| blob | b3de4b779245e326a053e18e01b3e5e5c1d74efb |
1 /* Pass to detect and issue warnings for invalid accesses, including
2 invalid or mismatched allocation/deallocation calls.
4 Copyright (C) 2020-2023 Free Software Foundation, Inc.
5 Contributed by Martin Sebor <msebor@redhat.com>.
7 This file is part of GCC.
9 GCC is free software; you can redistribute it and/or modify it under
10 the terms of the GNU General Public License as published by the Free
11 Software Foundation; either version 3, or (at your option) any later
12 version.
14 GCC is distributed in the hope that it will be useful, but WITHOUT ANY
15 WARRANTY; without even the implied warranty of MERCHANTABILITY or
16 FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
17 for more details.
19 You should have received a copy of the GNU General Public License
20 along with GCC; see the file COPYING3. If not see
21 <http://www.gnu.org/licenses/>. */
23 #define INCLUDE_STRING
59 /* Return true if tree node X has an associated location. */
63 {
71 }
73 /* Return the associated location of STMT. */
77 {
79 }
81 /* Return the associated location of tree node X. */
85 {
93 }
95 /* Overload of the nascent tree function for GIMPLE STMT. */
99 {
101 }
105 {
107 }
111 {
113 }
118 {
120 }
124 {
126 }
128 /* For a call EXPR at LOC to a function FNAME that expects a string
129 in the argument ARG, issue a diagnostic due to it being a called
130 with an argument that is a character array with no terminating
131 NUL. SIZE is the EXACT size of the array, and BNDRNG the number
132 of characters in which the NUL is expected. Either EXPR or FNAME
133 may be null but noth both. SIZE may be null when BNDRNG is null. */
136 static void
140 {
149 /* Format the bound range as a string to keep the number of messages
150 from exploding. */
154 {
157 else
161 }
163 auto_diagnostic_group d;
168 {
171 {
174 "%qD specified bound %s exceeds "
177 else
178 {
181 exact
184 : (maybe
186 "exceed the size of at most %E "
189 "the size of at most %E "
192 }
193 }
194 else
197 func);
198 }
199 else
200 {
202 {
205 "%qs specified bound %s exceeds "
208 else
209 {
212 exact
215 : (maybe
217 "exceed the size of at most %E "
220 "the size of at most %E "
223 }
224 }
225 else
228 fname);
229 }
232 {
238 }
239 }
241 void
246 {
249 }
251 void
256 {
259 }
261 /* If EXP refers to an unterminated constant character array return
262 the declaration of the object of which the array is a member or
263 element and if SIZE is not null, set *SIZE to the size of
264 the unterminated array and set *EXACT if the size is exact or
265 clear it otherwise. Otherwise return null. */
267 tree
269 {
270 /* C_STRLEN will return NULL and set DECL in the info
271 structure if EXP references a unterminated array. */
272 c_strlen_data lendata = { };
282 {
283 /* Constant offsets are already accounted for in LENDATA.MINLEN,
284 but not in a SSA_NAME + CST expression. */
289 {
290 /* Subtract the offset from the size of the array. */
295 }
296 else
298 }
299 else
304 }
306 /* For a call EXPR (which may be null) that expects a string argument
307 SRC as an argument, returns false if SRC is a character array with
308 no terminating NUL. When nonnull, BOUND is the number of characters
309 in which to expect the terminating NUL. When EXPR is nonnull also
310 issues a warning. */
313 static bool
315 {
316 /* The constant size of the array SRC points to. The actual size
317 may be less of EXACT is true, but not more. */
318 tree size;
319 /* True if SRC involves a non-constant offset into the array. */
321 /* The unterminated constant array SRC points to. */
326 /* NONSTR refers to the non-nul terminated constant array and SIZE
327 is the constant size of the array in bytes. EXACT is true when
328 SIZE is exact. */
332 {
344 {
347 }
350 }
357 }
359 bool
361 {
363 }
365 bool
367 {
369 }
371 /* Warn about passing a non-string array/pointer to a built-in function
372 that expects a nul-terminated string argument. Returns true if
373 a warning has been issued.*/
376 static bool
378 {
386 /* Avoid clearly invalid calls (more checking done below). */
391 /* The bound argument to a bounded string function like strncpy. */
394 /* The longest known or possible string argument to one of the comparison
395 functions. If the length is less than the bound it is used instead.
396 Since the length is only used for warning and not for code generation
397 disable strict mode in the calls to get_range_strlen below. */
400 /* It's safe to call "bounded" string functions with a non-string
401 argument since the functions provide an explicit bound for this
402 purpose. The exception is strncat where the bound may refer to
403 either the destination or the source. */
406 {
410 {
411 /* For these, if one argument refers to one or more of a set
412 of string constants or arrays of known size, determine
413 the range of their known or possible lengths and use it
414 conservatively as the bound for the unbounded function,
415 and to adjust the range of the bound of the bounded ones. */
419 {
422 {
423 c_strlen_data lendata = { };
424 /* Set MAXBOUND to an arbitrary non-null non-integer
425 node as a request to have it set to the length of
426 the longest string in a PHI. */
430 }
431 }
432 }
433 /* Fall through. */
449 {
452 {
453 c_strlen_data lendata = { };
454 /* Set MAXBOUND to an arbitrary non-null non-integer
455 node as a request to have it set to the length of
456 the longest string in a PHI. */
460 }
464 }
468 }
470 /* Determine the range of the bound argument (if specified). */
473 {
476 }
481 {
482 /* Diagnose excessive bound prior to the adjustment below and
483 regardless of attribute nonstring. */
486 {
490 "%qD specified bound %E "
493 else
495 "%qD specified bound [%E, %E] "
498 maxobjsize);
503 }
504 }
507 {
508 /* Add one for the nul. */
510 size_one_node);
513 {
514 /* Conservatively use the upper bound of the lengths for
515 both the lower and the upper bound of the operation. */
519 }
521 {
522 /* Replace the bound on the operation with the upper bound
523 of the length of the string if the latter is smaller. */
528 }
529 }
532 /* Iterate over the built-in function's formal arguments and check
533 each const char* against the actual argument. If the actual
534 argument is declared attribute non-string issue a warning unless
535 the argument's maximum length is bounded. */
536 function_args_iterator it;
540 {
541 /* Avoid iterating past the declared argument in a call
542 to function declared without a prototype. */
567 /* See if the destination is declared with attribute "nonstring". */
572 /* The maximum number of array elements accessed. */
576 {
577 /* See if the bound in strncat is derived from the length
578 of the strlen of the destination (as it's expected to be).
