| blob | 61685f43fba0761cb228fc9c55798e101120d2f4 |
1 /* The analysis "engine".
2 Copyright (C) 2019-2023 Free Software Foundation, Inc.
3 Contributed by David Malcolm <dmalcolm@redhat.com>.
5 This file is part of GCC.
7 GCC is free software; you can redistribute it and/or modify it
8 under the terms of the GNU General Public License as published by
9 the Free Software Foundation; either version 3, or (at your option)
10 any later version.
12 GCC is distributed in the hope that it will be useful, but
13 WITHOUT ANY WARRANTY; without even the implied warranty of
14 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
15 General Public License for more details.
17 You should have received a copy of the GNU General Public License
18 along with GCC; see the file COPYING3. If not see
19 <http://www.gnu.org/licenses/>. */
22 #define INCLUDE_MEMORY
62 #include <zlib.h>
65 #include <memory>
72 /* For an overview, see gcc/doc/analyzer.texi. */
74 #if ENABLE_ANALYZER
78 /* class impl_region_model_context : public region_model_context. */
98 {
99 }
114 {
115 }
117 bool
119 {
122 {
126 }
128 {
133 {
135 && terminate_path
139 }
140 }
142 }
144 void
146 {
150 }
152 void
155 {
158 }
160 void
164 {
167 }
169 void
172 {
177 }
179 void
181 {
183 }
185 uncertainty_t *
187 {
189 }
191 /* Purge state involving SVAL. The region_model has already been purged,
192 so we only need to purge other state in the program_state:
193 the sm-state. */
195 void
197 {
202 }
204 void
206 {
209 }
211 void
213 {
216 }
218 /* struct setjmp_record. */
220 int
222 {
227 }
229 /* class setjmp_svalue : public svalue. */
231 /* Implementation of svalue::accept vfunc for setjmp_svalue. */
233 void
235 {
237 }
239 /* Implementation of svalue::dump_to_pp vfunc for setjmp_svalue. */
241 void
243 {
246 else
248 }
250 /* Get the index of the stored exploded_node. */
252 int
254 {
256 }
258 /* Concrete implementation of sm_context, wiring it up to the rest of this
259 file. */
262 {
283 {
284 }
289 {
290 impl_region_model_context old_ctxt
295 }
298 tree var) final override
299 {
302 /* Use NULL ctxt on this get_rvalue call to avoid triggering
303 uninitialized value warnings. */
310 }
313 {
319 }
323 tree var,
325 tree origin) final override
326 {
334 /* We use the new sval here to avoid issues with uninitialized values. */
340 var,
345 }
350 tree origin) final override
351 {
354 impl_region_model_context old_ctxt
364 {
373 }
376 }
379 tree var,
381 {
387 = (var
395 && terminate_path
398 }
403 {
407 = (sval
415 && terminate_path
418 }
420 /* Hook for picking more readable trees for SSA names of temporaries,
421 so that rather than e.g.
422 "double-free of '<unknown>'"
423 we can print:
424 "double-free of 'inbuf.data'". */
427 {
428 /* Only for SSA_NAMEs of temporaries; otherwise, return EXPR, as it's
429 likely to be the least surprising tree to report. */
437 /* Find trees for all regions storing the value. */
440 else
442 }
445 {
447 }
450 {
452 }
455 {
457 }
460 {
463 m_sm_idx);
464 }
467 {
471 impl_region_model_context old_ctxt
480 }
483 {
485 }
488 {
490 }
493 {
495 }
498 {
500 }
502 log_user m_logger;
512 /* Are we handling an external function with unknown side effects? */
514 };
516 bool
523 {
539 {
541 *out_sm_context
543 sm_idx,
545 m_enode_for_diag,
546 m_old_state,
547 m_new_state,
548 old_smap,
549 new_smap,
550 m_path_ctxt,
551 m_stmt_finder,
553 }
555 }
557 /* Subclass of stmt_finder for finding the best stmt to report the leak at,
558 given the emission path. */
561 {
567 {
569 }
572 final override
573 {
578 {
579 /* Locate the final write to this SSA name in the path. */
587 /* What was the next write to the underlying var
588 after the SSA name was set? (if any). */
593 {
597 idx,
606 {
611 }
612 }
613 }
615 not_found:
617 /* Look backwards for the first statement with a location. */
621 {
624 i,
633 }
637 }
641 tree m_var;
642 };
644 /* A measurement of how good EXPR is for presenting to the user, so
645 that e.g. we can say prefer printing
646 "leak of 'tmp.m_ptr'"
647 over:
648 "leak of '<unknown>'". */
650 static int
652 {
653 /* Arbitrarily-chosen "high readability" value. */
658 {
661 /* Impose a slight readability penalty relative to that of
662 operand 0. */
666 {
668 {
670 {
671 /* If we have an SSA name for an artificial var,
672 only use it if it has a debug expr associated with
673 it that fixup_tree_for_diagnostic can use. */
676 }
677 else
678 {
679 /* Slightly favor the underlying var over the SSA name to
680 avoid having them compare equal. */
682 }
683 }
684 /* Avoid printing '<unknown>' for SSA names for temporaries. */
686 }
693 else
694 /* We don't want to print temporaries. For example, the C FE
695 prints them as e.g. "<Uxxxx>" where "xxxx" is the low 16 bits
696 of the tree pointer (see pp_c_tree_decl_identifier). */
700 /* Printing "<return-value>" isn't ideal, but is less awful than
701 trying to print a temporary. */
705 {
706 /* Impose a moderate readability penalty for casts. */
709 }
716 }
719 }
721 /* A qsort comparator for trees to sort them into most user-readable to
722 least user-readable. */
724 int
726 {
733 /* Favor items that are deeper on the stack and hence more recent;
734 this also favors locals over globals. */
739 /* Combine the scores from the tree and from the stack depth.
740 This e.g. lets us have a slightly penalized cast in the most
741 recent stack frame "beat" an uncast value in an older stack frame. */
747 /* Otherwise, more readable trees win. */
751 /* Otherwise, if they have the same readability, then impose an
752 arbitrary deterministic ordering on them. */
758 {
772 }
774 /* TODO: We ought to find ways of sorting such cases. */
776 }
778 /* Return true is SNODE is the EXIT node of a function, or is one
779 of the final snodes within its function.
781 Specifically, handle the final supernodes before the EXIT node,
782 for the case of clobbers that happen immediately before exiting.
783 We need a run of snodes leading to the return_p snode, where all edges are
784 intraprocedural, and every snode has just one successor.
786 We use this when suppressing leak reports at the end of "main". */
788 static bool
790 {
797 {
807 /* Impose a limit to ensure we terminate for pathological cases.
809 We only care about the final 3 nodes, due to cases like:
810 BB:
811 (clobber causing leak)
813 BB:
814 <label>:
815 return _val;
817 EXIT BB.*/
820 }
821 }
823 /* Find the best tree for SVAL and call SM's on_leak vfunc with it.
824 If on_leak returns a pending_diagnostic, queue it up to be reported,
825 so that we potentially complain about a leak of SVAL in the given STATE. */
827 void
831 {
835 {
840 }
845 /* m_old_state also needs to be non-NULL so that the sm_ctxt can look
846 up the old state of SVAL. */
849 /* SVAL has leaked within the new state: it is not used by any reachable
850 regions.
851 We need to convert it back to a tree, but since it's likely no regions
852 use it, we have to find the "best" tree for it in the old_state. */
853 svalue_set visited;
854 path_var leaked_pv
858 /* Strip off top-level casts */
862 /* This might be NULL; the pending_diagnostic subclasses need to cope
863 with this. */
866 {
869 else
871 }
876 /* Don't complain about leaks when returning from "main". */
878 {
881 {
885 }
886 }
895 }
897 /* Implementation of region_model_context::on_condition vfunc.
898 Notify all state machines about the condition, which could lead to
899 state transitions. */
901 void
905 {
909 {
915 m_path_ctxt);
917 (m_enode_for_diag
920 m_stmt,
922 }
923 }
925 /* Implementation of region_model_context::on_bounded_ranges vfunc.
