| blob | c7bc4b40f87c8ee41befb4856732226de2e0410d |
1 /* Classes for modeling the state of memory.
2 Copyright (C) 2020-2023 Free Software Foundation, Inc.
3 Contributed by David Malcolm <dmalcolm@redhat.com>.
5 This file is part of GCC.
7 GCC is free software; you can redistribute it and/or modify it
8 under the terms of the GNU General Public License as published by
9 the Free Software Foundation; either version 3, or (at your option)
10 any later version.
12 GCC is distributed in the hope that it will be useful, but
13 WITHOUT ANY WARRANTY; without even the implied warranty of
14 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
15 General Public License for more details.
17 You should have received a copy of the GNU General Public License
18 along with GCC; see the file COPYING3. If not see
19 <http://www.gnu.org/licenses/>. */
22 #define INCLUDE_MEMORY
59 #if ENABLE_ANALYZER
63 /* Dump SVALS to PP, sorting them to ensure determinism. */
65 static void
68 {
72 {
74 }
81 {
85 }
87 }
89 /* class uncertainty_t. */
91 /* Dump this object to PP. */
93 void
95 {
102 }
104 /* Dump this object to stderr. */
106 DEBUG_FUNCTION void
108 {
109 pretty_printer pp;
116 }
118 /* class binding_key. */
122 {
126 else
127 {
128 bit_size_t bit_size;
130 {
131 /* Must be non-empty. */
134 bit_size);
135 }
136 else
138 }
139 }
141 /* Dump this binding_key to stderr. */
143 DEBUG_FUNCTION void
145 {
146 pretty_printer pp;
153 }
155 /* Get a description of this binding_key. */
157 label_text
159 {
160 pretty_printer pp;
164 }
166 /* qsort callback. */
168 int
170 {
174 }
176 /* Comparator for binding_keys. */
178 int
180 {
186 {
191 SIGNED))
194 SIGNED);
195 }
196 else
197 {
205 }
206 }
208 /* struct bit_range. */
210 void
212 {
216 else
217 {
224 }
225 }
227 /* Dump this object to stderr. */
229 DEBUG_FUNCTION void
231 {
232 pretty_printer pp;
237 }
239 /* If OTHER is a subset of this, return true and, if OUT is
240 non-null, write to *OUT the relative range of OTHER within this.
241 Otherwise return false. */
243 bool
245 {
248 {
250 {
253 }
255 }
256 else
258 }
260 /* If OTHER intersects this, return true and write
261 the relative range of OTHER within THIS to *OUT_THIS,
262 and the relative range of THIS within OTHER to *OUT_OTHER.
263 Otherwise return false. */
265 bool
269 {
272 {
273 bit_offset_t overlap_start
276 bit_offset_t overlap_next
284 }
285 else
287 }
289 int
291 {
297 }
299 /* Offset this range by OFFSET. */
301 bit_range
303 {
305 }
307 /* If MASK is a contiguous range of set bits, write them
308 to *OUT and return true.
309 Otherwise return false. */
311 bool
313 {
317 /* Find the first contiguous run of set bits in MASK. */
319 /* Find first set bit in MASK. */
321 {
324 iter_bit_idx++;
326 }
328 /* MASK is zero. */
333 iter_bit_idx++;
336 /* Find next unset bit in MASK. */
338 {
341 num_set_bits++;
342 iter_bit_idx++;
344 }
346 {
349 }
351 /* We now have the first contiguous run of set bits in MASK.
352 Fail if any other bits are set. */
354 {
357 iter_bit_idx++;
359 }
363 }
365 /* Attempt to convert this bit_range to a byte_range.
366 Return true if it is possible, writing the result to *OUT.
367 Otherwise return false. */
369 bool
371 {
374 {
378 }
380 }
382 /* Dump this object to PP. */
384 void
386 {
388 {
390 }
392 {
395 }
396 else
397 {
402 }
403 }
405 /* Dump this object to stderr. */
407 DEBUG_FUNCTION void
409 {
410 pretty_printer pp;
415 }
417 /* If OTHER is a subset of this, return true and write
418 to *OUT the relative range of OTHER within this.
419 Otherwise return false. */
421 bool
423 {
426 {
430 }
431 else
433 }
435 /* Return true if THIS and OTHER intersect and write the number
436 of bytes both buffers overlap to *OUT_NUM_OVERLAP_BYTES.
438 Otherwise return false. */
440 bool
443 {
446 {
454 }
455 else
457 }
459 /* Return true if THIS exceeds OTHER and write the overhanging
460 byte range to OUT_OVERHANGING_BYTE_RANGE. */
462 bool
465 {
469 {
470 /* THIS definitely exceeds OTHER. */
478 }
479 else
481 }
483 /* Return true if THIS falls short of OFFSET and write the
484 byte range fallen short to OUT_FALL_SHORT_BYTES. */
486 bool
489 {
493 {
494 /* THIS falls short of OFFSET. */
501 }
502 else
504 }
506 /* qsort comparator for byte ranges. */
508 int
510 {
511 /* Order first by offset. */
516 /* ...then by size. */
518 }
520 /* class concrete_binding : public binding_key. */
522 /* Implementation of binding_key::dump_to_pp vfunc for concrete_binding. */
524 void
526 {
528 }
530 /* Return true if this binding overlaps with OTHER. */
532 bool
534 {
539 }
541 /* Comparator for use by vec<const concrete_binding *>::qsort. */
543 int
545 {
550 }
552 /* class symbolic_binding : public binding_key. */
554 void
556 {
557 //binding_key::dump_to_pp (pp, simple);
560 }
562 /* Comparator for use by vec<const symbolic_binding *>::qsort. */
564 int
566 {
571 }
573 /* The store is oblivious to the types of the svalues bound within
574 it: any type can get bound at any location.
