| blob | f5fad5b2e4704cd245947004a1cd28d7a59ea6eb |
1 /* The analysis "engine".
2 Copyright (C) 2019-2024 Free Software Foundation, Inc.
3 Contributed by David Malcolm <dmalcolm@redhat.com>.
5 This file is part of GCC.
7 GCC is free software; you can redistribute it and/or modify it
8 under the terms of the GNU General Public License as published by
9 the Free Software Foundation; either version 3, or (at your option)
10 any later version.
12 GCC is distributed in the hope that it will be useful, but
13 WITHOUT ANY WARRANTY; without even the implied warranty of
14 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
15 General Public License for more details.
17 You should have received a copy of the GNU General Public License
18 along with GCC; see the file COPYING3. If not see
19 <http://www.gnu.org/licenses/>. */
22 #define INCLUDE_MEMORY
23 #define INCLUDE_VECTOR
63 #include <zlib.h>
66 #include <memory>
74 /* For an overview, see gcc/doc/analyzer.texi. */
76 #if ENABLE_ANALYZER
80 /* class impl_region_model_context : public region_model_context. */
102 {
103 }
119 {
120 }
122 bool
125 {
129 {
133 }
135 {
139 m_stmt,
140 curr_stmt_finder);
143 {
145 && terminate_path
149 }
150 }
152 }
154 void
156 {
160 }
162 void
164 {
168 }
170 void
173 {
176 }
178 void
182 {
185 }
187 void
190 {
195 }
197 void
199 {
201 }
203 uncertainty_t *
205 {
207 }
209 /* Purge state involving SVAL. The region_model has already been purged,
210 so we only need to purge other state in the program_state:
211 the sm-state. */
213 void
215 {
220 }
222 void
224 {
227 }
229 void
231 {
234 }
236 /* struct setjmp_record. */
238 int
240 {
245 }
247 /* class setjmp_svalue : public svalue. */
249 /* Implementation of svalue::accept vfunc for setjmp_svalue. */
251 void
253 {
255 }
257 /* Implementation of svalue::dump_to_pp vfunc for setjmp_svalue. */
259 void
261 {
264 else
266 }
268 /* Implementation of svalue::print_dump_widget_label vfunc for
269 setjmp_svalue. */
271 void
273 {
275 }
277 /* Implementation of svalue::add_dump_widget_children vfunc for
278 setjmp_svalue. */
280 void
284 {
285 /* No children. */
286 }
288 /* Get the index of the stored exploded_node. */
290 int
292 {
294 }
296 /* Concrete implementation of sm_context, wiring it up to the rest of this
297 file. */
300 {
321 {
322 }
327 {
328 impl_region_model_context old_ctxt
333 }
336 tree var) final override
337 {
340 /* Use NULL ctxt on this get_rvalue call to avoid triggering
341 uninitialized value warnings. */
348 }
351 {
357 }
361 tree var,
363 tree origin) final override
364 {
372 /* We use the new sval here to avoid issues with uninitialized values. */
378 var,
383 }
388 tree origin) final override
389 {
392 impl_region_model_context old_ctxt
402 {
411 }
414 }
417 tree var,
419 {
425 = (var
434 && terminate_path
437 }
442 {
446 = (sval
455 && terminate_path
458 }
460 /* Hook for picking more readable trees for SSA names of temporaries,
461 so that rather than e.g.
462 "double-free of '<unknown>'"
463 we can print:
464 "double-free of 'inbuf.data'". */
467 {
468 /* Only for SSA_NAMEs of temporaries; otherwise, return EXPR, as it's
469 likely to be the least surprising tree to report. */
477 /* Find trees for all regions storing the value. */
480 else
482 }
485 {
487 }
490 {
492 }
495 {
497 }
500 {
502 }
505 {
508 m_sm_idx);
509 }
512 {
516 impl_region_model_context old_ctxt
525 }
528 {
530 }
533 {
535 }
538 {
540 }
543 {
545 }
547 log_user m_logger;
557 /* Are we handling an external function with unknown side effects? */
559 };
561 bool
568 {
584 {
586 *out_sm_context
588 sm_idx,
590 m_enode_for_diag,
591 m_old_state,
592 m_new_state,
593 old_smap,
594 new_smap,
595 m_path_ctxt,
596 m_stmt_finder,
598 }
600 }
602 /* Subclass of stmt_finder for finding the best stmt to report the leak at,
603 given the emission path. */
606 {
612 {
614 }
617 final override
618 {
623 {
624 /* Locate the final write to this SSA name in the path. */
632 /* What was the next write to the underlying var
633 after the SSA name was set? (if any). */
638 {
642 idx,
651 {
656 }
657 }
658 }
660 not_found:
662 /* Look backwards for the first statement with a location. */
666 {
669 i,
678 }
682 }
685 {
686 /* No-op. */
687 }
691 tree m_var;
692 };
694 /* A measurement of how good EXPR is for presenting to the user, so
695 that e.g. we can say prefer printing
696 "leak of 'tmp.m_ptr'"
697 over:
698 "leak of '<unknown>'". */
700 static int
702 {
703 /* Arbitrarily-chosen "high readability" value. */
708 {
711 /* Impose a slight readability penalty relative to that of
712 operand 0. */
716 {
718 {
720 {
721 /* If we have an SSA name for an artificial var,
722 only use it if it has a debug expr associated with
723 it that fixup_tree_for_diagnostic can use. */
726 }
727 else
728 {
729 /* Slightly favor the underlying var over the SSA name to
730 avoid having them compare equal. */
732 }
733 }
734 /* Avoid printing '<unknown>' for SSA names for temporaries. */
736 }
743 else
744 /* We don't want to print temporaries. For example, the C FE
745 prints them as e.g. "<Uxxxx>" where "xxxx" is the low 16 bits
746 of the tree pointer (see pp_c_tree_decl_identifier). */
750 /* Printing "<return-value>" isn't ideal, but is less awful than
751 trying to print a temporary. */
755 {
756 /* Impose a moderate readability penalty for casts. */
759 }
766 }
769 }
771 /* A qsort comparator for trees to sort them into most user-readable to
772 least user-readable. */
774 int
776 {
783 /* Favor items that are deeper on the stack and hence more recent;
784 this also favors locals over globals. */
789 /* Combine the scores from the tree and from the stack depth.
790 This e.g. lets us have a slightly penalized cast in the most
791 recent stack frame "beat" an uncast value in an older stack frame. */
797 /* Otherwise, more readable trees win. */
801 /* Otherwise, if they have the same readability, then impose an
802 arbitrary deterministic ordering on them. */
808 {
822 }
824 /* TODO: We ought to find ways of sorting such cases. */
826 }
828 /* Return true is SNODE is the EXIT node of a function, or is one
829 of the final snodes within its function.
831 Specifically, handle the final supernodes before the EXIT node,
832 for the case of clobbers that happen immediately before exiting.
833 We need a run of snodes leading to the return_p snode, where all edges are
834 intraprocedural, and every snode has just one successor.
836 We use this when suppressing leak reports at the end of "main". */
838 static bool
840 {
847 {
857 /* Impose a limit to ensure we terminate for pathological cases.
859 We only care about the final 3 nodes, due to cases like:
860 BB:
861 (clobber causing leak)
863 BB:
864 <label>:
865 return _val;
867 EXIT BB.*/
870 }
871 }
873 /* Find the best tree for SVAL and call SM's on_leak vfunc with it.
874 If on_leak returns a pending_diagnostic, queue it up to be reported,
875 so that we potentially complain about a leak of SVAL in the given STATE. */
877 void
881 {
885 {
890 }
895 /* m_old_state also needs to be non-NULL so that the sm_ctxt can look
896 up the old state of SVAL. */
899 /* SVAL has leaked within the new state: it is not used by any reachable
900 regions.
901 We need to convert it back to a tree, but since it's likely no regions
902 use it, we have to find the "best" tree for it in the old_state. */
903 svalue_set visited;
904 path_var leaked_pv
909 /* Strip off top-level casts */
913 /* This might be NULL; the pending_diagnostic subclasses need to cope
914 with this. */
917 {
920 else
922 }
927 /* Don't complain about leaks when returning from "main". */
929 {
932 {
936 }
937 }
942 {
945 m_stmt,
950 }
951 }
953 /* Implementation of region_model_context::on_condition vfunc.
