| blob | ef2717d6a29e230c3907e68960fb465be93100e0 |
1 /* String length optimization
2 Copyright (C) 2011-2019 Free Software Foundation, Inc.
3 Contributed by Jakub Jelinek <jakub@redhat.com>
5 This file is part of GCC.
7 GCC is free software; you can redistribute it and/or modify
8 it under the terms of the GNU General Public License as published by
9 the Free Software Foundation; either version 3, or (at your option)
10 any later version.
12 GCC is distributed in the hope that it will be useful,
13 but WITHOUT ANY WARRANTY; without even the implied warranty of
14 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
15 GNU General Public License for more details.
17 You should have received a copy of the GNU General Public License
18 along with GCC; see the file COPYING3. If not see
19 <http://www.gnu.org/licenses/>. */
65 /* A vector indexed by SSA_NAME_VERSION. 0 means unknown, positive value
66 is an index into strinfo vector, negative value stands for
67 string length of a string literal (~strlen). */
70 /* Number of currently active string indexes plus one. */
73 /* Set to true to optimize, false when just checking. */
76 /* String information record. */
77 struct strinfo
78 {
79 /* Number of leading characters that are known to be nonzero. This is
80 also the length of the string if FULL_STRING_P.
82 The values in a list of related string pointers must be consistent;
83 that is, if strinfo B comes X bytes after strinfo A, it must be
84 the case that A->nonzero_chars == X + B->nonzero_chars. */
85 tree nonzero_chars;
86 /* Any of the corresponding pointers for querying alias oracle. */
87 tree ptr;
88 /* This is used for two things:
90 - To record the statement that should be used for delayed length
91 computations. We maintain the invariant that all related strinfos
92 have delayed lengths or none do.
94 - To record the malloc or calloc call that produced this result. */
96 /* Pointer to '\0' if known, if NULL, it can be computed as
97 ptr + length. */
98 tree endptr;
99 /* Reference count. Any changes to strinfo entry possibly shared
100 with dominating basic blocks need unshare_strinfo first, except
101 for dont_invalidate which affects only the immediately next
102 maybe_invalidate. */
104 /* Copy of index. get_strinfo (si->idx) should return si; */
106 /* These 3 fields are for chaining related string pointers together.
107 E.g. for
108 bl = strlen (b); dl = strlen (d); strcpy (a, b); c = a + bl;
109 strcpy (c, d); e = c + dl;
110 strinfo(a) -> strinfo(c) -> strinfo(e)
111 All have ->first field equal to strinfo(a)->idx and are doubly
112 chained through prev/next fields. The later strinfos are required
113 to point into the same string with zero or more bytes after
114 the previous pointer and all bytes in between the two pointers
115 must be non-zero. Functions like strcpy or memcpy are supposed
116 to adjust all previous strinfo lengths, but not following strinfo
117 lengths (those are uncertain, usually invalidated during
118 maybe_invalidate, except when the alias oracle knows better).
119 Functions like strcat on the other side adjust the whole
120 related strinfo chain.
121 They are updated lazily, so to use the chain the same first fields
122 and si->prev->next == si->idx needs to be verified. */
126 /* A flag whether the string is known to be written in the current
127 function. */
129 /* A flag for the next maybe_invalidate that this strinfo shouldn't
130 be invalidated. Always cleared by maybe_invalidate. */
132 /* True if the string is known to be nul-terminated after NONZERO_CHARS
133 characters. False is useful when detecting strings that are built
134 up via successive memcpys. */
136 };
138 /* Pool for allocating strinfo_struct entries. */
141 /* Vector mapping positive string indexes to strinfo, for the
142 current basic block. The first pointer in the vector is special,
143 it is either NULL, meaning the vector isn't shared, or it is
144 a basic block pointer to the owner basic_block if shared.
145 If some other bb wants to modify the vector, the vector needs
146 to be unshared first, and only the owner bb is supposed to free it. */
149 /* One OFFSET->IDX mapping. */
150 struct stridxlist
151 {
153 HOST_WIDE_INT offset;
155 };
157 /* Hash table entry, mapping a DECL to a chain of OFFSET->IDX mappings. */
158 struct decl_stridxlist_map
159 {
162 };
164 /* Hash table for mapping decls to a chained list of offset -> idx
165 mappings. */
169 /* Hash table mapping strlen (or strnlen with constant bound and return
170 smaller than bound) calls to stridx instances describing
171 the calls' arguments. Non-null only when warn_stringop_truncation
172 is non-zero. */
176 /* Obstack for struct stridxlist and struct decl_stridxlist_map. */
179 /* Last memcpy statement if it could be adjusted if the trailing
180 '\0' written is immediately overwritten, or
181 *x = '\0' store that could be removed if it is immediately overwritten. */
182 struct laststmt_struct
183 {
185 tree len;
192 /* Return:
194 - 1 if SI is known to start with more than OFF nonzero characters.
196 - 0 if SI is known to start with OFF nonzero characters,
197 but is not known to start with more.
199 - -1 if SI might not start with OFF nonzero characters. */
203 {
207 else
209 }
211 /* Return true if SI is known to be a zero-length string. */
215 {
217 }
219 /* Return strinfo vector entry IDX. */
223 {
227 }
229 /* Get the next strinfo in the chain after SI, or null if none. */
233 {
240 }
242 /* Helper function for get_stridx. Return the strinfo index of the address
243 of EXP, which is available in PTR if nonnull. If OFFSET_OUT, it is
244 OK to return the index for some X <= &EXP and store &EXP - X in
245 *OFFSET_OUT. */
247 static int
249 {
250 HOST_WIDE_INT off;
252 tree base;
257 poly_int64 poff;
266 do
267 {
269 {
273 }
278 }
282 {
283 unsigned HOST_WIDE_INT rel_off
287 {
289 {
292 }
293 else
295 }
296 }
298 }
300 /* Return string index for EXP. */
302 static int
304 {
306 {
312 /* Follow a chain of at most 5 assignments. */
314 {
323 {
324 /* Handle indices/offsets into VLAs which are implemented
325 as pointers to arrays. */
329 /* Handle also VLAs of types larger than char. */
331 {
333 {
337 {
338 /* Scale the array index by the size of the element
339 type in the rare case that it's greater than
340 the typical 1 for char, making sure both operands
341 have the same type. */
345 }
346 }
347 else
349 }
350 else
356 /* Add the MEM_REF byte offset. */
360 }
362 {
365 }
366 else
379 {
380 strinfo *si
384 }
386 }
388 }
391 {
395 }
402 }
404 /* Return true if strinfo vector is shared with the immediate dominator. */
408 {
411 }
413 /* Unshare strinfo vector that is shared with the immediate dominator. */
415 static void
417 {
427 }
429 /* Attempt to create a string index for exp, ADDR_EXPR's operand.
