gcc/analyzer/ChangeLog (thirdparty/gcc.git)
2023-11-02  David Malcolm  <dmalcolm@redhat.com>

	PR analyzer/112317
	* access-diagram.cc (class x_aligned_x_ruler_widget): Eliminate
	unused field "m_col_widths".
	(access_diagram_impl::add_valid_vs_invalid_ruler): Update for
	above change.
	* region-model.cc
	(check_one_function_attr_null_terminated_string_arg): Remove
	unused variables "cd_unchecked", "strlen_sval", and
	"limited_sval".
	* region-model.h (region_model_context_decorator::warn): Add
	missing "override".

2023-10-31  David Malcolm  <dmalcolm@redhat.com>

	* record-layout.cc: New file, based on material in region-model.cc.
	* record-layout.h: Likewise.
	* region-model.cc: Include "analyzer/record-layout.h".
	(class record_layout): Move to record-layout.cc and .h

2023-10-26  David Malcolm  <dmalcolm@redhat.com>

	* region-model.cc
	(region_model::check_external_function_for_access_attr): Split
	out, replacing with...
	(region_model::check_function_attr_access): ...this new function
	and...
	(region_model::check_function_attrs): ...this new function.
	(region_model::check_one_function_attr_null_terminated_string_arg):
	New.
	(region_model::check_function_attr_null_terminated_string_arg):
	New.
	(region_model::handle_unrecognized_call): Update for renaming of
	check_external_function_for_access_attr to check_function_attrs.
	(region_model::check_for_null_terminated_string_arg): Add return
	value to one overload. Make both overloads const.
	* region-model.h: Include "stringpool.h" and "attribs.h".
	(region_model::check_for_null_terminated_string_arg): Add return
	value to one overload. Make both overloads const.
	(region_model::check_external_function_for_access_attr): Delete
	decl.
	(region_model::check_function_attr_access): New decl.
	(region_model::check_function_attr_null_terminated_string_arg):
	New decl.
	(region_model::check_one_function_attr_null_terminated_string_arg):
	New decl.
	(region_model::check_function_attrs): New decl.

2023-10-09  David Malcolm  <dmalcolm@redhat.com>

	* access-diagram.cc (boundaries::add): Explicitly state
	"boundaries::" scope for "kind" enum.

2023-10-08  David Malcolm  <dmalcolm@redhat.com>

	PR analyzer/111155
	* access-diagram.cc (boundaries::boundaries): Add logger param
	(boundaries::add): Add logging.
	(boundaries::get_hard_boundaries_in_range): New.
	(boundaries::m_logger): New field.
	(boundaries::get_table_x_for_offset): Make public.
	(class svalue_spatial_item): New.
	(class compound_svalue_spatial_item): New.
	(add_ellipsis_to_gaps): New.
	(valid_region_spatial_item::valid_region_spatial_item): Add theme
	param. Initialize m_boundaries, m_existing_sval, and
	m_existing_sval_spatial_item.
	(valid_region_spatial_item::add_boundaries): Set m_boundaries.
	Add boundaries for any m_existing_sval_spatial_item.
	(valid_region_spatial_item::add_array_elements_to_table): Rewrite
	creation of min/max index in terms of
	maybe_add_array_index_to_table. Rewrite ellipsis code using
	add_ellipsis_to_gaps. Add index values for any hard boundaries
	within the valid region.
	(valid_region_spatial_item::maybe_add_array_index_to_table): New,
	based on code formerly in add_array_elements_to_table.
	(valid_region_spatial_item::make_table): Make use of
	m_existing_sval_spatial_item, if any.
	(valid_region_spatial_item::m_boundaries): New field.
	(valid_region_spatial_item::m_existing_sval): New field.
	(valid_region_spatial_item::m_existing_sval_spatial_item): New
	field.
	(class svalue_spatial_item): Rename to...
	(class written_svalue_spatial_item): ...this.
	(class string_region_spatial_item): Rename to...
	(class string_literal_spatial_item): ...this. Add "kind".
	(string_literal_spatial_item::add_boundaries): Use m_kind to
	determine kind of boundary. Update for renaming of m_actual_bits
	to m_bits.
	(string_literal_spatial_item::make_table): Likewise. Support not
	displaying a row for byte indexes, and not displaying a row for
	the type.
	(string_literal_spatial_item::add_column_for_byte): Make byte index
	row optional.
	(svalue_spatial_item::make): Convert to...
	(make_written_svalue_spatial_item): ...this.
	(make_existing_svalue_spatial_item): New.
	(access_diagram_impl::access_diagram_impl): Pass theme to
	m_valid_region_spatial_item ctor. Update for renaming of
	m_svalue_spatial_item.
	(access_diagram_impl::find_boundaries): Pass logger to boundaries.
	Update for renaming of...
	(access_diagram_impl::m_svalue_spatial_item): Rename to...
	(access_diagram_impl::m_written_svalue_spatial_item): ...this.

2023-10-03  David Malcolm  <dmalcolm@redhat.com>

	* analyzer-logging.cc (logger::log_va_partial): Use text_info
	ctor.
	* analyzer.cc (make_label_text): Likewise.
	(make_label_text_n): Likewise.
	* pending-diagnostic.cc (evdesc::event_desc::formatted_print):
	Likewise.

2023-10-02  David Malcolm  <dmalcolm@redhat.com>

	* program-point.cc: Update for grouping of source printing fields
	within diagnostic_context.

2023-09-15  David Malcolm  <dmalcolm@redhat.com>

	* analyzer.cc (get_stmt_location): Handle null stmt.
	* diagnostic-manager.cc (saved_diagnostic::saved_diagnostic): Copy
	m_loc from ploc.
	(saved_diagnostic::operator==): Compare m_loc.
	(saved_diagnostic::calc_best_epath): Only use m_stmt_finder if
	m_loc is unknown.
	(dedupe_key::dedupe_key): Initialize m_loc.
	(dedupe_key::operator==): Compare m_loc.
	(dedupe_key::get_location): Use m_loc if it's known.
	(dedupe_key::m_loc): New field.
	(diagnostic_manager::emit_saved_diagnostic): Only call
	get_emission_location if m_loc is unknown, preferring to use m_loc
	if it's available.
	* diagnostic-manager.h (saved_diagnostic::m_loc): New field.
	(pending_location::pending_location): Initialize m_loc. Add
	overload taking a location_t rather than a stmt/stmt_finder.
	(pending_location::m_loc): New field.

2023-09-15  David Malcolm  <dmalcolm@redhat.com>

	* analyzer.h (struct pending_location): New forward decl.
	* diagnostic-manager.cc (saved_diagnostic::saved_diagnostic):
	Replace params "enode", "snode", "stmt", and "stmt_finder" with
	"ploc".
	(diagnostic_manager::add_diagnostic): Likewise for both overloads.
	* diagnostic-manager.h (saved_diagnostic::saved_diagnostic):
	Likewise.
	(struct pending_location): New.
	(diagnostic_manager::add_diagnostic): Replace params "enode",
	"snode", "stmt", and "stmt_finder" with "ploc".
	* engine.cc (impl_region_model_context::warn): Update call to
	add_diagnostic for above change.
	(impl_sm_context::warn): Likewise.
	(impl_region_model_context::on_state_leak): Likewise.
	* infinite-recursion.cc
	(exploded_graph::detect_infinite_recursion): Likewise.

2023-09-15  David Malcolm  <dmalcolm@redhat.com>

	* region-model.cc (region_model::get_gassign_result): Handle
	volatile ops by using a conjured_svalue.

2023-09-14  David Malcolm  <dmalcolm@redhat.com>

	* checker-event.h (checker_event::get_thread_id): New.
	* checker-path.h (class checker_path): Implement thread-related
	vfuncs via a single simple_diagnostic_thread instance named
	"main".

2023-09-14  David Malcolm  <dmalcolm@redhat.com>

	* diagnostic-manager.cc (compatible_epath_p): Fix missing return.

2023-09-14  David Malcolm  <dmalcolm@redhat.com>

	* diagnostic-manager.cc (process_worklist_item): Use
	std::unique_ptr rather than plain rejected_constraint *.
	* engine.cc (exploded_path::feasible_p): Likewise.
	(feasibility_state::maybe_update_for_edge): Likewise.
	* exploded-graph.h (feasibility_problem::feasibility_problem):
	Likewise.
	(feasibility_problem::~feasibility_problem): Delete.
	(feasibility_problem::m_rc): Use std::unique_ptr.
	(feasibility_state::maybe_update_for_edge): Likewise.
	* feasible-graph.cc (feasible_graph::add_feasibility_problem):
	Likewise.
	* feasible-graph.h (class infeasible_node): Likewise.
	(feasible_graph::add_feasibility_problem): Likewise.
	* region-model.cc (region_model::add_constraint): Likewise.
	(region_model::maybe_update_for_edge): Likewise.
	(region_model::apply_constraints_for_gcond): Likewise.
	(region_model::apply_constraints_for_gswitch): Likewise.
	(region_model::apply_constraints_for_exception): Likewise.
	* region-model.h (class region_model): Likewise for decls.

2023-09-09  benjamin priour  <vultkayn@gcc.gnu.org>

	PR analyzer/96395
	* region-model.cc
	(region_model::add_constraints_from_binop): binop_svalues around
	LT_EXPR, LE_EXPR, GT_EXPR, GE_EXPR are now unwrapped.

2023-09-07  David Malcolm  <dmalcolm@redhat.com>

	PR analyzer/110529
	* program-point.cc (program_point::on_edge): Don't reject
	EDGE_ABNORMAL for computed gotos.
	* region-model.cc (region_model::maybe_update_for_edge): Handle
	computed goto statements.
	(region_model::apply_constraints_for_ggoto): New.
	* region-model.h (region_model::apply_constraints_for_ggoto): New decl.
	* supergraph.cc (supernode::get_label): New.
	* supergraph.h (supernode::get_label): New decl.

2023-09-07  benjamin priour  <vultkayn@gcc.gnu.org>
	    David Malcolm  <dmalcolm@redhat.com>

	PR analyzer/110830
	* diagnostic-manager.cc
	(compatible_epaths_p): New function.
	(saved_diagnostic::supercedes_p): Now calls the above
	to determine if the diagnostics do overlap and the superseding
	may proceed.

2023-09-07  David Malcolm  <dmalcolm@redhat.com>

	* region-model.h: Fix -Wunused-parameter warnings.

2023-09-06  David Malcolm  <dmalcolm@redhat.com>

	PR analyzer/105899
	* kf.cc (class kf_strstr): New.
	(kf_strstr::impl_call_post): New.
	(register_known_functions): Register it.

2023-09-06  David Malcolm  <dmalcolm@redhat.com>

	PR analyzer/105899
	* kf.cc (class kf_strncpy): New.
	(kf_strncpy::impl_call_post): New.
	(register_known_functions): Register it.
	* region-model.cc (region_model::read_bytes): Handle unknown
	number of bytes.

2023-09-06  David Malcolm  <dmalcolm@redhat.com>

	* kf.cc (kf_calloc::impl_call_pre): Pass ctxt to zero_fill_region.
	(kf_memset::impl_call_pre): Move responsibility for calling
	check_region_for_write to fill_region.
	* region-model.cc (region_model::on_assignment): Pass ctxt to
	zero_fill_region.
	(region_model::fill_region): Add "ctxt" param, using it to call
	check_region_for_write.
	(region_model::zero_fill_region): Likewise.
	* region-model.h (region_model::fill_region): Add "ctxt" param.
	(region_model::zero_fill_region): Likewise.

2023-09-01  benjamin priour  <priour.be@gmail.com>

	PR analyzer/105948
	PR analyzer/94355
	* analyzer.h (is_placement_new_p): New declaration.
	* call-details.cc
	(call_details::deref_ptr_arg): New function.
	Dereference the argument at given index if possible.
	* call-details.h: Declaration of the above function.
	* kf-lang-cp.cc (is_placement_new_p): Returns true if the gcall
	is recognized as a placement new.
	(kf_operator_delete::impl_call_post): Unbinding a region and its
	descendants now poisons with POISON_KIND_DELETED.
	(register_known_functions_lang_cp): Known function "operator
	delete" is now registered only once independently of its number of
	arguments.
	* region-model.cc (region_model::eval_condition): Now
	recursively calls itself if any of the operands is wrapped in a
	cast.
	* sm-malloc.cc (malloc_state_machine::on_stmt):
	Add placement new recognition.
	* svalue.cc (poison_kind_to_str): Wording for the new PK.
	* svalue.h (enum poison_kind): Add value POISON_KIND_DELETED.

2023-08-31  Francois-Xavier Coudert  <fxcoudert@gcc.gnu.org>

	* kf.cc: Change spelling to macOS.

2023-08-30  Eric Feng  <ef2648@columbia.edu>

	PR analyzer/107646
	* engine.cc (impl_region_model_context::warn): New optional
	parameter.
	* exploded-graph.h (class impl_region_model_context): Likewise.
	* region-model.cc (region_model::pop_frame): New callback
	feature for region_model::pop_frame.
	* region-model.h (struct append_regions_cb_data): Likewise.
	(class region_model): Likewise.
	(class region_model_context): New optional parameter.
	(class region_model_context_decorator): Likewise.

2023-08-30  Francois-Xavier Coudert  <fxcoudert@gcc.gnu.org>

	* region-model.cc: Define INCLUDE_ALGORITHM.

2023-08-29  David Malcolm  <dmalcolm@redhat.com>

	PR analyzer/99860
	* analyzer-selftests.cc (selftest::run_analyzer_selftests): Call
	selftest::analyzer_ranges_cc_tests.
	* analyzer-selftests.h (selftest::run_analyzer_selftests): New
	decl.
	* analyzer.opt (Wanalyzer-overlapping-buffers): New option.
	* call-details.cc: Include "analyzer/ranges.h" and "make-unique.h".
	(class overlapping_buffers): New.
	(call_details::complain_about_overlap): New.
	* call-details.h (call_details::complain_about_overlap): New decl.
	* kf.cc (kf_memcpy_memmove::impl_call_pre): Call
	cd.complain_about_overlap for memcpy and memcpy_chk.
	(kf_strcat::impl_call_pre): Call cd.complain_about_overlap.
	(kf_strcpy::impl_call_pre): Likewise.
	* ranges.cc: New file.
	* ranges.h: New file.

2023-08-29  David Malcolm  <dmalcolm@redhat.com>

	PR analyzer/105899
	* kf.cc (kf_strdup::impl_call_pre): Set size of
	dynamically-allocated buffer. Simulate copying the string from
	the source region to the new buffer.

2023-08-27  benjamin priour  <vultkayn@gcc.gnu.org>

	PR analyzer/96395
	* analyzer.h (class known_function): Add virtual casts
	to builtin_known_function.
	(class builtin_known_function): New subclass of known_function
	for builtins.
	* kf.cc (class kf_alloca): Now derived from
	builtin_known_function.
	(class kf_calloc): Likewise.
	(class kf_free): Likewise.
	(class kf_malloc): Likewise.
	(class kf_memcpy_memmove): Likewise.
	(class kf_memset): Likewise.
	(class kf_realloc): Likewise.
	(class kf_strchr): Likewise.
	(class kf_sprintf): Likewise.
	(class kf_strcat): Likewise.
	(class kf_strcpy): Likewise.
	(class kf_strdup): Likewise.
	(class kf_strlen): Likewise.
	(class kf_strndup): Likewise.
	(register_known_functions): Builtins are now registered as
	known_functions by name rather than by their BUILTIN_CODE.
	* known-function-manager.cc (get_normal_builtin): New overload.
	* known-function-manager.h: New overload declaration.
	* region-model.cc (region_model::get_builtin_kf): New function.
	* region-model.h (class region_model): Add declaration of
	get_builtin_kf.
	* sm-fd.cc: For calls recognized as builtins, use the
	attributes of that builtin as defined in gcc/builtins.def
	rather than the user's.
	* sm-malloc.cc (malloc_state_machine::on_stmt): Likewise.

2023-08-25  David Malcolm  <dmalcolm@redhat.com>

	* access-diagram.cc (class string_region_spatial_item): Remove
	assumption that the string is written to the start of the cluster.

2023-08-24  David Malcolm  <dmalcolm@redhat.com>

	PR analyzer/105899
	* call-details.cc
	(call_details::check_for_null_terminated_string_arg): Split into
	overloads, one taking just an arg_idx, the other a new
	"include_terminator" param.
	* call-details.h: Likewise.
	* kf.cc (class kf_strcat): New.
	(kf_strcpy::impl_call_pre): Update for change to
	check_for_null_terminated_string_arg.
	(register_known_functions): Register kf_strcat.
	* region-model.cc
	(region_model::check_for_null_terminated_string_arg): Split into
	overloads, one taking just an arg_idx, the other a new
	"include_terminator" param. When returning an svalue, handle
	"include_terminator" being false by subtracting one.
	* region-model.h
	(region_model::check_for_null_terminated_string_arg): Split into
	overloads, one taking just an arg_idx, the other a new
	"include_terminator" param.

2023-08-24  David Malcolm  <dmalcolm@redhat.com>

	PR analyzer/105899
	* region-model.cc (fragment::has_null_terminator): Handle
	SK_BITS_WITHIN.

2023-08-24  David Malcolm  <dmalcolm@redhat.com>

	PR analyzer/105899
	* region-model-manager.cc
	(region_model_manager::get_or_create_initial_value): Simplify
	INIT_VAL(ELEMENT_REG(STRING_REG), CONSTANT_SVAL) to
	CONSTANT_SVAL(STRING[N]).

2023-08-24  David Malcolm  <dmalcolm@redhat.com>

	PR analyzer/105899
	* region-model.cc (fragment::has_null_terminator): Move STRING_CST
	handling to fragment::string_cst_has_null_terminator; also use it to
	handle INIT_VAL(STRING_REG).
	(fragment::string_cst_has_null_terminator): New, from above.

2023-08-24  David Malcolm  <dmalcolm@redhat.com>

	* kf.cc (kf_memcpy_memmove::impl_call_pre): Reimplement using
	region_model::copy_bytes.
	* region-model.cc (region_model::read_bytes): New.
	(region_model::copy_bytes): New.
	* region-model.h (region_model::read_bytes): New decl.
	(region_model::copy_bytes): New decl.

2023-08-24  David Malcolm  <dmalcolm@redhat.com>

	PR analyzer/105899
	* region-model.cc (region_model::get_string_size): Delete both.
	* region-model.h (region_model::get_string_size): Delete both
	decls.

2023-08-24  David Malcolm  <dmalcolm@redhat.com>

	PR analyzer/105899
	* kf.cc (kf_strcpy::impl_call_pre): Reimplement using
	check_for_null_terminated_string_arg.
	* region-model.cc (region_model::get_store_bytes): Shortcut
	reading all of a string_region.
	(region_model::scan_for_null_terminator): Use get_store_value for
	the bytes rather than "unknown" when returning an unknown length.
	(region_model::write_bytes): New.
	* region-model.h (region_model::write_bytes): New decl.

2023-08-24  David Malcolm  <dmalcolm@redhat.com>

	PR analyzer/105899
	* region-model.cc (iterable_cluster::iterable_cluster): Add
	symbolic binding keys to m_symbolic_bindings.
	(iterable_cluster::has_symbolic_bindings_p): New.
	(iterable_cluster::m_symbolic_bindings): New field.
	(region_model::scan_for_null_terminator): Treat clusters with
	symbolic bindings as having unknown strlen.

2023-08-24  David Malcolm  <dmalcolm@redhat.com>

	* engine.cc (impl_path_context::impl_path_context): Add logger
	param.
	(impl_path_context::bifurcate): Add log message.
	(impl_path_context::terminate_path): Likewise.
	(impl_path_context::m_logger): New field.
	(exploded_graph::process_node): Pass logger to path_ctxt ctor.

2023-08-22  David Malcolm  <dmalcolm@redhat.com>

	PR analyzer/105899
	* kf-analyzer.cc (class kf_analyzer_get_strlen): Move to kf.cc.
	(register_known_analyzer_functions): Use make_kf_strlen.
	* kf.cc (class kf_strlen::impl_call_pre): Replace with
	implementation of kf_analyzer_get_strlen from kf-analyzer.cc.
	Handle "UNKNOWN" return from check_for_null_terminated_string_arg
	by falling back to a conjured svalue.
	(make_kf_strlen): New.
	(register_known_functions): Use make_kf_strlen.
	* known-function-manager.h (make_kf_strlen): New decl.

2023-08-22  David Malcolm  <dmalcolm@redhat.com>

	PR analyzer/105899
	* call-details.cc (call_details::call_details): New ctor.
	* call-details.h (call_details::call_details): New ctor decl.
	(struct call_arg_details): Move here from region-model.cc.
	* region-model.cc (region_model::check_call_format_attr): New.
	(region_model::check_call_args): Call it.
	(struct call_arg_details): Move it to call-details.h.
	* region-model.h (region_model::check_call_format_attr): New decl.

2023-08-22  David Malcolm  <dmalcolm@redhat.com>

	* kf.cc (class kf_fopen): New.
	(register_known_functions): Register it.

2023-08-22  David Malcolm  <dmalcolm@redhat.com>

	PR analyzer/105899
	* analyzer.opt (Wanalyzer-unterminated-string): Delete.
	* call-details.cc
	(call_details::check_for_null_terminated_string_arg): Convert
	return type from void to const svalue *. Add param "out_sval".
	* call-details.h
	(call_details::check_for_null_terminated_string_arg): Likewise.
	* kf-analyzer.cc (kf_analyzer_get_strlen::impl_call_pre): Wire up
	to result of check_for_null_terminated_string_arg.
	* region-model.cc (get_strlen): Delete.
	(class unterminated_string_arg): Delete.
	(struct fragment): New.
	(class iterable_cluster): New.
	(region_model::get_store_bytes): New.
	(get_tree_for_byte_offset): New.
	(region_model::scan_for_null_terminator): New.
	(region_model::check_for_null_terminated_string_arg): Convert
	return type from void to const svalue *. Add param "out_sval".
	Reimplement in terms of scan_for_null_terminator, dropping the
	special-case for -Wanalyzer-unterminated-string.
	* region-model.h (region_model::get_store_bytes): New decl.
	(region_model::scan_for_null_terminator): New decl.
	(region_model::check_for_null_terminated_string_arg): Convert
	return type from void to const svalue *. Add param "out_sval".
	* store.cc (concrete_binding::get_byte_range): New.
	* store.h (concrete_binding::get_byte_range): New decl.
	(store_manager::get_concrete_binding): New overload.

2023-08-22  David Malcolm  <dmalcolm@redhat.com>

	* region-model.cc (region_model_context_decorator::add_event):
	Handle m_inner being NULL.
	* region-model.h (class region_model_context_decorator): Likewise.
	(annotating_context::warn): Likewise.

2023-08-22  David Malcolm  <dmalcolm@redhat.com>

	* diagnostic-manager.cc (saved_diagnostic::add_event): New.
	(saved_diagnostic::add_any_saved_events): New.
	(diagnostic_manager::add_event): New.
	(dedupe_winners::emit_best): New.
	(diagnostic_manager::emit_saved_diagnostic): Make "sd" param
	non-const. Call saved_diagnostic::add_any_saved_events.
	* diagnostic-manager.h (saved_diagnostic::add_event): New decl.
	(saved_diagnostic::add_any_saved_events): New decl.
	(saved_diagnostic::m_saved_events): New field.
	(diagnostic_manager::add_event): New decl.
	(diagnostic_manager::emit_saved_diagnostic): Make "sd" param
	non-const.
	* engine.cc (impl_region_model_context::add_event): New.
	* exploded-graph.h (impl_region_model_context::add_event): New decl.
	* region-model.cc
	(noop_region_model_context::add_event): New.
	(region_model_context_decorator::add_event): New.
	* region-model.h (region_model_context::add_event): New vfunc.
	(noop_region_model_context::add_event): New decl.
	(region_model_context_decorator::add_event): New decl.

2023-08-22  David Malcolm  <dmalcolm@redhat.com>

	* region-model.cc
	(class check_external_function_for_access_attr::annotating_ctxt):
	Convert to an annotating_context.
	* region-model.h (class note_adding_context): Rename to...
	(class annotating_context): ...this, updating the "warn" method.
	(note_adding_context::make_note): Replace with...
	(annotating_context::add_annotations): ...this.

2023-08-14  benjamin priour  <vultkayn@gcc.gnu.org>

	PR analyzer/110543
	* analyzer.opt: Add new option.
	* diagnostic-manager.cc
	(diagnostic_manager::prune_path): Call prune_system_headers.
	(prune_frame): New function that deletes all events in a frame.
	(diagnostic_manager::prune_system_headers): New function.
	* diagnostic-manager.h: Add prune_system_headers declaration.

2023-08-11  David Malcolm  <dmalcolm@redhat.com>

	PR analyzer/105899
	* analyzer.opt (Wanalyzer-unterminated-string): New.
	* call-details.cc
	(call_details::check_for_null_terminated_string_arg): New.
	* call-details.h
	(call_details::check_for_null_terminated_string_arg): New decl.
	* kf-analyzer.cc (class kf_analyzer_get_strlen): New.
	(register_known_analyzer_functions): Register it.
	* kf.cc (kf_error::impl_call_pre): Check that format arg is a
	valid null-terminated string.
	(kf_putenv::impl_call_pre): Likewise for the sole param.
	(kf_strchr::impl_call_pre): Likewise for the first param.
	(kf_strcpy::impl_call_pre): Likewise for the second param.
	(kf_strdup::impl_call_pre): Likewise for the sole param.
	* region-model.cc (get_strlen): New.
	(struct call_arg_details): New.
	(inform_about_expected_null_terminated_string_arg): New.
	(class unterminated_string_arg): New.
	(region_model::check_for_null_terminated_string_arg): New.
	* region-model.h
	(region_model::check_for_null_terminated_string_arg): New decl.

2023-08-11  Eric Feng  <ef2648@columbia.edu>

	PR analyzer/107646
	* call-details.h: New function.
	* region-model.cc (region_model::get_or_create_region_for_heap_alloc):
	New optional parameters.
	* region-model.h (class region_model): New optional parameters.
	* sm-malloc.cc (on_realloc_with_move): New function.
	(region_model::transition_ptr_sval_non_null): New function.

2023-08-09  David Malcolm  <dmalcolm@redhat.com>

	* analyzer.h (class pure_known_function_with_default_return): New
	subclass.
	* call-details.cc (const_fn_p): Move here from region-model.cc.
	(maybe_get_const_fn_result): Likewise.
	(get_result_size_in_bytes): Likewise.
	(call_details::set_any_lhs_with_defaults): New function, based on
	code in region_model::on_call_pre.
	* call-details.h (call_details::set_any_lhs_with_defaults): New
	decl.
	* diagnostic-manager.cc
	(diagnostic_manager::emit_saved_diagnostic): Log the index of the
	saved_diagnostic.
	* kf.cc (pure_known_function_with_default_return::impl_call_pre):
	New.
	(kf_memset::impl_call_pre): Set the LHS to the first param.
	(kf_putenv::impl_call_pre): Call cd.set_any_lhs_with_defaults.
	(kf_sprintf::impl_call_pre): Call cd.set_any_lhs_with_defaults.
	(class kf_stack_restore): Derive from
	pure_known_function_with_default_return.
	(class kf_stack_save): Likewise.
	(kf_strlen::impl_call_pre): Call cd.set_any_lhs_with_defaults.
	* region-model-reachability.cc (reachable_regions::handle_sval):
	Remove logic for symbolic regions for pointers.
	* region-model.cc (region_model::canonicalize): Remove purging of
	dynamic extents workaround for surplus values from
	region_model::on_call_pre's default LHS code.
	(const_fn_p): Move to call-details.cc.
	(maybe_get_const_fn_result): Likewise.
	(get_result_size_in_bytes): Likewise.
	(region_model::update_for_nonzero_return): Call
	cd.set_any_lhs_with_defaults.
	(region_model::on_call_pre): Remove the assignment to the LHS of a
	default return value, instead requiring all known_function
	implementations to write to any LHS of the call. Use
	cd.set_any_lhs_with_defaults on the non-kf paths.
	* sm-fd.cc (kf_socket::outcome_of_socket::update_model): Use
	cd.set_any_lhs_with_defaults when failing to get at fd state.
	(kf_bind::outcome_of_bind::update_model): Likewise.
	(kf_listen::outcome_of_listen::update_model): Likewise.
	(kf_accept::outcome_of_accept::update_model): Likewise.
	(kf_connect::outcome_of_connect::update_model): Likewise.
	(kf_read::impl_call_pre): Use cd.set_any_lhs_with_defaults.
	* sm-file.cc (class kf_stdio_output_fn): Derive from
	pure_known_function_with_default_return.
	(class kf_ferror): Likewise.
	(class kf_fileno): Likewise.
	(kf_fgets::impl_call_pre): Use cd.set_any_lhs_with_defaults.
	(kf_read::impl_call_pre): Likewise.
	(class kf_getc): Derive from
	pure_known_function_with_default_return.
	(class kf_getchar): Likewise.
	* varargs.cc (kf_va_arg::impl_call_pre): Use
	cd.set_any_lhs_with_defaults.

2023-08-04  David Malcolm  <dmalcolm@redhat.com>

	PR analyzer/110426
	* bounds-checking.cc (region_model::check_region_bounds): Handle
	symbolic base regions.
	* call-details.cc: Include "stringpool.h" and "attribs.h".
	(call_details::lookup_function_attribute): New function.
	* call-details.h (call_details::lookup_function_attribute): New
	function decl.
	* region-model-manager.cc
	(region_model_manager::maybe_fold_binop): Add reference to
	PR analyzer/110902.
	* region-model-reachability.cc (reachable_regions::handle_sval):
	Add symbolic regions for pointers that are conjured svalues for
	the LHS of a stmt.
	* region-model.cc (region_model::canonicalize): Purge dynamic
	extents for regions that aren't referenced.
	(get_result_size_in_bytes): New function.
	(region_model::on_call_pre): Use get_result_size_in_bytes and
	potentially set the dynamic extents of the region pointed to by
	the return value.
	(region_model::deref_rvalue): Add param "add_nonnull_constraint"
	and use it to conditionalize adding the constraint.
	(pending_diagnostic_subclass::dubious_allocation_size): Add "stmt"
	param to both ctors and use it to initialize new "m_stmt" field.
	(pending_diagnostic_subclass::operator==): Use m_stmt; don't use
	m_lhs or m_rhs.
	(pending_diagnostic_subclass::m_stmt): New field.
	(region_model::check_region_size): Generalize to any kind of
	pointer svalue by using deref_rvalue rather than checking for
	region_svalue. Pass stmt to dubious_allocation_size ctor.
	* region-model.h (region_model::deref_rvalue): Add param
	"add_nonnull_constraint".
	* svalue.cc (conjured_svalue::lhs_value_p): New function.
	* svalue.h (conjured_svalue::lhs_value_p): New decl.

2023-08-04  David Malcolm  <dmalcolm@redhat.com>

	* svalue.cc (region_svalue::dump_to_pp): Support NULL type.
	(constant_svalue::dump_to_pp): Likewise.
	(initial_svalue::dump_to_pp): Likewise.
	(conjured_svalue::dump_to_pp): Likewise. Fix missing print of the
	type.

