1 2023-09-15  David Malcolm  <dmalcolm@redhat.com>
3         * analyzer.cc (get_stmt_location): Handle null stmt.
4         * diagnostic-manager.cc (saved_diagnostic::saved_diagnostic): Copy
5         m_loc from ploc.
6         (saved_diagnostic::operator==): Compare m_loc.
7         (saved_diagnostic::calc_best_epath): Only use m_stmt_finder if
8         m_loc is unknown.
9         (dedupe_key::dedupe_key): Initialize m_loc.
10         (dedupe_key::operator==): Compare m_loc.
11         (dedupe_key::get_location): Use m_loc if it's known.
12         (dedupe_key::m_loc): New field.
13         (diagnostic_manager::emit_saved_diagnostic): Only call
14         get_emission_location if m_loc is unknown, preferring to use m_loc
15         if it's available.
16         * diagnostic-manager.h (saved_diagnostic::m_loc): New field.
17         (pending_location::pending_location): Initialize m_loc.  Add
18         overload taking a location_t rather than a stmt/stmt_finder.
19         (pending_location::m_loc): New field.
21 2023-09-15  David Malcolm  <dmalcolm@redhat.com>
23         * analyzer.h (struct pending_location): New forward decl.
24         * diagnostic-manager.cc (saved_diagnostic::saved_diagnostic):
25         Replace params "enode", "snode", "stmt", and "stmt_finder" with
26         "ploc".
27         (diagnostic_manager::add_diagnostic): Likewise for both overloads.
28         * diagnostic-manager.h (saved_diagnostic::saved_diagnostic):
29         Likewise.
30         (struct pending_location): New.
31         (diagnostic_manager::add_diagnostic): Replace params "enode",
32         "snode", "stmt", and "stmt_finder" with "ploc".
33         * engine.cc (impl_region_model_context::warn): Update call to
34         add_diagnostic for above change.
35         (impl_sm_context::warn): Likewise.
36         (impl_region_model_context::on_state_leak): Likewise.
37         * infinite-recursion.cc
38         (exploded_graph::detect_infinite_recursion): Likewise.
40 2023-09-15  David Malcolm  <dmalcolm@redhat.com>
42         * region-model.cc (region_model::get_gassign_result): Handle
43         volatile ops by using a conjured_svalue.
45 2023-09-14  David Malcolm  <dmalcolm@redhat.com>
47         * checker-event.h (checker_event::get_thread_id): New.
48         * checker-path.h (class checker_path): Implement thread-related
49         vfuncs via a single simple_diagnostic_thread instance named
50         "main".
52 2023-09-14  David Malcolm  <dmalcolm@redhat.com>
54         * diagnostic-manager.cc (compatible_epath_p): Fix missing return.
56 2023-09-14  David Malcolm  <dmalcolm@redhat.com>
58         * diagnostic-manager.cc (process_worklist_item): Use
59         std::unique_ptr rather than plain rejected_constraint *.
60         * engine.cc (exploded_path::feasible_p): Likewise.
61         (feasibility_state::maybe_update_for_edge): Likewise.
62         * exploded-graph.h (feasibility_problem::feasibility_problem):
63         Likewise.
64         (feasibility_problem::~feasibility_problem): Delete.
65         (feasibility_problem::m_rc): Use std::unique_ptr.
66         (feasibility_state::maybe_update_for_edge): Likewise.
67         * feasible-graph.cc (feasible_graph::add_feasibility_problem):
68         Likewise.
69         * feasible-graph.h (class infeasible_node): Likewise.
70         (feasible_graph::add_feasibility_problem): Likewise.
71         * region-model.cc (region_model::add_constraint): Likewise.
72         (region_model::maybe_update_for_edge): Likewise.
73         (region_model::apply_constraints_for_gcond): Likewise.
74         (region_model::apply_constraints_for_gswitch): Likewise.
75         (region_model::apply_constraints_for_exception): Likewise.
76         * region-model.h (class region_model): Likewise for decls.
78 2023-09-09  benjamin priour  <vultkayn@gcc.gnu.org>
80         PR analyzer/96395
81         * region-model.cc
82         (region_model::add_constraints_from_binop): binop_svalues around
83         LT_EXPR, LE_EXPR, GT_EXPR, GE_EXPR are now unwrapped.
85 2023-09-07  David Malcolm  <dmalcolm@redhat.com>
87         PR analyzer/110529
88         * program-point.cc (program_point::on_edge): Don't reject
89         EDGE_ABNORMAL for computed gotos.
90         * region-model.cc (region_model::maybe_update_for_edge): Handle
91         computed goto statements.
92         (region_model::apply_constraints_for_ggoto): New.
93         * region-model.h (region_model::apply_constraints_for_ggoto): New decl.
94         * supergraph.cc (supernode::get_label): New.
95         * supergraph.h (supernode::get_label): New decl.
97 2023-09-07  benjamin priour  <vultkayn@gcc.gnu.org>
98             David Malcolm  <dmalcolm@redhat.com>
100         PR analyzer/110830
101         * diagnostic-manager.cc
102         (compatible_epaths_p): New function.
103         (saved_diagnostic::supercedes_p): Now calls the above
104         to determine if the diagnostics do overlap and the superseding
105         may proceed.
107 2023-09-07  David Malcolm  <dmalcolm@redhat.com>
109         * region-model.h: Fix -Wunused-parameter warnings.
111 2023-09-06  David Malcolm  <dmalcolm@redhat.com>
113         PR analyzer/105899
114         * kf.cc (class kf_strstr): New.
115         (kf_strstr::impl_call_post): New.
116         (register_known_functions): Register it.
118 2023-09-06  David Malcolm  <dmalcolm@redhat.com>
120         PR analyzer/105899
121         * kf.cc (class kf_strncpy): New.
122         (kf_strncpy::impl_call_post): New.
123         (register_known_functions): Register it.
124         * region-model.cc (region_model::read_bytes): Handle unknown
125         number of bytes.
127 2023-09-06  David Malcolm  <dmalcolm@redhat.com>
129         * kf.cc (kf_calloc::impl_call_pre): Pass ctxt to zero_fill_region.
130         (kf_memset::impl_call_pre): Move responsibility for calling
131         check_region_for_write to fill_region.
132         * region-model.cc (region_model::on_assignment): Pass ctxt to
133         zero_fill_region.
134         (region_model::fill_region): Add "ctxt" param, using it to call
135         check_region_for_write.
136         (region_model::zero_fill_region): Likewise.
137         * region-model.h (region_model::fill_region): Add "ctxt" param.
138         (region_model::zero_fill_region): Likewise.
140 2023-09-01  benjamin priour  <priour.be@gmail.com>
142         PR analyzer/105948
143         PR analyzer/94355
144         * analyzer.h (is_placement_new_p): New declaration.
145         * call-details.cc
146         (call_details::deref_ptr_arg): New function.
147         Dereference the argument at the given index if possible.
148         * call-details.h: Declaration of the above function.
149         * kf-lang-cp.cc (is_placement_new_p): Returns true if the gcall
150         is recognized as a placement new.
151         (kf_operator_delete::impl_call_post): Unbinding a region and its
152         descendants now poisons with POISON_KIND_DELETED.
153         (register_known_functions_lang_cp): Known function "operator
154         delete" is now registered only once, regardless of its number of
155         arguments.
156         * region-model.cc (region_model::eval_condition): Now
157         recursively calls itself if either operand is wrapped in a
158         cast.
159         * sm-malloc.cc (malloc_state_machine::on_stmt):
160         Add placement new recognition.
161         * svalue.cc (poison_kind_to_str): Wording for the new PK.
162         * svalue.h (enum poison_kind): Add value POISON_KIND_DELETED.
164 2023-08-31  Francois-Xavier Coudert  <fxcoudert@gcc.gnu.org>
166         * kf.cc: Change spelling to macOS.
168 2023-08-30  Eric Feng  <ef2648@columbia.edu>
170         PR analyzer/107646
171         * engine.cc (impl_region_model_context::warn): New optional
172         parameter.
173         * exploded-graph.h (class impl_region_model_context): Likewise.
174         * region-model.cc (region_model::pop_frame): New callback
175         feature for region_model::pop_frame.
176         * region-model.h (struct append_regions_cb_data): Likewise.
177         (class region_model): Likewise.
178         (class region_model_context): New optional parameter.
179         (class region_model_context_decorator): Likewise.
181 2023-08-30  Francois-Xavier Coudert  <fxcoudert@gcc.gnu.org>
183         * region-model.cc: Define INCLUDE_ALGORITHM.
185 2023-08-29  David Malcolm  <dmalcolm@redhat.com>
187         PR analyzer/99860
188         * analyzer-selftests.cc (selftest::run_analyzer_selftests): Call
189         selftest::analyzer_ranges_cc_tests.
190         * analyzer-selftests.h (selftest::run_analyzer_selftests): New
191         decl.
192         * analyzer.opt (Wanalyzer-overlapping-buffers): New option.
193         * call-details.cc: Include "analyzer/ranges.h" and "make-unique.h".
194         (class overlapping_buffers): New.
195         (call_details::complain_about_overlap): New.
196         * call-details.h (call_details::complain_about_overlap): New decl.
197         * kf.cc (kf_memcpy_memmove::impl_call_pre): Call
198         cd.complain_about_overlap for memcpy and memcpy_chk.
199         (kf_strcat::impl_call_pre): Call cd.complain_about_overlap.
200         (kf_strcpy::impl_call_pre): Likewise.
201         * ranges.cc: New file.
202         * ranges.h: New file.
204 2023-08-29  David Malcolm  <dmalcolm@redhat.com>
206         PR analyzer/105899
207         * kf.cc (kf_strdup::impl_call_pre): Set size of
208         dynamically-allocated buffer.  Simulate copying the string from
209         the source region to the new buffer.
211 2023-08-27  benjamin priour  <vultkayn@gcc.gnu.org>
213         PR analyzer/96395
214         * analyzer.h (class known_function): Add virtual casts
215         to builtin_known_function.
216         (class builtin_known_function): New subclass of known_function
217         for builtins.
218         * kf.cc (class kf_alloca): Now derived from
219         builtin_known_function.
220         (class kf_calloc): Likewise.
221         (class kf_free): Likewise.
222         (class kf_malloc): Likewise.
223         (class kf_memcpy_memmove): Likewise.
224         (class kf_memset): Likewise.
225         (class kf_realloc): Likewise.
226         (class kf_strchr): Likewise.
227         (class kf_sprintf): Likewise.
228         (class kf_strcat): Likewise.
229         (class kf_strcpy): Likewise.
230         (class kf_strdup): Likewise.
231         (class kf_strlen): Likewise.
232         (class kf_strndup): Likewise.
233         (register_known_functions): Builtins are now registered as
234         known_functions by name rather than by their BUILTIN_CODE.
235         * known-function-manager.cc (get_normal_builtin): New overload.
236         * known-function-manager.h: New overload declaration.
237         * region-model.cc (region_model::get_builtin_kf): New function.
238         * region-model.h (class region_model): Add declaration of
239         get_builtin_kf.
240         * sm-fd.cc: For calls recognized as builtins, use the
241         attributes of that builtin as defined in gcc/builtins.def
242         rather than the user's.
243         * sm-malloc.cc (malloc_state_machine::on_stmt): Likewise.
245 2023-08-25  David Malcolm  <dmalcolm@redhat.com>
247         * access-diagram.cc (class string_region_spatial_item): Remove
248         assumption that the string is written to the start of the cluster.
250 2023-08-24  David Malcolm  <dmalcolm@redhat.com>
252         PR analyzer/105899
253         * call-details.cc
254         (call_details::check_for_null_terminated_string_arg): Split into
255         overloads, one taking just an arg_idx, the other a new
256         "include_terminator" param.
257         * call-details.h: Likewise.
258         * kf.cc (class kf_strcat): New.
259         (kf_strcpy::impl_call_pre): Update for change to
260         check_for_null_terminated_string_arg.
261         (register_known_functions): Register kf_strcat.
262         * region-model.cc
263         (region_model::check_for_null_terminated_string_arg): Split into
264         overloads, one taking just an arg_idx, the other a new
265         "include_terminator" param.  When returning an svalue, handle
266         "include_terminator" being false by subtracting one.
267         * region-model.h
268         (region_model::check_for_null_terminated_string_arg): Split into
269         overloads, one taking just an arg_idx, the other a new
270         "include_terminator" param.
272 2023-08-24  David Malcolm  <dmalcolm@redhat.com>
274         PR analyzer/105899
275         * region-model.cc (fragment::has_null_terminator): Handle
276         SK_BITS_WITHIN.
278 2023-08-24  David Malcolm  <dmalcolm@redhat.com>
280         PR analyzer/105899
281         * region-model-manager.cc
282         (region_model_manager::get_or_create_initial_value): Simplify
283         INIT_VAL(ELEMENT_REG(STRING_REG), CONSTANT_SVAL) to
284         CONSTANT_SVAL(STRING[N]).
286 2023-08-24  David Malcolm  <dmalcolm@redhat.com>
288         PR analyzer/105899
289         * region-model.cc (fragment::has_null_terminator): Move STRING_CST
290         handling to fragment::string_cst_has_null_terminator; also use it to
291         handle INIT_VAL(STRING_REG).
292         (fragment::string_cst_has_null_terminator): New, from above.
294 2023-08-24  David Malcolm  <dmalcolm@redhat.com>
296         * kf.cc (kf_memcpy_memmove::impl_call_pre): Reimplement using
297         region_model::copy_bytes.
298         * region-model.cc (region_model::read_bytes): New.
299         (region_model::copy_bytes): New.
300         * region-model.h (region_model::read_bytes): New decl.
301         (region_model::copy_bytes): New decl.
303 2023-08-24  David Malcolm  <dmalcolm@redhat.com>
305         PR analyzer/105899
306         * region-model.cc (region_model::get_string_size): Delete both.
307         * region-model.h (region_model::get_string_size): Delete both
308         decls.
310 2023-08-24  David Malcolm  <dmalcolm@redhat.com>
312         PR analyzer/105899
313         * kf.cc (kf_strcpy::impl_call_pre): Reimplement using
314         check_for_null_terminated_string_arg.
315         * region-model.cc (region_model::get_store_bytes): Shortcut
316         reading all of a string_region.
317         (region_model::scan_for_null_terminator): Use get_store_value for
318         the bytes rather than "unknown" when returning an unknown length.
319         (region_model::write_bytes): New.
320         * region-model.h (region_model::write_bytes): New decl.
322 2023-08-24  David Malcolm  <dmalcolm@redhat.com>
324         PR analyzer/105899
325         * region-model.cc (iterable_cluster::iterable_cluster): Add
326         symbolic binding keys to m_symbolic_bindings.
327         (iterable_cluster::has_symbolic_bindings_p): New.
328         (iterable_cluster::m_symbolic_bindings): New field.
329         (region_model::scan_for_null_terminator): Treat clusters with
330         symbolic bindings as having unknown strlen.
332 2023-08-24  David Malcolm  <dmalcolm@redhat.com>
334         * engine.cc (impl_path_context::impl_path_context): Add logger
335         param.
336         (impl_path_context::bifurcate): Add log message.
337         (impl_path_context::terminate_path): Likewise.
338         (impl_path_context::m_logger): New field.
339         (exploded_graph::process_node): Pass logger to path_ctxt ctor.
341 2023-08-22  David Malcolm  <dmalcolm@redhat.com>
343         PR analyzer/105899
344         * kf-analyzer.cc (class kf_analyzer_get_strlen): Move to kf.cc.
345         (register_known_analyzer_functions): Use make_kf_strlen.
346         * kf.cc (class kf_strlen::impl_call_pre): Replace with
347         implementation of kf_analyzer_get_strlen from kf-analyzer.cc.
348         Handle "UNKNOWN" return from check_for_null_terminated_string_arg
349         by falling back to a conjured svalue.
350         (make_kf_strlen): New.
351         (register_known_functions): Use make_kf_strlen.
352         * known-function-manager.h (make_kf_strlen): New decl.
354 2023-08-22  David Malcolm  <dmalcolm@redhat.com>
356         PR analyzer/105899
357         * call-details.cc (call_details::call_details): New ctor.
358         * call-details.h (call_details::call_details): New ctor decl.
359         (struct call_arg_details): Move here from region-model.cc.
360         * region-model.cc (region_model::check_call_format_attr): New.
361         (region_model::check_call_args): Call it.
362         (struct call_arg_details): Move it to call-details.h.
363         * region-model.h (region_model::check_call_format_attr): New decl.
365 2023-08-22  David Malcolm  <dmalcolm@redhat.com>
367         * kf.cc (class kf_fopen): New.
368         (register_known_functions): Register it.
370 2023-08-22  David Malcolm  <dmalcolm@redhat.com>
372         PR analyzer/105899
373         * analyzer.opt (Wanalyzer-unterminated-string): Delete.
374         * call-details.cc
375         (call_details::check_for_null_terminated_string_arg): Convert
376         return type from void to const svalue *.  Add param "out_sval".
377         * call-details.h
378         (call_details::check_for_null_terminated_string_arg): Likewise.
379         * kf-analyzer.cc (kf_analyzer_get_strlen::impl_call_pre): Wire up
380         to result of check_for_null_terminated_string_arg.
381         * region-model.cc (get_strlen): Delete.
382         (class unterminated_string_arg): Delete.
383         (struct fragment): New.
384         (class iterable_cluster): New.
385         (region_model::get_store_bytes): New.
386         (get_tree_for_byte_offset): New.
387         (region_model::scan_for_null_terminator): New.
388         (region_model::check_for_null_terminated_string_arg): Convert
389         return type from void to const svalue *.  Add param "out_sval".
390         Reimplement in terms of scan_for_null_terminator, dropping the
391         special-case for -Wanalyzer-unterminated-string.
392         * region-model.h (region_model::get_store_bytes): New decl.
393         (region_model::scan_for_null_terminator): New decl.
394         (region_model::check_for_null_terminated_string_arg): Convert
395         return type from void to const svalue *.  Add param "out_sval".
396         * store.cc (concrete_binding::get_byte_range): New.
397         * store.h (concrete_binding::get_byte_range): New decl.
398         (store_manager::get_concrete_binding): New overload.
400 2023-08-22  David Malcolm  <dmalcolm@redhat.com>
402         * region-model.cc (region_model_context_decorator::add_event):
403         Handle m_inner being NULL.
404         * region-model.h (class region_model_context_decorator): Likewise.
405         (annotating_context::warn): Likewise.
407 2023-08-22  David Malcolm  <dmalcolm@redhat.com>
409         * diagnostic-manager.cc (saved_diagnostic::add_event): New.
410         (saved_diagnostic::add_any_saved_events): New.
411         (diagnostic_manager::add_event): New.
412         (dedupe_winners::emit_best): New.
413         (diagnostic_manager::emit_saved_diagnostic): Make "sd" param
414         non-const.  Call saved_diagnostic::add_any_saved_events.
415         * diagnostic-manager.h (saved_diagnostic::add_event): New decl.
416         (saved_diagnostic::add_any_saved_events): New decl.
417         (saved_diagnostic::m_saved_events): New field.
418         (diagnostic_manager::add_event): New decl.
419         (diagnostic_manager::emit_saved_diagnostic): Make "sd" param
420         non-const.
421         * engine.cc (impl_region_model_context::add_event): New.
422         * exploded-graph.h (impl_region_model_context::add_event): New decl.
423         * region-model.cc
424         (noop_region_model_context::add_event): New.
425         (region_model_context_decorator::add_event): New.
426         * region-model.h (region_model_context::add_event): New vfunc.
427         (noop_region_model_context::add_event): New decl.
428         (region_model_context_decorator::add_event): New decl.
430 2023-08-22  David Malcolm  <dmalcolm@redhat.com>
432         * region-model.cc
433         (class check_external_function_for_access_attr::annotating_ctxt):
434         Convert to an annotating_context.
435         * region-model.h (class note_adding_context): Rename to...
436         (class annotating_context): ...this, updating the "warn" method.
437         (note_adding_context::make_note): Replace with...
438         (annotating_context::add_annotations): ...this.
440 2023-08-14  benjamin priour  <vultkayn@gcc.gnu.org>
442         PR analyzer/110543
443         * analyzer.opt: Add new option.
444         * diagnostic-manager.cc
445         (diagnostic_manager::prune_path): Call prune_system_headers.
446         (prune_frame): New function that deletes all events in a frame.
447         (diagnostic_manager::prune_system_headers): New function.
448         * diagnostic-manager.h: Add prune_system_headers declaration.
450 2023-08-11  David Malcolm  <dmalcolm@redhat.com>
452         PR analyzer/105899
453         * analyzer.opt (Wanalyzer-unterminated-string): New.
454         * call-details.cc
455         (call_details::check_for_null_terminated_string_arg): New.
456         * call-details.h
457         (call_details::check_for_null_terminated_string_arg): New decl.
458         * kf-analyzer.cc (class kf_analyzer_get_strlen): New.
459         (register_known_analyzer_functions): Register it.
460         * kf.cc (kf_error::impl_call_pre): Check that format arg is a
461         valid null-terminated string.
462         (kf_putenv::impl_call_pre): Likewise for the sole param.
463         (kf_strchr::impl_call_pre): Likewise for the first param.
464         (kf_strcpy::impl_call_pre): Likewise for the second param.
465         (kf_strdup::impl_call_pre): Likewise for the sole param.
466         * region-model.cc (get_strlen): New.
467         (struct call_arg_details): New.
468         (inform_about_expected_null_terminated_string_arg): New.
469         (class unterminated_string_arg): New.
470         (region_model::check_for_null_terminated_string_arg): New.
471         * region-model.h
472         (region_model::check_for_null_terminated_string_arg): New decl.
474 2023-08-11  Eric Feng  <ef2648@columbia.edu>
476         PR analyzer/107646
477         * call-details.h: New function.
478         * region-model.cc (region_model::get_or_create_region_for_heap_alloc):
479         New optional parameters.
480         * region-model.h (class region_model): New optional parameters.
481         * sm-malloc.cc (on_realloc_with_move): New function.
482         (region_model::transition_ptr_sval_non_null): New function.
484 2023-08-09  David Malcolm  <dmalcolm@redhat.com>
486         * analyzer.h (class pure_known_function_with_default_return): New
487         subclass.
488         * call-details.cc (const_fn_p): Move here from region-model.cc.
489         (maybe_get_const_fn_result): Likewise.
490         (get_result_size_in_bytes): Likewise.
491         (call_details::set_any_lhs_with_defaults): New function, based on
492         code in region_model::on_call_pre.
493         * call-details.h (call_details::set_any_lhs_with_defaults): New
494         decl.
495         * diagnostic-manager.cc
496         (diagnostic_manager::emit_saved_diagnostic): Log the index of the
497         saved_diagnostic.
498         * kf.cc (pure_known_function_with_default_return::impl_call_pre):
499         New.
500         (kf_memset::impl_call_pre): Set the LHS to the first param.
501         (kf_putenv::impl_call_pre): Call cd.set_any_lhs_with_defaults.
502         (kf_sprintf::impl_call_pre): Call cd.set_any_lhs_with_defaults.
503         (class kf_stack_restore): Derive from
504         pure_known_function_with_default_return.
505         (class kf_stack_save): Likewise.
506         (kf_strlen::impl_call_pre): Call cd.set_any_lhs_with_defaults.
507         * region-model-reachability.cc (reachable_regions::handle_sval):
508         Remove logic for symbolic regions for pointers.
509         * region-model.cc (region_model::canonicalize): Remove purging of
510         dynamic extents workaround for surplus values from
511         region_model::on_call_pre's default LHS code.
512         (const_fn_p): Move to call-details.cc.
513         (maybe_get_const_fn_result): Likewise.
514         (get_result_size_in_bytes): Likewise.
515         (region_model::update_for_nonzero_return): Call
516         cd.set_any_lhs_with_defaults.
517         (region_model::on_call_pre): Remove the assignment to the LHS of a
518         default return value, instead requiring all known_function
519         implementations to write to any LHS of the call.  Use
520         cd.set_any_lhs_with_defaults on the non-kf paths.
521         * sm-fd.cc (kf_socket::outcome_of_socket::update_model): Use
522         cd.set_any_lhs_with_defaults when failing to get at fd state.
523         (kf_bind::outcome_of_bind::update_model): Likewise.
524         (kf_listen::outcome_of_listen::update_model): Likewise.
525         (kf_accept::outcome_of_accept::update_model): Likewise.
526         (kf_connect::outcome_of_connect::update_model): Likewise.
527         (kf_read::impl_call_pre): Use cd.set_any_lhs_with_defaults.
528         * sm-file.cc (class kf_stdio_output_fn): Derive from
529         pure_known_function_with_default_return.
530         (class kf_ferror): Likewise.
531         (class kf_fileno): Likewise.
532         (kf_fgets::impl_call_pre): Use cd.set_any_lhs_with_defaults.
533         (kf_read::impl_call_pre): Likewise.
534         (class kf_getc): Derive from
535         pure_known_function_with_default_return.
536         (class kf_getchar): Likewise.
537         * varargs.cc (kf_va_arg::impl_call_pre): Use
538         cd.set_any_lhs_with_defaults.
540 2023-08-04  David Malcolm  <dmalcolm@redhat.com>
542         PR analyzer/110426
543         * bounds-checking.cc (region_model::check_region_bounds): Handle
544         symbolic base regions.
545         * call-details.cc: Include "stringpool.h" and "attribs.h".
546         (call_details::lookup_function_attribute): New function.
547         * call-details.h (call_details::lookup_function_attribute): New
548         function decl.
549         * region-model-manager.cc
550         (region_model_manager::maybe_fold_binop): Add reference to
551         PR analyzer/110902.
552         * region-model-reachability.cc (reachable_regions::handle_sval):
553         Add symbolic regions for pointers that are conjured svalues for
554         the LHS of a stmt.
555         * region-model.cc (region_model::canonicalize): Purge dynamic
556         extents for regions that aren't referenced.
557         (get_result_size_in_bytes): New function.
558         (region_model::on_call_pre): Use get_result_size_in_bytes and
559         potentially set the dynamic extents of the region pointed to by
560         the return value.
561         (region_model::deref_rvalue): Add param "add_nonnull_constraint"
562         and use it to conditionalize adding the constraint.
563         (pending_diagnostic_subclass::dubious_allocation_size): Add "stmt"
564         param to both ctors and use it to initialize new "m_stmt" field.
565         (pending_diagnostic_subclass::operator==): Use m_stmt; don't use
566         m_lhs or m_rhs.
567         (pending_diagnostic_subclass::m_stmt): New field.
568         (region_model::check_region_size): Generalize to any kind of
569         pointer svalue by using deref_rvalue rather than checking for
570         region_svalue.  Pass stmt to dubious_allocation_size ctor.
571         * region-model.h (region_model::deref_rvalue): Add param
572         "add_nonnull_constraint".
573         * svalue.cc (conjured_svalue::lhs_value_p): New function.
574         * svalue.h (conjured_svalue::lhs_value_p): New decl.
576 2023-08-04  David Malcolm  <dmalcolm@redhat.com>
578         * svalue.cc (region_svalue::dump_to_pp): Support NULL type.
579         (constant_svalue::dump_to_pp): Likewise.
580         (initial_svalue::dump_to_pp): Likewise.
581         (conjured_svalue::dump_to_pp): Likewise.  Fix missing print of the
582         type.
584 2023-08-03  David Malcolm  <dmalcolm@redhat.com>
586         PR analyzer/110882
587         * region.cc (int_size_in_bits): Fail on zero-sized types.
589 2023-08-02  Eric Feng  <ef2648@columbia.edu>
591         PR analyzer/107646
592         * analyzer-language.cc (run_callbacks): New function.
593         (on_finish_translation_unit): New function.
594         * analyzer-language.h (GCC_ANALYZER_LANGUAGE_H): New include.
595         (class translation_unit): New vfuncs.
597 2023-07-26  David Malcolm  <dmalcolm@redhat.com>
599         PR analyzer/104940
600         * region-model-manager.cc
601         (region_model_manager::region_model_manager): Update for
602         generalizing region ids to also cover svalues.
603         (region_model_manager::get_or_create_constant_svalue): Likewise.
604         (region_model_manager::get_or_create_unknown_svalue): Likewise.
605         (region_model_manager::create_unique_svalue): Likewise.
606         (region_model_manager::get_or_create_initial_value): Likewise.
607         (region_model_manager::get_or_create_setjmp_svalue): Likewise.
608         (region_model_manager::get_or_create_poisoned_svalue): Likewise.
609         (region_model_manager::get_ptr_svalue): Likewise.
610         (region_model_manager::get_or_create_unaryop): Likewise.
611         (region_model_manager::get_or_create_binop): Likewise.
612         (region_model_manager::get_or_create_sub_svalue): Likewise.
613         (region_model_manager::get_or_create_repeated_svalue): Likewise.
614         (region_model_manager::get_or_create_bits_within): Likewise.
615         (region_model_manager::get_or_create_unmergeable): Likewise.
616         (region_model_manager::get_or_create_widening_svalue): Likewise.
617         (region_model_manager::get_or_create_compound_svalue): Likewise.
618         (region_model_manager::get_or_create_conjured_svalue): Likewise.
619         (region_model_manager::get_or_create_asm_output_svalue): Likewise.
620         (region_model_manager::get_or_create_const_fn_result_svalue):
621         Likewise.
622         (region_model_manager::get_region_for_fndecl): Likewise.
623         (region_model_manager::get_region_for_label): Likewise.
624         (region_model_manager::get_region_for_global): Likewise.
625         (region_model_manager::get_field_region): Likewise.
626         (region_model_manager::get_element_region): Likewise.
627         (region_model_manager::get_offset_region): Likewise.
628         (region_model_manager::get_sized_region): Likewise.
629         (region_model_manager::get_cast_region): Likewise.
630         (region_model_manager::get_frame_region): Likewise.
631         (region_model_manager::get_symbolic_region): Likewise.
632         (region_model_manager::get_region_for_string): Likewise.
633         (region_model_manager::get_bit_range): Likewise.
634         (region_model_manager::get_var_arg_region): Likewise.
635         (region_model_manager::get_region_for_unexpected_tree_code):
636         Likewise.
637         (region_model_manager::get_or_create_region_for_heap_alloc):
638         Likewise.
639         (region_model_manager::create_region_for_alloca): Likewise.
640         (region_model_manager::log_stats): Likewise.
641         * region-model-manager.h (region_model_manager::get_num_regions):
642         Replace with...
643         (region_model_manager::get_num_symbols): ...this.
644         (region_model_manager::alloc_region_id): Replace with...
645         (region_model_manager::alloc_symbol_id): ...this.
646         (region_model_manager::m_next_region_id): Replace with...
647         (region_model_manager::m_next_symbol_id): ...this.
648         * region-model.cc (selftest::test_get_representative_tree): Update
649         for generalizing region ids to also cover svalues.
650         (selftest::test_binop_svalue_folding): Likewise.
651         (selftest::test_state_merging): Likewise.
652         * region.cc (region::cmp_ids): Delete, in favor of
653         symbol::cmp_ids.
654         (region::region): Update for introduction of symbol base class.
655         (frame_region::get_region_for_local): Likewise.
656         (root_region::root_region): Likewise.
657         (symbolic_region::symbolic_region): Likewise.
658         * region.h: Replace include of "analyzer/complexity.h" with
659         "analyzer/symbol.h".
660         (class region): Make a subclass of symbol.
661         (region::get_id): Delete in favor of symbol::get_id.
662         (region::cmp_ids): Delete in favor of symbol::cmp_ids.
663         (region::get_complexity): Delete in favor of
664         symbol::get_complexity.
665         (region::region): Use symbol::id_t for "id" param.
666         (region::m_complexity): Move field to symbol base class.
667         (region::m_id): Likewise.
668         (space_region::space_region): Use symbol::id_t for "id" param.
669         (frame_region::frame_region): Likewise.
670         (globals_region::globals_region): Likewise.
671         (code_region::code_region): Likewise.
672         (function_region::function_region): Likewise.
673         (label_region::label_region): Likewise.
674         (stack_region::stack_region): Likewise.
675         (heap_region::heap_region): Likewise.
676         (thread_local_region::thread_local_region): Likewise.
677         (root_region::root_region): Likewise.
678         (symbolic_region::symbolic_region): Likewise.
679         (decl_region::decl_region): Likewise.
680         (field_region::field_region): Likewise.
681         (element_region::element_region): Likewise.
682         (offset_region::offset_region): Likewise.
683         (sized_region::sized_region): Likewise.
684         (cast_region::cast_region): Likewise.
685         (heap_allocated_region::heap_allocated_region): Likewise.
686         (alloca_region::alloca_region): Likewise.
687         (string_region::string_region): Likewise.
688         (bit_range_region::bit_range_region): Likewise.
689         (var_arg_region::var_arg_region): Likewise.
690         (errno_region::errno_region): Likewise.
691         (unknown_region::unknown_region): Likewise.
692         * svalue.cc (sub_svalue::sub_svalue): Add symbol::id_t param.
693         (repeated_svalue::repeated_svalue): Likewise.
694         (bits_within_svalue::bits_within_svalue): Likewise.
695         (compound_svalue::compound_svalue): Likewise.
696         * svalue.h: Replace include of "analyzer/complexity.h" with
697         "analyzer/symbol.h".
698         (class svalue): Make a subclass of symbol.
699         (svalue::get_complexity): Delete in favor of
700         symbol::get_complexity.
701         (svalue::svalue): Add symbol::id_t param.  Update for new base
702         class.
703         (svalue::m_complexity): Delete in favor of
704         symbol::m_complexity.
705         (region_svalue::region_svalue): Add symbol::id_t param.
706         (constant_svalue::constant_svalue): Likewise.
707         (unknown_svalue::unknown_svalue): Likewise.
708         (poisoned_svalue::poisoned_svalue): Likewise.
709         (setjmp_svalue::setjmp_svalue): Likewise.
710         (initial_svalue::initial_svalue): Likewise.
711         (unaryop_svalue::unaryop_svalue): Likewise.
712         (binop_svalue::binop_svalue): Likewise.
713         (sub_svalue::sub_svalue): Likewise.
714         (repeated_svalue::repeated_svalue): Likewise.
715         (bits_within_svalue::bits_within_svalue): Likewise.
716         (unmergeable_svalue::unmergeable_svalue): Likewise.
717         (placeholder_svalue::placeholder_svalue): Likewise.
718         (widening_svalue::widening_svalue): Likewise.
719         (compound_svalue::compound_svalue): Likewise.
720         (conjured_svalue::conjured_svalue): Likewise.
721         (asm_output_svalue::asm_output_svalue): Likewise.
722         (const_fn_result_svalue::const_fn_result_svalue): Likewise.
723         * symbol.cc: New file.
724         * symbol.h: New file.
726 2023-07-21  David Malcolm  <dmalcolm@redhat.com>
728         PR analyzer/110455
729         * region-model.cc (region_model::get_gassign_result): Only check
730         for bad shift counts when dealing with an integral type.
732 2023-07-21  David Malcolm  <dmalcolm@redhat.com>
734         PR analyzer/110433
735         PR middle-end/110612
736         * access-diagram.cc (class spatial_item): Add virtual dtor.
738 2023-07-21  David Malcolm  <dmalcolm@redhat.com>
740         PR analyzer/110387
741         * region.h (struct cast_region::key_t): Support "m_type" being
742         null by using "m_original_region" for empty/deleted slots.
744 2023-07-19  David Malcolm  <dmalcolm@redhat.com>
746         PR analyzer/110700
747         * region-model-manager.cc
748         (region_model_manager::get_or_create_int_cst): Assert that we have
749         an integral or pointer type.
750         * sm-taint.cc (taint_state_machine::check_for_tainted_divisor):
751         Don't check non-integral types.
753 2023-06-29  benjamin priour  <priour.be@gmail.com>
755         PR analyzer/110198
756         * region-model-manager.cc
757         (region_model_manager::get_or_create_initial_value): Take an
758         optional boolean value to bypass poisoning checks.
759         * region-model-manager.h: Update declaration of the above function.
760         * region-model.cc (region_model::get_store_value): No longer returns
761         on OOB, but rather gives a boolean to get_or_create_initial_value.
762         (region_model::check_region_access): Update docstring.
763         (region_model::check_region_for_write): Update docstring.
765 2023-06-24  David Malcolm  <dmalcolm@redhat.com>
767         * access-diagram.cc: Add #define INCLUDE_VECTOR.
768         * bounds-checking.cc: Likewise.
770 2023-06-22  David Malcolm  <dmalcolm@redhat.com>
772         PR analyzer/106626
773         * access-diagram.cc: New file.
774         * access-diagram.h: New file.
775         * analyzer.h (class region_offset): Add default ctor.
776         (region_offset::make_byte_offset): New decl.
777         (region_offset::concrete_p): New.
778         (region_offset::get_concrete_byte_offset): New.
779         (region_offset::calc_symbolic_bit_offset): New decl.
780         (region_offset::calc_symbolic_byte_offset): New decl.
781         (region_offset::dump_to_pp): New decl.
782         (region_offset::dump): New decl.
783         (operator<, operator<=, operator>, operator>=): New decls for
784         region_offset.
785         * analyzer.opt
786         (-param=analyzer-text-art-string-ellipsis-threshold=): New.
787         (-param=analyzer-text-art-string-ellipsis-head-len=): New.
788         (-param=analyzer-text-art-string-ellipsis-tail-len=): New.
789         (-param=analyzer-text-art-ideal-canvas-width=): New.
790         (fanalyzer-debug-text-art): New.
791         * bounds-checking.cc: Include "intl.h", "diagnostic-diagram.h",
792         and "analyzer/access-diagram.h".
793         (class out_of_bounds::oob_region_creation_event_capacity): New.
794         (out_of_bounds::out_of_bounds): Add "model" and "sval_hint"
795         params.
796         (out_of_bounds::mark_interesting_stuff): Use the base region.
797         (out_of_bounds::add_region_creation_events): Use
798         oob_region_creation_event_capacity.
799         (out_of_bounds::get_dir): New pure vfunc.
800         (out_of_bounds::maybe_show_notes): New.
801         (out_of_bounds::maybe_show_diagram): New.
802         (out_of_bounds::make_access_diagram): New.
803         (out_of_bounds::m_model): New field.
804         (out_of_bounds::m_sval_hint): New field.
805         (out_of_bounds::m_region_creation_event_id): New field.
806         (concrete_out_of_bounds::concrete_out_of_bounds): Update for new
807         fields.
808         (concrete_past_the_end::concrete_past_the_end): Likewise.
809         (concrete_past_the_end::add_region_creation_events): Use
810         oob_region_creation_event_capacity.
811         (concrete_buffer_overflow::concrete_buffer_overflow): Update for
812         new fields.
813         (concrete_buffer_overflow::emit): Replace call to
814         maybe_describe_array_bounds with maybe_show_notes.
815         (concrete_buffer_overflow::get_dir): New.
816         (concrete_buffer_over_read::concrete_buffer_over_read): Update for
817         new fields.
818         (concrete_buffer_over_read::emit): Replace call to
819         maybe_describe_array_bounds with maybe_show_notes.
820         (concrete_buffer_overflow::get_dir): New.
821         (concrete_buffer_underwrite::concrete_buffer_underwrite): Update
822         for new fields.
823         (concrete_buffer_underwrite::emit): Replace call to
824         maybe_describe_array_bounds with maybe_show_notes.
825         (concrete_buffer_underwrite::get_dir): New.
826         (concrete_buffer_under_read::concrete_buffer_under_read): Update
827         for new fields.
828         (concrete_buffer_under_read::emit): Replace call to
829         maybe_describe_array_bounds with maybe_show_notes.
830         (concrete_buffer_under_read::get_dir): New.
831         (symbolic_past_the_end::symbolic_past_the_end): Update for new
832         fields.
833         (symbolic_buffer_overflow::symbolic_buffer_overflow): Likewise.
834         (symbolic_buffer_overflow::emit): Call maybe_show_notes.
835         (symbolic_buffer_overflow::get_dir): New.
836         (symbolic_buffer_over_read::symbolic_buffer_over_read): Update for
837         new fields.
838         (symbolic_buffer_over_read::emit): Call maybe_show_notes.
839         (symbolic_buffer_over_read::get_dir): New.
840         (region_model::check_symbolic_bounds): Add "sval_hint" param.  Pass
841         it and sized_offset_reg to diagnostics.
842         (region_model::check_region_bounds): Add "sval_hint" param, passing
843         it to diagnostics.
844         * diagnostic-manager.cc
845         (diagnostic_manager::emit_saved_diagnostic): Pass logger to
846         pending_diagnostic::emit.
847         * engine.cc: Add logger param to pending_diagnostic::emit
848         implementations.
849         * infinite-recursion.cc: Likewise.
850         * kf-analyzer.cc: Likewise.
851         * kf.cc: Likewise.  Add nullptr for new param of
852         check_region_for_write.
853         * pending-diagnostic.h: Likewise in decl.
854         * region-model-manager.cc
855         (region_model_manager::get_or_create_int_cst): Convert param from
856         poly_int64 to const poly_wide_int_ref &.
857         (region_model_manager::maybe_fold_binop): Support type being NULL
858         when checking for floating-point types.
859         Check for (X + Y) - X => Y.  Be less strict about types when folding
860         associative ops.  Check for (X + Y) * CST => (X * CST) + (Y * CST).
861         * region-model-manager.h
862         (region_model_manager::get_or_create_int_cst): Convert param from
863         poly_int64 to const poly_wide_int_ref &.
864         * region-model.cc: Add logger param to pending_diagnostic::emit
865         implementations.
866         (region_model::check_external_function_for_access_attr): Update
867         for new param of check_region_for_write.
868         (region_model::deref_rvalue): Use nullptr rather than NULL.
869         (region_model::get_capacity): Handle RK_STRING.
870         (region_model::check_region_access): Add "sval_hint" param; pass it to
871         check_region_bounds.
872         (region_model::check_region_for_write): Add "sval_hint" param;
873         pass it to check_region_access.
874         (region_model::check_region_for_read): Add NULL for new param to
875         check_region_access.
876         (region_model::set_value): Pass rhs_sval to
877         check_region_for_write.
878         (region_model::get_representative_path_var_1): Handle SK_CONSTANT
879         in the check for infinite recursion.
880         * region-model.h (region_model::check_region_for_write): Add
881         "sval_hint" param.
882         (region_model::check_region_access): Likewise.
883         (region_model::check_symbolic_bounds): Likewise.
884         (region_model::check_region_bounds): Likewise.
885         * region.cc (region_offset::make_byte_offset): New.
886         (region_offset::calc_symbolic_bit_offset): New.
887         (region_offset::calc_symbolic_byte_offset): New.
888         (region_offset::dump_to_pp): New.
889         (region_offset::dump): New.
890         (struct linear_op): New.
891         (operator<, operator<=, operator>, operator>=): New, for
892         region_offset.
893         (region::get_next_offset): New.
894         (region::get_relative_symbolic_offset): Use ptrdiff_type_node.
895         (field_region::get_relative_symbolic_offset): Likewise.
896         (element_region::get_relative_symbolic_offset): Likewise.
897         (bit_range_region::get_relative_symbolic_offset): Likewise.
898         * region.h (region::get_next_offset): New decl.
899         * sm-fd.cc: Add logger param to pending_diagnostic::emit
900         implementations.
901         * sm-file.cc: Likewise.
902         * sm-malloc.cc: Likewise.
903         * sm-pattern-test.cc: Likewise.
904         * sm-sensitive.cc: Likewise.
905         * sm-signal.cc: Likewise.
906         * sm-taint.cc: Likewise.
907         * store.cc (bit_range::contains_p): Allow "out" to be null.
908         * store.h (byte_range::get_start_bit_offset): New.
909         (byte_range::get_next_bit_offset): New.
910         * varargs.cc: Add logger param to pending_diagnostic::emit
911         implementations.
913 2023-06-10  Tim Lange  <mail@tim-lange.me>
915         PR analyzer/109577
916         * constraint-manager.cc (class sval_finder): Visitor to find
917         children in svalue trees.
918         (constraint_manager::sval_constrained_p): Add new function to
919         check whether a sval might be part of a constraint.
920         * constraint-manager.h: Add sval_constrained_p function.
921         * region-model.cc (class size_visitor): Reverse behavior to not
922         emit a warning on not explicitly considered cases.
923         (region_model::check_region_size):
924         Adapt to size_visitor changes.
926 2023-06-09  David Malcolm  <dmalcolm@redhat.com>
928         PR analyzer/110112
929         * region-model.cc (region_model::get_initial_value_for_global):
930         Move code to region::calc_initial_value_at_main.
931         * region.cc (region::get_initial_value_at_main): New function.
932         (region::calc_initial_value_at_main): New function, based on code
933         in region_model::get_initial_value_for_global.
934         (region::region): Initialize m_cached_init_sval_at_main.
935         (decl_region::get_svalue_for_constructor): Add a cache, splitting
936         out body to...
937         (decl_region::calc_svalue_for_constructor): ...this new function.
938         * region.h (region::get_initial_value_at_main): New decl.
939         (region::calc_initial_value_at_main): New decl.
940         (region::m_cached_init_sval_at_main): New field.
941         (decl_region::decl_region): Initialize m_ctor_svalue.
942         (decl_region::calc_svalue_for_constructor): New decl.
943         (decl_region::m_ctor_svalue): New field.
945 2023-06-08  Benjamin Priour  <vultkayn@gcc.gnu.org>
947         * bounds-checking.cc (region_model::check_symbolic_bounds): Returns whether the BASE_REG
948         region access was OOB.
949         (region_model::check_region_bounds): Likewise.
950         * region-model.cc (region_model::get_store_value): Creates an
951         unknown svalue on OOB-read access to REG.
952         (region_model::check_region_access): Returns whether an unknown svalue needs to be created.
953         (region_model::check_region_for_read): Passes check_region_access return value.
954         * region-model.h: Update prior function definitions.
956 2023-06-02  David Malcolm  <dmalcolm@redhat.com>
958         PR analyzer/109015
959         * kf.cc (class kf_atomic_exchange): New.
960         (class kf_atomic_exchange_n): New.
961         (class kf_atomic_fetch_op): New.
962         (class kf_atomic_op_fetch): New.
963         (class kf_atomic_load): New.
964         (class kf_atomic_load_n): New.
965         (class kf_atomic_store_n): New.
966         (register_atomic_builtins): New function.
967         (register_known_functions): Call register_atomic_builtins.
969 2023-06-02  David Malcolm  <dmalcolm@redhat.com>
971         * store.cc (store::eval_alias_1): Regions in different memory
972         spaces can't alias.
974 2023-05-18  Bernhard Reutner-Fischer  <aldot@gcc.gnu.org>
976         * region-model-manager.cc (get_code_for_cast): Use _P defines from
977         tree.h.
978         (region_model_manager::get_or_create_cast): Ditto.
979         (region_model_manager::get_region_for_global): Ditto.
980         * region-model.cc (region_model::get_lvalue_1): Ditto.
981         * region.cc (decl_region::maybe_get_constant_value): Ditto.
983 2023-03-22  David Malcolm  <dmalcolm@redhat.com>
985         PR analyzer/109239
986         * program-point.cc: Include "analyzer/inlining-iterator.h".
987         (program_point::effectively_intraprocedural_p): New function.
988         * program-point.h (program_point::effectively_intraprocedural_p):
989         New decl.
990         * sm-malloc.cc (deref_before_check::emit): Use it when rejecting
991         interprocedural cases, so that we reject interprocedural cases
992         that have become intraprocedural due to inlining.
994 2023-03-18  David Malcolm  <dmalcolm@redhat.com>
996         PR analyzer/109094
997         * region-model.cc (region_model::on_longjmp): Pass false for
998         new "eval_return_svalue" param of pop_frame.
999         (region_model::pop_frame): Add new "eval_return_svalue" param and
1000         use it to suppress the call to get_rvalue on the result when
1001         needed by on_longjmp.
1002         * region-model.h (region_model::pop_frame): Add new
1003         "eval_return_svalue" param.
1005 2023-03-10  David Malcolm  <dmalcolm@redhat.com>
1007         PR analyzer/109059
1008         * region-model.cc (region_model::mark_region_as_unknown): Gather a
1009         set of maybe-live svalues and call on_maybe_live_values with it.
1010         * store.cc (binding_map::remove_overlapping_bindings): Add new
1011         "maybe_live_values" param; add any removed svalues to it.
1012         (binding_cluster::clobber_region): Add NULL as new param of
1013         remove_overlapping_bindings.
1014         (binding_cluster::mark_region_as_unknown): Add "maybe_live_values"
1015         param and pass it to remove_overlapping_bindings.
1016         (binding_cluster::maybe_get_compound_binding): Add NULL for new
1017         param of binding_map::remove_overlapping_bindings.
1018         (binding_cluster::remove_overlapping_bindings): Add
1019         "maybe_live_values" param and pass to
1020         binding_map::remove_overlapping_bindings.
1021         (store::set_value): Capture a set of maybe-live svalues, and call
1022         on_maybe_live_values with it.
1023         (store::on_maybe_live_values): New.
1024         (store::mark_region_as_unknown): Add "maybe_live_values" param
1025         and pass it to binding_cluster::mark_region_as_unknown.
1026         (store::remove_overlapping_bindings): Pass NULL for new param of
1027         binding_cluster::remove_overlapping_bindings.
1028         * store.h (binding_map::remove_overlapping_bindings): Add
1029         "maybe_live_values" param.
1030         (binding_cluster::mark_region_as_unknown): Likewise.
1031         (binding_cluster::remove_overlapping_bindings): Likewise.
1032         (store::mark_region_as_unknown): Likewise.
1033         (store::on_maybe_live_values): New decl.
1035 2023-03-10  David Malcolm  <dmalcolm@redhat.com>
1037         PR analyzer/108475
1038         PR analyzer/109060
1039         * sm-malloc.cc (deref_before_check::deref_before_check):
1040         Initialize new field m_deref_expr.  Assert that arg is non-NULL.
1041         (deref_before_check::emit): Reject cases where the spelling of the
1042         thing that was dereferenced differs from that of what is checked,
1043         or if the dereference expression was not found.  Remove code to
1044         handle NULL m_arg.
1045         (deref_before_check::describe_state_change): Remove code to handle
1046         NULL m_arg.
1047         (deref_before_check::describe_final_event): Likewise.
1048         (deref_before_check::sufficiently_similar_p): New.
1049         (deref_before_check::m_deref_expr): New field.
1050         (malloc_state_machine::maybe_complain_about_deref_before_check):
1051         Don't warn if the diag_ptr is NULL.
1053 2023-03-03  David Malcolm  <dmalcolm@redhat.com>
1055         * kf.cc (class kf_sprintf): New.
1056         (register_known_functions): Register it.
1058 2023-03-02  David Malcolm  <dmalcolm@redhat.com>
1060         PR analyzer/108968
1061         * region-model.cc (region_model::get_rvalue_1): Handle VAR_DECLs
1062         with a DECL_HARD_REGISTER by returning UNKNOWN.
1064 2023-03-02  Hans-Peter Nilsson  <hp@axis.com>
1066         * kf.cc (register_known_functions): Add __errno function for newlib.
1068 2023-03-01  David Malcolm  <dmalcolm@redhat.com>
1070         PR analyzer/107565
1071         * region-model.cc (region_model::on_call_pre): Flatten logic by
1072         returning early.  Consolidate logic for detecting const and pure
1073         functions.  When considering whether an unhandled built-in
1074         function has side-effects, consider all kinds of builtin, rather
1075         than just BUILT_IN_NORMAL, and don't require
1076         gimple_builtin_call_types_compatible_p.
1078 2023-03-01  David Malcolm  <dmalcolm@redhat.com>
1080         PR analyzer/108935
1081         * infinite-recursion.cc (contains_unknown_p): New.
1082         (sufficiently_different_region_binding_p): New function, splitting
1083         out inner loop from...
1084         (sufficiently_different_p): ...here.  Extend detection of unknown
1085         svalues to also include svalues that contain unknown.  Treat
1086         changes in frames below the entry to the recursion as being
1087         sufficiently different to reject being an infinite recursion.
1089 2023-02-21  David Malcolm  <dmalcolm@redhat.com>
1091         PR analyzer/108830
1092         * analyzer.opt (fanalyzer-suppress-followups): New option.
1093         * engine.cc (impl_region_model_context::warn): Terminate the path
1094         if the diagnostic's terminate_path_p vfunc returns true and
1095         -fanalyzer-suppress-followups is true (the default).
1096         (impl_sm_context::warn): Likewise, for both overloads.
1097         * pending-diagnostic.h (pending_diagnostic::terminate_path_p): New
1098         vfunc.
1099         * program-state.cc (program_state::on_edge): Terminate the path if
1100         the ctxt requests it during updating the edge.
1101         * region-model.cc (poisoned_value_diagnostic::terminate_path_p):
1102         New vfunc.
1103         * sm-malloc.cc (null_deref::terminate_path_p): New vfunc.
1104         (null_arg::terminate_path_p): New vfunc.
1106 2023-02-16  David Malcolm  <dmalcolm@redhat.com>
1108         PR analyzer/108806
1109         * constraint-manager.cc (bounded_range::dump_to_pp): Use
1110         bounded_range::singleton_p.
1111         (constraint_manager::add_bounded_ranges): Handle singleton ranges
1112         by adding an EQ_EXPR constraint.
1113         (constraint_manager::impossible_derived_conditions_p): New.
1114         (constraint_manager::eval_condition): Reject EQ_EXPR when it would
1115         imply impossible derived conditions.
1116         (selftest::test_bits): New.
1117         (selftest::run_constraint_manager_tests): Run it.
1118         * constraint-manager.h (bounded_range::singleton_p): New.
1119         (constraint_manager::impossible_derived_conditions_p): New decl.
1120         * region-model.cc (region_model::get_rvalue_1): Handle
1121         BIT_AND_EXPR, BIT_IOR_EXPR, and BIT_XOR_EXPR.
1123 2023-02-15  David Malcolm  <dmalcolm@redhat.com>
1125         PR analyzer/108664
1126         PR analyzer/108666
1127         PR analyzer/108725
1128         * diagnostic-manager.cc (epath_finder::get_best_epath): Add
1129         "target_stmt" param.
1130         (epath_finder::explore_feasible_paths): Likewise.
1131         (epath_finder::process_worklist_item): Likewise.
1132         (saved_diagnostic::calc_best_epath): Pass m_stmt to
1133         epath_finder::get_best_epath.
1134         * engine.cc (feasibility_state::maybe_update_for_edge): Move
1135         per-stmt logic to...
1136         (feasibility_state::update_for_stmt): ...this new function.
1137         * exploded-graph.h (feasibility_state::update_for_stmt): New decl.
1138         * feasible-graph.cc (feasible_node::get_state_at_stmt): New.
1139         * feasible-graph.h: Include "analyzer/exploded-graph.h".
1140         (feasible_node::get_state_at_stmt): New decl.
1141         * infinite-recursion.cc
1142         (infinite_recursion_diagnostic::check_valid_fpath_p): Update for
1143         vfunc signature change.
1144         * pending-diagnostic.h (pending_diagnostic::check_valid_fpath_p):
1145         Convert first param to a reference.  Add stmt param.
1146         * region-model.cc: Include "analyzer/feasible-graph.h".
1147         (poisoned_value_diagnostic::poisoned_value_diagnostic): Add
1148         "check_expr" param.
1149         (poisoned_value_diagnostic::check_valid_fpath_p): New.
1150         (poisoned_value_diagnostic::m_check_expr): New field.
1151         (region_model::check_for_poison): Attempt to supply a check_expr
1152         to the diagnostic.
1153         (region_model::deref_rvalue): Add NULL for new check_expr param
1154         of poisoned_value_diagnostic.
1155         (region_model::get_or_create_region_for_heap_alloc): Don't reuse
1156         regions that are marked as TOUCHED.
1158 2023-02-10  David Malcolm  <dmalcolm@redhat.com>
1160         PR analyzer/108745
1161         * sm-malloc.cc (deref_before_check::emit): Reject the warning if
1162         the check occurs within a macro definition.
1164 2023-02-09  David Malcolm  <dmalcolm@redhat.com>
1166         PR analyzer/108733
1167         * state-purge.cc (get_candidate_for_purging): Add ADDR_EXPR
1168         and MEM_REF.
1170 2023-02-08  David Malcolm  <dmalcolm@redhat.com>
1172         PR analyzer/108704
1173         * state-purge.cc (state_purge_per_decl::process_point_backwards):
1174         Don't stop processing the decl if it's fully overwritten by
1175         this stmt but is also used by this stmt.
1177 2023-02-07  David Malcolm  <dmalcolm@redhat.com>
1179         PR analyzer/108661
1180         * sm-fd.cc (class kf_read): New.
1181         (register_known_fd_functions): Register "read".
1182         * sm-file.cc (class kf_fread): Update comment.
1184 2023-02-02  David Malcolm  <dmalcolm@redhat.com>
1186         PR analyzer/108633
1187         * sm-fd.cc (fd_state_machine::check_for_fd_attrs): Add missing
1188         "continue".
1189         (fd_state_machine::on_listen): Don't issue phase-mismatch or
1190         type-mismatch warnings for the "invalid" state.
1192 2023-02-01  David Malcolm  <dmalcolm@redhat.com>
1194         PR analyzer/108616
1195         * pending-diagnostic.cc (fixup_location_in_macro_p): Add "alloca"
1196         to macros that we shouldn't unwind inside.
1198 2023-01-26  David Malcolm  <dmalcolm@redhat.com>
1200         PR analyzer/108524
1201         * analyzer.h (class feasible_node): New forward decl.
1202         * diagnostic-manager.cc (epath_finder::get_best_epath): Add "pd"
1203         param.
1204         (epath_finder::explore_feasible_paths): Likewise.
1205         (epath_finder::process_worklist_item): Likewise.  Use it to call
1206         pending_diagnostic::check_valid_fpath_p on the final fpath to
1207         give pending_diagnostic a way to add additional restrictions on
1208         feasibility.
1209         (saved_diagnostic::calc_best_epath): Pass pending_diagnostic to
1210         epath_finder::get_best_epath.
1211         * infinite-recursion.cc: Include "analyzer/feasible-graph.h".
1212         (infinite_recursion_diagnostic::check_valid_fpath_p): New.
1213         (infinite_recursion_diagnostic::fedge_uses_conjured_svalue_p): New.
1214         (infinite_recursion_diagnostic::expr_uses_conjured_svalue_p): New.
1215         * pending-diagnostic.h (pending_diagnostic::check_valid_fpath_p):
1216         New vfunc.
1218 2023-01-19  David Malcolm  <dmalcolm@redhat.com>
1220         PR analyzer/108455
1221         * analyzer.h (class checker_event): New forward decl.
1222         (class state_change_event): Indent.
1223         (class warning_event): New forward decl.
1224         * checker-event.cc (state_change_event::state_change_event): Add
1225         "enode" param.
1226         (warning_event::get_desc): Update for new param of
1227         evdesc::final_event ctor.
1228         * checker-event.h (state_change_event::state_change_event): Add
1229         "enode" param.
1230         (state_change_event::get_exploded_node): New accessor.
1231         (state_change_event::m_enode): New field.
1232         (warning_event::warning_event): New "enode" param.
1233         (warning_event::get_exploded_node): New accessor.
1234         (warning_event::m_enode): New field.
1235         * diagnostic-manager.cc
1236         (state_change_event_creator::on_global_state_change): Pass
1237         src_node to state_change_event ctor.
1238         (state_change_event_creator::on_state_change): Likewise.
1239         (null_assignment_sm_context::set_next_state): Pass NULL for
1240         new param of state_change_event ctor.
1241         * infinite-recursion.cc
1242         (infinite_recursion_diagnostic::add_final_event): Update for new
1243         param of warning_event ctor.
1244         * pending-diagnostic.cc (pending_diagnostic::add_final_event):
1245         Pass enode to warning_event ctor.
1246         * pending-diagnostic.h (evdesc::final_event): Add reference to
1247         warning_event.
1248         * sm-malloc.cc: Include "analyzer/checker-event.h" and
1249         "analyzer/exploded-graph.h".
1250         (deref_before_check::deref_before_check): Initialize new fields.
1251         (deref_before_check::emit): Reject warnings in which we were
1252         unable to determine the enodes of the dereference and the check.
1253         Reject interprocedural warnings.  Reject warnings in which
1254         the dereference doesn't dominate the check.
1255         (deref_before_check::describe_state_change): Set m_deref_enode.
1256         (deref_before_check::describe_final_event): Set m_check_enode.
1257         (deref_before_check::m_deref_enode): New field.
1258         (deref_before_check::m_check_enode): New field.
1260 2023-01-13  David Malcolm  <dmalcolm@redhat.com>
1262         PR analyzer/105273
1263         * region-model.cc (has_nondefault_case_for_value_p): New.
1264         (has_nondefault_cases_for_all_enum_values_p): New.
1265         (region_model::apply_constraints_for_gswitch): Skip
1266         implicitly-created "default" when switching on an enum
1267         and all enum values have non-default cases.
1268         (rejected_default_case::dump_to_pp): New.
1269         * region-model.h (region_model_context::possibly_tainted_p): New
1270         decl.
1271         (class rejected_default_case): New.
1272         * sm-taint.cc (region_model_context::possibly_tainted_p): New.
1273         * supergraph.cc (switch_cfg_superedge::dump_label_to_pp): Dump
1274         when implicitly_created_default_p.
1275         (switch_cfg_superedge::implicitly_created_default_p): New.
1276         * supergraph.h
1277         (switch_cfg_superedge::implicitly_created_default_p): New decl.
1279 2023-01-11  David Malcolm  <dmalcolm@redhat.com>
1281         PR analyzer/108252
1282         * kf.cc (class kf_strdup): New.
1283         (class kf_strndup): New.
1284         (register_known_functions): Register them.
1285         * region-model.cc (region_model::on_call_pre): Use
1286         &HEAP_ALLOCATED_REGION for the default result of an external
1287         function with the "malloc" attribute, rather than CONJURED_SVALUE.
1288         (region_model::get_or_create_region_for_heap_alloc): Allow
1289         "size_in_bytes" to be NULL.
1290         * store.cc (store::set_value): When handling *UNKNOWN = VAL,
1291         mark VAL as "maybe bound".
1293 2022-12-16  David Malcolm  <dmalcolm@redhat.com>
1295         PR analyzer/106479
1296         * kf.cc (kf_memcpy_memmove::impl_call_pre): Pass in source region
1297         to region_model::check_for_poison.
1298         * region-model-asm.cc (region_model::on_asm_stmt): Pass NULL
1299         region to region_model::check_for_poison.
1300         * region-model.cc (region_model::check_for_poison): Add
1301         "src_region" param, and pass it to poisoned_value_diagnostic.
1302         (region_model::on_assignment): Pass NULL region to
1303         region_model::check_for_poison.
1304         (region_model::get_rvalue): Likewise.
1305         * region-model.h (region_model::check_for_poison): Add
1306         "src_region" param.
1307         * sm-fd.cc (fd_state_machine::on_accept): Pass in source region
1308         to region_model::check_for_poison.
1309         * varargs.cc (kf_va_copy::impl_call_pre): Pass NULL region to
1310         region_model::check_for_poison.
1311         (kf_va_arg::impl_call_pre): Pass in source region to
1312         region_model::check_for_poison.
1314 2022-12-14  David Malcolm  <dmalcolm@redhat.com>
1316         PR analyzer/108065
1317         * region.cc (decl_region::get_svalue_for_initializer): Bail out to
1318         avoid calling binding_key::make with an empty region.
1319         * store.cc (binding_map::apply_ctor_val_to_range): Likewise.
1320         (binding_map::apply_ctor_pair_to_child_region): Likewise.
1321         (binding_cluster::bind): Likewise.
1322         (binding_cluster::purge_region): Likewise.
1323         (binding_cluster::maybe_get_compound_binding): Likewise.
1324         (binding_cluster::maybe_get_simple_value): Likewise.
1326 2022-12-09  David Malcolm  <dmalcolm@redhat.com>
1328         * analyzer.h (class known_function): Expand comment.
1329         * region-model-impl-calls.cc: Rename to...
1330         * kf.cc: ...this.
1331         * known-function-manager.h (class known_function_manager): Add
1332         leading comment.
1334 2022-12-09  David Malcolm  <dmalcolm@redhat.com>
1336         PR analyzer/108003
1337         * call-summary.cc
1338         (call_summary_replay::convert_region_from_summary_1): Convert
1339         heap_regs_in_use from auto_sbitmap to auto_bitmap.
1340         * region-model-manager.cc
1341         (region_model_manager::get_or_create_region_for_heap_alloc):
1342         Convert from sbitmap to bitmap.
1343         * region-model-manager.h: Likewise.
1344         * region-model.cc
1345         (region_model::get_or_create_region_for_heap_alloc): Convert from
1346         auto_sbitmap to auto_bitmap.
1347         (region_model::get_referenced_base_regions): Likewise.
1348         * region-model.h: Include "bitmap.h" rather than "sbitmap.h".
1349         (region_model::get_referenced_base_regions): Convert from
1350         auto_sbitmap to auto_bitmap.
1352 2022-12-09  David Malcolm  <dmalcolm@redhat.com>
1354         * region-model-impl-calls.cc (class kf_memcpy): Rename to...
1355         (class kf_memcpy_memmove): ...this.
1356         (kf_memcpy::impl_call_pre): Rename to...
1357         (kf_memcpy_memmove::impl_call_pre): ...this, and check the src for
1358         poison.
1359         (register_known_functions): Update for above renaming, and
1360         register BUILT_IN_MEMMOVE and BUILT_IN_MEMMOVE_CHK.
1362 2022-12-06  David Malcolm  <dmalcolm@redhat.com>
1364         PR analyzer/107882
1365         * region-model.cc (region_model::get_store_value): Return an
1366         unknown value for empty regions.
1367         (region_model::set_value): Bail on empty regions.
1368         * region.cc (region::empty_p): New.
1369         * region.h (region::empty_p): New decl.
1370         * state-purge.cc (same_binding_p): Bail if either region is empty.
1371         * store.cc (binding_key::make): Assert that a concrete binding's
1372         bit_size must be > 0.
1373         (binding_cluster::mark_region_as_unknown): Bail on empty regions.
1374         (binding_cluster::get_binding): Likewise.
1375         (binding_cluster::remove_overlapping_bindings): Likewise.
1376         (binding_cluster::on_unknown_fncall): Don't conjure values for
1377         empty regions.
1378         (store::fill_region): Bail on empty regions.
1379         * store.h (class concrete_binding): Update comment to reflect that
1380         the range of bits must be non-empty.
1381         (concrete_binding::concrete_binding): Assert that bit range is
1382         non-empty.
1384 2022-12-06  David Malcolm  <dmalcolm@redhat.com>
1386         PR analyzer/106325
1387         * region-model-manager.cc
1388         (region_model_manager::get_or_create_null_ptr): New.
1389         * region-model-manager.h
1390         (region_model_manager::get_or_create_null_ptr): New decl.
1391         * region-model.cc (region_model::on_top_level_param): Add
1392         "nonnull" param and make use of it.
1393         (region_model::push_frame): When handling a top-level entrypoint
1394         to the analysis, determine which params __attribute__((nonnull))
1395         applies to, and pass to on_top_level_param.
1396         * region-model.h (region_model::on_top_level_param): Add "nonnull"
1397         param.
1399 2022-12-06  David Malcolm  <dmalcolm@redhat.com>
1401         * analyzer.h (register_known_analyzer_functions): New decl.
1402         (register_known_functions_lang_cp): New decl.
1403         * call-details.cc: New file, split out from
1404         region-model-impl-calls.cc.
1405         * call-details.h: New file, split out from region-model.h.
1406         * call-info.cc: Include "analyzer/call-details.h".
1407         * call-summary.h: Likewise.
1408         * kf-analyzer.cc: New file, split out from
1409         region-model-impl-calls.cc.
1410         * kf-lang-cp.cc: Likewise.
1411         * known-function-manager.cc: Include "analyzer/call-details.h".
1412         * region-model-impl-calls.cc: Move definitions of call_details's
1413         member functions to call-details.cc.  Move class kf_analyzer_* to
1414         kf-analyzer.cc.  Move kf_operator_new and kf_operator_delete to
1415         kf-lang-cp.cc.  Refresh #includes accordingly.
1416         (register_known_functions): Replace registration of __analyzer_*
1417         functions with a call to register_known_analyzer_functions.
1418         Replace registration of C++ support functions with a call to
1419         register_known_functions_lang_cp.
1420         * region-model.h (class call_details): Move to new call-details.h.
1421         * sm-fd.cc: Include "analyzer/call-details.h".
1422         * sm-file.cc: Likewise.
1423         * sm-malloc.cc: Likewise.
1424         * varargs.cc: Likewise.
1426 2022-12-02  David Malcolm  <dmalcolm@redhat.com>
1428         * analyzer.h (struct event_loc_info): New forward decl.
1429         * bounds-checking.cc: Use event_loc_info throughout to bundle the
1430         loc, fndecl, depth triples.
1431         * call-info.cc: Likewise.
