| blob | e85a19647f7eaf7375dfd861b87639a45bf8cffd |
1 /* Classes for modeling the state of memory.
2 Copyright (C) 2020-2024 Free Software Foundation, Inc.
3 Contributed by David Malcolm <dmalcolm@redhat.com>.
5 This file is part of GCC.
7 GCC is free software; you can redistribute it and/or modify it
8 under the terms of the GNU General Public License as published by
9 the Free Software Foundation; either version 3, or (at your option)
10 any later version.
12 GCC is distributed in the hope that it will be useful, but
13 WITHOUT ANY WARRANTY; without even the implied warranty of
14 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
15 General Public License for more details.
17 You should have received a copy of the GNU General Public License
18 along with GCC; see the file COPYING3. If not see
19 <http://www.gnu.org/licenses/>. */
22 #define INCLUDE_MEMORY
58 #if ENABLE_ANALYZER
62 /* Dump SVALS to PP, sorting them to ensure determinism. */
64 static void
67 {
71 {
73 }
80 {
84 }
86 }
88 /* class uncertainty_t. */
90 /* Dump this object to PP. */
92 void
94 {
101 }
103 /* Dump this object to stderr. */
105 DEBUG_FUNCTION void
107 {
108 pretty_printer pp;
115 }
117 /* class binding_key. */
121 {
125 else
126 {
127 bit_size_t bit_size;
129 {
130 /* Must be non-empty. */
133 bit_size);
134 }
135 else
137 }
138 }
140 /* Dump this binding_key to stderr. */
142 DEBUG_FUNCTION void
144 {
145 pretty_printer pp;
152 }
154 /* Get a description of this binding_key. */
156 label_text
158 {
159 pretty_printer pp;
163 }
165 /* qsort callback. */
167 int
169 {
173 }
175 /* Comparator for binding_keys. */
177 int
179 {
185 {
190 SIGNED))
193 SIGNED);
194 }
195 else
196 {
204 }
205 }
207 /* struct bit_range. */
209 void
211 {
215 else
216 {
223 }
224 }
226 /* Dump this object to stderr. */
228 DEBUG_FUNCTION void
230 {
231 pretty_printer pp;
236 }
238 /* Generate a JSON value for this bit_range.
239 This is intended for debugging the analyzer rather
240 than serialization. */
244 {
251 }
253 /* If OTHER is a subset of this, return true and, if OUT is
254 non-null, write to *OUT the relative range of OTHER within this.
255 Otherwise return false. */
257 bool
259 {
262 {
264 {
267 }
269 }
270 else
272 }
274 /* If OTHER intersects this, return true and write
275 the relative range of OTHER within THIS to *OUT_THIS,
276 and the relative range of THIS within OTHER to *OUT_OTHER.
277 Otherwise return false. */
279 bool
283 {
286 {
287 bit_offset_t overlap_start
290 bit_offset_t overlap_next
298 }
299 else
301 }
303 /* Return true if THIS and OTHER intersect and write the number
304 of bits both buffers overlap to *OUT_NUM_OVERLAP_BITS.
306 Otherwise return false. */
308 bool
311 {
314 {
322 }
323 else
325 }
327 /* Return true if THIS exceeds OTHER and write the overhanging
328 bit range to OUT_OVERHANGING_BIT_RANGE. */
330 bool
333 {
337 {
338 /* THIS definitely exceeds OTHER. */
346 }
347 else
349 }
351 /* Return true if THIS falls short of OFFSET and write the
352 bit range fallen short to OUT_FALL_SHORT_BITS. */
354 bool
357 {
361 {
362 /* THIS falls short of OFFSET. */
369 }
370 else
372 }
374 int
376 {
382 }
384 /* Offset this range by OFFSET. */
386 bit_range
388 {
390 }
392 /* If MASK is a contiguous range of set bits, write them
393 to *OUT and return true.
394 Otherwise return false. */
396 bool
398 {
402 /* Find the first contiguous run of set bits in MASK. */
404 /* Find first set bit in MASK. */
406 {
409 iter_bit_idx++;
411 }
413 /* MASK is zero. */
418 iter_bit_idx++;
421 /* Find next unset bit in MASK. */
423 {
426 num_set_bits++;
427 iter_bit_idx++;
429 }
431 {
434 }
436 /* We now have the first contiguous run of set bits in MASK.
437 Fail if any other bits are set. */
439 {
442 iter_bit_idx++;
444 }
448 }
450 /* Attempt to convert this bit_range to a byte_range.
451 Return true if it is possible, writing the result to *OUT.
452 Otherwise return false. */
454 bool
456 {
459 {
463 }
465 }
467 /* Dump this object to PP. */
469 void
471 {
473 {
475 }
477 {
480 }
481 else
482 {
487 }
488 }
490 /* Dump this object to stderr. */
492 DEBUG_FUNCTION void
494 {
495 pretty_printer pp;
500 }
502 /* Generate a JSON value for this byte_range.
503 This is intended for debugging the analyzer rather
504 than serialization. */
508 {
515 }
517 /* If OTHER is a subset of this, return true and write
518 to *OUT the relative range of OTHER within this.
