| blob | d4c654a34978ce93d952570315412b3522855986 |
1 /* The analysis "engine".
2 Copyright (C) 2019-2020 Free Software Foundation, Inc.
3 Contributed by David Malcolm <dmalcolm@redhat.com>.
5 This file is part of GCC.
7 GCC is free software; you can redistribute it and/or modify it
8 under the terms of the GNU General Public License as published by
9 the Free Software Foundation; either version 3, or (at your option)
10 any later version.
12 GCC is distributed in the hope that it will be useful, but
13 WITHOUT ANY WARRANTY; without even the implied warranty of
14 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
15 General Public License for more details.
17 You should have received a copy of the GNU General Public License
18 along with GCC; see the file COPYING3. If not see
19 <http://www.gnu.org/licenses/>. */
65 #include <zlib.h>
67 /* For an overview, see gcc/doc/analyzer.texi. */
69 #if ENABLE_ANALYZER
73 /* class impl_region_model_context : public region_model_context. */
89 {
90 }
102 {
103 }
105 void
107 {
113 }
115 void
118 {
123 }
125 void
129 {
134 }
136 void
139 {
144 }
146 void
148 {
150 }
152 /* class setjmp_svalue : public svalue. */
154 /* Implementation of svalue::accept vfunc for setjmp_svalue. */
156 void
158 {
160 }
162 /* Implementation of svalue::dump_to_pp vfunc for setjmp_svalue. */
164 void
166 {
169 else
171 }
173 /* Get the index of the stored exploded_node. */
175 int
177 {
179 }
181 /* Concrete implementation of sm_context, wiring it up to the rest of this
182 file. */
185 {
202 {
203 }
208 {
209 impl_region_model_context old_ctxt
211 call);
214 }
217 tree var)
218 {
221 impl_region_model_context old_ctxt
223 stmt);
230 }
233 tree var,
235 tree origin)
236 {
239 impl_region_model_context old_ctxt
241 stmt);
247 stmt);
258 var,
263 }
267 {
270 impl_region_model_context old_ctxt
276 = (var
282 }
284 /* Hook for picking more readable trees for SSA names of temporaries,
285 so that rather than e.g.
286 "double-free of '<unknown>'"
287 we can print:
288 "double-free of 'inbuf.data'". */
291 {
292 /* Only for SSA_NAMEs of temporaries; otherwise, return EXPR, as it's
293 likely to be the least surprising tree to report. */
301 /* Find trees for all regions storing the value. */
304 else
306 }
309 {
311 }
314 {
316 }
319 {
322 m_sm_idx);
323 }
326 {
330 impl_region_model_context old_ctxt
339 }
341 log_user m_logger;
349 };
351 /* Subclass of stmt_finder for finding the best stmt to report the leak at,
352 given the emission path. */
355 {
361 {
363 }
366 FINAL OVERRIDE
367 {
372 {
373 /* Locate the final write to this SSA name in the path. */
381 /* What was the next write to the underlying var
382 after the SSA name was set? (if any). */
387 {
391 idx,
400 {
405 }
406 }
407 }
409 not_found:
411 /* Look backwards for the first statement with a location. */
415 {
418 i,
427 }
431 }
435 tree m_var;
436 };
438 /* A measurement of how good EXPR is for presenting to the user, so
439 that e.g. we can say prefer printing
440 "leak of 'tmp.m_ptr'"
441 over:
442 "leak of '<unknown>'". */
444 static int
446 {
449 {
452 /* Impose a slight readability penalty relative to that of
453 operand 0. */
457 {
459 /* Slightly favor the underlying var over the SSA name to
460 avoid having them compare equal. */
462 /* Avoid printing '<unknown>' for SSA names for temporaries. */
464 }
470 /* Arbitrarily-chosen "high readability" value. */
472 else
473 /* We don't want to print temporaries. For example, the C FE
474 prints them as e.g. "<Uxxxx>" where "xxxx" is the low 16 bits
475 of the tree pointer (see pp_c_tree_decl_identifier). */
479 /* Printing "<return-value>" isn't ideal, but is less awful than
480 trying to print a temporary. */
485 }
488 }
490 /* A qsort comparator for trees to sort them into most user-readable to
491 least user-readable. */
493 int
495 {
504 /* Favor items that are deeper on the stack and hence more recent;
505 this also favors locals over globals. */
509 /* TODO: We ought to find ways of sorting such cases. */
511 }
513 /* Find the best tree for SVAL and call SM's on_leak vfunc with it.
514 If on_leak returns a pending_diagnostic, queue it up to be reported,
515 so that we potentially complain about a leak of SVAL in the given STATE. */
517 void
521 {
525 {
530 }
535 /* m_old_state also needs to be non-NULL so that the sm_ctxt can look
536 up the old state of SVAL. */
539 /* SVAL has leaked within the new state: it is not used by any reachable
540 regions.
541 We need to convert it back to a tree, but since it's likely no regions
542 use it, we have to find the "best" tree for it in the old_state. */
543 svalue_set visited;
544 path_var leaked_pv
548 /* This might be NULL; the pending_diagnostic subclasses need to cope
549 with this. */
552 {
555 else
557 }
562 /* Don't complain about leaks when returning from "main". */
565 {
568 {
572 }
573 }
581 }
583 /* Implementation of region_model_context::on_condition vfunc.
584 Notify all state machines about the condition, which could lead to
585 state transitions. */
587 void
589 {
593 {
602 }
603 }
605 /* Implementation of region_model_context::on_phi vfunc.
606 Notify all state machines about the phi, which could lead to
607 state transitions. */
609 void
611 {
615 {
622 }
623 }
625 /* Implementation of region_model_context::on_unexpected_tree_code vfunc.