954 Notify all state machines about the condition, which could lead to
955 state transitions. */
957 void
961 {
965 {
971 m_path_ctxt);
973 (m_enode_for_diag
976 m_stmt,
978 }
979 }
981 /* Implementation of region_model_context::on_bounded_ranges vfunc.
982 Notify all state machines about the ranges, which could lead to
983 state transitions. */
985 void
988 {
992 {
998 m_path_ctxt);
1000 (m_enode_for_diag
1004 }
1005 }
1007 /* Implementation of region_model_context::on_pop_frame vfunc.
1008 Notify all state machines about the frame being popped, which
1009 could lead to states being discarded. */
1011 void
1013 {
1017 {
1020 }
1021 }
1023 /* Implementation of region_model_context::on_phi vfunc.
1024 Notify all state machines about the phi, which could lead to
1025 state transitions. */
1027 void
1029 {
1033 {
1039 m_path_ctxt);
1041 }
1042 }
1044 /* Implementation of region_model_context::on_unexpected_tree_code vfunc.
1045 Mark the new state as being invalid for further exploration.
1046 TODO(stage1): introduce a warning for when this occurs. */
1048 void
1051 {
1061 }
1063 /* Implementation of region_model_context::maybe_did_work vfunc.
1064 Mark that "externally visible work" has occurred, and thus we
1065 shouldn't report an infinite loop here. */
1067 void
1069 {
1072 }
1074 /* struct point_and_state. */
1076 /* Assert that this object is sane. */
1078 void
1080 {
1081 /* Skip this in a release build. */
1082 #if !CHECKING_P
1084 #endif
1090 /* Verify that the callstring's model of the stack corresponds to that
1091 of the region_model. */
1092 /* They should have the same depth. */
1095 /* Check the functions in the callstring vs those in the frames
1096 at each depth. */
1100 {
1104 }
1105 }
1107 /* Subroutine of print_enode_indices: print a run of indices from START_IDX
1108 to END_IDX to PP, using and updating *FIRST_RUN. */
1110 static void
1113 {
1119 else
1121 }
1123 /* Print the indices within ENODES to PP, collecting them as
1124 runs/singletons e.g. "EN: 4-7, EN: 20-23, EN: 42". */
1126 static void
1129 {
1136 {
1138 {
1141 }
1142 else
1143 {
1145 /* Continuation of a run. */
1147 else
1148 {
1149 /* Finish existing run, start a new one. */
1155 }
1156 }
1157 }
1158 /* Finish any existing run. */
1160 {
1164 }
1165 }
1167 /* struct eg_traits::dump_args_t. */
1169 /* The <FILENAME>.eg.dot output can quickly become unwieldy if we show
1170 full details for all enodes (both in terms of CPU time to render it,
1171 and in terms of being meaningful to a human viewing it).
1173 If we show just the IDs then the resulting graph is usually viewable,
1174 but then we have to keep switching back and forth between the .dot
1175 view and other dumps.
1177 This function implements a heuristic for showing detail at the enodes
1178 that (we hope) matter, and just the ID at other enodes, fixing the CPU
1179 usage of the .dot viewer, and drawing the attention of the viewer
1180 to these enodes.
1182 Return true if ENODE should be shown in detail in .dot output.
1183 Return false if no detail should be shown for ENODE. */
1185 bool
1187 {
1188 /* If the number of exploded nodes isn't too large, we may as well show
1189 all enodes in full detail in the .dot output. */
1194 /* Otherwise, assume that what's most interesting are state explosions,
1195 and thus the places where this happened.
1196 Expand enodes at program points where we hit the per-enode limit, so we
1197 can investigate what exploded. */
1201 }
1203 /* class exploded_node : public dnode<eg_traits>. */
1207 {
1209 {
1215 }
1216 }
1218 /* exploded_node's ctor. */
1224 {
1226 }
1228 /* Get the stmt that was processed in this enode at index IDX.
1229 IDX is an index within the stmts processed at this enode, rather
1230 than within those of the supernode. */
1234 {
1243 }
1245 /* For use by dump_dot, get a value for the .dot "fillcolor" attribute.
1246 Colorize by sm-state, to make it easier to see how sm-state propagates
1247 through the exploded_graph. */
1251 {
1254 /* We want to be able to easily distinguish the no-sm-state case,
1255 and to be able to distinguish cases where there's a single state
1256 from each other.
1258 Sum the sm_states, and use the result to choose from a table,
1259 modulo table-size, special-casing the "no sm-state" case. */
1264 {
1270 }
1273 {
1274 /* An arbitrarily-picked collection of light colors. */
1281 }
1282 else
1283 /* No sm-state. */
1285 }
1287 /* Implementation of dnode::dump_dot vfunc for exploded_node. */
1289 void
1291 {
1307 {
1318 }
1328 /* It can be hard to locate the saved diagnostics as text within the
1329 enode nodes, so add extra nodes to the graph for each saved_diagnostic,
1330 highlighted in red.
1331 Compare with dump_saved_diagnostics. */
1332 {
1336 {
1339 /* Add edge connecting this enode to the saved_diagnostic. */
1345 }
1346 }
1349 }
1351 /* Show any stmts that were processed within this enode,
1352 and their index within the supernode. */
1353 void
1355 {
1357 {
1366 {
1372 }
1373 }
1374 }
1376 /* Dump any saved_diagnostics at this enode to PP. */
1378 void
1380 {
1384 {
1388 }
1389 }
1391 /* Dump this to PP in a form suitable for use as an id in .dot output. */
1393 void
1395 {
1397 }
1399 /* Dump a multiline representation of this node to PP. */
1401 void
1404 {
1414 }
1416 /* Dump a multiline representation of this node to FILE. */
1418 void
1421 {
1422 pretty_printer pp;
1428 }
1430 /* Dump a multiline representation of this node to stderr. */
1432 DEBUG_FUNCTION void
1434 {
1436 }
1438 /* Return a new json::object of the form
1439 {"point" : object for program_point,
1440 "state" : object for program_state,
1441 "status" : str,
1442 "idx" : int,
1443 "processed_stmts" : int}. */
1447 {
1458 }
1462 /* Return true if FNDECL has a gimple body. */
1463 // TODO: is there a pre-canned way to do this?
1465 bool
1467 {
1476 }
1480 /* Modify STATE in place, applying the effects of the stmt at this node's
1481 point. */
1491 {
1495 {
1499 }
1501 /* Update input_location in case of ICE: make it easier to track down which
1502 source construct we're failing to handle. */
1507 /* Preserve the old state. It is used here for looking
1508 up old checker states, for determining state transitions, and
1509 also within impl_region_model_context and impl_sm_context for
1510 going from tree to svalue_id. */
1516 out_could_have_done_work);
1518 /* Handle call summaries here. */
1522 {
1524 per_function_data *called_fn_data
1527 {
1530 snode,
1532 state,
1533 path_ctxt,
1537 }
1538 }
1552 {
1559 unknown_side_effects);
1561 /* Allow the state_machine to handle the stmt. */
1564 }
1572 }
1574 /* Handle the pre-sm-state part of STMT, modifying STATE in-place.
1575 Write true to *OUT_TERMINATE_PATH if the path should be terminated.
1576 Write true to *OUT_UNKNOWN_SIDE_EFFECTS if the stmt has unknown
1577 side effects. */
1579 void
1586 {
1587 /* Handle special-case calls that require the full program_state. */
1589 {
1591 {
1592 /* Handle the builtin "__analyzer_dump" by dumping state
1593 to stderr. */
1596 }
1598 {
1600 ctxt);
1602 }
1604 {
1609 }
1611 {
1617 }
1618 }
1620 /* Otherwise, defer to m_region_model. */
1622 out_unknown_side_effects,
1623 ctxt);
1624 }
1626 /* Handle the post-sm-state part of STMT, modifying STATE in-place. */
1628 void
1633 {
1636 }
1638 /* A concrete call_info subclass representing a replay of a call summary. */
1641 {
1651 {}
1656 {
1657 /* Update STATE based on summary_end_state. */
1662 }
1667 {
1668 /* Update STATE based on summary_end_state. */
1674 }
1677 {
1679 }
1685 };
1687 /* Use PATH_CTXT to bifurcate, which when handled will add custom edges
1688 for a replay of the various feasible summaries in CALLED_FN_DATA. */
1699 {
1703 /* Each summary will call bifurcate on the PATH_CTXT. */
1710 }
1712 /* Use PATH_CTXT to bifurcate, which when handled will add a
1713 custom edge for a replay of SUMMARY, if the summary's
1714 conditions are feasible based on the current state. */
1716 void
1725 {
1741 {
1753 }
1762 called_fn,
1763 summary,
1764 ext_state));
1765 }
1768 /* Consider the effect of following superedge SUCC from this node.