519 Otherwise return false. */
521 bool
523 {
526 {
530 }
531 else
533 }
535 /* qsort comparator for byte ranges. */
537 int
539 {
540 /* Order first by offset. */
545 /* ...then by size. */
547 }
549 /* class concrete_binding : public binding_key. */
551 /* Implementation of binding_key::dump_to_pp vfunc for concrete_binding. */
553 void
555 {
557 }
559 /* Return true if this binding overlaps with OTHER. */
561 bool
563 {
568 }
570 /* If this is expressible as a concrete byte range, return true
571 and write it to *OUT. Otherwise return false. */
573 bool
575 {
577 }
579 /* Comparator for use by vec<const concrete_binding *>::qsort. */
581 int
583 {
588 }
590 /* class symbolic_binding : public binding_key. */
592 void
594 {
595 //binding_key::dump_to_pp (pp, simple);
598 }
600 /* Comparator for use by vec<const symbolic_binding *>::qsort. */
602 int
604 {
609 }
611 /* The store is oblivious to the types of the svalues bound within
612 it: any type can get bound at any location.
613 Simplify any casts before binding.
615 For example, if we have:
616 struct big { int ia[1024]; };
617 struct big src, dst;
618 memcpy (&dst, &src, sizeof (struct big));
619 this reaches us in gimple form as:
620 MEM <unsigned char[4096]> [(char * {ref-all})&dst]
621 = MEM <unsigned char[4096]> [(char * {ref-all})&src];
622 Using cast_region when handling the MEM_REF would give us:
623 INIT_VAL(CAST_REG(unsigned char[4096], src))
624 as rhs_sval, but we can fold that into a cast svalue:
625 CAST(unsigned char[4096], INIT_VAL(src))
626 We can discard that cast from the svalue when binding it in
627 the store for "dst", and simply store:
628 cluster for: dst
629 key: {kind: direct, start: 0, size: 32768, next: 32768}
630 value: ‘struct big’ {INIT_VAL(src)}. */
634 {
638 }
640 /* class binding_map. */
642 /* binding_map's copy ctor. */
646 {
647 }
649 /* binding_map's assignment operator. */
651 binding_map&
653 {
654 /* For now, assume we only ever copy to an empty cluster. */
658 {
662 }
664 }
666 /* binding_map's equality operator. */
668 bool
670 {
675 {
684 }
687 }
689 /* Generate a hash value for this binding_map. */
691 hashval_t
693 {
696 {
697 /* Use a new hasher for each key to avoid depending on the ordering
698 of keys when accumulating the result. */
703 }
705 }
707 /* Dump a representation of this binding_map to PP.
708 SIMPLE controls how values and regions are to be printed.
709 If MULTILINE, then split the dump over multiple lines and
710 use whitespace for readability, otherwise put all on one line. */
712 void
715 {
719 {
722 }
728 {
731 {
743 }
744 else
745 {
753 }
754 }
755 }
757 /* Dump a multiline representation of this binding_map to stderr. */
759 DEBUG_FUNCTION void
761 {
762 pretty_printer pp;
769 }
771 /* Return a new json::object of the form
772 {KEY_DESC : SVALUE_DESC,
773 ...for the various key/value pairs in this binding_map}. */
777 {
783 {
786 }
792 {
796 }
799 }
801 /* Comparator for imposing an order on binding_maps. */
803 int
805 {
822 {
830 }
833 }
835 /* Get the child region of PARENT_REG based upon INDEX within a
836 CONSTRUCTOR. */
841 {
843 {
847 {
852 index_sval);
853 }
857 }
858 }
860 /* Get the svalue for VAL, a non-CONSTRUCTOR value within a CONSTRUCTOR. */
864 {
865 /* Reuse the get_rvalue logic from region_model. */
868 }
870 /* Bind values from CONSTRUCTOR to this map, relative to
871 PARENT_REG's relationship to its base region.
872 Return true if successful, false if there was a problem (e.g. due
873 to hitting a complexity limit). */
875 bool
878 {
883 tree index;
884 tree val;
886 tree field;
889 else
892 {
894 {
895 /* If index is NULL, then iterate through the fields for
896 a RECORD_TYPE, or use an INTEGER_CST otherwise.
897 Compare with similar logic in output_constructor. */
899 {
902 }
903 else
905 }
907 {
911 {
915 }
916 else
917 {
921 }
923 }
926 }
928 }
930 /* Bind the value VAL into the range of elements within PARENT_REF
931 from MIN_INDEX to MAX_INDEX (including endpoints).
932 For use in handling RANGE_EXPR within a CONSTRUCTOR.
933 Return true if successful, false if there was a problem (e.g. due
934 to hitting a complexity limit). */
936 bool
940 tree val)
941 {
945 /* Generate a binding key for the range. */
962 bit_size_t range_size_in_bits
969 /* Get the value. */
974 /* Bind the value to the range. */
977 }
979 /* Bind the value VAL into INDEX within PARENT_REF.
980 For use in handling a pair of entries within a CONSTRUCTOR.
981 Return true if successful, false if there was a problem (e.g. due
982 to hitting a complexity limit). */
984 bool
988 {
993 else
994 {
1000 /* Handle the case where we have an unknown size for child_reg
1001 (e.g. due to it being a trailing field with incomplete array
1002 type. */
1004 {
1005 /* Assume that sval has a well-defined size for this case. */
1011 /* Get offset of child relative to base region. */
1015 /* Convert to an offset relative to the parent region. */
1018 bit_offset_t child_parent_offset
1021 /* Create a concrete key for the child within the parent. */
1024 }
1028 }
1029 }
1031 /* Populate OUT with all bindings within this map that overlap KEY. */
1033 void
1036 {
1038 {
1042 {
1045 {
1048 }
1049 else
1050 {
1051 /* Assume overlap. */
1053 }
1054 }
1055 else
1056 {
1057 /* Assume overlap. */
1059 }
1060 }
1061 }
1063 /* Remove, truncate, and/or split any bindings within this map that
1064 overlap DROP_KEY.
