASIZE to
623 be the same as the bound and the other variable to trigger
624 the appropriate warning below. */
628 && (!known_size
630 {
634 }
638 auto_diagnostic_group d;
640 {
643 "%qD argument %i declared attribute "
644 "%<nonstring%> is smaller than the specified "
649 "%qD argument %i declared attribute "
650 "%<nonstring%> is smaller than "
653 else
655 "%qD argument %i declared attribute "
656 "%<nonstring%> may be smaller than "
659 }
662 is equal to the size of the non-string argument. */
669 {
673 }
674 }
680 }
682 bool
684 {
686 }
689 bool
691 {
693 }
695 /* Issue a warning OPT for a bounded call EXP with a bound in RANGE
696 accessing an object with SIZE. */
699 static bool
702 {
711 {
714 {
715 /* Issue a "maybe" warning only if the PHI refers to objects
716 at least one of which has more space remaining than the bound.
717 Otherwise, if the bound is greater, use the definitive form. */
721 }
723 auto_diagnostic_group d;
725 {
727 warned = (func
729 (maybe
736 (maybe
742 else
743 warned = (func
745 (maybe
750 func,
753 (maybe
759 }
763 warned = (func
765 (maybe
772 (maybe
778 else
779 warned = (func
781 (maybe
788 (maybe
795 {
801 }
804 }
808 {
809 /* Issue a "maybe" warning only if the PHI refers to objects
810 at least one of which has more space remaining than the bound.
811 Otherwise, if the bound is greater, use the definitive form. */
815 }
817 {
819 warned = (func
821 (maybe
828 (maybe
834 else
835 warned = (func
837 (maybe
844 (maybe
850 }
854 warned = (func
856 (maybe
863 (maybe
869 else
870 warned = (func
872 (maybe
879 (maybe
887 {
893 }
896 }
898 bool
902 {
904 pad);
905 }
907 bool
911 {
913 }
915 /* For an expression EXP issue an access warning controlled by option OPT
916 with access to a region SIZE bytes in size in the RANGE of sizes.
917 WRITE is true for a write access, READ for a read access, neither for
918 call that may or may not perform an access but for which the range
919 is expected to valid.
920 Returns true when a warning has been issued. */
923 static bool
926 {
930 {
932 warned = (func
934 (maybe
939 (maybe
946 (maybe
951 (maybe
958 {
959 /* Avoid printing the upper bound if it's invalid. */
960 warned = (func
962 (maybe
969 (maybe
975 }
976 else
977 warned = (func
979 (maybe
986 (maybe
993 }
996 {
998 warned = (func
1000 (maybe
1005 (maybe
1012 (maybe
1017 (maybe
1024 {
1025 /* Avoid printing the upper bound if it's invalid. */
1026 warned = (func
1028 (maybe
1032 "into a region of size %E overflows "
1036 (maybe
1040 "a region of size %E overflows "
1043 }
1044 else
1045 warned = (func
1047 (maybe
1051 "into a region of size %E overflows "
1055 (maybe
1059 "into a region of size %E overflows "
1063 }
1066 {
1068 warned = (func
1071 (maybe
1076 (maybe
1084 (maybe
1089 (maybe
1096 {
1097 /* Avoid printing the upper bound if it's invalid. */
1098 warned = (func
1100 (maybe
1107 (maybe
1113 }
1114 else
1115 warned = (func
1117 (maybe
1124 (maybe
1135 }
1139 warned = (func
1151 {
1152 /* Avoid printing the upper bound if it's invalid. */
1153 warned = (func
1155 "%qD expecting %E or more bytes in a region "
1159 "expecting %E or more bytes in a region "
1162 }
1163 else
1164 warned = (func
1166 "%qD expecting between %E and %E bytes in "
1170 "expecting between %E and %E bytes in "
1178 }
1180 static bool
1183 {
1186 }
1188 static bool
1191 {
1194 }
1196 /* Helper to set RANGE to the range of BOUND if it's nonnull, bounded
1197 by BNDRNG if nonnull and valid. */
1199 static void
1202 {
1210 {
1211 offset_int r[] =
1217 }
1218 else
1219 {
1222 }
1223 }
1225 /* Try to verify that the sizes and lengths of the arguments to a string
1226 manipulation function given by EXP are within valid bounds and that
1227 the operation does not lead to buffer overflow or read past the end.
1228 Arguments other than EXP may be null. When non-null, the arguments
1229 have the following meaning:
1230 DST is the destination of a copy call or NULL otherwise.
1231 SRC is the source of a copy call or NULL otherwise.
1232 DSTWRITE is the number of bytes written into the destination obtained
1233 from the user-supplied size argument to the function (such as in
1234 memcpy(DST, SRCs, DSTWRITE) or strncpy(DST, DRC, DSTWRITE).
1235 MAXREAD is the user-supplied bound on the length of the source sequence
1236 (such as in strncat(d, s, N). It specifies the upper limit on the number
1237 of bytes to write. If NULL, it's taken to be the same as DSTWRITE.
1238 SRCSTR is the source string (such as in strcpy(DST, SRC)) when the
1239 expression EXP is a string function call (as opposed to a memory call
1240 like memcpy). As an exception, SRCSTR can also be an integer denoting
1241 the precomputed size of the source string or object (for functions like
1242 memcpy).
1243 DSTSIZE is the size of the destination object.
1245 When DSTWRITE is null LEN is checked to verify that it doesn't exceed
1246 SIZE_MAX.
1248 WRITE is true for write accesses, READ is true for reads. Both are
1249 false for simple size checks in calls to functions that neither read
1250 from nor write to the region.
