| blob | e964545b08432c86a9cc31adf714d5f9284488b5 |
1 /* Classes for modeling the state of memory.
2 Copyright (C) 2020-2023 Free Software Foundation, Inc.
3 Contributed by David Malcolm <dmalcolm@redhat.com>.
5 This file is part of GCC.
7 GCC is free software; you can redistribute it and/or modify it
8 under the terms of the GNU General Public License as published by
9 the Free Software Foundation; either version 3, or (at your option)
10 any later version.
12 GCC is distributed in the hope that it will be useful, but
13 WITHOUT ANY WARRANTY; without even the implied warranty of
14 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
15 General Public License for more details.
17 You should have received a copy of the GNU General Public License
18 along with GCC; see the file COPYING3. If not see
19 <http://www.gnu.org/licenses/>. */
22 #define INCLUDE_MEMORY
59 #if ENABLE_ANALYZER
63 /* Dump SVALS to PP, sorting them to ensure determinism. */
65 static void
68 {
72 {
74 }
81 {
85 }
87 }
89 /* class uncertainty_t. */
91 /* Dump this object to PP. */
93 void
95 {
102 }
104 /* Dump this object to stderr. */
106 DEBUG_FUNCTION void
108 {
109 pretty_printer pp;
116 }
118 /* class binding_key. */
122 {
126 else
127 {
128 bit_size_t bit_size;
130 {
131 /* Must be non-empty. */
134 bit_size);
135 }
136 else
138 }
139 }
141 /* Dump this binding_key to stderr. */
143 DEBUG_FUNCTION void
145 {
146 pretty_printer pp;
153 }
155 /* Get a description of this binding_key. */
157 label_text
159 {
160 pretty_printer pp;
164 }
166 /* qsort callback. */
168 int
170 {
174 }
176 /* Comparator for binding_keys. */
178 int
180 {
186 {
191 SIGNED))
194 SIGNED);
195 }
196 else
197 {
205 }
206 }
208 /* struct bit_range. */
210 void
212 {
216 else
217 {
224 }
225 }
227 /* Dump this object to stderr. */
229 DEBUG_FUNCTION void
231 {
232 pretty_printer pp;
237 }
239 /* If OTHER is a subset of this, return true and write
240 to *OUT the relative range of OTHER within this.
241 Otherwise return false. */
243 bool
245 {
248 {
252 }
253 else
255 }
257 /* If OTHER intersects this, return true and write
258 the relative range of OTHER within THIS to *OUT_THIS,
259 and the relative range of THIS within OTHER to *OUT_OTHER.
260 Otherwise return false. */
262 bool
266 {
269 {
270 bit_offset_t overlap_start
273 bit_offset_t overlap_next
281 }
282 else
284 }
286 int
288 {
294 }
296 /* Offset this range by OFFSET. */
298 bit_range
300 {
302 }
304 /* If MASK is a contiguous range of set bits, write them
305 to *OUT and return true.
306 Otherwise return false. */
308 bool
310 {
314 /* Find the first contiguous run of set bits in MASK. */
316 /* Find first set bit in MASK. */
318 {
321 iter_bit_idx++;
323 }
325 /* MASK is zero. */
330 iter_bit_idx++;
333 /* Find next unset bit in MASK. */
335 {
338 num_set_bits++;
339 iter_bit_idx++;
341 }
343 {
346 }
348 /* We now have the first contiguous run of set bits in MASK.
349 Fail if any other bits are set. */
351 {
354 iter_bit_idx++;
356 }
360 }
362 /* Attempt to convert this bit_range to a byte_range.
363 Return true if it is possible, writing the result to *OUT.
364 Otherwise return false. */
366 bool
368 {
371 {
375 }
377 }
379 /* Dump this object to PP. */
381 void
383 {
385 {
387 }
389 {
392 }
393 else
394 {
399 }
400 }
402 /* Dump this object to stderr. */
404 DEBUG_FUNCTION void
406 {
407 pretty_printer pp;
412 }
414 /* If OTHER is a subset of this, return true and write
415 to *OUT the relative range of OTHER within this.
416 Otherwise return false. */
418 bool
420 {
423 {
427 }
428 else
430 }
432 /* Return true if THIS and OTHER intersect and write the number
433 of bytes both buffers overlap to *OUT_NUM_OVERLAP_BYTES.
435 Otherwise return false. */
437 bool
440 {
443 {
451 }
452 else
454 }
456 /* Return true if THIS exceeds OTHER and write the overhanging
457 byte range to OUT_OVERHANGING_BYTE_RANGE. */
459 bool
462 {
466 {
467 /* THIS definitely exceeds OTHER. */
475 }
476 else
478 }
480 /* Return true if THIS falls short of OFFSET and write the
481 byte range fallen short to OUT_FALL_SHORT_BYTES. */
483 bool
486 {
490 {
491 /* THIS falls short of OFFSET. */
498 }
499 else
501 }
503 /* qsort comparator for byte ranges. */
505 int
507 {
508 /* Order first by offset. */
513 /* ...then by size. */
515 }
517 /* class concrete_binding : public binding_key. */
519 /* Implementation of binding_key::dump_to_pp vfunc for concrete_binding. */
521 void
523 {
525 }
527 /* Return true if this binding overlaps with OTHER. */
529 bool
531 {
536 }
538 /* Comparator for use by vec<const concrete_binding *>::qsort. */
540 int
542 {
547 }
549 /* class symbolic_binding : public binding_key. */
551 void
553 {
554 //binding_key::dump_to_pp (pp, simple);
557 }
559 /* Comparator for use by vec<const symbolic_binding *>::qsort. */
561 int
563 {
568 }
570 /* The store is oblivious to the types of the svalues bound within
571 it: any type can get bound at any location.