430 Return a pointer to the location where the string index can
431 be stored (if 0) or is stored, or NULL if this can't be tracked. */
435 {
436 HOST_WIDE_INT off;
438 poly_int64 poff;
444 {
445 decl_to_stridxlist_htab
448 }
453 {
457 {
465 }
469 {
477 }
480 }
486 }
488 /* Create a new string index, or return 0 if reached limit. */
490 static int
492 {
497 {
503 }
505 {
508 {
512 }
513 }
515 }
517 /* Like new_stridx, but for ADDR_EXPR's operand instead. */
519 static int
521 {
527 {
531 }
533 }
535 /* Create a new strinfo. */
539 {
554 }
556 /* Decrease strinfo refcount and free it if not referenced anymore. */
560 {
563 }
565 /* Set strinfo in the vector entry IDX to SI. */
569 {
575 }
577 /* Return the first strinfo in the related strinfo chain
578 if all strinfos in between belong to the chain, otherwise NULL. */
582 {
588 {
596 }
600 }
602 /* Set SI's endptr to ENDPTR and compute its length based on SI->ptr.
603 Use LOC for folding. */
605 static void
607 {
615 }
617 /* Return the string length, or NULL if it can't be computed.
618 The length may but need not be constant. Instead, it might be
619 the result of a strlen() call. */
621 static tree
623 {
624 /* If the length has already been computed return it if it's exact
625 (i.e., the string is nul-terminated at NONZERO_CHARS), or return
626 null if it isn't. */
630 /* If the string is the result of one of the built-in calls below
631 attempt to compute the length from the call statement. */
633 {
636 location_t loc;
637 gimple_stmt_iterator gsi;
643 /* unshare_strinfo is intentionally not called here. The (delayed)
644 transformation of strcpy or strcat into stpcpy is done at the place
645 of the former strcpy/strcat call and so can affect all the strinfos
646 with the same stmt. If they were unshared before and transformation
647 has been already done, the handling of BUILT_IN_STPCPY{,_CHK} should
648 just compute the right length. */
650 {
664 {
668 }
669 lenstmt = gimple_build_assign
675 /* FALLTHRU */
681 else
685 {
688 }
694 {
697 }
698 /* FALLTHRU */
712 /* BUILT_IN_CALLOC always has si->nonzero_chars set. */
716 }
717 }
720 }
722 /* Dump strlen data to FP for statement STMT. When non-null, RVALS
723 points to EVRP info and is used to dump strlen range for non-constant
724 results. */
726 DEBUG_FUNCTION void
728 {
730 {
734 }
735 else
743 {
746 {
748 {
753 {
756 }
760 {
764 {
770 {
773 }
774 else
776 }
777 else
781 {
786 }
787 }
790 {
793 }
799 {
801 do
805 }
807 }
808 }
809 }
810 else
815 {
820 {
826 {
832 }
834 }
835 }
836 else
840 {
846 }
847 }
849 /* Attempt to determine the length of the string SRC. On success, store
850 the length in *PDATA and return true. Otherwise, return false.
851 VISITED is a bitmap of visited PHI nodes. RVALS points to EVRP info
852 and PSSA_DEF_MAX to an SSA_NAME assignment limit used to prevent runaway
853 recursion. */
855 static bool
858 {
861 {
863 {
866 {
878 /* Iterate over the PHI arguments and determine the minimum
879 and maximum length/size of each and incorporate them into
880 the overall result. */
883 {
888 c_strlen_data argdata = { };
890 pssa_def_max))
891 {
892 /* Set the DECL of an unterminated array this argument
893 refers to if one hasn't been found yet. */
902 {
903 /* Set the upper bound of the length to unbounded. */
906 }
908 /* Adjust the minimum and maximum length determined
909 so far and the upper bound on the array size. */
924 }
925 else
927 }
930 }
931 }
933 /* Return success regardless of the result and handle *PDATA
934 in the caller. */
937 }
940 {
941 /* SRC is a string of constant length. */
946 }
949 {
952 {
956 {
962 {
965 }
966 else
968 }
969 else
976 HOST_WIDE_INT off;
977 poly_int64 poff;
984 {
991 }
992 else
994 }
996 {
1002 {
1006 }
1007 else
1008 {
1011 }
1012 }
1014 {
1017 }
1018 else
1019 {
1020 /* For PDATA->MINLEN that's a non-constant expression such
1021 as PLUS_EXPR whose value range is unknown, set the bounds
1022 to zero and SIZE_MAX. */
1025 }
1028 }
1031 }
1033 /* Analogous to get_range_strlen but for dynamically created strings,
1034 i.e., those created by calls to strcpy as opposed to just string
1035 constants.
1036 Try to obtain the range of the lengths of the string(s) referenced
1037 by SRC, or the size of the largest array SRC refers to if the range
1038 of lengths cannot be determined, and store all in *PDATA. RVALS
1039 points to EVRP info. */
1041 void
1044 {
1050 {
1051 /* On failure extend the length range to an impossible maximum
1052 (a valid MAXLEN must be less than PTRDIFF_MAX - 1). Other
1053 members can stay unchanged regardless. */
1056 }
1060 /* If it's unchanged from it initial non-null value, set the conservative
1061 MAXBOUND to SIZE_MAX. Otherwise leave it null (if it is null). */
1067 }
1069 /* Invalidate string length information for strings whose length
1070 might change due to stores in stmt. */
1072 static bool
1074 {
1081 {
1083 {
1084 ao_ref r;
1085 /* Do not use si->nonzero_chars. */
1088 {
1092 }
1093 }
1096 }
1098 }
1100 /* Unshare strinfo record SI, if it has refcount > 1 or
1101 if stridx_to_strinfo vector is shared with some other
1102 bbs. */
1106 {
1122 }
1124 /* Attempt to create a new strinfo for BASESI + OFF, or find existing
1125 strinfo if there is any. Return it's idx, or 0 if no strinfo has
1126 been created. */
1128 static int
1130 tree ptr)
1131 {
1139 unsigned HOST_WIDE_INT nonzero_chars
1155 {
1163 {
1165 {
1168 else
1169 {
1173 }
1175 }
1177 }
1178 }
1187 {
1191 }
1203 }
1205 /* Note that PTR, a pointer SSA_NAME initialized in the current stmt, points
1206 to a zero-length string and if possible chain it to a related strinfo
1207 chain whose part is or might be CHAINSI. */
1211 {
1222 {
1225 {
1226 do
1227 {
1228 /* We shouldn't mix delayed and non-delayed lengths. */
1231 {
1234 }
1237 }
1240 {
1242 {
1245 }
1248 }
1249 }
1250 else
1251 {
1252 /* We shouldn't mix delayed and non-delayed lengths. */
1255 {
1260 }
1261 }
1262 }
1270 {
1280 }
1282 }
1284 /* For strinfo ORIGSI whose length has been just updated, adjust other
1285 related strinfos so that they match the new ORIGSI. This involves:
1287 - adding ADJ to the nonzero_chars fields
1288 - copying full_string_p from the new ORIGSI. */
1290 static void
1292 {
1299 {
1303 {
1304 tree tem;
1307 /* We shouldn't see delayed lengths here; the caller must
1308 have calculated the old length in order to calculate
1309 the adjustment. */
1319 }
1324 }
1325 }
1327 /* Find if there are other SSA_NAME pointers equal to PTR
1328 for which we don't track their string lengths yet. If so, use
1329 IDX for them. */
1331 static void
1333 {
1337 {
1343 {
1346 CASE_CONVERT:
1353 /* FALLTHRU */
1355 {
1360 }
1363 }