2023-08-03  David Malcolm  <dmalcolm@redhat.com>

	PR analyzer/110882
	* region.cc (int_size_in_bits): Fail on zero-sized types.

2023-08-02  Eric Feng  <ef2648@columbia.edu>

	PR analyzer/107646
	* analyzer-language.cc (run_callbacks): New function.
	(on_finish_translation_unit): New function.
	* analyzer-language.h (GCC_ANALYZER_LANGUAGE_H): New include.
	(class translation_unit): New vfuncs.

2023-07-26  David Malcolm  <dmalcolm@redhat.com>

	PR analyzer/104940
	* region-model-manager.cc
	(region_model_manager::region_model_manager): Update for
	generalizing region ids to also cover svalues.
	(region_model_manager::get_or_create_constant_svalue): Likewise.
	(region_model_manager::get_or_create_unknown_svalue): Likewise.
	(region_model_manager::create_unique_svalue): Likewise.
	(region_model_manager::get_or_create_initial_value): Likewise.
	(region_model_manager::get_or_create_setjmp_svalue): Likewise.
	(region_model_manager::get_or_create_poisoned_svalue): Likewise.
	(region_model_manager::get_ptr_svalue): Likewise.
	(region_model_manager::get_or_create_unaryop): Likewise.
	(region_model_manager::get_or_create_binop): Likewise.
	(region_model_manager::get_or_create_sub_svalue): Likewise.
	(region_model_manager::get_or_create_repeated_svalue): Likewise.
	(region_model_manager::get_or_create_bits_within): Likewise.
	(region_model_manager::get_or_create_unmergeable): Likewise.
	(region_model_manager::get_or_create_widening_svalue): Likewise.
	(region_model_manager::get_or_create_compound_svalue): Likewise.
	(region_model_manager::get_or_create_conjured_svalue): Likewise.
	(region_model_manager::get_or_create_asm_output_svalue): Likewise.
	(region_model_manager::get_or_create_const_fn_result_svalue):
	Likewise.
	(region_model_manager::get_region_for_fndecl): Likewise.
	(region_model_manager::get_region_for_label): Likewise.
	(region_model_manager::get_region_for_global): Likewise.
	(region_model_manager::get_field_region): Likewise.
	(region_model_manager::get_element_region): Likewise.
	(region_model_manager::get_offset_region): Likewise.
	(region_model_manager::get_sized_region): Likewise.
	(region_model_manager::get_cast_region): Likewise.
	(region_model_manager::get_frame_region): Likewise.
	(region_model_manager::get_symbolic_region): Likewise.
	(region_model_manager::get_region_for_string): Likewise.
	(region_model_manager::get_bit_range): Likewise.
	(region_model_manager::get_var_arg_region): Likewise.
	(region_model_manager::get_region_for_unexpected_tree_code):
	Likewise.
	(region_model_manager::get_or_create_region_for_heap_alloc):
	Likewise.
	(region_model_manager::create_region_for_alloca): Likewise.
	(region_model_manager::log_stats): Likewise.
	* region-model-manager.h (region_model_manager::get_num_regions):
	Replace with...
	(region_model_manager::get_num_symbols): ...this.
	(region_model_manager::alloc_region_id): Replace with...
	(region_model_manager::alloc_symbol_id): ...this.
	(region_model_manager::m_next_region_id): Replace with...
	(region_model_manager::m_next_symbol_id): ...this.
	* region-model.cc (selftest::test_get_representative_tree): Update
	for generalizing region ids to also cover svalues.
	(selftest::test_binop_svalue_folding): Likewise.
771 (selftest::test_state_merging): Likewise.
772 * region.cc (region::cmp_ids): Delete, in favor of
773 symbol::cmp_ids.
774 (region::region): Update for introduction of symbol base class.
775 (frame_region::get_region_for_local): Likewise.
776 (root_region::root_region): Likewise.
777 (symbolic_region::symbolic_region): Likewise.
778 * region.h: Replace include of "analyzer/complexity.h" with
779 "analyzer/symbol.h".
780 (class region): Make a subclass of symbol.
781 (region::get_id): Delete in favor of symbol::get_id.
782 (region::cmp_ids): Delete in favor of symbol::cmp_ids.
783 (region::get_complexity): Delete in favor of
784 symbol::get_complexity.
785 (region::region): Use symbol::id_t for "id" param.
786 (region::m_complexity): Move field to symbol base class.
787 (region::m_id): Likewise.
788 (space_region::space_region): Use symbol::id_t for "id" param.
789 (frame_region::frame_region): Likewise.
790 (globals_region::globals_region): Likewise.
791 (code_region::code_region): Likewise.
792 (function_region::function_region): Likewise.
793 (label_region::label_region): Likewise.
794 (stack_region::stack_region): Likewise.
795 (heap_region::heap_region): Likewise.
796 (thread_local_region::thread_local_region): Likewise.
797 (root_region::root_region): Likewise.
798 (symbolic_region::symbolic_region): Likewise.
799 (decl_region::decl_region): Likewise.
800 (field_region::field_region): Likewise.
801 (element_region::element_region): Likewise.
802 (offset_region::offset_region): Likewise.
803 (sized_region::sized_region): Likewise.
804 (cast_region::cast_region): Likewise.
805 (heap_allocated_region::heap_allocated_region): Likewise.
806 (alloca_region::alloca_region): Likewise.
807 (string_region::string_region): Likewise.
808 (bit_range_region::bit_range_region): Likewise.
809 (var_arg_region::var_arg_region): Likewise.
810 (errno_region::errno_region): Likewise.
811 (unknown_region::unknown_region): Likewise.
812 * svalue.cc (sub_svalue::sub_svalue): Add symbol::id_t param.
813 (repeated_svalue::repeated_svalue): Likewise.
814 (bits_within_svalue::bits_within_svalue): Likewise.
815 (compound_svalue::compound_svalue): Likewise.
816 * svalue.h: Replace include of "analyzer/complexity.h" with
817 "analyzer/symbol.h".
818 (class svalue): Make a subclass of symbol.
819 (svalue::get_complexity): Delete in favor of
820 symbol::get_complexity.
821 (svalue::svalue): Add symbol::id_t param. Update for new base
822 class.
823 (svalue::m_complexity): Delete in favor of
824 symbol::m_complexity.
825 (region_svalue::region_svalue): Add symbol::id_t param
826 (constant_svalue::constant_svalue): Likewise.
827 (unknown_svalue::unknown_svalue): Likewise.
828 (poisoned_svalue::poisoned_svalue): Likewise.
829 (setjmp_svalue::setjmp_svalue): Likewise.
830 (initial_svalue::initial_svalue): Likewise.
831 (unaryop_svalue::unaryop_svalue): Likewise.
832 (binop_svalue::binop_svalue): Likewise.
833 (sub_svalue::sub_svalue): Likewise.
834 (repeated_svalue::repeated_svalue): Likewise.
835 (bits_within_svalue::bits_within_svalue): Likewise.
836 (unmergeable_svalue::unmergeable_svalue): Likewise.
837 (placeholder_svalue::placeholder_svalue): Likewise.
838 (widening_svalue::widening_svalue): Likewise.
839 (compound_svalue::compound_svalue): Likewise.
840 (conjured_svalue::conjured_svalue): Likewise.
841 (asm_output_svalue::asm_output_svalue): Likewise.
842 (const_fn_result_svalue::const_fn_result_svalue): Likewise.
843 * symbol.cc: New file.
844 * symbol.h: New file.
845
2023-07-21 David Malcolm <dmalcolm@redhat.com>

	PR analyzer/110455
	* region-model.cc (region_model::get_gassign_result): Only check
	for bad shift counts when dealing with an integral type.

2023-07-21 David Malcolm <dmalcolm@redhat.com>

	PR analyzer/110433
	PR middle-end/110612
	* access-diagram.cc (class spatial_item): Add virtual dtor.

2023-07-21 David Malcolm <dmalcolm@redhat.com>

	PR analyzer/110387
	* region.h (struct cast_region::key_t): Support "m_type" being
	null by using "m_original_region" for empty/deleted slots.

2023-07-19 David Malcolm <dmalcolm@redhat.com>

	PR analyzer/110700
	* region-model-manager.cc
	(region_model_manager::get_or_create_int_cst): Assert that we have
	an integral or pointer type.
	* sm-taint.cc (taint_state_machine::check_for_tainted_divisor):
	Don't check non-integral types.

2023-06-29 benjamin priour <priour.be@gmail.com>

	PR analyzer/110198
	* region-model-manager.cc
	(region_model_manager::get_or_create_initial_value): Take an
	optional boolean value to bypass poisoning checks.
	* region-model-manager.h: Update declaration of the above function.
	* region-model.cc (region_model::get_store_value): No longer returns
	on OOB, but rather gives a boolean to get_or_create_initial_value.
	(region_model::check_region_access): Update docstring.
	(region_model::check_region_for_write): Update docstring.

2023-06-24 David Malcolm <dmalcolm@redhat.com>

	* access-diagram.cc: Add #define INCLUDE_VECTOR.
	* bounds-checking.cc: Likewise.

2023-06-22 David Malcolm <dmalcolm@redhat.com>

	PR analyzer/106626
	* access-diagram.cc: New file.
	* access-diagram.h: New file.
	* analyzer.h (class region_offset): Add default ctor.
	(region_offset::make_byte_offset): New decl.
	(region_offset::concrete_p): New.
	(region_offset::get_concrete_byte_offset): New.
	(region_offset::calc_symbolic_bit_offset): New decl.
	(region_offset::calc_symbolic_byte_offset): New decl.
	(region_offset::dump_to_pp): New decl.
	(region_offset::dump): New decl.
	(operator<, operator<=, operator>, operator>=): New decls for
	region_offset.
	* analyzer.opt
	(-param=analyzer-text-art-string-ellipsis-threshold=): New.
	(-param=analyzer-text-art-string-ellipsis-head-len=): New.
	(-param=analyzer-text-art-string-ellipsis-tail-len=): New.
	(-param=analyzer-text-art-ideal-canvas-width=): New.
	(fanalyzer-debug-text-art): New.
	* bounds-checking.cc: Include "intl.h", "diagnostic-diagram.h",
	and "analyzer/access-diagram.h".
	(class out_of_bounds::oob_region_creation_event_capacity): New.
	(out_of_bounds::out_of_bounds): Add "model" and "sval_hint"
	params.
	(out_of_bounds::mark_interesting_stuff): Use the base region.
	(out_of_bounds::add_region_creation_events): Use
	oob_region_creation_event_capacity.
	(out_of_bounds::get_dir): New pure vfunc.
	(out_of_bounds::maybe_show_notes): New.
	(out_of_bounds::maybe_show_diagram): New.
	(out_of_bounds::make_access_diagram): New.
	(out_of_bounds::m_model): New field.
	(out_of_bounds::m_sval_hint): New field.
	(out_of_bounds::m_region_creation_event_id): New field.
	(concrete_out_of_bounds::concrete_out_of_bounds): Update for new
	fields.
	(concrete_past_the_end::concrete_past_the_end): Likewise.
	(concrete_past_the_end::add_region_creation_events): Use
	oob_region_creation_event_capacity.
	(concrete_buffer_overflow::concrete_buffer_overflow): Update for
	new fields.
	(concrete_buffer_overflow::emit): Replace call to
	maybe_describe_array_bounds with maybe_show_notes.
	(concrete_buffer_overflow::get_dir): New.
	(concrete_buffer_over_read::concrete_buffer_over_read): Update for
	new fields.
	(concrete_buffer_over_read::emit): Replace call to
	maybe_describe_array_bounds with maybe_show_notes.
	(concrete_buffer_overflow::get_dir): New.
	(concrete_buffer_underwrite::concrete_buffer_underwrite): Update
	for new fields.
	(concrete_buffer_underwrite::emit): Replace call to
	maybe_describe_array_bounds with maybe_show_notes.
	(concrete_buffer_underwrite::get_dir): New.
	(concrete_buffer_under_read::concrete_buffer_under_read): Update
	for new fields.
	(concrete_buffer_under_read::emit): Replace call to
	maybe_describe_array_bounds with maybe_show_notes.
	(concrete_buffer_under_read::get_dir): New.
	(symbolic_past_the_end::symbolic_past_the_end): Update for new
	fields.
	(symbolic_buffer_overflow::symbolic_buffer_overflow): Likewise.
	(symbolic_buffer_overflow::emit): Call maybe_show_notes.
	(symbolic_buffer_overflow::get_dir): New.
	(symbolic_buffer_over_read::symbolic_buffer_over_read): Update for
	new fields.
	(symbolic_buffer_over_read::emit): Call maybe_show_notes.
	(symbolic_buffer_over_read::get_dir): New.
	(region_model::check_symbolic_bounds): Add "sval_hint" param. Pass
	it and sized_offset_reg to diagnostics.
	(region_model::check_region_bounds): Add "sval_hint" param, passing
	it to diagnostics.
	* diagnostic-manager.cc
	(diagnostic_manager::emit_saved_diagnostic): Pass logger to
	pending_diagnostic::emit.
	* engine.cc: Add logger param to pending_diagnostic::emit
	implementations.
	* infinite-recursion.cc: Likewise.
	* kf-analyzer.cc: Likewise.
	* kf.cc: Likewise. Add nullptr for new param of
	check_region_for_write.
	* pending-diagnostic.h: Likewise in decl.
	* region-model-manager.cc
	(region_model_manager::get_or_create_int_cst): Convert param from
	poly_int64 to const poly_wide_int_ref &.
	(region_model_manager::maybe_fold_binop): Support type being NULL
	when checking for floating-point types.
	Check for (X + Y) - X => Y. Be less strict about types when folding
	associative ops. Check for (X + Y) * CST => (X * CST) + (Y * CST).
	* region-model-manager.h
	(region_model_manager::get_or_create_int_cst): Convert param from
	poly_int64 to const poly_wide_int_ref &.
	* region-model.cc: Add logger param to pending_diagnostic::emit
	implementations.
	(region_model::check_external_function_for_access_attr): Update
	for new param of check_region_for_write.
	(region_model::deref_rvalue): Use nullptr rather than NULL.
	(region_model::get_capacity): Handle RK_STRING.
	(region_model::check_region_access): Add "sval_hint" param; pass it to
	check_region_bounds.
	(region_model::check_region_for_write): Add "sval_hint" param;
	pass it to check_region_access.
	(region_model::check_region_for_read): Add NULL for new param to
	check_region_access.
	(region_model::set_value): Pass rhs_sval to
	check_region_for_write.
	(region_model::get_representative_path_var_1): Handle SK_CONSTANT
	in the check for infinite recursion.
	* region-model.h (region_model::check_region_for_write): Add
	"sval_hint" param.
	(region_model::check_region_access): Likewise.
	(region_model::check_symbolic_bounds): Likewise.
	(region_model::check_region_bounds): Likewise.
	* region.cc (region_offset::make_byte_offset): New.
	(region_offset::calc_symbolic_bit_offset): New.
	(region_offset::calc_symbolic_byte_offset): New.
	(region_offset::dump_to_pp): New.
	(region_offset::dump): New.
	(struct linear_op): New.
	(operator<, operator<=, operator>, operator>=): New, for
	region_offset.
	(region::get_next_offset): New.
	(region::get_relative_symbolic_offset): Use ptrdiff_type_node.
	(field_region::get_relative_symbolic_offset): Likewise.
	(element_region::get_relative_symbolic_offset): Likewise.
	(bit_range_region::get_relative_symbolic_offset): Likewise.
	* region.h (region::get_next_offset): New decl.
	* sm-fd.cc: Add logger param to pending_diagnostic::emit
	implementations.
	* sm-file.cc: Likewise.
	* sm-malloc.cc: Likewise.
	* sm-pattern-test.cc: Likewise.
	* sm-sensitive.cc: Likewise.
	* sm-signal.cc: Likewise.
	* sm-taint.cc: Likewise.
	* store.cc (bit_range::contains_p): Allow "out" to be null.
	* store.h (byte_range::get_start_bit_offset): New.
	(byte_range::get_next_bit_offset): New.
	* varargs.cc: Add logger param to pending_diagnostic::emit
	implementations.

2023-06-10 Tim Lange <mail@tim-lange.me>

	PR analyzer/109577
	* constraint-manager.cc (class sval_finder): Visitor to find
	children in svalue trees.
	(constraint_manager::sval_constrained_p): Add new function to
	check whether a sval might be part of a constraint.
	* constraint-manager.h: Add sval_constrained_p function.
	* region-model.cc (class size_visitor): Reverse behavior to not
	emit a warning on not explicitly considered cases.
	(region_model::check_region_size): Adapt to size_visitor changes.

2023-06-09 David Malcolm <dmalcolm@redhat.com>

	PR analyzer/110112
	* region-model.cc (region_model::get_initial_value_for_global):
	Move code to region::calc_initial_value_at_main.
	* region.cc (region::get_initial_value_at_main): New function.
	(region::calc_initial_value_at_main): New function, based on code
	in region_model::get_initial_value_for_global.
	(region::region): Initialize m_cached_init_sval_at_main.
	(decl_region::get_svalue_for_constructor): Add a cache, splitting
	out body to...
	(decl_region::calc_svalue_for_constructor): ...this new function.
	* region.h (region::get_initial_value_at_main): New decl.
	(region::calc_initial_value_at_main): New decl.
	(region::m_cached_init_sval_at_main): New field.
	(decl_region::decl_region): Initialize m_ctor_svalue.
	(decl_region::calc_svalue_for_constructor): New decl.
	(decl_region::m_ctor_svalue): New field.

2023-06-08 Benjamin Priour <vultkayn@gcc.gnu.org>

	* bounds-checking.cc (region_model::check_symbolic_bounds): Returns
	whether the BASE_REG region access was OOB.
	(region_model::check_region_bounds): Likewise.
	* region-model.cc (region_model::get_store_value): Creates an
	unknown svalue on OOB-read access to REG.
	(region_model::check_region_access): Returns whether an unknown
	svalue needs to be created.
	(region_model::check_region_for_read): Passes check_region_access
	return value.
	* region-model.h: Update prior function definitions.

2023-06-02 David Malcolm <dmalcolm@redhat.com>

	PR analyzer/109015
	* kf.cc (class kf_atomic_exchange): New.
	(class kf_atomic_exchange_n): New.
	(class kf_atomic_fetch_op): New.
	(class kf_atomic_op_fetch): New.
	(class kf_atomic_load): New.
	(class kf_atomic_load_n): New.
	(class kf_atomic_store_n): New.
	(register_atomic_builtins): New function.
	(register_known_functions): Call register_atomic_builtins.

2023-06-02 David Malcolm <dmalcolm@redhat.com>

	* store.cc (store::eval_alias_1): Regions in different memory
	spaces can't alias.

2023-05-18 Bernhard Reutner-Fischer <aldot@gcc.gnu.org>

	* region-model-manager.cc (get_code_for_cast): Use _P defines from
	tree.h.
	(region_model_manager::get_or_create_cast): Ditto.
	(region_model_manager::get_region_for_global): Ditto.
	* region-model.cc (region_model::get_lvalue_1): Ditto.
	* region.cc (decl_region::maybe_get_constant_value): Ditto.

2023-03-22 David Malcolm <dmalcolm@redhat.com>

	PR analyzer/109239
	* program-point.cc: Include "analyzer/inlining-iterator.h".
	(program_point::effectively_intraprocedural_p): New function.
	* program-point.h (program_point::effectively_intraprocedural_p):
	New decl.
	* sm-malloc.cc (deref_before_check::emit): Use it when rejecting
	interprocedural cases, so that we reject interprocedural cases
	that have become intraprocedural due to inlining.

2023-03-18 David Malcolm <dmalcolm@redhat.com>

	PR analyzer/109094
	* region-model.cc (region_model::on_longjmp): Pass false for
	new "eval_return_svalue" param of pop_frame.
	(region_model::pop_frame): Add new "eval_return_svalue" param and
	use it to suppress the call to get_rvalue on the result when
	needed by on_longjmp.
	* region-model.h (region_model::pop_frame): Add new
	"eval_return_svalue" param.

2023-03-10 David Malcolm <dmalcolm@redhat.com>

	PR analyzer/109059
	* region-model.cc (region_model::mark_region_as_unknown): Gather a
	set of maybe-live svalues and call on_maybe_live_values with it.
	* store.cc (binding_map::remove_overlapping_bindings): Add new
	"maybe_live_values" param; add any removed svalues to it.
	(binding_cluster::clobber_region): Add NULL as new param of
	remove_overlapping_bindings.
	(binding_cluster::mark_region_as_unknown): Add "maybe_live_values"
	param and pass it to remove_overlapping_bindings.
	(binding_cluster::maybe_get_compound_binding): Add NULL for new
	param of binding_map::remove_overlapping_bindings.
	(binding_cluster::remove_overlapping_bindings): Add
	"maybe_live_values" param and pass to
	binding_map::remove_overlapping_bindings.
	(store::set_value): Capture a set of maybe-live svalues, and call
	on_maybe_live_values with it.
	(store::on_maybe_live_values): New.
	(store::mark_region_as_unknown): Add "maybe_live_values" param
	and pass it to binding_cluster::mark_region_as_unknown.
	(store::remove_overlapping_bindings): Pass NULL for new param of
	binding_cluster::remove_overlapping_bindings.
	* store.h (binding_map::remove_overlapping_bindings): Add
	"maybe_live_values" param.
	(binding_cluster::mark_region_as_unknown): Likewise.
	(binding_cluster::remove_overlapping_bindings): Likewise.
	(store::mark_region_as_unknown): Likewise.
	(store::on_maybe_live_values): New decl.

2023-03-10 David Malcolm <dmalcolm@redhat.com>

	PR analyzer/108475
	PR analyzer/109060
	* sm-malloc.cc (deref_before_check::deref_before_check):
	Initialize new field m_deref_expr. Assert that arg is non-NULL.
	(deref_before_check::emit): Reject cases where the spelling of the
	thing that was dereferenced differs from that of what is checked,
	or if the dereference expression was not found. Remove code to
	handle NULL m_arg.
	(deref_before_check::describe_state_change): Remove code to handle
	NULL m_arg.
	(deref_before_check::describe_final_event): Likewise.
	(deref_before_check::sufficiently_similar_p): New.
	(deref_before_check::m_deref_expr): New field.
	(malloc_state_machine::maybe_complain_about_deref_before_check):
	Don't warn if the diag_ptr is NULL.

2023-03-03 David Malcolm <dmalcolm@redhat.com>

	* kf.cc (class kf_sprintf): New.
	(register_known_functions): Register it.

2023-03-02 David Malcolm <dmalcolm@redhat.com>

	PR analyzer/108968
	* region-model.cc (region_model::get_rvalue_1): Handle VAR_DECLs
	with a DECL_HARD_REGISTER by returning UNKNOWN.

2023-03-02 Hans-Peter Nilsson <hp@axis.com>

	* kf.cc (register_known_functions): Add __errno function for newlib.

2023-03-01 David Malcolm <dmalcolm@redhat.com>

	PR analyzer/107565
	* region-model.cc (region_model::on_call_pre): Flatten logic by
	returning early. Consolidate logic for detecting const and pure
	functions. When considering whether an unhandled built-in
	function has side-effects, consider all kinds of builtin, rather
	than just BUILT_IN_NORMAL, and don't require
	gimple_builtin_call_types_compatible_p.

2023-03-01 David Malcolm <dmalcolm@redhat.com>

	PR analyzer/108935
	* infinite-recursion.cc (contains_unknown_p): New.
	(sufficiently_different_region_binding_p): New function, splitting
	out inner loop from...
	(sufficiently_different_p): ...here. Extend detection of unknown
	svalues to also include svalues that contain unknown. Treat
	changes in frames below the entry to the recursion as being
	sufficiently different to reject being an infinite recursion.

2023-02-21 David Malcolm <dmalcolm@redhat.com>

	PR analyzer/108830
	* analyzer.opt (fanalyzer-suppress-followups): New option.
	* engine.cc (impl_region_model_context::warn): Terminate the path
	if the diagnostic's terminate_path_p vfunc returns true and
	-fanalyzer-suppress-followups is true (the default).
	(impl_sm_context::warn): Likewise, for both overloads.
	* pending-diagnostic.h (pending_diagnostic::terminate_path_p): New
	vfunc.
	* program-state.cc (program_state::on_edge): Terminate the path if
	the ctxt requests it during updating the edge.
	* region-model.cc (poisoned_value_diagnostic::terminate_path_p):
	New vfunc.
	* sm-malloc.cc (null_deref::terminate_path_p): New vfunc.
	(null_arg::terminate_path_p): New vfunc.

2023-02-16 David Malcolm <dmalcolm@redhat.com>

	PR analyzer/108806
	* constraint-manager.cc (bounded_range::dump_to_pp): Use
	bounded_range::singleton_p.
	(constraint_manager::add_bounded_ranges): Handle singleton ranges
	by adding an EQ_EXPR constraint.
	(constraint_manager::impossible_derived_conditions_p): New.
	(constraint_manager::eval_condition): Reject EQ_EXPR when it would
	imply impossible derived conditions.
	(selftest::test_bits): New.
	(selftest::run_constraint_manager_tests): Run it.
	* constraint-manager.h (bounded_range::singleton_p): New.
	(constraint_manager::impossible_derived_conditions_p): New decl.
	* region-model.cc (region_model::get_rvalue_1): Handle
	BIT_AND_EXPR, BIT_IOR_EXPR, and BIT_XOR_EXPR.

2023-02-15 David Malcolm <dmalcolm@redhat.com>

	PR analyzer/108664
	PR analyzer/108666
	PR analyzer/108725
	* diagnostic-manager.cc (epath_finder::get_best_epath): Add
	"target_stmt" param.
	(epath_finder::explore_feasible_paths): Likewise.
	(epath_finder::process_worklist_item): Likewise.
	(saved_diagnostic::calc_best_epath): Pass m_stmt to
	epath_finder::get_best_epath.
	* engine.cc (feasibility_state::maybe_update_for_edge): Move
	per-stmt logic to...
	(feasibility_state::update_for_stmt): ...this new function.
	* exploded-graph.h (feasibility_state::update_for_stmt): New decl.
	* feasible-graph.cc (feasible_node::get_state_at_stmt): New.
	* feasible-graph.h: Include "analyzer/exploded-graph.h".
	(feasible_node::get_state_at_stmt): New decl.
	* infinite-recursion.cc
	(infinite_recursion_diagnostic::check_valid_fpath_p): Update for
	vfunc signature change.
	* pending-diagnostic.h (pending_diagnostic::check_valid_fpath_p):
	Convert first param to a reference. Add stmt param.
	* region-model.cc: Include "analyzer/feasible-graph.h".
	(poisoned_value_diagnostic::poisoned_value_diagnostic): Add
	"check_expr" param.
	(poisoned_value_diagnostic::check_valid_fpath_p): New.
	(poisoned_value_diagnostic::m_check_expr): New field.
	(region_model::check_for_poison): Attempt to supply a check_expr
	to the diagnostic.
	(region_model::deref_rvalue): Add NULL for new check_expr param
	of poisoned_value_diagnostic.
	(region_model::get_or_create_region_for_heap_alloc): Don't reuse
	regions that are marked as TOUCHED.

2023-02-10 David Malcolm <dmalcolm@redhat.com>

	PR analyzer/108745
	* sm-malloc.cc (deref_before_check::emit): Reject the warning if
	the check occurs within a macro definition.

2023-02-09 David Malcolm <dmalcolm@redhat.com>

	PR analyzer/108733
	* state-purge.cc (get_candidate_for_purging): Add ADDR_EXPR
	and MEM_REF.

2023-02-08 David Malcolm <dmalcolm@redhat.com>

	PR analyzer/108704
	* state-purge.cc (state_purge_per_decl::process_point_backwards):
	Don't stop processing the decl if it's fully overwritten by
	this stmt if it's also used by this stmt.

2023-02-07 David Malcolm <dmalcolm@redhat.com>

	PR analyzer/108661
	* sm-fd.cc (class kf_read): New.
	(register_known_fd_functions): Register "read".
	* sm-file.cc (class kf_fread): Update comment.

2023-02-02 David Malcolm <dmalcolm@redhat.com>

	PR analyzer/108633
	* sm-fd.cc (fd_state_machine::check_for_fd_attrs): Add missing
	"continue".
	(fd_state_machine::on_listen): Don't issue phase-mismatch or
	type-mismatch warnings for the "invalid" state.

2023-02-01 David Malcolm <dmalcolm@redhat.com>

	PR analyzer/108616
	* pending-diagnostic.cc (fixup_location_in_macro_p): Add "alloca"
	to macros that we shouldn't unwind inside.

2023-01-26 David Malcolm <dmalcolm@redhat.com>

	PR analyzer/108524
	* analyzer.h (class feasible_node): New forward decl.
	* diagnostic-manager.cc (epath_finder::get_best_epath): Add "pd"
	param.
	(epath_finder::explore_feasible_paths): Likewise.
	(epath_finder::process_worklist_item): Likewise. Use it to call
	pending_diagnostic::check_valid_fpath_p on the final fpath to
	give pending_diagnostic a way to add additional restrictions on
	feasibility.
	(saved_diagnostic::calc_best_epath): Pass pending_diagnostic to
	epath_finder::get_best_epath.
	* infinite-recursion.cc: Include "analyzer/feasible-graph.h".
	(infinite_recursion_diagnostic::check_valid_fpath_p): New.
	(infinite_recursion_diagnostic::fedge_uses_conjured_svalue_p): New.
	(infinite_recursion_diagnostic::expr_uses_conjured_svalue_p): New.
	* pending-diagnostic.h (pending_diagnostic::check_valid_fpath_p):
	New vfunc.

2023-01-19 David Malcolm <dmalcolm@redhat.com>

	PR analyzer/108455
	* analyzer.h (class checker_event): New forward decl.
	(class state_change_event): Indent.
	(class warning_event): New forward decl.
	* checker-event.cc (state_change_event::state_change_event): Add
	"enode" param.
	(warning_event::get_desc): Update for new param of
	evdesc::final_event ctor.
	* checker-event.h (state_change_event::state_change_event): Add
	"enode" param.
	(state_change_event::get_exploded_node): New accessor.
	(state_change_event::m_enode): New field.
	(warning_event::warning_event): New "enode" param.
	(warning_event::get_exploded_node): New accessor.
	(warning_event::m_enode): New field.
	* diagnostic-manager.cc
	(state_change_event_creator::on_global_state_change): Pass
	src_node to state_change_event ctor.
	(state_change_event_creator::on_state_change): Likewise.
	(null_assignment_sm_context::set_next_state): Pass NULL for
	new param of state_change_event ctor.
	* infinite-recursion.cc
	(infinite_recursion_diagnostic::add_final_event): Update for new
	param of warning_event ctor.
	* pending-diagnostic.cc (pending_diagnostic::add_final_event):
	Pass enode to warning_event ctor.
	* pending-diagnostic.h (evdesc::final_event): Add reference to
	warning_event.
	* sm-malloc.cc: Include "analyzer/checker-event.h" and
	"analyzer/exploded-graph.h".
	(deref_before_check::deref_before_check): Initialize new fields.
	(deref_before_check::emit): Reject warnings in which we were
	unable to determine the enodes of the dereference and the check.
	Reject interprocedural warnings. Reject warnings in which
	the dereference doesn't dominate the check.
	(deref_before_check::describe_state_change): Set m_deref_enode.
	(deref_before_check::describe_final_event): Set m_check_enode.
	(deref_before_check::m_deref_enode): New field.
	(deref_before_check::m_check_enode): New field.

