| blob | c6c17b58d5c7f9a727858e664de22ad5659ed6d0 |
1 /* Classes for modeling the state of memory.
2 Copyright (C) 2020-2024 Free Software Foundation, Inc.
3 Contributed by David Malcolm <dmalcolm@redhat.com>.
5 This file is part of GCC.
7 GCC is free software; you can redistribute it and/or modify it
8 under the terms of the GNU General Public License as published by
9 the Free Software Foundation; either version 3, or (at your option)
10 any later version.
12 GCC is distributed in the hope that it will be useful, but
13 WITHOUT ANY WARRANTY; without even the implied warranty of
14 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
15 General Public License for more details.
17 You should have received a copy of the GNU General Public License
18 along with GCC; see the file COPYING3. If not see
19 <http://www.gnu.org/licenses/>. */
22 #define INCLUDE_MEMORY
23 #define INCLUDE_VECTOR
60 #if ENABLE_ANALYZER
64 /* Dump SVALS to PP, sorting them to ensure determinism. */
66 static void
69 {
73 {
75 }
82 {
86 }
88 }
90 /* class uncertainty_t. */
92 /* Dump this object to PP. */
94 void
96 {
103 }
105 /* Dump this object to stderr. */
107 DEBUG_FUNCTION void
109 {
110 pretty_printer pp;
117 }
119 /* class binding_key. */
123 {
127 else
128 {
129 bit_size_t bit_size;
131 {
132 /* Must be non-empty. */
135 bit_size);
136 }
137 else
139 }
140 }
142 /* Dump this binding_key to stderr. */
144 DEBUG_FUNCTION void
146 {
147 pretty_printer pp;
154 }
156 /* Get a description of this binding_key. */
158 label_text
160 {
161 pretty_printer pp;
165 }
167 /* qsort callback. */
169 int
171 {
175 }
177 /* Comparator for binding_keys. */
179 int
181 {
187 {
192 SIGNED))
195 SIGNED);
196 }
197 else
198 {
206 }
207 }
209 /* struct bit_range. */
211 void
213 {
217 else
218 {
225 }
226 }
228 /* Dump this object to stderr. */
230 DEBUG_FUNCTION void
232 {
233 pretty_printer pp;
238 }
240 /* Generate a JSON value for this bit_range.
241 This is intended for debugging the analyzer rather
242 than serialization. */
246 {
253 }
255 /* If OTHER is a subset of this, return true and, if OUT is
256 non-null, write to *OUT the relative range of OTHER within this.
257 Otherwise return false. */
259 bool
261 {
264 {
266 {
269 }
271 }
272 else
274 }
276 /* If OTHER intersects this, return true and write
277 the relative range of OTHER within THIS to *OUT_THIS,
278 and the relative range of THIS within OTHER to *OUT_OTHER.
279 Otherwise return false. */
281 bool
285 {
288 {
289 bit_offset_t overlap_start
292 bit_offset_t overlap_next
296 /* If this has happened, some kind of overflow has happened in
297 our arithmetic. For now, reject such cases. */
303 }
304 else
306 }
308 /* Return true if THIS and OTHER intersect and write the number
309 of bits both buffers overlap to *OUT_NUM_OVERLAP_BITS.
311 Otherwise return false. */
313 bool
316 {
319 {
325 /* If this has happened, some kind of overflow has happened in
326 our arithmetic. For now, reject such cases. */
330 }
331 else
333 }
335 /* Return true if THIS exceeds OTHER and write the overhanging
336 bit range to OUT_OVERHANGING_BIT_RANGE. */
338 bool
341 {
345 {
346 /* THIS definitely exceeds OTHER. */
351 /* If this has happened, some kind of overflow has happened in
352 our arithmetic. For now, reject such cases. */
357 }
358 else
360 }
362 /* Return true if THIS falls short of OFFSET and write the
363 bit range fallen short to OUT_FALL_SHORT_BITS. */
365 bool
368 {
372 {
373 /* THIS falls short of OFFSET. */
377 /* If this has happened, some kind of overflow has happened in
378 our arithmetic. For now, reject such cases. */
383 }
384 else
386 }
388 int
390 {
396 }
398 /* Offset this range by OFFSET. */
400 bit_range
402 {
404 }
406 /* If MASK is a contiguous range of set bits, write them
407 to *OUT and return true.
408 Otherwise return false. */
410 bool
412 {
416 /* Find the first contiguous run of set bits in MASK. */
418 /* Find first set bit in MASK. */
420 {
423 iter_bit_idx++;
425 }
427 /* MASK is zero. */
432 iter_bit_idx++;
435 /* Find next unset bit in MASK. */
437 {
440 num_set_bits++;
441 iter_bit_idx++;
443 }
445 {
448 }
450 /* We now have the first contiguous run of set bits in MASK.
451 Fail if any other bits are set. */
453 {
456 iter_bit_idx++;
458 }
462 }
464 /* Attempt to convert this bit_range to a byte_range.
465 Return true if it is possible, writing the result to *OUT.
466 Otherwise return false. */
468 bool
470 {
473 {
477 }
479 }
481 /* Dump this object to PP. */
483 void
485 {
487 {
489 }
491 {
494 }
495 else
496 {
501 }
502 }
504 /* Dump this object to stderr. */
506 DEBUG_FUNCTION void
508 {
509 pretty_printer pp;
514 }
516 /* Generate a JSON value for this byte_range.
517 This is intended for debugging the analyzer rather
518 than serialization. */
522 {
529 }
531 /* If OTHER is a subset of this, return true and write
532 to *OUT the relative range of OTHER within this.