575 Simplify any casts before binding.
577 For example, if we have:
578 struct big { int ia[1024]; };
579 struct big src, dst;
580 memcpy (&dst, &src, sizeof (struct big));
581 this reaches us in gimple form as:
582 MEM <unsigned char[4096]> [(char * {ref-all})&dst]
583 = MEM <unsigned char[4096]> [(char * {ref-all})&src];
584 Using cast_region when handling the MEM_REF would give us:
585 INIT_VAL(CAST_REG(unsigned char[4096], src))
586 as rhs_sval, but we can fold that into a cast svalue:
587 CAST(unsigned char[4096], INIT_VAL(src))
588 We can discard that cast from the svalue when binding it in
589 the store for "dst", and simply store:
590 cluster for: dst
591 key: {kind: direct, start: 0, size: 32768, next: 32768}
592 value: ‘struct big’ {INIT_VAL(src)}. */
596 {
600 }
602 /* class binding_map. */
604 /* binding_map's copy ctor. */
608 {
609 }
611 /* binding_map's assignment operator. */
613 binding_map&
615 {
616 /* For now, assume we only ever copy to an empty cluster. */
620 {
624 }
626 }
628 /* binding_map's equality operator. */
630 bool
632 {
637 {
646 }
649 }
651 /* Generate a hash value for this binding_map. */
653 hashval_t
655 {
658 {
659 /* Use a new hasher for each key to avoid depending on the ordering
660 of keys when accumulating the result. */
665 }
667 }
669 /* Dump a representation of this binding_map to PP.
670 SIMPLE controls how values and regions are to be printed.
671 If MULTILINE, then split the dump over multiple lines and
672 use whitespace for readability, otherwise put all on one line. */
674 void
677 {
681 {
684 }
690 {
693 {
705 }
706 else
707 {
715 }
716 }
717 }
719 /* Dump a multiline representation of this binding_map to stderr. */
721 DEBUG_FUNCTION void
723 {
724 pretty_printer pp;
731 }
733 /* Return a new json::object of the form
734 {KEY_DESC : SVALUE_DESC,
735 ...for the various key/value pairs in this binding_map}. */
739 {
745 {
748 }
754 {
758 }
761 }
763 /* Comparator for imposing an order on binding_maps. */
765 int
767 {
784 {
792 }
795 }
797 /* Get the child region of PARENT_REG based upon INDEX within a
798 CONSTRUCTOR. */
803 {
805 {
809 {
814 index_sval);
815 }
819 }
820 }
822 /* Get the svalue for VAL, a non-CONSTRUCTOR value within a CONSTRUCTOR. */
826 {
827 /* Reuse the get_rvalue logic from region_model. */
830 }
832 /* Bind values from CONSTRUCTOR to this map, relative to
833 PARENT_REG's relationship to its base region.
834 Return true if successful, false if there was a problem (e.g. due
835 to hitting a complexity limit). */
837 bool
840 {
845 tree index;
846 tree val;
848 tree field;
851 else
854 {
856 {
857 /* If index is NULL, then iterate through the fields for
858 a RECORD_TYPE, or use an INTEGER_CST otherwise.
859 Compare with similar logic in output_constructor. */
861 {
864 }
865 else
867 }
869 {
873 {
877 }
878 else
879 {
883 }
885 }
888 }
890 }
892 /* Bind the value VAL into the range of elements within PARENT_REF
893 from MIN_INDEX to MAX_INDEX (including endpoints).
894 For use in handling RANGE_EXPR within a CONSTRUCTOR.
895 Return true if successful, false if there was a problem (e.g. due
896 to hitting a complexity limit). */
898 bool
902 tree val)
903 {
907 /* Generate a binding key for the range. */
924 bit_size_t range_size_in_bits
931 /* Get the value. */
936 /* Bind the value to the range. */
939 }
941 /* Bind the value VAL into INDEX within PARENT_REF.
942 For use in handling a pair of entries within a CONSTRUCTOR.
943 Return true if successful, false if there was a problem (e.g. due
944 to hitting a complexity limit). */
946 bool
950 {
955 else
956 {
962 /* Handle the case where we have an unknown size for child_reg
963 (e.g. due to it being a trailing field with incomplete array
964 type. */
966 {
967 /* Assume that sval has a well-defined size for this case. */
973 /* Get offset of child relative to base region. */
977 /* Convert to an offset relative to the parent region. */
980 bit_offset_t child_parent_offset
983 /* Create a concrete key for the child within the parent. */
986 }
990 }
991 }
993 /* Populate OUT with all bindings within this map that overlap KEY. */
995 void
998 {
1000 {
1004 {
1007 {
1010 }
1011 else
1012 {
1013 /* Assume overlap. */
1015 }
1016 }
1017 else
1018 {
1019 /* Assume overlap. */
1021 }
1022 }
1023 }
1025 /* Remove, truncate, and/or split any bindings within this map that
1026 overlap DROP_KEY.
1028 For example, if we have:
1030 +------------------------------------+
1031 | old binding |
1032 +------------------------------------+
1034 which is to be overwritten with:
1036 .......+----------------------+.......
1037 .......| new binding |.......
1038 .......+----------------------+.......
