| blob | d558d477115e059992e074f5ab09c48ca041b5a8 |
1 /* Classes for modeling the state of memory.
2 Copyright (C) 2020-2022 Free Software Foundation, Inc.
3 Contributed by David Malcolm <dmalcolm@redhat.com>.
5 This file is part of GCC.
7 GCC is free software; you can redistribute it and/or modify it
8 under the terms of the GNU General Public License as published by
9 the Free Software Foundation; either version 3, or (at your option)
10 any later version.
12 GCC is distributed in the hope that it will be useful, but
13 WITHOUT ANY WARRANTY; without even the implied warranty of
14 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
15 General Public License for more details.
17 You should have received a copy of the GNU General Public License
18 along with GCC; see the file COPYING3. If not see
19 <http://www.gnu.org/licenses/>. */
62 #if ENABLE_ANALYZER
66 /* Dump SVALS to PP, sorting them to ensure determinism. */
68 static void
71 {
75 {
77 }
84 {
88 }
90 }
92 /* class uncertainty_t. */
94 /* Dump this object to PP. */
96 void
98 {
105 }
107 /* Dump this object to stderr. */
109 DEBUG_FUNCTION void
111 {
112 pretty_printer pp;
119 }
121 /* class binding_key. */
125 {
129 else
130 {
131 bit_size_t bit_size;
134 bit_size);
135 else
137 }
138 }
140 /* Dump this binding_key to stderr. */
142 DEBUG_FUNCTION void
144 {
145 pretty_printer pp;
152 }
154 /* Get a description of this binding_key. */
156 label_text
158 {
159 pretty_printer pp;
163 }
165 /* qsort callback. */
167 int
169 {
173 }
175 /* Comparator for binding_keys. */
177 int
179 {
185 {
190 SIGNED))
193 SIGNED);
194 }
195 else
196 {
204 }
205 }
207 /* struct bit_range. */
209 void
211 {
215 else
216 {
223 }
224 }
226 /* Dump this object to stderr. */
228 DEBUG_FUNCTION void
230 {
231 pretty_printer pp;
236 }
238 /* If OTHER is a subset of this, return true and write
239 to *OUT the relative range of OTHER within this.
240 Otherwise return false. */
242 bool
244 {
247 {
251 }
252 else
254 }
256 /* If OTHER intersects this, return true and write
257 the relative range of OTHER within THIS to *OUT_THIS,
258 and the relative range of THIS within OTHER to *OUT_OTHER.
259 Otherwise return false. */
261 bool
265 {
268 {
269 bit_offset_t overlap_start
272 bit_offset_t overlap_next
280 }
281 else
283 }
285 int
287 {
293 }
295 /* Offset this range by OFFSET. */
297 bit_range
299 {
301 }
303 /* If MASK is a contiguous range of set bits, write them
304 to *OUT and return true.
305 Otherwise return false. */
307 bool
309 {
313 /* Find the first contiguous run of set bits in MASK. */
315 /* Find first set bit in MASK. */
317 {
320 iter_bit_idx++;
322 }
324 /* MASK is zero. */
329 iter_bit_idx++;
332 /* Find next unset bit in MASK. */
334 {
337 num_set_bits++;
338 iter_bit_idx++;
340 }
342 {
345 }
347 /* We now have the first contiguous run of set bits in MASK.
348 Fail if any other bits are set. */
350 {
353 iter_bit_idx++;
355 }
359 }
361 /* Attempt to convert this bit_range to a byte_range.
362 Return true if it is possible, writing the result to *OUT.
363 Otherwise return false. */
365 bool
367 {
370 {
374 }
376 }
378 /* Dump this object to PP. */
380 void
382 {
384 {
387 }
388 else
389 {
394 }
395 }
397 /* Dump this object to stderr. */
399 DEBUG_FUNCTION void
401 {
402 pretty_printer pp;
407 }
409 /* If OTHER is a subset of this, return true and write
410 to *OUT the relative range of OTHER within this.
411 Otherwise return false. */
413 bool
415 {
418 {
422 }
423 else
425 }
427 /* qsort comparator for byte ranges. */
429 int
431 {
432 /* Order first by offset. */
437 /* ...then by size. */
439 }
441 /* class concrete_binding : public binding_key. */
443 /* Implementation of binding_key::dump_to_pp vfunc for concrete_binding. */
445 void
447 {
449 }
451 /* Return true if this binding overlaps with OTHER. */
453 bool
455 {
460 }
462 /* Comparator for use by vec<const concrete_binding *>::qsort. */
464 int
466 {
471 }
473 /* class symbolic_binding : public binding_key. */
475 void
477 {
478 //binding_key::dump_to_pp (pp, simple);
481 }
483 /* Comparator for use by vec<const symbolic_binding *>::qsort. */
485 int
487 {
492 }
494 /* The store is oblivious to the types of the svalues bound within
495 it: any type can get bound at any location.