1066 For example, if we have:
1068 +------------------------------------+
1069 | old binding |
1070 +------------------------------------+
1072 which is to be overwritten with:
1074 .......+----------------------+.......
1075 .......| new binding |.......
1076 .......+----------------------+.......
1078 this function "cuts a hole" out of the old binding:
1080 +------+......................+------+
1081 |prefix| hole for new binding |suffix|
1082 +------+......................+------+
1084 into which the new binding can be added without
1085 overlapping the prefix or suffix.
1087 The prefix and suffix (if added) will be bound to the pertinent
1088 parts of the value of the old binding.
1090 For example, given:
1091 struct s5
1092 {
1093 char arr[8];
1094 };
1095 void test_5 (struct s5 *p)
1096 {
1097 struct s5 f = *p;
1098 f.arr[3] = 42;
1099 }
1100 then after the "f = *p;" we have:
1101 cluster for: f: INIT_VAL((*INIT_VAL(p_33(D))))
1102 and at the "f.arr[3] = 42;" we remove the bindings overlapping
1103 "f.arr[3]", replacing it with a prefix (bytes 0-2) and suffix (bytes 4-7)
1104 giving:
1105 cluster for: f
1106 key: {bytes 0-2}
1107 value: {BITS_WITHIN(bytes 0-2, inner_val: INIT_VAL((*INIT_VAL(p_33(D))).arr))}
1108 key: {bytes 4-7}
1109 value: {BITS_WITHIN(bytes 4-7, inner_val: INIT_VAL((*INIT_VAL(p_33(D))).arr))}
1110 punching a hole into which the new value can be written at byte 3:
1111 cluster for: f
1112 key: {bytes 0-2}
1113 value: {BITS_WITHIN(bytes 0-2, inner_val: INIT_VAL((*INIT_VAL(p_33(D))).arr))}
1114 key: {byte 3}
1115 value: 'char' {(char)42}
1116 key: {bytes 4-7}
1117 value: {BITS_WITHIN(bytes 4-7, inner_val: INIT_VAL((*INIT_VAL(p_33(D))).arr))}
1119 If UNCERTAINTY is non-NULL, use it to record any svalues that
1120 were removed, as being maybe-bound.
1122 If MAYBE_LIVE_VALUES is non-NULL, then use it to record any svalues that
1123 were removed as being maybe-live.
1125 If ALWAYS_OVERLAP, then assume that DROP_KEY can overlap anything
1126 in the map, due to one or both of the underlying clusters being
1127 symbolic (but not the same symbolic region). Hence even if DROP_KEY is a
1128 concrete binding it could actually be referring to the same memory as
1129 distinct concrete bindings in the map. Remove all bindings, but
1130 register any svalues with *UNCERTAINTY. */
1132 void
1138 {
1139 /* Get the bindings of interest within this map. */
1144 else
1145 /* Just add overlapping bindings. */
1151 {
1152 /* Record any svalues that were removed to *UNCERTAINTY as being
1153 maybe-bound, provided at least some part of the binding is symbolic.
1155 Specifically, if at least one of the bindings is symbolic, or we
1156 have ALWAYS_OVERLAP for the case where we have possibly aliasing
1157 regions, then we don't know that the svalue has been overwritten,
1158 and should record that to *UNCERTAINTY.
1160 However, if we have concrete keys accessing within the same symbolic
1161 region, then we *know* that the symbolic region has been overwritten,
1162 so we don't record it to *UNCERTAINTY, as this could be a genuine
1163 leak. */
1171 /* Record any svalues that were removed to *MAYBE_LIVE_VALUES as being
1172 maybe-live. */
1176 /* Begin by removing the old binding. */
1179 /* Don't attempt to handle prefixes/suffixes for the
1180 "always_overlap" case; everything's being removed. */
1184 /* Now potentially add the prefix and suffix. */
1189 {
1197 {
1198 /* We have a truncated prefix. */
1207 rel_prefix,
1210 }
1214 {
1215 /* We have a truncated suffix. */
1226 rel_suffix,
1229 }
1230 }
1231 }
1232 }
1234 /* class binding_cluster. */
1239 {
1240 }
1242 /* binding_cluster's copy ctor. */
1247 {
1248 }
1250 /* binding_cluster's assignment operator. */
1252 binding_cluster&
1254 {
1260 }
1262 /* binding_cluster's equality operator. */
1264 bool
1266 {
1282 }
1284 /* Generate a hash value for this binding_cluster. */
1286 hashval_t
1288 {
1290 }
1292 /* Return true if this binding_cluster is symbolic
1293 i.e. its base region is symbolic. */
1295 bool
1297 {
1299 }
1301 /* Dump a representation of this binding_cluster to PP.
1302 SIMPLE controls how values and regions are to be printed.
1303 If MULTILINE, then split the dump over multiple lines and
1304 use whitespace for readability, otherwise put all on one line. */
1306 void
1309 {
1311 {
1313 {
1316 }
1317 else
1319 }
1321 {
1323 {
1326 }
1327 else
1329 }
1332 }
1334 /* Dump a multiline representation of this binding_cluster to stderr. */
1336 DEBUG_FUNCTION void
1338 {
1339 pretty_printer pp;
1350 }
1352 /* Assert that this object is valid. */
1354 void
1356 {
1360 {
1362 num_symbolic++;
1363 else
1364 num_concrete++;
1365 }
1366 /* We shouldn't have more than one symbolic key per cluster
1367 (or one would have clobbered the other). */
1369 /* We can't have both concrete and symbolic keys. */
1371 }
1373 /* Return a new json::object of the form
1374 {"escaped": true/false,
1375 "touched": true/false,
1376 "map" : object for the binding_map. */
1380 {
1388 }
1390 /* Add a binding of SVAL of kind KIND to REG, unpacking SVAL if it is a
1391 compound_sval. */
1393 void
1396 {
1399 {
1402 }
1408 }
1410 /* Bind SVAL to KEY.