1365 /* We might find an endptr created in this pass. Grow the
1366 vector in that case. */
1373 }
1374 }
1376 /* Return true if STMT is a call to a builtin function with the right
1377 arguments and attributes that should be considered for optimization
1378 by this pass. */
1380 static bool
1382 {
1394 {
1402 /* The above functions should be pure. Punt if they aren't. */
1426 /* The above functions should be neither const nor pure. Punt if they
1427 aren't. */
1434 }
1437 }
1439 /* If the last .MEM setter statement before STMT is
1440 memcpy (x, y, strlen (y) + 1), the only .MEM use of it is STMT
1441 and STMT is known to overwrite x[strlen (x)], adjust the last memcpy to
1442 just memcpy (x, y, strlen (y)). SI must be the zero length
1443 strinfo. */
1445 static void
1447 {
1472 {
1480 {
1484 }
1485 }
1491 {
1492 gimple_stmt_iterator gsi;
1503 }
1510 {
1516 }
1520 {
1525 /* Don't adjust the length if it is divisible by 4, it is more efficient
1526 to store the extra '\0' in that case. */
1530 /* Don't fold away an out of bounds access, as this defeats proper
1531 warnings. */
1536 }
1538 {
1545 }
1546 else
1551 }
1553 /* For an LHS that is an SSA_NAME that is the result of a strlen()
1554 call, or when BOUND is non-null, of a strnlen() call, set LHS
1555 range info to [0, min (MAX, BOUND)] when the range includes more
1556 than one value and return LHS. Otherwise, when the range
1557 [MIN, MAX] is such that MIN == MAX, return the tree representation
1558 of (MIN). The latter allows callers to fold suitable strnlen() calls
1559 to constants. */
1561 tree
1564 {
1570 {
1571 /* For strnlen, adjust MIN and MAX as necessary. If the bound
1572 is less than the size of the array set MAX to it. It it's
1573 greater than MAX and MAX is non-zero bump MAX down to account
1574 for the necessary terminating nul. Otherwise leave it alone. */
1576 {
1583 }
1585 {
1589 {
1590 /* For a bound in a known range, adjust the range determined
1591 above as necessary. For a bound in some anti-range or
1592 in an unknown range, use the range determined by callers. */
1597 }
1598 }
1599 }
1606 }
1608 /* For an LHS that is an SSA_NAME and for strlen() or strnlen() argument
1609 SRC, set LHS range info to [0, min (N, BOUND)] if SRC refers to
1610 a character array A[N] with unknown length bounded by N, and for
1611 strnlen(), by min (N, BOUND). */
1613 static tree
1615 {
1621 {
1626 }
1628 /* The longest string is PTRDIFF_MAX - 1 bytes including the final
1629 NUL so that the difference between a pointer to just past it and
1630 one to its beginning is positive. */
1634 {
1635 /* The last array member of a struct can be bigger than its size
1636 suggests if it's treated as a poor-man's flexible array member. */
1640 {
1646 {
1647 /* Even though such uses of strlen would be undefined,
1648 avoid relying on arrays of arrays in case some genius
1649 decides to call strlen on an unterminated array element
1650 that's followed by a terminated one. Likewise, avoid
1651 assuming that a struct array member is necessarily
1652 nul-terminated (the nul may be in the member that
1653 follows). In those cases, assume that the length
1654 of the string stored in such an array is bounded
1655 by the size of the enclosing object if one can be
1656 determined. */
1659 {
1665 }
1666 }
1668 /* For strlen() the upper bound above is equal to
1669 the longest string that can be stored in the array
1670 (i.e., it accounts for the terminating nul. For
1671 strnlen() bump up the maximum by one since the array
1672 need not be nul-terminated. */
1675 }
1676 }
1680 }
1682 /* Handle a strlen call. If strlen of the argument is known, replace
1683 the strlen call with the known value, otherwise remember that strlen
1684 of the argument is stored in the lhs SSA_NAME. */
1686 static void
1688 {
1702 {
1704 tree rhs;
1710 else
1711 {
1715 {
1717 /* For strnlen, if bound is constant, even if si is not known
1718 to be zero terminated, if we know at least bound bytes are
1719 not zero, the return value will be bound. */
1727 }
1728 }
1730 {
1732 {
1735 }
1748 {
1751 }
1754 /* Don't update anything for strnlen. */
1759 {
1763 }
1767 /* For strnlen record this only if the call is proven
1768 to return the same value as strlen would. */
1775 }
1776 }
1782 else
1783 {
1786 {
1788 {
1789 /* Until now we only had a lower bound on the string length.
1790 Install LHS as the actual length. */
1796 {
1801 /* Use the constant minimim length as the lower bound
1802 of the non-constant length. */
1804 wide_int max
1807 }
1808 else
1809 {
1813 }
1814 }
1816 }
1817 }
1819 {
1821 {
1822 /* Only store the new length information for calls to strlen(),
1823 not for those to strnlen(). */
1827 }
1829 /* For SRC that is an array of N elements, set LHS's range
1830 to [0, min (N, BOUND)]. A constant return value means
1831 the range would have consisted of a single value. In
1832 that case, fold the result into the returned constant. */
1835 {
1837 {
1840 }
1848 {
1851 }
1852 }
1856 }
1857 }
1859 /* Handle a strchr call. If strlen of the first argument is known, replace
1860 the strchr (x, 0) call with the endptr or x + strlen, otherwise remember
1861 that lhs of the call is endptr and strlen of the argument is endptr - x. */
1863 static void
1865 {
1867 tree src;
1880 {
1882 tree rhs;
1886 else
1887 {
1892 }
1894 {
1898 {
1901 }
1903 {
1908 }
1909 else
1910 {
1917 }
1923 {
1926 }
1930 {
1933 }
1936 }
1937 }
1941 {
1945 {
1948 }
1950 {
1961 }
1962 }
1963 else
1965 }
1967 /* Handle a strcpy-like ({st{r,p}cpy,__st{r,p}cpy_chk}) call.
1968 If strlen of the second argument is known, strlen of the first argument
1969 is the same after this call. Furthermore, attempt to convert it to
1970 memcpy. */
1972 static void
1974 {
1980 location_t loc;
2010 {
2020 else
2021 {
2026 }
2030 }
2033 {
2037 }
2039 {
2044 /* Break the chain, so adjust_related_strinfo on later pointers in
2045 the chain won't adjust this one anymore. */
2049 }
2050 else
2051 {
2055 }
2060 {
2063 /* If string length of src is unknown, use delayed length
2064 computation. If string lenth of dst will be needed, it
2065 can be computed by transforming this strcpy call into
2066 stpcpy and subtracting dst from the return value. */
2068 /* Look for earlier strings whose length could be determined if
2069 this strcpy is turned into an stpcpy. */
2072 {
2074 {
2075 /* When setting a stmt for delayed length computation
2076 prevent all strinfos through dsi from being
2077 invalidated. */
2084 }
2085 }
2088 /* Try to detect overlap before returning. This catches cases
2089 like strcpy (d, d + n) where n is non-constant whose range
2090 is such that (n <= strlen (d) holds).
