[thirdparty/gcc.git] / gcc / analyzer / ChangeLog

2022-11-19  David Malcolm  <dmalcolm@redhat.com>

	PR analyzer/107582
	* engine.cc (dynamic_call_info_t::update_model): Update the model
	by pushing or popping a frame, rather than by clobbering it with the
	model from the exploded_node's state.

2022-11-18  David Malcolm  <dmalcolm@redhat.com>

	* analyzer.cc (is_pipe_call_p): Delete.
	* analyzer.h (is_pipe_call_p): Delete.
	* region-model-impl-calls.cc (call_details::get_location): New.
	(class kf_analyzer_break): New, adapted from
	region_model::on_stmt_pre.
	(region_model::impl_call_analyzer_describe): Convert to...
	(class kf_analyzer_describe): ...this.
	(region_model::impl_call_analyzer_dump_capacity): Convert to...
	(class kf_analyzer_dump_capacity): ...this.
	(region_model::impl_call_analyzer_dump_escaped): Convert to...
	(class kf_analyzer_dump_escaped): ...this.
	(class kf_analyzer_dump_exploded_nodes): New.
	(region_model::impl_call_analyzer_dump_named_constant): Convert
	to...
	(class kf_analyzer_dump_named_constant): ...this.
	(class dump_path_diagnostic): Move here from region-model.cc.
	(class kf_analyzer_dump_path): New, adapted from
	region_model::on_stmt_pre.
	(class kf_analyzer_dump_region_model): Likewise.
	(region_model::impl_call_analyzer_eval): Convert to...
	(class kf_analyzer_eval): ...this.
	(region_model::impl_call_analyzer_get_unknown_ptr): Convert to...
	(class kf_analyzer_get_unknown_ptr): ...this.
	(class known_function_accept): Rename to...
	(class kf_accept): ...this.
	(class known_function_bind): Rename to...
	(class kf_bind): ...this.
	(class known_function_connect): Rename to...
	(class kf_connect): ...this.
	(region_model::impl_call_errno_location): Convert to...
	(class kf_errno_location): ...this.
	(class known_function_listen): Rename to...
	(class kf_listen): ...this.
	(region_model::impl_call_pipe): Convert to...
	(class kf_pipe): ...this.
	(region_model::impl_call_putenv): Convert to...
	(class kf_putenv): ...this.
	(region_model::impl_call_operator_new): Convert to...
	(class kf_operator_new): ...this.
	(region_model::impl_call_operator_delete): Convert to...
	(class kf_operator_delete): ...this.
	(class known_function_socket): Rename to...
	(class kf_socket): ...this.
	(register_known_functions): Rename param to KFM. Break out
	existing known functions into a "POSIX" section, and add "pipe",
	"pipe2", and "putenv". Add debugging functions
	"__analyzer_break", "__analyzer_describe",
	"__analyzer_dump_capacity", "__analyzer_dump_escaped",
	"__analyzer_dump_exploded_nodes",
	"__analyzer_dump_named_constant", "__analyzer_dump_path",
	"__analyzer_dump_region_model", "__analyzer_eval",
	"__analyzer_get_unknown_ptr". Add C++ support functions
	"operator new", "operator new []", "operator delete", and
	"operator delete []".
	* region-model.cc (class dump_path_diagnostic): Move to
	region-model-impl-calls.cc.
	(region_model::on_stmt_pre): Eliminate special-casing of
	"__analyzer_describe", "__analyzer_dump_capacity",
	"__analyzer_dump_escaped", "__analyzer_dump_named_constant",
	"__analyzer_dump_path", "__analyzer_dump_region_model",
	"__analyzer_eval", "__analyzer_break",
	"__analyzer_dump_exploded_nodes", "__analyzer_get_unknown_ptr",
	"__errno_location", "pipe", "pipe2", "putenv", "operator new",
	"operator new []", "operator delete", "operator delete []",
	"pipe" and "pipe2", handling them instead via the known_functions
	mechanism.
	* region-model.h (call_details::get_location): New decl.
	(region_model::impl_call_analyzer_describe): Delete decl.
	(region_model::impl_call_analyzer_dump_capacity): Delete decl.
	(region_model::impl_call_analyzer_dump_escaped): Delete decl.
	(region_model::impl_call_analyzer_dump_named_constant): Delete decl.
	(region_model::impl_call_analyzer_eval): Delete decl.
	(region_model::impl_call_analyzer_get_unknown_ptr): Delete decl.
	(region_model::impl_call_errno_location): Delete decl.
	(region_model::impl_call_pipe): Delete decl.
	(region_model::impl_call_putenv): Delete decl.
	(region_model::impl_call_operator_new): Delete decl.
	(region_model::impl_call_operator_delete): Delete decl.
	* sm-fd.cc: Update comments.

2022-11-16  David Malcolm  <dmalcolm@redhat.com>

	PR analyzer/107711
	* analyzer-language.cc: Include "diagnostic.h".
	(maybe_stash_named_constant): Add logger param and use it to log
	the name being looked up, and the result.
	(stash_named_constants): New, splitting out from...
	(on_finish_translation_unit): ...this function. Call
	get_or_create_logfile and use the result to create a logger
	instance, passing it to stash_named_constants.
	* analyzer.h (get_or_create_any_logfile): New decl.
	* engine.cc (dump_fout, owns_dump_fout): New globals, split out
	from run_checkers.
	(get_or_create_any_logfile): New function, split out from...
	(run_checkers): ...here, so that the logfile can be opened by
	on_finish_translation_unit. Clear the globals when closing the
	dump file.

2022-11-16  David Malcolm  <dmalcolm@redhat.com>

	* analyzer.h (known_function::matches_call_types_p): New vfunc.
	(known_function::impl_call_pre): Provide base implementation.
	(known_function::impl_call_post): New vfunc.
	(register_known_functions): New.
	* engine.cc (impl_run_checkers): Call register_known_functions.
	* region-model-impl-calls.cc (region_model::impl_call_accept):
	Convert to...
	(class known_function_accept): ...this.
	(region_model::impl_call_bind): Convert to...
	(class known_function_bind): ...this.
	(region_model::impl_call_connect): Convert to...
	(class known_function_connect): ...this.
	(region_model::impl_call_listen): Convert to...
	(class known_function_listen): ...this.
	(region_model::impl_call_socket): Convert to...
	(class known_function_socket): ...this.
	(register_known_functions): New.
	* region-model.cc (region_model::on_call_pre): Remove special
	case for "bind" in favor of the known_function-handling dispatch.
	Add call to known_function::matches_call_types_p to latter.
	(region_model::on_call_post): Remove special cases for "accept",
	"bind", "connect", "listen", and "socket" in favor of dispatch
	to known_function::impl_call_post.
	* region-model.h (region_model::impl_call_accept): Delete decl.
	(region_model::impl_call_bind): Delete decl.
	(region_model::impl_call_connect): Delete decl.
	(region_model::impl_call_listen): Delete decl.
	(region_model::impl_call_socket): Delete decl.
	* sm-fd.cc: Update comments.

2022-11-16  David Malcolm  <dmalcolm@redhat.com>

	* checker-event.cc: New file, split out from...
	* checker-path.cc: ...this file.

2022-11-15  David Malcolm  <dmalcolm@redhat.com>

	PR analyzer/106140
	* analyzer-language.cc (on_finish_translation_unit): Stash named
	constants "SOCK_STREAM" and "SOCK_DGRAM".
	* analyzer.opt (Wanalyzer-fd-phase-mismatch): New.
	(Wanalyzer-fd-type-mismatch): New.
	* engine.cc (impl_region_model_context::get_state_map_by_name):
	Add "out_sm_context" param. Allow out_sm_idx to be NULL.
	* exploded-graph.h
	(impl_region_model_context::get_state_map_by_name):
	Add "out_sm_context" param.
	* region-model-impl-calls.cc (region_model::impl_call_accept): New.
	(region_model::impl_call_bind): New.
	(region_model::impl_call_connect): New.
	(region_model::impl_call_listen): New.
	(region_model::impl_call_socket): New.
	* region-model.cc (region_model::on_call_pre): Special-case
	"bind".
	(region_model::on_call_post): Special-case "accept", "bind",
	"connect", "listen", and "socket".
	* region-model.h (region_model::impl_call_accept): New decl.
	(region_model::impl_call_bind): New decl.
	(region_model::impl_call_connect): New decl.
	(region_model::impl_call_listen): New decl.
	(region_model::impl_call_socket): New decl.
	(region_model::on_socket): New decl.
	(region_model::on_bind): New decl.
	(region_model::on_listen): New decl.
	(region_model::on_accept): New decl.
	(region_model::on_connect): New decl.
	(region_model::add_constraint): Make public.
	(region_model::check_for_poison): Make public.
	(region_model_context::get_state_map_by_name): Add out_sm_context param.
	(region_model_context::get_fd_map): Likewise.
	(region_model_context::get_malloc_map): Likewise.
	(region_model_context::get_taint_map): Likewise.
	(noop_region_model_context::get_state_map_by_name): Likewise.
	(region_model_context_decorator::get_state_map_by_name): Likewise.
	* sm-fd.cc: Include "analyzer/supergraph.h" and
	"analyzer/analyzer-language.h".
	(enum expected_phase): New enum.
	(fd_state_machine::m_new_datagram_socket): New.
	(fd_state_machine::m_new_stream_socket): New.
	(fd_state_machine::m_new_unknown_socket): New.
	(fd_state_machine::m_bound_datagram_socket): New.
	(fd_state_machine::m_bound_stream_socket): New.
	(fd_state_machine::m_bound_unknown_socket): New.
	(fd_state_machine::m_listening_stream_socket): New.
	(fd_state_machine::m_m_connected_stream_socket): New.
	(fd_state_machine::m_SOCK_STREAM): New.
	(fd_state_machine::m_SOCK_DGRAM): New.
	(fd_diagnostic::describe_state_change): Handle socket states.
	(fd_diagnostic::get_meaning_for_state_change): Likewise.
	(class fd_phase_mismatch): New.
	(enum expected_type): New enum.
	(class fd_type_mismatch): New.
	(fd_state_machine::fd_state_machine): Initialize new states and
	stashed named constants.
	(fd_state_machine::is_socket_fd_p): New.
	(fd_state_machine::is_datagram_socket_fd_p): New.
	(fd_state_machine::is_stream_socket_fd_p): New.
	(fd_state_machine::on_close): Handle the socket states.
	(fd_state_machine::check_for_open_fd): Complain about fncalls on
	sockets in the wrong phase. Support socket FDs.
	(add_constraint_ge_zero): New.
	(fd_state_machine::get_state_for_socket_type): New.
	(fd_state_machine::on_socket): New.
	(fd_state_machine::check_for_socket_fd): New.
	(fd_state_machine::check_for_new_socket_fd): New.
	(fd_state_machine::on_bind): New.
	(fd_state_machine::on_listen): New.
	(fd_state_machine::on_accept): New.
	(fd_state_machine::on_connect): New.
	(fd_state_machine::can_purge_p): Don't purge socket values.
	(get_fd_state): New.
	(region_model::mark_as_valid_fd): Use get_fd_state.
	(region_model::on_socket): New.
	(region_model::on_bind): New.
	(region_model::on_listen): New.
	(region_model::on_accept): New.
	(region_model::on_connect): New.
	* sm-fd.dot: Update to reflect sm-fd.cc changes.

2022-11-15  David Malcolm  <dmalcolm@redhat.com>

	PR analyzer/106302
	* analyzer-language.cc: New file.
	* analyzer-language.h: New file.
	* analyzer.h (get_stashed_constant_by_name): New decl.
	(log_stashed_constants): New decl.
	* engine.cc (impl_run_checkers): Call log_stashed_constants.
	* region-model-impl-calls.cc
	(region_model::impl_call_analyzer_dump_named_constant): New.
	* region-model.cc (region_model::on_stmt_pre): Handle
	__analyzer_dump_named_constant.
	* region-model.h
	(region_model::impl_call_analyzer_dump_named_constant): New decl.
	* sm-fd.cc (fd_state_machine::m_O_ACCMODE): New.
	(fd_state_machine::m_O_RDONLY): New.
	(fd_state_machine::m_O_WRONLY): New.
	(fd_state_machine::fd_state_machine): Initialize the new fields.
	(fd_state_machine::get_access_mode_from_flag): Use the new fields,
	rather than using the host values.

2022-11-13  David Malcolm  <dmalcolm@redhat.com>

	PR analyzer/106235
	* analyzer.opt (Wanalyzer-tainted-assertion): New.
	* checker-path.cc (checker_path::fixup_locations): Pass false to
	pending_diagnostic::fixup_location.
	* diagnostic-manager.cc (get_emission_location): Pass true to
	pending_diagnostic::fixup_location.
	* pending-diagnostic.cc (pending_diagnostic::fixup_location): Add
	bool param.
	* pending-diagnostic.h (pending_diagnostic::fixup_location): Add
	bool param to decl.
	* sm-taint.cc (taint_state_machine::m_tainted_control_flow): New.
	(taint_diagnostic::describe_state_change): Drop "final".
	(class tainted_assertion): New.
	(taint_state_machine::taint_state_machine): Initialize
	m_tainted_control_flow.
	(taint_state_machine::alt_get_inherited_state): Support
	comparisons being tainted, based on their arguments.
	(is_assertion_failure_handler_p): New.
	(taint_state_machine::on_stmt): Complain about calls to assertion
	failure handlers guarded by an attacker-controlled conditional.
	Detect attacker-controlled gcond conditionals and gswitch index
	values.
	(taint_state_machine::check_control_flow_arg_for_taint): New.

2022-11-11  David Malcolm  <dmalcolm@redhat.com>

	* sm-fd.dot: Fix typo in comment.
	* sm-file.dot: New file.
	* varargs.cc: Fix typo in comment.
	* varargs.dot: New file.

2022-11-11  David Malcolm  <dmalcolm@redhat.com>

	* checker-path.h: Split out checker_event and its subclasses to...
	* checker-event.h: ...this new header.

2022-11-11  David Malcolm  <dmalcolm@redhat.com>

	PR analyzer/106147
	* analyzer.opt (Wanalyzer-infinite-recursion): New.
	* call-string.cc (call_string::count_occurrences_of_function):
	New.
	* call-string.h (call_string::count_occurrences_of_function): New
	decl.
	* checker-path.cc (function_entry_event::function_entry_event):
	New ctor.
	(checker_path::add_final_event): Delete.
	* checker-path.h (function_entry_event::function_entry_event): New
	ctor.
	(function_entry_event::get_desc): Drop "final".
	(checker_path::add_final_event): Delete.
	* diagnostic-manager.cc
	(diagnostic_manager::emit_saved_diagnostic): Create the final
	event via a new pending_diagnostic::add_final_event vfunc, rather
	than checker_path::add_final_event.
	(diagnostic_manager::add_events_for_eedge): Create function entry
	events via a new pending_diagnostic::add_function_entry_event
	vfunc.
	* engine.cc (exploded_graph::process_node): When creating a new
	PK_BEFORE_SUPERNODE node, call
	exploded_graph::detect_infinite_recursion on it after adding the
	in-edge.
	* exploded-graph.h (exploded_graph::detect_infinite_recursion):
	New decl.
	(exploded_graph::find_previous_entry_to): New decl.
	* infinite-recursion.cc: New file.
	* pending-diagnostic.cc
	(pending_diagnostic::add_function_entry_event): New.
	(pending_diagnostic::add_final_event): New.
	* pending-diagnostic.h
	(pending_diagnostic::add_function_entry_event): New vfunc.
	(pending_diagnostic::add_final_event): New vfunc.

2022-11-10  David Malcolm  <dmalcolm@redhat.com>

	PR analyzer/99671
	* analyzer.opt (Wanalyzer-deref-before-check): New warning.
	* diagnostic-manager.cc
	(null_assignment_sm_context::set_next_state): Only add state
	change events for transition to "null" state.
	(null_assignment_sm_context::is_transition_to_null): New.
	* engine.cc (impl_region_model_context::on_pop_frame): New.
	* exploded-graph.h (impl_region_model_context::on_pop_frame): New
	decl.
	* program-state.cc (sm_state_map::clear_any_state): New.
	(sm_state_map::can_merge_with_p): New.
	(program_state::can_merge_with_p): Replace requirement that
	sm-states be equal in favor of an attempt to merge them.
	* program-state.h (sm_state_map::clear_any_state): New decl.
	(sm_state_map::can_merge_with_p): New decl.
	* region-model.cc (region_model::eval_condition): Make const.
	(region_model::pop_frame): Call ctxt->on_pop_frame.
	* region-model.h (region_model::eval_condition): Make const.
	(region_model_context::on_pop_frame): New vfunc.
	(noop_region_model_context::on_pop_frame): New.
	(region_model_context_decorator::on_pop_frame): New.
	* sm-malloc.cc (enum resource_state): Add RS_ASSUMED_NON_NULL.
	(allocation_state::dump_to_pp): Drop "final".
	(struct assumed_non_null_state): New subclass.
	(malloc_state_machine::m_assumed_non_null): New.
	(assumed_non_null_p): New.
	(class deref_before_check): New.
	(assumed_non_null_state::dump_to_pp): New.
	(malloc_state_machine::get_or_create_assumed_non_null_state_for_frame):
	New.
	(malloc_state_machine::maybe_assume_non_null): New.
	(malloc_state_machine::on_stmt): Transition from start state to
	"assumed-non-null" state for pointers passed to
	__attribute__((nonnull)) arguments, and for pointers explicitly
	dereferenced. Call maybe_complain_about_deref_before_check for
	pointers explicitly compared against NULL.
	(malloc_state_machine::maybe_complain_about_deref_before_check):
	New.
	(malloc_state_machine::on_deallocator_call): Also transition
	"assumed-non-null" states to "freed".
	(malloc_state_machine::on_pop_frame): New.
	(malloc_state_machine::maybe_get_merged_states_nonequal): New.
	* sm-malloc.dot: Update for changes to sm-malloc.cc.
	* sm.h (state_machine::on_pop_frame): New.
	(state_machine::maybe_get_merged_state): New.
	(state_machine::maybe_get_merged_states_nonequal): New.

2022-11-09  David Malcolm  <dmalcolm@redhat.com>

	* checker-path.cc (checker_event::debug): New.
	(checker_path::add_event): Move here from checker-path.h. Add
	logging.
	* checker-path.h (checker_event::debug): New decl.
	(checker_path::checker_path): Add logger param.
	(checker_path::add_event): Move definition from here to
	checker-path.cc.
	(checker_path::m_logger): New field.
	* diagnostic-manager.cc
	(diagnostic_manager::emit_saved_diagnostic): Pass logger to
	checker_path ctor.
	(diagnostic_manager::add_events_for_eedge): Log scope when
	processing a run of stmts.

2022-11-08  David Malcolm  <dmalcolm@redhat.com>

	PR analyzer/101962
	* region-model-impl-calls.cc: Update comment.
	* region-model.cc (region_model::check_symbolic_bounds): Fix
	layout of "void" return. Replace usage of
	eval_condition_without_cm with eval_condition.
	(region_model::eval_condition): Take over body of...
	(region_model::eval_condition_without_cm): ...this subroutine,
	dropping the latter. Eliminating this distinction avoids issues
	where constraints were not considered when recursing.
	(region_model::compare_initial_and_pointer): Update comment.
	(region_model::symbolic_greater_than): Replace usage of
	eval_condition_without_cm with eval_condition.
	* region-model.h
	(region_model::eval_condition_without_cm): Delete decl.

2022-11-08  David Malcolm  <dmalcolm@redhat.com>

	* region-model-impl-calls.cc
	(region_model::impl_call_errno_location): New.
	* region-model-manager.cc
	(region_model_manager::region_model_manager): Initialize
	m_thread_local_region and m_errno_region.
	* region-model-manager.h (region_model_manager::get_errno_region):
	New accessor.
	(region_model_manager::m_thread_local_region): New.
	(region_model_manager::m_errno_region): New.
	* region-model.cc (region_model::on_call_pre): Special-case
	"__errno_location".
	(region_model::set_errno): New.
	* region-model.h (impl_call_errno_location): New decl.
	(region_model::set_errno): New decl.
	* region.cc (thread_local_region::dump_to_pp): New.
	(errno_region::dump_to_pp): New.
	* region.h (enum memory_space): Add MEMSPACE_THREAD_LOCAL.
	(enum region_kind): Add RK_THREAD_LOCAL and RK_ERRNO.
	(class thread_local_region): New.
	(is_a_helper <const thread_local_region *>::test): New.
	(class errno_region): New.
	(is_a_helper <const errno_region *>::test): New.
	* store.cc (binding_cluster::escaped_p): New.
	(store::escaped_p): Treat errno as always having escaped.
	(store::replay_call_summary_cluster): Handle RK_THREAD_LOCAL and
	RK_ERRNO.
	* store.h (binding_cluster::escaped_p): Remove definition.

2022-11-08  David Malcolm  <dmalcolm@redhat.com>

	* call-info.cc (success_call_info::get_desc): Delete.
	(failed_call_info::get_desc): Likewise.
	(succeed_or_fail_call_info::get_desc): New.
	* call-info.h (class succeed_or_fail_call_info): New.
	(class success_call_info): Convert to a subclass of
	succeed_or_fail_call_info.
	(class failed_call_info): Likewise.

2022-11-08  David Malcolm  <dmalcolm@redhat.com>

	* region-model-impl-calls.cc (region_model::impl_call_strchr):
	Move to on_call_post. Handle both outcomes using bifurcation,
	rather than just the "not found" case.
	* region-model.cc (region_model::on_call_pre): Move
	BUILT_IN_STRCHR and "strchr" to...
	(region_model::on_call_post): ...here.

2022-11-03  David Malcolm  <dmalcolm@redhat.com>

	* analyzer.h: Use std::unique_ptr for state machines from plugins.
	* engine.cc: Likewise.

2022-11-03  David Malcolm  <dmalcolm@redhat.com>

	* analyzer.h: Use std::unique_ptr for known functions.
	* engine.cc: Likewise.
	* known-function-manager.cc: Likewise.
	* known-function-manager.h: Likewise.

2022-11-03  David Malcolm  <dmalcolm@redhat.com>

	* analysis-plan.cc: Define INCLUDE_MEMORY before including
	system.h.
	* analyzer-pass.cc: Likewise.
	* analyzer-selftests.cc: Likewise.
	* analyzer.cc: Likewise.
	* analyzer.h: Use std::unique_ptr in bifurcation code.
	* call-string.cc: Define INCLUDE_MEMORY before including system.h.
	* complexity.cc: Likewise.
	* engine.cc: Use std::unique_ptr in bifurcation code.
	* exploded-graph.h: Likewise.
	* known-function-manager.cc: Define INCLUDE_MEMORY before
	including system.h.
	* region-model-impl-calls.cc: Use std::unique_ptr in bifurcation
	code.
	* region-model.cc: Likewise.
	* region-model.h: Likewise.
	* supergraph.cc: Define INCLUDE_MEMORY before including system.h.

2022-11-03  David Malcolm  <dmalcolm@redhat.com>

	* call-info.cc: Use std::unique_ptr for checker_event.
	* checker-path.cc: Likewise.
	* checker-path.h: Likewise.
	* diagnostic-manager.cc: Likewise.
	* engine.cc: Likewise.
	* pending-diagnostic.cc: Likewise.
	* sm-signal.cc: Likewise.
	* varargs.cc: Likewise.

2022-11-03  David Malcolm  <dmalcolm@redhat.com>

	* diagnostic-manager.cc: Include "make-unique.h".
	Use std::unique_ptr for feasibility_problems and exploded_path.
	Delete explicit saved_diagnostic dtor.
	* diagnostic-manager.h: Likewise.
	* engine.cc: Likewise.
	* exploded-graph.h: Likewise.
	* feasible-graph.cc: Likewise.
	* feasible-graph.h: Likewise.

2022-11-03  David Malcolm  <dmalcolm@redhat.com>

	* checker-path.cc (rewind_event::rewind_event): Update for usage of
	std::unique_ptr on custom_edge_info.
	* engine.cc (exploded_node::on_longjmp): Likewise.
	(exploded_edge::exploded_edge): Likewise.
	(exploded_edge::~exploded_edge): Delete.
	(exploded_graph::add_function_entry): Update for usage of
	std::unique_ptr on custom_edge_info.
	(exploded_graph::add_edge): Likewise.
	(add_tainted_args_callback): Likewise.
	(exploded_graph::maybe_create_dynamic_call): Likewise.
	(exploded_graph::process_node): Likewise.
	* exploded-graph.h (exploded_edge::~exploded_edge): Delete.
	(exploded_edge::m_custom_info): Use std::unique_ptr.
	(exploded_edge::add_edge): Likewise.
	* sm-signal.cc (register_signal_handler::impl_transition): Use
	make_unique.

2022-11-03  David Malcolm  <dmalcolm@redhat.com>

	* diagnostic-manager.cc (saved_diagnostic::saved_diagnostic): Make
	stmt_finder const.
	(saved_diagnostic::~saved_diagnostic): Remove explicit delete of
	m_stmt_finder.
	(diagnostic_manager::add_diagnostic): Make stmt_finder const.
	* diagnostic-manager.h (saved_diagnostic::saved_diagnostic):
	Likewise.
	(saved_diagnostic::m_stmt_finder): Convert to std::unique_ptr.
	(diagnostic_manager::add_diagnostic): Make stmt_finder const.
	* engine.cc (impl_sm_context::impl_sm_context): Likewise.
	(impl_sm_context::m_stmt_finder): Likewise.
	(leak_stmt_finder::clone): Convert return type to std::unique_ptr.
	* exploded-graph.h (stmt_finder::clone): Likewise.

2022-11-03  David Malcolm  <dmalcolm@redhat.com>

	* call-info.cc: Add define of INCLUDE_MEMORY.
	* call-summary.cc: Likewise.
	* checker-path.cc: Likewise.
	* constraint-manager.cc: Likewise.
	* diagnostic-manager.cc: Likewise.
	(saved_diagnostic::saved_diagnostic): Use std::unique_ptr for
	param d and field m_d.
	(saved_diagnostic::~saved_diagnostic): Remove explicit delete of m_d.
	(saved_diagnostic::add_note): Use std::unique_ptr for
	param pn.
	(saved_diagnostic::get_pending_diagnostic): Update for conversion
	of m_sd.m_d to unique_ptr.
	(diagnostic_manager::add_diagnostic): Use std::unique_ptr for
	param d. Remove explicit deletion.
	(diagnostic_manager::add_note): Use std::unique_ptr for param pn.
	(diagnostic_manager::emit_saved_diagnostic): Update for conversion
	of m_sd.m_d to unique_ptr.
	(null_assignment_sm_context::warn): Use std::unique_ptr for
	param d. Remove explicit deletion.
	* diagnostic-manager.h (saved_diagnostic::saved_diagnostic): Use
	std::unique_ptr for param d.
	(saved_diagnostic::add_note): Likewise for param pn.
	(saved_diagnostic::m_d): Likewise.
	(diagnostic_manager::add_diagnostic): Use std::unique_ptr for
	param d.
	(diagnostic_manager::add_note): Use std::unique_ptr for param pn.
	* engine.cc: Include "make-unique.h".
	(impl_region_model_context::warn): Update to use std::unique_ptr
	for param, removing explicit deletion.
	(impl_region_model_context::add_note): Likewise.
	(impl_sm_context::warn): Update to use std::unique_ptr
	for param.
	(impl_region_model_context::on_state_leak): Likewise for result of
	on_leak.
	(exploded_node::on_longjmp): Use make_unique when creating
	pending_diagnostic.
	(exploded_graph::process_node): Likewise.
	* exploded-graph.h (impl_region_model_context::warn): Update to
	use std::unique_ptr for param.
	(impl_region_model_context::add_note): Likewise.
	* feasible-graph.cc: Add define of INCLUDE_MEMORY.
	* pending-diagnostic.cc: Likewise.
	* pending-diagnostic.h: Include "analyzer/sm.h".
	* program-point.cc: Add define of INCLUDE_MEMORY.
	* program-state.cc: Likewise.
	* region-model-asm.cc: Likewise.
	* region-model-impl-calls.cc: Likewise. Include "make-unique.h".
	(region_model::impl_call_putenv): Use make_unique when creating
	pending_diagnostic.
	* region-model-manager.cc: Add define of INCLUDE_MEMORY.
	* region-model-reachability.cc: Likewise.
	* region-model.cc: Likewise. Include "make-unique.h".
	(region_model::get_gassign_result): Use make_unique when creating
	pending_diagnostic.
	(region_model::check_for_poison): Likewise.
	(region_model::on_stmt_pre): Likewise.
	(region_model::check_symbolic_bounds): Likewise.
	(region_model::check_region_bounds): Likewise.
	(annotating_ctxt::make_note): Use std::unique_ptr for result.
	(region_model::deref_rvalue): Use make_unique when creating
	pending_diagnostic.
	(region_model::check_for_writable_region): Likewise.
	(region_model::check_region_size): Likewise.
	(region_model::check_dynamic_size_for_floats): Likewise.
	(region_model::maybe_complain_about_infoleak): Likewise.
	(noop_region_model_context::add_note): Use std::unique_ptr for
	param. Remove explicit deletion.
	* region-model.h: Include "analyzer/pending-diagnostic.h".
	(region_model_context::warn): Convert param to std::unique_ptr.
	(region_model_context::add_note): Likewise.
	(noop_region_model_context::warn): Likewise.
	(noop_region_model_context::add_note): Likewise.
	(region_model_context_decorator::warn): Likewise.
	(region_model_context_decorator::add_note): Likewise.
	(note_adding_context::warn): Likewise.
	(note_adding_context::make_note): Likewise for return type.
	(test_region_model_context::warn): Convert param to
	std::unique_ptr.
	* region.cc: Add define of INCLUDE_MEMORY.
	* sm-fd.cc: Likewise. Include "make-unique.h".
	(fd_state_machine::check_for_fd_attrs): Use make_unique when
	creating pending_diagnostics.
	(fd_state_machine::on_open): Likewise.
	(fd_state_machine::on_creat): Likewise.
	(fd_state_machine::check_for_dup): Likewise.
	(fd_state_machine::on_close): Likewise.
	(fd_state_machine::check_for_open_fd): Likewise.
	(fd_state_machine::on_leak): Likewise, converting return type to
	std::unique_ptr.
	* sm-file.cc: Add define of INCLUDE_MEMORY. Include
	"make-unique.h".
	(fileptr_state_machine::on_stmt): Use make_unique when creating
	pending_diagnostic.
	(fileptr_state_machine::on_leak): Likewise, converting return type
	to std::unique_ptr.
	* sm-malloc.cc: Add define of INCLUDE_MEMORY. Include
	"make-unique.h".
	(malloc_state_machine::on_stmt): Use make_unique when creating
	pending_diagnostic.
	(malloc_state_machine::handle_free_of_non_heap): Likewise.
	(malloc_state_machine::on_deallocator_call): Likewise.
	(malloc_state_machine::on_realloc_call): Likewise.
	(malloc_state_machine::on_leak): Likewise, converting return type
	to std::unique_ptr.
	* sm-pattern-test.cc: Add define of INCLUDE_MEMORY. Include
	"make-unique.h".
	(pattern_test_state_machine::on_condition): Use make_unique when
	creating pending_diagnostic.
	* sm-sensitive.cc: Add define of INCLUDE_MEMORY. Include
	"make-unique.h".
	(sensitive_state_machine::warn_for_any_exposure): Use make_unique
	when creating pending_diagnostic.
	* sm-signal.cc: Add define of INCLUDE_MEMORY. Include
	"make-unique.h".
	(signal_state_machine::on_stmt): Use make_unique when creating
	pending_diagnostic.
	* sm-taint.cc: Add define of INCLUDE_MEMORY. Include
	"make-unique.h".
	(taint_state_machine::check_for_tainted_size_arg): Use make_unique
	when creating pending_diagnostic.
	(taint_state_machine::check_for_tainted_divisor): Likewise.
	(region_model::check_region_for_taint): Likewise.
	(region_model::check_dynamic_size_for_taint): Likewise.
	* sm.cc: Add define of INCLUDE_MEMORY. Include
	"analyzer/pending-diagnostic.h".
	(state_machine::on_leak): Move here from sm.h, changing return
	type to std::unique_ptr.
	* sm.h (state_machine::on_leak): Change return type to
	std::unique_ptr. Move defn of base impl to sm.cc.
	(sm_context::warn): Convert param d to std::unique_ptr.
	* state-purge.cc: Add define of INCLUDE_MEMORY.
	* store.cc: Likewise.
	* svalue.cc: Likewise.
	* trimmed-graph.cc: Likewise.
	* varargs.cc: Likewise. Include "make-unique.h".
	(va_list_state_machine::check_for_ended_va_list): Use make_unique
	when creating pending_diagnostic.
	(va_list_state_machine::on_leak): Likewise, converting return type
	to std::unique_ptr.
	(region_model::impl_call_va_arg): Use make_unique when creating
	pending_diagnostic.

2022-11-03  David Malcolm  <dmalcolm@redhat.com>

	PR analyzer/107486
	* analyzer.cc (is_pipe_call_p): New.
	* analyzer.h (is_pipe_call_p): New decl.
	* region-model.cc (region_model::on_call_pre): Use it.
	(region_model::on_call_post): Likewise.

2022-10-26  David Malcolm  <dmalcolm@redhat.com>

	* sm-fd.cc (fd_state_machine::on_open): Transition to "unchecked"
	when the mode is symbolic, rather than just on integer constants.
	(fd_state_machine::check_for_open_fd): Don't complain about
	unchecked values in the start state.

2022-10-26  David Malcolm  <dmalcolm@redhat.com>

	* sm-fd.dot: New file.

4e939ae1
GA
2022-10-24  David Malcolm  <dmalcolm@redhat.com>

	PR analyzer/107349
	* varargs.cc (get_va_copy_arg): Fix the non-pointer case.

2022-10-24  David Malcolm  <dmalcolm@redhat.com>

	PR analyzer/107345
	* region-model.cc (region_model::eval_condition_without_cm):
	Ensure that constants are on the right-hand side before checking
	for them.

2022-10-24  David Malcolm  <dmalcolm@redhat.com>

	* engine.cc (impl_region_model_context::get_malloc_map): Replace
	with...
	(impl_region_model_context::get_state_map_by_name): ...this.
	(impl_region_model_context::get_fd_map): Delete.
	(impl_region_model_context::get_taint_map): Delete.
	* exploded-graph.h (impl_region_model_context::get_fd_map):
	Delete.
	(impl_region_model_context::get_malloc_map): Delete.
	(impl_region_model_context::get_taint_map): Delete.
	(impl_region_model_context::get_state_map_by_name): New.
	* region-model.h (region_model_context::get_state_map_by_name):
	New vfunc.
	(region_model_context::get_fd_map): Convert from vfunc to
	function.
	(region_model_context::get_malloc_map): Likewise.
	(region_model_context::get_taint_map): Likewise.
	(noop_region_model_context::get_state_map_by_name): New.
	(noop_region_model_context::get_fd_map): Delete.
	(noop_region_model_context::get_malloc_map): Delete.
	(noop_region_model_context::get_taint_map): Delete.
	(region_model_context_decorator::get_state_map_by_name): New.
	(region_model_context_decorator::get_fd_map): Delete.
	(region_model_context_decorator::get_malloc_map): Delete.
	(region_model_context_decorator::get_taint_map): Delete.

2022-10-24  David Malcolm  <dmalcolm@redhat.com>

	PR analyzer/106300
	* engine.cc (impl_region_model_context::get_fd_map): New.
	* exploded-graph.h (impl_region_model_context::get_fd_map): New
	decl.
	* region-model-impl-calls.cc (region_model::impl_call_pipe): New.
	* region-model.cc (region_model::update_for_int_cst_return): New,
	based on...
	(region_model::update_for_zero_return): ...this. Reimplement in
	terms of the former.
	(region_model::on_call_pre): Handle "pipe" and "pipe2".
	(region_model::on_call_post): Likewise.
	* region-model.h (region_model::impl_call_pipe): New decl.
	(region_model::update_for_int_cst_return): New decl.
	(region_model::mark_as_valid_fd): New decl.
	(region_model_context::get_fd_map): New pure virtual fn.
	(noop_region_model_context::get_fd_map): New.
	(region_model_context_decorator::get_fd_map): New.
	* sm-fd.cc: Include "analyzer/program-state.h".
	(fd_state_machine::describe_state_change): Handle transitions from
	start state to valid states.
	(fd_state_machine::mark_as_valid_fd): New.
	(fd_state_machine::on_stmt): Add missing return for "creat".
	(region_model::mark_as_valid_fd): New.

2022-10-19  David Malcolm  <dmalcolm@redhat.com>

	PR analyzer/105765
	* varargs.cc (get_BT_VALIST_ARG): Rename to...
	(get_va_copy_arg): ...this, and update logic for determining level
	of indirection of va_copy's argument to use type of argument,
	rather than looking at va_list_type_node, to correctly handle
	__builtin_ms_va_copy.
	(get_stateful_BT_VALIST_ARG): Rename to...
	(get_stateful_va_copy_arg): ...this.
	(va_list_state_machine::on_va_copy): Update for renaming.
	(region_model::impl_call_va_copy): Likewise.

2022-10-13  David Malcolm  <dmalcolm@redhat.com>

	PR analyzer/107210
	* svalue.cc (constant_svalue::maybe_fold_bits_within): Only
	attempt to extract individual bits when tree_fits_uhwi_p.

2022-10-07  David Malcolm  <dmalcolm@redhat.com>

	PR analyzer/105783
	* region-model.cc (selftest::get_bit): New function.
	(selftest::test_bits_within_svalue_folding): New.
	(selftest::analyzer_region_model_cc_tests): Call it.
	* svalue.cc (constant_svalue::maybe_fold_bits_within): Handle the
	case of extracting a single bit.

2022-10-06  David Malcolm  <dmalcolm@redhat.com>

	PR analyzer/107158
	* store.cc (store::replay_call_summary_cluster): Eliminate
	special-casing of RK_HEAP_ALLOCATED in favor of sharing code with
	RK_DECL, avoiding an ICE due to attempting to bind a
	compound_svalue into a binding_cluster when an svalue in the
	summary cluster converts to a compound_svalue in the caller.

2022-10-06  David Malcolm  <dmalcolm@redhat.com>

	* call-summary.cc (call_summary_replay::dump_to_pp): Bulletproof
	against NULL caller regions/svalues.

2022-10-05  David Malcolm  <dmalcolm@redhat.com>

	* analysis-plan.cc: Simplify includes.
	* analyzer-pass.cc: Likewise.
	* analyzer-selftests.cc: Likewise.
	* analyzer.cc: Likewise.
	* analyzer.h: Add includes of "json.h" and "tristate.h".
	* call-info.cc: Simplify includes.
	* call-string.cc: Likewise.
	* call-summary.cc: Likewise.
	* checker-path.cc: Likewise.
	* complexity.cc: Likewise.
	* constraint-manager.cc: Likewise.
	* diagnostic-manager.cc: Likewise.
	* engine.cc: Likewise.
	* feasible-graph.cc: Likewise.
	* known-function-manager.cc: Likewise.
	* pending-diagnostic.cc: Likewise.
	* program-point.cc: Likewise.
	* program-state.cc: Likewise.
	* region-model-asm.cc: Likewise.
	* region-model-impl-calls.cc: Likewise.
	* region-model-manager.cc: Likewise.
	* region-model-reachability.cc: Likewise.
	* region-model.cc: Likewise.
	* region-model.h: Include "selftest.h".
	* region.cc: Simplify includes.
	* sm-fd.cc: Likewise.
	* sm-file.cc: Likewise.
	* sm-malloc.cc: Likewise.
	* sm-pattern-test.cc: Likewise.
	* sm-sensitive.cc: Likewise.
	* sm-signal.cc: Likewise.
	* sm-taint.cc: Likewise.
	* sm.cc: Likewise.
	* state-purge.cc: Likewise.
	* store.cc: Likewise.
	* store.h: Likewise.
	* supergraph.cc: Likewise.
	* svalue.cc: Likewise.
	* svalue.h: Likewise.
	* trimmed-graph.cc: Likewise.
	* varargs.cc: Likewise.

2022-10-05  David Malcolm  <dmalcolm@redhat.com>

	PR analyzer/107060
	* call-summary.cc
	(call_summary_replay::convert_svalue_from_summary_1): Handle NULL
	results from convert_svalue_from_summary in SK_UNARY_OP and
	SK_BIN_OP.
	* engine.cc (impl_region_model_context::on_unknown_change): Bail
	out on svalues that can't have associated state.
	* region-model-impl-calls.cc
	(region_model::impl_call_analyzer_get_unknown_ptr): New.
	* region-model.cc (region_model::on_stmt_pre): Handle
	"__analyzer_get_unknown_ptr".
	* region-model.h
	(region_model::impl_call_analyzer_get_unknown_ptr): New decl.
	* store.cc (store::replay_call_summary_cluster): Avoid trying to
	create binding clusters for base regions that shouldn't have them.

2022-10-05  Martin Liska  <mliska@suse.cz>

	* call-summary.cc (call_summary_replay::call_summary_replay):
	Remove unused variable and arguments.
	* call-summary.h: Likewise.
	* engine.cc (exploded_node::on_stmt): Likewise.
	(exploded_node::replay_call_summaries): Likewise.
	(exploded_node::replay_call_summary): Likewise.
	* exploded-graph.h (class exploded_node): Likewise.

2022-10-05  David Malcolm  <dmalcolm@redhat.com>

	PR analyzer/107072
	* analyzer-logging.h: Include "diagnostic-core.h".
	* analyzer.h: Include "function.h".
	(class call_summary): New forward decl.
	(class call_summary_replay): New forward decl.
	(struct per_function_data): New forward decl.
	(struct interesting_t): New forward decl.
	(custom_edge_info::update_state): New vfunc.
	* call-info.cc (custom_edge_info::update_state): New.
	* call-summary.cc: New file.
	* call-summary.h: New file.
	* constraint-manager.cc: Include "analyzer/call-summary.h".
	(class replay_fact_visitor): New.
	(constraint_manager::replay_call_summary): New.
	* constraint-manager.h (constraint_manager::replay_call_summary):
	New.
	* engine.cc: Include "analyzer/call-summary.h".
	(exploded_node::on_stmt): Handle call summaries.
	(class call_summary_edge_info): New.
	(exploded_node::replay_call_summaries): New.
	(exploded_node::replay_call_summary): New.
	(per_function_data::~per_function_data): New.
	(per_function_data::add_call_summary): Move here from header and
	reimplement.
	(exploded_graph::process_node): Call update_state rather than
	update_model when handling bifurcation.
	(viz_callgraph_node::dump_dot): Use a regular label rather
	than an HTML table; add summaries to dump.
	* exploded-graph.h: Include "alloc-pool.h", "fibonacci_heap.h",
	"supergraph.h", "sbitmap.h", "shortest-paths.h", "analyzer/sm.h",
	"analyzer/program-state.h", and "analyzer/diagnostic-manager.h".
	(exploded_node::replay_call_summaries): New decl.
	(exploded_node::replay_call_summary): New decl.
	(per_function_data::~per_function_data): New decl.
	(per_function_data::add_call_summary): Move implementation from
	header.
	(per_function_data::m_summaries): Update type of element.
	* known-function-manager.h: Include "analyzer/analyzer-logging.h".
	* program-point.h: Include "pretty-print.h" and
	"analyzer/call-string.h".
	* program-state.cc: Include "analyzer/call-summary.h".
	(sm_state_map::replay_call_summary): New.
	(program_state::replay_call_summary): New.
	* program-state.h (sm_state_map::replay_call_summary): New decl.
	(program_state::replay_call_summary): New decl.
	* region-model-manager.cc
	(region_model_manager::get_or_create_asm_output_svalue): New
	overload.
	* region-model-manager.h
	(region_model_manager::get_or_create_asm_output_svalue): New
	overload decl.
	* region-model.cc: Include "analyzer/call-summary.h".
	(region_model::maybe_update_for_edge): Remove call to
	region_model::update_for_call_summary on
	SUPEREDGE_INTRAPROCEDURAL_CALL.
	(region_model::update_for_call_summary): Delete.
	(region_model::replay_call_summary): New.
	* region-model.h (region_model::replay_call_summary): New decl.
	(region_model::update_for_call_summary): Delete decl.
	* store.cc: Include "analyzer/call-summary.h".
	(store::replay_call_summary): New.
	(store::replay_call_summary_cluster): New.
	* store.h: Include "tristate.h".
	(is_a_helper <const ana::concrete_binding *>::test): New.
	(store::replay_call_summary): New decl.
	(store::replay_call_summary_cluster): New decl.
	* supergraph.cc (get_ultimate_function_for_cgraph_edge): Remove
	"static" from decl.
	(supergraph_call_edge): Make stmt param const.
	* supergraph.h: Include "ordered-hash-map.h", "cfg.h",
	"basic-block.h", "gimple.h", "gimple-iterator.h", and "digraph.h".
	(supergraph_call_edge): Make stmt param const.
	(get_ultimate_function_for_cgraph_edge): New decl.
	* svalue.cc (compound_svalue::compound_svalue): Assert that we're
	not nesting compound_svalues.
	* svalue.h: Include "json.h", "analyzer/store.h", and
	"analyzer/program-point.h".
	(asm_output_svalue::get_num_outputs): New accessor.

2022-10-05  David Malcolm  <dmalcolm@redhat.com>

	* region-model.h: Include "analyzer/region-model-manager.h".
	(class region_model_manager): Move decl to...
	* region-model-manager.h: ...this new file.

2022-10-05  David Malcolm  <dmalcolm@redhat.com>

	* region-model-manager.cc
	(region_model_manager::maybe_fold_unaryop): Fold -(-(VAL)) to VAL.

2022-10-05  David Malcolm  <dmalcolm@redhat.com>

	* region-model-manager.cc
	(region_model_manager::get_or_create_widening_svalue): Use a
	function_point rather than a program_point.
	* region-model.cc (selftest::test_widening_constraints): Likewise.
	* region-model.h
	(region_model_manager::get_or_create_widening_svalue): Likewise.
	(model_merger::get_function_point): New.
	* svalue.cc (svalue::can_merge_p): Use a function_point rather
	than a program_point.
	(svalue::can_merge_p): Likewise.
	* svalue.h (widening_svalue::key_t): Likewise.
	(widening_svalue::widening_svalue): Likewise.

2022-09-12  Martin Liska  <mliska@suse.cz>

	* region-model.cc (region_model::maybe_complain_about_infoleak):
	Remove unused fields.

2022-09-11  Tim Lange  <mail@tim-lange.me>

	PR analyzer/106845
	* region-model.cc (region_model::check_region_bounds):
	Bail out if 0 bytes were accessed.
	* store.cc (byte_range::dump_to_pp):
	Add special case for empty ranges.
	(byte_range::exceeds_p): Restrict to non-empty ranges.
	(byte_range::falls_short_of_p): Restrict to non-empty ranges.
	* store.h (bit_range::empty_p): New function.
	(bit_range::get_last_byte_offset): Restrict to non-empty ranges.
	(byte_range::empty_p): New function.
	(byte_range::get_last_byte_offset): Restrict to non-empty ranges.

2022-09-09  David Malcolm  <dmalcolm@redhat.com>

	* analyzer.opt (Wanalyzer-exposure-through-uninit-copy): New.
	* checker-path.cc (region_creation_event::region_creation_event):
	Add "capacity" and "kind" params.
	(region_creation_event::get_desc): Generalize to different kinds
	of event.
	(checker_path::add_region_creation_event): Convert to...
	(checker_path::add_region_creation_events): ...this.
	* checker-path.h (enum rce_kind): New.
	(region_creation_event::region_creation_event): Add "capacity" and
	"kind" params.
	(region_creation_event::m_capacity): New field.
	(region_creation_event::m_rce_kind): New field.
	(checker_path::add_region_creation_event): Convert to...
	(checker_path::add_region_creation_events): ...this.
	* diagnostic-manager.cc (diagnostic_manager::build_emission_path):
	Update for multiple region creation events.
	(diagnostic_manager::add_event_on_final_node): Likewise.
	(diagnostic_manager::add_events_for_eedge): Likewise.
	* region-model-impl-calls.cc (call_details::get_logger): New.
	* region-model.cc: Define INCLUDE_MEMORY before including
	"system.h". Include "gcc-rich-location.h".
	(class record_layout): New.
	(class exposure_through_uninit_copy): New.
	(contains_uninit_p): New.
	(region_model::maybe_complain_about_infoleak): New.
	* region-model.h (call_details::get_logger): New decl.
	(region_model::maybe_complain_about_infoleak): New decl.
	(region_model::mark_as_tainted): New decl.
	* sm-taint.cc (region_model::mark_as_tainted): New.

2022-09-09  David Malcolm  <dmalcolm@redhat.com>

	* analyzer.h (class known_function_manager): New forward decl.
	(class known_function): New.
	(plugin_analyzer_init_iface::register_known_function): New.
	* engine.cc: Include "analyzer/known-function-manager.h".
	(plugin_analyzer_init_impl::plugin_analyzer_init_impl): Add
	known_fn_mgr param.
	(plugin_analyzer_init_impl::register_state_machine): Add
	LOC_SCOPE.
	(plugin_analyzer_init_impl::register_known_function): New.
	(plugin_analyzer_init_impl::m_known_fn_mgr): New.
	(impl_run_checkers): Update plugin callback invocation to use
	eng's known_function_manager.
	* known-function-manager.cc: New file.
	* known-function-manager.h: New file.
	* region-model-manager.cc
	(region_model_manager::region_model_manager): Pass logger to
	m_known_fn_mgr's ctor.
	* region-model.cc (region_model::update_for_zero_return): New.
	(region_model::update_for_nonzero_return): New.
	(maybe_simplify_upper_bound): New.
	(region_model::maybe_get_copy_bounds): New.
	(region_model::get_known_function): New.
	(region_model::on_call_pre): Handle plugin-supplied known
	functions.
	* region-model.h: Include "analyzer/known-function-manager.h".
	(region_model_manager::get_known_function_manager): New.
	(region_model_manager::m_known_fn_mgr): New.
	(call_details::get_model): New accessor.
	(region_model::maybe_get_copy_bounds): New decl.
	(region_model::update_for_zero_return): New decl.
	(region_model::update_for_nonzero_return): New decl.
	(region_model::get_known_function): New decl.
	(region_model::get_known_function_manager): New.

2022-09-08  Tim Lange  <mail@tim-lange.me>

	PR analyzer/106625
	* analyzer.h (region_offset): Eliminate m_is_symbolic member.
	* region-model-impl-calls.cc (region_model::impl_call_realloc):
	Refine implementation to be more precise.
	* region-model.cc (class symbolic_past_the_end):
	Abstract diagnostic class to complain about accesses past the end
	with symbolic values.
	(class symbolic_buffer_overflow):
	Concrete diagnostic class to complain about buffer overflows with
	symbolic values.
	(class symbolic_buffer_overread):
	Concrete diagnostic class to complain about buffer overreads with
	symbolic values.
	(region_model::check_symbolic_bounds): New function.
	(maybe_get_integer_cst_tree): New helper function.
	(region_model::check_region_bounds):
	Add call to check_symbolic_bounds if offset is not concrete.
	(region_model::eval_condition_without_cm):
	Add support for EQ_EXPR and GT_EXPR with binaryop_svalues.
	(is_positive_svalue): New helper function.
	(region_model::symbolic_greater_than):
	New function to handle GT_EXPR comparisons with symbolic values.
	(region_model::structural_equality): New function to compare
	whether two svalues are structured the same, i.e. evaluate to
	the same value.
	(test_struct): Reflect changes to region::calc_offset.
	(test_var): Likewise.
	(test_array_2): Likewise and add selftest with symbolic i.
	* region-model.h (class region_model): Add check_symbolic_bounds,
	symbolic_greater_than and structural_equality.
	* region.cc (region::get_offset):
	Reflect changes to region::calc_offset.
	(region::calc_offset):
	Compute the symbolic offset if the offset is not concrete.
	(region::get_relative_symbolic_offset): New function to return the
	symbolic offset in bytes relative to its parent.
	(field_region::get_relative_symbolic_offset): Likewise.
	(element_region::get_relative_symbolic_offset): Likewise.
	(offset_region::get_relative_symbolic_offset): Likewise.
	(bit_range_region::get_relative_symbolic_offset): Likewise.
	* region.h: Add get_relative_symbolic_offset.
	* store.cc (binding_key::make):
	Reflect changes to region::calc_offset.
	(binding_map::apply_ctor_val_to_range): Likewise.
	(binding_map::apply_ctor_pair_to_child_region): Likewise.
	(binding_cluster::bind_compound_sval): Likewise.
	(binding_cluster::get_any_binding): Likewise.
	(binding_cluster::maybe_get_compound_binding): Likewise.