572 Simplify any casts before binding.
574 For example, if we have:
575 struct big { int ia[1024]; };
576 struct big src, dst;
577 memcpy (&dst, &src, sizeof (struct big));
578 this reaches us in gimple form as:
579 MEM <unsigned char[4096]> [(char * {ref-all})&dst]
580 = MEM <unsigned char[4096]> [(char * {ref-all})&src];
581 Using cast_region when handling the MEM_REF would give us:
582 INIT_VAL(CAST_REG(unsigned char[4096], src))
583 as rhs_sval, but we can fold that into a cast svalue:
584 CAST(unsigned char[4096], INIT_VAL(src))
585 We can discard that cast from the svalue when binding it in
586 the store for "dst", and simply store:
587 cluster for: dst
588 key: {kind: direct, start: 0, size: 32768, next: 32768}
589 value: ‘struct big’ {INIT_VAL(src)}. */
593 {
597 }
599 /* class binding_map. */
601 /* binding_map's copy ctor. */
605 {
606 }
608 /* binding_map's assignment operator. */
610 binding_map&
612 {
613 /* For now, assume we only ever copy to an empty cluster. */
617 {
621 }
623 }
625 /* binding_map's equality operator. */
627 bool
629 {
634 {
643 }
646 }
648 /* Generate a hash value for this binding_map. */
650 hashval_t
652 {
655 {
656 /* Use a new hasher for each key to avoid depending on the ordering
657 of keys when accumulating the result. */
662 }
664 }
666 /* Dump a representation of this binding_map to PP.
667 SIMPLE controls how values and regions are to be printed.
668 If MULTILINE, then split the dump over multiple lines and
669 use whitespace for readability, otherwise put all on one line. */
671 void
674 {
678 {
681 }
687 {
690 {
702 }
703 else
704 {
712 }
713 }
714 }
716 /* Dump a multiline representation of this binding_map to stderr. */
718 DEBUG_FUNCTION void
720 {
721 pretty_printer pp;
728 }
730 /* Return a new json::object of the form
731 {KEY_DESC : SVALUE_DESC,
732 ...for the various key/value pairs in this binding_map}. */
736 {
742 {
745 }
751 {
755 }
758 }
760 /* Comparator for imposing an order on binding_maps. */
762 int
764 {
781 {
789 }
792 }
794 /* Get the child region of PARENT_REG based upon INDEX within a
795 CONSTRUCTOR. */
800 {
802 {
806 {
811 index_sval);
812 }
816 }
817 }
819 /* Get the svalue for VAL, a non-CONSTRUCTOR value within a CONSTRUCTOR. */
823 {
824 /* Reuse the get_rvalue logic from region_model. */
827 }
829 /* Bind values from CONSTRUCTOR to this map, relative to
830 PARENT_REG's relationship to its base region.
831 Return true if successful, false if there was a problem (e.g. due
832 to hitting a complexity limit). */
834 bool
837 {
842 tree index;
843 tree val;
845 tree field;
848 else
851 {
853 {
854 /* If index is NULL, then iterate through the fields for
855 a RECORD_TYPE, or use an INTEGER_CST otherwise.
856 Compare with similar logic in output_constructor. */
858 {
861 }
862 else
864 }
866 {
870 {
874 }
875 else
876 {
880 }
882 }
885 }
887 }
889 /* Bind the value VAL into the range of elements within PARENT_REF
890 from MIN_INDEX to MAX_INDEX (including endpoints).
891 For use in handling RANGE_EXPR within a CONSTRUCTOR.
892 Return true if successful, false if there was a problem (e.g. due
893 to hitting a complexity limit). */
895 bool
899 tree val)
900 {
904 /* Generate a binding key for the range. */
921 bit_size_t range_size_in_bits
928 /* Get the value. */
933 /* Bind the value to the range. */
936 }
938 /* Bind the value VAL into INDEX within PARENT_REF.
939 For use in handling a pair of entries within a CONSTRUCTOR.
940 Return true if successful, false if there was a problem (e.g. due
941 to hitting a complexity limit). */
943 bool
947 {
952 else
953 {
959 /* Handle the case where we have an unknown size for child_reg
960 (e.g. due to it being a trailing field with incomplete array
961 type. */
963 {
964 /* Assume that sval has a well-defined size for this case. */
970 /* Get offset of child relative to base region. */
974 /* Convert to an offset relative to the parent region. */
977 bit_offset_t child_parent_offset
980 /* Create a concrete key for the child within the parent. */
983 }
987 }
988 }
990 /* Populate OUT with all bindings within this map that overlap KEY. */
992 void
995 {
997 {
1001 {
1004 {
1007 }
1008 else
1009 {
1010 /* Assume overlap. */
1012 }
1013 }
1014 else
1015 {
1016 /* Assume overlap. */
1018 }
1019 }
1020 }
1022 /* Remove, truncate, and/or split any bindings within this map that
1023 overlap DROP_KEY.