2092 OLDDSI->NONZERO_chars may have been reset by this point with
2093 oldlen holding it original value. */
2095 {
2096 /* Add 1 for the terminating NUL. */
2101 }
2104 }
2107 {
2110 ;
2118 oldlen));
2121 else
2123 }
2124 /* strcpy src may not overlap dst, so src doesn't need to be
2125 invalidated either. */
2132 {
2144 /* This would need adjustment of the lhs (subtract one),
2145 or detection that the trailing '\0' doesn't need to be
2146 written, if it will be immediately overwritten.
2147 fn = builtin_decl_explicit (BUILT_IN_MEMPCPY); */
2149 {
2152 }
2155 /* This would need adjustment of the lhs (subtract one),
2156 or detection that the trailing '\0' doesn't need to be
2157 written, if it will be immediately overwritten.
2158 fn = builtin_decl_explicit (BUILT_IN_MEMPCPY_CHK); */
2160 {
2163 }
2167 }
2172 {
2175 }
2176 else
2182 /* Set the no-warning bit on the transformed statement? */
2188 {
2191 }
2197 GSI_SAME_STMT);
2199 {
2202 }
2205 else
2209 {
2213 {
2216 }
2217 /* Allow adjust_last_stmt to decrease this memcpy's size. */
2221 }
2227 }
2229 /* Check the size argument to the built-in forms of stpncpy and strncpy
2230 for out-of-bounds offsets or overlapping access, and to see if the
2231 size argument is derived from a call to strlen() on the source argument,
2232 and if so, issue an appropriate warning. */
2234 static void
2236 {
2237 /* Same as stxncpy(). */
2239 }
2241 /* Return true if LEN depends on a call to strlen(SRC) in an interesting
2242 way. LEN can either be an integer expression, or a pointer (to char).
2243 When it is the latter (such as in recursive calls to self) is is
2244 assumed to be the argument in some call to strlen() whose relationship
2245 to SRC is being ascertained. */
2247 bool
2249 {
2262 {
2270 }
2283 {
2284 /* Pointer plus (an integer), and truncation are considered among
2285 the (potentially) related expressions to strlen. */
2287 }
2290 {
2291 /* Integer subtraction is considered strlen-related when both
2292 arguments are integers and second one is strlen-related. */
2296 }
2299 }
2301 /* Called by handle_builtin_stxncpy and by gimple_fold_builtin_strncpy
2302 in gimple-fold.c.
2303 Check to see if the specified bound is a) equal to the size of
2304 the destination DST and if so, b) if it's immediately followed by
2305 DST[CNT - 1] = '\0'. If a) holds and b) does not, warn. Otherwise,
2306 do nothing. Return true if diagnostic has been issued.
2308 The purpose is to diagnose calls to strncpy and stpncpy that do
2309 not nul-terminate the copy while allowing for the idiom where
2310 such a call is immediately followed by setting the last element
2311 to nul, as in:
2312 char a[32];
2313 strncpy (a, s, sizeof a);
2314 a[sizeof a - 1] = '\0';
2315 */
2317 bool
2319 {
2329 {
2332 ;
2334 {
2338 {
2341 }
2342 else
2343 {
2346 }
2347 }
2348 else
2350 }
2351 else
2354 /* Negative value is the constant string length. If it's less than
2355 the lower bound there is no truncation. Avoid calling get_stridx()
2356 when ssa_ver_to_stridx is empty. That implies the caller isn't
2357 running under the control of this pass and ssa_ver_to_stridx hasn't
2358 been created yet. */
2371 {
2372 /* If the source is a non-string return early to avoid warning
2373 for possible truncation (if the truncation is certain SIDX
2374 is non-zero). */
2380 }
2382 /* Likewise, if the destination refers to a an array/pointer declared
2383 nonstring return early. */
2387 /* Look for dst[i] = '\0'; after the stxncpy() call and if found
2388 avoid the truncation warning. */
2392 {
2393 /* When there is no statement in the same basic block check
2394 the immediate successor block. */
2396 {
2398 {
2399 /* For simplicity, ignore blocks with multiple outgoing
2400 edges for now and only consider successor blocks along
2401 normal edges. */
2404 {
2408 {
2411 }
2412 }
2413 }
2414 }
2415 }
2418 {
2426 {
2430 }
2432 /* Determine the base address and offset of the reference,
2433 ignoring the innermost array index. */
2437 poly_int64 dstoff;
2440 poly_int64 lhsoff;
2443 && dstbase
2447 }
2452 {
2458 }
2461 else
2462 {
2463 c_strlen_data lendata = { };
2464 /* Set MAXBOUND to an arbitrary non-null non-integer node as a request
2465 to have it set to the length of the longest string in a PHI. */
2470 {
2471 /* When LENDATA.MAXLEN is unknown, reset LENDATA.MINLEN
2472 which stores the length of the shortest known string. */
2475 else
2478 }
2479 else
2480 {
2483 }
2484 }
2492 {
2493 /* If the longest source string is shorter than the lower bound
2494 of the specified count the copy is definitely nul-terminated. */
2499 {
2500 /* The length of one of the strings is unknown but at least
2501 one has non-zero length and that length is stored in
2502 LENRANGE[1]. Swap the bounds to force a "may be truncated"
2503 warning below. */
2506 }
2508 /* Set to true for strncat whose bound is derived from the length
2509 of the destination (the expected usage pattern). */
2517 "%G%qD output truncated before terminating "
2518 "nul copying %E byte from a string of the "
2520 "%G%qD output truncated before terminating nul "
2521 "copying %E bytes from a string of the same "
2525 {
2527 {
2528 /* The shortest string is longer than the upper bound of
2529 the count so the truncation is certain. */
2533 "%G%qD output truncated copying %E byte "
2535 "%G%qD output truncated copying %E bytes "
2540 "%G%qD output truncated copying between %wu "
2544 }
2546 {
2547 /* The longest string is longer than the upper bound of
2548 the count so the truncation is possible. */
2552 "%G%qD output may be truncated copying %E "
2554 "%G%qD output may be truncated copying %E "
2559 "%G%qD output may be truncated copying between "
2563 }
2564 }
2570 {
2571 /* If the source (including the terminating nul) is longer than
2572 the lower bound of the specified count but shorter than the
2573 upper bound the copy may (but need not) be truncated. */
2575 "%G%qD output may be truncated copying between "
2579 }
2580 }
2583 {
2584 /* The source length is uknown. Try to determine the destination
2585 size and see if it matches the specified bound. If not, bail.