626 Mark the new state as being invalid for further exploration.
627 TODO(stage1): introduce a warning for when this occurs. */
629 void
632 {
642 }
644 /* struct point_and_state. */
646 /* Assert that this object is sane. */
648 void
650 {
651 /* Skip this in a release build. */
652 #if !CHECKING_P
654 #endif
660 /* Verify that the callstring's model of the stack corresponds to that
661 of the region_model. */
662 /* They should have the same depth. */
665 /* Check the functions in the callstring vs those in the frames
666 at each depth. */
670 {
674 }
675 }
677 /* Subroutine of print_enode_indices: print a run of indices from START_IDX
678 to END_IDX to PP, using and updating *FIRST_RUN. */
680 static void
683 {
689 else
691 }
693 /* Print the indices within ENODES to PP, collecting them as
694 runs/singletons e.g. "EN: 4-7, EN: 20-23, EN: 42". */
696 static void
699 {
706 {
708 {
711 }
712 else
713 {
715 /* Continuation of a run. */
717 else
718 {
719 /* Finish existing run, start a new one. */
725 }
726 }
727 }
728 /* Finish any existing run. */
730 {
734 }
735 }
737 /* struct eg_traits::dump_args_t. */
739 /* The <FILENAME>.eg.dot output can quickly become unwieldy if we show
740 full details for all enodes (both in terms of CPU time to render it,
741 and in terms of being meaningful to a human viewing it).
743 If we show just the IDs then the resulting graph is usually viewable,
744 but then we have to keep switching back and forth between the .dot
745 view and other dumps.
747 This function implements a heuristic for showing detail at the enodes
748 that (we hope) matter, and just the ID at other enodes, fixing the CPU
749 usage of the .dot viewer, and drawing the attention of the viewer
750 to these enodes.
752 Return true if ENODE should be shown in detail in .dot output.
753 Return false if no detail should be shown for ENODE. */
755 bool
757 {
758 /* If the number of exploded nodes isn't too large, we may as well show
759 all enodes in full detail in the .dot output. */
764 /* Otherwise, assume that what's most interesting are state explosions,
765 and thus the places where this happened.
766 Expand enodes at program points where we hit the per-enode limit, so we
767 can investigate what exploded. */
771 }
773 /* class exploded_node : public dnode<eg_traits>. */
777 {
779 {
785 }
786 }
788 /* exploded_node's ctor. */
794 {
796 }
798 /* Get the stmt that was processed in this enode at index IDX.
799 IDX is an index within the stmts processed at this enode, rather
800 than within those of the supernode. */
804 {
813 }
815 /* For use by dump_dot, get a value for the .dot "fillcolor" attribute.
816 Colorize by sm-state, to make it easier to see how sm-state propagates
817 through the exploded_graph. */
821 {
824 /* We want to be able to easily distinguish the no-sm-state case,
825 and to be able to distinguish cases where there's a single state
826 from each other.
828 Sum the sm_states, and use the result to choose from a table,
829 modulo table-size, special-casing the "no sm-state" case. */
834 {
840 }
843 {
844 /* An arbitrarily-picked collection of light colors. */
851 }
852 else
853 /* No sm-state. */
855 }
857 /* Implementation of dnode::dump_dot vfunc for exploded_node. */
859 void
861 {
877 {
887 /* Show any stmts that were processed within this enode,
888 and their index within the supernode. */
890 {
899 {
905 }
906 }
907 }
909 /* Dump any saved_diagnostics at this enode. */
910 {
913 {
916 {
919 }
920 }
921 }
927 }
929 /* Dump this to PP in a form suitable for use as an id in .dot output. */
931 void
933 {
935 }
937 /* Dump a multiline representation of this node to PP. */
939 void
942 {
952 }
954 /* Dump a multiline representation of this node to FILE. */
956 void
959 {
960 pretty_printer pp;
966 }
968 /* Dump a multiline representation of this node to stderr. */
970 DEBUG_FUNCTION void
972 {
974 }
976 /* Return a new json::object of the form
977 {"point" : object for program_point,
978 "state" : object for program_state,
979 "status" : str,
980 "idx" : int,
981 "processed_stmts" : int}. */
985 {
996 }
1000 /* Return true if FNDECL has a gimple body. */
1001 // TODO: is there a pre-canned way to do this?
1003 bool
1005 {
1014 }
1018 /* A pending_diagnostic subclass for implementing "__analyzer_dump_path". */
1020 class dump_path_diagnostic
1022 {
1025 {
1028 }
1033 {
1035 }
1036 };
1038 /* Modify STATE in place, applying the effects of the stmt at this node's
1039 point. */
1046 {
1050 {
1054 }
1056 /* Update input_location in case of ICE: make it easier to track down which
1057 source construct we're failing to handle. */
1062 /* Preserve the old state. It is used here for looking
1063 up old checker states, for determining state transitions, and
1064 also within impl_region_model_context and impl_sm_context for
1065 going from tree to svalue_id. */
1070 stmt);
1075 {
1077 /* No-op for now. */
1081 {
1084 }
1088 /* No-op for now. */
1092 {
1093 /* Track whether we have a gcall to a function that's not recognized by
1094 anything, for which we don't have a function body, or for which we
1095 don't know the fndecl. */
1098 /* Debugging/test support. */
1102 {
1103 /* Handle the builtin "__analyzer_dump" by dumping state
1104 to stderr. */
1106 }
1108 {
1109 /* Handle the builtin "__analyzer_dump_path" by queuing a
1110 diagnostic at this exploded_node. */
1112 }
1115 {
1116 /* Handle the builtin "__analyzer_dump_region_model" by dumping
1117 the region model's state to stderr. */
1119 }
1123 {
1124 /* Handle the builtin "__analyzer_break" by triggering a
1125 breakpoint. */
1126 /* TODO: is there a good cross-platform way to do this? */
1128 }
1132 {
1133 /* This is handled elsewhere. */
1134 }
1138 {
1141 }
1142 else
1143 unknown_side_effects
1145 }
1149 {
1152 }
1154 }
1160 {
1167 /* Allow the state_machine to handle the stmt. */
1172 }
1178 }
1180 /* Consider the effect of following superedge SUCC from this node.
1182 Return true if it's feasible to follow the edge, or false
1183 if it's infeasible.
1185 Examples: if it's the "true" branch within
1186 a CFG and we know the conditional is false, we know it's infeasible.
1187 If it's one of multiple interprocedual "return" edges, then only
1188 the edge back to the most recent callsite is feasible.
1190 Update NEXT_STATE accordingly (e.g. to record that a condition was
1191 true or false, or that the NULL-ness of a pointer has been checked,
1192 pushing/popping stack frames, etc).