2023-01-13 David Malcolm <dmalcolm@redhat.com>

	PR analyzer/105273
	* region-model.cc (has_nondefault_case_for_value_p): New.
	(has_nondefault_cases_for_all_enum_values_p): New.
	(region_model::apply_constraints_for_gswitch): Skip
	implicitly-created "default" when switching on an enum
	and all enum values have non-default cases.
	(rejected_default_case::dump_to_pp): New.
	* region-model.h (region_model_context::possibly_tainted_p): New
	decl.
	(class rejected_default_case): New.
	* sm-taint.cc (region_model_context::possibly_tainted_p): New.
	* supergraph.cc (switch_cfg_superedge::dump_label_to_pp): Dump
	when implicitly_created_default_p.
	(switch_cfg_superedge::implicitly_created_default_p): New.
	* supergraph.h
	(switch_cfg_superedge::implicitly_created_default_p): New decl.

2023-01-11 David Malcolm <dmalcolm@redhat.com>

	PR analyzer/108252
	* kf.cc (class kf_strdup): New.
	(class kf_strndup): New.
	(register_known_functions): Register them.
	* region-model.cc (region_model::on_call_pre): Use
	&HEAP_ALLOCATED_REGION for the default result of an external
	function with the "malloc" attribute, rather than CONJURED_SVALUE.
	(region_model::get_or_create_region_for_heap_alloc): Allow
	"size_in_bytes" to be NULL.
	* store.cc (store::set_value): When handling *UNKNOWN = VAL,
	mark VAL as "maybe bound".

2022-12-16 David Malcolm <dmalcolm@redhat.com>

	PR analyzer/106479
	* kf.cc (kf_memcpy_memmove::impl_call_pre): Pass in source region
	to region_model::check_for_poison.
	* region-model-asm.cc (region_model::on_asm_stmt): Pass NULL
	region to region_model::check_for_poison.
	* region-model.cc (region_model::check_for_poison): Add
	"src_region" param, and pass it to poisoned_value_diagnostic.
	(region_model::on_assignment): Pass NULL region to
	region_model::check_for_poison.
	(region_model::get_rvalue): Likewise.
	* region-model.h (region_model::check_for_poison): Add
	"src_region" param.
	* sm-fd.cc (fd_state_machine::on_accept): Pass in source region
	to region_model::check_for_poison.
	* varargs.cc (kf_va_copy::impl_call_pre): Pass NULL region to
	region_model::check_for_poison.
	(kf_va_arg::impl_call_pre): Pass in source region to
	region_model::check_for_poison.

2022-12-14  David Malcolm  <dmalcolm@redhat.com>

	PR analyzer/108065
	* region.cc (decl_region::get_svalue_for_initializer): Bail out to
	avoid calling binding_key::make with an empty region.
	* store.cc (binding_map::apply_ctor_val_to_range): Likewise.
	(binding_map::apply_ctor_pair_to_child_region): Likewise.
	(binding_cluster::bind): Likewise.
	(binding_cluster::purge_region): Likewise.
	(binding_cluster::maybe_get_compound_binding): Likewise.
	(binding_cluster::maybe_get_simple_value): Likewise.

2022-12-09  David Malcolm  <dmalcolm@redhat.com>

	* analyzer.h (class known_function): Expand comment.
	* region-model-impl-calls.cc: Rename to...
	* kf.cc: ...this.
	* known-function-manager.h (class known_function_manager): Add
	leading comment.

2022-12-09  David Malcolm  <dmalcolm@redhat.com>

	PR analyzer/108003
	* call-summary.cc
	(call_summary_replay::convert_region_from_summary_1): Convert
	heap_regs_in_use from auto_sbitmap to auto_bitmap.
	* region-model-manager.cc
	(region_model_manager::get_or_create_region_for_heap_alloc):
	Convert from sbitmap to bitmap.
	* region-model-manager.h: Likewise.
	* region-model.cc
	(region_model::get_or_create_region_for_heap_alloc): Convert from
	auto_sbitmap to auto_bitmap.
	(region_model::get_referenced_base_regions): Likewise.
	* region-model.h: Include "bitmap.h" rather than "sbitmap.h".
	(region_model::get_referenced_base_regions): Convert from
	auto_sbitmap to auto_bitmap.

2022-12-09  David Malcolm  <dmalcolm@redhat.com>

	* region-model-impl-calls.cc (class kf_memcpy): Rename to...
	(class kf_memcpy_memmove): ...this.
	(kf_memcpy::impl_call_pre): Rename to...
	(kf_memcpy_memmove::impl_call_pre): ...this, and check the src for
	poison.
	(register_known_functions): Update for above renaming, and
	register BUILT_IN_MEMMOVE and BUILT_IN_MEMMOVE_CHK.

2022-12-06  David Malcolm  <dmalcolm@redhat.com>

	PR analyzer/107882
	* region-model.cc (region_model::get_store_value): Return an
	unknown value for empty regions.
	(region_model::set_value): Bail on empty regions.
	* region.cc (region::empty_p): New.
	* region.h (region::empty_p): New decl.
	* state-purge.cc (same_binding_p): Bail if either region is empty.
	* store.cc (binding_key::make): Assert that a concrete binding's
	bit_size must be > 0.
	(binding_cluster::mark_region_as_unknown): Bail on empty regions.
	(binding_cluster::get_binding): Likewise.
	(binding_cluster::remove_overlapping_bindings): Likewise.
	(binding_cluster::on_unknown_fncall): Don't conjure values for
	empty regions.
	(store::fill_region): Bail on empty regions.
	* store.h (class concrete_binding): Update comment to reflect that
	the range of bits must be non-empty.
	(concrete_binding::concrete_binding): Assert that bit range is
	non-empty.

2022-12-06  David Malcolm  <dmalcolm@redhat.com>

	PR analyzer/106325
	* region-model-manager.cc
	(region_model_manager::get_or_create_null_ptr): New.
	* region-model-manager.h
	(region_model_manager::get_or_create_null_ptr): New decl.
	* region-model.cc (region_model::on_top_level_param): Add
	"nonnull" param and make use of it.
	(region_model::push_frame): When handling a top-level entrypoint
	to the analysis, determine which params __attribute__((nonnull))
	applies to, and pass to on_top_level_param.
	* region-model.h (region_model::on_top_level_param): Add "nonnull"
	param.

2022-12-06  David Malcolm  <dmalcolm@redhat.com>

	* analyzer.h (register_known_analyzer_functions): New decl.
	(register_known_functions_lang_cp): New decl.
	* call-details.cc: New file, split out from
	region-model-impl-calls.cc.
	* call-details.h: New file, split out from region-model.h.
	* call-info.cc: Include "analyzer/call-details.h".
	* call-summary.h: Likewise.
	* kf-analyzer.cc: New file, split out from
	region-model-impl-calls.cc.
	* kf-lang-cp.cc: Likewise.
	* known-function-manager.cc: Include "analyzer/call-details.h".
	* region-model-impl-calls.cc: Move definitions of call_details's
	member functions to call-details.cc.  Move class kf_analyzer_* to
	kf-analyzer.cc.  Move kf_operator_new and kf_operator_delete to
	kf-lang-cp.cc.  Refresh #includes accordingly.
	(register_known_functions): Replace registration of __analyzer_*
	functions with a call to register_known_analyzer_functions.
	Replace registration of C++ support functions with a call to
	register_known_functions_lang_cp.
	* region-model.h (class call_details): Move to new call-details.h.
	* sm-fd.cc: Include "analyzer/call-details.h".
	* sm-file.cc: Likewise.
	* sm-malloc.cc: Likewise.
	* varargs.cc: Likewise.

2022-12-02  David Malcolm  <dmalcolm@redhat.com>

	* analyzer.h (struct event_loc_info): New forward decl.
	* bounds-checking.cc: Use event_loc_info throughout to bundle the
	loc, fndecl, depth triples.
	* call-info.cc: Likewise.
	* checker-event.cc: Likewise.
	* checker-event.h (struct event_loc_info): New decl.  Use it
	throughout to bundle the loc, fndecl, depth triples.
	* checker-path.cc: Likewise.
	* checker-path.h: Likewise.
	* diagnostic-manager.cc: Likewise.
	* engine.cc: Likewise.
	* infinite-recursion.cc: Likewise.
	* pending-diagnostic.cc: Likewise.
	* pending-diagnostic.h: Likewise.
	* region-model.cc: Likewise.
	* sm-signal.cc: Likewise.
	* varargs.cc: Likewise.

2022-12-02  David Malcolm  <dmalcolm@redhat.com>

	PR analyzer/107851
	* analyzer.cc (make_label_text_n): Convert param "n" from int to
	unsigned HOST_WIDE_INT.
	* analyzer.h (make_label_text_n): Likewise for decl.
	* bounds-checking.cc: Include "analyzer/checker-event.h" and
	"analyzer/checker-path.h".
	(out_of_bounds::add_region_creation_events): New.
	(concrete_past_the_end::describe_region_creation_event): Replace
	with...
	(concrete_past_the_end::add_region_creation_events): ...this.
	(symbolic_past_the_end::describe_region_creation_event): Delete.
	* checker-event.cc (region_creation_event::region_creation_event):
	Update for dropping all member data.
	(region_creation_event::get_desc): Delete, splitting out into
	region_creation_event_memory_space::get_desc,
	region_creation_event_capacity::get_desc, and
	region_creation_event_debug::get_desc.
	(region_creation_event_memory_space::get_desc): New.
	(region_creation_event_capacity::get_desc): New.
	(region_creation_event_allocation_size::get_desc): New.
	(region_creation_event_debug::get_desc): New.
	* checker-event.h: Include "analyzer/program-state.h".
	(enum rce_kind): Delete.
	(class region_creation_event): Drop all member data.
	(region_creation_event::region_creation_event): Make protected.
	(region_creation_event::get_desc): Delete.
	(class region_creation_event_memory_space): New.
	(class region_creation_event_capacity): New.
	(class region_creation_event_allocation_size): New.
	(class region_creation_event_debug): New.
	* checker-path.cc (checker_path::add_region_creation_events): Add
	"pd" param.  Call pending_diagnostic::add_region_creation_events.
	Update for conversion of RCE_DEBUG to region_creation_event_debug.
	* checker-path.h (checker_path::add_region_creation_events): Add
	"pd" param.
	* diagnostic-manager.cc (diagnostic_manager::build_emission_path):
	Pass pending_diagnostic to
	emission_path::add_region_creation_events.
	(diagnostic_manager::build_emission_path): Pass path_builder to
	add_event_on_final_node.
	(diagnostic_manager::add_event_on_final_node): Add "pb" param.
	Pass pending_diagnostic to
	emission_path::add_region_creation_events.
	(diagnostic_manager::add_events_for_eedge): Pass
	pending_diagnostic to emission_path::add_region_creation_events.
	* diagnostic-manager.h
	(diagnostic_manager::add_event_on_final_node): Add "pb" param.
	* pending-diagnostic.cc
	(pending_diagnostic::add_region_creation_events): New.
	* pending-diagnostic.h (struct region_creation): Delete.
	(pending_diagnostic::describe_region_creation_event): Delete.
	(pending_diagnostic::add_region_creation_events): New vfunc.
	* region-model.cc: Include "analyzer/checker-event.h" and
	"analyzer/checker-path.h".
	(dubious_allocation_size::dubious_allocation_size): Initialize
	m_has_allocation_event.
	(dubious_allocation_size::describe_region_creation_event): Delete.
	(dubious_allocation_size::describe_final_event): Update for
	replacement of m_allocation_event with m_has_allocation_event.
	(dubious_allocation_size::add_region_creation_events): New.
	(dubious_allocation_size::m_allocation_event): Replace with...
	(dubious_allocation_size::m_has_allocation_event): ...this.

2022-12-02  David Malcolm  <dmalcolm@redhat.com>

	PR analyzer/107948
	* region-model-manager.cc
	(region_model_manager::maybe_fold_binop): Fold (0 - VAL) to -VAL.
	* region-model.cc (region_model::eval_condition): Handle e.g.
	"-X <= 0" as equivalent to "X >= 0".

2022-12-01  David Malcolm  <dmalcolm@redhat.com>

	PR analyzer/106626
	* bounds-checking.cc
	(symbolic_past_the_end::describe_final_event): Delete, moving to
	symbolic_buffer_overflow::describe_final_event and
	symbolic_buffer_over_read::describe_final_event, eliminating
	composition of text strings via "byte_str" and "m_dir_str".
	(symbolic_past_the_end::m_dir_str): Delete field.
	(symbolic_buffer_overflow::symbolic_buffer_overflow): Drop
	m_dir_str.
	(symbolic_buffer_overflow::describe_final_event): New, as noted
	above.
	(symbolic_buffer_over_read::symbolic_buffer_overflow): Drop
	m_dir_str.
	(symbolic_buffer_over_read::describe_final_event): New, as noted
	above.

2022-12-01  David Malcolm  <dmalcolm@redhat.com>

	* bounds-checking.cc (class out_of_bounds): Split out from...
	(class concrete_out_of_bounds): New abstract subclass.
	(class past_the_end): Rename to...
	(class concrete_past_the_end): ...this, and make a subclass of
	concrete_out_of_bounds.
	(class buffer_overflow): Rename to...
	(class concrete_buffer_overflow): ...this, and make a subclass of
	concrete_past_the_end.
	(class buffer_over_read): Rename to...
	(class concrete_buffer_over_read): ...this, and make a subclass of
	concrete_past_the_end.
	(class buffer_underwrite): Rename to...
	(class concrete_buffer_underwrite): ...this, and make a subclass
	of concrete_out_of_bounds.
	(class buffer_under_read): Rename to...
	(class concrete_buffer_under_read): ...this, and make a subclass
	of concrete_out_of_bounds.
	(class symbolic_past_the_end): Convert to a subclass of
	out_of_bounds.
	(symbolic_buffer_overflow::get_kind): New.
	(symbolic_buffer_over_read::get_kind): New.
	(region_model::check_region_bounds): Update for renamings.
	* engine.cc (impl_sm_context::set_next_state): Eliminate
	"new_ctxt", passing NULL to get_rvalue instead.
	(impl_sm_context::warn): Likewise.

2022-12-01  David Malcolm  <dmalcolm@redhat.com>

	PR analyzer/106626
	* bounds-checking.cc (out_of_bounds::get_memory_space): New.
	(buffer_overflow::emit): Use it.
	(class buffer_overread): Rename to...
	(class buffer_over_read): ...this.
	(buffer_over_read::emit): Specify which memory space the read is
	from, where known.  Change "overread" to "over-read".
	(class buffer_underflow): Rename to...
	(class buffer_underwrite): ...this.
	(buffer_underwrite::emit): Specify which memory space the write is
	to, where known.  Change "underflow" to "underwrite".
	(class buffer_underread): Rename to...
	(class buffer_under_read): ...this.
	(buffer_under_read::emit): Specify which memory space the read is
	from, where known.  Change "underread" to "under-read".
	(symbolic_past_the_end::get_memory_space): New.
	(symbolic_buffer_overflow::emit): Use it.
	(class symbolic_buffer_overread): Rename to...
	(class symbolic_buffer_over_read): ...this.
	(symbolic_buffer_over_read::emit): Specify which memory space the
	read is from, where known.  Change "overread" to "over-read".
	(region_model::check_symbolic_bounds): Update for class renaming.
	(region_model::check_region_bounds): Likewise.

2022-12-01  David Malcolm  <dmalcolm@redhat.com>

	PR analyzer/106626
	* bounds-checking.cc (out_of_bounds::maybe_describe_array_bounds):
	New.
	(buffer_overflow::emit): Call maybe_describe_array_bounds.
	(buffer_overread::emit): Likewise.
	(buffer_underflow::emit): Likewise.
	(buffer_underread::emit): Likewise.

2022-12-01  David Malcolm  <dmalcolm@redhat.com>

	PR analyzer/106626
	* bounds-checking.cc (buffer_overflow::emit): Use inform_n.
	Update wording to clarify that we're talking about the size of
	the bad access, rather than its position.
	(buffer_overread::emit): Likewise.

2022-12-01  David Malcolm  <dmalcolm@redhat.com>

	* bounds-checking.cc: New file, taken from region-model.cc.
	* region-model.cc (class out_of_bounds): Move to
	bounds-checking.cc.
	(class past_the_end): Likewise.
	(class buffer_overflow): Likewise.
	(class buffer_overread): Likewise.
	(class buffer_underflow): Likewise.
	(class buffer_underread): Likewise.
	(class symbolic_past_the_end): Likewise.
	(class symbolic_buffer_overflow): Likewise.
	(class symbolic_buffer_overread): Likewise.
	(region_model::check_symbolic_bounds): Likewise.
	(maybe_get_integer_cst_tree): Likewise.
	(region_model::check_region_bounds): Likewise.
	* region-model.h: Add comment.

2022-12-01  David Malcolm  <dmalcolm@redhat.com>

	PR analyzer/107928
	* sm-fd.cc (fd_state_machine::on_bind): Handle m_constant_fd in
	the "success" outcome.
	(fd_state_machine::on_connect): Likewise.
	* sm-fd.dot: Add "constant_fd" state and its transitions.

2022-11-30  David Malcolm  <dmalcolm@redhat.com>

	* region-model-impl-calls.cc (class kf_fgets): Move to sm-file.cc.
	(kf_fgets::impl_call_pre): Likewise.
	(class kf_fread): Likewise.
	(kf_fread::impl_call_pre): Likewise.
	(class kf_getchar): Likewise.
	(class kf_stdio_output_fn): Likewise.
	(register_known_functions): Move registration of
	BUILT_IN_FPRINTF, BUILT_IN_FPRINTF_UNLOCKED, BUILT_IN_FPUTC,
	BUILT_IN_FPUTC_UNLOCKED, BUILT_IN_FPUTS, BUILT_IN_FPUTS_UNLOCKED,
	BUILT_IN_FWRITE, BUILT_IN_FWRITE_UNLOCKED, BUILT_IN_PRINTF,
	BUILT_IN_PRINTF_UNLOCKED, BUILT_IN_PUTC, BUILT_IN_PUTCHAR,
	BUILT_IN_PUTCHAR_UNLOCKED, BUILT_IN_PUTC_UNLOCKED, BUILT_IN_PUTS,
	BUILT_IN_PUTS_UNLOCKED, BUILT_IN_VFPRINTF, BUILT_IN_VPRINTF,
	"getchar", "fgets", "fgets_unlocked", and "fread" to
	register_known_file_functions.
	* sm-file.cc (class kf_stdio_output_fn): Move here from
	region-model-impl-calls.cc.
	(class kf_fgets): Likewise.
	(class kf_fread): Likewise.
	(class kf_getchar): Likewise.
	(register_known_file_functions): Move registration of
	BUILT_IN_FPRINTF, BUILT_IN_FPRINTF_UNLOCKED, BUILT_IN_FPUTC,
	BUILT_IN_FPUTC_UNLOCKED, BUILT_IN_FPUTS, BUILT_IN_FPUTS_UNLOCKED,
	BUILT_IN_FWRITE, BUILT_IN_FWRITE_UNLOCKED, BUILT_IN_PRINTF,
	BUILT_IN_PRINTF_UNLOCKED, BUILT_IN_PUTC, BUILT_IN_PUTCHAR,
	BUILT_IN_PUTCHAR_UNLOCKED, BUILT_IN_PUTC_UNLOCKED, BUILT_IN_PUTS,
	BUILT_IN_PUTS_UNLOCKED, BUILT_IN_VFPRINTF, BUILT_IN_VPRINTF,
	"fgets", "fgets_unlocked", "fread", and "getchar" to here from
	register_known_functions.

2022-11-30  David Malcolm  <dmalcolm@redhat.com>

	PR analyzer/103546
	* analyzer.h (register_known_file_functions): New decl.
	* program-state.cc (sm_state_map::replay_call_summary): Reject
	attempts to store sm-state for caller_sval that can't have
	associated state.
	* region-model-impl-calls.cc (register_known_functions): Call
	register_known_file_functions.
	* sm-fd.cc (class kf_isatty): New.
	(register_known_fd_functions): Register it.
	* sm-file.cc (class kf_ferror): New.
	(class kf_fileno): New.
	(class kf_getc): New.
	(register_known_file_functions): New.

2022-11-30  David Malcolm  <dmalcolm@redhat.com>

	PR analyzer/105784
	* region-model-manager.cc
	(region_model_manager::maybe_fold_binop): For POINTER_PLUS_EXPR,
	PLUS_EXPR and MINUS_EXPR, eliminate requirement that the final
	type matches that of arg0 in favor of a cast.

2022-11-24  Martin Liska  <mliska@suse.cz>

	* varargs.cc: Fix Clang warnings.

2022-11-24  David Malcolm  <dmalcolm@redhat.com>

	PR analyzer/106473
	* call-summary.cc
	(call_summary_replay::convert_region_from_summary_1): Update for
	change to creation of heap-allocated regions.
	* program-state.cc (test_program_state_1): Likewise.
	(test_program_state_merging): Likewise.
	* region-model-impl-calls.cc (kf_calloc::impl_call_pre): Likewise.
	(kf_malloc::impl_call_pre): Likewise.
	(kf_operator_new::impl_call_pre): Likewise.
	(kf_realloc::impl_call_postsuccess_with_move::update_model): Likewise.
	* region-model-manager.cc
	(region_model_manager::create_region_for_heap_alloc): Convert
	to...
	(region_model_manager::get_or_create_region_for_heap_alloc):
	...this, reusing an existing region if it's unreferenced in the
	client state.
	* region-model-manager.h (region_model_manager::get_num_regions): New.
	(region_model_manager::create_region_for_heap_alloc): Convert to...
	(region_model_manager::get_or_create_region_for_heap_alloc): ...this.
	* region-model.cc (region_to_value_map::can_merge_with_p): Reject
	merger when the values are different.
	(region_model::create_region_for_heap_alloc): Convert to...
	(region_model::get_or_create_region_for_heap_alloc): ...this.
	(region_model::get_referenced_base_regions): New.
	(selftest::test_state_merging): Update for change to creation of
	heap-allocated regions.
	(selftest::test_malloc_constraints): Likewise.
	(selftest::test_malloc): Likewise.
	* region-model.h: Include "sbitmap.h".
	(region_model::create_region_for_heap_alloc): Convert to...
	(region_model::get_or_create_region_for_heap_alloc): ...this.
	(region_model::get_referenced_base_regions): New decl.
	* store.cc (store::canonicalize): Don't purge a heap-allocated region
	that's been marked as escaping.

2022-11-24  David Malcolm  <dmalcolm@redhat.com>

	* checker-path.cc (checker_path::inject_any_inlined_call_events):
	Don't dump the address of the block when -fdump-noaddr.

2022-11-24  David Malcolm  <dmalcolm@redhat.com>

	* region-model.h (region_model::on_socket): Delete decl.
	(region_model::on_bind): Likewise.
	(region_model::on_listen): Likewise.
	(region_model::on_accept): Likewise.
	(region_model::on_connect): Likewise.
	* sm-fd.cc (kf_socket::outcome_of_socket::update_model): Move body
	of region_model::on_socket into here, ...
	(region_model::on_socket): ...eliminating this function.
	(kf_bind::outcome_of_bind::update_model): Likewise for on_bind...
	(region_model::on_bind): ...eliminating this function.
	(kf_listen::outcome_of_listen::update_model): Likewise for
	on_listen...
	(region_model::on_listen): ...eliminating this function.
	(kf_accept::outcome_of_accept::update_model): Likewise for
	on_accept...
	(region_model::on_accept): ...eliminating this function.
	(kf_connect::outcome_of_connect::update_model): Likewise for
	on_connect...
	(region_model::on_connect): ...eliminating this function.

2022-11-24  David Malcolm  <dmalcolm@redhat.com>

	* analyzer.h (register_known_fd_functions): New decl.
	* region-model-impl-calls.cc (class kf_accept): Move to sm-fd.cc.
	(class kf_bind): Likewise.
	(class kf_connect): Likewise.
	(class kf_listen): Likewise.
	(class kf_pipe): Likewise.
	(class kf_socket): Likewise.
	(register_known_functions): Remove registration of the above
	functions, instead calling register_known_fd_functions.
	* sm-fd.cc: Include "analyzer/call-info.h".
	(class kf_socket): Move here from region-model-impl-calls.cc.
	(class kf_bind): Likewise.
	(class kf_listen): Likewise.
	(class kf_accept): Likewise.
	(class kf_connect): Likewise.
	(class kf_pipe): Likewise.
	(register_known_fd_functions): New.

2022-11-22  David Malcolm  <dmalcolm@redhat.com>

	PR analyzer/107788
	* known-function-manager.cc (known_function_manager::get_match):
	Don't look up fndecls by name when they're not in the root
	namespace.

2022-11-22  David Malcolm  <dmalcolm@redhat.com>

	PR analyzer/107783
	* sm-fd.cc (fd_state_machine::check_for_new_socket_fd): Don't
	complain when old state is "fd-constant".
	(fd_state_machine::on_listen): Likewise.
	(fd_state_machine::on_accept): Likewise.

2022-11-22  David Malcolm  <dmalcolm@redhat.com>

	PR analyzer/107807
	* region-model-impl-calls.cc (register_known_functions): Register
	"___errno" and "__error" as synonyms for "__errno_location".

2022-11-22  David Malcolm  <dmalcolm@redhat.com>

	* analyzer.h (class internal_known_function): New.
	(register_varargs_builtins): New decl.
	* engine.cc (exploded_node::on_stmt_pre): Remove
	"out_terminate_path" param from call to region_model::on_stmt_pre.
	(feasibility_state::maybe_update_for_edge): Likewise.
	* known-function-manager.cc: Include "basic-block.h", "gimple.h",
	and "analyzer/region-model.h".
	(known_function_manager::known_function_manager): Initialize
	m_combined_fns_arr.
	(known_function_manager::~known_function_manager): Clean up
	m_combined_fns_arr.
	(known_function_manager::get_by_identifier): Make const.
	(known_function_manager::add): New overloaded definitions for
	enum built_in_function and enum internal_fn.
	(known_function_manager::get_by_fndecl): Delete.
	(known_function_manager::get_match): New.
	(known_function_manager::get_internal_fn): New.
	(known_function_manager::get_normal_builtin): New.
	* known-function-manager.h
	(known_function_manager::get_by_identifier): Make private and
	add const qualifier.
	(known_function_manager::get_by_fndecl): Delete.
	(known_function_manager::add): Add overloaded decls for
	enum built_in_function name and enum internal_fn.
	(known_function_manager::get_match): New decl.
	(known_function_manager::get_internal_fn): New decl.
	(known_function_manager::get_normal_builtin): New decl.
	(known_function_manager::m_combined_fns_arr): New field.
	* region-model-impl-calls.cc (call_details::arg_is_size_p): New.
	(class kf_alloca): New.
	(region_model::impl_call_alloca): Convert to...
	(kf_alloca::impl_call_pre): ...this.
	(kf_analyzer_dump_capacity::matches_call_types_p): Rewrite check
	to use call_details::arg_is_pointer_p.
	(region_model::impl_call_builtin_expect): Convert to...
	(class kf_expect): ...this.
	(class kf_calloc): New, adding check that both arguments are
	size_t.
	(region_model::impl_call_calloc): Convert to...
	(kf_calloc::impl_call_pre): ...this.
	(kf_connect::matches_call_types_p): Rewrite check to use
	call_details::arg_is_pointer_p.
	(region_model::impl_call_error): Convert to...
	(class kf_error): ...this, and...
	(kf_error::impl_call_pre): ...this.
	(class kf_fgets): New, adding checks that args 0 and 2 are
	pointers.
	(region_model::impl_call_fgets): Convert to...
	(kf_fgets::impl_call_pre): ...this.
	(class kf_fread): New, adding checks on the argument types.
	(region_model::impl_call_fread): Convert to...
	(kf_fread::impl_call_pre): ...this.
	(class kf_free): New, adding check that the argument is a pointer.
	(region_model::impl_call_free): Convert to...
	(kf_free::impl_call_post): ...this.
	(class kf_getchar): New.
	(class kf_malloc): New, adding check that the argument is a
	size_t.
	(region_model::impl_call_malloc): Convert to...
	(kf_malloc::impl_call_pre): ...this.
	(class kf_memcpy): New, adding checks on arguments.
	(region_model::impl_call_memcpy): Convert to...
	(kf_memcpy::impl_call_pre): ...this.
	(class kf_memset): New.
	(region_model::impl_call_memset): Convert to...
	(kf_memset::impl_call_pre): ...this.
	(kf_pipe::matches_call_types_p): Rewrite check to use
	call_details::arg_is_pointer_p.
	(kf_putenv::matches_call_types_p): Likewise.
	(class kf_realloc): New, adding checks on the argument types.
	(region_model::impl_call_realloc): Convert to...
	(kf_realloc::impl_call_post): ...this.
	(class kf_strchr): New.
	(region_model::impl_call_strchr): Convert to...
	(kf_strchr::impl_call_post): ...this.
	(class kf_stack_restore): New.
	(class kf_stack_save): New.
	(class kf_stdio_output_fn): New.
	(class kf_strcpy): New.
	(region_model::impl_call_strcpy): Convert to...
	(kf_strcpy::impl_call_pre): ...this.
	(class kf_strlen): New.
	(region_model::impl_call_strlen): Convert to...
	(kf_strlen::impl_call_pre): ...this.
	(class kf_ubsan_bounds): New.
	(region_model::impl_deallocation_call): Reimplement to avoid call
	to impl_call_free.
	(register_known_functions): Add handlers for IFN_BUILTIN_EXPECT
	and IFN_UBSAN_BOUNDS.  Add handlers for BUILT_IN_ALLOCA,
	BUILT_IN_ALLOCA_WITH_ALIGN, BUILT_IN_CALLOC, BUILT_IN_EXPECT,
	BUILT_IN_EXPECT_WITH_PROBABILITY, BUILT_IN_FPRINTF,
	BUILT_IN_FPRINTF_UNLOCKED, BUILT_IN_FPUTC,
	BUILT_IN_FPUTC_UNLOCKED, BUILT_IN_FPUTS, BUILT_IN_FPUTS_UNLOCKED,
	BUILT_IN_FREE, BUILT_IN_FWRITE, BUILT_IN_FWRITE_UNLOCKED,
	BUILT_IN_MALLOC, BUILT_IN_MEMCPY, BUILT_IN_MEMCPY_CHK,
	BUILT_IN_MEMSET, BUILT_IN_MEMSET_CHK, BUILT_IN_PRINTF,
	BUILT_IN_PRINTF_UNLOCKED, BUILT_IN_PUTC, BUILT_IN_PUTCHAR,
	BUILT_IN_PUTCHAR_UNLOCKED, BUILT_IN_PUTC_UNLOCKED, BUILT_IN_PUTS,
	BUILT_IN_PUTS_UNLOCKED, BUILT_IN_REALLOC, BUILT_IN_STACK_RESTORE,
	BUILT_IN_STACK_SAVE, BUILT_IN_STRCHR, BUILT_IN_STRCPY,
	BUILT_IN_STRCPY_CHK, BUILT_IN_STRLEN, BUILT_IN_VFPRINTF, and
	BUILT_IN_VPRINTF.  Call register_varargs_builtins.  Add handlers
	for "getchar", "memset", "fgets", "fgets_unlocked", "fread",
	"error", and "error_at_line".
	* region-model.cc (region_model::on_stmt_pre): Drop
	"out_terminate_path" param.
	(region_model::get_known_function): Reimplement by calling
	known_function_manager::get_match, passing new "cd" param.
	Add overload taking enum internal_fn.
	(region_model::on_call_pre): Drop "out_terminate_path" param.
	Remove special-case handling of internal fns IFN_BUILTIN_EXPECT,
	IFN_UBSAN_BOUNDS, and IFN_VA_ARG, of built-in fns BUILT_IN_ALLOCA,
	BUILT_IN_ALLOCA_WITH_ALIGN, BUILT_IN_CALLOC, BUILT_IN_EXPECT,
	BUILT_IN_EXPECT_WITH_PROBABILITY, BUILT_IN_FREE, BUILT_IN_MALLOC,
	BUILT_IN_MEMCPY, BUILT_IN_MEMCPY_CHK, BUILT_IN_MEMSET,
	BUILT_IN_MEMSET_CHK, BUILT_IN_REALLOC, BUILT_IN_STRCHR,
	BUILT_IN_STRCPY, BUILT_IN_STRCPY_CHK, BUILT_IN_STRLEN,
	BUILT_IN_STACK_SAVE, BUILT_IN_STACK_RESTORE, BUILT_IN_FPRINTF,
	BUILT_IN_FPRINTF_UNLOCKED, BUILT_IN_PUTC, BUILT_IN_PUTC_UNLOCKED,
	BUILT_IN_FPUTC, BUILT_IN_FPUTC_UNLOCKED, BUILT_IN_FPUTS,
	BUILT_IN_FPUTS_UNLOCKED, BUILT_IN_FWRITE,
	BUILT_IN_FWRITE_UNLOCKED, BUILT_IN_PRINTF,
	BUILT_IN_PRINTF_UNLOCKED, BUILT_IN_PUTCHAR,
	BUILT_IN_PUTCHAR_UNLOCKED, BUILT_IN_PUTS, BUILT_IN_PUTS_UNLOCKED,
	BUILT_IN_VFPRINTF, BUILT_IN_VPRINTF, BUILT_IN_VA_START, and
	BUILT_IN_VA_COPY, and of named functions "malloc", "calloc",
	"alloca", "realloc", "error", "error_at_line", "fgets",
	"fgets_unlocked", "fread", "getchar", "memset", "strchr", and
	"strlen".  Replace all this special-casing with calls to
	get_known_function for internal fns and for fn decls.
	(region_model::on_call_post): Remove special-casing handling for
	"free" and "strchr", and for BUILT_IN_REALLOC, BUILT_IN_STRCHR,
	and BUILT_IN_VA_END.  Replace by consolidating on usage of
	get_known_function.
	* region-model.h (call_details::arg_is_size_p): New.
	(region_model::on_stmt_pre): Drop "out_terminate_path" param.
	(region_model::on_call_pre): Likewise.
	(region_model::impl_call_alloca): Delete.
	(region_model::impl_call_builtin_expect): Delete.
	(region_model::impl_call_calloc): Delete.
	(region_model::impl_call_error): Delete.
	(region_model::impl_call_fgets): Delete.
	(region_model::impl_call_fread): Delete.
	(region_model::impl_call_free): Delete.
	(region_model::impl_call_malloc): Delete.
	(region_model::impl_call_memcpy): Delete.
	(region_model::impl_call_memset): Delete.
	(region_model::impl_call_realloc): Delete.
	(region_model::impl_call_strchr): Delete.
	(region_model::impl_call_strcpy): Delete.
	(region_model::impl_call_strlen): Delete.
	(region_model::impl_call_va_start): Delete.
	(region_model::impl_call_va_copy): Delete.
	(region_model::impl_call_va_arg): Delete.
	(region_model::impl_call_va_end): Delete.
	(region_model::check_region_for_write): Public.
	(region_model::get_known_function): Add "cd" param.  Add
	overloaded decl taking enum internal_fn.
	* sm-malloc.cc: Update comments.
	* varargs.cc (class kf_va_start): New.
	(region_model::impl_call_va_start): Convert to...
	(kf_va_start::impl_call_pre): ...this.
	(class kf_va_copy): New.
	(region_model::impl_call_va_copy): Convert to...
	(kf_va_copy::impl_call_pre): ...this.
	(class kf_va_arg): New.
	(region_model::impl_call_va_arg): Convert to...
	(kf_va_arg::impl_call_pre): ...this.
	(class kf_va_end): New.
	(region_model::impl_call_va_end): Delete.
	(register_varargs_builtins): New.

