| blob | fde8412bc15709331f383a89b5c03cb495ca08a2 |
1 /* The analysis "engine".
2 Copyright (C) 2019-2024 Free Software Foundation, Inc.
3 Contributed by David Malcolm <dmalcolm@redhat.com>.
5 This file is part of GCC.
7 GCC is free software; you can redistribute it and/or modify it
8 under the terms of the GNU General Public License as published by
9 the Free Software Foundation; either version 3, or (at your option)
10 any later version.
12 GCC is distributed in the hope that it will be useful, but
13 WITHOUT ANY WARRANTY; without even the implied warranty of
14 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
15 General Public License for more details.
17 You should have received a copy of the GNU General Public License
18 along with GCC; see the file COPYING3. If not see
19 <http://www.gnu.org/licenses/>. */
22 #define INCLUDE_MEMORY
62 #include <zlib.h>
65 #include <memory>
72 /* For an overview, see gcc/doc/analyzer.texi. */
74 #if ENABLE_ANALYZER
78 /* class impl_region_model_context : public region_model_context. */
100 {
101 }
117 {
118 }
120 bool
123 {
127 {
131 }
133 {
137 m_stmt,
138 curr_stmt_finder);
141 {
143 && terminate_path
147 }
148 }
150 }
152 void
154 {
158 }
160 void
162 {
166 }
168 void
171 {
174 }
176 void
180 {
183 }
185 void
188 {
193 }
195 void
197 {
199 }
201 uncertainty_t *
203 {
205 }
207 /* Purge state involving SVAL. The region_model has already been purged,
208 so we only need to purge other state in the program_state:
209 the sm-state. */
211 void
213 {
218 }
220 void
222 {
225 }
227 void
229 {
232 }
234 /* struct setjmp_record. */
236 int
238 {
243 }
245 /* class setjmp_svalue : public svalue. */
247 /* Implementation of svalue::accept vfunc for setjmp_svalue. */
249 void
251 {
253 }
255 /* Implementation of svalue::dump_to_pp vfunc for setjmp_svalue. */
257 void
259 {
262 else
264 }
266 /* Get the index of the stored exploded_node. */
268 int
270 {
272 }
274 /* Concrete implementation of sm_context, wiring it up to the rest of this
275 file. */
278 {
299 {
300 }
305 {
306 impl_region_model_context old_ctxt
311 }
314 tree var) final override
315 {
318 /* Use NULL ctxt on this get_rvalue call to avoid triggering
319 uninitialized value warnings. */
326 }
329 {
335 }
339 tree var,
341 tree origin) final override
342 {
350 /* We use the new sval here to avoid issues with uninitialized values. */
356 var,
361 }
366 tree origin) final override
367 {
370 impl_region_model_context old_ctxt
380 {
389 }
392 }
395 tree var,
397 {
403 = (var
412 && terminate_path
415 }
420 {
424 = (sval
433 && terminate_path
436 }
438 /* Hook for picking more readable trees for SSA names of temporaries,
439 so that rather than e.g.
440 "double-free of '<unknown>'"
441 we can print:
442 "double-free of 'inbuf.data'". */
445 {
446 /* Only for SSA_NAMEs of temporaries; otherwise, return EXPR, as it's
447 likely to be the least surprising tree to report. */
455 /* Find trees for all regions storing the value. */
458 else
460 }
463 {
465 }
468 {
470 }
473 {
475 }
478 {
480 }
483 {
486 m_sm_idx);
487 }
490 {
494 impl_region_model_context old_ctxt
503 }
506 {
508 }
511 {
513 }
516 {
518 }
521 {
523 }
525 log_user m_logger;
535 /* Are we handling an external function with unknown side effects? */
537 };
539 bool
546 {
562 {
564 *out_sm_context
566 sm_idx,
568 m_enode_for_diag,
569 m_old_state,
570 m_new_state,
571 old_smap,
572 new_smap,
573 m_path_ctxt,
574 m_stmt_finder,
576 }
578 }
580 /* Subclass of stmt_finder for finding the best stmt to report the leak at,
581 given the emission path. */
584 {
590 {
592 }
595 final override
596 {
601 {
602 /* Locate the final write to this SSA name in the path. */
610 /* What was the next write to the underlying var
611 after the SSA name was set? (if any). */
616 {
620 idx,
629 {
634 }
635 }
636 }
638 not_found:
640 /* Look backwards for the first statement with a location. */
644 {
647 i,
656 }
660 }
664 tree m_var;
665 };
667 /* A measurement of how good EXPR is for presenting to the user, so
668 that e.g. we can say prefer printing
669 "leak of 'tmp.m_ptr'"
670 over:
671 "leak of '<unknown>'". */
673 static int
675 {
676 /* Arbitrarily-chosen "high readability" value. */
681 {
684 /* Impose a slight readability penalty relative to that of
685 operand 0. */
689 {
691 {
693 {
694 /* If we have an SSA name for an artificial var,
695 only use it if it has a debug expr associated with
696 it that fixup_tree_for_diagnostic can use. */
699 }
700 else
701 {
702 /* Slightly favor the underlying var over the SSA name to
703 avoid having them compare equal. */
705 }
706 }
707 /* Avoid printing '<unknown>' for SSA names for temporaries. */
709 }
716 else
717 /* We don't want to print temporaries. For example, the C FE
718 prints them as e.g. "<Uxxxx>" where "xxxx" is the low 16 bits
719 of the tree pointer (see pp_c_tree_decl_identifier). */
723 /* Printing "<return-value>" isn't ideal, but is less awful than
724 trying to print a temporary. */
728 {
729 /* Impose a moderate readability penalty for casts. */
732 }
739 }
742 }
744 /* A qsort comparator for trees to sort them into most user-readable to
745 least user-readable. */
747 int
749 {
756 /* Favor items that are deeper on the stack and hence more recent;
757 this also favors locals over globals. */
762 /* Combine the scores from the tree and from the stack depth.
763 This e.g. lets us have a slightly penalized cast in the most
764 recent stack frame "beat" an uncast value in an older stack frame. */
770 /* Otherwise, more readable trees win. */
774 /* Otherwise, if they have the same readability, then impose an
775 arbitrary deterministic ordering on them. */
781 {
795 }
797 /* TODO: We ought to find ways of sorting such cases. */
799 }
801 /* Return true is SNODE is the EXIT node of a function, or is one
802 of the final snodes within its function.
804 Specifically, handle the final supernodes before the EXIT node,
805 for the case of clobbers that happen immediately before exiting.
806 We need a run of snodes leading to the return_p snode, where all edges are
807 intraprocedural, and every snode has just one successor.
809 We use this when suppressing leak reports at the end of "main". */
811 static bool
813 {
820 {
830 /* Impose a limit to ensure we terminate for pathological cases.
832 We only care about the final 3 nodes, due to cases like:
833 BB:
834 (clobber causing leak)
836 BB:
837 <label>:
838 return _val;
840 EXIT BB.*/
843 }
844 }
846 /* Find the best tree for SVAL and call SM's on_leak vfunc with it.
847 If on_leak returns a pending_diagnostic, queue it up to be reported,
848 so that we potentially complain about a leak of SVAL in the given STATE. */
850 void
854 {
858 {
863 }
868 /* m_old_state also needs to be non-NULL so that the sm_ctxt can look
869 up the old state of SVAL. */
872 /* SVAL has leaked within the new state: it is not used by any reachable
873 regions.
874 We need to convert it back to a tree, but since it's likely no regions
875 use it, we have to find the "best" tree for it in the old_state. */
876 svalue_set visited;
877 path_var leaked_pv
881 /* Strip off top-level casts */
885 /* This might be NULL; the pending_diagnostic subclasses need to cope
886 with this. */
889 {
892 else
894 }
899 /* Don't complain about leaks when returning from "main". */
901 {
904 {
908 }
909 }
914 {
917 m_stmt,
922 }
923 }
925 /* Implementation of region_model_context::on_condition vfunc.
926 Notify all state machines about the condition, which could lead to
927 state transitions. */
929 void
933 {
937 {
943 m_path_ctxt);
945 (m_enode_for_diag
948 m_stmt,
950 }
951 }
953 /* Implementation of region_model_context::on_bounded_ranges vfunc.