1432         * checker-event.cc: Likewise.
1433         * checker-event.h (struct event_loc_info): New decl.  Use it
1434         throughout to bundle the loc, fndecl, depth triples.
1435         * checker-path.cc: Likewise.
1436         * checker-path.h: Likewise.
1437         * diagnostic-manager.cc: Likewise.
1438         * engine.cc: Likewise.
1439         * infinite-recursion.cc: Likewise.
1440         * pending-diagnostic.cc: Likewise.
1441         * pending-diagnostic.h: Likewise.
1442         * region-model.cc: Likewise.
1443         * sm-signal.cc: Likewise.
1444         * varargs.cc: Likewise.
1446 2022-12-02  David Malcolm  <dmalcolm@redhat.com>
1448         PR analyzer/107851
1449         * analyzer.cc (make_label_text_n): Convert param "n" from int to
1450         unsigned HOST_WIDE_INT.
1451         * analyzer.h (make_label_text_n): Likewise for decl.
1452         * bounds-checking.cc: Include "analyzer/checker-event.h" and
1453         "analyzer/checker-path.h".
1454         (out_of_bounds::add_region_creation_events): New.
1455         (concrete_past_the_end::describe_region_creation_event): Replace
1456         with...
1457         (concrete_past_the_end::add_region_creation_events): ...this.
1458         (symbolic_past_the_end::describe_region_creation_event): Delete.
1459         * checker-event.cc (region_creation_event::region_creation_event):
1460         Update for dropping all member data.
1461         (region_creation_event::get_desc): Delete, splitting out into
1462         region_creation_event_memory_space::get_desc,
1463         region_creation_event_capacity::get_desc, and
1464         region_creation_event_debug::get_desc.
1465         (region_creation_event_memory_space::get_desc): New.
1466         (region_creation_event_capacity::get_desc): New.
1467         (region_creation_event_allocation_size::get_desc): New.
1468         (region_creation_event_debug::get_desc): New.
1469         * checker-event.h: Include "analyzer/program-state.h".
1470         (enum rce_kind): Delete.
1471         (class region_creation_event): Drop all member data.
1472         (region_creation_event::region_creation_event): Make protected.
1473         (region_creation_event::get_desc): Delete.
1474         (class region_creation_event_memory_space): New.
1475         (class region_creation_event_capacity): New.
1476         (class region_creation_event_allocation_size): New.
1477         (class region_creation_event_debug): New.
1478         * checker-path.cc (checker_path::add_region_creation_events): Add
1479         "pd" param.  Call pending_diagnostic::add_region_creation_events.
1480         Update for conversion of RCE_DEBUG to region_creation_event_debug.
1481         * checker-path.h (checker_path::add_region_creation_events): Add
1482         "pd" param.
1483         * diagnostic-manager.cc (diagnostic_manager::build_emission_path):
1484         Pass pending_diagnostic to
1485         emission_path::add_region_creation_events.
1486         (diagnostic_manager::build_emission_path): Pass path_builder to
1487         add_event_on_final_node.
1488         (diagnostic_manager::add_event_on_final_node): Add "pb" param.
1489         Pass pending_diagnostic to
1490         emission_path::add_region_creation_events.
1491         (diagnostic_manager::add_events_for_eedge): Pass
1492         pending_diagnostic to emission_path::add_region_creation_events.
1493         * diagnostic-manager.h
1494         (diagnostic_manager::add_event_on_final_node): Add "pb" param.
1495         * pending-diagnostic.cc
1496         (pending_diagnostic::add_region_creation_events): New.
1497         * pending-diagnostic.h (struct region_creation): Delete.
1498         (pending_diagnostic::describe_region_creation_event): Delete.
1499         (pending_diagnostic::add_region_creation_events): New vfunc.
1500         * region-model.cc: Include "analyzer/checker-event.h" and
1501         "analyzer/checker-path.h".
1502         (dubious_allocation_size::dubious_allocation_size): Initialize
1503         m_has_allocation_event.
1504         (dubious_allocation_size::describe_region_creation_event): Delete.
1505         (dubious_allocation_size::describe_final_event): Update for
1506         replacement of m_allocation_event with m_has_allocation_event.
1507         (dubious_allocation_size::add_region_creation_events): New.
1508         (dubious_allocation_size::m_allocation_event): Replace with...
1509         (dubious_allocation_size::m_has_allocation_event): ...this.
1511 2022-12-02  David Malcolm  <dmalcolm@redhat.com>
1513         PR analyzer/107948
1514         * region-model-manager.cc
1515         (region_model_manager::maybe_fold_binop): Fold (0 - VAL) to -VAL.
1516         * region-model.cc (region_model::eval_condition): Handle e.g.
1517         "-X <= 0" as equivalent to "X >= 0".
1519 2022-12-01  David Malcolm  <dmalcolm@redhat.com>
1521         PR analyzer/106626
1522         * bounds-checking.cc
1523         (symbolic_past_the_end::describe_final_event): Delete, moving to
1524         symbolic_buffer_overflow::describe_final_event and
1525         symbolic_buffer_over_read::describe_final_event, eliminating
1526         composition of text strings via "byte_str" and "m_dir_str".
1527         (symbolic_past_the_end::m_dir_str): Delete field.
1528         (symbolic_buffer_overflow::symbolic_buffer_overflow): Drop
1529         m_dir_str.
1530         (symbolic_buffer_overflow::describe_final_event): New, as noted
1531         above.
1532         (symbolic_buffer_over_read::symbolic_buffer_over_read): Drop
1533         m_dir_str.
1534         (symbolic_buffer_over_read::describe_final_event): New, as noted
1535         above.
1537 2022-12-01  David Malcolm  <dmalcolm@redhat.com>
1539         * bounds-checking.cc (class out_of_bounds): Split out from...
1540         (class concrete_out_of_bounds): New abstract subclass.
1541         (class past_the_end): Rename to...
1542         (class concrete_past_the_end): ...this, and make a subclass of
1543         concrete_out_of_bounds.
1544         (class buffer_overflow): Rename to...
1545         (class concrete_buffer_overflow): ...this, and make a subclass of
1546         concrete_past_the_end.
1547         (class buffer_over_read): Rename to...
1548         (class concrete_buffer_over_read): ...this, and make a subclass of
1549         concrete_past_the_end.
1550         (class buffer_underwrite): Rename to...
1551         (class concrete_buffer_underwrite): ...this, and make a subclass
1552         of concrete_out_of_bounds.
1553         (class buffer_under_read): Rename to...
1554         (class concrete_buffer_under_read): ...this, and make a subclass
1555         of concrete_out_of_bounds.
1556         (class symbolic_past_the_end): Convert to a subclass of
1557         out_of_bounds.
1558         (symbolic_buffer_overflow::get_kind): New.
1559         (symbolic_buffer_over_read::get_kind): New.
1560         (region_model::check_region_bounds): Update for renamings.
1561         * engine.cc (impl_sm_context::set_next_state): Eliminate
1562         "new_ctxt", passing NULL to get_rvalue instead.
1563         (impl_sm_context::warn): Likewise.
1565 2022-12-01  David Malcolm  <dmalcolm@redhat.com>
1567         PR analyzer/106626
1568         * bounds-checking.cc (out_of_bounds::get_memory_space): New.
1569         (buffer_overflow::emit): Use it.
1570         (class buffer_overread): Rename to...
1571         (class buffer_over_read): ...this.
1572         (buffer_over_read::emit): Specify which memory space the read is
1573         from, where known.  Change "overread" to "over-read".
1574         (class buffer_underflow): Rename to...
1575         (class buffer_underwrite): ...this.
1576         (buffer_underwrite::emit): Specify which memory space the write is
1577         to, where known.  Change "underflow" to "underwrite".
1578         (class buffer_underread): Rename to...
1579         (class buffer_under_read): Rename to...
1580         (buffer_under_read::emit): Specify which memory space the read is
1581         from, where known.  Change "underread" to "under-read".
1582         (symbolic_past_the_end::get_memory_space): New.
1583         (symbolic_buffer_overflow::emit): Use it.
1584         (class symbolic_buffer_overread): Rename to...
1585         (class symbolic_buffer_over_read): ...this.
1586         (symbolic_buffer_over_read::emit): Specify which memory space the
1587         read is from, where known.  Change "overread" to "over-read".
1588         (region_model::check_symbolic_bounds): Update for class renaming.
1589         (region_model::check_region_bounds): Likewise.
1591 2022-12-01  David Malcolm  <dmalcolm@redhat.com>
1593         PR analyzer/106626
1594         * bounds-checking.cc (out_of_bounds::maybe_describe_array_bounds):
1595         New.
1596         (buffer_overflow::emit): Call maybe_describe_array_bounds.
1597         (buffer_overread::emit): Likewise.
1598         (buffer_underflow::emit): Likewise.
1599         (buffer_underread::emit): Likewise.
1601 2022-12-01  David Malcolm  <dmalcolm@redhat.com>
1603         PR analyzer/106626
1604         * bounds-checking.cc (buffer_overflow::emit): Use inform_n.
1605         Update wording to clarify that we're talking about the size of
1606         the bad access, rather than its position.
1607         (buffer_overread::emit): Likewise.
1609 2022-12-01  David Malcolm  <dmalcolm@redhat.com>
1611         * bounds-checking.cc: New file, taken from region-model.cc.
1612         * region-model.cc (class out_of_bounds): Move to
1613         bounds-checking.cc.
1614         (class past_the_end): Likewise.
1615         (class buffer_overflow): Likewise.
1616         (class buffer_overread): Likewise.
1617         (class buffer_underflow): Likewise.
1618         (class buffer_underread): Likewise.
1619         (class symbolic_past_the_end): Likewise.
1620         (class symbolic_buffer_overflow): Likewise.
1621         (class symbolic_buffer_overread): Likewise.
1622         (region_model::check_symbolic_bounds): Likewise.
1623         (maybe_get_integer_cst_tree): Likewise.
1624         (region_model::check_region_bounds): Likewise.
1625         * region-model.h: Add comment.
1627 2022-12-01  David Malcolm  <dmalcolm@redhat.com>
1629         PR analyzer/107928
1630         * sm-fd.cc (fd_state_machine::on_bind): Handle m_constant_fd in
1631         the "success" outcome.
1632         (fd_state_machine::on_connect): Likewise.
1633         * sm-fd.dot: Add "constant_fd" state and its transitions.
1635 2022-11-30  David Malcolm  <dmalcolm@redhat.com>
1637         * region-model-impl-calls.cc (class kf_fgets): Move to sm-file.cc.
1638         (kf_fgets::impl_call_pre): Likewise.
1639         (class kf_fread): Likewise.
1640         (kf_fread::impl_call_pre): Likewise.
1641         (class kf_getchar): Likewise.
1642         (class kf_stdio_output_fn): Likewise.
1643         (register_known_functions): Move registration of
1644         BUILT_IN_FPRINTF, BUILT_IN_FPRINTF_UNLOCKED, BUILT_IN_FPUTC,
1645         BUILT_IN_FPUTC_UNLOCKED, BUILT_IN_FPUTS, BUILT_IN_FPUTS_UNLOCKED,
1646         BUILT_IN_FWRITE, BUILT_IN_FWRITE_UNLOCKED, BUILT_IN_PRINTF,
1647         BUILT_IN_PRINTF_UNLOCKED, BUILT_IN_PUTC, BUILT_IN_PUTCHAR,
1648         BUILT_IN_PUTCHAR_UNLOCKED, BUILT_IN_PUTC_UNLOCKED, BUILT_IN_PUTS,
1649         BUILT_IN_PUTS_UNLOCKED, BUILT_IN_VFPRINTF, BUILT_IN_VPRINTF,
1650         "getchar", "fgets", "fgets_unlocked", and "fread" to
1651         register_known_file_functions.
1652         * sm-file.cc (class kf_stdio_output_fn): Move here from
1653         region-model-impl-calls.cc.
1654         (class kf_fgets): Likewise.
1655         (class kf_fread): Likewise.
1656         (class kf_getchar): Likewise.
1657         (register_known_file_functions): Move registration of
1658         BUILT_IN_FPRINTF, BUILT_IN_FPRINTF_UNLOCKED, BUILT_IN_FPUTC,
1659         BUILT_IN_FPUTC_UNLOCKED, BUILT_IN_FPUTS, BUILT_IN_FPUTS_UNLOCKED,
1660         BUILT_IN_FWRITE, BUILT_IN_FWRITE_UNLOCKED, BUILT_IN_PRINTF,
1661         BUILT_IN_PRINTF_UNLOCKED, BUILT_IN_PUTC, BUILT_IN_PUTCHAR,
1662         BUILT_IN_PUTCHAR_UNLOCKED, BUILT_IN_PUTC_UNLOCKED, BUILT_IN_PUTS,
1663         BUILT_IN_PUTS_UNLOCKED, BUILT_IN_VFPRINTF, BUILT_IN_VPRINTF,
1664         "fgets", "fgets_unlocked", "fread", and "getchar" to here from
1665         register_known_functions.
1667 2022-11-30  David Malcolm  <dmalcolm@redhat.com>
1669         PR analyzer/103546
1670         * analyzer.h (register_known_file_functions): New decl.
1671         * program-state.cc (sm_state_map::replay_call_summary): Reject
1672         attempts to store sm-state for caller_sval that can't have
1673         associated state.
1674         * region-model-impl-calls.cc (register_known_functions): Call
1675         register_known_file_functions.
1676         * sm-fd.cc (class kf_isatty): New.
1677         (register_known_fd_functions): Register it.
1678         * sm-file.cc (class kf_ferror): New.
1679         (class kf_fileno): New.
1680         (class kf_getc): New.
1681         (register_known_file_functions): New.
1683 2022-11-30  David Malcolm  <dmalcolm@redhat.com>
1685         PR analyzer/105784
1686         * region-model-manager.cc
1687         (region_model_manager::maybe_fold_binop): For POINTER_PLUS_EXPR,
1688         PLUS_EXPR and MINUS_EXPR, eliminate requirement that the final
1689         type matches that of arg0 in favor of a cast.
1691 2022-11-24  Martin Liska  <mliska@suse.cz>
1693         * varargs.cc: Fix Clang warnings.
1695 2022-11-24  David Malcolm  <dmalcolm@redhat.com>
1697         PR analyzer/106473
1698         * call-summary.cc
1699         (call_summary_replay::convert_region_from_summary_1): Update for
1700         change to creation of heap-allocated regions.
1701         * program-state.cc (test_program_state_1): Likewise.
1702         (test_program_state_merging): Likewise.
1703         * region-model-impl-calls.cc (kf_calloc::impl_call_pre): Likewise.
1704         (kf_malloc::impl_call_pre): Likewise.
1705         (kf_operator_new::impl_call_pre): Likewise.
1706         (kf_realloc::impl_call_postsuccess_with_move::update_model): Likewise.
1707         * region-model-manager.cc
1708         (region_model_manager::create_region_for_heap_alloc): Convert
1709         to...
1710         (region_model_manager::get_or_create_region_for_heap_alloc):
1711         ...this, reusing an existing region if it's unreferenced in the
1712         client state.
1713         * region-model-manager.h (region_model_manager::get_num_regions): New.
1714          (region_model_manager::create_region_for_heap_alloc): Convert to...
1715          (region_model_manager::get_or_create_region_for_heap_alloc): ...this.
1716         * region-model.cc (region_to_value_map::can_merge_with_p): Reject
1717         merger when the values are different.
1718         (region_model::create_region_for_heap_alloc): Convert to...
1719         (region_model::get_or_create_region_for_heap_alloc): ...this.
1720         (region_model::get_referenced_base_regions): New.
1721         (selftest::test_state_merging):  Update for change to creation of
1722         heap-allocated regions.
1723         (selftest::test_malloc_constraints): Likewise.
1724         (selftest::test_malloc): Likewise.
1725         * region-model.h: Include "sbitmap.h".
1726         (region_model::create_region_for_heap_alloc): Convert to...
1727         (region_model::get_or_create_region_for_heap_alloc): ...this.
1728         (region_model::get_referenced_base_regions): New decl.
1729         * store.cc (store::canonicalize): Don't purge a heap-allocated region
1730         that's been marked as escaping.
1732 2022-11-24  David Malcolm  <dmalcolm@redhat.com>
1734         * checker-path.cc (checker_path::inject_any_inlined_call_events):
1735         Don't dump the address of the block when -fdump-noaddr.
1737 2022-11-24  David Malcolm  <dmalcolm@redhat.com>
1739         * region-model.h (region_model::on_socket): Delete decl.
1740         (region_model::on_bind): Likewise.
1741         (region_model::on_listen): Likewise.
1742         (region_model::on_accept): Likewise.
1743         (region_model::on_connect): Likewise.
1744         * sm-fd.cc (kf_socket::outcome_of_socket::update_model): Move body
1745         of region_model::on_socket into here, ...
1746         (region_model::on_socket): ...eliminating this function.
1747         (kf_bind::outcome_of_bind::update_model): Likewise for on_bind...
1748         (region_model::on_bind): ...eliminating this function.
1749         (kf_listen::outcome_of_listen::update_model): Likewise for
1750         on_listen...
1751         (region_model::on_listen): ...eliminating this function.
1752         (kf_accept::outcome_of_accept::update_model): Likewise for
1753         on_accept...
1754         (region_model::on_accept): ...eliminating this function.
1755         (kf_connect::outcome_of_connect::update_model): Likewise for
1756         on_connect...
1757         (region_model::on_connect): ...eliminating this function.
1759 2022-11-24  David Malcolm  <dmalcolm@redhat.com>
1761         * analyzer.h (register_known_fd_functions): New decl.
1762         * region-model-impl-calls.cc (class kf_accept): Move to sm-fd.cc.
1763         (class kf_bind): Likewise.
1764         (class kf_connect): Likewise.
1765         (class kf_listen): Likewise.
1766         (class kf_pipe): Likewise.
1767         (class kf_socket): Likewise.
1768         (register_known_functions): Remove registration of the above
1769         functions, instead calling register_known_fd_functions.
1770         * sm-fd.cc: Include "analyzer/call-info.h".
1771         (class kf_socket): Move here from region-model-impl-calls.cc.
1772         (class kf_bind): Likewise.
1773         (class kf_listen): Likewise.
1774         (class kf_accept): Likewise.
1775         (class kf_connect): Likewise.
1776         (class kf_pipe): Likewise.
1777         (register_known_fd_functions): New.
1779 2022-11-22  David Malcolm  <dmalcolm@redhat.com>
1781         PR analyzer/107788
1782         * known-function-manager.cc (known_function_manager::get_match):
1783         Don't look up fndecls by name when they're not in the root
1784         namespace.
1786 2022-11-22  David Malcolm  <dmalcolm@redhat.com>
1788         PR analyzer/107783
1789         * sm-fd.cc (fd_state_machine::check_for_new_socket_fd): Don't
1790         complain when old state is "fd-constant".
1791         (fd_state_machine::on_listen): Likewise.
1792         (fd_state_machine::on_accept): Likewise.
1794 2022-11-22  David Malcolm  <dmalcolm@redhat.com>
1796         PR analyzer/107807
1797         * region-model-impl-calls.cc (register_known_functions): Register
1798         "___errno" and "__error" as synonyms for "__errno_location".
1800 2022-11-22  David Malcolm  <dmalcolm@redhat.com>
1802         * analyzer.h (class internal_known_function): New.
1803         (register_varargs_builtins): New decl.
1804         * engine.cc (exploded_node::on_stmt_pre): Remove
1805         "out_terminate_path" param from call to region_model::on_stmt_pre.
1806         (feasibility_state::maybe_update_for_edge): Likewise.
1807         * known-function-manager.cc: Include "basic-block.h", "gimple.h",
1808         and "analyzer/region-model.h".
1809         (known_function_manager::known_function_manager): Initialize
1810         m_combined_fns_arr.
1811         (known_function_manager::~known_function_manager): Clean up
1812         m_combined_fns_arr.
1813         (known_function_manager::get_by_identifier): Make const.
1814         (known_function_manager::add): New overloaded definitions for
1815         enum built_in_function and enum internal_fn.
1816         (known_function_manager::get_by_fndecl): Delete.
1817         (known_function_manager::get_match): New.
1818         (known_function_manager::get_internal_fn): New.
1819         (known_function_manager::get_normal_builtin): New.
1820         * known-function-manager.h
1821         (known_function_manager::get_by_identifier): Make private and
1822         add const qualifier.
1823         (known_function_manager::get_by_fndecl): Delete.
1824         (known_function_manager::add): Add overloaded decls for
1825         enum built_in_function name and enum internal_fn.
1826         (known_function_manager::get_match): New decl.
1827         (known_function_manager::get_internal_fn): New decl.
1828         (known_function_manager::get_normal_builtin): New decl.
1829         (known_function_manager::m_combined_fns_arr): New field.
1830         * region-model-impl-calls.cc (call_details::arg_is_size_p): New.
1831         (class kf_alloca): New.
1832         (region_model::impl_call_alloca): Convert to...
1833         (kf_alloca::impl_call_pre): ...this.
1834         (kf_analyzer_dump_capacity::matches_call_types_p): Rewrite check
1835         to use call_details::arg_is_pointer_p.
1836         (region_model::impl_call_builtin_expect): Convert to...
1837         (class kf_expect): ...this.
1838         (class kf_calloc): New, adding check that both arguments are
1839         size_t.
1840         (region_model::impl_call_calloc): Convert to...
1841         (kf_calloc::impl_call_pre): ...this.
1842         (kf_connect::matches_call_types_p): Rewrite check to use
1843         call_details::arg_is_pointer_p.
1844         (region_model::impl_call_error): Convert to...
1845         (class kf_error): ...this, and...
1846         (kf_error::impl_call_pre): ...this.
1847         (class kf_fgets): New, adding checks that args 0 and 2 are
1848         pointers.
1849         (region_model::impl_call_fgets): Convert to...
1850         (kf_fgets::impl_call_pre): ...this.
1851         (class kf_fread): New, adding checks on the argument types.
1852         (region_model::impl_call_fread): Convert to...
1853         (kf_fread::impl_call_pre): ...this.
1854         (class kf_free): New, adding check that the argument is a pointer.
1855         (region_model::impl_call_free): Convert to...
1856         (kf_free::impl_call_post): ...this.
1857         (class kf_getchar): New.
1858         (class kf_malloc): New, adding check that the argument is a
1859         size_t.
1860         (region_model::impl_call_malloc): Convert to...
1861         (kf_malloc::impl_call_pre): ...this.
1862         (class kf_memcpy): New, adding checks on arguments.
1863         (region_model::impl_call_memcpy): Convert to...
1864         (kf_memcpy::impl_call_pre): ...this.
1865         (class kf_memset): New.
1866         (region_model::impl_call_memset): Convert to...
1867         (kf_memset::impl_call_pre): ...this.
1868         (kf_pipe::matches_call_types_p): Rewrite check to use
1869         call_details::arg_is_pointer_p.
1870         (kf_putenv::matches_call_types_p): Likewise.
1871         (class kf_realloc): New, adding checks on the argument types.
1872         (region_model::impl_call_realloc): Convert to...
1873         (kf_realloc::impl_call_post): ...this.
1874         (class kf_strchr): New.
1875         (region_model::impl_call_strchr): Convert to...
1876         (kf_strchr::impl_call_post): ...this.
1877         (class kf_stack_restore): New.
1878         (class kf_stack_save): New.
1879         (class kf_stdio_output_fn): New.
1880         (class kf_strcpy): New.
1881         (region_model::impl_call_strcpy): Convert to...
1882         (kf_strcpy::impl_call_pre): ...this.
1883         (class kf_strlen): New.
1884         (region_model::impl_call_strlen): Convert to...
1885         (kf_strlen::impl_call_pre): ...this.
1886         (class kf_ubsan_bounds): New.
1887         (region_model::impl_deallocation_call): Reimplement to avoid call
1888         to impl_call_free.
1889         (register_known_functions): Add handlers for IFN_BUILTIN_EXPECT
1890         and IFN_UBSAN_BOUNDS.  Add handlers for BUILT_IN_ALLOCA,
1891         BUILT_IN_ALLOCA_WITH_ALIGN, BUILT_IN_CALLOC, BUILT_IN_EXPECT,
1892         BUILT_IN_EXPECT_WITH_PROBABILITY, BUILT_IN_FPRINTF,
1893         BUILT_IN_FPRINTF_UNLOCKED, BUILT_IN_FPUTC,
1894         BUILT_IN_FPUTC_UNLOCKED, BUILT_IN_FPUTS, BUILT_IN_FPUTS_UNLOCKED,
1895         BUILT_IN_FREE, BUILT_IN_FWRITE, BUILT_IN_FWRITE_UNLOCKED,
1896         BUILT_IN_MALLOC, BUILT_IN_MEMCPY, BUILT_IN_MEMCPY_CHK,
1897         BUILT_IN_MEMSET, BUILT_IN_MEMSET_CHK, BUILT_IN_PRINTF,
1898         BUILT_IN_PRINTF_UNLOCKED, BUILT_IN_PUTC, BUILT_IN_PUTCHAR,
1899         BUILT_IN_PUTCHAR_UNLOCKED, BUILT_IN_PUTC_UNLOCKED, BUILT_IN_PUTS,
1900         BUILT_IN_PUTS_UNLOCKED, BUILT_IN_REALLOC, BUILT_IN_STACK_RESTORE,
1901         BUILT_IN_STACK_SAVE, BUILT_IN_STRCHR, BUILT_IN_STRCPY,
1902         BUILT_IN_STRCPY_CHK, BUILT_IN_STRLEN, BUILT_IN_VFPRINTF, and
1903         BUILT_IN_VPRINTF. Call register_varargs_builtins.  Add handlers
1904         for "getchar", "memset", "fgets", "fgets_unlocked", "fread",
1905         "error", and "error_at_line".
1906         * region-model.cc (region_model::on_stmt_pre): Drop
1907         "out_terminate_path" param.
1908         (region_model::get_known_function): Reimplement by calling
1909         known_function_manager::get_match, passing new "cd" param.
1910         Add overload taking enum internal_fn.
1911         (region_model::on_call_pre): Drop "out_terminate_path" param.
1912         Remove special-case handling of internal fns IFN_BUILTIN_EXPECT,
1913         IFN_UBSAN_BOUNDS, and IFN_VA_ARG, of built-in fns BUILT_IN_ALLOCA,
1914         BUILT_IN_ALLOCA_WITH_ALIGN, BUILT_IN_CALLOC, BUILT_IN_EXPECT,
1915         BUILT_IN_EXPECT_WITH_PROBABILITY, BUILT_IN_FREE, BUILT_IN_MALLOC,
1916         BUILT_IN_MEMCPY, BUILT_IN_MEMCPY_CHK, BUILT_IN_MEMSET,
1917         BUILT_IN_MEMSET_CHK, BUILT_IN_REALLOC, BUILT_IN_STRCHR,
1918         BUILT_IN_STRCPY, BUILT_IN_STRCPY_CHK, BUILT_IN_STRLEN,
1919         BUILT_IN_STACK_SAVE, BUILT_IN_STACK_RESTORE, BUILT_IN_FPRINTF,
1920         BUILT_IN_FPRINTF_UNLOCKED, BUILT_IN_PUTC, BUILT_IN_PUTC_UNLOCKED,
1921         BUILT_IN_FPUTC, BUILT_IN_FPUTC_UNLOCKED, BUILT_IN_FPUTS,
1922         BUILT_IN_FPUTS_UNLOCKED, BUILT_IN_FWRITE,
1923         BUILT_IN_FWRITE_UNLOCKED, BUILT_IN_PRINTF,
1924         BUILT_IN_PRINTF_UNLOCKED, BUILT_IN_PUTCHAR,
1925         BUILT_IN_PUTCHAR_UNLOCKED, BUILT_IN_PUTS, BUILT_IN_PUTS_UNLOCKED,
1926         BUILT_IN_VFPRINTF, BUILT_IN_VPRINTF, BUILT_IN_VA_START, and
1927         BUILT_IN_VA_COPY, and of named functions "malloc", "calloc",
1928         "alloca", "realloc", "error", "error_at_line", "fgets",
1929         "fgets_unlocked", "fread", "getchar", "memset", "strchr", and
1930         "strlen".  Replace all this special-casing with calls to
1931         get_known_function for internal fns and for fn decls.
1932         (region_model::on_call_post): Remove special-casing handling for
1933         "free" and "strchr", and for BUILT_IN_REALLOC, BUILT_IN_STRCHR,
1934         and BUILT_IN_VA_END.  Replace by consolidating on usage of
1935         get_known_function.
1936         * region-model.h (call_details::arg_is_size_p): New.
1937         (region_model::on_stmt_pre): Drop "out_terminate_path" param.
1938         (region_model::on_call_pre): Likewise.
1939         (region_model::impl_call_alloca): Delete.
1940         (region_model::impl_call_builtin_expect): Delete.
1941         (region_model::impl_call_calloc): Delete.
1942         (region_model::impl_call_error): Delete.
1943         (region_model::impl_call_fgets): Delete.
1944         (region_model::impl_call_fread): Delete.
1945         (region_model::impl_call_free): Delete.
1946         (region_model::impl_call_malloc): Delete.
1947         (region_model::impl_call_memcpy): Delete.
1948         (region_model::impl_call_memset): Delete.
1949         (region_model::impl_call_realloc): Delete.
1950         (region_model::impl_call_strchr): Delete.
1951         (region_model::impl_call_strcpy): Delete.
1952         (region_model::impl_call_strlen): Delete.
1953         (region_model::impl_call_va_start): Delete.
1954         (region_model::impl_call_va_copy): Delete.
1955         (region_model::impl_call_va_arg): Delete.
1956         (region_model::impl_call_va_end): Delete.
1957         (region_model::check_region_for_write): Public.
1958         (region_model::get_known_function): Add "cd" param.  Add
1959         overloaded decl taking enum internal_fn.
1960         * sm-malloc.cc: Update comments.
1961         * varargs.cc (class kf_va_start): New.
1962         (region_model::impl_call_va_start): Convert to...
1963         (kf_va_start::impl_call_pre): ...this.
1964         (class kf_va_copy): New.
1965         (region_model::impl_call_va_copy): Convert to...
1966         (kf_va_copy::impl_call_pre): ...this.
1967         (class kf_va_arg): New.
1968         (region_model::impl_call_va_arg): Convert to...
1969         (kf_va_arg::impl_call_pre): ...this.
1970         (class kf_va_end): New.
1971         (region_model::impl_call_va_end): Delete.
1972         (register_varargs_builtins): New.
1974 2022-11-22  David Malcolm  <dmalcolm@redhat.com>
1976         PR analyzer/107788
1977         * region-model.cc (region_model::update_for_int_cst_return):
1978         Require that the return type be an integer type.
1979         (region_model::update_for_nonzero_return): Likewise.
1981 2022-11-22  David Malcolm  <dmalcolm@redhat.com>
1983         PR analyzer/107783
1984         * region-model-impl-calls.cc (kf_accept::matches_call_types_p):
1985         Require that args 1 and 2 be pointers.
1986         (kf_bind::matches_call_types_p): Require that arg 1 be a pointer.
1987         * region-model.h (call_details::arg_is_pointer_p): New.
1989 2022-11-22  David Malcolm  <dmalcolm@redhat.com>
1991         PR analyzer/107777
1992         * call-summary.cc
1993         (call_summary_replay::convert_region_from_summary_1): Handle
1994         RK_THREAD_LOCAL and RK_ERRNO in switch.
1995         * region-model.cc (region_model::get_representative_path_var_1):
1996         Likewise.
1998 2022-11-19  David Malcolm  <dmalcolm@redhat.com>
2000         PR analyzer/107582
2001         * engine.cc (dynamic_call_info_t::update_model): Update the model
2002         by pushing or popping a frame, rather than by clobbering it with
2003         the model from the exploded_node's state.
2005 2022-11-18  David Malcolm  <dmalcolm@redhat.com>
2007         * analyzer.cc (is_pipe_call_p): Delete.
2008         * analyzer.h (is_pipe_call_p): Delete.
2009         * region-model-impl-calls.cc (call_details::get_location): New.
2010         (class kf_analyzer_break): New, adapted from
2011         region_model::on_stmt_pre.
2012         (region_model::impl_call_analyzer_describe): Convert to...
2013         (class kf_analyzer_describe): ...this.
2014         (region_model::impl_call_analyzer_dump_capacity): Convert to...
2015         (class kf_analyzer_dump_capacity): ...this.
2016         (region_model::impl_call_analyzer_dump_escaped): Convert to...
2017         (class kf_analyzer_dump_escaped): ...this.
2018         (class kf_analyzer_dump_exploded_nodes): New.
2019         (region_model::impl_call_analyzer_dump_named_constant): Convert
2020         to...
2021         (class kf_analyzer_dump_named_constant): ...this.
2022         (class dump_path_diagnostic): Move here from region-model.cc.
2023         (class kf_analyzer_dump_path): New, adapted from
2024         region_model::on_stmt_pre.
2025         (class kf_analyzer_dump_region_model): Likewise.
2026         (region_model::impl_call_analyzer_eval): Convert to...
2027         (class kf_analyzer_eval): ...this.
2028         (region_model::impl_call_analyzer_get_unknown_ptr): Convert to...
2029         (class kf_analyzer_get_unknown_ptr): ...this.
2030         (class known_function_accept): Rename to...
2031         (class kf_accept): ...this.
2032         (class known_function_bind): Rename to...
2033         (class kf_bind): ...this.
2034         (class known_function_connect): Rename to...
2035         (class kf_connect): ...this.
2036         (region_model::impl_call_errno_location): Convert to...
2037         (class kf_errno_location): ...this.
2038         (class known_function_listen): Rename to...
2039         (class kf_listen): ...this.
2040         (region_model::impl_call_pipe): Convert to...
2041         (class kf_pipe): ...this.
2042         (region_model::impl_call_putenv): Convert to...
2043         (class kf_putenv): ...this.
2044         (region_model::impl_call_operator_new): Convert to...
2045         (class kf_operator_new): ...this.
2046         (region_model::impl_call_operator_delete): Convert to...
2047         (class kf_operator_delete): ...this.
2048         (class known_function_socket): Rename to...
2049         (class kf_socket): ...this.
2050         (register_known_functions): Rename param to KFM.  Break out
2051         existing known functions into a "POSIX" section, and add "pipe",
2052         "pipe2", and "putenv".  Add debugging functions
2053         "__analyzer_break", "__analyzer_describe",
2054         "__analyzer_dump_capacity", "__analyzer_dump_escaped",
2055         "__analyzer_dump_exploded_nodes",
2056         "__analyzer_dump_named_constant", "__analyzer_dump_path",
2057         "__analyzer_dump_region_model", "__analyzer_eval",
2058         "__analyzer_get_unknown_ptr".  Add C++ support functions
2059         "operator new", "operator new []", "operator delete", and
2060         "operator delete []".
2061         * region-model.cc (class dump_path_diagnostic): Move to
2062         region-model-impl-calls.cc.
2063         (region_model::on_stmt_pre): Eliminate special-casing of
2064         "__analyzer_describe", "__analyzer_dump_capacity",
2065         "__analyzer_dump_escaped", "__analyzer_dump_named_constant",
2066         "__analyzer_dump_path", "__analyzer_dump_region_model",
2067         "__analyzer_eval", "__analyzer_break",
2068         "__analyzer_dump_exploded_nodes", "__analyzer_get_unknown_ptr",
2069         "__errno_location", "pipe", "pipe2", "putenv", "operator new",
2070         "operator new []", "operator delete", and "operator delete []",
2071         handling them instead via the known_functions
2072         mechanism.
2073         * region-model.h (call_details::get_location): New decl.
2074         (region_model::impl_call_analyzer_describe): Delete decl.
2075         (region_model::impl_call_analyzer_dump_capacity): Delete decl.
2076         (region_model::impl_call_analyzer_dump_escaped): Delete decl.
2077         (region_model::impl_call_analyzer_dump_named_constant): Delete decl.
2078         (region_model::impl_call_analyzer_eval): Delete decl.
2079         (region_model::impl_call_analyzer_get_unknown_ptr): Delete decl.
2080         (region_model::impl_call_errno_location): Delete decl.
2081         (region_model::impl_call_pipe): Delete decl.
2082         (region_model::impl_call_putenv): Delete decl.
2083         (region_model::impl_call_operator_new): Delete decl.
2084         (region_model::impl_call_operator_delete): Delete decl.
2085         * sm-fd.cc: Update comments.
2087 2022-11-16  David Malcolm  <dmalcolm@redhat.com>
2089         PR analyzer/107711
2090         * analyzer-language.cc: Include "diagnostic.h".
2091         (maybe_stash_named_constant): Add logger param and use it to log
2092         the name being looked up, and the result.
2093         (stash_named_constants): New, splitting out from...
2094         (on_finish_translation_unit): ...this function.  Call
2095         get_or_create_logfile and use the result to create a logger
2096         instance, passing it to stash_named_constants.
2097         * analyzer.h (get_or_create_any_logfile): New decl.
2098         * engine.cc (dump_fout, owns_dump_fout): New globals, split out
2099         from run_checkers.
2100         (get_or_create_any_logfile): New function, split out from...
2101         (run_checkers): ...here, so that the logfile can be opened by
2102         on_finish_translation_unit.  Clear the globals when closing the
2103         dump file.
2105 2022-11-16  David Malcolm  <dmalcolm@redhat.com>
2107         * analyzer.h (known_function::matches_call_types_p): New vfunc.
2108         (known_function::impl_call_pre): Provide base implementation.
2109         (known_function::impl_call_post): New vfunc.
2110         (register_known_functions): New.
2111         * engine.cc (impl_run_checkers): Call register_known_functions.
2112         * region-model-impl-calls.cc (region_model::impl_call_accept):
2113         Convert to...
2114         (class known_function_accept): ...this.
2115         (region_model::impl_call_bind): Convert to...
2116         (class known_function_bind): ...this.
2117         (region_model::impl_call_connect): Convert to...
2118         (class known_function_connect): ...this.
2119         (region_model::impl_call_listen): Convert to...
2120         (class known_function_listen): ...this.
2121         (region_model::impl_call_socket): Convert to...
2122         (class known_function_socket): ...this.
2123         (register_known_functions): New.
2124         * region-model.cc (region_model::on_call_pre): Remove special
2125         case for "bind" in favor of the known_function-handling dispatch.
2126         Add call to known_function::matches_call_types_p to the latter.
2127         (region_model::on_call_post): Remove special cases for "accept",
2128         "bind", "connect", "listen", and "socket" in favor of dispatch
2129         to known_function::impl_call_post.
2130         * region-model.h (region_model::impl_call_accept): Delete decl.
2131         (region_model::impl_call_bind): Delete decl.
2132         (region_model::impl_call_connect): Delete decl.
2133         (region_model::impl_call_listen): Delete decl.
2134         (region_model::impl_call_socket): Delete decl.
2135         * sm-fd.cc: Update comments.
2137 2022-11-16  David Malcolm  <dmalcolm@redhat.com>
2139         * checker-event.cc: New file, split out from...
2140         * checker-path.cc: ...this file.
2142 2022-11-15  David Malcolm  <dmalcolm@redhat.com>
2144         PR analyzer/106140
2145         * analyzer-language.cc (on_finish_translation_unit): Stash named
2146         constants "SOCK_STREAM" and "SOCK_DGRAM".
2147         * analyzer.opt (Wanalyzer-fd-phase-mismatch): New.
2148         (Wanalyzer-fd-type-mismatch): New.
2149         * engine.cc (impl_region_model_context::get_state_map_by_name):
2150         Add "out_sm_context" param.  Allow out_sm_idx to be NULL.
2151         * exploded-graph.h
2152         (impl_region_model_context::get_state_map_by_name):
2153         Add "out_sm_context" param.
2154         * region-model-impl-calls.cc (region_model::impl_call_accept): New.
2155         (region_model::impl_call_bind): New.
2156         (region_model::impl_call_connect): New.
2157         (region_model::impl_call_listen): New.
2158         (region_model::impl_call_socket): New.
2159         * region-model.cc (region_model::on_call_pre): Special-case
2160         "bind".
2161         (region_model::on_call_post): Special-case "accept", "bind",
2162         "connect", "listen", and "socket".
2163         * region-model.h (region_model::impl_call_accept): New decl.
2164         (region_model::impl_call_bind): New decl.
2165         (region_model::impl_call_connect): New decl.
2166         (region_model::impl_call_listen): New decl.
2167         (region_model::impl_call_socket): New decl.
2168         (region_model::on_socket): New decl.
2169         (region_model::on_bind): New decl.
2170         (region_model::on_listen): New decl.
2171         (region_model::on_accept): New decl.
2172         (region_model::on_connect): New decl.
2173         (region_model::add_constraint): Make public.
2174         (region_model::check_for_poison): Make public.
2175         (region_model_context::get_state_map_by_name): Add out_sm_context param.
2176         (region_model_context::get_fd_map): Likewise.
2177         (region_model_context::get_malloc_map): Likewise.
2178         (region_model_context::get_taint_map): Likewise.
2179         (noop_region_model_context::get_state_map_by_name): Likewise.
2180         (region_model_context_decorator::get_state_map_by_name): Likewise.
2181         * sm-fd.cc: Include "analyzer/supergraph.h" and
2182         "analyzer/analyzer-language.h".
2183         (enum expected_phase): New enum.
2184         (fd_state_machine::m_new_datagram_socket): New.
2185         (fd_state_machine::m_new_stream_socket): New.
2186         (fd_state_machine::m_new_unknown_socket): New.
2187         (fd_state_machine::m_bound_datagram_socket): New.
2188         (fd_state_machine::m_bound_stream_socket): New.
2189         (fd_state_machine::m_bound_unknown_socket): New.
2190         (fd_state_machine::m_listening_stream_socket): New.
2191         (fd_state_machine::m_connected_stream_socket): New.
2192         (fd_state_machine::m_SOCK_STREAM): New.
2193         (fd_state_machine::m_SOCK_DGRAM): New.
2194         (fd_diagnostic::describe_state_change): Handle socket states.
2195         (fd_diagnostic::get_meaning_for_state_change): Likewise.
2196         (class fd_phase_mismatch): New.
2197         (enum expected_type): New enum.
2198         (class fd_type_mismatch): New.
2199         (fd_state_machine::fd_state_machine): Initialize new states and
2200         stashed named constants.
2201         (fd_state_machine::is_socket_fd_p): New.
2202         (fd_state_machine::is_datagram_socket_fd_p): New.
2203         (fd_state_machine::is_stream_socket_fd_p): New.
2204         (fd_state_machine::on_close): Handle the socket states.
2205         (fd_state_machine::check_for_open_fd): Complain about fncalls on
2206         sockets in the wrong phase.  Support socket FDs.
2207         (add_constraint_ge_zero): New.
2208         (fd_state_machine::get_state_for_socket_type): New.
2209         (fd_state_machine::on_socket): New.
2210         (fd_state_machine::check_for_socket_fd): New.
2211         (fd_state_machine::check_for_new_socket_fd): New.
2212         (fd_state_machine::on_bind): New.
2213         (fd_state_machine::on_listen): New.
2214         (fd_state_machine::on_accept): New.
2215         (fd_state_machine::on_connect): New.
2216         (fd_state_machine::can_purge_p): Don't purge socket values.
2217         (get_fd_state): New.
2218         (region_model::mark_as_valid_fd): Use get_fd_state.
2219         (region_model::on_socket): New.
2220         (region_model::on_bind): New.
2221         (region_model::on_listen): New.
2222         (region_model::on_accept): New.
2223         (region_model::on_connect): New.
2224         * sm-fd.dot: Update to reflect sm-fd.cc changes.
2226 2022-11-15  David Malcolm  <dmalcolm@redhat.com>
2228         PR analyzer/106302
2229         * analyzer-language.cc: New file.
2230         * analyzer-language.h: New file.
2231         * analyzer.h (get_stashed_constant_by_name): New decl.
2232         (log_stashed_constants): New decl.
2233         * engine.cc (impl_run_checkers): Call log_stashed_constants.
2234         * region-model-impl-calls.cc
2235         (region_model::impl_call_analyzer_dump_named_constant): New.
2236         * region-model.cc (region_model::on_stmt_pre): Handle
2237         __analyzer_dump_named_constant.
2238         * region-model.h
2239         (region_model::impl_call_analyzer_dump_named_constant): New decl.
2240         * sm-fd.cc (fd_state_machine::m_O_ACCMODE): New.
2241         (fd_state_machine::m_O_RDONLY): New.
2242         (fd_state_machine::m_O_WRONLY): New.
2243         (fd_state_machine::fd_state_machine): Initialize the new fields.
2244         (fd_state_machine::get_access_mode_from_flag): Use the new fields,
2245         rather than using the host values.
2247 2022-11-13  David Malcolm  <dmalcolm@redhat.com>
2249         PR analyzer/106235
2250         * analyzer.opt (Wanalyzer-tainted-assertion): New.
2251         * checker-path.cc (checker_path::fixup_locations): Pass false to
2252         pending_diagnostic::fixup_location.
2253         * diagnostic-manager.cc (get_emission_location): Pass true to
2254         pending_diagnostic::fixup_location.
2255         * pending-diagnostic.cc (pending_diagnostic::fixup_location): Add
2256         bool param.
2257         * pending-diagnostic.h (pending_diagnostic::fixup_location): Add
2258         bool param to decl.
2259         * sm-taint.cc (taint_state_machine::m_tainted_control_flow): New.
2260         (taint_diagnostic::describe_state_change): Drop "final".
2261         (class tainted_assertion): New.
2262         (taint_state_machine::taint_state_machine): Initialize
2263         m_tainted_control_flow.
2264         (taint_state_machine::alt_get_inherited_state): Support
2265         comparisons being tainted, based on their arguments.
2266         (is_assertion_failure_handler_p): New.
2267         (taint_state_machine::on_stmt): Complain about calls to assertion
2268         failure handlers guarded by an attacker-controlled conditional.
2269         Detect attacker-controlled gcond conditionals and gswitch index
2270         values.
2271         (taint_state_machine::check_control_flow_arg_for_taint): New.
2273 2022-11-11  David Malcolm  <dmalcolm@redhat.com>
2275         * sm-fd.dot: Fix typo in comment.
2276         * sm-file.dot: New file.
2277         * varargs.cc: Fix typo in comment.
2278         * varargs.dot: New file.
2280 2022-11-11  David Malcolm  <dmalcolm@redhat.com>
2282         * checker-path.h: Split out checker_event and its subclasses to...
2283         * checker-event.h: ...this new header.
2285 2022-11-11  David Malcolm  <dmalcolm@redhat.com>
2287         PR analyzer/106147
2288         * analyzer.opt (Wanalyzer-infinite-recursion): New.
2289         * call-string.cc (call_string::count_occurrences_of_function):
2290         New.
2291         * call-string.h (call_string::count_occurrences_of_function): New
2292         decl.
2293         * checker-path.cc (function_entry_event::function_entry_event):
2294         New ctor.
2295         (checker_path::add_final_event): Delete.
2296         * checker-path.h (function_entry_event::function_entry_event): New
2297         ctor.
2298         (function_entry_event::get_desc): Drop "final".
2299         (checker_path::add_final_event): Delete.
2300         * diagnostic-manager.cc
2301         (diagnostic_manager::emit_saved_diagnostic): Create the final
2302         event via a new pending_diagnostic::add_final_event vfunc, rather
2303         than checker_path::add_final_event.
2304         (diagnostic_manager::add_events_for_eedge): Create function entry
2305         events via a new pending_diagnostic::add_function_entry_event
2306         vfunc.
2307         * engine.cc (exploded_graph::process_node): When creating a new
2308         PK_BEFORE_SUPERNODE node, call
2309         exploded_graph::detect_infinite_recursion on it after adding the
2310         in-edge.
2311         * exploded-graph.h (exploded_graph::detect_infinite_recursion):
2312         New decl.
2313         (exploded_graph::find_previous_entry_to): New decl.
2314         * infinite-recursion.cc: New file.
2315         * pending-diagnostic.cc
2316         (pending_diagnostic::add_function_entry_event): New.
2317         (pending_diagnostic::add_final_event): New.
2318         * pending-diagnostic.h
2319         (pending_diagnostic::add_function_entry_event): New vfunc.
2320         (pending_diagnostic::add_final_event): New vfunc.
2322 2022-11-10  David Malcolm  <dmalcolm@redhat.com>
2324         PR analyzer/99671
2325         * analyzer.opt (Wanalyzer-deref-before-check): New warning.
2326         * diagnostic-manager.cc
2327         (null_assignment_sm_context::set_next_state): Only add state
2328         change events for transition to "null" state.
2329         (null_assignment_sm_context::is_transition_to_null): New.
2330         * engine.cc (impl_region_model_context::on_pop_frame): New.
2331         * exploded-graph.h (impl_region_model_context::on_pop_frame): New
2332         decl.
2333         * program-state.cc (sm_state_map::clear_any_state): New.
2334         (sm_state_map::can_merge_with_p): New.
2335         (program_state::can_merge_with_p): Replace requirement that
2336         sm-states be equal in favor of an attempt to merge them.
2337         * program-state.h (sm_state_map::clear_any_state): New decl.
2338         (sm_state_map::can_merge_with_p): New decl.
2339         * region-model.cc (region_model::eval_condition): Make const.
2340         (region_model::pop_frame): Call ctxt->on_pop_frame.
2341         * region-model.h (region_model::eval_condition): Make const.
2342         (region_model_context::on_pop_frame): New vfunc.
2343         (noop_region_model_context::on_pop_frame): New.
2344         (region_model_context_decorator::on_pop_frame): New.
2345         * sm-malloc.cc (enum resource_state): Add RS_ASSUMED_NON_NULL.
2346         (allocation_state::dump_to_pp): Drop "final".
2347         (struct assumed_non_null_state): New subclass.
2348         (malloc_state_machine::m_assumed_non_null): New.
2349         (assumed_non_null_p): New.
2350         (class deref_before_check): New.
2351         (assumed_non_null_state::dump_to_pp): New.
2352         (malloc_state_machine::get_or_create_assumed_non_null_state_for_frame):
2353         New.
2354         (malloc_state_machine::maybe_assume_non_null): New.
2355         (malloc_state_machine::on_stmt): Transition from start state to
2356         "assumed-non-null" state for pointers passed to
2357         __attribute__((nonnull)) arguments, and for pointers explicitly
2358         dereferenced.  Call maybe_complain_about_deref_before_check for
2359         pointers explicitly compared against NULL.
2360         (malloc_state_machine::maybe_complain_about_deref_before_check):
2361         New.
2362         (malloc_state_machine::on_deallocator_call): Also transition
2363         "assumed-non-null" states to "freed".
2364         (malloc_state_machine::on_pop_frame): New.
2365         (malloc_state_machine::maybe_get_merged_states_nonequal): New.
2366         * sm-malloc.dot: Update for changes to sm-malloc.cc.
2367         * sm.h (state_machine::on_pop_frame): New.
2368         (state_machine::maybe_get_merged_state): New.
2369         (state_machine::maybe_get_merged_states_nonequal): New.
2371 2022-11-09  David Malcolm  <dmalcolm@redhat.com>
2373         * checker-path.cc (checker_event::debug): New.
2374         (checker_path::add_event): Move here from checker-path.h.  Add
2375         logging.
2376         * checker-path.h (checker_event::debug): New decl.
2377         (checker_path::checker_path): Add logger param.
2378         (checker_path::add_event): Move definition from here to
2379         checker-path.cc.
2380         (checker_path::m_logger): New field.
2381         * diagnostic-manager.cc
2382         (diagnostic_manager::emit_saved_diagnostic): Pass logger to
2383         checker_path ctor.
2384         (diagnostic_manager::add_events_for_eedge): Log scope when
2385         processing a run of stmts.
2387 2022-11-08  David Malcolm  <dmalcolm@redhat.com>
2389         PR analyzer/101962
2390         * region-model-impl-calls.cc: Update comment.
2391         * region-model.cc (region_model::check_symbolic_bounds): Fix
2392         layout of "void" return.  Replace usage of
2393         eval_condition_without_cm with eval_condition.
2394         (region_model::eval_condition): Take over body of...
2395         (region_model::eval_condition_without_cm): ...this subroutine,
2396         dropping the latter.  Eliminating this distinction avoids issues
2397         where constraints were not considered when recursing.
2398         (region_model::compare_initial_and_pointer): Update comment.
2399         (region_model::symbolic_greater_than): Replace usage of
2400         eval_condition_without_cm with eval_condition.
2401         * region-model.h
2402         (region_model::eval_condition_without_cm): Delete decl.
2404 2022-11-08  David Malcolm  <dmalcolm@redhat.com>
2406         * region-model-impl-calls.cc
2407         (region_model::impl_call_errno_location): New.
2408         * region-model-manager.cc
2409         (region_model_manager::region_model_manager): Initialize
2410         m_thread_local_region and m_errno_region.
2411         * region-model-manager.h (region_model_manager::get_errno_region):
2412         New accessor.
2413         (region_model_manager::m_thread_local_region): New.
2414         (region_model_manager::m_errno_region): New.
2415         * region-model.cc (region_model::on_call_pre): Special-case
2416         "__errno_location".
2417         (region_model::set_errno): New.
2418         * region-model.h (impl_call_errno_location): New decl.
2419         (region_model::set_errno): New decl.
2420         * region.cc (thread_local_region::dump_to_pp): New.
2421         (errno_region::dump_to_pp): New.
2422         * region.h (enum memory_space): Add MEMSPACE_THREAD_LOCAL.
2423         (enum region_kind): Add RK_THREAD_LOCAL and RK_ERRNO.
2424         (class thread_local_region): New.
2425         (is_a_helper <const thread_local_region *>::test): New.
2426         (class errno_region): New.
2427         (is_a_helper <const errno_region *>::test): New.
2428         * store.cc (binding_cluster::escaped_p): New.
2429         (store::escaped_p): Treat errno as always having escaped.
2430         (store::replay_call_summary_cluster): Handle RK_THREAD_LOCAL and
2431         RK_ERRNO.
2432         * store.h (binding_cluster::escaped_p): Remove definition.
2434 2022-11-08  David Malcolm  <dmalcolm@redhat.com>
2436         * call-info.cc (success_call_info::get_desc): Delete.
2437         (failed_call_info::get_desc): Likewise.
2438         (succeed_or_fail_call_info::get_desc): New.
2439         * call-info.h (class succeed_or_fail_call_info): New.
2440         (class success_call_info): Convert to a subclass of
2441         succeed_or_fail_call_info.
2442         (class failed_call_info): Likewise.
2444 2022-11-08  David Malcolm  <dmalcolm@redhat.com>
2446         * region-model-impl-calls.cc (region_model::impl_call_strchr):
2447         Move to on_call_post.  Handle both outcomes using bifurcation,
2448         rather than just the "not found" case.
2449         * region-model.cc (region_model::on_call_pre): Move
2450         BUILT_IN_STRCHR and "strchr" to...
2451         (region_model::on_call_post): ...here.
2453 2022-11-03  David Malcolm  <dmalcolm@redhat.com>
2455         * analyzer.h: Use std::unique_ptr for state machines from plugins.
2456         * engine.cc: Likewise.
2458 2022-11-03  David Malcolm  <dmalcolm@redhat.com>
2460         * analyzer.h: Use std::unique_ptr for known functions.
2461         * engine.cc: Likewise.
2462         * known-function-manager.cc: Likewise.
2463         * known-function-manager.h: Likewise.
2465 2022-11-03  David Malcolm  <dmalcolm@redhat.com>
2467         * analysis-plan.cc: Define INCLUDE_MEMORY before including
2468         system.h.
2469         * analyzer-pass.cc: Likewise.
2470         * analyzer-selftests.cc: Likewise.
2471         * analyzer.cc: Likewise.
2472         * analyzer.h: Use std::unique_ptr in bifurcation code.
2473         * call-string.cc: Define INCLUDE_MEMORY before including system.h.
2474         * complexity.cc: Likewise.
2475         * engine.cc: Use std::unique_ptr in bifurcation code.
2476         * exploded-graph.h: Likewise.
2477         * known-function-manager.cc: Define INCLUDE_MEMORY before
2478         including system.h.
2479         * region-model-impl-calls.cc: Use std::unique_ptr in bifurcation
2480         code.
2481         * region-model.cc: Likewise.
2482         * region-model.h: Likewise.
2483         * supergraph.cc: Define INCLUDE_MEMORY before including system.h.
2485 2022-11-03  David Malcolm  <dmalcolm@redhat.com>
2487         * call-info.cc: Use std::unique_ptr for checker_event.
2488         * checker-path.cc: Likewise.
2489         * checker-path.h: Likewise.
2490         * diagnostic-manager.cc: Likewise.
2491         * engine.cc: Likewise.
2492         * pending-diagnostic.cc: Likewise.
2493         * sm-signal.cc: Likewise.
2494         * varargs.cc: Likewise.
2496 2022-11-03  David Malcolm  <dmalcolm@redhat.com>
2498         * diagnostic-manager.cc: Include "make-unique.h".
2499         Use std::unique_ptr for feasibility_problems and exploded_path.
2500         Delete explicit saved_diagnostic dtor.
2501         * diagnostic-manager.h: Likewise.
2502         * engine.cc: Likewise.
2503         * exploded-graph.h: Likewise.
2504         * feasible-graph.cc: Likewise.
2505         * feasible-graph.h: Likewise.
2507 2022-11-03  David Malcolm  <dmalcolm@redhat.com>
2509         * checker-path.cc (rewind_event::rewind_event): Update for usage of
2510         std::unique_ptr on custom_edge_info.
2511         * engine.cc (exploded_node::on_longjmp): Likewise.
2512         (exploded_edge::exploded_edge): Likewise.
2513         (exploded_edge::~exploded_edge): Delete.
2514         (exploded_graph::add_function_entry): Update for usage of
2515         std::unique_ptr on custom_edge_info.
2516         (exploded_graph::add_edge): Likewise.
2517         (add_tainted_args_callback): Likewise.
2518         (exploded_graph::maybe_create_dynamic_call): Likewise.
2519         (exploded_graph::process_node): Likewise.
2520         * exploded-graph.h (exploded_edge::~exploded_edge): Delete.
2521         (exploded_edge::m_custom_info): Use std::unique_ptr.
2522         (exploded_edge::add_edge): Likewise.
2523         * sm-signal.cc (register_signal_handler::impl_transition): Use
2524         make_unique.
2526 2022-11-03  David Malcolm  <dmalcolm@redhat.com>
2528         * diagnostic-manager.cc (saved_diagnostic::saved_diagnostic): Make
2529         stmt_finder const.
2530         (saved_diagnostic::~saved_diagnostic): Remove explicit delete of
2531         m_stmt_finder.
2532         (diagnostic_manager::add_diagnostic): Make stmt_finder const.
2533         * diagnostic-manager.h (saved_diagnostic::saved_diagnostic):
2534         Likewise.
2535         (saved_diagnostic::m_stmt_finder): Convert to std::unique_ptr.
2536         (diagnostic_manager::add_diagnostic): Make stmt_finder const.
2537         * engine.cc (impl_sm_context::impl_sm_context): Likewise.
2538         (impl_sm_context::m_stmt_finder): Likewise.
2539         (leak_stmt_finder::clone): Convert return type to std::unique_ptr.
2540         * exploded-graph.h (stmt_finder::clone): Likewise.
2542 2022-11-03  David Malcolm  <dmalcolm@redhat.com>
2544         * call-info.cc: Add define of INCLUDE_MEMORY.
2545         * call-summary.cc: Likewise.
2546         * checker-path.cc: Likewise.
2547         * constraint-manager.cc: Likewise.
2548         * diagnostic-manager.cc: Likewise.
2549         (saved_diagnostic::saved_diagnostic): Use std::unique_ptr for
2550         param d and field m_d.
2551         (saved_diagnostic::~saved_diagnostic): Remove explicit delete of m_d.
2552         (saved_diagnostic::add_note): Use std::unique_ptr for
2553         param pn.
2554         (saved_diagnostic::get_pending_diagnostic): Update for conversion
2555         of m_sd.m_d to unique_ptr.
2556         (diagnostic_manager::add_diagnostic): Use std::unique_ptr for
2557         param d.  Remove explicit deletion.
2558         (diagnostic_manager::add_note): Use std::unique_ptr for param pn.
2559         (diagnostic_manager::emit_saved_diagnostic): Update for conversion
2560         of m_sd.m_d to unique_ptr.
2561         (null_assignment_sm_context::warn): Use std::unique_ptr for
2562         param d.  Remove explicit deletion.
2563         * diagnostic-manager.h (saved_diagnostic::saved_diagnostic): Use
2564         std::unique_ptr for param d.
2565         (saved_diagnostic::add_note): Likewise for param pn.
2566         (saved_diagnostic::m_d): Likewise.
2567         (diagnostic_manager::add_diagnostic): Use std::unique_ptr for
2568         param d.
2569         (diagnostic_manager::add_note): Use std::unique_ptr for param pn.
2570         * engine.cc: Include "make-unique.h".
2571         (impl_region_model_context::warn): Update to use std::unique_ptr
2572         for param, removing explicit deletion.
2573         (impl_region_model_context::add_note): Likewise.
2574         (impl_sm_context::warn): Update to use std::unique_ptr
2575         for param.
2576         (impl_region_model_context::on_state_leak): Likewise for result of
2577         on_leak.
2578         (exploded_node::on_longjmp): Use make_unique when creating
2579         pending_diagnostic.
2580         (exploded_graph::process_node): Likewise.
2581         * exploded-graph.h (impl_region_model_context::warn): Update to
2582         use std::unique_ptr for param.
2583         (impl_region_model_context::add_note): Likewise.
2584         * feasible-graph.cc: Add define of INCLUDE_MEMORY.
2585         * pending-diagnostic.cc: Likewise.
2586         * pending-diagnostic.h: Include "analyzer/sm.h".
2587         * program-point.cc: Add define of INCLUDE_MEMORY.
2588         * program-state.cc: Likewise.
2589         * region-model-asm.cc: Likewise.
2590         * region-model-impl-calls.cc: Likewise.  Include "make-unique.h".
2591         (region_model::impl_call_putenv): Use make_unique when creating
2592         pending_diagnostic.
2593         * region-model-manager.cc: Add define of INCLUDE_MEMORY.
2594         * region-model-reachability.cc: Likewise.
2595         * region-model.cc: Likewise.  Include "make-unique.h".
2596         (region_model::get_gassign_result): Use make_unique when creating
2597         pending_diagnostic.
2598         (region_model::check_for_poison): Likewise.
2599         (region_model::on_stmt_pre): Likewise.
2600         (region_model::check_symbolic_bounds): Likewise.
2601         (region_model::check_region_bounds): Likewise.
2602         (annotating_ctxt::make_note): Use std::unique_ptr for result.
2603         (region_model::deref_rvalue): Use make_unique when creating
2604         pending_diagnostic.
2605         (region_model::check_for_writable_region): Likewise.
2606         (region_model::check_region_size): Likewise.
2607         (region_model::check_dynamic_size_for_floats): Likewise.
2608         (region_model::maybe_complain_about_infoleak): Likewise.
2609         (noop_region_model_context::add_note): Use std::unique_ptr for
2610         param.  Remove explicit deletion.
2611         * region-model.h: Include "analyzer/pending-diagnostic.h".
2612         (region_model_context::warn): Convert param to std::unique_ptr.
2613         (region_model_context::add_note): Likewise.
2614         (noop_region_model_context::warn): Likewise.
2615         (noop_region_model_context::add_note): Likewise.
2616         (region_model_context_decorator::warn): Likewise.
2617         (region_model_context_decorator::add_note): Likewise.
2618         (note_adding_context::warn): Likewise.
2619         (note_adding_context::make_note): Likewise for return type.
2620         (test_region_model_context::warn): Convert param to
2621         std::unique_ptr.
2622         * region.cc: Add define of INCLUDE_MEMORY.
2623         * sm-fd.cc: Likewise.  Include "make-unique.h".
2624         (fd_state_machine::check_for_fd_attrs): Use make_unique when
2625         creating pending_diagnostics.
2626         (fd_state_machine::on_open): Likewise.
2627         (fd_state_machine::on_creat): Likewise.
2628         (fd_state_machine::check_for_dup): Likewise.
2629         (fd_state_machine::on_close): Likewise.
2630         (fd_state_machine::check_for_open_fd): Likewise.
2631         (fd_state_machine::on_leak): Likewise, converting return type to
2632         std::unique_ptr.
2633         * sm-file.cc: Add define of INCLUDE_MEMORY.  Include
2634         "make-unique.h".
2635         (fileptr_state_machine::on_stmt): Use make_unique when creating
2636         pending_diagnostic.
2637         (fileptr_state_machine::on_leak): Likewise, converting return type
2638         to std::unique_ptr.
2639         * sm-malloc.cc: Add define of INCLUDE_MEMORY.  Include
2640         "make-unique.h".
2641         (malloc_state_machine::on_stmt): Use make_unique when creating
2642         pending_diagnostic.
2643         (malloc_state_machine::handle_free_of_non_heap): Likewise.
2644         (malloc_state_machine::on_deallocator_call): Likewise.
2645         (malloc_state_machine::on_realloc_call): Likewise.
2646         (malloc_state_machine::on_leak): Likewise, converting return type
2647         to std::unique_ptr.
2648         * sm-pattern-test.cc: Add define of INCLUDE_MEMORY.  Include
2649         "make-unique.h".
2650         (pattern_test_state_machine::on_condition): Use make_unique when
2651         creating pending_diagnostic.
2652         * sm-sensitive.cc: Add define of INCLUDE_MEMORY.  Include
2653         "make-unique.h".
2654         (sensitive_state_machine::warn_for_any_exposure): Use make_unique
2655         when creating pending_diagnostic.
2656         * sm-signal.cc: Add define of INCLUDE_MEMORY.  Include
2657         "make-unique.h".
2658         (signal_state_machine::on_stmt): Use make_unique when creating
2659         pending_diagnostic.
2660         * sm-taint.cc: Add define of INCLUDE_MEMORY.  Include
2661         "make-unique.h".
2662         (taint_state_machine::check_for_tainted_size_arg): Use make_unique
2663         when creating pending_diagnostic.
2664         (taint_state_machine::check_for_tainted_divisor): Likewise.
2665         (region_model::check_region_for_taint): Likewise.
2666         (region_model::check_dynamic_size_for_taint): Likewise.
2667         * sm.cc: Add define of INCLUDE_MEMORY.  Include
2668         "analyzer/pending-diagnostic.h".
2669         (state_machine::on_leak): Move here from sm.h, changing return
2670         type to std::unique_ptr.
2671         * sm.h (state_machine::on_leak): Change return type to
2672         std::unique_ptr.  Move defn of base impl to sm.cc.
2673         (sm_context::warn): Convert param d to std::unique_ptr.
2674         * state-purge.cc: Add define of INCLUDE_MEMORY.
2675         * store.cc: Likewise.
2676         * svalue.cc: Likewise.
2677         * trimmed-graph.cc: Likewise.
2678         * varargs.cc: Likewise.  Include "make-unique.h".
2679         (va_list_state_machine::check_for_ended_va_list): Use make_unique
2680         when creating pending_diagnostic.
2681         (va_list_state_machine::on_leak): Likewise, converting return type
2682         to std::unique_ptr.
2683         (region_model::impl_call_va_arg): Use make_unique when creating
2684         pending_diagnostic.
2686 2022-11-03  David Malcolm  <dmalcolm@redhat.com>
2688         PR analyzer/107486
2689         * analyzer.cc (is_pipe_call_p): New.
2690         * analyzer.h (is_pipe_call_p): New decl.
2691         * region-model.cc (region_model::on_call_pre): Use it.
2692         (region_model::on_call_post): Likewise.
2694 2022-10-26  David Malcolm  <dmalcolm@redhat.com>
2696         * sm-fd.cc (fd_state_machine::on_open): Transition to "unchecked"
2697         when the mode is symbolic, rather than just on integer constants.
2698         (fd_state_machine::check_for_open_fd): Don't complain about
2699         unchecked values in the start state.
2701 2022-10-26  David Malcolm  <dmalcolm@redhat.com>
2703         * sm-fd.dot: New file.
2705 2022-10-24  David Malcolm  <dmalcolm@redhat.com>
2707         PR analyzer/107349
2708         * varargs.cc (get_va_copy_arg): Fix the non-pointer case.
2710 2022-10-24  David Malcolm  <dmalcolm@redhat.com>
2712         PR analyzer/107345
2713         * region-model.cc (region_model::eval_condition_without_cm):
2714         Ensure that constants are on the right-hand side before checking
2715         for them.
2717 2022-10-24  David Malcolm  <dmalcolm@redhat.com>
2719         * engine.cc (impl_region_model_context::get_malloc_map): Replace
2720         with...
2721         (impl_region_model_context::get_state_map_by_name): ...this.
2722         (impl_region_model_context::get_fd_map): Delete.
2723         (impl_region_model_context::get_taint_map): Delete.
2724         * exploded-graph.h (impl_region_model_context::get_fd_map):
2725         Delete.
2726         (impl_region_model_context::get_malloc_map): Delete.