2022-11-22  David Malcolm  <dmalcolm@redhat.com>

	PR analyzer/107788
	* region-model.cc (region_model::update_for_int_cst_return):
	Require that the return type be an integer type.
	(region_model::update_for_nonzero_return): Likewise.

2022-11-22  David Malcolm  <dmalcolm@redhat.com>

	PR analyzer/107783
	* region-model-impl-calls.cc (kf_accept::matches_call_types_p):
	Require that args 1 and 2 be pointers.
	(kf_bind::matches_call_types_p): Require that arg 1 be a pointer.
	* region-model.h (call_details::arg_is_pointer_p): New.

2022-11-22  David Malcolm  <dmalcolm@redhat.com>

	PR analyzer/107777
	* call-summary.cc
	(call_summary_replay::convert_region_from_summary_1): Handle
	RK_THREAD_LOCAL and RK_ERRNO in switch.
	* region-model.cc (region_model::get_representative_path_var_1):
	Likewise.

fb98ede8
GA
2022-11-19  David Malcolm  <dmalcolm@redhat.com>

	PR analyzer/107582
	* engine.cc (dynamic_call_info_t::update_model): Update the model
	by pushing or popping a frame, rather than by clobbering it with
	the model from the exploded_node's state.

2022-11-18  David Malcolm  <dmalcolm@redhat.com>

	* analyzer.cc (is_pipe_call_p): Delete.
	* analyzer.h (is_pipe_call_p): Delete.
	* region-model-impl-calls.cc (call_details::get_location): New.
	(class kf_analyzer_break): New, adapted from
	region_model::on_stmt_pre.
	(region_model::impl_call_analyzer_describe): Convert to...
	(class kf_analyzer_describe): ...this.
	(region_model::impl_call_analyzer_dump_capacity): Convert to...
	(class kf_analyzer_dump_capacity): ...this.
	(region_model::impl_call_analyzer_dump_escaped): Convert to...
	(class kf_analyzer_dump_escaped): ...this.
	(class kf_analyzer_dump_exploded_nodes): New.
	(region_model::impl_call_analyzer_dump_named_constant): Convert
	to...
	(class kf_analyzer_dump_named_constant): ...this.
	(class dump_path_diagnostic): Move here from region-model.cc.
	(class kf_analyzer_dump_path): New, adapted from
	region_model::on_stmt_pre.
	(class kf_analyzer_dump_region_model): Likewise.
	(region_model::impl_call_analyzer_eval): Convert to...
	(class kf_analyzer_eval): ...this.
	(region_model::impl_call_analyzer_get_unknown_ptr): Convert to...
	(class kf_analyzer_get_unknown_ptr): ...this.
	(class known_function_accept): Rename to...
	(class kf_accept): ...this.
	(class known_function_bind): Rename to...
	(class kf_bind): ...this.
	(class known_function_connect): Rename to...
	(class kf_connect): ...this.
	(region_model::impl_call_errno_location): Convert to...
	(class kf_errno_location): ...this.
	(class known_function_listen): Rename to...
	(class kf_listen): ...this.
	(region_model::impl_call_pipe): Convert to...
	(class kf_pipe): ...this.
	(region_model::impl_call_putenv): Convert to...
	(class kf_putenv): ...this.
	(region_model::impl_call_operator_new): Convert to...
	(class kf_operator_new): ...this.
	(region_model::impl_call_operator_delete): Convert to...
	(class kf_operator_delete): ...this.
	(class known_function_socket): Rename to...
	(class kf_socket): ...this.
	(register_known_functions): Rename param to KFM. Break out
	existing known functions into a "POSIX" section, and add "pipe",
	"pipe2", and "putenv". Add debugging functions
	"__analyzer_break", "__analyzer_describe",
	"__analyzer_dump_capacity", "__analyzer_dump_escaped",
	"__analyzer_dump_exploded_nodes",
	"__analyzer_dump_named_constant", "__analyzer_dump_path",
	"__analyzer_dump_region_model", "__analyzer_eval",
	"__analyzer_get_unknown_ptr". Add C++ support functions
	"operator new", "operator new []", "operator delete", and
	"operator delete []".
	* region-model.cc (class dump_path_diagnostic): Move to
	region-model-impl-calls.cc.
	(region_model::on_stmt_pre): Eliminate special-casing of
	"__analyzer_describe", "__analyzer_dump_capacity",
	"__analyzer_dump_escaped", "__analyzer_dump_named_constant",
	"__analyzer_dump_path", "__analyzer_dump_region_model",
	"__analyzer_eval", "__analyzer_break",
	"__analyzer_dump_exploded_nodes", "__analyzer_get_unknown_ptr",
	"__errno_location", "pipe", "pipe2", "putenv", "operator new",
	"operator new []", "operator delete", "operator delete []",
	"pipe" and "pipe2", handling them instead via the known_functions
	mechanism.
	* region-model.h (call_details::get_location): New decl.
	(region_model::impl_call_analyzer_describe): Delete decl.
	(region_model::impl_call_analyzer_dump_capacity): Delete decl.
	(region_model::impl_call_analyzer_dump_escaped): Delete decl.
	(region_model::impl_call_analyzer_dump_named_constant): Delete decl.
	(region_model::impl_call_analyzer_eval): Delete decl.
	(region_model::impl_call_analyzer_get_unknown_ptr): Delete decl.
	(region_model::impl_call_errno_location): Delete decl.
	(region_model::impl_call_pipe): Delete decl.
	(region_model::impl_call_putenv): Delete decl.
	(region_model::impl_call_operator_new): Delete decl.
	(region_model::impl_call_operator_delete): Delete decl.
	* sm-fd.cc: Update comments.

2022-11-16  David Malcolm  <dmalcolm@redhat.com>

	PR analyzer/107711
	* analyzer-language.cc: Include "diagnostic.h".
	(maybe_stash_named_constant): Add logger param and use it to log
	the name being looked up, and the result.
	(stash_named_constants): New, splitting out from...
	(on_finish_translation_unit): ...this function. Call
	get_or_create_logfile and use the result to create a logger
	instance, passing it to stash_named_constants.
	* analyzer.h (get_or_create_any_logfile): New decl.
	* engine.cc (dump_fout, owns_dump_fout): New globals, split out
	from run_checkers.
	(get_or_create_any_logfile): New function, split out from...
	(run_checkers): ...here, so that the logfile can be opened by
	on_finish_translation_unit. Clear the globals when closing the
	dump file.

2022-11-16  David Malcolm  <dmalcolm@redhat.com>

	* analyzer.h (known_function::matches_call_types_p): New vfunc.
	(known_function::impl_call_pre): Provide base implementation.
	(known_function::impl_call_post): New vfunc.
	(register_known_functions): New.
	* engine.cc (impl_run_checkers): Call register_known_functions.
	* region-model-impl-calls.cc (region_model::impl_call_accept):
	Convert to...
	(class known_function_accept): ...this.
	(region_model::impl_call_bind): Convert to...
	(class known_function_bind): ...this.
	(region_model::impl_call_connect): Convert to...
	(class known_function_connect): ...this.
	(region_model::impl_call_listen): Convert to...
	(class known_function_listen): ...this.
	(region_model::impl_call_socket): Convert to...
	(class known_function_socket): ...this.
	(register_known_functions): New.
	* region-model.cc (region_model::on_call_pre): Remove special
	case for "bind" in favor of the known_function-handling dispatch.
	Add call to known_function::matches_call_types_p to latter.
	(region_model::on_call_post): Remove special cases for "accept",
	"bind", "connect", "listen", and "socket" in favor of dispatch
	to known_function::impl_call_post.
	* region-model.h (region_model::impl_call_accept): Delete decl.
	(region_model::impl_call_bind): Delete decl.
	(region_model::impl_call_connect): Delete decl.
	(region_model::impl_call_listen): Delete decl.
	(region_model::impl_call_socket): Delete decl.
	* sm-fd.cc: Update comments.

2022-11-16  David Malcolm  <dmalcolm@redhat.com>

	* checker-event.cc: New file, split out from...
	* checker-path.cc: ...this file.

2022-11-15  David Malcolm  <dmalcolm@redhat.com>

	PR analyzer/106140
	* analyzer-language.cc (on_finish_translation_unit): Stash named
	constants "SOCK_STREAM" and "SOCK_DGRAM".
	* analyzer.opt (Wanalyzer-fd-phase-mismatch): New.
	(Wanalyzer-fd-type-mismatch): New.
	* engine.cc (impl_region_model_context::get_state_map_by_name):
	Add "out_sm_context" param. Allow out_sm_idx to be NULL.
	* exploded-graph.h
	(impl_region_model_context::get_state_map_by_name):
	Add "out_sm_context" param.
	* region-model-impl-calls.cc (region_model::impl_call_accept): New.
	(region_model::impl_call_bind): New.
	(region_model::impl_call_connect): New.
	(region_model::impl_call_listen): New.
	(region_model::impl_call_socket): New.
	* region-model.cc (region_model::on_call_pre): Special-case
	"bind".
	(region_model::on_call_post): Special-case "accept", "bind",
	"connect", "listen", and "socket".
	* region-model.h (region_model::impl_call_accept): New decl.
	(region_model::impl_call_bind): New decl.
	(region_model::impl_call_connect): New decl.
	(region_model::impl_call_listen): New decl.
	(region_model::impl_call_socket): New decl.
	(region_model::on_socket): New decl.
	(region_model::on_bind): New decl.
	(region_model::on_listen): New decl.
	(region_model::on_accept): New decl.
	(region_model::on_connect): New decl.
	(region_model::add_constraint): Make public.
	(region_model::check_for_poison): Make public.
	(region_model_context::get_state_map_by_name): Add out_sm_context param.
	(region_model_context::get_fd_map): Likewise.
	(region_model_context::get_malloc_map): Likewise.
	(region_model_context::get_taint_map): Likewise.
	(noop_region_model_context::get_state_map_by_name): Likewise.
	(region_model_context_decorator::get_state_map_by_name): Likewise.
	* sm-fd.cc: Include "analyzer/supergraph.h" and
	"analyzer/analyzer-language.h".
	(enum expected_phase): New enum.
	(fd_state_machine::m_new_datagram_socket): New.
	(fd_state_machine::m_new_stream_socket): New.
	(fd_state_machine::m_new_unknown_socket): New.
	(fd_state_machine::m_bound_datagram_socket): New.
	(fd_state_machine::m_bound_stream_socket): New.
	(fd_state_machine::m_bound_unknown_socket): New.
	(fd_state_machine::m_listening_stream_socket): New.
	(fd_state_machine::m_connected_stream_socket): New.
	(fd_state_machine::m_SOCK_STREAM): New.
	(fd_state_machine::m_SOCK_DGRAM): New.
	(fd_diagnostic::describe_state_change): Handle socket states.
	(fd_diagnostic::get_meaning_for_state_change): Likewise.
	(class fd_phase_mismatch): New.
	(enum expected_type): New enum.
	(class fd_type_mismatch): New.
	(fd_state_machine::fd_state_machine): Initialize new states and
	stashed named constants.
	(fd_state_machine::is_socket_fd_p): New.
	(fd_state_machine::is_datagram_socket_fd_p): New.
	(fd_state_machine::is_stream_socket_fd_p): New.
	(fd_state_machine::on_close): Handle the socket states.
	(fd_state_machine::check_for_open_fd): Complain about fncalls on
	sockets in the wrong phase. Support socket FDs.
	(add_constraint_ge_zero): New.
	(fd_state_machine::get_state_for_socket_type): New.
	(fd_state_machine::on_socket): New.
	(fd_state_machine::check_for_socket_fd): New.
	(fd_state_machine::check_for_new_socket_fd): New.
	(fd_state_machine::on_bind): New.
	(fd_state_machine::on_listen): New.
	(fd_state_machine::on_accept): New.
	(fd_state_machine::on_connect): New.
	(fd_state_machine::can_purge_p): Don't purge socket values.
	(get_fd_state): New.
	(region_model::mark_as_valid_fd): Use get_fd_state.
	(region_model::on_socket): New.
	(region_model::on_bind): New.
	(region_model::on_listen): New.
	(region_model::on_accept): New.
	(region_model::on_connect): New.
	* sm-fd.dot: Update to reflect sm-fd.cc changes.

2022-11-15  David Malcolm  <dmalcolm@redhat.com>

	PR analyzer/106302
	* analyzer-language.cc: New file.
	* analyzer-language.h: New file.
	* analyzer.h (get_stashed_constant_by_name): New decl.
	(log_stashed_constants): New decl.
	* engine.cc (impl_run_checkers): Call log_stashed_constants.
	* region-model-impl-calls.cc
	(region_model::impl_call_analyzer_dump_named_constant): New.
	* region-model.cc (region_model::on_stmt_pre): Handle
	__analyzer_dump_named_constant.
	* region-model.h
	(region_model::impl_call_analyzer_dump_named_constant): New decl.
	* sm-fd.cc (fd_state_machine::m_O_ACCMODE): New.
	(fd_state_machine::m_O_RDONLY): New.
	(fd_state_machine::m_O_WRONLY): New.
	(fd_state_machine::fd_state_machine): Initialize the new fields.
	(fd_state_machine::get_access_mode_from_flag): Use the new fields,
	rather than using the host values.

2022-11-13  David Malcolm  <dmalcolm@redhat.com>

	PR analyzer/106235
	* analyzer.opt (Wanalyzer-tainted-assertion): New.
	* checker-path.cc (checker_path::fixup_locations): Pass false to
	pending_diagnostic::fixup_location.
	* diagnostic-manager.cc (get_emission_location): Pass true to
	pending_diagnostic::fixup_location.
	* pending-diagnostic.cc (pending_diagnostic::fixup_location): Add
	bool param.
	* pending-diagnostic.h (pending_diagnostic::fixup_location): Add
	bool param to decl.
	* sm-taint.cc (taint_state_machine::m_tainted_control_flow): New.
	(taint_diagnostic::describe_state_change): Drop "final".
	(class tainted_assertion): New.
	(taint_state_machine::taint_state_machine): Initialize
	m_tainted_control_flow.
	(taint_state_machine::alt_get_inherited_state): Support
	comparisons being tainted, based on their arguments.
	(is_assertion_failure_handler_p): New.
	(taint_state_machine::on_stmt): Complain about calls to assertion
	failure handlers guarded by an attacker-controlled conditional.
	Detect attacker-controlled gcond conditionals and gswitch index
	values.
	(taint_state_machine::check_control_flow_arg_for_taint): New.

2022-11-11  David Malcolm  <dmalcolm@redhat.com>

	* sm-fd.dot: Fix typo in comment.
	* sm-file.dot: New file.
	* varargs.cc: Fix typo in comment.
	* varargs.dot: New file.

2022-11-11  David Malcolm  <dmalcolm@redhat.com>

	* checker-path.h: Split out checker_event and its subclasses to...
	* checker-event.h: ...this new header.

2022-11-11  David Malcolm  <dmalcolm@redhat.com>

	PR analyzer/106147
	* analyzer.opt (Wanalyzer-infinite-recursion): New.
	* call-string.cc (call_string::count_occurrences_of_function):
	New.
	* call-string.h (call_string::count_occurrences_of_function): New
	decl.
	* checker-path.cc (function_entry_event::function_entry_event):
	New ctor.
	(checker_path::add_final_event): Delete.
	* checker-path.h (function_entry_event::function_entry_event): New
	ctor.
	(function_entry_event::get_desc): Drop "final".
	(checker_path::add_final_event): Delete.
	* diagnostic-manager.cc
	(diagnostic_manager::emit_saved_diagnostic): Create the final
	event via a new pending_diagnostic::add_final_event vfunc, rather
	than checker_path::add_final_event.
	(diagnostic_manager::add_events_for_eedge): Create function entry
	events via a new pending_diagnostic::add_function_entry_event
	vfunc.
	* engine.cc (exploded_graph::process_node): When creating a new
	PK_BEFORE_SUPERNODE node, call
	exploded_graph::detect_infinite_recursion on it after adding the
	in-edge.
	* exploded-graph.h (exploded_graph::detect_infinite_recursion):
	New decl.
	(exploded_graph::find_previous_entry_to): New decl.
	* infinite-recursion.cc: New file.
	* pending-diagnostic.cc
	(pending_diagnostic::add_function_entry_event): New.
	(pending_diagnostic::add_final_event): New.
	* pending-diagnostic.h
	(pending_diagnostic::add_function_entry_event): New vfunc.
	(pending_diagnostic::add_final_event): New vfunc.

2022-11-10  David Malcolm  <dmalcolm@redhat.com>

	PR analyzer/99671
	* analyzer.opt (Wanalyzer-deref-before-check): New warning.
	* diagnostic-manager.cc
	(null_assignment_sm_context::set_next_state): Only add state
	change events for transition to "null" state.
	(null_assignment_sm_context::is_transition_to_null): New.
	* engine.cc (impl_region_model_context::on_pop_frame): New.
	* exploded-graph.h (impl_region_model_context::on_pop_frame): New
	decl.
	* program-state.cc (sm_state_map::clear_any_state): New.
	(sm_state_map::can_merge_with_p): New.
	(program_state::can_merge_with_p): Replace requirement that
	sm-states be equal in favor of an attempt to merge them.
	* program-state.h (sm_state_map::clear_any_state): New decl.
	(sm_state_map::can_merge_with_p): New decl.
	* region-model.cc (region_model::eval_condition): Make const.
	(region_model::pop_frame): Call ctxt->on_pop_frame.
	* region-model.h (region_model::eval_condition): Make const.
	(region_model_context::on_pop_frame): New vfunc.
	(noop_region_model_context::on_pop_frame): New.
	(region_model_context_decorator::on_pop_frame): New.
	* sm-malloc.cc (enum resource_state): Add RS_ASSUMED_NON_NULL.
	(allocation_state::dump_to_pp): Drop "final".
	(struct assumed_non_null_state): New subclass.
	(malloc_state_machine::m_assumed_non_null): New.
	(assumed_non_null_p): New.
	(class deref_before_check): New.
	(assumed_non_null_state::dump_to_pp): New.
	(malloc_state_machine::get_or_create_assumed_non_null_state_for_frame):
	New.
	(malloc_state_machine::maybe_assume_non_null): New.
	(malloc_state_machine::on_stmt): Transition from start state to
	"assumed-non-null" state for pointers passed to
	__attribute__((nonnull)) arguments, and for pointers explicitly
	dereferenced. Call maybe_complain_about_deref_before_check for
	pointers explicitly compared against NULL.
	(malloc_state_machine::maybe_complain_about_deref_before_check):
	New.
	(malloc_state_machine::on_deallocator_call): Also transition
	"assumed-non-null" states to "freed".
	(malloc_state_machine::on_pop_frame): New.
	(malloc_state_machine::maybe_get_merged_states_nonequal): New.
	* sm-malloc.dot: Update for changes to sm-malloc.cc.
	* sm.h (state_machine::on_pop_frame): New.
	(state_machine::maybe_get_merged_state): New.
	(state_machine::maybe_get_merged_states_nonequal): New.

2022-11-09  David Malcolm  <dmalcolm@redhat.com>

	* checker-path.cc (checker_event::debug): New.
	(checker_path::add_event): Move here from checker-path.h. Add
	logging.
	* checker-path.h (checker_event::debug): New decl.
	(checker_path::checker_path): Add logger param.
	(checker_path::add_event): Move definition from here to
	checker-path.cc.
	(checker_path::m_logger): New field.
	* diagnostic-manager.cc
	(diagnostic_manager::emit_saved_diagnostic): Pass logger to
	checker_path ctor.
	(diagnostic_manager::add_events_for_eedge): Log scope when
	processing a run of stmts.

2022-11-08  David Malcolm  <dmalcolm@redhat.com>

	PR analyzer/101962
	* region-model-impl-calls.cc: Update comment.
	* region-model.cc (region_model::check_symbolic_bounds): Fix
	layout of "void" return. Replace usage of
	eval_condition_without_cm with eval_condition.
	(region_model::eval_condition): Take over body of...
	(region_model::eval_condition_without_cm): ...this subroutine,
	dropping the latter. Eliminating this distinction avoids issues
	where constraints were not considered when recursing.
	(region_model::compare_initial_and_pointer): Update comment.
	(region_model::symbolic_greater_than): Replace usage of
	eval_condition_without_cm with eval_condition.
	* region-model.h
	(region_model::eval_condition_without_cm): Delete decl.

2022-11-08  David Malcolm  <dmalcolm@redhat.com>

	* region-model-impl-calls.cc
	(region_model::impl_call_errno_location): New.
	* region-model-manager.cc
	(region_model_manager::region_model_manager): Initialize
	m_thread_local_region and m_errno_region.
	* region-model-manager.h (region_model_manager::get_errno_region):
	New accessor.
	(region_model_manager::m_thread_local_region): New.
	(region_model_manager::m_errno_region): New.
	* region-model.cc (region_model::on_call_pre): Special-case
	"__errno_location".
	(region_model::set_errno): New.
	* region-model.h (impl_call_errno_location): New decl.
	(region_model::set_errno): New decl.
	* region.cc (thread_local_region::dump_to_pp): New.
	(errno_region::dump_to_pp): New.
	* region.h (enum memory_space): Add MEMSPACE_THREAD_LOCAL.
	(enum region_kind): Add RK_THREAD_LOCAL and RK_ERRNO.
	(class thread_local_region): New.
	(is_a_helper <const thread_local_region *>::test): New.
	(class errno_region): New.
	(is_a_helper <const errno_region *>::test): New.
	* store.cc (binding_cluster::escaped_p): New.
	(store::escaped_p): Treat errno as always having escaped.
	(store::replay_call_summary_cluster): Handle RK_THREAD_LOCAL and
	RK_ERRNO.
	* store.h (binding_cluster::escaped_p): Remove definition.

2022-11-08  David Malcolm  <dmalcolm@redhat.com>

	* call-info.cc (success_call_info::get_desc): Delete.
	(failed_call_info::get_desc): Likewise.
	(succeed_or_fail_call_info::get_desc): New.
	* call-info.h (class succeed_or_fail_call_info): New.
	(class success_call_info): Convert to a subclass of
	succeed_or_fail_call_info.
	(class failed_call_info): Likewise.

2022-11-08  David Malcolm  <dmalcolm@redhat.com>

	* region-model-impl-calls.cc (region_model::impl_call_strchr):
	Move to on_call_post. Handle both outcomes using bifurcation,
	rather than just the "not found" case.
	* region-model.cc (region_model::on_call_pre): Move
	BUILT_IN_STRCHR and "strchr" to...
	(region_model::on_call_post): ...here.

2022-11-03  David Malcolm  <dmalcolm@redhat.com>

	* analyzer.h: Use std::unique_ptr for state machines from plugins.
	* engine.cc: Likewise.

2022-11-03  David Malcolm  <dmalcolm@redhat.com>

	* analyzer.h: Use std::unique_ptr for known functions.
	* engine.cc: Likewise.
	* known-function-manager.cc: Likewise.
	* known-function-manager.h: Likewise.

2022-11-03  David Malcolm  <dmalcolm@redhat.com>

	* analysis-plan.cc: Define INCLUDE_MEMORY before including
	system.h.
	* analyzer-pass.cc: Likewise.
	* analyzer-selftests.cc: Likewise.
	* analyzer.cc: Likewise.
	* analyzer.h: Use std::unique_ptr in bifurcation code.
	* call-string.cc: Define INCLUDE_MEMORY before including system.h.
	* complexity.cc: Likewise.
	* engine.cc: Use std::unique_ptr in bifurcation code.
	* exploded-graph.h: Likewise.
	* known-function-manager.cc: Define INCLUDE_MEMORY before
	including system.h.
	* region-model-impl-calls.cc: Use std::unique_ptr in bifurcation
	code.
	* region-model.cc: Likewise.
	* region-model.h: Likewise.
	* supergraph.cc: Define INCLUDE_MEMORY before including system.h.

2022-11-03  David Malcolm  <dmalcolm@redhat.com>

	* call-info.cc: Use std::unique_ptr for checker_event.
	* checker-path.cc: Likewise.
	* checker-path.h: Likewise.
	* diagnostic-manager.cc: Likewise.
	* engine.cc: Likewise.
	* pending-diagnostic.cc: Likewise.
	* sm-signal.cc: Likewise.
	* varargs.cc: Likewise.

2022-11-03  David Malcolm  <dmalcolm@redhat.com>

	* diagnostic-manager.cc: Include "make-unique.h".
	Use std::unique_ptr for feasibility_problems and exploded_path.
	Delete explicit saved_diagnostic dtor.
	* diagnostic-manager.h: Likewise.
	* engine.cc: Likewise.
	* exploded-graph.h: Likewise.
	* feasible-graph.cc: Likewise.
	* feasible-graph.h: Likewise.

2022-11-03  David Malcolm  <dmalcolm@redhat.com>

	* checker-path.cc (rewind_event::rewind_event): Update for usage of
	std::unique_ptr on custom_edge_info.
	* engine.cc (exploded_node::on_longjmp): Likewise.
	(exploded_edge::exploded_edge): Likewise.
	(exploded_edge::~exploded_edge): Delete.
	(exploded_graph::add_function_entry): Update for usage of
	std::unique_ptr on custom_edge_info.
	(exploded_graph::add_edge): Likewise.
	(add_tainted_args_callback): Likewise.
	(exploded_graph::maybe_create_dynamic_call): Likewise.
	(exploded_graph::process_node): Likewise.
	* exploded-graph.h (exploded_edge::~exploded_edge): Delete.
	(exploded_edge::m_custom_info): Use std::unique_ptr.
	(exploded_edge::add_edge): Likewise.
	* sm-signal.cc (register_signal_handler::impl_transition): Use
	make_unique.

2022-11-03  David Malcolm  <dmalcolm@redhat.com>

	* diagnostic-manager.cc (saved_diagnostic::saved_diagnostic): Make
	stmt_finder const.
	(saved_diagnostic::~saved_diagnostic): Remove explicit delete of
	m_stmt_finder.
	(diagnostic_manager::add_diagnostic): Make stmt_finder const.
	* diagnostic-manager.h (saved_diagnostic::saved_diagnostic):
	Likewise.
	(saved_diagnostic::m_stmt_finder): Convert to std::unique_ptr.
	(diagnostic_manager::add_diagnostic): Make stmt_finder const.
	* engine.cc (impl_sm_context::impl_sm_context): Likewise.
	(impl_sm_context::m_stmt_finder): Likewise.
	(leak_stmt_finder::clone): Convert return type to std::unique_ptr.
	* exploded-graph.h (stmt_finder::clone): Likewise.