926 Notify all state machines about the ranges, which could lead to
927 state transitions. */
929 void
932 {
936 {
942 m_path_ctxt);
944 (m_enode_for_diag
948 }
949 }
951 /* Implementation of region_model_context::on_pop_frame vfunc.
952 Notify all state machines about the frame being popped, which
953 could lead to states being discarded. */
955 void
957 {
961 {
964 }
965 }
967 /* Implementation of region_model_context::on_phi vfunc.
968 Notify all state machines about the phi, which could lead to
969 state transitions. */
971 void
973 {
977 {
983 m_path_ctxt);
985 }
986 }
988 /* Implementation of region_model_context::on_unexpected_tree_code vfunc.
989 Mark the new state as being invalid for further exploration.
990 TODO(stage1): introduce a warning for when this occurs. */
992 void
995 {
1005 }
1007 /* struct point_and_state. */
1009 /* Assert that this object is sane. */
1011 void
1013 {
1014 /* Skip this in a release build. */
1015 #if !CHECKING_P
1017 #endif
1023 /* Verify that the callstring's model of the stack corresponds to that
1024 of the region_model. */
1025 /* They should have the same depth. */
1028 /* Check the functions in the callstring vs those in the frames
1029 at each depth. */
1033 {
1037 }
1038 }
1040 /* Subroutine of print_enode_indices: print a run of indices from START_IDX
1041 to END_IDX to PP, using and updating *FIRST_RUN. */
1043 static void
1046 {
1052 else
1054 }
1056 /* Print the indices within ENODES to PP, collecting them as
1057 runs/singletons e.g. "EN: 4-7, EN: 20-23, EN: 42". */
1059 static void
1062 {
1069 {
1071 {
1074 }
1075 else
1076 {
1078 /* Continuation of a run. */
1080 else
1081 {
1082 /* Finish existing run, start a new one. */
1088 }
1089 }
1090 }
1091 /* Finish any existing run. */
1093 {
1097 }
1098 }
1100 /* struct eg_traits::dump_args_t. */
1102 /* The <FILENAME>.eg.dot output can quickly become unwieldy if we show
1103 full details for all enodes (both in terms of CPU time to render it,
1104 and in terms of being meaningful to a human viewing it).
1106 If we show just the IDs then the resulting graph is usually viewable,
1107 but then we have to keep switching back and forth between the .dot
1108 view and other dumps.
1110 This function implements a heuristic for showing detail at the enodes
1111 that (we hope) matter, and just the ID at other enodes, fixing the CPU
1112 usage of the .dot viewer, and drawing the attention of the viewer
1113 to these enodes.
1115 Return true if ENODE should be shown in detail in .dot output.
1116 Return false if no detail should be shown for ENODE. */
1118 bool
1120 {
1121 /* If the number of exploded nodes isn't too large, we may as well show
1122 all enodes in full detail in the .dot output. */
1127 /* Otherwise, assume that what's most interesting are state explosions,
1128 and thus the places where this happened.
1129 Expand enodes at program points where we hit the per-enode limit, so we
1130 can investigate what exploded. */
1134 }
1136 /* class exploded_node : public dnode<eg_traits>. */
1140 {
1142 {
1148 }
1149 }
1151 /* exploded_node's ctor. */
1157 {
1159 }
1161 /* Get the stmt that was processed in this enode at index IDX.
1162 IDX is an index within the stmts processed at this enode, rather
1163 than within those of the supernode. */
1167 {
1176 }
1178 /* For use by dump_dot, get a value for the .dot "fillcolor" attribute.
1179 Colorize by sm-state, to make it easier to see how sm-state propagates
1180 through the exploded_graph. */
1184 {
1187 /* We want to be able to easily distinguish the no-sm-state case,
1188 and to be able to distinguish cases where there's a single state
1189 from each other.
1191 Sum the sm_states, and use the result to choose from a table,
1192 modulo table-size, special-casing the "no sm-state" case. */
1197 {
1203 }
1206 {
1207 /* An arbitrarily-picked collection of light colors. */
1214 }
1215 else
1216 /* No sm-state. */
1218 }
1220 /* Implementation of dnode::dump_dot vfunc for exploded_node. */
1222 void
1224 {
1240 {
1251 }
1261 /* It can be hard to locate the saved diagnostics as text within the
1262 enode nodes, so add extra nodes to the graph for each saved_diagnostic,
1263 highlighted in red.
1264 Compare with dump_saved_diagnostics. */
1265 {
1269 {
1272 /* Add edge connecting this enode to the saved_diagnostic. */
1278 }
1279 }
1282 }
1284 /* Show any stmts that were processed within this enode,
1285 and their index within the supernode. */
1286 void
1288 {
1290 {
1299 {
1305 }
1306 }
1307 }
1309 /* Dump any saved_diagnostics at this enode to PP. */
1311 void
1313 {
1317 {
1321 }
1322 }
1324 /* Dump this to PP in a form suitable for use as an id in .dot output. */
1326 void
1328 {
1330 }
1332 /* Dump a multiline representation of this node to PP. */
1334 void
1337 {
1347 }
1349 /* Dump a multiline representation of this node to FILE. */
1351 void
1354 {
1355 pretty_printer pp;
1361 }
1363 /* Dump a multiline representation of this node to stderr. */
1365 DEBUG_FUNCTION void
1367 {
1369 }
1371 /* Return a new json::object of the form
1372 {"point" : object for program_point,
1373 "state" : object for program_state,
1374 "status" : str,
1375 "idx" : int,
1376 "processed_stmts" : int}. */
1380 {
1391 }
1395 /* Return true if FNDECL has a gimple body. */
1396 // TODO: is there a pre-canned way to do this?
1398 bool
1400 {
1409 }
1413 /* Modify STATE in place, applying the effects of the stmt at this node's
1414 point. */
1423 {
1427 {
1431 }
1433 /* Update input_location in case of ICE: make it easier to track down which
1434 source construct we're failing to handle. */
1439 /* Preserve the old state. It is used here for looking
1440 up old checker states, for determining state transitions, and
1441 also within impl_region_model_context and impl_sm_context for
1442 going from tree to svalue_id. */
1449 /* Handle call summaries here. */
1453 {
1455 per_function_data *called_fn_data
1459 snode,
1461 state,
1462 path_ctxt,
1463 called_fn,
1464 called_fn_data,
1466 }
1480 {
1487 unknown_side_effects);
1489 /* Allow the state_machine to handle the stmt. */
1492 }
1500 }
1502 /* Handle the pre-sm-state part of STMT, modifying STATE in-place.
1503 Write true to *OUT_TERMINATE_PATH if the path should be terminated.
1504 Write true to *OUT_UNKNOWN_SIDE_EFFECTS if the stmt has unknown
1505 side effects. */
1507 void
1514 {
1515 /* Handle special-case calls that require the full program_state. */
1517 {
1519 {
1520 /* Handle the builtin "__analyzer_dump" by dumping state
1521 to stderr. */
1524 }
1526 {
1528 ctxt);
1530 }
1532 {
1535 }
1537 {
1541 }
1542 }
1544 /* Otherwise, defer to m_region_model. */
1546 out_unknown_side_effects,
1547 ctxt);
1548 }
1550 /* Handle the post-sm-state part of STMT, modifying STATE in-place. */
1552 void
1557 {
1560 }
1562 /* A concrete call_info subclass representing a replay of a call summary. */
1565 {
1575 {}
1580 {
1581 /* Update STATE based on summary_end_state. */
1586 }
1591 {
1592 /* Update STATE based on summary_end_state. */
1598 }
1601 {
1603 }
1609 };
1611 /* Use PATH_CTXT to bifurcate, which when handled will add custom edges
1612 for a replay of the various feasible summaries in CALLED_FN_DATA. */
1623 {
1630 /* Each summary will call bifurcate on the PATH_CTXT. */
1637 }
1639 /* Use PATH_CTXT to bifurcate, which when handled will add a
1640 custom edge for a replay of SUMMARY, if the summary's
1641 conditions are feasible based on the current state. */
1643 void
1652 {
1669 {
1681 }
1690 called_fn,
1691 summary,
1692 ext_state));
1693 }
1696 /* Consider the effect of following superedge SUCC from this node.
1698 Return true if it's feasible to follow the edge, or false
1699 if it's infeasible.