1252 When nonnull, PAD points to a more detailed description of the access.
1254 If the call is successfully verified as safe return true, otherwise
1255 return false. */
1258 static bool
1263 {
1264 /* The size of the largest object is half the address space, or
1265 PTRDIFF_MAX. (This is way too permissive.) */
1268 /* Either an approximate/minimum the length of the source string for
1269 string functions or the size of the source object for raw memory
1270 functions. */
1273 /* The range of the access in bytes; first set to the write access
1274 for functions that write and then read for those that also (or
1275 just) read. */
1278 /* Set to true when the exact number of bytes written by a string
1279 function like strcpy is not known and the only thing that is
1280 known is that it must be at least one (for the terminating nul). */
1283 {
1284 /* SRCSTR is normally a pointer to string but as a special case
1285 it can be an integer denoting the length of a string. */
1287 {
1289 /* Return if the array is not nul-terminated and a warning
1290 has been issued. */
1293 /* Try to determine the range of lengths the source string
1294 refers to. If it can be determined and is less than
1295 the upper bound given by MAXREAD add one to it for
1296 the terminating nul. Otherwise, set it to one for
1297 the same reason, or to MAXREAD as appropriate. */
1298 c_strlen_data lendata = { };
1306 {
1309 else
1320 }
1321 else
1322 {
1325 }
1326 }
1327 else
1329 }
1332 {
1333 /* When the only available piece of data is the object size
1334 there is nothing to do. */
1338 /* Otherwise, when the length of the source sequence is known
1339 (as with strlen), set DSTWRITE to it. */
1342 }
1347 /* Set RANGE to that of DSTWRITE if non-null, bounded by PAD->DST_BNDRNG
1348 if valid. */
1351 /* If the destination has known zero size prefer a zero
1352 size range to avoid false positives if that's a
1353 possibility. */
1358 /* Read vs write access by built-ins can be determined from the const
1359 qualifiers on the pointer argument. In the absence of attribute
1360 access, non-const qualified pointer arguments to user-defined
1361 functions are assumed to both read and write the objects. */
1364 /* First check the number of bytes to be written against the maximum
1365 object size. */
1369 {
1374 }
1376 /* The number of bytes to write is "exact" if DSTWRITE is non-null,
1377 constant, and in range of unsigned HOST_WIDE_INT. */
1380 /* Next check the number of bytes to be written against the destination
1381 object size. */
1383 {
1388 || (dstwrite
1391 {
1398 auto_diagnostic_group d;
1402 {
1403 /* This is a call to strcpy with a destination of 0 size
1404 and a source of unknown length. The call will write
1405 at least one byte past the end of the destination. */
1406 warned = (func
1408 "%qD writing %E or more bytes into "
1409 "a region of size %E overflows "
1413 "writing %E or more bytes into "
1414 "a region of size %E overflows "
1417 }
1418 else
1419 {
1420 const bool read
1422 const bool write
1426 OPT_Wstringop_overflow_,
1429 }
1432 {
1436 }
1438 /* Return error when an overflow has been detected. */
1440 }
1441 }
1443 /* Check the maximum length of the source sequence against the size
1444 of the destination object if known, or against the maximum size
1445 of an object. */
1447 {
1448 /* Set RANGE to that of MAXREAD, bounded by PAD->SRC_BNDRNG if
1449 PAD is nonnull and BNDRNG is valid. */
1459 {
1461 {
1465 }
1468 {
1470 ? OPT_Wstringop_overflow_
1474 }
1475 }
1478 }
1480 /* Check for reading past the end of SRC. */
1483 && dstwrite
1487 /* If none is determined try to get a better answer based on the details
1488 in PAD. */
1490 && pad
1495 {
1496 /* Set RANGE to that of MAXREAD, bounded by PAD->SRC_BNDRNG if
1497 PAD is nonnull and BNDRNG is valid. */
1500 /* Set OVERREAD for reads starting just past the end of an object. */
1504 }
1507 {
1516 const bool read
1519 auto_diagnostic_group d;
1521 maybe))
1522 {
1526 }
1528 }
1531 }
1533 static bool
1538 {
1541 }
1543 bool
1547 {
1550 }
1552 /* Return true if STMT is a call to an allocation function. Unless
1553 ALL_ALLOC is set, consider only functions that return dynamically
1554 allocated objects. Otherwise return true even for all forms of
1555 alloca (including VLA). */
1557 static bool
1559 {
1563 /* A call to operator new isn't recognized as one to a built-in. */
1568 {
1570 {
1584 }
1585 }
1587 /* A function is considered an allocation function if it's declared
1588 with attribute malloc with an argument naming its associated
1589 deallocation function. */
1597 {
1604 }
1607 }
1609 /* Return true if STMT is a call to an allocation function. A wrapper
1610 around fndecl_alloc_p. */
1612 static bool
1614 {
1616 }
1618 /* Return true if DELC doesn't refer to an operator delete that's
1619 suitable to call with a pointer returned from the operator new
1620 described by NEWC. */
1622 static bool
1625 {
1630 {
1632 {
1640 {
1645 }
1647 }
1650 /* Operator mismatches are handled above. */
1679 {
1680 /* The demangler API provides no better way to compare built-in
1681 types except to by comparing their demangled names. */
1693 }
1716 }
1732 }
1734 /* Return true if DELETE_DECL is an operator delete that's not suitable
1735 to call with a pointer returned from NEW_DECL. */
1737 static bool
1739 {
1743 /* valid_new_delete_pair_p() returns a conservative result (currently
1744 it only handles global operators). A true result is reliable but
1745 a false result doesn't necessarily mean the operators don't match
1746 unless CERTAIN is set. */
1750 /* CERTAIN is set when the negative result is certain. */
1754 /* For anything not handled by valid_new_delete_pair_p() such as member
1755 operators compare the individual demangled components of the mangled
1756 name. */
1767 }
1769 /* ALLOC_DECL and DEALLOC_DECL are pair of allocation and deallocation
1770 functions. Return true if the latter is suitable to deallocate objects
1771 allocated by calls to the former. */
1773 static bool
1775 {
1776 /* Set to alloc_kind_t::builtin if ALLOC_DECL is associated with
1777 a built-in deallocator. */
1782 {
1784 /* Return true iff both functions are of the same array or
1785 singleton form and false otherwise. */
1788 /* Return false for deallocation functions that are known not
1789 to match. */
1792 /* Otherwise proceed below to check the deallocation function's
1793 "*dealloc" attributes to look for one that mentions this operator
1794 new. */
1795 }
1797 {
1799 {
1815 BUILT_IN_REALLOC))
1823 }
1824 }
1826 /* Set if DEALLOC_DECL both allocates and deallocates. */
1830 {
1838 {
1850 }
1851 }
1856 /* If DEALLOC_DECL has an internal "*dealloc" attribute scan the list
1857 of its associated allocation functions for ALLOC_DECL.