2022-11-03  David Malcolm  <dmalcolm@redhat.com>

	* call-info.cc: Add define of INCLUDE_MEMORY.
	* call-summary.cc: Likewise.
	* checker-path.cc: Likewise.
	* constraint-manager.cc: Likewise.
	* diagnostic-manager.cc: Likewise.
	(saved_diagnostic::saved_diagnostic): Use std::unique_ptr for
	param d and field m_d.
	(saved_diagnostic::~saved_diagnostic): Remove explicit delete of m_d.
	(saved_diagnostic::add_note): Use std::unique_ptr for
	param pn.
	(saved_diagnostic::get_pending_diagnostic): Update for conversion
	of m_sd.m_d to unique_ptr.
	(diagnostic_manager::add_diagnostic): Use std::unique_ptr for
	param d. Remove explicit deletion.
	(diagnostic_manager::add_note): Use std::unique_ptr for param pn.
	(diagnostic_manager::emit_saved_diagnostic): Update for conversion
	of m_sd.m_d to unique_ptr.
	(null_assignment_sm_context::warn): Use std::unique_ptr for
	param d. Remove explicit deletion.
	* diagnostic-manager.h (saved_diagnostic::saved_diagnostic): Use
	std::unique_ptr for param d.
	(saved_diagnostic::add_note): Likewise for param pn.
	(saved_diagnostic::m_d): Likewise.
	(diagnostic_manager::add_diagnostic): Use std::unique_ptr for
	param d.
	(diagnostic_manager::add_note): Use std::unique_ptr for param pn.
	* engine.cc: Include "make-unique.h".
	(impl_region_model_context::warn): Update to use std::unique_ptr
	for param, removing explicit deletion.
	(impl_region_model_context::add_note): Likewise.
	(impl_sm_context::warn): Update to use std::unique_ptr
	for param.
	(impl_region_model_context::on_state_leak): Likewise for result of
	on_leak.
	(exploded_node::on_longjmp): Use make_unique when creating
	pending_diagnostic.
	(exploded_graph::process_node): Likewise.
	* exploded-graph.h (impl_region_model_context::warn): Update to
	use std::unique_ptr for param.
	(impl_region_model_context::add_note): Likewise.
	* feasible-graph.cc: Add define of INCLUDE_MEMORY.
	* pending-diagnostic.cc: Likewise.
	* pending-diagnostic.h: Include "analyzer/sm.h".
	* program-point.cc: Add define of INCLUDE_MEMORY.
	* program-state.cc: Likewise.
	* region-model-asm.cc: Likewise.
	* region-model-impl-calls.cc: Likewise. Include "make-unique.h".
	(region_model::impl_call_putenv): Use make_unique when creating
	pending_diagnostic.
	* region-model-manager.cc: Add define of INCLUDE_MEMORY.
	* region-model-reachability.cc: Likewise.
	* region-model.cc: Likewise. Include "make-unique.h".
	(region_model::get_gassign_result): Use make_unique when creating
	pending_diagnostic.
	(region_model::check_for_poison): Likewise.
	(region_model::on_stmt_pre): Likewise.
	(region_model::check_symbolic_bounds): Likewise.
	(region_model::check_region_bounds): Likewise.
	(annotating_ctxt::make_note): Use std::unique_ptr for result.
	(region_model::deref_rvalue): Use make_unique when creating
	pending_diagnostic.
	(region_model::check_for_writable_region): Likewise.
	(region_model::check_region_size): Likewise.
	(region_model::check_dynamic_size_for_floats): Likewise.
	(region_model::maybe_complain_about_infoleak): Likewise.
	(noop_region_model_context::add_note): Use std::unique_ptr for
	param. Remove explicit deletion.
	* region-model.h: Include "analyzer/pending-diagnostic.h".
	(region_model_context::warn): Convert param to std::unique_ptr.
	(region_model_context::add_note): Likewise.
	(noop_region_model_context::warn): Likewise.
	(noop_region_model_context::add_note): Likewise.
	(region_model_context_decorator::warn): Likewise.
	(region_model_context_decorator::add_note): Likewise.
	(note_adding_context::warn): Likewise.
	(note_adding_context::make_note): Likewise for return type.
	(test_region_model_context::warn): Convert param to
	std::unique_ptr.
	* region.cc: Add define of INCLUDE_MEMORY.
	* sm-fd.cc: Likewise. Include "make-unique.h".
	(fd_state_machine::check_for_fd_attrs): Use make_unique when
	creating pending_diagnostics.
	(fd_state_machine::on_open): Likewise.
	(fd_state_machine::on_creat): Likewise.
	(fd_state_machine::check_for_dup): Likewise.
	(fd_state_machine::on_close): Likewise.
	(fd_state_machine::check_for_open_fd): Likewise.
	(fd_state_machine::on_leak): Likewise, converting return type to
	std::unique_ptr.
	* sm-file.cc: Add define of INCLUDE_MEMORY. Include
	"make-unique.h".
	(fileptr_state_machine::on_stmt): Use make_unique when creating
	pending_diagnostic.
	(fileptr_state_machine::on_leak): Likewise, converting return type
	to std::unique_ptr.
	* sm-malloc.cc: Add define of INCLUDE_MEMORY. Include
	"make-unique.h".
	(malloc_state_machine::on_stmt): Use make_unique when creating
	pending_diagnostic.
	(malloc_state_machine::handle_free_of_non_heap): Likewise.
	(malloc_state_machine::on_deallocator_call): Likewise.
	(malloc_state_machine::on_realloc_call): Likewise.
	(malloc_state_machine::on_leak): Likewise, converting return type
	to std::unique_ptr.
	* sm-pattern-test.cc: Add define of INCLUDE_MEMORY. Include
	"make-unique.h".
	(pattern_test_state_machine::on_condition): Use make_unique when
	creating pending_diagnostic.
	* sm-sensitive.cc: Add define of INCLUDE_MEMORY. Include
	"make-unique.h".
	(sensitive_state_machine::warn_for_any_exposure): Use make_unique
	when creating pending_diagnostic.
	* sm-signal.cc: Add define of INCLUDE_MEMORY. Include
	"make-unique.h".
	(signal_state_machine::on_stmt): Use make_unique when creating
	pending_diagnostic.
	* sm-taint.cc: Add define of INCLUDE_MEMORY. Include
	"make-unique.h".
	(taint_state_machine::check_for_tainted_size_arg): Use make_unique
	when creating pending_diagnostic.
	(taint_state_machine::check_for_tainted_divisor): Likewise.
	(region_model::check_region_for_taint): Likewise.
	(region_model::check_dynamic_size_for_taint): Likewise.
	* sm.cc: Add define of INCLUDE_MEMORY. Include
	"analyzer/pending-diagnostic.h".
	(state_machine::on_leak): Move here from sm.h, changing return
	type to std::unique_ptr.
	* sm.h (state_machine::on_leak): Change return type to
	std::unique_ptr. Move defn of base impl to sm.cc.
	(sm_context::warn): Convert param d to std::unique_ptr.
	* state-purge.cc: Add define of INCLUDE_MEMORY.
	* store.cc: Likewise.
	* svalue.cc: Likewise.
	* trimmed-graph.cc: Likewise.
	* varargs.cc: Likewise. Include "make-unique.h".
	(va_list_state_machine::check_for_ended_va_list): Use make_unique
	when creating pending_diagnostic.
	(va_list_state_machine::on_leak): Likewise, converting return type
	to std::unique_ptr.
	(region_model::impl_call_va_arg): Use make_unique when creating
	pending_diagnostic.

2022-11-03  David Malcolm  <dmalcolm@redhat.com>

	PR analyzer/107486
	* analyzer.cc (is_pipe_call_p): New.
	* analyzer.h (is_pipe_call_p): New decl.
	* region-model.cc (region_model::on_call_pre): Use it.
	(region_model::on_call_post): Likewise.

486a5037
GA
28142022-10-26 David Malcolm <dmalcolm@redhat.com>
2815
2816 * sm-fd.cc (fd_state_machine::on_open): Transition to "unchecked"
2817 when the mode is symbolic, rather than just on integer constants.
2818 (fd_state_machine::check_for_open_fd): Don't complain about
2819 unchecked values in the start state.
2820
28212022-10-26 David Malcolm <dmalcolm@redhat.com>
2822
2823 * sm-fd.dot: New file.
2824
4e939ae1
GA
28252022-10-24 David Malcolm <dmalcolm@redhat.com>
2826
2827 PR analyzer/107349
2828 * varargs.cc (get_va_copy_arg): Fix the non-pointer case.
2829
28302022-10-24 David Malcolm <dmalcolm@redhat.com>
2831
2832 PR analyzer/107345
2833 * region-model.cc (region_model::eval_condition_without_cm):
2834 Ensure that constants are on the right-hand side before checking
2835 for them.
2836
28372022-10-24 David Malcolm <dmalcolm@redhat.com>
2838
2839 * engine.cc (impl_region_model_context::get_malloc_map): Replace
2840 with...
2841 (impl_region_model_context::get_state_map_by_name): ...this.
2842 (impl_region_model_context::get_fd_map): Delete.
2843 (impl_region_model_context::get_taint_map): Delete.
2844 * exploded-graph.h (impl_region_model_context::get_fd_map):
2845 Delete.
2846 (impl_region_model_context::get_malloc_map): Delete.
2847 (impl_region_model_context::get_taint_map): Delete.
2848 (impl_region_model_context::get_state_map_by_name): New.
2849 * region-model.h (region_model_context::get_state_map_by_name):
2850 New vfunc.
2851 (region_model_context::get_fd_map): Convert from vfunc to
2852 function.
2853 (region_model_context::get_malloc_map): Likewise.
2854 (region_model_context::get_taint_map): Likewise.
2855 (noop_region_model_context::get_state_map_by_name): New.
2856 (noop_region_model_context::get_fd_map): Delete.
2857 (noop_region_model_context::get_malloc_map): Delete.
2858 (noop_region_model_context::get_taint_map): Delete.
2859 (region_model_context_decorator::get_state_map_by_name): New.
2860 (region_model_context_decorator::get_fd_map): Delete.
2861 (region_model_context_decorator::get_malloc_map): Delete.
2862 (region_model_context_decorator::get_taint_map): Delete.
2863
28642022-10-24 David Malcolm <dmalcolm@redhat.com>
2865
2866 PR analyzer/106300
2867 * engine.cc (impl_region_model_context::get_fd_map): New.
2868 * exploded-graph.h (impl_region_model_context::get_fd_map): New
2869 decl.
2870 * region-model-impl-calls.cc (region_model::impl_call_pipe): New.
2871 * region-model.cc (region_model::update_for_int_cst_return): New,
2872 based on...
2873 (region_model::update_for_zero_return): ...this. Reimplement in
2874 terms of the former.
2875 (region_model::on_call_pre): Handle "pipe" and "pipe2".
2876 (region_model::on_call_post): Likewise.
2877 * region-model.h (region_model::impl_call_pipe): New decl.
2878 (region_model::update_for_int_cst_return): New decl.
2879 (region_model::mark_as_valid_fd): New decl.
2880 (region_model_context::get_fd_map): New pure virtual fn.
2881 (noop_region_model_context::get_fd_map): New.
2882 (region_model_context_decorator::get_fd_map): New.
2883 * sm-fd.cc: Include "analyzer/program-state.h".
2884 (fd_state_machine::describe_state_change): Handle transitions from
2885 start state to valid states.
2886 (fd_state_machine::mark_as_valid_fd): New.
2887 (fd_state_machine::on_stmt): Add missing return for "creat".
2888 (region_model::mark_as_valid_fd): New.
2889
2022-10-19  David Malcolm  <dmalcolm@redhat.com>

	PR analyzer/105765
	* varargs.cc (get_BT_VALIST_ARG): Rename to...
	(get_va_copy_arg): ...this, and update logic for determining level
	of indirection of va_copy's argument to use type of argument,
	rather than looking at va_list_type_node, to correctly handle
	__builtin_ms_va_copy.
	(get_stateful_BT_VALIST_ARG): Rename to...
	(get_stateful_va_copy_arg): ...this.
	(va_list_state_machine::on_va_copy): Update for renaming.
	(region_model::impl_call_va_copy): Likewise.

2022-10-13  David Malcolm  <dmalcolm@redhat.com>

	PR analyzer/107210
	* svalue.cc (constant_svalue::maybe_fold_bits_within): Only
	attempt to extract individual bits when tree_fits_uhwi_p.

2022-10-07  David Malcolm  <dmalcolm@redhat.com>

	PR analyzer/105783
	* region-model.cc (selftest::get_bit): New function.
	(selftest::test_bits_within_svalue_folding): New.
	(selftest::analyzer_region_model_cc_tests): Call it.
	* svalue.cc (constant_svalue::maybe_fold_bits_within): Handle the
	case of extracting a single bit.

2022-10-06  David Malcolm  <dmalcolm@redhat.com>

	PR analyzer/107158
	* store.cc (store::replay_call_summary_cluster): Eliminate
	special-casing of RK_HEAP_ALLOCATED in favor of sharing code with
	RK_DECL, avoiding an ICE due to attempting to bind a
	compound_svalue into a binding_cluster when an svalue in the
	summary cluster converts to a compound_svalue in the caller.

2022-10-06  David Malcolm  <dmalcolm@redhat.com>

	* call-summary.cc (call_summary_replay::dump_to_pp): Bulletproof
	against NULL caller regions/svalues.

2022-10-05  David Malcolm  <dmalcolm@redhat.com>

	* analysis-plan.cc: Simplify includes.
	* analyzer-pass.cc: Likewise.
	* analyzer-selftests.cc: Likewise.
	* analyzer.cc: Likewise.
	* analyzer.h: Add includes of "json.h" and "tristate.h".
	* call-info.cc: Simplify includes.
	* call-string.cc: Likewise.
	* call-summary.cc: Likewise.
	* checker-path.cc: Likewise.
	* complexity.cc: Likewise.
	* constraint-manager.cc: Likewise.
	* diagnostic-manager.cc: Likewise.
	* engine.cc: Likewise.
	* feasible-graph.cc: Likewise.
	* known-function-manager.cc: Likewise.
	* pending-diagnostic.cc: Likewise.
	* program-point.cc: Likewise.
	* program-state.cc: Likewise.
	* region-model-asm.cc: Likewise.
	* region-model-impl-calls.cc: Likewise.
	* region-model-manager.cc: Likewise.
	* region-model-reachability.cc: Likewise.
	* region-model.cc: Likewise.
	* region-model.h: Include "selftest.h".
	* region.cc: Simplify includes.
	* sm-fd.cc: Likewise.
	* sm-file.cc: Likewise.
	* sm-malloc.cc: Likewise.
	* sm-pattern-test.cc: Likewise.
	* sm-sensitive.cc: Likewise.
	* sm-signal.cc: Likewise.
	* sm-taint.cc: Likewise.
	* sm.cc: Likewise.
	* state-purge.cc: Likewise.
	* store.cc: Likewise.
	* store.h: Likewise.
	* supergraph.cc: Likewise.
	* svalue.cc: Likewise.
	* svalue.h: Likewise.
	* trimmed-graph.cc: Likewise.
	* varargs.cc: Likewise.

2022-10-05  David Malcolm  <dmalcolm@redhat.com>

	PR analyzer/107060
	* call-summary.cc
	(call_summary_replay::convert_svalue_from_summary_1): Handle NULL
	results from convert_svalue_from_summary in SK_UNARY_OP and
	SK_BIN_OP.
	* engine.cc (impl_region_model_context::on_unknown_change): Bail
	out on svalues that can't have associated state.
	* region-model-impl-calls.cc
	(region_model::impl_call_analyzer_get_unknown_ptr): New.
	* region-model.cc (region_model::on_stmt_pre): Handle
	"__analyzer_get_unknown_ptr".
	* region-model.h
	(region_model::impl_call_analyzer_get_unknown_ptr): New decl.
	* store.cc (store::replay_call_summary_cluster): Avoid trying to
	create binding clusters for base regions that shouldn't have them.

2022-10-05  Martin Liska  <mliska@suse.cz>

	* call-summary.cc (call_summary_replay::call_summary_replay):
	Remove unused variable and arguments.
	* call-summary.h: Likewise.
	* engine.cc (exploded_node::on_stmt): Likewise.
	(exploded_node::replay_call_summaries): Likewise.
	(exploded_node::replay_call_summary): Likewise.
	* exploded-graph.h (class exploded_node): Likewise.

2022-10-05  David Malcolm  <dmalcolm@redhat.com>

	PR analyzer/107072
	* analyzer-logging.h: Include "diagnostic-core.h".
	* analyzer.h: Include "function.h".
	(class call_summary): New forward decl.
	(class call_summary_replay): New forward decl.
	(struct per_function_data): New forward decl.
	(struct interesting_t): New forward decl.
	(custom_edge_info::update_state): New vfunc.
	* call-info.cc (custom_edge_info::update_state): New.
	* call-summary.cc: New file.
	* call-summary.h: New file.
	* constraint-manager.cc: Include "analyzer/call-summary.h".
	(class replay_fact_visitor): New.
	(constraint_manager::replay_call_summary): New.
	* constraint-manager.h (constraint_manager::replay_call_summary):
	New.
	* engine.cc: Include "analyzer/call-summary.h".
	(exploded_node::on_stmt): Handle call summaries.
	(class call_summary_edge_info): New.
	(exploded_node::replay_call_summaries): New.
	(exploded_node::replay_call_summary): New.
	(per_function_data::~per_function_data): New.
	(per_function_data::add_call_summary): Move here from header and
	reimplement.
	(exploded_graph::process_node): Call update_state rather than
	update_model when handling bifurcation.
	(viz_callgraph_node::dump_dot): Use a regular label rather
	than an HTML table; add summaries to dump.
	* exploded-graph.h: Include "alloc-pool.h", "fibonacci_heap.h",
	"supergraph.h", "sbitmap.h", "shortest-paths.h", "analyzer/sm.h",
	"analyzer/program-state.h", and "analyzer/diagnostic-manager.h".
	(exploded_node::replay_call_summaries): New decl.
	(exploded_node::replay_call_summary): New decl.
	(per_function_data::~per_function_data): New decl.
	(per_function_data::add_call_summary): Move implementation from
	header.
	(per_function_data::m_summaries): Update type of element.
	* known-function-manager.h: Include "analyzer/analyzer-logging.h".
	* program-point.h: Include "pretty-print.h" and
	"analyzer/call-string.h".
	* program-state.cc: Include "analyzer/call-summary.h".
	(sm_state_map::replay_call_summary): New.
	(program_state::replay_call_summary): New.
	* program-state.h (sm_state_map::replay_call_summary): New decl.
	(program_state::replay_call_summary): New decl.
	* region-model-manager.cc
	(region_model_manager::get_or_create_asm_output_svalue): New
	overload.
	* region-model-manager.h
	(region_model_manager::get_or_create_asm_output_svalue): New
	overload decl.
	* region-model.cc: Include "analyzer/call-summary.h".
	(region_model::maybe_update_for_edge): Remove call to
	region_model::update_for_call_summary on
	SUPEREDGE_INTRAPROCEDURAL_CALL.
	(region_model::update_for_call_summary): Delete.
	(region_model::replay_call_summary): New.
	* region-model.h (region_model::replay_call_summary): New decl.
	(region_model::update_for_call_summary): Delete decl.
	* store.cc: Include "analyzer/call-summary.h".
	(store::replay_call_summary): New.
	(store::replay_call_summary_cluster): New.
	* store.h: Include "tristate.h".
	(is_a_helper <const ana::concrete_binding *>::test): New.
	(store::replay_call_summary): New decl.
	(store::replay_call_summary_cluster): New decl.
	* supergraph.cc (get_ultimate_function_for_cgraph_edge): Remove
	"static" from decl.
	(supergraph_call_edge): Make stmt param const.
	* supergraph.h: Include "ordered-hash-map.h", "cfg.h",
	"basic-block.h", "gimple.h", "gimple-iterator.h", and "digraph.h".
	(supergraph_call_edge): Make stmt param const.
	(get_ultimate_function_for_cgraph_edge): New decl.
	* svalue.cc (compound_svalue::compound_svalue): Assert that we're
	not nesting compound_svalues.
	* svalue.h: Include "json.h", "analyzer/store.h", and
	"analyzer/program-point.h".
	(asm_output_svalue::get_num_outputs): New accessor.

2022-10-05  David Malcolm  <dmalcolm@redhat.com>

	* region-model.h: Include "analyzer/region-model-manager.h".
	(class region_model_manager): Move decl to...
	* region-model-manager.h: ...this new file.

2022-10-05  David Malcolm  <dmalcolm@redhat.com>

	* region-model-manager.cc
	(region_model_manager::maybe_fold_unaryop): Fold -(-(VAL)) to VAL.

2022-10-05  David Malcolm  <dmalcolm@redhat.com>

	* region-model-manager.cc
	(region_model_manager::get_or_create_widening_svalue): Use a
	function_point rather than a program_point.
	* region-model.cc (selftest::test_widening_constraints): Likewise.
	* region-model.h
	(region_model_manager::get_or_create_widening_svalue): Likewise.
	(model_merger::get_function_point): New.
	* svalue.cc (svalue::can_merge_p): Use a function_point rather
	than a program_point.
	(svalue::can_merge_p): Likewise.
	* svalue.h (widening_svalue::key_t): Likewise.
	(widening_svalue::widening_svalue): Likewise.

2022-09-12  Martin Liska  <mliska@suse.cz>

	* region-model.cc (region_model::maybe_complain_about_infoleak):
	Remove unused fields.

2022-09-11  Tim Lange  <mail@tim-lange.me>

	PR analyzer/106845
	* region-model.cc (region_model::check_region_bounds):
	Bail out if 0 bytes were accessed.
	* store.cc (byte_range::dump_to_pp):
	Add special case for empty ranges.
	(byte_range::exceeds_p): Restrict to non-empty ranges.
	(byte_range::falls_short_of_p): Restrict to non-empty ranges.
	* store.h (bit_range::empty_p): New function.
	(bit_range::get_last_byte_offset): Restrict to non-empty ranges.
	(byte_range::empty_p): New function.
	(byte_range::get_last_byte_offset): Restrict to non-empty ranges.

2022-09-09  David Malcolm  <dmalcolm@redhat.com>

	* analyzer.opt (Wanalyzer-exposure-through-uninit-copy): New.
	* checker-path.cc (region_creation_event::region_creation_event):
	Add "capacity" and "kind" params.
	(region_creation_event::get_desc): Generalize to different kinds
	of event.
	(checker_path::add_region_creation_event): Convert to...
	(checker_path::add_region_creation_events): ...this.
	* checker-path.h (enum rce_kind): New.
	(region_creation_event::region_creation_event): Add "capacity" and
	"kind" params.
	(region_creation_event::m_capacity): New field.
	(region_creation_event::m_rce_kind): New field.
	(checker_path::add_region_creation_event): Convert to...
	(checker_path::add_region_creation_events): ...this.
	* diagnostic-manager.cc (diagnostic_manager::build_emission_path):
	Update for multiple region creation events.
	(diagnostic_manager::add_event_on_final_node): Likewise.
	(diagnostic_manager::add_events_for_eedge): Likewise.
	* region-model-impl-calls.cc (call_details::get_logger): New.
	* region-model.cc: Define INCLUDE_MEMORY before including
	"system.h". Include "gcc-rich-location.h".
	(class record_layout): New.
	(class exposure_through_uninit_copy): New.
	(contains_uninit_p): New.
	(region_model::maybe_complain_about_infoleak): New.
	* region-model.h (call_details::get_logger): New decl.
	(region_model::maybe_complain_about_infoleak): New decl.
	(region_model::mark_as_tainted): New decl.
	* sm-taint.cc (region_model::mark_as_tainted): New.

2022-09-09  David Malcolm  <dmalcolm@redhat.com>

	* analyzer.h (class known_function_manager): New forward decl.
	(class known_function): New.
	(plugin_analyzer_init_iface::register_known_function): New.
	* engine.cc: Include "analyzer/known-function-manager.h".
	(plugin_analyzer_init_impl::plugin_analyzer_init_impl): Add
	known_fn_mgr param.
	(plugin_analyzer_init_impl::register_state_machine): Add
	LOC_SCOPE.
	(plugin_analyzer_init_impl::register_known_function): New.
	(plugin_analyzer_init_impl::m_known_fn_mgr): New.
	(impl_run_checkers): Update plugin callback invocation to use
	eng's known_function_manager.
	* known-function-manager.cc: New file.
	* known-function-manager.h: New file.
	* region-model-manager.cc
	(region_model_manager::region_model_manager): Pass logger to
	m_known_fn_mgr's ctor.
	* region-model.cc (region_model::update_for_zero_return): New.
	(region_model::update_for_nonzero_return): New.
	(maybe_simplify_upper_bound): New.
	(region_model::maybe_get_copy_bounds): New.
	(region_model::get_known_function): New.
	(region_model::on_call_pre): Handle plugin-supplied known
	functions.
	* region-model.h: Include "analyzer/known-function-manager.h".
	(region_model_manager::get_known_function_manager): New.
	(region_model_manager::m_known_fn_mgr): New.
	(call_details::get_model): New accessor.
	(region_model::maybe_get_copy_bounds): New decl.
	(region_model::update_for_zero_return): New decl.
	(region_model::update_for_nonzero_return): New decl.
	(region_model::get_known_function): New decl.
	(region_model::get_known_function_manager): New.

2022-09-08  Tim Lange  <mail@tim-lange.me>

	PR analyzer/106625
	* analyzer.h (region_offset): Eliminate m_is_symbolic member.
	* region-model-impl-calls.cc (region_model::impl_call_realloc):
	Refine implementation to be more precise.
	* region-model.cc (class symbolic_past_the_end):
	Abstract diagnostic class to complain about accesses past the end
	with symbolic values.
	(class symbolic_buffer_overflow):
	Concrete diagnostic class to complain about buffer overflows with
	symbolic values.
	(class symbolic_buffer_overread):
	Concrete diagnostic class to complain about buffer overreads with
	symbolic values.
	(region_model::check_symbolic_bounds): New function.
	(maybe_get_integer_cst_tree): New helper function.
	(region_model::check_region_bounds):
	Add call to check_symbolic_bounds if offset is not concrete.
	(region_model::eval_condition_without_cm):
	Add support for EQ_EXPR and GT_EXPR with binaryop_svalues.
	(is_positive_svalue): New helper function.
	(region_model::symbolic_greater_than):
	New function to handle GT_EXPR comparisons with symbolic values.
	(region_model::structural_equality): New function to compare
	whether two svalues are structured the same, i.e. evaluate to
	the same value.
	(test_struct): Reflect changes to region::calc_offset.
	(test_var): Likewise.
	(test_array_2): Likewise and add selftest with symbolic i.
	* region-model.h (class region_model): Add check_symbolic_bounds,
	symbolic_greater_than and structural_equality.
	* region.cc (region::get_offset):
	Reflect changes to region::calc_offset.
	(region::calc_offset):
	Compute the symbolic offset if the offset is not concrete.
	(region::get_relative_symbolic_offset): New function to return the
	symbolic offset in bytes relative to its parent.
	(field_region::get_relative_symbolic_offset): Likewise.
	(element_region::get_relative_symbolic_offset): Likewise.
	(offset_region::get_relative_symbolic_offset): Likewise.
	(bit_range_region::get_relative_symbolic_offset): Likewise.
	* region.h: Add get_relative_symbolic_offset.
	* store.cc (binding_key::make):
	Reflect changes to region::calc_offset.
	(binding_map::apply_ctor_val_to_range): Likewise.
	(binding_map::apply_ctor_pair_to_child_region): Likewise.
	(binding_cluster::bind_compound_sval): Likewise.
	(binding_cluster::get_any_binding): Likewise.
	(binding_cluster::maybe_get_compound_binding): Likewise.

2022-09-05  Tim Lange  <mail@tim-lange.me>

	* region-model-impl-calls.cc (region_model::impl_call_strcpy):
	Handle the constant string case.
	* region-model.cc (region_model::get_string_size):
	New function to get the string size from a region or svalue.
	* region-model.h (class region_model): Add get_string_size.

2022-09-05  Tim Lange  <mail@tim-lange.me>

	* region.cc (cast_region::get_relative_concrete_offset):
	New overloaded method.
	* region.h: Add cast_region::get_relative_concrete_offset.

2022-08-22  Martin Liska  <mliska@suse.cz>

	* region-model.cc: Add missing final keyword.

2022-08-18  Tim Lange  <mail@tim-lange.me>

	PR analyzer/106181
	* analyzer.opt: Add Wanalyzer-imprecise-floating-point-arithmetic.
	* region-model.cc (is_any_cast_p): Formatting.
	(region_model::check_region_size): Ensure precondition.
	(class imprecise_floating_point_arithmetic): New abstract
	diagnostic class for all floating-point related warnings.
	(class float_as_size_arg): Concrete diagnostic class to complain
	about floating-point operands inside the size argument.
	(class contains_floating_point_visitor):
	New visitor to find floating-point operands inside svalues.
	(region_model::check_dynamic_size_for_floats): New function.
	(region_model::set_dynamic_extents):
	Call to check_dynamic_size_for_floats.
	* region-model.h (class region_model):
	Add region_model::check_dynamic_size_for_floats.

2022-08-16  Martin Liska  <mliska@suse.cz>

	* region-model.cc: Fix -Winconsistent-missing-override clang
	warning.
	* region.h: Likewise.

2022-08-15  David Malcolm  <dmalcolm@redhat.com>

	PR analyzer/106626
	* region-model.cc (buffer_overread::emit): Fix copy&paste error in
	direction of the access in the note.

2022-08-15  David Malcolm  <dmalcolm@redhat.com>

	PR analyzer/106573
	* region-model.cc (region_model::on_call_pre): Use check_call_args
	when ensuring that we call get_arg_svalue on all args. Remove
	redundant call from handling for stdio builtins.

2022-08-15  Immad Mir  <mirimmad@outlook.com>

	PR analyzer/106551
	* sm-fd.cc (check_for_dup): exit early if first
	argument is invalid for all dup functions.

2022-08-12  Tim Lange  <mail@tim-lange.me>

	PR analyzer/106000
	* analyzer.opt: Add Wanalyzer-out-of-bounds.
	* region-model.cc (class out_of_bounds): Diagnostics base class
	for all out-of-bounds diagnostics.
	(class past_the_end): Base class derived from out_of_bounds for
	the buffer_overflow and buffer_overread diagnostics.
	(class buffer_overflow): Buffer overflow diagnostics.
	(class buffer_overread): Buffer overread diagnostics.
	(class buffer_underflow): Buffer underflow diagnostics.
	(class buffer_underread): Buffer overread diagnostics.
	(region_model::check_region_bounds): New function to check region
	bounds for out-of-bounds accesses.
	(region_model::check_region_access):
	Add call to check_region_bounds.
	(region_model::get_representative_tree): New function that accepts
	a region instead of an svalue.
	* region-model.h (class region_model):
	Add region_model::check_region_bounds.
	* region.cc (region::symbolic_p): New predicate.
	(offset_region::get_byte_size_sval): Only return the remaining
	byte size on offset_regions.
	* region.h: Add region::symbolic_p.
	* store.cc (byte_range::intersects_p):
	Add new function equivalent to bit_range::intersects_p.
	(byte_range::exceeds_p): New function.
	(byte_range::falls_short_of_p): New function.
	* store.h (struct byte_range): Add byte_range::intersects_p,
	byte_range::exceeds_p and byte_range::falls_short_of_p.