2022-09-05  Tim Lange  <mail@tim-lange.me>

	* region-model-impl-calls.cc (region_model::impl_call_strcpy):
	Handle the constant string case.
	* region-model.cc (region_model::get_string_size):
	New function to get the string size from a region or svalue.
	* region-model.h (class region_model): Add get_string_size.

2022-09-05  Tim Lange  <mail@tim-lange.me>

	* region.cc (cast_region::get_relative_concrete_offset):
	New overloaded method.
	* region.h: Add cast_region::get_relative_concrete_offset.

2022-08-22  Martin Liska  <mliska@suse.cz>

	* region-model.cc: Add missing final keyword.

2022-08-18  Tim Lange  <mail@tim-lange.me>

	PR analyzer/106181
	* analyzer.opt: Add Wanalyzer-imprecise-floating-point-arithmetic.
	* region-model.cc (is_any_cast_p): Formatting.
	(region_model::check_region_size): Ensure precondition.
	(class imprecise_floating_point_arithmetic): New abstract
	diagnostic class for all floating-point related warnings.
	(class float_as_size_arg): Concrete diagnostic class to complain
	about floating-point operands inside the size argument.
	(class contains_floating_point_visitor):
	New visitor to find floating-point operands inside svalues.
	(region_model::check_dynamic_size_for_floats): New function.
	(region_model::set_dynamic_extents):
	Call to check_dynamic_size_for_floats.
	* region-model.h (class region_model):
	Add region_model::check_dynamic_size_for_floats.

2022-08-16  Martin Liska  <mliska@suse.cz>

	* region-model.cc: Fix -Winconsistent-missing-override clang
	warning.
	* region.h: Likewise.

2022-08-15  David Malcolm  <dmalcolm@redhat.com>

	PR analyzer/106626
	* region-model.cc (buffer_overread::emit): Fix copy&paste error in
	direction of the access in the note.

2022-08-15  David Malcolm  <dmalcolm@redhat.com>

	PR analyzer/106573
	* region-model.cc (region_model::on_call_pre): Use check_call_args
	when ensuring that we call get_arg_svalue on all args. Remove
	redundant call from handling for stdio builtins.

2022-08-15  Immad Mir  <mirimmad@outlook.com>

	PR analyzer/106551
	* sm-fd.cc (check_for_dup): Exit early if first
	argument is invalid for all dup functions.

2022-08-12  Tim Lange  <mail@tim-lange.me>

	PR analyzer/106000
	* analyzer.opt: Add Wanalyzer-out-of-bounds.
	* region-model.cc (class out_of_bounds): Diagnostics base class
	for all out-of-bounds diagnostics.
	(class past_the_end): Base class derived from out_of_bounds for
	the buffer_overflow and buffer_overread diagnostics.
	(class buffer_overflow): Buffer overflow diagnostics.
	(class buffer_overread): Buffer overread diagnostics.
	(class buffer_underflow): Buffer underflow diagnostics.
	(class buffer_underread): Buffer overread diagnostics.
	(region_model::check_region_bounds): New function to check region
	bounds for out-of-bounds accesses.
	(region_model::check_region_access):
	Add call to check_region_bounds.
	(region_model::get_representative_tree): New function that accepts
	a region instead of an svalue.
	* region-model.h (class region_model):
	Add region_model::check_region_bounds.
	* region.cc (region::symbolic_p): New predicate.
	(offset_region::get_byte_size_sval): Only return the remaining
	byte size on offset_regions.
	* region.h: Add region::symbolic_p.
	* store.cc (byte_range::intersects_p):
	Add new function equivalent to bit_range::intersects_p.
	(byte_range::exceeds_p): New function.
	(byte_range::falls_short_of_p): New function.
	* store.h (struct byte_range): Add byte_range::intersects_p,
	byte_range::exceeds_p and byte_range::falls_short_of_p.

2022-08-12  Tim Lange  <mail@tim-lange.me>

	PR analyzer/106539
	* region-model-impl-calls.cc (region_model::impl_call_realloc):
	Use the result of get_copied_size as the size for the
	sized_regions in realloc.
	(success_with_move::get_copied_size): New function.

2022-08-11  Immad Mir  <mirimmad@outlook.com>

	PR analyzer/106551
	* sm-fd.cc (check_for_dup): Handle the m_start
	state when transitioning the state of LHS
	of dup, dup2 and dup3 call.

2022-08-09  David Malcolm  <dmalcolm@redhat.com>

	PR analyzer/106573
	* region-model.cc (region_model::on_call_pre): Ensure that we call
	get_arg_svalue on all arguments.

2022-08-05  David Malcolm  <dmalcolm@redhat.com>

	PR analyzer/105947
	* analyzer.opt (Wanalyzer-jump-through-null): New option.
	* engine.cc (class jump_through_null): New.
	(exploded_graph::process_node): Complain about jumps through NULL
	function pointers.

2022-08-02  Immad Mir  <mirimmad@outlook.com>

	PR analyzer/106298
	* sm-fd.cc (fd_state_machine::on_open): Add
	creat, dup, dup2 and dup3 functions.
	(enum dup): New.
	(fd_state_machine::valid_to_unchecked_state): New.
	(fd_state_machine::on_creat): New.
	(fd_state_machine::on_dup): New.

2022-07-28  David Malcolm  <dmalcolm@redhat.com>

	PR analyzer/105893
	* analyzer.opt (Wanalyzer-putenv-of-auto-var): New.
	* region-model-impl-calls.cc (class putenv_of_auto_var): New.
	(region_model::impl_call_putenv): New.
	* region-model.cc (region_model::on_call_pre): Handle putenv.
	* region-model.h (region_model::impl_call_putenv): New decl.

2022-07-28  David Malcolm  <dmalcolm@redhat.com>

	* sm-malloc.cc (free_of_non_heap::emit): Add comment about CWE.
	* sm-taint.cc (tainted_size::emit): Likewise.

2022-07-28  David Malcolm  <dmalcolm@redhat.com>

	* region.h: Add notes to the comment describing the region
	class hierarchy.

2022-07-27  Immad Mir  <mirimmad@outlook.com>

	PR analyzer/106286
	* sm-fd.cc:
	(fd_diagnostic::get_meaning_for_state_change): New.

2022-07-26  David Malcolm  <dmalcolm@redhat.com>

	PR analyzer/106319
	* store.cc (store::set_value): Don't strip away casts if the
	region has NULL type.

2022-07-26  David Malcolm  <dmalcolm@redhat.com>

	* region.h (code_region::get_element): Remove stray decl.
	(function_region::get_element): Likewise.

2022-07-25  Martin Liska  <mliska@suse.cz>

	* sm-fd.cc: Run dos2unix and fix coding style issues.

2022-07-23  Immad Mir  <mirimmad@outlook.com>

	* sm-fd.cc (fd_param_diagnostic): New diagnostic class.
	(fd_access_mode_mismatch): Change inheritance from fd_diagnostic
	to fd_param_diagnostic. Add new overloaded constructor.
	(fd_use_after_close): Likewise.
	(unchecked_use_of_fd): Likewise and also change name to fd_use_without_check.
	(double_close): Change name to fd_double_close.
	(enum access_directions): New.
	(fd_state_machine::on_stmt): Handle calls to function with the
	new three function attributes.
	(fd_state_machine::check_for_fd_attrs): New.
	(fd_state_machine::on_open): Use the new overloaded constructors
	of diagnostic classes.

2022-07-22  David Malcolm  <dmalcolm@redhat.com>

	PR analyzer/106413
	* varargs.cc (region_model::impl_call_va_start): Avoid iterating
	through non-existent variadic arguments by initializing the
	impl_region to "UNKNOWN" if the va_start occurs in the top-level
	function to the analysis.

2022-07-22  David Malcolm  <dmalcolm@redhat.com>

	PR analyzer/106401
	* store.cc (binding_cluster::binding_cluster): Remove overzealous
	assertion; we're checking for tracked_p in
	store::get_or_create_cluster.

2022-07-22  Tim Lange  <mail@tim-lange.me>

	PR analyzer/106394
	* region-model.cc (capacity_compatible_with_type): Always return true
	if alloc_size is zero.

2022-07-21  David Malcolm  <dmalcolm@redhat.com>

	PR analyzer/106383
	* varargs.cc (region_model::impl_call_va_arg): When determining if
	we're doing interprocedural analysis, use the stack depth of the
	frame in which va_start was called, rather than the current stack
	depth.

2022-07-21  David Malcolm  <dmalcolm@redhat.com>

	* sm-taint.cc (tainted_array_index::emit): Bulletproof against
	NULL m_arg.
	(tainted_array_index::describe_final_event): Likewise.
	(tainted_size::emit): Likewise.
	(tainted_size::describe_final_event): Likewise.

2022-07-21  David Malcolm  <dmalcolm@redhat.com>

	PR analyzer/106374
	* region.cc (decl_region::get_svalue_for_initializer): Bail out on
	untracked regions.

2022-07-20  David Malcolm  <dmalcolm@redhat.com>

	PR analyzer/106373
	* sm-taint.cc (taint_state_machine::on_condition): Potentially
	update the state of the RHS as well as the LHS.

2022-07-20  David Malcolm  <dmalcolm@redhat.com>

	PR analyzer/106359
	* region.h (string_region::tracked_p): New.
	* store.cc (binding_cluster::binding_cluster): Move here from
	store.h. Add assertion that base_region is tracked_p.
	* store.h (binding_cluster::binding_cluster): Move to store.cc.

2022-07-19  David Malcolm  <dmalcolm@redhat.com>

	PR analyzer/106321
	* constraint-manager.h (bounded_ranges::get_count): New.
	(bounded_ranges::get_range): New.
	* engine.cc (impl_region_model_context::on_bounded_ranges): New.
	* exploded-graph.h (impl_region_model_context::on_bounded_ranges):
	New decl.
	* region-model.cc (region_model::apply_constraints_for_gswitch):
	Potentially call ctxt->on_bounded_ranges.
	* region-model.h (region_model_context::on_bounded_ranges): New
	vfunc.
	(noop_region_model_context::on_bounded_ranges): New.
	(region_model_context_decorator::on_bounded_ranges): New.
	* sm-taint.cc: Include "analyzer/constraint-manager.h".
	(taint_state_machine::on_bounded_ranges): New.
	* sm.h (state_machine::on_bounded_ranges): New.

2022-07-19  David Malcolm  <dmalcolm@redhat.com>

	* engine.cc (exploded_graph::process_node): Show any description
	of the out-edge when logging it for consideration.

2022-07-15  David Malcolm  <dmalcolm@redhat.com>

	PR analyzer/106284
	* sm-taint.cc (taint_state_machine::on_condition): Handle range
	checks optimized by build_range_check.

2022-07-15  Jonathan Wakely  <jwakely@redhat.com>

	* call-info.cc (call_info::print): Adjust to new label_text API.
	* checker-path.cc (checker_event::dump): Likewise.
	(region_creation_event::get_desc): Likewise.
	(state_change_event::get_desc): Likewise.
	(superedge_event::should_filter_p): Likewise.
	(start_cfg_edge_event::get_desc): Likewise.
	(call_event::get_desc): Likewise.
	(return_event::get_desc): Likewise.
	(warning_event::get_desc): Likewise.
	(checker_path::dump): Likewise.
	(checker_path::debug): Likewise.
	* diagnostic-manager.cc (diagnostic_manager::prune_for_sm_diagnostic):
	Likewise.
	(diagnostic_manager::prune_interproc_events): Likewise.
	* engine.cc (feasibility_state::maybe_update_for_edge):
	Likewise.
	* program-state.cc (sm_state_map::to_json): Likewise.
	* region-model-impl-calls.cc (region_model::impl_call_analyzer_describe): Likewise.
	(region_model::impl_call_analyzer_dump_capacity): Likewise.
	* region.cc (region::to_json): Likewise.
	* sm-malloc.cc (inform_nonnull_attribute): Likewise.
	* store.cc (binding_map::to_json): Likewise.
	(store::to_json): Likewise.
	* supergraph.cc (superedge::dump): Likewise.
	* svalue.cc (svalue::to_json): Likewise.

2022-07-07  David Malcolm  <dmalcolm@redhat.com>

	* checker-path.cc (start_cfg_edge_event::get_desc): Update for
	superedge::get_description returning a label_text.
	* engine.cc (feasibility_state::maybe_update_for_edge): Likewise.
	* supergraph.cc (superedge::dump): Likewise.
	(superedge::get_description): Convert return type from char * to
	label_text.
	* supergraph.h (superedge::get_description): Likewise.

2022-07-07  David Malcolm  <dmalcolm@redhat.com>

	* call-info.cc (call_info::print): Update for removal of
	label_text::maybe_free in favor of automatic memory management.
	* checker-path.cc (checker_event::dump): Likewise.
	(checker_event::prepare_for_emission): Likewise.
	(state_change_event::get_desc): Likewise.
	(superedge_event::should_filter_p): Likewise.
	(start_cfg_edge_event::get_desc): Likewise.
	(warning_event::get_desc): Likewise.
	(checker_path::dump): Likewise.
	(checker_path::debug): Likewise.
	* diagnostic-manager.cc
	(diagnostic_manager::prune_for_sm_diagnostic): Likewise.
	(diagnostic_manager::prune_interproc_events): Likewise.
	* program-state.cc (sm_state_map::to_json): Likewise.
	* region.cc (region::to_json): Likewise.
	* sm-malloc.cc (inform_nonnull_attribute): Likewise.
	* store.cc (binding_map::to_json): Likewise.
	(store::to_json): Likewise.
	* svalue.cc (svalue::to_json): Likewise.

2022-07-07  David Malcolm  <dmalcolm@redhat.com>

	PR analyzer/106225
	* sm-taint.cc (taint_state_machine::on_stmt): Move handling of
	assignments from division to...
	(taint_state_machine::check_for_tainted_divisor): ...this new
	function.  Reject warning when the divisor is known to be non-zero.
	* sm.cc: Include "analyzer/program-state.h".
	(sm_context::get_old_region_model): New.
	* sm.h (sm_context::get_old_region_model): New decl.

2022-07-06  Immad Mir  <mirimmad@outlook.com>

	PR analyzer/106184
	* sm-fd.cc (fd_state_machine): Change ordering of initialization
	of state m_invalid so that the order of initializers is the same as
	the ordering of the fields in the class decl.

2022-07-06  Immad Mir  <mirimmad@outlook.com>

	* sm-fd.cc (use_after_close): Save the "close" event and
	show it where possible.

2022-07-06  David Malcolm  <dmalcolm@redhat.com>

	PR analyzer/106204
	* region-model.cc (within_short_circuited_stmt_p): Move extraction
	of assign_stmt to caller.
	(due_to_ifn_deferred_init_p): New.
	(region_model::check_for_poison): Move extraction of assign_stmt
	from within_short_circuited_stmt_p to here.  Share logic with
	call to due_to_ifn_deferred_init_p.

2022-07-02  Tim Lange  <mail@tim-lange.me>

	PR analyzer/105900
	* analyzer.opt: Added Wanalyzer-allocation-size.
	* checker-path.cc (region_creation_event::get_desc): Added call to new
	virtual function pending_diagnostic::describe_region_creation_event.
	* checker-path.h: Added region_creation_event::get_desc.
	* diagnostic-manager.cc (diagnostic_manager::add_event_on_final_node):
	New function.
	* diagnostic-manager.h:
	Added diagnostic_manager::add_event_on_final_node.
	* pending-diagnostic.h (struct region_creation): New event_desc struct.
	(pending_diagnostic::describe_region_creation_event): Added virtual
	function to overwrite description of a region creation.
	* region-model.cc (class dubious_allocation_size): New class.
	(capacity_compatible_with_type): New helper function.
	(class size_visitor): New class.
	(struct_or_union_with_inheritance_p): New helper function.
	(is_any_cast_p): New helper function.
	(region_model::check_region_size): New function.
	(region_model::set_value): Added call to
	region_model::check_region_size.
	* region-model.h (class region_model): New function check_region_size.
	* svalue.cc (region_svalue::accept): Changed to post-order traversal.
	(initial_svalue::accept): Likewise.
	(unaryop_svalue::accept): Likewise.
	(binop_svalue::accept): Likewise.
	(sub_svalue::accept): Likewise.
	(repeated_svalue::accept): Likewise.
	(bits_within_svalue::accept): Likewise.
	(widening_svalue::accept): Likewise.
	(unmergeable_svalue::accept): Likewise.
	(compound_svalue::accept): Likewise.
	(conjured_svalue::accept): Likewise.
	(asm_output_svalue::accept): Likewise.
	(const_fn_result_svalue::accept): Likewise.

2022-07-02  Immad Mir  <mirimmad17@gmail.com>

	PR analyzer/106003
	* analyzer.opt (Wanalyzer-fd-leak): New option.
	(Wanalyzer-fd-access-mode-mismatch): New option.
	(Wanalyzer-fd-use-without-check): New option.
	(Wanalyzer-fd-double-close): New option.
	(Wanalyzer-fd-use-after-close): New option.
	* sm.h (make_fd_state_machine): New decl.
	* sm.cc (make_checkers): Call make_fd_state_machine.
	* sm-fd.cc: New file.

2022-06-24  David Malcolm  <dmalcolm@redhat.com>

	* call-string.cc: Add includes of "analyzer/analyzer.h"
	and "analyzer/analyzer-logging.h".
	(call_string::call_string): Delete copy ctor.
	(call_string::operator=): Delete.
	(call_string::operator==): Delete.
	(call_string::hash): Delete.
	(call_string::push_call): Make const, returning the resulting
	call_string.
	(call_string::pop): Delete.
	(call_string::cmp_ptr_ptr): New.
	(call_string::validate): Assert that m_parent is non-NULL, or
	m_elements is empty.
	(call_string::call_string): Move default ctor here from
	call-string.h and reimplement.  Add ctor taking a parent
	and an element.
	(call_string::~call_string): New.
	(call_string::recursive_log): New.
	* call-string.h (call_string::call_string): Move default ctor's
	defn to call-string.cc.  Delete copy ctor.  Add ctor taking a
	parent and an element.
	(call_string::operator=): Delete.
	(call_string::operator==): Delete.
	(call_string::hash): Delete.
	(call_string::push_call): Make const, returning the resulting
	call_string.
	(call_string::pop): Delete decl.
	(call_string::get_parent): New.
	(call_string::cmp_ptr_ptr): New decl.
	(call_string::get_top_of_stack): New.
	(struct call_string::hashmap_traits_t): New.
	(class call_string): Add friend class region_model_manager.  Add
	DISABLE_COPY_AND_ASSIGN.
	(call_string::~call_string): New decl.
	(call_string::recursive_log): New decl.
	(call_string::m_parent): New field.
	(call_string::m_children): New field.
	* constraint-manager.cc (selftest::test_many_constants): Pass
	model manager to program_point::origin.
	* engine.cc (exploded_graph::exploded_graph): Likewise.
	(exploded_graph::add_function_entry): Likewise for
	program_point::from_function_entry.
	(add_tainted_args_callback): Likewise.
	(exploded_graph::maybe_process_run_of_before_supernode_enodes):
	Update for change to program_point.get_call_string.
	(exploded_graph::process_node): Likewise.
	(class function_call_string_cluster): Convert m_cs from a
	call_string to a const call_string &.
	(struct function_call_string): Likewise.
	(pod_hash_traits<function_call_string>::hash): Use pointer_hash
	for m_cs.
	(pod_hash_traits<function_call_string>::equal): Update for change
	to m_cs.
	(root_cluster::add_node): Update for change to
	function_call_string.
	(viz_callgraph_node::dump_dot): Update for change to call_string.
	* exploded-graph.h (per_call_string_data::m_key): Convert to a
	reference.
	(struct eg_call_string_hash_map_traits): Delete.
	(exploded_graph::call_string_data_map_t): Remove traits class.
	* program-point.cc: Move include of "analyzer/call-string.h" to
	after "analyzer/analyzer-logging.h".
	(program_point::print): Update for conversion of m_call_string to
	a pointer.
	(program_point::to_json): Likewise.
	(program_point::push_to_call_stack): Update for immutability of
	call strings.
	(program_point::pop_from_call_stack): Likewise.
	(program_point::hash): Use pointer hashing for m_call_string.
	(program_point::get_function_at_depth): Update for change to
	m_call_string.
	(program_point::validate): Update for changes to call_string.
	(program_point::on_edge): Likewise.
	(program_point::origin): Move here from call-string.h.  Add
	region_model_manager param and use it to get empty call string.
	(program_point::from_function_entry): Likewise.
	(selftest::test_function_point_ordering): Likewise.
	(selftest::test_function_point_ordering): Likewise.
	* program-point.h (program_point::program_point): Update for
	change to m_call_string.
	(program_point::get_call_string): Likewise.
	(program_point::get_stack_depth): Likewise.
	(program_point::origin): Add region_model_manager param, and move
	defn to call-string.cc.
	(program_point::from_function_entry): Likewise.
	(program_point::empty): Drop call_string.
	(program_point::deleted): Likewise.
	(program_point::program_point): New private ctor.
	(program_point::m_call_string): Convert from call_string to const
	call_string *.
	* program-state.cc (selftest::test_program_state_merging): Update
	for call_string changes.
	(selftest::test_program_state_merging_2): Likewise.
	* region-model-manager.cc
	(region_model_manager::region_model_manager): Construct
	m_empty_call_string.
	(region_model_manager::log_stats): Log the call strings.
	* region-model.cc (assert_region_models_merge): Pass the
	region_model_manager when creating program_point instances.
	(selftest::test_state_merging): Likewise.
	(selftest::test_constraint_merging): Likewise.
	(selftest::test_widening_constraints): Likewise.
	(selftest::test_iteration_1): Likewise.
	* region-model.h (region_model_manager::get_empty_call_string):
	New.
	(region_model_manager::m_empty_call_string): New.
	* sm-signal.cc (register_signal_handler::impl_transition): Update
	for changes to call_string.

2022-06-24  David Malcolm  <dmalcolm@redhat.com>

	* call-string.cc (call_string::calc_recursion_depth): Whitespace
	cleanups.
	(call_string::cmp): Likewise.
	(call_string::get_caller_node): Likewise.
	(call_string::validate): Likewise.
	* engine.cc (dynamic_call_info_t::add_events_to_path): Likewise.
	(exploded_graph::get_per_function_data): Likewise.
	(exploded_graph::maybe_create_dynamic_call): Likewise.
	(exploded_graph::maybe_create_dynamic_call): Likewise.
	(exploded_graph::process_node): Likewise.

2022-06-16  David Malcolm  <dmalcolm@redhat.com>

	* varargs.cc (va_arg_type_mismatch::emit): Associate the warning
	with CWE-686 ("Function Call With Incorrect Argument Type").

2022-06-16  David Malcolm  <dmalcolm@redhat.com>

	* varargs.cc: Include "diagnostic-metadata.h".
	(va_list_exhausted::emit): Associate the warning with
	CWE-685 ("Function Call With Incorrect Number of Arguments").

2022-06-16  David Malcolm  <dmalcolm@redhat.com>

	* sm-file.cc (double_fclose::emit): Associate the warning with
	CWE-1341 ("Multiple Releases of Same Resource or Handle").

2022-06-15  David Malcolm  <dmalcolm@redhat.com>

	PR analyzer/105962
	* analyzer.opt (fanalyzer-undo-inlining): New option.
	* checker-path.cc: Include "diagnostic-core.h" and
	"inlining-iterator.h".
	(event_kind_to_string): Handle EK_INLINED_CALL.
	(class inlining_info): New class.
	(checker_event::checker_event): Move here from checker-path.h.
	Store original fndecl and depth, and calculate effective fndecl
	and depth based on inlining information.
	(checker_event::dump): Emit original depth as well as effective
	depth when they differ; likewise for fndecl.
	(region_creation_event::get_desc): Use m_effective_fndecl.
	(inlined_call_event::get_desc): New.
	(inlined_call_event::get_meaning): New.
	(checker_path::inject_any_inlined_call_events): New.
	* checker-path.h (enum event_kind): Add EK_INLINED_CALL.
	(checker_event::checker_event): Make protected, and move
	definition to checker-path.cc.
	(checker_event::get_fndecl): Use effective fndecl.
	(checker_event::get_stack_depth): Use effective stack depth.
	(checker_event::get_logical_location): Use effective stack depth.
	(checker_event::get_original_stack_depth): New.
	(checker_event::m_fndecl): Rename to...
	(checker_event::m_original_fndecl): ...this.
	(checker_event::m_depth): Rename to...
	(checker_event::m_original_depth): ...this.
	(checker_event::m_effective_fndecl): New field.
	(checker_event::m_effective_depth): New field.
	(class inlined_call_event): New checker_event subclass.
	(checker_path::inject_any_inlined_call_events): New decl.
	* diagnostic-manager.cc: Include "inlining-iterator.h".
	(diagnostic_manager::emit_saved_diagnostic): Call
	checker_path::inject_any_inlined_call_events.
	(diagnostic_manager::prune_for_sm_diagnostic): Handle
	EK_INLINED_CALL.
	* engine.cc (tainted_args_function_custom_event::get_desc): Use
	effective fndecl.
	* inlining-iterator.h: New file.

2022-06-15  David Malcolm  <dmalcolm@redhat.com>

	* diagnostic-manager.cc (saved_diagnostic::dump_dot_id): New.
	(saved_diagnostic::dump_as_dot_node): New.
	* diagnostic-manager.h (saved_diagnostic::dump_dot_id): New decl.
	(saved_diagnostic::dump_as_dot_node): New decl.
	* engine.cc (exploded_node::dump_dot): Add nodes for saved
	diagnostics.

2022-06-02  David Malcolm  <dmalcolm@redhat.com>

	* checker-path.cc (checker_event::get_meaning): New.
	(function_entry_event::get_meaning): New.
	(state_change_event::get_desc): Add dump of meaning of the event
	to the -fanalyzer-verbose-state-changes output.
	(state_change_event::get_meaning): New.
	(cfg_edge_event::get_meaning): New.
	(call_event::get_meaning): New.
	(return_event::get_meaning): New.
	(start_consolidated_cfg_edges_event::get_meaning): New.
	(warning_event::get_meaning): New.
	* checker-path.h: Include "tree-logical-location.h".
	(checker_event::checker_event): Construct m_logical_loc.
	(checker_event::get_logical_location): New.
	(checker_event::get_meaning): New decl.
	(checker_event::m_logical_loc): New.
	(function_entry_event::get_meaning): New decl.
	(state_change_event::get_meaning): New decl.
	(cfg_edge_event::get_meaning): New decl.
	(call_event::get_meaning): New decl.
	(return_event::get_meaning): New decl.
	(start_consolidated_cfg_edges_event::get_meaning): New.
	(warning_event::get_meaning): New decl.
	* pending-diagnostic.h: Include "diagnostic-path.h".
	(pending_diagnostic::get_meaning_for_state_change): New vfunc.
	* sm-file.cc (file_diagnostic::get_meaning_for_state_change): New
	vfunc impl.
	* sm-malloc.cc (malloc_diagnostic::get_meaning_for_state_change):
	Likewise.
	* sm-sensitive.cc
	(exposure_through_output_file::get_meaning_for_state_change):
	Likewise.
	* sm-taint.cc (taint_diagnostic::get_meaning_for_state_change):
	Likewise.
	* varargs.cc
	(va_list_sm_diagnostic::get_meaning_for_state_change): Likewise.

2022-05-23  David Malcolm  <dmalcolm@redhat.com>

	* call-info.cc: Add "final" and "override" to all vfunc
	implementations that were missing them, as appropriate.
	* engine.cc: Likewise.
	* region-model.cc: Likewise.
	* sm-malloc.cc: Likewise.
	* supergraph.h: Likewise.
	* svalue.cc: Likewise.
	* varargs.cc: Likewise.

2022-05-20  David Malcolm  <dmalcolm@redhat.com>

	* analyzer-pass.cc: Replace uses of "FINAL" and "OVERRIDE" with
	"final" and "override".
	* call-info.h: Likewise.
	* checker-path.h: Likewise.
	* constraint-manager.cc: Likewise.
	* diagnostic-manager.cc: Likewise.
	* engine.cc: Likewise.
	* exploded-graph.h: Likewise.
	* feasible-graph.h: Likewise.
	* pending-diagnostic.h: Likewise.
	* region-model-impl-calls.cc: Likewise.
	* region-model.cc: Likewise.
	* region-model.h: Likewise.
	* region.h: Likewise.
	* sm-file.cc: Likewise.
	* sm-malloc.cc: Likewise.
	* sm-pattern-test.cc: Likewise.
	* sm-sensitive.cc: Likewise.
	* sm-signal.cc: Likewise.
	* sm-taint.cc: Likewise.
	* state-purge.h: Likewise.
	* store.cc: Likewise.
	* store.h: Likewise.
	* supergraph.h: Likewise.
	* svalue.h: Likewise.
	* trimmed-graph.h: Likewise.
	* varargs.cc: Likewise.

2022-05-16  David Malcolm  <dmalcolm@redhat.com>

	PR analyzer/105103
	* analyzer.cc (make_label_text_n): New.
	* analyzer.h (class var_arg_region): New forward decl.
	(make_label_text_n): New decl.
	* analyzer.opt (Wanalyzer-va-arg-type-mismatch): New option.
	(Wanalyzer-va-list-exhausted): New option.
	(Wanalyzer-va-list-leak): New option.
	(Wanalyzer-va-list-use-after-va-end): New option.
	* checker-path.cc (call_event::get_desc): Split out decl access
	into...
	(call_event::get_caller_fndecl): ...this new function and...
	(call_event::get_callee_fndecl): ...this new function.
	* checker-path.h (call_event::get_desc): Drop "FINAL".
	(call_event::get_caller_fndecl): New decl.
	(call_event::get_callee_fndecl): New decl.
	(class call_event): Make fields protected.
	* diagnostic-manager.cc (null_assignment_sm_context::warn): New
	overload.
	(null_assignment_sm_context::get_new_program_state): New.
	(diagnostic_manager::add_events_for_superedge): Move case
	SUPEREDGE_CALL to a new pending_diagnostic::add_call_event vfunc.
	* engine.cc (impl_sm_context::warn): Implement new override.
	(impl_sm_context::get_new_program_state): New.
	* pending-diagnostic.cc: Include "analyzer/diagnostic-manager.h",
	"cpplib.h", "digraph.h", "ordered-hash-map.h", "cfg.h",
	"basic-block.h", "gimple.h", "gimple-iterator.h", "cgraph.h"
	"analyzer/supergraph.h", "analyzer/program-state.h",
	"alloc-pool.h", "fibonacci_heap.h", "shortest-paths.h",
	"sbitmap.h", "analyzer/exploded-graph.h", "diagnostic-path.h",
	and "analyzer/checker-path.h".
	(ht_ident_eq): New.
	(fixup_location_in_macro_p): New.
	(pending_diagnostic::fixup_location): New.
	(pending_diagnostic::add_call_event): New.
	* pending-diagnostic.h (pending_diagnostic::fixup_location): Drop
	no-op inline implementation in favor of the more complex
	implementation above.
	(pending_diagnostic::add_call_event): New vfunc.
	* region-model-impl-calls.cc: Include "analyzer/sm.h",
	"diagnostic-path.h", and "analyzer/pending-diagnostic.h".
	* region-model-manager.cc
	(region_model_manager::get_var_arg_region): New.
	(region_model_manager::log_stats): Log m_var_arg_regions.
	* region-model.cc (region_model::on_call_pre): Handle IFN_VA_ARG,
	BUILT_IN_VA_START, and BUILT_IN_VA_COPY.
	(region_model::on_call_post): Handle BUILT_IN_VA_END.
	(region_model::get_representative_path_var_1): Handle RK_VAR_ARG.
	(region_model::push_frame): Push variadic arguments.
	* region-model.h (region_model_manager::get_var_arg_region): New
	decl.
	(region_model_manager::m_var_arg_regions): New field.
	(region_model::impl_call_va_start): New decl.
	(region_model::impl_call_va_copy): New decl.
	(region_model::impl_call_va_arg): New decl.
	(region_model::impl_call_va_end): New decl.
	* region.cc (alloca_region::dump_to_pp): Dump the id.
	(var_arg_region::dump_to_pp): New.
	(var_arg_region::get_frame_region): New.
	* region.h (enum region_kind): Add RK_VAR_ARG.
	(region::dyn_cast_var_arg_region): New.
	(class var_arg_region): New.
	(is_a_helper <const var_arg_region *>::test): New.
	(struct default_hash_traits<var_arg_region::key_t>): New.
	* sm.cc (make_checkers): Call make_va_list_state_machine.
	* sm.h (sm_context::warn): New vfunc.
	(sm_context::get_old_svalue): Drop unused decl.
	(sm_context::get_new_program_state): New vfunc.
	(make_va_list_state_machine): New decl.
	* varargs.cc: New file.

2022-05-16  Martin Liska  <mliska@suse.cz>

	* engine.cc (exploded_node::get_dot_fillcolor): Use ARRAY_SIZE.
	* function-set.cc (test_stdio_example): Likewise.
	* sm-file.cc (get_file_using_fns): Likewise.
	* sm-malloc.cc (malloc_state_machine::unaffected_by_call_p): Likewise.
	* sm-signal.cc (get_async_signal_unsafe_fns): Likewise.

2022-05-13  Richard Biener  <rguenther@suse.de>

	* supergraph.cc: Re-order gimple-fold.h include.

2022-05-11  David Malcolm  <dmalcolm@redhat.com>

	* checker-path.cc (state_change_event::get_desc): Call maybe_free
	on label_text temporaries.
	* diagnostic-manager.cc
	(diagnostic_manager::prune_for_sm_diagnostic): Likewise.
	* engine.cc (exploded_graph::~exploded_graph): Fix leak of
	m_per_point_data and m_per_call_string_data values.  Simplify
	cleanup of m_per_function_stats and m_per_point_data values.
	(feasibility_state::maybe_update_for_edge): Fix leak of result of
	superedge::get_description.
	* region-model-manager.cc
	(region_model_manager::~region_model_manager): Move cleanup of
	m_setjmp_values to match the ordering of the fields within
	region_model_manager.  Fix leak of values within
	m_repeated_values_map, m_bits_within_values_map,
	m_asm_output_values_map, and m_const_fn_result_values_map.

2022-04-28  David Malcolm  <dmalcolm@redhat.com>

	PR analyzer/105285
	* store.cc (binding_cluster::get_any_binding): Handle accessing
	sub_svalues of clusters where the base region has a symbolic
	binding.

2022-04-28  David Malcolm  <dmalcolm@redhat.com>

	* diagnostic-manager.cc (epath_finder::process_worklist_item):
	Call dump_feasible_path when a path that reaches the target
	enode is found.
	(epath_finder::dump_feasible_path): New.
	* engine.cc (feasibility_state::dump_to_pp): New.
	* exploded-graph.h (feasibility_state::dump_to_pp): New decl.
	* feasible-graph.cc (feasible_graph::dump_feasible_path): New.
	* feasible-graph.h (feasible_graph::dump_feasible_path): New
	decls.
	* program-point.cc (function_point::print): Fix missing trailing
	newlines.
	* program-point.h (program_point::print_source_line): Remove
	unimplemented decl.

2022-04-25  David Malcolm  <dmalcolm@redhat.com>

	PR analyzer/105365
	PR analyzer/105366
	* svalue.cc
	(cmp_cst): Rename to...
	(cmp_csts_same_type): ...this.  Convert all recursive calls to
	calls to...
	(cmp_csts_and_types): ...this new function.
	(svalue::cmp_ptr): Update for renaming of cmp_cst.
2022-04-14  David Malcolm  <dmalcolm@redhat.com>

	PR analyzer/105264
	* region-model-reachability.cc (reachable_regions::handle_parm):
	Use maybe_get_deref_base_region rather than just region_svalue, to
	handle pointer arithmetic also.
	* svalue.cc (svalue::maybe_get_deref_base_region): New.
	* svalue.h (svalue::maybe_get_deref_base_region): New decl.

2022-04-14  David Malcolm  <dmalcolm@redhat.com>

	PR analyzer/105252
	* svalue.cc (cmp_cst): When comparing VECTOR_CSTs, compare the
	types of the encoded elements before calling cmp_cst on them.

2022-04-09  David Malcolm  <dmalcolm@redhat.com>

	PR analyzer/103892
	* region-model-manager.cc
	(region_model_manager::get_unknown_symbolic_region): New,
	extracted from...
	(region_model_manager::get_field_region): ...here.
	(region_model_manager::get_element_region): Use it here.
	(region_model_manager::get_offset_region): Likewise.
	(region_model_manager::get_sized_region): Likewise.
	(region_model_manager::get_cast_region): Likewise.
	(region_model_manager::get_bit_range): Likewise.
	* region-model.h
	(region_model_manager::get_unknown_symbolic_region): New decl.
	* region.cc (symbolic_region::symbolic_region): Handle sval_ptr
	having NULL type.
	(symbolic_region::dump_to_pp): Handle having NULL type.

2022-04-07  David Malcolm  <dmalcolm@redhat.com>

	PR analyzer/102208
	* store.cc (binding_map::remove_overlapping_bindings): Add
	"always_overlap" param, using it to generalize to the case where
	we want to remove all bindings.  Update "uncertainty" logic to
	only record maybe-bound values for cases where there is a symbolic
	write involved.
	(binding_cluster::mark_region_as_unknown): Split param "reg" into
	"reg_to_bind" and "reg_for_overlap".
	(binding_cluster::maybe_get_compound_binding): Pass "false" to
	binding_map::remove_overlapping_bindings new "always_overlap" param.
	(binding_cluster::remove_overlapping_bindings): Determine
	"always_overlap" and pass it to
	binding_map::remove_overlapping_bindings.
	(store::set_value): Pass uncertainty to remove_overlapping_bindings
	call.  Update for new param of
	binding_cluster::mark_region_as_unknown, passing both the base
	region of the iter_cluster, and the lhs_reg.
	(store::mark_region_as_unknown): Update for new param of
	binding_cluster::mark_region_as_unknown, passing "reg" for both.
	(store::remove_overlapping_bindings): Add param "uncertainty", and
	pass it on to call to
	binding_cluster::remove_overlapping_bindings.
	* store.h (binding_map::remove_overlapping_bindings): Add
	"always_overlap" param.
	(binding_cluster::mark_region_as_unknown): Split param "reg" into
	"reg_to_bind" and "reg_for_overlap".
	(store::remove_overlapping_bindings): Add param "uncertainty".

2022-03-29  David Malcolm  <dmalcolm@redhat.com>

	PR testsuite/105085
	* region-model-manager.cc (dump_untracked_region): Skip decls in
	the constant pool.

2022-03-29  David Malcolm  <dmalcolm@redhat.com>

	PR analyzer/105087
	* analyzer.h (class conjured_purge): New forward decl.
	* region-model-asm.cc (region_model::on_asm_stmt): Add
	conjured_purge param to calls binding_cluster::on_asm and
	region_model_manager::get_or_create_conjured_svalue.
	* region-model-impl-calls.cc
	(call_details::get_or_create_conjured_svalue): Likewise for call
	to region_model_manager::get_or_create_conjured_svalue.
	(region_model::impl_call_fgets): Remove call to
	region_model::purge_state_involving, as this is now done
	implicitly by call_details::get_or_create_conjured_svalue.
	(region_model::impl_call_fread): Likewise.
	(region_model::impl_call_strchr): Pass conjured_purge param to
	call to region_model_manager::get_or_create_conjured_svalue.
	* region-model-manager.cc (conjured_purge::purge): New.
	(region_model_manager::get_or_create_conjured_svalue): Add
	param "p".  Use it to purge state when reusing an existing
	conjured_svalue.
	* region-model.cc (region_model::on_call_pre): Replace call to
	region_model::purge_state_involving with passing conjured_purge
	to region_model_manager::get_or_create_conjured_svalue.
	(region_model::handle_unrecognized_call): Pass conjured_purge to
	store::on_unknown_fncall.
	* region-model.h
	(region_model_manager::get_or_create_conjured_svalue): Add param
	"p".
	* store.cc (binding_cluster::on_unknown_fncall): Likewise.  Pass
	it on to region_model_manager::get_or_create_conjured_svalue.
	(binding_cluster::on_asm): Likewise.
	(store::on_unknown_fncall): Add param "p" and pass it on to
	binding_cluster::on_unknown_fncall.
	* store.h (binding_cluster::on_unknown_fncall): Add param p.
	(binding_cluster::on_asm): Likewise.
	(store::on_unknown_fncall): Likewise.
	* svalue.h (class conjured_purge): New.

2022-03-29  David Malcolm  <dmalcolm@redhat.com>

	PR analyzer/105074
	* region.cc (ipa_ref_requires_tracking): Drop "context_fndecl",
	instead using the ref->referring to get the cgraph node of the
	caller.
	(symnode_requires_tracking_p): Likewise.

2022-03-26  David Malcolm  <dmalcolm@redhat.com>

	PR analyzer/105057
	* store.cc (binding_cluster::make_unknown_relative_to): Reject
	attempts to create a cluster for untracked base regions.
	(store::set_value): Likewise.
	(store::fill_region): Likewise.
	(store::mark_region_as_unknown): Likewise.

2022-03-25  David Malcolm  <dmalcolm@redhat.com>

	PR analyzer/104954
	* analyzer.opt (-fdump-analyzer-untracked): New option.
	* engine.cc (impl_run_checkers): Handle it.
	* region-model-asm.cc (region_model::on_asm_stmt): Don't attempt
	to clobber regions with !tracked_p ().
	* region-model-manager.cc (dump_untracked_region): New.
	(region_model_manager::dump_untracked_regions): New.
	(frame_region::dump_untracked_regions): New.
	* region-model.h (region_model_manager::dump_untracked_regions):
	New decl.
	* region.cc (ipa_ref_requires_tracking): New.
	(symnode_requires_tracking_p): New.
	(decl_region::calc_tracked_p): New.
	* region.h (region::tracked_p): New vfunc.
	(frame_region::dump_untracked_regions): New decl.
	(class decl_region): Note that this is also used for SSA names.
	(decl_region::decl_region): Initialize m_tracked.
	(decl_region::tracked_p): New.
	(decl_region::calc_tracked_p): New decl.
	(decl_region::m_tracked): New.
	* store.cc (store::get_or_create_cluster): Assert that we
	don't try to create clusters for base regions that aren't
	trackable.
	(store::mark_as_escaped): Don't mark base regions that we're not
	tracking.

2022-03-23  David Malcolm  <dmalcolm@redhat.com>

	PR analyzer/104979
	* engine.cc (impl_run_checkers): Create the engine after the
	supergraph, and pass the supergraph to the engine.
	* region-model.cc (region_model::get_lvalue_1): Pass ctxt to
	frame_region::get_region_for_local.
	(region_model::update_for_return_gcall): Pass the lvalue for the
	result to pop_frame as a tree, rather than as a region.
	(region_model::pop_frame): Update for above change, determining
	the destination region after the frame is popped and thus with
	respect to the caller frame rather than the called frame.
	Likewise, set the value of the region to the return value after
	the frame is popped.
	(engine::engine): Add supergraph pointer.
	(selftest::test_stack_frames): Set the DECL_CONTEXT of PARM_DECLs.
	(selftest::test_get_representative_path_var): Likewise.
	(selftest::test_state_merging): Likewise.
	* region-model.h (region_model::pop_frame): Convert first param
	from a const region * to a tree.
	(engine::engine): Add param "sg".
	(engine::m_sg): New field.
	* region.cc: Include "analyzer/sm.h" and
	"analyzer/program-state.h".
	(frame_region::get_region_for_local): Add "ctxt" param.
	Add assertions that VAR_DECLs are locals, and that expr is for the
	correct function.
	* region.h (frame_region::get_region_for_local): Add "ctxt" param.

2022-03-23  David Malcolm  <dmalcolm@redhat.com>

	PR analyzer/105017
	* sm-taint.cc (taint_diagnostic::subclass_equal_p): Check
	m_has_bounds as well as m_arg.
	(tainted_allocation_size::subclass_equal_p): Chain up to base
	class implementation.  Also check m_mem_space.
	(tainted_allocation_size::emit): Add note showing stack-based vs
	heap-based allocations.

2022-03-23  David Malcolm  <dmalcolm@redhat.com>

	PR analyzer/104997
	* diagnostic-manager.cc (diagnostic_manager::add_diagnostic):
	Convert return type from "void" to "bool", reporting success vs
	failure to caller, for both overloads.
	* diagnostic-manager.h (diagnostic_manager::add_diagnostic):
	Likewise.
	* engine.cc (impl_region_model_context::warn): Propagate return
	value from diagnostic_manager::add_diagnostic.

8ca61ad1
GA
2022-03-18  David Malcolm  <dmalcolm@redhat.com>

	PR analyzer/104943
	PR analyzer/104954
	PR analyzer/103533
	* analyzer.h (class state_purge_per_decl): New forward decl.
	* engine.cc (impl_run_checkers): Pass region_model_manager to
	state_purge_map ctor.
	* program-point.cc (function_point::final_stmt_p): New.
	(function_point::get_next): New.
	* program-point.h (function_point::final_stmt_p): New decl.
	(function_point::get_next): New decl.
	* program-state.cc (program_state::prune_for_point): Generalize to
	purge local decls as well as SSA names.
	(program_state::can_purge_base_region_p): New.
	* program-state.h (program_state::can_purge_base_region_p): New
	decl.
	* region-model.cc (struct append_ssa_names_cb_data): Rename to...
	(struct append_regions_cb_data): ...this.
	(region_model::get_ssa_name_regions_for_current_frame): Rename
	to...
	(region_model::get_regions_for_current_frame): ...this, updating
	for other renamings.
	(region_model::append_ssa_names_cb): Rename to...
	(region_model::append_regions_cb): ...this, and drop the requirement
	that the subregion be an SSA name.
	* region-model.h (struct append_ssa_names_cb_data): Rename decl
	to...
	(struct append_regions_cb_data): ...this.
	(region_model::get_ssa_name_regions_for_current_frame): Rename
	decl to...
	(region_model::get_regions_for_current_frame): ...this.
	(region_model::append_ssa_names_cb): Rename decl to...
	(region_model::append_regions_cb): ...this.
	* state-purge.cc: Include "tristate.h", "selftest.h",
	"analyzer/store.h", "analyzer/region-model.h", and
	"gimple-walk.h".
	(get_candidate_for_purging): New.
	(class gimple_op_visitor): New.
	(my_load_cb): New.
	(my_store_cb): New.
	(my_addr_cb): New.
	(state_purge_map::state_purge_map): Add "mgr" param.  Update for
	renamings.  Find uses of local variables.
	(state_purge_map::~state_purge_map): Update for renaming of m_map
	to m_ssa_map.  Clean up m_decl_map.
	(state_purge_map::get_or_create_data_for_decl): New.
	(state_purge_per_ssa_name::state_purge_per_ssa_name): Update for
	inheriting from state_purge_per_tree.
	(state_purge_per_ssa_name::add_to_worklist): Likewise.
	(state_purge_per_decl::state_purge_per_decl): New.
	(state_purge_per_decl::add_needed_at): New.
	(state_purge_per_decl::add_pointed_to_at): New.
	(state_purge_per_decl::process_worklists): New.
	(state_purge_per_decl::add_to_worklist): New.
	(same_binding_p): New.
	(fully_overwrites_p): New.
	(state_purge_per_decl::process_point_backwards): New.
	(state_purge_per_decl::process_point_forwards): New.
	(state_purge_per_decl::needed_at_point_p): New.
	(state_purge_annotator::print_needed): Generalize to print local
	decls as well as SSA names.
	* state-purge.h (class state_purge_map): Update leading comment.
	(state_purge_map::map_t): Rename to...
	(state_purge_map::ssa_map_t): ...this.
	(state_purge_map::iterator): Rename to...
	(state_purge_map::ssa_iterator): ...this.
	(state_purge_map::decl_map_t): New typedef.
	(state_purge_map::decl_iterator): New typedef.
	(state_purge_map::state_purge_map): Add "mgr" param.
	(state_purge_map::get_data_for_ssa_name): Update for renaming.
	(state_purge_map::get_any_data_for_decl): New.
	(state_purge_map::get_or_create_data_for_decl): New decl.
	(state_purge_map::begin): Rename to...
	(state_purge_map::begin_ssas): ...this.
	(state_purge_map::end): Rename to...
	(state_purge_map::end_ssa): ...this.
	(state_purge_map::begin_decls): New.
	(state_purge_map::end_decls): New.
	(state_purge_map::m_map): Rename to...
	(state_purge_map::m_ssa_map): ...this.
	(state_purge_map::m_decl_map): New field.
	(class state_purge_per_tree): New class.
	(class state_purge_per_ssa_name): Inherit from state_purge_per_tree.
	(state_purge_per_ssa_name::get_function): Move to base class.
	(state_purge_per_ssa_name::point_set_t): Likewise.
	(state_purge_per_ssa_name::m_fun): Likewise.
	(class state_purge_per_decl): New.

2022-03-17  David Malcolm  <dmalcolm@redhat.com>

	* state-purge.cc (state_purge_annotator::add_node_annotations):
	Avoid duplicate before-supernode annotations when returning from
	an interprocedural call.  Show after-supernode annotations.

2022-03-17  David Malcolm  <dmalcolm@redhat.com>

	* program-point.cc (program_point::get_next): Fix missing
	increment of index.

2022-03-16  David Malcolm  <dmalcolm@redhat.com>

	PR analyzer/104955
	* diagnostic-manager.cc (get_emission_location): New.
	(diagnostic_manager::diagnostic_manager): Initialize
	m_num_disabled_diagnostics.
	(diagnostic_manager::add_diagnostic): Reject diagnostics that
	will eventually be rejected due to being disabled.
	(diagnostic_manager::emit_saved_diagnostics): Log the number
	of disabled diagnostics.
	(diagnostic_manager::emit_saved_diagnostic): Split out logic for
	determining emission location to get_emission_location.
	* diagnostic-manager.h
	(diagnostic_manager::m_num_disabled_diagnostics): New field.
	* engine.cc (stale_jmp_buf::get_controlling_option): New.
	(stale_jmp_buf::emit): Use it.
	* pending-diagnostic.h
	(pending_diagnostic::get_controlling_option): New vfunc.
	* region-model.cc
	(poisoned_value_diagnostic::get_controlling_option): New.
	(poisoned_value_diagnostic::emit): Use it.
	(shift_count_negative_diagnostic::get_controlling_option): New.
	(shift_count_negative_diagnostic::emit): Use it.
	(shift_count_overflow_diagnostic::get_controlling_option): New.
	(shift_count_overflow_diagnostic::emit): Use it.
	(dump_path_diagnostic::get_controlling_option): New.
	(dump_path_diagnostic::emit): Use it.
	(write_to_const_diagnostic::get_controlling_option): New.
	(write_to_const_diagnostic::emit): Use it.
	(write_to_string_literal_diagnostic::get_controlling_option): New.
	(write_to_string_literal_diagnostic::emit): Use it.
	* sm-file.cc (double_fclose::get_controlling_option): New.
	(double_fclose::emit): Use it.
	(file_leak::get_controlling_option): New.
	(file_leak::emit): Use it.
	* sm-malloc.cc (mismatching_deallocation::get_controlling_option):
	New.
	(mismatching_deallocation::emit): Use it.
	(double_free::get_controlling_option): New.
	(double_free::emit): Use it.
	(possible_null_deref::get_controlling_option): New.
	(possible_null_deref::emit): Use it.
	(possible_null_arg::get_controlling_option): New.
	(possible_null_arg::emit): Use it.
	(null_deref::get_controlling_option): New.
	(null_deref::emit): Use it.
	(null_arg::get_controlling_option): New.
	(null_arg::emit): Use it.
	(use_after_free::get_controlling_option): New.
	(use_after_free::emit): Use it.
	(malloc_leak::get_controlling_option): New.
	(malloc_leak::emit): Use it.
	(free_of_non_heap::get_controlling_option): New.
	(free_of_non_heap::emit): Use it.
	* sm-pattern-test.cc (pattern_match::get_controlling_option): New.
	(pattern_match::emit): Use it.
	* sm-sensitive.cc
	(exposure_through_output_file::get_controlling_option): New.
	(exposure_through_output_file::emit): Use it.
	* sm-signal.cc (signal_unsafe_call::get_controlling_option): New.
	(signal_unsafe_call::emit): Use it.
	* sm-taint.cc (tainted_array_index::get_controlling_option): New.
	(tainted_array_index::emit): Use it.
	(tainted_offset::get_controlling_option): New.
	(tainted_offset::emit): Use it.
	(tainted_size::get_controlling_option): New.
	(tainted_size::emit): Use it.
	(tainted_divisor::get_controlling_option): New.
	(tainted_divisor::emit): Use it.
	(tainted_allocation_size::get_controlling_option): New.
	(tainted_allocation_size::emit): Use it.