1701 Examples: if it's the "true" branch within
1702 a CFG and we know the conditional is false, we know it's infeasible.
1703 If it's one of multiple interprocedual "return" edges, then only
1704 the edge back to the most recent callsite is feasible.
1706 Update NEXT_STATE accordingly (e.g. to record that a condition was
1707 true or false, or that the NULL-ness of a pointer has been checked,
1708 pushing/popping stack frames, etc).
1710 Update NEXT_POINT accordingly (updating the call string). */
1712 bool
1718 {
1728 }
1730 /* Verify that the stack at LONGJMP_POINT is still valid, given a call
1731 to "setjmp" at SETJMP_POINT - the stack frame that "setjmp" was
1732 called in must still be valid.
1734 Caveat: this merely checks the call_strings in the points; it doesn't
1735 detect the case where a frame returns and is then called again. */
1737 static bool
1740 {
1747 /* Check that the call strings match, up to the depth of the
1748 setjmp point. */
1754 }
1756 /* A pending_diagnostic subclass for complaining about bad longjmps,
1757 where the enclosing function of the "setjmp" has returned (and thus
1758 the stack frame no longer exists). */
1761 {
1767 {}
1770 {
1772 }
1775 {
1776 return warning_at
1781 }
1787 {
1790 }
1792 bool
1795 final override
1796 {
1797 /* Detect exactly when the stack first becomes invalid,
1798 and issue an event then. */
1807 {
1808 /* Compare with diagnostic_manager::add_events_for_superedge. */
1813 src_stack_depth),
1815 emission_path->add_event
1818 }
1820 }
1823 {
1830 else
1835 }
1841 program_point m_setjmp_point;
1843 };
1845 /* Handle LONGJMP_CALL, a call to longjmp or siglongjmp.
1847 Attempt to locate where setjmp/sigsetjmp was called on the jmp_buf and build
1848 an exploded_node and exploded_edge to it representing a rewind to that frame,
1849 handling the various kinds of failure that can occur. */
1851 void
1856 {
1863 ctxt);
1874 /* Build a custom enode and eedge for rewinding from the longjmp/siglongjmp
1875 call back to the setjmp/sigsetjmp. */
1883 /* Verify that the setjmp's call_stack hasn't been popped. */
1885 {
1887 longjmp_call,
1888 setjmp_point));
1890 }
1895 /* Update the state for use by the destination node. */
1897 /* Stash the current number of diagnostics so that we can update
1898 any that this adds to show where the longjmp is rewinding to. */
1906 /* Detect leaks in the new state relative to the old state. */
1910 program_point next_point
1914 exploded_node *next
1917 /* Create custom exploded_edge for a longjmp. */
1919 {
1920 exploded_edge *eedge
1924 /* For any diagnostics that were queued here (such as leaks) we want
1925 the checker_path to show the rewinding events after the "final event"
1926 so that the user sees where the longjmp is rewinding to (otherwise the
1927 path is meaningless).
1929 For example, we want to emit something like:
1930 | NN | {
1931 | NN | longjmp (env, 1);
1932 | | ~~~~~~~~~~~~~~~~
1933 | | |
1934 | | (10) 'ptr' leaks here; was allocated at (7)
1935 | | (11) rewinding from 'longjmp' in 'inner'...
1936 |
1937 <-------------+
1938 |
1939 'outer': event 12
1940 |
1941 | NN | i = setjmp(env);
1942 | | ^~~~~~
1943 | | |
1944 | | (12) ...to 'setjmp' in 'outer' (saved at (2))
1946 where the "final" event above is event (10), but we want to append
1947 events (11) and (12) afterwards.
1949 Do this by setting m_trailing_eedge on any diagnostics that were
1950 just saved. */
1953 {
1956 }
1957 }
1958 }
1960 /* Subroutine of exploded_graph::process_node for finding the successors
1961 of the supernode for a function exit basic block.
1963 Ensure that pop_frame is called, potentially queuing diagnostics about
1964 leaks. */
1966 void
1968 {
1973 /* If we're not a "top-level" function, do nothing; pop_frame
1974 will be called when handling the return superedge. */
1978 /* We have a "top-level" function. */
1983 /* Work with a temporary copy of the state: pop the frame, and see
1984 what leaks (via purge_unused_svalues). */
1989 uncertainty_t uncertainty;
1997 }
1999 /* Dump the successors and predecessors of this enode to OUTF. */
2001 void
2003 {
2006 {
2010 pretty_printer pp;
2014 }
2015 {
2019 pretty_printer pp;
2023 }
2024 }
2026 /* class dynamic_call_info_t : public custom_edge_info. */
2028 /* Implementation of custom_edge_info::update_model vfunc
2029 for dynamic_call_info_t.
2031 Update state for a dynamically discovered call (or return), by pushing
2032 or popping the a frame for the appropriate function. */
2034 bool
2038 {
2042 else
2043 {
2046 }
2048 }
2050 /* Implementation of custom_edge_info::add_events_to_path vfunc
2051 for dynamic_call_info_t. */
2053 void
2056 {
2065 emission_path->add_event
2071 dest_stack_depth)));
2072 else
2073 emission_path->add_event
2079 src_stack_depth)));
2080 }
2082 /* class rewind_info_t : public custom_edge_info. */
2084 /* Implementation of custom_edge_info::update_model vfunc
2085 for rewind_info_t.
2087 Update state for the special-case of a rewind of a longjmp
2088 to a setjmp (which doesn't have a superedge, but does affect
2089 state). */
2091 bool
2095 {
2107 }
2109 /* Implementation of custom_edge_info::add_events_to_path vfunc
2110 for rewind_info_t. */
2112 void
2115 {
2123 emission_path->add_event
2128 src_stack_depth),
2130 emission_path->add_event
2135 dst_stack_depth),
2137 }
2139 /* class exploded_edge : public dedge<eg_traits>. */
2141 /* exploded_edge's ctor. */
2148 {
2149 }
2151 /* Implementation of dedge::dump_dot vfunc for exploded_edge.
2152 Use the label of the underlying superedge, if any. */
2154 void
2156 {
2163 }
2165 /* Second half of exploded_edge::dump_dot. This is split out
2166 for use by trimmed_graph::dump_dot and base_feasible_edge::dump_dot. */
2168 void
2170 {
2178 {
2185 //constraint = "false";
2189 //constraint = "false";
2194 }
2196 {
2199 }
2211 //pp_write_text_as_dot_label_to_stream (pp, /*for_record=*/false);
2214 }
2216 /* Return a new json::object of the form
2217 {"src_idx": int, the index of the source exploded edge,
2218 "dst_idx": int, the index of the destination exploded edge,
2219 "sedge": (optional) object for the superedge, if any,
2220 "custom": (optional) str, a description, if this is a custom edge}. */
2224 {
2231 {
2232 pretty_printer pp;
2236 }
2238 }
2240 /* struct stats. */
2242 /* stats' ctor. */
2248 {
2251 }
2253 /* Log these stats in multiline form to LOGGER. */
2255 void
2257 {
2266 m_node_reuse_after_merge_count);
2267 }
2269 /* Dump these stats in multiline form to OUT. */
2271 void
2273 {
2281 m_node_reuse_after_merge_count);
2286 }
2288 /* Return the total number of enodes recorded within this object. */
2290 int
2292 {
2297 }
2299 /* struct per_function_data. */
2302 {
2305 }
2307 void
2309 {
2311 }
2313 /* strongly_connected_components's ctor. Tarjan's SCC algorithm. */
2318 {
2331 }
2333 /* Dump this object to stderr. */
2335 DEBUG_FUNCTION void
2337 {
2339 {
2343 }
2344 }
2346 /* Return a new json::array of per-snode SCC ids. */
2350 {
2355 }
2357 /* Subroutine of strongly_connected_components's ctor, part of Tarjan's
2358 SCC algorithm. */
2360 void
2362 {
2365 /* Set the depth index for v to the smallest unused index. */
2371 index++;
2373 /* Consider successors of v. */
2377 {
2384 {
2385 /* Successor w has not yet been visited; recurse on it. */
2388 }
2390 {
2391 /* Successor w is in stack S and hence in the current SCC
2392 If w is not on stack, then (v, w) is a cross-edge in the DFS
2393 tree and must be ignored. */
2395 }
2396 }
2398 /* If v is a root node, pop the stack and generate an SCC. */
2401 {
2408 }
2409 }
2411 /* worklist's ctor. */
2417 {
2418 }
2420 /* Return the number of nodes in the worklist. */
2422 unsigned
2424 {
2426 }
2428 /* Return the next node in the worklist, removing it. */
2430 exploded_node *
2432 {
2434 }
2436 /* Return the next node in the worklist without removing it. */
2438 exploded_node *
2440 {
2442 }
2444 /* Add ENODE to the worklist. */
2446 void
2448 {
2451 }
2453 /* Comparator for implementing worklist::key_t comparison operators.