954 Notify all state machines about the ranges, which could lead to
955 state transitions. */
957 void
960 {
964 {
970 m_path_ctxt);
972 (m_enode_for_diag
976 }
977 }
979 /* Implementation of region_model_context::on_pop_frame vfunc.
980 Notify all state machines about the frame being popped, which
981 could lead to states being discarded. */
983 void
985 {
989 {
992 }
993 }
995 /* Implementation of region_model_context::on_phi vfunc.
996 Notify all state machines about the phi, which could lead to
997 state transitions. */
999 void
1001 {
1005 {
1011 m_path_ctxt);
1013 }
1014 }
1016 /* Implementation of region_model_context::on_unexpected_tree_code vfunc.
1017 Mark the new state as being invalid for further exploration.
1018 TODO(stage1): introduce a warning for when this occurs. */
1020 void
1023 {
1033 }
1035 /* Implementation of region_model_context::maybe_did_work vfunc.
1036 Mark that "externally visible work" has occurred, and thus we
1037 shouldn't report an infinite loop here. */
1039 void
1041 {
1044 }
1046 /* struct point_and_state. */
1048 /* Assert that this object is sane. */
1050 void
1052 {
1053 /* Skip this in a release build. */
1054 #if !CHECKING_P
1056 #endif
1062 /* Verify that the callstring's model of the stack corresponds to that
1063 of the region_model. */
1064 /* They should have the same depth. */
1067 /* Check the functions in the callstring vs those in the frames
1068 at each depth. */
1072 {
1076 }
1077 }
1079 /* Subroutine of print_enode_indices: print a run of indices from START_IDX
1080 to END_IDX to PP, using and updating *FIRST_RUN. */
1082 static void
1085 {
1091 else
1093 }
1095 /* Print the indices within ENODES to PP, collecting them as
1096 runs/singletons e.g. "EN: 4-7, EN: 20-23, EN: 42". */
1098 static void
1101 {
1108 {
1110 {
1113 }
1114 else
1115 {
1117 /* Continuation of a run. */
1119 else
1120 {
1121 /* Finish existing run, start a new one. */
1127 }
1128 }
1129 }
1130 /* Finish any existing run. */
1132 {
1136 }
1137 }
1139 /* struct eg_traits::dump_args_t. */
1141 /* The <FILENAME>.eg.dot output can quickly become unwieldy if we show
1142 full details for all enodes (both in terms of CPU time to render it,
1143 and in terms of being meaningful to a human viewing it).
1145 If we show just the IDs then the resulting graph is usually viewable,
1146 but then we have to keep switching back and forth between the .dot
1147 view and other dumps.
1149 This function implements a heuristic for showing detail at the enodes
1150 that (we hope) matter, and just the ID at other enodes, fixing the CPU
1151 usage of the .dot viewer, and drawing the attention of the viewer
1152 to these enodes.
1154 Return true if ENODE should be shown in detail in .dot output.
1155 Return false if no detail should be shown for ENODE. */
1157 bool
1159 {
1160 /* If the number of exploded nodes isn't too large, we may as well show
1161 all enodes in full detail in the .dot output. */
1166 /* Otherwise, assume that what's most interesting are state explosions,
1167 and thus the places where this happened.
1168 Expand enodes at program points where we hit the per-enode limit, so we
1169 can investigate what exploded. */
1173 }
1175 /* class exploded_node : public dnode<eg_traits>. */
1179 {
1181 {
1187 }
1188 }
1190 /* exploded_node's ctor. */
1196 {
1198 }
1200 /* Get the stmt that was processed in this enode at index IDX.
1201 IDX is an index within the stmts processed at this enode, rather
1202 than within those of the supernode. */
1206 {
1215 }
1217 /* For use by dump_dot, get a value for the .dot "fillcolor" attribute.
1218 Colorize by sm-state, to make it easier to see how sm-state propagates
1219 through the exploded_graph. */
1223 {
1226 /* We want to be able to easily distinguish the no-sm-state case,
1227 and to be able to distinguish cases where there's a single state
1228 from each other.
1230 Sum the sm_states, and use the result to choose from a table,
1231 modulo table-size, special-casing the "no sm-state" case. */
1236 {
1242 }
1245 {
1246 /* An arbitrarily-picked collection of light colors. */
1253 }
1254 else
1255 /* No sm-state. */
1257 }
1259 /* Implementation of dnode::dump_dot vfunc for exploded_node. */
1261 void
1263 {
1279 {
1290 }
1300 /* It can be hard to locate the saved diagnostics as text within the
1301 enode nodes, so add extra nodes to the graph for each saved_diagnostic,
1302 highlighted in red.
1303 Compare with dump_saved_diagnostics. */
1304 {
1308 {
1311 /* Add edge connecting this enode to the saved_diagnostic. */
1317 }
1318 }
1321 }
1323 /* Show any stmts that were processed within this enode,
1324 and their index within the supernode. */
1325 void
1327 {
1329 {
1338 {
1344 }
1345 }
1346 }
1348 /* Dump any saved_diagnostics at this enode to PP. */
1350 void
1352 {
1356 {
1360 }
1361 }
1363 /* Dump this to PP in a form suitable for use as an id in .dot output. */
1365 void
1367 {
1369 }
1371 /* Dump a multiline representation of this node to PP. */
1373 void
1376 {
1386 }
1388 /* Dump a multiline representation of this node to FILE. */
1390 void
1393 {
1394 pretty_printer pp;
1400 }
1402 /* Dump a multiline representation of this node to stderr. */
1404 DEBUG_FUNCTION void
1406 {
1408 }
1410 /* Return a new json::object of the form
1411 {"point" : object for program_point,
1412 "state" : object for program_state,
1413 "status" : str,
1414 "idx" : int,
1415 "processed_stmts" : int}. */
1419 {
1430 }
1434 /* Return true if FNDECL has a gimple body. */
1435 // TODO: is there a pre-canned way to do this?
1437 bool
1439 {
1448 }
1452 /* Modify STATE in place, applying the effects of the stmt at this node's
1453 point. */
1463 {
1467 {
1471 }
1473 /* Update input_location in case of ICE: make it easier to track down which
1474 source construct we're failing to handle. */
1479 /* Preserve the old state. It is used here for looking
1480 up old checker states, for determining state transitions, and
1481 also within impl_region_model_context and impl_sm_context for
1482 going from tree to svalue_id. */
1488 out_could_have_done_work);
1490 /* Handle call summaries here. */
1494 {
1496 per_function_data *called_fn_data
1500 snode,
1502 state,
1503 path_ctxt,
1504 called_fn,
1505 called_fn_data,
1507 }
1521 {
1528 unknown_side_effects);
1530 /* Allow the state_machine to handle the stmt. */
1533 }
1541 }
1543 /* Handle the pre-sm-state part of STMT, modifying STATE in-place.
1544 Write true to *OUT_TERMINATE_PATH if the path should be terminated.
1545 Write true to *OUT_UNKNOWN_SIDE_EFFECTS if the stmt has unknown
1546 side effects. */
1548 void
1555 {
1556 /* Handle special-case calls that require the full program_state. */
1558 {
1560 {
1561 /* Handle the builtin "__analyzer_dump" by dumping state
1562 to stderr. */
1565 }
1567 {
1569 ctxt);
1571 }
1573 {
1578 }
1580 {
1586 }
1587 }
1589 /* Otherwise, defer to m_region_model. */
1591 out_unknown_side_effects,
1592 ctxt);
1593 }
1595 /* Handle the post-sm-state part of STMT, modifying STATE in-place. */
1597 void
1602 {
1605 }
1607 /* A concrete call_info subclass representing a replay of a call summary. */
1610 {
1620 {}
1625 {
1626 /* Update STATE based on summary_end_state. */
1631 }
1636 {
1637 /* Update STATE based on summary_end_state. */
1643 }
1646 {
1648 }
1654 };
1656 /* Use PATH_CTXT to bifurcate, which when handled will add custom edges
1657 for a replay of the various feasible summaries in CALLED_FN_DATA. */
1668 {
1675 /* Each summary will call bifurcate on the PATH_CTXT. */
1682 }
1684 /* Use PATH_CTXT to bifurcate, which when handled will add a
1685 custom edge for a replay of SUMMARY, if the summary's
1686 conditions are feasible based on the current state. */
1688 void
1697 {
1714 {
1726 }
1735 called_fn,
1736 summary,
1737 ext_state));
1738 }
1741 /* Consider the effect of following superedge SUCC from this node.