1411 Unpacking of compound_svalues should already have been done by the
1412 time this is called. */
1414 void
1416 {
1422 }
1424 /* Subroutine of binding_cluster::bind.
1425 Unpack compound_svals when binding them, so that we bind them
1426 element-wise. */
1428 void
1432 {
1433 region_offset reg_offset
1436 {
1440 }
1444 {
1450 {
1451 bit_offset_t effective_start
1458 }
1459 else
1461 }
1462 }
1464 /* Remove all bindings overlapping REG within this cluster. */
1466 void
1468 {
1470 }
1472 /* Remove any bindings for REG within this cluster. */
1474 void
1476 {
1483 }
1485 /* Clobber REG and fill it with repeated copies of SVAL. */
1487 void
1491 {
1500 }
1502 /* Clobber REG within this cluster and fill it with zeroes. */
1504 void
1506 {
1510 }
1512 /* Mark REG_TO_BIND within this cluster as being unknown.
1514 Remove any bindings overlapping REG_FOR_OVERLAP.
1515 If UNCERTAINTY is non-NULL, use it to record any svalues that
1516 had bindings to them removed, as being maybe-bound.
1517 If MAYBE_LIVE_VALUES is non-NULL, use it to record any svalues that
1518 had bindings to them removed, as being maybe-live.
1520 REG_TO_BIND and REG_FOR_OVERLAP are the same for
1521 store::mark_region_as_unknown, but are different in
1522 store::set_value's alias handling, for handling the case where
1523 we have a write to a symbolic REG_FOR_OVERLAP. */
1525 void
1531 {
1536 maybe_live_values);
1538 /* Add a default binding to "unknown". */
1543 }
1545 /* Purge state involving SVAL. */
1547 void
1550 {
1554 {
1558 {
1562 }
1567 }
1569 {
1572 }
1574 {
1578 }
1579 }
1581 /* Get any SVAL bound to REG within this cluster via kind KIND,
1582 without checking parent regions of REG. */
1587 {
1593 {
1594 /* If we have a struct with a single field, then the binding of
1595 the field will equal that of the struct, and looking up e.g.
1596 PARENT_REG.field within:
1597 cluster for PARENT_REG: INIT_VAL(OTHER_REG)
1598 will erroneously return INIT_VAL(OTHER_REG), rather than
1599 SUB_VALUE(INIT_VAL(OTHER_REG), FIELD) == INIT_VAL(OTHER_REG.FIELD).
1600 Fix this issue by iterating upwards whilst the bindings are equal,
1601 expressing the lookups as subvalues.
1602 We have to gather a list of subregion accesses, then walk it
1603 in reverse to get the subvalues. */
1606 {
1613 {
1616 }
1617 else
1619 }
1623 {
1627 {
1631 }
1632 }
1633 }
1635 }
1637 /* Get any SVAL bound to REG within this cluster,
1638 either directly for REG, or recursively checking for bindings within
1639 parent regions and extracting subvalues if need be. */
1644 {
1651 {
1652 /* Extract child svalue from parent svalue. */
1656 }
1658 }
1660 /* Get any value bound for REG within this cluster. */
1665 {
1666 /* Look for a direct binding. */
1671 /* If we had a write to a cluster of unknown size, we might
1672 have a self-binding of the whole base region with an svalue,
1673 where the base region is symbolic.
1674 Handle such cases by returning sub_svalue instances. */
1676 {
1677 /* Extract child svalue from parent svalue. */
1681 }
1683 /* If this cluster has been touched by a symbolic write, then the content
1684 of any subregion not currently specifically bound is "UNKNOWN". */
1686 {
1689 }
1691 /* Alternatively, if this is a symbolic read and the cluster has any bindings,
1692 then we don't know if we're reading those values or not, so the result
1693 is also "UNKNOWN". */
1696 {
1699 }
1704 /* Otherwise, the initial value, or uninitialized. */
1706 }
1708 /* Attempt to get a compound_svalue for the bindings within the cluster
1709 affecting REG (which could be the base region itself).
1711 Create a compound_svalue with the subset of bindings the affect REG,
1712 offsetting them so that the offsets are relative to the start of REG
1713 within the cluster.
1715 For example, REG could be one element within an array of structs.
1717 Return the resulting compound_svalue, or NULL if there's a problem. */
1722 {
1723 region_offset cluster_offset
1736 /* We will a build the result map in two parts:
1737 (a) result_map, holding the concrete keys from this cluster,
1739 (b) default_map, holding the initial values for the region
1740 (e.g. uninitialized, initializer values, or zero), unless this
1741 cluster has been touched.
1743 We will populate (a), and as we do, clobber (b), trimming and
1744 splitting its bindings as necessary.
1745 Finally, we will merge (b) into (a), giving a concrete map
1746 that merges both the initial values and the bound values from
1747 the binding_cluster.
1748 Doing it this way reduces N for the O(N^2) intersection-finding,
1749 perhaps we should have a spatial-organized data structure for
1750 concrete keys, though. */
1752 binding_map result_map;
1753 binding_map default_map;
1755 /* Set up default values in default_map. */
1759 else
1763 /* Express the bit-range of the default key for REG relative to REG,
1764 rather than to the base region. */
1774 {
1780 {
1783 bit_size_t reg_bit_size;
1788 reg_bit_size);
1790 /* Skip bindings that are outside the bit range of REG. */
1794 /* We shouldn't have an exact match; that should have been
1795 handled already. */
1800 {
1801 /* We have a bound range fully within REG.