1770 Return true if it's feasible to follow the edge, or false
1771 if it's infeasible.
1773 Examples: if it's the "true" branch within
1774 a CFG and we know the conditional is false, we know it's infeasible.
1775 If it's one of multiple interprocedual "return" edges, then only
1776 the edge back to the most recent callsite is feasible.
1778 Update NEXT_STATE accordingly (e.g. to record that a condition was
1779 true or false, or that the NULL-ness of a pointer has been checked,
1780 pushing/popping stack frames, etc).
1782 Update NEXT_POINT accordingly (updating the call string). */
1784 bool
1790 {
1800 }
1802 /* Verify that the stack at LONGJMP_POINT is still valid, given a call
1803 to "setjmp" at SETJMP_POINT - the stack frame that "setjmp" was
1804 called in must still be valid.
1806 Caveat: this merely checks the call_strings in the points; it doesn't
1807 detect the case where a frame returns and is then called again. */
1809 static bool
1812 {
1819 /* Check that the call strings match, up to the depth of the
1820 setjmp point. */
1826 }
1828 /* A pending_diagnostic subclass for complaining about bad longjmps,
1829 where the enclosing function of the "setjmp" has returned (and thus
1830 the stack frame no longer exists). */
1833 {
1839 {}
1842 {
1844 }
1847 {
1851 }
1857 {
1860 }
1862 bool
1865 final override
1866 {
1867 /* Detect exactly when the stack first becomes invalid,
1868 and issue an event then. */
1877 {
1878 /* Compare with diagnostic_manager::add_events_for_superedge. */
1883 src_stack_depth),
1885 emission_path->add_event
1888 }
1890 }
1893 {
1900 else
1905 }
1911 program_point m_setjmp_point;
1913 };
1915 /* Handle LONGJMP_CALL, a call to longjmp or siglongjmp.
1917 Attempt to locate where setjmp/sigsetjmp was called on the jmp_buf and build
1918 an exploded_node and exploded_edge to it representing a rewind to that frame,
1919 handling the various kinds of failure that can occur. */
1921 void
1926 {
1933 ctxt);
1944 /* Build a custom enode and eedge for rewinding from the longjmp/siglongjmp
1945 call back to the setjmp/sigsetjmp. */
1953 /* Verify that the setjmp's call_stack hasn't been popped. */
1955 {
1957 longjmp_call,
1958 setjmp_point));
1960 }
1965 /* Update the state for use by the destination node. */
1967 /* Stash the current number of diagnostics so that we can update
1968 any that this adds to show where the longjmp is rewinding to. */
1976 /* Detect leaks in the new state relative to the old state. */
1980 program_point next_point
1984 exploded_node *next
1987 /* Create custom exploded_edge for a longjmp. */
1989 {
1990 exploded_edge *eedge
1993 longjmp_call));
1995 /* For any diagnostics that were queued here (such as leaks) we want
1996 the checker_path to show the rewinding events after the "final event"
1997 so that the user sees where the longjmp is rewinding to (otherwise the
1998 path is meaningless).
2000 For example, we want to emit something like:
2001 | NN | {
2002 | NN | longjmp (env, 1);
2003 | | ~~~~~~~~~~~~~~~~
2004 | | |
2005 | | (10) 'ptr' leaks here; was allocated at (7)
2006 | | (11) rewinding from 'longjmp' in 'inner'...
2007 |
2008 <-------------+
2009 |
2010 'outer': event 12
2011 |
2012 | NN | i = setjmp(env);
2013 | | ^~~~~~
2014 | | |
2015 | | (12) ...to 'setjmp' in 'outer' (saved at (2))
2017 where the "final" event above is event (10), but we want to append
2018 events (11) and (12) afterwards.
2020 Do this by setting m_trailing_eedge on any diagnostics that were
2021 just saved. */
2024 {
2027 }
2028 }
2029 }
2031 /* Subroutine of exploded_graph::process_node for finding the successors
2032 of the supernode for a function exit basic block.
2034 Ensure that pop_frame is called, potentially queuing diagnostics about
2035 leaks. */
2037 void
2039 {
2044 /* If we're not a "top-level" function, do nothing; pop_frame
2045 will be called when handling the return superedge. */
2049 /* We have a "top-level" function. */
2054 /* Work with a temporary copy of the state: pop the frame, and see
2055 what leaks (via purge_unused_svalues). */
2060 uncertainty_t uncertainty;
2068 }
2070 /* Dump the successors and predecessors of this enode to OUTF. */
2072 void
2074 {
2077 {
2081 pretty_printer pp;
2085 }
2086 {
2090 pretty_printer pp;
2094 }
2095 }
2097 /* class dynamic_call_info_t : public custom_edge_info. */
2099 /* Implementation of custom_edge_info::update_model vfunc
2100 for dynamic_call_info_t.
2102 Update state for a dynamically discovered call (or return), by pushing
2103 or popping the a frame for the appropriate function. */
2105 bool
2109 {
2113 else
2114 {
2117 }
2119 }
2121 /* Implementation of custom_edge_info::add_events_to_path vfunc
2122 for dynamic_call_info_t. */
2124 void
2127 {
2136 emission_path->add_event
2142 dest_stack_depth)));
2143 else
2144 emission_path->add_event
2150 src_stack_depth)));
2151 }
2153 /* class rewind_info_t : public custom_edge_info. */
2155 /* Implementation of custom_edge_info::update_model vfunc
2156 for rewind_info_t.
2158 Update state for the special-case of a rewind of a longjmp
2159 to a setjmp (which doesn't have a superedge, but does affect
2160 state). */
2162 bool
2166 {
2178 }
2180 /* Implementation of custom_edge_info::add_events_to_path vfunc
2181 for rewind_info_t. */
2183 void
2186 {
2194 emission_path->add_event
2199 src_stack_depth),
2201 emission_path->add_event
2206 dst_stack_depth),
2208 }
2210 /* class exploded_edge : public dedge<eg_traits>. */
2212 /* exploded_edge's ctor. */
2220 {
2221 }
2223 /* Implementation of dedge::dump_dot vfunc for exploded_edge.
2224 Use the label of the underlying superedge, if any. */
2226 void
2228 {
2235 }
2237 /* Second half of exploded_edge::dump_dot. This is split out
2238 for use by trimmed_graph::dump_dot and base_feasible_edge::dump_dot. */
2240 void
2242 {
2250 {
2257 //constraint = "false";
2261 //constraint = "false";
2266 }
2268 {
2271 }
2286 //pp_write_text_as_dot_label_to_stream (pp, /*for_record=*/false);
2289 }
2291 /* Return a new json::object of the form
2292 {"src_idx": int, the index of the source exploded edge,
2293 "dst_idx": int, the index of the destination exploded edge,
2294 "sedge": (optional) object for the superedge, if any,
2295 "custom": (optional) str, a description, if this is a custom edge}. */
2299 {
2306 {
2307 pretty_printer pp;
2311 }
2313 }
2315 /* struct stats. */
2317 /* stats' ctor. */
2323 {
2326 }
2328 /* Log these stats in multiline form to LOGGER. */
2330 void
2332 {
2341 m_node_reuse_after_merge_count);
2342 }
2344 /* Dump these stats in multiline form to OUT. */
2346 void
2348 {
2356 m_node_reuse_after_merge_count);
2361 }
2363 /* Return the total number of enodes recorded within this object. */
2365 int
2367 {
2372 }
2374 /* struct per_function_data. */
2377 {
2380 }
2382 void
2384 {
2386 }
2388 /* strongly_connected_components's ctor. Tarjan's SCC algorithm. */
2393 {
2406 }
2408 /* Dump this object to stderr. */
2410 DEBUG_FUNCTION void
2412 {
2414 {
2418 }
2419 }
2421 /* Return a new json::array of per-snode SCC ids. */
2425 {
2430 }
2432 /* Subroutine of strongly_connected_components's ctor, part of Tarjan's
2433 SCC algorithm. */
2435 void
2437 {
2440 /* Set the depth index for v to the smallest unused index. */
2446 index++;
2448 /* Consider successors of v. */
2452 {
2459 {
2460 /* Successor w has not yet been visited; recurse on it. */
2463 }
2465 {
2466 /* Successor w is in stack S and hence in the current SCC
2467 If w is not on stack, then (v, w) is a cross-edge in the DFS
2468 tree and must be ignored. */
2470 }
2471 }
2473 /* If v is a root node, pop the stack and generate an SCC. */
2476 {
2483 }
2484 }
2486 /* worklist's ctor. */
2492 {
2493 }
2495 /* Return the number of nodes in the worklist. */
2497 unsigned
2499 {
2501 }
2503 /* Return the next node in the worklist, removing it. */
2505 exploded_node *
2507 {
2509 }
2511 /* Return the next node in the worklist without removing it. */
2513 exploded_node *
2515 {
2517 }
2519 /* Add ENODE to the worklist. */
2521 void
2523 {
2526 }
2528 /* Comparator for implementing worklist::key_t comparison operators.