533 Otherwise return false. */
535 bool
537 {
540 {
544 }
545 else
547 }
549 /* qsort comparator for byte ranges. */
551 int
553 {
554 /* Order first by offset. */
559 /* ...then by size. */
561 }
563 /* class concrete_binding : public binding_key. */
565 /* Implementation of binding_key::dump_to_pp vfunc for concrete_binding. */
567 void
569 {
571 }
573 /* Return true if this binding overlaps with OTHER. */
575 bool
577 {
582 }
584 /* If this is expressible as a concrete byte range, return true
585 and write it to *OUT. Otherwise return false. */
587 bool
589 {
591 }
593 /* Comparator for use by vec<const concrete_binding *>::qsort. */
595 int
597 {
602 }
604 /* class symbolic_binding : public binding_key. */
606 void
608 {
609 //binding_key::dump_to_pp (pp, simple);
612 }
614 /* Comparator for use by vec<const symbolic_binding *>::qsort. */
616 int
618 {
623 }
625 /* The store is oblivious to the types of the svalues bound within
626 it: any type can get bound at any location.
627 Simplify any casts before binding.
629 For example, if we have:
630 struct big { int ia[1024]; };
631 struct big src, dst;
632 memcpy (&dst, &src, sizeof (struct big));
633 this reaches us in gimple form as:
634 MEM <unsigned char[4096]> [(char * {ref-all})&dst]
635 = MEM <unsigned char[4096]> [(char * {ref-all})&src];
636 Using cast_region when handling the MEM_REF would give us:
637 INIT_VAL(CAST_REG(unsigned char[4096], src))
638 as rhs_sval, but we can fold that into a cast svalue:
639 CAST(unsigned char[4096], INIT_VAL(src))
640 We can discard that cast from the svalue when binding it in
641 the store for "dst", and simply store:
642 cluster for: dst
643 key: {kind: direct, start: 0, size: 32768, next: 32768}
644 value: ‘struct big’ {INIT_VAL(src)}. */
648 {
652 }
654 /* class binding_map. */
656 /* binding_map's copy ctor. */
660 {
661 }
663 /* binding_map's assignment operator. */
665 binding_map&
667 {
668 /* For now, assume we only ever copy to an empty cluster. */
672 {
676 }
678 }
680 /* binding_map's equality operator. */
682 bool
684 {
689 {
698 }
701 }
703 /* Generate a hash value for this binding_map. */
705 hashval_t
707 {
710 {
711 /* Use a new hasher for each key to avoid depending on the ordering
712 of keys when accumulating the result. */
717 }
719 }
721 /* Dump a representation of this binding_map to PP.
722 SIMPLE controls how values and regions are to be printed.
723 If MULTILINE, then split the dump over multiple lines and
724 use whitespace for readability, otherwise put all on one line. */
726 void
729 {
733 {
736 }
742 {
745 {
757 }
758 else
759 {
767 }
768 }
769 }
771 /* Dump a multiline representation of this binding_map to stderr. */
773 DEBUG_FUNCTION void
775 {
776 pretty_printer pp;
783 }
785 /* Return a new json::object of the form
786 {KEY_DESC : SVALUE_DESC,
787 ...for the various key/value pairs in this binding_map}. */
791 {
797 {
800 }
806 {
810 }
813 }
815 /* Add a child to PARENT_WIDGET expressing a binding between
816 KEY and SVAL. */
818 static void
823 {
824 pretty_printer the_pp;
839 }
841 void
844 {
848 {
851 }
857 {
861 }
862 }
865 /* Comparator for imposing an order on binding_maps. */
867 int
869 {
886 {
894 }
897 }
899 /* Get the child region of PARENT_REG based upon INDEX within a
900 CONSTRUCTOR. */
905 {
907 {
911 {
916 index_sval);
917 }
921 }
922 }
924 /* Get the svalue for VAL, a non-CONSTRUCTOR value within a CONSTRUCTOR. */
928 {
929 /* Reuse the get_rvalue logic from region_model. */
932 }
934 /* Bind values from CONSTRUCTOR to this map, relative to
935 PARENT_REG's relationship to its base region.
936 Return true if successful, false if there was a problem (e.g. due
937 to hitting a complexity limit). */
939 bool
942 {
947 tree index;
948 tree val;
950 tree field;
953 else
956 {
958 {
959 /* If index is NULL, then iterate through the fields for
960 a RECORD_TYPE, or use an INTEGER_CST otherwise.
961 Compare with similar logic in output_constructor. */
963 {
966 }
967 else
969 }
971 {
975 {
979 }
980 else
981 {
985 }
987 }
990 }
992 }
994 /* Bind the value VAL into the range of elements within PARENT_REF
995 from MIN_INDEX to MAX_INDEX (including endpoints).
996 For use in handling RANGE_EXPR within a CONSTRUCTOR.
997 Return true if successful, false if there was a problem (e.g. due
998 to hitting a complexity limit). */
1000 bool
1004 tree val)
1005 {
1009 /* Generate a binding key for the range. */
1026 bit_size_t range_size_in_bits
1033 /* Get the value. */
1038 /* Bind the value to the range. */
1041 }
1043 /* Bind the value VAL into INDEX within PARENT_REF.
1044 For use in handling a pair of entries within a CONSTRUCTOR.
1045 Return true if successful, false if there was a problem (e.g. due
1046 to hitting a complexity limit). */
1048 bool
1052 {
1057 else
1058 {
1064 /* Handle the case where we have an unknown size for child_reg
1065 (e.g. due to it being a trailing field with incomplete array
1066 type. */
1068 {
1069 /* Assume that sval has a well-defined size for this case. */
1075 /* Get offset of child relative to base region. */
1079 /* Convert to an offset relative to the parent region. */
1082 bit_offset_t child_parent_offset
1085 /* Create a concrete key for the child within the parent. */
1088 }
1092 }
1093 }
1095 /* Populate OUT with all bindings within this map that overlap KEY. */
1097 void
1100 {
1102 {
1106 {
1109 {
1112 }
1113 else
1114 {
1115 /* Assume overlap. */
1117 }
1118 }
1119 else
1120 {
1121 /* Assume overlap. */
1123 }
1124 }
1125 }
1127 /* Remove, truncate, and/or split any bindings within this map that
1128 overlap DROP_KEY.