2454 Return negative if KA is before KB
2455 Return positive if KA is after KB
2456 Return 0 if they are equal.
2458 The ordering of the worklist is critical for performance and for
2459 avoiding node explosions. Ideally we want all enodes at a CFG join-point
2460 with the same callstring to be sorted next to each other in the worklist
2461 so that a run of consecutive enodes can be merged and processed "in bulk"
2462 rather than individually or pairwise, minimizing the number of new enodes
2463 created. */
2465 int
2467 {
2473 /* Order empty-callstring points with different functions based on the
2474 analysis_plan, so that we generate summaries before they are used. */
2481 {
2485 }
2487 /* Sort by callstring, so that nodes with deeper call strings are processed
2488 before those with shallower call strings.
2489 If we have
2490 splitting BB
2491 / \
2492 / \
2493 fn call no fn call
2494 \ /
2495 \ /
2496 join BB
2497 then we want the path inside the function call to be fully explored up
2498 to the return to the join BB before we explore on the "no fn call" path,
2499 so that both enodes at the join BB reach the front of the worklist at
2500 the same time and thus have a chance of being merged. */
2505 /* Order by SCC. */
2511 /* If in same SCC, order by supernode index (an arbitrary but stable
2512 ordering). */
2516 {
2518 /* One is NULL. */
2520 else
2521 /* Both are NULL. */
2523 }
2525 /* One is NULL. */
2527 /* Neither are NULL. */
2534 /* Order within supernode via program point. */
2535 int within_snode_cmp
2541 /* Otherwise, we ought to have the same program_point. */
2547 /* Sort by sm-state, so that identical sm-states are grouped
2548 together in the worklist. */
2551 {
2557 }
2559 /* Otherwise, we have two enodes at the same program point but with
2560 different states. We don't have a good total ordering on states,
2561 so order them by enode index, so that we have at least have a
2562 stable sort. */
2564 }
2566 /* Return a new json::object of the form
2567 {"scc" : [per-snode-IDs]}, */
2571 {
2576 /* The following field isn't yet being JSONified:
2577 queue_t m_queue; */
2580 }
2582 /* exploded_graph's ctor. */
2598 {
2599 m_origin = get_or_create_node
2604 }
2606 /* exploded_graph's dtor. */
2609 {
2618 }
2620 /* Subroutine for use when implementing __attribute__((tainted_args))
2621 on functions and on function pointer fields in structs.
2623 Called on STATE representing a call to FNDECL.
2624 Mark all params of FNDECL in STATE as "tainted". Mark the value of all
2625 regions pointed to by params of FNDECL as "tainted".
2627 Return true if successful; return false if the "taint" state machine
2628 was not found. */
2630 static bool
2633 {
2649 {
2658 {
2660 /* Mark "*param" as tainted. */
2665 }
2666 }
2669 }
2671 /* Custom event for use by tainted_args_function_info when a function
2672 has been marked with __attribute__((tainted_args)). */
2675 {
2680 {
2681 }
2684 {
2685 return make_label_text
2688 m_fndecl);
2689 }
2692 tree m_fndecl;
2693 };
2695 /* Custom exploded_edge info for top-level calls to a function
2696 marked with __attribute__((tainted_args)). */
2699 {
2703 {}
2706 {
2708 };
2713 {
2714 /* No-op. */
2716 }
2720 {
2721 emission_path->add_event
2724 }
2727 tree m_fndecl;
2728 };
2730 /* Ensure that there is an exploded_node representing an external call to
2731 FUN, adding it to the worklist if creating it.
2733 Add an edge from the origin exploded_node to the function entrypoint
2734 exploded_node.
2736 Return the exploded_node for the entrypoint to the function. */
2738 exploded_node *
2740 {
2743 /* Be idempotent. */
2745 {
2750 }
2752 program_point point
2761 {
2764 }
2778 }
2780 /* Get or create an exploded_node for (POINT, STATE).
2781 If a new node is created, it is added to the worklist.
2783 Use ENODE_FOR_DIAG, a pre-existing enode, for any diagnostics
2784 that need to be emitted (e.g. when purging state *before* we have
2785 a new enode). */
2787 exploded_node *
2791 {
2795 {
2806 }
2808 /* Stop exploring paths for which we don't know how to effectively
2809 model the state. */
2811 {
2815 }
2821 //state.dump (get_ext_state ());
2823 /* Prune state to try to improve the chances of a cache hit,
2824 avoiding generating redundant nodes. */
2825 uncertainty_t uncertainty;
2826 program_state pruned_state
2831 //pruned_state.dump (get_ext_state ());
2834 {
2842 }
2846 stats *per_cs_stats
2852 {
2853 /* An exploded_node for PS already exists. */
2860 }
2862 per_program_point_data *per_point_data
2865 /* Consider merging state with another enode at this program_point. */
2867 {
2871 {
2878 /* This merges successfully within the loop. */
2883 {
2889 /* Try again for a cache hit.
2890 Whether we get one or not, merged_state's value_ids have no
2891 relationship to those of the input state, and thus to those
2892 of CHANGE, so we must purge any svalue_ids from *CHANGE. */
2896 {
2897 /* An exploded_node for PS already exists. */
2904 }
2905 }
2906 else
2910 }
2911 }
2913 /* Impose a limit on the number of enodes per program point, and
2914 simply stop if we exceed it. */
2917 {
2918 pretty_printer pp;
2929 }
2933 /* An exploded_node for "ps" doesn't already exist; create one. */
2938 /* Update per-program_point data. */
2950 {
2962 }
2964 /* Add the new node to the worlist. */
2967 }
2969 /* Add an exploded_edge from SRC to DEST, recording its association
2970 with SEDGE (which may be NULL), and, if non-NULL, taking ownership
2971 of CUSTOM_INFO.
2972 Return the newly-created eedge. */
2974 exploded_edge *
2978 {
2986 }
2988 /* Ensure that this graph has per-program_point-data for POINT;
2989 borrow a pointer to it. */
2991 per_program_point_data *
2994 {
3001 }
3003 /* Get this graph's per-program-point-data for POINT if there is any,
3004 otherwise NULL. */
3006 per_program_point_data *
3008 {
3014 }
3016 /* Ensure that this graph has per-call_string-data for CS;
3017 borrow a pointer to it. */
3019 per_call_string_data *
3021 {
3027 data);
3029 }
3031 /* Ensure that this graph has per-function-data for FUN;
3032 borrow a pointer to it. */
3034 per_function_data *
3036 {
3043 }
3045 /* Get this graph's per-function-data for FUN if there is any,
3046 otherwise NULL. */
3048 per_function_data *
3050 {
3056 }
3058 /* Return true if FUN should be traversed directly, rather than only as
3059 called via other functions. */
3061 static bool
3063 {
3064 /* Don't directly traverse into functions that have an "__analyzer_"
3065 prefix. Doing so is useful for the analyzer test suite, allowing
3066 us to have functions that are called in traversals, but not directly
3067 explored, thus testing how the analyzer handles calls and returns.