2727         (impl_region_model_context::get_taint_map): Delete.
2728         (impl_region_model_context::get_state_map_by_name): New.
2729         * region-model.h (region_model_context::get_state_map_by_name):
2730         New vfunc.
2731         (region_model_context::get_fd_map): Convert from vfunc to
2732         function.
2733         (region_model_context::get_malloc_map): Likewise.
2734         (region_model_context::get_taint_map): Likewise.
2735         (noop_region_model_context::get_state_map_by_name): New.
2736         (noop_region_model_context::get_fd_map): Delete.
2737         (noop_region_model_context::get_malloc_map): Delete.
2738         (noop_region_model_context::get_taint_map): Delete.
2739         (region_model_context_decorator::get_state_map_by_name): New.
2740         (region_model_context_decorator::get_fd_map): Delete.
2741         (region_model_context_decorator::get_malloc_map): Delete.
2742         (region_model_context_decorator::get_taint_map): Delete.
2744 2022-10-24  David Malcolm  <dmalcolm@redhat.com>
2746         PR analyzer/106300
2747         * engine.cc (impl_region_model_context::get_fd_map): New.
2748         * exploded-graph.h (impl_region_model_context::get_fd_map): New
2749         decl.
2750         * region-model-impl-calls.cc (region_model::impl_call_pipe): New.
2751         * region-model.cc (region_model::update_for_int_cst_return): New,
2752         based on...
2753         (region_model::update_for_zero_return): ...this.  Reimplement in
2754         terms of the former.
2755         (region_model::on_call_pre): Handle "pipe" and "pipe2".
2756         (region_model::on_call_post): Likewise.
2757         * region-model.h (region_model::impl_call_pipe): New decl.
2758         (region_model::update_for_int_cst_return): New decl.
2759         (region_model::mark_as_valid_fd): New decl.
2760         (region_model_context::get_fd_map): New pure virtual fn.
2761         (noop_region_model_context::get_fd_map): New.
2762         (region_model_context_decorator::get_fd_map): New.
2763         * sm-fd.cc: Include "analyzer/program-state.h".
2764         (fd_state_machine::describe_state_change): Handle transitions from
2765         start state to valid states.
2766         (fd_state_machine::mark_as_valid_fd): New.
2767         (fd_state_machine::on_stmt): Add missing return for "creat".
2768         (region_model::mark_as_valid_fd): New.
2770 2022-10-19  David Malcolm  <dmalcolm@redhat.com>
2772         PR analyzer/105765
2773         * varargs.cc (get_BT_VALIST_ARG): Rename to...
2774         (get_va_copy_arg): ...this, and update logic for determining level
2775         of indirection of va_copy's argument to use type of argument,
2776         rather than looking at va_list_type_node, to correctly handle
2777         __builtin_ms_va_copy.
2778         (get_stateful_BT_VALIST_ARG): Rename to...
2779         (get_stateful_va_copy_arg): ...this.
2780         (va_list_state_machine::on_va_copy): Update for renaming.
2781         (region_model::impl_call_va_copy): Likewise.
2783 2022-10-13  David Malcolm  <dmalcolm@redhat.com>
2785         PR analyzer/107210
2786         * svalue.cc (constant_svalue::maybe_fold_bits_within): Only
2787         attempt to extract individual bits when tree_fits_uhwi_p.
2789 2022-10-07  David Malcolm  <dmalcolm@redhat.com>
2791         PR analyzer/105783
2792         * region-model.cc (selftest::get_bit): New function.
2793         (selftest::test_bits_within_svalue_folding): New.
2794         (selftest::analyzer_region_model_cc_tests): Call it.
2795         * svalue.cc (constant_svalue::maybe_fold_bits_within): Handle the
2796         case of extracting a single bit.
2798 2022-10-06  David Malcolm  <dmalcolm@redhat.com>
2800         PR analyzer/107158
2801         * store.cc (store::replay_call_summary_cluster): Eliminate
2802         special-casing of RK_HEAP_ALLOCATED in favor of sharing code with
2803         RK_DECL, avoiding an ICE due to attempting to bind a
2804         compound_svalue into a binding_cluster when an svalue in the
2805         summary cluster converts to a compound_svalue in the caller.
2807 2022-10-06  David Malcolm  <dmalcolm@redhat.com>
2809         * call-summary.cc (call_summary_replay::dump_to_pp): Bulletproof
2810         against NULL caller regions/svalues.
2812 2022-10-05  David Malcolm  <dmalcolm@redhat.com>
2814         * analysis-plan.cc: Simplify includes.
2815         * analyzer-pass.cc: Likewise.
2816         * analyzer-selftests.cc: Likewise.
2817         * analyzer.cc: Likewise.
2818         * analyzer.h: Add includes of "json.h" and "tristate.h".
2819         * call-info.cc: Simplify includes.
2820         * call-string.cc: Likewise.
2821         * call-summary.cc: Likewise.
2822         * checker-path.cc: Likewise.
2823         * complexity.cc: Likewise.
2824         * constraint-manager.cc: Likewise.
2825         * diagnostic-manager.cc: Likewise.
2826         * engine.cc: Likewise.
2827         * feasible-graph.cc: Likewise.
2828         * known-function-manager.cc: Likewise.
2829         * pending-diagnostic.cc: Likewise.
2830         * program-point.cc: Likewise.
2831         * program-state.cc: Likewise.
2832         * region-model-asm.cc: Likewise.
2833         * region-model-impl-calls.cc: Likewise.
2834         * region-model-manager.cc: Likewise.
2835         * region-model-reachability.cc: Likewise.
2836         * region-model.cc: Likewise.
2837         * region-model.h: Include "selftest.h".
2838         * region.cc: Simplify includes.
2839         * sm-fd.cc: Likewise.
2840         * sm-file.cc: Likewise.
2841         * sm-malloc.cc: Likewise.
2842         * sm-pattern-test.cc: Likewise.
2843         * sm-sensitive.cc: Likewise.
2844         * sm-signal.cc: Likewise.
2845         * sm-taint.cc: Likewise.
2846         * sm.cc: Likewise.
2847         * state-purge.cc: Likewise.
2848         * store.cc: Likewise.
2849         * store.h: Likewise.
2850         * supergraph.cc: Likewise.
2851         * svalue.cc: Likewise.
2852         * svalue.h: Likewise.
2853         * trimmed-graph.cc: Likewise.
2854         * varargs.cc: Likewise.
2856 2022-10-05  David Malcolm  <dmalcolm@redhat.com>
2858         PR analyzer/107060
2859         * call-summary.cc
2860         (call_summary_replay::convert_svalue_from_summary_1): Handle NULL
2861         results from convert_svalue_from_summary in SK_UNARY_OP and
2862         SK_BIN_OP.
2863         * engine.cc (impl_region_model_context::on_unknown_change): Bail
2864         out on svalues that can't have associated state.
2865         * region-model-impl-calls.cc
2866         (region_model::impl_call_analyzer_get_unknown_ptr): New.
2867         * region-model.cc (region_model::on_stmt_pre): Handle
2868         "__analyzer_get_unknown_ptr".
2869         * region-model.h
2870         (region_model::impl_call_analyzer_get_unknown_ptr): New decl.
2871         * store.cc (store::replay_call_summary_cluster): Avoid trying to
2872         create binding clusters for base regions that shouldn't have them.
2874 2022-10-05  Martin Liska  <mliska@suse.cz>
2876         * call-summary.cc (call_summary_replay::call_summary_replay):
2877         Remove unused variable and arguments.
2878         * call-summary.h: Likewise.
2879         * engine.cc (exploded_node::on_stmt): Likewise.
2880         (exploded_node::replay_call_summaries): Likewise.
2881         (exploded_node::replay_call_summary): Likewise.
2882         * exploded-graph.h (class exploded_node): Likewise.
2884 2022-10-05  David Malcolm  <dmalcolm@redhat.com>
2886         PR analyzer/107072
2887         * analyzer-logging.h: Include "diagnostic-core.h".
2888         * analyzer.h: Include "function.h".
2889         (class call_summary): New forward decl.
2890         (class call_summary_replay): New forward decl.
2891         (struct per_function_data): New forward decl.
2892         (struct interesting_t): New forward decl.
2893         (custom_edge_info::update_state): New vfunc.
2894         * call-info.cc (custom_edge_info::update_state): New.
2895         * call-summary.cc: New file.
2896         * call-summary.h: New file.
2897         * constraint-manager.cc: Include "analyzer/call-summary.h".
2898         (class replay_fact_visitor): New.
2899         (constraint_manager::replay_call_summary): New.
2900         * constraint-manager.h (constraint_manager::replay_call_summary):
2901         New.
2902         * engine.cc: Include "analyzer/call-summary.h".
2903         (exploded_node::on_stmt): Handle call summaries.
2904         (class call_summary_edge_info): New.
2905         (exploded_node::replay_call_summaries): New.
2906         (exploded_node::replay_call_summary): New.
2907         (per_function_data::~per_function_data): New.
2908         (per_function_data::add_call_summary): Move here from header and
2909         reimplement.
2910         (exploded_graph::process_node): Call update_state rather than
2911         update_model when handling bifurcation.
2912         (viz_callgraph_node::dump_dot): Use a regular label rather
2913         than an HTML table; add summaries to dump.
2914         * exploded-graph.h: Include "alloc-pool.h", "fibonacci_heap.h",
2915         "supergraph.h", "sbitmap.h", "shortest-paths.h", "analyzer/sm.h",
2916         "analyzer/program-state.h", and "analyzer/diagnostic-manager.h".
2917         (exploded_node::replay_call_summaries): New decl.
2918         (exploded_node::replay_call_summary): New decl.
2919         (per_function_data::~per_function_data): New decl.
2920         (per_function_data::add_call_summary): Move implementation from
2921         header.
2922         (per_function_data::m_summaries): Update type of element.
2923         * known-function-manager.h: Include "analyzer/analyzer-logging.h".
2924         * program-point.h: Include "pretty-print.h" and
2925         "analyzer/call-string.h".
2926         * program-state.cc: Include "analyzer/call-summary.h".
2927         (sm_state_map::replay_call_summary): New.
2928         (program_state::replay_call_summary): New.
2929         * program-state.h (sm_state_map::replay_call_summary): New decl.
2930         (program_state::replay_call_summary): New decl.
2931         * region-model-manager.cc
2932         (region_model_manager::get_or_create_asm_output_svalue): New
2933         overload.
2934         * region-model-manager.h
2935         (region_model_manager::get_or_create_asm_output_svalue): New
2936         overload decl.
2937         * region-model.cc: Include "analyzer/call-summary.h".
2938         (region_model::maybe_update_for_edge): Remove call to
2939         region_model::update_for_call_summary on
2940         SUPEREDGE_INTRAPROCEDURAL_CALL.
2941         (region_model::update_for_call_summary): Delete.
2942         (region_model::replay_call_summary): New.
2943         * region-model.h (region_model::replay_call_summary): New decl.
2944         (region_model::update_for_call_summary): Delete decl.
2945         * store.cc: Include "analyzer/call-summary.h".
2946         (store::replay_call_summary): New.
2947         (store::replay_call_summary_cluster): New.
2948         * store.h: Include "tristate.h".
2949         (is_a_helper <const ana::concrete_binding *>::test): New.
2950         (store::replay_call_summary): New decl.
2951         (store::replay_call_summary_cluster): New decl.
2952         * supergraph.cc (get_ultimate_function_for_cgraph_edge): Remove
2953         "static" from decl.
2954         (supergraph_call_edge): Make stmt param const.
2955         * supergraph.h: Include "ordered-hash-map.h", "cfg.h",
2956         "basic-block.h", "gimple.h", "gimple-iterator.h", and "digraph.h".
2957         (supergraph_call_edge): Make stmt param const.
2958         (get_ultimate_function_for_cgraph_edge): New decl.
2959         * svalue.cc (compound_svalue::compound_svalue): Assert that we're
2960         not nesting compound_svalues.
2961         * svalue.h: Include "json.h", "analyzer/store.h", and
2962         "analyzer/program-point.h".
2963         (asm_output_svalue::get_num_outputs): New accessor.
2965 2022-10-05  David Malcolm  <dmalcolm@redhat.com>
2967         * region-model.h: Include "analyzer/region-model-manager.h".
2968         (class region_model_manager): Move decl to...
2969         * region-model-manager.h: ...this new file.
2971 2022-10-05  David Malcolm  <dmalcolm@redhat.com>
2973         * region-model-manager.cc
2974         (region_model_manager::maybe_fold_unaryop): Fold -(-(VAL)) to VAL.
2976 2022-10-05  David Malcolm  <dmalcolm@redhat.com>
2978         * region-model-manager.cc
2979         (region_model_manager::get_or_create_widening_svalue): Use a
2980         function_point rather than a program_point.
2981         * region-model.cc (selftest::test_widening_constraints): Likewise.
2982         * region-model.h
2983         (region_model_manager::get_or_create_widening_svalue): Likewise.
2984         (model_merger::get_function_point): New.
2985         * svalue.cc (svalue::can_merge_p): Use a function_point rather
2986         than a program_point.
2987         (svalue::can_merge_p): Likewise.
2988         * svalue.h (widening_svalue::key_t): Likewise.
2989         (widening_svalue::widening_svalue): Likewise.
2991 2022-09-12  Martin Liska  <mliska@suse.cz>
2993         * region-model.cc (region_model::maybe_complain_about_infoleak):
2994         Remove unused fields.
2996 2022-09-11  Tim Lange  <mail@tim-lange.me>
2998         PR analyzer/106845
2999         * region-model.cc (region_model::check_region_bounds):
3000         Bail out if 0 bytes were accessed.
3001         * store.cc (byte_range::dump_to_pp):
3002         Add special case for empty ranges.
3003         (byte_range::exceeds_p): Restrict to non-empty ranges.
3004         (byte_range::falls_short_of_p): Restrict to non-empty ranges.
3005         * store.h (bit_range::empty_p): New function.
3006         (bit_range::get_last_byte_offset): Restrict to non-empty ranges.
3007         (byte_range::empty_p): New function.
3008         (byte_range::get_last_byte_offset): Restrict to non-empty ranges.
3010 2022-09-09  David Malcolm  <dmalcolm@redhat.com>
3012         * analyzer.opt (Wanalyzer-exposure-through-uninit-copy): New.
3013         * checker-path.cc (region_creation_event::region_creation_event):
3014         Add "capacity" and "kind" params.
3015         (region_creation_event::get_desc): Generalize to different kinds
3016         of event.
3017         (checker_path::add_region_creation_event): Convert to...
3018         (checker_path::add_region_creation_events): ...this.
3019         * checker-path.h (enum rce_kind): New.
3020         (region_creation_event::region_creation_event): Add "capacity" and
3021         "kind" params.
3022         (region_creation_event::m_capacity): New field.
3023         (region_creation_event::m_rce_kind): New field.
3024         (checker_path::add_region_creation_event): Convert to...
3025         (checker_path::add_region_creation_events): ...this.
3026         * diagnostic-manager.cc (diagnostic_manager::build_emission_path):
3027         Update for multiple region creation events.
3028         (diagnostic_manager::add_event_on_final_node): Likewise.
3029         (diagnostic_manager::add_events_for_eedge): Likewise.
3030         * region-model-impl-calls.cc (call_details::get_logger): New.
3031         * region-model.cc: Define INCLUDE_MEMORY before including
3032         "system.h".  Include "gcc-rich-location.h".
3033         (class record_layout): New.
3034         (class exposure_through_uninit_copy): New.
3035         (contains_uninit_p): New.
3036         (region_model::maybe_complain_about_infoleak): New.
3037         * region-model.h (call_details::get_logger): New decl.
3038         (region_model::maybe_complain_about_infoleak): New decl.
3039         (region_model::mark_as_tainted): New decl.
3040         * sm-taint.cc (region_model::mark_as_tainted): New.
3042 2022-09-09  David Malcolm  <dmalcolm@redhat.com>
3044         * analyzer.h (class known_function_manager): New forward decl.
3045         (class known_function): New.
3046         (plugin_analyzer_init_iface::register_known_function): New.
3047         * engine.cc: Include "analyzer/known-function-manager.h".
3048         (plugin_analyzer_init_impl::plugin_analyzer_init_impl): Add
3049         known_fn_mgr param.
3050         (plugin_analyzer_init_impl::register_state_machine): Add
3051         LOC_SCOPE.
3052         (plugin_analyzer_init_impl::register_known_function): New.
3053         (plugin_analyzer_init_impl::m_known_fn_mgr): New.
3054         (impl_run_checkers): Update plugin callback invocation to use
3055         eng's known_function_manager.
3056         * known-function-manager.cc: New file.
3057         * known-function-manager.h: New file.
3058         * region-model-manager.cc
3059         (region_model_manager::region_model_manager): Pass logger to
3060         m_known_fn_mgr's ctor.
3061         * region-model.cc (region_model::update_for_zero_return): New.
3062         (region_model::update_for_nonzero_return): New.
3063         (maybe_simplify_upper_bound): New.
3064         (region_model::maybe_get_copy_bounds): New.
3065         (region_model::get_known_function): New.
3066         (region_model::on_call_pre): Handle plugin-supplied known
3067         functions.
3068         * region-model.h: Include "analyzer/known-function-manager.h".
3069         (region_model_manager::get_known_function_manager): New.
3070         (region_model_manager::m_known_fn_mgr): New.
3071         (call_details::get_model): New accessor.
3072         (region_model::maybe_get_copy_bounds): New decl.
3073         (region_model::update_for_zero_return): New decl.
3074         (region_model::update_for_nonzero_return): New decl.
3075         (region_model::get_known_function): New decl.
3076         (region_model::get_known_function_manager): New.
3078 2022-09-08  Tim Lange  <mail@tim-lange.me>
3080         PR analyzer/106625
3081         * analyzer.h (region_offset): Eliminate m_is_symbolic member.
3082         * region-model-impl-calls.cc (region_model::impl_call_realloc):
3083         Refine implementation to be more precise.
3084         * region-model.cc (class symbolic_past_the_end):
3085         Abstract diagnostic class to complain about accesses past the end
3086         with symbolic values.
3087         (class symbolic_buffer_overflow):
3088         Concrete diagnostic class to complain about buffer overflows with
3089         symbolic values.
3090         (class symbolic_buffer_overread):
3091         Concrete diagnostic class to complain about buffer overreads with
3092         symbolic values.
3093         (region_model::check_symbolic_bounds): New function.
3094         (maybe_get_integer_cst_tree): New helper function.
3095         (region_model::check_region_bounds):
3096         Add call to check_symbolic_bounds if offset is not concrete.
3097         (region_model::eval_condition_without_cm):
3098         Add support for EQ_EXPR and GT_EXPR with binaryop_svalues.
3099         (is_positive_svalue): New helper function.
3100         (region_model::symbolic_greater_than):
3101         New function to handle GT_EXPR comparisons with symbolic values.
3102         (region_model::structural_equality): New function to compare
3103         whether two svalues are structured the same, i.e. evaluate to
3104         the same value.
3105         (test_struct): Reflect changes to region::calc_offset.
3106         (test_var): Likewise.
3107         (test_array_2): Likewise and add selftest with symbolic i.
3108         * region-model.h (class region_model): Add check_symbolic_bounds,
3109         symbolic_greater_than and structural_equality.
3110         * region.cc (region::get_offset):
3111         Reflect changes to region::calc_offset.
3112         (region::calc_offset):
3113         Compute the symbolic offset if the offset is not concrete.
3114         (region::get_relative_symbolic_offset): New function to return the
3115         symbolic offset in bytes relative to its parent.
3116         (field_region::get_relative_symbolic_offset): Likewise.
3117         (element_region::get_relative_symbolic_offset): Likewise.
3118         (offset_region::get_relative_symbolic_offset): Likewise.
3119         (bit_range_region::get_relative_symbolic_offset): Likewise.
3120         * region.h: Add get_relative_symbolic_offset.
3121         * store.cc (binding_key::make):
3122         Reflect changes to region::calc_offset.
3123         (binding_map::apply_ctor_val_to_range): Likewise.
3124         (binding_map::apply_ctor_pair_to_child_region): Likewise.
3125         (binding_cluster::bind_compound_sval): Likewise.
3126         (binding_cluster::get_any_binding): Likewise.
3127         (binding_cluster::maybe_get_compound_binding): Likewise.
3129 2022-09-05  Tim Lange  <mail@tim-lange.me>
3131         * region-model-impl-calls.cc (region_model::impl_call_strcpy):
3132         Handle the constant string case.
3133         * region-model.cc (region_model::get_string_size):
3134         New function to get the string size from a region or svalue.
3135         * region-model.h (class region_model): Add get_string_size.
3137 2022-09-05  Tim Lange  <mail@tim-lange.me>
3139         * region.cc (cast_region::get_relative_concrete_offset):
3140         New overloaded method.
3141         * region.h: Add cast_region::get_relative_concrete_offset.
3143 2022-08-22  Martin Liska  <mliska@suse.cz>
3145         * region-model.cc: Add missing final keyword.
3147 2022-08-18  Tim Lange  <mail@tim-lange.me>
3149         PR analyzer/106181
3150         * analyzer.opt: Add Wanalyzer-imprecise-floating-point-arithmetic.
3151         * region-model.cc (is_any_cast_p): Formatting.
3152         (region_model::check_region_size): Ensure precondition.
3153         (class imprecise_floating_point_arithmetic): New abstract
3154         diagnostic class for all floating-point related warnings.
3155         (class float_as_size_arg): Concrete diagnostic class to complain
3156         about floating-point operands inside the size argument.
3157         (class contains_floating_point_visitor):
3158         New visitor to find floating-point operands inside svalues.
3159         (region_model::check_dynamic_size_for_floats): New function.
3160         (region_model::set_dynamic_extents):
3161         Call to check_dynamic_size_for_floats.
3162         * region-model.h (class region_model):
3163         Add region_model::check_dynamic_size_for_floats.
3165 2022-08-16  Martin Liska  <mliska@suse.cz>
3167         * region-model.cc: Fix -Winconsistent-missing-override clang
3168         warning.
3169         * region.h: Likewise.
3171 2022-08-15  David Malcolm  <dmalcolm@redhat.com>
3173         PR analyzer/106626
3174         * region-model.cc (buffer_overread::emit): Fix copy&paste error in
3175         direction of the access in the note.
3177 2022-08-15  David Malcolm  <dmalcolm@redhat.com>
3179         PR analyzer/106573
3180         * region-model.cc (region_model::on_call_pre): Use check_call_args
3181         when ensuring that we call get_arg_svalue on all args.  Remove
3182         redundant call from handling for stdio builtins.
3184 2022-08-15  Immad Mir  <mirimmad@outlook.com>
3186         PR analyzer/106551
3187         * sm-fd.cc (check_for_dup): exit early if first
3188         argument is invalid for all dup functions.
3190 2022-08-12  Tim Lange  <mail@tim-lange.me>
3192         PR analyzer/106000
3193         * analyzer.opt: Add Wanalyzer-out-of-bounds.
3194         * region-model.cc (class out_of_bounds): Diagnostics base class
3195         for all out-of-bounds diagnostics.
3196         (class past_the_end): Base class derived from out_of_bounds for
3197         the buffer_overflow and buffer_overread diagnostics.
3198         (class buffer_overflow): Buffer overflow diagnostics.
3199         (class buffer_overread): Buffer overread diagnostics.
3200         (class buffer_underflow): Buffer underflow diagnostics.
3201         (class buffer_underread): Buffer underread diagnostics.
3202         (region_model::check_region_bounds): New function to check region
3203         bounds for out-of-bounds accesses.
3204         (region_model::check_region_access):
3205         Add call to check_region_bounds.
3206         (region_model::get_representative_tree): New function that accepts
3207         a region instead of an svalue.
3208         * region-model.h (class region_model):
3209         Add region_model::check_region_bounds.
3210         * region.cc (region::symbolic_p): New predicate.
3211         (offset_region::get_byte_size_sval): Only return the remaining
3212         byte size on offset_regions.
3213         * region.h: Add region::symbolic_p.
3214         * store.cc (byte_range::intersects_p):
3215         Add new function equivalent to bit_range::intersects_p.
3216         (byte_range::exceeds_p): New function.
3217         (byte_range::falls_short_of_p): New function.
3218         * store.h (struct byte_range): Add byte_range::intersects_p,
3219         byte_range::exceeds_p and byte_range::falls_short_of_p.
3221 2022-08-12  Tim Lange  <mail@tim-lange.me>
3223         PR analyzer/106539
3224         * region-model-impl-calls.cc (region_model::impl_call_realloc):
3225         Use the result of get_copied_size as the size for the
3226         sized_regions in realloc.
3227         (success_with_move::get_copied_size): New function.
3229 2022-08-11  Immad Mir  <mirimmad@outlook.com>
3231         PR analyzer/106551
3232         * sm-fd.cc (check_for_dup): handle the m_start
3233         state when transitioning the state of LHS
3234         of dup, dup2 and dup3 call.
3236 2022-08-09  David Malcolm  <dmalcolm@redhat.com>
3238         PR analyzer/106573
3239         * region-model.cc (region_model::on_call_pre): Ensure that we call
3240         get_arg_svalue on all arguments.
3242 2022-08-05  David Malcolm  <dmalcolm@redhat.com>
3244         PR analyzer/105947
3245         * analyzer.opt (Wanalyzer-jump-through-null): New option.
3246         * engine.cc (class jump_through_null): New.
3247         (exploded_graph::process_node): Complain about jumps through NULL
3248         function pointers.
3250 2022-08-02  Immad Mir  <mirimmad@outlook.com>
3252         PR analyzer/106298
3253         * sm-fd.cc (fd_state_machine::on_open): Add
3254         creat, dup, dup2 and dup3 functions.
3255         (enum dup): New.
3256         (fd_state_machine::valid_to_unchecked_state): New.
3257         (fd_state_machine::on_creat): New.
3258         (fd_state_machine::on_dup): New.
3260 2022-07-28  David Malcolm  <dmalcolm@redhat.com>
3262         PR analyzer/105893
3263         * analyzer.opt (Wanalyzer-putenv-of-auto-var): New.
3264         * region-model-impl-calls.cc (class putenv_of_auto_var): New.
3265         (region_model::impl_call_putenv): New.
3266         * region-model.cc (region_model::on_call_pre): Handle putenv.
3267         * region-model.h (region_model::impl_call_putenv): New decl.
3269 2022-07-28  David Malcolm  <dmalcolm@redhat.com>
3271         * sm-malloc.cc (free_of_non_heap::emit): Add comment about CWE.
3272         * sm-taint.cc (tainted_size::emit): Likewise.
3274 2022-07-28  David Malcolm  <dmalcolm@redhat.com>
3276         * region.h: Add notes to the comment describing the region
3277         class hierarchy.
3279 2022-07-27  Immad Mir  <mirimmad@outlook.com>
3281         PR analyzer/106286
3282         * sm-fd.cc:
3283         (fd_diagnostic::get_meaning_for_state_change): New.
3285 2022-07-26  David Malcolm  <dmalcolm@redhat.com>
3287         PR analyzer/106319
3288         * store.cc (store::set_value): Don't strip away casts if the
3289         region has NULL type.
3291 2022-07-26  David Malcolm  <dmalcolm@redhat.com>
3293         * region.h (code_region::get_element): Remove stray decl.
3294         (function_region::get_element): Likewise.
3296 2022-07-25  Martin Liska  <mliska@suse.cz>
3298         * sm-fd.cc: Run dos2unix and fix coding style issues.
3300 2022-07-23  Immad Mir  <mirimmad@outlook.com>
3302         * sm-fd.cc (fd_param_diagnostic): New diagnostic class.
3303         (fd_access_mode_mismatch): Change inheritance from fd_diagnostic
3304         to fd_param_diagnostic. Add new overloaded constructor.
3305         (fd_use_after_close): Likewise.
3306         (unchecked_use_of_fd): Likewise and also change name to fd_use_without_check.
3307         (double_close): Change name to fd_double_close.
3308         (enum access_directions): New.
3309         (fd_state_machine::on_stmt): Handle calls to function with the
3310         new three function attributes.
3311         (fd_state_machine::check_for_fd_attrs): New.
3312         (fd_state_machine::on_open): Use the new overloaded constructors
3313         of diagnostic classes.
3315 2022-07-22  David Malcolm  <dmalcolm@redhat.com>
3317         PR analyzer/106413
3318         * varargs.cc (region_model::impl_call_va_start): Avoid iterating
3319         through non-existent variadic arguments by initializing the
3320         impl_region to "UNKNOWN" if the va_start occurs in the top-level
3321         function to the analysis.
3323 2022-07-22  David Malcolm  <dmalcolm@redhat.com>
3325         PR analyzer/106401
3326         * store.cc (binding_cluster::binding_cluster): Remove overzealous
3327         assertion; we're checking for tracked_p in
3328         store::get_or_create_cluster.
3330 2022-07-22  Tim Lange  <mail@tim-lange.me>
3332         PR analyzer/106394
3333         * region-model.cc (capacity_compatible_with_type): Always return true
3334         if alloc_size is zero.
3336 2022-07-21  David Malcolm  <dmalcolm@redhat.com>
3338         PR analyzer/106383
3339         * varargs.cc (region_model::impl_call_va_arg): When determining if
3340         we're doing interprocedural analysis, use the stack depth of the
3341         frame in which va_start was called, rather than the current stack
3342         depth.
3344 2022-07-21  David Malcolm  <dmalcolm@redhat.com>
3346         * sm-taint.cc (tainted_array_index::emit): Bulletproof against
3347         NULL m_arg.
3348         (tainted_array_index::describe_final_event): Likewise.
3349         (tainted_size::emit): Likewise.
3350         (tainted_size::describe_final_event): Likewise.
3352 2022-07-21  David Malcolm  <dmalcolm@redhat.com>
3354         PR analyzer/106374
3355         * region.cc (decl_region::get_svalue_for_initializer): Bail out on
3356         untracked regions.
3358 2022-07-20  David Malcolm  <dmalcolm@redhat.com>
3360         PR analyzer/106373
3361         * sm-taint.cc (taint_state_machine::on_condition): Potentially
3362         update the state of the RHS as well as the LHS.
3364 2022-07-20  David Malcolm  <dmalcolm@redhat.com>
3366         PR analyzer/106359
3367         * region.h (string_region::tracked_p): New.
3368         * store.cc (binding_cluster::binding_cluster): Move here from
3369         store.h.  Add assertion that base_region is tracked_p.
3370         * store.h (binding_cluster::binding_cluster): Move to store.cc.
3372 2022-07-19  David Malcolm  <dmalcolm@redhat.com>
3374         PR analyzer/106321
3375         * constraint-manager.h (bounded_ranges::get_count): New.
3376         (bounded_ranges::get_range): New.
3377         * engine.cc (impl_region_model_context::on_bounded_ranges): New.
3378         * exploded-graph.h (impl_region_model_context::on_bounded_ranges):
3379         New decl.
3380         * region-model.cc (region_model::apply_constraints_for_gswitch):
3381         Potentially call ctxt->on_bounded_ranges.
3382         * region-model.h (region_model_context::on_bounded_ranges): New
3383         vfunc.
3384         (noop_region_model_context::on_bounded_ranges): New.
3385         (region_model_context_decorator::on_bounded_ranges): New.
3386         * sm-taint.cc: Include "analyzer/constraint-manager.h".
3387         (taint_state_machine::on_bounded_ranges): New.
3388         * sm.h (state_machine::on_bounded_ranges): New.
3390 2022-07-19  David Malcolm  <dmalcolm@redhat.com>
3392         * engine.cc (exploded_graph::process_node): Show any description
3393         of the out-edge when logging it for consideration.
3395 2022-07-15  David Malcolm  <dmalcolm@redhat.com>
3397         PR analyzer/106284
3398         * sm-taint.cc (taint_state_machine::on_condition): Handle range
3399         checks optimized by build_range_check.
3401 2022-07-15  Jonathan Wakely  <jwakely@redhat.com>
3403         * call-info.cc (call_info::print): Adjust to new label_text API.
3404         * checker-path.cc (checker_event::dump): Likewise.
3405         (region_creation_event::get_desc): Likewise.
3406         (state_change_event::get_desc): Likewise.
3407         (superedge_event::should_filter_p): Likewise.
3408         (start_cfg_edge_event::get_desc): Likewise.
3409         (call_event::get_desc): Likewise.
3410         (return_event::get_desc): Likewise.
3411         (warning_event::get_desc): Likewise.
3412         (checker_path::dump): Likewise.
3413         (checker_path::debug): Likewise.
3414         * diagnostic-manager.cc (diagnostic_manager::prune_for_sm_diagnostic):
3415         Likewise.
3416         (diagnostic_manager::prune_interproc_events): Likewise.
3417         * engine.cc (feasibility_state::maybe_update_for_edge):
3418         Likewise.
3419         * program-state.cc (sm_state_map::to_json): Likewise.
3420         * region-model-impl-calls.cc (region_model::impl_call_analyzer_describe): Likewise.
3421         (region_model::impl_call_analyzer_dump_capacity): Likewise.
3422         * region.cc (region::to_json): Likewise.
3423         * sm-malloc.cc (inform_nonnull_attribute): Likewise.
3424         * store.cc (binding_map::to_json): Likewise.
3425         (store::to_json): Likewise.
3426         * supergraph.cc (superedge::dump): Likewise.
3427         * svalue.cc (svalue::to_json): Likewise.
3429 2022-07-07  David Malcolm  <dmalcolm@redhat.com>
3431         * checker-path.cc (start_cfg_edge_event::get_desc): Update for
3432         superedge::get_description returning a label_text.
3433         * engine.cc (feasibility_state::maybe_update_for_edge): Likewise.
3434         * supergraph.cc (superedge::dump): Likewise.
3435         (superedge::get_description): Convert return type from char * to
3436         label_text.
3437         * supergraph.h (superedge::get_description): Likewise.
3439 2022-07-07  David Malcolm  <dmalcolm@redhat.com>
3441         * call-info.cc (call_info::print): Update for removal of
3442         label_text::maybe_free in favor of automatic memory management.
3443         * checker-path.cc (checker_event::dump): Likewise.
3444         (checker_event::prepare_for_emission): Likewise.
3445         (state_change_event::get_desc): Likewise.
3446         (superedge_event::should_filter_p): Likewise.
3447         (start_cfg_edge_event::get_desc): Likewise.
3448         (warning_event::get_desc): Likewise.
3449         (checker_path::dump): Likewise.
3450         (checker_path::debug): Likewise.
3451         * diagnostic-manager.cc
3452         (diagnostic_manager::prune_for_sm_diagnostic): Likewise.
3453         (diagnostic_manager::prune_interproc_events): Likewise.
3454         * program-state.cc (sm_state_map::to_json): Likewise.
3455         * region.cc (region::to_json): Likewise.
3456         * sm-malloc.cc (inform_nonnull_attribute): Likewise.
3457         * store.cc (binding_map::to_json): Likewise.
3458         (store::to_json): Likewise.
3459         * svalue.cc (svalue::to_json): Likewise.
3461 2022-07-07  David Malcolm  <dmalcolm@redhat.com>
3463         PR analyzer/106225
3464         * sm-taint.cc (taint_state_machine::on_stmt): Move handling of
3465         assignments from division to...
3466         (taint_state_machine::check_for_tainted_divisor): ...this new
3467         function.  Reject warning when the divisor is known to be non-zero.
3468         * sm.cc: Include "analyzer/program-state.h".
3469         (sm_context::get_old_region_model): New.
3470         * sm.h (sm_context::get_old_region_model): New decl.
3472 2022-07-06  Immad Mir  <mirimmad@outlook.com>
3474         PR analyzer/106184
3475         * sm-fd.cc (fd_state_machine): Change ordering of initialization
3476         of state m_invalid so that the order of initializers is same as
3477         the ordering of the fields in the class decl.
3479 2022-07-06  Immad Mir  <mirimmad@outlook.com>
3481         * sm-fd.cc (use_after_close): save the "close" event and
3482         show it where possible.
3484 2022-07-06  David Malcolm  <dmalcolm@redhat.com>
3486         PR analyzer/106204
3487         * region-model.cc (within_short_circuited_stmt_p): Move extraction
3488         of assign_stmt to caller.
3489         (due_to_ifn_deferred_init_p): New.
3490         (region_model::check_for_poison): Move extraction of assign_stmt
3491         from within_short_circuited_stmt_p to here.  Share logic with
3492         call to due_to_ifn_deferred_init_p.
3494 2022-07-02  Tim Lange  <mail@tim-lange.me>
3496         PR analyzer/105900
3497         * analyzer.opt: Added Wanalyzer-allocation-size.
3498         * checker-path.cc (region_creation_event::get_desc): Added call to new
3499         virtual function pending_diagnostic::describe_region_creation_event.
3500         * checker-path.h: Added region_creation_event::get_desc.
3501         * diagnostic-manager.cc (diagnostic_manager::add_event_on_final_node):
3502         New function.
3503         * diagnostic-manager.h:
3504         Added diagnostic_manager::add_event_on_final_node.
3505         * pending-diagnostic.h (struct region_creation): New event_desc struct.
3506         (pending_diagnostic::describe_region_creation_event): Added virtual
3507         function to overwrite description of a region creation.
3508         * region-model.cc (class dubious_allocation_size): New class.
3509         (capacity_compatible_with_type): New helper function.
3510         (class size_visitor): New class.
3511         (struct_or_union_with_inheritance_p): New helper function.
3512         (is_any_cast_p): New helper function.
3513         (region_model::check_region_size): New function.
3514         (region_model::set_value): Added call to
3515         region_model::check_region_size.
3516         * region-model.h (class region_model): New function check_region_size.
3517         * svalue.cc (region_svalue::accept): Changed to post-order traversal.
3518         (initial_svalue::accept): Likewise.
3519         (unaryop_svalue::accept): Likewise.
3520         (binop_svalue::accept): Likewise.
3521         (sub_svalue::accept): Likewise.
3522         (repeated_svalue::accept): Likewise.
3523         (bits_within_svalue::accept): Likewise.
3524         (widening_svalue::accept): Likewise.
3525         (unmergeable_svalue::accept): Likewise.
3526         (compound_svalue::accept): Likewise.
3527         (conjured_svalue::accept): Likewise.
3528         (asm_output_svalue::accept): Likewise.
3529         (const_fn_result_svalue::accept): Likewise.
3531 2022-07-02  Immad Mir  <mirimmad17@gmail.com>
3533         PR analyzer/106003
3534         * analyzer.opt (Wanalyzer-fd-leak): New option.
3535         (Wanalyzer-fd-access-mode-mismatch): New option.
3536         (Wanalyzer-fd-use-without-check): New option.
3537         (Wanalyzer-fd-double-close): New option.
3538         (Wanalyzer-fd-use-after-close): New option.
3539         * sm.h (make_fd_state_machine): New decl.
3540         * sm.cc (make_checkers): Call make_fd_state_machine.
3541         * sm-fd.cc: New file.
3543 2022-06-24  David Malcolm  <dmalcolm@redhat.com>
3545         * call-string.cc: Add includes of "analyzer/analyzer.h"
3546         and "analyzer/analyzer-logging.h".
3547         (call_string::call_string): Delete copy ctor.
3548         (call_string::operator=): Delete.
3549         (call_string::operator==): Delete.
3550         (call_string::hash): Delete.
3551         (call_string::push_call): Make const, returning the resulting
3552         call_string.
3553         (call_string::pop): Delete.
3554         (call_string::cmp_ptr_ptr): New.
3555         (call_string::validate): Assert that m_parent is non-NULL, or
3556         m_elements is empty.
3557         (call_string::call_string): Move default ctor here from
3558         call-string.h and reimplement.  Add ctor taking a parent
3559         and an element.
3560         (call_string::~call_string): New.
3561         (call_string::recursive_log): New.
3562         * call-string.h (call_string::call_string): Move default ctor's
3563         defn to call-string.cc.  Delete copy ctor.  Add ctor taking a
3564         parent and an element.
3565         (call_string::operator=): Delete.
3566         (call_string::operator==): Delete.
3567         (call_string::hash): Delete.
3568         (call_string::push_call): Make const, returning the resulting
3569         call_string.
3570         (call_string::pop): Delete decl.
3571         (call_string::get_parent): New.
3572         (call_string::cmp_ptr_ptr): New decl.
3573         (call_string::get_top_of_stack): New.
3574         (struct call_string::hashmap_traits_t): New.
3575         (class call_string): Add friend class region_model_manager.  Add
3576         DISABLE_COPY_AND_ASSIGN.
3577         (call_string::~call_string): New decl.
3578         (call_string::recursive_log): New decl.
3579         (call_string::m_parent): New field.
3580         (call_string::m_children): New field.
3581         * constraint-manager.cc (selftest::test_many_constants): Pass
3582         model manager to program_point::origin.
3583         * engine.cc (exploded_graph::exploded_graph): Likewise.
3584         (exploded_graph::add_function_entry): Likewise for
3585         program_point::from_function_entry.
3586         (add_tainted_args_callback): Likewise.
3587         (exploded_graph::maybe_process_run_of_before_supernode_enodes):
3588         Update for change to program_point.get_call_string.
3589         (exploded_graph::process_node): Likewise.
3590         (class function_call_string_cluster): Convert m_cs from a
3591         call_string to a const call_string &.
3592         (struct function_call_string): Likewise.
3593         (pod_hash_traits<function_call_string>::hash): Use pointer_hash
3594         for m_cs.
3595         (pod_hash_traits<function_call_string>::equal): Update for change
3596         to m_cs.
3597         (root_cluster::add_node): Update for change to
3598         function_call_string.
3599         (viz_callgraph_node::dump_dot): Update for change to call_string.
3600         * exploded-graph.h (per_call_string_data::m_key): Convert to a
3601         reference.
3602         (struct eg_call_string_hash_map_traits): Delete.
3603         (exploded_graph::call_string_data_map_t): Remove traits class.
3604         * program-point.cc: Move include of "analyzer/call-string.h" to
3605         after "analyzer/analyzer-logging.h".
3606         (program_point::print): Update for conversion of m_call_string to
3607         a pointer.
3608         (program_point::to_json): Likewise.
3609         (program_point::push_to_call_stack): Update for immutability of
3610         call strings.
3611         (program_point::pop_from_call_stack): Likewise.
3612         (program_point::hash): Use pointer hashing for m_call_string.
3613         (program_point::get_function_at_depth): Update for change to
3614         m_call_string.
3615         (program_point::validate): Update for changes to call_string.
3616         (program_point::on_edge): Likewise.
3617         (program_point::origin): Move here from call-string.h.  Add
3618         region_model_manager param and use it to get empty call string.
3619         (program_point::from_function_entry): Likewise.
3620         (selftest::test_function_point_ordering): Likewise.
3621         (selftest::test_function_point_ordering): Likewise.
3622         * program-point.h (program_point::program_point): Update for
3623         change to m_call_string.
3624         (program_point::get_call_string): Likewise.
3625         (program_point::get_stack_depth): Likewise.
3626         (program_point::origin): Add region_model_manager param, and move
3627         defn to call-string.cc.
3628         (program_point::from_function_entry): Likewise.
3629         (program_point::empty): Drop call_string.
3630         (program_point::deleted): Likewise.
3631         (program_point::program_point): New private ctor.
3632         (program_point::m_call_string): Convert from call_string to const
3633         call_string *.
3634         * program-state.cc (selftest::test_program_state_merging): Update
3635         for call_string changes.
3636         (selftest::test_program_state_merging_2): Likewise.
3637         * region-model-manager.cc
3638         (region_model_manager::region_model_manager): Construct
3639         m_empty_call_string.
3640         (region_model_manager::log_stats): Log the call strings.
3641         * region-model.cc (assert_region_models_merge): Pass the
3642         region_model_manager when creating program_point instances.
3643         (selftest::test_state_merging): Likewise.
3644         (selftest::test_constraint_merging): Likewise.
3645         (selftest::test_widening_constraints): Likewise.
3646         (selftest::test_iteration_1): Likewise.
3647         * region-model.h (region_model_manager::get_empty_call_string):
3648         New.
3649         (region_model_manager::m_empty_call_string): New.
3650         * sm-signal.cc (register_signal_handler::impl_transition): Update
3651         for changes to call_string.
3653 2022-06-24  David Malcolm  <dmalcolm@redhat.com>
3655         * call-string.cc (call_string::calc_recursion_depth): Whitespace
3656         cleanups.
3657         (call_string::cmp): Likewise.
3658         (call_string::get_caller_node): Likewise.
3659         (call_string::validate): Likewise.
3660         * engine.cc (dynamic_call_info_t::add_events_to_path): Likewise.
3661         (exploded_graph::get_per_function_data): Likewise.
3662         (exploded_graph::maybe_create_dynamic_call): Likewise.
3663         (exploded_graph::maybe_create_dynamic_call): Likewise.
3664         (exploded_graph::process_node): Likewise.
3666 2022-06-16  David Malcolm  <dmalcolm@redhat.com>
3668         * varargs.cc (va_arg_type_mismatch::emit): Associate the warning
3669         with CWE-686 ("Function Call With Incorrect Argument Type").
3671 2022-06-16  David Malcolm  <dmalcolm@redhat.com>
3673         * varargs.cc: Include "diagnostic-metadata.h".
3674         (va_list_exhausted::emit): Associate the warning with
3675         CWE-685 ("Function Call With Incorrect Number of Arguments").
3677 2022-06-16  David Malcolm  <dmalcolm@redhat.com>
3679         * sm-file.cc (double_fclose::emit): Associate the warning with
3680         CWE-1341 ("Multiple Releases of Same Resource or Handle").
3682 2022-06-15  David Malcolm  <dmalcolm@redhat.com>
3684         PR analyzer/105962
3685         * analyzer.opt (fanalyzer-undo-inlining): New option.
3686         * checker-path.cc: Include "diagnostic-core.h" and
3687         "inlining-iterator.h".
3688         (event_kind_to_string): Handle EK_INLINED_CALL.
3689         (class inlining_info): New class.
3690         (checker_event::checker_event): Move here from checker-path.h.
3691         Store original fndecl and depth, and calculate effective fndecl
3692         and depth based on inlining information.
3693         (checker_event::dump): Emit original depth as well as effective
3694         depth when they differ; likewise for fndecl.
3695         (region_creation_event::get_desc): Use m_effective_fndecl.
3696         (inlined_call_event::get_desc): New.
3697         (inlined_call_event::get_meaning): New.
3698         (checker_path::inject_any_inlined_call_events): New.
3699         * checker-path.h (enum event_kind): Add EK_INLINED_CALL.
3700         (checker_event::checker_event): Make protected, and move
3701         definition to checker-path.cc.
3702         (checker_event::get_fndecl): Use effective fndecl.
3703         (checker_event::get_stack_depth): Use effective stack depth.
3704         (checker_event::get_logical_location): Use effective stack depth.
3705         (checker_event::get_original_stack_depth): New.
3706         (checker_event::m_fndecl): Rename to...
3707         (checker_event::m_original_fndecl): ...this.
3708         (checker_event::m_depth): Rename to...
3709         (checker_event::m_original_depth): ...this.
3710         (checker_event::m_effective_fndecl): New field.
3711         (checker_event::m_effective_depth): New field.
3712         (class inlined_call_event): New checker_event subclass.
3713         (checker_path::inject_any_inlined_call_events): New decl.
3714         * diagnostic-manager.cc: Include "inlining-iterator.h".
3715         (diagnostic_manager::emit_saved_diagnostic): Call
3716         checker_path::inject_any_inlined_call_events.
3717         (diagnostic_manager::prune_for_sm_diagnostic): Handle
3718         EK_INLINED_CALL.
3719         * engine.cc (tainted_args_function_custom_event::get_desc): Use
3720         effective fndecl.
3721         * inlining-iterator.h: New file.
3723 2022-06-15  David Malcolm  <dmalcolm@redhat.com>
3725         * diagnostic-manager.cc (saved_diagnostic::dump_dot_id): New.
3726         (saved_diagnostic::dump_as_dot_node): New.
3727         * diagnostic-manager.h (saved_diagnostic::dump_dot_id): New decl.
3728         (saved_diagnostic::dump_as_dot_node): New decl.
3729         * engine.cc (exploded_node::dump_dot): Add nodes for saved
3730         diagnostics.
3732 2022-06-02  David Malcolm  <dmalcolm@redhat.com>
3734         * checker-path.cc (checker_event::get_meaning): New.
3735         (function_entry_event::get_meaning): New.
3736         (state_change_event::get_desc): Add dump of meaning of the event
3737         to the -fanalyzer-verbose-state-changes output.
3738         (state_change_event::get_meaning): New.
3739         (cfg_edge_event::get_meaning): New.
3740         (call_event::get_meaning): New.
3741         (return_event::get_meaning): New.
3742         (start_consolidated_cfg_edges_event::get_meaning): New.
3743         (warning_event::get_meaning): New.
3744         * checker-path.h: Include "tree-logical-location.h".
3745         (checker_event::checker_event): Construct m_logical_loc.
3746         (checker_event::get_logical_location): New.
3747         (checker_event::get_meaning): New decl.
3748         (checker_event::m_logical_loc): New.
3749         (function_entry_event::get_meaning): New decl.
3750         (state_change_event::get_meaning): New decl.
3751         (cfg_edge_event::get_meaning): New decl.
3752         (call_event::get_meaning): New decl.
3753         (return_event::get_meaning): New decl.
3754         (start_consolidated_cfg_edges_event::get_meaning): New.
3755         (warning_event::get_meaning): New decl.
3756         * pending-diagnostic.h: Include "diagnostic-path.h".
3757         (pending_diagnostic::get_meaning_for_state_change): New vfunc.
3758         * sm-file.cc (file_diagnostic::get_meaning_for_state_change): New
3759         vfunc impl.
3760         * sm-malloc.cc (malloc_diagnostic::get_meaning_for_state_change):
3761         Likewise.
3762         * sm-sensitive.cc
3763         (exposure_through_output_file::get_meaning_for_state_change):
3764         Likewise.
3765         * sm-taint.cc (taint_diagnostic::get_meaning_for_state_change):
3766         Likewise.
3767         * varargs.cc
3768         (va_list_sm_diagnostic::get_meaning_for_state_change): Likewise.
3770 2022-05-23  David Malcolm  <dmalcolm@redhat.com>
3772         * call-info.cc: Add "final" and "override" to all vfunc
3773         implementations that were missing them, as appropriate.
3774         * engine.cc: Likewise.
3775         * region-model.cc: Likewise.
3776         * sm-malloc.cc: Likewise.
3777         * supergraph.h: Likewise.
3778         * svalue.cc: Likewise.
3779         * varargs.cc: Likewise.
3781 2022-05-20  David Malcolm  <dmalcolm@redhat.com>
3783         * analyzer-pass.cc: Replace uses of "FINAL" and "OVERRIDE" with
3784         "final" and "override".
3785         * call-info.h: Likewise.
3786         * checker-path.h: Likewise.
3787         * constraint-manager.cc: Likewise.
3788         * diagnostic-manager.cc: Likewise.
3789         * engine.cc: Likewise.
3790         * exploded-graph.h: Likewise.
3791         * feasible-graph.h: Likewise.
3792         * pending-diagnostic.h: Likewise.
3793         * region-model-impl-calls.cc: Likewise.
3794         * region-model.cc: Likewise.
3795         * region-model.h: Likewise.
3796         * region.h: Likewise.
3797         * sm-file.cc: Likewise.
3798         * sm-malloc.cc: Likewise.
3799         * sm-pattern-test.cc: Likewise.
3800         * sm-sensitive.cc: Likewise.
3801         * sm-signal.cc: Likewise.
3802         * sm-taint.cc: Likewise.
3803         * state-purge.h: Likewise.
3804         * store.cc: Likewise.
3805         * store.h: Likewise.
3806         * supergraph.h: Likewise.
3807         * svalue.h: Likewise.
3808         * trimmed-graph.h: Likewise.
3809         * varargs.cc: Likewise.
3811 2022-05-16  David Malcolm  <dmalcolm@redhat.com>
3813         PR analyzer/105103
3814         * analyzer.cc (make_label_text_n): New.
3815         * analyzer.h (class var_arg_region): New forward decl.
3816         (make_label_text_n): New decl.
3817         * analyzer.opt (Wanalyzer-va-arg-type-mismatch): New option.
3818         (Wanalyzer-va-list-exhausted): New option.
3819         (Wanalyzer-va-list-leak): New option.
3820         (Wanalyzer-va-list-use-after-va-end): New option.
3821         * checker-path.cc (call_event::get_desc): Split out decl access
3822         into...
3823         (call_event::get_caller_fndecl): ...this new function and...
3824         (call_event::get_callee_fndecl): ...this new function.
3825         * checker-path.h (call_event::get_desc): Drop "FINAL".
3826         (call_event::get_caller_fndecl): New decl.
3827         (call_event::get_callee_fndecl): New decl.
3828         (class call_event): Make fields protected.
3829         * diagnostic-manager.cc (null_assignment_sm_context::warn): New
3830         overload.
3831         (null_assignment_sm_context::get_new_program_state): New.
3832         (diagnostic_manager::add_events_for_superedge): Move case
3833         SUPEREDGE_CALL to a new pending_diagnostic::add_call_event vfunc.
3834         * engine.cc (impl_sm_context::warn): Implement new override.
3835         (impl_sm_context::get_new_program_state): New.
3836         * pending-diagnostic.cc: Include "analyzer/diagnostic-manager.h",
3837         "cpplib.h", "digraph.h", "ordered-hash-map.h", "cfg.h",
3838         "basic-block.h", "gimple.h", "gimple-iterator.h", "cgraph.h"
3839         "analyzer/supergraph.h", "analyzer/program-state.h",
3840         "alloc-pool.h", "fibonacci_heap.h", "shortest-paths.h",
3841         "sbitmap.h", "analyzer/exploded-graph.h", "diagnostic-path.h",
3842         and "analyzer/checker-path.h".
3843         (ht_ident_eq): New.
3844         (fixup_location_in_macro_p): New.
3845         (pending_diagnostic::fixup_location): New.
3846         (pending_diagnostic::add_call_event): New.
3847         * pending-diagnostic.h (pending_diagnostic::fixup_location): Drop
3848         no-op inline implementation in favor of the more complex
3849         implementation above.
3850         (pending_diagnostic::add_call_event): New vfunc.
3851         * region-model-impl-calls.cc: Include "analyzer/sm.h",
3852         "diagnostic-path.h", and "analyzer/pending-diagnostic.h".
3853         * region-model-manager.cc
3854         (region_model_manager::get_var_arg_region): New.
3855         (region_model_manager::log_stats): Log m_var_arg_regions.
3856         * region-model.cc (region_model::on_call_pre): Handle IFN_VA_ARG,
3857         BUILT_IN_VA_START, and BUILT_IN_VA_COPY.
3858         (region_model::on_call_post): Handle BUILT_IN_VA_END.
3859         (region_model::get_representative_path_var_1): Handle RK_VAR_ARG.
3860         (region_model::push_frame): Push variadic arguments.
3861         * region-model.h (region_model_manager::get_var_arg_region): New
3862         decl.
3863         (region_model_manager::m_var_arg_regions): New field.
3864         (region_model::impl_call_va_start): New decl.
3865         (region_model::impl_call_va_copy): New decl.
3866         (region_model::impl_call_va_arg): New decl.
3867         (region_model::impl_call_va_end): New decl.
3868         * region.cc (alloca_region::dump_to_pp): Dump the id.
3869         (var_arg_region::dump_to_pp): New.
3870         (var_arg_region::get_frame_region): New.
3871         * region.h (enum region_kind): Add RK_VAR_ARG.
3872         (region::dyn_cast_var_arg_region): New.
3873         (class var_arg_region): New.
3874         (is_a_helper <const var_arg_region *>::test): New.
3875         (struct default_hash_traits<var_arg_region::key_t>): New.
3876         * sm.cc (make_checkers): Call make_va_list_state_machine.
3877         * sm.h (sm_context::warn): New vfunc.
3878         (sm_context::get_old_svalue): Drop unused decl.
3879         (sm_context::get_new_program_state): New vfunc.
3880         (make_va_list_state_machine): New decl.
3881         * varargs.cc: New file.
3883 2022-05-16  Martin Liska  <mliska@suse.cz>
3885         * engine.cc (exploded_node::get_dot_fillcolor): Use ARRAY_SIZE.
3886         * function-set.cc (test_stdio_example): Likewise.
3887         * sm-file.cc (get_file_using_fns): Likewise.
3888         * sm-malloc.cc (malloc_state_machine::unaffected_by_call_p): Likewise.
3889         * sm-signal.cc (get_async_signal_unsafe_fns): Likewise.
3891 2022-05-13  Richard Biener  <rguenther@suse.de>
3893         * supergraph.cc: Re-order gimple-fold.h include.
3895 2022-05-11  David Malcolm  <dmalcolm@redhat.com>
3897         * checker-path.cc (state_change_event::get_desc): Call maybe_free
3898         on label_text temporaries.
3899         * diagnostic-manager.cc
3900         (diagnostic_manager::prune_for_sm_diagnostic): Likewise.
3901         * engine.cc (exploded_graph::~exploded_graph): Fix leak of
3902         m_per_point_data and m_per_call_string_data values.  Simplify
3903         cleanup of m_per_function_stats and m_per_point_data values.
3904         (feasibility_state::maybe_update_for_edge): Fix leak of result of
3905         superedge::get_description.
3906         * region-model-manager.cc
3907         (region_model_manager::~region_model_manager): Move cleanup of
3908         m_setjmp_values to match the ordering of the fields within
3909         region_model_manager.  Fix leak of values within
3910         m_repeated_values_map, m_bits_within_values_map,
3911         m_asm_output_values_map, and m_const_fn_result_values_map.
3913 2022-04-28  David Malcolm  <dmalcolm@redhat.com>
3915         PR analyzer/105285
3916         * store.cc (binding_cluster::get_any_binding): Handle accessing
3917         sub_svalues of clusters where the base region has a symbolic
3918         binding.
3920 2022-04-28  David Malcolm  <dmalcolm@redhat.com>
3922         * diagnostic-manager.cc (epath_finder::process_worklist_item):
3923         Call dump_feasible_path when a path that reaches the target
3924         enode is found.
3925         (epath_finder::dump_feasible_path): New.
3926         * engine.cc (feasibility_state::dump_to_pp): New.
3927         * exploded-graph.h (feasibility_state::dump_to_pp): New decl.
3928         * feasible-graph.cc (feasible_graph::dump_feasible_path): New.
3929         * feasible-graph.h (feasible_graph::dump_feasible_path): New
3930         decls.
3931         * program-point.cc (function_point::print): Fix missing trailing
3932         newlines.
3933         * program-point.h (program_point::print_source_line): Remove
3934         unimplemented decl.
3936 2022-04-25  David Malcolm  <dmalcolm@redhat.com>
3938         PR analyzer/105365
3939         PR analyzer/105366
3940         * svalue.cc
3941         (cmp_cst): Rename to...
3942         (cmp_csts_same_type): ...this.  Convert all recursive calls to
3943         calls to...
3944         (cmp_csts_and_types): ...this new function.
3945         (svalue::cmp_ptr): Update for renaming of cmp_cst.
3947 2022-04-14  David Malcolm  <dmalcolm@redhat.com>
3949         PR analyzer/105264
3950         * region-model-reachability.cc (reachable_regions::handle_parm):
3951         Use maybe_get_deref_base_region rather than just region_svalue, to
3952         handle pointer arithmetic also.
3953         * svalue.cc (svalue::maybe_get_deref_base_region): New.
3954         * svalue.h (svalue::maybe_get_deref_base_region): New decl.
3956 2022-04-14  David Malcolm  <dmalcolm@redhat.com>
3958         PR analyzer/105252
3959         * svalue.cc (cmp_cst): When comparing VECTOR_CSTs, compare the
3960         types of the encoded elements before calling cmp_cst on them.
3962 2022-04-09  David Malcolm  <dmalcolm@redhat.com>
3964         PR analyzer/103892
3965         * region-model-manager.cc
3966         (region_model_manager::get_unknown_symbolic_region): New,
3967         extracted from...
3968         (region_model_manager::get_field_region): ...here.
3969         (region_model_manager::get_element_region): Use it here.
3970         (region_model_manager::get_offset_region): Likewise.
3971         (region_model_manager::get_sized_region): Likewise.
3972         (region_model_manager::get_cast_region): Likewise.
3973         (region_model_manager::get_bit_range): Likewise.
3974         * region-model.h
3975         (region_model_manager::get_unknown_symbolic_region): New decl.
3976         * region.cc (symbolic_region::symbolic_region): Handle sval_ptr
3977         having NULL type.
3978         (symbolic_region::dump_to_pp): Handle having NULL type.
3980 2022-04-07  David Malcolm  <dmalcolm@redhat.com>
3982         PR analyzer/102208
3983         * store.cc (binding_map::remove_overlapping_bindings): Add
3984         "always_overlap" param, using it to generalize to the case where
3985         we want to remove all bindings.  Update "uncertainty" logic to
3986         only record maybe-bound values for cases where there is a symbolic
3987         write involved.
3988         (binding_cluster::mark_region_as_unknown): Split param "reg" into
3989         "reg_to_bind" and "reg_for_overlap".
3990         (binding_cluster::maybe_get_compound_binding): Pass "false" to
3991         binding_map::remove_overlapping_bindings new "always_overlap" param.
3992         (binding_cluster::remove_overlapping_bindings): Determine
3993         "always_overlap" and pass it to
3994         binding_map::remove_overlapping_bindings.
3995         (store::set_value): Pass uncertainty to remove_overlapping_bindings
3996         call.  Update for new param of
3997         binding_cluster::mark_region_as_unknown, passing both the base
3998         region of the iter_cluster, and the lhs_reg.
3999         (store::mark_region_as_unknown): Update for new param of
4000         binding_cluster::mark_region_as_unknown, passing "reg" for both.
4001         (store::remove_overlapping_bindings): Add param "uncertainty", and
4002         pass it on to call to
4003         binding_cluster::remove_overlapping_bindings.
4004         * store.h (binding_map::remove_overlapping_bindings): Add
4005         "always_overlap" param.
4006         (binding_cluster::mark_region_as_unknown): Split param "reg" into
4007         "reg_to_bind" and "reg_for_overlap".
4008         (store::remove_overlapping_bindings): Add param "uncertainty".
4010 2022-03-29  David Malcolm  <dmalcolm@redhat.com>
4012         PR testsuite/105085
4013         * region-model-manager.cc (dump_untracked_region): Skip decls in
4014         the constant pool.
4016 2022-03-29  David Malcolm  <dmalcolm@redhat.com>
4018         PR analyzer/105087
4019         * analyzer.h (class conjured_purge): New forward decl.
4020         * region-model-asm.cc (region_model::on_asm_stmt): Add
4021         conjured_purge param to calls binding_cluster::on_asm and
4022         region_model_manager::get_or_create_conjured_svalue.
4023         * region-model-impl-calls.cc
4024         (call_details::get_or_create_conjured_svalue): Likewise for call
4025         to region_model_manager::get_or_create_conjured_svalue.
4026         (region_model::impl_call_fgets): Remove call to
4027         region_model::purge_state_involving, as this is now done
4028         implicitly by call_details::get_or_create_conjured_svalue.
4029         (region_model::impl_call_fread): Likewise.
4030         (region_model::impl_call_strchr): Pass conjured_purge param to
4031         call to region_model_manager::get_or_create_conjured_svalue.
4032         * region-model-manager.cc (conjured_purge::purge): New.
4033         (region_model_manager::get_or_create_conjured_svalue): Add
4034         param "p".  Use it to purge state when reusing an existing
4035         conjured_svalue.
4036         * region-model.cc (region_model::on_call_pre): Replace call to
4037         region_model::purge_state_involving with passing conjured_purge
4038         to region_model_manager::get_or_create_conjured_svalue.
4039         (region_model::handle_unrecognized_call): Pass conjured_purge to
4040         store::on_unknown_fncall.
4041         * region-model.h
4042         (region_model_manager::get_or_create_conjured_svalue): Add param
4043         "p".
4044         * store.cc (binding_cluster::on_unknown_fncall): Likewise.  Pass
4045         it on to region_model_manager::get_or_create_conjured_svalue.
4046         (binding_cluster::on_asm): Likewise.
4047         (store::on_unknown_fncall): Add param "p" and pass it on to
4048         binding_cluster::on_unknown_fncall.
4049         * store.h (binding_cluster::on_unknown_fncall): Add param p.
4050         (binding_cluster::on_asm): Likewise.
4051         (store::on_unknown_fncall): Likewise.
4052         * svalue.h (class conjured_purge): New.
4054 2022-03-29  David Malcolm  <dmalcolm@redhat.com>
4056         PR analyzer/105074
4057         * region.cc (ipa_ref_requires_tracking): Drop "context_fndecl",
4058         instead using the ref->referring to get the cgraph node of the
4059         caller.
4060         (symnode_requires_tracking_p): Likewise.
4062 2022-03-26  David Malcolm  <dmalcolm@redhat.com>
4064         PR analyzer/105057
4065         * store.cc (binding_cluster::make_unknown_relative_to): Reject
4066         attempts to create a cluster for untracked base regions.
4067         (store::set_value): Likewise.
4068         (store::fill_region): Likewise.
4069         (store::mark_region_as_unknown): Likewise.
4071 2022-03-25  David Malcolm  <dmalcolm@redhat.com>
4073         PR analyzer/104954
4074         * analyzer.opt (-fdump-analyzer-untracked): New option.
4075         * engine.cc (impl_run_checkers): Handle it.
4076         * region-model-asm.cc (region_model::on_asm_stmt): Don't attempt
4077         to clobber regions with !tracked_p ().
4078         * region-model-manager.cc (dump_untracked_region): New.
4079         (region_model_manager::dump_untracked_regions): New.
4080         (frame_region::dump_untracked_regions): New.
4081         * region-model.h (region_model_manager::dump_untracked_regions):
4082         New decl.
4083         * region.cc (ipa_ref_requires_tracking): New.
4084         (symnode_requires_tracking_p): New.
4085         (decl_region::calc_tracked_p): New.
4086         * region.h (region::tracked_p): New vfunc.
4087         (frame_region::dump_untracked_regions): New decl.
4088         (class decl_region): Note that this is also used for SSA names.
4089         (decl_region::decl_region): Initialize m_tracked.
4090         (decl_region::tracked_p): New.
4091         (decl_region::calc_tracked_p): New decl.
4092         (decl_region::m_tracked): New.
4093         * store.cc (store::get_or_create_cluster): Assert that we
4094         don't try to create clusters for base regions that aren't
4095         trackable.
4096         (store::mark_as_escaped): Don't mark base regions that we're not
4097         tracking.
4099 2022-03-23  David Malcolm  <dmalcolm@redhat.com>
4101         PR analyzer/104979
4102         * engine.cc (impl_run_checkers): Create the engine after the
4103         supergraph, and pass the supergraph to the engine.
4104         * region-model.cc (region_model::get_lvalue_1): Pass ctxt to
4105         frame_region::get_region_for_local.
4106         (region_model::update_for_return_gcall): Pass the lvalue for the
4107         result to pop_frame as a tree, rather than as a region.
4108         (region_model::pop_frame): Update for above change, determining
4109         the destination region after the frame is popped and thus with
4110         respect to the caller frame rather than the called frame.
4111         Likewise, set the value of the region to the return value after
4112         the frame is popped.
4113         (engine::engine): Add supergraph pointer.
4114         (selftest::test_stack_frames): Set the DECL_CONTEXT of PARM_DECLs.
4115         (selftest::test_get_representative_path_var): Likewise.
4116         (selftest::test_state_merging): Likewise.
4117         * region-model.h (region_model::pop_frame): Convert first param
4118         from a const region * to a tree.
4119         (engine::engine): Add param "sg".
4120         (engine::m_sg): New field.
4121         * region.cc: Include "analyzer/sm.h" and
4122         "analyzer/program-state.h".
4123         (frame_region::get_region_for_local): Add "ctxt" param.
4124         Add assertions that VAR_DECLs are locals, and that expr is for the
4125         correct function.
4126         * region.h (frame_region::get_region_for_local): Add "ctxt" param.
4128 2022-03-23  David Malcolm  <dmalcolm@redhat.com>
4130         PR analyzer/105017
4131         * sm-taint.cc (taint_diagnostic::subclass_equal_p): Check
4132         m_has_bounds as well as m_arg.
4133         (tainted_allocation_size::subclass_equal_p): Chain up to base
4134         class implementation.  Also check m_mem_space.
4135         (tainted_allocation_size::emit): Add note showing stack-based vs
4136         heap-based allocations.
4138 2022-03-23  David Malcolm  <dmalcolm@redhat.com>
4140         PR analyzer/104997
4141         * diagnostic-manager.cc (diagnostic_manager::add_diagnostic):
4142         Convert return type from "void" to "bool", reporting success vs
4143         failure to caller, for both overloads.
4144         * diagnostic-manager.h (diagnostic_manager::add_diagnostic):
4145         Likewise.
4146         * engine.cc (impl_region_model_context::warn): Propagate return
4147         value from diagnostic_manager::add_diagnostic.