2586 Otherwise go on to see if it should be diagnosed for possible
2587 truncation. */
2594 /* Avoid warning for strncpy(a, b, N) calls where the following
2595 equalities hold:
2596 N == sizeof a && N == sizeof b */
2605 }
2608 }
2610 /* Check the arguments to the built-in forms of stpncpy and strncpy for
2611 out-of-bounds offsets or overlapping access, and to see if the size
2612 is derived from calling strlen() on the source argument, and if so,
2613 issue the appropriate warning. */
2615 static void
2617 {
2630 {
2631 /* Compute the size of the destination string including the nul
2632 if it is known to be nul-terminated. */
2634 {
2636 {
2637 /* String is known to be nul-terminated. */
2641 }
2642 else
2644 }
2647 }
2652 {
2653 /* strncat() and strncpy() can modify the source string by writing
2654 over the terminating nul so SISRC->DONT_INVALIDATE must be left
2655 clear. */
2657 /* Compute the size of the source string including the terminating
2658 nul if its known to be nul-terminated. */
2660 {
2662 {
2666 }
2667 else
2669 }
2672 }
2673 else
2677 {
2680 }
2682 /* If the length argument was computed from strlen(S) for some string
2683 S retrieve the strinfo index for the string (PSS->FIRST) alonng with
2684 the location of the strlen() call (PSS->SECOND). */
2687 {
2692 }
2694 /* Retrieve the strinfo data for the string S that LEN was computed
2695 from as some function F of strlen (S) (i.e., LEN need not be equal
2696 to strlen(S)). */
2706 /* When -Wstringop-truncation is set, try to determine truncation
2707 before diagnosing possible overflow. Truncation is implied by
2708 the LEN argument being equal to strlen(SRC), regardless of
2709 whether its value is known. Otherwise, issue the more generic
2710 -Wstringop-overflow which triggers for LEN arguments that in
2711 any meaningful way depend on strlen(SRC). */
2715 "%G%qD output truncated before terminating nul "
2721 "%G%qD specified bound depends on the length "
2725 {
2729 }
2730 }
2732 /* Handle a memcpy-like ({mem{,p}cpy,__mem{,p}cpy_chk}) call.
2733 If strlen of the second argument is known and length of the third argument
2734 is that plus one, strlen of the first argument is the same after this
2735 call. */
2737 static void
2739 {
2766 {
2769 /* Handle memcpy (x, y, l) where l's relationship with strlen (y)
2770 is known. */
2776 {
2778 {
2779 /* Copying LEN nonzero characters, where LEN is constant. */
2782 }
2783 else
2784 {
2785 /* Copying the whole of the analyzed part of SI. */
2788 }
2789 }
2790 else
2791 {
2802 /* Copying variable-length string SI (and no more). */
2805 }
2806 }
2807 else
2808 {
2810 /* Handle memcpy (x, "abcd", 5) or
2811 memcpy (x, "abc\0uvw", 7). */
2819 }
2822 && olddsi
2826 {
2827 /* The SRC substring being written strictly overlaps
2828 a subsequence of the existing string OLDDSI. */
2831 }
2837 {
2841 }
2844 {
2849 /* Break the chain, so adjust_related_strinfo on later pointers in
2850 the chain won't adjust this one anymore. */
2854 }
2855 else
2856 {
2860 }
2864 {
2868 ;
2875 oldlen));
2878 else
2880 }
2881 /* memcpy src may not overlap dst, so src doesn't need to be
2882 invalidated either. */
2887 {
2890 {
2893 /* Allow adjust_last_stmt to decrease this memcpy's size. */
2905 }
2906 }
2907 }
2909 /* Handle a strcat-like ({strcat,__strcat_chk}) call.
2910 If strlen of the second argument is known, strlen of the first argument
2911 is increased by the length of the second argument. Furthermore, attempt
2912 to convert it to memcpy/strcpy if the length of the first argument
2913 is known. */
2915 static void
2917 {
2928 /* Bail if the source is the same as destination. It will be diagnosed
2929 elsewhere. */
2949 {
2953 }
2955 /* Set the no-warning bit on the transformed statement? */
2959 {
2960 {
2961 /* The concatenation always involves copying at least one byte
2962 (the terminating nul), even if the source string is empty.
2963 If the source is unknown assume it's one character long and
2964 used that as both sizes. */
2967 {
2970 }
2975 {
2978 }
2979 }
2981 /* strcat (p, q) can be transformed into
2982 tmp = p + strlen (p); endptr = stpcpy (tmp, q);
2983 with length endptr - p if we need to compute the length
2984 later on. Don't do this transformation if we don't need
2985 it. */
2987 {
2989 {
2993 }
2995 {
2999 }
3000 else
3001 {
3007 }
3011 }
3013 }
3024 {
3031 }
3032 else
3033 {
3038 }
3041 /* strcat src may not overlap dst, so src doesn't need to be
3042 invalidated either. */
3045 /* For now. Could remove the lhs from the call and add
3046 lhs = dst; afterwards. */
3053 {
3057 else
3063 else
3069 }
3075 {
3078 /* Compute the size of the source sequence, including the nul. */
3086 {
3089 }
3090 }
3094 {
3102 GSI_SAME_STMT);
3103 }
3106 else
3111 GSI_SAME_STMT);
3113 {
3118 GSI_SAME_STMT);
3119 }
3121 {
3124 }
3128 else
3132 {
3136 {
3139 }
3140 /* If srclen == NULL, note that current string length can be
3141 computed by transforming this strcpy into stpcpy. */
3146 {
3150 }
3151 }
3157 }
3159 /* Handle a call to malloc or calloc. */
3161 static void
3163 {
3181 }
3183 /* Handle a call to memset.
3184 After a call to calloc, memset(,0,) is unnecessary.
3185 memset(malloc(n),0,n) is calloc(n,1).
3186 return true when the call is transfomred, false otherwise. */
3188 static bool
3190 {
3213 {
3220 }
3221 else
3226 {
3229 }
3230 else
3231 {
3234 }
3237 }
3239 /* Return a pointer to the first such equality expression if RES is used
3240 only in expressions testing its equality to zero, and null otherwise. */
3244 {
3247 use_operand_p use_p;
3248 imm_use_iterator iter;
3251 {
3257 {
3260 {
3266 }
3268 {
3271 }
3272 else
3274 }
3276 {
3281 }
3282 else
3287 }
3290 }
3292 /* Handle a call to memcmp. We try to handle small comparisons by
3293 converting them to load and compare, and replacing the call to memcmp
3294 with a __builtin_memcmp_eq call where possible.
3295 return true when call is transformed, return false otherwise. */
3297 static bool
3299 {
3314 {
3319 scalar_int_mode mode;
3322 {
3340 boolean_type_node,
3344 }
3345 }
3349 }
3351 /* Given an index to the strinfo vector, compute the string length
3352 for the corresponding string. Return -1 when unknown. */
3354 static HOST_WIDE_INT
3356 {
3365 {
3369 }
3375 }
3377 /* Determine the minimum size of the object referenced by DEST expression
3378 which must have a pointer type.