3068 With this, we can have DejaGnu directives that cover just the case
3069 of where a function is called by another function, without generating
3070 excess messages from the case of the first function being traversed
3071 directly. */
3075 {
3080 }
3086 }
3088 /* Custom event for use by tainted_call_info when a callback field has been
3089 marked with __attribute__((tainted_args)), for labelling the field. */
3092 {
3097 {
3098 }
3101 {
3103 "field %qE of %qT"
3106 }
3109 tree m_field;
3110 };
3112 /* Custom event for use by tainted_call_info when a callback field has been
3113 marked with __attribute__((tainted_args)), for labelling the function used
3114 in that callback. */
3117 {
3120 tree field)
3123 {
3124 }
3127 {
3129 "function %qE used as initializer for field %qE"
3132 }
3135 tree m_field;
3136 };
3138 /* Custom edge info for use when adding a function used by a callback field
3139 marked with '__attribute__((tainted_args))'. */
3142 {
3146 {}
3149 {
3151 };
3156 {
3157 /* No-op. */
3159 }
3163 {
3164 /* Show the field in the struct declaration, e.g.
3165 "(1) field 'store' is marked with '__attribute__((tainted_args))'" */
3166 emission_path->add_event
3169 /* Show the callback in the initializer
3170 e.g.
3171 "(2) function 'gadget_dev_desc_UDC_store' used as initializer
3172 for field 'store' marked with '__attribute__((tainted_args))'". */
3173 emission_path->add_event
3176 m_field));
3177 }
3180 tree m_field;
3181 tree m_fndecl;
3182 location_t m_loc;
3183 };
3185 /* Given an initializer at LOC for FIELD marked with
3186 '__attribute__((tainted_args))' initialized with FNDECL, add an
3187 entrypoint to FNDECL to EG (and to its worklist) where the params to
3188 FNDECL are marked as tainted. */
3190 static void
3192 location_t loc)
3193 {
3206 program_point point
3220 {
3224 else
3225 {
3227 fndecl);
3229 }
3230 }
3234 }
3236 /* Callback for walk_tree for finding callbacks within initializers;
3237 ensure that any callback initializer where the corresponding field is
3238 marked with '__attribute__((tainted_args))' is treated as an entrypoint
3239 to the analysis, special-casing that the inputs to the callback are
3240 untrustworthy. */
3242 static tree
3244 {
3247 {
3248 /* Find fields with the "tainted_args" attribute.
3249 walk_tree only walks the values, not the index values;
3250 look at the index values. */
3255 idx++)
3258 {
3265 }
3266 }
3269 }
3271 /* Add initial nodes to EG, with entrypoints for externally-callable
3272 functions. */
3274 void
3276 {
3282 {
3288 {
3292 else
3294 }
3295 }
3297 /* Find callbacks that are reachable from global initializers. */
3300 {
3306 }
3307 }
3309 /* The main loop of the analysis.
3310 Take freshly-created exploded_nodes from the worklist, calling
3311 process_node on them to explore the <point, state> graph.
3312 Add edges to their successors, potentially creating new successors
3313 (which are also added to the worklist). */
3315 void
3317 {
3323 {
3332 /* If we have a run of nodes that are before-supernode, try merging and
3333 processing them together, rather than pairwise or individually. */
3338 /* Avoid exponential explosions of nodes by attempting to merge
3339 nodes that are at the same program point and which have
3340 sufficiently similar state. */
3343 {
3355 {
3358 {
3362 logger->log_partial
3367 }
3371 /* They shouldn't be equal, or we wouldn't have two
3372 separate nodes. */
3378 {
3384 {
3385 /* Then merge node_2 into node by adding an edge. */
3388 /* Remove node_2 from the worklist. */
3392 /* Continue processing "node" below. */
3393 }
3395 {
3396 /* Then merge node into node_2, and leave node_2
3397 in the worklist, to be processed on the next
3398 iteration. */
3402 }
3403 else
3404 {
3405 /* We have a merged state that differs from
3406 both state and state_2. */
3408 /* Remove node_2 from the worklist. */
3411 /* Create (or get) an exploded node for the merged
3412 states, adding to the worklist. */
3413 exploded_node *merged_enode
3424 /* "node" and "node_2" have both now been removed
3425 from the worklist; we should not process them.
3427 "merged_enode" may be a new node; if so it will be
3428 processed in a subsequent iteration.
3429 Alternatively, "merged_enode" could be an existing
3430 node; one way the latter can
3431 happen is if we end up merging a succession of
3432 similar nodes into one. */
3434 /* If merged_node is one of the two we were merging,
3435 add it back to the worklist to ensure it gets
3436 processed.
3438 Add edges from the merged nodes to it (but not a
3439 self-edge). */
3442 else
3443 {
3446 }
3450 else
3451 {
3454 }
3457 }
3458 }
3460 /* TODO: should we attempt more than two nodes,
3461 or just do pairs of nodes? (and hope that we get
3462 a cascade of mergers). */
3463 }
3464 }
3468 handle_limit:
3469 /* Impose a hard limit on the number of exploded nodes, to ensure
3470 that the analysis terminates in the face of pathological state
3471 explosion (or bugs).
3473 Specifically, the limit is on the number of PK_AFTER_SUPERNODE
3474 exploded nodes, looking at supernode exit events.
3476 We use exit rather than entry since there can be multiple
3477 entry ENs, one per phi; the number of PK_AFTER_SUPERNODE ought
3478 to be equivalent to the number of supernodes multiplied by the
3479 number of states. */
3482 {
3486 OPT_Wanalyzer_too_complex,
3487 "analysis bailed out early"
3492 }
3493 }
3494 }
3496 /* Attempt to process a consecutive run of sufficiently-similar nodes in
3497 the worklist at a CFG join-point (having already popped ENODE from the
3498 head of the worklist).
3500 If ENODE's point is of the form (before-supernode, SNODE) and the next
3501 nodes in the worklist are a consecutive run of enodes of the same form,
3502 for the same supernode as ENODE (but potentially from different in-edges),
3503 process them all together, setting their status to STATUS_BULK_MERGED,
3504 and return true.
3505 Otherwise, return false, in which case ENODE must be processed in the
3506 normal way.
3508 When processing them all together, generate successor states based
3509 on phi nodes for the appropriate CFG edges, and then attempt to merge
3510 these states into a minimal set of merged successor states, partitioning
3511 the inputs by merged successor state.
3513 Create new exploded nodes for all of the merged states, and add edges
3514 connecting the input enodes to the corresponding merger exploded nodes.
3516 We hope we have a much smaller number of merged successor states
3517 compared to the number of input enodes - ideally just one,
3518 if all successor states can be merged.
3520 Processing and merging many together as one operation rather than as
3521 pairs avoids scaling issues where per-pair mergers could bloat the
3522 graph with merger nodes (especially so after switch statements). */
3524 bool
3527 {
3528 /* A struct for tracking per-input state. */
3529 struct item
3530 {
3535 {}
3538 program_state m_processed_state;
3540 };
3555 /* Find a run of enodes in the worklist that are before the same supernode,
3556 but potentially from different in-edges. */
3560 {
3570 {
3573 }
3574 else
3576 }
3578 /* If the only node is ENODE, then give up. */
3586 /* All of these enodes have a shared successor point (even if they
3587 were for different in-edges). */
3590 /* Calculate the successor state for each enode in enodes. */
3595 {
3603 {
3604 uncertainty_t uncertainty;
3613 }
3615 }
3617 /* Attempt to partition the items into a set of merged states.
3618 We hope we have a much smaller number of merged states
3619 compared to the number of input enodes - ideally just one,
3620 if all can be merged. */
3625 {
3630 {
3635 {
3643 }
3644 }
3645 /* If it couldn't be merged with any existing merged_states,
3646 create a new one. */
3648 {
3655 }
3656 got_merger:
3659 }
3661 /* Create merger nodes. */
3665 {
3666 exploded_node *src_enode
3668 exploded_node *next
3670 /* "next" could be NULL; we handle that when adding the edges below. */
3673 {
3676 else
3678 }
3679 }
3681 /* Create edges from each input enode to the appropriate successor enode.