2529 Return negative if KA is before KB
2530 Return positive if KA is after KB
2531 Return 0 if they are equal.
2533 The ordering of the worklist is critical for performance and for
2534 avoiding node explosions. Ideally we want all enodes at a CFG join-point
2535 with the same callstring to be sorted next to each other in the worklist
2536 so that a run of consecutive enodes can be merged and processed "in bulk"
2537 rather than individually or pairwise, minimizing the number of new enodes
2538 created. */
2540 int
2542 {
2548 /* Order empty-callstring points with different functions based on the
2549 analysis_plan, so that we generate summaries before they are used. */
2556 {
2560 }
2562 /* Sort by callstring, so that nodes with deeper call strings are processed
2563 before those with shallower call strings.
2564 If we have
2565 splitting BB
2566 / \
2567 / \
2568 fn call no fn call
2569 \ /
2570 \ /
2571 join BB
2572 then we want the path inside the function call to be fully explored up
2573 to the return to the join BB before we explore on the "no fn call" path,
2574 so that both enodes at the join BB reach the front of the worklist at
2575 the same time and thus have a chance of being merged. */
2580 /* Order by SCC. */
2586 /* If in same SCC, order by supernode index (an arbitrary but stable
2587 ordering). */
2591 {
2593 /* One is NULL. */
2595 else
2596 /* Both are NULL. */
2598 }
2600 /* One is NULL. */
2602 /* Neither are NULL. */
2609 /* Order within supernode via program point. */
2610 int within_snode_cmp
2616 /* Otherwise, we ought to have the same program_point. */
2622 /* Sort by sm-state, so that identical sm-states are grouped
2623 together in the worklist. */
2626 {
2632 }
2634 /* Otherwise, we have two enodes at the same program point but with
2635 different states. We don't have a good total ordering on states,
2636 so order them by enode index, so that we have at least have a
2637 stable sort. */
2639 }
2641 /* Return a new json::object of the form
2642 {"scc" : [per-snode-IDs]}, */
2646 {
2651 /* The following field isn't yet being JSONified:
2652 queue_t m_queue; */
2655 }
2657 /* exploded_graph's ctor. */
2673 {
2674 m_origin = get_or_create_node
2679 }
2681 /* exploded_graph's dtor. */
2684 {
2693 }
2695 /* Subroutine for use when implementing __attribute__((tainted_args))
2696 on functions and on function pointer fields in structs.
2698 Called on STATE representing a call to FNDECL.
2699 Mark all params of FNDECL in STATE as "tainted". Mark the value of all
2700 regions pointed to by params of FNDECL as "tainted".
2702 Return true if successful; return false if the "taint" state machine
2703 was not found. */
2705 static bool
2708 {
2724 {
2733 {
2735 /* Mark "*param" as tainted. */
2740 }
2741 }
2744 }
2746 /* Custom event for use by tainted_args_function_info when a function
2747 has been marked with __attribute__((tainted_args)). */
2750 {
2755 {
2756 }
2759 {
2760 return make_label_text
2763 m_fndecl);
2764 }
2767 tree m_fndecl;
2768 };
2770 /* Custom exploded_edge info for top-level calls to a function
2771 marked with __attribute__((tainted_args)). */
2774 {
2778 {}
2781 {
2783 };
2788 {
2789 /* No-op. */
2791 }
2795 {
2796 emission_path->add_event
2799 }
2802 tree m_fndecl;
2803 };
2805 /* Ensure that there is an exploded_node representing an external call to
2806 FUN, adding it to the worklist if creating it.
2808 Add an edge from the origin exploded_node to the function entrypoint
2809 exploded_node.
2811 Return the exploded_node for the entrypoint to the function. */
2813 exploded_node *
2815 {
2818 /* Be idempotent. */
2821 {
2826 }
2828 program_point point
2837 {
2840 }
2854 }
2856 /* Get or create an exploded_node for (POINT, STATE).
2857 If a new node is created, it is added to the worklist.
2859 Use ENODE_FOR_DIAG, a pre-existing enode, for any diagnostics
2860 that need to be emitted (e.g. when purging state *before* we have
2861 a new enode). */
2863 exploded_node *
2867 {
2871 {
2882 }
2884 /* Stop exploring paths for which we don't know how to effectively
2885 model the state. */
2887 {
2891 }
2897 //state.dump (get_ext_state ());
2899 /* Prune state to try to improve the chances of a cache hit,
2900 avoiding generating redundant nodes. */
2901 uncertainty_t uncertainty;
2902 program_state pruned_state
2907 //pruned_state.dump (get_ext_state ());
2910 {
2918 }
2922 stats *per_cs_stats
2928 {
2929 /* An exploded_node for PS already exists. */
2936 }
2938 per_program_point_data *per_point_data
2941 /* Consider merging state with another enode at this program_point. */
2943 {
2947 {
2954 /* This merges successfully within the loop. */
2959 {
2965 /* Try again for a cache hit.
2966 Whether we get one or not, merged_state's value_ids have no
2967 relationship to those of the input state, and thus to those
2968 of CHANGE, so we must purge any svalue_ids from *CHANGE. */
2972 {
2973 /* An exploded_node for PS already exists. */
2980 }
2981 }
2982 else
2986 }
2987 }
2989 /* Impose a limit on the number of enodes per program point, and
2990 simply stop if we exceed it. */
2993 {
2994 pretty_printer pp;
3005 }
3009 /* An exploded_node for "ps" doesn't already exist; create one. */
3014 /* Update per-program_point data. */
3026 {
3038 }
3040 /* Add the new node to the worlist. */
3043 }
3045 /* Add an exploded_edge from SRC to DEST, recording its association
3046 with SEDGE (which may be NULL), and, if non-NULL, taking ownership
3047 of CUSTOM_INFO. COULD_DO_WORK is used for detecting infinite loops.
3048 Return the newly-created eedge. */
3050 exploded_edge *
3054 {
3058 exploded_edge *e
3063 }
3065 /* Ensure that this graph has per-program_point-data for POINT;
3066 borrow a pointer to it. */
3068 per_program_point_data *
3071 {
3078 }
3080 /* Get this graph's per-program-point-data for POINT if there is any,
3081 otherwise NULL. */
3083 per_program_point_data *
3085 {
3091 }
3093 /* Ensure that this graph has per-call_string-data for CS;
3094 borrow a pointer to it. */
3096 per_call_string_data *
3098 {
3104 data);
3106 }
3108 /* Ensure that this graph has per-function-data for FUN;
3109 borrow a pointer to it. */
3111 per_function_data *
3113 {
3120 }
3122 /* Get this graph's per-function-data for FUN if there is any,
3123 otherwise NULL. */
3125 per_function_data *
3127 {
3133 }
3135 /* Return true if FUN should be traversed directly, rather than only as
3136 called via other functions. */
3138 static bool
3140 {
3141 /* Don't directly traverse into functions that have an "__analyzer_"
3142 prefix. Doing so is useful for the analyzer test suite, allowing
3143 us to have functions that are called in traversals, but not directly
3144 explored, thus testing how the analyzer handles calls and returns.