1040 this function "cuts a hole" out of the old binding:
1042 +------+......................+------+
1043 |prefix| hole for new binding |suffix|
1044 +------+......................+------+
1046 into which the new binding can be added without
1047 overlapping the prefix or suffix.
1049 The prefix and suffix (if added) will be bound to the pertinent
1050 parts of the value of the old binding.
1052 For example, given:
1053 struct s5
1054 {
1055 char arr[8];
1056 };
1057 void test_5 (struct s5 *p)
1058 {
1059 struct s5 f = *p;
1060 f.arr[3] = 42;
1061 }
1062 then after the "f = *p;" we have:
1063 cluster for: f: INIT_VAL((*INIT_VAL(p_33(D))))
1064 and at the "f.arr[3] = 42;" we remove the bindings overlapping
1065 "f.arr[3]", replacing it with a prefix (bytes 0-2) and suffix (bytes 4-7)
1066 giving:
1067 cluster for: f
1068 key: {bytes 0-2}
1069 value: {BITS_WITHIN(bytes 0-2, inner_val: INIT_VAL((*INIT_VAL(p_33(D))).arr))}
1070 key: {bytes 4-7}
1071 value: {BITS_WITHIN(bytes 4-7, inner_val: INIT_VAL((*INIT_VAL(p_33(D))).arr))}
1072 punching a hole into which the new value can be written at byte 3:
1073 cluster for: f
1074 key: {bytes 0-2}
1075 value: {BITS_WITHIN(bytes 0-2, inner_val: INIT_VAL((*INIT_VAL(p_33(D))).arr))}
1076 key: {byte 3}
1077 value: 'char' {(char)42}
1078 key: {bytes 4-7}
1079 value: {BITS_WITHIN(bytes 4-7, inner_val: INIT_VAL((*INIT_VAL(p_33(D))).arr))}
1081 If UNCERTAINTY is non-NULL, use it to record any svalues that
1082 were removed, as being maybe-bound.
1084 If MAYBE_LIVE_VALUES is non-NULL, then use it to record any svalues that
1085 were removed as being maybe-live.
1087 If ALWAYS_OVERLAP, then assume that DROP_KEY can overlap anything
1088 in the map, due to one or both of the underlying clusters being
1089 symbolic (but not the same symbolic region). Hence even if DROP_KEY is a
1090 concrete binding it could actually be referring to the same memory as
1091 distinct concrete bindings in the map. Remove all bindings, but
1092 register any svalues with *UNCERTAINTY. */
1094 void
1100 {
1101 /* Get the bindings of interest within this map. */
1106 else
1107 /* Just add overlapping bindings. */
1113 {
1114 /* Record any svalues that were removed to *UNCERTAINTY as being
1115 maybe-bound, provided at least some part of the binding is symbolic.
1117 Specifically, if at least one of the bindings is symbolic, or we
1118 have ALWAYS_OVERLAP for the case where we have possibly aliasing
1119 regions, then we don't know that the svalue has been overwritten,
1120 and should record that to *UNCERTAINTY.
1122 However, if we have concrete keys accessing within the same symbolic
1123 region, then we *know* that the symbolic region has been overwritten,
1124 so we don't record it to *UNCERTAINTY, as this could be a genuine
1125 leak. */
1133 /* Record any svalues that were removed to *MAYBE_LIVE_VALUES as being
1134 maybe-live. */
1138 /* Begin by removing the old binding. */
1141 /* Don't attempt to handle prefixes/suffixes for the
1142 "always_overlap" case; everything's being removed. */
1146 /* Now potentially add the prefix and suffix. */
1151 {
1159 {
1160 /* We have a truncated prefix. */
1169 rel_prefix,
1172 }
1176 {
1177 /* We have a truncated suffix. */
1188 rel_suffix,
1191 }
1192 }
1193 }
1194 }
1196 /* class binding_cluster. */
1201 {
1202 }
1204 /* binding_cluster's copy ctor. */
1209 {
1210 }
1212 /* binding_cluster's assignment operator. */
1214 binding_cluster&
1216 {
1222 }
1224 /* binding_cluster's equality operator. */
1226 bool
1228 {
1244 }
1246 /* Generate a hash value for this binding_cluster. */
1248 hashval_t
1250 {
1252 }
1254 /* Return true if this binding_cluster is symbolic
1255 i.e. its base region is symbolic. */
1257 bool
1259 {
1261 }
1263 /* Dump a representation of this binding_cluster to PP.
1264 SIMPLE controls how values and regions are to be printed.
1265 If MULTILINE, then split the dump over multiple lines and
1266 use whitespace for readability, otherwise put all on one line. */
1268 void
1271 {
1273 {
1275 {
1278 }
1279 else
1281 }
1283 {
1285 {
1288 }
1289 else
1291 }
1294 }
1296 /* Dump a multiline representation of this binding_cluster to stderr. */
1298 DEBUG_FUNCTION void
1300 {
1301 pretty_printer pp;
1312 }
1314 /* Assert that this object is valid. */
1316 void
1318 {
1322 {
1324 num_symbolic++;
1325 else
1326 num_concrete++;
1327 }
1328 /* We shouldn't have more than one symbolic key per cluster
1329 (or one would have clobbered the other). */
1331 /* We can't have both concrete and symbolic keys. */
1333 }
1335 /* Return a new json::object of the form
1336 {"escaped": true/false,
1337 "touched": true/false,
1338 "map" : object for the binding_map. */
1342 {
1350 }
1352 /* Add a binding of SVAL of kind KIND to REG, unpacking SVAL if it is a
1353 compound_sval. */
1355 void
1358 {
1361 {
1364 }
1370 }
1372 /* Bind SVAL to KEY.