4149 2022-03-18  David Malcolm  <dmalcolm@redhat.com>
4151         PR analyzer/104943
4152         PR analyzer/104954
4153         PR analyzer/103533
4154         * analyzer.h (class state_purge_per_decl): New forward decl.
4155         * engine.cc (impl_run_checkers): Pass region_model_manager to
4156         state_purge_map ctor.
4157         * program-point.cc (function_point::final_stmt_p): New.
4158         (function_point::get_next): New.
4159         * program-point.h (function_point::final_stmt_p): New decl.
4160         (function_point::get_next): New decl.
4161         * program-state.cc (program_state::prune_for_point): Generalize to
4162         purge local decls as well as SSA names.
4163         (program_state::can_purge_base_region_p): New.
4164         * program-state.h (program_state::can_purge_base_region_p): New
4165         decl.
4166         * region-model.cc (struct append_ssa_names_cb_data): Rename to...
4167         (struct append_regions_cb_data): ...this.
4168         (region_model::get_ssa_name_regions_for_current_frame): Rename
4169         to...
4170         (region_model::get_regions_for_current_frame): ...this, updating
4171         for other renamings.
4172         (region_model::append_ssa_names_cb): Rename to...
4173         (region_model::append_regions_cb): ...this, and drop the requirement
4174         that the subregion be a SSA name.
4175         * region-model.h (struct append_ssa_names_cb_data): Rename decl
4176         to...
4177         (struct append_regions_cb_data): ...this.
4178         (region_model::get_ssa_name_regions_for_current_frame): Rename
4179         decl to...
4180         (region_model::get_regions_for_current_frame): ...this.
4181         (region_model::append_ssa_names_cb): Rename decl to...
4182         (region_model::append_regions_cb): ...this.
4183         * state-purge.cc: Include "tristate.h", "selftest.h",
4184         "analyzer/store.h", "analyzer/region-model.h", and
4185         "gimple-walk.h".
4186         (get_candidate_for_purging): New.
4187         (class gimple_op_visitor): New.
4188         (my_load_cb): New.
4189         (my_store_cb): New.
4190         (my_addr_cb): New.
4191         (state_purge_map::state_purge_map): Add "mgr" param.  Update for
4192         renamings.  Find uses of local variables.
4193         (state_purge_map::~state_purge_map): Update for renaming of m_map
4194         to m_ssa_map.  Clean up m_decl_map.
4195         (state_purge_map::get_or_create_data_for_decl): New.
4196         (state_purge_per_ssa_name::state_purge_per_ssa_name): Update for
4197         inheriting from state_purge_per_tree.
4198         (state_purge_per_ssa_name::add_to_worklist): Likewise.
4199         (state_purge_per_decl::state_purge_per_decl): New.
4200         (state_purge_per_decl::add_needed_at): New.
4201         (state_purge_per_decl::add_pointed_to_at): New.
4202         (state_purge_per_decl::process_worklists): New.
4203         (state_purge_per_decl::add_to_worklist): New.
4204         (same_binding_p): New.
4205         (fully_overwrites_p): New.
4206         (state_purge_per_decl::process_point_backwards): New.
4207         (state_purge_per_decl::process_point_forwards): New.
4208         (state_purge_per_decl::needed_at_point_p): New.
4209         (state_purge_annotator::print_needed): Generalize to print local
4210         decls as well as SSA names.
4211         * state-purge.h (class state_purge_map): Update leading comment.
4212         (state_purge_map::map_t): Rename to...
4213         (state_purge_map::ssa_map_t): ...this.
4214         (state_purge_map::iterator): Rename to...
4215         (state_purge_map::ssa_iterator): ...this.
4216         (state_purge_map::decl_map_t): New typedef.
4217         (state_purge_map::decl_iterator): New typedef.
4218         (state_purge_map::state_purge_map): Add "mgr" param.
4219         (state_purge_map::get_data_for_ssa_name): Update for renaming.
4220         (state_purge_map::get_any_data_for_decl): New.
4221         (state_purge_map::get_or_create_data_for_decl): New decl.
4222         (state_purge_map::begin): Rename to...
4223         (state_purge_map::begin_ssas): ...this.
4224         (state_purge_map::end): Rename to...
4225         (state_purge_map::end_ssa): ...this.
4226         (state_purge_map::begin_decls): New.
4227         (state_purge_map::end_decls): New.
4228         (state_purge_map::m_map): Rename to...
4229         (state_purge_map::m_ssa_map): ...this.
4230         (state_purge_map::m_decl_map): New field.
4231         (class state_purge_per_tree): New class.
4232         (class state_purge_per_ssa_name): Inherit from state_purge_per_tree.
4233         (state_purge_per_ssa_name::get_function): Move to base class.
4234         (state_purge_per_ssa_name::point_set_t): Likewise.
4235         (state_purge_per_ssa_name::m_fun): Likewise.
4236         (class state_purge_per_decl): New.
4238 2022-03-17  David Malcolm  <dmalcolm@redhat.com>
4240         * state-purge.cc (state_purge_annotator::add_node_annotations):
4241         Avoid duplicate before-supernode annotations when returning from
4242         an interprocedural call.  Show after-supernode annotations.
4244 2022-03-17  David Malcolm  <dmalcolm@redhat.com>
4246         * program-point.cc (program_point::get_next): Fix missing
4247         increment of index.
4249 2022-03-16  David Malcolm  <dmalcolm@redhat.com>
4251         PR analyzer/104955
4252         * diagnostic-manager.cc (get_emission_location): New.
4253         (diagnostic_manager::diagnostic_manager): Initialize
4254         m_num_disabled_diagnostics.
4255         (diagnostic_manager::add_diagnostic): Reject diagnostics that
4256         will eventually be rejected due to being disabled.
4257         (diagnostic_manager::emit_saved_diagnostics): Log the number
4258         of disabled diagnostics.
4259         (diagnostic_manager::emit_saved_diagnostic): Split out logic for
4260         determining emission location to get_emission_location.
4261         * diagnostic-manager.h
4262         (diagnostic_manager::m_num_disabled_diagnostics): New field.
4263         * engine.cc (stale_jmp_buf::get_controlling_option): New.
4264         (stale_jmp_buf::emit): Use it.
4265         * pending-diagnostic.h
4266         (pending_diagnostic::get_controlling_option): New vfunc.
4267         * region-model.cc
4268         (poisoned_value_diagnostic::get_controlling_option): New.
4269         (poisoned_value_diagnostic::emit): Use it.
4270         (shift_count_negative_diagnostic::get_controlling_option): New.
4271         (shift_count_negative_diagnostic::emit): Use it.
4272         (shift_count_overflow_diagnostic::get_controlling_option): New.
4273         (shift_count_overflow_diagnostic::emit): Use it.
4274         (dump_path_diagnostic::get_controlling_option): New.
4275         (dump_path_diagnostic::emit): Use it.
4276         (write_to_const_diagnostic::get_controlling_option): New.
4277         (write_to_const_diagnostic::emit): Use it.
4278         (write_to_string_literal_diagnostic::get_controlling_option): New.
4279         (write_to_string_literal_diagnostic::emit): Use it.
4280         * sm-file.cc (double_fclose::get_controlling_option): New.
4281         (double_fclose::emit): Use it.
4282         (file_leak::get_controlling_option): New.
4283         (file_leak::emit): Use it.
4284         * sm-malloc.cc (mismatching_deallocation::get_controlling_option):
4285         New.
4286         (mismatching_deallocation::emit): Use it.
4287         (double_free::get_controlling_option): New.
4288         (double_free::emit): Use it.
4289         (possible_null_deref::get_controlling_option): New.
4290         (possible_null_deref::emit): Use it.
4291         (possible_null_arg::get_controlling_option): New.
4292         (possible_null_arg::emit): Use it.
4293         (null_deref::get_controlling_option): New.
4294         (null_deref::emit): Use it.
4295         (null_arg::get_controlling_option): New.
4296         (null_arg::emit): Use it.
4297         (use_after_free::get_controlling_option): New.
4298         (use_after_free::emit): Use it.
4299         (malloc_leak::get_controlling_option): New.
4300         (malloc_leak::emit): Use it.
4301         (free_of_non_heap::get_controlling_option): New.
4302         (free_of_non_heap::emit): Use it.
4303         * sm-pattern-test.cc (pattern_match::get_controlling_option): New.
4304         (pattern_match::emit): Use it.
4305         * sm-sensitive.cc
4306         (exposure_through_output_file::get_controlling_option): New.
4307         (exposure_through_output_file::emit): Use it.
4308         * sm-signal.cc (signal_unsafe_call::get_controlling_option): New.
4309         (signal_unsafe_call::emit): Use it.
4310         * sm-taint.cc (tainted_array_index::get_controlling_option): New.
4311         (tainted_array_index::emit): Use it.
4312         (tainted_offset::get_controlling_option): New.
4313         (tainted_offset::emit): Use it.
4314         (tainted_size::get_controlling_option): New.
4315         (tainted_size::emit): Use it.
4316         (tainted_divisor::get_controlling_option): New.
4317         (tainted_divisor::emit): Use it.
4318         (tainted_allocation_size::get_controlling_option): New.
4319         (tainted_allocation_size::emit): Use it.
4321 2022-03-15  David Malcolm  <dmalcolm@redhat.com>
4323         * store.cc (store::store): Presize m_cluster_map.
4325 2022-03-10  David Malcolm  <dmalcolm@redhat.com>
4327         PR analyzer/104863
4328         * constraint-manager.cc (constraint_manager::add_constraint):
4329         Refresh the EC IDs when adding constraints implied by offsets.
4331 2022-03-10  David Malcolm  <dmalcolm@redhat.com>
4333         PR analyzer/104793
4334         * analyzer.h (class pending_note): New forward decl.
4335         * diagnostic-manager.cc (saved_diagnostic::saved_diagnostic):
4336         Initialize m_notes.
4337         (saved_diagnostic::operator==): Compare m_notes.
4338         (saved_diagnostic::add_note): New.
4339         (saved_diagnostic::emit_any_notes): New.
4340         (diagnostic_manager::add_note): New.
4341         (diagnostic_manager::emit_saved_diagnostic): Call emit_any_notes
4342         after emitting the warning.
4343         * diagnostic-manager.h (saved_diagnostic::add_note): New decl.
4344         (saved_diagnostic::emit_any_notes): New decl.
4345         (saved_diagnostic::m_notes): New field.
4346         (diagnostic_manager::add_note): New decl.
4347         * engine.cc (impl_region_model_context::add_note): New.
4348         * exploded-graph.h (impl_region_model_context::add_note): New
4349         decl.
4350         * pending-diagnostic.h (class pending_note): New.
4351         (class pending_note_subclass): New template.
4352         * region-model.cc (class reason_attr_access): New.
4353         (check_external_function_for_access_attr): Add class
4354         annotating_ctxt and use it when checking region.
4355         (noop_region_model_context::add_note): New.
4356         * region-model.h (region_model_context::add_note): New vfunc.
4357         (noop_region_model_context::add_note): New decl.
4358         (class region_model_context_decorator): New.
4359         (class note_adding_context): New.
4361 2022-03-10  David Malcolm  <dmalcolm@redhat.com>
4363         PR analyzer/104793
4364         * region-model.cc
4365         (region_model::check_external_function_for_access_attr): New.
4366         (region_model::handle_unrecognized_call): Call it.
4367         * region-model.h
4368         (region_model::check_external_function_for_access_attr): New decl.
4369         (region_model::handle_unrecognized_call): New decl.
4371 2022-03-10  David Malcolm  <dmalcolm@redhat.com>
4373         * sm-taint.cc (taint_state_machine::check_for_tainted_size_arg):
4374         Avoid generating duplicate saved_diagnostics by only handling the
4375         rdwr_map entry for the ptrarg, not the duplicate entry for the
4376         sizarg.
4378 2022-03-07  David Malcolm  <dmalcolm@redhat.com>
4380         PR analyzer/101983
4381         * engine.cc (returning_from_function_p): New.
4382         (impl_region_model_context::on_state_leak): Use it when rejecting
4383         leaks at the return from "main".
4385 2022-03-07  Jakub Jelinek  <jakub@redhat.com>
4387         * store.cc: Fix up duplicated word issue in a comment.
4388         * analyzer.cc: Likewise.
4389         * engine.cc: Likewise.
4390         * sm-taint.cc: Likewise.
4392 2022-03-04  David Malcolm  <dmalcolm@redhat.com>
4394         PR analyzer/103521
4395         * analyzer.opt (-param=analyzer-max-svalue-depth=): Reduce from 13
4396         to 12.
4398 2022-02-23  David Malcolm  <dmalcolm@redhat.com>
4400         PR analyzer/104434
4401         * analyzer.h (class const_fn_result_svalue): New decl.
4402         * region-model-impl-calls.cc (call_details::get_manager): New.
4403         * region-model-manager.cc
4404         (region_model_manager::get_or_create_const_fn_result_svalue): New.
4405         (region_model_manager::log_stats): Log
4406         m_const_fn_result_values_map.
4407         * region-model.cc (const_fn_p): New.
4408         (maybe_get_const_fn_result): New.
4409         (region_model::on_call_pre): Handle fndecls with
4410         __attribute__((const)) by calling the above rather than making
4411         a conjured_svalue.
4412         * region-model.h (visitor::visit_const_fn_result_svalue): New.
4413         (region_model_manager::get_or_create_const_fn_result_svalue): New
4414         decl.
4415         (region_model_manager::const_fn_result_values_map_t): New typedef.
4416         (region_model_manager::m_const_fn_result_values_map): New field.
4417         (call_details::get_manager): New decl.
4418         * svalue.cc (svalue::cmp_ptr): Handle SK_CONST_FN_RESULT.
4419         (const_fn_result_svalue::dump_to_pp): New.
4420         (const_fn_result_svalue::dump_input): New.
4421         (const_fn_result_svalue::accept): New.
4422         * svalue.h (enum svalue_kind): Add SK_CONST_FN_RESULT.
4423         (svalue::dyn_cast_const_fn_result_svalue): New.
4424         (class const_fn_result_svalue): New.
4425         (is_a_helper <const const_fn_result_svalue *>::test): New.
4426         (template <> struct default_hash_traits<const_fn_result_svalue::key_t>):
4427         New.
4429 2022-02-17  David Malcolm  <dmalcolm@redhat.com>
4431         PR analyzer/104576
4432         * region-model.cc: Include "calls.h".
4433         (region_model::on_call_pre): Use flags_from_decl_or_type to
4434         generalize check for DECL_PURE_P to also check for ECF_CONST.
4436 2022-02-16  David Malcolm  <dmalcolm@redhat.com>
4438         PR analyzer/104560
4439         * diagnostic-manager.cc (diagnostic_manager::build_emission_path):
4440         Add region creation events for globals of interest.
4441         (null_assignment_sm_context::get_old_program_state): New.
4442         (diagnostic_manager::add_events_for_eedge): Move check for
4443         changing dynamic extents from PK_BEFORE_STMT case to after the
4444         switch on the dst_point's kind so that we can emit them for the
4445         final stmt in a basic block.
4446         * engine.cc (impl_sm_context::get_old_program_state): New.
4447         * sm-malloc.cc (malloc_state_machine::get_default_state): Rewrite
4448         detection of m_non_heap to use get_memory_space.
4449         (free_of_non_heap::free_of_non_heap): Add freed_reg param.
4450         (free_of_non_heap::subclass_equal_p): Update for changes to
4451         fields.
4452         (free_of_non_heap::emit): Drop m_kind in favor of
4453         get_memory_space.
4454         (free_of_non_heap::describe_state_change): Remove logic for
4455         detecting alloca.
4456         (free_of_non_heap::mark_interesting_stuff): Add region-creation of
4457         m_freed_reg.
4458         (free_of_non_heap::get_memory_space): New.
4459         (free_of_non_heap::kind): Drop enum.
4460         (free_of_non_heap::m_freed_reg): New field.
4461         (free_of_non_heap::m_kind): Drop field.
4462         (malloc_state_machine::on_stmt): Drop transition to m_non_heap.
4463         (malloc_state_machine::handle_free_of_non_heap): New function,
4464         split out from on_deallocator_call and on_realloc_call, adding
4465         detection of the freed region.
4466         (malloc_state_machine::on_deallocator_call): Use it.
4467         (malloc_state_machine::on_realloc_call): Likewise.
4468         * sm.h (sm_context::get_old_program_state): New vfunc.
4470 2022-02-15  David Malcolm  <dmalcolm@redhat.com>
4472         PR analyzer/104524
4473         * region-model-manager.cc
4474         (region_model_manager::maybe_fold_sub_svalue): Only call
4475         get_or_create_cast if type is non-NULL.
4477 2022-02-15  David Malcolm  <dmalcolm@redhat.com>
4479         PR analyzer/102692
4480         * exploded-graph.h (impl_region_model_context::get_stmt): New.
4481         * region-model.cc: Include "gimple-ssa.h", "tree-phinodes.h",
4482         "tree-ssa-operands.h", and "ssa-iterators.h".
4483         (within_short_circuited_stmt_p): New.
4484         (region_model::check_for_poison): Don't warn about uninit values
4485         if within_short_circuited_stmt_p.
4486         * region-model.h (region_model_context::get_stmt): New vfunc.
4487         (noop_region_model_context::get_stmt): New.
4489 2022-02-11  David Malcolm  <dmalcolm@redhat.com>
4491         PR analyzer/104274
4492         * region-model.cc (region_model::check_for_poison): Ignore
4493         uninitialized uses of empty types.
4495 2022-02-10  David Malcolm  <dmalcolm@redhat.com>
4497         PR analyzer/98797
4498         * region-model-manager.cc
4499         (region_model_manager::maybe_fold_sub_svalue): Generalize getting
4500         individual chars of a STRING_CST from element_region to any
4501         subregion which is a concrete access of a single byte from its
4502         parent region.
4503         * region.cc (region::get_relative_concrete_byte_range): New.
4504         * region.h (region::get_relative_concrete_byte_range): New decl.
4506 2022-02-09  David Malcolm  <dmalcolm@redhat.com>
4508         PR analyzer/104452
4509         * region-model.cc (selftest::test_bit_range_regions): New.
4510         (selftest::analyzer_region_model_cc_tests): Call it.
4511         * region.h (bit_range_region::key_t::hash): Fix hashing of m_bits
4512         to avoid using uninitialized data.
4514 2022-02-07  David Malcolm  <dmalcolm@redhat.com>
4516         PR analyzer/104417
4517         * sm-taint.cc (tainted_allocation_size::tainted_allocation_size):
4518         Remove overzealous assertion.
4519         (tainted_allocation_size::emit): Likewise.
4520         (region_model::check_dynamic_size_for_taint): Likewise.
4522 2022-02-07  David Malcolm  <dmalcolm@redhat.com>
4524         PR analyzer/103872
4525         * region-model-impl-calls.cc (region_model::impl_call_memcpy):
4526         Reimplement in terms of a get_store_value followed by a set_value.
4528 2022-02-03  David Malcolm  <dmalcolm@redhat.com>
4530         PR analyzer/104369
4531         * engine.cc (exploded_graph::process_node): Use the node for any
4532         diagnostics, avoiding ICE if a bifurcation update adds a
4533         saved_diagnostic, such as for a tainted realloc size.
4534         * region-model-impl-calls.cc
4535         (region_model::impl_call_realloc::success_no_move::update_model):
4536         Require the old pointer to be non-NULL to be able to successfully
4537         grow in place.  Use model->deref_rvalue rather than maybe_get_region
4538         to support the old pointer being symbolic.
4539         (region_model::impl_call_realloc::success_with_move::update_model):
4540         Likewise.  Add a constraint that the new pointer != the old pointer.
4541         Use a sized_region when setting the value of the new region.
4542         Handle the case where we don't know the dynamic size of the old
4543         region by marking the new region as unknown.
4544         * sm-taint.cc (tainted_allocation_size::tainted_allocation_size):
4545         Update assertion to also allow for MEMSPACE_UNKNOWN.
4546         (tainted_allocation_size::emit): Likewise.
4547         (region_model::check_dynamic_size_for_taint): Likewise.
4549 2022-02-03  David Malcolm  <dmalcolm@redhat.com>
4551         * region-model-impl-calls.cc (region_model::impl_call_calloc): Use
4552         a sized_region when calling zero_fill_region.
4554 2022-02-02  David Malcolm  <dmalcolm@redhat.com>
4556         * region-model.cc (region_model::on_return): Replace usage of
4557         copy_region with get_rvalue/set_value pair.
4558         (region_model::pop_frame): Likewise.
4559         (selftest::test_compound_assignment): Likewise.
4560         * region-model.h (region_model::copy_region): Delete decl.
4561         * region.cc (region_model::copy_region): Delete.
4563 2022-02-02  David Malcolm  <dmalcolm@redhat.com>
4565         * region.cc (region::calc_offset): Consolidate effectively
4566         identical cases.
4568 2022-02-02  David Malcolm  <dmalcolm@redhat.com>
4570         * analyzer.h (class bit_range_region): New forward decl.
4571         * region-model-manager.cc (region_model_manager::get_bit_range):
4572         New.
4573         (region_model_manager::log_stats): Handle m_bit_range_regions.
4574         * region-model.cc (region_model::get_lvalue_1): Handle
4575         BIT_FIELD_REF.
4576         * region-model.h (region_model_manager::get_bit_range): New decl.
4577         (region_model_manager::m_bit_range_regions): New field.
4578         * region.cc (region::get_base_region): Handle RK_BIT_RANGE.
4579         (region::base_region_p): Likewise.
4580         (region::calc_offset): Likewise.
4581         (bit_range_region::dump_to_pp): New.
4582         (bit_range_region::get_byte_size): New.
4583         (bit_range_region::get_bit_size): New.
4584         (bit_range_region::get_byte_size_sval): New.
4585         (bit_range_region::get_relative_concrete_offset): New.
4586         * region.h (enum region_kind): Add RK_BIT_RANGE.
4587         (region::dyn_cast_bit_range_region): New vfunc.
4588         (class bit_range_region): New.
4589         (is_a_helper <const bit_range_region *>::test): New.
4590         (default_hash_traits<bit_range_region::key_t>): New.
4592 2022-02-02  David Malcolm  <dmalcolm@redhat.com>
4594         PR analyzer/104270
4595         * region-model.cc (region_model::on_call_pre): Handle
4596         IFN_DEFERRED_INIT.
4598 2022-01-27  David Malcolm  <dmalcolm@redhat.com>
4600         * checker-path.cc (event_kind_to_string): Handle
4601         EK_REGION_CREATION.
4602         (region_creation_event::region_creation_event): New.
4603         (region_creation_event::get_desc): New.
4604         (checker_path::add_region_creation_event): New.
4605         * checker-path.h (enum event_kind): Add EK_REGION_CREATION.
4606         (class region_creation_event): New subclass.
4607         (checker_path::add_region_creation_event): New decl.
4608         * diagnostic-manager.cc
4609         (diagnostic_manager::emit_saved_diagnostic): Pass NULL for new
4610         param to add_events_for_eedge when handling trailing eedge.
4611         (diagnostic_manager::build_emission_path): Create an interesting_t
4612         instance, allow the pending diagnostic to populate it, and pass it
4613         to the calls to add_events_for_eedge.
4614         (diagnostic_manager::add_events_for_eedge): Add "interest" param.
4615         Use it to add region_creation_events for on-stack regions created
4616         at function entry, and when pertinent dynamically-sized
4617         regions are created.
4618         (diagnostic_manager::prune_for_sm_diagnostic): Add case for
4619         EK_REGION_CREATION.
4620         * diagnostic-manager.h (diagnostic_manager::add_events_for_eedge):
4621         Add "interest" param.
4622         * pending-diagnostic.cc: Include "selftest.h", "tristate.h",
4623         "analyzer/call-string.h", "analyzer/program-point.h",
4624         "analyzer/store.h", and "analyzer/region-model.h".
4625         (interesting_t::add_region_creation): New.
4626         (interesting_t::dump_to_pp): New.
4627         * pending-diagnostic.h (struct interesting_t): New.
4628         (pending_diagnostic::mark_interesting_stuff): New vfunc.
4629         * region-model.cc
4630         (poisoned_value_diagnostic::poisoned_value_diagnostic): Add
4631         (poisoned_value_diagnostic::operator==): Compare m_pkind and
4632         m_src_region fields.
4633         (poisoned_value_diagnostic::mark_interesting_stuff): New.
4634         (poisoned_value_diagnostic::m_src_region): New.
4635         (region_model::check_for_poison): Call
4636         get_region_for_poisoned_expr for uninit values and pass the result
4637         to the diagnostic.
4638         (region_model::get_region_for_poisoned_expr): New.
4639         (region_model::deref_rvalue): Pass NULL for
4640         poisoned_value_diagnostic's src_region.
4641         * region-model.h (region_model::get_region_for_poisoned_expr): New
4642         decl.
4643         * region.h (frame_region::get_fndecl): New.
4645 2022-01-27  Martin Liska  <mliska@suse.cz>
4647         PR analyzer/104247
4648         * constraint-manager.cc (bounded_ranges_manager::log_stats):
4649         Cast to long for format purpose.
4650         * region-model-manager.cc (log_uniq_map): Likewise.
4652 2022-01-26  David Malcolm  <dmalcolm@redhat.com>
4654         PR analyzer/104224
4655         * region-model.cc (region_model::check_call_args): New.
4656         (region_model::on_call_pre): Call it when ignoring stdio builtins.
4657         * region-model.h (region_model::check_call_args): New decl.
4659 2022-01-26  David Malcolm  <dmalcolm@redhat.com>
4661         PR analyzer/94362
4662         * constraint-manager.cc (range::add_bound): Fix tests for
4663         discarding redundant constraints.  Perform test for rejecting
4664         unsatisfiable constraints earlier so that they don't update
4665         the object on failure.
4666         (selftest::test_range): New.
4667         (selftest::test_constant_comparisons): Add test coverage for
4668         existing constraints becoming narrower until they are
4669         unsatisfiable.
4670         (selftest::run_constraint_manager_tests): Call test_range.
4672 2022-01-22  David Malcolm  <dmalcolm@redhat.com>
4674         PR analyzer/104159
4675         * region-model-manager.cc
4676         (region_model_manager::get_or_create_cast): Bail out if the types
4677         are the same.  Don't attempt to handle casts involving vector
4678         types.
4680 2022-01-20  David Malcolm  <dmalcolm@redhat.com>
4682         PR analyzer/94362
4683         * constraint-manager.cc (bound::ensure_closed): Convert param to
4684         enum bound_kind.
4685         (range::constrained_to_single_element): Likewise.
4686         (range::add_bound): New.
4687         (constraint_manager::add_constraint): Handle SVAL + OFFSET
4688         compared to a constant.
4689         (constraint_manager::get_ec_bounds): Rewrite in terms of
4690         range::add_bound.
4691         (constraint_manager::eval_condition): Reject if range::add_bound
4692         fails.
4693         (selftest::test_constant_comparisons): Add test coverage for
4694         various impossible combinations of integer comparisons.
4695         * constraint-manager.h (enum bound_kind): New.
4696         (struct bound): Likewise.
4697         (bound::ensure_closed): Convert param to enum bound_kind.
4698         (struct range): Convert to...
4699         (class range): ...this, making fields private.
4700         (range::add_bound): New decls.
4701         * region-model.cc (region_model::add_constraint): Fail if
4702         constraint_manager::add_constraint fails.
4704 2022-01-18  David Malcolm  <dmalcolm@redhat.com>
4706         PR analyzer/104089
4707         * region-model-manager.cc
4708         (region_model_manager::get_or_create_constant_svalue): Assert that
4709         we have a CONSTANT_CLASS_P.
4710         (region_model_manager::maybe_fold_unaryop): Only fold a constant
4711         when fold_unary's result is a constant or a cast of a constant.
4713 2022-01-18  David Malcolm  <dmalcolm@redhat.com>
4715         PR analyzer/104062
4716         * region-model-manager.cc
4717         (region_model_manager::maybe_fold_sub_svalue): Avoid casting to
4718         NULL type when folding access to repeated svalue.
4720 2022-01-17  Martin Liska  <mliska@suse.cz>
4722         * analyzer.cc (is_special_named_call_p): Rename .c names to .cc.
4723         (is_named_call_p): Likewise.
4724         * region-model-asm.cc (deterministic_p): Likewise.
4725         * region.cc (field_region::get_relative_concrete_offset): Likewise.
4726         * sm-malloc.cc (method_p): Likewise.
4727         * supergraph.cc (superedge::dump_dot): Likewise.
4729 2022-01-14  David Malcolm  <dmalcolm@redhat.com>
4731         * sm-taint.cc (taint_state_machine::combine_states): Handle combination
4732         of has_ub and has_lb.
4734 2022-01-14  David Malcolm  <dmalcolm@redhat.com>
4736         PR analyzer/104029
4737         * sm-taint.cc (taint_state_machine::alt_get_inherited_state):
4738         Remove gcc_unreachable from default case for unary ops.
4740 2022-01-14  David Malcolm  <dmalcolm@redhat.com>
4742         * engine.cc: Include "stringpool.h", "attribs.h", and
4743         "tree-dfa.h".
4744         (mark_params_as_tainted): New.
4745         (class tainted_args_function_custom_event): New.
4746         (class tainted_args_function_info): New.
4747         (exploded_graph::add_function_entry): Handle functions with
4748         "tainted_args" attribute.
4749         (class tainted_args_field_custom_event): New.
4750         (class tainted_args_callback_custom_event): New.
4751         (class tainted_args_call_info): New.
4752         (add_tainted_args_callback): New.
4753         (add_any_callbacks): New.
4754         (exploded_graph::build_initial_worklist): Likewise.
4755         (exploded_graph::build_initial_worklist): Find callbacks that are
4756         reachable from global initializers, calling add_any_callbacks on
4757         them.
4759 2022-01-12  David Malcolm  <dmalcolm@redhat.com>
4761         PR analyzer/103940
4762         * engine.cc (impl_sm_context::impl_sm_context): Add
4763         "unknown_side_effects" param and use it to initialize
4764         new m_unknown_side_effects field.
4765         (impl_sm_context::unknown_side_effects_p): New.
4766         (impl_sm_context::m_unknown_side_effects): New.
4767         (exploded_node::on_stmt): Pass unknown_side_effects to sm_ctxt
4768         ctor.
4769         * sm-taint.cc: Include "stringpool.h" and "attribs.h".
4770         (tainted_size::tainted_size): Drop "dir" param.
4771         (tainted_size::get_kind): Drop "FINAL".
4772         (tainted_size::emit): Likewise.
4773         (tainted_size::m_dir): Drop unused field.
4774         (class tainted_access_attrib_size): New subclass.
4775         (taint_state_machine::on_stmt): Call check_for_tainted_size_arg on
4776         external functions with unknown side effects.
4777         (taint_state_machine::check_for_tainted_size_arg): New.
4778         (region_model::check_region_for_taint): Drop "dir" param from
4779         tainted_size ctor.
4780         * sm.h (sm_context::unknown_side_effects_p): New.
4782 2022-01-11  David Malcolm  <dmalcolm@redhat.com>
4784         PR analyzer/102692
4785         * diagnostic-manager.cc
4786         (class auto_disable_complexity_checks): Rename to...
4787         (class auto_checking_feasibility): ...this, updating
4788         the calls accordingly.
4789         (epath_finder::explore_feasible_paths): Update for renaming.
4790         * region-model-manager.cc
4791         (region_model_manager::region_model_manager): Update for change from
4792         m_check_complexity to m_checking_feasibility.
4793         (region_model_manager::reject_if_too_complex): Likewise.
4794         (region_model_manager::get_or_create_unknown_svalue): Handle
4795         m_checking_feasibility.
4796         (region_model_manager::create_unique_svalue): New.
4797         (region_model_manager::maybe_fold_binop): Handle BIT_AND_EXPR and
4798         BIT_IOR_EXPRs on booleans where we know the result.
4799         * region-model.cc (test_binop_svalue_folding): Add test coverage
4800         for the above.
4801         * region-model.h (region_model_manager::create_unique_svalue): New
4802         decl.
4803         (region_model_manager::enable_complexity_check): Replace with...
4804         (region_model_manager::begin_checking_feasibility): ...this.
4805         (region_model_manager::disable_complexity_check): Replace with...
4806         (region_model_manager::end_checking_feasibility): ...this.
4807         (region_model_manager::m_check_complexity): Replace with...
4808         (region_model_manager::m_checking_feasibility): ...this.
4809         (region_model_manager::m_managed_dynamic_svalues): New field.
4811 2022-01-08  David Malcolm  <dmalcolm@redhat.com>
4813         * engine.cc (impl_run_checkers): Pass logger to engine ctor.
4814         * region-model-manager.cc
4815         (region_model_manager::region_model_manager): Add logger param and
4816         use it to initialize m_logger.
4817         * region-model.cc (engine::engine): New.
4818         * region-model.h (region_model_manager::region_model_manager):
4819         Add logger param.
4820         (region_model_manager::get_logger): New.
4821         (region_model_manager::m_logger): New field.
4822         (engine::engine): New.
4823         * store.cc (store_manager::get_logger): New.
4824         (store::set_value): Log scope.  Log when marking a cluster as
4825         unknown due to possible aliasing.
4826         * store.h (store_manager::get_logger): New decl.
4828 2022-01-08  David Malcolm  <dmalcolm@redhat.com>
4830         * region-model-impl-calls.cc (cmp_decls): New.
4831         (cmp_decls_ptr_ptr): New.
4832         (region_model::impl_call_analyzer_dump_escaped): New.
4833         * region-model.cc (region_model::on_stmt_pre): Handle
4834         __analyzer_dump_escaped.
4835         * region-model.h (region_model::impl_call_analyzer_dump_escaped):
4836         New decl.
4837         * store.h (binding_cluster::get_base_region): New accessor.
4839 2022-01-08  David Malcolm  <dmalcolm@redhat.com>
4841         * region.cc (region::is_named_decl_p): New.
4842         * region.h (region::is_named_decl_p): New decl.
4844 2022-01-06  David Malcolm  <dmalcolm@redhat.com>
4846         PR analyzer/103546
4847         * store.cc (store::eval_alias_1): Refactor handling of decl
4848         regions, adding a test for may_be_aliased, rejecting those for
4849         which it returns false.
4851 2021-12-12  Jonathan Wakely  <jwakely@redhat.com>
4853         * engine.cc: Define INCLUDE_MEMORY instead of INCLUDE_UNIQUE_PTR.
4855 2021-12-06  David Malcolm  <dmalcolm@redhat.com>
4857         PR analyzer/103533
4858         * constraint-manager.cc (equiv_class::contains_non_constant_p):
4859         New.
4860         (constraint_manager::canonicalize): Call it when determining
4861         redundant ECs.
4862         (selftest::test_purging): New selftest.
4863         (selftest::run_constraint_manager_tests): Likewise.
4864         * constraint-manager.h (equiv_class::contains_non_constant_p):
4865         New decl.
4867 2021-12-01  David Malcolm  <dmalcolm@redhat.com>
4869         PR analyzer/102471
4870         * region-model-reachability.cc (reachable_regions::handle_parm):
4871         Treat all svalues within a compound parm as reachable, and those
4872         wrapped in a cast.
4874 2021-11-29  David Malcolm  <dmalcolm@redhat.com>
4876         PR analyzer/103217
4877         * store.cc (binding_cluster::can_merge_p): For the "key is bound"
4878         vs "key is not bound" merger case, check that the bound svalue
4879         is mergeable before merging it to "unknown", rejecting the merger
4880         otherwise.
4882 2021-11-19  David Malcolm  <dmalcolm@redhat.com>
4884         PR analyzer/103217
4885         * engine.cc (exploded_graph::get_or_create_node): Pass in
4886         m_ext_state to program_state::can_merge_with_p.
4887         (exploded_graph::process_worklist): Likewise.
4888         (exploded_graph::maybe_process_run_of_before_supernode_enodes):
4889         Likewise.
4890         (exploded_graph::process_node): Add missing call to detect_leaks
4891         when handling phi nodes.
4892         * program-state.cc (program_state::can_merge_with_p): Add
4893         "ext_state" param.  Pass it and state ptrs to
4894         region_model::can_merge_with_p.
4895         (selftest::test_program_state_merging): Update for new ext_state
4896         param of program_state::can_merge_with_p.
4897         (selftest::test_program_state_merging_2): Likewise.
4898         * program-state.h (program_state::can_purge_p): Make const.
4899         (program_state::can_merge_with_p): Add "ext_state" param.
4900         * region-model.cc: Include "analyzer/program-state.h".
4901         (region_model::can_merge_with_p): Add params "ext_state",
4902         "state_a", and "state_b", use them when creating model_merger
4903         object.
4904         (model_merger::mergeable_svalue_p): New.
4905         * region-model.h (region_model::can_merge_with_p): Add params
4906         "ext_state", "state_a", and "state_b".
4907         (model_merger::model_merger): Likewise, initializing new fields.
4908         (model_merger::mergeable_svalue_p): New decl.
4909         (model_merger::m_ext_state): New field.
4910         (model_merger::m_state_a): New field.
4911         (model_merger::m_state_b): New field.
4912         * svalue.cc (svalue::can_merge_p): Call
4913         model_merger::mergeable_svalue_p on both states and reject the
4914         merger accordingly.
4916 2021-11-17  David Malcolm  <dmalcolm@redhat.com>
4918         PR analyzer/102695
4919         * region-model-impl-calls.cc (region_model::impl_call_strchr): New.
4920         * region-model-manager.cc
4921         (region_model_manager::maybe_fold_unaryop): Simplify cast to
4922         pointer type of an existing pointer to a region.
4923         * region-model.cc (region_model::on_call_pre): Handle
4924         BUILT_IN_STRCHR and "strchr".
4925         (write_to_const_diagnostic::emit): Add auto_diagnostic_group.  Add
4926         alternate wordings for functions and labels.
4927         (write_to_const_diagnostic::describe_final_event): Add alternate
4928         wordings for functions and labels.
4929         (region_model::check_for_writable_region): Handle RK_FUNCTION and
4930         RK_LABEL.
4931         * region-model.h (region_model::impl_call_strchr): New decl.
4933 2021-11-16  David Malcolm  <dmalcolm@redhat.com>
4935         PR analyzer/102662
4936         * constraint-manager.cc (bounded_range::operator==): Require the
4937         types to be the same for equality.
4939 2021-11-13  David Malcolm  <dmalcolm@redhat.com>
4941         * analyzer.opt (Wanalyzer-tainted-allocation-size): New.
4942         (Wanalyzer-tainted-divisor): New.
4943         (Wanalyzer-tainted-offset): New.
4944         (Wanalyzer-tainted-size): New.
4945         * engine.cc (impl_region_model_context::get_taint_map): New.
4946         * exploded-graph.h (impl_region_model_context::get_taint_map):
4947         New decl.
4948         * program-state.cc (sm_state_map::get_state): Call
4949         alt_get_inherited_state.
4950         (sm_state_map::impl_set_state): Modify states within
4951         compound svalues.
4952         (program_state::impl_call_analyzer_dump_state): Undo casts.
4953         (selftest::test_program_state_1): Update for new context param of
4954         create_region_for_heap_alloc.
4955         (selftest::test_program_state_merging): Likewise.
4956         * region-model-impl-calls.cc (region_model::impl_call_alloca):
4957         Likewise.
4958         (region_model::impl_call_calloc): Likewise.
4959         (region_model::impl_call_malloc): Likewise.
4960         (region_model::impl_call_operator_new): Likewise.
4961         (region_model::impl_call_realloc): Likewise.
4962         * region-model.cc (region_model::check_region_access): Call
4963         check_region_for_taint.
4964         (region_model::get_representative_path_var_1): Handle binops.
4965         (region_model::create_region_for_heap_alloc): Add "ctxt" param and
4966         pass it to set_dynamic_extents.
4967         (region_model::create_region_for_alloca): Likewise.
4968         (region_model::set_dynamic_extents): Add "ctxt" param and use it
4969         to call check_dynamic_size_for_taint.
4970         (selftest::test_state_merging): Update for new context param of
4971         create_region_for_heap_alloc.
4972         (selftest::test_malloc_constraints): Likewise.
4973         (selftest::test_malloc): Likewise.
4974         (selftest::test_alloca): Likewise for create_region_for_alloca.
4975         * region-model.h (region_model::create_region_for_heap_alloc): Add
4976         "ctxt" param.
4977         (region_model::create_region_for_alloca): Likewise.
4978         (region_model::set_dynamic_extents): Likewise.
4979         (region_model::check_dynamic_size_for_taint): New decl.
4980         (region_model::check_region_for_taint): New decl.
4981         (region_model_context::get_taint_map): New vfunc.
4982         (noop_region_model_context::get_taint_map): New.
4983         * sm-taint.cc: Remove include of "diagnostic-event-id.h"; add
4984         includes of "gimple-iterator.h", "tristate.h", "selftest.h",
4985         "ordered-hash-map.h", "cgraph.h", "cfg.h", "digraph.h",
4986         "analyzer/supergraph.h", "analyzer/call-string.h",
4987         "analyzer/program-point.h", "analyzer/store.h",
4988         "analyzer/region-model.h", and "analyzer/program-state.h".
4989         (enum bounds): Move to top of file.
4990         (class taint_diagnostic): New.
4991         (class tainted_array_index): Convert to subclass of taint_diagnostic.
4992         (tainted_array_index::emit): Add CWE-129.  Reword warning to use
4993         "attacker-controlled" rather than "tainted".
4994         (tainted_array_index::describe_state_change): Move to
4995         taint_diagnostic::describe_state_change.
4996         (tainted_array_index::describe_final_event): Reword to use
4997         "attacker-controlled" rather than "tainted".
4998         (class tainted_offset): New.
4999         (class tainted_size): New.
5000         (class tainted_divisor): New.
5001         (class tainted_allocation_size): New.
5002         (taint_state_machine::alt_get_inherited_state): New.
5003         (taint_state_machine::on_stmt): In assignment handling, remove
5004         ARRAY_REF handling in favor of check_region_for_taint.  Add
5005         detection of tainted divisors.
5006         (taint_state_machine::get_taint): New.
5007         (taint_state_machine::combine_states): New.
5008         (region_model::check_region_for_taint): New.
5009         (region_model::check_dynamic_size_for_taint): New.
5010         * sm.h (state_machine::alt_get_inherited_state): New.
5012 2021-11-12  David Malcolm  <dmalcolm@redhat.com>
5014         * engine.cc (exploded_node::on_stmt_pre): Return when handling
5015         "__analyzer_dump_state".
5017 2021-11-11  Richard Biener  <rguenther@suse.de>
5019         * supergraph.cc: Include bitmap.h.
5021 2021-11-04  David Malcolm  <dmalcolm@redhat.com>
5023         * program-state.cc (sm_state_map::dump): Use default_tree_printer
5024         as format decoder.
5026 2021-09-16  Maxim Blinov  <maxim.blinov@embecosm.com>
5028         PR bootstrap/102242
5029         * engine.cc (INCLUDE_UNIQUE_PTR): Define.
5031 2021-09-08  David Malcolm  <dmalcolm@redhat.com>
5033         PR analyzer/102225
5034         * analyzer.h (compat_types_p): New decl.
5035         * constraint-manager.cc
5036         (constraint_manager::get_or_add_equiv_class): Guard against NULL
5037         type when checking for pointer types.
5038         * region-model-impl-calls.cc (region_model::impl_call_realloc):
5039         Guard against NULL lhs type/region.  Guard against the size value
5040         not being of a compatible type for dynamic extents.
5041         * region-model.cc (compat_types_p): Make non-static.
5043 2021-08-30  David Malcolm  <dmalcolm@redhat.com>
5045         PR analyzer/99260
5046         * analyzer.h (class custom_edge_info): New class, adapted from
5047         exploded_edge::custom_info_t.  Make member functions const.
5048         Make update_model return bool, converting edge param from
5049         reference to a pointer, and adding a ctxt param.
5050         (class path_context): New class.
5051         * call-info.cc: New file.
5052         * call-info.h: New file.
5053         * engine.cc: Include "analyzer/call-info.h" and <memory>.
5054         (impl_region_model_context::impl_region_model_context): Update for
5055         new m_path_ctxt field.
5056         (impl_region_model_context::bifurcate): New.
5057         (impl_region_model_context::terminate_path): New.
5058         (impl_region_model_context::get_malloc_map): New.
5059         (impl_sm_context::impl_sm_context): Update for new m_path_ctxt
5060         field.
5061         (impl_sm_context::get_fndecl_for_call): Likewise.
5062         (impl_sm_context::set_next_state): Likewise.
5063         (impl_sm_context::warn): Likewise.
5064         (impl_sm_context::is_zero_assignment): Likewise.
5065         (impl_sm_context::get_path_context): New.
5066         (impl_sm_context::m_path_ctxt): New.
5067         (impl_region_model_context::on_condition): Update for new
5068         path_ctxt param.  Handle m_enode_for_diag being NULL.
5069         (impl_region_model_context::on_phi): Update for new path_ctxt
5070         param.
5071         (exploded_node::on_stmt): Add path_ctxt param, updating ctor calls
5072         to use it as necessary.  Use it to bail out after sm-handling,
5073         if needed.
5074         (exploded_node::detect_leaks): Update for new path_ctxt param.
5075         (dynamic_call_info_t::update_model): Update for conversion of
5076         exploded_edge::custom_info_t to custom_edge_info.
5077         (dynamic_call_info_t::add_events_to_path): Likewise.
5078         (rewind_info_t::update_model): Likewise.
5079         (rewind_info_t::add_events_to_path): Likewise.
5080         (exploded_edge::exploded_edge): Likewise.
5081         (exploded_graph::add_edge): Likewise.
5082         (exploded_graph::maybe_process_run_of_before_supernode_enodes):
5083         Update for new path_ctxt param.
5084         (class impl_path_context): New.
5085         (exploded_graph::process_node): Update for new path_ctxt param.
5086         Create an impl_path_context and pass it to exploded_node::on_stmt.
5087         Use it to terminate iterating stmts if terminate_path is called
5088         on it.  After processing a run of stmts, query path_ctxt to
5089         potentially terminate the analysis path, and/or to "bifurcate" the
5090         analysis into multiple additional paths.
5091         (feasibility_state::maybe_update_for_edge): Update for new
5092         update_model ctxt param.
5093         * exploded-graph.h
5094         (impl_region_model_context::impl_region_model_context): Add
5095         path_ctxt param.
5096         (impl_region_model_context::bifurcate): New.
5097         (impl_region_model_context::terminate_path): New.
5098         (impl_region_model_context::get_ext_state): New.
5099         (impl_region_model_context::get_malloc_map): New.
5100         (impl_region_model_context::m_path_ctxt): New field.
5101         (exploded_node::on_stmt): Add path_ctxt param.
5102         (class exploded_edge::custom_info_t): Move to analyzer.h, renaming
5103         to custom_edge_info, and making the changes as noted in analyzer.h
5104         above.
5105         (exploded_edge::exploded_edge): Update for these changes to
5106         exploded_edge::custom_info_t.
5107         (exploded_edge::m_custom_info): Likewise.
5108         (class dynamic_call_info_t): Likewise.
5109         (class rewind_info_t): Likewise.
5110         (exploded_graph::add_edge): Likewise.
5111         * program-state.cc (program_state::on_edge): Update for new
5112         path_ctxt param.
5113         (program_state::push_call): Likewise.
5114         (program_state::returning_call): Likewise.
5115         (program_state::prune_for_point): Likewise.
5116         * region-model-impl-calls.cc: Include "analyzer/call-info.h".
5117         (call_details::get_fndecl_for_call): New.
5118         (region_model::impl_call_realloc): Reimplement.
5119         * region-model.cc (region_model::on_call_pre): Move call to
5120         impl_call_realloc to...
5121         (region_model::on_call_post): ...here.  Consolidate creation
5122         of call_details instance.
5123         (noop_region_model_context::bifurcate): New.
5124         (noop_region_model_context::terminate_path): New.
5125         * region-model.h (call_details::get_call_stmt): New.
5126         (call_details::get_fndecl_for_call): New.
5127         (region_model::on_realloc_with_move): New.
5128         (region_model_context::bifurcate): New.
5129         (region_model_context::terminate_path): New.
5130         (region_model_context::get_ext_state): New.
5131         (region_model_context::get_malloc_map): New.
5132         (noop_region_model_context::bifurcate): New.
5133         (noop_region_model_context::terminate_path): New.
5134         (noop_region_model_context::get_ext_state): New.
5135         (noop_region_model_context::get_malloc_map): New.
5136         * sm-malloc.cc: Include "analyzer/program-state.h".
5137         (malloc_state_machine::on_realloc_call): Reimplement.
5138         (malloc_state_machine::on_realloc_with_move): New.
5139         (region_model::on_realloc_with_move): New.
5140         * sm-signal.cc (class signal_delivery_edge_info_t): Update for
5141         conversion from exploded_edge::custom_info_t to custom_edge_info.
5142         * sm.h (sm_context::get_path_context): New.
5143         * svalue.cc (svalue::maybe_get_constant): Call
5144         unwrap_any_unmergeable.
5146 2021-08-25  Ankur Saini  <arsenic@sourceware.org>
5148         PR analyzer/101980
5149         * engine.cc (exploded_graph::maybe_create_dynamic_call): Don't create
5150         calls if max recursion limit is reached.
5152 2021-08-23  David Malcolm  <dmalcolm@redhat.com>
5154         * analyzer.h (struct rejected_constraint): Convert to...
5155         (class rejected_constraint): ...this.
5156         (class bounded_ranges): New forward decl.
5157         (class bounded_ranges_manager): New forward decl.
5158         * constraint-manager.cc: Include "analyzer/analyzer-logging.h" and
5159         "tree-pretty-print.h".
5160         (can_plus_one_p): New.
5161         (plus_one): New.
5162         (can_minus_one_p): New.
5163         (minus_one): New.
5164         (bounded_range::bounded_range): New.
5165         (dump_cst): New.
5166         (bounded_range::dump_to_pp): New.
5167         (bounded_range::dump): New.
5168         (bounded_range::to_json): New.
5169         (bounded_range::set_json_attr): New.
5170         (bounded_range::contains_p): New.
5171         (bounded_range::intersects_p): New.
5172         (bounded_range::operator==): New.
5173         (bounded_range::cmp): New.
5174         (bounded_ranges::bounded_ranges): New.
5175         (bounded_ranges::bounded_ranges): New.
5176         (bounded_ranges::bounded_ranges): New.
5177         (bounded_ranges::canonicalize): New.
5178         (bounded_ranges::validate): New.
5179         (bounded_ranges::operator==): New.
5180         (bounded_ranges::dump_to_pp): New.
5181         (bounded_ranges::dump): New.
5182         (bounded_ranges::to_json): New.
5183         (bounded_ranges::eval_condition): New.
5184         (bounded_ranges::contain_p): New.
5185         (bounded_ranges::cmp): New.
5186         (bounded_ranges_manager::~bounded_ranges_manager): New.
5187         (bounded_ranges_manager::get_or_create_empty): New.
5188         (bounded_ranges_manager::get_or_create_point): New.
5189         (bounded_ranges_manager::get_or_create_range): New.
5190         (bounded_ranges_manager::get_or_create_union): New.
5191         (bounded_ranges_manager::get_or_create_intersection): New.
5192         (bounded_ranges_manager::get_or_create_inverse): New.
5193         (bounded_ranges_manager::consolidate): New.
5194         (bounded_ranges_manager::get_or_create_ranges_for_switch): New.
5195         (bounded_ranges_manager::create_ranges_for_switch): New.
5196         (bounded_ranges_manager::make_case_label_ranges): New.
5197         (bounded_ranges_manager::log_stats): New.
5198         (bounded_ranges_constraint::print): New.
5199         (bounded_ranges_constraint::to_json): New.
5200         (bounded_ranges_constraint::operator==): New.
5201         (bounded_ranges_constraint::add_to_hash): New.
5202         (constraint_manager::constraint_manager): Update for new field
5203         m_bounded_ranges_constraints.
5204         (constraint_manager::operator=): Likewise.
5205         (constraint_manager::hash): Likewise.
5206         (constraint_manager::operator==): Likewise.
5207         (constraint_manager::print): Likewise.
5208         (constraint_manager::dump_to_pp): Likewise.
5209         (constraint_manager::to_json): Likewise.
5210         (constraint_manager::add_unknown_constraint): Update the lhs_ec_id
5211         if necessary in existing constraints when combining equivalence
5212         classes.  Add similar code for handling
5213         m_bounded_ranges_constraints.
5214         (constraint_manager::add_constraint_internal): Add comment.
5215         (constraint_manager::add_bounded_ranges): New.
5216         (constraint_manager::eval_condition): Use new field
5217         m_bounded_ranges_constraints.
5218         (constraint_manager::purge): Update bounded_ranges_constraint
5219         instances.
5220         (constraint_manager::canonicalize): Update for new field.
5221         (merger_fact_visitor::on_ranges): New.
5222         (constraint_manager::for_each_fact): Use new field
5223         m_bounded_ranges_constraints.
5224         (constraint_manager::validate):  Fix off-by-one error needed due
5225         to bug fixed above in add_unknown_constraint.  Validate the EC IDs
5226         in m_bounded_ranges_constraints.
5227         (constraint_manager::get_range_manager): New.
5228         (selftest::assert_dump_bounded_range_eq): New.
5229         (ASSERT_DUMP_BOUNDED_RANGE_EQ): New.
5230         (selftest::test_bounded_range): New.
5231         (selftest::assert_dump_bounded_ranges_eq): New.
5232         (ASSERT_DUMP_BOUNDED_RANGES_EQ): New.
5233         (selftest::test_bounded_ranges): New.
5234         (selftest::run_constraint_manager_tests): Call the new selftests.
5235         * constraint-manager.h (struct bounded_range): New.
5236         (struct bounded_ranges): New.
5237         (template <> struct default_hash_traits<bounded_ranges::key_t>): New.
5238         (class bounded_ranges_manager): New.
5239         (fact_visitor::on_ranges): New pure virtual function.
5240         (class bounded_ranges_constraint): New.
5241         (constraint_manager::add_bounded_ranges): New decl.
5242         (constraint_manager::get_range_manager): New decl.
5243         (constraint_manager::m_bounded_ranges_constraints): New field.
5244         * diagnostic-manager.cc (epath_finder::process_worklist_item):
5245         Transfer ownership of rc to add_feasibility_problem.
5246         * engine.cc (feasibility_problem::dump_to_pp): Use get_model.
5247         * feasible-graph.cc (infeasible_node::dump_dot): Update for
5248         conversion of m_rc to a pointer.
5249         (feasible_graph::add_feasibility_problem): Pass RC by pointer and
5250         take ownership.
5251         * feasible-graph.h (infeasible_node::infeasible_node): Pass RC by
5252         pointer and take ownership.
5253         (infeasible_node::~infeasible_node): New.
5254         (infeasible_node::m_rc): Convert to a pointer.
5255         (feasible_graph::add_feasibility_problem): Pass RC by pointer and
5256         take ownership.
5257         * region-model-manager.cc: Include
5258         "analyzer/constraint-manager.h".
5259         (region_model_manager::region_model_manager): Initialize new
5260         field m_range_mgr.
5261         (region_model_manager::~region_model_manager): Delete it.
5262         (region_model_manager::log_stats): Call log_stats on it.
5263         * region-model.cc (region_model::add_constraint): Use new subclass
5264         rejected_op_constraint.
5265         (region_model::apply_constraints_for_gswitch): Reimplement using
5266         bounded_ranges_manager.
5267         (rejected_constraint::dump_to_pp): Convert to...
5268         (rejected_op_constraint::dump_to_pp): ...this.
5269         (rejected_ranges_constraint::dump_to_pp): New.
5270         * region-model.h (struct purge_stats): Add field
5271         m_num_bounded_ranges_constraints.
5272         (region_model_manager::get_range_manager): New.
5273         (region_model_manager::m_range_mgr): New.
5274         (region_model::get_range_manager): New.
5275         (struct rejected_constraint): Split into...
5276         (class rejected_constraint): ...this new abstract base class,
5277         and...
5278         (class rejected_op_constraint): ...this new concrete subclass.
5279         (class rejected_ranges_constraint): New.
5280         * supergraph.cc: Include "tree-cfg.h".
5281         (supergraph::supergraph): Drop idx param from add_cfg_edge.
5282         (supergraph::add_cfg_edge): Drop idx param.
5283         (switch_cfg_superedge::switch_cfg_superedge): Move here from
5284         header.  Populate m_case_labels with all cases which go to DST.
5285         (switch_cfg_superedge::dump_label_to_pp): Reimplement to use
5286         m_case_labels.
5287         (switch_cfg_superedge::get_case_label): Delete.
5288         * supergraph.h (supergraph::add_cfg_edge): Drop "idx" param.
5289         (switch_cfg_superedge::switch_cfg_superedge): Drop idx param and
5290         move implementation to supergraph.cc.
5291         (switch_cfg_superedge::get_case_label): Delete.
5292         (switch_cfg_superedge::get_case_labels): New.
5293         (switch_cfg_superedge::m_idx): Delete.
5294         (switch_cfg_superedge::m_case_labels): New field.
5296 2021-08-23  David Malcolm  <dmalcolm@redhat.com>
5298         PR analyzer/101875
5299         * sm-file.cc (file_diagnostic::describe_state_change): Handle
5300         change.m_expr being NULL.
5302 2021-08-23  David Malcolm  <dmalcolm@redhat.com>
5304         PR analyzer/101837
5305         * analyzer.cc (maybe_reconstruct_from_def_stmt): Bail if fn is
5306         NULL, and assert that it's non-NULL before passing it to
5307         build_call_array_loc.
5309 2021-08-23  David Malcolm  <dmalcolm@redhat.com>
5311         PR analyzer/101962
5312         * region-model.cc (region_model::eval_condition_without_cm):
5313         Refactor comparison against zero, adding a check for
5314         POINTER_PLUS_EXPR of non-NULL.
5316 2021-08-23  David Malcolm  <dmalcolm@redhat.com>
5318         * store.cc (bit_range::intersects_p): New overload.
5319         (bit_range::operator-): New.
5320         (binding_cluster::maybe_get_compound_binding): Handle the partial
5321         overlap case.
5322         (selftest::test_bit_range_intersects_p): Add test coverage for
5323         new overload of bit_range::intersects_p.
5324         * store.h (bit_range::intersects_p): New overload.
5325         (bit_range::operator-): New.
5327 2021-08-23  Ankur Saini  <arsenic@sourceware.org>
5329         PR analyzer/102020
5330         * diagnostic-manager.cc
5331         (diagnostic_manager::prune_for_sm_diagnostic)<case EK_CALL_EDGE>: Fix typo.
5333 2021-08-21  Ankur Saini  <arsenic@sourceware.org>
5335         PR analyzer/101980
5336         * diagnostic-manager.cc
5337         (diagnostic_manager::prune_for_sm_diagnostic)<case EK_CALL_EDGE>: Use
5338         caller_model only when the supergraph_edge doesn't exist.
5339         (diagnostic_manager::prune_for_sm_diagnostic)<case EK_RETURN_EDGE>:
5340         Likewise.
5341         * engine.cc (exploded_graph::create_dynamic_call): Rename to...
5342         (exploded_graph::maybe_create_dynamic_call): ...this, return call
5343         creation status.
5344         (exploded_graph::process_node): Handle calls which were not dynamically
5345         discovered.
5346         * exploded-graph.h (exploded_graph::create_dynamic_call): Rename to...
5347         (exploded_graph::maybe_create_dynamic_call): ...this.
5348         * region-model.cc (region_model::update_for_gcall): New param, use it
5349         to push call to frame.
5350         (region_model::update_for_call_superedge): Pass callee function to
5351         update_for_gcall.
5352         * region-model.h (region_model::update_for_gcall): New param.
5354 2021-08-18  Ankur Saini  <arsenic@sourceware.org>
5356         PR analyzer/97114
5357         * region-model.cc (region_model::get_rvalue_1): Add case for
5358         OBJ_TYPE_REF.
5360 2021-08-18  Ankur Saini  <arsenic@sourceware.org>
5362         PR analyzer/100546
5363         * analysis-plan.cc (analysis_plan::use_summary_p): Don't use call
5364         summaries if there is no callgraph edge.
5365         * checker-path.cc (call_event::call_event): Handle calls events that
5366         are not represented by a supergraph call edge.
5367         (return_event::return_event): Likewise.
5368         (call_event::get_desc): Work with new call_event structure.
5369         (return_event::get_desc): Likewise.
5370         * checker-path.h (call_event::m_src_snode): New field.
5371         (call_event::m_dest_snode): New field.
5372         (return_event::m_src_snode): New field.
5373         (return_event::m_dest_snode): New field.
5374         * diagnostic-manager.cc
5375         (diagnostic_manager::prune_for_sm_diagnostic)<case EK_CALL_EDGE>:
5376         Refactor to work with edges without callgraph edge.
5377         (diagnostic_manager::prune_for_sm_diagnostic)<case EK_RETURN_EDGE>:
5378         Likewise.
5379         * engine.cc (dynamic_call_info_t::update_model): New function.
5380         (dynamic_call_info_t::add_events_to_path): New function.
5381         (exploded_graph::create_dynamic_call): New function.
5382         (exploded_graph::process_node): Work with dynamically discovered calls.
5383         * exploded-graph.h (class dynamic_call_info_t): New class.
5384         (exploded_graph::create_dynamic_call): New decl.
5385         * program-point.cc (program_point::push_to_call_stack): New function.
5386         (program_point::pop_from_call_stack): New function.
5387         * program-point.h (program_point::push_to_call_stack): New decl.
5388         (program_point::pop_from_call_stack): New decl.
5389         * program-state.cc (program_state::push_call): New function.
5390         (program_state::returning_call): New function.
5391         * program-state.h (program_state::push_call): New decl.
5392         (program_state::returning_call): New decl.
5393         * region-model.cc (region_model::update_for_gcall): New function.
5394         (region_model::update_for_return_gcall): New function.
5395         (region_model::update_for_call_superedge): Get the underlying gcall and
5396         update for gcall.
5397         (region_model::update_for_return_superedge): Likewise.
5398         * region-model.h (region_model::update_for_gcall): New decl.
5399         (region_model::update_for_return_gcall): New decl.
5400         * state-purge.cc (state_purge_per_ssa_name::process_point): Update to
5401         work with calls without underlying cgraph edge.
5402         * supergraph.cc (supergraph::supergraph): Split snodes at every callsite.
5403         * supergraph.h (supernode::get_returning_call): New accessor.
5405 2021-08-04  David Malcolm  <dmalcolm@redhat.com>
5407         PR analyzer/101570
5408         * analyzer.cc (maybe_reconstruct_from_def_stmt): Add GIMPLE_ASM
5409         case.
5410         * analyzer.h (class asm_output_svalue): New forward decl.
5411         (class reachable_regions): New forward decl.
5412         * complexity.cc (complexity::from_vec_svalue): New.
5413         * complexity.h (complexity::from_vec_svalue): New decl.
5414         * engine.cc (feasibility_state::maybe_update_for_edge): Handle
5415         asm stmts by calling on_asm_stmt.
5416         * region-model-asm.cc: New file.
5417         * region-model-manager.cc
5418         (region_model_manager::maybe_fold_asm_output_svalue): New.
5419         (region_model_manager::get_or_create_asm_output_svalue): New.
5420         (region_model_manager::log_stats): Log m_asm_output_values_map.
5421         * region-model.cc (region_model::on_stmt_pre): Handle GIMPLE_ASM.
5422         * region-model.h (visitor::visit_asm_output_svalue): New.
5423         (region_model_manager::get_or_create_asm_output_svalue): New decl.
5424         (region_model_manager::maybe_fold_asm_output_svalue): New decl.
5425         (region_model_manager::asm_output_values_map_t): New typedef.
5426         (region_model_manager::m_asm_output_values_map): New field.
5427         (region_model::on_asm_stmt): New.
5428         * store.cc (binding_cluster::on_asm): New.
5429         * store.h (binding_cluster::on_asm): New decl.
5430         * svalue.cc (svalue::cmp_ptr): Handle SK_ASM_OUTPUT.
5431         (asm_output_svalue::dump_to_pp): New.
5432         (asm_output_svalue::dump_input): New.
5433         (asm_output_svalue::input_idx_to_asm_idx): New.
5434         (asm_output_svalue::accept): New.
5435         * svalue.h (enum svalue_kind): Add SK_ASM_OUTPUT.
5436         (svalue::dyn_cast_asm_output_svalue): New.
5437         (class asm_output_svalue): New.
5438         (is_a_helper <const asm_output_svalue *>::test): New.
5439         (struct default_hash_traits<asm_output_svalue::key_t>): New.
5441 2021-08-03  Jakub Jelinek  <jakub@redhat.com>
5443         PR analyzer/101721
5444         * sm-malloc.cc (known_allocator_p): Only check DECL_FUNCTION_CODE on
5445         BUILT_IN_NORMAL builtins.
5447 2021-07-29  Ankur Saini  <arsenic@sourceware.org>
5449         * call-string.cc (call_string::element_t::operator==): New operator.
5450         (call_string::element_t::operator!=): New operator.
5451         (call_string::element_t::get_caller_function): New function.
5452         (call_string::element_t::get_callee_function): New function.
5453         (call_string::call_string): Refactor to initialise m_elements.
5454         (call_string::operator=): Refactor to work with m_elements.
5455         (call_string::operator==): Likewise.
5456         (call_string::to_json): Likewise.
5457         (call_string::hash): Refactor to hash e.m_caller.
5458         (call_string::push_call): Refactor to work with m_elements.
5459         (call_string::push_call): New overload to push call via supernodes.
5460         (call_string::pop): Refactor to work with m_elements.
5461         (call_string::calc_recursion_depth): Likewise.
5462         (call_string::cmp): Likewise.
5463         (call_string::validate): Likewise.
5464         (call_string::operator[]): Likewise.
5465         * call-string.h (class supernode): New forward decl.
5466         (struct call_string::element_t): New struct.
5467         (call_string::call_string): Refactor to initialise m_elements.
5468         (call_string::bool empty_p): Refactor to work with m_elements.
5469         (call_string::get_callee_node): New decl.
5470         (call_string::get_caller_node): New decl.
5471         (m_elements): Replaces m_return_edges.
5472         * program-point.cc (program_point::get_function_at_depth): Refactor to
5473         work with new call-string format.
5474         (program_point::validate): Likewise.
5475         (program_point::on_edge): Likewise.
5477 2021-07-28  David Malcolm  <dmalcolm@redhat.com>
5479         * region-model.cc (region_model::on_call_pre): Treat
5480         IFN_UBSAN_BOUNDS, BUILT_IN_STACK_SAVE, and BUILT_IN_STACK_RESTORE
5481         as no-ops, rather than handling them as unknown functions.
5483 2021-07-28  David Malcolm  <dmalcolm@redhat.com>
5485         * region-model-impl-calls.cc (region_model::impl_call_alloca):
5486         Drop redundant return value.
5487         (region_model::impl_call_builtin_expect): Likewise.
5488         (region_model::impl_call_calloc): Likewise.
5489         (region_model::impl_call_malloc): Likewise.
5490         (region_model::impl_call_memset): Likewise.
5491         (region_model::impl_call_operator_new): Likewise.
5492         (region_model::impl_call_operator_delete): Likewise.
5493         (region_model::impl_call_strlen): Likewise.
5494         * region-model.cc (region_model::on_call_pre): Fix return value of
5495         known functions that don't have unknown side-effects.
5496         * region-model.h (region_model::impl_call_alloca): Drop redundant
5497         return value.
5498         (region_model::impl_call_builtin_expect): Likewise.
5499         (region_model::impl_call_calloc): Likewise.
5500         (region_model::impl_call_malloc): Likewise.
5501         (region_model::impl_call_memset): Likewise.
5502         (region_model::impl_call_strlen): Likewise.
5503         (region_model::impl_call_operator_new): Likewise.
5504         (region_model::impl_call_operator_delete): Likewise.
5506 2021-07-28  Siddhesh Poyarekar  <siddhesh@gotplt.org>
5508         * analyzer.cc (is_named_call_p, is_std_named_call_p): Make
5509         first argument a const_tree.
5510         * analyzer.h (is_named_call_p, is_std_named_call_p): Likewise.
5511         * sm-malloc.cc (known_allocator_p): New function.
5512         (malloc_state_machine::on_stmt): Use it.
5514 2021-07-28  Siddhesh Poyarekar  <siddhesh@gotplt.org>
5516         * sm-malloc.cc
5517         (malloc_state_machine::get_or_create_deallocator): Recognize
5518         __builtin_free.
5520 2021-07-26  David Malcolm  <dmalcolm@redhat.com>
5522         * region-model.cc (region_model::on_call_pre): Always set conjured
5523         LHS, not just for SSA names.
5525 2021-07-23  David Malcolm  <dmalcolm@redhat.com>
5527         * diagnostic-manager.cc
5528         (class auto_disable_complexity_checks): New.
5529         (epath_finder::explore_feasible_paths): Use it to disable
5530         complexity checks whilst processing the worklist.