1194 Update NEXT_POINT accordingly (updating the call string). */
1196 bool
1201 {
1211 }
1213 /* Verify that the stack at LONGJMP_POINT is still valid, given a call
1214 to "setjmp" at SETJMP_POINT - the stack frame that "setjmp" was
1215 called in must still be valid.
1217 Caveat: this merely checks the call_strings in the points; it doesn't
1218 detect the case where a frame returns and is then called again. */
1220 static bool
1223 {
1230 /* Check that the call strings match, up to the depth of the
1231 setjmp point. */
1237 }
1239 /* A pending_diagnostic subclass for complaining about bad longjmps,
1240 where the enclosing function of the "setjmp" has returned (and thus
1241 the stack frame no longer exists). */
1244 {
1248 {}
1251 {
1252 return warning_at
1257 }
1263 {
1266 }
1271 };
1273 /* Handle LONGJMP_CALL, a call to longjmp or siglongjmp.
1275 Attempt to locate where setjmp/sigsetjmp was called on the jmp_buf and build
1276 an exploded_node and exploded_edge to it representing a rewind to that frame,
1277 handling the various kinds of failure that can occur. */
1279 void
1284 {
1291 ctxt);
1301 /* Build a custom enode and eedge for rewinding from the longjmp/siglongjmp
1302 call back to the setjmp/sigsetjmp. */
1310 /* Verify that the setjmp's call_stack hasn't been popped. */
1312 {
1315 }
1320 /* Update the state for use by the destination node. */
1322 /* Stash the current number of diagnostics so that we can update
1323 any that this adds to show where the longjmp is rewinding to. */
1331 /* Detect leaks in the new state relative to the old state. */
1335 program_point next_point
1339 exploded_node *next
1342 /* Create custom exploded_edge for a longjmp. */
1344 {
1345 exploded_edge *eedge
1349 /* For any diagnostics that were queued here (such as leaks) we want
1350 the checker_path to show the rewinding events after the "final event"
1351 so that the user sees where the longjmp is rewinding to (otherwise the
1352 path is meaningless).
1354 For example, we want to emit something like:
1355 | NN | {
1356 | NN | longjmp (env, 1);
1357 | | ~~~~~~~~~~~~~~~~
1358 | | |
1359 | | (10) 'ptr' leaks here; was allocated at (7)
1360 | | (11) rewinding from 'longjmp' in 'inner'...
1361 |
1362 <-------------+
1363 |
1364 'outer': event 12
1365 |
1366 | NN | i = setjmp(env);
1367 | | ^~~~~~
1368 | | |
1369 | | (12) ...to 'setjmp' in 'outer' (saved at (2))
1371 where the "final" event above is event (10), but we want to append
1372 events (11) and (12) afterwards.
1374 Do this by setting m_trailing_eedge on any diagnostics that were
1375 just saved. */
1378 {
1381 }
1382 }
1383 }
1385 /* Subroutine of exploded_graph::process_node for finding the successors
1386 of the supernode for a function exit basic block.
1388 Ensure that pop_frame is called, potentially queuing diagnostics about
1389 leaks. */
1391 void
1393 {
1398 /* If we're not a "top-level" function, do nothing; pop_frame
1399 will be called when handling the return superedge. */
1403 /* We have a "top-level" function. */
1408 /* Work with a temporary copy of the state: pop the frame, and see
1409 what leaks (via purge_unused_svalues). */
1421 }
1423 /* Dump the successors and predecessors of this enode to OUTF. */
1425 void
1427 {
1430 {
1434 pretty_printer pp;
1438 }
1439 {
1443 pretty_printer pp;
1447 }
1448 }
1450 /* class rewind_info_t : public exploded_edge::custom_info_t. */
1452 /* Implementation of exploded_edge::custom_info_t::update_model vfunc
1453 for rewind_info_t.
1455 Update state for the special-case of a rewind of a longjmp
1456 to a setjmp (which doesn't have a superedge, but does affect
1457 state). */
1459 void
1462 {
1472 }
1474 /* Implementation of exploded_edge::custom_info_t::add_events_to_path vfunc
1475 for rewind_info_t. */
1477 void
1480 {
1488 emission_path->add_event
1493 emission_path->add_event
1498 }
1500 /* class exploded_edge : public dedge<eg_traits>. */
1502 /* exploded_edge's ctor. */
1509 {
1510 }
1512 /* exploded_edge's dtor. */
1515 {
1517 }
1519 /* Implementation of dedge::dump_dot vfunc for exploded_edge.
1520 Use the label of the underlying superedge, if any. */
1522 void
1524 {
1534 {
1541 //constraint = "false";
1545 //constraint = "false";
1550 }
1552 {
1555 }
1570 //pp_write_text_as_dot_label_to_stream (pp, /*for_record=*/false);
1573 }
1575 /* Return a new json::object of the form
1576 {"src_idx": int, the index of the source exploded edge,
1577 "dst_idx": int, the index of the destination exploded edge,
1578 "sedge": (optional) object for the superedge, if any,
1579 "custom": (optional) str, a description, if this is a custom edge}. */
1583 {
1590 {
1591 pretty_printer pp;
1595 }
1597 }
1599 /* struct stats. */
1601 /* stats' ctor. */
1607 {
1610 }
1612 /* Log these stats in multiline form to LOGGER. */
1614 void
1616 {
1625 m_node_reuse_after_merge_count);
1626 }
1628 /* Dump these stats in multiline form to OUT. */
1630 void
1632 {
1640 m_node_reuse_after_merge_count);
1645 }
1647 /* Return the total number of enodes recorded within this object. */
1649 int
1651 {
1656 }
1658 /* strongly_connected_components's ctor. Tarjan's SCC algorithm. */
1663 {
1676 }
1678 /* Dump this object to stderr. */
1680 DEBUG_FUNCTION void
1682 {
1684 {
1688 }
1689 }
1691 /* Subroutine of strongly_connected_components's ctor, part of Tarjan's
1692 SCC algorithm. */
1694 void
1696 {
1699 /* Set the depth index for v to the smallest unused index. */
1705 index++;
1707 /* Consider successors of v. */
1711 {
1718 {
1719 /* Successor w has not yet been visited; recurse on it. */
1722 }
1724 {
1725 /* Successor w is in stack S and hence in the current SCC
1726 If w is not on stack, then (v, w) is a cross-edge in the DFS
1727 tree and must be ignored. */
1729 }
1730 }
1732 /* If v is a root node, pop the stack and generate an SCC. */
1735 {
1742 }
1743 }
1745 /* worklist's ctor. */
1751 {
1752 }
1754 /* Return the number of nodes in the worklist. */
1756 unsigned
1758 {
1760 }
1762 /* Return the next node in the worklist, removing it. */
1764 exploded_node *
1766 {
1768 }
1770 /* Return the next node in the worklist without removing it. */
1772 exploded_node *
1774 {
1776 }
1778 /* Add ENODE to the worklist. */
1780 void
1782 {
1785 }
1787 /* Comparator for implementing worklist::key_t comparison operators.