1025 For example, if we have:
1027 +------------------------------------+
1028 | old binding |
1029 +------------------------------------+
1031 which is to be overwritten with:
1033 .......+----------------------+.......
1034 .......| new binding |.......
1035 .......+----------------------+.......
1037 this function "cuts a hole" out of the old binding:
1039 +------+......................+------+
1040 |prefix| hole for new binding |suffix|
1041 +------+......................+------+
1043 into which the new binding can be added without
1044 overlapping the prefix or suffix.
1046 The prefix and suffix (if added) will be bound to the pertinent
1047 parts of the value of the old binding.
1049 For example, given:
1050 struct s5
1051 {
1052 char arr[8];
1053 };
1054 void test_5 (struct s5 *p)
1055 {
1056 struct s5 f = *p;
1057 f.arr[3] = 42;
1058 }
1059 then after the "f = *p;" we have:
1060 cluster for: f: INIT_VAL((*INIT_VAL(p_33(D))))
1061 and at the "f.arr[3] = 42;" we remove the bindings overlapping
1062 "f.arr[3]", replacing it with a prefix (bytes 0-2) and suffix (bytes 4-7)
1063 giving:
1064 cluster for: f
1065 key: {bytes 0-2}
1066 value: {BITS_WITHIN(bytes 0-2, inner_val: INIT_VAL((*INIT_VAL(p_33(D))).arr))}
1067 key: {bytes 4-7}
1068 value: {BITS_WITHIN(bytes 4-7, inner_val: INIT_VAL((*INIT_VAL(p_33(D))).arr))}
1069 punching a hole into which the new value can be written at byte 3:
1070 cluster for: f
1071 key: {bytes 0-2}
1072 value: {BITS_WITHIN(bytes 0-2, inner_val: INIT_VAL((*INIT_VAL(p_33(D))).arr))}
1073 key: {byte 3}
1074 value: 'char' {(char)42}
1075 key: {bytes 4-7}
1076 value: {BITS_WITHIN(bytes 4-7, inner_val: INIT_VAL((*INIT_VAL(p_33(D))).arr))}
1078 If UNCERTAINTY is non-NULL, use it to record any svalues that
1079 were removed, as being maybe-bound.
1081 If ALWAYS_OVERLAP, then assume that DROP_KEY can overlap anything
1082 in the map, due to one or both of the underlying clusters being
1083 symbolic (but not the same symbolic region). Hence even if DROP_KEY is a
1084 concrete binding it could actually be referring to the same memory as
1085 distinct concrete bindings in the map. Remove all bindings, but
1086 register any svalues with *UNCERTAINTY. */
1088 void
1093 {
1094 /* Get the bindings of interest within this map. */
1099 else
1100 /* Just add overlapping bindings. */
1106 {
1107 /* Record any svalues that were removed to *UNCERTAINTY as being
1108 maybe-bound, provided at least some part of the binding is symbolic.
1110 Specifically, if at least one of the bindings is symbolic, or we
1111 have ALWAYS_OVERLAP for the case where we have possibly aliasing
1112 regions, then we don't know that the svalue has been overwritten,
1113 and should record that to *UNCERTAINTY.
1115 However, if we have concrete keys accessing within the same symbolic
1116 region, then we *know* that the symbolic region has been overwritten,
1117 so we don't record it to *UNCERTAINTY, as this could be a genuine
1118 leak. */
1126 /* Begin by removing the old binding. */
1129 /* Don't attempt to handle prefixes/suffixes for the
1130 "always_overlap" case; everything's being removed. */
1134 /* Now potentially add the prefix and suffix. */
1139 {
1147 {
1148 /* We have a truncated prefix. */
1157 rel_prefix,
1160 }
1164 {
1165 /* We have a truncated suffix. */
1176 rel_suffix,
1179 }
1180 }
1181 }
1182 }
1184 /* class binding_cluster. */
1189 {
1190 }
1192 /* binding_cluster's copy ctor. */
1197 {
1198 }
1200 /* binding_cluster's assignment operator. */
1202 binding_cluster&
1204 {
1210 }
1212 /* binding_cluster's equality operator. */
1214 bool
1216 {
1232 }
1234 /* Generate a hash value for this binding_cluster. */
1236 hashval_t
1238 {
1240 }
1242 /* Return true if this binding_cluster is symbolic
1243 i.e. its base region is symbolic. */
1245 bool
1247 {
1249 }
1251 /* Dump a representation of this binding_cluster to PP.
1252 SIMPLE controls how values and regions are to be printed.
1253 If MULTILINE, then split the dump over multiple lines and
1254 use whitespace for readability, otherwise put all on one line. */
1256 void
1259 {
1261 {
1263 {
1266 }
1267 else
1269 }
1271 {
1273 {
1276 }
1277 else
1279 }
1282 }
1284 /* Dump a multiline representation of this binding_cluster to stderr. */
1286 DEBUG_FUNCTION void
1288 {
1289 pretty_printer pp;
1300 }
1302 /* Assert that this object is valid. */
1304 void
1306 {
1310 {
1312 num_symbolic++;
1313 else
1314 num_concrete++;
1315 }
1316 /* We shouldn't have more than one symbolic key per cluster
1317 (or one would have clobbered the other). */
1319 /* We can't have both concrete and symbolic keys. */
1321 }
1323 /* Return a new json::object of the form
1324 {"escaped": true/false,
1325 "touched": true/false,
1326 "map" : object for the binding_map. */
1330 {
1338 }
1340 /* Add a binding of SVAL of kind KIND to REG, unpacking SVAL if it is a
1341 compound_sval. */
1343 void
1346 {
1349 {
1352 }
1358 }
1360 /* Bind SVAL to KEY.