2022-03-15  David Malcolm  <dmalcolm@redhat.com>

	* store.cc (store::store): Presize m_cluster_map.

2022-03-10  David Malcolm  <dmalcolm@redhat.com>

	PR analyzer/104863
	* constraint-manager.cc (constraint_manager::add_constraint):
	Refresh the EC IDs when adding constraints implied by offsets.

2022-03-10  David Malcolm  <dmalcolm@redhat.com>

	PR analyzer/104793
	* analyzer.h (class pending_note): New forward decl.
	* diagnostic-manager.cc (saved_diagnostic::saved_diagnostic):
	Initialize m_notes.
	(saved_diagnostic::operator==): Compare m_notes.
	(saved_diagnostic::add_note): New.
	(saved_diagnostic::emit_any_notes): New.
	(diagnostic_manager::add_note): New.
	(diagnostic_manager::emit_saved_diagnostic): Call emit_any_notes
	after emitting the warning.
	* diagnostic-manager.h (saved_diagnostic::add_note): New decl.
	(saved_diagnostic::emit_any_notes): New decl.
	(saved_diagnostic::m_notes): New field.
	(diagnostic_manager::add_note): New decl.
	* engine.cc (impl_region_model_context::add_note): New.
	* exploded-graph.h (impl_region_model_context::add_note): New
	decl.
	* pending-diagnostic.h (class pending_note): New.
	(class pending_note_subclass): New template.
	* region-model.cc (class reason_attr_access): New.
	(check_external_function_for_access_attr): Add class
	annotating_ctxt and use it when checking region.
	(noop_region_model_context::add_note): New.
	* region-model.h (region_model_context::add_note): New vfunc.
	(noop_region_model_context::add_note): New decl.
	(class region_model_context_decorator): New.
	(class note_adding_context): New.

2022-03-10  David Malcolm  <dmalcolm@redhat.com>

	PR analyzer/104793
	* region-model.cc
	(region_model::check_external_function_for_access_attr): New.
	(region_model::handle_unrecognized_call): Call it.
	* region-model.h
	(region_model::check_external_function_for_access_attr): New decl.
	(region_model::handle_unrecognized_call): New decl.

2022-03-10  David Malcolm  <dmalcolm@redhat.com>

	* sm-taint.cc (taint_state_machine::check_for_tainted_size_arg):
	Avoid generating duplicate saved_diagnostics by only handling the
	rdwr_map entry for the ptrarg, not the duplicate entry for the
	sizarg.

2022-03-07  David Malcolm  <dmalcolm@redhat.com>

	PR analyzer/101983
	* engine.cc (returning_from_function_p): New.
	(impl_region_model_context::on_state_leak): Use it when rejecting
	leaks at the return from "main".

2022-03-07  Jakub Jelinek  <jakub@redhat.com>

	* store.cc: Fix up duplicated word issue in a comment.
	* analyzer.cc: Likewise.
	* engine.cc: Likewise.
	* sm-taint.cc: Likewise.

2022-03-04  David Malcolm  <dmalcolm@redhat.com>

	PR analyzer/103521
	* analyzer.opt (-param=analyzer-max-svalue-depth=): Reduce from 13
	to 12.

2022-02-23  David Malcolm  <dmalcolm@redhat.com>

	PR analyzer/104434
	* analyzer.h (class const_fn_result_svalue): New decl.
	* region-model-impl-calls.cc (call_details::get_manager): New.
	* region-model-manager.cc
	(region_model_manager::get_or_create_const_fn_result_svalue): New.
	(region_model_manager::log_stats): Log
	m_const_fn_result_values_map.
	* region-model.cc (const_fn_p): New.
	(maybe_get_const_fn_result): New.
	(region_model::on_call_pre): Handle fndecls with
	__attribute__((const)) by calling the above rather than making
	a conjured_svalue.
	* region-model.h (visitor::visit_const_fn_result_svalue): New.
	(region_model_manager::get_or_create_const_fn_result_svalue): New
	decl.
	(region_model_manager::const_fn_result_values_map_t): New typedef.
	(region_model_manager::m_const_fn_result_values_map): New field.
	(call_details::get_manager): New decl.
	* svalue.cc (svalue::cmp_ptr): Handle SK_CONST_FN_RESULT.
	(const_fn_result_svalue::dump_to_pp): New.
	(const_fn_result_svalue::dump_input): New.
	(const_fn_result_svalue::accept): New.
	* svalue.h (enum svalue_kind): Add SK_CONST_FN_RESULT.
	(svalue::dyn_cast_const_fn_result_svalue): New.
	(class const_fn_result_svalue): New.
	(is_a_helper <const const_fn_result_svalue *>::test): New.
	(template <> struct default_hash_traits<const_fn_result_svalue::key_t>):
	New.

2022-02-17  David Malcolm  <dmalcolm@redhat.com>

	PR analyzer/104576
	* region-model.cc: Include "calls.h".
	(region_model::on_call_pre): Use flags_from_decl_or_type to
	generalize check for DECL_PURE_P to also check for ECF_CONST.

2022-02-16  David Malcolm  <dmalcolm@redhat.com>

	PR analyzer/104560
	* diagnostic-manager.cc (diagnostic_manager::build_emission_path):
	Add region creation events for globals of interest.
	(null_assignment_sm_context::get_old_program_state): New.
	(diagnostic_manager::add_events_for_eedge): Move check for
	changing dynamic extents from PK_BEFORE_STMT case to after the
	switch on the dst_point's kind so that we can emit them for the
	final stmt in a basic block.
	* engine.cc (impl_sm_context::get_old_program_state): New.
	* sm-malloc.cc (malloc_state_machine::get_default_state): Rewrite
	detection of m_non_heap to use get_memory_space.
	(free_of_non_heap::free_of_non_heap): Add freed_reg param.
	(free_of_non_heap::subclass_equal_p): Update for changes to
	fields.
	(free_of_non_heap::emit): Drop m_kind in favor of
	get_memory_space.
	(free_of_non_heap::describe_state_change): Remove logic for
	detecting alloca.
	(free_of_non_heap::mark_interesting_stuff): Add region-creation of
	m_freed_reg.
	(free_of_non_heap::get_memory_space): New.
	(free_of_non_heap::kind): Drop enum.
	(free_of_non_heap::m_freed_reg): New field.
	(free_of_non_heap::m_kind): Drop field.
	(malloc_state_machine::on_stmt): Drop transition to m_non_heap.
	(malloc_state_machine::handle_free_of_non_heap): New function,
	split out from on_deallocator_call and on_realloc_call, adding
	detection of the freed region.
	(malloc_state_machine::on_deallocator_call): Use it.
	(malloc_state_machine::on_realloc_call): Likewise.
	* sm.h (sm_context::get_old_program_state): New vfunc.

2022-02-15  David Malcolm  <dmalcolm@redhat.com>

	PR analyzer/104524
	* region-model-manager.cc
	(region_model_manager::maybe_fold_sub_svalue): Only call
	get_or_create_cast if type is non-NULL.

2022-02-15  David Malcolm  <dmalcolm@redhat.com>

	PR analyzer/102692
	* exploded-graph.h (impl_region_model_context::get_stmt): New.
	* region-model.cc: Include "gimple-ssa.h", "tree-phinodes.h",
	"tree-ssa-operands.h", and "ssa-iterators.h".
	(within_short_circuited_stmt_p): New.
	(region_model::check_for_poison): Don't warn about uninit values
	if within_short_circuited_stmt_p.
	* region-model.h (region_model_context::get_stmt): New vfunc.
	(noop_region_model_context::get_stmt): New.

2022-02-11  David Malcolm  <dmalcolm@redhat.com>

	PR analyzer/104274
	* region-model.cc (region_model::check_for_poison): Ignore
	uninitialized uses of empty types.

2022-02-10  David Malcolm  <dmalcolm@redhat.com>

	PR analyzer/98797
	* region-model-manager.cc
	(region_model_manager::maybe_fold_sub_svalue): Generalize getting
	individual chars of a STRING_CST from element_region to any
	subregion which is a concrete access of a single byte from its
	parent region.
	* region.cc (region::get_relative_concrete_byte_range): New.
	* region.h (region::get_relative_concrete_byte_range): New decl.

2022-02-09  David Malcolm  <dmalcolm@redhat.com>

	PR analyzer/104452
	* region-model.cc (selftest::test_bit_range_regions): New.
	(selftest::analyzer_region_model_cc_tests): Call it.
	* region.h (bit_range_region::key_t::hash): Fix hashing of m_bits
	to avoid using uninitialized data.

2022-02-07  David Malcolm  <dmalcolm@redhat.com>

	PR analyzer/104417
	* sm-taint.cc (tainted_allocation_size::tainted_allocation_size):
	Remove overzealous assertion.
	(tainted_allocation_size::emit): Likewise.
	(region_model::check_dynamic_size_for_taint): Likewise.

2022-02-07  David Malcolm  <dmalcolm@redhat.com>

	PR analyzer/103872
	* region-model-impl-calls.cc (region_model::impl_call_memcpy):
	Reimplement in terms of a get_store_value followed by a set_value.

2022-02-03  David Malcolm  <dmalcolm@redhat.com>

	PR analyzer/104369
	* engine.cc (exploded_graph::process_node): Use the node for any
	diagnostics, avoiding ICE if a bifurcation update adds a
	saved_diagnostic, such as for a tainted realloc size.
	* region-model-impl-calls.cc
	(region_model::impl_call_realloc::success_no_move::update_model):
	Require the old pointer to be non-NULL to be able to successfully
	grow in place.  Use model->deref_rvalue rather than maybe_get_region
	to support the old pointer being symbolic.
	(region_model::impl_call_realloc::success_with_move::update_model):
	Likewise.  Add a constraint that the new pointer != the old pointer.
	Use a sized_region when setting the value of the new region.
	Handle the case where we don't know the dynamic size of the old
	region by marking the new region as unknown.
	* sm-taint.cc (tainted_allocation_size::tainted_allocation_size):
	Update assertion to also allow for MEMSPACE_UNKNOWN.
	(tainted_allocation_size::emit): Likewise.
	(region_model::check_dynamic_size_for_taint): Likewise.

2022-02-03  David Malcolm  <dmalcolm@redhat.com>

	* region-model-impl-calls.cc (region_model::impl_call_calloc): Use
	a sized_region when calling zero_fill_region.

2022-02-02  David Malcolm  <dmalcolm@redhat.com>

	* region-model.cc (region_model::on_return): Replace usage of
	copy_region with get_rvalue/set_value pair.
	(region_model::pop_frame): Likewise.
	(selftest::test_compound_assignment): Likewise.
	* region-model.h (region_model::copy_region): Delete decl.
	* region.cc (region_model::copy_region): Delete.

2022-02-02  David Malcolm  <dmalcolm@redhat.com>

	* region.cc (region::calc_offset): Consolidate effectively
	identical cases.

2022-02-02  David Malcolm  <dmalcolm@redhat.com>

	* analyzer.h (class bit_range_region): New forward decl.
	* region-model-manager.cc (region_model_manager::get_bit_range):
	New.
	(region_model_manager::log_stats): Handle m_bit_range_regions.
	* region-model.cc (region_model::get_lvalue_1): Handle
	BIT_FIELD_REF.
	* region-model.h (region_model_manager::get_bit_range): New decl.
	(region_model_manager::m_bit_range_regions): New field.
	* region.cc (region::get_base_region): Handle RK_BIT_RANGE.
	(region::base_region_p): Likewise.
	(region::calc_offset): Likewise.
	(bit_range_region::dump_to_pp): New.
	(bit_range_region::get_byte_size): New.
	(bit_range_region::get_bit_size): New.
	(bit_range_region::get_byte_size_sval): New.
	(bit_range_region::get_relative_concrete_offset): New.
	* region.h (enum region_kind): Add RK_BIT_RANGE.
	(region::dyn_cast_bit_range_region): New vfunc.
	(class bit_range_region): New.
	(is_a_helper <const bit_range_region *>::test): New.
	(default_hash_traits<bit_range_region::key_t>): New.

2022-02-02  David Malcolm  <dmalcolm@redhat.com>

	PR analyzer/104270
	* region-model.cc (region_model::on_call_pre): Handle
	IFN_DEFERRED_INIT.

2022-01-27  David Malcolm  <dmalcolm@redhat.com>

	* checker-path.cc (event_kind_to_string): Handle
	EK_REGION_CREATION.
	(region_creation_event::region_creation_event): New.
	(region_creation_event::get_desc): New.
	(checker_path::add_region_creation_event): New.
	* checker-path.h (enum event_kind): Add EK_REGION_CREATION.
	(class region_creation_event): New subclass.
	(checker_path::add_region_creation_event): New decl.
	* diagnostic-manager.cc
	(diagnostic_manager::emit_saved_diagnostic): Pass NULL for new
	param to add_events_for_eedge when handling trailing eedge.
	(diagnostic_manager::build_emission_path): Create an interesting_t
	instance, allow the pending diagnostic to populate it, and pass it
	to the calls to add_events_for_eedge.
	(diagnostic_manager::add_events_for_eedge): Add "interest" param.
	Use it to add region_creation_events for on-stack regions created
	at function entry, and when pertinent dynamically-sized
	regions are created.
	(diagnostic_manager::prune_for_sm_diagnostic): Add case for
	EK_REGION_CREATION.
	* diagnostic-manager.h (diagnostic_manager::add_events_for_eedge):
	Add "interest" param.
	* pending-diagnostic.cc: Include "selftest.h", "tristate.h",
	"analyzer/call-string.h", "analyzer/program-point.h",
	"analyzer/store.h", and "analyzer/region-model.h".
	(interesting_t::add_region_creation): New.
	(interesting_t::dump_to_pp): New.
	* pending-diagnostic.h (struct interesting_t): New.
	(pending_diagnostic::mark_interesting_stuff): New vfunc.
	* region-model.cc
	(poisoned_value_diagnostic::poisoned_value_diagnostic): Add
	(poisoned_value_diagnostic::operator==): Compare m_pkind and
	m_src_region fields.
	(poisoned_value_diagnostic::mark_interesting_stuff): New.
	(poisoned_value_diagnostic::m_src_region): New.
	(region_model::check_for_poison): Call
	get_region_for_poisoned_expr for uninit values and pass the result
	to the diagnostic.
	(region_model::get_region_for_poisoned_expr): New.
	(region_model::deref_rvalue): Pass NULL for
	poisoned_value_diagnostic's src_region.
	* region-model.h (region_model::get_region_for_poisoned_expr): New
	decl.
	* region.h (frame_region::get_fndecl): New.

2022-01-27  Martin Liska  <mliska@suse.cz>

	PR analyzer/104247
	* constraint-manager.cc (bounded_ranges_manager::log_stats):
	Cast to long for format purpose.
	* region-model-manager.cc (log_uniq_map): Likewise.

2022-01-26  David Malcolm  <dmalcolm@redhat.com>

	PR analyzer/104224
	* region-model.cc (region_model::check_call_args): New.
	(region_model::on_call_pre): Call it when ignoring stdio builtins.
	* region-model.h (region_model::check_call_args): New decl.

2022-01-26  David Malcolm  <dmalcolm@redhat.com>

	PR analyzer/94362
	* constraint-manager.cc (range::add_bound): Fix tests for
	discarding redundant constraints.  Perform test for rejecting
	unsatisfiable constraints earlier so that they don't update
	the object on failure.
	(selftest::test_range): New.
	(selftest::test_constant_comparisons): Add test coverage for
	existing constraints becoming narrower until they are
	unsatisfiable.
	(selftest::run_constraint_manager_tests): Call test_range.

2022-01-22  David Malcolm  <dmalcolm@redhat.com>

	PR analyzer/104159
	* region-model-manager.cc
	(region_model_manager::get_or_create_cast): Bail out if the types
	are the same.  Don't attempt to handle casts involving vector
	types.

2022-01-20  David Malcolm  <dmalcolm@redhat.com>

	PR analyzer/94362
	* constraint-manager.cc (bound::ensure_closed): Convert param to
	enum bound_kind.
	(range::constrained_to_single_element): Likewise.
	(range::add_bound): New.
	(constraint_manager::add_constraint): Handle SVAL + OFFSET
	compared to a constant.
	(constraint_manager::get_ec_bounds): Rewrite in terms of
	range::add_bound.
	(constraint_manager::eval_condition): Reject if range::add_bound
	fails.
	(selftest::test_constant_comparisons): Add test coverage for
	various impossible combinations of integer comparisons.
	* constraint-manager.h (enum bound_kind): New.
	(struct bound): Likewise.
	(bound::ensure_closed): Convert param to enum bound_kind.
	(struct range): Convert to...
	(class range): ...this, making fields private.
	(range::add_bound): New decls.
	* region-model.cc (region_model::add_constraint): Fail if
	constraint_manager::add_constraint fails.

2022-01-18  David Malcolm  <dmalcolm@redhat.com>

	PR analyzer/104089
	* region-model-manager.cc
	(region_model_manager::get_or_create_constant_svalue): Assert that
	we have a CONSTANT_CLASS_P.
	(region_model_manager::maybe_fold_unaryop): Only fold a constant
	when fold_unary's result is a constant or a cast of a constant.

2022-01-18  David Malcolm  <dmalcolm@redhat.com>

	PR analyzer/104062
	* region-model-manager.cc
	(region_model_manager::maybe_fold_sub_svalue): Avoid casting to
	NULL type when folding access to repeated svalue.

2022-01-17  Martin Liska  <mliska@suse.cz>

	* analyzer.cc (is_special_named_call_p): Rename .c names to .cc.
	(is_named_call_p): Likewise.
	* region-model-asm.cc (deterministic_p): Likewise.
	* region.cc (field_region::get_relative_concrete_offset): Likewise.
	* sm-malloc.cc (method_p): Likewise.
	* supergraph.cc (superedge::dump_dot): Likewise.

2022-01-14  David Malcolm  <dmalcolm@redhat.com>

	* sm-taint.cc (taint_state_machine::combine_states): Handle combination
	of has_ub and has_lb.

2022-01-14  David Malcolm  <dmalcolm@redhat.com>

	PR analyzer/104029
	* sm-taint.cc (taint_state_machine::alt_get_inherited_state):
	Remove gcc_unreachable from default case for unary ops.

2022-01-14  David Malcolm  <dmalcolm@redhat.com>

	* engine.cc: Include "stringpool.h", "attribs.h", and
	"tree-dfa.h".
	(mark_params_as_tainted): New.
	(class tainted_args_function_custom_event): New.
	(class tainted_args_function_info): New.
	(exploded_graph::add_function_entry): Handle functions with
	"tainted_args" attribute.
	(class tainted_args_field_custom_event): New.
	(class tainted_args_callback_custom_event): New.
	(class tainted_args_call_info): New.
	(add_tainted_args_callback): New.
	(add_any_callbacks): New.
	(exploded_graph::build_initial_worklist): Likewise.
	(exploded_graph::build_initial_worklist): Find callbacks that are
	reachable from global initializers, calling add_any_callbacks on
	them.

2022-01-12  David Malcolm  <dmalcolm@redhat.com>

	PR analyzer/103940
	* engine.cc (impl_sm_context::impl_sm_context): Add
	"unknown_side_effects" param and use it to initialize
	new m_unknown_side_effects field.
	(impl_sm_context::unknown_side_effects_p): New.
	(impl_sm_context::m_unknown_side_effects): New.
	(exploded_node::on_stmt): Pass unknown_side_effects to sm_ctxt
	ctor.
	* sm-taint.cc: Include "stringpool.h" and "attribs.h".
	(tainted_size::tainted_size): Drop "dir" param.
	(tainted_size::get_kind): Drop "FINAL".
	(tainted_size::emit): Likewise.
	(tainted_size::m_dir): Drop unused field.
	(class tainted_access_attrib_size): New subclass.
	(taint_state_machine::on_stmt): Call check_for_tainted_size_arg on
	external functions with unknown side effects.
	(taint_state_machine::check_for_tainted_size_arg): New.
	(region_model::check_region_for_taint): Drop "dir" param from
	tainted_size ctor.
	* sm.h (sm_context::unknown_side_effects_p): New.

2022-01-11  David Malcolm  <dmalcolm@redhat.com>

	PR analyzer/102692
	* diagnostic-manager.cc
	(class auto_disable_complexity_checks): Rename to...
	(class auto_checking_feasibility): ...this, updating
	the calls accordingly.
	(epath_finder::explore_feasible_paths): Update for renaming.
	* region-model-manager.cc
	(region_model_manager::region_model_manager): Update for change from
	m_check_complexity to m_checking_feasibility.
	(region_model_manager::reject_if_too_complex): Likewise.
	(region_model_manager::get_or_create_unknown_svalue): Handle
	m_checking_feasibility.
	(region_model_manager::create_unique_svalue): New.
	(region_model_manager::maybe_fold_binop): Handle BIT_AND_EXPR and
	BIT_IOR_EXPRs on booleans where we know the result.
	* region-model.cc (test_binop_svalue_folding): Add test coverage
	for the above.
	* region-model.h (region_model_manager::create_unique_svalue): New
	decl.
	(region_model_manager::enable_complexity_check): Replace with...
	(region_model_manager::begin_checking_feasibility): ...this.
	(region_model_manager::disable_complexity_check): Replace with...
	(region_model_manager::end_checking_feasibility): ...this.
	(region_model_manager::m_check_complexity): Replace with...
	(region_model_manager::m_checking_feasibility): ...this.
	(region_model_manager::m_managed_dynamic_svalues): New field.

28142022-01-08 David Malcolm <dmalcolm@redhat.com>
2815
2816 * engine.cc (impl_run_checkers): Pass logger to engine ctor.
2817 * region-model-manager.cc
2818 (region_model_manager::region_model_manager): Add logger param and
2819 use it to initialize m_logger.
2820 * region-model.cc (engine::engine): New.
2821 * region-model.h (region_model_manager::region_model_manager):
2822 Add logger param.
2823 (region_model_manager::get_logger): New.
2824 (region_model_manager::m_logger): New field.
2825 (engine::engine): New.
2826 * store.cc (store_manager::get_logger): New.
2827 (store::set_value): Log scope. Log when marking a cluster as
2828 unknown due to possible aliasing.
2829 * store.h (store_manager::get_logger): New decl.
2830
28312022-01-08 David Malcolm <dmalcolm@redhat.com>
2832
2833 * region-model-impl-calls.cc (cmp_decls): New.
2834 (cmp_decls_ptr_ptr): New.
2835 (region_model::impl_call_analyzer_dump_escaped): New.
2836 * region-model.cc (region_model::on_stmt_pre): Handle
2837 __analyzer_dump_escaped.
2838 * region-model.h (region_model::impl_call_analyzer_dump_escaped):
2839 New decl.
2840 * store.h (binding_cluster::get_base_region): New accessor.
2841
28422022-01-08 David Malcolm <dmalcolm@redhat.com>
2843
2844 * region.cc (region::is_named_decl_p): New.
2845 * region.h (region::is_named_decl_p): New decl.
2846
11ce8d04
GA
28472022-01-06 David Malcolm <dmalcolm@redhat.com>
2848
2849 PR analyzer/103546
2850 * store.cc (store::eval_alias_1): Refactor handling of decl
2851 regions, adding a test for may_be_aliased, rejecting those for
2852 which it returns false.
2853
c8dcf64b
GA
28542021-12-12 Jonathan Wakely <jwakely@redhat.com>
2855
2856 * engine.cc: Define INCLUDE_MEMORY instead of INCLUDE_UNIQUE_PTR.
2857
3a580f96
GA
28582021-12-06 David Malcolm <dmalcolm@redhat.com>
2859
2860 PR analyzer/103533
2861 * constraint-manager.cc (equiv_class::contains_non_constant_p):
2862 New.
2863 (constraint_manager::canonicalize): Call it when determining
2864 redundant ECs.
2865 (selftest::test_purging): New selftest.
2866 (selftest::run_constraint_manager_tests): Likewise.
2867 * constraint-manager.h (equiv_class::contains_non_constant_p):
2868 New decl.
2869
40fa651e
GA
2021-12-01  David Malcolm  <dmalcolm@redhat.com>

	PR analyzer/102471
	* region-model-reachability.cc (reachable_regions::handle_parm):
	Treat all svalues within a compound parm as reachable, and those
	wrapped in a cast.

2021-11-29  David Malcolm  <dmalcolm@redhat.com>

	PR analyzer/103217
	* store.cc (binding_cluster::can_merge_p): For the "key is bound"
	vs "key is not bound" merger case, check that the bound svalue
	is mergeable before merging it to "unknown", rejecting the merger
	otherwise.

2021-11-19  David Malcolm  <dmalcolm@redhat.com>

	PR analyzer/103217
	* engine.cc (exploded_graph::get_or_create_node): Pass in
	m_ext_state to program_state::can_merge_with_p.
	(exploded_graph::process_worklist): Likewise.
	(exploded_graph::maybe_process_run_of_before_supernode_enodes):
	Likewise.
	(exploded_graph::process_node): Add missing call to detect_leaks
	when handling phi nodes.
	* program-state.cc (program_state::can_merge_with_p): Add
	"ext_state" param. Pass it and state ptrs to
	region_model::can_merge_with_p.
	(selftest::test_program_state_merging): Update for new ext_state
	param of program_state::can_merge_with_p.
	(selftest::test_program_state_merging_2): Likewise.
	* program-state.h (program_state::can_purge_p): Make const.
	(program_state::can_merge_with_p): Add "ext_state" param.
	* region-model.cc: Include "analyzer/program-state.h".
	(region_model::can_merge_with_p): Add params "ext_state",
	"state_a", and "state_b", use them when creating model_merger
	object.
	(model_merger::mergeable_svalue_p): New.
	* region-model.h (region_model::can_merge_with_p): Add params
	"ext_state", "state_a", and "state_b".
	(model_merger::model_merger): Likewise, initializing new fields.
	(model_merger::mergeable_svalue_p): New decl.
	(model_merger::m_ext_state): New field.
	(model_merger::m_state_a): New field.
	(model_merger::m_state_b): New field.
	* svalue.cc (svalue::can_merge_p): Call
	model_merger::mergeable_svalue_p on both states and reject the
	merger accordingly.

2021-11-17  David Malcolm  <dmalcolm@redhat.com>

	PR analyzer/102695
	* region-model-impl-calls.cc (region_model::impl_call_strchr): New.
	* region-model-manager.cc
	(region_model_manager::maybe_fold_unaryop): Simplify cast to
	pointer type of an existing pointer to a region.
	* region-model.cc (region_model::on_call_pre): Handle
	BUILT_IN_STRCHR and "strchr".
	(write_to_const_diagnostic::emit): Add auto_diagnostic_group. Add
	alternate wordings for functions and labels.
	(write_to_const_diagnostic::describe_final_event): Add alternate
	wordings for functions and labels.
	(region_model::check_for_writable_region): Handle RK_FUNCTION and
	RK_LABEL.
	* region-model.h (region_model::impl_call_strchr): New decl.

2021-11-16  David Malcolm  <dmalcolm@redhat.com>

	PR analyzer/102662
	* constraint-manager.cc (bounded_range::operator==): Require the
	types to be the same for equality.

2021-11-13  David Malcolm  <dmalcolm@redhat.com>

	* analyzer.opt (Wanalyzer-tainted-allocation-size): New.
	(Wanalyzer-tainted-divisor): New.
	(Wanalyzer-tainted-offset): New.
	(Wanalyzer-tainted-size): New.
	* engine.cc (impl_region_model_context::get_taint_map): New.
	* exploded-graph.h (impl_region_model_context::get_taint_map):
	New decl.
	* program-state.cc (sm_state_map::get_state): Call
	alt_get_inherited_state.
	(sm_state_map::impl_set_state): Modify states within
	compound svalues.
	(program_state::impl_call_analyzer_dump_state): Undo casts.
	(selftest::test_program_state_1): Update for new context param of
	create_region_for_heap_alloc.
	(selftest::test_program_state_merging): Likewise.
	* region-model-impl-calls.cc (region_model::impl_call_alloca):
	Likewise.
	(region_model::impl_call_calloc): Likewise.
	(region_model::impl_call_malloc): Likewise.
	(region_model::impl_call_operator_new): Likewise.
	(region_model::impl_call_realloc): Likewise.
	* region-model.cc (region_model::check_region_access): Call
	check_region_for_taint.
	(region_model::get_representative_path_var_1): Handle binops.
	(region_model::create_region_for_heap_alloc): Add "ctxt" param and
	pass it to set_dynamic_extents.
	(region_model::create_region_for_alloca): Likewise.
	(region_model::set_dynamic_extents): Add "ctxt" param and use it
	to call check_dynamic_size_for_taint.
	(selftest::test_state_merging): Update for new context param of
	create_region_for_heap_alloc.
	(selftest::test_malloc_constraints): Likewise.
	(selftest::test_malloc): Likewise.
	(selftest::test_alloca): Likewise for create_region_for_alloca.
	* region-model.h (region_model::create_region_for_heap_alloc): Add
	"ctxt" param.
	(region_model::create_region_for_alloca): Likewise.
	(region_model::set_dynamic_extents): Likewise.
	(region_model::check_dynamic_size_for_taint): New decl.
	(region_model::check_region_for_taint): New decl.
	(region_model_context::get_taint_map): New vfunc.
	(noop_region_model_context::get_taint_map): New.
	* sm-taint.cc: Remove include of "diagnostic-event-id.h"; add
	includes of "gimple-iterator.h", "tristate.h", "selftest.h",
	"ordered-hash-map.h", "cgraph.h", "cfg.h", "digraph.h",
	"analyzer/supergraph.h", "analyzer/call-string.h",
	"analyzer/program-point.h", "analyzer/store.h",
	"analyzer/region-model.h", and "analyzer/program-state.h".
	(enum bounds): Move to top of file.
	(class taint_diagnostic): New.
	(class tainted_array_index): Convert to subclass of taint_diagnostic.
	(tainted_array_index::emit): Add CWE-129. Reword warning to use
	"attacker-controlled" rather than "tainted".
	(tainted_array_index::describe_state_change): Move to
	taint_diagnostic::describe_state_change.
	(tainted_array_index::describe_final_event): Reword to use
	"attacker-controlled" rather than "tainted".
	(class tainted_offset): New.
	(class tainted_size): New.
	(class tainted_divisor): New.
	(class tainted_allocation_size): New.
	(taint_state_machine::alt_get_inherited_state): New.
	(taint_state_machine::on_stmt): In assignment handling, remove
	ARRAY_REF handling in favor of check_region_for_taint. Add
	detection of tainted divisors.
	(taint_state_machine::get_taint): New.
	(taint_state_machine::combine_states): New.
	(region_model::check_region_for_taint): New.
	(region_model::check_dynamic_size_for_taint): New.
	* sm.h (state_machine::alt_get_inherited_state): New.

2021-11-12  David Malcolm  <dmalcolm@redhat.com>

	* engine.cc (exploded_node::on_stmt_pre): Return when handling
	"__analyzer_dump_state".

2021-11-11  Richard Biener  <rguenther@suse.de>

	* supergraph.cc: Include bitmap.h.

2021-11-04  David Malcolm  <dmalcolm@redhat.com>

	* program-state.cc (sm_state_map::dump): Use default_tree_printer
	as format decoder.

2021-09-16  Maxim Blinov  <maxim.blinov@embecosm.com>

	PR bootstrap/102242
	* engine.cc (INCLUDE_UNIQUE_PTR): Define.

2021-09-08  David Malcolm  <dmalcolm@redhat.com>

	PR analyzer/102225
	* analyzer.h (compat_types_p): New decl.
	* constraint-manager.cc
	(constraint_manager::get_or_add_equiv_class): Guard against NULL
	type when checking for pointer types.
	* region-model-impl-calls.cc (region_model::impl_call_realloc):
	Guard against NULL lhs type/region. Guard against the size value
	not being of a compatible type for dynamic extents.
	* region-model.cc (compat_types_p): Make non-static.

2021-08-30  David Malcolm  <dmalcolm@redhat.com>

	PR analyzer/99260
	* analyzer.h (class custom_edge_info): New class, adapted from
	exploded_edge::custom_info_t. Make member functions const.
	Make update_model return bool, converting edge param from
	reference to a pointer, and adding a ctxt param.
	(class path_context): New class.
	* call-info.cc: New file.
	* call-info.h: New file.
	* engine.cc: Include "analyzer/call-info.h" and <memory>.
	(impl_region_model_context::impl_region_model_context): Update for
	new m_path_ctxt field.
	(impl_region_model_context::bifurcate): New.
	(impl_region_model_context::terminate_path): New.
	(impl_region_model_context::get_malloc_map): New.
	(impl_sm_context::impl_sm_context): Update for new m_path_ctxt
	field.
	(impl_sm_context::get_fndecl_for_call): Likewise.
	(impl_sm_context::set_next_state): Likewise.
	(impl_sm_context::warn): Likewise.
	(impl_sm_context::is_zero_assignment): Likewise.
	(impl_sm_context::get_path_context): New.
	(impl_sm_context::m_path_ctxt): New.
	(impl_region_model_context::on_condition): Update for new
	path_ctxt param. Handle m_enode_for_diag being NULL.
	(impl_region_model_context::on_phi): Update for new path_ctxt
	param.
	(exploded_node::on_stmt): Add path_ctxt param, updating ctor calls
	to use it as necessary. Use it to bail out after sm-handling,
	if needed.
	(exploded_node::detect_leaks): Update for new path_ctxt param.
	(dynamic_call_info_t::update_model): Update for conversion of
	exploded_edge::custom_info_t to custom_edge_info.
	(dynamic_call_info_t::add_events_to_path): Likewise.
	(rewind_info_t::update_model): Likewise.
	(rewind_info_t::add_events_to_path): Likewise.
	(exploded_edge::exploded_edge): Likewise.
	(exploded_graph::add_edge): Likewise.
	(exploded_graph::maybe_process_run_of_before_supernode_enodes):
	Update for new path_ctxt param.
	(class impl_path_context): New.
	(exploded_graph::process_node): Update for new path_ctxt param.
	Create an impl_path_context and pass it to exploded_node::on_stmt.
	Use it to terminate iterating stmts if terminate_path is called
	on it. After processing a run of stmts, query path_ctxt to
	potentially terminate the analysis path, and/or to "bifurcate" the
	analysis into multiple additional paths.
	(feasibility_state::maybe_update_for_edge): Update for new
	update_model ctxt param.
	* exploded-graph.h
	(impl_region_model_context::impl_region_model_context): Add
	path_ctxt param.
	(impl_region_model_context::bifurcate): New.
	(impl_region_model_context::terminate_path): New.
	(impl_region_model_context::get_ext_state): New.
	(impl_region_model_context::get_malloc_map): New.
	(impl_region_model_context::m_path_ctxt): New field.
	(exploded_node::on_stmt): Add path_ctxt param.
	(class exploded_edge::custom_info_t): Move to analyzer.h, renaming
	to custom_edge_info, and making the changes as noted in analyzer.h
	above.
	(exploded_edge::exploded_edge): Update for these changes to
	exploded_edge::custom_info_t.
	(exploded_edge::m_custom_info): Likewise.
	(class dynamic_call_info_t): Likewise.
	(class rewind_info_t): Likewise.
	(exploded_graph::add_edge): Likewise.
	* program-state.cc (program_state::on_edge): Update for new
	path_ctxt param.
	(program_state::push_call): Likewise.
	(program_state::returning_call): Likewise.
	(program_state::prune_for_point): Likewise.
	* region-model-impl-calls.cc: Include "analyzer/call-info.h".
	(call_details::get_fndecl_for_call): New.
	(region_model::impl_call_realloc): Reimplement.
	* region-model.cc (region_model::on_call_pre): Move call to
	impl_call_realloc to...
	(region_model::on_call_post): ...here. Consolidate creation
	of call_details instance.
	(noop_region_model_context::bifurcate): New.
	(noop_region_model_context::terminate_path): New.
	* region-model.h (call_details::get_call_stmt): New.
	(call_details::get_fndecl_for_call): New.
	(region_model::on_realloc_with_move): New.
	(region_model_context::bifurcate): New.
	(region_model_context::terminate_path): New.
	(region_model_context::get_ext_state): New.
	(region_model_context::get_malloc_map): New.
	(noop_region_model_context::bifurcate): New.
	(noop_region_model_context::terminate_path): New.
	(noop_region_model_context::get_ext_state): New.
	(noop_region_model_context::get_malloc_map): New.
	* sm-malloc.cc: Include "analyzer/program-state.h".
	(malloc_state_machine::on_realloc_call): Reimplement.
	(malloc_state_machine::on_realloc_with_move): New.
	(region_model::on_realloc_with_move): New.
	* sm-signal.cc (class signal_delivery_edge_info_t): Update for
	conversion from exploded_edge::custom_info_t to custom_edge_info.
	* sm.h (sm_context::get_path_context): New.
	* svalue.cc (svalue::maybe_get_constant): Call
	unwrap_any_unmergeable.

2021-08-25  Ankur Saini  <arsenic@sourceware.org>

	PR analyzer/101980
	* engine.cc (exploded_graph::maybe_create_dynamic_call): Don't create
	calls if max recursion limit is reached.

2021-08-23  David Malcolm  <dmalcolm@redhat.com>

	* analyzer.h (struct rejected_constraint): Convert to...
	(class rejected_constraint): ...this.
	(class bounded_ranges): New forward decl.
	(class bounded_ranges_manager): New forward decl.
	* constraint-manager.cc: Include "analyzer/analyzer-logging.h" and
	"tree-pretty-print.h".
	(can_plus_one_p): New.
	(plus_one): New.
	(can_minus_one_p): New.
	(minus_one): New.
	(bounded_range::bounded_range): New.
	(dump_cst): New.
	(bounded_range::dump_to_pp): New.
	(bounded_range::dump): New.
	(bounded_range::to_json): New.
	(bounded_range::set_json_attr): New.
	(bounded_range::contains_p): New.
	(bounded_range::intersects_p): New.
	(bounded_range::operator==): New.
	(bounded_range::cmp): New.
	(bounded_ranges::bounded_ranges): New.
	(bounded_ranges::bounded_ranges): New.
	(bounded_ranges::bounded_ranges): New.
	(bounded_ranges::canonicalize): New.
	(bounded_ranges::validate): New.
	(bounded_ranges::operator==): New.
	(bounded_ranges::dump_to_pp): New.
	(bounded_ranges::dump): New.
	(bounded_ranges::to_json): New.
	(bounded_ranges::eval_condition): New.
	(bounded_ranges::contain_p): New.
	(bounded_ranges::cmp): New.
	(bounded_ranges_manager::~bounded_ranges_manager): New.
	(bounded_ranges_manager::get_or_create_empty): New.
	(bounded_ranges_manager::get_or_create_point): New.
	(bounded_ranges_manager::get_or_create_range): New.
	(bounded_ranges_manager::get_or_create_union): New.
	(bounded_ranges_manager::get_or_create_intersection): New.
	(bounded_ranges_manager::get_or_create_inverse): New.
	(bounded_ranges_manager::consolidate): New.
	(bounded_ranges_manager::get_or_create_ranges_for_switch): New.
	(bounded_ranges_manager::create_ranges_for_switch): New.
	(bounded_ranges_manager::make_case_label_ranges): New.
	(bounded_ranges_manager::log_stats): New.
	(bounded_ranges_constraint::print): New.
	(bounded_ranges_constraint::to_json): New.
	(bounded_ranges_constraint::operator==): New.
	(bounded_ranges_constraint::add_to_hash): New.
	(constraint_manager::constraint_manager): Update for new field
	m_bounded_ranges_constraints.
	(constraint_manager::operator=): Likewise.
	(constraint_manager::hash): Likewise.
	(constraint_manager::operator==): Likewise.
	(constraint_manager::print): Likewise.
	(constraint_manager::dump_to_pp): Likewise.
	(constraint_manager::to_json): Likewise.
	(constraint_manager::add_unknown_constraint): Update the lhs_ec_id
	if necessary in existing constraints when combining equivalence
	classes. Add similar code for handling
	m_bounded_ranges_constraints.
	(constraint_manager::add_constraint_internal): Add comment.
	(constraint_manager::add_bounded_ranges): New.
	(constraint_manager::eval_condition): Use new field
	m_bounded_ranges_constraints.
	(constraint_manager::purge): Update bounded_ranges_constraint
	instances.
	(constraint_manager::canonicalize): Update for new field.
	(merger_fact_visitor::on_ranges): New.
	(constraint_manager::for_each_fact): Use new field
	m_bounded_ranges_constraints.
	(constraint_manager::validate): Fix off-by-one error needed due
	to bug fixed above in add_unknown_constraint. Validate the EC IDs
	in m_bounded_ranges_constraints.
	(constraint_manager::get_range_manager): New.
	(selftest::assert_dump_bounded_range_eq): New.
	(ASSERT_DUMP_BOUNDED_RANGE_EQ): New.
	(selftest::test_bounded_range): New.
	(selftest::assert_dump_bounded_ranges_eq): New.
	(ASSERT_DUMP_BOUNDED_RANGES_EQ): New.
	(selftest::test_bounded_ranges): New.
	(selftest::run_constraint_manager_tests): Call the new selftests.
	* constraint-manager.h (struct bounded_range): New.
	(struct bounded_ranges): New.
	(template <> struct default_hash_traits<bounded_ranges::key_t>): New.
	(class bounded_ranges_manager): New.
	(fact_visitor::on_ranges): New pure virtual function.
	(class bounded_ranges_constraint): New.
	(constraint_manager::add_bounded_ranges): New decl.
	(constraint_manager::get_range_manager): New decl.
	(constraint_manager::m_bounded_ranges_constraints): New field.
	* diagnostic-manager.cc (epath_finder::process_worklist_item):
	Transfer ownership of rc to add_feasibility_problem.
	* engine.cc (feasibility_problem::dump_to_pp): Use get_model.
	* feasible-graph.cc (infeasible_node::dump_dot): Update for
	conversion of m_rc to a pointer.
	(feasible_graph::add_feasibility_problem): Pass RC by pointer and
	take ownership.
	* feasible-graph.h (infeasible_node::infeasible_node): Pass RC by
	pointer and take ownership.
	(infeasible_node::~infeasible_node): New.
	(infeasible_node::m_rc): Convert to a pointer.
	(feasible_graph::add_feasibility_problem): Pass RC by pointer and
	take ownership.
	* region-model-manager.cc: Include
	"analyzer/constraint-manager.h".
	(region_model_manager::region_model_manager): Initialize new
	field m_range_mgr.
	(region_model_manager::~region_model_manager): Delete it.
	(region_model_manager::log_stats): Call log_stats on it.
	* region-model.cc (region_model::add_constraint): Use new subclass
	rejected_op_constraint.
	(region_model::apply_constraints_for_gswitch): Reimplement using
	bounded_ranges_manager.
	(rejected_constraint::dump_to_pp): Convert to...
	(rejected_op_constraint::dump_to_pp): ...this.
	(rejected_ranges_constraint::dump_to_pp): New.
	* region-model.h (struct purge_stats): Add field
	m_num_bounded_ranges_constraints.
	(region_model_manager::get_range_manager): New.
	(region_model_manager::m_range_mgr): New.
	(region_model::get_range_manager): New.
	(struct rejected_constraint): Split into...
	(class rejected_constraint): ...this new abstract base class,
	and...
	(class rejected_op_constraint): ...this new concrete subclass.
	(class rejected_ranges_constraint): New.
	* supergraph.cc: Include "tree-cfg.h".
	(supergraph::supergraph): Drop idx param from add_cfg_edge.
	(supergraph::add_cfg_edge): Drop idx param.
	(switch_cfg_superedge::switch_cfg_superedge): Move here from
	header. Populate m_case_labels with all cases which go to DST.
	(switch_cfg_superedge::dump_label_to_pp): Reimplement to use
	m_case_labels.
	(switch_cfg_superedge::get_case_label): Delete.
	* supergraph.h (supergraph::add_cfg_edge): Drop "idx" param.
	(switch_cfg_superedge::switch_cfg_superedge): Drop idx param and
	move implementation to supergraph.cc.
	(switch_cfg_superedge::get_case_label): Delete.
	(switch_cfg_superedge::get_case_labels): New.
	(switch_cfg_superedge::m_idx): Delete.
	(switch_cfg_superedge::m_case_labels): New field.

2021-08-23  David Malcolm  <dmalcolm@redhat.com>

	PR analyzer/101875
	* sm-file.cc (file_diagnostic::describe_state_change): Handle
	change.m_expr being NULL.

2021-08-23  David Malcolm  <dmalcolm@redhat.com>

	PR analyzer/101837
	* analyzer.cc (maybe_reconstruct_from_def_stmt): Bail if fn is
	NULL, and assert that it's non-NULL before passing it to
	build_call_array_loc.

2021-08-23  David Malcolm  <dmalcolm@redhat.com>

	PR analyzer/101962
	* region-model.cc (region_model::eval_condition_without_cm):
	Refactor comparison against zero, adding a check for
	POINTER_PLUS_EXPR of non-NULL.

2021-08-23  David Malcolm  <dmalcolm@redhat.com>

	* store.cc (bit_range::intersects_p): New overload.
	(bit_range::operator-): New.
	(binding_cluster::maybe_get_compound_binding): Handle the partial
	overlap case.
	(selftest::test_bit_range_intersects_p): Add test coverage for
	new overload of bit_range::intersects_p.
	* store.h (bit_range::intersects_p): New overload.
	(bit_range::operator-): New.

2021-08-23  Ankur Saini  <arsenic@sourceware.org>

	PR analyzer/102020
	* diagnostic-manager.cc
	(diagnostic_manager::prune_for_sm_diagnostic)<case EK_CALL_EDGE>: Fix typo.

2021-08-21  Ankur Saini  <arsenic@sourceware.org>

	PR analyzer/101980
	* diagnostic-manager.cc
	(diagnostic_manager::prune_for_sm_diagnostic)<case EK_CALL_EDGE>: Use
	caller_model only when the supergraph_edge doesn't exist.
	(diagnostic_manager::prune_for_sm_diagnostic)<case EK_RETURN_EDGE>:
	Likewise.
	* engine.cc (exploded_graph::create_dynamic_call): Rename to...
	(exploded_graph::maybe_create_dynamic_call): ...this, return call
	creation status.
	(exploded_graph::process_node): Handle calls which were not dynamically
	discovered.
	* exploded-graph.h (exploded_graph::create_dynamic_call): Rename to...
	(exploded_graph::maybe_create_dynamic_call): ...this.
	* region-model.cc (region_model::update_for_gcall): New param, use it
	to push call to frame.
	(region_model::update_for_call_superedge): Pass callee function to
	update_for_gcall.
	* region-model.h (region_model::update_for_gcall): New param.

2021-08-18  Ankur Saini  <arsenic@sourceware.org>

	PR analyzer/97114
	* region-model.cc (region_model::get_rvalue_1): Add case for
	OBJ_TYPE_REF.

2021-08-18  Ankur Saini  <arsenic@sourceware.org>

	PR analyzer/100546
	* analysis-plan.cc (analysis_plan::use_summary_p): Don't use call
	summaries if there is no callgraph edge.
	* checker-path.cc (call_event::call_event): Handle calls events that
	are not represented by a supergraph call edge.
	(return_event::return_event): Likewise.
	(call_event::get_desc): Work with new call_event structure.
	(return_event::get_desc): Likewise.
	* checker-path.h (call_event::m_src_snode): New field.
	(call_event::m_dest_snode): New field.
	(return_event::m_src_snode): New field.
	(return_event::m_dest_snode): New field.
	* diagnostic-manager.cc
	(diagnostic_manager::prune_for_sm_diagnostic)<case EK_CALL_EDGE>:
	Refactor to work with edges without callgraph edge.
	(diagnostic_manager::prune_for_sm_diagnostic)<case EK_RETURN_EDGE>:
	Likewise.
	* engine.cc (dynamic_call_info_t::update_model): New function.
	(dynamic_call_info_t::add_events_to_path): New function.
	(exploded_graph::create_dynamic_call): New function.
	(exploded_graph::process_node): Work with dynamically discovered calls.
	* exploded-graph.h (class dynamic_call_info_t): New class.
	(exploded_graph::create_dynamic_call): New decl.
	* program-point.cc (program_point::push_to_call_stack): New function.
	(program_point::pop_from_call_stack): New function.
	* program-point.h (program_point::push_to_call_stack): New decl.
	(program_point::pop_from_call_stack): New decl.
	* program-state.cc (program_state::push_call): New function.
	(program_state::returning_call): New function.
	* program-state.h (program_state::push_call): New decl.
	(program_state::returning_call): New decl.
	* region-model.cc (region_model::update_for_gcall): New function.
	(region_model::update_for_return_gcall): New function.
	(region_model::update_for_call_superedge): Get the underlying gcall and
	update for gcall.
	(region_model::update_for_return_superedge): Likewise.
	* region-model.h (region_model::update_for_gcall): New decl.
	(region_model::update_for_return_gcall): New decl.
	* state-purge.cc (state_purge_per_ssa_name::process_point): Update to
	work with calls without underlying cgraph edge.
	* supergraph.cc (supergraph::supergraph): Split snodes at every callsite.
	* supergraph.h (supernode::get_returning_call): New accessor.

2021-08-04  David Malcolm  <dmalcolm@redhat.com>

	PR analyzer/101570
	* analyzer.cc (maybe_reconstruct_from_def_stmt): Add GIMPLE_ASM
	case.
	* analyzer.h (class asm_output_svalue): New forward decl.
	(class reachable_regions): New forward decl.
	* complexity.cc (complexity::from_vec_svalue): New.
	* complexity.h (complexity::from_vec_svalue): New decl.
	* engine.cc (feasibility_state::maybe_update_for_edge): Handle
	asm stmts by calling on_asm_stmt.
	* region-model-asm.cc: New file.
	* region-model-manager.cc
	(region_model_manager::maybe_fold_asm_output_svalue): New.
	(region_model_manager::get_or_create_asm_output_svalue): New.
	(region_model_manager::log_stats): Log m_asm_output_values_map.
	* region-model.cc (region_model::on_stmt_pre): Handle GIMPLE_ASM.
	* region-model.h (visitor::visit_asm_output_svalue): New.
	(region_model_manager::get_or_create_asm_output_svalue): New decl.
	(region_model_manager::maybe_fold_asm_output_svalue): New decl.
	(region_model_manager::asm_output_values_map_t): New typedef.
	(region_model_manager::m_asm_output_values_map): New field.
	(region_model::on_asm_stmt): New.
	* store.cc (binding_cluster::on_asm): New.
	* store.h (binding_cluster::on_asm): New decl.
	* svalue.cc (svalue::cmp_ptr): Handle SK_ASM_OUTPUT.
	(asm_output_svalue::dump_to_pp): New.
	(asm_output_svalue::dump_input): New.
	(asm_output_svalue::input_idx_to_asm_idx): New.
	(asm_output_svalue::accept): New.
	* svalue.h (enum svalue_kind): Add SK_ASM_OUTPUT.
	(svalue::dyn_cast_asm_output_svalue): New.
	(class asm_output_svalue): New.
	(is_a_helper <const asm_output_svalue *>::test): New.
	(struct default_hash_traits<asm_output_svalue::key_t>): New.

2021-08-03  Jakub Jelinek  <jakub@redhat.com>

	PR analyzer/101721
	* sm-malloc.cc (known_allocator_p): Only check DECL_FUNCTION_CODE on
	BUILT_IN_NORMAL builtins.