2022-08-12  Tim Lange  <mail@tim-lange.me>

	PR analyzer/106539
	* region-model-impl-calls.cc (region_model::impl_call_realloc):
	Use the result of get_copied_size as the size for the
	sized_regions in realloc.
	(success_with_move::get_copied_size): New function.

2022-08-11  Immad Mir  <mirimmad@outlook.com>

	PR analyzer/106551
	* sm-fd.cc (check_for_dup): handle the m_start
	state when transitioning the state of LHS
	of dup, dup2 and dup3 call.

2022-08-09  David Malcolm  <dmalcolm@redhat.com>

	PR analyzer/106573
	* region-model.cc (region_model::on_call_pre): Ensure that we call
	get_arg_svalue on all arguments.

2022-08-05  David Malcolm  <dmalcolm@redhat.com>

	PR analyzer/105947
	* analyzer.opt (Wanalyzer-jump-through-null): New option.
	* engine.cc (class jump_through_null): New.
	(exploded_graph::process_node): Complain about jumps through NULL
	function pointers.

2022-08-02  Immad Mir  <mirimmad@outlook.com>

	PR analyzer/106298
	* sm-fd.cc (fd_state_machine::on_open): Add
	creat, dup, dup2 and dup3 functions.
	(enum dup): New.
	(fd_state_machine::valid_to_unchecked_state): New.
	(fd_state_machine::on_creat): New.
	(fd_state_machine::on_dup): New.

2022-07-28  David Malcolm  <dmalcolm@redhat.com>

	PR analyzer/105893
	* analyzer.opt (Wanalyzer-putenv-of-auto-var): New.
	* region-model-impl-calls.cc (class putenv_of_auto_var): New.
	(region_model::impl_call_putenv): New.
	* region-model.cc (region_model::on_call_pre): Handle putenv.
	* region-model.h (region_model::impl_call_putenv): New decl.

2022-07-28  David Malcolm  <dmalcolm@redhat.com>

	* sm-malloc.cc (free_of_non_heap::emit): Add comment about CWE.
	* sm-taint.cc (tainted_size::emit): Likewise.

2022-07-28  David Malcolm  <dmalcolm@redhat.com>

	* region.h: Add notes to the comment describing the region
	class hierarchy.

1e2c5f4c
GA
33992022-07-27 Immad Mir <mirimmad@outlook.com>
3400
3401 PR analyzer/106286
3402 * sm-fd.cc:
3403 (fd_diagnostic::get_meaning_for_state_change): New.
3404
fd96c4b5
GA
34052022-07-26 David Malcolm <dmalcolm@redhat.com>
3406
3407 PR analyzer/106319
3408 * store.cc (store::set_value): Don't strip away casts if the
3409 region has NULL type.
3410
34112022-07-26 David Malcolm <dmalcolm@redhat.com>
3412
3413 * region.h (code_region::get_element): Remove stray decl.
3414 (function_region::get_element): Likewise.
3415
a5271b14
GA
34162022-07-25 Martin Liska <mliska@suse.cz>
3417
3418 * sm-fd.cc: Run dos2unix and fix coding style issues.
3419
0e6fa997
GA
34202022-07-23 Immad Mir <mirimmad@outlook.com>
3421
3422 * sm-fd.cc (fd_param_diagnostic): New diagnostic class.
3423 (fd_access_mode_mismatch): Change inheritance from fd_diagnostic
3424 to fd_param_diagnostic. Add new overloaded constructor.
3425 (fd_use_after_close): Likewise.
3426 (unchecked_use_of_fd): Likewise and also change name to fd_use_without_check.
3427 (double_close): Change name to fd_double_close.
3428 (enum access_directions): New.
3429 (fd_state_machine::on_stmt): Handle calls to function with the
3430 new three function attributes.
3431 (fd_state_machine::check_for_fd_attrs): New.
3432 (fd_state_machine::on_open): Use the new overloaded constructors
3433 of diagnostic classes.
3434
b563a8dd
GA
34352022-07-22 David Malcolm <dmalcolm@redhat.com>
3436
3437 PR analyzer/106413
3438 * varargs.cc (region_model::impl_call_va_start): Avoid iterating
3439 through non-existant variadic arguments by initializing the
3440 impl_region to "UNKNOWN" if the va_start occurs in the top-level
3441 function to the analysis.
3442
34432022-07-22 David Malcolm <dmalcolm@redhat.com>
3444
3445 PR analyzer/106401
3446 * store.cc (binding_cluster::binding_cluster): Remove overzealous
3447 assertion; we're checking for tracked_p in
3448 store::get_or_create_cluster.
3449
34502022-07-22 Tim Lange <mail@tim-lange.me>
3451
3452 PR analyzer/106394
3453 * region-model.cc (capacity_compatible_with_type): Always return true
3454 if alloc_size is zero.
3455
bbb9c030
GA
34562022-07-21 David Malcolm <dmalcolm@redhat.com>
3457
3458 PR analyzer/106383
3459 * varargs.cc (region_model::impl_call_va_arg): When determining if
3460 we're doing interprocedural analysis, use the stack depth of the
3461 frame in which va_start was called, rather than the current stack
3462 depth.
3463
34642022-07-21 David Malcolm <dmalcolm@redhat.com>
3465
3466 * sm-taint.cc (tainted_array_index::emit): Bulletproof against
3467 NULL m_arg.
3468 (tainted_array_index::describe_final_event): Likewise.
3469 (tainted_size::emit): Likewise.
3470 (tainted_size::describe_final_event): Likewise.
3471
34722022-07-21 David Malcolm <dmalcolm@redhat.com>
3473
3474 PR analyzer/106374
3475 * region.cc (decl_region::get_svalue_for_initializer): Bail out on
3476 untracked regions.
3477
e7dfd874
GA
34782022-07-20 David Malcolm <dmalcolm@redhat.com>
3479
3480 PR analyzer/106373
3481 * sm-taint.cc (taint_state_machine::on_condition): Potentially
3482 update the state of the RHS as well as the LHS.
3483
34842022-07-20 David Malcolm <dmalcolm@redhat.com>
3485
3486 PR analyzer/106359
3487 * region.h (string_region::tracked_p): New.
3488 * store.cc (binding_cluster::binding_cluster): Move here from
3489 store.h. Add assertion that base_region is tracked_p.
3490 * store.h (binding_cluster::binding_cluster): Move to store.cc.
3491
7c0c10db
GA
34922022-07-19 David Malcolm <dmalcolm@redhat.com>
3493
3494 PR analyzer/106321
3495 * constraint-manager.h (bounded_ranges::get_count): New.
3496 (bounded_ranges::get_range): New.
3497 * engine.cc (impl_region_model_context::on_bounded_ranges): New.
3498 * exploded-graph.h (impl_region_model_context::on_bounded_ranges):
3499 New decl.
3500 * region-model.cc (region_model::apply_constraints_for_gswitch):
3501 Potentially call ctxt->on_bounded_ranges.
3502 * region-model.h (region_model_context::on_bounded_ranges): New
3503 vfunc.
3504 (noop_region_model_context::on_bounded_ranges): New.
3505 (region_model_context_decorator::on_bounded_ranges): New.
3506 * sm-taint.cc: Include "analyzer/constraint-manager.h".
3507 (taint_state_machine::on_bounded_ranges): New.
3508 * sm.h (state_machine::on_bounded_ranges): New.
3509
35102022-07-19 David Malcolm <dmalcolm@redhat.com>
3511
3512 * engine.cc (exploded_graph::process_node): Show any description
3513 of the out-edge when logging it for consideration.
3514
bdc7b765
GA
2022-07-15  David Malcolm  <dmalcolm@redhat.com>

	PR analyzer/106284
	* sm-taint.cc (taint_state_machine::on_condition): Handle range
	checks optimized by build_range_check.

2022-07-15  Jonathan Wakely  <jwakely@redhat.com>

	* call-info.cc (call_info::print): Adjust to new label_text API.
	* checker-path.cc (checker_event::dump): Likewise.
	(region_creation_event::get_desc): Likewise.
	(state_change_event::get_desc): Likewise.
	(superedge_event::should_filter_p): Likewise.
	(start_cfg_edge_event::get_desc): Likewise.
	(call_event::get_desc): Likewise.
	(return_event::get_desc): Likewise.
	(warning_event::get_desc): Likewise.
	(checker_path::dump): Likewise.
	(checker_path::debug): Likewise.
	* diagnostic-manager.cc (diagnostic_manager::prune_for_sm_diagnostic):
	Likewise.
	(diagnostic_manager::prune_interproc_events): Likewise.
	* engine.cc (feasibility_state::maybe_update_for_edge):
	Likewise.
	* program-state.cc (sm_state_map::to_json): Likewise.
	* region-model-impl-calls.cc (region_model::impl_call_analyzer_describe): Likewise.
	(region_model::impl_call_analyzer_dump_capacity): Likewise.
	* region.cc (region::to_json): Likewise.
	* sm-malloc.cc (inform_nonnull_attribute): Likewise.
	* store.cc (binding_map::to_json): Likewise.
	(store::to_json): Likewise.
	* supergraph.cc (superedge::dump): Likewise.
	* svalue.cc (svalue::to_json): Likewise.

2022-07-07  David Malcolm  <dmalcolm@redhat.com>

	* checker-path.cc (start_cfg_edge_event::get_desc): Update for
	superedge::get_description returning a label_text.
	* engine.cc (feasibility_state::maybe_update_for_edge): Likewise.
	* supergraph.cc (superedge::dump): Likewise.
	(superedge::get_description): Convert return type from char * to
	label_text.
	* supergraph.h (superedge::get_description): Likewise.

2022-07-07  David Malcolm  <dmalcolm@redhat.com>

	* call-info.cc (call_info::print): Update for removal of
	label_text::maybe_free in favor of automatic memory management.
	* checker-path.cc (checker_event::dump): Likewise.
	(checker_event::prepare_for_emission): Likewise.
	(state_change_event::get_desc): Likewise.
	(superedge_event::should_filter_p): Likewise.
	(start_cfg_edge_event::get_desc): Likewise.
	(warning_event::get_desc): Likewise.
	(checker_path::dump): Likewise.
	(checker_path::debug): Likewise.
	* diagnostic-manager.cc
	(diagnostic_manager::prune_for_sm_diagnostic): Likewise.
	(diagnostic_manager::prune_interproc_events): Likewise.
	* program-state.cc (sm_state_map::to_json): Likewise.
	* region.cc (region::to_json): Likewise.
	* sm-malloc.cc (inform_nonnull_attribute): Likewise.
	* store.cc (binding_map::to_json): Likewise.
	(store::to_json): Likewise.
	* svalue.cc (svalue::to_json): Likewise.

2022-07-07  David Malcolm  <dmalcolm@redhat.com>

	PR analyzer/106225
	* sm-taint.cc (taint_state_machine::on_stmt): Move handling of
	assignments from division to...
	(taint_state_machine::check_for_tainted_divisor): ...this new
	function.  Reject warning when the divisor is known to be non-zero.
	* sm.cc: Include "analyzer/program-state.h".
	(sm_context::get_old_region_model): New.
	* sm.h (sm_context::get_old_region_model): New decl.

2022-07-06  Immad Mir  <mirimmad@outlook.com>

	PR analyzer/106184
	* sm-fd.cc (fd_state_machine): Change ordering of initialization
	of state m_invalid so that the order of initializers is same as
	the ordering of the fields in the class decl.

2022-07-06  Immad Mir  <mirimmad@outlook.com>

	* sm-fd.cc (use_after_close): Save the "close" event and
	show it where possible.

2022-07-06  David Malcolm  <dmalcolm@redhat.com>

	PR analyzer/106204
	* region-model.cc (within_short_circuited_stmt_p): Move extraction
	of assign_stmt to caller.
	(due_to_ifn_deferred_init_p): New.
	(region_model::check_for_poison): Move extraction of assign_stmt
	from within_short_circuited_stmt_p to here.  Share logic with
	call to due_to_ifn_deferred_init_p.

2022-07-02  Tim Lange  <mail@tim-lange.me>

	PR analyzer/105900
	* analyzer.opt: Added Wanalyzer-allocation-size.
	* checker-path.cc (region_creation_event::get_desc): Added call to new
	virtual function pending_diagnostic::describe_region_creation_event.
	* checker-path.h: Added region_creation_event::get_desc.
	* diagnostic-manager.cc (diagnostic_manager::add_event_on_final_node):
	New function.
	* diagnostic-manager.h:
	Added diagnostic_manager::add_event_on_final_node.
	* pending-diagnostic.h (struct region_creation): New event_desc struct.
	(pending_diagnostic::describe_region_creation_event): Added virtual
	function to overwrite description of a region creation.
	* region-model.cc (class dubious_allocation_size): New class.
	(capacity_compatible_with_type): New helper function.
	(class size_visitor): New class.
	(struct_or_union_with_inheritance_p): New helper function.
	(is_any_cast_p): New helper function.
	(region_model::check_region_size): New function.
	(region_model::set_value): Added call to
	region_model::check_region_size.
	* region-model.h (class region_model): New function check_region_size.
	* svalue.cc (region_svalue::accept): Changed to post-order traversal.
	(initial_svalue::accept): Likewise.
	(unaryop_svalue::accept): Likewise.
	(binop_svalue::accept): Likewise.
	(sub_svalue::accept): Likewise.
	(repeated_svalue::accept): Likewise.
	(bits_within_svalue::accept): Likewise.
	(widening_svalue::accept): Likewise.
	(unmergeable_svalue::accept): Likewise.
	(compound_svalue::accept): Likewise.
	(conjured_svalue::accept): Likewise.
	(asm_output_svalue::accept): Likewise.
	(const_fn_result_svalue::accept): Likewise.

2022-07-02  Immad Mir  <mirimmad17@gmail.com>

	PR analyzer/106003
	* analyzer.opt (Wanalyzer-fd-leak): New option.
	(Wanalyzer-fd-access-mode-mismatch): New option.
	(Wanalyzer-fd-use-without-check): New option.
	(Wanalyzer-fd-double-close): New option.
	(Wanalyzer-fd-use-after-close): New option.
	* sm.h (make_fd_state_machine): New decl.
	* sm.cc (make_checkers): Call make_fd_state_machine.
	* sm-fd.cc: New file.

2022-06-24  David Malcolm  <dmalcolm@redhat.com>

	* call-string.cc: Add includes of "analyzer/analyzer.h"
	and "analyzer/analyzer-logging.h".
	(call_string::call_string): Delete copy ctor.
	(call_string::operator=): Delete.
	(call_string::operator==): Delete.
	(call_string::hash): Delete.
	(call_string::push_call): Make const, returning the resulting
	call_string.
	(call_string::pop): Delete.
	(call_string::cmp_ptr_ptr): New.
	(call_string::validate): Assert that m_parent is non-NULL, or
	m_elements is empty.
	(call_string::call_string): Move default ctor here from
	call-string.h and reimplement.  Add ctor taking a parent
	and an element.
	(call_string::~call_string): New.
	(call_string::recursive_log): New.
	* call-string.h (call_string::call_string): Move default ctor's
	defn to call-string.cc.  Delete copy ctor.  Add ctor taking a
	parent and an element.
	(call_string::operator=): Delete.
	(call_string::operator==): Delete.
	(call_string::hash): Delete.
	(call_string::push_call): Make const, returning the resulting
	call_string.
	(call_string::pop): Delete decl.
	(call_string::get_parent): New.
	(call_string::cmp_ptr_ptr): New decl.
	(call_string::get_top_of_stack): New.
	(struct call_string::hashmap_traits_t): New.
	(class call_string): Add friend class region_model_manager.  Add
	DISABLE_COPY_AND_ASSIGN.
	(call_string::~call_string): New decl.
	(call_string::recursive_log): New decl.
	(call_string::m_parent): New field.
	(call_string::m_children): New field.
	* constraint-manager.cc (selftest::test_many_constants): Pass
	model manager to program_point::origin.
	* engine.cc (exploded_graph::exploded_graph): Likewise.
	(exploded_graph::add_function_entry): Likewise for
	program_point::from_function_entry.
	(add_tainted_args_callback): Likewise.
	(exploded_graph::maybe_process_run_of_before_supernode_enodes):
	Update for change to program_point.get_call_string.
	(exploded_graph::process_node): Likewise.
	(class function_call_string_cluster): Convert m_cs from a
	call_string to a const call_string &.
	(struct function_call_string): Likewise.
	(pod_hash_traits<function_call_string>::hash): Use pointer_hash
	for m_cs.
	(pod_hash_traits<function_call_string>::equal): Update for change
	to m_cs.
	(root_cluster::add_node): Update for change to
	function_call_string.
	(viz_callgraph_node::dump_dot): Update for change to call_string.
	* exploded-graph.h (per_call_string_data::m_key): Convert to a
	reference.
	(struct eg_call_string_hash_map_traits): Delete.
	(exploded_graph::call_string_data_map_t): Remove traits class.
	* program-point.cc: Move include of "analyzer/call-string.h" to
	after "analyzer/analyzer-logging.h".
	(program_point::print): Update for conversion of m_call_string to
	a pointer.
	(program_point::to_json): Likewise.
	(program_point::push_to_call_stack): Update for immutability of
	call strings.
	(program_point::pop_from_call_stack): Likewise.
	(program_point::hash): Use pointer hashing for m_call_string.
	(program_point::get_function_at_depth): Update for change to
	m_call_string.
	(program_point::validate): Update for changes to call_string.
	(program_point::on_edge): Likewise.
	(program_point::origin): Move here from call-string.h.  Add
	region_model_manager param and use it to get empty call string.
	(program_point::from_function_entry): Likewise.
	(selftest::test_function_point_ordering): Likewise.
	(selftest::test_function_point_ordering): Likewise.
	* program-point.h (program_point::program_point): Update for
	change to m_call_string.
	(program_point::get_call_string): Likewise.
	(program_point::get_stack_depth): Likewise.
	(program_point::origin): Add region_model_manager param, and move
	defn to call-string.cc.
	(program_point::from_function_entry): Likewise.
	(program_point::empty): Drop call_string.
	(program_point::deleted): Likewise.
	(program_point::program_point): New private ctor.
	(program_point::m_call_string): Convert from call_string to const
	call_string *.
	* program-state.cc (selftest::test_program_state_merging): Update
	for call_string changes.
	(selftest::test_program_state_merging_2): Likewise.
	* region-model-manager.cc
	(region_model_manager::region_model_manager): Construct
	m_empty_call_string.
	(region_model_manager::log_stats): Log the call strings.
	* region-model.cc (assert_region_models_merge): Pass the
	region_model_manager when creating program_point instances.
	(selftest::test_state_merging): Likewise.
	(selftest::test_constraint_merging): Likewise.
	(selftest::test_widening_constraints): Likewise.
	(selftest::test_iteration_1): Likewise.
	* region-model.h (region_model_manager::get_empty_call_string):
	New.
	(region_model_manager::m_empty_call_string): New.
	* sm-signal.cc (register_signal_handler::impl_transition): Update
	for changes to call_string.

2022-06-24  David Malcolm  <dmalcolm@redhat.com>

	* call-string.cc (call_string::calc_recursion_depth): Whitespace
	cleanups.
	(call_string::cmp): Likewise.
	(call_string::get_caller_node): Likewise.
	(call_string::validate): Likewise.
	* engine.cc (dynamic_call_info_t::add_events_to_path): Likewise.
	(exploded_graph::get_per_function_data): Likewise.
	(exploded_graph::maybe_create_dynamic_call): Likewise.
	(exploded_graph::maybe_create_dynamic_call): Likewise.
	(exploded_graph::process_node): Likewise.

2022-06-16  David Malcolm  <dmalcolm@redhat.com>

	* varargs.cc (va_arg_type_mismatch::emit): Associate the warning
	with CWE-686 ("Function Call With Incorrect Argument Type").

2022-06-16  David Malcolm  <dmalcolm@redhat.com>

	* varargs.cc: Include "diagnostic-metadata.h".
	(va_list_exhausted::emit): Associate the warning with
	CWE-685 ("Function Call With Incorrect Number of Arguments").

2022-06-16  David Malcolm  <dmalcolm@redhat.com>

	* sm-file.cc (double_fclose::emit): Associate the warning with
	CWE-1341 ("Multiple Releases of Same Resource or Handle").

2022-06-15  David Malcolm  <dmalcolm@redhat.com>

	PR analyzer/105962
	* analyzer.opt (fanalyzer-undo-inlining): New option.
	* checker-path.cc: Include "diagnostic-core.h" and
	"inlining-iterator.h".
	(event_kind_to_string): Handle EK_INLINED_CALL.
	(class inlining_info): New class.
	(checker_event::checker_event): Move here from checker-path.h.
	Store original fndecl and depth, and calculate effective fndecl
	and depth based on inlining information.
	(checker_event::dump): Emit original depth as well as effective
	depth when they differ; likewise for fndecl.
	(region_creation_event::get_desc): Use m_effective_fndecl.
	(inlined_call_event::get_desc): New.
	(inlined_call_event::get_meaning): New.
	(checker_path::inject_any_inlined_call_events): New.
	* checker-path.h (enum event_kind): Add EK_INLINED_CALL.
	(checker_event::checker_event): Make protected, and move
	definition to checker-path.cc.
	(checker_event::get_fndecl): Use effective fndecl.
	(checker_event::get_stack_depth): Use effective stack depth.
	(checker_event::get_logical_location): Use effective stack depth.
	(checker_event::get_original_stack_depth): New.
	(checker_event::m_fndecl): Rename to...
	(checker_event::m_original_fndecl): ...this.
	(checker_event::m_depth): Rename to...
	(checker_event::m_original_depth): ...this.
	(checker_event::m_effective_fndecl): New field.
	(checker_event::m_effective_depth): New field.
	(class inlined_call_event): New checker_event subclass.
	(checker_path::inject_any_inlined_call_events): New decl.
	* diagnostic-manager.cc: Include "inlining-iterator.h".
	(diagnostic_manager::emit_saved_diagnostic): Call
	checker_path::inject_any_inlined_call_events.
	(diagnostic_manager::prune_for_sm_diagnostic): Handle
	EK_INLINED_CALL.
	* engine.cc (tainted_args_function_custom_event::get_desc): Use
	effective fndecl.
	* inlining-iterator.h: New file.

2022-06-15  David Malcolm  <dmalcolm@redhat.com>

	* diagnostic-manager.cc (saved_diagnostic::dump_dot_id): New.
	(saved_diagnostic::dump_as_dot_node): New.
	* diagnostic-manager.h (saved_diagnostic::dump_dot_id): New decl.
	(saved_diagnostic::dump_as_dot_node): New decl.
	* engine.cc (exploded_node::dump_dot): Add nodes for saved
	diagnostics.

2022-06-02  David Malcolm  <dmalcolm@redhat.com>

	* checker-path.cc (checker_event::get_meaning): New.
	(function_entry_event::get_meaning): New.
	(state_change_event::get_desc): Add dump of meaning of the event
	to the -fanalyzer-verbose-state-changes output.
	(state_change_event::get_meaning): New.
	(cfg_edge_event::get_meaning): New.
	(call_event::get_meaning): New.
	(return_event::get_meaning): New.
	(start_consolidated_cfg_edges_event::get_meaning): New.
	(warning_event::get_meaning): New.
	* checker-path.h: Include "tree-logical-location.h".
	(checker_event::checker_event): Construct m_logical_loc.
	(checker_event::get_logical_location): New.
	(checker_event::get_meaning): New decl.
	(checker_event::m_logical_loc): New.
	(function_entry_event::get_meaning): New decl.
	(state_change_event::get_meaning): New decl.
	(cfg_edge_event::get_meaning): New decl.
	(call_event::get_meaning): New decl.
	(return_event::get_meaning): New decl.
	(start_consolidated_cfg_edges_event::get_meaning): New.
	(warning_event::get_meaning): New decl.
	* pending-diagnostic.h: Include "diagnostic-path.h".
	(pending_diagnostic::get_meaning_for_state_change): New vfunc.
	* sm-file.cc (file_diagnostic::get_meaning_for_state_change): New
	vfunc impl.
	* sm-malloc.cc (malloc_diagnostic::get_meaning_for_state_change):
	Likewise.
	* sm-sensitive.cc
	(exposure_through_output_file::get_meaning_for_state_change):
	Likewise.
	* sm-taint.cc (taint_diagnostic::get_meaning_for_state_change):
	Likewise.
	* varargs.cc
	(va_list_sm_diagnostic::get_meaning_for_state_change): Likewise.

2022-05-23  David Malcolm  <dmalcolm@redhat.com>

	* call-info.cc: Add "final" and "override" to all vfunc
	implementations that were missing them, as appropriate.
	* engine.cc: Likewise.
	* region-model.cc: Likewise.
	* sm-malloc.cc: Likewise.
	* supergraph.h: Likewise.
	* svalue.cc: Likewise.
	* varargs.cc: Likewise.

2022-05-20  David Malcolm  <dmalcolm@redhat.com>

	* analyzer-pass.cc: Replace uses of "FINAL" and "OVERRIDE" with
	"final" and "override".
	* call-info.h: Likewise.
	* checker-path.h: Likewise.
	* constraint-manager.cc: Likewise.
	* diagnostic-manager.cc: Likewise.
	* engine.cc: Likewise.
	* exploded-graph.h: Likewise.
	* feasible-graph.h: Likewise.
	* pending-diagnostic.h: Likewise.
	* region-model-impl-calls.cc: Likewise.
	* region-model.cc: Likewise.
	* region-model.h: Likewise.
	* region.h: Likewise.
	* sm-file.cc: Likewise.
	* sm-malloc.cc: Likewise.
	* sm-pattern-test.cc: Likewise.
	* sm-sensitive.cc: Likewise.
	* sm-signal.cc: Likewise.
	* sm-taint.cc: Likewise.
	* state-purge.h: Likewise.
	* store.cc: Likewise.
	* store.h: Likewise.
	* supergraph.h: Likewise.
	* svalue.h: Likewise.
	* trimmed-graph.h: Likewise.
	* varargs.cc: Likewise.

2022-05-16  David Malcolm  <dmalcolm@redhat.com>

	PR analyzer/105103
	* analyzer.cc (make_label_text_n): New.
	* analyzer.h (class var_arg_region): New forward decl.
	(make_label_text_n): New decl.
	* analyzer.opt (Wanalyzer-va-arg-type-mismatch): New option.
	(Wanalyzer-va-list-exhausted): New option.
	(Wanalyzer-va-list-leak): New option.
	(Wanalyzer-va-list-use-after-va-end): New option.
	* checker-path.cc (call_event::get_desc): Split out decl access
	into...
	(call_event::get_caller_fndecl): ...this new function and...
	(call_event::get_callee_fndecl): ...this new function.
	* checker-path.h (call_event::get_desc): Drop "FINAL".
	(call_event::get_caller_fndecl): New decl.
	(call_event::get_callee_fndecl): New decl.
	(class call_event): Make fields protected.
	* diagnostic-manager.cc (null_assignment_sm_context::warn): New
	overload.
	(null_assignment_sm_context::get_new_program_state): New.
	(diagnostic_manager::add_events_for_superedge): Move case
	SUPEREDGE_CALL to a new pending_diagnostic::add_call_event vfunc.
	* engine.cc (impl_sm_context::warn): Implement new override.
	(impl_sm_context::get_new_program_state): New.
	* pending-diagnostic.cc: Include "analyzer/diagnostic-manager.h",
	"cpplib.h", "digraph.h", "ordered-hash-map.h", "cfg.h",
	"basic-block.h", "gimple.h", "gimple-iterator.h", "cgraph.h",
	"analyzer/supergraph.h", "analyzer/program-state.h",
	"alloc-pool.h", "fibonacci_heap.h", "shortest-paths.h",
	"sbitmap.h", "analyzer/exploded-graph.h", "diagnostic-path.h",
	and "analyzer/checker-path.h".
	(ht_ident_eq): New.
	(fixup_location_in_macro_p): New.
	(pending_diagnostic::fixup_location): New.
	(pending_diagnostic::add_call_event): New.
	* pending-diagnostic.h (pending_diagnostic::fixup_location): Drop
	no-op inline implementation in favor of the more complex
	implementation above.
	(pending_diagnostic::add_call_event): New vfunc.
	* region-model-impl-calls.cc: Include "analyzer/sm.h",
	"diagnostic-path.h", and "analyzer/pending-diagnostic.h".
	* region-model-manager.cc
	(region_model_manager::get_var_arg_region): New.
	(region_model_manager::log_stats): Log m_var_arg_regions.
	* region-model.cc (region_model::on_call_pre): Handle IFN_VA_ARG,
	BUILT_IN_VA_START, and BUILT_IN_VA_COPY.
	(region_model::on_call_post): Handle BUILT_IN_VA_END.
	(region_model::get_representative_path_var_1): Handle RK_VAR_ARG.
	(region_model::push_frame): Push variadic arguments.
	* region-model.h (region_model_manager::get_var_arg_region): New
	decl.
	(region_model_manager::m_var_arg_regions): New field.
	(region_model::impl_call_va_start): New decl.
	(region_model::impl_call_va_copy): New decl.
	(region_model::impl_call_va_arg): New decl.
	(region_model::impl_call_va_end): New decl.
	* region.cc (alloca_region::dump_to_pp): Dump the id.
	(var_arg_region::dump_to_pp): New.
	(var_arg_region::get_frame_region): New.
	* region.h (enum region_kind): Add RK_VAR_ARG.
	(region::dyn_cast_var_arg_region): New.
	(class var_arg_region): New.
	(is_a_helper <const var_arg_region *>::test): New.
	(struct default_hash_traits<var_arg_region::key_t>): New.
	* sm.cc (make_checkers): Call make_va_list_state_machine.
	* sm.h (sm_context::warn): New vfunc.
	(sm_context::get_old_svalue): Drop unused decl.
	(sm_context::get_new_program_state): New vfunc.
	(make_va_list_state_machine): New decl.
	* varargs.cc: New file.

2022-05-16  Martin Liska  <mliska@suse.cz>

	* engine.cc (exploded_node::get_dot_fillcolor): Use ARRAY_SIZE.
	* function-set.cc (test_stdio_example): Likewise.
	* sm-file.cc (get_file_using_fns): Likewise.
	* sm-malloc.cc (malloc_state_machine::unaffected_by_call_p): Likewise.
	* sm-signal.cc (get_async_signal_unsafe_fns): Likewise.

2022-05-13  Richard Biener  <rguenther@suse.de>

	* supergraph.cc: Re-order gimple-fold.h include.