1373 Unpacking of compound_svalues should already have been done by the
1374 time this is called. */
1376 void
1378 {
1384 }
1386 /* Subroutine of binding_cluster::bind.
1387 Unpack compound_svals when binding them, so that we bind them
1388 element-wise. */
1390 void
1394 {
1395 region_offset reg_offset
1398 {
1402 }
1406 {
1412 {
1413 bit_offset_t effective_start
1420 }
1421 else
1423 }
1424 }
1426 /* Remove all bindings overlapping REG within this cluster. */
1428 void
1430 {
1432 }
1434 /* Remove any bindings for REG within this cluster. */
1436 void
1438 {
1445 }
1447 /* Clobber REG and fill it with repeated copies of SVAL. */
1449 void
1453 {
1462 }
1464 /* Clobber REG within this cluster and fill it with zeroes. */
1466 void
1468 {
1472 }
1474 /* Mark REG_TO_BIND within this cluster as being unknown.
1476 Remove any bindings overlapping REG_FOR_OVERLAP.
1477 If UNCERTAINTY is non-NULL, use it to record any svalues that
1478 had bindings to them removed, as being maybe-bound.
1479 If MAYBE_LIVE_VALUES is non-NULL, use it to record any svalues that
1480 had bindings to them removed, as being maybe-live.
1482 REG_TO_BIND and REG_FOR_OVERLAP are the same for
1483 store::mark_region_as_unknown, but are different in
1484 store::set_value's alias handling, for handling the case where
1485 we have a write to a symbolic REG_FOR_OVERLAP. */
1487 void
1493 {
1498 maybe_live_values);
1500 /* Add a default binding to "unknown". */
1505 }
1507 /* Purge state involving SVAL. */
1509 void
1512 {
1516 {
1520 {
1524 }
1529 }
1531 {
1534 }
1536 {
1540 }
1541 }
1543 /* Get any SVAL bound to REG within this cluster via kind KIND,
1544 without checking parent regions of REG. */
1549 {
1555 {
1556 /* If we have a struct with a single field, then the binding of
1557 the field will equal that of the struct, and looking up e.g.
1558 PARENT_REG.field within:
1559 cluster for PARENT_REG: INIT_VAL(OTHER_REG)
1560 will erroneously return INIT_VAL(OTHER_REG), rather than
1561 SUB_VALUE(INIT_VAL(OTHER_REG), FIELD) == INIT_VAL(OTHER_REG.FIELD).
1562 Fix this issue by iterating upwards whilst the bindings are equal,
1563 expressing the lookups as subvalues.
1564 We have to gather a list of subregion accesses, then walk it
1565 in reverse to get the subvalues. */
1568 {
1575 {
1578 }
1579 else
1581 }
1585 {
1589 {
1593 }
1594 }
1595 }
1597 }
1599 /* Get any SVAL bound to REG within this cluster,
1600 either directly for REG, or recursively checking for bindings within
1601 parent regions and extracting subvalues if need be. */
1606 {
1613 {
1614 /* Extract child svalue from parent svalue. */
1618 }
1620 }
1622 /* Get any value bound for REG within this cluster. */
1627 {
1628 /* Look for a direct binding. */
1633 /* If we had a write to a cluster of unknown size, we might
1634 have a self-binding of the whole base region with an svalue,
1635 where the base region is symbolic.
1636 Handle such cases by returning sub_svalue instances. */
1638 {
1639 /* Extract child svalue from parent svalue. */
1643 }
1645 /* If this cluster has been touched by a symbolic write, then the content
1646 of any subregion not currently specifically bound is "UNKNOWN". */
1648 {
1651 }
1653 /* Alternatively, if this is a symbolic read and the cluster has any bindings,
1654 then we don't know if we're reading those values or not, so the result
1655 is also "UNKNOWN". */
1658 {
1661 }
1666 /* Otherwise, the initial value, or uninitialized. */
1668 }
1670 /* Attempt to get a compound_svalue for the bindings within the cluster
1671 affecting REG (which could be the base region itself).
1673 Create a compound_svalue with the subset of bindings the affect REG,
1674 offsetting them so that the offsets are relative to the start of REG
1675 within the cluster.
1677 For example, REG could be one element within an array of structs.
1679 Return the resulting compound_svalue, or NULL if there's a problem. */
1684 {
1685 region_offset cluster_offset
1698 /* We will a build the result map in two parts:
1699 (a) result_map, holding the concrete keys from this cluster,
1701 (b) default_map, holding the initial values for the region
1702 (e.g. uninitialized, initializer values, or zero), unless this
1703 cluster has been touched.
1705 We will populate (a), and as we do, clobber (b), trimming and
1706 splitting its bindings as necessary.
1707 Finally, we will merge (b) into (a), giving a concrete map
1708 that merges both the initial values and the bound values from
1709 the binding_cluster.
1710 Doing it this way reduces N for the O(N^2) intersection-finding,
1711 perhaps we should have a spatial-organized data structure for
1712 concrete keys, though. */
1714 binding_map result_map;
1715 binding_map default_map;
1717 /* Set up default values in default_map. */
1721 else
1727 {
1733 {
1736 bit_size_t reg_bit_size;
1741 reg_bit_size);
1743 /* Skip bindings that are outside the bit range of REG. */
1747 /* We shouldn't have an exact match; that should have been
1748 handled already. */
1753 {
1754 /* We have a bound range fully within REG.