2021-07-29  Ankur Saini  <arsenic@sourceware.org>

	* call-string.cc (call_string::element_t::operator==): New operator.
	(call_string::element_t::operator!=): New operator.
	(call_string::element_t::get_caller_function): New function.
	(call_string::element_t::get_callee_function): New function.
	(call_string::call_string): Refactor to initialise m_elements.
	(call_string::operator=): Refactor to work with m_elements.
	(call_string::operator==): Likewise.
	(call_string::to_json): Likewise.
	(call_string::hash): Refactor to hash e.m_caller.
	(call_string::push_call): Refactor to work with m_elements.
	(call_string::push_call): New overload to push call via supernodes.
	(call_string::pop): Refactor to work with m_elements.
	(call_string::calc_recursion_depth): Likewise.
	(call_string::cmp): Likewise.
	(call_string::validate): Likewise.
	(call_string::operator[]): Likewise.
	* call-string.h (class supernode): New forward decl.
	(struct call_string::element_t): New struct.
	(call_string::call_string): Refactor to initialise m_elements.
	(call_string::bool empty_p): Refactor to work with m_elements.
	(call_string::get_callee_node): New decl.
	(call_string::get_caller_node): New decl.
	(m_elements): Replaces m_return_edges.
	* program-point.cc (program_point::get_function_at_depth): Refactor to
	work with new call-string format.
	(program_point::validate): Likewise.
	(program_point::on_edge): Likewise.

2021-07-28  David Malcolm  <dmalcolm@redhat.com>

	* region-model.cc (region_model::on_call_pre): Treat
	IFN_UBSAN_BOUNDS, BUILT_IN_STACK_SAVE, and BUILT_IN_STACK_RESTORE
	as no-ops, rather than handling them as unknown functions.

2021-07-28  David Malcolm  <dmalcolm@redhat.com>

	* region-model-impl-calls.cc (region_model::impl_call_alloca):
	Drop redundant return value.
	(region_model::impl_call_builtin_expect): Likewise.
	(region_model::impl_call_calloc): Likewise.
	(region_model::impl_call_malloc): Likewise.
	(region_model::impl_call_memset): Likewise.
	(region_model::impl_call_operator_new): Likewise.
	(region_model::impl_call_operator_delete): Likewise.
	(region_model::impl_call_strlen): Likewise.
	* region-model.cc (region_model::on_call_pre): Fix return value of
	known functions that don't have unknown side-effects.
	* region-model.h (region_model::impl_call_alloca): Drop redundant
	return value.
	(region_model::impl_call_builtin_expect): Likewise.
	(region_model::impl_call_calloc): Likewise.
	(region_model::impl_call_malloc): Likewise.
	(region_model::impl_call_memset): Likewise.
	(region_model::impl_call_strlen): Likewise.
	(region_model::impl_call_operator_new): Likewise.
	(region_model::impl_call_operator_delete): Likewise.

2021-07-28  Siddhesh Poyarekar  <siddhesh@gotplt.org>

	* analyzer.cc (is_named_call_p, is_std_named_call_p): Make
	first argument a const_tree.
	* analyzer.h (is_named_call_p, is_std_named_call_p): Likewise.
	* sm-malloc.cc (known_allocator_p): New function.
	(malloc_state_machine::on_stmt): Use it.

2021-07-28  Siddhesh Poyarekar  <siddhesh@gotplt.org>

	* sm-malloc.cc
	(malloc_state_machine::get_or_create_deallocator): Recognize
	__builtin_free.

2021-07-26  David Malcolm  <dmalcolm@redhat.com>

	* region-model.cc (region_model::on_call_pre): Always set conjured
	LHS, not just for SSA names.

2021-07-23  David Malcolm  <dmalcolm@redhat.com>

	* diagnostic-manager.cc
	(class auto_disable_complexity_checks): New.
	(epath_finder::explore_feasible_paths): Use it to disable
	complexity checks whilst processing the worklist.
	* region-model-manager.cc
	(region_model_manager::region_model_manager): Initialize
	m_check_complexity.
	(region_model_manager::reject_if_too_complex): Bail if
	m_check_complexity is false.
	* region-model.h
	(region_model_manager::enable_complexity_check): New.
	(region_model_manager::disable_complexity_check): New.
	(region_model_manager::m_check_complexity): New.

2021-07-21  David Malcolm  <dmalcolm@redhat.com>

	PR analyzer/101547
	* sm-file.cc (file_leak::emit): Handle m_arg being NULL.
	(file_leak::describe_final_event): Handle ev.m_expr being NULL.

2021-07-21  David Malcolm  <dmalcolm@redhat.com>

	PR analyzer/101522
	* store.cc (binding_cluster::purge_state_involving): Don't change
	m_map whilst iterating through it.

2021-07-21  David Malcolm  <dmalcolm@redhat.com>

	* region-model.cc (region_model::handle_phi): Add "old_state"
	param and use it.
	(region_model::update_for_phis): Update so that all of the phi
	stmts are effectively handled simultaneously, rather than in
	order.
	* region-model.h (region_model::handle_phi): Add "old_state"
	param.
	* state-purge.cc (self_referential_phi_p): Replace with...
	(name_used_by_phis_p): ...this new function.
	(state_purge_per_ssa_name::process_point): Update to use the
	above, so that all phi stmts at a basic block are effectively
	considered simultaneously, and only consider the phi arguments for
	the pertinent in-edge.
	* supergraph.cc (cfg_superedge::get_phi_arg_idx): New.
	(cfg_superedge::get_phi_arg): Use the above.
	* supergraph.h (cfg_superedge::get_phi_arg_idx): New decl.

2021-07-21  David Malcolm  <dmalcolm@redhat.com>

	* state-purge.cc (state_purge_annotator::add_node_annotations):
	Rather than erroneously always using the NULL in-edge, determine
	each relevant in-edge, and print the appropriate data for each
	in-edge. Use print_needed to print the data as comma-separated
	lists of SSA names.
	(print_vec_of_names): Add "within_table" param and use it.
	(state_purge_annotator::add_stmt_annotations): Factor out
	collation and printing code into...
	(state_purge_annotator::print_needed): ...this new function.
	* state-purge.h (state_purge_annotator::print_needed): New decl.

2021-07-21  David Malcolm  <dmalcolm@redhat.com>

	* program-point.cc (function_point::print): Show src BB index at
	BEFORE_SUPERNODE.

2021-07-21  David Malcolm  <dmalcolm@redhat.com>

	* svalue.cc (infix_p): New.
	(binop_svalue::dump_to_pp): Use it to print MIN_EXPR and MAX_EXPR
	in prefix form, rather than infix.

21ea2f93
GA
2021-07-19  David Malcolm  <dmalcolm@redhat.com>

	PR analyzer/101503
	* constraint-manager.cc (constraint_manager::add_constraint): Use
	can_have_associated_state_p rather than testing for unknown.
	(constraint_manager::get_or_add_equiv_class): Likewise.
	* program-state.cc (sm_state_map::set_state): Likewise.
	(sm_state_map::impl_set_state): Add assertion.
	* region-model-manager.cc
	(region_model_manager::maybe_fold_unaryop): Handle poisoned
	values.
	(region_model_manager::maybe_fold_binop): Move handling of unknown
	values...
	(region_model_manager::get_or_create_binop): ...to here, and
	generalize to use can_have_associated_state_p.
	(region_model_manager::maybe_fold_sub_svalue): Use
	can_have_associated_state_p rather than testing for unknown.
	(region_model_manager::maybe_fold_repeated_svalue): Use unknown
	when the size or repeated value is "unknown"/"poisoned".
	* region-model.cc (region_model::purge_state_involving): Reject
	attempts to purge unknown/poisoned svalues, as these svalues
	should not have state associated with them.
	* svalue.cc (sub_svalue::sub_svalue): Assert that we're building
	on top of an svalue with can_have_associated_state_p.
	(repeated_svalue::repeated_svalue): Likewise.
	(bits_within_svalue::bits_within_svalue): Likewise.
	* svalue.h (svalue::can_have_associated_state_p): New.
	(unknown_svalue::can_have_associated_state_p): New.
	(poisoned_svalue::can_have_associated_state_p): New.
	(unaryop_svalue::unaryop_svalue): Assert that we're building on
	top of an svalue with can_have_associated_state_p.
	(binop_svalue::binop_svalue): Likewise.
	(widening_svalue::widening_svalue): Likewise.

2021-07-16  David Malcolm  <dmalcolm@redhat.com>

	* analyzer.h (enum access_direction): New.
	* engine.cc (exploded_node::on_longjmp): Update for new param of
	get_store_value.
	* program-state.cc (program_state::prune_for_point): Likewise.
	* region-model-impl-calls.cc (region_model::impl_call_memcpy):
	Replace call to check_for_writable_region with call to
	check_region_for_write.
	(region_model::impl_call_memset): Likewise.
	(region_model::impl_call_strcpy): Likewise.
	* region-model-reachability.cc (reachable_regions::add): Update
	for new param of get_store_value.
	* region-model.cc (region_model::get_rvalue_1): Likewise, also for
	get_rvalue_for_bits.
	(region_model::get_store_value): Add ctxt param and use it to call
	check_region_for_read.
	(region_model::get_rvalue_for_bits): Add ctxt param and use it to
	call get_store_value.
	(region_model::check_region_access): New.
	(region_model::check_region_for_write): New.
	(region_model::check_region_for_read): New.
	(region_model::set_value): Update comment.  Replace call to
	check_for_writable_region with call to check_region_for_write.
	* region-model.h (region_model::get_rvalue_for_bits): Add ctxt
	param.
	(region_model::get_store_value): Add ctxt param.
	(region_model::check_region_access): New decl.
	(region_model::check_region_for_write): New decl.
	(region_model::check_region_for_read): New decl.
	* region.cc (region_model::copy_region): Update call to
	get_store_value.
	* svalue.cc (initial_svalue::implicitly_live_p): Likewise.

2021-07-16  David Malcolm  <dmalcolm@redhat.com>

	* engine.cc (exploded_node::on_stmt_pre): Handle
	__analyzer_dump_state.
	* program-state.cc (extrinsic_state::get_sm_idx_by_name): New.
	(program_state::impl_call_analyzer_dump_state): New.
	* program-state.h (extrinsic_state::get_sm_idx_by_name): New decl.
	(program_state::impl_call_analyzer_dump_state): New decl.
	* region-model-impl-calls.cc
	(call_details::get_arg_string_literal): New.
	* region-model.h (call_details::get_arg_string_literal): New decl.

2021-07-16  David Malcolm  <dmalcolm@redhat.com>

	* program-state.cc (program_state::detect_leaks): Simplify using
	svalue::maybe_get_region.
	* region-model-impl-calls.cc (region_model::impl_call_fgets): Likewise.
	(region_model::impl_call_fread): Likewise.
	(region_model::impl_call_free): Likewise.
	(region_model::impl_call_operator_delete): Likewise.
	* region-model.cc (selftest::test_stack_frames): Likewise.
	(selftest::test_state_merging): Likewise.
	* svalue.cc (svalue::maybe_get_region): New.
	* svalue.h (svalue::maybe_get_region): New decl.

2021-07-15  David Malcolm  <dmalcolm@redhat.com>

	* svalue.h (is_a_helper <placeholder_svalue *>::test): Make
	param and template param const.
	(is_a_helper <widening_svalue *>::test): Likewise.
	(is_a_helper <compound_svalue *>::test): Likewise.
	(is_a_helper <conjured_svalue *>::test): Likewise.

2021-07-15  David Malcolm  <dmalcolm@redhat.com>

	PR analyzer/95006
	PR analyzer/94713
	PR analyzer/94714
	* analyzer.cc (maybe_reconstruct_from_def_stmt): Split out
	GIMPLE_ASSIGN case into...
	(get_diagnostic_tree_for_gassign_1): New.
	(get_diagnostic_tree_for_gassign): New.
	* analyzer.h (get_diagnostic_tree_for_gassign): New decl.
	* analyzer.opt (Wanalyzer-write-to-string-literal): New.
	* constraint-manager.cc (class svalue_purger): New.
	(constraint_manager::purge_state_involving): New.
	* constraint-manager.h
	(constraint_manager::purge_state_involving): New.
	* diagnostic-manager.cc (saved_diagnostic::supercedes_p): New.
	(dedupe_winners::handle_interactions): New.
	(diagnostic_manager::emit_saved_diagnostics): Call it.
	* diagnostic-manager.h (saved_diagnostic::supercedes_p): New decl.
	* engine.cc (impl_region_model_context::warn): Convert return type
	to bool.  Return false if the diagnostic isn't saved.
	(impl_region_model_context::purge_state_involving): New.
	(impl_sm_context::get_state): Use NULL ctxt when querying old
	rvalue.
	(impl_sm_context::set_next_state): Use new sval when querying old
	state.
	(class dump_path_diagnostic): Move to region-model.cc
	(exploded_node::on_stmt): Move to on_stmt_pre and on_stmt_post.
	Remove call to purge_state_involving.
	(exploded_node::on_stmt_pre): New, based on the above.  Move most
	of it to region_model::on_stmt_pre.
	(exploded_node::on_stmt_post): Likewise, moving to
	region_model::on_stmt_post.
	(class stale_jmp_buf): Fix parent class to use curiously recurring
	template pattern.
	(feasibility_state::maybe_update_for_edge): Call on_call_pre and
	on_call_post on gcalls.
	* exploded-graph.h (impl_region_model_context::warn): Return bool.
	(impl_region_model_context::purge_state_involving): New decl.
	(exploded_node::on_stmt_pre): New decl.
	(exploded_node::on_stmt_post): New decl.
	* pending-diagnostic.h (pending_diagnostic::use_of_uninit_p): New.
	(pending_diagnostic::supercedes_p): New.
	* program-state.cc (sm_state_map::get_state): Inherit state for
	conjured_svalue as well as initial_svalue.
	(sm_state_map::purge_state_involving): Also support SK_CONJURED.
	* region-model-impl-calls.cc (call_details::get_uncertainty):
	Handle m_ctxt being NULL.
	(call_details::get_or_create_conjured_svalue): New.
	(region_model::impl_call_fgets): New.
	(region_model::impl_call_fread): New.
	* region-model-manager.cc
	(region_model_manager::get_or_create_initial_value): Return an
	uninitialized poisoned value for regions that can't have initial
	values.
	* region-model-reachability.cc
	(reachable_regions::mark_escaped_clusters): Handle ctxt being
	NULL.
	* region-model.cc (region_to_value_map::purge_state_involving): New.
	(poisoned_value_diagnostic::use_of_uninit_p): New.
	(poisoned_value_diagnostic::emit): Handle POISON_KIND_UNINIT.
	(poisoned_value_diagnostic::describe_final_event): Likewise.
	(region_model::check_for_poison): New.
	(region_model::on_assignment): Call it.
	(class dump_path_diagnostic): Move here from engine.cc.
	(region_model::on_stmt_pre): New, based on exploded_node::on_stmt.
	(region_model::on_call_pre): Move the setting of the LHS to a
	conjured svalue to before the checks for specific functions.
	Handle "fgets", "fgets_unlocked", and "fread".
	(region_model::purge_state_involving): New.
	(region_model::handle_unrecognized_call): Handle ctxt being NULL.
	(region_model::get_rvalue): Call check_for_poison.
	(selftest::test_stack_frames): Use NULL for context when getting
	uninitialized rvalue.
	(selftest::test_alloca): Likewise.
	* region-model.h (region_to_value_map::purge_state_involving): New
	decl.
	(call_details::get_or_create_conjured_svalue): New decl.
	(region_model::on_stmt_pre): New decl.
	(region_model::purge_state_involving): New decl.
	(region_model::impl_call_fgets): New decl.
	(region_model::impl_call_fread): New decl.
	(region_model::check_for_poison): New decl.
	(region_model_context::warn): Return bool.
	(region_model_context::purge_state_involving): New.
	(noop_region_model_context::warn): Return bool.
	(noop_region_model_context::purge_state_involving): New.
	(test_region_model_context::warn): Return bool.
	* region.cc (region::get_memory_space): New.
	(region::can_have_initial_svalue_p): New.
	(region::involves_p): New.
	* region.h (enum memory_space): New.
	(region::get_memory_space): New decl.
	(region::can_have_initial_svalue_p): New decl.
	(region::involves_p): New decl.
	* sm-malloc.cc (use_after_free::supercedes_p): New.
	* store.cc (binding_cluster::purge_state_involving): New.
	(store::purge_state_involving): New.
	* store.h (class symbolic_binding): New forward decl.
	(binding_key::dyn_cast_symbolic_binding): New.
	(symbolic_binding::dyn_cast_symbolic_binding): New.
	(binding_cluster::purge_state_involving): New.
	(store::purge_state_involving): New.
	* svalue.cc (svalue::can_merge_p): Reject attempts to merge
	poisoned svalues with other svalues, so that we identify
	paths in which a variable is conditionally uninitialized.
	(involvement_visitor::visit_conjured_svalue): New.
	(svalue::involves_p): Also handle SK_CONJURED.
	(poison_kind_to_str): Handle POISON_KIND_UNINIT.
	(poisoned_svalue::maybe_fold_bits_within): New.
	* svalue.h (enum poison_kind): Add POISON_KIND_UNINIT.
	(poisoned_svalue::maybe_fold_bits_within): New decl.

2021-07-15  David Malcolm  <dmalcolm@redhat.com>

	* analyzer.opt (fdump-analyzer-exploded-paths): New.
	* diagnostic-manager.cc
	(diagnostic_manager::emit_saved_diagnostic): Implement it.
	* engine.cc (exploded_path::dump_to_pp): Add ext_state param and
	use it to dump states if non-NULL.
	(exploded_path::dump): Likewise.
	(exploded_path::dump_to_file): New.
	* exploded-graph.h (exploded_path::dump_to_pp): Add ext_state
	param.
	(exploded_path::dump): Likewise.
	(exploded_path::dump): Likewise.
	(exploded_path::dump_to_file): New.

2021-07-15  David Malcolm  <dmalcolm@redhat.com>

	* analyzer.cc (fixup_tree_for_diagnostic_1): Use DECL_DEBUG_EXPR
	if it's available.
	* engine.cc (readability): Likewise.

2021-07-15  David Malcolm  <dmalcolm@redhat.com>

	* state-purge.cc (self_referential_phi_p): New.
	(state_purge_per_ssa_name::process_point): Don't purge an SSA name
	at its def-stmt if the def-stmt is self-referential.

2021-07-07  David Malcolm  <dmalcolm@redhat.com>

	* diagnostic-manager.cc (null_assignment_sm_context::get_state):
	New overload.
	(null_assignment_sm_context::set_next_state): New overload.
	(null_assignment_sm_context::get_diagnostic_tree): New.
	* engine.cc (impl_sm_context::get_state): New overload.
	(impl_sm_context::set_next_state): New overload.
	(impl_sm_context::get_diagnostic_tree): New overload.
	(impl_region_model_context::on_condition): Convert params from
	tree to const svalue *.
	* exploded-graph.h (impl_region_model_context::on_condition):
	Likewise.
	* region-model.cc (region_model::on_call_pre): Move handling of
	internal calls to before checking for get_fndecl_for_call.
	(region_model::add_constraints_from_binop): New.
	(region_model::add_constraint): Split out into a new overload
	working on const svalue * rather than tree.  Call
	add_constraints_from_binop.  Drop call to
	add_any_constraints_from_ssa_def_stmt.
	(region_model::add_any_constraints_from_ssa_def_stmt): Delete.
	(region_model::add_any_constraints_from_gassign): Delete.
	(region_model::add_any_constraints_from_gcall): Delete.
	* region-model.h
	(region_model::add_any_constraints_from_ssa_def_stmt): Delete.
	(region_model::add_any_constraints_from_gassign): Delete.
	(region_model::add_any_constraints_from_gcall): Delete.
	(region_model::add_constraint): Add overload decl.
	(region_model::add_constraints_from_binop): New decl.
	(region_model_context::on_condition): Convert params from tree to
	const svalue *.
	(noop_region_model_context::on_condition): Likewise.
	* sm-file.cc (fileptr_state_machine::condition): Likewise.
	* sm-malloc.cc (malloc_state_machine::on_condition): Likewise.
	* sm-pattern-test.cc: Include tristate.h, selftest.h,
	analyzer/call-string.h, analyzer/program-point.h,
	analyzer/store.h, and analyzer/region-model.h.
	(pattern_test_state_machine::on_condition): Convert params from tree to
	const svalue *.
	* sm-sensitive.cc (sensitive_state_machine::on_condition): Delete.
	* sm-signal.cc (signal_state_machine::on_condition): Delete.
	* sm-taint.cc (taint_state_machine::on_condition): Convert params
	from tree to const svalue *.
	* sm.cc: Include tristate.h, selftest.h, analyzer/call-string.h,
	analyzer/program-point.h, analyzer/store.h, and
	analyzer/region-model.h.
	(any_pointer_p): Add overload taking const svalue *sval.
	* sm.h (any_pointer_p): Add overload taking const svalue *sval.
	(state_machine::on_condition): Convert params from tree to
	const svalue *.  Provide no-op default implementation.
	(sm_context::get_state): Add overload taking const svalue *sval.
	(sm_context::set_next_state): Likewise.
	(sm_context::on_transition): Likewise.
	(sm_context::get_diagnostic_tree): Likewise.
	* svalue.cc (svalue::all_zeroes_p): New.
	(constant_svalue::all_zeroes_p): New.
	(repeated_svalue::all_zeroes_p): Convert to vfunc.
	* svalue.h (svalue::all_zeroes_p): New decl.
	(constant_svalue::all_zeroes_p): New decl.
	(repeated_svalue::all_zeroes_p): Convert decl to vfunc.

2021-06-30  David Malcolm  <dmalcolm@redhat.com>

	PR analyzer/95006
	* analyzer.h (class repeated_svalue): New forward decl.
	(class bits_within_svalue): New forward decl.
	(class sized_region): New forward decl.
	(get_field_at_bit_offset): New forward decl.
	* engine.cc (exploded_graph::get_or_create_node): Validate the
	merged state.
	(exploded_graph::maybe_process_run_of_before_supernode_enodes):
	Validate the states at each stage.
	* program-state.cc (program_state::validate): Validate
	m_region_model.
	* region-model-impl-calls.cc (region_model::impl_call_memset):
	Replace special-case logic for handling constant sizes with
	a call to fill_region of a sized_region with the given fill value.
	* region-model-manager.cc (maybe_undo_optimize_bit_field_compare):
	Drop DK_direct.
	(region_model_manager::maybe_fold_sub_svalue): Fold element-based
	subregions of an initial value into initial values of an element.
	Fold subvalues of repeated svalues.
	(region_model_manager::maybe_fold_repeated_svalue): New.
	(region_model_manager::get_or_create_repeated_svalue): New.
	(get_bit_range_for_field): New.
	(get_byte_range_for_field): New.
	(get_field_at_byte_range): New.
	(region_model_manager::maybe_fold_bits_within_svalue): New.
	(region_model_manager::get_or_create_bits_within): New.
	(region_model_manager::get_sized_region): New.
	(region_model_manager::log_stats): Update for addition of
	m_repeated_values_map, m_bits_within_values_map, and
	m_sized_regions.
	* region-model.cc (region_model::validate): New.
	(region_model::on_assignment): Drop enum binding_kind.
	(region_model::get_initial_value_for_global): Likewise.
	(region_model::get_rvalue_for_bits): Replace body with call to
	get_or_create_bits_within.
	(region_model::get_capacity): Handle RK_SIZED.
	(region_model::set_value): Drop enum binding_kind.
	(region_model::fill_region): New.
	(region_model::get_representative_path_var_1): Handle RK_SIZED.
	* region-model.h (visitor::visit_repeated_svalue): New.
	(visitor::visit_bits_within_svalue): New.
	(region_model_manager::get_or_create_repeated_svalue): New decl.
	(region_model_manager::get_or_create_bits_within): New decl.
	(region_model_manager::get_sized_region): New decl.
	(region_model_manager::maybe_fold_repeated_svalue): New decl.
	(region_model_manager::maybe_fold_bits_within_svalue): New decl.
	(region_model_manager::repeated_values_map_t): New typedef.
	(region_model_manager::m_repeated_values_map): New field.
	(region_model_manager::bits_within_values_map_t): New typedef.
	(region_model_manager::m_bits_within_values_map): New field.
	(region_model_manager::m_sized_regions): New field.
	(region_model::fill_region): New decl.
	* region.cc (region::get_base_region): Handle RK_SIZED.
	(region::base_region_p): Likewise.
	(region::get_byte_size_sval): New.
	(get_field_at_bit_offset): Make non-static.
	(region::calc_offset): Move implementation of cases to
	get_relative_concrete_offset vfunc implementations.  Handle
	RK_SIZED.
	(region::get_relative_concrete_offset): New.
	(decl_region::get_svalue_for_initializer): Drop enum binding_kind.
	(field_region::get_relative_concrete_offset): New, from
	region::calc_offset.
	(element_region::get_relative_concrete_offset): Likewise.
	(offset_region::get_relative_concrete_offset): Likewise.
	(sized_region::accept): New.
	(sized_region::dump_to_pp): New.
	(sized_region::get_byte_size): New.
	(sized_region::get_bit_size): New.
	* region.h (enum region_kind): Add RK_SIZED.
	(region::dyn_cast_sized_region): New.
	(region::get_byte_size): Make virtual.
	(region::get_bit_size): Likewise.
	(region::get_byte_size_sval): New decl.
	(region::get_relative_concrete_offset): New decl.
	(field_region::get_relative_concrete_offset): New decl.
	(element_region::get_relative_concrete_offset): Likewise.
	(offset_region::get_relative_concrete_offset): Likewise.
	(class sized_region): New.
	* store.cc (binding_kind_to_string): Delete.
	(binding_key::make): Drop enum binding_kind.
	(binding_key::dump_to_pp): Delete.
	(binding_key::cmp_ptrs): Drop enum binding_kind.
	(bit_range::contains_p): New.
	(byte_range::dump): New.
	(byte_range::contains_p): New.
	(byte_range::cmp): New.
	(concrete_binding::dump_to_pp): Drop enum binding_kind.
	(concrete_binding::cmp_ptr_ptr): Likewise.
	(symbolic_binding::dump_to_pp): Likewise.
	(symbolic_binding::cmp_ptr_ptr): Likewise.
	(binding_map::apply_ctor_val_to_range): Likewise.
	(binding_map::apply_ctor_pair_to_child_region): Likewise.
	(binding_map::get_overlapping_bindings): New.
	(binding_map::remove_overlapping_bindings): New.
	(binding_cluster::validate): New.
	(binding_cluster::bind): Drop enum binding_kind.
	(binding_cluster::bind_compound_sval): Likewise.
	(binding_cluster::purge_region): Likewise.
	(binding_cluster::zero_fill_region): Reimplement in terms of...
	(binding_cluster::fill_region): New.
	(binding_cluster::mark_region_as_unknown): Drop enum binding_kind.
	(binding_cluster::get_binding): Likewise.
	(binding_cluster::get_binding_recursive): Likewise.
	(binding_cluster::get_any_binding): Likewise.
	(binding_cluster::maybe_get_compound_binding): Reimplement.
	(binding_cluster::get_overlapping_bindings): Delete.
	(binding_cluster::remove_overlapping_bindings): Reimplement in
	terms of binding_map::remove_overlapping_bindings.
	(binding_cluster::can_merge_p): Update for removal of
	enum binding_kind.
	(binding_cluster::on_unknown_fncall): Drop enum binding_kind.
	(binding_cluster::maybe_get_simple_value): Likewise.
	(store_manager::get_concrete_binding): Likewise.
	(store_manager::get_symbolic_binding): Likewise.
	(store::validate): New.
	(store::set_value): Drop enum binding_kind.
	(store::zero_fill_region): Reimplement in terms of...
	(store::fill_region): New.
	(selftest::test_binding_key_overlap): Drop enum binding_kind.
	* store.h (enum binding_kind): Delete.
	(binding_kind_to_string): Delete decl.
	(binding_key::make): Drop enum binding_kind.
	(binding_key::dump_to_pp): Make pure virtual.
	(binding_key::get_kind): Delete.
	(binding_key::mark_deleted): Delete.
	(binding_key::mark_empty): Delete.
	(binding_key::is_deleted): Delete.
	(binding_key::is_empty): Delete.
	(binding_key::binding_key): Delete.
	(binding_key::impl_hash): Delete.
	(binding_key::impl_eq): Delete.
	(binding_key::m_kind): Delete.
	(bit_range::get_last_bit_offset): New.
	(bit_range::contains_p): New.
	(byte_range::contains_p): New.
	(byte_range::operator==): New.
	(byte_range::get_start_byte_offset): New.
	(byte_range::get_next_byte_offset): New.
	(byte_range::get_last_byte_offset): New.
	(byte_range::as_bit_range): New.
	(byte_range::cmp): New.
	(concrete_binding::concrete_binding): Drop enum binding_kind.
	(concrete_binding::hash): Likewise.
	(concrete_binding::operator==): Likewise.
	(concrete_binding::mark_deleted): New.
	(concrete_binding::mark_empty): New.
	(concrete_binding::is_deleted): New.
	(concrete_binding::is_empty): New.
	(default_hash_traits<ana::concrete_binding>::empty_zero_p): Make false.
	(symbolic_binding::symbolic_binding): Drop enum binding_kind.
	(symbolic_binding::hash): Likewise.
	(symbolic_binding::operator==): Likewise.
	(symbolic_binding::mark_deleted): New.
	(symbolic_binding::mark_empty): New.
	(symbolic_binding::is_deleted): New.
	(symbolic_binding::is_empty): New.
	(binding_map::remove_overlapping_bindings): New decl.
	(binding_map::get_overlapping_bindings): New decl.
	(binding_cluster::validate): New decl.
	(binding_cluster::bind): Drop enum binding_kind.
	(binding_cluster::fill_region): New decl.
	(binding_cluster::get_binding): Drop enum binding_kind.
	(binding_cluster::get_binding_recursive): Likewise.
	(binding_cluster::get_overlapping_bindings): Delete.
	(store::validate): New decl.
	(store::set_value): Drop enum binding_kind.
	(store::fill_region): New decl.
	(store_manager::get_concrete_binding): Drop enum binding_kind.
	(store_manager::get_symbolic_binding): Likewise.
	* svalue.cc (svalue::cmp_ptr): Handle SK_REPEATED and
	SK_BITS_WITHIN.
	(svalue::extract_bit_range): New.
	(svalue::maybe_fold_bits_within): New.
	(constant_svalue::maybe_fold_bits_within): New.
	(unknown_svalue::maybe_fold_bits_within): New.
	(unaryop_svalue::maybe_fold_bits_within): New.
	(repeated_svalue::repeated_svalue): New.
	(repeated_svalue::dump_to_pp): New.
	(repeated_svalue::accept): New.
	(repeated_svalue::all_zeroes_p): New.
	(repeated_svalue::maybe_fold_bits_within): New.
	(bits_within_svalue::bits_within_svalue): New.
	(bits_within_svalue::dump_to_pp): New.
	(bits_within_svalue::maybe_fold_bits_within): New.
	(bits_within_svalue::accept): New.
	(bits_within_svalue::implicitly_live_p): New.
	(compound_svalue::maybe_fold_bits_within): New.
	* svalue.h (enum svalue_kind): Add SK_REPEATED and SK_BITS_WITHIN.
	(svalue::dyn_cast_repeated_svalue): New.
	(svalue::dyn_cast_bits_within_svalue): New.
	(svalue::extract_bit_range): New decl.
	(svalue::maybe_fold_bits_within): New vfunc decl.
	(region_svalue::key_t::mark_empty): Use 2 rather than NULL_TREE.
	(region_svalue::key_t::is_empty): Likewise.
	(default_hash_traits<region_svalue::key_t>::empty_zero_p): Make false.
	(constant_svalue::maybe_fold_bits_within): New.
	(unknown_svalue::maybe_fold_bits_within): New.
	(poisoned_svalue::key_t::mark_empty): Use 2 rather than NULL_TREE.
	(poisoned_svalue::key_t::is_empty): Likewise.
	(default_hash_traits<poisoned_svalue::key_t>::empty_zero_p): Make
	false.
	(setjmp_svalue::key_t::mark_empty): Use 2 rather than NULL_TREE.
	(setjmp_svalue::key_t::is_empty): Likewise.
	(default_hash_traits<setjmp_svalue::key_t>::empty_zero_p): Make
	false.
	(unaryop_svalue::key_t::mark_empty): Use 2 rather than NULL_TREE.
	(unaryop_svalue::key_t::is_empty): Likewise.
	(unaryop_svalue::maybe_fold_bits_within): New.
	(default_hash_traits<unaryop_svalue::key_t>::empty_zero_p): Make
	false.
	(binop_svalue::key_t::mark_empty): Use 2 rather than NULL_TREE.
	(binop_svalue::key_t::is_empty): Likewise.
	(default_hash_traits<binop_svalue::key_t>::empty_zero_p): Make
	false.
	(sub_svalue::key_t::mark_empty): Use 2 rather than NULL_TREE.
	(sub_svalue::key_t::is_empty): Likewise.
	(default_hash_traits<sub_svalue::key_t>::empty_zero_p): Make
	false.
	(class repeated_svalue): New.
	(is_a_helper <const repeated_svalue *>::test): New.
	(struct default_hash_traits<repeated_svalue::key_t>): New.
	(class bits_within_svalue): New.
	(is_a_helper <const bits_within_svalue *>::test): New.
	(struct default_hash_traits<bits_within_svalue::key_t>): New.
	(widening_svalue::key_t::mark_empty): Use 2 rather than NULL_TREE.
	(widening_svalue::key_t::is_empty): Likewise.
	(default_hash_traits<widening_svalue::key_t>::empty_zero_p): Make
	false.
	(compound_svalue::key_t::mark_empty): Use 2 rather than NULL_TREE.
	(compound_svalue::key_t::is_empty): Likewise.
	(compound_svalue::maybe_fold_bits_within): New.
	(default_hash_traits<compound_svalue::key_t>::empty_zero_p): Make
	false.

2021-06-28  David Malcolm  <dmalcolm@redhat.com>

	* analyzer.h (byte_offset_t): New typedef.
	* store.cc (bit_range::dump_to_pp): Dump as a byte range if
	possible.
	(bit_range::as_byte_range): New.
	(byte_range::dump_to_pp): New.
	* store.h (class byte_range): New forward decl.
	(struct bit_range): Add comment.
	(bit_range::as_byte_range): New decl.
	(struct byte_range): New.

2021-06-22  David Malcolm  <dmalcolm@redhat.com>

	PR analyzer/101143
	* region-model.cc (compat_types_p): New function.
	(region_model::create_region_for_heap_alloc): Convert assertion to
	an error check.
	(region_model::create_region_for_alloca): Likewise.

2021-06-18  David Malcolm  <dmalcolm@redhat.com>

	* store.cc (binding_cluster::get_any_binding): Make symbolic reads
	from a cluster with concrete bindings return unknown.

2021-06-18  David Malcolm  <dmalcolm@redhat.com>

	* region-model-manager.cc
	(region_model_manager::get_or_create_int_cst): New.
	(region_model_manager::maybe_undo_optimize_bit_field_compare): Use
	it to simplify away a local tree.
	* region-model.cc (region_model::on_setjmp): Likewise.
	(region_model::on_longjmp): Likewise.
	* region-model.h (region_model_manager::get_or_create_int_cst):
	New decl.
	* store.cc (binding_cluster::zero_fill_region): Use it to simplify
	away a local tree.

2021-06-18  David Malcolm  <dmalcolm@redhat.com>

	* checker-path.cc (class custom_event): Make abstract to allow for
	custom vfuncs, splitting existing implementation into...
	(class precanned_custom_event): New subclass.
	(custom_event::get_desc): Move to...
	(precanned_custom_event::get_desc): ...subclass.
	* checker-path.h (class custom_event): Make abstract to allow for
	custom vfuncs, splitting existing implementation into...
	(class precanned_custom_event): New subclass.
	* diagnostic-manager.cc (diagnostic_manager::add_events_for_eedge):
	Use precanned_custom_event.
	* engine.cc
	(stale_jmp_buf::maybe_add_custom_events_for_superedge): Likewise.
	* sm-signal.cc (signal_delivery_edge_info_t::add_events_to_path):
	Likewise.

2021-06-15 David Malcolm <dmalcolm@redhat.com>

	PR analyzer/99212
	PR analyzer/101082
	* engine.cc: Include "target.h".
	(impl_run_checkers): Log BITS_BIG_ENDIAN, BYTES_BIG_ENDIAN, and
	WORDS_BIG_ENDIAN.
	* region-model-manager.cc
	(region_model_manager::maybe_fold_binop): Move support for masking
	via ARG0 & CST into...
	(region_model_manager::maybe_undo_optimize_bit_field_compare):
	...this new function. Flatten by converting from nested
	conditionals to a series of early return statements to reject
	failures. Reject if type is not unsigned_char_type_node.
	Handle BYTES_BIG_ENDIAN when determining which bits are bound
	in the binding_map.
	* region-model.h
	(region_model_manager::maybe_undo_optimize_bit_field_compare):
	New decl.
	* store.cc (bit_range::dump): New function.
	* store.h (bit_range::dump): New decl.

2021-06-15 David Malcolm <dmalcolm@redhat.com>

	* engine.cc (exploded_node::on_stmt): Handle __analyzer_dump_capacity.
	(exploded_node::on_stmt): Drop m_sm_changes from on_stmt_flags.
	(state_change_requires_new_enode_p): New function...
	(exploded_graph::process_node): Call it, rather than querying
	flags.m_sm_changes, so that dynamic-extent differences can also
	trigger the splitting of nodes.
	* exploded-graph.h (struct on_stmt_flags): Drop field m_sm_changes.
	* program-state.cc (program_state::detect_leaks): Purge dead
	heap-allocated regions from dynamic extents.
	(selftest::test_program_state_1): Fix type of "size_in_bytes".
	(selftest::test_program_state_merging): Likewise.
	* region-model-impl-calls.cc
	(region_model::impl_call_analyzer_dump_capacity): New.
	(region_model::impl_call_free): Remove dynamic extents from the
	freed region.
	* region-model-reachability.h
	(reachable_regions::begin_mutable_base_regs): New.
	(reachable_regions::end_mutable_base_regs): New.
	* region-model.cc: Include "tree-object-size.h".
	(region_model::region_model): Support new field m_dynamic_extents.
	(region_model::operator=): Likewise.
	(region_model::operator==): Likewise.
	(region_model::dump_to_pp): Dump sizes of dynamic regions.
	(region_model::handle_unrecognized_call): Purge dynamic extents
	from any regions that have escaped mutably.
	(region_model::get_capacity): New function.
	(region_model::add_constraint): Unset dynamic extents when a
	heap-allocated region's address is NULL.
	(region_model::unbind_region_and_descendents): Purge dynamic
	extents of unbound regions.
	(region_model::can_merge_with_p): Call
	m_dynamic_extents.can_merge_with_p.
	(region_model::create_region_for_heap_alloc): Assert that
	size_in_bytes's type is compatible with size_type_node. Update
	for renaming of record_dynamic_extents to set_dynamic_extents.
	(region_model::create_region_for_alloca): Likewise.
	(region_model::record_dynamic_extents): Rename to...
	(region_model::set_dynamic_extents): ...this. Assert that
	size_in_bytes's type is compatible with size_type_node. Add it
	to the m_dynamic_extents map.
	(region_model::get_dynamic_extents): New.
	(region_model::unset_dynamic_extents): New.
	(selftest::test_state_merging): Fix type of "size".
	(selftest::test_malloc_constraints): Likewise.
	(selftest::test_malloc): Verify dynamic extents.
	(selftest::test_alloca): Likewise.
	* region-model.h (region_to_value_map::is_empty): New.
	(region_model::dynamic_extents_t): New typedef.
	(region_model::impl_call_analyzer_dump_capacity): New decl.
	(region_model::get_dynamic_extents): New function.
	(region_model::get_dynamic_extents): New decl.
	(region_model::set_dynamic_extents): New decl.
	(region_model::unset_dynamic_extents): New decl.
	(region_model::get_capacity): New decl.
	(region_model::record_dynamic_extents): Rename to set_dynamic_extents.
	(region_model::m_dynamic_extents): New field.

2021-06-15 David Malcolm <dmalcolm@redhat.com>

	* region-model.cc (region_to_value_map::operator=): New.
	(region_to_value_map::operator==): New.
	(region_to_value_map::dump_to_pp): New.
	(region_to_value_map::dump): New.
	(region_to_value_map::can_merge_with_p): New.
	* region-model.h (class region_to_value_map): New class.

2021-06-13 Trevor Saunders <tbsaunde@tbsaunde.org>

	* call-string.cc (call_string::call_string): Use range based for
	to iterate over vec<>.
	(call_string::to_json): Likewise.
	(call_string::hash): Likewise.
	(call_string::calc_recursion_depth): Likewise.
	* checker-path.cc (checker_path::fixup_locations): Likewise.
	* constraint-manager.cc (equiv_class::equiv_class): Likewise.
	(equiv_class::to_json): Likewise.
	(equiv_class::hash): Likewise.
	(constraint_manager::to_json): Likewise.
	* engine.cc (impl_region_model_context::on_svalue_leak):
	Likewise.
	(on_liveness_change): Likewise.
	(impl_region_model_context::on_unknown_change): Likewise.
	* program-state.cc (sm_state_map::set_state): Likewise.
	* region-model.cc (test_canonicalization_4): Likewise.

2021-06-11 David Malcolm <dmalcolm@redhat.com>

	* engine.cc (worklist::key_t::cmp): Move sort by call_string to
	before SCC.

2021-06-09 David Malcolm <dmalcolm@redhat.com>

	* region-model.cc (region_model::get_lvalue_1): Make const.
	(region_model::get_lvalue): Likewise.
	(region_model::get_rvalue_1): Likewise.
	(region_model::get_rvalue): Likewise.
	(region_model::deref_rvalue): Likewise.
	(region_model::get_rvalue_for_bits): Likewise.
	* region-model.h (region_model::get_lvalue): Likewise.
	(region_model::get_rvalue): Likewise.
	(region_model::deref_rvalue): Likewise.
	(region_model::get_rvalue_for_bits): Likewise.
	(region_model::get_lvalue_1): Likewise.
	(region_model::get_rvalue_1): Likewise.

2021-06-08 David Malcolm <dmalcolm@redhat.com>

	PR analyzer/99212
	* region-model-manager.cc
	(region_model_manager::maybe_fold_binop): Add support for folding
	BIT_AND_EXPR of compound_svalue and a mask constant.
	* region-model.cc (region_model::get_rvalue_1): Implement
	BIT_FIELD_REF in terms of...
	(region_model::get_rvalue_for_bits): New function.
	* region-model.h (region_model::get_rvalue_for_bits): New decl.
	* store.cc (bit_range::from_mask): New function.
	(selftest::test_bit_range_intersects_p): New selftest.
	(selftest::assert_bit_range_from_mask_eq): New.
	(ASSERT_BIT_RANGE_FROM_MASK_EQ): New macro.
	(selftest::assert_no_bit_range_from_mask_eq): New.
	(ASSERT_NO_BIT_RANGE_FROM_MASK): New macro.
	(selftest::test_bit_range_from_mask): New selftest.
	(selftest::analyzer_store_cc_tests): Call the new selftests.
	* store.h (bit_range::intersects_p): New.
	(bit_range::from_mask): New decl.
	(concrete_binding::get_bit_range): New accessor.
	(store_manager::get_concrete_binding): New overload taking
	const bit_range &.

2021-06-08 David Malcolm <dmalcolm@redhat.com>

	* analyzer.h (int_size_in_bits): New decl.
	* region.cc (int_size_in_bits): New function.
	(region::get_bit_size): Reimplement in terms of the above.

2021-06-08 David Malcolm <dmalcolm@redhat.com>

	* store.cc (concrete_binding::dump_to_pp): Move bulk of
	implementation to...
	(bit_range::dump_to_pp): ...this new function.
	(bit_range::cmp): New.
	(concrete_binding::overlaps_p): Update for use of bit_range.
	(concrete_binding::cmp_ptr_ptr): Likewise.
	* store.h (struct bit_range): New.
	(class concrete_binding): Replace fields m_start_bit_offset and
	m_size_in_bits with new field m_bit_range.

2021-06-08 David Malcolm <dmalcolm@redhat.com>

	* svalue.h (conjured_svalue::iterator_t): Delete.

2021-06-03 David Malcolm <dmalcolm@redhat.com>

	* store.h (store::get_direct_binding): Remove unused decl.
	(store::get_default_binding): Likewise.

2021-06-03 David Malcolm <dmalcolm@redhat.com>

	* svalue.cc (poisoned_svalue::dump_to_pp): Dump type.
	(compound_svalue::dump_to_pp): Dump any type.

2021-05-18 David Malcolm <dmalcolm@redhat.com>

	PR analyzer/100615
	* sm-malloc.cc: Include "analyzer/function-set.h".
	(malloc_state_machine::on_stmt): Call unaffected_by_call_p and
	bail on the functions it recognizes.
	(malloc_state_machine::unaffected_by_call_p): New.

2021-05-10 Martin Liska <mliska@suse.cz>

	* sm-file.cc (is_file_using_fn_p): Use startswith
	function instead of strncmp.

2021-05-10 Martin Liska <mliska@suse.cz>

	* program-state.cc (program_state::operator=): Remove
	__cplusplus >= 201103.
	(program_state::program_state): Likewise.
	* program-state.h: Likewise.
	* region-model.h (class region_model): Remove dead code.

2021-04-24 David Malcolm <dmalcolm@redhat.com>

	PR analyzer/100244
	* sm-malloc.cc (free_of_non_heap::describe_state_change):
	Bulletproof against change.m_expr being NULL.

2021-04-13 David Malcolm <dmalcolm@redhat.com>

	PR analyzer/98599
	* supergraph.cc (saved_uids::make_uid_unique): New.
	(saved_uids::restore_uids): New.
	(supergraph::supergraph): Replace assignments to stmt->uid with
	calls to m_stmt_uids.make_uid_unique.
	(supergraph::~supergraph): New.
	* supergraph.h (class saved_uids): New.
	(supergraph::~supergraph): New decl.
	(supergraph::m_stmt_uids): New field.

2021-04-10 David Malcolm <dmalcolm@redhat.com>

	PR analyzer/100011
	* region-model.cc (region_model::on_assignment): Avoid NULL
	dereference if ctxt is NULL when assigning from a STRING_CST.

2021-04-08 David Malcolm <dmalcolm@redhat.com>

	PR analyzer/99042
	PR analyzer/99774
	* engine.cc
	(impl_region_model_context::impl_region_model_context): Add
	uncertainty param and use it to initialize m_uncertainty.
	(impl_region_model_context::get_uncertainty): New.
	(impl_sm_context::get_fndecl_for_call): Add NULL for new
	uncertainty param when constructing impl_region_model_context.
	(impl_sm_context::get_state): Likewise.
	(impl_sm_context::set_next_state): Likewise.
	(impl_sm_context::warn): Likewise.
	(exploded_node::on_stmt): Add uncertainty param
	and use it when constructing impl_region_model_context.
	(exploded_node::on_edge): Add uncertainty param and pass
	to on_edge call.
	(exploded_node::detect_leaks): Create uncertainty_t and pass to
	impl_region_model_context.
	(exploded_graph::get_or_create_node): Create uncertainty_t and
	pass to prune_for_point.
	(maybe_process_run_of_before_supernode_enodes): Create
	uncertainty_t and pass to impl_region_model_context.
	(exploded_graph::process_node): Create uncertainty_t instances and
	pass around as needed.
	* exploded-graph.h
	(impl_region_model_context::impl_region_model_context): Add
	uncertainty param.
	(impl_region_model_context::get_uncertainty): New decl.
	(impl_region_model_context::m_uncertainty): New field.
	(exploded_node::on_stmt): Add uncertainty param.
	(exploded_node::on_edge): Likewise.
	* program-state.cc (sm_state_map::on_liveness_change): Get
	uncertainty from context and use it to unset sm-state from
	svalues as appropriate.
	(program_state::on_edge): Add uncertainty param and use it when
	constructing impl_region_model_context. Fix indentation.
	(program_state::prune_for_point): Add uncertainty param and use it
	when constructing impl_region_model_context.
	(program_state::detect_leaks): Get any uncertainty from ctxt and
	use it to get maybe-live svalues for dest_state, rather than
	definitely-live ones; use this when determining which svalues
	have leaked.
	(selftest::test_program_state_merging): Create uncertainty_t and
	pass to impl_region_model_context.
	* program-state.h (program_state::on_edge): Add uncertainty param.
	(program_state::prune_for_point): Likewise.
	* region-model-impl-calls.cc (call_details::get_uncertainty): New.
	(region_model::impl_call_memcpy): Pass uncertainty to
	mark_region_as_unknown call.
	(region_model::impl_call_memset): Likewise.
	(region_model::impl_call_strcpy): Likewise.
	* region-model-reachability.cc (reachable_regions::handle_sval):
	Also add sval to m_mutable_svals.
	* region-model.cc (region_model::on_assignment): Pass any
	uncertainty from ctxt to the store::set_value call.
	(region_model::handle_unrecognized_call): Get any uncertainty from
	ctxt and use it to record mutable svalues at the unknown call.
	(region_model::get_reachable_svalues): Add uncertainty param and
	use it to mark any maybe-bound svalues as being reachable.
	(region_model::set_value): Pass any uncertainty from ctxt to the
	store::set_value call.
	(region_model::mark_region_as_unknown): Add uncertainty param and
	pass it on to the store::mark_region_as_unknown call.
	(region_model::update_for_call_summary): Add uncertainty param and
	pass it on to the region_model::mark_region_as_unknown call.
	* region-model.h (call_details::get_uncertainty): New decl.
	(region_model::get_reachable_svalues): Add uncertainty param.
	(region_model::mark_region_as_unknown): Add uncertainty param.
	(region_model_context::get_uncertainty): New vfunc.
	(noop_region_model_context::get_uncertainty): New vfunc
	implementation.
	* store.cc (dump_svalue_set): New.
	(uncertainty_t::dump_to_pp): New.
	(uncertainty_t::dump): New.
	(binding_cluster::clobber_region): Pass NULL for uncertainty to
	remove_overlapping_bindings.
	(binding_cluster::mark_region_as_unknown): Add uncertainty param
	and pass it to remove_overlapping_bindings.
	(binding_cluster::remove_overlapping_bindings): Add uncertainty param.
	Use it to record any svalues that were in clobbered bindings.
	(store::set_value): Add uncertainty param. Pass it to
	binding_cluster::mark_region_as_unknown when handling symbolic
	regions.
	(store::mark_region_as_unknown): Add uncertainty param and pass it
	to binding_cluster::mark_region_as_unknown.
	(store::remove_overlapping_bindings): Add uncertainty param and
	pass it to binding_cluster::remove_overlapping_bindings.
	* store.h (binding_cluster::mark_region_as_unknown): Add
	uncertainty param.
	(binding_cluster::remove_overlapping_bindings): Likewise.
	(store::set_value): Likewise.
	(store::mark_region_as_unknown): Likewise.

2021-04-05 David Malcolm <dmalcolm@redhat.com>

	PR analyzer/99906
	* analyzer.cc (maybe_reconstruct_from_def_stmt): Fix NULL
	dereference on calls with zero arguments.
	* sm-malloc.cc (malloc_state_machine::on_stmt): When handling
	__attribute__((nonnull)), only call get_diagnostic_tree if the
	result will be used.

2021-04-05 David Malcolm <dmalcolm@redhat.com>

	PR analyzer/99886
	* diagnostic-manager.cc
	(diagnostic_manager::prune_interproc_events): Use signed integers
	when subtracting one from path->num_events ().
	(diagnostic_manager::consolidate_conditions): Likewise. Convert
	next_idx to a signed int.

