]> git.ipfire.org Git - thirdparty/gcc.git/blame - gcc/analyzer/ChangeLog
projects / thirdparty / gcc.git / blame
? search:
summary | shortlog | log | commit | commitdiff | tree
blob | blame (incremental) | history | HEAD
analyzer: add sarif properties for bounds checking diagnostics
[thirdparty/gcc.git] / gcc / analyzer / ChangeLog
CommitLineData
f998335a
GA		 12023-12-14 David Malcolm <dmalcolm@redhat.com>
2
3 PR analyzer/112655
4 * infinite-loop.cc (infinite_loop::infinite_loop): Pass eedges
5 via rvalue reference rather than by value.
6 (starts_infinite_loop_p): Move eedges when constructing an
7 infinite_loop instance.
8 * sm-file.cc (fileptr_state_machine::fileptr_state_machine): Use
9 initializer list for states.
10 * sm-sensitive.cc
11 (sensitive_state_machine::sensitive_state_machine): Likewise.
12 * sm-signal.cc (signal_state_machine::signal_state_machine):
13 Likewise.
14 * sm-taint.cc (taint_state_machine::taint_state_machine):
15 Likewise.
16 * varargs.cc (va_list_state_machine::va_list_state_machine): Likewise.
17
d5c96225
GA		 182023-12-11 David Malcolm <dmalcolm@redhat.com>
19
20 PR analyzer/112955
21 * engine.cc (feasibility_state::feasibility_state): Initialize
22 m_snodes_visited.
23
242023-12-11 Andrew Pinski <apinski@marvell.com>
25
26 * region-model-manager.cc (maybe_undo_optimize_bit_field_compare): Remove
27 the check for type being unsigned_char_type_node.
28
dd3b75d8
GA		 292023-12-08 David Malcolm <dmalcolm@redhat.com>
30
31 * sm-taint.cc (taint_state_machine::alt_get_inherited_state): Fix
32 handling of TRUNC_MOD_EXPR.
33
342023-12-08 David Malcolm <dmalcolm@redhat.com>
35
36 * region-model.cc (contains_uninit_p): Only check for
37 svalues that the infoleak warning can handle.
38
392023-12-08 David Malcolm <dmalcolm@redhat.com>
40
41 PR analyzer/112889
42 * store.h (concrete_binding::concrete_binding): Strengthen
43 assertion to require size to be be positive, rather than just
44 non-zero.
45 (concrete_binding::mark_deleted): Use size rather than start bit
46 offset.
47 (concrete_binding::mark_empty): Likewise.
48 (concrete_binding::is_deleted): Likewise.
49 (concrete_binding::is_empty): Likewise.
50
08f89e5e
GA		 512023-12-07 Alexandre Oliva <oliva@adacore.com>
52
53 * region-model.cc (has_nondefault_case_for_value_p): Take
54 enumerate type as a parameter.
55 (region_model::apply_constraints_for_gswitch): Cope with
56 integral promotion type casts.
57
582023-12-07 David Malcolm <dmalcolm@redhat.com>
59
60 PR analyzer/103546
61 PR analyzer/112850
62 * analyzer.opt (-param=analyzer-max-svalue-depth=): Increase from
63 12 to 18.
64 (Wanalyzer-symbol-too-complex): New.
65 * diagnostic-manager.cc
66 (null_assignment_sm_context::clear_all_per_svalue_state): New.
67 * engine.cc (impl_sm_context::clear_all_per_svalue_state): New.
68 * program-state.cc (sm_state_map::clear_all_per_svalue_state):
69 New.
70 * program-state.h (sm_state_map::clear_all_per_svalue_state): New
71 decl.
72 * region-model-manager.cc
73 (region_model_manager::reject_if_too_complex): Add
74 -Wanalyzer-symbol-too-complex.
75 * sm-taint.cc (taint_state_machine::on_condition): Handle
76 comparisons against UNKNOWN.
77 * sm.h (sm_context::clear_all_per_svalue_state): New.
78
ae9e48e5
GA		 792023-12-06 David Malcolm <dmalcolm@redhat.com>
80
81 * engine.cc (dump_analyzer_json): Use
82 flag_diagnostics_json_formatting.
83
2e0f3f97
GA		 842023-12-01 David Malcolm <dmalcolm@redhat.com>
85
86 * analyzer.h (class saved_diagnostic): New forward decl.
87 * bounds-checking.cc: Update for changes to
88 pending_diagnostic::emit.
89 * call-details.cc: Likewise.
90 * diagnostic-manager.cc: Include "diagnostic-format-sarif.h".
91 (saved_diagnostic::maybe_add_sarif_properties): New.
92 (class pending_diagnostic_metadata): New.
93 (diagnostic_manager::emit_saved_diagnostic): Create a
94 pending_diagnostic_metadata and a diagnostic_emission_context.
95 Pass the latter to the pending_diagnostic::emit vfunc.
96 * diagnostic-manager.h
97 (saved_diagnostic::maybe_add_sarif_properties): New decl.
98 * engine.cc: Update for changes to pending_diagnostic::emit.
99 * infinite-loop.cc: Likewise.
100 * infinite-recursion.cc: Likewise.
101 * kf-analyzer.cc: Likewise.
102 * kf.cc: Likewise.
103 * pending-diagnostic.cc
104 (diagnostic_emission_context::get_pending_diagnostic): New.
105 (diagnostic_emission_context::warn): New.
106 (diagnostic_emission_context::inform): New.
107 * pending-diagnostic.h (class diagnostic_emission_context): New.
108 (pending_diagnostic::emit): Update params.
109 (pending_diagnostic::maybe_add_sarif_properties): New vfunc.
110 * region.cc: Don't include "diagnostic-metadata.h".
111 * region-model.cc: Include "diagnostic-format-sarif.h". Update
112 for changes to pending_diagnostic::emit.
113 (exposure_through_uninit_copy::maybe_add_sarif_properties): New.
114 * sm-fd.cc: Update for changes to pending_diagnostic::emit.
115 * sm-file.cc: Likewise.
116 * sm-malloc.cc: Likewise.
117 * sm-pattern-test.cc: Likewise.
118 * sm-sensitive.cc: Likewise.
119 * sm-signal.cc: Likewise.
120 * sm-taint.cc: Likewise.
121 * store.cc: Don't include "diagnostic-metadata.h".
122 * varargs.cc: Update for changes to pending_diagnostic::emit.
123
b54b3800
GA		 1242023-11-19 David Malcolm <dmalcolm@redhat.com>
125
126 * analyzer.h: Include "rich-location.h".
127
1282023-11-19 David Malcolm <dmalcolm@redhat.com>
129
130 PR analyzer/107573
131 * analyzer.h (register_known_functions): Add region_model_manager
132 param.
133 * analyzer.opt (Wanalyzer-undefined-behavior-strtok): New.
134 * call-summary.cc
135 (call_summary_replay::convert_region_from_summary_1): Handle
136 RK_PRIVATE.
137 * engine.cc (impl_run_checkers): Pass model manager to
138 register_known_functions.
139 * kf.cc (class undefined_function_behavior): New.
140 (class kf_strtok): New.
141 (register_known_functions): Add region_model_manager param.
142 Use it to register "strtok".
143 * region-model-manager.cc
144 (region_model_manager::get_or_create_conjured_svalue): Add "idx"
145 param.
146 * region-model-manager.h
147 (region_model_manager::get_or_create_conjured_svalue): Add "idx"
148 param.
149 (region_model_manager::get_root_region): New accessor.
150 * region-model.cc (region_model::scan_for_null_terminator): Handle
151 "expr" being null.
152 (region_model::get_representative_path_var_1): Handle RK_PRIVATE.
153 * region-model.h (region_model::called_from_main_p): Make public.
154 * region.cc (region::get_memory_space): Handle RK_PRIVATE.
155 (region::can_have_initial_svalue_p): Handle MEMSPACE_PRIVATE.
156 (private_region::dump_to_pp): New.
157 * region.h (MEMSPACE_PRIVATE): New.
158 (RK_PRIVATE): New.
159 (class private_region): New.
160 (is_a_helper <const private_region *>::test): New.
161 * store.cc (store::replay_call_summary_cluster): Handle
162 RK_PRIVATE.
163 * svalue.h (struct conjured_svalue::key_t): Add "idx" param to
164 ctor and "m_idx" field.
165 (class conjured_svalue::conjured_svalue): Likewise.
166
9d58d2d8
GA		 1672023-11-18 David Malcolm <dmalcolm@redhat.com>
168
169 PR analyzer/106147
170 * analyzer.opt (Wanalyzer-infinite-loop): New option.
171 (fdump-analyzer-infinite-loop): New option.
172 * checker-event.h (start_cfg_edge_event::get_desc): Drop "final".
173 (start_cfg_edge_event::maybe_describe_condition): Convert from
174 private to protected.
175 * checker-path.h (checker_path::get_logger): New.
176 * diagnostic-manager.cc (process_worklist_item): Update for
177 new context param of maybe_update_for_edge.
178 * engine.cc
179 (impl_region_model_context::impl_region_model_context): Add
180 out_could_have_done_work param to both ctors and use it to
181 initialize mm_out_could_have_done_work.
182 (impl_region_model_context::maybe_did_work): New vfunc
183 implementation.
184 (exploded_node::on_stmt): Add out_could_have_done_work param and
185 pass to ctxt ctor.
186 (exploded_node::on_stmt_pre): Treat setjmp and longjmp as "doing
187 work".
188 (exploded_node::on_longjmp): Likewise.
189 (exploded_edge::exploded_edge): Add "could_do_work" param and use
190 it to initialize m_could_do_work_p.
191 (exploded_edge::dump_dot_label): Add result of could_do_work_p.
192 (exploded_graph::add_function_entry): Mark edge as doing no work.
193 (exploded_graph::add_edge): Add "could_do_work" param and pass to
194 exploded_edge ctor.
195 (add_tainted_args_callback): Treat as doing no work.
196 (exploded_graph::process_worklist): Likewise when merging nodes.
197 (maybe_process_run_of_before_supernode_enodes::item): Likewise.
198 (exploded_graph::maybe_create_dynamic_call): Likewise.
199 (exploded_graph::process_node): Likewise for phi nodes.
200 Pass in a "could_have_done_work" bool when handling stmts and use
201 when creating edges. Assume work is done at bifurcation.
202 (exploded_path::feasible_p): Update for new context param of
203 maybe_update_for_edge.
204 (feasibility_state::feasibility_state): New ctor.
205 (feasibility_state::operator=): New.
206 (feasibility_state::maybe_update_for_edge): Add ctxt param and use
207 it. Fix missing newline when logging state.
208 (impl_run_checkers): Call exploded_graph::detect_infinite_loops.
209 * exploded-graph.h
210 (impl_region_model_context::impl_region_model_context): Add
211 out_could_have_done_work param to both ctors.
212 (impl_region_model_context::maybe_did_work): New decl.
213 (impl_region_model_context::checking_for_infinite_loop_p): New.
214 (impl_region_model_context::on_unusable_in_infinite_loop): New.
215 (impl_region_model_context::m_out_could_have_done_work): New
216 field.
217 (exploded_node::on_stmt): Add "out_could_have_done_work" param.
218 (exploded_edge::exploded_edge): Add "could_do_work" param.
219 (exploded_edge::could_do_work_p): New accessor.
220 (exploded_edge::m_could_do_work_p): New field.
221 (exploded_graph::add_edge): Add "could_do_work" param.
222 (exploded_graph::detect_infinite_loops): New decl.
223 (feasibility_state::feasibility_state): New ctor.
224 (feasibility_state::operator=): New decl.
225 (feasibility_state::maybe_update_for_edge): Add ctxt param.
226 * infinite-loop.cc: New file.
227 * program-state.cc (program_state::on_edge): Log the rejected
228 constraint when region_model::maybe_update_for_edge fails.
229 * region-model.cc (region_model::on_assignment): Treat any writes
230 other than to the stack as "doing work".
231 (region_model::on_stmt_pre): Treat all asm stmts as "doing work".
232 (region_model::on_call_post): Likewise for all calls to functions
233 with unknown side effects.
234 (region_model::handle_phi): Add svals_changing_meaning param.
235 Mark widening svalue in phi nodes as changing meaning.
236 (unusable_in_infinite_loop_constraint_p): New.
237 (region_model::add_constraint): If we're checking for an infinite
238 loop, bail out on unusable svalues, or if we don't have a definite
239 true/false for the constraint.
240 (region_model::update_for_phis): Gather all svalues changing
241 meaning in phi nodes, and purge constraints involving them.
242 (region_model::replay_call_summary): Treat all call summaries as
243 doing work.
244 (region_model::can_merge_with_p): Purge constraints involving
245 svalues that change meaning.
246 (model_merger::on_widening_reuse): New.
247 (test_iteration_1): Likewise.
248 (selftest::test_iteration_1): Remove assertion that model6 "knows"
249 that i < 157.
250 * region-model.h (region_model::handle_phi): Add
251 svals_changing_meaning param
252 (region_model_context::maybe_did_work): New pure virtual func.
253 (region_model_context::checking_for_infinite_loop_p): Likewise.
254 (region_model_context::on_unusable_in_infinite_loop): Likewise.
255 (noop_region_model_context::maybe_did_work): Implement.
256 (noop_region_model_context::checking_for_infinite_loop_p):
257 Likewise.
258 (noop_region_model_context::on_unusable_in_infinite_loop):
259 Likewise.
260 (region_model_context_decorator::maybe_did_work): Implement.
261 (region_model_context_decorator::checking_for_infinite_loop_p):
262 Likewise.
263 (region_model_context_decorator::on_unusable_in_infinite_loop):
264 Likewise.
265 (model_merger::on_widening_reuse): New decl.
266 (model_merger::m_svals_changing_meaning): New field.
267 * sm-signal.cc (register_signal_handler::impl_transition): Assume
268 the edge "does work".
269 * supergraph.cc (supernode::get_start_location): Use CFG edge's
270 goto_locus if available.
271 (supernode::get_end_location): Likewise.
272 (cfg_superedge::dump_label_to_pp): Dump edges with a "goto_locus"
273 * supergraph.h (cfg_superedge::get_goto_locus): New.
274 * svalue.cc (svalue::can_merge_p): Call on_widening_reuse for
275 widening values.
276 (involvement_visitor::visit_widening_svalue): New.
277 (svalue::involves_p): Update assertion to allow widening svalues.
278
eaedb56a
GA		 2792023-11-14 David Malcolm <dmalcolm@redhat.com>
280
281 PR analyzer/103533
282 * sm-taint.cc: Remove "experimental" from comment.
283 * sm.cc (make_checkers): Always add taint state machine.
284
eb4e1b62
GA		 2852023-11-04 David Malcolm <dmalcolm@redhat.com>
286
287 * bounds-checking.cc: Update for changes to diagnostic_context.
288
9daed0b5
GA		 2892023-11-02 David Malcolm <dmalcolm@redhat.com>
290
291 PR analyzer/112317
292 * access-diagram.cc (class x_aligned_x_ruler_widget): Eliminate
293 unused field "m_col_widths".
294 (access_diagram_impl::add_valid_vs_invalid_ruler): Update for
295 above change.
296 * region-model.cc
297 (check_one_function_attr_null_terminated_string_arg): Remove
298 unused variables "cd_unchecked", "strlen_sval", and
299 "limited_sval".
300 * region-model.h (region_model_context_decorator::warn): Add
301 missing "override".
302
eac0917b
GA		 3032023-10-31 David Malcolm <dmalcolm@redhat.com>
304
305 * record-layout.cc: New file, based on material in region-model.cc.
306 * record-layout.h: Likewise.
307 * region-model.cc: Include "analyzer/record-layout.h".
308 (class record_layout): Move to record-layout.cc and .h
309
ecca503b
GA		 3102023-10-26 David Malcolm <dmalcolm@redhat.com>
311
312 * region-model.cc
313 (region_model::check_external_function_for_access_attr): Split
314 out, replacing with...
315 (region_model::check_function_attr_access): ...this new function
316 and...
317 (region_model::check_function_attrs): ...this new function.
318 (region_model::check_one_function_attr_null_terminated_string_arg):
319 New.
320 (region_model::check_function_attr_null_terminated_string_arg):
321 New.
322 (region_model::handle_unrecognized_call): Update for renaming of
323 check_external_function_for_access_attr to check_function_attrs.
324 (region_model::check_for_null_terminated_string_arg): Add return
325 value to one overload. Make both overloads const.
326 * region-model.h: Include "stringpool.h" and "attribs.h".
327 (region_model::check_for_null_terminated_string_arg): Add return
328 value to one overload. Make both overloads const.
329 (region_model::check_external_function_for_access_attr): Delete
330 decl.
331 (region_model::check_function_attr_access): New decl.
332 (region_model::check_function_attr_null_terminated_string_arg):
333 New decl.
334 (region_model::check_one_function_attr_null_terminated_string_arg):
335 New decl.
336 (region_model::check_function_attrs): New decl.
337
fb124f2a
GA		 3382023-10-09 David Malcolm <dmalcolm@redhat.com>
339
340 * access-diagram.cc (boundaries::add): Explicitly state
341 "boundaries::" scope for "kind" enum.
342
00c67d62
GA		 3432023-10-08 David Malcolm <dmalcolm@redhat.com>
344
345 PR analyzer/111155
346 * access-diagram.cc (boundaries::boundaries): Add logger param
347 (boundaries::add): Add logging.
348 (boundaries::get_hard_boundaries_in_range): New.
349 (boundaries::m_logger): New field.
350 (boundaries::get_table_x_for_offset): Make public.
351 (class svalue_spatial_item): New.
352 (class compound_svalue_spatial_item): New.
353 (add_ellipsis_to_gaps): New.
354 (valid_region_spatial_item::valid_region_spatial_item): Add theme
355 param. Initialize m_boundaries, m_existing_sval, and
356 m_existing_sval_spatial_item.
357 (valid_region_spatial_item::add_boundaries): Set m_boundaries.
358 Add boundaries for any m_existing_sval_spatial_item.
359 (valid_region_spatial_item::add_array_elements_to_table): Rewrite
360 creation of min/max index in terms of
361 maybe_add_array_index_to_table. Rewrite ellipsis code using
362 add_ellipsis_to_gaps. Add index values for any hard boundaries
363 within the valid region.
364 (valid_region_spatial_item::maybe_add_array_index_to_table): New,
365 based on code formerly in add_array_elements_to_table.
366 (valid_region_spatial_item::make_table): Make use of
367 m_existing_sval_spatial_item, if any.
368 (valid_region_spatial_item::m_boundaries): New field.
369 (valid_region_spatial_item::m_existing_sval): New field.
370 (valid_region_spatial_item::m_existing_sval_spatial_item): New
371 field.
372 (class svalue_spatial_item): Rename to...
373 (class written_svalue_spatial_item): ...this.
374 (class string_region_spatial_item): Rename to..
375 (class string_literal_spatial_item): ...this. Add "kind".
376 (string_literal_spatial_item::add_boundaries): Use m_kind to
377 determine kind of boundary. Update for renaming of m_actual_bits
378 to m_bits.
379 (string_literal_spatial_item::make_table): Likewise. Support not
380 displaying a row for byte indexes, and not displaying a row for
381 the type.
382 (string_literal_spatial_item::add_column_for_byte): Make byte index
383 row optional.
384 (svalue_spatial_item::make): Convert to...
385 (make_written_svalue_spatial_item): ...this.
386 (make_existing_svalue_spatial_item): New.
387 (access_diagram_impl::access_diagram_impl): Pass theme to
388 m_valid_region_spatial_item ctor. Update for renaming of
389 m_svalue_spatial_item.
390 (access_diagram_impl::find_boundaries): Pass logger to boundaries.
391 Update for renaming of...
392 (access_diagram_impl::m_svalue_spatial_item): Rename to...
393 (access_diagram_impl::m_written_svalue_spatial_item): ...this.
394
96557ee6
GA		 3952023-10-03 David Malcolm <dmalcolm@redhat.com>
396
397 * analyzer-logging.cc (logger::log_va_partial): Use text_info
398 ctor.
399 * analyzer.cc (make_label_text): Likewise.
400 (make_label_text_n): Likewise.
401 * pending-diagnostic.cc (evdesc::event_desc::formatted_print):
402 Likewise.
403
41d1c9a9
GA		 4042023-10-02 David Malcolm <dmalcolm@redhat.com>
405
406 * program-point.cc: Update for grouping of source printing fields
407 within diagnostic_context.
408
37bbfd1c
GA		 4092023-09-15 David Malcolm <dmalcolm@redhat.com>
410
411 * analyzer.cc (get_stmt_location): Handle null stmt.
412 * diagnostic-manager.cc (saved_diagnostic::saved_diagnostic): Copy
413 m_loc from ploc.
414 (saved_diagnostic::operator==): Compare m_loc.
415 (saved_diagnostic::calc_best_epath): Only use m_stmt_finder if
416 m_loc is unknown.
417 (dedupe_key::dedupe_key): Initialize m_loc.
418 (dedupe_key::operator==): Compare m_loc.
419 (dedupe_key::get_location): Use m_loc if it's known.
420 (dedupe_key::m_loc): New field.
421 (diagnostic_manager::emit_saved_diagnostic): Only call
422 get_emission_location if m_loc is unknown, preferring to use m_loc
423 if it's available.
424 * diagnostic-manager.h (saved_diagnostic::m_loc): New field.
425 (pending_location::pending_location): Initialize m_loc. Add
426 overload taking a location_t rather than a stmt/stmt_finder.
427 (pending_location::m_loc): New field.
428
4292023-09-15 David Malcolm <dmalcolm@redhat.com>
430
431 * analyzer.h (struct pending_location): New forward decl.
432 * diagnostic-manager.cc (saved_diagnostic::saved_diagnostic):
433 Replace params "enode", "snode", "stmt", and "stmt_finder" with
434 "ploc".
435 (diagnostic_manager::add_diagnostic): Likewise for both overloads.
436 * diagnostic-manager.h (saved_diagnostic::saved_diagnostic):
437 Likewise.
438 (struct pending_location): New.
439 (diagnostic_manager::add_diagnostic): Replace params "enode",
440 "snode", "stmt", and "stmt_finder" with "ploc".
441 * engine.cc (impl_region_model_context::warn): Update call to
442 add_diagnostic for above change.
443 (impl_sm_context::warn): Likewise.
444 (impl_region_model_context::on_state_leak): Likewise.
445 * infinite-recursion.cc
446 (exploded_graph::detect_infinite_recursion): Likewise.
447
4482023-09-15 David Malcolm <dmalcolm@redhat.com>
449
450 * region-model.cc (region_model::get_gassign_result): Handle
451 volatile ops by using a conjured_svalue.
452
05cb8730
GA		 4532023-09-14 David Malcolm <dmalcolm@redhat.com>
454
455 * checker-event.h (checker_event::get_thread_id): New.
456 * checker-path.h (class checker_path): Implement thread-related
457 vfuncs via a single simple_diagnostic_thread instance named
458 "main".
459
4602023-09-14 David Malcolm <dmalcolm@redhat.com>
461
462 * diagnostic-manager.cc (compatible_epath_p): Fix missing return.
463
4642023-09-14 David Malcolm <dmalcolm@redhat.com>
465
466 * diagnostic-manager.cc (process_worklist_item): Use
467 std::unique_ptr rather than plain rejected_constraint *.
468 * engine.cc (exploded_path::feasible_p): Likewise.
469 (feasibility_state::maybe_update_for_edge): Likewise.
470 * exploded-graph.h (feasibility_problem::feasibility_problem):
471 Likewise.
472 (feasibility_problem::~feasibility_problem): Delete.
473 (feasibility_problem::m_rc): Use std::unique_ptr.
474 (feasibility_state::maybe_update_for_edge): Likewise.
475 * feasible-graph.cc (feasible_graph::add_feasibility_problem):
476 Likewise.
477 * feasible-graph.h (class infeasible_node): Likewise.
478 (feasible_graph::add_feasibility_problem): Likewise.
479 * region-model.cc (region_model::add_constraint): Likewise.
480 (region_model::maybe_update_for_edge): Likewise.
481 (region_model::apply_constraints_for_gcond): Likewise.
482 (region_model::apply_constraints_for_gswitch): Likewise.
483 (region_model::apply_constraints_for_exception): Likewise.
484 * region-model.h (class region_model): Likewise for decls.
485
a467cfd0
GA		 4862023-09-09 benjamin priour <vultkayn@gcc.gnu.org>
487
488 PR analyzer/96395
489 * region-model.cc
490 (region_model::add_constraints_from_binop): binop_svalues around
491 LT_EXPR, LE_EXPR, GT_EXPR, GE_EXPR are now unwrapped.
492
109c11f6
GA		 4932023-09-07 David Malcolm <dmalcolm@redhat.com>
494
495 PR analyzer/110529
496 * program-point.cc (program_point::on_edge): Don't reject
497 EDGE_ABNORMAL for computed gotos.
498 * region-model.cc (region_model::maybe_update_for_edge): Handle
499 computed goto statements.
500 (region_model::apply_constraints_for_ggoto): New.
501 * region-model.h (region_model::apply_constraints_for_ggoto): New decl.
502 * supergraph.cc (supernode::get_label): New.
503 * supergraph.h (supernode::get_label): New decl.
504
5052023-09-07 benjamin priour <vultkayn@gcc.gnu.org>
506 David Malcolm <dmalcolm@redhat.com>
507
508 PR analyzer/110830
509 * diagnostic-manager.cc
510 (compatible_epaths_p): New function.
511 (saved_diagnostic::supercedes_p): Now calls the above
512 to determine if the diagnostics do overlap and the superseding
513 may proceed.
514
5152023-09-07 David Malcolm <dmalcolm@redhat.com>
516
517 * region-model.h: fix -Wunused-parameter warnings
518
a134b6ce
GA		 5192023-09-06 David Malcolm <dmalcolm@redhat.com>
520
521 PR analyzer/105899
522 * kf.cc (class kf_strstr): New.
523 (kf_strstr::impl_call_post): New.
524 (register_known_functions): Register it.
525
5262023-09-06 David Malcolm <dmalcolm@redhat.com>
527
528 PR analyzer/105899
529 * kf.cc (class kf_strncpy): New.
530 (kf_strncpy::impl_call_post): New.
531 (register_known_functions): Register it.
532 * region-model.cc (region_model::read_bytes): Handle unknown
533 number of bytes.
534
5352023-09-06 David Malcolm <dmalcolm@redhat.com>
536
537 * kf.cc (kf_calloc::impl_call_pre): Pass ctxt to zero_fill_region.
538 (kf_memset::impl_call_pre): Move responsibility for calling
539 check_region_for_write to fill_region.
540 * region-model.cc (region_model::on_assignment): Pass ctxt to
541 zero_fill_region.
542 (region_model::fill_region): Add "ctxt" param, using it to call
543 check_region_for_write.
544 (region_model::zero_fill_region): Likewise.
545 * region-model.h (region_model::fill_region): Add "ctxt" param.
546 (region_model::zero_fill_region): Likewise.
547
80907b03
GA		 5482023-09-01 benjamin priour <priour.be@gmail.com>
549
550 PR analyzer/105948
551 PR analyzer/94355
552 * analyzer.h (is_placement_new_p): New declaration.
553 * call-details.cc
554 (call_details::deref_ptr_arg): New function.
555 Dereference the argument at given index if possible.
556 * call-details.h: Declaration of the above function.
557 * kf-lang-cp.cc (is_placement_new_p): Returns true if the gcall
558 is recognized as a placement new.
559 (kf_operator_delete::impl_call_post): Unbinding a region and its
560 descendents now poisons with POISON_KIND_DELETED.
561 (register_known_functions_lang_cp): Known function "operator
562 delete" is now registered only once independently of its number of
563 arguments.
564 * region-model.cc (region_model::eval_condition): Now
565 recursively calls itself if any of the operand is wrapped in a
566 cast.
567 * sm-malloc.cc (malloc_state_machine::on_stmt):
568 Add placement new recognition.
569 * svalue.cc (poison_kind_to_str): Wording for the new PK.
570 * svalue.h (enum poison_kind): Add value POISON_KIND_DELETED.
571
65c36ecc
GA		 5722023-08-31 Francois-Xavier Coudert <fxcoudert@gcc.gnu.org>
573
574 * kf.cc: Change spelling to macOS.
575
ffb8568a
GA		 5762023-08-30 Eric Feng <ef2648@columbia.edu>
577
578 PR analyzer/107646
579 * engine.cc (impl_region_model_context::warn): New optional
580 parameter.
581 * exploded-graph.h (class impl_region_model_context): Likewise.
582 * region-model.cc (region_model::pop_frame): New callback
583 feature for region_model::pop_frame.
584 * region-model.h (struct append_regions_cb_data): Likewise.
585 (class region_model): Likewise.
586 (class region_model_context): New optional parameter.
587 (class region_model_context_decorator): Likewise.
588
5892023-08-30 Francois-Xavier Coudert <fxcoudert@gcc.gnu.org>
590
591 * region-model.cc: Define INCLUDE_ALGORITHM.
592
ded52c9f
GA		 5932023-08-29 David Malcolm <dmalcolm@redhat.com>
594
595 PR analyzer/99860
596 * analyzer-selftests.cc (selftest::run_analyzer_selftests): Call
597 selftest::analyzer_ranges_cc_tests.
598 * analyzer-selftests.h (selftest::run_analyzer_selftests): New
599 decl.
600 * analyzer.opt (Wanalyzer-overlapping-buffers): New option.
601 * call-details.cc: Include "analyzer/ranges.h" and "make-unique.h".
602 (class overlapping_buffers): New.
603 (call_details::complain_about_overlap): New.
604 * call-details.h (call_details::complain_about_overlap): New decl.
605 * kf.cc (kf_memcpy_memmove::impl_call_pre): Call
606 cd.complain_about_overlap for memcpy and memcpy_chk.
607 (kf_strcat::impl_call_pre): Call cd.complain_about_overlap.
608 (kf_strcpy::impl_call_pre): Likewise.
609 * ranges.cc: New file.
610 * ranges.h: New file.
611
6122023-08-29 David Malcolm <dmalcolm@redhat.com>
613
614 PR analyzer/105899
615 * kf.cc (kf_strdup::impl_call_pre): Set size of
616 dynamically-allocated buffer. Simulate copying the string from
617 the source region to the new buffer.
618
9cc55211
GA		 6192023-08-27 benjamin priour <vultkayn@gcc.gnu.org>
620
621 PR analyzer/96395
622 * analyzer.h (class known_function): Add virtual casts
623 to builtin_known_function.
624 (class builtin_known_function): New subclass of known_function
625 for builtins.
626 * kf.cc (class kf_alloca): Now derived from
627 builtin_known_function.
628 (class kf_calloc): Likewise.
629 (class kf_free): Likewise.
630 (class kf_malloc): Likewise.
631 (class kf_memcpy_memmove): Likewise.
632 (class kf_memset): Likewise.
633 (class kf_realloc): Likewise.
634 (class kf_strchr): Likewise.
635 (class kf_sprintf): Likewise.
636 (class kf_strcat): Likewise.
637 (class kf_strcpy): Likewise.
638 (class kf_strdup): Likewise.
639 (class kf_strlen): Likewise.
640 (class kf_strndup): Likewise.
641 (register_known_functions): Builtins are now registered as
642 known_functions by name rather than by their BUILTIN_CODE.
643 * known-function-manager.cc (get_normal_builtin): New overload.
644 * known-function-manager.h: New overload declaration.
645 * region-model.cc (region_model::get_builtin_kf): New function.
646 * region-model.h (class region_model): Add declaration of
647 get_builtin_kf.
648 * sm-fd.cc: For called recognized as builtins, use the
649 attributes of that builtin as defined in gcc/builtins.def
650 rather than the user's.
651 * sm-malloc.cc (malloc_state_machine::on_stmt): Likewise.
652
b8863640
GA		 6532023-08-25 David Malcolm <dmalcolm@redhat.com>
654
655 * access-diagram.cc (class string_region_spatial_item): Remove
656 assumption that the string is written to the start of the cluster.
657
6d47c9b4
GA		 6582023-08-24 David Malcolm <dmalcolm@redhat.com>
659
660 PR analyzer/105899
661 * call-details.cc
662 (call_details::check_for_null_terminated_string_arg): Split into
663 overloads, one taking just an arg_idx, the other a new
664 "include_terminator" param.
665 * call-details.h: Likewise.
666 * kf.cc (class kf_strcat): New.
667 (kf_strcpy::impl_call_pre): Update for change to
668 check_for_null_terminated_string_arg.
669 (register_known_functions): Register kf_strcat.
670 * region-model.cc
671 (region_model::check_for_null_terminated_string_arg): Split into
672 overloads, one taking just an arg_idx, the other a new
673 "include_terminator" param. When returning an svalue, handle
674 "include_terminator" being false by subtracting one.
675 * region-model.h
676 (region_model::check_for_null_terminated_string_arg): Split into
677 overloads, one taking just an arg_idx, the other a new
678 "include_terminator" param.
679
6802023-08-24 David Malcolm <dmalcolm@redhat.com>
681
682 PR analyzer/105899
683 * region-model.cc (fragment::has_null_terminator): Handle
684 SK_BITS_WITHIN.
685
6862023-08-24 David Malcolm <dmalcolm@redhat.com>
687
688 PR analyzer/105899
689 * region-model-manager.cc
690 (region_model_manager::get_or_create_initial_value): Simplify
691 INIT_VAL(ELEMENT_REG(STRING_REG), CONSTANT_SVAL) to
692 CONSTANT_SVAL(STRING[N]).
693
6942023-08-24 David Malcolm <dmalcolm@redhat.com>
695
696 PR analyzer/105899
697 * region-model.cc (fragment::has_null_terminator): Move STRING_CST
698 handling to fragment::string_cst_has_null_terminator; also use it to
699 handle INIT_VAL(STRING_REG).
700 (fragment::string_cst_has_null_terminator): New, from above.
701
7022023-08-24 David Malcolm <dmalcolm@redhat.com>
703
704 * kf.cc (kf_memcpy_memmove::impl_call_pre): Reimplement using
705 region_model::copy_bytes.
706 * region-model.cc (region_model::read_bytes): New.
707 (region_model::copy_bytes): New.
708 * region-model.h (region_model::read_bytes): New decl.
709 (region_model::copy_bytes): New decl.
710
7112023-08-24 David Malcolm <dmalcolm@redhat.com>
712
713 PR analyzer/105899
714 * region-model.cc (region_model::get_string_size): Delete both.
715 * region-model.h (region_model::get_string_size): Delete both
716 decls.
717
7182023-08-24 David Malcolm <dmalcolm@redhat.com>
719
720 PR analyzer/105899
721 * kf.cc (kf_strcpy::impl_call_pre): Reimplement using
722 check_for_null_terminated_string_arg.
723 * region-model.cc (region_model::get_store_bytes): Shortcut
724 reading all of a string_region.
725 (region_model::scan_for_null_terminator): Use get_store_value for
726 the bytes rather than "unknown" when returning an unknown length.
727 (region_model::write_bytes): New.
728 * region-model.h (region_model::write_bytes): New decl.
729
7302023-08-24 David Malcolm <dmalcolm@redhat.com>
731
732 PR analyzer/105899
733 * region-model.cc (iterable_cluster::iterable_cluster): Add
734 symbolic binding keys to m_symbolic_bindings.
735 (iterable_cluster::has_symbolic_bindings_p): New.
736 (iterable_cluster::m_symbolic_bindings): New field.
737 (region_model::scan_for_null_terminator): Treat clusters with
738 symbolic bindings as having unknown strlen.
739
7402023-08-24 David Malcolm <dmalcolm@redhat.com>
741
742 * engine.cc (impl_path_context::impl_path_context): Add logger
743 param.
744 (impl_path_context::bifurcate): Add log message.
745 (impl_path_context::terminate_path): Likewise.
746 (impl_path_context::m_logger): New field.
747 (exploded_graph::process_node): Pass logger to path_ctxt ctor.
748
6cd85273
GA		 7492023-08-22 David Malcolm <dmalcolm@redhat.com>
750
751 PR analyzer/105899
752 * kf-analyzer.cc (class kf_analyzer_get_strlen): Move to kf.cc.
753 (register_known_analyzer_functions): Use make_kf_strlen.
754 * kf.cc (class kf_strlen::impl_call_pre): Replace with
755 implementation of kf_analyzer_get_strlen from kf-analyzer.cc.
756 Handle "UNKNOWN" return from check_for_null_terminated_string_arg
757 by falling back to a conjured svalue.
758 (make_kf_strlen): New.
759 (register_known_functions): Use make_kf_strlen.
760 * known-function-manager.h (make_kf_strlen): New decl.
761
7622023-08-22 David Malcolm <dmalcolm@redhat.com>
763
764 PR analyzer/105899
765 * call-details.cc (call_details::call_details): New ctor.
766 * call-details.h (call_details::call_details): New ctor decl.
767 (struct call_arg_details): Move here from region-model.cc.
768 * region-model.cc (region_model::check_call_format_attr): New.
769 (region_model::check_call_args): Call it.
770 (struct call_arg_details): Move it to call-details.h.
771 * region-model.h (region_model::check_call_format_attr): New decl.
772
7732023-08-22 David Malcolm <dmalcolm@redhat.com>
774
775 * kf.cc (class kf_fopen): New.
776 (register_known_functions): Register it.
777
7782023-08-22 David Malcolm <dmalcolm@redhat.com>
779
780 PR analyzer/105899
781 * analyzer.opt (Wanalyzer-unterminated-string): Delete.
782 * call-details.cc
783 (call_details::check_for_null_terminated_string_arg): Convert
784 return type from void to const svalue *. Add param "out_sval".
785 * call-details.h
786 (call_details::check_for_null_terminated_string_arg): Likewise.
787 * kf-analyzer.cc (kf_analyzer_get_strlen::impl_call_pre): Wire up
788 to result of check_for_null_terminated_string_arg.
789 * region-model.cc (get_strlen): Delete.
790 (class unterminated_string_arg): Delete.
791 (struct fragment): New.
792 (class iterable_cluster): New.
793 (region_model::get_store_bytes): New.
794 (get_tree_for_byte_offset): New.
795 (region_model::scan_for_null_terminator): New.
796 (region_model::check_for_null_terminated_string_arg): Convert
797 return type from void to const svalue *. Add param "out_sval".
798 Reimplement in terms of scan_for_null_terminator, dropping the
799 special-case for -Wanalyzer-unterminated-string.
800 * region-model.h (region_model::get_store_bytes): New decl.
801 (region_model::scan_for_null_terminator): New decl.
802 (region_model::check_for_null_terminated_string_arg): Convert
803 return type from void to const svalue *. Add param "out_sval".
804 * store.cc (concrete_binding::get_byte_range): New.
805 * store.h (concrete_binding::get_byte_range): New decl.
806 (store_manager::get_concrete_binding): New overload.
807
8082023-08-22 David Malcolm <dmalcolm@redhat.com>
809
810 * region-model.cc (region_model_context_decorator::add_event):
811 Handle m_inner being NULL.
812 * region-model.h (class region_model_context_decorator): Likewise.
813 (annotating_context::warn): Likewise.
814
8152023-08-22 David Malcolm <dmalcolm@redhat.com>
816
817 * diagnostic-manager.cc (saved_diagnostic::add_event): New.
818 (saved_diagnostic::add_any_saved_events): New.
819 (diagnostic_manager::add_event): New.
820 (dedupe_winners::emit_best): New.
821 (diagnostic_manager::emit_saved_diagnostic): Make "sd" param
822 non-const. Call saved_diagnostic::add_any_saved_events.
823 * diagnostic-manager.h (saved_diagnostic::add_event): New decl.
824 (saved_diagnostic::add_any_saved_events): New decl.
825 (saved_diagnostic::m_saved_events): New field.
826 (diagnostic_manager::add_event): New decl.
827 (diagnostic_manager::emit_saved_diagnostic): Make "sd" param
828 non-const.
829 * engine.cc (impl_region_model_context::add_event): New.
830 * exploded-graph.h (impl_region_model_context::add_event): New decl.
831 * region-model.cc
832 (noop_region_model_context::add_event): New.
833 (region_model_context_decorator::add_event): New.
834 * region-model.h (region_model_context::add_event): New vfunc.
835 (noop_region_model_context::add_event): New decl.
836 (region_model_context_decorator::add_event): New decl.
837
8382023-08-22 David Malcolm <dmalcolm@redhat.com>
839
840 * region-model.cc
841 (class check_external_function_for_access_attr::annotating_ctxt):
842 Convert to an annotating_context.
843 * region-model.h (class note_adding_context): Rename to...
844 (class annotating_context): ...this, updating the "warn" method.
845 (note_adding_context::make_note): Replace with...
846 (annotating_context::add_annotations): ...this.
847
3cc78cf2
GA		 8482023-08-14 benjamin priour <vultkayn@gcc.gnu.org>
849
850 PR analyzer/110543
851 * analyzer.opt: Add new option.
852 * diagnostic-manager.cc
853 (diagnostic_manager::prune_path): Call prune_system_headers.
854 (prune_frame): New function that deletes all events in a frame.
855 (diagnostic_manager::prune_system_headers): New function.
856 * diagnostic-manager.h: Add prune_system_headers declaration.
857
886afed6
GA		 8582023-08-11 David Malcolm <dmalcolm@redhat.com>
859
860 PR analyzer/105899
861 * analyzer.opt (Wanalyzer-unterminated-string): New.
862 * call-details.cc
863 (call_details::check_for_null_terminated_string_arg): New.
864 * call-details.h
865 (call_details::check_for_null_terminated_string_arg): New decl.
866 * kf-analyzer.cc (class kf_analyzer_get_strlen): New.
867 (register_known_analyzer_functions): Register it.
868 * kf.cc (kf_error::impl_call_pre): Check that format arg is a
869 valid null-terminated string.
870 (kf_putenv::impl_call_pre): Likewise for the sole param.
871 (kf_strchr::impl_call_pre): Likewise for the first param.
872 (kf_strcpy::impl_call_pre): Likewise for the second param.
873 (kf_strdup::impl_call_pre): Likewise for the sole param.
874 * region-model.cc (get_strlen): New.
875 (struct call_arg_details): New.
876 (inform_about_expected_null_terminated_string_arg): New.
877 (class unterminated_string_arg): New.
878 (region_model::check_for_null_terminated_string_arg): New.
879 * region-model.h
880 (region_model::check_for_null_terminated_string_arg): New decl.
881
8822023-08-11 Eric Feng <ef2648@columbia.edu>
883
884 PR analyzer/107646
885 * call-details.h: New function.
886 * region-model.cc (region_model::get_or_create_region_for_heap_alloc):
887 New optional parameters.
888 * region-model.h (class region_model): New optional parameters.
889 * sm-malloc.cc (on_realloc_with_move): New function.
890 (region_model::transition_ptr_sval_non_null): New function.
891
9b099a83
GA		 8922023-08-09 David Malcolm <dmalcolm@redhat.com>
893
894 * analyzer.h (class pure_known_function_with_default_return): New
895 subclass.
896 * call-details.cc (const_fn_p): Move here from region-model.cc.
897 (maybe_get_const_fn_result): Likewise.
898 (get_result_size_in_bytes): Likewise.
899 (call_details::set_any_lhs_with_defaults): New function, based on
900 code in region_model::on_call_pre.
901 * call-details.h (call_details::set_any_lhs_with_defaults): New
902 decl.
903 * diagnostic-manager.cc
904 (diagnostic_manager::emit_saved_diagnostic): Log the index of the
905 saved_diagnostic.
906 * kf.cc (pure_known_function_with_default_return::impl_call_pre):
907 New.
908 (kf_memset::impl_call_pre): Set the LHS to the first param.
909 (kf_putenv::impl_call_pre): Call cd.set_any_lhs_with_defaults.
910 (kf_sprintf::impl_call_pre): Call cd.set_any_lhs_with_defaults.
911 (class kf_stack_restore): Derive from
912 pure_known_function_with_default_return.
913 (class kf_stack_save): Likewise.
914 (kf_strlen::impl_call_pre): Call cd.set_any_lhs_with_defaults.
915 * region-model-reachability.cc (reachable_regions::handle_sval):
916 Remove logic for symbolic regions for pointers.
917 * region-model.cc (region_model::canonicalize): Remove purging of
918 dynamic extents workaround for surplus values from
919 region_model::on_call_pre's default LHS code.
920 (const_fn_p): Move to call-details.cc.
921 (maybe_get_const_fn_result): Likewise.
922 (get_result_size_in_bytes): Likewise.
923 (region_model::update_for_nonzero_return): Call
924 cd.set_any_lhs_with_defaults.
925 (region_model::on_call_pre): Remove the assignment to the LHS of a
926 default return value, instead requiring all known_function
927 implementations to write to any LHS of the call. Use
928 cd.set_any_lhs_with_defaults on the non-kf paths.
929 * sm-fd.cc (kf_socket::outcome_of_socket::update_model): Use
930 cd.set_any_lhs_with_defaults when failing to get at fd state.
931 (kf_bind::outcome_of_bind::update_model): Likewise.
932 (kf_listen::outcome_of_listen::update_model): Likewise.
933 (kf_accept::outcome_of_accept::update_model): Likewise.
934 (kf_connect::outcome_of_connect::update_model): Likewise.
935 (kf_read::impl_call_pre): Use cd.set_any_lhs_with_defaults.
936 * sm-file.cc (class kf_stdio_output_fn): Derive from
937 pure_known_function_with_default_return.
938 (class kf_ferror): Likewise.
939 (class kf_fileno): Likewise.
940 (kf_fgets::impl_call_pre): Use cd.set_any_lhs_with_defaults.
941 (kf_read::impl_call_pre): Likewise.
942 (class kf_getc): Derive from
943 pure_known_function_with_default_return.
944 (class kf_getchar): Likewise.
945 * varargs.cc (kf_va_arg::impl_call_pre): Use
946 cd.set_any_lhs_with_defaults.
947
5b42ee2c
GA		 9482023-08-04 David Malcolm <dmalcolm@redhat.com>
949
950 PR analyzer/110426
951 * bounds-checking.cc (region_model::check_region_bounds): Handle
952 symbolic base regions.
953 * call-details.cc: Include "stringpool.h" and "attribs.h".
954 (call_details::lookup_function_attribute): New function.
955 * call-details.h (call_details::lookup_function_attribute): New
956 function decl.
957 * region-model-manager.cc
958 (region_model_manager::maybe_fold_binop): Add reference to
959 PR analyzer/110902.
960 * region-model-reachability.cc (reachable_regions::handle_sval):
961 Add symbolic regions for pointers that are conjured svalues for
962 the LHS of a stmt.
963 * region-model.cc (region_model::canonicalize): Purge dynamic
964 extents for regions that aren't referenced.
965 (get_result_size_in_bytes): New function.
966 (region_model::on_call_pre): Use get_result_size_in_bytes and
967 potentially set the dynamic extents of the region pointed to by
968 the return value.
969 (region_model::deref_rvalue): Add param "add_nonnull_constraint"
970 and use it to conditionalize adding the constraint.
971 (pending_diagnostic_subclass::dubious_allocation_size): Add "stmt"
972 param to both ctors and use it to initialize new "m_stmt" field.
973 (pending_diagnostic_subclass::operator==): Use m_stmt; don't use
974 m_lhs or m_rhs.
975 (pending_diagnostic_subclass::m_stmt): New field.
976 (region_model::check_region_size): Generalize to any kind of
977 pointer svalue by using deref_rvalue rather than checking for
978 region_svalue. Pass stmt to dubious_allocation_size ctor.
979 * region-model.h (region_model::deref_rvalue): Add param
980 "add_nonnull_constraint".
981 * svalue.cc (conjured_svalue::lhs_value_p): New function.
982 * svalue.h (conjured_svalue::lhs_value_p): New decl.
983
9842023-08-04 David Malcolm <dmalcolm@redhat.com>
985
986 * svalue.cc (region_svalue::dump_to_pp): Support NULL type.
987 (constant_svalue::dump_to_pp): Likewise.
988 (initial_svalue::dump_to_pp): Likewise.
989 (conjured_svalue::dump_to_pp): Likewise. Fix missing print of the
990 type.
991
86fa4433
GA		 9922023-08-03 David Malcolm <dmalcolm@redhat.com>
993
994 PR analyzer/110882
995 * region.cc (int_size_in_bits): Fail on zero-sized types.
996
4297a08e
GA		 9972023-08-02 Eric Feng <ef2648@columbia.edu>
998
999 PR analyzer/107646
1000 * analyzer-language.cc (run_callbacks): New function.
1001 (on_finish_translation_unit): New function.
1002 * analyzer-language.h (GCC_ANALYZER_LANGUAGE_H): New include.
1003 (class translation_unit): New vfuncs.
1004
5278cd6a
GA		 10052023-07-26 David Malcolm <dmalcolm@redhat.com>
1006
1007 PR analyzer/104940
1008 * region-model-manager.cc
1009 (region_model_manager::region_model_manager): Update for
1010 generalizing region ids to also cover svalues.
1011 (region_model_manager::get_or_create_constant_svalue): Likewise.
1012 (region_model_manager::get_or_create_unknown_svalue): Likewise.
1013 (region_model_manager::create_unique_svalue): Likewise.
1014 (region_model_manager::get_or_create_initial_value): Likewise.
1015 (region_model_manager::get_or_create_setjmp_svalue): Likewise.
1016 (region_model_manager::get_or_create_poisoned_svalue): Likewise.
1017 (region_model_manager::get_ptr_svalue): Likewise.
1018 (region_model_manager::get_or_create_unaryop): Likewise.
1019 (region_model_manager::get_or_create_binop): Likewise.
1020 (region_model_manager::get_or_create_sub_svalue): Likewise.
1021 (region_model_manager::get_or_create_repeated_svalue): Likewise.
1022 (region_model_manager::get_or_create_bits_within): Likewise.
1023 (region_model_manager::get_or_create_unmergeable): Likewise.
1024 (region_model_manager::get_or_create_widening_svalue): Likewise.
1025 (region_model_manager::get_or_create_compound_svalue): Likewise.
1026 (region_model_manager::get_or_create_conjured_svalue): Likewise.
1027 (region_model_manager::get_or_create_asm_output_svalue): Likewise.
1028 (region_model_manager::get_or_create_const_fn_result_svalue):
1029 Likewise.
1030 (region_model_manager::get_region_for_fndecl): Likewise.
1031 (region_model_manager::get_region_for_label): Likewise.
1032 (region_model_manager::get_region_for_global): Likewise.
1033 (region_model_manager::get_field_region): Likewise.
1034 (region_model_manager::get_element_region): Likewise.
1035 (region_model_manager::get_offset_region): Likewise.
1036 (region_model_manager::get_sized_region): Likewise.
1037 (region_model_manager::get_cast_region): Likewise.
1038 (region_model_manager::get_frame_region): Likewise.
1039 (region_model_manager::get_symbolic_region): Likewise.
1040 (region_model_manager::get_region_for_string): Likewise.
1041 (region_model_manager::get_bit_range): Likewise.
1042 (region_model_manager::get_var_arg_region): Likewise.
1043 (region_model_manager::get_region_for_unexpected_tree_code):
1044 Likewise.
1045 (region_model_manager::get_or_create_region_for_heap_alloc):
1046 Likewise.
1047 (region_model_manager::create_region_for_alloca): Likewise.
1048 (region_model_manager::log_stats): Likewise.
1049 * region-model-manager.h (region_model_manager::get_num_regions):
1050 Replace with...
1051 (region_model_manager::get_num_symbols): ...this.
1052 (region_model_manager::alloc_region_id): Replace with...
1053 (region_model_manager::alloc_symbol_id): ...this.
1054 (region_model_manager::m_next_region_id): Replace with...
1055 (region_model_manager::m_next_symbol_id): ...this.
1056 * region-model.cc (selftest::test_get_representative_tree): Update
1057 for generalizing region ids to also cover svalues.
1058 (selftest::test_binop_svalue_folding): Likewise.
1059 (selftest::test_state_merging): Likewise.
1060 * region.cc (region::cmp_ids): Delete, in favor of
1061 symbol::cmp_ids.
1062 (region::region): Update for introduction of symbol base class.
1063 (frame_region::get_region_for_local): Likewise.
1064 (root_region::root_region): Likewise.
1065 (symbolic_region::symbolic_region): Likewise.
1066 * region.h: Replace include of "analyzer/complexity.h" with
1067 "analyzer/symbol.h".
1068 (class region): Make a subclass of symbol.
1069 (region::get_id): Delete in favor of symbol::get_id.
1070 (region::cmp_ids): Delete in favor of symbol::cmp_ids.
1071 (region::get_complexity): Delete in favor of
1072 symbol::get_complexity.
1073 (region::region): Use symbol::id_t for "id" param.
1074 (region::m_complexity): Move field to symbol base class.
1075 (region::m_id): Likewise.
1076 (space_region::space_region): Use symbol::id_t for "id" param.
1077 (frame_region::frame_region): Likewise.
1078 (globals_region::globals_region): Likewise.
1079 (code_region::code_region): Likewise.
1080 (function_region::function_region): Likewise.
1081 (label_region::label_region): Likewise.
1082 (stack_region::stack_region): Likewise.
1083 (heap_region::heap_region): Likewise.
1084 (thread_local_region::thread_local_region): Likewise.
1085 (root_region::root_region): Likewise.
1086 (symbolic_region::symbolic_region): Likewise.
1087 (decl_region::decl_region): Likewise.
1088 (field_region::field_region): Likewise.
1089 (element_region::element_region): Likewise.
1090 (offset_region::offset_region): Likewise.
1091 (sized_region::sized_region): Likewise.
1092 (cast_region::cast_region): Likewise.
1093 (heap_allocated_region::heap_allocated_region): Likewise.
1094 (alloca_region::alloca_region): Likewise.
1095 (string_region::string_region): Likewise.
1096 (bit_range_region::bit_range_region): Likewise.
1097 (var_arg_region::var_arg_region): Likewise.
1098 (errno_region::errno_region): Likewise.
1099 (unknown_region::unknown_region): Likewise.
1100 * svalue.cc (sub_svalue::sub_svalue): Add symbol::id_t param.
1101 (repeated_svalue::repeated_svalue): Likewise.
1102 (bits_within_svalue::bits_within_svalue): Likewise.
1103 (compound_svalue::compound_svalue): Likewise.
1104 * svalue.h: Replace include of "analyzer/complexity.h" with
1105 "analyzer/symbol.h".
1106 (class svalue): Make a subclass of symbol.
1107 (svalue::get_complexity): Delete in favor of
1108 symbol::get_complexity.
1109 (svalue::svalue): Add symbol::id_t param. Update for new base
1110 class.
1111 (svalue::m_complexity): Delete in favor of
1112 symbol::m_complexity.
1113 (region_svalue::region_svalue): Add symbol::id_t param
1114 (constant_svalue::constant_svalue): Likewise.
1115 (unknown_svalue::unknown_svalue): Likewise.
1116 (poisoned_svalue::poisoned_svalue): Likewise.
1117 (setjmp_svalue::setjmp_svalue): Likewise.
1118 (initial_svalue::initial_svalue): Likewise.
1119 (unaryop_svalue::unaryop_svalue): Likewise.
1120 (binop_svalue::binop_svalue): Likewise.
1121 (sub_svalue::sub_svalue): Likewise.
1122 (repeated_svalue::repeated_svalue): Likewise.
1123 (bits_within_svalue::bits_within_svalue): Likewise.
1124 (unmergeable_svalue::unmergeable_svalue): Likewise.
1125 (placeholder_svalue::placeholder_svalue): Likewise.
1126 (widening_svalue::widening_svalue): Likewise.
1127 (compound_svalue::compound_svalue): Likewise.
1128 (conjured_svalue::conjured_svalue): Likewise.
1129 (asm_output_svalue::asm_output_svalue): Likewise.
1130 (const_fn_result_svalue::const_fn_result_svalue): Likewise.
1131 * symbol.cc: New file.
1132 * symbol.h: New file.
1133
0ce63530
GA		 11342023-07-21 David Malcolm <dmalcolm@redhat.com>
1135
1136 PR analyzer/110455
1137 * region-model.cc (region_model::get_gassign_result): Only check
1138 for bad shift counts when dealing with an integral type.
1139
11402023-07-21 David Malcolm <dmalcolm@redhat.com>
1141
1142 PR analyzer/110433
1143 PR middle-end/110612
1144 * access-diagram.cc (class spatial_item): Add virtual dtor.
1145
11462023-07-21 David Malcolm <dmalcolm@redhat.com>
1147
1148 PR analyzer/110387
1149 * region.h (struct cast_region::key_t): Support "m_type" being
1150 null by using "m_original_region" for empty/deleted slots.
1151
49bed11d
GA		 11522023-07-19 David Malcolm <dmalcolm@redhat.com>
1153
1154 PR analyzer/110700
1155 * region-model-manager.cc
1156 (region_model_manager::get_or_create_int_cst): Assert that we have
1157 an integral or pointer type.
1158 * sm-taint.cc (taint_state_machine::check_for_tainted_divisor):
1159 Don't check non-integral types.
1160
14bfda60
GA		 11612023-06-29 benjamin priour <priour.be@gmail.com>
1162
1163 PR analyzer/110198
1164 * region-model-manager.cc
1165 (region_model_manager::get_or_create_initial_value): Take an
1166 optional boolean value to bypass poisoning checks
1167 * region-model-manager.h: Update declaration of the above function.
1168 * region-model.cc (region_model::get_store_value): No longer returns
1169 on OOB, but rather gives a boolean to get_or_create_initial_value.
1170 (region_model::check_region_access): Update docstring.
1171 (region_model::check_region_for_write): Update docstring.
1172
7b1076a5
GA		 11732023-06-24 David Malcolm <dmalcolm@redhat.com>
1174
1175 * access-diagram.cc: Add #define INCLUDE_VECTOR.
1176 * bounds-checking.cc: Likewise.
1177
270742ce
GA		 11782023-06-22 David Malcolm <dmalcolm@redhat.com>
1179
1180 PR analyzer/106626
1181 * access-diagram.cc: New file.
1182 * access-diagram.h: New file.
1183 * analyzer.h (class region_offset): Add default ctor.
1184 (region_offset::make_byte_offset): New decl.
1185 (region_offset::concrete_p): New.
1186 (region_offset::get_concrete_byte_offset): New.
1187 (region_offset::calc_symbolic_bit_offset): New decl.
1188 (region_offset::calc_symbolic_byte_offset): New decl.
1189 (region_offset::dump_to_pp): New decl.
1190 (region_offset::dump): New decl.
1191 (operator<, operator<=, operator>, operator>=): New decls for
1192 region_offset.
1193 * analyzer.opt
1194 (-param=analyzer-text-art-string-ellipsis-threshold=): New.
1195 (-param=analyzer-text-art-string-ellipsis-head-len=): New.
1196 (-param=analyzer-text-art-string-ellipsis-tail-len=): New.
1197 (-param=analyzer-text-art-ideal-canvas-width=): New.
1198 (fanalyzer-debug-text-art): New.
1199 * bounds-checking.cc: Include "intl.h", "diagnostic-diagram.h",
1200 and "analyzer/access-diagram.h".
1201 (class out_of_bounds::oob_region_creation_event_capacity): New.
1202 (out_of_bounds::out_of_bounds): Add "model" and "sval_hint"
1203 params.
1204 (out_of_bounds::mark_interesting_stuff): Use the base region.
1205 (out_of_bounds::add_region_creation_events): Use
1206 oob_region_creation_event_capacity.
1207 (out_of_bounds::get_dir): New pure vfunc.
1208 (out_of_bounds::maybe_show_notes): New.
1209 (out_of_bounds::maybe_show_diagram): New.
1210 (out_of_bounds::make_access_diagram): New.
1211 (out_of_bounds::m_model): New field.
1212 (out_of_bounds::m_sval_hint): New field.
1213 (out_of_bounds::m_region_creation_event_id): New field.
1214 (concrete_out_of_bounds::concrete_out_of_bounds): Update for new
1215 fields.
1216 (concrete_past_the_end::concrete_past_the_end): Likewise.
1217 (concrete_past_the_end::add_region_creation_events): Use
1218 oob_region_creation_event_capacity.
1219 (concrete_buffer_overflow::concrete_buffer_overflow): Update for
1220 new fields.
1221 (concrete_buffer_overflow::emit): Replace call to
1222 maybe_describe_array_bounds with maybe_show_notes.
1223 (concrete_buffer_overflow::get_dir): New.
1224 (concrete_buffer_over_read::concrete_buffer_over_read): Update for
1225 new fields.
1226 (concrete_buffer_over_read::emit): Replace call to
1227 maybe_describe_array_bounds with maybe_show_notes.
1228 (concrete_buffer_overflow::get_dir): New.
1229 (concrete_buffer_underwrite::concrete_buffer_underwrite): Update
1230 for new fields.
1231 (concrete_buffer_underwrite::emit): Replace call to
1232 maybe_describe_array_bounds with maybe_show_notes.
1233 (concrete_buffer_underwrite::get_dir): New.
1234 (concrete_buffer_under_read::concrete_buffer_under_read): Update
1235 for new fields.
1236 (concrete_buffer_under_read::emit): Replace call to
1237 maybe_describe_array_bounds with maybe_show_notes.
1238 (concrete_buffer_under_read::get_dir): New.
1239 (symbolic_past_the_end::symbolic_past_the_end): Update for new
1240 fields.
1241 (symbolic_buffer_overflow::symbolic_buffer_overflow): Likewise.
1242 (symbolic_buffer_overflow::emit): Call maybe_show_notes.
1243 (symbolic_buffer_overflow::get_dir): New.
1244 (symbolic_buffer_over_read::symbolic_buffer_over_read): Update for
1245 new fields.
1246 (symbolic_buffer_over_read::emit): Call maybe_show_notes.
1247 (symbolic_buffer_over_read::get_dir): New.
1248 (region_model::check_symbolic_bounds): Add "sval_hint" param. Pass
1249 it and sized_offset_reg to diagnostics.
1250 (region_model::check_region_bounds): Add "sval_hint" param, passing
1251 it to diagnostics.
1252 * diagnostic-manager.cc
1253 (diagnostic_manager::emit_saved_diagnostic): Pass logger to
1254 pending_diagnostic::emit.
1255 * engine.cc: Add logger param to pending_diagnostic::emit
1256 implementations.
1257 * infinite-recursion.cc: Likewise.
1258 * kf-analyzer.cc: Likewise.
1259 * kf.cc: Likewise. Add nullptr for new param of
1260 check_region_for_write.
1261 * pending-diagnostic.h: Likewise in decl.
1262 * region-model-manager.cc
1263 (region_model_manager::get_or_create_int_cst): Convert param from
1264 poly_int64 to const poly_wide_int_ref &.
1265 (region_model_manager::maybe_fold_binop): Support type being NULL
1266 when checking for floating-point types.
1267 Check for (X + Y) - X => Y. Be less strict about types when folding
1268 associative ops. Check for (X + Y) * CST => (X * CST) + (Y * CST).
1269 * region-model-manager.h
1270 (region_model_manager::get_or_create_int_cst): Convert param from
1271 poly_int64 to const poly_wide_int_ref &.
1272 * region-model.cc: Add logger param to pending_diagnostic::emit
1273 implementations.
1274 (region_model::check_external_function_for_access_attr): Update
1275 for new param of check_region_for_write.
1276 (region_model::deref_rvalue): Use nullptr rather than NULL.
1277 (region_model::get_capacity): Handle RK_STRING.
1278 (region_model::check_region_access): Add "sval_hint" param; pass it to
1279 check_region_bounds.
1280 (region_model::check_region_for_write): Add "sval_hint" param;
1281 pass it to check_region_access.
1282 (region_model::check_region_for_read): Add NULL for new param to
1283 check_region_access.
1284 (region_model::set_value): Pass rhs_sval to
1285 check_region_for_write.
1286 (region_model::get_representative_path_var_1): Handle SK_CONSTANT
1287 in the check for infinite recursion.
1288 * region-model.h (region_model::check_region_for_write): Add
1289 "sval_hint" param.
1290 (region_model::check_region_access): Likewise.
1291 (region_model::check_symbolic_bounds): Likewise.
1292 (region_model::check_region_bounds): Likewise.
1293 * region.cc (region_offset::make_byte_offset): New.
1294 (region_offset::calc_symbolic_bit_offset): New.
1295 (region_offset::calc_symbolic_byte_offset): New.
1296 (region_offset::dump_to_pp): New.
1297 (region_offset::dump): New.
1298 (struct linear_op): New.
1299 (operator<, operator<=, operator>, operator>=): New, for
1300 region_offset.
1301 (region::get_next_offset): New.
1302 (region::get_relative_symbolic_offset): Use ptrdiff_type_node.
1303 (field_region::get_relative_symbolic_offset): Likewise.
1304 (element_region::get_relative_symbolic_offset): Likewise.
1305 (bit_range_region::get_relative_symbolic_offset): Likewise.
1306 * region.h (region::get_next_offset): New decl.
1307 * sm-fd.cc: Add logger param to pending_diagnostic::emit
1308 implementations.
1309 * sm-file.cc: Likewise.
1310 * sm-malloc.cc: Likewise.
1311 * sm-pattern-test.cc: Likewise.
1312 * sm-sensitive.cc: Likewise.
1313 * sm-signal.cc: Likewise.
1314 * sm-taint.cc: Likewise.
1315 * store.cc (bit_range::contains_p): Allow "out" to be null.
1316 * store.h (byte_range::get_start_bit_offset): New.
1317 (byte_range::get_next_bit_offset): New.
1318 * varargs.cc: Add logger param to pending_diagnostic::emit
1319 implementations.
1320
09ae3035
GA		 13212023-06-10 Tim Lange <mail@tim-lange.me>
1322
1323 PR analyzer/109577
1324 * constraint-manager.cc (class sval_finder): Visitor to find
1325 childs in svalue trees.
1326 (constraint_manager::sval_constrained_p): Add new function to
1327 check whether a sval might be part of an constraint.
1328 * constraint-manager.h: Add sval_constrained_p function.
1329 * region-model.cc (class size_visitor): Reverse behavior to not
1330 emit a warning on not explicitly considered cases.
1331 (region_model::check_region_size):
1332 Adapt to size_visitor changes.
1333
a2c019e2
GA		 13342023-06-09 David Malcolm <dmalcolm@redhat.com>
1335
1336 PR analyzer/110112
1337 * region-model.cc (region_model::get_initial_value_for_global):
1338 Move code to region::calc_initial_value_at_main.
1339 * region.cc (region::get_initial_value_at_main): New function.
1340 (region::calc_initial_value_at_main): New function, based on code
1341 in region_model::get_initial_value_for_global.
1342 (region::region): Initialize m_cached_init_sval_at_main.
1343 (decl_region::get_svalue_for_constructor): Add a cache, splitting
1344 out body to...
1345 (decl_region::calc_svalue_for_constructor): ...this new function.
1346 * region.h (region::get_initial_value_at_main): New decl.
1347 (region::calc_initial_value_at_main): New decl.
1348 (region::m_cached_init_sval_at_main): New field.
1349 (decl_region::decl_region): Initialize m_ctor_svalue.
1350 (decl_region::calc_svalue_for_constructor): New decl.
1351 (decl_region::m_ctor_svalue): New field.
1352
feae15ae
GA		 13532023-06-08 Benjamin Priour <vultkayn@gcc.gnu.org>
1354
1355 * bounds-checking.cc (region_model::check_symbolic_bounds): Returns whether the BASE_REG
1356 region access was OOB.
1357 (region_model::check_region_bounds): Likewise.
1358 * region-model.cc (region_model::get_store_value): Creates an
1359 unknown svalue on OOB-read access to REG.
1360 (region_model::check_region_access): Returns whether an unknown svalue needs be created.
1361 (region_model::check_region_for_read): Passes check_region_access return value.
1362 * region-model.h: Update prior function definitions.
1363
829d5975
GA		 13642023-06-02 David Malcolm <dmalcolm@redhat.com>
1365
1366 PR analyzer/109015
1367 * kf.cc (class kf_atomic_exchange): New.
1368 (class kf_atomic_exchange_n): New.
1369 (class kf_atomic_fetch_op): New.
1370 (class kf_atomic_op_fetch): New.
1371 (class kf_atomic_load): New.
1372 (class kf_atomic_load_n): New.
1373 (class kf_atomic_store_n): New.
1374 (register_atomic_builtins): New function.
1375 (register_known_functions): Call register_atomic_builtins.
1376
13772023-06-02 David Malcolm <dmalcolm@redhat.com>
1378
1379 * store.cc (store::eval_alias_1): Regions in different memory
1380 spaces can't alias.
1381
b2776076
GA		 13822023-05-18 Bernhard Reutner-Fischer <aldot@gcc.gnu.org>
1383
1384 * region-model-manager.cc (get_code_for_cast): Use _P defines from
1385 tree.h.
1386 (region_model_manager::get_or_create_cast): Ditto.
1387 (region_model_manager::get_region_for_global): Ditto.
1388 * region-model.cc (region_model::get_lvalue_1): Ditto.
1389 * region.cc (decl_region::maybe_get_constant_value): Ditto.
1390
50bd9c41
GA		 13912023-03-22 David Malcolm <dmalcolm@redhat.com>
1392
1393 PR analyzer/109239
1394 * program-point.cc: Include "analyzer/inlining-iterator.h".
1395 (program_point::effectively_intraprocedural_p): New function.
1396 * program-point.h (program_point::effectively_intraprocedural_p):
1397 New decl.
1398 * sm-malloc.cc (deref_before_check::emit): Use it when rejecting
1399 interprocedural cases, so that we reject interprocedural cases
1400 that have become intraprocedural due to inlining.
1401
cffcb774
GA		 14022023-03-18 David Malcolm <dmalcolm@redhat.com>
1403
1404 PR analyzer/109094
1405 * region-model.cc (region_model::on_longjmp): Pass false for
1406 new "eval_return_svalue" param of pop_frame.
1407 (region_model::pop_frame): Add new "eval_return_svalue" param and
1408 use it to suppress the call to get_rvalue on the result when
1409 needed by on_longjmp.
1410 * region-model.h (region_model::pop_frame): Add new
1411 "eval_return_svalue" param.
1412
c8065441
GA		 14132023-03-10 David Malcolm <dmalcolm@redhat.com>
1414
1415 PR analyzer/109059
1416 * region-model.cc (region_model::mark_region_as_unknown): Gather a
1417 set of maybe-live svalues and call on_maybe_live_values with it.
1418 * store.cc (binding_map::remove_overlapping_bindings): Add new
1419 "maybe_live_values" param; add any removed svalues to it.
1420 (binding_cluster::clobber_region): Add NULL as new param of
1421 remove_overlapping_bindings.
1422 (binding_cluster::mark_region_as_unknown): Add "maybe_live_values"
1423 param and pass it to remove_overlapping_bindings.
1424 (binding_cluster::maybe_get_compound_binding): Add NULL for new
1425 param of binding_map::remove_overlapping_bindings.
1426 (binding_cluster::remove_overlapping_bindings): Add
1427 "maybe_live_values" param and pass to
1428 binding_map::remove_overlapping_bindings.
1429 (store::set_value): Capture a set of maybe-live svalues, and call
1430 on_maybe_live_values with it.
1431 (store::on_maybe_live_values): New.
1432 (store::mark_region_as_unknown): Add "maybe_live_values" param
1433 and pass it to binding_cluster::mark_region_as_unknown.
1434 (store::remove_overlapping_bindings): Pass NULL for new param of
1435 binding_cluster::remove_overlapping_bindings.
1436 * store.h (binding_map::remove_overlapping_bindings): Add
1437 "maybe_live_values" param.
1438 (binding_cluster::mark_region_as_unknown): Likewise.
1439 (binding_cluster::remove_overlapping_bindings): Likewise.
1440 (store::mark_region_as_unknown): Likewise.
1441 (store::on_maybe_live_values): New decl.
1442
14432023-03-10 David Malcolm <dmalcolm@redhat.com>
1444
1445 PR analyzer/108475
1446 PR analyzer/109060
1447 * sm-malloc.cc (deref_before_check::deref_before_check):
1448 Initialize new field m_deref_expr. Assert that arg is non-NULL.
1449 (deref_before_check::emit): Reject cases where the spelling of the
1450 thing that was dereferenced differs from that of what is checked,
1451 or if the dereference expression was not found. Remove code to
1452 handle NULL m_arg.
1453 (deref_before_check::describe_state_change): Remove code to handle
1454 NULL m_arg.
1455 (deref_before_check::describe_final_event): Likewise.
1456 (deref_before_check::sufficiently_similar_p): New.
1457 (deref_before_check::m_deref_expr): New field.
1458 (malloc_state_machine::maybe_complain_about_deref_before_check):
1459 Don't warn if the diag_ptr is NULL.
1460
2aa6673e
GA		 14612023-03-03 David Malcolm <dmalcolm@redhat.com>
1462
1463 * kf.cc (class kf_sprintf): New.
1464 (register_known_functions): Register it.
1465
14db9ed5
GA		 14662023-03-02 David Malcolm <dmalcolm@redhat.com>
1467
1468 PR analyzer/108968
1469 * region-model.cc (region_model::get_rvalue_1): Handle VAR_DECLs
1470 with a DECL_HARD_REGISTER by returning UNKNOWN.