1802 Add it to map, offsetting accordingly. */
1804 /* Get offset of KEY relative to REG, rather than to
1805 the cluster. */
1810 /* Clobber default_map, removing/trimming/spliting where
1811 it overlaps with offset_concrete_key. */
1813 offset_concrete_key,
1815 }
1817 {
1818 /* REG is fully within the bound range, but
1819 is not equal to it; we're extracting a subvalue. */
1821 subrange,
1823 }
1824 else
1825 {
1826 /* REG and the bound range partially overlap. */
1832 /* Get the bits from the bound value for the bits at the
1833 intersection (relative to the bound value). */
1836 bound_subrange,
1839 /* Get key for overlap, relative to the REG. */
1844 /* Clobber default_map, removing/trimming/spliting where
1845 it overlaps with overlap_concrete_key. */
1847 overlap_concrete_key,
1849 }
1850 }
1851 else
1852 /* Can't handle symbolic bindings. */
1854 }
1859 /* Merge any bindings from default_map into result_map. */
1861 {
1865 }
1868 }
1870 /* Remove, truncate, and/or split any bindings within this map that
1871 could overlap REG.
1873 If REG's base region or this cluster is symbolic and they're different
1874 base regions, then remove everything in this cluster's map, on the
1875 grounds that REG could be referring to the same memory as anything
1876 in the map.
1878 If UNCERTAINTY is non-NULL, use it to record any svalues that
1879 were removed, as being maybe-bound.
1881 If MAYBE_LIVE_VALUES is non-NULL, use it to record any svalues that
1882 were removed, as being maybe-live. */
1884 void
1889 {
1896 /* If at least one of the base regions involved is symbolic, and they're
1897 not the same base region, then consider everything in the map as
1898 potentially overlapping with reg_binding (even if it's a concrete
1899 binding and things in the map are concrete - they could be referring
1900 to the same memory when the symbolic base regions are taken into
1901 account). */
1906 maybe_live_values,
1907 always_overlap);
1908 }
1910 /* Attempt to merge CLUSTER_A and CLUSTER_B into OUT_CLUSTER, using
1911 MGR and MERGER.
1912 Return true if they can be merged, false otherwise. */
1914 bool
1921 {
1924 /* Merge flags ("ESCAPED" and "TOUCHED") by setting the merged flag to
1925 true if either of the inputs is true. */
1933 /* At least one of CLUSTER_A and CLUSTER_B are non-NULL, but either
1934 could be NULL. Handle these cases. */
1936 {
1941 }
1943 {
1948 }
1950 /* The "both inputs are non-NULL" case. */
1958 {
1961 }
1964 {
1967 }
1972 {
1979 num_symbolic_keys++;
1980 else
1981 num_concrete_keys++;
1984 {
1988 }
1990 {
1993 {
1996 }
1997 /* Merger of the svalues failed. Reject merger of the cluster. */
1999 }
2001 /* If we get here, then one cluster binds this key and the other
2002 doesn't; merge them as "UNKNOWN". */
2010 /* ...but reject the merger if this sval shouldn't be mergeable
2011 (e.g. reject merging svalues that have non-purgable sm-state,
2012 to avoid falsely reporting memory leaks by merging them
2013 with something else). */
2018 }
2020 /* We can only have at most one symbolic key per cluster,
2021 and if we do, we can't have any concrete keys.
2022 If this happens, mark the cluster as touched, with no keys. */
2025 {
2028 }
2030 /* We don't handle other kinds of overlaps yet. */
2033 }
2035 /* Update this cluster to reflect an attempt to merge OTHER where there
2036 is no other cluster to merge with, and so we're notionally merging the
2037 bound values in OTHER with the initial value of the relevant regions.
2039 Any bound keys in OTHER should be bound to unknown in this. */
2041 void
2045 {
2048 {
2056 /* For any pointers in OTHER, the merger means that the
2057 concrete pointer becomes an unknown value, which could
2058 show up as a false report of a leak when considering what
2059 pointers are live before vs after.
2060 Avoid this by marking the base regions they point to as having
2061 escaped. */
2064 {
2069 {
2072 }
2073 }
2074 }
2075 }
2077 /* Mark this cluster as having escaped. */
2079 void
2081 {
2083 }
2085 /* If this cluster has escaped (by this call, or by an earlier one, or
2086 by being an external param), then unbind all values and mark it
2087 as "touched", so that it has a conjured value, rather than an
2088 initial_svalue.
2089 Use P to purge state involving conjured_svalues. */
2091 void
2095 {
2097 {
2101 {
2102 /* Bind it to a new "conjured" value using CALL. */
2107 }
2110 }
2111 }
2113 /* Mark this cluster as having been clobbered by STMT.
2114 Use P to purge state involving conjured_svalues. */
2116 void
2120 {
2123 /* Bind it to a new "conjured" value using CALL. */
2130 }
2132 /* Return true if this cluster has escaped. */
2134 bool
2136 {
2137 /* Consider the "errno" region to always have escaped. */
2141 }
2143 /* Return true if this binding_cluster has no information
2144 i.e. if there are no bindings, and it hasn't been marked as having
2145 escaped, or touched symbolically. */
2147 bool
2149 {
2151 && !m_escaped
2153 }
2155 /* Add PV to OUT_PVS, casting it to TYPE if it is not already of that type. */
2157 static void
2159 tree type,
2161 {
2168 }
2170 /* Find representative path_vars for SVAL within this binding of BASE_REG,
2171 appending the results to OUT_PVS. */
2173 void
2179 const
2180 {
2184 {
2188 {
2191 {
2193 base_reg->get_subregions_for_binding
2202 {
2205 visited))
2207 }
2208 }
2209 else
2210 {
2214 visited))
2216 }
2217 }
2218 }
2219 }
2221 /* Get any svalue bound to KEY, or NULL. */
2225 {
2227 }
2229 /* If this cluster has a single direct binding for the whole of the region,
2230 return it.