2021-04-01 David Malcolm <dmalcolm@redhat.com>

	* diagnostic-manager.cc (diagnostic_manager::add_diagnostic): Make
	enode param non-constant, and call add_diagnostic on it. Add
	enode index to log message.
	(diagnostic_manager::add_diagnostic): Make enode param
	non-constant.
	* diagnostic-manager.h (diagnostic_manager::add_diagnostic):
	Likewise for both decls.
	* engine.cc
	(impl_region_model_context::impl_region_model_context): Likewise
	for enode_for_diag.
	(impl_sm_context::impl_sm_context): Likewise.
	(impl_sm_context::m_enode_for_diag): Likewise.
	(exploded_node::dump_dot): Don't pass the diagnostic manager
	to dump_saved_diagnostics.
	(exploded_node::dump_saved_diagnostics): Drop param. Iterate
	directly through all saved diagnostics for the enode, rather
	than all saved diagnostics in the diagnostic_manager and
	filtering.
	(exploded_node::on_stmt): Make non-const.
	(exploded_node::on_edge): Likewise.
	(exploded_node::on_longjmp): Likewise.
	(exploded_node::detect_leaks): Likewise.
	(exploded_graph::get_or_create_node): Make enode_for_diag param
	non-const.
	(exploded_graph_annotator::print_enode): Iterate
	directly through all saved diagnostics for the enode, rather
	than all saved diagnostics in the diagnostic_manager and
	filtering.
	* exploded-graph.h
	(impl_region_model_context::impl_region_model_context): Make
	enode_for_diag param non-constant.
	(impl_region_model_context::m_enode_for_diag): Likewise.
	(exploded_node::dump_saved_diagnostics): Drop param.
	(exploded_node::on_stmt): Make non-const.
	(exploded_node::on_edge): Likewise.
	(exploded_node::on_longjmp): Likewise.
	(exploded_node::detect_leaks): Likewise.
	(exploded_node::add_diagnostic): New.
	(exploded_node::get_num_diagnostics): New.
	(exploded_node::get_saved_diagnostic): New.
	(exploded_node::m_saved_diagnostics): New.
	(exploded_graph::get_or_create_node): Make enode_for_diag param
	non-constant.
	* feasible-graph.cc (feasible_node::dump_dot): Drop
	diagnostic_manager from call to dump_saved_diagnostics.
	* program-state.cc (program_state::on_edge): Convert enode param
	to non-const pointer.
	(program_state::prune_for_point): Likewise for enode_for_diag
	param.
	* program-state.h (program_state::on_edge): Convert enode param
	to non-const pointer.
	(program_state::prune_for_point): Likewise for enode_for_diag
	param.

2021-03-31 David Malcolm <dmalcolm@redhat.com>

	PR analyzer/99771
	* analyzer.cc (maybe_reconstruct_from_def_stmt): New.
	(fixup_tree_for_diagnostic_1): New.
	(fixup_tree_for_diagnostic): New.
	* analyzer.h (fixup_tree_for_diagnostic): New decl.
	* checker-path.cc (call_event::get_desc): Call
	fixup_tree_for_diagnostic and use it for the call_with_state call.
	(warning_event::get_desc): Likewise for the final_event and
	make_label_text calls.
	* engine.cc (impl_region_model_context::on_state_leak): Likewise
	for the on_leak and add_diagnostic calls.
	* region-model.cc (region_model::get_representative_tree):
	Likewise for the result.

2021-03-30 David Malcolm <dmalcolm@redhat.com>

	* region.h (region::dump_to_pp): Remove old decl.

2021-03-30 David Malcolm <dmalcolm@redhat.com>

	* sm-file.cc (fileptr_state_machine::on_stmt): Only call
	get_diagnostic_tree if the result will be used.
	* sm-malloc.cc (malloc_state_machine::on_stmt): Likewise.
	(malloc_state_machine::on_deallocator_call): Likewise.
	(malloc_state_machine::on_realloc_call): Likewise.
	(malloc_state_machine::on_realloc_call): Likewise.
	* sm-sensitive.cc
	(sensitive_state_machine::warn_for_any_exposure): Likewise.
	* sm-taint.cc (taint_state_machine::on_stmt): Likewise.

2021-03-25 David Malcolm <dmalcolm@redhat.com>

	PR analyzer/93695
	PR analyzer/99044
	PR analyzer/99716
	* engine.cc (exploded_node::on_stmt): Clear sm-state involving
	an SSA name at the def-stmt of that SSA name.
	* program-state.cc (sm_state_map::purge_state_involving): New.
	* program-state.h (sm_state_map::purge_state_involving): New decl.
	* region-model.cc (selftest::test_involves_p): New.
	(selftest::analyzer_region_model_cc_tests): Call it.
	* svalue.cc (class involvement_visitor): New class.
	(svalue::involves_p): New.
	* svalue.h (svalue::involves_p): New decl.

2021-03-19 David Malcolm <dmalcolm@redhat.com>

	PR analyzer/99614
	* diagnostic-manager.cc (class epath_finder): Add
	DISABLE_COPY_AND_ASSIGN.

2021-03-15 Martin Liska <mliska@suse.cz>

	* sm-file.cc (get_file_using_fns): Add missing comma in initializer.

2021-03-11 David Malcolm <dmalcolm@redhat.com>

	PR analyzer/96374
	* analyzer.opt (-param=analyzer-max-infeasible-edges=): New param.
	(fdump-analyzer-feasibility): New flag.
	* diagnostic-manager.cc: Include "analyzer/trimmed-graph.h" and
	"analyzer/feasible-graph.h".
	(epath_finder::epath_finder): Convert m_sep to a pointer and
	only create it if !flag_analyzer_feasibility.
	(epath_finder::~epath_finder): New.
	(epath_finder::m_sep): Convert to a pointer.
	(epath_finder::get_best_epath): Add param "diag_idx" and use it
	when logging. Rather than finding the shortest path and then
	checking feasibility, instead use explore_feasible_paths unless
	!flag_analyzer_feasibility, in which case simply use the shortest
	path, and note if it is infeasible. Update for m_sep becoming a
	pointer.
	(class feasible_worklist): New.
	(epath_finder::explore_feasible_paths): New.
	(epath_finder::process_worklist_item): New.
	(class dump_eg_with_shortest_path): New.
	(epath_finder::dump_trimmed_graph): New.
	(epath_finder::dump_feasible_graph): New.
	(saved_diagnostic::saved_diagnostic): Add "idx" param, using it
	on new field m_idx.
	(saved_diagnostic::to_json): Dump m_idx.
	(saved_diagnostic::calc_best_epath): Pass m_idx to get_best_epath.
	Remove assertion that m_problem was set when m_best_epath is NULL.
	(diagnostic_manager::add_diagnostic): Pass an index when creating
	saved_diagnostic instances.
	* diagnostic-manager.h (saved_diagnostic::saved_diagnostic): Add
	"idx" param.
	(saved_diagnostic::get_index): New accessor.
	(saved_diagnostic::m_idx): New field.
	* engine.cc (exploded_node::dump_dot): Call args.dump_extra_info.
	Move code to...
	(exploded_node::dump_processed_stmts): ...this new function and...
	(exploded_node::dump_saved_diagnostics): ...this new function.
	Add index of each diagnostic.
	(exploded_edge::dump_dot): Move bulk of code to...
	(exploded_edge::dump_dot_label): ...this new function.
	* exploded-graph.h (eg_traits::dump_args_t::dump_extra_info): New
	vfunc.
	(exploded_node::dump_processed_stmts): New decl.
	(exploded_node::dump_saved_diagnostics): New decl.
	(exploded_edge::dump_dot_label): New decl.
	* feasible-graph.cc: New file.
	* feasible-graph.h: New file.
	* trimmed-graph.cc: New file.
	* trimmed-graph.h: New file.

2021-03-11 David Malcolm <dmalcolm@redhat.com>

	* diagnostic-manager.cc (epath_finder::epath_finder):
	Update shortest_paths init for new param.

2021-03-10 David Malcolm <dmalcolm@redhat.com>

	PR analyzer/96374
	* engine.cc (exploded_path::feasible_p): Move "snodes_visited" and
	"model" locals into a new class feasibility_state. Move heart
	of per-edge processing into
	feasibility_state::maybe_update_for_edge.
	(feasibility_state::feasibility_state): New.
	(feasibility_state::maybe_update_for_edge): New, based on loop
	body in exploded_path::feasible_p.
	* exploded-graph.h (class feasibility_state): New.

2021-03-10 David Malcolm <dmalcolm@redhat.com>

	* supergraph.h
	(callgraph_superedge::dyn_cast_callgraph_superedge): New.
	(call_superedge::dyn_cast_callgraph_superedge): Delete.
	(return_superedge::dyn_cast_callgraph_superedge): Delete.

2021-03-02 Martin Liska <mliska@suse.cz>

	* diagnostic-manager.cc (diagnostic_manager::emit_saved_diagnostics):
	Do not pass engine.

2021-02-26 David Malcolm <dmalcolm@redhat.com>

	* engine.cc (exploded_path::exploded_path): New copy-ctor.
	* exploded-graph.h (exploded_path::operator=): Drop decl.

2021-02-26 David Malcolm <dmalcolm@redhat.com>

	PR analyzer/96374
	* diagnostic-manager.cc (class epath_finder): New.
	(epath_finder::get_best_epath): New.
	(saved_diagnostic::saved_diagnostic): Update for replacement of
	m_state and m_epath_length with m_best_epath.
	(saved_diagnostic::~saved_diagnostic): Delete m_best_epath.
	(saved_diagnostic::to_json): Update "path_length" to be optional.
	(saved_diagnostic::calc_best_epath): New, based on
	dedupe_winners::add and parts of dedupe_key::dedupe_key.
	(saved_diagnostic::get_epath_length): New.
	(saved_diagnostic::add_duplicate): New.
	(dedupe_key::dedupe_key): Drop epath param. Move invocation of
	stmt_finder to saved_diagnostic::calc_best_epath.
	(class dedupe_candidate): Delete.
	(class dedupe_hash_map_traits): Update to use saved_diagnostic *
	rather than dedupe_candidate * as the value_type/compare_type.
	(dedupe_winners::~dedupe_winners): Don't delete the values.
	(dedupe_winners::add): Convert param from shortest_exploded_paths to
	epath_finder. Drop "eg" param. Drop dedupe_candidate, moving
	path generation and feasibility checking to
	epath_finder::get_best_epath. Update winner-selection for move
	of epaths from dedupe_candidate to saved_diagnostic.
	(dedupe_winners::emit_best): Update for removal of class
	dedupe_candidate.
	(dedupe_winners::map_t): Update to use saved_diagnostic * rather
	than dedupe_candidate * as the value_type/compare_type.
	(diagnostic_manager::emit_saved_diagnostics): Move
	shortest_exploded_paths instance into epath_finder and pass that
	around instead.
	(diagnostic_manager::emit_saved_diagnostic): Drop epath, stmt
	and num_dupes params, instead getting these from the
	saved_diagnostic. Use correct location in inform_n call.
	* diagnostic-manager.h (class epath_finder): New forward decl.
	(saved_diagnostic::status): Drop enum.
	(saved_diagnostic::set_feasible): Drop.
	(saved_diagnostic::set_infeasible): Drop.
	(saved_diagnostic::get_status): Drop.
	(saved_diagnostic::calc_best_epath): New decl.
	(saved_diagnostic::get_best_epath): New decl.
	(saved_diagnostic::get_epath_length): New decl.
	(saved_diagnostic::set_epath_length): Drop.
	(saved_diagnostic::get_epath_length): Drop inline implementation.
	(saved_diagnostic::add_duplicate): New.
	(saved_diagnostic::get_num_dupes): New.
	(saved_diagnostic::m_d): Document ownership.
	(saved_diagnostic::m_trailing_eedge): Make const.
	(saved_diagnostic::m_status): Drop field.
	(saved_diagnostic::m_epath_length): Drop field.
	(saved_diagnostic::m_best_epath): New field.
	(saved_diagnostic::m_problem): Document ownership.
	(saved_diagnostic::m_duplicates): New field.
	(diagnostic_manager::emit_saved_diagnostic): Drop params epath,
	stmt, and num_dupes.
	* engine.cc (exploded_graph_annotator::print_saved_diagnostic):
	Update for changes to saved_diagnostic class.
	* exploded-graph.h (exploded_path::feasible_p): Drop unused
	overloaded decl.

2021-02-25 David Malcolm <dmalcolm@redhat.com>

	PR analyzer/99193
	* region-model-impl-calls.cc (region_model::impl_call_realloc): New.
	* region-model.cc (region_model::on_call_pre): Call it.
	* region-model.h (region_model::impl_call_realloc): New decl.
	* sm-malloc.cc (enum wording): Add WORDING_REALLOCATED.
	(malloc_state_machine::m_realloc): New field.
	(use_after_free::describe_state_change): Add case for
	WORDING_REALLOCATED.
	(use_after_free::describe_final_event): Likewise.
	(malloc_state_machine::malloc_state_machine): Initialize
	m_realloc.
	(malloc_state_machine::on_stmt): Handle realloc by calling...
	(malloc_state_machine::on_realloc_call): New.

2021-02-22 David Malcolm <dmalcolm@redhat.com>

	PR analyzer/99196
	* engine.cc (exploded_node::on_stmt): Provide terminate_path
	flag as a way for on_call_pre to terminate the current analysis
	path.
	* region-model-impl-calls.cc (call_details::num_args): New.
	(region_model::impl_call_error): New.
	* region-model.cc (region_model::on_call_pre): Add param
	"out_terminate_path". Handle "error" and "error_at_line".
	* region-model.h (call_details::num_args): New decl.
	(region_model::on_call_pre): Add param "out_terminate_path".
	(region_model::impl_call_error): New decl.

2021-02-17 David Malcolm <dmalcolm@redhat.com>

	PR analyzer/98969
	* constraint-manager.cc (dead_svalue_purger::should_purge_p):
	Update for change to svalue::live_p.
	* program-state.cc (sm_state_map::on_liveness_change): Likewise.
	(program_state::detect_leaks): Likewise.
	* region-model-reachability.cc (reachable_regions::init_cluster):
	When dealing with a symbolic region, if the underlying pointer is
	implicitly live, add the region to the reachable regions.
	* region-model.cc (region_model::compare_initial_and_pointer):
	Move logic for detecting initial values of params to
	initial_svalue::initial_value_of_param_p.
	* svalue.cc (svalue::live_p): Convert "live_svalues" from a
	reference to a pointer; support it being NULL.
	(svalue::implicitly_live_p): Convert first param from a
	reference to a pointer.
	(region_svalue::implicitly_live_p): Likewise.
	(constant_svalue::implicitly_live_p): Likewise.
	(initial_svalue::implicitly_live_p): Likewise. Treat the initial
	values of params for the top level frame as still live.
	(initial_svalue::initial_value_of_param_p): New function, taken
	from a test in region_model::compare_initial_and_pointer.
	(unaryop_svalue::implicitly_live_p): Convert first param from a
	reference to a pointer.
	(binop_svalue::implicitly_live_p): Likewise.
	(sub_svalue::implicitly_live_p): Likewise.
	(unmergeable_svalue::implicitly_live_p): Likewise.
	* svalue.h (svalue::live_p): Likewise.
	(svalue::implicitly_live_p): Likewise.
	(region_svalue::implicitly_live_p): Likewise.
	(constant_svalue::implicitly_live_p): Likewise.
	(initial_svalue::implicitly_live_p): Likewise.
	(initial_svalue::initial_value_of_param_p): New decl.
	(unaryop_svalue::implicitly_live_p): Convert first param from a
	reference to a pointer.
	(binop_svalue::implicitly_live_p): Likewise.
	(sub_svalue::implicitly_live_p): Likewise.
	(unmergeable_svalue::implicitly_live_p): Likewise.

2021-02-12 David Malcolm <dmalcolm@redhat.com>

	PR analyzer/98969
	* engine.cc (readability): Add names for the various arbitrary
	values. Handle NOP_EXPR and INTEGER_CST.
	(readability_comparator): Combine the readability tests for
	tree and stack depth, rather than performing them sequentially.
	(impl_region_model_context::on_state_leak): Strip off top-level
	casts.
	* region-model.cc (region_model::get_representative_path_var): Add
	type-checking, moving the bulk of the implementation to...
	(region_model::get_representative_path_var_1): ...here. Respect
	types in casts by recursing and re-adding the cast, rather than
	merely stripping them off. Use the correct type when handling
	region_svalue.
	(region_model::get_representative_tree): Strip off any top-level
	cast.
	(region_model::get_representative_path_var): Add type-checking,
	moving the bulk of the implementation to...
	(region_model::get_representative_path_var_1): ...here.
	* region-model.h (region_model::get_representative_path_var_1):
	New decl.
	(region_model::get_representative_path_var_1): New decl.
	* store.cc (append_pathvar_with_type): New.
	(binding_cluster::get_representative_path_vars): Cast path_vars
	to the correct type when adding them to *OUT_PVS.

2021-02-09 David Malcolm <dmalcolm@redhat.com>

	PR analyzer/98575
	* sm-file.cc (is_file_using_fn_p): Support "_IO_"-prefixed
	variants.

2021-02-09 David Malcolm <dmalcolm@redhat.com>

	PR analyzer/98575
	* store.cc (store::set_value): Treat a pointer written to *UNKNOWN
	as having escaped.

49022021-02-02 David Malcolm <dmalcolm@redhat.com>
4903
4904 PR analyzer/93355
4905 PR analyzer/96374
4906 * engine.cc (toplevel_function_p): Simplify so that
4907 we only reject functions with a "__analyzer_" prefix.
4908 (add_any_callbacks): Delete.
4909 (exploded_graph::build_initial_worklist): Update for
4910 dropped param of toplevel_function_p.
4911 (exploded_graph::build_initial_worklist): Don't bother
4912 looking for callbacks that are reachable from global
4913 initializers.
4914
f7884fb1
GA
49152021-02-01 David Malcolm <dmalcolm@redhat.com>
4916
4917 PR analyzer/98918
4918 * region-model-manager.cc
4919 (region_model_manager::get_or_create_initial_value):
4920 Fold the initial value of *UNKNOWN_PTR to an UNKNOWN value.
4921 (region_model_manager::get_field_region): Fold the value
4922 of UNKNOWN_PTR->FIELD to *UNKNOWN_PTR_OF_&FIELD_TYPE.
4923
2900f2f2
GA
49242021-01-29 David Malcolm <dmalcolm@redhat.com>
4925
4926 * checker-path.cc (event_kind_to_string): Handle
4927 EK_START_CONSOLIDATED_CFG_EDGES and
4928 EK_END_CONSOLIDATED_CFG_EDGES.
4929 (start_consolidated_cfg_edges_event::get_desc): New.
4930 (checker_path::cfg_edge_pair_at_p): New.
4931 * checker-path.h (enum event_kind): Add
4932 EK_START_CONSOLIDATED_CFG_EDGES and
4933 EK_END_CONSOLIDATED_CFG_EDGES.
4934 (class start_consolidated_cfg_edges_event): New class.
4935 (class end_consolidated_cfg_edges_event): New class.
4936 (checker_path::delete_events): New.
4937 (checker_path::replace_event): New.
4938 (checker_path::cfg_edge_pair_at_p): New decl.
4939 * diagnostic-manager.cc (diagnostic_manager::prune_path): Call
4940 consolidate_conditions.
4941 (same_line_as_p): New.
4942 (diagnostic_manager::consolidate_conditions): New.
4943 * diagnostic-manager.h
4944 (diagnostic_manager::consolidate_conditions): New decl.
4945
2021-01-18 David Malcolm <dmalcolm@redhat.com>

	* analyzer.h (is_std_named_call_p): New decl.
	* diagnostic-manager.cc (path_builder::get_sm): New.
	(state_change_event_creator::state_change_event_creator): Add "pb"
	param.
	(state_change_event_creator::on_global_state_change): Don't consider
	state changes affecting other state_machines.
	(state_change_event_creator::on_state_change): Likewise.
	(state_change_event_creator::m_pb): New field.
	(diagnostic_manager::add_events_for_eedge): Pass pb to visitor
	ctor.
	* region-model-impl-calls.cc
	(region_model::impl_deallocation_call): New.
	* region-model.cc: Include "attribs.h".
	(region_model::on_call_post): Handle fndecls referenced by
	__attribute__((deallocated_by(FOO))).
	* region-model.h (region_model::impl_deallocation_call): New decl.
	* sm-malloc.cc: Include "stringpool.h" and "attribs.h". Add
	leading comment.
	(class api): Delete.
	(enum resource_state): Update comment for change from api to
	deallocator and deallocator_set.
	(allocation_state::allocation_state): Drop api param. Add
	"deallocators" and "deallocator".
	(allocation_state::m_api): Drop field in favor of...
	(allocation_state::m_deallocators): New field.
	(allocation_state::m_deallocator): New field.
	(enum wording): Add WORDING_DEALLOCATED.
	(struct deallocator): New.
	(struct standard_deallocator): New.
	(struct custom_deallocator): New.
	(struct deallocator_set): New.
	(struct custom_deallocator_set): New.
	(struct standard_deallocator_set): New.
	(struct deallocator_set_map_traits): New.
	(malloc_state_machine::m_malloc): Drop field.
	(malloc_state_machine::m_scalar_new): Likewise.
	(malloc_state_machine::m_vector_new): Likewise.
	(malloc_state_machine::m_free): New field.
	(malloc_state_machine::m_scalar_delete): Likewise.
	(malloc_state_machine::m_vector_delete): Likewise.
	(malloc_state_machine::deallocator_map_t): New typedef.
	(malloc_state_machine::m_deallocator_map): New field.
	(malloc_state_machine::deallocator_set_cache_t): New typedef.
	(malloc_state_machine::m_custom_deallocator_set_cache): New field.
	(malloc_state_machine::custom_deallocator_set_map_t): New typedef.
	(malloc_state_machine::m_custom_deallocator_set_map): New field.
	(malloc_state_machine::m_dynamic_sets): New field.
	(malloc_state_machine::m_dynamic_deallocators): New field.
	(api::api): Delete.
	(deallocator::deallocator): New ctor.
	(deallocator::hash): New.
	(deallocator::dump_to_pp): New.
	(deallocator::cmp): New.
	(deallocator::cmp_ptr_ptr): New.
	(standard_deallocator::standard_deallocator): New ctor.
	(deallocator_set::deallocator_set): New ctor.
	(deallocator_set::dump): New.
	(custom_deallocator_set::custom_deallocator_set): New ctor.
	(custom_deallocator_set::contains_p): New.
	(custom_deallocator_set::maybe_get_single): New.
	(custom_deallocator_set::dump_to_pp): New.
	(standard_deallocator_set::standard_deallocator_set): New ctor.
	(standard_deallocator_set::contains_p): New.
	(standard_deallocator_set::maybe_get_single): New.
	(standard_deallocator_set::dump_to_pp): New.
	(start_p): New.
	(class mismatching_deallocation): Update for conversion from api
	to deallocator_set and deallocator.
	(double_free::emit): Use %qs.
	(class use_after_free): Update for conversion from api to
	deallocator_set and deallocator.
	(malloc_leak::describe_state_change): Only emit "allocated here" on
	a start->nonnull transition, rather than on other transitions to
	nonnull.
	(allocation_state::dump_to_pp): Update for conversion from api to
	deallocator_set.
	(allocation_state::get_nonnull): Likewise.
	(malloc_state_machine::malloc_state_machine): Likewise.
	(malloc_state_machine::~malloc_state_machine): New.
	(malloc_state_machine::add_state): Update for conversion from api
	to deallocator_set.
	(malloc_state_machine::get_or_create_custom_deallocator_set): New.
	(malloc_state_machine::maybe_create_custom_deallocator_set): New.
	(malloc_state_machine::get_or_create_deallocator): New.
	(malloc_state_machine::on_stmt): Update for conversion from api
	to deallocator_set. Handle "__attribute__((malloc(FOO)))", and
	the special attribute set on FOO.
	(malloc_state_machine::on_allocator_call): Update for conversion
	from api to deallocator_set. Add "returns_nonnull" param and use
	it to affect which state to transition to.
	(malloc_state_machine::on_deallocator_call): Update for conversion
	from api to deallocator_set.

2021-01-14 David Malcolm <dmalcolm@redhat.com>

	* engine.cc (strongly_connected_components::to_json): New.
	(worklist::to_json): New.
	(exploded_graph::to_json): JSON-ify the worklist.
	* exploded-graph.h (strongly_connected_components::to_json): New
	decl.
	(worklist::to_json): New decl.
	* store.cc (store::to_json): Fix comment.
	* supergraph.cc (supernode::to_json): Fix reference to
	"returning_call" in comment. Add optional "fun" to JSON.
	(edge_kind_to_string): New.
	(superedge::to_json): Add "kind" to JSON.

2021-01-14 David Malcolm <dmalcolm@redhat.com>

	PR analyzer/98679
	* analyzer.h (region_offset::operator==): Make const.
	* pending-diagnostic.h (pending_diagnostic::equal_p): Likewise.
	* store.h (binding_cluster::for_each_value): Likewise.
	(binding_cluster::for_each_binding): Likewise.

2021-01-12 David Malcolm <dmalcolm@redhat.com>

	PR analyzer/98628
	* store.cc (binding_cluster::make_unknown_relative_to): Don't mark
	dereferenced unknown pointers as having escaped.

2021-01-07 David Malcolm <dmalcolm@redhat.com>

	PR analyzer/98580
	* region.cc (decl_region::get_svalue_for_initializer): Gracefully
	handle when LTO writes out DECL_INITIAL as error_mark_node.

2021-01-07 David Malcolm <dmalcolm@redhat.com>

	PR analyzer/97074
	* store.cc (binding_cluster::can_merge_p): Add "out_store" param
	and pass to calls to binding_cluster::make_unknown_relative_to.
	(binding_cluster::make_unknown_relative_to): Add "out_store"
	param. Use it to mark base regions that are pointed to by
	pointers that become unknown as having escaped.
	(store::can_merge_p): Pass out_store to
	binding_cluster::can_merge_p.
	* store.h (binding_cluster::can_merge_p): Add "out_store" param.
	(binding_cluster::make_unknown_relative_to): Likewise.
	* svalue.cc (region_svalue::implicitly_live_p): New vfunc.
	* svalue.h (region_svalue::implicitly_live_p): New vfunc decl.

2021-01-07 David Malcolm <dmalcolm@redhat.com>

	PR analyzer/98564
	* engine.cc (exploded_path::feasible_p): Add missing call to
	bitmap_clear.

2021-01-06 David Malcolm <dmalcolm@redhat.com>

	PR analyzer/97072
	* region-model-reachability.cc (reachable_regions::init_cluster):
	Convert symbolic region handling to a switch statement. Add cases
	to handle SK_UNKNOWN and SK_CONJURED.

2021-01-05 David Malcolm <dmalcolm@redhat.com>

	PR analyzer/98293
	* store.cc (binding_map::apply_ctor_to_region): When "index" is
	NULL, iterate through the fields for RECORD_TYPEs, rather than
	creating an INTEGER_CST index.

2020-11-30 David Malcolm <dmalcolm@redhat.com>

	* analyzer-pass.cc: Include "analyzer/analyzer.h" for the
	declaration of sorry_no_analyzer; include "tree.h" and
	"function.h" as these are needed by it.

2020-11-30 David Malcolm <dmalcolm@redhat.com>

	* analyzer-pass.cc (pass_analyzer::execute): Move sorry call to...
	(sorry_no_analyzer): New.
	* analyzer.h (class state_machine): New forward decl.
	(class logger): New forward decl.
	(class plugin_analyzer_init_iface): New.
	(sorry_no_analyzer): New decl.
	* checker-path.cc (checker_path::fixup_locations): New.
	* checker-path.h (checker_event::set_location): New.
	(checker_path::fixup_locations): New decl.
	* diagnostic-manager.cc
	(diagnostic_manager::emit_saved_diagnostic): Call
	checker_path::fixup_locations, and call fixup_location
	on the primary location.
	* engine.cc: Include "plugin.h".
	(class plugin_analyzer_init_impl): New.
	(impl_run_checkers): Invoke PLUGIN_ANALYZER_INIT callbacks.
	* pending-diagnostic.h (pending_diagnostic::fixup_location): New
	vfunc.

2020-11-18 David Malcolm <dmalcolm@redhat.com>

	PR analyzer/97893
	* sm-malloc.cc (null_deref::emit): Use CWE-476 rather than
	CWE-690, as this isn't due to an unchecked return value.
	(null_arg::emit): Likewise.

2020-11-12 David Malcolm <dmalcolm@redhat.com>

	* checker-path.h (checker_event::get_id_ptr): New.
	* diagnostic-manager.cc (path_builder::path_builder): Add "sd"
	param and use it to initialize new field "m_sd".
	(path_builder::get_pending_diagnostic): New.
	(path_builder::m_sd): New field.
	(diagnostic_manager::emit_saved_diagnostic): Pass sd to
	path_builder ctor.
	(diagnostic_manager::add_events_for_superedge): Call new
	maybe_add_custom_events_for_superedge vfunc.
	* engine.cc (stale_jmp_buf::stale_jmp_buf): Add "setjmp_point"
	param and use it to initialize new field "m_setjmp_point".
	Initialize new field "m_stack_pop_event".
	(stale_jmp_buf::maybe_add_custom_events_for_superedge): New vfunc
	implementation.
	(stale_jmp_buf::describe_final_event): New vfunc implementation.
	(stale_jmp_buf::m_setjmp_point): New field.
	(stale_jmp_buf::m_stack_pop_event): New field.
	(exploded_node::on_longjmp): Pass setjmp_point to stale_jmp_buf
	ctor.
	* pending-diagnostic.h
	(pending_diagnostic::maybe_add_custom_events_for_superedge): New
	vfunc.

2020-11-12 David Malcolm <dmalcolm@redhat.com>

	PR tree-optimization/97424
	* analyzer.opt (Wanalyzer-shift-count-negative): New.
	(Wanalyzer-shift-count-overflow): New.
	* region-model.cc (class shift_count_negative_diagnostic): New.
	(class shift_count_overflow_diagnostic): New.
	(region_model::get_gassign_result): Complain about shift counts that
	are negative or are >= the operand's type's width.

2020-11-10 Martin Liska <mliska@suse.cz>

	* constraint-manager.cc (constraint_manager::merge): Remove
	unused code.
	* constraint-manager.h: Likewise.
	* program-state.cc (sm_state_map::sm_state_map): Likewise.
	(program_state::program_state): Likewise.
	(test_sm_state_map): Likewise.
	* program-state.h: Likewise.
	* region-model-reachability.cc (reachable_regions::reachable_regions): Likewise.
	* region-model-reachability.h: Likewise.
	* region-model.cc (region_model::handle_unrecognized_call): Likewise.
	(region_model::get_reachable_svalues): Likewise.
	(region_model::can_merge_with_p): Likewise.

2020-11-05 David Malcolm <dmalcolm@redhat.com>

	PR analyzer/97668
	* svalue.cc (cmp_cst): Handle COMPLEX_CST.

2020-10-29 David Malcolm <dmalcolm@redhat.com>

	* program-state.cc (sm_state_map::on_liveness_change): Sort the
	leaking svalues before calling on_state_leak.
	(program_state::detect_leaks): Likewise when calling
	on_svalue_leak.
	* region-model-reachability.cc
	(reachable_regions::mark_escaped_clusters): Likewise when
	calling on_escaped_function.

2020-10-29 David Malcolm <dmalcolm@redhat.com>

	PR analyzer/97608
	* region-model-reachability.cc (reachable_regions::handle_sval):
	Operands of reachable reversible operations are reachable.

2020-10-29 David Malcolm <dmalcolm@redhat.com>

	* analyzer.h (class state_machine): New forward decl.
	(class logger): Likewise.
	(class visitor): Likewise.
	* complexity.cc: New file, taken from svalue.cc.
	* complexity.h: New file, taken from region-model.h.
	* region-model.h: Include "analyzer/svalue.h" and
	"analyzer/region.h". Move struct complexity to complexity.h.
	Move svalue, its subclasses and supporting decls to svalue.h.
	Move region, its subclasses and supporting decls to region.h.
	* region.cc: Include "analyzer/region.h".
	(symbolic_region::symbolic_region): Move here from region-model.h.
	* region.h: New file, based on material from region-model.h.
	* svalue.cc: Include "analyzer/svalue.h".
	(complexity::complexity): Move to complexity.cc.
	(complexity::from_pair): Likewise.
	* svalue.h: New file, based on material from region-model.h.

2020-10-29 David Malcolm <dmalcolm@redhat.com>

	* program-state.cc (sm_state_map::print): Guard the printing of
	the origin pointer with !flag_dump_noaddr.
	* region.cc (string_region::dump_to_pp): Likewise for
	m_string_cst.

2020-10-27 David Malcolm <dmalcolm@redhat.com>

	PR analyzer/97568
	* region-model.cc (region_model::get_initial_value_for_global):
	Move check that !DECL_EXTERNAL from here to...
	* region.cc (decl_region::get_svalue_for_initializer): ...here,
	using it to reject zero initialization.

2020-10-27 Markus Böck <markus.boeck02@gmail.com>

	PR analyzer/96608
	* store.h (hash): Cast to intptr_t instead of long.

2020-10-27 David Malcolm <dmalcolm@redhat.com>

	* constraint-manager.cc (svalue_cmp_by_ptr): Delete.
	(equiv_class::canonicalize): Use svalue::cmp_ptr_ptr instead.
	(equiv_class_cmp): Eliminate pointer comparison.
	* diagnostic-manager.cc (dedupe_key::comparator): If they are at
	the same location, also compare epath length and pending_diagnostic
	kind.
	* engine.cc (readability_comparator): If two path_vars have the
	same readability, then impose an arbitrary ordering on them.
	(worklist::key_t::cmp): If two points have the same plan ordering,
	continue the comparison. Call sm_state_map::cmp rather than
	comparing hash values.
	* program-state.cc (sm_state_map::entry_t::cmp): New.
	(sm_state_map::cmp): New.
	* program-state.h (sm_state_map::entry_t::cmp): New decl.
	(sm_state_map::elements): New.
	(sm_state_map::cmp): New.

2020-10-27 David Malcolm <dmalcolm@redhat.com>

	* engine.cc (setjmp_record::cmp): New.
	(supernode_cluster::dump_dot): Avoid embedding pointer in cluster
	name.
	(supernode_cluster::cmp_ptr_ptr): New.
	(function_call_string_cluster::dump_dot): Avoid embedding pointer
	in cluster name. Sort m_map when dumping child clusters.
	(function_call_string_cluster::cmp_ptr_ptr): New.
	(root_cluster::dump_dot): Sort m_map when dumping child clusters.
	* program-point.cc (function_point::cmp): New.
	(function_point::cmp_ptr): New.
	* program-point.h (function_point::cmp): New decl.
	(function_point::cmp_ptr): New decl.
	* program-state.cc (sm_state_map::print): Sort the values. Guard
	the printing of pointers with !flag_dump_noaddr.
	(program_state::prune_for_point): Sort the regions.
	(log_set_of_svalues): Sort the values. Guard the printing of
	pointers with !flag_dump_noaddr.
	* region-model-manager.cc (log_uniq_map): Sort the values.
	* region-model-reachability.cc (dump_set): New function template.
	(reachable_regions::dump_to_pp): Use it.
	* region-model.h (svalue::cmp_ptr): New decl.
	(svalue::cmp_ptr_ptr): New decl.
	(setjmp_record::cmp): New decl.
	(placeholder_svalue::get_name): New accessor.
	(widening_svalue::get_point): New accessor.
	(compound_svalue::get_map): New accessor.
	(conjured_svalue::get_stmt): New accessor.
	(conjured_svalue::get_id_region): New accessor.
	(region::cmp_ptrs): Rename to...
	(region::cmp_ptr_ptr): ...this.
	* region.cc (region::cmp_ptrs): Rename to...
	(region::cmp_ptr_ptr): ...this.
	* state-purge.cc
	(state_purge_per_ssa_name::state_purge_per_ssa_name): Sort
	m_points_needing_name when dumping.
	* store.cc (concrete_binding::cmp_ptr_ptr): New.
	(symbolic_binding::cmp_ptr_ptr): New.
	(binding_map::cmp): New.
	(get_sorted_parent_regions): Update for renaming of
	region::cmp_ptrs to region::cmp_ptr_ptr.
	(store::dump_to_pp): Likewise.
	(store::to_json): Likewise.
	(store::can_merge_p): Sort the base regions before considering
	them.
	* store.h (concrete_binding::cmp_ptr_ptr): New decl.
	(symbolic_binding::cmp_ptr_ptr): New decl.
	(binding_map::cmp): New decl.
	* supergraph.cc (supergraph::supergraph): Assign UIDs to the
	gimple stmts.
	* svalue.cc (cmp_cst): New.
	(svalue::cmp_ptr): New.
	(svalue::cmp_ptr_ptr): New.

2020-10-27 David Malcolm <dmalcolm@redhat.com>

	* engine.cc (exploded_graph::get_or_create_node): Fix off-by-one
	when imposing param_analyzer_max_enodes_per_program_point limit.

2020-10-27 David Malcolm <dmalcolm@redhat.com>

	* region-model.cc (region_model::get_representative_path_var):
	Implement case RK_LABEL.
	* region-model.h (label_region::get_label): New accessor.

2020-10-22 David Malcolm <dmalcolm@redhat.com>

	PR analyzer/97514
	* engine.cc (exploded_graph::add_function_entry): Handle failure
	to create an enode, rather than asserting.

2020-10-22 David Malcolm <dmalcolm@redhat.com>

	PR analyzer/97489
	* engine.cc (exploded_graph::add_function_entry): Assert that we
	have a function body.
	(exploded_graph::on_escaped_function): Reject fndecls that don't
	have a function body.

2020-10-14 David Malcolm <dmalcolm@redhat.com>

	PR analyzer/93388
	* region-model.cc (region_model::get_initial_value_for_global):
	Fall back to returning an initial_svalue if
	decl_region::get_svalue_for_initializer fails.
	* region.cc (decl_region::get_svalue_for_initializer): Don't
	attempt to create a compound_svalue if the region has an unknown
	size.

2020-10-14 David Malcolm <dmalcolm@redhat.com>

	PR analyzer/93723
	* store.cc (binding_map::apply_ctor_to_region): Remove redundant
	assertion.

2020-10-12 David Malcolm <dmalcolm@redhat.com>

	PR analyzer/97258
	* engine.cc (impl_region_model_context::on_escaped_function): New
	vfunc.
	(exploded_graph::add_function_entry): Use m_functions_with_enodes
	to implement idempotency.
	(add_any_callbacks): New.
	(exploded_graph::build_initial_worklist): Use the above to find
	callbacks that are reachable from global initializers.
	(exploded_graph::on_escaped_function): New.
	* exploded-graph.h
	(impl_region_model_context::on_escaped_function): New decl.
	(exploded_graph::on_escaped_function): New decl.
	(exploded_graph::m_functions_with_enodes): New field.
	* region-model-reachability.cc
	(reachable_regions::reachable_regions): Replace "store" param with
	"model" param; use it to initialize m_model.
	(reachable_regions::add): When getting the svalue for the region,
	call get_store_value on the model rather than using an initial
	value.
	(reachable_regions::mark_escaped_clusters): Add ctxt param and
	use it to call on_escaped_function when a function_region escapes.
	* region-model-reachability.h
	(reachable_regions::reachable_regions): Replace "store" param with
	"model" param.
	(reachable_regions::mark_escaped_clusters): Add ctxt param.
	(reachable_regions::m_model): New field.
	* region-model.cc (region_model::handle_unrecognized_call): Update
	for change in reachable_regions ctor.
	(region_model::handle_unrecognized_call): Pass ctxt to
	mark_escaped_clusters.
	(region_model::get_reachable_svalues): Update for change in
	reachable_regions ctor.
	(region_model::get_initial_value_for_global): Read-only variables
	keep their initial values.
	* region-model.h (region_model_context::on_escaped_function): New
	vfunc.
	(noop_region_model_context::on_escaped_function): New.

2020-10-12 David Malcolm <dmalcolm@redhat.com>

	* analyzer.opt (Wanalyzer-write-to-const): New.
	(Wanalyzer-write-to-string-literal): New.
	* region-model-impl-calls.cc (region_model::impl_call_memcpy):
	Call check_for_writable_region.
	(region_model::impl_call_memset): Likewise.
	(region_model::impl_call_strcpy): Likewise.
	* region-model.cc (class write_to_const_diagnostic): New.
	(class write_to_string_literal_diagnostic): New.
	(region_model::check_for_writable_region): New.
	(region_model::set_value): Call check_for_writable_region.
	* region-model.h (region_model::check_for_writable_region): New
	decl.

2020-10-07 David Malcolm <dmalcolm@redhat.com>

	PR analyzer/97116
	* sm-malloc.cc (method_p): New.
	(describe_argument_index): New.
	(inform_nonnull_attribute): Use describe_argument_index.
	(possible_null_arg::describe_final_event): Likewise.
	(null_arg::describe_final_event): Likewise.

2020-09-29 David Malcolm <dmalcolm@redhat.com>

	PR analyzer/95188
	* engine.cc (stmt_requires_new_enode_p): Split enodes before
	"signal" calls.

2020-09-29 David Malcolm <dmalcolm@redhat.com>

	* constraint-manager.cc
	(constraint_manager::add_constraint_internal): Whitespace fixes.
	Silence -Wsign-compare warning.
	* engine.cc (maybe_process_run_of_before_supernode_enodes):
	Silence -Wsign-compare warning.

2020-09-28 David Malcolm <dmalcolm@redhat.com>

	* region-model.h (binop_svalue::dyn_cast_binop_svalue): Remove
	redundant "virtual". Add FINAL OVERRIDE.
	(widening_svalue::dyn_cast_widening_svalue): Add FINAL OVERRIDE.
	(compound_svalue::dyn_cast_compound_svalue): Likewise.
	(conjured_svalue::dyn_cast_conjured_svalue): Likewise.

2020-09-28 David Malcolm <dmalcolm@redhat.com>

	* diagnostic-manager.cc (null_assignment_sm_context::m_visitor):
	Remove unused field.

2020-09-28 David Malcolm <dmalcolm@redhat.com>

	PR analyzer/97233
	* analyzer.cc (is_longjmp_call_p): Require the initial argument
	to be a pointer.
	* engine.cc (exploded_node::on_longjmp): Likewise.

2020-09-28 David Malcolm <dmalcolm@redhat.com>

	* program-state.cc (sm_state_map::print): Update check
	for m_global_state being the start state.

2020-09-26 David Malcolm <dmalcolm@redhat.com>

	PR analyzer/96646
	PR analyzer/96841
	* region-model.cc (region_model::get_representative_path_var):
	When handling offset_region, wrap the MEM_REF's first argument in
	an ADDR_EXPR of pointer type, rather than simply using the tree
	for the parent region. Require the MEM_REF's second argument to
	be an integer constant.

2020-09-24 David Malcolm <dmalcolm@redhat.com>

	* analyzer.h (struct rejected_constraint): New decl.
	* analyzer.opt (fanalyzer-feasibility): New option.
	* diagnostic-manager.cc (path_builder::path_builder): Add
	"problem" param and use it to initialize new field.
	(path_builder::get_feasibility_problem): New accessor.
	(path_builder::m_feasibility_problem): New field.
	(dedupe_winners::add): Remove inversion of logic in "if" clause,
	swapping if/else suites. In the !feasible_p suite, inspect
	flag_analyzer_feasibility and add code to handle when this
	is off, accepting the infeasible path, but recording the
	feasibility_problem.
	(diagnostic_manager::emit_saved_diagnostic): Pass the
	feasibility_problem to the path_builder.
	(diagnostic_manager::add_events_for_eedge): If we have
	a feasibility_problem at this edge, use it to add a custom event.
	* engine.cc (exploded_path::feasible_p): Pass a
	rejected_constraint ** to model.maybe_update_for_edge and transfer
	ownership of any created instance to any feasibility_problem.
	(feasibility_problem::dump_to_pp): New.
	* exploded-graph.h (feasibility_problem::feasibility_problem):
	Drop "model" param; add rejected_constraint * param.
	(feasibility_problem::~feasibility_problem): New.
	(feasibility_problem::dump_to_pp): New decl.
	(feasibility_problem::m_model): Drop field.
	(feasibility_problem::m_rc): New field.
	* program-point.cc (function_point::get_location): Handle
	PK_BEFORE_SUPERNODE and PK_AFTER_SUPERNODE.
	* program-state.cc (program_state::on_edge): Pass NULL to new
	param of region_model::maybe_update_for_edge.
	* region-model.cc (region_model::add_constraint): New overload
	adding a rejected_constraint ** param.
	(region_model::maybe_update_for_edge): Add rejected_constraint **
	param and pass it to the various apply_constraints_for_ calls.
	(region_model::apply_constraints_for_gcond): Add
	rejected_constraint ** param and pass it to add_constraint calls.
	(region_model::apply_constraints_for_gswitch): Likewise.
	(region_model::apply_constraints_for_exception): Likewise.
	(rejected_constraint::dump_to_pp): New.
	* region-model.h (region_model::maybe_update_for_edge):
	Add rejected_constraint ** param.
	(region_model::add_constraint): New overload adding a
	rejected_constraint ** param.
	(region_model::apply_constraints_for_gcond): Add
	rejected_constraint ** param.
	(region_model::apply_constraints_for_gswitch): Likewise.
	(region_model::apply_constraints_for_exception): Likewise.
	(struct rejected_constraint): New.

2020-09-23 David Malcolm <dmalcolm@redhat.com>

	PR analyzer/97178
	* engine.cc (impl_run_checkers): Update for change to ext_state
	ctor.
	* program-state.cc (selftest::test_sm_state_map): Pass an engine
	instance to ext_state ctor.
	(selftest::test_program_state_1): Likewise.
	(selftest::test_program_state_2): Likewise.
	(selftest::test_program_state_merging): Likewise.
	(selftest::test_program_state_merging_2): Likewise.
	* program-state.h (extrinsic_state::extrinsic_state): Remove NULL
	default value for "eng" param.

2020-09-23 Tobias Burnus <tobias@codesourcery.com>

	* analyzer-logging.cc: Guard '#pragma ... ignored "-Wformat-diag"'
	by '#if __GNUC__ >= 10'.
	* analyzer.h: Likewise.
	* call-string.cc: Likewise.

2020-09-23 David Malcolm <dmalcolm@redhat.com>

	* engine.cc (exploded_node::on_stmt): Replace sequence of dyn_cast
	with switch.

521d2711
GA
55582020-09-22 David Malcolm <dmalcolm@redhat.com>
5559
5560 * analysis-plan.cc: Include "json.h".
5561 * analyzer.opt (fdump-analyzer-json): New.
5562 * call-string.cc: Include "json.h".
5563 (call_string::to_json): New.
5564 * call-string.h (call_string::to_json): New decl.
5565 * checker-path.cc: Include "json.h".
5566 * constraint-manager.cc: Include "json.h".
5567 (equiv_class::to_json): New.
5568 (constraint::to_json): New.
5569 (constraint_manager::to_json): New.
5570 * constraint-manager.h (equiv_class::to_json): New decl.
5571 (constraint::to_json): New decl.
5572 (constraint_manager::to_json): New decl.
5573 * diagnostic-manager.cc: Include "json.h".
5574 (saved_diagnostic::to_json): New.
5575 (diagnostic_manager::to_json): New.
5576 * diagnostic-manager.h (saved_diagnostic::to_json): New decl.
5577 (diagnostic_manager::to_json): New decl.
5578 * engine.cc: Include "json.h", <zlib.h>.
5579 (exploded_node::status_to_str): New.
5580 (exploded_node::to_json): New.
	(exploded_edge::to_json): New.
	(exploded_graph::to_json): New.
	(dump_analyzer_json): New.
	(impl_run_checkers): Call it.
	* exploded-graph.h (exploded_node::status_to_str): New decl.
	(exploded_node::to_json): New.
	(exploded_edge::to_json): New.
	(exploded_graph::to_json): New.
	* pending-diagnostic.cc: Include "json.h".
	* program-point.cc: Include "json.h".
	(program_point::to_json): New.
	* program-point.h (program_point::to_json): New decl.
	* program-state.cc: Include "json.h".
	(extrinsic_state::to_json): New.
	(sm_state_map::to_json): New.
	(program_state::to_json): New.
	* program-state.h (extrinsic_state::to_json): New decl.
	(sm_state_map::to_json): New decl.
	(program_state::to_json): New decl.
	* region-model-impl-calls.cc: Include "json.h".
	* region-model-manager.cc: Include "json.h".
	* region-model-reachability.cc: Include "json.h".
	* region-model.cc: Include "json.h".
	* region-model.h (svalue::to_json): New decl.
	(region::to_json): New decl.
	* region.cc: Include "json.h".
	(region::to_json): New.
	* sm-file.cc: Include "json.h".
	* sm-malloc.cc: Include "json.h".
	* sm-pattern-test.cc: Include "json.h".
	* sm-sensitive.cc: Include "json.h".
	* sm-signal.cc: Include "json.h".
	(signal_delivery_edge_info_t::to_json): New.
	* sm-taint.cc: Include "json.h".
	* sm.cc: Include "diagnostic.h", "tree-diagnostic.h", and
	"json.h".
	(state_machine::state::to_json): New.
	(state_machine::to_json): New.
	* sm.h (state_machine::state::to_json): New.
	(state_machine::to_json): New.
	* state-purge.cc: Include "json.h".
	* store.cc: Include "json.h".
	(binding_key::get_desc): New.
	(binding_map::to_json): New.
	(binding_cluster::to_json): New.
	(store::to_json): New.
	* store.h (binding_key::get_desc): New decl.
	(binding_map::to_json): New decl.
	(binding_cluster::to_json): New decl.
	(store::to_json): New decl.
	* supergraph.cc: Include "json.h".
	(supergraph::to_json): New.
	(supernode::to_json): New.
	(superedge::to_json): New.
	* supergraph.h (supergraph::to_json): New decl.
	(supernode::to_json): New decl.
	(superedge::to_json): New decl.
	* svalue.cc: Include "json.h".
	(svalue::to_json): New.

2020-09-21 David Malcolm <dmalcolm@redhat.com>

	PR analyzer/97130
	* region-model-impl-calls.cc (call_details::get_arg_type): New.
	* region-model.cc (region_model::on_call_pre): Check that the
	initial arg is a pointer before calling impl_call_memset and
	impl_call_strlen.
	* region-model.h (call_details::get_arg_type): New decl.

2020-09-21 David Malcolm <dmalcolm@redhat.com>

	PR analyzer/93355
	* sm-malloc.cc (malloc_state_machine::get_default_state): Look at
	the base region when considering pointers. Treat pointers to
	decls as being non-heap.

2020-09-18 David Malcolm <dmalcolm@redhat.com>

	* checker-path.cc (warning_event::get_desc): Handle global state
	changes.

2020-09-18 David Malcolm <dmalcolm@redhat.com>

	* sm-malloc.cc (malloc_state_machine::on_stmt): Handle strdup and
	strndup as being malloc-like allocators.

2020-09-16 David Malcolm <dmalcolm@redhat.com>

	* engine.cc (strongly_connected_components::strong_connect): Only
	consider intraprocedural edges when creating SCCs.
	(worklist::key_t::cmp): Add comment. Treat call_string
	differences as more important than differences of program_point
	within a supernode.

2020-09-16 David Malcolm <dmalcolm@redhat.com>

	* engine.cc (supernode_cluster::dump_dot): Show the SCC id
	in the per-supernode clusters in FILENAME.eg.dot output.
	(exploded_graph_annotator::add_node_annotations):
	Show the SCC of the supernode in FILENAME.supernode.eg.dot output.
	* exploded-graph.h (worklist::scc_id): New.
	(exploded_graph::get_scc_id): New.

2020-09-16 David Malcolm <dmalcolm@redhat.com>

	* engine.cc (exploded_node::dump_dot): Show STATUS_BULK_MERGED.
	(exploded_graph::process_worklist): Call
	maybe_process_run_of_before_supernode_enodes.
	(exploded_graph::maybe_process_run_of_before_supernode_enodes):
	New.
	(exploded_graph_annotator::print_enode): Show STATUS_BULK_MERGED.
	* exploded-graph.h (enum exploded_node::status): Add
	STATUS_BULK_MERGED.

2020-09-16 David Malcolm <dmalcolm@redhat.com>

	* engine.cc
	(exploded_graph::process_node) <case PK_BEFORE_SUPERNODE>:
	Simplify by using program_point::get_next.
	* program-point.cc (program_point::get_next): New.
	* program-point.h (program_point::get_next): New decl.

2020-09-16 David Malcolm <dmalcolm@redhat.com>

	* engine.cc (exploded_graph::get_or_create_node): Show the
	program point when issuing -Wanalyzer-too-complex due to hitting
	the per-program-point limit.

2020-09-16 David Malcolm <dmalcolm@redhat.com>

	* region-model.cc (region_model::on_call_pre): Treat getchar as
	having no side-effects.