5531         * region-model-manager.cc
5532         (region_model_manager::region_model_manager): Initialize
5533         m_check_complexity.
5534         (region_model_manager::reject_if_too_complex): Bail if
5535         m_check_complexity is false.
5536         * region-model.h
5537         (region_model_manager::enable_complexity_check): New.
5538         (region_model_manager::disable_complexity_check): New.
5539         (region_model_manager::m_check_complexity): New.
5541 2021-07-21  David Malcolm  <dmalcolm@redhat.com>
5543         PR analyzer/101547
5544         * sm-file.cc (file_leak::emit): Handle m_arg being NULL.
5545         (file_leak::describe_final_event): Handle ev.m_expr being NULL.
5547 2021-07-21  David Malcolm  <dmalcolm@redhat.com>
5549         PR analyzer/101522
5550         * store.cc (binding_cluster::purge_state_involving): Don't change
5551         m_map whilst iterating through it.
5553 2021-07-21  David Malcolm  <dmalcolm@redhat.com>
5555         * region-model.cc (region_model::handle_phi): Add "old_state"
5556         param and use it.
5557         (region_model::update_for_phis): Update so that all of the phi
5558         stmts are effectively handled simultaneously, rather than in
5559         order.
5560         * region-model.h (region_model::handle_phi): Add "old_state"
5561         param.
5562         * state-purge.cc (self_referential_phi_p): Replace with...
5563         (name_used_by_phis_p): ...this new function.
5564         (state_purge_per_ssa_name::process_point): Update to use the
5565         above, so that all phi stmts at a basic block are effectively
5566         considered simultaneously, and only consider the phi arguments for
5567         the pertinent in-edge.
5568         * supergraph.cc (cfg_superedge::get_phi_arg_idx): New.
5569         (cfg_superedge::get_phi_arg): Use the above.
5570         * supergraph.h (cfg_superedge::get_phi_arg_idx): New decl.
5572 2021-07-21  David Malcolm  <dmalcolm@redhat.com>
5574         * state-purge.cc (state_purge_annotator::add_node_annotations):
5575         Rather than erroneously always using the NULL in-edge, determine
5576         each relevant in-edge, and print the appropriate data for each
5577         in-edge.  Use print_needed to print the data as comma-separated
5578         lists of SSA names.
5579         (print_vec_of_names): Add "within_table" param and use it.
5580         (state_purge_annotator::add_stmt_annotations): Factor out
5581         collation and printing code into...
5582         (state_purge_annotator::print_needed): ...this new function.
5583         * state-purge.h (state_purge_annotator::print_needed): New decl.
5585 2021-07-21  David Malcolm  <dmalcolm@redhat.com>
5587         * program-point.cc (function_point::print): Show src BB index at
5588         BEFORE_SUPERNODE.
5590 2021-07-21  David Malcolm  <dmalcolm@redhat.com>
5592         * svalue.cc (infix_p): New.
5593         (binop_svalue::dump_to_pp): Use it to print MIN_EXPR and MAX_EXPR
5594         in prefix form, rather than infix.
5596 2021-07-19  David Malcolm  <dmalcolm@redhat.com>
5598         PR analyzer/101503
5599         * constraint-manager.cc (constraint_manager::add_constraint): Use
5600         can_have_associated_state_p rather than testing for unknown.
5601         (constraint_manager::get_or_add_equiv_class): Likewise.
5602         * program-state.cc (sm_state_map::set_state): Likewise.
5603         (sm_state_map::impl_set_state): Add assertion.
5604         * region-model-manager.cc
5605         (region_model_manager::maybe_fold_unaryop): Handle poisoned
5606         values.
5607         (region_model_manager::maybe_fold_binop): Move handling of unknown
5608         values...
5609         (region_model_manager::get_or_create_binop): ...to here, and
5610         generalize to use can_have_associated_state_p.
5611         (region_model_manager::maybe_fold_sub_svalue): Use
5612         can_have_associated_state_p rather than testing for unknown.
5613         (region_model_manager::maybe_fold_repeated_svalue): Use unknown
5614         when the size or repeated value is "unknown"/"poisoned".
5615         * region-model.cc (region_model::purge_state_involving): Reject
5616         attempts to purge unknown/poisoned svalues, as these svalues
5617         should not have state associated with them.
5618         * svalue.cc (sub_svalue::sub_svalue): Assert that we're building
5619         on top of an svalue with can_have_associated_state_p.
5620         (repeated_svalue::repeated_svalue): Likewise.
5621         (bits_within_svalue::bits_within_svalue): Likewise.
5622         * svalue.h (svalue::can_have_associated_state_p): New.
5623         (unknown_svalue::can_have_associated_state_p): New.
5624         (poisoned_svalue::can_have_associated_state_p): New.
5625         (unaryop_svalue::unaryop_svalue): Assert that we're building on
5626         top of an svalue with can_have_associated_state_p.
5627         (binop_svalue::binop_svalue): Likewise.
5628         (widening_svalue::widening_svalue): Likewise.
5630 2021-07-16  David Malcolm  <dmalcolm@redhat.com>
5632         * analyzer.h (enum access_direction): New.
5633         * engine.cc (exploded_node::on_longjmp): Update for new param of
5634         get_store_value.
5635         * program-state.cc (program_state::prune_for_point): Likewise.
5636         * region-model-impl-calls.cc (region_model::impl_call_memcpy):
5637         Replace call to check_for_writable_region with call to
5638         check_region_for_write.
5639         (region_model::impl_call_memset): Likewise.
5640         (region_model::impl_call_strcpy): Likewise.
5641         * region-model-reachability.cc (reachable_regions::add): Update
5642         for new param of get_store_value.
5643         * region-model.cc (region_model::get_rvalue_1): Likewise, also for
5644         get_rvalue_for_bits.
5645         (region_model::get_store_value): Add ctxt param and use it to call
5646         check_region_for_read.
5647         (region_model::get_rvalue_for_bits): Add ctxt param and use it to
5648         call get_store_value.
5649         (region_model::check_region_access): New.
5650         (region_model::check_region_for_write): New.
5651         (region_model::check_region_for_read): New.
5652         (region_model::set_value): Update comment.  Replace call to
5653         check_for_writable_region with call to check_region_for_write.
5654         * region-model.h (region_model::get_rvalue_for_bits): Add ctxt
5655         param.
5656         (region_model::get_store_value): Add ctxt param.
5657         (region_model::check_region_access): New decl.
5658         (region_model::check_region_for_write): New decl.
5659         (region_model::check_region_for_read): New decl.
5660         * region.cc (region_model::copy_region): Update call to
5661         get_store_value.
5662         * svalue.cc (initial_svalue::implicitly_live_p): Likewise.
5664 2021-07-16  David Malcolm  <dmalcolm@redhat.com>
5666         * engine.cc (exploded_node::on_stmt_pre): Handle
5667         __analyzer_dump_state.
5668         * program-state.cc (extrinsic_state::get_sm_idx_by_name): New.
5669         (program_state::impl_call_analyzer_dump_state): New.
5670         * program-state.h (extrinsic_state::get_sm_idx_by_name): New decl.
5671         (program_state::impl_call_analyzer_dump_state): New decl.
5672         * region-model-impl-calls.cc
5673         (call_details::get_arg_string_literal): New.
5674         * region-model.h (call_details::get_arg_string_literal): New decl.
5676 2021-07-16  David Malcolm  <dmalcolm@redhat.com>
5678         * program-state.cc (program_state::detect_leaks): Simplify using
5679         svalue::maybe_get_region.
5680         * region-model-impl-calls.cc (region_model::impl_call_fgets): Likewise.
5681         (region_model::impl_call_fread): Likewise.
5682         (region_model::impl_call_free): Likewise.
5683         (region_model::impl_call_operator_delete): Likewise.
5684         * region-model.cc (selftest::test_stack_frames): Likewise.
5685         (selftest::test_state_merging): Likewise.
5686         * svalue.cc (svalue::maybe_get_region): New.
5687         * svalue.h (svalue::maybe_get_region): New decl.
5689 2021-07-15  David Malcolm  <dmalcolm@redhat.com>
5691         * svalue.h (is_a_helper <placeholder_svalue *>::test): Make
5692         param and template param const.
5693         (is_a_helper <widening_svalue *>::test): Likewise.
5694         (is_a_helper <compound_svalue *>::test): Likewise.
5695         (is_a_helper <conjured_svalue *>::test): Likewise.
5697 2021-07-15  David Malcolm  <dmalcolm@redhat.com>
5699         PR analyzer/95006
5700         PR analyzer/94713
5701         PR analyzer/94714
5702         * analyzer.cc (maybe_reconstruct_from_def_stmt): Split out
5703         GIMPLE_ASSIGN case into...
5704         (get_diagnostic_tree_for_gassign_1): New.
5705         (get_diagnostic_tree_for_gassign): New.
5706         * analyzer.h (get_diagnostic_tree_for_gassign): New decl.
5707         * analyzer.opt (Wanalyzer-write-to-string-literal): New.
5708         * constraint-manager.cc (class svalue_purger): New.
5709         (constraint_manager::purge_state_involving): New.
5710         * constraint-manager.h
5711         (constraint_manager::purge_state_involving): New.
5712         * diagnostic-manager.cc (saved_diagnostic::supercedes_p): New.
5713         (dedupe_winners::handle_interactions): New.
5714         (diagnostic_manager::emit_saved_diagnostics): Call it.
5715         * diagnostic-manager.h (saved_diagnostic::supercedes_p): New decl.
5716         * engine.cc (impl_region_model_context::warn): Convert return type
5717         to bool.  Return false if the diagnostic isn't saved.
5718         (impl_region_model_context::purge_state_involving): New.
5719         (impl_sm_context::get_state): Use NULL ctxt when querying old
5720         rvalue.
5721         (impl_sm_context::set_next_state): Use new sval when querying old
5722         state.
5723         (class dump_path_diagnostic): Move to region-model.cc
5724         (exploded_node::on_stmt): Move to on_stmt_pre and on_stmt_post.
5725         Remove call to purge_state_involving.
5726         (exploded_node::on_stmt_pre): New, based on the above.  Move most
5727         of it to region_model::on_stmt_pre.
5728         (exploded_node::on_stmt_post): Likewise, moving to
5729         region_model::on_stmt_post.
5730         (class stale_jmp_buf): Fix parent class to use curiously recurring
5731         template pattern.
5732         (feasibility_state::maybe_update_for_edge): Call on_call_pre and
5733         on_call_post on gcalls.
5734         * exploded-graph.h (impl_region_model_context::warn): Return bool.
5735         (impl_region_model_context::purge_state_involving): New decl.
5736         (exploded_node::on_stmt_pre): New decl.
5737         (exploded_node::on_stmt_post): New decl.
5738         * pending-diagnostic.h (pending_diagnostic::use_of_uninit_p): New.
5739         (pending_diagnostic::supercedes_p): New.
5740         * program-state.cc (sm_state_map::get_state): Inherit state for
5741         conjured_svalue as well as initial_svalue.
5742         (sm_state_map::purge_state_involving): Also support SK_CONJURED.
5743         * region-model-impl-calls.cc (call_details::get_uncertainty):
5744         Handle m_ctxt being NULL.
5745         (call_details::get_or_create_conjured_svalue): New.
5746         (region_model::impl_call_fgets): New.
5747         (region_model::impl_call_fread): New.
5748         * region-model-manager.cc
5749         (region_model_manager::get_or_create_initial_value): Return an
5750         uninitialized poisoned value for regions that can't have initial
5751         values.
5752         * region-model-reachability.cc
5753         (reachable_regions::mark_escaped_clusters): Handle ctxt being
5754         NULL.
5755         * region-model.cc (region_to_value_map::purge_state_involving): New.
5756         (poisoned_value_diagnostic::use_of_uninit_p): New.
5757         (poisoned_value_diagnostic::emit): Handle POISON_KIND_UNINIT.
5758         (poisoned_value_diagnostic::describe_final_event): Likewise.
5759         (region_model::check_for_poison): New.
5760         (region_model::on_assignment): Call it.
5761         (class dump_path_diagnostic): Move here from engine.cc.
5762         (region_model::on_stmt_pre): New, based on exploded_node::on_stmt.
5763         (region_model::on_call_pre): Move the setting of the LHS to a
5764         conjured svalue to before the checks for specific functions.
5765         Handle "fgets", "fgets_unlocked", and "fread".
5766         (region_model::purge_state_involving): New.
5767         (region_model::handle_unrecognized_call): Handle ctxt being NULL.
5768         (region_model::get_rvalue): Call check_for_poison.
5769         (selftest::test_stack_frames): Use NULL for context when getting
5770         uninitialized rvalue.
5771         (selftest::test_alloca): Likewise.
5772         * region-model.h (region_to_value_map::purge_state_involving): New
5773         decl.
5774         (call_details::get_or_create_conjured_svalue): New decl.
5775         (region_model::on_stmt_pre): New decl.
5776         (region_model::purge_state_involving): New decl.
5777         (region_model::impl_call_fgets): New decl.
5778         (region_model::impl_call_fread): New decl.
5779         (region_model::check_for_poison): New decl.
5780         (region_model_context::warn): Return bool.
5781         (region_model_context::purge_state_involving): New.
5782         (noop_region_model_context::warn): Return bool.
5783         (noop_region_model_context::purge_state_involving): New.
5784         (test_region_model_context::warn): Return bool.
5785         * region.cc (region::get_memory_space): New.
5786         (region::can_have_initial_svalue_p): New.
5787         (region::involves_p): New.
5788         * region.h (enum memory_space): New.
5789         (region::get_memory_space): New decl.
5790         (region::can_have_initial_svalue_p): New decl.
5791         (region::involves_p): New decl.
5792         * sm-malloc.cc (use_after_free::supercedes_p): New.
5793         * store.cc (binding_cluster::purge_state_involving): New.
5794         (store::purge_state_involving): New.
5795         * store.h (class symbolic_binding): New forward decl.
5796         (binding_key::dyn_cast_symbolic_binding): New.
5797         (symbolic_binding::dyn_cast_symbolic_binding): New.
5798         (binding_cluster::purge_state_involving): New.
5799         (store::purge_state_involving): New.
5800         * svalue.cc (svalue::can_merge_p): Reject attempts to merge
5801         poisoned svalues with other svalues, so that we identify
5802         paths in which a variable is conditionally uninitialized.
5803         (involvement_visitor::visit_conjured_svalue): New.
5804         (svalue::involves_p): Also handle SK_CONJURED.
5805         (poison_kind_to_str): Handle POISON_KIND_UNINIT.
5806         (poisoned_svalue::maybe_fold_bits_within): New.
5807         * svalue.h (enum poison_kind): Add POISON_KIND_UNINIT.
5808         (poisoned_svalue::maybe_fold_bits_within): New decl.
5810 2021-07-15  David Malcolm  <dmalcolm@redhat.com>
5812         * analyzer.opt (fdump-analyzer-exploded-paths): New.
5813         * diagnostic-manager.cc
5814         (diagnostic_manager::emit_saved_diagnostic): Implement it.
5815         * engine.cc (exploded_path::dump_to_pp): Add ext_state param and
5816         use it to dump states if non-NULL.
5817         (exploded_path::dump): Likewise.
5818         (exploded_path::dump_to_file): New.
5819         * exploded-graph.h (exploded_path::dump_to_pp): Add ext_state
5820         param.
5821         (exploded_path::dump): Likewise.
5822         (exploded_path::dump): Likewise.
5823         (exploded_path::dump_to_file): New.
5825 2021-07-15  David Malcolm  <dmalcolm@redhat.com>
5827         * analyzer.cc (fixup_tree_for_diagnostic_1): Use DECL_DEBUG_EXPR
5828         if it's available.
5829         * engine.cc (readability): Likewise.
5831 2021-07-15  David Malcolm  <dmalcolm@redhat.com>
5833         * state-purge.cc (self_referential_phi_p): New.
5834         (state_purge_per_ssa_name::process_point): Don't purge an SSA name
5835         at its def-stmt if the def-stmt is self-referential.
5837 2021-07-07  David Malcolm  <dmalcolm@redhat.com>
5839         * diagnostic-manager.cc (null_assignment_sm_context::get_state):
5840         New overload.
5841         (null_assignment_sm_context::set_next_state): New overload.
5842         (null_assignment_sm_context::get_diagnostic_tree): New.
5843         * engine.cc (impl_sm_context::get_state): New overload.
5844         (impl_sm_context::set_next_state): New overload.
5845         (impl_sm_context::get_diagnostic_tree): New overload.
5846         (impl_region_model_context::on_condition): Convert params from
5847         tree to const svalue *.
5848         * exploded-graph.h (impl_region_model_context::on_condition):
5849         Likewise.
5850         * region-model.cc (region_model::on_call_pre): Move handling of
5851         internal calls to before checking for get_fndecl_for_call.
5852         (region_model::add_constraints_from_binop): New.
5853         (region_model::add_constraint): Split out into a new overload
5854         working on const svalue * rather than tree.  Call
5855         add_constraints_from_binop.  Drop call to
5856         add_any_constraints_from_ssa_def_stmt.
5857         (region_model::add_any_constraints_from_ssa_def_stmt): Delete.
5858         (region_model::add_any_constraints_from_gassign): Delete.
5859         (region_model::add_any_constraints_from_gcall): Delete.
5860         * region-model.h
5861         (region_model::add_any_constraints_from_ssa_def_stmt): Delete.
5862         (region_model::add_any_constraints_from_gassign): Delete.
5863         (region_model::add_any_constraints_from_gcall): Delete.
5864         (region_model::add_constraint): Add overload decl.
5865         (region_model::add_constraints_from_binop): New decl.
5866         (region_model_context::on_condition): Convert params from tree to
5867         const svalue *.
5868         (noop_region_model_context::on_condition): Likewise.
5869         * sm-file.cc (fileptr_state_machine::condition): Likewise.
5870         * sm-malloc.cc (malloc_state_machine::on_condition): Likewise.
5871         * sm-pattern-test.cc: Include tristate.h, selftest.h,
5872         analyzer/call-string.h, analyzer/program-point.h,
5873         analyzer/store.h, and analyzer/region-model.h.
5874         (pattern_test_state_machine::on_condition): Convert params from tree to
5875         const svalue *.
5876         * sm-sensitive.cc (sensitive_state_machine::on_condition): Delete.
5877         * sm-signal.cc (signal_state_machine::on_condition): Delete.
5878         * sm-taint.cc (taint_state_machine::on_condition): Convert params
5879         from tree to const svalue *.
5880         * sm.cc: Include tristate.h, selftest.h, analyzer/call-string.h,
5881         analyzer/program-point.h, analyzer/store.h, and
5882         analyzer/region-model.h.
5883         (any_pointer_p): Add overload taking const svalue *sval.
5884         * sm.h (any_pointer_p): Add overload taking const svalue *sval.
5885         (state_machine::on_condition): Convert params from tree to
5886         const svalue *.  Provide no-op default implementation.
5887         (sm_context::get_state): Add overload taking const svalue *sval.
5888         (sm_context::set_next_state): Likewise.
5889         (sm_context::on_transition): Likewise.
5890         (sm_context::get_diagnostic_tree): Likewise.
5891         * svalue.cc (svalue::all_zeroes_p): New.
5892         (constant_svalue::all_zeroes_p): New.
5893         (repeated_svalue::all_zeroes_p): Convert to vfunc.
5894         * svalue.h (svalue::all_zeroes_p): New decl.
5895         (constant_svalue::all_zeroes_p): New decl.
5896         (repeated_svalue::all_zeroes_p): Convert decl to vfunc.
5898 2021-06-30  David Malcolm  <dmalcolm@redhat.com>
5900         PR analyzer/95006
5901         * analyzer.h (class repeated_svalue): New forward decl.
5902         (class bits_within_svalue): New forward decl.
5903         (class sized_region): New forward decl.
5904         (get_field_at_bit_offset): New forward decl.
5905         * engine.cc (exploded_graph::get_or_create_node): Validate the
5906         merged state.
5907         (exploded_graph::maybe_process_run_of_before_supernode_enodes):
5908         Validate the states at each stage.
5909         * program-state.cc (program_state::validate): Validate
5910         m_region_model.
5911         * region-model-impl-calls.cc (region_model::impl_call_memset):
5912         Replace special-case logic for handling constant sizes with
5913         a call to fill_region of a sized_region with the given fill value.
5914         * region-model-manager.cc (maybe_undo_optimize_bit_field_compare):
5915         Drop DK_direct.
5916         (region_model_manager::maybe_fold_sub_svalue): Fold element-based
5917         subregions of an initial value into initial values of an element.
5918         Fold subvalues of repeated svalues.
5919         (region_model_manager::maybe_fold_repeated_svalue): New.
5920         (region_model_manager::get_or_create_repeated_svalue): New.
5921         (get_bit_range_for_field): New.
5922         (get_byte_range_for_field): New.
5923         (get_field_at_byte_range): New.
5924         (region_model_manager::maybe_fold_bits_within_svalue): New.
5925         (region_model_manager::get_or_create_bits_within): New.
5926         (region_model_manager::get_sized_region): New.
5927         (region_model_manager::log_stats): Update for addition of
5928         m_repeated_values_map, m_bits_within_values_map, and
5929         m_sized_regions.
5930         * region-model.cc (region_model::validate): New.
5931         (region_model::on_assignment): Drop enum binding_kind.
5932         (region_model::get_initial_value_for_global): Likewise.
5933         (region_model::get_rvalue_for_bits): Replace body with call to
5934         get_or_create_bits_within.
5935         (region_model::get_capacity): Handle RK_SIZED.
5936         (region_model::set_value): Drop enum binding_kind.
5937         (region_model::fill_region): New.
5938         (region_model::get_representative_path_var_1): Handle RK_SIZED.
5939         * region-model.h (visitor::visit_repeated_svalue): New.
5940         (visitor::visit_bits_within_svalue): New.
5941         (region_model_manager::get_or_create_repeated_svalue): New decl.
5942         (region_model_manager::get_or_create_bits_within): New decl.
5943         (region_model_manager::get_sized_region): New decl.
5944         (region_model_manager::maybe_fold_repeated_svalue): New decl.
5945         (region_model_manager::maybe_fold_bits_within_svalue): New decl.
5946         (region_model_manager::repeated_values_map_t): New typedef.
5947         (region_model_manager::m_repeated_values_map): New field.
5948         (region_model_manager::bits_within_values_map_t): New typedef.
5949         (region_model_manager::m_bits_within_values_map): New field.
5950         (region_model_manager::m_sized_regions): New field.
5951         (region_model::fill_region): New decl.
5952         * region.cc (region::get_base_region): Handle RK_SIZED.
5953         (region::base_region_p): Likewise.
5954         (region::get_byte_size_sval): New.
5955         (get_field_at_bit_offset): Make non-static.
5956         (region::calc_offset): Move implementation of cases to
5957         get_relative_concrete_offset vfunc implementations.  Handle
5958         RK_SIZED.
5959         (region::get_relative_concrete_offset): New.
5960         (decl_region::get_svalue_for_initializer): Drop enum binding_kind.
5961         (field_region::get_relative_concrete_offset): New, from
5962         region::calc_offset.
5963         (element_region::get_relative_concrete_offset): Likewise.
5964         (offset_region::get_relative_concrete_offset): Likewise.
5965         (sized_region::accept): New.
5966         (sized_region::dump_to_pp): New.
5967         (sized_region::get_byte_size): New.
5968         (sized_region::get_bit_size): New.
5969         * region.h (enum region_kind): Add RK_SIZED.
5970         (region::dyn_cast_sized_region): New.
5971         (region::get_byte_size): Make virtual.
5972         (region::get_bit_size): Likewise.
5973         (region::get_byte_size_sval): New decl.
5974         (region::get_relative_concrete_offset): New decl.
5975         (field_region::get_relative_concrete_offset): New decl.
5976         (element_region::get_relative_concrete_offset): Likewise.
5977         (offset_region::get_relative_concrete_offset): Likewise.
5978         (class sized_region): New.
5979         * store.cc (binding_kind_to_string): Delete.
5980         (binding_key::make): Drop enum binding_kind.
5981         (binding_key::dump_to_pp): Delete.
5982         (binding_key::cmp_ptrs): Drop enum binding_kind.
5983         (bit_range::contains_p): New.
5984         (byte_range::dump): New.
5985         (byte_range::contains_p): New.
5986         (byte_range::cmp): New.
5987         (concrete_binding::dump_to_pp): Drop enum binding_kind.
5988         (concrete_binding::cmp_ptr_ptr): Likewise.
5989         (symbolic_binding::dump_to_pp): Likewise.
5990         (symbolic_binding::cmp_ptr_ptr): Likewise.
5991         (binding_map::apply_ctor_val_to_range): Likewise.
5992         (binding_map::apply_ctor_pair_to_child_region): Likewise.
5993         (binding_map::get_overlapping_bindings): New.
5994         (binding_map::remove_overlapping_bindings): New.
5995         (binding_cluster::validate): New.
5996         (binding_cluster::bind): Drop enum binding_kind.
5997         (binding_cluster::bind_compound_sval): Likewise.
5998         (binding_cluster::purge_region): Likewise.
5999         (binding_cluster::zero_fill_region): Reimplement in terms of...
6000         (binding_cluster::fill_region): New.
6001         (binding_cluster::mark_region_as_unknown): Drop enum binding_kind.
6002         (binding_cluster::get_binding): Likewise.
6003         (binding_cluster::get_binding_recursive): Likewise.
6004         (binding_cluster::get_any_binding): Likewise.
6005         (binding_cluster::maybe_get_compound_binding): Reimplement.
6006         (binding_cluster::get_overlapping_bindings): Delete.
6007         (binding_cluster::remove_overlapping_bindings): Reimplement in
6008         terms of binding_map::remove_overlapping_bindings.
6009         (binding_cluster::can_merge_p): Update for removal of
6010         enum binding_kind.
6011         (binding_cluster::on_unknown_fncall): Drop enum binding_kind.
6012         (binding_cluster::maybe_get_simple_value): Likewise.
6013         (store_manager::get_concrete_binding): Likewise.
6014         (store_manager::get_symbolic_binding): Likewise.
6015         (store::validate): New.
6016         (store::set_value): Drop enum binding_kind.
6017         (store::zero_fill_region): Reimplement in terms of...
6018         (store::fill_region): New.
6019         (selftest::test_binding_key_overlap): Drop enum binding_kind.
6020         * store.h (enum binding_kind): Delete.
6021         (binding_kind_to_string): Delete decl.
6022         (binding_key::make): Drop enum binding_kind.
6023         (binding_key::dump_to_pp): Make pure virtual.
6024         (binding_key::get_kind): Delete.
6025         (binding_key::mark_deleted): Delete.
6026         (binding_key::mark_empty): Delete.
6027         (binding_key::is_deleted): Delete.
6028         (binding_key::is_empty): Delete.
6029         (binding_key::binding_key): Delete.
6030         (binding_key::impl_hash): Delete.
6031         (binding_key::impl_eq): Delete.
6032         (binding_key::m_kind): Delete.
6033         (bit_range::get_last_bit_offset): New.
6034         (bit_range::contains_p): New.
6035         (byte_range::contains_p): New.
6036         (byte_range::operator==): New.
6037         (byte_range::get_start_byte_offset): New.
6038         (byte_range::get_next_byte_offset): New.
6039         (byte_range::get_last_byte_offset): New.
6040         (byte_range::as_bit_range): New.
6041         (byte_range::cmp): New.
6042         (concrete_binding::concrete_binding): Drop enum binding_kind.
6043         (concrete_binding::hash): Likewise.
6044         (concrete_binding::operator==): Likewise.
6045         (concrete_binding::mark_deleted): New.
6046         (concrete_binding::mark_empty): New.
6047         (concrete_binding::is_deleted): New.
6048         (concrete_binding::is_empty): New.
6049         (default_hash_traits<ana::concrete_binding>::empty_zero_p): Make false.
6050         (symbolic_binding::symbolic_binding): Drop enum binding_kind.
6051         (symbolic_binding::hash): Likewise.
6052         (symbolic_binding::operator==): Likewise.
6053         (symbolic_binding::mark_deleted): New.
6054         (symbolic_binding::mark_empty): New.
6055         (symbolic_binding::is_deleted): New.
6056         (symbolic_binding::is_empty): New.
6057         (binding_map::remove_overlapping_bindings): New decl.
6058         (binding_map::get_overlapping_bindings): New decl.
6059         (binding_cluster::validate): New decl.
6060         (binding_cluster::bind): Drop enum binding_kind.
6061         (binding_cluster::fill_region): New decl.
6062         (binding_cluster::get_binding): Drop enum binding_kind.
6063         (binding_cluster::get_binding_recursive): Likewise.
6064         (binding_cluster::get_overlapping_bindings): Delete.
6065         (store::validate): New decl.
6066         (store::set_value): Drop enum binding_kind.
6067         (store::fill_region): New decl.
6068         (store_manager::get_concrete_binding): Drop enum binding_kind.
6069         (store_manager::get_symbolic_binding): Likewise.
6070         * svalue.cc (svalue::cmp_ptr): Handle SK_REPEATED and
6071         SK_BITS_WITHIN.
6072         (svalue::extract_bit_range): New.
6073         (svalue::maybe_fold_bits_within): New.
6074         (constant_svalue::maybe_fold_bits_within): New.
6075         (unknown_svalue::maybe_fold_bits_within): New.
6076         (unaryop_svalue::maybe_fold_bits_within): New.
6077         (repeated_svalue::repeated_svalue): New.
6078         (repeated_svalue::dump_to_pp): New.
6079         (repeated_svalue::accept): New.
6080         (repeated_svalue::all_zeroes_p): New.
6081         (repeated_svalue::maybe_fold_bits_within): New.
6082         (bits_within_svalue::bits_within_svalue): New.
6083         (bits_within_svalue::dump_to_pp): New.
6084         (bits_within_svalue::maybe_fold_bits_within): New.
6085         (bits_within_svalue::accept): New.
6086         (bits_within_svalue::implicitly_live_p): New.
6087         (compound_svalue::maybe_fold_bits_within): New.
6088         * svalue.h (enum svalue_kind): Add SK_REPEATED and SK_BITS_WITHIN.
6089         (svalue::dyn_cast_repeated_svalue): New.
6090         (svalue::dyn_cast_bits_within_svalue): New.
6091         (svalue::extract_bit_range): New decl.
6092         (svalue::maybe_fold_bits_within): New vfunc decl.
6093         (region_svalue::key_t::mark_empty): Use 2 rather than NULL_TREE.
6094         (region_svalue::key_t::is_empty): Likewise.
6095         (default_hash_traits<region_svalue::key_t>::empty_zero_p): Make false.
6096         (constant_svalue::maybe_fold_bits_within): New.
6097         (unknown_svalue::maybe_fold_bits_within): New.
6098         (poisoned_svalue::key_t::mark_empty): Use 2 rather than NULL_TREE.
6099         (poisoned_svalue::key_t::is_empty): Likewise.
6100         (default_hash_traits<poisoned_svalue::key_t>::empty_zero_p): Make
6101         false.
6102         (setjmp_svalue::key_t::mark_empty): Use 2 rather than NULL_TREE.
6103         (setjmp_svalue::key_t::is_empty): Likewise.
6104         (default_hash_traits<setjmp_svalue::key_t>::empty_zero_p): Make
6105         false.
6106         (unaryop_svalue::key_t::mark_empty): Use 2 rather than NULL_TREE.
6107         (unaryop_svalue::key_t::is_empty): Likewise.
6108         (unaryop_svalue::maybe_fold_bits_within): New.
6109         (default_hash_traits<unaryop_svalue::key_t>::empty_zero_p): Make
6110         false.
6111         (binop_svalue::key_t::mark_empty): Use 2 rather than NULL_TREE.
6112         (binop_svalue::key_t::is_empty): Likewise.
6113         (default_hash_traits<binop_svalue::key_t>::empty_zero_p): Make
6114         false.
6115         (sub_svalue::key_t::mark_empty): Use 2 rather than NULL_TREE.
6116         (sub_svalue::key_t::is_empty): Likewise.
6117         (default_hash_traits<sub_svalue::key_t>::empty_zero_p): Make
6118         false.
6119         (class repeated_svalue): New.
6120         (is_a_helper <const repeated_svalue *>::test): New.
6121         (struct default_hash_traits<repeated_svalue::key_t>): New.
6122         (class bits_within_svalue): New.
6123         (is_a_helper <const bits_within_svalue *>::test): New.
6124         (struct default_hash_traits<bits_within_svalue::key_t>): New.
6125         (widening_svalue::key_t::mark_empty): Use 2 rather than NULL_TREE.
6126         (widening_svalue::key_t::is_empty): Likewise.
6127         (default_hash_traits<widening_svalue::key_t>::empty_zero_p): Make
6128         false.
6129         (compound_svalue::key_t::mark_empty): Use 2 rather than NULL_TREE.
6130         (compound_svalue::key_t::is_empty): Likewise.
6131         (compound_svalue::maybe_fold_bits_within): New.
6132         (default_hash_traits<compound_svalue::key_t>::empty_zero_p): Make
6133         false.
6135 2021-06-28  David Malcolm  <dmalcolm@redhat.com>
6137         * analyzer.h (byte_offset_t): New typedef.
6138         * store.cc (bit_range::dump_to_pp): Dump as a byte range if
6139         possible.
6140         (bit_range::as_byte_range): New.
6141         (byte_range::dump_to_pp): New.
6142         * store.h (class byte_range): New forward decl.
6143         (struct bit_range): Add comment.
6144         (bit_range::as_byte_range): New decl.
6145         (struct byte_range): New.
6147 2021-06-22  David Malcolm  <dmalcolm@redhat.com>
6149         PR analyzer/101143
6150         * region-model.cc (compat_types_p): New function.
6151         (region_model::create_region_for_heap_alloc): Convert assertion to
6152         an error check.
6153         (region_model::create_region_for_alloca): Likewise.
6155 2021-06-18  David Malcolm  <dmalcolm@redhat.com>
6157         * store.cc (binding_cluster::get_any_binding): Make symbolic reads
6158         from a cluster with concrete bindings return unknown.
6160 2021-06-18  David Malcolm  <dmalcolm@redhat.com>
6162         * region-model-manager.cc
6163         (region_model_manager::get_or_create_int_cst): New.
6164         (region_model_manager::maybe_undo_optimize_bit_field_compare): Use
6165         it to simplify away a local tree.
6166         * region-model.cc (region_model::on_setjmp): Likewise.
6167         (region_model::on_longjmp): Likewise.
6168         * region-model.h (region_model_manager::get_or_create_int_cst):
6169         New decl.
6170         * store.cc (binding_cluster::zero_fill_region): Use it to simplify
6171         away a local tree.
6173 2021-06-18  David Malcolm  <dmalcolm@redhat.com>
6175         * checker-path.cc (class custom_event): Make abstract to allow for
6176         custom vfuncs, splitting existing implementation into...
6177         (class precanned_custom_event): New subclass.
6178         (custom_event::get_desc): Move to...
6179         (precanned_custom_event::get_desc): ...subclass.
6180         * checker-path.h (class custom_event): Make abstract to allow for
6181         custom vfuncs, splitting existing implementation into...
6182         (class precanned_custom_event): New subclass.
6183         * diagnostic-manager.cc (diagnostic_manager::add_events_for_eedge):
6184         Use precanned_custom_event.
6185         * engine.cc
6186         (stale_jmp_buf::maybe_add_custom_events_for_superedge): Likewise.
6187         * sm-signal.cc (signal_delivery_edge_info_t::add_events_to_path):
6188         Likewise.
6190 2021-06-15  David Malcolm  <dmalcolm@redhat.com>
6192         PR analyzer/99212
6193         PR analyzer/101082
6194         * engine.cc: Include "target.h".
6195         (impl_run_checkers): Log BITS_BIG_ENDIAN, BYTES_BIG_ENDIAN, and
6196         WORDS_BIG_ENDIAN.
6197         * region-model-manager.cc
6198         (region_model_manager::maybe_fold_binop): Move support for masking
6199         via ARG0 & CST into...
6200         (region_model_manager::maybe_undo_optimize_bit_field_compare):
6201         ...this new function.  Flatten by converting from nested
6202         conditionals to a series of early return statements to reject
6203         failures.  Reject if type is not unsigned_char_type_node.
6204         Handle BYTES_BIG_ENDIAN when determining which bits are bound
6205         in the binding_map.
6206         * region-model.h
6207         (region_model_manager::maybe_undo_optimize_bit_field_compare):
6208         New decl.
6209         * store.cc (bit_range::dump): New function.
6210         * store.h (bit_range::dump): New decl.
6212 2021-06-15  David Malcolm  <dmalcolm@redhat.com>
6214         * engine.cc (exploded_node::on_stmt): Handle __analyzer_dump_capacity.
6215         (exploded_node::on_stmt): Drop m_sm_changes from on_stmt_flags.
6216         (state_change_requires_new_enode_p): New function...
6217         (exploded_graph::process_node): Call it, rather than querying
6218         flags.m_sm_changes, so that dynamic-extent differences can also
6219         trigger the splitting of nodes.
6220         * exploded-graph.h (struct on_stmt_flags): Drop field m_sm_changes.
6221         * program-state.cc (program_state::detect_leaks): Purge dead
6222         heap-allocated regions from dynamic extents.
6223         (selftest::test_program_state_1): Fix type of "size_in_bytes".
6224         (selftest::test_program_state_merging): Likewise.
6225         * region-model-impl-calls.cc
6226         (region_model::impl_call_analyzer_dump_capacity): New.
6227         (region_model::impl_call_free): Remove dynamic extents from the
6228         freed region.
6229         * region-model-reachability.h
6230         (reachable_regions::begin_mutable_base_regs): New.
6231         (reachable_regions::end_mutable_base_regs): New.
6232         * region-model.cc: Include "tree-object-size.h".
6233         (region_model::region_model): Support new field m_dynamic_extents.
6234         (region_model::operator=): Likewise.
6235         (region_model::operator==): Likewise.
6236         (region_model::dump_to_pp): Dump sizes of dynamic regions.
6237         (region_model::handle_unrecognized_call): Purge dynamic extents
6238         from any regions that have escaped mutably.
6239         (region_model::get_capacity): New function.
6240         (region_model::add_constraint): Unset dynamic extents when a
6241         heap-allocated region's address is NULL.
6242         (region_model::unbind_region_and_descendents): Purge dynamic
6243         extents of unbound regions.
6244         (region_model::can_merge_with_p): Call
6245         m_dynamic_extents.can_merge_with_p.
6246         (region_model::create_region_for_heap_alloc): Assert that
6247         size_in_bytes's type is compatible with size_type_node.  Update
6248         for renaming of record_dynamic_extents to set_dynamic_extents.
6249         (region_model::create_region_for_alloca): Likewise.
6250         (region_model::record_dynamic_extents): Rename to...
6251         (region_model::set_dynamic_extents): ...this.  Assert that
6252         size_in_bytes's type is compatible with size_type_node.  Add it
6253         to the m_dynamic_extents map.
6254         (region_model::get_dynamic_extents): New.
6255         (region_model::unset_dynamic_extents): New.
6256         (selftest::test_state_merging): Fix type of "size".
6257         (selftest::test_malloc_constraints): Likewise.
6258         (selftest::test_malloc): Verify dynamic extents.
6259         (selftest::test_alloca): Likewise.
6260         * region-model.h (region_to_value_map::is_empty): New.
6261         (region_model::dynamic_extents_t): New typedef.
6262         (region_model::impl_call_analyzer_dump_capacity): New decl.
6263         (region_model::get_dynamic_extents): New function.
6264         (region_model::get_dynamic_extents): New decl.
6265         (region_model::set_dynamic_extents): New decl.
6266         (region_model::unset_dynamic_extents): New decl.
6267         (region_model::get_capacity): New decl.
6268         (region_model::record_dynamic_extents): Rename to set_dynamic_extents.
6269         (region_model::m_dynamic_extents): New field.
6271 2021-06-15  David Malcolm  <dmalcolm@redhat.com>
6273         * region-model.cc (region_to_value_map::operator=): New.
6274         (region_to_value_map::operator==): New.
6275         (region_to_value_map::dump_to_pp): New.
6276         (region_to_value_map::dump): New.
6277         (region_to_value_map::can_merge_with_p): New.
6278         * region-model.h (class region_to_value_map): New class.
6280 2021-06-13  Trevor Saunders  <tbsaunde@tbsaunde.org>
6282         * call-string.cc (call_string::call_string): Use range based for
6283         to iterate over vec<>.
6284         (call_string::to_json): Likewise.
6285         (call_string::hash): Likewise.
6286         (call_string::calc_recursion_depth): Likewise.
6287         * checker-path.cc (checker_path::fixup_locations): Likewise.
6288         * constraint-manager.cc (equiv_class::equiv_class): Likewise.
6289         (equiv_class::to_json): Likewise.
6290         (equiv_class::hash): Likewise.
6291         (constraint_manager::to_json): Likewise.
6292         * engine.cc (impl_region_model_context::on_svalue_leak):
6293         Likewise.
6294         (on_liveness_change): Likewise.
6295         (impl_region_model_context::on_unknown_change): Likewise.
6296         * program-state.cc (sm_state_map::set_state): Likewise.
6297         * region-model.cc (test_canonicalization_4): Likewise.
6299 2021-06-11  David Malcolm  <dmalcolm@redhat.com>
6301         * engine.cc (worklist::key_t::cmp): Move sort by call_string to
6302         before SCC.
6304 2021-06-09  David Malcolm  <dmalcolm@redhat.com>
6306         * region-model.cc (region_model::get_lvalue_1): Make const.
6307         (region_model::get_lvalue): Likewise.
6308         (region_model::get_rvalue_1): Likewise.
6309         (region_model::get_rvalue): Likewise.
6310         (region_model::deref_rvalue): Likewise.
6311         (region_model::get_rvalue_for_bits): Likewise.
6312         * region-model.h (region_model::get_lvalue): Likewise.
6313         (region_model::get_rvalue): Likewise.
6314         (region_model::deref_rvalue): Likewise.
6315         (region_model::get_rvalue_for_bits): Likewise.
6316         (region_model::get_lvalue_1): Likewise.
6317         (region_model::get_rvalue_1): Likewise.
6319 2021-06-08  David Malcolm  <dmalcolm@redhat.com>
6321         PR analyzer/99212
6322         * region-model-manager.cc
6323         (region_model_manager::maybe_fold_binop): Add support for folding
6324         BIT_AND_EXPR of compound_svalue and a mask constant.
6325         * region-model.cc (region_model::get_rvalue_1): Implement
6326         BIT_FIELD_REF in terms of...
6327         (region_model::get_rvalue_for_bits): New function.
6328         * region-model.h (region_model::get_rvalue_for_bits): New decl.
6329         * store.cc (bit_range::from_mask): New function.
6330         (selftest::test_bit_range_intersects_p): New selftest.
6331         (selftest::assert_bit_range_from_mask_eq): New.
6332         (ASSERT_BIT_RANGE_FROM_MASK_EQ): New macro.
6333         (selftest::assert_no_bit_range_from_mask_eq): New.
6334         (ASSERT_NO_BIT_RANGE_FROM_MASK): New macro.
6335         (selftest::test_bit_range_from_mask): New selftest.
6336         (selftest::analyzer_store_cc_tests): Call the new selftests.
6337         * store.h (bit_range::intersects_p): New.
6338         (bit_range::from_mask): New decl.
6339         (concrete_binding::get_bit_range): New accessor.
6340         (store_manager::get_concrete_binding): New overload taking
6341         const bit_range &.
6343 2021-06-08  David Malcolm  <dmalcolm@redhat.com>
6345         * analyzer.h (int_size_in_bits): New decl.
6346         * region.cc (int_size_in_bits): New function.
6347         (region::get_bit_size): Reimplement in terms of the above.
6349 2021-06-08  David Malcolm  <dmalcolm@redhat.com>
6351         * store.cc (concrete_binding::dump_to_pp): Move bulk of
6352         implementation to...
6353         (bit_range::dump_to_pp): ...this new function.
6354         (bit_range::cmp): New.
6355         (concrete_binding::overlaps_p): Update for use of bit_range.
6356         (concrete_binding::cmp_ptr_ptr): Likewise.
6357         * store.h (struct bit_range): New.
6358         (class concrete_binding): Replace fields m_start_bit_offset and
6359         m_size_in_bits with new field m_bit_range.
6361 2021-06-08  David Malcolm  <dmalcolm@redhat.com>
6363         * svalue.h (conjured_svalue::iterator_t): Delete.
6365 2021-06-03  David Malcolm  <dmalcolm@redhat.com>
6367         * store.h (store::get_direct_binding): Remove unused decl.
6368         (store::get_default_binding): Likewise.
6370 2021-06-03  David Malcolm  <dmalcolm@redhat.com>
6372         * svalue.cc (poisoned_svalue::dump_to_pp): Dump type.
6373         (compound_svalue::dump_to_pp): Dump any type.
6375 2021-05-18  David Malcolm  <dmalcolm@redhat.com>
6377         PR analyzer/100615
6378         * sm-malloc.cc: Include "analyzer/function-set.h".
6379         (malloc_state_machine::on_stmt): Call unaffected_by_call_p and
6380         bail on the functions it recognizes.
6381         (malloc_state_machine::unaffected_by_call_p): New.
6383 2021-05-10  Martin Liska  <mliska@suse.cz>
6385         * sm-file.cc (is_file_using_fn_p): Use startswith
6386         function instead of strncmp.
6388 2021-05-10  Martin Liska  <mliska@suse.cz>
6390         * program-state.cc (program_state::operator=): Remove
6391         __cplusplus >= 201103.
6392         (program_state::program_state): Likewise.
6393         * program-state.h: Likewise.
6394         * region-model.h (class region_model): Remove dead code.
6396 2021-04-24  David Malcolm  <dmalcolm@redhat.com>
6398         PR analyzer/100244
6399         * sm-malloc.cc (free_of_non_heap::describe_state_change):
6400         Bulletproof against change.m_expr being NULL.
6402 2021-04-13  David Malcolm  <dmalcolm@redhat.com>
6404         PR analyzer/98599
6405         * supergraph.cc (saved_uids::make_uid_unique): New.
6406         (saved_uids::restore_uids): New.
6407         (supergraph::supergraph): Replace assignments to stmt->uid with
6408         calls to m_stmt_uids.make_uid_unique.
6409         (supergraph::~supergraph): New.
6410         * supergraph.h (class saved_uids): New.
6411         (supergraph::~supergraph): New decl.
6412         (supergraph::m_stmt_uids): New field.
6414 2021-04-10  David Malcolm  <dmalcolm@redhat.com>
6416         PR analyzer/100011
6417         * region-model.cc (region_model::on_assignment): Avoid NULL
6418         dereference if ctxt is NULL when assigning from a STRING_CST.
6420 2021-04-08  David Malcolm  <dmalcolm@redhat.com>
6422         PR analyzer/99042
6423         PR analyzer/99774
6424         * engine.cc
6425         (impl_region_model_context::impl_region_model_context): Add
6426         uncertainty param and use it to initialize m_uncertainty.
6427         (impl_region_model_context::get_uncertainty): New.
6428         (impl_sm_context::get_fndecl_for_call): Add NULL for new
6429         uncertainty param when constructing impl_region_model_context.
6430         (impl_sm_context::get_state): Likewise.
6431         (impl_sm_context::set_next_state): Likewise.
6432         (impl_sm_context::warn): Likewise.
6433         (exploded_node::on_stmt): Add uncertainty param
6434         and use it when constructing impl_region_model_context.
6435         (exploded_node::on_edge): Add uncertainty param and pass
6436         to on_edge call.
6437         (exploded_node::detect_leaks): Create uncertainty_t and pass to
6438         impl_region_model_context.
6439         (exploded_graph::get_or_create_node): Create uncertainty_t and
6440         pass to prune_for_point.
6441         (maybe_process_run_of_before_supernode_enodes): Create
6442         uncertainty_t and pass to impl_region_model_context.
6443         (exploded_graph::process_node): Create uncertainty_t instances and
6444         pass around as needed.
6445         * exploded-graph.h
6446         (impl_region_model_context::impl_region_model_context): Add
6447         uncertainty param.
6448         (impl_region_model_context::get_uncertainty): New decl.
6449         (impl_region_model_context::m_uncertainty): New field.
6450         (exploded_node::on_stmt): Add uncertainty param.
6451         (exploded_node::on_edge): Likewise.
6452         * program-state.cc (sm_state_map::on_liveness_change): Get
6453         uncertainty from context and use it to unset sm-state from
6454         svalues as appropriate.
6455         (program_state::on_edge): Add uncertainty param and use it when
6456         constructing impl_region_model_context.  Fix indentation.
6457         (program_state::prune_for_point): Add uncertainty param and use it
6458         when constructing impl_region_model_context.
6459         (program_state::detect_leaks): Get any uncertainty from ctxt and
6460         use it to get maybe-live svalues for dest_state, rather than
6461         definitely-live ones; use this when determining which svalues
6462         have leaked.
6463         (selftest::test_program_state_merging): Create uncertainty_t and
6464         pass to impl_region_model_context.
6465         * program-state.h (program_state::on_edge): Add uncertainty param.
6466         (program_state::prune_for_point): Likewise.
6467         * region-model-impl-calls.cc (call_details::get_uncertainty): New.
6468         (region_model::impl_call_memcpy): Pass uncertainty to
6469         mark_region_as_unknown call.
6470         (region_model::impl_call_memset): Likewise.
6471         (region_model::impl_call_strcpy): Likewise.
6472         * region-model-reachability.cc (reachable_regions::handle_sval):
6473         Also add sval to m_mutable_svals.
6474         * region-model.cc (region_model::on_assignment): Pass any
6475         uncertainty from ctxt to the store::set_value call.
6476         (region_model::handle_unrecognized_call): Get any uncertainty from
6477         ctxt and use it to record mutable svalues at the unknown call.
6478         (region_model::get_reachable_svalues): Add uncertainty param and
6479         use it to mark any maybe-bound svalues as being reachable.
6480         (region_model::set_value): Pass any uncertainty from ctxt to the
6481         store::set_value call.
6482         (region_model::mark_region_as_unknown): Add uncertainty param and
6483         pass it on to the store::mark_region_as_unknown call.
6484         (region_model::update_for_call_summary): Add uncertainty param and
6485         pass it on to the region_model::mark_region_as_unknown call.
6486         * region-model.h (call_details::get_uncertainty): New decl.
6487         (region_model::get_reachable_svalues): Add uncertainty param.
6488         (region_model::mark_region_as_unknown): Add uncertainty param.
6489         (region_model_context::get_uncertainty): New vfunc.
6490         (noop_region_model_context::get_uncertainty): New vfunc
6491         implementation.
6492         * store.cc (dump_svalue_set): New.
6493         (uncertainty_t::dump_to_pp): New.
6494         (uncertainty_t::dump): New.
6495         (binding_cluster::clobber_region): Pass NULL for uncertainty to
6496         remove_overlapping_bindings.
6497         (binding_cluster::mark_region_as_unknown): Add uncertainty param
6498         and pass it to remove_overlapping_bindings.
6499         (binding_cluster::remove_overlapping_bindings): Add uncertainty param.
6500         Use it to record any svalues that were in clobbered bindings.
6501         (store::set_value): Add uncertainty param.  Pass it to
6502         binding_cluster::mark_region_as_unknown when handling symbolic
6503         regions.
6504         (store::mark_region_as_unknown): Add uncertainty param and pass it
6505         to binding_cluster::mark_region_as_unknown.
6506         (store::remove_overlapping_bindings): Add uncertainty param and
6507         pass it to binding_cluster::remove_overlapping_bindings.
6508         * store.h (binding_cluster::mark_region_as_unknown): Add
6509         uncertainty param.
6510         (binding_cluster::remove_overlapping_bindings): Likewise.
6511         (store::set_value): Likewise.
6512         (store::mark_region_as_unknown): Likewise.
6514 2021-04-05  David Malcolm  <dmalcolm@redhat.com>
6516         PR analyzer/99906
6517         * analyzer.cc (maybe_reconstruct_from_def_stmt): Fix NULL
6518         dereference on calls with zero arguments.
6519         * sm-malloc.cc (malloc_state_machine::on_stmt): When handling
6520         __attribute__((nonnull)), only call get_diagnostic_tree if the
6521         result will be used.
6523 2021-04-05  David Malcolm  <dmalcolm@redhat.com>
6525         PR analyzer/99886
6526         * diagnostic-manager.cc
6527         (diagnostic_manager::prune_interproc_events): Use signed integers
6528         when subtracting one from path->num_events ().
6529         (diagnostic_manager::consolidate_conditions): Likewise.  Convert
6530         next_idx to a signed int.
6532 2021-04-01  David Malcolm  <dmalcolm@redhat.com>
6534         * diagnostic-manager.cc (diagnostic_manager::add_diagnostic): Make
6535         enode param non-constant, and call add_diagnostic on it.  Add
6536         enode index to log message.
6537         (diagnostic_manager::add_diagnostic): Make enode param
6538         non-constant.
6539         * diagnostic-manager.h (diagnostic_manager::add_diagnostic):
6540         Likewise for both decls.
6541         * engine.cc
6542         (impl_region_model_context::impl_region_model_context): Likewise
6543         for enode_for_diag.
6544         (impl_sm_context::impl_sm_context): Likewise.
6545         (impl_sm_context::m_enode_for_diag): Likewise.
6546         (exploded_node::dump_dot): Don't pass the diagnostic manager
6547         to dump_saved_diagnostics.
6548         (exploded_node::dump_saved_diagnostics): Drop param.  Iterate
6549         directly through all saved diagnostics for the enode, rather
6550         than all saved diagnostics in the diagnostic_manager and
6551         filtering.
6552         (exploded_node::on_stmt): Make non-const.
6553         (exploded_node::on_edge): Likewise.
6554         (exploded_node::on_longjmp): Likewise.
6555         (exploded_node::detect_leaks): Likewise.
6556         (exploded_graph::get_or_create_node): Make enode_for_diag param
6557         non-const.
6558         (exploded_graph_annotator::print_enode): Iterate
6559         directly through all saved diagnostics for the enode, rather
6560         than all saved diagnostics in the diagnostic_manager and
6561         filtering.
6562         * exploded-graph.h
6563         (impl_region_model_context::impl_region_model_context): Make
6564         enode_for_diag param non-constant.
6565         (impl_region_model_context::m_enode_for_diag): Likewise.
6566         (exploded_node::dump_saved_diagnostics): Drop param.
6567         (exploded_node::on_stmt): Make non-const.
6568         (exploded_node::on_edge): Likewise.
6569         (exploded_node::on_longjmp): Likewise.
6570         (exploded_node::detect_leaks): Likewise.
6571         (exploded_node::add_diagnostic): New.
6572         (exploded_node::get_num_diagnostics): New.
6573         (exploded_node::get_saved_diagnostic): New.
6574         (exploded_node::m_saved_diagnostics): New.
6575         (exploded_graph::get_or_create_node): Make enode_for_diag param
6576         non-constant.
6577         * feasible-graph.cc (feasible_node::dump_dot): Drop
6578         diagnostic_manager from call to dump_saved_diagnostics.
6579         * program-state.cc (program_state::on_edge): Convert enode param
6580         to non-const pointer.
6581         (program_state::prune_for_point): Likewise for enode_for_diag
6582         param.
6583         * program-state.h (program_state::on_edge): Convert enode param
6584         to non-const pointer.
6585         (program_state::prune_for_point): Likewise for enode_for_diag
6586         param.
6588 2021-03-31  David Malcolm  <dmalcolm@redhat.com>
6590         PR analyzer/99771
6591         * analyzer.cc (maybe_reconstruct_from_def_stmt): New.
6592         (fixup_tree_for_diagnostic_1): New.
6593         (fixup_tree_for_diagnostic): New.
6594         * analyzer.h (fixup_tree_for_diagnostic): New decl.
6595         * checker-path.cc (call_event::get_desc): Call
6596         fixup_tree_for_diagnostic and use it for the call_with_state call.
6597         (warning_event::get_desc): Likewise for the final_event and
6598         make_label_text calls.
6599         * engine.cc (impl_region_model_context::on_state_leak): Likewise
6600         for the on_leak and add_diagnostic calls.
6601         * region-model.cc (region_model::get_representative_tree):
6602         Likewise for the result.
6604 2021-03-30  David Malcolm  <dmalcolm@redhat.com>
6606         * region.h (region::dump_to_pp): Remove old decl.
6608 2021-03-30  David Malcolm  <dmalcolm@redhat.com>
6610         * sm-file.cc (fileptr_state_machine::on_stmt): Only call
6611         get_diagnostic_tree if the result will be used.
6612         * sm-malloc.cc (malloc_state_machine::on_stmt): Likewise.
6613         (malloc_state_machine::on_deallocator_call): Likewise.
6614         (malloc_state_machine::on_realloc_call): Likewise.
6615         (malloc_state_machine::on_realloc_call): Likewise.
6616         * sm-sensitive.cc
6617         (sensitive_state_machine::warn_for_any_exposure): Likewise.
6618         * sm-taint.cc (taint_state_machine::on_stmt): Likewise.
6620 2021-03-25  David Malcolm  <dmalcolm@redhat.com>
6622         PR analyzer/93695
6623         PR analyzer/99044
6624         PR analyzer/99716
6625         * engine.cc (exploded_node::on_stmt): Clear sm-state involving
6626         an SSA name at the def-stmt of that SSA name.
6627         * program-state.cc (sm_state_map::purge_state_involving): New.
6628         * program-state.h (sm_state_map::purge_state_involving): New decl.
6629         * region-model.cc (selftest::test_involves_p): New.
6630         (selftest::analyzer_region_model_cc_tests): Call it.
6631         * svalue.cc (class involvement_visitor): New class.
6632         (svalue::involves_p): New.
6633         * svalue.h (svalue::involves_p): New decl.
6635 2021-03-19  David Malcolm  <dmalcolm@redhat.com>
6637         PR analyzer/99614
6638         * diagnostic-manager.cc (class epath_finder): Add
6639         DISABLE_COPY_AND_ASSIGN.
6641 2021-03-15  Martin Liska  <mliska@suse.cz>
6643         * sm-file.cc (get_file_using_fns): Add missing comma in initializer.
6645 2021-03-11  David Malcolm  <dmalcolm@redhat.com>
6647         PR analyzer/96374
6648         * analyzer.opt (-param=analyzer-max-infeasible-edges=): New param.
6649         (fdump-analyzer-feasibility): New flag.
6650         * diagnostic-manager.cc: Include "analyzer/trimmed-graph.h" and
6651         "analyzer/feasible-graph.h".
6652         (epath_finder::epath_finder): Convert m_sep to a pointer and
6653         only create it if !flag_analyzer_feasibility.
6654         (epath_finder::~epath_finder): New.
6655         (epath_finder::m_sep): Convert to a pointer.
6656         (epath_finder::get_best_epath): Add param "diag_idx" and use it
6657         when logging.  Rather than finding the shortest path and then
6658         checking feasibility, instead use explore_feasible_paths unless
6659         !flag_analyzer_feasibility, in which case simply use the shortest
6660         path, and note if it is infeasible.  Update for m_sep becoming a
6661         pointer.
6662         (class feasible_worklist): New.
6663         (epath_finder::explore_feasible_paths): New.
6664         (epath_finder::process_worklist_item): New.
6665         (class dump_eg_with_shortest_path): New.
6666         (epath_finder::dump_trimmed_graph): New.
6667         (epath_finder::dump_feasible_graph): New.
6668         (saved_diagnostic::saved_diagnostic): Add "idx" param, using it
6669         on new field m_idx.
6670         (saved_diagnostic::to_json): Dump m_idx.
6671         (saved_diagnostic::calc_best_epath): Pass m_idx to get_best_epath.
6672         Remove assertion that m_problem was set when m_best_epath is NULL.
6673         (diagnostic_manager::add_diagnostic): Pass an index when creating
6674         saved_diagnostic instances.
6675         * diagnostic-manager.h (saved_diagnostic::saved_diagnostic): Add
6676         "idx" param.
6677         (saved_diagnostic::get_index): New accessor.
6678         (saved_diagnostic::m_idx): New field.
6679         * engine.cc (exploded_node::dump_dot): Call args.dump_extra_info.
6680         Move code to...
6681         (exploded_node::dump_processed_stmts): ...this new function and...
6682         (exploded_node::dump_saved_diagnostics): ...this new function.
6683         Add index of each diagnostic.
6684         (exploded_edge::dump_dot): Move bulk of code to...
6685         (exploded_edge::dump_dot_label): ...this new function.
6686         * exploded-graph.h (eg_traits::dump_args_t::dump_extra_info): New
6687         vfunc.
6688         (exploded_node::dump_processed_stmts): New decl.
6689         (exploded_node::dump_saved_diagnostics): New decl.
6690         (exploded_edge::dump_dot_label): New decl.
6691         * feasible-graph.cc: New file.
6692         * feasible-graph.h: New file.
6693         * trimmed-graph.cc: New file.
6694         * trimmed-graph.h: New file.
6696 2021-03-11  David Malcolm  <dmalcolm@redhat.com>
6698         * diagnostic-manager.cc (epath_finder::epath_finder):
6699         Update shortest_paths init for new param.
6701 2021-03-10  David Malcolm  <dmalcolm@redhat.com>
6703         PR analyzer/96374
6704         * engine.cc (exploded_path::feasible_p): Move "snodes_visited" and
6705         "model" locals into a new class feasibility_state.  Move heart
6706         of per-edge processing into
6707         feasibility_state::maybe_update_for_edge.
6708         (feasibility_state::feasibility_state): New.
6709         (feasibility_state::maybe_update_for_edge): New, based on loop
6710         body in exploded_path::feasible_p.
6711         * exploded-graph.h (class feasibility_state): New.
6713 2021-03-10  David Malcolm  <dmalcolm@redhat.com>
6715         * supergraph.h
6716         (callgraph_superedge::dyn_cast_callgraph_superedge): New.
6717         (call_superedge::dyn_cast_callgraph_superedge): Delete.
6718         (return_superedge::dyn_cast_callgraph_superedge): Delete.
6720 2021-03-02  Martin Liska  <mliska@suse.cz>
6722         * diagnostic-manager.cc (diagnostic_manager::emit_saved_diagnostics):
6723         Do not pass engine.
6725 2021-02-26  David Malcolm  <dmalcolm@redhat.com>
6727         * engine.cc (exploded_path::exploded_path): New copy-ctor.
6728         * exploded-graph.h (exploded_path::operator=): Drop decl.
6730 2021-02-26  David Malcolm  <dmalcolm@redhat.com>
6732         PR analyzer/96374
6733         * diagnostic-manager.cc (class epath_finder): New.
6734         (epath_finder::get_best_epath): New.
6735         (saved_diagnostic::saved_diagnostic): Update for replacement of
6736         m_state and m_epath_length with m_best_epath.
6737         (saved_diagnostic::~saved_diagnostic): Delete m_best_epath.
6738         (saved_diagnostic::to_json): Update "path_length" to be optional.
6739         (saved_diagnostic::calc_best_epath): New, based on
6740         dedupe_winners::add and parts of dedupe_key::dedupe_key.
6741         (saved_diagnostic::get_epath_length): New.
6742         (saved_diagnostic::add_duplicate): New.
6743         (dedupe_key::dedupe_key): Drop epath param.  Move invocation of
6744         stmt_finder to saved_diagnostic::calc_best_epath.
6745         (class dedupe_candidate): Delete.
6746         (class dedupe_hash_map_traits): Update to use saved_diagnostic *
6747         rather than dedupe_candidate * as the value_type/compare_type.
6748         (dedupe_winners::~dedupe_winners): Don't delete the values.
6749         (dedupe_winners::add): Convert param from shortest_exploded_paths to
6750         epath_finder.  Drop "eg" param.  Drop dedupe_candidate, moving
6751         path generation and feasibility checking to
6752         epath_finder::get_best_epath.  Update winner-selection for move
6753         of epaths from dedupe_candidate to saved_diagnostic.
6754         (dedupe_winners::emit_best): Update for removal of class
6755         dedupe_candidate.
6756         (dedupe_winners::map_t): Update to use saved_diagnostic * rather
6757         than dedupe_candidate * as the value_type/compare_type.
6758         (diagnostic_manager::emit_saved_diagnostics): Move
6759         shortest_exploded_paths instance into epath_finder and pass that
6760         around instead.
6761         (diagnostic_manager::emit_saved_diagnostic): Drop epath, stmt
6762         and num_dupes params, instead getting these from the
6763         saved_diagnostic.  Use correct location in inform_n call.
6764         * diagnostic-manager.h (class epath_finder): New forward decl.
6765         (saved_diagnostic::status): Drop enum.
6766         (saved_diagnostic::set_feasible): Drop.
6767         (saved_diagnostic::set_infeasible): Drop.
6768         (saved_diagnostic::get_status): Drop.
6769         (saved_diagnostic::calc_best_epath): New decl.
6770         (saved_diagnostic::get_best_epath): New decl.
6771         (saved_diagnostic::get_epath_length): New decl.
6772         (saved_diagnostic::set_epath_length): Drop.
6773         (saved_diagnostic::get_epath_length): Drop inline implementation.
6774         (saved_diagnostic::add_duplicate): New.
6775         (saved_diagnostic::get_num_dupes): New.
6776         (saved_diagnostic::m_d): Document ownership.
6777         (saved_diagnostic::m_trailing_eedge): Make const.
6778         (saved_diagnostic::m_status): Drop field.
6779         (saved_diagnostic::m_epath_length): Drop field.
6780         (saved_diagnostic::m_best_epath): New field.
6781         (saved_diagnostic::m_problem): Document ownership.
6782         (saved_diagnostic::m_duplicates): New field.
6783         (diagnostic_manager::emit_saved_diagnostic): Drop params epath,
6784         stmt, and num_dupes.
6785         * engine.cc (exploded_graph_annotator::print_saved_diagnostic):
6786         Update for changes to saved_diagnostic class.
6787         * exploded-graph.h (exploded_path::feasible_p): Drop unused
6788         overloaded decl.
6790 2021-02-25  David Malcolm  <dmalcolm@redhat.com>
6792         PR analyzer/99193
6793         * region-model-impl-calls.cc (region_model::impl_call_realloc): New.
6794         * region-model.cc (region_model::on_call_pre): Call it.
6795         * region-model.h (region_model::impl_call_realloc): New decl.
6796         * sm-malloc.cc (enum wording): Add WORDING_REALLOCATED.
6797         (malloc_state_machine::m_realloc): New field.
6798         (use_after_free::describe_state_change): Add case for
6799         WORDING_REALLOCATED.
6800         (use_after_free::describe_final_event): Likewise.
6801         (malloc_state_machine::malloc_state_machine): Initialize
6802         m_realloc.
6803         (malloc_state_machine::on_stmt): Handle realloc by calling...
6804         (malloc_state_machine::on_realloc_call): New.
6806 2021-02-22  David Malcolm  <dmalcolm@redhat.com>
6808         PR analyzer/99196
6809         * engine.cc (exploded_node::on_stmt): Provide terminate_path
6810         flag as a way for on_call_pre to terminate the current analysis
6811         path.
6812         * region-model-impl-calls.cc (call_details::num_args): New.
6813         (region_model::impl_call_error): New.
6814         * region-model.cc (region_model::on_call_pre): Add param
6815         "out_terminate_path".  Handle "error" and "error_at_line".
6816         * region-model.h (call_details::num_args): New decl.
6817         (region_model::on_call_pre): Add param "out_terminate_path".
6818         (region_model::impl_call_error): New decl.
6820 2021-02-17  David Malcolm  <dmalcolm@redhat.com>
6822         PR analyzer/98969
6823         * constraint-manager.cc (dead_svalue_purger::should_purge_p):
6824         Update for change to svalue::live_p.
6825         * program-state.cc (sm_state_map::on_liveness_change): Likewise.
6826         (program_state::detect_leaks): Likewise.
6827         * region-model-reachability.cc (reachable_regions::init_cluster):
6828         When dealing with a symbolic region, if the underlying pointer is
6829         implicitly live, add the region to the reachable regions.
6830         * region-model.cc (region_model::compare_initial_and_pointer):
6831         Move logic for detecting initial values of params to
6832         initial_svalue::initial_value_of_param_p.
6833         * svalue.cc (svalue::live_p): Convert "live_svalues" from a
6834         reference to a pointer; support it being NULL.
6835         (svalue::implicitly_live_p): Convert first param from a
6836         reference to a pointer.
6837         (region_svalue::implicitly_live_p): Likewise.
6838         (constant_svalue::implicitly_live_p): Likewise.
6839         (initial_svalue::implicitly_live_p): Likewise.  Treat the initial
6840         values of params for the top level frame as still live.
6841         (initial_svalue::initial_value_of_param_p): New function, taken
6842         from a test in region_model::compare_initial_and_pointer.
6843         (unaryop_svalue::implicitly_live_p): Convert first param from a
6844         reference to a pointer.
6845         (binop_svalue::implicitly_live_p): Likewise.
6846         (sub_svalue::implicitly_live_p): Likewise.
6847         (unmergeable_svalue::implicitly_live_p): Likewise.