3145 With this, we can have DejaGnu directives that cover just the case
3146 of where a function is called by another function, without generating
3147 excess messages from the case of the first function being traversed
3148 directly. */
3152 {
3157 }
3163 }
3165 /* Custom event for use by tainted_call_info when a callback field has been
3166 marked with __attribute__((tainted_args)), for labelling the field. */
3169 {
3174 {
3175 }
3178 {
3180 "field %qE of %qT"
3183 }
3186 tree m_field;
3187 };
3189 /* Custom event for use by tainted_call_info when a callback field has been
3190 marked with __attribute__((tainted_args)), for labelling the function used
3191 in that callback. */
3194 {
3197 tree field)
3200 {
3201 }
3204 {
3206 "function %qE used as initializer for field %qE"
3209 }
3212 tree m_field;
3213 };
3215 /* Custom edge info for use when adding a function used by a callback field
3216 marked with '__attribute__((tainted_args))'. */
3219 {
3223 {}
3226 {
3228 };
3233 {
3234 /* No-op. */
3236 }
3240 {
3241 /* Show the field in the struct declaration, e.g.
3242 "(1) field 'store' is marked with '__attribute__((tainted_args))'" */
3243 emission_path->add_event
3246 /* Show the callback in the initializer
3247 e.g.
3248 "(2) function 'gadget_dev_desc_UDC_store' used as initializer
3249 for field 'store' marked with '__attribute__((tainted_args))'". */
3250 emission_path->add_event
3253 m_field));
3254 }
3257 tree m_field;
3258 tree m_fndecl;
3259 location_t m_loc;
3260 };
3262 /* Given an initializer at LOC for FIELD marked with
3263 '__attribute__((tainted_args))' initialized with FNDECL, add an
3264 entrypoint to FNDECL to EG (and to its worklist) where the params to
3265 FNDECL are marked as tainted. */
3267 static void
3269 location_t loc)
3270 {
3283 program_point point
3297 {
3301 else
3302 {
3304 fndecl);
3306 }
3307 }
3311 }
3313 /* Callback for walk_tree for finding callbacks within initializers;
3314 ensure that any callback initializer where the corresponding field is
3315 marked with '__attribute__((tainted_args))' is treated as an entrypoint
3316 to the analysis, special-casing that the inputs to the callback are
3317 untrustworthy. */
3319 static tree
3321 {
3324 {
3325 /* Find fields with the "tainted_args" attribute.
3326 walk_tree only walks the values, not the index values;
3327 look at the index values. */
3332 idx++)
3335 {
3342 }
3343 }
3346 }
3348 /* Add initial nodes to EG, with entrypoints for externally-callable
3349 functions. */
3351 void
3353 {
3359 {
3366 {
3370 else
3372 }
3373 }
3375 /* Find callbacks that are reachable from global initializers. */
3378 {
3384 }
3385 }
3387 /* The main loop of the analysis.
3388 Take freshly-created exploded_nodes from the worklist, calling
3389 process_node on them to explore the <point, state> graph.
3390 Add edges to their successors, potentially creating new successors
3391 (which are also added to the worklist). */
3393 void
3395 {
3401 {
3410 /* If we have a run of nodes that are before-supernode, try merging and
3411 processing them together, rather than pairwise or individually. */
3416 /* Avoid exponential explosions of nodes by attempting to merge
3417 nodes that are at the same program point and which have
3418 sufficiently similar state. */
3421 {
3433 {
3436 {
3440 logger->log_partial
3445 }
3449 /* They shouldn't be equal, or we wouldn't have two
3450 separate nodes. */
3456 {
3462 {
3463 /* Then merge node_2 into node by adding an edge. */
3466 /* Remove node_2 from the worklist. */
3470 /* Continue processing "node" below. */
3471 }
3473 {
3474 /* Then merge node into node_2, and leave node_2
3475 in the worklist, to be processed on the next
3476 iteration. */
3480 }
3481 else
3482 {
3483 /* We have a merged state that differs from
3484 both state and state_2. */
3486 /* Remove node_2 from the worklist. */
3489 /* Create (or get) an exploded node for the merged
3490 states, adding to the worklist. */
3491 exploded_node *merged_enode
3502 /* "node" and "node_2" have both now been removed
3503 from the worklist; we should not process them.
3505 "merged_enode" may be a new node; if so it will be
3506 processed in a subsequent iteration.
3507 Alternatively, "merged_enode" could be an existing
3508 node; one way the latter can
3509 happen is if we end up merging a succession of
3510 similar nodes into one. */
3512 /* If merged_node is one of the two we were merging,
3513 add it back to the worklist to ensure it gets
3514 processed.
3516 Add edges from the merged nodes to it (but not a
3517 self-edge). */
3520 else
3521 {
3524 }
3528 else
3529 {
3532 }
3535 }
3536 }
3538 /* TODO: should we attempt more than two nodes,
3539 or just do pairs of nodes? (and hope that we get
3540 a cascade of mergers). */
3541 }
3542 }
3546 handle_limit:
3547 /* Impose a hard limit on the number of exploded nodes, to ensure
3548 that the analysis terminates in the face of pathological state
3549 explosion (or bugs).
3551 Specifically, the limit is on the number of PK_AFTER_SUPERNODE
3552 exploded nodes, looking at supernode exit events.
3554 We use exit rather than entry since there can be multiple
3555 entry ENs, one per phi; the number of PK_AFTER_SUPERNODE ought
3556 to be equivalent to the number of supernodes multiplied by the
3557 number of states. */
3560 {
3564 OPT_Wanalyzer_too_complex,
3565 "analysis bailed out early"
3570 }
3571 }
3572 }
3574 /* Attempt to process a consecutive run of sufficiently-similar nodes in
3575 the worklist at a CFG join-point (having already popped ENODE from the
3576 head of the worklist).
3578 If ENODE's point is of the form (before-supernode, SNODE) and the next
3579 nodes in the worklist are a consecutive run of enodes of the same form,
3580 for the same supernode as ENODE (but potentially from different in-edges),
3581 process them all together, setting their status to STATUS_BULK_MERGED,
3582 and return true.
3583 Otherwise, return false, in which case ENODE must be processed in the
3584 normal way.
3586 When processing them all together, generate successor states based
3587 on phi nodes for the appropriate CFG edges, and then attempt to merge
3588 these states into a minimal set of merged successor states, partitioning
3589 the inputs by merged successor state.
3591 Create new exploded nodes for all of the merged states, and add edges
3592 connecting the input enodes to the corresponding merger exploded nodes.
3594 We hope we have a much smaller number of merged successor states
3595 compared to the number of input enodes - ideally just one,
3596 if all successor states can be merged.
3598 Processing and merging many together as one operation rather than as
3599 pairs avoids scaling issues where per-pair mergers could bloat the
3600 graph with merger nodes (especially so after switch statements). */
3602 bool
3605 {
3606 /* A struct for tracking per-input state. */
3607 struct item
3608 {
3613 {}
3616 program_state m_processed_state;
3618 };
3633 /* Find a run of enodes in the worklist that are before the same supernode,
3634 but potentially from different in-edges. */
3638 {
3648 {
3651 }
3652 else
3654 }
3656 /* If the only node is ENODE, then give up. */
3664 /* All of these enodes have a shared successor point (even if they
3665 were for different in-edges). */
3668 /* Calculate the successor state for each enode in enodes. */
3673 {
3681 {
3682 uncertainty_t uncertainty;
3691 }
3693 }
3695 /* Attempt to partition the items into a set of merged states.
3696 We hope we have a much smaller number of merged states
3697 compared to the number of input enodes - ideally just one,
3698 if all can be merged. */
3703 {
3708 {
3713 {
3721 }
3722 }
3723 /* If it couldn't be merged with any existing merged_states,
3724 create a new one. */
3726 {
3733 }
3734 got_merger:
3737 }
3739 /* Create merger nodes. */
3743 {
3744 exploded_node *src_enode
3746 exploded_node *next
3748 /* "next" could be NULL; we handle that when adding the edges below. */
3751 {
3754 else
3756 }
3757 }
3759 /* Create edges from each input enode to the appropriate successor enode.