2020-09-15 David Malcolm <dmalcolm@redhat.com>

	PR analyzer/96650
	* constraint-manager.cc (merger_fact_visitor::on_fact): Replace
	assertion that add_constraint succeeded with an assertion that
	if it fails, -fanalyzer-transitivity is off.

2020-09-14 David Malcolm <dmalcolm@redhat.com>

	* analyzer.opt (-param=analyzer-max-constraints=): New param.
	* constraint-manager.cc
	(constraint_manager::add_constraint_internal): Silently reject
	attempts to add constraints when the above limit is reached.

2020-09-14 David Malcolm <dmalcolm@redhat.com>

	PR analyzer/96653
	* constraint-manager.cc
	(constraint_manager::get_or_add_equiv_class): Don't accumulate
	transitive closure of all constraints on constants.

2020-09-14 David Malcolm <dmalcolm@redhat.com>

	PR analyzer/97029
	* analyzer.cc (is_setjmp_call_p): Require the initial arg to be a
	pointer.
	* region-model.cc (region_model::deref_rvalue): Assert that the
	svalue is of pointer type.

2020-09-11 David Malcolm <dmalcolm@redhat.com>

	PR analyzer/96798
	* region-model-impl-calls.cc (region_model::impl_call_memcpy):
	New.
	(region_model::impl_call_strcpy): New.
	* region-model.cc (region_model::on_call_pre): Flag unhandled
	builtins that are non-pure as having unknown side-effects.
	Implement BUILT_IN_MEMCPY, BUILT_IN_MEMCPY_CHK, BUILT_IN_STRCPY,
	BUILT_IN_STRCPY_CHK, BUILT_IN_FPRINTF, BUILT_IN_FPRINTF_UNLOCKED,
	BUILT_IN_PUTC, BUILT_IN_PUTC_UNLOCKED, BUILT_IN_FPUTC,
	BUILT_IN_FPUTC_UNLOCKED, BUILT_IN_FPUTS, BUILT_IN_FPUTS_UNLOCKED,
	BUILT_IN_FWRITE, BUILT_IN_FWRITE_UNLOCKED, BUILT_IN_PRINTF,
	BUILT_IN_PRINTF_UNLOCKED, BUILT_IN_PUTCHAR,
	BUILT_IN_PUTCHAR_UNLOCKED, BUILT_IN_PUTS, BUILT_IN_PUTS_UNLOCKED,
	BUILT_IN_VFPRINTF, BUILT_IN_VPRINTF.
	* region-model.h (region_model::impl_call_memcpy): New decl.
	(region_model::impl_call_strcpy): New decl.

2020-09-09 David Malcolm <dmalcolm@redhat.com>

	PR analyzer/94355
	* analyzer.opt (Wanalyzer-mismatching-deallocation): New warning.
	* region-model-impl-calls.cc
	(region_model::impl_call_operator_new): New.
	(region_model::impl_call_operator_delete): New.
	* region-model.cc (region_model::on_call_pre): Detect operator new
	and operator delete.
	(region_model::on_call_post): Likewise.
	(region_model::maybe_update_for_edge): Detect EH edges and call...
	(region_model::apply_constraints_for_exception): New function.
	* region-model.h (region_model::impl_call_operator_new): New decl.
	(region_model::impl_call_operator_delete): New decl.
	(region_model::apply_constraints_for_exception): New decl.
	* sm-malloc.cc (enum resource_state): New.
	(struct allocation_state): New state subclass.
	(enum wording): New.
	(struct api): New.
	(malloc_state_machine::custom_data_t): New typedef.
	(malloc_state_machine::add_state): New decl.
	(malloc_state_machine::m_unchecked)
	(malloc_state_machine::m_nonnull)
	(malloc_state_machine::m_freed): Delete these states in favor
	of...
	(malloc_state_machine::m_malloc)
	(malloc_state_machine::m_scalar_new)
	(malloc_state_machine::m_vector_new): ...these new api instances,
	which own their own versions of these states.
	(malloc_state_machine::on_allocator_call): New decl.
	(malloc_state_machine::on_deallocator_call): New decl.
	(api::api): New ctor.
	(dyn_cast_allocation_state): New.
	(as_a_allocation_state): New.
	(get_rs): New.
	(unchecked_p): New.
	(nonnull_p): New.
	(freed_p): New.
	(malloc_diagnostic::describe_state_change): Use unchecked_p and
	nonnull_p.
	(class mismatching_deallocation): New.
	(double_free::double_free): Add funcname param for initializing
	m_funcname.
	(double_free::emit): Use m_funcname in warning message rather
	than hardcoding "free".
	(double_free::describe_state_change): Likewise. Use freed_p.
	(double_free::describe_call_with_state): Use freed_p.
	(double_free::describe_final_event): Use m_funcname in message
	rather than hardcoding "free".
	(double_free::m_funcname): New field.
	(possible_null::describe_state_change): Use unchecked_p.
	(possible_null::describe_return_of_state): Likewise.
	(use_after_free::use_after_free): Add param for initializing m_api.
	(use_after_free::emit): Use m_api->m_dealloc_funcname in message
	rather than hardcoding "free".
	(use_after_free::describe_state_change): Use freed_p. Change the
	wording of the message based on the API.
	(use_after_free::describe_final_event): Use
	m_api->m_dealloc_funcname in message rather than hardcoding
	"free". Change the wording of the message based on the API.
	(use_after_free::m_api): New field.
	(malloc_leak::describe_state_change): Use unchecked_p. Update
	for renaming of m_malloc_event to m_alloc_event.
	(malloc_leak::describe_final_event): Update for renaming of
	m_malloc_event to m_alloc_event.
	(malloc_leak::m_malloc_event): Rename...
	(malloc_leak::m_alloc_event): ...to this.
	(free_of_non_heap::free_of_non_heap): Add param for initializing
	m_funcname.
	(free_of_non_heap::emit): Use m_funcname in message rather than
	hardcoding "free".
	(free_of_non_heap::describe_final_event): Likewise.
	(free_of_non_heap::m_funcname): New field.
	(allocation_state::dump_to_pp): New.
	(allocation_state::get_nonnull): New.
	(malloc_state_machine::malloc_state_machine): Update for changes
	to state fields and new api fields.
	(malloc_state_machine::add_state): New.
	(malloc_state_machine::on_stmt): Move malloc/calloc handling to
	on_allocator_call and call it, passing in the API pointer.
	Likewise for free, moving it to on_deallocator_call. Handle calls
	to operator new and delete in an analogous way. Use unchecked_p
	when testing for possibly-null-arg and possibly-null-deref, and
	transition to the non-null for the correct API. Remove redundant
	node param from call to on_zero_assignment. Use freed_p for
	use-after-free check, and pass in API.
	(malloc_state_machine::on_allocator_call): New, based on code in
	on_stmt.
	(malloc_state_machine::on_deallocator_call): Likewise.
	(malloc_state_machine::on_phi): Mark node param with
	ATTRIBUTE_UNUSED; don't pass it to on_zero_assignment.
	(malloc_state_machine::on_condition): Mark node param with
	ATTRIBUTE_UNUSED. Replace on_transition calls with get_state and
	set_next_state pairs, transitioning to the non-null state for the
	appropriate API.
	(malloc_state_machine::can_purge_p): Port to new state approach.
	(malloc_state_machine::on_zero_assignment): Replace on_transition
	calls with get_state and set_next_state pairs. Drop redundant
	node param.
	* sm.h (state_machine::add_custom_state): New.

2020-09-09 David Malcolm <dmalcolm@redhat.com>

	* diagnostic-manager.cc
	(null_assignment_sm_context::warn_for_state): Replace with...
	(null_assignment_sm_context::warn): ...this.
	* engine.cc (impl_sm_context::warn_for_state): Replace with...
	(impl_sm_context::warn): ...this.
	* sm-file.cc (fileptr_state_machine::on_stmt): Replace
	warn_for_state and on_transition calls with a get_state
	test guarding warn and set_next_state calls.
	* sm-malloc.cc (malloc_state_machine::on_stmt): Likewise.
	* sm-pattern-test.cc (pattern_test_state_machine::on_condition):
	Replace warn_for_state call with warn call.
	* sm-sensitive.cc
	(sensitive_state_machine::warn_for_any_exposure): Replace
	warn_for_state call with a get_state test guarding a warn call.
	* sm-signal.cc (signal_state_machine::on_stmt): Likewise.
	* sm-taint.cc (taint_state_machine::on_stmt): Replace
	warn_for_state and on_transition calls with a get_state
	test guarding warn and set_next_state calls.
	* sm.h (sm_context::warn_for_state): Replace with...
	(sm_context::warn): ...this.

2020-09-09 David Malcolm <dmalcolm@redhat.com>

	* diagnostic-manager.cc
	(null_assignment_sm_context::null_assignment_sm_context): Add old_state
	and ext_state params, initializing m_old_state and m_ext_state.
	(null_assignment_sm_context::on_transition): Split into...
	(null_assignment_sm_context::get_state): ...this new vfunc
	implementation and...
	(null_assignment_sm_context::set_next_state): ...this new vfunc
	implementation.
	(null_assignment_sm_context::m_old_state): New field.
	(null_assignment_sm_context::m_ext_state): New field.
	(diagnostic_manager::add_events_for_eedge): Pass in old state and
	ext_state when creating sm_ctxt.
	* engine.cc (impl_sm_context::on_transition): Split into...
	(impl_sm_context::get_state): ...this new vfunc
	implementation and...
	(impl_sm_context::set_next_state): ...this new vfunc
	implementation.
	* sm.h (sm_context::get_state): New pure virtual function.
	(sm_context::set_next_state): Likewise.
	(sm_context::on_transition): Convert from a pure virtual function
	to a regular function implemented in terms of get_state and
	set_next_state.

2020-09-09 David Malcolm <dmalcolm@redhat.com>

	* checker-path.cc (state_change_event::get_desc): Update
	state_machine::get_state_name calls to state::get_name.
	(warning_event::get_desc): Likewise.
	* diagnostic-manager.cc
	(null_assignment_sm_context::on_transition): Update comparison
	against 0 with comparison with m_sm.get_start_state.
	(diagnostic_manager::prune_for_sm_diagnostic): Update
	state_machine::get_state_name calls to state::get_name.
	* engine.cc (impl_sm_context::on_transition): Likewise.
	(exploded_node::get_dot_fillcolor): Use get_id when summing
	the sm states.
	* program-state.cc (sm_state_map::sm_state_map): Don't hardcode
	0 as the start state when initializing m_global_state.
	(sm_state_map::print): Use dump_to_pp rather than get_state_name
	when dumping states.
	(sm_state_map::is_empty_p): Don't hardcode 0 as the start state
	when examining m_global_state.
	(sm_state_map::hash): Use get_id when hashing states.
	(selftest::test_sm_state_map): Use state objects rather than
	arbitrary hardcoded integers.
	(selftest::test_program_state_merging): Likewise.
	(selftest::test_program_state_merging_2): Likewise.
	* sm-file.cc (fileptr_state_machine::m_start): Move to base class.
	(file_diagnostic::describe_state_change): Use get_start_state.
	(fileptr_state_machine::fileptr_state_machine): Drop m_start
	initialization.
	* sm-malloc.cc (malloc_state_machine::m_start): Move to base
	class.
	(malloc_diagnostic::describe_state_change): Use get_start_state.
	(possible_null::describe_state_change): Likewise.
	(malloc_state_machine::malloc_state_machine): Drop m_start
	initialization.
	* sm-pattern-test.cc (pattern_test_state_machine::m_start): Move
	to base class.
	(pattern_test_state_machine::pattern_test_state_machine): Drop
	m_start initialization.
	* sm-sensitive.cc (sensitive_state_machine::m_start): Move to base
	class.
	(sensitive_state_machine::sensitive_state_machine): Drop m_start
	initialization.
	* sm-signal.cc (signal_state_machine::m_start): Move to base
	class.
	(signal_state_machine::signal_state_machine): Drop m_start
	initialization.
	* sm-taint.cc (taint_state_machine::m_start): Move to base class.
	(taint_state_machine::taint_state_machine): Drop m_start
	initialization.
	* sm.cc (state_machine::state::dump_to_pp): New.
	(state_machine::state_machine): Move here from sm.h. Initialize
	m_next_state_id and m_start.
	(state_machine::add_state): Reimplement in terms of state objects.
	(state_machine::get_state_name): Delete.
	(state_machine::get_state_by_name): Reimplement in terms of state
	objects. Make const.
	(state_machine::validate): Delete.
	(state_machine::dump_to_pp): Reimplement in terms of state
	objects.
	* sm.h (state_machine::state): New class.
	(state_machine::state_t): Convert typedef from "unsigned" to
	"const state_machine::state *".
	(state_machine::state_machine): Move to sm.cc.
	(state_machine::get_default_state): Use m_start rather than
	hardcoding 0.
	(state_machine::get_state_name): Delete.
	(state_machine::get_state_by_name): Make const.
	(state_machine::get_start_state): New accessor.
	(state_machine::alloc_state_id): New.
	(state_machine::m_state_names): Drop in favor of...
	(state_machine::m_states): New field.
	(state_machine::m_start): New field.
	(start_start_p): Delete.

2020-09-08 David Malcolm <dmalcolm@redhat.com>

	PR analyzer/96949
	* store.cc (binding_map::apply_ctor_val_to_range): Add
	error-handling for the cases where we have symbolic offsets.

2020-09-08 David Malcolm <dmalcolm@redhat.com>

	PR analyzer/96950
	* store.cc (binding_map::apply_ctor_to_region): Handle RANGE_EXPR
	where min_index == max_index.
	(binding_map::apply_ctor_val_to_range): Replace assertion that we
	don't have a CONSTRUCTOR value with error-handling.

2020-09-08 David Malcolm <dmalcolm@redhat.com>

	PR analyzer/96962
	* region-model.cc (region_model::on_call_pre): Fix guard on switch
	on built-ins to only consider BUILT_IN_NORMAL, rather than other
	kinds of built-ins.

2020-09-01 David Malcolm <dmalcolm@redhat.com>

	PR analyzer/96792
	* region-model.cc (region_model::deref_rvalue): Add the constraint
	that PTR_SVAL is non-NULL.

2020-08-31 David Malcolm <dmalcolm@redhat.com>

	PR analyzer/96798
	* region-model.cc (region_model::on_call_pre): Handle
	BUILT_IN_MEMSET_CHK.

2020-08-31 David Malcolm <dmalcolm@redhat.com>

	* region-model.cc (region_model::on_call_pre): Gather handling of
	builtins and of internal fns into switch statements. Handle
	"alloca" and BUILT_IN_ALLOCA_WITH_ALIGN.

2020-08-31 David Malcolm <dmalcolm@redhat.com>

	PR analyzer/96860
	* region.cc (decl_region::get_svalue_for_constructor): Support
	apply_ctor_to_region failing.
	* store.cc (binding_map::apply_ctor_to_region): Add failure
	handling.
	(binding_map::apply_ctor_val_to_range): Likewise.
	(binding_map::apply_ctor_pair_to_child_region): Likewise. Replace
	assertion that child_base_offset is not symbolic with error
	handling.
	* store.h (binding_map::apply_ctor_to_region): Convert return type
	from void to bool.
	(binding_map::apply_ctor_val_to_range): Likewise.
	(binding_map::apply_ctor_pair_to_child_region): Likewise.

2020-08-31 David Malcolm <dmalcolm@redhat.com>

	PR analyzer/96763
	* store.cc (binding_map::apply_ctor_to_region): Handle RANGE_EXPR
	by calling a new binding_map::apply_ctor_val_to_range subroutine.
	Split out the existing non-CONSTRUCTOR-handling code to a new
	apply_ctor_pair_to_child_region subroutine.
	(binding_map::apply_ctor_val_to_range): New.
	(binding_map::apply_ctor_pair_to_child_region): New, split out
	from binding_map::apply_ctor_to_region as noted above.
	* store.h (binding_map::apply_ctor_val_to_range): New decl.
	(binding_map::apply_ctor_pair_to_child_region): New decl.

2020-08-31 David Malcolm <dmalcolm@redhat.com>

	PR analyzer/96764
	* region-model-manager.cc
	(region_model_manager::maybe_fold_unaryop): Handle VIEW_CONVERT_EXPR.
	(region_model_manager::get_or_create_cast): Move logic for
	real->integer casting to...
	(get_code_for_cast): ...this new function, and add logic for
	real->non-integer casts.
	(region_model_manager::maybe_fold_sub_svalue): Handle
	VIEW_CONVERT_EXPR.
	* region-model.cc
	(region_model::add_any_constraints_from_gassign): Likewise.
	* svalue.cc (svalue::maybe_undo_cast): Likewise.
	(unaryop_svalue::dump_to_pp): Likewise.

2020-08-26 David Malcolm <dmalcolm@redhat.com>

	PR analyzer/94858
	* region-model-manager.cc
	(region_model_manager::get_or_create_widening_svalue): Assert that
	neither of the inputs are themselves widenings.
	* store.cc (store::eval_alias_1): The initial value of a pointer
	can't point to a region that was allocated on the heap after the
	beginning of the path. A widened pointer value can't alias anything
	that the initial pointer value can't alias.
	* svalue.cc (svalue::can_merge_p): Merge BINOP (X, OP, CST) with X
	to a widening svalue. Merge
	BINOP(WIDENING(BASE, BINOP(BASE, X)), X) and BINOP(BASE, X) to
	the LHS of the first BINOP.

2020-08-26 David Malcolm <dmalcolm@redhat.com>

	PR analyzer/96777
	* region-model.h (class compound_svalue): Document that all keys
	must be concrete.
	(compound_svalue::compound_svalue): Move definition to svalue.cc.
	* store.cc (binding_map::apply_ctor_to_region): Handle
	initializers for trailing arrays with incomplete size.
	* svalue.cc (compound_svalue::compound_svalue): Move definition
	here from region-model.h. Add assertion that all keys are
	concrete.

2020-08-22 David Malcolm <dmalcolm@redhat.com>

	PR analyzer/94851
	* region-model-manager.cc
	(region_model_manager::maybe_fold_binop): Fold bitwise "& 0" to 0.

2020-08-22 David Malcolm <dmalcolm@redhat.com>

	* store.cc (store::eval_alias): Make const. Split out 2nd half
	into store::eval_alias_1 and call it twice for symmetry, avoiding
	test duplication.
	(store::eval_alias_1): New function, split out from the above.
	* store.h (store::eval_alias): Make const.
	(store::eval_alias_1): New decl.

2020-08-22 David Malcolm <dmalcolm@redhat.com>

	* region-model.cc (region_model::push_frame): Bind the default
	SSA name for each parm if it exists, falling back to the parm
	itself otherwise, rather than doing both.

2020-08-20 David Malcolm <dmalcolm@redhat.com>

	PR analyzer/96723
	* region-model-manager.cc
	(region_model_manager::get_field_region): Assert that field is a
	FIELD_DECL.
	* region.cc (region::get_subregions_for_binding): In
	union-handling, filter the TYPE_FIELDS traversal to just FIELD_DECLs.

2020-08-20 David Malcolm <dmalcolm@redhat.com>

	PR analyzer/96713
	* region-model.cc (region_model::get_gassign_result): For
	comparisons, only use eval_condition when the lhs has boolean
	type, and use get_or_create_constant_svalue on the boolean
	constants directly rather than via get_rvalue.

2020-08-19 David Malcolm <dmalcolm@redhat.com>

	PR analyzer/96643
	* region-model.cc (region_model::deref_rvalue): Rather than
	attempting to handle all svalue kinds in the switch, only cover
	the special cases, and move symbolic-region handling to after
	the switch, thus implicitly handling the missing case SK_COMPOUND.

2020-08-19 David Malcolm <dmalcolm@redhat.com>

	PR analyzer/96705
	* region-model-manager.cc
	(region_model_manager::maybe_fold_binop): Check that we have an
	integral type before calling build_int_cst.

2020-08-19 David Malcolm <dmalcolm@redhat.com>

	PR analyzer/96699
	* region-model-manager.cc
	(region_model_manager::get_or_create_cast): Use FIX_TRUNC_EXPR for
	casting from REAL_TYPE to INTEGER_TYPE.

2020-08-19 David Malcolm <dmalcolm@redhat.com>

	PR analyzer/96651
	* region-model.cc (region_model::called_from_main_p): New.
	(region_model::get_store_value): Move handling for globals into...
	(region_model::get_initial_value_for_global): ...this new
	function, and add logic for extracting values from decl
	initializers.
	* region-model.h (decl_region::get_svalue_for_constructor): New
	decl.
	(decl_region::get_svalue_for_initializer): New decl.
	(region_model::called_from_main_p): New decl.
	(region_model::get_initial_value_for_global): New.
	* region.cc (decl_region::maybe_get_constant_value): Move logic
	for getting an svalue from a CONSTRUCTOR node to...
	(decl_region::get_svalue_for_constructor): ...this new function.
	(decl_region::get_svalue_for_initializer): New.
	* store.cc (get_svalue_for_ctor_val): Rewrite in terms of
	region_model::get_rvalue.
	* store.h (binding_cluster::get_map): New accessor.

2020-08-19 David Malcolm <dmalcolm@redhat.com>

	PR analyzer/96648
	* region.cc (get_field_at_bit_offset): Gracefully handle negative
	values for bit_offset.

2020-08-18 David Malcolm <dmalcolm@redhat.com>

	* region-model.cc (region_model::get_rvalue_1): Fix name of local.

2020-08-18 David Malcolm <dmalcolm@redhat.com>

	PR analyzer/96641
	* region-model.cc (region_model::get_rvalue_1): Handle
	unrecognized tree codes by returning "UNKNOWN".

2020-08-18 David Malcolm <dmalcolm@redhat.com>

	PR analyzer/96640
	* region-model.cc (region_model::get_gassign_result): Handle various
	VEC_* tree codes by returning UNKNOWN.
	(region_model::on_assignment): Handle unrecognized tree codes by
	setting lhs to an unknown value, rather than issuing a "sorry" and
	asserting.

2020-08-17 David Malcolm <dmalcolm@redhat.com>

	PR analyzer/96644
	* region-model-manager.cc (get_region_for_unexpected_tree_code):
	Handle ctxt being NULL.

2020-08-17 David Malcolm <dmalcolm@redhat.com>

	PR analyzer/96639
	* region.cc (region::get_subregions_for_binding): Check for "type"
	being NULL.

2020-08-17 David Malcolm <dmalcolm@redhat.com>

	PR analyzer/96642
	* store.cc (get_svalue_for_ctor_val): New.
	(binding_map::apply_ctor_to_region): Call it.

2020-08-14 David Malcolm <dmalcolm@redhat.com>

	PR testsuite/96609
	PR analyzer/96616
	* region-model.cc (region_model::get_store_value): Call
	maybe_get_constant_value on decl_regions first.
	* region-model.h (decl_region::maybe_get_constant_value): New decl.
	* region.cc (decl_region::get_stack_depth): Likewise.
	(decl_region::maybe_get_constant_value): New.
	* store.cc (get_subregion_within_ctor): New.
	(binding_map::apply_ctor_to_region): New.
	* store.h (binding_map::apply_ctor_to_region): New decl.

2020-08-14 David Malcolm <dmalcolm@redhat.com>

	PR analyzer/96611
	* store.cc (store::mark_as_escaped): Reject attempts to
	get a cluster for an unknown pointer.