1361 Unpacking of compound_svalues should already have been done by the
1362 time this is called. */
1364 void
1366 {
1372 }
1374 /* Subroutine of binding_cluster::bind.
1375 Unpack compound_svals when binding them, so that we bind them
1376 element-wise. */
1378 void
1382 {
1383 region_offset reg_offset
1386 {
1390 }
1394 {
1400 {
1401 bit_offset_t effective_start
1408 }
1409 else
1411 }
1412 }
1414 /* Remove all bindings overlapping REG within this cluster. */
1416 void
1418 {
1420 }
1422 /* Remove any bindings for REG within this cluster. */
1424 void
1426 {
1433 }
1435 /* Clobber REG and fill it with repeated copies of SVAL. */
1437 void
1441 {
1450 }
1452 /* Clobber REG within this cluster and fill it with zeroes. */
1454 void
1456 {
1460 }
1462 /* Mark REG_TO_BIND within this cluster as being unknown.
1464 Remove any bindings overlapping REG_FOR_OVERLAP.
1465 If UNCERTAINTY is non-NULL, use it to record any svalues that
1466 had bindings to them removed, as being maybe-bound.
1468 REG_TO_BIND and REG_FOR_OVERLAP are the same for
1469 store::mark_region_as_unknown, but are different in
1470 store::set_value's alias handling, for handling the case where
1471 we have a write to a symbolic REG_FOR_OVERLAP. */
1473 void
1478 {
1484 /* Add a default binding to "unknown". */
1489 }
1491 /* Purge state involving SVAL. */
1493 void
1496 {
1500 {
1504 {
1508 }
1513 }
1515 {
1518 }
1520 {
1524 }
1525 }
1527 /* Get any SVAL bound to REG within this cluster via kind KIND,
1528 without checking parent regions of REG. */
1533 {
1539 {
1540 /* If we have a struct with a single field, then the binding of
1541 the field will equal that of the struct, and looking up e.g.
1542 PARENT_REG.field within:
1543 cluster for PARENT_REG: INIT_VAL(OTHER_REG)
1544 will erroneously return INIT_VAL(OTHER_REG), rather than
1545 SUB_VALUE(INIT_VAL(OTHER_REG), FIELD) == INIT_VAL(OTHER_REG.FIELD).
1546 Fix this issue by iterating upwards whilst the bindings are equal,
1547 expressing the lookups as subvalues.
1548 We have to gather a list of subregion accesses, then walk it
1549 in reverse to get the subvalues. */
1552 {
1559 {
1562 }
1563 else
1565 }
1569 {
1573 {
1577 }
1578 }
1579 }
1581 }
1583 /* Get any SVAL bound to REG within this cluster,
1584 either directly for REG, or recursively checking for bindings within
1585 parent regions and extracting subvalues if need be. */
1590 {
1597 {
1598 /* Extract child svalue from parent svalue. */
1602 }
1604 }
1606 /* Get any value bound for REG within this cluster. */
1611 {
1612 /* Look for a direct binding. */
1617 /* If we had a write to a cluster of unknown size, we might
1618 have a self-binding of the whole base region with an svalue,
1619 where the base region is symbolic.
1620 Handle such cases by returning sub_svalue instances. */
1622 {
1623 /* Extract child svalue from parent svalue. */
1627 }
1629 /* If this cluster has been touched by a symbolic write, then the content
1630 of any subregion not currently specifically bound is "UNKNOWN". */
1632 {
1635 }
1637 /* Alternatively, if this is a symbolic read and the cluster has any bindings,
1638 then we don't know if we're reading those values or not, so the result
1639 is also "UNKNOWN". */
1642 {
1645 }
1650 /* Otherwise, the initial value, or uninitialized. */
1652 }
1654 /* Attempt to get a compound_svalue for the bindings within the cluster
1655 affecting REG (which could be the base region itself).
1657 Create a compound_svalue with the subset of bindings the affect REG,
1658 offsetting them so that the offsets are relative to the start of REG
1659 within the cluster.
1661 For example, REG could be one element within an array of structs.
1663 Return the resulting compound_svalue, or NULL if there's a problem. */
1668 {
1669 region_offset cluster_offset
1682 /* We will a build the result map in two parts:
1683 (a) result_map, holding the concrete keys from this cluster,
1685 (b) default_map, holding the initial values for the region
1686 (e.g. uninitialized, initializer values, or zero), unless this
1687 cluster has been touched.
1689 We will populate (a), and as we do, clobber (b), trimming and
1690 splitting its bindings as necessary.
1691 Finally, we will merge (b) into (a), giving a concrete map
1692 that merges both the initial values and the bound values from
1693 the binding_cluster.
1694 Doing it this way reduces N for the O(N^2) intersection-finding,
1695 perhaps we should have a spatial-organized data structure for
1696 concrete keys, though. */
1698 binding_map result_map;
1699 binding_map default_map;
1701 /* Set up default values in default_map. */
1705 else
1711 {
1717 {
1720 bit_size_t reg_bit_size;
1725 reg_bit_size);
1727 /* Skip bindings that are outside the bit range of REG. */
1731 /* We shouldn't have an exact match; that should have been
1732 handled already. */
1737 {
1738 /* We have a bound range fully within REG.