1743 Return true if it's feasible to follow the edge, or false
1744 if it's infeasible.
1746 Examples: if it's the "true" branch within
1747 a CFG and we know the conditional is false, we know it's infeasible.
1748 If it's one of multiple interprocedual "return" edges, then only
1749 the edge back to the most recent callsite is feasible.
1751 Update NEXT_STATE accordingly (e.g. to record that a condition was
1752 true or false, or that the NULL-ness of a pointer has been checked,
1753 pushing/popping stack frames, etc).
1755 Update NEXT_POINT accordingly (updating the call string). */
1757 bool
1763 {
1773 }
1775 /* Verify that the stack at LONGJMP_POINT is still valid, given a call
1776 to "setjmp" at SETJMP_POINT - the stack frame that "setjmp" was
1777 called in must still be valid.
1779 Caveat: this merely checks the call_strings in the points; it doesn't
1780 detect the case where a frame returns and is then called again. */
1782 static bool
1785 {
1792 /* Check that the call strings match, up to the depth of the
1793 setjmp point. */
1799 }
1801 /* A pending_diagnostic subclass for complaining about bad longjmps,
1802 where the enclosing function of the "setjmp" has returned (and thus
1803 the stack frame no longer exists). */
1806 {
1812 {}
1815 {
1817 }
1820 {
1824 }
1830 {
1833 }
1835 bool
1838 final override
1839 {
1840 /* Detect exactly when the stack first becomes invalid,
1841 and issue an event then. */
1850 {
1851 /* Compare with diagnostic_manager::add_events_for_superedge. */
1856 src_stack_depth),
1858 emission_path->add_event
1861 }
1863 }
1866 {
1873 else
1878 }
1884 program_point m_setjmp_point;
1886 };
1888 /* Handle LONGJMP_CALL, a call to longjmp or siglongjmp.
1890 Attempt to locate where setjmp/sigsetjmp was called on the jmp_buf and build
1891 an exploded_node and exploded_edge to it representing a rewind to that frame,
1892 handling the various kinds of failure that can occur. */
1894 void
1899 {
1906 ctxt);
1917 /* Build a custom enode and eedge for rewinding from the longjmp/siglongjmp
1918 call back to the setjmp/sigsetjmp. */
1926 /* Verify that the setjmp's call_stack hasn't been popped. */
1928 {
1930 longjmp_call,
1931 setjmp_point));
1933 }
1938 /* Update the state for use by the destination node. */
1940 /* Stash the current number of diagnostics so that we can update
1941 any that this adds to show where the longjmp is rewinding to. */
1949 /* Detect leaks in the new state relative to the old state. */
1953 program_point next_point
1957 exploded_node *next
1960 /* Create custom exploded_edge for a longjmp. */
1962 {
1963 exploded_edge *eedge
1966 longjmp_call));
1968 /* For any diagnostics that were queued here (such as leaks) we want
1969 the checker_path to show the rewinding events after the "final event"
1970 so that the user sees where the longjmp is rewinding to (otherwise the
1971 path is meaningless).
1973 For example, we want to emit something like:
1974 | NN | {
1975 | NN | longjmp (env, 1);
1976 | | ~~~~~~~~~~~~~~~~
1977 | | |
1978 | | (10) 'ptr' leaks here; was allocated at (7)
1979 | | (11) rewinding from 'longjmp' in 'inner'...
1980 |
1981 <-------------+
1982 |
1983 'outer': event 12
1984 |
1985 | NN | i = setjmp(env);
1986 | | ^~~~~~
1987 | | |
1988 | | (12) ...to 'setjmp' in 'outer' (saved at (2))
1990 where the "final" event above is event (10), but we want to append
1991 events (11) and (12) afterwards.
1993 Do this by setting m_trailing_eedge on any diagnostics that were
1994 just saved. */
1997 {
2000 }
2001 }
2002 }
2004 /* Subroutine of exploded_graph::process_node for finding the successors
2005 of the supernode for a function exit basic block.
2007 Ensure that pop_frame is called, potentially queuing diagnostics about
2008 leaks. */
2010 void
2012 {
2017 /* If we're not a "top-level" function, do nothing; pop_frame
2018 will be called when handling the return superedge. */
2022 /* We have a "top-level" function. */
2027 /* Work with a temporary copy of the state: pop the frame, and see
2028 what leaks (via purge_unused_svalues). */
2033 uncertainty_t uncertainty;
2041 }
2043 /* Dump the successors and predecessors of this enode to OUTF. */
2045 void
2047 {
2050 {
2054 pretty_printer pp;
2058 }
2059 {
2063 pretty_printer pp;
2067 }
2068 }
2070 /* class dynamic_call_info_t : public custom_edge_info. */
2072 /* Implementation of custom_edge_info::update_model vfunc
2073 for dynamic_call_info_t.
2075 Update state for a dynamically discovered call (or return), by pushing
2076 or popping the a frame for the appropriate function. */
2078 bool
2082 {
2086 else
2087 {
2090 }
2092 }
2094 /* Implementation of custom_edge_info::add_events_to_path vfunc
2095 for dynamic_call_info_t. */
2097 void
2100 {
2109 emission_path->add_event
2115 dest_stack_depth)));
2116 else
2117 emission_path->add_event
2123 src_stack_depth)));
2124 }
2126 /* class rewind_info_t : public custom_edge_info. */
2128 /* Implementation of custom_edge_info::update_model vfunc
2129 for rewind_info_t.
2131 Update state for the special-case of a rewind of a longjmp
2132 to a setjmp (which doesn't have a superedge, but does affect
2133 state). */
2135 bool
2139 {
2151 }
2153 /* Implementation of custom_edge_info::add_events_to_path vfunc
2154 for rewind_info_t. */
2156 void
2159 {
2167 emission_path->add_event
2172 src_stack_depth),
2174 emission_path->add_event
2179 dst_stack_depth),
2181 }
2183 /* class exploded_edge : public dedge<eg_traits>. */
2185 /* exploded_edge's ctor. */
2193 {
2194 }
2196 /* Implementation of dedge::dump_dot vfunc for exploded_edge.
2197 Use the label of the underlying superedge, if any. */
2199 void
2201 {
2208 }
2210 /* Second half of exploded_edge::dump_dot. This is split out
2211 for use by trimmed_graph::dump_dot and base_feasible_edge::dump_dot. */
2213 void
2215 {
2223 {
2230 //constraint = "false";
2234 //constraint = "false";
2239 }
2241 {
2244 }
2259 //pp_write_text_as_dot_label_to_stream (pp, /*for_record=*/false);
2262 }
2264 /* Return a new json::object of the form
2265 {"src_idx": int, the index of the source exploded edge,
2266 "dst_idx": int, the index of the destination exploded edge,
2267 "sedge": (optional) object for the superedge, if any,
2268 "custom": (optional) str, a description, if this is a custom edge}. */
2272 {
2279 {
2280 pretty_printer pp;
2284 }
2286 }
2288 /* struct stats. */
2290 /* stats' ctor. */
2296 {
2299 }
2301 /* Log these stats in multiline form to LOGGER. */
2303 void
2305 {
2314 m_node_reuse_after_merge_count);
2315 }
2317 /* Dump these stats in multiline form to OUT. */
2319 void
2321 {
2329 m_node_reuse_after_merge_count);
2334 }
2336 /* Return the total number of enodes recorded within this object. */
2338 int
2340 {
2345 }
2347 /* struct per_function_data. */
2350 {
2353 }
2355 void
2357 {
2359 }
2361 /* strongly_connected_components's ctor. Tarjan's SCC algorithm. */
2366 {
2379 }
2381 /* Dump this object to stderr. */
2383 DEBUG_FUNCTION void
2385 {
2387 {
2391 }
2392 }
2394 /* Return a new json::array of per-snode SCC ids. */
2398 {
2403 }
2405 /* Subroutine of strongly_connected_components's ctor, part of Tarjan's
2406 SCC algorithm. */
2408 void
2410 {
2413 /* Set the depth index for v to the smallest unused index. */
2419 index++;
2421 /* Consider successors of v. */
2425 {
2432 {
2433 /* Successor w has not yet been visited; recurse on it. */
2436 }
2438 {
2439 /* Successor w is in stack S and hence in the current SCC
2440 If w is not on stack, then (v, w) is a cross-edge in the DFS
2441 tree and must be ignored. */
2443 }
2444 }
2446 /* If v is a root node, pop the stack and generate an SCC. */
2449 {
2456 }
2457 }
2459 /* worklist's ctor. */
2465 {
2466 }
2468 /* Return the number of nodes in the worklist. */
2470 unsigned
2472 {
2474 }
2476 /* Return the next node in the worklist, removing it. */
2478 exploded_node *
2480 {
2482 }
2484 /* Return the next node in the worklist without removing it. */
2486 exploded_node *
2488 {
2490 }
2492 /* Add ENODE to the worklist. */
2494 void
2496 {
2499 }
2501 /* Comparator for implementing worklist::key_t comparison operators.