3379 Return the minimum size of the object if successful or HWI_M1U when
3380 the size cannot be determined. */
3382 static unsigned HOST_WIDE_INT
3384 {
3390 /* Try to determine the size of the object through the RHS
3391 of the assign statement. */
3393 {
3404 }
3406 /* Try to determine the size of the object from its type. */
3416 /* The size of a flexible array cannot be determined. Otherwise,
3417 for arrays with more than one element, return the size of its
3418 type. GCC itself misuses arrays of both zero and one elements
3419 as flexible array members so they are excluded as well. */
3422 {
3428 }
3431 }
3433 /* Given strinfo IDX for ARG, set LENRNG[] to the range of lengths
3434 of the string(s) referenced by ARG if it can be determined.
3435 If the length cannot be determined, set *SIZE to the size of
3436 the array the string is stored in, if any. If no such array is
3437 known, set *SIZE to -1. When the strings are nul-terminated set
3438 *NULTERM to true, otherwise to false. Return true on success. */
3440 static bool
3443 {
3444 /* Set so that both LEN and ~LEN are invalid lengths, i.e.,
3445 maximum possible length + 1. */
3451 {
3452 /* IDX is the inverted constant string length. */
3456 }
3460 {
3464 {
3467 /* Set the upper bound only if the string is known to be
3468 nul-terminated, otherwise leave it at maximum + 1. */
3471 }
3473 {
3477 {
3481 }
3482 }
3485 }
3488 {
3489 /* Compute the minimum and maximum real or possible lengths. */
3490 c_strlen_data lendata = { };
3492 {
3494 {
3498 }
3500 {
3501 /* Set *SIZE to the conservative LENDATA.MAXBOUND which
3502 is a conservative estimate of the longest string based
3503 on the sizes of the arrays referenced by ARG. */
3506 }
3507 }
3508 else
3509 {
3510 /* Set *SIZE to the size of the smallest object referenced
3511 by ARG if ARG denotes a single object, or to HWI_M1U
3512 otherwise. */
3515 }
3516 }
3519 }
3521 /* If IDX1 and IDX2 refer to strings A and B of unequal lengths, return
3522 the result of 0 == strncmp (A, B, BOUND) (which is the same as strcmp
3523 for a sufficiently large BOUND). If the result is based on the length
3524 of one string being greater than the longest string that would fit in
3525 the array pointer to by the argument, set *PLEN and *PSIZE to
3526 the corresponding length (or its complement when the string is known
3527 to be at least as long and need not be nul-terminated) and size.
3528 Otherwise return null. */
3530 static tree
3534 {
3535 /* Determine the range the length of each string is in and whether it's
3536 known to be nul-terminated, or the size of the array it's stored in. */
3544 /* BOUND is set to HWI_M1U for strcmp and less to strncmp, and LENiRNG
3545 to HWI_MAX when invalid. Adjust the length of each string to consider
3546 to be no more than BOUND. */
3556 /* Two empty strings are equal. */
3560 /* The strings are definitely unequal when the lower bound of the length
3561 of one of them is greater than the length of the longest string that
3562 would fit into the other array. */
3567 {
3570 /* Set LEN[0] to the lower bound of ARG1's length when it's
3571 nul-terminated or to the complement of its minimum length
3572 otherwise, */
3575 }
3581 {
3586 }
3588 /* The strings are also definitely unequal when their lengths are unequal
3589 and at least one is nul-terminated. */
3594 {
3597 else
3603 }
3605 /* The string lengths may be equal or unequal. Even when equal and
3606 both strings nul-terminated, without the string contents there's
3607 no way to determine whether they are equal. */
3609 }
3611 /* Diagnose pointless calls to strcmp or strncmp STMT with string
3612 arguments of lengths LEN or size SIZ and (for strncmp) BOUND,
3613 whose result is used in equality expressions that evaluate to
3614 a constant due to one argument being longer than the size of
3615 the other. */
3617 static void
3621 {
3628 /* Excessive LEN[i] indicates a lower bound. */
3630 {
3633 }
3636 {
3639 }
3643 /* FIXME: Include a note pointing to the declaration of the smaller
3644 array. */
3650 (at_least
3657 {
3660 "%G%qD of strings of length %wu and %wu "
3663 else
3665 "%G%qD of a string of length %wu, an array "
3666 "of size %wu and bound of %wu evaluates to "
3669 }
3672 {
3676 }
3677 }
3680 /* Optimize a call to strcmp or strncmp either by folding it to a constant
3681 when possible or by transforming the latter to the former. Warn about
3682 calls where the length of one argument is greater than the size of
3683 the array to which the other argument points if the latter's length
3684 is not known. Return true when the call has been transformed into
3685 another and false otherwise. */
3687 static bool
3689 {
3701 /* For strncmp set to the the value of the third argument if known. */
3704 /* Extract the strncmp bound. */
3706 {
3711 /* If the bound argument is NOT known, do nothing. */
3714 }
3716 {
3717 /* Set to the length of one argument (or its complement if it's
3718 the lower bound of a range) and the size of the array storing
3719 the other if the result is based on the former being equal to
3720 or greater than the latter. */
3724 /* Try to determine if the two strings are either definitely equal
3725 or definitely unequal and if so, either fold the result to zero
3726 (when equal) or set the range of the result to ~[0, 0] otherwise. */
3729 {
3731 {
3734 /* When the lengths of the first two string arguments are
3735 known to be unequal set the range of the result to non-zero.
3736 This allows the call to be eliminated if its result is only
3737 used in tests for equality to zero. */
3741 }
3742 /* When the two strings are definitely equal (such as when they
3743 are both empty) fold the call to the constant result. */
3746 }
3747 }
3749 /* Return if nothing is known about the strings pointed to by ARG1
3750 and ARG2. */
3754 /* Determine either the length or the size of each of the strings,
3755 whichever is available. */
3761 else
3764 /* Bail if neither the string length nor the size of the array
3765 it is stored in can be determined. */
3769 /* Repeat for the second argument. */
3772 else
3778 /* The exact number of characters to compare. */
3780 /* The size of the array in which the unknown string is stored. */
3784 {
3785 /* If the known length is less than the size of the other array
3786 and the strcmp result is only used to test equality to zero,
3787 transform the call to the equivalent _eq call. */
3790 {
3794 }
3795 }
3798 }
3800 /* Handle a POINTER_PLUS_EXPR statement.
3801 For p = "abcd" + 2; compute associated length, or if
3802 p = q + off is pointing to a '\0' character of a string, call
3803 zero_length_string on it. */
3805 static void
3807 {
3817 {
3824 }
3835 {
3842 }
3847 {
3848 enum tree_code rhs_code
3854 }
3855 }
3857 /* Describes recursion limits used by count_nonzero_bytes. */
3859 class ssa_name_limit_t
3860 {
3864 /* Not copyable or assignable. */
3877 {
3880 }
3881 };
3883 /* If the SSA_NAME has already been "seen" return a positive value.
3884 Otherwise add it to VISITED. If the SSA_NAME limit has been
3885 reached, return a negative value. Otherwise return zero. */
3888 {
3892 /* Return a positive value if SSA_NAME has already been visited. */
3896 /* Return a negative value to let caller avoid recursing beyond
3897 the specified limit. */
3904 }
3906 /* Determines the minimum and maximum number of leading non-zero bytes
3907 in the representation of EXP and set LENRANGE[0] and LENRANGE[1]
3908 to each. Sets LENRANGE[2] to the total number of bytes in
3909 the representation. Sets *NULTREM if the representation contains
3910 a zero byte, and sets *ALLNUL if all the bytes are zero.