2231 For use in simplifying dumps. */
2235 {
2236 /* Fail gracefully if MGR is NULL to make it easier to dump store
2237 instances in the debugger. */
2249 }
2251 /* class store_manager. */
2253 logger *
2255 {
2257 }
2259 /* binding consolidation. */
2263 bit_offset_t size_in_bits)
2264 {
2272 }
2276 {
2284 }
2286 /* class store. */
2288 /* store's default ctor. */
2292 {
2293 }
2295 /* store's copy ctor. */
2300 {
2304 {
2310 }
2311 }
2313 /* store's dtor. */
2316 {
2321 }
2323 /* store's assignment operator. */
2325 store &
2327 {
2328 /* Delete existing cluster map. */
2340 {
2346 }
2348 }
2350 /* store's equality operator. */
2352 bool
2354 {
2364 {
2367 binding_cluster **other_slot
2373 }
2378 }
2380 /* Get a hash value for this store. */
2382 hashval_t
2384 {
2391 }
2393 /* Populate OUT with a sorted list of parent regions for the regions in IN,
2394 removing duplicate parents. */
2396 static void
2399 {
2400 /* Get the set of parent regions. */
2405 {
2409 }
2411 /* Write to OUT. */
2416 /* Sort OUT. */
2418 }
2420 /* Dump a representation of this store to PP, using SIMPLE to control how
2421 svalues and regions are printed.
2422 MGR is used for simplifying dumps if non-NULL, but can also be NULL
2423 (to make it easier to use from the debugger). */
2425 void
2428 {
2429 /* Sort into some deterministic order. */
2433 {
2436 }
2439 /* Gather clusters, organize by parent region, so that we can group
2440 together locals, globals, etc. */
2447 {
2453 else
2459 {
2460 /* This is O(N * M), but N ought to be small. */
2463 binding_cluster *cluster
2466 {
2469 }
2471 {
2472 /* Special-case to simplify dumps for the common case where
2473 we just have one value directly bound to the whole of a
2474 region. */
2476 {
2486 }
2487 else
2488 {
2498 }
2499 }
2501 {
2506 }
2507 else
2508 {
2514 }
2515 }
2518 }
2523 }
2525 /* Dump a multiline representation of this store to stderr. */
2527 DEBUG_FUNCTION void
2529 {
2530 pretty_printer pp;
2537 }
2539 /* Assert that this object is valid. */
2541 void
2543 {
2546 }
2548 /* Return a new json::object of the form
2549 {PARENT_REGION_DESC: {BASE_REGION_DESC: object for binding_map,
2550 ... for each cluster within parent region},
2551 ...for each parent region,
2552 "called_unknown_fn": true/false}. */
2556 {
2559 /* Sort into some deterministic order. */
2563 {
2566 }
2569 /* Gather clusters, organize by parent region, so that we can group
2570 together locals, globals, etc. */
2577 {
2585 {
2586 /* This is O(N * M), but N ought to be small. */
2589 binding_cluster *cluster
2594 }
2597 }
2602 }
2604 /* Get any svalue bound to REG, or NULL. */
2608 {
2610 binding_cluster **cluster_slot
2615 }
2617 /* Set the value of LHS_REG to RHS_SVAL. */
2619 void
2623 {
2631 /* ...but if we have no type for the region, retain any cast. */
2636 {
2637 /* Reject attempting to bind values into a symbolic region
2638 for an unknown ptr; merely invalidate values below. */
2641 /* The LHS of the write is *UNKNOWN. If the RHS is a pointer,
2642 then treat the region being pointed to as having escaped. */
2644 {
2648 }
2651 }
2653 {
2656 }
2657 else
2658 {
2659 /* Reject attempting to bind values into an untracked region;
2660 merely invalidate values below. */
2662 }
2664 /* Bindings to a cluster can affect other clusters if a symbolic
2665 base region is involved.
2666 Writes to concrete clusters can't affect other concrete clusters,
2667 but can affect symbolic clusters.
2668 Writes to symbolic clusters can affect both concrete and symbolic
2669 clusters.
2670 Invalidate our knowledge of other clusters that might have been
2671 affected by the write.
2672 Gather the set of all svalues that might still be live even if
2673 the store doesn't refer to them. */
2674 svalue_set maybe_live_values;
2677 {
2684 {
2687 {
2693 {
2703 }
2704 /* Mark all of iter_cluster's iter_base_reg as unknown,
2705 using LHS_REG when considering overlaps, to handle
2706 symbolic vs concrete issues. */
2707 iter_cluster->mark_region_as_unknown
2711 uncertainty,
2720 /* If they can't be aliases, then don't invalidate this
2721 cluster. */
2723 }
2724 }
2725 }
2726 /* Given the set of svalues that might still be live, process them
2727 (e.g. marking regions as escaped).