2502 Return negative if KA is before KB
2503 Return positive if KA is after KB
2504 Return 0 if they are equal.
2506 The ordering of the worklist is critical for performance and for
2507 avoiding node explosions. Ideally we want all enodes at a CFG join-point
2508 with the same callstring to be sorted next to each other in the worklist
2509 so that a run of consecutive enodes can be merged and processed "in bulk"
2510 rather than individually or pairwise, minimizing the number of new enodes
2511 created. */
2513 int
2515 {
2521 /* Order empty-callstring points with different functions based on the
2522 analysis_plan, so that we generate summaries before they are used. */
2529 {
2533 }
2535 /* Sort by callstring, so that nodes with deeper call strings are processed
2536 before those with shallower call strings.
2537 If we have
2538 splitting BB
2539 / \
2540 / \
2541 fn call no fn call
2542 \ /
2543 \ /
2544 join BB
2545 then we want the path inside the function call to be fully explored up
2546 to the return to the join BB before we explore on the "no fn call" path,
2547 so that both enodes at the join BB reach the front of the worklist at
2548 the same time and thus have a chance of being merged. */
2553 /* Order by SCC. */
2559 /* If in same SCC, order by supernode index (an arbitrary but stable
2560 ordering). */
2564 {
2566 /* One is NULL. */
2568 else
2569 /* Both are NULL. */
2571 }
2573 /* One is NULL. */
2575 /* Neither are NULL. */
2582 /* Order within supernode via program point. */
2583 int within_snode_cmp
2589 /* Otherwise, we ought to have the same program_point. */
2595 /* Sort by sm-state, so that identical sm-states are grouped
2596 together in the worklist. */
2599 {
2605 }
2607 /* Otherwise, we have two enodes at the same program point but with
2608 different states. We don't have a good total ordering on states,
2609 so order them by enode index, so that we have at least have a
2610 stable sort. */
2612 }
2614 /* Return a new json::object of the form
2615 {"scc" : [per-snode-IDs]}, */
2619 {
2624 /* The following field isn't yet being JSONified:
2625 queue_t m_queue; */
2628 }
2630 /* exploded_graph's ctor. */
2646 {
2647 m_origin = get_or_create_node
2652 }
2654 /* exploded_graph's dtor. */
2657 {
2666 }
2668 /* Subroutine for use when implementing __attribute__((tainted_args))
2669 on functions and on function pointer fields in structs.
2671 Called on STATE representing a call to FNDECL.
2672 Mark all params of FNDECL in STATE as "tainted". Mark the value of all
2673 regions pointed to by params of FNDECL as "tainted".
2675 Return true if successful; return false if the "taint" state machine
2676 was not found. */
2678 static bool
2681 {
2697 {
2706 {
2708 /* Mark "*param" as tainted. */
2713 }
2714 }
2717 }
2719 /* Custom event for use by tainted_args_function_info when a function
2720 has been marked with __attribute__((tainted_args)). */
2723 {
2728 {
2729 }
2732 {
2733 return make_label_text
2736 m_fndecl);
2737 }
2740 tree m_fndecl;
2741 };
2743 /* Custom exploded_edge info for top-level calls to a function
2744 marked with __attribute__((tainted_args)). */
2747 {
2751 {}
2754 {
2756 };
2761 {
2762 /* No-op. */
2764 }
2768 {
2769 emission_path->add_event
2772 }
2775 tree m_fndecl;
2776 };
2778 /* Ensure that there is an exploded_node representing an external call to
2779 FUN, adding it to the worklist if creating it.
2781 Add an edge from the origin exploded_node to the function entrypoint
2782 exploded_node.
2784 Return the exploded_node for the entrypoint to the function. */
2786 exploded_node *
2788 {
2791 /* Be idempotent. */
2793 {
2798 }
2800 program_point point
2809 {
2812 }
2826 }
2828 /* Get or create an exploded_node for (POINT, STATE).
2829 If a new node is created, it is added to the worklist.
2831 Use ENODE_FOR_DIAG, a pre-existing enode, for any diagnostics
2832 that need to be emitted (e.g. when purging state *before* we have
2833 a new enode). */
2835 exploded_node *
2839 {
2843 {
2854 }
2856 /* Stop exploring paths for which we don't know how to effectively
2857 model the state. */
2859 {
2863 }
2869 //state.dump (get_ext_state ());
2871 /* Prune state to try to improve the chances of a cache hit,
2872 avoiding generating redundant nodes. */
2873 uncertainty_t uncertainty;
2874 program_state pruned_state
2879 //pruned_state.dump (get_ext_state ());
2882 {
2890 }
2894 stats *per_cs_stats
2900 {
2901 /* An exploded_node for PS already exists. */
2908 }
2910 per_program_point_data *per_point_data
2913 /* Consider merging state with another enode at this program_point. */
2915 {
2919 {
2926 /* This merges successfully within the loop. */
2931 {
2937 /* Try again for a cache hit.
2938 Whether we get one or not, merged_state's value_ids have no
2939 relationship to those of the input state, and thus to those
2940 of CHANGE, so we must purge any svalue_ids from *CHANGE. */
2944 {
2945 /* An exploded_node for PS already exists. */
2952 }
2953 }
2954 else
2958 }
2959 }
2961 /* Impose a limit on the number of enodes per program point, and
2962 simply stop if we exceed it. */
2965 {
2966 pretty_printer pp;
2977 }
2981 /* An exploded_node for "ps" doesn't already exist; create one. */
2986 /* Update per-program_point data. */
2998 {
3010 }
3012 /* Add the new node to the worlist. */
3015 }
3017 /* Add an exploded_edge from SRC to DEST, recording its association
3018 with SEDGE (which may be NULL), and, if non-NULL, taking ownership
3019 of CUSTOM_INFO. COULD_DO_WORK is used for detecting infinite loops.
3020 Return the newly-created eedge. */
3022 exploded_edge *
3026 {
3030 exploded_edge *e
3035 }
3037 /* Ensure that this graph has per-program_point-data for POINT;
3038 borrow a pointer to it. */
3040 per_program_point_data *
3043 {
3050 }
3052 /* Get this graph's per-program-point-data for POINT if there is any,
3053 otherwise NULL. */
3055 per_program_point_data *
3057 {
3063 }
3065 /* Ensure that this graph has per-call_string-data for CS;
3066 borrow a pointer to it. */
3068 per_call_string_data *
3070 {
3076 data);
3078 }
3080 /* Ensure that this graph has per-function-data for FUN;
3081 borrow a pointer to it. */
3083 per_function_data *
3085 {
3092 }
3094 /* Get this graph's per-function-data for FUN if there is any,
3095 otherwise NULL. */
3097 per_function_data *
3099 {
3105 }
3107 /* Return true if FUN should be traversed directly, rather than only as
3108 called via other functions. */
3110 static bool
3112 {
3113 /* Don't directly traverse into functions that have an "__analyzer_"
3114 prefix. Doing so is useful for the analyzer test suite, allowing
3115 us to have functions that are called in traversals, but not directly
3116 explored, thus testing how the analyzer handles calls and returns.