1755 Add it to map, offsetting accordingly. */
1757 /* Get offset of KEY relative to REG, rather than to
1758 the cluster. */
1763 /* Clobber default_map, removing/trimming/spliting where
1764 it overlaps with offset_concrete_key. */
1766 offset_concrete_key,
1768 }
1770 {
1771 /* REG is fully within the bound range, but
1772 is not equal to it; we're extracting a subvalue. */
1774 subrange,
1776 }
1777 else
1778 {
1779 /* REG and the bound range partially overlap. */
1785 /* Get the bits from the bound value for the bits at the
1786 intersection (relative to the bound value). */
1789 bound_subrange,
1792 /* Get key for overlap, relative to the REG. */
1797 /* Clobber default_map, removing/trimming/spliting where
1798 it overlaps with overlap_concrete_key. */
1800 overlap_concrete_key,
1802 }
1803 }
1804 else
1805 /* Can't handle symbolic bindings. */
1807 }
1812 /* Merge any bindings from default_map into result_map. */
1814 {
1818 }
1821 }
1823 /* Remove, truncate, and/or split any bindings within this map that
1824 could overlap REG.
1826 If REG's base region or this cluster is symbolic and they're different
1827 base regions, then remove everything in this cluster's map, on the
1828 grounds that REG could be referring to the same memory as anything
1829 in the map.
1831 If UNCERTAINTY is non-NULL, use it to record any svalues that
1832 were removed, as being maybe-bound.
1834 If MAYBE_LIVE_VALUES is non-NULL, use it to record any svalues that
1835 were removed, as being maybe-live. */
1837 void
1842 {
1849 /* If at least one of the base regions involved is symbolic, and they're
1850 not the same base region, then consider everything in the map as
1851 potentially overlapping with reg_binding (even if it's a concrete
1852 binding and things in the map are concrete - they could be referring
1853 to the same memory when the symbolic base regions are taken into
1854 account). */
1859 maybe_live_values,
1860 always_overlap);
1861 }
1863 /* Attempt to merge CLUSTER_A and CLUSTER_B into OUT_CLUSTER, using
1864 MGR and MERGER.
1865 Return true if they can be merged, false otherwise. */
1867 bool
1874 {
1877 /* Merge flags ("ESCAPED" and "TOUCHED") by setting the merged flag to
1878 true if either of the inputs is true. */
1886 /* At least one of CLUSTER_A and CLUSTER_B are non-NULL, but either
1887 could be NULL. Handle these cases. */
1889 {
1894 }
1896 {
1901 }
1903 /* The "both inputs are non-NULL" case. */
1911 {
1914 }
1917 {
1920 }
1925 {
1932 num_symbolic_keys++;
1933 else
1934 num_concrete_keys++;
1937 {
1941 }
1943 {
1946 {
1949 }
1950 /* Merger of the svalues failed. Reject merger of the cluster. */
1952 }
1954 /* If we get here, then one cluster binds this key and the other
1955 doesn't; merge them as "UNKNOWN". */
1963 /* ...but reject the merger if this sval shouldn't be mergeable
1964 (e.g. reject merging svalues that have non-purgable sm-state,
1965 to avoid falsely reporting memory leaks by merging them
1966 with something else). */
1971 }
1973 /* We can only have at most one symbolic key per cluster,
1974 and if we do, we can't have any concrete keys.
1975 If this happens, mark the cluster as touched, with no keys. */
1978 {
1981 }
1983 /* We don't handle other kinds of overlaps yet. */
1986 }
1988 /* Update this cluster to reflect an attempt to merge OTHER where there
1989 is no other cluster to merge with, and so we're notionally merging the
1990 bound values in OTHER with the initial value of the relevant regions.
1992 Any bound keys in OTHER should be bound to unknown in this. */
1994 void
1998 {
2001 {
2009 /* For any pointers in OTHER, the merger means that the
2010 concrete pointer becomes an unknown value, which could
2011 show up as a false report of a leak when considering what
2012 pointers are live before vs after.
2013 Avoid this by marking the base regions they point to as having
2014 escaped. */
2017 {
2022 {
2025 }
2026 }
2027 }
2028 }
2030 /* Mark this cluster as having escaped. */
2032 void
2034 {
2036 }
2038 /* If this cluster has escaped (by this call, or by an earlier one, or
2039 by being an external param), then unbind all values and mark it
2040 as "touched", so that it has a conjured value, rather than an
2041 initial_svalue.
2042 Use P to purge state involving conjured_svalues. */
2044 void
2048 {
2050 {
2054 {
2055 /* Bind it to a new "conjured" value using CALL. */
2060 }
2063 }
2064 }
2066 /* Mark this cluster as having been clobbered by STMT.
2067 Use P to purge state involving conjured_svalues. */
2069 void
2073 {
2076 /* Bind it to a new "conjured" value using CALL. */
2083 }
2085 /* Return true if this cluster has escaped. */
2087 bool
2089 {
2090 /* Consider the "errno" region to always have escaped. */
2094 }
2096 /* Return true if this binding_cluster has no information
2097 i.e. if there are no bindings, and it hasn't been marked as having
2098 escaped, or touched symbolically. */
2100 bool
2102 {
2104 && !m_escaped
2106 }
2108 /* Add PV to OUT_PVS, casting it to TYPE if it is not already of that type. */
2110 static void
2112 tree type,
2114 {
2121 }
2123 /* Find representative path_vars for SVAL within this binding of BASE_REG,
2124 appending the results to OUT_PVS. */
2126 void
2132 const
2133 {
2137 {
2141 {
2144 {
2146 base_reg->get_subregions_for_binding
2155 {
2158 visited))
2160 }
2161 }
2162 else
2163 {
2167 visited))
2169 }
2170 }
2171 }
2172 }
2174 /* Get any svalue bound to KEY, or NULL. */
2178 {
2180 }
2182 /* If this cluster has a single direct binding for the whole of the region,
2183 return it.