3682 Update the status of the now-processed input enodes. */
3684 {
3689 }
3696 }
3698 /* Return true if STMT must appear at the start of its exploded node, and
3699 thus we can't consolidate its effects within a run of other statements,
3700 where PREV_STMT was the previous statement. */
3702 static bool
3705 {
3707 {
3708 /* Stop consolidating at calls to
3709 "__analyzer_dump_exploded_nodes", so they always appear at the
3710 start of an exploded_node. */
3715 /* sm-signal.cc injects an additional custom eedge at "signal" calls
3716 from the registration enode to the handler enode, separate from the
3717 regular next state, which defeats the "detect state change" logic
3718 in process_node. Work around this via special-casing, to ensure
3719 we split the enode immediately before any "signal" call. */
3722 }
3724 /* If we had a PREV_STMT with an unknown location, and this stmt
3725 has a known location, then if a state change happens here, it
3726 could be consolidated into PREV_STMT, giving us an event with
3727 no location. Ensure that STMT gets its own exploded_node to
3728 avoid this. */
3734 }
3736 /* Return true if OLD_STATE and NEW_STATE are sufficiently different that
3737 we should split enodes and create an exploded_edge separating them
3738 (which makes it easier to identify state changes of intereset when
3739 constructing checker_paths). */
3741 static bool
3744 {
3745 /* Changes in dynamic extents signify creations of heap/alloca regions
3746 and resizings of heap regions; likely to be of interest in
3747 diagnostic paths. */
3752 /* Changes in sm-state are of interest. */
3756 {
3761 }
3764 }
3766 /* Create enodes and eedges for the function calls that doesn't have an
3767 underlying call superedge.
3769 Such case occurs when GCC's middle end didn't know which function to
3770 call but the analyzer does (with the help of current state).
3772 Some example such calls are dynamically dispatched calls to virtual
3773 functions or calls that happen via function pointer. */
3775 bool
3777 tree fn_decl,
3779 program_state next_state,
3783 {
3789 {
3794 program_point new_point
3796 NULL,
3802 /* Impose a maximum recursion depth and don't analyze paths
3803 that exceed it further.
3804 This is something of a blunt workaround, but it only
3805 applies to recursion (and mutual recursion), not to
3806 general call stacks. */
3809 {
3813 }
3818 {
3826 next_state,
3827 node);
3832 }
3833 }
3835 }
3837 /* Subclass of path_context for use within exploded_graph::process_node,
3838 so that we can split states e.g. at "realloc" calls. */
3841 {
3846 {
3847 }
3850 {
3852 }
3855 {
3858 }
3860 void
3862 {
3864 /* Verify that the state at bifurcation is consistent when we
3865 split into multiple out-edges. */
3867 else
3868 /* Take a copy of the cur_state at the moment when bifurcation
3869 happens. */
3870 m_state_at_bifurcation
3873 /* Take ownership of INFO. */
3875 }
3878 {
3880 }
3883 {
3885 }
3888 {
3890 }
3895 /* Lazily-created copy of the state before the split. */
3901 };
3903 /* A subclass of pending_diagnostic for complaining about jumps through NULL
3904 function pointers. */
3907 {
3911 {}
3914 {
3916 }
3919 {
3921 }
3924 {
3926 }
3929 {
3932 }
3935 {
3937 }
3941 };
3943 /* The core of exploded_graph::process_worklist (the main analysis loop),
3944 handling one node in the worklist.
3946 Get successor <point, state> pairs for NODE, calling get_or_create on
3947 them, and adding an exploded_edge to each successors.
3949 Freshly-created nodes will be added to the worklist. */
3951 void
3953 {
3961 /* Update cfun and input_location in case of an ICE: make it easier to
3962 track down which source construct we're failing to handle. */
3970 {
3978 }
3981 {
3985 /* This node exists to simplify finding the shortest path
3986 to an exploded_node. */
3990 {
3992 uncertainty_t uncertainty;
3995 {
4004 last_cfg_superedge,
4008 }
4014 }
4017 {
4018 /* Determine the effect of a run of one or more statements
4019 within one supernode, generating an edge to the program_point
4020 after the last statement that's processed.
4022 Stop iterating statements and thus consolidating into one enode
4023 when:
4024 - reaching the end of the statements in the supernode
4025 - if an sm-state-change occurs (so that it gets its own
4026 exploded_node)
4027 - if "-fanalyzer-fine-grained" is active
4028 - encountering certain statements must appear at the start of
4029 their enode (for which stmt_requires_new_enode_p returns true)
4031 Update next_state in-place, to get the result of the one
4032 or more stmts that are processed.
4034 Split the node in-place if an sm-state-change occurs, so that
4035 the sm-state-change occurs on an edge where the src enode has
4036 exactly one stmt, the one that caused the change. */
4041 uncertainty_t uncertainty;
4047 stmt_idx++)
4048 {
4053 {
4054 stmt_idx--;
4056 }
4061 /* Process the stmt. */
4067 /* If flags.m_terminate_path, stop analyzing; any nodes/edges
4068 will have been added by on_stmt (e.g. for handling longjmp). */
4073 {
4079 }
4082 program_point next_point
4095 {
4096 program_point split_point
4098 stmt_idx,
4101 {
4102 /* If we're not at the start of NODE, split the enode at
4103 this stmt, so we have:
4104 node -> split_enode
4105 so that when split_enode is processed the next edge
4106 we add will be:
4107 split_enode -> next
4108 and any state change will effectively occur on that
4109 latter edge, and split_enode will contain just stmt. */
4112 exploded_node *split_enode
4116 /* "stmt" will be reprocessed when split_enode is
4117 processed. */
4123 }
4124 else
4125 /* If we're at the start of NODE, stop iterating,
4126 so that an edge will be created from NODE to
4127 (next_point, next_state) below. */
4129 }
4130 }
4132 program_point next_point
4139 {
4142 }
4143 else
4144 {
4145 exploded_node *next
4149 }
4151 /* If we have custom edge infos, "bifurcate" the state
4152 accordingly, potentially creating a new state/enode/eedge
4153 instances. For example, to handle a "realloc" call, we
4154 might split into 3 states, for the "failure",
4155 "resizing in place", and "moving to a new buffer" cases. */
4157 {
4158 /* Take ownership of the edge infos from the path_ctxt. */
4161 {
4166 }
4167 program_state bifurcated_new_state
4170 /* Apply edge_info to state. */
4171 impl_region_model_context
4178 stmt);
4182 {
4183 exploded_node *next2
4187 }
4188 else
4189 {
4192 }
4193 }
4194 }
4197 {
4200 /* If this is an EXIT BB, detect leaks, and potentially
4201 create a function summary. */
4203 {
4208 {
4209 /* TODO: create function summary
4210 There can be more than one; each corresponds to a different
4211 final enode in the function. */
4213 {
4216 logger->log_partial
4221 }
4222 per_function_data *per_fn_data
4225 }
4226 }
4227 /* Traverse into successors of the supernode. */
4231 {
4234 {
4239 }
4241 program_point next_point
4245 uncertainty_t uncertainty;
4247 /* Make use the current state and try to discover and analyse
4248 indirect function calls (a call that doesn't have an underlying
4249 cgraph edge representing call).
4251 Some examples of such calls are virtual function calls
4252 and calls that happen via a function pointer. */
4255 {
4260 node,
4264 NULL,
4272 fn_decl,
4273 node,
4274 next_state,
4275 next_point,
4277 logger);
4279 {
4280 /* Check for jump through NULL. */
4282 {
4287 }
4289 /* An unknown function or a special function was called
4290 at this point, in such case, don't terminate the
4291 analysis of the current function.
4293 The analyzer handles calls to such functions while
4294 analysing the stmt itself, so the function call
4295 must have been handled by the anlyzer till now. */
4296 exploded_node *next
4298 next_state,
4299 node);
4302 }
4303 }
4307 {
4312 }
4314 node);
4316 {
4319 /* We might have a function entrypoint. */
4321 }
4322 }
4324 /* Return from the calls which doesn't have a return superedge.
4325 Such case occurs when GCC's middle end didn't knew which function to
4326 call but analyzer did. */
4329 {
4331 program_point next_point
4333 NULL,
4334 cs);
4336 uncertainty_t uncertainty;
4345 {
4348 next_state,
4349 node);
4353 }
4354 }
4355 }
4357 }
4358 }
4360 /* Ensure that this graph has a stats instance for FN, return it.