1788 Return negative if KA is before KB
1789 Return positive if KA is after KB
1790 Return 0 if they are equal.
1792 The ordering of the worklist is critical for performance and for
1793 avoiding node explosions. Ideally we want all enodes at a CFG join-point
1794 with the same callstring to be sorted next to each other in the worklist
1795 so that a run of consecutive enodes can be merged and processed "in bulk"
1796 rather than individually or pairwise, minimizing the number of new enodes
1797 created. */
1799 int
1801 {
1807 /* Order empty-callstring points with different functions based on the
1808 analysis_plan, so that we generate summaries before they are used. */
1815 {
1818 }
1820 /* First, order by SCC. */
1826 /* If in same SCC, order by supernode index (an arbitrary but stable
1827 ordering). */
1831 {
1833 /* One is NULL. */
1835 else
1836 /* Both are NULL. */
1838 }
1840 /* One is NULL. */
1842 /* Neither are NULL. */
1849 /* The points might vary by callstring; try sorting by callstring. */
1854 /* Order within supernode via program point. */
1855 int within_snode_cmp
1861 /* Otherwise, we ought to have the same program_point. */
1867 /* Sort by sm-state, so that identical sm-states are grouped
1868 together in the worklist.
1869 For now, sort by the hash value (might not be deterministic). */
1872 {
1882 }
1884 /* Otherwise, we have two enodes at the same program point but with
1885 different states. We don't have a good total ordering on states,
1886 so order them by enode index, so that we have at least have a
1887 stable sort. */
1889 }
1891 /* exploded_graph's ctor. */
1907 {
1912 }
1914 /* exploded_graph's dtor. */
1917 {
1927 }
1929 /* Ensure that there is an exploded_node representing an external call to
1930 FUN, adding it to the worklist if creating it.
1932 Add an edge from the origin exploded_node to the function entrypoint
1933 exploded_node.
1935 Return the exploded_node for the entrypoint to the function. */
1937 exploded_node *
1939 {
1942 /* Be idempotent. */
1944 {
1949 }
1967 }
1969 /* Get or create an exploded_node for (POINT, STATE).
1970 If a new node is created, it is added to the worklist.
1972 Use ENODE_FOR_DIAG, a pre-existing enode, for any diagnostics
1973 that need to be emitted (e.g. when purging state *before* we have
1974 a new enode). */
1976 exploded_node *
1980 {
1984 {
1995 }
1997 /* Stop exploring paths for which we don't know how to effectively
1998 model the state. */
2000 {
2004 }
2010 //state.dump (get_ext_state ());
2012 /* Prune state to try to improve the chances of a cache hit,
2013 avoiding generating redundant nodes. */
2014 program_state pruned_state
2019 //pruned_state.dump (get_ext_state ());
2022 {
2030 }
2034 stats *per_cs_stats
2040 {
2041 /* An exploded_node for PS already exists. */
2048 }
2050 per_program_point_data *per_point_data
2053 /* Consider merging state with another enode at this program_point. */
2055 {
2059 {
2066 /* This merges successfully within the loop. */
2071 {
2076 /* Try again for a cache hit.
2077 Whether we get one or not, merged_state's value_ids have no
2078 relationship to those of the input state, and thus to those
2079 of CHANGE, so we must purge any svalue_ids from *CHANGE. */
2083 {
2084 /* An exploded_node for PS already exists. */
2091 }
2092 }
2093 else
2097 }
2098 }
2100 /* Impose a limit on the number of enodes per program point, and
2101 simply stop if we exceed it. */
2104 {
2105 pretty_printer pp;
2116 }
2120 /* An exploded_node for "ps" doesn't already exist; create one. */
2125 /* Update per-program_point data. */
2137 {
2149 }
2151 /* Add the new node to the worlist. */
2154 }
2156 /* Add an exploded_edge from SRC to DEST, recording its association
2157 with SEDGE (which may be NULL), and, if non-NULL, taking ownership
2158 of REWIND_INFO.
2159 Return the newly-created eedge. */
2161 exploded_edge *
2165 {
2172 }
2174 /* Ensure that this graph has per-program_point-data for POINT;
2175 borrow a pointer to it. */
2177 per_program_point_data *
2180 {
2187 }
2189 /* Get this graph's per-program-point-data for POINT if there is any,
2190 otherwise NULL. */
2192 per_program_point_data *
2194 {
2200 }
2202 /* Ensure that this graph has per-call_string-data for CS;
2203 borrow a pointer to it. */
2205 per_call_string_data *
2207 {
2213 data);
2215 }
2217 /* Ensure that this graph has per-function-data for FUN;
2218 borrow a pointer to it. */
2220 per_function_data *
2222 {
2229 }
2231 /* Get this graph's per-function-data for FUN if there is any,
2232 otherwise NULL. */
2234 per_function_data *
2236 {
2242 }
2244 /* Return true if NODE and FUN should be traversed directly, rather than
2245 called via other functions. */
2247 static bool
2249 {
2250 /* TODO: better logic here
2251 e.g. only if more than one caller, and significantly complicated.
2252 Perhaps some whole-callgraph analysis to decide if it's worth summarizing
2253 an edge, and if so, we need summaries. */
2255 {
2260 /* For now, if there's more than one in-edge, and we want call
2261 summaries, do it at the top level so that there's a chance
2262 we'll have a summary when we need one. */
2264 {
2269 }
2270 }
2273 {
2277 }
2283 }
2285 /* Callback for walk_tree for finding callbacks within initializers;
2286 ensure they are treated as possible entrypoints to the analysis. */
2288 static tree
2290 {
2295 }
2297 /* Add initial nodes to EG, with entrypoints for externally-callable
2298 functions. */
2300 void
2302 {
2308 {
2314 {
2318 else
2320 }
2321 }
2323 /* Find callbacks that are reachable from global initializers. */
2326 {
2334 }
2335 }
2337 /* The main loop of the analysis.