1130 For example, if we have:
1132 +------------------------------------+
1133 | old binding |
1134 +------------------------------------+
1136 which is to be overwritten with:
1138 .......+----------------------+.......
1139 .......| new binding |.......
1140 .......+----------------------+.......
1142 this function "cuts a hole" out of the old binding:
1144 +------+......................+------+
1145 |prefix| hole for new binding |suffix|
1146 +------+......................+------+
1148 into which the new binding can be added without
1149 overlapping the prefix or suffix.
1151 The prefix and suffix (if added) will be bound to the pertinent
1152 parts of the value of the old binding.
1154 For example, given:
1155 struct s5
1156 {
1157 char arr[8];
1158 };
1159 void test_5 (struct s5 *p)
1160 {
1161 struct s5 f = *p;
1162 f.arr[3] = 42;
1163 }
1164 then after the "f = *p;" we have:
1165 cluster for: f: INIT_VAL((*INIT_VAL(p_33(D))))
1166 and at the "f.arr[3] = 42;" we remove the bindings overlapping
1167 "f.arr[3]", replacing it with a prefix (bytes 0-2) and suffix (bytes 4-7)
1168 giving:
1169 cluster for: f
1170 key: {bytes 0-2}
1171 value: {BITS_WITHIN(bytes 0-2, inner_val: INIT_VAL((*INIT_VAL(p_33(D))).arr))}
1172 key: {bytes 4-7}
1173 value: {BITS_WITHIN(bytes 4-7, inner_val: INIT_VAL((*INIT_VAL(p_33(D))).arr))}
1174 punching a hole into which the new value can be written at byte 3:
1175 cluster for: f
1176 key: {bytes 0-2}
1177 value: {BITS_WITHIN(bytes 0-2, inner_val: INIT_VAL((*INIT_VAL(p_33(D))).arr))}
1178 key: {byte 3}
1179 value: 'char' {(char)42}
1180 key: {bytes 4-7}
1181 value: {BITS_WITHIN(bytes 4-7, inner_val: INIT_VAL((*INIT_VAL(p_33(D))).arr))}
1183 If UNCERTAINTY is non-NULL, use it to record any svalues that
1184 were removed, as being maybe-bound.
1186 If MAYBE_LIVE_VALUES is non-NULL, then use it to record any svalues that
1187 were removed as being maybe-live.
1189 If ALWAYS_OVERLAP, then assume that DROP_KEY can overlap anything
1190 in the map, due to one or both of the underlying clusters being
1191 symbolic (but not the same symbolic region). Hence even if DROP_KEY is a
1192 concrete binding it could actually be referring to the same memory as
1193 distinct concrete bindings in the map. Remove all bindings, but
1194 register any svalues with *UNCERTAINTY. */
1196 void
1202 {
1203 /* Get the bindings of interest within this map. */
1208 else
1209 /* Just add overlapping bindings. */
1215 {
1216 /* Record any svalues that were removed to *UNCERTAINTY as being
1217 maybe-bound, provided at least some part of the binding is symbolic.
1219 Specifically, if at least one of the bindings is symbolic, or we
1220 have ALWAYS_OVERLAP for the case where we have possibly aliasing
1221 regions, then we don't know that the svalue has been overwritten,
1222 and should record that to *UNCERTAINTY.
1224 However, if we have concrete keys accessing within the same symbolic
1225 region, then we *know* that the symbolic region has been overwritten,
1226 so we don't record it to *UNCERTAINTY, as this could be a genuine
1227 leak. */
1235 /* Record any svalues that were removed to *MAYBE_LIVE_VALUES as being
1236 maybe-live. */
1240 /* Begin by removing the old binding. */
1243 /* Don't attempt to handle prefixes/suffixes for the
1244 "always_overlap" case; everything's being removed. */
1248 /* Now potentially add the prefix and suffix. */
1253 {
1261 {
1262 /* We have a truncated prefix. */
1271 rel_prefix,
1274 }
1278 {
1279 /* We have a truncated suffix. */
1290 rel_suffix,
1293 }
1294 }
1295 }
1296 }
1298 /* class binding_cluster. */
1303 {
1304 }
1306 /* binding_cluster's copy ctor. */
1311 {
1312 }
1314 /* binding_cluster's assignment operator. */
1316 binding_cluster&
1318 {
1324 }
1326 /* binding_cluster's equality operator. */
1328 bool
1330 {
1346 }
1348 /* Generate a hash value for this binding_cluster. */
1350 hashval_t
1352 {
1354 }
1356 /* Return true if this binding_cluster is symbolic
1357 i.e. its base region is symbolic. */
1359 bool
1361 {
1363 }
1365 /* Dump a representation of this binding_cluster to PP.
1366 SIMPLE controls how values and regions are to be printed.
1367 If MULTILINE, then split the dump over multiple lines and
1368 use whitespace for readability, otherwise put all on one line. */
1370 void
1373 {
1375 {
1377 {
1380 }
1381 else
1383 }
1385 {
1387 {
1390 }
1391 else
1393 }
1396 }
1398 /* Dump a multiline representation of this binding_cluster to stderr. */
1400 DEBUG_FUNCTION void
1402 {
1403 pretty_printer pp;
1414 }
1416 /* Assert that this object is valid. */
1418 void
1420 {
1424 {
1426 num_symbolic++;
1427 else
1428 num_concrete++;
1429 }
1430 /* We shouldn't have more than one symbolic key per cluster
1431 (or one would have clobbered the other). */
1433 /* We can't have both concrete and symbolic keys. */
1435 }
1437 /* Return a new json::object of the form
1438 {"escaped": true/false,
1439 "touched": true/false,
1440 "map" : object for the binding_map. */
1444 {
1452 }
1457 {
1458 pretty_printer the_pp;
1468 {
1469 /* Special-case to simplify dumps for the common case where
1470 we just have one value directly bound to the whole of a
1471 region. */
1479 }
1480 else
1481 {
1493 }
1494 }
1496 /* Add a binding of SVAL of kind KIND to REG, unpacking SVAL if it is a
1497 compound_sval. */
1499 void
1502 {
1505 {
1508 }
1514 }
1516 /* Bind SVAL to KEY.