496 Simplify any casts before binding.
498 For example, if we have:
499 struct big { int ia[1024]; };
500 struct big src, dst;
501 memcpy (&dst, &src, sizeof (struct big));
502 this reaches us in gimple form as:
503 MEM <unsigned char[4096]> [(char * {ref-all})&dst]
504 = MEM <unsigned char[4096]> [(char * {ref-all})&src];
505 Using cast_region when handling the MEM_REF would give us:
506 INIT_VAL(CAST_REG(unsigned char[4096], src))
507 as rhs_sval, but we can fold that into a cast svalue:
508 CAST(unsigned char[4096], INIT_VAL(src))
509 We can discard that cast from the svalue when binding it in
510 the store for "dst", and simply store:
511 cluster for: dst
512 key: {kind: direct, start: 0, size: 32768, next: 32768}
513 value: ‘struct big’ {INIT_VAL(src)}. */
517 {
521 }
523 /* class binding_map. */
525 /* binding_map's copy ctor. */
529 {
530 }
532 /* binding_map's assignment operator. */
534 binding_map&
536 {
537 /* For now, assume we only ever copy to an empty cluster. */
541 {
545 }
547 }
549 /* binding_map's equality operator. */
551 bool
553 {
558 {
567 }
570 }
572 /* Generate a hash value for this binding_map. */
574 hashval_t
576 {
579 {
580 /* Use a new hasher for each key to avoid depending on the ordering
581 of keys when accumulating the result. */
586 }
588 }
590 /* Dump a representation of this binding_map to PP.
591 SIMPLE controls how values and regions are to be printed.
592 If MULTILINE, then split the dump over multiple lines and
593 use whitespace for readability, otherwise put all on one line. */
595 void
598 {
602 {
605 }
611 {
614 {
626 }
627 else
628 {
636 }
637 }
638 }
640 /* Dump a multiline representation of this binding_map to stderr. */
642 DEBUG_FUNCTION void
644 {
645 pretty_printer pp;
652 }
654 /* Return a new json::object of the form
655 {KEY_DESC : SVALUE_DESC,
656 ...for the various key/value pairs in this binding_map}. */
660 {
666 {
669 }
675 {
679 }
682 }
684 /* Comparator for imposing an order on binding_maps. */
686 int
688 {
705 {
713 }
716 }
718 /* Get the child region of PARENT_REG based upon INDEX within a
719 CONSTRUCTOR. */
724 {
726 {
730 {
735 index_sval);
736 }
740 }
741 }
743 /* Get the svalue for VAL, a non-CONSTRUCTOR value within a CONSTRUCTOR. */
747 {
748 /* Reuse the get_rvalue logic from region_model. */
751 }
753 /* Bind values from CONSTRUCTOR to this map, relative to
754 PARENT_REG's relationship to its base region.
755 Return true if successful, false if there was a problem (e.g. due
756 to hitting a complexity limit). */
758 bool
761 {
766 tree index;
767 tree val;
769 tree field;
772 else
775 {
777 {
778 /* If index is NULL, then iterate through the fields for
779 a RECORD_TYPE, or use an INTEGER_CST otherwise.
780 Compare with similar logic in output_constructor. */
782 {
785 }
786 else
788 }
790 {
794 {
798 }
799 else
800 {
804 }
806 }
809 }
811 }
813 /* Bind the value VAL into the range of elements within PARENT_REF
814 from MIN_INDEX to MAX_INDEX (including endpoints).
815 For use in handling RANGE_EXPR within a CONSTRUCTOR.
816 Return true if successful, false if there was a problem (e.g. due
817 to hitting a complexity limit). */
819 bool
823 tree val)
824 {
828 /* Generate a binding key for the range. */
843 bit_size_t range_size_in_bits
850 /* Get the value. */
855 /* Bind the value to the range. */
858 }
860 /* Bind the value VAL into INDEX within PARENT_REF.
861 For use in handling a pair of entries within a CONSTRUCTOR.
862 Return true if successful, false if there was a problem (e.g. due
863 to hitting a complexity limit). */
865 bool
869 {
874 else
875 {
879 /* Handle the case where we have an unknown size for child_reg
880 (e.g. due to it being a trailing field with incomplete array
881 type. */
883 {
884 /* Assume that sval has a well-defined size for this case. */
890 /* Get offset of child relative to base region. */
894 /* Convert to an offset relative to the parent region. */
897 bit_offset_t child_parent_offset
900 /* Create a concrete key for the child within the parent. */
903 }
907 }
908 }
910 /* Populate OUT with all bindings within this map that overlap KEY. */
912 void
915 {
917 {
921 {
924 {
927 }
928 else
929 {
930 /* Assume overlap. */
932 }
933 }
934 else
935 {
936 /* Assume overlap. */
938 }
939 }
940 }
942 /* Remove, truncate, and/or split any bindings within this map that
943 overlap DROP_KEY.
945 For example, if we have:
947 +------------------------------------+
948 | old binding |
949 +------------------------------------+
951 which is to be overwritten with:
953 .......+----------------------+.......
954 .......| new binding |.......
955 .......+----------------------+.......