1471
14722023-03-02 Hans-Peter Nilsson <hp@axis.com>
1473
1474 * kf.cc (register_known_functions): Add __errno function for newlib.
1475
c88a7c63
GA		 14762023-03-01 David Malcolm <dmalcolm@redhat.com>
1477
1478 PR analyzer/107565
1479 * region-model.cc (region_model::on_call_pre): Flatten logic by
1480 returning early. Consolidate logic for detecting const and pure
1481 functions. When considering whether an unhandled built-in
1482 function has side-effects, consider all kinds of builtin, rather
1483 than just BUILT_IN_NORMAL, and don't require
1484 gimple_builtin_call_types_compatible_p.
1485
14862023-03-01 David Malcolm <dmalcolm@redhat.com>
1487
1488 PR analyzer/108935
1489 * infinite-recursion.cc (contains_unknown_p): New.
1490 (sufficiently_different_region_binding_p): New function, splitting
1491 out inner loop from...
1492 (sufficiently_different_p): ...here. Extend detection of unknown
1493 svalues to also include svalues that contain unknown. Treat
1494 changes in frames below the entry to the recursion as being
1495 sufficiently different to reject being an infinite recursion.
1496
c3bf22d9
GA		 14972023-02-21 David Malcolm <dmalcolm@redhat.com>
1498
1499 PR analyzer/108830
1500 * analyzer.opt (fanalyzer-suppress-followups): New option.
1501 * engine.cc (impl_region_model_context::warn): Terminate the path
1502 if the diagnostic's terminate_path_p vfunc returns true and
1503 -fanalyzer-suppress-followups is true (the default).
1504 (impl_sm_context::warn): Likewise, for both overloads.
1505 * pending-diagnostic.h (pending_diagnostic::terminate_path_p): New
1506 vfunc.
1507 * program-state.cc (program_state::on_edge): Terminate the path if
1508 the ctxt requests it during updating the edge.
1509 * region-model.cc (poisoned_value_diagnostic::terminate_path_p):
1510 New vfunc.
1511 * sm-malloc.cc (null_deref::terminate_path_p): New vfunc.
1512 (null_arg::terminate_path_p): New vfunc.
1513
88cc4495
GA		 15142023-02-16 David Malcolm <dmalcolm@redhat.com>
1515
1516 PR analyzer/108806
1517 * constraint-manager.cc (bounded_range::dump_to_pp): Use
1518 bounded_range::singleton_p.
1519 (constraint_manager::add_bounded_ranges): Handle singleton ranges
1520 by adding an EQ_EXPR constraint.
1521 (constraint_manager::impossible_derived_conditions_p): New.
1522 (constraint_manager::eval_condition): Reject EQ_EXPR when it would
1523 imply impossible derived conditions.
1524 (selftest::test_bits): New.
1525 (selftest::run_constraint_manager_tests): Run it.
1526 * constraint-manager.h (bounded_range::singleton_p): New.
1527 (constraint_manager::impossible_derived_conditions_p): New decl.
1528 * region-model.cc (region_model::get_rvalue_1): Handle
1529 BIT_AND_EXPR, BIT_IOR_EXPR, and BIT_XOR_EXPR.
1530
29a35391
GA		 15312023-02-15 David Malcolm <dmalcolm@redhat.com>
1532
1533 PR analyzer/108664
1534 PR analyzer/108666
1535 PR analyzer/108725
1536 * diagnostic-manager.cc (epath_finder::get_best_epath): Add
1537 "target_stmt" param.
1538 (epath_finder::explore_feasible_paths): Likewise.
1539 (epath_finder::process_worklist_item): Likewise.
1540 (saved_diagnostic::calc_best_epath): Pass m_stmt to
1541 epath_finder::get_best_epath.
1542 * engine.cc (feasibility_state::maybe_update_for_edge): Move
1543 per-stmt logic to...
1544 (feasibility_state::update_for_stmt): ...this new function.
1545 * exploded-graph.h (feasibility_state::update_for_stmt): New decl.
1546 * feasible-graph.cc (feasible_node::get_state_at_stmt): New.
1547 * feasible-graph.h: Include "analyzer/exploded-graph.h".
1548 (feasible_node::get_state_at_stmt): New decl.
1549 * infinite-recursion.cc
1550 (infinite_recursion_diagnostic::check_valid_fpath_p): Update for
1551 vfunc signature change.
1552 * pending-diagnostic.h (pending_diagnostic::check_valid_fpath_p):
1553 Convert first param to a reference. Add stmt param.
1554 * region-model.cc: Include "analyzer/feasible-graph.h".
1555 (poisoned_value_diagnostic::poisoned_value_diagnostic): Add
1556 "check_expr" param.
1557 (poisoned_value_diagnostic::check_valid_fpath_p): New.
1558 (poisoned_value_diagnostic::m_check_expr): New field.
1559 (region_model::check_for_poison): Attempt to supply a check_expr
1560 to the diagnostic
1561 (region_model::deref_rvalue): Add NULL for new check_expr param
1562 of poisoned_value_diagnostic.
1563 (region_model::get_or_create_region_for_heap_alloc): Don't reuse
1564 regions that are marked as TOUCHED.
1565
d7a47ed1
GA		 15662023-02-10 David Malcolm <dmalcolm@redhat.com>
1567
1568 PR analyzer/108745
1569 * sm-malloc.cc (deref_before_check::emit): Reject the warning if
1570 the check occurs within a macro defintion.
1571
e92e2c96
GA		 15722023-02-09 David Malcolm <dmalcolm@redhat.com>
1573
1574 PR analyzer/108733
1575 * state-purge.cc (get_candidate_for_purging): Add ADDR_EXPR
1576 and MEM_REF.
1577
f6fc79d0
GA		 15782023-02-08 David Malcolm <dmalcolm@redhat.com>
1579
1580 PR analyzer/108704
1581 * state-purge.cc (state_purge_per_decl::process_point_backwards):
1582 Don't stop processing the decl if it's fully overwritten by
1583 this stmt if it's also used by this stmt.
1584
8f3b85ef
GA		 15852023-02-07 David Malcolm <dmalcolm@redhat.com>
1586
1587 PR analyzer/108661
1588 * sm-fd.cc (class kf_read): New.
1589 (register_known_fd_functions): Register "read".
1590 * sm-file.cc (class kf_fread): Update comment.
1591
a37a0cb3
GA		 15922023-02-02 David Malcolm <dmalcolm@redhat.com>
1593
1594 PR analyzer/108633
1595 * sm-fd.cc (fd_state_machine::check_for_fd_attrs): Add missing
1596 "continue".
1597 (fd_state_machine::on_listen): Don't issue phase-mismatch or
1598 type-mismatch warnings for the "invalid" state.
1599
0a251e74
GA		 16002023-02-01 David Malcolm <dmalcolm@redhat.com>
1601
1602 PR analyzer/108616
1603 * pending-diagnostic.cc (fixup_location_in_macro_p): Add "alloca"
1604 to macros that we shouldn't unwind inside.
1605
2371d100
GA		 16062023-01-26 David Malcolm <dmalcolm@redhat.com>
1607
1608 PR analyzer/108524
1609 * analyzer.h (class feasible_node): New forward decl.
1610 * diagnostic-manager.cc (epath_finder::get_best_epath): Add "pd"
1611 param.
1612 (epath_finder::explore_feasible_paths): Likewise.
1613 (epath_finder::process_worklist_item): Likewise. Use it to call
1614 pending_diagnostic::check_valid_fpath_p on the final fpath to
1615 give pending_diagnostic a way to add additional restrictions on
1616 feasibility.
1617 (saved_diagnostic::calc_best_epath): Pass pending_diagnostic to
1618 epath_finder::get_best_epath.
1619 * infinite-recursion.cc: Include "analyzer/feasible-graph.h".
1620 (infinite_recursion_diagnostic::check_valid_fpath_p): New.
1621 (infinite_recursion_diagnostic::fedge_uses_conjured_svalue_p): New.
1622 (infinite_recursion_diagnostic::expr_uses_conjured_svalue_p): New.
1623 * pending-diagnostic.h (pending_diagnostic::check_valid_fpath_p):
1624 New vfunc.
1625
0846336d
GA		 16262023-01-19 David Malcolm <dmalcolm@redhat.com>
1627
1628 PR analyzer/108455
1629 * analyzer.h (class checker_event): New forward decl.
1630 (class state_change_event): Indent.
1631 (class warning_event): New forward decl.
1632 * checker-event.cc (state_change_event::state_change_event): Add
1633 "enode" param.
1634 (warning_event::get_desc): Update for new param of
1635 evdesc::final_event ctor.
1636 * checker-event.h (state_change_event::state_change_event): Add
1637 "enode" param.
1638 (state_change_event::get_exploded_node): New accessor.
1639 (state_change_event::m_enode): New field.
1640 (warning_event::warning_event): New "enode" param.
1641 (warning_event::get_exploded_node): New accessor.
1642 (warning_event::m_enode): New field.
1643 * diagnostic-manager.cc
1644 (state_change_event_creator::on_global_state_change): Pass
1645 src_node to state_change_event ctor.
1646 (state_change_event_creator::on_state_change): Likewise.
1647 (null_assignment_sm_context::set_next_state): Pass NULL for
1648 new param of state_change_event ctor.
1649 * infinite-recursion.cc
1650 (infinite_recursion_diagnostic::add_final_event): Update for new
1651 param of warning_event ctor.
1652 * pending-diagnostic.cc (pending_diagnostic::add_final_event):
1653 Pass enode to warning_event ctor.
1654 * pending-diagnostic.h (evdesc::final_event): Add reference to
1655 warning_event.
1656 * sm-malloc.cc: Include "analyzer/checker-event.h" and
1657 "analyzer/exploded-graph.h".
1658 (deref_before_check::deref_before_check): Initialize new fields.
1659 (deref_before_check::emit): Reject warnings in which we were
1660 unable to determine the enodes of the dereference and the check.
1661 Reject warnings interprocedural warnings. Reject warnings in which
1662 the dereference doesn't dominate the check.
1663 (deref_before_check::describe_state_change): Set m_deref_enode.
1664 (deref_before_check::describe_final_event): Set m_check_enode.
1665 (deref_before_check::m_deref_enode): New field.
1666 (deref_before_check::m_check_enode): New field.
1667
5013c3bb
GA		 16682023-01-13 David Malcolm <dmalcolm@redhat.com>
1669
1670 PR analyzer/105273
1671 * region-model.cc (has_nondefault_case_for_value_p): New.
1672 (has_nondefault_cases_for_all_enum_values_p): New.
1673 (region_model::apply_constraints_for_gswitch): Skip
1674 implicitly-created "default" when switching on an enum
1675 and all enum values have non-default cases.
1676 (rejected_default_case::dump_to_pp): New.
1677 * region-model.h (region_model_context::possibly_tainted_p): New
1678 decl.
1679 (class rejected_default_case): New.
1680 * sm-taint.cc (region_model_context::possibly_tainted_p): New.
1681 * supergraph.cc (switch_cfg_superedge::dump_label_to_pp): Dump
1682 when implicitly_created_default_p.
1683 (switch_cfg_superedge::implicitly_created_default_p): New.
1684 * supergraph.h
1685 (switch_cfg_superedge::implicitly_created_default_p): New decl.
1686
81ed98bc
GA		 16872023-01-11 David Malcolm <dmalcolm@redhat.com>
1688
1689 PR analyzer/108252
1690 * kf.cc (class kf_strdup): New.
1691 (class kf_strndup): New.
1692 (register_known_functions): Register them.
1693 * region-model.cc (region_model::on_call_pre): Use
1694 &HEAP_ALLOCATED_REGION for the default result of an external
1695 function with the "malloc" attribute, rather than CONJURED_SVALUE.
1696 (region_model::get_or_create_region_for_heap_alloc): Allow
1697 "size_in_bytes" to be NULL.
1698 * store.cc (store::set_value): When handling *UNKNOWN = VAL,
1699 mark VAL as "maybe bound".
1700
5fb1e674
GA		 17012022-12-16 David Malcolm <dmalcolm@redhat.com>
1702
1703 PR analyzer/106479
1704 * kf.cc (kf_memcpy_memmove::impl_call_pre): Pass in source region
1705 to region_model::check_for_poison.
1706 * region-model-asm.cc (region_model::on_asm_stmt): Pass NULL
1707 region to region_model::check_for_poison.
1708 * region-model.cc (region_model::check_for_poison): Add
1709 "src_region" param, and pass it to poisoned_value_diagnostic.
1710 (region_model::on_assignment): Pass NULL region to
1711 region_model::check_for_poison.
1712 (region_model::get_rvalue): Likewise.
1713 * region-model.h (region_model::check_for_poison): Add
1714 "src_region" param.
1715 * sm-fd.cc (fd_state_machine::on_accept): Pass in source region
1716 to region_model::check_for_poison.
1717 * varargs.cc (kf_va_copy::impl_call_pre): Pass NULL region to
1718 region_model::check_for_poison.
1719 (kf_va_arg::impl_call_pre): Pass in source region to
1720 region_model::check_for_poison.
1721
26f4aefa
GA		 17222022-12-14 David Malcolm <dmalcolm@redhat.com>
1723
1724 PR analyzer/108065
1725 * region.cc (decl_region::get_svalue_for_initializer): Bail out to
1726 avoid calling binding_key::make with an empty region.
1727 * store.cc (binding_map::apply_ctor_val_to_range): Likewise.
1728 (binding_map::apply_ctor_pair_to_child_region): Likewise.
1729 (binding_cluster::bind): Likewise.
1730 (binding_cluster::purge_region): Likewise.
1731 (binding_cluster::maybe_get_compound_binding): Likewise.
1732 (binding_cluster::maybe_get_simple_value): Likewise.
1733
40ce6485
GA		 17342022-12-09 David Malcolm <dmalcolm@redhat.com>
1735
1736 * analyzer.h (class known_function): Expand comment.
1737 * region-model-impl-calls.cc: Rename to...
1738 * kf.cc: ...this.
1739 * known-function-manager.h (class known_function_manager): Add
1740 leading comment.
1741
17422022-12-09 David Malcolm <dmalcolm@redhat.com>
1743
1744 PR analyzer/108003
1745 * call-summary.cc
1746 (call_summary_replay::convert_region_from_summary_1): Convert
1747 heap_regs_in_use from auto_sbitmap to auto_bitmap.
1748 * region-model-manager.cc
1749 (region_model_manager::get_or_create_region_for_heap_alloc):
1750 Convert from sbitmap to bitmap.
1751 * region-model-manager.h: Likewise.
1752 * region-model.cc
1753 (region_model::get_or_create_region_for_heap_alloc): Convert from
1754 auto_sbitmap to auto_bitmap.
1755 (region_model::get_referenced_base_regions): Likewise.
1756 * region-model.h: Include "bitmap.h" rather than "sbitmap.h".
1757 (region_model::get_referenced_base_regions): Convert from
1758 auto_sbitmap to auto_bitmap.
1759
17602022-12-09 David Malcolm <dmalcolm@redhat.com>
1761
1762 * region-model-impl-calls.cc (class kf_memcpy): Rename to...
1763 (class kf_memcpy_memmove): ...this.
1764 (kf_memcpy::impl_call_pre): Rename to...
1765 (kf_memcpy_memmove::impl_call_pre): ...this, and check the src for
1766 poison.
1767 (register_known_functions): Update for above renaming, and
1768 register BUILT_IN_MEMMOVE and BUILT_IN_MEMMOVE_CHK.
1769
3fe66f7f
GA		 17702022-12-06 David Malcolm <dmalcolm@redhat.com>
1771
1772 PR analyzer/107882
1773 * region-model.cc (region_model::get_store_value): Return an
1774 unknown value for empty regions.
1775 (region_model::set_value): Bail on empty regions.
1776 * region.cc (region::empty_p): New.
1777 * region.h (region::empty_p): New decl.
1778 * state-purge.cc (same_binding_p): Bail if either region is empty.
1779 * store.cc (binding_key::make): Assert that a concrete binding's
1780 bit_size must be > 0.
1781 (binding_cluster::mark_region_as_unknown): Bail on empty regions.
1782 (binding_cluster::get_binding): Likewise.
1783 (binding_cluster::remove_overlapping_bindings): Likewise.
1784 (binding_cluster::on_unknown_fncall): Don't conjure values for
1785 empty regions.
1786 (store::fill_region): Bail on empty regions.
1787 * store.h (class concrete_binding): Update comment to reflect that
1788 the range of bits must be non-empty.
1789 (concrete_binding::concrete_binding): Assert that bit range is
1790 non-empty.
1791
17922022-12-06 David Malcolm <dmalcolm@redhat.com>
1793
1794 PR analyzer/106325
1795 * region-model-manager.cc
1796 (region_model_manager::get_or_create_null_ptr): New.
1797 * region-model-manager.h
1798 (region_model_manager::get_or_create_null_ptr): New decl.
1799 * region-model.cc (region_model::on_top_level_param): Add
1800 "nonnull" param and make use of it.
1801 (region_model::push_frame): When handling a top-level entrypoint
1802 to the analysis, determine which params __attribute__((nonnull))
1803 applies to, and pass to on_top_level_param.
1804 * region-model.h (region_model::on_top_level_param): Add "nonnull"
1805 param.
1806
18072022-12-06 David Malcolm <dmalcolm@redhat.com>
1808
1809 * analyzer.h (register_known_analyzer_functions): New decl.
1810 (register_known_functions_lang_cp): New decl.
1811 * call-details.cc: New file, split out from
1812 region-model-impl-calls.cc.
1813 * call-details.h: New file, split out from region-model.h.
1814 * call-info.cc: Include "analyzer/call-details.h".
1815 * call-summary.h: Likewise.
1816 * kf-analyzer.cc: New file, split out from
1817 region-model-impl-calls.cc.
1818 * kf-lang-cp.cc: Likewise.
1819 * known-function-manager.cc: Include "analyzer/call-details.h".
1820 * region-model-impl-calls.cc: Move definitions of call_details's
1821 member functions to call-details.cc. Move class kf_analyzer_* to
1822 kf-analyzer.cc. Move kf_operator_new and kf_operator_delete to
1823 kf-lang-cp.cc. Refresh #includes accordingly.
1824 (register_known_functions): Replace registration of __analyzer_*
1825 functions with a call to register_known_analyzer_functions.
1826 Replace registration of C++ support functions with a call to
1827 register_known_functions_lang_cp.
1828 * region-model.h (class call_details): Move to new call-details.h.
1829 * sm-fd.cc: Include "analyzer/call-details.h".
1830 * sm-file.cc: Likewise.
1831 * sm-malloc.cc: Likewise.
1832 * varargs.cc: Likewise.
1833
596dbfff
GA		 18342022-12-02 David Malcolm <dmalcolm@redhat.com>
1835
1836 * analyzer.h (struct event_loc_info): New forward decl.
1837 * bounds-checking.cc: Use event_loc_info throughout to bundle the
1838 loc, fndecl, depth triples.
1839 * call-info.cc: Likewise.
1840 * checker-event.cc: Likewise.
1841 * checker-event.h (struct event_loc_info): New decl. Use it
1842 throughout to bundle the loc, fndecl, depth triples.
1843 * checker-path.cc: Likewise.
1844 * checker-path.h: Likewise.
1845 * diagnostic-manager.cc: Likewise.
1846 * engine.cc: Likewise.
1847 * infinite-recursion.cc: Likewise.
1848 * pending-diagnostic.cc: Likewise.
1849 * pending-diagnostic.h: Likewise.
1850 * region-model.cc: Likewise.
1851 * sm-signal.cc: Likewise.
1852 * varargs.cc: Likewise.
1853
18542022-12-02 David Malcolm <dmalcolm@redhat.com>
1855
1856 PR analyzer/107851
1857 * analyzer.cc (make_label_text_n): Convert param "n" from int to
1858 unsigned HOST_WIDE_INT.
1859 * analyzer.h (make_label_text_n): Likewise for decl.
1860 * bounds-checking.cc: Include "analyzer/checker-event.h" and
1861 "analyzer/checker-path.h".
1862 (out_of_bounds::add_region_creation_events): New.
1863 (concrete_past_the_end::describe_region_creation_event): Replace
1864 with...
1865 (concrete_past_the_end::add_region_creation_events): ...this.
1866 (symbolic_past_the_end::describe_region_creation_event): Delete.
1867 * checker-event.cc (region_creation_event::region_creation_event):
1868 Update for dropping all member data.
1869 (region_creation_event::get_desc): Delete, splitting out into
1870 region_creation_event_memory_space::get_desc,
1871 region_creation_event_capacity::get_desc, and
1872 region_creation_event_debug::get_desc.
1873 (region_creation_event_memory_space::get_desc): New.
1874 (region_creation_event_capacity::get_desc): New.
1875 (region_creation_event_allocation_size::get_desc): New.
1876 (region_creation_event_debug::get_desc): New.
1877 * checker-event.h: Include "analyzer/program-state.h".
1878 (enum rce_kind): Delete.
1879 (class region_creation_event): Drop all member data.
1880 (region_creation_event::region_creation_event): Make protected.
1881 (region_creation_event::get_desc): Delete.
1882 (class region_creation_event_memory_space): New.
1883 (class region_creation_event_capacity): New.
1884 (class region_creation_event_allocation_size): New.
1885 (class region_creation_event_debug): New.
1886 * checker-path.cc (checker_path::add_region_creation_events): Add
1887 "pd" param. Call pending_diangnostic::add_region_creation_events.
1888 Update for conversion of RCE_DEBUG to region_creation_event_debug.
1889 * checker-path.h (checker_path::add_region_creation_events): Add
1890 "pd" param.
1891 * diagnostic-manager.cc (diagnostic_manager::build_emission_path):
1892 Pass pending_diagnostic to
1893 emission_path::add_region_creation_events.
1894 (diagnostic_manager::build_emission_path): Pass path_builder to
1895 add_event_on_final_node.
1896 (diagnostic_manager::add_event_on_final_node): Add "pb" param.
1897 Pass pending_diagnostic to
1898 emission_path::add_region_creation_events.
1899 (diagnostic_manager::add_events_for_eedge): Pass
1900 pending_diagnostic to emission_path::add_region_creation_events.
1901 * diagnostic-manager.h
1902 (diagnostic_manager::add_event_on_final_node): Add "pb" param.
1903 * pending-diagnostic.cc
1904 (pending_diagnostic::add_region_creation_events): New.
1905 * pending-diagnostic.h (struct region_creation): Delete.
1906 (pending_diagnostic::describe_region_creation_event): Delete.
1907 (pending_diagnostic::add_region_creation_events): New vfunc.
1908 * region-model.cc: Include "analyzer/checker-event.h" and
1909 "analyzer/checker-path.h".
1910 (dubious_allocation_size::dubious_allocation_size): Initialize
1911 m_has_allocation_event.
1912 (dubious_allocation_size::describe_region_creation_event): Delete.
1913 (dubious_allocation_size::describe_final_event): Update for
1914 replacement of m_allocation_event with m_has_allocation_event.
1915 (dubious_allocation_size::add_region_creation_events): New.
1916 (dubious_allocation_size::m_allocation_event): Replace with...
1917 (dubious_allocation_size::m_has_allocation_event): ...this.
1918
b35680ec
GA		 19192022-12-02 David Malcolm <dmalcolm@redhat.com>
1920
1921 PR analyzer/107948
1922 * region-model-manager.cc
1923 (region_model_manager::maybe_fold_binop): Fold (0 - VAL) to -VAL.
1924 * region-model.cc (region_model::eval_condition): Handle e.g.
1925 "-X <= 0" as equivalent to X >= 0".
1926
19272022-12-01 David Malcolm <dmalcolm@redhat.com>
1928
1929 PR analyzer/106626
1930 * bounds-checking.cc
1931 (symbolic_past_the_end::describe_final_event): Delete, moving to
1932 symbolic_buffer_overflow::describe_final_event and
1933 symbolic_buffer_over_read::describe_final_event, eliminating
1934 composition of text strings via "byte_str" and "m_dir_str".
1935 (symbolic_past_the_end::m_dir_str): Delete field.
1936 (symbolic_buffer_overflow::symbolic_buffer_overflow): Drop
1937 m_dir_str.
1938 (symbolic_buffer_overflow::describe_final_event): New, as noted
1939 above.
1940 (symbolic_buffer_over_read::symbolic_buffer_overflow): Drop
1941 m_dir_str.
1942 (symbolic_buffer_over_read::describe_final_event): New, as noted
1943 above.
1944
19452022-12-01 David Malcolm <dmalcolm@redhat.com>
1946
1947 * bounds-checking.cc (class out_of_bounds): Split out from...
1948 (class concrete_out_of_bounds): New abstract subclass.
1949 (class past_the_end): Rename to...
1950 (class concrete_past_the_end): ...this, and make a subclass of
1951 concrete_out_of_bounds.
1952 (class buffer_overflow): Rename to...
1953 (class concrete_buffer_overflow): ...this, and make a subclass of
1954 concrete_past_the_end.
1955 (class buffer_over_read): Rename to...
1956 (class concrete_buffer_over_read): ...this, and make a subclass of
1957 concrete_past_the_end.
1958 (class buffer_underwrite): Rename to...
1959 (class concrete_buffer_underwrite): ...this, and make a subclass
1960 of concrete_out_of_bounds.
1961 (class buffer_under_read): Rename to...
1962 (class concrete_buffer_under_read): ...this, and make a subclass
1963 of concrete_out_of_bounds.
1964 (class symbolic_past_the_end): Convert to a subclass of
1965 out_of_bounds.
1966 (symbolic_buffer_overflow::get_kind): New.
1967 (symbolic_buffer_over_read::get_kind): New.
1968 (region_model::check_region_bounds): Update for renamings.
1969 * engine.cc (impl_sm_context::set_next_state): Eliminate
1970 "new_ctxt", passing NULL to get_rvalue instead.
1971 (impl_sm_context::warn): Likewise.
1972
19732022-12-01 David Malcolm <dmalcolm@redhat.com>
1974
1975 PR analyzer/106626
1976 * bounds-checking.cc (out_of_bounds::get_memory_space): New.
1977 (buffer_overflow::emit): Use it.
1978 (class buffer_overread): Rename to...
1979 (class buffer_over_read): ...this.
1980 (buffer_over_read::emit): Specify which memory space the read is
1981 from, where known. Change "overread" to "over-read".
1982 (class buffer_underflow): Rename to...
1983 (class buffer_underwrite): ...this.
1984 (buffer_underwrite::emit): Specify which memory space the write is
1985 to, where known. Change "underflow" to "underwrite".
1986 (class buffer_underread): Rename to...
1987 (class buffer_under_read): Rename to...
1988 (buffer_under_read::emit): Specify which memory space the read is
1989 from, where known. Change "underread" to "under-read".
1990 (symbolic_past_the_end::get_memory_space): New.
1991 (symbolic_buffer_overflow::emit): Use it.
1992 (class symbolic_buffer_overread): Rename to...
1993 (class symbolic_buffer_over_read): ...this.
1994 (symbolic_buffer_over_read::emit): Specify which memory space the
1995 read is from, where known. Change "overread" to "over-read".
1996 (region_model::check_symbolic_bounds): Update for class renaming.
1997 (region_model::check_region_bounds): Likewise.
1998
19992022-12-01 David Malcolm <dmalcolm@redhat.com>
2000
2001 PR analyzer/106626
2002 * bounds-checking.cc (out_of_bounds::maybe_describe_array_bounds):
2003 New.
2004 (buffer_overflow::emit): Call maybe_describe_array_bounds.
2005 (buffer_overread::emit): Likewise.
2006 (buffer_underflow::emit): Likewise.
2007 (buffer_underread::emit): Likewise.
2008
20092022-12-01 David Malcolm <dmalcolm@redhat.com>
2010
2011 PR analyzer/106626
2012 * bounds-checking.cc (buffer_overflow::emit): Use inform_n.
2013 Update wording to clarify that we're talking about the size of
2014 the bad access, rather than its position.
2015 (buffer_overread::emit): Likewise.
2016
20172022-12-01 David Malcolm <dmalcolm@redhat.com>
2018
2019 * bounds-checking.cc: New file, taken from region-model.cc.
2020 * region-model.cc (class out_of_bounds): Move to
2021 bounds-checking.cc.
2022 (class past_the_end): Likewise.
2023 (class buffer_overflow): Likewise.
2024 (class buffer_overread): Likewise.
2025 (class buffer_underflow): Likewise.
2026 (class buffer_underread): Likewise.
2027 (class symbolic_past_the_end): Likewise.
2028 (class symbolic_buffer_overflow): Likewise.
2029 (class symbolic_buffer_overread): Likewise.
2030 (region_model::check_symbolic_bounds): Likewise.
2031 (maybe_get_integer_cst_tree): Likewise.
2032 (region_model::check_region_bounds): Likewise.
2033 * region-model.h: Add comment.
2034
20352022-12-01 David Malcolm <dmalcolm@redhat.com>
2036
2037 PR analyzer/107928
2038 * sm-fd.cc (fd_state_machine::on_bind): Handle m_constant_fd in
2039 the "success" outcome.
2040 (fd_state_machine::on_connect): Likewise.
2041 * sm-fd.dot: Add "constant_fd" state and its transitions.
2042
6eea85a9
GA		 20432022-11-30 David Malcolm <dmalcolm@redhat.com>
2044
2045 * region-model-impl-calls.cc (class kf_fgets): Move to sm-file.cc.
2046 (kf_fgets::impl_call_pre): Likewise.
2047 (class kf_fread): Likewise.
2048 (kf_fread::impl_call_pre): Likewise.
2049 (class kf_getchar): Likewise.
2050 (class kf_stdio_output_fn): Likewise.
2051 (register_known_functions): Move registration of
2052 BUILT_IN_FPRINTF, BUILT_IN_FPRINTF_UNLOCKED, BUILT_IN_FPUTC,
2053 BUILT_IN_FPUTC_UNLOCKED, BUILT_IN_FPUTS, BUILT_IN_FPUTS_UNLOCKED,
2054 BUILT_IN_FWRITE, BUILT_IN_FWRITE_UNLOCKED, BUILT_IN_PRINTF,
2055 BUILT_IN_PRINTF_UNLOCKED, BUILT_IN_PUTC, BUILT_IN_PUTCHAR,
2056 BUILT_IN_PUTCHAR_UNLOCKED, BUILT_IN_PUTC_UNLOCKED, BUILT_IN_PUTS,
2057 BUILT_IN_PUTS_UNLOCKED, BUILT_IN_VFPRINTF, BUILT_IN_VPRINTF,
2058 "getchar", "fgets", "fgets_unlocked", and "fread" to
2059 register_known_file_functions.
2060 * sm-file.cc (class kf_stdio_output_fn): Move here from
2061 region-model-impl-calls.cc.
2062 (class kf_fgets): Likewise.
2063 (class kf_fread): Likewise.
2064 (class kf_getchar): Likewise.
2065 (register_known_file_functions): Move registration of
2066 BUILT_IN_FPRINTF, BUILT_IN_FPRINTF_UNLOCKED, BUILT_IN_FPUTC,
2067 BUILT_IN_FPUTC_UNLOCKED, BUILT_IN_FPUTS, BUILT_IN_FPUTS_UNLOCKED,
2068 BUILT_IN_FWRITE, BUILT_IN_FWRITE_UNLOCKED, BUILT_IN_PRINTF,
2069 BUILT_IN_PRINTF_UNLOCKED, BUILT_IN_PUTC, BUILT_IN_PUTCHAR,
2070 BUILT_IN_PUTCHAR_UNLOCKED, BUILT_IN_PUTC_UNLOCKED, BUILT_IN_PUTS,
2071 BUILT_IN_PUTS_UNLOCKED, BUILT_IN_VFPRINTF, BUILT_IN_VPRINTF,
2072 "fgets", "fgets_unlocked", "fread", and "getchar" to here from
2073 register_known_functions.
2074
20752022-11-30 David Malcolm <dmalcolm@redhat.com>
2076
2077 PR analyzer/103546
2078 * analyzer.h (register_known_file_functions): New decl.
2079 * program-state.cc (sm_state_map::replay_call_summary): Rejct
2080 attempts to store sm-state for caller_sval that can't have
2081 associated state.
2082 * region-model-impl-calls.cc (register_known_functions): Call
2083 register_known_file_functions.
2084 * sm-fd.cc (class kf_isatty): New.
2085 (register_known_fd_functions): Register it.
2086 * sm-file.cc (class kf_ferror): New.
2087 (class kf_fileno): New.
2088 (class kf_getc): New.
2089 (register_known_file_functions): New.
2090
20912022-11-30 David Malcolm <dmalcolm@redhat.com>
2092
2093 PR analyzer/105784
2094 * region-model-manager.cc
2095 (region_model_manager::maybe_fold_binop): For POINTER_PLUS_EXPR,
2096 PLUS_EXPR and MINUS_EXPR, eliminate requirement that the final
2097 type matches that of arg0 in favor of a cast.
2098
9a1b4f1d
GA		 20992022-11-24 Martin Liska <mliska@suse.cz>
2100
2101 * varargs.cc: Fix Clang warnings.
2102
21032022-11-24 David Malcolm <dmalcolm@redhat.com>
2104
2105 PR analyzer/106473
2106 * call-summary.cc
2107 (call_summary_replay::convert_region_from_summary_1): Update for
2108 change to creation of heap-allocated regions.
2109 * program-state.cc (test_program_state_1): Likewise.
2110 (test_program_state_merging): Likewise.
2111 * region-model-impl-calls.cc (kf_calloc::impl_call_pre): Likewise.
2112 (kf_malloc::impl_call_pre): Likewise.
2113 (kf_operator_new::impl_call_pre): Likewise.
2114 (kf_realloc::impl_call_postsuccess_with_move::update_model): Likewise.
2115 * region-model-manager.cc
2116 (region_model_manager::create_region_for_heap_alloc): Convert
2117 to...
2118 (region_model_manager::get_or_create_region_for_heap_alloc):
2119 ...this, reusing an existing region if it's unreferenced in the
2120 client state.
2121 * region-model-manager.h (region_model_manager::get_num_regions): New.
2122 (region_model_manager::create_region_for_heap_alloc): Convert to...
2123 (region_model_manager::get_or_create_region_for_heap_alloc): ...this.
2124 * region-model.cc (region_to_value_map::can_merge_with_p): Reject
2125 merger when the values are different.
2126 (region_model::create_region_for_heap_alloc): Convert to...
2127 (region_model::get_or_create_region_for_heap_alloc): ...this.
2128 (region_model::get_referenced_base_regions): New.
2129 (selftest::test_state_merging): Update for change to creation of
2130 heap-allocated regions.
2131 (selftest::test_malloc_constraints): Likewise.
2132 (selftest::test_malloc): Likewise.
2133 * region-model.h: Include "sbitmap.h".
2134 (region_model::create_region_for_heap_alloc): Convert to...
2135 (region_model::get_or_create_region_for_heap_alloc): ...this.
2136 (region_model::get_referenced_base_regions): New decl.
2137 * store.cc (store::canonicalize): Don't purge a heap-allocated region
2138 that's been marked as escaping.
2139
21402022-11-24 David Malcolm <dmalcolm@redhat.com>
2141
2142 * checker-path.cc (checker_path::inject_any_inlined_call_events):
2143 Don't dump the address of the block when -fdump-noaddr.
2144
21452022-11-24 David Malcolm <dmalcolm@redhat.com>
2146
2147 * region-model.h (region_model::on_socket): Delete decl.
2148 (region_model::on_bind): Likewise.
2149 (region_model::on_listen): Likewise.
2150 (region_model::on_accept): Likewise.
2151 (region_model::on_connect): Likewise.
2152 * sm-fd.cc (kf_socket::outcome_of_socket::update_model): Move body
2153 of region_model::on_socket into here, ...
2154 (region_model::on_socket): ...eliminating this function.
2155 (kf_bind::outcome_of_bind::update_model): Likewise for on_bind...
2156 (region_model::on_bind): ...eliminating this function.
2157 (kf_listen::outcome_of_listen::update_model): Likewise fo
2158 on_listen...
2159 (region_model::on_listen): ...eliminating this function.
2160 (kf_accept::outcome_of_accept::update_model): Likewise fo
2161 on_accept...
2162 (region_model::on_accept): ...eliminating this function.
2163 (kf_connect::outcome_of_connect::update_model): Likewise fo
2164 on_connect...
2165 (region_model::on_connect): ...eliminating this function.
2166
21672022-11-24 David Malcolm <dmalcolm@redhat.com>
2168
2169 * analyzer.h (register_known_fd_functions): New decl.
2170 * region-model-impl-calls.cc (class kf_accept): Move to sm-fd.cc.
2171 (class kf_bind): Likewise.
2172 (class kf_connect): Likewise.
2173 (class kf_listen): Likewise.
2174 (class kf_pipe): Likewise.
2175 (class kf_socket): Likewise.
2176 (register_known_functions): Remove registration of the above
2177 functions, instead calling register_known_fd_functions.
2178 * sm-fd.cc: Include "analyzer/call-info.h".
2179 (class kf_socket): Move here from region-model-impl-calls.cc.
2180 (class kf_bind): Likewise.
2181 (class kf_listen): Likewise.
2182 (class kf_accept): Likewise.
2183 (class kf_connect): Likewise.
2184 (class kf_pipe): Likewise.
2185 (register_known_fd_functions): New.
2186
d0e4cdb4
GA		 21872022-11-22 David Malcolm <dmalcolm@redhat.com>
2188
2189 PR analyzer/107788
2190 * known-function-manager.cc (known_function_manager::get_match):
2191 Don't look up fndecls by name when they're not in the root
2192 namespace.
2193
21942022-11-22 David Malcolm <dmalcolm@redhat.com>
2195
2196 PR analyzer/107783
2197 * sm-fd.cc (fd_state_machine::check_for_new_socket_fd): Don't
2198 complain when old state is "fd-constant".
2199 (fd_state_machine::on_listen): Likewise.
2200 (fd_state_machine::on_accept): Likewise.
2201
22022022-11-22 David Malcolm <dmalcolm@redhat.com>
2203
2204 PR analyzer/107807
2205 * region-model-impl-calls.cc (register_known_functions): Register
2206 "___errno" and "__error" as synonyms for "__errno_location".
2207
22082022-11-22 David Malcolm <dmalcolm@redhat.com>
2209
2210 * analyzer.h (class internal_known_function): New.
2211 (register_varargs_builtins): New decl.
2212 * engine.cc (exploded_node::on_stmt_pre): Remove
2213 "out_terminate_path" param from call to region_model::on_stmt_pre.
2214 (feasibility_state::maybe_update_for_edge): Likewise.
2215 * known-function-manager.cc: Include "basic-block.h", "gimple.h",
2216 and "analyzer/region-model.h".
2217 (known_function_manager::known_function_manager): Initialize
2218 m_combined_fns_arr.
2219 (known_function_manager::~known_function_manager): Clean up
2220 m_combined_fns_arr.
2221 (known_function_manager::get_by_identifier): Make const.
2222 (known_function_manager::add): New overloaded definitions for
2223 enum built_in_function and enum internal_fn.
2224 (known_function_manager::get_by_fndecl): Delete.
2225 (known_function_manager::get_match): New.
2226 (known_function_manager::get_internal_fn): New.
2227 (known_function_manager::get_normal_builtin): New.
2228 * known-function-manager.h
2229 (known_function_manager::get_by_identifier): Make private and
2230 add const qualifier.
2231 (known_function_manager::get_by_fndecl): Delete.
2232 (known_function_manager::add): Add overloaded decls for
2233 enum built_in_function name and enum internal_fn.
2234 (known_function_manager::get_match): New decl.
2235 (known_function_manager::get_internal_fn): New decl.
2236 (known_function_manager::get_normal_builtin): New decl.
2237 (known_function_manager::m_combined_fns_arr): New field.
2238 * region-model-impl-calls.cc (call_details::arg_is_size_p): New.
2239 (class kf_alloca): New.
2240 (region_model::impl_call_alloca): Convert to...
2241 (kf_alloca::impl_call_pre): ...this.
2242 (kf_analyzer_dump_capacity::matches_call_types_p): Rewrite check
2243 to use call_details::arg_is_pointer_p.
2244 (region_model::impl_call_builtin_expect): Convert to...
2245 (class kf_expect): ...this.
2246 (class kf_calloc): New, adding check that both arguments are
2247 size_t.
2248 (region_model::impl_call_calloc): Convert to...
2249 (kf_calloc::impl_call_pre): ...this.
2250 (kf_connect::matches_call_types_p): Rewrite check to use
2251 call_details::arg_is_pointer_p.
2252 (region_model::impl_call_error): Convert to...
2253 (class kf_error): ...this, and...
2254 (kf_error::impl_call_pre): ...this.
2255 (class kf_fgets): New, adding checks that args 0 and 2 are
2256 pointers.
2257 (region_model::impl_call_fgets): Convert to...
2258 (kf_fgets::impl_call_pre): ...this.
2259 (class kf_fread): New, adding checks on the argument types.
2260 (region_model::impl_call_fread): Convert to...
2261 (kf_fread::impl_call_pre): ...this.
2262 (class kf_free): New, adding check that the argument is a pointer.
2263 (region_model::impl_call_free): Convert to...
2264 (kf_free::impl_call_post): ...this.
2265 (class kf_getchar): New.
2266 (class kf_malloc): New, adding check that the argument is a
2267 size_t.
2268 (region_model::impl_call_malloc): Convert to...
2269 (kf_malloc::impl_call_pre): ...this.
2270 (class kf_memcpy): New, adding checks on arguments.
2271 (region_model::impl_call_memcpy): Convert to...
2272 (kf_memcpy::impl_call_pre): ...this.
2273 (class kf_memset): New.
2274 (region_model::impl_call_memset): Convert to...
2275 (kf_memset::impl_call_pre): ...this.
2276 (kf_pipe::matches_call_types_p): Rewrite check to use
2277 call_details::arg_is_pointer_p.
2278 (kf_putenv::matches_call_types_p): Likewise.
2279 (class kf_realloc): New, adding checks on the argument types.
2280 (region_model::impl_call_realloc): Convert to...
2281 (kf_realloc::impl_call_post): ...this.
2282 (class kf_strchr): New.
2283 (region_model::impl_call_strchr): Convert to...
2284 (kf_strchr::impl_call_post): ...this.
2285 (class kf_stack_restore): New.
2286 (class kf_stack_save): New.
2287 (class kf_stdio_output_fn): New.
2288 (class kf_strcpy): New,
2289 (region_model::impl_call_strcpy): Convert to...
2290 (kf_strcpy::impl_call_pre): ...this.
2291 (class kf_strlen): New.
2292 (region_model::impl_call_strlen): Convert to...
2293 (kf_strlen::impl_call_pre): ...this.
2294 (class kf_ubsan_bounds): New.
2295 (region_model::impl_deallocation_call): Reimplement to avoid call
2296 to impl_call_free.
2297 (register_known_functions): Add handlers for IFN_BUILTIN_EXPECT
2298 and IFN_UBSAN_BOUNDS. Add handlers for BUILT_IN_ALLOCA,
2299 BUILT_IN_ALLOCA_WITH_ALIGN, BUILT_IN_CALLOC, BUILT_IN_EXPECT,
2300 BUILT_IN_EXPECT_WITH_PROBABILITY, BUILT_IN_FPRINTF,
2301 BUILT_IN_FPRINTF_UNLOCKED, BUILT_IN_FPUTC,
2302 BUILT_IN_FPUTC_UNLOCKED, BUILT_IN_FPUTS, BUILT_IN_FPUTS_UNLOCKED,
2303 BUILT_IN_FREE, BUILT_IN_FWRITE, BUILT_IN_FWRITE_UNLOCKED,
2304 BUILT_IN_MALLOC, BUILT_IN_MEMCPY, BUILT_IN_MEMCPY_CHK,
2305 BUILT_IN_MEMSET, BUILT_IN_MEMSET_CHK, BUILT_IN_PRINTF,
2306 BUILT_IN_PRINTF_UNLOCKED, BUILT_IN_PUTC, BUILT_IN_PUTCHAR,
2307 BUILT_IN_PUTCHAR_UNLOCKED, BUILT_IN_PUTC_UNLOCKED, BUILT_IN_PUTS,
2308 BUILT_IN_PUTS_UNLOCKED, BUILT_IN_REALLOC, BUILT_IN_STACK_RESTORE,
2309 BUILT_IN_STACK_SAVE, BUILT_IN_STRCHR, BUILT_IN_STRCPY,
2310 BUILT_IN_STRCPY_CHK, BUILT_IN_STRLEN, BUILT_IN_VFPRINTF, and
2311 BUILT_IN_VPRINTF. Call register_varargs_builtins. Add handlers
2312 for "getchar", "memset", "fgets", "fgets_unlocked", "fread",
2313 "error", and "error_at_line".
2314 * region-model.cc (region_model::on_stmt_pre): Drop
2315 "out_terminate_path" param.
2316 (region_model::get_known_function): Reimplement by calling
2317 known_function_manager::get_match, passing new "cd" param.
2318 Add overload taking enum internal_fn.
2319 (region_model::on_call_pre): Drop "out_terminate_path" param.
2320 Remove special-case handling of internal fns IFN_BUILTIN_EXPECT,
2321 IFN_UBSAN_BOUNDS, and IFN_VA_ARG, of built-in fns BUILT_IN_ALLOCA,
2322 BUILT_IN_ALLOCA_WITH_ALIGN, BUILT_IN_CALLOC, BUILT_IN_EXPECT,
2323 BUILT_IN_EXPECT_WITH_PROBABILITY, BUILT_IN_FREE, BUILT_IN_MALLOC,
2324 BUILT_IN_MEMCPY, BUILT_IN_MEMCPY_CHK, BUILT_IN_MEMSET,
2325 BUILT_IN_MEMSET_CHK, BUILT_IN_REALLOC, BUILT_IN_STRCHR,
2326 BUILT_IN_STRCPY, BUILT_IN_STRCPY_CHK, BUILT_IN_STRLEN,
2327 BUILT_IN_STACK_SAVE, BUILT_IN_STACK_RESTORE, BUILT_IN_FPRINTF,
2328 BUILT_IN_FPRINTF_UNLOCKED, BUILT_IN_PUTC, BUILT_IN_PUTC_UNLOCKED,
2329 BUILT_IN_FPUTC, BUILT_IN_FPUTC_UNLOCKED, BUILT_IN_FPUTS,
2330 BUILT_IN_FPUTS_UNLOCKED, BUILT_IN_FWRITE,
2331 BUILT_IN_FWRITE_UNLOCKED, BUILT_IN_PRINTF,
2332 BUILT_IN_PRINTF_UNLOCKED, BUILT_IN_PUTCHAR,
2333 BUILT_IN_PUTCHAR_UNLOCKED, BUILT_IN_PUTS, BUILT_IN_PUTS_UNLOCKED,
2334 BUILT_IN_VFPRINTF, BUILT_IN_VPRINTF, BUILT_IN_VA_START, and
2335 BUILT_IN_VA_COPY, and of named functions "malloc", "calloc",
2336 "alloca", "realloc", "error", "error_at_line", "fgets",
2337 "fgets_unlocked", "fread", "getchar", "memset", "strchr", and
2338 "strlen". Replace all this special-casing with calls to
2339 get_known_function for internal fns and for fn decls.
2340 (region_model::on_call_post): Remove special-casing handling for
2341 "free" and "strchr", and for BUILT_IN_REALLOC, BUILT_IN_STRCHR,
2342 and BUILT_IN_VA_END. Replace by consolidating on usage of
2343 get_known_function.
2344 * region-model.h (call_details::arg_is_size_p): New.
2345 (region_model::on_stmt_pre): Drop "out_terminate_path" param.
2346 (region_model::on_call_pre): Likewise.
2347 (region_model::impl_call_alloca): Delete.
2348 (region_model::impl_call_builtin_expect): Delete.
2349 (region_model::impl_call_calloc): Delete.
2350 (region_model::impl_call_error): Delete.
2351 (region_model::impl_call_fgets): Delete.
2352 (region_model::impl_call_fread): Delete.
2353 (region_model::impl_call_free): Delete.
2354 (region_model::impl_call_malloc): Delete.
2355 (region_model::impl_call_memcpy): Delete.
2356 (region_model::impl_call_memset): Delete.
2357 (region_model::impl_call_realloc): Delete.
2358 (region_model::impl_call_strchr): Delete.
2359 (region_model::impl_call_strcpy): Delete.
2360 (region_model::impl_call_strlen): Delete.
2361 (region_model::impl_call_va_start): Delete.
2362 (region_model::impl_call_va_copy): Delete.
2363 (region_model::impl_call_va_arg): Delete.
2364 (region_model::impl_call_va_end): Delete.
2365 (region_model::check_region_for_write): Public.
2366 (region_model::get_known_function): Add "cd" param. Add
2367 overloaded decl taking enum internal_fn.
2368 * sm-malloc.cc: Update comments.
2369 * varargs.cc (class kf_va_start): New.
2370 (region_model::impl_call_va_start): Convert to...
2371 (kf_va_start::impl_call_pre): ...this.
2372 (class kf_va_copy): New.
2373 (region_model::impl_call_va_copy): Convert to...
2374 (kf_va_copy::impl_call_pre): ...this.
2375 (class kf_va_arg): New.
2376 (region_model::impl_call_va_arg): Convert to...
2377 (kf_va_arg::impl_call_pre): ...this.
2378 (class kf_va_end): New.
2379 (region_model::impl_call_va_end): Delete.
2380 (register_varargs_builtins): New.
2381
8b7fee1d
GA		 23822022-11-22 David Malcolm <dmalcolm@redhat.com>
2383
2384 PR analyzer/107788
2385 * region-model.cc (region_model::update_for_int_cst_return):
2386 Require that the return type be an integer type.
2387 (region_model::update_for_nonzero_return): Likewise.
2388
23892022-11-22 David Malcolm <dmalcolm@redhat.com>
2390
2391 PR analyzer/107783
2392 * region-model-impl-calls.cc (kf_accept::matches_call_types_p):
2393 Require that args 1 and 2 be pointers.
2394 (kf_bind::matches_call_types_p): Require that arg 1 be a pointer.
2395 * region-model.h (call_details::arg_is_pointer_p): New
2396
23972022-11-22 David Malcolm <dmalcolm@redhat.com>
2398
2399 PR analyzer/107777
2400 * call-summary.cc
2401 (call_summary_replay::convert_region_from_summary_1): Handle
2402 RK_THREAD_LOCAL and RK_ERRNO in switch.
2403 * region-model.cc (region_model::get_representative_path_var_1):
2404 Likewise.
2405
fb98ede8
GA		 24062022-11-19 David Malcolm <dmalcolm@redhat.com>
2407
2408 PR analyzer/107582
2409 * engine.cc (dynamic_call_info_t::update_model): Update the model
2410 by pushing or pop a frame, rather than by clobbering it with the
2411 model from the exploded_node's state.
2412
24132022-11-18 David Malcolm <dmalcolm@redhat.com>
2414
2415 * analyzer.cc (is_pipe_call_p): Delete.
2416 * analyzer.h (is_pipe_call_p): Delete.
2417 * region-model-impl-calls.cc (call_details::get_location): New.
2418 (class kf_analyzer_break): New, adapted from
2419 region_model::on_stmt_pre.
2420 (region_model::impl_call_analyzer_describe): Convert to...
2421 (class kf_analyzer_describe): ...this.
2422 (region_model::impl_call_analyzer_dump_capacity): Convert to...
2423 (class kf_analyzer_dump_capacity): ...this.
2424 (region_model::impl_call_analyzer_dump_escaped): Convert to...
2425 (class kf_analyzer_dump_escaped): ...this.
2426 (class kf_analyzer_dump_exploded_nodes): New.
2427 (region_model::impl_call_analyzer_dump_named_constant): Convert
2428 to...
2429 (class kf_analyzer_dump_named_constant): ...this.
2430 (class dump_path_diagnostic): Move here from region-model.cc.
2431 (class kf_analyzer_dump_path) New, adapted from
2432 region_model::on_stmt_pre.
2433 (class kf_analyzer_dump_region_model): Likewise.
2434 (region_model::impl_call_analyzer_eval): Convert to...
2435 (class kf_analyzer_eval): ...this.
2436 (region_model::impl_call_analyzer_get_unknown_ptr): Convert to...
2437 (class kf_analyzer_get_unknown_ptr): ...this.
2438 (class known_function_accept): Rename to...
2439 (class kf_accept): ...this.
2440 (class known_function_bind): Rename to...
2441 (class kf_bind): ...this.
2442 (class known_function_connect): Rename to...
2443 (class kf_connect): ...this.
2444 (region_model::impl_call_errno_location): Convert to...
2445 (class kf_errno_location): ...this.
2446 (class known_function_listen): Rename to...
2447 (class kf_listen): ...this.
2448 (region_model::impl_call_pipe): Convert to...
2449 (class kf_pipe): ...this.
2450 (region_model::impl_call_putenv): Convert to...
2451 (class kf_putenv): ...this.
2452 (region_model::impl_call_operator_new): Convert to...
2453 (class kf_operator_new): ...this.
2454 (region_model::impl_call_operator_delete): Convert to...
2455 (class kf_operator_delete): ...this.
2456 (class known_function_socket): Rename to...
2457 (class kf_socket): ...this.
2458 (register_known_functions): Rename param to KFM. Break out
2459 existing known functions into a "POSIX" section, and add "pipe",
2460 "pipe2", and "putenv". Add debugging functions
2461 "__analyzer_break", "__analyzer_describe",
2462 "__analyzer_dump_capacity", "__analyzer_dump_escaped",
2463 "__analyzer_dump_exploded_nodes",
2464 "__analyzer_dump_named_constant", "__analyzer_dump_path",
2465 "__analyzer_dump_region_model", "__analyzer_eval",
2466 "__analyzer_get_unknown_ptr". Add C++ support functions
2467 "operator new", "operator new []", "operator delete", and
2468 "operator delete []".
2469 * region-model.cc (class dump_path_diagnostic): Move to
2470 region-model-impl-calls.cc.
2471 (region_model::on_stmt_pre): Eliminate special-casing of
2472 "__analyzer_describe", "__analyzer_dump_capacity",
2473 "__analyzer_dump_escaped", "__analyzer_dump_named_constant",
2474 "__analyzer_dump_path", "__analyzer_dump_region_model",
2475 "__analyzer_eval", "__analyzer_break",
2476 "__analyzer_dump_exploded_nodes", "__analyzer_get_unknown_ptr",
2477 "__errno_location", "pipe", "pipe2", "putenv", "operator new",
2478 "operator new []", "operator delete", "operator delete []"
2479 "pipe" and "pipe2", handling them instead via the known_functions
2480 mechanism.
2481 * region-model.h (call_details::get_location): New decl.
2482 (region_model::impl_call_analyzer_describe): Delete decl.
2483 (region_model::impl_call_analyzer_dump_capacity): Delete decl.
2484 (region_model::impl_call_analyzer_dump_escaped): Delete decl.
2485 (region_model::impl_call_analyzer_dump_named_constant): Delete decl.
2486 (region_model::impl_call_analyzer_eval): Delete decl.
2487 (region_model::impl_call_analyzer_get_unknown_ptr): Delete decl.
2488 (region_model::impl_call_errno_location): Delete decl.
2489 (region_model::impl_call_pipe): Delete decl.
2490 (region_model::impl_call_putenv): Delete decl.
2491 (region_model::impl_call_operator_new): Delete decl.
2492 (region_model::impl_call_operator_delete): Delete decl.
2493 * sm-fd.cc: Update comments.
2494
80909529
GA		 24952022-11-16 David Malcolm <dmalcolm@redhat.com>
2496
2497 PR analyzer/107711
2498 * analyzer-language.cc: Include "diagnostic.h".
2499 (maybe_stash_named_constant): Add logger param and use it to log
2500 the name being looked up, and the result.
2501 (stash_named_constants): New, splitting out from...
2502 (on_finish_translation_unit): ...this function. Call
2503 get_or_create_logfile and use the result to create a logger
2504 instance, passing it to stash_named_constants.
2505 * analyzer.h (get_or_create_any_logfile): New decl.
2506 * engine.cc (dump_fout, owns_dump_fout): New globals, split out
2507 from run_checkers.
2508 (get_or_create_any_logfile): New function, split out from...
2509 (run_checkers): ...here, so that the logfile can be opened by
2510 on_finish_translation_unit. Clear the globals when closing the
2511 dump file.
2512
25132022-11-16 David Malcolm <dmalcolm@redhat.com>
2514
2515 * analyzer.h (known_function::matches_call_types_p): New vfunc.
2516 (known_function::impl_call_pre): Provide base implementation.
2517 (known_function::impl_call_post): New vfunc.
2518 (register_known_functions): New.
2519 * engine.cc (impl_run_checkers): Call register_known_functions.
2520 * region-model-impl-calls.cc (region_model::impl_call_accept):
2521 Convert to...
2522 (class known_function_accept): ...this.
2523 (region_model::impl_call_bind): Convert to...
2524 (class known_function_bind): ...this.
2525 (region_model::impl_call_connect): Convert to...
2526 (class known_function_connect): ...this.
2527 (region_model::impl_call_listen): Convert to...
2528 (class known_function_listen): ...this.
2529 (region_model::impl_call_socket): Convert to...
2530 (class known_function_socket): ...this.
2531 (register_known_functions): New.
2532 * region-model.cc (region_model::on_call_pre): Remove special
2533 case for "bind" in favor of the known_function-handling dispatch.
2534 Add call to known_function::matches_call_types_p to latter.
2535 (region_model::on_call_post): Remove special cases for "accept",
2536 "bind", "connect", "listen", and "socket" in favor of dispatch
2537 to known_function::impl_call_post.
2538 * region-model.h (region_model::impl_call_accept): Delete decl.
2539 (region_model::impl_call_bind): Delete decl.
2540 (region_model::impl_call_connect): Delete decl.
2541 (region_model::impl_call_listen): Delete decl.
2542 (region_model::impl_call_socket): Delete decl.
2543 * sm-fd.cc: Update comments.
2544
25452022-11-16 David Malcolm <dmalcolm@redhat.com>
2546
2547 * checker-event.cc: New file, split out from...
2548 * checker-path.cc: ...this file.
2549
cdc34229
GA		 25502022-11-15 David Malcolm <dmalcolm@redhat.com>
2551
2552 PR analyzer/106140
2553 * analyzer-language.cc (on_finish_translation_unit): Stash named
2554 constants "SOCK_STREAM" and "SOCK_DGRAM".
2555 * analyzer.opt (Wanalyzer-fd-phase-mismatch): New.
2556 (Wanalyzer-fd-type-mismatch): New.
2557 * engine.cc (impl_region_model_context::get_state_map_by_name):
2558 Add "out_sm_context" param. Allow out_sm_idx to be NULL.
2559 * exploded-graph.h
2560 (impl_region_model_context::get_state_map_by_name):
2561 Add "out_sm_context" param.
2562 * region-model-impl-calls.cc (region_model::impl_call_accept): New.
2563 (region_model::impl_call_bind): New.
2564 (region_model::impl_call_connect): New.
2565 (region_model::impl_call_listen): New.
2566 (region_model::impl_call_socket): New.
2567 * region-model.cc (region_model::on_call_pre): Special-case
2568 "bind".
2569 (region_model::on_call_post): Special-case "accept", "bind",
2570 "connect", "listen", and "socket".
2571 * region-model.h (region_model::impl_call_accept): New decl.
2572 (region_model::impl_call_bind): New decl.
2573 (region_model::impl_call_connect): New decl.
2574 (region_model::impl_call_listen): New decl.
2575 (region_model::impl_call_socket): New decl.
2576 (region_model::on_socket): New decl.
2577 (region_model::on_bind): New decl.
2578 (region_model::on_listen): New decl.
2579 (region_model::on_accept): New decl.
2580 (region_model::on_connect): New decl.
2581 (region_model::add_constraint): Make public.
2582 (region_model::check_for_poison): Make public.
2583 (region_model_context::get_state_map_by_name): Add out_sm_context param.
2584 (region_model_context::get_fd_map): Likewise.
2585 (region_model_context::get_malloc_map): Likewise.
2586 (region_model_context::get_taint_map): Likewise.
2587 (noop_region_model_context::get_state_map_by_name): Likewise.
2588 (region_model_context_decorator::get_state_map_by_name): Likewise.
2589 * sm-fd.cc: Include "analyzer/supergraph.h" and
2590 "analyzer/analyzer-language.h".
2591 (enum expected_phase): New enum.
2592 (fd_state_machine::m_new_datagram_socket): New.
2593 (fd_state_machine::m_new_stream_socket): New.
2594 (fd_state_machine::m_new_unknown_socket): New.
2595 (fd_state_machine::m_bound_datagram_socket): New.
2596 (fd_state_machine::m_bound_stream_socket): New.
2597 (fd_state_machine::m_bound_unknown_socket): New.
2598 (fd_state_machine::m_listening_stream_socket): New.
2599 (fd_state_machine::m_m_connected_stream_socket): New.
2600 (fd_state_machine::m_SOCK_STREAM): New.
2601 (fd_state_machine::m_SOCK_DGRAM): New.
2602 (fd_diagnostic::describe_state_change): Handle socket states.
2603 (fd_diagnostic::get_meaning_for_state_change): Likewise.
2604 (class fd_phase_mismatch): New.
2605 (enum expected_type): New enum.
2606 (class fd_type_mismatch): New.
2607 (fd_state_machine::fd_state_machine): Initialize new states and
2608 stashed named constants.
2609 (fd_state_machine::is_socket_fd_p): New.
2610 (fd_state_machine::is_datagram_socket_fd_p): New.
2611 (fd_state_machine::is_stream_socket_fd_p): New.
2612 (fd_state_machine::on_close): Handle the socket states.
2613 (fd_state_machine::check_for_open_fd): Complain about fncalls on
2614 sockets in the wrong phase. Support socket FDs.
2615 (add_constraint_ge_zero): New.
2616 (fd_state_machine::get_state_for_socket_type): New.
2617 (fd_state_machine::on_socket): New.
2618 (fd_state_machine::check_for_socket_fd): New.
2619 (fd_state_machine::check_for_new_socket_fd): New.
2620 (fd_state_machine::on_bind): New.
2621 (fd_state_machine::on_listen): New.
2622 (fd_state_machine::on_accept): New.
2623 (fd_state_machine::on_connect): New.
2624 (fd_state_machine::can_purge_p): Don't purge socket values.
2625 (get_fd_state): New.
2626 (region_model::mark_as_valid_fd): Use get_fd_state.
2627 (region_model::on_socket): New.
2628 (region_model::on_bind): New.
2629 (region_model::on_listen): New.
2630 (region_model::on_accept): New.
2631 (region_model::on_connect): New.
2632 * sm-fd.dot: Update to reflect sm-fd.cc changes.
2633
26342022-11-15 David Malcolm <dmalcolm@redhat.com>
2635
2636 PR analyzer/106302
2637 * analyzer-language.cc: New file.
2638 * analyzer-language.h: New file.
2639 * analyzer.h (get_stashed_constant_by_name): New decl.
2640 (log_stashed_constants): New decl.
2641 * engine.cc (impl_run_checkers): Call log_stashed_constants.
2642 * region-model-impl-calls.cc
2643 (region_model::impl_call_analyzer_dump_named_constant): New.
2644 * region-model.cc (region_model::on_stmt_pre): Handle
2645 __analyzer_dump_named_constant.
2646 * region-model.h
2647 (region_model::impl_call_analyzer_dump_named_constant): New decl.
2648 * sm-fd.cc (fd_state_machine::m_O_ACCMODE): New.
2649 (fd_state_machine::m_O_RDONLY): New.
2650 (fd_state_machine::m_O_WRONLY): New.
2651 (fd_state_machine::fd_state_machine): Initialize the new fields.
2652 (fd_state_machine::get_access_mode_from_flag): Use the new fields,
2653 rather than using the host values.
2654
eefbfbc7
GA		 26552022-11-13 David Malcolm <dmalcolm@redhat.com>
2656
2657 PR analyzer/106235
2658 * analyzer.opt (Wanalyzer-tainted-assertion): New.
2659 * checker-path.cc (checker_path::fixup_locations): Pass false to
2660 pending_diagnostic::fixup_location.
2661 * diagnostic-manager.cc (get_emission_location): Pass true to
2662 pending_diagnostic::fixup_location.
2663 * pending-diagnostic.cc (pending_diagnostic::fixup_location): Add
2664 bool param.
2665 * pending-diagnostic.h (pending_diagnostic::fixup_location): Add
2666 bool param to decl.
2667 * sm-taint.cc (taint_state_machine::m_tainted_control_flow): New.
2668 (taint_diagnostic::describe_state_change): Drop "final".
2669 (class tainted_assertion): New.
2670 (taint_state_machine::taint_state_machine): Initialize
2671 m_tainted_control_flow.
2672 (taint_state_machine::alt_get_inherited_state): Support
2673 comparisons being tainted, based on their arguments.
2674 (is_assertion_failure_handler_p): New.
2675 (taint_state_machine::on_stmt): Complain about calls to assertion
2676 failure handlers guarded by an attacker-controller conditional.
2677 Detect attacker-controlled gcond conditionals and gswitch index
2678 values.
2679 (taint_state_machine::check_control_flow_arg_for_taint): New.
2680
5b6ce16a
GA		 26812022-11-11 David Malcolm <dmalcolm@redhat.com>
2682
2683 * sm-fd.dot: Fix typo in comment.
2684 * sm-file.dot: New file.
2685 * varargs.cc: Fix typo in comment.
2686 * varargs.dot: New file.
2687
26882022-11-11 David Malcolm <dmalcolm@redhat.com>
2689
2690 * checker-path.h: Split out checker_event and its subclasses to...
2691 * checker-event.h: ...this new header.
2692
26932022-11-11 David Malcolm <dmalcolm@redhat.com>
2694
2695 PR analyzer/106147
2696 * analyzer.opt (Wanalyzer-infinite-recursion): New.
2697 * call-string.cc (call_string::count_occurrences_of_function):
2698 New.
2699 * call-string.h (call_string::count_occurrences_of_function): New
2700 decl.
2701 * checker-path.cc (function_entry_event::function_entry_event):
2702 New ctor.
2703 (checker_path::add_final_event): Delete.
2704 * checker-path.h (function_entry_event::function_entry_event): New
2705 ctor.
2706 (function_entry_event::get_desc): Drop "final".
2707 (checker_path::add_final_event): Delete.
2708 * diagnostic-manager.cc
2709 (diagnostic_manager::emit_saved_diagnostic): Create the final
2710 event via a new pending_diagnostic::add_final_event vfunc, rather
2711 than checker_path::add_final_event.
2712 (diagnostic_manager::add_events_for_eedge): Create function entry
2713 events via a new pending_diagnostic::add_function_entry_event
2714 vfunc.
2715 * engine.cc (exploded_graph::process_node): When creating a new
2716 PK_BEFORE_SUPERNODE node, call
2717 exploded_graph::detect_infinite_recursion on it after adding the
2718 in-edge.
2719 * exploded-graph.h (exploded_graph::detect_infinite_recursion):
2720 New decl.
2721 (exploded_graph::find_previous_entry_to): New decl.
2722 * infinite-recursion.cc: New file.
2723 * pending-diagnostic.cc
2724 (pending_diagnostic::add_function_entry_event): New.
2725 (pending_diagnostic::add_final_event): New.
2726 * pending-diagnostic.h
2727 (pending_diagnostic::add_function_entry_event): New vfunc.
2728 (pending_diagnostic::add_final_event): New vfunc.
2729
f225b813
GA		 27302022-11-10 David Malcolm <dmalcolm@redhat.com>
2731
2732 PR analyzer/99671
2733 * analyzer.opt (Wanalyzer-deref-before-check): New warning.
2734 * diagnostic-manager.cc
2735 (null_assignment_sm_context::set_next_state): Only add state
2736 change events for transition to "null" state.
2737 (null_assignment_sm_context::is_transition_to_null): New.
2738 * engine.cc (impl_region_model_context::on_pop_frame): New.
2739 * exploded-graph.h (impl_region_model_context::on_pop_frame): New
2740 decl.
2741 * program-state.cc (sm_state_map::clear_any_state): New.
2742 (sm_state_map::can_merge_with_p): New.
2743 (program_state::can_merge_with_p): Replace requirement that
2744 sm-states be equal in favor of an attempt to merge them.
2745 * program-state.h (sm_state_map::clear_any_state): New decl.
2746 (sm_state_map::can_merge_with_p): New decl.
2747 * region-model.cc (region_model::eval_condition): Make const.
2748 (region_model::pop_frame): Call ctxt->on_pop_frame.
2749 * region-model.h (region_model::eval_condition): Make const.
2750 (region_model_context::on_pop_frame): New vfunc.
2751 (noop_region_model_context::on_pop_frame): New.
2752 (region_model_context_decorator::on_pop_frame): New.
2753 * sm-malloc.cc (enum resource_state): Add RS_ASSUMED_NON_NULL.
2754 (allocation_state::dump_to_pp): Drop "final".
2755 (struct assumed_non_null_state): New subclass.
2756 (malloc_state_machine::m_assumed_non_null): New.
2757 (assumed_non_null_p): New.
2758 (class deref_before_check): New.
2759 (assumed_non_null_state::dump_to_pp): New.
2760 (malloc_state_machine::get_or_create_assumed_non_null_state_for_frame):
2761 New.
2762 (malloc_state_machine::maybe_assume_non_null): New.
2763 (malloc_state_machine::on_stmt): Transition from start state to
2764 "assumed-non-null" state for pointers passed to
2765 __attribute__((nonnull)) arguments, and for pointers explicitly
2766 dereferenced. Call maybe_complain_about_deref_before_check for
2767 pointers explicitly compared against NULL.
2768 (malloc_state_machine::maybe_complain_about_deref_before_check):
2769 New.
2770 (malloc_state_machine::on_deallocator_call): Also transition
2771 "assumed-non-null" states to "freed".
2772 (malloc_state_machine::on_pop_frame): New.
2773 (malloc_state_machine::maybe_get_merged_states_nonequal): New.
2774 * sm-malloc.dot: Update for changes to sm-malloc.cc.
2775 * sm.h (state_machine::on_pop_frame): New.
2776 (state_machine::maybe_get_merged_state): New.
2777 (state_machine::maybe_get_merged_states_nonequal): New.
2778
1cdfd0e5
GA		 27792022-11-09 David Malcolm <dmalcolm@redhat.com>
2780
2781 * checker-path.cc (checker_event::debug): New.
2782 (checker_path::add_event): Move here from checker-path.h. Add
2783 logging.
2784 * checker-path.h (checker_event::debug): New decl.
2785 (checker_path::checker_path): Add logger param.
2786 (checker_path::add_event): Move definition from here to
2787 checker-path.cc.
2788 (checker_path::m_logger): New field.
2789 * diagnostic-manager.cc
2790 (diagnostic_manager::emit_saved_diagnostic): Pass logger to
2791 checker_path ctor.
2792 (diagnostic_manager::add_events_for_eedge): Log scope when
2793 processing a run of stmts.
2794
69023a9f
GA		 27952022-11-08 David Malcolm <dmalcolm@redhat.com>
2796
2797 PR analyzer/101962
2798 * region-model-impl-calls.cc: Update comment.
2799 * region-model.cc (region_model::check_symbolic_bounds): Fix
2800 layout of "void" return. Replace usage of
2801 eval_condition_without_cm with eval_condition.
2802 (region_model::eval_condition): Take over body of...
2803 (region_model::eval_condition_without_cm): ...this subroutine,
2804 dropping the latter. Eliminating this distinction avoids issues
2805 where constraints were not considered when recursing.
2806 (region_model::compare_initial_and_pointer): Update comment.
2807 (region_model::symbolic_greater_than): Replace usage of
2808 eval_condition_without_cm with eval_condition.
2809 * region-model.h
2810 (region_model::eval_condition_without_cm): Delete decl.
2811
28122022-11-08 David Malcolm <dmalcolm@redhat.com>
2813
2814 * region-model-impl-calls.cc
2815 (region_model::impl_call_errno_location): New.
2816 * region-model-manager.cc
2817 (region_model_manager::region_model_manager): Initialize
2818 m_thread_local_region and m_errno_region.
2819 * region-model-manager.h (region_model_manager::get_errno_region):
2820 New accessor.
2821 (region_model_manager::m_thread_local_region): New.
2822 (region_model_manager::m_errno_region): New.
2823 * region-model.cc (region_model::on_call_pre): Special-case
2824 "__errno_location".
2825 (region_model::set_errno): New.
2826 * region-model.h (impl_call_errno_location): New decl.
2827 (region_model::set_errno): New decl.
2828 * region.cc (thread_local_region::dump_to_pp): New.
2829 (errno_region::dump_to_pp): New.
2830 * region.h (enum memory_space): Add MEMSPACE_THREAD_LOCAL.
2831 (enum region_kind): Add RK_THREAD_LOCAL and RK_ERRNO.
2832 (class thread_local_region): New.
2833 (is_a_helper <const thread_local_region *>::test): New.
2834 (class errno_region): New.
2835 (is_a_helper <const errno_region *>::test): New.
2836 * store.cc (binding_cluster::escaped_p): New.
2837 (store::escaped_p): Treat errno as always having escaped.