1739 Add it to map, offsetting accordingly. */
1741 /* Get offset of KEY relative to REG, rather than to
1742 the cluster. */
1747 /* Clobber default_map, removing/trimming/spliting where
1748 it overlaps with offset_concrete_key. */
1750 offset_concrete_key,
1752 }
1754 {
1755 /* REG is fully within the bound range, but
1756 is not equal to it; we're extracting a subvalue. */
1758 subrange,
1760 }
1761 else
1762 {
1763 /* REG and the bound range partially overlap. */
1769 /* Get the bits from the bound value for the bits at the
1770 intersection (relative to the bound value). */
1773 bound_subrange,
1776 /* Get key for overlap, relative to the REG. */
1781 /* Clobber default_map, removing/trimming/spliting where
1782 it overlaps with overlap_concrete_key. */
1784 overlap_concrete_key,
1786 }
1787 }
1788 else
1789 /* Can't handle symbolic bindings. */
1791 }
1796 /* Merge any bindings from default_map into result_map. */
1798 {
1802 }
1805 }
1807 /* Remove, truncate, and/or split any bindings within this map that
1808 could overlap REG.
1810 If REG's base region or this cluster is symbolic and they're different
1811 base regions, then remove everything in this cluster's map, on the
1812 grounds that REG could be referring to the same memory as anything
1813 in the map.
1815 If UNCERTAINTY is non-NULL, use it to record any svalues that
1816 were removed, as being maybe-bound. */
1818 void
1822 {
1829 /* If at least one of the base regions involved is symbolic, and they're
1830 not the same base region, then consider everything in the map as
1831 potentially overlapping with reg_binding (even if it's a concrete
1832 binding and things in the map are concrete - they could be referring
1833 to the same memory when the symbolic base regions are taken into
1834 account). */
1839 always_overlap);
1840 }
1842 /* Attempt to merge CLUSTER_A and CLUSTER_B into OUT_CLUSTER, using
1843 MGR and MERGER.
1844 Return true if they can be merged, false otherwise. */
1846 bool
1853 {
1856 /* Merge flags ("ESCAPED" and "TOUCHED") by setting the merged flag to
1857 true if either of the inputs is true. */
1865 /* At least one of CLUSTER_A and CLUSTER_B are non-NULL, but either
1866 could be NULL. Handle these cases. */
1868 {
1873 }
1875 {
1880 }
1882 /* The "both inputs are non-NULL" case. */
1890 {
1893 }
1896 {
1899 }
1904 {
1911 num_symbolic_keys++;
1912 else
1913 num_concrete_keys++;
1916 {
1920 }
1922 {
1925 {
1928 }
1929 /* Merger of the svalues failed. Reject merger of the cluster. */
1931 }
1933 /* If we get here, then one cluster binds this key and the other
1934 doesn't; merge them as "UNKNOWN". */
1942 /* ...but reject the merger if this sval shouldn't be mergeable
1943 (e.g. reject merging svalues that have non-purgable sm-state,
1944 to avoid falsely reporting memory leaks by merging them
1945 with something else). */
1950 }
1952 /* We can only have at most one symbolic key per cluster,
1953 and if we do, we can't have any concrete keys.
1954 If this happens, mark the cluster as touched, with no keys. */
1957 {
1960 }
1962 /* We don't handle other kinds of overlaps yet. */
1965 }
1967 /* Update this cluster to reflect an attempt to merge OTHER where there
1968 is no other cluster to merge with, and so we're notionally merging the
1969 bound values in OTHER with the initial value of the relevant regions.
1971 Any bound keys in OTHER should be bound to unknown in this. */
1973 void
1977 {
1980 {
1988 /* For any pointers in OTHER, the merger means that the
1989 concrete pointer becomes an unknown value, which could
1990 show up as a false report of a leak when considering what
1991 pointers are live before vs after.
1992 Avoid this by marking the base regions they point to as having
1993 escaped. */
1996 {
2001 {
2004 }
2005 }
2006 }
2007 }
2009 /* Mark this cluster as having escaped. */
2011 void
2013 {
2015 }
2017 /* If this cluster has escaped (by this call, or by an earlier one, or
2018 by being an external param), then unbind all values and mark it
2019 as "touched", so that it has a conjured value, rather than an
2020 initial_svalue.
2021 Use P to purge state involving conjured_svalues. */
2023 void
2027 {
2029 {
2033 {
2034 /* Bind it to a new "conjured" value using CALL. */
2039 }
2042 }
2043 }
2045 /* Mark this cluster as having been clobbered by STMT.
2046 Use P to purge state involving conjured_svalues. */
2048 void
2052 {
2055 /* Bind it to a new "conjured" value using CALL. */
2062 }
2064 /* Return true if this cluster has escaped. */
2066 bool
2068 {
2069 /* Consider the "errno" region to always have escaped. */
2073 }
2075 /* Return true if this binding_cluster has no information
2076 i.e. if there are no bindings, and it hasn't been marked as having
2077 escaped, or touched symbolically. */
2079 bool
2081 {
2083 && !m_escaped
2085 }
2087 /* Add PV to OUT_PVS, casting it to TYPE if it is not already of that type. */
2089 static void
2091 tree type,
2093 {
2100 }
2102 /* Find representative path_vars for SVAL within this binding of BASE_REG,
2103 appending the results to OUT_PVS. */
2105 void
2111 const
2112 {
2116 {
2120 {
2123 {
2125 base_reg->get_subregions_for_binding
2134 {
2137 visited))
2139 }
2140 }
2141 else
2142 {
2146 visited))
2148 }
2149 }
2150 }
2151 }
2153 /* Get any svalue bound to KEY, or NULL. */
2157 {
2159 }
2161 /* If this cluster has a single direct binding for the whole of the region,
2162 return it.