957 this function "cuts a hole" out of the old binding:
959 +------+......................+------+
960 |prefix| hole for new binding |suffix|
961 +------+......................+------+
963 into which the new binding can be added without
964 overlapping the prefix or suffix.
966 The prefix and suffix (if added) will be bound to the pertinent
967 parts of the value of the old binding.
969 For example, given:
970 struct s5
971 {
972 char arr[8];
973 };
974 void test_5 (struct s5 *p)
975 {
976 struct s5 f = *p;
977 f.arr[3] = 42;
978 }
979 then after the "f = *p;" we have:
980 cluster for: f: INIT_VAL((*INIT_VAL(p_33(D))))
981 and at the "f.arr[3] = 42;" we remove the bindings overlapping
982 "f.arr[3]", replacing it with a prefix (bytes 0-2) and suffix (bytes 4-7)
983 giving:
984 cluster for: f
985 key: {bytes 0-2}
986 value: {BITS_WITHIN(bytes 0-2, inner_val: INIT_VAL((*INIT_VAL(p_33(D))).arr))}
987 key: {bytes 4-7}
988 value: {BITS_WITHIN(bytes 4-7, inner_val: INIT_VAL((*INIT_VAL(p_33(D))).arr))}
989 punching a hole into which the new value can be written at byte 3:
990 cluster for: f
991 key: {bytes 0-2}
992 value: {BITS_WITHIN(bytes 0-2, inner_val: INIT_VAL((*INIT_VAL(p_33(D))).arr))}
993 key: {byte 3}
994 value: 'char' {(char)42}
995 key: {bytes 4-7}
996 value: {BITS_WITHIN(bytes 4-7, inner_val: INIT_VAL((*INIT_VAL(p_33(D))).arr))}
998 If UNCERTAINTY is non-NULL, use it to record any svalues that
999 were removed, as being maybe-bound.
1001 If ALWAYS_OVERLAP, then assume that DROP_KEY can overlap anything
1002 in the map, due to one or both of the underlying clusters being
1003 symbolic (but not the same symbolic region). Hence even if DROP_KEY is a
1004 concrete binding it could actually be referring to the same memory as
1005 distinct concrete bindings in the map. Remove all bindings, but
1006 register any svalues with *UNCERTAINTY. */
1008 void
1013 {
1014 /* Get the bindings of interest within this map. */
1019 else
1020 /* Just add overlapping bindings. */
1026 {
1027 /* Record any svalues that were removed to *UNCERTAINTY as being
1028 maybe-bound, provided at least some part of the binding is symbolic.
1030 Specifically, if at least one of the bindings is symbolic, or we
1031 have ALWAYS_OVERLAP for the case where we have possibly aliasing
1032 regions, then we don't know that the svalue has been overwritten,
1033 and should record that to *UNCERTAINTY.
1035 However, if we have concrete keys accessing within the same symbolic
1036 region, then we *know* that the symbolic region has been overwritten,
1037 so we don't record it to *UNCERTAINTY, as this could be a genuine
1038 leak. */
1046 /* Begin by removing the old binding. */
1049 /* Don't attempt to handle prefixes/suffixes for the
1050 "always_overlap" case; everything's being removed. */
1054 /* Now potentially add the prefix and suffix. */
1059 {
1067 {
1068 /* We have a truncated prefix. */
1077 rel_prefix,
1080 }
1084 {
1085 /* We have a truncated suffix. */
1096 rel_suffix,
1099 }
1100 }
1101 }
1102 }
1104 /* class binding_cluster. */
1106 /* binding_cluster's copy ctor. */
1111 {
1112 }
1114 /* binding_cluster's assignment operator. */
1116 binding_cluster&
1118 {
1124 }
1126 /* binding_cluster's equality operator. */
1128 bool
1130 {
1146 }
1148 /* Generate a hash value for this binding_cluster. */
1150 hashval_t
1152 {
1154 }
1156 /* Return true if this binding_cluster is symbolic
1157 i.e. its base region is symbolic. */
1159 bool
1161 {
1163 }
1165 /* Dump a representation of this binding_cluster to PP.
1166 SIMPLE controls how values and regions are to be printed.
1167 If MULTILINE, then split the dump over multiple lines and
1168 use whitespace for readability, otherwise put all on one line. */
1170 void
1173 {
1175 {
1177 {
1180 }
1181 else
1183 }
1185 {
1187 {
1190 }
1191 else
1193 }
1196 }
1198 /* Dump a multiline representation of this binding_cluster to stderr. */
1200 DEBUG_FUNCTION void
1202 {
1203 pretty_printer pp;
1214 }
1216 /* Assert that this object is valid. */
1218 void
1220 {
1224 {
1226 num_symbolic++;
1227 else
1228 num_concrete++;
1229 }
1230 /* We shouldn't have more than one symbolic key per cluster
1231 (or one would have clobbered the other). */
1233 /* We can't have both concrete and symbolic keys. */
1235 }
1237 /* Return a new json::object of the form
1238 {"escaped": true/false,
1239 "touched": true/false,
1240 "map" : object for the binding_map. */
1244 {
1252 }
1254 /* Add a binding of SVAL of kind KIND to REG, unpacking SVAL if it is a
1255 compound_sval. */
1257 void
1260 {
1263 {
1266 }
1270 }
1272 /* Bind SVAL to KEY.