2838 (store::replay_call_summary_cluster): Handle RK_THREAD_LOCAL and
2839 RK_ERRNO.
2840 * store.h (binding_cluster::escaped_p): Remove definition.
2841
28422022-11-08 David Malcolm <dmalcolm@redhat.com>
2843
2844 * call-info.cc (success_call_info::get_desc): Delete.
2845 (failed_call_info::get_desc): Likewise.
2846 (succeed_or_fail_call_info::get_desc): New.
2847 * call-info.h (class succeed_or_fail_call_info): New.
2848 (class success_call_info): Convert to a subclass of
2849 succeed_or_fail_call_info.
2850 (class failed_call_info): Likewise.
2851
28522022-11-08 David Malcolm <dmalcolm@redhat.com>
2853
2854 * region-model-impl-calls.cc (region_model::impl_call_strchr):
2855 Move to on_call_post. Handle both outcomes using bifurcation,
2856 rather than just the "not found" case.
2857 * region-model.cc (region_model::on_call_pre): Move
2858 BUILT_IN_STRCHR and "strchr" to...
2859 (region_model::on_call_post): ...here.
2860
d29260ce
GA		 28612022-11-03 David Malcolm <dmalcolm@redhat.com>
2862
2863 * analyzer.h: Use std::unique_ptr for state machines from plugins.
2864 * engine.cc: Likewise.
2865
28662022-11-03 David Malcolm <dmalcolm@redhat.com>
2867
2868 * analyzer.h: Use std::unique_ptr for known functions.
2869 * engine.cc: Likewise.
2870 * known-function-manager.cc: Likewise.
2871 * known-function-manager.h: Likewise.
2872
28732022-11-03 David Malcolm <dmalcolm@redhat.com>
2874
2875 * analysis-plan.cc: Define INCLUDE_MEMORY before including
2876 system.h.
2877 * analyzer-pass.cc: Likewise.
2878 * analyzer-selftests.cc: Likewise.
2879 * analyzer.cc: Likewise.
2880 * analyzer.h: Use std::unique_ptr in bifurcation code.
2881 * call-string.cc: Define INCLUDE_MEMORY before including system.h.
2882 * complexity.cc: Likewise.
2883 * engine.cc: Use std::unique_ptr in bifurcation code.
2884 * exploded-graph.h: Likewise.
2885 * known-function-manager.cc: Define INCLUDE_MEMORY before
2886 including system.h.
2887 * region-model-impl-calls.cc: Use std::unique_ptr in bifurcation
2888 code.
2889 * region-model.cc: Likewise.
2890 * region-model.h: Likewise.
2891 * supergraph.cc: Define INCLUDE_MEMORY before including system.h.
2892
28932022-11-03 David Malcolm <dmalcolm@redhat.com>
2894
2895 * call-info.cc: Use std::unique_ptr for checker_event.
2896 * checker-path.cc: Likewise.
2897 * checker-path.h: Likewise.
2898 * diagnostic-manager.cc: Likewise.
2899 * engine.cc: Likewise.
2900 * pending-diagnostic.cc: Likewise.
2901 * sm-signal.cc: Likewise.
2902 * varargs.cc: Likewise.
2903
29042022-11-03 David Malcolm <dmalcolm@redhat.com>
2905
2906 * diagnostic-manager.cc: Include "make-unique.h".
2907 Use std::unique_ptr for feasibility_problems and exploded_path.
2908 Delete explicit saved_diagnostic dtor.
2909 * diagnostic-manager.h: Likewise.
2910 * engine.cc: Likewise.
2911 * exploded-graph.h: Likewise.
2912 * feasible-graph.cc: Likewise.
2913 * feasible-graph.h: Likewise.
2914
29152022-11-03 David Malcolm <dmalcolm@redhat.com>
2916
2917 * checker-path.cc (rewind_event::rewind_event): Update for usage of
2918 std::unique_ptr on custom_edge_info.
2919 * engine.cc (exploded_node::on_longjmp): Likewise.
2920 (exploded_edge::exploded_edge): Likewise.
2921 (exploded_edge::~exploded_edge): Delete.
2922 (exploded_graph::add_function_entry): Update for usage of
2923 std::unique_ptr on custom_edge_info.
2924 (exploded_graph::add_edge): Likewise.
2925 (add_tainted_args_callback): Likewise.
2926 (exploded_graph::maybe_create_dynamic_call): Likewise.
2927 (exploded_graph::process_node): Likewise.
2928 * exploded-graph.h (exploded_edge::~exploded_edge): Delete.
2929 (exploded_edge::m_custom_info): Use std::unique_ptr.
2930 (exploded_edge::add_edge): Likewise.
2931 * sm-signal.cc (register_signal_handler::impl_transition): Use
2932 make_unique.
2933
29342022-11-03 David Malcolm <dmalcolm@redhat.com>
2935
2936 * diagnostic-manager.cc (saved_diagnostic::saved_diagnostic): Make
2937 stmt_finder const.
2938 (saved_diagnostic::~saved_diagnostic): Remove explicit delete of
2939 m_stmt_finder.
2940 (diagnostic_manager::add_diagnostic): Make stmt_finder const.
2941 * diagnostic-manager.h (saved_diagnostic::saved_diagnostic):
2942 Likewise.
2943 (saved_diagnostic::m_stmt_finder): Convert to std::unique_ptr.
2944 (diagnostic_manager::add_diagnostic): Make stmt_finder const.
2945 * engine.cc (impl_sm_context::impl_sm_context): Likewise.
2946 (impl_sm_context::m_stmt_finder): Likewise.
2947 (leak_stmt_finder::clone): Convert return type to std::unique_ptr.
2948 * exploded-graph.h (stmt_finder::clone): Likewise.
2949
29502022-11-03 David Malcolm <dmalcolm@redhat.com>
2951
2952 * call-info.cc: Add define of INCLUDE_MEMORY.
2953 * call-summary.cc: Likewise.
2954 * checker-path.cc: Likewise.
2955 * constraint-manager.cc: Likewise.
2956 * diagnostic-manager.cc: Likewise.
2957 (saved_diagnostic::saved_diagnostic): Use std::unique_ptr for
2958 param d and field m_d.
2959 (saved_diagnostic::~saved_diagnostic): Remove explicit delete of m_d.
2960 (saved_diagnostic::add_note): Use std::unique_ptr for
2961 param pn.
2962 (saved_diagnostic::get_pending_diagnostic): Update for conversion
2963 of m_sd.m_d to unique_ptr.
2964 (diagnostic_manager::add_diagnostic): Use std::unique_ptr for
2965 param d. Remove explicit deletion.
2966 (diagnostic_manager::add_note): Use std::unique_ptr for param pn.
2967 (diagnostic_manager::emit_saved_diagnostic): Update for conversion
2968 of m_sd.m_d to unique_ptr.
2969 (null_assignment_sm_context::warn): Use std::unique_ptr for
2970 param d. Remove explicit deletion.
2971 * diagnostic-manager.h (saved_diagnostic::saved_diagnostic): Use
2972 std::unique_ptr for param d.
2973 (saved_diagnostic::add_note): Likewise for param pn.
2974 (saved_diagnostic::m_d): Likewise.
2975 (diagnostic_manager::add_diagnostic): Use std::unique_ptr for
2976 param d.
2977 (diagnostic_manager::add_note): Use std::unique_ptr for param pn.
2978 * engine.cc: Include "make-unique.h".
2979 (impl_region_model_context::warn): Update to use std::unique_ptr
2980 for param, removing explicit deletion.
2981 (impl_region_model_context::add_note): Likewise.
2982 (impl_sm_context::warn): Update to use std::unique_ptr
2983 for param.
2984 (impl_region_model_context::on_state_leak): Likewise for result of
2985 on_leak.
2986 (exploded_node::on_longjmp): Use make_unique when creating
2987 pending_diagnostic.
2988 (exploded_graph::process_node): Likewise.
2989 * exploded-graph.h (impl_region_model_context::warn): Update to
2990 use std::unique_ptr for param.
2991 (impl_region_model_context::add_note): Likewise.
2992 * feasible-graph.cc: Add define of INCLUDE_MEMORY.
2993 * pending-diagnostic.cc: Likewise.
2994 * pending-diagnostic.h: Include analyzer.sm.h"
2995 * program-point.cc: Add define of INCLUDE_MEMORY.
2996 * program-state.cc: Likewise.
2997 * region-model-asm.cc: Likewise.
2998 * region-model-impl-calls.cc: Likewise. Include "make-unique.h".
2999 (region_model::impl_call_putenv): Use make_unique when creating
3000 pending_diagnostic.
3001 * region-model-manager.cc: Add define of INCLUDE_MEMORY.
3002 * region-model-reachability.cc: Likewise.
3003 * region-model.cc: Likewise. Include "make-unique.h".
3004 (region_model::get_gassign_result): Use make_unique when creating
3005 pending_diagnostic.
3006 (region_model::check_for_poison): Likewise.
3007 (region_model::on_stmt_pre): Likewise.
3008 (region_model::check_symbolic_bounds): Likewise.
3009 (region_model::check_region_bounds): Likewise.
3010 (annotating_ctxt: make_note): Use std::unique_ptr for result.
3011 (region_model::deref_rvalue): Use make_unique when creating
3012 pending_diagnostic.
3013 (region_model::check_for_writable_region): Likewise.
3014 (region_model::check_region_size): Likewise.
3015 (region_model::check_dynamic_size_for_floats): Likewise.
3016 (region_model::maybe_complain_about_infoleak): Likewise.
3017 (noop_region_model_context::add_note): Use std::unique_ptr for
3018 param. Remove explicit deletion.
3019 * region-model.h: Include "analyzer/pending-diagnostic.h".
3020 (region_model_context::warn): Convert param to std::unique_ptr.
3021 (region_model_context::add_note): Likewise.
3022 (noop_region_model_context::warn): Likewise.
3023 (noop_region_model_context::add_note): Likewise.
3024 (region_model_context_decorator::warn): Likewise.
3025 (region_model_context_decorator::add_note): Likewise.
3026 (note_adding_context::warn): Likewise.
3027 (note_adding_context::make_note): Likewise for return type.
3028 (test_region_model_context::warn): Convert param to
3029 std::unique_ptr.
3030 * region.cc: Add define of INCLUDE_MEMORY.
3031 * sm-fd.cc: Likewise. Include "make-unique.h".
3032 (fd_state_machine::check_for_fd_attrs): Use make_unique when
3033 creating pending_diagnostics.
3034 (fd_state_machine::on_open): Likewise.
3035 (fd_state_machine::on_creat): Likewise.
3036 (fd_state_machine::check_for_dup): Likewise.
3037 (fd_state_machine::on_close): Likewise.
3038 (fd_state_machine::check_for_open_fd): Likewise.
3039 (fd_state_machine::on_leak): Likewise, converting return type to
3040 std::unique_ptr.
3041 * sm-file.cc: Add define of INCLUDE_MEMORY. Include
3042 "make-unique.h".
3043 (fileptr_state_machine::on_stmt): Use make_unique when creating
3044 pending_diagnostic.
3045 (fileptr_state_machine::on_leak): Likewise, converting return type
3046 to std::unique_ptr.
3047 * sm-malloc.cc: Add define of INCLUDE_MEMORY. Include
3048 "make-unique.h".
3049 (malloc_state_machine::on_stmt): Use make_unique when creating
3050 pending_diagnostic.
3051 (malloc_state_machine::handle_free_of_non_heap): Likewise.
3052 (malloc_state_machine::on_deallocator_call): Likewise.
3053 (malloc_state_machine::on_realloc_call): Likewise.
3054 (malloc_state_machine::on_leak): Likewise, converting return type
3055 to std::unique_ptr.
3056 * sm-pattern-test.cc: Add define of INCLUDE_MEMORY. Include
3057 "make-unique.h".
3058 (pattern_test_state_machine::on_condition): Use make_unique when
3059 creating pending_diagnostic.
3060 * sm-sensitive.cc: Add define of INCLUDE_MEMORY. Include
3061 "make-unique.h".
3062 (sensitive_state_machine::warn_for_any_exposure): Use make_unique
3063 when creating pending_diagnostic.
3064 * sm-signal.cc: Add define of INCLUDE_MEMORY. Include
3065 "make-unique.h".
3066 (signal_state_machine::on_stmt): Use make_unique when creating
3067 pending_diagnostic.
3068 * sm-taint.cc: Add define of INCLUDE_MEMORY. Include
3069 "make-unique.h".
3070 (taint_state_machine::check_for_tainted_size_arg): Use make_unique
3071 when creating pending_diagnostic.
3072 (taint_state_machine::check_for_tainted_divisor): Likewise.
3073 (region_model::check_region_for_taint): Likewise.
3074 (region_model::check_dynamic_size_for_taint): Likewise.
3075 * sm.cc: Add define of INCLUDE_MEMORY. Include
3076 "analyzer/pending-diagnostic.h".
3077 (state_machine::on_leak): Move here from sm.h, changing return
3078 type to std::unique_ptr.
3079 * sm.h (state_machine::on_leak): Change return type to
3080 std::unique_ptr. Move defn of base impl to sm.cc
3081 (sm_context::warn): Convert param d to std_unique_ptr.
3082 * state-purge.cc: Add define of INCLUDE_MEMORY.
3083 * store.cc: Likewise.
3084 * svalue.cc: Likewise.
3085 * trimmed-graph.cc: Likewise.
3086 * varargs.cc: Likewise. Include "make-unique.h".
3087 (va_list_state_machine::check_for_ended_va_list): Use make_unique
3088 when creating pending_diagnostic.
3089 (va_list_state_machine::on_leak): Likewise, converting return type
3090 to std::unique_ptr.
3091 (region_model::impl_call_va_arg): Use make_unique when creating
3092 pending_diagnostic.
3093
30942022-11-03 David Malcolm <dmalcolm@redhat.com>
3095
3096 PR analyzer/107486
3097 * analyzer.cc (is_pipe_call_p): New.
3098 * analyzer.h (is_pipe_call_p): New decl.
3099 * region-model.cc (region_model::on_call_pre): Use it.
3100 (region_model::on_call_post): Likewise.
3101
486a5037
GA		 31022022-10-26 David Malcolm <dmalcolm@redhat.com>
3103
3104 * sm-fd.cc (fd_state_machine::on_open): Transition to "unchecked"
3105 when the mode is symbolic, rather than just on integer constants.
3106 (fd_state_machine::check_for_open_fd): Don't complain about
3107 unchecked values in the start state.
3108
31092022-10-26 David Malcolm <dmalcolm@redhat.com>
3110
3111 * sm-fd.dot: New file.
3112
4e939ae1
GA		 31132022-10-24 David Malcolm <dmalcolm@redhat.com>
3114
3115 PR analyzer/107349
3116 * varargs.cc (get_va_copy_arg): Fix the non-pointer case.
3117
31182022-10-24 David Malcolm <dmalcolm@redhat.com>
3119
3120 PR analyzer/107345
3121 * region-model.cc (region_model::eval_condition_without_cm):
3122 Ensure that constants are on the right-hand side before checking
3123 for them.
3124
31252022-10-24 David Malcolm <dmalcolm@redhat.com>
3126
3127 * engine.cc (impl_region_model_context::get_malloc_map): Replace
3128 with...
3129 (impl_region_model_context::get_state_map_by_name): ...this.
3130 (impl_region_model_context::get_fd_map): Delete.
3131 (impl_region_model_context::get_taint_map): Delete.
3132 * exploded-graph.h (impl_region_model_context::get_fd_map):
3133 Delete.
3134 (impl_region_model_context::get_malloc_map): Delete.
3135 (impl_region_model_context::get_taint_map): Delete.
3136 (impl_region_model_context::get_state_map_by_name): New.
3137 * region-model.h (region_model_context::get_state_map_by_name):
3138 New vfunc.
3139 (region_model_context::get_fd_map): Convert from vfunc to
3140 function.
3141 (region_model_context::get_malloc_map): Likewise.
3142 (region_model_context::get_taint_map): Likewise.
3143 (noop_region_model_context::get_state_map_by_name): New.
3144 (noop_region_model_context::get_fd_map): Delete.
3145 (noop_region_model_context::get_malloc_map): Delete.
3146 (noop_region_model_context::get_taint_map): Delete.
3147 (region_model_context_decorator::get_state_map_by_name): New.
3148 (region_model_context_decorator::get_fd_map): Delete.
3149 (region_model_context_decorator::get_malloc_map): Delete.
3150 (region_model_context_decorator::get_taint_map): Delete.
3151
31522022-10-24 David Malcolm <dmalcolm@redhat.com>
3153
3154 PR analyzer/106300
3155 * engine.cc (impl_region_model_context::get_fd_map): New.
3156 * exploded-graph.h (impl_region_model_context::get_fd_map): New
3157 decl.
3158 * region-model-impl-calls.cc (region_model::impl_call_pipe): New.
3159 * region-model.cc (region_model::update_for_int_cst_return): New,
3160 based on...
3161 (region_model::update_for_zero_return): ...this. Reimplement in
3162 terms of the former.
3163 (region_model::on_call_pre): Handle "pipe" and "pipe2".
3164 (region_model::on_call_post): Likewise.
3165 * region-model.h (region_model::impl_call_pipe): New decl.
3166 (region_model::update_for_int_cst_return): New decl.
3167 (region_model::mark_as_valid_fd): New decl.
3168 (region_model_context::get_fd_map): New pure virtual fn.
3169 (noop_region_model_context::get_fd_map): New.
3170 (region_model_context_decorator::get_fd_map): New.
3171 * sm-fd.cc: Include "analyzer/program-state.h".
3172 (fd_state_machine::describe_state_change): Handle transitions from
3173 start state to valid states.
3174 (fd_state_machine::mark_as_valid_fd): New.
3175 (fd_state_machine::on_stmt): Add missing return for "creat".
3176 (region_model::mark_as_valid_fd): New.
3177
87f9c4a4
GA		 31782022-10-19 David Malcolm <dmalcolm@redhat.com>
3179
3180 PR analyzer/105765
3181 * varargs.cc (get_BT_VALIST_ARG): Rename to...
3182 (get_va_copy_arg): ...this, and update logic for determining level
3183 of indirection of va_copy's argument to use type of argument,
3184 rather than looking at va_list_type_node, to correctly handle
3185 __builtin_ms_va_copy.
3186 (get_stateful_BT_VALIST_ARG): Rename to...
3187 (get_stateful_va_copy_arg): ...this.
3188 (va_list_state_machine::on_va_copy): Update for renaming.
3189 (region_model::impl_call_va_copy): Likewise.
3190
621a911d
GA		 31912022-10-13 David Malcolm <dmalcolm@redhat.com>
3192
3193 PR analyzer/107210
3194 * svalue.cc (constant_svalue::maybe_fold_bits_within): Only
3195 attempt to extract individual bits when tree_fits_uhwi_p.
3196
9ff6c33e
GA		 31972022-10-07 David Malcolm <dmalcolm@redhat.com>
3198
3199 PR analyzer/105783
3200 * region-model.cc (selftest::get_bit): New function.
3201 (selftest::test_bits_within_svalue_folding): New.
3202 (selfftest::analyzer_region_model_cc_tests): Call it.
3203 * svalue.cc (constant_svalue::maybe_fold_bits_within): Handle the
3204 case of extracting a single bit.
3205
629d04d3
GA		 32062022-10-06 David Malcolm <dmalcolm@redhat.com>
3207
3208 PR analyzer/107158
3209 * store.cc (store::replay_call_summary_cluster): Eliminate
3210 special-casing of RK_HEAP_ALLOCATED in favor of sharing code with
3211 RK_DECL, avoiding an ICE due to attempting to bind a
3212 compound_svalue into a binding_cluster when an svalue in the
3213 summary cluster converts to a compound_svalue in the caller.
3214
32152022-10-06 David Malcolm <dmalcolm@redhat.com>
3216
3217 * call-summary.cc (call_summary_replay::dump_to_pp): Bulletproof
3218 against NULL caller regions/svalues.
3219
966010b2
GA		 32202022-10-05 David Malcolm <dmalcolm@redhat.com>
3221
3222 * analysis-plan.cc: Simplify includes.
3223 * analyzer-pass.cc: Likewise.
3224 * analyzer-selftests.cc: Likewise.
3225 * analyzer.cc: Likewise.
3226 * analyzer.h: Add includes of "json.h" and "tristate.h".
3227 * call-info.cc: Simplify includes.
3228 * call-string.cc: Likewise.
3229 * call-summary.cc: Likewise.
3230 * checker-path.cc: Likewise.
3231 * complexity.cc: Likewise.
3232 * constraint-manager.cc: Likewise.
3233 * diagnostic-manager.cc: Likewise.
3234 * engine.cc: Likewise.
3235 * feasible-graph.cc: Likewise.
3236 * known-function-manager.cc: Likewise.
3237 * pending-diagnostic.cc: Likewise.
3238 * program-point.cc: Likewise.
3239 * program-state.cc: Likewise.
3240 * region-model-asm.cc: Likewise.
3241 * region-model-impl-calls.cc: Likewise.
3242 * region-model-manager.cc: Likewise.
3243 * region-model-reachability.cc: Likewise.
3244 * region-model.cc: Likewise.
3245 * region-model.h: Include "selftest.h".
3246 * region.cc: Simplify includes.
3247 * sm-fd.cc: Likewise.
3248 * sm-file.cc: Likewise.
3249 * sm-malloc.cc: Likewise.
3250 * sm-pattern-test.cc: Likewise.
3251 * sm-sensitive.cc: Likewise.
3252 * sm-signal.cc: Likewise.
3253 * sm-taint.cc: Likewise.
3254 * sm.cc: Likewise.
3255 * state-purge.cc: Likewise.
3256 * store.cc: Likewise.
3257 * store.h: Likewise.
3258 * supergraph.cc: Likewise.
3259 * svalue.cc: Likewise.
3260 * svalue.h: Likewise.
3261 * trimmed-graph.cc: Likewise.
3262 * varargs.cc: Likewise.
3263
32642022-10-05 David Malcolm <dmalcolm@redhat.com>
3265
3266 PR analyzer/107060
3267 * call-summary.cc
3268 (call_summary_replay::convert_svalue_from_summary_1): Handle NULL
3269 results from convert_svalue_from_summary in SK_UNARY_OP and
3270 SK_BIN_OP.
3271 * engine.cc (impl_region_model_context::on_unknown_change): Bail
3272 out on svalues that can't have associated state.
3273 * region-model-impl-calls.cc
3274 (region_model::impl_call_analyzer_get_unknown_ptr): New.
3275 * region-model.cc (region_model::on_stmt_pre): Handle
3276 "__analyzer_get_unknown_ptr".
3277 * region-model.h
3278 (region_model::impl_call_analyzer_get_unknown_ptr): New decl.
3279 * store.cc (store::replay_call_summary_cluster): Avoid trying to
3280 create binding clusters for base regions that shouldn't have them.
3281
32822022-10-05 Martin Liska <mliska@suse.cz>
3283
3284 * call-summary.cc (call_summary_replay::call_summary_replay):
3d3b561f 3285 Remove unused variable and arguments.
966010b2
GA		 3286 * call-summary.h: Likewise.
3287 * engine.cc (exploded_node::on_stmt): Likewise.
3288 (exploded_node::replay_call_summaries): Likewise.
3289 (exploded_node::replay_call_summary): Likewise.
3290 * exploded-graph.h (class exploded_node): Likewise.
3291
32922022-10-05 David Malcolm <dmalcolm@redhat.com>
3293
3294 PR analyzer/107072
3295 * analyzer-logging.h: Include "diagnostic-core.h".
3296 * analyzer.h: Include "function.h".
3297 (class call_summary): New forward decl.
3298 (class call_summary_replay): New forward decl.
3299 (struct per_function_data): New forward decl.
3300 (struct interesting_t): New forward decl.
3301 (custom_edge_info::update_state): New vfunc.
3302 * call-info.cc (custom_edge_info::update_state): New.
3303 * call-summary.cc: New file.
3304 * call-summary.h: New file.
3305 * constraint-manager.cc: Include "analyzer/call-summary.h".
3306 (class replay_fact_visitor): New.
3307 (constraint_manager::replay_call_summary): New.
3308 * constraint-manager.h (constraint_manager::replay_call_summary):
3309 New.
3310 * engine.cc: Include "analyzer/call-summary.h".
3311 (exploded_node::on_stmt): Handle call summaries.
3312 (class call_summary_edge_info): New.
3313 (exploded_node::replay_call_summaries): New.
3314 (exploded_node::replay_call_summary): New.
3315 (per_function_data::~per_function_data): New.
3316 (per_function_data::add_call_summary): Move here from header and
3317 reimplement.
3318 (exploded_graph::process_node): Call update_state rather than
3319 update_model when handling bifurcation
3320 (viz_callgraph_node::dump_dot): Use a regular label rather
3321 than an HTML table; add summaries to dump.
3322 * exploded-graph.h: Include "alloc-pool.h", "fibonacci_heap.h",
3323 "supergraph.h", "sbitmap.h", "shortest-paths.h", "analyzer/sm.h",
3324 "analyzer/program-state.h", and "analyzer/diagnostic-manager.h".
3325 (exploded_node::replay_call_summaries): New decl.
3326 (exploded_node::replay_call_summary): New decl.
3327 (per_function_data::~per_function_data): New decl.
3328 (per_function_data::add_call_summary): Move implemention from
3329 header.
3330 (per_function_data::m_summaries): Update type of element.
3331 * known-function-manager.h: Include "analyzer/analyzer-logging.h".
3332 * program-point.h: Include "pretty-print.h" and
3333 "analyzer/call-string.h".
3334 * program-state.cc: Include "analyzer/call-summary.h".
3335 (sm_state_map::replay_call_summary): New.
3336 (program_state::replay_call_summary): New.
3337 * program-state.h (sm_state_map::replay_call_summary): New decl.
3338 (program_state::replay_call_summary): New decl.
3339 * region-model-manager.cc
3340 (region_model_manager::get_or_create_asm_output_svalue): New
3341 overload.
3342 * region-model-manager.h
3343 (region_model_manager::get_or_create_asm_output_svalue): New
3344 overload decl.
3345 * region-model.cc: Include "analyzer/call-summary.h".
3346 (region_model::maybe_update_for_edge): Remove call to
3347 region_model::update_for_call_summary on
3348 SUPEREDGE_INTRAPROCEDURAL_CALL.
3349 (region_model::update_for_call_summary): Delete.
3350 (region_model::replay_call_summary): New.
3351 * region-model.h (region_model::replay_call_summary): New decl.
3352 (region_model::update_for_call_summary): Delete decl.
3353 * store.cc: Include "analyzer/call-summary.h".
3354 (store::replay_call_summary): New.
3355 (store::replay_call_summary_cluster): New.
3356 * store.h: Include "tristate.h".
3357 (is_a_helper <const ana::concrete_binding *>::test): New.
3358 (store::replay_call_summary): New decl.
3359 (store::replay_call_summary_cluster): New decl.
3360 * supergraph.cc (get_ultimate_function_for_cgraph_edge): Remove
3361 "static" from decl.
3362 (supergraph_call_edge): Make stmt param const.
3363 * supergraph.h: Include "ordered-hash-map.h", "cfg.h",
3364 "basic-block.h", "gimple.h", "gimple-iterator.h", and "digraph.h".
3365 (supergraph_call_edge): Make stmt param const.
3366 (get_ultimate_function_for_cgraph_edge): New decl.
3367 * svalue.cc (compound_svalue::compound_svalue): Assert that we're
3368 not nesting compound_svalues.
3369 * svalue.h: Include "json.h", "analyzer/store.h", and
3370 "analyzer/program-point.h".
3371 (asm_output_svalue::get_num_outputs): New accessor.
3372
33732022-10-05 David Malcolm <dmalcolm@redhat.com>
3374
3375 * region-model.h: Include "analyzer/region-model-manager.h"
3376 (class region_model_manager): Move decl to...
3377 * region-model-manager.h: ...this new file.
3378
33792022-10-05 David Malcolm <dmalcolm@redhat.com>
3380
3381 * region-model-manager.cc
3382 (region_model_manager::maybe_fold_unaryop): Fold -(-(VAL)) to VAL.
3383
33842022-10-05 David Malcolm <dmalcolm@redhat.com>
3385
3386 * region-model-manager.cc
3387 (region_model_manager::get_or_create_widening_svalue): Use a
3388 function_point rather than a program_point.
3389 * region-model.cc (selftest::test_widening_constraints): Likewise.
3390 * region-model.h
3391 (region_model_manager::get_or_create_widening_svalue): Likewise.
3392 (model_merger::get_function_point): New.
3393 * svalue.cc (svalue::can_merge_p): Use a function_point rather
3394 than a program_point.
3395 (svalue::can_merge_p): Likewise.
3396 * svalue.h (widening_svalue::key_t): Likewise.
3397 (widening_svalue::widening_svalue): Likewise.
3398
b5f09bd7
GA		 33992022-09-12 Martin Liska <mliska@suse.cz>
3400
3401 * region-model.cc (region_model::maybe_complain_about_infoleak):
3d3b561f 3402 Remove unused fields.
b5f09bd7 3403
5b9111db
GA		 34042022-09-11 Tim Lange <mail@tim-lange.me>
3405
3406 PR analyzer/106845
3407 * region-model.cc (region_model::check_region_bounds):
3408 Bail out if 0 bytes were accessed.
3409 * store.cc (byte_range::dump_to_pp):
3410 Add special case for empty ranges.
3411 (byte_range::exceeds_p): Restrict to non-empty ranges.
3412 (byte_range::falls_short_of_p): Restrict to non-empty ranges.
3413 * store.h (bit_range::empty_p): New function.
3414 (bit_range::get_last_byte_offset): Restrict to non-empty ranges.
3415 (byte_range::empty_p): New function.
3416 (byte_range::get_last_byte_offset): Restrict to non-empty ranges.
3417
861d1a11
GA		 34182022-09-09 David Malcolm <dmalcolm@redhat.com>
3419
3420 * analyzer.opt (Wanalyzer-exposure-through-uninit-copy): New.
3421 * checker-path.cc (region_creation_event::region_creation_event):
3422 Add "capacity" and "kind" params.
3423 (region_creation_event::get_desc): Generalize to different kinds
3424 of event.
3425 (checker_path::add_region_creation_event): Convert to...
3426 (checker_path::add_region_creation_events): ...this.
3427 * checker-path.h (enum rce_kind): New.
3428 (region_creation_event::region_creation_event): Add "capacity" and
3429 "kind" params.
3430 (region_creation_event::m_capacity): New field.
3431 (region_creation_event::m_rce_kind): New field.
3432 (checker_path::add_region_creation_event): Convert to...
3433 (checker_path::add_region_creation_events): ...this.
3434 * diagnostic-manager.cc (diagnostic_manager::build_emission_path):
3435 Update for multiple region creation events.
3436 (diagnostic_manager::add_event_on_final_node): Likewise.
3437 (diagnostic_manager::add_events_for_eedge): Likewise.
3438 * region-model-impl-calls.cc (call_details::get_logger): New.
3439 * region-model.cc: Define INCLUDE_MEMORY before including
3440 "system.h". Include "gcc-rich-location.h".
3441 (class record_layout): New.
3442 (class exposure_through_uninit_copy): New.
3443 (contains_uninit_p): New.
3444 (region_model::maybe_complain_about_infoleak): New.
3445 * region-model.h (call_details::get_logger): New decl.
3446 (region_model::maybe_complain_about_infoleak): New decl.
3447 (region_model::mark_as_tainted): New decl.
3448 * sm-taint.cc (region_model::mark_as_tainted): New.
3449
34502022-09-09 David Malcolm <dmalcolm@redhat.com>
3451
3452 * analyzer.h (class known_function_manager): New forward decl.
3453 (class known_function): New.
3454 (plugin_analyzer_init_iface::register_known_function): New.
3455 * engine.cc: Include "analyzer/known-function-manager.h".
3456 (plugin_analyzer_init_impl::plugin_analyzer_init_impl): Add
3457 known_fn_mgr param.
3458 (plugin_analyzer_init_impl::register_state_machine): Add
3459 LOC_SCOPE.
3460 (plugin_analyzer_init_impl::register_known_function): New.
3461 (plugin_analyzer_init_impl::m_known_fn_mgr): New.
3462 (impl_run_checkers): Update plugin callback invocation to use
3463 eng's known_function_manager.
3464 * known-function-manager.cc: New file.
3465 * known-function-manager.h: New file.
3466 * region-model-manager.cc
3467 (region_model_manager::region_model_manager): Pass logger to
3468 m_known_fn_mgr's ctor.
3469 * region-model.cc (region_model::update_for_zero_return): New.
3470 (region_model::update_for_nonzero_return): New.
3471 (maybe_simplify_upper_bound): New.
3472 (region_model::maybe_get_copy_bounds): New.
3473 (region_model::get_known_function): New.
3474 (region_model::on_call_pre): Handle plugin-supplied known
3475 functions.
3476 * region-model.h: Include "analyzer/known-function-manager.h".
3477 (region_model_manager::get_known_function_manager): New.
3478 (region_model_manager::m_known_fn_mgr): New.
3479 (call_details::get_model): New accessor.
3480 (region_model::maybe_get_copy_bounds): New decl.
3481 (region_model::update_for_zero_return): New decl.
3482 (region_model::update_for_nonzero_return): New decl.
3483 (region_model::get_known_function): New decl.
3484 (region_model::get_known_function_manager): New.
3485
2e7ad70c
GA		 34862022-09-08 Tim Lange <mail@tim-lange.me>
3487
3488 PR analyzer/106625
3489 * analyzer.h (region_offset): Eliminate m_is_symbolic member.
3490 * region-model-impl-calls.cc (region_model::impl_call_realloc):
3491 Refine implementation to be more precise.
3492 * region-model.cc (class symbolic_past_the_end):
3493 Abstract diagnostic class to complain about accesses past the end
3494 with symbolic values.
3495 (class symbolic_buffer_overflow):
3496 Concrete diagnostic class to complain about buffer overflows with
3497 symbolic values.
3498 (class symbolic_buffer_overread):
3499 Concrete diagnostic class to complain about buffer overreads with
3500 symbolic values.
3501 (region_model::check_symbolic_bounds): New function.
3502 (maybe_get_integer_cst_tree): New helper function.
3503 (region_model::check_region_bounds):
3504 Add call to check_symbolic_bounds if offset is not concrete.
3505 (region_model::eval_condition_without_cm):
3506 Add support for EQ_EXPR and GT_EXPR with binaryop_svalues.
3507 (is_positive_svalue): New hleper function.
3508 (region_model::symbolic_greater_than):
3509 New function to handle GT_EXPR comparisons with symbolic values.
3510 (region_model::structural_equality): New function to compare
3511 whether two svalues are structured the same, i.e. evaluate to
3512 the same value.
3513 (test_struct): Reflect changes to region::calc_offset.
3514 (test_var): Likewise.
3515 (test_array_2): Likewise and add selftest with symbolic i.
3516 * region-model.h (class region_model): Add check_symbolic_bounds,
3517 symbolic_greater_than and structural_equality.
3518 * region.cc (region::get_offset):
3519 Reflect changes to region::calc_offset.
3520 (region::calc_offset):
3521 Compute the symbolic offset if the offset is not concrete.
3522 (region::get_relative_symbolic_offset): New function to return the
3523 symbolic offset in bytes relative to its parent.
3524 (field_region::get_relative_symbolic_offset): Likewise.
3525 (element_region::get_relative_symbolic_offset): Likewise.
3526 (offset_region::get_relative_symbolic_offset): Likewise.
3527 (bit_range_region::get_relative_symbolic_offset): Likewise.
3528 * region.h: Add get_relative_symbolic_offset.
3529 * store.cc (binding_key::make):
3530 Reflect changes to region::calc_offset.
3531 (binding_map::apply_ctor_val_to_range): Likewise.
3532 (binding_map::apply_ctor_pair_to_child_region): Likewise.
3533 (binding_cluster::bind_compound_sval): Likewise.
3534 (binding_cluster::get_any_binding): Likewise.
3535 (binding_cluster::maybe_get_compound_binding): Likewise.
3536
47d2dcd1
GA		 35372022-09-05 Tim Lange <mail@tim-lange.me>
3538
3539 * region-model-impl-calls.cc (region_model::impl_call_strcpy):
3540 Handle the constant string case.
3541 * region-model.cc (region_model::get_string_size):
3542 New function to get the string size from a region or svalue.
3543 * region-model.h (class region_model): Add get_string_size.
3544
35452022-09-05 Tim Lange <mail@tim-lange.me>
3546
3547 * region.cc (cast_region::get_relative_concrete_offset):
3548 New overloaded method.
3549 * region.h: Add cast_region::get_relative_concrete_offset.
3550
3b2e3fa3
GA		 35512022-08-22 Martin Liska <mliska@suse.cz>
3552
3553 * region-model.cc: Add missing final keyword.
3554
30afe5e7
GA		 35552022-08-18 Tim Lange <mail@tim-lange.me>
3556
3557 PR analyzer/106181
3558 * analyzer.opt: Add Wanalyzer-imprecise-floating-point-arithmetic.
3559 * region-model.cc (is_any_cast_p): Formatting.
3560 (region_model::check_region_size): Ensure precondition.
3561 (class imprecise_floating_point_arithmetic): New abstract
3562 diagnostic class for all floating-point related warnings.
3563 (class float_as_size_arg): Concrete diagnostic class to complain
3564 about floating-point operands inside the size argument.
3565 (class contains_floating_point_visitor):
3566 New visitor to find floating-point operands inside svalues.
3567 (region_model::check_dynamic_size_for_floats): New function.
3568 (region_model::set_dynamic_extents):
3569 Call to check_dynamic_size_for_floats.
3570 * region-model.h (class region_model):
3571 Add region_model::check_dynamic_size_for_floats.
3572
47a61e65
GA		 35732022-08-16 Martin Liska <mliska@suse.cz>
3574
3575 * region-model.cc: Fix -Winconsistent-missing-override clang
3d3b561f 3576 warning.
47a61e65
GA		 3577 * region.h: Likewise.
3578
ec63a946
GA		 35792022-08-15 David Malcolm <dmalcolm@redhat.com>
3580
3581 PR analyzer/106626
3582 * region-model.cc (buffer_overread::emit): Fix copy&paste error in
3583 direction of the access in the note.
3584
35852022-08-15 David Malcolm <dmalcolm@redhat.com>
3586
3587 PR analyzer/106573
3588 * region-model.cc (region_model::on_call_pre): Use check_call_args
3589 when ensuring that we call get_arg_svalue on all args. Remove
3590 redundant call from handling for stdio builtins.
3591
35922022-08-15 Immad Mir <mirimmad@outlook.com>
3593
3594 PR analyzer/106551
3595 * sm-fd.cc (check_for_dup): exit early if first
3596 argument is invalid for all dup functions.
3597
475ed8fd
GA		 35982022-08-12 Tim Lange <mail@tim-lange.me>
3599
3600 PR analyzer/106000
3601 * analyzer.opt: Add Wanalyzer-out-of-bounds.
3602 * region-model.cc (class out_of_bounds): Diagnostics base class
3603 for all out-of-bounds diagnostics.
3604 (class past_the_end): Base class derived from out_of_bounds for
3605 the buffer_overflow and buffer_overread diagnostics.
3606 (class buffer_overflow): Buffer overflow diagnostics.
3607 (class buffer_overread): Buffer overread diagnostics.
3608 (class buffer_underflow): Buffer underflow diagnostics.
3609 (class buffer_underread): Buffer overread diagnostics.
3610 (region_model::check_region_bounds): New function to check region
3611 bounds for out-of-bounds accesses.
3612 (region_model::check_region_access):
3613 Add call to check_region_bounds.
3614 (region_model::get_representative_tree): New function that accepts
3615 a region instead of an svalue.
3616 * region-model.h (class region_model):
3617 Add region_model::check_region_bounds.
3618 * region.cc (region::symbolic_p): New predicate.
3619 (offset_region::get_byte_size_sval): Only return the remaining
3620 byte size on offset_regions.
3621 * region.h: Add region::symbolic_p.
3622 * store.cc (byte_range::intersects_p):
3623 Add new function equivalent to bit_range::intersects_p.
3624 (byte_range::exceeds_p): New function.
3625 (byte_range::falls_short_of_p): New function.
3626 * store.h (struct byte_range): Add byte_range::intersects_p,
3627 byte_range::exceeds_p and byte_range::falls_short_of_p.
3628
36292022-08-12 Tim Lange <mail@tim-lange.me>
3630
3631 PR analyzer/106539
3632 * region-model-impl-calls.cc (region_model::impl_call_realloc):
3633 Use the result of get_copied_size as the size for the
3634 sized_regions in realloc.
3635 (success_with_move::get_copied_size): New function.
3636
5cd525f0
GA		 36372022-08-11 Immad Mir <mirimmad@outlook.com>
3638
3639 PR analyzer/106551
3640 * sm-fd.cc (check_for_dup): handle the m_start
3641 state when transitioning the state of LHS
3642 of dup, dup2 and dup3 call.
3643
6d001ec1
GA		 36442022-08-09 David Malcolm <dmalcolm@redhat.com>
3645
3646 PR analyzer/106573
3647 * region-model.cc (region_model::on_call_pre): Ensure that we call
3648 get_arg_svalue on all arguments.
3649
36e96748
GA		 36502022-08-05 David Malcolm <dmalcolm@redhat.com>
3651
3652 PR analyzer/105947
3653 * analyzer.opt (Wanalyzer-jump-through-null): New option.
3654 * engine.cc (class jump_through_null): New.
3655 (exploded_graph::process_node): Complain about jumps through NULL
3656 function pointers.
3657
969a989d
GA		 36582022-08-02 Immad Mir <mirimmad@outlook.com>
3659
3660 PR analyzer/106298
3661 * sm-fd.cc (fd_state_machine::on_open): Add
3662 creat, dup, dup2 and dup3 functions.
3663 (enum dup): New.
3664 (fd_state_machine::valid_to_unchecked_state): New.
3665 (fd_state_machine::on_creat): New.
3666 (fd_state_machine::on_dup): New.
3667
af086d19
GA		 36682022-07-28 David Malcolm <dmalcolm@redhat.com>
3669
3670 PR analyzer/105893
3671 * analyzer.opt (Wanalyzer-putenv-of-auto-var): New.
3672 * region-model-impl-calls.cc (class putenv_of_auto_var): New.
3673 (region_model::impl_call_putenv): New.
3674 * region-model.cc (region_model::on_call_pre): Handle putenv.
3675 * region-model.h (region_model::impl_call_putenv): New decl.
3676
36772022-07-28 David Malcolm <dmalcolm@redhat.com>
3678
3679 * sm-malloc.cc (free_of_non_heap::emit): Add comment about CWE.
3680 * sm-taint.cc (tainted_size::emit): Likewise.
3681
36822022-07-28 David Malcolm <dmalcolm@redhat.com>
3683
3684 * region.h: Add notes to the comment describing the region
3685 class hierarchy.
3686
1e2c5f4c
GA		 36872022-07-27 Immad Mir <mirimmad@outlook.com>
3688
3689 PR analyzer/106286
3690 * sm-fd.cc:
3691 (fd_diagnostic::get_meaning_for_state_change): New.
3692
fd96c4b5
GA		 36932022-07-26 David Malcolm <dmalcolm@redhat.com>
3694
3695 PR analyzer/106319
3696 * store.cc (store::set_value): Don't strip away casts if the
3697 region has NULL type.
3698
36992022-07-26 David Malcolm <dmalcolm@redhat.com>
3700
3701 * region.h (code_region::get_element): Remove stray decl.
3702 (function_region::get_element): Likewise.
3703
a5271b14
GA		 37042022-07-25 Martin Liska <mliska@suse.cz>
3705
3706 * sm-fd.cc: Run dos2unix and fix coding style issues.
3707
0e6fa997
GA		 37082022-07-23 Immad Mir <mirimmad@outlook.com>
3709
3710 * sm-fd.cc (fd_param_diagnostic): New diagnostic class.
3711 (fd_access_mode_mismatch): Change inheritance from fd_diagnostic
3712 to fd_param_diagnostic. Add new overloaded constructor.
3713 (fd_use_after_close): Likewise.
3714 (unchecked_use_of_fd): Likewise and also change name to fd_use_without_check.
3715 (double_close): Change name to fd_double_close.
3716 (enum access_directions): New.
3717 (fd_state_machine::on_stmt): Handle calls to function with the
3718 new three function attributes.
3719 (fd_state_machine::check_for_fd_attrs): New.
3720 (fd_state_machine::on_open): Use the new overloaded constructors
3721 of diagnostic classes.
3722
b563a8dd
GA		 37232022-07-22 David Malcolm <dmalcolm@redhat.com>
3724
3725 PR analyzer/106413
3726 * varargs.cc (region_model::impl_call_va_start): Avoid iterating
3727 through non-existant variadic arguments by initializing the
3728 impl_region to "UNKNOWN" if the va_start occurs in the top-level
3729 function to the analysis.
3730
37312022-07-22 David Malcolm <dmalcolm@redhat.com>
3732
3733 PR analyzer/106401
3734 * store.cc (binding_cluster::binding_cluster): Remove overzealous
3735 assertion; we're checking for tracked_p in
3736 store::get_or_create_cluster.
3737
37382022-07-22 Tim Lange <mail@tim-lange.me>
3739
3740 PR analyzer/106394
3741 * region-model.cc (capacity_compatible_with_type): Always return true
3742 if alloc_size is zero.
3743
bbb9c030
GA		 37442022-07-21 David Malcolm <dmalcolm@redhat.com>
3745
3746 PR analyzer/106383
3747 * varargs.cc (region_model::impl_call_va_arg): When determining if
3748 we're doing interprocedural analysis, use the stack depth of the
3749 frame in which va_start was called, rather than the current stack
3750 depth.
3751
37522022-07-21 David Malcolm <dmalcolm@redhat.com>
3753
3754 * sm-taint.cc (tainted_array_index::emit): Bulletproof against
3755 NULL m_arg.
3756 (tainted_array_index::describe_final_event): Likewise.
3757 (tainted_size::emit): Likewise.
3758 (tainted_size::describe_final_event): Likewise.
3759
37602022-07-21 David Malcolm <dmalcolm@redhat.com>
3761
3762 PR analyzer/106374
3763 * region.cc (decl_region::get_svalue_for_initializer): Bail out on
3764 untracked regions.
3765
e7dfd874
GA		 37662022-07-20 David Malcolm <dmalcolm@redhat.com>
3767
3768 PR analyzer/106373
3769 * sm-taint.cc (taint_state_machine::on_condition): Potentially
3770 update the state of the RHS as well as the LHS.
3771
37722022-07-20 David Malcolm <dmalcolm@redhat.com>
3773
3774 PR analyzer/106359
3775 * region.h (string_region::tracked_p): New.
3776 * store.cc (binding_cluster::binding_cluster): Move here from
3777 store.h. Add assertion that base_region is tracked_p.
3778 * store.h (binding_cluster::binding_cluster): Move to store.cc.
3779
7c0c10db
GA		 37802022-07-19 David Malcolm <dmalcolm@redhat.com>
3781
3782 PR analyzer/106321
3783 * constraint-manager.h (bounded_ranges::get_count): New.
3784 (bounded_ranges::get_range): New.
3785 * engine.cc (impl_region_model_context::on_bounded_ranges): New.
3786 * exploded-graph.h (impl_region_model_context::on_bounded_ranges):
3787 New decl.
3788 * region-model.cc (region_model::apply_constraints_for_gswitch):
3789 Potentially call ctxt->on_bounded_ranges.
3790 * region-model.h (region_model_context::on_bounded_ranges): New
3791 vfunc.
3792 (noop_region_model_context::on_bounded_ranges): New.
3793 (region_model_context_decorator::on_bounded_ranges): New.
3794 * sm-taint.cc: Include "analyzer/constraint-manager.h".
3795 (taint_state_machine::on_bounded_ranges): New.
3796 * sm.h (state_machine::on_bounded_ranges): New.
3797
37982022-07-19 David Malcolm <dmalcolm@redhat.com>
3799
3800 * engine.cc (exploded_graph::process_node): Show any description
3801 of the out-edge when logging it for consideration.
3802
bdc7b765
GA		 38032022-07-15 David Malcolm <dmalcolm@redhat.com>
3804
3805 PR analyzer/106284
3806 * sm-taint.cc (taint_state_machine::on_condition): Handle range
3807 checks optimized by build_range_check.
3808
38092022-07-15 Jonathan Wakely <jwakely@redhat.com>
3810
3811 * call-info.cc (call_info::print): Adjust to new label_text API.
3812 * checker-path.cc (checker_event::dump): Likewise.
3813 (region_creation_event::get_desc): Likewise.
3814 (state_change_event::get_desc): Likewise.
3815 (superedge_event::should_filter_p): Likewise.
3816 (start_cfg_edge_event::get_desc): Likewise.
3817 (call_event::get_desc): Likewise.
3818 (return_event::get_desc): Likewise.
3819 (warning_event::get_desc): Likewise.
3820 (checker_path::dump): Likewise.
3821 (checker_path::debug): Likewise.
3822 * diagnostic-manager.cc (diagnostic_manager::prune_for_sm_diagnostic):
3823 Likewise.
3824 (diagnostic_manager::prune_interproc_events): Likewise.
3825 * engine.cc (feasibility_state::maybe_update_for_edge):
3826 Likewise.
3827 * program-state.cc (sm_state_map::to_json): Likewise.
3828 * region-model-impl-calls.cc (region_model::impl_call_analyzer_describe): Likewise.
3829 (region_model::impl_call_analyzer_dump_capacity): Likewise.
3830 * region.cc (region::to_json): Likewise.
3831 * sm-malloc.cc (inform_nonnull_attribute): Likewise.
3832 * store.cc (binding_map::to_json): Likewise.
3833 (store::to_json): Likewise.
3834 * supergraph.cc (superedge::dump): Likewise.
3835 * svalue.cc (svalue::to_json): Likewise.
3836
6345c414
GA		 38372022-07-07 David Malcolm <dmalcolm@redhat.com>
3838
3839 * checker-path.cc (start_cfg_edge_event::get_desc): Update for
3840 superedge::get_description returning a label_text.
3841 * engine.cc (feasibility_state::maybe_update_for_edge): Likewise.
3842 * supergraph.cc (superedge::dump): Likewise.
3843 (superedge::get_description): Convert return type from char * to
3844 label_text.
3845 * supergraph.h (superedge::get_description): Likewise.
3846
38472022-07-07 David Malcolm <dmalcolm@redhat.com>
3848
3849 * call-info.cc (call_info::print): Update for removal of
3850 label_text::maybe_free in favor of automatic memory management.
3851 * checker-path.cc (checker_event::dump): Likewise.
3852 (checker_event::prepare_for_emission): Likewise.
3853 (state_change_event::get_desc): Likewise.
3854 (superedge_event::should_filter_p): Likewise.
3855 (start_cfg_edge_event::get_desc): Likewise.
3856 (warning_event::get_desc): Likewise.
3857 (checker_path::dump): Likewise.
3858 (checker_path::debug): Likewise.
3859 * diagnostic-manager.cc
3860 (diagnostic_manager::prune_for_sm_diagnostic): Likewise.
3861 (diagnostic_manager::prune_interproc_events): Likewise.
3862 * program-state.cc (sm_state_map::to_json): Likewise.
3863 * region.cc (region::to_json): Likewise.
3864 * sm-malloc.cc (inform_nonnull_attribute): Likewise.
3865 * store.cc (binding_map::to_json): Likewise.
3866 (store::to_json): Likewise.
3867 * svalue.cc (svalue::to_json): Likewise.
3868
38692022-07-07 David Malcolm <dmalcolm@redhat.com>
3870
3871 PR analyzer/106225
3872 * sm-taint.cc (taint_state_machine::on_stmt): Move handling of
3873 assignments from division to...
3874 (taint_state_machine::check_for_tainted_divisor): ...this new
3875 function. Reject warning when the divisor is known to be non-zero.
3876 * sm.cc: Include "analyzer/program-state.h".
3877 (sm_context::get_old_region_model): New.
3878 * sm.h (sm_context::get_old_region_model): New decl.
3879
4bc92c3b
GA		 38802022-07-06 Immad Mir <mirimmad@outlook.com>
3881
3882 PR analyzer/106184
3883 * sm-fd.cc (fd_state_machine): Change ordering of initialization
3884 of state m_invalid so that the order of initializers is same as
3885 the ordering of the fields in the class decl.
3886
38872022-07-06 Immad Mir <mirimmad@outlook.com>
3888
3889 * sm-fd.cc (use_after_close): save the "close" event and
3890 show it where possible.
3891
38922022-07-06 David Malcolm <dmalcolm@redhat.com>
3893
3894 PR analyzer/106204
3895 * region-model.cc (within_short_circuited_stmt_p): Move extraction
3896 of assign_stmt to caller.
3897 (due_to_ifn_deferred_init_p): New.
3898 (region_model::check_for_poison): Move extraction of assign_stmt
3899 from within_short_circuited_stmt_p to here. Share logic with
3900 call to due_to_ifn_deferred_init_p.
3901
20f0f305
GA		 39022022-07-02 Tim Lange <mail@tim-lange.me>
3903
3904 PR analyzer/105900
3905 * analyzer.opt: Added Wanalyzer-allocation-size.
3906 * checker-path.cc (region_creation_event::get_desc): Added call to new
3907 virtual function pending_diagnostic::describe_region_creation_event.
3908 * checker-path.h: Added region_creation_event::get_desc.
3909 * diagnostic-manager.cc (diagnostic_manager::add_event_on_final_node):
3910 New function.
3911 * diagnostic-manager.h:
3912 Added diagnostic_manager::add_event_on_final_node.
3913 * pending-diagnostic.h (struct region_creation): New event_desc struct.
3914 (pending_diagnostic::describe_region_creation_event): Added virtual
3915 function to overwrite description of a region creation.
3916 * region-model.cc (class dubious_allocation_size): New class.
3917 (capacity_compatible_with_type): New helper function.
3918 (class size_visitor): New class.
3919 (struct_or_union_with_inheritance_p): New helper function.
3920 (is_any_cast_p): New helper function.
3921 (region_model::check_region_size): New function.
3922 (region_model::set_value): Added call to
3923 region_model::check_region_size.
3924 * region-model.h (class region_model): New function check_region_size.
3925 * svalue.cc (region_svalue::accept): Changed to post-order traversal.
3926 (initial_svalue::accept): Likewise.
3927 (unaryop_svalue::accept): Likewise.
3928 (binop_svalue::accept): Likewise.
3929 (sub_svalue::accept): Likewise.
3930 (repeated_svalue::accept): Likewise.
3931 (bits_within_svalue::accept): Likewise.
3932 (widening_svalue::accept): Likewise.
3933 (unmergeable_svalue::accept): Likewise.
3934 (compound_svalue::accept): Likewise.
3935 (conjured_svalue::accept): Likewise.
3936 (asm_output_svalue::accept): Likewise.
3937 (const_fn_result_svalue::accept): Likewise.
3938
39392022-07-02 Immad Mir <mirimmad17@gmail.com>
3940
3941 PR analyzer/106003
3942 * analyzer.opt (Wanalyzer-fd-leak): New option.
3943 (Wanalyzer-fd-access-mode-mismatch): New option.
3944 (Wanalyzer-fd-use-without-check): New option.
3945 (Wanalyzer-fd-double-close): New option.
3946 (Wanalyzer-fd-use-after-close): New option.
3947 * sm.h (make_fd_state_machine): New decl.
3948 * sm.cc (make_checkers): Call make_fd_state_machine.
3949 * sm-fd.cc: New file.
3950
84c2131d
GA		 39512022-06-24 David Malcolm <dmalcolm@redhat.com>
3952
3953 * call-string.cc: Add includes of "analyzer/analyzer.h"
3954 and "analyzer/analyzer-logging.h".
3955 (call_string::call_string): Delete copy ctor.
3956 (call_string::operator=): Delete.
3957 (call_string::operator==): Delete.
3958 (call_string::hash): Delete.
3959 (call_string::push_call): Make const, returning the resulting
3960 call_string.
3961 (call_string::pop): Delete.
3962 (call_string::cmp_ptr_ptr): New.
3963 (call_string::validate): Assert that m_parent is non-NULL, or
3964 m_elements is empty.
3965 (call_string::call_string): Move default ctor here from
3966 call-string.h and reimplement. Add ctor taking a parent
3967 and an element.
3968 (call_string::~call_string): New.
3969 (call_string::recursive_log): New.
3970 * call-string.h (call_string::call_string): Move default ctor's
3971 defn to call-string.cc. Delete copy ctor. Add ctor taking a
3972 parent and an element.
3973 (call_string::operator=): Delete.
3974 (call_string::operator==): Delete.
3975 (call_string::hash): Delete.
3976 (call_string::push_call): Make const, returning the resulting
3977 call_string.
3978 (call_string::pop): Delete decl.
3979 (call_string::get_parent): New.
3980 (call_string::cmp_ptr_ptr): New decl.
3981 (call_string::get_top_of_stack): New.
3982 (struct call_string::hashmap_traits_t): New.
3983 (class call_string): Add friend class region_model_manager. Add
3984 DISABLE_COPY_AND_ASSIGN.
3985 (call_string::~call_string): New decl.
3986 (call_string::recursive_log): New decl.
3987 (call_string::m_parent): New field.
3988 (call_string::m_children): New field.
3989 * constraint-manager.cc (selftest::test_many_constants): Pass
3990 model manager to program_point::origin.
3991 * engine.cc (exploded_graph::exploded_graph): Likewise.
3992 (exploded_graph::add_function_entry): Likewise for
3993 program_point::from_function_entry.
3994 (add_tainted_args_callback): Likewise.
3995 (exploded_graph::maybe_process_run_of_before_supernode_enodes):
3996 Update for change to program_point.get_call_string.
3997 (exploded_graph::process_node): Likewise.
3998 (class function_call_string_cluster): Convert m_cs from a
3999 call_string to a const call_string &.
4000 (struct function_call_string): Likewise.
4001 (pod_hash_traits<function_call_string>::hash): Use pointer_hash
4002 for m_cs.
4003 (pod_hash_traits<function_call_string>::equal): Update for change
4004 to m_cs.
4005 (root_cluster::add_node): Update for change to
4006 function_call_string.
4007 (viz_callgraph_node::dump_dot): Update for change to call_string.
4008 * exploded-graph.h (per_call_string_data::m_key): Convert to a
4009 reference.
4010 (struct eg_call_string_hash_map_traits): Delete.
4011 (exploded_graph::call_string_data_map_t): Remove traits class.
4012 * program-point.cc: Move include of "analyzer/call-string.h" to
4013 after "analyzer/analyzer-logging.h".
4014 (program_point::print): Update for conversion of m_call_string to
4015 a pointer.
4016 (program_point::to_json): Likewise.
4017 (program_point::push_to_call_stack): Update for immutability of
4018 call strings.
4019 (program_point::pop_from_call_stack): Likewise.
4020 (program_point::hash): Use pointer hashing for m_call_string.
4021 (program_point::get_function_at_depth): Update for change to
4022 m_call_string.
4023 (program_point::validate): Update for changes to call_string.
4024 (program_point::on_edge): Likewise.
4025 (program_point::origin): Move here from call-string.h. Add
4026 region_model_manager param and use it to get empty call string.
4027 (program_point::from_function_entry): Likewise.
4028 (selftest::test_function_point_ordering): Likewise.
4029 (selftest::test_function_point_ordering): Likewise.
4030 * program-point.h (program_point::program_point): Update for
4031 change to m_call_string.
4032 (program_point::get_call_string): Likewise.
4033 (program_point::get_stack_depth): Likewise.
4034 (program_point::origin): Add region_model_manager param, and move
4035 defn to call-string.cc.
4036 (program_point::from_function_entry): Likewise.
4037 (program_point::empty): Drop call_string.
4038 (program_point::deleted): Likewise.
4039 (program_point::program_point): New private ctor.
4040 (program_point::m_call_string): Convert from call_string to const
4041 call_string *.
4042 * program-state.cc (selftest::test_program_state_merging): Update
4043 for call_string changes.
4044 (selftest::test_program_state_merging_2): Likewise.
4045 * region-model-manager.cc
4046 (region_model_manager::region_model_manager): Construct
4047 m_empty_call_string.
4048 (region_model_manager::log_stats): Log the call strings.
4049 * region-model.cc (assert_region_models_merge): Pass the
4050 region_model_manager when creating program_point instances.
4051 (selftest::test_state_merging): Likewise.
4052 (selftest::test_constraint_merging): Likewise.
4053 (selftest::test_widening_constraints): Likewise.
4054 (selftest::test_iteration_1): Likewise.
4055 * region-model.h (region_model_manager::get_empty_call_string):
4056 New.
4057 (region_model_manager::m_empty_call_string): New.
4058 * sm-signal.cc (register_signal_handler::impl_transition): Update
4059 for changes to call_string.
4060
40612022-06-24 David Malcolm <dmalcolm@redhat.com>
4062
4063 * call-string.cc (call_string::calc_recursion_depth): Whitespace
4064 cleanups.
4065 (call_string::cmp): Likewise.
4066 (call_string::get_caller_node): Likewise.
4067 (call_string::validate): Likewise.
4068 * engine.cc (dynamic_call_info_t::add_events_to_path): Likewise.
4069 (exploded_graph::get_per_function_data): Likewise.
4070 (exploded_graph::maybe_create_dynamic_call): Likewise.
4071 (exploded_graph::maybe_create_dynamic_call): Likewise.
4072 (exploded_graph::process_node): Likewise.
4073
bc7e9f76
GA		 40742022-06-16 David Malcolm <dmalcolm@redhat.com>
4075
4076 * varargs.cc (va_arg_type_mismatch::emit): Associate the warning
4077 with CWE-686 ("Function Call With Incorrect Argument Type").
4078
40792022-06-16 David Malcolm <dmalcolm@redhat.com>
4080
4081 * varargs.cc: Include "diagnostic-metadata.h".
4082 (va_list_exhausted::emit): Associate the warning with
4083 CWE-685 ("Function Call With Incorrect Number of Arguments").
4084
40852022-06-16 David Malcolm <dmalcolm@redhat.com>
4086
4087 * sm-file.cc (double_fclose::emit): Associate the warning with
4088 CWE-1341 ("Multiple Releases of Same Resource or Handle").
4089
499b9c5f
GA		 40902022-06-15 David Malcolm <dmalcolm@redhat.com>
4091
4092 PR analyzer/105962
4093 * analyzer.opt (fanalyzer-undo-inlining): New option.
4094 * checker-path.cc: Include "diagnostic-core.h" and
4095 "inlining-iterator.h".
4096 (event_kind_to_string): Handle EK_INLINED_CALL.
4097 (class inlining_info): New class.
4098 (checker_event::checker_event): Move here from checker-path.h.
4099 Store original fndecl and depth, and calculate effective fndecl
4100 and depth based on inlining information.
4101 (checker_event::dump): Emit original depth as well as effective
4102 depth when they differ; likewise for fndecl.
4103 (region_creation_event::get_desc): Use m_effective_fndecl.
4104 (inlined_call_event::get_desc): New.
4105 (inlined_call_event::get_meaning): New.
4106 (checker_path::inject_any_inlined_call_events): New.
4107 * checker-path.h (enum event_kind): Add EK_INLINED_CALL.
4108 (checker_event::checker_event): Make protected, and move
4109 definition to checker-path.cc.
4110 (checker_event::get_fndecl): Use effective fndecl.
4111 (checker_event::get_stack_depth): Use effective stack depth.
4112 (checker_event::get_logical_location): Use effective stack depth.
4113 (checker_event::get_original_stack_depth): New.
4114 (checker_event::m_fndecl): Rename to...
4115 (checker_event::m_original_fndecl): ...this.
4116 (checker_event::m_depth): Rename to...
4117 (checker_event::m_original_depth): ...this.
4118 (checker_event::m_effective_fndecl): New field.
4119 (checker_event::m_effective_depth): New field.
4120 (class inlined_call_event): New checker_event subclass.
4121 (checker_path::inject_any_inlined_call_events): New decl.
4122 * diagnostic-manager.cc: Include "inlining-iterator.h".
4123 (diagnostic_manager::emit_saved_diagnostic): Call
4124 checker_path::inject_any_inlined_call_events.
4125 (diagnostic_manager::prune_for_sm_diagnostic): Handle
4126 EK_INLINED_CALL.
4127 * engine.cc (tainted_args_function_custom_event::get_desc): Use
4128 effective fndecl.
4129 * inlining-iterator.h: New file.
4130
41312022-06-15 David Malcolm <dmalcolm@redhat.com>
4132
4133 * diagnostic-manager.cc (saved_diagnostic::dump_dot_id): New.
4134 (saved_diagnostic::dump_as_dot_node): New.
4135 * diagnostic-manager.h (saved_diagnostic::dump_dot_id): New decl.
4136 (saved_diagnostic::dump_as_dot_node): New decl.
4137 * engine.cc (exploded_node::dump_dot): Add nodes for saved
4138 diagnostics.
4139
b168441c
GA		 41402022-06-02 David Malcolm <dmalcolm@redhat.com>
4141
4142 * checker-path.cc (checker_event::get_meaning): New.
4143 (function_entry_event::get_meaning): New.
4144 (state_change_event::get_desc): Add dump of meaning of the event
4145 to the -fanalyzer-verbose-state-changes output.
4146 (state_change_event::get_meaning): New.
4147 (cfg_edge_event::get_meaning): New.
4148 (call_event::get_meaning): New.
4149 (return_event::get_meaning): New.
4150 (start_consolidated_cfg_edges_event::get_meaning): New.
4151 (warning_event::get_meaning): New.
4152 * checker-path.h: Include "tree-logical-location.h".
4153 (checker_event::checker_event): Construct m_logical_loc.
4154 (checker_event::get_logical_location): New.
4155 (checker_event::get_meaning): New decl.
4156 (checker_event::m_logical_loc): New.
4157 (function_entry_event::get_meaning): New decl.
4158 (state_change_event::get_meaning): New decl.
4159 (cfg_edge_event::get_meaning): New decl.
4160 (call_event::get_meaning): New decl.
4161 (return_event::get_meaning): New decl.
4162 (start_consolidated_cfg_edges_event::get_meaning): New.
4163 (warning_event::get_meaning): New decl.
4164 * pending-diagnostic.h: Include "diagnostic-path.h".
4165 (pending_diagnostic::get_meaning_for_state_change): New vfunc.
4166 * sm-file.cc (file_diagnostic::get_meaning_for_state_change): New
4167 vfunc impl.
4168 * sm-malloc.cc (malloc_diagnostic::get_meaning_for_state_change):
4169 Likewise.
4170 * sm-sensitive.cc
4171 (exposure_through_output_file::get_meaning_for_state_change):
4172 Likewise.
4173 * sm-taint.cc (taint_diagnostic::get_meaning_for_state_change):
4174 Likewise.
4175 * varargs.cc
4176 (va_list_sm_diagnostic::get_meaning_for_state_change): Likewise.
4177
168fc8bd
GA		 41782022-05-23 David Malcolm <dmalcolm@redhat.com>
4179
4180 * call-info.cc: Add "final" and "override" to all vfunc
4181 implementations that were missing them, as appropriate.
4182 * engine.cc: Likewise.
4183 * region-model.cc: Likewise.
4184 * sm-malloc.cc: Likewise.
4185 * supergraph.h: Likewise.
4186 * svalue.cc: Likewise.
4187 * varargs.cc: Likewise.
4188
57f2ce6a
GA		 41892022-05-20 David Malcolm <dmalcolm@redhat.com>
4190
4191 * analyzer-pass.cc: Replace uses of "FINAL" and "OVERRIDE" with
4192 "final" and "override".
4193 * call-info.h: Likewise.
4194 * checker-path.h: Likewise.
4195 * constraint-manager.cc: Likewise.
4196 * diagnostic-manager.cc: Likewise.
4197 * engine.cc: Likewise.
4198 * exploded-graph.h: Likewise.
4199 * feasible-graph.h: Likewise.
4200 * pending-diagnostic.h: Likewise.
4201 * region-model-impl-calls.cc: Likewise.
4202 * region-model.cc: Likewise.
4203 * region-model.h: Likewise.
4204 * region.h: Likewise.
4205 * sm-file.cc: Likewise.
4206 * sm-malloc.cc: Likewise.
4207 * sm-pattern-test.cc: Likewise.
4208 * sm-sensitive.cc: Likewise.
4209 * sm-signal.cc: Likewise.
4210 * sm-taint.cc: Likewise.
4211 * state-purge.h: Likewise.
4212 * store.cc: Likewise.
4213 * store.h: Likewise.
4214 * supergraph.h: Likewise.
4215 * svalue.h: Likewise.
4216 * trimmed-graph.h: Likewise.
4217 * varargs.cc: Likewise.
4218
702bd11f
GA		 42192022-05-16 David Malcolm <dmalcolm@redhat.com>
4220
4221 PR analyzer/105103
4222 * analyzer.cc (make_label_text_n): New.
4223 * analyzer.h (class var_arg_region): New forward decl.
4224 (make_label_text_n): New decl.
4225 * analyzer.opt (Wanalyzer-va-arg-type-mismatch): New option.
4226 (Wanalyzer-va-list-exhausted): New option.
4227 (Wanalyzer-va-list-leak): New option.
4228 (Wanalyzer-va-list-use-after-va-end): New option.
4229 * checker-path.cc (call_event::get_desc): Split out decl access
4230 into..
4231 (call_event::get_caller_fndecl): ...this new function and...
4232 (call_event::get_callee_fndecl): ...this new function.
4233 * checker-path.h (call_event::get_desc): Drop "FINAL".
4234 (call_event::get_caller_fndecl): New decl.
4235 (call_event::get_callee_fndecl): New decl.
4236 (class call_event): Make fields protected.
4237 * diagnostic-manager.cc (null_assignment_sm_context::warn): New
4238 overload.
4239 (null_assignment_sm_context::get_new_program_state): New.
4240 (diagnostic_manager::add_events_for_superedge): Move case
4241 SUPEREDGE_CALL to a new pending_diagnostic::add_call_event vfunc.
4242 * engine.cc (impl_sm_context::warn): Implement new override.
4243 (impl_sm_context::get_new_program_state): New.
4244 * pending-diagnostic.cc: Include "analyzer/diagnostic-manager.h",
4245 "cpplib.h", "digraph.h", "ordered-hash-map.h", "cfg.h",
4246 "basic-block.h", "gimple.h", "gimple-iterator.h", "cgraph.h"
4247 "analyzer/supergraph.h", "analyzer/program-state.h",
4248 "alloc-pool.h", "fibonacci_heap.h", "shortest-paths.h",
4249 "sbitmap.h", "analyzer/exploded-graph.h", "diagnostic-path.h",
4250 and "analyzer/checker-path.h".
4251 (ht_ident_eq): New.
4252 (fixup_location_in_macro_p): New.
4253 (pending_diagnostic::fixup_location): New.
4254 (pending_diagnostic::add_call_event): New.
4255 * pending-diagnostic.h (pending_diagnostic::fixup_location): Drop
4256 no-op inline implementation in favor of the more complex
4257 implementation above.
4258 (pending_diagnostic::add_call_event): New vfunc.
4259 * region-model-impl-calls.cc: Include "analyzer/sm.h",
4260 "diagnostic-path.h", and "analyzer/pending-diagnostic.h".
4261 * region-model-manager.cc
4262 (region_model_manager::get_var_arg_region): New.
4263 (region_model_manager::log_stats): Log m_var_arg_regions.
4264 * region-model.cc (region_model::on_call_pre): Handle IFN_VA_ARG,
4265 BUILT_IN_VA_START, and BUILT_IN_VA_COPY.
4266 (region_model::on_call_post): Handle BUILT_IN_VA_END.
4267 (region_model::get_representative_path_var_1): Handle RK_VAR_ARG.
4268 (region_model::push_frame): Push variadic arguments.
4269 * region-model.h (region_model_manager::get_var_arg_region): New
4270 decl.
4271 (region_model_manager::m_var_arg_regions): New field.
4272 (region_model::impl_call_va_start): New decl.
4273 (region_model::impl_call_va_copy): New decl.
4274 (region_model::impl_call_va_arg): New decl.
4275 (region_model::impl_call_va_end): New decl.
4276 * region.cc (alloca_region::dump_to_pp): Dump the id.
4277 (var_arg_region::dump_to_pp): New.
4278 (var_arg_region::get_frame_region): New.
4279 * region.h (enum region_kind): Add RK_VAR_ARG.
4280 (region::dyn_cast_var_arg_region): New.
4281 (class var_arg_region): New.
4282 (is_a_helper <const var_arg_region *>::test): New.
4283 (struct default_hash_traits<var_arg_region::key_t>): New.
4284 * sm.cc (make_checkers): Call make_va_list_state_machine.
4285 * sm.h (sm_context::warn): New vfunc.
4286 (sm_context::get_old_svalue): Drop unused decl.
4287 (sm_context::get_new_program_state): New vfunc.
4288 (make_va_list_state_machine): New decl.
4289 * varargs.cc: New file.
4290
42912022-05-16 Martin Liska <mliska@suse.cz>
4292
4293 * engine.cc (exploded_node::get_dot_fillcolor): Use ARRAY_SIZE.