2163 For use in simplifying dumps. */
2167 {
2168 /* Fail gracefully if MGR is NULL to make it easier to dump store
2169 instances in the debugger. */
2181 }
2183 /* class store_manager. */
2185 logger *
2187 {
2189 }
2191 /* binding consolidation. */
2195 bit_offset_t size_in_bits)
2196 {
2204 }
2208 {
2216 }
2218 /* class store. */
2220 /* store's default ctor. */
2224 {
2225 }
2227 /* store's copy ctor. */
2232 {
2236 {
2242 }
2243 }
2245 /* store's dtor. */
2248 {
2253 }
2255 /* store's assignment operator. */
2257 store &
2259 {
2260 /* Delete existing cluster map. */
2272 {
2278 }
2280 }
2282 /* store's equality operator. */
2284 bool
2286 {
2296 {
2299 binding_cluster **other_slot
2305 }
2310 }
2312 /* Get a hash value for this store. */
2314 hashval_t
2316 {
2323 }
2325 /* Populate OUT with a sorted list of parent regions for the regions in IN,
2326 removing duplicate parents. */
2328 static void
2331 {
2332 /* Get the set of parent regions. */
2337 {
2341 }
2343 /* Write to OUT. */
2348 /* Sort OUT. */
2350 }
2352 /* Dump a representation of this store to PP, using SIMPLE to control how
2353 svalues and regions are printed.
2354 MGR is used for simplifying dumps if non-NULL, but can also be NULL
2355 (to make it easier to use from the debugger). */
2357 void
2360 {
2361 /* Sort into some deterministic order. */
2365 {
2368 }
2371 /* Gather clusters, organize by parent region, so that we can group
2372 together locals, globals, etc. */
2379 {
2385 else
2391 {
2392 /* This is O(N * M), but N ought to be small. */
2395 binding_cluster *cluster
2398 {
2401 }
2403 {
2404 /* Special-case to simplify dumps for the common case where
2405 we just have one value directly bound to the whole of a
2406 region. */
2408 {
2418 }
2419 else
2420 {
2430 }
2431 }
2433 {
2438 }
2439 else
2440 {
2446 }
2447 }
2450 }
2455 }
2457 /* Dump a multiline representation of this store to stderr. */
2459 DEBUG_FUNCTION void
2461 {
2462 pretty_printer pp;
2469 }
2471 /* Assert that this object is valid. */
2473 void
2475 {
2478 }
2480 /* Return a new json::object of the form
2481 {PARENT_REGION_DESC: {BASE_REGION_DESC: object for binding_map,
2482 ... for each cluster within parent region},
2483 ...for each parent region,
2484 "called_unknown_fn": true/false}. */
2488 {
2491 /* Sort into some deterministic order. */
2495 {
2498 }
2501 /* Gather clusters, organize by parent region, so that we can group
2502 together locals, globals, etc. */
2509 {
2517 {
2518 /* This is O(N * M), but N ought to be small. */
2521 binding_cluster *cluster
2526 }
2529 }
2534 }
2536 /* Get any svalue bound to REG, or NULL. */
2540 {
2542 binding_cluster **cluster_slot
2547 }
2549 /* Set the value of LHS_REG to RHS_SVAL. */
2551 void
2555 {
2563 /* ...but if we have no type for the region, retain any cast. */
2568 {
2569 /* Reject attempting to bind values into a symbolic region
2570 for an unknown ptr; merely invalidate values below. */
2573 /* The LHS of the write is *UNKNOWN. If the RHS is a pointer,
2574 then treat the region being pointed to as having escaped. */
2576 {
2580 }
2583 }
2585 {
2588 }
2589 else
2590 {
2591 /* Reject attempting to bind values into an untracked region;
2592 merely invalidate values below. */
2594 }
2596 /* Bindings to a cluster can affect other clusters if a symbolic
2597 base region is involved.
2598 Writes to concrete clusters can't affect other concrete clusters,
2599 but can affect symbolic clusters.
2600 Writes to symbolic clusters can affect both concrete and symbolic
2601 clusters.
2602 Invalidate our knowledge of other clusters that might have been
2603 affected by the write. */
2606 {
2613 {
2616 {
2622 {
2632 }
2633 /* Mark all of iter_cluster's iter_base_reg as unknown,
2634 using LHS_REG when considering overlaps, to handle
2635 symbolic vs concrete issues. */
2636 iter_cluster->mark_region_as_unknown
2640 uncertainty);
2648 /* If they can't be aliases, then don't invalidate this
2649 cluster. */
2651 }
2652 }
2653 }
2654 }
2656 /* Determine if BASE_REG_A could be an alias of BASE_REG_B. */
2658 tristate
2661 {
2662 /* SSA names can't alias. */
2670 /* Try both ways, for symmetry. */
2678 }
2680 /* Half of store::eval_alias; called twice for symmetry. */
2682 tristate
2685 {
2688 {
2691 {
2696 {
2697 /* The initial value of a pointer can't point to a local. */
2699 }
2700 }
2703 {
2704 /* The initial value of a pointer can't point to a
2705 region that was allocated on the heap after the beginning of the
2706 path. */
2708 }
2711 {
2715 {
2717 /* If we have sval_a is WIDENING(®ION, OP), and
2718 B can't alias REGION, then B can't alias A either.
2719 For example, A might arise from
2720 for (ptr = ®ION; ...; ptr++)
2721 where sval_a is ptr in the 2nd iteration of the loop.
