git.ipfire.org Git - thirdparty/gcc.git/blame - gcc/analyzer/ChangeLog
Daily bump.

2023-07-26  David Malcolm  <dmalcolm@redhat.com>

	PR analyzer/104940
	* region-model-manager.cc
	(region_model_manager::region_model_manager): Update for
	generalizing region ids to also cover svalues.
	(region_model_manager::get_or_create_constant_svalue): Likewise.
	(region_model_manager::get_or_create_unknown_svalue): Likewise.
	(region_model_manager::create_unique_svalue): Likewise.
	(region_model_manager::get_or_create_initial_value): Likewise.
	(region_model_manager::get_or_create_setjmp_svalue): Likewise.
	(region_model_manager::get_or_create_poisoned_svalue): Likewise.
	(region_model_manager::get_ptr_svalue): Likewise.
	(region_model_manager::get_or_create_unaryop): Likewise.
	(region_model_manager::get_or_create_binop): Likewise.
	(region_model_manager::get_or_create_sub_svalue): Likewise.
	(region_model_manager::get_or_create_repeated_svalue): Likewise.
	(region_model_manager::get_or_create_bits_within): Likewise.
	(region_model_manager::get_or_create_unmergeable): Likewise.
	(region_model_manager::get_or_create_widening_svalue): Likewise.
	(region_model_manager::get_or_create_compound_svalue): Likewise.
	(region_model_manager::get_or_create_conjured_svalue): Likewise.
	(region_model_manager::get_or_create_asm_output_svalue): Likewise.
	(region_model_manager::get_or_create_const_fn_result_svalue):
	Likewise.
	(region_model_manager::get_region_for_fndecl): Likewise.
	(region_model_manager::get_region_for_label): Likewise.
	(region_model_manager::get_region_for_global): Likewise.
	(region_model_manager::get_field_region): Likewise.
	(region_model_manager::get_element_region): Likewise.
	(region_model_manager::get_offset_region): Likewise.
	(region_model_manager::get_sized_region): Likewise.
	(region_model_manager::get_cast_region): Likewise.
	(region_model_manager::get_frame_region): Likewise.
	(region_model_manager::get_symbolic_region): Likewise.
	(region_model_manager::get_region_for_string): Likewise.
	(region_model_manager::get_bit_range): Likewise.
	(region_model_manager::get_var_arg_region): Likewise.
	(region_model_manager::get_region_for_unexpected_tree_code):
	Likewise.
	(region_model_manager::get_or_create_region_for_heap_alloc):
	Likewise.
	(region_model_manager::create_region_for_alloca): Likewise.
	(region_model_manager::log_stats): Likewise.
	* region-model-manager.h (region_model_manager::get_num_regions):
	Replace with...
	(region_model_manager::get_num_symbols): ...this.
	(region_model_manager::alloc_region_id): Replace with...
	(region_model_manager::alloc_symbol_id): ...this.
	(region_model_manager::m_next_region_id): Replace with...
	(region_model_manager::m_next_symbol_id): ...this.
	* region-model.cc (selftest::test_get_representative_tree): Update
	for generalizing region ids to also cover svalues.
	(selftest::test_binop_svalue_folding): Likewise.
	(selftest::test_state_merging): Likewise.
	* region.cc (region::cmp_ids): Delete, in favor of
	symbol::cmp_ids.
	(region::region): Update for introduction of symbol base class.
	(frame_region::get_region_for_local): Likewise.
	(root_region::root_region): Likewise.
	(symbolic_region::symbolic_region): Likewise.
	* region.h: Replace include of "analyzer/complexity.h" with
	"analyzer/symbol.h".
	(class region): Make a subclass of symbol.
	(region::get_id): Delete in favor of symbol::get_id.
	(region::cmp_ids): Delete in favor of symbol::cmp_ids.
	(region::get_complexity): Delete in favor of
	symbol::get_complexity.
	(region::region): Use symbol::id_t for "id" param.
	(region::m_complexity): Move field to symbol base class.
	(region::m_id): Likewise.
	(space_region::space_region): Use symbol::id_t for "id" param.
	(frame_region::frame_region): Likewise.
	(globals_region::globals_region): Likewise.
	(code_region::code_region): Likewise.
	(function_region::function_region): Likewise.
	(label_region::label_region): Likewise.
	(stack_region::stack_region): Likewise.
	(heap_region::heap_region): Likewise.
	(thread_local_region::thread_local_region): Likewise.
	(root_region::root_region): Likewise.
	(symbolic_region::symbolic_region): Likewise.
	(decl_region::decl_region): Likewise.
	(field_region::field_region): Likewise.
	(element_region::element_region): Likewise.
	(offset_region::offset_region): Likewise.
	(sized_region::sized_region): Likewise.
	(cast_region::cast_region): Likewise.
	(heap_allocated_region::heap_allocated_region): Likewise.
	(alloca_region::alloca_region): Likewise.
	(string_region::string_region): Likewise.
	(bit_range_region::bit_range_region): Likewise.
	(var_arg_region::var_arg_region): Likewise.
	(errno_region::errno_region): Likewise.
	(unknown_region::unknown_region): Likewise.
	* svalue.cc (sub_svalue::sub_svalue): Add symbol::id_t param.
	(repeated_svalue::repeated_svalue): Likewise.
	(bits_within_svalue::bits_within_svalue): Likewise.
	(compound_svalue::compound_svalue): Likewise.
	* svalue.h: Replace include of "analyzer/complexity.h" with
	"analyzer/symbol.h".
	(class svalue): Make a subclass of symbol.
	(svalue::get_complexity): Delete in favor of
	symbol::get_complexity.
	(svalue::svalue): Add symbol::id_t param.  Update for new base
	class.
	(svalue::m_complexity): Delete in favor of
	symbol::m_complexity.
	(region_svalue::region_svalue): Add symbol::id_t param.
	(constant_svalue::constant_svalue): Likewise.
	(unknown_svalue::unknown_svalue): Likewise.
	(poisoned_svalue::poisoned_svalue): Likewise.
	(setjmp_svalue::setjmp_svalue): Likewise.
	(initial_svalue::initial_svalue): Likewise.
	(unaryop_svalue::unaryop_svalue): Likewise.
	(binop_svalue::binop_svalue): Likewise.
	(sub_svalue::sub_svalue): Likewise.
	(repeated_svalue::repeated_svalue): Likewise.
	(bits_within_svalue::bits_within_svalue): Likewise.
	(unmergeable_svalue::unmergeable_svalue): Likewise.
	(placeholder_svalue::placeholder_svalue): Likewise.
	(widening_svalue::widening_svalue): Likewise.
	(compound_svalue::compound_svalue): Likewise.
	(conjured_svalue::conjured_svalue): Likewise.
	(asm_output_svalue::asm_output_svalue): Likewise.
	(const_fn_result_svalue::const_fn_result_svalue): Likewise.
	* symbol.cc: New file.
	* symbol.h: New file.

2023-07-21  David Malcolm  <dmalcolm@redhat.com>

	PR analyzer/110455
	* region-model.cc (region_model::get_gassign_result): Only check
	for bad shift counts when dealing with an integral type.

2023-07-21  David Malcolm  <dmalcolm@redhat.com>

	PR analyzer/110433
	PR middle-end/110612
	* access-diagram.cc (class spatial_item): Add virtual dtor.

2023-07-21  David Malcolm  <dmalcolm@redhat.com>

	PR analyzer/110387
	* region.h (struct cast_region::key_t): Support "m_type" being
	null by using "m_original_region" for empty/deleted slots.

2023-07-19  David Malcolm  <dmalcolm@redhat.com>

	PR analyzer/110700
	* region-model-manager.cc
	(region_model_manager::get_or_create_int_cst): Assert that we have
	an integral or pointer type.
	* sm-taint.cc (taint_state_machine::check_for_tainted_divisor):
	Don't check non-integral types.

2023-06-29  benjamin priour  <priour.be@gmail.com>

	PR analyzer/110198
	* region-model-manager.cc
	(region_model_manager::get_or_create_initial_value): Take an
	optional boolean value to bypass poisoning checks.
	* region-model-manager.h: Update declaration of the above function.
	* region-model.cc (region_model::get_store_value): No longer returns
	on OOB, but rather gives a boolean to get_or_create_initial_value.
	(region_model::check_region_access): Update docstring.
	(region_model::check_region_for_write): Update docstring.

2023-06-24  David Malcolm  <dmalcolm@redhat.com>

	* access-diagram.cc: Add #define INCLUDE_VECTOR.
	* bounds-checking.cc: Likewise.

2023-06-22  David Malcolm  <dmalcolm@redhat.com>

	PR analyzer/106626
	* access-diagram.cc: New file.
	* access-diagram.h: New file.
	* analyzer.h (class region_offset): Add default ctor.
	(region_offset::make_byte_offset): New decl.
	(region_offset::concrete_p): New.
	(region_offset::get_concrete_byte_offset): New.
	(region_offset::calc_symbolic_bit_offset): New decl.
	(region_offset::calc_symbolic_byte_offset): New decl.
	(region_offset::dump_to_pp): New decl.
	(region_offset::dump): New decl.
	(operator<, operator<=, operator>, operator>=): New decls for
	region_offset.
	* analyzer.opt
	(-param=analyzer-text-art-string-ellipsis-threshold=): New.
	(-param=analyzer-text-art-string-ellipsis-head-len=): New.
	(-param=analyzer-text-art-string-ellipsis-tail-len=): New.
	(-param=analyzer-text-art-ideal-canvas-width=): New.
	(fanalyzer-debug-text-art): New.
	* bounds-checking.cc: Include "intl.h", "diagnostic-diagram.h",
	and "analyzer/access-diagram.h".
	(class out_of_bounds::oob_region_creation_event_capacity): New.
	(out_of_bounds::out_of_bounds): Add "model" and "sval_hint"
	params.
	(out_of_bounds::mark_interesting_stuff): Use the base region.
	(out_of_bounds::add_region_creation_events): Use
	oob_region_creation_event_capacity.
	(out_of_bounds::get_dir): New pure vfunc.
	(out_of_bounds::maybe_show_notes): New.
	(out_of_bounds::maybe_show_diagram): New.
	(out_of_bounds::make_access_diagram): New.
	(out_of_bounds::m_model): New field.
	(out_of_bounds::m_sval_hint): New field.
	(out_of_bounds::m_region_creation_event_id): New field.
	(concrete_out_of_bounds::concrete_out_of_bounds): Update for new
	fields.
	(concrete_past_the_end::concrete_past_the_end): Likewise.
	(concrete_past_the_end::add_region_creation_events): Use
	oob_region_creation_event_capacity.
	(concrete_buffer_overflow::concrete_buffer_overflow): Update for
	new fields.
	(concrete_buffer_overflow::emit): Replace call to
	maybe_describe_array_bounds with maybe_show_notes.
	(concrete_buffer_overflow::get_dir): New.
	(concrete_buffer_over_read::concrete_buffer_over_read): Update for
	new fields.
	(concrete_buffer_over_read::emit): Replace call to
	maybe_describe_array_bounds with maybe_show_notes.
	(concrete_buffer_overflow::get_dir): New.
	(concrete_buffer_underwrite::concrete_buffer_underwrite): Update
	for new fields.
	(concrete_buffer_underwrite::emit): Replace call to
	maybe_describe_array_bounds with maybe_show_notes.
	(concrete_buffer_underwrite::get_dir): New.
	(concrete_buffer_under_read::concrete_buffer_under_read): Update
	for new fields.
	(concrete_buffer_under_read::emit): Replace call to
	maybe_describe_array_bounds with maybe_show_notes.
	(concrete_buffer_under_read::get_dir): New.
	(symbolic_past_the_end::symbolic_past_the_end): Update for new
	fields.
	(symbolic_buffer_overflow::symbolic_buffer_overflow): Likewise.
	(symbolic_buffer_overflow::emit): Call maybe_show_notes.
	(symbolic_buffer_overflow::get_dir): New.
	(symbolic_buffer_over_read::symbolic_buffer_over_read): Update for
	new fields.
	(symbolic_buffer_over_read::emit): Call maybe_show_notes.
	(symbolic_buffer_over_read::get_dir): New.
	(region_model::check_symbolic_bounds): Add "sval_hint" param.  Pass
	it and sized_offset_reg to diagnostics.
	(region_model::check_region_bounds): Add "sval_hint" param, passing
	it to diagnostics.
	* diagnostic-manager.cc
	(diagnostic_manager::emit_saved_diagnostic): Pass logger to
	pending_diagnostic::emit.
	* engine.cc: Add logger param to pending_diagnostic::emit
	implementations.
	* infinite-recursion.cc: Likewise.
	* kf-analyzer.cc: Likewise.
	* kf.cc: Likewise.  Add nullptr for new param of
	check_region_for_write.
	* pending-diagnostic.h: Likewise in decl.
	* region-model-manager.cc
	(region_model_manager::get_or_create_int_cst): Convert param from
	poly_int64 to const poly_wide_int_ref &.
	(region_model_manager::maybe_fold_binop): Support type being NULL
	when checking for floating-point types.
	Check for (X + Y) - X => Y.  Be less strict about types when folding
	associative ops.  Check for (X + Y) * CST => (X * CST) + (Y * CST).
	* region-model-manager.h
	(region_model_manager::get_or_create_int_cst): Convert param from
	poly_int64 to const poly_wide_int_ref &.
	* region-model.cc: Add logger param to pending_diagnostic::emit
	implementations.
	(region_model::check_external_function_for_access_attr): Update
	for new param of check_region_for_write.
	(region_model::deref_rvalue): Use nullptr rather than NULL.
	(region_model::get_capacity): Handle RK_STRING.
	(region_model::check_region_access): Add "sval_hint" param; pass it to
	check_region_bounds.
	(region_model::check_region_for_write): Add "sval_hint" param;
	pass it to check_region_access.
	(region_model::check_region_for_read): Add NULL for new param to
	check_region_access.
	(region_model::set_value): Pass rhs_sval to
	check_region_for_write.
	(region_model::get_representative_path_var_1): Handle SK_CONSTANT
	in the check for infinite recursion.
	* region-model.h (region_model::check_region_for_write): Add
	"sval_hint" param.
	(region_model::check_region_access): Likewise.
	(region_model::check_symbolic_bounds): Likewise.
	(region_model::check_region_bounds): Likewise.
	* region.cc (region_offset::make_byte_offset): New.
	(region_offset::calc_symbolic_bit_offset): New.
	(region_offset::calc_symbolic_byte_offset): New.
	(region_offset::dump_to_pp): New.
	(region_offset::dump): New.
	(struct linear_op): New.
	(operator<, operator<=, operator>, operator>=): New, for
	region_offset.
	(region::get_next_offset): New.
	(region::get_relative_symbolic_offset): Use ptrdiff_type_node.
	(field_region::get_relative_symbolic_offset): Likewise.
	(element_region::get_relative_symbolic_offset): Likewise.
	(bit_range_region::get_relative_symbolic_offset): Likewise.
	* region.h (region::get_next_offset): New decl.
	* sm-fd.cc: Add logger param to pending_diagnostic::emit
	implementations.
	* sm-file.cc: Likewise.
	* sm-malloc.cc: Likewise.
	* sm-pattern-test.cc: Likewise.
	* sm-sensitive.cc: Likewise.
	* sm-signal.cc: Likewise.
	* sm-taint.cc: Likewise.
	* store.cc (bit_range::contains_p): Allow "out" to be null.
	* store.h (byte_range::get_start_bit_offset): New.
	(byte_range::get_next_bit_offset): New.
	* varargs.cc: Add logger param to pending_diagnostic::emit
	implementations.

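The 2023-06-22 entry above (PR analyzer/106626) is about how -fanalyzer reports concrete out-of-bounds writes and reads (the concrete_buffer_overflow and related diagnostics in bounds-checking.cc) and draws the access diagram. The code below is an added illustration of the kind of defect those diagnostics target, written for this page; it is not GCC code and is not taken from the GCC testsuite. The struct, field names and TAG_LEN are invented for the example: a fixed-size field is filled from a caller-supplied string, first without a bound (the write spills past tag[] into the field after it) and then with a bounded copy that reports truncation instead of overflowing.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed example for this ChangeLog page; not code from GCC.  */

#define TAG_LEN 8

struct record {
    char tag[TAG_LEN];
    unsigned flags;   /* directly after tag[]: the first thing an overflow clobbers */
};

/* Length of s, never scanning past max bytes (a bounded strlen).  */
static size_t bounded_len(const char *s, size_t max)
{
    size_t n = 0;
    while (n < max && s[n] != '\0')
        n++;
    return n;
}

/* Vulnerable form: copies the whole source regardless of the fixed size of
   r->tag.  With a source longer than TAG_LEN - 1 this writes past tag[] into
   flags and beyond; that is the concrete out-of-bounds write the
   bounds-checking.cc diagnostics above describe.  It is kept here only to
   show the pattern; main() below only ever calls it with an input that fits.  */
static void set_tag_unchecked(struct record *r, const char *src)
{
    memcpy(r->tag, src, strlen(src) + 1);
}

/* Hardened form: bounded copy that always NUL-terminates inside tag[] and
   tells the caller about truncation instead of writing past the buffer.
   Returns 0 if src fit, -1 if it was truncated to TAG_LEN - 1 bytes.  */
static int set_tag(struct record *r, const char *src)
{
    size_t n = bounded_len(src, TAG_LEN);
    if (n >= TAG_LEN) {                  /* no room left for the terminator */
        memcpy(r->tag, src, TAG_LEN - 1);
        r->tag[TAG_LEN - 1] = '\0';
        return -1;
    }
    memcpy(r->tag, src, n + 1);          /* n <= TAG_LEN - 1, so the NUL fits */
    return 0;
}

int main(void)
{
    struct record r = { "", 0x1234u };

    set_tag_unchecked(&r, "ok");         /* 3 bytes into an 8-byte field: fits */
    printf("unchecked: tag=%s flags=%#x\n", r.tag, r.flags);

    int rc = set_tag(&r, "this-is-far-too-long");
    printf("checked: rc=%d tag=%s flags=%#x\n", rc, r.tag, r.flags);
    return 0;
}
```

The point of returning -1 rather than silently truncating is that the caller can decide whether a truncated tag is acceptable; silently dropping bytes from attacker-controlled input is a second class of bug, not a fix.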
2023-06-10  Tim Lange  <mail@tim-lange.me>

	PR analyzer/109577
	* constraint-manager.cc (class sval_finder): Visitor to find
	children in svalue trees.
	(constraint_manager::sval_constrained_p): Add new function to
	check whether a sval might be part of a constraint.
	* constraint-manager.h: Add sval_constrained_p function.
	* region-model.cc (class size_visitor): Reverse behavior to not
	emit a warning on not explicitly considered cases.
	(region_model::check_region_size):
	Adapt to size_visitor changes.

2023-06-09  David Malcolm  <dmalcolm@redhat.com>

	PR analyzer/110112
	* region-model.cc (region_model::get_initial_value_for_global):
	Move code to region::calc_initial_value_at_main.
	* region.cc (region::get_initial_value_at_main): New function.
	(region::calc_initial_value_at_main): New function, based on code
	in region_model::get_initial_value_for_global.
	(region::region): Initialize m_cached_init_sval_at_main.
	(decl_region::get_svalue_for_constructor): Add a cache, splitting
	out body to...
	(decl_region::calc_svalue_for_constructor): ...this new function.
	* region.h (region::get_initial_value_at_main): New decl.
	(region::calc_initial_value_at_main): New decl.
	(region::m_cached_init_sval_at_main): New field.
	(decl_region::decl_region): Initialize m_ctor_svalue.
	(decl_region::calc_svalue_for_constructor): New decl.
	(decl_region::m_ctor_svalue): New field.

2023-06-08  Benjamin Priour  <vultkayn@gcc.gnu.org>

	* bounds-checking.cc (region_model::check_symbolic_bounds): Returns
	whether the BASE_REG region access was OOB.
	(region_model::check_region_bounds): Likewise.
	* region-model.cc (region_model::get_store_value): Creates an
	unknown svalue on OOB-read access to REG.
	(region_model::check_region_access): Returns whether an unknown
	svalue needs to be created.
	(region_model::check_region_for_read): Passes check_region_access
	return value.
	* region-model.h: Update prior function definitions.

2023-06-02  David Malcolm  <dmalcolm@redhat.com>

	PR analyzer/109015
	* kf.cc (class kf_atomic_exchange): New.
	(class kf_atomic_exchange_n): New.
	(class kf_atomic_fetch_op): New.
	(class kf_atomic_op_fetch): New.
	(class kf_atomic_load): New.
	(class kf_atomic_load_n): New.
	(class kf_atomic_store_n): New.
	(register_atomic_builtins): New function.
	(register_known_functions): Call register_atomic_builtins.

2023-06-02  David Malcolm  <dmalcolm@redhat.com>

	* store.cc (store::eval_alias_1): Regions in different memory
	spaces can't alias.

2023-05-18  Bernhard Reutner-Fischer  <aldot@gcc.gnu.org>

	* region-model-manager.cc (get_code_for_cast): Use _P defines from
	tree.h.
	(region_model_manager::get_or_create_cast): Ditto.
	(region_model_manager::get_region_for_global): Ditto.
	* region-model.cc (region_model::get_lvalue_1): Ditto.
	* region.cc (decl_region::maybe_get_constant_value): Ditto.

2023-03-22  David Malcolm  <dmalcolm@redhat.com>

	PR analyzer/109239
	* program-point.cc: Include "analyzer/inlining-iterator.h".
	(program_point::effectively_intraprocedural_p): New function.
	* program-point.h (program_point::effectively_intraprocedural_p):
	New decl.
	* sm-malloc.cc (deref_before_check::emit): Use it when rejecting
	interprocedural cases, so that we reject interprocedural cases
	that have become intraprocedural due to inlining.

2023-03-18  David Malcolm  <dmalcolm@redhat.com>

	PR analyzer/109094
	* region-model.cc (region_model::on_longjmp): Pass false for
	new "eval_return_svalue" param of pop_frame.
	(region_model::pop_frame): Add new "eval_return_svalue" param and
	use it to suppress the call to get_rvalue on the result when
	needed by on_longjmp.
	* region-model.h (region_model::pop_frame): Add new
	"eval_return_svalue" param.

2023-03-10  David Malcolm  <dmalcolm@redhat.com>

	PR analyzer/109059
	* region-model.cc (region_model::mark_region_as_unknown): Gather a
	set of maybe-live svalues and call on_maybe_live_values with it.
	* store.cc (binding_map::remove_overlapping_bindings): Add new
	"maybe_live_values" param; add any removed svalues to it.
	(binding_cluster::clobber_region): Add NULL as new param of
	remove_overlapping_bindings.
	(binding_cluster::mark_region_as_unknown): Add "maybe_live_values"
	param and pass it to remove_overlapping_bindings.
	(binding_cluster::maybe_get_compound_binding): Add NULL for new
	param of binding_map::remove_overlapping_bindings.
	(binding_cluster::remove_overlapping_bindings): Add
	"maybe_live_values" param and pass to
	binding_map::remove_overlapping_bindings.
	(store::set_value): Capture a set of maybe-live svalues, and call
	on_maybe_live_values with it.
	(store::on_maybe_live_values): New.
	(store::mark_region_as_unknown): Add "maybe_live_values" param
	and pass it to binding_cluster::mark_region_as_unknown.
	(store::remove_overlapping_bindings): Pass NULL for new param of
	binding_cluster::remove_overlapping_bindings.
	* store.h (binding_map::remove_overlapping_bindings): Add
	"maybe_live_values" param.
	(binding_cluster::mark_region_as_unknown): Likewise.
	(binding_cluster::remove_overlapping_bindings): Likewise.
	(store::mark_region_as_unknown): Likewise.
	(store::on_maybe_live_values): New decl.

2023-03-10  David Malcolm  <dmalcolm@redhat.com>

	PR analyzer/108475
	PR analyzer/109060
	* sm-malloc.cc (deref_before_check::deref_before_check):
	Initialize new field m_deref_expr.  Assert that arg is non-NULL.
	(deref_before_check::emit): Reject cases where the spelling of the
	thing that was dereferenced differs from that of what is checked,
	or if the dereference expression was not found.  Remove code to
	handle NULL m_arg.
	(deref_before_check::describe_state_change): Remove code to handle
	NULL m_arg.
	(deref_before_check::describe_final_event): Likewise.
	(deref_before_check::sufficiently_similar_p): New.
	(deref_before_check::m_deref_expr): New field.
	(malloc_state_machine::maybe_complain_about_deref_before_check):
	Don't warn if the diag_ptr is NULL.

2023-03-03  David Malcolm  <dmalcolm@redhat.com>

	* kf.cc (class kf_sprintf): New.
	(register_known_functions): Register it.

2023-03-02  David Malcolm  <dmalcolm@redhat.com>

	PR analyzer/108968
	* region-model.cc (region_model::get_rvalue_1): Handle VAR_DECLs
	with a DECL_HARD_REGISTER by returning UNKNOWN.

2023-03-02  Hans-Peter Nilsson  <hp@axis.com>

	* kf.cc (register_known_functions): Add __errno function for newlib.

2023-03-01  David Malcolm  <dmalcolm@redhat.com>

	PR analyzer/107565
	* region-model.cc (region_model::on_call_pre): Flatten logic by
	returning early.  Consolidate logic for detecting const and pure
	functions.  When considering whether an unhandled built-in
	function has side-effects, consider all kinds of builtin, rather
	than just BUILT_IN_NORMAL, and don't require
	gimple_builtin_call_types_compatible_p.

2023-03-01  David Malcolm  <dmalcolm@redhat.com>

	PR analyzer/108935
	* infinite-recursion.cc (contains_unknown_p): New.
	(sufficiently_different_region_binding_p): New function, splitting
	out inner loop from...
	(sufficiently_different_p): ...here.  Extend detection of unknown
	svalues to also include svalues that contain unknown.  Treat
	changes in frames below the entry to the recursion as being
	sufficiently different to reject being an infinite recursion.

2023-02-21  David Malcolm  <dmalcolm@redhat.com>

	PR analyzer/108830
	* analyzer.opt (fanalyzer-suppress-followups): New option.
	* engine.cc (impl_region_model_context::warn): Terminate the path
	if the diagnostic's terminate_path_p vfunc returns true and
	-fanalyzer-suppress-followups is true (the default).
	(impl_sm_context::warn): Likewise, for both overloads.
	* pending-diagnostic.h (pending_diagnostic::terminate_path_p): New
	vfunc.
	* program-state.cc (program_state::on_edge): Terminate the path if
	the ctxt requests it during updating the edge.
	* region-model.cc (poisoned_value_diagnostic::terminate_path_p):
	New vfunc.
	* sm-malloc.cc (null_deref::terminate_path_p): New vfunc.
	(null_arg::terminate_path_p): New vfunc.

2023-02-16  David Malcolm  <dmalcolm@redhat.com>

	PR analyzer/108806
	* constraint-manager.cc (bounded_range::dump_to_pp): Use
	bounded_range::singleton_p.
	(constraint_manager::add_bounded_ranges): Handle singleton ranges
	by adding an EQ_EXPR constraint.
	(constraint_manager::impossible_derived_conditions_p): New.
	(constraint_manager::eval_condition): Reject EQ_EXPR when it would
	imply impossible derived conditions.
	(selftest::test_bits): New.
	(selftest::run_constraint_manager_tests): Run it.
	* constraint-manager.h (bounded_range::singleton_p): New.
	(constraint_manager::impossible_derived_conditions_p): New decl.
	* region-model.cc (region_model::get_rvalue_1): Handle
	BIT_AND_EXPR, BIT_IOR_EXPR, and BIT_XOR_EXPR.

2023-02-15  David Malcolm  <dmalcolm@redhat.com>

	PR analyzer/108664
	PR analyzer/108666
	PR analyzer/108725
	* diagnostic-manager.cc (epath_finder::get_best_epath): Add
	"target_stmt" param.
	(epath_finder::explore_feasible_paths): Likewise.
	(epath_finder::process_worklist_item): Likewise.
	(saved_diagnostic::calc_best_epath): Pass m_stmt to
	epath_finder::get_best_epath.
	* engine.cc (feasibility_state::maybe_update_for_edge): Move
	per-stmt logic to...
	(feasibility_state::update_for_stmt): ...this new function.
	* exploded-graph.h (feasibility_state::update_for_stmt): New decl.
	* feasible-graph.cc (feasible_node::get_state_at_stmt): New.
	* feasible-graph.h: Include "analyzer/exploded-graph.h".
	(feasible_node::get_state_at_stmt): New decl.
	* infinite-recursion.cc
	(infinite_recursion_diagnostic::check_valid_fpath_p): Update for
	vfunc signature change.
	* pending-diagnostic.h (pending_diagnostic::check_valid_fpath_p):
	Convert first param to a reference.  Add stmt param.
	* region-model.cc: Include "analyzer/feasible-graph.h".
	(poisoned_value_diagnostic::poisoned_value_diagnostic): Add
	"check_expr" param.
	(poisoned_value_diagnostic::check_valid_fpath_p): New.
	(poisoned_value_diagnostic::m_check_expr): New field.
	(region_model::check_for_poison): Attempt to supply a check_expr
	to the diagnostic.
	(region_model::deref_rvalue): Add NULL for new check_expr param
	of poisoned_value_diagnostic.
	(region_model::get_or_create_region_for_heap_alloc): Don't reuse
	regions that are marked as TOUCHED.

2023-02-10  David Malcolm  <dmalcolm@redhat.com>

	PR analyzer/108745
	* sm-malloc.cc (deref_before_check::emit): Reject the warning if
	the check occurs within a macro definition.

2023-02-09  David Malcolm  <dmalcolm@redhat.com>

	PR analyzer/108733
	* state-purge.cc (get_candidate_for_purging): Add ADDR_EXPR
	and MEM_REF.

2023-02-08  David Malcolm  <dmalcolm@redhat.com>

	PR analyzer/108704
	* state-purge.cc (state_purge_per_decl::process_point_backwards):
	Don't stop processing the decl if it's fully overwritten by
	this stmt if it's also used by this stmt.

2023-02-07  David Malcolm  <dmalcolm@redhat.com>

	PR analyzer/108661
	* sm-fd.cc (class kf_read): New.
	(register_known_fd_functions): Register "read".
	* sm-file.cc (class kf_fread): Update comment.

2023-02-02  David Malcolm  <dmalcolm@redhat.com>

	PR analyzer/108633
	* sm-fd.cc (fd_state_machine::check_for_fd_attrs): Add missing
	"continue".
	(fd_state_machine::on_listen): Don't issue phase-mismatch or
	type-mismatch warnings for the "invalid" state.

2023-02-01  David Malcolm  <dmalcolm@redhat.com>

	PR analyzer/108616
	* pending-diagnostic.cc (fixup_location_in_macro_p): Add "alloca"
	to macros that we shouldn't unwind inside.

2023-01-26  David Malcolm  <dmalcolm@redhat.com>

	PR analyzer/108524
	* analyzer.h (class feasible_node): New forward decl.
	* diagnostic-manager.cc (epath_finder::get_best_epath): Add "pd"
	param.
	(epath_finder::explore_feasible_paths): Likewise.
	(epath_finder::process_worklist_item): Likewise.  Use it to call
	pending_diagnostic::check_valid_fpath_p on the final fpath to
	give pending_diagnostic a way to add additional restrictions on
	feasibility.
	(saved_diagnostic::calc_best_epath): Pass pending_diagnostic to
	epath_finder::get_best_epath.
	* infinite-recursion.cc: Include "analyzer/feasible-graph.h".
	(infinite_recursion_diagnostic::check_valid_fpath_p): New.
	(infinite_recursion_diagnostic::fedge_uses_conjured_svalue_p): New.
	(infinite_recursion_diagnostic::expr_uses_conjured_svalue_p): New.
	* pending-diagnostic.h (pending_diagnostic::check_valid_fpath_p):
	New vfunc.

2023-01-19  David Malcolm  <dmalcolm@redhat.com>

	PR analyzer/108455
	* analyzer.h (class checker_event): New forward decl.
	(class state_change_event): Indent.
	(class warning_event): New forward decl.
	* checker-event.cc (state_change_event::state_change_event): Add
	"enode" param.
	(warning_event::get_desc): Update for new param of
	evdesc::final_event ctor.
	* checker-event.h (state_change_event::state_change_event): Add
	"enode" param.
	(state_change_event::get_exploded_node): New accessor.
	(state_change_event::m_enode): New field.
	(warning_event::warning_event): New "enode" param.
	(warning_event::get_exploded_node): New accessor.
	(warning_event::m_enode): New field.
	* diagnostic-manager.cc
	(state_change_event_creator::on_global_state_change): Pass
	src_node to state_change_event ctor.
	(state_change_event_creator::on_state_change): Likewise.
	(null_assignment_sm_context::set_next_state): Pass NULL for
	new param of state_change_event ctor.
	* infinite-recursion.cc
	(infinite_recursion_diagnostic::add_final_event): Update for new
	param of warning_event ctor.
	* pending-diagnostic.cc (pending_diagnostic::add_final_event):
	Pass enode to warning_event ctor.
	* pending-diagnostic.h (evdesc::final_event): Add reference to
	warning_event.
	* sm-malloc.cc: Include "analyzer/checker-event.h" and
	"analyzer/exploded-graph.h".
	(deref_before_check::deref_before_check): Initialize new fields.
	(deref_before_check::emit): Reject warnings in which we were
	unable to determine the enodes of the dereference and the check.
	Reject interprocedural warnings.  Reject warnings in which
	the dereference doesn't dominate the check.
	(deref_before_check::describe_state_change): Set m_deref_enode.
	(deref_before_check::describe_final_event): Set m_check_enode.
	(deref_before_check::m_deref_enode): New field.
	(deref_before_check::m_check_enode): New field.

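Several entries above (2023-01-19 PR analyzer/108455, 2023-02-10 PR analyzer/108745, 2023-03-10 PR analyzer/108475 and 109060, 2023-03-22 PR analyzer/109239) tighten the heuristics of the sm-malloc.cc deref_before_check diagnostic: it now only fires when the dereference and the check are in the same function, spelled the same way, not inside a macro, and the dereference dominates the check. The code below is an added example written for this page, not GCC code, of exactly that shape, beside the corrected ordering. The struct and function names are invented. The security-relevant point is that a NULL check placed after a dereference is not merely late: because the dereference already implies the pointer is non-null, GCC is entitled (with -fdelete-null-pointer-checks, on by default at -O2) to remove the later check entirely, so the "defensive" test provides no protection at all.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed example for this ChangeLog page; not code from GCC.  */

struct conn {
    const char *peer;   /* textual peer address, may be NULL if not yet known */
    int fd;
};

/* Buggy form: the pattern deref_before_check targets.  `conn` is
   dereferenced on the first line and only afterwards compared with NULL.
   The dereferenced expression and the checked expression are spelled
   identically, both are in this function (not in a macro), and the
   dereference dominates the check, so this matches the heuristics listed in
   the entries above.  The check is useless: a NULL conn has already faulted,
   and the optimizer may delete the check as dead code.  main() only calls
   this with a valid pointer.  */
static int describe_buggy(const struct conn *conn, char *out, size_t outsz)
{
    size_t n = strlen(conn->peer);        /* dereference */
    if (conn == NULL)                     /* check, too late */
        return -1;
    if (n + 1 > outsz)
        return -1;
    memcpy(out, conn->peer, n + 1);
    return (int)n;
}

/* Fixed form: validate the pointer, and the field it leads to, before the
   first use.  Returns the length copied, or -1 on NULL input or if `out`
   is too small (out is left untouched in that case).  */
static int describe(const struct conn *conn, char *out, size_t outsz)
{
    if (conn == NULL || conn->peer == NULL)
        return -1;
    size_t n = strlen(conn->peer);
    if (n + 1 > outsz)
        return -1;
    memcpy(out, conn->peer, n + 1);
    return (int)n;
}

int main(void)
{
    struct conn c = { "10.0.0.5", 3 };     /* constructed sample input */
    char buf[32];

    printf("buggy:  %d %s\n", describe_buggy(&c, buf, sizeof buf), buf);
    printf("fixed:  %d %s\n", describe(&c, buf, sizeof buf), buf);
    printf("NULL:   %d\n", describe(NULL, buf, sizeof buf));
    return 0;
}
```

When -fanalyzer flags this pattern, the right response is to move the check, not to suppress the warning: either the pointer can be NULL, in which case the early check is required, or it cannot, in which case the late check is dead code that misleads the next reader.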
2023-01-13  David Malcolm  <dmalcolm@redhat.com>

	PR analyzer/105273
	* region-model.cc (has_nondefault_case_for_value_p): New.
	(has_nondefault_cases_for_all_enum_values_p): New.
	(region_model::apply_constraints_for_gswitch): Skip
	implicitly-created "default" when switching on an enum
	and all enum values have non-default cases.
	(rejected_default_case::dump_to_pp): New.
	* region-model.h (region_model_context::possibly_tainted_p): New
	decl.
	(class rejected_default_case): New.
	* sm-taint.cc (region_model_context::possibly_tainted_p): New.
	* supergraph.cc (switch_cfg_superedge::dump_label_to_pp): Dump
	when implicitly_created_default_p.
	(switch_cfg_superedge::implicitly_created_default_p): New.
	* supergraph.h
	(switch_cfg_superedge::implicitly_created_default_p): New decl.

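The 2023-01-13 entry above (PR analyzer/105273) changes how apply_constraints_for_gswitch treats a switch on an enum when every enumerator has its own case: the implicitly created "default" edge is skipped. The code below is an added example written for this page, not GCC code, showing the code shape that change concerns and the caveat that goes with it. The enum and function names are invented. The same entry adds region_model_context::possibly_tainted_p in sm-taint.cc; the page does not say how it is used, and it is my assumption that it keeps the default edge alive when the switch operand may be attacker-controlled. Independently of the analyzer, it is a fact of the C language that an enum-typed object can hold any value of its underlying integer type, so a value that comes from untrusted input must be range-checked before it is treated as one of the enumerators.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed example for this ChangeLog page; not code from GCC.  */

enum proto { PROTO_TCP, PROTO_UDP, PROTO_ICMP };

/* Every enumerator has an explicit case and there is no default.  Before
   the PR analyzer/105273 change, -fanalyzer also followed the implicitly
   created "default" edge, on which `name` is never assigned, and could
   report that path; with the change that edge is skipped when the switch
   operand is an enum whose values are all covered.  Only call this with a
   value that is actually one of the enumerators.  */
static const char *proto_name(enum proto p)
{
    const char *name;
    switch (p) {
    case PROTO_TCP:  name = "tcp";  break;
    case PROTO_UDP:  name = "udp";  break;
    case PROTO_ICMP: name = "icmp"; break;
    }
    return name;
}

/* The untrusted-input side of the same pattern: a protocol number parsed
   off the wire is a plain integer and may be outside {0, 1, 2}.  Range-check
   it before converting to the enum, and keep an explicit failure path
   instead of relying on the switch's (now skipped) implicit default.
   Returns NULL for out-of-range input.  */
static const char *proto_name_from_wire(int raw)
{
    if (raw < PROTO_TCP || raw > PROTO_ICMP)
        return NULL;
    return proto_name((enum proto)raw);
}

int main(void)
{
    printf("%s\n", proto_name(PROTO_UDP));
    const char *s = proto_name_from_wire(7);      /* constructed bad input */
    printf("%s\n", s ? s : "(rejected)");
    return 0;
}
```

In a parser, proto_name_from_wire is the function to expose; proto_name is an internal helper whose precondition (a genuine enumerator) the range check establishes.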
81ed98bc
GA
6832023-01-11 David Malcolm <dmalcolm@redhat.com>
684
685 PR analyzer/108252
686 * kf.cc (class kf_strdup): New.
687 (class kf_strndup): New.
688 (register_known_functions): Register them.
689 * region-model.cc (region_model::on_call_pre): Use
690 &HEAP_ALLOCATED_REGION for the default result of an external
691 function with the "malloc" attribute, rather than CONJURED_SVALUE.
692 (region_model::get_or_create_region_for_heap_alloc): Allow
693 "size_in_bytes" to be NULL.
694 * store.cc (store::set_value): When handling *UNKNOWN = VAL,
695 mark VAL as "maybe bound".
696
5fb1e674
GA
2022-12-16  David Malcolm  <dmalcolm@redhat.com>

	PR analyzer/106479
	* kf.cc (kf_memcpy_memmove::impl_call_pre): Pass in source region
	to region_model::check_for_poison.
	* region-model-asm.cc (region_model::on_asm_stmt): Pass NULL
	region to region_model::check_for_poison.
	* region-model.cc (region_model::check_for_poison): Add
	"src_region" param, and pass it to poisoned_value_diagnostic.
	(region_model::on_assignment): Pass NULL region to
	region_model::check_for_poison.
	(region_model::get_rvalue): Likewise.
	* region-model.h (region_model::check_for_poison): Add
	"src_region" param.
	* sm-fd.cc (fd_state_machine::on_accept): Pass in source region
	to region_model::check_for_poison.
	* varargs.cc (kf_va_copy::impl_call_pre): Pass NULL region to
	region_model::check_for_poison.
	(kf_va_arg::impl_call_pre): Pass in source region to
	region_model::check_for_poison.

2022-12-14  David Malcolm  <dmalcolm@redhat.com>

	PR analyzer/108065
	* region.cc (decl_region::get_svalue_for_initializer): Bail out to
	avoid calling binding_key::make with an empty region.
	* store.cc (binding_map::apply_ctor_val_to_range): Likewise.
	(binding_map::apply_ctor_pair_to_child_region): Likewise.
	(binding_cluster::bind): Likewise.
	(binding_cluster::purge_region): Likewise.
	(binding_cluster::maybe_get_compound_binding): Likewise.
	(binding_cluster::maybe_get_simple_value): Likewise.

2022-12-09  David Malcolm  <dmalcolm@redhat.com>

	* analyzer.h (class known_function): Expand comment.
	* region-model-impl-calls.cc: Rename to...
	* kf.cc: ...this.
	* known-function-manager.h (class known_function_manager): Add
	leading comment.

2022-12-09  David Malcolm  <dmalcolm@redhat.com>

	PR analyzer/108003
	* call-summary.cc
	(call_summary_replay::convert_region_from_summary_1): Convert
	heap_regs_in_use from auto_sbitmap to auto_bitmap.
	* region-model-manager.cc
	(region_model_manager::get_or_create_region_for_heap_alloc):
	Convert from sbitmap to bitmap.
	* region-model-manager.h: Likewise.
	* region-model.cc
	(region_model::get_or_create_region_for_heap_alloc): Convert from
	auto_sbitmap to auto_bitmap.
	(region_model::get_referenced_base_regions): Likewise.
	* region-model.h: Include "bitmap.h" rather than "sbitmap.h".
	(region_model::get_referenced_base_regions): Convert from
	auto_sbitmap to auto_bitmap.

2022-12-09  David Malcolm  <dmalcolm@redhat.com>

	* region-model-impl-calls.cc (class kf_memcpy): Rename to...
	(class kf_memcpy_memmove): ...this.
	(kf_memcpy::impl_call_pre): Rename to...
	(kf_memcpy_memmove::impl_call_pre): ...this, and check the src for
	poison.
	(register_known_functions): Update for above renaming, and
	register BUILT_IN_MEMMOVE and BUILT_IN_MEMMOVE_CHK.

2022-12-06  David Malcolm  <dmalcolm@redhat.com>

	PR analyzer/107882
	* region-model.cc (region_model::get_store_value): Return an
	unknown value for empty regions.
	(region_model::set_value): Bail on empty regions.
	* region.cc (region::empty_p): New.
	* region.h (region::empty_p): New decl.
	* state-purge.cc (same_binding_p): Bail if either region is empty.
	* store.cc (binding_key::make): Assert that a concrete binding's
	bit_size must be > 0.
	(binding_cluster::mark_region_as_unknown): Bail on empty regions.
	(binding_cluster::get_binding): Likewise.
	(binding_cluster::remove_overlapping_bindings): Likewise.
	(binding_cluster::on_unknown_fncall): Don't conjure values for
	empty regions.
	(store::fill_region): Bail on empty regions.
	* store.h (class concrete_binding): Update comment to reflect that
	the range of bits must be non-empty.
	(concrete_binding::concrete_binding): Assert that bit range is
	non-empty.

2022-12-06  David Malcolm  <dmalcolm@redhat.com>

	PR analyzer/106325
	* region-model-manager.cc
	(region_model_manager::get_or_create_null_ptr): New.
	* region-model-manager.h
	(region_model_manager::get_or_create_null_ptr): New decl.
	* region-model.cc (region_model::on_top_level_param): Add
	"nonnull" param and make use of it.
	(region_model::push_frame): When handling a top-level entrypoint
	to the analysis, determine which params __attribute__((nonnull))
	applies to, and pass to on_top_level_param.
	* region-model.h (region_model::on_top_level_param): Add "nonnull"
	param.

2022-12-06  David Malcolm  <dmalcolm@redhat.com>

	* analyzer.h (register_known_analyzer_functions): New decl.
	(register_known_functions_lang_cp): New decl.
	* call-details.cc: New file, split out from
	region-model-impl-calls.cc.
	* call-details.h: New file, split out from region-model.h.
	* call-info.cc: Include "analyzer/call-details.h".
	* call-summary.h: Likewise.
	* kf-analyzer.cc: New file, split out from
	region-model-impl-calls.cc.
	* kf-lang-cp.cc: Likewise.
	* known-function-manager.cc: Include "analyzer/call-details.h".
	* region-model-impl-calls.cc: Move definitions of call_details's
	member functions to call-details.cc.  Move class kf_analyzer_* to
	kf-analyzer.cc.  Move kf_operator_new and kf_operator_delete to
	kf-lang-cp.cc.  Refresh #includes accordingly.
	(register_known_functions): Replace registration of __analyzer_*
	functions with a call to register_known_analyzer_functions.
	Replace registration of C++ support functions with a call to
	register_known_functions_lang_cp.
	* region-model.h (class call_details): Move to new call-details.h.
	* sm-fd.cc: Include "analyzer/call-details.h".
	* sm-file.cc: Likewise.
	* sm-malloc.cc: Likewise.
	* varargs.cc: Likewise.

2022-12-02  David Malcolm  <dmalcolm@redhat.com>

	* analyzer.h (struct event_loc_info): New forward decl.
	* bounds-checking.cc: Use event_loc_info throughout to bundle the
	loc, fndecl, depth triples.
	* call-info.cc: Likewise.
	* checker-event.cc: Likewise.
	* checker-event.h (struct event_loc_info): New decl.  Use it
	throughout to bundle the loc, fndecl, depth triples.
	* checker-path.cc: Likewise.
	* checker-path.h: Likewise.
	* diagnostic-manager.cc: Likewise.
	* engine.cc: Likewise.
	* infinite-recursion.cc: Likewise.
	* pending-diagnostic.cc: Likewise.
	* pending-diagnostic.h: Likewise.
	* region-model.cc: Likewise.
	* sm-signal.cc: Likewise.
	* varargs.cc: Likewise.

2022-12-02  David Malcolm  <dmalcolm@redhat.com>

	PR analyzer/107851
	* analyzer.cc (make_label_text_n): Convert param "n" from int to
	unsigned HOST_WIDE_INT.
	* analyzer.h (make_label_text_n): Likewise for decl.
	* bounds-checking.cc: Include "analyzer/checker-event.h" and
	"analyzer/checker-path.h".
	(out_of_bounds::add_region_creation_events): New.
	(concrete_past_the_end::describe_region_creation_event): Replace
	with...
	(concrete_past_the_end::add_region_creation_events): ...this.
	(symbolic_past_the_end::describe_region_creation_event): Delete.
	* checker-event.cc (region_creation_event::region_creation_event):
	Update for dropping all member data.
	(region_creation_event::get_desc): Delete, splitting out into
	region_creation_event_memory_space::get_desc,
	region_creation_event_capacity::get_desc, and
	region_creation_event_debug::get_desc.
	(region_creation_event_memory_space::get_desc): New.
	(region_creation_event_capacity::get_desc): New.
	(region_creation_event_allocation_size::get_desc): New.
	(region_creation_event_debug::get_desc): New.
	* checker-event.h: Include "analyzer/program-state.h".
	(enum rce_kind): Delete.
	(class region_creation_event): Drop all member data.
	(region_creation_event::region_creation_event): Make protected.
	(region_creation_event::get_desc): Delete.
	(class region_creation_event_memory_space): New.
	(class region_creation_event_capacity): New.
	(class region_creation_event_allocation_size): New.
	(class region_creation_event_debug): New.
	* checker-path.cc (checker_path::add_region_creation_events): Add
	"pd" param.  Call pending_diagnostic::add_region_creation_events.
	Update for conversion of RCE_DEBUG to region_creation_event_debug.
	* checker-path.h (checker_path::add_region_creation_events): Add
	"pd" param.
	* diagnostic-manager.cc (diagnostic_manager::build_emission_path):
	Pass pending_diagnostic to
	emission_path::add_region_creation_events.
	(diagnostic_manager::build_emission_path): Pass path_builder to
	add_event_on_final_node.
	(diagnostic_manager::add_event_on_final_node): Add "pb" param.
	Pass pending_diagnostic to
	emission_path::add_region_creation_events.
	(diagnostic_manager::add_events_for_eedge): Pass
	pending_diagnostic to emission_path::add_region_creation_events.
	* diagnostic-manager.h
	(diagnostic_manager::add_event_on_final_node): Add "pb" param.
	* pending-diagnostic.cc
	(pending_diagnostic::add_region_creation_events): New.
	* pending-diagnostic.h (struct region_creation): Delete.
	(pending_diagnostic::describe_region_creation_event): Delete.
	(pending_diagnostic::add_region_creation_events): New vfunc.
	* region-model.cc: Include "analyzer/checker-event.h" and
	"analyzer/checker-path.h".
	(dubious_allocation_size::dubious_allocation_size): Initialize
	m_has_allocation_event.
	(dubious_allocation_size::describe_region_creation_event): Delete.
	(dubious_allocation_size::describe_final_event): Update for
	replacement of m_allocation_event with m_has_allocation_event.
	(dubious_allocation_size::add_region_creation_events): New.
	(dubious_allocation_size::m_allocation_event): Replace with...
	(dubious_allocation_size::m_has_allocation_event): ...this.

2022-12-02  David Malcolm  <dmalcolm@redhat.com>

	PR analyzer/107948
	* region-model-manager.cc
	(region_model_manager::maybe_fold_binop): Fold (0 - VAL) to -VAL.
	* region-model.cc (region_model::eval_condition): Handle e.g.
	"-X <= 0" as equivalent to "X >= 0".

2022-12-01  David Malcolm  <dmalcolm@redhat.com>

	PR analyzer/106626
	* bounds-checking.cc
	(symbolic_past_the_end::describe_final_event): Delete, moving to
	symbolic_buffer_overflow::describe_final_event and
	symbolic_buffer_over_read::describe_final_event, eliminating
	composition of text strings via "byte_str" and "m_dir_str".
	(symbolic_past_the_end::m_dir_str): Delete field.
	(symbolic_buffer_overflow::symbolic_buffer_overflow): Drop
	m_dir_str.
	(symbolic_buffer_overflow::describe_final_event): New, as noted
	above.
	(symbolic_buffer_over_read::symbolic_buffer_overflow): Drop
	m_dir_str.
	(symbolic_buffer_over_read::describe_final_event): New, as noted
	above.

2022-12-01  David Malcolm  <dmalcolm@redhat.com>

	* bounds-checking.cc (class out_of_bounds): Split out from...
	(class concrete_out_of_bounds): New abstract subclass.
	(class past_the_end): Rename to...
	(class concrete_past_the_end): ...this, and make a subclass of
	concrete_out_of_bounds.
	(class buffer_overflow): Rename to...
	(class concrete_buffer_overflow): ...this, and make a subclass of
	concrete_past_the_end.
	(class buffer_over_read): Rename to...
	(class concrete_buffer_over_read): ...this, and make a subclass of
	concrete_past_the_end.
	(class buffer_underwrite): Rename to...
	(class concrete_buffer_underwrite): ...this, and make a subclass
	of concrete_out_of_bounds.
	(class buffer_under_read): Rename to...
	(class concrete_buffer_under_read): ...this, and make a subclass
	of concrete_out_of_bounds.
	(class symbolic_past_the_end): Convert to a subclass of
	out_of_bounds.
	(symbolic_buffer_overflow::get_kind): New.
	(symbolic_buffer_over_read::get_kind): New.
	(region_model::check_region_bounds): Update for renamings.
	* engine.cc (impl_sm_context::set_next_state): Eliminate
	"new_ctxt", passing NULL to get_rvalue instead.
	(impl_sm_context::warn): Likewise.

2022-12-01  David Malcolm  <dmalcolm@redhat.com>

	PR analyzer/106626
	* bounds-checking.cc (out_of_bounds::get_memory_space): New.
	(buffer_overflow::emit): Use it.
	(class buffer_overread): Rename to...
	(class buffer_over_read): ...this.
	(buffer_over_read::emit): Specify which memory space the read is
	from, where known.  Change "overread" to "over-read".
	(class buffer_underflow): Rename to...
	(class buffer_underwrite): ...this.
	(buffer_underwrite::emit): Specify which memory space the write is
	to, where known.  Change "underflow" to "underwrite".
	(class buffer_underread): Rename to...
	(class buffer_under_read): ...this.
	(buffer_under_read::emit): Specify which memory space the read is
	from, where known.  Change "underread" to "under-read".
	(symbolic_past_the_end::get_memory_space): New.
	(symbolic_buffer_overflow::emit): Use it.
	(class symbolic_buffer_overread): Rename to...
	(class symbolic_buffer_over_read): ...this.
	(symbolic_buffer_over_read::emit): Specify which memory space the
	read is from, where known.  Change "overread" to "over-read".
	(region_model::check_symbolic_bounds): Update for class renaming.
	(region_model::check_region_bounds): Likewise.

2022-12-01  David Malcolm  <dmalcolm@redhat.com>

	PR analyzer/106626
	* bounds-checking.cc (out_of_bounds::maybe_describe_array_bounds):
	New.
	(buffer_overflow::emit): Call maybe_describe_array_bounds.
	(buffer_overread::emit): Likewise.
	(buffer_underflow::emit): Likewise.
	(buffer_underread::emit): Likewise.

2022-12-01  David Malcolm  <dmalcolm@redhat.com>

	PR analyzer/106626
	* bounds-checking.cc (buffer_overflow::emit): Use inform_n.
	Update wording to clarify that we're talking about the size of
	the bad access, rather than its position.
	(buffer_overread::emit): Likewise.

2022-12-01  David Malcolm  <dmalcolm@redhat.com>

	* bounds-checking.cc: New file, taken from region-model.cc.
	* region-model.cc (class out_of_bounds): Move to
	bounds-checking.cc.
	(class past_the_end): Likewise.
	(class buffer_overflow): Likewise.
	(class buffer_overread): Likewise.
	(class buffer_underflow): Likewise.
	(class buffer_underread): Likewise.
	(class symbolic_past_the_end): Likewise.
	(class symbolic_buffer_overflow): Likewise.
	(class symbolic_buffer_overread): Likewise.
	(region_model::check_symbolic_bounds): Likewise.
	(maybe_get_integer_cst_tree): Likewise.
	(region_model::check_region_bounds): Likewise.
	* region-model.h: Add comment.

2022-12-01  David Malcolm  <dmalcolm@redhat.com>

	PR analyzer/107928
	* sm-fd.cc (fd_state_machine::on_bind): Handle m_constant_fd in
	the "success" outcome.
	(fd_state_machine::on_connect): Likewise.
	* sm-fd.dot: Add "constant_fd" state and its transitions.

2022-11-30  David Malcolm  <dmalcolm@redhat.com>

	* region-model-impl-calls.cc (class kf_fgets): Move to sm-file.cc.
	(kf_fgets::impl_call_pre): Likewise.
	(class kf_fread): Likewise.
	(kf_fread::impl_call_pre): Likewise.
	(class kf_getchar): Likewise.
	(class kf_stdio_output_fn): Likewise.
	(register_known_functions): Move registration of
	BUILT_IN_FPRINTF, BUILT_IN_FPRINTF_UNLOCKED, BUILT_IN_FPUTC,
	BUILT_IN_FPUTC_UNLOCKED, BUILT_IN_FPUTS, BUILT_IN_FPUTS_UNLOCKED,
	BUILT_IN_FWRITE, BUILT_IN_FWRITE_UNLOCKED, BUILT_IN_PRINTF,
	BUILT_IN_PRINTF_UNLOCKED, BUILT_IN_PUTC, BUILT_IN_PUTCHAR,
	BUILT_IN_PUTCHAR_UNLOCKED, BUILT_IN_PUTC_UNLOCKED, BUILT_IN_PUTS,
	BUILT_IN_PUTS_UNLOCKED, BUILT_IN_VFPRINTF, BUILT_IN_VPRINTF,
	"getchar", "fgets", "fgets_unlocked", and "fread" to
	register_known_file_functions.
	* sm-file.cc (class kf_stdio_output_fn): Move here from
	region-model-impl-calls.cc.
	(class kf_fgets): Likewise.
	(class kf_fread): Likewise.
	(class kf_getchar): Likewise.
	(register_known_file_functions): Move registration of
	BUILT_IN_FPRINTF, BUILT_IN_FPRINTF_UNLOCKED, BUILT_IN_FPUTC,
	BUILT_IN_FPUTC_UNLOCKED, BUILT_IN_FPUTS, BUILT_IN_FPUTS_UNLOCKED,
	BUILT_IN_FWRITE, BUILT_IN_FWRITE_UNLOCKED, BUILT_IN_PRINTF,
	BUILT_IN_PRINTF_UNLOCKED, BUILT_IN_PUTC, BUILT_IN_PUTCHAR,
	BUILT_IN_PUTCHAR_UNLOCKED, BUILT_IN_PUTC_UNLOCKED, BUILT_IN_PUTS,
	BUILT_IN_PUTS_UNLOCKED, BUILT_IN_VFPRINTF, BUILT_IN_VPRINTF,
	"fgets", "fgets_unlocked", "fread", and "getchar" to here from
	register_known_functions.

2022-11-30  David Malcolm  <dmalcolm@redhat.com>

	PR analyzer/103546
	* analyzer.h (register_known_file_functions): New decl.
	* program-state.cc (sm_state_map::replay_call_summary): Reject
	attempts to store sm-state for caller_sval that can't have
	associated state.
	* region-model-impl-calls.cc (register_known_functions): Call
	register_known_file_functions.
	* sm-fd.cc (class kf_isatty): New.
	(register_known_fd_functions): Register it.
	* sm-file.cc (class kf_ferror): New.
	(class kf_fileno): New.
	(class kf_getc): New.
	(register_known_file_functions): New.

2022-11-30  David Malcolm  <dmalcolm@redhat.com>

	PR analyzer/105784
	* region-model-manager.cc
	(region_model_manager::maybe_fold_binop): For POINTER_PLUS_EXPR,
	PLUS_EXPR and MINUS_EXPR, eliminate requirement that the final
	type matches that of arg0 in favor of a cast.

2022-11-24  Martin Liska  <mliska@suse.cz>

	* varargs.cc: Fix Clang warnings.

2022-11-24  David Malcolm  <dmalcolm@redhat.com>

	PR analyzer/106473
	* call-summary.cc
	(call_summary_replay::convert_region_from_summary_1): Update for
	change to creation of heap-allocated regions.
	* program-state.cc (test_program_state_1): Likewise.
	(test_program_state_merging): Likewise.
	* region-model-impl-calls.cc (kf_calloc::impl_call_pre): Likewise.
	(kf_malloc::impl_call_pre): Likewise.
	(kf_operator_new::impl_call_pre): Likewise.
	(kf_realloc::impl_call_postsuccess_with_move::update_model): Likewise.
	* region-model-manager.cc
	(region_model_manager::create_region_for_heap_alloc): Convert
	to...
	(region_model_manager::get_or_create_region_for_heap_alloc):
	...this, reusing an existing region if it's unreferenced in the
	client state.
	* region-model-manager.h (region_model_manager::get_num_regions): New.
	(region_model_manager::create_region_for_heap_alloc): Convert to...
	(region_model_manager::get_or_create_region_for_heap_alloc): ...this.
	* region-model.cc (region_to_value_map::can_merge_with_p): Reject
	merger when the values are different.
	(region_model::create_region_for_heap_alloc): Convert to...
	(region_model::get_or_create_region_for_heap_alloc): ...this.
	(region_model::get_referenced_base_regions): New.
	(selftest::test_state_merging): Update for change to creation of
	heap-allocated regions.
	(selftest::test_malloc_constraints): Likewise.
	(selftest::test_malloc): Likewise.
	* region-model.h: Include "sbitmap.h".
	(region_model::create_region_for_heap_alloc): Convert to...
	(region_model::get_or_create_region_for_heap_alloc): ...this.
	(region_model::get_referenced_base_regions): New decl.
	* store.cc (store::canonicalize): Don't purge a heap-allocated region
	that's been marked as escaping.

2022-11-24  David Malcolm  <dmalcolm@redhat.com>

	* checker-path.cc (checker_path::inject_any_inlined_call_events):
	Don't dump the address of the block when -fdump-noaddr.

2022-11-24  David Malcolm  <dmalcolm@redhat.com>

	* region-model.h (region_model::on_socket): Delete decl.
	(region_model::on_bind): Likewise.
	(region_model::on_listen): Likewise.
	(region_model::on_accept): Likewise.
	(region_model::on_connect): Likewise.
	* sm-fd.cc (kf_socket::outcome_of_socket::update_model): Move body
	of region_model::on_socket into here, ...
	(region_model::on_socket): ...eliminating this function.
	(kf_bind::outcome_of_bind::update_model): Likewise for on_bind...
	(region_model::on_bind): ...eliminating this function.
	(kf_listen::outcome_of_listen::update_model): Likewise for
	on_listen...
	(region_model::on_listen): ...eliminating this function.
	(kf_accept::outcome_of_accept::update_model): Likewise for
	on_accept...
	(region_model::on_accept): ...eliminating this function.
	(kf_connect::outcome_of_connect::update_model): Likewise for
	on_connect...
	(region_model::on_connect): ...eliminating this function.

2022-11-24  David Malcolm  <dmalcolm@redhat.com>

	* analyzer.h (register_known_fd_functions): New decl.
	* region-model-impl-calls.cc (class kf_accept): Move to sm-fd.cc.
	(class kf_bind): Likewise.
	(class kf_connect): Likewise.
	(class kf_listen): Likewise.
	(class kf_pipe): Likewise.
	(class kf_socket): Likewise.
	(register_known_functions): Remove registration of the above
	functions, instead calling register_known_fd_functions.
	* sm-fd.cc: Include "analyzer/call-info.h".
	(class kf_socket): Move here from region-model-impl-calls.cc.
	(class kf_bind): Likewise.
	(class kf_listen): Likewise.
	(class kf_accept): Likewise.
	(class kf_connect): Likewise.
	(class kf_pipe): Likewise.
	(register_known_fd_functions): New.

2022-11-22  David Malcolm  <dmalcolm@redhat.com>

	PR analyzer/107788
	* known-function-manager.cc (known_function_manager::get_match):
	Don't look up fndecls by name when they're not in the root
	namespace.

2022-11-22  David Malcolm  <dmalcolm@redhat.com>

	PR analyzer/107783
	* sm-fd.cc (fd_state_machine::check_for_new_socket_fd): Don't
	complain when old state is "fd-constant".
	(fd_state_machine::on_listen): Likewise.
	(fd_state_machine::on_accept): Likewise.

2022-11-22  David Malcolm  <dmalcolm@redhat.com>

	PR analyzer/107807
	* region-model-impl-calls.cc (register_known_functions): Register
	"___errno" and "__error" as synonyms for "__errno_location".

2022-11-22  David Malcolm  <dmalcolm@redhat.com>

	* analyzer.h (class internal_known_function): New.
	(register_varargs_builtins): New decl.
	* engine.cc (exploded_node::on_stmt_pre): Remove
	"out_terminate_path" param from call to region_model::on_stmt_pre.
	(feasibility_state::maybe_update_for_edge): Likewise.
	* known-function-manager.cc: Include "basic-block.h", "gimple.h",
	and "analyzer/region-model.h".
	(known_function_manager::known_function_manager): Initialize
	m_combined_fns_arr.
	(known_function_manager::~known_function_manager): Clean up
	m_combined_fns_arr.
	(known_function_manager::get_by_identifier): Make const.
	(known_function_manager::add): New overloaded definitions for
	enum built_in_function and enum internal_fn.
	(known_function_manager::get_by_fndecl): Delete.
	(known_function_manager::get_match): New.
	(known_function_manager::get_internal_fn): New.
	(known_function_manager::get_normal_builtin): New.
	* known-function-manager.h
	(known_function_manager::get_by_identifier): Make private and
	add const qualifier.
	(known_function_manager::get_by_fndecl): Delete.
	(known_function_manager::add): Add overloaded decls for
	enum built_in_function name and enum internal_fn.
	(known_function_manager::get_match): New decl.
	(known_function_manager::get_internal_fn): New decl.
	(known_function_manager::get_normal_builtin): New decl.
	(known_function_manager::m_combined_fns_arr): New field.
	* region-model-impl-calls.cc (call_details::arg_is_size_p): New.
	(class kf_alloca): New.
	(region_model::impl_call_alloca): Convert to...
	(kf_alloca::impl_call_pre): ...this.
	(kf_analyzer_dump_capacity::matches_call_types_p): Rewrite check
	to use call_details::arg_is_pointer_p.
	(region_model::impl_call_builtin_expect): Convert to...
	(class kf_expect): ...this.
	(class kf_calloc): New, adding check that both arguments are
	size_t.
	(region_model::impl_call_calloc): Convert to...
	(kf_calloc::impl_call_pre): ...this.
	(kf_connect::matches_call_types_p): Rewrite check to use
	call_details::arg_is_pointer_p.
	(region_model::impl_call_error): Convert to...
	(class kf_error): ...this, and...
	(kf_error::impl_call_pre): ...this.
	(class kf_fgets): New, adding checks that args 0 and 2 are
	pointers.
	(region_model::impl_call_fgets): Convert to...
	(kf_fgets::impl_call_pre): ...this.
	(class kf_fread): New, adding checks on the argument types.
	(region_model::impl_call_fread): Convert to...
	(kf_fread::impl_call_pre): ...this.
	(class kf_free): New, adding check that the argument is a pointer.
	(region_model::impl_call_free): Convert to...
	(kf_free::impl_call_post): ...this.
	(class kf_getchar): New.
	(class kf_malloc): New, adding check that the argument is a
	size_t.
	(region_model::impl_call_malloc): Convert to...
	(kf_malloc::impl_call_pre): ...this.
	(class kf_memcpy): New, adding checks on arguments.
	(region_model::impl_call_memcpy): Convert to...
	(kf_memcpy::impl_call_pre): ...this.
	(class kf_memset): New.
	(region_model::impl_call_memset): Convert to...
	(kf_memset::impl_call_pre): ...this.
	(kf_pipe::matches_call_types_p): Rewrite check to use
	call_details::arg_is_pointer_p.
	(kf_putenv::matches_call_types_p): Likewise.
	(class kf_realloc): New, adding checks on the argument types.
	(region_model::impl_call_realloc): Convert to...
	(kf_realloc::impl_call_post): ...this.
	(class kf_strchr): New.
	(region_model::impl_call_strchr): Convert to...
	(kf_strchr::impl_call_post): ...this.
	(class kf_stack_restore): New.
	(class kf_stack_save): New.
	(class kf_stdio_output_fn): New.
	(class kf_strcpy): New.
	(region_model::impl_call_strcpy): Convert to...
	(kf_strcpy::impl_call_pre): ...this.
	(class kf_strlen): New.
	(region_model::impl_call_strlen): Convert to...
	(kf_strlen::impl_call_pre): ...this.
	(class kf_ubsan_bounds): New.
	(region_model::impl_deallocation_call): Reimplement to avoid call
	to impl_call_free.
	(register_known_functions): Add handlers for IFN_BUILTIN_EXPECT
	and IFN_UBSAN_BOUNDS.  Add handlers for BUILT_IN_ALLOCA,
	BUILT_IN_ALLOCA_WITH_ALIGN, BUILT_IN_CALLOC, BUILT_IN_EXPECT,
	BUILT_IN_EXPECT_WITH_PROBABILITY, BUILT_IN_FPRINTF,
	BUILT_IN_FPRINTF_UNLOCKED, BUILT_IN_FPUTC,
	BUILT_IN_FPUTC_UNLOCKED, BUILT_IN_FPUTS, BUILT_IN_FPUTS_UNLOCKED,
	BUILT_IN_FREE, BUILT_IN_FWRITE, BUILT_IN_FWRITE_UNLOCKED,
	BUILT_IN_MALLOC, BUILT_IN_MEMCPY, BUILT_IN_MEMCPY_CHK,
	BUILT_IN_MEMSET, BUILT_IN_MEMSET_CHK, BUILT_IN_PRINTF,
	BUILT_IN_PRINTF_UNLOCKED, BUILT_IN_PUTC, BUILT_IN_PUTCHAR,
	BUILT_IN_PUTCHAR_UNLOCKED, BUILT_IN_PUTC_UNLOCKED, BUILT_IN_PUTS,
	BUILT_IN_PUTS_UNLOCKED, BUILT_IN_REALLOC, BUILT_IN_STACK_RESTORE,
	BUILT_IN_STACK_SAVE, BUILT_IN_STRCHR, BUILT_IN_STRCPY,
	BUILT_IN_STRCPY_CHK, BUILT_IN_STRLEN, BUILT_IN_VFPRINTF, and
	BUILT_IN_VPRINTF.  Call register_varargs_builtins.  Add handlers
	for "getchar", "memset", "fgets", "fgets_unlocked", "fread",
	"error", and "error_at_line".
	* region-model.cc (region_model::on_stmt_pre): Drop
	"out_terminate_path" param.
	(region_model::get_known_function): Reimplement by calling
	known_function_manager::get_match, passing new "cd" param.
	Add overload taking enum internal_fn.
	(region_model::on_call_pre): Drop "out_terminate_path" param.
	Remove special-case handling of internal fns IFN_BUILTIN_EXPECT,
	IFN_UBSAN_BOUNDS, and IFN_VA_ARG, of built-in fns BUILT_IN_ALLOCA,
	BUILT_IN_ALLOCA_WITH_ALIGN, BUILT_IN_CALLOC, BUILT_IN_EXPECT,
	BUILT_IN_EXPECT_WITH_PROBABILITY, BUILT_IN_FREE, BUILT_IN_MALLOC,
	BUILT_IN_MEMCPY, BUILT_IN_MEMCPY_CHK, BUILT_IN_MEMSET,
	BUILT_IN_MEMSET_CHK, BUILT_IN_REALLOC, BUILT_IN_STRCHR,
	BUILT_IN_STRCPY, BUILT_IN_STRCPY_CHK, BUILT_IN_STRLEN,
	BUILT_IN_STACK_SAVE, BUILT_IN_STACK_RESTORE, BUILT_IN_FPRINTF,
	BUILT_IN_FPRINTF_UNLOCKED, BUILT_IN_PUTC, BUILT_IN_PUTC_UNLOCKED,
	BUILT_IN_FPUTC, BUILT_IN_FPUTC_UNLOCKED, BUILT_IN_FPUTS,
	BUILT_IN_FPUTS_UNLOCKED, BUILT_IN_FWRITE,
	BUILT_IN_FWRITE_UNLOCKED, BUILT_IN_PRINTF,
	BUILT_IN_PRINTF_UNLOCKED, BUILT_IN_PUTCHAR,
	BUILT_IN_PUTCHAR_UNLOCKED, BUILT_IN_PUTS, BUILT_IN_PUTS_UNLOCKED,
	BUILT_IN_VFPRINTF, BUILT_IN_VPRINTF, BUILT_IN_VA_START, and
	BUILT_IN_VA_COPY, and of named functions "malloc", "calloc",
	"alloca", "realloc", "error", "error_at_line", "fgets",
	"fgets_unlocked", "fread", "getchar", "memset", "strchr", and
	"strlen".  Replace all this special-casing with calls to
	get_known_function for internal fns and for fn decls.
	(region_model::on_call_post): Remove special-casing handling for
	"free" and "strchr", and for BUILT_IN_REALLOC, BUILT_IN_STRCHR,
	and BUILT_IN_VA_END.  Replace by consolidating on usage of
	get_known_function.
	* region-model.h (call_details::arg_is_size_p): New.
	(region_model::on_stmt_pre): Drop "out_terminate_path" param.
	(region_model::on_call_pre): Likewise.
	(region_model::impl_call_alloca): Delete.
	(region_model::impl_call_builtin_expect): Delete.
	(region_model::impl_call_calloc): Delete.
	(region_model::impl_call_error): Delete.
	(region_model::impl_call_fgets): Delete.
	(region_model::impl_call_fread): Delete.
	(region_model::impl_call_free): Delete.
	(region_model::impl_call_malloc): Delete.
	(region_model::impl_call_memcpy): Delete.
	(region_model::impl_call_memset): Delete.
	(region_model::impl_call_realloc): Delete.
	(region_model::impl_call_strchr): Delete.
	(region_model::impl_call_strcpy): Delete.
	(region_model::impl_call_strlen): Delete.
	(region_model::impl_call_va_start): Delete.
	(region_model::impl_call_va_copy): Delete.
	(region_model::impl_call_va_arg): Delete.
	(region_model::impl_call_va_end): Delete.
	(region_model::check_region_for_write): Public.
	(region_model::get_known_function): Add "cd" param.  Add
	overloaded decl taking enum internal_fn.
	* sm-malloc.cc: Update comments.
	* varargs.cc (class kf_va_start): New.
	(region_model::impl_call_va_start): Convert to...
	(kf_va_start::impl_call_pre): ...this.
	(class kf_va_copy): New.
	(region_model::impl_call_va_copy): Convert to...
	(kf_va_copy::impl_call_pre): ...this.
	(class kf_va_arg): New.
	(region_model::impl_call_va_arg): Convert to...
	(kf_va_arg::impl_call_pre): ...this.
	(class kf_va_end): New.
	(region_model::impl_call_va_end): Delete.
	(register_varargs_builtins): New.

2022-11-22  David Malcolm  <dmalcolm@redhat.com>

	PR analyzer/107788
	* region-model.cc (region_model::update_for_int_cst_return):
	Require that the return type be an integer type.
	(region_model::update_for_nonzero_return): Likewise.

2022-11-22  David Malcolm  <dmalcolm@redhat.com>

	PR analyzer/107783
	* region-model-impl-calls.cc (kf_accept::matches_call_types_p):
	Require that args 1 and 2 be pointers.
	(kf_bind::matches_call_types_p): Require that arg 1 be a pointer.
	* region-model.h (call_details::arg_is_pointer_p): New.

2022-11-22  David Malcolm  <dmalcolm@redhat.com>

	PR analyzer/107777
	* call-summary.cc
	(call_summary_replay::convert_region_from_summary_1): Handle
	RK_THREAD_LOCAL and RK_ERRNO in switch.
	* region-model.cc (region_model::get_representative_path_var_1):
	Likewise.

2022-11-19  David Malcolm  <dmalcolm@redhat.com>

	PR analyzer/107582
	* engine.cc (dynamic_call_info_t::update_model): Update the model
	by pushing or popping a frame, rather than by clobbering it with the
	model from the exploded_node's state.

2022-11-18  David Malcolm  <dmalcolm@redhat.com>

	* analyzer.cc (is_pipe_call_p): Delete.
	* analyzer.h (is_pipe_call_p): Delete.
	* region-model-impl-calls.cc (call_details::get_location): New.
	(class kf_analyzer_break): New, adapted from
	region_model::on_stmt_pre.
	(region_model::impl_call_analyzer_describe): Convert to...
	(class kf_analyzer_describe): ...this.
	(region_model::impl_call_analyzer_dump_capacity): Convert to...
	(class kf_analyzer_dump_capacity): ...this.
	(region_model::impl_call_analyzer_dump_escaped): Convert to...
	(class kf_analyzer_dump_escaped): ...this.
	(class kf_analyzer_dump_exploded_nodes): New.
	(region_model::impl_call_analyzer_dump_named_constant): Convert
	to...
	(class kf_analyzer_dump_named_constant): ...this.
	(class dump_path_diagnostic): Move here from region-model.cc.
	(class kf_analyzer_dump_path): New, adapted from
	region_model::on_stmt_pre.
	(class kf_analyzer_dump_region_model): Likewise.
	(region_model::impl_call_analyzer_eval): Convert to...
	(class kf_analyzer_eval): ...this.
	(region_model::impl_call_analyzer_get_unknown_ptr): Convert to...
	(class kf_analyzer_get_unknown_ptr): ...this.
	(class known_function_accept): Rename to...
	(class kf_accept): ...this.
	(class known_function_bind): Rename to...
	(class kf_bind): ...this.
	(class known_function_connect): Rename to...
	(class kf_connect): ...this.
	(region_model::impl_call_errno_location): Convert to...
	(class kf_errno_location): ...this.
	(class known_function_listen): Rename to...
	(class kf_listen): ...this.
	(region_model::impl_call_pipe): Convert to...
	(class kf_pipe): ...this.
	(region_model::impl_call_putenv): Convert to...
	(class kf_putenv): ...this.
	(region_model::impl_call_operator_new): Convert to...
	(class kf_operator_new): ...this.
	(region_model::impl_call_operator_delete): Convert to...
	(class kf_operator_delete): ...this.
	(class known_function_socket): Rename to...
	(class kf_socket): ...this.
	(register_known_functions): Rename param to KFM.  Break out
	existing known functions into a "POSIX" section, and add "pipe",
	"pipe2", and "putenv".  Add debugging functions
	"__analyzer_break", "__analyzer_describe",
	"__analyzer_dump_capacity", "__analyzer_dump_escaped",
	"__analyzer_dump_exploded_nodes",
	"__analyzer_dump_named_constant", "__analyzer_dump_path",
	"__analyzer_dump_region_model", "__analyzer_eval",
	"__analyzer_get_unknown_ptr".  Add C++ support functions
	"operator new", "operator new []", "operator delete", and
	"operator delete []".
	* region-model.cc (class dump_path_diagnostic): Move to
	region-model-impl-calls.cc.
	(region_model::on_stmt_pre): Eliminate special-casing of
	"__analyzer_describe", "__analyzer_dump_capacity",
	"__analyzer_dump_escaped", "__analyzer_dump_named_constant",
	"__analyzer_dump_path", "__analyzer_dump_region_model",
	"__analyzer_eval", "__analyzer_break",
	"__analyzer_dump_exploded_nodes", "__analyzer_get_unknown_ptr",
	"__errno_location", "pipe", "pipe2", "putenv", "operator new",
	"operator new []", "operator delete", "operator delete []",
	"pipe" and "pipe2", handling them instead via the known_functions
	mechanism.
	* region-model.h (call_details::get_location): New decl.
	(region_model::impl_call_analyzer_describe): Delete decl.
	(region_model::impl_call_analyzer_dump_capacity): Delete decl.
	(region_model::impl_call_analyzer_dump_escaped): Delete decl.
	(region_model::impl_call_analyzer_dump_named_constant): Delete decl.
	(region_model::impl_call_analyzer_eval): Delete decl.
	(region_model::impl_call_analyzer_get_unknown_ptr): Delete decl.
	(region_model::impl_call_errno_location): Delete decl.
	(region_model::impl_call_pipe): Delete decl.
	(region_model::impl_call_putenv): Delete decl.
	(region_model::impl_call_operator_new): Delete decl.
	(region_model::impl_call_operator_delete): Delete decl.
	* sm-fd.cc: Update comments.

2022-11-16  David Malcolm  <dmalcolm@redhat.com>

	PR analyzer/107711
	* analyzer-language.cc: Include "diagnostic.h".
	(maybe_stash_named_constant): Add logger param and use it to log
	the name being looked up, and the result.
	(stash_named_constants): New, splitting out from...
	(on_finish_translation_unit): ...this function.  Call
	get_or_create_logfile and use the result to create a logger
	instance, passing it to stash_named_constants.
	* analyzer.h (get_or_create_any_logfile): New decl.
	* engine.cc (dump_fout, owns_dump_fout): New globals, split out
	from run_checkers.
	(get_or_create_any_logfile): New function, split out from...
	(run_checkers): ...here, so that the logfile can be opened by
	on_finish_translation_unit.  Clear the globals when closing the
	dump file.

2022-11-16  David Malcolm  <dmalcolm@redhat.com>

	* analyzer.h (known_function::matches_call_types_p): New vfunc.
	(known_function::impl_call_pre): Provide base implementation.
	(known_function::impl_call_post): New vfunc.
	(register_known_functions): New.
	* engine.cc (impl_run_checkers): Call register_known_functions.
	* region-model-impl-calls.cc (region_model::impl_call_accept):
	Convert to...
	(class known_function_accept): ...this.
	(region_model::impl_call_bind): Convert to...
	(class known_function_bind): ...this.
	(region_model::impl_call_connect): Convert to...
	(class known_function_connect): ...this.
	(region_model::impl_call_listen): Convert to...
	(class known_function_listen): ...this.
	(region_model::impl_call_socket): Convert to...
	(class known_function_socket): ...this.
	(register_known_functions): New.
	* region-model.cc (region_model::on_call_pre): Remove special
	case for "bind" in favor of the known_function-handling dispatch.
	Add call to known_function::matches_call_types_p to latter.
	(region_model::on_call_post): Remove special cases for "accept",
	"bind", "connect", "listen", and "socket" in favor of dispatch
	to known_function::impl_call_post.
	* region-model.h (region_model::impl_call_accept): Delete decl.
	(region_model::impl_call_bind): Delete decl.
	(region_model::impl_call_connect): Delete decl.
	(region_model::impl_call_listen): Delete decl.
	(region_model::impl_call_socket): Delete decl.
	* sm-fd.cc: Update comments.

2022-11-16  David Malcolm  <dmalcolm@redhat.com>

	* checker-event.cc: New file, split out from...
	* checker-path.cc: ...this file.

2022-11-15  David Malcolm  <dmalcolm@redhat.com>

	PR analyzer/106140
	* analyzer-language.cc (on_finish_translation_unit): Stash named
	constants "SOCK_STREAM" and "SOCK_DGRAM".
	* analyzer.opt (Wanalyzer-fd-phase-mismatch): New.
	(Wanalyzer-fd-type-mismatch): New.
	* engine.cc (impl_region_model_context::get_state_map_by_name):
	Add "out_sm_context" param.  Allow out_sm_idx to be NULL.
	* exploded-graph.h
	(impl_region_model_context::get_state_map_by_name):
	Add "out_sm_context" param.
	* region-model-impl-calls.cc (region_model::impl_call_accept): New.
	(region_model::impl_call_bind): New.
	(region_model::impl_call_connect): New.
	(region_model::impl_call_listen): New.
	(region_model::impl_call_socket): New.
	* region-model.cc (region_model::on_call_pre): Special-case
	"bind".
	(region_model::on_call_post): Special-case "accept", "bind",
	"connect", "listen", and "socket".
	* region-model.h (region_model::impl_call_accept): New decl.
	(region_model::impl_call_bind): New decl.
	(region_model::impl_call_connect): New decl.
	(region_model::impl_call_listen): New decl.
	(region_model::impl_call_socket): New decl.
	(region_model::on_socket): New decl.
	(region_model::on_bind): New decl.
	(region_model::on_listen): New decl.
	(region_model::on_accept): New decl.
	(region_model::on_connect): New decl.
	(region_model::add_constraint): Make public.
	(region_model::check_for_poison): Make public.
	(region_model_context::get_state_map_by_name): Add out_sm_context param.
	(region_model_context::get_fd_map): Likewise.
	(region_model_context::get_malloc_map): Likewise.
	(region_model_context::get_taint_map): Likewise.
	(noop_region_model_context::get_state_map_by_name): Likewise.
	(region_model_context_decorator::get_state_map_by_name): Likewise.
	* sm-fd.cc: Include "analyzer/supergraph.h" and
	"analyzer/analyzer-language.h".
	(enum expected_phase): New enum.
	(fd_state_machine::m_new_datagram_socket): New.
	(fd_state_machine::m_new_stream_socket): New.
	(fd_state_machine::m_new_unknown_socket): New.
	(fd_state_machine::m_bound_datagram_socket): New.
	(fd_state_machine::m_bound_stream_socket): New.
	(fd_state_machine::m_bound_unknown_socket): New.
	(fd_state_machine::m_listening_stream_socket): New.
	(fd_state_machine::m_m_connected_stream_socket): New.
	(fd_state_machine::m_SOCK_STREAM): New.
	(fd_state_machine::m_SOCK_DGRAM): New.
	(fd_diagnostic::describe_state_change): Handle socket states.
	(fd_diagnostic::get_meaning_for_state_change): Likewise.
	(class fd_phase_mismatch): New.
	(enum expected_type): New enum.
	(class fd_type_mismatch): New.
	(fd_state_machine::fd_state_machine): Initialize new states and
	stashed named constants.
	(fd_state_machine::is_socket_fd_p): New.
	(fd_state_machine::is_datagram_socket_fd_p): New.
	(fd_state_machine::is_stream_socket_fd_p): New.
	(fd_state_machine::on_close): Handle the socket states.
	(fd_state_machine::check_for_open_fd): Complain about fncalls on
	sockets in the wrong phase.  Support socket FDs.
	(add_constraint_ge_zero): New.
	(fd_state_machine::get_state_for_socket_type): New.
	(fd_state_machine::on_socket): New.
	(fd_state_machine::check_for_socket_fd): New.
	(fd_state_machine::check_for_new_socket_fd): New.
	(fd_state_machine::on_bind): New.
	(fd_state_machine::on_listen): New.
	(fd_state_machine::on_accept): New.
	(fd_state_machine::on_connect): New.
	(fd_state_machine::can_purge_p): Don't purge socket values.
	(get_fd_state): New.
	(region_model::mark_as_valid_fd): Use get_fd_state.
	(region_model::on_socket): New.
	(region_model::on_bind): New.
	(region_model::on_listen): New.
	(region_model::on_accept): New.
	(region_model::on_connect): New.
	* sm-fd.dot: Update to reflect sm-fd.cc changes.

2022-11-15  David Malcolm  <dmalcolm@redhat.com>

	PR analyzer/106302
	* analyzer-language.cc: New file.
	* analyzer-language.h: New file.
	* analyzer.h (get_stashed_constant_by_name): New decl.
	(log_stashed_constants): New decl.
	* engine.cc (impl_run_checkers): Call log_stashed_constants.
	* region-model-impl-calls.cc
	(region_model::impl_call_analyzer_dump_named_constant): New.
	* region-model.cc (region_model::on_stmt_pre): Handle
	__analyzer_dump_named_constant.
	* region-model.h
	(region_model::impl_call_analyzer_dump_named_constant): New decl.
	* sm-fd.cc (fd_state_machine::m_O_ACCMODE): New.
	(fd_state_machine::m_O_RDONLY): New.
	(fd_state_machine::m_O_WRONLY): New.
	(fd_state_machine::fd_state_machine): Initialize the new fields.
	(fd_state_machine::get_access_mode_from_flag): Use the new fields,
	rather than using the host values.

2022-11-13  David Malcolm  <dmalcolm@redhat.com>

	PR analyzer/106235
	* analyzer.opt (Wanalyzer-tainted-assertion): New.
	* checker-path.cc (checker_path::fixup_locations): Pass false to
	pending_diagnostic::fixup_location.
	* diagnostic-manager.cc (get_emission_location): Pass true to
	pending_diagnostic::fixup_location.
	* pending-diagnostic.cc (pending_diagnostic::fixup_location): Add
	bool param.
	* pending-diagnostic.h (pending_diagnostic::fixup_location): Add
	bool param to decl.
	* sm-taint.cc (taint_state_machine::m_tainted_control_flow): New.
	(taint_diagnostic::describe_state_change): Drop "final".
	(class tainted_assertion): New.
	(taint_state_machine::taint_state_machine): Initialize
	m_tainted_control_flow.
	(taint_state_machine::alt_get_inherited_state): Support
	comparisons being tainted, based on their arguments.
	(is_assertion_failure_handler_p): New.
	(taint_state_machine::on_stmt): Complain about calls to assertion
	failure handlers guarded by an attacker-controlled conditional.
	Detect attacker-controlled gcond conditionals and gswitch index
	values.
	(taint_state_machine::check_control_flow_arg_for_taint): New.

2022-11-11  David Malcolm  <dmalcolm@redhat.com>

	* sm-fd.dot: Fix typo in comment.
	* sm-file.dot: New file.
	* varargs.cc: Fix typo in comment.
	* varargs.dot: New file.

2022-11-11  David Malcolm  <dmalcolm@redhat.com>

	* checker-path.h: Split out checker_event and its subclasses to...
	* checker-event.h: ...this new header.

2022-11-11  David Malcolm  <dmalcolm@redhat.com>

	PR analyzer/106147
	* analyzer.opt (Wanalyzer-infinite-recursion): New.
	* call-string.cc (call_string::count_occurrences_of_function):
	New.
	* call-string.h (call_string::count_occurrences_of_function): New
	decl.
	* checker-path.cc (function_entry_event::function_entry_event):
	New ctor.
	(checker_path::add_final_event): Delete.
	* checker-path.h (function_entry_event::function_entry_event): New
	ctor.
	(function_entry_event::get_desc): Drop "final".
	(checker_path::add_final_event): Delete.
	* diagnostic-manager.cc
	(diagnostic_manager::emit_saved_diagnostic): Create the final
	event via a new pending_diagnostic::add_final_event vfunc, rather
	than checker_path::add_final_event.
	(diagnostic_manager::add_events_for_eedge): Create function entry
	events via a new pending_diagnostic::add_function_entry_event
	vfunc.
	* engine.cc (exploded_graph::process_node): When creating a new
	PK_BEFORE_SUPERNODE node, call
	exploded_graph::detect_infinite_recursion on it after adding the
	in-edge.
	* exploded-graph.h (exploded_graph::detect_infinite_recursion):
	New decl.
	(exploded_graph::find_previous_entry_to): New decl.
	* infinite-recursion.cc: New file.
	* pending-diagnostic.cc
	(pending_diagnostic::add_function_entry_event): New.
	(pending_diagnostic::add_final_event): New.
	* pending-diagnostic.h
	(pending_diagnostic::add_function_entry_event): New vfunc.
	(pending_diagnostic::add_final_event): New vfunc.

2022-11-10  David Malcolm  <dmalcolm@redhat.com>

	PR analyzer/99671
	* analyzer.opt (Wanalyzer-deref-before-check): New warning.
	* diagnostic-manager.cc
	(null_assignment_sm_context::set_next_state): Only add state
	change events for transition to "null" state.
	(null_assignment_sm_context::is_transition_to_null): New.
	* engine.cc (impl_region_model_context::on_pop_frame): New.
	* exploded-graph.h (impl_region_model_context::on_pop_frame): New
	decl.
	* program-state.cc (sm_state_map::clear_any_state): New.
	(sm_state_map::can_merge_with_p): New.
	(program_state::can_merge_with_p): Replace requirement that
	sm-states be equal in favor of an attempt to merge them.
	* program-state.h (sm_state_map::clear_any_state): New decl.
	(sm_state_map::can_merge_with_p): New decl.
	* region-model.cc (region_model::eval_condition): Make const.
	(region_model::pop_frame): Call ctxt->on_pop_frame.
	* region-model.h (region_model::eval_condition): Make const.
	(region_model_context::on_pop_frame): New vfunc.
	(noop_region_model_context::on_pop_frame): New.
	(region_model_context_decorator::on_pop_frame): New.
	* sm-malloc.cc (enum resource_state): Add RS_ASSUMED_NON_NULL.
	(allocation_state::dump_to_pp): Drop "final".
	(struct assumed_non_null_state): New subclass.
	(malloc_state_machine::m_assumed_non_null): New.
	(assumed_non_null_p): New.
	(class deref_before_check): New.
	(assumed_non_null_state::dump_to_pp): New.
	(malloc_state_machine::get_or_create_assumed_non_null_state_for_frame):
	New.
	(malloc_state_machine::maybe_assume_non_null): New.
	(malloc_state_machine::on_stmt): Transition from start state to
	"assumed-non-null" state for pointers passed to
	__attribute__((nonnull)) arguments, and for pointers explicitly
	dereferenced.  Call maybe_complain_about_deref_before_check for
	pointers explicitly compared against NULL.
	(malloc_state_machine::maybe_complain_about_deref_before_check):
	New.
	(malloc_state_machine::on_deallocator_call): Also transition
	"assumed-non-null" states to "freed".
	(malloc_state_machine::on_pop_frame): New.
	(malloc_state_machine::maybe_get_merged_states_nonequal): New.
	* sm-malloc.dot: Update for changes to sm-malloc.cc.
	* sm.h (state_machine::on_pop_frame): New.
	(state_machine::maybe_get_merged_state): New.
	(state_machine::maybe_get_merged_states_nonequal): New.

2022-11-09  David Malcolm  <dmalcolm@redhat.com>

	* checker-path.cc (checker_event::debug): New.
	(checker_path::add_event): Move here from checker-path.h.  Add
	logging.
	* checker-path.h (checker_event::debug): New decl.
	(checker_path::checker_path): Add logger param.
	(checker_path::add_event): Move definition from here to
	checker-path.cc.
	(checker_path::m_logger): New field.
	* diagnostic-manager.cc
	(diagnostic_manager::emit_saved_diagnostic): Pass logger to
	checker_path ctor.
	(diagnostic_manager::add_events_for_eedge): Log scope when
	processing a run of stmts.

2022-11-08  David Malcolm  <dmalcolm@redhat.com>

	PR analyzer/101962
	* region-model-impl-calls.cc: Update comment.
	* region-model.cc (region_model::check_symbolic_bounds): Fix
	layout of "void" return.  Replace usage of
	eval_condition_without_cm with eval_condition.
	(region_model::eval_condition): Take over body of...
	(region_model::eval_condition_without_cm): ...this subroutine,
	dropping the latter.  Eliminating this distinction avoids issues
	where constraints were not considered when recursing.
	(region_model::compare_initial_and_pointer): Update comment.
	(region_model::symbolic_greater_than): Replace usage of
	eval_condition_without_cm with eval_condition.
	* region-model.h
	(region_model::eval_condition_without_cm): Delete decl.

2022-11-08  David Malcolm  <dmalcolm@redhat.com>

	* region-model-impl-calls.cc
	(region_model::impl_call_errno_location): New.
	* region-model-manager.cc
	(region_model_manager::region_model_manager): Initialize
	m_thread_local_region and m_errno_region.
	* region-model-manager.h (region_model_manager::get_errno_region):
	New accessor.
	(region_model_manager::m_thread_local_region): New.
	(region_model_manager::m_errno_region): New.
	* region-model.cc (region_model::on_call_pre): Special-case
	"__errno_location".
	(region_model::set_errno): New.
	* region-model.h (impl_call_errno_location): New decl.
	(region_model::set_errno): New decl.
	* region.cc (thread_local_region::dump_to_pp): New.
	(errno_region::dump_to_pp): New.
	* region.h (enum memory_space): Add MEMSPACE_THREAD_LOCAL.
	(enum region_kind): Add RK_THREAD_LOCAL and RK_ERRNO.
	(class thread_local_region): New.
	(is_a_helper <const thread_local_region *>::test): New.
	(class errno_region): New.
	(is_a_helper <const errno_region *>::test): New.
	* store.cc (binding_cluster::escaped_p): New.
	(store::escaped_p): Treat errno as always having escaped.
	(store::replay_call_summary_cluster): Handle RK_THREAD_LOCAL and
	RK_ERRNO.
	* store.h (binding_cluster::escaped_p): Remove definition.

2022-11-08  David Malcolm  <dmalcolm@redhat.com>

	* call-info.cc (success_call_info::get_desc): Delete.
	(failed_call_info::get_desc): Likewise.
	(succeed_or_fail_call_info::get_desc): New.
	* call-info.h (class succeed_or_fail_call_info): New.
	(class success_call_info): Convert to a subclass of
	succeed_or_fail_call_info.
	(class failed_call_info): Likewise.

2022-11-08  David Malcolm  <dmalcolm@redhat.com>

	* region-model-impl-calls.cc (region_model::impl_call_strchr):
	Move to on_call_post.  Handle both outcomes using bifurcation,
	rather than just the "not found" case.
	* region-model.cc (region_model::on_call_pre): Move
	BUILT_IN_STRCHR and "strchr" to...
	(region_model::on_call_post): ...here.

2022-11-03  David Malcolm  <dmalcolm@redhat.com>

	* analyzer.h: Use std::unique_ptr for state machines from plugins.
	* engine.cc: Likewise.

2022-11-03  David Malcolm  <dmalcolm@redhat.com>

	* analyzer.h: Use std::unique_ptr for known functions.
	* engine.cc: Likewise.
	* known-function-manager.cc: Likewise.
	* known-function-manager.h: Likewise.

2022-11-03  David Malcolm  <dmalcolm@redhat.com>

	* analysis-plan.cc: Define INCLUDE_MEMORY before including
	system.h.
	* analyzer-pass.cc: Likewise.
	* analyzer-selftests.cc: Likewise.
	* analyzer.cc: Likewise.
	* analyzer.h: Use std::unique_ptr in bifurcation code.
	* call-string.cc: Define INCLUDE_MEMORY before including system.h.
	* complexity.cc: Likewise.
	* engine.cc: Use std::unique_ptr in bifurcation code.
	* exploded-graph.h: Likewise.
	* known-function-manager.cc: Define INCLUDE_MEMORY before
	including system.h.
	* region-model-impl-calls.cc: Use std::unique_ptr in bifurcation
	code.
	* region-model.cc: Likewise.
	* region-model.h: Likewise.
	* supergraph.cc: Define INCLUDE_MEMORY before including system.h.

2022-11-03  David Malcolm  <dmalcolm@redhat.com>

	* call-info.cc: Use std::unique_ptr for checker_event.
	* checker-path.cc: Likewise.
	* checker-path.h: Likewise.
	* diagnostic-manager.cc: Likewise.
	* engine.cc: Likewise.
	* pending-diagnostic.cc: Likewise.
	* sm-signal.cc: Likewise.
	* varargs.cc: Likewise.

2022-11-03  David Malcolm  <dmalcolm@redhat.com>

	* diagnostic-manager.cc: Include "make-unique.h".
	Use std::unique_ptr for feasibility_problems and exploded_path.
	Delete explicit saved_diagnostic dtor.
	* diagnostic-manager.h: Likewise.
	* engine.cc: Likewise.
	* exploded-graph.h: Likewise.
	* feasible-graph.cc: Likewise.
	* feasible-graph.h: Likewise.

2022-11-03  David Malcolm  <dmalcolm@redhat.com>

	* checker-path.cc (rewind_event::rewind_event): Update for usage of
	std::unique_ptr on custom_edge_info.
	* engine.cc (exploded_node::on_longjmp): Likewise.
	(exploded_edge::exploded_edge): Likewise.
	(exploded_edge::~exploded_edge): Delete.
	(exploded_graph::add_function_entry): Update for usage of
	std::unique_ptr on custom_edge_info.
	(exploded_graph::add_edge): Likewise.
	(add_tainted_args_callback): Likewise.
	(exploded_graph::maybe_create_dynamic_call): Likewise.
	(exploded_graph::process_node): Likewise.
	* exploded-graph.h (exploded_edge::~exploded_edge): Delete.
	(exploded_edge::m_custom_info): Use std::unique_ptr.
	(exploded_edge::add_edge): Likewise.
	* sm-signal.cc (register_signal_handler::impl_transition): Use
	make_unique.

2022-11-03  David Malcolm  <dmalcolm@redhat.com>

	* diagnostic-manager.cc (saved_diagnostic::saved_diagnostic): Make
	stmt_finder const.
	(saved_diagnostic::~saved_diagnostic): Remove explicit delete of
	m_stmt_finder.
	(diagnostic_manager::add_diagnostic): Make stmt_finder const.
	* diagnostic-manager.h (saved_diagnostic::saved_diagnostic):
	Likewise.
	(saved_diagnostic::m_stmt_finder): Convert to std::unique_ptr.
	(diagnostic_manager::add_diagnostic): Make stmt_finder const.
	* engine.cc (impl_sm_context::impl_sm_context): Likewise.
	(impl_sm_context::m_stmt_finder): Likewise.
	(leak_stmt_finder::clone): Convert return type to std::unique_ptr.
	* exploded-graph.h (stmt_finder::clone): Likewise.

2022-11-03  David Malcolm  <dmalcolm@redhat.com>

	* call-info.cc: Add define of INCLUDE_MEMORY.
	* call-summary.cc: Likewise.
	* checker-path.cc: Likewise.
	* constraint-manager.cc: Likewise.
	* diagnostic-manager.cc: Likewise.
	(saved_diagnostic::saved_diagnostic): Use std::unique_ptr for
	param d and field m_d.
	(saved_diagnostic::~saved_diagnostic): Remove explicit delete of m_d.
	(saved_diagnostic::add_note): Use std::unique_ptr for
	param pn.
	(saved_diagnostic::get_pending_diagnostic): Update for conversion
	of m_sd.m_d to unique_ptr.
	(diagnostic_manager::add_diagnostic): Use std::unique_ptr for
	param d.  Remove explicit deletion.
	(diagnostic_manager::add_note): Use std::unique_ptr for param pn.
	(diagnostic_manager::emit_saved_diagnostic): Update for conversion
	of m_sd.m_d to unique_ptr.
	(null_assignment_sm_context::warn): Use std::unique_ptr for
	param d.  Remove explicit deletion.
	* diagnostic-manager.h (saved_diagnostic::saved_diagnostic): Use
	std::unique_ptr for param d.
	(saved_diagnostic::add_note): Likewise for param pn.
	(saved_diagnostic::m_d): Likewise.
	(diagnostic_manager::add_diagnostic): Use std::unique_ptr for
	param d.
	(diagnostic_manager::add_note): Use std::unique_ptr for param pn.
	* engine.cc: Include "make-unique.h".
	(impl_region_model_context::warn): Update to use std::unique_ptr
	for param, removing explicit deletion.
	(impl_region_model_context::add_note): Likewise.
	(impl_sm_context::warn): Update to use std::unique_ptr
	for param.
	(impl_region_model_context::on_state_leak): Likewise for result of
	on_leak.
	(exploded_node::on_longjmp): Use make_unique when creating
	pending_diagnostic.
	(exploded_graph::process_node): Likewise.
	* exploded-graph.h (impl_region_model_context::warn): Update to
	use std::unique_ptr for param.
	(impl_region_model_context::add_note): Likewise.
	* feasible-graph.cc: Add define of INCLUDE_MEMORY.
	* pending-diagnostic.cc: Likewise.
	* pending-diagnostic.h: Include "analyzer.sm.h".
	* program-point.cc: Add define of INCLUDE_MEMORY.
	* program-state.cc: Likewise.
	* region-model-asm.cc: Likewise.
	* region-model-impl-calls.cc: Likewise.  Include "make-unique.h".
	(region_model::impl_call_putenv): Use make_unique when creating
	pending_diagnostic.
	* region-model-manager.cc: Add define of INCLUDE_MEMORY.
	* region-model-reachability.cc: Likewise.
	* region-model.cc: Likewise.  Include "make-unique.h".
	(region_model::get_gassign_result): Use make_unique when creating
	pending_diagnostic.
	(region_model::check_for_poison): Likewise.
	(region_model::on_stmt_pre): Likewise.
	(region_model::check_symbolic_bounds): Likewise.
	(region_model::check_region_bounds): Likewise.
	(annotating_ctxt::make_note): Use std::unique_ptr for result.
	(region_model::deref_rvalue): Use make_unique when creating
	pending_diagnostic.
	(region_model::check_for_writable_region): Likewise.
	(region_model::check_region_size): Likewise.
	(region_model::check_dynamic_size_for_floats): Likewise.
	(region_model::maybe_complain_about_infoleak): Likewise.
	(noop_region_model_context::add_note): Use std::unique_ptr for
	param.  Remove explicit deletion.
	* region-model.h: Include "analyzer/pending-diagnostic.h".
	(region_model_context::warn): Convert param to std::unique_ptr.
	(region_model_context::add_note): Likewise.
	(noop_region_model_context::warn): Likewise.
	(noop_region_model_context::add_note): Likewise.
	(region_model_context_decorator::warn): Likewise.
	(region_model_context_decorator::add_note): Likewise.
	(note_adding_context::warn): Likewise.
	(note_adding_context::make_note): Likewise for return type.
	(test_region_model_context::warn): Convert param to
	std::unique_ptr.
	* region.cc: Add define of INCLUDE_MEMORY.
	* sm-fd.cc: Likewise.  Include "make-unique.h".
	(fd_state_machine::check_for_fd_attrs): Use make_unique when
	creating pending_diagnostics.
	(fd_state_machine::on_open): Likewise.
	(fd_state_machine::on_creat): Likewise.
	(fd_state_machine::check_for_dup): Likewise.
	(fd_state_machine::on_close): Likewise.
	(fd_state_machine::check_for_open_fd): Likewise.
	(fd_state_machine::on_leak): Likewise, converting return type to
	std::unique_ptr.
	* sm-file.cc: Add define of INCLUDE_MEMORY.  Include
	"make-unique.h".
	(fileptr_state_machine::on_stmt): Use make_unique when creating
	pending_diagnostic.
	(fileptr_state_machine::on_leak): Likewise, converting return type
	to std::unique_ptr.
	* sm-malloc.cc: Add define of INCLUDE_MEMORY.  Include
	"make-unique.h".
	(malloc_state_machine::on_stmt): Use make_unique when creating
	pending_diagnostic.
	(malloc_state_machine::handle_free_of_non_heap): Likewise.
	(malloc_state_machine::on_deallocator_call): Likewise.
	(malloc_state_machine::on_realloc_call): Likewise.
	(malloc_state_machine::on_leak): Likewise, converting return type
	to std::unique_ptr.
	* sm-pattern-test.cc: Add define of INCLUDE_MEMORY.  Include
	"make-unique.h".
	(pattern_test_state_machine::on_condition): Use make_unique when
	creating pending_diagnostic.
	* sm-sensitive.cc: Add define of INCLUDE_MEMORY.  Include
	"make-unique.h".
	(sensitive_state_machine::warn_for_any_exposure): Use make_unique
	when creating pending_diagnostic.
	* sm-signal.cc: Add define of INCLUDE_MEMORY.  Include
	"make-unique.h".
	(signal_state_machine::on_stmt): Use make_unique when creating
	pending_diagnostic.
	* sm-taint.cc: Add define of INCLUDE_MEMORY.  Include
	"make-unique.h".
	(taint_state_machine::check_for_tainted_size_arg): Use make_unique
	when creating pending_diagnostic.
	(taint_state_machine::check_for_tainted_divisor): Likewise.
	(region_model::check_region_for_taint): Likewise.
	(region_model::check_dynamic_size_for_taint): Likewise.
	* sm.cc: Add define of INCLUDE_MEMORY.  Include
	"analyzer/pending-diagnostic.h".
	(state_machine::on_leak): Move here from sm.h, changing return
	type to std::unique_ptr.
	* sm.h (state_machine::on_leak): Change return type to
	std::unique_ptr.  Move defn of base impl to sm.cc.
	(sm_context::warn): Convert param d to std::unique_ptr.
	* state-purge.cc: Add define of INCLUDE_MEMORY.
	* store.cc: Likewise.
	* svalue.cc: Likewise.
	* trimmed-graph.cc: Likewise.
	* varargs.cc: Likewise.  Include "make-unique.h".
	(va_list_state_machine::check_for_ended_va_list): Use make_unique
	when creating pending_diagnostic.
	(va_list_state_machine::on_leak): Likewise, converting return type
	to std::unique_ptr.
	(region_model::impl_call_va_arg): Use make_unique when creating
	pending_diagnostic.

2022-11-03  David Malcolm  <dmalcolm@redhat.com>

	PR analyzer/107486
	* analyzer.cc (is_pipe_call_p): New.
	* analyzer.h (is_pipe_call_p): New decl.
	* region-model.cc (region_model::on_call_pre): Use it.
	(region_model::on_call_post): Likewise.

2022-10-26 David Malcolm <dmalcolm@redhat.com>

	* sm-fd.cc (fd_state_machine::on_open): Transition to "unchecked"
	when the mode is symbolic, rather than just on integer constants.
	(fd_state_machine::check_for_open_fd): Don't complain about
	unchecked values in the start state.

2022-10-26 David Malcolm <dmalcolm@redhat.com>

	* sm-fd.dot: New file.

2022-10-24 David Malcolm <dmalcolm@redhat.com>

	PR analyzer/107349
	* varargs.cc (get_va_copy_arg): Fix the non-pointer case.

2022-10-24 David Malcolm <dmalcolm@redhat.com>

	PR analyzer/107345
	* region-model.cc (region_model::eval_condition_without_cm):
	Ensure that constants are on the right-hand side before checking
	for them.

2022-10-24 David Malcolm <dmalcolm@redhat.com>

	* engine.cc (impl_region_model_context::get_malloc_map): Replace
	with...
	(impl_region_model_context::get_state_map_by_name): ...this.
	(impl_region_model_context::get_fd_map): Delete.
	(impl_region_model_context::get_taint_map): Delete.
	* exploded-graph.h (impl_region_model_context::get_fd_map):
	Delete.
	(impl_region_model_context::get_malloc_map): Delete.
	(impl_region_model_context::get_taint_map): Delete.
	(impl_region_model_context::get_state_map_by_name): New.
	* region-model.h (region_model_context::get_state_map_by_name):
	New vfunc.
	(region_model_context::get_fd_map): Convert from vfunc to
	function.
	(region_model_context::get_malloc_map): Likewise.
	(region_model_context::get_taint_map): Likewise.
	(noop_region_model_context::get_state_map_by_name): New.
	(noop_region_model_context::get_fd_map): Delete.
	(noop_region_model_context::get_malloc_map): Delete.
	(noop_region_model_context::get_taint_map): Delete.
	(region_model_context_decorator::get_state_map_by_name): New.
	(region_model_context_decorator::get_fd_map): Delete.
	(region_model_context_decorator::get_malloc_map): Delete.
	(region_model_context_decorator::get_taint_map): Delete.

2022-10-24 David Malcolm <dmalcolm@redhat.com>

	PR analyzer/106300
	* engine.cc (impl_region_model_context::get_fd_map): New.
	* exploded-graph.h (impl_region_model_context::get_fd_map): New
	decl.
	* region-model-impl-calls.cc (region_model::impl_call_pipe): New.
	* region-model.cc (region_model::update_for_int_cst_return): New,
	based on...
	(region_model::update_for_zero_return): ...this. Reimplement in
	terms of the former.
	(region_model::on_call_pre): Handle "pipe" and "pipe2".
	(region_model::on_call_post): Likewise.
	* region-model.h (region_model::impl_call_pipe): New decl.
	(region_model::update_for_int_cst_return): New decl.
	(region_model::mark_as_valid_fd): New decl.
	(region_model_context::get_fd_map): New pure virtual fn.
	(noop_region_model_context::get_fd_map): New.
	(region_model_context_decorator::get_fd_map): New.
	* sm-fd.cc: Include "analyzer/program-state.h".
	(fd_state_machine::describe_state_change): Handle transitions from
	start state to valid states.
	(fd_state_machine::mark_as_valid_fd): New.
	(fd_state_machine::on_stmt): Add missing return for "creat".
	(region_model::mark_as_valid_fd): New.

2022-10-19 David Malcolm <dmalcolm@redhat.com>

	PR analyzer/105765
	* varargs.cc (get_BT_VALIST_ARG): Rename to...
	(get_va_copy_arg): ...this, and update logic for determining level
	of indirection of va_copy's argument to use type of argument,
	rather than looking at va_list_type_node, to correctly handle
	__builtin_ms_va_copy.
	(get_stateful_BT_VALIST_ARG): Rename to...
	(get_stateful_va_copy_arg): ...this.
	(va_list_state_machine::on_va_copy): Update for renaming.
	(region_model::impl_call_va_copy): Likewise.

2022-10-13 David Malcolm <dmalcolm@redhat.com>

	PR analyzer/107210
	* svalue.cc (constant_svalue::maybe_fold_bits_within): Only
	attempt to extract individual bits when tree_fits_uhwi_p.

2022-10-07 David Malcolm <dmalcolm@redhat.com>

	PR analyzer/105783
	* region-model.cc (selftest::get_bit): New function.
	(selftest::test_bits_within_svalue_folding): New.
	(selftest::analyzer_region_model_cc_tests): Call it.
	* svalue.cc (constant_svalue::maybe_fold_bits_within): Handle the
	case of extracting a single bit.

2022-10-06 David Malcolm <dmalcolm@redhat.com>

	PR analyzer/107158
	* store.cc (store::replay_call_summary_cluster): Eliminate
	special-casing of RK_HEAP_ALLOCATED in favor of sharing code with
	RK_DECL, avoiding an ICE due to attempting to bind a
	compound_svalue into a binding_cluster when an svalue in the
	summary cluster converts to a compound_svalue in the caller.

2022-10-06 David Malcolm <dmalcolm@redhat.com>

	* call-summary.cc (call_summary_replay::dump_to_pp): Bulletproof
	against NULL caller regions/svalues.

2022-10-05 David Malcolm <dmalcolm@redhat.com>

	* analysis-plan.cc: Simplify includes.
	* analyzer-pass.cc: Likewise.
	* analyzer-selftests.cc: Likewise.
	* analyzer.cc: Likewise.
	* analyzer.h: Add includes of "json.h" and "tristate.h".
	* call-info.cc: Simplify includes.
	* call-string.cc: Likewise.
	* call-summary.cc: Likewise.
	* checker-path.cc: Likewise.
	* complexity.cc: Likewise.
	* constraint-manager.cc: Likewise.
	* diagnostic-manager.cc: Likewise.
	* engine.cc: Likewise.
	* feasible-graph.cc: Likewise.
	* known-function-manager.cc: Likewise.
	* pending-diagnostic.cc: Likewise.
	* program-point.cc: Likewise.
	* program-state.cc: Likewise.
	* region-model-asm.cc: Likewise.
	* region-model-impl-calls.cc: Likewise.
	* region-model-manager.cc: Likewise.
	* region-model-reachability.cc: Likewise.
	* region-model.cc: Likewise.
	* region-model.h: Include "selftest.h".
	* region.cc: Simplify includes.
	* sm-fd.cc: Likewise.
	* sm-file.cc: Likewise.
	* sm-malloc.cc: Likewise.
	* sm-pattern-test.cc: Likewise.
	* sm-sensitive.cc: Likewise.
	* sm-signal.cc: Likewise.
	* sm-taint.cc: Likewise.
	* sm.cc: Likewise.
	* state-purge.cc: Likewise.
	* store.cc: Likewise.
	* store.h: Likewise.
	* supergraph.cc: Likewise.
	* svalue.cc: Likewise.
	* svalue.h: Likewise.
	* trimmed-graph.cc: Likewise.
	* varargs.cc: Likewise.

2022-10-05 David Malcolm <dmalcolm@redhat.com>

	PR analyzer/107060
	* call-summary.cc
	(call_summary_replay::convert_svalue_from_summary_1): Handle NULL
	results from convert_svalue_from_summary in SK_UNARY_OP and
	SK_BIN_OP.
	* engine.cc (impl_region_model_context::on_unknown_change): Bail
	out on svalues that can't have associated state.
	* region-model-impl-calls.cc
	(region_model::impl_call_analyzer_get_unknown_ptr): New.
	* region-model.cc (region_model::on_stmt_pre): Handle
	"__analyzer_get_unknown_ptr".
	* region-model.h
	(region_model::impl_call_analyzer_get_unknown_ptr): New decl.
	* store.cc (store::replay_call_summary_cluster): Avoid trying to
	create binding clusters for base regions that shouldn't have them.

2022-10-05 Martin Liska <mliska@suse.cz>

	* call-summary.cc (call_summary_replay::call_summary_replay):
	Remove unused variable and arguments.
	* call-summary.h: Likewise.
	* engine.cc (exploded_node::on_stmt): Likewise.
	(exploded_node::replay_call_summaries): Likewise.
	(exploded_node::replay_call_summary): Likewise.
	* exploded-graph.h (class exploded_node): Likewise.

2022-10-05 David Malcolm <dmalcolm@redhat.com>

	PR analyzer/107072
	* analyzer-logging.h: Include "diagnostic-core.h".
	* analyzer.h: Include "function.h".
	(class call_summary): New forward decl.
	(class call_summary_replay): New forward decl.
	(struct per_function_data): New forward decl.
	(struct interesting_t): New forward decl.
	(custom_edge_info::update_state): New vfunc.
	* call-info.cc (custom_edge_info::update_state): New.
	* call-summary.cc: New file.
	* call-summary.h: New file.
	* constraint-manager.cc: Include "analyzer/call-summary.h".
	(class replay_fact_visitor): New.
	(constraint_manager::replay_call_summary): New.
	* constraint-manager.h (constraint_manager::replay_call_summary):
	New.
	* engine.cc: Include "analyzer/call-summary.h".
	(exploded_node::on_stmt): Handle call summaries.
	(class call_summary_edge_info): New.
	(exploded_node::replay_call_summaries): New.
	(exploded_node::replay_call_summary): New.
	(per_function_data::~per_function_data): New.
	(per_function_data::add_call_summary): Move here from header and
	reimplement.
	(exploded_graph::process_node): Call update_state rather than
	update_model when handling bifurcation.
	(viz_callgraph_node::dump_dot): Use a regular label rather
	than an HTML table; add summaries to dump.
	* exploded-graph.h: Include "alloc-pool.h", "fibonacci_heap.h",
	"supergraph.h", "sbitmap.h", "shortest-paths.h", "analyzer/sm.h",
	"analyzer/program-state.h", and "analyzer/diagnostic-manager.h".
	(exploded_node::replay_call_summaries): New decl.
	(exploded_node::replay_call_summary): New decl.
	(per_function_data::~per_function_data): New decl.
	(per_function_data::add_call_summary): Move implementation from
	header.
	(per_function_data::m_summaries): Update type of element.
	* known-function-manager.h: Include "analyzer/analyzer-logging.h".
	* program-point.h: Include "pretty-print.h" and
	"analyzer/call-string.h".
	* program-state.cc: Include "analyzer/call-summary.h".
	(sm_state_map::replay_call_summary): New.
	(program_state::replay_call_summary): New.
	* program-state.h (sm_state_map::replay_call_summary): New decl.
	(program_state::replay_call_summary): New decl.
	* region-model-manager.cc
	(region_model_manager::get_or_create_asm_output_svalue): New
	overload.
	* region-model-manager.h
	(region_model_manager::get_or_create_asm_output_svalue): New
	overload decl.
	* region-model.cc: Include "analyzer/call-summary.h".
	(region_model::maybe_update_for_edge): Remove call to
	region_model::update_for_call_summary on
	SUPEREDGE_INTRAPROCEDURAL_CALL.
	(region_model::update_for_call_summary): Delete.
	(region_model::replay_call_summary): New.
	* region-model.h (region_model::replay_call_summary): New decl.
	(region_model::update_for_call_summary): Delete decl.
	* store.cc: Include "analyzer/call-summary.h".
	(store::replay_call_summary): New.
	(store::replay_call_summary_cluster): New.
	* store.h: Include "tristate.h".
	(is_a_helper <const ana::concrete_binding *>::test): New.
	(store::replay_call_summary): New decl.
	(store::replay_call_summary_cluster): New decl.
	* supergraph.cc (get_ultimate_function_for_cgraph_edge): Remove
	"static" from decl.
	(supergraph_call_edge): Make stmt param const.
	* supergraph.h: Include "ordered-hash-map.h", "cfg.h",
	"basic-block.h", "gimple.h", "gimple-iterator.h", and "digraph.h".
	(supergraph_call_edge): Make stmt param const.
	(get_ultimate_function_for_cgraph_edge): New decl.
	* svalue.cc (compound_svalue::compound_svalue): Assert that we're
	not nesting compound_svalues.
	* svalue.h: Include "json.h", "analyzer/store.h", and
	"analyzer/program-point.h".
	(asm_output_svalue::get_num_outputs): New accessor.

2022-10-05 David Malcolm <dmalcolm@redhat.com>

	* region-model.h: Include "analyzer/region-model-manager.h".
	(class region_model_manager): Move decl to...
	* region-model-manager.h: ...this new file.

2022-10-05 David Malcolm <dmalcolm@redhat.com>

	* region-model-manager.cc
	(region_model_manager::maybe_fold_unaryop): Fold -(-(VAL)) to VAL.

2022-10-05 David Malcolm <dmalcolm@redhat.com>

	* region-model-manager.cc
	(region_model_manager::get_or_create_widening_svalue): Use a
	function_point rather than a program_point.
	* region-model.cc (selftest::test_widening_constraints): Likewise.
	* region-model.h
	(region_model_manager::get_or_create_widening_svalue): Likewise.
	(model_merger::get_function_point): New.
	* svalue.cc (svalue::can_merge_p): Use a function_point rather
	than a program_point.
	(svalue::can_merge_p): Likewise.
	* svalue.h (widening_svalue::key_t): Likewise.
	(widening_svalue::widening_svalue): Likewise.

2022-09-12 Martin Liska <mliska@suse.cz>

	* region-model.cc (region_model::maybe_complain_about_infoleak):
	Remove unused fields.

2022-09-11 Tim Lange <mail@tim-lange.me>

	PR analyzer/106845
	* region-model.cc (region_model::check_region_bounds):
	Bail out if 0 bytes were accessed.
	* store.cc (byte_range::dump_to_pp):
	Add special case for empty ranges.
	(byte_range::exceeds_p): Restrict to non-empty ranges.
	(byte_range::falls_short_of_p): Restrict to non-empty ranges.
	* store.h (bit_range::empty_p): New function.
	(bit_range::get_last_byte_offset): Restrict to non-empty ranges.
	(byte_range::empty_p): New function.
	(byte_range::get_last_byte_offset): Restrict to non-empty ranges.

2022-09-09 David Malcolm <dmalcolm@redhat.com>

	* analyzer.opt (Wanalyzer-exposure-through-uninit-copy): New.
	* checker-path.cc (region_creation_event::region_creation_event):
	Add "capacity" and "kind" params.
	(region_creation_event::get_desc): Generalize to different kinds
	of event.
	(checker_path::add_region_creation_event): Convert to...
	(checker_path::add_region_creation_events): ...this.
	* checker-path.h (enum rce_kind): New.
	(region_creation_event::region_creation_event): Add "capacity" and
	"kind" params.
	(region_creation_event::m_capacity): New field.
	(region_creation_event::m_rce_kind): New field.
	(checker_path::add_region_creation_event): Convert to...
	(checker_path::add_region_creation_events): ...this.
	* diagnostic-manager.cc (diagnostic_manager::build_emission_path):
	Update for multiple region creation events.
	(diagnostic_manager::add_event_on_final_node): Likewise.
	(diagnostic_manager::add_events_for_eedge): Likewise.
	* region-model-impl-calls.cc (call_details::get_logger): New.
	* region-model.cc: Define INCLUDE_MEMORY before including
	"system.h". Include "gcc-rich-location.h".
	(class record_layout): New.
	(class exposure_through_uninit_copy): New.
	(contains_uninit_p): New.
	(region_model::maybe_complain_about_infoleak): New.
	* region-model.h (call_details::get_logger): New decl.
	(region_model::maybe_complain_about_infoleak): New decl.
	(region_model::mark_as_tainted): New decl.
	* sm-taint.cc (region_model::mark_as_tainted): New.

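The entry above introduces -Wanalyzer-exposure-through-uninit-copy and the record_layout / contains_uninit_p machinery behind it. The C below is an added example written for this page; it is not GCC code and not part of the ChangeLog. It shows the bug class the warning is aimed at: a struct whose named fields are all assigned but whose padding bytes were never initialised, so copying its raw bytes to a less trusted destination (a kernel copy_to_user() is the classic case) leaks whatever that memory held before. The struct, the function names and the 0xAA poisoning (a constructed stand-in for stale stack contents) are assumptions of the example; the presence of padding assumes a typical ABI where uint64_t has an alignment greater than one.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Constructed reply struct. On common ABIs there are padding bytes after
   'flag' (to align 'value') and after 'code' (to round up the size). */
struct reply {
    uint8_t  flag;
    uint64_t value;
    uint16_t code;
};

/* The pattern the warning targets: every named field is written, but the
   padding keeps whatever the memory held before. */
void fill_reply_unsafe(struct reply *r, uint64_t v)
{
    r->flag = 1;
    r->value = v;
    r->code = 200;
}

/* Hardened form: zero the whole object first, so the padding carries no
   stale data when the raw bytes are copied out. */
void fill_reply_safe(struct reply *r, uint64_t v)
{
    memset(r, 0, sizeof *r);
    r->flag = 1;
    r->value = v;
    r->code = 200;
}

/* Is byte offset 'i' inside one of the named fields? */
static int in_named_field(size_t i)
{
    return (i >= offsetof(struct reply, flag) &&
            i <  offsetof(struct reply, flag) + sizeof(uint8_t)) ||
           (i >= offsetof(struct reply, value) &&
            i <  offsetof(struct reply, value) + sizeof(uint64_t)) ||
           (i >= offsetof(struct reply, code) &&
            i <  offsetof(struct reply, code) + sizeof(uint16_t));
}

/* Stand-in for the copy to a less trusted destination: walk the raw bytes
   that would be copied and count the padding bytes that are nonzero, i.e.
   bytes of old memory that would escape. Returns 0 when nothing leaks. */
size_t count_leaked_padding(const struct reply *r)
{
    const unsigned char *p = (const unsigned char *)r;
    size_t leaked = 0;
    for (size_t i = 0; i < sizeof *r; i++)
        if (!in_named_field(i) && p[i] != 0)
            leaked++;
    return leaked;
}

/* Run one variant over memory poisoned with 0xAA (constructed stand-in for
   stale stack contents) and report how many padding bytes would leak. */
size_t demo_leak(int use_safe_fill)
{
    struct reply r;
    memset(&r, 0xAA, sizeof r);   /* simulate stale data left on the stack */
    if (use_safe_fill)
        fill_reply_safe(&r, 42);
    else
        fill_reply_unsafe(&r, 42);
    return count_leaked_padding(&r);
}
```

demo_leak(0) reports the padding bytes that would cross the trust boundary, demo_leak(1) reports none. A memset over the whole object is the reliable fix: the C standard leaves padding unspecified even after an aggregate initialiser, so relying on `= {0}` to clear it is a compiler-specific habit rather than a guarantee.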
2022-09-09 David Malcolm <dmalcolm@redhat.com>

	* analyzer.h (class known_function_manager): New forward decl.
	(class known_function): New.
	(plugin_analyzer_init_iface::register_known_function): New.
	* engine.cc: Include "analyzer/known-function-manager.h".
	(plugin_analyzer_init_impl::plugin_analyzer_init_impl): Add
	known_fn_mgr param.
	(plugin_analyzer_init_impl::register_state_machine): Add
	LOC_SCOPE.
	(plugin_analyzer_init_impl::register_known_function): New.
	(plugin_analyzer_init_impl::m_known_fn_mgr): New.
	(impl_run_checkers): Update plugin callback invocation to use
	eng's known_function_manager.
	* known-function-manager.cc: New file.
	* known-function-manager.h: New file.
	* region-model-manager.cc
	(region_model_manager::region_model_manager): Pass logger to
	m_known_fn_mgr's ctor.
	* region-model.cc (region_model::update_for_zero_return): New.
	(region_model::update_for_nonzero_return): New.
	(maybe_simplify_upper_bound): New.
	(region_model::maybe_get_copy_bounds): New.
	(region_model::get_known_function): New.
	(region_model::on_call_pre): Handle plugin-supplied known
	functions.
	* region-model.h: Include "analyzer/known-function-manager.h".
	(region_model_manager::get_known_function_manager): New.
	(region_model_manager::m_known_fn_mgr): New.
	(call_details::get_model): New accessor.
	(region_model::maybe_get_copy_bounds): New decl.
	(region_model::update_for_zero_return): New decl.
	(region_model::update_for_nonzero_return): New decl.
	(region_model::get_known_function): New decl.
	(region_model::get_known_function_manager): New.

2022-09-08 Tim Lange <mail@tim-lange.me>

	PR analyzer/106625
	* analyzer.h (region_offset): Eliminate m_is_symbolic member.
	* region-model-impl-calls.cc (region_model::impl_call_realloc):
	Refine implementation to be more precise.
	* region-model.cc (class symbolic_past_the_end):
	Abstract diagnostic class to complain about accesses past the end
	with symbolic values.
	(class symbolic_buffer_overflow):
	Concrete diagnostic class to complain about buffer overflows with
	symbolic values.
	(class symbolic_buffer_overread):
	Concrete diagnostic class to complain about buffer overreads with
	symbolic values.
	(region_model::check_symbolic_bounds): New function.
	(maybe_get_integer_cst_tree): New helper function.
	(region_model::check_region_bounds):
	Add call to check_symbolic_bounds if offset is not concrete.
	(region_model::eval_condition_without_cm):
	Add support for EQ_EXPR and GT_EXPR with binaryop_svalues.
	(is_positive_svalue): New helper function.
	(region_model::symbolic_greater_than):
	New function to handle GT_EXPR comparisons with symbolic values.
	(region_model::structural_equality): New function to compare
	whether two svalues are structured the same, i.e. evaluate to
	the same value.
	(test_struct): Reflect changes to region::calc_offset.
	(test_var): Likewise.
	(test_array_2): Likewise and add selftest with symbolic i.
	* region-model.h (class region_model): Add check_symbolic_bounds,
	symbolic_greater_than and structural_equality.
	* region.cc (region::get_offset):
	Reflect changes to region::calc_offset.
	(region::calc_offset):
	Compute the symbolic offset if the offset is not concrete.
	(region::get_relative_symbolic_offset): New function to return the
	symbolic offset in bytes relative to its parent.
	(field_region::get_relative_symbolic_offset): Likewise.
	(element_region::get_relative_symbolic_offset): Likewise.
	(offset_region::get_relative_symbolic_offset): Likewise.
	(bit_range_region::get_relative_symbolic_offset): Likewise.
	* region.h: Add get_relative_symbolic_offset.
	* store.cc (binding_key::make):
	Reflect changes to region::calc_offset.
	(binding_map::apply_ctor_val_to_range): Likewise.
	(binding_map::apply_ctor_pair_to_child_region): Likewise.
	(binding_cluster::bind_compound_sval): Likewise.
	(binding_cluster::get_any_binding): Likewise.
	(binding_cluster::maybe_get_compound_binding): Likewise.

2022-09-05 Tim Lange <mail@tim-lange.me>

	* region-model-impl-calls.cc (region_model::impl_call_strcpy):
	Handle the constant string case.
	* region-model.cc (region_model::get_string_size):
	New function to get the string size from a region or svalue.
	* region-model.h (class region_model): Add get_string_size.

2022-09-05 Tim Lange <mail@tim-lange.me>

	* region.cc (cast_region::get_relative_concrete_offset):
	New overloaded method.
	* region.h: Add cast_region::get_relative_concrete_offset.

2022-08-22 Martin Liska <mliska@suse.cz>

	* region-model.cc: Add missing final keyword.

2022-08-18 Tim Lange <mail@tim-lange.me>

	PR analyzer/106181
	* analyzer.opt: Add Wanalyzer-imprecise-floating-point-arithmetic.
	* region-model.cc (is_any_cast_p): Formatting.
	(region_model::check_region_size): Ensure precondition.
	(class imprecise_floating_point_arithmetic): New abstract
	diagnostic class for all floating-point related warnings.
	(class float_as_size_arg): Concrete diagnostic class to complain
	about floating-point operands inside the size argument.
	(class contains_floating_point_visitor):
	New visitor to find floating-point operands inside svalues.
	(region_model::check_dynamic_size_for_floats): New function.
	(region_model::set_dynamic_extents):
	Call to check_dynamic_size_for_floats.
	* region-model.h (class region_model):
	Add region_model::check_dynamic_size_for_floats.

2022-08-16 Martin Liska <mliska@suse.cz>

	* region-model.cc: Fix -Winconsistent-missing-override clang
	warning.
	* region.h: Likewise.

2022-08-15 David Malcolm <dmalcolm@redhat.com>

	PR analyzer/106626
	* region-model.cc (buffer_overread::emit): Fix copy&paste error in
	direction of the access in the note.

2022-08-15 David Malcolm <dmalcolm@redhat.com>

	PR analyzer/106573
	* region-model.cc (region_model::on_call_pre): Use check_call_args
	when ensuring that we call get_arg_svalue on all args. Remove
	redundant call from handling for stdio builtins.

2022-08-15 Immad Mir <mirimmad@outlook.com>

	PR analyzer/106551
	* sm-fd.cc (check_for_dup): Exit early if first
	argument is invalid for all dup functions.

2022-08-12 Tim Lange <mail@tim-lange.me>

	PR analyzer/106000
	* analyzer.opt: Add Wanalyzer-out-of-bounds.
	* region-model.cc (class out_of_bounds): Diagnostics base class
	for all out-of-bounds diagnostics.
	(class past_the_end): Base class derived from out_of_bounds for
	the buffer_overflow and buffer_overread diagnostics.
	(class buffer_overflow): Buffer overflow diagnostics.
	(class buffer_overread): Buffer overread diagnostics.
	(class buffer_underflow): Buffer underflow diagnostics.
	(class buffer_underread): Buffer overread diagnostics.
	(region_model::check_region_bounds): New function to check region
	bounds for out-of-bounds accesses.
	(region_model::check_region_access):
	Add call to check_region_bounds.
	(region_model::get_representative_tree): New function that accepts
	a region instead of an svalue.
	* region-model.h (class region_model):
	Add region_model::check_region_bounds.
	* region.cc (region::symbolic_p): New predicate.
	(offset_region::get_byte_size_sval): Only return the remaining
	byte size on offset_regions.
	* region.h: Add region::symbolic_p.
	* store.cc (byte_range::intersects_p):
	Add new function equivalent to bit_range::intersects_p.
	(byte_range::exceeds_p): New function.
	(byte_range::falls_short_of_p): New function.
	* store.h (struct byte_range): Add byte_range::intersects_p,
	byte_range::exceeds_p and byte_range::falls_short_of_p.

2022-08-12 Tim Lange <mail@tim-lange.me>

	PR analyzer/106539
	* region-model-impl-calls.cc (region_model::impl_call_realloc):
	Use the result of get_copied_size as the size for the
	sized_regions in realloc.
	(success_with_move::get_copied_size): New function.

2022-08-11 Immad Mir <mirimmad@outlook.com>

	PR analyzer/106551
	* sm-fd.cc (check_for_dup): Handle the m_start
	state when transitioning the state of LHS
	of dup, dup2 and dup3 call.

2022-08-09 David Malcolm <dmalcolm@redhat.com>

	PR analyzer/106573
	* region-model.cc (region_model::on_call_pre): Ensure that we call
	get_arg_svalue on all arguments.

2022-08-05 David Malcolm <dmalcolm@redhat.com>

	PR analyzer/105947
	* analyzer.opt (Wanalyzer-jump-through-null): New option.
	* engine.cc (class jump_through_null): New.
	(exploded_graph::process_node): Complain about jumps through NULL
	function pointers.

2022-08-02 Immad Mir <mirimmad@outlook.com>

	PR analyzer/106298
	* sm-fd.cc (fd_state_machine::on_open): Add
	creat, dup, dup2 and dup3 functions.
	(enum dup): New.
	(fd_state_machine::valid_to_unchecked_state): New.
	(fd_state_machine::on_creat): New.
	(fd_state_machine::on_dup): New.

2022-07-28 David Malcolm <dmalcolm@redhat.com>

	PR analyzer/105893
	* analyzer.opt (Wanalyzer-putenv-of-auto-var): New.
	* region-model-impl-calls.cc (class putenv_of_auto_var): New.
	(region_model::impl_call_putenv): New.
	* region-model.cc (region_model::on_call_pre): Handle putenv.
	* region-model.h (region_model::impl_call_putenv): New decl.

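The entry above adds -Wanalyzer-putenv-of-auto-var. The C below is an added example written for this page, not GCC code and not part of the ChangeLog. It shows the shape the warning flags and a hardened form. The point is that putenv() does not copy its argument: it stores the pointer itself in the environment, so handing it an automatic (stack) buffer leaves environ pointing at dead storage once the function returns, and a later getenv() or exec reads freed stack. The function names set_var_unsafe, set_var_safe and set_var_setenv, and the variable names used below, are made up for the example; the explicit prototypes only repeat what <stdlib.h> declares under POSIX and are there so the file builds under a strict -std setting.

```c
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* POSIX prototypes, repeated so the file also builds when the compiler's
   -std setting hides them; they match the <stdlib.h> declarations. */
int putenv(char *string);
int setenv(const char *name, const char *value, int overwrite);

/* The pattern -Wanalyzer-putenv-of-auto-var is about. putenv() keeps the
   pointer, not a copy, so after this function returns the environment
   holds a dangling pointer into a dead stack frame. Shown for comparison
   only; nothing below calls it. */
void set_var_unsafe(const char *name, const char *value)
{
    char buf[256];
    snprintf(buf, sizeof buf, "%s=%s", name, value);
    putenv(buf);   /* flagged: buf's lifetime ends at return */
}

/* Hardened form that keeps putenv(): give it storage whose lifetime
   matches the environment's. The allocation is deliberately never freed,
   because environ keeps referencing it. Returns 0 on success, -1 on
   failure (allocation or putenv error). */
int set_var_safe(const char *name, const char *value)
{
    size_t len = strlen(name) + 1 + strlen(value) + 1;   /* name '=' value NUL */
    char *entry = malloc(len);
    if (entry == NULL)
        return -1;
    snprintf(entry, len, "%s=%s", name, value);
    if (putenv(entry) != 0) {
        free(entry);   /* putenv failed, so the environment does not own it */
        return -1;
    }
    return 0;
}

/* Simplest fix when available: setenv() copies the strings for you, so
   no caller-owned buffer ever ends up in environ. Returns setenv's result
   (0 on success). */
int set_var_setenv(const char *name, const char *value)
{
    return setenv(name, value, 1 /* overwrite */);
}
```

Both hardened variants leave a getenv() of the name returning the value after the setter has returned; the unsafe one may appear to work in a test and then fail once the stack frame is reused, which is exactly why a static analysis of the argument's storage duration is more useful than a runtime test here.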
2022-07-28 David Malcolm <dmalcolm@redhat.com>

	* sm-malloc.cc (free_of_non_heap::emit): Add comment about CWE.
	* sm-taint.cc (tainted_size::emit): Likewise.

2022-07-28 David Malcolm <dmalcolm@redhat.com>

	* region.h: Add notes to the comment describing the region
	class hierarchy.

2022-07-27 Immad Mir <mirimmad@outlook.com>

	PR analyzer/106286
	* sm-fd.cc:
	(fd_diagnostic::get_meaning_for_state_change): New.

2022-07-26 David Malcolm <dmalcolm@redhat.com>

	PR analyzer/106319
	* store.cc (store::set_value): Don't strip away casts if the
	region has NULL type.

2022-07-26 David Malcolm <dmalcolm@redhat.com>

	* region.h (code_region::get_element): Remove stray decl.
	(function_region::get_element): Likewise.

2022-07-25 Martin Liska <mliska@suse.cz>

	* sm-fd.cc: Run dos2unix and fix coding style issues.

2022-07-23 Immad Mir <mirimmad@outlook.com>

	* sm-fd.cc (fd_param_diagnostic): New diagnostic class.
	(fd_access_mode_mismatch): Change inheritance from fd_diagnostic
	to fd_param_diagnostic. Add new overloaded constructor.
	(fd_use_after_close): Likewise.
	(unchecked_use_of_fd): Likewise and also change name to
	fd_use_without_check.
	(double_close): Change name to fd_double_close.
	(enum access_directions): New.
	(fd_state_machine::on_stmt): Handle calls to function with the
	new three function attributes.
	(fd_state_machine::check_for_fd_attrs): New.
	(fd_state_machine::on_open): Use the new overloaded constructors
	of diagnostic classes.

2022-07-22 David Malcolm <dmalcolm@redhat.com>

	PR analyzer/106413
	* varargs.cc (region_model::impl_call_va_start): Avoid iterating
	through non-existent variadic arguments by initializing the
	impl_region to "UNKNOWN" if the va_start occurs in the top-level
	function to the analysis.

2022-07-22 David Malcolm <dmalcolm@redhat.com>

	PR analyzer/106401
	* store.cc (binding_cluster::binding_cluster): Remove overzealous
	assertion; we're checking for tracked_p in
	store::get_or_create_cluster.

2022-07-22 Tim Lange <mail@tim-lange.me>

	PR analyzer/106394
	* region-model.cc (capacity_compatible_with_type): Always return true
	if alloc_size is zero.

2022-07-21 David Malcolm <dmalcolm@redhat.com>

	PR analyzer/106383
	* varargs.cc (region_model::impl_call_va_arg): When determining if
	we're doing interprocedural analysis, use the stack depth of the
	frame in which va_start was called, rather than the current stack
	depth.

2022-07-21 David Malcolm <dmalcolm@redhat.com>

	* sm-taint.cc (tainted_array_index::emit): Bulletproof against
	NULL m_arg.
	(tainted_array_index::describe_final_event): Likewise.
	(tainted_size::emit): Likewise.
	(tainted_size::describe_final_event): Likewise.

2022-07-21 David Malcolm <dmalcolm@redhat.com>

	PR analyzer/106374
	* region.cc (decl_region::get_svalue_for_initializer): Bail out on
	untracked regions.

2022-07-20 David Malcolm <dmalcolm@redhat.com>

	PR analyzer/106373
	* sm-taint.cc (taint_state_machine::on_condition): Potentially
	update the state of the RHS as well as the LHS.

2022-07-20 David Malcolm <dmalcolm@redhat.com>

	PR analyzer/106359
	* region.h (string_region::tracked_p): New.
	* store.cc (binding_cluster::binding_cluster): Move here from
	store.h. Add assertion that base_region is tracked_p.
	* store.h (binding_cluster::binding_cluster): Move to store.cc.

2022-07-19 David Malcolm <dmalcolm@redhat.com>

	PR analyzer/106321
	* constraint-manager.h (bounded_ranges::get_count): New.
	(bounded_ranges::get_range): New.
	* engine.cc (impl_region_model_context::on_bounded_ranges): New.
	* exploded-graph.h (impl_region_model_context::on_bounded_ranges):
	New decl.
	* region-model.cc (region_model::apply_constraints_for_gswitch):
	Potentially call ctxt->on_bounded_ranges.
	* region-model.h (region_model_context::on_bounded_ranges): New
	vfunc.
	(noop_region_model_context::on_bounded_ranges): New.
	(region_model_context_decorator::on_bounded_ranges): New.
	* sm-taint.cc: Include "analyzer/constraint-manager.h".
	(taint_state_machine::on_bounded_ranges): New.
	* sm.h (state_machine::on_bounded_ranges): New.

2022-07-19 David Malcolm <dmalcolm@redhat.com>

	* engine.cc (exploded_graph::process_node): Show any description
	of the out-edge when logging it for consideration.

2022-07-15 David Malcolm <dmalcolm@redhat.com>

	PR analyzer/106284
	* sm-taint.cc (taint_state_machine::on_condition): Handle range
	checks optimized by build_range_check.

2022-07-15 Jonathan Wakely <jwakely@redhat.com>

	* call-info.cc (call_info::print): Adjust to new label_text API.
	* checker-path.cc (checker_event::dump): Likewise.
	(region_creation_event::get_desc): Likewise.
	(state_change_event::get_desc): Likewise.
	(superedge_event::should_filter_p): Likewise.
	(start_cfg_edge_event::get_desc): Likewise.
	(call_event::get_desc): Likewise.
	(return_event::get_desc): Likewise.
	(warning_event::get_desc): Likewise.
	(checker_path::dump): Likewise.
	(checker_path::debug): Likewise.
	* diagnostic-manager.cc (diagnostic_manager::prune_for_sm_diagnostic):
	Likewise.
	(diagnostic_manager::prune_interproc_events): Likewise.
	* engine.cc (feasibility_state::maybe_update_for_edge):
	Likewise.
	* program-state.cc (sm_state_map::to_json): Likewise.
	* region-model-impl-calls.cc (region_model::impl_call_analyzer_describe): Likewise.
	(region_model::impl_call_analyzer_dump_capacity): Likewise.
	* region.cc (region::to_json): Likewise.
	* sm-malloc.cc (inform_nonnull_attribute): Likewise.
	* store.cc (binding_map::to_json): Likewise.
	(store::to_json): Likewise.
	* supergraph.cc (superedge::dump): Likewise.
	* svalue.cc (svalue::to_json): Likewise.

6345c414
GA
28332022-07-07 David Malcolm <dmalcolm@redhat.com>
2834
2835 * checker-path.cc (start_cfg_edge_event::get_desc): Update for
2836 superedge::get_description returning a label_text.
2837 * engine.cc (feasibility_state::maybe_update_for_edge): Likewise.
2838 * supergraph.cc (superedge::dump): Likewise.
2839 (superedge::get_description): Convert return type from char * to
2840 label_text.
2841 * supergraph.h (superedge::get_description): Likewise.
2842
28432022-07-07 David Malcolm <dmalcolm@redhat.com>
2844
2845 * call-info.cc (call_info::print): Update for removal of
2846 label_text::maybe_free in favor of automatic memory management.
2847 * checker-path.cc (checker_event::dump): Likewise.
2848 (checker_event::prepare_for_emission): Likewise.
2849 (state_change_event::get_desc): Likewise.
2850 (superedge_event::should_filter_p): Likewise.
2851 (start_cfg_edge_event::get_desc): Likewise.
2852 (warning_event::get_desc): Likewise.
2853 (checker_path::dump): Likewise.
2854 (checker_path::debug): Likewise.
2855 * diagnostic-manager.cc
2856 (diagnostic_manager::prune_for_sm_diagnostic): Likewise.
2857 (diagnostic_manager::prune_interproc_events): Likewise.
2858 * program-state.cc (sm_state_map::to_json): Likewise.
2859 * region.cc (region::to_json): Likewise.
2860 * sm-malloc.cc (inform_nonnull_attribute): Likewise.
2861 * store.cc (binding_map::to_json): Likewise.
2862 (store::to_json): Likewise.
2863 * svalue.cc (svalue::to_json): Likewise.
2864
28652022-07-07 David Malcolm <dmalcolm@redhat.com>
2866
2867 PR analyzer/106225
2868 * sm-taint.cc (taint_state_machine::on_stmt): Move handling of
2869 assignments from division to...
2870 (taint_state_machine::check_for_tainted_divisor): ...this new
2871 function. Reject warning when the divisor is known to be non-zero.
2872 * sm.cc: Include "analyzer/program-state.h".
2873 (sm_context::get_old_region_model): New.
2874 * sm.h (sm_context::get_old_region_model): New decl.
2875
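The three sm-taint.cc entries above (PR analyzer/106321, 106284 and 106225) all concern the moment at which the taint state machine stops treating an attacker-controlled value as unbounded: a comparison range check of the kind build_range_check folds, the case ranges of a switch (reported to the checker through the new on_bounded_ranges hook), and an explicit non-zero test on a divisor. The C program below is an added example, not code from GCC or from these commits. It puts each sanitizing shape beside the unchecked use that the existing -Wanalyzer-tainted-array-index and -Wanalyzer-tainted-divisor warnings fire on. The record layout, the table names, the sample bytes and every helper are constructed for this example; the tainted_args attribute and the -fanalyzer-checker=taint option are real GCC features.

```c
/* Added example, not GCC's own code: the three sanitizing shapes that the
   analyzer's taint state machine accepts, beside an unchecked use.
   Build with: gcc -fanalyzer -fanalyzer-checker=taint taint-example.c
   Record layout, tables and sample bytes are constructed for this example. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* tainted_args marks every argument as attacker-controlled (GCC >= 12). */
#if defined(__GNUC__) && __GNUC__ >= 12
#  define TAINTED_ARGS __attribute__((tainted_args))
#else
#  define TAINTED_ARGS
#endif

#define KIND_COUNT 4
#define PRIO_COUNT 3
static const char *const kind_names[KIND_COUNT] = {"ping", "data", "ack", "close"};
static const char *const prio_names[PRIO_COUNT] = {"low", "normal", "urgent"};

/* Assumed wire format: kind(1) prio(1) chunk(2, big-endian). */
struct record {
    uint8_t  kind;
    uint8_t  prio;
    uint16_t chunk;
};

/* All fields are copied straight from tainted bytes, so they stay tainted. */
TAINTED_ARGS
static int parse_record(const uint8_t *buf, size_t len, struct record *out)
{
    if (len < 4)
        return -1;
    out->kind  = buf[0];
    out->prio  = buf[1];
    out->chunk = (uint16_t)(((uint16_t)buf[2] << 8) | buf[3]);
    return 0;
}

/* Unsanitized index: -Wanalyzer-tainted-array-index, and an out-of-bounds
   read at run time for prio >= PRIO_COUNT.  Kept only as the "before". */
const char *prio_name_unchecked(const uint8_t *buf, size_t len)
{
    struct record r;
    if (parse_record(buf, len, &r) < 0)
        return "short";
    return prio_names[r.prio];
}

/* 1. Comparison range check, the shape build_range_check folds (PR 106284). */
const char *prio_name_checked(const uint8_t *buf, size_t len)
{
    struct record r;
    if (parse_record(buf, len, &r) < 0)
        return "short";
    if (r.prio >= PRIO_COUNT)
        return "invalid";
    return prio_names[r.prio];
}

/* 2. switch over a case range (PR 106321): inside the arm the value is
   known to lie in 0..KIND_COUNT-1, so it is a safe index there. */
const char *kind_name_checked(const uint8_t *buf, size_t len)
{
    struct record r;
    if (parse_record(buf, len, &r) < 0)
        return "short";
    switch (r.kind) {
    case 0 ... KIND_COUNT - 1:
        return kind_names[r.kind];   /* bounded by the case range */
    default:
        return "invalid";            /* everything else is rejected */
    }
}

/* 3. Tainted divisor (PR 106225): the explicit zero test is what silences
   -Wanalyzer-tainted-divisor.  Widening to 64 bits keeps the ceiling
   division from overflowing for totals near UINT32_MAX. */
int64_t chunks_needed_checked(const uint8_t *buf, size_t len, uint32_t total)
{
    struct record r;
    if (parse_record(buf, len, &r) < 0 || r.chunk == 0)
        return -1;
    return (int64_t)(((uint64_t)total + r.chunk - 1) / r.chunk);
}

/* Constructed sample inputs, not captured traffic. */
static const uint8_t sample_ok[4]         = {1, 2, 0x01, 0x00};   /* data, urgent, chunk 256 */
static const uint8_t sample_bad[4]        = {9, 200, 0x00, 0x10}; /* kind and prio out of range */
static const uint8_t sample_zero_chunk[4] = {3, 0, 0x00, 0x00};   /* chunk 0 would divide by zero */

int main(void)
{
    printf("ok: %s/%s chunks=%lld\n", kind_name_checked(sample_ok, 4),
           prio_name_checked(sample_ok, 4),
           (long long)chunks_needed_checked(sample_ok, 4, 1000));
    printf("bad: %s/%s; zero chunk: %lld\n", kind_name_checked(sample_bad, 4),
           prio_name_checked(sample_bad, 4),
           (long long)chunks_needed_checked(sample_zero_chunk, 4, 1000));
    return 0;
}
```

Running the analyzer over this file reports only on prio_name_unchecked; the checked variants are exactly the forms the three commits teach sm-taint.cc to recognise, so a reader can delete one of the guards and watch the corresponding warning return.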
2022-07-06  Immad Mir  <mirimmad@outlook.com>

	PR analyzer/106184
	* sm-fd.cc (fd_state_machine): Change ordering of initialization
	of state m_invalid so that the order of initializers is same as
	the ordering of the fields in the class decl.

2022-07-06  Immad Mir  <mirimmad@outlook.com>

	* sm-fd.cc (use_after_close): save the "close" event and
	show it where possible.

2022-07-06  David Malcolm  <dmalcolm@redhat.com>

	PR analyzer/106204
	* region-model.cc (within_short_circuited_stmt_p): Move extraction
	of assign_stmt to caller.
	(due_to_ifn_deferred_init_p): New.
	(region_model::check_for_poison): Move extraction of assign_stmt
	from within_short_circuited_stmt_p to here. Share logic with
	call to due_to_ifn_deferred_init_p.

2022-07-02  Tim Lange  <mail@tim-lange.me>

	PR analyzer/105900
	* analyzer.opt: Added Wanalyzer-allocation-size.
	* checker-path.cc (region_creation_event::get_desc): Added call to new
	virtual function pending_diagnostic::describe_region_creation_event.
	* checker-path.h: Added region_creation_event::get_desc.
	* diagnostic-manager.cc (diagnostic_manager::add_event_on_final_node):
	New function.
	* diagnostic-manager.h:
	Added diagnostic_manager::add_event_on_final_node.
	* pending-diagnostic.h (struct region_creation): New event_desc struct.
	(pending_diagnostic::describe_region_creation_event): Added virtual
	function to overwrite description of a region creation.
	* region-model.cc (class dubious_allocation_size): New class.
	(capacity_compatible_with_type): New helper function.
	(class size_visitor): New class.
	(struct_or_union_with_inheritance_p): New helper function.
	(is_any_cast_p): New helper function.
	(region_model::check_region_size): New function.
	(region_model::set_value): Added call to
	region_model::check_region_size.
	* region-model.h (class region_model): New function check_region_size.
	* svalue.cc (region_svalue::accept): Changed to post-order traversal.
	(initial_svalue::accept): Likewise.
	(unaryop_svalue::accept): Likewise.
	(binop_svalue::accept): Likewise.
	(sub_svalue::accept): Likewise.
	(repeated_svalue::accept): Likewise.
	(bits_within_svalue::accept): Likewise.
	(widening_svalue::accept): Likewise.
	(unmergeable_svalue::accept): Likewise.
	(compound_svalue::accept): Likewise.
	(conjured_svalue::accept): Likewise.
	(asm_output_svalue::accept): Likewise.
	(const_fn_result_svalue::accept): Likewise.

2022-07-02  Immad Mir  <mirimmad17@gmail.com>

	PR analyzer/106003
	* analyzer.opt (Wanalyzer-fd-leak): New option.
	(Wanalyzer-fd-access-mode-mismatch): New option.
	(Wanalyzer-fd-use-without-check): New option.
	(Wanalyzer-fd-double-close): New option.
	(Wanalyzer-fd-use-after-close): New option.
	* sm.h (make_fd_state_machine): New decl.
	* sm.cc (make_checkers): Call make_fd_state_machine.
	* sm-fd.cc: New file.

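The five -Wanalyzer-fd-* options introduced with sm-fd.cc above each name one misuse of a POSIX file descriptor. The C program below is an added example, not GCC's code and not part of the commit. Its first function packs all five patterns into one body, with the warning the state machine raises noted on each line; the remaining functions show the disciplined form the checker accepts: test open's result before use, open with a mode that matches the use, close exactly once on every path, and never touch the descriptor after close. The temporary-file path, the helper names and demo_roundtrip are constructed for this example.

```c
/* Added example, not GCC's own code: the five fd misuses reported by the
   new sm-fd.cc state machine (one per line in tally_unchecked), beside
   the disciplined form.  Build with: gcc -fanalyzer fd-example.c
   Path, helper names and demo_roundtrip are constructed for this example. */
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

/* "Before": kept only to show what the state machine looks for. */
int tally_unchecked(const char *path)
{
    int fd = open(path, O_RDONLY);
    char c;
    ssize_t n = read(fd, &c, 1);  /* -Wanalyzer-fd-use-without-check: fd may be -1 */
    if (n < 0)
        return -1;                /* -Wanalyzer-fd-leak: fd is still open here */
    (void)write(fd, "x", 1);      /* -Wanalyzer-fd-access-mode-mismatch: opened O_RDONLY */
    close(fd);
    close(fd);                    /* -Wanalyzer-fd-double-close */
    return (int)read(fd, &c, 1);  /* -Wanalyzer-fd-use-after-close */
}

/* Write all of buf, retrying on short writes and EINTR. */
static int write_all(int fd, const char *buf, size_t len)
{
    while (len > 0) {
        ssize_t n = write(fd, buf, len);
        if (n < 0) {
            if (errno == EINTR)
                continue;
            return -1;
        }
        buf += n;
        len -= (size_t)n;
    }
    return 0;
}

/* Append line + '\n'.  The mode matches the use, the descriptor is checked,
   and there is exactly one close on every path out of the function. */
int append_line(const char *path, const char *line)
{
    int fd = open(path, O_WRONLY | O_APPEND | O_CREAT | O_CLOEXEC, 0600);
    if (fd < 0)
        return -1;
    int rc = 0;
    if (write_all(fd, line, strlen(line)) < 0 || write_all(fd, "\n", 1) < 0)
        rc = -1;
    if (close(fd) < 0)            /* the only close; fd is dead after this */
        rc = -1;
    return rc;
}

/* Read up to cap-1 bytes, NUL-terminate, return the length or -1. */
ssize_t read_file(const char *path, char *buf, size_t cap)
{
    int fd = open(path, O_RDONLY | O_CLOEXEC);
    if (fd < 0)
        return -1;
    size_t used = 0;
    ssize_t n;
    while (used < cap - 1 && (n = read(fd, buf + used, cap - 1 - used)) != 0) {
        if (n < 0) {
            if (errno == EINTR)
                continue;
            close(fd);            /* error path still closes exactly once */
            return -1;
        }
        used += (size_t)n;
    }
    buf[used] = '\0';
    return close(fd) < 0 ? -1 : (ssize_t)used;
}

/* Round trip through a mkstemp file; 0 when the bytes read back match. */
int demo_roundtrip(void)
{
    char path[] = "/tmp/sm-fd-exampleXXXXXX";
    char buf[64];
    int rc = -1;
    int fd = mkstemp(path);
    if (fd < 0)
        return -1;
    close(fd);                    /* reopened by path below; this fd is done */
    if (append_line(path, "alpha") == 0 && append_line(path, "beta") == 0
        && read_file(path, buf, sizeof buf) == 11
        && strcmp(buf, "alpha\nbeta\n") == 0)
        rc = 0;
    unlink(path);
    return rc;
}

int main(void)
{
    int rc = demo_roundtrip();
    printf("roundtrip: %s\n", rc == 0 ? "ok" : "failed");
    return rc == 0 ? 0 : 1;
}
```

With -fanalyzer the five diagnostics land on tally_unchecked and nothing is reported for the rest; demo_roundtrip exercises the hardened functions against a temporary file under /tmp and removes it afterwards.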
2022-06-24  David Malcolm  <dmalcolm@redhat.com>

	* call-string.cc: Add includes of "analyzer/analyzer.h"
	and "analyzer/analyzer-logging.h".
	(call_string::call_string): Delete copy ctor.
	(call_string::operator=): Delete.
	(call_string::operator==): Delete.
	(call_string::hash): Delete.
	(call_string::push_call): Make const, returning the resulting
	call_string.
	(call_string::pop): Delete.
	(call_string::cmp_ptr_ptr): New.
	(call_string::validate): Assert that m_parent is non-NULL, or
	m_elements is empty.
	(call_string::call_string): Move default ctor here from
	call-string.h and reimplement. Add ctor taking a parent
	and an element.
	(call_string::~call_string): New.
	(call_string::recursive_log): New.
	* call-string.h (call_string::call_string): Move default ctor's
	defn to call-string.cc. Delete copy ctor. Add ctor taking a
	parent and an element.
	(call_string::operator=): Delete.
	(call_string::operator==): Delete.
	(call_string::hash): Delete.
	(call_string::push_call): Make const, returning the resulting
	call_string.
	(call_string::pop): Delete decl.
	(call_string::get_parent): New.
	(call_string::cmp_ptr_ptr): New decl.
	(call_string::get_top_of_stack): New.
	(struct call_string::hashmap_traits_t): New.
	(class call_string): Add friend class region_model_manager. Add
	DISABLE_COPY_AND_ASSIGN.
	(call_string::~call_string): New decl.
	(call_string::recursive_log): New decl.
	(call_string::m_parent): New field.
	(call_string::m_children): New field.
	* constraint-manager.cc (selftest::test_many_constants): Pass
	model manager to program_point::origin.
	* engine.cc (exploded_graph::exploded_graph): Likewise.
	(exploded_graph::add_function_entry): Likewise for
	program_point::from_function_entry.
	(add_tainted_args_callback): Likewise.
	(exploded_graph::maybe_process_run_of_before_supernode_enodes):
	Update for change to program_point.get_call_string.
	(exploded_graph::process_node): Likewise.
	(class function_call_string_cluster): Convert m_cs from a
	call_string to a const call_string &.
	(struct function_call_string): Likewise.
	(pod_hash_traits<function_call_string>::hash): Use pointer_hash
	for m_cs.
	(pod_hash_traits<function_call_string>::equal): Update for change
	to m_cs.
	(root_cluster::add_node): Update for change to
	function_call_string.
	(viz_callgraph_node::dump_dot): Update for change to call_string.
	* exploded-graph.h (per_call_string_data::m_key): Convert to a
	reference.
	(struct eg_call_string_hash_map_traits): Delete.
	(exploded_graph::call_string_data_map_t): Remove traits class.
	* program-point.cc: Move include of "analyzer/call-string.h" to
	after "analyzer/analyzer-logging.h".
	(program_point::print): Update for conversion of m_call_string to
	a pointer.
	(program_point::to_json): Likewise.
	(program_point::push_to_call_stack): Update for immutability of
	call strings.
	(program_point::pop_from_call_stack): Likewise.
	(program_point::hash): Use pointer hashing for m_call_string.
	(program_point::get_function_at_depth): Update for change to
	m_call_string.
	(program_point::validate): Update for changes to call_string.
	(program_point::on_edge): Likewise.
	(program_point::origin): Move here from call-string.h. Add
	region_model_manager param and use it to get empty call string.
	(program_point::from_function_entry): Likewise.
	(selftest::test_function_point_ordering): Likewise.
	(selftest::test_function_point_ordering): Likewise.
	* program-point.h (program_point::program_point): Update for
	change to m_call_string.
	(program_point::get_call_string): Likewise.
	(program_point::get_stack_depth): Likewise.
	(program_point::origin): Add region_model_manager param, and move
	defn to call-string.cc.
	(program_point::from_function_entry): Likewise.
	(program_point::empty): Drop call_string.
	(program_point::deleted): Likewise.
	(program_point::program_point): New private ctor.
	(program_point::m_call_string): Convert from call_string to const
	call_string *.
	* program-state.cc (selftest::test_program_state_merging): Update
	for call_string changes.
	(selftest::test_program_state_merging_2): Likewise.
	* region-model-manager.cc
	(region_model_manager::region_model_manager): Construct
	m_empty_call_string.
	(region_model_manager::log_stats): Log the call strings.
	* region-model.cc (assert_region_models_merge): Pass the
	region_model_manager when creating program_point instances.
	(selftest::test_state_merging): Likewise.
	(selftest::test_constraint_merging): Likewise.
	(selftest::test_widening_constraints): Likewise.
	(selftest::test_iteration_1): Likewise.
	* region-model.h (region_model_manager::get_empty_call_string):
	New.
	(region_model_manager::m_empty_call_string): New.
	* sm-signal.cc (register_signal_handler::impl_transition): Update
	for changes to call_string.

2022-06-24  David Malcolm  <dmalcolm@redhat.com>

	* call-string.cc (call_string::calc_recursion_depth): Whitespace
	cleanups.
	(call_string::cmp): Likewise.
	(call_string::get_caller_node): Likewise.
	(call_string::validate): Likewise.
	* engine.cc (dynamic_call_info_t::add_events_to_path): Likewise.
	(exploded_graph::get_per_function_data): Likewise.
	(exploded_graph::maybe_create_dynamic_call): Likewise.
	(exploded_graph::maybe_create_dynamic_call): Likewise.
	(exploded_graph::process_node): Likewise.

2022-06-16  David Malcolm  <dmalcolm@redhat.com>

	* varargs.cc (va_arg_type_mismatch::emit): Associate the warning
	with CWE-686 ("Function Call With Incorrect Argument Type").

2022-06-16  David Malcolm  <dmalcolm@redhat.com>

	* varargs.cc: Include "diagnostic-metadata.h".
	(va_list_exhausted::emit): Associate the warning with
	CWE-685 ("Function Call With Incorrect Number of Arguments").

2022-06-16  David Malcolm  <dmalcolm@redhat.com>

	* sm-file.cc (double_fclose::emit): Associate the warning with
	CWE-1341 ("Multiple Releases of Same Resource or Handle").

2022-06-15  David Malcolm  <dmalcolm@redhat.com>

	PR analyzer/105962
	* analyzer.opt (fanalyzer-undo-inlining): New option.
	* checker-path.cc: Include "diagnostic-core.h" and
	"inlining-iterator.h".
	(event_kind_to_string): Handle EK_INLINED_CALL.
	(class inlining_info): New class.
	(checker_event::checker_event): Move here from checker-path.h.
	Store original fndecl and depth, and calculate effective fndecl
	and depth based on inlining information.
	(checker_event::dump): Emit original depth as well as effective
	depth when they differ; likewise for fndecl.
	(region_creation_event::get_desc): Use m_effective_fndecl.
	(inlined_call_event::get_desc): New.
	(inlined_call_event::get_meaning): New.
	(checker_path::inject_any_inlined_call_events): New.
	* checker-path.h (enum event_kind): Add EK_INLINED_CALL.
	(checker_event::checker_event): Make protected, and move
	definition to checker-path.cc.
	(checker_event::get_fndecl): Use effective fndecl.
	(checker_event::get_stack_depth): Use effective stack depth.
	(checker_event::get_logical_location): Use effective stack depth.
	(checker_event::get_original_stack_depth): New.
	(checker_event::m_fndecl): Rename to...
	(checker_event::m_original_fndecl): ...this.
	(checker_event::m_depth): Rename to...
	(checker_event::m_original_depth): ...this.
	(checker_event::m_effective_fndecl): New field.
	(checker_event::m_effective_depth): New field.
	(class inlined_call_event): New checker_event subclass.
	(checker_path::inject_any_inlined_call_events): New decl.
	* diagnostic-manager.cc: Include "inlining-iterator.h".
	(diagnostic_manager::emit_saved_diagnostic): Call
	checker_path::inject_any_inlined_call_events.
	(diagnostic_manager::prune_for_sm_diagnostic): Handle
	EK_INLINED_CALL.
	* engine.cc (tainted_args_function_custom_event::get_desc): Use
	effective fndecl.
	* inlining-iterator.h: New file.

2022-06-15  David Malcolm  <dmalcolm@redhat.com>

	* diagnostic-manager.cc (saved_diagnostic::dump_dot_id): New.
	(saved_diagnostic::dump_as_dot_node): New.
	* diagnostic-manager.h (saved_diagnostic::dump_dot_id): New decl.
	(saved_diagnostic::dump_as_dot_node): New decl.
	* engine.cc (exploded_node::dump_dot): Add nodes for saved
	diagnostics.

2022-06-02  David Malcolm  <dmalcolm@redhat.com>

	* checker-path.cc (checker_event::get_meaning): New.
	(function_entry_event::get_meaning): New.
	(state_change_event::get_desc): Add dump of meaning of the event
	to the -fanalyzer-verbose-state-changes output.
	(state_change_event::get_meaning): New.
	(cfg_edge_event::get_meaning): New.
	(call_event::get_meaning): New.
	(return_event::get_meaning): New.
	(start_consolidated_cfg_edges_event::get_meaning): New.
	(warning_event::get_meaning): New.
	* checker-path.h: Include "tree-logical-location.h".
	(checker_event::checker_event): Construct m_logical_loc.
	(checker_event::get_logical_location): New.
	(checker_event::get_meaning): New decl.
	(checker_event::m_logical_loc): New.
	(function_entry_event::get_meaning): New decl.
	(state_change_event::get_meaning): New decl.
	(cfg_edge_event::get_meaning): New decl.
	(call_event::get_meaning): New decl.
	(return_event::get_meaning): New decl.
	(start_consolidated_cfg_edges_event::get_meaning): New.
	(warning_event::get_meaning): New decl.
	* pending-diagnostic.h: Include "diagnostic-path.h".
	(pending_diagnostic::get_meaning_for_state_change): New vfunc.
	* sm-file.cc (file_diagnostic::get_meaning_for_state_change): New
	vfunc impl.
	* sm-malloc.cc (malloc_diagnostic::get_meaning_for_state_change):
	Likewise.
	* sm-sensitive.cc
	(exposure_through_output_file::get_meaning_for_state_change):
	Likewise.
	* sm-taint.cc (taint_diagnostic::get_meaning_for_state_change):
	Likewise.
	* varargs.cc
	(va_list_sm_diagnostic::get_meaning_for_state_change): Likewise.

2022-05-23  David Malcolm  <dmalcolm@redhat.com>

	* call-info.cc: Add "final" and "override" to all vfunc
	implementations that were missing them, as appropriate.
	* engine.cc: Likewise.
	* region-model.cc: Likewise.
	* sm-malloc.cc: Likewise.
	* supergraph.h: Likewise.
	* svalue.cc: Likewise.
	* varargs.cc: Likewise.

2022-05-20  David Malcolm  <dmalcolm@redhat.com>

	* analyzer-pass.cc: Replace uses of "FINAL" and "OVERRIDE" with
	"final" and "override".
	* call-info.h: Likewise.
	* checker-path.h: Likewise.
	* constraint-manager.cc: Likewise.
	* diagnostic-manager.cc: Likewise.
	* engine.cc: Likewise.
	* exploded-graph.h: Likewise.
	* feasible-graph.h: Likewise.
	* pending-diagnostic.h: Likewise.
	* region-model-impl-calls.cc: Likewise.
	* region-model.cc: Likewise.
	* region-model.h: Likewise.
	* region.h: Likewise.
	* sm-file.cc: Likewise.
	* sm-malloc.cc: Likewise.
	* sm-pattern-test.cc: Likewise.
	* sm-sensitive.cc: Likewise.
	* sm-signal.cc: Likewise.
	* sm-taint.cc: Likewise.
	* state-purge.h: Likewise.
	* store.cc: Likewise.
	* store.h: Likewise.
	* supergraph.h: Likewise.
	* svalue.h: Likewise.
	* trimmed-graph.h: Likewise.
	* varargs.cc: Likewise.

2022-05-16  David Malcolm  <dmalcolm@redhat.com>

	PR analyzer/105103
	* analyzer.cc (make_label_text_n): New.
	* analyzer.h (class var_arg_region): New forward decl.
	(make_label_text_n): New decl.
	* analyzer.opt (Wanalyzer-va-arg-type-mismatch): New option.
	(Wanalyzer-va-list-exhausted): New option.
	(Wanalyzer-va-list-leak): New option.
	(Wanalyzer-va-list-use-after-va-end): New option.
	* checker-path.cc (call_event::get_desc): Split out decl access
	into...
	(call_event::get_caller_fndecl): ...this new function and...
	(call_event::get_callee_fndecl): ...this new function.
	* checker-path.h (call_event::get_desc): Drop "FINAL".
	(call_event::get_caller_fndecl): New decl.
	(call_event::get_callee_fndecl): New decl.
	(class call_event): Make fields protected.
	* diagnostic-manager.cc (null_assignment_sm_context::warn): New
	overload.
	(null_assignment_sm_context::get_new_program_state): New.
	(diagnostic_manager::add_events_for_superedge): Move case
	SUPEREDGE_CALL to a new pending_diagnostic::add_call_event vfunc.
	* engine.cc (impl_sm_context::warn): Implement new override.
	(impl_sm_context::get_new_program_state): New.
	* pending-diagnostic.cc: Include "analyzer/diagnostic-manager.h",
	"cpplib.h", "digraph.h", "ordered-hash-map.h", "cfg.h",
	"basic-block.h", "gimple.h", "gimple-iterator.h", "cgraph.h",
	"analyzer/supergraph.h", "analyzer/program-state.h",
	"alloc-pool.h", "fibonacci_heap.h", "shortest-paths.h",
	"sbitmap.h", "analyzer/exploded-graph.h", "diagnostic-path.h",
	and "analyzer/checker-path.h".
	(ht_ident_eq): New.
	(fixup_location_in_macro_p): New.
	(pending_diagnostic::fixup_location): New.
	(pending_diagnostic::add_call_event): New.
	* pending-diagnostic.h (pending_diagnostic::fixup_location): Drop
	no-op inline implementation in favor of the more complex
	implementation above.
	(pending_diagnostic::add_call_event): New vfunc.
	* region-model-impl-calls.cc: Include "analyzer/sm.h",
	"diagnostic-path.h", and "analyzer/pending-diagnostic.h".
	* region-model-manager.cc
	(region_model_manager::get_var_arg_region): New.
	(region_model_manager::log_stats): Log m_var_arg_regions.
	* region-model.cc (region_model::on_call_pre): Handle IFN_VA_ARG,
	BUILT_IN_VA_START, and BUILT_IN_VA_COPY.
	(region_model::on_call_post): Handle BUILT_IN_VA_END.
	(region_model::get_representative_path_var_1): Handle RK_VAR_ARG.
	(region_model::push_frame): Push variadic arguments.
	* region-model.h (region_model_manager::get_var_arg_region): New
	decl.
	(region_model_manager::m_var_arg_regions): New field.
	(region_model::impl_call_va_start): New decl.
	(region_model::impl_call_va_copy): New decl.
	(region_model::impl_call_va_arg): New decl.
	(region_model::impl_call_va_end): New decl.
	* region.cc (alloca_region::dump_to_pp): Dump the id.
	(var_arg_region::dump_to_pp): New.
	(var_arg_region::get_frame_region): New.
	* region.h (enum region_kind): Add RK_VAR_ARG.
	(region::dyn_cast_var_arg_region): New.
	(class var_arg_region): New.
	(is_a_helper <const var_arg_region *>::test): New.
	(struct default_hash_traits<var_arg_region::key_t>): New.
	* sm.cc (make_checkers): Call make_va_list_state_machine.
	* sm.h (sm_context::warn): New vfunc.
	(sm_context::get_old_svalue): Drop unused decl.
	(sm_context::get_new_program_state): New vfunc.
	(make_va_list_state_machine): New decl.
	* varargs.cc: New file.

2022-05-16  Martin Liska  <mliska@suse.cz>

	* engine.cc (exploded_node::get_dot_fillcolor): Use ARRAY_SIZE.
	* function-set.cc (test_stdio_example): Likewise.
	* sm-file.cc (get_file_using_fns): Likewise.
	* sm-malloc.cc (malloc_state_machine::unaffected_by_call_p): Likewise.
	* sm-signal.cc (get_async_signal_unsafe_fns): Likewise.

2022-05-13  Richard Biener  <rguenther@suse.de>

	* supergraph.cc: Re-order gimple-fold.h include.

2022-05-11  David Malcolm  <dmalcolm@redhat.com>

	* checker-path.cc (state_change_event::get_desc): Call maybe_free
	on label_text temporaries.
	* diagnostic-manager.cc
	(diagnostic_manager::prune_for_sm_diagnostic): Likewise.
	* engine.cc (exploded_graph::~exploded_graph): Fix leak of
	m_per_point_data and m_per_call_string_data values. Simplify
	cleanup of m_per_function_stats and m_per_point_data values.
	(feasibility_state::maybe_update_for_edge): Fix leak of result of
	superedge::get_description.
	* region-model-manager.cc
	(region_model_manager::~region_model_manager): Move cleanup of
	m_setjmp_values to match the ordering of the fields within
	region_model_manager. Fix leak of values within
	m_repeated_values_map, m_bits_within_values_map,
	m_asm_output_values_map, and m_const_fn_result_values_map.

33172022-04-28 David Malcolm <dmalcolm@redhat.com>
3318
3319 PR analyzer/105285
3320 * store.cc (binding_cluster::get_any_binding): Handle accessing
3321 sub_svalues of clusters where the base region has a symbolic
3322 binding.
3323
33242022-04-28 David Malcolm <dmalcolm@redhat.com>
3325
3326 * diagnostic-manager.cc (epath_finder::process_worklist_item):
3327 Call dump_feasible_path when a path that reaches the the target
3328 enode is found.
3329 (epath_finder::dump_feasible_path): New.
3330 * engine.cc (feasibility_state::dump_to_pp): New.
3331 * exploded-graph.h (feasibility_state::dump_to_pp): New decl.
3332 * feasible-graph.cc (feasible_graph::dump_feasible_path): New.
3333 * feasible-graph.h (feasible_graph::dump_feasible_path): New
3334 decls.
3335 * program-point.cc (function_point::print): Fix missing trailing
3336 newlines.
3337 * program-point.h (program_point::print_source_line): Remove
3338 unimplemented decl.
3339
98de0da6
GA
33402022-04-25 David Malcolm <dmalcolm@redhat.com>
3341
3342 PR analyzer/105365
3343 PR analyzer/105366
3344 * svalue.cc
3345 (cmp_cst): Rename to...
3346 (cmp_csts_same_type): ...this. Convert all recursive calls to
3347 calls to...
3348 (cmp_csts_and_types): ....this new function.
3349 (svalue::cmp_ptr): Update for renaming of cmp_cst
3350
031bd52e
GA
33512022-04-14 David Malcolm <dmalcolm@redhat.com>
3352
3353 PR analyzer/105264
3354 * region-model-reachability.cc (reachable_regions::handle_parm):
3355 Use maybe_get_deref_base_region rather than just region_svalue, to
3356 handle pointer arithmetic also.
3357 * svalue.cc (svalue::maybe_get_deref_base_region): New.
3358 * svalue.h (svalue::maybe_get_deref_base_region): New decl.
3359
33602022-04-14 David Malcolm <dmalcolm@redhat.com>
3361
3362 PR analyzer/105252
3363 * svalue.cc (cmp_cst): When comparing VECTOR_CSTs, compare the
3364 types of the encoded elements before calling cmp_cst on them.
3365
71cac7de
GA
33662022-04-09 David Malcolm <dmalcolm@redhat.com>
3367
3368 PR analyzer/103892
3369 * region-model-manager.cc
3370 (region_model_manager::get_unknown_symbolic_region): New,
3371 extracted from...
3372 (region_model_manager::get_field_region): ...here.
3373 (region_model_manager::get_element_region): Use it here.
3374 (region_model_manager::get_offset_region): Likewise.
3375 (region_model_manager::get_sized_region): Likewise.
3376 (region_model_manager::get_cast_region): Likewise.
3377 (region_model_manager::get_bit_range): Likewise.
3378 * region-model.h
3379 (region_model_manager::get_unknown_symbolic_region): New decl.
3380 * region.cc (symbolic_region::symbolic_region): Handle sval_ptr
3381 having NULL type.
3382 (symbolic_region::dump_to_pp): Handle having NULL type.
3383
df00d103
GA
33842022-04-07 David Malcolm <dmalcolm@redhat.com>
3385
3386 PR analyzer/102208
3387 * store.cc (binding_map::remove_overlapping_bindings): Add
3388 "always_overlap" param, using it to generalize to the case where
3389 we want to remove all bindings. Update "uncertainty" logic to
3390 only record maybe-bound values for cases where there is a symbolic
3391 write involved.
3392 (binding_cluster::mark_region_as_unknown): Split param "reg" into
3393 "reg_to_bind" and "reg_for_overlap".
3394 (binding_cluster::maybe_get_compound_binding): Pass "false" to
3395 binding_map::remove_overlapping_bindings new "always_overlap" param.
3396 (binding_cluster::remove_overlapping_bindings): Determine
3397 "always_overlap" and pass it to
3398 binding_map::remove_overlapping_bindings.
3399 (store::set_value): Pass uncertainty to remove_overlapping_bindings
3400 call. Update for new param of
3401 binding_cluster::mark_region_as_unknown, passing both the base
3402 region of the iter_cluster, and the lhs_reg.
3403 (store::mark_region_as_unknown): Update for new param of
3404 binding_cluster::mark_region_as_unknown, passing "reg" for both.
3405 (store::remove_overlapping_bindings): Add param "uncertainty", and
3406 pass it on to call to
3407 binding_cluster::remove_overlapping_bindings.
3408 * store.h (binding_map::remove_overlapping_bindings): Add
3409 "always_overlap" param.
3410 (binding_cluster::mark_region_as_unknown): Split param "reg" into
3411 "reg_to_bind" and "reg_for_overlap".
3412 (store::remove_overlapping_bindings): Add param "uncertainty".
3413
9f774626
GA
34142022-03-29 David Malcolm <dmalcolm@redhat.com>
3415
3416 PR testsuite/105085
3417 * region-model-manager.cc (dump_untracked_region): Skip decls in
3418 the constant pool.
3419
34202022-03-29 David Malcolm <dmalcolm@redhat.com>
3421
3422 PR analyzer/105087
3423 * analyzer.h (class conjured_purge): New forward decl.
3424 * region-model-asm.cc (region_model::on_asm_stmt): Add
3425 conjured_purge param to calls binding_cluster::on_asm and
3426 region_model_manager::get_or_create_conjured_svalue.
3427 * region-model-impl-calls.cc
3428 (call_details::get_or_create_conjured_svalue): Likewise for call
3429 to region_model_manager::get_or_create_conjured_svalue.
3430 (region_model::impl_call_fgets): Remove call to
3431 region_model::purge_state_involving, as this is now done
3432 implicitly by call_details::get_or_create_conjured_svalue.
3433 (region_model::impl_call_fread): Likewise.
3434 (region_model::impl_call_strchr): Pass conjured_purge param to
3435 call to region_model_manager::get_or_create_conjured_svalue.
3436 * region-model-manager.cc (conjured_purge::purge): New.
3437 (region_model_manager::get_or_create_conjured_svalue): Add
3438 param "p". Use it to purge state when reusing an existing
3439 conjured_svalue.
3440 * region-model.cc (region_model::on_call_pre): Replace call to
3441 region_model::purge_state_involving with passing conjured_purge
3442 to region_model_manager::get_or_create_conjured_svalue.
3443 (region_model::handle_unrecognized_call): Pass conjured_purge to
3444 store::on_unknown_fncall.
3445 * region-model.h
3446 (region_model_manager::get_or_create_conjured_svalue): Add param
3447 "p".
3448 * store.cc (binding_cluster::on_unknown_fncall): Likewise. Pass
3449 it on to region_model_manager::get_or_create_conjured_svalue.
3450 (binding_cluster::on_asm): Likewise.
3451 (store::on_unknown_fncall): Add param "p" and pass it on to
3452 binding_cluster::on_unknown_fncall.
3453 * store.h (binding_cluster::on_unknown_fncall): Add param p.
3454 (binding_cluster::on_asm): Likewise.
3455 (store::on_unknown_fncall): Likewise.
3456 * svalue.h (class conjured_purge): New.
3457
34582022-03-29 David Malcolm <dmalcolm@redhat.com>
3459
3460 PR analyzer/105074
3461 * region.cc (ipa_ref_requires_tracking): Drop "context_fndecl",
3462 instead using the ref->referring to get the cgraph node of the
3463 caller.
3464 (symnode_requires_tracking_p): Likewise.
3465
d2906412
GA
34662022-03-26 David Malcolm <dmalcolm@redhat.com>
3467
3468 PR analyzer/105057
3469 * store.cc (binding_cluster::make_unknown_relative_to): Reject
3470 attempts to create a cluster for untracked base regions.
3471 (store::set_value): Likewise.
3472 (store::fill_region): Likewise.
3473 (store::mark_region_as_unknown): Likewise.
3474
31e989a2
GA
34752022-03-25 David Malcolm <dmalcolm@redhat.com>
3476
3477 PR analyzer/104954
3478 * analyzer.opt (-fdump-analyzer-untracked): New option.
3479 * engine.cc (impl_run_checkers): Handle it.
3480 * region-model-asm.cc (region_model::on_asm_stmt): Don't attempt
3481 to clobber regions with !tracked_p ().
3482 * region-model-manager.cc (dump_untracked_region): New.
3483 (region_model_manager::dump_untracked_regions): New.
3484 (frame_region::dump_untracked_regions): New.
3485 * region-model.h (region_model_manager::dump_untracked_regions):
3486 New decl.
3487 * region.cc (ipa_ref_requires_tracking): New.
3488 (symnode_requires_tracking_p): New.
3489 (decl_region::calc_tracked_p): New.
3490 * region.h (region::tracked_p): New vfunc.
3491 (frame_region::dump_untracked_regions): New decl.
3492 (class decl_region): Note that this is also used fo SSA names.
3493 (decl_region::decl_region): Initialize m_tracked.
3494 (decl_region::tracked_p): New.
3495 (decl_region::calc_tracked_p): New decl.
3496 (decl_region::m_tracked): New.
3497 * store.cc (store::get_or_create_cluster): Assert that we
3498 don't try to create clusters for base regions that aren't
3499 trackable.
3500 (store::mark_as_escaped): Don't mark base regions that we're not
3501 tracking.
3502
d1ca63a1
GA
2022-03-23 David Malcolm <dmalcolm@redhat.com>

	PR analyzer/104979
	* engine.cc (impl_run_checkers): Create the engine after the
	supergraph, and pass the supergraph to the engine.
	* region-model.cc (region_model::get_lvalue_1): Pass ctxt to
	frame_region::get_region_for_local.
	(region_model::update_for_return_gcall): Pass the lvalue for the
	result to pop_frame as a tree, rather than as a region.
	(region_model::pop_frame): Update for above change, determining
	the destination region after the frame is popped and thus with
	respect to the caller frame rather than the called frame.
	Likewise, set the value of the region to the return value after
	the frame is popped.
	(engine::engine): Add supergraph pointer.
	(selftest::test_stack_frames): Set the DECL_CONTEXT of PARM_DECLs.
	(selftest::test_get_representative_path_var): Likewise.
	(selftest::test_state_merging): Likewise.
	* region-model.h (region_model::pop_frame): Convert first param
	from a const region * to a tree.
	(engine::engine): Add param "sg".
	(engine::m_sg): New field.
	* region.cc: Include "analyzer/sm.h" and
	"analyzer/program-state.h".
	(frame_region::get_region_for_local): Add "ctxt" param.
	Add assertions that VAR_DECLs are locals, and that expr is for the
	correct function.
	* region.h (frame_region::get_region_for_local): Add "ctxt" param.

2022-03-23 David Malcolm <dmalcolm@redhat.com>

	PR analyzer/105017
	* sm-taint.cc (taint_diagnostic::subclass_equal_p): Check
	m_has_bounds as well as m_arg.
	(tainted_allocation_size::subclass_equal_p): Chain up to base
	class implementation. Also check m_mem_space.
	(tainted_allocation_size::emit): Add note showing stack-based vs
	heap-based allocations.

2022-03-23 David Malcolm <dmalcolm@redhat.com>

	PR analyzer/104997
	* diagnostic-manager.cc (diagnostic_manager::add_diagnostic):
	Convert return type from "void" to "bool", reporting success vs
	failure to caller, for both overloads.
	* diagnostic-manager.h (diagnostic_manager::add_diagnostic):
	Likewise.
	* engine.cc (impl_region_model_context::warn): Propagate return
	value from diagnostic_manager::add_diagnostic.

2022-03-18 David Malcolm <dmalcolm@redhat.com>

	PR analyzer/104943
	PR analyzer/104954
	PR analyzer/103533
	* analyzer.h (class state_purge_per_decl): New forward decl.
	* engine.cc (impl_run_checkers): Pass region_model_manager to
	state_purge_map ctor.
	* program-point.cc (function_point::final_stmt_p): New.
	(function_point::get_next): New.
	* program-point.h (function_point::final_stmt_p): New decl.
	(function_point::get_next): New decl.
	* program-state.cc (program_state::prune_for_point): Generalize to
	purge local decls as well as SSA names.
	(program_state::can_purge_base_region_p): New.
	* program-state.h (program_state::can_purge_base_region_p): New
	decl.
	* region-model.cc (struct append_ssa_names_cb_data): Rename to...
	(struct append_regions_cb_data): ...this.
	(region_model::get_ssa_name_regions_for_current_frame): Rename
	to...
	(region_model::get_regions_for_current_frame): ...this, updating
	for other renamings.
	(region_model::append_ssa_names_cb): Rename to...
	(region_model::append_regions_cb): ...this, and drop the requirement
	that the subregion be a SSA name.
	* region-model.h (struct append_ssa_names_cb_data): Rename decl
	to...
	(struct append_regions_cb_data): ...this.
	(region_model::get_ssa_name_regions_for_current_frame): Rename
	decl to...
	(region_model::get_regions_for_current_frame): ...this.
	(region_model::append_ssa_names_cb): Rename decl to...
	(region_model::append_regions_cb): ...this.
	* state-purge.cc: Include "tristate.h", "selftest.h",
	"analyzer/store.h", "analyzer/region-model.h", and
	"gimple-walk.h".
	(get_candidate_for_purging): New.
	(class gimple_op_visitor): New.
	(my_load_cb): New.
	(my_store_cb): New.
	(my_addr_cb): New.
	(state_purge_map::state_purge_map): Add "mgr" param. Update for
	renamings. Find uses of local variables.
	(state_purge_map::~state_purge_map): Update for renaming of m_map
	to m_ssa_map. Clean up m_decl_map.
	(state_purge_map::get_or_create_data_for_decl): New.
	(state_purge_per_ssa_name::state_purge_per_ssa_name): Update for
	inheriting from state_purge_per_tree.
	(state_purge_per_ssa_name::add_to_worklist): Likewise.
	(state_purge_per_decl::state_purge_per_decl): New.
	(state_purge_per_decl::add_needed_at): New.
	(state_purge_per_decl::add_pointed_to_at): New.
	(state_purge_per_decl::process_worklists): New.
	(state_purge_per_decl::add_to_worklist): New.
	(same_binding_p): New.
	(fully_overwrites_p): New.
	(state_purge_per_decl::process_point_backwards): New.
	(state_purge_per_decl::process_point_forwards): New.
	(state_purge_per_decl::needed_at_point_p): New.
	(state_purge_annotator::print_needed): Generalize to print local
	decls as well as SSA names.
	* state-purge.h (class state_purge_map): Update leading comment.
	(state_purge_map::map_t): Rename to...
	(state_purge_map::ssa_map_t): ...this.
	(state_purge_map::iterator): Rename to...
	(state_purge_map::ssa_iterator): ...this.
	(state_purge_map::decl_map_t): New typedef.
	(state_purge_map::decl_iterator): New typedef.
	(state_purge_map::state_purge_map): Add "mgr" param.
	(state_purge_map::get_data_for_ssa_name): Update for renaming.
	(state_purge_map::get_any_data_for_decl): New.
	(state_purge_map::get_or_create_data_for_decl): New decl.
	(state_purge_map::begin): Rename to...
	(state_purge_map::begin_ssas): ...this.
	(state_purge_map::end): Rename to...
	(state_purge_map::end_ssa): ...this.
	(state_purge_map::begin_decls): New.
	(state_purge_map::end_decls): New.
	(state_purge_map::m_map): Rename to...
	(state_purge_map::m_ssa_map): ...this.
	(state_purge_map::m_decl_map): New field.
	(class state_purge_per_tree): New class.
	(class state_purge_per_ssa_name): Inherit from state_purge_per_tree.
	(state_purge_per_ssa_name::get_function): Move to base class.
	(state_purge_per_ssa_name::point_set_t): Likewise.
	(state_purge_per_ssa_name::m_fun): Likewise.
	(class state_purge_per_decl): New.

2022-03-17 David Malcolm <dmalcolm@redhat.com>

	* state-purge.cc (state_purge_annotator::add_node_annotations):
	Avoid duplicate before-supernode annotations when returning from
	an interprocedural call. Show after-supernode annotations.

2022-03-17 David Malcolm <dmalcolm@redhat.com>

	* program-point.cc (program_point::get_next): Fix missing
	increment of index.

2022-03-16 David Malcolm <dmalcolm@redhat.com>

	PR analyzer/104955
	* diagnostic-manager.cc (get_emission_location): New.
	(diagnostic_manager::diagnostic_manager): Initialize
	m_num_disabled_diagnostics.
	(diagnostic_manager::add_diagnostic): Reject diagnostics that
	will eventually be rejected due to being disabled.
	(diagnostic_manager::emit_saved_diagnostics): Log the number
	of disabled diagnostics.
	(diagnostic_manager::emit_saved_diagnostic): Split out logic for
	determining emission location to get_emission_location.
	* diagnostic-manager.h
	(diagnostic_manager::m_num_disabled_diagnostics): New field.
	* engine.cc (stale_jmp_buf::get_controlling_option): New.
	(stale_jmp_buf::emit): Use it.
	* pending-diagnostic.h
	(pending_diagnostic::get_controlling_option): New vfunc.
	* region-model.cc
	(poisoned_value_diagnostic::get_controlling_option): New.
	(poisoned_value_diagnostic::emit): Use it.
	(shift_count_negative_diagnostic::get_controlling_option): New.
	(shift_count_negative_diagnostic::emit): Use it.
	(shift_count_overflow_diagnostic::get_controlling_option): New.
	(shift_count_overflow_diagnostic::emit): Use it.
	(dump_path_diagnostic::get_controlling_option): New.
	(dump_path_diagnostic::emit): Use it.
	(write_to_const_diagnostic::get_controlling_option): New.
	(write_to_const_diagnostic::emit): Use it.
	(write_to_string_literal_diagnostic::get_controlling_option): New.
	(write_to_string_literal_diagnostic::emit): Use it.
	* sm-file.cc (double_fclose::get_controlling_option): New.
	(double_fclose::emit): Use it.
	(file_leak::get_controlling_option): New.
	(file_leak::emit): Use it.
	* sm-malloc.cc (mismatching_deallocation::get_controlling_option):
	New.
	(mismatching_deallocation::emit): Use it.
	(double_free::get_controlling_option): New.
	(double_free::emit): Use it.
	(possible_null_deref::get_controlling_option): New.
	(possible_null_deref::emit): Use it.
	(possible_null_arg::get_controlling_option): New.
	(possible_null_arg::emit): Use it.
	(null_deref::get_controlling_option): New.
	(null_deref::emit): Use it.
	(null_arg::get_controlling_option): New.
	(null_arg::emit): Use it.
	(use_after_free::get_controlling_option): New.
	(use_after_free::emit): Use it.
	(malloc_leak::get_controlling_option): New.
	(malloc_leak::emit): Use it.
	(free_of_non_heap::get_controlling_option): New.
	(free_of_non_heap::emit): Use it.
	* sm-pattern-test.cc (pattern_match::get_controlling_option): New.
	(pattern_match::emit): Use it.
	* sm-sensitive.cc
	(exposure_through_output_file::get_controlling_option): New.
	(exposure_through_output_file::emit): Use it.
	* sm-signal.cc (signal_unsafe_call::get_controlling_option): New.
	(signal_unsafe_call::emit): Use it.
	* sm-taint.cc (tainted_array_index::get_controlling_option): New.
	(tainted_array_index::emit): Use it.
	(tainted_offset::get_controlling_option): New.
	(tainted_offset::emit): Use it.
	(tainted_size::get_controlling_option): New.
	(tainted_size::emit): Use it.
	(tainted_divisor::get_controlling_option): New.
	(tainted_divisor::emit): Use it.
	(tainted_allocation_size::get_controlling_option): New.
	(tainted_allocation_size::emit): Use it.

2022-03-15 David Malcolm <dmalcolm@redhat.com>

	* store.cc (store::store): Presize m_cluster_map.

2022-03-10 David Malcolm <dmalcolm@redhat.com>

	PR analyzer/104863
	* constraint-manager.cc (constraint_manager::add_constraint):
	Refresh the EC IDs when adding constraints implied by offsets.

2022-03-10 David Malcolm <dmalcolm@redhat.com>

	PR analyzer/104793
	* analyzer.h (class pending_note): New forward decl.
	* diagnostic-manager.cc (saved_diagnostic::saved_diagnostic):
	Initialize m_notes.
	(saved_diagnostic::operator==): Compare m_notes.
	(saved_diagnostic::add_note): New.
	(saved_diagnostic::emit_any_notes): New.
	(diagnostic_manager::add_note): New.
	(diagnostic_manager::emit_saved_diagnostic): Call emit_any_notes
	after emitting the warning.
	* diagnostic-manager.h (saved_diagnostic::add_note): New decl.
	(saved_diagnostic::emit_any_notes): New decl.
	(saved_diagnostic::m_notes): New field.
	(diagnostic_manager::add_note): New decl.
	* engine.cc (impl_region_model_context::add_note): New.
	* exploded-graph.h (impl_region_model_context::add_note): New
	decl.
	* pending-diagnostic.h (class pending_note): New.
	(class pending_note_subclass): New template.
	* region-model.cc (class reason_attr_access): New.
	(check_external_function_for_access_attr): Add class
	annotating_ctxt and use it when checking region.
	(noop_region_model_context::add_note): New.
	* region-model.h (region_model_context::add_note): New vfunc.
	(noop_region_model_context::add_note): New decl.
	(class region_model_context_decorator): New.
	(class note_adding_context): New.

2022-03-10 David Malcolm <dmalcolm@redhat.com>

	PR analyzer/104793
	* region-model.cc
	(region_model::check_external_function_for_access_attr): New.
	(region_model::handle_unrecognized_call): Call it.
	* region-model.h
	(region_model::check_external_function_for_access_attr): New decl.
	(region_model::handle_unrecognized_call): New decl.

2022-03-10 David Malcolm <dmalcolm@redhat.com>

	* sm-taint.cc (taint_state_machine::check_for_tainted_size_arg):
	Avoid generating duplicate saved_diagnostics by only handling the
	rdwr_map entry for the ptrarg, not the duplicate entry for the
	sizarg.

2022-03-07 David Malcolm <dmalcolm@redhat.com>

	PR analyzer/101983
	* engine.cc (returning_from_function_p): New.
	(impl_region_model_context::on_state_leak): Use it when rejecting
	leaks at the return from "main".

2022-03-07 Jakub Jelinek <jakub@redhat.com>

	* store.cc: Fix up duplicated word issue in a comment.
	* analyzer.cc: Likewise.
	* engine.cc: Likewise.
	* sm-taint.cc: Likewise.

2022-03-04 David Malcolm <dmalcolm@redhat.com>

	PR analyzer/103521
	* analyzer.opt (-param=analyzer-max-svalue-depth=): Reduce from 13
	to 12.

2022-02-23 David Malcolm <dmalcolm@redhat.com>

	PR analyzer/104434
	* analyzer.h (class const_fn_result_svalue): New decl.
	* region-model-impl-calls.cc (call_details::get_manager): New.
	* region-model-manager.cc
	(region_model_manager::get_or_create_const_fn_result_svalue): New.
	(region_model_manager::log_stats): Log
	m_const_fn_result_values_map.
	* region-model.cc (const_fn_p): New.
	(maybe_get_const_fn_result): New.
	(region_model::on_call_pre): Handle fndecls with
	__attribute__((const)) by calling the above rather than making
	a conjured_svalue.
	* region-model.h (visitor::visit_const_fn_result_svalue): New.
	(region_model_manager::get_or_create_const_fn_result_svalue): New
	decl.
	(region_model_manager::const_fn_result_values_map_t): New typedef.
	(region_model_manager::m_const_fn_result_values_map): New field.
	(call_details::get_manager): New decl.
	* svalue.cc (svalue::cmp_ptr): Handle SK_CONST_FN_RESULT.
	(const_fn_result_svalue::dump_to_pp): New.
	(const_fn_result_svalue::dump_input): New.
	(const_fn_result_svalue::accept): New.
	* svalue.h (enum svalue_kind): Add SK_CONST_FN_RESULT.
	(svalue::dyn_cast_const_fn_result_svalue): New.
	(class const_fn_result_svalue): New.
	(is_a_helper <const const_fn_result_svalue *>::test): New.
	(template <> struct default_hash_traits<const_fn_result_svalue::key_t>):
	New.

2022-02-17 David Malcolm <dmalcolm@redhat.com>

	PR analyzer/104576
	* region-model.cc: Include "calls.h".
	(region_model::on_call_pre): Use flags_from_decl_or_type to
	generalize check for DECL_PURE_P to also check for ECF_CONST.

2022-02-16 David Malcolm <dmalcolm@redhat.com>

	PR analyzer/104560
	* diagnostic-manager.cc (diagnostic_manager::build_emission_path):
	Add region creation events for globals of interest.
	(null_assignment_sm_context::get_old_program_state): New.
	(diagnostic_manager::add_events_for_eedge): Move check for
	changing dynamic extents from PK_BEFORE_STMT case to after the
	switch on the dst_point's kind so that we can emit them for the
	final stmt in a basic block.
	* engine.cc (impl_sm_context::get_old_program_state): New.
	* sm-malloc.cc (malloc_state_machine::get_default_state): Rewrite
	detection of m_non_heap to use get_memory_space.
	(free_of_non_heap::free_of_non_heap): Add freed_reg param.
	(free_of_non_heap::subclass_equal_p): Update for changes to
	fields.
	(free_of_non_heap::emit): Drop m_kind in favor of
	get_memory_space.
	(free_of_non_heap::describe_state_change): Remove logic for
	detecting alloca.
	(free_of_non_heap::mark_interesting_stuff): Add region-creation of
	m_freed_reg.
	(free_of_non_heap::get_memory_space): New.
	(free_of_non_heap::kind): Drop enum.
	(free_of_non_heap::m_freed_reg): New field.
	(free_of_non_heap::m_kind): Drop field.
	(malloc_state_machine::on_stmt): Drop transition to m_non_heap.
	(malloc_state_machine::handle_free_of_non_heap): New function,
	split out from on_deallocator_call and on_realloc_call, adding
	detection of the freed region.
	(malloc_state_machine::on_deallocator_call): Use it.
	(malloc_state_machine::on_realloc_call): Likewise.
	* sm.h (sm_context::get_old_program_state): New vfunc.

2022-02-15 David Malcolm <dmalcolm@redhat.com>

	PR analyzer/104524
	* region-model-manager.cc
	(region_model_manager::maybe_fold_sub_svalue): Only call
	get_or_create_cast if type is non-NULL.

2022-02-15 David Malcolm <dmalcolm@redhat.com>

	PR analyzer/102692
	* exploded-graph.h (impl_region_model_context::get_stmt): New.
	* region-model.cc: Include "gimple-ssa.h", "tree-phinodes.h",
	"tree-ssa-operands.h", and "ssa-iterators.h".
	(within_short_circuited_stmt_p): New.
	(region_model::check_for_poison): Don't warn about uninit values
	if within_short_circuited_stmt_p.
	* region-model.h (region_model_context::get_stmt): New vfunc.
	(noop_region_model_context::get_stmt): New.

2022-02-11 David Malcolm <dmalcolm@redhat.com>

	PR analyzer/104274
	* region-model.cc (region_model::check_for_poison): Ignore
	uninitialized uses of empty types.

2022-02-10 David Malcolm <dmalcolm@redhat.com>

	PR analyzer/98797
	* region-model-manager.cc
	(region_model_manager::maybe_fold_sub_svalue): Generalize getting
	individual chars of a STRING_CST from element_region to any
	subregion which is a concrete access of a single byte from its
	parent region.
	* region.cc (region::get_relative_concrete_byte_range): New.
	* region.h (region::get_relative_concrete_byte_range): New decl.

2022-02-09 David Malcolm <dmalcolm@redhat.com>

	PR analyzer/104452
	* region-model.cc (selftest::test_bit_range_regions): New.
	(selftest::analyzer_region_model_cc_tests): Call it.
	* region.h (bit_range_region::key_t::hash): Fix hashing of m_bits
	to avoid using uninitialized data.

2022-02-07 David Malcolm <dmalcolm@redhat.com>

	PR analyzer/104417
	* sm-taint.cc (tainted_allocation_size::tainted_allocation_size):
	Remove overzealous assertion.
	(tainted_allocation_size::emit): Likewise.
	(region_model::check_dynamic_size_for_taint): Likewise.

2022-02-07 David Malcolm <dmalcolm@redhat.com>

	PR analyzer/103872
	* region-model-impl-calls.cc (region_model::impl_call_memcpy):
	Reimplement in terms of a get_store_value followed by a set_value.

2022-02-03 David Malcolm <dmalcolm@redhat.com>

	PR analyzer/104369
	* engine.cc (exploded_graph::process_node): Use the node for any
	diagnostics, avoiding ICE if a bifurcation update adds a
	saved_diagnostic, such as for a tainted realloc size.
	* region-model-impl-calls.cc
	(region_model::impl_call_realloc::success_no_move::update_model):
	Require the old pointer to be non-NULL to be able to successfully
	grow in place. Use model->deref_rvalue rather than maybe_get_region
	to support the old pointer being symbolic.
	(region_model::impl_call_realloc::success_with_move::update_model):
	Likewise. Add a constraint that the new pointer != the old pointer.
	Use a sized_region when setting the value of the new region.
	Handle the case where we don't know the dynamic size of the old
	region by marking the new region as unknown.
	* sm-taint.cc (tainted_allocation_size::tainted_allocation_size):
	Update assertion to also allow for MEMSPACE_UNKNOWN.
	(tainted_allocation_size::emit): Likewise.
	(region_model::check_dynamic_size_for_taint): Likewise.

2022-02-03 David Malcolm <dmalcolm@redhat.com>

	* region-model-impl-calls.cc (region_model::impl_call_calloc): Use
	a sized_region when calling zero_fill_region.

2022-02-02 David Malcolm <dmalcolm@redhat.com>

	* region-model.cc (region_model::on_return): Replace usage of
	copy_region with get_rvalue/set_value pair.
	(region_model::pop_frame): Likewise.
	(selftest::test_compound_assignment): Likewise.
	* region-model.h (region_model::copy_region): Delete decl.
	* region.cc (region_model::copy_region): Delete.

2022-02-02 David Malcolm <dmalcolm@redhat.com>

	* region.cc (region::calc_offset): Consolidate effectively
	identical cases.

2022-02-02 David Malcolm <dmalcolm@redhat.com>

	* analyzer.h (class bit_range_region): New forward decl.
	* region-model-manager.cc (region_model_manager::get_bit_range):
	New.
	(region_model_manager::log_stats): Handle m_bit_range_regions.
	* region-model.cc (region_model::get_lvalue_1): Handle
	BIT_FIELD_REF.
	* region-model.h (region_model_manager::get_bit_range): New decl.
	(region_model_manager::m_bit_range_regions): New field.
	* region.cc (region::get_base_region): Handle RK_BIT_RANGE.
	(region::base_region_p): Likewise.
	(region::calc_offset): Likewise.
	(bit_range_region::dump_to_pp): New.
	(bit_range_region::get_byte_size): New.
	(bit_range_region::get_bit_size): New.
	(bit_range_region::get_byte_size_sval): New.
	(bit_range_region::get_relative_concrete_offset): New.
	* region.h (enum region_kind): Add RK_BIT_RANGE.
	(region::dyn_cast_bit_range_region): New vfunc.
	(class bit_range_region): New.
	(is_a_helper <const bit_range_region *>::test): New.
	(default_hash_traits<bit_range_region::key_t>): New.

2022-02-02 David Malcolm <dmalcolm@redhat.com>

	PR analyzer/104270
	* region-model.cc (region_model::on_call_pre): Handle
	IFN_DEFERRED_INIT.

2022-01-27 David Malcolm <dmalcolm@redhat.com>

	* checker-path.cc (event_kind_to_string): Handle
	EK_REGION_CREATION.
	(region_creation_event::region_creation_event): New.
	(region_creation_event::get_desc): New.
	(checker_path::add_region_creation_event): New.
	* checker-path.h (enum event_kind): Add EK_REGION_CREATION.
	(class region_creation_event): New subclass.
	(checker_path::add_region_creation_event): New decl.
	* diagnostic-manager.cc
	(diagnostic_manager::emit_saved_diagnostic): Pass NULL for new
	param to add_events_for_eedge when handling trailing eedge.
	(diagnostic_manager::build_emission_path): Create an interesting_t
	instance, allow the pending diagnostic to populate it, and pass it
	to the calls to add_events_for_eedge.
	(diagnostic_manager::add_events_for_eedge): Add "interest" param.
	Use it to add region_creation_events for on-stack regions created
	within at function entry, and when pertinent dynamically-sized
	regions are created.
	(diagnostic_manager::prune_for_sm_diagnostic): Add case for
	EK_REGION_CREATION.
	* diagnostic-manager.h (diagnostic_manager::add_events_for_eedge):
	Add "interest" param.
	* pending-diagnostic.cc: Include "selftest.h", "tristate.h",
	"analyzer/call-string.h", "analyzer/program-point.h",
	"analyzer/store.h", and "analyzer/region-model.h".
	(interesting_t::add_region_creation): New.
	(interesting_t::dump_to_pp): New.
	* pending-diagnostic.h (struct interesting_t): New.
	(pending_diagnostic::mark_interesting_stuff): New vfunc.
	* region-model.cc
	(poisoned_value_diagnostic::poisoned_value_diagnostic): Add
	(poisoned_value_diagnostic::operator==): Compare m_pkind and
	m_src_region fields.
	(poisoned_value_diagnostic::mark_interesting_stuff): New.
	(poisoned_value_diagnostic::m_src_region): New.
	(region_model::check_for_poison): Call
	get_region_for_poisoned_expr for uninit values and pass the result
	to the diagnostic.
	(region_model::get_region_for_poisoned_expr): New.
	(region_model::deref_rvalue): Pass NULL for
	poisoned_value_diagnostic's src_region.
	* region-model.h (region_model::get_region_for_poisoned_expr): New
	decl.
	* region.h (frame_region::get_fndecl): New.

2022-01-27 Martin Liska <mliska@suse.cz>

	PR analyzer/104247
	* constraint-manager.cc (bounded_ranges_manager::log_stats):
	Cast to long for format purpose.
	* region-model-manager.cc (log_uniq_map): Likewise.

2022-01-26 David Malcolm <dmalcolm@redhat.com>

	PR analyzer/104224
	* region-model.cc (region_model::check_call_args): New.
	(region_model::on_call_pre): Call it when ignoring stdio builtins.
	* region-model.h (region_model::check_call_args): New decl.

2022-01-26 David Malcolm <dmalcolm@redhat.com>

	PR analyzer/94362
	* constraint-manager.cc (range::add_bound): Fix tests for
	discarding redundant constraints. Perform test for rejecting
	unsatisfiable constraints earlier so that they don't update
	the object on failure.
	(selftest::test_range): New.
	(selftest::test_constant_comparisons): Add test coverage for
	existing constraints becoming narrower until they are
	unsatisfiable.
	(selftest::run_constraint_manager_tests): Call test_range.

2022-01-22 David Malcolm <dmalcolm@redhat.com>

	PR analyzer/104159
	* region-model-manager.cc
	(region_model_manager::get_or_create_cast): Bail out if the types
	are the same. Don't attempt to handle casts involving vector
	types.

2022-01-20 David Malcolm <dmalcolm@redhat.com>

	PR analyzer/94362
	* constraint-manager.cc (bound::ensure_closed): Convert param to
	enum bound_kind.
	(range::constrained_to_single_element): Likewise.
	(range::add_bound): New.
	(constraint_manager::add_constraint): Handle SVAL + OFFSET
	compared to a constant.
	(constraint_manager::get_ec_bounds): Rewrite in terms of
	range::add_bound.
	(constraint_manager::eval_condition): Reject if range::add_bound
	fails.
	(selftest::test_constant_comparisons): Add test coverage for
	various impossible combinations of integer comparisons.
	* constraint-manager.h (enum bound_kind): New.
	(struct bound): Likewise.
	(bound::ensure_closed): Convert param to enum bound_kind.
	(struct range): Convert to...
	(class range): ...this, making fields private.
	(range::add_bound): New decls.
	* region-model.cc (region_model::add_constraint): Fail if
	constraint_manager::add_constraint fails.

41082022-01-18 David Malcolm <dmalcolm@redhat.com>
4109
4110 PR analyzer/104089
4111 * region-model-manager.cc
4112 (region_model_manager::get_or_create_constant_svalue): Assert that
4113 we have a CONSTANT_CLASS_P.
4114 (region_model_manager::maybe_fold_unaryop): Only fold a constant
4115 when fold_unary's result is a constant or a cast of a constant.
4116
41172022-01-18 David Malcolm <dmalcolm@redhat.com>
4118
4119 PR analyzer/104062
4120 * region-model-manager.cc
4121 (region_model_manager::maybe_fold_sub_svalue): Avoid casting to
4122 NULL type when folding access to repeated svalue.
4123
fc829782
GA
41242022-01-17 Martin Liska <mliska@suse.cz>
4125
4126 * analyzer.cc (is_special_named_call_p): Rename .c names to .cc.
4127 (is_named_call_p): Likewise.
4128 * region-model-asm.cc (deterministic_p): Likewise.
4129 * region.cc (field_region::get_relative_concrete_offset): Likewise.
4130 * sm-malloc.cc (method_p): Likewise.
4131 * supergraph.cc (superedge::dump_dot): Likewise.
4132
617db51d
GA
41332022-01-14 David Malcolm <dmalcolm@redhat.com>
4134
4135 * sm-taint.cc (taint_state_machine::combine_states): Handle combination
4136 of has_ub and has_lb.
4137
41382022-01-14 David Malcolm <dmalcolm@redhat.com>
4139
4140 PR analyzer/104029
4141 * sm-taint.cc (taint_state_machine::alt_get_inherited_state):
4142 Remove gcc_unreachable from default case for unary ops.
4143
41442022-01-14 David Malcolm <dmalcolm@redhat.com>
4145
4146 * engine.cc: Include "stringpool.h", "attribs.h", and
4147 "tree-dfa.h".
4148 (mark_params_as_tainted): New.
4149 (class tainted_args_function_custom_event): New.
4150 (class tainted_args_function_info): New.
4151 (exploded_graph::add_function_entry): Handle functions with
4152 "tainted_args" attribute.
4153 (class tainted_args_field_custom_event): New.
4154 (class tainted_args_callback_custom_event): New.
4155 (class tainted_args_call_info): New.
4156 (add_tainted_args_callback): New.
4157 (add_any_callbacks): New.
4158 (exploded_graph::build_initial_worklist): Likewise.
4159 (exploded_graph::build_initial_worklist): Find callbacks that are
4160 reachable from global initializers, calling add_any_callbacks on
4161 them.
4162
02a8a01b
GA
41632022-01-12 David Malcolm <dmalcolm@redhat.com>
4164
4165 PR analyzer/103940
4166 * engine.cc (impl_sm_context::impl_sm_context): Add
4167 "unknown_side_effects" param and use it to initialize
4168 new m_unknown_side_effects field.
4169 (impl_sm_context::unknown_side_effects_p): New.
4170 (impl_sm_context::m_unknown_side_effects): New.
4171 (exploded_node::on_stmt): Pass unknown_side_effects to sm_ctxt
4172 ctor.
4173 * sm-taint.cc: Include "stringpool.h" and "attribs.h".
4174 (tainted_size::tainted_size): Drop "dir" param.
4175 (tainted_size::get_kind): Drop "FINAL".
4176 (tainted_size::emit): Likewise.
4177 (tainted_size::m_dir): Drop unused field.
4178 (class tainted_access_attrib_size): New subclass.
4179 (taint_state_machine::on_stmt): Call check_for_tainted_size_arg on
4180 external functions with unknown side effects.
4181 (taint_state_machine::check_for_tainted_size_arg): New.
4182 (region_model::check_region_for_taint): Drop "dir" param from
4183 tainted_size ctor.
4184 * sm.h (sm_context::unknown_side_effects_p): New.
4185
01a254e3
GA
41862022-01-11 David Malcolm <dmalcolm@redhat.com>
4187
4188 PR analyzer/102692
4189 * diagnostic-manager.cc
4190 (class auto_disable_complexity_checks): Rename to...
4191 (class auto_checking_feasibility): ...this, updating
4192 the calls accordingly.
4193 (epath_finder::explore_feasible_paths): Update for renaming.
4194 * region-model-manager.cc
4195 (region_model_manager::region_model_manager): Update for change from
4196 m_check_complexity to m_checking_feasibility.
4197 (region_model_manager::reject_if_too_complex): Likewise.
4198 (region_model_manager::get_or_create_unknown_svalue): Handle
4199 m_checking_feasibility.
4200 (region_model_manager::create_unique_svalue): New.
4201 (region_model_manager::maybe_fold_binop): Handle BIT_AND_EXPR and
4202 BIT_IOR_EXPRs on booleans where we know the result.
4203 * region-model.cc (test_binop_svalue_folding): Add test coverage
4204 for the above.
4205 * region-model.h (region_model_manager::create_unique_svalue): New
4206 decl.
4207 (region_model_manager::enable_complexity_check): Replace with...
4208 (region_model_manager::begin_checking_feasibility): ...this.
4209 (region_model_manager::disable_complexity_check): Replace with...
4210 (region_model_manager::end_checking_feasibility): ...this.
4211 (region_model_manager::m_check_complexity): Replace with...
4212 (region_model_manager::m_checking_feasibility): ...this.
4213 (region_model_manager::m_managed_dynamic_svalues): New field.
4214
55e96bf9
GA
2022-01-08 David Malcolm <dmalcolm@redhat.com>

	* engine.cc (impl_run_checkers): Pass logger to engine ctor.
	* region-model-manager.cc
	(region_model_manager::region_model_manager): Add logger param and
	use it to initialize m_logger.
	* region-model.cc (engine::engine): New.
	* region-model.h (region_model_manager::region_model_manager):
	Add logger param.
	(region_model_manager::get_logger): New.
	(region_model_manager::m_logger): New field.
	(engine::engine): New.
	* store.cc (store_manager::get_logger): New.
	(store::set_value): Log scope. Log when marking a cluster as
	unknown due to possible aliasing.
	* store.h (store_manager::get_logger): New decl.

2022-01-08 David Malcolm <dmalcolm@redhat.com>

	* region-model-impl-calls.cc (cmp_decls): New.
	(cmp_decls_ptr_ptr): New.
	(region_model::impl_call_analyzer_dump_escaped): New.
	* region-model.cc (region_model::on_stmt_pre): Handle
	__analyzer_dump_escaped.
	* region-model.h (region_model::impl_call_analyzer_dump_escaped):
	New decl.
	* store.h (binding_cluster::get_base_region): New accessor.

2022-01-08 David Malcolm <dmalcolm@redhat.com>

	* region.cc (region::is_named_decl_p): New.
	* region.h (region::is_named_decl_p): New decl.

2022-01-06 David Malcolm <dmalcolm@redhat.com>

	PR analyzer/103546
	* store.cc (store::eval_alias_1): Refactor handling of decl
	regions, adding a test for may_be_aliased, rejecting those for
	which it returns false.

2021-12-12 Jonathan Wakely <jwakely@redhat.com>

	* engine.cc: Define INCLUDE_MEMORY instead of INCLUDE_UNIQUE_PTR.

2021-12-06 David Malcolm <dmalcolm@redhat.com>

	PR analyzer/103533
	* constraint-manager.cc (equiv_class::contains_non_constant_p):
	New.
	(constraint_manager::canonicalize): Call it when determining
	redundant ECs.
	(selftest::test_purging): New selftest.
	(selftest::run_constraint_manager_tests): Likewise.
	* constraint-manager.h (equiv_class::contains_non_constant_p):
	New decl.

2021-12-01 David Malcolm <dmalcolm@redhat.com>

	PR analyzer/102471
	* region-model-reachability.cc (reachable_regions::handle_parm):
	Treat all svalues within a compound parm as reachable, and those
	wrapped in a cast.

2021-11-29 David Malcolm <dmalcolm@redhat.com>

	PR analyzer/103217
	* store.cc (binding_cluster::can_merge_p): For the "key is bound"
	vs "key is not bound" merger case, check that the bound svalue
	is mergeable before merging it to "unknown", rejecting the merger
	otherwise.

2021-11-19 David Malcolm <dmalcolm@redhat.com>

	PR analyzer/103217
	* engine.cc (exploded_graph::get_or_create_node): Pass in
	m_ext_state to program_state::can_merge_with_p.
	(exploded_graph::process_worklist): Likewise.
	(exploded_graph::maybe_process_run_of_before_supernode_enodes):
	Likewise.
	(exploded_graph::process_node): Add missing call to detect_leaks
	when handling phi nodes.
	* program-state.cc (program_state::can_merge_with_p): Add
	"ext_state" param. Pass it and state ptrs to
	region_model::can_merge_with_p.
	(selftest::test_program_state_merging): Update for new ext_state
	param of program_state::can_merge_with_p.
	(selftest::test_program_state_merging_2): Likewise.
	* program-state.h (program_state::can_purge_p): Make const.
	(program_state::can_merge_with_p): Add "ext_state" param.
	* region-model.cc: Include "analyzer/program-state.h".
	(region_model::can_merge_with_p): Add params "ext_state",
	"state_a", and "state_b", use them when creating model_merger
	object.
	(model_merger::mergeable_svalue_p): New.
	* region-model.h (region_model::can_merge_with_p): Add params
	"ext_state", "state_a", and "state_b".
	(model_merger::model_merger): Likewise, initializing new fields.
	(model_merger::mergeable_svalue_p): New decl.
	(model_merger::m_ext_state): New field.
	(model_merger::m_state_a): New field.
	(model_merger::m_state_b): New field.
	* svalue.cc (svalue::can_merge_p): Call
	model_merger::mergeable_svalue_p on both states and reject the
	merger accordingly.

2021-11-17 David Malcolm <dmalcolm@redhat.com>

	PR analyzer/102695
	* region-model-impl-calls.cc (region_model::impl_call_strchr): New.
	* region-model-manager.cc
	(region_model_manager::maybe_fold_unaryop): Simplify cast to
	pointer type of an existing pointer to a region.
	* region-model.cc (region_model::on_call_pre): Handle
	BUILT_IN_STRCHR and "strchr".
	(write_to_const_diagnostic::emit): Add auto_diagnostic_group. Add
	alternate wordings for functions and labels.
	(write_to_const_diagnostic::describe_final_event): Add alternate
	wordings for functions and labels.
	(region_model::check_for_writable_region): Handle RK_FUNCTION and
	RK_LABEL.
	* region-model.h (region_model::impl_call_strchr): New decl.

2021-11-16 David Malcolm <dmalcolm@redhat.com>

	PR analyzer/102662
	* constraint-manager.cc (bounded_range::operator==): Require the
	types to be the same for equality.

2021-11-13 David Malcolm <dmalcolm@redhat.com>

	* analyzer.opt (Wanalyzer-tainted-allocation-size): New.
	(Wanalyzer-tainted-divisor): New.
	(Wanalyzer-tainted-offset): New.
	(Wanalyzer-tainted-size): New.
	* engine.cc (impl_region_model_context::get_taint_map): New.
	* exploded-graph.h (impl_region_model_context::get_taint_map):
	New decl.
	* program-state.cc (sm_state_map::get_state): Call
	alt_get_inherited_state.
	(sm_state_map::impl_set_state): Modify states within
	compound svalues.
	(program_state::impl_call_analyzer_dump_state): Undo casts.
	(selftest::test_program_state_1): Update for new context param of
	create_region_for_heap_alloc.
	(selftest::test_program_state_merging): Likewise.
	* region-model-impl-calls.cc (region_model::impl_call_alloca):
	Likewise.
	(region_model::impl_call_calloc): Likewise.
	(region_model::impl_call_malloc): Likewise.
	(region_model::impl_call_operator_new): Likewise.
	(region_model::impl_call_realloc): Likewise.
	* region-model.cc (region_model::check_region_access): Call
	check_region_for_taint.
	(region_model::get_representative_path_var_1): Handle binops.
	(region_model::create_region_for_heap_alloc): Add "ctxt" param and
	pass it to set_dynamic_extents.
	(region_model::create_region_for_alloca): Likewise.
	(region_model::set_dynamic_extents): Add "ctxt" param and use it
	to call check_dynamic_size_for_taint.
	(selftest::test_state_merging): Update for new context param of
	create_region_for_heap_alloc.
	(selftest::test_malloc_constraints): Likewise.
	(selftest::test_malloc): Likewise.
	(selftest::test_alloca): Likewise for create_region_for_alloca.
	* region-model.h (region_model::create_region_for_heap_alloc): Add
	"ctxt" param.
	(region_model::create_region_for_alloca): Likewise.
	(region_model::set_dynamic_extents): Likewise.
	(region_model::check_dynamic_size_for_taint): New decl.
	(region_model::check_region_for_taint): New decl.
	(region_model_context::get_taint_map): New vfunc.
	(noop_region_model_context::get_taint_map): New.
	* sm-taint.cc: Remove include of "diagnostic-event-id.h"; add
	includes of "gimple-iterator.h", "tristate.h", "selftest.h",
	"ordered-hash-map.h", "cgraph.h", "cfg.h", "digraph.h",
	"analyzer/supergraph.h", "analyzer/call-string.h",
	"analyzer/program-point.h", "analyzer/store.h",
	"analyzer/region-model.h", and "analyzer/program-state.h".
	(enum bounds): Move to top of file.
	(class taint_diagnostic): New.
	(class tainted_array_index): Convert to subclass of taint_diagnostic.
	(tainted_array_index::emit): Add CWE-129. Reword warning to use
	"attacker-controlled" rather than "tainted".
	(tainted_array_index::describe_state_change): Move to
	taint_diagnostic::describe_state_change.
	(tainted_array_index::describe_final_event): Reword to use
	"attacker-controlled" rather than "tainted".
	(class tainted_offset): New.
	(class tainted_size): New.
	(class tainted_divisor): New.
	(class tainted_allocation_size): New.
	(taint_state_machine::alt_get_inherited_state): New.
	(taint_state_machine::on_stmt): In assignment handling, remove
	ARRAY_REF handling in favor of check_region_for_taint. Add
	detection of tainted divisors.
	(taint_state_machine::get_taint): New.
	(taint_state_machine::combine_states): New.
	(region_model::check_region_for_taint): New.
	(region_model::check_dynamic_size_for_taint): New.
	* sm.h (state_machine::alt_get_inherited_state): New.

2021-11-12 David Malcolm <dmalcolm@redhat.com>

	* engine.cc (exploded_node::on_stmt_pre): Return when handling
	"__analyzer_dump_state".

2021-11-11 Richard Biener <rguenther@suse.de>

	* supergraph.cc: Include bitmap.h.

2021-11-04 David Malcolm <dmalcolm@redhat.com>

	* program-state.cc (sm_state_map::dump): Use default_tree_printer
	as format decoder.

2021-09-16 Maxim Blinov <maxim.blinov@embecosm.com>

	PR bootstrap/102242
	* engine.cc (INCLUDE_UNIQUE_PTR): Define.

2021-09-08 David Malcolm <dmalcolm@redhat.com>

	PR analyzer/102225
	* analyzer.h (compat_types_p): New decl.
	* constraint-manager.cc
	(constraint_manager::get_or_add_equiv_class): Guard against NULL
	type when checking for pointer types.
	* region-model-impl-calls.cc (region_model::impl_call_realloc):
	Guard against NULL lhs type/region. Guard against the size value
	not being of a compatible type for dynamic extents.
	* region-model.cc (compat_types_p): Make non-static.

2021-08-30 David Malcolm <dmalcolm@redhat.com>

	PR analyzer/99260
	* analyzer.h (class custom_edge_info): New class, adapted from
	exploded_edge::custom_info_t. Make member functions const.
	Make update_model return bool, converting edge param from
	reference to a pointer, and adding a ctxt param.
	(class path_context): New class.
	* call-info.cc: New file.
	* call-info.h: New file.
	* engine.cc: Include "analyzer/call-info.h" and <memory>.
	(impl_region_model_context::impl_region_model_context): Update for
	new m_path_ctxt field.
	(impl_region_model_context::bifurcate): New.
	(impl_region_model_context::terminate_path): New.
	(impl_region_model_context::get_malloc_map): New.
	(impl_sm_context::impl_sm_context): Update for new m_path_ctxt
	field.
	(impl_sm_context::get_fndecl_for_call): Likewise.
	(impl_sm_context::set_next_state): Likewise.
	(impl_sm_context::warn): Likewise.
	(impl_sm_context::is_zero_assignment): Likewise.
	(impl_sm_context::get_path_context): New.
	(impl_sm_context::m_path_ctxt): New.
	(impl_region_model_context::on_condition): Update for new
	path_ctxt param. Handle m_enode_for_diag being NULL.
	(impl_region_model_context::on_phi): Update for new path_ctxt
	param.
	(exploded_node::on_stmt): Add path_ctxt param, updating ctor calls
	to use it as necessary. Use it to bail out after sm-handling,
	if needed.
	(exploded_node::detect_leaks): Update for new path_ctxt param.
	(dynamic_call_info_t::update_model): Update for conversion of
	exploded_edge::custom_info_t to custom_edge_info.
	(dynamic_call_info_t::add_events_to_path): Likewise.
	(rewind_info_t::update_model): Likewise.
	(rewind_info_t::add_events_to_path): Likewise.
	(exploded_edge::exploded_edge): Likewise.
	(exploded_graph::add_edge): Likewise.
	(exploded_graph::maybe_process_run_of_before_supernode_enodes):
	Update for new path_ctxt param.
	(class impl_path_context): New.
	(exploded_graph::process_node): Update for new path_ctxt param.
	Create an impl_path_context and pass it to exploded_node::on_stmt.
	Use it to terminate iterating stmts if terminate_path is called
	on it. After processing a run of stmts, query path_ctxt to
	potentially terminate the analysis path, and/or to "bifurcate" the
	analysis into multiple additional paths.
	(feasibility_state::maybe_update_for_edge): Update for new
	update_model ctxt param.
	* exploded-graph.h
	(impl_region_model_context::impl_region_model_context): Add
	path_ctxt param.
	(impl_region_model_context::bifurcate): New.
	(impl_region_model_context::terminate_path): New.
	(impl_region_model_context::get_ext_state): New.
	(impl_region_model_context::get_malloc_map): New.
	(impl_region_model_context::m_path_ctxt): New field.
	(exploded_node::on_stmt): Add path_ctxt param.
	(class exploded_edge::custom_info_t): Move to analyzer.h, renaming
	to custom_edge_info, and making the changes as noted in analyzer.h
	above.
	(exploded_edge::exploded_edge): Update for these changes to
	exploded_edge::custom_info_t.
	(exploded_edge::m_custom_info): Likewise.
	(class dynamic_call_info_t): Likewise.
	(class rewind_info_t): Likewise.
	(exploded_graph::add_edge): Likewise.
	* program-state.cc (program_state::on_edge): Update for new
	path_ctxt param.
	(program_state::push_call): Likewise.
	(program_state::returning_call): Likewise.
	(program_state::prune_for_point): Likewise.
	* region-model-impl-calls.cc: Include "analyzer/call-info.h".
	(call_details::get_fndecl_for_call): New.
	(region_model::impl_call_realloc): Reimplement.
	* region-model.cc (region_model::on_call_pre): Move call to
	impl_call_realloc to...
	(region_model::on_call_post): ...here. Consolidate creation
	of call_details instance.
	(noop_region_model_context::bifurcate): New.
	(noop_region_model_context::terminate_path): New.
	* region-model.h (call_details::get_call_stmt): New.
	(call_details::get_fndecl_for_call): New.
	(region_model::on_realloc_with_move): New.
	(region_model_context::bifurcate): New.
	(region_model_context::terminate_path): New.
	(region_model_context::get_ext_state): New.
	(region_model_context::get_malloc_map): New.
	(noop_region_model_context::bifurcate): New.
	(noop_region_model_context::terminate_path): New.
	(noop_region_model_context::get_ext_state): New.
	(noop_region_model_context::get_malloc_map): New.
	* sm-malloc.cc: Include "analyzer/program-state.h".
	(malloc_state_machine::on_realloc_call): Reimplement.
	(malloc_state_machine::on_realloc_with_move): New.
	(region_model::on_realloc_with_move): New.
	* sm-signal.cc (class signal_delivery_edge_info_t): Update for
	conversion from exploded_edge::custom_info_t to custom_edge_info.
	* sm.h (sm_context::get_path_context): New.
	* svalue.cc (svalue::maybe_get_constant): Call
	unwrap_any_unmergeable.

2021-08-25 Ankur Saini <arsenic@sourceware.org>

	PR analyzer/101980
	* engine.cc (exploded_graph::maybe_create_dynamic_call): Don't create
	calls if max recursion limit is reached.

2021-08-23 David Malcolm <dmalcolm@redhat.com>

	* analyzer.h (struct rejected_constraint): Convert to...
	(class rejected_constraint): ...this.
	(class bounded_ranges): New forward decl.
	(class bounded_ranges_manager): New forward decl.
	* constraint-manager.cc: Include "analyzer/analyzer-logging.h" and
	"tree-pretty-print.h".
	(can_plus_one_p): New.
	(plus_one): New.
	(can_minus_one_p): New.
	(minus_one): New.
	(bounded_range::bounded_range): New.
	(dump_cst): New.
	(bounded_range::dump_to_pp): New.
	(bounded_range::dump): New.
	(bounded_range::to_json): New.
	(bounded_range::set_json_attr): New.
	(bounded_range::contains_p): New.
	(bounded_range::intersects_p): New.
	(bounded_range::operator==): New.
	(bounded_range::cmp): New.
	(bounded_ranges::bounded_ranges): New.
	(bounded_ranges::bounded_ranges): New.
	(bounded_ranges::bounded_ranges): New.
	(bounded_ranges::canonicalize): New.
	(bounded_ranges::validate): New.
	(bounded_ranges::operator==): New.
	(bounded_ranges::dump_to_pp): New.
	(bounded_ranges::dump): New.
	(bounded_ranges::to_json): New.
	(bounded_ranges::eval_condition): New.
	(bounded_ranges::contain_p): New.
	(bounded_ranges::cmp): New.
	(bounded_ranges_manager::~bounded_ranges_manager): New.
	(bounded_ranges_manager::get_or_create_empty): New.
	(bounded_ranges_manager::get_or_create_point): New.
	(bounded_ranges_manager::get_or_create_range): New.
	(bounded_ranges_manager::get_or_create_union): New.
	(bounded_ranges_manager::get_or_create_intersection): New.
	(bounded_ranges_manager::get_or_create_inverse): New.
	(bounded_ranges_manager::consolidate): New.
	(bounded_ranges_manager::get_or_create_ranges_for_switch): New.
	(bounded_ranges_manager::create_ranges_for_switch): New.
	(bounded_ranges_manager::make_case_label_ranges): New.
	(bounded_ranges_manager::log_stats): New.
	(bounded_ranges_constraint::print): New.
	(bounded_ranges_constraint::to_json): New.
	(bounded_ranges_constraint::operator==): New.
	(bounded_ranges_constraint::add_to_hash): New.
	(constraint_manager::constraint_manager): Update for new field
	m_bounded_ranges_constraints.
	(constraint_manager::operator=): Likewise.
	(constraint_manager::hash): Likewise.
	(constraint_manager::operator==): Likewise.
	(constraint_manager::print): Likewise.
	(constraint_manager::dump_to_pp): Likewise.
	(constraint_manager::to_json): Likewise.
	(constraint_manager::add_unknown_constraint): Update the lhs_ec_id
	if necessary in existing constraints when combining equivalence
	classes. Add similar code for handling
	m_bounded_ranges_constraints.
	(constraint_manager::add_constraint_internal): Add comment.
	(constraint_manager::add_bounded_ranges): New.
	(constraint_manager::eval_condition): Use new field
	m_bounded_ranges_constraints.
	(constraint_manager::purge): Update bounded_ranges_constraint
	instances.
	(constraint_manager::canonicalize): Update for new field.
	(merger_fact_visitor::on_ranges): New.
	(constraint_manager::for_each_fact): Use new field
	m_bounded_ranges_constraints.
	(constraint_manager::validate): Fix off-by-one error needed due
	to bug fixed above in add_unknown_constraint. Validate the EC IDs
	in m_bounded_ranges_constraints.
	(constraint_manager::get_range_manager): New.
	(selftest::assert_dump_bounded_range_eq): New.
	(ASSERT_DUMP_BOUNDED_RANGE_EQ): New.
	(selftest::test_bounded_range): New.
	(selftest::assert_dump_bounded_ranges_eq): New.
	(ASSERT_DUMP_BOUNDED_RANGES_EQ): New.
	(selftest::test_bounded_ranges): New.
	(selftest::run_constraint_manager_tests): Call the new selftests.
	* constraint-manager.h (struct bounded_range): New.
	(struct bounded_ranges): New.
	(template <> struct default_hash_traits<bounded_ranges::key_t>): New.
	(class bounded_ranges_manager): New.
	(fact_visitor::on_ranges): New pure virtual function.
	(class bounded_ranges_constraint): New.
	(constraint_manager::add_bounded_ranges): New decl.
	(constraint_manager::get_range_manager): New decl.
	(constraint_manager::m_bounded_ranges_constraints): New field.
	* diagnostic-manager.cc (epath_finder::process_worklist_item):
	Transfer ownership of rc to add_feasibility_problem.
	* engine.cc (feasibility_problem::dump_to_pp): Use get_model.
	* feasible-graph.cc (infeasible_node::dump_dot): Update for
	conversion of m_rc to a pointer.
	(feasible_graph::add_feasibility_problem): Pass RC by pointer and
	take ownership.
	* feasible-graph.h (infeasible_node::infeasible_node): Pass RC by
	pointer and take ownership.
	(infeasible_node::~infeasible_node): New.
	(infeasible_node::m_rc): Convert to a pointer.
	(feasible_graph::add_feasibility_problem): Pass RC by pointer and
	take ownership.
	* region-model-manager.cc: Include
	"analyzer/constraint-manager.h".
	(region_model_manager::region_model_manager): Initialize new
	field m_range_mgr.
	(region_model_manager::~region_model_manager): Delete it.
	(region_model_manager::log_stats): Call log_stats on it.
	* region-model.cc (region_model::add_constraint): Use new subclass
	rejected_op_constraint.
	(region_model::apply_constraints_for_gswitch): Reimplement using
	bounded_ranges_manager.
	(rejected_constraint::dump_to_pp): Convert to...
	(rejected_op_constraint::dump_to_pp): ...this.
	(rejected_ranges_constraint::dump_to_pp): New.
	* region-model.h (struct purge_stats): Add field
	m_num_bounded_ranges_constraints.
	(region_model_manager::get_range_manager): New.
	(region_model_manager::m_range_mgr): New.
	(region_model::get_range_manager): New.
	(struct rejected_constraint): Split into...
	(class rejected_constraint): ...this new abstract base class,
	and...
	(class rejected_op_constraint): ...this new concrete subclass.
	(class rejected_ranges_constraint): New.
	* supergraph.cc: Include "tree-cfg.h".
	(supergraph::supergraph): Drop idx param from add_cfg_edge.
	(supergraph::add_cfg_edge): Drop idx param.
	(switch_cfg_superedge::switch_cfg_superedge): Move here from
	header. Populate m_case_labels with all cases which go to DST.
	(switch_cfg_superedge::dump_label_to_pp): Reimplement to use
	m_case_labels.
	(switch_cfg_superedge::get_case_label): Delete.
	* supergraph.h (supergraph::add_cfg_edge): Drop "idx" param.
	(switch_cfg_superedge::switch_cfg_superedge): Drop idx param and
	move implementation to supergraph.cc.
	(switch_cfg_superedge::get_case_label): Delete.
	(switch_cfg_superedge::get_case_labels): New.
	(switch_cfg_superedge::m_idx): Delete.
	(switch_cfg_superedge::m_case_labels): New field.

2021-08-23 David Malcolm <dmalcolm@redhat.com>

	PR analyzer/101875
	* sm-file.cc (file_diagnostic::describe_state_change): Handle
	change.m_expr being NULL.

2021-08-23 David Malcolm <dmalcolm@redhat.com>

	PR analyzer/101837
	* analyzer.cc (maybe_reconstruct_from_def_stmt): Bail if fn is
	NULL, and assert that it's non-NULL before passing it to
	build_call_array_loc.

2021-08-23 David Malcolm <dmalcolm@redhat.com>

	PR analyzer/101962
	* region-model.cc (region_model::eval_condition_without_cm):
	Refactor comparison against zero, adding a check for
	POINTER_PLUS_EXPR of non-NULL.

2021-08-23 David Malcolm <dmalcolm@redhat.com>

	* store.cc (bit_range::intersects_p): New overload.
	(bit_range::operator-): New.
	(binding_cluster::maybe_get_compound_binding): Handle the partial
	overlap case.
	(selftest::test_bit_range_intersects_p): Add test coverage for
	new overload of bit_range::intersects_p.
	* store.h (bit_range::intersects_p): New overload.
	(bit_range::operator-): New.

2021-08-23 Ankur Saini <arsenic@sourceware.org>

	PR analyzer/102020
	* diagnostic-manager.cc
	(diagnostic_manager::prune_for_sm_diagnostic)<case EK_CALL_EDGE>: Fix typo.

2021-08-21 Ankur Saini <arsenic@sourceware.org>

	PR analyzer/101980
	* diagnostic-manager.cc
	(diagnostic_manager::prune_for_sm_diagnostic)<case EK_CALL_EDGE>: Use
	caller_model only when the supergraph_edge doesn't exist.
	(diagnostic_manager::prune_for_sm_diagnostic)<case EK_RETURN_EDGE>:
	Likewise.
	* engine.cc (exploded_graph::create_dynamic_call): Rename to...
	(exploded_graph::maybe_create_dynamic_call): ...this, return call
	creation status.
	(exploded_graph::process_node): Handle calls which were not dynamically
	discovered.
	* exploded-graph.h (exploded_graph::create_dynamic_call): Rename to...
	(exploded_graph::maybe_create_dynamic_call): ...this.
	* region-model.cc (region_model::update_for_gcall): New param, use it
	to push call to frame.
	(region_model::update_for_call_superedge): Pass callee function to
	update_for_gcall.
	* region-model.h (region_model::update_for_gcall): New param.

2021-08-18 Ankur Saini <arsenic@sourceware.org>

	PR analyzer/97114
	* region-model.cc (region_model::get_rvalue_1): Add case for
	OBJ_TYPE_REF.

2021-08-18 Ankur Saini <arsenic@sourceware.org>

	PR analyzer/100546
	* analysis-plan.cc (analysis_plan::use_summary_p): Don't use call
	summaries if there is no callgraph edge.
	* checker-path.cc (call_event::call_event): Handle call events that
	are not represented by a supergraph call edge.
	(return_event::return_event): Likewise.
	(call_event::get_desc): Work with new call_event structure.
	(return_event::get_desc): Likewise.
	* checker-path.h (call_event::m_src_snode): New field.
	(call_event::m_dest_snode): New field.
	(return_event::m_src_snode): New field.
	(return_event::m_dest_snode): New field.
	* diagnostic-manager.cc
	(diagnostic_manager::prune_for_sm_diagnostic)<case EK_CALL_EDGE>:
	Refactor to work with edges without callgraph edge.
	(diagnostic_manager::prune_for_sm_diagnostic)<case EK_RETURN_EDGE>:
	Likewise.
	* engine.cc (dynamic_call_info_t::update_model): New function.
	(dynamic_call_info_t::add_events_to_path): New function.
	(exploded_graph::create_dynamic_call): New function.
	(exploded_graph::process_node): Work with dynamically discovered calls.
	* exploded-graph.h (class dynamic_call_info_t): New class.
	(exploded_graph::create_dynamic_call): New decl.
	* program-point.cc (program_point::push_to_call_stack): New function.
	(program_point::pop_from_call_stack): New function.
	* program-point.h (program_point::push_to_call_stack): New decl.
	(program_point::pop_from_call_stack): New decl.
	* program-state.cc (program_state::push_call): New function.
	(program_state::returning_call): New function.
	* program-state.h (program_state::push_call): New decl.
	(program_state::returning_call): New decl.
	* region-model.cc (region_model::update_for_gcall): New function.
	(region_model::update_for_return_gcall): New function.
	(region_model::update_for_call_superedge): Get the underlying gcall and
	update for gcall.
	(region_model::update_for_return_superedge): Likewise.
	* region-model.h (region_model::update_for_gcall): New decl.
	(region_model::update_for_return_gcall): New decl.
	* state-purge.cc (state_purge_per_ssa_name::process_point): Update to
	work with calls without underlying cgraph edge.
	* supergraph.cc (supergraph::supergraph): Split snodes at every callsite.
	* supergraph.h (supernode::get_returning_call): New accessor.

2021-08-04 David Malcolm <dmalcolm@redhat.com>

	PR analyzer/101570
	* analyzer.cc (maybe_reconstruct_from_def_stmt): Add GIMPLE_ASM
	case.
	* analyzer.h (class asm_output_svalue): New forward decl.
	(class reachable_regions): New forward decl.
	* complexity.cc (complexity::from_vec_svalue): New.
	* complexity.h (complexity::from_vec_svalue): New decl.
	* engine.cc (feasibility_state::maybe_update_for_edge): Handle
	asm stmts by calling on_asm_stmt.
	* region-model-asm.cc: New file.
	* region-model-manager.cc
	(region_model_manager::maybe_fold_asm_output_svalue): New.
	(region_model_manager::get_or_create_asm_output_svalue): New.
	(region_model_manager::log_stats): Log m_asm_output_values_map.
	* region-model.cc (region_model::on_stmt_pre): Handle GIMPLE_ASM.
	* region-model.h (visitor::visit_asm_output_svalue): New.
	(region_model_manager::get_or_create_asm_output_svalue): New decl.
	(region_model_manager::maybe_fold_asm_output_svalue): New decl.
	(region_model_manager::asm_output_values_map_t): New typedef.
	(region_model_manager::m_asm_output_values_map): New field.
	(region_model::on_asm_stmt): New.
	* store.cc (binding_cluster::on_asm): New.
	* store.h (binding_cluster::on_asm): New decl.
	* svalue.cc (svalue::cmp_ptr): Handle SK_ASM_OUTPUT.
	(asm_output_svalue::dump_to_pp): New.
	(asm_output_svalue::dump_input): New.
	(asm_output_svalue::input_idx_to_asm_idx): New.
	(asm_output_svalue::accept): New.
	* svalue.h (enum svalue_kind): Add SK_ASM_OUTPUT.
	(svalue::dyn_cast_asm_output_svalue): New.
	(class asm_output_svalue): New.
	(is_a_helper <const asm_output_svalue *>::test): New.
	(struct default_hash_traits<asm_output_svalue::key_t>): New.

2021-08-03 Jakub Jelinek <jakub@redhat.com>

	PR analyzer/101721
	* sm-malloc.cc (known_allocator_p): Only check DECL_FUNCTION_CODE on
	BUILT_IN_NORMAL builtins.

2021-07-29 Ankur Saini <arsenic@sourceware.org>

	* call-string.cc (call_string::element_t::operator==): New operator.
	(call_string::element_t::operator!=): New operator.
	(call_string::element_t::get_caller_function): New function.
	(call_string::element_t::get_callee_function): New function.
	(call_string::call_string): Refactor to initialise m_elements.
	(call_string::operator=): Refactor to work with m_elements.
	(call_string::operator==): Likewise.
	(call_string::to_json): Likewise.
	(call_string::hash): Refactor to hash e.m_caller.
	(call_string::push_call): Refactor to work with m_elements.
	(call_string::push_call): New overload to push call via supernodes.
	(call_string::pop): Refactor to work with m_elements.
	(call_string::calc_recursion_depth): Likewise.
	(call_string::cmp): Likewise.
	(call_string::validate): Likewise.
	(call_string::operator[]): Likewise.
	* call-string.h (class supernode): New forward decl.
	(struct call_string::element_t): New struct.
	(call_string::call_string): Refactor to initialise m_elements.
	(call_string::empty_p): Refactor to work with m_elements.
	(call_string::get_callee_node): New decl.
	(call_string::get_caller_node): New decl.
	(m_elements): Replaces m_return_edges.
	* program-point.cc (program_point::get_function_at_depth): Refactor to
	work with new call-string format.
	(program_point::validate): Likewise.
	(program_point::on_edge): Likewise.

2021-07-28 David Malcolm <dmalcolm@redhat.com>

	* region-model.cc (region_model::on_call_pre): Treat
	IFN_UBSAN_BOUNDS, BUILT_IN_STACK_SAVE, and BUILT_IN_STACK_RESTORE
	as no-ops, rather than handling them as unknown functions.

2021-07-28 David Malcolm <dmalcolm@redhat.com>

	* region-model-impl-calls.cc (region_model::impl_call_alloca):
	Drop redundant return value.
	(region_model::impl_call_builtin_expect): Likewise.
	(region_model::impl_call_calloc): Likewise.
	(region_model::impl_call_malloc): Likewise.
	(region_model::impl_call_memset): Likewise.
	(region_model::impl_call_operator_new): Likewise.
	(region_model::impl_call_operator_delete): Likewise.
	(region_model::impl_call_strlen): Likewise.
	* region-model.cc (region_model::on_call_pre): Fix return value of
	known functions that don't have unknown side-effects.
	* region-model.h (region_model::impl_call_alloca): Drop redundant
	return value.
	(region_model::impl_call_builtin_expect): Likewise.
	(region_model::impl_call_calloc): Likewise.
	(region_model::impl_call_malloc): Likewise.
	(region_model::impl_call_memset): Likewise.
	(region_model::impl_call_strlen): Likewise.
	(region_model::impl_call_operator_new): Likewise.
	(region_model::impl_call_operator_delete): Likewise.

2021-07-28 Siddhesh Poyarekar <siddhesh@gotplt.org>

	* analyzer.cc (is_named_call_p, is_std_named_call_p): Make
	first argument a const_tree.
	* analyzer.h (is_named_call_p, is_std_named_call_p): Likewise.
	* sm-malloc.cc (known_allocator_p): New function.
	(malloc_state_machine::on_stmt): Use it.

2021-07-28 Siddhesh Poyarekar <siddhesh@gotplt.org>

	* sm-malloc.cc
	(malloc_state_machine::get_or_create_deallocator): Recognize
	__builtin_free.

49242021-07-26 David Malcolm <dmalcolm@redhat.com>
4925
4926 * region-model.cc (region_model::on_call_pre): Always set conjured
4927 LHS, not just for SSA names.
4928
ead235f6
GA
49292021-07-23 David Malcolm <dmalcolm@redhat.com>
4930
4931 * diagnostic-manager.cc
4932 (class auto_disable_complexity_checks): New.
4933 (epath_finder::explore_feasible_paths): Use it to disable
4934 complexity checks whilst processing the worklist.
4935 * region-model-manager.cc
4936 (region_model_manager::region_model_manager): Initialize
4937 m_check_complexity.
4938 (region_model_manager::reject_if_too_complex): Bail if
4939 m_check_complexity is false.
4940 * region-model.h
4941 (region_model_manager::enable_complexity_check): New.
4942 (region_model_manager::disable_complexity_check): New.
4943 (region_model_manager::m_check_complexity): New.
4944
419c6c68
GA
49452021-07-21 David Malcolm <dmalcolm@redhat.com>
4946
4947 PR analyzer/101547
4948 * sm-file.cc (file_leak::emit): Handle m_arg being NULL.
4949 (file_leak::describe_final_event): Handle ev.m_expr being NULL.
4950
49512021-07-21 David Malcolm <dmalcolm@redhat.com>
4952
4953 PR analyzer/101522
4954 * store.cc (binding_cluster::purge_state_involving): Don't change
4955 m_map whilst iterating through it.
4956
49572021-07-21 David Malcolm <dmalcolm@redhat.com>
4958
4959 * region-model.cc (region_model::handle_phi): Add "old_state"
4960 param and use it.
4961 (region_model::update_for_phis): Update so that all of the phi
4962 stmts are effectively handled simultaneously, rather than in
4963 order.
4964 * region-model.h (region_model::handle_phi): Add "old_state"
4965 param.
4966 * state-purge.cc (self_referential_phi_p): Replace with...
4967 (name_used_by_phis_p): ...this new function.
4968 (state_purge_per_ssa_name::process_point): Update to use the
4969 above, so that all phi stmts at a basic block are effectively
4970 considered simultaneously, and only consider the phi arguments for
4971 the pertinent in-edge.
4972 * supergraph.cc (cfg_superedge::get_phi_arg_idx): New.
4973 (cfg_superedge::get_phi_arg): Use the above.
4974 * supergraph.h (cfg_superedge::get_phi_arg_idx): New decl.
4975
49762021-07-21 David Malcolm <dmalcolm@redhat.com>
4977
4978 * state-purge.cc (state_purge_annotator::add_node_annotations):
4979 Rather than erroneously always using the NULL in-edge, determine
4980 each relevant in-edge, and print the appropriate data for each
4981 in-edge. Use print_needed to print the data as comma-separated
4982 lists of SSA names.
4983 (print_vec_of_names): Add "within_table" param and use it.
4984 (state_purge_annotator::add_stmt_annotations): Factor out
4985 collation and printing code into...
4986 (state_purge_annotator::print_needed): ...this new function.
4987 * state-purge.h (state_purge_annotator::print_needed): New decl.
4988
49892021-07-21 David Malcolm <dmalcolm@redhat.com>
4990
4991 * program-point.cc (function_point::print): Show src BB index at
4992 BEFORE_SUPERNODE.
4993
49942021-07-21 David Malcolm <dmalcolm@redhat.com>
4995
4996 * svalue.cc (infix_p): New.
4997 (binop_svalue::dump_to_pp): Use it to print MIN_EXPR and MAX_EXPR
4998 in prefix form, rather than infix.
4999
21ea2f93
GA
50002021-07-19 David Malcolm <dmalcolm@redhat.com>
5001
5002 PR analyzer/101503
5003 * constraint-manager.cc (constraint_manager::add_constraint): Use
5004 can_have_associated_state_p rather than testing for unknown.
5005 (constraint_manager::get_or_add_equiv_class): Likewise.
5006 * program-state.cc (sm_state_map::set_state): Likewise.
5007 (sm_state_map::impl_set_state): Add assertion.
5008 * region-model-manager.cc
5009 (region_model_manager::maybe_fold_unaryop): Handle poisoned
5010 values.
5011 (region_model_manager::maybe_fold_binop): Move handling of unknown
5012 values...
5013 (region_model_manager::get_or_create_binop): ...to here, and
5014 generalize to use can_have_associated_state_p.
5015 (region_model_manager::maybe_fold_sub_svalue): Use
5016 can_have_associated_state_p rather than testing for unknown.
5017 (region_model_manager::maybe_fold_repeated_svalue): Use unknown
5018 when the size or repeated value is "unknown"/"poisoned".
5019 * region-model.cc (region_model::purge_state_involving): Reject
5020 attempts to purge unknown/poisoned svalues, as these svalues
5021 should not have state associated with them.
5022 * svalue.cc (sub_svalue::sub_svalue): Assert that we're building
5023 on top of an svalue with can_have_associated_state_p.
5024 (repeated_svalue::repeated_svalue): Likewise.
5025 (bits_within_svalue::bits_within_svalue): Likewise.
5026 * svalue.h (svalue::can_have_associated_state_p): New.
5027 (unknown_svalue::can_have_associated_state_p): New.
5028 (poisoned_svalue::can_have_associated_state_p): New.
5029 (unaryop_svalue::unaryop_svalue): Assert that we're building on
5030 top of an svalue with can_have_associated_state_p.
5031 (binop_svalue::binop_svalue): Likewise.
5032 (widening_svalue::widening_svalue): Likewise.
5033
87277b6a
GA
50342021-07-16 David Malcolm <dmalcolm@redhat.com>
5035
5036 * analyzer.h (enum access_direction): New.
5037 * engine.cc (exploded_node::on_longjmp): Update for new param of
5038 get_store_value.
5039 * program-state.cc (program_state::prune_for_point): Likewise.
5040 * region-model-impl-calls.cc (region_model::impl_call_memcpy):
5041 Replace call to check_for_writable_region with call to
5042 check_region_for_write.
5043 (region_model::impl_call_memset): Likewise.
5044 (region_model::impl_call_strcpy): Likewise.
5045 * region-model-reachability.cc (reachable_regions::add): Update
5046 for new param of get_store_value.
5047 * region-model.cc (region_model::get_rvalue_1): Likewise, also for
5048 get_rvalue_for_bits.
5049 (region_model::get_store_value): Add ctxt param and use it to call
5050 check_region_for_read.
5051 (region_model::get_rvalue_for_bits): Add ctxt param and use it to
5052 call get_store_value.
5053 (region_model::check_region_access): New.
5054 (region_model::check_region_for_write): New.
5055 (region_model::check_region_for_read): New.
5056 (region_model::set_value): Update comment. Replace call to
5057 check_for_writable_region with call to check_region_for_write.
5058 * region-model.h (region_model::get_rvalue_for_bits): Add ctxt
5059 param.
5060 (region_model::get_store_value): Add ctxt param.
5061 (region_model::check_region_access): New decl.
5062 (region_model::check_region_for_write): New decl.
5063 (region_model::check_region_for_read): New decl.
5064 * region.cc (region_model::copy_region): Update call to
5065 get_store_value.
5066 * svalue.cc (initial_svalue::implicitly_live_p): Likewise.
5067
50682021-07-16 David Malcolm <dmalcolm@redhat.com>
5069
5070 * engine.cc (exploded_node::on_stmt_pre): Handle
5071 __analyzer_dump_state.
5072 * program-state.cc (extrinsic_state::get_sm_idx_by_name): New.
5073 (program_state::impl_call_analyzer_dump_state): New.
5074 * program-state.h (extrinsic_state::get_sm_idx_by_name): New decl.
5075 (program_state::impl_call_analyzer_dump_state): New decl.
5076 * region-model-impl-calls.cc
5077 (call_details::get_arg_string_literal): New.
5078 * region-model.h (call_details::get_arg_string_literal): New decl.
5079
50802021-07-16 David Malcolm <dmalcolm@redhat.com>
5081
5082 * program-state.cc (program_state::detect_leaks): Simplify using
5083 svalue::maybe_get_region.
5084 * region-model-impl-calls.cc (region_model::impl_call_fgets): Likewise.
5085 (region_model::impl_call_fread): Likewise.
5086 (region_model::impl_call_free): Likewise.
5087 (region_model::impl_call_operator_delete): Likewise.
5088 * region-model.cc (selftest::test_stack_frames): Likewise.
5089 (selftest::test_state_merging): Likewise.
5090 * svalue.cc (svalue::maybe_get_region): New.
5091 * svalue.h (svalue::maybe_get_region): New decl.
5092
d97d71a1
GA
50932021-07-15 David Malcolm <dmalcolm@redhat.com>
5094
5095 * svalue.h (is_a_helper <placeholder_svalue *>::test): Make
5096 param and template param const.
5097 (is_a_helper <widening_svalue *>::test): Likewise.
5098 (is_a_helper <compound_svalue *>::test): Likewise.
5099 (is_a_helper <conjured_svalue *>::test): Likewise.
5100
51012021-07-15 David Malcolm <dmalcolm@redhat.com>
5102
5103 PR analyzer/95006
5104 PR analyzer/94713
5105 PR analyzer/94714
5106 * analyzer.cc (maybe_reconstruct_from_def_stmt): Split out
5107 GIMPLE_ASSIGN case into...
5108 (get_diagnostic_tree_for_gassign_1): New.
5109 (get_diagnostic_tree_for_gassign): New.
5110 * analyzer.h (get_diagnostic_tree_for_gassign): New decl.
5111 * analyzer.opt (Wanalyzer-write-to-string-literal): New.
5112 * constraint-manager.cc (class svalue_purger): New.
5113 (constraint_manager::purge_state_involving): New.
5114 * constraint-manager.h
5115 (constraint_manager::purge_state_involving): New.
5116 * diagnostic-manager.cc (saved_diagnostic::supercedes_p): New.
5117 (dedupe_winners::handle_interactions): New.
5118 (diagnostic_manager::emit_saved_diagnostics): Call it.
5119 * diagnostic-manager.h (saved_diagnostic::supercedes_p): New decl.
5120 * engine.cc (impl_region_model_context::warn): Convert return type
5121 to bool. Return false if the diagnostic isn't saved.
5122 (impl_region_model_context::purge_state_involving): New.
5123 (impl_sm_context::get_state): Use NULL ctxt when querying old
5124 rvalue.
5125 (impl_sm_context::set_next_state): Use new sval when querying old
5126 state.
5127 (class dump_path_diagnostic): Move to region-model.cc
5128 (exploded_node::on_stmt): Move to on_stmt_pre and on_stmt_post.
5129 Remove call to purge_state_involving.
5130 (exploded_node::on_stmt_pre): New, based on the above. Move most
5131 of it to region_model::on_stmt_pre.
5132 (exploded_node::on_stmt_post): Likewise, moving to
5133 region_model::on_stmt_post.
5134 (class stale_jmp_buf): Fix parent class to use curiously recurring
5135 template pattern.
5136 (feasibility_state::maybe_update_for_edge): Call on_call_pre and
5137 on_call_post on gcalls.
5138 * exploded-graph.h (impl_region_model_context::warn): Return bool.
5139 (impl_region_model_context::purge_state_involving): New decl.
5140 (exploded_node::on_stmt_pre): New decl.
5141 (exploded_node::on_stmt_post): New decl.
5142 * pending-diagnostic.h (pending_diagnostic::use_of_uninit_p): New.
5143 (pending_diagnostic::supercedes_p): New.
5144 * program-state.cc (sm_state_map::get_state): Inherit state for
5145 conjured_svalue as well as initial_svalue.
5146 (sm_state_map::purge_state_involving): Also support SK_CONJURED.
5147 * region-model-impl-calls.cc (call_details::get_uncertainty):
5148 Handle m_ctxt being NULL.
5149 (call_details::get_or_create_conjured_svalue): New.
5150 (region_model::impl_call_fgets): New.
5151 (region_model::impl_call_fread): New.
5152 * region-model-manager.cc
5153 (region_model_manager::get_or_create_initial_value): Return an
5154 uninitialized poisoned value for regions that can't have initial
5155 values.
5156 * region-model-reachability.cc
5157 (reachable_regions::mark_escaped_clusters): Handle ctxt being
5158 NULL.
5159 * region-model.cc (region_to_value_map::purge_state_involving): New.
5160 (poisoned_value_diagnostic::use_of_uninit_p): New.
5161 (poisoned_value_diagnostic::emit): Handle POISON_KIND_UNINIT.
5162 (poisoned_value_diagnostic::describe_final_event): Likewise.
5163 (region_model::check_for_poison): New.
5164 (region_model::on_assignment): Call it.
5165 (class dump_path_diagnostic): Move here from engine.cc.
5166 (region_model::on_stmt_pre): New, based on exploded_node::on_stmt.
5167 (region_model::on_call_pre): Move the setting of the LHS to a
5168 conjured svalue to before the checks for specific functions.
5169 Handle "fgets", "fgets_unlocked", and "fread".
5170 (region_model::purge_state_involving): New.
5171 (region_model::handle_unrecognized_call): Handle ctxt being NULL.
5172 (region_model::get_rvalue): Call check_for_poison.
5173 (selftest::test_stack_frames): Use NULL for context when getting
5174 uninitialized rvalue.
5175 (selftest::test_alloca): Likewise.
5176 * region-model.h (region_to_value_map::purge_state_involving): New
5177 decl.
5178 (call_details::get_or_create_conjured_svalue): New decl.
5179 (region_model::on_stmt_pre): New decl.
5180 (region_model::purge_state_involving): New decl.
5181 (region_model::impl_call_fgets): New decl.
5182 (region_model::impl_call_fread): New decl.
5183 (region_model::check_for_poison): New decl.
5184 (region_model_context::warn): Return bool.
5185 (region_model_context::purge_state_involving): New.
5186 (noop_region_model_context::warn): Return bool.
5187 (noop_region_model_context::purge_state_involving): New.
5188 (test_region_model_context:: warn): Return bool.
5189 * region.cc (region::get_memory_space): New.
5190 (region::can_have_initial_svalue_p): New.
5191 (region::involves_p): New.
5192 * region.h (enum memory_space): New.
5193 (region::get_memory_space): New decl.
5194 (region::can_have_initial_svalue_p): New decl.
5195 (region::involves_p): New decl.
5196 * sm-malloc.cc (use_after_free::supercedes_p): New.
5197 * store.cc (binding_cluster::purge_state_involving): New.
5198 (store::purge_state_involving): New.
5199 * store.h (class symbolic_binding): New forward decl.
5200 (binding_key::dyn_cast_symbolic_binding): New.
5201 (symbolic_binding::dyn_cast_symbolic_binding): New.
5202 (binding_cluster::purge_state_involving): New.
5203 (store::purge_state_involving): New.
5204 * svalue.cc (svalue::can_merge_p): Reject attempts to merge
5205 poisoned svalues with other svalues, so that we identify
5206 paths in which a variable is conditionally uninitialized.
5207 (involvement_visitor::visit_conjured_svalue): New.
5208 (svalue::involves_p): Also handle SK_CONJURED.
5209 (poison_kind_to_str): Handle POISON_KIND_UNINIT.
5210 (poisoned_svalue::maybe_fold_bits_within): New.
5211 * svalue.h (enum poison_kind): Add POISON_KIND_UNINIT.
5212 (poisoned_svalue::maybe_fold_bits_within): New decl.
5213
52142021-07-15 David Malcolm <dmalcolm@redhat.com>
5215
5216 * analyzer.opt (fdump-analyzer-exploded-paths): New.
5217 * diagnostic-manager.cc
5218 (diagnostic_manager::emit_saved_diagnostic): Implement it.
5219 * engine.cc (exploded_path::dump_to_pp): Add ext_state param and
5220 use it to dump states if non-NULL.
5221 (exploded_path::dump): Likewise.
5222 (exploded_path::dump_to_file): New.
5223 * exploded-graph.h (exploded_path::dump_to_pp): Add ext_state
5224 param.
5225 (exploded_path::dump): Likewise.
5226 (exploded_path::dump): Likewise.
5227 (exploded_path::dump_to_file): New.
5228
52292021-07-15 David Malcolm <dmalcolm@redhat.com>
5230
5231 * analyzer.cc (fixup_tree_for_diagnostic_1): Use DECL_DEBUG_EXPR
5232 if it's available.
5233 * engine.cc (readability): Likewise.
5234
52352021-07-15 David Malcolm <dmalcolm@redhat.com>
5236
5237 * state-purge.cc (self_referential_phi_p): New.
5238 (state_purge_per_ssa_name::process_point): Don't purge an SSA name
5239 at its def-stmt if the def-stmt is self-referential.
5240
c24a9707
GA
52412021-07-07 David Malcolm <dmalcolm@redhat.com>
5242
5243 * diagnostic-manager.cc (null_assignment_sm_context::get_state):
5244 New overload.
5245 (null_assignment_sm_context::set_next_state): New overload.
5246 (null_assignment_sm_context::get_diagnostic_tree): New.
5247 * engine.cc (impl_sm_context::get_state): New overload.
5248 (impl_sm_context::set_next_state): New overload.
5249 (impl_sm_context::get_diagnostic_tree): New overload.
5250 (impl_region_model_context::on_condition): Convert params from
5251 tree to const svalue *.
5252 * exploded-graph.h (impl_region_model_context::on_condition):
5253 Likewise.
5254 * region-model.cc (region_model::on_call_pre): Move handling of
5255 internal calls to before checking for get_fndecl_for_call.
5256 (region_model::add_constraints_from_binop): New.
5257 (region_model::add_constraint): Split out into a new overload
5258 working on const svalue * rather than tree. Call
5259 add_constraints_from_binop. Drop call to
5260 add_any_constraints_from_ssa_def_stmt.
5261 (region_model::add_any_constraints_from_ssa_def_stmt): Delete.
5262 (region_model::add_any_constraints_from_gassign): Delete.
5263 (region_model::add_any_constraints_from_gcall): Delete.
5264 * region-model.h
5265 (region_model::add_any_constraints_from_ssa_def_stmt): Delete.
5266 (region_model::add_any_constraints_from_gassign): Delete.
5267 (region_model::add_any_constraints_from_gcall): Delete.
5268 (region_model::add_constraint): Add overload decl.
5269 (region_model::add_constraints_from_binop): New decl.
5270 (region_model_context::on_condition): Convert params from tree to
5271 const svalue *.
5272 (noop_region_model_context::on_condition): Likewise.
5273 * sm-file.cc (fileptr_state_machine::condition): Likewise.
5274 * sm-malloc.cc (malloc_state_machine::on_condition): Likewise.
5275 * sm-pattern-test.cc: Include tristate.h, selftest.h,
5276 analyzer/call-string.h, analyzer/program-point.h,
5277 analyzer/store.h, and analyzer/region-model.h.
5278 (pattern_test_state_machine::on_condition): Convert params from tree to
5279 const svalue *.
5280 * sm-sensitive.cc (sensitive_state_machine::on_condition): Delete.
5281 * sm-signal.cc (signal_state_machine::on_condition): Delete.
5282 * sm-taint.cc (taint_state_machine::on_condition): Convert params
5283 from tree to const svalue *.
5284 * sm.cc: Include tristate.h, selftest.h, analyzer/call-string.h,
5285 analyzer/program-point.h, analyzer/store.h, and
5286 analyzer/region-model.h.
5287 (any_pointer_p): Add overload taking const svalue *sval.
5288 * sm.h (any_pointer_p): Add overload taking const svalue *sval.
5289 (state_machine::on_condition): Convert params from tree to
5290 const svalue *. Provide no-op default implementation.
5291 (sm_context::get_state): Add overload taking const svalue *sval.
5292 (sm_context::set_next_state): Likewise.
5293 (sm_context::on_transition): Likewise.
5294 (sm_context::get_diagnostic_tree): Likewise.
5295 * svalue.cc (svalue::all_zeroes_p): New.
5296 (constant_svalue::all_zeroes_p): New.
5297 (repeated_svalue::all_zeroes_p): Convert to vfunc.
5298 * svalue.h (svalue::all_zeroes_p): New decl.
5299 (constant_svalue::all_zeroes_p): New decl.
5300 (repeated_svalue::all_zeroes_p): Convert decl to vfunc.
5301
25b6bfea
GA
53022021-06-30 David Malcolm <dmalcolm@redhat.com>
5303
5304 PR analyzer/95006
5305 * analyzer.h (class repeated_svalue): New forward decl.
5306 (class bits_within_svalue): New forward decl.
5307 (class sized_region): New forward decl.
5308 (get_field_at_bit_offset): New forward decl.
5309 * engine.cc (exploded_graph::get_or_create_node): Validate the
5310 merged state.
5311 (exploded_graph::maybe_process_run_of_before_supernode_enodes):
5312 Validate the states at each stage.
5313 * program-state.cc (program_state::validate): Validate
5314 m_region_model.
5315 * region-model-impl-calls.cc (region_model::impl_call_memset):
5316 Replace special-case logic for handling constant sizes with
5317 a call to fill_region of a sized_region with the given fill value.
5318 * region-model-manager.cc (maybe_undo_optimize_bit_field_compare):
5319 Drop DK_direct.
5320 (region_model_manager::maybe_fold_sub_svalue): Fold element-based
5321 subregions of an initial value into initial values of an element.
5322 Fold subvalues of repeated svalues.
5323 (region_model_manager::maybe_fold_repeated_svalue): New.
5324 (region_model_manager::get_or_create_repeated_svalue): New.
5325 (get_bit_range_for_field): New.
5326 (get_byte_range_for_field): New.
5327 (get_field_at_byte_range): New.
5328 (region_model_manager::maybe_fold_bits_within_svalue): New.
5329 (region_model_manager::get_or_create_bits_within): New.
5330 (region_model_manager::get_sized_region): New.
5331 (region_model_manager::log_stats): Update for addition of
5332 m_repeated_values_map, m_bits_within_values_map, and
5333 m_sized_regions.
5334 * region-model.cc (region_model::validate): New.
5335 (region_model::on_assignment): Drop enum binding_kind.
5336 (region_model::get_initial_value_for_global): Likewise.
5337 (region_model::get_rvalue_for_bits): Replace body with call to
5338 get_or_create_bits_within.
5339 (region_model::get_capacity): Handle RK_SIZED.
5340 (region_model::set_value): Drop enum binding_kind.
5341 (region_model::fill_region): New.
5342 (region_model::get_representative_path_var_1): Handle RK_SIZED.
5343 * region-model.h (visitor::visit_repeated_svalue): New.
5344 (visitor::visit_bits_within_svalue): New.
5345 (region_model_manager::get_or_create_repeated_svalue): New decl.
5346 (region_model_manager::get_or_create_bits_within): New decl.
5347 (region_model_manager::get_sized_region): New decl.
5348 (region_model_manager::maybe_fold_repeated_svalue): New decl.
5349 (region_model_manager::maybe_fold_bits_within_svalue): New decl.
5350 (region_model_manager::repeated_values_map_t): New typedef.
5351 (region_model_manager::m_repeated_values_map): New field.
5352 (region_model_manager::bits_within_values_map_t): New typedef.
5353 (region_model_manager::m_bits_within_values_map): New field.
5354 (region_model_manager::m_sized_regions): New field.
5355 (region_model::fill_region): New decl.
5356 * region.cc (region::get_base_region): Handle RK_SIZED.
5357 (region::base_region_p): Likewise.
5358 (region::get_byte_size_sval): New.
5359 (get_field_at_bit_offset): Make non-static.
5360 (region::calc_offset): Move implementation of cases to
5361 get_relative_concrete_offset vfunc implementations. Handle
5362 RK_SIZED.
5363 (region::get_relative_concrete_offset): New.
5364 (decl_region::get_svalue_for_initializer): Drop enum binding_kind.
5365 (field_region::get_relative_concrete_offset): New, from
5366 region::calc_offset.
5367 (element_region::get_relative_concrete_offset): Likewise.
5368 (offset_region::get_relative_concrete_offset): Likewise.
5369 (sized_region::accept): New.
5370 (sized_region::dump_to_pp): New.
5371 (sized_region::get_byte_size): New.
5372 (sized_region::get_bit_size): New.
5373 * region.h (enum region_kind): Add RK_SIZED.
5374 (region::dyn_cast_sized_region): New.
5375 (region::get_byte_size): Make virtual.
5376 (region::get_bit_size): Likewise.
5377 (region::get_byte_size_sval): New decl.
5378 (region::get_relative_concrete_offset): New decl.
5379 (field_region::get_relative_concrete_offset): New decl.
5380 (element_region::get_relative_concrete_offset): Likewise.
5381 (offset_region::get_relative_concrete_offset): Likewise.
5382 (class sized_region): New.
5383 * store.cc (binding_kind_to_string): Delete.
5384 (binding_key::make): Drop enum binding_kind.
5385 (binding_key::dump_to_pp): Delete.
5386 (binding_key::cmp_ptrs): Drop enum binding_kind.
5387 (bit_range::contains_p): New.
5388 (byte_range::dump): New.
5389 (byte_range::contains_p): New.
5390 (byte_range::cmp): New.
5391 (concrete_binding::dump_to_pp): Drop enum binding_kind.
5392 (concrete_binding::cmp_ptr_ptr): Likewise.
5393 (symbolic_binding::dump_to_pp): Likewise.
5394 (symbolic_binding::cmp_ptr_ptr): Likewise.
5395 (binding_map::apply_ctor_val_to_range): Likewise.
5396 (binding_map::apply_ctor_pair_to_child_region): Likewise.
5397 (binding_map::get_overlapping_bindings): New.
5398 (binding_map::remove_overlapping_bindings): New.
5399 (binding_cluster::validate): New.
5400 (binding_cluster::bind): Drop enum binding_kind.
5401 (binding_cluster::bind_compound_sval): Likewise.
5402 (binding_cluster::purge_region): Likewise.
5403 (binding_cluster::zero_fill_region): Reimplement in terms of...
5404 (binding_cluster::fill_region): New.
5405 (binding_cluster::mark_region_as_unknown): Drop enum binding_kind.
5406 (binding_cluster::get_binding): Likewise.
5407 (binding_cluster::get_binding_recursive): Likewise.
5408 (binding_cluster::get_any_binding): Likewise.
5409 (binding_cluster::maybe_get_compound_binding): Reimplement.
5410 (binding_cluster::get_overlapping_bindings): Delete.
5411 (binding_cluster::remove_overlapping_bindings): Reimplement in
5412 terms of binding_map::remove_overlapping_bindings.
5413 (binding_cluster::can_merge_p): Update for removal of
5414 enum binding_kind.
5415 (binding_cluster::on_unknown_fncall): Drop enum binding_kind.
5416 (binding_cluster::maybe_get_simple_value): Likewise.
5417 (store_manager::get_concrete_binding): Likewise.
5418 (store_manager::get_symbolic_binding): Likewise.
5419 (store::validate): New.
5420 (store::set_value): Drop enum binding_kind.
5421 (store::zero_fill_region): Reimplement in terms of...
5422 (store::fill_region): New.
5423 (selftest::test_binding_key_overlap): Drop enum binding_kind.
5424 * store.h (enum binding_kind): Delete.
5425 (binding_kind_to_string): Delete decl.
5426 (binding_key::make): Drop enum binding_kind.
5427 (binding_key::dump_to_pp): Make pure virtual.
5428 (binding_key::get_kind): Delete.
5429 (binding_key::mark_deleted): Delete.
5430 (binding_key::mark_empty): Delete.
5431 (binding_key::is_deleted): Delete.
5432 (binding_key::is_empty): Delete.
5433 (binding_key::binding_key): Delete.
5434 (binding_key::impl_hash): Delete.
5435 (binding_key::impl_eq): Delete.
5436 (binding_key::m_kind): Delete.
5437 (bit_range::get_last_bit_offset): New.
5438 (bit_range::contains_p): New.
5439 (byte_range::contains_p): New.
5440 (byte_range::operator==): New.
5441 (byte_range::get_start_byte_offset): New.
5442 (byte_range::get_next_byte_offset): New.
5443 (byte_range::get_last_byte_offset): New.
5444 (byte_range::as_bit_range): New.
5445 (byte_range::cmp): New.
5446 (concrete_binding::concrete_binding): Drop enum binding_kind.
5447 (concrete_binding::hash): Likewise.
5448 (concrete_binding::operator==): Likewise.
5449 (concrete_binding::mark_deleted): New.
5450 (concrete_binding::mark_empty): New.
5451 (concrete_binding::is_deleted): New.
5452 (concrete_binding::is_empty): New.
5453 (default_hash_traits<ana::concrete_binding>::empty_zero_p): Make false.
5454 (symbolic_binding::symbolic_binding): Drop enum binding_kind.
5455 (symbolic_binding::hash): Likewise.
5456 (symbolic_binding::operator==): Likewise.
5457 (symbolic_binding::mark_deleted): New.
5458 (symbolic_binding::mark_empty): New.
5459 (symbolic_binding::is_deleted): New.
5460 (symbolic_binding::is_empty): New.
5461 (binding_map::remove_overlapping_bindings): New decl.
5462 (binding_map::get_overlapping_bindings): New decl.
5463 (binding_cluster::validate): New decl.
5464 (binding_cluster::bind): Drop enum binding_kind.
5465 (binding_cluster::fill_region): New decl.
5466 (binding_cluster::get_binding): Drop enum binding_kind.
5467 (binding_cluster::get_binding_recursive): Likewise.
5468 (binding_cluster::get_overlapping_bindings): Delete.
5469 (store::validate): New decl.
5470 (store::set_value): Drop enum binding_kind.
5471 (store::fill_region): New decl.
5472 (store_manager::get_concrete_binding): Drop enum binding_kind.
5473 (store_manager::get_symbolic_binding): Likewise.
5474 * svalue.cc (svalue::cmp_ptr): Handle SK_REPEATED and
5475 SK_BITS_WITHIN.
5476 (svalue::extract_bit_range): New.
5477 (svalue::maybe_fold_bits_within): New.
5478 (constant_svalue::maybe_fold_bits_within): New.
5479 (unknown_svalue::maybe_fold_bits_within): New.
5480 (unaryop_svalue::maybe_fold_bits_within): New.
5481 (repeated_svalue::repeated_svalue): New.
5482 (repeated_svalue::dump_to_pp): New.
5483 (repeated_svalue::accept): New.
5484 (repeated_svalue::all_zeroes_p): New.
5485 (repeated_svalue::maybe_fold_bits_within): New.
5486 (bits_within_svalue::bits_within_svalue): New.
5487 (bits_within_svalue::dump_to_pp): New.
5488 (bits_within_svalue::maybe_fold_bits_within): New.
5489 (bits_within_svalue::accept): New.
5490 (bits_within_svalue::implicitly_live_p): New.
5491 (compound_svalue::maybe_fold_bits_within): New.
5492 * svalue.h (enum svalue_kind): Add SK_REPEATED and SK_BITS_WITHIN.
5493 (svalue::dyn_cast_repeated_svalue): New.
5494 (svalue::dyn_cast_bits_within_svalue): New.
5495 (svalue::extract_bit_range): New decl.
5496 (svalue::maybe_fold_bits_within): New vfunc decl.
5497 (region_svalue::key_t::mark_empty): Use 2 rather than NULL_TREE.
5498 (region_svalue::key_t::is_empty): Likewise.
5499 (default_hash_traits<region_svalue::key_t>::empty_zero_p): Make false.
5500 (constant_svalue::maybe_fold_bits_within): New.
5501 (unknown_svalue::maybe_fold_bits_within): New.
5502 (poisoned_svalue::key_t::mark_empty): Use 2 rather than NULL_TREE.
5503 (poisoned_svalue::key_t::is_empty): Likewise.
5504 (default_hash_traits<poisoned_svalue::key_t>::empty_zero_p): Make
5505 false.
5506 (setjmp_svalue::key_t::mark_empty): Use 2 rather than NULL_TREE.
5507 (setjmp_svalue::key_t::is_empty): Likewise.
5508 (default_hash_traits<setjmp_svalue::key_t>::empty_zero_p): Make
5509 false.
5510 (unaryop_svalue::key_t::mark_empty): Use 2 rather than NULL_TREE.
5511 (unaryop_svalue::key_t::is_empty): Likewise.
5512 (unaryop_svalue::maybe_fold_bits_within): New.
5513 (default_hash_traits<unaryop_svalue::key_t>::empty_zero_p): Make
5514 false.
5515 (binop_svalue::key_t::mark_empty): Use 2 rather than NULL_TREE.
5516 (binop_svalue::key_t::is_empty): Likewise.
5517 (default_hash_traits<binop_svalue::key_t>::empty_zero_p): Make
5518 false.
5519 (sub_svalue::key_t::mark_empty): Use 2 rather than NULL_TREE.
5520 (sub_svalue::key_t::is_empty): Likewise.
5521 (default_hash_traits<sub_svalue::key_t>::empty_zero_p): Make
5522 false.
5523 (class repeated_svalue): New.
5524 (is_a_helper <const repeated_svalue *>::test): New.
5525 (struct default_hash_traits<repeated_svalue::key_t>): New.
5526 (class bits_within_svalue): New.
5527 (is_a_helper <const bits_within_svalue *>::test): New.
5528 (struct default_hash_traits<bits_within_svalue::key_t>): New.
5529 (widening_svalue::key_t::mark_empty): Use 2 rather than NULL_TREE.
5530 (widening_svalue::key_t::is_empty): Likewise.
5531 (default_hash_traits<widening_svalue::key_t>::empty_zero_p): Make
5532 false.
5533 (compound_svalue::key_t::mark_empty): Use 2 rather than NULL_TREE.
5534 (compound_svalue::key_t::is_empty): Likewise.
5535 (compound_svalue::maybe_fold_bits_within): New.
5536 (default_hash_traits<compound_svalue::key_t>::empty_zero_p): Make
5537 false.
5538
c8abc205
GA
55392021-06-28 David Malcolm <dmalcolm@redhat.com>
5540
5541 * analyzer.h (byte_offset_t): New typedef.
5542 * store.cc (bit_range::dump_to_pp): Dump as a byte range if
5543 possible.
5544 (bit_range::as_byte_range): New.
5545 (byte_range::dump_to_pp): New.
5546 * store.h (class byte_range): New forward decl.
5547 (struct bit_range): Add comment.
5548 (bit_range::as_byte_range): New decl.
5549 (struct byte_range): New.
5550
419af06a
GA
55512021-06-22 David Malcolm <dmalcolm@redhat.com>
5552
5553 PR analyzer/101143
5554 * region-model.cc (compat_types_p): New function.
5555 (region_model::create_region_for_heap_alloc): Convert assertion to
5556 an error check.
5557 (region_model::create_region_for_alloca): Likewise.
5558
c5581d48
GA
2021-06-18  David Malcolm  <dmalcolm@redhat.com>

	* store.cc (binding_cluster::get_any_binding): Make symbolic reads
	from a cluster with concrete bindings return unknown.

2021-06-18  David Malcolm  <dmalcolm@redhat.com>

	* region-model-manager.cc
	(region_model_manager::get_or_create_int_cst): New.
	(region_model_manager::maybe_undo_optimize_bit_field_compare): Use
	it to simplify away a local tree.
	* region-model.cc (region_model::on_setjmp): Likewise.
	(region_model::on_longjmp): Likewise.
	* region-model.h (region_model_manager::get_or_create_int_cst):
	New decl.
	* store.cc (binding_cluster::zero_fill_region): Use it to simplify
	away a local tree.

2021-06-18  David Malcolm  <dmalcolm@redhat.com>

	* checker-path.cc (class custom_event): Make abstract to allow for
	custom vfuncs, splitting existing implementation into...
	(class precanned_custom_event): New subclass.
	(custom_event::get_desc): Move to...
	(precanned_custom_event::get_desc): ...subclass.
	* checker-path.h (class custom_event): Make abstract to allow for
	custom vfuncs, splitting existing implementation into...
	(class precanned_custom_event): New subclass.
	* diagnostic-manager.cc (diagnostic_manager::add_events_for_eedge):
	Use precanned_custom_event.
	* engine.cc
	(stale_jmp_buf::maybe_add_custom_events_for_superedge): Likewise.
	* sm-signal.cc (signal_delivery_edge_info_t::add_events_to_path):
	Likewise.

2021-06-15  David Malcolm  <dmalcolm@redhat.com>

	PR analyzer/99212
	PR analyzer/101082
	* engine.cc: Include "target.h".
	(impl_run_checkers): Log BITS_BIG_ENDIAN, BYTES_BIG_ENDIAN, and
	WORDS_BIG_ENDIAN.
	* region-model-manager.cc
	(region_model_manager::maybe_fold_binop): Move support for masking
	via ARG0 & CST into...
	(region_model_manager::maybe_undo_optimize_bit_field_compare):
	...this new function.  Flatten by converting from nested
	conditionals to a series of early return statements to reject
	failures.  Reject if type is not unsigned_char_type_node.
	Handle BYTES_BIG_ENDIAN when determining which bits are bound
	in the binding_map.
	* region-model.h
	(region_model_manager::maybe_undo_optimize_bit_field_compare):
	New decl.
	* store.cc (bit_range::dump): New function.
	* store.h (bit_range::dump): New decl.

2021-06-15  David Malcolm  <dmalcolm@redhat.com>

	* engine.cc (exploded_node::on_stmt): Handle __analyzer_dump_capacity.
	(exploded_node::on_stmt): Drop m_sm_changes from on_stmt_flags.
	(state_change_requires_new_enode_p): New function...
	(exploded_graph::process_node): Call it, rather than querying
	flags.m_sm_changes, so that dynamic-extent differences can also
	trigger the splitting of nodes.
	* exploded-graph.h (struct on_stmt_flags): Drop field m_sm_changes.
	* program-state.cc (program_state::detect_leaks): Purge dead
	heap-allocated regions from dynamic extents.
	(selftest::test_program_state_1): Fix type of "size_in_bytes".
	(selftest::test_program_state_merging): Likewise.
	* region-model-impl-calls.cc
	(region_model::impl_call_analyzer_dump_capacity): New.
	(region_model::impl_call_free): Remove dynamic extents from the
	freed region.
	* region-model-reachability.h
	(reachable_regions::begin_mutable_base_regs): New.
	(reachable_regions::end_mutable_base_regs): New.
	* region-model.cc: Include "tree-object-size.h".
	(region_model::region_model): Support new field m_dynamic_extents.
	(region_model::operator=): Likewise.
	(region_model::operator==): Likewise.
	(region_model::dump_to_pp): Dump sizes of dynamic regions.
	(region_model::handle_unrecognized_call): Purge dynamic extents
	from any regions that have escaped mutably.
	(region_model::get_capacity): New function.
	(region_model::add_constraint): Unset dynamic extents when a
	heap-allocated region's address is NULL.
	(region_model::unbind_region_and_descendents): Purge dynamic
	extents of unbound regions.
	(region_model::can_merge_with_p): Call
	m_dynamic_extents.can_merge_with_p.
	(region_model::create_region_for_heap_alloc): Assert that
	size_in_bytes's type is compatible with size_type_node.  Update
	for renaming of record_dynamic_extents to set_dynamic_extents.
	(region_model::create_region_for_alloca): Likewise.
	(region_model::record_dynamic_extents): Rename to...
	(region_model::set_dynamic_extents): ...this.  Assert that
	size_in_bytes's type is compatible with size_type_node.  Add it
	to the m_dynamic_extents map.
	(region_model::get_dynamic_extents): New.
	(region_model::unset_dynamic_extents): New.
	(selftest::test_state_merging): Fix type of "size".
	(selftest::test_malloc_constraints): Likewise.
	(selftest::test_malloc): Verify dynamic extents.
	(selftest::test_alloca): Likewise.
	* region-model.h (region_to_value_map::is_empty): New.
	(region_model::dynamic_extents_t): New typedef.
	(region_model::impl_call_analyzer_dump_capacity): New decl.
	(region_model::get_dynamic_extents): New function.
	(region_model::get_dynamic_extents): New decl.
	(region_model::set_dynamic_extents): New decl.
	(region_model::unset_dynamic_extents): New decl.
	(region_model::get_capacity): New decl.
	(region_model::record_dynamic_extents): Rename to set_dynamic_extents.
	(region_model::m_dynamic_extents): New field.

2021-06-15  David Malcolm  <dmalcolm@redhat.com>

	* region-model.cc (region_to_value_map::operator=): New.
	(region_to_value_map::operator==): New.
	(region_to_value_map::dump_to_pp): New.
	(region_to_value_map::dump): New.
	(region_to_value_map::can_merge_with_p): New.
	* region-model.h (class region_to_value_map): New class.

2021-06-13  Trevor Saunders  <tbsaunde@tbsaunde.org>

	* call-string.cc (call_string::call_string): Use range based for
	to iterate over vec<>.
	(call_string::to_json): Likewise.
	(call_string::hash): Likewise.
	(call_string::calc_recursion_depth): Likewise.
	* checker-path.cc (checker_path::fixup_locations): Likewise.
	* constraint-manager.cc (equiv_class::equiv_class): Likewise.
	(equiv_class::to_json): Likewise.
	(equiv_class::hash): Likewise.
	(constraint_manager::to_json): Likewise.
	* engine.cc (impl_region_model_context::on_svalue_leak):
	Likewise.
	(on_liveness_change): Likewise.
	(impl_region_model_context::on_unknown_change): Likewise.
	* program-state.cc (sm_state_map::set_state): Likewise.
	* region-model.cc (test_canonicalization_4): Likewise.

2021-06-11  David Malcolm  <dmalcolm@redhat.com>

	* engine.cc (worklist::key_t::cmp): Move sort by call_string to
	before SCC.

2021-06-09  David Malcolm  <dmalcolm@redhat.com>

	* region-model.cc (region_model::get_lvalue_1): Make const.
	(region_model::get_lvalue): Likewise.
	(region_model::get_rvalue_1): Likewise.
	(region_model::get_rvalue): Likewise.
	(region_model::deref_rvalue): Likewise.
	(region_model::get_rvalue_for_bits): Likewise.
	* region-model.h (region_model::get_lvalue): Likewise.
	(region_model::get_rvalue): Likewise.
	(region_model::deref_rvalue): Likewise.
	(region_model::get_rvalue_for_bits): Likewise.
	(region_model::get_lvalue_1): Likewise.
	(region_model::get_rvalue_1): Likewise.

2021-06-08  David Malcolm  <dmalcolm@redhat.com>

	PR analyzer/99212
	* region-model-manager.cc
	(region_model_manager::maybe_fold_binop): Add support for folding
	BIT_AND_EXPR of compound_svalue and a mask constant.
	* region-model.cc (region_model::get_rvalue_1): Implement
	BIT_FIELD_REF in terms of...
	(region_model::get_rvalue_for_bits): New function.
	* region-model.h (region_model::get_rvalue_for_bits): New decl.
	* store.cc (bit_range::from_mask): New function.
	(selftest::test_bit_range_intersects_p): New selftest.
	(selftest::assert_bit_range_from_mask_eq): New.
	(ASSERT_BIT_RANGE_FROM_MASK_EQ): New macro.
	(selftest::assert_no_bit_range_from_mask_eq): New.
	(ASSERT_NO_BIT_RANGE_FROM_MASK): New macro.
	(selftest::test_bit_range_from_mask): New selftest.
	(selftest::analyzer_store_cc_tests): Call the new selftests.
	* store.h (bit_range::intersects_p): New.
	(bit_range::from_mask): New decl.
	(concrete_binding::get_bit_range): New accessor.
	(store_manager::get_concrete_binding): New overload taking
	const bit_range &.

2021-06-08  David Malcolm  <dmalcolm@redhat.com>

	* analyzer.h (int_size_in_bits): New decl.
	* region.cc (int_size_in_bits): New function.
	(region::get_bit_size): Reimplement in terms of the above.

2021-06-08  David Malcolm  <dmalcolm@redhat.com>

	* store.cc (concrete_binding::dump_to_pp): Move bulk of
	implementation to...
	(bit_range::dump_to_pp): ...this new function.
	(bit_range::cmp): New.
	(concrete_binding::overlaps_p): Update for use of bit_range.
	(concrete_binding::cmp_ptr_ptr): Likewise.
	* store.h (struct bit_range): New.
	(class concrete_binding): Replace fields m_start_bit_offset and
	m_size_in_bits with new field m_bit_range.

2021-06-08  David Malcolm  <dmalcolm@redhat.com>

	* svalue.h (conjured_svalue::iterator_t): Delete.

2021-06-03  David Malcolm  <dmalcolm@redhat.com>

	* store.h (store::get_direct_binding): Remove unused decl.
	(store::get_default_binding): Likewise.

2021-06-03  David Malcolm  <dmalcolm@redhat.com>

	* svalue.cc (poisoned_svalue::dump_to_pp): Dump type.
	(compound_svalue::dump_to_pp): Dump any type.

2021-05-18  David Malcolm  <dmalcolm@redhat.com>

	PR analyzer/100615
	* sm-malloc.cc: Include "analyzer/function-set.h".
	(malloc_state_machine::on_stmt): Call unaffected_by_call_p and
	bail on the functions it recognizes.
	(malloc_state_machine::unaffected_by_call_p): New.

2021-05-10  Martin Liska  <mliska@suse.cz>

	* sm-file.cc (is_file_using_fn_p): Use startswith
	function instead of strncmp.

2021-05-10  Martin Liska  <mliska@suse.cz>

	* program-state.cc (program_state::operator=): Remove
	__cplusplus >= 201103.
	(program_state::program_state): Likewise.
	* program-state.h: Likewise.
	* region-model.h (class region_model): Remove dead code.

2021-04-24  David Malcolm  <dmalcolm@redhat.com>

	PR analyzer/100244
	* sm-malloc.cc (free_of_non_heap::describe_state_change):
	Bulletproof against change.m_expr being NULL.

2021-04-13  David Malcolm  <dmalcolm@redhat.com>

	PR analyzer/98599
	* supergraph.cc (saved_uids::make_uid_unique): New.
	(saved_uids::restore_uids): New.
	(supergraph::supergraph): Replace assignments to stmt->uid with
	calls to m_stmt_uids.make_uid_unique.
	(supergraph::~supergraph): New.
	* supergraph.h (class saved_uids): New.
	(supergraph::~supergraph): New decl.
	(supergraph::m_stmt_uids): New field.

2021-04-10  David Malcolm  <dmalcolm@redhat.com>

	PR analyzer/100011
	* region-model.cc (region_model::on_assignment): Avoid NULL
	dereference if ctxt is NULL when assigning from a STRING_CST.

2021-04-08  David Malcolm  <dmalcolm@redhat.com>

	PR analyzer/99042
	PR analyzer/99774
	* engine.cc
	(impl_region_model_context::impl_region_model_context): Add
	uncertainty param and use it to initialize m_uncertainty.
	(impl_region_model_context::get_uncertainty): New.
	(impl_sm_context::get_fndecl_for_call): Add NULL for new
	uncertainty param when constructing impl_region_model_context.
	(impl_sm_context::get_state): Likewise.
	(impl_sm_context::set_next_state): Likewise.
	(impl_sm_context::warn): Likewise.
	(exploded_node::on_stmt): Add uncertainty param
	and use it when constructing impl_region_model_context.
	(exploded_node::on_edge): Add uncertainty param and pass
	to on_edge call.
	(exploded_node::detect_leaks): Create uncertainty_t and pass to
	impl_region_model_context.
	(exploded_graph::get_or_create_node): Create uncertainty_t and
	pass to prune_for_point.
	(maybe_process_run_of_before_supernode_enodes): Create
	uncertainty_t and pass to impl_region_model_context.
	(exploded_graph::process_node): Create uncertainty_t instances and
	pass around as needed.
	* exploded-graph.h
	(impl_region_model_context::impl_region_model_context): Add
	uncertainty param.
	(impl_region_model_context::get_uncertainty): New decl.
	(impl_region_model_context::m_uncertainty): New field.
	(exploded_node::on_stmt): Add uncertainty param.
	(exploded_node::on_edge): Likewise.
	* program-state.cc (sm_state_map::on_liveness_change): Get
	uncertainty from context and use it to unset sm-state from
	svalues as appropriate.
	(program_state::on_edge): Add uncertainty param and use it when
	constructing impl_region_model_context.  Fix indentation.
	(program_state::prune_for_point): Add uncertainty param and use it
	when constructing impl_region_model_context.
	(program_state::detect_leaks): Get any uncertainty from ctxt and
	use it to get maybe-live svalues for dest_state, rather than
	definitely-live ones; use this when determining which svalues
	have leaked.
	(selftest::test_program_state_merging): Create uncertainty_t and
	pass to impl_region_model_context.
	* program-state.h (program_state::on_edge): Add uncertainty param.
	(program_state::prune_for_point): Likewise.
	* region-model-impl-calls.cc (call_details::get_uncertainty): New.
	(region_model::impl_call_memcpy): Pass uncertainty to
	mark_region_as_unknown call.
	(region_model::impl_call_memset): Likewise.
	(region_model::impl_call_strcpy): Likewise.
	* region-model-reachability.cc (reachable_regions::handle_sval):
	Also add sval to m_mutable_svals.
	* region-model.cc (region_model::on_assignment): Pass any
	uncertainty from ctxt to the store::set_value call.
	(region_model::handle_unrecognized_call): Get any uncertainty from
	ctxt and use it to record mutable svalues at the unknown call.
	(region_model::get_reachable_svalues): Add uncertainty param and
	use it to mark any maybe-bound svalues as being reachable.
	(region_model::set_value): Pass any uncertainty from ctxt to the
	store::set_value call.
	(region_model::mark_region_as_unknown): Add uncertainty param and
	pass it on to the store::mark_region_as_unknown call.
	(region_model::update_for_call_summary): Add uncertainty param and
	pass it on to the region_model::mark_region_as_unknown call.
	* region-model.h (call_details::get_uncertainty): New decl.
	(region_model::get_reachable_svalues): Add uncertainty param.
	(region_model::mark_region_as_unknown): Add uncertainty param.
	(region_model_context::get_uncertainty): New vfunc.
	(noop_region_model_context::get_uncertainty): New vfunc
	implementation.
	* store.cc (dump_svalue_set): New.
	(uncertainty_t::dump_to_pp): New.
	(uncertainty_t::dump): New.
	(binding_cluster::clobber_region): Pass NULL for uncertainty to
	remove_overlapping_bindings.
	(binding_cluster::mark_region_as_unknown): Add uncertainty param
	and pass it to remove_overlapping_bindings.
	(binding_cluster::remove_overlapping_bindings): Add uncertainty param.
	Use it to record any svalues that were in clobbered bindings.
	(store::set_value): Add uncertainty param.  Pass it to
	binding_cluster::mark_region_as_unknown when handling symbolic
	regions.
	(store::mark_region_as_unknown): Add uncertainty param and pass it
	to binding_cluster::mark_region_as_unknown.
	(store::remove_overlapping_bindings): Add uncertainty param and
	pass it to binding_cluster::remove_overlapping_bindings.
	* store.h (binding_cluster::mark_region_as_unknown): Add
	uncertainty param.
	(binding_cluster::remove_overlapping_bindings): Likewise.
	(store::set_value): Likewise.
	(store::mark_region_as_unknown): Likewise.

2021-04-05  David Malcolm  <dmalcolm@redhat.com>

	PR analyzer/99906
	* analyzer.cc (maybe_reconstruct_from_def_stmt): Fix NULL
	dereference on calls with zero arguments.
	* sm-malloc.cc (malloc_state_machine::on_stmt): When handling
	__attribute__((nonnull)), only call get_diagnostic_tree if the
	result will be used.

2021-04-05  David Malcolm  <dmalcolm@redhat.com>

	PR analyzer/99886
	* diagnostic-manager.cc
	(diagnostic_manager::prune_interproc_events): Use signed integers
	when subtracting one from path->num_events ().
	(diagnostic_manager::consolidate_conditions): Likewise.  Convert
	next_idx to a signed int.

2021-04-01  David Malcolm  <dmalcolm@redhat.com>

	* diagnostic-manager.cc (diagnostic_manager::add_diagnostic): Make
	enode param non-constant, and call add_diagnostic on it.  Add
	enode index to log message.
	(diagnostic_manager::add_diagnostic): Make enode param
	non-constant.
	* diagnostic-manager.h (diagnostic_manager::add_diagnostic):
	Likewise for both decls.
	* engine.cc
	(impl_region_model_context::impl_region_model_context): Likewise
	for enode_for_diag.
	(impl_sm_context::impl_sm_context): Likewise.
	(impl_sm_context::m_enode_for_diag): Likewise.
	(exploded_node::dump_dot): Don't pass the diagnostic manager
	to dump_saved_diagnostics.
	(exploded_node::dump_saved_diagnostics): Drop param.  Iterate
	directly through all saved diagnostics for the enode, rather
	than all saved diagnostics in the diagnostic_manager and
	filtering.
	(exploded_node::on_stmt): Make non-const.
	(exploded_node::on_edge): Likewise.
	(exploded_node::on_longjmp): Likewise.
	(exploded_node::detect_leaks): Likewise.
	(exploded_graph::get_or_create_node): Make enode_for_diag param
	non-const.
	(exploded_graph_annotator::print_enode): Iterate
	directly through all saved diagnostics for the enode, rather
	than all saved diagnostics in the diagnostic_manager and
	filtering.
	* exploded-graph.h
	(impl_region_model_context::impl_region_model_context): Make
	enode_for_diag param non-constant.
	(impl_region_model_context::m_enode_for_diag): Likewise.
	(exploded_node::dump_saved_diagnostics): Drop param.
	(exploded_node::on_stmt): Make non-const.
	(exploded_node::on_edge): Likewise.
	(exploded_node::on_longjmp): Likewise.
	(exploded_node::detect_leaks): Likewise.
	(exploded_node::add_diagnostic): New.
	(exploded_node::get_num_diagnostics): New.
	(exploded_node::get_saved_diagnostic): New.
	(exploded_node::m_saved_diagnostics): New.
	(exploded_graph::get_or_create_node): Make enode_for_diag param
	non-constant.
	* feasible-graph.cc (feasible_node::dump_dot): Drop
	diagnostic_manager from call to dump_saved_diagnostics.
	* program-state.cc (program_state::on_edge): Convert enode param
	to non-const pointer.
	(program_state::prune_for_point): Likewise for enode_for_diag
	param.
	* program-state.h (program_state::on_edge): Convert enode param
	to non-const pointer.
	(program_state::prune_for_point): Likewise for enode_for_diag
	param.

2021-03-31  David Malcolm  <dmalcolm@redhat.com>

	PR analyzer/99771
	* analyzer.cc (maybe_reconstruct_from_def_stmt): New.
	(fixup_tree_for_diagnostic_1): New.
	(fixup_tree_for_diagnostic): New.
	* analyzer.h (fixup_tree_for_diagnostic): New decl.
	* checker-path.cc (call_event::get_desc): Call
	fixup_tree_for_diagnostic and use it for the call_with_state call.
	(warning_event::get_desc): Likewise for the final_event and
	make_label_text calls.
	* engine.cc (impl_region_model_context::on_state_leak): Likewise
	for the on_leak and add_diagnostic calls.
	* region-model.cc (region_model::get_representative_tree):
	Likewise for the result.

2021-03-30  David Malcolm  <dmalcolm@redhat.com>

	* region.h (region::dump_to_pp): Remove old decl.

2021-03-30  David Malcolm  <dmalcolm@redhat.com>

	* sm-file.cc (fileptr_state_machine::on_stmt): Only call
	get_diagnostic_tree if the result will be used.
	* sm-malloc.cc (malloc_state_machine::on_stmt): Likewise.
	(malloc_state_machine::on_deallocator_call): Likewise.
	(malloc_state_machine::on_realloc_call): Likewise.
	(malloc_state_machine::on_realloc_call): Likewise.
	* sm-sensitive.cc
	(sensitive_state_machine::warn_for_any_exposure): Likewise.
	* sm-taint.cc (taint_state_machine::on_stmt): Likewise.

2021-03-25  David Malcolm  <dmalcolm@redhat.com>

	PR analyzer/93695
	PR analyzer/99044
	PR analyzer/99716
	* engine.cc (exploded_node::on_stmt): Clear sm-state involving
	an SSA name at the def-stmt of that SSA name.
	* program-state.cc (sm_state_map::purge_state_involving): New.
	* program-state.h (sm_state_map::purge_state_involving): New decl.
	* region-model.cc (selftest::test_involves_p): New.
	(selftest::analyzer_region_model_cc_tests): Call it.
	* svalue.cc (class involvement_visitor): New class.
	(svalue::involves_p): New.
	* svalue.h (svalue::involves_p): New decl.

2021-03-19  David Malcolm  <dmalcolm@redhat.com>

	PR analyzer/99614
	* diagnostic-manager.cc (class epath_finder): Add
	DISABLE_COPY_AND_ASSIGN.

2021-03-15  Martin Liska  <mliska@suse.cz>

	* sm-file.cc (get_file_using_fns): Add missing comma in initializer.

2021-03-11  David Malcolm  <dmalcolm@redhat.com>

	PR analyzer/96374
	* analyzer.opt (-param=analyzer-max-infeasible-edges=): New param.
	(fdump-analyzer-feasibility): New flag.
	* diagnostic-manager.cc: Include "analyzer/trimmed-graph.h" and
	"analyzer/feasible-graph.h".
	(epath_finder::epath_finder): Convert m_sep to a pointer and
	only create it if !flag_analyzer_feasibility.
	(epath_finder::~epath_finder): New.
	(epath_finder::m_sep): Convert to a pointer.
	(epath_finder::get_best_epath): Add param "diag_idx" and use it
	when logging.  Rather than finding the shortest path and then
	checking feasibility, instead use explore_feasible_paths unless
	!flag_analyzer_feasibility, in which case simply use the shortest
	path, and note if it is infeasible.  Update for m_sep becoming a
	pointer.
	(class feasible_worklist): New.
	(epath_finder::explore_feasible_paths): New.
	(epath_finder::process_worklist_item): New.
	(class dump_eg_with_shortest_path): New.
	(epath_finder::dump_trimmed_graph): New.
	(epath_finder::dump_feasible_graph): New.
	(saved_diagnostic::saved_diagnostic): Add "idx" param, using it
	on new field m_idx.
	(saved_diagnostic::to_json): Dump m_idx.
	(saved_diagnostic::calc_best_epath): Pass m_idx to get_best_epath.
	Remove assertion that m_problem was set when m_best_epath is NULL.
	(diagnostic_manager::add_diagnostic): Pass an index when creating
	saved_diagnostic instances.
	* diagnostic-manager.h (saved_diagnostic::saved_diagnostic): Add
	"idx" param.
	(saved_diagnostic::get_index): New accessor.
	(saved_diagnostic::m_idx): New field.
	* engine.cc (exploded_node::dump_dot): Call args.dump_extra_info.
	Move code to...
	(exploded_node::dump_processed_stmts): ...this new function and...
	(exploded_node::dump_saved_diagnostics): ...this new function.
	Add index of each diagnostic.
	(exploded_edge::dump_dot): Move bulk of code to...
	(exploded_edge::dump_dot_label): ...this new function.
	* exploded-graph.h (eg_traits::dump_args_t::dump_extra_info): New
	vfunc.
	(exploded_node::dump_processed_stmts): New decl.
	(exploded_node::dump_saved_diagnostics): New decl.
	(exploded_edge::dump_dot_label): New decl.
	* feasible-graph.cc: New file.
	* feasible-graph.h: New file.
	* trimmed-graph.cc: New file.
	* trimmed-graph.h: New file.

2021-03-11  David Malcolm  <dmalcolm@redhat.com>

	* diagnostic-manager.cc (epath_finder::epath_finder):
	Update shortest_paths init for new param.

2021-03-10  David Malcolm  <dmalcolm@redhat.com>

	PR analyzer/96374
	* engine.cc (exploded_path::feasible_p): Move "snodes_visited" and
	"model" locals into a new class feasibility_state.  Move heart
	of per-edge processing into
	feasibility_state::maybe_update_for_edge.
	(feasibility_state::feasibility_state): New.
	(feasibility_state::maybe_update_for_edge): New, based on loop
	body in exploded_path::feasible_p.
	* exploded-graph.h (class feasibility_state): New.

2021-03-10  David Malcolm  <dmalcolm@redhat.com>

	* supergraph.h
	(callgraph_superedge::dyn_cast_callgraph_superedge): New.
	(call_superedge::dyn_cast_callgraph_superedge): Delete.
	(return_superedge::dyn_cast_callgraph_superedge): Delete.

2021-03-02  Martin Liska  <mliska@suse.cz>

	* diagnostic-manager.cc (diagnostic_manager::emit_saved_diagnostics):
	Do not pass engine.

2021-02-26  David Malcolm  <dmalcolm@redhat.com>

	* engine.cc (exploded_path::exploded_path): New copy-ctor.
	* exploded-graph.h (exploded_path::operator=): Drop decl.

2021-02-26  David Malcolm  <dmalcolm@redhat.com>

	PR analyzer/96374
	* diagnostic-manager.cc (class epath_finder): New.
	(epath_finder::get_best_epath): New.
	(saved_diagnostic::saved_diagnostic): Update for replacement of
	m_state and m_epath_length with m_best_epath.
	(saved_diagnostic::~saved_diagnostic): Delete m_best_epath.
	(saved_diagnostic::to_json): Update "path_length" to be optional.
	(saved_diagnostic::calc_best_epath): New, based on
	dedupe_winners::add and parts of dedupe_key::dedupe_key.
	(saved_diagnostic::get_epath_length): New.
	(saved_diagnostic::add_duplicate): New.
	(dedupe_key::dedupe_key): Drop epath param.  Move invocation of
	stmt_finder to saved_diagnostic::calc_best_epath.
	(class dedupe_candidate): Delete.
	(class dedupe_hash_map_traits): Update to use saved_diagnostic *
	rather than dedupe_candidate * as the value_type/compare_type.
	(dedupe_winners::~dedupe_winners): Don't delete the values.
	(dedupe_winners::add): Convert param from shortest_exploded_paths to
	epath_finder.  Drop "eg" param.  Drop dedupe_candidate, moving
	path generation and feasibility checking to
	epath_finder::get_best_epath.  Update winner-selection for move
	of epaths from dedupe_candidate to saved_diagnostic.
	(dedupe_winners::emit_best): Update for removal of class
	dedupe_candidate.
	(dedupe_winners::map_t): Update to use saved_diagnostic * rather
	than dedupe_candidate * as the value_type/compare_type.
	(diagnostic_manager::emit_saved_diagnostics): Move
	shortest_exploded_paths instance into epath_finder and pass that
	around instead.
	(diagnostic_manager::emit_saved_diagnostic): Drop epath, stmt
	and num_dupes params, instead getting these from the
	saved_diagnostic.  Use correct location in inform_n call.
	* diagnostic-manager.h (class epath_finder): New forward decl.
	(saved_diagnostic::status): Drop enum.
	(saved_diagnostic::set_feasible): Drop.
	(saved_diagnostic::set_infeasible): Drop.
	(saved_diagnostic::get_status): Drop.
	(saved_diagnostic::calc_best_epath): New decl.
	(saved_diagnostic::get_best_epath): New decl.
	(saved_diagnostic::get_epath_length): New decl.
	(saved_diagnostic::set_epath_length): Drop.
	(saved_diagnostic::get_epath_length): Drop inline implementation.
	(saved_diagnostic::add_duplicate): New.
	(saved_diagnostic::get_num_dupes): New.
	(saved_diagnostic::m_d): Document ownership.
	(saved_diagnostic::m_trailing_eedge): Make const.
	(saved_diagnostic::m_status): Drop field.
	(saved_diagnostic::m_epath_length): Drop field.
	(saved_diagnostic::m_best_epath): New field.
	(saved_diagnostic::m_problem): Document ownership.
	(saved_diagnostic::m_duplicates): New field.
	(diagnostic_manager::emit_saved_diagnostic): Drop params epath,
	stmt, and num_dupes.
	* engine.cc (exploded_graph_annotator::print_saved_diagnostic):
	Update for changes to saved_diagnostic class.
	* exploded-graph.h (exploded_path::feasible_p): Drop unused
	overloaded decl.

2021-02-25  David Malcolm  <dmalcolm@redhat.com>

	PR analyzer/99193
	* region-model-impl-calls.cc (region_model::impl_call_realloc): New.
	* region-model.cc (region_model::on_call_pre): Call it.
	* region-model.h (region_model::impl_call_realloc): New decl.
	* sm-malloc.cc (enum wording): Add WORDING_REALLOCATED.
	(malloc_state_machine::m_realloc): New field.
	(use_after_free::describe_state_change): Add case for
	WORDING_REALLOCATED.
	(use_after_free::describe_final_event): Likewise.
	(malloc_state_machine::malloc_state_machine): Initialize
	m_realloc.
	(malloc_state_machine::on_stmt): Handle realloc by calling...
	(malloc_state_machine::on_realloc_call): New.

2021-02-22  David Malcolm  <dmalcolm@redhat.com>

	PR analyzer/99196
	* engine.cc (exploded_node::on_stmt): Provide terminate_path
	flag as a way for on_call_pre to terminate the current analysis
	path.
	* region-model-impl-calls.cc (call_details::num_args): New.
	(region_model::impl_call_error): New.
	* region-model.cc (region_model::on_call_pre): Add param
	"out_terminate_path".  Handle "error" and "error_at_line".
	* region-model.h (call_details::num_args): New decl.
	(region_model::on_call_pre): Add param "out_terminate_path".
	(region_model::impl_call_error): New decl.

2021-02-17  David Malcolm  <dmalcolm@redhat.com>

	PR analyzer/98969
	* constraint-manager.cc (dead_svalue_purger::should_purge_p):
	Update for change to svalue::live_p.
	* program-state.cc (sm_state_map::on_liveness_change): Likewise.
	(program_state::detect_leaks): Likewise.
	* region-model-reachability.cc (reachable_regions::init_cluster):
	When dealing with a symbolic region, if the underlying pointer is
	implicitly live, add the region to the reachable regions.
	* region-model.cc (region_model::compare_initial_and_pointer):
	Move logic for detecting initial values of params to
	initial_svalue::initial_value_of_param_p.
	* svalue.cc (svalue::live_p): Convert "live_svalues" from a
	reference to a pointer; support it being NULL.
	(svalue::implicitly_live_p): Convert first param from a
	reference to a pointer.
	(region_svalue::implicitly_live_p): Likewise.
	(constant_svalue::implicitly_live_p): Likewise.
	(initial_svalue::implicitly_live_p): Likewise.  Treat the initial
	values of params for the top level frame as still live.
	(initial_svalue::initial_value_of_param_p): New function, taken
	from a test in region_model::compare_initial_and_pointer.
	(unaryop_svalue::implicitly_live_p): Convert first param from a
	reference to a pointer.
	(binop_svalue::implicitly_live_p): Likewise.
	(sub_svalue::implicitly_live_p): Likewise.
	(unmergeable_svalue::implicitly_live_p): Likewise.
	* svalue.h (svalue::live_p): Likewise.
	(svalue::implicitly_live_p): Likewise.
	(region_svalue::implicitly_live_p): Likewise.
	(constant_svalue::implicitly_live_p): Likewise.
	(initial_svalue::implicitly_live_p): Likewise.
	(initial_svalue::initial_value_of_param_p): New decl.
	(unaryop_svalue::implicitly_live_p): Convert first param from a
	reference to a pointer.
	(binop_svalue::implicitly_live_p): Likewise.
	(sub_svalue::implicitly_live_p): Likewise.
	(unmergeable_svalue::implicitly_live_p): Likewise.

2021-02-12  David Malcolm  <dmalcolm@redhat.com>

	PR analyzer/98969
	* engine.cc (readability): Add names for the various arbitrary
	values.  Handle NOP_EXPR and INTEGER_CST.
	(readability_comparator): Combine the readability tests for
	tree and stack depth, rather than performing them sequentially.
	(impl_region_model_context::on_state_leak): Strip off top-level
	casts.
	* region-model.cc (region_model::get_representative_path_var): Add
	type-checking, moving the bulk of the implementation to...
	(region_model::get_representative_path_var_1): ...here.  Respect
	types in casts by recursing and re-adding the cast, rather than
	merely stripping them off.  Use the correct type when handling
	region_svalue.
	(region_model::get_representative_tree): Strip off any top-level
	cast.
	(region_model::get_representative_path_var): Add type-checking,
	moving the bulk of the implementation to...
	(region_model::get_representative_path_var_1): ...here.
	* region-model.h (region_model::get_representative_path_var_1):
	New decl.
	(region_model::get_representative_path_var_1): New decl.
	* store.cc (append_pathvar_with_type): New.
	(binding_cluster::get_representative_path_vars): Cast path_vars
	to the correct type when adding them to *OUT_PVS.

2021-02-09 David Malcolm <dmalcolm@redhat.com>

	PR analyzer/98575
	* sm-file.cc (is_file_using_fn_p): Support "_IO_"-prefixed
	variants.

2021-02-09 David Malcolm <dmalcolm@redhat.com>

	PR analyzer/98575
	* store.cc (store::set_value): Treat a pointer written to *UNKNOWN
	as having escaped.

2021-02-02 David Malcolm <dmalcolm@redhat.com>

	PR analyzer/93355
	PR analyzer/96374
	* engine.cc (toplevel_function_p): Simplify so that
	we only reject functions with a "__analyzer_" prefix.
	(add_any_callbacks): Delete.
	(exploded_graph::build_initial_worklist): Update for
	dropped param of toplevel_function_p.
	(exploded_graph::build_initial_worklist): Don't bother
	looking for callbacks that are reachable from global
	initializers.

2021-02-01 David Malcolm <dmalcolm@redhat.com>

	PR analyzer/98918
	* region-model-manager.cc
	(region_model_manager::get_or_create_initial_value):
	Fold the initial value of *UNKNOWN_PTR to an UNKNOWN value.
	(region_model_manager::get_field_region): Fold the value
	of UNKNOWN_PTR->FIELD to *UNKNOWN_PTR_OF_&FIELD_TYPE.

2021-01-29 David Malcolm <dmalcolm@redhat.com>

	* checker-path.cc (event_kind_to_string): Handle
	EK_START_CONSOLIDATED_CFG_EDGES and
	EK_END_CONSOLIDATED_CFG_EDGES.
	(start_consolidated_cfg_edges_event::get_desc): New.
	(checker_path::cfg_edge_pair_at_p): New.
	* checker-path.h (enum event_kind): Add
	EK_START_CONSOLIDATED_CFG_EDGES and
	EK_END_CONSOLIDATED_CFG_EDGES.
	(class start_consolidated_cfg_edges_event): New class.
	(class end_consolidated_cfg_edges_event): New class.
	(checker_path::delete_events): New.
	(checker_path::replace_event): New.
	(checker_path::cfg_edge_pair_at_p): New decl.
	* diagnostic-manager.cc (diagnostic_manager::prune_path): Call
	consolidate_conditions.
	(same_line_as_p): New.
	(diagnostic_manager::consolidate_conditions): New.
	* diagnostic-manager.h
	(diagnostic_manager::consolidate_conditions): New decl.

2021-01-18 David Malcolm <dmalcolm@redhat.com>

	* analyzer.h (is_std_named_call_p): New decl.
	* diagnostic-manager.cc (path_builder::get_sm): New.
	(state_change_event_creator::state_change_event_creator): Add "pb"
	param.
	(state_change_event_creator::on_global_state_change): Don't consider
	state changes affecting other state_machines.
	(state_change_event_creator::on_state_change): Likewise.
	(state_change_event_creator::m_pb): New field.
	(diagnostic_manager::add_events_for_eedge): Pass pb to visitor
	ctor.
	* region-model-impl-calls.cc
	(region_model::impl_deallocation_call): New.
	* region-model.cc: Include "attribs.h".
	(region_model::on_call_post): Handle fndecls referenced by
	__attribute__((deallocated_by(FOO))).
	* region-model.h (region_model::impl_deallocation_call): New decl.
	* sm-malloc.cc: Include "stringpool.h" and "attribs.h". Add
	leading comment.
	(class api): Delete.
	(enum resource_state): Update comment for change from api to
	deallocator and deallocator_set.
	(allocation_state::allocation_state): Drop api param. Add
	"deallocators" and "deallocator".
	(allocation_state::m_api): Drop field in favor of...
	(allocation_state::m_deallocators): New field.
	(allocation_state::m_deallocator): New field.
	(enum wording): Add WORDING_DEALLOCATED.
	(struct deallocator): New.
	(struct standard_deallocator): New.
	(struct custom_deallocator): New.
	(struct deallocator_set): New.
	(struct custom_deallocator_set): New.
	(struct standard_deallocator_set): New.
	(struct deallocator_set_map_traits): New.
	(malloc_state_machine::m_malloc): Drop field.
	(malloc_state_machine::m_scalar_new): Likewise.
	(malloc_state_machine::m_vector_new): Likewise.
	(malloc_state_machine::m_free): New field.
	(malloc_state_machine::m_scalar_delete): Likewise.
	(malloc_state_machine::m_vector_delete): Likewise.
	(malloc_state_machine::deallocator_map_t): New typedef.
	(malloc_state_machine::m_deallocator_map): New field.
	(malloc_state_machine::deallocator_set_cache_t): New typedef.
	(malloc_state_machine::m_custom_deallocator_set_cache): New field.
	(malloc_state_machine::custom_deallocator_set_map_t): New typedef.
	(malloc_state_machine::m_custom_deallocator_set_map): New field.
	(malloc_state_machine::m_dynamic_sets): New field.
	(malloc_state_machine::m_dynamic_deallocators): New field.
	(api::api): Delete.
	(deallocator::deallocator): New ctor.
	(deallocator::hash): New.
	(deallocator::dump_to_pp): New.
	(deallocator::cmp): New.
	(deallocator::cmp_ptr_ptr): New.
	(standard_deallocator::standard_deallocator): New ctor.
	(deallocator_set::deallocator_set): New ctor.
	(deallocator_set::dump): New.
	(custom_deallocator_set::custom_deallocator_set): New ctor.
	(custom_deallocator_set::contains_p): New.
	(custom_deallocator_set::maybe_get_single): New.
	(custom_deallocator_set::dump_to_pp): New.
	(standard_deallocator_set::standard_deallocator_set): New ctor.
	(standard_deallocator_set::contains_p): New.
	(standard_deallocator_set::maybe_get_single): New.
	(standard_deallocator_set::dump_to_pp): New.
	(start_p): New.
	(class mismatching_deallocation): Update for conversion from api
	to deallocator_set and deallocator.
	(double_free::emit): Use %qs.
	(class use_after_free): Update for conversion from api to
	deallocator_set and deallocator.
	(malloc_leak::describe_state_change): Only emit "allocated here" on
	a start->nonnull transition, rather than on other transitions to
	nonnull.
	(allocation_state::dump_to_pp): Update for conversion from api to
	deallocator_set.
	(allocation_state::get_nonnull): Likewise.
	(malloc_state_machine::malloc_state_machine): Likewise.
	(malloc_state_machine::~malloc_state_machine): New.
	(malloc_state_machine::add_state): Update for conversion from api
	to deallocator_set.
	(malloc_state_machine::get_or_create_custom_deallocator_set): New.
	(malloc_state_machine::maybe_create_custom_deallocator_set): New.
	(malloc_state_machine::get_or_create_deallocator): New.
	(malloc_state_machine::on_stmt): Update for conversion from api
	to deallocator_set. Handle "__attribute__((malloc(FOO)))", and
	the special attribute set on FOO.
	(malloc_state_machine::on_allocator_call): Update for conversion
	from api to deallocator_set. Add "returns_nonnull" param and use
	it to affect which state to transition to.
	(malloc_state_machine::on_deallocator_call): Update for conversion
	from api to deallocator_set.

2021-01-14 David Malcolm <dmalcolm@redhat.com>

	* engine.cc (strongly_connected_components::to_json): New.
	(worklist::to_json): New.
	(exploded_graph::to_json): JSON-ify the worklist.
	* exploded-graph.h (strongly_connected_components::to_json): New
	decl.
	(worklist::to_json): New decl.
	* store.cc (store::to_json): Fix comment.
	* supergraph.cc (supernode::to_json): Fix reference to
	"returning_call" in comment. Add optional "fun" to JSON.
	(edge_kind_to_string): New.
	(superedge::to_json): Add "kind" to JSON.

2021-01-14 David Malcolm <dmalcolm@redhat.com>

	PR analyzer/98679
	* analyzer.h (region_offset::operator==): Make const.
	* pending-diagnostic.h (pending_diagnostic::equal_p): Likewise.
	* store.h (binding_cluster::for_each_value): Likewise.
	(binding_cluster::for_each_binding): Likewise.

2021-01-12 David Malcolm <dmalcolm@redhat.com>

	PR analyzer/98628
	* store.cc (binding_cluster::make_unknown_relative_to): Don't mark
	dereferenced unknown pointers as having escaped.

2021-01-07 David Malcolm <dmalcolm@redhat.com>

	PR analyzer/98580
	* region.cc (decl_region::get_svalue_for_initializer): Gracefully
	handle when LTO writes out DECL_INITIAL as error_mark_node.

2021-01-07 David Malcolm <dmalcolm@redhat.com>

	PR analyzer/97074
	* store.cc (binding_cluster::can_merge_p): Add "out_store" param
	and pass to calls to binding_cluster::make_unknown_relative_to.
	(binding_cluster::make_unknown_relative_to): Add "out_store"
	param. Use it to mark base regions that are pointed to by
	pointers that become unknown as having escaped.
	(store::can_merge_p): Pass out_store to
	binding_cluster::can_merge_p.
	* store.h (binding_cluster::can_merge_p): Add "out_store" param.
	(binding_cluster::make_unknown_relative_to): Likewise.
	* svalue.cc (region_svalue::implicitly_live_p): New vfunc.
	* svalue.h (region_svalue::implicitly_live_p): New vfunc decl.

2021-01-07 David Malcolm <dmalcolm@redhat.com>

	PR analyzer/98564
	* engine.cc (exploded_path::feasible_p): Add missing call to
	bitmap_clear.

2021-01-06 David Malcolm <dmalcolm@redhat.com>

	PR analyzer/97072
	* region-model-reachability.cc (reachable_regions::init_cluster):
	Convert symbolic region handling to a switch statement. Add cases
	to handle SK_UNKNOWN and SK_CONJURED.

2021-01-05 David Malcolm <dmalcolm@redhat.com>

	PR analyzer/98293
	* store.cc (binding_map::apply_ctor_to_region): When "index" is
	NULL, iterate through the fields for RECORD_TYPEs, rather than
	creating an INTEGER_CST index.

2020-11-30 David Malcolm <dmalcolm@redhat.com>

	* analyzer-pass.cc: Include "analyzer/analyzer.h" for the
	declaration of sorry_no_analyzer; include "tree.h" and
	"function.h" as these are needed by it.

2020-11-30 David Malcolm <dmalcolm@redhat.com>

	* analyzer-pass.cc (pass_analyzer::execute): Move sorry call to...
	(sorry_no_analyzer): New.
	* analyzer.h (class state_machine): New forward decl.
	(class logger): New forward decl.
	(class plugin_analyzer_init_iface): New.
	(sorry_no_analyzer): New decl.
	* checker-path.cc (checker_path::fixup_locations): New.
	* checker-path.h (checker_event::set_location): New.
	(checker_path::fixup_locations): New decl.
	* diagnostic-manager.cc
	(diagnostic_manager::emit_saved_diagnostic): Call
	checker_path::fixup_locations, and call fixup_location
	on the primary location.
	* engine.cc: Include "plugin.h".
	(class plugin_analyzer_init_impl): New.
	(impl_run_checkers): Invoke PLUGIN_ANALYZER_INIT callbacks.
	* pending-diagnostic.h (pending_diagnostic::fixup_location): New
	vfunc.

2020-11-18 David Malcolm <dmalcolm@redhat.com>

	PR analyzer/97893
	* sm-malloc.cc (null_deref::emit): Use CWE-476 rather than
	CWE-690, as this isn't due to an unchecked return value.
	(null_arg::emit): Likewise.

2020-11-12 David Malcolm <dmalcolm@redhat.com>

	* checker-path.h (checker_event::get_id_ptr): New.
	* diagnostic-manager.cc (path_builder::path_builder): Add "sd"
	param and use it to initialize new field "m_sd".
	(path_builder::get_pending_diagnostic): New.
	(path_builder::m_sd): New field.
	(diagnostic_manager::emit_saved_diagnostic): Pass sd to
	path_builder ctor.
	(diagnostic_manager::add_events_for_superedge): Call new
	maybe_add_custom_events_for_superedge vfunc.
	* engine.cc (stale_jmp_buf::stale_jmp_buf): Add "setjmp_point"
	param and use it to initialize new field "m_setjmp_point".
	Initialize new field "m_stack_pop_event".
	(stale_jmp_buf::maybe_add_custom_events_for_superedge): New vfunc
	implementation.
	(stale_jmp_buf::describe_final_event): New vfunc implementation.
	(stale_jmp_buf::m_setjmp_point): New field.
	(stale_jmp_buf::m_stack_pop_event): New field.
	(exploded_node::on_longjmp): Pass setjmp_point to stale_jmp_buf
	ctor.
	* pending-diagnostic.h
	(pending_diagnostic::maybe_add_custom_events_for_superedge): New
	vfunc.

2020-11-12 David Malcolm <dmalcolm@redhat.com>

	PR tree-optimization/97424
	* analyzer.opt (Wanalyzer-shift-count-negative): New.
	(Wanalyzer-shift-count-overflow): New.
	* region-model.cc (class shift_count_negative_diagnostic): New.
	(class shift_count_overflow_diagnostic): New.
	(region_model::get_gassign_result): Complain about shift counts that
	are negative or are >= the operand's type's width.

2020-11-10 Martin Liska <mliska@suse.cz>

	* constraint-manager.cc (constraint_manager::merge): Remove
	unused code.
	* constraint-manager.h: Likewise.
	* program-state.cc (sm_state_map::sm_state_map): Likewise.
	(program_state::program_state): Likewise.
	(test_sm_state_map): Likewise.
	* program-state.h: Likewise.
	* region-model-reachability.cc (reachable_regions::reachable_regions): Likewise.
	* region-model-reachability.h: Likewise.
	* region-model.cc (region_model::handle_unrecognized_call): Likewise.
	(region_model::get_reachable_svalues): Likewise.
	(region_model::can_merge_with_p): Likewise.

2020-11-05 David Malcolm <dmalcolm@redhat.com>

	PR analyzer/97668
	* svalue.cc (cmp_cst): Handle COMPLEX_CST.

2020-10-29 David Malcolm <dmalcolm@redhat.com>

	* program-state.cc (sm_state_map::on_liveness_change): Sort the
	leaking svalues before calling on_state_leak.
	(program_state::detect_leaks): Likewise when calling
	on_svalue_leak.
	* region-model-reachability.cc
	(reachable_regions::mark_escaped_clusters): Likewise when
	calling on_escaped_function.

2020-10-29 David Malcolm <dmalcolm@redhat.com>

	PR analyzer/97608
	* region-model-reachability.cc (reachable_regions::handle_sval):
	Operands of reachable reversible operations are reachable.

2020-10-29 David Malcolm <dmalcolm@redhat.com>

	* analyzer.h (class state_machine): New forward decl.
	(class logger): Likewise.
	(class visitor): Likewise.
	* complexity.cc: New file, taken from svalue.cc.
	* complexity.h: New file, taken from region-model.h.
	* region-model.h: Include "analyzer/svalue.h" and
	"analyzer/region.h". Move struct complexity to complexity.h.
	Move svalue, its subclasses and supporting decls to svalue.h.
	Move region, its subclasses and supporting decls to region.h.
	* region.cc: Include "analyzer/region.h".
	(symbolic_region::symbolic_region): Move here from region-model.h.
	* region.h: New file, based on material from region-model.h.
	* svalue.cc: Include "analyzer/svalue.h".
	(complexity::complexity): Move to complexity.cc.
	(complexity::from_pair): Likewise.
	* svalue.h: New file, based on material from region-model.h.

2020-10-29 David Malcolm <dmalcolm@redhat.com>

	* program-state.cc (sm_state_map::print): Guard the printing of
	the origin pointer with !flag_dump_noaddr.
	* region.cc (string_region::dump_to_pp): Likewise for
	m_string_cst.

2020-10-27 David Malcolm <dmalcolm@redhat.com>

	PR analyzer/97568
	* region-model.cc (region_model::get_initial_value_for_global):
	Move check that !DECL_EXTERNAL from here to...
	* region.cc (decl_region::get_svalue_for_initializer): ...here,
	using it to reject zero initialization.

2020-10-27 Markus Böck <markus.boeck02@gmail.com>

	PR analyzer/96608
	* store.h (hash): Cast to intptr_t instead of long.

2020-10-27 David Malcolm <dmalcolm@redhat.com>

	* constraint-manager.cc (svalue_cmp_by_ptr): Delete.
	(equiv_class::canonicalize): Use svalue::cmp_ptr_ptr instead.
	(equiv_class_cmp): Eliminate pointer comparison.
	* diagnostic-manager.cc (dedupe_key::comparator): If they are at
	the same location, also compare epath length and pending_diagnostic
	kind.
	* engine.cc (readability_comparator): If two path_vars have the
	same readability, then impose an arbitrary ordering on them.
	(worklist::key_t::cmp): If two points have the same plan ordering,
	continue the comparison. Call sm_state_map::cmp rather than
	comparing hash values.
	* program-state.cc (sm_state_map::entry_t::cmp): New.
	(sm_state_map::cmp): New.
	* program-state.h (sm_state_map::entry_t::cmp): New decl.
	(sm_state_map::elements): New.
	(sm_state_map::cmp): New.

2020-10-27 David Malcolm <dmalcolm@redhat.com>

	* engine.cc (setjmp_record::cmp): New.
	(supernode_cluster::dump_dot): Avoid embedding pointer in cluster
	name.
	(supernode_cluster::cmp_ptr_ptr): New.
	(function_call_string_cluster::dump_dot): Avoid embedding pointer
	in cluster name. Sort m_map when dumping child clusters.
	(function_call_string_cluster::cmp_ptr_ptr): New.
	(root_cluster::dump_dot): Sort m_map when dumping child clusters.
	* program-point.cc (function_point::cmp): New.
	(function_point::cmp_ptr): New.
	* program-point.h (function_point::cmp): New decl.
	(function_point::cmp_ptr): New decl.
	* program-state.cc (sm_state_map::print): Sort the values. Guard
	the printing of pointers with !flag_dump_noaddr.
	(program_state::prune_for_point): Sort the regions.
	(log_set_of_svalues): Sort the values. Guard the printing of
	pointers with !flag_dump_noaddr.
	* region-model-manager.cc (log_uniq_map): Sort the values.
	* region-model-reachability.cc (dump_set): New function template.
	(reachable_regions::dump_to_pp): Use it.
	* region-model.h (svalue::cmp_ptr): New decl.
	(svalue::cmp_ptr_ptr): New decl.
	(setjmp_record::cmp): New decl.
	(placeholder_svalue::get_name): New accessor.
	(widening_svalue::get_point): New accessor.
	(compound_svalue::get_map): New accessor.
	(conjured_svalue::get_stmt): New accessor.
	(conjured_svalue::get_id_region): New accessor.
	(region::cmp_ptrs): Rename to...
	(region::cmp_ptr_ptr): ...this.
	* region.cc (region::cmp_ptrs): Rename to...
	(region::cmp_ptr_ptr): ...this.
	* state-purge.cc
	(state_purge_per_ssa_name::state_purge_per_ssa_name): Sort
	m_points_needing_name when dumping.
	* store.cc (concrete_binding::cmp_ptr_ptr): New.
	(symbolic_binding::cmp_ptr_ptr): New.
	(binding_map::cmp): New.
	(get_sorted_parent_regions): Update for renaming of
	region::cmp_ptrs to region::cmp_ptr_ptr.
	(store::dump_to_pp): Likewise.
	(store::to_json): Likewise.
	(store::can_merge_p): Sort the base regions before considering
	them.
	* store.h (concrete_binding::cmp_ptr_ptr): New decl.
	(symbolic_binding::cmp_ptr_ptr): New decl.
	(binding_map::cmp): New decl.
	* supergraph.cc (supergraph::supergraph): Assign UIDs to the
	gimple stmts.
	* svalue.cc (cmp_cst): New.
	(svalue::cmp_ptr): New.
	(svalue::cmp_ptr_ptr): New.

2020-10-27 David Malcolm <dmalcolm@redhat.com>

	* engine.cc (exploded_graph::get_or_create_node): Fix off-by-one
	when imposing param_analyzer_max_enodes_per_program_point limit.

2020-10-27 David Malcolm <dmalcolm@redhat.com>

	* region-model.cc (region_model::get_representative_path_var):
	Implement case RK_LABEL.
	* region-model.h (label_region::get_label): New accessor.

2020-10-22 David Malcolm <dmalcolm@redhat.com>

	PR analyzer/97514
	* engine.cc (exploded_graph::add_function_entry): Handle failure
	to create an enode, rather than asserting.

2020-10-22 David Malcolm <dmalcolm@redhat.com>

	PR analyzer/97489
	* engine.cc (exploded_graph::add_function_entry): Assert that we
	have a function body.
	(exploded_graph::on_escaped_function): Reject fndecls that don't
	have a function body.

2020-10-14 David Malcolm <dmalcolm@redhat.com>

	PR analyzer/93388
	* region-model.cc (region_model::get_initial_value_for_global):
	Fall back to returning an initial_svalue if
	decl_region::get_svalue_for_initializer fails.
	* region.cc (decl_region::get_svalue_for_initializer): Don't
	attempt to create a compound_svalue if the region has an unknown
	size.

2020-10-14 David Malcolm <dmalcolm@redhat.com>

	PR analyzer/93723
	* store.cc (binding_map::apply_ctor_to_region): Remove redundant
	assertion.

2020-10-12 David Malcolm <dmalcolm@redhat.com>

	PR analyzer/97258
	* engine.cc (impl_region_model_context::on_escaped_function): New
	vfunc.
	(exploded_graph::add_function_entry): Use m_functions_with_enodes
	to implement idempotency.
	(add_any_callbacks): New.
	(exploded_graph::build_initial_worklist): Use the above to find
	callbacks that are reachable from global initializers.
	(exploded_graph::on_escaped_function): New.
	* exploded-graph.h
	(impl_region_model_context::on_escaped_function): New decl.
	(exploded_graph::on_escaped_function): New decl.
	(exploded_graph::m_functions_with_enodes): New field.
	* region-model-reachability.cc
	(reachable_regions::reachable_regions): Replace "store" param with
	"model" param; use it to initialize m_model.
	(reachable_regions::add): When getting the svalue for the region,
	call get_store_value on the model rather than using an initial
	value.
	(reachable_regions::mark_escaped_clusters): Add ctxt param and
	use it to call on_escaped_function when a function_region escapes.
	* region-model-reachability.h
	(reachable_regions::reachable_regions): Replace "store" param with
	"model" param.
	(reachable_regions::mark_escaped_clusters): Add ctxt param.
	(reachable_regions::m_model): New field.
	* region-model.cc (region_model::handle_unrecognized_call): Update
	for change in reachable_regions ctor.
	(region_model::handle_unrecognized_call): Pass ctxt to
	mark_escaped_clusters.
	(region_model::get_reachable_svalues): Update for change in
	reachable_regions ctor.
	(region_model::get_initial_value_for_global): Read-only variables
	keep their initial values.
	* region-model.h (region_model_context::on_escaped_function): New
	vfunc.
	(noop_region_model_context::on_escaped_function): New.

2020-10-12 David Malcolm <dmalcolm@redhat.com>

	* analyzer.opt (Wanalyzer-write-to-const): New.
	(Wanalyzer-write-to-string-literal): New.
	* region-model-impl-calls.cc (region_model::impl_call_memcpy):
	Call check_for_writable_region.
	(region_model::impl_call_memset): Likewise.
	(region_model::impl_call_strcpy): Likewise.
	* region-model.cc (class write_to_const_diagnostic): New.
	(class write_to_string_literal_diagnostic): New.
	(region_model::check_for_writable_region): New.
	(region_model::set_value): Call check_for_writable_region.
	* region-model.h (region_model::check_for_writable_region): New
	decl.

2020-10-07 David Malcolm <dmalcolm@redhat.com>

	PR analyzer/97116
	* sm-malloc.cc (method_p): New.
	(describe_argument_index): New.
	(inform_nonnull_attribute): Use describe_argument_index.
	(possible_null_arg::describe_final_event): Likewise.
	(null_arg::describe_final_event): Likewise.

2020-09-29 David Malcolm <dmalcolm@redhat.com>

	PR analyzer/95188
	* engine.cc (stmt_requires_new_enode_p): Split enodes before
	"signal" calls.

2020-09-29 David Malcolm <dmalcolm@redhat.com>

	* constraint-manager.cc
	(constraint_manager::add_constraint_internal): Whitespace fixes.
	Silence -Wsign-compare warning.
	* engine.cc (maybe_process_run_of_before_supernode_enodes):
	Silence -Wsign-compare warning.

2020-09-28 David Malcolm <dmalcolm@redhat.com>

	* region-model.h (binop_svalue::dyn_cast_binop_svalue): Remove
	redundant "virtual". Add FINAL OVERRIDE.
	(widening_svalue::dyn_cast_widening_svalue): Add FINAL OVERRIDE.
	(compound_svalue::dyn_cast_compound_svalue): Likewise.
	(conjured_svalue::dyn_cast_conjured_svalue): Likewise.

2020-09-28 David Malcolm <dmalcolm@redhat.com>

	* diagnostic-manager.cc (null_assignment_sm_context::m_visitor):
	Remove unused field.

2020-09-28 David Malcolm <dmalcolm@redhat.com>

	PR analyzer/97233
	* analyzer.cc (is_longjmp_call_p): Require the initial argument
	to be a pointer.
	* engine.cc (exploded_node::on_longjmp): Likewise.

2020-09-28 David Malcolm <dmalcolm@redhat.com>

	* program-state.cc (sm_state_map::print): Update check
	for m_global_state being the start state.

2020-09-26 David Malcolm <dmalcolm@redhat.com>

	PR analyzer/96646
	PR analyzer/96841
	* region-model.cc (region_model::get_representative_path_var):
	When handling offset_region, wrap the MEM_REF's first argument in
	an ADDR_EXPR of pointer type, rather than simply using the tree
	for the parent region. Require the MEM_REF's second argument to
	be an integer constant.

2020-09-24 David Malcolm <dmalcolm@redhat.com>

	* analyzer.h (struct rejected_constraint): New decl.
	* analyzer.opt (fanalyzer-feasibility): New option.
	* diagnostic-manager.cc (path_builder::path_builder): Add
	"problem" param and use it to initialize new field.
	(path_builder::get_feasibility_problem): New accessor.
	(path_builder::m_feasibility_problem): New field.
	(dedupe_winners::add): Remove inversion of logic in "if" clause,
	swapping if/else suites. In the !feasible_p suite, inspect
	flag_analyzer_feasibility and add code to handle when this
	is off, accepting the infeasible path, but recording the
	feasibility_problem.
	(diagnostic_manager::emit_saved_diagnostic): Pass the
	feasibility_problem to the path_builder.
	(diagnostic_manager::add_events_for_eedge): If we have
	a feasibility_problem at this edge, use it to add a custom event.
	* engine.cc (exploded_path::feasible_p): Pass a
	rejected_constraint ** to model.maybe_update_for_edge and transfer
	ownership of any created instance to any feasibility_problem.
	(feasibility_problem::dump_to_pp): New.
	* exploded-graph.h (feasibility_problem::feasibility_problem):
	Drop "model" param; add rejected_constraint * param.
	(feasibility_problem::~feasibility_problem): New.
	(feasibility_problem::dump_to_pp): New decl.
	(feasibility_problem::m_model): Drop field.
	(feasibility_problem::m_rc): New field.
	* program-point.cc (function_point::get_location): Handle
	PK_BEFORE_SUPERNODE and PK_AFTER_SUPERNODE.
	* program-state.cc (program_state::on_edge): Pass NULL to new
	param of region_model::maybe_update_for_edge.
	* region-model.cc (region_model::add_constraint): New overload
	adding a rejected_constraint ** param.
	(region_model::maybe_update_for_edge): Add rejected_constraint **
	param and pass it to the various apply_constraints_for_ calls.
	(region_model::apply_constraints_for_gcond): Add
	rejected_constraint ** param and pass it to add_constraint calls.
	(region_model::apply_constraints_for_gswitch): Likewise.
	(region_model::apply_constraints_for_exception): Likewise.
	(rejected_constraint::dump_to_pp): New.
	* region-model.h (region_model::maybe_update_for_edge):
	Add rejected_constraint ** param.
	(region_model::add_constraint): New overload adding a
	rejected_constraint ** param.
	(region_model::apply_constraints_for_gcond): Add
	rejected_constraint ** param.
	(region_model::apply_constraints_for_gswitch): Likewise.
	(region_model::apply_constraints_for_exception): Likewise.
	(struct rejected_constraint): New.

2020-09-23 David Malcolm <dmalcolm@redhat.com>

	PR analyzer/97178
	* engine.cc (impl_run_checkers): Update for change to ext_state
	ctor.
	* program-state.cc (selftest::test_sm_state_map): Pass an engine
	instance to ext_state ctor.
	(selftest::test_program_state_1): Likewise.
	(selftest::test_program_state_2): Likewise.
	(selftest::test_program_state_merging): Likewise.
	(selftest::test_program_state_merging_2): Likewise.
	* program-state.h (extrinsic_state::extrinsic_state): Remove NULL
	default value for "eng" param.

2020-09-23 Tobias Burnus <tobias@codesourcery.com>

	* analyzer-logging.cc: Guard '#pragma ... ignored "-Wformat-diag"'
	by '#if __GNUC__ >= 10'.
	* analyzer.h: Likewise.
	* call-string.cc: Likewise.

2020-09-23 David Malcolm <dmalcolm@redhat.com>

	* engine.cc (exploded_node::on_stmt): Replace sequence of dyn_cast
	with switch.

2020-09-22 David Malcolm <dmalcolm@redhat.com>

	* analysis-plan.cc: Include "json.h".
	* analyzer.opt (fdump-analyzer-json): New.
	* call-string.cc: Include "json.h".
	(call_string::to_json): New.
	* call-string.h (call_string::to_json): New decl.
	* checker-path.cc: Include "json.h".
	* constraint-manager.cc: Include "json.h".
	(equiv_class::to_json): New.
	(constraint::to_json): New.
	(constraint_manager::to_json): New.
	* constraint-manager.h (equiv_class::to_json): New decl.
	(constraint::to_json): New decl.
	(constraint_manager::to_json): New decl.
	* diagnostic-manager.cc: Include "json.h".
	(saved_diagnostic::to_json): New.
	(diagnostic_manager::to_json): New.
	* diagnostic-manager.h (saved_diagnostic::to_json): New decl.
	(diagnostic_manager::to_json): New decl.
	* engine.cc: Include "json.h", <zlib.h>.
	(exploded_node::status_to_str): New.
	(exploded_node::to_json): New.
	(exploded_edge::to_json): New.
	(exploded_graph::to_json): New.
	(dump_analyzer_json): New.
	(impl_run_checkers): Call it.
	* exploded-graph.h (exploded_node::status_to_str): New decl.
	(exploded_node::to_json): New.
	(exploded_edge::to_json): New.
	(exploded_graph::to_json): New.
	* pending-diagnostic.cc: Include "json.h".
	* program-point.cc: Include "json.h".
	(program_point::to_json): New.
	* program-point.h (program_point::to_json): New decl.
	* program-state.cc: Include "json.h".
	(extrinsic_state::to_json): New.
	(sm_state_map::to_json): New.
	(program_state::to_json): New.
	* program-state.h (extrinsic_state::to_json): New decl.
	(sm_state_map::to_json): New decl.
	(program_state::to_json): New decl.
	* region-model-impl-calls.cc: Include "json.h".
	* region-model-manager.cc: Include "json.h".
	* region-model-reachability.cc: Include "json.h".
	* region-model.cc: Include "json.h".
	* region-model.h (svalue::to_json): New decl.
	(region::to_json): New decl.
	* region.cc: Include "json.h".
	(region::to_json): New.
	* sm-file.cc: Include "json.h".
	* sm-malloc.cc: Include "json.h".
	* sm-pattern-test.cc: Include "json.h".
	* sm-sensitive.cc: Include "json.h".
	* sm-signal.cc: Include "json.h".
	(signal_delivery_edge_info_t::to_json): New.
	* sm-taint.cc: Include "json.h".
	* sm.cc: Include "diagnostic.h", "tree-diagnostic.h", and
	"json.h".
	(state_machine::state::to_json): New.
	(state_machine::to_json): New.
	* sm.h (state_machine::state::to_json): New.
	(state_machine::to_json): New.
	* state-purge.cc: Include "json.h".
	* store.cc: Include "json.h".
	(binding_key::get_desc): New.
	(binding_map::to_json): New.
	(binding_cluster::to_json): New.
	(store::to_json): New.
	* store.h (binding_key::get_desc): New decl.
	(binding_map::to_json): New decl.
	(binding_cluster::to_json): New decl.
	(store::to_json): New decl.
	* supergraph.cc: Include "json.h".
	(supergraph::to_json): New.
	(supernode::to_json): New.
	(superedge::to_json): New.
	* supergraph.h (supergraph::to_json): New decl.
	(supernode::to_json): New decl.
	(superedge::to_json): New decl.
	* svalue.cc: Include "json.h".
	(svalue::to_json): New.

44135373
GA
2020-09-21  David Malcolm  <dmalcolm@redhat.com>

	PR analyzer/97130
	* region-model-impl-calls.cc (call_details::get_arg_type): New.
	* region-model.cc (region_model::on_call_pre): Check that the
	initial arg is a pointer before calling impl_call_memset and
	impl_call_strlen.
	* region-model.h (call_details::get_arg_type): New decl.

2020-09-21  David Malcolm  <dmalcolm@redhat.com>

	PR analyzer/93355
	* sm-malloc.cc (malloc_state_machine::get_default_state): Look at
	the base region when considering pointers.  Treat pointers to
	decls as being non-heap.

2020-09-18  David Malcolm  <dmalcolm@redhat.com>

	* checker-path.cc (warning_event::get_desc): Handle global state
	changes.

2020-09-18  David Malcolm  <dmalcolm@redhat.com>

	* sm-malloc.cc (malloc_state_machine::on_stmt): Handle strdup and
	strndup as being malloc-like allocators.

2020-09-16  David Malcolm  <dmalcolm@redhat.com>

	* engine.cc (strongly_connected_components::strong_connect): Only
	consider intraprocedural edges when creating SCCs.
	(worklist::key_t::cmp): Add comment.  Treat call_string
	differences as more important than differences of program_point
	within a supernode.

2020-09-16  David Malcolm  <dmalcolm@redhat.com>

	* engine.cc (supernode_cluster::dump_dot): Show the SCC id
	in the per-supernode clusters in FILENAME.eg.dot output.
	(exploded_graph_annotator::add_node_annotations):
	Show the SCC of the supernode in FILENAME.supernode.eg.dot output.
	* exploded-graph.h (worklist::scc_id): New.
	(exploded_graph::get_scc_id): New.

2020-09-16  David Malcolm  <dmalcolm@redhat.com>

	* engine.cc (exploded_node::dump_dot): Show STATUS_BULK_MERGED.
	(exploded_graph::process_worklist): Call
	maybe_process_run_of_before_supernode_enodes.
	(exploded_graph::maybe_process_run_of_before_supernode_enodes):
	New.
	(exploded_graph_annotator::print_enode): Show STATUS_BULK_MERGED.
	* exploded-graph.h (enum exploded_node::status): Add
	STATUS_BULK_MERGED.

2020-09-16  David Malcolm  <dmalcolm@redhat.com>

	* engine.cc
	(exploded_graph::process_node) <case PK_BEFORE_SUPERNODE>:
	Simplify by using program_point::get_next.
	* program-point.cc (program_point::get_next): New.
	* program-point.h (program_point::get_next): New decl.

2020-09-16  David Malcolm  <dmalcolm@redhat.com>

	* engine.cc (exploded_graph::get_or_create_node): Show the
	program point when issuing -Wanalyzer-too-complex due to hitting
	the per-program-point limit.

2020-09-16  David Malcolm  <dmalcolm@redhat.com>

	* region-model.cc (region_model::on_call_pre): Treat getchar as
	having no side-effects.

2020-09-15  David Malcolm  <dmalcolm@redhat.com>

	PR analyzer/96650
	* constraint-manager.cc (merger_fact_visitor::on_fact): Replace
	assertion that add_constraint succeeded with an assertion that
	if it fails, -fanalyzer-transitivity is off.

2020-09-14  David Malcolm  <dmalcolm@redhat.com>

	* analyzer.opt (-param=analyzer-max-constraints=): New param.
	* constraint-manager.cc
	(constraint_manager::add_constraint_internal): Silently reject
	attempts to add constraints when the above limit is reached.

2020-09-14  David Malcolm  <dmalcolm@redhat.com>

	PR analyzer/96653
	* constraint-manager.cc
	(constraint_manager::get_or_add_equiv_class): Don't accumulate
	transitive closure of all constraints on constants.

2020-09-14  David Malcolm  <dmalcolm@redhat.com>

	PR analyzer/97029
	* analyzer.cc (is_setjmp_call_p): Require the initial arg to be a
	pointer.
	* region-model.cc (region_model::deref_rvalue): Assert that the
	svalue is of pointer type.

2020-09-11  David Malcolm  <dmalcolm@redhat.com>

	PR analyzer/96798
	* region-model-impl-calls.cc (region_model::impl_call_memcpy):
	New.
	(region_model::impl_call_strcpy): New.
	* region-model.cc (region_model::on_call_pre): Flag unhandled
	builtins that are non-pure as having unknown side-effects.
	Implement BUILT_IN_MEMCPY, BUILT_IN_MEMCPY_CHK, BUILT_IN_STRCPY,
	BUILT_IN_STRCPY_CHK, BUILT_IN_FPRINTF, BUILT_IN_FPRINTF_UNLOCKED,
	BUILT_IN_PUTC, BUILT_IN_PUTC_UNLOCKED, BUILT_IN_FPUTC,
	BUILT_IN_FPUTC_UNLOCKED, BUILT_IN_FPUTS, BUILT_IN_FPUTS_UNLOCKED,
	BUILT_IN_FWRITE, BUILT_IN_FWRITE_UNLOCKED, BUILT_IN_PRINTF,
	BUILT_IN_PRINTF_UNLOCKED, BUILT_IN_PUTCHAR,
	BUILT_IN_PUTCHAR_UNLOCKED, BUILT_IN_PUTS, BUILT_IN_PUTS_UNLOCKED,
	BUILT_IN_VFPRINTF, BUILT_IN_VPRINTF.
	* region-model.h (region_model::impl_call_memcpy): New decl.
	(region_model::impl_call_strcpy): New decl.

2020-09-09  David Malcolm  <dmalcolm@redhat.com>

	PR analyzer/94355
	* analyzer.opt (Wanalyzer-mismatching-deallocation): New warning.
	* region-model-impl-calls.cc
	(region_model::impl_call_operator_new): New.
	(region_model::impl_call_operator_delete): New.
	* region-model.cc (region_model::on_call_pre): Detect operator new
	and operator delete.
	(region_model::on_call_post): Likewise.
	(region_model::maybe_update_for_edge): Detect EH edges and call...
	(region_model::apply_constraints_for_exception): New function.
	* region-model.h (region_model::impl_call_operator_new): New decl.
	(region_model::impl_call_operator_delete): New decl.
	(region_model::apply_constraints_for_exception): New decl.
	* sm-malloc.cc (enum resource_state): New.
	(struct allocation_state): New state subclass.
	(enum wording): New.
	(struct api): New.
	(malloc_state_machine::custom_data_t): New typedef.
	(malloc_state_machine::add_state): New decl.
	(malloc_state_machine::m_unchecked)
	(malloc_state_machine::m_nonnull)
	(malloc_state_machine::m_freed): Delete these states in favor
	of...
	(malloc_state_machine::m_malloc)
	(malloc_state_machine::m_scalar_new)
	(malloc_state_machine::m_vector_new): ...these new api instances,
	which own their own versions of these states.
	(malloc_state_machine::on_allocator_call): New decl.
	(malloc_state_machine::on_deallocator_call): New decl.
	(api::api): New ctor.
	(dyn_cast_allocation_state): New.
	(as_a_allocation_state): New.
	(get_rs): New.
	(unchecked_p): New.
	(nonnull_p): New.
	(freed_p): New.
	(malloc_diagnostic::describe_state_change): Use unchecked_p and
	nonnull_p.
	(class mismatching_deallocation): New.
	(double_free::double_free): Add funcname param for initializing
	m_funcname.
	(double_free::emit): Use m_funcname in warning message rather
	than hardcoding "free".
	(double_free::describe_state_change): Likewise.  Use freed_p.
	(double_free::describe_call_with_state): Use freed_p.
	(double_free::describe_final_event): Use m_funcname in message
	rather than hardcoding "free".
	(double_free::m_funcname): New field.
	(possible_null::describe_state_change): Use unchecked_p.
	(possible_null::describe_return_of_state): Likewise.
	(use_after_free::use_after_free): Add param for initializing m_api.
	(use_after_free::emit): Use m_api->m_dealloc_funcname in message
	rather than hardcoding "free".
	(use_after_free::describe_state_change): Use freed_p.  Change the
	wording of the message based on the API.
	(use_after_free::describe_final_event): Use
	m_api->m_dealloc_funcname in message rather than hardcoding
	"free".  Change the wording of the message based on the API.
	(use_after_free::m_api): New field.
	(malloc_leak::describe_state_change): Use unchecked_p.  Update
	for renaming of m_malloc_event to m_alloc_event.
	(malloc_leak::describe_final_event): Update for renaming of
	m_malloc_event to m_alloc_event.
	(malloc_leak::m_malloc_event): Rename...
	(malloc_leak::m_alloc_event): ...to this.
	(free_of_non_heap::free_of_non_heap): Add param for initializing
	m_funcname.
	(free_of_non_heap::emit): Use m_funcname in message rather than
	hardcoding "free".
	(free_of_non_heap::describe_final_event): Likewise.
	(free_of_non_heap::m_funcname): New field.
	(allocation_state::dump_to_pp): New.
	(allocation_state::get_nonnull): New.
	(malloc_state_machine::malloc_state_machine): Update for changes
	to state fields and new api fields.
	(malloc_state_machine::add_state): New.
	(malloc_state_machine::on_stmt): Move malloc/calloc handling to
	on_allocator_call and call it, passing in the API pointer.
	Likewise for free, moving it to on_deallocator_call.  Handle calls
	to operator new and delete in an analogous way.  Use unchecked_p
	when testing for possibly-null-arg and possibly-null-deref, and
	transition to the non-null state for the correct API.  Remove
	redundant node param from call to on_zero_assignment.  Use freed_p
	for use-after-free check, and pass in API.
	(malloc_state_machine::on_allocator_call): New, based on code in
	on_stmt.
	(malloc_state_machine::on_deallocator_call): Likewise.
	(malloc_state_machine::on_phi): Mark node param with
	ATTRIBUTE_UNUSED; don't pass it to on_zero_assignment.
	(malloc_state_machine::on_condition): Mark node param with
	ATTRIBUTE_UNUSED.  Replace on_transition calls with get_state and
	set_next_state pairs, transitioning to the non-null state for the
	appropriate API.
	(malloc_state_machine::can_purge_p): Port to new state approach.
	(malloc_state_machine::on_zero_assignment): Replace on_transition
	calls with get_state and set_next_state pairs.  Drop redundant
	node param.
	* sm.h (state_machine::add_custom_state): New.

2020-09-09  David Malcolm  <dmalcolm@redhat.com>

	* diagnostic-manager.cc
	(null_assignment_sm_context::warn_for_state): Replace with...
	(null_assignment_sm_context::warn): ...this.
	* engine.cc (impl_sm_context::warn_for_state): Replace with...
	(impl_sm_context::warn): ...this.
	* sm-file.cc (fileptr_state_machine::on_stmt): Replace
	warn_for_state and on_transition calls with a get_state
	test guarding warn and set_next_state calls.
	* sm-malloc.cc (malloc_state_machine::on_stmt): Likewise.
	* sm-pattern-test.cc (pattern_test_state_machine::on_condition):
	Replace warn_for_state call with warn call.
	* sm-sensitive.cc
	(sensitive_state_machine::warn_for_any_exposure): Replace
	warn_for_state call with a get_state test guarding a warn call.
	* sm-signal.cc (signal_state_machine::on_stmt): Likewise.
	* sm-taint.cc (taint_state_machine::on_stmt): Replace
	warn_for_state and on_transition calls with a get_state
	test guarding warn and set_next_state calls.
	* sm.h (sm_context::warn_for_state): Replace with...
	(sm_context::warn): ...this.

2020-09-09  David Malcolm  <dmalcolm@redhat.com>

	* diagnostic-manager.cc
	(null_assignment_sm_context::null_assignment_sm_context): Add old_state
	and ext_state params, initializing m_old_state and m_ext_state.
	(null_assignment_sm_context::on_transition): Split into...
	(null_assignment_sm_context::get_state): ...this new vfunc
	implementation and...
	(null_assignment_sm_context::set_next_state): ...this new vfunc
	implementation.
	(null_assignment_sm_context::m_old_state): New field.
	(null_assignment_sm_context::m_ext_state): New field.
	(diagnostic_manager::add_events_for_eedge): Pass in old state and
	ext_state when creating sm_ctxt.
	* engine.cc (impl_sm_context::on_transition): Split into...
	(impl_sm_context::get_state): ...this new vfunc
	implementation and...
	(impl_sm_context::set_next_state): ...this new vfunc
	implementation.
	* sm.h (sm_context::get_state): New pure virtual function.
	(sm_context::set_next_state): Likewise.
	(sm_context::on_transition): Convert from a pure virtual function
	to a regular function implemented in terms of get_state and
	set_next_state.

2020-09-09  David Malcolm  <dmalcolm@redhat.com>

	* checker-path.cc (state_change_event::get_desc): Update
	state_machine::get_state_name calls to state::get_name.
	(warning_event::get_desc): Likewise.
	* diagnostic-manager.cc
	(null_assignment_sm_context::on_transition): Update comparison
	against 0 with comparison with m_sm.get_start_state.
	(diagnostic_manager::prune_for_sm_diagnostic): Update
	state_machine::get_state_name calls to state::get_name.
	* engine.cc (impl_sm_context::on_transition): Likewise.
	(exploded_node::get_dot_fillcolor): Use get_id when summing
	the sm states.
	* program-state.cc (sm_state_map::sm_state_map): Don't hardcode
	0 as the start state when initializing m_global_state.
	(sm_state_map::print): Use dump_to_pp rather than get_state_name
	when dumping states.
	(sm_state_map::is_empty_p): Don't hardcode 0 as the start state
	when examining m_global_state.
	(sm_state_map::hash): Use get_id when hashing states.
	(selftest::test_sm_state_map): Use state objects rather than
	arbitrary hardcoded integers.
	(selftest::test_program_state_merging): Likewise.
	(selftest::test_program_state_merging_2): Likewise.
	* sm-file.cc (fileptr_state_machine::m_start): Move to base class.
	(file_diagnostic::describe_state_change): Use get_start_state.
	(fileptr_state_machine::fileptr_state_machine): Drop m_start
	initialization.
	* sm-malloc.cc (malloc_state_machine::m_start): Move to base
	class.
	(malloc_diagnostic::describe_state_change): Use get_start_state.
	(possible_null::describe_state_change): Likewise.
	(malloc_state_machine::malloc_state_machine): Drop m_start
	initialization.
	* sm-pattern-test.cc (pattern_test_state_machine::m_start): Move
	to base class.
	(pattern_test_state_machine::pattern_test_state_machine): Drop
	m_start initialization.
	* sm-sensitive.cc (sensitive_state_machine::m_start): Move to base
	class.
	(sensitive_state_machine::sensitive_state_machine): Drop m_start
	initialization.
	* sm-signal.cc (signal_state_machine::m_start): Move to base
	class.
	(signal_state_machine::signal_state_machine): Drop m_start
	initialization.
	* sm-taint.cc (taint_state_machine::m_start): Move to base class.
	(taint_state_machine::taint_state_machine): Drop m_start
	initialization.
	* sm.cc (state_machine::state::dump_to_pp): New.
	(state_machine::state_machine): Move here from sm.h.  Initialize
	m_next_state_id and m_start.
	(state_machine::add_state): Reimplement in terms of state objects.
	(state_machine::get_state_name): Delete.
	(state_machine::get_state_by_name): Reimplement in terms of state
	objects.  Make const.
	(state_machine::validate): Delete.
	(state_machine::dump_to_pp): Reimplement in terms of state
	objects.
	* sm.h (state_machine::state): New class.
	(state_machine::state_t): Convert typedef from "unsigned" to
	"const state_machine::state *".
	(state_machine::state_machine): Move to sm.cc.
	(state_machine::get_default_state): Use m_start rather than
	hardcoding 0.
	(state_machine::get_state_name): Delete.
	(state_machine::get_state_by_name): Make const.
	(state_machine::get_start_state): New accessor.
	(state_machine::alloc_state_id): New.
	(state_machine::m_state_names): Drop in favor of...
	(state_machine::m_states): New field.
	(state_machine::m_start): New field.
	(start_start_p): Delete.

2020-09-08  David Malcolm  <dmalcolm@redhat.com>

	PR analyzer/96949
	* store.cc (binding_map::apply_ctor_val_to_range): Add
	error-handling for the cases where we have symbolic offsets.

2020-09-08  David Malcolm  <dmalcolm@redhat.com>

	PR analyzer/96950
	* store.cc (binding_map::apply_ctor_to_region): Handle RANGE_EXPR
	where min_index == max_index.
	(binding_map::apply_ctor_val_to_range): Replace assertion that we
	don't have a CONSTRUCTOR value with error-handling.

2020-09-08  David Malcolm  <dmalcolm@redhat.com>

	PR analyzer/96962
	* region-model.cc (region_model::on_call_pre): Fix guard on switch
	on built-ins to only consider BUILT_IN_NORMAL, rather than other
	kinds of built-ins.

2020-09-01  David Malcolm  <dmalcolm@redhat.com>

	PR analyzer/96792
	* region-model.cc (region_model::deref_rvalue): Add the constraint
	that PTR_SVAL is non-NULL.

2020-08-31  David Malcolm  <dmalcolm@redhat.com>

	PR analyzer/96798
	* region-model.cc (region_model::on_call_pre): Handle
	BUILT_IN_MEMSET_CHK.

2020-08-31  David Malcolm  <dmalcolm@redhat.com>

	* region-model.cc (region_model::on_call_pre): Gather handling of
	builtins and of internal fns into switch statements.  Handle
	"alloca" and BUILT_IN_ALLOCA_WITH_ALIGN.

2020-08-31  David Malcolm  <dmalcolm@redhat.com>

	PR analyzer/96860
	* region.cc (decl_region::get_svalue_for_constructor): Support
	apply_ctor_to_region failing.
	* store.cc (binding_map::apply_ctor_to_region): Add failure
	handling.
	(binding_map::apply_ctor_val_to_range): Likewise.
	(binding_map::apply_ctor_pair_to_child_region): Likewise.  Replace
	assertion that child_base_offset is not symbolic with error
	handling.
	* store.h (binding_map::apply_ctor_to_region): Convert return type
	from void to bool.
	(binding_map::apply_ctor_val_to_range): Likewise.
	(binding_map::apply_ctor_pair_to_child_region): Likewise.

2020-08-31  David Malcolm  <dmalcolm@redhat.com>

	PR analyzer/96763
	* store.cc (binding_map::apply_ctor_to_region): Handle RANGE_EXPR
	by calling a new binding_map::apply_ctor_val_to_range subroutine.
	Split out the existing non-CONSTRUCTOR-handling code to a new
	apply_ctor_pair_to_child_region subroutine.
	(binding_map::apply_ctor_val_to_range): New.
	(binding_map::apply_ctor_pair_to_child_region): New, split out
	from binding_map::apply_ctor_to_region as noted above.
	* store.h (binding_map::apply_ctor_val_to_range): New decl.
	(binding_map::apply_ctor_pair_to_child_region): New decl.

2020-08-31  David Malcolm  <dmalcolm@redhat.com>

	PR analyzer/96764
	* region-model-manager.cc
	(region_model_manager::maybe_fold_unaryop): Handle VIEW_CONVERT_EXPR.
	(region_model_manager::get_or_create_cast): Move logic for
	real->integer casting to...
	(get_code_for_cast): ...this new function, and add logic for
	real->non-integer casts.
	(region_model_manager::maybe_fold_sub_svalue): Handle
	VIEW_CONVERT_EXPR.
	* region-model.cc
	(region_model::add_any_constraints_from_gassign): Likewise.
	* svalue.cc (svalue::maybe_undo_cast): Likewise.
	(unaryop_svalue::dump_to_pp): Likewise.

2020-08-26  David Malcolm  <dmalcolm@redhat.com>

	PR analyzer/94858
	* region-model-manager.cc
	(region_model_manager::get_or_create_widening_svalue): Assert that
	neither of the inputs is itself a widening.
	* store.cc (store::eval_alias_1): The initial value of a pointer
	can't point to a region that was allocated on the heap after the
	beginning of the path.  A widened pointer value can't alias anything
	that the initial pointer value can't alias.
	* svalue.cc (svalue::can_merge_p): Merge BINOP (X, OP, CST) with X
	to a widening svalue.  Merge
	BINOP(WIDENING(BASE, BINOP(BASE, X)), X) and BINOP(BASE, X) to
	the LHS of the first BINOP.

2020-08-26  David Malcolm  <dmalcolm@redhat.com>

	PR analyzer/96777
	* region-model.h (class compound_svalue): Document that all keys
	must be concrete.
	(compound_svalue::compound_svalue): Move definition to svalue.cc.
	* store.cc (binding_map::apply_ctor_to_region): Handle
	initializers for trailing arrays with incomplete size.
	* svalue.cc (compound_svalue::compound_svalue): Move definition
	here from region-model.h.  Add assertion that all keys are
	concrete.

2020-08-22  David Malcolm  <dmalcolm@redhat.com>

	PR analyzer/94851
	* region-model-manager.cc
	(region_model_manager::maybe_fold_binop): Fold bitwise "& 0" to 0.

2020-08-22  David Malcolm  <dmalcolm@redhat.com>

	* store.cc (store::eval_alias): Make const.  Split out 2nd half
	into store::eval_alias_1 and call it twice for symmetry, avoiding
	test duplication.
	(store::eval_alias_1): New function, split out from the above.
	* store.h (store::eval_alias): Make const.
	(store::eval_alias_1): New decl.

2020-08-22  David Malcolm  <dmalcolm@redhat.com>

	* region-model.cc (region_model::push_frame): Bind the default
	SSA name for each parm if it exists, falling back to the parm
	itself otherwise, rather than doing both.

2020-08-20  David Malcolm  <dmalcolm@redhat.com>

	PR analyzer/96723
	* region-model-manager.cc
	(region_model_manager::get_field_region): Assert that field is a
	FIELD_DECL.
	* region.cc (region::get_subregions_for_binding): In
	union-handling, filter the TYPE_FIELDS traversal to just FIELD_DECLs.

2020-08-20  David Malcolm  <dmalcolm@redhat.com>

	PR analyzer/96713
	* region-model.cc (region_model::get_gassign_result): For
	comparisons, only use eval_condition when the lhs has boolean
	type, and use get_or_create_constant_svalue on the boolean
	constants directly rather than via get_rvalue.

2020-08-19  David Malcolm  <dmalcolm@redhat.com>

	PR analyzer/96643
	* region-model.cc (region_model::deref_rvalue): Rather than
	attempting to handle all svalue kinds in the switch, only cover
	the special cases, and move symbolic-region handling to after
	the switch, thus implicitly handling the missing case SK_COMPOUND.

2020-08-19  David Malcolm  <dmalcolm@redhat.com>

	PR analyzer/96705
	* region-model-manager.cc
	(region_model_manager::maybe_fold_binop): Check that we have an
	integral type before calling build_int_cst.

2020-08-19  David Malcolm  <dmalcolm@redhat.com>

	PR analyzer/96699
	* region-model-manager.cc
	(region_model_manager::get_or_create_cast): Use FIX_TRUNC_EXPR for
	casting from REAL_TYPE to INTEGER_TYPE.

2020-08-19  David Malcolm  <dmalcolm@redhat.com>

	PR analyzer/96651
	* region-model.cc (region_model::called_from_main_p): New.
	(region_model::get_store_value): Move handling for globals into...
	(region_model::get_initial_value_for_global): ...this new
	function, and add logic for extracting values from decl
	initializers.
	* region-model.h (decl_region::get_svalue_for_constructor): New
	decl.
	(decl_region::get_svalue_for_initializer): New decl.
	(region_model::called_from_main_p): New decl.
	(region_model::get_initial_value_for_global): New.
	* region.cc (decl_region::maybe_get_constant_value): Move logic
	for getting an svalue from a CONSTRUCTOR node to...
	(decl_region::get_svalue_for_constructor): ...this new function.
	(decl_region::get_svalue_for_initializer): New.
	* store.cc (get_svalue_for_ctor_val): Rewrite in terms of
	region_model::get_rvalue.
	* store.h (binding_cluster::get_map): New accessor.

2020-08-19  David Malcolm  <dmalcolm@redhat.com>

	PR analyzer/96648
	* region.cc (get_field_at_bit_offset): Gracefully handle negative
	values for bit_offset.

2020-08-18  David Malcolm  <dmalcolm@redhat.com>

	* region-model.cc (region_model::get_rvalue_1): Fix name of local.

2020-08-18  David Malcolm  <dmalcolm@redhat.com>

	PR analyzer/96641
	* region-model.cc (region_model::get_rvalue_1): Handle
	unrecognized tree codes by returning "UNKNOWN".

2020-08-18  David Malcolm  <dmalcolm@redhat.com>

	PR analyzer/96640
	* region-model.cc (region_model::get_gassign_result): Handle various
	VEC_* tree codes by returning UNKNOWN.
	(region_model::on_assignment): Handle unrecognized tree codes by
	setting lhs to an unknown value, rather than issuing a "sorry" and
	asserting.

2020-08-17  David Malcolm  <dmalcolm@redhat.com>

	PR analyzer/96644
	* region-model-manager.cc (get_region_for_unexpected_tree_code):
	Handle ctxt being NULL.

2020-08-17  David Malcolm  <dmalcolm@redhat.com>

	PR analyzer/96639
	* region.cc (region::get_subregions_for_binding): Check for "type"
	being NULL.

2020-08-17  David Malcolm  <dmalcolm@redhat.com>

	PR analyzer/96642
	* store.cc (get_svalue_for_ctor_val): New.
	(binding_map::apply_ctor_to_region): Call it.

2020-08-14  David Malcolm  <dmalcolm@redhat.com>

	PR testsuite/96609
	PR analyzer/96616
	* region-model.cc (region_model::get_store_value): Call
	maybe_get_constant_value on decl_regions first.
	* region-model.h (decl_region::maybe_get_constant_value): New decl.
	* region.cc (decl_region::get_stack_depth): Likewise.
	(decl_region::maybe_get_constant_value): New.
	* store.cc (get_subregion_within_ctor): New.
	(binding_map::apply_ctor_to_region): New.
	* store.h (binding_map::apply_ctor_to_region): New decl.

2020-08-14  David Malcolm  <dmalcolm@redhat.com>

	PR analyzer/96611
	* store.cc (store::mark_as_escaped): Reject attempts to
	get a cluster for an unknown pointer.

76402020-08-13 David Malcolm <dmalcolm@redhat.com>
7641
5afd1882
ML
7642 PR analyzer/93032
7643 PR analyzer/93938
7644 PR analyzer/94011
7645 PR analyzer/94099
7646 PR analyzer/94399
7647 PR analyzer/94458
7648 PR analyzer/94503
7649 PR analyzer/94640
7650 PR analyzer/94688
7651 PR analyzer/94689
7652 PR analyzer/94839
7653 PR analyzer/95026
7654 PR analyzer/95042
7655 PR analyzer/95240
b3cb5606
GA
7656 * analyzer-logging.cc: Ignore "-Wformat-diag".
7657 (logger::enter_scope): Use inc_indent in both overloads.
7658 (logger::exit_scope): Use dec_indent.
7659 * analyzer-logging.h (logger::inc_indent): New.
7660 (logger::dec_indent): New.
7661 * analyzer-selftests.cc (run_analyzer_selftests): Call
7662 analyzer_store_cc_tests.
7663 * analyzer-selftests.h (analyzer_store_cc_tests): New decl.
7664 * analyzer.cc (get_stmt_location): New function.
7665 * analyzer.h (class initial_svalue): New forward decl.
7666 (class unaryop_svalue): New forward decl.
7667 (class binop_svalue): New forward decl.
7668 (class sub_svalue): New forward decl.
7669 (class unmergeable_svalue): New forward decl.
7670 (class placeholder_svalue): New forward decl.
7671 (class widening_svalue): New forward decl.
7672 (class compound_svalue): New forward decl.
7673 (class conjured_svalue): New forward decl.
7674 (svalue_set): New typedef.
7675 (class map_region): Delete.
7676 (class array_region): Delete.
7677 (class frame_region): New forward decl.
7678 (class function_region): New forward decl.
7679 (class label_region): New forward decl.
7680 (class decl_region): New forward decl.
7681 (class element_region): New forward decl.
7682 (class offset_region): New forward decl.
7683 (class cast_region): New forward decl.
7684 (class field_region): New forward decl.
7685 (class string_region): New forward decl.
7686 (class region_model_manager): New forward decl.
7687 (class store_manager): New forward decl.
7688 (class store): New forward decl.
7689 (class call_details): New forward decl.
7690 (struct svalue_id_merger_mapping): Delete.
7691 (struct canonicalization): Delete.
7692 (class function_point): New forward decl.
7693 (class engine): New forward decl.
7694 (dump_tree): New function decl.
7695 (print_quoted_type): New function decl.
7696 (readability_comparator): New function decl.
(tree_cmp): New function decl.
(class path_var): Move here from region-model.h.
(bit_offset_t, bit_size_t, byte_size_t): New typedefs.
(class region_offset): New class.
(get_stmt_location): New decl.
(struct member_function_hash_traits): New struct.
(class consolidation_map): New class.
Ignore "-Wformat-diag".
* analyzer.opt (-param=analyzer-max-svalue-depth=): New param.
(-param=analyzer-max-enodes-for-full-dump=): New param.
* call-string.cc: Ignore -Wformat-diag.
* checker-path.cc: Move includes of "analyzer/call-string.h" and
"analyzer/program-point.h" to before "analyzer/region-model.h",
and also include "analyzer/store.h" before it.
(state_change_event::state_change_event): Replace "tree var" param
with "const svalue *sval". Convert "origin" param from tree to
"const svalue *".
(state_change_event::get_desc): Call get_representative_tree to
convert the var and origin from const svalue * to tree. Use
svalue::get_desc rather than %qE when describing state changes.
(checker_path::add_final_event): Use get_stmt_location.
* checker-path.h (state_change_event::state_change_event): Port
from tree to const svalue *.
(state_change_event::get_lvalue): Delete.
(state_change_event::get_dest_function): New.
(state_change_event::m_var): Replace with...
(state_change_event::m_sval): ...this.
(state_change_event::m_origin): Convert from tree to
const svalue *.
* constraint-manager.cc: Include "analyzer/call-string.h",
"analyzer/program-point.h", and "analyzer/store.h" before
"analyzer/region-model.h".
(struct bound, struct range): Move to constraint-manager.h.
(compare_constants): New function.
(range::dump): Rename to...
(range::dump_to_pp): ...this. Support NULL constants.
(range::dump): Reintroduce for dumping to stderr.
(range::constrained_to_single_element): Return result, rather than
writing to *OUT.
(range::eval_condition): New.
(range::below_lower_bound): New.
(range::above_upper_bound): New.
(equiv_class::equiv_class): Port from svalue_id to const svalue *.
(equiv_class::print): Likewise.
(equiv_class::hash): Likewise.
(equiv_class::operator==): Port from svalue_id to const svalue *.
(equiv_class::add): Port from svalue_id to const svalue *. Drop
"cm" param.
(equiv_class::del): Port from svalue_id to const svalue *.
(equiv_class::get_representative): Likewise.
(equiv_class::remap_svalue_ids): Delete.
(svalue_id_cmp_by_id): Rename to...
(svalue_cmp_by_ptr): ...this, porting from svalue_id to
const svalue *.
(equiv_class::canonicalize): Update qsort comparator.
(constraint::implied_by): New.
(constraint_manager::constraint_manager): Copy m_mgr in copy ctor.
(constraint_manager::dump_to_pp): Add "multiline" param.
(constraint_manager::dump): Pass "true" for "multiline".
(constraint_manager::add_constraint): Port from svalue_id to
const svalue *. Split out second part into...
(constraint_manager::add_unknown_constraint): ...this new
function. Remove self-constraints when merging equivalence
classes.
(constraint_manager::add_constraint_internal): Remove constraints
that would be implied by the new constraint. Port from svalue_id
to const svalue *.
(constraint_manager::get_equiv_class_by_sid): Rename to...
(constraint_manager::get_equiv_class_by_svalue): ...this, porting
from svalue_id to const svalue *.
(constraint_manager::get_or_add_equiv_class): Port from svalue_id
to const svalue *.
(constraint_manager::eval_condition): Make const. Call
compare_constants and return early if it provides a known result.
(constraint_manager::get_ec_bounds): New.
(constraint_manager::eval_condition): New overloads. Make
existing one const, and use compare_constants.
(constraint_manager::purge): Convert "p" param to a template
rather than an abstract base class. Port from svalue_id to
const svalue *.
(class dead_svalue_purger): New class.
(constraint_manager::remap_svalue_ids): Delete.
(constraint_manager::on_liveness_change): New.
(equiv_class_cmp): Port from svalue_id to const svalue *.
(constraint_manager::canonicalize): Likewise. Combine with
purging of redundant equivalence classes and constraints.
(class cleaned_constraint_manager): Delete.
(class merger_fact_visitor): Make "m_cm_b" const. Add "m_merger"
field.
(merger_fact_visitor::fact): Port from svalue_id to const svalue *.
Add special case for widening.
(constraint_manager::merge): Port from svalue_id to const svalue *.
(constraint_manager::clean_merger_input): Delete.
(constraint_manager::for_each_fact): Port from svalue_id to
const svalue *.
(constraint_manager::validate): Likewise.
(selftest::test_constraint_conditions): Provide a
region_model_manager when creating region_model instances.
Add test for self-equality not creating equivalence classes.
(selftest::test_transitivity): Provide a region_model_manager when
creating region_model instances. Verify that EC-merging happens
when constraints are implied.
(selftest::test_constant_comparisons): Provide a
region_model_manager when creating region_model instances.
(selftest::test_constraint_impl): Likewise. Remove over-specified
assertions.
(selftest::test_equality): Provide a region_model_manager when
creating region_model instances.
(selftest::test_many_constants): Likewise. Provide a
program_point when testing merging.
(selftest::run_constraint_manager_tests): Move call to
test_constant_comparisons to outside the transitivity guard.
* constraint-manager.h (struct bound): Move here from
constraint-manager.cc.
(struct range): Likewise.
(struct::eval_condition): New decl.
(struct::below_lower_bound): New decl.
(struct::above_upper_bound): New decl.
(equiv_class::add): Port from svalue_id to const svalue *.
(equiv_class::del): Likewise.
(equiv_class::get_representative): Likewise.
(equiv_class::remap_svalue_ids): Drop.
(equiv_class::m_cst_sid): Convert to...
(equiv_class::m_cst_sval): ...this.
(equiv_class::m_vars): Port from svalue_id to const svalue *.
(constraint::bool implied_by): New decl.
(fact_visitor::on_fact): Port from svalue_id to const svalue *.
(constraint_manager::constraint_manager): Add mgr param.
(constraint_manager::clone): Delete.
(constraint_manager::maybe_get_constant): Delete.
(constraint_manager::get_sid_for_constant): Delete.
(constraint_manager::get_num_svalues): Delete.
(constraint_manager::dump_to_pp): Add "multiline" param.
(constraint_manager::get_equiv_class): Port from svalue_id to
const svalue *.
(constraint_manager::add_constraint): Likewise.
(constraint_manager::get_equiv_class_by_sid): Rename to...
(constraint_manager::get_equiv_class_by_svalue): ...this, porting
from svalue_id to const svalue *.
(constraint_manager::add_unknown_constraint): New decl.
(constraint_manager::get_or_add_equiv_class): Port from svalue_id
to const svalue *.
(constraint_manager::eval_condition): Likewise. Add overloads.
(constraint_manager::get_ec_bounds): New decl.
(constraint_manager::purge): Convert to template.
(constraint_manager::remap_svalue_ids): Delete.
(constraint_manager::on_liveness_change): New decl.
(constraint_manager::canonicalize): Drop param.
(constraint_manager::clean_merger_input): Delete.
(constraint_manager::m_mgr): New field.
* diagnostic-manager.cc: Move includes of
"analyzer/call-string.h" and "analyzer/program-point.h" to before
"analyzer/region-model.h", and also include "analyzer/store.h"
before it.
(saved_diagnostic::saved_diagnostic): Add "sval" param.
(diagnostic_manager::diagnostic_manager): Add engine param.
(diagnostic_manager::add_diagnostic): Add "sval" param, passing it
to saved_diagnostic ctor. Update overload to pass NULL for it.
(dedupe_winners::dedupe_winners): Add engine param.
(dedupe_winners::add): Add "eg" param. Pass m_engine to
feasible_p.
(dedupe_winner::m_engine): New field.
(diagnostic_manager::emit_saved_diagnostics): Pass engine to
dedupe_winners. Pass &eg when adding candidates. Pass svalue
rather than tree to prune_path. Use get_stmt_location to get
primary location of diagnostic.
(diagnostic_manager::emit_saved_diagnostic): Likewise.
(get_any_origin): Drop.
(state_change_event_creator::on_global_state_change): Pass NULL
const svalue * rather than NULL_TREE trees to state_change_event
ctor.
(state_change_event_creator::on_state_change): Port from tree and
svalue_id to const svalue *.
(for_each_state_change): Port from svalue_id to const svalue *.
(struct null_assignment_sm_context): New.
(diagnostic_manager::add_events_for_eedge): Add state change
events for assignment to NULL.
(diagnostic_manager::prune_path): Update param from tree to
const svalue *.
(diagnostic_manager::prune_for_sm_diagnostic): Port from tracking
by tree to by const svalue *.
* diagnostic-manager.h (saved_diagnostic::saved_diagnostic): Add sval
param.
(saved_diagnostic::m_sval): New field.
(diagnostic_manager::diagnostic_manager): Add engine param.
(diagnostic_manager::get_engine): New.
(diagnostic_manager::add_diagnostic): Add "sval" param.
(diagnostic_manager::prune_path): Likewise.
(diagnostic_manager::prune_for_sm_diagnostic): New overload.
(diagnostic_manager::m_eng): New field.
* engine.cc: Move includes of "analyzer/call-string.h" and
"analyzer/program-point.h" to before "analyzer/region-model.h",
and also include "analyzer/store.h" before it.
(impl_region_model_context::impl_region_model_context): Update for
removal of m_change field.
(impl_region_model_context::remap_svalue_ids): Delete.
(impl_region_model_context::on_svalue_leak): New.
(impl_region_model_context::on_svalue_purge): Delete.
(impl_region_model_context::on_liveness_change): New.
(impl_region_model_context::on_unknown_change): Update param
from svalue_id to const svalue *. Add is_mutable param.
(setjmp_svalue::compare_fields): Delete.
(setjmp_svalue::accept): New.
(setjmp_svalue::add_to_hash): Delete.
(setjmp_svalue::dump_to_pp): New.
(setjmp_svalue::print_details): Delete.
(impl_sm_context::impl_sm_context): Drop "change" param.
(impl_sm_context::get_fndecl_for_call): Drop "m_change".
(impl_sm_context::on_transition): Drop ATTRIBUTE_UNUSED from
"stmt" param. Drop m_change. Port from svalue_id to
const svalue *.
(impl_sm_context::warn_for_state): Drop m_change. Port from
svalue_id to const svalue *.
(impl_sm_context::get_readable_tree): Rename to...
(impl_sm_context::get_diagnostic_tree): ...this. Port from
svalue_id to const svalue *.
(impl_sm_context::is_zero_assignment): New.
(impl_sm_context::m_change): Delete field.
(leak_stmt_finder::find_stmt): Handle m_var being NULL.
(readability): Increase penalty for MEM_REF. For SSA_NAMEs,
slightly favor the underlying var over the SSA name. Heavily
penalize temporaries. Handle RESULT_DECL.
(readability_comparator): Make non-static. Consider stack depths.
(impl_region_model_context::on_state_leak): Convert from svalue_id
to const svalue *, updating for region_model changes. Use
id_equal.
(impl_region_model_context::on_inherited_svalue): Delete.
(impl_region_model_context::on_cast): Delete.
(impl_region_model_context::on_condition): Drop m_change.
(impl_region_model_context::on_phi): Likewise.
(impl_region_model_context::on_unexpected_tree_code): Handle t
being NULL.
(point_and_state::validate): Update stack checking for
region_model changes.
(eg_traits::dump_args_t::show_enode_details_p): New.
(exploded_node::exploded_node): Initialize m_num_processed_stmts.
(exploded_node::get_processed_stmt): New function.
(exploded_node::get_dot_fillcolor): Add more colors.
(exploded_node::dump_dot): Guard the printing of the point and
state with show_enode_details_p. Print the processed stmts for
this enode after the initial state.
(exploded_node::dump_to_pp): Pass true for new multiline param
of program_state::dump_to_pp.
(exploded_node::on_stmt): Drop "change" param. Log the stmt.
Set input_location. Implement __analyzer_describe. Update
implementation of __analyzer_dump and __analyzer_eval.
Remove purging of sm-state for unknown fncalls from here.
(exploded_node::on_edge): Drop "change" param.
(exploded_node::on_longjmp): Port from region_id/svalue_id to
const region */const svalue *. Call program_state::detect_leaks.
Drop state_change.
(exploded_node::detect_leaks): Update for changes to region_model.
Call program_state::detect_leaks.
(exploded_edge::exploded_edge): Drop ext_state and change params.
(exploded_edge::dump_dot): "args" is no longer used. Drop dumping
of m_change.
(exploded_graph::exploded_graph): Pass engine to
m_diagnostic_manager ctor. Use program_point::origin.
(exploded_graph::add_function_entry): Drop ctxt. Use
program_state::push_frame. Drop state_change.
(exploded_graph::get_or_create_node): Drop "change" param. Add
"enode_for_diag" param. Update dumping calls for API changes.
Pass point to can_merge_with_p. Show enode indices
within -Wanalyzer-too-complex diagnostic for hitting the per-point
limit.
(exploded_graph::add_edge): Drop "change" param. Log which nodes
are being connected. Update for changes to exploded_edge ctor.
(exploded_graph::get_per_program_point_data): New.
(exploded_graph::process_worklist): Pass point to
can_merge_with_p. Drop state_change. Update dumping call for API
change.
(exploded_graph::process_node): Drop state_change. Split the
node in-place if an sm-state-change occurs. Update
m_num_processed_stmts. Update dumping calls for API change.
(exploded_graph::log_stats): Call engine::log_stats.
(exploded_graph::dump_states_for_supernode): Update dumping
call.
(exploded_path::feasible_p): Add "eng" and "eg" params.
Rename "i" to "end_idx". Pass the manager to the region_model
ctor. Update for every processed stmt in the enode, not just the
first. Keep track of which snodes have been visited, and call
loop_replay_fixup when revisiting one.
(enode_label::get_text): Update dump call for new param.
(exploded_graph::dump_exploded_nodes): Likewise.
(exploded_graph::get_node_by_index): New.
(impl_run_checkers): Create engine instance and pass its address
to extrinsic_state ctor.
* exploded-graph.h
(impl_region_model_context::impl_region_model_context): Drop
"change" params.
(impl_region_model_context::void remap_svalue_ids): Delete.
(impl_region_model_context::on_svalue_purge): Delete.
(impl_region_model_context::on_svalue_leak): New.
(impl_region_model_context::on_liveness_change): New.
(impl_region_model_context::on_state_leak): Update signature.
(impl_region_model_context::on_inherited_svalue): Delete.
(impl_region_model_context::on_cast): Delete.
(impl_region_model_context::on_unknown_change): Update signature.
(impl_region_model_context::m_change): Delete.
(eg_traits::dump_args_t::show_enode_details_p): New.
(exploded_node::on_stmt): Drop "change" param.
(exploded_node::on_edge): Likewise.
(exploded_node::get_processed_stmt): New decl.
(exploded_node::m_num_processed_stmts): New field.
(exploded_edge::exploded_edge): Drop ext_state and change params.
(exploded_edge::m_change): Delete.
(exploded_graph::get_engine): New accessor.
(exploded_graph::get_or_create_node): Drop "change" param. Add
"enode_for_diag" param.
(exploded_graph::add_edge): Drop "change" param.
(exploded_graph::get_per_program_point_data): New decl.
(exploded_graph::get_node_by_index): New decl.
(exploded_path::feasible_p): Add "eng" and "eg" params.
* program-point.cc: Include "analyzer/store.h" before including
"analyzer/region-model.h".
(function_point::function_point): Move here from
program-point.h.
(function_point::get_function): Likewise.
(function_point::from_function_entry): Likewise.
(function_point::before_supernode): Likewise.
(function_point::next_stmt): New function.
* program-point.h (function_point::function_point): Move
implementation from here to program-point.cc.
(function_point::get_function): Likewise.
(function_point::from_function_entry): Likewise.
(function_point::before_supernode): Likewise.
(function_point::next_stmt): New decl.
(program_point::operator!=): New.
(program_point::origin): New.
(program_point::next_stmt): New.
(program_point::m_function_point): Make non-const.
* program-state.cc: Move includes of "analyzer/call-string.h" and
"analyzer/program-point.h" to before "analyzer/region-model.h",
and also include "analyzer/store.h" before it.
(extrinsic_state::get_model_manager): New.
(sm_state_map::sm_state_map): Pass in sm and sm_idx to ctor,
rather than pass them around.
(sm_state_map::clone_with_remapping): Delete.
(sm_state_map::print): Remove "sm" param in favor of "m_sm". Add
"simple" and "multiline" params and support multiline vs single
line dumping.
(sm_state_map::dump): Remove "sm" param in favor of "m_sm". Add
"simple" param.
(sm_state_map::hash): Port from svalue_id to const svalue *.
(sm_state_map::operator==): Likewise.
(sm_state_map::get_state): Likewise. Call canonicalize_svalue on
input. Handle inheritance of sm-state. Call get_default_state.
(sm_state_map::get_origin): Port from svalue_id to const svalue *.
(sm_state_map::set_state): Likewise. Pass in ext_state. Reject
attempts to set state on UNKNOWN.
(sm_state_map::impl_set_state): Port from svalue_id to
const svalue *. Pass in ext_state. Call canonicalize_svalue on
input.
(sm_state_map::purge_for_unknown_fncall): Delete.
(sm_state_map::on_svalue_leak): New.
(sm_state_map::remap_svalue_ids): Delete.
(sm_state_map::on_liveness_change): New.
(sm_state_map::on_unknown_change): Reimplement.
(sm_state_map::on_svalue_purge): Delete.
(sm_state_map::on_inherited_svalue): Delete.
(sm_state_map::on_cast): Delete.
(sm_state_map::validate): Delete.
(sm_state_map::canonicalize_svalue): New.
(program_state::program_state): Update to pass manager to
region_model's ctor. Constify num_states and pass state machine
and index to sm_state_map ctor.
(program_state::print): Update for changes to dump API.
(program_state::dump_to_pp): Ignore the summarize param. Add
"multiline" param.
(program_state::dump_to_file): Add "multiline" param.
(program_state::dump): Pass "true" for new "multiline" param.
(program_state::push_frame): New.
(program_state::on_edge): Drop "change" param. Call
program_state::detect_leaks.
(program_state::prune_for_point): Add enode_for_diag param.
Reimplement based on store class. Call detect_leaks.
(program_state::remap_svalue_ids): Delete.
(program_state::get_representative_tree): Port from svalue_id to
const svalue *.
(program_state::can_merge_with_p): Add "point" param. Add early
reject for sm-differences. Drop id remapping.
(program_state::validate): Drop region model and sm_state_map
validation.
(state_change::sm_change::dump): Delete.
(state_change::sm_change::remap_svalue_ids): Delete.
(state_change::sm_change::on_svalue_purge): Delete.
(log_set_of_svalues): New.
(state_change::sm_change::validate): Delete.
(state_change::state_change): Delete.
(state_change::add_sm_change): Delete.
(state_change::affects_p): Delete.
(state_change::dump): Delete.
(state_change::remap_svalue_ids): Delete.
(state_change::on_svalue_purge): Delete.
(state_change::validate): Delete.
(selftest::assert_dump_eq): Delete.
(ASSERT_DUMP_EQ): Delete.
(selftest::test_sm_state_map): Update for changes to region_model
and sm_state_map, porting from svalue_id to const svalue *.
(selftest::test_program_state_dumping): Likewise. Drop test of
dumping, renaming to...
(selftest::test_program_state_1): ...this.
(selftest::test_program_state_dumping_2): Likewise, renaming to...
(selftest::test_program_state_2): ...this.
(selftest::test_program_state_merging): Update for changes to
region_model.
(selftest::test_program_state_merging_2): Likewise.
(selftest::analyzer_program_state_cc_tests): Update for renamed
tests.
* program-state.h (extrinsic_state::extrinsic_state): Add logger
and engine params.
(extrinsic_state::get_logger): New accessor.
(extrinsic_state::get_engine): New accessor.
(extrinsic_state::get_model_manager): New accessor.
(extrinsic_state::m_logger): New field.
(extrinsic_state::m_engine): New field.
(struct default_hash_traits<svalue_id>): Delete.
(pod_hash_traits<svalue_id>::hash): Delete.
(pod_hash_traits<svalue_id>::equal): Delete.
(pod_hash_traits<svalue_id>::mark_deleted): Delete.
(pod_hash_traits<svalue_id>::mark_empty): Delete.
(pod_hash_traits<svalue_id>::is_deleted): Delete.
(pod_hash_traits<svalue_id>::is_empty): Delete.
(sm_state_map::entry_t::entry_t): Port from svalue_id to
const svalue *.
(sm_state_map::entry_t::m_origin): Likewise.
(sm_state_map::map_t): Likewise.
(sm_state_map::sm_state_map): Add state_machine and index params.
(sm_state_map::clone_with_remapping): Delete.
(sm_state_map::print): Drop sm param; add simple and multiline
params.
(sm_state_map::dump): Drop sm param; add simple param.
(sm_state_map::get_state): Port from svalue_id to const svalue *.
Add ext_state param.
(sm_state_map::get_origin): Likewise.
(sm_state_map::set_state): Likewise.
(sm_state_map::impl_set_state): Likewise.
(sm_state_map::purge_for_unknown_fncall): Delete.
(sm_state_map::remap_svalue_ids): Delete.
(sm_state_map::on_svalue_purge): Delete.
(sm_state_map::on_svalue_leak): New.
(sm_state_map::on_liveness_change): New.
(sm_state_map::on_inherited_svalue): Delete.
(sm_state_map::on_cast): Delete.
(sm_state_map::validate): Delete.
(sm_state_map::on_unknown_change): Port from svalue_id to
const svalue *. Add is_mutable and ext_state params.
(sm_state_map::canonicalize_svalue): New.
(sm_state_map::m_sm): New field.
(sm_state_map::m_sm_idx): New field.
(program_state::operator=): Delete.
(program_state::dump_to_pp): Drop "summarize" param, adding
"simple" and "multiline".
(program_state::dump_to_file): Likewise.
(program_state::dump): Rename "summarize" to "simple".
(program_state::push_frame): New.
(program_state::get_current_function): New.
(program_state::on_edge): Drop "change" param.
(program_state::prune_for_point): Likewise. Add enode_for_diag
param.
(program_state::remap_svalue_ids): Delete.
(program_state::get_representative_tree): Port from svalue_id to
const svalue *.
(program_state::can_purge_p): Likewise. Pass ext_state to get_state.
(program_state::can_merge_with_p): Add point param.
(program_state::detect_leaks): New.
(state_change_visitor::on_state_change): Port from tree and
svalue_id to a pair of const svalue *.
(class state_change): Delete.
* region.cc: New file.
* region-model-impl-calls.cc: New file.
* region-model-manager.cc: New file.
* region-model-reachability.cc: New file.
* region-model-reachability.h: New file.
* region-model.cc: Include "analyzer/call-string.h",
"analyzer/program-point.h", and "analyzer/store.h" before
"analyzer/region-model.h". Include
"analyzer/region-model-reachability.h".
(dump_tree): Make non-static.
(dump_quoted_tree): Make non-static.
(print_quoted_type): Make non-static.
(path_var::dump): Delete.
(dump_separator): Delete.
(class impl_constraint_manager): Delete.
(svalue_id::print): Delete.
(svalue_id::dump_node_name_to_pp): Delete.
(svalue_id::validate): Delete.
(region_id::print): Delete.
(region_id::dump_node_name_to_pp): Delete.
(region_id::validate): Delete.
(region_id_set::region_id_set): Delete.
(svalue_id_set::svalue_id_set): Delete.
(svalue::operator==): Delete.
(svalue::hash): Delete.
(svalue::print): Delete.
(svalue::dump_dot_to_pp): Delete.
(svalue::remap_region_ids): Delete.
(svalue::walk_for_canonicalization): Delete.
(svalue::get_child_sid): Delete.
(svalue::maybe_get_constant): Delete.
(region_svalue::compare_fields): Delete.
(region_svalue::add_to_hash): Delete.
(region_svalue::print_details): Delete.
(region_svalue::dump_dot_to_pp): Delete.
(region_svalue::remap_region_ids): Delete.
(region_svalue::merge_values): Delete.
(region_svalue::walk_for_canonicalization): Delete.
(region_svalue::eval_condition): Delete.
(constant_svalue::compare_fields): Delete.
(constant_svalue::add_to_hash): Delete.
(constant_svalue::merge_values): Delete.
(constant_svalue::eval_condition): Move to svalue.cc.
(constant_svalue::print_details): Delete.
(constant_svalue::get_child_sid): Delete.
(unknown_svalue::compare_fields): Delete.
(unknown_svalue::add_to_hash): Delete.
(unknown_svalue::print_details): Delete.
(poison_kind_to_str): Move to svalue.cc.
(poisoned_svalue::compare_fields): Delete.
(poisoned_svalue::add_to_hash): Delete.
(poisoned_svalue::print_details): Delete.
(region_kind_to_str): Move to region.cc and reimplement.
(region::operator==): Delete.
(region::get_parent_region): Delete.
(region::set_value): Delete.
(region::become_active_view): Delete.
(region::deactivate_any_active_view): Delete.
(region::deactivate_view): Delete.
(region::get_value): Delete.
(region::get_inherited_child_sid): Delete.
(region_model::copy_region): Delete.
(region_model::copy_struct_region): Delete.
(region_model::copy_union_region): Delete.
(region_model::copy_array_region): Delete.
(region::hash): Delete.
(region::print): Delete.
(region::dump_dot_to_pp): Delete.
(region::dump_to_pp): Delete.
(region::dump_child_label): Delete.
(region::validate): Delete.
(region::remap_svalue_ids): Delete.
(region::remap_region_ids): Delete.
(region::add_view): Delete.
(region::get_view): Delete.
(region::region): Move to region.cc.
(region::add_to_hash): Delete.
(region::print_fields): Delete.
(region::non_null_p): Delete.
(primitive_region::clone): Delete.
(primitive_region::walk_for_canonicalization): Delete.
(map_region::map_region): Delete.
(map_region::compare_fields): Delete.
(map_region::print_fields): Delete.
(map_region::validate): Delete.
(map_region::dump_dot_to_pp): Delete.
(map_region::dump_child_label): Delete.
(map_region::get_or_create): Delete.
(map_region::get): Delete.
(map_region::add_to_hash): Delete.
(map_region::remap_region_ids): Delete.
(map_region::unbind): Delete.
(map_region::get_tree_for_child_region): Delete.
(map_region::get_tree_for_child_region): Delete.
(tree_cmp): Move to region.cc.
(map_region::can_merge_p): Delete.
(map_region::walk_for_canonicalization): Delete.
(map_region::get_value_by_name): Delete.
(struct_or_union_region::valid_key_p): Delete.
(struct_or_union_region::compare_fields): Delete.
(struct_region::clone): Delete.
(struct_region::compare_fields): Delete.
(union_region::clone): Delete.
(union_region::compare_fields): Delete.
(frame_region::compare_fields): Delete.
(frame_region::clone): Delete.
(frame_region::valid_key_p): Delete.
(frame_region::print_fields): Delete.
(frame_region::add_to_hash): Delete.
(globals_region::compare_fields): Delete.
(globals_region::clone): Delete.
(globals_region::valid_key_p): Delete.
(code_region::compare_fields): Delete.
(code_region::clone): Delete.
(code_region::valid_key_p): Delete.
(array_region::array_region): Delete.
(array_region::get_element): Delete.
(array_region::clone): Delete.
(array_region::compare_fields): Delete.
(array_region::print_fields): Delete.
(array_region::validate): Delete.
(array_region::dump_dot_to_pp): Delete.
(array_region::dump_child_label): Delete.
(array_region::get_or_create): Delete.
(array_region::get): Delete.
(array_region::add_to_hash): Delete.
(array_region::remap_region_ids): Delete.
(array_region::get_key_for_child_region): Delete.
(array_region::key_cmp): Delete.
(array_region::walk_for_canonicalization): Delete.
(array_region::key_from_constant): Delete.
(array_region::constant_from_key): Delete.
(function_region::compare_fields): Delete.
(function_region::clone): Delete.
(function_region::valid_key_p): Delete.
(stack_region::stack_region): Delete.
(stack_region::compare_fields): Delete.
(stack_region::clone): Delete.
(stack_region::print_fields): Delete.
(stack_region::dump_child_label): Delete.
(stack_region::validate): Delete.
(stack_region::push_frame): Delete.
(stack_region::get_current_frame_id): Delete.
(stack_region::pop_frame): Delete.
(stack_region::add_to_hash): Delete.
(stack_region::remap_region_ids): Delete.
(stack_region::can_merge_p): Delete.
(stack_region::walk_for_canonicalization): Delete.
(stack_region::get_value_by_name): Delete.
(heap_region::heap_region): Delete.
(heap_region::compare_fields): Delete.
(heap_region::clone): Delete.
(heap_region::walk_for_canonicalization): Delete.
(root_region::root_region): Delete.
(root_region::compare_fields): Delete.
(root_region::clone): Delete.
(root_region::print_fields): Delete.
(root_region::validate): Delete.
(root_region::dump_child_label): Delete.
(root_region::push_frame): Delete.
(root_region::get_current_frame_id): Delete.
(root_region::pop_frame): Delete.
(root_region::ensure_stack_region): Delete.
(root_region::get_stack_region): Delete.
(root_region::ensure_globals_region): Delete.
(root_region::get_code_region): Delete.
(root_region::ensure_code_region): Delete.
(root_region::get_globals_region): Delete.
(root_region::ensure_heap_region): Delete.
(root_region::get_heap_region): Delete.
(root_region::remap_region_ids): Delete.
(root_region::can_merge_p): Delete.
(root_region::add_to_hash): Delete.
(root_region::walk_for_canonicalization): Delete.
(root_region::get_value_by_name): Delete.
(symbolic_region::symbolic_region): Delete.
(symbolic_region::compare_fields): Delete.
(symbolic_region::clone): Delete.
(symbolic_region::walk_for_canonicalization): Delete.
(symbolic_region::print_fields): Delete.
(region_model::region_model): Add region_model_manager * param.
Reimplement in terms of store, dropping impl_constraint_manager
subclass.
8349 (region_model::operator=): Reimplement in terms of store
8350 (region_model::operator==): Likewise.
8351 (region_model::hash): Likewise.
8352 (region_model::print): Delete.
8353 (region_model::print_svalue): Delete.
8354 (region_model::dump_dot_to_pp): Delete.
8355 (region_model::dump_dot_to_file): Delete.
8356 (region_model::dump_dot): Delete.
8357 (region_model::dump_to_pp): Replace "summarize" param with
8358 "simple" and "multiline". Port to store-based implementation.
8359 (region_model::dump): Replace "summarize" param with "simple" and
8360 "multiline".
8361 (dump_vec_of_tree): Delete.
8362 (region_model::dump_summary_of_rep_path_vars): Delete.
8363 (region_model::validate): Delete.
8364 (svalue_id_cmp_by_constant_svalue_model): Delete.
8365 (svalue_id_cmp_by_constant_svalue): Delete.
8366 (region_model::canonicalize): Drop "ctxt" param. Reimplement in
8367 terms of store and constraints.
8368 (region_model::canonicalized_p): Remove NULL arg to canonicalize.
8369 (region_model::loop_replay_fixup): New.
8370 (poisoned_value_diagnostic::emit): Tweak wording of warnings.
8371 (region_model::check_for_poison): Delete.
8372 (region_model::get_gassign_result): New.
8373 (region_model::on_assignment): Port to store-based implementation.
8374 (region_model::on_call_pre): Delete calls to check_for_poison.
8375 Move implementations to region-model-impl-calls.c and port to
8376 store-based implementation.
8377 (region_model::on_call_post): Likewise.
8378 (class reachable_regions): Move to region-model-reachability.h/cc
8379 and port to store-based implementation.
8380 (region_model::handle_unrecognized_call): Port to store-based
8381 implementation.
8382 (region_model::get_reachable_svalues): New.
8383 (region_model::on_setjmp): Port to store-based implementation.
8384 (region_model::on_longjmp): Likewise.
8385 (region_model::handle_phi): Drop is_back_edge param and the logic
8386 using it.
8387 (region_model::get_lvalue_1): Port from region_id to const region *.
8388 (region_model::make_region_for_unexpected_tree_code): Delete.
8389 (assert_compat_types): If the check fails, use internal_error to
8390 show the types.
8391 (region_model::get_lvalue): Port from region_id to const region *.
8392 (region_model::get_rvalue_1): Port from svalue_id to const svalue *.
8393 (region_model::get_rvalue): Likewise.
8394 (region_model::get_or_create_ptr_svalue): Delete.
8395 (region_model::get_or_create_constant_svalue): Delete.
8396 (region_model::get_svalue_for_fndecl): Delete.
8397 (region_model::get_region_for_fndecl): Delete.
8398 (region_model::get_svalue_for_label): Delete.
8399 (region_model::get_region_for_label): Delete.
8400 (build_cast): Delete.
8401 (region_model::maybe_cast_1): Delete.
8402 (region_model::maybe_cast): Delete.
8403 (region_model::get_field_region): Delete.
8404 (region_model::get_store_value): New.
8405 (region_model::region_exists_p): New.
8406 (region_model::deref_rvalue): Port from svalue_id to const svalue *.
8407 (region_model::set_value): Likewise.
8408 (region_model::clobber_region): New.
8409 (region_model::purge_region): New.
8410 (region_model::zero_fill_region): New.
8411 (region_model::mark_region_as_unknown): New.
8412 (region_model::eval_condition): Port from svalue_id to
8413 const svalue *.
8414 (region_model::eval_condition_without_cm): Likewise.
8415 (region_model::compare_initial_and_pointer): New.
8416 (region_model::add_constraint): Port from svalue_id to
8417 const svalue *.
8418 (region_model::maybe_get_constant): Delete.
8419 (region_model::get_representative_path_var): New.
8420 (region_model::add_new_malloc_region): Delete.
8421 (region_model::get_representative_tree): Port to const svalue *.
8422 (region_model::get_representative_path_var): Port to
8423 const region *.
8424 (region_model::get_path_vars_for_svalue): Delete.
8425 (region_model::set_to_new_unknown_value): Delete.
8426 (region_model::update_for_phis): Don't pass is_back_edge to handle_phi.
8427 (region_model::update_for_call_superedge): Port from svalue_id to
8428 const svalue *.
8429 (region_model::update_for_return_superedge): Port to store-based
8430 implementation.
8431 (region_model::update_for_call_summary): Replace
8432 set_to_new_unknown_value with mark_region_as_unknown.
8433 (region_model::get_root_region): Delete.
8434 (region_model::get_stack_region_id): Delete.
8435 (region_model::push_frame): Delete.
8436 (region_model::get_current_frame_id): Delete.
8437 (region_model::get_current_function): Delete.
8438 (region_model::pop_frame): Delete.
8439 (region_model::on_top_level_param): New.
8440 (region_model::get_stack_depth): Delete.
8441 (region_model::get_function_at_depth): Delete.
8442 (region_model::get_globals_region_id): Delete.
8443 (region_model::add_svalue): Delete.
8444 (region_model::replace_svalue): Delete.
8445 (region_model::add_region): Delete.
8446 (region_model::get_svalue): Delete.
8447 (region_model::get_region): Delete.
8448 (make_region_for_type): Delete.
8449 (region_model::add_region_for_type): Delete.
8450 (region_model::on_top_level_param): New.
8451 (class restrict_to_used_svalues): Delete.
8452 (region_model::purge_unused_svalues): Delete.
8453 (region_model::push_frame): New.
8454 (region_model::remap_svalue_ids): Delete.
8455 (region_model::remap_region_ids): Delete.
8456 (region_model::purge_regions): Delete.
8457 (region_model::get_descendents): Delete.
8458 (region_model::delete_region_and_descendents): Delete.
8459 (region_model::poison_any_pointers_to_bad_regions): Delete.
8460 (region_model::can_merge_with_p): Delete.
8461 (region_model::get_current_function): New.
8462 (region_model::get_value_by_name): Delete.
8463 (region_model::convert_byte_offset_to_array_index): Delete.
8464 (region_model::pop_frame): New.
8465 (region_model::get_or_create_mem_ref): Delete.
8466 (region_model::get_stack_depth): New.
8467 (region_model::get_frame_at_index): New.
8468 (region_model::unbind_region_and_descendents): New.
8469 (struct bad_pointer_finder): New.
8470 (region_model::get_or_create_pointer_plus_expr): Delete.
8471 (region_model::poison_any_pointers_to_descendents): New.
8472 (region_model::get_or_create_view): Delete.
8473 (region_model::can_merge_with_p): New.
8474 (region_model::get_fndecl_for_call): Port from svalue_id to
8475 const svalue *.
8476 (struct append_ssa_names_cb_data): New.
8477 (get_ssa_name_regions_for_current_frame): New.
8478 (region_model::append_ssa_names_cb): New.
8479 (model_merger::dump_to_pp): Add "simple" param. Drop dumping of
8480 remappings.
8481 (model_merger::dump): Add "simple" param to both overloads.
8482 (model_merger::can_merge_values_p): Delete.
8483 (model_merger::record_regions): Delete.
8484 (model_merger::record_svalues): Delete.
8485 (svalue_id_merger_mapping::svalue_id_merger_mapping): Delete.
8486 (svalue_id_merger_mapping::dump_to_pp): Delete.
8487 (svalue_id_merger_mapping::dump): Delete.
8488 (region_model::create_region_for_heap_alloc): New.
8489 (region_model::create_region_for_alloca): New.
8490 (region_model::record_dynamic_extents): New.
8491 (canonicalization::canonicalization): Delete.
8492 (canonicalization::walk_rid): Delete.
8493 (canonicalization::walk_sid): Delete.
8494 (canonicalization::dump_to_pp): Delete.
8495 (canonicalization::dump): Delete.
8496 (inchash::add): Delete overloads for svalue_id and region_id.
8497 (engine::log_stats): New.
8498 (assert_condition): Add overload comparing svalues.
8499 (assert_dump_eq): Pass "true" for multiline.
8500 (selftest::test_dump): Update for rewrite of region_model.
8501 (selftest::test_dump_2): Rename to...
8502 (selftest::test_struct): ...this. Provide a region_model_manager
8503 when creating region_model instance. Remove dump test. Add
8504 checks for get_offset.
8505 (selftest::test_dump_3): Rename to...
8506 (selftest::test_array_1): ...this. Provide a region_model_manager
8507 when creating region_model instance. Remove dump test.
8508 (selftest::test_get_representative_tree): Port from svalue_id to
8509 new API. Add test coverage for various expressions.
8510 (selftest::test_unique_constants): Provide a region_model_manager
8511 for the region_model. Add test coverage for comparing const vs
8512 non-const.
8513 (selftest::test_svalue_equality): Delete.
8514 (selftest::test_region_equality): Delete.
8515 (selftest::test_unique_unknowns): New.
8516 (class purge_all_svalue_ids): Delete.
8517 (class purge_one_svalue_id): Delete.
8518 (selftest::test_purging_by_criteria): Delete.
8519 (selftest::test_initial_svalue_folding): New.
8520 (selftest::test_unaryop_svalue_folding): New.
8521 (selftest::test_binop_svalue_folding): New.
8522 (selftest::test_sub_svalue_folding): New.
8523 (selftest::test_purge_unused_svalues): Delete.
8524 (selftest::test_descendent_of_p): New.
8525 (selftest::test_assignment): Provide a region_model_manager for
8526 the region_model. Drop the dump test.
8527 (selftest::test_compound_assignment): Likewise.
8528 (selftest::test_stack_frames): Port to new implementation.
8529 (selftest::test_get_representative_path_var): Likewise.
8530 (selftest::test_canonicalization_1): Rename to...
8531 (selftest::test_equality_1): ...this. Port to new API, and add
8532 (selftest::test_canonicalization_2): Provide a
8533 region_model_manager when creating region_model instances.
8534 Remove redundant canicalization.
8535 (selftest::test_canonicalization_3): Provide a
8536 region_model_manager when creating region_model instances.
8537 Remove param from calls to region_model::canonicalize.
8538 (selftest::test_canonicalization_4): Likewise.
8539 (selftest::assert_region_models_merge): Constify
8540 out_merged_svalue. Port to new API.
8541 (selftest::test_state_merging): Provide a
8542 region_model_manager when creating region_model instances.
8543 Provide a program_point point when merging them. Replace
8544 set_to_new_unknown_value with usage of placeholder_svalues.
8545 Drop get_value_by_name. Port from svalue_id to const svalue *.
8546 Add test of heap allocation.
8547 (selftest::test_constraint_merging): Provide a
8548 region_model_manager when creating region_model instances.
8549 Provide a program_point point when merging them. Eliminate use
8550 of set_to_new_unknown_value.
8551 (selftest::test_widening_constraints): New.
8552 (selftest::test_iteration_1): New.
8553 (selftest::test_malloc_constraints): Port to store-based
8554 implementation.
8555 (selftest::test_var): New test.
8556 (selftest::test_array_2): New test.
8557 (selftest::test_mem_ref): New test.
8558 (selftest::test_POINTER_PLUS_EXPR_then_MEM_REF): New.
8559 (selftest::test_malloc): New.
8560 (selftest::test_alloca): New.
8561 (selftest::analyzer_region_model_cc_tests): Update for renamings.
8562 Call new functions.
8563 * region-model.h (class path_var): Move to analyzer.h.
8564 (class svalue_id): Delete.
8565 (class region_id): Delete.
8566 (class id_map): Delete.
8567 (svalue_id_map): Delete.
8568 (region_id_map): Delete.
8569 (id_map<T>::id_map): Delete.
8570 (id_map<T>::put): Delete.
8571 (id_map<T>::get_dst_for_src): Delete.
8572 (id_map<T>::get_src_for_dst): Delete.
8573 (id_map<T>::dump_to_pp): Delete.
8574 (id_map<T>::dump): Delete.
8575 (id_map<T>::update): Delete.
8576 (one_way_svalue_id_map): Delete.
8577 (one_way_region_id_map): Delete.
8578 (class region_id_set): Delete.
8579 (class svalue_id_set): Delete.
8580 (struct complexity): New.
8581 (class visitor): New.
8582 (enum svalue_kind): Add SK_SETJMP, SK_INITIAL, SK_UNARYOP,
8583 SK_BINOP, SK_SUB,SK_UNMERGEABLE, SK_PLACEHOLDER, SK_WIDENING,
	SK_COMPOUND, and SK_CONJURED.
	(svalue::operator==): Delete.
	(svalue::operator!=): Delete.
	(svalue::clone): Delete.
	(svalue::hash): Delete.
	(svalue::dump_dot_to_pp): Delete.
	(svalue::dump_to_pp): New.
	(svalue::dump): New.
	(svalue::get_desc): New.
	(svalue::dyn_cast_initial_svalue): New.
	(svalue::dyn_cast_unaryop_svalue): New.
	(svalue::dyn_cast_binop_svalue): New.
	(svalue::dyn_cast_sub_svalue): New.
	(svalue::dyn_cast_unmergeable_svalue): New.
	(svalue::dyn_cast_widening_svalue): New.
	(svalue::dyn_cast_compound_svalue): New.
	(svalue::dyn_cast_conjured_svalue): New.
	(svalue::maybe_undo_cast): New.
	(svalue::unwrap_any_unmergeable): New.
	(svalue::remap_region_ids): Delete.
	(svalue::can_merge_p): New.
	(svalue::walk_for_canonicalization): Delete.
	(svalue::get_complexity): New.
	(svalue::get_child_sid): Delete.
	(svalue::accept): New.
	(svalue::live_p): New.
	(svalue::implicitly_live_p): New.
	(svalue::svalue): Add complexity param.
	(svalue::add_to_hash): Delete.
	(svalue::print_details): Delete.
	(svalue::m_complexity): New field.
	(region_svalue::key_t): New struct.
	(region_svalue::region_svalue): Port from region_id to
	const region_id *. Add complexity.
	(region_svalue::compare_fields): Delete.
	(region_svalue::clone): Delete.
	(region_svalue::dump_dot_to_pp): Delete.
	(region_svalue::get_pointee): Port from region_id to
	const region_id *.
	(region_svalue::remap_region_ids): Delete.
	(region_svalue::merge_values): Delete.
	(region_svalue::dump_to_pp): New.
	(region_svalue::accept): New.
	(region_svalue::walk_for_canonicalization): Delete.
	(region_svalue::eval_condition): Make params const.
	(region_svalue::add_to_hash): Delete.
	(region_svalue::print_details): Delete.
	(region_svalue::m_rid): Replace with...
	(region_svalue::m_reg): ...this.
	(is_a_helper <region_svalue *>::test): Convert to...
	(is_a_helper <const region_svalue *>::test): ...this.
	(template <> struct default_hash_traits<region_svalue::key_t>):
	New.
	(constant_svalue::constant_svalue): Add complexity.
	(constant_svalue::compare_fields): Delete.
	(constant_svalue::clone): Delete.
	(constant_svalue::add_to_hash): Delete.
	(constant_svalue::dump_to_pp): New.
	(constant_svalue::accept): New.
	(constant_svalue::implicitly_live_p): New.
	(constant_svalue::merge_values): Delete.
	(constant_svalue::eval_condition): Make params const.
	(constant_svalue::get_child_sid): Delete.
	(constant_svalue::print_details): Delete.
	(is_a_helper <constant_svalue *>::test): Convert to...
	(is_a_helper <const constant_svalue *>::test): ...this.
	(class unknown_svalue): Update leading comment.
	(unknown_svalue::unknown_svalue): Add complexity.
	(unknown_svalue::compare_fields): Delete.
	(unknown_svalue::add_to_hash): Delete.
	(unknown_svalue::dyn_cast_unknown_svalue): Delete.
	(unknown_svalue::print_details): Delete.
	(unknown_svalue::dump_to_pp): New.
	(unknown_svalue::accept): New.
	(poisoned_svalue::key_t): New struct.
	(poisoned_svalue::poisoned_svalue): Add complexity.
	(poisoned_svalue::compare_fields): Delete.
	(poisoned_svalue::clone): Delete.
	(poisoned_svalue::add_to_hash): Delete.
	(poisoned_svalue::dump_to_pp): New.
	(poisoned_svalue::accept): New.
	(poisoned_svalue::print_details): Delete.
	(is_a_helper <poisoned_svalue *>::test): Convert to...
	(is_a_helper <const poisoned_svalue *>::test): ...this.
	(template <> struct default_hash_traits<poisoned_svalue::key_t>):
	New.
	(setjmp_record::add_to_hash): New.
	(setjmp_svalue::key_t): New struct.
	(setjmp_svalue::compare_fields): Delete.
	(setjmp_svalue::clone): Delete.
	(setjmp_svalue::add_to_hash): Delete.
	(setjmp_svalue::setjmp_svalue): Add complexity.
	(setjmp_svalue::dump_to_pp): New.
	(setjmp_svalue::accept): New.
	(setjmp_svalue::void print_details): Delete.
	(is_a_helper <const setjmp_svalue *>::test): New.
	(template <> struct default_hash_traits<setjmp_svalue::key_t>): New.
	(class initial_svalue : public svalue): New.
	(is_a_helper <const initial_svalue *>::test): New.
	(class unaryop_svalue): New.
	(is_a_helper <const unaryop_svalue *>::test): New.
	(template <> struct default_hash_traits<unaryop_svalue::key_t>): New.
	(class binop_svalue): New.
	(is_a_helper <const binop_svalue *>::test): New.
	(template <> struct default_hash_traits<binop_svalue::key_t>): New.
	(class sub_svalue): New.
	(is_a_helper <const sub_svalue *>::test): New.
	(template <> struct default_hash_traits<sub_svalue::key_t>): New.
	(class unmergeable_svalue): New.
	(is_a_helper <const unmergeable_svalue *>::test): New.
	(class placeholder_svalue): New.
	(is_a_helper <placeholder_svalue *>::test): New.
	(class widening_svalue): New.
	(is_a_helper <widening_svalue *>::test): New.
	(template <> struct default_hash_traits<widening_svalue::key_t>): New.
	(class compound_svalue): New.
	(is_a_helper <compound_svalue *>::test): New.
	(template <> struct default_hash_traits<compound_svalue::key_t>): New.
	(class conjured_svalue): New.
	(is_a_helper <conjured_svalue *>::test): New.
	(template <> struct default_hash_traits<conjured_svalue::key_t>): New.
	(enum region_kind): Delete RK_PRIMITIVE, RK_STRUCT, RK_UNION, and
	RK_ARRAY. Add RK_LABEL, RK_DECL, RK_FIELD, RK_ELEMENT, RK_OFFSET,
	RK_CAST, RK_HEAP_ALLOCATED, RK_ALLOCA, RK_STRING, and RK_UNKNOWN.
	(region_kind_to_str): Delete.
	(region::~region): Move implementation to region.cc.
	(region::operator==): Delete.
	(region::operator!=): Delete.
	(region::clone): Delete.
	(region::get_id): New.
	(region::cmp_ids): New.
	(region::dyn_cast_map_region): Delete.
	(region::dyn_cast_array_region): Delete.
	(region::region_id get_parent): Delete.
	(region::get_parent_region): Convert to a simple accessor.
	(region::void set_value): Delete.
	(region::svalue_id get_value): Delete.
	(region::svalue_id get_value_direct): Delete.
	(region::svalue_id get_inherited_child_sid): Delete.
	(region::dyn_cast_frame_region): New.
	(region::dyn_cast_function_region): New.
	(region::dyn_cast_decl_region): New.
	(region::dyn_cast_field_region): New.
	(region::dyn_cast_element_region): New.
	(region::dyn_cast_offset_region): New.
	(region::dyn_cast_cast_region): New.
	(region::dyn_cast_string_region): New.
	(region::accept): New.
	(region::get_base_region): New.
	(region::base_region_p): New.
	(region::descendent_of_p): New.
	(region::maybe_get_frame_region): New.
	(region::maybe_get_decl): New.
	(region::hash): Delete.
	(region::rint): Delete.
	(region::dump_dot_to_pp): Delete.
	(region::get_desc): New.
	(region::dump_to_pp): Convert to vfunc, changing signature.
	(region::dump_child_label): Delete.
	(region::remap_svalue_ids): Delete.
	(region::remap_region_ids): Delete.
	(region::dump): New.
	(region::walk_for_canonicalization): Delete.
	(region::non_null_p): Drop region_model param.
	(region::add_view): Delete.
	(region::get_view): Delete.
	(region::get_active_view): Delete.
	(region::is_view_p): Delete.
	(region::cmp_ptrs): New.
	(region::validate): Delete.
	(region::get_offset): New.
	(region::get_byte_size): New.
	(region::get_bit_size): New.
	(region::get_subregions_for_binding): New.
	(region::region): Add complexity param. Convert parent from
	region_id to const region *. Drop svalue_id. Drop copy ctor.
	(region::symbolic_for_unknown_ptr_p): New.
	(region::add_to_hash): Delete.
	(region::print_fields): Delete.
	(region::get_complexity): New accessor.
	(region::become_active_view): Delete.
	(region::deactivate_any_active_view): Delete.
	(region::deactivate_view): Delete.
	(region::calc_offset): New.
	(region::m_parent_rid): Delete.
	(region::m_sval_id): Delete.
	(region::m_complexity): New.
	(region::m_id): New.
	(region::m_parent): New.
	(region::m_view_rids): Delete.
	(region::m_is_view): Delete.
	(region::m_active_view_rid): Delete.
	(region::m_cached_offset): New.
	(is_a_helper <region *>::test): Convert to...
	(is_a_helper <const region *>::test): ...this.
	(class primitive_region): Delete.
	(class space_region): New.
	(class map_region): Delete.
	(is_a_helper <map_region *>::test): Delete.
	(class frame_region): Reimplement.
	(template <> struct default_hash_traits<frame_region::key_t>):
	New.
	(class globals_region): Reimplement.
	(is_a_helper <globals_region *>::test): Convert to...
	(is_a_helper <const globals_region *>::test): ...this.
	(class struct_or_union_region): Delete.
	(is_a_helper <struct_or_union_region *>::test): Delete.
	(class code_region): Reimplement.
	(is_a_helper <const code_region *>::test): New.
	(class struct_region): Delete.
	(is_a_helper <struct_region *>::test): Delete.
	(class function_region): Reimplement.
	(is_a_helper <function_region *>::test): Convert to...
	(is_a_helper <const function_region *>::test): ...this.
	(class union_region): Delete.
	(is_a_helper <union_region *>::test): Delete.
	(class label_region): New.
	(is_a_helper <const label_region *>::test): New.
	(class scope_region): Delete.
	(class stack_region): Reimplement.
	(is_a_helper <stack_region *>::test): Convert to...
	(is_a_helper <const stack_region *>::test): ...this.
	(class heap_region): Reimplement.
	(is_a_helper <heap_region *>::test): Convert to...
	(is_a_helper <const heap_region *>::test): ...this.
	(class root_region): Reimplement.
	(is_a_helper <root_region *>::test): Convert to...
	(is_a_helper <const root_region *>::test): ...this.
	(class symbolic_region): Reimplement.
	(is_a_helper <const symbolic_region *>::test): New.
	(template <> struct default_hash_traits<symbolic_region::key_t>):
	New.
	(class decl_region): New.
	(is_a_helper <const decl_region *>::test): New.
	(class field_region): New.
	(template <> struct default_hash_traits<field_region::key_t>): New.
	(class array_region): Delete.
	(class element_region): New.
	(is_a_helper <array_region *>::test): Delete.
	(is_a_helper <const element_region *>::test): New.
	(template <> struct default_hash_traits<element_region::key_t>):
	New.
	(class offset_region): New.
	(is_a_helper <const offset_region *>::test): New.
	(template <> struct default_hash_traits<offset_region::key_t>):
	New.
	(class cast_region): New.
	(is_a_helper <const cast_region *>::test): New.
	(template <> struct default_hash_traits<cast_region::key_t>): New.
	(class heap_allocated_region): New.
	(class alloca_region): New.
	(class string_region): New.
	(is_a_helper <const string_region *>::test): New.
	(class unknown_region): New.
	(class region_model_manager): New.
	(struct append_ssa_names_cb_data): New.
	(class call_details): New.
	(region_model::region_model): Add region_model_manager param.
	(region_model::print_svalue): Delete.
	(region_model::dump_dot_to_pp): Delete.
	(region_model::dump_dot_to_file): Delete.
	(region_model::dump_dot): Delete.
	(region_model::dump_to_pp): Drop summarize param in favor of
	simple and multiline.
	(region_model::dump): Likewise.
	(region_model::summarize_to_pp): Delete.
	(region_model::summarize): Delete.
	(region_model::void canonicalize): Drop ctxt param.
	(region_model::void check_for_poison): Delete.
	(region_model::get_gassign_result): New.
	(region_model::impl_call_alloca): New.
	(region_model::impl_call_analyzer_describe): New.
	(region_model::impl_call_analyzer_eval): New.
	(region_model::impl_call_builtin_expect): New.
	(region_model::impl_call_calloc): New.
	(region_model::impl_call_free): New.
	(region_model::impl_call_malloc): New.
	(region_model::impl_call_memset): New.
	(region_model::impl_call_strlen): New.
	(region_model::get_reachable_svalues): New.
	(region_model::handle_phi): Drop is_back_edge param.
	(region_model::region_id get_root_rid): Delete.
	(region_model::root_region *get_root_region): Delete.
	(region_model::region_id get_stack_region_id): Delete.
	(region_model::push_frame): Convert from region_id and svalue_id
	to const region * and const svalue *.
	(region_model::get_current_frame_id): Replace with...
	(region_model::get_current_frame): ...this.
	(region_model::pop_frame): Convert from region_id to
	const region *. Drop purge and stats param. Add out_result.
	(region_model::function *get_function_at_depth): Delete.
	(region_model::get_globals_region_id): Delete.
	(region_model::add_svalue): Delete.
	(region_model::replace_svalue): Delete.
	(region_model::add_region): Delete.
	(region_model::add_region_for_type): Delete.
	(region_model::get_svalue): Delete.
	(region_model::get_region): Delete.
	(region_model::get_lvalue): Convert from region_id to
	const region *.
	(region_model::get_rvalue): Convert from svalue_id to
	const svalue *.
	(region_model::get_or_create_ptr_svalue): Delete.
	(region_model::get_or_create_constant_svalue): Delete.
	(region_model::get_svalue_for_fndecl): Delete.
	(region_model::get_svalue_for_label): Delete.
	(region_model::get_region_for_fndecl): Delete.
	(region_model::get_region_for_label): Delete.
	(region_model::get_frame_at_index (int index) const;): New.
	(region_model::maybe_cast): Delete.
	(region_model::maybe_cast_1): Delete.
	(region_model::get_field_region): Delete.
	(region_model::id deref_rvalue): Convert from region_id and
	svalue_id to const region * and const svalue *. Drop overload,
	passing in both a tree and an svalue.
	(region_model::set_value): Convert from region_id and svalue_id to
	const region * and const svalue *.
	(region_model::set_to_new_unknown_value): Delete.
	(region_model::clobber_region (const region *reg);): New.
	(region_model::purge_region (const region *reg);): New.
	(region_model::zero_fill_region (const region *reg);): New.
	(region_model::mark_region_as_unknown (const region *reg);): New.
	(region_model::copy_region): Convert from region_id to
	const region *.
	(region_model::eval_condition): Convert from svalue_id to
	const svalue *.
	(region_model::eval_condition_without_cm): Likewise.
	(region_model::compare_initial_and_pointer): New.
	(region_model::maybe_get_constant): Delete.
	(region_model::add_new_malloc_region): Delete.
	(region_model::get_representative_tree): Convert from svalue_id to
	const svalue *.
	(region_model::get_representative_path_var): Delete decl taking a
	region_id in favor of two decls, for svalue vs region, with an
	svalue_set to ensure termination.
	(region_model::get_path_vars_for_svalue): Delete.
	(region_model::create_region_for_heap_alloc): New.
	(region_model::create_region_for_alloca): New.
	(region_model::purge_unused_svalues): Delete.
	(region_model::remap_svalue_ids): Delete.
	(region_model::remap_region_ids): Delete.
	(region_model::purge_regions): Delete.
	(region_model::get_num_svalues): Delete.
	(region_model::get_num_regions): Delete.
	(region_model::get_descendents): Delete.
	(region_model::get_store): New.
	(region_model::delete_region_and_descendents): Delete.
	(region_model::get_manager): New.
	(region_model::unbind_region_and_descendents): New.
	(region_model::can_merge_with_p): Add point param. Drop
	svalue_id_merger_mapping.
	(region_model::get_value_by_name): Delete.
	(region_model::convert_byte_offset_to_array_index): Delete.
	(region_model::get_or_create_mem_ref): Delete.
	(region_model::get_or_create_pointer_plus_expr): Delete.
	(region_model::get_or_create_view): Delete.
	(region_model::get_lvalue_1): Convert from region_id to
	const region *.
	(region_model::get_rvalue_1): Convert from svalue_id to
	const svalue *.
	(region_model::get_ssa_name_regions_for_current_frame): New.
	(region_model::append_ssa_names_cb): New.
	(region_model::get_store_value): New.
	(region_model::copy_struct_region): Delete.
	(region_model::copy_union_region): Delete.
	(region_model::copy_array_region): Delete.
	(region_model::region_exists_p): New.
	(region_model::make_region_for_unexpected_tree_code): Delete.
	(region_model::loop_replay_fixup): New.
	(region_model::poison_any_pointers_to_bad_regions): Delete.
	(region_model::poison_any_pointers_to_descendents): New.
	(region_model::dump_summary_of_rep_path_vars): Delete.
	(region_model::on_top_level_param): New.
	(region_model::record_dynamic_extents): New.
	(region_model::m_mgr;): New.
	(region_model::m_store;): New.
	(region_model::m_svalues;): Delete.
	(region_model::m_regions;): Delete.
	(region_model::m_root_rid;): Delete.
	(region_model::m_current_frame;): New.
	(region_model_context::remap_svalue_ids): Delete.
	(region_model_context::can_purge_p): Delete.
	(region_model_context::on_svalue_leak): New.
	(region_model_context::on_svalue_purge): Delete.
	(region_model_context::on_liveness_change): New.
	(region_model_context::on_inherited_svalue): Delete.
	(region_model_context::on_cast): Delete.
	(region_model_context::on_unknown_change): Convert from svalue_id to
	const svalue * and add is_mutable.
	(class noop_region_model_context): Update for region_model_context
	changes.
	(model_merger::model_merger): Add program_point. Drop
	svalue_id_merger_mapping.
	(model_merger::dump_to_pp): Add "simple" param.
	(model_merger::dump): Likewise.
	(model_merger::get_region_a): Delete.
	(model_merger::get_region_b): Delete.
	(model_merger::can_merge_values_p): Delete.
	(model_merger::record_regions): Delete.
	(model_merger::record_svalues): Delete.
	(model_merger::m_point): New field.
	(model_merger::m_map_regions_from_a_to_m): Delete.
	(model_merger::m_map_regions_from_b_to_m): Delete.
	(model_merger::m_sid_mapping): Delete.
	(struct svalue_id_merger_mapping): Delete.
	(class engine): New.
	(struct canonicalization): Delete.
	(inchash::add): Delete decls for hashing svalue_id and region_id.
	(test_region_model_context::on_unexpected_tree_code): Require t to
	be non-NULL.
	(selftest::assert_condition): Add overload comparing a pair of
	const svalue *.
	* sm-file.cc: Include "tristate.h", "selftest.h",
	"analyzer/call-string.h", "analyzer/program-point.h",
	"analyzer/store.h", and "analyzer/region-model.h".
	(fileptr_state_machine::get_default_state): New.
	(fileptr_state_machine::on_stmt): Remove calls to
	get_readable_tree in favor of get_diagnostic_tree.
	* sm-malloc.cc: Include "tristate.h", "selftest.h",
	"analyzer/call-string.h", "analyzer/program-point.h",
	"analyzer/store.h", and "analyzer/region-model.h".
	(malloc_state_machine::get_default_state): New.
	(malloc_state_machine::reset_when_passed_to_unknown_fn_p): New.
	(malloc_diagnostic::describe_state_change): Handle change.m_expr
	being NULL.
	(null_arg::emit): Avoid printing "NULL '0'".
	(null_arg::describe_final_event): Avoid printing "(0) NULL".
	(malloc_leak::emit): Handle m_arg being NULL.
	(malloc_leak::describe_final_event): Handle ev.m_expr being NULL.
	(malloc_state_machine::on_stmt): Don't call get_readable_tree.
	Call get_diagnostic_tree when creating pending diagnostics.
	Update for is_zero_assignment becoming a member function of
	sm_ctxt.
	Don't transition to m_non_heap for ADDR_EXPR(MEM_REF()).
	(malloc_state_machine::reset_when_passed_to_unknown_fn_p): New
	vfunc implementation.
	* sm-sensitive.cc (sensitive_state_machine::warn_for_any_exposure): Call
	get_diagnostic_tree and pass the result to warn_for_state.
	* sm-signal.cc: Move includes of "analyzer/call-string.h" and
	"analyzer/program-point.h" to before "analyzer/region-model.h",
	and also include "analyzer/store.h" before it.
	(signal_unsafe_call::describe_state_change): Use
	get_dest_function to get handler.
	(update_model_for_signal_handler): Pass manager to region_model
	ctor.
	(register_signal_handler::impl_transition): Update for changes to
	get_or_create_node and add_edge.
	* sm-taint.cc (taint_state_machine::on_stmt): Remove calls to
	get_readable_tree, replacing them when calling warn_for_state with
	calls to get_diagnostic_tree.
	* sm.cc (is_zero_assignment): Delete.
	(any_pointer_p): Move to within namespace ana.
	* sm.h (is_zero_assignment): Remove decl.
	(any_pointer_p): Move decl to within namespace ana.
	(state_machine::get_default_state): New vfunc.
	(state_machine::reset_when_passed_to_unknown_fn_p): New vfunc.
	(sm_context::get_readable_tree): Rename to...
	(sm_context::get_diagnostic_tree): ...this.
	(sm_context::is_zero_assignment): New vfunc.
	* store.cc: New file.
	* store.h: New file.
	* svalue.cc: New file.

2221fb6f
MW
90472020-05-22 Mark Wielaard <mark@klomp.org>
9048
9049 * sm-signal.cc(signal_unsafe_call::emit): Possibly add
9050 gcc_rich_location note for replacement.
9051 (signal_unsafe_call::get_replacement_fn): New private function.
9052 (get_async_signal_unsafe_fns): Add "exit".
9053
2020-04-28  David Malcolm  <dmalcolm@redhat.com>

	PR analyzer/94816
	* engine.cc (impl_region_model_context::on_unexpected_tree_code):
	Handle NULL tree.
	* region-model.cc (region_model::add_region_for_type): Handle
	NULL type.
	* region-model.h
	(test_region_model_context::on_unexpected_tree_code): Handle NULL
	tree.

2020-04-28  David Malcolm  <dmalcolm@redhat.com>

	PR analyzer/94447
	PR analyzer/94639
	PR analyzer/94732
	PR analyzer/94754
	* analyzer.opt (Wanalyzer-use-of-uninitialized-value): Delete.
	* program-state.cc (selftest::test_program_state_dumping): Update
	expected dump result for removal of "uninit".
	* region-model.cc (poison_kind_to_str): Delete POISON_KIND_UNINIT
	case.
	(root_region::ensure_stack_region): Initialize stack with null
	svalue_id rather than with a typeless POISON_KIND_UNINIT value.
	(root_region::ensure_heap_region): Likewise for the heap.
	(region_model::dump_summary_of_rep_path_vars): Remove
	summarization of uninit values.
	(region_model::validate): Remove check that the stack has a
	POISON_KIND_UNINIT value.
	(poisoned_value_diagnostic::emit): Remove POISON_KIND_UNINIT
	case.
	(poisoned_value_diagnostic::describe_final_event): Likewise.
	(selftest::test_dump): Update expected dump result for removal of
	"uninit".
	(selftest::test_svalue_equality): Remove "uninit" and "freed".
	* region-model.h (enum poison_kind): Remove POISON_KIND_UNINIT.

2020-04-01  David Malcolm  <dmalcolm@redhat.com>

	PR analyzer/94378
	* checker-path.cc: Include "bitmap.h".
	* constraint-manager.cc: Likewise.
	* diagnostic-manager.cc: Likewise.
	* engine.cc: Likewise.
	(exploded_node::detect_leaks): Pass null region_id to pop_frame.
	* program-point.cc: Include "bitmap.h".
	* program-state.cc: Likewise.
	* region-model.cc (id_set<region_id>::id_set): Convert to...
	(region_id_set::region_id_set): ...this.
	(svalue_id_set::svalue_id_set): New ctor.
	(region_model::copy_region): New function.
	(region_model::copy_struct_region): New function.
	(region_model::copy_union_region): New function.
	(region_model::copy_array_region): New function.
	(stack_region::pop_frame): Drop return value.  Add
	"result_dst_rid" param; if it is non-null, use copy_region to copy
	the result to it.  Rather than capture and pass a single "known
	used" return value to be used by purge_unused_values, instead
	gather and pass a set of known used return values.
	(root_region::pop_frame): Drop return value.  Add "result_dst_rid"
	param.
	(region_model::on_assignment): Use copy_region.
	(region_model::on_return): Likewise for the result.
	(region_model::on_longjmp): Pass null for pop_frame's
	result_dst_rid.
	(region_model::update_for_return_superedge): Pass the region for the
	return value of the call, if any, to pop_frame, rather than setting
	the lvalue for the lhs of the result.
	(region_model::pop_frame): Drop return value.  Add
	"result_dst_rid" param.
	(region_model::purge_unused_svalues): Convert third param from an
	svalue_id * to an svalue_id_set *, updating the initial populating
	of the "used" bitmap accordingly.  Don't remap it when done.
	(struct selftest::coord_test): New selftest fixture, extracted from...
	(selftest::test_dump_2): ...here.
	(selftest::test_compound_assignment): New selftest.
	(selftest::test_stack_frames): Pass null to new param of pop_frame.
	(selftest::analyzer_region_model_cc_tests): Call the new selftest.
	* region-model.h (class id_set): Delete template.
	(class region_id_set): Reimplement, using old id_set implementation.
	(class svalue_id_set): Likewise.  Convert from auto_sbitmap to
	auto_bitmap.
	(region::get_active_view): New accessor.
	(stack_region::pop_frame): Drop return value.  Add
	"result_dst_rid" param.
	(root_region::pop_frame): Likewise.
	(region_model::pop_frame): Likewise.
	(region_model::copy_region): New decl.
	(region_model::purge_unused_svalues): Convert third param from an
	svalue_id * to an svalue_id_set *.
	(region_model::copy_struct_region): New decl.
	(region_model::copy_union_region): New decl.
	(region_model::copy_array_region): New decl.

2020-03-27  David Malcolm  <dmalcolm@redhat.com>

	* program-state.cc (selftest::test_program_state_dumping): Update
	expected dump to include symbolic_region's possibly_null field.
	* region-model.cc (symbolic_region::print_fields): New vfunc
	implementation.
	(region_model::add_constraint): Clear m_possibly_null from
	symbolic_regions now known to be non-NULL.
	(selftest::test_malloc_constraints): New selftest.
	(selftest::analyzer_region_model_cc_tests): Call it.
	* region-model.h (region::dyn_cast_symbolic_region): Add non-const
	overload.
	(symbolic_region::dyn_cast_symbolic_region): Implement it.
	(symbolic_region::print_fields): New vfunc override decl.

2020-03-27  David Malcolm  <dmalcolm@redhat.com>

	* analyzer.h (class feasibility_problem): New forward decl.
	* diagnostic-manager.cc (saved_diagnostic::saved_diagnostic):
	Initialize new fields m_status, m_epath_length, and m_problem.
	(saved_diagnostic::~saved_diagnostic): Delete m_problem.
	(dedupe_candidate::dedupe_candidate): Convert "sd" param from a
	const ref to a mutable ptr.
	(dedupe_winners::add): Convert "sd" param from a const ref to a
	mutable ptr.  Record the length of the exploded_path.  Record the
	feasibility/infeasibility of sd into sd, capturing a
	feasibility_problem when feasible_p fails, and storing it in sd.
	(diagnostic_manager::emit_saved_diagnostics): Update for pass by
	ptr rather than by const ref.
	* diagnostic-manager.h (class saved_diagnostic): Add new enum
	status.  Add fields m_status, m_epath_length and m_problem.
	(saved_diagnostic::set_feasible): New member function.
	(saved_diagnostic::set_infeasible): New member function.
	(saved_diagnostic::get_feasibility_problem): New accessor.
	(saved_diagnostic::get_status): New accessor.
	(saved_diagnostic::set_epath_length): New member function.
	(saved_diagnostic::get_epath_length): New accessor.
	* engine.cc: Include "gimple-pretty-print.h".
	(exploded_path::feasible_p): Add OUT param and, if non-NULL, write
	a new feasibility_problem to it on failure.
	(viz_callgraph_node::dump_dot): Convert begin_tr calls to
	begin_trtd.  Convert end_tr calls to end_tdtr.
	(class exploded_graph_annotator): New subclass of dot_annotator.
	(impl_run_checkers): Add a second -fdump-analyzer-supergraph dump
	after the analysis runs, using exploded_graph_annotator, dumping
	to DUMP_BASE_NAME.supergraph-eg.dot.
	* exploded-graph.h (exploded_node::get_dot_fillcolor): Make
	public.
	(exploded_path::feasible_p): Add OUT param.
	(class feasibility_problem): New class.
	* state-purge.cc (state_purge_annotator::add_node_annotations):
	Return a bool, add a "within_table" param.
	(print_vec_of_names): Convert begin_tr calls to begin_trtd.
	Convert end_tr calls to end_tdtr.
	(state_purge_annotator::add_stmt_annotations): Add "within_row"
	param.
	* state-purge.h (state_purge_annotator::add_node_annotations):
	Return a bool, add a "within_table" param.
	(state_purge_annotator::add_stmt_annotations): Add "within_row"
	param.
	* supergraph.cc (supernode::dump_dot): Call add_node_annotations
	twice: as before, passing false for "within_table", then again
	with true when within the TABLE element.  Convert some begin_tr
	calls to begin_trtd, and some end_tr calls to end_tdtr.
	Repeat each add_stmt_annotations call, distinguishing between
	calls that add TRs and those that add TDs to an existing TR.
	Add a call to add_after_node_annotations.
	* supergraph.h (dot_annotator::add_node_annotations): Add a
	"within_table" param.
	(dot_annotator::add_stmt_annotations): Add a "within_row" param.
	(dot_annotator::add_after_node_annotations): New vfunc.

2020-03-27  David Malcolm  <dmalcolm@redhat.com>

	* diagnostic-manager.cc (dedupe_winners::add): Show the
	exploded_node index in the log messages.
	(diagnostic_manager::emit_saved_diagnostics): Log a summary of
	m_saved_diagnostics at entry.

2020-03-27  David Malcolm  <dmalcolm@redhat.com>

	* supergraph.cc (superedge::dump): Add space before description;
	move newline to non-pretty_printer overload.

2020-03-18  David Malcolm  <dmalcolm@redhat.com>

	* region-model.cc: Include "stor-layout.h".
	(region_model::dump_to_pp): Rather than calling
	dump_summary_of_map on each of the current frame and the globals,
	instead get a vec of representative path_vars for all regions,
	and then dump a summary of all of them.
	(region_model::dump_summary_of_map): Delete, rewriting into...
	(region_model::dump_summary_of_rep_path_vars): ...this new
	function, working on a vec of path_vars.
	(region_model::set_value): New overload.
	(region_model::get_representative_path_var): Rename
	"parent_region" local to "parent_reg" and consolidate with other
	local.  Guard test for grandparent being stack on parent_reg being
	non-NULL.  Move handling for parent being an array_region to
	within guard for parent_reg being non-NULL.
	(selftest::make_test_compound_type): New function.
	(selftest::test_dump_2): New selftest.
	(selftest::test_dump_3): New selftest.
	(selftest::test_stack_frames): Update expected output from
	simplified dump to show "a" and "b" from parent frame and "y" in
	child frame.
	(selftest::analyzer_region_model_cc_tests): Call test_dump_2 and
	test_dump_3.
	* region-model.h (region_model::set_value): New overload decl.
	(region_model::dump_summary_of_map): Delete.
	(region_model::dump_summary_of_rep_path_vars): New.

2020-03-18  David Malcolm  <dmalcolm@redhat.com>

	* region-model.h (class noop_region_model_context): New subclass
	of region_model_context.
	(class tentative_region_model_context): Inherit from
	noop_region_model_context rather than from region_model_context;
	drop redundant vfunc implementations.
	(class test_region_model_context): Likewise.

2020-03-18  David Malcolm  <dmalcolm@redhat.com>

	* engine.cc (exploded_node::exploded_node): Move implementation
	here from header; accept point_and_state by const reference rather
	than by value.
	* exploded-graph.h (exploded_node::exploded_node): Pass
	point_and_state by const reference rather than by value.  Move
	body to engine.cc.

2020-03-18  Jakub Jelinek  <jakub@redhat.com>

	* sm-malloc.cc (malloc_state_machine::on_stmt): Fix up duplicated word
	issue in a comment.
	* region-model.cc (region_model::make_region_for_unexpected_tree_code,
	region_model::delete_region_and_descendents): Likewise.
	* engine.cc (class exploded_cluster): Likewise.
	* diagnostic-manager.cc (class path_builder): Likewise.

2020-03-13  David Malcolm  <dmalcolm@redhat.com>

	PR analyzer/94099
	PR analyzer/94105
	* diagnostic-manager.cc (for_each_state_change): Bulletproof
	against errors in get_rvalue by passing a
	tentative_region_model_context and rejecting if there's an error.
	* region-model.cc (region_model::get_lvalue_1): When handling
	ARRAY_REF, handle results of error-handling.  Handle NOP_EXPR.

2020-03-06  David Malcolm  <dmalcolm@redhat.com>

	* analyzer.h (class array_region): New forward decl.
	* program-state.cc (selftest::test_program_state_dumping_2): New.
	(selftest::analyzer_program_state_cc_tests): Call it.
	* region-model.cc (array_region::constant_from_key): New.
	(region_model::get_representative_tree): Handle region_svalue by
	generating an ADDR_EXPR.
	(region_model::get_representative_path_var): In view handling,
	remove erroneous TREE_TYPE when determining the type of the tree.
	Handle array regions and STRING_CST.
	(selftest::assert_dump_tree_eq): New.
	(ASSERT_DUMP_TREE_EQ): New macro.
	(selftest::test_get_representative_tree): New selftest.
	(selftest::analyzer_region_model_cc_tests): Call it.
	* region-model.h (region::dyn_cast_array_region): New vfunc.
	(array_region::dyn_cast_array_region): New vfunc implementation.
	(array_region::constant_from_key): New decl.

2020-03-06  David Malcolm  <dmalcolm@redhat.com>

	* analyzer.h (dump_quoted_tree): New decl.
	* engine.cc (exploded_node::dump_dot): Pass region model to
	sm_state_map::print.
	* program-state.cc: Include diagnostic-core.h.
	(sm_state_map::print): Add "model" param and use it to print
	representative trees.  Only print origin information if non-null.
	(sm_state_map::dump): Pass NULL for model to print call.
	(program_state::print): Pass region model to sm_state_map::print.
	(program_state::dump_to_pp): Use spaces rather than newlines when
	summarizing.  Pass region_model to sm_state_map::print.
	(ana::selftest::assert_dump_eq): New function.
	(ASSERT_DUMP_EQ): New macro.
	(ana::selftest::test_program_state_dumping): New function.
	(ana::selftest::analyzer_program_state_cc_tests): Call it.
	* program-state.h (program_state::print): Add model param.
	* region-model.cc (dump_quoted_tree): New function.
	(map_region::print_fields): Use dump_quoted_tree rather than
	%qE to avoid lang-dependent output.
	(map_region::dump_child_label): Likewise.
	(region_model::dump_summary_of_map): For SK_REGION, when
	get_representative_path_var fails, print the region id rather than
	erroneously printing NULL.
	* sm.cc (state_machine::get_state_by_name): New function.
	* sm.h (state_machine::get_state_by_name): New decl.

2020-03-04  David Malcolm  <dmalcolm@redhat.com>

	* region-model.cc (region::validate): Convert model param from ptr
	to reference.  Update comment to reflect that it's now a vfunc.
	(map_region::validate): New vfunc implementation.
	(array_region::validate): New vfunc implementation.
	(stack_region::validate): New vfunc implementation.
	(root_region::validate): New vfunc implementation.
	(region_model::validate): Pass a reference rather than a pointer
	to the region::validate vfunc.
	* region-model.h (region::validate): Make virtual.  Convert model
	param from ptr to reference.
	(map_region::validate): New vfunc decl.
	(array_region::validate): New vfunc decl.
	(stack_region::validate): New vfunc decl.
	(root_region::validate): New vfunc decl.

2020-03-04  David Malcolm  <dmalcolm@redhat.com>

	PR analyzer/93993
	* region-model.cc (region_model::on_call_pre): Handle
	BUILT_IN_EXPECT and its variants.
	(region_model::add_any_constraints_from_ssa_def_stmt): Split out
	gassign handling into add_any_constraints_from_gassign; add gcall
	handling.
	(region_model::add_any_constraints_from_gassign): New function,
	based on the above.  Add handling for NOP_EXPR.
	(region_model::add_any_constraints_from_gcall): New function.
	(region_model::get_representative_path_var): Handle views.
	* region-model.h
	(region_model::add_any_constraints_from_ssa_def_stmt): New decl.
	(region_model::add_any_constraints_from_gassign): New decl.

2020-03-04  David Malcolm  <dmalcolm@redhat.com>

	PR analyzer/93993
	* checker-path.h (state_change_event::get_lvalue): Add ctxt param
	and pass it to region_model::get_value call.
	* diagnostic-manager.cc (get_any_origin): Pass a
	tentative_region_model_context to the calls to get_lvalue and reject
	the comparison if errors occur.
	(can_be_expr_of_interest_p): New function.
	(diagnostic_manager::prune_for_sm_diagnostic): Replace checks for
	CONSTANT_CLASS_P with calls to update_for_unsuitable_sm_exprs.
	Pass a tentative_region_model_context to the calls to
	state_change_event::get_lvalue and reject the comparison if errors
	occur.
	(diagnostic_manager::update_for_unsuitable_sm_exprs): New.
	* diagnostic-manager.h
	(diagnostic_manager::update_for_unsuitable_sm_exprs): New decl.
	* region-model.h (class tentative_region_model_context): New class.

2020-03-04  David Malcolm  <dmalcolm@redhat.com>

	* engine.cc (worklist::worklist): Remove unused field m_eg.
	(class viz_callgraph_edge): Remove unused field m_call_sedge.
	(class viz_callgraph): Remove unused field m_sg.
	* exploded-graph.h (worklist::m_eg): Remove unused field.

2020-03-02  David Malcolm  <dmalcolm@redhat.com>

	* analyzer.opt (fanalyzer-show-duplicate-count): New option.
	* diagnostic-manager.cc
	(diagnostic_manager::emit_saved_diagnostic): Use the above to
	guard the printing of the duplicate count.

2020-03-02  David Malcolm  <dmalcolm@redhat.com>

	PR analyzer/93959
	* analyzer.cc (is_std_function_p): New function.
	(is_std_named_call_p): New function.
	* analyzer.h (is_std_named_call_p): New decl.
	* sm-malloc.cc (malloc_state_machine::on_stmt): Check for "std::"
	variants when checking for malloc, calloc and free.

2020-02-26  David Malcolm  <dmalcolm@redhat.com>

	PR analyzer/93950
	* diagnostic-manager.cc
	(diagnostic_manager::prune_for_sm_diagnostic): Assert that var is
	either NULL or not a constant.  When updating var, bulletproof
	against constant values.

2020-02-26  David Malcolm  <dmalcolm@redhat.com>

	PR analyzer/93947
	* region-model.cc (region_model::get_fndecl_for_call): Gracefully
	fail for fn_decls that don't have a cgraph_node.

2020-02-26  David Malcolm  <dmalcolm@redhat.com>

	* bar-chart.cc: New file.
	* bar-chart.h: New file.
	* engine.cc: Include "analyzer/bar-chart.h".
	(stats::log): Only log the m_num_nodes kinds that are non-zero.
	(stats::dump): Likewise when dumping.
	(stats::get_total_enodes): New.
	(exploded_graph::get_or_create_node): Increment the per-point-data
	m_excess_enodes when hitting the per-program-point limit on
	enodes.
	(exploded_graph::print_bar_charts): New.
	(exploded_graph::log_stats): Log the number of unprocessed enodes
	in the worklist.  Call print_bar_charts.
	(exploded_graph::dump_stats): Print the number of unprocessed
	enodes in the worklist.
	* exploded-graph.h (stats::get_total_enodes): New decl.
	(struct per_program_point_data): Add field m_excess_enodes.
	(exploded_graph::print_bar_charts): New decl.
	* supergraph.cc (superedge::dump): New.
	(superedge::dump): New.
	* supergraph.h (supernode::get_function): New.
	(superedge::dump): New decl.
	(superedge::dump): New decl.

2020-02-24  David Malcolm  <dmalcolm@redhat.com>

	* engine.cc (exploded_graph::get_or_create_node): Dump the
	program_state to the pp, rather than to stderr.

2020-02-24  David Malcolm  <dmalcolm@redhat.com>

	PR analyzer/93032
	* sm.cc (make_checkers): Require the "taint" checker to be
	explicitly enabled.

2020-02-24  David Malcolm  <dmalcolm@redhat.com>

	PR analyzer/93899
	* engine.cc
	(impl_region_model_context::impl_region_model_context): Add logger
	param.
	* engine.cc (exploded_graph::add_function_entry): Create an
	impl_region_model_context and pass it to the push_frame call.
	Bail if the resulting state is invalid.
	(exploded_graph::build_initial_worklist): Likewise.
	(exploded_graph::build_initial_worklist): Handle the case where
	add_function_entry fails.
	* exploded-graph.h
	(impl_region_model_context::impl_region_model_context): Add logger
	param.
	* region-model.cc (map_region::get_or_create): Add ctxt param and
	pass it to add_region_for_type.
	(map_region::can_merge_p): Pass NULL as a ctxt to call to
	get_or_create.
	(array_region::get_element): Pass ctxt to call to get_or_create.
	(array_region::get_or_create): Add ctxt param and pass it to
	add_region_for_type.
	(root_region::push_frame): Pass ctxt to get_or_create calls.
	(region_model::get_lvalue_1): Likewise.
	(region_model::make_region_for_unexpected_tree_code): Assert that
	ctxt is non-NULL.
	(region_model::get_rvalue_1): Pass ctxt to get_svalue_for_fndecl
	and get_svalue_for_label calls.
	(region_model::get_svalue_for_fndecl): Add ctxt param and pass it
	to get_region_for_fndecl.
	(region_model::get_region_for_fndecl): Add ctxt param and pass it
	to get_or_create.
	(region_model::get_svalue_for_label): Add ctxt param and pass it
	to get_region_for_label.
	(region_model::get_region_for_label): Add ctxt param and pass it
	to get_region_for_fndecl and get_or_create.
	(region_model::get_field_region): Add ctxt param and pass it to
	get_or_create_view and get_or_create.
	(make_region_for_type): Replace gcc_unreachable with return NULL.
	(region_model::add_region_for_type): Add ctxt param.  Handle a
	return of NULL from make_region_for_type by calling
	make_region_for_unexpected_tree_code.
	(region_model::get_or_create_mem_ref): Pass ctxt to calls to
	get_or_create_view.
	(region_model::get_or_create_view): Add ctxt param and pass it to
	add_region_for_type.
	(selftest::test_state_merging): Pass ctxt to get_or_create_view.
	* region-model.h (region_model::get_or_create): Add ctxt param.
	(region_model::add_region_for_type): Likewise.
	(region_model::get_svalue_for_fndecl): Likewise.
	(region_model::get_svalue_for_label): Likewise.
	(region_model::get_region_for_fndecl): Likewise.
	(region_model::get_region_for_label): Likewise.
	(region_model::get_field_region): Likewise.
	(region_model::get_or_create_view): Likewise.

2020-02-24  David Malcolm  <dmalcolm@redhat.com>

	* checker-path.cc (superedge_event::should_filter_p): Update
	filter for empty descriptions to cover verbosity level 3 as well
	as 2.
	* diagnostic-manager.cc: Include "analyzer/reachability.h".
	(class path_builder): New class.
	(diagnostic_manager::emit_saved_diagnostic): Create a path_builder
	and pass it to build_emission_path, rather than passing eg; similarly
	for add_events_for_eedge and ext_state.
	(diagnostic_manager::build_emission_path): Replace "eg" param
	with a path_builder, pass it to add_events_for_eedge.
	(diagnostic_manager::add_events_for_eedge): Replace ext_state
	param with path_builder; pass it to add_events_for_superedge.
	(diagnostic_manager::significant_edge_p): New.
	(diagnostic_manager::add_events_for_superedge): Add path_builder
	param.  Reject insignificant edges at verbosity levels below 3.
	(diagnostic_manager::prune_for_sm_diagnostic): Update highest
	verbosity level to 4.
	* diagnostic-manager.h (class path_builder): New forward decl.
	(diagnostic_manager::build_emission_path): Replace "eg" param
	with a path_builder.
	(diagnostic_manager::add_events_for_eedge): Replace ext_state
	param with path_builder.
	(diagnostic_manager::significant_edge_p): New.
	(diagnostic_manager::add_events_for_superedge): Add path_builder
	param.
	* reachability.h: New file.

2020-02-18  David Malcolm  <dmalcolm@redhat.com>

	PR analyzer/93692
	* analyzer.opt (fdump-analyzer-callgraph): Rewrite description.

2020-02-18  David Malcolm  <dmalcolm@redhat.com>

	PR analyzer/93777
	* region-model.cc (region_model::maybe_cast_1): Replace assertion
	that build_cast returns non-NULL with a conditional, falling
	through to the logic which returns a new unknown value of the
	desired type if it fails.

2020-02-18  David Malcolm  <dmalcolm@redhat.com>

	PR analyzer/93778
	* engine.cc (impl_region_model_context::on_unknown_tree_code):
	Rename to...
	(impl_region_model_context::on_unexpected_tree_code): ...this and
	convert first argument from path_var to tree.
	(exploded_node::on_stmt): Pass ctxt to purge_for_unknown_fncall.
	* exploded-graph.h (region_model_context::on_unknown_tree_code):
	Rename to...
	(region_model_context::on_unexpected_tree_code): ...this and
	convert first argument from path_var to tree.
	* program-state.cc (sm_state_map::purge_for_unknown_fncall): Add
	ctxt param and pass on to calls to get_rvalue.
	* program-state.h (sm_state_map::purge_for_unknown_fncall): Add
	ctxt param.
	* region-model.cc (region_model::handle_unrecognized_call): Pass
	ctxt on to call to get_rvalue.
	(region_model::get_lvalue_1): Move body of default case to
	region_model::make_region_for_unexpected_tree_code and call it.
	Within COMPONENT_REF case, reject attempts to handle types other
	than RECORD_TYPE and UNION_TYPE.
	(region_model::make_region_for_unexpected_tree_code): New
	function, based on default case of region_model::get_lvalue_1.
	* region-model.h
	(region_model::make_region_for_unexpected_tree_code): New decl.
	(region_model::on_unknown_tree_code): Rename to...
	(region_model::on_unexpected_tree_code): ...this and convert first
	argument from path_var to tree.
	(class test_region_model_context): Update vfunc implementation for
	above change.

2020-02-18  David Malcolm  <dmalcolm@redhat.com>

	PR analyzer/93774
	* region-model.cc
	(region_model::convert_byte_offset_to_array_index): Use
	int_size_in_bytes before calling size_in_bytes, to gracefully fail
	on incomplete types.

2020-02-17  David Malcolm  <dmalcolm@redhat.com>

	PR analyzer/93775
	* region-model.cc (region_model::get_fndecl_for_call): Handle the
	case where the code_region's get_tree_for_child_region returns
	NULL.

2020-02-17  David Malcolm  <dmalcolm@redhat.com>

	PR analyzer/93388
	* engine.cc (impl_region_model_context::on_unknown_tree_code):
	New.
	(exploded_graph::get_or_create_node): Reject invalid states.
	* exploded-graph.h
	(impl_region_model_context::on_unknown_tree_code): New decl.
	(point_and_state::point_and_state): Assert that the state is
	valid.
	* program-state.cc (program_state::program_state): Initialize
	m_valid to true.
	(program_state::operator=): Copy m_valid.
	(program_state::program_state): Likewise for move constructor.
	(program_state::print): Print m_valid.
	(program_state::dump_to_pp): Likewise.
	* program-state.h (program_state::m_valid): New field.
	* region-model.cc (region_model::get_lvalue_1): Implement the
	default case by returning a new symbolic region and calling
	the context's on_unknown_tree_code, rather than issuing an
	internal_error.  Implement VIEW_CONVERT_EXPR.
	* region-model.h (region_model_context::on_unknown_tree_code): New
	vfunc.
	(test_region_model_context::on_unknown_tree_code): New.

2020-02-17  David Malcolm  <dmalcolm@redhat.com>

	* sm-malloc.cc (malloc_diagnostic::describe_state_change): For
	transition to the "null" state, only say "assuming" when
	transitioning from the "unchecked" state.

2020-02-17  David Malcolm  <dmalcolm@redhat.com>

	* diagnostic-manager.h (diagnostic_manager::get_saved_diagnostic):
	Add const overload.
	* engine.cc (exploded_node::dump_dot): Dump saved_diagnostics.
	* exploded-graph.h (exploded_graph::get_diagnostic_manager): Add
	const overload.

2020-02-11  David Malcolm  <dmalcolm@redhat.com>

	PR analyzer/93288
	* analysis-plan.cc (analysis_plan::use_summary_p): Look through
	the ultimate_alias_target when getting the called function.
	* engine.cc (exploded_node::on_stmt): Rename second "ctxt" to
	"sm_ctxt".  Use the region_model's get_fndecl_for_call rather than
	gimple_call_fndecl.
	* region-model.cc (region_model::get_fndecl_for_call): Use
	ultimate_alias_target on fndecl.
	* supergraph.cc (get_ultimate_function_for_cgraph_edge): New
	function.
	(supergraph_call_edge): Use it when rejecting edges without
	functions.
	(supergraph::supergraph): Use it to get the function for the
	cgraph_edge when building interprocedural superedges.
	(callgraph_superedge::get_callee_function): Use it.
	* supergraph.h (supergraph::get_num_snodes): Make param const.
	(supergraph::function_to_num_snodes_t): Make first type param
	const.

2020-02-11  David Malcolm  <dmalcolm@redhat.com>

	PR analyzer/93374
	* engine.cc (exploded_edge::exploded_edge): Add ext_state param
	and pass it to change.validate.
	(exploded_graph::get_or_create_node): Move purging of change
	svalues to also cover the case of reusing an existing enode.
	(exploded_graph::add_edge): Pass m_ext_state to exploded_edge's
	ctor.
	* exploded-graph.h (exploded_edge::exploded_edge): Add ext_state
	param.
	* program-state.cc (state_change::sm_change::validate): Likewise.
	Assert that m_sm_idx is sane.  Use ext_state to validate
	m_old_state and m_new_state.
	(state_change::validate): Add ext_state param and pass it to
	the sm_change validate calls.
	* program-state.h (state_change::sm_change::validate): Add
	ext_state param.
	(state_change::validate): Likewise.

2020-02-11  David Malcolm  <dmalcolm@redhat.com>

	PR analyzer/93669
	* engine.cc (exploded_graph::dump_exploded_nodes): Handle missing
	case of STATUS_WORKLIST in implementation of
	"__analyzer_dump_exploded_nodes".

2020-02-11  David Malcolm  <dmalcolm@redhat.com>

	PR analyzer/93649
	* constraint-manager.cc (constraint_manager::add_constraint): When
	merging equivalence classes and updating m_constant, also update
	m_cst_sid.
	(constraint_manager::validate): If m_constant is non-NULL assert
	that m_cst_sid is non-null and is valid.

2020-02-11  David Malcolm  <dmalcolm@redhat.com>

	PR analyzer/93657
	* analyzer.opt (fdump-analyzer): Reword description.
	(fdump-analyzer-stderr): Likewise.

2020-02-11  David Malcolm  <dmalcolm@redhat.com>

	* region-model.cc (print_quoted_type): New function.
	(svalue::print): Use it to replace %qT.
	(region::dump_to_pp): Likewise.
	(region::dump_child_label): Likewise.
	(region::print_fields): Likewise.

2020-02-10  David Malcolm  <dmalcolm@redhat.com>

	PR analyzer/93659
	* analyzer.opt (-param=analyzer-max-recursion-depth=): Fix "tha"
	-> "that" typo.
	(Wanalyzer-use-of-uninitialized-value): Fix "initialized" ->
	"uninitialized" typo.

2020-02-10  David Malcolm  <dmalcolm@redhat.com>

	PR analyzer/93350
	* region-model.cc (region_model::get_lvalue_1):
	Handle BIT_FIELD_REF.
	(make_region_for_type): Handle VECTOR_TYPE.

2020-02-10  David Malcolm  <dmalcolm@redhat.com>

	PR analyzer/93647
	* diagnostic-manager.cc
	(diagnostic_manager::prune_for_sm_diagnostic): Bulletproof against
	VAR being constant.
	* region-model.cc (region_model::get_lvalue_1): Provide a better
	error message when encountering an unhandled tree code.

41a9e940
DM
97472020-02-10 David Malcolm <dmalcolm@redhat.com>
9748
9749 PR analyzer/93405
9750 * region-model.cc (region_model::get_lvalue_1): Implement
9751 CONST_DECL.
9752
cb273d81
DM
97532020-02-06 David Malcolm <dmalcolm@redhat.com>
9754
9755 * region-model.cc (region_model::maybe_cast_1): Attempt to provide
9756 a region_svalue if either type is a pointer, rather than if both
9757 types are pointers.
9758
a4d3bfc0
DM
97592020-02-05 David Malcolm <dmalcolm@redhat.com>
9760
9761 * engine.cc (exploded_node::dump_dot): Show merger enodes.
9762 (worklist::add_node): Assert that the node's m_status is
9763 STATUS_WORKLIST.
9764 (exploded_graph::process_worklist): Likewise for nodes from the
9765 worklist. Set status of merged nodes to STATUS_MERGER.
9766 (exploded_graph::process_node): Set status of node to
9767 STATUS_PROCESSED.
9768 (exploded_graph::dump_exploded_nodes): Rework handling of
9769 "__analyzer_dump_exploded_nodes", splitting enodes by status into
9770 "processed" and "merger", showing the count of just the processed
9771 enodes at the call, rather than the count of all enodes.
9772 * exploded-graph.h (exploded_node::status): New enum.
9773 (exploded_node::exploded_node): Initialize m_status to
9774 STATUS_WORKLIST.
9775 (exploded_node::get_status): New getter.
9776 (exploded_node::set_status): New setter.
9777
2020-02-04 David Malcolm <dmalcolm@redhat.com>

	PR analyzer/93543
	* engine.cc (pod_hash_traits<function_call_string>::mark_empty):
	Eliminate reinterpret_cast.
	(pod_hash_traits<function_call_string>::is_empty): Likewise.

2020-02-03 David Malcolm <dmalcolm@redhat.com>

	* constraint-manager.cc (range::constrained_to_single_element):
	Replace fold_build2 with fold_binary. Remove unnecessary newline.
	(constraint_manager::get_or_add_equiv_class): Replace fold_build2
	with fold_binary in two places, and remove out-of-date comment.
	(constraint_manager::eval_condition): Replace fold_build2 with
	fold_binary.
	* region-model.cc (constant_svalue::eval_condition): Likewise.
	(region_model::on_assignment): Likewise.

2020-02-03 David Malcolm <dmalcolm@redhat.com>

	PR analyzer/93544
	* diagnostic-manager.cc
	(diagnostic_manager::prune_for_sm_diagnostic): Bulletproof
	against bad choices due to bad paths.
	* engine.cc (impl_region_model_context::on_phi): New.
	* exploded-graph.h (impl_region_model_context::on_phi): New decl.
	* region-model.cc (region_model::on_longjmp): Likewise.
	(region_model::handle_phi): Add phi param. Call the ctxt's on_phi
	vfunc.
	(region_model::update_for_phis): Pass phi to handle_phi.
	* region-model.h (region_model::handle_phi): Add phi param.
	(region_model_context::on_phi): New vfunc.
	(test_region_model_context::on_phi): New.
	* sm-malloc.cc (malloc_state_machine::on_phi): New.
	(malloc_state_machine::on_zero_assignment): New.
	* sm.h (state_machine::on_phi): New vfunc.

2020-02-03 David Malcolm <dmalcolm@redhat.com>

	* engine.cc (supernode_cluster::dump_dot): Show BB index as
	well as SN index.
	* supergraph.cc (supernode::dump_dot): Likewise.

2020-02-03 David Malcolm <dmalcolm@redhat.com>

	PR analyzer/93546
	* region-model.cc (region_model::on_call_pre): Update for new
	param of symbolic_region ctor.
	(region_model::deref_rvalue): Likewise.
	(region_model::add_new_malloc_region): Likewise.
	(make_region_for_type): Likewise, preserving type.
	* region-model.h (symbolic_region::symbolic_region): Add "type"
	param and pass it to base class ctor.

2020-02-03 David Malcolm <dmalcolm@redhat.com>

	PR analyzer/93547
	* constraint-manager.cc
	(constraint_manager::get_or_add_equiv_class): Ensure types are
	compatible before comparing constants.

2020-01-31 David Malcolm <dmalcolm@redhat.com>

	PR analyzer/93457
	* region-model.cc (make_region_for_type): Use VOID_TYPE_P rather
	than checking against void_type_node.

2020-01-31 David Malcolm <dmalcolm@redhat.com>

	PR analyzer/93373
	* region-model.cc (ASSERT_COMPAT_TYPES): Convert to...
	(assert_compat_types): ...this, and bail when either type is NULL,
	or when VOID_TYPE_P (dst_type).
	(region_model::get_lvalue): Update for above conversion.
	(region_model::get_rvalue): Likewise.

2020-01-31 David Malcolm <dmalcolm@redhat.com>

	PR analyzer/93379
	* region-model.cc (region_model::update_for_return_superedge):
	Move check for null result so that it also guards setting the
	lhs.

2020-01-31 David Malcolm <dmalcolm@redhat.com>

	PR analyzer/93438
	* region-model.cc (stack_region::can_merge_p): Split into a two
	pass approach, creating all stack regions first, then populating
	them.
	(selftest::test_state_merging): Add test coverage for (a) the case
	of self-merging a model in which a local in an older stack frame
	points to a local in a more recent stack frame (which previously
	would ICE), and (b) the case of self-merging a model in which a
	local points to a global (which previously worked OK).

2020-01-31 David Malcolm <dmalcolm@redhat.com>

	* analyzer.cc (is_named_call_p): Replace tests for fndecl being
	extern at file scope and having a non-NULL DECL_NAME with a call
	to maybe_special_function_p.
	* function-set.cc (function_set::contains_decl_p): Add call to
	maybe_special_function_p.

2020-01-31 David Malcolm <dmalcolm@redhat.com>

	PR analyzer/93450
	* constraint-manager.cc
	(constraint_manager::get_or_add_equiv_class): Only compare constants
	if their types are compatible.
	* region-model.cc (constant_svalue::eval_condition): Replace check
	for identical types with call to types_compatible_p.

2020-01-30 David Malcolm <dmalcolm@redhat.com>

	* program-state.cc (extrinsic_state::dump_to_pp): New.
	(extrinsic_state::dump_to_file): New.
	(extrinsic_state::dump): New.
	* program-state.h (extrinsic_state::dump_to_pp): New decl.
	(extrinsic_state::dump_to_file): New decl.
	(extrinsic_state::dump): New decl.
	* sm.cc: Include "pretty-print.h".
	(state_machine::dump_to_pp): New.
	* sm.h (state_machine::dump_to_pp): New decl.

2020-01-30 David Malcolm <dmalcolm@redhat.com>

	* diagnostic-manager.cc (for_each_state_change): Use
	extrinsic_state::get_num_checkers rather than accessing m_checkers
	directly.
	* program-state.cc (program_state::program_state): Likewise.
	* program-state.h (extrinsic_state::m_checkers): Make private.

2020-01-30 David Malcolm <dmalcolm@redhat.com>

	PR analyzer/93356
	* region-model.cc (region_model::eval_condition): In both
	overloads, bail out immediately on floating-point types.
	(region_model::eval_condition_without_cm): Likewise.
	(region_model::add_constraint): Likewise.

2020-01-30 David Malcolm <dmalcolm@redhat.com>

	PR analyzer/93450
	* program-state.cc (sm_state_map::set_state): For the overload
	taking an svalue_id, bail out if the set_state on the ec does
	nothing. Convert the latter's return type from void to bool,
	returning true if anything changed.
	(sm_state_map::impl_set_state): Convert the return type from void
	to bool, returning true if the state changed.
	* program-state.h (sm_state_map::set_state): Convert return type
	from void to bool.
	(sm_state_map::impl_set_state): Likewise.
	* region-model.cc (constant_svalue::eval_condition): Only call
	fold_build2 if the types are the same.

2020-01-29 Jakub Jelinek <jakub@redhat.com>

	* analyzer.h (PUSH_IGNORE_WFORMAT, POP_IGNORE_WFORMAT): Remove.
	* constraint-manager.cc: Include diagnostic-core.h before graphviz.h.
	(range::dump, equiv_class::print): Don't use PUSH_IGNORE_WFORMAT or
	POP_IGNORE_WFORMAT.
	* state-purge.cc: Include diagnostic-core.h before
	gimple-pretty-print.h.
	(state_purge_annotator::add_node_annotations, print_vec_of_names):
	Don't use PUSH_IGNORE_WFORMAT or POP_IGNORE_WFORMAT.
	* region-model.cc: Move diagnostic-core.h include before graphviz.h.
	(path_var::dump, svalue::print, constant_svalue::print_details,
	region::dump_to_pp, region::dump_child_label, region::print_fields,
	map_region::print_fields, map_region::dump_dot_to_pp,
	map_region::dump_child_label, array_region::print_fields,
	array_region::dump_dot_to_pp): Don't use PUSH_IGNORE_WFORMAT or
	POP_IGNORE_WFORMAT.

2020-01-28 David Malcolm <dmalcolm@redhat.com>

	PR analyzer/93316
	* engine.cc (rewind_info_t::update_model): Get the longjmp call
	stmt via get_longjmp_call () rather than assuming it is the last
	stmt in the longjmp's supernode.
	(rewind_info_t::add_events_to_path): Get the location_t for the
	rewind_from_longjmp_event via get_longjmp_call () rather than from
	the supernode's get_end_location ().

2020-01-28 David Malcolm <dmalcolm@redhat.com>

	* region-model.cc (poisoned_value_diagnostic::emit): Update for
	renaming of warning_at overload to warning_meta.
	* sm-file.cc (file_leak::emit): Likewise.
	* sm-malloc.cc (double_free::emit): Likewise.
	(possible_null_deref::emit): Likewise.
	(possible_null_arg::emit): Likewise.
	(null_deref::emit): Likewise.
	(null_arg::emit): Likewise.
	(use_after_free::emit): Likewise.
	(malloc_leak::emit): Likewise.
	(free_of_non_heap::emit): Likewise.
	* sm-sensitive.cc (exposure_through_output_file::emit): Likewise.
	* sm-signal.cc (signal_unsafe_call::emit): Likewise.
	* sm-taint.cc (tainted_array_index::emit): Likewise.

2020-01-27 David Malcolm <dmalcolm@redhat.com>

	PR analyzer/93451
	* region-model.cc (tree_cmp): For the REAL_CST case, impose an
	arbitrary order on NaNs relative to other NaNs and to non-NaNs;
	const-correctness tweak.
	(ana::selftests::build_real_cst_from_string): New function.
	(ana::selftests::append_interesting_constants): New function.
	(ana::selftests::test_tree_cmp_on_constants): New test.
	(ana::selftests::test_canonicalization_4): New test.
	(ana::selftests::analyzer_region_model_cc_tests): Call the new
	tests.

2020-01-27 David Malcolm <dmalcolm@redhat.com>

	PR analyzer/93349
	* engine.cc (run_checkers): Save and restore input_location.

2020-01-27 David Malcolm <dmalcolm@redhat.com>

	* call-string.cc (call_string::cmp_1): Delete, moving body to...
	(call_string::cmp): ...here.
	* call-string.h (call_string::cmp_1): Delete decl.
	* engine.cc (worklist::key_t::cmp_1): Delete, moving body to...
	(worklist::key_t::cmp): ...here. Implement hash comparisons
	via comparison rather than subtraction to avoid overflow issues.
	* exploded-graph.h (worklist::key_t::cmp_1): Delete decl.
	* region-model.cc (tree_cmp): Eliminate buggy checking for
	symmetry.

2020-01-27 David Malcolm <dmalcolm@redhat.com>

	* analyzer.cc (is_named_call_p): Check that fndecl is "extern"
	and at file scope. Potentially disregard prefix _ or __ in
	fndecl's name. Bail if the identifier is NULL.
	(is_setjmp_call_p): Expect a gcall rather than plain gimple.
	Remove special-case check for leading prefix, and also check for
	sigsetjmp.
	(is_longjmp_call_p): Also check for siglongjmp.
	(get_user_facing_name): New function.
	* analyzer.h (is_setjmp_call_p): Expect a gcall rather than plain
	gimple.
	(get_user_facing_name): New decl.
	* checker-path.cc (setjmp_event::get_desc): Use
	get_user_facing_name to avoid hardcoding the function name.
	(rewind_event::rewind_event): Add rewind_info param, using it to
	initialize new m_rewind_info field, and strengthen the assertion.
	(rewind_from_longjmp_event::get_desc): Use get_user_facing_name to
	avoid hardcoding the function name.
	(rewind_to_setjmp_event::get_desc): Likewise.
	* checker-path.h (setjmp_event::setjmp_event): Add setjmp_call
	param and use it to initialize...
	(setjmp_event::m_setjmp_call): New field.
	(rewind_event::rewind_event): Add rewind_info param.
	(rewind_event::m_rewind_info): New protected field.
	(rewind_from_longjmp_event::rewind_from_longjmp_event): Add
	rewind_info param.
	(class rewind_to_setjmp_event): Move rewind_info field to parent
	class.
	* diagnostic-manager.cc (diagnostic_manager::add_events_for_eedge):
	Update setjmp-handling for is_setjmp_call_p requiring a gcall;
	pass the call to the new setjmp_event.
	* engine.cc (exploded_node::on_stmt): Update for is_setjmp_call_p
	requiring a gcall.
	(stale_jmp_buf::emit): Use get_user_facing_name to avoid
	hardcoding the function names.
	(exploded_node::on_longjmp): Pass the longjmp_call when
	constructing rewind_info.
	(rewind_info_t::add_events_to_path): Pass the rewind_info_t to the
	rewind_from_longjmp_event's ctor.
	* exploded-graph.h (rewind_info_t::rewind_info_t): Add
	longjmp_call param.
	(rewind_info_t::get_longjmp_call): New.
	(rewind_info_t::m_longjmp_call): New.
	* region-model.cc (region_model::on_setjmp): Update comment to
	indicate this is also for sigsetjmp.
	* region-model.h (struct setjmp_record): Likewise.
	(class setjmp_svalue): Likewise.

2020-01-27 David Malcolm <dmalcolm@redhat.com>

	PR analyzer/93276
	* analyzer.h (PUSH_IGNORE_WFORMAT, POP_IGNORE_WFORMAT): Guard these
	macros with GCC_VERSION >= 4006, making them no-op otherwise.
	* engine.cc (exploded_edge::exploded_edge): Specify template for
	base class initializer.
	(exploded_graph::add_edge): Specify template when chaining up to
	base class add_edge implementation.
	(viz_callgraph_node::dump_dot): Drop redundant "typename".
	(viz_callgraph_edge::viz_callgraph_edge): Specify template for
	base class initializer.
	* program-state.cc (sm_state_map::clone_with_remapping): Drop
	redundant "typename".
	(sm_state_map::print): Likewise.
	(sm_state_map::hash): Likewise.
	(sm_state_map::operator==): Likewise.
	(sm_state_map::remap_svalue_ids): Likewise.
	(sm_state_map::on_svalue_purge): Likewise.
	(sm_state_map::validate): Likewise.
	* program-state.h (sm_state_map::iterator_t): Likewise.
	* supergraph.h (superedge::superedge): Specify template for base
	class initializer.

2020-01-23 David Malcolm <dmalcolm@redhat.com>

	PR analyzer/93375
	* supergraph.cc (callgraph_superedge::get_arg_for_parm): Fail
	gracefully if the number of parameters at the callee exceeds the
	number of arguments at the call stmt.
	(callgraph_superedge::get_parm_for_arg): Likewise.

2020-01-22 David Malcolm <dmalcolm@redhat.com>

	PR analyzer/93382
	* program-state.cc (sm_state_map::on_svalue_purge): If the
	entry survives, but the origin is being purged, then reset the
	origin to null.

2020-01-22 David Malcolm <dmalcolm@redhat.com>

	* sm-signal.cc: Fix nesting of CHECKING_P and namespace ana.

2020-01-22 David Malcolm <dmalcolm@redhat.com>

	PR analyzer/93378
	* engine.cc (setjmp_svalue::compare_fields): Update for
	replacement of m_enode with m_setjmp_record.
	(setjmp_svalue::add_to_hash): Likewise.
	(setjmp_svalue::get_index): Rename...
	(setjmp_svalue::get_enode_index): ...to this.
	(setjmp_svalue::print_details): Update for replacement of m_enode
	with m_setjmp_record.
	(exploded_node::on_longjmp): Likewise.
	* exploded-graph.h (rewind_info_t::m_enode_origin): Replace...
	(rewind_info_t::m_setjmp_record): ...with this.
	(rewind_info_t::rewind_info_t): Update for replacement of m_enode
	with m_setjmp_record.
	(rewind_info_t::get_setjmp_point): Likewise.
	(rewind_info_t::get_setjmp_call): Likewise.
	* region-model.cc (region_model::dump_summary_of_map): Likewise.
	(region_model::on_setjmp): Likewise.
	* region-model.h (struct setjmp_record): New struct.
	(setjmp_svalue::m_enode): Replace...
	(setjmp_svalue::m_setjmp_record): ...with this.
	(setjmp_svalue::setjmp_svalue): Update for replacement of m_enode
	with m_setjmp_record.
	(setjmp_svalue::clone): Likewise.
	(setjmp_svalue::get_index): Rename...
	(setjmp_svalue::get_enode_index): ...to this.
	(setjmp_svalue::get_exploded_node): Replace...
	(setjmp_svalue::get_setjmp_record): ...with this.

2020-01-22 David Malcolm <dmalcolm@redhat.com>

	PR analyzer/93316
	* analyzer.cc (is_setjmp_call_p): Check for "setjmp" as well as
	"_setjmp".

2020-01-22 David Malcolm <dmalcolm@redhat.com>

	PR analyzer/93307
	* analysis-plan.h: Wrap everything in namespace "ana".
	* analyzer-logging.cc: Likewise.
	* analyzer-logging.h: Likewise.
	* analyzer-pass.cc (pass_analyzer::execute): Update for "ana"
	namespace.
	* analyzer-selftests.cc: Wrap everything in namespace "ana".
	* analyzer-selftests.h: Likewise.
	* analyzer.h: Likewise for forward decls of types.
	* call-string.h: Likewise.
	* checker-path.cc: Likewise.
	* checker-path.h: Likewise.
	* constraint-manager.cc: Likewise.
	* constraint-manager.h: Likewise.
	* diagnostic-manager.cc: Likewise.
	* diagnostic-manager.h: Likewise.
	* engine.cc: Likewise.
	* engine.h: Likewise.
	* exploded-graph.h: Likewise.
	* function-set.cc: Likewise.
	* function-set.h: Likewise.
	* pending-diagnostic.cc: Likewise.
	* pending-diagnostic.h: Likewise.
	* program-point.cc: Likewise.
	* program-point.h: Likewise.
	* program-state.cc: Likewise.
	* program-state.h: Likewise.
	* region-model.cc: Likewise.
	* region-model.h: Likewise.
	* sm-file.cc: Likewise.
	* sm-malloc.cc: Likewise.
	* sm-pattern-test.cc: Likewise.
	* sm-sensitive.cc: Likewise.
	* sm-signal.cc: Likewise.
	* sm-taint.cc: Likewise.
	* sm.cc: Likewise.
	* sm.h: Likewise.
	* state-purge.h: Likewise.
	* supergraph.cc: Likewise.
	* supergraph.h: Likewise.

2020-01-21 David Malcolm <dmalcolm@redhat.com>

	PR analyzer/93352
	* region-model.cc (int_cmp): Rename to...
	(array_region::key_cmp): ...this, using key_t rather than int.
	Rewrite in terms of comparisons rather than subtraction to
	ensure qsort is anti-symmetric when handling extreme values.
	(array_region::walk_for_canonicalization): Update for above
	renaming.
	* region-model.h (array_region::key_cmp): New decl.

2020-01-17 David Malcolm <dmalcolm@redhat.com>

	PR analyzer/93290
	* region-model.cc (region_model::eval_condition_without_cm): Avoid
	gcc_unreachable for unexpected operations for the case where
	we're comparing an svalue against itself.

2020-01-17 David Malcolm <dmalcolm@redhat.com>

	PR analyzer/93281
	* region-model.cc
	(region_model::convert_byte_offset_to_array_index): Convert to
	ssizetype before dividing by byte_size. Use fold_binary rather
	than fold_build2 to avoid needlessly constructing a tree for the
	non-const case.

2020-01-15 David Malcolm <dmalcolm@redhat.com>

	* engine.cc (class impl_region_model_context): Fix comment.

2020-01-14 David Malcolm <dmalcolm@redhat.com>

	PR analyzer/93212
	* region-model.cc (make_region_for_type): Use
	FUNC_OR_METHOD_TYPE_P rather than comparing against FUNCTION_TYPE.
	* region-model.h (function_region::function_region): Likewise.

2020-01-14 David Malcolm <dmalcolm@redhat.com>

	* program-state.cc (sm_state_map::clone_with_remapping): Copy
	m_global_state.
	(selftest::test_program_state_merging_2): New selftest.
	(selftest::analyzer_program_state_cc_tests): Call it.

2020-01-14 David Malcolm <dmalcolm@redhat.com>

	* checker-path.h (checker_path::get_checker_event): New function.
	(checker_path): Add DISABLE_COPY_AND_ASSIGN; make fields private.
	* diagnostic-manager.cc
	(diagnostic_manager::prune_for_sm_diagnostic): Replace direct
	access to checker_path::m_events with accessor functions. Fix
	overlong line.
	(diagnostic_manager::prune_interproc_events): Replace direct
	access to checker_path::m_events with accessor functions.
	(diagnostic_manager::finish_pruning): Likewise.

2020-01-14 David Malcolm <dmalcolm@redhat.com>

	* checker-path.h (checker_event::clone): Delete vfunc decl.
	(debug_event::clone): Delete vfunc impl.
	(custom_event::clone): Delete vfunc impl.
	(statement_event::clone): Delete vfunc impl.
	(function_entry_event::clone): Delete vfunc impl.
	(state_change_event::clone): Delete vfunc impl.
	(start_cfg_edge_event::clone): Delete vfunc impl.
	(end_cfg_edge_event::clone): Delete vfunc impl.
	(call_event::clone): Delete vfunc impl.
	(return_event::clone): Delete vfunc impl.
	(setjmp_event::clone): Delete vfunc impl.
	(rewind_from_longjmp_event::clone): Delete vfunc impl.
	(rewind_to_setjmp_event::clone): Delete vfunc impl.
	(warning_event::clone): Delete vfunc impl.

2020-01-14 David Malcolm <dmalcolm@redhat.com>

	* supergraph.cc (supernode::dump_dot): Ensure that the TABLE
	element has at least one TR.

2020-01-14 David Malcolm <dmalcolm@redhat.com>

	PR analyzer/58237
	* engine.cc (leak_stmt_finder::find_stmt): Use get_pure_location
	when comparing against UNKNOWN_LOCATION.
	(stmt_requires_new_enode_p): Likewise.
	(exploded_graph::dump_exploded_nodes): Likewise.
	* supergraph.cc (supernode::get_start_location): Likewise.
	(supernode::get_end_location): Likewise.

2020-01-14 David Malcolm <dmalcolm@redhat.com>

	PR analyzer/58237
	* analyzer-selftests.cc (selftest::run_analyzer_selftests): Call
	selftest::analyzer_sm_file_cc_tests.
	* analyzer-selftests.h (selftest::analyzer_sm_file_cc_tests): New
	decl.
	* sm-file.cc: Include "analyzer/function-set.h" and
	"analyzer/analyzer-selftests.h".
	(get_file_using_fns): New function.
	(is_file_using_fn_p): New function.
	(fileptr_state_machine::on_stmt): Return true for known functions.
	(selftest::analyzer_sm_file_cc_tests): New function.

2020-01-14 David Malcolm <dmalcolm@redhat.com>

	* analyzer-selftests.cc (selftest::run_analyzer_selftests): Call
	selftest::analyzer_sm_signal_cc_tests.
	* analyzer-selftests.h (selftest::analyzer_sm_signal_cc_tests):
	New decl.
	* sm-signal.cc: Include "analyzer/function-set.h" and
	"analyzer/analyzer-selftests.h".
	(get_async_signal_unsafe_fns): New function.
	(signal_unsafe_p): Reimplement in terms of the above.
	(selftest::analyzer_sm_signal_cc_tests): New function.

2020-01-14 David Malcolm <dmalcolm@redhat.com>

	* analyzer-selftests.cc (selftest::run_analyzer_selftests): Call
	selftest::analyzer_function_set_cc_tests.
	* analyzer-selftests.h (selftest::analyzer_function_set_cc_tests):
	New decl.
	* function-set.cc: New file.
	* function-set.h: New file.

2020-01-14 David Malcolm <dmalcolm@redhat.com>

	* analyzer.h (fndecl_has_gimple_body_p): New decl.
	* engine.cc (impl_region_model_context::on_unknown_change): New
	function.
	(fndecl_has_gimple_body_p): Make non-static.
	(exploded_node::on_stmt): Treat __analyzer_dump_exploded_nodes as
	known. Track whether we have a call with unknown side-effects and
	pass it to on_call_post.
	* exploded-graph.h (impl_region_model_context::on_unknown_change):
	New decl.
	* program-state.cc (sm_state_map::on_unknown_change): New function.
	* program-state.h (sm_state_map::on_unknown_change): New decl.
	* region-model.cc: Include "bitmap.h".
	(region_model::on_call_pre): Return a bool, capturing whether the
	call has unknown side effects.
	(region_model::on_call_post): Add arg "bool unknown_side_effects"
	and if true, call handle_unrecognized_call.
	(class reachable_regions): New class.
	(region_model::handle_unrecognized_call): New function.
	* region-model.h (region_model::on_call_pre): Return a bool.
	(region_model::on_call_post): Add arg "bool unknown_side_effects".
	(region_model::handle_unrecognized_call): New decl.
	(region_model_context::on_unknown_change): New vfunc.
	(test_region_model_context::on_unknown_change): New function.

2020-01-14 David Malcolm <dmalcolm@redhat.com>

	* diagnostic-manager.cc (saved_diagnostic::operator==): Move here
	from header. Replace pointer equality test on m_var with call to
	pending_diagnostic::same_tree_p.
	* diagnostic-manager.h (saved_diagnostic::operator==): Move to
	diagnostic-manager.cc.
	* pending-diagnostic.cc (pending_diagnostic::same_tree_p): New.
	* pending-diagnostic.h (pending_diagnostic::same_tree_p): New.
	* sm-file.cc (file_diagnostic::subclass_equal_p): Replace pointer
	equality on m_arg with call to pending_diagnostic::same_tree_p.
	* sm-malloc.cc (malloc_diagnostic::subclass_equal_p): Likewise.
	(possible_null_arg::subclass_equal_p): Likewise.
	(null_arg::subclass_equal_p): Likewise.
	(free_of_non_heap::subclass_equal_p): Likewise.
	* sm-pattern-test.cc (pattern_match::operator==): Likewise.
	* sm-sensitive.cc (exposure_through_output_file::operator==):
	Likewise.
	* sm-taint.cc (tainted_array_index::operator==): Likewise.

2020-01-14 David Malcolm <dmalcolm@redhat.com>

	* diagnostic-manager.cc (dedupe_winners::add): Add logging
	of deduplication decisions made.

2020-01-14 David Malcolm <dmalcolm@redhat.com>

	* ChangeLog: New file.
	* analyzer-selftests.cc: New file.
	* analyzer-selftests.h: New file.
	* analyzer.opt: New file.
	* analysis-plan.cc: New file.
	* analysis-plan.h: New file.
	* analyzer-logging.cc: New file.
	* analyzer-logging.h: New file.
	* analyzer-pass.cc: New file.
	* analyzer.cc: New file.
	* analyzer.h: New file.
	* call-string.cc: New file.
	* call-string.h: New file.
	* checker-path.cc: New file.
	* checker-path.h: New file.
	* constraint-manager.cc: New file.
	* constraint-manager.h: New file.
	* diagnostic-manager.cc: New file.
	* diagnostic-manager.h: New file.
	* engine.cc: New file.
	* engine.h: New file.
	* exploded-graph.h: New file.
	* pending-diagnostic.cc: New file.
	* pending-diagnostic.h: New file.
	* program-point.cc: New file.
	* program-point.h: New file.
	* program-state.cc: New file.
	* program-state.h: New file.
	* region-model.cc: New file.
	* region-model.h: New file.
	* sm-file.cc: New file.
	* sm-malloc.cc: New file.
	* sm-malloc.dot: New file.
	* sm-pattern-test.cc: New file.
	* sm-sensitive.cc: New file.
	* sm-signal.cc: New file.
	* sm-taint.cc: New file.
	* sm.cc: New file.
	* sm.h: New file.
	* state-purge.cc: New file.
	* state-purge.h: New file.
	* supergraph.cc: New file.
	* supergraph.h: New file.

2019-12-13 David Malcolm <dmalcolm@redhat.com>

	* Initial creation

Copyright (C) 2019-2023 Free Software Foundation, Inc.

Copying and distribution of this file, with or without modification,
are permitted in any medium without royalty provided the copyright
notice and this notice are preserved.