3760 Update the status of the now-processed input enodes. */
3762 {
3768 }
3775 }
3777 /* Return true if STMT must appear at the start of its exploded node, and
3778 thus we can't consolidate its effects within a run of other statements,
3779 where PREV_STMT was the previous statement. */
3781 static bool
3784 {
3786 {
3787 /* Stop consolidating at calls to
3788 "__analyzer_dump_exploded_nodes", so they always appear at the
3789 start of an exploded_node. */
3794 /* sm-signal.cc injects an additional custom eedge at "signal" calls
3795 from the registration enode to the handler enode, separate from the
3796 regular next state, which defeats the "detect state change" logic
3797 in process_node. Work around this via special-casing, to ensure
3798 we split the enode immediately before any "signal" call. */
3801 }
3803 /* If we had a PREV_STMT with an unknown location, and this stmt
3804 has a known location, then if a state change happens here, it
3805 could be consolidated into PREV_STMT, giving us an event with
3806 no location. Ensure that STMT gets its own exploded_node to
3807 avoid this. */
3813 }
3815 /* Return true if OLD_STATE and NEW_STATE are sufficiently different that
3816 we should split enodes and create an exploded_edge separating them
3817 (which makes it easier to identify state changes of intereset when
3818 constructing checker_paths). */
3820 static bool
3823 {
3824 /* Changes in dynamic extents signify creations of heap/alloca regions
3825 and resizings of heap regions; likely to be of interest in
3826 diagnostic paths. */
3831 /* Changes in sm-state are of interest. */
3835 {
3840 }
3843 }
3845 /* Create enodes and eedges for the function calls that doesn't have an
3846 underlying call superedge.
3848 Such case occurs when GCC's middle end didn't know which function to
3849 call but the analyzer does (with the help of current state).
3851 Some example such calls are dynamically dispatched calls to virtual
3852 functions or calls that happen via function pointer. */
3854 bool
3856 tree fn_decl,
3858 program_state next_state,
3862 {
3868 {
3873 program_point new_point
3875 NULL,
3881 /* Impose a maximum recursion depth and don't analyze paths
3882 that exceed it further.
3883 This is something of a blunt workaround, but it only
3884 applies to recursion (and mutual recursion), not to
3885 general call stacks. */
3888 {
3892 }
3897 {
3905 next_state,
3906 node);
3912 }
3913 }
3915 }
3917 /* Subclass of path_context for use within exploded_graph::process_node,
3918 so that we can split states e.g. at "realloc" calls. */
3921 {
3928 {
3929 }
3932 {
3934 }
3937 {
3940 }
3942 void
3944 {
3949 /* Verify that the state at bifurcation is consistent when we
3950 split into multiple out-edges. */
3952 else
3953 /* Take a copy of the cur_state at the moment when bifurcation
3954 happens. */
3955 m_state_at_bifurcation
3958 /* Take ownership of INFO. */
3960 }
3963 {
3967 }
3970 {
3972 }
3975 {
3977 }
3984 /* Lazily-created copy of the state before the split. */
3990 };
3992 /* A subclass of pending_diagnostic for complaining about jumps through NULL
3993 function pointers. */
3996 {
4000 {}
4003 {
4005 }
4008 {
4010 }
4013 {
4015 }
4018 {
4020 }
4023 {
4025 }
4029 };
4031 /* The core of exploded_graph::process_worklist (the main analysis loop),
4032 handling one node in the worklist.
4034 Get successor <point, state> pairs for NODE, calling get_or_create on
4035 them, and adding an exploded_edge to each successors.
4037 Freshly-created nodes will be added to the worklist. */
4039 void
4041 {
4049 /* Update cfun and input_location in case of an ICE: make it easier to
4050 track down which source construct we're failing to handle. */
4058 {
4066 }
4069 {
4073 /* This node exists to simplify finding the shortest path
4074 to an exploded_node. */
4078 {
4080 uncertainty_t uncertainty;
4083 {
4092 last_cfg_superedge,
4096 }
4103 }
4106 {
4107 /* Determine the effect of a run of one or more statements
4108 within one supernode, generating an edge to the program_point
4109 after the last statement that's processed.
4111 Stop iterating statements and thus consolidating into one enode
4112 when:
4113 - reaching the end of the statements in the supernode
4114 - if an sm-state-change occurs (so that it gets its own
4115 exploded_node)
4116 - if "-fanalyzer-fine-grained" is active
4117 - encountering certain statements must appear at the start of
4118 their enode (for which stmt_requires_new_enode_p returns true)
4120 Update next_state in-place, to get the result of the one
4121 or more stmts that are processed.
4123 Split the node in-place if an sm-state-change occurs, so that
4124 the sm-state-change occurs on an edge where the src enode has
4125 exactly one stmt, the one that caused the change. */
4131 uncertainty_t uncertainty;
4137 stmt_idx++)
4138 {
4143 {
4144 stmt_idx--;
4146 }
4151 /* Process the stmt. */
4157 /* If flags.m_terminate_path, stop analyzing; any nodes/edges
4158 will have been added by on_stmt (e.g. for handling longjmp). */
4163 {
4169 }
4172 program_point next_point
4185 {
4186 program_point split_point
4188 stmt_idx,
4191 {
4192 /* If we're not at the start of NODE, split the enode at
4193 this stmt, so we have:
4194 node -> split_enode
4195 so that when split_enode is processed the next edge
4196 we add will be:
4197 split_enode -> next
4198 and any state change will effectively occur on that
4199 latter edge, and split_enode will contain just stmt. */
4202 exploded_node *split_enode
4206 /* "stmt" will be reprocessed when split_enode is
4207 processed. */
4213 }
4214 else
4215 /* If we're at the start of NODE, stop iterating,
4216 so that an edge will be created from NODE to
4217 (next_point, next_state) below. */
4219 }
4220 }
4222 program_point next_point
4229 {
4232 }
4233 else
4234 {
4235 exploded_node *next
4239 }
4241 /* If we have custom edge infos, "bifurcate" the state
4242 accordingly, potentially creating a new state/enode/eedge
4243 instances. For example, to handle a "realloc" call, we
4244 might split into 3 states, for the "failure",
4245 "resizing in place", and "moving to a new buffer" cases. */
4247 {
4248 /* Take ownership of the edge infos from the path_ctxt. */
4251 {
4256 }
4257 program_state bifurcated_new_state
4260 /* Apply edge_info to state. */
4261 impl_region_model_context
4268 stmt);
4272 {
4273 exploded_node *next2
4279 }
4280 else
4281 {
4284 }
4285 }
4286 }
4289 {
4292 /* If this is an EXIT BB, detect leaks, and potentially
4293 create a function summary. */
4295 {
4300 {
4301 /* TODO: create function summary
4302 There can be more than one; each corresponds to a different
4303 final enode in the function. */
4305 {
4308 logger->log_partial
4313 }
4314 per_function_data *per_fn_data
4317 }
4318 }
4319 /* Traverse into successors of the supernode. */
4323 {
4326 {
4331 }
4333 program_point next_point
4337 uncertainty_t uncertainty;
4339 /* Make use the current state and try to discover and analyse
4340 indirect function calls (a call that doesn't have an underlying
4341 cgraph edge representing call).
4343 Some examples of such calls are virtual function calls
4344 and calls that happen via a function pointer. */
4347 {
4352 node,
4356 NULL,
4364 fn_decl,
4365 node,
4366 next_state,
4367 next_point,
4369 logger);
4371 {
4372 /* Check for jump through NULL. */
4374 {
4379 }
4381 /* An unknown function or a special function was called
4382 at this point, in such case, don't terminate the
4383 analysis of the current function.
4385 The analyzer handles calls to such functions while
4386 analysing the stmt itself, so the function call
4387 must have been handled by the anlyzer till now. */
4388 exploded_node *next
4390 next_state,
4391 node);
4395 }
4396 }
4400 {
4405 }
4407 node);
4409 {
4412 /* We might have a function entrypoint. */
4414 }
4415 }
4417 /* Return from the calls which doesn't have a return superedge.
4418 Such case occurs when GCC's middle end didn't knew which function to
4419 call but analyzer did. */
4422 {
4424 program_point next_point
4426 NULL,
4427 cs);
4429 uncertainty_t uncertainty;
4438 {
4441 next_state,
4442 node);
4446 }
4447 }
4448 }
4450 }
4451 }
4453 /* Ensure that this graph has a stats instance for FN, return it.