579 If so, reset BOUND and FNCODE to trigger a warning. */
582 {
583 /* The bound applies to the destination, not to the source,
584 so reset these to trigger a warning without mentioning
585 the bound. */
588 }
590 /* Use the upper bound of the range for strncat. */
592 }
594 /* Use the lower bound of the range for functions other than
595 strncat. */
598 /* Determine the size of the argument array if it is one. */
603 /* Determine the array size. For arrays of unknown bound and
604 pointers reset BOUND to trigger the appropriate warning. */
606 {
608 {
610 {
613 }
614 }
617 }
621 /* In a call to strncat with a bound in a range whose lower but
622 not upper bound is less than the array size, reset ASIZE to
623 be the same as the bound and the other variable to trigger
624 the appropriate warning below. */
628 && (!known_size
630 {
634 }
638 auto_diagnostic_group d;
640 {
643 "%qD argument %i declared attribute "
644 "%<nonstring%> is smaller than the specified "
649 "%qD argument %i declared attribute "
650 "%<nonstring%> is smaller than "
653 else
655 "%qD argument %i declared attribute "
656 "%<nonstring%> may be smaller than "
659 }
662 is equal to the size of the non-string argument. */
669 {
673 }
674 }
680 }
682 bool
684 {
686 }
689 bool
691 {
693 }
695 /* Issue a warning OPT for a bounded call EXP with a bound in RANGE
696 accessing an object with SIZE. */
699 static bool
702 {
711 {
714 {
715 /* Issue a "maybe" warning only if the PHI refers to objects
716 at least one of which has more space remaining than the bound.
717 Otherwise, if the bound is greater, use the definitive form. */
721 }
723 auto_diagnostic_group d;
725 {
727 warned = (func
729 (maybe
736 (maybe
742 else
743 warned = (func
745 (maybe
750 func,
753 (maybe
759 }
763 warned = (func
765 (maybe
772 (maybe
778 else
779 warned = (func
781 (maybe
788 (maybe
795 {
801 }
804 }
808 {
809 /* Issue a "maybe" warning only if the PHI refers to objects
810 at least one of which has more space remaining than the bound.
811 Otherwise, if the bound is greater, use the definitive form. */
815 }
817 {
819 warned = (func
821 (maybe
828 (maybe
834 else
835 warned = (func
837 (maybe
844 (maybe
850 }
854 warned = (func
856 (maybe
863 (maybe
869 else
870 warned = (func
872 (maybe
879 (maybe
887 {
893 }
896 }
898 bool
902 {
904 pad);
905 }
907 bool
911 {
913 }
915 /* For an expression EXP issue an access warning controlled by option OPT
916 with access to a region SIZE bytes in size in the RANGE of sizes.
917 WRITE is true for a write access, READ for a read access, neither for
918 call that may or may not perform an access but for which the range
919 is expected to valid.
920 Returns true when a warning has been issued. */
923 static bool
926 {
930 {
932 warned = (func
934 (maybe
939 (maybe
946 (maybe
951 (maybe
958 {
959 /* Avoid printing the upper bound if it's invalid. */
960 warned = (func
962 (maybe
969 (maybe
975 }
976 else
977 warned = (func
979 (maybe
986 (maybe
993 }
996 {
998 warned = (func
1000 (maybe
1005 (maybe
1012 (maybe
1017 (maybe
1024 {
1025 /* Avoid printing the upper bound if it's invalid. */
1026 warned = (func
1028 (maybe
1032 "into a region of size %E overflows "
1036 (maybe
1040 "a region of size %E overflows "
1043 }
1044 else
1045 warned = (func
1047 (maybe
1051 "into a region of size %E overflows "
1055 (maybe
1059 "into a region of size %E overflows "
1063 }
1066 {
1068 warned = (func
1071 (maybe
1076 (maybe
1084 (maybe
1089 (maybe
1096 {
1097 /* Avoid printing the upper bound if it's invalid. */
1098 warned = (func
1100 (maybe
1107 (maybe
1113 }
1114 else
1115 warned = (func
1117 (maybe
1124 (maybe
1135 }
1139 warned = (func
1151 {
1152 /* Avoid printing the upper bound if it's invalid. */
1153 warned = (func
1155 "%qD expecting %E or more bytes in a region "
1159 "expecting %E or more bytes in a region "
1162 }
1163 else
1164 warned = (func
1166 "%qD expecting between %E and %E bytes in "
1170 "expecting between %E and %E bytes in "
1178 }
1180 static bool
1183 {
1186 }
1188 static bool
1191 {
1194 }
1196 /* Helper to set RANGE to the range of BOUND if it's nonnull, bounded
1197 by BNDRNG if nonnull and valid. */
1199 static void
1202 {
1210 {
1211 offset_int r[] =
1217 }
1218 else
1219 {
1222 }
1223 }
1225 /* Try to verify that the sizes and lengths of the arguments to a string
1226 manipulation function given by EXP are within valid bounds and that
1227 the operation does not lead to buffer overflow or read past the end.
1228 Arguments other than EXP may be null. When non-null, the arguments
1229 have the following meaning:
1230 DST is the destination of a copy call or NULL otherwise.
1231 SRC is the source of a copy call or NULL otherwise.
1232 DSTWRITE is the number of bytes written into the destination obtained
1233 from the user-supplied size argument to the function (such as in
1234 memcpy(DST, SRCs, DSTWRITE) or strncpy(DST, DRC, DSTWRITE).
1235 MAXREAD is the user-supplied bound on the length of the source sequence
1236 (such as in strncat(d, s, N). It specifies the upper limit on the number
1237 of bytes to write. If NULL, it's taken to be the same as DSTWRITE.
1238 SRCSTR is the source string (such as in strcpy(DST, SRC)) when the
1239 expression EXP is a string function call (as opposed to a memory call
1240 like memcpy). As an exception, SRCSTR can also be an integer denoting
1241 the precomputed size of the source string or object (for functions like
1242 memcpy).
1243 DSTSIZE is the size of the destination object.
1245 When DSTWRITE is null LEN is checked to verify that it doesn't exceed
1246 SIZE_MAX.
1248 WRITE is true for write accesses, READ is true for reads. Both are
1249 false for simple size checks in calls to functions that neither read
1250 from nor write to the region.