1273 Unpacking of compound_svalues should already have been done by the
1274 time this is called. */
1276 void
1278 {
1284 }
1286 /* Subroutine of binding_cluster::bind.
1287 Unpack compound_svals when binding them, so that we bind them
1288 element-wise. */
1290 void
1294 {
1297 {
1301 }
1305 {
1311 {
1312 bit_offset_t effective_start
1319 }
1320 else
1322 }
1323 }
1325 /* Remove all bindings overlapping REG within this cluster. */
1327 void
1329 {
1331 }
1333 /* Remove any bindings for REG within this cluster. */
1335 void
1337 {
1342 }
1344 /* Clobber REG and fill it with repeated copies of SVAL. */
1346 void
1350 {
1359 }
1361 /* Clobber REG within this cluster and fill it with zeroes. */
1363 void
1365 {
1369 }
1371 /* Mark REG_TO_BIND within this cluster as being unknown.
1373 Remove any bindings overlapping REG_FOR_OVERLAP.
1374 If UNCERTAINTY is non-NULL, use it to record any svalues that
1375 had bindings to them removed, as being maybe-bound.
1377 REG_TO_BIND and REG_FOR_OVERLAP are the same for
1378 store::mark_region_as_unknown, but are different in
1379 store::set_value's alias handling, for handling the case where
1380 we have a write to a symbolic REG_FOR_OVERLAP. */
1382 void
1387 {
1390 /* Add a default binding to "unknown". */
1395 }
1397 /* Purge state involving SVAL. */
1399 void
1402 {
1406 {
1410 {
1414 }
1419 }
1421 {
1424 }
1426 {
1430 }
1431 }
1433 /* Get any SVAL bound to REG within this cluster via kind KIND,
1434 without checking parent regions of REG. */
1439 {
1443 {
1444 /* If we have a struct with a single field, then the binding of
1445 the field will equal that of the struct, and looking up e.g.
1446 PARENT_REG.field within:
1447 cluster for PARENT_REG: INIT_VAL(OTHER_REG)
1448 will erroneously return INIT_VAL(OTHER_REG), rather than
1449 SUB_VALUE(INIT_VAL(OTHER_REG), FIELD) == INIT_VAL(OTHER_REG.FIELD).
1450 Fix this issue by iterating upwards whilst the bindings are equal,
1451 expressing the lookups as subvalues.
1452 We have to gather a list of subregion accesses, then walk it
1453 in reverse to get the subvalues. */
1456 {
1463 {
1466 }
1467 else
1469 }
1473 {
1477 {
1481 }
1482 }
1483 }
1485 }
1487 /* Get any SVAL bound to REG within this cluster,
1488 either directly for REG, or recursively checking for bindings within
1489 parent regions and extracting subvalues if need be. */
1494 {
1501 {
1502 /* Extract child svalue from parent svalue. */
1506 }
1508 }
1510 /* Get any value bound for REG within this cluster. */
1515 {
1516 /* Look for a direct binding. */
1521 /* If we had a write to a cluster of unknown size, we might
1522 have a self-binding of the whole base region with an svalue,
1523 where the base region is symbolic.
1524 Handle such cases by returning sub_svalue instances. */
1526 {
1527 /* Extract child svalue from parent svalue. */
1531 }
1533 /* If this cluster has been touched by a symbolic write, then the content
1534 of any subregion not currently specifically bound is "UNKNOWN". */
1536 {
1539 }
1541 /* Alternatively, if this is a symbolic read and the cluster has any bindings,
1542 then we don't know if we're reading those values or not, so the result
1543 is also "UNKNOWN". */
1546 {
1549 }
1554 /* Otherwise, the initial value, or uninitialized. */
1556 }
1558 /* Attempt to get a compound_svalue for the bindings within the cluster
1559 affecting REG (which could be the base region itself).
1561 Create a compound_svalue with the subset of bindings the affect REG,
1562 offsetting them so that the offsets are relative to the start of REG
1563 within the cluster.
1565 For example, REG could be one element within an array of structs.
1567 Return the resulting compound_svalue, or NULL if there's a problem. */
1572 {
1582 /* We will a build the result map in two parts:
1583 (a) result_map, holding the concrete keys from this cluster,
1585 (b) default_map, holding the initial values for the region
1586 (e.g. uninitialized, initializer values, or zero), unless this
1587 cluster has been touched.
1589 We will populate (a), and as we do, clobber (b), trimming and
1590 splitting its bindings as necessary.
1591 Finally, we will merge (b) into (a), giving a concrete map
1592 that merges both the initial values and the bound values from
1593 the binding_cluster.