4454 FN can be NULL, in which case a stats instances is returned covering
4455 "functionless" parts of the graph (the origin node). */
4457 stats *
4459 {
4465 else
4466 {
4468 /* not quite the num supernodes, but nearly. */
4472 }
4473 }
4475 /* Print bar charts to PP showing:
4476 - the number of enodes per function, and
4477 - for each function:
4478 - the number of enodes per supernode/BB
4479 - the number of excess enodes per supernode/BB beyond the
4480 per-program-point limit, if there were any. */
4482 void
4484 {
4489 bar_chart enodes_per_function;
4491 {
4497 }
4500 /* Accumulate number of enodes per supernode. */
4507 {
4512 }
4514 /* Accumulate excess enodes per supernode. */
4520 {
4528 }
4530 /* Show per-function bar_charts of enodes per supernode/BB. */
4534 {
4539 bar_chart enodes_per_snode;
4540 bar_chart excess_enodes_per_snode;
4543 {
4547 pretty_printer tmp_pp;
4552 const int num_excess
4555 num_excess);
4558 }
4561 {
4565 }
4566 }
4567 }
4569 /* Write all stats information to this graph's logger, if any. */
4571 void
4573 {
4593 {
4597 }
4600 }
4602 /* Dump all stats information to OUT. */
4604 void
4606 {
4618 {
4622 }
4627 }
4629 void
4632 {
4638 {
4642 {
4643 pretty_printer pp;
4649 }
4650 }
4653 }
4655 /* Return a new json::object of the form
4656 {"nodes" : [objs for enodes],
4657 "edges" : [objs for eedges],
4658 "ext_state": object for extrinsic_state,
4659 "diagnostic_manager": object for diagnostic_manager}. */
4663 {
4666 /* Nodes. */
4667 {
4674 }
4676 /* Edges. */
4677 {
4684 }
4686 /* m_sg is JSONified at the top-level. */
4692 /* The following fields aren't yet being JSONified:
4693 const state_purge_map *const m_purge_map;
4694 const analysis_plan &m_plan;
4695 stats m_global_stats;
4696 function_stat_map_t m_per_function_stats;
4697 stats m_functionless_stats;
4698 call_string_data_map_t m_per_call_string_data;
4699 auto_vec<int> m_PK_AFTER_SUPERNODE_per_snode; */
4702 }
4704 /* class exploded_path. */
4706 /* Copy ctor. */
4710 {
4715 }
4717 /* Look for the last use of SEARCH_STMT within this path.
4718 If found write the edge's index to *OUT_IDX and return true, otherwise
4719 return false. */
4721 bool
4724 {
4728 {
4733 {
4736 }
4737 }
4739 }
4741 /* Get the final exploded_node in this path, which must be non-empty. */
4743 exploded_node *
4745 {
4748 }
4750 /* Check state along this path, returning true if it is feasible.
4751 If OUT is non-NULL, and the path is infeasible, write a new
4752 feasibility_problem to *OUT. */
4754 bool
4758 {
4764 /* Traverse the path, updating this state. */
4766 {
4770 edge_idx,
4776 {
4779 {
4785 last_stmt,
4787 }
4789 }
4792 {
4794 edge_idx,
4800 }
4801 }
4804 }
4806 /* Dump this path in multiline form to PP.
4807 If EXT_STATE is non-NULL, then show the nodes. */
4809 void
4812 {
4814 {
4817 i,
4824 }
4825 }
4827 /* Dump this path in multiline form to FP. */
4829 void
4831 {
4832 pretty_printer pp;
4838 }
4840 /* Dump this path in multiline form to stderr. */
4842 DEBUG_FUNCTION void
4844 {
4846 }
4848 /* Dump this path verbosely to FILENAME. */
4850 void
4853 {
4857 pretty_printer pp;
4863 }
4865 /* class feasibility_problem. */
4867 void
4869 {
4873 {
4878 }
4879 }
4881 /* class feasibility_state. */
4883 /* Ctor for feasibility_state, at the beginning of a path. */
4889 {
4891 }
4893 /* Copy ctor for feasibility_state, for extending a path. */
4898 {
4900 }
4906 {
4908 }
4910 feasibility_state &
4912 {
4916 }
4918 /* The heart of feasibility-checking.
4920 Attempt to update this state in-place based on traversing EEDGE
4921 in a path.
4922 Update the model for the stmts in the src enode.
4923 Attempt to add constraints for EEDGE.
4925 If feasible, return true.
4926 Otherwise, return false and write to *OUT_RC. */
4928 bool
4934 {
4938 {
4942 }
4944 /* Update state for the stmts that were processed in each enode. */
4946 stmt_idx++)
4947 {
4950 /* Update cfun and input_location in case of ICE: make it easier to
4951 track down which source construct we're failing to handle. */
4956 }
4960 {
4962 {
4968 }
4972 {
4974 {
4979 }
4981 }
4982 }
4983 else
4984 {
4985 /* Special-case the initial eedge from the origin node to the
4986 initial function by pushing a frame for it. */
4988 {
4997 }
4999 {
5001 }
5002 }
5004 /* Handle phi nodes on an edge leaving a PK_BEFORE_SUPERNODE (to
5005 a PK_BEFORE_STMT, or a PK_AFTER_SUPERNODE if no stmts).
5006 This will typically not be associated with a superedge. */
5008 {
5014 {
5018 last_cfg_superedge,
5019 ctxt);
5020 /* If we've entering an snode that we've already visited on this
5021 epath, then we need do fix things up for loops; see the
5022 comment for store::loop_replay_fixup.
5023 Perhaps we should probably also verify the callstring,
5024 and track program_points, but hopefully doing it by supernode
5025 is good enough. */
5028 }
5030 }
5032 }
5034 /* Update this object for the effects of STMT. */
5036 void
5038 {
5044 {
5047 }
5050 }
5052 /* Dump this object to PP. */
5054 void
5057 {
5059 }
5061 /* A family of cluster subclasses for use when generating .dot output for
5062 exploded graphs (-fdump-analyzer-exploded-graph), for grouping the
5063 enodes into hierarchical boxes.
5065 All functionless enodes appear in the top-level graph.
5066 Every (function, call_string) pair gets its own cluster. Within that
5067 cluster, each supernode gets its own cluster.
5069 Hence all enodes relating to a particular function with a particular
5070 callstring will be in a cluster together; all enodes for the same
5071 function but with a different callstring will be in a different
5072 cluster. */
5074 /* Base class of cluster for clustering exploded_node instances in .dot
5075 output, based on various subclass-specific criteria. */
5078 {
5079 };
5081 /* Cluster containing all exploded_node instances for one supernode. */
5084 {
5088 // TODO: dtor?
5091 {
5104 /* Terminate subgraph. */
5107 }
5110 {
5112 }
5114 /* Comparator for use by auto_vec<supernode_cluster *>::qsort. */
5117 {
5123 }
5128 };
5130 /* Cluster containing all supernode_cluster instances for one
5131 (function, call_string) pair. */
5134 {
5140 {
5145 }
5148 {
5160 /* Dump m_map, sorting it to avoid churn when comparing dumps. */
5174 /* Terminate subgraph. */
5177 }
5180 {
5186 else
5187 {
5191 }
5192 }
5194 /* Comparator for use by auto_vec<function_call_string_cluster *>. */
5197 {
5207 }
5213 map_t m_map;
5214 };
5216 /* Keys for root_cluster. */
5218 struct function_call_string
5219 {
5222 {
5225 }
5229 };
5235 {
5237 };
5240 inline hashval_t
5242 {
5245 }
5251 {
5253 }
5257 {
5259 }
5263 {
5265 }
5269 {
5271 }
5275 {
5277 }
5281 /* Top-level cluster for generating .dot output for exploded graphs,
5282 handling the functionless nodes, and grouping the remaining nodes by
5283 callstring. */
5286 {
5289 {
5294 }
5297 {
5303 /* Dump m_map, sorting it to avoid churn when comparing dumps. */
5315 }
5318 {
5321 {
5324 }
5331 else
5332 {
5333 function_call_string_cluster *child
5337 }
5338 }
5342 map_t m_map;
5344 /* This should just be the origin exploded_node. */
5346 };
5348 /* Subclass of range_label for use within
5349 exploded_graph::dump_exploded_nodes for implementing
5350 -fdump-analyzer-exploded-nodes: a label for a specific
5351 exploded_node. */
5354 {
5361 {
5362 pretty_printer pp;
5367 }
5372 };
5374 /* Postprocessing support for dumping the exploded nodes.