2338 Take freshly-created exploded_nodes from the worklist, calling
2339 process_node on them to explore the <point, state> graph.
2340 Add edges to their successors, potentially creating new successors
2341 (which are also added to the worklist). */
2343 void
2345 {
2351 {
2360 /* If we have a run of nodes that are before-supernode, try merging and
2361 processing them together, rather than pairwise or individually. */
2366 /* Avoid exponential explosions of nodes by attempting to merge
2367 nodes that are at the same program point and which have
2368 sufficiently similar state. */
2371 {
2383 {
2386 {
2390 logger->log_partial
2395 }
2399 /* They shouldn't be equal, or we wouldn't have two
2400 separate nodes. */
2405 {
2411 {
2412 /* Then merge node_2 into node by adding an edge. */
2415 /* Remove node_2 from the worklist. */
2419 /* Continue processing "node" below. */
2420 }
2422 {
2423 /* Then merge node into node_2, and leave node_2
2424 in the worklist, to be processed on the next
2425 iteration. */
2429 }
2430 else
2431 {
2432 /* We have a merged state that differs from
2433 both state and state_2. */
2435 /* Remove node_2 from the worklist. */
2438 /* Create (or get) an exploded node for the merged
2439 states, adding to the worklist. */
2440 exploded_node *merged_enode
2451 /* "node" and "node_2" have both now been removed
2452 from the worklist; we should not process them.
2454 "merged_enode" may be a new node; if so it will be
2455 processed in a subsequent iteration.
2456 Alternatively, "merged_enode" could be an existing
2457 node; one way the latter can
2458 happen is if we end up merging a succession of
2459 similar nodes into one. */
2461 /* If merged_node is one of the two we were merging,
2462 add it back to the worklist to ensure it gets
2463 processed.
2465 Add edges from the merged nodes to it (but not a
2466 self-edge). */
2469 else
2470 {
2473 }
2477 else
2478 {
2481 }
2484 }
2485 }
2487 /* TODO: should we attempt more than two nodes,
2488 or just do pairs of nodes? (and hope that we get
2489 a cascade of mergers). */
2490 }
2491 }
2495 handle_limit:
2496 /* Impose a hard limit on the number of exploded nodes, to ensure
2497 that the analysis terminates in the face of pathological state
2498 explosion (or bugs).
2500 Specifically, the limit is on the number of PK_AFTER_SUPERNODE
2501 exploded nodes, looking at supernode exit events.
2503 We use exit rather than entry since there can be multiple
2504 entry ENs, one per phi; the number of PK_AFTER_SUPERNODE ought
2505 to be equivalent to the number of supernodes multiplied by the
2506 number of states. */
2509 {
2513 OPT_Wanalyzer_too_complex,
2514 "analysis bailed out early"
2519 }
2520 }
2521 }
2523 /* Attempt to process a consecutive run of sufficiently-similar nodes in
2524 the worklist at a CFG join-point (having already popped ENODE from the
2525 head of the worklist).
2527 If ENODE's point is of the form (before-supernode, SNODE) and the next
2528 nodes in the worklist are a consecutive run of enodes of the same form,
2529 for the same supernode as ENODE (but potentially from different in-edges),
2530 process them all together, setting their status to STATUS_BULK_MERGED,
2531 and return true.
2532 Otherwise, return false, in which case ENODE must be processed in the
2533 normal way.
2535 When processing them all together, generate successor states based
2536 on phi nodes for the appropriate CFG edges, and then attempt to merge
2537 these states into a minimal set of merged successor states, partitioning
2538 the inputs by merged successor state.
2540 Create new exploded nodes for all of the merged states, and add edges
2541 connecting the input enodes to the corresponding merger exploded nodes.
2543 We hope we have a much smaller number of merged successor states
2544 compared to the number of input enodes - ideally just one,
2545 if all successor states can be merged.
2547 Processing and merging many together as one operation rather than as
2548 pairs avoids scaling issues where per-pair mergers could bloat the
2549 graph with merger nodes (especially so after switch statements). */
2551 bool
2554 {
2555 /* A struct for tracking per-input state. */
2556 struct item
2557 {
2562 {}
2565 program_state m_processed_state;
2567 };
2582 /* Find a run of enodes in the worklist that are before the same supernode,
2583 but potentially from different in-edges. */
2587 {
2597 {
2600 }
2601 else
2603 }
2605 /* If the only node is ENODE, then give up. */
2613 /* All of these enodes have a shared successor point (even if they
2614 were for different in-edges). */
2617 /* Calculate the successor state for each enode in enodes. */
2622 {
2629 {
2637 }
2638 }
2640 /* Attempt to partition the items into a set of merged states.
2641 We hope we have a much smaller number of merged states
2642 compared to the number of input enodes - ideally just one,
2643 if all can be merged. */
2648 {
2653 {
2656 {
2663 }
2664 }
2665 /* If it couldn't be merged with any existing merged_states,
2666 create a new one. */
2668 {
2675 }
2676 got_merger:
2679 }
2681 /* Create merger nodes. */
2685 {
2686 exploded_node *src_enode
2688 exploded_node *next
2690 /* "next" could be NULL; we handle that when adding the edges below. */
2693 {
2696 else
2698 }
2699 }
2701 /* Create edges from each input enode to the appropriate successor enode.
2702 Update the status of the now-processed input enodes. */
2704 {
2709 }
2716 }
2718 /* Return true if STMT must appear at the start of its exploded node, and
2719 thus we can't consolidate its effects within a run of other statements,
2720 where PREV_STMT was the previous statement. */
2722 static bool
2725 {
2727 {
2728 /* Stop consolidating at calls to
2729 "__analyzer_dump_exploded_nodes", so they always appear at the
2730 start of an exploded_node. */
2735 /* sm-signal.cc injects an additional custom eedge at "signal" calls
2736 from the registration enode to the handler enode, separate from the
2737 regular next state, which defeats the "detect state change" logic
2738 in process_node. Work around this via special-casing, to ensure
2739 we split the enode immediately before any "signal" call. */
2742 }
2744 /* If we had a PREV_STMT with an unknown location, and this stmt
2745 has a known location, then if a state change happens here, it
2746 could be consolidated into PREV_STMT, giving us an event with
2747 no location. Ensure that STMT gets its own exploded_node to
2748 avoid this. */
2754 }
2756 /* The core of exploded_graph::process_worklist (the main analysis loop),
2757 handling one node in the worklist.
