| blob | 2bcef6c398ae9c537a28a6323afbcf86545c6879 |
1 /* Classes for modeling the state of memory.
2 Copyright (C) 2020-2021 Free Software Foundation, Inc.
3 Contributed by David Malcolm <dmalcolm@redhat.com>.
5 This file is part of GCC.
7 GCC is free software; you can redistribute it and/or modify it
8 under the terms of the GNU General Public License as published by
9 the Free Software Foundation; either version 3, or (at your option)
10 any later version.
12 GCC is distributed in the hope that it will be useful, but
13 WITHOUT ANY WARRANTY; without even the implied warranty of
14 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
15 General Public License for more details.
17 You should have received a copy of the GNU General Public License
18 along with GCC; see the file COPYING3. If not see
19 <http://www.gnu.org/licenses/>. */
21 #ifndef GCC_ANALYZER_STORE_H
22 #define GCC_ANALYZER_STORE_H
24 /* Implementation of the region-based ternary model described in:
25 "A Memory Model for Static Analysis of C Programs"
26 (Zhongxing Xu, Ted Kremenek, and Jian Zhang)
27 http://lcs.ios.ac.cn/~xuzb/canalyze/memmodel.pdf */
29 /* The store models memory as a collection of "clusters", where regions
30 are partitioned into clusters via their base region.
32 For example, given:
33 int a, b, c;
34 struct coord { double x; double y; } verts[3];
35 then "verts[0].y" and "verts[1].x" both have "verts" as their base region.
36 Each of a, b, c, and verts will have their own clusters, so that we
37 know that writes to e.g. "verts[1].x".don't affect e.g. "a".
39 Within each cluster we store a map of bindings to values, where the
40 binding keys can be either concrete or symbolic.
42 Concrete bindings affect a specific range of bits relative to the start
43 of the base region of the cluster, whereas symbolic bindings affect
44 a specific subregion within the cluster.
46 Consider (from the symbolic-1.c testcase):
48 char arr[1024];
49 arr[2] = a; (1)
50 arr[3] = b; (2)
51 After (1) and (2), the cluster for "arr" has concrete bindings
52 for bits 16-23 and for bits 24-31, with svalues "INIT_VAL(a)"
53 and "INIT_VAL(b)" respectively:
54 cluster: {bits 16-23: "INIT_VAL(a)",
55 bits 24-31: "INIT_VAL(b)";
56 flags: {}}
57 Attempting to query unbound subregions e.g. arr[4] will
58 return "UNINITIALIZED".
59 "a" and "b" are each in their own clusters, with no explicit
60 bindings, and thus implicitly have value INIT_VAL(a) and INIT_VAL(b).
62 arr[3] = c; (3)
63 After (3), the concrete binding for bits 24-31 is replaced with the
64 svalue "INIT_VAL(c)":
65 cluster: {bits 16-23: "INIT_VAL(a)", (from before)
66 bits 24-31: "INIT_VAL(c)"; (updated)
67 flags: {}}
69 arr[i] = d; (4)
70 After (4), we lose the concrete bindings and replace them with a
71 symbolic binding for "arr[i]", with svalue "INIT_VAL(d)". We also
72 mark the cluster as having been "symbolically touched": future
73 attempts to query the values of subregions other than "arr[i]",
74 such as "arr[3]" are "UNKNOWN", since we don't know if the write
75 to arr[i] affected them.
76 cluster: {symbolic_key(arr[i]): "INIT_VAL(d)";
77 flags: {TOUCHED}}
79 arr[j] = e; (5)
80 After (5), we lose the symbolic binding for "arr[i]" since we could
81 have overwritten it, and add a symbolic binding for "arr[j]".
82 cluster: {symbolic_key(arr[j]): "INIT_VAL(d)"; (different symbolic
83 flags: {TOUCHED}} binding)
85 arr[3] = f; (6)
86 After (6), we lose the symbolic binding for "arr[j]" since we could
87 have overwritten it, and gain a concrete binding for bits 24-31
88 again, this time with svalue "INIT_VAL(e)":
89 cluster: {bits 24-31: "INIT_VAL(d)";
90 flags: {TOUCHED}}
91 The cluster is still flagged as touched, so that we know that
92 accesses to other elements are "UNKNOWN" rather than
93 "UNINITIALIZED".
95 Handling symbolic regions requires us to handle aliasing.
97 In the first example above, each of a, b, c and verts are non-symbolic
98 base regions and so their clusters are "concrete clusters", whereas given:
99 struct coord *p, *q;
100 then "*p" and "*q" are symbolic base regions, and thus "*p" and "*q"
101 have "symbolic clusters".