6848         * svalue.h (svalue::live_p): Likewise.
6849         (svalue::implicitly_live_p): Likewise.
6850         (region_svalue::implicitly_live_p): Likewise.
6851         (constant_svalue::implicitly_live_p): Likewise.
6852         (initial_svalue::implicitly_live_p): Likewise.
6853         (initial_svalue::initial_value_of_param_p): New decl.
6854         (unaryop_svalue::implicitly_live_p): Convert first param from a
6855         reference to a pointer.
6856         (binop_svalue::implicitly_live_p): Likewise.
6857         (sub_svalue::implicitly_live_p): Likewise.
6858         (unmergeable_svalue::implicitly_live_p): Likewise.
6860 2021-02-12  David Malcolm  <dmalcolm@redhat.com>
6862         PR analyzer/98969
6863         * engine.cc (readability): Add names for the various arbitrary
6864         values.  Handle NOP_EXPR and INTEGER_CST.
6865         (readability_comparator): Combine the readability tests for
6866         tree and stack depth, rather than performing them sequentially.
6867         (impl_region_model_context::on_state_leak): Strip off top-level
6868         casts.
6869         * region-model.cc (region_model::get_representative_path_var): Add
6870         type-checking, moving the bulk of the implementation to...
6871         (region_model::get_representative_path_var_1): ...here.  Respect
6872         types in casts by recursing and re-adding the cast, rather than
6873         merely stripping them off.  Use the correct type when handling
6874         region_svalue.
6875         (region_model::get_representative_tree): Strip off any top-level
6876         cast.
6877         (region_model::get_representative_path_var): Add type-checking,
6878         moving the bulk of the implementation to...
6879         (region_model::get_representative_path_var_1): ...here.
6880         * region-model.h (region_model::get_representative_path_var_1):
6881         New decl.
6882         (region_model::get_representative_path_var_1): New decl.
6883         * store.cc (append_pathvar_with_type): New.
6884         (binding_cluster::get_representative_path_vars): Cast path_vars
6885         to the correct type when adding them to *OUT_PVS.
6887 2021-02-09  David Malcolm  <dmalcolm@redhat.com>
6889         PR analyzer/98575
6890         * sm-file.cc (is_file_using_fn_p): Support "_IO_"-prefixed
6891         variants.
6893 2021-02-09  David Malcolm  <dmalcolm@redhat.com>
6895         PR analyzer/98575
6896         * store.cc (store::set_value): Treat a pointer written to *UNKNOWN
6897         as having escaped.
6899 2021-02-02  David Malcolm  <dmalcolm@redhat.com>
6901         PR analyzer/93355
6902         PR analyzer/96374
6903         * engine.cc (toplevel_function_p): Simplify so that
6904         we only reject functions with a "__analyzer_" prefix.
6905         (add_any_callbacks): Delete.
6906         (exploded_graph::build_initial_worklist): Update for
6907         dropped param of toplevel_function_p.
6908         (exploded_graph::build_initial_worklist): Don't bother
6909         looking for callbacks that are reachable from global
6910         initializers.
6912 2021-02-01  David Malcolm  <dmalcolm@redhat.com>
6914         PR analyzer/98918
6915         * region-model-manager.cc
6916         (region_model_manager::get_or_create_initial_value):
6917         Fold the initial value of *UNKNOWN_PTR to an UNKNOWN value.
6918         (region_model_manager::get_field_region): Fold the value
6919         of UNKNOWN_PTR->FIELD to *UNKNOWN_PTR_OF_&FIELD_TYPE.
6921 2021-01-29  David Malcolm  <dmalcolm@redhat.com>
6923         * checker-path.cc (event_kind_to_string): Handle
6924         EK_START_CONSOLIDATED_CFG_EDGES and
6925         EK_END_CONSOLIDATED_CFG_EDGES.
6926         (start_consolidated_cfg_edges_event::get_desc): New.
6927         (checker_path::cfg_edge_pair_at_p): New.
6928         * checker-path.h (enum event_kind): Add
6929         EK_START_CONSOLIDATED_CFG_EDGES and
6930         EK_END_CONSOLIDATED_CFG_EDGES.
6931         (class start_consolidated_cfg_edges_event): New class.
6932         (class end_consolidated_cfg_edges_event): New class.
6933         (checker_path::delete_events): New.
6934         (checker_path::replace_event): New.
6935         (checker_path::cfg_edge_pair_at_p): New decl.
6936         * diagnostic-manager.cc (diagnostic_manager::prune_path): Call
6937         consolidate_conditions.
6938         (same_line_as_p): New.
6939         (diagnostic_manager::consolidate_conditions): New.
6940         * diagnostic-manager.h
6941         (diagnostic_manager::consolidate_conditions): New decl.
6943 2021-01-18  David Malcolm  <dmalcolm@redhat.com>
6945         * analyzer.h (is_std_named_call_p): New decl.
6946         * diagnostic-manager.cc (path_builder::get_sm): New.
6947         (state_change_event_creator::state_change_event_creator): Add "pb"
6948         param.
6949         (state_change_event_creator::on_global_state_change): Don't consider
6950         state changes affecting other state_machines.
6951         (state_change_event_creator::on_state_change): Likewise.
6952         (state_change_event_creator::m_pb): New field.
6953         (diagnostic_manager::add_events_for_eedge): Pass pb to visitor
6954         ctor.
6955         * region-model-impl-calls.cc
6956         (region_model::impl_deallocation_call): New.
6957         * region-model.cc: Include "attribs.h".
6958         (region_model::on_call_post): Handle fndecls referenced by
6959         __attribute__((deallocated_by(FOO))).
6960         * region-model.h (region_model::impl_deallocation_call): New decl.
6961         * sm-malloc.cc: Include "stringpool.h" and "attribs.h".  Add
6962         leading comment.
6963         (class api): Delete.
6964         (enum resource_state): Update comment for change from api to
6965         deallocator and deallocator_set.
6966         (allocation_state::allocation_state): Drop api param.  Add
6967         "deallocators" and "deallocator".
6968         (allocation_state::m_api): Drop field in favor of...
6969         (allocation_state::m_deallocators): New field.
6970         (allocation_state::m_deallocator): New field.
6971         (enum wording): Add WORDING_DEALLOCATED.
6972         (struct deallocator): New.
6973         (struct standard_deallocator): New.
6974         (struct custom_deallocator): New.
6975         (struct deallocator_set): New.
6976         (struct custom_deallocator_set): New.
6977         (struct standard_deallocator_set): New.
6978         (struct deallocator_set_map_traits): New.
6979         (malloc_state_machine::m_malloc): Drop field
6980         (malloc_state_machine::m_scalar_new): Likewise.
6981         (malloc_state_machine::m_vector_new): Likewise.
6982         (malloc_state_machine::m_free): New field
6983         (malloc_state_machine::m_scalar_delete): Likewise.
6984         (malloc_state_machine::m_vector_delete): Likewise.
6985         (malloc_state_machine::deallocator_map_t): New typedef.
6986         (malloc_state_machine::m_deallocator_map): New field.
6987         (malloc_state_machine::deallocator_set_cache_t): New typedef.
6988         (malloc_state_machine::m_custom_deallocator_set_cache): New field.
6989         (malloc_state_machine::custom_deallocator_set_map_t): New typedef.
6990         (malloc_state_machine::m_custom_deallocator_set_map): New field.
6991         (malloc_state_machine::m_dynamic_sets): New field.
6992         (malloc_state_machine::m_dynamic_deallocators): New field.
6993         (api::api): Delete.
6994         (deallocator::deallocator): New ctor.
6995         (deallocator::hash): New.
6996         (deallocator::dump_to_pp): New.
6997         (deallocator::cmp): New.
6998         (deallocator::cmp_ptr_ptr): New.
6999         (standard_deallocator::standard_deallocator): New ctor.
7000         (deallocator_set::deallocator_set): New ctor.
7001         (deallocator_set::dump): New.
7002         (custom_deallocator_set::custom_deallocator_set): New ctor.
7003         (custom_deallocator_set::contains_p): New.
7004         (custom_deallocator_set::maybe_get_single): New.
7005         (custom_deallocator_set::dump_to_pp): New.
7006         (standard_deallocator_set::standard_deallocator_set): New ctor.
7007         (standard_deallocator_set::contains_p): New.
7008         (standard_deallocator_set::maybe_get_single): New.
7009         (standard_deallocator_set::dump_to_pp): New.
7010         (start_p): New.
7011         (class mismatching_deallocation): Update for conversion from api
7012         to deallocator_set and deallocator.
7013         (double_free::emit): Use %qs.
7014         (class use_after_free): Update for conversion from api to
7015         deallocator_set and deallocator.
7016         (malloc_leak::describe_state_change): Only emit "allocated here" on
7017         a start->nonnull transition, rather than on other transitions to
7018         nonnull.
7019         (allocation_state::dump_to_pp): Update for conversion from api to
7020         deallocator_set.
7021         (allocation_state::get_nonnull): Likewise.
7022         (malloc_state_machine::malloc_state_machine): Likewise.
7023         (malloc_state_machine::~malloc_state_machine): New.
7024         (malloc_state_machine::add_state): Update for conversion from api
7025         to deallocator_set.
7026         (malloc_state_machine::get_or_create_custom_deallocator_set): New.
7027         (malloc_state_machine::maybe_create_custom_deallocator_set): New.
7028         (malloc_state_machine::get_or_create_deallocator): New.
7029         (malloc_state_machine::on_stmt): Update for conversion from api
7030         to deallocator_set.  Handle "__attribute__((malloc(FOO)))", and
7031         the special attribute set on FOO.
7032         (malloc_state_machine::on_allocator_call): Update for conversion
7033         from api to deallocator_set.  Add "returns_nonnull" param and use
7034         it to affect which state to transition to.
7035         (malloc_state_machine::on_deallocator_call): Update for conversion
7036         from api to deallocator_set.
7038 2021-01-14  David Malcolm  <dmalcolm@redhat.com>
7040         * engine.cc (strongly_connected_components::to_json): New.
7041         (worklist::to_json): New.
7042         (exploded_graph::to_json): JSON-ify the worklist.
7043         * exploded-graph.h (strongly_connected_components::to_json): New
7044         decl.
7045         (worklist::to_json): New decl.
7046         * store.cc (store::to_json): Fix comment.
7047         * supergraph.cc (supernode::to_json): Fix reference to
7048         "returning_call" in comment.  Add optional "fun" to JSON.
7049         (edge_kind_to_string): New.
7050         (superedge::to_json): Add "kind" to JSON.
7052 2021-01-14  David Malcolm  <dmalcolm@redhat.com>
7054         PR analyzer/98679
7055         * analyzer.h (region_offset::operator==): Make const.
7056         * pending-diagnostic.h (pending_diagnostic::equal_p): Likewise.
7057         * store.h (binding_cluster::for_each_value): Likewise.
7058         (binding_cluster::for_each_binding): Likewise.
7060 2021-01-12  David Malcolm  <dmalcolm@redhat.com>
7062         PR analyzer/98628
7063         * store.cc (binding_cluster::make_unknown_relative_to): Don't mark
7064         dereferenced unknown pointers as having escaped.
7066 2021-01-07  David Malcolm  <dmalcolm@redhat.com>
7068         PR analyzer/98580
7069         * region.cc (decl_region::get_svalue_for_initializer): Gracefully
7070         handle when LTO writes out DECL_INITIAL as error_mark_node.
7072 2021-01-07  David Malcolm  <dmalcolm@redhat.com>
7074         PR analyzer/97074
7075         * store.cc (binding_cluster::can_merge_p): Add "out_store" param
7076         and pass to calls to binding_cluster::make_unknown_relative_to.
7077         (binding_cluster::make_unknown_relative_to): Add "out_store"
7078         param.  Use it to mark base regions that are pointed to by
7079         pointers that become unknown as having escaped.
7080         (store::can_merge_p): Pass out_store to
7081         binding_cluster::can_merge_p.
7082         * store.h (binding_cluster::can_merge_p): Add "out_store" param.
7083         (binding_cluster::make_unknown_relative_to): Likewise.
7084         * svalue.cc (region_svalue::implicitly_live_p): New vfunc.
7085         * svalue.h (region_svalue::implicitly_live_p): New vfunc decl.
7087 2021-01-07  David Malcolm  <dmalcolm@redhat.com>
7089         PR analyzer/98564
7090         * engine.cc (exploded_path::feasible_p): Add missing call to
7091         bitmap_clear.
7093 2021-01-06  David Malcolm  <dmalcolm@redhat.com>
7095         PR analyzer/97072
7096         * region-model-reachability.cc (reachable_regions::init_cluster):
7097         Convert symbolic region handling to a switch statement.  Add cases
7098         to handle SK_UNKNOWN and SK_CONJURED.
7100 2021-01-05  David Malcolm  <dmalcolm@redhat.com>
7102         PR analyzer/98293
7103         * store.cc (binding_map::apply_ctor_to_region): When "index" is
7104         NULL, iterate through the fields for RECORD_TYPEs, rather than
7105         creating an INTEGER_CST index.
7107 2020-11-30  David Malcolm  <dmalcolm@redhat.com>
7109         * analyzer-pass.cc: Include "analyzer/analyzer.h" for the
7110         declaration of sorry_no_analyzer; include "tree.h" and
7111         "function.h" as these are needed by it.
7113 2020-11-30  David Malcolm  <dmalcolm@redhat.com>
7115         * analyzer-pass.cc (pass_analyzer::execute): Move sorry call to...
7116         (sorry_no_analyzer): New.
7117         * analyzer.h (class state_machine): New forward decl.
7118         (class logger): New forward decl.
7119         (class plugin_analyzer_init_iface): New.
7120         (sorry_no_analyzer): New decl.
7121         * checker-path.cc (checker_path::fixup_locations): New.
7122         * checker-path.h (checker_event::set_location): New.
7123         (checker_path::fixup_locations): New decl.
7124         * diagnostic-manager.cc
7125         (diagnostic_manager::emit_saved_diagnostic): Call
7126         checker_path::fixup_locations, and call fixup_location
7127         on the primary location.
7128         * engine.cc: Include "plugin.h".
7129         (class plugin_analyzer_init_impl): New.
7130         (impl_run_checkers): Invoke PLUGIN_ANALYZER_INIT callbacks.
7131         * pending-diagnostic.h (pending_diagnostic::fixup_location): New
7132         vfunc.
7134 2020-11-18  David Malcolm  <dmalcolm@redhat.com>
7136         PR analyzer/97893
7137         * sm-malloc.cc (null_deref::emit): Use CWE-476 rather than
7138         CWE-690, as this isn't due to an unchecked return value.
7139         (null_arg::emit): Likewise.
7141 2020-11-12  David Malcolm  <dmalcolm@redhat.com>
7143         * checker-path.h (checker_event::get_id_ptr): New.
7144         * diagnostic-manager.cc (path_builder::path_builder): Add "sd"
7145         param and use it to initialize new field "m_sd".
7146         (path_builder::get_pending_diagnostic): New.
7147         (path_builder::m_sd): New field.
7148         (diagnostic_manager::emit_saved_diagnostic): Pass sd to
7149         path_builder ctor.
7150         (diagnostic_manager::add_events_for_superedge): Call new
7151         maybe_add_custom_events_for_superedge vfunc.
7152         * engine.cc (stale_jmp_buf::stale_jmp_buf): Add "setjmp_point"
7153         param and use it to initialize new field "m_setjmp_point".
7154         Initialize new field "m_stack_pop_event".
7155         (stale_jmp_buf::maybe_add_custom_events_for_superedge): New vfunc
7156         implementation.
7157         (stale_jmp_buf::describe_final_event): New vfunc implementation.
7158         (stale_jmp_buf::m_setjmp_point): New field.
7159         (stale_jmp_buf::m_stack_pop_event): New field.
7160         (exploded_node::on_longjmp): Pass setjmp_point to stale_jmp_buf
7161         ctor.
7162         * pending-diagnostic.h
7163         (pending_diagnostic::maybe_add_custom_events_for_superedge): New
7164         vfunc.
7166 2020-11-12  David Malcolm  <dmalcolm@redhat.com>
7168         PR tree-optimization/97424
7169         * analyzer.opt (Wanalyzer-shift-count-negative): New.
7170         (Wanalyzer-shift-count-overflow): New.
7171         * region-model.cc (class shift_count_negative_diagnostic): New.
7172         (class shift_count_overflow_diagnostic): New.
7173         (region_model::get_gassign_result): Complain about shift counts that
7174         are negative or are >= the operand's type's width.
7176 2020-11-10  Martin Liska  <mliska@suse.cz>
7178         * constraint-manager.cc (constraint_manager::merge): Remove
7179         unused code.
7180         * constraint-manager.h: Likewise.
7181         * program-state.cc (sm_state_map::sm_state_map): Likewise.
7182         (program_state::program_state): Likewise.
7183         (test_sm_state_map): Likewise.
7184         * program-state.h: Likewise.
7185         * region-model-reachability.cc (reachable_regions::reachable_regions): Likewise.
7186         * region-model-reachability.h: Likewise.
7187         * region-model.cc (region_model::handle_unrecognized_call): Likewise.
7188         (region_model::get_reachable_svalues): Likewise.
7189         (region_model::can_merge_with_p): Likewise.
7191 2020-11-05  David Malcolm  <dmalcolm@redhat.com>
7193         PR analyzer/97668
7194         * svalue.cc (cmp_cst): Handle COMPLEX_CST.
7196 2020-10-29  David Malcolm  <dmalcolm@redhat.com>
7198         * program-state.cc (sm_state_map::on_liveness_change): Sort the
7199         leaking svalues before calling on_state_leak.
7200         (program_state::detect_leaks): Likewise when calling
7201         on_svalue_leak.
7202         * region-model-reachability.cc
7203         (reachable_regions::mark_escaped_clusters): Likewise when
7204         calling on_escaped_function.
7206 2020-10-29  David Malcolm  <dmalcolm@redhat.com>
7208         PR analyzer/97608
7209         * region-model-reachability.cc (reachable_regions::handle_sval):
7210         Operands of reachable reversible operations are reachable.
7212 2020-10-29  David Malcolm  <dmalcolm@redhat.com>
7214         * analyzer.h (class state_machine): New forward decl.
7215         (class logger): Likewise.
7216         (class visitor): Likewise.
7217         * complexity.cc: New file, taken from svalue.cc.
7218         * complexity.h: New file, taken from region-model.h.
7219         * region-model.h: Include "analyzer/svalue.h" and
7220         "analyzer/region.h".  Move struct complexity to complexity.h.
7221         Move svalue, its subclasses and supporting decls to svalue.h.
7222         Move region, its subclasses and supporting decls to region.h.
7223         * region.cc: Include "analyzer/region.h".
7224         (symbolic_region::symbolic_region): Move here from region-model.h.
7225         * region.h: New file, based on material from region-model.h.
7226         * svalue.cc: Include "analyzer/svalue.h".
7227         (complexity::complexity): Move to complexity.cc.
7228         (complexity::from_pair): Likewise.
7229         * svalue.h: New file, based on material from region-model.h.
7231 2020-10-29  David Malcolm  <dmalcolm@redhat.com>
7233         * program-state.cc (sm_state_map::print): Guard the printing of
7234         the origin pointer with !flag_dump_noaddr.
7235         * region.cc (string_region::dump_to_pp): Likewise for
7236         m_string_cst.
7238 2020-10-27  David Malcolm  <dmalcolm@redhat.com>
7240         PR analyzer/97568
7241         * region-model.cc (region_model::get_initial_value_for_global):
7242         Move check that !DECL_EXTERNAL from here to...
7243         * region.cc (decl_region::get_svalue_for_initializer): ...here,
7244         using it to reject zero initialization.
7246 2020-10-27  Markus Böck  <markus.boeck02@gmail.com>
7248         PR analyzer/96608
7249         * store.h (hash): Cast to intptr_t instead of long
7251 2020-10-27  David Malcolm  <dmalcolm@redhat.com>
7253         * constraint-manager.cc (svalue_cmp_by_ptr): Delete.
7254         (equiv_class::canonicalize): Use svalue::cmp_ptr_ptr instead.
7255         (equiv_class_cmp): Eliminate pointer comparison.
7256         * diagnostic-manager.cc (dedupe_key::comparator): If they are at
7257         the same location, also compare epath ength and pending_diagnostic
7258         kind.
7259         * engine.cc (readability_comparator): If two path_vars have the
7260         same readability, then impose an arbitrary ordering on them.
7261         (worklist::key_t::cmp): If two points have the same plan ordering,
7262         continue the comparison.  Call sm_state_map::cmp rather than
7263         comparing hash values.
7264         * program-state.cc (sm_state_map::entry_t::cmp): New.
7265         (sm_state_map::cmp): New.
7266         * program-state.h (sm_state_map::entry_t::cmp): New decl.
7267         (sm_state_map::elements): New.
7268         (sm_state_map::cmp): New.
7270 2020-10-27  David Malcolm  <dmalcolm@redhat.com>
7272         * engine.cc (setjmp_record::cmp): New.
7273         (supernode_cluster::dump_dot): Avoid embedding pointer in cluster
7274         name.
7275         (supernode_cluster::cmp_ptr_ptr): New.
7276         (function_call_string_cluster::dump_dot): Avoid embedding pointer
7277         in cluster name.  Sort m_map when dumping child clusters.
7278         (function_call_string_cluster::cmp_ptr_ptr): New.
7279         (root_cluster::dump_dot): Sort m_map when dumping child clusters.
7280         * program-point.cc (function_point::cmp): New.
7281         (function_point::cmp_ptr): New.
7282         * program-point.h (function_point::cmp): New decl.
7283         (function_point::cmp_ptr): New decl.
7284         * program-state.cc (sm_state_map::print): Sort the values.  Guard
7285         the printing of pointers with !flag_dump_noaddr.
7286         (program_state::prune_for_point): Sort the regions.
7287         (log_set_of_svalues): Sort the values.  Guard the printing of
7288         pointers with !flag_dump_noaddr.
7289         * region-model-manager.cc (log_uniq_map): Sort the values.
7290         * region-model-reachability.cc (dump_set): New function template.
7291         (reachable_regions::dump_to_pp): Use it.
7292         * region-model.h (svalue::cmp_ptr): New decl.
7293         (svalue::cmp_ptr_ptr): New decl.
7294         (setjmp_record::cmp): New decl.
7295         (placeholder_svalue::get_name): New accessor.
7296         (widening_svalue::get_point): New accessor.
7297         (compound_svalue::get_map): New accessor.
7298         (conjured_svalue::get_stmt): New accessor.
7299         (conjured_svalue::get_id_region): New accessor.
7300         (region::cmp_ptrs): Rename to...
7301         (region::cmp_ptr_ptr): ...this.
7302         * region.cc (region::cmp_ptrs): Rename to...
7303         (region::cmp_ptr_ptr): ...this.
7304         * state-purge.cc
7305         (state_purge_per_ssa_name::state_purge_per_ssa_name): Sort
7306         m_points_needing_name when dumping.
7307         * store.cc (concrete_binding::cmp_ptr_ptr): New.
7308         (symbolic_binding::cmp_ptr_ptr): New.
7309         (binding_map::cmp): New.
7310         (get_sorted_parent_regions): Update for renaming of
7311         region::cmp_ptrs to region::cmp_ptr_ptr.
7312         (store::dump_to_pp): Likewise.
7313         (store::to_json): Likewise.
7314         (store::can_merge_p): Sort the base regions before considering
7315         them.
7316         * store.h (concrete_binding::cmp_ptr_ptr): New decl.
7317         (symbolic_binding::cmp_ptr_ptr): New decl.
7318         (binding_map::cmp): New decl.
7319         * supergraph.cc (supergraph::supergraph): Assign UIDs to the
7320         gimple stmts.
7321         * svalue.cc (cmp_cst): New.
7322         (svalue::cmp_ptr): New.
7323         (svalue::cmp_ptr_ptr): New.
7325 2020-10-27  David Malcolm  <dmalcolm@redhat.com>
7327         * engine.cc (exploded_graph::get_or_create_node): Fix off-by-one
7328         when imposing param_analyzer_max_enodes_per_program_point limit.
7330 2020-10-27  David Malcolm  <dmalcolm@redhat.com>
7332         * region-model.cc (region_model::get_representative_path_var):
7333         Implement case RK_LABEL.
7334         * region-model.h (label_region::get_label): New accessor.
7336 2020-10-22  David Malcolm  <dmalcolm@redhat.com>
7338         PR analyzer/97514
7339         * engine.cc (exploded_graph::add_function_entry): Handle failure
7340         to create an enode, rather than asserting.
7342 2020-10-22  David Malcolm  <dmalcolm@redhat.com>
7344         PR analyzer/97489
7345         * engine.cc (exploded_graph::add_function_entry): Assert that we
7346         have a function body.
7347         (exploded_graph::on_escaped_function): Reject fndecls that don't
7348         have a function body.
7350 2020-10-14  David Malcolm  <dmalcolm@redhat.com>
7352         PR analyzer/93388
7353         * region-model.cc (region_model::get_initial_value_for_global):
7354         Fall back to returning an initial_svalue if
7355         decl_region::get_svalue_for_initializer fails.
7356         * region.cc (decl_region::get_svalue_for_initializer): Don't
7357         attempt to create a compound_svalue if the region has an unknown
7358         size.
7360 2020-10-14  David Malcolm  <dmalcolm@redhat.com>
7362         PR analyzer/93723
7363         * store.cc (binding_map::apply_ctor_to_region): Remove redundant
7364         assertion.
7366 2020-10-12  David Malcolm  <dmalcolm@redhat.com>
7368         PR analyzer/97258
7369         * engine.cc (impl_region_model_context::on_escaped_function): New
7370         vfunc.
7371         (exploded_graph::add_function_entry): Use m_functions_with_enodes
7372         to implement idempotency.
7373         (add_any_callbacks): New.
7374         (exploded_graph::build_initial_worklist): Use the above to find
7375         callbacks that are reachable from global initializers.
7376         (exploded_graph::on_escaped_function): New.
7377         * exploded-graph.h
7378         (impl_region_model_context::on_escaped_function): New decl.
7379         (exploded_graph::on_escaped_function): New decl.
7380         (exploded_graph::m_functions_with_enodes): New field.
7381         * region-model-reachability.cc
7382         (reachable_regions::reachable_regions): Replace "store" param with
7383         "model" param; use it to initialize m_model.
7384         (reachable_regions::add): When getting the svalue for the region,
7385         call get_store_value on the model rather than using an initial
7386         value.
7387         (reachable_regions::mark_escaped_clusters): Add ctxt param and
7388         use it to call on_escaped_function when a function_region escapes.
7389         * region-model-reachability.h
7390         (reachable_regions::reachable_regions): Replace "store" param with
7391         "model" param.
7392         (reachable_regions::mark_escaped_clusters): Add ctxt param.
7393         (reachable_regions::m_model): New field.
7394         * region-model.cc (region_model::handle_unrecognized_call): Update
7395         for change in reachable_regions ctor.
7396         (region_model::handle_unrecognized_call): Pass ctxt to
7397         mark_escaped_clusters.
7398         (region_model::get_reachable_svalues): Update for change in
7399         reachable_regions ctor.
7400         (region_model::get_initial_value_for_global): Read-only variables
7401         keep their initial values.
7402         * region-model.h (region_model_context::on_escaped_function): New
7403         vfunc.
7404         (noop_region_model_context::on_escaped_function): New.
7406 2020-10-12  David Malcolm  <dmalcolm@redhat.com>
7408         * analyzer.opt (Wanalyzer-write-to-const): New.
7409         (Wanalyzer-write-to-string-literal): New.
7410         * region-model-impl-calls.cc (region_model::impl_call_memcpy):
7411         Call check_for_writable_region.
7412         (region_model::impl_call_memset): Likewise.
7413         (region_model::impl_call_strcpy): Likewise.
7414         * region-model.cc (class write_to_const_diagnostic): New.
7415         (class write_to_string_literal_diagnostic): New.
7416         (region_model::check_for_writable_region): New.
7417         (region_model::set_value): Call check_for_writable_region.
7418         * region-model.h (region_model::check_for_writable_region): New
7419         decl.
7421 2020-10-07  David Malcolm  <dmalcolm@redhat.com>
7423         PR analyzer/97116
7424         * sm-malloc.cc (method_p): New.
7425         (describe_argument_index): New.
7426         (inform_nonnull_attribute): Use describe_argument_index.
7427         (possible_null_arg::describe_final_event): Likewise.
7428         (null_arg::describe_final_event): Likewise.
7430 2020-09-29  David Malcolm  <dmalcolm@redhat.com>
7432         PR analyzer/95188
7433         * engine.cc (stmt_requires_new_enode_p): Split enodes before
7434         "signal" calls.
7436 2020-09-29  David Malcolm  <dmalcolm@redhat.com>
7438         * constraint-manager.cc
7439         (constraint_manager::add_constraint_internal): Whitespace fixes.
7440         Silence -Wsign-compare warning.
7441         * engine.cc (maybe_process_run_of_before_supernode_enodes):
7442         Silence -Wsign-compare warning.
7444 2020-09-28  David Malcolm  <dmalcolm@redhat.com>
7446         * region-model.h (binop_svalue::dyn_cast_binop_svalue): Remove
7447         redundant "virtual".  Add FINAL OVERRIDE.
7448         (widening_svalue::dyn_cast_widening_svalue): Add FINAL OVERRIDE.
7449         (compound_svalue::dyn_cast_compound_svalue): Likewise.
7450         (conjured_svalue::dyn_cast_conjured_svalue): Likewise.
7452 2020-09-28  David Malcolm  <dmalcolm@redhat.com>
7454         * diagnostic-manager.cc (null_assignment_sm_context::m_visitor):
7455         Remove unused field.
7457 2020-09-28  David Malcolm  <dmalcolm@redhat.com>
7459         PR analyzer/97233
7460         * analyzer.cc (is_longjmp_call_p): Require the initial argument
7461         to be a pointer.
7462         * engine.cc (exploded_node::on_longjmp): Likewise.
7464 2020-09-28  David Malcolm  <dmalcolm@redhat.com>
7466         * program-state.cc (sm_state_map::print): Update check
7467         for m_global_state being the start state.
7469 2020-09-26  David Malcolm  <dmalcolm@redhat.com>
7471         PR analyzer/96646
7472         PR analyzer/96841
7473         * region-model.cc (region_model::get_representative_path_var):
7474         When handling offset_region, wrap the MEM_REF's first argument in
7475         an ADDR_EXPR of pointer type, rather than simply using the tree
7476         for the parent region.  Require the MEM_REF's second argument to
7477         be an integer constant.
7479 2020-09-24  David Malcolm  <dmalcolm@redhat.com>
7481         * analyzer.h (struct rejected_constraint): New decl.
7482         * analyzer.opt (fanalyzer-feasibility): New option.
7483         * diagnostic-manager.cc (path_builder::path_builder): Add
7484         "problem" param and use it to initialize new field.
7485         (path_builder::get_feasibility_problem): New accessor.
7486         (path_builder::m_feasibility_problem): New field.
7487         (dedupe_winners::add): Remove inversion of logic in "if" clause,
7488         swapping if/else suites.  In the !feasible_p suite, inspect
7489         flag_analyzer_feasibility and add code to handle when this
7490         is off, accepting the infeasible path, but recording the
7491         feasibility_problem.
7492         (diagnostic_manager::emit_saved_diagnostic): Pass the
7493         feasibility_problem to the path_builder.
7494         (diagnostic_manager::add_events_for_eedge): If we have
7495         a feasibility_problem at this edge, use it to add a custom event.
7496         * engine.cc (exploded_path::feasible_p): Pass a
7497         rejected_constraint ** to model.maybe_update_for_edge and transfer
7498         ownership of any created instance to any feasibility_problem.
7499         (feasibility_problem::dump_to_pp): New.
7500         * exploded-graph.h (feasibility_problem::feasibility_problem):
7501         Drop "model" param; add rejected_constraint * param.
7502         (feasibility_problem::~feasibility_problem): New.
7503         (feasibility_problem::dump_to_pp): New decl.
7504         (feasibility_problem::m_model): Drop field.
7505         (feasibility_problem::m_rc): New field.
7506         * program-point.cc (function_point::get_location): Handle
7507         PK_BEFORE_SUPERNODE and PK_AFTER_SUPERNODE.
7508         * program-state.cc (program_state::on_edge): Pass NULL to new
7509         param of region_model::maybe_update_for_edge.
7510         * region-model.cc (region_model::add_constraint): New overload
7511         adding a rejected_constraint ** param.
7512         (region_model::maybe_update_for_edge): Add rejected_constraint **
7513         param and pass it to the various apply_constraints_for_ calls.
7514         (region_model::apply_constraints_for_gcond): Add
7515         rejected_constraint ** param and pass it to add_constraint calls.
7516         (region_model::apply_constraints_for_gswitch): Likewise.
7517         (region_model::apply_constraints_for_exception): Likewise.
7518         (rejected_constraint::dump_to_pp): New.
7519         * region-model.h (region_model::maybe_update_for_edge):
7520         Add rejected_constraint ** param.
7521         (region_model::add_constraint): New overload adding a
7522         rejected_constraint ** param.
7523         (region_model::apply_constraints_for_gcond): Add
7524         rejected_constraint ** param.
7525         (region_model::apply_constraints_for_gswitch): Likewise.
7526         (region_model::apply_constraints_for_exception): Likewise.
7527         (struct rejected_constraint): New.
7529 2020-09-23  David Malcolm  <dmalcolm@redhat.com>
7531         PR analyzer/97178
7532         * engine.cc (impl_run_checkers): Update for change to ext_state
7533         ctor.
7534         * program-state.cc (selftest::test_sm_state_map): Pass an engine
7535         instance to ext_state ctor.
7536         (selftest::test_program_state_1): Likewise.
7537         (selftest::test_program_state_2): Likewise.
7538         (selftest::test_program_state_merging): Likewise.
7539         (selftest::test_program_state_merging_2): Likewise.
7540         * program-state.h (extrinsic_state::extrinsic_state): Remove NULL
7541         default value for "eng" param.
7543 2020-09-23  Tobias Burnus  <tobias@codesourcery.com>
7545         * analyzer-logging.cc: Guard '#pragma ... ignored "-Wformat-diag"'
7546         by '#if __GNUC__ >= 10'.
7547         * analyzer.h: Likewise.
7548         * call-string.cc: Likewise.
7550 2020-09-23  David Malcolm  <dmalcolm@redhat.com>
7552         * engine.cc (exploded_node::on_stmt): Replace sequence of dyn_cast
7553         with switch.
7555 2020-09-22  David Malcolm  <dmalcolm@redhat.com>
7557         * analysis-plan.cc: Include "json.h".
7558         * analyzer.opt (fdump-analyzer-json): New.
7559         * call-string.cc: Include "json.h".
7560         (call_string::to_json): New.
7561         * call-string.h (call_string::to_json): New decl.
7562         * checker-path.cc: Include "json.h".
7563         * constraint-manager.cc: Include "json.h".
7564         (equiv_class::to_json): New.
7565         (constraint::to_json): New.
7566         (constraint_manager::to_json): New.
7567         * constraint-manager.h (equiv_class::to_json): New decl.
7568         (constraint::to_json): New decl.
7569         (constraint_manager::to_json): New decl.
7570         * diagnostic-manager.cc: Include "json.h".
7571         (saved_diagnostic::to_json): New.
7572         (diagnostic_manager::to_json): New.
7573         * diagnostic-manager.h (saved_diagnostic::to_json): New decl.
7574         (diagnostic_manager::to_json): New decl.
7575         * engine.cc: Include "json.h", <zlib.h>.
7576         (exploded_node::status_to_str): New.
7577         (exploded_node::to_json): New.
7578         (exploded_edge::to_json): New.
7579         (exploded_graph::to_json): New.
7580         (dump_analyzer_json): New.
7581         (impl_run_checkers): Call it.
7582         * exploded-graph.h (exploded_node::status_to_str): New decl.
7583         (exploded_node::to_json): New.
7584         (exploded_edge::to_json): New.
7585         (exploded_graph::to_json): New.
7586         * pending-diagnostic.cc: Include "json.h".
7587         * program-point.cc: Include "json.h".
7588         (program_point::to_json): New.
7589         * program-point.h (program_point::to_json): New decl.
7590         * program-state.cc: Include "json.h".
7591         (extrinsic_state::to_json): New.
7592         (sm_state_map::to_json): New.
7593         (program_state::to_json): New.
7594         * program-state.h (extrinsic_state::to_json): New decl.
7595         (sm_state_map::to_json): New decl.
7596         (program_state::to_json): New decl.
7597         * region-model-impl-calls.cc: Include "json.h".
7598         * region-model-manager.cc: Include "json.h".
7599         * region-model-reachability.cc: Include "json.h".
7600         * region-model.cc: Include "json.h".
7601         * region-model.h (svalue::to_json): New decl.
7602         (region::to_json): New decl.
7603         * region.cc: Include "json.h".
7604         (region::to_json): New.
7605         * sm-file.cc: Include "json.h".
7606         * sm-malloc.cc: Include "json.h".
7607         * sm-pattern-test.cc: Include "json.h".
7608         * sm-sensitive.cc: Include "json.h".
7609         * sm-signal.cc: Include "json.h".
7610         (signal_delivery_edge_info_t::to_json): New.
7611         * sm-taint.cc: Include "json.h".
7612         * sm.cc: Include "diagnostic.h", "tree-diagnostic.h", and
7613         "json.h".
7614         (state_machine::state::to_json): New.
7615         (state_machine::to_json): New.
7616         * sm.h (state_machine::state::to_json): New.
7617         (state_machine::to_json): New.
7618         * state-purge.cc: Include "json.h".
7619         * store.cc: Include "json.h".
7620         (binding_key::get_desc): New.
7621         (binding_map::to_json): New.
7622         (binding_cluster::to_json): New.
7623         (store::to_json): New.
7624         * store.h (binding_key::get_desc): New decl.
7625         (binding_map::to_json): New decl.
7626         (binding_cluster::to_json): New decl.
7627         (store::to_json): New decl.
7628         * supergraph.cc: Include "json.h".
7629         (supergraph::to_json): New.
7630         (supernode::to_json): New.
7631         (superedge::to_json): New.
7632         * supergraph.h (supergraph::to_json): New decl.
7633         (supernode::to_json): New decl.
7634         (superedge::to_json): New decl.
7635         * svalue.cc: Include "json.h".
7636         (svalue::to_json): New.
7638 2020-09-21  David Malcolm  <dmalcolm@redhat.com>
7640         PR analyzer/97130
7641         * region-model-impl-calls.cc (call_details::get_arg_type): New.
7642         * region-model.cc (region_model::on_call_pre): Check that the
7643         initial arg is a pointer before calling impl_call_memset and
7644         impl_call_strlen.
7645         * region-model.h (call_details::get_arg_type): New decl.
7647 2020-09-21  David Malcolm  <dmalcolm@redhat.com>
7649         PR analyzer/93355
7650         * sm-malloc.cc (malloc_state_machine::get_default_state): Look at
7651         the base region when considering pointers.  Treat pointers to
7652         decls as being non-heap.
7654 2020-09-18  David Malcolm  <dmalcolm@redhat.com>
7656         * checker-path.cc (warning_event::get_desc): Handle global state
7657         changes.
7659 2020-09-18  David Malcolm  <dmalcolm@redhat.com>
7661         * sm-malloc.cc (malloc_state_machine::on_stmt): Handle strdup and
7662         strndup as being malloc-like allocators.
7664 2020-09-16  David Malcolm  <dmalcolm@redhat.com>
7666         * engine.cc (strongly_connected_components::strong_connect): Only
7667         consider intraprocedural edges when creating SCCs.
7668         (worklist::key_t::cmp): Add comment.  Treat call_string
7669         differences as more important than differences of program_point
7670         within a supernode.
7672 2020-09-16  David Malcolm  <dmalcolm@redhat.com>
7674         * engine.cc (supernode_cluster::dump_dot): Show the SCC id
7675         in the per-supernode clusters in FILENAME.eg.dot output.
7676         (exploded_graph_annotator::add_node_annotations):
7677         Show the SCC of the supernode in FILENAME.supernode.eg.dot output.
7678         * exploded-graph.h (worklist::scc_id): New.
7679         (exploded_graph::get_scc_id): New.
7681 2020-09-16  David Malcolm  <dmalcolm@redhat.com>
7683         * engine.cc (exploded_node::dump_dot): Show STATUS_BULK_MERGED.
7684         (exploded_graph::process_worklist): Call
7685         maybe_process_run_of_before_supernode_enodes.
7686         (exploded_graph::maybe_process_run_of_before_supernode_enodes):
7687         New.
7688         (exploded_graph_annotator::print_enode): Show STATUS_BULK_MERGED.
7689         * exploded-graph.h (enum exploded_node::status): Add
7690         STATUS_BULK_MERGED.
7692 2020-09-16  David Malcolm  <dmalcolm@redhat.com>
7694         * engine.cc
7695         (exploded_graph::process_node) <case PK_BEFORE_SUPERNODE>:
7696         Simplify by using program_point::get_next.
7697         * program-point.cc (program_point::get_next): New.
7698         * program-point.h (program_point::get_next): New decl.
7700 2020-09-16  David Malcolm  <dmalcolm@redhat.com>
7702         * engine.cc (exploded_graph::get_or_create_node): Show the
7703         program point when issuing -Wanalyzer-too-complex due to hitting
7704         the per-program-point limit.
7706 2020-09-16  David Malcolm  <dmalcolm@redhat.com>
7708         * region-model.cc (region_model::on_call_pre): Treat getchar as
7709         having no side-effects.
7711 2020-09-15  David Malcolm  <dmalcolm@redhat.com>
7713         PR analyzer/96650
7714         * constraint-manager.cc (merger_fact_visitor::on_fact): Replace
7715         assertion that add_constraint succeeded with an assertion that
7716         if it fails, -fanalyzer-transitivity is off.
7718 2020-09-14  David Malcolm  <dmalcolm@redhat.com>
7720         * analyzer.opt (-param=analyzer-max-constraints=): New param.
7721         * constraint-manager.cc
7722         (constraint_manager::add_constraint_internal): Silently reject
7723         attempts to add constraints when the above limit is reached.
7725 2020-09-14  David Malcolm  <dmalcolm@redhat.com>
7727         PR analyzer/96653
7728         * constraint-manager.cc
7729         (constraint_manager::get_or_add_equiv_class): Don't accumulate
7730         transitive closure of all constraints on constants.
7732 2020-09-14  David Malcolm  <dmalcolm@redhat.com>
7734         PR analyzer/97029
7735         * analyzer.cc (is_setjmp_call_p): Require the initial arg to be a
7736         pointer.
7737         * region-model.cc (region_model::deref_rvalue): Assert that the
7738         svalue is of pointer type.
7740 2020-09-11  David Malcolm  <dmalcolm@redhat.com>
7742         PR analyzer/96798
7743         * region-model-impl-calls.cc (region_model::impl_call_memcpy):
7744         New.
7745         (region_model::impl_call_strcpy): New.
7746         * region-model.cc (region_model::on_call_pre): Flag unhandled
7747         builtins that are non-pure as having unknown side-effects.
7748         Implement BUILT_IN_MEMCPY, BUILT_IN_MEMCPY_CHK, BUILT_IN_STRCPY,
7749         BUILT_IN_STRCPY_CHK, BUILT_IN_FPRINTF, BUILT_IN_FPRINTF_UNLOCKED,
7750         BUILT_IN_PUTC, BUILT_IN_PUTC_UNLOCKED, BUILT_IN_FPUTC,
7751         BUILT_IN_FPUTC_UNLOCKED, BUILT_IN_FPUTS, BUILT_IN_FPUTS_UNLOCKED,
7752         BUILT_IN_FWRITE, BUILT_IN_FWRITE_UNLOCKED, BUILT_IN_PRINTF,
7753         BUILT_IN_PRINTF_UNLOCKED, BUILT_IN_PUTCHAR,
7754         BUILT_IN_PUTCHAR_UNLOCKED, BUILT_IN_PUTS, BUILT_IN_PUTS_UNLOCKED,
7755         BUILT_IN_VFPRINTF, BUILT_IN_VPRINTF.
7756         * region-model.h (region_model::impl_call_memcpy): New decl.
7757         (region_model::impl_call_strcpy): New decl.
7759 2020-09-09  David Malcolm  <dmalcolm@redhat.com>
7761         PR analyzer/94355
7762         * analyzer.opt (Wanalyzer-mismatching-deallocation): New warning.
7763         * region-model-impl-calls.cc
7764         (region_model::impl_call_operator_new): New.
7765         (region_model::impl_call_operator_delete): New.
7766         * region-model.cc (region_model::on_call_pre): Detect operator new
7767         and operator delete.
7768         (region_model::on_call_post): Likewise.
7769         (region_model::maybe_update_for_edge): Detect EH edges and call...
7770         (region_model::apply_constraints_for_exception): New function.
7771         * region-model.h (region_model::impl_call_operator_new): New decl.
7772         (region_model::impl_call_operator_delete): New decl.
7773         (region_model::apply_constraints_for_exception): New decl.
7774         * sm-malloc.cc (enum resource_state): New.
7775         (struct allocation_state): New state subclass.
7776         (enum wording): New.
7777         (struct api): New.
7778         (malloc_state_machine::custom_data_t): New typedef.
7779         (malloc_state_machine::add_state): New decl.
7780         (malloc_state_machine::m_unchecked)
7781         (malloc_state_machine::m_nonnull)
7782         (malloc_state_machine::m_freed): Delete these states in favor
7783         of...
7784         (malloc_state_machine::m_malloc)
7785         (malloc_state_machine::m_scalar_new)
7786         (malloc_state_machine::m_vector_new): ...these new api instances,
7787         which own their own versions of these states.
7788         (malloc_state_machine::on_allocator_call): New decl.
7789         (malloc_state_machine::on_deallocator_call): New decl.
7790         (api::api): New ctor.
7791         (dyn_cast_allocation_state): New.
7792         (as_a_allocation_state): New.
7793         (get_rs): New.
7794         (unchecked_p): New.
7795         (nonnull_p): New.
7796         (freed_p): New.
7797         (malloc_diagnostic::describe_state_change): Use unchecked_p and
7798         nonnull_p.
7799         (class mismatching_deallocation): New.
7800         (double_free::double_free): Add funcname param for initializing
7801         m_funcname.
7802         (double_free::emit): Use m_funcname in warning message rather
7803         than hardcoding "free".
7804         (double_free::describe_state_change): Likewise.  Use freed_p.
7805         (double_free::describe_call_with_state): Use freed_p.
7806         (double_free::describe_final_event): Use m_funcname in message
7807         rather than hardcoding "free".
7808         (double_free::m_funcname): New field.
7809         (possible_null::describe_state_change): Use unchecked_p.
7810         (possible_null::describe_return_of_state): Likewise.
7811         (use_after_free::use_after_free): Add param for initializing m_api.
7812         (use_after_free::emit): Use m_api->m_dealloc_funcname in message
7813         rather than hardcoding "free".
7814         (use_after_free::describe_state_change): Use freed_p.  Change the
7815         wording of the message based on the API.
7816         (use_after_free::describe_final_event): Use
7817         m_api->m_dealloc_funcname in message rather than hardcoding
7818         "free".  Change the wording of the message based on the API.
7819         (use_after_free::m_api): New field.
7820         (malloc_leak::describe_state_change): Use unchecked_p.  Update
7821         for renaming of m_malloc_event to m_alloc_event.
7822         (malloc_leak::describe_final_event): Update for renaming of
7823         m_malloc_event to m_alloc_event.
7824         (malloc_leak::m_malloc_event): Rename...
7825         (malloc_leak::m_alloc_event): ...to this.
7826         (free_of_non_heap::free_of_non_heap): Add param for initializing
7827         m_funcname.
7828         (free_of_non_heap::emit): Use m_funcname in message rather than
7829         hardcoding "free".
7830         (free_of_non_heap::describe_final_event): Likewise.
7831         (free_of_non_heap::m_funcname): New field.
7832         (allocation_state::dump_to_pp): New.
7833         (allocation_state::get_nonnull): New.
7834         (malloc_state_machine::malloc_state_machine): Update for changes
7835         to state fields and new api fields.
7836         (malloc_state_machine::add_state): New.
7837         (malloc_state_machine::on_stmt): Move malloc/calloc handling to
7838         on_allocator_call and call it, passing in the API pointer.
7839         Likewise for free, moving it to on_deallocator_call.  Handle calls
7840         to operator new and delete in an analogous way.  Use unchecked_p
7841         when testing for possibly-null-arg and possibly-null-deref, and
7842         transition to the non-null for the correct API.  Remove redundant
7843         node param from call to on_zero_assignment.  Use freed_p for
7844         use-after-free check, and pass in API.
7845         (malloc_state_machine::on_allocator_call): New, based on code in
7846         on_stmt.
7847         (malloc_state_machine::on_deallocator_call): Likewise.
7848         (malloc_state_machine::on_phi): Mark node param with
7849         ATTRIBUTE_UNUSED; don't pass it to on_zero_assignment.
7850         (malloc_state_machine::on_condition): Mark node param with
7851         ATTRIBUTE_UNUSED.  Replace on_transition calls with get_state and
7852         set_next_state pairs, transitioning to the non-null state for the
7853         appropriate API.
7854         (malloc_state_machine::can_purge_p): Port to new state approach.
7855         (malloc_state_machine::on_zero_assignment): Replace on_transition
7856         calls with get_state and set_next_state pairs.  Drop redundant
7857         node param.
7858         * sm.h (state_machine::add_custom_state): New.
7860 2020-09-09  David Malcolm  <dmalcolm@redhat.com>
7862         * diagnostic-manager.cc
7863         (null_assignment_sm_context::warn_for_state): Replace with...
7864         (null_assignment_sm_context::warn): ...this.
7865         * engine.cc (impl_sm_context::warn_for_state): Replace with...
7866         (impl_sm_context::warn): ...this.
7867         * sm-file.cc (fileptr_state_machine::on_stmt): Replace
7868         warn_for_state and on_transition calls with a get_state
7869         test guarding warn and set_next_state calls.
7870         * sm-malloc.cc (malloc_state_machine::on_stmt): Likewise.
7871         * sm-pattern-test.cc (pattern_test_state_machine::on_condition):
7872         Replace warn_for_state call with warn call.
7873         * sm-sensitive.cc
7874         (sensitive_state_machine::warn_for_any_exposure): Replace
7875         warn_for_state call with a get_state test guarding a warn call.
7876         * sm-signal.cc (signal_state_machine::on_stmt): Likewise.
7877         * sm-taint.cc (taint_state_machine::on_stmt): Replace
7878         warn_for_state and on_transition calls with a get_state
7879         test guarding warn and set_next_state calls.
7880         * sm.h (sm_context::warn_for_state): Replace with...
7881         (sm_context::warn): ...this.
7883 2020-09-09  David Malcolm  <dmalcolm@redhat.com>
7885         * diagnostic-manager.cc
7886         (null_assignment_sm_context::null_assignment_sm_context): Add old_state
7887         and ext_state params, initializing m_old_state and m_ext_state.
7888         (null_assignment_sm_context::on_transition): Split into...
7889         (null_assignment_sm_context::get_state): ...this new vfunc
7890         implementation and...
7891         (null_assignment_sm_context::set_next_state): ...this new vfunc
7892         implementation.
7893         (null_assignment_sm_context::m_old_state): New field.
7894         (null_assignment_sm_context::m_ext_state): New field.
7895         (diagnostic_manager::add_events_for_eedge): Pass in old state and
7896         ext_state when creating sm_ctxt.
7897         * engine.cc (impl_sm_context::on_transition): Split into...
7898         (impl_sm_context::get_state): ...this new vfunc
7899         implementation and...
7900         (impl_sm_context::set_next_state): ...this new vfunc
7901         implementation.
7902         * sm.h (sm_context::get_state): New pure virtual function.
7903         (sm_context::set_next_state): Likewise.
7904         (sm_context::on_transition): Convert from a pure virtual function
7905         to a regular function implemented in terms of get_state and
7906         set_next_state.
7908 2020-09-09  David Malcolm  <dmalcolm@redhat.com>
7910         * checker-path.cc (state_change_event::get_desc): Update
7911         state_machine::get_state_name calls to state::get_name.
7912         (warning_event::get_desc): Likewise.
7913         * diagnostic-manager.cc
7914         (null_assignment_sm_context::on_transition): Update comparison
7915         against 0 with comparison with m_sm.get_start_state.
7916         (diagnostic_manager::prune_for_sm_diagnostic): Update
7917         state_machine::get_state_name calls to state::get_name.
7918         * engine.cc (impl_sm_context::on_transition): Likewise.
7919         (exploded_node::get_dot_fillcolor): Use get_id when summing
7920         the sm states.
7921         * program-state.cc (sm_state_map::sm_state_map): Don't hardcode
7922         0 as the start state when initializing m_global_state.
7923         (sm_state_map::print): Use dump_to_pp rather than get_state_name
7924         when dumping states.
7925         (sm_state_map::is_empty_p): Don't hardcode 0 as the start state
7926         when examining m_global_state.
7927         (sm_state_map::hash): Use get_id when hashing states.
7928         (selftest::test_sm_state_map): Use state objects rather than
7929         arbitrary hardcoded integers.
7930         (selftest::test_program_state_merging): Likewise.
7931         (selftest::test_program_state_merging_2): Likewise.
7932         * sm-file.cc (fileptr_state_machine::m_start): Move to base class.
7933         (file_diagnostic::describe_state_change): Use get_start_state.
7934         (fileptr_state_machine::fileptr_state_machine): Drop m_start
7935         initialization.
7936         * sm-malloc.cc (malloc_state_machine::m_start): Move to base
7937         class.
7938         (malloc_diagnostic::describe_state_change): Use get_start_state.
7939         (possible_null::describe_state_change): Likewise.
7940         (malloc_state_machine::malloc_state_machine): Drop m_start
7941         initialization.
7942         * sm-pattern-test.cc (pattern_test_state_machine::m_start): Move
7943         to base class.
7944         (pattern_test_state_machine::pattern_test_state_machine): Drop
7945         m_start initialization.
7946         * sm-sensitive.cc (sensitive_state_machine::m_start): Move to base
7947         class.
7948         (sensitive_state_machine::sensitive_state_machine): Drop m_start
7949         initialization.
7950         * sm-signal.cc (signal_state_machine::m_start): Move to base
7951         class.
7952         (signal_state_machine::signal_state_machine): Drop m_start
7953         initialization.
7954         * sm-taint.cc (taint_state_machine::m_start): Move to base class.
7955         (taint_state_machine::taint_state_machine): Drop m_start
7956         initialization.
7957         * sm.cc (state_machine::state::dump_to_pp): New.
7958         (state_machine::state_machine): Move here from sm.h.  Initialize
7959         m_next_state_id and m_start.
7960         (state_machine::add_state): Reimplement in terms of state objects.
7961         (state_machine::get_state_name): Delete.
7962         (state_machine::get_state_by_name): Reimplement in terms of state
7963         objects.  Make const.
7964         (state_machine::validate): Delete.
7965         (state_machine::dump_to_pp): Reimplement in terms of state
7966         objects.
7967         * sm.h (state_machine::state): New class.
7968         (state_machine::state_t): Convert typedef from "unsigned" to
7969         "const state_machine::state *".
7970         (state_machine::state_machine): Move to sm.cc.
7971         (state_machine::get_default_state): Use m_start rather than
7972         hardcoding 0.
7973         (state_machine::get_state_name): Delete.
7974         (state_machine::get_state_by_name): Make const.
7975         (state_machine::get_start_state): New accessor.
7976         (state_machine::alloc_state_id): New.
7977         (state_machine::m_state_names): Drop in favor of...
7978         (state_machine::m_states): New field.
7979         (state_machine::m_start): New field.
7980         (start_start_p): Delete.
7982 2020-09-08  David Malcolm  <dmalcolm@redhat.com>
7984         PR analyzer/96949
7985         * store.cc (binding_map::apply_ctor_val_to_range): Add
7986         error-handling for the cases where we have symbolic offsets.
7988 2020-09-08  David Malcolm  <dmalcolm@redhat.com>
7990         PR analyzer/96950
7991         * store.cc (binding_map::apply_ctor_to_region): Handle RANGE_EXPR
7992         where min_index == max_index.
7993         (binding_map::apply_ctor_val_to_range): Replace assertion that we
7994         don't have a CONSTRUCTOR value with error-handling.
7996 2020-09-08  David Malcolm  <dmalcolm@redhat.com>
7998         PR analyzer/96962
7999         * region-model.cc (region_model::on_call_pre): Fix guard on switch
8000         on built-ins to only consider BUILT_IN_NORMAL, rather than other
8001         kinds of built-ins.
8003 2020-09-01  David Malcolm  <dmalcolm@redhat.com>
8005         PR analyzer/96792
8006         * region-model.cc (region_model::deref_rvalue): Add the constraint
8007         that PTR_SVAL is non-NULL.
8009 2020-08-31  David Malcolm  <dmalcolm@redhat.com>
8011         PR analyzer/96798
8012         * region-model.cc (region_model::on_call_pre): Handle
8013         BUILT_IN_MEMSET_CHK.
8015 2020-08-31  David Malcolm  <dmalcolm@redhat.com>
8017         * region-model.cc (region_model::on_call_pre): Gather handling of
8018         builtins and of internal fns into switch statements.  Handle
8019         "alloca" and BUILT_IN_ALLOCA_WITH_ALIGN.
8021 2020-08-31  David Malcolm  <dmalcolm@redhat.com>
8023         PR analyzer/96860
8024         * region.cc (decl_region::get_svalue_for_constructor): Support
8025         apply_ctor_to_region failing.
8026         * store.cc (binding_map::apply_ctor_to_region): Add failure
8027         handling.
8028         (binding_map::apply_ctor_val_to_range): Likewise.
8029         (binding_map::apply_ctor_pair_to_child_region): Likewise.  Replace
8030         assertion that child_base_offset is not symbolic with error
8031         handling.
8032         * store.h (binding_map::apply_ctor_to_region): Convert return type
8033         from void to bool.
8034         (binding_map::apply_ctor_val_to_range): Likewise.
8035         (binding_map::apply_ctor_pair_to_child_region): Likewise.
8037 2020-08-31  David Malcolm  <dmalcolm@redhat.com>
8039         PR analyzer/96763
8040         * store.cc (binding_map::apply_ctor_to_region): Handle RANGE_EXPR
8041         by calling a new binding_map::apply_ctor_val_to_range subroutine.
8042         Split out the existing non-CONSTRUCTOR-handling code to a new
8043         apply_ctor_pair_to_child_region subroutine.
8044         (binding_map::apply_ctor_val_to_range): New.
8045         (binding_map::apply_ctor_pair_to_child_region): New, split out
8046         from binding_map::apply_ctor_to_region as noted above.
8047         * store.h (binding_map::apply_ctor_val_to_range): New decl.
8048         (binding_map::apply_ctor_pair_to_child_region): New decl.
8050 2020-08-31  David Malcolm  <dmalcolm@redhat.com>
8052         PR analyzer/96764
8053         * region-model-manager.cc
8054         (region_model_manager::maybe_fold_unaryop): Handle VIEW_CONVERT_EXPR.
8055         (region_model_manager::get_or_create_cast): Move logic for
8056         real->integer casting to...
8057         (get_code_for_cast): ...this new function, and add logic for
8058         real->non-integer casts.
8059         (region_model_manager::maybe_fold_sub_svalue): Handle
8060         VIEW_CONVERT_EXPR.
8061         * region-model.cc
8062         (region_model::add_any_constraints_from_gassign): Likewise.
8063         * svalue.cc (svalue::maybe_undo_cast): Likewise.
8064         (unaryop_svalue::dump_to_pp): Likewise.
8066 2020-08-26  David Malcolm  <dmalcolm@redhat.com>
8068         PR analyzer/94858
8069         * region-model-manager.cc
8070         (region_model_manager::get_or_create_widening_svalue): Assert that
8071         neither of the inputs are themselves widenings.
8072         * store.cc (store::eval_alias_1): The initial value of a pointer
8073         can't point to a region that was allocated on the heap after the
8074         beginning of the path.  A widened pointer value can't alias anything
8075         that the initial pointer value can't alias.
8076         * svalue.cc (svalue::can_merge_p): Merge BINOP (X, OP, CST) with X
8077         to a widening svalue.  Merge
8078         BINOP(WIDENING(BASE, BINOP(BASE, X)), X) and BINOP(BASE, X)
8079         to the LHS of the first BINOP.
8081 2020-08-26  David Malcolm  <dmalcolm@redhat.com>
8083         PR analyzer/96777
8084         * region-model.h (class compound_svalue): Document that all keys
8085         must be concrete.
8086         (compound_svalue::compound_svalue): Move definition to svalue.cc.
8087         * store.cc (binding_map::apply_ctor_to_region): Handle
8088         initializers for trailing arrays with incomplete size.
8089         * svalue.cc (compound_svalue::compound_svalue): Move definition
8090         here from region-model.h.  Add assertion that all keys are
8091         concrete.
8093 2020-08-22  David Malcolm  <dmalcolm@redhat.com>
8095         PR analyzer/94851
8096         * region-model-manager.cc
8097         (region_model_manager::maybe_fold_binop): Fold bitwise "& 0" to 0.
8099 2020-08-22  David Malcolm  <dmalcolm@redhat.com>
8101         * store.cc (store::eval_alias): Make const.  Split out 2nd half
8102         into store::eval_alias_1 and call it twice for symmetry, avoiding
8103         test duplication.
8104         (store::eval_alias_1): New function, split out from the above.
8105         * store.h (store::eval_alias): Make const.
8106         (store::eval_alias_1): New decl.
8108 2020-08-22  David Malcolm  <dmalcolm@redhat.com>
8110         * region-model.cc (region_model::push_frame): Bind the default
8111         SSA name for each parm if it exists, falling back to the parm
8112         itself otherwise, rather than doing both.
8114 2020-08-20  David Malcolm  <dmalcolm@redhat.com>
8116         PR analyzer/96723
8117         * region-model-manager.cc
8118         (region_model_manager::get_field_region): Assert that field is a
8119         FIELD_DECL.
8120         * region.cc (region::get_subregions_for_binding): In
8121         union-handling, filter the TYPE_FIELDS traversal to just FIELD_DECLs.
8123 2020-08-20  David Malcolm  <dmalcolm@redhat.com>
8125         PR analyzer/96713
8126         * region-model.cc (region_model::get_gassign_result): For
8127         comparisons, only use eval_condition when the lhs has boolean
8128         type, and use get_or_create_constant_svalue on the boolean
8129         constants directly rather than via get_rvalue.
8131 2020-08-19  David Malcolm  <dmalcolm@redhat.com>
8133         PR analyzer/96643
8134         * region-model.cc (region_model::deref_rvalue): Rather than
8135         attempting to handle all svalue kinds in the switch, only cover
8136         the special cases, and move symbolic-region handling to after
8137         the switch, thus implicitly handling the missing case SK_COMPOUND.
8139 2020-08-19  David Malcolm  <dmalcolm@redhat.com>
8141         PR analyzer/96705
8142         * region-model-manager.cc
8143         (region_model_manager::maybe_fold_binop): Check that we have an
8144         integral type before calling build_int_cst.
8146 2020-08-19  David Malcolm  <dmalcolm@redhat.com>
8148         PR analyzer/96699
8149         * region-model-manager.cc
8150         (region_model_manager::get_or_create_cast): Use FIX_TRUNC_EXPR for
8151         casting from REAL_TYPE to INTEGER_TYPE.
8153 2020-08-19  David Malcolm  <dmalcolm@redhat.com>
8155         PR analyzer/96651
8156         * region-model.cc (region_model::called_from_main_p): New.
8157         (region_model::get_store_value): Move handling for globals into...
8158         (region_model::get_initial_value_for_global): ...this new
8159         function, and add logic for extracting values from decl
8160         initializers.
8161         * region-model.h (decl_region::get_svalue_for_constructor): New
8162         decl.
8163         (decl_region::get_svalue_for_initializer): New decl.
8164         (region_model::called_from_main_p): New decl.
8165         (region_model::get_initial_value_for_global): New.
8166         * region.cc (decl_region::maybe_get_constant_value): Move logic
8167         for getting an svalue from a CONSTRUCTOR node to...
8168         (decl_region::get_svalue_for_constructor): ...this new function.
8169         (decl_region::get_svalue_for_initializer): New.
8170         * store.cc (get_svalue_for_ctor_val): Rewrite in terms of
8171         region_model::get_rvalue.
8172         * store.h (binding_cluster::get_map): New accessor.
8174 2020-08-19  David Malcolm  <dmalcolm@redhat.com>
8176         PR analyzer/96648
8177         * region.cc (get_field_at_bit_offset): Gracefully handle negative
8178         values for bit_offset.
8180 2020-08-18  David Malcolm  <dmalcolm@redhat.com>
8182         * region-model.cc (region_model::get_rvalue_1): Fix name of local.
8184 2020-08-18  David Malcolm  <dmalcolm@redhat.com>
8186         PR analyzer/96641
8187         * region-model.cc (region_model::get_rvalue_1): Handle
8188         unrecognized tree codes by returning "UNKNOWN".
8190 2020-08-18  David Malcolm  <dmalcolm@redhat.com>
8192         PR analyzer/96640
8193         * region-model.cc (region_model::get_gassign_result): Handle various
8194         VEC_* tree codes by returning UNKNOWN.
8195         (region_model::on_assignment): Handle unrecognized tree codes by
8196         setting lhs to an unknown value, rather than issuing a "sorry" and
8197         asserting.
8199 2020-08-17  David Malcolm  <dmalcolm@redhat.com>
8201         PR analyzer/96644
8202         * region-model-manager.cc (get_region_for_unexpected_tree_code):
8203         Handle ctxt being NULL.
8205 2020-08-17  David Malcolm  <dmalcolm@redhat.com>
8207         PR analyzer/96639
8208         * region.cc (region::get_subregions_for_binding): Check for "type"
8209         being NULL.
8211 2020-08-17  David Malcolm  <dmalcolm@redhat.com>
8213         PR analyzer/96642
8214         * store.cc (get_svalue_for_ctor_val): New.
8215         (binding_map::apply_ctor_to_region): Call it.
8217 2020-08-14  David Malcolm  <dmalcolm@redhat.com>
8219         PR testsuite/96609
8220         PR analyzer/96616
8221         * region-model.cc (region_model::get_store_value): Call
8222         maybe_get_constant_value on decl_regions first.
8223         * region-model.h (decl_region::maybe_get_constant_value): New decl.
8224         * region.cc (decl_region::get_stack_depth): Likewise.
8225         (decl_region::maybe_get_constant_value): New.
8226         * store.cc (get_subregion_within_ctor): New.
8227         (binding_map::apply_ctor_to_region): New.
8228         * store.h (binding_map::apply_ctor_to_region): New decl.
8230 2020-08-14  David Malcolm  <dmalcolm@redhat.com>
8232         PR analyzer/96611
8233         * store.cc (store::mark_as_escaped): Reject attempts to
8234         get a cluster for an unknown pointer.
8236 2020-08-13  David Malcolm  <dmalcolm@redhat.com>
8238         PR analyzer/93032
8239         PR analyzer/93938
8240         PR analyzer/94011
8241         PR analyzer/94099
8242         PR analyzer/94399
8243         PR analyzer/94458
8244         PR analyzer/94503
8245         PR analyzer/94640
8246         PR analyzer/94688
8247         PR analyzer/94689
8248         PR analyzer/94839
8249         PR analyzer/95026
8250         PR analyzer/95042
8251         PR analyzer/95240
8252         * analyzer-logging.cc: Ignore "-Wformat-diag".
8253         (logger::enter_scope): Use inc_indent in both overloads.
8254         (logger::exit_scope): Use dec_indent.
8255         * analyzer-logging.h (logger::inc_indent): New.
8256         (logger::dec_indent): New.
8257         * analyzer-selftests.cc (run_analyzer_selftests): Call
8258         analyzer_store_cc_tests.
8259         * analyzer-selftests.h (analyzer_store_cc_tests): New decl.
8260         * analyzer.cc (get_stmt_location): New function.
8261         * analyzer.h (class initial_svalue): New forward decl.
8262         (class unaryop_svalue): New forward decl.
8263         (class binop_svalue): New forward decl.
8264         (class sub_svalue): New forward decl.
8265         (class unmergeable_svalue): New forward decl.
8266         (class placeholder_svalue): New forward decl.
8267         (class widening_svalue): New forward decl.
8268         (class compound_svalue): New forward decl.
8269         (class conjured_svalue): New forward decl.
8270         (svalue_set): New typedef.
8271         (class map_region): Delete.
8272         (class array_region): Delete.
8273         (class frame_region): New forward decl.
8274         (class function_region): New forward decl.
8275         (class label_region): New forward decl.
8276         (class decl_region): New forward decl.
8277         (class element_region): New forward decl.
8278         (class offset_region): New forward decl.
8279         (class cast_region): New forward decl.
8280         (class field_region): New forward decl.
8281         (class string_region): New forward decl.