3117 With this, we can have DejaGnu directives that cover just the case
3118 of where a function is called by another function, without generating
3119 excess messages from the case of the first function being traversed
3120 directly. */
3124 {
3129 }
3135 }
3137 /* Custom event for use by tainted_call_info when a callback field has been
3138 marked with __attribute__((tainted_args)), for labelling the field. */
3141 {
3146 {
3147 }
3150 {
3152 "field %qE of %qT"
3155 }
3158 tree m_field;
3159 };
3161 /* Custom event for use by tainted_call_info when a callback field has been
3162 marked with __attribute__((tainted_args)), for labelling the function used
3163 in that callback. */
3166 {
3169 tree field)
3172 {
3173 }
3176 {
3178 "function %qE used as initializer for field %qE"
3181 }
3184 tree m_field;
3185 };
3187 /* Custom edge info for use when adding a function used by a callback field
3188 marked with '__attribute__((tainted_args))'. */
3191 {
3195 {}
3198 {
3200 };
3205 {
3206 /* No-op. */
3208 }
3212 {
3213 /* Show the field in the struct declaration, e.g.
3214 "(1) field 'store' is marked with '__attribute__((tainted_args))'" */
3215 emission_path->add_event
3218 /* Show the callback in the initializer
3219 e.g.
3220 "(2) function 'gadget_dev_desc_UDC_store' used as initializer
3221 for field 'store' marked with '__attribute__((tainted_args))'". */
3222 emission_path->add_event
3225 m_field));
3226 }
3229 tree m_field;
3230 tree m_fndecl;
3231 location_t m_loc;
3232 };
3234 /* Given an initializer at LOC for FIELD marked with
3235 '__attribute__((tainted_args))' initialized with FNDECL, add an
3236 entrypoint to FNDECL to EG (and to its worklist) where the params to
3237 FNDECL are marked as tainted. */
3239 static void
3241 location_t loc)
3242 {
3255 program_point point
3269 {
3273 else
3274 {
3276 fndecl);
3278 }
3279 }
3283 }
3285 /* Callback for walk_tree for finding callbacks within initializers;
3286 ensure that any callback initializer where the corresponding field is
3287 marked with '__attribute__((tainted_args))' is treated as an entrypoint
3288 to the analysis, special-casing that the inputs to the callback are
3289 untrustworthy. */
3291 static tree
3293 {
3296 {
3297 /* Find fields with the "tainted_args" attribute.
3298 walk_tree only walks the values, not the index values;
3299 look at the index values. */
3304 idx++)
3307 {
3314 }
3315 }
3318 }
3320 /* Add initial nodes to EG, with entrypoints for externally-callable
3321 functions. */
3323 void
3325 {
3331 {
3337 {
3341 else
3343 }
3344 }
3346 /* Find callbacks that are reachable from global initializers. */
3349 {
3355 }
3356 }
3358 /* The main loop of the analysis.
3359 Take freshly-created exploded_nodes from the worklist, calling
3360 process_node on them to explore the <point, state> graph.
3361 Add edges to their successors, potentially creating new successors
3362 (which are also added to the worklist). */
3364 void
3366 {
3372 {
3381 /* If we have a run of nodes that are before-supernode, try merging and
3382 processing them together, rather than pairwise or individually. */
3387 /* Avoid exponential explosions of nodes by attempting to merge
3388 nodes that are at the same program point and which have
3389 sufficiently similar state. */
3392 {
3404 {
3407 {
3411 logger->log_partial
3416 }
3420 /* They shouldn't be equal, or we wouldn't have two
3421 separate nodes. */
3427 {
3433 {
3434 /* Then merge node_2 into node by adding an edge. */
3437 /* Remove node_2 from the worklist. */
3441 /* Continue processing "node" below. */
3442 }
3444 {
3445 /* Then merge node into node_2, and leave node_2
3446 in the worklist, to be processed on the next
3447 iteration. */
3451 }
3452 else
3453 {
3454 /* We have a merged state that differs from
3455 both state and state_2. */
3457 /* Remove node_2 from the worklist. */
3460 /* Create (or get) an exploded node for the merged
3461 states, adding to the worklist. */
3462 exploded_node *merged_enode
3473 /* "node" and "node_2" have both now been removed
3474 from the worklist; we should not process them.
3476 "merged_enode" may be a new node; if so it will be
3477 processed in a subsequent iteration.
3478 Alternatively, "merged_enode" could be an existing
3479 node; one way the latter can
3480 happen is if we end up merging a succession of
3481 similar nodes into one. */
3483 /* If merged_node is one of the two we were merging,
3484 add it back to the worklist to ensure it gets
3485 processed.
3487 Add edges from the merged nodes to it (but not a
3488 self-edge). */
3491 else
3492 {
3495 }
3499 else
3500 {
3503 }
3506 }
3507 }
3509 /* TODO: should we attempt more than two nodes,
3510 or just do pairs of nodes? (and hope that we get
3511 a cascade of mergers). */
3512 }
3513 }
3517 handle_limit:
3518 /* Impose a hard limit on the number of exploded nodes, to ensure
3519 that the analysis terminates in the face of pathological state
3520 explosion (or bugs).
3522 Specifically, the limit is on the number of PK_AFTER_SUPERNODE
3523 exploded nodes, looking at supernode exit events.
3525 We use exit rather than entry since there can be multiple
3526 entry ENs, one per phi; the number of PK_AFTER_SUPERNODE ought
3527 to be equivalent to the number of supernodes multiplied by the
3528 number of states. */
3531 {
3535 OPT_Wanalyzer_too_complex,
3536 "analysis bailed out early"
3541 }
3542 }
3543 }
3545 /* Attempt to process a consecutive run of sufficiently-similar nodes in
3546 the worklist at a CFG join-point (having already popped ENODE from the
3547 head of the worklist).
3549 If ENODE's point is of the form (before-supernode, SNODE) and the next
3550 nodes in the worklist are a consecutive run of enodes of the same form,
3551 for the same supernode as ENODE (but potentially from different in-edges),
3552 process them all together, setting their status to STATUS_BULK_MERGED,
3553 and return true.
3554 Otherwise, return false, in which case ENODE must be processed in the
3555 normal way.
3557 When processing them all together, generate successor states based
3558 on phi nodes for the appropriate CFG edges, and then attempt to merge
3559 these states into a minimal set of merged successor states, partitioning
3560 the inputs by merged successor state.
3562 Create new exploded nodes for all of the merged states, and add edges
3563 connecting the input enodes to the corresponding merger exploded nodes.
3565 We hope we have a much smaller number of merged successor states
3566 compared to the number of input enodes - ideally just one,
3567 if all successor states can be merged.
3569 Processing and merging many together as one operation rather than as
3570 pairs avoids scaling issues where per-pair mergers could bloat the
3571 graph with merger nodes (especially so after switch statements). */
3573 bool
3576 {
3577 /* A struct for tracking per-input state. */
3578 struct item
3579 {
3584 {}
3587 program_state m_processed_state;
3589 };
3604 /* Find a run of enodes in the worklist that are before the same supernode,
3605 but potentially from different in-edges. */
3609 {
3619 {
3622 }
3623 else
3625 }
3627 /* If the only node is ENODE, then give up. */
3635 /* All of these enodes have a shared successor point (even if they
3636 were for different in-edges). */
3639 /* Calculate the successor state for each enode in enodes. */
3644 {
3652 {
3653 uncertainty_t uncertainty;
3662 }
3664 }
3666 /* Attempt to partition the items into a set of merged states.
3667 We hope we have a much smaller number of merged states
3668 compared to the number of input enodes - ideally just one,
3669 if all can be merged. */
3674 {
3679 {
3684 {
3692 }
3693 }
3694 /* If it couldn't be merged with any existing merged_states,
3695 create a new one. */
3697 {
3704 }
3705 got_merger:
3708 }
3710 /* Create merger nodes. */
3714 {
3715 exploded_node *src_enode
3717 exploded_node *next
3719 /* "next" could be NULL; we handle that when adding the edges below. */
3722 {
3725 else
3727 }
3728 }
3730 /* Create edges from each input enode to the appropriate successor enode.