2184 For use in simplifying dumps. */
2188 {
2189 /* Fail gracefully if MGR is NULL to make it easier to dump store
2190 instances in the debugger. */
2202 }
2204 /* class store_manager. */
2206 logger *
2208 {
2210 }
2212 /* binding consolidation. */
2216 bit_offset_t size_in_bits)
2217 {
2225 }
2229 {
2237 }
2239 /* class store. */
2241 /* store's default ctor. */
2245 {
2246 }
2248 /* store's copy ctor. */
2253 {
2257 {
2263 }
2264 }
2266 /* store's dtor. */
2269 {
2274 }
2276 /* store's assignment operator. */
2278 store &
2280 {
2281 /* Delete existing cluster map. */
2293 {
2299 }
2301 }
2303 /* store's equality operator. */
2305 bool
2307 {
2317 {
2320 binding_cluster **other_slot
2326 }
2331 }
2333 /* Get a hash value for this store. */
2335 hashval_t
2337 {
2344 }
2346 /* Populate OUT with a sorted list of parent regions for the regions in IN,
2347 removing duplicate parents. */
2349 static void
2352 {
2353 /* Get the set of parent regions. */
2358 {
2362 }
2364 /* Write to OUT. */
2369 /* Sort OUT. */
2371 }
2373 /* Dump a representation of this store to PP, using SIMPLE to control how
2374 svalues and regions are printed.
2375 MGR is used for simplifying dumps if non-NULL, but can also be NULL
2376 (to make it easier to use from the debugger). */
2378 void
2381 {
2382 /* Sort into some deterministic order. */
2386 {
2389 }
2392 /* Gather clusters, organize by parent region, so that we can group
2393 together locals, globals, etc. */
2400 {
2406 else
2412 {
2413 /* This is O(N * M), but N ought to be small. */
2416 binding_cluster *cluster
2419 {
2422 }
2424 {
2425 /* Special-case to simplify dumps for the common case where
2426 we just have one value directly bound to the whole of a
2427 region. */
2429 {
2439 }
2440 else
2441 {
2451 }
2452 }
2454 {
2459 }
2460 else
2461 {
2467 }
2468 }
2471 }
2476 }
2478 /* Dump a multiline representation of this store to stderr. */
2480 DEBUG_FUNCTION void
2482 {
2483 pretty_printer pp;
2490 }
2492 /* Assert that this object is valid. */
2494 void
2496 {
2499 }
2501 /* Return a new json::object of the form
2502 {PARENT_REGION_DESC: {BASE_REGION_DESC: object for binding_map,
2503 ... for each cluster within parent region},
2504 ...for each parent region,
2505 "called_unknown_fn": true/false}. */
2509 {
2512 /* Sort into some deterministic order. */
2516 {
2519 }
2522 /* Gather clusters, organize by parent region, so that we can group
2523 together locals, globals, etc. */
2530 {
2538 {
2539 /* This is O(N * M), but N ought to be small. */
2542 binding_cluster *cluster
2547 }
2550 }
2555 }
2557 /* Get any svalue bound to REG, or NULL. */
2561 {
2563 binding_cluster **cluster_slot
2568 }
2570 /* Set the value of LHS_REG to RHS_SVAL. */
2572 void
2576 {
2584 /* ...but if we have no type for the region, retain any cast. */
2589 {
2590 /* Reject attempting to bind values into a symbolic region
2591 for an unknown ptr; merely invalidate values below. */
2594 /* The LHS of the write is *UNKNOWN. If the RHS is a pointer,
2595 then treat the region being pointed to as having escaped. */
2597 {
2601 }
2604 }
2606 {
2609 }
2610 else
2611 {
2612 /* Reject attempting to bind values into an untracked region;
2613 merely invalidate values below. */
2615 }
2617 /* Bindings to a cluster can affect other clusters if a symbolic
2618 base region is involved.
2619 Writes to concrete clusters can't affect other concrete clusters,
2620 but can affect symbolic clusters.
2621 Writes to symbolic clusters can affect both concrete and symbolic
2622 clusters.
2623 Invalidate our knowledge of other clusters that might have been
2624 affected by the write.
2625 Gather the set of all svalues that might still be live even if
2626 the store doesn't refer to them. */
2627 svalue_set maybe_live_values;
2630 {
2637 {
2640 {
2646 {
2656 }
2657 /* Mark all of iter_cluster's iter_base_reg as unknown,
2658 using LHS_REG when considering overlaps, to handle
2659 symbolic vs concrete issues. */
2660 iter_cluster->mark_region_as_unknown
2664 uncertainty,
2673 /* If they can't be aliases, then don't invalidate this
2674 cluster. */
2676 }
2677 }
2678 }
2679 /* Given the set of svalues that might still be live, process them
2680 (e.g. marking regions as escaped).