5375 Handle -fdump-analyzer-exploded-nodes,
5376 -fdump-analyzer-exploded-nodes-2, and the
5377 "__analyzer_dump_exploded_nodes" builtin. */
5379 void
5381 {
5382 // TODO
5383 /* Locate calls to __analyzer_dump_exploded_nodes. */
5384 // Print how many egs there are for them?
5385 /* Better: log them as we go, and record the exploded nodes
5386 in question. */
5388 /* Show every enode. */
5390 /* Gather them by stmt, so that we can more clearly see the
5391 "hotspots" requiring numerous exploded nodes. */
5393 /* Alternatively, simply throw them all into one big rich_location
5394 and see if the label-printing will sort it out...
5395 This requires them all to be in the same source file. */
5398 {
5404 {
5406 {
5409 else
5411 SHOW_RANGE_WITHOUT_CARET,
5413 }
5414 }
5417 /* Repeat the warning without all the labels, so that message is visible
5418 (the other one may well have scrolled past the terminal limit). */
5425 }
5427 /* Dump the egraph in textual form to a dump file. */
5429 {
5445 {
5448 pretty_printer pp;
5452 }
5455 }
5457 /* Dump the egraph in textual form to multiple dump files, one per enode. */
5459 {
5465 {
5471 filename);
5476 pretty_printer pp;
5482 }
5483 }
5485 /* Emit a warning at any call to "__analyzer_dump_exploded_nodes",
5486 giving the number of processed exploded nodes for "before-stmt",
5487 and the IDs of processed, merger, and worklist enodes.
5489 We highlight the count of *processed* enodes since this is of most
5490 interest in DejaGnu tests for ensuring that state merger has
5491 happened.
5493 We don't show the count of merger and worklist enodes, as this is
5494 more of an implementation detail of the merging/worklist that we
5495 don't want to bake into our expected DejaGnu messages. */
5501 {
5509 {
5516 /* This is O(N^2). */
5520 {
5525 {
5537 }
5538 }
5540 pretty_printer pp;
5544 {
5547 }
5549 {
5552 }
5561 /* If the argument is non-zero, then print all of the states
5562 of the various enodes. */
5565 {
5569 }
5572 {
5575 {
5580 /* Dump state. */
5582 }
5583 }
5584 }
5585 }
5586 }
5588 DEBUG_FUNCTION exploded_node *
5590 {
5594 }
5596 /* Ensure that there is an exploded_node for a top-level call to FNDECL. */
5598 void
5600 {
5617 {
5621 else
5623 }
5624 }
5626 /* A collection of classes for visualizing the callgraph in .dot form
5627 (as represented in the supergraph). */
5629 /* Forward decls. */
5635 /* Traits for using "digraph.h" to visualize the callgraph. */
5637 struct viz_callgraph_traits
5638 {
5642 struct dump_args_t
5643 {
5646 };
5648 };
5650 /* Subclass of dnode representing a function within the callgraph. */
5653 {
5659 {
5661 }
5664 {
5682 {
5687 {
5689 num_enodes++;
5690 }
5694 // TODO: also show the per-callstring breakdown
5701 {
5703 //per_call_string_data *data = (*iter).second;
5706 {
5709 num_enodes++;
5710 }
5712 {
5715 }
5716 }
5718 /* Show any summaries. */
5721 {
5725 {
5731 }
5732 }
5733 }
5738 }
5741 {
5743 }
5750 };
5752 /* Subclass of dedge representing a callgraph edge. */
5755 {
5759 {}
5762 final override
5763 {
5779 }
5780 };
5782 /* Subclass of digraph representing the callgraph. */
5785 {
5790 {
5792 }
5795 {
5797 }
5801 };
5803 /* Placeholder subclass of cluster. */
5806 {
5807 };
5809 /* viz_callgraph's ctor. */
5812 {
5815 {
5817 viz_callgraph_node *vcg_node
5821 }
5826 {
5831 {
5833 viz_callgraph_edge *vcg_edge
5836 }
5837 }
5841 {
5844 }
5845 }
5847 /* Dump the callgraph to FILENAME. */
5849 static void
5852 {
5857 // TODO
5862 }
5864 /* Dump the callgraph to "<srcfile>.callgraph.dot". */
5866 static void
5868 {
5873 }
5875 /* Subclass of dot_annotator for implementing
5876 DUMP_BASE_NAME.supergraph-eg.dot, a post-analysis dump of the supergraph.
5878 Annotate the supergraph nodes by printing the exploded nodes in concise
5879 form within them, next to their pertinent statements where appropriate,
5880 colorizing the exploded nodes based on sm-state.
5881 Also show saved diagnostics within the exploded nodes, giving information
5882 on whether they were feasible, and, if infeasible, where the problem
5883 was. */
5886 {
5890 {
5891 /* Avoid O(N^2) by prepopulating m_enodes_per_snodes. */
5900 }
5902 /* Show exploded nodes for BEFORE_SUPERNODE points before N. */
5905 const final override
5906 {
5921 {
5928 }
5934 }
5936 /* Show exploded nodes for STMT. */
5939 const final override
5940 {
5951 {
5959 }
5962 {
5965 }
5966 }
5968 /* Show exploded nodes for AFTER_SUPERNODE points after N. */
5970 const final override
5971 {
5982 {
5988 }
5992 }
5995 /* Concisely print a TD element for ENODE, showing the index, status,
5996 and any saved_diagnostics at the enode. Colorize it to show sm-state.
5998 Ideally we'd dump ENODE's state here, hidden behind some kind of
5999 interactive disclosure method like a tooltip, so that the states
6000 can be explored without overwhelming the graph.
6001 However, I wasn't able to get graphviz/xdot to show tooltips on
6002 individual elements within a HTML-like label. */
6004 {
6012 {
6026 }
6029 /* Dump any saved_diagnostics at this enode. */
6031 {
6034 }
6037 }
6039 /* Print a TABLE element for SD, showing the kind, the length of the
6040 exploded_path, whether the path was feasible, and if infeasible,
6041 what the problem was. */
6044 {
6055 else
6059 {
6075 /* Ideally we'd print p->m_model here; see the notes above about
6076 tooltips. */
6077 }
6080 }
6084 };
6086 /* Implement -fdump-analyzer-json. */
6088 static void
6091 {
6096 {
6100 }
6106 pretty_printer pp;
6117 }
6119 /* Concrete subclass of plugin_analyzer_init_iface, allowing plugins
6120 to register new state machines. */
6123 {
6131 {}
6134 {
6137 }
6141 {
6144 }
6147 {
6149 }
6155 };
6157 /* Run the analysis "engine". */
6159 void
6161 {
6165 {
6170 }
6172 /* If using LTO, ensure that the cgraph nodes have function bodies. */
6177 /* Create the supergraph. */
6188 {
6189 /* Dump supergraph pre-analysis. */
6195 }
6198 {
6205 }
6215 logger);
6219 {
6224 }
6226 /* Extrinsic state shared by nodes in the graph. */
6231 /* The exploded graph. */
6233 analyzer_verbosity);
6235 /* Add entrypoints to the graph for externally-callable functions. */
6238 /* Now process the worklist, exploring the <point, state> graph. */
6245 {
6250 root_cluster c;
6253 }
6255 /* Now emit any saved diagnostics. */
6266 {
6267 /* Dump post-analysis form of supergraph. */
6274 }
6284 /* Free up any dominance info that we may have created. */
6286 {
6289 }
6290 }
6292 /* Handle -fdump-analyzer and -fdump-analyzer-stderr. */
6295 /* Track if we're responsible for closing dump_fout. */
6298 /* If dumping is enabled, attempt to create dump_fout if it hasn't already
6299 been opened. Return it. */
6303 {
6305 {
6309 {
6315 }
6316 }
6318 }
6320 /* External entrypoint to the analysis "engine".
6321 Set up any dumps, then call impl_run_checkers. */
6323 void
6325 {
6326 /* Save input_location. */
6329 {
6339 /* end of lifetime of the_logger (so that dump file is closed after the
6340 various dtors run). */
6341 }
6344 {
6348 }
6350 /* Restore input_location. Subsequent passes may assume that input_location
6351 is some arbitrary value *not* in the block tree, which might be violated
6352 if we didn't restore it. */
6354 }