1858 If the corresponding ALLOC_DECL is found they're a matching pair,
1859 otherwise they're not.
1860 With DDATS set to the Deallocator's *Dealloc ATtributes... */
1864 {
1877 {
1881 {
1893 }
1902 }
1906 }
1912 /* Special handling for deallocators. Iterate over both the allocator's
1913 and the reallocator's associated deallocator functions looking for
1914 the first one in common. If one is found, the de/reallocator is
1915 a match for the allocator even though the latter isn't directly
1916 associated with the former. This simplifies declarations in system
1917 headers.
1918 With AMATS set to the Allocator's Malloc ATtributes,
1919 and RMATS set to Reallocator's Malloc ATtributes... */
1926 {
1929 {
1932 {
1935 {
1939 }
1941 }
1944 }
1948 {
1951 {
1954 {
1958 }
1960 }
1964 }
1965 }
1967 /* Succeed only if ALLOC_DECL and the reallocator DEALLOC_DECL share
1968 a built-in deallocator. */
1971 }
1973 /* Return true if DEALLOC_DECL is a function suitable to deallocate
1974 objects allocated by the ALLOC call. */
1976 static bool
1978 {
1984 }
1986 /* Diagnose a call EXP to deallocate a pointer referenced by AREF if it
1987 includes a nonzero offset. Such a pointer cannot refer to the beginning
1988 of an allocated object. A negative offset may refer to it only if
1989 the target pointer is unknown. */
1991 static bool
1993 {
2003 {
2004 /* A call to a user-defined operator delete with a pointer plus offset
2005 may be valid if it's returned from an unknown function (i.e., one
2006 that's not operator new). */
2008 {
2011 {
2015 }
2016 }
2017 }
2022 {
2027 else
2031 }
2033 auto_diagnostic_group d;
2042 {
2045 {
2054 else
2056 }
2057 }
2060 }
2065 GIMPLE_PASS,
2067 OPTGROUP_NONE,
2074 };
2076 /* Pass to detect invalid accesses. */
2078 {
2093 /* Not copyable or assignable. */
2097 /* Check a call to an atomic built-in function. */
2100 /* Check a call to a built-in function. */
2103 /* Check a call to an ordinary function for invalid accesses. */
2106 /* Check a non-call statement. */
2109 /* Check statements in a basic block. */
2112 /* Check a call to a function. */
2115 /* Check a call to the named built-in function. */
2131 /* Check for uses of indeterminate pointers. */
2134 /* Return the argument that a call returns. */
2137 /* Check a call for uses of a dangling pointer arguments. */
2140 /* Check uses of a dangling pointer or those derived from it. */
2148 /* Return true if use follows an invalidating statement. */
2151 /* A pointer_query object to store information about pointers and
2152 their targets in. */
2153 pointer_query m_ptr_qry;
2154 /* Mapping from DECLs and their clobber statements in the function. */
2156 /* A bit is set for each basic block whose statements have been assigned
2157 valid UIDs. */
2158 bitmap m_bb_uids_set;
2159 /* The current function. */
2161 /* True to run checks for uses of dangling pointers. */
2163 /* True to run checks early on in the optimization pipeline. */
2165 };
2167 /* Construct the pass. */
2177 {
2178 }
2180 /* Return a copy of the pass with RUN_NUMBER one greater than THIS. */
2182 opt_pass*
2184 {
2186 }
2188 /* Release pointer_query cache. */
2191 {
2193 }
2195 void
2197 {
2201 }
2203 /* Return true when any checks performed by the pass are enabled. */
2205 bool
2207 {
2209 || warn_mismatched_alloc
2211 }
2213 /* Initialize ALLOC_OBJECT_SIZE_LIMIT based on the -Walloc-size-larger-than=
2214 setting if the option is specified, or to the maximum object size if it
2215 is not. Return the initialized value. */
2217 static tree
2219 {
2225 }
2227 /* Diagnose a call EXP to function FN decorated with attribute alloc_size
2228 whose argument numbers given by IDX with values given by ARGS exceed
2229 the maximum object size or cause an unsigned overflow (wrapping) when
2230 multiplied. FN is null when EXP is a call via a function pointer.
2231 When ARGS[0] is null the function does nothing. ARGS[1] may be null
2232 for functions like malloc, and non-null for those like calloc that
2233 are decorated with a two-argument attribute alloc_size. */
2235 void
2238 {
2239 /* The range each of the (up to) two arguments is known to be in. */
2242 /* Maximum object size set by -Walloc-size-larger-than= or SIZE_MAX / 2. */
2251 /* Validate each argument individually. */
2253 {
2255 {
2260 {
2264 }
2266 {
2267 /* Avoid issuing -Walloc-zero for allocation functions other
2268 than __builtin_alloca that are declared with attribute
2269 returns_nonnull because there's no portability risk. This
2270 avoids warning for such calls to libiberty's xmalloc and
2271 friends.