1594 Doing it this way reduces N for the O(N^2) intersection-finding,
1595 perhaps we should have a spatial-organized data structure for
1596 concrete keys, though. */
1598 binding_map result_map;
1599 binding_map default_map;
1601 /* Set up default values in default_map. */
1605 else
1611 {
1617 {
1620 bit_size_t reg_bit_size;
1625 reg_bit_size);
1627 /* Skip bindings that are outside the bit range of REG. */
1631 /* We shouldn't have an exact match; that should have been
1632 handled already. */
1637 {
1638 /* We have a bound range fully within REG.
1639 Add it to map, offsetting accordingly. */
1641 /* Get offset of KEY relative to REG, rather than to
1642 the cluster. */
1647 /* Clobber default_map, removing/trimming/spliting where
1648 it overlaps with offset_concrete_key. */
1650 offset_concrete_key,
1652 }
1654 {
1655 /* REG is fully within the bound range, but
1656 is not equal to it; we're extracting a subvalue. */
1658 subrange,
1660 }
1661 else
1662 {
1663 /* REG and the bound range partially overlap. */
1669 /* Get the bits from the bound value for the bits at the
1670 intersection (relative to the bound value). */
1673 bound_subrange,
1676 /* Get key for overlap, relative to the REG. */
1681 /* Clobber default_map, removing/trimming/spliting where
1682 it overlaps with overlap_concrete_key. */
1684 overlap_concrete_key,
1686 }
1687 }
1688 else
1689 /* Can't handle symbolic bindings. */
1691 }
1696 /* Merge any bindings from default_map into result_map. */
1698 {
1702 }
1705 }
1707 /* Remove, truncate, and/or split any bindings within this map that
1708 could overlap REG.
1710 If REG's base region or this cluster is symbolic and they're different
1711 base regions, then remove everything in this cluster's map, on the
1712 grounds that REG could be referring to the same memory as anything
1713 in the map.
1715 If UNCERTAINTY is non-NULL, use it to record any svalues that
1716 were removed, as being maybe-bound. */
1718 void
1722 {
1727 /* If at least one of the base regions involved is symbolic, and they're
1728 not the same base region, then consider everything in the map as
1729 potentially overlapping with reg_binding (even if it's a concrete
1730 binding and things in the map are concrete - they could be referring
1731 to the same memory when the symbolic base regions are taken into
1732 account). */
1737 always_overlap);
1738 }
1740 /* Attempt to merge CLUSTER_A and CLUSTER_B into OUT_CLUSTER, using
1741 MGR and MERGER.
1742 Return true if they can be merged, false otherwise. */
1744 bool
1751 {
1754 /* Merge flags ("ESCAPED" and "TOUCHED") by setting the merged flag to
1755 true if either of the inputs is true. */
1763 /* At least one of CLUSTER_A and CLUSTER_B are non-NULL, but either
1764 could be NULL. Handle these cases. */
1766 {
1771 }
1773 {
1778 }
1780 /* The "both inputs are non-NULL" case. */
1788 {
1791 }
1794 {
1797 }
1802 {
1809 num_symbolic_keys++;
1810 else
1811 num_concrete_keys++;
1814 {
1818 }
1820 {
1823 {
1826 }
1827 /* Merger of the svalues failed. Reject merger of the cluster. */
1829 }
1831 /* If we get here, then one cluster binds this key and the other
1832 doesn't; merge them as "UNKNOWN". */
1840 /* ...but reject the merger if this sval shouldn't be mergeable
1841 (e.g. reject merging svalues that have non-purgable sm-state,
1842 to avoid falsely reporting memory leaks by merging them
1843 with something else). */
1848 }
1850 /* We can only have at most one symbolic key per cluster,
1851 and if we do, we can't have any concrete keys.
1852 If this happens, mark the cluster as touched, with no keys. */
1855 {
1858 }
1860 /* We don't handle other kinds of overlaps yet. */
1863 }
1865 /* Update this cluster to reflect an attempt to merge OTHER where there
1866 is no other cluster to merge with, and so we're notionally merging the
1867 bound values in OTHER with the initial value of the relevant regions.
1869 Any bound keys in OTHER should be bound to unknown in this. */
1871 void
1875 {
1878 {
1886 /* For any pointers in OTHER, the merger means that the
1887 concrete pointer becomes an unknown value, which could
1888 show up as a false report of a leak when considering what
1889 pointers are live before vs after.
1890 Avoid this by marking the base regions they point to as having
1891 escaped. */
1894 {
1899 {
1902 }
1903 }
1904 }
1905 }
1907 /* Mark this cluster as having escaped. */
1909 void
1911 {
1913 }
1915 /* If this cluster has escaped (by this call, or by an earlier one, or
1916 by being an external param), then unbind all values and mark it
1917 as "touched", so that it has a conjured value, rather than an
1918 initial_svalue.
1919 Use P to purge state involving conjured_svalues. */
1921 void
1925 {
1927 {
1930 /* Bind it to a new "conjured" value using CALL. */
1937 }
1938 }
1940 /* Mark this cluster as having been clobbered by STMT.