1517 Unpacking of compound_svalues should already have been done by the
1518 time this is called. */
1520 void
1522 {
1528 }
1530 /* Subroutine of binding_cluster::bind.
1531 Unpack compound_svals when binding them, so that we bind them
1532 element-wise. */
1534 void
1538 {
1539 region_offset reg_offset
1542 {
1546 }
1550 {
1556 {
1557 bit_offset_t effective_start
1564 }
1565 else
1567 }
1568 }
1570 /* Remove all bindings overlapping REG within this cluster. */
1572 void
1574 {
1576 }
1578 /* Remove any bindings for REG within this cluster. */
1580 void
1582 {
1589 }
1591 /* Clobber REG and fill it with repeated copies of SVAL. */
1593 void
1597 {
1606 }
1608 /* Clobber REG within this cluster and fill it with zeroes. */
1610 void
1612 {
1616 }
1618 /* Mark REG_TO_BIND within this cluster as being unknown.
1620 Remove any bindings overlapping REG_FOR_OVERLAP.
1621 If UNCERTAINTY is non-NULL, use it to record any svalues that
1622 had bindings to them removed, as being maybe-bound.
1623 If MAYBE_LIVE_VALUES is non-NULL, use it to record any svalues that
1624 had bindings to them removed, as being maybe-live.
1626 REG_TO_BIND and REG_FOR_OVERLAP are the same for
1627 store::mark_region_as_unknown, but are different in
1628 store::set_value's alias handling, for handling the case where
1629 we have a write to a symbolic REG_FOR_OVERLAP. */
1631 void
1637 {
1642 maybe_live_values);
1644 /* Add a default binding to "unknown". */
1649 }
1651 /* Purge state involving SVAL. */
1653 void
1656 {
1660 {
1664 {
1668 }
1673 }
1675 {
1678 }
1680 {
1684 }
1685 }
1687 /* Get any SVAL bound to REG within this cluster via kind KIND,
1688 without checking parent regions of REG. */
1693 {
1699 {
1700 /* If we have a struct with a single field, then the binding of
1701 the field will equal that of the struct, and looking up e.g.
1702 PARENT_REG.field within:
1703 cluster for PARENT_REG: INIT_VAL(OTHER_REG)
1704 will erroneously return INIT_VAL(OTHER_REG), rather than
1705 SUB_VALUE(INIT_VAL(OTHER_REG), FIELD) == INIT_VAL(OTHER_REG.FIELD).
1706 Fix this issue by iterating upwards whilst the bindings are equal,
1707 expressing the lookups as subvalues.
1708 We have to gather a list of subregion accesses, then walk it
1709 in reverse to get the subvalues. */
1712 {
1719 {
1722 }
1723 else
1725 }
1729 {
1733 {
1737 }
1738 }
1739 }
1741 }
1743 /* Get any SVAL bound to REG within this cluster,
1744 either directly for REG, or recursively checking for bindings within
1745 parent regions and extracting subvalues if need be. */
1750 {
1757 {
1758 /* Extract child svalue from parent svalue. */
1762 }
1764 }
1766 /* Get any value bound for REG within this cluster. */
1771 {
1772 /* Look for a direct binding. */
1777 /* If we had a write to a cluster of unknown size, we might
1778 have a self-binding of the whole base region with an svalue,
1779 where the base region is symbolic.
1780 Handle such cases by returning sub_svalue instances. */
1782 {
1783 /* Extract child svalue from parent svalue. */
1787 }
1789 /* If this cluster has been touched by a symbolic write, then the content
1790 of any subregion not currently specifically bound is "UNKNOWN". */
1792 {
1795 }
1797 /* Alternatively, if this is a symbolic read and the cluster has any bindings,
1798 then we don't know if we're reading those values or not, so the result
1799 is also "UNKNOWN". */
1802 {
1805 }
1810 /* Otherwise, the initial value, or uninitialized. */
1812 }
1814 /* Attempt to get a compound_svalue for the bindings within the cluster
1815 affecting REG (which could be the base region itself).
1817 Create a compound_svalue with the subset of bindings the affect REG,
1818 offsetting them so that the offsets are relative to the start of REG
1819 within the cluster.
1821 For example, REG could be one element within an array of structs.
1823 Return the resulting compound_svalue, or NULL if there's a problem. */
1828 {
1829 region_offset cluster_offset
1842 /* We will a build the result map in two parts:
1843 (a) result_map, holding the concrete keys from this cluster,
1845 (b) default_map, holding the initial values for the region
1846 (e.g. uninitialized, initializer values, or zero), unless this
1847 cluster has been touched.
1849 We will populate (a), and as we do, clobber (b), trimming and
1850 splitting its bindings as necessary.
1851 Finally, we will merge (b) into (a), giving a concrete map
1852 that merges both the initial values and the bound values from
1853 the binding_cluster.