1252 When nonnull, PAD points to a more detailed description of the access.
1254 If the call is successfully verified as safe return true, otherwise
1255 return false. */
1258 static bool
1263 {
1264 /* The size of the largest object is half the address space, or
1265 PTRDIFF_MAX. (This is way too permissive.) */
1268 /* Either an approximate/minimum the length of the source string for
1269 string functions or the size of the source object for raw memory
1270 functions. */
1273 /* The range of the access in bytes; first set to the write access
1274 for functions that write and then read for those that also (or
1275 just) read. */
1278 /* Set to true when the exact number of bytes written by a string
1279 function like strcpy is not known and the only thing that is
1280 known is that it must be at least one (for the terminating nul). */
1283 {
1284 /* SRCSTR is normally a pointer to string but as a special case
1285 it can be an integer denoting the length of a string. */
1287 {
1289 /* Return if the array is not nul-terminated and a warning
1290 has been issued. */
1293 /* Try to determine the range of lengths the source string
1294 refers to. If it can be determined and is less than
1295 the upper bound given by MAXREAD add one to it for
1296 the terminating nul. Otherwise, set it to one for
1297 the same reason, or to MAXREAD as appropriate. */
1298 c_strlen_data lendata = { };
1306 {
1309 else
1320 }
1321 else
1322 {
1325 }
1326 }
1327 else
1329 }
1332 {
1333 /* When the only available piece of data is the object size
1334 there is nothing to do. */
1338 /* Otherwise, when the length of the source sequence is known
1339 (as with strlen), set DSTWRITE to it. */
1342 }
1347 /* Set RANGE to that of DSTWRITE if non-null, bounded by PAD->DST_BNDRNG
1348 if valid. */
1351 /* If the destination has known zero size prefer a zero
1352 size range to avoid false positives if that's a
1353 possibility. */
1358 /* Read vs write access by built-ins can be determined from the const
1359 qualifiers on the pointer argument. In the absence of attribute
1360 access, non-const qualified pointer arguments to user-defined
1361 functions are assumed to both read and write the objects. */
1364 /* First check the number of bytes to be written against the maximum
1365 object size. */
1369 {
1374 }
1376 /* The number of bytes to write is "exact" if DSTWRITE is non-null,
1377 constant, and in range of unsigned HOST_WIDE_INT. */
1380 /* Next check the number of bytes to be written against the destination
1381 object size. */
1383 {
1388 || (dstwrite
1391 {
1398 auto_diagnostic_group d;
1402 {
1403 /* This is a call to strcpy with a destination of 0 size
1404 and a source of unknown length. The call will write
1405 at least one byte past the end of the destination. */
1406 warned = (func
1408 "%qD writing %E or more bytes into "
1409 "a region of size %E overflows "
1413 "writing %E or more bytes into "
1414 "a region of size %E overflows "
1417 }
1418 else
1419 {
1420 const bool read
1422 const bool write
1426 OPT_Wstringop_overflow_,
1429 }
1432 {
1436 }
1438 /* Return error when an overflow has been detected. */
1440 }
1441 }
1443 /* Check the maximum length of the source sequence against the size
1444 of the destination object if known, or against the maximum size
1445 of an object. */
1447 {
1448 /* Set RANGE to that of MAXREAD, bounded by PAD->SRC_BNDRNG if
1449 PAD is nonnull and BNDRNG is valid. */
1459 {
1461 {
1465 }
1468 {
1470 ? OPT_Wstringop_overflow_
1474 }
1475 }
1478 }
1480 /* Check for reading past the end of SRC. */
1483 && dstwrite
1487 /* If none is determined try to get a better answer based on the details
1488 in PAD. */
1490 && pad
1495 {
1496 /* Set RANGE to that of MAXREAD, bounded by PAD->SRC_BNDRNG if
1497 PAD is nonnull and BNDRNG is valid. */
1500 /* Set OVERREAD for reads starting just past the end of an object. */
1504 }
1507 {
1516 const bool read
1519 auto_diagnostic_group d;
1521 maybe))
1522 {
1526 }
1528 }
1531 }
1533 static bool
1538 {
1541 }
1543 bool
1547 {
1550 }
1552 /* Return true if STMT is a call to an allocation function. Unless
1553 ALL_ALLOC is set, consider only functions that return dynamically
1554 allocated objects. Otherwise return true even for all forms of
1555 alloca (including VLA). */
1557 static bool
1559 {
1563 /* A call to operator new isn't recognized as one to a built-in. */
1568 {
1570 {
1584 }
1585 }
1587 /* A function is considered an allocation function if it's declared
1588 with attribute malloc with an argument naming its associated
1589 deallocation function. */
1597 {
1604 }
1607 }
1609 /* Return true if STMT is a call to an allocation function. A wrapper
1610 around fndecl_alloc_p. */
1612 static bool
1614 {
1616 }
1618 /* Return true if DELC doesn't refer to an operator delete that's
1619 suitable to call with a pointer returned from the operator new
1620 described by NEWC. */
1622 static bool
1625 {
1630 {
1632 {
1640 {
1645 }
1647 }
1650 /* Operator mismatches are handled above. */
1679 {
1680 /* The demangler API provides no better way to compare built-in
1681 types except to by comparing their demangled names. */
1693 }
1716 }
1732 }
1734 /* Return true if DELETE_DECL is an operator delete that's not suitable
1735 to call with a pointer returned from NEW_DECL. */
1737 static bool
1739 {
1743 /* valid_new_delete_pair_p() returns a conservative result (currently
1744 it only handles global operators). A true result is reliable but
1745 a false result doesn't necessarily mean the operators don't match
1746 unless CERTAIN is set. */
1750 /* CERTAIN is set when the negative result is certain. */
1754 /* For anything not handled by valid_new_delete_pair_p() such as member
1755 operators compare the individual demangled components of the mangled
1756 name. */
1767 }
1769 /* ALLOC_DECL and DEALLOC_DECL are pair of allocation and deallocation
1770 functions. Return true if the latter is suitable to deallocate objects
1771 allocated by calls to the former. */
1773 static bool
1775 {
1776 /* Set to alloc_kind_t::builtin if ALLOC_DECL is associated with
1777 a built-in deallocator. */
1782 {
1784 /* Return true iff both functions are of the same array or
1785 singleton form and false otherwise. */
1788 /* Return false for deallocation functions that are known not
1789 to match. */
1793 /* Otherwise proceed below to check the deallocation function's
1794 "*dealloc" attributes to look for one that mentions this operator
1795 new. */
1796 }
1798 {
1800 {
1824 }
1825 }
1827 /* Set if DEALLOC_DECL both allocates and deallocates. */
1831 {
1839 {
1851 }
1852 }
1857 /* If DEALLOC_DECL has an internal "*dealloc" attribute scan the list
1858 of its associated allocation functions for ALLOC_DECL.
1859 If the corresponding ALLOC_DECL is found they're a matching pair,
1860 otherwise they're not.
1861 With DDATS set to the Deallocator's *Dealloc ATtributes... */
1865 {
1878 {
1882 {
1894 }
1903 }
1907 }
1913 /* Special handling for deallocators. Iterate over both the allocator's
1914 and the reallocator's associated deallocator functions looking for
1915 the first one in common. If one is found, the de/reallocator is
1916 a match for the allocator even though the latter isn't directly
1917 associated with the former. This simplifies declarations in system
1918 headers.