1941 Use P to purge state involving conjured_svalues. */
1943 void
1947 {
1950 /* Bind it to a new "conjured" value using CALL. */
1957 }
1959 /* Return true if this binding_cluster has no information
1960 i.e. if there are no bindings, and it hasn't been marked as having
1961 escaped, or touched symbolically. */
1963 bool
1965 {
1967 && !m_escaped
1969 }
1971 /* Add PV to OUT_PVS, casting it to TYPE if it is not already of that type. */
1973 static void
1975 tree type,
1977 {
1984 }
1986 /* Find representative path_vars for SVAL within this binding of BASE_REG,
1987 appending the results to OUT_PVS. */
1989 void
1995 const
1996 {
2000 {
2004 {
2007 {
2009 base_reg->get_subregions_for_binding
2018 {
2021 visited))
2023 }
2024 }
2025 else
2026 {
2030 visited))
2032 }
2033 }
2034 }
2035 }
2037 /* Get any svalue bound to KEY, or NULL. */
2041 {
2043 }
2045 /* If this cluster has a single direct binding for the whole of the region,
2046 return it.
2047 For use in simplifying dumps. */
2051 {
2052 /* Fail gracefully if MGR is NULL to make it easier to dump store
2053 instances in the debugger. */
2062 }
2064 /* class store_manager. */
2066 logger *
2068 {
2070 }
2072 /* binding consolidation. */
2076 bit_offset_t size_in_bits)
2077 {
2085 }
2089 {
2097 }
2099 /* class store. */
2101 /* store's default ctor. */
2105 {
2106 }
2108 /* store's copy ctor. */
2113 {
2117 {
2123 }
2124 }
2126 /* store's dtor. */
2129 {
2134 }
2136 /* store's assignment operator. */
2138 store &
2140 {
2141 /* Delete existing cluster map. */
2153 {
2159 }
2161 }
2163 /* store's equality operator. */
2165 bool
2167 {
2177 {
2180 binding_cluster **other_slot
2186 }
2191 }
2193 /* Get a hash value for this store. */
2195 hashval_t
2197 {
2204 }
2206 /* Populate OUT with a sorted list of parent regions for the regions in IN,
2207 removing duplicate parents. */
2209 static void
2212 {
2213 /* Get the set of parent regions. */
2218 {
2222 }
2224 /* Write to OUT. */
2229 /* Sort OUT. */
2231 }
2233 /* Dump a representation of this store to PP, using SIMPLE to control how
2234 svalues and regions are printed.
2235 MGR is used for simplifying dumps if non-NULL, but can also be NULL
2236 (to make it easier to use from the debugger). */
2238 void
2241 {
2242 /* Sort into some deterministic order. */
2246 {
2249 }
2252 /* Gather clusters, organize by parent region, so that we can group
2253 together locals, globals, etc. */
2260 {
2266 else
2272 {
2273 /* This is O(N * M), but N ought to be small. */
2276 binding_cluster *cluster
2279 {
2282 }
2284 {
2285 /* Special-case to simplify dumps for the common case where
2286 we just have one value directly bound to the whole of a
2287 region. */
2289 {
2299 }
2300 else
2301 {
2311 }
2312 }
2314 {
2319 }
2320 else
2321 {
2327 }
2328 }
2331 }
2336 }
2338 /* Dump a multiline representation of this store to stderr. */
2340 DEBUG_FUNCTION void
2342 {
2343 pretty_printer pp;
2350 }
2352 /* Assert that this object is valid. */
2354 void
2356 {
2359 }
2361 /* Return a new json::object of the form
2362 {PARENT_REGION_DESC: {BASE_REGION_DESC: object for binding_map,
2363 ... for each cluster within parent region},
2364 ...for each parent region,
2365 "called_unknown_fn": true/false}. */
2369 {
2372 /* Sort into some deterministic order. */
2376 {
2379 }
2382 /* Gather clusters, organize by parent region, so that we can group
2383 together locals, globals, etc. */
2390 {
2398 {
2399 /* This is O(N * M), but N ought to be small. */
2402 binding_cluster *cluster
2407 }
2410 }
2415 }
2417 /* Get any svalue bound to REG, or NULL. */
2421 {
2423 binding_cluster **cluster_slot
2428 }
2430 /* Set the value of LHS_REG to RHS_SVAL. */
2432 void
2436 {
2447 {
2448 /* Reject attempting to bind values into a symbolic region
2449 for an unknown ptr; merely invalidate values below. */
2452 /* The LHS of the write is *UNKNOWN. If the RHS is a pointer,
2453 then treat the region being pointed to as having escaped. */
2455 {
2459 }
2460 }
2462 {
2465 }
2466 else
2467 {
2468 /* Reject attempting to bind values into an untracked region;
2469 merely invalidate values below. */
2471 }
2473 /* Bindings to a cluster can affect other clusters if a symbolic
2474 base region is involved.
2475 Writes to concrete clusters can't affect other concrete clusters,
2476 but can affect symbolic clusters.
2477 Writes to symbolic clusters can affect both concrete and symbolic
2478 clusters.