2722 We want to ensure that "*ptr" can only clobber things
2723 within REGION's base region. */
2725 base_reg_b);
2728 }
2729 }
2730 }
2732 }
2734 /* Remove all bindings overlapping REG within this store. */
2736 void
2738 {
2746 {
2749 }
2750 }
2752 /* Remove any bindings for REG within this store. */
2754 void
2756 {
2764 {
2767 }
2768 }
2770 /* Fill REG with SVAL. */
2772 void
2774 {
2775 /* Filling an empty region is a no-op. */
2785 }
2787 /* Zero-fill REG. */
2789 void
2791 {
2795 }
2797 /* Mark REG as having unknown content. */
2799 void
2802 {
2809 }
2811 /* Purge state involving SVAL. */
2813 void
2816 {
2819 {
2823 else
2824 {
2827 }
2828 }
2832 }
2834 /* Get the cluster for BASE_REG, or NULL (const version). */
2838 {
2844 else
2846 }
2848 /* Get the cluster for BASE_REG, or NULL (non-const version). */
2850 binding_cluster *
2852 {
2857 else
2859 }
2861 /* Get the cluster for BASE_REG, creating it if doesn't already exist. */
2863 binding_cluster *
2865 {
2869 /* We shouldn't create clusters for dereferencing an UNKNOWN ptr. */
2872 /* We shouldn't create clusters for base regions that aren't trackable. */
2882 }
2884 /* Remove any cluster for BASE_REG, for use by
2885 region_model::unbind_region_and_descendents
2886 when popping stack frames and handling deleted heap regions. */
2888 void
2890 {
2898 }
2900 /* Attempt to merge STORE_A and STORE_B into OUT_STORE.
2901 Return true if successful, or false if the stores can't be merged. */
2903 bool
2907 {
2911 /* Get the union of all base regions for STORE_A and STORE_B. */
2915 {
2918 }
2921 {
2924 }
2926 /* Sort the base regions before considering them. This ought not to
2927 affect the results, but can affect which types UNKNOWN_REGIONs are
2928 created for in a run; sorting them thus avoids minor differences
2929 in logfiles. */
2938 {
2941 /* At least one of cluster_a and cluster_b must be non-NULL. */
2942 binding_cluster *out_cluster
2947 }
2949 }
2951 /* Mark the cluster for BASE_REG as having escaped.
2952 For use when handling an unrecognized function call, and
2953 for params to "top-level" calls.
2954 Further unknown function calls could touch it, even if the cluster
2955 isn't reachable from args of those calls. */
2957 void
2959 {
2969 }
2971 /* Handle an unknown fncall by updating any clusters that have escaped
2972 (either in this fncall, or in a prior one). */
2974 void
2977 {
2983 }
2985 /* Return true if a non-const pointer to BASE_REG (or something within it)
2986 has escaped to code outside of the TU being analyzed. */
2988 bool
2990 {
2994 /* "errno" can always be modified by external code. */
3002 }
3004 /* Populate OUT_PVS with a list of path_vars for describing SVAL based on
3005 this store, using VISITED to ensure the traversal terminates. */
3007 void
3012 {
3015 /* Find all bindings that reference SVAL. */
3018 {
3022 out_pvs);
3023 }
3026 {
3029 visited))
3031 }
3032 }
3034 /* Remove all bindings overlapping REG within this store, removing
3035 any clusters that become redundant.
3037 If UNCERTAINTY is non-NULL, use it to record any svalues that
3038 were removed, as being maybe-bound. */
3040 void
3043 {
3046 {
3049 {
3050 /* Remove whole cluster. */
3054 }
3056 }
3057 }
3059 /* Subclass of visitor that accumulates a hash_set of the regions that
3060 were visited. */
3063 {
3065 {
3067 }
3070 };
3072 /* Canonicalize this store, to maximize the chance of equality between
3073 instances. */
3075 void
3077 {
3078 /* If we have e.g.:
3079 cluster for: HEAP_ALLOCATED_REGION(543)
3080 ESCAPED
3081 TOUCHED
3082 where the heap region is empty and unreferenced, then purge that
3083 cluster, to avoid unbounded state chains involving these. */
3085 /* Find regions that are referenced by bound values in the store. */
3086 region_finder s;
3089 {
3094 }
3096 /* Locate heap-allocated regions that have empty bindings that weren't
3097 found above. */
3101 {
3105 {
3106 /* Don't purge a heap-allocated region that's been marked as
3107 escaping, since this could be recording that a ptr to it
3108 was written to an unknown symbolic region along this
3109 path, and so we don't know whether it's referenced or
3110 not, and hence should report it as leaking
3111 (PR analyzer/106473). */
3119 /* Also cover the UNKNOWN case. */
3124 }
3125 }
3127 /* Purge them. */
3130 {
3133 }
3134 }
3136 /* Subroutine for use by exploded_path::feasible_p.