3911 OFFSET and NBYTES are the offset into the representation and
3912 the size of the access to it determined from a MEM_REF or zero
3913 for other expressions.
3914 Avoid recursing deeper than the limits in SNLIM allow.
3915 Returns true on success and false otherwise. */
3917 static bool
3922 {
3925 {
3927 /* FIXME: Handle non-constant lengths in some range. */
3948 /* Since only the length of the string are known and
3949 its contents, clear ALLNUL and ALLNONNUL purely on
3950 the basis of the length. */
3953 else
3956 }
3962 {
3963 /* Handle a single-character specially. */
3969 {
3970 /* If the character EXP is known to be non-zero (even if its
3971 exact value is not known) recurse once to set the range
3972 for an arbitrary constant. */
3976 }
3980 {
3984 }
3986 {
3987 /* Avoid processing an SSA_NAME that has already been visited
3988 or if an SSA_NAME limit has been reached. Indicate success
3989 if the former and failure if the latter. */
3993 /* Determine the minimum and maximum from the PHI arguments. */
3996 {
4001 }
4004 }
4005 }
4008 {
4027 /* The size of the MEM_REF access determines the number of bytes. */
4031 else
4034 /* Handle MEM_REF = SSA_NAME types of assignments. */
4037 }
4040 {
4044 }
4048 {
4054 /* If NBYTES hasn't been determined earlier from MEM_REF,
4055 set it here. It includes all internal nuls, including
4056 the terminating one if the string has one. */
4060 }
4064 {
4065 /* If the pointer to representation hasn't been set above
4066 for STRING_CST point it at the buffer. */
4068 /* Try to extract the representation of the constant object
4069 or expression starting from the offset. */
4072 {
4073 /* This should only happen when REPSIZE is zero because EXP
4074 doesn't denote an object with a known initializer, except
4075 perhaps when the reference reads past its end. */
4078 }
4083 }
4088 /* Compute the number of leading nonzero bytes in the representation
4089 and update the minimum and maximum. */
4097 /* Set the size of the representation. */
4101 /* Clear NULTERM if none of the bytes is zero. */
4106 {
4107 /* When the initial number of non-zero bytes N is non-zero, reset
4108 *ALLNUL; if N is less than that the size of the representation
4109 also clear *ALLNONNUL. */
4113 }
4115 {
4119 {
4120 /* When either ALLNUL is set and N is zero, also determine
4121 whether all subsequent bytes after the first one (which
4122 is nul) are zero or nonzero and clear ALLNUL if not. */
4125 {
4128 }
4129 }
4130 }
4133 }
4135 /* Same as above except with an implicit SSA_NAME limit. */
4137 static bool
4140 {
4141 /* Set to optimistic values so the caller doesn't have to worry about
4142 initializing these and to what. On success, the function will clear
4143 these if it determines their values are different but being recursive
4144 it never sets either to true. On failure, their values are
4145 unspecified. */
4150 ssa_name_limit_t snlim;
4152 snlim);
4153 }
4155 /* Handle a single or multibyte store other than by a built-in function,
4156 either via a single character assignment or by multi-byte assignment
4157 either via MEM_REF or via a type other than char (such as in
4158 '*(int*)a = 12345'). Return true when handled. */
4160 static bool
4162 {
4169 /* The offset of the first byte in LHS modified by the the store. */
4174 {
4177 {
4178 /* Get the strinfo for the base, and use it if it starts with at
4179 least OFFSET nonzero characters. This is trivially true if
4180 OFFSET is zero. */
4189 }
4190 }
4191 else
4192 {
4196 }
4198 /* Minimum and maximum leading non-zero bytes and the size of the store. */
4201 /* Set to the minimum length of the string being assigned if known. */
4204 /* STORING_NONZERO_P is true iff not all stored characters are zero.
4205 STORING_ALL_NONZERO_P is true if all stored characters are zero.
4206 STORING_ALL_ZEROS_P is true iff all stored characters are zero.
4207 Both are false when it's impossible to determine which is true. */
4211 /* FULL_STRING_P is set when the stored sequence of characters form
4212 a nul-terminated string. */
4215 const bool ranges_valid
4219 {
4223 /* Avoid issuing multiple warnings for the same LHS or statement.
4224 For example, -Warray-bounds may have already been issued for
4225 an out-of-bounds subscript. */
4227 {
4228 /* Set to the declaration referenced by LHS (if known). */
4232 {
4233 /* Fall back on the LHS location if the statement
4234 doesn't have one. */
4244 {
4249 }
4250 }
4251 }
4252 }
4253 else
4254 {
4260 }
4263 {
4264 /* The corresponding element is set to 1 if the first and last
4265 element, respectively, of the sequence of characters being
4266 written over the string described by SI ends before
4267 the terminating nul (if it has one), to zero if the nul is
4268 being overwritten but not beyond, or negative otherwise. */
4271 {
4272 /* The offset of the last stored byte. */
4277 else
4279 }
4280 else
4281 {
4285 }
4291 {
4292 /* When overwriting a '\0' with a '\0', the store can be removed
4293 if we know it has been stored in the current function. */
4295 {
4300 }
4301 else
4302 {
4306 }
4307 }
4310 && storing_nonzero_p
4314 {
4315 /* Handle a store of one or more non-nul characters that ends
4316 before the terminating nul of the destination and so does
4317 not affect its length
4318 If si->nonzero_chars > OFFSET, we aren't overwriting '\0',
4319 and if we aren't storing '\0', we know that the length of
4320 the string and any other zero terminated string in memory
4321 remains the same. In that case we move to the next gimple
4322 statement and return to signal the caller that it shouldn't
4323 invalidate anything.
4325 This is benefical for cases like:
4327 char p[20];
4328 void foo (char *q)
4329 {
4330 strcpy (p, "foobar");
4331 size_t len = strlen (p); // can be folded to 6
4332 size_t len2 = strlen (q); // has to be computed
4333 p[0] = 'X';
4334 size_t len3 = strlen (p); // can be folded to 6
4335 size_t len4 = strlen (q); // can be folded to len2
4336 bar (len, len2, len3, len4);
4337 } */
4340 }
4343 || storing_nonzero_p
4345 {
4346 /* When STORING_NONZERO_P, we know that the string will start
4347 with at least OFFSET + 1 nonzero characters. If storing
4348 a single character, set si->NONZERO_CHARS to the result.
4349 If storing multiple characters, try to determine the number
4350 of leading non-zero characters and set si->NONZERO_CHARS to
4351 the result instead.
4353 When STORING_ALL_ZEROS_P, we know that the string is now
4354 OFFSET characters long.
4356 Otherwise, we're storing an unknown value at offset OFFSET,
4357 so need to clip the nonzero_chars to OFFSET.