4361 FN can be NULL, in which case a stats instances is returned covering
4362 "functionless" parts of the graph (the origin node). */
4364 stats *
4366 {
4372 else
4373 {
4375 /* not quite the num supernodes, but nearly. */
4379 }
4380 }
4382 /* Print bar charts to PP showing:
4383 - the number of enodes per function, and
4384 - for each function:
4385 - the number of enodes per supernode/BB
4386 - the number of excess enodes per supernode/BB beyond the
4387 per-program-point limit, if there were any. */
4389 void
4391 {
4396 bar_chart enodes_per_function;
4398 {
4404 }
4407 /* Accumulate number of enodes per supernode. */
4414 {
4419 }
4421 /* Accumulate excess enodes per supernode. */
4427 {
4435 }
4437 /* Show per-function bar_charts of enodes per supernode/BB. */
4441 {
4446 bar_chart enodes_per_snode;
4447 bar_chart excess_enodes_per_snode;
4450 {
4454 pretty_printer tmp_pp;
4459 const int num_excess
4462 num_excess);
4465 }
4468 {
4472 }
4473 }
4474 }
4476 /* Write all stats information to this graph's logger, if any. */
4478 void
4480 {
4500 {
4504 }
4507 }
4509 /* Dump all stats information to OUT. */
4511 void
4513 {
4525 {
4529 }
4534 }
4536 void
4539 {
4545 {
4549 {
4550 pretty_printer pp;
4556 }
4557 }
4560 }
4562 /* Return a new json::object of the form
4563 {"nodes" : [objs for enodes],
4564 "edges" : [objs for eedges],
4565 "ext_state": object for extrinsic_state,
4566 "diagnostic_manager": object for diagnostic_manager}. */
4570 {
4573 /* Nodes. */
4574 {
4581 }
4583 /* Edges. */
4584 {
4591 }
4593 /* m_sg is JSONified at the top-level. */
4599 /* The following fields aren't yet being JSONified:
4600 const state_purge_map *const m_purge_map;
4601 const analysis_plan &m_plan;
4602 stats m_global_stats;
4603 function_stat_map_t m_per_function_stats;
4604 stats m_functionless_stats;
4605 call_string_data_map_t m_per_call_string_data;
4606 auto_vec<int> m_PK_AFTER_SUPERNODE_per_snode; */
4609 }
4611 /* class exploded_path. */
4613 /* Copy ctor. */
4617 {
4622 }
4624 /* Look for the last use of SEARCH_STMT within this path.
4625 If found write the edge's index to *OUT_IDX and return true, otherwise
4626 return false. */
4628 bool
4631 {
4635 {
4640 {
4643 }
4644 }
4646 }
4648 /* Get the final exploded_node in this path, which must be non-empty. */
4650 exploded_node *
4652 {
4655 }
4657 /* Check state along this path, returning true if it is feasible.
4658 If OUT is non-NULL, and the path is infeasible, write a new
4659 feasibility_problem to *OUT. */
4661 bool
4665 {
4671 /* Traverse the path, updating this state. */
4673 {
4677 edge_idx,
4683 {
4686 {
4693 }
4694 else
4697 }
4700 {
4702 edge_idx,
4708 }
4709 }
4712 }
4714 /* Dump this path in multiline form to PP.
4715 If EXT_STATE is non-NULL, then show the nodes. */
4717 void
4720 {
4722 {
4725 i,
4732 }
4733 }
4735 /* Dump this path in multiline form to FP. */
4737 void
4739 {
4740 pretty_printer pp;
4746 }
4748 /* Dump this path in multiline form to stderr. */
4750 DEBUG_FUNCTION void
4752 {
4754 }
4756 /* Dump this path verbosely to FILENAME. */
4758 void
4761 {
4765 pretty_printer pp;
4771 }
4773 /* class feasibility_problem. */
4775 void
4777 {
4781 {
4786 }
4787 }
4789 /* class feasibility_state. */
4791 /* Ctor for feasibility_state, at the beginning of a path. */
4797 {
4799 }
4801 /* Copy ctor for feasibility_state, for extending a path. */
4806 {
4808 }
4810 /* The heart of feasibility-checking.
4812 Attempt to update this state in-place based on traversing EEDGE
4813 in a path.
4814 Update the model for the stmts in the src enode.
4815 Attempt to add constraints for EEDGE.
4817 If feasible, return true.
4818 Otherwise, return false and write to *OUT_RC. */
4820 bool
4824 {
4828 {
4832 }
4834 /* Update state for the stmts that were processed in each enode. */
4836 stmt_idx++)
4837 {
4840 /* Update cfun and input_location in case of ICE: make it easier to
4841 track down which source construct we're failing to handle. */
4846 }
4850 {
4852 {
4858 }
4862 {
4864 {
4867 }
4869 }
4870 }
4871 else
4872 {
4873 /* Special-case the initial eedge from the origin node to the
4874 initial function by pushing a frame for it. */
4876 {
4885 }
4887 {
4889 }
4890 }
4892 /* Handle phi nodes on an edge leaving a PK_BEFORE_SUPERNODE (to
4893 a PK_BEFORE_STMT, or a PK_AFTER_SUPERNODE if no stmts).
4894 This will typically not be associated with a superedge. */
4896 {
4902 {
4906 last_cfg_superedge,
4907 NULL);
4908 /* If we've entering an snode that we've already visited on this
4909 epath, then we need do fix things up for loops; see the
4910 comment for store::loop_replay_fixup.
4911 Perhaps we should probably also verify the callstring,
4912 and track program_points, but hopefully doing it by supernode
4913 is good enough. */
4916 }
4918 }
4920 }
4922 /* Update this object for the effects of STMT. */
4924 void
4926 {
4932 {
4935 }
4938 }
4940 /* Dump this object to PP. */
4942 void
4945 {
4947 }
4949 /* A family of cluster subclasses for use when generating .dot output for
4950 exploded graphs (-fdump-analyzer-exploded-graph), for grouping the
4951 enodes into hierarchical boxes.
4953 All functionless enodes appear in the top-level graph.
4954 Every (function, call_string) pair gets its own cluster. Within that
4955 cluster, each supernode gets its own cluster.
4957 Hence all enodes relating to a particular function with a particular
4958 callstring will be in a cluster together; all enodes for the same
4959 function but with a different callstring will be in a different
4960 cluster. */
4962 /* Base class of cluster for clustering exploded_node instances in .dot
4963 output, based on various subclass-specific criteria. */
4966 {
4967 };
4969 /* Cluster containing all exploded_node instances for one supernode. */
4972 {
4976 // TODO: dtor?
4979 {
4992 /* Terminate subgraph. */
4995 }
4998 {
5000 }
5002 /* Comparator for use by auto_vec<supernode_cluster *>::qsort. */
5005 {
5011 }
5016 };
5018 /* Cluster containing all supernode_cluster instances for one
5019 (function, call_string) pair. */
5022 {
5028 {
5033 }
5036 {
5048 /* Dump m_map, sorting it to avoid churn when comparing dumps. */
5062 /* Terminate subgraph. */
5065 }
5068 {
5074 else
5075 {
5079 }
5080 }
5082 /* Comparator for use by auto_vec<function_call_string_cluster *>. */
5085 {
5095 }
5101 map_t m_map;
5102 };
5104 /* Keys for root_cluster. */
5106 struct function_call_string
5107 {
5110 {
5113 }
5117 };
5123 {
5125 };
5128 inline hashval_t
5130 {
5133 }
5139 {
5141 }
5145 {
5147 }
5151 {
5153 }
5157 {
5159 }
5163 {
5165 }
5169 /* Top-level cluster for generating .dot output for exploded graphs,
5170 handling the functionless nodes, and grouping the remaining nodes by
5171 callstring. */
5174 {
5177 {
5182 }
5185 {
5191 /* Dump m_map, sorting it to avoid churn when comparing dumps. */
5203 }
5206 {
5209 {
5212 }
5219 else
5220 {
5221 function_call_string_cluster *child
5225 }
5226 }
5230 map_t m_map;
5232 /* This should just be the origin exploded_node. */
5234 };
5236 /* Subclass of range_label for use within
5237 exploded_graph::dump_exploded_nodes for implementing
5238 -fdump-analyzer-exploded-nodes: a label for a specific
5239 exploded_node. */
5242 {
5249 {
5250 pretty_printer pp;
5255 }
5260 };
5262 /* Postprocessing support for dumping the exploded nodes.