2479 Invalidate our knowledge of other clusters that might have been
2480 affected by the write. */
2483 {
2490 {
2493 {
2499 {
2509 }
2510 /* Mark all of iter_cluster's iter_base_reg as unknown,
2511 using LHS_REG when considering overlaps, to handle
2512 symbolic vs concrete issues. */
2513 iter_cluster->mark_region_as_unknown
2517 uncertainty);
2525 /* If they can't be aliases, then don't invalidate this
2526 cluster. */
2528 }
2529 }
2530 }
2531 }
2533 /* Determine if BASE_REG_A could be an alias of BASE_REG_B. */
2535 tristate
2538 {
2539 /* SSA names can't alias. */
2547 /* Try both ways, for symmetry. */
2555 }
2557 /* Half of store::eval_alias; called twice for symmetry. */
2559 tristate
2562 {
2565 {
2568 {
2573 {
2574 /* The initial value of a pointer can't point to a local. */
2576 }
2577 }
2580 {
2581 /* The initial value of a pointer can't point to a
2582 region that was allocated on the heap after the beginning of the
2583 path. */
2585 }
2588 {
2592 {
2594 /* If we have sval_a is WIDENING(®ION, OP), and
2595 B can't alias REGION, then B can't alias A either.
2596 For example, A might arise from
2597 for (ptr = ®ION; ...; ptr++)
2598 where sval_a is ptr in the 2nd iteration of the loop.
2599 We want to ensure that "*ptr" can only clobber things
2600 within REGION's base region. */
2602 base_reg_b);
2605 }
2606 }
2607 }
2609 }
2611 /* Remove all bindings overlapping REG within this store. */
2613 void
2615 {
2623 {
2626 }
2627 }
2629 /* Remove any bindings for REG within this store. */
2631 void
2633 {
2641 {
2644 }
2645 }
2647 /* Fill REG with SVAL. */
2649 void
2651 {
2658 }
2660 /* Zero-fill REG. */
2662 void
2664 {
2668 }
2670 /* Mark REG as having unknown content. */
2672 void
2675 {
2682 }
2684 /* Purge state involving SVAL. */
2686 void
2689 {
2692 {
2696 else
2697 {
2700 }
2701 }
2705 }
2707 /* Get the cluster for BASE_REG, or NULL (const version). */
2711 {
2717 else
2719 }
2721 /* Get the cluster for BASE_REG, or NULL (non-const version). */
2723 binding_cluster *
2725 {
2730 else
2732 }
2734 /* Get the cluster for BASE_REG, creating it if doesn't already exist. */
2736 binding_cluster *
2738 {
2742 /* We shouldn't create clusters for dereferencing an UNKNOWN ptr. */
2745 /* We shouldn't create clusters for base regions that aren't trackable. */
2755 }
2757 /* Remove any cluster for BASE_REG, for use by
2758 region_model::unbind_region_and_descendents
2759 when popping stack frames and handling deleted heap regions. */
2761 void
2763 {
2771 }
2773 /* Attempt to merge STORE_A and STORE_B into OUT_STORE.
2774 Return true if successful, or false if the stores can't be merged. */
2776 bool
2780 {
2784 /* Get the union of all base regions for STORE_A and STORE_B. */
2788 {
2791 }
2794 {
2797 }
2799 /* Sort the base regions before considering them. This ought not to
2800 affect the results, but can affect which types UNKNOWN_REGIONs are
2801 created for in a run; sorting them thus avoids minor differences
2802 in logfiles. */
2811 {
2814 /* At least one of cluster_a and cluster_b must be non-NULL. */
2815 binding_cluster *out_cluster
2820 }
2822 }
2824 /* Mark the cluster for BASE_REG as having escaped.
2825 For use when handling an unrecognized function call, and
2826 for params to "top-level" calls.
2827 Further unknown function calls could touch it, even if the cluster
2828 isn't reachable from args of those calls. */
2830 void
2832 {
2842 }
2844 /* Handle an unknown fncall by updating any clusters that have escaped
2845 (either in this fncall, or in a prior one). */
2847 void
2850 {
2856 }
2858 /* Return true if a non-const pointer to BASE_REG (or something within it)
2859 has escaped to code outside of the TU being analyzed. */
2861 bool
2863 {
2871 }
2873 /* Populate OUT_PVS with a list of path_vars for describing SVAL based on
2874 this store, using VISITED to ensure the traversal terminates. */
2876 void
2881 {
2884 /* Find all bindings that reference SVAL. */
2887 {
2891 out_pvs);
2892 }
2895 {
2898 visited))
2900 }
2901 }
2903 /* Remove all bindings overlapping REG within this store, removing
2904 any clusters that become redundant.