2020-08-13 David Malcolm <dmalcolm@redhat.com>

	PR analyzer/93032
	PR analyzer/93938
	PR analyzer/94011
	PR analyzer/94099
	PR analyzer/94399
	PR analyzer/94458
	PR analyzer/94503
	PR analyzer/94640
	PR analyzer/94688
	PR analyzer/94689
	PR analyzer/94839
	PR analyzer/95026
	PR analyzer/95042
	PR analyzer/95240
	* analyzer-logging.cc: Ignore "-Wformat-diag".
	(logger::enter_scope): Use inc_indent in both overloads.
	(logger::exit_scope): Use dec_indent.
	* analyzer-logging.h (logger::inc_indent): New.
	(logger::dec_indent): New.
	* analyzer-selftests.cc (run_analyzer_selftests): Call
	analyzer_store_cc_tests.
	* analyzer-selftests.h (analyzer_store_cc_tests): New decl.
	* analyzer.cc (get_stmt_location): New function.
	* analyzer.h (class initial_svalue): New forward decl.
	(class unaryop_svalue): New forward decl.
	(class binop_svalue): New forward decl.
	(class sub_svalue): New forward decl.
	(class unmergeable_svalue): New forward decl.
	(class placeholder_svalue): New forward decl.
	(class widening_svalue): New forward decl.
	(class compound_svalue): New forward decl.
	(class conjured_svalue): New forward decl.
	(svalue_set): New typedef.
	(class map_region): Delete.
	(class array_region): Delete.
	(class frame_region): New forward decl.
	(class function_region): New forward decl.
	(class label_region): New forward decl.
	(class decl_region): New forward decl.
	(class element_region): New forward decl.
	(class offset_region): New forward decl.
	(class cast_region): New forward decl.
	(class field_region): New forward decl.
	(class string_region): New forward decl.
	(class region_model_manager): New forward decl.
	(class store_manager): New forward decl.
	(class store): New forward decl.
	(class call_details): New forward decl.
	(struct svalue_id_merger_mapping): Delete.
	(struct canonicalization): Delete.
	(class function_point): New forward decl.
	(class engine): New forward decl.
	(dump_tree): New function decl.
	(print_quoted_type): New function decl.
	(readability_comparator): New function decl.
	(tree_cmp): New function decl.
	(class path_var): Move here from region-model.h.
	(bit_offset_t, bit_size_t, byte_size_t): New typedefs.
	(class region_offset): New class.
	(get_stmt_location): New decl.
	(struct member_function_hash_traits): New struct.
	(class consolidation_map): New class.
	Ignore "-Wformat-diag".
	* analyzer.opt (-param=analyzer-max-svalue-depth=): New param.
	(-param=analyzer-max-enodes-for-full-dump=): New param.
	* call-string.cc: Ignore -Wformat-diag.
	* checker-path.cc: Move includes of "analyzer/call-string.h" and
	"analyzer/program-point.h" to before "analyzer/region-model.h",
	and also include "analyzer/store.h" before it.
	(state_change_event::state_change_event): Replace "tree var" param
	with "const svalue *sval". Convert "origin" param from tree to
	"const svalue *".
	(state_change_event::get_desc): Call get_representative_tree to
	convert the var and origin from const svalue * to tree. Use
	svalue::get_desc rather than %qE when describing state changes.
	(checker_path::add_final_event): Use get_stmt_location.
	* checker-path.h (state_change_event::state_change_event): Port
	from tree to const svalue *.
	(state_change_event::get_lvalue): Delete.
	(state_change_event::get_dest_function): New.
	(state_change_event::m_var): Replace with...
	(state_change_event::m_sval): ...this.
	(state_change_event::m_origin): Convert from tree to
	const svalue *.
	* constraint-manager.cc: Include "analyzer/call-string.h",
	"analyzer/program-point.h", and "analyzer/store.h" before
	"analyzer/region-model.h".
	(struct bound, struct range): Move to constraint-manager.h.
	(compare_constants): New function.
	(range::dump): Rename to...
	(range::dump_to_pp): ...this. Support NULL constants.
	(range::dump): Reintroduce for dumping to stderr.
	(range::constrained_to_single_element): Return result, rather than
	writing to *OUT.
	(range::eval_condition): New.
	(range::below_lower_bound): New.
	(range::above_upper_bound): New.
	(equiv_class::equiv_class): Port from svalue_id to const svalue *.
	(equiv_class::print): Likewise.
	(equiv_class::hash): Likewise.
	(equiv_class::operator==): Port from svalue_id to const svalue *.
	(equiv_class::add): Port from svalue_id to const svalue *. Drop
	"cm" param.
	(equiv_class::del): Port from svalue_id to const svalue *.
	(equiv_class::get_representative): Likewise.
	(equiv_class::remap_svalue_ids): Delete.
	(svalue_id_cmp_by_id): Rename to...
	(svalue_cmp_by_ptr): ...this, porting from svalue_id to
	const svalue *.
	(equiv_class::canonicalize): Update qsort comparator.
	(constraint::implied_by): New.
	(constraint_manager::constraint_manager): Copy m_mgr in copy ctor.
	(constraint_manager::dump_to_pp): Add "multiline" param.
	(constraint_manager::dump): Pass "true" for "multiline".
	(constraint_manager::add_constraint): Port from svalue_id to
	const svalue *. Split out second part into...
	(constraint_manager::add_unknown_constraint): ...this new
	function. Remove self-constraints when merging equivalence
	classes.
	(constraint_manager::add_constraint_internal): Remove constraints
	that would be implied by the new constraint. Port from svalue_id
	to const svalue *.
	(constraint_manager::get_equiv_class_by_sid): Rename to...
	(constraint_manager::get_equiv_class_by_svalue): ...this, porting
	from svalue_id to const svalue *.
	(constraint_manager::get_or_add_equiv_class): Port from svalue_id
	to const svalue *.
	(constraint_manager::eval_condition): Make const. Call
	compare_constants and return early if it provides a known result.
	(constraint_manager::get_ec_bounds): New.
	(constraint_manager::eval_condition): New overloads. Make
	existing one const, and use compare_constants.
	(constraint_manager::purge): Convert "p" param to a template
	rather than an abstract base class. Port from svalue_id to
	const svalue *.
	(class dead_svalue_purger): New class.
	(constraint_manager::remap_svalue_ids): Delete.
	(constraint_manager::on_liveness_change): New.
	(equiv_class_cmp): Port from svalue_id to const svalue *.
	(constraint_manager::canonicalize): Likewise. Combine with
	purging of redundant equivalence classes and constraints.
	(class cleaned_constraint_manager): Delete.
	(class merger_fact_visitor): Make "m_cm_b" const. Add "m_merger"
	field.
	(merger_fact_visitor::fact): Port from svalue_id to const svalue *.
	Add special case for widening.
	(constraint_manager::merge): Port from svalue_id to const svalue *.
	(constraint_manager::clean_merger_input): Delete.
	(constraint_manager::for_each_fact): Port from svalue_id to
	const svalue *.
	(constraint_manager::validate): Likewise.
	(selftest::test_constraint_conditions): Provide a
	region_model_manager when creating region_model instances.
	Add test for self-equality not creating equivalence classes.
	(selftest::test_transitivity): Provide a region_model_manager when
	creating region_model instances. Verify that EC-merging happens
6397 when constraints are implied.
6398 (selftest::test_constant_comparisons): Provide a
6399 region_model_manager when creating region_model instances.
6400 (selftest::test_constraint_impl): Likewise. Remove over-specified
6401 assertions.
6402 (selftest::test_equality): Provide a region_model_manager when
6403 creating region_model instances.
6404 (selftest::test_many_constants): Likewise. Provide a
6405 program_point when testing merging.
6406 (selftest::run_constraint_manager_tests): Move call to
6407 test_constant_comparisons to outside the transitivity guard.
6408 * constraint-manager.h (struct bound): Move here from
6409 constraint-manager.cc.
6410 (struct range): Likewise.
6411 (struct::eval_condition): New decl.
6412 (struct::below_lower_bound): New decl.
6413 (struct::above_upper_bound): New decl.
6414 (equiv_class::add): Port from svalue_id to const svalue *.
6415 (equiv_class::del): Likewise.
6416 (equiv_class::get_representative): Likewise.
6417 (equiv_class::remap_svalue_ids): Drop.
6418 (equiv_class::m_cst_sid): Convert to..
6419 (equiv_class::m_cst_sval): ...this.
6420 (equiv_class::m_vars): Port from svalue_id to const svalue *.
6421 (constraint::bool implied_by): New decl.
6422 (fact_visitor::on_fact): Port from svalue_id to const svalue *.
6423 (constraint_manager::constraint_manager): Add mgr param.
6424 (constraint_manager::clone): Delete.
6425 (constraint_manager::maybe_get_constant): Delete.
6426 (constraint_manager::get_sid_for_constant): Delete.
6427 (constraint_manager::get_num_svalues): Delete.
6428 (constraint_manager::dump_to_pp): Add "multiline" param.
6429 (constraint_manager::get_equiv_class): Port from svalue_id to
6430 const svalue *.
6431 (constraint_manager::add_constraint): Likewise.
6432 (constraint_manager::get_equiv_class_by_sid): Rename to...
6433 (constraint_manager::get_equiv_class_by_svalue): ...this, porting
6434 from svalue_id to const svalue *.
6435 (constraint_manager::add_unknown_constraint): New decl.
6436 (constraint_manager::get_or_add_equiv_class): Port from svalue_id
6437 to const svalue *.
6438 (constraint_manager::eval_condition): Likewise. Add overloads.
6439 (constraint_manager::get_ec_bounds): New decl.
6440 (constraint_manager::purge): Convert to template.
6441 (constraint_manager::remap_svalue_ids): Delete.
6442 (constraint_manager::on_liveness_change): New decl.
6443 (constraint_manager::canonicalize): Drop param.
6444 (constraint_manager::clean_merger_input): Delete.
6445 (constraint_manager::m_mgr): New field.
6446 * diagnostic-manager.cc: Move includes of
6447 "analyzer/call-string.h" and "analyzer/program-point.h" to before
6448 "analyzer/region-model.h", and also include "analyzer/store.h"
6449 before it.
6450 (saved_diagnostic::saved_diagnostic): Add "sval" param.
6451 (diagnostic_manager::diagnostic_manager): Add engine param.
6452 (diagnostic_manager::add_diagnostic): Add "sval" param, passing it
6453 to saved_diagnostic ctor. Update overload to pass NULL for it.
6454 (dedupe_winners::dedupe_winners): Add engine param.
6455 (dedupe_winners::add): Add "eg" param. Pass m_engine to
6456 feasible_p.
6457 (dedupe_winner::m_engine): New field.
6458 (diagnostic_manager::emit_saved_diagnostics): Pass engine to
6459 dedupe_winners. Pass &eg when adding candidates. Pass svalue
6460 rather than tree to prune_path. Use get_stmt_location to get
6461 primary location of diagnostic.
6462 (diagnostic_manager::emit_saved_diagnostic): Likewise.
6463 (get_any_origin): Drop.
6464 (state_change_event_creator::on_global_state_change): Pass NULL
6465 const svalue * rather than NULL_TREE trees to state_change_event
6466 ctor.
6467 (state_change_event_creator::on_state_change): Port from tree and
6468 svalue_id to const svalue *.
6469 (for_each_state_change): Port from svalue_id to const svalue *.
6470 (struct null_assignment_sm_context): New.
6471 (diagnostic_manager::add_events_for_eedge): Add state change
6472 events for assignment to NULL.
6473 (diagnostic_manager::prune_path): Update param from tree to
6474 const svalue *.
6475 (diagnostic_manager::prune_for_sm_diagnostic): Port from tracking
6476 by tree to by const svalue *.
6477 * diagnostic-manager.h (saved_diagnostic::saved_diagnostic): Add sval
6478 param.
6479 (saved_diagnostic::m_sval): New field.
6480 (diagnostic_manager::diagnostic_manager): Add engine param.
6481 (diagnostic_manager::get_engine): New.
6482 (diagnostic_manager::add_diagnostic): Add "sval" param.
6483 (diagnostic_manager::prune_path): Likewise.
6484 (diagnostic_manager::prune_for_sm_diagnostic): New overload.
6485 (diagnostic_manager::m_eng): New field.
6486 * engine.cc: Move includes of "analyzer/call-string.h" and
6487 "analyzer/program-point.h" to before "analyzer/region-model.h",
6488 and also include "analyzer/store.h" before it.
6489 (impl_region_model_context::impl_region_model_context): Update for
6490 removal of m_change field.
6491 (impl_region_model_context::remap_svalue_ids): Delete.
6492 (impl_region_model_context::on_svalue_leak): New.
6493 (impl_region_model_context::on_svalue_purge): Delete.
6494 (impl_region_model_context::on_liveness_change): New.
6495 (impl_region_model_context::on_unknown_change): Update param
6496 from svalue_id to const svalue *. Add is_mutable param.
6497 (setjmp_svalue::compare_fields): Delete.
6498 (setjmp_svalue::accept): New.
6499 (setjmp_svalue::add_to_hash): Delete.
6500 (setjmp_svalue::dump_to_pp): New.
6501 (setjmp_svalue::print_details): Delete.
6502 (impl_sm_context::impl_sm_context): Drop "change" param.
6503 (impl_sm_context::get_fndecl_for_call): Drop "m_change".
6504 (impl_sm_context::on_transition): Drop ATTRIBUTE_UNUSED from
6505 "stmt" param. Drop m_change. Port from svalue_id to
6506 const svalue *.
6507 (impl_sm_context::warn_for_state): Drop m_change. Port from
6508 svalue_id to const svalue *.
6509 (impl_sm_context::get_readable_tree): Rename to...
6510 (impl_sm_context::get_diagnostic_tree): ...this. Port from
6511 svalue_id to const svalue *.
6512 (impl_sm_context::is_zero_assignment): New.
6513 (impl_sm_context::m_change): Delete field.
6514 (leak_stmt_finder::find_stmt): Handle m_var being NULL.
6515 (readability): Increase penalty for MEM_REF. For SSA_NAMEs,
6516 slightly favor the underlying var over the SSA name. Heavily
6517 penalize temporaries. Handle RESULT_DECL.
6518 (readability_comparator): Make non-static. Consider stack depths.
6519 (impl_region_model_context::on_state_leak): Convert from svalue_id
6520 to const svalue *, updating for region_model changes. Use
6521 id_equal.
6522 (impl_region_model_context::on_inherited_svalue): Delete.
6523 (impl_region_model_context::on_cast): Delete.
6524 (impl_region_model_context::on_condition): Drop m_change.
6525 (impl_region_model_context::on_phi): Likewise.
6526 (impl_region_model_context::on_unexpected_tree_code): Handle t
6527 being NULL.
6528 (point_and_state::validate): Update stack checking for
6529 region_model changes.
6530 (eg_traits::dump_args_t::show_enode_details_p): New.
6531 (exploded_node::exploded_node): Initialize m_num_processed_stmts.
6532 (exploded_node::get_processed_stmt): New function.
6533 (exploded_node::get_dot_fillcolor): Add more colors.
6534 (exploded_node::dump_dot): Guard the printing of the point and
6535 state with show_enode_details_p. Print the processed stmts for
6536 this enode after the initial state.
6537 (exploded_node::dump_to_pp): Pass true for new multiline param
6538 of program_state::dump_to_pp.
6539 (exploded_node::on_stmt): Drop "change" param. Log the stmt.
6540 Set input_location. Implement __analyzer_describe. Update
6541 implementation of __analyzer_dump and __analyzer_eval.
6542 Remove purging of sm-state for unknown fncalls from here.
6543 (exploded_node::on_edge): Drop "change" param.
6544 (exploded_node::on_longjmp): Port from region_id/svalue_id to
6545 const region */const svalue *. Call program_state::detect_leaks.
6546 Drop state_change.
6547 (exploded_node::detect_leaks): Update for changes to region_model.
6548 Call program_state::detect_leaks.
6549 (exploded_edge::exploded_edge): Drop ext_state and change params.
6550 (exploded_edge::dump_dot): "args" is no longer used. Drop dumping
6551 of m_change.
6552 (exploded_graph::exploded_graph): Pass engine to
6553 m_diagnostic_manager ctor. Use program_point::origin.
6554 (exploded_graph::add_function_entry): Drop ctxt. Use
6555 program_state::push_frame. Drop state_change.
6556 (exploded_graph::get_or_create_node): Drop "change" param. Add
6557 "enode_for_diag" param. Update dumping calls for API changes.
6558 Pass point to can_merge_with_p. Show enode indices
6559 within -Wanalyzer-too-complex diagnostic for hitting the per-point
6560 limit.
6561 (exploded_graph::add_edge): Drop "change" param. Log which nodes
6562 are being connected. Update for changes to exploded_edge ctor.
6563 (exploded_graph::get_per_program_point_data): New.
6564 (exploded_graph::process_worklist): Pass point to
6565 can_merge_with_p. Drop state_change. Update dumping call for API
6566 change.
6567 (exploded_graph::process_node): Drop state_change. Split the
6568 node in-place if an sm-state-change occurs. Update
6569 m_num_processed_stmts. Update dumping calls for API change.
6570 (exploded_graph::log_stats): Call engine::log_stats.
6571 (exploded_graph::dump_states_for_supernode): Update dumping
6572 call.
6573 (exploded_path::feasible_p): Add "eng" and "eg" params.
6574 Rename "i" to "end_idx". Pass the manager to the region_model
6575 ctor. Update for every processed stmt in the enode, not just the
6576 first. Keep track of which snodes have been visited, and call
6577 loop_replay_fixup when revisiting one.
6578 (enode_label::get_text): Update dump call for new param.
6579 (exploded_graph::dump_exploded_nodes): Likewise.
6580 (exploded_graph::get_node_by_index): New.
6581 (impl_run_checkers): Create engine instance and pass its address
6582 to extrinsic_state ctor.
6583 * exploded-graph.h
6584 (impl_region_model_context::impl_region_model_context): Drop
6585 "change" params.
6586 (impl_region_model_context::void remap_svalue_ids): Delete.
6587 (impl_region_model_context::on_svalue_purge): Delete.
6588 (impl_region_model_context::on_svalue_leak): New.
6589 (impl_region_model_context::on_liveness_change): New.
6590 (impl_region_model_context::on_state_leak): Update signature.
6591 (impl_region_model_context::on_inherited_svalue): Delete.
6592 (impl_region_model_context::on_cast): Delete.
6593 (impl_region_model_context::on_unknown_change): Update signature.
6594 (impl_region_model_context::m_change): Delete.
6595 (eg_traits::dump_args_t::show_enode_details_p): New.
6596 (exploded_node::on_stmt): Drop "change" param.
6597 (exploded_node::on_edge): Likewise.
6598 (exploded_node::get_processed_stmt): New decl.
6599 (exploded_node::m_num_processed_stmts): New field.
6600 (exploded_edge::exploded_edge): Drop ext_state and change params.
6601 (exploded_edge::m_change): Delete.
6602 (exploded_graph::get_engine): New accessor.
6603 (exploded_graph::get_or_create_node): Drop "change" param. Add
6604 "enode_for_diag" param.
6605 (exploded_graph::add_edge): Drop "change" param.
6606 (exploded_graph::get_per_program_point_data): New decl.
6607 (exploded_graph::get_node_by_index): New decl.
6608 (exploded_path::feasible_p): Add "eng" and "eg" params.
6609 * program-point.cc: Include "analyzer/store.h" before including
6610 "analyzer/region-model.h".
6611 (function_point::function_point): Move here from
6612 program-point.h.
6613 (function_point::get_function): Likewise.
6614 (function_point::from_function_entry): Likewise.
6615 (function_point::before_supernode): Likewise.
6616 (function_point::next_stmt): New function.
6617 * program-point.h (function_point::function_point): Move
6618 implementation from here to program-point.cc.
6619 (function_point::get_function): Likewise.
6620 (function_point::from_function_entry): Likewise.
6621 (function_point::before_supernode): Likewise.
6622 (function_point::next_stmt): New decl.
6623 (program_point::operator!=): New.
6624 (program_point::origin): New.
6625 (program_point::next_stmt): New.
6626 (program_point::m_function_point): Make non-const.
6627 * program-state.cc: Move includes of "analyzer/call-string.h" and
6628 "analyzer/program-point.h" to before "analyzer/region-model.h",
6629 and also include "analyzer/store.h" before it.
6630 (extrinsic_state::get_model_manager): New.
6631 (sm_state_map::sm_state_map): Pass in sm and sm_idx to ctor,
6632 rather than pass the around.
6633 (sm_state_map::clone_with_remapping): Delete.
6634 (sm_state_map::print): Remove "sm" param in favor of "m_sm". Add
6635 "simple" and "multiline" params and support multiline vs single
6636 line dumping.
6637 (sm_state_map::dump): Remove "sm" param in favor of "m_sm". Add
6638 "simple" param.
6639 (sm_state_map::hash): Port from svalue_id to const svalue *.
6640 (sm_state_map::operator==): Likewise.
6641 (sm_state_map::get_state): Likewise. Call canonicalize_svalue on
6642 input. Handle inheritance of sm-state. Call get_default_state.
6643 (sm_state_map::get_origin): Port from svalue_id to const svalue *.
6644 (sm_state_map::set_state): Likewise. Pass in ext_state. Reject
6645 attempts to set state on UNKNOWN.
6646 (sm_state_map::impl_set_state): Port from svalue_id to
6647 const svalue *. Pass in ext_state. Call canonicalize_svalue on
6648 input.
6649 (sm_state_map::purge_for_unknown_fncall): Delete.
6650 (sm_state_map::on_svalue_leak): New.
6651 (sm_state_map::remap_svalue_ids): Delete.
6652 (sm_state_map::on_liveness_change): New.
6653 (sm_state_map::on_unknown_change): Reimplement.
6654 (sm_state_map::on_svalue_purge): Delete.
6655 (sm_state_map::on_inherited_svalue): Delete.
6656 (sm_state_map::on_cast): Delete.
6657 (sm_state_map::validate): Delete.
6658 (sm_state_map::canonicalize_svalue): New.
6659 (program_state::program_state): Update to pass manager to
6660 region_model's ctor. Constify num_states and pass state machine
6661 and index to sm_state_map ctor.
6662 (program_state::print): Update for changes to dump API.
6663 (program_state::dump_to_pp): Ignore the summarize param. Add
6664 "multiline" param.
6665 (program_state::dump_to_file): Add "multiline" param.
6666 (program_state::dump): Pass "true" for new "multiline" param.
6667 (program_state::push_frame): New.
6668 (program_state::on_edge): Drop "change" param. Call
6669 program_state::detect_leaks.
6670 (program_state::prune_for_point): Add enode_for_diag param.
6671 Reimplement based on store class. Call detect_leaks
6672 (program_state::remap_svalue_ids): Delete.
6673 (program_state::get_representative_tree): Port from svalue_id to
6674 const svalue *.
6675 (program_state::can_merge_with_p): Add "point" param. Add early
6676 reject for sm-differences. Drop id remapping.
6677 (program_state::validate): Drop region model and sm_state_map
6678 validation.
6679 (state_change::sm_change::dump): Delete.
6680 (state_change::sm_change::remap_svalue_ids): Delete.
6681 (state_change::sm_change::on_svalue_purge): Delete.
6682 (log_set_of_svalues): New.
6683 (state_change::sm_change::validate): Delete.
6684 (state_change::state_change): Delete.
6685 (state_change::add_sm_change): Delete.
6686 (state_change::affects_p): Delete.
6687 (state_change::dump): Delete.
6688 (state_change::remap_svalue_ids): Delete.
6689 (state_change::on_svalue_purge): Delete.
6690 (state_change::validate): Delete.
6691 (selftest::assert_dump_eq): Delete.
6692 (ASSERT_DUMP_EQ): Delete.
6693 (selftest::test_sm_state_map): Update for changes to region_model
6694 and sm_state_map, porting from svalue_id to const svalue *.
6695 (selftest::test_program_state_dumping): Likewise. Drop test of
6696 dumping, renaming to...
6697 (selftest::test_program_state_1): ...this.
6698 (selftest::test_program_state_dumping_2): Likewise, renaming to...
6699 (selftest::test_program_state_2): ...this.
6700 (selftest::test_program_state_merging): Update for changes to
6701 region_model.
6702 (selftest::test_program_state_merging_2): Likewise.
6703 (selftest::analyzer_program_state_cc_tests): Update for renamed
6704 tests.
6705 * program-state.h (extrinsic_state::extrinsic_state): Add logger
6706 and engine params.
6707 (extrinsic_state::get_logger): New accessor.
6708 (extrinsic_state::get_engine): New accessor.
6709 (extrinsic_state::get_model_manager): New accessor.
6710 (extrinsic_state::m_logger): New field.
6711 (extrinsic_state::m_engine): New field.
6712 (struct default_hash_traits<svalue_id>): Delete.
6713 (pod_hash_traits<svalue_id>::hash): Delete.
6714 (pod_hash_traits<svalue_id>::equal): Delete.
6715 (pod_hash_traits<svalue_id>::mark_deleted): Delete.
6716 (pod_hash_traits<svalue_id>::mark_empty): Delete.
6717 (pod_hash_traits<svalue_id>::is_deleted): Delete.
6718 (pod_hash_traits<svalue_id>::is_empty): Delete.
6719 (sm_state_map::entry_t::entry_t): Port from svalue_id to
6720 const svalue *.
6721 (sm_state_map::entry_t::m_origin): Likewise.
6722 (sm_state_map::map_t): Likewise.
6723 (sm_state_map::sm_state_map): Add state_machine and index params.
6724 (sm_state_map::clone_with_remapping): Delete.
6725 (sm_state_map::print): Drop sm param; add simple and multiline
6726 params.
6727 (sm_state_map::dump): Drop sm param; add simple param.
6728 (sm_state_map::get_state): Port from svalue_id to const svalue *.
6729 Add ext_state param.
6730 (sm_state_map::get_origin): Likewise.
6731 (sm_state_map::set_state): Likewise.
6732 (sm_state_map::impl_set_state): Likewise.
6733 (sm_state_map::purge_for_unknown_fncall): Delete.
6734 (sm_state_map::remap_svalue_ids): Delete.
6735 (sm_state_map::on_svalue_purge): Delete.
6736 (sm_state_map::on_svalue_leak): New.
6737 (sm_state_map::on_liveness_change): New.
6738 (sm_state_map::on_inherited_svalue): Delete.
6739 (sm_state_map::on_cast): Delete.
6740 (sm_state_map::validate): Delete.
6741 (sm_state_map::on_unknown_change): Port from svalue_id to
6742 const svalue *. Add is_mutable and ext_state params.
6743 (sm_state_map::canonicalize_svalue): New.
6744 (sm_state_map::m_sm): New field.
6745 (sm_state_map::m_sm_idx): New field.
6746 (program_state::operator=): Delete.
6747 (program_state::dump_to_pp): Drop "summarize" param, adding
6748 "simple" and "multiline".
6749 (program_state::dump_to_file): Likewise.
6750 (program_state::dump): Rename "summarize" to "simple".
6751 (program_state::push_frame): New.
6752 (program_state::get_current_function): New.
6753 (program_state::on_edge): Drop "change" param.
6754 (program_state::prune_for_point): Likewise. Add enode_for_diag
6755 param.
6756 (program_state::remap_svalue_ids): Delete.
6757 (program_state::get_representative_tree): Port from svalue_id to
6758 const svalue *.
6759 (program_state::can_purge_p): Likewise. Pass ext_state to get_state.
6760 (program_state::can_merge_with_p): Add point param.
6761 (program_state::detect_leaks): New.
6762 (state_change_visitor::on_state_change): Port from tree and
6763 svalue_id to a pair of const svalue *.
6764 (class state_change): Delete.
6765 * region.cc: New file.
6766 * region-model-impl-calls.cc: New file.
6767 * region-model-manager.cc: New file.
6768 * region-model-reachability.cc: New file.
6769 * region-model-reachability.h: New file.
6770 * region-model.cc: Include "analyzer/call-string.h",
6771 "analyzer/program-point.h", and "analyzer/store.h" before
6772 "analyzer/region-model.h". Include
6773 "analyzer/region-model-reachability.h".
6774 (dump_tree): Make non-static.
6775 (dump_quoted_tree): Make non-static.
6776 (print_quoted_type): Make non-static.
6777 (path_var::dump): Delete.
6778 (dump_separator): Delete.
6779 (class impl_constraint_manager): Delete.
6780 (svalue_id::print): Delete.
6781 (svalue_id::dump_node_name_to_pp): Delete.
6782 (svalue_id::validate): Delete.
6783 (region_id::print): Delete.
6784 (region_id::dump_node_name_to_pp): Delete.
6785 (region_id::validate): Delete.
6786 (region_id_set::region_id_set): Delete.
6787 (svalue_id_set::svalue_id_set): Delete.
6788 (svalue::operator==): Delete.
6789 (svalue::hash): Delete.
6790 (svalue::print): Delete.
6791 (svalue::dump_dot_to_pp): Delete.
6792 (svalue::remap_region_ids): Delete.
6793 (svalue::walk_for_canonicalization): Delete.
6794 (svalue::get_child_sid): Delete.
6795 (svalue::maybe_get_constant): Delete.
6796 (region_svalue::compare_fields): Delete.
6797 (region_svalue::add_to_hash): Delete.
6798 (region_svalue::print_details): Delete.
6799 (region_svalue::dump_dot_to_pp): Delete.
6800 (region_svalue::remap_region_ids): Delete.
6801 (region_svalue::merge_values): Delete.
6802 (region_svalue::walk_for_canonicalization): Delete.
6803 (region_svalue::eval_condition): Delete.
6804 (constant_svalue::compare_fields): Delete.
6805 (constant_svalue::add_to_hash): Delete.
6806 (constant_svalue::merge_values): Delete.
6807 (constant_svalue::eval_condition): Move to svalue.cc.
6808 (constant_svalue::print_details): Delete.
6809 (constant_svalue::get_child_sid): Delete.
6810 (unknown_svalue::compare_fields): Delete.
6811 (unknown_svalue::add_to_hash): Delete.
6812 (unknown_svalue::print_details): Delete.
6813 (poison_kind_to_str): Move to svalue.cc.
6814 (poisoned_svalue::compare_fields): Delete.
6815 (poisoned_svalue::add_to_hash): Delete.
6816 (poisoned_svalue::print_details): Delete.
6817 (region_kind_to_str): Move to region.cc and reimplement.
6818 (region::operator==): Delete.
6819 (region::get_parent_region): Delete.
6820 (region::set_value): Delete.
6821 (region::become_active_view): Delete.
6822 (region::deactivate_any_active_view): Delete.
6823 (region::deactivate_view): Delete.
6824 (region::get_value): Delete.
6825 (region::get_inherited_child_sid): Delete.
6826 (region_model::copy_region): Delete.
6827 (region_model::copy_struct_region): Delete.
6828 (region_model::copy_union_region): Delete.
6829 (region_model::copy_array_region): Delete.
6830 (region::hash): Delete.
6831 (region::print): Delete.
6832 (region::dump_dot_to_pp): Delete.
6833 (region::dump_to_pp): Delete.
6834 (region::dump_child_label): Delete.
6835 (region::validate): Delete.
6836 (region::remap_svalue_ids): Delete.
6837 (region::remap_region_ids): Delete.
6838 (region::add_view): Delete.
6839 (region::get_view): Delete.
6840 (region::region): Move to region.cc.
6841 (region::add_to_hash): Delete.
6842 (region::print_fields): Delete.
6843 (region::non_null_p): Delete.
6844 (primitive_region::clone): Delete.
6845 (primitive_region::walk_for_canonicalization): Delete.
6846 (map_region::map_region): Delete.
6847 (map_region::compare_fields): Delete.
6848 (map_region::print_fields): Delete.
6849 (map_region::validate): Delete.
6850 (map_region::dump_dot_to_pp): Delete.
6851 (map_region::dump_child_label): Delete.
6852 (map_region::get_or_create): Delete.
6853 (map_region::get): Delete.
6854 (map_region::add_to_hash): Delete.
6855 (map_region::remap_region_ids): Delete.
6856 (map_region::unbind): Delete.
6857 (map_region::get_tree_for_child_region): Delete.
6858 (map_region::get_tree_for_child_region): Delete.
6859 (tree_cmp): Move to region.cc.
6860 (map_region::can_merge_p): Delete.
6861 (map_region::walk_for_canonicalization): Delete.
6862 (map_region::get_value_by_name): Delete.
6863 (struct_or_union_region::valid_key_p): Delete.
6864 (struct_or_union_region::compare_fields): Delete.
6865 (struct_region::clone): Delete.
6866 (struct_region::compare_fields): Delete.
6867 (union_region::clone): Delete.
6868 (union_region::compare_fields): Delete.
6869 (frame_region::compare_fields): Delete.
6870 (frame_region::clone): Delete.
6871 (frame_region::valid_key_p): Delete.
6872 (frame_region::print_fields): Delete.
6873 (frame_region::add_to_hash): Delete.
6874 (globals_region::compare_fields): Delete.
6875 (globals_region::clone): Delete.
6876 (globals_region::valid_key_p): Delete.
6877 (code_region::compare_fields): Delete.
6878 (code_region::clone): Delete.
6879 (code_region::valid_key_p): Delete.
6880 (array_region::array_region): Delete.
6881 (array_region::get_element): Delete.
6882 (array_region::clone): Delete.
6883 (array_region::compare_fields): Delete.
6884 (array_region::print_fields): Delete.
6885 (array_region::validate): Delete.
6886 (array_region::dump_dot_to_pp): Delete.
6887 (array_region::dump_child_label): Delete.
6888 (array_region::get_or_create): Delete.
6889 (array_region::get): Delete.
6890 (array_region::add_to_hash): Delete.
6891 (array_region::remap_region_ids): Delete.
6892 (array_region::get_key_for_child_region): Delete.
6893 (array_region::key_cmp): Delete.
6894 (array_region::walk_for_canonicalization): Delete.
6895 (array_region::key_from_constant): Delete.
6896 (array_region::constant_from_key): Delete.
6897 (function_region::compare_fields): Delete.
6898 (function_region::clone): Delete.
6899 (function_region::valid_key_p): Delete.
6900 (stack_region::stack_region): Delete.
6901 (stack_region::compare_fields): Delete.
6902 (stack_region::clone): Delete.
6903 (stack_region::print_fields): Delete.
6904 (stack_region::dump_child_label): Delete.
6905 (stack_region::validate): Delete.
6906 (stack_region::push_frame): Delete.
6907 (stack_region::get_current_frame_id): Delete.
6908 (stack_region::pop_frame): Delete.
6909 (stack_region::add_to_hash): Delete.
6910 (stack_region::remap_region_ids): Delete.
6911 (stack_region::can_merge_p): Delete.
6912 (stack_region::walk_for_canonicalization): Delete.
6913 (stack_region::get_value_by_name): Delete.
6914 (heap_region::heap_region): Delete.
6915 (heap_region::compare_fields): Delete.
6916 (heap_region::clone): Delete.
6917 (heap_region::walk_for_canonicalization): Delete.
6918 (root_region::root_region): Delete.
6919 (root_region::compare_fields): Delete.
6920 (root_region::clone): Delete.
6921 (root_region::print_fields): Delete.
6922 (root_region::validate): Delete.
6923 (root_region::dump_child_label): Delete.
6924 (root_region::push_frame): Delete.
6925 (root_region::get_current_frame_id): Delete.
6926 (root_region::pop_frame): Delete.
6927 (root_region::ensure_stack_region): Delete.
6928 (root_region::get_stack_region): Delete.
6929 (root_region::ensure_globals_region): Delete.
6930 (root_region::get_code_region): Delete.
6931 (root_region::ensure_code_region): Delete.
6932 (root_region::get_globals_region): Delete.
6933 (root_region::ensure_heap_region): Delete.
6934 (root_region::get_heap_region): Delete.
6935 (root_region::remap_region_ids): Delete.
6936 (root_region::can_merge_p): Delete.
6937 (root_region::add_to_hash): Delete.
6938 (root_region::walk_for_canonicalization): Delete.
6939 (root_region::get_value_by_name): Delete.
6940 (symbolic_region::symbolic_region): Delete.
6941 (symbolic_region::compare_fields): Delete.
6942 (symbolic_region::clone): Delete.
6943 (symbolic_region::walk_for_canonicalization): Delete.
6944 (symbolic_region::print_fields): Delete.
6945 (region_model::region_model): Add region_model_manager * param.
6946 Reimplement in terms of store, dropping impl_constraint_manager
6947 subclass.
6948 (region_model::operator=): Reimplement in terms of store
6949 (region_model::operator==): Likewise.
6950 (region_model::hash): Likewise.
6951 (region_model::print): Delete.
6952 (region_model::print_svalue): Delete.
6953 (region_model::dump_dot_to_pp): Delete.
6954 (region_model::dump_dot_to_file): Delete.
6955 (region_model::dump_dot): Delete.
6956 (region_model::dump_to_pp): Replace "summarize" param with
6957 "simple" and "multiline". Port to store-based implementation.
6958 (region_model::dump): Replace "summarize" param with "simple" and
6959 "multiline".
6960 (dump_vec_of_tree): Delete.
6961 (region_model::dump_summary_of_rep_path_vars): Delete.
6962 (region_model::validate): Delete.
6963 (svalue_id_cmp_by_constant_svalue_model): Delete.
6964 (svalue_id_cmp_by_constant_svalue): Delete.
6965 (region_model::canonicalize): Drop "ctxt" param. Reimplement in
6966 terms of store and constraints.
6967 (region_model::canonicalized_p): Remove NULL arg to canonicalize.
	(region_model::loop_replay_fixup): New.
	(poisoned_value_diagnostic::emit): Tweak wording of warnings.
	(region_model::check_for_poison): Delete.
	(region_model::get_gassign_result): New.
	(region_model::on_assignment): Port to store-based implementation.
	(region_model::on_call_pre): Delete calls to check_for_poison.
	Move implementations to region-model-impl-calls.c and port to
	store-based implementation.
	(region_model::on_call_post): Likewise.
	(class reachable_regions): Move to region-model-reachability.h/cc
	and port to store-based implementation.
	(region_model::handle_unrecognized_call): Port to store-based
	implementation.
	(region_model::get_reachable_svalues): New.
	(region_model::on_setjmp): Port to store-based implementation.
	(region_model::on_longjmp): Likewise.
	(region_model::handle_phi): Drop is_back_edge param and the logic
	using it.
	(region_model::get_lvalue_1): Port from region_id to const region *.
	(region_model::make_region_for_unexpected_tree_code): Delete.
	(assert_compat_types): If the check fails, use internal_error to
	show the types.
	(region_model::get_lvalue): Port from region_id to const region *.
	(region_model::get_rvalue_1): Port from svalue_id to const svalue *.
	(region_model::get_rvalue): Likewise.
	(region_model::get_or_create_ptr_svalue): Delete.
	(region_model::get_or_create_constant_svalue): Delete.
	(region_model::get_svalue_for_fndecl): Delete.
	(region_model::get_region_for_fndecl): Delete.
	(region_model::get_svalue_for_label): Delete.
	(region_model::get_region_for_label): Delete.
	(build_cast): Delete.
	(region_model::maybe_cast_1): Delete.
	(region_model::maybe_cast): Delete.
	(region_model::get_field_region): Delete.
	(region_model::get_store_value): New.
	(region_model::region_exists_p): New.
	(region_model::deref_rvalue): Port from svalue_id to const svalue *.
	(region_model::set_value): Likewise.
	(region_model::clobber_region): New.
	(region_model::purge_region): New.
	(region_model::zero_fill_region): New.
	(region_model::mark_region_as_unknown): New.
	(region_model::eval_condition): Port from svalue_id to
	const svalue *.
	(region_model::eval_condition_without_cm): Likewise.
	(region_model::compare_initial_and_pointer): New.
	(region_model::add_constraint): Port from svalue_id to
	const svalue *.
	(region_model::maybe_get_constant): Delete.
	(region_model::get_representative_path_var): New.
	(region_model::add_new_malloc_region): Delete.
	(region_model::get_representative_tree): Port to const svalue *.
	(region_model::get_representative_path_var): Port to
	const region *.
	(region_model::get_path_vars_for_svalue): Delete.
	(region_model::set_to_new_unknown_value): Delete.
	(region_model::update_for_phis): Don't pass is_back_edge to handle_phi.
	(region_model::update_for_call_superedge): Port from svalue_id to
	const svalue *.
	(region_model::update_for_return_superedge): Port to store-based
	implementation.
	(region_model::update_for_call_summary): Replace
	set_to_new_unknown_value with mark_region_as_unknown.
	(region_model::get_root_region): Delete.
	(region_model::get_stack_region_id): Delete.
	(region_model::push_frame): Delete.
	(region_model::get_current_frame_id): Delete.
	(region_model::get_current_function): Delete.
	(region_model::pop_frame): Delete.
	(region_model::on_top_level_param): New.
	(region_model::get_stack_depth): Delete.
	(region_model::get_function_at_depth): Delete.
	(region_model::get_globals_region_id): Delete.
	(region_model::add_svalue): Delete.
	(region_model::replace_svalue): Delete.
	(region_model::add_region): Delete.
	(region_model::get_svalue): Delete.
	(region_model::get_region): Delete.
	(make_region_for_type): Delete.
	(region_model::add_region_for_type): Delete.
	(region_model::on_top_level_param): New.
	(class restrict_to_used_svalues): Delete.
	(region_model::purge_unused_svalues): Delete.
	(region_model::push_frame): New.
	(region_model::remap_svalue_ids): Delete.
	(region_model::remap_region_ids): Delete.
	(region_model::purge_regions): Delete.
	(region_model::get_descendents): Delete.
	(region_model::delete_region_and_descendents): Delete.
	(region_model::poison_any_pointers_to_bad_regions): Delete.
	(region_model::can_merge_with_p): Delete.
	(region_model::get_current_function): New.
	(region_model::get_value_by_name): Delete.
	(region_model::convert_byte_offset_to_array_index): Delete.
	(region_model::pop_frame): New.
	(region_model::get_or_create_mem_ref): Delete.
	(region_model::get_stack_depth): New.
	(region_model::get_frame_at_index): New.
	(region_model::unbind_region_and_descendents): New.
	(struct bad_pointer_finder): New.
	(region_model::get_or_create_pointer_plus_expr): Delete.
	(region_model::poison_any_pointers_to_descendents): New.
	(region_model::get_or_create_view): Delete.
	(region_model::can_merge_with_p): New.
	(region_model::get_fndecl_for_call): Port from svalue_id to
	const svalue *.
	(struct append_ssa_names_cb_data): New.
	(get_ssa_name_regions_for_current_frame): New.
	(region_model::append_ssa_names_cb): New.
	(model_merger::dump_to_pp): Add "simple" param. Drop dumping of
	remappings.
	(model_merger::dump): Add "simple" param to both overloads.
	(model_merger::can_merge_values_p): Delete.
	(model_merger::record_regions): Delete.
	(model_merger::record_svalues): Delete.
	(svalue_id_merger_mapping::svalue_id_merger_mapping): Delete.
	(svalue_id_merger_mapping::dump_to_pp): Delete.
	(svalue_id_merger_mapping::dump): Delete.
	(region_model::create_region_for_heap_alloc): New.
	(region_model::create_region_for_alloca): New.
	(region_model::record_dynamic_extents): New.
	(canonicalization::canonicalization): Delete.
	(canonicalization::walk_rid): Delete.
	(canonicalization::walk_sid): Delete.
	(canonicalization::dump_to_pp): Delete.
	(canonicalization::dump): Delete.
	(inchash::add): Delete overloads for svalue_id and region_id.
	(engine::log_stats): New.
	(assert_condition): Add overload comparing svalues.
	(assert_dump_eq): Pass "true" for multiline.
	(selftest::test_dump): Update for rewrite of region_model.
	(selftest::test_dump_2): Rename to...
	(selftest::test_struct): ...this. Provide a region_model_manager
	when creating region_model instance. Remove dump test. Add
	checks for get_offset.
	(selftest::test_dump_3): Rename to...
	(selftest::test_array_1): ...this. Provide a region_model_manager
	when creating region_model instance. Remove dump test.
	(selftest::test_get_representative_tree): Port from svalue_id to
	new API. Add test coverage for various expressions.
	(selftest::test_unique_constants): Provide a region_model_manager
	for the region_model. Add test coverage for comparing const vs
	non-const.
	(selftest::test_svalue_equality): Delete.
	(selftest::test_region_equality): Delete.
	(selftest::test_unique_unknowns): New.
	(class purge_all_svalue_ids): Delete.
	(class purge_one_svalue_id): Delete.
	(selftest::test_purging_by_criteria): Delete.
	(selftest::test_initial_svalue_folding): New.
	(selftest::test_unaryop_svalue_folding): New.
	(selftest::test_binop_svalue_folding): New.
	(selftest::test_sub_svalue_folding): New.
	(selftest::test_purge_unused_svalues): Delete.
	(selftest::test_descendent_of_p): New.
	(selftest::test_assignment): Provide a region_model_manager for
	the region_model. Drop the dump test.
	(selftest::test_compound_assignment): Likewise.
	(selftest::test_stack_frames): Port to new implementation.
	(selftest::test_get_representative_path_var): Likewise.
	(selftest::test_canonicalization_1): Rename to...
	(selftest::test_equality_1): ...this. Port to new API, and add
	(selftest::test_canonicalization_2): Provide a
	region_model_manager when creating region_model instances.
	Remove redundant canonicalization.
	(selftest::test_canonicalization_3): Provide a
	region_model_manager when creating region_model instances.
	Remove param from calls to region_model::canonicalize.
	(selftest::test_canonicalization_4): Likewise.
	(selftest::assert_region_models_merge): Constify
	out_merged_svalue. Port to new API.
	(selftest::test_state_merging): Provide a
	region_model_manager when creating region_model instances.
	Provide a program_point point when merging them. Replace
	set_to_new_unknown_value with usage of placeholder_svalues.
	Drop get_value_by_name. Port from svalue_id to const svalue *.
	Add test of heap allocation.
	(selftest::test_constraint_merging): Provide a
	region_model_manager when creating region_model instances.
	Provide a program_point point when merging them. Eliminate use
	of set_to_new_unknown_value.
	(selftest::test_widening_constraints): New.
	(selftest::test_iteration_1): New.
	(selftest::test_malloc_constraints): Port to store-based
	implementation.
	(selftest::test_var): New test.
	(selftest::test_array_2): New test.
	(selftest::test_mem_ref): New test.
	(selftest::test_POINTER_PLUS_EXPR_then_MEM_REF): New.
	(selftest::test_malloc): New.
	(selftest::test_alloca): New.
	(selftest::analyzer_region_model_cc_tests): Update for renamings.
	Call new functions.
	* region-model.h (class path_var): Move to analyzer.h.
	(class svalue_id): Delete.
	(class region_id): Delete.
	(class id_map): Delete.
	(svalue_id_map): Delete.
	(region_id_map): Delete.
	(id_map<T>::id_map): Delete.
	(id_map<T>::put): Delete.
	(id_map<T>::get_dst_for_src): Delete.
	(id_map<T>::get_src_for_dst): Delete.
	(id_map<T>::dump_to_pp): Delete.
	(id_map<T>::dump): Delete.
	(id_map<T>::update): Delete.
	(one_way_svalue_id_map): Delete.
	(one_way_region_id_map): Delete.
	(class region_id_set): Delete.
	(class svalue_id_set): Delete.
	(struct complexity): New.
	(class visitor): New.
	(enum svalue_kind): Add SK_SETJMP, SK_INITIAL, SK_UNARYOP,
	SK_BINOP, SK_SUB, SK_UNMERGEABLE, SK_PLACEHOLDER, SK_WIDENING,
	SK_COMPOUND, and SK_CONJURED.
	(svalue::operator==): Delete.
	(svalue::operator!=): Delete.
	(svalue::clone): Delete.
	(svalue::hash): Delete.
	(svalue::dump_dot_to_pp): Delete.
	(svalue::dump_to_pp): New.
	(svalue::dump): New.
	(svalue::get_desc): New.
	(svalue::dyn_cast_initial_svalue): New.
	(svalue::dyn_cast_unaryop_svalue): New.
	(svalue::dyn_cast_binop_svalue): New.
	(svalue::dyn_cast_sub_svalue): New.
	(svalue::dyn_cast_unmergeable_svalue): New.
	(svalue::dyn_cast_widening_svalue): New.
	(svalue::dyn_cast_compound_svalue): New.
	(svalue::dyn_cast_conjured_svalue): New.
	(svalue::maybe_undo_cast): New.
	(svalue::unwrap_any_unmergeable): New.
	(svalue::remap_region_ids): Delete.
	(svalue::can_merge_p): New.
	(svalue::walk_for_canonicalization): Delete.
	(svalue::get_complexity): New.
	(svalue::get_child_sid): Delete.
	(svalue::accept): New.
	(svalue::live_p): New.
	(svalue::implicitly_live_p): New.
	(svalue::svalue): Add complexity param.
	(svalue::add_to_hash): Delete.
	(svalue::print_details): Delete.
	(svalue::m_complexity): New field.
	(region_svalue::key_t): New struct.
	(region_svalue::region_svalue): Port from region_id to
	const region_id *. Add complexity.
	(region_svalue::compare_fields): Delete.
	(region_svalue::clone): Delete.
	(region_svalue::dump_dot_to_pp): Delete.
	(region_svalue::get_pointee): Port from region_id to
	const region_id *.
	(region_svalue::remap_region_ids): Delete.
	(region_svalue::merge_values): Delete.
	(region_svalue::dump_to_pp): New.
	(region_svalue::accept): New.
	(region_svalue::walk_for_canonicalization): Delete.
	(region_svalue::eval_condition): Make params const.
	(region_svalue::add_to_hash): Delete.
	(region_svalue::print_details): Delete.
	(region_svalue::m_rid): Replace with...
	(region_svalue::m_reg): ...this.
	(is_a_helper <region_svalue *>::test): Convert to...
	(is_a_helper <const region_svalue *>::test): ...this.
	(template <> struct default_hash_traits<region_svalue::key_t>):
	New.
	(constant_svalue::constant_svalue): Add complexity.
	(constant_svalue::compare_fields): Delete.
	(constant_svalue::clone): Delete.
	(constant_svalue::add_to_hash): Delete.
	(constant_svalue::dump_to_pp): New.
	(constant_svalue::accept): New.
	(constant_svalue::implicitly_live_p): New.
	(constant_svalue::merge_values): Delete.
	(constant_svalue::eval_condition): Make params const.
	(constant_svalue::get_child_sid): Delete.
	(constant_svalue::print_details): Delete.
	(is_a_helper <constant_svalue *>::test): Convert to...
	(is_a_helper <const constant_svalue *>::test): ...this.
	(class unknown_svalue): Update leading comment.
	(unknown_svalue::unknown_svalue): Add complexity.
	(unknown_svalue::compare_fields): Delete.
	(unknown_svalue::add_to_hash): Delete.
	(unknown_svalue::dyn_cast_unknown_svalue): Delete.
	(unknown_svalue::print_details): Delete.
	(unknown_svalue::dump_to_pp): New.
	(unknown_svalue::accept): New.
	(poisoned_svalue::key_t): New struct.
	(poisoned_svalue::poisoned_svalue): Add complexity.
	(poisoned_svalue::compare_fields): Delete.
	(poisoned_svalue::clone): Delete.
	(poisoned_svalue::add_to_hash): Delete.
	(poisoned_svalue::dump_to_pp): New.
	(poisoned_svalue::accept): New.
	(poisoned_svalue::print_details): Delete.
	(is_a_helper <poisoned_svalue *>::test): Convert to...
	(is_a_helper <const poisoned_svalue *>::test): ...this.
	(template <> struct default_hash_traits<poisoned_svalue::key_t>):
	New.
	(setjmp_record::add_to_hash): New.
	(setjmp_svalue::key_t): New struct.
	(setjmp_svalue::compare_fields): Delete.
	(setjmp_svalue::clone): Delete.
	(setjmp_svalue::add_to_hash): Delete.
	(setjmp_svalue::setjmp_svalue): Add complexity.
	(setjmp_svalue::dump_to_pp): New.
	(setjmp_svalue::accept): New.
	(setjmp_svalue::void print_details): Delete.
	(is_a_helper <const setjmp_svalue *>::test): New.
	(template <> struct default_hash_traits<setjmp_svalue::key_t>): New.
	(class initial_svalue : public svalue): New.
	(is_a_helper <const initial_svalue *>::test): New.
	(class unaryop_svalue): New.
	(is_a_helper <const unaryop_svalue *>::test): New.
	(template <> struct default_hash_traits<unaryop_svalue::key_t>): New.
	(class binop_svalue): New.
	(is_a_helper <const binop_svalue *>::test): New.
	(template <> struct default_hash_traits<binop_svalue::key_t>): New.
	(class sub_svalue): New.
	(is_a_helper <const sub_svalue *>::test): New.
	(template <> struct default_hash_traits<sub_svalue::key_t>): New.
	(class unmergeable_svalue): New.
	(is_a_helper <const unmergeable_svalue *>::test): New.
	(class placeholder_svalue): New.
	(is_a_helper <placeholder_svalue *>::test): New.
	(class widening_svalue): New.
	(is_a_helper <widening_svalue *>::test): New.
	(template <> struct default_hash_traits<widening_svalue::key_t>): New.
	(class compound_svalue): New.
	(is_a_helper <compound_svalue *>::test): New.
	(template <> struct default_hash_traits<compound_svalue::key_t>): New.
	(class conjured_svalue): New.
	(is_a_helper <conjured_svalue *>::test): New.
	(template <> struct default_hash_traits<conjured_svalue::key_t>): New.
	(enum region_kind): Delete RK_PRIMITIVE, RK_STRUCT, RK_UNION, and
	RK_ARRAY. Add RK_LABEL, RK_DECL, RK_FIELD, RK_ELEMENT, RK_OFFSET,
	RK_CAST, RK_HEAP_ALLOCATED, RK_ALLOCA, RK_STRING, and RK_UNKNOWN.
	(region_kind_to_str): Delete.
	(region::~region): Move implementation to region.cc.
	(region::operator==): Delete.
	(region::operator!=): Delete.
	(region::clone): Delete.
	(region::get_id): New.
	(region::cmp_ids): New.
	(region::dyn_cast_map_region): Delete.
	(region::dyn_cast_array_region): Delete.
	(region::region_id get_parent): Delete.
	(region::get_parent_region): Convert to a simple accessor.
	(region::void set_value): Delete.
	(region::svalue_id get_value): Delete.
	(region::svalue_id get_value_direct): Delete.
	(region::svalue_id get_inherited_child_sid): Delete.
	(region::dyn_cast_frame_region): New.
	(region::dyn_cast_function_region): New.
	(region::dyn_cast_decl_region): New.
	(region::dyn_cast_field_region): New.
	(region::dyn_cast_element_region): New.
	(region::dyn_cast_offset_region): New.
	(region::dyn_cast_cast_region): New.
	(region::dyn_cast_string_region): New.
	(region::accept): New.
	(region::get_base_region): New.
	(region::base_region_p): New.
	(region::descendent_of_p): New.
	(region::maybe_get_frame_region): New.
	(region::maybe_get_decl): New.
	(region::hash): Delete.
	(region::rint): Delete.
	(region::dump_dot_to_pp): Delete.
	(region::get_desc): New.
	(region::dump_to_pp): Convert to vfunc, changing signature.
	(region::dump_child_label): Delete.
	(region::remap_svalue_ids): Delete.
	(region::remap_region_ids): Delete.
	(region::dump): New.
	(region::walk_for_canonicalization): Delete.
	(region::non_null_p): Drop region_model param.
	(region::add_view): Delete.
	(region::get_view): Delete.
	(region::get_active_view): Delete.
	(region::is_view_p): Delete.
	(region::cmp_ptrs): New.
	(region::validate): Delete.
	(region::get_offset): New.
	(region::get_byte_size): New.
	(region::get_bit_size): New.
	(region::get_subregions_for_binding): New.
	(region::region): Add complexity param. Convert parent from
	region_id to const region *. Drop svalue_id. Drop copy ctor.
	(region::symbolic_for_unknown_ptr_p): New.
	(region::add_to_hash): Delete.
	(region::print_fields): Delete.
	(region::get_complexity): New accessor.
	(region::become_active_view): Delete.
	(region::deactivate_any_active_view): Delete.
	(region::deactivate_view): Delete.
	(region::calc_offset): New.
	(region::m_parent_rid): Delete.
	(region::m_sval_id): Delete.
	(region::m_complexity): New.
	(region::m_id): New.
	(region::m_parent): New.
	(region::m_view_rids): Delete.
	(region::m_is_view): Delete.
	(region::m_active_view_rid): Delete.
	(region::m_cached_offset): New.
	(is_a_helper <region *>::test): Convert to...
	(is_a_helper <const region *>::test): ...this.
	(class primitive_region): Delete.
	(class space_region): New.
	(class map_region): Delete.
	(is_a_helper <map_region *>::test): Delete.
	(class frame_region): Reimplement.
	(template <> struct default_hash_traits<frame_region::key_t>):
	New.
	(class globals_region): Reimplement.
	(is_a_helper <globals_region *>::test): Convert to...
	(is_a_helper <const globals_region *>::test): ...this.
	(class struct_or_union_region): Delete.
	(is_a_helper <struct_or_union_region *>::test): Delete.
	(class code_region): Reimplement.
	(is_a_helper <const code_region *>::test): New.
	(class struct_region): Delete.
	(is_a_helper <struct_region *>::test): Delete.
	(class function_region): Reimplement.
	(is_a_helper <function_region *>::test): Convert to...
	(is_a_helper <const function_region *>::test): ...this.
	(class union_region): Delete.
	(is_a_helper <union_region *>::test): Delete.
	(class label_region): New.
	(is_a_helper <const label_region *>::test): New.
	(class scope_region): Delete.
	(class stack_region): Reimplement.
	(is_a_helper <stack_region *>::test): Convert to...
	(is_a_helper <const stack_region *>::test): ...this.
	(class heap_region): Reimplement.
	(is_a_helper <heap_region *>::test): Convert to...
	(is_a_helper <const heap_region *>::test): ...this.
	(class root_region): Reimplement.
	(is_a_helper <root_region *>::test): Convert to...
	(is_a_helper <const root_region *>::test): ...this.
	(class symbolic_region): Reimplement.
	(is_a_helper <const symbolic_region *>::test): New.
	(template <> struct default_hash_traits<symbolic_region::key_t>):
	New.
	(class decl_region): New.
	(is_a_helper <const decl_region *>::test): New.
	(class field_region): New.
	(template <> struct default_hash_traits<field_region::key_t>): New.
	(class array_region): Delete.
	(class element_region): New.
	(is_a_helper <array_region *>::test): Delete.
	(is_a_helper <const element_region *>::test): New.
	(template <> struct default_hash_traits<element_region::key_t>):
	New.
	(class offset_region): New.
	(is_a_helper <const offset_region *>::test): New.
	(template <> struct default_hash_traits<offset_region::key_t>):
	New.
	(class cast_region): New.
	(is_a_helper <const cast_region *>::test): New.
	(template <> struct default_hash_traits<cast_region::key_t>): New.
	(class heap_allocated_region): New.
	(class alloca_region): New.
	(class string_region): New.
	(is_a_helper <const string_region *>::test): New.
	(class unknown_region): New.
	(class region_model_manager): New.
	(struct append_ssa_names_cb_data): New.
	(class call_details): New.
	(region_model::region_model): Add region_model_manager param.
	(region_model::print_svalue): Delete.
	(region_model::dump_dot_to_pp): Delete.
	(region_model::dump_dot_to_file): Delete.
	(region_model::dump_dot): Delete.
	(region_model::dump_to_pp): Drop summarize param in favor of
	simple and multiline.
	(region_model::dump): Likewise.
	(region_model::summarize_to_pp): Delete.
	(region_model::summarize): Delete.
	(region_model::void canonicalize): Drop ctxt param.
	(region_model::void check_for_poison): Delete.
	(region_model::get_gassign_result): New.
	(region_model::impl_call_alloca): New.
	(region_model::impl_call_analyzer_describe): New.
	(region_model::impl_call_analyzer_eval): New.
	(region_model::impl_call_builtin_expect): New.
	(region_model::impl_call_calloc): New.
	(region_model::impl_call_free): New.
	(region_model::impl_call_malloc): New.
	(region_model::impl_call_memset): New.
	(region_model::impl_call_strlen): New.
	(region_model::get_reachable_svalues): New.
	(region_model::handle_phi): Drop is_back_edge param.
	(region_model::region_id get_root_rid): Delete.
	(region_model::root_region *get_root_region): Delete.
	(region_model::region_id get_stack_region_id): Delete.
	(region_model::push_frame): Convert from region_id and svalue_id
	to const region * and const svalue *.
	(region_model::get_current_frame_id): Replace with...
	(region_model::get_current_frame): ...this.
	(region_model::pop_frame): Convert from region_id to
	const region *. Drop purge and stats param. Add out_result.
	(region_model::function *get_function_at_depth): Delete.
	(region_model::get_globals_region_id): Delete.
	(region_model::add_svalue): Delete.
	(region_model::replace_svalue): Delete.
	(region_model::add_region): Delete.
	(region_model::add_region_for_type): Delete.
	(region_model::get_svalue): Delete.
	(region_model::get_region): Delete.
	(region_model::get_lvalue): Convert from region_id to
	const region *.
	(region_model::get_rvalue): Convert from svalue_id to
	const svalue *.
	(region_model::get_or_create_ptr_svalue): Delete.
	(region_model::get_or_create_constant_svalue): Delete.
	(region_model::get_svalue_for_fndecl): Delete.
	(region_model::get_svalue_for_label): Delete.
	(region_model::get_region_for_fndecl): Delete.
	(region_model::get_region_for_label): Delete.
	(region_model::get_frame_at_index (int index) const;): New.
	(region_model::maybe_cast): Delete.
	(region_model::maybe_cast_1): Delete.
	(region_model::get_field_region): Delete.
	(region_model::id deref_rvalue): Convert from region_id and
	svalue_id to const region * and const svalue *. Drop overload,
	passing in both a tree and an svalue.
	(region_model::set_value): Convert from region_id and svalue_id to
	const region * and const svalue *.
	(region_model::set_to_new_unknown_value): Delete.
	(region_model::clobber_region (const region *reg);): New.
	(region_model::purge_region (const region *reg);): New.
	(region_model::zero_fill_region (const region *reg);): New.
	(region_model::mark_region_as_unknown (const region *reg);): New.
	(region_model::copy_region): Convert from region_id to
	const region *.
	(region_model::eval_condition): Convert from svalue_id to
	const svalue *.
	(region_model::eval_condition_without_cm): Likewise.
	(region_model::compare_initial_and_pointer): New.
	(region_model::maybe_get_constant): Delete.
	(region_model::add_new_malloc_region): Delete.
	(region_model::get_representative_tree): Convert from svalue_id to
	const svalue *.
	(region_model::get_representative_path_var): Delete decl taking a
	region_id in favor of two decls, for svalue vs region, with an
	svalue_set to ensure termination.
	(region_model::get_path_vars_for_svalue): Delete.
	(region_model::create_region_for_heap_alloc): New.
	(region_model::create_region_for_alloca): New.
	(region_model::purge_unused_svalues): Delete.
	(region_model::remap_svalue_ids): Delete.
	(region_model::remap_region_ids): Delete.
	(region_model::purge_regions): Delete.
	(region_model::get_num_svalues): Delete.
	(region_model::get_num_regions): Delete.
	(region_model::get_descendents): Delete.
	(region_model::get_store): New.
	(region_model::delete_region_and_descendents): Delete.
	(region_model::get_manager): New.
	(region_model::unbind_region_and_descendents): New.
	(region_model::can_merge_with_p): Add point param. Drop
	svalue_id_merger_mapping.
	(region_model::get_value_by_name): Delete.
	(region_model::convert_byte_offset_to_array_index): Delete.
	(region_model::get_or_create_mem_ref): Delete.
	(region_model::get_or_create_pointer_plus_expr): Delete.
	(region_model::get_or_create_view): Delete.
	(region_model::get_lvalue_1): Convert from region_id to
	const region *.
	(region_model::get_rvalue_1): Convert from svalue_id to
	const svalue *.
	(region_model::get_ssa_name_regions_for_current_frame): New.
	(region_model::append_ssa_names_cb): New.
	(region_model::get_store_value): New.
	(region_model::copy_struct_region): Delete.
	(region_model::copy_union_region): Delete.
	(region_model::copy_array_region): Delete.
	(region_model::region_exists_p): New.
	(region_model::make_region_for_unexpected_tree_code): Delete.
	(region_model::loop_replay_fixup): New.
	(region_model::poison_any_pointers_to_bad_regions): Delete.
	(region_model::poison_any_pointers_to_descendents): New.
	(region_model::dump_summary_of_rep_path_vars): Delete.
	(region_model::on_top_level_param): New.
	(region_model::record_dynamic_extents): New.
	(region_model::m_mgr;): New.
	(region_model::m_store;): New.
	(region_model::m_svalues;): Delete.
	(region_model::m_regions;): Delete.
	(region_model::m_root_rid;): Delete.
	(region_model::m_current_frame;): New.
	(region_model_context::remap_svalue_ids): Delete.
	(region_model_context::can_purge_p): Delete.
	(region_model_context::on_svalue_leak): New.
	(region_model_context::on_svalue_purge): Delete.
	(region_model_context::on_liveness_change): New.
	(region_model_context::on_inherited_svalue): Delete.
	(region_model_context::on_cast): Delete.
	(region_model_context::on_unknown_change): Convert from svalue_id to
	const svalue * and add is_mutable.
	(class noop_region_model_context): Update for region_model_context
	changes.
	(model_merger::model_merger): Add program_point. Drop
	svalue_id_merger_mapping.
	(model_merger::dump_to_pp): Add "simple" param.
	(model_merger::dump): Likewise.
	(model_merger::get_region_a): Delete.
	(model_merger::get_region_b): Delete.
	(model_merger::can_merge_values_p): Delete.
	(model_merger::record_regions): Delete.
	(model_merger::record_svalues): Delete.
	(model_merger::m_point): New field.
	(model_merger::m_map_regions_from_a_to_m): Delete.
	(model_merger::m_map_regions_from_b_to_m): Delete.
	(model_merger::m_sid_mapping): Delete.
	(struct svalue_id_merger_mapping): Delete.
	(class engine): New.
	(struct canonicalization): Delete.
	(inchash::add): Delete decls for hashing svalue_id and region_id.
	(test_region_model_context::on_unexpected_tree_code): Require t to
	be non-NULL.
	(selftest::assert_condition): Add overload comparing a pair of
	const svalue *.
	* sm-file.cc: Include "tristate.h", "selftest.h",
	"analyzer/call-string.h", "analyzer/program-point.h",
	"analyzer/store.h", and "analyzer/region-model.h".
	(fileptr_state_machine::get_default_state): New.
	(fileptr_state_machine::on_stmt): Remove calls to
	get_readable_tree in favor of get_diagnostic_tree.
	* sm-malloc.cc: Include "tristate.h", "selftest.h",
	"analyzer/call-string.h", "analyzer/program-point.h",
	"analyzer/store.h", and "analyzer/region-model.h".
	(malloc_state_machine::get_default_state): New.
	(malloc_state_machine::reset_when_passed_to_unknown_fn_p): New.
	(malloc_diagnostic::describe_state_change): Handle change.m_expr
	being NULL.
	(null_arg::emit): Avoid printing "NULL '0'".
	(null_arg::describe_final_event): Avoid printing "(0) NULL".
	(malloc_leak::emit): Handle m_arg being NULL.
	(malloc_leak::describe_final_event): Handle ev.m_expr being NULL.
	(malloc_state_machine::on_stmt): Don't call get_readable_tree.
	Call get_diagnostic_tree when creating pending diagnostics.
	Update for is_zero_assignment becoming a member function of
	sm_ctxt.
	Don't transition to m_non_heap for ADDR_EXPR(MEM_REF()).
	(malloc_state_machine::reset_when_passed_to_unknown_fn_p): New
	vfunc implementation.
	* sm-sensitive.cc (sensitive_state_machine::warn_for_any_exposure): Call
	get_diagnostic_tree and pass the result to warn_for_state.
	* sm-signal.cc: Move includes of "analyzer/call-string.h" and
	"analyzer/program-point.h" to before "analyzer/region-model.h",
	and also include "analyzer/store.h" before it.
	(signal_unsafe_call::describe_state_change): Use
	get_dest_function to get handler.
	(update_model_for_signal_handler): Pass manager to region_model
	ctor.
	(register_signal_handler::impl_transition): Update for changes to
	get_or_create_node and add_edge.
	* sm-taint.cc (taint_state_machine::on_stmt): Remove calls to
	get_readable_tree, replacing them when calling warn_for_state with
	calls to get_diagnostic_tree.
	* sm.cc (is_zero_assignment): Delete.
	(any_pointer_p): Move to within namespace ana.
	* sm.h (is_zero_assignment): Remove decl.
	(any_pointer_p): Move decl to within namespace ana.
	(state_machine::get_default_state): New vfunc.
	(state_machine::reset_when_passed_to_unknown_fn_p): New vfunc.
	(sm_context::get_readable_tree): Rename to...
	(sm_context::get_diagnostic_tree): ...this.
	(sm_context::is_zero_assignment): New vfunc.
	* store.cc: New file.
	* store.h: New file.
	* svalue.cc: New file.

2020-05-22  Mark Wielaard  <mark@klomp.org>

	* sm-signal.cc (signal_unsafe_call::emit): Possibly add
	gcc_rich_location note for replacement.
	(signal_unsafe_call::get_replacement_fn): New private function.
	(get_async_signal_unsafe_fns): Add "exit".

2020-04-28  David Malcolm  <dmalcolm@redhat.com>

	PR analyzer/94816
	* engine.cc (impl_region_model_context::on_unexpected_tree_code):
	Handle NULL tree.
	* region-model.cc (region_model::add_region_for_type): Handle
	NULL type.
	* region-model.h
	(test_region_model_context::on_unexpected_tree_code): Handle NULL
	tree.

2020-04-28  David Malcolm  <dmalcolm@redhat.com>

	PR analyzer/94447
	PR analyzer/94639
	PR analyzer/94732
	PR analyzer/94754
	* analyzer.opt (Wanalyzer-use-of-uninitialized-value): Delete.
	* program-state.cc (selftest::test_program_state_dumping): Update
	expected dump result for removal of "uninit".
	* region-model.cc (poison_kind_to_str): Delete POISON_KIND_UNINIT
	case.
	(root_region::ensure_stack_region): Initialize stack with null
	svalue_id rather than with a typeless POISON_KIND_UNINIT value.
	(root_region::ensure_heap_region): Likewise for the heap.
	(region_model::dump_summary_of_rep_path_vars): Remove
	summarization of uninit values.
	(region_model::validate): Remove check that the stack has a
	POISON_KIND_UNINIT value.
	(poisoned_value_diagnostic::emit): Remove POISON_KIND_UNINIT
	case.
	(poisoned_value_diagnostic::describe_final_event): Likewise.
	(selftest::test_dump): Update expected dump result for removal of
	"uninit".
	(selftest::test_svalue_equality): Remove "uninit" and "freed".
	* region-model.h (enum poison_kind): Remove POISON_KIND_UNINIT.