3731 Update the status of the now-processed input enodes. */
3733 {
3739 }
3746 }
3748 /* Return true if STMT must appear at the start of its exploded node, and
3749 thus we can't consolidate its effects within a run of other statements,
3750 where PREV_STMT was the previous statement. */
3752 static bool
3755 {
3757 {
3758 /* Stop consolidating at calls to
3759 "__analyzer_dump_exploded_nodes", so they always appear at the
3760 start of an exploded_node. */
3765 /* sm-signal.cc injects an additional custom eedge at "signal" calls
3766 from the registration enode to the handler enode, separate from the
3767 regular next state, which defeats the "detect state change" logic
3768 in process_node. Work around this via special-casing, to ensure
3769 we split the enode immediately before any "signal" call. */
3772 }
3774 /* If we had a PREV_STMT with an unknown location, and this stmt
3775 has a known location, then if a state change happens here, it
3776 could be consolidated into PREV_STMT, giving us an event with
3777 no location. Ensure that STMT gets its own exploded_node to
3778 avoid this. */
3784 }
3786 /* Return true if OLD_STATE and NEW_STATE are sufficiently different that
3787 we should split enodes and create an exploded_edge separating them
3788 (which makes it easier to identify state changes of intereset when
3789 constructing checker_paths). */
3791 static bool
3794 {
3795 /* Changes in dynamic extents signify creations of heap/alloca regions
3796 and resizings of heap regions; likely to be of interest in
3797 diagnostic paths. */
3802 /* Changes in sm-state are of interest. */
3806 {
3811 }
3814 }
3816 /* Create enodes and eedges for the function calls that doesn't have an
3817 underlying call superedge.
3819 Such case occurs when GCC's middle end didn't know which function to
3820 call but the analyzer does (with the help of current state).
3822 Some example such calls are dynamically dispatched calls to virtual
3823 functions or calls that happen via function pointer. */
3825 bool
3827 tree fn_decl,
3829 program_state next_state,
3833 {
3839 {
3844 program_point new_point
3846 NULL,
3852 /* Impose a maximum recursion depth and don't analyze paths
3853 that exceed it further.
3854 This is something of a blunt workaround, but it only
3855 applies to recursion (and mutual recursion), not to
3856 general call stacks. */
3859 {
3863 }
3868 {
3876 next_state,
3877 node);
3883 }
3884 }
3886 }
3888 /* Subclass of path_context for use within exploded_graph::process_node,
3889 so that we can split states e.g. at "realloc" calls. */
3892 {
3899 {
3900 }
3903 {
3905 }
3908 {
3911 }
3913 void
3915 {
3920 /* Verify that the state at bifurcation is consistent when we
3921 split into multiple out-edges. */
3923 else
3924 /* Take a copy of the cur_state at the moment when bifurcation
3925 happens. */
3926 m_state_at_bifurcation
3929 /* Take ownership of INFO. */
3931 }
3934 {
3938 }
3941 {
3943 }
3946 {
3948 }
3955 /* Lazily-created copy of the state before the split. */
3961 };
3963 /* A subclass of pending_diagnostic for complaining about jumps through NULL
3964 function pointers. */
3967 {
3971 {}
3974 {
3976 }
3979 {
3981 }
3984 {
3986 }
3989 {
3991 }
3994 {
3996 }
4000 };
4002 /* The core of exploded_graph::process_worklist (the main analysis loop),
4003 handling one node in the worklist.
4005 Get successor <point, state> pairs for NODE, calling get_or_create on
4006 them, and adding an exploded_edge to each successors.
4008 Freshly-created nodes will be added to the worklist. */
4010 void
4012 {
4020 /* Update cfun and input_location in case of an ICE: make it easier to
4021 track down which source construct we're failing to handle. */
4029 {
4037 }
4040 {
4044 /* This node exists to simplify finding the shortest path
4045 to an exploded_node. */
4049 {
4051 uncertainty_t uncertainty;
4054 {
4063 last_cfg_superedge,
4067 }
4074 }
4077 {
4078 /* Determine the effect of a run of one or more statements
4079 within one supernode, generating an edge to the program_point
4080 after the last statement that's processed.
4082 Stop iterating statements and thus consolidating into one enode
4083 when:
4084 - reaching the end of the statements in the supernode
4085 - if an sm-state-change occurs (so that it gets its own
4086 exploded_node)
4087 - if "-fanalyzer-fine-grained" is active
4088 - encountering certain statements must appear at the start of
4089 their enode (for which stmt_requires_new_enode_p returns true)
4091 Update next_state in-place, to get the result of the one
4092 or more stmts that are processed.
4094 Split the node in-place if an sm-state-change occurs, so that
4095 the sm-state-change occurs on an edge where the src enode has
4096 exactly one stmt, the one that caused the change. */
4102 uncertainty_t uncertainty;
4108 stmt_idx++)
4109 {
4114 {
4115 stmt_idx--;
4117 }
4122 /* Process the stmt. */
4128 /* If flags.m_terminate_path, stop analyzing; any nodes/edges
4129 will have been added by on_stmt (e.g. for handling longjmp). */
4134 {
4140 }
4143 program_point next_point
4156 {
4157 program_point split_point
4159 stmt_idx,
4162 {
4163 /* If we're not at the start of NODE, split the enode at
4164 this stmt, so we have:
4165 node -> split_enode
4166 so that when split_enode is processed the next edge
4167 we add will be:
4168 split_enode -> next
4169 and any state change will effectively occur on that
4170 latter edge, and split_enode will contain just stmt. */
4173 exploded_node *split_enode
4177 /* "stmt" will be reprocessed when split_enode is
4178 processed. */
4184 }
4185 else
4186 /* If we're at the start of NODE, stop iterating,
4187 so that an edge will be created from NODE to
4188 (next_point, next_state) below. */
4190 }
4191 }
4193 program_point next_point
4200 {
4203 }
4204 else
4205 {
4206 exploded_node *next
4210 }
4212 /* If we have custom edge infos, "bifurcate" the state
4213 accordingly, potentially creating a new state/enode/eedge
4214 instances. For example, to handle a "realloc" call, we
4215 might split into 3 states, for the "failure",
4216 "resizing in place", and "moving to a new buffer" cases. */
4218 {
4219 /* Take ownership of the edge infos from the path_ctxt. */
4222 {
4227 }
4228 program_state bifurcated_new_state
4231 /* Apply edge_info to state. */
4232 impl_region_model_context
4239 stmt);
4243 {
4244 exploded_node *next2
4250 }
4251 else
4252 {
4255 }
4256 }
4257 }
4260 {
4263 /* If this is an EXIT BB, detect leaks, and potentially
4264 create a function summary. */
4266 {
4271 {
4272 /* TODO: create function summary
4273 There can be more than one; each corresponds to a different
4274 final enode in the function. */
4276 {
4279 logger->log_partial
4284 }
4285 per_function_data *per_fn_data
4288 }
4289 }
4290 /* Traverse into successors of the supernode. */
4294 {
4297 {
4302 }
4304 program_point next_point
4308 uncertainty_t uncertainty;
4310 /* Make use the current state and try to discover and analyse
4311 indirect function calls (a call that doesn't have an underlying
4312 cgraph edge representing call).
4314 Some examples of such calls are virtual function calls
4315 and calls that happen via a function pointer. */
4318 {
4323 node,
4327 NULL,
4335 fn_decl,
4336 node,
4337 next_state,
4338 next_point,
4340 logger);
4342 {
4343 /* Check for jump through NULL. */
4345 {
4350 }
4352 /* An unknown function or a special function was called
4353 at this point, in such case, don't terminate the
4354 analysis of the current function.
4356 The analyzer handles calls to such functions while
4357 analysing the stmt itself, so the function call
4358 must have been handled by the anlyzer till now. */
4359 exploded_node *next
4361 next_state,
4362 node);
4366 }
4367 }
4371 {
4376 }
4378 node);
4380 {
4383 /* We might have a function entrypoint. */
4385 }
4386 }
4388 /* Return from the calls which doesn't have a return superedge.
4389 Such case occurs when GCC's middle end didn't knew which function to
4390 call but analyzer did. */
4393 {
4395 program_point next_point
4397 NULL,
4398 cs);
4400 uncertainty_t uncertainty;
4409 {
4412 next_state,
4413 node);
4417 }
4418 }
4419 }
4421 }
4422 }
4424 /* Ensure that this graph has a stats instance for FN, return it.