2906 If UNCERTAINTY is non-NULL, use it to record any svalues that
2907 were removed, as being maybe-bound. */
2909 void
2912 {
2915 {
2918 {
2919 /* Remove whole cluster. */
2923 }
2925 }
2926 }
2928 /* Subclass of visitor that accumulates a hash_set of the regions that
2929 were visited. */
2932 {
2934 {
2936 }
2939 };
2941 /* Canonicalize this store, to maximize the chance of equality between
2942 instances. */
2944 void
2946 {
2947 /* If we have e.g.:
2948 cluster for: HEAP_ALLOCATED_REGION(543)
2949 ESCAPED
2950 TOUCHED
2951 where the heap region is empty and unreferenced, then purge that
2952 cluster, to avoid unbounded state chains involving these. */
2954 /* Find regions that are referenced by bound values in the store. */
2955 region_finder s;
2958 {
2963 }
2965 /* Locate heap-allocated regions that have empty bindings that weren't
2966 found above. */
2970 {
2974 {
2979 /* Also cover the UNKNOWN case. */
2984 }
2985 }
2987 /* Purge them. */
2990 {
2993 }
2994 }
2996 /* Subroutine for use by exploded_path::feasible_p.
2998 We need to deal with state differences between:
2999 (a) when the exploded_graph is being initially constructed and
3000 (b) when replaying the state changes along a specific path in
3001 in exploded_path::feasible_p.
3003 In (a), state merging happens, so when exploring a loop
3004 for (i = 0; i < 1024; i++)
3005 on successive iterations we have i == 0, then i == WIDENING.
3007 In (b), no state merging happens, so naively replaying the path
3008 that goes twice through the loop then exits it
3009 would lead to i == 0, then i == 1, and then a (i >= 1024) eedge
3010 that exits the loop, which would be found to be infeasible as i == 1,
3011 and the path would be rejected.
3013 We need to fix up state during replay. This subroutine is
3014 called whenever we enter a supernode that we've already
3015 visited along this exploded_path, passing in OTHER_STORE
3016 from the destination enode's state.
3018 Find bindings to widening values in OTHER_STORE.
3019 For all that are found, update the binding in this store to UNKNOWN. */
3021 void
3024 {
3028 {
3033 {
3037 {
3038 binding_cluster *this_cluster
3043 }
3044 }
3045 }
3046 }
3048 #if CHECKING_P
3052 /* Verify that bit_range::intersects_p works as expected. */
3054 static void
3056 {
3070 /* self-intersection is true. */
3112 }
3114 /* Implementation detail of ASSERT_BIT_RANGE_FROM_MASK_EQ. */
3116 static void
3120 {
3125 }
3127 /* Assert that bit_range::from_mask (MASK) returns true, and writes
3128 out EXPECTED_BIT_RANGE. */
3130 #define ASSERT_BIT_RANGE_FROM_MASK_EQ(MASK, EXPECTED_BIT_RANGE) \
3131 SELFTEST_BEGIN_STMT \
3132 assert_bit_range_from_mask_eq (SELFTEST_LOCATION, MASK, \
3133 EXPECTED_BIT_RANGE); \
3134 SELFTEST_END_STMT
3136 /* Implementation detail of ASSERT_NO_BIT_RANGE_FROM_MASK. */
3138 static void
3141 {
3145 }
3147 /* Assert that bit_range::from_mask (MASK) returns false. */
3149 #define ASSERT_NO_BIT_RANGE_FROM_MASK(MASK) \
3150 SELFTEST_BEGIN_STMT \
3151 assert_no_bit_range_from_mask_eq (SELFTEST_LOCATION, MASK); \
3152 SELFTEST_END_STMT
3154 /* Verify that bit_range::from_mask works as expected. */
3156 static void
3158 {
3159 /* Should fail on zero. */
3162 /* Verify 1-bit masks. */
3172 /* Verify N-bit masks starting at bit 0. */
3182 /* Various other tests. */
3187 /* Multiple ranges of set bits should fail. */
3190 }
3192 /* Implementation detail of ASSERT_OVERLAP. */
3194 static void
3198 {
3201 }
3203 /* Implementation detail of ASSERT_DISJOINT. */
3205 static void
3209 {
3212 }
3214 /* Assert that B1 and B2 overlap, checking both ways. */
3216 #define ASSERT_OVERLAP(B1, B2) \
3217 SELFTEST_BEGIN_STMT \
3218 assert_overlap (SELFTEST_LOCATION, B1, B2); \
3219 SELFTEST_END_STMT
3221 /* Assert that B1 and B2 do not overlap, checking both ways. */
3223 #define ASSERT_DISJOINT(B1, B2) \
3224 SELFTEST_BEGIN_STMT \
3225 assert_disjoint (SELFTEST_LOCATION, B1, B2); \
3226 SELFTEST_END_STMT
3228 /* Verify that concrete_binding::overlaps_p works as expected. */
3230 static void
3232 {
3235 /* Various 8-bit bindings. */
3241 /* 16-bit bindings. */
3246 /* 32-bit binding. */
3249 /* Everything should self-overlap. */
3259 /* Verify the 8-bit bindings that don't overlap each other. */
3263 /* Check for overlap of differently-sized bindings. */
3265 /* ...and with differing start points. */
3275 }
3277 /* Run all of the selftests within this file. */
3279 void
3281 {
3285 }