2272 Also avoid issuing the warning for calls to function named
2273 "alloca". */
2281 }
2283 {
2284 /* G++ emits calls to ::operator new[](SIZE_MAX) in C++98
2285 mode and with -fno-exceptions as a way to indicate array
2286 size overflow. There's no good way to detect C++98 here
2287 so avoid diagnosing these calls for all C++ modes. */
2289 && fn
2297 "argument %i value %qE exceeds "
2300 }
2301 }
2304 {
2305 /* Verify that the argument's range is not negative (including
2306 upper bound of zero). */
2309 {
2314 }
2316 {
2318 "argument %i range [%E, %E] exceeds "
2322 maxobjsize);
2323 }
2324 }
2325 }
2330 /* For a two-argument alloc_size, validate the product of the two
2331 arguments if both of their values or ranges are known. */
2336 {
2337 /* Check for overflow in the product of a function decorated with
2338 attribute alloc_size (X, Y). */
2348 "product %<%E * %E%> of arguments %i and %i "
2354 "product %<%E * %E%> of arguments %i and %i "
2358 maxobjsize);
2361 {
2362 /* Print the full range of each of the two arguments to make
2363 it clear when it is, in fact, in a range and not constant. */
2370 }
2371 }
2374 {
2380 else
2383 }
2384 }
2386 /* Check a call to an alloca function for an excessive size. */
2388 void
2390 {
2398 {
2399 /* -Walloca-larger-than and -Wvla-larger-than settings of less
2400 than HWI_MAX override the more general -Walloc-size-larger-than
2401 so unless either of the former options is smaller than the last
2402 one (which would imply that the call was already checked), check
2403 the alloca arguments for overflow. */
2407 }
2408 }
2410 /* Check a call to an allocation function for an excessive size. */
2412 void
2414 {
2419 /* Avoid invalid calls to functions without a prototype. */
2424 {
2425 /* Alloca is handled separately. */
2427 {
2434 }
2435 }
2444 /* Extract attribute alloc_size from the type of the called expression
2445 (which could be a function or a function pointer) and if set, store
2446 the indices of the corresponding arguments in ALLOC_IDX, and then
2447 the actual argument(s) at those indices in ALLOC_ARGS. */
2454 /* Avoid invalid calls to functions without a prototype. */
2459 {
2464 }
2467 }
2469 /* Check a call STMT to strcat() for overflow and warn if it does. */
2471 void
2473 {
2483 /* There is no way here to determine the length of the string in
2484 the destination to which the SRC string is being appended so
2485 just diagnose cases when the source string is longer than
2486 the destination object. */
2495 }
2497 /* Check a call STMT to strcat() for overflow and warn if it does. */
2499 void
2501 {
2510 /* The upper bound on the number of bytes to write. */
2513 /* Detect unterminated source (only). */
2517 /* The length of the source sequence. */
2520 /* Try to determine the range of lengths that the source expression
2521 refers to. Since the lengths are only used for warning and not
2522 for code generation disable strict mode below. */
2525 {
2526 c_strlen_data lendata = { };
2529 }
2532 /* Try to verify that the destination is big enough for the shortest
2533 string. First try to determine the size of the destination object
2534 into which the source is being copied. */
2538 /* Add one for the terminating nul. */
2539 tree srclen = (maxlen
2541 size_one_node)
2544 /* The strncat function copies at most MAXREAD bytes and always appends
2545 the terminating nul so the specified upper bound should never be equal
2546 to (or greater than) the size of the destination. */
2549 {
2556 }
2566 }
2568 /* Check a call STMT to stpcpy() or strcpy() for overflow and warn
2569 if it does. */
2571 void
2573 {
2580 tree size;
2583 {
2584 /* NONSTR refers to the non-nul terminated constant array. */
2588 }
2591 {
2600 }
2602 /* Check to see if the argument was declared attribute nonstring
2603 and if so, issue a warning since at this point it's not known
2604 to be nul-terminated. */
2607 }
2609 /* Check a call STMT to stpncpy() or strncpy() for overflow and warn
2610 if it does. */
2612 void
2614 {
2620 /* The number of bytes to write (not the maximum). */
2631 }
2633 /* Check a call STMT to stpncpy() or strncpy() for overflow and warn
2634 if it does. */
2636 void
2638 {
2646 /* First check each argument separately, considering the bound. */
2651 /* A strncmp read from each argument is constrained not just by
2652 the bound but also by the length of the shorter string. Specifying
2653 a bound that's larger than the size of either array makes no sense
2654 and is likely a bug. When the length of neither of the two strings
2655 is known but the sizes of both of the arrays they are stored in is,
2656 issue a warning if the bound is larger than the size of
2657 the larger of the two arrays. */
2669 /* If the length of both arguments was computed they must both be
2670 nul-terminated and no further checking is necessary regardless
2671 of the bound. */
2674 /* Check to see if the argument was declared with attribute nonstring
2675 and if so, issue a warning since at this point it's not known to be
2676 nul-terminated. */
2685 /* Determine the range of the bound first and bail if it fails; it's
2686 cheaper than computing the size of the objects. */
2697 /* compute_objsize almost never fails (and ultimately should never
2698 fail). Don't bother to handle the rare case when it does. */
2703 /* Compute the size of the remaining space in each array after
2704 subtracting any offset into it. */
2708 /* Cap REM1 and REM2 at the other if the other's argument is known
2709 to be an unterminated array, either because there's no space
2710 left in it after adding its offset or because it's constant and
2711 has no nul. */
2717 /* Point PAD at the array to reference in the note if a warning
2718 is issued. */
2723 {
2724 /* Warn when either argument isn't nul-terminated or the maximum
2725 remaining space in the two arrays is less than the bound. */
2730 pad);