4425 FN can be NULL, in which case a stats instances is returned covering
4426 "functionless" parts of the graph (the origin node). */
4428 stats *
4430 {
4436 else
4437 {
4439 /* not quite the num supernodes, but nearly. */
4443 }
4444 }
4446 /* Print bar charts to PP showing:
4447 - the number of enodes per function, and
4448 - for each function:
4449 - the number of enodes per supernode/BB
4450 - the number of excess enodes per supernode/BB beyond the
4451 per-program-point limit, if there were any. */
4453 void
4455 {
4460 bar_chart enodes_per_function;
4462 {
4468 }
4471 /* Accumulate number of enodes per supernode. */
4478 {
4483 }
4485 /* Accumulate excess enodes per supernode. */
4491 {
4499 }
4501 /* Show per-function bar_charts of enodes per supernode/BB. */
4505 {
4510 bar_chart enodes_per_snode;
4511 bar_chart excess_enodes_per_snode;
4514 {
4518 pretty_printer tmp_pp;
4523 const int num_excess
4526 num_excess);
4529 }
4532 {
4536 }
4537 }
4538 }
4540 /* Write all stats information to this graph's logger, if any. */
4542 void
4544 {
4564 {
4568 }
4571 }
4573 /* Dump all stats information to OUT. */
4575 void
4577 {
4589 {
4593 }
4598 }
4600 void
4603 {
4609 {
4613 {
4614 pretty_printer pp;
4620 }
4621 }
4624 }
4626 /* Return a new json::object of the form
4627 {"nodes" : [objs for enodes],
4628 "edges" : [objs for eedges],
4629 "ext_state": object for extrinsic_state,
4630 "diagnostic_manager": object for diagnostic_manager}. */
4634 {
4637 /* Nodes. */
4638 {
4645 }
4647 /* Edges. */
4648 {
4655 }
4657 /* m_sg is JSONified at the top-level. */
4663 /* The following fields aren't yet being JSONified:
4664 const state_purge_map *const m_purge_map;
4665 const analysis_plan &m_plan;
4666 stats m_global_stats;
4667 function_stat_map_t m_per_function_stats;
4668 stats m_functionless_stats;
4669 call_string_data_map_t m_per_call_string_data;
4670 auto_vec<int> m_PK_AFTER_SUPERNODE_per_snode; */
4673 }
4675 /* class exploded_path. */
4677 /* Copy ctor. */
4681 {
4686 }
4688 /* Look for the last use of SEARCH_STMT within this path.
4689 If found write the edge's index to *OUT_IDX and return true, otherwise
4690 return false. */
4692 bool
4695 {
4699 {
4704 {
4707 }
4708 }
4710 }
4712 /* Get the final exploded_node in this path, which must be non-empty. */
4714 exploded_node *
4716 {
4719 }
4721 /* Check state along this path, returning true if it is feasible.
4722 If OUT is non-NULL, and the path is infeasible, write a new
4723 feasibility_problem to *OUT. */
4725 bool
4729 {
4735 /* Traverse the path, updating this state. */
4737 {
4741 edge_idx,
4747 {
4750 {
4756 last_stmt,
4758 }
4760 }
4763 {
4765 edge_idx,
4771 }
4772 }
4775 }
4777 /* Dump this path in multiline form to PP.
4778 If EXT_STATE is non-NULL, then show the nodes. */
4780 void
4783 {
4785 {
4788 i,
4795 }
4796 }
4798 /* Dump this path in multiline form to FP. */
4800 void
4802 {
4803 pretty_printer pp;
4809 }
4811 /* Dump this path in multiline form to stderr. */
4813 DEBUG_FUNCTION void
4815 {
4817 }
4819 /* Dump this path verbosely to FILENAME. */
4821 void
4824 {
4828 pretty_printer pp;
4834 }
4836 /* class feasibility_problem. */
4838 void
4840 {
4844 {
4849 }
4850 }
4852 /* class feasibility_state. */
4854 /* Ctor for feasibility_state, at the beginning of a path. */
4860 {
4862 }
4864 /* Copy ctor for feasibility_state, for extending a path. */
4869 {
4871 }
4877 {
4879 }
4881 feasibility_state &
4883 {
4887 }
4889 /* The heart of feasibility-checking.
4891 Attempt to update this state in-place based on traversing EEDGE
4892 in a path.
4893 Update the model for the stmts in the src enode.
4894 Attempt to add constraints for EEDGE.
4896 If feasible, return true.
4897 Otherwise, return false and write to *OUT_RC. */
4899 bool
4905 {
4909 {
4913 }
4915 /* Update state for the stmts that were processed in each enode. */
4917 stmt_idx++)
4918 {
4921 /* Update cfun and input_location in case of ICE: make it easier to
4922 track down which source construct we're failing to handle. */
4927 }
4931 {
4933 {
4939 }
4943 {
4945 {
4950 }
4952 }
4953 }
4954 else
4955 {
4956 /* Special-case the initial eedge from the origin node to the
4957 initial function by pushing a frame for it. */
4959 {
4968 }
4970 {
4972 }
4973 }
4975 /* Handle phi nodes on an edge leaving a PK_BEFORE_SUPERNODE (to
4976 a PK_BEFORE_STMT, or a PK_AFTER_SUPERNODE if no stmts).
4977 This will typically not be associated with a superedge. */
4979 {
4985 {
4989 last_cfg_superedge,
4990 ctxt);
4991 /* If we've entering an snode that we've already visited on this
4992 epath, then we need do fix things up for loops; see the
4993 comment for store::loop_replay_fixup.
4994 Perhaps we should probably also verify the callstring,
4995 and track program_points, but hopefully doing it by supernode
4996 is good enough. */
4999 }
5001 }
5003 }
5005 /* Update this object for the effects of STMT. */
5007 void
5009 {
5015 {
5018 }
5021 }
5023 /* Dump this object to PP. */
5025 void
5028 {
5030 }
5032 /* A family of cluster subclasses for use when generating .dot output for
5033 exploded graphs (-fdump-analyzer-exploded-graph), for grouping the
5034 enodes into hierarchical boxes.
5036 All functionless enodes appear in the top-level graph.
5037 Every (function, call_string) pair gets its own cluster. Within that
5038 cluster, each supernode gets its own cluster.
5040 Hence all enodes relating to a particular function with a particular
5041 callstring will be in a cluster together; all enodes for the same
5042 function but with a different callstring will be in a different
5043 cluster. */
5045 /* Base class of cluster for clustering exploded_node instances in .dot
5046 output, based on various subclass-specific criteria. */
5049 {
5050 };
5052 /* Cluster containing all exploded_node instances for one supernode. */
5055 {
5059 // TODO: dtor?
5062 {
5075 /* Terminate subgraph. */
5078 }
5081 {
5083 }
5085 /* Comparator for use by auto_vec<supernode_cluster *>::qsort. */
5088 {
5094 }
5099 };
5101 /* Cluster containing all supernode_cluster instances for one
5102 (function, call_string) pair. */
5105 {
5111 {
5116 }
5119 {
5131 /* Dump m_map, sorting it to avoid churn when comparing dumps. */
5145 /* Terminate subgraph. */
5148 }
5151 {
5157 else
5158 {
5162 }
5163 }
5165 /* Comparator for use by auto_vec<function_call_string_cluster *>. */
5168 {
5178 }
5184 map_t m_map;
5185 };
5187 /* Keys for root_cluster. */
5189 struct function_call_string
5190 {
5193 {
5196 }
5200 };
5206 {
5208 };
5211 inline hashval_t
5213 {
5216 }
5222 {
5224 }
5228 {
5230 }
5234 {
5236 }
5240 {
5242 }
5246 {
5248 }
5252 /* Top-level cluster for generating .dot output for exploded graphs,
5253 handling the functionless nodes, and grouping the remaining nodes by
5254 callstring. */
5257 {
5260 {
5265 }
5268 {
5274 /* Dump m_map, sorting it to avoid churn when comparing dumps. */
5286 }
5289 {
5292 {
5295 }
5302 else
5303 {
5304 function_call_string_cluster *child
5308 }
5309 }
5313 map_t m_map;
5315 /* This should just be the origin exploded_node. */
5317 };
5319 /* Subclass of range_label for use within
5320 exploded_graph::dump_exploded_nodes for implementing
5321 -fdump-analyzer-exploded-nodes: a label for a specific
5322 exploded_node. */
5325 {
5332 {
5333 pretty_printer pp;
5338 }
5343 };
5345 /* Postprocessing support for dumping the exploded nodes.