103 In the above, "verts[i].x" will have a symbolic *binding* within a
104 concrete cluster for "verts", whereas "*p" is a symbolic *cluster*.
106 Writes to concrete clusters can't affect other concrete clusters,
107 but can affect symbolic clusters; e.g. after:
108 verts[0].x = 42;
109 we bind 42 in the cluster for "verts", but the clusters for "b" and "c"
110 can't be affected. Any symbolic clusters for *p and for *q can be
111 affected, *p and *q could alias verts.
113 Writes to a symbolic cluster can affect other clusters, both
114 concrete and symbolic; e.g. after:
115 p->x = 17;
116 we bind 17 within the cluster for "*p". The concrete clusters for a, b,
117 c, and verts could be affected, depending on whether *p aliases them.
118 Similarly, the symbolic cluster to *q could be affected. */
124 /* An enum for discriminating between "direct" vs "default" levels of
125 mapping. */
127 enum binding_kind
128 {
129 /* Special-case value for hash support.
130 This is the initial entry, so that hash traits can have
131 empty_zero_p = true. */
134 /* Special-case value for hash support. */
135 BK_deleted,
137 /* The normal kind of mapping. */
138 BK_direct,
140 /* A lower-priority kind of mapping, for use when inheriting
141 default values from a parent region. */
142 BK_default
143 };
147 /* Abstract base class for describing ranges of bits within a binding_map
148 that can have svalues bound to them. */
150 class binding_key
151 {
181 {
183 }
185 {
187 }
191 };
193 /* Concrete subclass of binding_key, for describing a concrete range of
194 bits within the binding_map (e.g. "bits 8-15"). */
197 {
199 /* This class is its own key for the purposes of consolidation. */
207 {}
211 {
216 }
218 {
223 }
232 /* Return the next bit offset after the end of this binding. */
234 {
236 }
243 bit_offset_t m_start_bit_offset;
244 bit_size_t m_size_in_bits;
245 };
251 {
253 };
257 /* Concrete subclass of binding_key, for describing a symbolic set of
258 bits within the binding_map in terms of a region (e.g. "arr[i]"). */
261 {
263 /* This class is its own key for the purposes of consolidation. */
269 {}
273 {
275 }
277 {
281 }
291 };
297 {
299 };
303 /* A mapping from binding_keys to svalues, for use by binding_cluster
304 and compound_svalue. */
306 class binding_map
307 {
318 {
320 }
325 {
329 else
331 }
333 {
336 }
359 tree val);
364 map_t m_map;
365 };
367 /* Concept: BindingVisitor, for use by binding_cluster::for_each_binding
368 and store::for_each_binding.
370 Should implement:
371 void on_binding (const binding_key *key, const svalue *&sval);
372 */
374 /* All of the bindings within a store for regions that share the same
375 base region. */
377 class binding_cluster
378 {
393 {
395 }
407 binding_kind kind);
429 {
432 }
463 {
465 {
469 }
470 }
488 binding_map m_map;
490 /* Has a pointer to this cluster "escaped" into a part of the program
491 we don't know about (via a call to a function with an unknown body,
492 or by being passed in as a pointer param of a "top-level" function call).
493 Such regions could be overwritten when other such functions are called,
494 even if the region is no longer reachable by pointers that we are
495 tracking. */
498 /* Has this cluster been written to via a symbolic binding?
499 If so, then we don't know anything about unbound subregions,
500 so we can't use initial_svalue, treat them as uninitialized, or
501 inherit values from a parent region. */
503 };
505 /* The mapping from regions to svalues.
506 This is actually expressed by subdividing into clusters, to better
507 handle aliasing. */
509 class store
510 {
522 {
524 }
556 {
560 }
583 {
587 }
598 cluster_map_t m_cluster_map;
600 /* If this is true, then unknown code has been called, and so
601 any global variable that isn't currently modelled by the store
602 has unknown state, rather than being in an "initial state".
603 This is to avoid having to mark (and thus explicitly track)
604 every global when an unknown function is called; instead, they
605 can be tracked implicitly. */
607 };
609 /* A class responsible for owning and consolidating binding keys
610 (both concrete and symbolic).
611 Key instances are immutable as far as clients are concerned, so they
612 are provided as "const" ptrs. */
614 class store_manager
615 {
619 /* binding consolidation. */
622 bit_offset_t size_in_bits,
629 {
631 }
639 };