2731 }
2732 }
2734 /* Determine and check the sizes of the source and the destination
2735 of calls to __builtin_{bzero,memcpy,mempcpy,memset} calls. STMT is
2736 the call statement, DEST is the destination argument, SRC is the source
2737 argument or null, and SIZE is the number of bytes being accessed. Use
2738 Object Size type-0 regardless of the OPT_Wstringop_overflow_ setting.
2739 Return true on success (no overflow or invalid sizes), false otherwise. */
2741 void
2743 {
2747 /* For functions like memset and memcpy that operate on raw memory
2748 try to determine the size of the largest source and destination
2749 object using type-0 Object Size regardless of the object size
2750 type specified by the option. */
2752 tree srcsize
2758 }
2760 /* A convenience wrapper for check_access to check access by a read-only
2761 function like puts or strcmp. */
2763 void
2767 {
2783 }
2785 /* Return true if memory model ORD is constant in the context of STMT and
2786 set *CSTVAL to the constant value. Otherwise return false. Warn for
2787 invalid ORD. */
2789 bool
2791 {
2795 {
2799 }
2800 else
2801 {
2802 /* Use the range query to determine constant values in the absence
2803 of constant propagation (such as at -O0). */
2814 }
2817 /* This might warn for an invalid VAL but return a conservatively
2818 valid result. */
2821 {
2827 "unknown architecture specifier in memory model "
2830 }
2835 }
2837 /* Valid memory model for each set of atomic built-in functions. */
2839 struct memmodel_pair
2840 {
2841 memmodel modval;
2844 #define MEMMODEL_PAIR(val, str) \
2846 };
2848 /* Valid memory models in the order of increasing strength. */
2857 };
2859 /* Return the name of the memory model VAL. */
2863 {
2867 {
2870 }
2872 }
2874 /* Indices of valid MEMORY_MODELS above for corresponding atomic operations. */
2881 /* Check the success memory model argument ORD_SUCS to the call STMT to
2882 an atomic function and warn if it's invalid. If nonnull, also check
2883 the failure memory model ORD_FAIL and warn if it's invalid. Return
2884 true if a warning has been issued. */
2886 bool
2889 {
2898 {
2901 {
2904 }
2905 }
2906 else
2914 {
2916 auto_diagnostic_group d;
2921 else
2929 /* Print a note with the valid memory models. */
2930 pretty_printer pp;
2933 {
2936 }
2940 }
2947 {
2948 /* If both memory model arguments are valid but their combination
2949 is not, use their names in the warning. */
2950 auto_diagnostic_group d;
2961 }
2968 {
2969 /* If both memory model arguments are valid but their combination
2970 is not, use their names in the warning. */
2971 auto_diagnostic_group d;
2973 "failure memory model %qs cannot be stronger "
2978 /* Print a note with the valid failure memory models which are
2979 those with a value less than or equal to the success mode. */
2984 {
2990 }
2994 }
2996 /* If either memory model argument value is invalid use the numerical
2997 value of both in the message. */
2999 "failure memory model %wi cannot be stronger "
3002 }
3004 /* Wrapper for the above. */
3006 void
3009 {
3017 }
3019 /* Check a call STMT to an atomic or sync built-in. */
3021 bool
3023 {
3028 /* The size in bytes of the access by the function, and the number
3029 of the second argument to check (if any). */
3032 /* Points to the array of indices of valid memory models. */
3036 {
3037 #define BUILTIN_ACCESS_SIZE_FNSPEC(N) \
3038 BUILT_IN_SYNC_FETCH_AND_ADD_ ## N: \
3039 case BUILT_IN_SYNC_FETCH_AND_SUB_ ## N: \
3040 case BUILT_IN_SYNC_FETCH_AND_OR_ ## N: \
3041 case BUILT_IN_SYNC_FETCH_AND_AND_ ## N: \
3042 case BUILT_IN_SYNC_FETCH_AND_XOR_ ## N: \
3043 case BUILT_IN_SYNC_FETCH_AND_NAND_ ## N: \
3044 case BUILT_IN_SYNC_ADD_AND_FETCH_ ## N: \
3045 case BUILT_IN_SYNC_SUB_AND_FETCH_ ## N: \
3046 case BUILT_IN_SYNC_OR_AND_FETCH_ ## N: \
3047 case BUILT_IN_SYNC_AND_AND_FETCH_ ## N: \
3048 case BUILT_IN_SYNC_XOR_AND_FETCH_ ## N: \
3049 case BUILT_IN_SYNC_NAND_AND_FETCH_ ## N: \
3050 case BUILT_IN_SYNC_LOCK_TEST_AND_SET_ ## N: \
3051 case BUILT_IN_SYNC_BOOL_COMPARE_AND_SWAP_ ## N: \
3052 case BUILT_IN_SYNC_VAL_COMPARE_AND_SWAP_ ## N: \
3053 case BUILT_IN_SYNC_LOCK_RELEASE_ ## N: \
3054 bytes = N; \
3055 break; \
3056 case BUILT_IN_ATOMIC_LOAD_ ## N: \
3057 pvalid_models = load_models; \
3058 sucs_arg = 1; \
3060 case BUILT_IN_ATOMIC_STORE_ ## N: \
3061 if (!pvalid_models) \
3062 pvalid_models = store_models; \
3064 case BUILT_IN_ATOMIC_ADD_FETCH_ ## N: \
3065 case BUILT_IN_ATOMIC_SUB_FETCH_ ## N: \
3066 case BUILT_IN_ATOMIC_AND_FETCH_ ## N: \
3067 case BUILT_IN_ATOMIC_NAND_FETCH_ ## N: \
3068 case BUILT_IN_ATOMIC_XOR_FETCH_ ## N: \
3069 case BUILT_IN_ATOMIC_OR_FETCH_ ## N: \
3070 case BUILT_IN_ATOMIC_FETCH_ADD_ ## N: \
3071 case BUILT_IN_ATOMIC_FETCH_SUB_ ## N: \
3072 case BUILT_IN_ATOMIC_FETCH_AND_ ## N: \
3073 case BUILT_IN_ATOMIC_FETCH_NAND_ ## N: \
3074 case BUILT_IN_ATOMIC_FETCH_OR_ ## N: \
3075 case BUILT_IN_ATOMIC_FETCH_XOR_ ## N: \
3076 bytes = N; \
3077 if (sucs_arg == UINT_MAX) \
3078 sucs_arg = 2; \
3079 if (!pvalid_models) \
3080 pvalid_models = all_models; \
3081 break; \
3082 case BUILT_IN_ATOMIC_EXCHANGE_ ## N: \
3083 bytes = N; \
3084 sucs_arg = 3; \
3085 pvalid_models = xchg_models; \
3086 break; \
3087 case BUILT_IN_ATOMIC_COMPARE_EXCHANGE_ ## N: \
3088 bytes = N; \
3089 sucs_arg = 4; \
3090 fail_arg = 5; \
3091 pvalid_models = all_models; \
3092 arg2 = 1
3112 }
3116 {
3122 }
3132 {
3135 }
3138 }
3140 /* Check call STMT to a built-in function for invalid accesses. Return
3141 true if a call has been handled. */
3143 bool
3145 {
3151 {
3170 {
3174 }
3199 {
3204 }
3240 {
3247 }
3252 {
3258 }
3261 {
3266 }
3269 {
3274 }
3280 }