5346 Handle -fdump-analyzer-exploded-nodes,
5347 -fdump-analyzer-exploded-nodes-2, and the
5348 "__analyzer_dump_exploded_nodes" builtin. */
5350 void
5352 {
5353 // TODO
5354 /* Locate calls to __analyzer_dump_exploded_nodes. */
5355 // Print how many egs there are for them?
5356 /* Better: log them as we go, and record the exploded nodes
5357 in question. */
5359 /* Show every enode. */
5361 /* Gather them by stmt, so that we can more clearly see the
5362 "hotspots" requiring numerous exploded nodes. */
5364 /* Alternatively, simply throw them all into one big rich_location
5365 and see if the label-printing will sort it out...
5366 This requires them all to be in the same source file. */
5369 {
5375 {
5377 {
5380 else
5382 SHOW_RANGE_WITHOUT_CARET,
5384 }
5385 }
5388 /* Repeat the warning without all the labels, so that message is visible
5389 (the other one may well have scrolled past the terminal limit). */
5396 }
5398 /* Dump the egraph in textual form to a dump file. */
5400 {
5416 {
5419 pretty_printer pp;
5423 }
5426 }
5428 /* Dump the egraph in textual form to multiple dump files, one per enode. */
5430 {
5436 {
5446 pretty_printer pp;
5452 }
5453 }
5455 /* Emit a warning at any call to "__analyzer_dump_exploded_nodes",
5456 giving the number of processed exploded nodes for "before-stmt",
5457 and the IDs of processed, merger, and worklist enodes.
5459 We highlight the count of *processed* enodes since this is of most
5460 interest in DejaGnu tests for ensuring that state merger has
5461 happened.
5463 We don't show the count of merger and worklist enodes, as this is
5464 more of an implementation detail of the merging/worklist that we
5465 don't want to bake into our expected DejaGnu messages. */
5471 {
5479 {
5486 /* This is O(N^2). */
5490 {
5495 {
5507 }
5508 }
5510 pretty_printer pp;
5514 {
5517 }
5519 {
5522 }
5531 /* If the argument is non-zero, then print all of the states
5532 of the various enodes. */
5535 {
5539 }
5542 {
5545 {
5550 /* Dump state. */
5552 }
5553 }
5554 }
5555 }
5556 }
5558 DEBUG_FUNCTION exploded_node *
5560 {
5564 }
5566 /* Ensure that there is an exploded_node for a top-level call to FNDECL. */
5568 void
5570 {
5587 {
5591 else
5593 }
5594 }
5596 /* A collection of classes for visualizing the callgraph in .dot form
5597 (as represented in the supergraph). */
5599 /* Forward decls. */
5605 /* Traits for using "digraph.h" to visualize the callgraph. */
5607 struct viz_callgraph_traits
5608 {
5612 struct dump_args_t
5613 {
5616 };
5618 };
5620 /* Subclass of dnode representing a function within the callgraph. */
5623 {
5629 {
5631 }
5634 {
5652 {
5657 {
5659 num_enodes++;
5660 }
5664 // TODO: also show the per-callstring breakdown
5671 {
5673 //per_call_string_data *data = (*iter).second;
5676 {
5679 num_enodes++;
5680 }
5682 {
5685 }
5686 }
5688 /* Show any summaries. */
5691 {
5695 {
5701 }
5702 }
5703 }
5708 }
5711 {
5713 }
5720 };
5722 /* Subclass of dedge representing a callgraph edge. */
5725 {
5729 {}
5732 final override
5733 {
5749 }
5750 };
5752 /* Subclass of digraph representing the callgraph. */
5755 {
5760 {
5762 }
5765 {
5767 }
5771 };
5773 /* Placeholder subclass of cluster. */
5776 {
5777 };
5779 /* viz_callgraph's ctor. */
5782 {
5785 {
5787 viz_callgraph_node *vcg_node
5791 }
5796 {
5801 {
5803 viz_callgraph_edge *vcg_edge
5806 }
5807 }
5811 {
5814 }
5815 }
5817 /* Dump the callgraph to FILENAME. */
5819 static void
5822 {
5827 // TODO
5832 }
5834 /* Dump the callgraph to "<srcfile>.callgraph.dot". */
5836 static void
5838 {
5843 }
5845 /* Subclass of dot_annotator for implementing
5846 DUMP_BASE_NAME.supergraph-eg.dot, a post-analysis dump of the supergraph.
5848 Annotate the supergraph nodes by printing the exploded nodes in concise
5849 form within them, next to their pertinent statements where appropriate,
5850 colorizing the exploded nodes based on sm-state.
5851 Also show saved diagnostics within the exploded nodes, giving information
5852 on whether they were feasible, and, if infeasible, where the problem
5853 was. */
5856 {
5860 {
5861 /* Avoid O(N^2) by prepopulating m_enodes_per_snodes. */
5870 }
5872 /* Show exploded nodes for BEFORE_SUPERNODE points before N. */
5875 const final override
5876 {
5891 {
5898 }
5904 }
5906 /* Show exploded nodes for STMT. */
5909 const final override
5910 {
5921 {
5929 }
5932 {
5935 }
5936 }
5938 /* Show exploded nodes for AFTER_SUPERNODE points after N. */
5940 const final override
5941 {
5952 {
5958 }
5962 }
5965 /* Concisely print a TD element for ENODE, showing the index, status,
5966 and any saved_diagnostics at the enode. Colorize it to show sm-state.
5968 Ideally we'd dump ENODE's state here, hidden behind some kind of
5969 interactive disclosure method like a tooltip, so that the states
5970 can be explored without overwhelming the graph.
5971 However, I wasn't able to get graphviz/xdot to show tooltips on
5972 individual elements within a HTML-like label. */
5974 {
5982 {
5996 }
5999 /* Dump any saved_diagnostics at this enode. */
6001 {
6004 }
6007 }
6009 /* Print a TABLE element for SD, showing the kind, the length of the
6010 exploded_path, whether the path was feasible, and if infeasible,
6011 what the problem was. */
6014 {
6025 else
6029 {
6045 /* Ideally we'd print p->m_model here; see the notes above about
6046 tooltips. */
6047 }
6050 }
6054 };
6056 /* Implement -fdump-analyzer-json. */
6058 static void
6061 {
6066 {
6070 }
6076 pretty_printer pp;
6087 }
6089 /* Concrete subclass of plugin_analyzer_init_iface, allowing plugins
6090 to register new state machines. */
6093 {
6101 {}
6104 {
6107 }
6111 {
6114 }
6117 {
6119 }
6125 };
6127 /* Run the analysis "engine". */
6129 void
6131 {
6135 {
6140 }
6142 /* If using LTO, ensure that the cgraph nodes have function bodies. */
6147 /* Create the supergraph. */
6158 {
6159 /* Dump supergraph pre-analysis. */
6165 }
6168 {
6175 }
6185 logger);
6189 {
6194 }
6196 /* Extrinsic state shared by nodes in the graph. */
6201 /* The exploded graph. */
6203 analyzer_verbosity);
6205 /* Add entrypoints to the graph for externally-callable functions. */
6208 /* Now process the worklist, exploring the <point, state> graph. */
6215 {
6220 root_cluster c;
6223 }
6225 /* Now emit any saved diagnostics. */
6236 {
6237 /* Dump post-analysis form of supergraph. */
6244 }
6253 }
6255 /* Handle -fdump-analyzer and -fdump-analyzer-stderr. */
6258 /* Track if we're responsible for closing dump_fout. */
6261 /* If dumping is enabled, attempt to create dump_fout if it hasn't already
6262 been opened. Return it. */
6266 {
6268 {
6272 {
6278 }
6279 }
6281 }
6283 /* External entrypoint to the analysis "engine".
6284 Set up any dumps, then call impl_run_checkers. */
6286 void
6288 {
6289 /* Save input_location. */
6292 {
6302 /* end of lifetime of the_logger (so that dump file is closed after the
6303 various dtors run). */
6304 }
6307 {
6311 }
6313 /* Restore input_location. Subsequent passes may assume that input_location
6314 is some arbitrary value *not* in the block tree, which might be violated
6315 if we didn't restore it. */
6317 }