4294 * function-set.cc (test_stdio_example): Likewise.
4295 * sm-file.cc (get_file_using_fns): Likewise.
4296 * sm-malloc.cc (malloc_state_machine::unaffected_by_call_p): Likewise.
4297 * sm-signal.cc (get_async_signal_unsafe_fns): Likewise.
4298
9df4ffe4
GA		 42992022-05-13 Richard Biener <rguenther@suse.de>
4300
4301 * supergraph.cc: Re-order gimple-fold.h include.
4302
d0d513b5
GA		 43032022-05-11 David Malcolm <dmalcolm@redhat.com>
4304
4305 * checker-path.cc (state_change_event::get_desc): Call maybe_free
4306 on label_text temporaries.
4307 * diagnostic-manager.cc
4308 (diagnostic_manager::prune_for_sm_diagnostic): Likewise.
4309 * engine.cc (exploded_graph::~exploded_graph): Fix leak of
4310 m_per_point_data and m_per_call_string_data values. Simplify
4311 cleanup of m_per_function_stats and m_per_point_data values.
4312 (feasibility_state::maybe_update_for_edge): Fix leak of result of
4313 superedge::get_description.
4314 * region-model-manager.cc
4315 (region_model_manager::~region_model_manager): Move cleanup of
4316 m_setjmp_values to match the ordering of the fields within
4317 region_model_manager. Fix leak of values within
4318 m_repeated_values_map, m_bits_within_values_map,
4319 m_asm_output_values_map, and m_const_fn_result_values_map.
4320
6b6f53d8
GA		 43212022-04-28 David Malcolm <dmalcolm@redhat.com>
4322
4323 PR analyzer/105285
4324 * store.cc (binding_cluster::get_any_binding): Handle accessing
4325 sub_svalues of clusters where the base region has a symbolic
4326 binding.
4327
43282022-04-28 David Malcolm <dmalcolm@redhat.com>
4329
4330 * diagnostic-manager.cc (epath_finder::process_worklist_item):
4331 Call dump_feasible_path when a path that reaches the the target
4332 enode is found.
4333 (epath_finder::dump_feasible_path): New.
4334 * engine.cc (feasibility_state::dump_to_pp): New.
4335 * exploded-graph.h (feasibility_state::dump_to_pp): New decl.
4336 * feasible-graph.cc (feasible_graph::dump_feasible_path): New.
4337 * feasible-graph.h (feasible_graph::dump_feasible_path): New
4338 decls.
4339 * program-point.cc (function_point::print): Fix missing trailing
4340 newlines.
4341 * program-point.h (program_point::print_source_line): Remove
4342 unimplemented decl.
4343
98de0da6
GA		 43442022-04-25 David Malcolm <dmalcolm@redhat.com>
4345
4346 PR analyzer/105365
4347 PR analyzer/105366
4348 * svalue.cc
4349 (cmp_cst): Rename to...
4350 (cmp_csts_same_type): ...this. Convert all recursive calls to
4351 calls to...
4352 (cmp_csts_and_types): ....this new function.
4353 (svalue::cmp_ptr): Update for renaming of cmp_cst
4354
031bd52e
GA		 43552022-04-14 David Malcolm <dmalcolm@redhat.com>
4356
4357 PR analyzer/105264
4358 * region-model-reachability.cc (reachable_regions::handle_parm):
4359 Use maybe_get_deref_base_region rather than just region_svalue, to
4360 handle pointer arithmetic also.
4361 * svalue.cc (svalue::maybe_get_deref_base_region): New.
4362 * svalue.h (svalue::maybe_get_deref_base_region): New decl.
4363
43642022-04-14 David Malcolm <dmalcolm@redhat.com>
4365
4366 PR analyzer/105252
4367 * svalue.cc (cmp_cst): When comparing VECTOR_CSTs, compare the
4368 types of the encoded elements before calling cmp_cst on them.
4369
71cac7de
GA		 43702022-04-09 David Malcolm <dmalcolm@redhat.com>
4371
4372 PR analyzer/103892
4373 * region-model-manager.cc
4374 (region_model_manager::get_unknown_symbolic_region): New,
4375 extracted from...
4376 (region_model_manager::get_field_region): ...here.
4377 (region_model_manager::get_element_region): Use it here.
4378 (region_model_manager::get_offset_region): Likewise.
4379 (region_model_manager::get_sized_region): Likewise.
4380 (region_model_manager::get_cast_region): Likewise.
4381 (region_model_manager::get_bit_range): Likewise.
4382 * region-model.h
4383 (region_model_manager::get_unknown_symbolic_region): New decl.
4384 * region.cc (symbolic_region::symbolic_region): Handle sval_ptr
4385 having NULL type.
4386 (symbolic_region::dump_to_pp): Handle having NULL type.
4387
df00d103
GA		 43882022-04-07 David Malcolm <dmalcolm@redhat.com>
4389
4390 PR analyzer/102208
4391 * store.cc (binding_map::remove_overlapping_bindings): Add
4392 "always_overlap" param, using it to generalize to the case where
4393 we want to remove all bindings. Update "uncertainty" logic to
4394 only record maybe-bound values for cases where there is a symbolic
4395 write involved.
4396 (binding_cluster::mark_region_as_unknown): Split param "reg" into
4397 "reg_to_bind" and "reg_for_overlap".
4398 (binding_cluster::maybe_get_compound_binding): Pass "false" to
4399 binding_map::remove_overlapping_bindings new "always_overlap" param.
4400 (binding_cluster::remove_overlapping_bindings): Determine
4401 "always_overlap" and pass it to
4402 binding_map::remove_overlapping_bindings.
4403 (store::set_value): Pass uncertainty to remove_overlapping_bindings
4404 call. Update for new param of
4405 binding_cluster::mark_region_as_unknown, passing both the base
4406 region of the iter_cluster, and the lhs_reg.
4407 (store::mark_region_as_unknown): Update for new param of
4408 binding_cluster::mark_region_as_unknown, passing "reg" for both.
4409 (store::remove_overlapping_bindings): Add param "uncertainty", and
4410 pass it on to call to
4411 binding_cluster::remove_overlapping_bindings.
4412 * store.h (binding_map::remove_overlapping_bindings): Add
4413 "always_overlap" param.
4414 (binding_cluster::mark_region_as_unknown): Split param "reg" into
4415 "reg_to_bind" and "reg_for_overlap".
4416 (store::remove_overlapping_bindings): Add param "uncertainty".
4417
9f774626
GA		 44182022-03-29 David Malcolm <dmalcolm@redhat.com>
4419
4420 PR testsuite/105085
4421 * region-model-manager.cc (dump_untracked_region): Skip decls in
4422 the constant pool.
4423
44242022-03-29 David Malcolm <dmalcolm@redhat.com>
4425
4426 PR analyzer/105087
4427 * analyzer.h (class conjured_purge): New forward decl.
4428 * region-model-asm.cc (region_model::on_asm_stmt): Add
4429 conjured_purge param to calls binding_cluster::on_asm and
4430 region_model_manager::get_or_create_conjured_svalue.
4431 * region-model-impl-calls.cc
4432 (call_details::get_or_create_conjured_svalue): Likewise for call
4433 to region_model_manager::get_or_create_conjured_svalue.
4434 (region_model::impl_call_fgets): Remove call to
4435 region_model::purge_state_involving, as this is now done
4436 implicitly by call_details::get_or_create_conjured_svalue.
4437 (region_model::impl_call_fread): Likewise.
4438 (region_model::impl_call_strchr): Pass conjured_purge param to
4439 call to region_model_manager::get_or_create_conjured_svalue.
4440 * region-model-manager.cc (conjured_purge::purge): New.
4441 (region_model_manager::get_or_create_conjured_svalue): Add
4442 param "p". Use it to purge state when reusing an existing
4443 conjured_svalue.
4444 * region-model.cc (region_model::on_call_pre): Replace call to
4445 region_model::purge_state_involving with passing conjured_purge
4446 to region_model_manager::get_or_create_conjured_svalue.
4447 (region_model::handle_unrecognized_call): Pass conjured_purge to
4448 store::on_unknown_fncall.
4449 * region-model.h
4450 (region_model_manager::get_or_create_conjured_svalue): Add param
4451 "p".
4452 * store.cc (binding_cluster::on_unknown_fncall): Likewise. Pass
4453 it on to region_model_manager::get_or_create_conjured_svalue.
4454 (binding_cluster::on_asm): Likewise.
4455 (store::on_unknown_fncall): Add param "p" and pass it on to
4456 binding_cluster::on_unknown_fncall.
4457 * store.h (binding_cluster::on_unknown_fncall): Add param p.
4458 (binding_cluster::on_asm): Likewise.
4459 (store::on_unknown_fncall): Likewise.
4460 * svalue.h (class conjured_purge): New.
4461
44622022-03-29 David Malcolm <dmalcolm@redhat.com>
4463
4464 PR analyzer/105074
4465 * region.cc (ipa_ref_requires_tracking): Drop "context_fndecl",
4466 instead using the ref->referring to get the cgraph node of the
4467 caller.
4468 (symnode_requires_tracking_p): Likewise.
4469
d2906412
GA		 44702022-03-26 David Malcolm <dmalcolm@redhat.com>
4471
4472 PR analyzer/105057
4473 * store.cc (binding_cluster::make_unknown_relative_to): Reject
4474 attempts to create a cluster for untracked base regions.
4475 (store::set_value): Likewise.
4476 (store::fill_region): Likewise.
4477 (store::mark_region_as_unknown): Likewise.
4478
31e989a2
GA		 44792022-03-25 David Malcolm <dmalcolm@redhat.com>
4480
4481 PR analyzer/104954
4482 * analyzer.opt (-fdump-analyzer-untracked): New option.
4483 * engine.cc (impl_run_checkers): Handle it.
4484 * region-model-asm.cc (region_model::on_asm_stmt): Don't attempt
4485 to clobber regions with !tracked_p ().
4486 * region-model-manager.cc (dump_untracked_region): New.
4487 (region_model_manager::dump_untracked_regions): New.
4488 (frame_region::dump_untracked_regions): New.
4489 * region-model.h (region_model_manager::dump_untracked_regions):
4490 New decl.
4491 * region.cc (ipa_ref_requires_tracking): New.
4492 (symnode_requires_tracking_p): New.
4493 (decl_region::calc_tracked_p): New.
4494 * region.h (region::tracked_p): New vfunc.
4495 (frame_region::dump_untracked_regions): New decl.
4496 (class decl_region): Note that this is also used fo SSA names.
4497 (decl_region::decl_region): Initialize m_tracked.
4498 (decl_region::tracked_p): New.
4499 (decl_region::calc_tracked_p): New decl.
4500 (decl_region::m_tracked): New.
4501 * store.cc (store::get_or_create_cluster): Assert that we
4502 don't try to create clusters for base regions that aren't
4503 trackable.
4504 (store::mark_as_escaped): Don't mark base regions that we're not
4505 tracking.
4506
d1ca63a1
GA		 45072022-03-23 David Malcolm <dmalcolm@redhat.com>
4508
4509 PR analyzer/104979
4510 * engine.cc (impl_run_checkers): Create the engine after the
4511 supergraph, and pass the supergraph to the engine.
4512 * region-model.cc (region_model::get_lvalue_1): Pass ctxt to
4513 frame_region::get_region_for_local.
4514 (region_model::update_for_return_gcall): Pass the lvalue for the
4515 result to pop_frame as a tree, rather than as a region.
4516 (region_model::pop_frame): Update for above change, determining
4517 the destination region after the frame is popped and thus with
4518 respect to the caller frame rather than the called frame.
4519 Likewise, set the value of the region to the return value after
4520 the frame is popped.
4521 (engine::engine): Add supergraph pointer.
4522 (selftest::test_stack_frames): Set the DECL_CONTECT of PARM_DECLs.
4523 (selftest::test_get_representative_path_var): Likewise.
4524 (selftest::test_state_merging): Likewise.
4525 * region-model.h (region_model::pop_frame): Convert first param
4526 from a const region * to a tree.
4527 (engine::engine): Add param "sg".
4528 (engine::m_sg): New field.
4529 * region.cc: Include "analyzer/sm.h" and
4530 "analyzer/program-state.h".
4531 (frame_region::get_region_for_local): Add "ctxt" param.
4532 Add assertions that VAR_DECLs are locals, and that expr is for the
4533 correct function.
4534 * region.h (frame_region::get_region_for_local): Add "ctxt" param.
4535
45362022-03-23 David Malcolm <dmalcolm@redhat.com>
4537
4538 PR analyzer/105017
4539 * sm-taint.cc (taint_diagnostic::subclass_equal_p): Check
4540 m_has_bounds as well as m_arg.
4541 (tainted_allocation_size::subclass_equal_p): Chain up to base
4542 class implementation. Also check m_mem_space.
4543 (tainted_allocation_size::emit): Add note showing stack-based vs
4544 heap-based allocations.
4545
45462022-03-23 David Malcolm <dmalcolm@redhat.com>
4547
4548 PR analyzer/104997
4549 * diagnostic-manager.cc (diagnostic_manager::add_diagnostic):
4550 Convert return type from "void" to "bool", reporting success vs
4551 failure to caller, for both overloads.
4552 * diagnostic-manager.h (diagnostic_manager::add_diagnostic):
4553 Likewise.
4554 * engine.cc (impl_region_model_context::warn): Propagate return
4555 value from diagnostic_manager::add_diagnostic.
4556
8ca61ad1
GA		 45572022-03-18 David Malcolm <dmalcolm@redhat.com>
4558
4559 PR analyzer/104943
4560 PR analyzer/104954
4561 PR analyzer/103533
4562 * analyzer.h (class state_purge_per_decl): New forward decl.
4563 * engine.cc (impl_run_checkers): Pass region_model_manager to
4564 state_purge_map ctor.
4565 * program-point.cc (function_point::final_stmt_p): New.
4566 (function_point::get_next): New.
4567 * program-point.h (function_point::final_stmt_p): New decl.
4568 (function_point::get_next): New decl.
4569 * program-state.cc (program_state::prune_for_point): Generalize to
4570 purge local decls as well as SSA names.
4571 (program_state::can_purge_base_region_p): New.
4572 * program-state.h (program_state::can_purge_base_region_p): New
4573 decl.
4574 * region-model.cc (struct append_ssa_names_cb_data): Rename to...
4575 (struct append_regions_cb_data): ...this.
4576 (region_model::get_ssa_name_regions_for_current_frame): Rename
4577 to...
4578 (region_model::get_regions_for_current_frame): ...this, updating
4579 for other renamings.
4580 (region_model::append_ssa_names_cb): Rename to...
4581 (region_model::append_regions_cb): ...this, and drop the requirement
4582 that the subregion be a SSA name.
4583 * region-model.h (struct append_ssa_names_cb_data): Rename decl
4584 to...
4585 (struct append_regions_cb_data): ...this.
4586 (region_model::get_ssa_name_regions_for_current_frame): Rename
4587 decl to...
4588 (region_model::get_regions_for_current_frame): ...this.
4589 (region_model::append_ssa_names_cb): Rename decl to...
4590 (region_model::append_regions_cb): ...this.
4591 * state-purge.cc: Include "tristate.h", "selftest.h",
4592 "analyzer/store.h", "analyzer/region-model.h", and
4593 "gimple-walk.h".
4594 (get_candidate_for_purging): New.
4595 (class gimple_op_visitor): New.
4596 (my_load_cb): New.
4597 (my_store_cb): New.
4598 (my_addr_cb): New.
4599 (state_purge_map::state_purge_map): Add "mgr" param. Update for
4600 renamings. Find uses of local variables.
4601 (state_purge_map::~state_purge_map): Update for renaming of m_map
4602 to m_ssa_map. Clean up m_decl_map.
4603 (state_purge_map::get_or_create_data_for_decl): New.
4604 (state_purge_per_ssa_name::state_purge_per_ssa_name): Update for
4605 inheriting from state_purge_per_tree.
4606 (state_purge_per_ssa_name::add_to_worklist): Likewise.
4607 (state_purge_per_decl::state_purge_per_decl): New.
4608 (state_purge_per_decl::add_needed_at): New.
4609 (state_purge_per_decl::add_pointed_to_at): New.
4610 (state_purge_per_decl::process_worklists): New.
4611 (state_purge_per_decl::add_to_worklist): New.
4612 (same_binding_p): New.
4613 (fully_overwrites_p): New.
4614 (state_purge_per_decl::process_point_backwards): New.
4615 (state_purge_per_decl::process_point_forwards): New.
4616 (state_purge_per_decl::needed_at_point_p): New.
4617 (state_purge_annotator::print_needed): Generalize to print local
4618 decls as well as SSA names.
4619 * state-purge.h (class state_purge_map): Update leading comment.
4620 (state_purge_map::map_t): Rename to...
4621 (state_purge_map::ssa_map_t): ...this.
4622 (state_purge_map::iterator): Rename to...
4623 (state_purge_map::ssa_iterator): ...this.
4624 (state_purge_map::decl_map_t): New typedef.
4625 (state_purge_map::decl_iterator): New typedef.
4626 (state_purge_map::state_purge_map): Add "mgr" param.
4627 (state_purge_map::get_data_for_ssa_name): Update for renaming.
4628 (state_purge_map::get_any_data_for_decl): New.
4629 (state_purge_map::get_or_create_data_for_decl): New decl.
4630 (state_purge_map::begin): Rename to...
4631 (state_purge_map::begin_ssas): ...this.
4632 (state_purge_map::end): Rename to...
4633 (state_purge_map::end_ssa): ...this.
4634 (state_purge_map::begin_decls): New.
4635 (state_purge_map::end_decls): New.
4636 (state_purge_map::m_map): Rename to...
4637 (state_purge_map::m_ssa_map): ...this.
4638 (state_purge_map::m_decl_map): New field.
4639 (class state_purge_per_tree): New class.
4640 (class state_purge_per_ssa_name): Inherit from state_purge_per_tree.
4641 (state_purge_per_ssa_name::get_function): Move to base class.
4642 (state_purge_per_ssa_name::point_set_t): Likewise.
4643 (state_purge_per_ssa_name::m_fun): Likewise.
4644 (class state_purge_per_decl): New.
4645
e9ea3016
GA		 46462022-03-17 David Malcolm <dmalcolm@redhat.com>
4647
4648 * state-purge.cc (state_purge_annotator::add_node_annotations):
4649 Avoid duplicate before-supernode annotations when returning from
4650 an interprocedural call. Show after-supernode annotations.
4651
46522022-03-17 David Malcolm <dmalcolm@redhat.com>
4653
4654 * program-point.cc (program_point::get_next): Fix missing
4655 increment of index.
4656
9fc8f278
GA		 46572022-03-16 David Malcolm <dmalcolm@redhat.com>
4658
4659 PR analyzer/104955
4660 * diagnostic-manager.cc (get_emission_location): New.
4661 (diagnostic_manager::diagnostic_manager): Initialize
4662 m_num_disabled_diagnostics.
4663 (diagnostic_manager::add_diagnostic): Reject diagnostics that
4664 will eventually be rejected due to being disabled.
4665 (diagnostic_manager::emit_saved_diagnostics): Log the number
4666 of disabled diagnostics.
4667 (diagnostic_manager::emit_saved_diagnostic): Split out logic for
4668 determining emission location to get_emission_location.
4669 * diagnostic-manager.h
4670 (diagnostic_manager::m_num_disabled_diagnostics): New field.
4671 * engine.cc (stale_jmp_buf::get_controlling_option): New.
4672 (stale_jmp_buf::emit): Use it.
4673 * pending-diagnostic.h
4674 (pending_diagnostic::get_controlling_option): New vfunc.
4675 * region-model.cc
4676 (poisoned_value_diagnostic::get_controlling_option): New.
4677 (poisoned_value_diagnostic::emit): Use it.
4678 (shift_count_negative_diagnostic::get_controlling_option): New.
4679 (shift_count_negative_diagnostic::emit): Use it.
4680 (shift_count_overflow_diagnostic::get_controlling_option): New.
4681 (shift_count_overflow_diagnostic::emit): Use it.
4682 (dump_path_diagnostic::get_controlling_option): New.
4683 (dump_path_diagnostic::emit): Use it.
4684 (write_to_const_diagnostic::get_controlling_option): New.
4685 (write_to_const_diagnostic::emit): Use it.
4686 (write_to_string_literal_diagnostic::get_controlling_option): New.
4687 (write_to_string_literal_diagnostic::emit): Use it.
4688 * sm-file.cc (double_fclose::get_controlling_option): New.
4689 (double_fclose::emit): Use it.
4690 (file_leak::get_controlling_option): New.
4691 (file_leak::emit): Use it.
4692 * sm-malloc.cc (mismatching_deallocation::get_controlling_option):
4693 New.
4694 (mismatching_deallocation::emit): Use it.
4695 (double_free::get_controlling_option): New.
4696 (double_free::emit): Use it.
4697 (possible_null_deref::get_controlling_option): New.
4698 (possible_null_deref::emit): Use it.
4699 (possible_null_arg::get_controlling_option): New.
4700 (possible_null_arg::emit): Use it.
4701 (null_deref::get_controlling_option): New.
4702 (null_deref::emit): Use it.
4703 (null_arg::get_controlling_option): New.
4704 (null_arg::emit): Use it.
4705 (use_after_free::get_controlling_option): New.
4706 (use_after_free::emit): Use it.
4707 (malloc_leak::get_controlling_option): New.
4708 (malloc_leak::emit): Use it.
4709 (free_of_non_heap::get_controlling_option): New.
4710 (free_of_non_heap::emit): Use it.
4711 * sm-pattern-test.cc (pattern_match::get_controlling_option): New.
4712 (pattern_match::emit): Use it.
4713 * sm-sensitive.cc
4714 (exposure_through_output_file::get_controlling_option): New.
4715 (exposure_through_output_file::emit): Use it.
4716 * sm-signal.cc (signal_unsafe_call::get_controlling_option): New.
4717 (signal_unsafe_call::emit): Use it.
4718 * sm-taint.cc (tainted_array_index::get_controlling_option): New.
4719 (tainted_array_index::emit): Use it.
4720 (tainted_offset::get_controlling_option): New.
4721 (tainted_offset::emit): Use it.
4722 (tainted_size::get_controlling_option): New.
4723 (tainted_size::emit): Use it.
4724 (tainted_divisor::get_controlling_option): New.
4725 (tainted_divisor::emit): Use it.
4726 (tainted_allocation_size::get_controlling_option): New.
4727 (tainted_allocation_size::emit): Use it.
4728
14d2ac82
GA		 47292022-03-15 David Malcolm <dmalcolm@redhat.com>
4730
4731 * store.cc (store::store): Presize m_cluster_map.
4732
5e28be89
GA		 47332022-03-10 David Malcolm <dmalcolm@redhat.com>
4734
4735 PR analyzer/104863
4736 * constraint-manager.cc (constraint_manager::add_constraint):
4737 Refresh the EC IDs when adding constraints implied by offsets.
4738
47392022-03-10 David Malcolm <dmalcolm@redhat.com>
4740
4741 PR analyzer/104793
4742 * analyzer.h (class pending_note): New forward decl.
4743 * diagnostic-manager.cc (saved_diagnostic::saved_diagnostic):
4744 Initialize m_notes.
4745 (saved_diagnostic::operator==): Compare m_notes.
4746 (saved_diagnostic::add_note): New.
4747 (saved_diagnostic::emit_any_notes): New.
4748 (diagnostic_manager::add_note): New.
4749 (diagnostic_manager::emit_saved_diagnostic): Call emit_any_notes
4750 after emitting the warning.
4751 * diagnostic-manager.h (saved_diagnostic::add_note): New decl.
4752 (saved_diagnostic::emit_any_notes): New decl.
4753 (saved_diagnostic::m_notes): New field.
4754 (diagnostic_manager::add_note): New decl.
4755 * engine.cc (impl_region_model_context::add_note): New.
4756 * exploded-graph.h (impl_region_model_context::add_note): New
4757 decl.
4758 * pending-diagnostic.h (class pending_note): New.
4759 (class pending_note_subclass): New template.
4760 * region-model.cc (class reason_attr_access): New.
4761 (check_external_function_for_access_attr): Add class
4762 annotating_ctxt and use it when checking region.
4763 (noop_region_model_context::add_note): New.
4764 * region-model.h (region_model_context::add_note): New vfunc.
4765 (noop_region_model_context::add_note): New decl.
4766 (class region_model_context_decorator): New.
4767 (class note_adding_context): New.
4768
47692022-03-10 David Malcolm <dmalcolm@redhat.com>
4770
4771 PR analyzer/104793
4772 * region-model.cc
4773 (region_model::check_external_function_for_access_attr): New.
4774 (region_model::handle_unrecognized_call): Call it.
4775 * region-model.h
4776 (region_model::check_external_function_for_access_attr): New decl.
4777 (region_model::handle_unrecognized_call): New decl.
4778
47792022-03-10 David Malcolm <dmalcolm@redhat.com>
4780
4781 * sm-taint.cc (taint_state_machine::check_for_tainted_size_arg):
4782 Avoid generating duplicate saved_diagnostics by only handling the
4783 rdwr_map entry for the ptrarg, not the duplicate entry for the
4784 sizarg.
4785
e6533e2e
GA		 47862022-03-07 David Malcolm <dmalcolm@redhat.com>
4787
4788 PR analyzer/101983
4789 * engine.cc (returning_from_function_p): New.
4790 (impl_region_model_context::on_state_leak): Use it when rejecting
4791 leaks at the return from "main".
4792
47932022-03-07 Jakub Jelinek <jakub@redhat.com>
4794
4795 * store.cc: Fix up duplicated word issue in a comment.
4796 * analyzer.cc: Likewise.
4797 * engine.cc: Likewise.
4798 * sm-taint.cc: Likewise.
4799
8d96e14c
GA		 48002022-03-04 David Malcolm <dmalcolm@redhat.com>
4801
4802 PR analyzer/103521
4803 * analyzer.opt (-param=analyzer-max-svalue-depth=): Reduce from 13
4804 to 12.
4805
4bf3bac1
GA		 48062022-02-23 David Malcolm <dmalcolm@redhat.com>
4807
4808 PR analyzer/104434
4809 * analyzer.h (class const_fn_result_svalue): New decl.
4810 * region-model-impl-calls.cc (call_details::get_manager): New.
4811 * region-model-manager.cc
4812 (region_model_manager::get_or_create_const_fn_result_svalue): New.
4813 (region_model_manager::log_stats): Log
4814 m_const_fn_result_values_map.
4815 * region-model.cc (const_fn_p): New.
4816 (maybe_get_const_fn_result): New.
4817 (region_model::on_call_pre): Handle fndecls with
4818 __attribute__((const)) by calling the above rather than making
4819 a conjured_svalue.
4820 * region-model.h (visitor::visit_const_fn_result_svalue): New.
4821 (region_model_manager::get_or_create_const_fn_result_svalue): New
4822 decl.
4823 (region_model_manager::const_fn_result_values_map_t): New typedef.
4824 (region_model_manager::m_const_fn_result_values_map): New field.
4825 (call_details::get_manager): New decl.
4826 * svalue.cc (svalue::cmp_ptr): Handle SK_CONST_FN_RESULT.
4827 (const_fn_result_svalue::dump_to_pp): New.
4828 (const_fn_result_svalue::dump_input): New.
4829 (const_fn_result_svalue::accept): New.
4830 * svalue.h (enum svalue_kind): Add SK_CONST_FN_RESULT.
4831 (svalue::dyn_cast_const_fn_result_svalue): New.
4832 (class const_fn_result_svalue): New.
4833 (is_a_helper <const const_fn_result_svalue *>::test): New.
4834 (template <> struct default_hash_traits<const_fn_result_svalue::key_t>):
4835 New.
4836
0bdb0498
GA		 48372022-02-17 David Malcolm <dmalcolm@redhat.com>
4838
4839 PR analyzer/104576
4840 * region-model.cc: Include "calls.h".
4841 (region_model::on_call_pre): Use flags_from_decl_or_type to
4842 generalize check for DECL_PURE_P to also check for ECF_CONST.
4843
cb3afcd2
GA		 48442022-02-16 David Malcolm <dmalcolm@redhat.com>
4845
4846 PR analyzer/104560
4847 * diagnostic-manager.cc (diagnostic_manager::build_emission_path):
4848 Add region creation events for globals of interest.
4849 (null_assignment_sm_context::get_old_program_state): New.
4850 (diagnostic_manager::add_events_for_eedge): Move check for
4851 changing dynamic extents from PK_BEFORE_STMT case to after the
4852 switch on the dst_point's kind so that we can emit them for the
4853 final stmt in a basic block.
4854 * engine.cc (impl_sm_context::get_old_program_state): New.
4855 * sm-malloc.cc (malloc_state_machine::get_default_state): Rewrite
4856 detection of m_non_heap to use get_memory_space.
4857 (free_of_non_heap::free_of_non_heap): Add freed_reg param.
4858 (free_of_non_heap::subclass_equal_p): Update for changes to
4859 fields.
4860 (free_of_non_heap::emit): Drop m_kind in favor of
4861 get_memory_space.
4862 (free_of_non_heap::describe_state_change): Remove logic for
4863 detecting alloca.
4864 (free_of_non_heap::mark_interesting_stuff): Add region-creation of
4865 m_freed_reg.
4866 (free_of_non_heap::get_memory_space): New.
4867 (free_of_non_heap::kind): Drop enum.
4868 (free_of_non_heap::m_freed_reg): New field.
4869 (free_of_non_heap::m_kind): Drop field.
4870 (malloc_state_machine::on_stmt): Drop transition to m_non_heap.
4871 (malloc_state_machine::handle_free_of_non_heap): New function,
4872 split out from on_deallocator_call and on_realloc_call, adding
4873 detection of the freed region.
4874 (malloc_state_machine::on_deallocator_call): Use it.
4875 (malloc_state_machine::on_realloc_call): Likewise.
4876 * sm.h (sm_context::get_old_program_state): New vfunc.
4877
875e493b
GA		 48782022-02-15 David Malcolm <dmalcolm@redhat.com>
4879
4880 PR analyzer/104524
4881 * region-model-manager.cc
4882 (region_model_manager::maybe_fold_sub_svalue): Only call
4883 get_or_create_cast if type is non-NULL.
4884
48852022-02-15 David Malcolm <dmalcolm@redhat.com>
4886
4887 PR analyzer/102692
4888 * exploded-graph.h (impl_region_model_context::get_stmt): New.
4889 * region-model.cc: Include "gimple-ssa.h", "tree-phinodes.h",
4890 "tree-ssa-operands.h", and "ssa-iterators.h".
4891 (within_short_circuited_stmt_p): New.
4892 (region_model::check_for_poison): Don't warn about uninit values
4893 if within_short_circuited_stmt_p.
4894 * region-model.h (region_model_context::get_stmt): New vfunc.
4895 (noop_region_model_context::get_stmt): New.
4896
e8d68f0a
GA		 48972022-02-11 David Malcolm <dmalcolm@redhat.com>
4898
4899 PR analyzer/104274
4900 * region-model.cc (region_model::check_for_poison): Ignore
4901 uninitialized uses of empty types.
4902
a645583d
GA		 49032022-02-10 David Malcolm <dmalcolm@redhat.com>
4904
4905 PR analyzer/98797
4906 * region-model-manager.cc
4907 (region_model_manager::maybe_fold_sub_svalue): Generalize getting
4908 individual chars of a STRING_CST from element_region to any
4909 subregion which is a concrete access of a single byte from its
4910 parent region.
4911 * region.cc (region::get_relative_concrete_byte_range): New.
4912 * region.h (region::get_relative_concrete_byte_range): New decl.
4913
3adf509f
GA		 49142022-02-09 David Malcolm <dmalcolm@redhat.com>
4915
4916 PR analyzer/104452
4917 * region-model.cc (selftest::test_bit_range_regions): New.
4918 (selftest::analyzer_region_model_cc_tests): Call it.
4919 * region.h (bit_range_region::key_t::hash): Fix hashing of m_bits
4920 to avoid using uninitialized data.
4921
cc2430c1
GA		 49222022-02-07 David Malcolm <dmalcolm@redhat.com>
4923
4924 PR analyzer/104417
4925 * sm-taint.cc (tainted_allocation_size::tainted_allocation_size):
4926 Remove overzealous assertion.
4927 (tainted_allocation_size::emit): Likewise.
4928 (region_model::check_dynamic_size_for_taint): Likewise.
4929
49302022-02-07 David Malcolm <dmalcolm@redhat.com>
4931
4932 PR analyzer/103872
4933 * region-model-impl-calls.cc (region_model::impl_call_memcpy):
4934 Reimplement in terms of a get_store_value followed by a set_value.
4935
682ede39
GA		 49362022-02-03 David Malcolm <dmalcolm@redhat.com>
4937
4938 PR analyzer/104369
4939 * engine.cc (exploded_graph::process_node): Use the node for any
4940 diagnostics, avoiding ICE if a bifurcation update adds a
4941 saved_diagnostic, such as for a tainted realloc size.
4942 * region-model-impl-calls.cc
4943 (region_model::impl_call_realloc::success_no_move::update_model):
4944 Require the old pointer to be non-NULL to be able successfully
4945 grow in place. Use model->deref_rvalue rather than maybe_get_region
4946 to support the old pointer being symbolic.
4947 (region_model::impl_call_realloc::success_with_move::update_model):
4948 Likewise. Add a constraint that the new pointer != the old pointer.
4949 Use a sized_region when setting the value of the new region.
4950 Handle the case where we don't know the dynamic size of the old
4951 region by marking the new region as unknown.
4952 * sm-taint.cc (tainted_allocation_size::tainted_allocation_size):
4953 Update assertion to also allow for MEMSPACE_UNKNOWN.
4954 (tainted_allocation_size::emit): Likewise.
4955 (region_model::check_dynamic_size_for_taint): Likewise.
4956
49572022-02-03 David Malcolm <dmalcolm@redhat.com>
4958
4959 * region-model-impl-calls.cc (region_model::impl_call_calloc): Use
4960 a sized_region when calling zero_fill_region.
4961
88944e13
GA		 49622022-02-02 David Malcolm <dmalcolm@redhat.com>
4963
4964 * region-model.cc (region_model::on_return): Replace usage of
4965 copy_region with get_rvalue/set_value pair.
4966 (region_model::pop_frame): Likewise.
4967 (selftest::test_compound_assignment): Likewise.
4968 * region-model.h (region_model::copy_region): Delete decl.
4969 * region.cc (region_model::copy_region): Delete.
4970
49712022-02-02 David Malcolm <dmalcolm@redhat.com>
4972
4973 * region.cc (region::calc_offset): Consolidate effectively
4974 identical cases.
4975
49762022-02-02 David Malcolm <dmalcolm@redhat.com>
4977
4978 * analyzer.h (class bit_range_region): New forward decl.
4979 * region-model-manager.cc (region_model_manager::get_bit_range):
4980 New.
4981 (region_model_manager::log_stats): Handle m_bit_range_regions.
4982 * region-model.cc (region_model::get_lvalue_1): Handle
4983 BIT_FIELD_REF.
4984 * region-model.h (region_model_manager::get_bit_range): New decl.
4985 (region_model_manager::m_bit_range_regions): New field.
4986 * region.cc (region::get_base_region): Handle RK_BIT_RANGE.
4987 (region::base_region_p): Likewise.
4988 (region::calc_offset): Likewise.
4989 (bit_range_region::dump_to_pp): New.
4990 (bit_range_region::get_byte_size): New.
4991 (bit_range_region::get_bit_size): New.
4992 (bit_range_region::get_byte_size_sval): New.
4993 (bit_range_region::get_relative_concrete_offset): New.
4994 * region.h (enum region_kind): Add RK_BIT_RANGE.
4995 (region::dyn_cast_bit_range_region): New vfunc.
4996 (class bit_range_region): New.
4997 (is_a_helper <const bit_range_region *>::test): New.
4998 (default_hash_traits<bit_range_region::key_t>): New.
4999
50002022-02-02 David Malcolm <dmalcolm@redhat.com>
5001
5002 PR analyzer/104270
5003 * region-model.cc (region_model::on_call_pre): Handle
5004 IFN_DEFERRED_INIT.
5005
99f17e99
GA		 50062022-01-27 David Malcolm <dmalcolm@redhat.com>
5007
5008 * checker-path.cc (event_kind_to_string): Handle
5009 EK_REGION_CREATION.
5010 (region_creation_event::region_creation_event): New.
5011 (region_creation_event::get_desc): New.
5012 (checker_path::add_region_creation_event): New.
5013 * checker-path.h (enum event_kind): Add EK_REGION_CREATION.
5014 (class region_creation_event): New subclass.
5015 (checker_path::add_region_creation_event): New decl.
5016 * diagnostic-manager.cc
5017 (diagnostic_manager::emit_saved_diagnostic): Pass NULL for new
5018 param to add_events_for_eedge when handling trailing eedge.
5019 (diagnostic_manager::build_emission_path): Create an interesting_t
5020 instance, allow the pending diagnostic to populate it, and pass it
5021 to the calls to add_events_for_eedge.
5022 (diagnostic_manager::add_events_for_eedge): Add "interest" param.
5023 Use it to add region_creation_events for on-stack regions created
5024 within at function entry, and when pertinent dynamically-sized
5025 regions are created.
5026 (diagnostic_manager::prune_for_sm_diagnostic): Add case for
5027 EK_REGION_CREATION.
5028 * diagnostic-manager.h (diagnostic_manager::add_events_for_eedge):
5029 Add "interest" param.
5030 * pending-diagnostic.cc: Include "selftest.h", "tristate.h",
5031 "analyzer/call-string.h", "analyzer/program-point.h",
5032 "analyzer/store.h", and "analyzer/region-model.h".
5033 (interesting_t::add_region_creation): New.
5034 (interesting_t::dump_to_pp): New.
5035 * pending-diagnostic.h (struct interesting_t): New.
5036 (pending_diagnostic::mark_interesting_stuff): New vfunc.
5037 * region-model.cc
5038 (poisoned_value_diagnostic::poisoned_value_diagnostic): Add
5039 (poisoned_value_diagnostic::operator==): Compare m_pkind and
5040 m_src_region fields.
5041 (poisoned_value_diagnostic::mark_interesting_stuff): New.
5042 (poisoned_value_diagnostic::m_src_region): New.
5043 (region_model::check_for_poison): Call
5044 get_region_for_poisoned_expr for uninit values and pass the resul
5045 to the diagnostic.
5046 (region_model::get_region_for_poisoned_expr): New.
5047 (region_model::deref_rvalue): Pass NULL for
5048 poisoned_value_diagnostic's src_region.
5049 * region-model.h (region_model::get_region_for_poisoned_expr): New
5050 decl.
5051 * region.h (frame_region::get_fndecl): New.
5052
50532022-01-27 Martin Liska <mliska@suse.cz>
5054
5055 PR analyzer/104247
5056 * constraint-manager.cc (bounded_ranges_manager::log_stats):
5057 Cast to long for format purpose.
5058 * region-model-manager.cc (log_uniq_map): Likewise.
5059
eaa59070
GA		 50602022-01-26 David Malcolm <dmalcolm@redhat.com>
5061
5062 PR analyzer/104224
5063 * region-model.cc (region_model::check_call_args): New.
5064 (region_model::on_call_pre): Call it when ignoring stdio builtins.
5065 * region-model.h (region_model::check_call_args): New decl
5066
50672022-01-26 David Malcolm <dmalcolm@redhat.com>
5068
5069 PR analyzer/94362
5070 * constraint-manager.cc (range::add_bound): Fix tests for
5071 discarding redundant constraints. Perform test for rejecting
5072 unsatisfiable constraints earlier so that they don't update
5073 the object on failure.
5074 (selftest::test_range): New.
5075 (selftest::test_constant_comparisons): Add test coverage for
5076 existing constraints becoming narrower until they are
5077 unsatisfiable.
5078 (selftest::run_constraint_manager_tests): Call test_range.
5079
d43be9dc
GA		 50802022-01-22 David Malcolm <dmalcolm@redhat.com>
5081
5082 PR analyzer/104159
5083 * region-model-manager.cc
5084 (region_model_manager::get_or_create_cast): Bail out if the types
5085 are the same. Don't attempt to handle casts involving vector
5086 types.
5087
5fa55d55
GA		 50882022-01-20 David Malcolm <dmalcolm@redhat.com>
5089
5090 PR analyzer/94362
5091 * constraint-manager.cc (bound::ensure_closed): Convert param to
5092 enum bound_kind.
5093 (range::constrained_to_single_element): Likewise.
5094 (range::add_bound): New.
5095 (constraint_manager::add_constraint): Handle SVAL + OFFSET
5096 compared to a constant.
5097 (constraint_manager::get_ec_bounds): Rewrite in terms of
5098 range::add_bound.
5099 (constraint_manager::eval_condition): Reject if range::add_bound
5100 fails.
5101 (selftest::test_constant_comparisons): Add test coverage for
5102 various impossible combinations of integer comparisons.
5103 * constraint-manager.h (enum bound_kind): New.
5104 (struct bound): Likewise.
5105 (bound::ensure_closed): Convert to param to enum bound_kind.
5106 (struct range): Convert to...
5107 (class range): ...this, making fields private.
5108 (range::add_bound): New decls.
5109 * region-model.cc (region_model::add_constraint): Fail if
5110 constraint_manager::add_constraint fails.
5111
7a761ae6
GA		 51122022-01-18 David Malcolm <dmalcolm@redhat.com>
5113
5114 PR analyzer/104089
5115 * region-model-manager.cc
5116 (region_model_manager::get_or_create_constant_svalue): Assert that
5117 we have a CONSTANT_CLASS_P.
5118 (region_model_manager::maybe_fold_unaryop): Only fold a constant
5119 when fold_unary's result is a constant or a cast of a constant.
5120
51212022-01-18 David Malcolm <dmalcolm@redhat.com>
5122
5123 PR analyzer/104062
5124 * region-model-manager.cc
5125 (region_model_manager::maybe_fold_sub_svalue): Avoid casting to
5126 NULL type when folding access to repeated svalue.
5127
fc829782
GA		 51282022-01-17 Martin Liska <mliska@suse.cz>
5129
5130 * analyzer.cc (is_special_named_call_p): Rename .c names to .cc.
5131 (is_named_call_p): Likewise.
5132 * region-model-asm.cc (deterministic_p): Likewise.
5133 * region.cc (field_region::get_relative_concrete_offset): Likewise.
5134 * sm-malloc.cc (method_p): Likewise.
5135 * supergraph.cc (superedge::dump_dot): Likewise.
5136
617db51d
GA		 51372022-01-14 David Malcolm <dmalcolm@redhat.com>
5138
5139 * sm-taint.cc (taint_state_machine::combine_states): Handle combination
5140 of has_ub and has_lb.
5141
51422022-01-14 David Malcolm <dmalcolm@redhat.com>
5143
5144 PR analyzer/104029
5145 * sm-taint.cc (taint_state_machine::alt_get_inherited_state):
5146 Remove gcc_unreachable from default case for unary ops.
5147
51482022-01-14 David Malcolm <dmalcolm@redhat.com>
5149
5150 * engine.cc: Include "stringpool.h", "attribs.h", and
5151 "tree-dfa.h".
5152 (mark_params_as_tainted): New.
5153 (class tainted_args_function_custom_event): New.
5154 (class tainted_args_function_info): New.
5155 (exploded_graph::add_function_entry): Handle functions with
5156 "tainted_args" attribute.
5157 (class tainted_args_field_custom_event): New.
5158 (class tainted_args_callback_custom_event): New.
5159 (class tainted_args_call_info): New.
5160 (add_tainted_args_callback): New.
5161 (add_any_callbacks): New.
5162 (exploded_graph::build_initial_worklist): Likewise.
5163 (exploded_graph::build_initial_worklist): Find callbacks that are
5164 reachable from global initializers, calling add_any_callbacks on
5165 them.
5166
02a8a01b
GA		 51672022-01-12 David Malcolm <dmalcolm@redhat.com>
5168
5169 PR analyzer/103940
5170 * engine.cc (impl_sm_context::impl_sm_context): Add
5171 "unknown_side_effects" param and use it to initialize
5172 new m_unknown_side_effects field.
5173 (impl_sm_context::unknown_side_effects_p): New.
5174 (impl_sm_context::m_unknown_side_effects): New.
5175 (exploded_node::on_stmt): Pass unknown_side_effects to sm_ctxt
5176 ctor.
5177 * sm-taint.cc: Include "stringpool.h" and "attribs.h".
5178 (tainted_size::tainted_size): Drop "dir" param.
5179 (tainted_size::get_kind): Drop "FINAL".
5180 (tainted_size::emit): Likewise.
5181 (tainted_size::m_dir): Drop unused field.
5182 (class tainted_access_attrib_size): New subclass.
5183 (taint_state_machine::on_stmt): Call check_for_tainted_size_arg on
5184 external functions with unknown side effects.
5185 (taint_state_machine::check_for_tainted_size_arg): New.
5186 (region_model::check_region_for_taint): Drop "dir" param from
5187 tainted_size ctor.
5188 * sm.h (sm_context::unknown_side_effects_p): New.
5189
01a254e3
GA		 51902022-01-11 David Malcolm <dmalcolm@redhat.com>
5191
5192 PR analyzer/102692
5193 * diagnostic-manager.cc
5194 (class auto_disable_complexity_checks): Rename to...
5195 (class auto_checking_feasibility): ...this, updating
5196 the calls accordingly.
5197 (epath_finder::explore_feasible_paths): Update for renaming.
5198 * region-model-manager.cc
5199 (region_model_manager::region_model_manager): Update for change from
5200 m_check_complexity to m_checking_feasibility.
5201 (region_model_manager::reject_if_too_complex): Likewise.
5202 (region_model_manager::get_or_create_unknown_svalue): Handle
5203 m_checking_feasibility.
5204 (region_model_manager::create_unique_svalue): New.
5205 (region_model_manager::maybe_fold_binop): Handle BIT_AND_EXPR and
5206 BIT_IOR_EXPRs on booleans where we know the result.
5207 * region-model.cc (test_binop_svalue_folding): Add test coverage
5208 for the above.
5209 * region-model.h (region_model_manager::create_unique_svalue): New
5210 decl.
5211 (region_model_manager::enable_complexity_check): Replace with...
5212 (region_model_manager::begin_checking_feasibility): ...this.
5213 (region_model_manager::disable_complexity_check): Replace with...
5214 (region_model_manager::end_checking_feasibility): ...this.
5215 (region_model_manager::m_check_complexity): Replace with...
5216 (region_model_manager::m_checking_feasibility): ...this.
5217 (region_model_manager::m_managed_dynamic_svalues): New field.
5218
55e96bf9
GA		 52192022-01-08 David Malcolm <dmalcolm@redhat.com>
5220
5221 * engine.cc (impl_run_checkers): Pass logger to engine ctor.
5222 * region-model-manager.cc
5223 (region_model_manager::region_model_manager): Add logger param and
5224 use it to initialize m_logger.
5225 * region-model.cc (engine::engine): New.
5226 * region-model.h (region_model_manager::region_model_manager):
5227 Add logger param.
5228 (region_model_manager::get_logger): New.
5229 (region_model_manager::m_logger): New field.
5230 (engine::engine): New.
5231 * store.cc (store_manager::get_logger): New.
5232 (store::set_value): Log scope. Log when marking a cluster as
5233 unknown due to possible aliasing.
5234 * store.h (store_manager::get_logger): New decl.
5235
52362022-01-08 David Malcolm <dmalcolm@redhat.com>
5237
5238 * region-model-impl-calls.cc (cmp_decls): New.
5239 (cmp_decls_ptr_ptr): New.
5240 (region_model::impl_call_analyzer_dump_escaped): New.
5241 * region-model.cc (region_model::on_stmt_pre): Handle
5242 __analyzer_dump_escaped.
5243 * region-model.h (region_model::impl_call_analyzer_dump_escaped):
5244 New decl.
5245 * store.h (binding_cluster::get_base_region): New accessor.
5246
52472022-01-08 David Malcolm <dmalcolm@redhat.com>
5248
5249 * region.cc (region::is_named_decl_p): New.
5250 * region.h (region::is_named_decl_p): New decl.
5251
11ce8d04
GA		 52522022-01-06 David Malcolm <dmalcolm@redhat.com>
5253
5254 PR analyzer/103546
5255 * store.cc (store::eval_alias_1): Refactor handling of decl
5256 regions, adding a test for may_be_aliased, rejecting those for
5257 which it returns false.
5258
c8dcf64b
GA		 52592021-12-12 Jonathan Wakely <jwakely@redhat.com>
5260
5261 * engine.cc: Define INCLUDE_MEMORY instead of INCLUDE_UNIQUE_PTR.
5262
3a580f96
GA		 52632021-12-06 David Malcolm <dmalcolm@redhat.com>
5264
5265 PR analyzer/103533
5266 * constraint-manager.cc (equiv_class::contains_non_constant_p):
5267 New.
5268 (constraint_manager::canonicalize): Call it when determining
5269 redundant ECs.
5270 (selftest::test_purging): New selftest.
5271 (selftest::run_constraint_manager_tests): Likewise.
5272 * constraint-manager.h (equiv_class::contains_non_constant_p):
5273 New decl.
5274
40fa651e
GA		 52752021-12-01 David Malcolm <dmalcolm@redhat.com>
5276
5277 PR analyzer/102471
5278 * region-model-reachability.cc (reachable_regions::handle_parm):
5279 Treat all svalues within a compound parm has reachable, and those
5280 wrapped in a cast.
5281
87cd82c8
GA		 52822021-11-29 David Malcolm <dmalcolm@redhat.com>
5283
5284 PR analyzer/103217
5285 * store.cc (binding_cluster::can_merge_p): For the "key is bound"
5286 vs "key is not bound" merger case, check that the bound svalue
5287 is mergeable before merging it to "unknown", rejecting the merger
5288 otherwise.
5289
9c077398
GA		 52902021-11-19 David Malcolm <dmalcolm@redhat.com>
5291
5292 PR analyzer/103217
5293 * engine.cc (exploded_graph::get_or_create_node): Pass in
5294 m_ext_state to program_state::can_merge_with_p.
5295 (exploded_graph::process_worklist): Likewise.
5296 (exploded_graph::maybe_process_run_of_before_supernode_enodes):
5297 Likewise.
5298 (exploded_graph::process_node): Add missing call to detect_leaks
5299 when handling phi nodes.
5300 * program-state.cc (program_state::can_merge_with_p): Add
5301 "ext_state" param. Pass it and state ptrs to
5302 region_model::can_merge_with_p.
5303 (selftest::test_program_state_merging): Update for new ext_state
5304 param of program_state::can_merge_with_p.
5305 (selftest::test_program_state_merging_2): Likewise.
5306 * program-state.h (program_state::can_purge_p): Make const.
5307 (program_state::can_merge_with_p): Add "ext_state" param.
5308 * region-model.cc: Include "analyzer/program-state.h".
5309 (region_model::can_merge_with_p): Add params "ext_state",
5310 "state_a", and "state_b", use them when creating model_merger
5311 object.
5312 (model_merger::mergeable_svalue_p): New.
5313 * region-model.h (region_model::can_merge_with_p): Add params
5314 "ext_state", "state_a", and "state_b".
5315 (model_merger::model_merger) Likewise, initializing new fields.
5316 (model_merger::mergeable_svalue_p): New decl.
5317 (model_merger::m_ext_state): New field.
5318 (model_merger::m_state_a): New field.
5319 (model_merger::m_state_b): New field.
5320 * svalue.cc (svalue::can_merge_p): Call
5321 model_merger::mergeable_svalue_p on both states and reject the
5322 merger accordingly.
5323
280d2838
GA		 53242021-11-17 David Malcolm <dmalcolm@redhat.com>
5325
5326 PR analyzer/102695
5327 * region-model-impl-calls.cc (region_model::impl_call_strchr): New.
5328 * region-model-manager.cc
5329 (region_model_manager::maybe_fold_unaryop): Simplify cast to
5330 pointer type of an existing pointer to a region.
5331 * region-model.cc (region_model::on_call_pre): Handle
5332 BUILT_IN_STRCHR and "strchr".
5333 (write_to_const_diagnostic::emit): Add auto_diagnostic_group. Add
5334 alternate wordings for functions and labels.
5335 (write_to_const_diagnostic::describe_final_event): Add alternate
5336 wordings for functions and labels.
5337 (region_model::check_for_writable_region): Handle RK_FUNCTION and
5338 RK_LABEL.
5339 * region-model.h (region_model::impl_call_strchr): New decl.
5340
6b1695f4
GA		 53412021-11-16 David Malcolm <dmalcolm@redhat.com>
5342
5343 PR analyzer/102662
5344 * constraint-manager.cc (bounded_range::operator==): Require the
5345 types to be the same for equality.
5346
a8029add
GA		 53472021-11-13 David Malcolm <dmalcolm@redhat.com>
5348
5349 * analyzer.opt (Wanalyzer-tainted-allocation-size): New.
5350 (Wanalyzer-tainted-divisor): New.
5351 (Wanalyzer-tainted-offset): New.
5352 (Wanalyzer-tainted-size): New.
5353 * engine.cc (impl_region_model_context::get_taint_map): New.
5354 * exploded-graph.h (impl_region_model_context::get_taint_map):
5355 New decl.
5356 * program-state.cc (sm_state_map::get_state): Call
5357 alt_get_inherited_state.
5358 (sm_state_map::impl_set_state): Modify states within
5359 compound svalues.
5360 (program_state::impl_call_analyzer_dump_state): Undo casts.
5361 (selftest::test_program_state_1): Update for new context param of
5362 create_region_for_heap_alloc.
5363 (selftest::test_program_state_merging): Likewise.
5364 * region-model-impl-calls.cc (region_model::impl_call_alloca):
5365 Likewise.
5366 (region_model::impl_call_calloc): Likewise.
5367 (region_model::impl_call_malloc): Likewise.
5368 (region_model::impl_call_operator_new): Likewise.
5369 (region_model::impl_call_realloc): Likewise.
5370 * region-model.cc (region_model::check_region_access): Call
5371 check_region_for_taint.
5372 (region_model::get_representative_path_var_1): Handle binops.
5373 (region_model::create_region_for_heap_alloc): Add "ctxt" param and
5374 pass it to set_dynamic_extents.
5375 (region_model::create_region_for_alloca): Likewise.
5376 (region_model::set_dynamic_extents): Add "ctxt" param and use it
5377 to call check_dynamic_size_for_taint.
5378 (selftest::test_state_merging): Update for new context param of
5379 create_region_for_heap_alloc.
5380 (selftest::test_malloc_constraints): Likewise.
5381 (selftest::test_malloc): Likewise.
5382 (selftest::test_alloca): Likewise for create_region_for_alloca.
5383 * region-model.h (region_model::create_region_for_heap_alloc): Add
5384 "ctxt" param.
5385 (region_model::create_region_for_alloca): Likewise.
5386 (region_model::set_dynamic_extents): Likewise.
5387 (region_model::check_dynamic_size_for_taint): New decl.
5388 (region_model::check_region_for_taint): New decl.
5389 (region_model_context::get_taint_map): New vfunc.
5390 (noop_region_model_context::get_taint_map): New.
5391 * sm-taint.cc: Remove include of "diagnostic-event-id.h"; add
5392 includes of "gimple-iterator.h", "tristate.h", "selftest.h",
5393 "ordered-hash-map.h", "cgraph.h", "cfg.h", "digraph.h",
5394 "analyzer/supergraph.h", "analyzer/call-string.h",
5395 "analyzer/program-point.h", "analyzer/store.h",
5396 "analyzer/region-model.h", and "analyzer/program-state.h".
5397 (enum bounds): Move to top of file.
5398 (class taint_diagnostic): New.
5399 (class tainted_array_index): Convert to subclass of taint_diagnostic.
5400 (tainted_array_index::emit): Add CWE-129. Reword warning to use
5401 "attacker-controlled" rather than "tainted".
5402 (tainted_array_index::describe_state_change): Move to
5403 taint_diagnostic::describe_state_change.
5404 (tainted_array_index::describe_final_event): Reword to use
5405 "attacker-controlled" rather than "tainted".
5406 (class tainted_offset): New.
5407 (class tainted_size): New.
5408 (class tainted_divisor): New.
5409 (class tainted_allocation_size): New.
5410 (taint_state_machine::alt_get_inherited_state): New.
5411 (taint_state_machine::on_stmt): In assignment handling, remove
5412 ARRAY_REF handling in favor of check_region_for_taint. Add
5413 detection of tainted divisors.
5414 (taint_state_machine::get_taint): New.
5415 (taint_state_machine::combine_states): New.
5416 (region_model::check_region_for_taint): New.
5417 (region_model::check_dynamic_size_for_taint): New.
5418 * sm.h (state_machine::alt_get_inherited_state): New.
5419
af2852b9
GA		 54202021-11-12 David Malcolm <dmalcolm@redhat.com>
5421
5422 * engine.cc (exploded_node::on_stmt_pre): Return when handling
5423 "__analyzer_dump_state".
5424
b39265d4
GA		 54252021-11-11 Richard Biener <rguenther@suse.de>
5426
5427 * supergraph.cc: Include bitmap.h.
5428
29a1af24
GA		 54292021-11-04 David Malcolm <dmalcolm@redhat.com>
5430
5431 * program-state.cc (sm_state_map::dump): Use default_tree_printer
5432 as format decoder.
5433
e19570d3
GA		 54342021-09-16 Maxim Blinov <maxim.blinov@embecosm.com>
5435
5436 PR bootstrap/102242
5437 * engine.cc (INCLUDE_UNIQUE_PTR): Define.
5438
b6db7cd4
GA		 54392021-09-08 David Malcolm <dmalcolm@redhat.com>
5440
5441 PR analyzer/102225
5442 * analyzer.h (compat_types_p): New decl.
5443 * constraint-manager.cc
5444 (constraint_manager::get_or_add_equiv_class): Guard against NULL
5445 type when checking for pointer types.
5446 * region-model-impl-calls.cc (region_model::impl_call_realloc):
5447 Guard against NULL lhs type/region. Guard against the size value
5448 not being of a compatible type for dynamic extents.
5449 * region-model.cc (compat_types_p): Make non-static.
5450
1e2f030b
GA		 54512021-08-30 David Malcolm <dmalcolm@redhat.com>
5452
5453 PR analyzer/99260
5454 * analyzer.h (class custom_edge_info): New class, adapted from
5455 exploded_edge::custom_info_t. Make member functions const.
5456 Make update_model return bool, converting edge param from
5457 reference to a pointer, and adding a ctxt param.
5458 (class path_context): New class.
5459 * call-info.cc: New file.
5460 * call-info.h: New file.
5461 * engine.cc: Include "analyzer/call-info.h" and <memory>.
5462 (impl_region_model_context::impl_region_model_context): Update for
5463 new m_path_ctxt field.
5464 (impl_region_model_context::bifurcate): New.
5465 (impl_region_model_context::terminate_path): New.
5466 (impl_region_model_context::get_malloc_map): New.
5467 (impl_sm_context::impl_sm_context): Update for new m_path_ctxt
5468 field.
5469 (impl_sm_context::get_fndecl_for_call): Likewise.
5470 (impl_sm_context::set_next_state): Likewise.
5471 (impl_sm_context::warn): Likewise.
5472 (impl_sm_context::is_zero_assignment): Likewise.
5473 (impl_sm_context::get_path_context): New.
5474 (impl_sm_context::m_path_ctxt): New.
5475 (impl_region_model_context::on_condition): Update for new
5476 path_ctxt param. Handle m_enode_for_diag being NULL.
5477 (impl_region_model_context::on_phi): Update for new path_ctxt
5478 param.
5479 (exploded_node::on_stmt): Add path_ctxt param, updating ctor calls
5480 to use it as necessary. Use it to bail out after sm-handling,
5481 if needed.
5482 (exploded_node::detect_leaks): Update for new path_ctxt param.
5483 (dynamic_call_info_t::update_model): Update for conversion of
5484 exploded_edge::custom_info_t to custom_edge_info.
5485 (dynamic_call_info_t::add_events_to_path): Likewise.
5486 (rewind_info_t::update_model): Likewise.
5487 (rewind_info_t::add_events_to_path): Likewise.
5488 (exploded_edge::exploded_edge): Likewise.
5489 (exploded_graph::add_edge): Likewise.
5490 (exploded_graph::maybe_process_run_of_before_supernode_enodes):
5491 Update for new path_ctxt param.
5492 (class impl_path_context): New.
5493 (exploded_graph::process_node): Update for new path_ctxt param.
5494 Create an impl_path_context and pass it to exploded_node::on_stmt.
5495 Use it to terminate iterating stmts if terminate_path is called
5496 on it. After processing a run of stmts, query path_ctxt to
5497 potentially terminate the analysis path, and/or to "bifurcate" the
5498 analysis into multiple additional paths.
5499 (feasibility_state::maybe_update_for_edge): Update for new
5500 update_model ctxt param.
5501 * exploded-graph.h
5502 (impl_region_model_context::impl_region_model_context): Add
5503 path_ctxt param.
5504 (impl_region_model_context::bifurcate): New.
5505 (impl_region_model_context::terminate_path): New
5506 (impl_region_model_context::get_ext_state): New.
5507 (impl_region_model_context::get_malloc_map): New.
5508 (impl_region_model_context::m_path_ctxt): New field.
5509 (exploded_node::on_stmt): Add path_ctxt param.
5510 (class exploded_edge::custom_info_t): Move to analyzer.h, renaming
5511 to custom_edge_info, and making the changes as noted in analyzer.h
5512 above.
5513 (exploded_edge::exploded_edge): Update for these changes to
5514 exploded_edge::custom_info_t.
5515 (exploded_edge::m_custom_info): Likewise.
5516 (class dynamic_call_info_t): Likewise.
5517 (class rewind_info_t): Likewise.
5518 (exploded_graph::add_edge): Likewise.
5519 * program-state.cc (program_state::on_edge): Update for new
5520 path_ctxt param.
5521 (program_state::push_call): Likewise.
5522 (program_state::returning_call): Likewise.
5523 (program_state::prune_for_point): Likewise.
5524 * region-model-impl-calls.cc: Include "analyzer/call-info.h".
5525 (call_details::get_fndecl_for_call): New.
5526 (region_model::impl_call_realloc): Reimplement.
5527 * region-model.cc (region_model::on_call_pre): Move call to
5528 impl_call_realloc to...
5529 (region_model::on_call_post): ...here. Consolidate creation
5530 of call_details instance.
5531 (noop_region_model_context::bifurcate): New.
5532 (noop_region_model_context::terminate_path): New.
5533 * region-model.h (call_details::get_call_stmt): New.
5534 (call_details::get_fndecl_for_call): New.
5535 (region_model::on_realloc_with_move): New.
5536 (region_model_context::bifurcate): New.
5537 (region_model_context::terminate_path): New.
5538 (region_model_context::get_ext_state): New.
5539 (region_model_context::get_malloc_map): New.
5540 (noop_region_model_context::bifurcate): New.
5541 (noop_region_model_context::terminate_path): New.
5542 (noop_region_model_context::get_ext_state): New.
5543 (noop_region_model_context::get_malloc_map): New.
5544 * sm-malloc.cc: Include "analyzer/program-state.h".
5545 (malloc_state_machine::on_realloc_call): Reimplement.
5546 (malloc_state_machine::on_realloc_with_move): New.
5547 (region_model::on_realloc_with_move): New.
5548 * sm-signal.cc (class signal_delivery_edge_info_t): Update for
5549 conversion from exploded_edge::custom_info_t to custom_edge_info.
5550 * sm.h (sm_context::get_path_context): New.
5551 * svalue.cc (svalue::maybe_get_constant): Call
5552 unwrap_any_unmergeable.
5553
85d77ac4
GA		 55542021-08-25 Ankur Saini <arsenic@sourceware.org>
5555
5556 PR analyzer/101980
5557 * engine.cc (exploded_graph::maybe_create_dynamic_call): Don't create
5558 calls if max recursion limit is reached.
5559
38b19c5b
GA		 55602021-08-23 David Malcolm <dmalcolm@redhat.com>
5561
5562 * analyzer.h (struct rejected_constraint): Convert to...
5563 (class rejected_constraint): ...this.
5564 (class bounded_ranges): New forward decl.
5565 (class bounded_ranges_manager): New forward decl.
5566 * constraint-manager.cc: Include "analyzer/analyzer-logging.h" and
5567 "tree-pretty-print.h".
5568 (can_plus_one_p): New.
5569 (plus_one): New.
5570 (can_minus_one_p): New.
5571 (minus_one): New.
5572 (bounded_range::bounded_range): New.
5573 (dump_cst): New.
5574 (bounded_range::dump_to_pp): New.
5575 (bounded_range::dump): New.
5576 (bounded_range::to_json): New.
5577 (bounded_range::set_json_attr): New.
5578 (bounded_range::contains_p): New.
5579 (bounded_range::intersects_p): New.
5580 (bounded_range::operator==): New.
5581 (bounded_range::cmp): New.
5582 (bounded_ranges::bounded_ranges): New.
5583 (bounded_ranges::bounded_ranges): New.
5584 (bounded_ranges::bounded_ranges): New.
5585 (bounded_ranges::canonicalize): New.
5586 (bounded_ranges::validate): New.
5587 (bounded_ranges::operator==): New.
5588 (bounded_ranges::dump_to_pp): New.
5589 (bounded_ranges::dump): New.
5590 (bounded_ranges::to_json): New.
5591 (bounded_ranges::eval_condition): New.
5592 (bounded_ranges::contain_p): New.
5593 (bounded_ranges::cmp): New.
5594 (bounded_ranges_manager::~bounded_ranges_manager): New.
5595 (bounded_ranges_manager::get_or_create_empty): New.
5596 (bounded_ranges_manager::get_or_create_point): New.
5597 (bounded_ranges_manager::get_or_create_range): New.
5598 (bounded_ranges_manager::get_or_create_union): New.
5599 (bounded_ranges_manager::get_or_create_intersection): New.
5600 (bounded_ranges_manager::get_or_create_inverse): New.
5601 (bounded_ranges_manager::consolidate): New.
5602 (bounded_ranges_manager::get_or_create_ranges_for_switch): New.
5603 (bounded_ranges_manager::create_ranges_for_switch): New.
5604 (bounded_ranges_manager::make_case_label_ranges): New.
5605 (bounded_ranges_manager::log_stats): New.
5606 (bounded_ranges_constraint::print): New.
5607 (bounded_ranges_constraint::to_json): New.
5608 (bounded_ranges_constraint::operator==): New.
5609 (bounded_ranges_constraint::add_to_hash): New.
5610 (constraint_manager::constraint_manager): Update for new field
5611 m_bounded_ranges_constraints.
5612 (constraint_manager::operator=): Likewise.
5613 (constraint_manager::hash): Likewise.
5614 (constraint_manager::operator==): Likewise.
5615 (constraint_manager::print): Likewise.
5616 (constraint_manager::dump_to_pp): Likewise.
5617 (constraint_manager::to_json): Likewise.
5618 (constraint_manager::add_unknown_constraint): Update the lhs_ec_id
5619 if necessary in existing constraints when combining equivalence
5620 classes. Add similar code for handling
5621 m_bounded_ranges_constraints.
5622 (constraint_manager::add_constraint_internal): Add comment.
5623 (constraint_manager::add_bounded_ranges): New.
5624 (constraint_manager::eval_condition): Use new field
5625 m_bounded_ranges_constraints.
5626 (constraint_manager::purge): Update bounded_ranges_constraint
5627 instances.
5628 (constraint_manager::canonicalize): Update for new field.
5629 (merger_fact_visitor::on_ranges): New.
5630 (constraint_manager::for_each_fact): Use new field
5631 m_bounded_ranges_constraints.
5632 (constraint_manager::validate): Fix off-by-one error needed due
5633 to bug fixed above in add_unknown_constraint. Validate the EC IDs
5634 in m_bounded_ranges_constraints.
5635 (constraint_manager::get_range_manager): New.
5636 (selftest::assert_dump_bounded_range_eq): New.
5637 (ASSERT_DUMP_BOUNDED_RANGE_EQ): New.
5638 (selftest::test_bounded_range): New.
5639 (selftest::assert_dump_bounded_ranges_eq): New.
5640 (ASSERT_DUMP_BOUNDED_RANGES_EQ): New.
5641 (selftest::test_bounded_ranges): New.
5642 (selftest::run_constraint_manager_tests): Call the new selftests.
5643 * constraint-manager.h (struct bounded_range): New.
5644 (struct bounded_ranges): New.
5645 (template <> struct default_hash_traits<bounded_ranges::key_t>): New.
5646 (class bounded_ranges_manager): New.
5647 (fact_visitor::on_ranges): New pure virtual function.
5648 (class bounded_ranges_constraint): New.
5649 (constraint_manager::add_bounded_ranges): New decl.
5650 (constraint_manager::get_range_manager): New decl.
5651 (constraint_manager::m_bounded_ranges_constraints): New field.
5652 * diagnostic-manager.cc (epath_finder::process_worklist_item):
5653 Transfer ownership of rc to add_feasibility_problem.
5654 * engine.cc (feasibility_problem::dump_to_pp): Use get_model.
5655 * feasible-graph.cc (infeasible_node::dump_dot): Update for
5656 conversion of m_rc to a pointer.
5657 (feasible_graph::add_feasibility_problem): Pass RC by pointer and
5658 take ownership.
5659 * feasible-graph.h (infeasible_node::infeasible_node): Pass RC by
5660 pointer and take ownership.
5661 (infeasible_node::~infeasible_node): New.
5662 (infeasible_node::m_rc): Convert to a pointer.
5663 (feasible_graph::add_feasibility_problem): Pass RC by pointer and
5664 take ownership.
5665 * region-model-manager.cc: Include
5666 "analyzer/constraint-manager.h".
5667 (region_model_manager::region_model_manager): Initializer new
5668 field m_range_mgr.
5669 (region_model_manager::~region_model_manager): Delete it.
5670 (region_model_manager::log_stats): Call log_stats on it.
5671 * region-model.cc (region_model::add_constraint): Use new subclass
5672 rejected_op_constraint.
5673 (region_model::apply_constraints_for_gswitch): Reimplement using
5674 bounded_ranges_manager.
5675 (rejected_constraint::dump_to_pp): Convert to...
5676 (rejected_op_constraint::dump_to_pp): ...this.
5677 (rejected_ranges_constraint::dump_to_pp): New.
5678 * region-model.h (struct purge_stats): Add field
5679 m_num_bounded_ranges_constraints.
5680 (region_model_manager::get_range_manager): New.
5681 (region_model_manager::m_range_mgr): New.
5682 (region_model::get_range_manager): New.
5683 (struct rejected_constraint): Split into...
5684 (class rejected_constraint):...this new abstract base class,
5685 and...
5686 (class rejected_op_constraint): ...this new concrete subclass.
5687 (class rejected_ranges_constraint): New.
5688 * supergraph.cc: Include "tree-cfg.h".
5689 (supergraph::supergraph): Drop idx param from add_cfg_edge.
5690 (supergraph::add_cfg_edge): Drop idx param.
5691 (switch_cfg_superedge::switch_cfg_superedge): Move here from
5692 header. Populate m_case_labels with all cases which go to DST.
5693 (switch_cfg_superedge::dump_label_to_pp): Reimplement to use
5694 m_case_labels.
5695 (switch_cfg_superedge::get_case_label): Delete.
5696 * supergraph.h (supergraphadd_cfg_edge): Drop "idx" param.
5697 (switch_cfg_superedge::switch_cfg_superedge): Drop idx param and
5698 move implementation to supergraph.cc.
5699 (switch_cfg_superedge::get_case_label): Delete.
5700 (switch_cfg_superedge::get_case_labels): New.
5701 (switch_cfg_superedge::m_idx): Delete.
5702 (switch_cfg_superedge::m_case_labels): New field.
5703
57042021-08-23 David Malcolm <dmalcolm@redhat.com>
5705
5706 PR analyzer/101875
5707 * sm-file.cc (file_diagnostic::describe_state_change): Handle
5708 change.m_expr being NULL.
5709
57102021-08-23 David Malcolm <dmalcolm@redhat.com>
5711
5712 PR analyzer/101837
5713 * analyzer.cc (maybe_reconstruct_from_def_stmt): Bail if fn is
5714 NULL, and assert that it's non-NULL before passing it to
5715 build_call_array_loc.
5716
57172021-08-23 David Malcolm <dmalcolm@redhat.com>
5718
5719 PR analyzer/101962
5720 * region-model.cc (region_model::eval_condition_without_cm):
5721 Refactor comparison against zero, adding a check for
5722 POINTER_PLUS_EXPR of non-NULL.
5723
57242021-08-23 David Malcolm <dmalcolm@redhat.com>
5725
5726 * store.cc (bit_range::intersects_p): New overload.
5727 (bit_range::operator-): New.
5728 (binding_cluster::maybe_get_compound_binding): Handle the partial
5729 overlap case.
5730 (selftest::test_bit_range_intersects_p): Add test coverage for
5731 new overload of bit_range::intersects_p.
5732 * store.h (bit_range::intersects_p): New overload.
5733 (bit_range::operator-): New.
5734
57352021-08-23 Ankur Saini <arsenic@sourceware.org>
5736
5737 PR analyzer/102020
5738 * diagnostic-manager.cc
5739 (diagnostic_manager::prune_for_sm_diagnostic)<case EK_CALL_EDGE>: Fix typo.