2759 Get successor <point, state> pairs for NODE, calling get_or_create on
2760 them, and adding an exploded_edge to each successors.
2762 Freshly-created nodes will be added to the worklist. */
2764 void
2766 {
2774 /* Update cfun and input_location in case of an ICE: make it easier to
2775 track down which source construct we're failing to handle. */
2783 {
2791 }
2794 {
2798 /* This node exists to simplify finding the shortest path
2799 to an exploded_node. */
2803 {
2807 {
2815 last_cfg_superedge,
2817 }
2823 }
2826 {
2827 /* Determine the effect of a run of one or more statements
2828 within one supernode, generating an edge to the program_point
2829 after the last statement that's processed.
2831 Stop iterating statements and thus consolidating into one enode
2832 when:
2833 - reaching the end of the statements in the supernode
2834 - if an sm-state-change occurs (so that it gets its own
2835 exploded_node)
2836 - if "-fanalyzer-fine-grained" is active
2837 - encountering certain statements must appear at the start of
2838 their enode (for which stmt_requires_new_enode_p returns true)
2840 Update next_state in-place, to get the result of the one
2841 or more stmts that are processed.
2843 Split the node in-place if an sm-state-change occurs, so that
2844 the sm-state-change occurs on an edge where the src enode has
2845 exactly one stmt, the one that caused the change. */
2852 stmt_idx++)
2853 {
2858 {
2859 stmt_idx--;
2861 }
2866 /* Process the stmt. */
2871 /* If flags.m_terminate_path, stop analyzing; any nodes/edges
2872 will have been added by on_stmt (e.g. for handling longjmp). */
2877 {
2882 }
2885 program_point next_point
2894 {
2895 program_point split_point
2897 stmt_idx,
2900 {
2901 /* If we're not at the start of NODE, split the enode at
2902 this stmt, so we have:
2903 node -> split_enode
2904 so that when split_enode is processed the next edge
2905 we add will be:
2906 split_enode -> next
2907 and any state change will effectively occur on that
2908 latter edge, and split_enode will contain just stmt. */
2911 exploded_node *split_enode
2915 /* "stmt" will be reprocessed when split_enode is
2916 processed. */
2922 }
2923 else
2924 /* If we're at the start of NODE, stop iterating,
2925 so that an edge will be created from NODE to
2926 (next_point, next_state) below. */
2928 }
2929 }
2931 program_point next_point
2940 }
2943 {
2944 /* If this is an EXIT BB, detect leaks, and potentially
2945 create a function summary. */
2947 {
2951 {
2952 /* TODO: create function summary
2953 There can be more than one; each corresponds to a different
2954 final enode in the function. */
2956 {
2959 logger->log_partial
2964 }
2965 per_function_data *per_fn_data
2968 }
2969 }
2970 /* Traverse into successors of the supernode. */
2974 {
2979 program_point next_point
2985 {
2990 }
2993 node);
2996 }
2997 }
2999 }
3000 }
3002 /* Ensure that this graph has a stats instance for FN, return it.
3003 FN can be NULL, in which case a stats instances is returned covering
3004 "functionless" parts of the graph (the origin node). */
3006 stats *
3008 {
3014 else
3015 {
3017 /* not quite the num supernodes, but nearly. */
3021 }
3022 }
3024 /* Print bar charts to PP showing:
3025 - the number of enodes per function, and
3026 - for each function:
3027 - the number of enodes per supernode/BB
3028 - the number of excess enodes per supernode/BB beyond the
3029 per-program-point limit, if there were any. */
3031 void
3033 {
3038 bar_chart enodes_per_function;
3040 {
3046 }
3049 /* Accumulate number of enodes per supernode. */
3056 {
3061 }
3063 /* Accumulate excess enodes per supernode. */
3069 {
3077 }
3079 /* Show per-function bar_charts of enodes per supernode/BB. */
3083 {
3088 bar_chart enodes_per_snode;
3089 bar_chart excess_enodes_per_snode;
3092 {
3096 pretty_printer tmp_pp;
3101 const int num_excess
3104 num_excess);
3107 }
3110 {
3114 }
3115 }
3116 }
3118 /* Write all stats information to this graph's logger, if any. */
3120 void
3122 {
3142 {
3146 }
3149 }
3151 /* Dump all stats information to OUT. */
3153 void
3155 {
3167 {
3171 }
3176 }
3178 void
3181 {
3187 {
3191 {
3192 pretty_printer pp;
3198 }
3199 }
3202 }
3204 /* Return a new json::object of the form
3205 {"nodes" : [objs for enodes],
3206 "edges" : [objs for eedges],
3207 "ext_state": object for extrinsic_state,
3208 "diagnostic_manager": object for diagnostic_manager}. */
3212 {
3215 /* Nodes. */
3216 {
3223 }
3225 /* Edges. */
3226 {
3233 }
3235 /* m_sg is JSONified at the top-level. */
3240 /* The following fields aren't yet being JSONified:
3241 worklist m_worklist;
3242 const state_purge_map *const m_purge_map;
3243 const analysis_plan &m_plan;
3244 stats m_global_stats;
3245 function_stat_map_t m_per_function_stats;
3246 stats m_functionless_stats;
3247 call_string_data_map_t m_per_call_string_data;
3248 auto_vec<int> m_PK_AFTER_SUPERNODE_per_snode; */
3251 }
3253 /* Look for the last use of SEARCH_STMT within this path.
3254 If found write the edge's index to *OUT_IDX and return true, otherwise
3255 return false. */
3257 bool
3260 {
3264 {
3269 {
3272 }
3273 }
3275 }
3277 /* Get the final exploded_node in this path, which must be non-empty. */
3279 exploded_node *
3281 {
3284 }
3286 /* Check state along this path, returning true if it is feasible.