4358 Use the minimum length of the string (or individual character)
4359 being stored if it's known. Otherwise, STORING_NONZERO_P
4360 guarantees it's at least 1. */
4361 HOST_WIDE_INT len
4366 /* We're overwriting the nul terminator with a nonzero or
4367 unknown character. If the previous stmt was a memcpy,
4368 its length may be decreased. */
4372 {
4375 }
4376 else
4379 /* Set FULL_STRING_P only if the length of the strings being
4380 written is the same, and clear it if the strings have
4381 different lengths. In the latter case the length stored
4382 in si->NONZERO_CHARS becomes the lower bound.
4383 FIXME: Handle the upper bound of the length if possible. */
4387 && ssaname
4390 else
4397 {
4401 }
4402 else
4404 }
4405 }
4407 {
4410 else
4413 {
4416 HOST_WIDE_INT slen;
4420 {
4421 /* FIXME: Handle the upper bound of the length when
4422 LENRANGE[0] != LENRANGE[1]. */
4425 /* Set the minimum length but ignore the maximum
4426 for now. */
4428 }
4429 else
4433 ? size_zero_node
4438 && ssaname
4443 }
4444 }
4449 {
4452 {
4455 {
4458 full_string_p);
4461 }
4462 }
4463 }
4466 {
4467 /* Allow adjust_last_stmt to remove it if the stored '\0'
4468 is immediately overwritten. */
4472 }
4474 }
4476 /* Try to fold strstr (s, t) eq/ne s to strncmp (s, t, strlen (t)) eq/ne 0. */
4478 static void
4480 {
4487 {
4492 {
4495 }
4497 }
4500 {
4504 {
4510 {
4513 else
4514 {
4518 }
4519 }
4522 {
4527 {
4530 arg1_len);
4533 }
4545 {
4547 {
4551 }
4552 else
4553 {
4556 }
4557 }
4558 else
4559 {
4563 }
4565 }
4566 }
4567 }
4568 }
4570 /* Return true if TYPE corresponds to a narrow character type. */
4572 static bool
4574 {
4578 }
4580 /* Check the built-in call at GSI for validity and optimize it.
4581 Return true to let the caller advance *GSI to the statement
4582 in the CFG and false otherwise. */
4584 static bool
4587 {
4591 || !strlen_optimize
4593 {
4594 /* When not optimizing we must be checking printf calls which
4595 we do even for user-defined functions when they are declared
4596 with attribute format. */
4599 }
4603 {
4660 }
4663 }
4665 /* Handle an assignment statement at *GSI to a LHS of integral type.
4666 If GSI's basic block needs clean-up of EH, set *CLEANUP_EH to true. */
4668 static void
4670 {
4677 {
4684 }
4694 {
4700 {
4703 {
4711 else
4712 /* This case is not useful. See if get_addr_stridx
4713 returns something usable. */
4715 }
4716 }
4720 {
4725 {
4730 {
4732 {
4735 }
4737 /* Reading the final '\0' character. */
4741 *cleanup_eh
4748 {
4751 }
4752 }
4754 {
4755 /* Reading a character before the final '\0'
4756 character. Just set the value range to ~[0, 0]
4757 if we don't have anything better. */
4768 }
4769 }
4770 }
4771 }
4774 {
4778 }
4779 }
4781 /* Attempt to check for validity of the performed access a single statement
4782 at *GSI using string length knowledge, and to optimize it.
4783 If the given basic block needs clean-up of EH, CLEANUP_EH is set to
4784 true. */
4786 static bool
4789 {
4793 {
4796 }
4800 {
4801 /* Handle non-clobbering assignment. */
4806 {
4810 {
4813 }
4816 }
4818 /* Handle assignment to a character. */
4821 {
4828 {
4829 /* To consider stores into char objects via integer types
4830 other than char but not those to non-character objects,
4831 determine the type of the destination rather than just
4832 the type of the access. */
4841 }
4843 /* Handle a single or multibyte assignment. */
4846 }
4847 }
4849 {
4854 }
4859 }
4861 /* Recursively call maybe_invalidate on stmts that might be executed
4862 in between dombb and current bb and that contain a vdef. Stop when
4863 *count stmts are inspected, or if the whole strinfo vector has
4864 been invalidated. */
4866 static void
4868 {
4872 {
4882 {
4884 {
4889 }
4893 {
4896 }
4900 {
4907 }
4908 }
4909 }
4910 }
4913 {
4919 {}
4924 /* EVRP analyzer used for printf argument range processing, and
4925 to track strlen results across integer variable assignments. */
4926 evrp_range_analyzer evrp;
4928 /* Flag that will trigger TODO_cleanup_cfg to be returned in strlen
4929 execute function. */
4931 };
4933 /* Callback for walk_dominator_tree. Attempt to optimize various
4934 string ops by remembering string lengths pointed by pointer SSA_NAMEs. */
4936 edge
4938 {
4945 else
4946 {
4949 {
4952 {
4955 {
4961 {
4962 /* If there were too many vdefs in between immediate
4963 dominator and current bb, invalidate everything.
4964 If stridx_to_strinfo has been unshared, we need
4965 to free it, otherwise just set it to NULL. */
4967 {
4974 {
4977 }
4978 }
4979 else
4981 }
4983 }
4984 }
4985 }
4986 }
4988 /* If all PHI arguments have the same string index, the PHI result
4989 has it as well. */
4992 {
4996 {
4999 {
5006 }
5007 }
5008 }
5012 /* Attempt to optimize individual statements. */
5014 {
5017 /* First record ranges generated by this statement so they
5018 can be used by printf argument processing. */
5023 }
5032 }
5034 /* Callback for walk_dominator_tree. Free strinfo vector if it is
5035 owned by the current bb, clear bb->aux. */
5037 void
5039 {
5043 {
5047 {
5054 }
5056 }
5057 }
5061 static unsigned int
5063 {
5070 {
5073 }
5079 /* This has to happen after initializing the loop optimizer
5080 and initializing SCEV as they create new SSA_NAMEs. */
5084 /* String length optimization is implemented as a walk of the dominator
5085 tree and a forward walk of statements within each block. */
5092 {
5096 }
5102 {
5106 }
5109 {
5112 }
5114 /* Clean up object size info. */
5118 }
5120 /* This file defines two passes: one for warnings that runs only when
5121 optimization is disabled, and another that implements optimizations
5122 and also issues warnings. */
5125 {
5130 /* Normally an optimization pass would require PROP_ssa but because
5131 this pass runs early, with no optimization, to do sprintf format
5132 checking, it only requires PROP_cfg. */
5138 };
5141 {
5145 {}
5149 {
5151 }
5152 };
5155 /* Return true to run the warning pass only when not optimizing and
5156 iff either -Wformat-overflow or -Wformat-truncation is specified. */
5158 bool
5160 {
5162 }
5165 {
5175 };
5178 {
5182 {}
5188 {
5190 }
5191 };
5193 /* Return true to run the pass only when the sprintf and/or strlen
5194 optimizations are enabled and -Wformat-overflow or -Wformat-truncation
5195 are specified. */
5197 bool
5199 {
5205 }
5209 gimple_opt_pass *
5211 {
5213 }
5215 gimple_opt_pass *
5217 {
5219 }