3283 }
3285 /* Returns the type of the argument ARGNO to function with type FNTYPE
3286 or null when the type cannot be determined or no such argument exists. */
3288 static tree
3290 {
3294 tree argtype;
3295 function_args_iterator it;
3301 }
3303 /* Helper to append the "human readable" attribute access specification
3304 described by ACCESS to the array ATTRSTR with size STRSIZE. Used in
3305 diagnostics. */
3310 {
3317 }
3319 /* Iterate over attribute access read-only, read-write, and write-only
3320 arguments and diagnose past-the-end accesses and related problems
3321 in the function call EXP. */
3323 void
3326 {
3331 auto_diagnostic_group adg;
3333 /* Set if a warning has been issued for any argument (used to decide
3334 whether to emit an informational note at the end). */
3337 /* A string describing the attributes that the warnings issued by this
3338 function apply to. Used to print one informational note per function
3339 call, rather than one per warning. That reduces clutter. */
3344 {
3347 /* Get the function call arguments corresponding to the attribute's
3348 positional arguments. When both arguments have been specified
3349 there will be two entries in *RWM, one for each. They are
3350 cross-referenced by their respective argument numbers in
3351 ACCESS.PTRARG and ACCESS.SIZARG. */
3358 /* The pointer is set to null for the entry corresponding to
3359 the size argument. Skip it. It's handled when the entry
3360 corresponding to the pointer argument comes up. */
3366 /* A function with a prototype was redeclared without one and
3367 the prototype has been lost. See pr102759. Avoid dealing
3368 with this pathological case. */
3373 /* The size of the access by the call in elements. */
3374 tree access_nelts;
3376 {
3377 /* If only the pointer attribute operand was specified and
3378 not size, set SIZE to the greater of MINSIZE or size of
3379 one element of the pointed to type to detect smaller
3380 objects (null pointers are diagnosed in this case only
3381 if the pointer is also declared with attribute nonnull. */
3386 /* Treat access mode none on a void* argument as expecting
3387 as little as zero bytes. */
3389 else
3391 }
3392 else
3395 /* Format the value or range to avoid an explosion of messages. */
3399 {
3402 {
3405 }
3406 else
3407 {
3413 }
3415 }
3416 else
3419 /* Set if a warning has been issued for the current argument. */
3426 {
3427 /* Warn about negative sizes. */
3429 {
3434 "bound argument %i value %s is "
3435 "negative for a variable length array "
3440 }
3447 {
3449 /* Remember a warning has been issued and avoid warning
3450 again below for the same attribute. */
3453 }
3454 }
3456 /* The size of the access by the call in bytes. */
3459 {
3461 {
3462 /* Multiply ACCESS_SIZE by the size of the type the pointer
3463 argument points to. If it's incomplete the size is used
3464 as is. */
3467 {
3472 }
3473 }
3474 else
3476 }
3479 {
3482 {
3483 /* Warn about null pointers with positive sizes. This is
3484 different from also declaring the pointer argument with
3485 attribute nonnull when the function accepts null pointers
3486 only when the corresponding size is zero. */
3488 "argument %i is null but "
3489 "the corresponding size argument "
3493 }
3495 {
3496 /* Warn about null pointers for [static N] array arguments
3497 but do not warn for ordinary (i.e., nonstatic) arrays. */
3499 "argument %i to %<%T[static %E]%> "
3503 }
3506 {
3508 /* Remember a warning has been issued and avoid warning
3509 again below for the same attribute. */
3512 }
3513 }
3521 /* The size of the destination or source object. */
3525 {
3526 /* For a read-only argument there is no destination. For
3527 no access, set the source as well and differentiate via
3528 the access flag below. */
3532 {
3533 /* For a read-only attribute there is no destination so
3534 clear OBJSIZE. This emits "reading N bytes" kind of
3535 diagnostics instead of the "writing N bytes" kind,
3536 unless MODE is none. */
3538 }
3539 }
3540 else
3543 /* Clear the no-warning bit in case it was set by check_access
3544 in a prior iteration so that accesses via different arguments
3545 are diagnosed. */
3556 {
3558 {
3564 }
3565 else
3566 /* If check_access issued a warning above, append the relevant
3567 attribute to the string. */
3569 }
3570 }
3573 {
3578 else
3582 }
3584 {
3588 else
3591 }
3593 /* Set the bit in case it was cleared and not set above. */
3596 }
3598 /* Check call STMT to an ordinary (non-built-in) function for invalid
3599 accesses. Return true if a call has been handled. */
3601 bool
3603 {
3612 /* Map of attribute access specifications for function arguments. */
3613 rdwr_map rdwr_idx;
3618 {
3621 /* Save the actual argument that corresponds to the access attribute
3622 operand for later processing. */
3624 {
3626 {
3628 /* A nonnull ACCESS->SIZE contains VLA bounds. */
3629 }
3630 else
3631 {
3634 }
3635 }
3636 }
3638 /* Check attribute access arguments. */
3644 }
3646 /* Check arguments in a call STMT for attribute nonstring. */
3648 static void
3650 {
3653 /* Detect passing non-string arguments to functions expecting
3654 nul-terminated strings. */
3656 }
3658 /* Issue a warning if a deallocation function such as free, realloc,
3659 or C++ operator delete is called with an argument not returned by
3660 a matching allocation function such as malloc or the corresponding
3661 form of C++ operator new. */
3663 void
3665 {
3678 access_ref aref;
3690 {
3691 /* Diagnose freeing a declared object. */
3693 {
3694 auto_diagnostic_group d;
3698 {
3701 }
3702 }
3704 /* Diagnose freeing a pointer that includes a positive offset.