3287 If OUT is non-NULL, and the path is infeasible, write a new
3288 feasibility_problem to *OUT. */
3290 bool
3293 {
3298 /* Traverse the path, updating this model. */
3301 {
3305 edge_idx,
3311 {
3315 }
3317 /* Update state for the stmts that were processed in each enode. */
3319 stmt_idx++)
3320 {
3323 /* Update cfun and input_location in case of ICE: make it easier to
3324 track down which source construct we're failing to handle. */
3332 }
3336 {
3346 {
3348 {
3351 }
3355 else
3358 }
3359 }
3360 else
3361 {
3362 /* Special-case the initial eedge from the origin node to the
3363 initial function by pushing a frame for it. */
3365 {
3375 }
3377 {
3379 }
3380 }
3382 /* Handle phi nodes on an edge leaving a PK_BEFORE_SUPERNODE (to
3383 a PK_BEFORE_STMT, or a PK_AFTER_SUPERNODE if no stmts).
3384 This will typically not be associated with a superedge. */
3386 {
3392 {
3396 last_cfg_superedge,
3397 NULL);
3398 /* If we've entering an snode that we've already visited on this
3399 epath, then we need do fix things up for loops; see the
3400 comment for store::loop_replay_fixup.
3401 Perhaps we should probably also verify the callstring,
3402 and track program_points, but hopefully doing it by supernode
3403 is good enough. */
3406 }
3408 }
3411 {
3413 edge_idx,
3419 }
3420 }
3423 }
3425 /* Dump this path in multiline form to PP. */
3427 void
3429 {
3431 {
3434 i,
3438 }
3439 }
3441 /* Dump this path in multiline form to FP. */
3443 void
3445 {
3446 pretty_printer pp;
3452 }
3454 /* Dump this path in multiline form to stderr. */
3456 DEBUG_FUNCTION void
3458 {
3460 }
3462 /* class feasibility_problem. */
3464 void
3466 {
3470 {
3475 }
3476 }
3478 /* A family of cluster subclasses for use when generating .dot output for
3479 exploded graphs (-fdump-analyzer-exploded-graph), for grouping the
3480 enodes into hierarchical boxes.
3482 All functionless enodes appear in the top-level graph.
3483 Every (function, call_string) pair gets its own cluster. Within that
3484 cluster, each supernode gets its own cluster.
3486 Hence all enodes relating to a particular function with a particular
3487 callstring will be in a cluster together; all enodes for the same
3488 function but with a different callstring will be in a different
3489 cluster. */
3491 /* Base class of cluster for clustering exploded_node instances in .dot
3492 output, based on various subclass-specific criteria. */
3495 {
3496 };
3498 /* Cluster containing all exploded_node instances for one supernode. */
3501 {
3505 // TODO: dtor?
3508 {
3522 /* Terminate subgraph. */
3525 }
3528 {
3530 }
3535 };
3537 /* Cluster containing all supernode_cluster instances for one
3538 (function, call_string) pair. */
3541 {
3547 {
3552 }
3555 {
3571 /* Terminate subgraph. */
3574 }
3577 {
3583 else
3584 {
3588 }
3589 }
3593 call_string m_cs;
3595 map_t m_map;
3596 };
3598 /* Keys for root_cluster. */
3600 struct function_call_string
3601 {
3604 {
3606 }
3609 call_string m_cs;
3610 };
3616 {
3618 };
3621 inline hashval_t
3623 {
3625 }
3631 {
3633 }
3637 {
3639 }
3643 {
3645 }
3649 {
3651 }
3655 {
3657 }
3661 /* Top-level cluster for generating .dot output for exploded graphs,
3662 handling the functionless nodes, and grouping the remaining nodes by
3663 callstring. */
3666 {
3669 {
3674 }
3677 {
3687 }
3690 {
3693 {
3696 }
3703 else
3704 {
3705 function_call_string_cluster *child
3709 }
3710 }
3713 /* This can't be an ordered_hash_map, as we can't store vec<call_string>,
3714 since it's not a POD; vec<>::quick_push has:
3715 *slot = obj;
3716 and the slot isn't initialized, so the assignment op dies when cleaning up
3717 un-inited *slot (within the truncate call). */
3719 map_t m_map;
3721 /* This should just be the origin exploded_node. */
3723 };
3725 /* Subclass of range_label for use within
3726 exploded_graph::dump_exploded_nodes for implementing
3727 -fdump-analyzer-exploded-nodes: a label for a specific
3728 exploded_node. */
3731 {
3738 {
3739 pretty_printer pp;
3744 }
3749 };
3751 /* Postprocessing support for dumping the exploded nodes.
3752 Handle -fdump-analyzer-exploded-nodes,
3753 -fdump-analyzer-exploded-nodes-2, and the
3754 "__analyzer_dump_exploded_nodes" builtin. */
3756 void
3758 {
3759 // TODO
3760 /* Locate calls to __analyzer_dump_exploded_nodes. */
3761 // Print how many egs there are for them?
3762 /* Better: log them as we go, and record the exploded nodes
3763 in question. */
3765 /* Show every enode. */
3767 /* Gather them by stmt, so that we can more clearly see the
3768 "hotspots" requiring numerous exploded nodes. */
3770 /* Alternatively, simply throw them all into one big rich_location
3771 and see if the label-printing will sort it out...
3772 This requires them all to be in the same source file. */
3775 {
3781 {
3783 {
3786 else
3788 SHOW_RANGE_WITHOUT_CARET,
3790 }
3791 }
3794 /* Repeat the warning without all the labels, so that message is visible
3795 (the other one may well have scrolled past the terminal limit). */
3802 }
3804 /* Dump the egraph in textual form to a dump file. */
3806 {
3822 {
3825 pretty_printer pp;
3829 }
3832 }
3834 /* Dump the egraph in textual form to multiple dump files, one per enode. */
3836 {
3842 {
3852 pretty_printer pp;
3858 }
3859 }
3861 /* Emit a warning at any call to "__analyzer_dump_exploded_nodes",
3862 giving the number of processed exploded nodes for "before-stmt",
3863 and the IDs of processed, merger, and worklist enodes.
3865 We highlight the count of *processed* enodes since this is of most
3866 interest in DejaGnu tests for ensuring that state merger has
3867 happened.