3138 We need to deal with state differences between:
3139 (a) when the exploded_graph is being initially constructed and
3140 (b) when replaying the state changes along a specific path in
3141 in exploded_path::feasible_p.
3143 In (a), state merging happens, so when exploring a loop
3144 for (i = 0; i < 1024; i++)
3145 on successive iterations we have i == 0, then i == WIDENING.
3147 In (b), no state merging happens, so naively replaying the path
3148 that goes twice through the loop then exits it
3149 would lead to i == 0, then i == 1, and then a (i >= 1024) eedge
3150 that exits the loop, which would be found to be infeasible as i == 1,
3151 and the path would be rejected.
3153 We need to fix up state during replay. This subroutine is
3154 called whenever we enter a supernode that we've already
3155 visited along this exploded_path, passing in OTHER_STORE
3156 from the destination enode's state.
3158 Find bindings to widening values in OTHER_STORE.
3159 For all that are found, update the binding in this store to UNKNOWN. */
3161 void
3164 {
3168 {
3173 {
3177 {
3178 binding_cluster *this_cluster
3183 }
3184 }
3185 }
3186 }
3188 /* Use R to replay the bindings from SUMMARY into this object. */
3190 void
3193 {
3195 {
3196 /* A call to an external function occurred in the summary.
3197 Hence we need to invalidate our knownledge of globals,
3198 escaped regions, etc. */
3203 }
3211 }
3213 /* Use R and SUMMARY to replay the bindings in SUMMARY_CLUSTER
3214 into this object. */
3216 void
3220 {
3227 /* Handle "ESCAPED" and "TOUCHED" flags. */
3231 {
3235 {
3236 binding_cluster *caller_cluster
3242 }
3243 }
3246 {
3247 /* Top-level regions. */
3255 /* Child regions. */
3262 /* Other regions. */
3265 /* These should never be the base region of a binding cluster. */
3272 /* These can be marked as escaping. */
3276 {
3286 NULL_TREE,
3295 caller_sval =
3299 }
3305 {
3319 caller_sval =
3323 }
3327 /* Ignore bindings of alloca regions in the summary. */
3329 }
3330 }
3332 #if CHECKING_P
3336 /* Verify that bit_range::intersects_p works as expected. */
3338 static void
3340 {
3354 /* self-intersection is true. */
3396 }
3398 /* Implementation detail of ASSERT_BIT_RANGE_FROM_MASK_EQ. */
3400 static void
3404 {
3409 }
3411 /* Assert that bit_range::from_mask (MASK) returns true, and writes
3412 out EXPECTED_BIT_RANGE. */
3414 #define ASSERT_BIT_RANGE_FROM_MASK_EQ(MASK, EXPECTED_BIT_RANGE) \
3415 SELFTEST_BEGIN_STMT \
3416 assert_bit_range_from_mask_eq (SELFTEST_LOCATION, MASK, \
3417 EXPECTED_BIT_RANGE); \
3418 SELFTEST_END_STMT
3420 /* Implementation detail of ASSERT_NO_BIT_RANGE_FROM_MASK. */
3422 static void
3425 {
3429 }
3431 /* Assert that bit_range::from_mask (MASK) returns false. */
3433 #define ASSERT_NO_BIT_RANGE_FROM_MASK(MASK) \
3434 SELFTEST_BEGIN_STMT \
3435 assert_no_bit_range_from_mask_eq (SELFTEST_LOCATION, MASK); \
3436 SELFTEST_END_STMT
3438 /* Verify that bit_range::from_mask works as expected. */
3440 static void
3442 {
3443 /* Should fail on zero. */
3446 /* Verify 1-bit masks. */
3456 /* Verify N-bit masks starting at bit 0. */
3466 /* Various other tests. */
3471 /* Multiple ranges of set bits should fail. */
3474 }
3476 /* Implementation detail of ASSERT_OVERLAP. */
3478 static void
3482 {
3485 }
3487 /* Implementation detail of ASSERT_DISJOINT. */
3489 static void
3493 {
3496 }
3498 /* Assert that B1 and B2 overlap, checking both ways. */
3500 #define ASSERT_OVERLAP(B1, B2) \
3501 SELFTEST_BEGIN_STMT \
3502 assert_overlap (SELFTEST_LOCATION, B1, B2); \
3503 SELFTEST_END_STMT
3505 /* Assert that B1 and B2 do not overlap, checking both ways. */
3507 #define ASSERT_DISJOINT(B1, B2) \
3508 SELFTEST_BEGIN_STMT \
3509 assert_disjoint (SELFTEST_LOCATION, B1, B2); \
3510 SELFTEST_END_STMT
3512 /* Verify that concrete_binding::overlaps_p works as expected. */
3514 static void
3516 {
3519 /* Various 8-bit bindings. */
3525 /* 16-bit bindings. */
3530 /* 32-bit binding. */
3533 /* Everything should self-overlap. */
3543 /* Verify the 8-bit bindings that don't overlap each other. */
3547 /* Check for overlap of differently-sized bindings. */
3549 /* ...and with differing start points. */
3559 }
3561 /* Run all of the selftests within this file. */
3563 void
3565 {
3569 }