3705 Such a pointer cannot refer to the beginning of an allocated
3706 object. A negative offset may refer to it. */
3710 }
3712 {
3713 auto_diagnostic_group d;
3715 "%qD called on a pointer to an unallocated "
3717 {
3719 {
3722 {
3725 }
3726 }
3728 }
3729 }
3731 {
3732 /* Also warn if the pointer argument refers to the result
3733 of an allocation call like alloca or VLA. */
3739 {
3742 {
3744 {
3747 }
3748 else
3749 {
3754 ? OPT_Wmismatched_new_delete
3757 "%qD called on pointer returned "
3758 "from a mismatched allocation "
3760 }
3761 }
3764 BUILT_IN_ALLOCA_WITH_ALIGN))
3766 "%qD called on pointer to "
3768 dealloc_decl);
3773 {
3778 }
3779 }
3781 {
3783 /* Diagnose freeing a pointer that includes a positive offset. */
3790 }
3791 }
3792 }
3794 /* Return true if either USE_STMT's basic block (that of a pointer's use)
3795 is dominated by INVAL_STMT's (that of a pointer's invalidating statement,
3796 which is either a clobber or a deallocation call), or if they're in
3797 the same block, USE_STMT follows INVAL_STMT. */
3799 bool
3802 {
3803 tree clobvar =
3813 {
3820 /* Proceed only when looking for uses of dangling pointers. */
3823 /* A use statement in the last basic block in a function or one that
3824 falls through to it is after any other prior clobber of the used
3825 variable unless it's followed by a clobber of the same variable. */
3831 {
3833 {
3836 {
3838 /* The use is followed by a clobber. */
3840 }
3841 }
3845 }
3847 /* The use is one of a dangling pointer if a clobber of the variable
3848 [the pointer points to] has not been found before the function exit
3849 point. */
3851 }
3854 /* The first time this basic block is visited assign increasing ids
3855 to consecutive statements in it. Use the ids to determine which
3856 precedes which. This avoids the linear traversal on subsequent
3857 visits to the same block. */
3861 }
3863 /* Issue a warning for the USE_STMT of pointer or reference REF rendered
3864 invalid by INVAL_STMT. REF may be null when it's been optimized away.
3865 When nonnull, INVAL_STMT is the deallocation function that rendered
3866 the pointer or reference dangling. Otherwise, VAR is the auto variable
3867 (including an unnamed temporary such as a compound literal) whose
3868 lifetime's rended it dangling. MAYBE is true to issue the "maybe"
3869 kind of warning. EQUALITY is true when the pointer is used in
3870 an equality expression. */
3872 void
3876 {
3877 /* Avoid printing the unhelpful "<unknown>" in the diagnostics. */
3879 {
3883 /* Don't warn for cases like when a cdtor returns 'this' on ARM. */
3888 }
3892 {
3895 /* Avoid issuing a warning with no context other than
3896 the function. That would make it difficult to debug
3897 in any but very simple cases. */
3899 }
3902 {
3911 auto_diagnostic_group d;
3913 (maybe
3918 (maybe
3921 inval_decl)))
3922 {
3926 }
3928 }
3936 {
3937 auto_diagnostic_group d;
3940 (maybe
3944 || (!ref
3946 (maybe
3949 var)))
3954 }
3958 (maybe
3963 ref))
3964 || (!ref
3966 (maybe
3971 {
3975 }
3976 }
3978 /* If STMT is a call to either the standard realloc or to a user-defined
3979 reallocation function returns its LHS and set *PTR to the reallocated
3980 pointer. Otherwise return null. */
3982 static tree
3984 {
3986 {
3989 }
3999 else
4000 {
4005 }
4012 {
4022 {
4028 }
4029 }
4032 }
4034 /* Warn if STMT is a call to a deallocation function that's not a match
4035 for the REALLOC_STMT call. Return true if warned. */
4037 static bool
4039 {
4054 /* Avoid printing the unhelpful "<unknown>" in the diagnostics. */
4063 "%qD called on pointer %qE passed to mismatched "
4068 "%qD called on a pointer passed to mismatched "
4076 }
4078 /* Return true if P and Q point to the same object, and false if they
4079 either don't or their relationship cannot be determined. */
4081 static bool
4084 {
4088 /* TODO: Work harder to rule out relatedness. */
4092 /* GET_REF() only rarely fails. When it does, it's likely because
4093 it involves a self-referential PHI. Return a conservative result. */
4099 /* If either pointer is a PHI, iterate over all its operands and
4100 return true if they're all related to the other pointer. */
4106 else
4107 {
4114 }
4121 {
4125 }
4128 }
4130 /* Convenience wrapper for the above. */
4132 static bool
4134 {
4135 auto_bitmap visited;
4137 }
4139 /* For a STMT either a call to a deallocation function or a clobber, warn
4140 for uses of the pointer PTR it was called with (including its copies
4141 or others derived from it by pointer arithmetic). If STMT is a clobber,
4142 VAR is the decl of the clobbered variable. When MAYBE is true use
4143 a "maybe" form of diagnostic. */
4145 void
4149 {
4155 /* If STMT is a reallocation function set to the reallocated pointer
4156 and the LHS of the call, respectively. */
4160 auto_bitmap visited;
4166 /* Starting with PTR, iterate over POINTERS added by the loop, and
4167 either warn for their uses in basic blocks dominated by the STMT
4168 or in statements that follow it in the same basic block, or add
4169 them to POINTERS if they point into the same object as PTR (i.e.,
4170 are obtained by pointer arithmetic on PTR). */
4172 {
4175 /* Avoid revisiting the same pointer. */
4178 use_operand_p use_p;
4179 imm_use_iterator iter;
4181 {
4186 /* A clobber isn't a use. */
4191 {
4192 /* Check to see if USE_STMT is a mismatched deallocation
4193 call for the pointer passed to realloc. That's a bug
4194 regardless of the pointer's value and so warn. */
4198 /* Pointers passed to realloc that are used in basic blocks
4199 where the realloc call is known to have failed are valid.