5740
4be4fa4e
GA		 57412021-08-21 Ankur Saini <arsenic@sourceware.org>
5742
5743 PR analyzer/101980
5744 * diagnostic-manager.cc
5745 (diagnostic_manager::prune_for_sm_diagnostic)<case EK_CALL_EDGE>: Use
5746 caller_model only when the supergraph_edge doesn't exixt.
5747 (diagnostic_manager::prune_for_sm_diagnostic)<case EK_RETURN_EDGE>:
5748 Likewise.
5749 * engine.cc (exploded_graph::create_dynamic_call): Rename to...
5750 (exploded_graph::maybe_create_dynamic_call): ...this, return call
5751 creation status.
5752 (exploded_graph::process_node): Handle calls which were not dynamically
5753 discovered.
5754 * exploded-graph.h (exploded_graph::create_dynamic_call): Rename to...
5755 (exploded_graph::maybe_create_dynamic_call): ...this.
5756 * region-model.cc (region_model::update_for_gcall): New param, use it
5757 to push call to frame.
5758 (region_model::update_for_call_superedge): Pass callee function to
5759 update_for_gcall.
5760 * region-model.h (region_model::update_for_gcall): New param.
5761
6e529985
GA		 57622021-08-18 Ankur Saini <arsenic@sourceware.org>
5763
5764 PR analyzer/97114
5765 * region-model.cc (region_model::get_rvalue_1): Add case for
5766 OBJ_TYPE_REF.
5767
57682021-08-18 Ankur Saini <arsenic@sourceware.org>
5769
5770 PR analyzer/100546
5771 * analysis-plan.cc (analysis_plan::use_summary_p): Don't use call
5772 summaries if there is no callgraph edge
5773 * checker-path.cc (call_event::call_event): Handle calls events that
5774 are not represented by a supergraph call edge
5775 (return_event::return_event): Likewise.
5776 (call_event::get_desc): Work with new call_event structure.
5777 (return_event::get_desc): Likeise.
5778 * checker-path.h (call_event::m_src_snode): New field.
5779 (call_event::m_dest_snode): New field.
5780 (return_event::m_src_snode): New field.
5781 (return_event::m_dest_snode): New field.
5782 * diagnostic-manager.cc
5783 (diagnostic_manager::prune_for_sm_diagnostic)<case EK_CALL_EDGE>:
5784 Refactor to work with edges without callgraph edge.
5785 (diagnostic_manager::prune_for_sm_diagnostic)<case EK_RETURN_EDGE>:
5786 Likewise.
5787 * engine.cc (dynamic_call_info_t::update_model): New function.
5788 (dynamic_call_info_t::add_events_to_path): New function.
5789 (exploded_graph::create_dynamic_call): New function.
5790 (exploded_graph::process_node): Work with dynamically discovered calls.
5791 * exploded-graph.h (class dynamic_call_info_t): New class.
5792 (exploded_graph::create_dynamic_call): New decl.
5793 * program-point.cc (program_point::push_to_call_stack): New function.
5794 (program_point::pop_from_call_stack): New function.
5795 * program-point.h (program_point::push_to_call_stack): New decl.
5796 (program_point::pop_from_call_stack): New decl.
5797 * program-state.cc (program_state::push_call): New function.
5798 (program_state::returning_call): New function.
5799 * program-state.h (program_state::push_call): New decl.
5800 (program_state::returning_call): New decl.
5801 * region-model.cc (region_model::update_for_gcall) New function.
5802 (region_model::update_for_return_gcall): New function.
5803 (egion_model::update_for_call_superedge): Get the underlying gcall and
5804 update for gcall.
5805 (region_model::update_for_return_superedge): Likewise.
5806 * region-model.h (region_model::update_for_gcall): New decl.
5807 (region_model::update_for_return_gcall): New decl.
5808 * state-purge.cc (state_purge_per_ssa_name::process_point): Update to
5809 work with calls without underlying cgraph edge.
5810 * supergraph.cc (supergraph::supergraph) Split snodes at every callsite.
5811 * supergraph.h (supernode::get_returning_call) New accessor.
5812
2697f832
GA		 58132021-08-04 David Malcolm <dmalcolm@redhat.com>
5814
5815 PR analyzer/101570
5816 * analyzer.cc (maybe_reconstruct_from_def_stmt): Add GIMPLE_ASM
5817 case.
5818 * analyzer.h (class asm_output_svalue): New forward decl.
5819 (class reachable_regions): New forward decl.
5820 * complexity.cc (complexity::from_vec_svalue): New.
5821 * complexity.h (complexity::from_vec_svalue): New decl.
5822 * engine.cc (feasibility_state::maybe_update_for_edge): Handle
5823 asm stmts by calling on_asm_stmt.
5824 * region-model-asm.cc: New file.
5825 * region-model-manager.cc
5826 (region_model_manager::maybe_fold_asm_output_svalue): New.
5827 (region_model_manager::get_or_create_asm_output_svalue): New.
5828 (region_model_manager::log_stats): Log m_asm_output_values_map.
5829 * region-model.cc (region_model::on_stmt_pre): Handle GIMPLE_ASM.
5830 * region-model.h (visitor::visit_asm_output_svalue): New.
5831 (region_model_manager::get_or_create_asm_output_svalue): New decl.
5832 (region_model_manager::maybe_fold_asm_output_svalue): New decl.
5833 (region_model_manager::asm_output_values_map_t): New typedef.
5834 (region_model_manager::m_asm_output_values_map): New field.
5835 (region_model::on_asm_stmt): New.
5836 * store.cc (binding_cluster::on_asm): New.
5837 * store.h (binding_cluster::on_asm): New decl.
5838 * svalue.cc (svalue::cmp_ptr): Handle SK_ASM_OUTPUT.
5839 (asm_output_svalue::dump_to_pp): New.
5840 (asm_output_svalue::dump_input): New.
5841 (asm_output_svalue::input_idx_to_asm_idx): New.
5842 (asm_output_svalue::accept): New.
5843 * svalue.h (enum svalue_kind): Add SK_ASM_OUTPUT.
5844 (svalue::dyn_cast_asm_output_svalue): New.
5845 (class asm_output_svalue): New.
5846 (is_a_helper <const asm_output_svalue *>::test): New.
5847 (struct default_hash_traits<asm_output_svalue::key_t>): New.
5848
fa1407c7
GA		 58492021-08-03 Jakub Jelinek <jakub@redhat.com>
5850
5851 PR analyzer/101721
5852 * sm-malloc.cc (known_allocator_p): Only check DECL_FUNCTION_CODE on
5853 BUILT_IN_NORMAL builtins.
5854
4d17ca1b
GA		 58552021-07-29 Ankur Saini <arsenic@sourceware.org>
5856
5857 * call-string.cc (call_string::element_t::operator==): New operator.
5858 (call_String::element_t::operator!=): New operator.
5859 (call_string::element_t::get_caller_function): New function.
5860 (call_string::element_t::get_callee_function): New function.
5861 (call_string::call_string): Refactor to Initialise m_elements.
5862 (call_string::operator=): Refactor to work with m_elements.
5863 (call_string::operator==): Likewise.
5864 (call_string::to_json): Likewise.
5865 (call_string::hash): Refactor to hash e.m_caller.
5866 (call_string::push_call): Refactor to work with m_elements.
5867 (call_string::push_call): New overload to push call via supernodes.
5868 (call_string::pop): Refactor to work with m_elements.
5869 (call_string::calc_recursion_depth): Likewise.
5870 (call_string::cmp): Likewise.
5871 (call_string::validate): Likewise.
5872 (call_string::operator[]): Likewise.
5873 * call-string.h (class supernode): New forward decl.
5874 (struct call_string::element_t): New struct.
5875 (call_string::call_string): Refactor to initialise m_elements.
5876 (call_string::bool empty_p): Refactor to work with m_elements.
5877 (call_string::get_callee_node): New decl.
5878 (call_string::get_caller_node): New decl.
5879 (m_elements): Replaces m_return_edges.
5880 * program-point.cc (program_point::get_function_at_depth): Refactor to
5881 work with new call-string format.
5882 (program_point::validate): Likewise.
5883 (program_point::on_edge): Likewise.
5884
39169029
GA		 58852021-07-28 David Malcolm <dmalcolm@redhat.com>
5886
5887 * region-model.cc (region_model::on_call_pre): Treat
5888 IFN_UBSAN_BOUNDS, BUILT_IN_STACK_SAVE, and BUILT_IN_STACK_RESTORE
5889 as no-ops, rather than handling them as unknown functions.
5890
58912021-07-28 David Malcolm <dmalcolm@redhat.com>
5892
5893 * region-model-impl-calls.cc (region_model::impl_call_alloca):
5894 Drop redundant return value.
5895 (region_model::impl_call_builtin_expect): Likewise.
5896 (region_model::impl_call_calloc): Likewise.
5897 (region_model::impl_call_malloc): Likewise.
5898 (region_model::impl_call_memset): Likewise.
5899 (region_model::impl_call_operator_new): Likewise.
5900 (region_model::impl_call_operator_delete): Likewise.
5901 (region_model::impl_call_strlen): Likewise.
5902 * region-model.cc (region_model::on_call_pre): Fix return value of
5903 known functions that don't have unknown side-effects.
5904 * region-model.h (region_model::impl_call_alloca): Drop redundant
5905 return value.
5906 (region_model::impl_call_builtin_expect): Likewise.
5907 (region_model::impl_call_calloc): Likewise.
5908 (region_model::impl_call_malloc): Likewise.
5909 (region_model::impl_call_memset): Likewise.
5910 (region_model::impl_call_strlen): Likewise.
5911 (region_model::impl_call_operator_new): Likewise.
5912 (region_model::impl_call_operator_delete): Likewise.
5913
59142021-07-28 Siddhesh Poyarekar <siddhesh@gotplt.org>
5915
5916 * analyzer.cc (is_named_call_p, is_std_named_call_p): Make
5917 first argument a const_tree.
5918 * analyzer.h (is_named_call_p, -s_std_named_call_p): Likewise.
5919 * sm-malloc.cc (known_allocator_p): New function.
5920 (malloc_state_machine::on_stmt): Use it.
5921
59222021-07-28 Siddhesh Poyarekar <siddhesh@gotplt.org>
5923
5924 * sm-malloc.cc
5925 (malloc_state_machine::get_or_create_deallocator): Recognize
5926 __builtin_free.
5927
1a7febe9
GA		 59282021-07-26 David Malcolm <dmalcolm@redhat.com>
5929
5930 * region-model.cc (region_model::on_call_pre): Always set conjured
5931 LHS, not just for SSA names.
5932
ead235f6
GA		 59332021-07-23 David Malcolm <dmalcolm@redhat.com>
5934
5935 * diagnostic-manager.cc
5936 (class auto_disable_complexity_checks): New.
5937 (epath_finder::explore_feasible_paths): Use it to disable
5938 complexity checks whilst processing the worklist.
5939 * region-model-manager.cc
5940 (region_model_manager::region_model_manager): Initialize
5941 m_check_complexity.
5942 (region_model_manager::reject_if_too_complex): Bail if
5943 m_check_complexity is false.
5944 * region-model.h
5945 (region_model_manager::enable_complexity_check): New.
5946 (region_model_manager::disable_complexity_check): New.
5947 (region_model_manager::m_check_complexity): New.
5948
419c6c68
GA		 59492021-07-21 David Malcolm <dmalcolm@redhat.com>
5950
5951 PR analyzer/101547
5952 * sm-file.cc (file_leak::emit): Handle m_arg being NULL.
5953 (file_leak::describe_final_event): Handle ev.m_expr being NULL.
5954
59552021-07-21 David Malcolm <dmalcolm@redhat.com>
5956
5957 PR analyzer/101522
5958 * store.cc (binding_cluster::purge_state_involving): Don't change
5959 m_map whilst iterating through it.
5960
59612021-07-21 David Malcolm <dmalcolm@redhat.com>
5962
5963 * region-model.cc (region_model::handle_phi): Add "old_state"
5964 param and use it.
5965 (region_model::update_for_phis): Update so that all of the phi
5966 stmts are effectively handled simultaneously, rather than in
5967 order.
5968 * region-model.h (region_model::handle_phi): Add "old_state"
5969 param.
5970 * state-purge.cc (self_referential_phi_p): Replace with...
5971 (name_used_by_phis_p): ...this new function.
5972 (state_purge_per_ssa_name::process_point): Update to use the
5973 above, so that all phi stmts at a basic block are effectively
5974 considered simultaneously, and only consider the phi arguments for
5975 the pertinent in-edge.
5976 * supergraph.cc (cfg_superedge::get_phi_arg_idx): New.
5977 (cfg_superedge::get_phi_arg): Use the above.
5978 * supergraph.h (cfg_superedge::get_phi_arg_idx): New decl.
5979
59802021-07-21 David Malcolm <dmalcolm@redhat.com>
5981
5982 * state-purge.cc (state_purge_annotator::add_node_annotations):
5983 Rather than erroneously always using the NULL in-edge, determine
5984 each relevant in-edge, and print the appropriate data for each
5985 in-edge. Use print_needed to print the data as comma-separated
5986 lists of SSA names.
5987 (print_vec_of_names): Add "within_table" param and use it.
5988 (state_purge_annotator::add_stmt_annotations): Factor out
5989 collation and printing code into...
5990 (state_purge_annotator::print_needed): ...this new function.
5991 * state-purge.h (state_purge_annotator::print_needed): New decl.
5992
59932021-07-21 David Malcolm <dmalcolm@redhat.com>
5994
5995 * program-point.cc (function_point::print): Show src BB index at
5996 BEFORE_SUPERNODE.
5997
59982021-07-21 David Malcolm <dmalcolm@redhat.com>
5999
6000 * svalue.cc (infix_p): New.
6001 (binop_svalue::dump_to_pp): Use it to print MIN_EXPR and MAX_EXPR
6002 in prefix form, rather than infix.
6003
21ea2f93
GA		 60042021-07-19 David Malcolm <dmalcolm@redhat.com>
6005
6006 PR analyzer/101503
6007 * constraint-manager.cc (constraint_manager::add_constraint): Use
6008 can_have_associated_state_p rather than testing for unknown.
6009 (constraint_manager::get_or_add_equiv_class): Likewise.
6010 * program-state.cc (sm_state_map::set_state): Likewise.
6011 (sm_state_map::impl_set_state): Add assertion.
6012 * region-model-manager.cc
6013 (region_model_manager::maybe_fold_unaryop): Handle poisoned
6014 values.
6015 (region_model_manager::maybe_fold_binop): Move handling of unknown
6016 values...
6017 (region_model_manager::get_or_create_binop): ...to here, and
6018 generalize to use can_have_associated_state_p.
6019 (region_model_manager::maybe_fold_sub_svalue): Use
6020 can_have_associated_state_p rather than testing for unknown.
6021 (region_model_manager::maybe_fold_repeated_svalue): Use unknown
6022 when the size or repeated value is "unknown"/"poisoned".
6023 * region-model.cc (region_model::purge_state_involving): Reject
6024 attempts to purge unknown/poisoned svalues, as these svalues
6025 should not have state associated with them.
6026 * svalue.cc (sub_svalue::sub_svalue): Assert that we're building
6027 on top of an svalue with can_have_associated_state_p.
6028 (repeated_svalue::repeated_svalue): Likewise.
6029 (bits_within_svalue::bits_within_svalue): Likewise.
6030 * svalue.h (svalue::can_have_associated_state_p): New.
6031 (unknown_svalue::can_have_associated_state_p): New.
6032 (poisoned_svalue::can_have_associated_state_p): New.
6033 (unaryop_svalue::unaryop_svalue): Assert that we're building on
6034 top of an svalue with can_have_associated_state_p.
6035 (binop_svalue::binop_svalue): Likewise.
6036 (widening_svalue::widening_svalue): Likewise.
6037
87277b6a
GA		 60382021-07-16 David Malcolm <dmalcolm@redhat.com>
6039
6040 * analyzer.h (enum access_direction): New.
6041 * engine.cc (exploded_node::on_longjmp): Update for new param of
6042 get_store_value.
6043 * program-state.cc (program_state::prune_for_point): Likewise.
6044 * region-model-impl-calls.cc (region_model::impl_call_memcpy):
6045 Replace call to check_for_writable_region with call to
6046 check_region_for_write.
6047 (region_model::impl_call_memset): Likewise.
6048 (region_model::impl_call_strcpy): Likewise.
6049 * region-model-reachability.cc (reachable_regions::add): Update
6050 for new param of get_store_value.
6051 * region-model.cc (region_model::get_rvalue_1): Likewise, also for
6052 get_rvalue_for_bits.
6053 (region_model::get_store_value): Add ctxt param and use it to call
6054 check_region_for_read.
6055 (region_model::get_rvalue_for_bits): Add ctxt param and use it to
6056 call get_store_value.
6057 (region_model::check_region_access): New.
6058 (region_model::check_region_for_write): New.
6059 (region_model::check_region_for_read): New.
6060 (region_model::set_value): Update comment. Replace call to
6061 check_for_writable_region with call to check_region_for_write.
6062 * region-model.h (region_model::get_rvalue_for_bits): Add ctxt
6063 param.
6064 (region_model::get_store_value): Add ctxt param.
6065 (region_model::check_region_access): New decl.
6066 (region_model::check_region_for_write): New decl.
6067 (region_model::check_region_for_read): New decl.
6068 * region.cc (region_model::copy_region): Update call to
6069 get_store_value.
6070 * svalue.cc (initial_svalue::implicitly_live_p): Likewise.
6071
60722021-07-16 David Malcolm <dmalcolm@redhat.com>
6073
6074 * engine.cc (exploded_node::on_stmt_pre): Handle
6075 __analyzer_dump_state.
6076 * program-state.cc (extrinsic_state::get_sm_idx_by_name): New.
6077 (program_state::impl_call_analyzer_dump_state): New.
6078 * program-state.h (extrinsic_state::get_sm_idx_by_name): New decl.
6079 (program_state::impl_call_analyzer_dump_state): New decl.
6080 * region-model-impl-calls.cc
6081 (call_details::get_arg_string_literal): New.
6082 * region-model.h (call_details::get_arg_string_literal): New decl.
6083
60842021-07-16 David Malcolm <dmalcolm@redhat.com>
6085
6086 * program-state.cc (program_state::detect_leaks): Simplify using
6087 svalue::maybe_get_region.
6088 * region-model-impl-calls.cc (region_model::impl_call_fgets): Likewise.
6089 (region_model::impl_call_fread): Likewise.
6090 (region_model::impl_call_free): Likewise.
6091 (region_model::impl_call_operator_delete): Likewise.
6092 * region-model.cc (selftest::test_stack_frames): Likewise.
6093 (selftest::test_state_merging): Likewise.
6094 * svalue.cc (svalue::maybe_get_region): New.
6095 * svalue.h (svalue::maybe_get_region): New decl.
6096
d97d71a1
GA		 60972021-07-15 David Malcolm <dmalcolm@redhat.com>
6098
6099 * svalue.h (is_a_helper <placeholder_svalue *>::test): Make
6100 param and template param const.
6101 (is_a_helper <widening_svalue *>::test): Likewise.
6102 (is_a_helper <compound_svalue *>::test): Likewise.
6103 (is_a_helper <conjured_svalue *>::test): Likewise.
6104
61052021-07-15 David Malcolm <dmalcolm@redhat.com>
6106
6107 PR analyzer/95006
6108 PR analyzer/94713
6109 PR analyzer/94714
6110 * analyzer.cc (maybe_reconstruct_from_def_stmt): Split out
6111 GIMPLE_ASSIGN case into...
6112 (get_diagnostic_tree_for_gassign_1): New.
6113 (get_diagnostic_tree_for_gassign): New.
6114 * analyzer.h (get_diagnostic_tree_for_gassign): New decl.
6115 * analyzer.opt (Wanalyzer-write-to-string-literal): New.
6116 * constraint-manager.cc (class svalue_purger): New.
6117 (constraint_manager::purge_state_involving): New.
6118 * constraint-manager.h
6119 (constraint_manager::purge_state_involving): New.
6120 * diagnostic-manager.cc (saved_diagnostic::supercedes_p): New.
6121 (dedupe_winners::handle_interactions): New.
6122 (diagnostic_manager::emit_saved_diagnostics): Call it.
6123 * diagnostic-manager.h (saved_diagnostic::supercedes_p): New decl.
6124 * engine.cc (impl_region_model_context::warn): Convert return type
6125 to bool. Return false if the diagnostic isn't saved.
6126 (impl_region_model_context::purge_state_involving): New.
6127 (impl_sm_context::get_state): Use NULL ctxt when querying old
6128 rvalue.
6129 (impl_sm_context::set_next_state): Use new sval when querying old
6130 state.
6131 (class dump_path_diagnostic): Move to region-model.cc
6132 (exploded_node::on_stmt): Move to on_stmt_pre and on_stmt_post.
6133 Remove call to purge_state_involving.
6134 (exploded_node::on_stmt_pre): New, based on the above. Move most
6135 of it to region_model::on_stmt_pre.
6136 (exploded_node::on_stmt_post): Likewise, moving to
6137 region_model::on_stmt_post.
6138 (class stale_jmp_buf): Fix parent class to use curiously recurring
6139 template pattern.
6140 (feasibility_state::maybe_update_for_edge): Call on_call_pre and
6141 on_call_post on gcalls.
6142 * exploded-graph.h (impl_region_model_context::warn): Return bool.
6143 (impl_region_model_context::purge_state_involving): New decl.
6144 (exploded_node::on_stmt_pre): New decl.
6145 (exploded_node::on_stmt_post): New decl.
6146 * pending-diagnostic.h (pending_diagnostic::use_of_uninit_p): New.
6147 (pending_diagnostic::supercedes_p): New.
6148 * program-state.cc (sm_state_map::get_state): Inherit state for
6149 conjured_svalue as well as initial_svalue.
6150 (sm_state_map::purge_state_involving): Also support SK_CONJURED.
6151 * region-model-impl-calls.cc (call_details::get_uncertainty):
6152 Handle m_ctxt being NULL.
6153 (call_details::get_or_create_conjured_svalue): New.
6154 (region_model::impl_call_fgets): New.
6155 (region_model::impl_call_fread): New.
6156 * region-model-manager.cc
6157 (region_model_manager::get_or_create_initial_value): Return an
6158 uninitialized poisoned value for regions that can't have initial
6159 values.
6160 * region-model-reachability.cc
6161 (reachable_regions::mark_escaped_clusters): Handle ctxt being
6162 NULL.
6163 * region-model.cc (region_to_value_map::purge_state_involving): New.
6164 (poisoned_value_diagnostic::use_of_uninit_p): New.
6165 (poisoned_value_diagnostic::emit): Handle POISON_KIND_UNINIT.
6166 (poisoned_value_diagnostic::describe_final_event): Likewise.
6167 (region_model::check_for_poison): New.
6168 (region_model::on_assignment): Call it.
6169 (class dump_path_diagnostic): Move here from engine.cc.
6170 (region_model::on_stmt_pre): New, based on exploded_node::on_stmt.
6171 (region_model::on_call_pre): Move the setting of the LHS to a
6172 conjured svalue to before the checks for specific functions.
6173 Handle "fgets", "fgets_unlocked", and "fread".
6174 (region_model::purge_state_involving): New.
6175 (region_model::handle_unrecognized_call): Handle ctxt being NULL.
6176 (region_model::get_rvalue): Call check_for_poison.
6177 (selftest::test_stack_frames): Use NULL for context when getting
6178 uninitialized rvalue.
6179 (selftest::test_alloca): Likewise.
6180 * region-model.h (region_to_value_map::purge_state_involving): New
6181 decl.
6182 (call_details::get_or_create_conjured_svalue): New decl.
6183 (region_model::on_stmt_pre): New decl.
6184 (region_model::purge_state_involving): New decl.
6185 (region_model::impl_call_fgets): New decl.
6186 (region_model::impl_call_fread): New decl.
6187 (region_model::check_for_poison): New decl.
6188 (region_model_context::warn): Return bool.
6189 (region_model_context::purge_state_involving): New.
6190 (noop_region_model_context::warn): Return bool.
6191 (noop_region_model_context::purge_state_involving): New.
6192 (test_region_model_context:: warn): Return bool.
6193 * region.cc (region::get_memory_space): New.
6194 (region::can_have_initial_svalue_p): New.
6195 (region::involves_p): New.
6196 * region.h (enum memory_space): New.
6197 (region::get_memory_space): New decl.
6198 (region::can_have_initial_svalue_p): New decl.
6199 (region::involves_p): New decl.
6200 * sm-malloc.cc (use_after_free::supercedes_p): New.
6201 * store.cc (binding_cluster::purge_state_involving): New.
6202 (store::purge_state_involving): New.
6203 * store.h (class symbolic_binding): New forward decl.
6204 (binding_key::dyn_cast_symbolic_binding): New.
6205 (symbolic_binding::dyn_cast_symbolic_binding): New.
6206 (binding_cluster::purge_state_involving): New.
6207 (store::purge_state_involving): New.
6208 * svalue.cc (svalue::can_merge_p): Reject attempts to merge
6209 poisoned svalues with other svalues, so that we identify
6210 paths in which a variable is conditionally uninitialized.
6211 (involvement_visitor::visit_conjured_svalue): New.
6212 (svalue::involves_p): Also handle SK_CONJURED.
6213 (poison_kind_to_str): Handle POISON_KIND_UNINIT.
6214 (poisoned_svalue::maybe_fold_bits_within): New.
6215 * svalue.h (enum poison_kind): Add POISON_KIND_UNINIT.
6216 (poisoned_svalue::maybe_fold_bits_within): New decl.
6217
62182021-07-15 David Malcolm <dmalcolm@redhat.com>
6219
6220 * analyzer.opt (fdump-analyzer-exploded-paths): New.
6221 * diagnostic-manager.cc
6222 (diagnostic_manager::emit_saved_diagnostic): Implement it.
6223 * engine.cc (exploded_path::dump_to_pp): Add ext_state param and
6224 use it to dump states if non-NULL.
6225 (exploded_path::dump): Likewise.
6226 (exploded_path::dump_to_file): New.
6227 * exploded-graph.h (exploded_path::dump_to_pp): Add ext_state
6228 param.
6229 (exploded_path::dump): Likewise.
6230 (exploded_path::dump): Likewise.
6231 (exploded_path::dump_to_file): New.
6232
62332021-07-15 David Malcolm <dmalcolm@redhat.com>
6234
6235 * analyzer.cc (fixup_tree_for_diagnostic_1): Use DECL_DEBUG_EXPR
6236 if it's available.
6237 * engine.cc (readability): Likewise.
6238
62392021-07-15 David Malcolm <dmalcolm@redhat.com>
6240
6241 * state-purge.cc (self_referential_phi_p): New.
6242 (state_purge_per_ssa_name::process_point): Don't purge an SSA name
6243 at its def-stmt if the def-stmt is self-referential.
6244
c24a9707
GA		 62452021-07-07 David Malcolm <dmalcolm@redhat.com>
6246
6247 * diagnostic-manager.cc (null_assignment_sm_context::get_state):
6248 New overload.
6249 (null_assignment_sm_context::set_next_state): New overload.
6250 (null_assignment_sm_context::get_diagnostic_tree): New.
6251 * engine.cc (impl_sm_context::get_state): New overload.
6252 (impl_sm_context::set_next_state): New overload.
6253 (impl_sm_context::get_diagnostic_tree): New overload.
6254 (impl_region_model_context::on_condition): Convert params from
6255 tree to const svalue *.
6256 * exploded-graph.h (impl_region_model_context::on_condition):
6257 Likewise.
6258 * region-model.cc (region_model::on_call_pre): Move handling of
6259 internal calls to before checking for get_fndecl_for_call.
6260 (region_model::add_constraints_from_binop): New.
6261 (region_model::add_constraint): Split out into a new overload
6262 working on const svalue * rather than tree. Call
6263 add_constraints_from_binop. Drop call to
6264 add_any_constraints_from_ssa_def_stmt.
6265 (region_model::add_any_constraints_from_ssa_def_stmt): Delete.
6266 (region_model::add_any_constraints_from_gassign): Delete.
6267 (region_model::add_any_constraints_from_gcall): Delete.
6268 * region-model.h
6269 (region_model::add_any_constraints_from_ssa_def_stmt): Delete.
6270 (region_model::add_any_constraints_from_gassign): Delete.
6271 (region_model::add_any_constraints_from_gcall): Delete.
6272 (region_model::add_constraint): Add overload decl.
6273 (region_model::add_constraints_from_binop): New decl.
6274 (region_model_context::on_condition): Convert params from tree to
6275 const svalue *.
6276 (noop_region_model_context::on_condition): Likewise.
6277 * sm-file.cc (fileptr_state_machine::condition): Likewise.
6278 * sm-malloc.cc (malloc_state_machine::on_condition): Likewise.
6279 * sm-pattern-test.cc: Include tristate.h, selftest.h,
6280 analyzer/call-string.h, analyzer/program-point.h,
6281 analyzer/store.h, and analyzer/region-model.h.
6282 (pattern_test_state_machine::on_condition): Convert params from tree to
6283 const svalue *.
6284 * sm-sensitive.cc (sensitive_state_machine::on_condition): Delete.
6285 * sm-signal.cc (signal_state_machine::on_condition): Delete.
6286 * sm-taint.cc (taint_state_machine::on_condition): Convert params
6287 from tree to const svalue *.
6288 * sm.cc: Include tristate.h, selftest.h, analyzer/call-string.h,
6289 analyzer/program-point.h, analyzer/store.h, and
6290 analyzer/region-model.h.
6291 (any_pointer_p): Add overload taking const svalue *sval.
6292 * sm.h (any_pointer_p): Add overload taking const svalue *sval.
6293 (state_machine::on_condition): Convert params from tree to
6294 const svalue *. Provide no-op default implementation.
6295 (sm_context::get_state): Add overload taking const svalue *sval.
6296 (sm_context::set_next_state): Likewise.
6297 (sm_context::on_transition): Likewise.
6298 (sm_context::get_diagnostic_tree): Likewise.
6299 * svalue.cc (svalue::all_zeroes_p): New.
6300 (constant_svalue::all_zeroes_p): New.
6301 (repeated_svalue::all_zeroes_p): Convert to vfunc.
6302 * svalue.h (svalue::all_zeroes_p): New decl.
6303 (constant_svalue::all_zeroes_p): New decl.
6304 (repeated_svalue::all_zeroes_p): Convert decl to vfunc.
6305
25b6bfea
GA		 63062021-06-30 David Malcolm <dmalcolm@redhat.com>
6307
6308 PR analyzer/95006
6309 * analyzer.h (class repeated_svalue): New forward decl.
6310 (class bits_within_svalue): New forward decl.
6311 (class sized_region): New forward decl.
6312 (get_field_at_bit_offset): New forward decl.
6313 * engine.cc (exploded_graph::get_or_create_node): Validate the
6314 merged state.
6315 (exploded_graph::maybe_process_run_of_before_supernode_enodes):
6316 Validate the states at each stage.
6317 * program-state.cc (program_state::validate): Validate
6318 m_region_model.
6319 * region-model-impl-calls.cc (region_model::impl_call_memset):
6320 Replace special-case logic for handling constant sizes with
6321 a call to fill_region of a sized_region with the given fill value.
6322 * region-model-manager.cc (maybe_undo_optimize_bit_field_compare):
6323 Drop DK_direct.
6324 (region_model_manager::maybe_fold_sub_svalue): Fold element-based
6325 subregions of an initial value into initial values of an element.
6326 Fold subvalues of repeated svalues.
6327 (region_model_manager::maybe_fold_repeated_svalue): New.
6328 (region_model_manager::get_or_create_repeated_svalue): New.
6329 (get_bit_range_for_field): New.
6330 (get_byte_range_for_field): New.
6331 (get_field_at_byte_range): New.
6332 (region_model_manager::maybe_fold_bits_within_svalue): New.
6333 (region_model_manager::get_or_create_bits_within): New.
6334 (region_model_manager::get_sized_region): New.
6335 (region_model_manager::log_stats): Update for addition of
6336 m_repeated_values_map, m_bits_within_values_map, and
6337 m_sized_regions.
6338 * region-model.cc (region_model::validate): New.
6339 (region_model::on_assignment): Drop enum binding_kind.
6340 (region_model::get_initial_value_for_global): Likewise.
6341 (region_model::get_rvalue_for_bits): Replace body with call to
6342 get_or_create_bits_within.
6343 (region_model::get_capacity): Handle RK_SIZED.
6344 (region_model::set_value): Drop enum binding_kind.
6345 (region_model::fill_region): New.
6346 (region_model::get_representative_path_var_1): Handle RK_SIZED.
6347 * region-model.h (visitor::visit_repeated_svalue): New.
6348 (visitor::visit_bits_within_svalue): New.
6349 (region_model_manager::get_or_create_repeated_svalue): New decl.
6350 (region_model_manager::get_or_create_bits_within): New decl.
6351 (region_model_manager::get_sized_region): New decl.
6352 (region_model_manager::maybe_fold_repeated_svalue): New decl.
6353 (region_model_manager::maybe_fold_bits_within_svalue): New decl.
6354 (region_model_manager::repeated_values_map_t): New typedef.
6355 (region_model_manager::m_repeated_values_map): New field.
6356 (region_model_manager::bits_within_values_map_t): New typedef.
6357 (region_model_manager::m_bits_within_values_map): New field.
6358 (region_model_manager::m_sized_regions): New field.
6359 (region_model::fill_region): New decl.
6360 * region.cc (region::get_base_region): Handle RK_SIZED.
6361 (region::base_region_p): Likewise.
6362 (region::get_byte_size_sval): New.
6363 (get_field_at_bit_offset): Make non-static.
6364 (region::calc_offset): Move implementation of cases to
6365 get_relative_concrete_offset vfunc implementations. Handle
6366 RK_SIZED.
6367 (region::get_relative_concrete_offset): New.
6368 (decl_region::get_svalue_for_initializer): Drop enum binding_kind.
6369 (field_region::get_relative_concrete_offset): New, from
6370 region::calc_offset.
6371 (element_region::get_relative_concrete_offset): Likewise.
6372 (offset_region::get_relative_concrete_offset): Likewise.
6373 (sized_region::accept): New.
6374 (sized_region::dump_to_pp): New.
6375 (sized_region::get_byte_size): New.
6376 (sized_region::get_bit_size): New.
6377 * region.h (enum region_kind): Add RK_SIZED.
6378 (region::dyn_cast_sized_region): New.
6379 (region::get_byte_size): Make virtual.
6380 (region::get_bit_size): Likewise.
6381 (region::get_byte_size_sval): New decl.
6382 (region::get_relative_concrete_offset): New decl.
6383 (field_region::get_relative_concrete_offset): New decl.
6384 (element_region::get_relative_concrete_offset): Likewise.
6385 (offset_region::get_relative_concrete_offset): Likewise.
6386 (class sized_region): New.
6387 * store.cc (binding_kind_to_string): Delete.
6388 (binding_key::make): Drop enum binding_kind.
6389 (binding_key::dump_to_pp): Delete.
6390 (binding_key::cmp_ptrs): Drop enum binding_kind.
6391 (bit_range::contains_p): New.
6392 (byte_range::dump): New.
6393 (byte_range::contains_p): New.
6394 (byte_range::cmp): New.
6395 (concrete_binding::dump_to_pp): Drop enum binding_kind.
6396 (concrete_binding::cmp_ptr_ptr): Likewise.
6397 (symbolic_binding::dump_to_pp): Likewise.
6398 (symbolic_binding::cmp_ptr_ptr): Likewise.
6399 (binding_map::apply_ctor_val_to_range): Likewise.
6400 (binding_map::apply_ctor_pair_to_child_region): Likewise.
6401 (binding_map::get_overlapping_bindings): New.
6402 (binding_map::remove_overlapping_bindings): New.
6403 (binding_cluster::validate): New.
6404 (binding_cluster::bind): Drop enum binding_kind.
6405 (binding_cluster::bind_compound_sval): Likewise.
6406 (binding_cluster::purge_region): Likewise.
6407 (binding_cluster::zero_fill_region): Reimplement in terms of...
6408 (binding_cluster::fill_region): New.
6409 (binding_cluster::mark_region_as_unknown): Drop enum binding_kind.
6410 (binding_cluster::get_binding): Likewise.
6411 (binding_cluster::get_binding_recursive): Likewise.
6412 (binding_cluster::get_any_binding): Likewise.
6413 (binding_cluster::maybe_get_compound_binding): Reimplement.
6414 (binding_cluster::get_overlapping_bindings): Delete.
6415 (binding_cluster::remove_overlapping_bindings): Reimplement in
6416 terms of binding_map::remove_overlapping_bindings.
6417 (binding_cluster::can_merge_p): Update for removal of
6418 enum binding_kind.
6419 (binding_cluster::on_unknown_fncall): Drop enum binding_kind.
6420 (binding_cluster::maybe_get_simple_value): Likewise.
6421 (store_manager::get_concrete_binding): Likewise.
6422 (store_manager::get_symbolic_binding): Likewise.
6423 (store::validate): New.
6424 (store::set_value): Drop enum binding_kind.
6425 (store::zero_fill_region): Reimplement in terms of...
6426 (store::fill_region): New.
6427 (selftest::test_binding_key_overlap): Drop enum binding_kind.
6428 * store.h (enum binding_kind): Delete.
6429 (binding_kind_to_string): Delete decl.
6430 (binding_key::make): Drop enum binding_kind.
6431 (binding_key::dump_to_pp): Make pure virtual.
6432 (binding_key::get_kind): Delete.
6433 (binding_key::mark_deleted): Delete.
6434 (binding_key::mark_empty): Delete.
6435 (binding_key::is_deleted): Delete.
6436 (binding_key::is_empty): Delete.
6437 (binding_key::binding_key): Delete.
6438 (binding_key::impl_hash): Delete.
6439 (binding_key::impl_eq): Delete.
6440 (binding_key::m_kind): Delete.
6441 (bit_range::get_last_bit_offset): New.
6442 (bit_range::contains_p): New.
6443 (byte_range::contains_p): New.
6444 (byte_range::operator==): New.
6445 (byte_range::get_start_byte_offset): New.
6446 (byte_range::get_next_byte_offset): New.
6447 (byte_range::get_last_byte_offset): New.
6448 (byte_range::as_bit_range): New.
6449 (byte_range::cmp): New.
6450 (concrete_binding::concrete_binding): Drop enum binding_kind.
6451 (concrete_binding::hash): Likewise.
6452 (concrete_binding::operator==): Likewise.
6453 (concrete_binding::mark_deleted): New.
6454 (concrete_binding::mark_empty): New.
6455 (concrete_binding::is_deleted): New.
6456 (concrete_binding::is_empty): New.
6457 (default_hash_traits<ana::concrete_binding>::empty_zero_p): Make false.
6458 (symbolic_binding::symbolic_binding): Drop enum binding_kind.
6459 (symbolic_binding::hash): Likewise.
6460 (symbolic_binding::operator==): Likewise.
6461 (symbolic_binding::mark_deleted): New.
6462 (symbolic_binding::mark_empty): New.
6463 (symbolic_binding::is_deleted): New.
6464 (symbolic_binding::is_empty): New.
6465 (binding_map::remove_overlapping_bindings): New decl.
6466 (binding_map::get_overlapping_bindings): New decl.
6467 (binding_cluster::validate): New decl.
6468 (binding_cluster::bind): Drop enum binding_kind.
6469 (binding_cluster::fill_region): New decl.
6470 (binding_cluster::get_binding): Drop enum binding_kind.
6471 (binding_cluster::get_binding_recursive): Likewise.
6472 (binding_cluster::get_overlapping_bindings): Delete.
6473 (store::validate): New decl.
6474 (store::set_value): Drop enum binding_kind.
6475 (store::fill_region): New decl.
6476 (store_manager::get_concrete_binding): Drop enum binding_kind.
6477 (store_manager::get_symbolic_binding): Likewise.
6478 * svalue.cc (svalue::cmp_ptr): Handle SK_REPEATED and
6479 SK_BITS_WITHIN.
6480 (svalue::extract_bit_range): New.
6481 (svalue::maybe_fold_bits_within): New.
6482 (constant_svalue::maybe_fold_bits_within): New.
6483 (unknown_svalue::maybe_fold_bits_within): New.
6484 (unaryop_svalue::maybe_fold_bits_within): New.
6485 (repeated_svalue::repeated_svalue): New.
6486 (repeated_svalue::dump_to_pp): New.
6487 (repeated_svalue::accept): New.
6488 (repeated_svalue::all_zeroes_p): New.
6489 (repeated_svalue::maybe_fold_bits_within): New.
6490 (bits_within_svalue::bits_within_svalue): New.
6491 (bits_within_svalue::dump_to_pp): New.
6492 (bits_within_svalue::maybe_fold_bits_within): New.
6493 (bits_within_svalue::accept): New.
6494 (bits_within_svalue::implicitly_live_p): New.
6495 (compound_svalue::maybe_fold_bits_within): New.
6496 * svalue.h (enum svalue_kind): Add SK_REPEATED and SK_BITS_WITHIN.
6497 (svalue::dyn_cast_repeated_svalue): New.
6498 (svalue::dyn_cast_bits_within_svalue): New.
6499 (svalue::extract_bit_range): New decl.
6500 (svalue::maybe_fold_bits_within): New vfunc decl.
6501 (region_svalue::key_t::mark_empty): Use 2 rather than NULL_TREE.
6502 (region_svalue::key_t::is_empty): Likewise.
6503 (default_hash_traits<region_svalue::key_t>::empty_zero_p): Make false.
6504 (constant_svalue::maybe_fold_bits_within): New.
6505 (unknown_svalue::maybe_fold_bits_within): New.
6506 (poisoned_svalue::key_t::mark_empty): Use 2 rather than NULL_TREE.
6507 (poisoned_svalue::key_t::is_empty): Likewise.
6508 (default_hash_traits<poisoned_svalue::key_t>::empty_zero_p): Make
6509 false.
6510 (setjmp_svalue::key_t::mark_empty): Use 2 rather than NULL_TREE.
6511 (setjmp_svalue::key_t::is_empty): Likewise.
6512 (default_hash_traits<setjmp_svalue::key_t>::empty_zero_p): Make
6513 false.
6514 (unaryop_svalue::key_t::mark_empty): Use 2 rather than NULL_TREE.
6515 (unaryop_svalue::key_t::is_empty): Likewise.
6516 (unaryop_svalue::maybe_fold_bits_within): New.
6517 (default_hash_traits<unaryop_svalue::key_t>::empty_zero_p): Make
6518 false.
6519 (binop_svalue::key_t::mark_empty): Use 2 rather than NULL_TREE.
6520 (binop_svalue::key_t::is_empty): Likewise.
6521 (default_hash_traits<binop_svalue::key_t>::empty_zero_p): Make
6522 false.
6523 (sub_svalue::key_t::mark_empty): Use 2 rather than NULL_TREE.
6524 (sub_svalue::key_t::is_empty): Likewise.
6525 (default_hash_traits<sub_svalue::key_t>::empty_zero_p): Make
6526 false.
6527 (class repeated_svalue): New.
6528 (is_a_helper <const repeated_svalue *>::test): New.
6529 (struct default_hash_traits<repeated_svalue::key_t>): New.
6530 (class bits_within_svalue): New.
6531 (is_a_helper <const bits_within_svalue *>::test): New.
6532 (struct default_hash_traits<bits_within_svalue::key_t>): New.
6533 (widening_svalue::key_t::mark_empty): Use 2 rather than NULL_TREE.
6534 (widening_svalue::key_t::is_empty): Likewise.
6535 (default_hash_traits<widening_svalue::key_t>::empty_zero_p): Make
6536 false.
6537 (compound_svalue::key_t::mark_empty): Use 2 rather than NULL_TREE.
6538 (compound_svalue::key_t::is_empty): Likewise.
6539 (compound_svalue::maybe_fold_bits_within): New.
6540 (default_hash_traits<compound_svalue::key_t>::empty_zero_p): Make
6541 false.
6542
c8abc205
GA		 65432021-06-28 David Malcolm <dmalcolm@redhat.com>
6544
6545 * analyzer.h (byte_offset_t): New typedef.
6546 * store.cc (bit_range::dump_to_pp): Dump as a byte range if
6547 possible.
6548 (bit_range::as_byte_range): New.
6549 (byte_range::dump_to_pp): New.
6550 * store.h (class byte_range): New forward decl.
6551 (struct bit_range): Add comment.
6552 (bit_range::as_byte_range): New decl.
6553 (struct byte_range): New.
6554
419af06a
GA		 65552021-06-22 David Malcolm <dmalcolm@redhat.com>
6556
6557 PR analyzer/101143
6558 * region-model.cc (compat_types_p): New function.
6559 (region_model::create_region_for_heap_alloc): Convert assertion to
6560 an error check.
6561 (region_model::create_region_for_alloca): Likewise.
6562
c5581d48
GA		 65632021-06-18 David Malcolm <dmalcolm@redhat.com>
6564
6565 * store.cc (binding_cluster::get_any_binding): Make symbolic reads
6566 from a cluster with concrete bindings return unknown.
6567
65682021-06-18 David Malcolm <dmalcolm@redhat.com>
6569
6570 * region-model-manager.cc
6571 (region_model_manager::get_or_create_int_cst): New.
6572 (region_model_manager::maybe_undo_optimize_bit_field_compare): Use
6573 it to simplify away a local tree.
6574 * region-model.cc (region_model::on_setjmp): Likewise.
6575 (region_model::on_longjmp): Likewise.
6576 * region-model.h (region_model_manager::get_or_create_int_cst):
6577 New decl.
6578 * store.cc (binding_cluster::zero_fill_region): Use it to simplify
6579 away a local tree.
6580
65812021-06-18 David Malcolm <dmalcolm@redhat.com>
6582
6583 * checker-path.cc (class custom_event): Make abstract to allow for
6584 custom vfuncs, splitting existing implementation into...
6585 (class precanned_custom_event): New subclass.
6586 (custom_event::get_desc): Move to...
6587 (precanned_custom_event::get_desc): ...subclass.
6588 * checker-path.h (class custom_event): Make abstract to allow for
6589 custom vfuncs, splitting existing implementation into...
6590 (class precanned_custom_event): New subclass.
6591 * diagnostic-manager.cc (diagnostic_manager::add_events_for_eedge):
6592 Use precanned_custom_event.
6593 * engine.cc
6594 (stale_jmp_buf::maybe_add_custom_events_for_superedge): Likewise.
6595 * sm-signal.cc (signal_delivery_edge_info_t::add_events_to_path):
6596 Likewise.
6597
ede6c356
GA		 65982021-06-15 David Malcolm <dmalcolm@redhat.com>
6599
6600 PR analyzer/99212
6601 PR analyzer/101082
6602 * engine.cc: Include "target.h".
6603 (impl_run_checkers): Log BITS_BIG_ENDIAN, BYTES_BIG_ENDIAN, and
6604 WORDS_BIG_ENDIAN.
6605 * region-model-manager.cc
6606 (region_model_manager::maybe_fold_binop): Move support for masking
6607 via ARG0 & CST into...
6608 (region_model_manager::maybe_undo_optimize_bit_field_compare):
6609 ...this new function. Flatten by converting from nested
6610 conditionals to a series of early return statements to reject
6611 failures. Reject if type is not unsigned_char_type_node.
6612 Handle BYTES_BIG_ENDIAN when determining which bits are bound
6613 in the binding_map.
6614 * region-model.h
6615 (region_model_manager::maybe_undo_optimize_bit_field_compare):
6616 New decl.
6617 * store.cc (bit_range::dump): New function.
6618 * store.h (bit_range::dump): New decl.
6619
66202021-06-15 David Malcolm <dmalcolm@redhat.com>
6621
6622 * engine.cc (exploded_node::on_stmt): Handle __analyzer_dump_capacity.
6623 (exploded_node::on_stmt): Drop m_sm_changes from on_stmt_flags.
6624 (state_change_requires_new_enode_p): New function...
6625 (exploded_graph::process_node): Call it, rather than querying
6626 flags.m_sm_changes, so that dynamic-extent differences can also
6627 trigger the splitting of nodes.
6628 * exploded-graph.h (struct on_stmt_flags): Drop field m_sm_changes.
6629 * program-state.cc (program_state::detect_leaks): Purge dead
6630 heap-allocated regions from dynamic extents.
6631 (selftest::test_program_state_1): Fix type of "size_in_bytes".
6632 (selftest::test_program_state_merging): Likewise.
6633 * region-model-impl-calls.cc
6634 (region_model::impl_call_analyzer_dump_capacity): New.
6635 (region_model::impl_call_free): Remove dynamic extents from the
6636 freed region.
6637 * region-model-reachability.h
6638 (reachable_regions::begin_mutable_base_regs): New.
6639 (reachable_regions::end_mutable_base_regs): New.
6640 * region-model.cc: Include "tree-object-size.h".
6641 (region_model::region_model): Support new field m_dynamic_extents.
6642 (region_model::operator=): Likewise.
6643 (region_model::operator==): Likewise.
6644 (region_model::dump_to_pp): Dump sizes of dynamic regions.
6645 (region_model::handle_unrecognized_call): Purge dynamic extents
6646 from any regions that have escaped mutably:.
6647 (region_model::get_capacity): New function.
6648 (region_model::add_constraint): Unset dynamic extents when a
6649 heap-allocated region's address is NULL.
6650 (region_model::unbind_region_and_descendents): Purge dynamic
6651 extents of unbound regions.
6652 (region_model::can_merge_with_p): Call
6653 m_dynamic_extents.can_merge_with_p.
6654 (region_model::create_region_for_heap_alloc): Assert that
6655 size_in_bytes's type is compatible with size_type_node. Update
6656 for renaming of record_dynamic_extents to set_dynamic_extents.
6657 (region_model::create_region_for_alloca): Likewise.
6658 (region_model::record_dynamic_extents): Rename to...
6659 (region_model::set_dynamic_extents): ...this. Assert that
6660 size_in_bytes's type is compatible with size_type_node. Add it
6661 to the m_dynamic_extents map.
6662 (region_model::get_dynamic_extents): New.
6663 (region_model::unset_dynamic_extents): New.
6664 (selftest::test_state_merging): Fix type of "size".
6665 (selftest::test_malloc_constraints): Likewise.
6666 (selftest::test_malloc): Verify dynamic extents.
6667 (selftest::test_alloca): Likewise.
6668 * region-model.h (region_to_value_map::is_empty): New.
6669 (region_model::dynamic_extents_t): New typedef.
6670 (region_model::impl_call_analyzer_dump_capacity): New decl.
6671 (region_model::get_dynamic_extents): New function.
6672 (region_model::get_dynamic_extents): New decl.
6673 (region_model::set_dynamic_extents): New decl.
6674 (region_model::unset_dynamic_extents): New decl.
6675 (region_model::get_capacity): New decl.
6676 (region_model::record_dynamic_extents): Rename to set_dynamic_extents.
6677 (region_model::m_dynamic_extents): New field.
6678
66792021-06-15 David Malcolm <dmalcolm@redhat.com>
6680
6681 * region-model.cc (region_to_value_map::operator=): New.
6682 (region_to_value_map::operator==): New.
6683 (region_to_value_map::dump_to_pp): New.
6684 (region_to_value_map::dump): New.
6685 (region_to_value_map::can_merge_with_p): New.
6686 * region-model.h (class region_to_value_map): New class.
6687
4e70c34e
GA		 66882021-06-13 Trevor Saunders <tbsaunde@tbsaunde.org>
6689
6690 * call-string.cc (call_string::call_string): Use range based for
6691 to iterate over vec<>.
6692 (call_string::to_json): Likewise.
6693 (call_string::hash): Likewise.
6694 (call_string::calc_recursion_depth): Likewise.
6695 * checker-path.cc (checker_path::fixup_locations): Likewise.
6696 * constraint-manager.cc (equiv_class::equiv_class): Likewise.
6697 (equiv_class::to_json): Likewise.
6698 (equiv_class::hash): Likewise.
6699 (constraint_manager::to_json): Likewise.
6700 * engine.cc (impl_region_model_context::on_svalue_leak):
6701 Likewise.
6702 (on_liveness_change): Likewise.
6703 (impl_region_model_context::on_unknown_change): Likewise.
6704 * program-state.cc (sm_state_map::set_state): Likewise.
6705 * region-model.cc (test_canonicalization_4): Likewise.
6706
f16f65f8
GA		 67072021-06-11 David Malcolm <dmalcolm@redhat.com>
6708
6709 * engine.cc (worklist::key_t::cmp): Move sort by call_string to
6710 before SCC.
6711
4f625f47
GA		 67122021-06-09 David Malcolm <dmalcolm@redhat.com>
6713
6714 * region-model.cc (region_model::get_lvalue_1): Make const.
6715 (region_model::get_lvalue): Likewise.
6716 (region_model::get_rvalue_1): Likewise.
6717 (region_model::get_rvalue): Likewise.
6718 (region_model::deref_rvalue): Likewise.
6719 (region_model::get_rvalue_for_bits): Likewise.
6720 * region-model.h (region_model::get_lvalue): Likewise.
6721 (region_model::get_rvalue): Likewise.
6722 (region_model::deref_rvalue): Likewise.
6723 (region_model::get_rvalue_for_bits): Likewise.
6724 (region_model::get_lvalue_1): Likewise.
6725 (region_model::get_rvalue_1): Likewise.
6726
c6038721
GA		 67272021-06-08 David Malcolm <dmalcolm@redhat.com>
6728
6729 PR analyzer/99212
6730 * region-model-manager.cc
6731 (region_model_manager::maybe_fold_binop): Add support for folding
6732 BIT_AND_EXPR of compound_svalue and a mask constant.
6733 * region-model.cc (region_model::get_rvalue_1): Implement
6734 BIT_FIELD_REF in terms of...
6735 (region_model::get_rvalue_for_bits): New function.
6736 * region-model.h (region_model::get_rvalue_for_bits): New decl.
6737 * store.cc (bit_range::from_mask): New function.
6738 (selftest::test_bit_range_intersects_p): New selftest.
6739 (selftest::assert_bit_range_from_mask_eq): New.
6740 (ASSERT_BIT_RANGE_FROM_MASK_EQ): New macro.
6741 (selftest::assert_no_bit_range_from_mask_eq): New.
6742 (ASSERT_NO_BIT_RANGE_FROM_MASK): New macro.
6743 (selftest::test_bit_range_from_mask): New selftest.
6744 (selftest::analyzer_store_cc_tests): Call the new selftests.
6745 * store.h (bit_range::intersects_p): New.
6746 (bit_range::from_mask): New decl.
6747 (concrete_binding::get_bit_range): New accessor.
6748 (store_manager::get_concrete_binding): New overload taking
6749 const bit_range &.
6750
67512021-06-08 David Malcolm <dmalcolm@redhat.com>
6752
6753 * analyzer.h (int_size_in_bits): New decl.
6754 * region.cc (int_size_in_bits): New function.
6755 (region::get_bit_size): Reimplement in terms of the above.
6756
67572021-06-08 David Malcolm <dmalcolm@redhat.com>
6758
6759 * store.cc (concrete_binding::dump_to_pp): Move bulk of
6760 implementation to...
6761 (bit_range::dump_to_pp): ...this new function.
6762 (bit_range::cmp): New.
6763 (concrete_binding::overlaps_p): Update for use of bit_range.
6764 (concrete_binding::cmp_ptr_ptr): Likewise.
6765 * store.h (struct bit_range): New.
6766 (class concrete_binding): Replace fields m_start_bit_offset and
6767 m_size_in_bits with new field m_bit_range.
6768
67692021-06-08 David Malcolm <dmalcolm@redhat.com>
6770
6771 * svalue.h (conjured_svalue::iterator_t): Delete.
6772
440c8a0a
GA		 67732021-06-03 David Malcolm <dmalcolm@redhat.com>
6774
6775 * store.h (store::get_direct_binding): Remove unused decl.
6776 (store::get_default_binding): Likewise.
6777
67782021-06-03 David Malcolm <dmalcolm@redhat.com>
6779
6780 * svalue.cc (poisoned_svalue::dump_to_pp): Dump type.
6781 (compound_svalue::dump_to_pp): Dump any type.
6782
a8daf9a1
GA		 67832021-05-18 David Malcolm <dmalcolm@redhat.com>
6784
6785 PR analyzer/100615
6786 * sm-malloc.cc: Include "analyzer/function-set.h".
6787 (malloc_state_machine::on_stmt): Call unaffected_by_call_p and
6788 bail on the functions it recognizes.
6789 (malloc_state_machine::unaffected_by_call_p): New.
6790
aa891c56
GA		 67912021-05-10 Martin Liska <mliska@suse.cz>
6792
6793 * sm-file.cc (is_file_using_fn_p): Use startswith
6794 function instead of strncmp.
6795
67962021-05-10 Martin Liska <mliska@suse.cz>
6797
6798 * program-state.cc (program_state::operator=): Remove
6799 __cplusplus >= 201103.
6800 (program_state::program_state): Likewise.
6801 * program-state.h: Likewise.
6802 * region-model.h (class region_model): Remove dead code.
6803
502ef97c
GA		 68042021-04-24 David Malcolm <dmalcolm@redhat.com>
6805
6806 PR analyzer/100244
6807 * sm-malloc.cc (free_of_non_heap::describe_state_change):
6808 Bulletproof against change.m_expr being NULL.
6809
6d0d35d5
GA		 68102021-04-13 David Malcolm <dmalcolm@redhat.com>
6811
6812 PR analyzer/98599
6813 * supergraph.cc (saved_uids::make_uid_unique): New.
6814 (saved_uids::restore_uids): New.
6815 (supergraph::supergraph): Replace assignments to stmt->uid with
6816 calls to m_stmt_uids.make_uid_unique.
6817 (supergraph::~supergraph): New.
6818 * supergraph.h (class saved_uids): New.
6819 (supergraph::~supergraph): New decl.
6820 (supergraph::m_stmt_uids): New field.
6821
1d54b138
GA		 68222021-04-10 David Malcolm <dmalcolm@redhat.com>
6823
6824 PR analyzer/100011
6825 * region-model.cc (region_model::on_assignment): Avoid NULL
6826 dereference if ctxt is NULL when assigning from a STRING_CST.
6827
019a9220
GA		 68282021-04-08 David Malcolm <dmalcolm@redhat.com>
6829
6830 PR analyzer/99042
6831 PR analyzer/99774
6832 * engine.cc
6833 (impl_region_model_context::impl_region_model_context): Add
6834 uncertainty param and use it to initialize m_uncertainty.
6835 (impl_region_model_context::get_uncertainty): New.
6836 (impl_sm_context::get_fndecl_for_call): Add NULL for new
6837 uncertainty param when constructing impl_region_model_context.
6838 (impl_sm_context::get_state): Likewise.
6839 (impl_sm_context::set_next_state): Likewise.
6840 (impl_sm_context::warn): Likewise.
6841 (exploded_node::on_stmt): Add uncertainty param
6842 and use it when constructing impl_region_model_context.
6843 (exploded_node::on_edge): Add uncertainty param and pass
6844 to on_edge call.
6845 (exploded_node::detect_leaks): Create uncertainty_t and pass to
6846 impl_region_model_context.
6847 (exploded_graph::get_or_create_node): Create uncertainty_t and
6848 pass to prune_for_point.
6849 (maybe_process_run_of_before_supernode_enodes): Create
6850 uncertainty_t and pass to impl_region_model_context.
6851 (exploded_graph::process_node): Create uncertainty_t instances and
6852 pass around as needed.
6853 * exploded-graph.h
6854 (impl_region_model_context::impl_region_model_context): Add
6855 uncertainty param.
6856 (impl_region_model_context::get_uncertainty): New decl.
6857 (impl_region_model_context::m_uncertainty): New field.
6858 (exploded_node::on_stmt): Add uncertainty param.
6859 (exploded_node::on_edge): Likewise.
6860 * program-state.cc (sm_state_map::on_liveness_change): Get
6861 uncertainty from context and use it to unset sm-state from
6862 svalues as appropriate.
6863 (program_state::on_edge): Add uncertainty param and use it when
6864 constructing impl_region_model_context. Fix indentation.
6865 (program_state::prune_for_point): Add uncertainty param and use it
6866 when constructing impl_region_model_context.
6867 (program_state::detect_leaks): Get any uncertainty from ctxt and
6868 use it to get maybe-live svalues for dest_state, rather than
6869 definitely-live ones; use this when determining which svalues
6870 have leaked.
6871 (selftest::test_program_state_merging): Create uncertainty_t and
6872 pass to impl_region_model_context.
6873 * program-state.h (program_state::on_edge): Add uncertainty param.
6874 (program_state::prune_for_point): Likewise.
6875 * region-model-impl-calls.cc (call_details::get_uncertainty): New.
6876 (region_model::impl_call_memcpy): Pass uncertainty to
6877 mark_region_as_unknown call.
6878 (region_model::impl_call_memset): Likewise.
6879 (region_model::impl_call_strcpy): Likewise.
6880 * region-model-reachability.cc (reachable_regions::handle_sval):
6881 Also add sval to m_mutable_svals.
6882 * region-model.cc (region_model::on_assignment): Pass any
6883 uncertainty from ctxt to the store::set_value call.
6884 (region_model::handle_unrecognized_call): Get any uncertainty from
6885 ctxt and use it to record mutable svalues at the unknown call.
6886 (region_model::get_reachable_svalues): Add uncertainty param and
6887 use it to mark any maybe-bound svalues as being reachable.
6888 (region_model::set_value): Pass any uncertainty from ctxt to the
6889 store::set_value call.
6890 (region_model::mark_region_as_unknown): Add uncertainty param and
6891 pass it on to the store::mark_region_as_unknown call.
6892 (region_model::update_for_call_summary): Add uncertainty param and
6893 pass it on to the region_model::mark_region_as_unknown call.
6894 * region-model.h (call_details::get_uncertainty): New decl.
6895 (region_model::get_reachable_svalues): Add uncertainty param.
6896 (region_model::mark_region_as_unknown): Add uncertainty param.
6897 (region_model_context::get_uncertainty): New vfunc.
6898 (noop_region_model_context::get_uncertainty): New vfunc
6899 implementation.
6900 * store.cc (dump_svalue_set): New.
6901 (uncertainty_t::dump_to_pp): New.
6902 (uncertainty_t::dump): New.
6903 (binding_cluster::clobber_region): Pass NULL for uncertainty to
6904 remove_overlapping_bindings.
6905 (binding_cluster::mark_region_as_unknown): Add uncertainty param
6906 and pass it to remove_overlapping_bindings.
6907 (binding_cluster::remove_overlapping_bindings): Add uncertainty param.
6908 Use it to record any svalues that were in clobbered bindings.
6909 (store::set_value): Add uncertainty param. Pass it to
6910 binding_cluster::mark_region_as_unknown when handling symbolic
6911 regions.
6912 (store::mark_region_as_unknown): Add uncertainty param and pass it
6913 to binding_cluster::mark_region_as_unknown.
6914 (store::remove_overlapping_bindings): Add uncertainty param and
6915 pass it to binding_cluster::remove_overlapping_bindings.
6916 * store.h (binding_cluster::mark_region_as_unknown): Add
6917 uncertainty param.
6918 (binding_cluster::remove_overlapping_bindings): Likewise.
6919 (store::set_value): Likewise.
6920 (store::mark_region_as_unknown): Likewise.
6921
b1da9916
GA		 69222021-04-05 David Malcolm <dmalcolm@redhat.com>
6923
6924 PR analyzer/99906
6925 * analyzer.cc (maybe_reconstruct_from_def_stmt): Fix NULL
6926 dereference on calls with zero arguments.
6927 * sm-malloc.cc (malloc_state_machine::on_stmt): When handling
6928 __attribute__((nonnull)), only call get_diagnostic_tree if the
6929 result will be used.
6930
69312021-04-05 David Malcolm <dmalcolm@redhat.com>
6932
6933 PR analyzer/99886
6934 * diagnostic-manager.cc
6935 (diagnostic_manager::prune_interproc_events): Use signed integers
6936 when subtracting one from path->num_events ().
6937 (diagnostic_manager::consolidate_conditions): Likewise. Convert
6938 next_idx to a signed int.
6939
f1607029
GA		 69402021-04-01 David Malcolm <dmalcolm@redhat.com>
6941
6942 * diagnostic-manager.cc (diagnostic_manager::add_diagnostic): Make
6943 enode param non-constant, and call add_diagnostic on it. Add
6944 enode index to log message.
6945 (diagnostic_manager::add_diagnostic): Make enode param
6946 non-constant.
6947 * diagnostic-manager.h (diagnostic_manager::add_diagnostic):
6948 Likewise for both decls.
6949 * engine.cc
6950 (impl_region_model_context::impl_region_model_context): Likewise
6951 for enode_for_diag.
6952 (impl_sm_context::impl_sm_context): Likewise.
6953 (impl_sm_context::m_enode_for_diag): Likewise.
6954 (exploded_node::dump_dot): Don't pass the diagnostic manager
6955 to dump_saved_diagnostics.
6956 (exploded_node::dump_saved_diagnostics): Drop param. Iterate
6957 directly through all saved diagnostics for the enode, rather
6958 than all saved diagnostics in the diagnostic_manager and
6959 filtering.
6960 (exploded_node::on_stmt): Make non-const.
6961 (exploded_node::on_edge): Likewise.
6962 (exploded_node::on_longjmp): Likewise.
6963 (exploded_node::detect_leaks): Likewise.
6964 (exploded_graph::get_or_create_node): Make enode_for_diag param
6965 non-const.
6966 (exploded_graph_annotator::print_enode): Iterate
6967 directly through all saved diagnostics for the enode, rather
6968 than all saved diagnostics in the diagnostic_manager and
6969 filtering.
6970 * exploded-graph.h
6971 (impl_region_model_context::impl_region_model_context): Make
6972 enode_for_diag param non-constant.
6973 (impl_region_model_context::m_enode_for_diag): Likewise.
6974 (exploded_node::dump_saved_diagnostics): Drop param.
6975 (exploded_node::on_stmt): Make non-const.
6976 (exploded_node::on_edge): Likewise.
6977 (exploded_node::on_longjmp): Likewise.
6978 (exploded_node::detect_leaks): Likewise.
6979 (exploded_node::add_diagnostic): New.
6980 (exploded_node::get_num_diagnostics): New.
6981 (exploded_node::get_saved_diagnostic): New.
6982 (exploded_node::m_saved_diagnostics): New.
6983 (exploded_graph::get_or_create_node): Make enode_for_diag param
6984 non-constant.
6985 * feasible-graph.cc (feasible_node::dump_dot): Drop
6986 diagnostic_manager from call to dump_saved_diagnostics.
6987 * program-state.cc (program_state::on_edge): Convert enode param
6988 to non-const pointer.
6989 (program_state::prune_for_point): Likewise for enode_for_diag
6990 param.
6991 * program-state.h (program_state::on_edge): Convert enode param
6992 to non-const pointer.
6993 (program_state::prune_for_point): Likewise for enode_for_diag
6994 param.
6995
95d217ab
GA		 69962021-03-31 David Malcolm <dmalcolm@redhat.com>
6997
6998 PR analyzer/99771
6999 * analyzer.cc (maybe_reconstruct_from_def_stmt): New.
7000 (fixup_tree_for_diagnostic_1): New.
7001 (fixup_tree_for_diagnostic): New.
7002 * analyzer.h (fixup_tree_for_diagnostic): New decl.
7003 * checker-path.cc (call_event::get_desc): Call
7004 fixup_tree_for_diagnostic and use it for the call_with_state call.
7005 (warning_event::get_desc): Likewise for the final_event and
7006 make_label_text calls.
7007 * engine.cc (impl_region_model_context::on_state_leak): Likewise
7008 for the on_leak and add_diagnostic calls.
7009 * region-model.cc (region_model::get_representative_tree):
7010 Likewise for the result.
7011
08d2edae
GA		 70122021-03-30 David Malcolm <dmalcolm@redhat.com>
7013
7014 * region.h (region::dump_to_pp): Remove old decl.
7015
70162021-03-30 David Malcolm <dmalcolm@redhat.com>
7017
7018 * sm-file.cc (fileptr_state_machine::on_stmt): Only call
7019 get_diagnostic_tree if the result will be used.
7020 * sm-malloc.cc (malloc_state_machine::on_stmt): Likewise.
7021 (malloc_state_machine::on_deallocator_call): Likewise.
7022 (malloc_state_machine::on_realloc_call): Likewise.
7023 (malloc_state_machine::on_realloc_call): Likewise.
7024 * sm-sensitive.cc
7025 (sensitive_state_machine::warn_for_any_exposure): Likewise.
7026 * sm-taint.cc (taint_state_machine::on_stmt): Likewise.
7027
4493b1c1
GA		 70282021-03-25 David Malcolm <dmalcolm@redhat.com>
7029
7030 PR analyzer/93695
7031 PR analyzer/99044
7032 PR analyzer/99716
7033 * engine.cc (exploded_node::on_stmt): Clear sm-state involving
7034 an SSA name at the def-stmt of that SSA name.
7035 * program-state.cc (sm_state_map::purge_state_involving): New.
7036 * program-state.h (sm_state_map::purge_state_involving): New decl.
7037 * region-model.cc (selftest::test_involves_p): New.
7038 (selftest::analyzer_region_model_cc_tests): Call it.
7039 * svalue.cc (class involvement_visitor): New class
7040 (svalue::involves_p): New.
7041 * svalue.h (svalue::involves_p): New decl.
7042
5f256a70
GA		 70432021-03-19 David Malcolm <dmalcolm@redhat.com>
7044
7045 PR analyzer/99614
7046 * diagnostic-manager.cc (class epath_finder): Add
7047 DISABLE_COPY_AND_ASSIGN.
7048
3c5b6d24
GA		 70492021-03-15 Martin Liska <mliska@suse.cz>
7050
7051 * sm-file.cc (get_file_using_fns): Add missing comma in initializer.
7052
48ff383f
GA		 70532021-03-11 David Malcolm <dmalcolm@redhat.com>
7054
7055 PR analyzer/96374
7056 * analyzer.opt (-param=analyzer-max-infeasible-edges=): New param.
7057 (fdump-analyzer-feasibility): New flag.
7058 * diagnostic-manager.cc: Include "analyzer/trimmed-graph.h" and
7059 "analyzer/feasible-graph.h".
7060 (epath_finder::epath_finder): Convert m_sep to a pointer and
7061 only create it if !flag_analyzer_feasibility.
7062 (epath_finder::~epath_finder): New.
7063 (epath_finder::m_sep): Convert to a pointer.
7064 (epath_finder::get_best_epath): Add param "diag_idx" and use it
7065 when logging. Rather than finding the shortest path and then
7066 checking feasibility, instead use explore_feasible_paths unless
7067 !flag_analyzer_feasibility, in which case simply use the shortest
7068 path, and note if it is infeasible. Update for m_sep becoming a
7069 pointer.
7070 (class feasible_worklist): New.
7071 (epath_finder::explore_feasible_paths): New.
7072 (epath_finder::process_worklist_item): New.
7073 (class dump_eg_with_shortest_path): New.
7074 (epath_finder::dump_trimmed_graph): New.
7075 (epath_finder::dump_feasible_graph): New.
7076 (saved_diagnostic::saved_diagnostic): Add "idx" param, using it
7077 on new field m_idx.
7078 (saved_diagnostic::to_json): Dump m_idx.
7079 (saved_diagnostic::calc_best_epath): Pass m_idx to get_best_epath.
7080 Remove assertion that m_problem was set when m_best_epath is NULL.
7081 (diagnostic_manager::add_diagnostic): Pass an index when created
7082 saved_diagnostic instances.
7083 * diagnostic-manager.h (saved_diagnostic::saved_diagnostic): Add
7084 "idx" param.
7085 (saved_diagnostic::get_index): New accessor.
7086 (saved_diagnostic::m_idx): New field.
7087 * engine.cc (exploded_node::dump_dot): Call args.dump_extra_info.
7088 Move code to...
7089 (exploded_node::dump_processed_stmts): ...this new function and...
7090 (exploded_node::dump_saved_diagnostics): ...this new function.
7091 Add index of each diagnostic.
7092 (exploded_edge::dump_dot): Move bulk of code to...
7093 (exploded_edge::dump_dot_label): ...this new function.
7094 * exploded-graph.h (eg_traits::dump_args_t::dump_extra_info): New
7095 vfunc.
7096 (exploded_node::dump_processed_stmts): New decl.
7097 (exploded_node::dump_saved_diagnostics): New decl.
7098 (exploded_edge::dump_dot_label): New decl.
7099 * feasible-graph.cc: New file.
7100 * feasible-graph.h: New file.
7101 * trimmed-graph.cc: New file.
7102 * trimmed-graph.h: New file.
7103
71042021-03-11 David Malcolm <dmalcolm@redhat.com>
7105
7106 * diagnostic-manager.cc (epath_finder::epath_finder):
7107 Update shortest_paths init for new param.
7108
e9800852
GA		 71092021-03-10 David Malcolm <dmalcolm@redhat.com>
7110
7111 PR analyzer/96374
7112 * engine.cc (exploded_path::feasible_p): Move "snodes_visited" and
7113 "model" locals into a new class feasibility_state. Move heart
7114 of per-edge processing into
7115 feasibility_state::maybe_update_for_edge.