1854 Doing it this way reduces N for the O(N^2) intersection-finding,
1855 perhaps we should have a spatial-organized data structure for
1856 concrete keys, though. */
1858 binding_map result_map;
1859 binding_map default_map;
1861 /* Set up default values in default_map. */
1865 else
1869 /* Express the bit-range of the default key for REG relative to REG,
1870 rather than to the base region. */
1880 {
1886 {
1889 bit_size_t reg_bit_size;
1894 reg_bit_size);
1896 /* Skip bindings that are outside the bit range of REG. */
1900 /* We shouldn't have an exact match; that should have been
1901 handled already. */
1906 {
1907 /* We have a bound range fully within REG.
1908 Add it to map, offsetting accordingly. */
1910 /* Get offset of KEY relative to REG, rather than to
1911 the cluster. */
1916 /* Clobber default_map, removing/trimming/spliting where
1917 it overlaps with offset_concrete_key. */
1919 offset_concrete_key,
1921 }
1923 {
1924 /* REG is fully within the bound range, but
1925 is not equal to it; we're extracting a subvalue. */
1927 subrange,
1929 }
1930 else
1931 {
1932 /* REG and the bound range partially overlap. */
1938 /* Get the bits from the bound value for the bits at the
1939 intersection (relative to the bound value). */
1942 bound_subrange,
1945 /* Get key for overlap, relative to the REG. */
1950 /* Clobber default_map, removing/trimming/spliting where
1951 it overlaps with overlap_concrete_key. */
1953 overlap_concrete_key,
1955 }
1956 }
1957 else
1958 /* Can't handle symbolic bindings. */
1960 }
1965 /* Merge any bindings from default_map into result_map. */
1967 {
1971 }
1974 }
1976 /* Remove, truncate, and/or split any bindings within this map that
1977 could overlap REG.
1979 If REG's base region or this cluster is symbolic and they're different
1980 base regions, then remove everything in this cluster's map, on the
1981 grounds that REG could be referring to the same memory as anything
1982 in the map.
1984 If UNCERTAINTY is non-NULL, use it to record any svalues that
1985 were removed, as being maybe-bound.
1987 If MAYBE_LIVE_VALUES is non-NULL, use it to record any svalues that
1988 were removed, as being maybe-live. */
1990 void
1995 {
2002 /* If at least one of the base regions involved is symbolic, and they're
2003 not the same base region, then consider everything in the map as
2004 potentially overlapping with reg_binding (even if it's a concrete
2005 binding and things in the map are concrete - they could be referring
2006 to the same memory when the symbolic base regions are taken into
2007 account). */
2012 maybe_live_values,
2013 always_overlap);
2014 }
2016 /* Attempt to merge CLUSTER_A and CLUSTER_B into OUT_CLUSTER, using
2017 MGR and MERGER.
2018 Return true if they can be merged, false otherwise. */
2020 bool
2027 {
2030 /* Merge flags ("ESCAPED" and "TOUCHED") by setting the merged flag to
2031 true if either of the inputs is true. */
2039 /* At least one of CLUSTER_A and CLUSTER_B are non-NULL, but either
2040 could be NULL. Handle these cases. */
2042 {
2047 }
2049 {
2054 }
2056 /* The "both inputs are non-NULL" case. */
2064 {
2067 }
2070 {
2073 }
2078 {
2085 num_symbolic_keys++;
2086 else
2087 num_concrete_keys++;
2090 {
2094 }
2096 {
2099 {
2102 }
2103 /* Merger of the svalues failed. Reject merger of the cluster. */
2105 }
2107 /* If we get here, then one cluster binds this key and the other
2108 doesn't; merge them as "UNKNOWN". */
2116 /* ...but reject the merger if this sval shouldn't be mergeable
2117 (e.g. reject merging svalues that have non-purgable sm-state,
2118 to avoid falsely reporting memory leaks by merging them
2119 with something else). */
2124 }
2126 /* We can only have at most one symbolic key per cluster,
2127 and if we do, we can't have any concrete keys.
2128 If this happens, mark the cluster as touched, with no keys. */
2131 {
2134 }
2136 /* We don't handle other kinds of overlaps yet. */
2139 }
2141 /* Update this cluster to reflect an attempt to merge OTHER where there
2142 is no other cluster to merge with, and so we're notionally merging the
2143 bound values in OTHER with the initial value of the relevant regions.
2145 Any bound keys in OTHER should be bound to unknown in this. */
2147 void
2151 {
2154 {
2162 /* For any pointers in OTHER, the merger means that the
2163 concrete pointer becomes an unknown value, which could
2164 show up as a false report of a leak when considering what
2165 pointers are live before vs after.
2166 Avoid this by marking the base regions they point to as having
2167 escaped. */
2170 {
2175 {
2178 }
2179 }
2180 }
2181 }
2183 /* Mark this cluster as having escaped. */
2185 void
2187 {
2189 }
2191 /* If this cluster has escaped (by this call, or by an earlier one, or
2192 by being an external param), then unbind all values and mark it
2193 as "touched", so that it has a conjured value, rather than an
2194 initial_svalue.
2195 Use P to purge state involving conjured_svalues. */
2197 void
2201 {
2203 {
2207 {
2208 /* Bind it to a new "conjured" value using CALL. */
2213 }
2216 }
2217 }
2219 /* Mark this cluster as having been clobbered by STMT.
2220 Use P to purge state involving conjured_svalues. */
2222 void
2226 {
2229 /* Bind it to a new "conjured" value using CALL. */
2236 }
2238 /* Return true if this cluster has escaped. */
2240 bool
2242 {
2243 /* Consider the "errno" region to always have escaped. */
2247 }
2249 /* Return true if this binding_cluster has no information
2250 i.e. if there are no bindings, and it hasn't been marked as having
2251 escaped, or touched symbolically. */
2253 bool
2255 {
2257 && !m_escaped
2259 }
2261 /* Add PV to OUT_PVS, casting it to TYPE if it is not already of that type. */
2263 static void
2265 tree type,
2267 {
2274 }
2276 /* Find representative path_vars for SVAL within this binding of BASE_REG,
2277 appending the results to OUT_PVS. */
2279 void
2286 const
2287 {
2291 {
2295 {
2298 {
2300 base_reg->get_subregions_for_binding
2309 {
2312 visited,
2313 logger))
2315 }
2316 }
2317 else
2318 {
2322 visited,
2323 logger))
2325 }
2326 }
2327 }
2328 }
2330 /* Get any svalue bound to KEY, or NULL. */
2334 {
2336 }
2338 /* If this cluster has a single direct binding for the whole of the region,
2339 return it.