1919 With AMATS set to the Allocator's Malloc ATtributes,
1920 and RMATS set to Reallocator's Malloc ATtributes... */
1927 {
1930 {
1933 {
1936 {
1940 }
1942 }
1945 }
1949 {
1952 {
1955 {
1959 }
1961 }
1965 }
1966 }
1968 /* Succeed only if ALLOC_DECL and the reallocator DEALLOC_DECL share
1969 a built-in deallocator. */
1972 }
1974 /* Return true if DEALLOC_DECL is a function suitable to deallocate
1975 objects allocated by the ALLOC call. */
1977 static bool
1979 {
1985 }
1987 /* Diagnose a call EXP to deallocate a pointer referenced by AREF if it
1988 includes a nonzero offset. Such a pointer cannot refer to the beginning
1989 of an allocated object. A negative offset may refer to it only if
1990 the target pointer is unknown. */
1992 static bool
1994 {
2004 {
2005 /* A call to a user-defined operator delete with a pointer plus offset
2006 may be valid if it's returned from an unknown function (i.e., one
2007 that's not operator new). */
2009 {
2012 {
2016 }
2017 }
2018 }
2023 {
2028 else
2032 }
2034 auto_diagnostic_group d;
2043 {
2046 {
2055 else
2057 }
2058 }
2061 }
2066 GIMPLE_PASS,
2068 OPTGROUP_NONE,
2075 };
2077 /* Pass to detect invalid accesses. */
2079 {
2094 /* Not copyable or assignable. */
2098 /* Check a call to an atomic built-in function. */
2101 /* Check a call to a built-in function. */
2104 /* Check a call to an ordinary function for invalid accesses. */
2107 /* Check a non-call statement. */
2110 /* Check statements in a basic block. */
2113 /* Check a call to a function. */
2116 /* Check a call to the named built-in function. */
2132 /* Check for uses of indeterminate pointers. */
2135 /* Return the argument that a call returns. */
2138 /* Check a call for uses of a dangling pointer arguments. */
2141 /* Check uses of a dangling pointer or those derived from it. */
2149 /* Return true if use follows an invalidating statement. */
2152 /* A pointer_query object to store information about pointers and
2153 their targets in. */
2154 pointer_query m_ptr_qry;
2155 /* Mapping from DECLs and their clobber statements in the function. */
2157 /* A bit is set for each basic block whose statements have been assigned
2158 valid UIDs. */
2159 bitmap m_bb_uids_set;
2160 /* The current function. */
2162 /* True to run checks for uses of dangling pointers. */
2164 /* True to run checks early on in the optimization pipeline. */
2166 };
2168 /* Construct the pass. */
2178 {
2179 }
2181 /* Return a copy of the pass with RUN_NUMBER one greater than THIS. */
2183 opt_pass*
2185 {
2187 }
2189 /* Release pointer_query cache. */
2192 {
2194 }
2196 void
2198 {
2202 }
2204 /* Return true when any checks performed by the pass are enabled. */
2206 bool
2208 {
2210 || warn_mismatched_alloc
2212 }
2214 /* Initialize ALLOC_OBJECT_SIZE_LIMIT based on the -Walloc-size-larger-than=
2215 setting if the option is specified, or to the maximum object size if it
2216 is not. Return the initialized value. */
2218 static tree
2220 {
2226 }
2228 /* Diagnose a call EXP to function FN decorated with attribute alloc_size
2229 whose argument numbers given by IDX with values given by ARGS exceed
2230 the maximum object size or cause an unsigned overflow (wrapping) when
2231 multiplied. FN is null when EXP is a call via a function pointer.
2232 When ARGS[0] is null the function does nothing. ARGS[1] may be null
2233 for functions like malloc, and non-null for those like calloc that
2234 are decorated with a two-argument attribute alloc_size. */
2236 void
2239 {
2240 /* The range each of the (up to) two arguments is known to be in. */
2243 /* Maximum object size set by -Walloc-size-larger-than= or SIZE_MAX / 2. */
2252 /* Validate each argument individually. */
2254 {
2256 {
2261 {
2265 }
2267 {
2268 /* Avoid issuing -Walloc-zero for allocation functions other
2269 than __builtin_alloca that are declared with attribute
2270 returns_nonnull because there's no portability risk. This
2271 avoids warning for such calls to libiberty's xmalloc and
2272 friends.
2273 Also avoid issuing the warning for calls to function named
2274 "alloca". */
2282 }
2284 {
2285 /* G++ emits calls to ::operator new[](SIZE_MAX) in C++98
2286 mode and with -fno-exceptions as a way to indicate array
2287 size overflow. There's no good way to detect C++98 here
2288 so avoid diagnosing these calls for all C++ modes. */
2290 && fn
2298 "argument %i value %qE exceeds "
2301 }
2302 }
2305 {
2306 /* Verify that the argument's range is not negative (including
2307 upper bound of zero). */
2310 {
2315 }
2317 {
2319 "argument %i range [%E, %E] exceeds "
2323 maxobjsize);
2324 }
2325 }
2326 }
2331 /* For a two-argument alloc_size, validate the product of the two
2332 arguments if both of their values or ranges are known. */
2337 {
2338 /* Check for overflow in the product of a function decorated with
2339 attribute alloc_size (X, Y). */
2349 "product %<%E * %E%> of arguments %i and %i "
2355 "product %<%E * %E%> of arguments %i and %i "
2359 maxobjsize);
2362 {
2363 /* Print the full range of each of the two arguments to make
2364 it clear when it is, in fact, in a range and not constant. */
2371 }
2372 }
2375 {
2381 else
2384 }
2385 }
2387 /* Check a call to an alloca function for an excessive size. */
2389 void
2391 {
2399 {
2400 /* -Walloca-larger-than and -Wvla-larger-than settings of less
2401 than HWI_MAX override the more general -Walloc-size-larger-than
2402 so unless either of the former options is smaller than the last
2403 one (which would imply that the call was already checked), check
2404 the alloca arguments for overflow. */
2408 }
2409 }
2411 /* Check a call to an allocation function for an excessive size. */
2413 void
2415 {
2420 /* Avoid invalid calls to functions without a prototype. */
2425 {
2426 /* Alloca is handled separately. */
2428 {
2435 }
2436 }
2445 /* Extract attribute alloc_size from the type of the called expression
2446 (which could be a function or a function pointer) and if set, store
2447 the indices of the corresponding arguments in ALLOC_IDX, and then
2448 the actual argument(s) at those indices in ALLOC_ARGS. */
2455 /* Avoid invalid calls to functions without a prototype. */
2460 {
2465 }
2468 }
2470 /* Check a call STMT to strcat() for overflow and warn if it does. */
2472 void
2474 {
2484 /* There is no way here to determine the length of the string in
2485 the destination to which the SRC string is being appended so
2486 just diagnose cases when the source string is longer than
2487 the destination object. */
2496 }
2498 /* Check a call STMT to strcat() for overflow and warn if it does. */
2500 void
2502 {
2511 /* The upper bound on the number of bytes to write. */
2514 /* Detect unterminated source (only). */
2518 /* The length of the source sequence. */
2521 /* Try to determine the range of lengths that the source expression
2522 refers to. Since the lengths are only used for warning and not
2523 for code generation disable strict mode below. */
2526 {
2527 c_strlen_data lendata = { };
2530 }
2533 /* Try to verify that the destination is big enough for the shortest