7116 (feasibility_state::feasibility_state): New.
7117 (feasibility_state::maybe_update_for_edge): New, based on loop
7118 body in exploded_path::feasible_p.
7119 * exploded-graph.h (class feasibility_state): New.
7120
71212021-03-10 David Malcolm <dmalcolm@redhat.com>
7122
7123 * supergraph.h
7124 (callgraph_superedge::dyn_cast_callgraph_superedge): New.
7125 (call_superedge::dyn_cast_callgraph_superedge): Delete.
7126 (return_superedge::dyn_cast_callgraph_superedge): Delete.
7127
d97a92dc
GA		 71282021-03-02 Martin Liska <mliska@suse.cz>
7129
7130 * diagnostic-manager.cc (diagnostic_manager::emit_saved_diagnostics):
7131 Do not pass engine.
7132
06a9f20f
GA		 71332021-02-26 David Malcolm <dmalcolm@redhat.com>
7134
7135 * engine.cc (exploded_path::exploded_path): New copy-ctor.
7136 * exploded-graph.h (exploded_path::operator=): Drop decl.
7137
71382021-02-26 David Malcolm <dmalcolm@redhat.com>
7139
7140 PR analyzer/96374
7141 * diagnostic-manager.cc (class epath_finder): New.
7142 (epath_finder::get_best_epath): New.
7143 (saved_diagnostic::saved_diagnostic): Update for replacement of
7144 m_state and m_epath_length with m_best_epath.
7145 (saved_diagnostic::~saved_diagnostic): Delete m_best_epath.
7146 (saved_diagnostic::to_json): Update "path_length" to be optional.
7147 (saved_diagnostic::calc_best_epath): New, based on
7148 dedupe_winners::add and parts of dedupe_key::dedupe_key.
7149 (saved_diagnostic::get_epath_length): New.
7150 (saved_diagnostic::add_duplicate): New.
7151 (dedupe_key::dedupe_key): Drop epath param. Move invocation of
7152 stmt_finder to saved_diagnostic::calc_best_epath.
7153 (class dedupe_candidate): Delete.
7154 (class dedupe_hash_map_traits): Update to use saved_diagnotic *
7155 rather than dedupe_candidate * as the value_type/compare_type.
7156 (dedupe_winners::~dedupe_winners): Don't delete the values.
7157 (dedupe_winners::add): Convert param from shortest_exploded_paths to
7158 epath_finder. Drop "eg" param. Drop dedupe_candidate, moving
7159 path generation and feasiblity checking to
7160 epath_finder::get_best_epath. Update winner-selection for move
7161 of epaths from dedupe_candidate to saved_diagnostic.
7162 (dedupe_winners::emit_best): Update for removal of class
7163 dedupe_candidate.
7164 (dedupe_winners::map_t): Update to use saved_diagnotic * rather
7165 than dedupe_candidate * as the value_type/compare_type.
7166 (diagnostic_manager::emit_saved_diagnostics): Move
7167 shortest_exploded_paths instance into epath_finder and pass that
7168 around instead.
7169 (diagnostic_manager::emit_saved_diagnostic): Drop epath, stmt
7170 and num_dupes params, instead getting these from the
7171 saved_diagnostic. Use correct location in inform_n call.
7172 * diagnostic-manager.h (class epath_finder): New forward decl.
7173 (saved_diagnostic::status): Drop enum.
7174 (saved_diagnostic::set_feasible): Drop.
7175 (saved_diagnostic::set_infeasible): Drop.
7176 (saved_diagnostic::get_status): Drop.
7177 (saved_diagnostic::calc_best_epath): New decl.
7178 (saved_diagnostic::get_best_epath): New decl.
7179 (saved_diagnostic::get_epath_length): New decl.
7180 (saved_diagnostic::set_epath_length): Drop.
7181 (saved_diagnostic::get_epath_length): Drop inline implementation.
7182 (saved_diagnostic::add_duplicate): New.
7183 (saved_diagnostic::get_num_dupes): New.
7184 (saved_diagnostic::m_d): Document ownership.
7185 (saved_diagnostic::m_trailing_eedge): Make const.
7186 (saved_diagnostic::m_status): Drop field.
7187 (saved_diagnostic::m_epath_length): Drop field.
7188 (saved_diagnostic::m_best_epath): New field.
7189 (saved_diagnostic::m_problem): Document ownership.
7190 (saved_diagnostic::m_duplicates): New field.
7191 (diagnostic_manager::emit_saved_diagnostic): Drop params epath,
7192 stmt, and num_dupes.
7193 * engine.cc (exploded_graph_annotator::print_saved_diagnostic):
7194 Update for changes to saved_diagnostic class.
7195 * exploded-graph.h (exploded_path::feasible_p): Drop unused
7196 overloaded decl.
7197
daa68844
GA		 71982021-02-25 David Malcolm <dmalcolm@redhat.com>
7199
7200 PR analyzer/99193
7201 * region-model-impl-calls.cc (region_model::impl_call_realloc): New.
7202 * region-model.cc (region_model::on_call_pre): Call it.
7203 * region-model.h (region_model::impl_call_realloc): New decl.
7204 * sm-malloc.cc (enum wording): Add WORDING_REALLOCATED.
7205 (malloc_state_machine::m_realloc): New field.
7206 (use_after_free::describe_state_change): Add case for
7207 WORDING_REALLOCATED.
7208 (use_after_free::describe_final_event): Likewise.
7209 (malloc_state_machine::malloc_state_machine): Initialize
7210 m_realloc.
7211 (malloc_state_machine::on_stmt): Handle realloc by calling...
7212 (malloc_state_machine::on_realloc_call): New.
7213
2f5765cf
GA		 72142021-02-22 David Malcolm <dmalcolm@redhat.com>
7215
7216 PR analyzer/99196
7217 * engine.cc (exploded_node::on_stmt): Provide terminate_path
7218 flag as a way for on_call_pre to terminate the current analysis
7219 path.
7220 * region-model-impl-calls.cc (call_details::num_args): New.
7221 (region_model::impl_call_error): New.
7222 * region-model.cc (region_model::on_call_pre): Add param
7223 "out_terminate_path". Handle "error" and "error_at_line".
7224 * region-model.h (call_details::num_args): New decl.
7225 (region_model::on_call_pre): Add param "out_terminate_path".
7226 (region_model::impl_call_error): New decl.
7227
acc0ee5c
GA		 72282021-02-17 David Malcolm <dmalcolm@redhat.com>
7229
7230 PR analyzer/98969
7231 * constraint-manager.cc (dead_svalue_purger::should_purge_p):
7232 Update for change to svalue::live_p.
7233 * program-state.cc (sm_state_map::on_liveness_change): Likewise.
7234 (program_state::detect_leaks): Likewise.
7235 * region-model-reachability.cc (reachable_regions::init_cluster):
7236 When dealing with a symbolic region, if the underlying pointer is
7237 implicitly live, add the region to the reachable regions.
7238 * region-model.cc (region_model::compare_initial_and_pointer):
7239 Move logic for detecting initial values of params to
7240 initial_svalue::initial_value_of_param_p.
7241 * svalue.cc (svalue::live_p): Convert "live_svalues" from a
7242 reference to a pointer; support it being NULL.
7243 (svalue::implicitly_live_p): Convert first param from a
7244 refererence to a pointer.
7245 (region_svalue::implicitly_live_p): Likewise.
7246 (constant_svalue::implicitly_live_p): Likewise.
7247 (initial_svalue::implicitly_live_p): Likewise. Treat the initial
7248 values of params for the top level frame as still live.
7249 (initial_svalue::initial_value_of_param_p): New function, taken
7250 from a test in region_model::compare_initial_and_pointer.
7251 (unaryop_svalue::implicitly_live_p): Convert first param from a
7252 refererence to a pointer.
7253 (binop_svalue::implicitly_live_p): Likewise.
7254 (sub_svalue::implicitly_live_p): Likewise.
7255 (unmergeable_svalue::implicitly_live_p): Likewise.
7256 * svalue.h (svalue::live_p): Likewise.
7257 (svalue::implicitly_live_p): Likewise.
7258 (region_svalue::implicitly_live_p): Likewise.
7259 (constant_svalue::implicitly_live_p): Likewise.
7260 (initial_svalue::implicitly_live_p): Likewise.
7261 (initial_svalue::initial_value_of_param_p): New decl.
7262 (unaryop_svalue::implicitly_live_p): Convert first param from a
7263 refererence to a pointer.
7264 (binop_svalue::implicitly_live_p): Likewise.
7265 (sub_svalue::implicitly_live_p): Likewise.
7266 (unmergeable_svalue::implicitly_live_p): Likewise.
7267
fab095da
GA		 72682021-02-12 David Malcolm <dmalcolm@redhat.com>
7269
7270 PR analyzer/98969
7271 * engine.cc (readability): Add names for the various arbitrary
7272 values. Handle NOP_EXPR and INTEGER_CST.
7273 (readability_comparator): Combine the readability tests for
7274 tree and stack depth, rather than performing them sequentially.
7275 (impl_region_model_context::on_state_leak): Strip off top-level
7276 casts.
7277 * region-model.cc (region_model::get_representative_path_var): Add
7278 type-checking, moving the bulk of the implementation to...
7279 (region_model::get_representative_path_var_1): ...here. Respect
7280 types in casts by recursing and re-adding the cast, rather than
7281 merely stripping them off. Use the correct type when handling
7282 region_svalue.
7283 (region_model::get_representative_tree): Strip off any top-level
7284 cast.
7285 (region_model::get_representative_path_var): Add type-checking,
7286 moving the bulk of the implementation to...
7287 (region_model::get_representative_path_var_1): ...here.
7288 * region-model.h (region_model::get_representative_path_var_1):
7289 New decl
7290 (region_model::get_representative_path_var_1): New decl.
7291 * store.cc (append_pathvar_with_type): New.
7292 (binding_cluster::get_representative_path_vars): Cast path_vars
7293 to the correct type when adding them to *OUT_PVS.
7294
0a91b73e
GA		 72952021-02-09 David Malcolm <dmalcolm@redhat.com>
7296
7297 PR analyzer/98575
7298 * sm-file.cc (is_file_using_fn_p): Support "_IO_"-prefixed
7299 variants.
7300
73012021-02-09 David Malcolm <dmalcolm@redhat.com>
7302
7303 PR analyzer/98575
7304 * store.cc (store::set_value): Treat a pointer written to *UNKNOWN
7305 as having escaped.
7306
548b75d8
GA		 73072021-02-02 David Malcolm <dmalcolm@redhat.com>
7308
7309 PR analyzer/93355
7310 PR analyzer/96374
7311 * engine.cc (toplevel_function_p): Simplify so that
7312 we only reject functions with a "__analyzer_" prefix.
7313 (add_any_callbacks): Delete.
7314 (exploded_graph::build_initial_worklist): Update for
7315 dropped param of toplevel_function_p.
7316 (exploded_graph::build_initial_worklist): Don't bother
7317 looking for callbacks that are reachable from global
7318 initializers.
7319
f7884fb1
GA		 73202021-02-01 David Malcolm <dmalcolm@redhat.com>
7321
7322 PR analyzer/98918
7323 * region-model-manager.cc
7324 (region_model_manager::get_or_create_initial_value):
7325 Fold the initial value of *UNKNOWN_PTR to an UNKNOWN value.
7326 (region_model_manager::get_field_region): Fold the value
7327 of UNKNOWN_PTR->FIELD to *UNKNOWN_PTR_OF_&FIELD_TYPE.
7328
2900f2f2
GA		 73292021-01-29 David Malcolm <dmalcolm@redhat.com>
7330
7331 * checker-path.cc (event_kind_to_string): Handle
7332 EK_START_CONSOLIDATED_CFG_EDGES and
7333 EK_END_CONSOLIDATED_CFG_EDGES.
7334 (start_consolidated_cfg_edges_event::get_desc): New.
7335 (checker_path::cfg_edge_pair_at_p): New.
7336 * checker-path.h (enum event_kind): Add
7337 EK_START_CONSOLIDATED_CFG_EDGES and
7338 EK_END_CONSOLIDATED_CFG_EDGES.
7339 (class start_consolidated_cfg_edges_event): New class.
7340 (class end_consolidated_cfg_edges_event): New class.
7341 (checker_path::delete_events): New.
7342 (checker_path::replace_event): New.
7343 (checker_path::cfg_edge_pair_at_p): New decl.
7344 * diagnostic-manager.cc (diagnostic_manager::prune_path): Call
7345 consolidate_conditions.
7346 (same_line_as_p): New.
7347 (diagnostic_manager::consolidate_conditions): New.
7348 * diagnostic-manager.h
7349 (diagnostic_manager::consolidate_conditions): New decl.
7350
ef1f8ee6
GA		 73512021-01-18 David Malcolm <dmalcolm@redhat.com>
7352
7353 * analyzer.h (is_std_named_call_p): New decl.
7354 * diagnostic-manager.cc (path_builder::get_sm): New.
7355 (state_change_event_creator::state_change_event_creator): Add "pb"
7356 param.
7357 (state_change_event_creator::on_global_state_change): Don't consider
7358 state changes affecting other state_machines.
7359 (state_change_event_creator::on_state_change): Likewise.
7360 (state_change_event_creator::m_pb): New field.
7361 (diagnostic_manager::add_events_for_eedge): Pass pb to visitor
7362 ctor.
7363 * region-model-impl-calls.cc
7364 (region_model::impl_deallocation_call): New.
7365 * region-model.cc: Include "attribs.h".
7366 (region_model::on_call_post): Handle fndecls referenced by
7367 __attribute__((deallocated_by(FOO))).
7368 * region-model.h (region_model::impl_deallocation_call): New decl.
7369 * sm-malloc.cc: Include "stringpool.h" and "attribs.h". Add
7370 leading comment.
7371 (class api): Delete.
7372 (enum resource_state): Update comment for change from api to
7373 deallocator and deallocator_set.
7374 (allocation_state::allocation_state): Drop api param. Add
7375 "deallocators" and "deallocator".
7376 (allocation_state::m_api): Drop field in favor of...
7377 (allocation_state::m_deallocators): New field.
7378 (allocation_state::m_deallocator): New field.
7379 (enum wording): Add WORDING_DEALLOCATED.
7380 (struct deallocator): New.
7381 (struct standard_deallocator): New.
7382 (struct custom_deallocator): New.
7383 (struct deallocator_set): New.
7384 (struct custom_deallocator_set): New.
7385 (struct standard_deallocator_set): New.
7386 (struct deallocator_set_map_traits): New.
7387 (malloc_state_machine::m_malloc): Drop field
7388 (malloc_state_machine::m_scalar_new): Likewise.
7389 (malloc_state_machine::m_vector_new): Likewise.
7390 (malloc_state_machine::m_free): New field
7391 (malloc_state_machine::m_scalar_delete): Likewise.
7392 (malloc_state_machine::m_vector_delete): Likewise.
7393 (malloc_state_machine::deallocator_map_t): New typedef.
7394 (malloc_state_machine::m_deallocator_map): New field.
7395 (malloc_state_machine::deallocator_set_cache_t): New typedef.
7396 (malloc_state_machine::m_custom_deallocator_set_cache): New field.
7397 (malloc_state_machine::custom_deallocator_set_map_t): New typedef.
7398 (malloc_state_machine::m_custom_deallocator_set_map): New field.
7399 (malloc_state_machine::m_dynamic_sets): New field.
7400 (malloc_state_machine::m_dynamic_deallocators): New field.
7401 (api::api): Delete.
7402 (deallocator::deallocator): New ctor.
7403 (deallocator::hash): New.
7404 (deallocator::dump_to_pp): New.
7405 (deallocator::cmp): New.
7406 (deallocator::cmp_ptr_ptr): New.
7407 (standard_deallocator::standard_deallocator): New ctor.
7408 (deallocator_set::deallocator_set): New ctor.
7409 (deallocator_set::dump): New.
7410 (custom_deallocator_set::custom_deallocator_set): New ctor.
7411 (custom_deallocator_set::contains_p): New.
7412 (custom_deallocator_set::maybe_get_single): New.
7413 (custom_deallocator_set::dump_to_pp): New.
7414 (standard_deallocator_set::standard_deallocator_set): New ctor.
7415 (standard_deallocator_set::contains_p): New.
7416 (standard_deallocator_set::maybe_get_single): New.
7417 (standard_deallocator_set::dump_to_pp): New.
7418 (start_p): New.
7419 (class mismatching_deallocation): Update for conversion from api
7420 to deallocator_set and deallocator.
7421 (double_free::emit): Use %qs.
7422 (class use_after_free): Update for conversion from api to
7423 deallocator_set and deallocator.
7424 (malloc_leak::describe_state_change): Only emit "allocated here" on
7425 a start->nonnull transition, rather than on other transitions to
7426 nonnull.
7427 (allocation_state::dump_to_pp): Update for conversion from api to
7428 deallocator_set.
7429 (allocation_state::get_nonnull): Likewise.
7430 (malloc_state_machine::malloc_state_machine): Likewise.
7431 (malloc_state_machine::~malloc_state_machine): New.
7432 (malloc_state_machine::add_state): Update for conversion from api
7433 to deallocator_set.
7434 (malloc_state_machine::get_or_create_custom_deallocator_set): New.
7435 (malloc_state_machine::maybe_create_custom_deallocator_set): New.
7436 (malloc_state_machine::get_or_create_deallocator): New.
7437 (malloc_state_machine::on_stmt): Update for conversion from api
7438 to deallocator_set. Handle "__attribute__((malloc(FOO)))", and
7439 the special attribute set on FOO.
7440 (malloc_state_machine::on_allocator_call): Update for conversion
7441 from api to deallocator_set. Add "returns_nonnull" param and use
7442 it to affect which state to transition to.
7443 (malloc_state_machine::on_deallocator_call): Update for conversion
7444 from api to deallocator_set.
7445
5fff80fd
GA		 74462021-01-14 David Malcolm <dmalcolm@redhat.com>
7447
7448 * engine.cc (strongly_connected_components::to_json): New.
7449 (worklist::to_json): New.
7450 (exploded_graph::to_json): JSON-ify the worklist.
7451 * exploded-graph.h (strongly_connected_components::to_json): New
7452 decl.
7453 (worklist::to_json): New decl.
7454 * store.cc (store::to_json): Fix comment.
7455 * supergraph.cc (supernode::to_json): Fix reference to
7456 "returning_call" in comment. Add optional "fun" to JSON.
7457 (edge_kind_to_string): New.
7458 (superedge::to_json): Add "kind" to JSON.
7459
74602021-01-14 David Malcolm <dmalcolm@redhat.com>
7461
7462 PR analyzer/98679
7463 * analyzer.h (region_offset::operator==): Make const.
7464 * pending-diagnostic.h (pending_diagnostic::equal_p): Likewise.
7465 * store.h (binding_cluster::for_each_value): Likewise.
7466 (binding_cluster::for_each_binding): Likewise.
7467
6851dda2
GA		 74682021-01-12 David Malcolm <dmalcolm@redhat.com>
7469
7470 PR analyzer/98628
7471 * store.cc (binding_cluster::make_unknown_relative_to): Don't mark
7472 dereferenced unknown pointers as having escaped.
7473
7d187e4f
GA		 74742021-01-07 David Malcolm <dmalcolm@redhat.com>
7475
7476 PR analyzer/98580
7477 * region.cc (decl_region::get_svalue_for_initializer): Gracefully
7478 handle when LTO writes out DECL_INITIAL as error_mark_node.
7479
74802021-01-07 David Malcolm <dmalcolm@redhat.com>
7481
7482 PR analyzer/97074
7483 * store.cc (binding_cluster::can_merge_p): Add "out_store" param
7484 and pass to calls to binding_cluster::make_unknown_relative_to.
7485 (binding_cluster::make_unknown_relative_to): Add "out_store"
7486 param. Use it to mark base regions that are pointed to by
7487 pointers that become unknown as having escaped.
7488 (store::can_merge_p): Pass out_store to
7489 binding_cluster::can_merge_p.
7490 * store.h (binding_cluster::can_merge_p): Add "out_store" param.
7491 (binding_cluster::make_unknown_relative_to): Likewise.
7492 * svalue.cc (region_svalue::implicitly_live_p): New vfunc.
7493 * svalue.h (region_svalue::implicitly_live_p): New vfunc decl.
7494
74952021-01-07 David Malcolm <dmalcolm@redhat.com>
7496
7497 PR analyzer/98564
7498 * engine.cc (exploded_path::feasible_p): Add missing call to
7499 bitmap_clear.
7500
942ae5be
GA		 75012021-01-06 David Malcolm <dmalcolm@redhat.com>
7502
7503 PR analyzer/97072
7504 * region-model-reachability.cc (reachable_regions::init_cluster):
7505 Convert symbolic region handling to a switch statement. Add cases
7506 to handle SK_UNKNOWN and SK_CONJURED.
7507
651b8a50
GA		 75082021-01-05 David Malcolm <dmalcolm@redhat.com>
7509
7510 PR analyzer/98293
7511 * store.cc (binding_map::apply_ctor_to_region): When "index" is
7512 NULL, iterate through the fields for RECORD_TYPEs, rather than
7513 creating an INTEGER_CST index.
7514
94358e47
GA		 75152020-11-30 David Malcolm <dmalcolm@redhat.com>
7516
7517 * analyzer-pass.cc: Include "analyzer/analyzer.h" for the
7518 declaration of sorry_no_analyzer; include "tree.h" and
7519 "function.h" as these are needed by it.
7520
75212020-11-30 David Malcolm <dmalcolm@redhat.com>
7522
7523 * analyzer-pass.cc (pass_analyzer::execute): Move sorry call to...
7524 (sorry_no_analyzer): New.
7525 * analyzer.h (class state_machine): New forward decl.
7526 (class logger): New forward decl.
7527 (class plugin_analyzer_init_iface): New.
7528 (sorry_no_analyzer): New decl.
7529 * checker-path.cc (checker_path::fixup_locations): New.
7530 * checker-path.h (checker_event::set_location): New.
7531 (checker_path::fixup_locations): New decl.
7532 * diagnostic-manager.cc
7533 (diagnostic_manager::emit_saved_diagnostic): Call
7534 checker_path::fixup_locations, and call fixup_location
7535 on the primary location.
7536 * engine.cc: Include "plugin.h".
7537 (class plugin_analyzer_init_impl): New.
7538 (impl_run_checkers): Invoke PLUGIN_ANALYZER_INIT callbacks.
7539 * pending-diagnostic.h (pending_diagnostic::fixup_location): New
7540 vfunc.
7541
25bb75f8
GA		 75422020-11-18 David Malcolm <dmalcolm@redhat.com>
7543
7544 PR analyzer/97893
7545 * sm-malloc.cc (null_deref::emit): Use CWE-476 rather than
7546 CWE-690, as this isn't due to an unchecked return value.
7547 (null_arg::emit): Likewise.
7548
a5a11525
GA		 75492020-11-12 David Malcolm <dmalcolm@redhat.com>
7550
7551 * checker-path.h (checker_event::get_id_ptr): New.
7552 * diagnostic-manager.cc (path_builder::path_builder): Add "sd"
7553 param and use it to initialize new field "m_sd".
7554 (path_builder::get_pending_diagnostic): New.
7555 (path_builder::m_sd): New field.
7556 (diagnostic_manager::emit_saved_diagnostic): Pass sd to
7557 path_builder ctor.
7558 (diagnostic_manager::add_events_for_superedge): Call new
7559 maybe_add_custom_events_for_superedge vfunc.
7560 * engine.cc (stale_jmp_buf::stale_jmp_buf): Add "setjmp_point"
7561 param and use it to initialize new field "m_setjmp_point".
7562 Initialize new field "m_stack_pop_event".
7563 (stale_jmp_buf::maybe_add_custom_events_for_superedge): New vfunc
7564 implementation.
7565 (stale_jmp_buf::describe_final_event): New vfunc implementation.
7566 (stale_jmp_buf::m_setjmp_point): New field.
7567 (stale_jmp_buf::m_stack_pop_event): New field.
7568 (exploded_node::on_longjmp): Pass setjmp_point to stale_jmp_buf
7569 ctor.
7570 * pending-diagnostic.h
7571 (pending_diagnostic::maybe_add_custom_events_for_superedge): New
7572 vfunc.
7573
75742020-11-12 David Malcolm <dmalcolm@redhat.com>
7575
7576 PR tree-optimization/97424
7577 * analyzer.opt (Wanalyzer-shift-count-negative): New.
7578 (Wanalyzer-shift-count-overflow): New.
7579 * region-model.cc (class shift_count_negative_diagnostic): New.
7580 (class shift_count_overflow_diagnostic): New.
7581 (region_model::get_gassign_result): Complain about shift counts that
7582 are negative or are >= the operand's type's width.
7583
bb622641
GA		 75842020-11-10 Martin Liska <mliska@suse.cz>
7585
7586 * constraint-manager.cc (constraint_manager::merge): Remove
7587 unused code.
7588 * constraint-manager.h: Likewise.
7589 * program-state.cc (sm_state_map::sm_state_map): Likewise.
7590 (program_state::program_state): Likewise.
7591 (test_sm_state_map): Likewise.
7592 * program-state.h: Likewise.
7593 * region-model-reachability.cc (reachable_regions::reachable_regions): Likewise.
7594 * region-model-reachability.h: Likewise.
7595 * region-model.cc (region_model::handle_unrecognized_call): Likewise.
7596 (region_model::get_reachable_svalues): Likewise.
7597 (region_model::can_merge_with_p): Likewise.
7598
0cfd9109
GA		 75992020-11-05 David Malcolm <dmalcolm@redhat.com>
7600
7601 PR analyzer/97668
7602 * svalue.cc (cmp_cst): Handle COMPLEX_CST.
7603
e93aae4a
GA		 76042020-10-29 David Malcolm <dmalcolm@redhat.com>
7605
7606 * program-state.cc (sm_state_map::on_liveness_change): Sort the
7607 leaking svalues before calling on_state_leak.
7608 (program_state::detect_leaks): Likewise when calling
7609 on_svalue_leak.
7610 * region-model-reachability.cc
7611 (reachable_regions::mark_escaped_clusters): Likewise when
7612 calling on_escaped_function.
7613
76142020-10-29 David Malcolm <dmalcolm@redhat.com>
7615
7616 PR analyzer/97608
7617 * region-model-reachability.cc (reachable_regions::handle_sval):
7618 Operands of reachable reversible operations are reachable.
7619
76202020-10-29 David Malcolm <dmalcolm@redhat.com>
7621
7622 * analyzer.h (class state_machine): New forward decl.
7623 (class logger): Likewise.
7624 (class visitor): Likewise.
7625 * complexity.cc: New file, taken from svalue.cc.
7626 * complexity.h: New file, taken from region-model.h.
7627 * region-model.h: Include "analyzer/svalue.h" and
7628 "analyzer/region.h". Move struct complexity to complexity.h.
7629 Move svalue, its subclasses and supporting decls to svalue.h.
7630 Move region, its subclasses and supporting decls to region.h.
7631 * region.cc: Include "analyzer/region.h".
7632 (symbolic_region::symbolic_region): Move here from region-model.h.
7633 * region.h: New file, based on material from region-model.h.
7634 * svalue.cc: Include "analyzer/svalue.h".
7635 (complexity::complexity): Move to complexity.cc.
7636 (complexity::from_pair): Likewise.
7637 * svalue.h: New file, based on material from region-model.h.
7638
76392020-10-29 David Malcolm <dmalcolm@redhat.com>
7640
7641 * program-state.cc (sm_state_map::print): Guard the printing of
7642 the origin pointer with !flag_dump_noaddr.
7643 * region.cc (string_region::dump_to_pp): Likewise for
7644 m_string_cst.
7645
89bb01e7
GA		 76462020-10-27 David Malcolm <dmalcolm@redhat.com>
7647
7648 PR analyzer/97568
7649 * region-model.cc (region_model::get_initial_value_for_global):
7650 Move check that !DECL_EXTERNAL from here to...
7651 * region.cc (decl_region::get_svalue_for_initializer): ...here,
7652 using it to reject zero initialization.
7653
76542020-10-27 Markus Böck <markus.boeck02@gmail.com>
7655
7656 PR analyzer/96608
7657 * store.h (hash): Cast to intptr_t instead of long
7658
76592020-10-27 David Malcolm <dmalcolm@redhat.com>
7660
7661 * constraint-manager.cc (svalue_cmp_by_ptr): Delete.
7662 (equiv_class::canonicalize): Use svalue::cmp_ptr_ptr instead.
7663 (equiv_class_cmp): Eliminate pointer comparison.
7664 * diagnostic-manager.cc (dedupe_key::comparator): If they are at
7665 the same location, also compare epath ength and pending_diagnostic
7666 kind.
7667 * engine.cc (readability_comparator): If two path_vars have the
7668 same readability, then impose an arbitrary ordering on them.
7669 (worklist::key_t::cmp): If two points have the same plan ordering,
7670 continue the comparison. Call sm_state_map::cmp rather than
7671 comparing hash values.
7672 * program-state.cc (sm_state_map::entry_t::cmp): New.
7673 (sm_state_map::cmp): New.
7674 * program-state.h (sm_state_map::entry_t::cmp): New decl.
7675 (sm_state_map::elements): New.
7676 (sm_state_map::cmp): New.
7677
76782020-10-27 David Malcolm <dmalcolm@redhat.com>
7679
7680 * engine.cc (setjmp_record::cmp): New.
7681 (supernode_cluster::dump_dot): Avoid embedding pointer in cluster
7682 name.
7683 (supernode_cluster::cmp_ptr_ptr): New.
7684 (function_call_string_cluster::dump_dot): Avoid embedding pointer
7685 in cluster name. Sort m_map when dumping child clusters.
7686 (function_call_string_cluster::cmp_ptr_ptr): New.
7687 (root_cluster::dump_dot): Sort m_map when dumping child clusters.
7688 * program-point.cc (function_point::cmp): New.
7689 (function_point::cmp_ptr): New.
7690 * program-point.h (function_point::cmp): New decl.
7691 (function_point::cmp_ptr): New decl.
7692 * program-state.cc (sm_state_map::print): Sort the values. Guard
7693 the printing of pointers with !flag_dump_noaddr.
7694 (program_state::prune_for_point): Sort the regions.
7695 (log_set_of_svalues): Sort the values. Guard the printing of
7696 pointers with !flag_dump_noaddr.
7697 * region-model-manager.cc (log_uniq_map): Sort the values.
7698 * region-model-reachability.cc (dump_set): New function template.
7699 (reachable_regions::dump_to_pp): Use it.
7700 * region-model.h (svalue::cmp_ptr): New decl.
7701 (svalue::cmp_ptr_ptr): New decl.
7702 (setjmp_record::cmp): New decl.
7703 (placeholder_svalue::get_name): New accessor.
7704 (widening_svalue::get_point): New accessor.
7705 (compound_svalue::get_map): New accessor.
7706 (conjured_svalue::get_stmt): New accessor.
7707 (conjured_svalue::get_id_region): New accessor.
7708 (region::cmp_ptrs): Rename to...
7709 (region::cmp_ptr_ptr): ...this.
7710 * region.cc (region::cmp_ptrs): Rename to...
7711 (region::cmp_ptr_ptr): ...this.
7712 * state-purge.cc
7713 (state_purge_per_ssa_name::state_purge_per_ssa_name): Sort
7714 m_points_needing_name when dumping.
7715 * store.cc (concrete_binding::cmp_ptr_ptr): New.
7716 (symbolic_binding::cmp_ptr_ptr): New.
7717 (binding_map::cmp): New.
7718 (get_sorted_parent_regions): Update for renaming of
7719 region::cmp_ptrs to region::cmp_ptr_ptr.
7720 (store::dump_to_pp): Likewise.
7721 (store::to_json): Likewise.
7722 (store::can_merge_p): Sort the base regions before considering
7723 them.
7724 * store.h (concrete_binding::cmp_ptr_ptr): New decl.
7725 (symbolic_binding::cmp_ptr_ptr): New decl.
7726 (binding_map::cmp): New decl.
7727 * supergraph.cc (supergraph::supergraph): Assign UIDs to the
7728 gimple stmts.
7729 * svalue.cc (cmp_cst): New.
7730 (svalue::cmp_ptr): New.
7731 (svalue::cmp_ptr_ptr): New.
7732
77332020-10-27 David Malcolm <dmalcolm@redhat.com>
7734
7735 * engine.cc (exploded_graph::get_or_create_node): Fix off-by-one
7736 when imposing param_analyzer_max_enodes_per_program_point limit.
7737
77382020-10-27 David Malcolm <dmalcolm@redhat.com>
7739
7740 * region-model.cc (region_model::get_representative_path_var):
7741 Implement case RK_LABEL.
7742 * region-model.h (label_region::get_label): New accessor.
7743
43868df3
GA		 77442020-10-22 David Malcolm <dmalcolm@redhat.com>
7745
7746 PR analyzer/97514
7747 * engine.cc (exploded_graph::add_function_entry): Handle failure
7748 to create an enode, rather than asserting.
7749
77502020-10-22 David Malcolm <dmalcolm@redhat.com>
7751
7752 PR analyzer/97489
7753 * engine.cc (exploded_graph::add_function_entry): Assert that we
7754 have a function body.
7755 (exploded_graph::on_escaped_function): Reject fndecls that don't
7756 have a function body.
7757
b2698c21
GA		 77582020-10-14 David Malcolm <dmalcolm@redhat.com>
7759
7760 PR analyzer/93388
7761 * region-model.cc (region_model::get_initial_value_for_global):
7762 Fall back to returning an initial_svalue if
7763 decl_region::get_svalue_for_initializer fails.
7764 * region.cc (decl_region::get_svalue_for_initializer): Don't
7765 attempt to create a compound_svalue if the region has an unknown
7766 size.
7767
77682020-10-14 David Malcolm <dmalcolm@redhat.com>
7769
7770 PR analyzer/93723
7771 * store.cc (binding_map::apply_ctor_to_region): Remove redundant
7772 assertion.
7773
8be127ca
GA		 77742020-10-12 David Malcolm <dmalcolm@redhat.com>
7775
7776 PR analyzer/97258
7777 * engine.cc (impl_region_model_context::on_escaped_function): New
7778 vfunc.
7779 (exploded_graph::add_function_entry): Use m_functions_with_enodes
7780 to implement idempotency.
7781 (add_any_callbacks): New.
7782 (exploded_graph::build_initial_worklist): Use the above to find
7783 callbacks that are reachable from global initializers.
7784 (exploded_graph::on_escaped_function): New.
7785 * exploded-graph.h
7786 (impl_region_model_context::on_escaped_function): New decl.
7787 (exploded_graph::on_escaped_function): New decl.
7788 (exploded_graph::m_functions_with_enodes): New field.
7789 * region-model-reachability.cc
7790 (reachable_regions::reachable_regions): Replace "store" param with
7791 "model" param; use it to initialize m_model.
7792 (reachable_regions::add): When getting the svalue for the region,
7793 call get_store_value on the model rather than using an initial
7794 value.
7795 (reachable_regions::mark_escaped_clusters): Add ctxt param and
7796 use it to call on_escaped_function when a function_region escapes.
7797 * region-model-reachability.h
7798 (reachable_regions::reachable_regions): Replace "store" param with
7799 "model" param.
7800 (reachable_regions::mark_escaped_clusters): Add ctxt param.
7801 (reachable_regions::m_model): New field.
7802 * region-model.cc (region_model::handle_unrecognized_call): Update
7803 for change in reachable_regions ctor.
7804 (region_model::handle_unrecognized_call): Pass ctxt to
7805 mark_escaped_clusters.
7806 (region_model::get_reachable_svalues): Update for change in
7807 reachable_regions ctor.
7808 (region_model::get_initial_value_for_global): Read-only variables
7809 keep their initial values.
7810 * region-model.h (region_model_context::on_escaped_function): New
7811 vfunc.
7812 (noop_region_model_context::on_escaped_function): New.
7813
78142020-10-12 David Malcolm <dmalcolm@redhat.com>
7815
7816 * analyzer.opt (Wanalyzer-write-to-const): New.
7817 (Wanalyzer-write-to-string-literal): New.
7818 * region-model-impl-calls.cc (region_model::impl_call_memcpy):
7819 Call check_for_writable_region.
7820 (region_model::impl_call_memset): Likewise.
7821 (region_model::impl_call_strcpy): Likewise.
7822 * region-model.cc (class write_to_const_diagnostic): New.
7823 (class write_to_string_literal_diagnostic): New.
7824 (region_model::check_for_writable_region): New.
7825 (region_model::set_value): Call check_for_writable_region.
7826 * region-model.h (region_model::check_for_writable_region): New
7827 decl.
7828
6caec77e
GA		 78292020-10-07 David Malcolm <dmalcolm@redhat.com>
7830
7831 PR analyzer/97116
7832 * sm-malloc.cc (method_p): New.
7833 (describe_argument_index): New.
7834 (inform_nonnull_attribute): Use describe_argument_index.
7835 (possible_null_arg::describe_final_event): Likewise.
7836 (null_arg::describe_final_event): Likewise.
7837
93bca37c
GA		 78382020-09-29 David Malcolm <dmalcolm@redhat.com>
7839
7840 PR analyzer/95188
7841 * engine.cc (stmt_requires_new_enode_p): Split enodes before
7842 "signal" calls.
7843
78442020-09-29 David Malcolm <dmalcolm@redhat.com>
7845
7846 * constraint-manager.cc
7847 (constraint_manager::add_constraint_internal): Whitespace fixes.
7848 Silence -Wsign-compare warning.
7849 * engine.cc (maybe_process_run_of_before_supernode_enodes):
7850 Silence -Wsign-compare warning.
7851
e84761c6
GA		 78522020-09-28 David Malcolm <dmalcolm@redhat.com>
7853
7854 * region-model.h (binop_svalue::dyn_cast_binop_svalue): Remove
7855 redundant "virtual". Add FINAL OVERRIDE.
7856 (widening_svalue::dyn_cast_widening_svalue): Add FINAL OVERRIDE.
7857 (compound_svalue::dyn_cast_compound_svalue): Likewise.
7858 (conjured_svalue::dyn_cast_conjured_svalue): Likewise.
7859
78602020-09-28 David Malcolm <dmalcolm@redhat.com>
7861
7862 * diagnostic-manager.cc (null_assignment_sm_context::m_visitor):
7863 Remove unused field.
7864
78652020-09-28 David Malcolm <dmalcolm@redhat.com>
7866
7867 PR analyzer/97233
7868 * analyzer.cc (is_longjmp_call_p): Require the initial argument
7869 to be a pointer.
7870 * engine.cc (exploded_node::on_longjmp): Likewise.
7871
78722020-09-28 David Malcolm <dmalcolm@redhat.com>
7873
7874 * program-state.cc (sm_state_map::print): Update check
7875 for m_global_state being the start state.
7876
91dd4a38
GA		 78772020-09-26 David Malcolm <dmalcolm@redhat.com>
7878
7879 PR analyzer/96646
7880 PR analyzer/96841
7881 * region-model.cc (region_model::get_representative_path_var):
7882 When handling offset_region, wrap the MEM_REF's first argument in
7883 an ADDR_EXPR of pointer type, rather than simply using the tree
7884 for the parent region. Require the MEM_REF's second argument to
7885 be an integer constant.
7886
a2b7397b
GA		 78872020-09-24 David Malcolm <dmalcolm@redhat.com>
7888
7889 * analyzer.h (struct rejected_constraint): New decl.
7890 * analyzer.opt (fanalyzer-feasibility): New option.
7891 * diagnostic-manager.cc (path_builder::path_builder): Add
7892 "problem" param and use it to initialize new field.
7893 (path_builder::get_feasibility_problem): New accessor.
7894 (path_builder::m_feasibility_problem): New field.
7895 (dedupe_winners::add): Remove inversion of logic in "if" clause,
7896 swapping if/else suites. In the !feasible_p suite, inspect
7897 flag_analyzer_feasibility and add code to handle when this
7898 is off, accepting the infeasible path, but recording the
7899 feasibility_problem.
7900 (diagnostic_manager::emit_saved_diagnostic): Pass the
7901 feasibility_problem to the path_builder.
7902 (diagnostic_manager::add_events_for_eedge): If we have
7903 a feasibility_problem at this edge, use it to add a custom event.
7904 * engine.cc (exploded_path::feasible_p): Pass a
7905 rejected_constraint ** to model.maybe_update_for_edge and transfer
7906 ownership of any created instance to any feasibility_problem.
7907 (feasibility_problem::dump_to_pp): New.
7908 * exploded-graph.h (feasibility_problem::feasibility_problem):
7909 Drop "model" param; add rejected_constraint * param.
7910 (feasibility_problem::~feasibility_problem): New.
7911 (feasibility_problem::dump_to_pp): New decl.
7912 (feasibility_problem::m_model): Drop field.
7913 (feasibility_problem::m_rc): New field.
7914 * program-point.cc (function_point::get_location): Handle
7915 PK_BEFORE_SUPERNODE and PK_AFTER_SUPERNODE.
7916 * program-state.cc (program_state::on_edge): Pass NULL to new
7917 param of region_model::maybe_update_for_edge.
7918 * region-model.cc (region_model::add_constraint): New overload
7919 adding a rejected_constraint ** param.
7920 (region_model::maybe_update_for_edge): Add rejected_constraint **
7921 param and pass it to the various apply_constraints_for_ calls.
7922 (region_model::apply_constraints_for_gcond): Add
7923 rejected_constraint ** param and pass it to add_constraint calls.
7924 (region_model::apply_constraints_for_gswitch): Likewise.
7925 (region_model::apply_constraints_for_exception): Likewise.
7926 (rejected_constraint::dump_to_pp): New.
7927 * region-model.h (region_model::maybe_update_for_edge):
7928 Add rejected_constraint ** param.
7929 (region_model::add_constraint): New overload adding a
7930 rejected_constraint ** param.
7931 (region_model::apply_constraints_for_gcond): Add
7932 rejected_constraint ** param.
7933 (region_model::apply_constraints_for_gswitch): Likewise.
7934 (region_model::apply_constraints_for_exception): Likewise.
7935 (struct rejected_constraint): New.
7936
82b77dee
GA		 79372020-09-23 David Malcolm <dmalcolm@redhat.com>
7938
7939 PR analyzer/97178
7940 * engine.cc (impl_run_checkers): Update for change to ext_state
7941 ctor.
7942 * program-state.cc (selftest::test_sm_state_map): Pass an engine
7943 instance to ext_state ctor.
7944 (selftest::test_program_state_1): Likewise.
7945 (selftest::test_program_state_2): Likewise.
7946 (selftest::test_program_state_merging): Likewise.
7947 (selftest::test_program_state_merging_2): Likewise.
7948 * program-state.h (extrinsic_state::extrinsic_state): Remove NULL
7949 default value for "eng" param.
7950
79512020-09-23 Tobias Burnus <tobias@codesourcery.com>
7952
7953 * analyzer-logging.cc: Guard '#pragma ... ignored "-Wformat-diag"'
7954 by '#if __GNUC__ >= 10'
7955 * analyzer.h: Likewise.
7956 * call-string.cc: Likewise.
7957
79582020-09-23 David Malcolm <dmalcolm@redhat.com>
7959
7960 * engine.cc (exploded_node::on_stmt): Replace sequence of dyn_cast
7961 with switch.
7962
521d2711
GA		 79632020-09-22 David Malcolm <dmalcolm@redhat.com>
7964
7965 * analysis-plan.cc: Include "json.h".
7966 * analyzer.opt (fdump-analyzer-json): New.
7967 * call-string.cc: Include "json.h".
7968 (call_string::to_json): New.
7969 * call-string.h (call_string::to_json): New decl.
7970 * checker-path.cc: Include "json.h".
7971 * constraint-manager.cc: Include "json.h".
7972 (equiv_class::to_json): New.
7973 (constraint::to_json): New.
7974 (constraint_manager::to_json): New.
7975 * constraint-manager.h (equiv_class::to_json): New decl.
7976 (constraint::to_json): New decl.
7977 (constraint_manager::to_json): New decl.
7978 * diagnostic-manager.cc: Include "json.h".
7979 (saved_diagnostic::to_json): New.
7980 (diagnostic_manager::to_json): New.
7981 * diagnostic-manager.h (saved_diagnostic::to_json): New decl.
7982 (diagnostic_manager::to_json): New decl.
7983 * engine.cc: Include "json.h", <zlib.h>.
7984 (exploded_node::status_to_str): New.
7985 (exploded_node::to_json): New.
7986 (exploded_edge::to_json): New.
7987 (exploded_graph::to_json): New.
7988 (dump_analyzer_json): New.
7989 (impl_run_checkers): Call it.
7990 * exploded-graph.h (exploded_node::status_to_str): New decl.
7991 (exploded_node::to_json): New.
7992 (exploded_edge::to_json): New.
7993 (exploded_graph::to_json): New.
7994 * pending-diagnostic.cc: Include "json.h".
7995 * program-point.cc: Include "json.h".
7996 (program_point::to_json): New.
7997 * program-point.h (program_point::to_json): New decl.
7998 * program-state.cc: Include "json.h".
7999 (extrinsic_state::to_json): New.
8000 (sm_state_map::to_json): New.
8001 (program_state::to_json): New.
8002 * program-state.h (extrinsic_state::to_json): New decl.
8003 (sm_state_map::to_json): New decl.
8004 (program_state::to_json): New decl.
8005 * region-model-impl-calls.cc: Include "json.h".
8006 * region-model-manager.cc: Include "json.h".
8007 * region-model-reachability.cc: Include "json.h".
8008 * region-model.cc: Include "json.h".
8009 * region-model.h (svalue::to_json): New decl.
8010 (region::to_json): New decl.
8011 * region.cc: Include "json.h".
8012 (region::to_json: New.
8013 * sm-file.cc: Include "json.h".
8014 * sm-malloc.cc: Include "json.h".
8015 * sm-pattern-test.cc: Include "json.h".
8016 * sm-sensitive.cc: Include "json.h".
8017 * sm-signal.cc: Include "json.h".
8018 (signal_delivery_edge_info_t::to_json): New.
8019 * sm-taint.cc: Include "json.h".
8020 * sm.cc: Include "diagnostic.h", "tree-diagnostic.h", and
8021 "json.h".
8022 (state_machine::state::to_json): New.
8023 (state_machine::to_json): New.
8024 * sm.h (state_machine::state::to_json): New.
8025 (state_machine::to_json): New.
8026 * state-purge.cc: Include "json.h".
8027 * store.cc: Include "json.h".
8028 (binding_key::get_desc): New.
8029 (binding_map::to_json): New.
8030 (binding_cluster::to_json): New.
8031 (store::to_json): New.
8032 * store.h (binding_key::get_desc): New decl.
8033 (binding_map::to_json): New decl.
8034 (binding_cluster::to_json): New decl.
8035 (store::to_json): New decl.
8036 * supergraph.cc: Include "json.h".
8037 (supergraph::to_json): New.
8038 (supernode::to_json): New.
8039 (superedge::to_json): New.
8040 * supergraph.h (supergraph::to_json): New decl.
8041 (supernode::to_json): New decl.
8042 (superedge::to_json): New decl.
8043 * svalue.cc: Include "json.h".
8044 (svalue::to_json): New.
8045
44135373
GA		 80462020-09-21 David Malcolm <dmalcolm@redhat.com>
8047
8048 PR analyzer/97130
8049 * region-model-impl-calls.cc (call_details::get_arg_type): New.
8050 * region-model.cc (region_model::on_call_pre): Check that the
8051 initial arg is a pointer before calling impl_call_memset and
8052 impl_call_strlen.
8053 * region-model.h (call_details::get_arg_type): New decl.
8054
80552020-09-21 David Malcolm <dmalcolm@redhat.com>
8056
8057 PR analyzer/93355
8058 * sm-malloc.cc (malloc_state_machine::get_default_state): Look at
8059 the base region when considering pointers. Treat pointers to
8060 decls as being non-heap.
8061
239601c5
GA		 80622020-09-18 David Malcolm <dmalcolm@redhat.com>
8063
8064 * checker-path.cc (warning_event::get_desc): Handle global state
8065 changes.
8066
80672020-09-18 David Malcolm <dmalcolm@redhat.com>
8068
8069 * sm-malloc.cc (malloc_state_machine::on_stmt): Handle strdup and
8070 strndup as being malloc-like allocators.
8071
ecde1b0a
GA		 80722020-09-16 David Malcolm <dmalcolm@redhat.com>
8073
8074 * engine.cc (strongly_connected_components::strong_connect): Only
8075 consider intraprocedural edges when creating SCCs.
8076 (worklist::key_t::cmp): Add comment. Treat call_string
8077 differences as more important than differences of program_point
8078 within a supernode.
8079
80802020-09-16 David Malcolm <dmalcolm@redhat.com>
8081
8082 * engine.cc (supernode_cluster::dump_dot): Show the SCC id
8083 in the per-supernode clusters in FILENAME.eg.dot output.
8084 (exploded_graph_annotator::add_node_annotations):
8085 Show the SCC of the supernode in FILENAME.supernode.eg.dot output.
8086 * exploded-graph.h (worklist::scc_id): New.
8087 (exploded_graph::get_scc_id): New.
8088
80892020-09-16 David Malcolm <dmalcolm@redhat.com>
8090
8091 * engine.cc (exploded_node::dump_dot): Show STATUS_BULK_MERGED.
8092 (exploded_graph::process_worklist): Call
8093 maybe_process_run_of_before_supernode_enodes.
8094 (exploded_graph::maybe_process_run_of_before_supernode_enodes):
8095 New.
8096 (exploded_graph_annotator::print_enode): Show STATUS_BULK_MERGED.
8097 * exploded-graph.h (enum exploded_node::status): Add
8098 STATUS_BULK_MERGED.
8099
81002020-09-16 David Malcolm <dmalcolm@redhat.com>
8101
8102 * engine.cc
8103 (exploded_graph::process_node) <case PK_BEFORE_SUPERNODE>:
8104 Simplify by using program_point::get_next.
8105 * program-point.cc (program_point::get_next): New.
8106 * program-point.h (program_point::get_next): New decl.
8107
81082020-09-16 David Malcolm <dmalcolm@redhat.com>
8109
8110 * engine.cc (exploded_graph::get_or_create_node): Show the
8111 program point when issuing -Wanalyzer-too-complex due to hitting
8112 the per-program-point limit.
8113
81142020-09-16 David Malcolm <dmalcolm@redhat.com>
8115
8116 * region-model.cc (region_model::on_call_pre): Treat getchar as
8117 having no side-effects.
8118
9f7ab8c5
GA		 81192020-09-15 David Malcolm <dmalcolm@redhat.com>
8120
8121 PR analyzer/96650
8122 * constraint-manager.cc (merger_fact_visitor::on_fact): Replace
8123 assertion that add_constraint succeeded with an assertion that
8124 if it fails, -fanalyzer-transitivity is off.
8125
50a71cd0
GA		 81262020-09-14 David Malcolm <dmalcolm@redhat.com>
8127
8128 * analyzer.opt (-param=analyzer-max-constraints=): New param.
8129 * constraint-manager.cc
8130 (constraint_manager::add_constraint_internal): Silently reject
8131 attempts to add constraints when the above limit is reached.
8132
81332020-09-14 David Malcolm <dmalcolm@redhat.com>
8134
8135 PR analyzer/96653
8136 * constraint-manager.cc
8137 (constraint_manager::get_or_add_equiv_class): Don't accumulate
8138 transitive closure of all constraints on constants.
8139
81402020-09-14 David Malcolm <dmalcolm@redhat.com>
8141
8142 PR analyzer/97029
8143 * analyzer.cc (is_setjmp_call_p): Require the initial arg to be a
8144 pointer.
8145 * region-model.cc (region_model::deref_rvalue): Assert that the
8146 svalue is of pointer type.
8147
ac35c090
GA		 81482020-09-11 David Malcolm <dmalcolm@redhat.com>
8149
8150 PR analyzer/96798
8151 * region-model-impl-calls.cc (region_model::impl_call_memcpy):
8152 New.
8153 (region_model::impl_call_strcpy): New.
8154 * region-model.cc (region_model::on_call_pre): Flag unhandled
8155 builtins that are non-pure as having unknown side-effects.
8156 Implement BUILT_IN_MEMCPY, BUILT_IN_MEMCPY_CHK, BUILT_IN_STRCPY,
8157 BUILT_IN_STRCPY_CHK, BUILT_IN_FPRINTF, BUILT_IN_FPRINTF_UNLOCKED,
8158 BUILT_IN_PUTC, BUILT_IN_PUTC_UNLOCKED, BUILT_IN_FPUTC,
8159 BUILT_IN_FPUTC_UNLOCKED, BUILT_IN_FPUTS, BUILT_IN_FPUTS_UNLOCKED,
8160 BUILT_IN_FWRITE, BUILT_IN_FWRITE_UNLOCKED, BUILT_IN_PRINTF,
8161 BUILT_IN_PRINTF_UNLOCKED, BUILT_IN_PUTCHAR,
8162 BUILT_IN_PUTCHAR_UNLOCKED, BUILT_IN_PUTS, BUILT_IN_PUTS_UNLOCKED,
8163 BUILT_IN_VFPRINTF, BUILT_IN_VPRINTF.
8164 * region-model.h (region_model::impl_call_memcpy): New decl.
8165 (region_model::impl_call_strcpy): New decl.
8166
80f86e78
GA		 81672020-09-09 David Malcolm <dmalcolm@redhat.com>
8168
8169 PR analyzer/94355
8170 * analyzer.opt (Wanalyzer-mismatching-deallocation): New warning.
8171 * region-model-impl-calls.cc
8172 (region_model::impl_call_operator_new): New.
8173 (region_model::impl_call_operator_delete): New.
8174 * region-model.cc (region_model::on_call_pre): Detect operator new
8175 and operator delete.
8176 (region_model::on_call_post): Likewise.
8177 (region_model::maybe_update_for_edge): Detect EH edges and call...
8178 (region_model::apply_constraints_for_exception): New function.
8179 * region-model.h (region_model::impl_call_operator_new): New decl.
8180 (region_model::impl_call_operator_delete): New decl.
8181 (region_model::apply_constraints_for_exception): New decl.
8182 * sm-malloc.cc (enum resource_state): New.
8183 (struct allocation_state): New state subclass.
8184 (enum wording): New.
8185 (struct api): New.
8186 (malloc_state_machine::custom_data_t): New typedef.
8187 (malloc_state_machine::add_state): New decl.
8188 (malloc_state_machine::m_unchecked)
8189 (malloc_state_machine::m_nonnull)
8190 (malloc_state_machine::m_freed): Delete these states in favor
8191 of...
8192 (malloc_state_machine::m_malloc)
8193 (malloc_state_machine::m_scalar_new)
8194 (malloc_state_machine::m_vector_new): ...this new api instances,
8195 which own their own versions of these states.
8196 (malloc_state_machine::on_allocator_call): New decl.
8197 (malloc_state_machine::on_deallocator_call): New decl.
8198 (api::api): New ctor.
8199 (dyn_cast_allocation_state): New.
8200 (as_a_allocation_state): New.
8201 (get_rs): New.
8202 (unchecked_p): New.
8203 (nonnull_p): New.
8204 (freed_p): New.
8205 (malloc_diagnostic::describe_state_change): Use unchecked_p and
8206 nonnull_p.
8207 (class mismatching_deallocation): New.
8208 (double_free::double_free): Add funcname param for initializing
8209 m_funcname.
8210 (double_free::emit): Use m_funcname in warning message rather
8211 than hardcoding "free".
8212 (double_free::describe_state_change): Likewise. Use freed_p.
8213 (double_free::describe_call_with_state): Use freed_p.
8214 (double_free::describe_final_event): Use m_funcname in message
8215 rather than hardcoding "free".
8216 (double_free::m_funcname): New field.
8217 (possible_null::describe_state_change): Use unchecked_p.
8218 (possible_null::describe_return_of_state): Likewise.
8219 (use_after_free::use_after_free): Add param for initializing m_api.
8220 (use_after_free::emit): Use m_api->m_dealloc_funcname in message
8221 rather than hardcoding "free".
8222 (use_after_free::describe_state_change): Use freed_p. Change the
8223 wording of the message based on the API.
8224 (use_after_free::describe_final_event): Use
8225 m_api->m_dealloc_funcname in message rather than hardcoding
8226 "free". Change the wording of the message based on the API.
8227 (use_after_free::m_api): New field.
8228 (malloc_leak::describe_state_change): Use unchecked_p. Update
8229 for renaming of m_malloc_event to m_alloc_event.
8230 (malloc_leak::describe_final_event): Update for renaming of
8231 m_malloc_event to m_alloc_event.
8232 (malloc_leak::m_malloc_event): Rename...
8233 (malloc_leak::m_alloc_event): ...to this.
8234 (free_of_non_heap::free_of_non_heap): Add param for initializing
8235 m_funcname.
8236 (free_of_non_heap::emit): Use m_funcname in message rather than
8237 hardcoding "free".
8238 (free_of_non_heap::describe_final_event): Likewise.
8239 (free_of_non_heap::m_funcname): New field.
8240 (allocation_state::dump_to_pp): New.
8241 (allocation_state::get_nonnull): New.
8242 (malloc_state_machine::malloc_state_machine): Update for changes
8243 to state fields and new api fields.
8244 (malloc_state_machine::add_state): New.
8245 (malloc_state_machine::on_stmt): Move malloc/calloc handling to
8246 on_allocator_call and call it, passing in the API pointer.
8247 Likewise for free, moving it to on_deallocator_call. Handle calls
8248 to operator new and delete in an analogous way. Use unchecked_p
8249 when testing for possibly-null-arg and possibly-null-deref, and
8250 transition to the non-null for the correct API. Remove redundant
8251 node param from call to on_zero_assignment. Use freed_p for
8252 use-after-free check, and pass in API.
8253 (malloc_state_machine::on_allocator_call): New, based on code in
8254 on_stmt.
8255 (malloc_state_machine::on_deallocator_call): Likewise.
8256 (malloc_state_machine::on_phi): Mark node param with
8257 ATTRIBUTE_UNUSED; don't pass it to on_zero_assignment.
8258 (malloc_state_machine::on_condition): Mark node param with
8259 ATTRIBUTE_UNUSED. Replace on_transition calls with get_state and
8260 set_next_state pairs, transitioning to the non-null state for the
8261 appropriate API.
8262 (malloc_state_machine::can_purge_p): Port to new state approach.
8263 (malloc_state_machine::on_zero_assignment): Replace on_transition
8264 calls with get_state and set_next_state pairs. Drop redundant
8265 node param.
8266 * sm.h (state_machine::add_custom_state): New.
8267
82682020-09-09 David Malcolm <dmalcolm@redhat.com>
8269
8270 * diagnostic-manager.cc
8271 (null_assignment_sm_context::warn_for_state): Replace with...
8272 (null_assignment_sm_context::warn): ...this.
8273 * engine.cc (impl_sm_context::warn_for_state): Replace with...
8274 (impl_sm_context::warn): ...this.
8275 * sm-file.cc (fileptr_state_machine::on_stmt): Replace
8276 warn_for_state and on_transition calls with a get_state
8277 test guarding warn and set_next_state calls.
8278 * sm-malloc.cc (malloc_state_machine::on_stmt): Likewise.
8279 * sm-pattern-test.cc (pattern_test_state_machine::on_condition):
8280 Replace warn_for_state call with warn call.
8281 * sm-sensitive.cc
8282 (sensitive_state_machine::warn_for_any_exposure): Replace
8283 warn_for_state call with a get_state test guarding a warn call.
8284 * sm-signal.cc (signal_state_machine::on_stmt): Likewise.
8285 * sm-taint.cc (taint_state_machine::on_stmt): Replace
8286 warn_for_state and on_transition calls with a get_state
8287 test guarding warn and set_next_state calls.
8288 * sm.h (sm_context::warn_for_state): Replace with...
8289 (sm_context::warn): ...this.
8290
82912020-09-09 David Malcolm <dmalcolm@redhat.com>
8292
8293 * diagnostic-manager.cc
8294 (null_assignment_sm_context::null_assignment_sm_context): Add old_state
8295 and ext_state params, initializing m_old_state and m_ext_state.
8296 (null_assignment_sm_context::on_transition): Split into...
8297 (null_assignment_sm_context::get_state): ...this new vfunc
8298 implementation and...
8299 (null_assignment_sm_context::set_next_state): ...this new vfunc
8300 implementation.
8301 (null_assignment_sm_context::m_old_state): New field.
8302 (null_assignment_sm_context::m_ext_state): New field.
8303 (diagnostic_manager::add_events_for_eedge): Pass in old state and
8304 ext_state when creating sm_ctxt.
8305 * engine.cc (impl_sm_context::on_transition): Split into...
8306 (impl_sm_context::get_state): ...this new vfunc
8307 implementation and...
8308 (impl_sm_context::set_next_state): ...this new vfunc
8309 implementation.
8310 * sm.h (sm_context::get_state): New pure virtual function.
8311 (sm_context::set_next_state): Likewise.
8312 (sm_context::on_transition): Convert from a pure virtual function
8313 to a regular function implemented in terms of get_state and
8314 set_next_state.
8315
83162020-09-09 David Malcolm <dmalcolm@redhat.com>
8317
8318 * checker-path.cc (state_change_event::get_desc): Update
8319 state_machine::get_state_name calls to state::get_name.
8320 (warning_event::get_desc): Likewise.
8321 * diagnostic-manager.cc
8322 (null_assignment_sm_context::on_transition): Update comparison
8323 against 0 with comparison with m_sm.get_start_state.
8324 (diagnostic_manager::prune_for_sm_diagnostic): Update
8325 state_machine::get_state_name calls to state::get_name.
8326 * engine.cc (impl_sm_context::on_transition): Likewise.
8327 (exploded_node::get_dot_fillcolor): Use get_id when summing
8328 the sm states.
8329 * program-state.cc (sm_state_map::sm_state_map): Don't hardcode
8330 0 as the start state when initializing m_global_state.
8331 (sm_state_map::print): Use dump_to_pp rather than get_state_name
8332 when dumping states.
8333 (sm_state_map::is_empty_p): Don't hardcode 0 as the start state
8334 when examining m_global_state.
8335 (sm_state_map::hash): Use get_id when hashing states.
8336 (selftest::test_sm_state_map): Use state objects rather than
8337 arbitrary hardcoded integers.
8338 (selftest::test_program_state_merging): Likewise.
8339 (selftest::test_program_state_merging_2): Likewise.
8340 * sm-file.cc (fileptr_state_machine::m_start): Move to base class.
8341 (file_diagnostic::describe_state_change): Use get_start_state.
8342 (fileptr_state_machine::fileptr_state_machine): Drop m_start
8343 initialization.
8344 * sm-malloc.cc (malloc_state_machine::m_start): Move to base
8345 class.
8346 (malloc_diagnostic::describe_state_change): Use get_start_state.
8347 (possible_null::describe_state_change): Likewise.
8348 (malloc_state_machine::malloc_state_machine): Drop m_start
8349 initialization.
8350 * sm-pattern-test.cc (pattern_test_state_machine::m_start): Move
8351 to base class.
8352 (pattern_test_state_machine::pattern_test_state_machine): Drop
8353 m_start initialization.
8354 * sm-sensitive.cc (sensitive_state_machine::m_start): Move to base
8355 class.
8356 (sensitive_state_machine::sensitive_state_machine): Drop m_start
8357 initialization.
8358 * sm-signal.cc (signal_state_machine::m_start): Move to base
8359 class.
8360 (signal_state_machine::signal_state_machine): Drop m_start
8361 initialization.
8362 * sm-taint.cc (taint_state_machine::m_start): Move to base class.
8363 (taint_state_machine::taint_state_machine): Drop m_start
8364 initialization.
8365 * sm.cc (state_machine::state::dump_to_pp): New.
8366 (state_machine::state_machine): Move here from sm.h. Initialize
8367 m_next_state_id and m_start.
8368 (state_machine::add_state): Reimplement in terms of state objects.
8369 (state_machine::get_state_name): Delete.
8370 (state_machine::get_state_by_name): Reimplement in terms of state
8371 objects. Make const.
8372 (state_machine::validate): Delete.
8373 (state_machine::dump_to_pp): Reimplement in terms of state
8374 objects.
8375 * sm.h (state_machine::state): New class.
8376 (state_machine::state_t): Convert typedef from "unsigned" to
8377 "const state_machine::state *".
8378 (state_machine::state_machine): Move to sm.cc.
8379 (state_machine::get_default_state): Use m_start rather than
8380 hardcoding 0.
8381 (state_machine::get_state_name): Delete.
8382 (state_machine::get_state_by_name): Make const.
8383 (state_machine::get_start_state): New accessor.
8384 (state_machine::alloc_state_id): New.
8385 (state_machine::m_state_names): Drop in favor of...
8386 (state_machine::m_states): New field
8387 (state_machine::m_start): New field
8388 (start_start_p): Delete.
8389
31a05046
GA		 83902020-09-08 David Malcolm <dmalcolm@redhat.com>
8391
8392 PR analyzer/96949
8393 * store.cc (binding_map::apply_ctor_val_to_range): Add
8394 error-handling for the cases where we have symbolic offsets.
8395
83962020-09-08 David Malcolm <dmalcolm@redhat.com>
8397
8398 PR analyzer/96950
8399 * store.cc (binding_map::apply_ctor_to_region): Handle RANGE_EXPR
8400 where min_index == max_index.
8401 (binding_map::apply_ctor_val_to_range): Replace assertion that we
8402 don't have a CONSTRUCTOR value with error-handling.
8403
84042020-09-08 David Malcolm <dmalcolm@redhat.com>
8405
8406 PR analyzer/96962
8407 * region-model.cc (region_model::on_call_pre): Fix guard on switch
8408 on built-ins to only consider BUILT_IN_NORMAL, rather than other
8409 kinds of build-ins.
8410
e1a4a8a0
GA		 84112020-09-01 David Malcolm <dmalcolm@redhat.com>
8412
8413 PR analyzer/96792
8414 * region-model.cc (region_model::deref_rvalue): Add the constraint
8415 that PTR_SVAL is non-NULL.
8416
13e4ba28
GA		 84172020-08-31 David Malcolm <dmalcolm@redhat.com>
8418
8419 PR analyzer/96798
8420 * region-model.cc (region_model::on_call_pre): Handle
8421 BUILT_IN_MEMSET_CHK.
8422
84232020-08-31 David Malcolm <dmalcolm@redhat.com>
8424
8425 * region-model.cc (region_model::on_call_pre): Gather handling of
8426 builtins and of internal fns into switch statements. Handle
8427 "alloca" and BUILT_IN_ALLOCA_WITH_ALIGN.
8428
84292020-08-31 David Malcolm <dmalcolm@redhat.com>
8430
8431 PR analyzer/96860
8432 * region.cc (decl_region::get_svalue_for_constructor): Support
8433 apply_ctor_to_region failing.
8434 * store.cc (binding_map::apply_ctor_to_region): Add failure
8435 handling.
8436 (binding_map::apply_ctor_val_to_range): Likewise.
8437 (binding_map::apply_ctor_pair_to_child_region): Likewise. Replace
8438 assertion that child_base_offset is not symbolic with error
8439 handling.
8440 * store.h (binding_map::apply_ctor_to_region): Convert return type
8441 from void to bool.
8442 (binding_map::apply_ctor_val_to_range): Likewise.
8443 (binding_map::apply_ctor_pair_to_child_region): Likewise.
8444
84452020-08-31 David Malcolm <dmalcolm@redhat.com>
8446
8447 PR analyzer/96763
8448 * store.cc (binding_map::apply_ctor_to_region): Handle RANGE_EXPR
8449 by calling a new binding_map::apply_ctor_val_to_range subroutine.
8450 Split out the existing non-CONSTRUCTOR-handling code to a new
8451 apply_ctor_pair_to_child_region subroutine.
8452 (binding_map::apply_ctor_val_to_range): New.
8453 (binding_map::apply_ctor_pair_to_child_region): New, split out
8454 from binding_map::apply_ctor_to_region as noted above.
8455 * store.h (binding_map::apply_ctor_val_to_range): New decl.
8456 (binding_map::apply_ctor_pair_to_child_region): New decl.
8457
84582020-08-31 David Malcolm <dmalcolm@redhat.com>
8459
8460 PR analyzer/96764
8461 * region-model-manager.cc
8462 (region_model_manager::maybe_fold_unaryop): Handle VIEW_CONVERT_EXPR.
8463 (region_model_manager::get_or_create_cast): Move logic for
8464 real->integer casting to...
8465 (get_code_for_cast): ...this new function, and add logic for
8466 real->non-integer casts.
8467 (region_model_manager::maybe_fold_sub_svalue): Handle
8468 VIEW_CONVERT_EXPR.
8469 * region-model.cc
8470 (region_model::add_any_constraints_from_gassign): Likewise.
8471 * svalue.cc (svalue::maybe_undo_cast): Likewise.
8472 (unaryop_svalue::dump_to_pp): Likewise.
8473
57ea0894
GA		 84742020-08-26 David Malcolm <dmalcolm@redhat.com>
8475
8476 PR analyzer/94858
8477 * region-model-manager.cc
8478 (region_model_manager::get_or_create_widening_svalue): Assert that
8479 neither of the inputs are themselves widenings.
8480 * store.cc (store::eval_alias_1): The initial value of a pointer
8481 can't point to a region that was allocated on the heap after the
8482 beginning of the path. A widened pointer value can't alias anything
8483 that the initial pointer value can't alias.
8484 * svalue.cc (svalue::can_merge_p): Merge BINOP (X, OP, CST) with X
8485 to a widening svalue. Merge
8486 BINOP(WIDENING(BASE, BINOP(BASE, X)), X) and BINOP(BASE, X) to
8487 to the LHS of the first BINOP.
8488
84892020-08-26 David Malcolm <dmalcolm@redhat.com>
8490
8491 PR analyzer/96777
8492 * region-model.h (class compound_svalue): Document that all keys
8493 must be concrete.
8494 (compound_svalue::compound_svalue): Move definition to svalue.cc.
8495 * store.cc (binding_map::apply_ctor_to_region): Handle
8496 initializers for trailing arrays with incomplete size.
8497 * svalue.cc (compound_svalue::compound_svalue): Move definition
8498 here from region-model.h. Add assertion that all keys are
8499 concrete.
8500
e769f970
GA		 85012020-08-22 David Malcolm <dmalcolm@redhat.com>
8502
8503 PR analyzer/94851
8504 * region-model-manager.cc
8505 (region_model_manager::maybe_fold_binop): Fold bitwise "& 0" to 0.
8506
85072020-08-22 David Malcolm <dmalcolm@redhat.com>
8508
8509 * store.cc (store::eval_alias): Make const. Split out 2nd half
8510 into store::eval_alias_1 and call it twice for symmetry, avoiding
8511 test duplication.
8512 (store::eval_alias_1): New function, split out from the above.
8513 * store.h (store::eval_alias): Make const.
8514 (store::eval_alias_1): New decl.
8515
85162020-08-22 David Malcolm <dmalcolm@redhat.com>
8517
8518 * region-model.cc (region_model::push_frame): Bind the default
8519 SSA name for each parm if it exists, falling back to the parm
8520 itself otherwise, rather than doing both.
8521
5b9a3d2a
GA		 85222020-08-20 David Malcolm <dmalcolm@redhat.com>
8523
8524 PR analyzer/96723
8525 * region-model-manager.cc
8526 (region_model_manager::get_field_region): Assert that field is a
8527 FIELD_DECL.
8528 * region.cc (region::get_subregions_for_binding): In
8529 union-handling, filter the TYPE_FIELDS traversal to just FIELD_DECLs.
8530
85312020-08-20 David Malcolm <dmalcolm@redhat.com>
8532
8533 PR analyzer/96713
8534 * region-model.cc (region_model::get_gassign_result): For
8535 comparisons, only use eval_condition when the lhs has boolean
8536 type, and use get_or_create_constant_svalue on the boolean
8537 constants directly rather than via get_rvalue.
8538
04e23a40
GA		 85392020-08-19 David Malcolm <dmalcolm@redhat.com>
8540
8541 PR analyzer/96643
8542 * region-model.cc (region_model::deref_rvalue): Rather than
8543 attempting to handle all svalue kinds in the switch, only cover
8544 the special cases, and move symbolic-region handling to after
8545 the switch, thus implicitly handling the missing case SK_COMPOUND.
8546
85472020-08-19 David Malcolm <dmalcolm@redhat.com>
8548
8549 PR analyzer/96705
8550 * region-model-manager.cc
8551 (region_model_manager::maybe_fold_binop): Check that we have an
8552 integral type before calling build_int_cst.
8553
85542020-08-19 David Malcolm <dmalcolm@redhat.com>
8555
8556 PR analyzer/96699
8557 * region-model-manager.cc
8558 (region_model_manager::get_or_create_cast): Use FIX_TRUNC_EXPR for
8559 casting from REAL_TYPE to INTEGER_TYPE.
8560
85612020-08-19 David Malcolm <dmalcolm@redhat.com>
8562
8563 PR analyzer/96651
8564 * region-model.cc (region_model::called_from_main_p): New.