2681 We do this after the iteration to avoid potentially changing
2682 m_cluster_map whilst iterating over it. */
2684 }
2686 /* Determine if BASE_REG_A could be an alias of BASE_REG_B. */
2688 tristate
2691 {
2692 /* SSA names can't alias. */
2700 /* Try both ways, for symmetry. */
2708 }
2710 /* Half of store::eval_alias; called twice for symmetry. */
2712 tristate
2715 {
2716 /* If they're in different memory spaces, they can't alias. */
2717 {
2720 {
2725 }
2726 }
2730 {
2733 {
2738 {
2739 /* The initial value of a pointer can't point to a local. */
2741 }
2742 }
2745 {
2746 /* The initial value of a pointer can't point to a
2747 region that was allocated on the heap after the beginning of the
2748 path. */
2750 }
2753 {
2757 {
2759 /* If we have sval_a is WIDENING(®ION, OP), and
2760 B can't alias REGION, then B can't alias A either.
2761 For example, A might arise from
2762 for (ptr = ®ION; ...; ptr++)
2763 where sval_a is ptr in the 2nd iteration of the loop.
2764 We want to ensure that "*ptr" can only clobber things
2765 within REGION's base region. */
2767 base_reg_b);
2770 }
2771 }
2772 }
2774 }
2776 /* Record all of the values in MAYBE_LIVE_VALUES as being possibly live. */
2778 void
2780 {
2782 {
2784 {
2787 }
2788 }
2789 }
2791 /* Remove all bindings overlapping REG within this store. */
2793 void
2795 {
2803 {
2806 }
2807 }
2809 /* Remove any bindings for REG within this store. */
2811 void
2813 {
2821 {
2824 }
2825 }
2827 /* Fill REG with SVAL. */
2829 void
2831 {
2832 /* Filling an empty region is a no-op. */
2842 }
2844 /* Zero-fill REG. */
2846 void
2848 {
2852 }
2854 /* Mark REG as having unknown content. */
2856 void
2860 {
2867 maybe_live_values);
2868 }
2870 /* Purge state involving SVAL. */
2872 void
2875 {
2878 {
2882 else
2883 {
2886 }
2887 }
2891 }
2893 /* Get the cluster for BASE_REG, or NULL (const version). */
2897 {
2903 else
2905 }
2907 /* Get the cluster for BASE_REG, or NULL (non-const version). */
2909 binding_cluster *
2911 {
2916 else
2918 }
2920 /* Get the cluster for BASE_REG, creating it if doesn't already exist. */
2922 binding_cluster *
2924 {
2928 /* We shouldn't create clusters for dereferencing an UNKNOWN ptr. */
2931 /* We shouldn't create clusters for base regions that aren't trackable. */
2941 }
2943 /* Remove any cluster for BASE_REG, for use by
2944 region_model::unbind_region_and_descendents
2945 when popping stack frames and handling deleted heap regions. */
2947 void
2949 {
2957 }
2959 /* Attempt to merge STORE_A and STORE_B into OUT_STORE.
2960 Return true if successful, or false if the stores can't be merged. */
2962 bool
2966 {
2970 /* Get the union of all base regions for STORE_A and STORE_B. */
2974 {
2977 }
2980 {
2983 }
2985 /* Sort the base regions before considering them. This ought not to
2986 affect the results, but can affect which types UNKNOWN_REGIONs are
2987 created for in a run; sorting them thus avoids minor differences
2988 in logfiles. */
2997 {
3000 /* At least one of cluster_a and cluster_b must be non-NULL. */
3001 binding_cluster *out_cluster
3006 }
3008 }
3010 /* Mark the cluster for BASE_REG as having escaped.
3011 For use when handling an unrecognized function call, and
3012 for params to "top-level" calls.
3013 Further unknown function calls could touch it, even if the cluster
3014 isn't reachable from args of those calls. */
3016 void
3018 {
3028 }
3030 /* Handle an unknown fncall by updating any clusters that have escaped
3031 (either in this fncall, or in a prior one). */
3033 void
3036 {
3042 }
3044 /* Return true if a non-const pointer to BASE_REG (or something within it)
3045 has escaped to code outside of the TU being analyzed. */
3047 bool
3049 {
3053 /* "errno" can always be modified by external code. */
3061 }
3063 /* Populate OUT_PVS with a list of path_vars for describing SVAL based on
3064 this store, using VISITED to ensure the traversal terminates. */
3066 void
3071 {
3074 /* Find all bindings that reference SVAL. */
3077 {
3081 out_pvs);
3082 }
3085 {
3088 visited))
3090 }
3091 }
3093 /* Remove all bindings overlapping REG within this store, removing
3094 any clusters that become redundant.
3096 If UNCERTAINTY is non-NULL, use it to record any svalues that
3097 were removed, as being maybe-bound. */
3099 void
3102 {
3105 {
3108 {
3109 /* Remove whole cluster. */
3113 }
3114 /* Pass NULL for the maybe_live_values here, as we don't want to
3115 record the old svalues as being maybe-bound. */
3117 }
3118 }
3120 /* Subclass of visitor that accumulates a hash_set of the regions that
3121 were visited. */
3124 {
3126 {
3128 }
3131 };
3133 /* Canonicalize this store, to maximize the chance of equality between
3134 instances. */
3136 void
3138 {
3139 /* If we have e.g.:
3140 cluster for: HEAP_ALLOCATED_REGION(543)
3141 ESCAPED
3142 TOUCHED
3143 where the heap region is empty and unreferenced, then purge that
3144 cluster, to avoid unbounded state chains involving these. */
3146 /* Find regions that are referenced by bound values in the store. */
3147 region_finder s;
3150 {
3155 }
3157 /* Locate heap-allocated regions that have empty bindings that weren't
3158 found above. */
3162 {
3166 {
3167 /* Don't purge a heap-allocated region that's been marked as
3168 escaping, since this could be recording that a ptr to it
3169 was written to an unknown symbolic region along this
3170 path, and so we don't know whether it's referenced or
3171 not, and hence should report it as leaking
3172 (PR analyzer/106473). */
3180 /* Also cover the UNKNOWN case. */
3185 }
3186 }
3188 /* Purge them. */
3191 {
3194 }
3195 }
3197 /* Subroutine for use by exploded_path::feasible_p.