2728 We do this after the iteration to avoid potentially changing
2729 m_cluster_map whilst iterating over it. */
2731 }
2733 /* Determine if BASE_REG_A could be an alias of BASE_REG_B. */
2735 tristate
2738 {
2739 /* SSA names can't alias. */
2747 /* Try both ways, for symmetry. */
2755 }
2757 /* Half of store::eval_alias; called twice for symmetry. */
2759 tristate
2762 {
2763 /* If they're in different memory spaces, they can't alias. */
2764 {
2767 {
2772 }
2773 }
2777 {
2780 {
2785 {
2786 /* The initial value of a pointer can't point to a local. */
2788 }
2789 }
2792 {
2793 /* The initial value of a pointer can't point to a
2794 region that was allocated on the heap after the beginning of the
2795 path. */
2797 }
2800 {
2804 {
2806 /* If we have sval_a is WIDENING(®ION, OP), and
2807 B can't alias REGION, then B can't alias A either.
2808 For example, A might arise from
2809 for (ptr = ®ION; ...; ptr++)
2810 where sval_a is ptr in the 2nd iteration of the loop.
2811 We want to ensure that "*ptr" can only clobber things
2812 within REGION's base region. */
2814 base_reg_b);
2817 }
2818 }
2819 }
2821 }
2823 /* Record all of the values in MAYBE_LIVE_VALUES as being possibly live. */
2825 void
2827 {
2829 {
2831 {
2834 }
2835 }
2836 }
2838 /* Remove all bindings overlapping REG within this store. */
2840 void
2842 {
2850 {
2853 }
2854 }
2856 /* Remove any bindings for REG within this store. */
2858 void
2860 {
2868 {
2871 }
2872 }
2874 /* Fill REG with SVAL. */
2876 void
2878 {
2879 /* Filling an empty region is a no-op. */
2889 }
2891 /* Zero-fill REG. */
2893 void
2895 {
2899 }
2901 /* Mark REG as having unknown content. */
2903 void
2907 {
2914 maybe_live_values);
2915 }
2917 /* Purge state involving SVAL. */
2919 void
2922 {
2925 {
2929 else
2930 {
2933 }
2934 }
2938 }
2940 /* Get the cluster for BASE_REG, or NULL (const version). */
2944 {
2950 else
2952 }
2954 /* Get the cluster for BASE_REG, or NULL (non-const version). */
2956 binding_cluster *
2958 {
2963 else
2965 }
2967 /* Get the cluster for BASE_REG, creating it if doesn't already exist. */
2969 binding_cluster *
2971 {
2975 /* We shouldn't create clusters for dereferencing an UNKNOWN ptr. */
2978 /* We shouldn't create clusters for base regions that aren't trackable. */
2988 }
2990 /* Remove any cluster for BASE_REG, for use by
2991 region_model::unbind_region_and_descendents
2992 when popping stack frames and handling deleted heap regions. */
2994 void
2996 {
3004 }
3006 /* Attempt to merge STORE_A and STORE_B into OUT_STORE.
3007 Return true if successful, or false if the stores can't be merged. */
3009 bool
3013 {
3017 /* Get the union of all base regions for STORE_A and STORE_B. */
3021 {
3024 }
3027 {
3030 }
3032 /* Sort the base regions before considering them. This ought not to
3033 affect the results, but can affect which types UNKNOWN_REGIONs are
3034 created for in a run; sorting them thus avoids minor differences
3035 in logfiles. */
3044 {
3047 /* At least one of cluster_a and cluster_b must be non-NULL. */
3048 binding_cluster *out_cluster
3053 }
3055 }
3057 /* Mark the cluster for BASE_REG as having escaped.
3058 For use when handling an unrecognized function call, and
3059 for params to "top-level" calls.
3060 Further unknown function calls could touch it, even if the cluster
3061 isn't reachable from args of those calls. */
3063 void
3065 {
3075 }
3077 /* Handle an unknown fncall by updating any clusters that have escaped
3078 (either in this fncall, or in a prior one). */
3080 void
3083 {
3089 }
3091 /* Return true if a non-const pointer to BASE_REG (or something within it)
3092 has escaped to code outside of the TU being analyzed. */
3094 bool
3096 {
3100 /* "errno" can always be modified by external code. */
3108 }
3110 /* Populate OUT_PVS with a list of path_vars for describing SVAL based on
3111 this store, using VISITED to ensure the traversal terminates. */
3113 void
3118 {
3121 /* Find all bindings that reference SVAL. */
3124 {
3128 out_pvs);
3129 }
3132 {
3135 visited))
3137 }
3138 }
3140 /* Remove all bindings overlapping REG within this store, removing
3141 any clusters that become redundant.
3143 If UNCERTAINTY is non-NULL, use it to record any svalues that
3144 were removed, as being maybe-bound. */
3146 void
3149 {
3152 {
3155 {
3156 /* Remove whole cluster. */
3160 }
3161 /* Pass NULL for the maybe_live_values here, as we don't want to
3162 record the old svalues as being maybe-bound. */
3164 }
3165 }
3167 /* Subclass of visitor that accumulates a hash_set of the regions that
3168 were visited. */
3171 {
3173 {
3175 }
3178 };
3180 /* Canonicalize this store, to maximize the chance of equality between
3181 instances. */
3183 void
3185 {
3186 /* If we have e.g.:
3187 cluster for: HEAP_ALLOCATED_REGION(543)
3188 ESCAPED
3189 TOUCHED
3190 where the heap region is empty and unreferenced, then purge that
3191 cluster, to avoid unbounded state chains involving these. */
3193 /* Find regions that are referenced by bound values in the store. */
3194 region_finder s;
3197 {
3202 }
3204 /* Locate heap-allocated regions that have empty bindings that weren't
3205 found above. */
3209 {
3213 {
3214 /* Don't purge a heap-allocated region that's been marked as
3215 escaping, since this could be recording that a ptr to it
3216 was written to an unknown symbolic region along this
3217 path, and so we don't know whether it's referenced or
3218 not, and hence should report it as leaking
3219 (PR analyzer/106473). */
3227 /* Also cover the UNKNOWN case. */
3232 }
3233 }
3235 /* Purge them. */
3238 {
3241 }
3242 }
3244 /* Subroutine for use by exploded_path::feasible_p.