2534 string. First try to determine the size of the destination object
2535 into which the source is being copied. */
2539 /* Add one for the terminating nul. */
2540 tree srclen = (maxlen
2542 size_one_node)
2545 /* The strncat function copies at most MAXREAD bytes and always appends
2546 the terminating nul so the specified upper bound should never be equal
2547 to (or greater than) the size of the destination. */
2550 {
2557 }
2567 }
2569 /* Check a call STMT to stpcpy() or strcpy() for overflow and warn
2570 if it does. */
2572 void
2574 {
2581 tree size;
2584 {
2585 /* NONSTR refers to the non-nul terminated constant array. */
2589 }
2592 {
2601 }
2603 /* Check to see if the argument was declared attribute nonstring
2604 and if so, issue a warning since at this point it's not known
2605 to be nul-terminated. */
2608 }
2610 /* Check a call STMT to stpncpy() or strncpy() for overflow and warn
2611 if it does. */
2613 void
2615 {
2621 /* The number of bytes to write (not the maximum). */
2632 }
2634 /* Check a call STMT to stpncpy() or strncpy() for overflow and warn
2635 if it does. */
2637 void
2639 {
2647 /* First check each argument separately, considering the bound. */
2652 /* A strncmp read from each argument is constrained not just by
2653 the bound but also by the length of the shorter string. Specifying
2654 a bound that's larger than the size of either array makes no sense
2655 and is likely a bug. When the length of neither of the two strings
2656 is known but the sizes of both of the arrays they are stored in is,
2657 issue a warning if the bound is larger than the size of
2658 the larger of the two arrays. */
2670 /* If the length of both arguments was computed they must both be
2671 nul-terminated and no further checking is necessary regardless
2672 of the bound. */
2675 /* Check to see if the argument was declared with attribute nonstring
2676 and if so, issue a warning since at this point it's not known to be
2677 nul-terminated. */
2686 /* Determine the range of the bound first and bail if it fails; it's
2687 cheaper than computing the size of the objects. */
2698 /* compute_objsize almost never fails (and ultimately should never
2699 fail). Don't bother to handle the rare case when it does. */
2704 /* Compute the size of the remaining space in each array after
2705 subtracting any offset into it. */
2709 /* Cap REM1 and REM2 at the other if the other's argument is known
2710 to be an unterminated array, either because there's no space
2711 left in it after adding its offset or because it's constant and
2712 has no nul. */
2718 /* Point PAD at the array to reference in the note if a warning
2719 is issued. */
2724 {
2725 /* Warn when either argument isn't nul-terminated or the maximum
2726 remaining space in the two arrays is less than the bound. */
2731 pad);
2732 }
2733 }
2735 /* Determine and check the sizes of the source and the destination
2736 of calls to __builtin_{bzero,memcpy,mempcpy,memset} calls. STMT is
2737 the call statement, DEST is the destination argument, SRC is the source
2738 argument or null, and SIZE is the number of bytes being accessed. Use
2739 Object Size type-0 regardless of the OPT_Wstringop_overflow_ setting.
2740 Return true on success (no overflow or invalid sizes), false otherwise. */
2742 void
2744 {
2748 /* For functions like memset and memcpy that operate on raw memory
2749 try to determine the size of the largest source and destination
2750 object using type-0 Object Size regardless of the object size
2751 type specified by the option. */
2753 tree srcsize
2759 }
2761 /* A convenience wrapper for check_access to check access by a read-only
2762 function like puts or strcmp. */
2764 void
2768 {
2784 }
2786 /* Return true if memory model ORD is constant in the context of STMT and
2787 set *CSTVAL to the constant value. Otherwise return false. Warn for
2788 invalid ORD. */
2790 bool
2792 {
2796 {
2800 }
2801 else
2802 {
2803 /* Use the range query to determine constant values in the absence
2804 of constant propagation (such as at -O0). */
2815 }
2818 /* This might warn for an invalid VAL but return a conservatively
2819 valid result. */
2822 {
2828 "unknown architecture specifier in memory model "
2831 }
2836 }
2838 /* Valid memory model for each set of atomic built-in functions. */
2840 struct memmodel_pair
2841 {
2842 memmodel modval;
2845 #define MEMMODEL_PAIR(val, str) \
2847 };
2849 /* Valid memory models in the order of increasing strength. */
2858 };
2860 /* Return the name of the memory model VAL. */
2864 {
2868 {
2871 }
2873 }
2875 /* Indices of valid MEMORY_MODELS above for corresponding atomic operations. */
2882 /* Check the success memory model argument ORD_SUCS to the call STMT to
2883 an atomic function and warn if it's invalid. If nonnull, also check
2884 the failure memory model ORD_FAIL and warn if it's invalid. Return
2885 true if a warning has been issued. */
2887 bool
2890 {
2899 {
2902 {
2905 }
2906 }
2907 else
2915 {
2917 auto_diagnostic_group d;
2922 else
2930 /* Print a note with the valid memory models. */
2931 pretty_printer pp;
2934 {
2937 }
2941 }
2948 {
2949 /* If both memory model arguments are valid but their combination
2950 is not, use their names in the warning. */
2951 auto_diagnostic_group d;
2962 }
2969 {
2970 /* If both memory model arguments are valid but their combination
2971 is not, use their names in the warning. */
2972 auto_diagnostic_group d;
2974 "failure memory model %qs cannot be stronger "
2979 /* Print a note with the valid failure memory models which are
2980 those with a value less than or equal to the success mode. */
2985 {
2991 }
2995 }
2997 /* If either memory model argument value is invalid use the numerical
2998 value of both in the message. */
3000 "failure memory model %wi cannot be stronger "
3003 }
3005 /* Wrapper for the above. */
3007 void
3010 {
3018 }
3020 /* Check a call STMT to an atomic or sync built-in. */
3022 bool
3024 {
3029 /* The size in bytes of the access by the function, and the number
3030 of the second argument to check (if any). */
3033 /* Points to the array of indices of valid memory models. */
3037 {
3038 #define BUILTIN_ACCESS_SIZE_FNSPEC(N) \
3039 BUILT_IN_SYNC_FETCH_AND_ADD_ ## N: \
3040 case BUILT_IN_SYNC_FETCH_AND_SUB_ ## N: \
3041 case BUILT_IN_SYNC_FETCH_AND_OR_ ## N: \
3042 case BUILT_IN_SYNC_FETCH_AND_AND_ ## N: \
3043 case BUILT_IN_SYNC_FETCH_AND_XOR_ ## N: \
3044 case BUILT_IN_SYNC_FETCH_AND_NAND_ ## N: \
3045 case BUILT_IN_SYNC_ADD_AND_FETCH_ ## N: \
3046 case BUILT_IN_SYNC_SUB_AND_FETCH_ ## N: \
3047 case BUILT_IN_SYNC_OR_AND_FETCH_ ## N: \
3048 case BUILT_IN_SYNC_AND_AND_FETCH_ ## N: \
3049 case BUILT_IN_SYNC_XOR_AND_FETCH_ ## N: \
3050 case BUILT_IN_SYNC_NAND_AND_FETCH_ ## N: \
3051 case BUILT_IN_SYNC_LOCK_TEST_AND_SET_ ## N: \
3052 case BUILT_IN_SYNC_BOOL_COMPARE_AND_SWAP_ ## N: \
3053 case BUILT_IN_SYNC_VAL_COMPARE_AND_SWAP_ ## N: \
3054 case BUILT_IN_SYNC_LOCK_RELEASE_ ## N: \
3055 bytes = N; \
3056 break; \
3057 case BUILT_IN_ATOMIC_LOAD_ ## N: \
3058 pvalid_models = load_models; \
3059 sucs_arg = 1; \