3869 We don't show the count of merger and worklist enodes, as this is
3870 more of an implementation detail of the merging/worklist that we
3871 don't want to bake into our expected DejaGnu messages. */
3877 {
3885 {
3892 /* This is O(N^2). */
3896 {
3901 {
3913 }
3914 }
3916 pretty_printer pp;
3920 {
3923 }
3925 {
3928 }
3937 /* If the argument is non-zero, then print all of the states
3938 of the various enodes. */
3941 {
3945 }
3948 {
3951 {
3956 /* Dump state. */
3958 }
3959 }
3960 }
3961 }
3962 }
3964 DEBUG_FUNCTION exploded_node *
3966 {
3970 }
3972 /* Ensure that there is an exploded_node for a top-level call to FNDECL. */
3974 void
3976 {
3993 {
3997 else
3999 }
4000 }
4002 /* A collection of classes for visualizing the callgraph in .dot form
4003 (as represented in the supergraph). */
4005 /* Forward decls. */
4011 /* Traits for using "digraph.h" to visualize the callgraph. */
4013 struct viz_callgraph_traits
4014 {
4018 struct dump_args_t
4019 {
4022 };
4024 };
4026 /* Subclass of dnode representing a function within the callgraph. */
4029 {
4035 {
4037 }
4040 {
4065 {
4070 {
4072 num_enodes++;
4073 }
4079 // TODO: also show the per-callstring breakdown
4086 {
4088 //per_call_string_data *data = (*iter).second;
4091 {
4094 num_enodes++;
4095 }
4097 {
4103 }
4104 }
4106 /* Show any summaries. */
4109 {
4115 }
4116 }
4120 }
4123 {
4125 }
4132 };
4134 /* Subclass of dedge representing a callgraph edge. */
4137 {
4141 {}
4144 FINAL OVERRIDE
4145 {
4161 }
4162 };
4164 /* Subclass of digraph representing the callgraph. */
4167 {
4172 {
4174 }
4177 {
4179 }
4183 };
4185 /* Placeholder subclass of cluster. */
4188 {
4189 };
4191 /* viz_callgraph's ctor. */
4194 {
4197 {
4199 viz_callgraph_node *vcg_node
4203 }
4208 {
4213 {
4215 viz_callgraph_edge *vcg_edge
4218 }
4219 }
4223 {
4226 }
4227 }
4229 /* Dump the callgraph to FILENAME. */
4231 static void
4234 {
4239 // TODO
4244 }
4246 /* Dump the callgraph to "<srcfile>.callgraph.dot". */
4248 static void
4250 {
4255 }
4257 /* Subclass of dot_annotator for implementing
4258 DUMP_BASE_NAME.supergraph-eg.dot, a post-analysis dump of the supergraph.
4260 Annotate the supergraph nodes by printing the exploded nodes in concise
4261 form within them, next to their pertinent statements where appropriate,
4262 colorizing the exploded nodes based on sm-state.
4263 Also show saved diagnostics within the exploded nodes, giving information
4264 on whether they were feasible, and, if infeasible, where the problem
4265 was. */
4268 {
4272 {
4273 /* Avoid O(N^2) by prepopulating m_enodes_per_snodes. */
4282 }
4284 /* Show exploded nodes for BEFORE_SUPERNODE points before N. */
4287 const FINAL OVERRIDE
4288 {
4303 {
4310 }
4316 }
4318 /* Show exploded nodes for STMT. */
4321 const FINAL OVERRIDE
4322 {
4333 {
4341 }
4344 {
4347 }
4348 }
4350 /* Show exploded nodes for AFTER_SUPERNODE points after N. */
4352 const FINAL OVERRIDE
4353 {
4364 {
4370 }
4374 }
4377 /* Concisely print a TD element for ENODE, showing the index, status,
4378 and any saved_diagnostics at the enode. Colorize it to show sm-state.
4380 Ideally we'd dump ENODE's state here, hidden behind some kind of
4381 interactive disclosure method like a tooltip, so that the states
4382 can be explored without overwhelming the graph.
4383 However, I wasn't able to get graphviz/xdot to show tooltips on
4384 individual elements within a HTML-like label. */
4386 {
4394 {
4408 }
4410 /* Dump any saved_diagnostics at this enode. */
4411 {
4414 {
4418 }
4419 }
4422 }
4424 /* Print a TABLE element for SD, showing the kind, the length of the
4425 exploded_path, whether the path was feasible, and if infeasible,
4426 what the problem was. */
4429 {
4441 {
4447 {
4468 /* Ideally we'd print p->m_model here; see the notes above about
4469 tooltips. */
4470 }
4477 }
4480 }
4484 };
4486 /* Implement -fdump-analyzer-json. */
4488 static void
4491 {
4496 {
4500 }
4506 pretty_printer pp;
4517 }
4519 /* Run the analysis "engine". */
4521 void
4523 {
4526 /* If using LTO, ensure that the cgraph nodes have function bodies. */
4531 engine eng;
4533 /* Create the supergraph. */
4542 {
4543 /* Dump supergraph pre-analysis. */
4549 }
4552 {
4559 }
4565 {
4570 }
4572 /* Extrinsic state shared by nodes in the graph. */
4577 /* The exploded graph. */
4579 analyzer_verbosity);
4581 /* Add entrypoints to the graph for externally-callable functions. */
4584 /* Now process the worklist, exploring the <point, state> graph. */
4588 {
4593 root_cluster c;
4596 }
4598 /* Now emit any saved diagnostics. */
4609 {
4610 /* Dump post-analysis form of supergraph. */
4617 }
4623 }
4625 /* External entrypoint to the analysis "engine".
4626 Set up any dumps, then call impl_run_checkers. */
4628 void
4630 {
4631 /* Save input_location. */
4634 /* Handle -fdump-analyzer and -fdump-analyzer-stderr. */
4636 /* Track if we're responsible for closing dump_fout. */
4641 {
4647 }
4649 {
4658 /* end of lifetime of the_logger (so that dump file is closed after the
4659 various dtors run). */
4660 }
4665 /* Restore input_location. Subsequent passes may assume that input_location
4666 is some arbitrary value *not* in the block tree, which might be violated
4667 if we didn't restore it. */
4669 }