3246 We need to deal with state differences between:
3247 (a) when the exploded_graph is being initially constructed and
3248 (b) when replaying the state changes along a specific path in
3249 in exploded_path::feasible_p.
3251 In (a), state merging happens, so when exploring a loop
3252 for (i = 0; i < 1024; i++)
3253 on successive iterations we have i == 0, then i == WIDENING.
3255 In (b), no state merging happens, so naively replaying the path
3256 that goes twice through the loop then exits it
3257 would lead to i == 0, then i == 1, and then a (i >= 1024) eedge
3258 that exits the loop, which would be found to be infeasible as i == 1,
3259 and the path would be rejected.
3261 We need to fix up state during replay. This subroutine is
3262 called whenever we enter a supernode that we've already
3263 visited along this exploded_path, passing in OTHER_STORE
3264 from the destination enode's state.
3266 Find bindings to widening values in OTHER_STORE.
3267 For all that are found, update the binding in this store to UNKNOWN. */
3269 void
3272 {
3276 {
3281 {
3285 {
3286 binding_cluster *this_cluster
3291 }
3292 }
3293 }
3294 }
3296 /* Use R to replay the bindings from SUMMARY into this object. */
3298 void
3301 {
3303 {
3304 /* A call to an external function occurred in the summary.
3305 Hence we need to invalidate our knownledge of globals,
3306 escaped regions, etc. */
3311 }
3319 }
3321 /* Use R and SUMMARY to replay the bindings in SUMMARY_CLUSTER
3322 into this object. */
3324 void
3328 {
3335 /* Handle "ESCAPED" and "TOUCHED" flags. */
3339 {
3343 {
3344 binding_cluster *caller_cluster
3350 }
3351 }
3354 {
3355 /* Top-level regions. */
3363 /* Child regions. */
3370 /* Other regions. */
3373 /* These should never be the base region of a binding cluster. */
3380 /* These can be marked as escaping. */
3384 {
3394 NULL_TREE,
3403 caller_sval =
3407 }
3414 {
3428 caller_sval =
3432 }
3436 /* Ignore bindings of alloca regions in the summary. */
3438 }
3439 }
3441 #if CHECKING_P
3445 /* Verify that bit_range::intersects_p works as expected. */
3447 static void
3449 {
3463 /* self-intersection is true. */
3505 }
3507 /* Implementation detail of ASSERT_BIT_RANGE_FROM_MASK_EQ. */
3509 static void
3513 {
3518 }
3520 /* Assert that bit_range::from_mask (MASK) returns true, and writes
3521 out EXPECTED_BIT_RANGE. */
3523 #define ASSERT_BIT_RANGE_FROM_MASK_EQ(MASK, EXPECTED_BIT_RANGE) \
3524 SELFTEST_BEGIN_STMT \
3525 assert_bit_range_from_mask_eq (SELFTEST_LOCATION, MASK, \
3526 EXPECTED_BIT_RANGE); \
3527 SELFTEST_END_STMT
3529 /* Implementation detail of ASSERT_NO_BIT_RANGE_FROM_MASK. */
3531 static void
3534 {
3538 }
3540 /* Assert that bit_range::from_mask (MASK) returns false. */
3542 #define ASSERT_NO_BIT_RANGE_FROM_MASK(MASK) \
3543 SELFTEST_BEGIN_STMT \
3544 assert_no_bit_range_from_mask_eq (SELFTEST_LOCATION, MASK); \
3545 SELFTEST_END_STMT
3547 /* Verify that bit_range::from_mask works as expected. */
3549 static void
3551 {
3552 /* Should fail on zero. */
3555 /* Verify 1-bit masks. */
3565 /* Verify N-bit masks starting at bit 0. */
3575 /* Various other tests. */
3580 /* Multiple ranges of set bits should fail. */
3583 }
3585 /* Implementation detail of ASSERT_OVERLAP. */
3587 static void
3591 {
3594 }
3596 /* Implementation detail of ASSERT_DISJOINT. */
3598 static void
3602 {
3605 }
3607 /* Assert that B1 and B2 overlap, checking both ways. */
3609 #define ASSERT_OVERLAP(B1, B2) \
3610 SELFTEST_BEGIN_STMT \
3611 assert_overlap (SELFTEST_LOCATION, B1, B2); \
3612 SELFTEST_END_STMT
3614 /* Assert that B1 and B2 do not overlap, checking both ways. */
3616 #define ASSERT_DISJOINT(B1, B2) \
3617 SELFTEST_BEGIN_STMT \
3618 assert_disjoint (SELFTEST_LOCATION, B1, B2); \
3619 SELFTEST_END_STMT
3621 /* Verify that concrete_binding::overlaps_p works as expected. */
3623 static void
3625 {
3628 /* Various 8-bit bindings. */
3634 /* 16-bit bindings. */
3639 /* 32-bit binding. */
3642 /* Everything should self-overlap. */
3652 /* Verify the 8-bit bindings that don't overlap each other. */
3656 /* Check for overlap of differently-sized bindings. */
3658 /* ...and with differing start points. */
3668 }
3670 /* Run all of the selftests within this file. */
3672 void
3674 {
3678 }