3061 case BUILT_IN_ATOMIC_STORE_ ## N: \
3062 if (!pvalid_models) \
3063 pvalid_models = store_models; \
3065 case BUILT_IN_ATOMIC_ADD_FETCH_ ## N: \
3066 case BUILT_IN_ATOMIC_SUB_FETCH_ ## N: \
3067 case BUILT_IN_ATOMIC_AND_FETCH_ ## N: \
3068 case BUILT_IN_ATOMIC_NAND_FETCH_ ## N: \
3069 case BUILT_IN_ATOMIC_XOR_FETCH_ ## N: \
3070 case BUILT_IN_ATOMIC_OR_FETCH_ ## N: \
3071 case BUILT_IN_ATOMIC_FETCH_ADD_ ## N: \
3072 case BUILT_IN_ATOMIC_FETCH_SUB_ ## N: \
3073 case BUILT_IN_ATOMIC_FETCH_AND_ ## N: \
3074 case BUILT_IN_ATOMIC_FETCH_NAND_ ## N: \
3075 case BUILT_IN_ATOMIC_FETCH_OR_ ## N: \
3076 case BUILT_IN_ATOMIC_FETCH_XOR_ ## N: \
3077 bytes = N; \
3078 if (sucs_arg == UINT_MAX) \
3079 sucs_arg = 2; \
3080 if (!pvalid_models) \
3081 pvalid_models = all_models; \
3082 break; \
3083 case BUILT_IN_ATOMIC_EXCHANGE_ ## N: \
3084 bytes = N; \
3085 sucs_arg = 3; \
3086 pvalid_models = xchg_models; \
3087 break; \
3088 case BUILT_IN_ATOMIC_COMPARE_EXCHANGE_ ## N: \
3089 bytes = N; \
3090 sucs_arg = 4; \
3091 fail_arg = 5; \
3092 pvalid_models = all_models; \
3093 arg2 = 1
3113 }
3117 {
3123 }
3133 {
3136 }
3139 }
3141 /* Check call STMT to a built-in function for invalid accesses. Return
3142 true if a call has been handled. */
3144 bool
3146 {
3152 {
3171 {
3175 }
3200 {
3205 }
3241 {
3248 }
3253 {
3259 }
3262 {
3267 }
3270 {
3275 }
3281 }
3284 }
3286 /* Returns the type of the argument ARGNO to function with type FNTYPE
3287 or null when the type cannot be determined or no such argument exists. */
3289 static tree
3291 {
3295 tree argtype;
3296 function_args_iterator it;
3302 }
3304 /* Helper to append the "human readable" attribute access specification
3305 described by ACCESS to the array ATTRSTR with size STRSIZE. Used in
3306 diagnostics. */
3311 {
3318 }
3320 /* Iterate over attribute access read-only, read-write, and write-only
3321 arguments and diagnose past-the-end accesses and related problems
3322 in the function call EXP. */
3324 void
3327 {
3332 auto_diagnostic_group adg;
3334 /* Set if a warning has been issued for any argument (used to decide
3335 whether to emit an informational note at the end). */
3338 /* A string describing the attributes that the warnings issued by this
3339 function apply to. Used to print one informational note per function
3340 call, rather than one per warning. That reduces clutter. */
3345 {
3348 /* Get the function call arguments corresponding to the attribute's
3349 positional arguments. When both arguments have been specified
3350 there will be two entries in *RWM, one for each. They are
3351 cross-referenced by their respective argument numbers in
3352 ACCESS.PTRARG and ACCESS.SIZARG. */
3359 /* The pointer is set to null for the entry corresponding to
3360 the size argument. Skip it. It's handled when the entry
3361 corresponding to the pointer argument comes up. */
3367 /* A function with a prototype was redeclared without one and
3368 the prototype has been lost. See pr102759. Avoid dealing
3369 with this pathological case. */
3374 /* The size of the access by the call in elements. */
3375 tree access_nelts;
3377 {
3378 /* If only the pointer attribute operand was specified and
3379 not size, set SIZE to the greater of MINSIZE or size of
3380 one element of the pointed to type to detect smaller
3381 objects (null pointers are diagnosed in this case only
3382 if the pointer is also declared with attribute nonnull. */
3387 /* Treat access mode none on a void* argument as expecting
3388 as little as zero bytes. */
3390 else
3392 }
3393 else
3396 /* Format the value or range to avoid an explosion of messages. */
3400 {
3403 {
3406 }
3407 else
3408 {
3414 }
3416 }
3417 else
3420 /* Set if a warning has been issued for the current argument. */
3427 {
3428 /* Warn about negative sizes. */
3430 {
3435 "bound argument %i value %s is "
3436 "negative for a variable length array "
3441 }
3448 {
3450 /* Remember a warning has been issued and avoid warning
3451 again below for the same attribute. */
3454 }
3455 }
3457 /* The size of the access by the call in bytes. */
3460 {
3462 {
3463 /* Multiply ACCESS_SIZE by the size of the type the pointer
3464 argument points to. If it's incomplete the size is used
3465 as is. */
3468 {
3473 }
3474 }
3475 else
3477 }
3480 {
3482 {
3483 /* Warn about null pointers with positive sizes. This is
3484 different from also declaring the pointer argument with
3485 attribute nonnull when the function accepts null pointers
3486 only when the corresponding size is zero. */
3488 {
3493 "argument %i of variable length "
3494 "array %s is null but "
3495 "the corresponding bound argument "
3500 }
3502 "argument %i is null but "
3503 "the corresponding size argument "
3507 }
3509 {
3510 /* Warn about null pointers for [static N] array arguments
3511 but do not warn for ordinary (i.e., nonstatic) arrays. */
3513 "argument %i to %<%T[static %E]%> "
3517 }
3520 {
3522 /* Remember a warning has been issued and avoid warning
3523 again below for the same attribute. */
3526 }
3527 }
3535 /* The size of the destination or source object. */
3539 {
3540 /* For a read-only argument there is no destination. For
3541 no access, set the source as well and differentiate via
3542 the access flag below. */
3546 {
3547 /* For a read-only attribute there is no destination so
3548 clear OBJSIZE. This emits "reading N bytes" kind of
3549 diagnostics instead of the "writing N bytes" kind,
3550 unless MODE is none. */
3552 }
3553 }
3554 else
3557 /* Clear the no-warning bit in case it was set by check_access
3558 in a prior iteration so that accesses via different arguments
3559 are diagnosed. */
3570 {
3572 {
3578 }
3579 else
3580 /* If check_access issued a warning above, append the relevant
3581 attribute to the string. */
3583 }
3584 }
3587 {
3592 else
3596 }
3598 {
3602 else
3605 }
3607 /* Set the bit in case it was cleared and not set above. */
3610 }
3612 /* Check call STMT to an ordinary (non-built-in) function for invalid
3613 accesses. Return true if a call has been handled. */
3615 bool
3617 {
3626 /* Map of attribute access specifications for function arguments. */
3627 rdwr_map rdwr_idx;
3632 {
3635 /* Save the actual argument that corresponds to the access attribute
3636 operand for later processing. */
3638 {
3640 {
3642 /* A nonnull ACCESS->SIZE contains VLA bounds. */
3643 }
3644 else
3645 {
3648 }
3649 }
3650 }
3652 /* Check attribute access arguments. */
3658 }
3660 /* Check arguments in a call STMT for attribute nonstring. */
3662 static void
3664 {
3667 /* Detect passing non-string arguments to functions expecting
3668 nul-terminated strings. */
3670 }
3672 /* Issue a warning if a deallocation function such as free, realloc,
3673 or C++ operator delete is called with an argument not returned by
3674 a matching allocation function such as malloc or the corresponding
3675 form of C++ operator new. */
3677 void
3679 {
3692 access_ref aref;
3704 {
3705 /* Diagnose freeing a declared object. */
3707 {
3708 auto_diagnostic_group d;
3712 {
3715 }
3716 }
3718 /* Diagnose freeing a pointer that includes a positive offset.