3199 We need to deal with state differences between:
3200 (a) when the exploded_graph is being initially constructed and
3201 (b) when replaying the state changes along a specific path in
3202 in exploded_path::feasible_p.
3204 In (a), state merging happens, so when exploring a loop
3205 for (i = 0; i < 1024; i++)
3206 on successive iterations we have i == 0, then i == WIDENING.
3208 In (b), no state merging happens, so naively replaying the path
3209 that goes twice through the loop then exits it
3210 would lead to i == 0, then i == 1, and then a (i >= 1024) eedge
3211 that exits the loop, which would be found to be infeasible as i == 1,
3212 and the path would be rejected.
3214 We need to fix up state during replay. This subroutine is
3215 called whenever we enter a supernode that we've already
3216 visited along this exploded_path, passing in OTHER_STORE
3217 from the destination enode's state.
3219 Find bindings to widening values in OTHER_STORE.
3220 For all that are found, update the binding in this store to UNKNOWN. */
3222 void
3225 {
3229 {
3234 {
3238 {
3239 binding_cluster *this_cluster
3244 }
3245 }
3246 }
3247 }
3249 /* Use R to replay the bindings from SUMMARY into this object. */
3251 void
3254 {
3256 {
3257 /* A call to an external function occurred in the summary.
3258 Hence we need to invalidate our knownledge of globals,
3259 escaped regions, etc. */
3264 }
3272 }
3274 /* Use R and SUMMARY to replay the bindings in SUMMARY_CLUSTER
3275 into this object. */
3277 void
3281 {
3288 /* Handle "ESCAPED" and "TOUCHED" flags. */
3292 {
3296 {
3297 binding_cluster *caller_cluster
3303 }
3304 }
3307 {
3308 /* Top-level regions. */
3316 /* Child regions. */
3323 /* Other regions. */
3326 /* These should never be the base region of a binding cluster. */
3333 /* These can be marked as escaping. */
3337 {
3347 NULL_TREE,
3356 caller_sval =
3360 }
3366 {
3380 caller_sval =
3384 }
3388 /* Ignore bindings of alloca regions in the summary. */
3390 }
3391 }
3393 #if CHECKING_P
3397 /* Verify that bit_range::intersects_p works as expected. */
3399 static void
3401 {
3415 /* self-intersection is true. */
3457 }
3459 /* Implementation detail of ASSERT_BIT_RANGE_FROM_MASK_EQ. */
3461 static void
3465 {
3470 }
3472 /* Assert that bit_range::from_mask (MASK) returns true, and writes
3473 out EXPECTED_BIT_RANGE. */
3475 #define ASSERT_BIT_RANGE_FROM_MASK_EQ(MASK, EXPECTED_BIT_RANGE) \
3476 SELFTEST_BEGIN_STMT \
3477 assert_bit_range_from_mask_eq (SELFTEST_LOCATION, MASK, \
3478 EXPECTED_BIT_RANGE); \
3479 SELFTEST_END_STMT
3481 /* Implementation detail of ASSERT_NO_BIT_RANGE_FROM_MASK. */
3483 static void
3486 {
3490 }
3492 /* Assert that bit_range::from_mask (MASK) returns false. */
3494 #define ASSERT_NO_BIT_RANGE_FROM_MASK(MASK) \
3495 SELFTEST_BEGIN_STMT \
3496 assert_no_bit_range_from_mask_eq (SELFTEST_LOCATION, MASK); \
3497 SELFTEST_END_STMT
3499 /* Verify that bit_range::from_mask works as expected. */
3501 static void
3503 {
3504 /* Should fail on zero. */
3507 /* Verify 1-bit masks. */
3517 /* Verify N-bit masks starting at bit 0. */
3527 /* Various other tests. */
3532 /* Multiple ranges of set bits should fail. */
3535 }
3537 /* Implementation detail of ASSERT_OVERLAP. */
3539 static void
3543 {
3546 }
3548 /* Implementation detail of ASSERT_DISJOINT. */
3550 static void
3554 {
3557 }
3559 /* Assert that B1 and B2 overlap, checking both ways. */
3561 #define ASSERT_OVERLAP(B1, B2) \
3562 SELFTEST_BEGIN_STMT \
3563 assert_overlap (SELFTEST_LOCATION, B1, B2); \
3564 SELFTEST_END_STMT
3566 /* Assert that B1 and B2 do not overlap, checking both ways. */
3568 #define ASSERT_DISJOINT(B1, B2) \
3569 SELFTEST_BEGIN_STMT \
3570 assert_disjoint (SELFTEST_LOCATION, B1, B2); \
3571 SELFTEST_END_STMT
3573 /* Verify that concrete_binding::overlaps_p works as expected. */
3575 static void
3577 {
3580 /* Various 8-bit bindings. */
3586 /* 16-bit bindings. */
3591 /* 32-bit binding. */
3594 /* Everything should self-overlap. */
3604 /* Verify the 8-bit bindings that don't overlap each other. */
3608 /* Check for overlap of differently-sized bindings. */
3610 /* ...and with differing start points. */
3620 }
3622 /* Run all of the selftests within this file. */
3624 void
3626 {
3630 }