2022-05-11  David Malcolm  <dmalcolm@redhat.com>

	* checker-path.cc (state_change_event::get_desc): Call maybe_free
	on label_text temporaries.
	* diagnostic-manager.cc
	(diagnostic_manager::prune_for_sm_diagnostic): Likewise.
	* engine.cc (exploded_graph::~exploded_graph): Fix leak of
	m_per_point_data and m_per_call_string_data values.  Simplify
	cleanup of m_per_function_stats and m_per_point_data values.
	(feasibility_state::maybe_update_for_edge): Fix leak of result of
	superedge::get_description.
	* region-model-manager.cc
	(region_model_manager::~region_model_manager): Move cleanup of
	m_setjmp_values to match the ordering of the fields within
	region_model_manager.  Fix leak of values within
	m_repeated_values_map, m_bits_within_values_map,
	m_asm_output_values_map, and m_const_fn_result_values_map.

2022-04-28  David Malcolm  <dmalcolm@redhat.com>

	PR analyzer/105285
	* store.cc (binding_cluster::get_any_binding): Handle accessing
	sub_svalues of clusters where the base region has a symbolic
	binding.

2022-04-28  David Malcolm  <dmalcolm@redhat.com>

	* diagnostic-manager.cc (epath_finder::process_worklist_item):
	Call dump_feasible_path when a path that reaches the target
	enode is found.
	(epath_finder::dump_feasible_path): New.
	* engine.cc (feasibility_state::dump_to_pp): New.
	* exploded-graph.h (feasibility_state::dump_to_pp): New decl.
	* feasible-graph.cc (feasible_graph::dump_feasible_path): New.
	* feasible-graph.h (feasible_graph::dump_feasible_path): New
	decls.
	* program-point.cc (function_point::print): Fix missing trailing
	newlines.
	* program-point.h (program_point::print_source_line): Remove
	unimplemented decl.

2022-04-25  David Malcolm  <dmalcolm@redhat.com>

	PR analyzer/105365
	PR analyzer/105366
	* svalue.cc
	(cmp_cst): Rename to...
	(cmp_csts_same_type): ...this.  Convert all recursive calls to
	calls to...
	(cmp_csts_and_types): ...this new function.
	(svalue::cmp_ptr): Update for renaming of cmp_cst.

2022-04-14  David Malcolm  <dmalcolm@redhat.com>

	PR analyzer/105264
	* region-model-reachability.cc (reachable_regions::handle_parm):
	Use maybe_get_deref_base_region rather than just region_svalue, to
	handle pointer arithmetic also.
	* svalue.cc (svalue::maybe_get_deref_base_region): New.
	* svalue.h (svalue::maybe_get_deref_base_region): New decl.

2022-04-14  David Malcolm  <dmalcolm@redhat.com>

	PR analyzer/105252
	* svalue.cc (cmp_cst): When comparing VECTOR_CSTs, compare the
	types of the encoded elements before calling cmp_cst on them.

2022-04-09  David Malcolm  <dmalcolm@redhat.com>

	PR analyzer/103892
	* region-model-manager.cc
	(region_model_manager::get_unknown_symbolic_region): New,
	extracted from...
	(region_model_manager::get_field_region): ...here.
	(region_model_manager::get_element_region): Use it here.
	(region_model_manager::get_offset_region): Likewise.
	(region_model_manager::get_sized_region): Likewise.
	(region_model_manager::get_cast_region): Likewise.
	(region_model_manager::get_bit_range): Likewise.
	* region-model.h
	(region_model_manager::get_unknown_symbolic_region): New decl.
	* region.cc (symbolic_region::symbolic_region): Handle sval_ptr
	having NULL type.
	(symbolic_region::dump_to_pp): Handle having NULL type.

2022-04-07  David Malcolm  <dmalcolm@redhat.com>

	PR analyzer/102208
	* store.cc (binding_map::remove_overlapping_bindings): Add
	"always_overlap" param, using it to generalize to the case where
	we want to remove all bindings.  Update "uncertainty" logic to
	only record maybe-bound values for cases where there is a symbolic
	write involved.
	(binding_cluster::mark_region_as_unknown): Split param "reg" into
	"reg_to_bind" and "reg_for_overlap".
	(binding_cluster::maybe_get_compound_binding): Pass "false" to
	binding_map::remove_overlapping_bindings new "always_overlap" param.
	(binding_cluster::remove_overlapping_bindings): Determine
	"always_overlap" and pass it to
	binding_map::remove_overlapping_bindings.
	(store::set_value): Pass uncertainty to remove_overlapping_bindings
	call.  Update for new param of
	binding_cluster::mark_region_as_unknown, passing both the base
	region of the iter_cluster, and the lhs_reg.
	(store::mark_region_as_unknown): Update for new param of
	binding_cluster::mark_region_as_unknown, passing "reg" for both.
	(store::remove_overlapping_bindings): Add param "uncertainty", and
	pass it on to call to
	binding_cluster::remove_overlapping_bindings.
	* store.h (binding_map::remove_overlapping_bindings): Add
	"always_overlap" param.
	(binding_cluster::mark_region_as_unknown): Split param "reg" into
	"reg_to_bind" and "reg_for_overlap".
	(store::remove_overlapping_bindings): Add param "uncertainty".

2022-03-29  David Malcolm  <dmalcolm@redhat.com>

	PR testsuite/105085
	* region-model-manager.cc (dump_untracked_region): Skip decls in
	the constant pool.

2022-03-29  David Malcolm  <dmalcolm@redhat.com>

	PR analyzer/105087
	* analyzer.h (class conjured_purge): New forward decl.
	* region-model-asm.cc (region_model::on_asm_stmt): Add
	conjured_purge param to calls binding_cluster::on_asm and
	region_model_manager::get_or_create_conjured_svalue.
	* region-model-impl-calls.cc
	(call_details::get_or_create_conjured_svalue): Likewise for call
	to region_model_manager::get_or_create_conjured_svalue.
	(region_model::impl_call_fgets): Remove call to
	region_model::purge_state_involving, as this is now done
	implicitly by call_details::get_or_create_conjured_svalue.
	(region_model::impl_call_fread): Likewise.
	(region_model::impl_call_strchr): Pass conjured_purge param to
	call to region_model_manager::get_or_create_conjured_svalue.
	* region-model-manager.cc (conjured_purge::purge): New.
	(region_model_manager::get_or_create_conjured_svalue): Add
	param "p".  Use it to purge state when reusing an existing
	conjured_svalue.
	* region-model.cc (region_model::on_call_pre): Replace call to
	region_model::purge_state_involving with passing conjured_purge
	to region_model_manager::get_or_create_conjured_svalue.
	(region_model::handle_unrecognized_call): Pass conjured_purge to
	store::on_unknown_fncall.
	* region-model.h
	(region_model_manager::get_or_create_conjured_svalue): Add param
	"p".
	* store.cc (binding_cluster::on_unknown_fncall): Likewise.  Pass
	it on to region_model_manager::get_or_create_conjured_svalue.
	(binding_cluster::on_asm): Likewise.
	(store::on_unknown_fncall): Add param "p" and pass it on to
	binding_cluster::on_unknown_fncall.
	* store.h (binding_cluster::on_unknown_fncall): Add param p.
	(binding_cluster::on_asm): Likewise.
	(store::on_unknown_fncall): Likewise.
	* svalue.h (class conjured_purge): New.

2022-03-29  David Malcolm  <dmalcolm@redhat.com>

	PR analyzer/105074
	* region.cc (ipa_ref_requires_tracking): Drop "context_fndecl",
	instead using the ref->referring to get the cgraph node of the
	caller.
	(symnode_requires_tracking_p): Likewise.

2022-03-26  David Malcolm  <dmalcolm@redhat.com>

	PR analyzer/105057
	* store.cc (binding_cluster::make_unknown_relative_to): Reject
	attempts to create a cluster for untracked base regions.
	(store::set_value): Likewise.
	(store::fill_region): Likewise.
	(store::mark_region_as_unknown): Likewise.

2022-03-25  David Malcolm  <dmalcolm@redhat.com>

	PR analyzer/104954
	* analyzer.opt (-fdump-analyzer-untracked): New option.
	* engine.cc (impl_run_checkers): Handle it.
	* region-model-asm.cc (region_model::on_asm_stmt): Don't attempt
	to clobber regions with !tracked_p ().
	* region-model-manager.cc (dump_untracked_region): New.
	(region_model_manager::dump_untracked_regions): New.
	(frame_region::dump_untracked_regions): New.
	* region-model.h (region_model_manager::dump_untracked_regions):
	New decl.
	* region.cc (ipa_ref_requires_tracking): New.
	(symnode_requires_tracking_p): New.
	(decl_region::calc_tracked_p): New.
	* region.h (region::tracked_p): New vfunc.
	(frame_region::dump_untracked_regions): New decl.
	(class decl_region): Note that this is also used for SSA names.
	(decl_region::decl_region): Initialize m_tracked.
	(decl_region::tracked_p): New.
	(decl_region::calc_tracked_p): New decl.
	(decl_region::m_tracked): New.
	* store.cc (store::get_or_create_cluster): Assert that we
	don't try to create clusters for base regions that aren't
	trackable.
	(store::mark_as_escaped): Don't mark base regions that we're not
	tracking.

2022-03-23  David Malcolm  <dmalcolm@redhat.com>

	PR analyzer/104979
	* engine.cc (impl_run_checkers): Create the engine after the
	supergraph, and pass the supergraph to the engine.
	* region-model.cc (region_model::get_lvalue_1): Pass ctxt to
	frame_region::get_region_for_local.
	(region_model::update_for_return_gcall): Pass the lvalue for the
	result to pop_frame as a tree, rather than as a region.
	(region_model::pop_frame): Update for above change, determining
	the destination region after the frame is popped and thus with
	respect to the caller frame rather than the called frame.
	Likewise, set the value of the region to the return value after
	the frame is popped.
	(engine::engine): Add supergraph pointer.
	(selftest::test_stack_frames): Set the DECL_CONTEXT of PARM_DECLs.
	(selftest::test_get_representative_path_var): Likewise.
	(selftest::test_state_merging): Likewise.
	* region-model.h (region_model::pop_frame): Convert first param
	from a const region * to a tree.
	(engine::engine): Add param "sg".
	(engine::m_sg): New field.
	* region.cc: Include "analyzer/sm.h" and
	"analyzer/program-state.h".
	(frame_region::get_region_for_local): Add "ctxt" param.
	Add assertions that VAR_DECLs are locals, and that expr is for the
	correct function.
	* region.h (frame_region::get_region_for_local): Add "ctxt" param.

2022-03-23  David Malcolm  <dmalcolm@redhat.com>

	PR analyzer/105017
	* sm-taint.cc (taint_diagnostic::subclass_equal_p): Check
	m_has_bounds as well as m_arg.
	(tainted_allocation_size::subclass_equal_p): Chain up to base
	class implementation.  Also check m_mem_space.
	(tainted_allocation_size::emit): Add note showing stack-based vs
	heap-based allocations.

2022-03-23  David Malcolm  <dmalcolm@redhat.com>

	PR analyzer/104997
	* diagnostic-manager.cc (diagnostic_manager::add_diagnostic):
	Convert return type from "void" to "bool", reporting success vs
	failure to caller, for both overloads.
	* diagnostic-manager.h (diagnostic_manager::add_diagnostic):
	Likewise.
	* engine.cc (impl_region_model_context::warn): Propagate return
	value from diagnostic_manager::add_diagnostic.

2022-03-18 David Malcolm <dmalcolm@redhat.com>

	PR analyzer/104943
	PR analyzer/104954
	PR analyzer/103533
	* analyzer.h (class state_purge_per_decl): New forward decl.
	* engine.cc (impl_run_checkers): Pass region_model_manager to
	state_purge_map ctor.
	* program-point.cc (function_point::final_stmt_p): New.
	(function_point::get_next): New.
	* program-point.h (function_point::final_stmt_p): New decl.
	(function_point::get_next): New decl.
	* program-state.cc (program_state::prune_for_point): Generalize to
	purge local decls as well as SSA names.
	(program_state::can_purge_base_region_p): New.
	* program-state.h (program_state::can_purge_base_region_p): New
	decl.
	* region-model.cc (struct append_ssa_names_cb_data): Rename to...
	(struct append_regions_cb_data): ...this.
	(region_model::get_ssa_name_regions_for_current_frame): Rename
	to...
	(region_model::get_regions_for_current_frame): ...this, updating
	for other renamings.
	(region_model::append_ssa_names_cb): Rename to...
	(region_model::append_regions_cb): ...this, and drop the requirement
	that the subregion be a SSA name.
	* region-model.h (struct append_ssa_names_cb_data): Rename decl
	to...
	(struct append_regions_cb_data): ...this.
	(region_model::get_ssa_name_regions_for_current_frame): Rename
	decl to...
	(region_model::get_regions_for_current_frame): ...this.
	(region_model::append_ssa_names_cb): Rename decl to...
	(region_model::append_regions_cb): ...this.
	* state-purge.cc: Include "tristate.h", "selftest.h",
	"analyzer/store.h", "analyzer/region-model.h", and
	"gimple-walk.h".
	(get_candidate_for_purging): New.
	(class gimple_op_visitor): New.
	(my_load_cb): New.
	(my_store_cb): New.
	(my_addr_cb): New.
	(state_purge_map::state_purge_map): Add "mgr" param. Update for
	renamings. Find uses of local variables.
	(state_purge_map::~state_purge_map): Update for renaming of m_map
	to m_ssa_map. Clean up m_decl_map.
	(state_purge_map::get_or_create_data_for_decl): New.
	(state_purge_per_ssa_name::state_purge_per_ssa_name): Update for
	inheriting from state_purge_per_tree.
	(state_purge_per_ssa_name::add_to_worklist): Likewise.
	(state_purge_per_decl::state_purge_per_decl): New.
	(state_purge_per_decl::add_needed_at): New.
	(state_purge_per_decl::add_pointed_to_at): New.
	(state_purge_per_decl::process_worklists): New.
	(state_purge_per_decl::add_to_worklist): New.
	(same_binding_p): New.
	(fully_overwrites_p): New.
	(state_purge_per_decl::process_point_backwards): New.
	(state_purge_per_decl::process_point_forwards): New.
	(state_purge_per_decl::needed_at_point_p): New.
	(state_purge_annotator::print_needed): Generalize to print local
	decls as well as SSA names.
	* state-purge.h (class state_purge_map): Update leading comment.
	(state_purge_map::map_t): Rename to...
	(state_purge_map::ssa_map_t): ...this.
	(state_purge_map::iterator): Rename to...
	(state_purge_map::ssa_iterator): ...this.
	(state_purge_map::decl_map_t): New typedef.
	(state_purge_map::decl_iterator): New typedef.
	(state_purge_map::state_purge_map): Add "mgr" param.
	(state_purge_map::get_data_for_ssa_name): Update for renaming.
	(state_purge_map::get_any_data_for_decl): New.
	(state_purge_map::get_or_create_data_for_decl): New decl.
	(state_purge_map::begin): Rename to...
	(state_purge_map::begin_ssas): ...this.
	(state_purge_map::end): Rename to...
	(state_purge_map::end_ssa): ...this.
	(state_purge_map::begin_decls): New.
	(state_purge_map::end_decls): New.
	(state_purge_map::m_map): Rename to...
	(state_purge_map::m_ssa_map): ...this.
	(state_purge_map::m_decl_map): New field.
	(class state_purge_per_tree): New class.
	(class state_purge_per_ssa_name): Inherit from state_purge_per_tree.
	(state_purge_per_ssa_name::get_function): Move to base class.
	(state_purge_per_ssa_name::point_set_t): Likewise.
	(state_purge_per_ssa_name::m_fun): Likewise.
	(class state_purge_per_decl): New.

2022-03-17 David Malcolm <dmalcolm@redhat.com>

	* state-purge.cc (state_purge_annotator::add_node_annotations):
	Avoid duplicate before-supernode annotations when returning from
	an interprocedural call. Show after-supernode annotations.

2022-03-17 David Malcolm <dmalcolm@redhat.com>

	* program-point.cc (program_point::get_next): Fix missing
	increment of index.

2022-03-16 David Malcolm <dmalcolm@redhat.com>

	PR analyzer/104955
	* diagnostic-manager.cc (get_emission_location): New.
	(diagnostic_manager::diagnostic_manager): Initialize
	m_num_disabled_diagnostics.
	(diagnostic_manager::add_diagnostic): Reject diagnostics that
	will eventually be rejected due to being disabled.
	(diagnostic_manager::emit_saved_diagnostics): Log the number
	of disabled diagnostics.
	(diagnostic_manager::emit_saved_diagnostic): Split out logic for
	determining emission location to get_emission_location.
	* diagnostic-manager.h
	(diagnostic_manager::m_num_disabled_diagnostics): New field.
	* engine.cc (stale_jmp_buf::get_controlling_option): New.
	(stale_jmp_buf::emit): Use it.
	* pending-diagnostic.h
	(pending_diagnostic::get_controlling_option): New vfunc.
	* region-model.cc
	(poisoned_value_diagnostic::get_controlling_option): New.
	(poisoned_value_diagnostic::emit): Use it.
	(shift_count_negative_diagnostic::get_controlling_option): New.
	(shift_count_negative_diagnostic::emit): Use it.
	(shift_count_overflow_diagnostic::get_controlling_option): New.
	(shift_count_overflow_diagnostic::emit): Use it.
	(dump_path_diagnostic::get_controlling_option): New.
	(dump_path_diagnostic::emit): Use it.
	(write_to_const_diagnostic::get_controlling_option): New.
	(write_to_const_diagnostic::emit): Use it.
	(write_to_string_literal_diagnostic::get_controlling_option): New.
	(write_to_string_literal_diagnostic::emit): Use it.
	* sm-file.cc (double_fclose::get_controlling_option): New.
	(double_fclose::emit): Use it.
	(file_leak::get_controlling_option): New.
	(file_leak::emit): Use it.
	* sm-malloc.cc (mismatching_deallocation::get_controlling_option):
	New.
	(mismatching_deallocation::emit): Use it.
	(double_free::get_controlling_option): New.
	(double_free::emit): Use it.
	(possible_null_deref::get_controlling_option): New.
	(possible_null_deref::emit): Use it.
	(possible_null_arg::get_controlling_option): New.
	(possible_null_arg::emit): Use it.
	(null_deref::get_controlling_option): New.
	(null_deref::emit): Use it.
	(null_arg::get_controlling_option): New.
	(null_arg::emit): Use it.
	(use_after_free::get_controlling_option): New.
	(use_after_free::emit): Use it.
	(malloc_leak::get_controlling_option): New.
	(malloc_leak::emit): Use it.
	(free_of_non_heap::get_controlling_option): New.
	(free_of_non_heap::emit): Use it.
	* sm-pattern-test.cc (pattern_match::get_controlling_option): New.
	(pattern_match::emit): Use it.
	* sm-sensitive.cc
	(exposure_through_output_file::get_controlling_option): New.
	(exposure_through_output_file::emit): Use it.
	* sm-signal.cc (signal_unsafe_call::get_controlling_option): New.
	(signal_unsafe_call::emit): Use it.
	* sm-taint.cc (tainted_array_index::get_controlling_option): New.
	(tainted_array_index::emit): Use it.
	(tainted_offset::get_controlling_option): New.
	(tainted_offset::emit): Use it.
	(tainted_size::get_controlling_option): New.
	(tainted_size::emit): Use it.
	(tainted_divisor::get_controlling_option): New.
	(tainted_divisor::emit): Use it.
	(tainted_allocation_size::get_controlling_option): New.
	(tainted_allocation_size::emit): Use it.

2022-03-15 David Malcolm <dmalcolm@redhat.com>

	* store.cc (store::store): Presize m_cluster_map.

2022-03-10 David Malcolm <dmalcolm@redhat.com>

	PR analyzer/104863
	* constraint-manager.cc (constraint_manager::add_constraint):
	Refresh the EC IDs when adding constraints implied by offsets.

2022-03-10 David Malcolm <dmalcolm@redhat.com>

	PR analyzer/104793
	* analyzer.h (class pending_note): New forward decl.
	* diagnostic-manager.cc (saved_diagnostic::saved_diagnostic):
	Initialize m_notes.
	(saved_diagnostic::operator==): Compare m_notes.
	(saved_diagnostic::add_note): New.
	(saved_diagnostic::emit_any_notes): New.
	(diagnostic_manager::add_note): New.
	(diagnostic_manager::emit_saved_diagnostic): Call emit_any_notes
	after emitting the warning.
	* diagnostic-manager.h (saved_diagnostic::add_note): New decl.
	(saved_diagnostic::emit_any_notes): New decl.
	(saved_diagnostic::m_notes): New field.
	(diagnostic_manager::add_note): New decl.
	* engine.cc (impl_region_model_context::add_note): New.
	* exploded-graph.h (impl_region_model_context::add_note): New
	decl.
	* pending-diagnostic.h (class pending_note): New.
	(class pending_note_subclass): New template.
	* region-model.cc (class reason_attr_access): New.
	(check_external_function_for_access_attr): Add class
	annotating_ctxt and use it when checking region.
	(noop_region_model_context::add_note): New.
	* region-model.h (region_model_context::add_note): New vfunc.
	(noop_region_model_context::add_note): New decl.
	(class region_model_context_decorator): New.
	(class note_adding_context): New.

2022-03-10 David Malcolm <dmalcolm@redhat.com>

	PR analyzer/104793
	* region-model.cc
	(region_model::check_external_function_for_access_attr): New.
	(region_model::handle_unrecognized_call): Call it.
	* region-model.h
	(region_model::check_external_function_for_access_attr): New decl.
	(region_model::handle_unrecognized_call): New decl.

2022-03-10 David Malcolm <dmalcolm@redhat.com>

	* sm-taint.cc (taint_state_machine::check_for_tainted_size_arg):
	Avoid generating duplicate saved_diagnostics by only handling the
	rdwr_map entry for the ptrarg, not the duplicate entry for the
	sizarg.

2022-03-07 David Malcolm <dmalcolm@redhat.com>

	PR analyzer/101983
	* engine.cc (returning_from_function_p): New.
	(impl_region_model_context::on_state_leak): Use it when rejecting
	leaks at the return from "main".

2022-03-07 Jakub Jelinek <jakub@redhat.com>

	* store.cc: Fix up duplicated word issue in a comment.
	* analyzer.cc: Likewise.
	* engine.cc: Likewise.
	* sm-taint.cc: Likewise.

2022-03-04 David Malcolm <dmalcolm@redhat.com>

	PR analyzer/103521
	* analyzer.opt (-param=analyzer-max-svalue-depth=): Reduce from 13
	to 12.

2022-02-23 David Malcolm <dmalcolm@redhat.com>

	PR analyzer/104434
	* analyzer.h (class const_fn_result_svalue): New decl.
	* region-model-impl-calls.cc (call_details::get_manager): New.
	* region-model-manager.cc
	(region_model_manager::get_or_create_const_fn_result_svalue): New.
	(region_model_manager::log_stats): Log
	m_const_fn_result_values_map.
	* region-model.cc (const_fn_p): New.
	(maybe_get_const_fn_result): New.
	(region_model::on_call_pre): Handle fndecls with
	__attribute__((const)) by calling the above rather than making
	a conjured_svalue.
	* region-model.h (visitor::visit_const_fn_result_svalue): New.
	(region_model_manager::get_or_create_const_fn_result_svalue): New
	decl.
	(region_model_manager::const_fn_result_values_map_t): New typedef.
	(region_model_manager::m_const_fn_result_values_map): New field.
	(call_details::get_manager): New decl.
	* svalue.cc (svalue::cmp_ptr): Handle SK_CONST_FN_RESULT.
	(const_fn_result_svalue::dump_to_pp): New.
	(const_fn_result_svalue::dump_input): New.
	(const_fn_result_svalue::accept): New.
	* svalue.h (enum svalue_kind): Add SK_CONST_FN_RESULT.
	(svalue::dyn_cast_const_fn_result_svalue): New.
	(class const_fn_result_svalue): New.
	(is_a_helper <const const_fn_result_svalue *>::test): New.
	(template <> struct default_hash_traits<const_fn_result_svalue::key_t>):
	New.

2022-02-17 David Malcolm <dmalcolm@redhat.com>

	PR analyzer/104576
	* region-model.cc: Include "calls.h".
	(region_model::on_call_pre): Use flags_from_decl_or_type to
	generalize check for DECL_PURE_P to also check for ECF_CONST.

2022-02-16 David Malcolm <dmalcolm@redhat.com>

	PR analyzer/104560
	* diagnostic-manager.cc (diagnostic_manager::build_emission_path):
	Add region creation events for globals of interest.
	(null_assignment_sm_context::get_old_program_state): New.
	(diagnostic_manager::add_events_for_eedge): Move check for
	changing dynamic extents from PK_BEFORE_STMT case to after the
	switch on the dst_point's kind so that we can emit them for the
	final stmt in a basic block.
	* engine.cc (impl_sm_context::get_old_program_state): New.
	* sm-malloc.cc (malloc_state_machine::get_default_state): Rewrite
	detection of m_non_heap to use get_memory_space.
	(free_of_non_heap::free_of_non_heap): Add freed_reg param.
	(free_of_non_heap::subclass_equal_p): Update for changes to
	fields.
	(free_of_non_heap::emit): Drop m_kind in favor of
	get_memory_space.
	(free_of_non_heap::describe_state_change): Remove logic for
	detecting alloca.
	(free_of_non_heap::mark_interesting_stuff): Add region-creation of
	m_freed_reg.
	(free_of_non_heap::get_memory_space): New.
	(free_of_non_heap::kind): Drop enum.
	(free_of_non_heap::m_freed_reg): New field.
	(free_of_non_heap::m_kind): Drop field.
	(malloc_state_machine::on_stmt): Drop transition to m_non_heap.
	(malloc_state_machine::handle_free_of_non_heap): New function,
	split out from on_deallocator_call and on_realloc_call, adding
	detection of the freed region.
	(malloc_state_machine::on_deallocator_call): Use it.
	(malloc_state_machine::on_realloc_call): Likewise.
	* sm.h (sm_context::get_old_program_state): New vfunc.

2022-02-15 David Malcolm <dmalcolm@redhat.com>

	PR analyzer/104524
	* region-model-manager.cc
	(region_model_manager::maybe_fold_sub_svalue): Only call
	get_or_create_cast if type is non-NULL.

2022-02-15 David Malcolm <dmalcolm@redhat.com>

	PR analyzer/102692
	* exploded-graph.h (impl_region_model_context::get_stmt): New.
	* region-model.cc: Include "gimple-ssa.h", "tree-phinodes.h",
	"tree-ssa-operands.h", and "ssa-iterators.h".
	(within_short_circuited_stmt_p): New.
	(region_model::check_for_poison): Don't warn about uninit values
	if within_short_circuited_stmt_p.
	* region-model.h (region_model_context::get_stmt): New vfunc.
	(noop_region_model_context::get_stmt): New.

2022-02-11 David Malcolm <dmalcolm@redhat.com>

	PR analyzer/104274
	* region-model.cc (region_model::check_for_poison): Ignore
	uninitialized uses of empty types.

2022-02-10 David Malcolm <dmalcolm@redhat.com>

	PR analyzer/98797
	* region-model-manager.cc
	(region_model_manager::maybe_fold_sub_svalue): Generalize getting
	individual chars of a STRING_CST from element_region to any
	subregion which is a concrete access of a single byte from its
	parent region.
	* region.cc (region::get_relative_concrete_byte_range): New.
	* region.h (region::get_relative_concrete_byte_range): New decl.

2022-02-09 David Malcolm <dmalcolm@redhat.com>

	PR analyzer/104452
	* region-model.cc (selftest::test_bit_range_regions): New.
	(selftest::analyzer_region_model_cc_tests): Call it.
	* region.h (bit_range_region::key_t::hash): Fix hashing of m_bits
	to avoid using uninitialized data.

2022-02-07 David Malcolm <dmalcolm@redhat.com>

	PR analyzer/104417
	* sm-taint.cc (tainted_allocation_size::tainted_allocation_size):
	Remove overzealous assertion.
	(tainted_allocation_size::emit): Likewise.
	(region_model::check_dynamic_size_for_taint): Likewise.

2022-02-07 David Malcolm <dmalcolm@redhat.com>

	PR analyzer/103872
	* region-model-impl-calls.cc (region_model::impl_call_memcpy):
	Reimplement in terms of a get_store_value followed by a set_value.

2022-02-03 David Malcolm <dmalcolm@redhat.com>

	PR analyzer/104369
	* engine.cc (exploded_graph::process_node): Use the node for any
	diagnostics, avoiding ICE if a bifurcation update adds a
	saved_diagnostic, such as for a tainted realloc size.
	* region-model-impl-calls.cc
	(region_model::impl_call_realloc::success_no_move::update_model):
	Require the old pointer to be non-NULL to be able to successfully
	grow in place. Use model->deref_rvalue rather than maybe_get_region
	to support the old pointer being symbolic.
	(region_model::impl_call_realloc::success_with_move::update_model):
	Likewise. Add a constraint that the new pointer != the old pointer.
	Use a sized_region when setting the value of the new region.
	Handle the case where we don't know the dynamic size of the old
	region by marking the new region as unknown.
	* sm-taint.cc (tainted_allocation_size::tainted_allocation_size):
	Update assertion to also allow for MEMSPACE_UNKNOWN.
	(tainted_allocation_size::emit): Likewise.
	(region_model::check_dynamic_size_for_taint): Likewise.

2022-02-03 David Malcolm <dmalcolm@redhat.com>

	* region-model-impl-calls.cc (region_model::impl_call_calloc): Use
	a sized_region when calling zero_fill_region.

2022-02-02 David Malcolm <dmalcolm@redhat.com>

	* region-model.cc (region_model::on_return): Replace usage of
	copy_region with get_rvalue/set_value pair.
	(region_model::pop_frame): Likewise.
	(selftest::test_compound_assignment): Likewise.
	* region-model.h (region_model::copy_region): Delete decl.
	* region.cc (region_model::copy_region): Delete.

2022-02-02 David Malcolm <dmalcolm@redhat.com>

	* region.cc (region::calc_offset): Consolidate effectively
	identical cases.

2022-02-02 David Malcolm <dmalcolm@redhat.com>

	* analyzer.h (class bit_range_region): New forward decl.
	* region-model-manager.cc (region_model_manager::get_bit_range):
	New.
	(region_model_manager::log_stats): Handle m_bit_range_regions.
	* region-model.cc (region_model::get_lvalue_1): Handle
	BIT_FIELD_REF.
	* region-model.h (region_model_manager::get_bit_range): New decl.
	(region_model_manager::m_bit_range_regions): New field.
	* region.cc (region::get_base_region): Handle RK_BIT_RANGE.
	(region::base_region_p): Likewise.
	(region::calc_offset): Likewise.
	(bit_range_region::dump_to_pp): New.
	(bit_range_region::get_byte_size): New.
	(bit_range_region::get_bit_size): New.
	(bit_range_region::get_byte_size_sval): New.
	(bit_range_region::get_relative_concrete_offset): New.
	* region.h (enum region_kind): Add RK_BIT_RANGE.
	(region::dyn_cast_bit_range_region): New vfunc.
	(class bit_range_region): New.
	(is_a_helper <const bit_range_region *>::test): New.
	(default_hash_traits<bit_range_region::key_t>): New.