5263 Handle -fdump-analyzer-exploded-nodes,
5264 -fdump-analyzer-exploded-nodes-2, and the
5265 "__analyzer_dump_exploded_nodes" builtin. */
5267 void
5269 {
5270 // TODO
5271 /* Locate calls to __analyzer_dump_exploded_nodes. */
5272 // Print how many egs there are for them?
5273 /* Better: log them as we go, and record the exploded nodes
5274 in question. */
5276 /* Show every enode. */
5278 /* Gather them by stmt, so that we can more clearly see the
5279 "hotspots" requiring numerous exploded nodes. */
5281 /* Alternatively, simply throw them all into one big rich_location
5282 and see if the label-printing will sort it out...
5283 This requires them all to be in the same source file. */
5286 {
5292 {
5294 {
5297 else
5299 SHOW_RANGE_WITHOUT_CARET,
5301 }
5302 }
5305 /* Repeat the warning without all the labels, so that message is visible
5306 (the other one may well have scrolled past the terminal limit). */
5313 }
5315 /* Dump the egraph in textual form to a dump file. */
5317 {
5333 {
5336 pretty_printer pp;
5340 }
5343 }
5345 /* Dump the egraph in textual form to multiple dump files, one per enode. */
5347 {
5353 {
5363 pretty_printer pp;
5369 }
5370 }
5372 /* Emit a warning at any call to "__analyzer_dump_exploded_nodes",
5373 giving the number of processed exploded nodes for "before-stmt",
5374 and the IDs of processed, merger, and worklist enodes.
5376 We highlight the count of *processed* enodes since this is of most
5377 interest in DejaGnu tests for ensuring that state merger has
5378 happened.
5380 We don't show the count of merger and worklist enodes, as this is
5381 more of an implementation detail of the merging/worklist that we
5382 don't want to bake into our expected DejaGnu messages. */
5388 {
5396 {
5403 /* This is O(N^2). */
5407 {
5412 {
5424 }
5425 }
5427 pretty_printer pp;
5431 {
5434 }
5436 {
5439 }
5448 /* If the argument is non-zero, then print all of the states
5449 of the various enodes. */
5452 {
5456 }
5459 {
5462 {
5467 /* Dump state. */
5469 }
5470 }
5471 }
5472 }
5473 }
5475 DEBUG_FUNCTION exploded_node *
5477 {
5481 }
5483 /* Ensure that there is an exploded_node for a top-level call to FNDECL. */
5485 void
5487 {
5504 {
5508 else
5510 }
5511 }
5513 /* A collection of classes for visualizing the callgraph in .dot form
5514 (as represented in the supergraph). */
5516 /* Forward decls. */
5522 /* Traits for using "digraph.h" to visualize the callgraph. */
5524 struct viz_callgraph_traits
5525 {
5529 struct dump_args_t
5530 {
5533 };
5535 };
5537 /* Subclass of dnode representing a function within the callgraph. */
5540 {
5546 {
5548 }
5551 {
5569 {
5574 {
5576 num_enodes++;
5577 }
5581 // TODO: also show the per-callstring breakdown
5588 {
5590 //per_call_string_data *data = (*iter).second;
5593 {
5596 num_enodes++;
5597 }
5599 {
5602 }
5603 }
5605 /* Show any summaries. */
5608 {
5612 {
5618 }
5619 }
5620 }
5625 }
5628 {
5630 }
5637 };
5639 /* Subclass of dedge representing a callgraph edge. */
5642 {
5646 {}
5649 final override
5650 {
5666 }
5667 };
5669 /* Subclass of digraph representing the callgraph. */
5672 {
5677 {
5679 }
5682 {
5684 }
5688 };
5690 /* Placeholder subclass of cluster. */
5693 {
5694 };
5696 /* viz_callgraph's ctor. */
5699 {
5702 {
5704 viz_callgraph_node *vcg_node
5708 }
5713 {
5718 {
5720 viz_callgraph_edge *vcg_edge
5723 }
5724 }
5728 {
5731 }
5732 }
5734 /* Dump the callgraph to FILENAME. */
5736 static void
5739 {
5744 // TODO
5749 }
5751 /* Dump the callgraph to "<srcfile>.callgraph.dot". */
5753 static void
5755 {
5760 }
5762 /* Subclass of dot_annotator for implementing
5763 DUMP_BASE_NAME.supergraph-eg.dot, a post-analysis dump of the supergraph.
5765 Annotate the supergraph nodes by printing the exploded nodes in concise
5766 form within them, next to their pertinent statements where appropriate,
5767 colorizing the exploded nodes based on sm-state.
5768 Also show saved diagnostics within the exploded nodes, giving information
5769 on whether they were feasible, and, if infeasible, where the problem
5770 was. */
5773 {
5777 {
5778 /* Avoid O(N^2) by prepopulating m_enodes_per_snodes. */
5787 }
5789 /* Show exploded nodes for BEFORE_SUPERNODE points before N. */
5792 const final override
5793 {
5808 {
5815 }
5821 }
5823 /* Show exploded nodes for STMT. */
5826 const final override
5827 {
5838 {
5846 }
5849 {
5852 }
5853 }
5855 /* Show exploded nodes for AFTER_SUPERNODE points after N. */
5857 const final override
5858 {
5869 {
5875 }
5879 }
5882 /* Concisely print a TD element for ENODE, showing the index, status,
5883 and any saved_diagnostics at the enode. Colorize it to show sm-state.
5885 Ideally we'd dump ENODE's state here, hidden behind some kind of
5886 interactive disclosure method like a tooltip, so that the states
5887 can be explored without overwhelming the graph.
5888 However, I wasn't able to get graphviz/xdot to show tooltips on
5889 individual elements within a HTML-like label. */
5891 {
5899 {
5913 }
5916 /* Dump any saved_diagnostics at this enode. */
5918 {
5921 }
5924 }
5926 /* Print a TABLE element for SD, showing the kind, the length of the
5927 exploded_path, whether the path was feasible, and if infeasible,
5928 what the problem was. */
5931 {
5942 else
5946 {
5962 /* Ideally we'd print p->m_model here; see the notes above about
5963 tooltips. */
5964 }
5967 }
5971 };
5973 /* Implement -fdump-analyzer-json. */
5975 static void
5978 {
5983 {
5987 }
5993 pretty_printer pp;
6004 }
6006 /* Concrete subclass of plugin_analyzer_init_iface, allowing plugins
6007 to register new state machines. */
6010 {
6018 {}
6021 {
6024 }
6028 {
6031 }
6034 {
6036 }
6042 };
6044 /* Run the analysis "engine". */
6046 void
6048 {
6052 {
6057 }
6059 /* If using LTO, ensure that the cgraph nodes have function bodies. */
6064 /* Create the supergraph. */
6075 {
6076 /* Dump supergraph pre-analysis. */
6082 }
6085 {
6092 }
6101 logger);
6105 {
6110 }
6112 /* Extrinsic state shared by nodes in the graph. */
6117 /* The exploded graph. */
6119 analyzer_verbosity);
6121 /* Add entrypoints to the graph for externally-callable functions. */
6124 /* Now process the worklist, exploring the <point, state> graph. */
6128 {
6133 root_cluster c;
6136 }
6138 /* Now emit any saved diagnostics. */
6149 {
6150 /* Dump post-analysis form of supergraph. */
6157 }
6166 }
6168 /* Handle -fdump-analyzer and -fdump-analyzer-stderr. */
6171 /* Track if we're responsible for closing dump_fout. */
6174 /* If dumping is enabled, attempt to create dump_fout if it hasn't already
6175 been opened. Return it. */
6179 {
6181 {
6185 {
6191 }
6192 }
6194 }
6196 /* External entrypoint to the analysis "engine".
6197 Set up any dumps, then call impl_run_checkers. */
6199 void
6201 {
6202 /* Save input_location. */
6205 {
6215 /* end of lifetime of the_logger (so that dump file is closed after the
6216 various dtors run). */
6217 }
6220 {
6224 }
6226 /* Restore input_location. Subsequent passes may assume that input_location
6227 is some arbitrary value *not* in the block tree, which might be violated
6228 if we didn't restore it. */
6230 }