2340 For use in simplifying dumps. */
2344 {
2345 /* Fail gracefully if MGR is NULL to make it easier to dump store
2346 instances in the debugger. */
2358 }
2360 /* class store_manager. */
2362 logger *
2364 {
2366 }
2368 /* binding consolidation. */
2372 bit_offset_t size_in_bits)
2373 {
2381 }
2385 {
2393 }
2395 /* class store. */
2397 /* store's default ctor. */
2401 {
2402 }
2404 /* store's copy ctor. */
2409 {
2413 {
2419 }
2420 }
2422 /* store's dtor. */
2425 {
2430 }
2432 /* store's assignment operator. */
2434 store &
2436 {
2437 /* Delete existing cluster map. */
2449 {
2455 }
2457 }
2459 /* store's equality operator. */
2461 bool
2463 {
2473 {
2476 binding_cluster **other_slot
2482 }
2487 }
2489 /* Get a hash value for this store. */
2491 hashval_t
2493 {
2500 }
2502 /* Populate OUT with a sorted list of parent regions for the regions in IN,
2503 removing duplicate parents. */
2505 static void
2508 {
2509 /* Get the set of parent regions. */
2514 {
2518 }
2520 /* Write to OUT. */
2525 /* Sort OUT. */
2527 }
2529 /* Dump a representation of this store to PP, using SIMPLE to control how
2530 svalues and regions are printed.
2531 MGR is used for simplifying dumps if non-NULL, but can also be NULL
2532 (to make it easier to use from the debugger). */
2534 void
2537 {
2538 /* Sort into some deterministic order. */
2542 {
2545 }
2548 /* Gather clusters, organize by parent region, so that we can group
2549 together locals, globals, etc. */
2556 {
2562 else
2568 {
2569 /* This is O(N * M), but N ought to be small. */
2572 binding_cluster *cluster
2575 {
2578 }
2580 {
2581 /* Special-case to simplify dumps for the common case where
2582 we just have one value directly bound to the whole of a
2583 region. */
2585 {
2595 }
2596 else
2597 {
2607 }
2608 }
2610 {
2615 }
2616 else
2617 {
2623 }
2624 }
2627 }
2632 }
2634 /* Dump a multiline representation of this store to stderr. */
2636 DEBUG_FUNCTION void
2638 {
2639 pretty_printer pp;
2646 }
2648 /* Assert that this object is valid. */
2650 void
2652 {
2655 }
2657 /* Return a new json::object of the form
2658 {PARENT_REGION_DESC: {BASE_REGION_DESC: object for binding_map,
2659 ... for each cluster within parent region},
2660 ...for each parent region,
2661 "called_unknown_fn": true/false}. */
2665 {
2668 /* Sort into some deterministic order. */
2672 {
2675 }
2678 /* Gather clusters, organize by parent region, so that we can group
2679 together locals, globals, etc. */
2686 {
2694 {
2695 /* This is O(N * M), but N ought to be small. */
2698 binding_cluster *cluster
2703 }
2706 }
2711 }
2716 {
2720 store_widget->add_child
2725 /* Sort into some deterministic order. */
2729 {
2732 }
2735 /* Gather clusters, organize by parent region, so that we can group
2736 together locals, globals, etc. */
2743 {
2746 pretty_printer the_pp;
2760 {
2761 /* This is O(N * M), but N ought to be small. */
2764 binding_cluster *cluster
2766 parent_reg_widget->add_child
2768 }
2770 }
2773 }
2775 /* Get any svalue bound to REG, or NULL. */
2779 {
2781 binding_cluster **cluster_slot
2786 }
2788 /* Set the value of LHS_REG to RHS_SVAL. */
2790 void
2794 {
2802 /* ...but if we have no type for the region, retain any cast. */
2807 {
2808 /* Reject attempting to bind values into a symbolic region
2809 for an unknown ptr; merely invalidate values below. */
2812 /* The LHS of the write is *UNKNOWN. If the RHS is a pointer,
2813 then treat the region being pointed to as having escaped. */
2815 {
2819 }
2822 }
2824 {
2827 }
2828 else
2829 {
2830 /* Reject attempting to bind values into an untracked region;
2831 merely invalidate values below. */
2833 }
2835 /* Bindings to a cluster can affect other clusters if a symbolic
2836 base region is involved.
2837 Writes to concrete clusters can't affect other concrete clusters,
2838 but can affect symbolic clusters.
2839 Writes to symbolic clusters can affect both concrete and symbolic
2840 clusters.
2841 Invalidate our knowledge of other clusters that might have been
2842 affected by the write.
2843 Gather the set of all svalues that might still be live even if
2844 the store doesn't refer to them. */
2845 svalue_set maybe_live_values;
2848 {
2855 {
2858 {
2864 {
2874 }
2875 /* Mark all of iter_cluster's iter_base_reg as unknown,
2876 using LHS_REG when considering overlaps, to handle
2877 symbolic vs concrete issues. */
2878 iter_cluster->mark_region_as_unknown
2882 uncertainty,
2891 /* If they can't be aliases, then don't invalidate this
2892 cluster. */
2894 }
2895 }
2896 }
2897 /* Given the set of svalues that might still be live, process them
2898 (e.g. marking regions as escaped).