8282         (class region_model_manager): New forward decl.
8283         (class store_manager): New forward decl.
8284         (class store): New forward decl.
8285         (class call_details): New forward decl.
8286         (struct svalue_id_merger_mapping): Delete.
8287         (struct canonicalization): Delete.
8288         (class function_point): New forward decl.
8289         (class engine): New forward decl.
8290         (dump_tree): New function decl.
8291         (print_quoted_type): New function decl.
8292         (readability_comparator): New function decl.
8293         (tree_cmp): New function decl.
8294         (class path_var): Move here from region-model.h
8295         (bit_offset_t, bit_size_t, byte_size_t): New typedefs.
8296         (class region_offset): New class.
8297         (get_stmt_location): New decl.
8298         (struct member_function_hash_traits): New struct.
8299         (class consolidation_map): New class.
8300         Ignore "-Wformat-diag".
8301         * analyzer.opt (-param=analyzer-max-svalue-depth=): New param.
8302         (-param=analyzer-max-enodes-for-full-dump=): New param.
8303         * call-string.cc: Ignore -Wformat-diag.
8304         * checker-path.cc: Move includes of "analyzer/call-string.h" and
8305         "analyzer/program-point.h" to before "analyzer/region-model.h",
8306         and also include "analyzer/store.h" before it.
8307         (state_change_event::state_change_event): Replace "tree var" param
8308         with "const svalue *sval".  Convert "origin" param from tree to
8309         "const svalue *".
8310         (state_change_event::get_desc): Call get_representative_tree to
8311         convert the var and origin from const svalue * to tree.  Use
8312         svalue::get_desc rather than %qE when describing state changes.
8313         (checker_path::add_final_event): Use get_stmt_location.
8314         * checker-path.h (state_change_event::state_change_event): Port
8315         from tree to const svalue *.
8316         (state_change_event::get_lvalue): Delete.
8317         (state_change_event::get_dest_function): New.
8318         (state_change_event::m_var): Replace with...
8319         (state_change_event::m_sval): ...this.
8320         (state_change_event::m_origin): Convert from tree to
8321         const svalue *.
8322         * constraint-manager.cc: Include "analyzer/call-string.h",
8323         "analyzer/program-point.h", and "analyzer/store.h" before
8324         "analyzer/region-model.h".
8325         (struct bound, struct range): Move to constraint-manager.h.
8326         (compare_constants): New function.
8327         (range::dump): Rename to...
8328         (range::dump_to_pp): ...this.  Support NULL constants.
8329         (range::dump): Reintroduce for dumping to stderr.
8330         (range::constrained_to_single_element): Return result, rather than
8331         writing to *OUT.
8332         (range::eval_condition): New.
8333         (range::below_lower_bound): New.
8334         (range::above_upper_bound): New.
8335         (equiv_class::equiv_class): Port from svalue_id to const svalue *.
8336         (equiv_class::print): Likewise.
8337         (equiv_class::hash): Likewise.
8338         (equiv_class::operator==): Port from svalue_id to const svalue *.
8339         (equiv_class::add): Port from svalue_id to const svalue *. Drop
8340         "cm" param.
8341         (equiv_class::del): Port from svalue_id to const svalue *.
8342         (equiv_class::get_representative): Likewise.
8343         (equiv_class::remap_svalue_ids): Delete.
8344         (svalue_id_cmp_by_id): Rename to...
8345         (svalue_cmp_by_ptr): ...this, porting from svalue_id to
8346         const svalue *.
8347         (equiv_class::canonicalize): Update qsort comparator.
8348         (constraint::implied_by): New.
8349         (constraint_manager::constraint_manager): Copy m_mgr in copy ctor.
8350         (constraint_manager::dump_to_pp): Add "multiline" param
8351         (constraint_manager::dump): Pass "true" for "multiline".
8352         (constraint_manager::add_constraint): Port from svalue_id to
8353         const svalue *.  Split out second part into...
8354         (constraint_manager::add_unknown_constraint): ...this new
8355         function.  Remove self-constraints when merging equivalence
8356         classes.
8357         (constraint_manager::add_constraint_internal): Remove constraints
8358         that would be implied by the new constraint.  Port from svalue_id
8359         to const svalue *.
8360         (constraint_manager::get_equiv_class_by_sid): Rename to...
8361         (constraint_manager::get_equiv_class_by_svalue): ...this, porting
8362         from svalue_id to const svalue *.
8363         (constraint_manager::get_or_add_equiv_class): Port from svalue_id
8364         to const svalue *.
8365         (constraint_manager::eval_condition): Make const.  Call
8366         compare_constants and return early if it provides a known result.
8367         (constraint_manager::get_ec_bounds): New.
8368         (constraint_manager::eval_condition): New overloads.  Make
8369         existing one const, and use compare_constants.
8370         (constraint_manager::purge): Convert "p" param to a template
8371         rather than an abstract base class.  Port from svalue_id to
8372         const svalue *.
8373         (class dead_svalue_purger): New class.
8374         (constraint_manager::remap_svalue_ids): Delete.
8375         (constraint_manager::on_liveness_change): New.
8376         (equiv_class_cmp): Port from svalue_id to const svalue *.
8377         (constraint_manager::canonicalize): Likewise.  Combine with
8378         purging of redundant equivalence classes and constraints.
8379         (class cleaned_constraint_manager): Delete.
8380         (class merger_fact_visitor): Make "m_cm_b" const.  Add "m_merger"
8381         field.
8382         (merger_fact_visitor::fact): Port from svalue_id to const svalue *.
8383         Add special case for widening.
8384         (constraint_manager::merge): Port from svalue_id to const svalue *.
8385         (constraint_manager::clean_merger_input): Delete.
8386         (constraint_manager::for_each_fact): Port from svalue_id to
8387         const svalue *.
8388         (constraint_manager::validate): Likewise.
8389         (selftest::test_constraint_conditions): Provide a
8390         region_model_manager when creating region_model instances.
8391         Add test for self-equality not creating equivalence classes.
8392         (selftest::test_transitivity): Provide a region_model_manager when
8393         creating region_model instances.  Verify that EC-merging happens
8394         when constraints are implied.
8395         (selftest::test_constant_comparisons):  Provide a
8396         region_model_manager when creating region_model instances.
8397         (selftest::test_constraint_impl): Likewise.  Remove over-specified
8398         assertions.
8399         (selftest::test_equality): Provide a region_model_manager when
8400         creating region_model instances.
8401         (selftest::test_many_constants): Likewise.  Provide a
8402         program_point when testing merging.
8403         (selftest::run_constraint_manager_tests): Move call to
8404         test_constant_comparisons to outside the transitivity guard.
8405         * constraint-manager.h (struct bound): Move here from
8406         constraint-manager.cc.
8407         (struct range): Likewise.
8408         (struct::eval_condition): New decl.
8409         (struct::below_lower_bound): New decl.
8410         (struct::above_upper_bound): New decl.
8411         (equiv_class::add): Port from svalue_id to const svalue *.
8412         (equiv_class::del): Likewise.
8413         (equiv_class::get_representative): Likewise.
8414         (equiv_class::remap_svalue_ids): Drop.
8415         (equiv_class::m_cst_sid): Convert to...
8416         (equiv_class::m_cst_sval): ...this.
8417         (equiv_class::m_vars): Port from svalue_id to const svalue *.
8418         (constraint::bool implied_by): New decl.
8419         (fact_visitor::on_fact): Port from svalue_id to const svalue *.
8420         (constraint_manager::constraint_manager): Add mgr param.
8421         (constraint_manager::clone): Delete.
8422         (constraint_manager::maybe_get_constant): Delete.
8423         (constraint_manager::get_sid_for_constant): Delete.
8424         (constraint_manager::get_num_svalues): Delete.
8425         (constraint_manager::dump_to_pp): Add "multiline" param.
8426         (constraint_manager::get_equiv_class): Port from svalue_id to
8427         const svalue *.
8428         (constraint_manager::add_constraint):  Likewise.
8429         (constraint_manager::get_equiv_class_by_sid): Rename to...
8430         (constraint_manager::get_equiv_class_by_svalue): ...this, porting
8431         from svalue_id to const svalue *.
8432         (constraint_manager::add_unknown_constraint): New decl.
8433         (constraint_manager::get_or_add_equiv_class): Port from svalue_id
8434         to const svalue *.
8435         (constraint_manager::eval_condition): Likewise.  Add overloads.
8436         (constraint_manager::get_ec_bounds): New decl.
8437         (constraint_manager::purge): Convert to template.
8438         (constraint_manager::remap_svalue_ids): Delete.
8439         (constraint_manager::on_liveness_change): New decl.
8440         (constraint_manager::canonicalize): Drop param.
8441         (constraint_manager::clean_merger_input): Delete.
8442         (constraint_manager::m_mgr): New field.
8443         * diagnostic-manager.cc: Move includes of
8444         "analyzer/call-string.h" and "analyzer/program-point.h" to before
8445         "analyzer/region-model.h", and also include "analyzer/store.h"
8446         before it.
8447         (saved_diagnostic::saved_diagnostic): Add "sval" param.
8448         (diagnostic_manager::diagnostic_manager): Add engine param.
8449         (diagnostic_manager::add_diagnostic): Add "sval" param, passing it
8450         to saved_diagnostic ctor.  Update overload to pass NULL for it.
8451         (dedupe_winners::dedupe_winners): Add engine param.
8452         (dedupe_winners::add): Add "eg" param.  Pass m_engine to
8453         feasible_p.
8454         (dedupe_winner::m_engine): New field.
8455         (diagnostic_manager::emit_saved_diagnostics): Pass engine to
8456         dedupe_winners.  Pass &eg when adding candidates.  Pass svalue
8457         rather than tree to prune_path.  Use get_stmt_location to get
8458         primary location of diagnostic.
8459         (diagnostic_manager::emit_saved_diagnostic): Likewise.
8460         (get_any_origin): Drop.
8461         (state_change_event_creator::on_global_state_change): Pass NULL
8462         const svalue * rather than NULL_TREE trees to state_change_event
8463         ctor.
8464         (state_change_event_creator::on_state_change): Port from tree and
8465         svalue_id to const svalue *.
8466         (for_each_state_change): Port from svalue_id to const svalue *.
8467         (struct null_assignment_sm_context): New.
8468         (diagnostic_manager::add_events_for_eedge):  Add state change
8469         events for assignment to NULL.
8470         (diagnostic_manager::prune_path): Update param from tree to
8471         const svalue *.
8472         (diagnostic_manager::prune_for_sm_diagnostic): Port from tracking
8473         by tree to by const svalue *.
8474         * diagnostic-manager.h (saved_diagnostic::saved_diagnostic): Add sval
8475         param.
8476         (saved_diagnostic::m_sval): New field.
8477         (diagnostic_manager::diagnostic_manager): Add engine param.
8478         (diagnostic_manager::get_engine): New.
8479         (diagnostic_manager::add_diagnostic): Add "sval" param.
8480         (diagnostic_manager::prune_path): Likewise.
8481         (diagnostic_manager::prune_for_sm_diagnostic): New overload.
8482         (diagnostic_manager::m_eng): New field.
8483         * engine.cc: Move includes of "analyzer/call-string.h" and
8484         "analyzer/program-point.h" to before "analyzer/region-model.h",
8485         and also include "analyzer/store.h" before it.
8486         (impl_region_model_context::impl_region_model_context): Update for
8487         removal of m_change field.
8488         (impl_region_model_context::remap_svalue_ids): Delete.
8489         (impl_region_model_context::on_svalue_leak): New.
8490         (impl_region_model_context::on_svalue_purge): Delete.
8491         (impl_region_model_context::on_liveness_change): New.
8492         (impl_region_model_context::on_unknown_change): Update param
8493         from svalue_id to const svalue *.  Add is_mutable param.
8494         (setjmp_svalue::compare_fields): Delete.
8495         (setjmp_svalue::accept): New.
8496         (setjmp_svalue::add_to_hash): Delete.
8497         (setjmp_svalue::dump_to_pp): New.
8498         (setjmp_svalue::print_details): Delete.
8499         (impl_sm_context::impl_sm_context): Drop "change" param.
8500         (impl_sm_context::get_fndecl_for_call): Drop "m_change".
8501         (impl_sm_context::on_transition): Drop ATTRIBUTE_UNUSED from
8502         "stmt" param.  Drop m_change.  Port from svalue_id to
8503         const svalue *.
8504         (impl_sm_context::warn_for_state): Drop m_change.  Port from
8505         svalue_id to const svalue *.
8506         (impl_sm_context::get_readable_tree): Rename to...
8507         (impl_sm_context::get_diagnostic_tree): ...this.  Port from
8508         svalue_id to const svalue *.
8509         (impl_sm_context::is_zero_assignment): New.
8510         (impl_sm_context::m_change): Delete field.
8511         (leak_stmt_finder::find_stmt): Handle m_var being NULL.
8512         (readability):  Increase penalty for MEM_REF.  For SSA_NAMEs,
8513         slightly favor the underlying var over the SSA name.  Heavily
8514         penalize temporaries.  Handle RESULT_DECL.
8515         (readability_comparator): Make non-static.  Consider stack depths.
8516         (impl_region_model_context::on_state_leak): Convert from svalue_id
8517         to const svalue *, updating for region_model changes.  Use
8518         id_equal.
8519         (impl_region_model_context::on_inherited_svalue): Delete.
8520         (impl_region_model_context::on_cast): Delete.
8521         (impl_region_model_context::on_condition):  Drop m_change.
8522         (impl_region_model_context::on_phi): Likewise.
8523         (impl_region_model_context::on_unexpected_tree_code): Handle t
8524         being NULL.
8525         (point_and_state::validate): Update stack checking for
8526         region_model changes.
8527         (eg_traits::dump_args_t::show_enode_details_p): New.
8528         (exploded_node::exploded_node): Initialize m_num_processed_stmts.
8529         (exploded_node::get_processed_stmt): New function.
8530         (exploded_node::get_dot_fillcolor): Add more colors.
8531         (exploded_node::dump_dot): Guard the printing of the point and
8532         state with show_enode_details_p.  Print the processed stmts for
8533         this enode after the initial state.
8534         (exploded_node::dump_to_pp): Pass true for new multiline param
8535         of program_state::dump_to_pp.
8536         (exploded_node::on_stmt): Drop "change" param.  Log the stmt.
8537         Set input_location.  Implement __analyzer_describe.  Update
8538         implementation of __analyzer_dump and __analyzer_eval.
8539         Remove purging of sm-state for unknown fncalls from here.
8540         (exploded_node::on_edge): Drop "change" param.
8541         (exploded_node::on_longjmp): Port from region_id/svalue_id to
8542         const region */const svalue *.  Call program_state::detect_leaks.
8543         Drop state_change.
8544         (exploded_node::detect_leaks): Update for changes to region_model.
8545         Call program_state::detect_leaks.
8546         (exploded_edge::exploded_edge): Drop ext_state and change params.
8547         (exploded_edge::dump_dot): "args" is no longer used.  Drop dumping
8548         of m_change.
8549         (exploded_graph::exploded_graph): Pass engine to
8550         m_diagnostic_manager ctor.  Use program_point::origin.
8551         (exploded_graph::add_function_entry):  Drop ctxt.  Use
8552         program_state::push_frame.  Drop state_change.
8553         (exploded_graph::get_or_create_node): Drop "change" param.  Add
8554         "enode_for_diag" param.  Update dumping calls for API changes.
8555         Pass point to can_merge_with_p.  Show enode indices
8556         within -Wanalyzer-too-complex diagnostic for hitting the per-point
8557         limit.
8558         (exploded_graph::add_edge): Drop "change" param.  Log which nodes
8559         are being connected.  Update for changes to exploded_edge ctor.
8560         (exploded_graph::get_per_program_point_data): New.
8561         (exploded_graph::process_worklist): Pass point to
8562         can_merge_with_p.  Drop state_change.  Update dumping call for API
8563         change.
8564         (exploded_graph::process_node):  Drop state_change.  Split the
8565         node in-place if an sm-state-change occurs.  Update
8566         m_num_processed_stmts.  Update dumping calls for API change.
8567         (exploded_graph::log_stats): Call engine::log_stats.
8568         (exploded_graph::dump_states_for_supernode): Update dumping
8569         call.
8570         (exploded_path::feasible_p): Add "eng" and "eg" params.
8571         Rename "i" to "end_idx".  Pass the manager to the region_model
8572         ctor.  Update for every processed stmt in the enode, not just the
8573         first.  Keep track of which snodes have been visited, and call
8574         loop_replay_fixup when revisiting one.
8575         (enode_label::get_text): Update dump call for new param.
8576         (exploded_graph::dump_exploded_nodes): Likewise.
8577         (exploded_graph::get_node_by_index): New.
8578         (impl_run_checkers): Create engine instance and pass its address
8579         to extrinsic_state ctor.
8580         * exploded-graph.h
8581         (impl_region_model_context::impl_region_model_context): Drop
8582         "change" params.
8583         (impl_region_model_context::void remap_svalue_ids): Delete.
8584         (impl_region_model_context::on_svalue_purge): Delete.
8585         (impl_region_model_context::on_svalue_leak): New.
8586         (impl_region_model_context::on_liveness_change): New.
8587         (impl_region_model_context::on_state_leak): Update signature.
8588         (impl_region_model_context::on_inherited_svalue): Delete.
8589         (impl_region_model_context::on_cast): Delete.
8590         (impl_region_model_context::on_unknown_change): Update signature.
8591         (impl_region_model_context::m_change): Delete.
8592         (eg_traits::dump_args_t::show_enode_details_p): New.
8593         (exploded_node::on_stmt): Drop "change" param.
8594         (exploded_node::on_edge): Likewise.
8595         (exploded_node::get_processed_stmt): New decl.
8596         (exploded_node::m_num_processed_stmts): New field.
8597         (exploded_edge::exploded_edge): Drop ext_state and change params.
8598         (exploded_edge::m_change): Delete.
8599         (exploded_graph::get_engine): New accessor.
8600         (exploded_graph::get_or_create_node): Drop "change" param.  Add
8601         "enode_for_diag" param.
8602         (exploded_graph::add_edge): Drop "change" param.
8603         (exploded_graph::get_per_program_point_data): New decl.
8604         (exploded_graph::get_node_by_index): New decl.
8605         (exploded_path::feasible_p): Add "eng" and "eg" params.
8606         * program-point.cc: Include "analyzer/store.h" before including
8607         "analyzer/region-model.h".
8608         (function_point::function_point): Move here from
8609         program-point.h.
8610         (function_point::get_function): Likewise.
8611         (function_point::from_function_entry): Likewise.
8612         (function_point::before_supernode): Likewise.
8613         (function_point::next_stmt): New function.
8614         * program-point.h (function_point::function_point): Move
8615         implementation from here to program-point.cc.
8616         (function_point::get_function): Likewise.
8617         (function_point::from_function_entry): Likewise.
8618         (function_point::before_supernode): Likewise.
8619         (function_point::next_stmt): New decl.
8620         (program_point::operator!=): New.
8621         (program_point::origin): New.
8622         (program_point::next_stmt): New.
8623         (program_point::m_function_point): Make non-const.
8624         * program-state.cc: Move includes of "analyzer/call-string.h" and
8625         "analyzer/program-point.h" to before "analyzer/region-model.h",
8626         and also include "analyzer/store.h" before it.
8627         (extrinsic_state::get_model_manager): New.
8628         (sm_state_map::sm_state_map): Pass in sm and sm_idx to ctor,
8629         rather than pass them around.
8630         (sm_state_map::clone_with_remapping): Delete.
8631         (sm_state_map::print): Remove "sm" param in favor of "m_sm".  Add
8632         "simple" and "multiline" params and support multiline vs single
8633         line dumping.
8634         (sm_state_map::dump): Remove "sm" param in favor of "m_sm".  Add
8635         "simple" param.
8636         (sm_state_map::hash): Port from svalue_id to const svalue *.
8637         (sm_state_map::operator==): Likewise.
8638         (sm_state_map::get_state): Likewise.  Call canonicalize_svalue on
8639         input.  Handle inheritance of sm-state.  Call get_default_state.
8640         (sm_state_map::get_origin): Port from svalue_id to const svalue *.
8641         (sm_state_map::set_state): Likewise.  Pass in ext_state.  Reject
8642         attempts to set state on UNKNOWN.
8643         (sm_state_map::impl_set_state): Port from svalue_id to
8644         const svalue *.  Pass in ext_state.  Call canonicalize_svalue on
8645         input.
8646         (sm_state_map::purge_for_unknown_fncall): Delete.
8647         (sm_state_map::on_svalue_leak): New.
8648         (sm_state_map::remap_svalue_ids): Delete.
8649         (sm_state_map::on_liveness_change): New.
8650         (sm_state_map::on_unknown_change): Reimplement.
8651         (sm_state_map::on_svalue_purge): Delete.
8652         (sm_state_map::on_inherited_svalue): Delete.
8653         (sm_state_map::on_cast): Delete.
8654         (sm_state_map::validate): Delete.
8655         (sm_state_map::canonicalize_svalue): New.
8656         (program_state::program_state): Update to pass manager to
8657         region_model's ctor.  Constify num_states and pass state machine
8658         and index to sm_state_map ctor.
8659         (program_state::print): Update for changes to dump API.
8660         (program_state::dump_to_pp): Ignore the summarize param.  Add
8661         "multiline" param.
8662         (program_state::dump_to_file): Add "multiline" param.
8663         (program_state::dump): Pass "true" for new "multiline" param.
8664         (program_state::push_frame): New.
8665         (program_state::on_edge): Drop "change" param.  Call
8666         program_state::detect_leaks.
8667         (program_state::prune_for_point): Add enode_for_diag param.
8668         Reimplement based on store class.  Call detect_leaks.
8669         (program_state::remap_svalue_ids): Delete.
8670         (program_state::get_representative_tree): Port from svalue_id to
8671         const svalue *.
8672         (program_state::can_merge_with_p): Add "point" param.  Add early
8673         reject for sm-differences.  Drop id remapping.
8674         (program_state::validate): Drop region model and sm_state_map
8675         validation.
8676         (state_change::sm_change::dump): Delete.
8677         (state_change::sm_change::remap_svalue_ids): Delete.
8678         (state_change::sm_change::on_svalue_purge): Delete.
8679         (log_set_of_svalues): New.
8680         (state_change::sm_change::validate): Delete.
8681         (state_change::state_change): Delete.
8682         (state_change::add_sm_change): Delete.
8683         (state_change::affects_p): Delete.
8684         (state_change::dump): Delete.
8685         (state_change::remap_svalue_ids): Delete.
8686         (state_change::on_svalue_purge): Delete.
8687         (state_change::validate): Delete.
8688         (selftest::assert_dump_eq): Delete.
8689         (ASSERT_DUMP_EQ): Delete.
8690         (selftest::test_sm_state_map): Update for changes to region_model
8691         and sm_state_map, porting from svalue_id to const svalue *.
8692         (selftest::test_program_state_dumping): Likewise.  Drop test of
8693         dumping, renaming to...
8694         (selftest::test_program_state_1): ...this.
8695         (selftest::test_program_state_dumping_2): Likewise, renaming to...
8696         (selftest::test_program_state_2): ...this.
8697         (selftest::test_program_state_merging): Update for changes to
8698         region_model.
8699         (selftest::test_program_state_merging_2): Likewise.
8700         (selftest::analyzer_program_state_cc_tests): Update for renamed
8701         tests.
8702         * program-state.h (extrinsic_state::extrinsic_state): Add logger
8703         and engine params.
8704         (extrinsic_state::get_logger): New accessor.
8705         (extrinsic_state::get_engine): New accessor.
8706         (extrinsic_state::get_model_manager): New accessor.
8707         (extrinsic_state::m_logger): New field.
8708         (extrinsic_state::m_engine): New field.
8709         (struct default_hash_traits<svalue_id>): Delete.
8710         (pod_hash_traits<svalue_id>::hash): Delete.
8711         (pod_hash_traits<svalue_id>::equal): Delete.
8712         (pod_hash_traits<svalue_id>::mark_deleted): Delete.
8713         (pod_hash_traits<svalue_id>::mark_empty): Delete.
8714         (pod_hash_traits<svalue_id>::is_deleted): Delete.
8715         (pod_hash_traits<svalue_id>::is_empty): Delete.
8716         (sm_state_map::entry_t::entry_t): Port from svalue_id to
8717         const svalue *.
8718         (sm_state_map::entry_t::m_origin): Likewise.
8719         (sm_state_map::map_t): Likewise.
8720         (sm_state_map::sm_state_map): Add state_machine and index params.
8721         (sm_state_map::clone_with_remapping): Delete.
8722         (sm_state_map::print):  Drop sm param; add simple and multiline
8723         params.
8724         (sm_state_map::dump): Drop sm param; add simple param.
8725         (sm_state_map::get_state): Port from svalue_id to const svalue *.
8726         Add ext_state param.
8727         (sm_state_map::get_origin): Likewise.
8728         (sm_state_map::set_state): Likewise.
8729         (sm_state_map::impl_set_state): Likewise.
8730         (sm_state_map::purge_for_unknown_fncall): Delete.
8731         (sm_state_map::remap_svalue_ids): Delete.
8732         (sm_state_map::on_svalue_purge): Delete.
8733         (sm_state_map::on_svalue_leak): New.
8734         (sm_state_map::on_liveness_change): New.
8735         (sm_state_map::on_inherited_svalue): Delete.
8736         (sm_state_map::on_cast): Delete.
8737         (sm_state_map::validate): Delete.
8738         (sm_state_map::on_unknown_change): Port from svalue_id to
8739         const svalue *.  Add is_mutable and ext_state params.
8740         (sm_state_map::canonicalize_svalue): New.
8741         (sm_state_map::m_sm): New field.
8742         (sm_state_map::m_sm_idx): New field.
8743         (program_state::operator=): Delete.
8744         (program_state::dump_to_pp): Drop "summarize" param, adding
8745         "simple" and "multiline".
8746         (program_state::dump_to_file): Likewise.
8747         (program_state::dump): Rename "summarize" to "simple".
8748         (program_state::push_frame): New.
8749         (program_state::get_current_function): New.
8750         (program_state::on_edge): Drop "change" param.
8751         (program_state::prune_for_point): Likewise.  Add enode_for_diag
8752         param.
8753         (program_state::remap_svalue_ids): Delete.
8754         (program_state::get_representative_tree): Port from svalue_id to
8755         const svalue *.
8756         (program_state::can_purge_p): Likewise.  Pass ext_state to get_state.
8757         (program_state::can_merge_with_p): Add point param.
8758         (program_state::detect_leaks): New.
8759         (state_change_visitor::on_state_change): Port from tree and
8760         svalue_id to a pair of const svalue *.
8761         (class state_change): Delete.
8762         * region.cc: New file.
8763         * region-model-impl-calls.cc: New file.
8764         * region-model-manager.cc: New file.
8765         * region-model-reachability.cc: New file.
8766         * region-model-reachability.h: New file.
8767         * region-model.cc: Include "analyzer/call-string.h",
8768         "analyzer/program-point.h", and "analyzer/store.h" before
8769         "analyzer/region-model.h".  Include
8770         "analyzer/region-model-reachability.h".
8771         (dump_tree): Make non-static.
8772         (dump_quoted_tree): Make non-static.
8773         (print_quoted_type): Make non-static.
8774         (path_var::dump): Delete.
8775         (dump_separator): Delete.
8776         (class impl_constraint_manager): Delete.
8777         (svalue_id::print): Delete.
8778         (svalue_id::dump_node_name_to_pp): Delete.
8779         (svalue_id::validate): Delete.
8780         (region_id::print): Delete.
8781         (region_id::dump_node_name_to_pp): Delete.
8782         (region_id::validate): Delete.
8783         (region_id_set::region_id_set): Delete.
8784         (svalue_id_set::svalue_id_set): Delete.
8785         (svalue::operator==): Delete.
8786         (svalue::hash): Delete.
8787         (svalue::print): Delete.
8788         (svalue::dump_dot_to_pp): Delete.
8789         (svalue::remap_region_ids): Delete.
8790         (svalue::walk_for_canonicalization): Delete.
8791         (svalue::get_child_sid): Delete.
8792         (svalue::maybe_get_constant): Delete.
8793         (region_svalue::compare_fields): Delete.
8794         (region_svalue::add_to_hash): Delete.
8795         (region_svalue::print_details): Delete.
8796         (region_svalue::dump_dot_to_pp): Delete.
8797         (region_svalue::remap_region_ids): Delete.
8798         (region_svalue::merge_values): Delete.
8799         (region_svalue::walk_for_canonicalization): Delete.
8800         (region_svalue::eval_condition): Delete.
8801         (constant_svalue::compare_fields): Delete.
8802         (constant_svalue::add_to_hash): Delete.
8803         (constant_svalue::merge_values): Delete.
8804         (constant_svalue::eval_condition): Move to svalue.cc.
8805         (constant_svalue::print_details): Delete.
8806         (constant_svalue::get_child_sid): Delete.
8807         (unknown_svalue::compare_fields): Delete.
8808         (unknown_svalue::add_to_hash): Delete.
8809         (unknown_svalue::print_details): Delete.
8810         (poison_kind_to_str): Move to svalue.cc.
8811         (poisoned_svalue::compare_fields): Delete.
8812         (poisoned_svalue::add_to_hash): Delete.
8813         (poisoned_svalue::print_details): Delete.
8814         (region_kind_to_str): Move to region.cc and reimplement.
8815         (region::operator==): Delete.
8816         (region::get_parent_region): Delete.
8817         (region::set_value): Delete.
8818         (region::become_active_view): Delete.
8819         (region::deactivate_any_active_view): Delete.
8820         (region::deactivate_view): Delete.
8821         (region::get_value): Delete.
8822         (region::get_inherited_child_sid): Delete.
8823         (region_model::copy_region): Delete.
8824         (region_model::copy_struct_region): Delete.
8825         (region_model::copy_union_region): Delete.
8826         (region_model::copy_array_region): Delete.
8827         (region::hash): Delete.
8828         (region::print): Delete.
8829         (region::dump_dot_to_pp): Delete.
8830         (region::dump_to_pp): Delete.
8831         (region::dump_child_label): Delete.
8832         (region::validate): Delete.
8833         (region::remap_svalue_ids): Delete.
8834         (region::remap_region_ids): Delete.
8835         (region::add_view): Delete.
8836         (region::get_view): Delete.
8837         (region::region): Move to region.cc.
8838         (region::add_to_hash): Delete.
8839         (region::print_fields): Delete.
8840         (region::non_null_p): Delete.
8841         (primitive_region::clone): Delete.
8842         (primitive_region::walk_for_canonicalization): Delete.
8843         (map_region::map_region): Delete.
8844         (map_region::compare_fields): Delete.
8845         (map_region::print_fields): Delete.
8846         (map_region::validate): Delete.
8847         (map_region::dump_dot_to_pp): Delete.
8848         (map_region::dump_child_label): Delete.
8849         (map_region::get_or_create): Delete.
8850         (map_region::get): Delete.
8851         (map_region::add_to_hash): Delete.
8852         (map_region::remap_region_ids): Delete.
8853         (map_region::unbind): Delete.
8854         (map_region::get_tree_for_child_region): Delete.
8855         (map_region::get_tree_for_child_region): Delete.
8856         (tree_cmp): Move to region.cc.
8857         (map_region::can_merge_p): Delete.
8858         (map_region::walk_for_canonicalization): Delete.
8859         (map_region::get_value_by_name): Delete.
8860         (struct_or_union_region::valid_key_p): Delete.
8861         (struct_or_union_region::compare_fields): Delete.
8862         (struct_region::clone): Delete.
8863         (struct_region::compare_fields): Delete.
8864         (union_region::clone): Delete.
8865         (union_region::compare_fields): Delete.
8866         (frame_region::compare_fields): Delete.
8867         (frame_region::clone): Delete.
8868         (frame_region::valid_key_p): Delete.
8869         (frame_region::print_fields): Delete.
8870         (frame_region::add_to_hash): Delete.
8871         (globals_region::compare_fields): Delete.
8872         (globals_region::clone): Delete.
8873         (globals_region::valid_key_p): Delete.
8874         (code_region::compare_fields): Delete.
8875         (code_region::clone): Delete.
8876         (code_region::valid_key_p): Delete.
8877         (array_region::array_region): Delete.
8878         (array_region::get_element): Delete.
8879         (array_region::clone): Delete.
8880         (array_region::compare_fields): Delete.
8881         (array_region::print_fields): Delete.
8882         (array_region::validate): Delete.
8883         (array_region::dump_dot_to_pp): Delete.
8884         (array_region::dump_child_label): Delete.
8885         (array_region::get_or_create): Delete.
8886         (array_region::get): Delete.
8887         (array_region::add_to_hash): Delete.
8888         (array_region::remap_region_ids): Delete.
8889         (array_region::get_key_for_child_region): Delete.
8890         (array_region::key_cmp): Delete.
8891         (array_region::walk_for_canonicalization): Delete.
8892         (array_region::key_from_constant): Delete.
8893         (array_region::constant_from_key): Delete.
8894         (function_region::compare_fields): Delete.
8895         (function_region::clone): Delete.
8896         (function_region::valid_key_p): Delete.
8897         (stack_region::stack_region): Delete.
8898         (stack_region::compare_fields): Delete.
8899         (stack_region::clone): Delete.
8900         (stack_region::print_fields): Delete.
8901         (stack_region::dump_child_label): Delete.
8902         (stack_region::validate): Delete.
8903         (stack_region::push_frame): Delete.
8904         (stack_region::get_current_frame_id): Delete.
8905         (stack_region::pop_frame): Delete.
8906         (stack_region::add_to_hash): Delete.
8907         (stack_region::remap_region_ids): Delete.
8908         (stack_region::can_merge_p): Delete.
8909         (stack_region::walk_for_canonicalization): Delete.
8910         (stack_region::get_value_by_name): Delete.
8911         (heap_region::heap_region): Delete.
8912         (heap_region::compare_fields): Delete.
8913         (heap_region::clone): Delete.
8914         (heap_region::walk_for_canonicalization): Delete.
8915         (root_region::root_region): Delete.
8916         (root_region::compare_fields): Delete.
8917         (root_region::clone): Delete.
8918         (root_region::print_fields): Delete.
8919         (root_region::validate): Delete.
8920         (root_region::dump_child_label): Delete.
8921         (root_region::push_frame): Delete.
8922         (root_region::get_current_frame_id): Delete.
8923         (root_region::pop_frame): Delete.
8924         (root_region::ensure_stack_region): Delete.
8925         (root_region::get_stack_region): Delete.
8926         (root_region::ensure_globals_region): Delete.
8927         (root_region::get_code_region): Delete.
8928         (root_region::ensure_code_region): Delete.
8929         (root_region::get_globals_region): Delete.
8930         (root_region::ensure_heap_region): Delete.
8931         (root_region::get_heap_region): Delete.
8932         (root_region::remap_region_ids): Delete.
8933         (root_region::can_merge_p): Delete.
8934         (root_region::add_to_hash): Delete.
8935         (root_region::walk_for_canonicalization): Delete.
8936         (root_region::get_value_by_name): Delete.
8937         (symbolic_region::symbolic_region): Delete.
8938         (symbolic_region::compare_fields): Delete.
8939         (symbolic_region::clone): Delete.
8940         (symbolic_region::walk_for_canonicalization): Delete.
8941         (symbolic_region::print_fields): Delete.
8942         (region_model::region_model): Add region_model_manager * param.
8943         Reimplement in terms of store, dropping impl_constraint_manager
8944         subclass.
8945         (region_model::operator=): Reimplement in terms of store
8946         (region_model::operator==): Likewise.
8947         (region_model::hash): Likewise.
8948         (region_model::print): Delete.
8949         (region_model::print_svalue): Delete.
8950         (region_model::dump_dot_to_pp): Delete.
8951         (region_model::dump_dot_to_file): Delete.
8952         (region_model::dump_dot): Delete.
8953         (region_model::dump_to_pp): Replace "summarize" param with
8954         "simple" and "multiline".  Port to store-based implementation.
8955         (region_model::dump): Replace "summarize" param with "simple" and
8956         "multiline".
8957         (dump_vec_of_tree): Delete.
8958         (region_model::dump_summary_of_rep_path_vars): Delete.
8959         (region_model::validate): Delete.
8960         (svalue_id_cmp_by_constant_svalue_model): Delete.
8961         (svalue_id_cmp_by_constant_svalue): Delete.
8962         (region_model::canonicalize): Drop "ctxt" param.  Reimplement in
8963         terms of store and constraints.
8964         (region_model::canonicalized_p): Remove NULL arg to canonicalize.
8965         (region_model::loop_replay_fixup): New.
8966         (poisoned_value_diagnostic::emit): Tweak wording of warnings.
8967         (region_model::check_for_poison): Delete.
8968         (region_model::get_gassign_result): New.
8969         (region_model::on_assignment): Port to store-based implementation.
8970         (region_model::on_call_pre): Delete calls to check_for_poison.
8971         Move implementations to region-model-impl-calls.cc and port to
8972         store-based implementation.
8973         (region_model::on_call_post): Likewise.
8974         (class reachable_regions): Move to region-model-reachability.h/cc
8975         and port to store-based implementation.
8976         (region_model::handle_unrecognized_call): Port to store-based
8977         implementation.
8978         (region_model::get_reachable_svalues): New.
8979         (region_model::on_setjmp): Port to store-based implementation.
8980         (region_model::on_longjmp): Likewise.
8981         (region_model::handle_phi): Drop is_back_edge param and the logic
8982         using it.
8983         (region_model::get_lvalue_1): Port from region_id to const region *.
8984         (region_model::make_region_for_unexpected_tree_code): Delete.
8985         (assert_compat_types): If the check fails, use internal_error to
8986         show the types.
8987         (region_model::get_lvalue): Port from region_id to const region *.
8988         (region_model::get_rvalue_1): Port from svalue_id to const svalue *.
8989         (region_model::get_rvalue): Likewise.
8990         (region_model::get_or_create_ptr_svalue): Delete.
8991         (region_model::get_or_create_constant_svalue): Delete.
8992         (region_model::get_svalue_for_fndecl): Delete.
8993         (region_model::get_region_for_fndecl): Delete.
8994         (region_model::get_svalue_for_label): Delete.
8995         (region_model::get_region_for_label): Delete.
8996         (build_cast): Delete.
8997         (region_model::maybe_cast_1): Delete.
8998         (region_model::maybe_cast): Delete.
8999         (region_model::get_field_region): Delete.
9000         (region_model::get_store_value): New.
9001         (region_model::region_exists_p): New.
9002         (region_model::deref_rvalue): Port from svalue_id to const svalue *.
9003         (region_model::set_value): Likewise.
9004         (region_model::clobber_region): New.
9005         (region_model::purge_region): New.
9006         (region_model::zero_fill_region): New.
9007         (region_model::mark_region_as_unknown): New.
9008         (region_model::eval_condition): Port from svalue_id to
9009         const svalue *.
9010         (region_model::eval_condition_without_cm): Likewise.
9011         (region_model::compare_initial_and_pointer): New.
9012         (region_model::add_constraint): Port from svalue_id to
9013         const svalue *.
9014         (region_model::maybe_get_constant): Delete.
9015         (region_model::get_representative_path_var): New.
9016         (region_model::add_new_malloc_region): Delete.
9017         (region_model::get_representative_tree): Port to const svalue *.
9018         (region_model::get_representative_path_var): Port to
9019         const region *.
9020         (region_model::get_path_vars_for_svalue): Delete.
9021         (region_model::set_to_new_unknown_value): Delete.
9022         (region_model::update_for_phis): Don't pass is_back_edge to handle_phi.
9023         (region_model::update_for_call_superedge): Port from svalue_id to
9024         const svalue *.
9025         (region_model::update_for_return_superedge): Port to store-based
9026         implementation.
9027         (region_model::update_for_call_summary): Replace
9028         set_to_new_unknown_value with mark_region_as_unknown.
9029         (region_model::get_root_region): Delete.
9030         (region_model::get_stack_region_id): Delete.
9031         (region_model::push_frame): Delete.
9032         (region_model::get_current_frame_id): Delete.
9033         (region_model::get_current_function): Delete.
9034         (region_model::pop_frame): Delete.
9035         (region_model::on_top_level_param): New.
9036         (region_model::get_stack_depth): Delete.
9037         (region_model::get_function_at_depth): Delete.
9038         (region_model::get_globals_region_id): Delete.
9039         (region_model::add_svalue): Delete.
9040         (region_model::replace_svalue): Delete.
9041         (region_model::add_region): Delete.
9042         (region_model::get_svalue): Delete.
9043         (region_model::get_region): Delete.
9044         (make_region_for_type): Delete.
9045         (region_model::add_region_for_type): Delete.
9046         (region_model::on_top_level_param): New.
9047         (class restrict_to_used_svalues): Delete.
9048         (region_model::purge_unused_svalues): Delete.
9049         (region_model::push_frame): New.
9050         (region_model::remap_svalue_ids): Delete.
9051         (region_model::remap_region_ids): Delete.
9052         (region_model::purge_regions): Delete.
9053         (region_model::get_descendents): Delete.
9054         (region_model::delete_region_and_descendents): Delete.
9055         (region_model::poison_any_pointers_to_bad_regions): Delete.
9056         (region_model::can_merge_with_p): Delete.
9057         (region_model::get_current_function): New.
9058         (region_model::get_value_by_name): Delete.
9059         (region_model::convert_byte_offset_to_array_index): Delete.
9060         (region_model::pop_frame): New.
9061         (region_model::get_or_create_mem_ref): Delete.
9062         (region_model::get_stack_depth): New.
9063         (region_model::get_frame_at_index): New.
9064         (region_model::unbind_region_and_descendents): New.
9065         (struct bad_pointer_finder): New.
9066         (region_model::get_or_create_pointer_plus_expr): Delete.
9067         (region_model::poison_any_pointers_to_descendents): New.
9068         (region_model::get_or_create_view): Delete.
9069         (region_model::can_merge_with_p): New.
9070         (region_model::get_fndecl_for_call):  Port from svalue_id to
9071         const svalue *.
9072         (struct append_ssa_names_cb_data): New.
9073         (get_ssa_name_regions_for_current_frame): New.
9074         (region_model::append_ssa_names_cb): New.
9075         (model_merger::dump_to_pp): Add "simple" param.  Drop dumping of
9076         remappings.
9077         (model_merger::dump): Add "simple" param to both overloads.
9078         (model_merger::can_merge_values_p): Delete.
9079         (model_merger::record_regions): Delete.
9080         (model_merger::record_svalues): Delete.
9081         (svalue_id_merger_mapping::svalue_id_merger_mapping): Delete.
9082         (svalue_id_merger_mapping::dump_to_pp): Delete.
9083         (svalue_id_merger_mapping::dump): Delete.
9084         (region_model::create_region_for_heap_alloc): New.
9085         (region_model::create_region_for_alloca): New.
9086         (region_model::record_dynamic_extents): New.
9087         (canonicalization::canonicalization): Delete.
9088         (canonicalization::walk_rid): Delete.
9089         (canonicalization::walk_sid): Delete.
9090         (canonicalization::dump_to_pp): Delete.
9091         (canonicalization::dump): Delete.
9092         (inchash::add): Delete overloads for svalue_id and region_id.
9093         (engine::log_stats): New.
9094         (assert_condition): Add overload comparing svalues.
9095         (assert_dump_eq): Pass "true" for multiline.
9096         (selftest::test_dump): Update for rewrite of region_model.
9097         (selftest::test_dump_2): Rename to...
9098         (selftest::test_struct): ...this.  Provide a region_model_manager
9099         when creating region_model instance.  Remove dump test.  Add
9100         checks for get_offset.
9101         (selftest::test_dump_3): Rename to...
9102         (selftest::test_array_1): ...this.  Provide a region_model_manager
9103         when creating region_model instance.  Remove dump test.
9104         (selftest::test_get_representative_tree): Port from svalue_id to
9105         new API.  Add test coverage for various expressions.
9106         (selftest::test_unique_constants): Provide a region_model_manager
9107         for the region_model.  Add test coverage for comparing const vs
9108         non-const.
9109         (selftest::test_svalue_equality): Delete.
9110         (selftest::test_region_equality): Delete.
9111         (selftest::test_unique_unknowns): New.
9112         (class purge_all_svalue_ids): Delete.
9113         (class purge_one_svalue_id): Delete.
9114         (selftest::test_purging_by_criteria): Delete.
9115         (selftest::test_initial_svalue_folding): New.
9116         (selftest::test_unaryop_svalue_folding): New.
9117         (selftest::test_binop_svalue_folding): New.
9118         (selftest::test_sub_svalue_folding): New.
9119         (selftest::test_purge_unused_svalues): Delete.
9120         (selftest::test_descendent_of_p): New.
9121         (selftest::test_assignment): Provide a region_model_manager for
9122         the region_model.  Drop the dump test.
9123         (selftest::test_compound_assignment): Likewise.
9124         (selftest::test_stack_frames): Port to new implementation.
9125         (selftest::test_get_representative_path_var): Likewise.
9126         (selftest::test_canonicalization_1): Rename to...
9127         (selftest::test_equality_1): ...this.  Port to new API, and add
9128         (selftest::test_canonicalization_2): Provide a
9129         region_model_manager when creating region_model instances.
9130         Remove redundant canonicalization.
9131         (selftest::test_canonicalization_3): Provide a
9132         region_model_manager when creating region_model instances.
9133         Remove param from calls to region_model::canonicalize.
9134         (selftest::test_canonicalization_4): Likewise.
9135         (selftest::assert_region_models_merge): Constify
9136         out_merged_svalue.  Port to new API.
9137         (selftest::test_state_merging): Provide a
9138         region_model_manager when creating region_model instances.
9139         Provide a program_point point when merging them.  Replace
9140         set_to_new_unknown_value with usage of placeholder_svalues.
9141         Drop get_value_by_name.  Port from svalue_id to const svalue *.
9142         Add test of heap allocation.
9143         (selftest::test_constraint_merging):  Provide a
9144         region_model_manager when creating region_model instances.
9145         Provide a program_point point when merging them.  Eliminate use
9146         of set_to_new_unknown_value.
9147         (selftest::test_widening_constraints): New.
9148         (selftest::test_iteration_1): New.
9149         (selftest::test_malloc_constraints): Port to store-based
9150         implementation.
9151         (selftest::test_var): New test.
9152         (selftest::test_array_2): New test.
9153         (selftest::test_mem_ref): New test.
9154         (selftest::test_POINTER_PLUS_EXPR_then_MEM_REF): New.
9155         (selftest::test_malloc): New.
9156         (selftest::test_alloca): New.
9157         (selftest::analyzer_region_model_cc_tests): Update for renamings.
9158         Call new functions.
9159         * region-model.h (class path_var): Move to analyzer.h.
9160         (class svalue_id): Delete.
9161         (class region_id): Delete.
9162         (class id_map): Delete.
9163         (svalue_id_map): Delete.
9164         (region_id_map): Delete.
9165         (id_map<T>::id_map): Delete.
9166         (id_map<T>::put): Delete.
9167         (id_map<T>::get_dst_for_src): Delete.
9168         (id_map<T>::get_src_for_dst): Delete.
9169         (id_map<T>::dump_to_pp): Delete.
9170         (id_map<T>::dump): Delete.
9171         (id_map<T>::update): Delete.
9172         (one_way_svalue_id_map): Delete.
9173         (one_way_region_id_map): Delete.
9174         (class region_id_set): Delete.
9175         (class svalue_id_set): Delete.
9176         (struct complexity): New.
9177         (class visitor): New.
9178         (enum svalue_kind): Add SK_SETJMP, SK_INITIAL, SK_UNARYOP,
9179         SK_BINOP, SK_SUB, SK_UNMERGEABLE, SK_PLACEHOLDER, SK_WIDENING,
9180         SK_COMPOUND, and SK_CONJURED.
9181         (svalue::operator==): Delete.
9182         (svalue::operator!=): Delete.
9183         (svalue::clone): Delete.
9184         (svalue::hash): Delete.
9185         (svalue::dump_dot_to_pp): Delete.
9186         (svalue::dump_to_pp): New.
9187         (svalue::dump): New.
9188         (svalue::get_desc): New.
9189         (svalue::dyn_cast_initial_svalue): New.
9190         (svalue::dyn_cast_unaryop_svalue): New.
9191         (svalue::dyn_cast_binop_svalue): New.
9192         (svalue::dyn_cast_sub_svalue): New.
9193         (svalue::dyn_cast_unmergeable_svalue): New.
9194         (svalue::dyn_cast_widening_svalue): New.
9195         (svalue::dyn_cast_compound_svalue): New.
9196         (svalue::dyn_cast_conjured_svalue): New.
9197         (svalue::maybe_undo_cast): New.
9198         (svalue::unwrap_any_unmergeable): New.
9199         (svalue::remap_region_ids): Delete.
9200         (svalue::can_merge_p): New.
9201         (svalue::walk_for_canonicalization): Delete.
9202         (svalue::get_complexity): New.
9203         (svalue::get_child_sid): Delete.
9204         (svalue::accept): New.
9205         (svalue::live_p): New.
9206         (svalue::implicitly_live_p): New.
9207         (svalue::svalue): Add complexity param.
9208         (svalue::add_to_hash): Delete.
9209         (svalue::print_details): Delete.
9210         (svalue::m_complexity): New field.
9211         (region_svalue::key_t): New struct.
9212         (region_svalue::region_svalue): Port from region_id to
9213         const region_id *.  Add complexity.
9214         (region_svalue::compare_fields): Delete.
9215         (region_svalue::clone): Delete.
9216         (region_svalue::dump_dot_to_pp): Delete.
9217         (region_svalue::get_pointee): Port from region_id to
9218         const region_id *.
9219         (region_svalue::remap_region_ids): Delete.
9220         (region_svalue::merge_values): Delete.
9221         (region_svalue::dump_to_pp): New.
9222         (region_svalue::accept): New.
9223         (region_svalue::walk_for_canonicalization): Delete.
9224         (region_svalue::eval_condition): Make params const.
9225         (region_svalue::add_to_hash): Delete.
9226         (region_svalue::print_details): Delete.
9227         (region_svalue::m_rid): Replace with...
9228         (region_svalue::m_reg): ...this.
9229         (is_a_helper <region_svalue *>::test): Convert to...
9230         (is_a_helper <const region_svalue *>::test): ...this.
9231         (template <> struct default_hash_traits<region_svalue::key_t>):
9232         New.
9233         (constant_svalue::constant_svalue): Add complexity.
9234         (constant_svalue::compare_fields): Delete.
9235         (constant_svalue::clone): Delete.
9236         (constant_svalue::add_to_hash): Delete.
9237         (constant_svalue::dump_to_pp): New.
9238         (constant_svalue::accept): New.
9239         (constant_svalue::implicitly_live_p): New.
9240         (constant_svalue::merge_values): Delete.
9241         (constant_svalue::eval_condition): Make params const.
9242         (constant_svalue::get_child_sid): Delete.
9243         (constant_svalue::print_details): Delete.
9244         (is_a_helper <constant_svalue *>::test): Convert to...
9245         (is_a_helper <const constant_svalue *>::test): ...this.
9246         (class unknown_svalue): Update leading comment.
9247         (unknown_svalue::unknown_svalue): Add complexity.
9248         (unknown_svalue::compare_fields): Delete.
9249         (unknown_svalue::add_to_hash): Delete.
9250         (unknown_svalue::dyn_cast_unknown_svalue): Delete.
9251         (unknown_svalue::print_details): Delete.
9252         (unknown_svalue::dump_to_pp): New.
9253         (unknown_svalue::accept): New.
9254         (poisoned_svalue::key_t): New struct.
9255         (poisoned_svalue::poisoned_svalue): Add complexity.
9256         (poisoned_svalue::compare_fields): Delete.
9257         (poisoned_svalue::clone): Delete.
9258         (poisoned_svalue::add_to_hash): Delete.
9259         (poisoned_svalue::dump_to_pp): New.
9260         (poisoned_svalue::accept): New.
9261         (poisoned_svalue::print_details): Delete.
9262         (is_a_helper <poisoned_svalue *>::test): Convert to...
9263         (is_a_helper <const poisoned_svalue *>::test): ...this.
9264         (template <> struct default_hash_traits<poisoned_svalue::key_t>):
9265         New.
9266         (setjmp_record::add_to_hash): New.
9267         (setjmp_svalue::key_t): New struct.
9268         (setjmp_svalue::compare_fields): Delete.
9269         (setjmp_svalue::clone): Delete.
9270         (setjmp_svalue::add_to_hash): Delete.
9271         (setjmp_svalue::setjmp_svalue): Add complexity.
9272         (setjmp_svalue::dump_to_pp): New.
9273         (setjmp_svalue::accept): New.
9274         (setjmp_svalue::void print_details): Delete.
9275         (is_a_helper <const setjmp_svalue *>::test): New.
9276         (template <> struct default_hash_traits<setjmp_svalue::key_t>): New.
9277         (class initial_svalue : public svalue): New.
9278         (is_a_helper <const initial_svalue *>::test): New.
9279         (class unaryop_svalue): New.
9280         (is_a_helper <const unaryop_svalue *>::test): New.
9281         (template <> struct default_hash_traits<unaryop_svalue::key_t>): New.
9282         (class binop_svalue): New.
9283         (is_a_helper <const binop_svalue *>::test): New.
9284         (template <> struct default_hash_traits<binop_svalue::key_t>): New.
9285         (class sub_svalue): New.
9286         (is_a_helper <const sub_svalue *>::test): New.
9287         (template <> struct default_hash_traits<sub_svalue::key_t>): New.
9288         (class unmergeable_svalue): New.
9289         (is_a_helper <const unmergeable_svalue *>::test): New.
9290         (class placeholder_svalue): New.
9291         (is_a_helper <placeholder_svalue *>::test): New.
9292         (class widening_svalue): New.
9293         (is_a_helper <widening_svalue *>::test): New.
9294         (template <> struct default_hash_traits<widening_svalue::key_t>): New.
9295         (class compound_svalue): New.
9296         (is_a_helper <compound_svalue *>::test): New.
9297         (template <> struct default_hash_traits<compound_svalue::key_t>): New.
9298         (class conjured_svalue): New.
9299         (is_a_helper <conjured_svalue *>::test): New.
9300         (template <> struct default_hash_traits<conjured_svalue::key_t>): New.
9301         (enum region_kind): Delete RK_PRIMITIVE, RK_STRUCT, RK_UNION, and
9302         RK_ARRAY.  Add RK_LABEL, RK_DECL, RK_FIELD, RK_ELEMENT, RK_OFFSET,
9303         RK_CAST, RK_HEAP_ALLOCATED, RK_ALLOCA, RK_STRING, and RK_UNKNOWN.
9304         (region_kind_to_str): Delete.
9305         (region::~region): Move implementation to region.cc.
9306         (region::operator==): Delete.
9307         (region::operator!=): Delete.
9308         (region::clone): Delete.
9309         (region::get_id): New.
9310         (region::cmp_ids): New.
9311         (region::dyn_cast_map_region): Delete.
9312         (region::dyn_cast_array_region): Delete.
9313         (region::region_id get_parent): Delete.
9314         (region::get_parent_region): Convert to a simple accessor.
9315         (region::void set_value): Delete.
9316         (region::svalue_id get_value): Delete.
9317         (region::svalue_id get_value_direct): Delete.
9318         (region::svalue_id get_inherited_child_sid): Delete.
9319         (region::dyn_cast_frame_region): New.
9320         (region::dyn_cast_function_region): New.
9321         (region::dyn_cast_decl_region): New.
9322         (region::dyn_cast_field_region): New.
9323         (region::dyn_cast_element_region): New.
9324         (region::dyn_cast_offset_region): New.
9325         (region::dyn_cast_cast_region): New.
9326         (region::dyn_cast_string_region): New.
9327         (region::accept): New.
9328         (region::get_base_region): New.
9329         (region::base_region_p): New.
9330         (region::descendent_of_p): New.
9331         (region::maybe_get_frame_region): New.
9332         (region::maybe_get_decl): New.
9333         (region::hash): Delete.
9334         (region::rint): Delete.
9335         (region::dump_dot_to_pp): Delete.
9336         (region::get_desc): New.
9337         (region::dump_to_pp): Convert to vfunc, changing signature.
9338         (region::dump_child_label): Delete.
9339         (region::remap_svalue_ids): Delete.
9340         (region::remap_region_ids): Delete.
9341         (region::dump): New.
9342         (region::walk_for_canonicalization): Delete.
9343         (region::non_null_p): Drop region_model param.
9344         (region::add_view): Delete.
9345         (region::get_view): Delete.
9346         (region::get_active_view): Delete.
9347         (region::is_view_p): Delete.
9348         (region::cmp_ptrs): New.
9349         (region::validate): Delete.
9350         (region::get_offset): New.
9351         (region::get_byte_size): New.
9352         (region::get_bit_size): New.
9353         (region::get_subregions_for_binding): New.
9354         (region::region): Add complexity param.  Convert parent from
9355         region_id to const region *.  Drop svalue_id.  Drop copy ctor.
9356         (region::symbolic_for_unknown_ptr_p): New.
9357         (region::add_to_hash): Delete.
9358         (region::print_fields): Delete.
9359         (region::get_complexity): New accessor.
9360         (region::become_active_view): Delete.
9361         (region::deactivate_any_active_view): Delete.
9362         (region::deactivate_view): Delete.
9363         (region::calc_offset): New.
9364         (region::m_parent_rid): Delete.
9365         (region::m_sval_id): Delete.
9366         (region::m_complexity): New.
9367         (region::m_id): New.
9368         (region::m_parent): New.
9369         (region::m_view_rids): Delete.
9370         (region::m_is_view): Delete.
9371         (region::m_active_view_rid): Delete.
9372         (region::m_cached_offset): New.
9373         (is_a_helper <region *>::test): Convert to...
9374         (is_a_helper <const region *>::test): ... this.
9375         (class primitive_region): Delete.
9376         (class space_region): New.
9377         (class map_region): Delete.
9378         (is_a_helper <map_region *>::test): Delete.
9379         (class frame_region): Reimplement.
9380         (template <> struct default_hash_traits<frame_region::key_t>):
9381         New.
9382         (class globals_region): Reimplement.
9383         (is_a_helper <globals_region *>::test): Convert to...
9384         (is_a_helper <const globals_region *>::test): ...this.
9385         (class struct_or_union_region): Delete.
9386         (is_a_helper <struct_or_union_region *>::test): Delete.
9387         (class code_region): Reimplement.
9388         (is_a_helper <const code_region *>::test): New.
9389         (class struct_region): Delete.
9390         (is_a_helper <struct_region *>::test): Delete.
9391         (class function_region): Reimplement.
9392         (is_a_helper <function_region *>::test): Convert to...
9393         (is_a_helper <const function_region *>::test): ...this.
9394         (class union_region): Delete.
9395         (is_a_helper <union_region *>::test): Delete.
9396         (class label_region): New.
9397         (is_a_helper <const label_region *>::test): New.
9398         (class scope_region): Delete.
9399         (class stack_region): Reimplement.
9400         (is_a_helper <stack_region *>::test): Convert to...
9401         (is_a_helper <const stack_region *>::test): ...this.
9402         (class heap_region): Reimplement.
9403         (is_a_helper <heap_region *>::test): Convert to...
9404         (is_a_helper <const heap_region *>::test): ...this.
9405         (class root_region): Reimplement.
9406         (is_a_helper <root_region *>::test): Convert to...
9407         (is_a_helper <const root_region *>::test): ...this.
9408         (class symbolic_region): Reimplement.
9409         (is_a_helper <const symbolic_region *>::test): New.
9410         (template <> struct default_hash_traits<symbolic_region::key_t>):
9411         New.
9412         (class decl_region): New.
9413         (is_a_helper <const decl_region *>::test): New.
9414         (class field_region): New.
9415         (template <> struct default_hash_traits<field_region::key_t>): New.
9416         (class array_region): Delete.
9417         (class element_region): New.
9418         (is_a_helper <array_region *>::test): Delete.
9419         (is_a_helper <const element_region *>::test): New.
9420         (template <> struct default_hash_traits<element_region::key_t>):
9421         New.
9422         (class offset_region): New.
9423         (is_a_helper <const offset_region *>::test): New.
9424         (template <> struct default_hash_traits<offset_region::key_t>):
9425         New.
9426         (class cast_region): New.
9427         (is_a_helper <const cast_region *>::test): New.
9428         (template <> struct default_hash_traits<cast_region::key_t>): New.
9429         (class heap_allocated_region): New.
9430         (class alloca_region): New.
9431         (class string_region): New.
9432         (is_a_helper <const string_region *>::test): New.
9433         (class unknown_region): New.
9434         (class region_model_manager): New.
9435         (struct append_ssa_names_cb_data): New.
9436         (class call_details): New.
9437         (region_model::region_model): Add region_model_manager param.
9438         (region_model::print_svalue): Delete.
9439         (region_model::dump_dot_to_pp): Delete.
9440         (region_model::dump_dot_to_file): Delete.
9441         (region_model::dump_dot): Delete.
9442         (region_model::dump_to_pp): Drop summarize param in favor of
9443         simple and multiline.
9444         (region_model::dump): Likewise.
9445         (region_model::summarize_to_pp): Delete.
9446         (region_model::summarize): Delete.
9447         (region_model::void canonicalize): Drop ctxt param.
9448         (region_model::void check_for_poison): Delete.
9449         (region_model::get_gassign_result): New.
9450         (region_model::impl_call_alloca): New.
9451         (region_model::impl_call_analyzer_describe): New.
9452         (region_model::impl_call_analyzer_eval): New.
9453         (region_model::impl_call_builtin_expect): New.
9454         (region_model::impl_call_calloc): New.
9455         (region_model::impl_call_free): New.
9456         (region_model::impl_call_malloc): New.
9457         (region_model::impl_call_memset): New.
9458         (region_model::impl_call_strlen): New.
9459         (region_model::get_reachable_svalues): New.
9460         (region_model::handle_phi): Drop is_back_edge param.
9461         (region_model::region_id get_root_rid): Delete.
9462         (region_model::root_region *get_root_region): Delete.
9463         (region_model::region_id get_stack_region_id): Delete.
9464         (region_model::push_frame): Convert from region_id and svalue_id
9465         to const region * and const svalue *.
9466         (region_model::get_current_frame_id): Replace with...
9467         (region_model::get_current_frame): ...this.
9468         (region_model::pop_frame): Convert from region_id to
9469         const region *.  Drop purge and stats param.  Add out_result.
9470         (region_model::function *get_function_at_depth): Delete.
9471         (region_model::get_globals_region_id): Delete.
9472         (region_model::add_svalue): Delete.
9473         (region_model::replace_svalue): Delete.
9474         (region_model::add_region): Delete.
9475         (region_model::add_region_for_type): Delete.
9476         (region_model::get_svalue): Delete.
9477         (region_model::get_region): Delete.
9478         (region_model::get_lvalue): Convert from region_id to
9479         const region *.
9480         (region_model::get_rvalue): Convert from svalue_id to
9481         const svalue *.
9482         (region_model::get_or_create_ptr_svalue): Delete.
9483         (region_model::get_or_create_constant_svalue): Delete.
9484         (region_model::get_svalue_for_fndecl): Delete.
9485         (region_model::get_svalue_for_label): Delete.
9486         (region_model::get_region_for_fndecl): Delete.
9487         (region_model::get_region_for_label): Delete.
9488         (region_model::get_frame_at_index (int index) const;): New.
9489         (region_model::maybe_cast): Delete.
9490         (region_model::maybe_cast_1): Delete.
9491         (region_model::get_field_region): Delete.
9492         (region_model::id deref_rvalue): Convert from region_id and
9493         svalue_id to const region * and const svalue *.  Drop overload,
9494         passing in both a tree and an svalue.
9495         (region_model::set_value): Convert from region_id and svalue_id to
9496         const region * and const svalue *.
9497         (region_model::set_to_new_unknown_value): Delete.
9498         (region_model::clobber_region (const region *reg);): New.
9499         (region_model::purge_region (const region *reg);): New.
9500         (region_model::zero_fill_region (const region *reg);): New.
9501         (region_model::mark_region_as_unknown (const region *reg);): New.
9502         (region_model::copy_region): Convert from region_id to
9503         const region *.
9504         (region_model::eval_condition): Convert from svalue_id to
9505         const svalue *.
9506         (region_model::eval_condition_without_cm): Likewise.
9507         (region_model::compare_initial_and_pointer): New.
9508         (region_model::maybe_get_constant): Delete.
9509         (region_model::add_new_malloc_region): Delete.
9510         (region_model::get_representative_tree): Convert from svalue_id to
9511         const svalue *.
9512         (region_model::get_representative_path_var): Delete decl taking a
9513         region_id in favor of two decls, for svalue vs region, with an
9514         svalue_set to ensure termination.
9515         (region_model::get_path_vars_for_svalue): Delete.
9516         (region_model::create_region_for_heap_alloc): New.
9517         (region_model::create_region_for_alloca): New.
9518         (region_model::purge_unused_svalues): Delete.
9519         (region_model::remap_svalue_ids): Delete.
9520         (region_model::remap_region_ids): Delete.
9521         (region_model::purge_regions): Delete.
9522         (region_model::get_num_svalues): Delete.
9523         (region_model::get_num_regions): Delete.
9524         (region_model::get_descendents): Delete.
9525         (region_model::get_store): New.
9526         (region_model::delete_region_and_descendents): Delete.
9527         (region_model::get_manager): New.
9528         (region_model::unbind_region_and_descendents): New.
9529         (region_model::can_merge_with_p): Add point param.  Drop
9530         svalue_id_merger_mapping.
9531         (region_model::get_value_by_name): Delete.
9532         (region_model::convert_byte_offset_to_array_index): Delete.
9533         (region_model::get_or_create_mem_ref): Delete.
9534         (region_model::get_or_create_pointer_plus_expr): Delete.
9535         (region_model::get_or_create_view): Delete.
9536         (region_model::get_lvalue_1): Convert from region_id to
9537         const region *.
9538         (region_model::get_rvalue_1): Convert from svalue_id to
9539         const svalue *.
9540         (region_model::get_ssa_name_regions_for_current_frame): New.
9541         (region_model::append_ssa_names_cb): New.
9542         (region_model::get_store_value): New.
9543         (region_model::copy_struct_region): Delete.
9544         (region_model::copy_union_region): Delete.
9545         (region_model::copy_array_region): Delete.
9546         (region_model::region_exists_p): New.
9547         (region_model::make_region_for_unexpected_tree_code): Delete.
9548         (region_model::loop_replay_fixup): New.
9549         (region_model::poison_any_pointers_to_bad_regions): Delete.
9550         (region_model::poison_any_pointers_to_descendents): New.
9551         (region_model::dump_summary_of_rep_path_vars): Delete.
9552         (region_model::on_top_level_param): New.
9553         (region_model::record_dynamic_extents): New.
9554         (region_model::m_mgr;): New.
9555         (region_model::m_store;): New.
9556         (region_model::m_svalues;): Delete.
9557         (region_model::m_regions;): Delete.
9558         (region_model::m_root_rid;): Delete.
9559         (region_model::m_current_frame;): New.
9560         (region_model_context::remap_svalue_ids): Delete.
9561         (region_model_context::can_purge_p): Delete.
9562         (region_model_context::on_svalue_leak): New.
9563         (region_model_context::on_svalue_purge): Delete.
9564         (region_model_context::on_liveness_change): New.
9565         (region_model_context::on_inherited_svalue): Delete.
9566         (region_model_context::on_cast): Delete.
9567         (region_model_context::on_unknown_change): Convert from svalue_id to
9568         const svalue * and add is_mutable.
9569         (class noop_region_model_context): Update for region_model_context
9570         changes.
9571         (model_merger::model_merger): Add program_point.  Drop
9572         svalue_id_merger_mapping.
9573         (model_merger::dump_to_pp): Add "simple" param.
9574         (model_merger::dump): Likewise.
9575         (model_merger::get_region_a): Delete.
9576         (model_merger::get_region_b): Delete.
9577         (model_merger::can_merge_values_p): Delete.
9578         (model_merger::record_regions): Delete.
9579         (model_merger::record_svalues): Delete.
9580         (model_merger::m_point): New field.
9581         (model_merger::m_map_regions_from_a_to_m): Delete.
9582         (model_merger::m_map_regions_from_b_to_m): Delete.
9583         (model_merger::m_sid_mapping): Delete.
9584         (struct svalue_id_merger_mapping): Delete.
9585         (class engine): New.
9586         (struct canonicalization): Delete.
9587         (inchash::add): Delete decls for hashing svalue_id and region_id.
9588         (test_region_model_context::on_unexpected_tree_code): Require t to
9589         be non-NULL.
9590         (selftest::assert_condition): Add overload comparing a pair of
9591         const svalue *.
9592         * sm-file.cc: Include "tristate.h", "selftest.h",
9593         "analyzer/call-string.h", "analyzer/program-point.h",
9594         "analyzer/store.h", and "analyzer/region-model.h".
9595         (fileptr_state_machine::get_default_state): New.