8565 (region_model::get_store_value): Move handling for globals into...
8566 (region_model::get_initial_value_for_global): ...this new
8567 function, and add logic for extracting values from decl
8568 initializers.
8569 * region-model.h (decl_region::get_svalue_for_constructor): New
8570 decl.
8571 (decl_region::get_svalue_for_initializer): New decl.
8572 (region_model::called_from_main_p): New decl.
8573 (region_model::get_initial_value_for_global): New.
8574 * region.cc (decl_region::maybe_get_constant_value): Move logic
8575 for getting an svalue from a CONSTRUCTOR node to...
8576 (decl_region::get_svalue_for_constructor): ...this new function.
8577 (decl_region::get_svalue_for_initializer): New.
8578 * store.cc (get_svalue_for_ctor_val): Rewrite in terms of
8579 region_model::get_rvalue.
8580 * store.h (binding_cluster::get_map): New accessor.
8581
85822020-08-19 David Malcolm <dmalcolm@redhat.com>
8583
8584 PR analyzer/96648
8585 * region.cc (get_field_at_bit_offset): Gracefully handle negative
8586 values for bit_offset.
8587
5c265693
GA		 85882020-08-18 David Malcolm <dmalcolm@redhat.com>
8589
8590 * region-model.cc (region_model::get_rvalue_1): Fix name of local.
8591
85922020-08-18 David Malcolm <dmalcolm@redhat.com>
8593
8594 PR analyzer/96641
8595 * region-model.cc (region_model::get_rvalue_1): Handle
8596 unrecognized tree codes by returning "UNKNOWN.
8597
85982020-08-18 David Malcolm <dmalcolm@redhat.com>
8599
8600 PR analyzer/96640
8601 * region-model.cc (region_model::get_gassign_result): Handle various
8602 VEC_* tree codes by returning UNKNOWN.
8603 (region_model::on_assignment): Handle unrecognized tree codes by
8604 setting lhs to an unknown value, rather than issuing a "sorry" and
8605 asserting.
8606
deee2322
GA		 86072020-08-17 David Malcolm <dmalcolm@redhat.com>
8608
8609 PR analyzer/96644
8610 * region-model-manager.cc (get_region_for_unexpected_tree_code):
8611 Handle ctxt being NULL.
8612
86132020-08-17 David Malcolm <dmalcolm@redhat.com>
8614
8615 PR analyzer/96639
8616 * region.cc (region::get_subregions_for_binding): Check for "type"
8617 being NULL.
8618
86192020-08-17 David Malcolm <dmalcolm@redhat.com>
8620
8621 PR analyzer/96642
8622 * store.cc (get_svalue_for_ctor_val): New.
8623 (binding_map::apply_ctor_to_region): Call it.
8624
661ee09b
GA		 86252020-08-14 David Malcolm <dmalcolm@redhat.com>
8626
8627 PR testsuite/96609
8628 PR analyzer/96616
8629 * region-model.cc (region_model::get_store_value): Call
8630 maybe_get_constant_value on decl_regions first.
8631 * region-model.h (decl_region::maybe_get_constant_value): New decl.
8632 * region.cc (decl_region::get_stack_depth): Likewise.
8633 (decl_region::maybe_get_constant_value): New.
8634 * store.cc (get_subregion_within_ctor): New.
8635 (binding_map::apply_ctor_to_region): New.
8636 * store.h (binding_map::apply_ctor_to_region): New decl.
8637
86382020-08-14 David Malcolm <dmalcolm@redhat.com>
8639
8640 PR analyzer/96611
8641 * store.cc (store::mark_as_escaped): Reject attempts to
8642 get a cluster for an unknown pointer.
8643
b3cb5606
GA		 86442020-08-13 David Malcolm <dmalcolm@redhat.com>
8645
5afd1882
ML		 8646 PR analyzer/93032
8647 PR analyzer/93938
8648 PR analyzer/94011
8649 PR analyzer/94099
8650 PR analyzer/94399
8651 PR analyzer/94458
8652 PR analyzer/94503
8653 PR analyzer/94640
8654 PR analyzer/94688
8655 PR analyzer/94689
8656 PR analyzer/94839
8657 PR analyzer/95026
8658 PR analyzer/95042
8659 PR analyzer/95240
b3cb5606
GA		 8660 * analyzer-logging.cc: Ignore "-Wformat-diag".
8661 (logger::enter_scope): Use inc_indent in both overloads.
8662 (logger::exit_scope): Use dec_indent.
8663 * analyzer-logging.h (logger::inc_indent): New.
8664 (logger::dec_indent): New.
8665 * analyzer-selftests.cc (run_analyzer_selftests): Call
8666 analyzer_store_cc_tests.
8667 * analyzer-selftests.h (analyzer_store_cc_tests): New decl.
8668 * analyzer.cc (get_stmt_location): New function.
8669 * analyzer.h (class initial_svalue): New forward decl.
8670 (class unaryop_svalue): New forward decl.
8671 (class binop_svalue): New forward decl.
8672 (class sub_svalue): New forward decl.
8673 (class unmergeable_svalue): New forward decl.
8674 (class placeholder_svalue): New forward decl.
8675 (class widening_svalue): New forward decl.
8676 (class compound_svalue): New forward decl.
8677 (class conjured_svalue): New forward decl.
8678 (svalue_set): New typedef.
8679 (class map_region): Delete.
8680 (class array_region): Delete.
8681 (class frame_region): New forward decl.
8682 (class function_region): New forward decl.
8683 (class label_region): New forward decl.
8684 (class decl_region): New forward decl.
8685 (class element_region): New forward decl.
8686 (class offset_region): New forward decl.
8687 (class cast_region): New forward decl.
8688 (class field_region): New forward decl.
8689 (class string_region): New forward decl.
8690 (class region_model_manager): New forward decl.
8691 (class store_manager): New forward decl.
8692 (class store): New forward decl.
8693 (class call_details): New forward decl.
8694 (struct svalue_id_merger_mapping): Delete.
8695 (struct canonicalization): Delete.
8696 (class function_point): New forward decl.
8697 (class engine): New forward decl.
8698 (dump_tree): New function decl.
8699 (print_quoted_type): New function decl.
8700 (readability_comparator): New function decl.
8701 (tree_cmp): New function decl.
8702 (class path_var): Move here from region-model.h
8703 (bit_offset_t, bit_size_t, byte_size_t): New typedefs.
8704 (class region_offset): New class.
8705 (get_stmt_location): New decl.
8706 (struct member_function_hash_traits): New struct.
8707 (class consolidation_map): New class.
8708 Ignore "-Wformat-diag".
8709 * analyzer.opt (-param=analyzer-max-svalue-depth=): New param.
8710 (-param=analyzer-max-enodes-for-full-dump=): New param.
8711 * call-string.cc: Ignore -Wformat-diag.
8712 * checker-path.cc: Move includes of "analyzer/call-string.h" and
8713 "analyzer/program-point.h" to before "analyzer/region-model.h",
8714 and also include "analyzer/store.h" before it.
8715 (state_change_event::state_change_event): Replace "tree var" param
8716 with "const svalue *sval". Convert "origin" param from tree to
8717 "const svalue *".
8718 (state_change_event::get_desc): Call get_representative_tree to
8719 convert the var and origin from const svalue * to tree. Use
8720 svalue::get_desc rather than %qE when describing state changes.
8721 (checker_path::add_final_event): Use get_stmt_location.
8722 * checker-path.h (state_change_event::state_change_event): Port
8723 from tree to const svalue *.
8724 (state_change_event::get_lvalue): Delete.
8725 (state_change_event::get_dest_function): New.
8726 (state_change_event::m_var): Replace with...
8727 (state_change_event::m_sval): ...this.
8728 (state_change_event::m_origin): Convert from tree to
8729 const svalue *.
8730 * constraint-manager.cc: Include "analyzer/call-string.h",
8731 "analyzer/program-point.h", and "analyzer/store.h" before
8732 "analyzer/region-model.h".
8733 (struct bound, struct range): Move to constraint-manager.h.
8734 (compare_constants): New function.
8735 (range::dump): Rename to...
8736 (range::dump_to_pp): ...this. Support NULL constants.
8737 (range::dump): Reintroduce for dumping to stderr.
8738 (range::constrained_to_single_element): Return result, rather than
8739 writing to *OUT.
8740 (range::eval_condition): New.
8741 (range::below_lower_bound): New.
8742 (range::above_upper_bound): New.
8743 (equiv_class::equiv_class): Port from svalue_id to const svalue *.
8744 (equiv_class::print): Likewise.
8745 (equiv_class::hash): Likewise.
8746 (equiv_class::operator==): Port from svalue_id to const svalue *.
8747 (equiv_class::add): Port from svalue_id to const svalue *. Drop
8748 "cm" param.
8749 (equiv_class::del): Port from svalue_id to const svalue *.
8750 (equiv_class::get_representative): Likewise.
8751 (equiv_class::remap_svalue_ids): Delete.
8752 (svalue_id_cmp_by_id): Rename to...
8753 (svalue_cmp_by_ptr): ...this, porting from svalue_id to
8754 const svalue *.
8755 (equiv_class::canonicalize): Update qsort comparator.
8756 (constraint::implied_by): New.
8757 (constraint_manager::constraint_manager): Copy m_mgr in copy ctor.
8758 (constraint_manager::dump_to_pp): Add "multiline" param
8759 (constraint_manager::dump): Pass "true" for "multiline".
8760 (constraint_manager::add_constraint): Port from svalue_id to
8761 const svalue *. Split out second part into...
8762 (constraint_manager::add_unknown_constraint): ...this new
8763 function. Remove self-constraints when merging equivalence
8764 classes.
8765 (constraint_manager::add_constraint_internal): Remove constraints
8766 that would be implied by the new constraint. Port from svalue_id
8767 to const svalue *.
8768 (constraint_manager::get_equiv_class_by_sid): Rename to...
8769 (constraint_manager::get_equiv_class_by_svalue): ...this, porting
8770 from svalue_id to const svalue *.
8771 (constraint_manager::get_or_add_equiv_class): Port from svalue_id
8772 to const svalue *.
8773 (constraint_manager::eval_condition): Make const. Call
8774 compare_constants and return early if it provides a known result.
8775 (constraint_manager::get_ec_bounds): New.
8776 (constraint_manager::eval_condition): New overloads. Make
8777 existing one const, and use compare_constants.
8778 (constraint_manager::purge): Convert "p" param to a template
8779 rather that an abstract base class. Port from svalue_id to
8780 const svalue *.
8781 (class dead_svalue_purger): New class.
8782 (constraint_manager::remap_svalue_ids): Delete.
8783 (constraint_manager::on_liveness_change): New.
8784 (equiv_class_cmp): Port from svalue_id to const svalue *.
8785 (constraint_manager::canonicalize): Likewise. Combine with
8786 purging of redundant equivalence classes and constraints.
8787 (class cleaned_constraint_manager): Delete.
8788 (class merger_fact_visitor): Make "m_cm_b" const. Add "m_merger"
8789 field.
8790 (merger_fact_visitor::fact): Port from svalue_id to const svalue *.
8791 Add special case for widening.
8792 (constraint_manager::merge): Port from svalue_id to const svalue *.
8793 (constraint_manager::clean_merger_input): Delete.
8794 (constraint_manager::for_each_fact): Port from svalue_id to
8795 const svalue *.
8796 (constraint_manager::validate): Likewise.
8797 (selftest::test_constraint_conditions): Provide a
8798 region_model_manager when creating region_model instances.
8799 Add test for self-equality not creating equivalence classes.
8800 (selftest::test_transitivity): Provide a region_model_manager when
8801 creating region_model instances. Verify that EC-merging happens
8802 when constraints are implied.
8803 (selftest::test_constant_comparisons): Provide a
8804 region_model_manager when creating region_model instances.
8805 (selftest::test_constraint_impl): Likewise. Remove over-specified
8806 assertions.
8807 (selftest::test_equality): Provide a region_model_manager when
8808 creating region_model instances.
8809 (selftest::test_many_constants): Likewise. Provide a
8810 program_point when testing merging.
8811 (selftest::run_constraint_manager_tests): Move call to
8812 test_constant_comparisons to outside the transitivity guard.
8813 * constraint-manager.h (struct bound): Move here from
8814 constraint-manager.cc.
8815 (struct range): Likewise.
8816 (struct::eval_condition): New decl.
8817 (struct::below_lower_bound): New decl.
8818 (struct::above_upper_bound): New decl.
8819 (equiv_class::add): Port from svalue_id to const svalue *.
8820 (equiv_class::del): Likewise.
8821 (equiv_class::get_representative): Likewise.
8822 (equiv_class::remap_svalue_ids): Drop.
8823 (equiv_class::m_cst_sid): Convert to..
8824 (equiv_class::m_cst_sval): ...this.
8825 (equiv_class::m_vars): Port from svalue_id to const svalue *.
8826 (constraint::bool implied_by): New decl.
8827 (fact_visitor::on_fact): Port from svalue_id to const svalue *.
8828 (constraint_manager::constraint_manager): Add mgr param.
8829 (constraint_manager::clone): Delete.
8830 (constraint_manager::maybe_get_constant): Delete.
8831 (constraint_manager::get_sid_for_constant): Delete.
8832 (constraint_manager::get_num_svalues): Delete.
8833 (constraint_manager::dump_to_pp): Add "multiline" param.
8834 (constraint_manager::get_equiv_class): Port from svalue_id to
8835 const svalue *.
8836 (constraint_manager::add_constraint): Likewise.
8837 (constraint_manager::get_equiv_class_by_sid): Rename to...
8838 (constraint_manager::get_equiv_class_by_svalue): ...this, porting
8839 from svalue_id to const svalue *.
8840 (constraint_manager::add_unknown_constraint): New decl.
8841 (constraint_manager::get_or_add_equiv_class): Port from svalue_id
8842 to const svalue *.
8843 (constraint_manager::eval_condition): Likewise. Add overloads.
8844 (constraint_manager::get_ec_bounds): New decl.
8845 (constraint_manager::purge): Convert to template.
8846 (constraint_manager::remap_svalue_ids): Delete.
8847 (constraint_manager::on_liveness_change): New decl.
8848 (constraint_manager::canonicalize): Drop param.
8849 (constraint_manager::clean_merger_input): Delete.
8850 (constraint_manager::m_mgr): New field.
8851 * diagnostic-manager.cc: Move includes of
8852 "analyzer/call-string.h" and "analyzer/program-point.h" to before
8853 "analyzer/region-model.h", and also include "analyzer/store.h"
8854 before it.
8855 (saved_diagnostic::saved_diagnostic): Add "sval" param.
8856 (diagnostic_manager::diagnostic_manager): Add engine param.
8857 (diagnostic_manager::add_diagnostic): Add "sval" param, passing it
8858 to saved_diagnostic ctor. Update overload to pass NULL for it.
8859 (dedupe_winners::dedupe_winners): Add engine param.
8860 (dedupe_winners::add): Add "eg" param. Pass m_engine to
8861 feasible_p.
8862 (dedupe_winner::m_engine): New field.
8863 (diagnostic_manager::emit_saved_diagnostics): Pass engine to
8864 dedupe_winners. Pass &eg when adding candidates. Pass svalue
8865 rather than tree to prune_path. Use get_stmt_location to get
8866 primary location of diagnostic.
8867 (diagnostic_manager::emit_saved_diagnostic): Likewise.
8868 (get_any_origin): Drop.
8869 (state_change_event_creator::on_global_state_change): Pass NULL
8870 const svalue * rather than NULL_TREE trees to state_change_event
8871 ctor.
8872 (state_change_event_creator::on_state_change): Port from tree and
8873 svalue_id to const svalue *.
8874 (for_each_state_change): Port from svalue_id to const svalue *.
8875 (struct null_assignment_sm_context): New.
8876 (diagnostic_manager::add_events_for_eedge): Add state change
8877 events for assignment to NULL.
8878 (diagnostic_manager::prune_path): Update param from tree to
8879 const svalue *.
8880 (diagnostic_manager::prune_for_sm_diagnostic): Port from tracking
8881 by tree to by const svalue *.
8882 * diagnostic-manager.h (saved_diagnostic::saved_diagnostic): Add sval
8883 param.
8884 (saved_diagnostic::m_sval): New field.
8885 (diagnostic_manager::diagnostic_manager): Add engine param.
8886 (diagnostic_manager::get_engine): New.
8887 (diagnostic_manager::add_diagnostic): Add "sval" param.
8888 (diagnostic_manager::prune_path): Likewise.
8889 (diagnostic_manager::prune_for_sm_diagnostic): New overload.
8890 (diagnostic_manager::m_eng): New field.
8891 * engine.cc: Move includes of "analyzer/call-string.h" and
8892 "analyzer/program-point.h" to before "analyzer/region-model.h",
8893 and also include "analyzer/store.h" before it.
8894 (impl_region_model_context::impl_region_model_context): Update for
8895 removal of m_change field.
8896 (impl_region_model_context::remap_svalue_ids): Delete.
8897 (impl_region_model_context::on_svalue_leak): New.
8898 (impl_region_model_context::on_svalue_purge): Delete.
8899 (impl_region_model_context::on_liveness_change): New.
8900 (impl_region_model_context::on_unknown_change): Update param
8901 from svalue_id to const svalue *. Add is_mutable param.
8902 (setjmp_svalue::compare_fields): Delete.
8903 (setjmp_svalue::accept): New.
8904 (setjmp_svalue::add_to_hash): Delete.
8905 (setjmp_svalue::dump_to_pp): New.
8906 (setjmp_svalue::print_details): Delete.
8907 (impl_sm_context::impl_sm_context): Drop "change" param.
8908 (impl_sm_context::get_fndecl_for_call): Drop "m_change".
8909 (impl_sm_context::on_transition): Drop ATTRIBUTE_UNUSED from
8910 "stmt" param. Drop m_change. Port from svalue_id to
8911 const svalue *.
8912 (impl_sm_context::warn_for_state): Drop m_change. Port from
8913 svalue_id to const svalue *.
8914 (impl_sm_context::get_readable_tree): Rename to...
8915 (impl_sm_context::get_diagnostic_tree): ...this. Port from
8916 svalue_id to const svalue *.
8917 (impl_sm_context::is_zero_assignment): New.
8918 (impl_sm_context::m_change): Delete field.
8919 (leak_stmt_finder::find_stmt): Handle m_var being NULL.
8920 (readability): Increase penalty for MEM_REF. For SSA_NAMEs,
8921 slightly favor the underlying var over the SSA name. Heavily
8922 penalize temporaries. Handle RESULT_DECL.
8923 (readability_comparator): Make non-static. Consider stack depths.
8924 (impl_region_model_context::on_state_leak): Convert from svalue_id
8925 to const svalue *, updating for region_model changes. Use
8926 id_equal.
8927 (impl_region_model_context::on_inherited_svalue): Delete.
8928 (impl_region_model_context::on_cast): Delete.
8929 (impl_region_model_context::on_condition): Drop m_change.
8930 (impl_region_model_context::on_phi): Likewise.
8931 (impl_region_model_context::on_unexpected_tree_code): Handle t
8932 being NULL.
8933 (point_and_state::validate): Update stack checking for
8934 region_model changes.
8935 (eg_traits::dump_args_t::show_enode_details_p): New.
8936 (exploded_node::exploded_node): Initialize m_num_processed_stmts.
8937 (exploded_node::get_processed_stmt): New function.
8938 (exploded_node::get_dot_fillcolor): Add more colors.
8939 (exploded_node::dump_dot): Guard the printing of the point and
8940 state with show_enode_details_p. Print the processed stmts for
8941 this enode after the initial state.
8942 (exploded_node::dump_to_pp): Pass true for new multiline param
8943 of program_state::dump_to_pp.
8944 (exploded_node::on_stmt): Drop "change" param. Log the stmt.
8945 Set input_location. Implement __analyzer_describe. Update
8946 implementation of __analyzer_dump and __analyzer_eval.
8947 Remove purging of sm-state for unknown fncalls from here.
8948 (exploded_node::on_edge): Drop "change" param.
8949 (exploded_node::on_longjmp): Port from region_id/svalue_id to
8950 const region */const svalue *. Call program_state::detect_leaks.
8951 Drop state_change.
8952 (exploded_node::detect_leaks): Update for changes to region_model.
8953 Call program_state::detect_leaks.
8954 (exploded_edge::exploded_edge): Drop ext_state and change params.
8955 (exploded_edge::dump_dot): "args" is no longer used. Drop dumping
8956 of m_change.
8957 (exploded_graph::exploded_graph): Pass engine to
8958 m_diagnostic_manager ctor. Use program_point::origin.
8959 (exploded_graph::add_function_entry): Drop ctxt. Use
8960 program_state::push_frame. Drop state_change.
8961 (exploded_graph::get_or_create_node): Drop "change" param. Add
8962 "enode_for_diag" param. Update dumping calls for API changes.
8963 Pass point to can_merge_with_p. Show enode indices
8964 within -Wanalyzer-too-complex diagnostic for hitting the per-point
8965 limit.
8966 (exploded_graph::add_edge): Drop "change" param. Log which nodes
8967 are being connected. Update for changes to exploded_edge ctor.
8968 (exploded_graph::get_per_program_point_data): New.
8969 (exploded_graph::process_worklist): Pass point to
8970 can_merge_with_p. Drop state_change. Update dumping call for API
8971 change.
8972 (exploded_graph::process_node): Drop state_change. Split the
8973 node in-place if an sm-state-change occurs. Update
8974 m_num_processed_stmts. Update dumping calls for API change.
8975 (exploded_graph::log_stats): Call engine::log_stats.
8976 (exploded_graph::dump_states_for_supernode): Update dumping
8977 call.
8978 (exploded_path::feasible_p): Add "eng" and "eg" params.
8979 Rename "i" to "end_idx". Pass the manager to the region_model
8980 ctor. Update for every processed stmt in the enode, not just the
8981 first. Keep track of which snodes have been visited, and call
8982 loop_replay_fixup when revisiting one.
8983 (enode_label::get_text): Update dump call for new param.
8984 (exploded_graph::dump_exploded_nodes): Likewise.
8985 (exploded_graph::get_node_by_index): New.
8986 (impl_run_checkers): Create engine instance and pass its address
8987 to extrinsic_state ctor.
8988 * exploded-graph.h
8989 (impl_region_model_context::impl_region_model_context): Drop
8990 "change" params.
8991 (impl_region_model_context::void remap_svalue_ids): Delete.
8992 (impl_region_model_context::on_svalue_purge): Delete.
8993 (impl_region_model_context::on_svalue_leak): New.
8994 (impl_region_model_context::on_liveness_change): New.
8995 (impl_region_model_context::on_state_leak): Update signature.
8996 (impl_region_model_context::on_inherited_svalue): Delete.
8997 (impl_region_model_context::on_cast): Delete.
8998 (impl_region_model_context::on_unknown_change): Update signature.
8999 (impl_region_model_context::m_change): Delete.
9000 (eg_traits::dump_args_t::show_enode_details_p): New.
9001 (exploded_node::on_stmt): Drop "change" param.
9002 (exploded_node::on_edge): Likewise.
9003 (exploded_node::get_processed_stmt): New decl.
9004 (exploded_node::m_num_processed_stmts): New field.
9005 (exploded_edge::exploded_edge): Drop ext_state and change params.
9006 (exploded_edge::m_change): Delete.
9007 (exploded_graph::get_engine): New accessor.
9008 (exploded_graph::get_or_create_node): Drop "change" param. Add
9009 "enode_for_diag" param.
9010 (exploded_graph::add_edge): Drop "change" param.
9011 (exploded_graph::get_per_program_point_data): New decl.
9012 (exploded_graph::get_node_by_index): New decl.
9013 (exploded_path::feasible_p): Add "eng" and "eg" params.
9014 * program-point.cc: Include "analyzer/store.h" before including
9015 "analyzer/region-model.h".
9016 (function_point::function_point): Move here from
9017 program-point.h.
9018 (function_point::get_function): Likewise.
9019 (function_point::from_function_entry): Likewise.
9020 (function_point::before_supernode): Likewise.
9021 (function_point::next_stmt): New function.
9022 * program-point.h (function_point::function_point): Move
9023 implementation from here to program-point.cc.
9024 (function_point::get_function): Likewise.
9025 (function_point::from_function_entry): Likewise.
9026 (function_point::before_supernode): Likewise.
9027 (function_point::next_stmt): New decl.
9028 (program_point::operator!=): New.
9029 (program_point::origin): New.
9030 (program_point::next_stmt): New.
9031 (program_point::m_function_point): Make non-const.
9032 * program-state.cc: Move includes of "analyzer/call-string.h" and
9033 "analyzer/program-point.h" to before "analyzer/region-model.h",
9034 and also include "analyzer/store.h" before it.
9035 (extrinsic_state::get_model_manager): New.
9036 (sm_state_map::sm_state_map): Pass in sm and sm_idx to ctor,
9037 rather than pass the around.
9038 (sm_state_map::clone_with_remapping): Delete.
9039 (sm_state_map::print): Remove "sm" param in favor of "m_sm". Add
9040 "simple" and "multiline" params and support multiline vs single
9041 line dumping.
9042 (sm_state_map::dump): Remove "sm" param in favor of "m_sm". Add
9043 "simple" param.
9044 (sm_state_map::hash): Port from svalue_id to const svalue *.
9045 (sm_state_map::operator==): Likewise.
9046 (sm_state_map::get_state): Likewise. Call canonicalize_svalue on
9047 input. Handle inheritance of sm-state. Call get_default_state.
9048 (sm_state_map::get_origin): Port from svalue_id to const svalue *.
9049 (sm_state_map::set_state): Likewise. Pass in ext_state. Reject
9050 attempts to set state on UNKNOWN.
9051 (sm_state_map::impl_set_state): Port from svalue_id to
9052 const svalue *. Pass in ext_state. Call canonicalize_svalue on
9053 input.
9054 (sm_state_map::purge_for_unknown_fncall): Delete.
9055 (sm_state_map::on_svalue_leak): New.
9056 (sm_state_map::remap_svalue_ids): Delete.
9057 (sm_state_map::on_liveness_change): New.
9058 (sm_state_map::on_unknown_change): Reimplement.
9059 (sm_state_map::on_svalue_purge): Delete.
9060 (sm_state_map::on_inherited_svalue): Delete.
9061 (sm_state_map::on_cast): Delete.
9062 (sm_state_map::validate): Delete.
9063 (sm_state_map::canonicalize_svalue): New.
9064 (program_state::program_state): Update to pass manager to
9065 region_model's ctor. Constify num_states and pass state machine
9066 and index to sm_state_map ctor.
9067 (program_state::print): Update for changes to dump API.
9068 (program_state::dump_to_pp): Ignore the summarize param. Add
9069 "multiline" param.
9070 (program_state::dump_to_file): Add "multiline" param.
9071 (program_state::dump): Pass "true" for new "multiline" param.
9072 (program_state::push_frame): New.
9073 (program_state::on_edge): Drop "change" param. Call
9074 program_state::detect_leaks.
9075 (program_state::prune_for_point): Add enode_for_diag param.
9076 Reimplement based on store class. Call detect_leaks
9077 (program_state::remap_svalue_ids): Delete.
9078 (program_state::get_representative_tree): Port from svalue_id to
9079 const svalue *.
9080 (program_state::can_merge_with_p): Add "point" param. Add early
9081 reject for sm-differences. Drop id remapping.
9082 (program_state::validate): Drop region model and sm_state_map
9083 validation.
9084 (state_change::sm_change::dump): Delete.
9085 (state_change::sm_change::remap_svalue_ids): Delete.
9086 (state_change::sm_change::on_svalue_purge): Delete.
9087 (log_set_of_svalues): New.
9088 (state_change::sm_change::validate): Delete.
9089 (state_change::state_change): Delete.
9090 (state_change::add_sm_change): Delete.
9091 (state_change::affects_p): Delete.
9092 (state_change::dump): Delete.
9093 (state_change::remap_svalue_ids): Delete.
9094 (state_change::on_svalue_purge): Delete.
9095 (state_change::validate): Delete.
9096 (selftest::assert_dump_eq): Delete.
9097 (ASSERT_DUMP_EQ): Delete.
9098 (selftest::test_sm_state_map): Update for changes to region_model
9099 and sm_state_map, porting from svalue_id to const svalue *.
9100 (selftest::test_program_state_dumping): Likewise. Drop test of
9101 dumping, renaming to...
9102 (selftest::test_program_state_1): ...this.
9103 (selftest::test_program_state_dumping_2): Likewise, renaming to...
9104 (selftest::test_program_state_2): ...this.
9105 (selftest::test_program_state_merging): Update for changes to
9106 region_model.
9107 (selftest::test_program_state_merging_2): Likewise.
9108 (selftest::analyzer_program_state_cc_tests): Update for renamed
9109 tests.
9110 * program-state.h (extrinsic_state::extrinsic_state): Add logger
9111 and engine params.
9112 (extrinsic_state::get_logger): New accessor.
9113 (extrinsic_state::get_engine): New accessor.
9114 (extrinsic_state::get_model_manager): New accessor.
9115 (extrinsic_state::m_logger): New field.
9116 (extrinsic_state::m_engine): New field.
9117 (struct default_hash_traits<svalue_id>): Delete.
9118 (pod_hash_traits<svalue_id>::hash): Delete.
9119 (pod_hash_traits<svalue_id>::equal): Delete.
9120 (pod_hash_traits<svalue_id>::mark_deleted): Delete.
9121 (pod_hash_traits<svalue_id>::mark_empty): Delete.
9122 (pod_hash_traits<svalue_id>::is_deleted): Delete.
9123 (pod_hash_traits<svalue_id>::is_empty): Delete.
9124 (sm_state_map::entry_t::entry_t): Port from svalue_id to
9125 const svalue *.
9126 (sm_state_map::entry_t::m_origin): Likewise.
9127 (sm_state_map::map_t): Likewise.
9128 (sm_state_map::sm_state_map): Add state_machine and index params.
9129 (sm_state_map::clone_with_remapping): Delete.
9130 (sm_state_map::print): Drop sm param; add simple and multiline
9131 params.
9132 (sm_state_map::dump): Drop sm param; add simple param.
9133 (sm_state_map::get_state): Port from svalue_id to const svalue *.
9134 Add ext_state param.
9135 (sm_state_map::get_origin): Likewise.
9136 (sm_state_map::set_state): Likewise.
9137 (sm_state_map::impl_set_state): Likewise.
9138 (sm_state_map::purge_for_unknown_fncall): Delete.
9139 (sm_state_map::remap_svalue_ids): Delete.
9140 (sm_state_map::on_svalue_purge): Delete.
9141 (sm_state_map::on_svalue_leak): New.
9142 (sm_state_map::on_liveness_change): New.
9143 (sm_state_map::on_inherited_svalue): Delete.
9144 (sm_state_map::on_cast): Delete.
9145 (sm_state_map::validate): Delete.
9146 (sm_state_map::on_unknown_change): Port from svalue_id to
9147 const svalue *. Add is_mutable and ext_state params.
9148 (sm_state_map::canonicalize_svalue): New.
9149 (sm_state_map::m_sm): New field.
9150 (sm_state_map::m_sm_idx): New field.
9151 (program_state::operator=): Delete.
9152 (program_state::dump_to_pp): Drop "summarize" param, adding
9153 "simple" and "multiline".
9154 (program_state::dump_to_file): Likewise.
9155 (program_state::dump): Rename "summarize" to "simple".
9156 (program_state::push_frame): New.
9157 (program_state::get_current_function): New.
9158 (program_state::on_edge): Drop "change" param.
9159 (program_state::prune_for_point): Likewise. Add enode_for_diag
9160 param.
9161 (program_state::remap_svalue_ids): Delete.
9162 (program_state::get_representative_tree): Port from svalue_id to
9163 const svalue *.
9164 (program_state::can_purge_p): Likewise. Pass ext_state to get_state.
9165 (program_state::can_merge_with_p): Add point param.
9166 (program_state::detect_leaks): New.
9167 (state_change_visitor::on_state_change): Port from tree and
9168 svalue_id to a pair of const svalue *.
9169 (class state_change): Delete.
9170 * region.cc: New file.
9171 * region-model-impl-calls.cc: New file.
9172 * region-model-manager.cc: New file.
9173 * region-model-reachability.cc: New file.
9174 * region-model-reachability.h: New file.
9175 * region-model.cc: Include "analyzer/call-string.h",
9176 "analyzer/program-point.h", and "analyzer/store.h" before
9177 "analyzer/region-model.h". Include
9178 "analyzer/region-model-reachability.h".
9179 (dump_tree): Make non-static.
9180 (dump_quoted_tree): Make non-static.
9181 (print_quoted_type): Make non-static.
9182 (path_var::dump): Delete.
9183 (dump_separator): Delete.
9184 (class impl_constraint_manager): Delete.
9185 (svalue_id::print): Delete.
9186 (svalue_id::dump_node_name_to_pp): Delete.
9187 (svalue_id::validate): Delete.
9188 (region_id::print): Delete.
9189 (region_id::dump_node_name_to_pp): Delete.
9190 (region_id::validate): Delete.
9191 (region_id_set::region_id_set): Delete.
9192 (svalue_id_set::svalue_id_set): Delete.
9193 (svalue::operator==): Delete.
9194 (svalue::hash): Delete.
9195 (svalue::print): Delete.
9196 (svalue::dump_dot_to_pp): Delete.
9197 (svalue::remap_region_ids): Delete.
9198 (svalue::walk_for_canonicalization): Delete.
9199 (svalue::get_child_sid): Delete.
9200 (svalue::maybe_get_constant): Delete.
9201 (region_svalue::compare_fields): Delete.
9202 (region_svalue::add_to_hash): Delete.
9203 (region_svalue::print_details): Delete.
9204 (region_svalue::dump_dot_to_pp): Delete.
9205 (region_svalue::remap_region_ids): Delete.
9206 (region_svalue::merge_values): Delete.
9207 (region_svalue::walk_for_canonicalization): Delete.
9208 (region_svalue::eval_condition): Delete.
9209 (constant_svalue::compare_fields): Delete.
9210 (constant_svalue::add_to_hash): Delete.
9211 (constant_svalue::merge_values): Delete.
9212 (constant_svalue::eval_condition): Move to svalue.cc.
9213 (constant_svalue::print_details): Delete.
9214 (constant_svalue::get_child_sid): Delete.
9215 (unknown_svalue::compare_fields): Delete.
9216 (unknown_svalue::add_to_hash): Delete.
9217 (unknown_svalue::print_details): Delete.
9218 (poison_kind_to_str): Move to svalue.cc.
9219 (poisoned_svalue::compare_fields): Delete.
9220 (poisoned_svalue::add_to_hash): Delete.
9221 (poisoned_svalue::print_details): Delete.
9222 (region_kind_to_str): Move to region.cc and reimplement.
9223 (region::operator==): Delete.
9224 (region::get_parent_region): Delete.
9225 (region::set_value): Delete.
9226 (region::become_active_view): Delete.
9227 (region::deactivate_any_active_view): Delete.
9228 (region::deactivate_view): Delete.
9229 (region::get_value): Delete.
9230 (region::get_inherited_child_sid): Delete.
9231 (region_model::copy_region): Delete.
9232 (region_model::copy_struct_region): Delete.
9233 (region_model::copy_union_region): Delete.
9234 (region_model::copy_array_region): Delete.
9235 (region::hash): Delete.
9236 (region::print): Delete.
9237 (region::dump_dot_to_pp): Delete.
9238 (region::dump_to_pp): Delete.
9239 (region::dump_child_label): Delete.
9240 (region::validate): Delete.
9241 (region::remap_svalue_ids): Delete.
9242 (region::remap_region_ids): Delete.
9243 (region::add_view): Delete.
9244 (region::get_view): Delete.
9245 (region::region): Move to region.cc.
9246 (region::add_to_hash): Delete.
9247 (region::print_fields): Delete.
9248 (region::non_null_p): Delete.
9249 (primitive_region::clone): Delete.
9250 (primitive_region::walk_for_canonicalization): Delete.
9251 (map_region::map_region): Delete.
9252 (map_region::compare_fields): Delete.
9253 (map_region::print_fields): Delete.
9254 (map_region::validate): Delete.
9255 (map_region::dump_dot_to_pp): Delete.
9256 (map_region::dump_child_label): Delete.
9257 (map_region::get_or_create): Delete.
9258 (map_region::get): Delete.
9259 (map_region::add_to_hash): Delete.
9260 (map_region::remap_region_ids): Delete.
9261 (map_region::unbind): Delete.
9262 (map_region::get_tree_for_child_region): Delete.
9263 (map_region::get_tree_for_child_region): Delete.
9264 (tree_cmp): Move to region.cc.
9265 (map_region::can_merge_p): Delete.
9266 (map_region::walk_for_canonicalization): Delete.
9267 (map_region::get_value_by_name): Delete.
9268 (struct_or_union_region::valid_key_p): Delete.
9269 (struct_or_union_region::compare_fields): Delete.
9270 (struct_region::clone): Delete.
9271 (struct_region::compare_fields): Delete.
9272 (union_region::clone): Delete.
9273 (union_region::compare_fields): Delete.
9274 (frame_region::compare_fields): Delete.
9275 (frame_region::clone): Delete.
9276 (frame_region::valid_key_p): Delete.
9277 (frame_region::print_fields): Delete.
9278 (frame_region::add_to_hash): Delete.
9279 (globals_region::compare_fields): Delete.
9280 (globals_region::clone): Delete.
9281 (globals_region::valid_key_p): Delete.
9282 (code_region::compare_fields): Delete.
9283 (code_region::clone): Delete.
9284 (code_region::valid_key_p): Delete.
9285 (array_region::array_region): Delete.
9286 (array_region::get_element): Delete.
9287 (array_region::clone): Delete.
9288 (array_region::compare_fields): Delete.
9289 (array_region::print_fields): Delete.
9290 (array_region::validate): Delete.
9291 (array_region::dump_dot_to_pp): Delete.
9292 (array_region::dump_child_label): Delete.
9293 (array_region::get_or_create): Delete.
9294 (array_region::get): Delete.
9295 (array_region::add_to_hash): Delete.
9296 (array_region::remap_region_ids): Delete.
9297 (array_region::get_key_for_child_region): Delete.
9298 (array_region::key_cmp): Delete.
9299 (array_region::walk_for_canonicalization): Delete.
9300 (array_region::key_from_constant): Delete.
9301 (array_region::constant_from_key): Delete.
9302 (function_region::compare_fields): Delete.
9303 (function_region::clone): Delete.
9304 (function_region::valid_key_p): Delete.
9305 (stack_region::stack_region): Delete.
9306 (stack_region::compare_fields): Delete.
9307 (stack_region::clone): Delete.
9308 (stack_region::print_fields): Delete.
9309 (stack_region::dump_child_label): Delete.
9310 (stack_region::validate): Delete.
9311 (stack_region::push_frame): Delete.
9312 (stack_region::get_current_frame_id): Delete.
9313 (stack_region::pop_frame): Delete.
9314 (stack_region::add_to_hash): Delete.
9315 (stack_region::remap_region_ids): Delete.
9316 (stack_region::can_merge_p): Delete.
9317 (stack_region::walk_for_canonicalization): Delete.
9318 (stack_region::get_value_by_name): Delete.
9319 (heap_region::heap_region): Delete.
9320 (heap_region::compare_fields): Delete.
9321 (heap_region::clone): Delete.
9322 (heap_region::walk_for_canonicalization): Delete.
9323 (root_region::root_region): Delete.
9324 (root_region::compare_fields): Delete.
9325 (root_region::clone): Delete.
9326 (root_region::print_fields): Delete.
9327 (root_region::validate): Delete.
9328 (root_region::dump_child_label): Delete.
9329 (root_region::push_frame): Delete.
9330 (root_region::get_current_frame_id): Delete.
9331 (root_region::pop_frame): Delete.
9332 (root_region::ensure_stack_region): Delete.
9333 (root_region::get_stack_region): Delete.
9334 (root_region::ensure_globals_region): Delete.
9335 (root_region::get_code_region): Delete.
9336 (root_region::ensure_code_region): Delete.
9337 (root_region::get_globals_region): Delete.
9338 (root_region::ensure_heap_region): Delete.
9339 (root_region::get_heap_region): Delete.
9340 (root_region::remap_region_ids): Delete.
9341 (root_region::can_merge_p): Delete.
9342 (root_region::add_to_hash): Delete.
9343 (root_region::walk_for_canonicalization): Delete.
9344 (root_region::get_value_by_name): Delete.
9345 (symbolic_region::symbolic_region): Delete.
9346 (symbolic_region::compare_fields): Delete.
9347 (symbolic_region::clone): Delete.
9348 (symbolic_region::walk_for_canonicalization): Delete.
9349 (symbolic_region::print_fields): Delete.
9350 (region_model::region_model): Add region_model_manager * param.
9351 Reimplement in terms of store, dropping impl_constraint_manager
9352 subclass.
9353 (region_model::operator=): Reimplement in terms of store
9354 (region_model::operator==): Likewise.
9355 (region_model::hash): Likewise.
9356 (region_model::print): Delete.
9357 (region_model::print_svalue): Delete.
9358 (region_model::dump_dot_to_pp): Delete.
9359 (region_model::dump_dot_to_file): Delete.
9360 (region_model::dump_dot): Delete.
9361 (region_model::dump_to_pp): Replace "summarize" param with
9362 "simple" and "multiline". Port to store-based implementation.
9363 (region_model::dump): Replace "summarize" param with "simple" and
9364 "multiline".
9365 (dump_vec_of_tree): Delete.
9366 (region_model::dump_summary_of_rep_path_vars): Delete.
9367 (region_model::validate): Delete.
9368 (svalue_id_cmp_by_constant_svalue_model): Delete.
9369 (svalue_id_cmp_by_constant_svalue): Delete.
9370 (region_model::canonicalize): Drop "ctxt" param. Reimplement in
9371 terms of store and constraints.
9372 (region_model::canonicalized_p): Remove NULL arg to canonicalize.
9373 (region_model::loop_replay_fixup): New.
9374 (poisoned_value_diagnostic::emit): Tweak wording of warnings.
9375 (region_model::check_for_poison): Delete.
9376 (region_model::get_gassign_result): New.
9377 (region_model::on_assignment): Port to store-based implementation.
9378 (region_model::on_call_pre): Delete calls to check_for_poison.
9379 Move implementations to region-model-impl-calls.c and port to
9380 store-based implementation.
9381 (region_model::on_call_post): Likewise.
9382 (class reachable_regions): Move to region-model-reachability.h/cc
9383 and port to store-based implementation.
9384 (region_model::handle_unrecognized_call): Port to store-based
9385 implementation.
9386 (region_model::get_reachable_svalues): New.
9387 (region_model::on_setjmp): Port to store-based implementation.
9388 (region_model::on_longjmp): Likewise.
9389 (region_model::handle_phi): Drop is_back_edge param and the logic
9390 using it.
9391 (region_model::get_lvalue_1): Port from region_id to const region *.
9392 (region_model::make_region_for_unexpected_tree_code): Delete.
9393 (assert_compat_types): If the check fails, use internal_error to
9394 show the types.
9395 (region_model::get_lvalue): Port from region_id to const region *.
9396 (region_model::get_rvalue_1): Port from svalue_id to const svalue *.
9397 (region_model::get_rvalue): Likewise.
9398 (region_model::get_or_create_ptr_svalue): Delete.
9399 (region_model::get_or_create_constant_svalue): Delete.
9400 (region_model::get_svalue_for_fndecl): Delete.
9401 (region_model::get_region_for_fndecl): Delete.
9402 (region_model::get_svalue_for_label): Delete.
9403 (region_model::get_region_for_label): Delete.
9404 (build_cast): Delete.
9405 (region_model::maybe_cast_1): Delete.
9406 (region_model::maybe_cast): Delete.
9407 (region_model::get_field_region): Delete.
9408 (region_model::get_store_value): New.
9409 (region_model::region_exists_p): New.
9410 (region_model::deref_rvalue): Port from svalue_id to const svalue *.
9411 (region_model::set_value): Likewise.
9412 (region_model::clobber_region): New.
9413 (region_model::purge_region): New.
9414 (region_model::zero_fill_region): New.
9415 (region_model::mark_region_as_unknown): New.
9416 (region_model::eval_condition): Port from svalue_id to
9417 const svalue *.
9418 (region_model::eval_condition_without_cm): Likewise.
9419 (region_model::compare_initial_and_pointer): New.
9420 (region_model::add_constraint): Port from svalue_id to
9421 const svalue *.
9422 (region_model::maybe_get_constant): Delete.
9423 (region_model::get_representative_path_var): New.
9424 (region_model::add_new_malloc_region): Delete.
9425 (region_model::get_representative_tree): Port to const svalue *.
9426 (region_model::get_representative_path_var): Port to
9427 const region *.
9428 (region_model::get_path_vars_for_svalue): Delete.
9429 (region_model::set_to_new_unknown_value): Delete.
9430 (region_model::update_for_phis): Don't pass is_back_edge to handle_phi.
9431 (region_model::update_for_call_superedge): Port from svalue_id to
9432 const svalue *.
9433 (region_model::update_for_return_superedge): Port to store-based
9434 implementation.
9435 (region_model::update_for_call_summary): Replace
9436 set_to_new_unknown_value with mark_region_as_unknown.
9437 (region_model::get_root_region): Delete.
9438 (region_model::get_stack_region_id): Delete.
9439 (region_model::push_frame): Delete.
9440 (region_model::get_current_frame_id): Delete.
9441 (region_model::get_current_function): Delete.
9442 (region_model::pop_frame): Delete.
9443 (region_model::on_top_level_param): New.
9444 (region_model::get_stack_depth): Delete.
9445 (region_model::get_function_at_depth): Delete.
9446 (region_model::get_globals_region_id): Delete.
9447 (region_model::add_svalue): Delete.
9448 (region_model::replace_svalue): Delete.
9449 (region_model::add_region): Delete.
9450 (region_model::get_svalue): Delete.
9451 (region_model::get_region): Delete.
9452 (make_region_for_type): Delete.
9453 (region_model::add_region_for_type): Delete.
9454 (region_model::on_top_level_param): New.
9455 (class restrict_to_used_svalues): Delete.
9456 (region_model::purge_unused_svalues): Delete.
9457 (region_model::push_frame): New.
9458 (region_model::remap_svalue_ids): Delete.
9459 (region_model::remap_region_ids): Delete.
9460 (region_model::purge_regions): Delete.
9461 (region_model::get_descendents): Delete.
9462 (region_model::delete_region_and_descendents): Delete.
9463 (region_model::poison_any_pointers_to_bad_regions): Delete.
9464 (region_model::can_merge_with_p): Delete.
9465 (region_model::get_current_function): New.
9466 (region_model::get_value_by_name): Delete.
9467 (region_model::convert_byte_offset_to_array_index): Delete.
9468 (region_model::pop_frame): New.
9469 (region_model::get_or_create_mem_ref): Delete.
9470 (region_model::get_stack_depth): New.
9471 (region_model::get_frame_at_index): New.
9472 (region_model::unbind_region_and_descendents): New.
9473 (struct bad_pointer_finder): New.
9474 (region_model::get_or_create_pointer_plus_expr): Delete.
9475 (region_model::poison_any_pointers_to_descendents): New.
9476 (region_model::get_or_create_view): Delete.
9477 (region_model::can_merge_with_p): New.
9478 (region_model::get_fndecl_for_call): Port from svalue_id to
9479 const svalue *.
9480 (struct append_ssa_names_cb_data): New.
9481 (get_ssa_name_regions_for_current_frame): New.
9482 (region_model::append_ssa_names_cb): New.
9483 (model_merger::dump_to_pp): Add "simple" param. Drop dumping of
9484 remappings.
9485 (model_merger::dump): Add "simple" param to both overloads.
9486 (model_merger::can_merge_values_p): Delete.
9487 (model_merger::record_regions): Delete.
9488 (model_merger::record_svalues): Delete.
9489 (svalue_id_merger_mapping::svalue_id_merger_mapping): Delete.
9490 (svalue_id_merger_mapping::dump_to_pp): Delete.
9491 (svalue_id_merger_mapping::dump): Delete.
9492 (region_model::create_region_for_heap_alloc): New.
9493 (region_model::create_region_for_alloca): New.
9494 (region_model::record_dynamic_extents): New.
9495 (canonicalization::canonicalization): Delete.
9496 (canonicalization::walk_rid): Delete.
9497 (canonicalization::walk_sid): Delete.
9498 (canonicalization::dump_to_pp): Delete.
9499 (canonicalization::dump): Delete.
9500 (inchash::add): Delete overloads for svalue_id and region_id.
9501 (engine::log_stats): New.
9502 (assert_condition): Add overload comparing svalues.
9503 (assert_dump_eq): Pass "true" for multiline.
9504 (selftest::test_dump): Update for rewrite of region_model.
9505 (selftest::test_dump_2): Rename to...
9506 (selftest::test_struct): ...this. Provide a region_model_manager
9507 when creating region_model instance. Remove dump test. Add
9508 checks for get_offset.
9509 (selftest::test_dump_3): Rename to...
9510 (selftest::test_array_1): ...this. Provide a region_model_manager
9511 when creating region_model instance. Remove dump test.
9512 (selftest::test_get_representative_tree): Port from svalue_id to
9513 new API. Add test coverage for various expressions.
9514 (selftest::test_unique_constants): Provide a region_model_manager
9515 for the region_model. Add test coverage for comparing const vs
9516 non-const.
9517 (selftest::test_svalue_equality): Delete.
9518 (selftest::test_region_equality): Delete.
9519 (selftest::test_unique_unknowns): New.
9520 (class purge_all_svalue_ids): Delete.
9521 (class purge_one_svalue_id): Delete.
9522 (selftest::test_purging_by_criteria): Delete.
9523 (selftest::test_initial_svalue_folding): New.
9524 (selftest::test_unaryop_svalue_folding): New.
9525 (selftest::test_binop_svalue_folding): New.
9526 (selftest::test_sub_svalue_folding): New.
9527 (selftest::test_purge_unused_svalues): Delete.
9528 (selftest::test_descendent_of_p): New.
9529 (selftest::test_assignment): Provide a region_model_manager for
9530 the region_model. Drop the dump test.
9531 (selftest::test_compound_assignment): Likewise.
9532 (selftest::test_stack_frames): Port to new implementation.
9533 (selftest::test_get_representative_path_var): Likewise.
9534 (selftest::test_canonicalization_1): Rename to...
9535 (selftest::test_equality_1): ...this. Port to new API, and add
9536 (selftest::test_canonicalization_2): Provide a
9537 region_model_manager when creating region_model instances.
9538 Remove redundant canicalization.
9539 (selftest::test_canonicalization_3): Provide a
9540 region_model_manager when creating region_model instances.
9541 Remove param from calls to region_model::canonicalize.
9542 (selftest::test_canonicalization_4): Likewise.
9543 (selftest::assert_region_models_merge): Constify
9544 out_merged_svalue. Port to new API.
9545 (selftest::test_state_merging): Provide a
9546 region_model_manager when creating region_model instances.
9547 Provide a program_point point when merging them. Replace
9548 set_to_new_unknown_value with usage of placeholder_svalues.
9549 Drop get_value_by_name. Port from svalue_id to const svalue *.
9550 Add test of heap allocation.
9551 (selftest::test_constraint_merging): Provide a
9552 region_model_manager when creating region_model instances.
9553 Provide a program_point point when merging them. Eliminate use
9554 of set_to_new_unknown_value.
9555 (selftest::test_widening_constraints): New.
9556 (selftest::test_iteration_1): New.
9557 (selftest::test_malloc_constraints): Port to store-based
9558 implementation.
9559 (selftest::test_var): New test.
9560 (selftest::test_array_2): New test.
9561 (selftest::test_mem_ref): New test.
9562 (selftest::test_POINTER_PLUS_EXPR_then_MEM_REF): New.
9563 (selftest::test_malloc): New.
9564 (selftest::test_alloca): New.
9565 (selftest::analyzer_region_model_cc_tests): Update for renamings.
9566 Call new functions.
9567 * region-model.h (class path_var): Move to analyzer.h.
9568 (class svalue_id): Delete.
9569 (class region_id): Delete.
9570 (class id_map): Delete.
9571 (svalue_id_map): Delete.
9572 (region_id_map): Delete.
9573 (id_map<T>::id_map): Delete.
9574 (id_map<T>::put): Delete.
9575 (id_map<T>::get_dst_for_src): Delete.
9576 (id_map<T>::get_src_for_dst): Delete.
9577 (id_map<T>::dump_to_pp): Delete.
9578 (id_map<T>::dump): Delete.
9579 (id_map<T>::update): Delete.
9580 (one_way_svalue_id_map): Delete.
9581 (one_way_region_id_map): Delete.
9582 (class region_id_set): Delete.
9583 (class svalue_id_set): Delete.
9584 (struct complexity): New.
9585 (class visitor): New.
9586 (enum svalue_kind): Add SK_SETJMP, SK_INITIAL, SK_UNARYOP,
9587 SK_BINOP, SK_SUB,SK_UNMERGEABLE, SK_PLACEHOLDER, SK_WIDENING,
9588 SK_COMPOUND, and SK_CONJURED.
9589 (svalue::operator==): Delete.
9590 (svalue::operator!=): Delete.
9591 (svalue::clone): Delete.
9592 (svalue::hash): Delete.
9593 (svalue::dump_dot_to_pp): Delete.
9594 (svalue::dump_to_pp): New.
9595 (svalue::dump): New.
9596 (svalue::get_desc): New.
9597 (svalue::dyn_cast_initial_svalue): New.
9598 (svalue::dyn_cast_unaryop_svalue): New.
9599 (svalue::dyn_cast_binop_svalue): New.
9600 (svalue::dyn_cast_sub_svalue): New.
9601 (svalue::dyn_cast_unmergeable_svalue): New.
9602 (svalue::dyn_cast_widening_svalue): New.
9603 (svalue::dyn_cast_compound_svalue): New.
9604 (svalue::dyn_cast_conjured_svalue): New.
9605 (svalue::maybe_undo_cast): New.
9606 (svalue::unwrap_any_unmergeable): New.
9607 (svalue::remap_region_ids): Delete
9608 (svalue::can_merge_p): New.
9609 (svalue::walk_for_canonicalization): Delete
9610 (svalue::get_complexity): New.
9611 (svalue::get_child_sid): Delete
9612 (svalue::accept): New.
9613 (svalue::live_p): New.
9614 (svalue::implicitly_live_p): New.
9615 (svalue::svalue): Add complexity param.
9616 (svalue::add_to_hash): Delete
9617 (svalue::print_details): Delete
9618 (svalue::m_complexity): New field.
9619 (region_svalue::key_t): New struct.
9620 (region_svalue::region_svalue): Port from region_id to
9621 const region_id *. Add complexity.
9622 (region_svalue::compare_fields): Delete.
9623 (region_svalue::clone): Delete.
9624 (region_svalue::dump_dot_to_pp): Delete.
9625 (region_svalue::get_pointee): Port from region_id to
9626 const region_id *.
9627 (region_svalue::remap_region_ids): Delete.
9628 (region_svalue::merge_values): Delete.
9629 (region_svalue::dump_to_pp): New.
9630 (region_svalue::accept): New.
9631 (region_svalue::walk_for_canonicalization): Delete.
9632 (region_svalue::eval_condition): Make params const.
9633 (region_svalue::add_to_hash): Delete.
9634 (region_svalue::print_details): Delete.
9635 (region_svalue::m_rid): Replace with...
9636 (region_svalue::m_reg): ...this.
9637 (is_a_helper <region_svalue *>::test): Convert to...
9638 (is_a_helper <const region_svalue *>::test): ...this.
9639 (template <> struct default_hash_traits<region_svalue::key_t>):
9640 New.
9641 (constant_svalue::constant_svalue): Add complexity.
9642 (constant_svalue::compare_fields): Delete.
9643 (constant_svalue::clone): Delete.
9644 (constant_svalue::add_to_hash): Delete.
9645 (constant_svalue::dump_to_pp): New.
9646 (constant_svalue::accept): New.
9647 (constant_svalue::implicitly_live_p): New.
9648 (constant_svalue::merge_values): Delete.
9649 (constant_svalue::eval_condition): Make params const.
9650 (constant_svalue::get_child_sid): Delete.
9651 (constant_svalue::print_details): Delete.
9652 (is_a_helper <constant_svalue *>::test): Convert to...
9653 (is_a_helper <const constant_svalue *>::test): ...this.
9654 (class unknown_svalue): Update leading comment.
9655 (unknown_svalue::unknown_svalue): Add complexity.
9656 (unknown_svalue::compare_fields): Delete.
9657 (unknown_svalue::add_to_hash): Delete.
9658 (unknown_svalue::dyn_cast_unknown_svalue): Delete.
9659 (unknown_svalue::print_details): Delete.
9660 (unknown_svalue::dump_to_pp): New.
9661 (unknown_svalue::accept): New.
9662 (poisoned_svalue::key_t): New struct.
9663 (poisoned_svalue::poisoned_svalue): Add complexity.
9664 (poisoned_svalue::compare_fields): Delete.
9665 (poisoned_svalue::clone): Delete.
9666 (poisoned_svalue::add_to_hash): Delete.
9667 (poisoned_svalue::dump_to_pp): New.
9668 (poisoned_svalue::accept): New.
9669 (poisoned_svalue::print_details): Delete.
9670 (is_a_helper <poisoned_svalue *>::test): Convert to...
9671 (is_a_helper <const poisoned_svalue *>::test): ...this.
9672 (template <> struct default_hash_traits<poisoned_svalue::key_t>):
9673 New.
9674 (setjmp_record::add_to_hash): New.
9675 (setjmp_svalue::key_t): New struct.
9676 (setjmp_svalue::compare_fields): Delete.
9677 (setjmp_svalue::clone): Delete.
9678 (setjmp_svalue::add_to_hash): Delete.
9679 (setjmp_svalue::setjmp_svalue): Add complexity.
9680 (setjmp_svalue::dump_to_pp): New.
9681 (setjmp_svalue::accept): New.
9682 (setjmp_svalue::void print_details): Delete.
9683 (is_a_helper <const setjmp_svalue *>::test): New.
9684 (template <> struct default_hash_traits<setjmp_svalue::key_t>): New.
9685 (class initial_svalue : public svalue): New.
9686 (is_a_helper <const initial_svalue *>::test): New.
9687 (class unaryop_svalue): New.
9688 (is_a_helper <const unaryop_svalue *>::test): New.
9689 (template <> struct default_hash_traits<unaryop_svalue::key_t>): New.
9690 (class binop_svalue): New.
9691 (is_a_helper <const binop_svalue *>::test): New.
9692 (template <> struct default_hash_traits<binop_svalue::key_t>): New.
9693 (class sub_svalue): New.
9694 (is_a_helper <const sub_svalue *>::test): New.
9695 (template <> struct default_hash_traits<sub_svalue::key_t>): New.
9696 (class unmergeable_svalue): New.
9697 (is_a_helper <const unmergeable_svalue *>::test): New.
9698 (class placeholder_svalue): New.
9699 (is_a_helper <placeholder_svalue *>::test): New.
9700 (class widening_svalue): New.
9701 (is_a_helper <widening_svalue *>::test): New.
9702 (template <> struct default_hash_traits<widening_svalue::key_t>): New.
9703 (class compound_svalue): New.
9704 (is_a_helper <compound_svalue *>::test): New.
9705 (template <> struct default_hash_traits<compound_svalue::key_t>): New.
9706 (class conjured_svalue): New.
9707 (is_a_helper <conjured_svalue *>::test): New.
9708 (template <> struct default_hash_traits<conjured_svalue::key_t>): New.
9709 (enum region_kind): Delete RK_PRIMITIVE, RK_STRUCT, RK_UNION, and
9710 RK_ARRAY. Add RK_LABEL, RK_DECL, RK_FIELD, RK_ELEMENT, RK_OFFSET,
9711 RK_CAST, RK_HEAP_ALLOCATED, RK_ALLOCA, RK_STRING, and RK_UNKNOWN.
9712 (region_kind_to_str): Delete.
9713 (region::~region): Move implementation to region.cc.
9714 (region::operator==): Delete.
9715 (region::operator!=): Delete.
9716 (region::clone): Delete.
9717 (region::get_id): New.
9718 (region::cmp_ids): New.
9719 (region::dyn_cast_map_region): Delete.
9720 (region::dyn_cast_array_region): Delete.
9721 (region::region_id get_parent): Delete.
9722 (region::get_parent_region): Convert to a simple accessor.
9723 (region::void set_value): Delete.
9724 (region::svalue_id get_value): Delete.
9725 (region::svalue_id get_value_direct): Delete.
9726 (region::svalue_id get_inherited_child_sid): Delete.
9727 (region::dyn_cast_frame_region): New.
9728 (region::dyn_cast_function_region): New.
9729 (region::dyn_cast_decl_region): New.
9730 (region::dyn_cast_field_region): New.
9731 (region::dyn_cast_element_region): New.
9732 (region::dyn_cast_offset_region): New.
9733 (region::dyn_cast_cast_region): New.
9734 (region::dyn_cast_string_region): New.
9735 (region::accept): New.
9736 (region::get_base_region): New.
9737 (region::base_region_p): New.
9738 (region::descendent_of_p): New.
9739 (region::maybe_get_frame_region): New.
9740 (region::maybe_get_decl): New.
9741 (region::hash): Delete.
9742 (region::rint): Delete.
9743 (region::dump_dot_to_pp): Delete.
9744 (region::get_desc): New.
9745 (region::dump_to_pp): Convert to vfunc, changing signature.
9746 (region::dump_child_label): Delete.
9747 (region::remap_svalue_ids): Delete.
9748 (region::remap_region_ids): Delete.
9749 (region::dump): New.
9750 (region::walk_for_canonicalization): Delete.
9751 (region::non_null_p): Drop region_model param.
9752 (region::add_view): Delete.
9753 (region::get_view): Delete.
9754 (region::get_active_view): Delete.
9755 (region::is_view_p): Delete.
9756 (region::cmp_ptrs): New.
9757 (region::validate): Delete.
9758 (region::get_offset): New.
9759 (region::get_byte_size): New.
9760 (region::get_bit_size): New.
9761 (region::get_subregions_for_binding): New.
9762 (region::region): Add complexity param. Convert parent from
9763 region_id to const region *. Drop svalue_id. Drop copy ctor.
9764 (region::symbolic_for_unknown_ptr_p): New.
9765 (region::add_to_hash): Delete.
9766 (region::print_fields): Delete.
9767 (region::get_complexity): New accessor.
9768 (region::become_active_view): Delete.
9769 (region::deactivate_any_active_view): Delete.
9770 (region::deactivate_view): Delete.
9771 (region::calc_offset): New.
9772 (region::m_parent_rid): Delete.
9773 (region::m_sval_id): Delete.
9774 (region::m_complexity): New.
9775 (region::m_id): New.
9776 (region::m_parent): New.
9777 (region::m_view_rids): Delete.
9778 (region::m_is_view): Delete.
9779 (region::m_active_view_rid): Delete.
9780 (region::m_cached_offset): New.
9781 (is_a_helper <region *>::test): Convert to...
9782 (is_a_helper <const region *>::test): ... this.
9783 (class primitive_region): Delete.
9784 (class space_region): New.
9785 (class map_region): Delete.
9786 (is_a_helper <map_region *>::test): Delete.
9787 (class frame_region): Reimplement.
9788 (template <> struct default_hash_traits<frame_region::key_t>):
9789 New.
9790 (class globals_region): Reimplement.
9791 (is_a_helper <globals_region *>::test): Convert to...
9792 (is_a_helper <const globals_region *>::test): ...this.
9793 (class struct_or_union_region): Delete.
9794 (is_a_helper <struct_or_union_region *>::test): Delete.
9795 (class code_region): Reimplement.
9796 (is_a_helper <const code_region *>::test): New.
9797 (class struct_region): Delete.
9798 (is_a_helper <struct_region *>::test): Delete.
9799 (class function_region): Reimplement.
9800 (is_a_helper <function_region *>::test): Convert to...
9801 (is_a_helper <const function_region *>::test): ...this.
9802 (class union_region): Delete.
9803 (is_a_helper <union_region *>::test): Delete.
9804 (class label_region): New.
9805 (is_a_helper <const label_region *>::test): New.
9806 (class scope_region): Delete.
9807 (class stack_region): Reimplement.
9808 (is_a_helper <stack_region *>::test): Convert to...
9809 (is_a_helper <const stack_region *>::test): ...this.
9810 (class heap_region): Reimplement.
9811 (is_a_helper <heap_region *>::test): Convert to...
9812 (is_a_helper <const heap_region *>::test): ...this.
9813 (class root_region): Reimplement.
9814 (is_a_helper <root_region *>::test): Convert to...
9815 (is_a_helper <const root_region *>::test): ...this.
9816 (class symbolic_region): Reimplement.
9817 (is_a_helper <const symbolic_region *>::test): New.
9818 (template <> struct default_hash_traits<symbolic_region::key_t>):
9819 New.
9820 (class decl_region): New.
9821 (is_a_helper <const decl_region *>::test): New.
9822 (class field_region): New.
9823 (template <> struct default_hash_traits<field_region::key_t>): New.
9824 (class array_region): Delete.
9825 (class element_region): New.
9826 (is_a_helper <array_region *>::test): Delete.
9827 (is_a_helper <const element_region *>::test): New.
9828 (template <> struct default_hash_traits<element_region::key_t>):
9829 New.
9830 (class offset_region): New.
9831 (is_a_helper <const offset_region *>::test): New.
9832 (template <> struct default_hash_traits<offset_region::key_t>):
9833 New.
9834 (class cast_region): New.
9835 (is_a_helper <const cast_region *>::test): New.
9836 (template <> struct default_hash_traits<cast_region::key_t>): New.
9837 (class heap_allocated_region): New.
9838 (class alloca_region): New.
9839 (class string_region): New.
9840 (is_a_helper <const string_region *>::test): New.
9841 (class unknown_region): New.
9842 (class region_model_manager): New.
9843 (struct append_ssa_names_cb_data): New.
9844 (class call_details): New.
9845 (region_model::region_model): Add region_model_manager param.
9846 (region_model::print_svalue): Delete.
9847 (region_model::dump_dot_to_pp): Delete.
9848 (region_model::dump_dot_to_file): Delete.
9849 (region_model::dump_dot): Delete.
9850 (region_model::dump_to_pp): Drop summarize param in favor of
9851 simple and multiline.
9852 (region_model::dump): Likewise.
9853 (region_model::summarize_to_pp): Delete.
9854 (region_model::summarize): Delete.
9855 (region_model::void canonicalize): Drop ctxt param.
9856 (region_model::void check_for_poison): Delete.
9857 (region_model::get_gassign_result): New.
9858 (region_model::impl_call_alloca): New.
9859 (region_model::impl_call_analyzer_describe): New.
9860 (region_model::impl_call_analyzer_eval): New.
9861 (region_model::impl_call_builtin_expect): New.
9862 (region_model::impl_call_calloc): New.
9863 (region_model::impl_call_free): New.
9864 (region_model::impl_call_malloc): New.
9865 (region_model::impl_call_memset): New.
9866 (region_model::impl_call_strlen): New.
9867 (region_model::get_reachable_svalues): New.
9868 (region_model::handle_phi): Drop is_back_edge param.
9869 (region_model::region_id get_root_rid): Delete.
9870 (region_model::root_region *get_root_region): Delete.
9871 (region_model::region_id get_stack_region_id): Delete.
9872 (region_model::push_frame): Convert from region_id and svalue_id
9873 to const region * and const svalue *.
9874 (region_model::get_current_frame_id): Replace with...
9875 (region_model::get_current_frame): ...this.
9876 (region_model::pop_frame): Convert from region_id to
9877 const region *. Drop purge and stats param. Add out_result.
9878 (region_model::function *get_function_at_depth): Delete.
9879 (region_model::get_globals_region_id): Delete.
9880 (region_model::add_svalue): Delete.
9881 (region_model::replace_svalue): Delete.
9882 (region_model::add_region): Delete.
9883 (region_model::add_region_for_type): Delete.
9884 (region_model::get_svalue): Delete.
9885 (region_model::get_region): Delete.
9886 (region_model::get_lvalue): Convert from region_id to
9887 const region *.
9888 (region_model::get_rvalue): Convert from svalue_id to
9889 const svalue *.
9890 (region_model::get_or_create_ptr_svalue): Delete.
9891 (region_model::get_or_create_constant_svalue): Delete.
9892 (region_model::get_svalue_for_fndecl): Delete.
9893 (region_model::get_svalue_for_label): Delete.
9894 (region_model::get_region_for_fndecl): Delete.
9895 (region_model::get_region_for_label): Delete.
9896 (region_model::get_frame_at_index (int index) const;): New.
9897 (region_model::maybe_cast): Delete.
9898 (region_model::maybe_cast_1): Delete.
9899 (region_model::get_field_region): Delete.
9900 (region_model::id deref_rvalue): Convert from region_id and
9901 svalue_id to const region * and const svalue *. Drop overload,
9902 passing in both a tree and an svalue.
9903 (region_model::set_value): Convert from region_id and svalue_id to
9904 const region * and const svalue *.
9905 (region_model::set_to_new_unknown_value): Delete.
9906 (region_model::clobber_region (const region *reg);): New.
9907 (region_model::purge_region (const region *reg);): New.
9908 (region_model::zero_fill_region (const region *reg);): New.
9909 (region_model::mark_region_as_unknown (const region *reg);): New.
9910 (region_model::copy_region): Convert from region_id to
9911 const region *.
9912 (region_model::eval_condition): Convert from svalue_id to
9913 const svalue *.
9914 (region_model::eval_condition_without_cm): Likewise.
9915 (region_model::compare_initial_and_pointer): New.
9916 (region_model:maybe_get_constant): Delete.
9917 (region_model::add_new_malloc_region): Delete.
9918 (region_model::get_representative_tree): Convert from svalue_id to
9919 const svalue *.
9920 (region_model::get_representative_path_var): Delete decl taking a
9921 region_id in favor of two decls, for svalue vs region, with an
9922 svalue_set to ensure termination.
9923 (region_model::get_path_vars_for_svalue): Delete.
9924 (region_model::create_region_for_heap_alloc): New.
9925 (region_model::create_region_for_alloca): New.
9926 (region_model::purge_unused_svalues): Delete.
9927 (region_model::remap_svalue_ids): Delete.
9928 (region_model::remap_region_ids): Delete.
9929 (region_model::purge_regions): Delete.
9930 (region_model::get_num_svalues): Delete.
9931 (region_model::get_num_regions): Delete.
9932 (region_model::get_descendents): Delete.
9933 (region_model::get_store): New.
9934 (region_model::delete_region_and_descendents): Delete.
9935 (region_model::get_manager): New.
9936 (region_model::unbind_region_and_descendents): New.
9937 (region_model::can_merge_with_p): Add point param. Drop
9938 svalue_id_merger_mapping.
9939 (region_model::get_value_by_name): Delete.
9940 (region_model::convert_byte_offset_to_array_index): Delete.
9941 (region_model::get_or_create_mem_ref): Delete.
9942 (region_model::get_or_create_pointer_plus_expr): Delete.
9943 (region_model::get_or_create_view): Delete.
9944 (region_model::get_lvalue_1): Convert from region_id to
9945 const region *.
9946 (region_model::get_rvalue_1): Convert from svalue_id to
9947 const svalue *.
9948 (region_model::get_ssa_name_regions_for_current_frame): New.
9949 (region_model::append_ssa_names_cb): New.
9950 (region_model::get_store_value): New.
9951 (region_model::copy_struct_region): Delete.
9952 (region_model::copy_union_region): Delete.
9953 (region_model::copy_array_region): Delete.
9954 (region_model::region_exists_p): New.
9955 (region_model::make_region_for_unexpected_tree_code): Delete.
9956 (region_model::loop_replay_fixup): New.
9957 (region_model::poison_any_pointers_to_bad_regions): Delete.
9958 (region_model::poison_any_pointers_to_descendents): New.
9959 (region_model::dump_summary_of_rep_path_vars): Delete.
9960 (region_model::on_top_level_param): New.
9961 (region_model::record_dynamic_extents): New.
9962 (region_model::m_mgr;): New.
9963 (region_model::m_store;): New.
9964 (region_model::m_svalues;): Delete.
9965 (region_model::m_regions;): Delete.
9966 (region_model::m_root_rid;): Delete.
9967 (region_model::m_current_frame;): New.
9968 (region_model_context::remap_svalue_ids): Delete.
9969 (region_model_context::can_purge_p): Delete.
9970 (region_model_context::on_svalue_leak): New.
9971 (region_model_context::on_svalue_purge): Delete.
9972 (region_model_context::on_liveness_change): New.
9973 (region_model_context::on_inherited_svalue): Delete.
9974 (region_model_context::on_cast): Delete.
9975 (region_model_context::on_unknown_change): Convert from svalue_id to
9976 const svalue * and add is_mutable.
9977 (class noop_region_model_context): Update for region_model_context
9978 changes.
9979 (model_merger::model_merger): Add program_point. Drop
9980 svalue_id_merger_mapping.
9981 (model_merger::dump_to_pp): Add "simple" param.
9982 (model_merger::dump): Likewise.
9983 (model_merger::get_region_a): Delete.