3719 Such a pointer cannot refer to the beginning of an allocated
3720 object. A negative offset may refer to it. */
3724 }
3726 {
3727 auto_diagnostic_group d;
3729 "%qD called on a pointer to an unallocated "
3731 {
3733 {
3736 {
3739 }
3740 }
3742 }
3743 }
3745 {
3746 /* Also warn if the pointer argument refers to the result
3747 of an allocation call like alloca or VLA. */
3753 {
3756 {
3758 {
3761 }
3762 else
3763 {
3768 ? OPT_Wmismatched_new_delete
3771 "%qD called on pointer returned "
3772 "from a mismatched allocation "
3774 }
3775 }
3778 BUILT_IN_ALLOCA_WITH_ALIGN))
3780 "%qD called on pointer to "
3782 dealloc_decl);
3787 {
3792 }
3793 }
3795 {
3797 /* Diagnose freeing a pointer that includes a positive offset. */
3804 }
3805 }
3806 }
3808 /* Return true if either USE_STMT's basic block (that of a pointer's use)
3809 is dominated by INVAL_STMT's (that of a pointer's invalidating statement,
3810 which is either a clobber or a deallocation call), or if they're in
3811 the same block, USE_STMT follows INVAL_STMT. */
3813 bool
3816 {
3817 tree clobvar =
3827 {
3834 /* Proceed only when looking for uses of dangling pointers. */
3837 /* A use statement in the last basic block in a function or one that
3838 falls through to it is after any other prior clobber of the used
3839 variable unless it's followed by a clobber of the same variable. */
3845 {
3847 {
3850 {
3852 /* The use is followed by a clobber. */
3854 }
3855 }
3859 }
3861 /* The use is one of a dangling pointer if a clobber of the variable
3862 [the pointer points to] has not been found before the function exit
3863 point. */
3865 }
3868 /* The first time this basic block is visited assign increasing ids
3869 to consecutive statements in it. Use the ids to determine which
3870 precedes which. This avoids the linear traversal on subsequent
3871 visits to the same block. */
3875 }
3877 /* Issue a warning for the USE_STMT of pointer or reference REF rendered
3878 invalid by INVAL_STMT. REF may be null when it's been optimized away.
3879 When nonnull, INVAL_STMT is the deallocation function that rendered
3880 the pointer or reference dangling. Otherwise, VAR is the auto variable
3881 (including an unnamed temporary such as a compound literal) whose
3882 lifetime's rended it dangling. MAYBE is true to issue the "maybe"
3883 kind of warning. EQUALITY is true when the pointer is used in
3884 an equality expression. */
3886 void
3890 {
3891 /* Avoid printing the unhelpful "<unknown>" in the diagnostics. */
3893 {
3897 /* Don't warn for cases like when a cdtor returns 'this' on ARM. */
3902 }
3906 {
3909 /* Avoid issuing a warning with no context other than
3910 the function. That would make it difficult to debug
3911 in any but very simple cases. */
3913 }
3916 {
3925 auto_diagnostic_group d;
3927 (maybe
3932 (maybe
3935 inval_decl)))
3936 {
3940 }
3942 }
3950 {
3951 auto_diagnostic_group d;
3954 (maybe
3958 || (!ref
3960 (maybe
3963 var)))
3968 }
3972 (maybe
3977 ref))
3978 || (!ref
3980 (maybe
3985 {
3989 }
3990 }
3992 /* If STMT is a call to either the standard realloc or to a user-defined
3993 reallocation function returns its LHS and set *PTR to the reallocated
3994 pointer. Otherwise return null. */
3996 static tree
3998 {
4000 {
4003 }
4013 else
4014 {
4019 }
4026 {
4036 {
4042 }
4043 }
4046 }
4048 /* Warn if STMT is a call to a deallocation function that's not a match
4049 for the REALLOC_STMT call. Return true if warned. */
4051 static bool
4053 {
4068 /* Avoid printing the unhelpful "<unknown>" in the diagnostics. */
4077 "%qD called on pointer %qE passed to mismatched "
4082 "%qD called on a pointer passed to mismatched "
4090 }
4092 /* Return true if P and Q point to the same object, and false if they
4093 either don't or their relationship cannot be determined. */
4095 static bool
4098 {
4102 /* TODO: Work harder to rule out relatedness. */
4106 /* GET_REF() only rarely fails. When it does, it's likely because
4107 it involves a self-referential PHI. Return a conservative result. */
4113 /* If either pointer is a PHI, iterate over all its operands and
4114 return true if they're all related to the other pointer. */
4120 else
4121 {
4128 }
4135 {
4139 }
4142 }
4144 /* Convenience wrapper for the above. */
4146 static bool
4148 {
4149 auto_bitmap visited;
4151 }
4153 /* For a STMT either a call to a deallocation function or a clobber, warn
4154 for uses of the pointer PTR it was called with (including its copies
4155 or others derived from it by pointer arithmetic). If STMT is a clobber,
4156 VAR is the decl of the clobbered variable. When MAYBE is true use
4157 a "maybe" form of diagnostic. */
4159 void
4163 {
4169 /* If STMT is a reallocation function set to the reallocated pointer
4170 and the LHS of the call, respectively. */
4174 auto_bitmap visited;
4179 /* Starting with PTR, iterate over POINTERS added by the loop, and
4180 either warn for their uses in basic blocks dominated by the STMT
4181 or in statements that follow it in the same basic block, or add
4182 them to POINTERS if they point into the same object as PTR (i.e.,
4183 are obtained by pointer arithmetic on PTR). */
4185 {
4188 /* Avoid revisiting the same pointer. */
4191 use_operand_p use_p;
4192 imm_use_iterator iter;
4194 {
4199 /* A clobber isn't a use. */
4204 {
4205 /* Check to see if USE_STMT is a mismatched deallocation
4206 call for the pointer passed to realloc. That's a bug
4207 regardless of the pointer's value and so warn. */
4211 /* Pointers passed to realloc that are used in basic blocks
4212 where the realloc call is known to have failed are valid.