9596         (fileptr_state_machine::on_stmt): Remove calls to
9597         get_readable_tree in favor of get_diagnostic_tree.
9598         * sm-malloc.cc: Include "tristate.h", "selftest.h",
9599         "analyzer/call-string.h", "analyzer/program-point.h",
9600         "analyzer/store.h", and "analyzer/region-model.h".
9601         (malloc_state_machine::get_default_state): New.
9602         (malloc_state_machine::reset_when_passed_to_unknown_fn_p): New.
9603         (malloc_diagnostic::describe_state_change): Handle change.m_expr
9604         being NULL.
9605         (null_arg::emit): Avoid printing "NULL '0'".
9606         (null_arg::describe_final_event): Avoid printing "(0) NULL".
9607         (malloc_leak::emit): Handle m_arg being NULL.
9608         (malloc_leak::describe_final_event): Handle ev.m_expr being NULL.
9609         (malloc_state_machine::on_stmt): Don't call get_readable_tree.
9610         Call get_diagnostic_tree when creating pending diagnostics.
9611         Update for is_zero_assignment becoming a member function of
9612         sm_ctxt.
9613         Don't transition to m_non_heap for ADDR_EXPR(MEM_REF()).
9614         (malloc_state_machine::reset_when_passed_to_unknown_fn_p): New
9615         vfunc implementation.
9616         * sm-sensitive.cc (sensitive_state_machine::warn_for_any_exposure): Call
9617         get_diagnostic_tree and pass the result to warn_for_state.
9618         * sm-signal.cc: Move includes of "analyzer/call-string.h" and
9619         "analyzer/program-point.h" to before "analyzer/region-model.h",
9620         and also include "analyzer/store.h" before it.
9621         (signal_unsafe_call::describe_state_change): Use
9622         get_dest_function to get handler.
9623         (update_model_for_signal_handler): Pass manager to region_model
9624         ctor.
9625         (register_signal_handler::impl_transition): Update for changes to
9626         get_or_create_node and add_edge.
9627         * sm-taint.cc (taint_state_machine::on_stmt): Remove calls to
9628         get_readable_tree, replacing them when calling warn_for_state with
9629         calls to get_diagnostic_tree.
9630         * sm.cc (is_zero_assignment): Delete.
9631         (any_pointer_p): Move to within namespace ana.
9632         * sm.h (is_zero_assignment): Remove decl.
9633         (any_pointer_p): Move decl to within namespace ana.
9634         (state_machine::get_default_state): New vfunc.
9635         (state_machine::reset_when_passed_to_unknown_fn_p): New vfunc.
9636         (sm_context::get_readable_tree): Rename to...
9637         (sm_context::get_diagnostic_tree): ...this.
9638         (sm_context::is_zero_assignment): New vfunc.
9639         * store.cc: New file.
9640         * store.h: New file.
9641         * svalue.cc: New file.
9643 2020-05-22  Mark Wielaard  <mark@klomp.org>
9645         * sm-signal.cc (signal_unsafe_call::emit): Possibly add
9646         gcc_rich_location note for replacement.
9647         (signal_unsafe_call::get_replacement_fn): New private function.
9648         (get_async_signal_unsafe_fns): Add "exit".
9650 2020-04-28  David Malcolm  <dmalcolm@redhat.com>
9652         PR analyzer/94816
9653         * engine.cc (impl_region_model_context::on_unexpected_tree_code):
9654         Handle NULL tree.
9655         * region-model.cc (region_model::add_region_for_type): Handle
9656         NULL type.
9657         * region-model.h
9658         (test_region_model_context::on_unexpected_tree_code): Handle NULL
9659         tree.
9661 2020-04-28  David Malcolm  <dmalcolm@redhat.com>
9663         PR analyzer/94447
9664         PR analyzer/94639
9665         PR analyzer/94732
9666         PR analyzer/94754
9667         * analyzer.opt (Wanalyzer-use-of-uninitialized-value): Delete.
9668         * program-state.cc (selftest::test_program_state_dumping): Update
9669         expected dump result for removal of "uninit".
9670         * region-model.cc (poison_kind_to_str): Delete POISON_KIND_UNINIT
9671         case.
9672         (root_region::ensure_stack_region): Initialize stack with null
9673         svalue_id rather than with a typeless POISON_KIND_UNINIT value.
9674         (root_region::ensure_heap_region): Likewise for the heap.
9675         (region_model::dump_summary_of_rep_path_vars): Remove
9676         summarization of uninit values.
9677         (region_model::validate): Remove check that the stack has a
9678         POISON_KIND_UNINIT value.
9679         (poisoned_value_diagnostic::emit): Remove POISON_KIND_UNINIT
9680         case.
9681         (poisoned_value_diagnostic::describe_final_event): Likewise.
9682         (selftest::test_dump): Update expected dump result for removal of
9683         "uninit".
9684         (selftest::test_svalue_equality): Remove "uninit" and "freed".
9685         * region-model.h (enum poison_kind): Remove POISON_KIND_UNINIT.
9687 2020-04-01  David Malcolm  <dmalcolm@redhat.com>
9689         PR analyzer/94378
9690         * checker-path.cc: Include "bitmap.h".
9691         * constraint-manager.cc: Likewise.
9692         * diagnostic-manager.cc: Likewise.
9693         * engine.cc: Likewise.
9694         (exploded_node::detect_leaks): Pass null region_id to pop_frame.
9695         * program-point.cc: Include "bitmap.h".
9696         * program-state.cc: Likewise.
9697         * region-model.cc (id_set<region_id>::id_set): Convert to...
9698         (region_id_set::region_id_set): ...this.
9699         (svalue_id_set::svalue_id_set): New ctor.
9700         (region_model::copy_region): New function.
9701         (region_model::copy_struct_region): New function.
9702         (region_model::copy_union_region): New function.
9703         (region_model::copy_array_region): New function.
9704         (stack_region::pop_frame): Drop return value.  Add
9705         "result_dst_rid" param; if it is non-null, use copy_region to copy
9706         the result to it.  Rather than capture and pass a single "known
9707         used" return value to be used by purge_unused_values, instead
9708         gather and pass a set of known used return values.
9709         (root_region::pop_frame): Drop return value.  Add "result_dst_rid"
9710         param.
9711         (region_model::on_assignment): Use copy_region.
9712         (region_model::on_return): Likewise for the result.
9713         (region_model::on_longjmp): Pass null for pop_frame's
9714         result_dst_rid.
9715         (region_model::update_for_return_superedge): Pass the region for the
9716         return value of the call, if any, to pop_frame, rather than setting
9717         the lvalue for the lhs of the result.
9718         (region_model::pop_frame): Drop return value.  Add
9719         "result_dst_rid" param.
9720         (region_model::purge_unused_svalues): Convert third param from an
9721         svalue_id * to an svalue_id_set *, updating the initial populating
9722         of the "used" bitmap accordingly.  Don't remap it when done.
9723         (struct selftest::coord_test): New selftest fixture, extracted from...
9724         (selftest::test_dump_2): ...here.
9725         (selftest::test_compound_assignment): New selftest.
9726         (selftest::test_stack_frames): Pass null to new param of pop_frame.
9727         (selftest::analyzer_region_model_cc_tests): Call the new selftest.
9728         * region-model.h (class id_set): Delete template.
9729         (class region_id_set): Reimplement, using old id_set implementation.
9730         (class svalue_id_set): Likewise.  Convert from auto_sbitmap to
9731         auto_bitmap.
9732         (region::get_active_view): New accessor.
9733         (stack_region::pop_frame): Drop return value.  Add
9734         "result_dst_rid" param.
9735         (root_region::pop_frame): Likewise.
9736         (region_model::pop_frame): Likewise.
9737         (region_model::copy_region): New decl.
9738         (region_model::purge_unused_svalues): Convert third param from an
9739         svalue_id * to an svalue_id_set *.
9740         (region_model::copy_struct_region): New decl.
9741         (region_model::copy_union_region): New decl.
9742         (region_model::copy_array_region): New decl.
9744 2020-03-27  David Malcolm  <dmalcolm@redhat.com>
9746         * program-state.cc (selftest::test_program_state_dumping): Update
9747         expected dump to include symbolic_region's possibly_null field.
9748         * region-model.cc (symbolic_region::print_fields): New vfunc
9749         implementation.
9750         (region_model::add_constraint): Clear m_possibly_null from
9751         symbolic_regions now known to be non-NULL.
9752         (selftest::test_malloc_constraints): New selftest.
9753         (selftest::analyzer_region_model_cc_tests): Call it.
9754         * region-model.h (region::dyn_cast_symbolic_region): Add non-const
9755         overload.
9756         (symbolic_region::dyn_cast_symbolic_region): Implement it.
9757         (symbolic_region::print_fields): New vfunc override decl.
9759 2020-03-27  David Malcolm  <dmalcolm@redhat.com>
9761         * analyzer.h (class feasibility_problem): New forward decl.
9762         * diagnostic-manager.cc (saved_diagnostic::saved_diagnostic):
9763         Initialize new fields m_status, m_epath_length, and m_problem.
9764         (saved_diagnostic::~saved_diagnostic): Delete m_problem.
9765         (dedupe_candidate::dedupe_candidate): Convert "sd" param from a
9766         const ref to a mutable ptr.
9767         (dedupe_winners::add): Convert "sd" param from a const ref to a
9768         mutable ptr.  Record the length of the exploded_path.  Record the
9769         feasibility/infeasibility of sd into sd, capturing a
9770         feasibility_problem when feasible_p fails, and storing it in sd.
9771         (diagnostic_manager::emit_saved_diagnostics): Update for pass by
9772         ptr rather than by const ref.
9773         * diagnostic-manager.h (class saved_diagnostic): Add new enum
9774         status.  Add fields m_status, m_epath_length and m_problem.
9775         (saved_diagnostic::set_feasible): New member function.
9776         (saved_diagnostic::set_infeasible): New member function.
9777         (saved_diagnostic::get_feasibility_problem): New accessor.
9778         (saved_diagnostic::get_status): New accessor.
9779         (saved_diagnostic::set_epath_length): New member function.
9780         (saved_diagnostic::get_epath_length): New accessor.
9781         * engine.cc: Include "gimple-pretty-print.h".
9782         (exploded_path::feasible_p): Add OUT param and, if non-NULL, write
9783         a new feasibility_problem to it on failure.
9784         (viz_callgraph_node::dump_dot): Convert begin_tr calls to
9785         begin_trtd.  Convert end_tr calls to end_tdtr.
9786         (class exploded_graph_annotator): New subclass of dot_annotator.
9787         (impl_run_checkers): Add a second -fdump-analyzer-supergraph dump
9788         after the analysis runs, using exploded_graph_annotator, dumping
9789         to DUMP_BASE_NAME.supergraph-eg.dot.
9790         * exploded-graph.h (exploded_node::get_dot_fillcolor): Make
9791         public.
9792         (exploded_path::feasible_p): Add OUT param.
9793         (class feasibility_problem): New class.
9794         * state-purge.cc (state_purge_annotator::add_node_annotations):
9795         Return a bool, add a "within_table" param.
9796         (print_vec_of_names): Convert begin_tr calls to begin_trtd.
9797         Convert end_tr calls to end_tdtr.
9798         (state_purge_annotator::add_stmt_annotations): Add "within_row"
9799         param.
9800         * state-purge.h (state_purge_annotator::add_node_annotations):
9801         Return a bool, add a "within_table" param.
9802         (state_purge_annotator::add_stmt_annotations): Add "within_row"
9803         param.
9804         * supergraph.cc (supernode::dump_dot): Call add_node_annotations
9805         twice: as before, passing false for "within_table", then again
9806         with true when within the TABLE element.  Convert some begin_tr
9807         calls to begin_trtd, and some end_tr calls to end_tdtr.
9808         Repeat each add_stmt_annotations call, distinguishing between
9809         calls that add TRs and those that add TDs to an existing TR.
9810         Add a call to add_after_node_annotations.
9811         * supergraph.h (dot_annotator::add_node_annotations): Add a
9812         "within_table" param.
9813         (dot_annotator::add_stmt_annotations): Add a "within_row" param.
9814         (dot_annotator::add_after_node_annotations): New vfunc.
9816 2020-03-27  David Malcolm  <dmalcolm@redhat.com>
9818         * diagnostic-manager.cc (dedupe_winners::add): Show the
9819         exploded_node index in the log messages.
9820         (diagnostic_manager::emit_saved_diagnostics): Log a summary of
9821         m_saved_diagnostics at entry.
9823 2020-03-27  David Malcolm  <dmalcolm@redhat.com>
9825         * supergraph.cc (superedge::dump): Add space before description;
9826         move newline to non-pretty_printer overload.
9828 2020-03-18  David Malcolm  <dmalcolm@redhat.com>
9830         * region-model.cc: Include "stor-layout.h".
9831         (region_model::dump_to_pp): Rather than calling
9832         dump_summary_of_map on each of the current frame and the globals,
9833         instead get a vec of representative path_vars for all regions,
9834         and then dump a summary of all of them.
9835         (region_model::dump_summary_of_map): Delete, rewriting into...
9836         (region_model::dump_summary_of_rep_path_vars): ...this new
9837         function, working on a vec of path_vars.
9838         (region_model::set_value): New overload.
9839         (region_model::get_representative_path_var): Rename
9840         "parent_region" local to "parent_reg" and consolidate with other
9841         local.  Guard test for grandparent being stack on parent_reg being
9842         non-NULL.  Move handling for parent being an array_region to
9843         within guard for parent_reg being non-NULL.
9844         (selftest::make_test_compound_type): New function.
9845         (selftest::test_dump_2): New selftest.
9846         (selftest::test_dump_3): New selftest.
9847         (selftest::test_stack_frames): Update expected output from
9848         simplified dump to show "a" and "b" from parent frame and "y" in
9849         child frame.
9850         (selftest::analyzer_region_model_cc_tests): Call test_dump_2 and
9851         test_dump_3.
9852         * region-model.h (region_model::set_value): New overload decl.
9853         (region_model::dump_summary_of_map): Delete.
9854         (region_model::dump_summary_of_rep_path_vars): New.
9856 2020-03-18  David Malcolm  <dmalcolm@redhat.com>
9858         * region-model.h (class noop_region_model_context): New subclass
9859         of region_model_context.
9860         (class tentative_region_model_context): Inherit from
9861         noop_region_model_context rather than from region_model_context;
9862         drop redundant vfunc implementations.
9863         (class test_region_model_context): Likewise.
9865 2020-03-18  David Malcolm  <dmalcolm@redhat.com>
9867         * engine.cc (exploded_node::exploded_node): Move implementation
9868         here from header; accept point_and_state by const reference rather
9869         than by value.
9870         * exploded-graph.h (exploded_node::exploded_node): Pass
9871         point_and_state by const reference rather than by value.  Move
9872         body to engine.cc.
9874 2020-03-18  Jakub Jelinek  <jakub@redhat.com>
9876         * sm-malloc.cc (malloc_state_machine::on_stmt): Fix up duplicated word
9877         issue in a comment.
9878         * region-model.cc (region_model::make_region_for_unexpected_tree_code,
9879         region_model::delete_region_and_descendents): Likewise.
9880         * engine.cc (class exploded_cluster): Likewise.
9881         * diagnostic-manager.cc (class path_builder): Likewise.
9883 2020-03-13  David Malcolm  <dmalcolm@redhat.com>
9885         PR analyzer/94099
9886         PR analyzer/94105
9887         * diagnostic-manager.cc (for_each_state_change): Bulletproof
9888         against errors in get_rvalue by passing a
9889         tentative_region_model_context and rejecting if there's an error.
9890         * region-model.cc (region_model::get_lvalue_1): When handling
9891         ARRAY_REF, handle results of error-handling.  Handle NOP_EXPR.
9893 2020-03-06  David Malcolm  <dmalcolm@redhat.com>
9895         * analyzer.h (class array_region): New forward decl.
9896         * program-state.cc (selftest::test_program_state_dumping_2): New.
9897         (selftest::analyzer_program_state_cc_tests): Call it.
9898         * region-model.cc (array_region::constant_from_key): New.
9899         (region_model::get_representative_tree): Handle region_svalue by
9900         generating an ADDR_EXPR.
9901         (region_model::get_representative_path_var): In view handling,
9902         remove erroneous TREE_TYPE when determining the type of the tree.
9903         Handle array regions and STRING_CST.
9904         (selftest::assert_dump_tree_eq): New.
9905         (ASSERT_DUMP_TREE_EQ): New macro.
9906         (selftest::test_get_representative_tree): New selftest.
9907         (selftest::analyzer_region_model_cc_tests): Call it.
9908         * region-model.h (region::dyn_cast_array_region): New vfunc.
9909         (array_region::dyn_cast_array_region): New vfunc implementation.
9910         (array_region::constant_from_key): New decl.
9912 2020-03-06  David Malcolm  <dmalcolm@redhat.com>
9914         * analyzer.h (dump_quoted_tree): New decl.
9915         * engine.cc (exploded_node::dump_dot): Pass region model to
9916         sm_state_map::print.
9917         * program-state.cc: Include diagnostic-core.h.
9918         (sm_state_map::print): Add "model" param and use it to print
9919         representative trees.  Only print origin information if non-null.
9920         (sm_state_map::dump): Pass NULL for model to print call.
9921         (program_state::print): Pass region model to sm_state_map::print.
9922         (program_state::dump_to_pp): Use spaces rather than newlines when
9923         summarizing.  Pass region_model to sm_state_map::print.
9924         (ana::selftest::assert_dump_eq): New function.
9925         (ASSERT_DUMP_EQ): New macro.
9926         (ana::selftest::test_program_state_dumping): New function.
9927         (ana::selftest::analyzer_program_state_cc_tests): Call it.
9928         * program-state.h (program_state::print): Add model param.
9929         * region-model.cc (dump_quoted_tree): New function.
9930         (map_region::print_fields): Use dump_quoted_tree rather than
9931         %qE to avoid lang-dependent output.
9932         (map_region::dump_child_label): Likewise.
9933         (region_model::dump_summary_of_map): For SK_REGION, when
9934         get_representative_path_var fails, print the region id rather than
9935         erroneously printing NULL.
9936         * sm.cc (state_machine::get_state_by_name): New function.
9937         * sm.h (state_machine::get_state_by_name): New decl.
9939 2020-03-04  David Malcolm  <dmalcolm@redhat.com>
9941         * region-model.cc (region::validate): Convert model param from ptr
9942         to reference.  Update comment to reflect that it's now a vfunc.
9943         (map_region::validate): New vfunc implementation.
9944         (array_region::validate): New vfunc implementation.
9945         (stack_region::validate): New vfunc implementation.
9946         (root_region::validate): New vfunc implementation.
9947         (region_model::validate): Pass a reference rather than a pointer
9948         to the region::validate vfunc.
9949         * region-model.h (region::validate): Make virtual.  Convert model
9950         param from ptr to reference.
9951         (map_region::validate): New vfunc decl.
9952         (array_region::validate): New vfunc decl.
9953         (stack_region::validate): New vfunc decl.
9954         (root_region::validate): New vfunc decl.
9956 2020-03-04  David Malcolm  <dmalcolm@redhat.com>
9958         PR analyzer/93993
9959         * region-model.cc (region_model::on_call_pre): Handle
9960         BUILT_IN_EXPECT and its variants.
9961         (region_model::add_any_constraints_from_ssa_def_stmt): Split out
9962         gassign handling into add_any_constraints_from_gassign; add gcall
9963         handling.
9964         (region_model::add_any_constraints_from_gassign): New function,
9965         based on the above.  Add handling for NOP_EXPR.
9966         (region_model::add_any_constraints_from_gcall): New function.
9967         (region_model::get_representative_path_var): Handle views.
9968         * region-model.h
9969         (region_model::add_any_constraints_from_ssa_def_stmt): New decl.
9970         (region_model::add_any_constraints_from_gassign): New decl.
9972 2020-03-04  David Malcolm  <dmalcolm@redhat.com>
9974         PR analyzer/93993
9975         * checker-path.h (state_change_event::get_lvalue): Add ctxt param
9976         and pass it to region_model::get_value call.
9977         * diagnostic-manager.cc (get_any_origin): Pass a
9978         tentative_region_model_context to the calls to get_lvalue and reject
9979         the comparison if errors occur.
9980         (can_be_expr_of_interest_p): New function.
9981         (diagnostic_manager::prune_for_sm_diagnostic): Replace checks for
9982         CONSTANT_CLASS_P with calls to update_for_unsuitable_sm_exprs.
9983         Pass a tentative_region_model_context to the calls to
9984         state_change_event::get_lvalue and reject the comparison if errors
9985         occur.
9986         (diagnostic_manager::update_for_unsuitable_sm_exprs): New.
9987         * diagnostic-manager.h
9988         (diagnostic_manager::update_for_unsuitable_sm_exprs): New decl.
9989         * region-model.h (class tentative_region_model_context): New class.
9991 2020-03-04  David Malcolm  <dmalcolm@redhat.com>
9993         * engine.cc (worklist::worklist): Remove unused field m_eg.
9994         (class viz_callgraph_edge): Remove unused field m_call_sedge.
9995         (class viz_callgraph): Remove unused field m_sg.
9996         * exploded-graph.h (worklist::m_eg): Remove unused field.
9998 2020-03-02  David Malcolm  <dmalcolm@redhat.com>
10000         * analyzer.opt (fanalyzer-show-duplicate-count): New option.
10001         * diagnostic-manager.cc
10002         (diagnostic_manager::emit_saved_diagnostic): Use the above to
10003         guard the printing of the duplicate count.
10005 2020-03-02  David Malcolm  <dmalcolm@redhat.com>
10007         PR analyzer/93959
10008         * analyzer.cc (is_std_function_p): New function.
10009         (is_std_named_call_p): New function.
10010         * analyzer.h (is_std_named_call_p): New decl.
10011         * sm-malloc.cc (malloc_state_machine::on_stmt): Check for "std::"
10012         variants when checking for malloc, calloc and free.
10014 2020-02-26  David Malcolm  <dmalcolm@redhat.com>
10016         PR analyzer/93950
10017         * diagnostic-manager.cc
10018         (diagnostic_manager::prune_for_sm_diagnostic): Assert that var is
10019         either NULL or not a constant.  When updating var, bulletproof
10020         against constant values.
10022 2020-02-26  David Malcolm  <dmalcolm@redhat.com>
10024         PR analyzer/93947
10025         * region-model.cc (region_model::get_fndecl_for_call): Gracefully
10026         fail for fn_decls that don't have a cgraph_node.
10028 2020-02-26  David Malcolm  <dmalcolm@redhat.com>
10030         * bar-chart.cc: New file.
10031         * bar-chart.h: New file.
10032         * engine.cc: Include "analyzer/bar-chart.h".
10033         (stats::log): Only log the m_num_nodes kinds that are non-zero.
10034         (stats::dump): Likewise when dumping.
10035         (stats::get_total_enodes): New.
10036         (exploded_graph::get_or_create_node): Increment the per-point-data
10037         m_excess_enodes when hitting the per-program-point limit on
10038         enodes.
10039         (exploded_graph::print_bar_charts): New.
10040         (exploded_graph::log_stats): Log the number of unprocessed enodes
10041         in the worklist.  Call print_bar_charts.
10042         (exploded_graph::dump_stats): Print the number of unprocessed
10043         enodes in the worklist.
10044         * exploded-graph.h (stats::get_total_enodes): New decl.
10045         (struct per_program_point_data): Add field m_excess_enodes.
10046         (exploded_graph::print_bar_charts): New decl.
10047         * supergraph.cc (superedge::dump): New.
10048         (superedge::dump): New.
10049         * supergraph.h (supernode::get_function): New.
10050         (superedge::dump): New decl.
10051         (superedge::dump): New decl.
10053 2020-02-24  David Malcolm  <dmalcolm@redhat.com>
10055         * engine.cc (exploded_graph::get_or_create_node): Dump the
10056         program_state to the pp, rather than to stderr.
10058 2020-02-24  David Malcolm  <dmalcolm@redhat.com>
10060         PR analyzer/93032
10061         * sm.cc (make_checkers): Require the "taint" checker to be
10062         explicitly enabled.
10064 2020-02-24  David Malcolm  <dmalcolm@redhat.com>
10066         PR analyzer/93899
10067         * engine.cc
10068         (impl_region_model_context::impl_region_model_context): Add logger
10069         param.
10070         * engine.cc (exploded_graph::add_function_entry): Create an
10071         impl_region_model_context and pass it to the push_frame call.
10072         Bail if the resulting state is invalid.
10073         (exploded_graph::build_initial_worklist): Likewise.
10074         (exploded_graph::build_initial_worklist): Handle the case where
10075         add_function_entry fails.
10076         * exploded-graph.h
10077         (impl_region_model_context::impl_region_model_context): Add logger
10078         param.
10079         * region-model.cc (map_region::get_or_create): Add ctxt param and
10080         pass it to add_region_for_type.
10081         (map_region::can_merge_p): Pass NULL as a ctxt to call to
10082         get_or_create.
10083         (array_region::get_element): Pass ctxt to call to get_or_create.
10084         (array_region::get_or_create): Add ctxt param and pass it to
10085         add_region_for_type.
10086         (root_region::push_frame): Pass ctxt to get_or_create calls.
10087         (region_model::get_lvalue_1): Likewise.
10088         (region_model::make_region_for_unexpected_tree_code): Assert that
10089         ctxt is non-NULL.
10090         (region_model::get_rvalue_1): Pass ctxt to get_svalue_for_fndecl
10091         and get_svalue_for_label calls.
10092         (region_model::get_svalue_for_fndecl): Add ctxt param and pass it
10093         to get_region_for_fndecl.
10094         (region_model::get_region_for_fndecl): Add ctxt param and pass it
10095         to get_or_create.
10096         (region_model::get_svalue_for_label): Add ctxt param and pass it
10097         to get_region_for_label.
10098         (region_model::get_region_for_label): Add ctxt param and pass it
10099         to get_region_for_fndecl and get_or_create.
10100         (region_model::get_field_region): Add ctxt param and pass it to
10101         get_or_create_view and get_or_create.
10102         (make_region_for_type): Replace gcc_unreachable with return NULL.
10103         (region_model::add_region_for_type): Add ctxt param.  Handle a
10104         return of NULL from make_region_for_type by calling
10105         make_region_for_unexpected_tree_code.
10106         (region_model::get_or_create_mem_ref): Pass ctxt to calls to
10107         get_or_create_view.
10108         (region_model::get_or_create_view): Add ctxt param and pass it to
10109         add_region_for_type.
10110         (selftest::test_state_merging): Pass ctxt to get_or_create_view.
10111         * region-model.h (region_model::get_or_create): Add ctxt param.
10112         (region_model::add_region_for_type): Likewise.
10113         (region_model::get_svalue_for_fndecl): Likewise.
10114         (region_model::get_svalue_for_label): Likewise.
10115         (region_model::get_region_for_fndecl): Likewise.
10116         (region_model::get_region_for_label): Likewise.
10117         (region_model::get_field_region): Likewise.
10118         (region_model::get_or_create_view): Likewise.
10120 2020-02-24  David Malcolm  <dmalcolm@redhat.com>
10122         * checker-path.cc (superedge_event::should_filter_p): Update
10123         filter for empty descriptions to cover verbosity level 3 as well
10124         as 2.
10125         * diagnostic-manager.cc: Include "analyzer/reachability.h".
10126         (class path_builder): New class.
10127         (diagnostic_manager::emit_saved_diagnostic): Create a path_builder
10128         and pass it to build_emission_path, rather than passing eg; similarly
10129         for add_events_for_eedge and ext_state.
10130         (diagnostic_manager::build_emission_path): Replace "eg" param
10131         with a path_builder, pass it to add_events_for_eedge.
10132         (diagnostic_manager::add_events_for_eedge): Replace ext_state
10133         param with path_builder; pass it to add_events_for_superedge.
10134         (diagnostic_manager::significant_edge_p): New.
10135         (diagnostic_manager::add_events_for_superedge): Add path_builder
10136         param.  Reject insignificant edges at verbosity levels below 3.
10137         (diagnostic_manager::prune_for_sm_diagnostic): Update highest
10138         verbosity level to 4.
10139         * diagnostic-manager.h (class path_builder): New forward decl.
10140         (diagnostic_manager::build_emission_path): Replace "eg" param
10141         with a path_builder.
10142         (diagnostic_manager::add_events_for_eedge): Replace ext_state
10143         param with path_builder.
10144         (diagnostic_manager::significant_edge_p): New.
10145         (diagnostic_manager::add_events_for_superedge): Add path_builder
10146         param.
10147         * reachability.h: New file.
10149 2020-02-18  David Malcolm  <dmalcolm@redhat.com>
10151         PR analyzer/93692
10152         * analyzer.opt (fdump-analyzer-callgraph): Rewrite description.
10154 2020-02-18  David Malcolm  <dmalcolm@redhat.com>
10156         PR analyzer/93777
10157         * region-model.cc (region_model::maybe_cast_1): Replace assertion
10158         that build_cast returns non-NULL with a conditional, falling
10159         through to the logic which returns a new unknown value of the
10160         desired type if it fails.
10162 2020-02-18  David Malcolm  <dmalcolm@redhat.com>
10164         PR analyzer/93778
10165         * engine.cc (impl_region_model_context::on_unknown_tree_code):
10166         Rename to...
10167         (impl_region_model_context::on_unexpected_tree_code): ...this and
10168         convert first argument from path_var to tree.
10169         (exploded_node::on_stmt): Pass ctxt to purge_for_unknown_fncall.
10170         * exploded-graph.h (region_model_context::on_unknown_tree_code):
10171         Rename to...
10172         (region_model_context::on_unexpected_tree_code): ...this and
10173         convert first argument from path_var to tree.
10174         * program-state.cc (sm_state_map::purge_for_unknown_fncall): Add
10175         ctxt param and pass on to calls to get_rvalue.
10176         * program-state.h (sm_state_map::purge_for_unknown_fncall): Add
10177         ctxt param.
10178         * region-model.cc (region_model::handle_unrecognized_call): Pass
10179         ctxt on to call to get_rvalue.
10180         (region_model::get_lvalue_1): Move body of default case to
10181         region_model::make_region_for_unexpected_tree_code and call it.
10182         Within COMPONENT_REF case, reject attempts to handle types other
10183         than RECORD_TYPE and UNION_TYPE.
10184         (region_model::make_region_for_unexpected_tree_code): New
10185         function, based on default case of region_model::get_lvalue_1.
10186         * region-model.h
10187         (region_model::make_region_for_unexpected_tree_code): New decl.
10188         (region_model::on_unknown_tree_code): Rename to...
10189         (region_model::on_unexpected_tree_code): ...this and convert first
10190         argument from path_var to tree.
10191         (class test_region_model_context): Update vfunc implementation for
10192         above change.
10194 2020-02-18  David Malcolm  <dmalcolm@redhat.com>
10196         PR analyzer/93774
10197         * region-model.cc
10198         (region_model::convert_byte_offset_to_array_index): Use
10199         int_size_in_bytes before calling size_in_bytes, to gracefully fail
10200         on incomplete types.
10202 2020-02-17  David Malcolm  <dmalcolm@redhat.com>
10204         PR analyzer/93775
10205         * region-model.cc (region_model::get_fndecl_for_call): Handle the
10206         case where the code_region's get_tree_for_child_region returns
10207         NULL.
10209 2020-02-17  David Malcolm  <dmalcolm@redhat.com>
10211         PR analyzer/93388
10212         * engine.cc (impl_region_model_context::on_unknown_tree_code):
10213         New.
10214         (exploded_graph::get_or_create_node): Reject invalid states.
10215         * exploded-graph.h
10216         (impl_region_model_context::on_unknown_tree_code): New decl.
10217         (point_and_state::point_and_state): Assert that the state is
10218         valid.
10219         * program-state.cc (program_state::program_state): Initialize
10220         m_valid to true.
10221         (program_state::operator=): Copy m_valid.
10222         (program_state::program_state): Likewise for move constructor.
10223         (program_state::print): Print m_valid.
10224         (program_state::dump_to_pp): Likewise.
10225         * program-state.h (program_state::m_valid): New field.
10226         * region-model.cc (region_model::get_lvalue_1): Implement the
10227         default case by returning a new symbolic region and calling
10228         the context's on_unknown_tree_code, rather than issuing an
10229         internal_error.  Implement VIEW_CONVERT_EXPR.
10230         * region-model.h (region_model_context::on_unknown_tree_code): New
10231         vfunc.
10232         (test_region_model_context::on_unknown_tree_code): New.
10234 2020-02-17  David Malcolm  <dmalcolm@redhat.com>
10236         * sm-malloc.cc (malloc_diagnostic::describe_state_change): For
10237         transition to the "null" state, only say "assuming" when
10238         transitioning from the "unchecked" state.
10240 2020-02-17  David Malcolm  <dmalcolm@redhat.com>
10242         * diagnostic-manager.h (diagnostic_manager::get_saved_diagnostic):
10243         Add const overload.
10244         * engine.cc (exploded_node::dump_dot): Dump saved_diagnostics.
10245         * exploded-graph.h (exploded_graph::get_diagnostic_manager): Add
10246         const overload.
10248 2020-02-11  David Malcolm  <dmalcolm@redhat.com>
10250         PR analyzer/93288
10251         * analysis-plan.cc (analysis_plan::use_summary_p): Look through
10252         the ultimate_alias_target when getting the called function.
10253         * engine.cc (exploded_node::on_stmt): Rename second "ctxt" to
10254         "sm_ctxt".  Use the region_model's get_fndecl_for_call rather than
10255         gimple_call_fndecl.
10256         * region-model.cc (region_model::get_fndecl_for_call): Use
10257         ultimate_alias_target on fndecl.
10258         * supergraph.cc (get_ultimate_function_for_cgraph_edge): New
10259         function.
10260         (supergraph_call_edge): Use it when rejecting edges without
10261         functions.
10262         (supergraph::supergraph): Use it to get the function for the
10263         cgraph_edge when building interprocedural superedges.
10264         (callgraph_superedge::get_callee_function): Use it.
10265         * supergraph.h (supergraph::get_num_snodes): Make param const.
10266         (supergraph::function_to_num_snodes_t): Make first type param
10267         const.
10269 2020-02-11  David Malcolm  <dmalcolm@redhat.com>
10271         PR analyzer/93374
10272         * engine.cc (exploded_edge::exploded_edge): Add ext_state param
10273         and pass it to change.validate.
10274         (exploded_graph::get_or_create_node): Move purging of change
10275         svalues to also cover the case of reusing an existing enode.
10276         (exploded_graph::add_edge): Pass m_ext_state to exploded_edge's
10277         ctor.
10278         * exploded-graph.h (exploded_edge::exploded_edge): Add ext_state
10279         param.
10280         * program-state.cc (state_change::sm_change::validate): Likewise.
10281         Assert that m_sm_idx is sane.  Use ext_state to validate
10282         m_old_state and m_new_state.
10283         (state_change::validate): Add ext_state param and pass it to
10284         the sm_change validate calls.
10285         * program-state.h (state_change::sm_change::validate): Add
10286         ext_state param.
10287         (state_change::validate): Likewise.
10289 2020-02-11  David Malcolm  <dmalcolm@redhat.com>
10291         PR analyzer/93669
10292         * engine.cc (exploded_graph::dump_exploded_nodes): Handle missing
10293         case of STATUS_WORKLIST in implementation of
10294         "__analyzer_dump_exploded_nodes".
10296 2020-02-11  David Malcolm  <dmalcolm@redhat.com>
10298         PR analyzer/93649
10299         * constraint-manager.cc (constraint_manager::add_constraint): When
10300         merging equivalence classes and updating m_constant, also update
10301         m_cst_sid.
10302         (constraint_manager::validate): If m_constant is non-NULL assert
10303         that m_cst_sid is non-null and is valid.
10305 2020-02-11  David Malcolm  <dmalcolm@redhat.com>
10307         PR analyzer/93657
10308         * analyzer.opt (fdump-analyzer): Reword description.
10309         (fdump-analyzer-stderr): Likewise.
10311 2020-02-11  David Malcolm  <dmalcolm@redhat.com>
10313         * region-model.cc (print_quoted_type): New function.
10314         (svalue::print): Use it to replace %qT.
10315         (region::dump_to_pp): Likewise.
10316         (region::dump_child_label): Likewise.
10317         (region::print_fields): Likewise.
10319 2020-02-10  David Malcolm  <dmalcolm@redhat.com>
10321         PR analyzer/93659
10322         * analyzer.opt (-param=analyzer-max-recursion-depth=): Fix "tha"
10323         -> "that" typo.
10324         (Wanalyzer-use-of-uninitialized-value): Fix "initialized" ->
10325         "uninitialized" typo.
10327 2020-02-10  David Malcolm  <dmalcolm@redhat.com>
10329         PR analyzer/93350
10330         * region-model.cc (region_model::get_lvalue_1):
10331         Handle BIT_FIELD_REF.
10332         (make_region_for_type): Handle VECTOR_TYPE.
10334 2020-02-10  David Malcolm  <dmalcolm@redhat.com>
10336         PR analyzer/93647
10337         * diagnostic-manager.cc
10338         (diagnostic_manager::prune_for_sm_diagnostic): Bulletproof against
10339         VAR being constant.
10340         * region-model.cc (region_model::get_lvalue_1): Provide a better
10341         error message when encountering an unhandled tree code.
10343 2020-02-10  David Malcolm  <dmalcolm@redhat.com>
10345         PR analyzer/93405
10346         * region-model.cc (region_model::get_lvalue_1): Implement
10347         CONST_DECL.
10349 2020-02-06  David Malcolm  <dmalcolm@redhat.com>
10351         * region-model.cc (region_model::maybe_cast_1): Attempt to provide
10352         a region_svalue if either type is a pointer, rather than if both
10353         types are pointers.
10355 2020-02-05  David Malcolm  <dmalcolm@redhat.com>
10357         * engine.cc (exploded_node::dump_dot): Show merger enodes.
10358         (worklist::add_node): Assert that the node's m_status is
10359         STATUS_WORKLIST.
10360         (exploded_graph::process_worklist): Likewise for nodes from the
10361         worklist.  Set status of merged nodes to STATUS_MERGER.
10362         (exploded_graph::process_node): Set status of node to
10363         STATUS_PROCESSED.
10364         (exploded_graph::dump_exploded_nodes): Rework handling of
10365         "__analyzer_dump_exploded_nodes", splitting enodes by status into
10366         "processed" and "merger", showing the count of just the processed
10367         enodes at the call, rather than the count of all enodes.
10368         * exploded-graph.h (exploded_node::status): New enum.
10369         (exploded_node::exploded_node): Initialize m_status to
10370         STATUS_WORKLIST.
10371         (exploded_node::get_status): New getter.
10372         (exploded_node::set_status): New setter.
10374 2020-02-04  David Malcolm  <dmalcolm@redhat.com>
10376         PR analyzer/93543
10377         * engine.cc (pod_hash_traits<function_call_string>::mark_empty):
10378         Eliminate reinterpret_cast.
10379         (pod_hash_traits<function_call_string>::is_empty): Likewise.
10381 2020-02-03  David Malcolm  <dmalcolm@redhat.com>
10383         * constraint-manager.cc (range::constrained_to_single_element):
10384         Replace fold_build2 with fold_binary.  Remove unnecessary newline.
10385         (constraint_manager::get_or_add_equiv_class): Replace fold_build2
10386         with fold_binary in two places, and remove out-of-date comment.
10387         (constraint_manager::eval_condition): Replace fold_build2 with
10388         fold_binary.
10389         * region-model.cc (constant_svalue::eval_condition): Likewise.
10390         (region_model::on_assignment): Likewise.
10392 2020-02-03  David Malcolm  <dmalcolm@redhat.com>
10394         PR analyzer/93544
10395         * diagnostic-manager.cc
10396         (diagnostic_manager::prune_for_sm_diagnostic): Bulletproof
10397         against bad choices due to bad paths.
10398         * engine.cc (impl_region_model_context::on_phi): New.
10399         * exploded-graph.h (impl_region_model_context::on_phi): New decl.
10400         * region-model.cc (region_model::on_longjmp): Likewise.
10401         (region_model::handle_phi): Add phi param.  Call the ctxt's on_phi
10402         vfunc.
10403         (region_model::update_for_phis): Pass phi to handle_phi.
10404         * region-model.h (region_model::handle_phi): Add phi param.
10405         (region_model_context::on_phi): New vfunc.
10406         (test_region_model_context::on_phi): New.
10407         * sm-malloc.cc (malloc_state_machine::on_phi): New.
10408         (malloc_state_machine::on_zero_assignment): New.
10409         * sm.h (state_machine::on_phi): New vfunc.
10411 2020-02-03  David Malcolm  <dmalcolm@redhat.com>
10413         * engine.cc (supernode_cluster::dump_dot): Show BB index as
10414         well as SN index.
10415         * supergraph.cc (supernode::dump_dot): Likewise.
10417 2020-02-03  David Malcolm  <dmalcolm@redhat.com>
10419         PR analyzer/93546
10420         * region-model.cc (region_model::on_call_pre): Update for new
10421         param of symbolic_region ctor.
10422         (region_model::deref_rvalue): Likewise.
10423         (region_model::add_new_malloc_region): Likewise.
10424         (make_region_for_type): Likewise, preserving type.
10425         * region-model.h (symbolic_region::symbolic_region): Add "type"
10426         param and pass it to base class ctor.
10428 2020-02-03  David Malcolm  <dmalcolm@redhat.com>
10430         PR analyzer/93547
10431         * constraint-manager.cc
10432         (constraint_manager::get_or_add_equiv_class): Ensure types are
10433         compatible before comparing constants.
10435 2020-01-31  David Malcolm  <dmalcolm@redhat.com>
10437         PR analyzer/93457
10438         * region-model.cc (make_region_for_type): Use VOID_TYPE_P rather
10439         than checking against void_type_node.
10441 2020-01-31  David Malcolm  <dmalcolm@redhat.com>
10443         PR analyzer/93373
10444         * region-model.cc (ASSERT_COMPAT_TYPES): Convert to...
10445         (assert_compat_types): ...this, and bail when either type is NULL,
10446         or when VOID_TYPE_P (dst_type).
10447         (region_model::get_lvalue): Update for above conversion.
10448         (region_model::get_rvalue): Likewise.
10450 2020-01-31  David Malcolm  <dmalcolm@redhat.com>
10452         PR analyzer/93379
10453         * region-model.cc (region_model::update_for_return_superedge):
10454         Move check for null result so that it also guards setting the
10455         lhs.
10457 2020-01-31  David Malcolm  <dmalcolm@redhat.com>
10459         PR analyzer/93438
10460         * region-model.cc (stack_region::can_merge_p): Split into a two
10461         pass approach, creating all stack regions first, then populating
10462         them.
10463         (selftest::test_state_merging): Add test coverage for (a) the case
10464         of self-merging a model in which a local in an older stack frame
10465         points to a local in a more recent stack frame (which previously
10466         would ICE), and (b) the case of self-merging a model in which a
10467         local points to a global (which previously worked OK).
10469 2020-01-31  David Malcolm  <dmalcolm@redhat.com>
10471         * analyzer.cc (is_named_call_p): Replace tests for fndecl being
10472         extern at file scope and having a non-NULL DECL_NAME with a call
10473         to maybe_special_function_p.
10474         * function-set.cc (function_set::contains_decl_p): Add call to
10475         maybe_special_function_p.
10477 2020-01-31  David Malcolm  <dmalcolm@redhat.com>
10479         PR analyzer/93450
10480         * constraint-manager.cc
10481         (constraint_manager::get_or_add_equiv_class): Only compare constants
10482         if their types are compatible.
10483         * region-model.cc (constant_svalue::eval_condition): Replace check
10484         for identical types with call to types_compatible_p.
10486 2020-01-30  David Malcolm  <dmalcolm@redhat.com>
10488         * program-state.cc (extrinsic_state::dump_to_pp): New.
10489         (extrinsic_state::dump_to_file): New.
10490         (extrinsic_state::dump): New.
10491         * program-state.h (extrinsic_state::dump_to_pp): New decl.
10492         (extrinsic_state::dump_to_file): New decl.
10493         (extrinsic_state::dump): New decl.
10494         * sm.cc: Include "pretty-print.h".
10495         (state_machine::dump_to_pp): New.
10496         * sm.h (state_machine::dump_to_pp): New decl.
10498 2020-01-30  David Malcolm  <dmalcolm@redhat.com>
10500         * diagnostic-manager.cc (for_each_state_change): Use
10501         extrinsic_state::get_num_checkers rather than accessing m_checkers
10502         directly.
10503         * program-state.cc (program_state::program_state): Likewise.
10504         * program-state.h (extrinsic_state::m_checkers): Make private.
10506 2020-01-30  David Malcolm  <dmalcolm@redhat.com>
10508         PR analyzer/93356
10509         * region-model.cc (region_model::eval_condition): In both
10510         overloads, bail out immediately on floating-point types.
10511         (region_model::eval_condition_without_cm): Likewise.
10512         (region_model::add_constraint): Likewise.
10514 2020-01-30  David Malcolm  <dmalcolm@redhat.com>
10516         PR analyzer/93450
10517         * program-state.cc (sm_state_map::set_state): For the overload
10518         taking an svalue_id, bail out if the set_state on the ec does
10519         nothing.  Convert the latter's return type from void to bool,
10520         returning true if anything changed.
10521         (sm_state_map::impl_set_state): Convert the return type from void
10522         to bool, returning true if the state changed.
10523         * program-state.h (sm_state_map::set_state): Convert return type
10524         from void to bool.
10525         (sm_state_map::impl_set_state): Likewise.
10526         * region-model.cc (constant_svalue::eval_condition): Only call
10527         fold_build2 if the types are the same.
10529 2020-01-29  Jakub Jelinek  <jakub@redhat.com>
10531         * analyzer.h (PUSH_IGNORE_WFORMAT, POP_IGNORE_WFORMAT): Remove.
10532         * constraint-manager.cc: Include diagnostic-core.h before graphviz.h.
10533         (range::dump, equiv_class::print): Don't use PUSH_IGNORE_WFORMAT or
10534         POP_IGNORE_WFORMAT.
10535         * state-purge.cc: Include diagnostic-core.h before
10536         gimple-pretty-print.h.
10537         (state_purge_annotator::add_node_annotations, print_vec_of_names):
10538         Don't use PUSH_IGNORE_WFORMAT or POP_IGNORE_WFORMAT.
10539         * region-model.cc: Move diagnostic-core.h include before graphviz.h.
10540         (path_var::dump, svalue::print, constant_svalue::print_details,
10541         region::dump_to_pp, region::dump_child_label, region::print_fields,
10542         map_region::print_fields, map_region::dump_dot_to_pp,
10543         map_region::dump_child_label, array_region::print_fields,
10544         array_region::dump_dot_to_pp): Don't use PUSH_IGNORE_WFORMAT or
10545         POP_IGNORE_WFORMAT.
10547 2020-01-28  David Malcolm  <dmalcolm@redhat.com>
10549         PR analyzer/93316
10550         * engine.cc (rewind_info_t::update_model): Get the longjmp call
10551         stmt via get_longjmp_call () rather than assuming it is the last
10552         stmt in the longjmp's supernode.
10553         (rewind_info_t::add_events_to_path): Get the location_t for the
10554         rewind_from_longjmp_event via get_longjmp_call () rather than from
10555         the supernode's get_end_location ().
10557 2020-01-28  David Malcolm  <dmalcolm@redhat.com>
10559         * region-model.cc (poisoned_value_diagnostic::emit): Update for
10560         renaming of warning_at overload to warning_meta.
10561         * sm-file.cc (file_leak::emit): Likewise.
10562         * sm-malloc.cc (double_free::emit): Likewise.
10563         (possible_null_deref::emit): Likewise.
10564         (possible_null_arg::emit): Likewise.
10565         (null_deref::emit): Likewise.
10566         (null_arg::emit): Likewise.
10567         (use_after_free::emit): Likewise.
10568         (malloc_leak::emit): Likewise.
10569         (free_of_non_heap::emit): Likewise.
10570         * sm-sensitive.cc (exposure_through_output_file::emit): Likewise.
10571         * sm-signal.cc (signal_unsafe_call::emit): Likewise.
10572         * sm-taint.cc (tainted_array_index::emit): Likewise.
10574 2020-01-27  David Malcolm  <dmalcolm@redhat.com>
10576         PR analyzer/93451
10577         * region-model.cc (tree_cmp): For the REAL_CST case, impose an
10578         arbitrary order on NaNs relative to other NaNs and to non-NaNs;
10579         const-correctness tweak.
10580         (ana::selftests::build_real_cst_from_string): New function.
10581         (ana::selftests::append_interesting_constants): New function.
10582         (ana::selftests::test_tree_cmp_on_constants): New test.
10583         (ana::selftests::test_canonicalization_4): New test.
10584         (ana::selftests::analyzer_region_model_cc_tests): Call the new
10585         tests.
10587 2020-01-27  David Malcolm  <dmalcolm@redhat.com>
10589         PR analyzer/93349
10590         * engine.cc (run_checkers): Save and restore input_location.
10592 2020-01-27  David Malcolm  <dmalcolm@redhat.com>
10594         * call-string.cc (call_string::cmp_1): Delete, moving body to...
10595         (call_string::cmp): ...here.
10596         * call-string.h (call_string::cmp_1): Delete decl.
10597         * engine.cc (worklist::key_t::cmp_1): Delete, moving body to...
10598         (worklist::key_t::cmp): ...here.  Implement hash comparisons
10599         via comparison rather than subtraction to avoid overflow issues.
10600         * exploded-graph.h (worklist::key_t::cmp_1): Delete decl.
10601         * region-model.cc (tree_cmp): Eliminate buggy checking for
10602         symmetry.
10604 2020-01-27  David Malcolm  <dmalcolm@redhat.com>
10606         * analyzer.cc  (is_named_call_p): Check that fndecl is "extern"
10607         and at file scope.  Potentially disregard prefix _ or __ in
10608         fndecl's name.  Bail if the identifier is NULL.
10609         (is_setjmp_call_p): Expect a gcall rather than plain gimple.
10610         Remove special-case check for leading prefix, and also check for
10611         sigsetjmp.
10612         (is_longjmp_call_p): Also check for siglongjmp.
10613         (get_user_facing_name): New function.
10614         * analyzer.h (is_setjmp_call_p): Expect a gcall rather than plain
10615         gimple.
10616         (get_user_facing_name): New decl.
10617         * checker-path.cc (setjmp_event::get_desc): Use
10618         get_user_facing_name to avoid hardcoding the function name.
10619         (rewind_event::rewind_event): Add rewind_info param, using it to
10620         initialize new m_rewind_info field, and strengthen the assertion.
10621         (rewind_from_longjmp_event::get_desc): Use get_user_facing_name to
10622         avoid hardcoding the function name.
10623         (rewind_to_setjmp_event::get_desc): Likewise.
10624         * checker-path.h (setjmp_event::setjmp_event): Add setjmp_call
10625         param and use it to initialize...
10626         (setjmp_event::m_setjmp_call): New field.
10627         (rewind_event::rewind_event): Add rewind_info param.
10628         (rewind_event::m_rewind_info): New protected field.
10629         (rewind_from_longjmp_event::rewind_from_longjmp_event): Add
10630         rewind_info param.
10631         (class rewind_to_setjmp_event): Move rewind_info field to parent
10632         class.
10633         * diagnostic-manager.cc (diagnostic_manager::add_events_for_eedge):
10634         Update setjmp-handling for is_setjmp_call_p requiring a gcall;
10635         pass the call to the new setjmp_event.
10636         * engine.cc (exploded_node::on_stmt): Update for is_setjmp_call_p
10637         requiring a gcall.
10638         (stale_jmp_buf::emit): Use get_user_facing_name to avoid
10639         hardcoding the function names.
10640         (exploded_node::on_longjmp): Pass the longjmp_call when
10641         constructing rewind_info.
10642         (rewind_info_t::add_events_to_path): Pass the rewind_info_t to the
10643         rewind_from_longjmp_event's ctor.
10644         * exploded-graph.h (rewind_info_t::rewind_info_t): Add
10645         longjmp_call param.
10646         (rewind_info_t::get_longjmp_call): New.
10647         (rewind_info_t::m_longjmp_call): New.
10648         * region-model.cc (region_model::on_setjmp): Update comment to
10649         indicate this is also for sigsetjmp.
10650         * region-model.h (struct setjmp_record): Likewise.
10651         (class setjmp_svalue): Likewise.
10653 2020-01-27  David Malcolm  <dmalcolm@redhat.com>
10655         PR analyzer/93276
10656         * analyzer.h (PUSH_IGNORE_WFORMAT, POP_IGNORE_WFORMAT): Guard these
10657         macros with GCC_VERSION >= 4006, making them no-op otherwise.
10658         * engine.cc (exploded_edge::exploded_edge): Specify template for
10659         base class initializer.
10660         (exploded_graph::add_edge): Specify template when chaining up to
10661         base class add_edge implementation.
10662         (viz_callgraph_node::dump_dot): Drop redundant "typename".
10663         (viz_callgraph_edge::viz_callgraph_edge): Specify template for
10664         base class initializer.
10665         * program-state.cc (sm_state_map::clone_with_remapping): Drop
10666         redundant "typename".
10667         (sm_state_map::print): Likewise.
10668         (sm_state_map::hash): Likewise.
10669         (sm_state_map::operator==): Likewise.
10670         (sm_state_map::remap_svalue_ids): Likewise.
10671         (sm_state_map::on_svalue_purge): Likewise.
10672         (sm_state_map::validate): Likewise.
10673         * program-state.h (sm_state_map::iterator_t): Likewise.
10674         * supergraph.h (superedge::superedge): Specify template for base
10675         class initializer.
10677 2020-01-23  David Malcolm  <dmalcolm@redhat.com>
10679         PR analyzer/93375
10680         * supergraph.cc (callgraph_superedge::get_arg_for_parm): Fail
10681         gracefully if the number of parameters at the callee exceeds the
10682         number of arguments at the call stmt.
10683         (callgraph_superedge::get_parm_for_arg): Likewise.
10685 2020-01-22  David Malcolm  <dmalcolm@redhat.com>
10687         PR analyzer/93382
10688         * program-state.cc (sm_state_map::on_svalue_purge): If the
10689         entry survives, but the origin is being purged, then reset the
10690         origin to null.
10692 2020-01-22  David Malcolm  <dmalcolm@redhat.com>
10694         * sm-signal.cc: Fix nesting of CHECKING_P and namespace ana.
10696 2020-01-22  David Malcolm  <dmalcolm@redhat.com>
10698         PR analyzer/93378
10699         * engine.cc (setjmp_svalue::compare_fields): Update for
10700         replacement of m_enode with m_setjmp_record.
10701         (setjmp_svalue::add_to_hash): Likewise.
10702         (setjmp_svalue::get_index): Rename...
10703         (setjmp_svalue::get_enode_index): ...to this.
10704         (setjmp_svalue::print_details): Update for replacement of m_enode
10705         with m_setjmp_record.
10706         (exploded_node::on_longjmp): Likewise.
10707         * exploded-graph.h (rewind_info_t::m_enode_origin): Replace...
10708         (rewind_info_t::m_setjmp_record): ...with this.
10709         (rewind_info_t::rewind_info_t): Update for replacement of m_enode
10710         with m_setjmp_record.
10711         (rewind_info_t::get_setjmp_point): Likewise.
10712         (rewind_info_t::get_setjmp_call): Likewise.
10713         * region-model.cc (region_model::dump_summary_of_map): Likewise.
10714         (region_model::on_setjmp): Likewise.
10715         * region-model.h (struct setjmp_record): New struct.
10716         (setjmp_svalue::m_enode): Replace...
10717         (setjmp_svalue::m_setjmp_record): ...with this.
10718         (setjmp_svalue::setjmp_svalue): Update for replacement of m_enode
10719         with m_setjmp_record.
10720         (setjmp_svalue::clone): Likewise.
10721         (setjmp_svalue::get_index): Rename...
10722         (setjmp_svalue::get_enode_index): ...to this.
10723         (setjmp_svalue::get_exploded_node): Replace...
10724         (setjmp_svalue::get_setjmp_record): ...with this.
10726 2020-01-22  David Malcolm  <dmalcolm@redhat.com>
10728         PR analyzer/93316
10729         * analyzer.cc (is_setjmp_call_p): Check for "setjmp" as well as
10730         "_setjmp".
10732 2020-01-22  David Malcolm  <dmalcolm@redhat.com>
10734         PR analyzer/93307
10735         * analysis-plan.h: Wrap everything in namespace "ana".
10736         * analyzer-logging.cc: Likewise.
10737         * analyzer-logging.h: Likewise.
10738         * analyzer-pass.cc (pass_analyzer::execute): Update for "ana"
10739         namespace.
10740         * analyzer-selftests.cc: Wrap everything namespace "ana".
10741         * analyzer-selftests.h: Likewise.
10742         * analyzer.h: Likewise for forward decls of types.
10743         * call-string.h: Likewise.
10744         * checker-path.cc: Likewise.
10745         * checker-path.h: Likewise.
10746         * constraint-manager.cc: Likewise.
10747         * constraint-manager.h: Likewise.
10748         * diagnostic-manager.cc: Likewise.
10749         * diagnostic-manager.h: Likewise.
10750         * engine.cc: Likewise.
10751         * engine.h: Likewise.
10752         * exploded-graph.h: Likewise.
10753         * function-set.cc: Likewise.
10754         * function-set.h: Likewise.
10755         * pending-diagnostic.cc: Likewise.
10756         * pending-diagnostic.h: Likewise.
10757         * program-point.cc: Likewise.
10758         * program-point.h: Likewise.
10759         * program-state.cc: Likewise.
10760         * program-state.h: Likewise.
10761         * region-model.cc: Likewise.
10762         * region-model.h: Likewise.
10763         * sm-file.cc: Likewise.
10764         * sm-malloc.cc: Likewise.
10765         * sm-pattern-test.cc: Likewise.
10766         * sm-sensitive.cc: Likewise.
10767         * sm-signal.cc: Likewise.
10768         * sm-taint.cc: Likewise.
10769         * sm.cc: Likewise.
10770         * sm.h: Likewise.
10771         * state-purge.h: Likewise.
10772         * supergraph.cc: Likewise.
10773         * supergraph.h: Likewise.
10775 2020-01-21  David Malcolm  <dmalcolm@redhat.com>
10777         PR analyzer/93352
10778         * region-model.cc (int_cmp): Rename to...
10779         (array_region::key_cmp): ...this, using key_t rather than int.
10780         Rewrite in terms of comparisons rather than subtraction to
10781         ensure qsort is anti-symmetric when handling extreme values.
10782         (array_region::walk_for_canonicalization): Update for above
10783         renaming.
10784         * region-model.h (array_region::key_cmp): New decl.
10786 2020-01-17  David Malcolm  <dmalcolm@redhat.com>
10788         PR analyzer/93290
10789         * region-model.cc (region_model::eval_condition_without_cm): Avoid
10790         gcc_unreachable for unexpected operations for the case where
10791         we're comparing an svalue against itself.
10793 2020-01-17  David Malcolm  <dmalcolm@redhat.com>
10795         PR analyzer/93281
10796         * region-model.cc
10797         (region_model::convert_byte_offset_to_array_index): Convert to
10798         ssizetype before dividing by byte_size.  Use fold_binary rather
10799         than fold_build2 to avoid needlessly constructing a tree for the
10800         non-const case.
10802 2020-01-15  David Malcolm  <dmalcolm@redhat.com>
10804         * engine.cc (class impl_region_model_context): Fix comment.
10806 2020-01-14  David Malcolm  <dmalcolm@redhat.com>
10808         PR analyzer/93212
10809         * region-model.cc (make_region_for_type): Use
10810         FUNC_OR_METHOD_TYPE_P rather than comparing against FUNCTION_TYPE.
10811         * region-model.h (function_region::function_region): Likewise.
10813 2020-01-14  David Malcolm  <dmalcolm@redhat.com>
10815         * program-state.cc (sm_state_map::clone_with_remapping): Copy
10816         m_global_state.
10817         (selftest::test_program_state_merging_2): New selftest.
10818         (selftest::analyzer_program_state_cc_tests): Call it.
10820 2020-01-14  David Malcolm  <dmalcolm@redhat.com>
10822         * checker-path.h (checker_path::get_checker_event): New function.
10823         (checker_path): Add DISABLE_COPY_AND_ASSIGN; make fields private.
10824         * diagnostic-manager.cc
10825         (diagnostic_manager::prune_for_sm_diagnostic): Replace direct
10826         access to checker_path::m_events with accessor functions.  Fix
10827         overlong line.
10828         (diagnostic_manager::prune_interproc_events): Replace direct
10829         access to checker_path::m_events with accessor functions.
10830         (diagnostic_manager::finish_pruning): Likewise.
10832 2020-01-14  David Malcolm  <dmalcolm@redhat.com>
10834         * checker-path.h (checker_event::clone): Delete vfunc decl.
10835         (debug_event::clone): Delete vfunc impl.
10836         (custom_event::clone): Delete vfunc impl.
10837         (statement_event::clone): Delete vfunc impl.
10838         (function_entry_event::clone): Delete vfunc impl.
10839         (state_change_event::clone): Delete vfunc impl.
10840         (start_cfg_edge_event::clone): Delete vfunc impl.
10841         (end_cfg_edge_event::clone): Delete vfunc impl.
10842         (call_event::clone): Delete vfunc impl.
10843         (return_event::clone): Delete vfunc impl.
10844         (setjmp_event::clone): Delete vfunc impl.
10845         (rewind_from_longjmp_event::clone): Delete vfunc impl.
10846         (rewind_to_setjmp_event::clone): Delete vfunc impl.
10847         (warning_event::clone): Delete vfunc impl.
10849 2020-01-14  David Malcolm  <dmalcolm@redhat.com>
10851         * supergraph.cc (supernode::dump_dot): Ensure that the TABLE
10852         element has at least one TR.
10854 2020-01-14  David Malcolm  <dmalcolm@redhat.com>
10856         PR analyzer/58237
10857         * engine.cc (leak_stmt_finder::find_stmt): Use get_pure_location
10858         when comparing against UNKNOWN_LOCATION.
10859         (stmt_requires_new_enode_p): Likewise.
10860         (exploded_graph::dump_exploded_nodes): Likewise.
10861         * supergraph.cc (supernode::get_start_location): Likewise.
10862         (supernode::get_end_location): Likewise.
10864 2020-01-14  David Malcolm  <dmalcolm@redhat.com>
10866         PR analyzer/58237
10867         * analyzer-selftests.cc (selftest::run_analyzer_selftests): Call
10868         selftest::analyzer_sm_file_cc_tests.
10869         * analyzer-selftests.h (selftest::analyzer_sm_file_cc_tests): New
10870         decl.
10871         * sm-file.cc: Include "analyzer/function-set.h" and
10872         "analyzer/analyzer-selftests.h".
10873         (get_file_using_fns): New function.
10874         (is_file_using_fn_p): New function.
10875         (fileptr_state_machine::on_stmt): Return true for known functions.
10876         (selftest::analyzer_sm_file_cc_tests): New function.
10878 2020-01-14  David Malcolm  <dmalcolm@redhat.com>
10880         * analyzer-selftests.cc (selftest::run_analyzer_selftests): Call
10881         selftest::analyzer_sm_signal_cc_tests.
10882         * analyzer-selftests.h (selftest::analyzer_sm_signal_cc_tests):
10883         New decl.
10884         * sm-signal.cc: Include "analyzer/function-set.h" and
10885         "analyzer/analyzer-selftests.h".
10886         (get_async_signal_unsafe_fns): New function.
10887         (signal_unsafe_p): Reimplement in terms of the above.
10888         (selftest::analyzer_sm_signal_cc_tests): New function.
10890 2020-01-14  David Malcolm  <dmalcolm@redhat.com>
10892         * analyzer-selftests.cc (selftest::run_analyzer_selftests): Call
10893         selftest::analyzer_function_set_cc_tests.
10894         * analyzer-selftests.h (selftest::analyzer_function_set_cc_tests):
10895         New decl.
10896         * function-set.cc: New file.
10897         * function-set.h: New file.
10899 2020-01-14  David Malcolm  <dmalcolm@redhat.com>
10901         * analyzer.h (fndecl_has_gimple_body_p): New decl.
10902         * engine.cc (impl_region_model_context::on_unknown_change): New
10903         function.
10904         (fndecl_has_gimple_body_p): Make non-static.
10905         (exploded_node::on_stmt): Treat __analyzer_dump_exploded_nodes as
10906         known.  Track whether we have a call with unknown side-effects and
10907         pass it to on_call_post.
10908         * exploded-graph.h (impl_region_model_context::on_unknown_change):
10909         New decl.
10910         * program-state.cc (sm_state_map::on_unknown_change): New function.
10911         * program-state.h (sm_state_map::on_unknown_change): New decl.
10912         * region-model.cc: Include "bitmap.h".
10913         (region_model::on_call_pre): Return a bool, capturing whether the
10914         call has unknown side effects.
10915         (region_model::on_call_post): Add arg "bool unknown_side_effects"
10916         and if true, call handle_unrecognized_call.
10917         (class reachable_regions): New class.
10918         (region_model::handle_unrecognized_call): New function.
10919         * region-model.h (region_model::on_call_pre): Return a bool.
10920         (region_model::on_call_post): Add arg "bool unknown_side_effects".
10921         (region_model::handle_unrecognized_call): New decl.
10922         (region_model_context::on_unknown_change): New vfunc.
10923         (test_region_model_context::on_unknown_change): New function.
10925 2020-01-14  David Malcolm  <dmalcolm@redhat.com>
10927         * diagnostic-manager.cc (saved_diagnostic::operator==): Move here
10928         from header.  Replace pointer equality test on m_var with call to
10929         pending_diagnostic::same_tree_p.
10930         * diagnostic-manager.h (saved_diagnostic::operator==): Move to
10931         diagnostic-manager.cc.
10932         * pending-diagnostic.cc (pending_diagnostic::same_tree_p): New.
10933         * pending-diagnostic.h (pending_diagnostic::same_tree_p): New.
10934         * sm-file.cc (file_diagnostic::subclass_equal_p): Replace pointer
10935         equality on m_arg with call to pending_diagnostic::same_tree_p.
10936         * sm-malloc.cc (malloc_diagnostic::subclass_equal_p): Likewise.
10937         (possible_null_arg::subclass_equal_p): Likewise.
10938         (null_arg::subclass_equal_p): Likewise.
10939         (free_of_non_heap::subclass_equal_p): Likewise.
10940         * sm-pattern-test.cc (pattern_match::operator==): Likewise.
10941         * sm-sensitive.cc (exposure_through_output_file::operator==):
10942         Likewise.
10943         * sm-taint.cc (tainted_array_index::operator==): Likewise.
10945 2020-01-14  David Malcolm  <dmalcolm@redhat.com>
10947         * diagnostic-manager.cc (dedupe_winners::add): Add logging
10948         of deduplication decisions made.
10950 2020-01-14  David Malcolm  <dmalcolm@redhat.com>
10952         * ChangeLog: New file.
10953         * analyzer-selftests.cc: New file.
10954         * analyzer-selftests.h: New file.
10955         * analyzer.opt: New file.
10956         * analysis-plan.cc: New file.
10957         * analysis-plan.h: New file.
10958         * analyzer-logging.cc: New file.
10959         * analyzer-logging.h: New file.
10960         * analyzer-pass.cc: New file.
10961         * analyzer.cc: New file.
10962         * analyzer.h: New file.
10963         * call-string.cc: New file.
10964         * call-string.h: New file.
10965         * checker-path.cc: New file.
10966         * checker-path.h: New file.
10967         * constraint-manager.cc: New file.
10968         * constraint-manager.h: New file.
10969         * diagnostic-manager.cc: New file.
10970         * diagnostic-manager.h: New file.
10971         * engine.cc: New file.
10972         * engine.h: New file.
10973         * exploded-graph.h: New file.
10974         * pending-diagnostic.cc: New file.
10975         * pending-diagnostic.h: New file.
10976         * program-point.cc: New file.
10977         * program-point.h: New file.
10978         * program-state.cc: New file.
10979         * program-state.h: New file.
10980         * region-model.cc: New file.
10981         * region-model.h: New file.
10982         * sm-file.cc: New file.
10983         * sm-malloc.cc: New file.
10984         * sm-malloc.dot: New file.
10985         * sm-pattern-test.cc: New file.
10986         * sm-sensitive.cc: New file.
10987         * sm-signal.cc: New file.
10988         * sm-taint.cc: New file.
10989         * sm.cc: New file.
10990         * sm.h: New file.
10991         * state-purge.cc: New file.
10992         * state-purge.h: New file.
10993         * supergraph.cc: New file.
10994         * supergraph.h: New file.
10996 2019-12-13  David Malcolm  <dmalcolm@redhat.com>
10998         * Initial creation
11001 Copyright (C) 2019-2023 Free Software Foundation, Inc.
11003 Copying and distribution of this file, with or without modification,
11004 are permitted in any medium without royalty provided the copyright
11005 notice and this notice are preserved.