2899 We do this after the iteration to avoid potentially changing
2900 m_cluster_map whilst iterating over it. */
2902 }
2904 /* Determine if BASE_REG_A could be an alias of BASE_REG_B. */
2906 tristate
2909 {
2910 /* SSA names can't alias. */
2918 /* Try both ways, for symmetry. */
2926 }
2928 /* Half of store::eval_alias; called twice for symmetry. */
2930 tristate
2933 {
2934 /* If they're in different memory spaces, they can't alias. */
2935 {
2938 {
2943 }
2944 }
2948 {
2951 {
2956 {
2957 /* The initial value of a pointer can't point to a local. */
2959 }
2960 }
2963 {
2964 /* The initial value of a pointer can't point to a
2965 region that was allocated on the heap after the beginning of the
2966 path. */
2968 }
2971 {
2975 {
2977 /* If we have sval_a is WIDENING(®ION, OP), and
2978 B can't alias REGION, then B can't alias A either.
2979 For example, A might arise from
2980 for (ptr = ®ION; ...; ptr++)
2981 where sval_a is ptr in the 2nd iteration of the loop.
2982 We want to ensure that "*ptr" can only clobber things
2983 within REGION's base region. */
2985 base_reg_b);
2988 }
2989 }
2990 }
2992 }
2994 /* Record all of the values in MAYBE_LIVE_VALUES as being possibly live. */
2996 void
2998 {
3000 {
3002 {
3005 }
3006 }
3007 }
3009 /* Remove all bindings overlapping REG within this store. */
3011 void
3013 {
3021 {
3024 }
3025 }
3027 /* Remove any bindings for REG within this store. */
3029 void
3031 {
3039 {
3042 }
3043 }
3045 /* Fill REG with SVAL. */
3047 void
3049 {
3050 /* Filling an empty region is a no-op. */
3060 }
3062 /* Zero-fill REG. */
3064 void
3066 {
3070 }
3072 /* Mark REG as having unknown content. */
3074 void
3078 {
3085 maybe_live_values);
3086 }
3088 /* Purge state involving SVAL. */
3090 void
3093 {
3096 {
3100 else
3101 {
3104 }
3105 }
3109 }
3111 /* Get the cluster for BASE_REG, or NULL (const version). */
3115 {
3121 else
3123 }
3125 /* Get the cluster for BASE_REG, or NULL (non-const version). */
3127 binding_cluster *
3129 {
3134 else
3136 }
3138 /* Get the cluster for BASE_REG, creating it if doesn't already exist. */
3140 binding_cluster *
3142 {
3146 /* We shouldn't create clusters for dereferencing an UNKNOWN ptr. */
3149 /* We shouldn't create clusters for base regions that aren't trackable. */
3159 }
3161 /* Remove any cluster for BASE_REG, for use by
3162 region_model::unbind_region_and_descendents
3163 when popping stack frames and handling deleted heap regions. */
3165 void
3167 {
3175 }
3177 /* Attempt to merge STORE_A and STORE_B into OUT_STORE.
3178 Return true if successful, or false if the stores can't be merged. */
3180 bool
3184 {
3188 /* Get the union of all base regions for STORE_A and STORE_B. */
3192 {
3195 }
3198 {
3201 }
3203 /* Sort the base regions before considering them. This ought not to
3204 affect the results, but can affect which types UNKNOWN_REGIONs are
3205 created for in a run; sorting them thus avoids minor differences
3206 in logfiles. */
3215 {
3218 /* At least one of cluster_a and cluster_b must be non-NULL. */
3219 binding_cluster *out_cluster
3224 }
3226 }
3228 /* Mark the cluster for BASE_REG as having escaped.
3229 For use when handling an unrecognized function call, and
3230 for params to "top-level" calls.
3231 Further unknown function calls could touch it, even if the cluster
3232 isn't reachable from args of those calls. */
3234 void
3236 {
3246 }
3248 /* Handle an unknown fncall by updating any clusters that have escaped
3249 (either in this fncall, or in a prior one). */
3251 void
3254 {
3260 }
3262 /* Return true if a non-const pointer to BASE_REG (or something within it)
3263 has escaped to code outside of the TU being analyzed. */
3265 bool
3267 {
3271 /* "errno" can always be modified by external code. */
3279 }
3281 /* Populate OUT_PVS with a list of path_vars for describing SVAL based on
3282 this store, using VISITED to ensure the traversal terminates. */
3284 void
3290 {
3293 /* Find all bindings that reference SVAL. */
3296 {
3300 logger,
3301 out_pvs);
3302 }
3305 {
3308 visited,
3309 logger))
3311 }
3312 }
3314 /* Remove all bindings overlapping REG within this store, removing
3315 any clusters that become redundant.
3317 If UNCERTAINTY is non-NULL, use it to record any svalues that
3318 were removed, as being maybe-bound. */
3320 void
3323 {
3326 {
3329 {
3330 /* Remove whole cluster. */
3334 }
3335 /* Pass NULL for the maybe_live_values here, as we don't want to
3336 record the old svalues as being maybe-bound. */
3338 }
3339 }
3341 /* Subclass of visitor that accumulates a hash_set of the regions that
3342 were visited. */
3345 {
3347 {
3349 }
3352 };
3354 /* Canonicalize this store, to maximize the chance of equality between
3355 instances. */
3357 void
3359 {
3360 /* If we have e.g.:
3361 cluster for: HEAP_ALLOCATED_REGION(543)
3362 ESCAPED
3363 TOUCHED
3364 where the heap region is empty and unreferenced, then purge that
3365 cluster, to avoid unbounded state chains involving these. */
3367 /* Find regions that are referenced by bound values in the store. */
3368 region_finder s;
3371 {
3376 }
3378 /* Locate heap-allocated regions that have empty bindings that weren't
3379 found above. */
3383 {
3387 {
3388 /* Don't purge a heap-allocated region that's been marked as
3389 escaping, since this could be recording that a ptr to it
3390 was written to an unknown symbolic region along this
3391 path, and so we don't know whether it's referenced or
3392 not, and hence should report it as leaking
3393 (PR analyzer/106473). */
3401 /* Also cover the UNKNOWN case. */
3406 }
3407 }
3409 /* Purge them. */
3412 {
3415 }
3416 }
3418 /* Subroutine for use by exploded_path::feasible_p.