4200 Ignore pointers that nothing is known about. Those could
4201 have escaped along with their nullness. */
4202 value_range vr;
4204 {
4210 }
4211 }
4215 /* Avoid interfering with -Wreturn-local-addr (which runs only
4216 with optimization enabled so it won't diagnose cases that
4217 would be caught here when optimization is disabled). */
4222 {
4225 }
4227 {
4230 }
4232 {
4233 /* Only add a PHI result to POINTERS if all its
4234 operands are related to PTR, otherwise continue. The
4235 PHI result is related once we've reached all arguments
4236 through this iteration. That also means any invariant
4237 argument will make the PHI not related. For arguments
4238 flowing over natural loop backedges we are optimistic
4239 (and diagnose the first iteration). */
4246 {
4249 {
4254 basic_block arg_bb;
4256 /* Make sure we are not forward visiting a
4257 backedge argument. */
4260 && ((arg_bb
4265 related--;
4266 }
4267 }
4268 else
4269 related--;
4274 }
4276 /* Warn if USE_STMT is dominated by the deallocation STMT.
4277 Otherwise, add the pointer to POINTERS so that the uses
4278 of any other pointers derived from it can be checked. */
4280 {
4282 bool this_maybe
4283 = (maybe
4288 }
4291 {
4294 {
4298 }
4300 }
4303 {
4309 }
4310 }
4311 }
4315 }
4317 /* Check call STMT for invalid accesses. */
4319 void
4321 {
4322 /* Skip special calls generated by the compiler. */
4326 /* .ASAN_MARK doesn't access any vars, only modifies shadow memory. */
4335 {
4336 /* Check for uses of the pointer passed to either a standard
4337 or a user-defined deallocation function. */
4340 {
4344 }
4345 }
4355 }
4357 /* Check non-call STMT for invalid accesses. */
4359 void
4361 {
4364 {
4365 /* Ignore clobber statements in blocks with exceptional edges. */
4374 }
4377 {
4378 /* Clobbered unnamed temporaries such as compound literals can be
4379 revived. Check for an assignment to one and remove it from
4380 M_CLOBBERS. */
4388 }
4391 {
4393 /* Avoid interfering with -Wreturn-local-addr (which runs only
4394 with optimization enabled). */
4416 }
4417 }
4419 /* Check basic block BB for invalid accesses. */
4421 void
4423 {
4424 /* Iterate over statements, looking for function calls. */
4427 {
4431 else
4433 }
4434 }
4436 /* Return the argument that the call STMT to a built-in function returns
4437 (including with an offset) or null if it doesn't. */
4439 tree
4441 {
4442 /* Check for attribute fn spec to see if the function returns one
4443 of its arguments. */
4447 {
4456 {
4472 }
4473 }
4479 }
4481 /* Check for and diagnose all uses of the dangling pointer VAR to the auto
4482 object DECL whose lifetime has ended. OBJREF is true when VAR denotes
4483 an access to a DECL that may have been clobbered. */
4485 void
4488 {
4497 {
4500 }
4510 }
4512 /* Diagnose stores in BB and (recursively) its predecessors of the addresses
4513 of local variables into nonlocal pointers that are left dangling after
4514 the function returns. Returns true when we can continue walking
4515 the CFG to predecessors. */
4517 bool
4520 {
4521 /* Iterate backwards over the statements looking for a store of
4522 the address of a local variable into a nonlocal pointer. */
4524 {
4534 /* Avoid looking before nonconst, nonpure calls since those might
4535 use the escaped locals. */
4542 access_ref lhs_ref;
4548 {
4551 }
4553 {
4556 }
4558 {
4561 /* Avoid looking at or before stores into unknown objects. */
4565 }
4573 else
4574 /* Something else, don't warn. */
4580 /* FIXME: Handle stores of alloca() and VLA. */
4581 access_ref rhs_ref;
4590 auto_diagnostic_group d;
4595 {
4603 }
4604 }
4607 }
4609 /* Diagnose stores of the addresses of local variables into nonlocal
4610 pointers that are left dangling after the function returns. */
4612 void
4614 {
4618 auto_bitmap bbs;
4622 do
4623 {
4627 {
4631 }
4632 else
4633 {
4636 else
4638 }
4639 }
4641 }
4643 /* Check for and diagnose uses of dangling pointers to auto objects
4644 whose lifetime has ended. */
4646 void
4648 {
4649 tree var;
4652 {
4653 /* For each SSA_NAME pointer VAR find the object it points to.
4654 If the object is a clobbered local variable, check to see
4655 if any of VAR's uses (or those of other pointers derived
4656 from VAR) happens after the clobber. If so, warn. */
4660 {
4663 {
4667 }
4668 else
4669 {
4670 /* For other expressions, check the base DECL to see
4671 if it's been clobbered, most likely as a result of
4672 inlining a reference to it. */
4676 }
4677 }
4679 {
4681 {
4683 {
4684 access_ref aref;
4688 }
4689 }
4691 {
4694 {
4695 access_ref aref;
4700 }
4701 }
4702 }
4703 }
4704 }
4706 /* Check CALL arguments for dangling pointers (those that have been
4707 clobbered) and warn if found. */
4709 void
4711 {
4714 {
4731 }
4732 }
4734 /* Check function FUN for invalid accesses. */
4736 unsigned
4738 {
4742 /* Set or clear EDGE_DFS_BACK bits on back edges. */
4745 /* Create a new ranger instance and associate it with FUN. */
4749 /* Check for dangling pointers in the earliest run of the pass.
4750 The latest point -Wdangling-pointer should run is just before
4751 loop unrolling which introduces uses after clobbers. Most cases
4752 can be detected without optimization; cases where the address of
4753 the local variable is passed to and then returned from a user-
4754 defined function before its lifetime ends and the returned pointer
4755 becomes dangling depend on inlining. */
4763 basic_block bb;
4768 {
4771 }
4778 /* Release the ranger instance and replace it with a global ranger.
4779 Also reset the pointer since calling disable_ranger() deletes it. */
4789 }
4793 /* Return a new instance of the pass. */
4795 gimple_opt_pass *
4797 {
4799 }