9984 (model_merger::get_region_b): Delete.
9985 (model_merger::can_merge_values_p): Delete.
9986 (model_merger::record_regions): Delete.
9987 (model_merger::record_svalues): Delete.
9988 (model_merger::m_point): New field.
9989 (model_merger::m_map_regions_from_a_to_m): Delete.
9990 (model_merger::m_map_regions_from_b_to_m): Delete.
9991 (model_merger::m_sid_mapping): Delete.
9992 (struct svalue_id_merger_mapping): Delete.
9993 (class engine): New.
9994 (struct canonicalization): Delete.
9995 (inchash::add): Delete decls for hashing svalue_id and region_id.
9996 (test_region_model_context::on_unexpected_tree_code): Require t to
9997 be non-NULL.
9998 (selftest::assert_condition): Add overload comparing a pair of
9999 const svalue *.
10000 * sm-file.cc: Include "tristate.h", "selftest.h",
10001 "analyzer/call-string.h", "analyzer/program-point.h",
10002 "analyzer/store.h", and "analyzer/region-model.h".
10003 (fileptr_state_machine::get_default_state): New.
10004 (fileptr_state_machine::on_stmt): Remove calls to
10005 get_readable_tree in favor of get_diagnostic_tree.
10006 * sm-malloc.cc: Include "tristate.h", "selftest.h",
10007 "analyzer/call-string.h", "analyzer/program-point.h",
10008 "analyzer/store.h", and "analyzer/region-model.h".
10009 (malloc_state_machine::get_default_state): New.
10010 (malloc_state_machine::reset_when_passed_to_unknown_fn_p): New.
10011 (malloc_diagnostic::describe_state_change): Handle change.m_expr
10012 being NULL.
10013 (null_arg::emit): Avoid printing "NULL '0'".
10014 (null_arg::describe_final_event): Avoid printing "(0) NULL".
10015 (malloc_leak::emit): Handle m_arg being NULL.
10016 (malloc_leak::describe_final_event): Handle ev.m_expr being NULL.
10017 (malloc_state_machine::on_stmt): Don't call get_readable_tree.
10018 Call get_diagnostic_tree when creating pending diagnostics.
10019 Update for is_zero_assignment becoming a member function of
10020 sm_ctxt.
10021 Don't transition to m_non_heap for ADDR_EXPR(MEM_REF()).
10022 (malloc_state_machine::reset_when_passed_to_unknown_fn_p): New
10023 vfunc implementation.
10024 * sm-sensitive.cc (sensitive_state_machine::warn_for_any_exposure): Call
10025 get_diagnostic_tree and pass the result to warn_for_state.
10026 * sm-signal.cc: Move includes of "analyzer/call-string.h" and
10027 "analyzer/program-point.h" to before "analyzer/region-model.h",
10028 and also include "analyzer/store.h" before it.
10029 (signal_unsafe_call::describe_state_change): Use
10030 get_dest_function to get handler.
10031 (update_model_for_signal_handler): Pass manager to region_model
10032 ctor.
10033 (register_signal_handler::impl_transition): Update for changes to
10034 get_or_create_node and add_edge.
10035 * sm-taint.cc (taint_state_machine::on_stmt): Remove calls to
10036 get_readable_tree, replacing them when calling warn_for_state with
10037 calls to get_diagnostic_tree.
10038 * sm.cc (is_zero_assignment): Delete.
10039 (any_pointer_p): Move to within namespace ana.
10040 * sm.h (is_zero_assignment): Remove decl.
10041 (any_pointer_p): Move decl to within namespace ana.
10042 (state_machine::get_default_state): New vfunc.
10043 (state_machine::reset_when_passed_to_unknown_fn_p): New vfunc.
10044 (sm_context::get_readable_tree): Rename to...
10045 (sm_context::get_diagnostic_tree): ...this.
10046 (sm_context::is_zero_assignment): New vfunc.
10047 * store.cc: New file.
10048 * store.h: New file.
10049 * svalue.cc: New file.
10050
2221fb6f
MW		 100512020-05-22 Mark Wielaard <mark@klomp.org>
10052
10053 * sm-signal.cc(signal_unsafe_call::emit): Possibly add
10054 gcc_rich_location note for replacement.
10055 (signal_unsafe_call::get_replacement_fn): New private function.
10056 (get_async_signal_unsafe_fns): Add "exit".
10057
5eae0ac7
DM		 100582020-04-28 David Malcolm <dmalcolm@redhat.com>
10059
10060 PR analyzer/94816
10061 * engine.cc (impl_region_model_context::on_unexpected_tree_code):
10062 Handle NULL tree.
10063 * region-model.cc (region_model::add_region_for_type): Handle
10064 NULL type.
10065 * region-model.h
10066 (test_region_model_context::on_unexpected_tree_code): Handle NULL
10067 tree.
10068
78b97837
DM		 100692020-04-28 David Malcolm <dmalcolm@redhat.com>
10070
10071 PR analyzer/94447
10072 PR analyzer/94639
10073 PR analyzer/94732
10074 PR analyzer/94754
10075 * analyzer.opt (Wanalyzer-use-of-uninitialized-value): Delete.
10076 * program-state.cc (selftest::test_program_state_dumping): Update
10077 expected dump result for removal of "uninit".
10078 * region-model.cc (poison_kind_to_str): Delete POISON_KIND_UNINIT
10079 case.
10080 (root_region::ensure_stack_region): Initialize stack with null
10081 svalue_id rather than with a typeless POISON_KIND_UNINIT value.
10082 (root_region::ensure_heap_region): Likewise for the heap.
10083 (region_model::dump_summary_of_rep_path_vars): Remove
10084 summarization of uninit values.
10085 (region_model::validate): Remove check that the stack has a
10086 POISON_KIND_UNINIT value.
10087 (poisoned_value_diagnostic::emit): Remove POISON_KIND_UNINIT
10088 case.
10089 (poisoned_value_diagnostic::describe_final_event): Likewise.
10090 (selftest::test_dump): Update expected dump result for removal of
10091 "uninit".
10092 (selftest::test_svalue_equality): Remove "uninit" and "freed".
10093 * region-model.h (enum poison_kind): Remove POISON_KIND_UNINIT.
10094
a96f1c38
DM		 100952020-04-01 David Malcolm <dmalcolm@redhat.com>
10096
10097 PR analyzer/94378
10098 * checker-path.cc: Include "bitmap.h".
10099 * constraint-manager.cc: Likewise.
10100 * diagnostic-manager.cc: Likewise.
10101 * engine.cc: Likewise.
10102 (exploded_node::detect_leaks): Pass null region_id to pop_frame.
10103 * program-point.cc: Include "bitmap.h".
10104 * program-state.cc: Likewise.
10105 * region-model.cc (id_set<region_id>::id_set): Convert to...
10106 (region_id_set::region_id_set): ...this.
10107 (svalue_id_set::svalue_id_set): New ctor.
10108 (region_model::copy_region): New function.
10109 (region_model::copy_struct_region): New function.
10110 (region_model::copy_union_region): New function.
10111 (region_model::copy_array_region): New function.
10112 (stack_region::pop_frame): Drop return value. Add
10113 "result_dst_rid" param; if it is non-null, use copy_region to copy
10114 the result to it. Rather than capture and pass a single "known
10115 used" return value to be used by purge_unused_values, instead
10116 gather and pass a set of known used return values.
10117 (root_region::pop_frame): Drop return value. Add "result_dst_rid"
10118 param.
10119 (region_model::on_assignment): Use copy_region.
10120 (region_model::on_return): Likewise for the result.
10121 (region_model::on_longjmp): Pass null for pop_frame's
10122 result_dst_rid.
10123 (region_model::update_for_return_superedge): Pass the region for the
10124 return value of the call, if any, to pop_frame, rather than setting
10125 the lvalue for the lhs of the result.
10126 (region_model::pop_frame): Drop return value. Add
10127 "result_dst_rid" param.
10128 (region_model::purge_unused_svalues): Convert third param from an
10129 svalue_id * to an svalue_id_set *, updating the initial populating
10130 of the "used" bitmap accordingly. Don't remap it when done.
10131 (struct selftest::coord_test): New selftest fixture, extracted from...
10132 (selftest::test_dump_2): ...here.
10133 (selftest::test_compound_assignment): New selftest.
10134 (selftest::test_stack_frames): Pass null to new param of pop_frame.
10135 (selftest::analyzer_region_model_cc_tests): Call the new selftest.
10136 * region-model.h (class id_set): Delete template.
10137 (class region_id_set): Reimplement, using old id_set implementation.
10138 (class svalue_id_set): Likewise. Convert from auto_sbitmap to
10139 auto_bitmap.
10140 (region::get_active_view): New accessor.
10141 (stack_region::pop_frame): Drop return value. Add
10142 "result_dst_rid" param.
10143 (root_region::pop_frame): Likewise.
10144 (region_model::pop_frame): Likewise.
10145 (region_model::copy_region): New decl.
10146 (region_model::purge_unused_svalues): Convert third param from an
10147 svalue_id * to an svalue_id_set *.
10148 (region_model::copy_struct_region): New decl.
10149 (region_model::copy_union_region): New decl.
10150 (region_model::copy_array_region): New decl.
10151
6969ac30
DM		 101522020-03-27 David Malcolm <dmalcolm@redhat.com>
10153
10154 * program-state.cc (selftest::test_program_state_dumping): Update
10155 expected dump to include symbolic_region's possibly_null field.
10156 * region-model.cc (symbolic_region::print_fields): New vfunc
10157 implementation.
10158 (region_model::add_constraint): Clear m_possibly_null from
10159 symbolic_regions now known to be non-NULL.
10160 (selftest::test_malloc_constraints): New selftest.
10161 (selftest::analyzer_region_model_cc_tests): Call it.
10162 * region-model.h (region::dyn_cast_symbolic_region): Add non-const
10163 overload.
10164 (symbolic_region::dyn_cast_symbolic_region): Implement it.
10165 (symbolic_region::print_fields): New vfunc override decl.
10166
42c63313
DM		 101672020-03-27 David Malcolm <dmalcolm@redhat.com>
10168
10169 * analyzer.h (class feasibility_problem): New forward decl.
10170 * diagnostic-manager.cc (saved_diagnostic::saved_diagnostic):
10171 Initialize new fields m_status, m_epath_length, and m_problem.
10172 (saved_diagnostic::~saved_diagnostic): Delete m_problem.
10173 (dedupe_candidate::dedupe_candidate): Convert "sd" param from a
10174 const ref to a mutable ptr.
10175 (dedupe_winners::add): Convert "sd" param from a const ref to a
10176 mutable ptr. Record the length of the exploded_path. Record the
10177 feasibility/infeasibility of sd into sd, capturing a
10178 feasibility_problem when feasible_p fails, and storing it in sd.
10179 (diagnostic_manager::emit_saved_diagnostics): Update for pass by
10180 ptr rather than by const ref.
10181 * diagnostic-manager.h (class saved_diagnostic): Add new enum
10182 status. Add fields m_status, m_epath_length and m_problem.
10183 (saved_diagnostic::set_feasible): New member function.
10184 (saved_diagnostic::set_infeasible): New member function.
10185 (saved_diagnostic::get_feasibility_problem): New accessor.
10186 (saved_diagnostic::get_status): New accessor.
10187 (saved_diagnostic::set_epath_length): New member function.
10188 (saved_diagnostic::get_epath_length): New accessor.
10189 * engine.cc: Include "gimple-pretty-print.h".
10190 (exploded_path::feasible_p): Add OUT param and, if non-NULL, write
10191 a new feasibility_problem to it on failure.
10192 (viz_callgraph_node::dump_dot): Convert begin_tr calls to
10193 begin_trtd. Convert end_tr calls to end_tdtr.
10194 (class exploded_graph_annotator): New subclass of dot_annotator.
10195 (impl_run_checkers): Add a second -fdump-analyzer-supergraph dump
10196 after the analysis runs, using exploded_graph_annotator. dumping
10197 to DUMP_BASE_NAME.supergraph-eg.dot.
10198 * exploded-graph.h (exploded_node::get_dot_fillcolor): Make
10199 public.
10200 (exploded_path::feasible_p): Add OUT param.
10201 (class feasibility_problem): New class.
10202 * state-purge.cc (state_purge_annotator::add_node_annotations):
10203 Return a bool, add a "within_table" param.
10204 (print_vec_of_names): Convert begin_tr calls to begin_trtd.
10205 Convert end_tr calls to end_tdtr.
10206 (state_purge_annotator::add_stmt_annotations): Add "within_row"
10207 param.
10208 * state-purge.h ((state_purge_annotator::add_node_annotations):
10209 Return a bool, add a "within_table" param.
10210 (state_purge_annotator::add_stmt_annotations): Add "within_row"
10211 param.
10212 * supergraph.cc (supernode::dump_dot): Call add_node_annotations
10213 twice: as before, passing false for "within_table", then again
10214 with true when within the TABLE element. Convert some begin_tr
10215 calls to begin_trtd, and some end_tr calls to end_tdtr.
10216 Repeat each add_stmt_annotations call, distinguishing between
10217 calls that add TRs and those that add TDs to an existing TR.
10218 Add a call to add_after_node_annotations.
10219 * supergraph.h (dot_annotator::add_node_annotations): Add a
10220 "within_table" param.
10221 (dot_annotator::add_stmt_annotations): Add a "within_row" param.
10222 (dot_annotator::add_after_node_annotations): New vfunc.
10223
8f023575
DM		 102242020-03-27 David Malcolm <dmalcolm@redhat.com>
10225
10226 * diagnostic-manager.cc (dedupe_winners::add): Show the
10227 exploded_node index in the log messages.
10228 (diagnostic_manager::emit_saved_diagnostics): Log a summary of
10229 m_saved_diagnostics at entry.
10230
4d661bb7
DM		 102312020-03-27 David Malcolm <dmalcolm@redhat.com>
10232
10233 * supergraph.cc (superedge::dump): Add space before description;
10234 move newline to non-pretty_printer overload.
10235
884d9141
DM		 102362020-03-18 David Malcolm <dmalcolm@redhat.com>
10237
10238 * region-model.cc: Include "stor-layout.h".
10239 (region_model::dump_to_pp): Rather than calling
10240 dump_summary_of_map on each of the current frame and the globals,
10241 instead get a vec of representative path_vars for all regions,
10242 and then dump a summary of all of them.
10243 (region_model::dump_summary_of_map): Delete, rewriting into...
10244 (region_model::dump_summary_of_rep_path_vars): ...this new
10245 function, working on a vec of path_vars.
10246 (region_model::set_value): New overload.
10247 (region_model::get_representative_path_var): Rename
10248 "parent_region" local to "parent_reg" and consolidate with other
10249 local. Guard test for grandparent being stack on parent_reg being
10250 non-NULL. Move handling for parent being an array_region to
10251 within guard for parent_reg being non-NULL.
10252 (selftest::make_test_compound_type): New function.
10253 (selftest::test_dump_2): New selftest.
10254 (selftest::test_dump_3): New selftest.
10255 (selftest::test_stack_frames): Update expected output from
10256 simplified dump to show "a" and "b" from parent frame and "y" in
10257 child frame.
10258 (selftest::analyzer_region_model_cc_tests): Call test_dump_2 and
10259 test_dump_3.
10260 * region-model.h (region_model::set_value): New overload decl.
10261 (region_model::dump_summary_of_map): Delete.
10262 (region_model::dump_summary_of_rep_path_vars): New.
10263
7d9c107a
DM		 102642020-03-18 David Malcolm <dmalcolm@redhat.com>
10265
10266 * region-model.h (class noop_region_model_context): New subclass
10267 of region_model_context.
10268 (class tentative_region_model_context): Inherit from
10269 noop_region_model_context rather than from region_model_context;
10270 drop redundant vfunc implementations.
10271 (class test_region_model_context): Likewise.
10272
0db2cd17
DM		 102732020-03-18 David Malcolm <dmalcolm@redhat.com>
10274
10275 * engine.cc (exploded_node::exploded_node): Move implementation
10276 here from header; accept point_and_state by const reference rather
10277 than by value.
10278 * exploded-graph.h (exploded_node::exploded_node): Pass
10279 point_and_state by const reference rather than by value. Move
10280 body to engine.cc.
10281
d5029d45
JJ		 102822020-03-18 Jakub Jelinek <jakub@redhat.com>
10283
10284 * sm-malloc.cc (malloc_state_machine::on_stmt): Fix up duplicated word
10285 issue in a comment.
10286 * region-model.cc (region_model::make_region_for_unexpected_tree_code,
10287 region_model::delete_region_and_descendents): Likewise.
10288 * engine.cc (class exploded_cluster): Likewise.
10289 * diagnostic-manager.cc (class path_builder): Likewise.
10290
5c048755
DM		 102912020-03-13 David Malcolm <dmalcolm@redhat.com>
10292
10293 PR analyzer/94099
10294 PR analyzer/94105
10295 * diagnostic-manager.cc (for_each_state_change): Bulletproof
10296 against errors in get_rvalue by passing a
10297 tentative_region_model_context and rejecting if there's an error.
10298 * region-model.cc (region_model::get_lvalue_1): When handling
10299 ARRAY_REF, handle results of error-handling. Handle NOP_EXPR.
10300
90f7c300
DM		 103012020-03-06 David Malcolm <dmalcolm@redhat.com>
10302
10303 * analyzer.h (class array_region): New forward decl.
10304 * program-state.cc (selftest::test_program_state_dumping_2): New.
10305 (selftest::analyzer_program_state_cc_tests): Call it.
10306 * region-model.cc (array_region::constant_from_key): New.
10307 (region_model::get_representative_tree): Handle region_svalue by
10308 generating an ADDR_EXPR.
10309 (region_model::get_representative_path_var): In view handling,
10310 remove erroneous TREE_TYPE when determining the type of the tree.
10311 Handle array regions and STRING_CST.
10312 (selftest::assert_dump_tree_eq): New.
10313 (ASSERT_DUMP_TREE_EQ): New macro.
10314 (selftest::test_get_representative_tree): New selftest.
10315 (selftest::analyzer_region_model_cc_tests): Call it.
10316 * region-model.h (region::dyn_cast_array_region): New vfunc.
10317 (array_region::dyn_cast_array_region): New vfunc implementation.
10318 (array_region::constant_from_key): New decl.
10319
41f99ba6
DM		 103202020-03-06 David Malcolm <dmalcolm@redhat.com>
10321
10322 * analyzer.h (dump_quoted_tree): New decl.
10323 * engine.cc (exploded_node::dump_dot): Pass region model to
10324 sm_state_map::print.
10325 * program-state.cc: Include diagnostic-core.h.
10326 (sm_state_map::print): Add "model" param and use it to print
10327 representative trees. Only print origin information if non-null.
10328 (sm_state_map::dump): Pass NULL for model to print call.
10329 (program_state::print): Pass region model to sm_state_map::print.
10330 (program_state::dump_to_pp): Use spaces rather than newlines when
10331 summarizing. Pass region_model to sm_state_map::print.
10332 (ana::selftest::assert_dump_eq): New function.
10333 (ASSERT_DUMP_EQ): New macro.
10334 (ana::selftest::test_program_state_dumping): New function.
10335 (ana::selftest::analyzer_program_state_cc_tests): Call it.
10336 * program-state.h (program_state::print): Add model param.
10337 * region-model.cc (dump_quoted_tree): New function.
10338 (map_region::print_fields): Use dump_quoted_tree rather than
10339 %qE to avoid lang-dependent output.
10340 (map_region::dump_child_label): Likewise.
10341 (region_model::dump_summary_of_map): For SK_REGION, when
10342 get_representative_path_var fails, print the region id rather than
10343 erroneously printing NULL.
10344 * sm.cc (state_machine::get_state_by_name): New function.
10345 * sm.h (state_machine::get_state_by_name): New decl.
10346
3c1645a3
DM		 103472020-03-04 David Malcolm <dmalcolm@redhat.com>
10348
10349 * region-model.cc (region::validate): Convert model param from ptr
10350 to reference. Update comment to reflect that it's now a vfunc.
10351 (map_region::validate): New vfunc implementation.
10352 (array_region::validate): New vfunc implementation.
10353 (stack_region::validate): New vfunc implementation.
10354 (root_region::validate): New vfunc implementation.
10355 (region_model::validate): Pass a reference rather than a pointer
10356 to the region::validate vfunc.
10357 * region-model.h (region::validate): Make virtual. Convert model
10358 param from ptr to reference.
10359 (map_region::validate): New vfunc decl.
10360 (array_region::validate): New vfunc decl.
10361 (stack_region::validate): New vfunc decl.
10362 (root_region::validate): New vfunc decl.
10363
e516294a
DM		 103642020-03-04 David Malcolm <dmalcolm@redhat.com>
10365
10366 PR analyzer/93993
10367 * region-model.cc (region_model::on_call_pre): Handle
10368 BUILT_IN_EXPECT and its variants.
10369 (region_model::add_any_constraints_from_ssa_def_stmt): Split out
10370 gassign handling into add_any_constraints_from_gassign; add gcall
10371 handling.
10372 (region_model::add_any_constraints_from_gassign): New function,
10373 based on the above. Add handling for NOP_EXPR.
10374 (region_model::add_any_constraints_from_gcall): New function.
10375 (region_model::get_representative_path_var): Handle views.
10376 * region-model.h
10377 (region_model::add_any_constraints_from_ssa_def_stmt): New decl.
10378 (region_model::add_any_constraints_from_gassign): New decl.
10379
3d66e153
DM		 103802020-03-04 David Malcolm <dmalcolm@redhat.com>
10381
10382 PR analyzer/93993
10383 * checker-path.h (state_change_event::get_lvalue): Add ctxt param
10384 and pass it to region_model::get_value call.
10385 * diagnostic-manager.cc (get_any_origin): Pass a
10386 tentative_region_model_context to the calls to get_lvalue and reject
10387 the comparison if errors occur.
10388 (can_be_expr_of_interest_p): New function.
10389 (diagnostic_manager::prune_for_sm_diagnostic): Replace checks for
10390 CONSTANT_CLASS_P with calls to update_for_unsuitable_sm_exprs.
10391 Pass a tentative_region_model_context to the calls to
10392 state_change_event::get_lvalue and reject the comparison if errors
10393 occur.
10394 (diagnostic_manager::update_for_unsuitable_sm_exprs): New.
10395 * diagnostic-manager.h
10396 (diagnostic_manager::update_for_unsuitable_sm_exprs): New decl.
10397 * region-model.h (class tentative_region_model_context): New class.
10398
13e3ba14
DM		 103992020-03-04 David Malcolm <dmalcolm@redhat.com>
10400
10401 * engine.cc (worklist::worklist): Remove unused field m_eg.
10402 (class viz_callgraph_edge): Remove unused field m_call_sedge.
10403 (class viz_callgraph): Remove unused field m_sg.
10404 * exploded-graph.h (worklist::::m_eg): Remove unused field.
10405
13b76912
DM		 104062020-03-02 David Malcolm <dmalcolm@redhat.com>
10407
10408 * analyzer.opt (fanalyzer-show-duplicate-count): New option.
10409 * diagnostic-manager.cc
10410 (diagnostic_manager::emit_saved_diagnostic): Use the above to
10411 guard the printing of the duplicate count.
10412
9f00b22f
DM		 104132020-03-02 David Malcolm <dmalcolm@redhat.com>
10414
10415 PR analyzer/93959
10416 * analyzer.cc (is_std_function_p): New function.
10417 (is_std_named_call_p): New functions.
10418 * analyzer.h (is_std_named_call_p): New decl.
10419 * sm-malloc.cc (malloc_state_machine::on_stmt): Check for "std::"
10420 variants when checking for malloc, calloc and free.
10421
71b633aa
DM		 104222020-02-26 David Malcolm <dmalcolm@redhat.com>
10423
10424 PR analyzer/93950
10425 * diagnostic-manager.cc
10426 (diagnostic_manager::prune_for_sm_diagnostic): Assert that var is
10427 either NULL or not a constant. When updating var, bulletproof
10428 against constant values.
10429
0ba70d1b
DM		 104302020-02-26 David Malcolm <dmalcolm@redhat.com>
10431
10432 PR analyzer/93947
10433 * region-model.cc (region_model::get_fndecl_for_call): Gracefully
10434 fail for fn_decls that don't have a cgraph_node.
10435
67fa274c
DM		 104362020-02-26 David Malcolm <dmalcolm@redhat.com>
10437
10438 * bar-chart.cc: New file.
10439 * bar-chart.h: New file.
10440 * engine.cc: Include "analyzer/bar-chart.h".
10441 (stats::log): Only log the m_num_nodes kinds that are non-zero.
10442 (stats::dump): Likewise when dumping.
10443 (stats::get_total_enodes): New.
10444 (exploded_graph::get_or_create_node): Increment the per-point-data
10445 m_excess_enodes when hitting the per-program-point limit on
10446 enodes.
10447 (exploded_graph::print_bar_charts): New.
10448 (exploded_graph::log_stats): Log the number of unprocessed enodes
10449 in the worklist. Call print_bar_charts.
10450 (exploded_graph::dump_stats): Print the number of unprocessed
10451 enodes in the worklist.
10452 * exploded-graph.h (stats::get_total_enodes): New decl.
10453 (struct per_program_point_data): Add field m_excess_enodes.
10454 (exploded_graph::print_bar_charts): New decl.
10455 * supergraph.cc (superedge::dump): New.
10456 (superedge::dump): New.
10457 * supergraph.h (supernode::get_function): New.
10458 (superedge::dump): New decl.
10459 (superedge::dump): New decl.
10460
f2ca2088
DM		 104612020-02-24 David Malcolm <dmalcolm@redhat.com>
10462
10463 * engine.cc (exploded_graph::get_or_create_node): Dump the
10464 program_state to the pp, rather than to stderr.
10465
b3d788a2
DM		 104662020-02-24 David Malcolm <dmalcolm@redhat.com>
10467
10468 PR analyzer/93032
10469 * sm.cc (make_checkers): Require the "taint" checker to be
10470 explicitly enabled.
10471
3a25f345
DM		 104722020-02-24 David Malcolm <dmalcolm@redhat.com>
10473
10474 PR analyzer/93899
10475 * engine.cc
10476 (impl_region_model_context::impl_region_model_context): Add logger
10477 param.
10478 * engine.cc (exploded_graph::add_function_entry): Create an
10479 impl_region_model_context and pass it to the push_frame call.
10480 Bail if the resulting state is invalid.
10481 (exploded_graph::build_initial_worklist): Likewise.
10482 (exploded_graph::build_initial_worklist): Handle the case where
10483 add_function_entry fails.
10484 * exploded-graph.h
10485 (impl_region_model_context::impl_region_model_context): Add logger
10486 param.
10487 * region-model.cc (map_region::get_or_create): Add ctxt param and
10488 pass it to add_region_for_type.
10489 (map_region::can_merge_p): Pass NULL as a ctxt to call to
10490 get_or_create.
10491 (array_region::get_element): Pass ctxt to call to get_or_create.
10492 (array_region::get_or_create): Add ctxt param and pass it to
10493 add_region_for_type.
10494 (root_region::push_frame): Pass ctxt to get_or_create calls.
10495 (region_model::get_lvalue_1): Likewise.
10496 (region_model::make_region_for_unexpected_tree_code): Assert that
10497 ctxt is non-NULL.
10498 (region_model::get_rvalue_1): Pass ctxt to get_svalue_for_fndecl
10499 and get_svalue_for_label calls.
10500 (region_model::get_svalue_for_fndecl): Add ctxt param and pass it
10501 to get_region_for_fndecl.
10502 (region_model::get_region_for_fndecl): Add ctxt param and pass it
10503 to get_or_create.
10504 (region_model::get_svalue_for_label): Add ctxt param and pass it
10505 to get_region_for_label.
10506 (region_model::get_region_for_label): Add ctxt param and pass it
10507 to get_region_for_fndecl and get_or_create.
10508 (region_model::get_field_region): Add ctxt param and pass it to
10509 get_or_create_view and get_or_create.
10510 (make_region_for_type): Replace gcc_unreachable with return NULL.
10511 (region_model::add_region_for_type): Add ctxt param. Handle a
10512 return of NULL from make_region_for_type by calling
10513 make_region_for_unexpected_tree_code.
10514 (region_model::get_or_create_mem_ref): Pass ctxt to calls to
10515 get_or_create_view.
10516 (region_model::get_or_create_view): Add ctxt param and pass it to
10517 add_region_for_type.
10518 (selftest::test_state_merging): Pass ctxt to get_or_create_view.
10519 * region-model.h (region_model::get_or_create): Add ctxt param.
10520 (region_model::add_region_for_type): Likewise.
10521 (region_model::get_svalue_for_fndecl): Likewise.
10522 (region_model::get_svalue_for_label): Likewise.
10523 (region_model::get_region_for_fndecl): Likewise.
10524 (region_model::get_region_for_label): Likewise.
10525 (region_model::get_field_region): Likewise.
10526 (region_model::get_or_create_view): Likewise.
10527
004f2c07
DM		 105282020-02-24 David Malcolm <dmalcolm@redhat.com>
10529
10530 * checker-path.cc (superedge_event::should_filter_p): Update
10531 filter for empty descriptions to cover verbosity level 3 as well
10532 as 2.
10533 * diagnostic-manager.cc: Include "analyzer/reachability.h".
10534 (class path_builder): New class.
10535 (diagnostic_manager::emit_saved_diagnostic): Create a path_builder
10536 and pass it to build_emission_path, rather passing eg; similarly
10537 for add_events_for_eedge and ext_state.
10538 (diagnostic_manager::build_emission_path): Replace "eg" param
10539 with a path_builder, pass it to add_events_for_eedge.
10540 (diagnostic_manager::add_events_for_eedge): Replace ext_state
10541 param with path_builder; pass it to add_events_for_superedge.
10542 (diagnostic_manager::significant_edge_p): New.
10543 (diagnostic_manager::add_events_for_superedge): Add path_builder
10544 param. Reject insignificant edges at verbosity levels below 3.
10545 (diagnostic_manager::prune_for_sm_diagnostic): Update highest
10546 verbosity level to 4.
10547 * diagnostic-manager.h (class path_builder): New forward decl.
10548 (diagnostic_manager::build_emission_path): Replace "eg" param
10549 with a path_builder.
10550 (diagnostic_manager::add_events_for_eedge): Replace ext_state
10551 param with path_builder.
10552 (diagnostic_manager::significant_edge_p): New.
10553 (diagnostic_manager::add_events_for_superedge): Add path_builder
10554 param.
10555 * reachability.h: New file.
10556
0b2b45a6
DM		 105572020-02-18 David Malcolm <dmalcolm@redhat.com>
10558
10559 PR analyzer/93692
10560 * analyzer.opt (fdump-analyzer-callgraph): Rewrite description.
10561
4f40164a
DM		 105622020-02-18 David Malcolm <dmalcolm@redhat.com>
10563
10564 PR analyzer/93777
10565 * region-model.cc (region_model::maybe_cast_1): Replace assertion
10566 that build_cast returns non-NULL with a conditional, falling
10567 through to the logic which returns a new unknown value of the
10568 desired type if it fails.
10569
2e623393
DM		 105702020-02-18 David Malcolm <dmalcolm@redhat.com>
10571
10572 PR analyzer/93778
10573 * engine.cc (impl_region_model_context::on_unknown_tree_code):
10574 Rename to...
10575 (impl_region_model_context::on_unexpected_tree_code): ...this and
10576 convert first argument from path_var to tree.
10577 (exploded_node::on_stmt): Pass ctxt to purge_for_unknown_fncall.
10578 * exploded-graph.h (region_model_context::on_unknown_tree_code):
10579 Rename to...
10580 (region_model_context::on_unexpected_tree_code): ...this and
10581 convert first argument from path_var to tree.
10582 * program-state.cc (sm_state_map::purge_for_unknown_fncall): Add
10583 ctxt param and pass on to calls to get_rvalue.
10584 * program-state.h (sm_state_map::purge_for_unknown_fncall): Add
10585 ctxt param.
10586 * region-model.cc (region_model::handle_unrecognized_call): Pass
10587 ctxt on to call to get_rvalue.
10588 (region_model::get_lvalue_1): Move body of default case to
10589 region_model::make_region_for_unexpected_tree_code and call it.
10590 Within COMPONENT_REF case, reject attempts to handle types other
10591 than RECORD_TYPE and UNION_TYPE.
10592 (region_model::make_region_for_unexpected_tree_code): New
10593 function, based on default case of region_model::get_lvalue_1.
10594 * region-model.h
10595 (region_model::make_region_for_unexpected_tree_code): New decl.
10596 (region_model::on_unknown_tree_code): Rename to...
10597 (region_model::on_unexpected_tree_code): ...this and convert first
10598 argument from path_var to tree.
10599 (class test_region_model_context): Update vfunc implementation for
10600 above change.
10601
a674c7b8
DM		 106022020-02-18 David Malcolm <dmalcolm@redhat.com>
10603
10604 PR analyzer/93774
10605 * region-model.cc
10606 (region_model::convert_byte_offset_to_array_index): Use
10607 int_size_in_bytes before calling size_in_bytes, to gracefully fail
10608 on incomplete types.
10609
d8cde6f9
DM		 106102020-02-17 David Malcolm <dmalcolm@redhat.com>
10611
10612 PR analyzer/93775
10613 * region-model.cc (region_model::get_fndecl_for_call): Handle the
10614 case where the code_region's get_tree_for_child_region returns
10615 NULL.
10616
f76a88eb
DM		 106172020-02-17 David Malcolm <dmalcolm@redhat.com>
10618
10619 PR analyzer/93388
10620 * engine.cc (impl_region_model_context::on_unknown_tree_code):
10621 New.
10622 (exploded_graph::get_or_create_node): Reject invalid states.
10623 * exploded-graph.h
10624 (impl_region_model_context::on_unknown_tree_code): New decl.
10625 (point_and_state::point_and_state): Assert that the state is
10626 valid.
10627 * program-state.cc (program_state::program_state): Initialize
10628 m_valid to true.
10629 (program_state::operator=): Copy m_valid.
10630 (program_state::program_state): Likewise for move constructor.
10631 (program_state::print): Print m_valid.
10632 (program_state::dump_to_pp): Likewise.
10633 * program-state.h (program_state::m_valid): New field.
10634 * region-model.cc (region_model::get_lvalue_1): Implement the
10635 default case by returning a new symbolic region and calling
10636 the context's on_unknown_tree_code, rather than issuing an
10637 internal_error. Implement VIEW_CONVERT_EXPR.
10638 * region-model.h (region_model_context::on_unknown_tree_code): New
10639 vfunc.
10640 (test_region_model_context::on_unknown_tree_code): New.
10641
0993ad65
DM		 106422020-02-17 David Malcolm <dmalcolm@redhat.com>
10643
10644 * sm-malloc.cc (malloc_diagnostic::describe_state_change): For
10645 transition to the "null" state, only say "assuming" when
10646 transitioning from the "unchecked" state.
10647
67098787
DM		 106482020-02-17 David Malcolm <dmalcolm@redhat.com>
10649
10650 * diagnostic-manager.h (diagnostic_manager::get_saved_diagnostic):
10651 Add const overload.
10652 * engine.cc (exploded_node::dump_dot): Dump saved_diagnostics.
10653 * exploded-graph.h (exploded_graph::get_diagnostic_manager): Add
10654 const overload.
10655
91f993b7
DM		 106562020-02-11 David Malcolm <dmalcolm@redhat.com>
10657
10658 PR analyzer/93288
10659 * analysis-plan.cc (analysis_plan::use_summary_p): Look through
10660 the ultimate_alias_target when getting the called function.
10661 * engine.cc (exploded_node::on_stmt): Rename second "ctxt" to
10662 "sm_ctxt". Use the region_model's get_fndecl_for_call rather than
10663 gimple_call_fndecl.
10664 * region-model.cc (region_model::get_fndecl_for_call): Use
10665 ultimate_alias_target on fndecl.
10666 * supergraph.cc (get_ultimate_function_for_cgraph_edge): New
10667 function.
10668 (supergraph_call_edge): Use it when rejecting edges without
10669 functions.
10670 (supergraph::supergraph): Use it to get the function for the
10671 cgraph_edge when building interprocedural superedges.
10672 (callgraph_superedge::get_callee_function): Use it.
10673 * supergraph.h (supergraph::get_num_snodes): Make param const.
10674 (supergraph::function_to_num_snodes_t): Make first type param
10675 const.
10676
a60d9889
DM		 106772020-02-11 David Malcolm <dmalcolm@redhat.com>
10678
10679 PR analyzer/93374
10680 * engine.cc (exploded_edge::exploded_edge): Add ext_state param
10681 and pass it to change.validate.
10682 (exploded_graph::get_or_create_node): Move purging of change
10683 svalues to also cover the case of reusing an existing enode.
10684 (exploded_graph::add_edge): Pass m_ext_state to exploded_edge's
10685 ctor.
10686 * exploded-graph.h (exploded_edge::exploded_edge): Add ext_state
10687 param.
10688 * program-state.cc (state_change::sm_change::validate): Likewise.
10689 Assert that m_sm_idx is sane. Use ext_state to validate
10690 m_old_state and m_new_state.
10691 (state_change::validate): Add ext_state param and pass it to
10692 the sm_change validate calls.
10693 * program-state.h (state_change::sm_change::validate): Add
10694 ext_state param.
10695 (state_change::validate): Likewise.
10696
a0e4929b
DM		 106972020-02-11 David Malcolm <dmalcolm@redhat.com>
10698
10699 PR analyzer/93669
10700 * engine.cc (exploded_graph::dump_exploded_nodes): Handle missing
10701 case of STATUS_WORKLIST in implementation of
10702 "__analyzer_dump_exploded_nodes".
10703
cd28b759
DM		 107042020-02-11 David Malcolm <dmalcolm@redhat.com>
10705
10706 PR analyzer/93649
10707 * constraint-manager.cc (constraint_manager::add_constraint): When
10708 merging equivalence classes and updating m_constant, also update
10709 m_cst_sid.
10710 (constraint_manager::validate): If m_constant is non-NULL assert
10711 that m_cst_sid is non-null and is valid.
10712
5e17c1bd
DM		 107132020-02-11 David Malcolm <dmalcolm@redhat.com>
10714
10715 PR analyzer/93657
10716 * analyzer.opt (fdump-analyzer): Reword description.
10717 (fdump-analyzer-stderr): Likewise.
10718
c46d057f
DM		 107192020-02-11 David Malcolm <dmalcolm@redhat.com>
10720
10721 * region-model.cc (print_quoted_type): New function.
10722 (svalue::print): Use it to replace %qT.
10723 (region::dump_to_pp): Likewise.
10724 (region::dump_child_label): Likewise.
10725 (region::print_fields): Likewise.
10726
eb031d4b
DM		 107272020-02-10 David Malcolm <dmalcolm@redhat.com>
10728
10729 PR analyzer/93659
10730 * analyzer.opt (-param=analyzer-max-recursion-depth=): Fix "tha"
10731 -> "that" typo.
10732 (Wanalyzer-use-of-uninitialized-value): Fix "initialized" ->
10733 "uninitialized" typo.
10734
e87deb37
DM		 107352020-02-10 David Malcolm <dmalcolm@redhat.com>
10736
10737 PR analyzer/93350
10738 * region-model.cc (region_model::get_lvalue_1):
10739 Handle BIT_FIELD_REF.
10740 (make_region_for_type): Handle VECTOR_TYPE.
10741
e953f958
DM		 107422020-02-10 David Malcolm <dmalcolm@redhat.com>
10743
10744 PR analyzer/93647
10745 * diagnostic-manager.cc
10746 (diagnostic_manager::prune_for_sm_diagnostic): Bulletproof against
10747 VAR being constant.
10748 * region-model.cc (region_model::get_lvalue_1): Provide a better
10749 error message when encountering an unhandled tree code.
10750
41a9e940
DM		 107512020-02-10 David Malcolm <dmalcolm@redhat.com>
10752
10753 PR analyzer/93405
10754 * region-model.cc (region_model::get_lvalue_1): Implement
10755 CONST_DECL.
10756
cb273d81
DM		 107572020-02-06 David Malcolm <dmalcolm@redhat.com>
10758
10759 * region-model.cc (region_model::maybe_cast_1): Attempt to provide
10760 a region_svalue if either type is a pointer, rather than if both
10761 types are pointers.
10762
a4d3bfc0
DM		 107632020-02-05 David Malcolm <dmalcolm@redhat.com>
10764
10765 * engine.cc (exploded_node::dump_dot): Show merger enodes.
10766 (worklist::add_node): Assert that the node's m_status is
10767 STATUS_WORKLIST.
10768 (exploded_graph::process_worklist): Likewise for nodes from the
10769 worklist. Set status of merged nodes to STATUS_MERGER.
10770 (exploded_graph::process_node): Set status of node to
10771 STATUS_PROCESSED.
10772 (exploded_graph::dump_exploded_nodes): Rework handling of
10773 "__analyzer_dump_exploded_nodes", splitting enodes by status into
10774 "processed" and "merger", showing the count of just the processed
10775 enodes at the call, rather than the count of all enodes.
10776 * exploded-graph.h (exploded_node::status): New enum.
10777 (exploded_node::exploded_node): Initialize m_status to
10778 STATUS_WORKLIST.
10779 (exploded_node::get_status): New getter.
10780 (exploded_node::set_status): New setter.
10781
1dae549d
DM		 107822020-02-04 David Malcolm <dmalcolm@redhat.com>
10783
10784 PR analyzer/93543
10785 * engine.cc (pod_hash_traits<function_call_string>::mark_empty):
10786 Eliminate reinterpret_cast.
10787 (pod_hash_traits<function_call_string>::is_empty): Likewise.
10788
833f1e66
DM		 107892020-02-03 David Malcolm <dmalcolm@redhat.com>
10790
10791 * constraint-manager.cc (range::constrained_to_single_element):
10792 Replace fold_build2 with fold_binary. Remove unnecessary newline.
10793 (constraint_manager::get_or_add_equiv_class): Replace fold_build2
10794 with fold_binary in two places, and remove out-of-date comment.
10795 (constraint_manager::eval_condition): Replace fold_build2 with
10796 fold_binary.
10797 * region-model.cc (constant_svalue::eval_condition): Likewise.
10798 (region_model::on_assignment): Likewise.
10799
8525d1f5
DM		 108002020-02-03 David Malcolm <dmalcolm@redhat.com>
10801
10802 PR analyzer/93544
10803 * diagnostic-manager.cc
10804 (diagnostic_manager::prune_for_sm_diagnostic): Bulletproof
10805 against bad choices due to bad paths.
10806 * engine.cc (impl_region_model_context::on_phi): New.
10807 * exploded-graph.h (impl_region_model_context::on_phi): New decl.
10808 * region-model.cc (region_model::on_longjmp): Likewise.
10809 (region_model::handle_phi): Add phi param. Call the ctxt's on_phi
10810 vfunc.
10811 (region_model::update_for_phis): Pass phi to handle_phi.
10812 * region-model.h (region_model::handle_phi): Add phi param.
10813 (region_model_context::on_phi): New vfunc.
10814 (test_region_model_context::on_phi): New.
10815 * sm-malloc.cc (malloc_state_machine::on_phi): New.
10816 (malloc_state_machine::on_zero_assignment): New.
10817 * sm.h (state_machine::on_phi): New vfunc.
10818
73f38658
DM		 108192020-02-03 David Malcolm <dmalcolm@redhat.com>
10820
10821 * engine.cc (supernode_cluster::dump_dot): Show BB index as
10822 well as SN index.
10823 * supergraph.cc (supernode::dump_dot): Likewise.
10824
5e10b9a2
DM		 108252020-02-03 David Malcolm <dmalcolm@redhat.com>
10826
10827 PR analyzer/93546
10828 * region-model.cc (region_model::on_call_pre): Update for new
10829 param of symbolic_region ctor.
10830 (region_model::deref_rvalue): Likewise.
10831 (region_model::add_new_malloc_region): Likewise.
10832 (make_region_for_type): Likewise, preserving type.
10833 * region-model.h (symbolic_region::symbolic_region): Add "type"
10834 param and pass it to base class ctor.
10835
287ccd3b
DM		 108362020-02-03 David Malcolm <dmalcolm@redhat.com>
10837
10838 PR analyzer/93547
10839 * constraint-manager.cc
10840 (constraint_manager::get_or_add_equiv_class): Ensure types are
10841 compatible before comparing constants.
10842
67751724
DM		 108432020-01-31 David Malcolm <dmalcolm@redhat.com>
10844
10845 PR analyzer/93457
10846 * region-model.cc (make_region_for_type): Use VOID_TYPE_P rather
10847 than checking against void_type_node.
10848
09bea584
DM		 108492020-01-31 David Malcolm <dmalcolm@redhat.com>
10850
10851 PR analyzer/93373
10852 * region-model.cc (ASSERT_COMPAT_TYPES): Convert to...
10853 (assert_compat_types): ...this, and bail when either type is NULL,
10854 or when VOID_TYPE_P (dst_type).
10855 (region_model::get_lvalue): Update for above conversion.
10856 (region_model::get_rvalue): Likewise.
10857
f1c807e8
DM		 108582020-01-31 David Malcolm <dmalcolm@redhat.com>
10859
10860 PR analyzer/93379
10861 * region-model.cc (region_model::update_for_return_superedge):
10862 Move check for null result so that it also guards setting the
10863 lhs.
10864
455f58ec
DM		 108652020-01-31 David Malcolm <dmalcolm@redhat.com>
10866
10867 PR analyzer/93438
10868 * region-model.cc (stack_region::can_merge_p): Split into a two
10869 pass approach, creating all stack regions first, then populating
10870 them.
10871 (selftest::test_state_merging): Add test coverage for (a) the case
10872 of self-merging a model in which a local in an older stack frame
10873 points to a local in a more recent stack frame (which previously
10874 would ICE), and (b) the case of self-merging a model in which a
10875 local points to a global (which previously worked OK).
10876
182ce042
DM		 108772020-01-31 David Malcolm <dmalcolm@redhat.com>
10878
10879 * analyzer.cc (is_named_call_p): Replace tests for fndecl being
10880 extern at file scope and having a non-NULL DECL_NAME with a call
10881 to maybe_special_function_p.
10882 * function-set.cc (function_set::contains_decl_p): Add call to
10883 maybe_special_function_p.
10884
45eb3e49
DM		 108852020-01-31 David Malcolm <dmalcolm@redhat.com>
10886
10887 PR analyzer/93450
10888 * constraint-manager.cc
10889 (constraint_manager::get_or_add_equiv_class): Only compare constants
10890 if their types are compatible.
10891 * region-model.cc (constant_svalue::eval_condition): Replace check
10892 for identical types with call to types_compatible_p.
10893
42f36563
DM		 108942020-01-30 David Malcolm <dmalcolm@redhat.com>
10895
10896 * program-state.cc (extrinsic_state::dump_to_pp): New.
10897 (extrinsic_state::dump_to_file): New.
10898 (extrinsic_state::dump): New.
10899 * program-state.h (extrinsic_state::dump_to_pp): New decl.
10900 (extrinsic_state::dump_to_file): New decl.
10901 (extrinsic_state::dump): New decl.
10902 * sm.cc: Include "pretty-print.h".
10903 (state_machine::dump_to_pp): New.
10904 * sm.h (state_machine::dump_to_pp): New decl.
10905
ebe9174e
DM		 109062020-01-30 David Malcolm <dmalcolm@redhat.com>
10907
10908 * diagnostic-manager.cc (for_each_state_change): Use
10909 extrinsic_state::get_num_checkers rather than accessing m_checkers
10910 directly.
10911 * program-state.cc (program_state::program_state): Likewise.
10912 * program-state.h (extrinsic_state::m_checkers): Make private.
10913
e978955d
DM		 109142020-01-30 David Malcolm <dmalcolm@redhat.com>
10915
10916 PR analyzer/93356
10917 * region-model.cc (region_model::eval_condition): In both
10918 overloads, bail out immediately on floating-point types.
10919 (region_model::eval_condition_without_cm): Likewise.
10920 (region_model::add_constraint): Likewise.
10921
d177c49c
DM		 109222020-01-30 David Malcolm <dmalcolm@redhat.com>
10923
10924 PR analyzer/93450
10925 * program-state.cc (sm_state_map::set_state): For the overload
10926 taking an svalue_id, bail out if the set_state on the ec does
10927 nothing. Convert the latter's return type from void to bool,
10928 returning true if anything changed.
10929 (sm_state_map::impl_set_state): Convert the return type from void
10930 to bool, returning true if the state changed.
10931 * program-state.h (sm_state_map::set_state): Convert return type
10932 from void to bool.
10933 (sm_state_map::impl_set_state): Likewise.
10934 * region-model.cc (constant_svalue::eval_condition): Only call
10935 fold_build2 if the types are the same.
10936
7892ff37
JJ		 109372020-01-29 Jakub Jelinek <jakub@redhat.com>
10938
10939 * analyzer.h (PUSH_IGNORE_WFORMAT, POP_IGNORE_WFORMAT): Remove.
10940 * constraint-manager.cc: Include diagnostic-core.h before graphviz.h.
10941 (range::dump, equiv_class::print): Don't use PUSH_IGNORE_WFORMAT or
10942 POP_IGNORE_WFORMAT.
10943 * state-purge.cc: Include diagnostic-core.h before
10944 gimple-pretty-print.h.
10945 (state_purge_annotator::add_node_annotations, print_vec_of_names):
10946 Don't use PUSH_IGNORE_WFORMAT or POP_IGNORE_WFORMAT.
10947 * region-model.cc: Move diagnostic-core.h include before graphviz.h.
10948 (path_var::dump, svalue::print, constant_svalue::print_details,
10949 region::dump_to_pp, region::dump_child_label, region::print_fields,
10950 map_region::print_fields, map_region::dump_dot_to_pp,
10951 map_region::dump_child_label, array_region::print_fields,
10952 array_region::dump_dot_to_pp): Don't use PUSH_IGNORE_WFORMAT or
10953 POP_IGNORE_WFORMAT.
10954
5aebfb71
DM		 109552020-01-28 David Malcolm <dmalcolm@redhat.com>
10956
10957 PR analyzer/93316
10958 * engine.cc (rewind_info_t::update_model): Get the longjmp call
10959 stmt via get_longjmp_call () rather than assuming it is the last
10960 stmt in the longjmp's supernode.
10961 (rewind_info_t::add_events_to_path): Get the location_t for the
10962 rewind_from_longjmp_event via get_longjmp_call () rather than from
10963 the supernode's get_end_location ().
10964
6c8e5844
DM		 109652020-01-28 David Malcolm <dmalcolm@redhat.com>
10966
10967 * region-model.cc (poisoned_value_diagnostic::emit): Update for
10968 renaming of warning_at overload to warning_meta.
10969 * sm-file.cc (file_leak::emit): Likewise.
10970 * sm-malloc.cc (double_free::emit): Likewise.
10971 (possible_null_deref::emit): Likewise.
10972 (possible_null_arg::emit): Likewise.
10973 (null_deref::emit): Likewise.
10974 (null_arg::emit): Likewise.
10975 (use_after_free::emit): Likewise.
10976 (malloc_leak::emit): Likewise.
10977 (free_of_non_heap::emit): Likewise.
10978 * sm-sensitive.cc (exposure_through_output_file::emit): Likewise.
10979 * sm-signal.cc (signal_unsafe_call::emit): Likewise.
10980 * sm-taint.cc (tainted_array_index::emit): Likewise.
10981
8c08c983
DM		 109822020-01-27 David Malcolm <dmalcolm@redhat.com>
10983
10984 PR analyzer/93451
10985 * region-model.cc (tree_cmp): For the REAL_CST case, impose an
10986 arbitrary order on NaNs relative to other NaNs and to non-NaNs;
10987 const-correctness tweak.
10988 (ana::selftests::build_real_cst_from_string): New function.
10989 (ana::selftests::append_interesting_constants): New function.
10990 (ana::selftests::test_tree_cmp_on_constants): New test.
10991 (ana::selftests::test_canonicalization_4): New test.
10992 (ana::selftests::analyzer_region_model_cc_tests): Call the new
10993 tests.
10994
2fbea419
DM		 109952020-01-27 David Malcolm <dmalcolm@redhat.com>
10996
10997 PR analyzer/93349
10998 * engine.cc (run_checkers): Save and restore input_location.
10999
6a81cabc
DM		 110002020-01-27 David Malcolm <dmalcolm@redhat.com>
11001
11002 * call-string.cc (call_string::cmp_1): Delete, moving body to...
11003 (call_string::cmp): ...here.
11004 * call-string.h (call_string::cmp_1): Delete decl.
11005 * engine.cc (worklist::key_t::cmp_1): Delete, moving body to...
11006 (worklist::key_t::cmp): ...here. Implement hash comparisons
11007 via comparison rather than subtraction to avoid overflow issues.
11008 * exploded-graph.h (worklist::key_t::cmp_1): Delete decl.
11009 * region-model.cc (tree_cmp): Eliminate buggy checking for
11010 symmetry.
11011
342e14ff
DM		 110122020-01-27 David Malcolm <dmalcolm@redhat.com>
11013
11014 * analyzer.cc (is_named_call_p): Check that fndecl is "extern"
11015 and at file scope. Potentially disregard prefix _ or __ in
11016 fndecl's name. Bail if the identifier is NULL.
11017 (is_setjmp_call_p): Expect a gcall rather than plain gimple.
11018 Remove special-case check for leading prefix, and also check for
11019 sigsetjmp.
11020 (is_longjmp_call_p): Also check for siglongjmp.
11021 (get_user_facing_name): New function.
11022 * analyzer.h (is_setjmp_call_p): Expect a gcall rather than plain
11023 gimple.
11024 (get_user_facing_name): New decl.
11025 * checker-path.cc (setjmp_event::get_desc): Use
11026 get_user_facing_name to avoid hardcoding the function name.
11027 (rewind_event::rewind_event): Add rewind_info param, using it to
11028 initialize new m_rewind_info field, and strengthen the assertion.
11029 (rewind_from_longjmp_event::get_desc): Use get_user_facing_name to
11030 avoid hardcoding the function name.
11031 (rewind_to_setjmp_event::get_desc): Likewise.
11032 * checker-path.h (setjmp_event::setjmp_event): Add setjmp_call
11033 param and use it to initialize...
11034 (setjmp_event::m_setjmp_call): New field.
11035 (rewind_event::rewind_event): Add rewind_info param.
11036 (rewind_event::m_rewind_info): New protected field.
11037 (rewind_from_longjmp_event::rewind_from_longjmp_event): Add
11038 rewind_info param.
11039 (class rewind_to_setjmp_event): Move rewind_info field to parent
11040 class.
11041 * diagnostic-manager.cc (diagnostic_manager::add_events_for_eedge):
11042 Update setjmp-handling for is_setjmp_call_p requiring a gcall;
11043 pass the call to the new setjmp_event.
11044 * engine.cc (exploded_node::on_stmt): Update for is_setjmp_call_p
11045 requiring a gcall.
11046 (stale_jmp_buf::emit): Use get_user_facing_name to avoid
11047 hardcoding the function names.
11048 (exploded_node::on_longjmp): Pass the longjmp_call when
11049 constructing rewind_info.
11050 (rewind_info_t::add_events_to_path): Pass the rewind_info_t to the
11051 rewind_from_longjmp_event's ctor.
11052 * exploded-graph.h (rewind_info_t::rewind_info_t): Add
11053 longjmp_call param.
11054 (rewind_info_t::get_longjmp_call): New.
11055 (rewind_info_t::m_longjmp_call): New.
11056 * region-model.cc (region_model::on_setjmp): Update comment to
11057 indicate this is also for sigsetjmp.
11058 * region-model.h (struct setjmp_record): Likewise.
11059 (class setjmp_svalue): Likewise.
11060
26d949c8
DM		 110612020-01-27 David Malcolm <dmalcolm@redhat.com>
11062
11063 PR analyzer/93276
11064 * analyzer.h (PUSH_IGNORE_WFORMAT, POP_IGNORE_WFORMAT): Guard these
11065 macros with GCC_VERSION >= 4006, making them no-op otherwise.
11066 * engine.cc (exploded_edge::exploded_edge): Specify template for
11067 base class initializer.
11068 (exploded_graph::add_edge): Specify template when chaining up to
11069 base class add_edge implementation.
11070 (viz_callgraph_node::dump_dot): Drop redundant "typename".
11071 (viz_callgraph_edge::viz_callgraph_edge): Specify template for
11072 base class initializer.
11073 * program-state.cc (sm_state_map::clone_with_remapping): Drop
11074 redundant "typename".
11075 (sm_state_map::print): Likewise.
11076 (sm_state_map::hash): Likewise.
11077 (sm_state_map::operator==): Likewise.
11078 (sm_state_map::remap_svalue_ids): Likewise.
11079 (sm_state_map::on_svalue_purge): Likewise.
11080 (sm_state_map::validate): Likewise.
11081 * program-state.h (sm_state_map::iterator_t): Likewise.
11082 * supergraph.h (superedge::superedge): Specify template for base
11083 class initializer.
11084
648796da
DM		 110852020-01-23 David Malcolm <dmalcolm@redhat.com>
11086
11087 PR analyzer/93375
11088 * supergraph.cc (callgraph_superedge::get_arg_for_parm): Fail
11089 gracefully is the number of parameters at the callee exceeds the
11090 number of arguments at the call stmt.
11091 (callgraph_superedge::get_parm_for_arg): Likewise.
11092
591b59eb
DM		 110932020-01-22 David Malcolm <dmalcolm@redhat.com>
11094
11095 PR analyzer/93382
11096 * program-state.cc (sm_state_map::on_svalue_purge): If the
11097 entry survives, but the origin is being purged, then reset the
11098 origin to null.
11099
c9c8aef4
DM		 111002020-01-22 David Malcolm <dmalcolm@redhat.com>
11101
11102 * sm-signal.cc: Fix nesting of CHECKING_P and namespace ana.
11103
fd9982bb
DM		 111042020-01-22 David Malcolm <dmalcolm@redhat.com>
11105
11106 PR analyzer/93378
11107 * engine.cc (setjmp_svalue::compare_fields): Update for
11108 replacement of m_enode with m_setjmp_record.
11109 (setjmp_svalue::add_to_hash): Likewise.
11110 (setjmp_svalue::get_index): Rename...
11111 (setjmp_svalue::get_enode_index): ...to this.
11112 (setjmp_svalue::print_details): Update for replacement of m_enode
11113 with m_setjmp_record.
11114 (exploded_node::on_longjmp): Likewise.
11115 * exploded-graph.h (rewind_info_t::m_enode_origin): Replace...
11116 (rewind_info_t::m_setjmp_record): ...with this.
11117 (rewind_info_t::rewind_info_t): Update for replacement of m_enode
11118 with m_setjmp_record.
11119 (rewind_info_t::get_setjmp_point): Likewise.
11120 (rewind_info_t::get_setjmp_call): Likewise.
11121 * region-model.cc (region_model::dump_summary_of_map): Likewise.
11122 (region_model::on_setjmp): Likewise.
11123 * region-model.h (struct setjmp_record): New struct.
11124 (setjmp_svalue::m_enode): Replace...
11125 (setjmp_svalue::m_setjmp_record): ...with this.
11126 (setjmp_svalue::setjmp_svalue): Update for replacement of m_enode
11127 with m_setjmp_record.
11128 (setjmp_svalue::clone): Likewise.
11129 (setjmp_svalue::get_index): Rename...
11130 (setjmp_svalue::get_enode_index): ...to this.
11131 (setjmp_svalue::get_exploded_node): Replace...
11132 (setjmp_svalue::get_setjmp_record): ...with this.
11133
da7cf663
DM		 111342020-01-22 David Malcolm <dmalcolm@redhat.com>
11135
11136 PR analyzer/93316
11137 * analyzer.cc (is_setjmp_call_p): Check for "setjmp" as well as
11138 "_setjmp".
11139
75038aa6
DM		 111402020-01-22 David Malcolm <dmalcolm@redhat.com>
11141
11142 PR analyzer/93307
11143 * analysis-plan.h: Wrap everything namespace "ana".
11144 * analyzer-logging.cc: Likewise.
11145 * analyzer-logging.h: Likewise.
11146 * analyzer-pass.cc (pass_analyzer::execute): Update for "ana"
11147 namespace.
11148 * analyzer-selftests.cc: Wrap everything namespace "ana".
11149 * analyzer-selftests.h: Likewise.
11150 * analyzer.h: Likewise for forward decls of types.
11151 * call-string.h: Likewise.
11152 * checker-path.cc: Likewise.
11153 * checker-path.h: Likewise.
11154 * constraint-manager.cc: Likewise.
11155 * constraint-manager.h: Likewise.
11156 * diagnostic-manager.cc: Likewise.
11157 * diagnostic-manager.h: Likewise.
11158 * engine.cc: Likewise.
11159 * engine.h: Likewise.
11160 * exploded-graph.h: Likewise.
11161 * function-set.cc: Likewise.
11162 * function-set.h: Likewise.
11163 * pending-diagnostic.cc: Likewise.
11164 * pending-diagnostic.h: Likewise.
11165 * program-point.cc: Likewise.
11166 * program-point.h: Likewise.
11167 * program-state.cc: Likewise.
11168 * program-state.h: Likewise.
11169 * region-model.cc: Likewise.
11170 * region-model.h: Likewise.
11171 * sm-file.cc: Likewise.
11172 * sm-malloc.cc: Likewise.
11173 * sm-pattern-test.cc: Likewise.
11174 * sm-sensitive.cc: Likewise.
11175 * sm-signal.cc: Likewise.
11176 * sm-taint.cc: Likewise.
11177 * sm.cc: Likewise.
11178 * sm.h: Likewise.
11179 * state-purge.h: Likewise.
11180 * supergraph.cc: Likewise.
11181 * supergraph.h: Likewise.
11182
4f01e577
DM		 111832020-01-21 David Malcolm <dmalcolm@redhat.com>
11184
11185 PR analyzer/93352
11186 * region-model.cc (int_cmp): Rename to...
11187 (array_region::key_cmp): ...this, using key_t rather than int.
11188 Rewrite in terms of comparisons rather than subtraction to
11189 ensure qsort is anti-symmetric when handling extreme values.
11190 (array_region::walk_for_canonicalization): Update for above
11191 renaming.
11192 * region-model.h (array_region::key_cmp): New decl.
11193
07c86323
DM		 111942020-01-17 David Malcolm <dmalcolm@redhat.com>
11195
11196 PR analyzer/93290
11197 * region-model.cc (region_model::eval_condition_without_cm): Avoid
11198 gcc_unreachable for unexpected operations for the case where
11199 we're comparing an svalue against itself.
11200
5f030383
DM		 112012020-01-17 David Malcolm <dmalcolm@redhat.com>
11202
11203 PR analyzer/93281
11204 * region-model.cc
11205 (region_model::convert_byte_offset_to_array_index): Convert to
11206 ssizetype before dividing by byte_size. Use fold_binary rather
11207 than fold_build2 to avoid needlessly constructing a tree for the
11208 non-const case.
11209
49e9a999
DM		 112102020-01-15 David Malcolm <dmalcolm@redhat.com>
11211
11212 * engine.cc (class impl_region_model_context): Fix comment.
11213
32077b69
DM		 112142020-01-14 David Malcolm <dmalcolm@redhat.com>
11215
11216 PR analyzer/93212
11217 * region-model.cc (make_region_for_type): Use
11218 FUNC_OR_METHOD_TYPE_P rather than comparing against FUNCTION_TYPE.
11219 * region-model.h (function_region::function_region): Likewise.
11220
7fb3669e
DM		 112212020-01-14 David Malcolm <dmalcolm@redhat.com>
11222
11223 * program-state.cc (sm_state_map::clone_with_remapping): Copy
11224 m_global_state.
11225 (selftest::test_program_state_merging_2): New selftest.
11226 (selftest::analyzer_program_state_cc_tests): Call it.
11227
e2a538b1
DM		 112282020-01-14 David Malcolm <dmalcolm@redhat.com>
11229
11230 * checker-path.h (checker_path::get_checker_event): New function.
11231 (checker_path): Add DISABLE_COPY_AND_ASSIGN; make fields private.
11232 * diagnostic-manager.cc
11233 (diagnostic_manager::prune_for_sm_diagnostic): Replace direct
11234 access to checker_path::m_events with accessor functions. Fix
11235 overlong line.
11236 (diagnostic_manager::prune_interproc_events): Replace direct
11237 access to checker_path::m_events with accessor functions.
11238 (diagnostic_manager::finish_pruning): Likewise.
11239
94946989
DM		 112402020-01-14 David Malcolm <dmalcolm@redhat.com>
11241
11242 * checker-path.h (checker_event::clone): Delete vfunc decl.
11243 (debug_event::clone): Delete vfunc impl.
11244 (custom_event::clone): Delete vfunc impl.
11245 (statement_event::clone): Delete vfunc impl.
11246 (function_entry_event::clone): Delete vfunc impl.
11247 (state_change_event::clone): Delete vfunc impl.
11248 (start_cfg_edge_event::clone): Delete vfunc impl.
11249 (end_cfg_edge_event::clone): Delete vfunc impl.
11250 (call_event::clone): Delete vfunc impl.
11251 (return_event::clone): Delete vfunc impl.
11252 (setjmp_event::clone): Delete vfunc impl.
11253 (rewind_from_longjmp_event::clone): Delete vfunc impl.
11254 (rewind_to_setjmp_event::clone): Delete vfunc impl.
11255 (warning_event::clone): Delete vfunc impl.
11256
718930c0
DM		 112572020-01-14 David Malcolm <dmalcolm@redhat.com>
11258
11259 * supergraph.cc (supernode::dump_dot): Ensure that the TABLE
11260 element has at least one TR.
11261
8397af8e
DM		 112622020-01-14 David Malcolm <dmalcolm@redhat.com>
11263
11264 PR analyzer/58237
11265 * engine.cc (leak_stmt_finder::find_stmt): Use get_pure_location
11266 when comparing against UNKNOWN_LOCATION.
11267 (stmt_requires_new_enode_p): Likewise.
11268 (exploded_graph::dump_exploded_nodes): Likewise.
11269 * supergraph.cc (supernode::get_start_location): Likewise.
11270 (supernode::get_end_location): Likewise.
11271
697251b7
DM		 112722020-01-14 David Malcolm <dmalcolm@redhat.com>
11273
11274 PR analyzer/58237
11275 * analyzer-selftests.cc (selftest::run_analyzer_selftests): Call
11276 selftest::analyzer_sm_file_cc_tests.
11277 * analyzer-selftests.h (selftest::analyzer_sm_file_cc_tests): New
11278 decl.
11279 * sm-file.cc: Include "analyzer/function-set.h" and
11280 "analyzer/analyzer-selftests.h".
11281 (get_file_using_fns): New function.
11282 (is_file_using_fn_p): New function.
11283 (fileptr_state_machine::on_stmt): Return true for known functions.
11284 (selftest::analyzer_sm_file_cc_tests): New function.
11285
4804c5fe
DM		 112862020-01-14 David Malcolm <dmalcolm@redhat.com>
11287
11288 * analyzer-selftests.cc (selftest::run_analyzer_selftests): Call
11289 selftest::analyzer_sm_signal_cc_tests.
11290 * analyzer-selftests.h (selftest::analyzer_sm_signal_cc_tests):
11291 New decl.
11292 * sm-signal.cc: Include "analyzer/function-set.h" and
11293 "analyzer/analyzer-selftests.h".
11294 (get_async_signal_unsafe_fns): New function.
11295 (signal_unsafe_p): Reimplement in terms of the above.
11296 (selftest::analyzer_sm_signal_cc_tests): New function.
11297
a6b5f19c
DM		 112982020-01-14 David Malcolm <dmalcolm@redhat.com>
11299
11300 * analyzer-selftests.cc (selftest::run_analyzer_selftests): Call
11301 selftest::analyzer_function_set_cc_tests.
11302 * analyzer-selftests.h (selftest::analyzer_function_set_cc_tests):
11303 New decl.
11304 * function-set.cc: New file.
11305 * function-set.h: New file.
11306
ef7827b0
DM		 113072020-01-14 David Malcolm <dmalcolm@redhat.com>
11308
11309 * analyzer.h (fndecl_has_gimple_body_p): New decl.
11310 * engine.cc (impl_region_model_context::on_unknown_change): New
11311 function.
11312 (fndecl_has_gimple_body_p): Make non-static.
11313 (exploded_node::on_stmt): Treat __analyzer_dump_exploded_nodes as
11314 known. Track whether we have a call with unknown side-effects and
11315 pass it to on_call_post.
11316 * exploded-graph.h (impl_region_model_context::on_unknown_change):
11317 New decl.
11318 * program-state.cc (sm_state_map::on_unknown_change): New function.
11319 * program-state.h (sm_state_map::on_unknown_change): New decl.
11320 * region-model.cc: Include "bitmap.h".
11321 (region_model::on_call_pre): Return a bool, capturing whether the
11322 call has unknown side effects.
11323 (region_model::on_call_post): Add arg "bool unknown_side_effects"
11324 and if true, call handle_unrecognized_call.
11325 (class reachable_regions): New class.
11326 (region_model::handle_unrecognized_call): New function.
11327 * region-model.h (region_model::on_call_pre): Return a bool.
11328 (region_model::on_call_post): Add arg "bool unknown_side_effects".
11329 (region_model::handle_unrecognized_call): New decl.
11330 (region_model_context::on_unknown_change): New vfunc.
11331 (test_region_model_context::on_unknown_change): New function.
11332
14f9d7b9
DM		 113332020-01-14 David Malcolm <dmalcolm@redhat.com>
11334
11335 * diagnostic-manager.cc (saved_diagnostic::operator==): Move here
11336 from header. Replace pointer equality test on m_var with call to
11337 pending_diagnostic::same_tree_p.
11338 * diagnostic-manager.h (saved_diagnostic::operator==): Move to
11339 diagnostic-manager.cc.
11340 * pending-diagnostic.cc (pending_diagnostic::same_tree_p): New.
11341 * pending-diagnostic.h (pending_diagnostic::same_tree_p): New.
11342 * sm-file.cc (file_diagnostic::subclass_equal_p): Replace pointer
11343 equality on m_arg with call to pending_diagnostic::same_tree_p.
11344 * sm-malloc.cc (malloc_diagnostic::subclass_equal_p): Likewise.
11345 (possible_null_arg::subclass_equal_p): Likewise.
11346 (null_arg::subclass_equal_p): Likewise.
11347 (free_of_non_heap::subclass_equal_p): Likewise.
11348 * sm-pattern-test.cc (pattern_match::operator==): Likewise.
11349 * sm-sensitive.cc (exposure_through_output_file::operator==):
11350 Likewise.
11351 * sm-taint.cc (tainted_array_index::operator==): Likewise.
11352
f474fbd5
DM		 113532020-01-14 David Malcolm <dmalcolm@redhat.com>
11354
11355 * diagnostic-manager.cc (dedupe_winners::add): Add logging
11356 of deduplication decisions made.
11357
757bf1df
DM		 113582020-01-14 David Malcolm <dmalcolm@redhat.com>
11359
11360 * ChangeLog: New file.
11361 * analyzer-selftests.cc: New file.
11362 * analyzer-selftests.h: New file.
11363 * analyzer.opt: New file.
11364 * analysis-plan.cc: New file.
11365 * analysis-plan.h: New file.
11366 * analyzer-logging.cc: New file.
11367 * analyzer-logging.h: New file.
11368 * analyzer-pass.cc: New file.
11369 * analyzer.cc: New file.
11370 * analyzer.h: New file.
11371 * call-string.cc: New file.
11372 * call-string.h: New file.
11373 * checker-path.cc: New file.
11374 * checker-path.h: New file.
11375 * constraint-manager.cc: New file.
11376 * constraint-manager.h: New file.
11377 * diagnostic-manager.cc: New file.
11378 * diagnostic-manager.h: New file.
11379 * engine.cc: New file.
11380 * engine.h: New file.
11381 * exploded-graph.h: New file.
11382 * pending-diagnostic.cc: New file.
11383 * pending-diagnostic.h: New file.
11384 * program-point.cc: New file.
11385 * program-point.h: New file.
11386 * program-state.cc: New file.
11387 * program-state.h: New file.
11388 * region-model.cc: New file.
11389 * region-model.h: New file.
11390 * sm-file.cc: New file.
11391 * sm-malloc.cc: New file.
11392 * sm-malloc.dot: New file.
11393 * sm-pattern-test.cc: New file.
11394 * sm-sensitive.cc: New file.
11395 * sm-signal.cc: New file.
11396 * sm-taint.cc: New file.
11397 * sm.cc: New file.
11398 * sm.h: New file.
11399 * state-purge.cc: New file.
11400 * state-purge.h: New file.
11401 * supergraph.cc: New file.
11402 * supergraph.h: New file.
11403
114042019-12-13 David Malcolm <dmalcolm@redhat.com>
11405
11406 * Initial creation
11407
11408\f
68127a8e 11409Copyright (C) 2019-2023 Free Software Foundation, Inc.
757bf1df
DM		 11410
11411Copying and distribution of this file, with or without modification,
11412are permitted in any medium without royalty provided the copyright
11413notice and this notice are preserved.
Mirror of https://gcc.gnu.org/git/gcc.git