3420 We need to deal with state differences between:
3421 (a) when the exploded_graph is being initially constructed and
3422 (b) when replaying the state changes along a specific path in
3423 in exploded_path::feasible_p.
3425 In (a), state merging happens, so when exploring a loop
3426 for (i = 0; i < 1024; i++)
3427 on successive iterations we have i == 0, then i == WIDENING.
3429 In (b), no state merging happens, so naively replaying the path
3430 that goes twice through the loop then exits it
3431 would lead to i == 0, then i == 1, and then a (i >= 1024) eedge
3432 that exits the loop, which would be found to be infeasible as i == 1,
3433 and the path would be rejected.
3435 We need to fix up state during replay. This subroutine is
3436 called whenever we enter a supernode that we've already
3437 visited along this exploded_path, passing in OTHER_STORE
3438 from the destination enode's state.
3440 Find bindings to widening values in OTHER_STORE.
3441 For all that are found, update the binding in this store to UNKNOWN. */
3443 void
3446 {
3450 {
3455 {
3459 {
3460 binding_cluster *this_cluster
3465 }
3466 }
3467 }
3468 }
3470 /* Use R to replay the bindings from SUMMARY into this object. */
3472 void
3475 {
3477 {
3478 /* A call to an external function occurred in the summary.
3479 Hence we need to invalidate our knownledge of globals,
3480 escaped regions, etc. */
3485 }
3493 }
3495 /* Use R and SUMMARY to replay the bindings in SUMMARY_CLUSTER
3496 into this object. */
3498 void
3502 {
3509 /* Handle "ESCAPED" and "TOUCHED" flags. */
3513 {
3517 {
3518 binding_cluster *caller_cluster
3524 }
3525 }
3528 {
3529 /* Top-level regions. */
3537 /* Child regions. */
3544 /* Other regions. */
3547 /* These should never be the base region of a binding cluster. */
3554 /* These can be marked as escaping. */
3558 {
3568 NULL_TREE,
3577 caller_sval =
3581 }
3588 {
3602 caller_sval =
3606 }
3610 /* Ignore bindings of alloca regions in the summary. */
3612 }
3613 }
3615 #if CHECKING_P
3619 /* Verify that bit_range::intersects_p works as expected. */
3621 static void
3623 {
3637 /* self-intersection is true. */
3679 }
3681 /* Implementation detail of ASSERT_BIT_RANGE_FROM_MASK_EQ. */
3683 static void
3687 {
3692 }
3694 /* Assert that bit_range::from_mask (MASK) returns true, and writes
3695 out EXPECTED_BIT_RANGE. */
3697 #define ASSERT_BIT_RANGE_FROM_MASK_EQ(MASK, EXPECTED_BIT_RANGE) \
3698 SELFTEST_BEGIN_STMT \
3699 assert_bit_range_from_mask_eq (SELFTEST_LOCATION, MASK, \
3700 EXPECTED_BIT_RANGE); \
3701 SELFTEST_END_STMT
3703 /* Implementation detail of ASSERT_NO_BIT_RANGE_FROM_MASK. */
3705 static void
3708 {
3712 }
3714 /* Assert that bit_range::from_mask (MASK) returns false. */
3716 #define ASSERT_NO_BIT_RANGE_FROM_MASK(MASK) \
3717 SELFTEST_BEGIN_STMT \
3718 assert_no_bit_range_from_mask_eq (SELFTEST_LOCATION, MASK); \
3719 SELFTEST_END_STMT
3721 /* Verify that bit_range::from_mask works as expected. */
3723 static void
3725 {
3726 /* Should fail on zero. */
3729 /* Verify 1-bit masks. */
3739 /* Verify N-bit masks starting at bit 0. */
3749 /* Various other tests. */
3754 /* Multiple ranges of set bits should fail. */
3757 }
3759 /* Implementation detail of ASSERT_OVERLAP. */
3761 static void
3765 {
3768 }
3770 /* Implementation detail of ASSERT_DISJOINT. */
3772 static void
3776 {
3779 }
3781 /* Assert that B1 and B2 overlap, checking both ways. */
3783 #define ASSERT_OVERLAP(B1, B2) \
3784 SELFTEST_BEGIN_STMT \
3785 assert_overlap (SELFTEST_LOCATION, B1, B2); \
3786 SELFTEST_END_STMT
3788 /* Assert that B1 and B2 do not overlap, checking both ways. */
3790 #define ASSERT_DISJOINT(B1, B2) \
3791 SELFTEST_BEGIN_STMT \
3792 assert_disjoint (SELFTEST_LOCATION, B1, B2); \
3793 SELFTEST_END_STMT
3795 /* Verify that concrete_binding::overlaps_p works as expected. */
3797 static void
3799 {
3802 /* Various 8-bit bindings. */
3808 /* 16-bit bindings. */
3813 /* 32-bit binding. */
3816 /* Everything should self-overlap. */
3826 /* Verify the 8-bit bindings that don't overlap each other. */
3830 /* Check for overlap of differently-sized bindings. */
3832 /* ...and with differing start points. */
3842 }
3844 /* Run all of the selftests within this file. */
3846 void
3848 {
3852 }