4213 Ignore pointers that nothing is known about. Those could
4214 have escaped along with their nullness. */
4215 value_range vr;
4217 {
4223 }
4224 }
4228 /* Avoid interfering with -Wreturn-local-addr (which runs only
4229 with optimization enabled so it won't diagnose cases that
4230 would be caught here when optimization is disabled). */
4235 {
4238 }
4240 {
4243 }
4245 {
4246 /* Only add a PHI result to POINTERS if all its
4247 operands are related to PTR, otherwise continue. */
4253 {
4256 }
4257 }
4259 /* Warn if USE_STMT is dominated by the deallocation STMT.
4260 Otherwise, add the pointer to POINTERS so that the uses
4261 of any other pointers derived from it can be checked. */
4263 {
4265 bool this_maybe
4266 = (maybe
4271 }
4274 {
4277 {
4281 }
4283 }
4286 {
4292 }
4293 }
4294 }
4295 }
4297 /* Check call STMT for invalid accesses. */
4299 void
4301 {
4302 /* Skip special calls generated by the compiler. */
4306 /* .ASAN_MARK doesn't access any vars, only modifies shadow memory. */
4315 {
4316 /* Check for uses of the pointer passed to either a standard
4317 or a user-defined deallocation function. */
4320 {
4324 }
4325 }
4335 }
4337 /* Check non-call STMT for invalid accesses. */
4339 void
4341 {
4344 {
4345 /* Ignore clobber statements in blocks with exceptional edges. */
4354 }
4357 {
4358 /* Clobbered unnamed temporaries such as compound literals can be
4359 revived. Check for an assignment to one and remove it from
4360 M_CLOBBERS. */
4368 }
4371 {
4373 /* Avoid interfering with -Wreturn-local-addr (which runs only
4374 with optimization enabled). */
4396 }
4397 }
4399 /* Check basic block BB for invalid accesses. */
4401 void
4403 {
4404 /* Iterate over statements, looking for function calls. */
4407 {
4411 else
4413 }
4414 }
4416 /* Return the argument that the call STMT to a built-in function returns
4417 (including with an offset) or null if it doesn't. */
4419 tree
4421 {
4422 /* Check for attribute fn spec to see if the function returns one
4423 of its arguments. */
4427 {
4436 {
4452 }
4453 }
4459 }
4461 /* Check for and diagnose all uses of the dangling pointer VAR to the auto
4462 object DECL whose lifetime has ended. OBJREF is true when VAR denotes
4463 an access to a DECL that may have been clobbered. */
4465 void
4468 {
4477 {
4480 }
4490 }
4492 /* Diagnose stores in BB and (recursively) its predecessors of the addresses
4493 of local variables into nonlocal pointers that are left dangling after
4494 the function returns. BBS is a bitmap of basic blocks visited. */
4496 void
4500 {
4502 /* Avoid cycles. */
4505 /* Iterate backwards over the statements looking for a store of
4506 the address of a local variable into a nonlocal pointer. */
4508 {
4518 /* Avoid looking before nonconst, nonpure calls since those might
4519 use the escaped locals. */
4526 access_ref lhs_ref;
4535 {
4539 }
4541 {
4544 /* Avoid looking at or before stores into unknown objects. */
4549 /* Avoid by-value arguments transformed into by-reference. */
4552 }
4554 {
4557 {
4561 }
4562 }
4563 else
4569 /* FIXME: Handle stores of alloca() and VLA. */
4570 access_ref rhs_ref;
4579 auto_diagnostic_group d;
4584 {
4597 }
4598 }
4600 edge e;
4601 edge_iterator ei;
4603 {
4606 }
4607 }
4609 /* Diagnose stores of the addresses of local variables into nonlocal
4610 pointers that are left dangling after the function returns. */
4612 void
4614 {
4615 auto_bitmap bbs;
4618 }
4620 /* Check for and diagnose uses of dangling pointers to auto objects
4621 whose lifetime has ended. */
4623 void
4625 {
4626 tree var;
4629 {
4630 /* For each SSA_NAME pointer VAR find the object it points to.
4631 If the object is a clobbered local variable, check to see
4632 if any of VAR's uses (or those of other pointers derived
4633 from VAR) happens after the clobber. If so, warn. */
4637 {
4640 {
4644 }
4645 else
4646 {
4647 /* For other expressions, check the base DECL to see
4648 if it's been clobbered, most likely as a result of
4649 inlining a reference to it. */
4653 }
4654 }
4656 {
4658 {
4660 {
4661 access_ref aref;
4665 }
4666 }
4668 {
4671 {
4672 access_ref aref;
4677 }
4678 }
4679 }
4680 }
4681 }
4683 /* Check CALL arguments for dangling pointers (those that have been
4684 clobbered) and warn if found. */
4686 void
4688 {
4691 {
4708 }
4709 }
4711 /* Check function FUN for invalid accesses. */
4713 unsigned
4715 {
4719 /* Set or clear EDGE_DFS_BACK bits on back edges. */
4722 /* Create a new ranger instance and associate it with FUN. */
4726 /* Check for dangling pointers in the earliest run of the pass.
4727 The latest point -Wdangling-pointer should run is just before
4728 loop unrolling which introduces uses after clobbers. Most cases
4729 can be detected without optimization; cases where the address of
4730 the local variable is passed to and then returned from a user-
4731 defined function before its lifetime ends and the returned pointer
4732 becomes dangling depend on inlining. */
4740 basic_block bb;
4745 {
4748 }
4755 /* Release the ranger instance and replace it with a global ranger.
4756 Also reset the pointer since calling disable_ranger() deletes it. */
4766 }
4770 /* Return a new instance of the pass. */
4772 gimple_opt_pass *
4774 {
4776 }