a96f1c38
DM
76902020-04-01 David Malcolm <dmalcolm@redhat.com>
7691
7692 PR analyzer/94378
7693 * checker-path.cc: Include "bitmap.h".
7694 * constraint-manager.cc: Likewise.
7695 * diagnostic-manager.cc: Likewise.
7696 * engine.cc: Likewise.
7697 (exploded_node::detect_leaks): Pass null region_id to pop_frame.
7698 * program-point.cc: Include "bitmap.h".
7699 * program-state.cc: Likewise.
7700 * region-model.cc (id_set<region_id>::id_set): Convert to...
7701 (region_id_set::region_id_set): ...this.
7702 (svalue_id_set::svalue_id_set): New ctor.
7703 (region_model::copy_region): New function.
7704 (region_model::copy_struct_region): New function.
7705 (region_model::copy_union_region): New function.
7706 (region_model::copy_array_region): New function.
7707 (stack_region::pop_frame): Drop return value. Add
7708 "result_dst_rid" param; if it is non-null, use copy_region to copy
7709 the result to it. Rather than capture and pass a single "known
7710 used" return value to be used by purge_unused_values, instead
7711 gather and pass a set of known used return values.
7712 (root_region::pop_frame): Drop return value. Add "result_dst_rid"
7713 param.
7714 (region_model::on_assignment): Use copy_region.
7715 (region_model::on_return): Likewise for the result.
7716 (region_model::on_longjmp): Pass null for pop_frame's
7717 result_dst_rid.
7718 (region_model::update_for_return_superedge): Pass the region for the
7719 return value of the call, if any, to pop_frame, rather than setting
7720 the lvalue for the lhs of the result.
7721 (region_model::pop_frame): Drop return value. Add
7722 "result_dst_rid" param.
7723 (region_model::purge_unused_svalues): Convert third param from an
7724 svalue_id * to an svalue_id_set *, updating the initial populating
7725 of the "used" bitmap accordingly. Don't remap it when done.
7726 (struct selftest::coord_test): New selftest fixture, extracted from...
7727 (selftest::test_dump_2): ...here.
7728 (selftest::test_compound_assignment): New selftest.
7729 (selftest::test_stack_frames): Pass null to new param of pop_frame.
7730 (selftest::analyzer_region_model_cc_tests): Call the new selftest.
7731 * region-model.h (class id_set): Delete template.
7732 (class region_id_set): Reimplement, using old id_set implementation.
7733 (class svalue_id_set): Likewise. Convert from auto_sbitmap to
7734 auto_bitmap.
7735 (region::get_active_view): New accessor.
7736 (stack_region::pop_frame): Drop return value. Add
7737 "result_dst_rid" param.
7738 (root_region::pop_frame): Likewise.
7739 (region_model::pop_frame): Likewise.
7740 (region_model::copy_region): New decl.
7741 (region_model::purge_unused_svalues): Convert third param from an
7742 svalue_id * to an svalue_id_set *.
7743 (region_model::copy_struct_region): New decl.
7744 (region_model::copy_union_region): New decl.
7745 (region_model::copy_array_region): New decl.
7746
6969ac30
DM
77472020-03-27 David Malcolm <dmalcolm@redhat.com>
7748
7749 * program-state.cc (selftest::test_program_state_dumping): Update
7750 expected dump to include symbolic_region's possibly_null field.
7751 * region-model.cc (symbolic_region::print_fields): New vfunc
7752 implementation.
7753 (region_model::add_constraint): Clear m_possibly_null from
7754 symbolic_regions now known to be non-NULL.
7755 (selftest::test_malloc_constraints): New selftest.
7756 (selftest::analyzer_region_model_cc_tests): Call it.
7757 * region-model.h (region::dyn_cast_symbolic_region): Add non-const
7758 overload.
7759 (symbolic_region::dyn_cast_symbolic_region): Implement it.
7760 (symbolic_region::print_fields): New vfunc override decl.
7761
42c63313
DM
77622020-03-27 David Malcolm <dmalcolm@redhat.com>
7763
7764 * analyzer.h (class feasibility_problem): New forward decl.
7765 * diagnostic-manager.cc (saved_diagnostic::saved_diagnostic):
7766 Initialize new fields m_status, m_epath_length, and m_problem.
7767 (saved_diagnostic::~saved_diagnostic): Delete m_problem.
7768 (dedupe_candidate::dedupe_candidate): Convert "sd" param from a
7769 const ref to a mutable ptr.
7770 (dedupe_winners::add): Convert "sd" param from a const ref to a
7771 mutable ptr. Record the length of the exploded_path. Record the
7772 feasibility/infeasibility of sd into sd, capturing a
7773 feasibility_problem when feasible_p fails, and storing it in sd.
7774 (diagnostic_manager::emit_saved_diagnostics): Update for pass by
7775 ptr rather than by const ref.
7776 * diagnostic-manager.h (class saved_diagnostic): Add new enum
7777 status. Add fields m_status, m_epath_length and m_problem.
7778 (saved_diagnostic::set_feasible): New member function.
7779 (saved_diagnostic::set_infeasible): New member function.
7780 (saved_diagnostic::get_feasibility_problem): New accessor.
7781 (saved_diagnostic::get_status): New accessor.
7782 (saved_diagnostic::set_epath_length): New member function.
7783 (saved_diagnostic::get_epath_length): New accessor.
7784 * engine.cc: Include "gimple-pretty-print.h".
7785 (exploded_path::feasible_p): Add OUT param and, if non-NULL, write
7786 a new feasibility_problem to it on failure.
7787 (viz_callgraph_node::dump_dot): Convert begin_tr calls to
7788 begin_trtd. Convert end_tr calls to end_tdtr.
7789 (class exploded_graph_annotator): New subclass of dot_annotator.
7790 (impl_run_checkers): Add a second -fdump-analyzer-supergraph dump
7791 after the analysis runs, using exploded_graph_annotator. dumping
7792 to DUMP_BASE_NAME.supergraph-eg.dot.
7793 * exploded-graph.h (exploded_node::get_dot_fillcolor): Make
7794 public.
7795 (exploded_path::feasible_p): Add OUT param.
7796 (class feasibility_problem): New class.
7797 * state-purge.cc (state_purge_annotator::add_node_annotations):
7798 Return a bool, add a "within_table" param.
7799 (print_vec_of_names): Convert begin_tr calls to begin_trtd.
7800 Convert end_tr calls to end_tdtr.
7801 (state_purge_annotator::add_stmt_annotations): Add "within_row"
7802 param.
7803 * state-purge.h ((state_purge_annotator::add_node_annotations):
7804 Return a bool, add a "within_table" param.
7805 (state_purge_annotator::add_stmt_annotations): Add "within_row"
7806 param.
7807 * supergraph.cc (supernode::dump_dot): Call add_node_annotations
7808 twice: as before, passing false for "within_table", then again
7809 with true when within the TABLE element. Convert some begin_tr
7810 calls to begin_trtd, and some end_tr calls to end_tdtr.
7811 Repeat each add_stmt_annotations call, distinguishing between
7812 calls that add TRs and those that add TDs to an existing TR.
7813 Add a call to add_after_node_annotations.
7814 * supergraph.h (dot_annotator::add_node_annotations): Add a
7815 "within_table" param.
7816 (dot_annotator::add_stmt_annotations): Add a "within_row" param.
7817 (dot_annotator::add_after_node_annotations): New vfunc.
7818
8f023575
DM
78192020-03-27 David Malcolm <dmalcolm@redhat.com>
7820
7821 * diagnostic-manager.cc (dedupe_winners::add): Show the
7822 exploded_node index in the log messages.
7823 (diagnostic_manager::emit_saved_diagnostics): Log a summary of
7824 m_saved_diagnostics at entry.
7825
4d661bb7
DM
78262020-03-27 David Malcolm <dmalcolm@redhat.com>
7827
7828 * supergraph.cc (superedge::dump): Add space before description;
7829 move newline to non-pretty_printer overload.
7830
884d9141
DM
78312020-03-18 David Malcolm <dmalcolm@redhat.com>
7832
7833 * region-model.cc: Include "stor-layout.h".
7834 (region_model::dump_to_pp): Rather than calling
7835 dump_summary_of_map on each of the current frame and the globals,
7836 instead get a vec of representative path_vars for all regions,
7837 and then dump a summary of all of them.
7838 (region_model::dump_summary_of_map): Delete, rewriting into...
7839 (region_model::dump_summary_of_rep_path_vars): ...this new
7840 function, working on a vec of path_vars.
7841 (region_model::set_value): New overload.
7842 (region_model::get_representative_path_var): Rename
7843 "parent_region" local to "parent_reg" and consolidate with other
7844 local. Guard test for grandparent being stack on parent_reg being
7845 non-NULL. Move handling for parent being an array_region to
7846 within guard for parent_reg being non-NULL.
7847 (selftest::make_test_compound_type): New function.
7848 (selftest::test_dump_2): New selftest.
7849 (selftest::test_dump_3): New selftest.
7850 (selftest::test_stack_frames): Update expected output from
7851 simplified dump to show "a" and "b" from parent frame and "y" in
7852 child frame.
7853 (selftest::analyzer_region_model_cc_tests): Call test_dump_2 and
7854 test_dump_3.
7855 * region-model.h (region_model::set_value): New overload decl.
7856 (region_model::dump_summary_of_map): Delete.
7857 (region_model::dump_summary_of_rep_path_vars): New.
7858
7d9c107a
DM
78592020-03-18 David Malcolm <dmalcolm@redhat.com>
7860
7861 * region-model.h (class noop_region_model_context): New subclass
7862 of region_model_context.
7863 (class tentative_region_model_context): Inherit from
7864 noop_region_model_context rather than from region_model_context;
7865 drop redundant vfunc implementations.
7866 (class test_region_model_context): Likewise.
7867
0db2cd17
DM
78682020-03-18 David Malcolm <dmalcolm@redhat.com>
7869
7870 * engine.cc (exploded_node::exploded_node): Move implementation
7871 here from header; accept point_and_state by const reference rather
7872 than by value.
7873 * exploded-graph.h (exploded_node::exploded_node): Pass
7874 point_and_state by const reference rather than by value. Move
7875 body to engine.cc.
7876
d5029d45
JJ
78772020-03-18 Jakub Jelinek <jakub@redhat.com>
7878
7879 * sm-malloc.cc (malloc_state_machine::on_stmt): Fix up duplicated word
7880 issue in a comment.
7881 * region-model.cc (region_model::make_region_for_unexpected_tree_code,
7882 region_model::delete_region_and_descendents): Likewise.
7883 * engine.cc (class exploded_cluster): Likewise.
7884 * diagnostic-manager.cc (class path_builder): Likewise.
7885
5c048755
DM
78862020-03-13 David Malcolm <dmalcolm@redhat.com>
7887
7888 PR analyzer/94099
7889 PR analyzer/94105
7890 * diagnostic-manager.cc (for_each_state_change): Bulletproof
7891 against errors in get_rvalue by passing a
7892 tentative_region_model_context and rejecting if there's an error.
7893 * region-model.cc (region_model::get_lvalue_1): When handling
7894 ARRAY_REF, handle results of error-handling. Handle NOP_EXPR.
7895
90f7c300
DM
78962020-03-06 David Malcolm <dmalcolm@redhat.com>
7897
7898 * analyzer.h (class array_region): New forward decl.
7899 * program-state.cc (selftest::test_program_state_dumping_2): New.
7900 (selftest::analyzer_program_state_cc_tests): Call it.
7901 * region-model.cc (array_region::constant_from_key): New.
7902 (region_model::get_representative_tree): Handle region_svalue by
7903 generating an ADDR_EXPR.
7904 (region_model::get_representative_path_var): In view handling,
7905 remove erroneous TREE_TYPE when determining the type of the tree.
7906 Handle array regions and STRING_CST.
7907 (selftest::assert_dump_tree_eq): New.
7908 (ASSERT_DUMP_TREE_EQ): New macro.
7909 (selftest::test_get_representative_tree): New selftest.
7910 (selftest::analyzer_region_model_cc_tests): Call it.
7911 * region-model.h (region::dyn_cast_array_region): New vfunc.
7912 (array_region::dyn_cast_array_region): New vfunc implementation.
7913 (array_region::constant_from_key): New decl.
7914
41f99ba6
DM
79152020-03-06 David Malcolm <dmalcolm@redhat.com>
7916
7917 * analyzer.h (dump_quoted_tree): New decl.
7918 * engine.cc (exploded_node::dump_dot): Pass region model to
7919 sm_state_map::print.
7920 * program-state.cc: Include diagnostic-core.h.
7921 (sm_state_map::print): Add "model" param and use it to print
7922 representative trees. Only print origin information if non-null.
7923 (sm_state_map::dump): Pass NULL for model to print call.
7924 (program_state::print): Pass region model to sm_state_map::print.
7925 (program_state::dump_to_pp): Use spaces rather than newlines when
7926 summarizing. Pass region_model to sm_state_map::print.
7927 (ana::selftest::assert_dump_eq): New function.
7928 (ASSERT_DUMP_EQ): New macro.
7929 (ana::selftest::test_program_state_dumping): New function.
7930 (ana::selftest::analyzer_program_state_cc_tests): Call it.
7931 * program-state.h (program_state::print): Add model param.
7932 * region-model.cc (dump_quoted_tree): New function.
7933 (map_region::print_fields): Use dump_quoted_tree rather than
7934 %qE to avoid lang-dependent output.
7935 (map_region::dump_child_label): Likewise.
7936 (region_model::dump_summary_of_map): For SK_REGION, when
7937 get_representative_path_var fails, print the region id rather than
7938 erroneously printing NULL.
7939 * sm.cc (state_machine::get_state_by_name): New function.
7940 * sm.h (state_machine::get_state_by_name): New decl.
7941
3c1645a3
DM
79422020-03-04 David Malcolm <dmalcolm@redhat.com>
7943
7944 * region-model.cc (region::validate): Convert model param from ptr
7945 to reference. Update comment to reflect that it's now a vfunc.
7946 (map_region::validate): New vfunc implementation.
7947 (array_region::validate): New vfunc implementation.
7948 (stack_region::validate): New vfunc implementation.
7949 (root_region::validate): New vfunc implementation.
7950 (region_model::validate): Pass a reference rather than a pointer
7951 to the region::validate vfunc.
7952 * region-model.h (region::validate): Make virtual. Convert model
7953 param from ptr to reference.
7954 (map_region::validate): New vfunc decl.
7955 (array_region::validate): New vfunc decl.
7956 (stack_region::validate): New vfunc decl.
7957 (root_region::validate): New vfunc decl.
7958
e516294a
DM
79592020-03-04 David Malcolm <dmalcolm@redhat.com>
7960
7961 PR analyzer/93993
7962 * region-model.cc (region_model::on_call_pre): Handle
7963 BUILT_IN_EXPECT and its variants.
7964 (region_model::add_any_constraints_from_ssa_def_stmt): Split out
7965 gassign handling into add_any_constraints_from_gassign; add gcall
7966 handling.
7967 (region_model::add_any_constraints_from_gassign): New function,
7968 based on the above. Add handling for NOP_EXPR.
7969 (region_model::add_any_constraints_from_gcall): New function.
7970 (region_model::get_representative_path_var): Handle views.
7971 * region-model.h
7972 (region_model::add_any_constraints_from_ssa_def_stmt): New decl.
7973 (region_model::add_any_constraints_from_gassign): New decl.
7974
3d66e153
DM
79752020-03-04 David Malcolm <dmalcolm@redhat.com>
7976
7977 PR analyzer/93993
7978 * checker-path.h (state_change_event::get_lvalue): Add ctxt param
7979 and pass it to region_model::get_value call.
7980 * diagnostic-manager.cc (get_any_origin): Pass a
7981 tentative_region_model_context to the calls to get_lvalue and reject
7982 the comparison if errors occur.
7983 (can_be_expr_of_interest_p): New function.
7984 (diagnostic_manager::prune_for_sm_diagnostic): Replace checks for
7985 CONSTANT_CLASS_P with calls to update_for_unsuitable_sm_exprs.
7986 Pass a tentative_region_model_context to the calls to
7987 state_change_event::get_lvalue and reject the comparison if errors
7988 occur.
7989 (diagnostic_manager::update_for_unsuitable_sm_exprs): New.
7990 * diagnostic-manager.h
7991 (diagnostic_manager::update_for_unsuitable_sm_exprs): New decl.
7992 * region-model.h (class tentative_region_model_context): New class.
7993
13e3ba14
DM
79942020-03-04 David Malcolm <dmalcolm@redhat.com>
7995
7996 * engine.cc (worklist::worklist): Remove unused field m_eg.
7997 (class viz_callgraph_edge): Remove unused field m_call_sedge.
7998 (class viz_callgraph): Remove unused field m_sg.
7999 * exploded-graph.h (worklist::::m_eg): Remove unused field.
8000
13b76912
DM
80012020-03-02 David Malcolm <dmalcolm@redhat.com>
8002
8003 * analyzer.opt (fanalyzer-show-duplicate-count): New option.
8004 * diagnostic-manager.cc
8005 (diagnostic_manager::emit_saved_diagnostic): Use the above to
8006 guard the printing of the duplicate count.
8007
9f00b22f
DM
80082020-03-02 David Malcolm <dmalcolm@redhat.com>
8009
8010 PR analyzer/93959
8011 * analyzer.cc (is_std_function_p): New function.
8012 (is_std_named_call_p): New functions.
8013 * analyzer.h (is_std_named_call_p): New decl.
8014 * sm-malloc.cc (malloc_state_machine::on_stmt): Check for "std::"
8015 variants when checking for malloc, calloc and free.
8016
71b633aa
DM
80172020-02-26 David Malcolm <dmalcolm@redhat.com>
8018
8019 PR analyzer/93950
8020 * diagnostic-manager.cc
8021 (diagnostic_manager::prune_for_sm_diagnostic): Assert that var is
8022 either NULL or not a constant. When updating var, bulletproof
8023 against constant values.
8024
0ba70d1b
DM
80252020-02-26 David Malcolm <dmalcolm@redhat.com>
8026
8027 PR analyzer/93947
8028 * region-model.cc (region_model::get_fndecl_for_call): Gracefully
8029 fail for fn_decls that don't have a cgraph_node.
8030
67fa274c
DM
80312020-02-26 David Malcolm <dmalcolm@redhat.com>
8032
8033 * bar-chart.cc: New file.
8034 * bar-chart.h: New file.
8035 * engine.cc: Include "analyzer/bar-chart.h".
8036 (stats::log): Only log the m_num_nodes kinds that are non-zero.
8037 (stats::dump): Likewise when dumping.
8038 (stats::get_total_enodes): New.
8039 (exploded_graph::get_or_create_node): Increment the per-point-data
8040 m_excess_enodes when hitting the per-program-point limit on
8041 enodes.
8042 (exploded_graph::print_bar_charts): New.
8043 (exploded_graph::log_stats): Log the number of unprocessed enodes
8044 in the worklist. Call print_bar_charts.
8045 (exploded_graph::dump_stats): Print the number of unprocessed
8046 enodes in the worklist.
8047 * exploded-graph.h (stats::get_total_enodes): New decl.
8048 (struct per_program_point_data): Add field m_excess_enodes.
8049 (exploded_graph::print_bar_charts): New decl.
8050 * supergraph.cc (superedge::dump): New.
8051 (superedge::dump): New.
8052 * supergraph.h (supernode::get_function): New.
8053 (superedge::dump): New decl.
8054 (superedge::dump): New decl.
8055
f2ca2088
DM
80562020-02-24 David Malcolm <dmalcolm@redhat.com>
8057
8058 * engine.cc (exploded_graph::get_or_create_node): Dump the
8059 program_state to the pp, rather than to stderr.
8060
b3d788a2
DM
80612020-02-24 David Malcolm <dmalcolm@redhat.com>
8062
8063 PR analyzer/93032
8064 * sm.cc (make_checkers): Require the "taint" checker to be
8065 explicitly enabled.
8066
3a25f345
DM
80672020-02-24 David Malcolm <dmalcolm@redhat.com>
8068
8069 PR analyzer/93899
8070 * engine.cc
8071 (impl_region_model_context::impl_region_model_context): Add logger
8072 param.
8073 * engine.cc (exploded_graph::add_function_entry): Create an
8074 impl_region_model_context and pass it to the push_frame call.
8075 Bail if the resulting state is invalid.
8076 (exploded_graph::build_initial_worklist): Likewise.
8077 (exploded_graph::build_initial_worklist): Handle the case where
8078 add_function_entry fails.
8079 * exploded-graph.h
8080 (impl_region_model_context::impl_region_model_context): Add logger
8081 param.
8082 * region-model.cc (map_region::get_or_create): Add ctxt param and
8083 pass it to add_region_for_type.
8084 (map_region::can_merge_p): Pass NULL as a ctxt to call to
8085 get_or_create.
8086 (array_region::get_element): Pass ctxt to call to get_or_create.
8087 (array_region::get_or_create): Add ctxt param and pass it to
8088 add_region_for_type.
8089 (root_region::push_frame): Pass ctxt to get_or_create calls.
8090 (region_model::get_lvalue_1): Likewise.
8091 (region_model::make_region_for_unexpected_tree_code): Assert that
8092 ctxt is non-NULL.
8093 (region_model::get_rvalue_1): Pass ctxt to get_svalue_for_fndecl
8094 and get_svalue_for_label calls.
8095 (region_model::get_svalue_for_fndecl): Add ctxt param and pass it
8096 to get_region_for_fndecl.
8097 (region_model::get_region_for_fndecl): Add ctxt param and pass it
8098 to get_or_create.
8099 (region_model::get_svalue_for_label): Add ctxt param and pass it
8100 to get_region_for_label.
8101 (region_model::get_region_for_label): Add ctxt param and pass it
8102 to get_region_for_fndecl and get_or_create.
8103 (region_model::get_field_region): Add ctxt param and pass it to
8104 get_or_create_view and get_or_create.
8105 (make_region_for_type): Replace gcc_unreachable with return NULL.
8106 (region_model::add_region_for_type): Add ctxt param. Handle a
8107 return of NULL from make_region_for_type by calling
8108 make_region_for_unexpected_tree_code.
8109 (region_model::get_or_create_mem_ref): Pass ctxt to calls to
8110 get_or_create_view.
8111 (region_model::get_or_create_view): Add ctxt param and pass it to
8112 add_region_for_type.
8113 (selftest::test_state_merging): Pass ctxt to get_or_create_view.
8114 * region-model.h (region_model::get_or_create): Add ctxt param.
8115 (region_model::add_region_for_type): Likewise.
8116 (region_model::get_svalue_for_fndecl): Likewise.
8117 (region_model::get_svalue_for_label): Likewise.
8118 (region_model::get_region_for_fndecl): Likewise.
8119 (region_model::get_region_for_label): Likewise.
8120 (region_model::get_field_region): Likewise.
8121 (region_model::get_or_create_view): Likewise.
8122
004f2c07
DM
81232020-02-24 David Malcolm <dmalcolm@redhat.com>
8124
8125 * checker-path.cc (superedge_event::should_filter_p): Update
8126 filter for empty descriptions to cover verbosity level 3 as well
8127 as 2.
8128 * diagnostic-manager.cc: Include "analyzer/reachability.h".
8129 (class path_builder): New class.
8130 (diagnostic_manager::emit_saved_diagnostic): Create a path_builder
8131 and pass it to build_emission_path, rather passing eg; similarly
8132 for add_events_for_eedge and ext_state.
8133 (diagnostic_manager::build_emission_path): Replace "eg" param
8134 with a path_builder, pass it to add_events_for_eedge.
8135 (diagnostic_manager::add_events_for_eedge): Replace ext_state
8136 param with path_builder; pass it to add_events_for_superedge.
8137 (diagnostic_manager::significant_edge_p): New.
8138 (diagnostic_manager::add_events_for_superedge): Add path_builder
8139 param. Reject insignificant edges at verbosity levels below 3.
8140 (diagnostic_manager::prune_for_sm_diagnostic): Update highest
8141 verbosity level to 4.
8142 * diagnostic-manager.h (class path_builder): New forward decl.
8143 (diagnostic_manager::build_emission_path): Replace "eg" param
8144 with a path_builder.
8145 (diagnostic_manager::add_events_for_eedge): Replace ext_state
8146 param with path_builder.
8147 (diagnostic_manager::significant_edge_p): New.
8148 (diagnostic_manager::add_events_for_superedge): Add path_builder
8149 param.
8150 * reachability.h: New file.
8151
0b2b45a6
DM
81522020-02-18 David Malcolm <dmalcolm@redhat.com>
8153
8154 PR analyzer/93692
8155 * analyzer.opt (fdump-analyzer-callgraph): Rewrite description.
8156
4f40164a
DM
81572020-02-18 David Malcolm <dmalcolm@redhat.com>
8158
8159 PR analyzer/93777
8160 * region-model.cc (region_model::maybe_cast_1): Replace assertion
8161 that build_cast returns non-NULL with a conditional, falling
8162 through to the logic which returns a new unknown value of the
8163 desired type if it fails.
8164
2e623393
DM
81652020-02-18 David Malcolm <dmalcolm@redhat.com>
8166
8167 PR analyzer/93778
8168 * engine.cc (impl_region_model_context::on_unknown_tree_code):
8169 Rename to...
8170 (impl_region_model_context::on_unexpected_tree_code): ...this and
8171 convert first argument from path_var to tree.
8172 (exploded_node::on_stmt): Pass ctxt to purge_for_unknown_fncall.
8173 * exploded-graph.h (region_model_context::on_unknown_tree_code):
8174 Rename to...
8175 (region_model_context::on_unexpected_tree_code): ...this and
8176 convert first argument from path_var to tree.
8177 * program-state.cc (sm_state_map::purge_for_unknown_fncall): Add
8178 ctxt param and pass on to calls to get_rvalue.
8179 * program-state.h (sm_state_map::purge_for_unknown_fncall): Add
8180 ctxt param.
8181 * region-model.cc (region_model::handle_unrecognized_call): Pass
8182 ctxt on to call to get_rvalue.
8183 (region_model::get_lvalue_1): Move body of default case to
8184 region_model::make_region_for_unexpected_tree_code and call it.
8185 Within COMPONENT_REF case, reject attempts to handle types other
8186 than RECORD_TYPE and UNION_TYPE.
8187 (region_model::make_region_for_unexpected_tree_code): New
8188 function, based on default case of region_model::get_lvalue_1.
8189 * region-model.h
8190 (region_model::make_region_for_unexpected_tree_code): New decl.
8191 (region_model::on_unknown_tree_code): Rename to...
8192 (region_model::on_unexpected_tree_code): ...this and convert first
8193 argument from path_var to tree.
8194 (class test_region_model_context): Update vfunc implementation for
8195 above change.
8196
a674c7b8
DM
81972020-02-18 David Malcolm <dmalcolm@redhat.com>
8198
8199 PR analyzer/93774
8200 * region-model.cc
8201 (region_model::convert_byte_offset_to_array_index): Use
8202 int_size_in_bytes before calling size_in_bytes, to gracefully fail
8203 on incomplete types.
8204
d8cde6f9
DM
82052020-02-17 David Malcolm <dmalcolm@redhat.com>
8206
8207 PR analyzer/93775
8208 * region-model.cc (region_model::get_fndecl_for_call): Handle the
8209 case where the code_region's get_tree_for_child_region returns
8210 NULL.
8211
f76a88eb
DM
82122020-02-17 David Malcolm <dmalcolm@redhat.com>
8213
8214 PR analyzer/93388
8215 * engine.cc (impl_region_model_context::on_unknown_tree_code):
8216 New.
8217 (exploded_graph::get_or_create_node): Reject invalid states.
8218 * exploded-graph.h
8219 (impl_region_model_context::on_unknown_tree_code): New decl.
8220 (point_and_state::point_and_state): Assert that the state is
8221 valid.
8222 * program-state.cc (program_state::program_state): Initialize
8223 m_valid to true.
8224 (program_state::operator=): Copy m_valid.
8225 (program_state::program_state): Likewise for move constructor.
8226 (program_state::print): Print m_valid.
8227 (program_state::dump_to_pp): Likewise.
8228 * program-state.h (program_state::m_valid): New field.
8229 * region-model.cc (region_model::get_lvalue_1): Implement the
8230 default case by returning a new symbolic region and calling
8231 the context's on_unknown_tree_code, rather than issuing an
8232 internal_error. Implement VIEW_CONVERT_EXPR.
8233 * region-model.h (region_model_context::on_unknown_tree_code): New
8234 vfunc.
8235 (test_region_model_context::on_unknown_tree_code): New.
8236
0993ad65
DM
82372020-02-17 David Malcolm <dmalcolm@redhat.com>
8238
8239 * sm-malloc.cc (malloc_diagnostic::describe_state_change): For
8240 transition to the "null" state, only say "assuming" when
8241 transitioning from the "unchecked" state.
8242
67098787
DM
82432020-02-17 David Malcolm <dmalcolm@redhat.com>
8244
8245 * diagnostic-manager.h (diagnostic_manager::get_saved_diagnostic):
8246 Add const overload.
8247 * engine.cc (exploded_node::dump_dot): Dump saved_diagnostics.
8248 * exploded-graph.h (exploded_graph::get_diagnostic_manager): Add
8249 const overload.
8250
91f993b7
DM
82512020-02-11 David Malcolm <dmalcolm@redhat.com>
8252
8253 PR analyzer/93288
8254 * analysis-plan.cc (analysis_plan::use_summary_p): Look through
8255 the ultimate_alias_target when getting the called function.
8256 * engine.cc (exploded_node::on_stmt): Rename second "ctxt" to
8257 "sm_ctxt". Use the region_model's get_fndecl_for_call rather than
8258 gimple_call_fndecl.
8259 * region-model.cc (region_model::get_fndecl_for_call): Use
8260 ultimate_alias_target on fndecl.
8261 * supergraph.cc (get_ultimate_function_for_cgraph_edge): New
8262 function.
8263 (supergraph_call_edge): Use it when rejecting edges without
8264 functions.
8265 (supergraph::supergraph): Use it to get the function for the
8266 cgraph_edge when building interprocedural superedges.
8267 (callgraph_superedge::get_callee_function): Use it.
8268 * supergraph.h (supergraph::get_num_snodes): Make param const.
8269 (supergraph::function_to_num_snodes_t): Make first type param
8270 const.
8271
a60d9889
DM
82722020-02-11 David Malcolm <dmalcolm@redhat.com>
8273
8274 PR analyzer/93374
8275 * engine.cc (exploded_edge::exploded_edge): Add ext_state param
8276 and pass it to change.validate.
8277 (exploded_graph::get_or_create_node): Move purging of change
8278 svalues to also cover the case of reusing an existing enode.
8279 (exploded_graph::add_edge): Pass m_ext_state to exploded_edge's
8280 ctor.
8281 * exploded-graph.h (exploded_edge::exploded_edge): Add ext_state
8282 param.
8283 * program-state.cc (state_change::sm_change::validate): Likewise.
8284 Assert that m_sm_idx is sane. Use ext_state to validate
8285 m_old_state and m_new_state.
8286 (state_change::validate): Add ext_state param and pass it to
8287 the sm_change validate calls.
8288 * program-state.h (state_change::sm_change::validate): Add
8289 ext_state param.
8290 (state_change::validate): Likewise.
8291
a0e4929b
DM
82922020-02-11 David Malcolm <dmalcolm@redhat.com>
8293
8294 PR analyzer/93669
8295 * engine.cc (exploded_graph::dump_exploded_nodes): Handle missing
8296 case of STATUS_WORKLIST in implementation of
8297 "__analyzer_dump_exploded_nodes".
8298
cd28b759
DM
82992020-02-11 David Malcolm <dmalcolm@redhat.com>
8300
8301 PR analyzer/93649
8302 * constraint-manager.cc (constraint_manager::add_constraint): When
8303 merging equivalence classes and updating m_constant, also update
8304 m_cst_sid.
8305 (constraint_manager::validate): If m_constant is non-NULL assert
8306 that m_cst_sid is non-null and is valid.
8307
5e17c1bd
DM
83082020-02-11 David Malcolm <dmalcolm@redhat.com>
8309
8310 PR analyzer/93657
8311 * analyzer.opt (fdump-analyzer): Reword description.
8312 (fdump-analyzer-stderr): Likewise.
8313
c46d057f
DM
83142020-02-11 David Malcolm <dmalcolm@redhat.com>
8315
8316 * region-model.cc (print_quoted_type): New function.
8317 (svalue::print): Use it to replace %qT.
8318 (region::dump_to_pp): Likewise.
8319 (region::dump_child_label): Likewise.
	(region::print_fields): Likewise.

2020-02-10  David Malcolm  <dmalcolm@redhat.com>

	PR analyzer/93659
	* analyzer.opt (-param=analyzer-max-recursion-depth=): Fix "tha"
	-> "that" typo.
	(Wanalyzer-use-of-uninitialized-value): Fix "initialized" ->
	"uninitialized" typo.

2020-02-10  David Malcolm  <dmalcolm@redhat.com>

	PR analyzer/93350
	* region-model.cc (region_model::get_lvalue_1):
	Handle BIT_FIELD_REF.
	(make_region_for_type): Handle VECTOR_TYPE.

2020-02-10  David Malcolm  <dmalcolm@redhat.com>

	PR analyzer/93647
	* diagnostic-manager.cc
	(diagnostic_manager::prune_for_sm_diagnostic): Bulletproof against
	VAR being constant.
	* region-model.cc (region_model::get_lvalue_1): Provide a better
	error message when encountering an unhandled tree code.

2020-02-10  David Malcolm  <dmalcolm@redhat.com>

	PR analyzer/93405
	* region-model.cc (region_model::get_lvalue_1): Implement
	CONST_DECL.

2020-02-06  David Malcolm  <dmalcolm@redhat.com>

	* region-model.cc (region_model::maybe_cast_1): Attempt to provide
	a region_svalue if either type is a pointer, rather than if both
	types are pointers.

2020-02-05  David Malcolm  <dmalcolm@redhat.com>

	* engine.cc (exploded_node::dump_dot): Show merger enodes.
	(worklist::add_node): Assert that the node's m_status is
	STATUS_WORKLIST.
	(exploded_graph::process_worklist): Likewise for nodes from the
	worklist.  Set status of merged nodes to STATUS_MERGER.
	(exploded_graph::process_node): Set status of node to
	STATUS_PROCESSED.
	(exploded_graph::dump_exploded_nodes): Rework handling of
	"__analyzer_dump_exploded_nodes", splitting enodes by status into
	"processed" and "merger", showing the count of just the processed
	enodes at the call, rather than the count of all enodes.
	* exploded-graph.h (exploded_node::status): New enum.
	(exploded_node::exploded_node): Initialize m_status to
	STATUS_WORKLIST.
	(exploded_node::get_status): New getter.
	(exploded_node::set_status): New setter.

2020-02-04  David Malcolm  <dmalcolm@redhat.com>

	PR analyzer/93543
	* engine.cc (pod_hash_traits<function_call_string>::mark_empty):
	Eliminate reinterpret_cast.
	(pod_hash_traits<function_call_string>::is_empty): Likewise.

2020-02-03  David Malcolm  <dmalcolm@redhat.com>

	* constraint-manager.cc (range::constrained_to_single_element):
	Replace fold_build2 with fold_binary.  Remove unnecessary newline.
	(constraint_manager::get_or_add_equiv_class): Replace fold_build2
	with fold_binary in two places, and remove out-of-date comment.
	(constraint_manager::eval_condition): Replace fold_build2 with
	fold_binary.
	* region-model.cc (constant_svalue::eval_condition): Likewise.
	(region_model::on_assignment): Likewise.

2020-02-03  David Malcolm  <dmalcolm@redhat.com>

	PR analyzer/93544
	* diagnostic-manager.cc
	(diagnostic_manager::prune_for_sm_diagnostic): Bulletproof
	against bad choices due to bad paths.
	* engine.cc (impl_region_model_context::on_phi): New.
	* exploded-graph.h (impl_region_model_context::on_phi): New decl.
	* region-model.cc (region_model::on_longjmp): Likewise.
	(region_model::handle_phi): Add phi param.  Call the ctxt's on_phi
	vfunc.
	(region_model::update_for_phis): Pass phi to handle_phi.
	* region-model.h (region_model::handle_phi): Add phi param.
	(region_model_context::on_phi): New vfunc.
	(test_region_model_context::on_phi): New.
	* sm-malloc.cc (malloc_state_machine::on_phi): New.
	(malloc_state_machine::on_zero_assignment): New.
	* sm.h (state_machine::on_phi): New vfunc.

2020-02-03  David Malcolm  <dmalcolm@redhat.com>

	* engine.cc (supernode_cluster::dump_dot): Show BB index as
	well as SN index.
	* supergraph.cc (supernode::dump_dot): Likewise.

2020-02-03  David Malcolm  <dmalcolm@redhat.com>

	PR analyzer/93546
	* region-model.cc (region_model::on_call_pre): Update for new
	param of symbolic_region ctor.
	(region_model::deref_rvalue): Likewise.
	(region_model::add_new_malloc_region): Likewise.
	(make_region_for_type): Likewise, preserving type.
	* region-model.h (symbolic_region::symbolic_region): Add "type"
	param and pass it to base class ctor.

2020-02-03  David Malcolm  <dmalcolm@redhat.com>

	PR analyzer/93547
	* constraint-manager.cc
	(constraint_manager::get_or_add_equiv_class): Ensure types are
	compatible before comparing constants.

2020-01-31  David Malcolm  <dmalcolm@redhat.com>

	PR analyzer/93457
	* region-model.cc (make_region_for_type): Use VOID_TYPE_P rather
	than checking against void_type_node.

2020-01-31  David Malcolm  <dmalcolm@redhat.com>

	PR analyzer/93373
	* region-model.cc (ASSERT_COMPAT_TYPES): Convert to...
	(assert_compat_types): ...this, and bail when either type is NULL,
	or when VOID_TYPE_P (dst_type).
	(region_model::get_lvalue): Update for above conversion.
	(region_model::get_rvalue): Likewise.

2020-01-31  David Malcolm  <dmalcolm@redhat.com>

	PR analyzer/93379
	* region-model.cc (region_model::update_for_return_superedge):
	Move check for null result so that it also guards setting the
	lhs.

2020-01-31  David Malcolm  <dmalcolm@redhat.com>

	PR analyzer/93438
	* region-model.cc (stack_region::can_merge_p): Split into a two
	pass approach, creating all stack regions first, then populating
	them.
	(selftest::test_state_merging): Add test coverage for (a) the case
	of self-merging a model in which a local in an older stack frame
	points to a local in a more recent stack frame (which previously
	would ICE), and (b) the case of self-merging a model in which a
	local points to a global (which previously worked OK).

2020-01-31  David Malcolm  <dmalcolm@redhat.com>

	* analyzer.cc (is_named_call_p): Replace tests for fndecl being
	extern at file scope and having a non-NULL DECL_NAME with a call
	to maybe_special_function_p.
	* function-set.cc (function_set::contains_decl_p): Add call to
	maybe_special_function_p.

2020-01-31  David Malcolm  <dmalcolm@redhat.com>

	PR analyzer/93450
	* constraint-manager.cc
	(constraint_manager::get_or_add_equiv_class): Only compare constants
	if their types are compatible.
	* region-model.cc (constant_svalue::eval_condition): Replace check
	for identical types with call to types_compatible_p.

2020-01-30  David Malcolm  <dmalcolm@redhat.com>

	* program-state.cc (extrinsic_state::dump_to_pp): New.
	(extrinsic_state::dump_to_file): New.
	(extrinsic_state::dump): New.
	* program-state.h (extrinsic_state::dump_to_pp): New decl.
	(extrinsic_state::dump_to_file): New decl.
	(extrinsic_state::dump): New decl.
	* sm.cc: Include "pretty-print.h".
	(state_machine::dump_to_pp): New.
	* sm.h (state_machine::dump_to_pp): New decl.

2020-01-30  David Malcolm  <dmalcolm@redhat.com>

	* diagnostic-manager.cc (for_each_state_change): Use
	extrinsic_state::get_num_checkers rather than accessing m_checkers
	directly.
	* program-state.cc (program_state::program_state): Likewise.
	* program-state.h (extrinsic_state::m_checkers): Make private.

2020-01-30  David Malcolm  <dmalcolm@redhat.com>

	PR analyzer/93356
	* region-model.cc (region_model::eval_condition): In both
	overloads, bail out immediately on floating-point types.
	(region_model::eval_condition_without_cm): Likewise.
	(region_model::add_constraint): Likewise.

2020-01-30  David Malcolm  <dmalcolm@redhat.com>

	PR analyzer/93450
	* program-state.cc (sm_state_map::set_state): For the overload
	taking an svalue_id, bail out if the set_state on the ec does
	nothing.  Convert the latter's return type from void to bool,
	returning true if anything changed.
	(sm_state_map::impl_set_state): Convert the return type from void
	to bool, returning true if the state changed.
	* program-state.h (sm_state_map::set_state): Convert return type
	from void to bool.
	(sm_state_map::impl_set_state): Likewise.
	* region-model.cc (constant_svalue::eval_condition): Only call
	fold_build2 if the types are the same.

2020-01-29  Jakub Jelinek  <jakub@redhat.com>

	* analyzer.h (PUSH_IGNORE_WFORMAT, POP_IGNORE_WFORMAT): Remove.
	* constraint-manager.cc: Include diagnostic-core.h before graphviz.h.
	(range::dump, equiv_class::print): Don't use PUSH_IGNORE_WFORMAT or
	POP_IGNORE_WFORMAT.
	* state-purge.cc: Include diagnostic-core.h before
	gimple-pretty-print.h.
	(state_purge_annotator::add_node_annotations, print_vec_of_names):
	Don't use PUSH_IGNORE_WFORMAT or POP_IGNORE_WFORMAT.
	* region-model.cc: Move diagnostic-core.h include before graphviz.h.
	(path_var::dump, svalue::print, constant_svalue::print_details,
	region::dump_to_pp, region::dump_child_label, region::print_fields,
	map_region::print_fields, map_region::dump_dot_to_pp,
	map_region::dump_child_label, array_region::print_fields,
	array_region::dump_dot_to_pp): Don't use PUSH_IGNORE_WFORMAT or
	POP_IGNORE_WFORMAT.

2020-01-28  David Malcolm  <dmalcolm@redhat.com>

	PR analyzer/93316
	* engine.cc (rewind_info_t::update_model): Get the longjmp call
	stmt via get_longjmp_call () rather than assuming it is the last
	stmt in the longjmp's supernode.
	(rewind_info_t::add_events_to_path): Get the location_t for the
	rewind_from_longjmp_event via get_longjmp_call () rather than from
	the supernode's get_end_location ().

2020-01-28  David Malcolm  <dmalcolm@redhat.com>

	* region-model.cc (poisoned_value_diagnostic::emit): Update for
	renaming of warning_at overload to warning_meta.
	* sm-file.cc (file_leak::emit): Likewise.
	* sm-malloc.cc (double_free::emit): Likewise.
	(possible_null_deref::emit): Likewise.
	(possible_null_arg::emit): Likewise.
	(null_deref::emit): Likewise.
	(null_arg::emit): Likewise.
	(use_after_free::emit): Likewise.
	(malloc_leak::emit): Likewise.
	(free_of_non_heap::emit): Likewise.
	* sm-sensitive.cc (exposure_through_output_file::emit): Likewise.
	* sm-signal.cc (signal_unsafe_call::emit): Likewise.
	* sm-taint.cc (tainted_array_index::emit): Likewise.

2020-01-27  David Malcolm  <dmalcolm@redhat.com>

	PR analyzer/93451
	* region-model.cc (tree_cmp): For the REAL_CST case, impose an
	arbitrary order on NaNs relative to other NaNs and to non-NaNs;
	const-correctness tweak.
	(ana::selftests::build_real_cst_from_string): New function.
	(ana::selftests::append_interesting_constants): New function.
	(ana::selftests::test_tree_cmp_on_constants): New test.
	(ana::selftests::test_canonicalization_4): New test.
	(ana::selftests::analyzer_region_model_cc_tests): Call the new
	tests.

2020-01-27  David Malcolm  <dmalcolm@redhat.com>

	PR analyzer/93349
	* engine.cc (run_checkers): Save and restore input_location.

2020-01-27  David Malcolm  <dmalcolm@redhat.com>

	* call-string.cc (call_string::cmp_1): Delete, moving body to...
	(call_string::cmp): ...here.
	* call-string.h (call_string::cmp_1): Delete decl.
	* engine.cc (worklist::key_t::cmp_1): Delete, moving body to...
	(worklist::key_t::cmp): ...here.  Implement hash comparisons
	via comparison rather than subtraction to avoid overflow issues.
	* exploded-graph.h (worklist::key_t::cmp_1): Delete decl.
	* region-model.cc (tree_cmp): Eliminate buggy checking for
	symmetry.

2020-01-27  David Malcolm  <dmalcolm@redhat.com>

	* analyzer.cc (is_named_call_p): Check that fndecl is "extern"
	and at file scope.  Potentially disregard prefix _ or __ in
	fndecl's name.  Bail if the identifier is NULL.
	(is_setjmp_call_p): Expect a gcall rather than plain gimple.
	Remove special-case check for leading prefix, and also check for
	sigsetjmp.
	(is_longjmp_call_p): Also check for siglongjmp.
	(get_user_facing_name): New function.
	* analyzer.h (is_setjmp_call_p): Expect a gcall rather than plain
	gimple.
	(get_user_facing_name): New decl.
	* checker-path.cc (setjmp_event::get_desc): Use
	get_user_facing_name to avoid hardcoding the function name.
	(rewind_event::rewind_event): Add rewind_info param, using it to
	initialize new m_rewind_info field, and strengthen the assertion.
	(rewind_from_longjmp_event::get_desc): Use get_user_facing_name to
	avoid hardcoding the function name.
	(rewind_to_setjmp_event::get_desc): Likewise.
	* checker-path.h (setjmp_event::setjmp_event): Add setjmp_call
	param and use it to initialize...
	(setjmp_event::m_setjmp_call): New field.
	(rewind_event::rewind_event): Add rewind_info param.
	(rewind_event::m_rewind_info): New protected field.
	(rewind_from_longjmp_event::rewind_from_longjmp_event): Add
	rewind_info param.
	(class rewind_to_setjmp_event): Move rewind_info field to parent
	class.
	* diagnostic-manager.cc (diagnostic_manager::add_events_for_eedge):
	Update setjmp-handling for is_setjmp_call_p requiring a gcall;
	pass the call to the new setjmp_event.
	* engine.cc (exploded_node::on_stmt): Update for is_setjmp_call_p
	requiring a gcall.
	(stale_jmp_buf::emit): Use get_user_facing_name to avoid
	hardcoding the function names.
	(exploded_node::on_longjmp): Pass the longjmp_call when
	constructing rewind_info.
	(rewind_info_t::add_events_to_path): Pass the rewind_info_t to the
	rewind_from_longjmp_event's ctor.
	* exploded-graph.h (rewind_info_t::rewind_info_t): Add
	longjmp_call param.
	(rewind_info_t::get_longjmp_call): New.
	(rewind_info_t::m_longjmp_call): New.
	* region-model.cc (region_model::on_setjmp): Update comment to
	indicate this is also for sigsetjmp.
	* region-model.h (struct setjmp_record): Likewise.
	(class setjmp_svalue): Likewise.

2020-01-27  David Malcolm  <dmalcolm@redhat.com>

	PR analyzer/93276
	* analyzer.h (PUSH_IGNORE_WFORMAT, POP_IGNORE_WFORMAT): Guard these
	macros with GCC_VERSION >= 4006, making them no-op otherwise.
	* engine.cc (exploded_edge::exploded_edge): Specify template for
	base class initializer.
	(exploded_graph::add_edge): Specify template when chaining up to
	base class add_edge implementation.
	(viz_callgraph_node::dump_dot): Drop redundant "typename".
	(viz_callgraph_edge::viz_callgraph_edge): Specify template for
	base class initializer.
	* program-state.cc (sm_state_map::clone_with_remapping): Drop
	redundant "typename".
	(sm_state_map::print): Likewise.
	(sm_state_map::hash): Likewise.
	(sm_state_map::operator==): Likewise.
	(sm_state_map::remap_svalue_ids): Likewise.
	(sm_state_map::on_svalue_purge): Likewise.
	(sm_state_map::validate): Likewise.
	* program-state.h (sm_state_map::iterator_t): Likewise.
	* supergraph.h (superedge::superedge): Specify template for base
	class initializer.

2020-01-23  David Malcolm  <dmalcolm@redhat.com>

	PR analyzer/93375
	* supergraph.cc (callgraph_superedge::get_arg_for_parm): Fail
	gracefully if the number of parameters at the callee exceeds the
	number of arguments at the call stmt.
	(callgraph_superedge::get_parm_for_arg): Likewise.

2020-01-22  David Malcolm  <dmalcolm@redhat.com>

	PR analyzer/93382
	* program-state.cc (sm_state_map::on_svalue_purge): If the
	entry survives, but the origin is being purged, then reset the
	origin to null.

2020-01-22  David Malcolm  <dmalcolm@redhat.com>

	* sm-signal.cc: Fix nesting of CHECKING_P and namespace ana.

2020-01-22  David Malcolm  <dmalcolm@redhat.com>

	PR analyzer/93378
	* engine.cc (setjmp_svalue::compare_fields): Update for
	replacement of m_enode with m_setjmp_record.
	(setjmp_svalue::add_to_hash): Likewise.
	(setjmp_svalue::get_index): Rename...
	(setjmp_svalue::get_enode_index): ...to this.
	(setjmp_svalue::print_details): Update for replacement of m_enode
	with m_setjmp_record.
	(exploded_node::on_longjmp): Likewise.
	* exploded-graph.h (rewind_info_t::m_enode_origin): Replace...
	(rewind_info_t::m_setjmp_record): ...with this.
	(rewind_info_t::rewind_info_t): Update for replacement of m_enode
	with m_setjmp_record.
	(rewind_info_t::get_setjmp_point): Likewise.
	(rewind_info_t::get_setjmp_call): Likewise.
	* region-model.cc (region_model::dump_summary_of_map): Likewise.
	(region_model::on_setjmp): Likewise.
	* region-model.h (struct setjmp_record): New struct.
	(setjmp_svalue::m_enode): Replace...
	(setjmp_svalue::m_setjmp_record): ...with this.
	(setjmp_svalue::setjmp_svalue): Update for replacement of m_enode
	with m_setjmp_record.
	(setjmp_svalue::clone): Likewise.
	(setjmp_svalue::get_index): Rename...
	(setjmp_svalue::get_enode_index): ...to this.
	(setjmp_svalue::get_exploded_node): Replace...
	(setjmp_svalue::get_setjmp_record): ...with this.

2020-01-22  David Malcolm  <dmalcolm@redhat.com>

	PR analyzer/93316
	* analyzer.cc (is_setjmp_call_p): Check for "setjmp" as well as
	"_setjmp".

2020-01-22  David Malcolm  <dmalcolm@redhat.com>

	PR analyzer/93307
	* analysis-plan.h: Wrap everything in namespace "ana".
	* analyzer-logging.cc: Likewise.
	* analyzer-logging.h: Likewise.
	* analyzer-pass.cc (pass_analyzer::execute): Update for "ana"
	namespace.
	* analyzer-selftests.cc: Wrap everything in namespace "ana".
	* analyzer-selftests.h: Likewise.
	* analyzer.h: Likewise for forward decls of types.
	* call-string.h: Likewise.
	* checker-path.cc: Likewise.
	* checker-path.h: Likewise.
	* constraint-manager.cc: Likewise.
	* constraint-manager.h: Likewise.
	* diagnostic-manager.cc: Likewise.
	* diagnostic-manager.h: Likewise.
	* engine.cc: Likewise.
	* engine.h: Likewise.
	* exploded-graph.h: Likewise.
	* function-set.cc: Likewise.
	* function-set.h: Likewise.
	* pending-diagnostic.cc: Likewise.
	* pending-diagnostic.h: Likewise.
	* program-point.cc: Likewise.
	* program-point.h: Likewise.
	* program-state.cc: Likewise.
	* program-state.h: Likewise.
	* region-model.cc: Likewise.
	* region-model.h: Likewise.
	* sm-file.cc: Likewise.
	* sm-malloc.cc: Likewise.
	* sm-pattern-test.cc: Likewise.
	* sm-sensitive.cc: Likewise.
	* sm-signal.cc: Likewise.
	* sm-taint.cc: Likewise.
	* sm.cc: Likewise.
	* sm.h: Likewise.
	* state-purge.h: Likewise.
	* supergraph.cc: Likewise.
	* supergraph.h: Likewise.

2020-01-21  David Malcolm  <dmalcolm@redhat.com>

	PR analyzer/93352
	* region-model.cc (int_cmp): Rename to...
	(array_region::key_cmp): ...this, using key_t rather than int.
	Rewrite in terms of comparisons rather than subtraction to
	ensure qsort is anti-symmetric when handling extreme values.
	(array_region::walk_for_canonicalization): Update for above
	renaming.
	* region-model.h (array_region::key_cmp): New decl.

2020-01-17  David Malcolm  <dmalcolm@redhat.com>

	PR analyzer/93290
	* region-model.cc (region_model::eval_condition_without_cm): Avoid
	gcc_unreachable for unexpected operations for the case where
	we're comparing an svalue against itself.

2020-01-17  David Malcolm  <dmalcolm@redhat.com>

	PR analyzer/93281
	* region-model.cc
	(region_model::convert_byte_offset_to_array_index): Convert to
	ssizetype before dividing by byte_size.  Use fold_binary rather
	than fold_build2 to avoid needlessly constructing a tree for the
	non-const case.

2020-01-15  David Malcolm  <dmalcolm@redhat.com>

	* engine.cc (class impl_region_model_context): Fix comment.

2020-01-14  David Malcolm  <dmalcolm@redhat.com>

	PR analyzer/93212
	* region-model.cc (make_region_for_type): Use
	FUNC_OR_METHOD_TYPE_P rather than comparing against FUNCTION_TYPE.
	* region-model.h (function_region::function_region): Likewise.

2020-01-14  David Malcolm  <dmalcolm@redhat.com>

	* program-state.cc (sm_state_map::clone_with_remapping): Copy
	m_global_state.
	(selftest::test_program_state_merging_2): New selftest.
	(selftest::analyzer_program_state_cc_tests): Call it.

2020-01-14  David Malcolm  <dmalcolm@redhat.com>

	* checker-path.h (checker_path::get_checker_event): New function.
	(checker_path): Add DISABLE_COPY_AND_ASSIGN; make fields private.
	* diagnostic-manager.cc
	(diagnostic_manager::prune_for_sm_diagnostic): Replace direct
	access to checker_path::m_events with accessor functions.  Fix
	overlong line.
	(diagnostic_manager::prune_interproc_events): Replace direct
	access to checker_path::m_events with accessor functions.
	(diagnostic_manager::finish_pruning): Likewise.

2020-01-14  David Malcolm  <dmalcolm@redhat.com>

	* checker-path.h (checker_event::clone): Delete vfunc decl.
	(debug_event::clone): Delete vfunc impl.
	(custom_event::clone): Delete vfunc impl.
	(statement_event::clone): Delete vfunc impl.
	(function_entry_event::clone): Delete vfunc impl.
	(state_change_event::clone): Delete vfunc impl.
	(start_cfg_edge_event::clone): Delete vfunc impl.
	(end_cfg_edge_event::clone): Delete vfunc impl.
	(call_event::clone): Delete vfunc impl.
	(return_event::clone): Delete vfunc impl.
	(setjmp_event::clone): Delete vfunc impl.
	(rewind_from_longjmp_event::clone): Delete vfunc impl.
	(rewind_to_setjmp_event::clone): Delete vfunc impl.
	(warning_event::clone): Delete vfunc impl.

2020-01-14  David Malcolm  <dmalcolm@redhat.com>

	* supergraph.cc (supernode::dump_dot): Ensure that the TABLE
	element has at least one TR.

2020-01-14  David Malcolm  <dmalcolm@redhat.com>

	PR analyzer/58237
	* engine.cc (leak_stmt_finder::find_stmt): Use get_pure_location
	when comparing against UNKNOWN_LOCATION.
	(stmt_requires_new_enode_p): Likewise.
	(exploded_graph::dump_exploded_nodes): Likewise.
	* supergraph.cc (supernode::get_start_location): Likewise.
	(supernode::get_end_location): Likewise.

2020-01-14  David Malcolm  <dmalcolm@redhat.com>

	PR analyzer/58237
	* analyzer-selftests.cc (selftest::run_analyzer_selftests): Call
	selftest::analyzer_sm_file_cc_tests.
	* analyzer-selftests.h (selftest::analyzer_sm_file_cc_tests): New
	decl.
	* sm-file.cc: Include "analyzer/function-set.h" and
	"analyzer/analyzer-selftests.h".
	(get_file_using_fns): New function.
	(is_file_using_fn_p): New function.
	(fileptr_state_machine::on_stmt): Return true for known functions.
	(selftest::analyzer_sm_file_cc_tests): New function.

2020-01-14  David Malcolm  <dmalcolm@redhat.com>

	* analyzer-selftests.cc (selftest::run_analyzer_selftests): Call
	selftest::analyzer_sm_signal_cc_tests.
	* analyzer-selftests.h (selftest::analyzer_sm_signal_cc_tests):
	New decl.
	* sm-signal.cc: Include "analyzer/function-set.h" and
	"analyzer/analyzer-selftests.h".
	(get_async_signal_unsafe_fns): New function.
	(signal_unsafe_p): Reimplement in terms of the above.
	(selftest::analyzer_sm_signal_cc_tests): New function.

2020-01-14  David Malcolm  <dmalcolm@redhat.com>

	* analyzer-selftests.cc (selftest::run_analyzer_selftests): Call
	selftest::analyzer_function_set_cc_tests.
	* analyzer-selftests.h (selftest::analyzer_function_set_cc_tests):
	New decl.
	* function-set.cc: New file.
	* function-set.h: New file.

2020-01-14  David Malcolm  <dmalcolm@redhat.com>

	* analyzer.h (fndecl_has_gimple_body_p): New decl.
	* engine.cc (impl_region_model_context::on_unknown_change): New
	function.
	(fndecl_has_gimple_body_p): Make non-static.
	(exploded_node::on_stmt): Treat __analyzer_dump_exploded_nodes as
	known.  Track whether we have a call with unknown side-effects and
	pass it to on_call_post.
	* exploded-graph.h (impl_region_model_context::on_unknown_change):
	New decl.
	* program-state.cc (sm_state_map::on_unknown_change): New function.
	* program-state.h (sm_state_map::on_unknown_change): New decl.
	* region-model.cc: Include "bitmap.h".
	(region_model::on_call_pre): Return a bool, capturing whether the
	call has unknown side effects.
	(region_model::on_call_post): Add arg "bool unknown_side_effects"
	and if true, call handle_unrecognized_call.
	(class reachable_regions): New class.
	(region_model::handle_unrecognized_call): New function.
	* region-model.h (region_model::on_call_pre): Return a bool.
	(region_model::on_call_post): Add arg "bool unknown_side_effects".
	(region_model::handle_unrecognized_call): New decl.
	(region_model_context::on_unknown_change): New vfunc.
	(test_region_model_context::on_unknown_change): New function.

2020-01-14  David Malcolm  <dmalcolm@redhat.com>

	* diagnostic-manager.cc (saved_diagnostic::operator==): Move here
	from header.  Replace pointer equality test on m_var with call to
	pending_diagnostic::same_tree_p.
	* diagnostic-manager.h (saved_diagnostic::operator==): Move to
	diagnostic-manager.cc.
	* pending-diagnostic.cc (pending_diagnostic::same_tree_p): New.
	* pending-diagnostic.h (pending_diagnostic::same_tree_p): New.
	* sm-file.cc (file_diagnostic::subclass_equal_p): Replace pointer
	equality on m_arg with call to pending_diagnostic::same_tree_p.
	* sm-malloc.cc (malloc_diagnostic::subclass_equal_p): Likewise.
	(possible_null_arg::subclass_equal_p): Likewise.
	(null_arg::subclass_equal_p): Likewise.
	(free_of_non_heap::subclass_equal_p): Likewise.
	* sm-pattern-test.cc (pattern_match::operator==): Likewise.
	* sm-sensitive.cc (exposure_through_output_file::operator==):
	Likewise.
	* sm-taint.cc (tainted_array_index::operator==): Likewise.

2020-01-14  David Malcolm  <dmalcolm@redhat.com>

	* diagnostic-manager.cc (dedupe_winners::add): Add logging
	of deduplication decisions made.

2020-01-14  David Malcolm  <dmalcolm@redhat.com>

	* ChangeLog: New file.
	* analyzer-selftests.cc: New file.
	* analyzer-selftests.h: New file.
	* analyzer.opt: New file.
	* analysis-plan.cc: New file.
	* analysis-plan.h: New file.
	* analyzer-logging.cc: New file.
	* analyzer-logging.h: New file.
	* analyzer-pass.cc: New file.
	* analyzer.cc: New file.
	* analyzer.h: New file.
	* call-string.cc: New file.
	* call-string.h: New file.
	* checker-path.cc: New file.
	* checker-path.h: New file.
	* constraint-manager.cc: New file.
	* constraint-manager.h: New file.
	* diagnostic-manager.cc: New file.
	* diagnostic-manager.h: New file.
	* engine.cc: New file.
	* engine.h: New file.
	* exploded-graph.h: New file.
	* pending-diagnostic.cc: New file.
	* pending-diagnostic.h: New file.
	* program-point.cc: New file.
	* program-point.h: New file.
	* program-state.cc: New file.
	* program-state.h: New file.
	* region-model.cc: New file.
	* region-model.h: New file.
	* sm-file.cc: New file.
	* sm-malloc.cc: New file.
	* sm-malloc.dot: New file.
	* sm-pattern-test.cc: New file.
	* sm-sensitive.cc: New file.
	* sm-signal.cc: New file.
	* sm-taint.cc: New file.
	* sm.cc: New file.
	* sm.h: New file.
	* state-purge.cc: New file.
	* state-purge.h: New file.
	* supergraph.cc: New file.
	* supergraph.h: New file.

2019-12-13  David Malcolm  <dmalcolm@redhat.com>

	* Initial creation

Copyright (C) 2019-2022 Free Software Foundation, Inc.

Copying and distribution of this file, with or without modification,
are permitted in any medium without royalty provided the copyright
notice and this notice are preserved.