2022-02-02 David Malcolm <dmalcolm@redhat.com>

	PR analyzer/104270
	* region-model.cc (region_model::on_call_pre): Handle
	IFN_DEFERRED_INIT.

2022-01-27 David Malcolm <dmalcolm@redhat.com>

	* checker-path.cc (event_kind_to_string): Handle
	EK_REGION_CREATION.
	(region_creation_event::region_creation_event): New.
	(region_creation_event::get_desc): New.
	(checker_path::add_region_creation_event): New.
	* checker-path.h (enum event_kind): Add EK_REGION_CREATION.
	(class region_creation_event): New subclass.
	(checker_path::add_region_creation_event): New decl.
	* diagnostic-manager.cc
	(diagnostic_manager::emit_saved_diagnostic): Pass NULL for new
	param to add_events_for_eedge when handling trailing eedge.
	(diagnostic_manager::build_emission_path): Create an interesting_t
	instance, allow the pending diagnostic to populate it, and pass it
	to the calls to add_events_for_eedge.
	(diagnostic_manager::add_events_for_eedge): Add "interest" param.
	Use it to add region_creation_events for on-stack regions created
	at function entry, and when pertinent dynamically-sized
	regions are created.
	(diagnostic_manager::prune_for_sm_diagnostic): Add case for
	EK_REGION_CREATION.
	* diagnostic-manager.h (diagnostic_manager::add_events_for_eedge):
	Add "interest" param.
	* pending-diagnostic.cc: Include "selftest.h", "tristate.h",
	"analyzer/call-string.h", "analyzer/program-point.h",
	"analyzer/store.h", and "analyzer/region-model.h".
	(interesting_t::add_region_creation): New.
	(interesting_t::dump_to_pp): New.
	* pending-diagnostic.h (struct interesting_t): New.
	(pending_diagnostic::mark_interesting_stuff): New vfunc.
	* region-model.cc
	(poisoned_value_diagnostic::poisoned_value_diagnostic): Add
	(poisoned_value_diagnostic::operator==): Compare m_pkind and
	m_src_region fields.
	(poisoned_value_diagnostic::mark_interesting_stuff): New.
	(poisoned_value_diagnostic::m_src_region): New.
	(region_model::check_for_poison): Call
	get_region_for_poisoned_expr for uninit values and pass the result
	to the diagnostic.
	(region_model::get_region_for_poisoned_expr): New.
	(region_model::deref_rvalue): Pass NULL for
	poisoned_value_diagnostic's src_region.
	* region-model.h (region_model::get_region_for_poisoned_expr): New
	decl.
	* region.h (frame_region::get_fndecl): New.

2022-01-27 Martin Liska <mliska@suse.cz>

	PR analyzer/104247
	* constraint-manager.cc (bounded_ranges_manager::log_stats):
	Cast to long for format purpose.
	* region-model-manager.cc (log_uniq_map): Likewise.

2022-01-26 David Malcolm <dmalcolm@redhat.com>

	PR analyzer/104224
	* region-model.cc (region_model::check_call_args): New.
	(region_model::on_call_pre): Call it when ignoring stdio builtins.
	* region-model.h (region_model::check_call_args): New decl.

2022-01-26 David Malcolm <dmalcolm@redhat.com>

	PR analyzer/94362
	* constraint-manager.cc (range::add_bound): Fix tests for
	discarding redundant constraints. Perform test for rejecting
	unsatisfiable constraints earlier so that they don't update
	the object on failure.
	(selftest::test_range): New.
	(selftest::test_constant_comparisons): Add test coverage for
	existing constraints becoming narrower until they are
	unsatisfiable.
	(selftest::run_constraint_manager_tests): Call test_range.

2022-01-22 David Malcolm <dmalcolm@redhat.com>

	PR analyzer/104159
	* region-model-manager.cc
	(region_model_manager::get_or_create_cast): Bail out if the types
	are the same. Don't attempt to handle casts involving vector
	types.

2022-01-20 David Malcolm <dmalcolm@redhat.com>

	PR analyzer/94362
	* constraint-manager.cc (bound::ensure_closed): Convert param to
	enum bound_kind.
	(range::constrained_to_single_element): Likewise.
	(range::add_bound): New.
	(constraint_manager::add_constraint): Handle SVAL + OFFSET
	compared to a constant.
	(constraint_manager::get_ec_bounds): Rewrite in terms of
	range::add_bound.
	(constraint_manager::eval_condition): Reject if range::add_bound
	fails.
	(selftest::test_constant_comparisons): Add test coverage for
	various impossible combinations of integer comparisons.
	* constraint-manager.h (enum bound_kind): New.
	(struct bound): Likewise.
	(bound::ensure_closed): Convert param to enum bound_kind.
	(struct range): Convert to...
	(class range): ...this, making fields private.
	(range::add_bound): New decls.
	* region-model.cc (region_model::add_constraint): Fail if
	constraint_manager::add_constraint fails.

2022-01-18 David Malcolm <dmalcolm@redhat.com>

	PR analyzer/104089
	* region-model-manager.cc
	(region_model_manager::get_or_create_constant_svalue): Assert that
	we have a CONSTANT_CLASS_P.
	(region_model_manager::maybe_fold_unaryop): Only fold a constant
	when fold_unary's result is a constant or a cast of a constant.

2022-01-18 David Malcolm <dmalcolm@redhat.com>

	PR analyzer/104062
	* region-model-manager.cc
	(region_model_manager::maybe_fold_sub_svalue): Avoid casting to
	NULL type when folding access to repeated svalue.

2022-01-17 Martin Liska <mliska@suse.cz>

	* analyzer.cc (is_special_named_call_p): Rename .c names to .cc.
	(is_named_call_p): Likewise.
	* region-model-asm.cc (deterministic_p): Likewise.
	* region.cc (field_region::get_relative_concrete_offset): Likewise.
	* sm-malloc.cc (method_p): Likewise.
	* supergraph.cc (superedge::dump_dot): Likewise.

2022-01-14 David Malcolm <dmalcolm@redhat.com>

	* sm-taint.cc (taint_state_machine::combine_states): Handle combination
	of has_ub and has_lb.

2022-01-14 David Malcolm <dmalcolm@redhat.com>

	PR analyzer/104029
	* sm-taint.cc (taint_state_machine::alt_get_inherited_state):
	Remove gcc_unreachable from default case for unary ops.

2022-01-14 David Malcolm <dmalcolm@redhat.com>

	* engine.cc: Include "stringpool.h", "attribs.h", and
	"tree-dfa.h".
	(mark_params_as_tainted): New.
	(class tainted_args_function_custom_event): New.
	(class tainted_args_function_info): New.
	(exploded_graph::add_function_entry): Handle functions with
	"tainted_args" attribute.
	(class tainted_args_field_custom_event): New.
	(class tainted_args_callback_custom_event): New.
	(class tainted_args_call_info): New.
	(add_tainted_args_callback): New.
	(add_any_callbacks): New.
	(exploded_graph::build_initial_worklist): Likewise.
	(exploded_graph::build_initial_worklist): Find callbacks that are
	reachable from global initializers, calling add_any_callbacks on
	them.

2022-01-12 David Malcolm <dmalcolm@redhat.com>

	PR analyzer/103940
	* engine.cc (impl_sm_context::impl_sm_context): Add
	"unknown_side_effects" param and use it to initialize
	new m_unknown_side_effects field.
	(impl_sm_context::unknown_side_effects_p): New.
	(impl_sm_context::m_unknown_side_effects): New.
	(exploded_node::on_stmt): Pass unknown_side_effects to sm_ctxt
	ctor.
	* sm-taint.cc: Include "stringpool.h" and "attribs.h".
	(tainted_size::tainted_size): Drop "dir" param.
	(tainted_size::get_kind): Drop "FINAL".
	(tainted_size::emit): Likewise.
	(tainted_size::m_dir): Drop unused field.
	(class tainted_access_attrib_size): New subclass.
	(taint_state_machine::on_stmt): Call check_for_tainted_size_arg on
	external functions with unknown side effects.
	(taint_state_machine::check_for_tainted_size_arg): New.
	(region_model::check_region_for_taint): Drop "dir" param from
	tainted_size ctor.
	* sm.h (sm_context::unknown_side_effects_p): New.

2022-01-11 David Malcolm <dmalcolm@redhat.com>

	PR analyzer/102692
	* diagnostic-manager.cc
	(class auto_disable_complexity_checks): Rename to...
	(class auto_checking_feasibility): ...this, updating
	the calls accordingly.
	(epath_finder::explore_feasible_paths): Update for renaming.
	* region-model-manager.cc
	(region_model_manager::region_model_manager): Update for change from
	m_check_complexity to m_checking_feasibility.
	(region_model_manager::reject_if_too_complex): Likewise.
	(region_model_manager::get_or_create_unknown_svalue): Handle
	m_checking_feasibility.
	(region_model_manager::create_unique_svalue): New.
	(region_model_manager::maybe_fold_binop): Handle BIT_AND_EXPR and
	BIT_IOR_EXPRs on booleans where we know the result.
	* region-model.cc (test_binop_svalue_folding): Add test coverage
	for the above.
	* region-model.h (region_model_manager::create_unique_svalue): New
	decl.
	(region_model_manager::enable_complexity_check): Replace with...
	(region_model_manager::begin_checking_feasibility): ...this.
	(region_model_manager::disable_complexity_check): Replace with...
	(region_model_manager::end_checking_feasibility): ...this.
	(region_model_manager::m_check_complexity): Replace with...
	(region_model_manager::m_checking_feasibility): ...this.
	(region_model_manager::m_managed_dynamic_svalues): New field.

2022-01-08 David Malcolm <dmalcolm@redhat.com>

	* engine.cc (impl_run_checkers): Pass logger to engine ctor.
	* region-model-manager.cc
	(region_model_manager::region_model_manager): Add logger param and
	use it to initialize m_logger.
	* region-model.cc (engine::engine): New.
	* region-model.h (region_model_manager::region_model_manager):
	Add logger param.
	(region_model_manager::get_logger): New.
	(region_model_manager::m_logger): New field.
	(engine::engine): New.
	* store.cc (store_manager::get_logger): New.
	(store::set_value): Log scope. Log when marking a cluster as
	unknown due to possible aliasing.
	* store.h (store_manager::get_logger): New decl.

2022-01-08 David Malcolm <dmalcolm@redhat.com>

	* region-model-impl-calls.cc (cmp_decls): New.
	(cmp_decls_ptr_ptr): New.
	(region_model::impl_call_analyzer_dump_escaped): New.
	* region-model.cc (region_model::on_stmt_pre): Handle
	__analyzer_dump_escaped.
	* region-model.h (region_model::impl_call_analyzer_dump_escaped):
	New decl.
	* store.h (binding_cluster::get_base_region): New accessor.

2022-01-08 David Malcolm <dmalcolm@redhat.com>

	* region.cc (region::is_named_decl_p): New.
	* region.h (region::is_named_decl_p): New decl.

2022-01-06 David Malcolm <dmalcolm@redhat.com>

	PR analyzer/103546
	* store.cc (store::eval_alias_1): Refactor handling of decl
	regions, adding a test for may_be_aliased, rejecting those for
	which it returns false.

c8dcf64b
GA
49712021-12-12 Jonathan Wakely <jwakely@redhat.com>
4972
4973 * engine.cc: Define INCLUDE_MEMORY instead of INCLUDE_UNIQUE_PTR.
4974
3a580f96
GA
49752021-12-06 David Malcolm <dmalcolm@redhat.com>
4976
4977 PR analyzer/103533
4978 * constraint-manager.cc (equiv_class::contains_non_constant_p):
4979 New.
4980 (constraint_manager::canonicalize): Call it when determining
4981 redundant ECs.
4982 (selftest::test_purging): New selftest.
4983 (selftest::run_constraint_manager_tests): Likewise.
4984 * constraint-manager.h (equiv_class::contains_non_constant_p):
4985 New decl.
4986
2021-12-01  David Malcolm  <dmalcolm@redhat.com>

	PR analyzer/102471
	* region-model-reachability.cc (reachable_regions::handle_parm):
	Treat all svalues within a compound parm as reachable, and those
	wrapped in a cast.

2021-11-29  David Malcolm  <dmalcolm@redhat.com>

	PR analyzer/103217
	* store.cc (binding_cluster::can_merge_p): For the "key is bound"
	vs "key is not bound" merger case, check that the bound svalue
	is mergeable before merging it to "unknown", rejecting the merger
	otherwise.

2021-11-19  David Malcolm  <dmalcolm@redhat.com>

	PR analyzer/103217
	* engine.cc (exploded_graph::get_or_create_node): Pass in
	m_ext_state to program_state::can_merge_with_p.
	(exploded_graph::process_worklist): Likewise.
	(exploded_graph::maybe_process_run_of_before_supernode_enodes):
	Likewise.
	(exploded_graph::process_node): Add missing call to detect_leaks
	when handling phi nodes.
	* program-state.cc (program_state::can_merge_with_p): Add
	"ext_state" param.  Pass it and state ptrs to
	region_model::can_merge_with_p.
	(selftest::test_program_state_merging): Update for new ext_state
	param of program_state::can_merge_with_p.
	(selftest::test_program_state_merging_2): Likewise.
	* program-state.h (program_state::can_purge_p): Make const.
	(program_state::can_merge_with_p): Add "ext_state" param.
	* region-model.cc: Include "analyzer/program-state.h".
	(region_model::can_merge_with_p): Add params "ext_state",
	"state_a", and "state_b", use them when creating model_merger
	object.
	(model_merger::mergeable_svalue_p): New.
	* region-model.h (region_model::can_merge_with_p): Add params
	"ext_state", "state_a", and "state_b".
	(model_merger::model_merger): Likewise, initializing new fields.
	(model_merger::mergeable_svalue_p): New decl.
	(model_merger::m_ext_state): New field.
	(model_merger::m_state_a): New field.
	(model_merger::m_state_b): New field.
	* svalue.cc (svalue::can_merge_p): Call
	model_merger::mergeable_svalue_p on both states and reject the
	merger accordingly.

2021-11-17  David Malcolm  <dmalcolm@redhat.com>

	PR analyzer/102695
	* region-model-impl-calls.cc (region_model::impl_call_strchr): New.
	* region-model-manager.cc
	(region_model_manager::maybe_fold_unaryop): Simplify cast to
	pointer type of an existing pointer to a region.
	* region-model.cc (region_model::on_call_pre): Handle
	BUILT_IN_STRCHR and "strchr".
	(write_to_const_diagnostic::emit): Add auto_diagnostic_group.  Add
	alternate wordings for functions and labels.
	(write_to_const_diagnostic::describe_final_event): Add alternate
	wordings for functions and labels.
	(region_model::check_for_writable_region): Handle RK_FUNCTION and
	RK_LABEL.
	* region-model.h (region_model::impl_call_strchr): New decl.

2021-11-16  David Malcolm  <dmalcolm@redhat.com>

	PR analyzer/102662
	* constraint-manager.cc (bounded_range::operator==): Require the
	types to be the same for equality.

2021-11-13  David Malcolm  <dmalcolm@redhat.com>

	* analyzer.opt (Wanalyzer-tainted-allocation-size): New.
	(Wanalyzer-tainted-divisor): New.
	(Wanalyzer-tainted-offset): New.
	(Wanalyzer-tainted-size): New.
	* engine.cc (impl_region_model_context::get_taint_map): New.
	* exploded-graph.h (impl_region_model_context::get_taint_map):
	New decl.
	* program-state.cc (sm_state_map::get_state): Call
	alt_get_inherited_state.
	(sm_state_map::impl_set_state): Modify states within
	compound svalues.
	(program_state::impl_call_analyzer_dump_state): Undo casts.
	(selftest::test_program_state_1): Update for new context param of
	create_region_for_heap_alloc.
	(selftest::test_program_state_merging): Likewise.
	* region-model-impl-calls.cc (region_model::impl_call_alloca):
	Likewise.
	(region_model::impl_call_calloc): Likewise.
	(region_model::impl_call_malloc): Likewise.
	(region_model::impl_call_operator_new): Likewise.
	(region_model::impl_call_realloc): Likewise.
	* region-model.cc (region_model::check_region_access): Call
	check_region_for_taint.
	(region_model::get_representative_path_var_1): Handle binops.
	(region_model::create_region_for_heap_alloc): Add "ctxt" param and
	pass it to set_dynamic_extents.
	(region_model::create_region_for_alloca): Likewise.
	(region_model::set_dynamic_extents): Add "ctxt" param and use it
	to call check_dynamic_size_for_taint.
	(selftest::test_state_merging): Update for new context param of
	create_region_for_heap_alloc.
	(selftest::test_malloc_constraints): Likewise.
	(selftest::test_malloc): Likewise.
	(selftest::test_alloca): Likewise for create_region_for_alloca.
	* region-model.h (region_model::create_region_for_heap_alloc): Add
	"ctxt" param.
	(region_model::create_region_for_alloca): Likewise.
	(region_model::set_dynamic_extents): Likewise.
	(region_model::check_dynamic_size_for_taint): New decl.
	(region_model::check_region_for_taint): New decl.
	(region_model_context::get_taint_map): New vfunc.
	(noop_region_model_context::get_taint_map): New.
	* sm-taint.cc: Remove include of "diagnostic-event-id.h"; add
	includes of "gimple-iterator.h", "tristate.h", "selftest.h",
	"ordered-hash-map.h", "cgraph.h", "cfg.h", "digraph.h",
	"analyzer/supergraph.h", "analyzer/call-string.h",
	"analyzer/program-point.h", "analyzer/store.h",
	"analyzer/region-model.h", and "analyzer/program-state.h".
	(enum bounds): Move to top of file.
	(class taint_diagnostic): New.
	(class tainted_array_index): Convert to subclass of taint_diagnostic.
	(tainted_array_index::emit): Add CWE-129.  Reword warning to use
	"attacker-controlled" rather than "tainted".
	(tainted_array_index::describe_state_change): Move to
	taint_diagnostic::describe_state_change.
	(tainted_array_index::describe_final_event): Reword to use
	"attacker-controlled" rather than "tainted".
	(class tainted_offset): New.
	(class tainted_size): New.
	(class tainted_divisor): New.
	(class tainted_allocation_size): New.
	(taint_state_machine::alt_get_inherited_state): New.
	(taint_state_machine::on_stmt): In assignment handling, remove
	ARRAY_REF handling in favor of check_region_for_taint.  Add
	detection of tainted divisors.
	(taint_state_machine::get_taint): New.
	(taint_state_machine::combine_states): New.
	(region_model::check_region_for_taint): New.
	(region_model::check_dynamic_size_for_taint): New.
	* sm.h (state_machine::alt_get_inherited_state): New.

2021-11-12  David Malcolm  <dmalcolm@redhat.com>

	* engine.cc (exploded_node::on_stmt_pre): Return when handling
	"__analyzer_dump_state".

2021-11-11  Richard Biener  <rguenther@suse.de>

	* supergraph.cc: Include bitmap.h.

2021-11-04  David Malcolm  <dmalcolm@redhat.com>

	* program-state.cc (sm_state_map::dump): Use default_tree_printer
	as format decoder.

2021-09-16  Maxim Blinov  <maxim.blinov@embecosm.com>

	PR bootstrap/102242
	* engine.cc (INCLUDE_UNIQUE_PTR): Define.

2021-09-08  David Malcolm  <dmalcolm@redhat.com>

	PR analyzer/102225
	* analyzer.h (compat_types_p): New decl.
	* constraint-manager.cc
	(constraint_manager::get_or_add_equiv_class): Guard against NULL
	type when checking for pointer types.
	* region-model-impl-calls.cc (region_model::impl_call_realloc):
	Guard against NULL lhs type/region.  Guard against the size value
	not being of a compatible type for dynamic extents.
	* region-model.cc (compat_types_p): Make non-static.

2021-08-30  David Malcolm  <dmalcolm@redhat.com>

	PR analyzer/99260
	* analyzer.h (class custom_edge_info): New class, adapted from
	exploded_edge::custom_info_t.  Make member functions const.
	Make update_model return bool, converting edge param from
	reference to a pointer, and adding a ctxt param.
	(class path_context): New class.
	* call-info.cc: New file.
	* call-info.h: New file.
	* engine.cc: Include "analyzer/call-info.h" and <memory>.
	(impl_region_model_context::impl_region_model_context): Update for
	new m_path_ctxt field.
	(impl_region_model_context::bifurcate): New.
	(impl_region_model_context::terminate_path): New.
	(impl_region_model_context::get_malloc_map): New.
	(impl_sm_context::impl_sm_context): Update for new m_path_ctxt
	field.
	(impl_sm_context::get_fndecl_for_call): Likewise.
	(impl_sm_context::set_next_state): Likewise.
	(impl_sm_context::warn): Likewise.
	(impl_sm_context::is_zero_assignment): Likewise.
	(impl_sm_context::get_path_context): New.
	(impl_sm_context::m_path_ctxt): New.
	(impl_region_model_context::on_condition): Update for new
	path_ctxt param.  Handle m_enode_for_diag being NULL.
	(impl_region_model_context::on_phi): Update for new path_ctxt
	param.
	(exploded_node::on_stmt): Add path_ctxt param, updating ctor calls
	to use it as necessary.  Use it to bail out after sm-handling,
	if needed.
	(exploded_node::detect_leaks): Update for new path_ctxt param.
	(dynamic_call_info_t::update_model): Update for conversion of
	exploded_edge::custom_info_t to custom_edge_info.
	(dynamic_call_info_t::add_events_to_path): Likewise.
	(rewind_info_t::update_model): Likewise.
	(rewind_info_t::add_events_to_path): Likewise.
	(exploded_edge::exploded_edge): Likewise.
	(exploded_graph::add_edge): Likewise.
	(exploded_graph::maybe_process_run_of_before_supernode_enodes):
	Update for new path_ctxt param.
	(class impl_path_context): New.
	(exploded_graph::process_node): Update for new path_ctxt param.
	Create an impl_path_context and pass it to exploded_node::on_stmt.
	Use it to terminate iterating stmts if terminate_path is called
	on it.  After processing a run of stmts, query path_ctxt to
	potentially terminate the analysis path, and/or to "bifurcate" the
	analysis into multiple additional paths.
	(feasibility_state::maybe_update_for_edge): Update for new
	update_model ctxt param.
	* exploded-graph.h
	(impl_region_model_context::impl_region_model_context): Add
	path_ctxt param.
	(impl_region_model_context::bifurcate): New.
	(impl_region_model_context::terminate_path): New.
	(impl_region_model_context::get_ext_state): New.
	(impl_region_model_context::get_malloc_map): New.
	(impl_region_model_context::m_path_ctxt): New field.
	(exploded_node::on_stmt): Add path_ctxt param.
	(class exploded_edge::custom_info_t): Move to analyzer.h, renaming
	to custom_edge_info, and making the changes as noted in analyzer.h
	above.
	(exploded_edge::exploded_edge): Update for these changes to
	exploded_edge::custom_info_t.
	(exploded_edge::m_custom_info): Likewise.
	(class dynamic_call_info_t): Likewise.
	(class rewind_info_t): Likewise.
	(exploded_graph::add_edge): Likewise.
	* program-state.cc (program_state::on_edge): Update for new
	path_ctxt param.
	(program_state::push_call): Likewise.
	(program_state::returning_call): Likewise.
	(program_state::prune_for_point): Likewise.
	* region-model-impl-calls.cc: Include "analyzer/call-info.h".
	(call_details::get_fndecl_for_call): New.
	(region_model::impl_call_realloc): Reimplement.
	* region-model.cc (region_model::on_call_pre): Move call to
	impl_call_realloc to...
	(region_model::on_call_post): ...here.  Consolidate creation
	of call_details instance.
	(noop_region_model_context::bifurcate): New.
	(noop_region_model_context::terminate_path): New.
	* region-model.h (call_details::get_call_stmt): New.
	(call_details::get_fndecl_for_call): New.
	(region_model::on_realloc_with_move): New.
	(region_model_context::bifurcate): New.
	(region_model_context::terminate_path): New.
	(region_model_context::get_ext_state): New.
	(region_model_context::get_malloc_map): New.
	(noop_region_model_context::bifurcate): New.
	(noop_region_model_context::terminate_path): New.
	(noop_region_model_context::get_ext_state): New.
	(noop_region_model_context::get_malloc_map): New.
	* sm-malloc.cc: Include "analyzer/program-state.h".
	(malloc_state_machine::on_realloc_call): Reimplement.
	(malloc_state_machine::on_realloc_with_move): New.
	(region_model::on_realloc_with_move): New.
	* sm-signal.cc (class signal_delivery_edge_info_t): Update for
	conversion from exploded_edge::custom_info_t to custom_edge_info.
	* sm.h (sm_context::get_path_context): New.
	* svalue.cc (svalue::maybe_get_constant): Call
	unwrap_any_unmergeable.

2021-08-25  Ankur Saini  <arsenic@sourceware.org>

	PR analyzer/101980
	* engine.cc (exploded_graph::maybe_create_dynamic_call): Don't create
	calls if max recursion limit is reached.

2021-08-23  David Malcolm  <dmalcolm@redhat.com>

	* analyzer.h (struct rejected_constraint): Convert to...
	(class rejected_constraint): ...this.
	(class bounded_ranges): New forward decl.
	(class bounded_ranges_manager): New forward decl.
	* constraint-manager.cc: Include "analyzer/analyzer-logging.h" and
	"tree-pretty-print.h".
	(can_plus_one_p): New.
	(plus_one): New.
	(can_minus_one_p): New.
	(minus_one): New.
	(bounded_range::bounded_range): New.
	(dump_cst): New.
	(bounded_range::dump_to_pp): New.
	(bounded_range::dump): New.
	(bounded_range::to_json): New.
	(bounded_range::set_json_attr): New.
	(bounded_range::contains_p): New.
	(bounded_range::intersects_p): New.
	(bounded_range::operator==): New.
	(bounded_range::cmp): New.
	(bounded_ranges::bounded_ranges): New.
	(bounded_ranges::bounded_ranges): New.
	(bounded_ranges::bounded_ranges): New.
	(bounded_ranges::canonicalize): New.
	(bounded_ranges::validate): New.
	(bounded_ranges::operator==): New.
	(bounded_ranges::dump_to_pp): New.
	(bounded_ranges::dump): New.
	(bounded_ranges::to_json): New.
	(bounded_ranges::eval_condition): New.
	(bounded_ranges::contain_p): New.
	(bounded_ranges::cmp): New.
	(bounded_ranges_manager::~bounded_ranges_manager): New.
	(bounded_ranges_manager::get_or_create_empty): New.
	(bounded_ranges_manager::get_or_create_point): New.
	(bounded_ranges_manager::get_or_create_range): New.
	(bounded_ranges_manager::get_or_create_union): New.
	(bounded_ranges_manager::get_or_create_intersection): New.
	(bounded_ranges_manager::get_or_create_inverse): New.
	(bounded_ranges_manager::consolidate): New.
	(bounded_ranges_manager::get_or_create_ranges_for_switch): New.
	(bounded_ranges_manager::create_ranges_for_switch): New.
	(bounded_ranges_manager::make_case_label_ranges): New.
	(bounded_ranges_manager::log_stats): New.
	(bounded_ranges_constraint::print): New.
	(bounded_ranges_constraint::to_json): New.
	(bounded_ranges_constraint::operator==): New.
	(bounded_ranges_constraint::add_to_hash): New.
	(constraint_manager::constraint_manager): Update for new field
	m_bounded_ranges_constraints.
	(constraint_manager::operator=): Likewise.
	(constraint_manager::hash): Likewise.
	(constraint_manager::operator==): Likewise.
	(constraint_manager::print): Likewise.
	(constraint_manager::dump_to_pp): Likewise.
	(constraint_manager::to_json): Likewise.
	(constraint_manager::add_unknown_constraint): Update the lhs_ec_id
	if necessary in existing constraints when combining equivalence
	classes.  Add similar code for handling
	m_bounded_ranges_constraints.
	(constraint_manager::add_constraint_internal): Add comment.
	(constraint_manager::add_bounded_ranges): New.
	(constraint_manager::eval_condition): Use new field
	m_bounded_ranges_constraints.
	(constraint_manager::purge): Update bounded_ranges_constraint
	instances.
	(constraint_manager::canonicalize): Update for new field.
	(merger_fact_visitor::on_ranges): New.
	(constraint_manager::for_each_fact): Use new field
	m_bounded_ranges_constraints.
	(constraint_manager::validate): Fix off-by-one error needed due
	to bug fixed above in add_unknown_constraint.  Validate the EC IDs
	in m_bounded_ranges_constraints.
	(constraint_manager::get_range_manager): New.
	(selftest::assert_dump_bounded_range_eq): New.
	(ASSERT_DUMP_BOUNDED_RANGE_EQ): New.
	(selftest::test_bounded_range): New.
	(selftest::assert_dump_bounded_ranges_eq): New.
	(ASSERT_DUMP_BOUNDED_RANGES_EQ): New.
	(selftest::test_bounded_ranges): New.
	(selftest::run_constraint_manager_tests): Call the new selftests.
	* constraint-manager.h (struct bounded_range): New.
	(struct bounded_ranges): New.
	(template <> struct default_hash_traits<bounded_ranges::key_t>): New.
	(class bounded_ranges_manager): New.
	(fact_visitor::on_ranges): New pure virtual function.
	(class bounded_ranges_constraint): New.
	(constraint_manager::add_bounded_ranges): New decl.
	(constraint_manager::get_range_manager): New decl.
	(constraint_manager::m_bounded_ranges_constraints): New field.
	* diagnostic-manager.cc (epath_finder::process_worklist_item):
	Transfer ownership of rc to add_feasibility_problem.
	* engine.cc (feasibility_problem::dump_to_pp): Use get_model.
	* feasible-graph.cc (infeasible_node::dump_dot): Update for
	conversion of m_rc to a pointer.
	(feasible_graph::add_feasibility_problem): Pass RC by pointer and
	take ownership.
	* feasible-graph.h (infeasible_node::infeasible_node): Pass RC by
	pointer and take ownership.
	(infeasible_node::~infeasible_node): New.
	(infeasible_node::m_rc): Convert to a pointer.
	(feasible_graph::add_feasibility_problem): Pass RC by pointer and
	take ownership.
	* region-model-manager.cc: Include
	"analyzer/constraint-manager.h".
	(region_model_manager::region_model_manager): Initialize new
	field m_range_mgr.
	(region_model_manager::~region_model_manager): Delete it.
	(region_model_manager::log_stats): Call log_stats on it.
	* region-model.cc (region_model::add_constraint): Use new subclass
	rejected_op_constraint.
	(region_model::apply_constraints_for_gswitch): Reimplement using
	bounded_ranges_manager.
	(rejected_constraint::dump_to_pp): Convert to...
	(rejected_op_constraint::dump_to_pp): ...this.
	(rejected_ranges_constraint::dump_to_pp): New.
	* region-model.h (struct purge_stats): Add field
	m_num_bounded_ranges_constraints.
	(region_model_manager::get_range_manager): New.
	(region_model_manager::m_range_mgr): New.
	(region_model::get_range_manager): New.
	(struct rejected_constraint): Split into...
	(class rejected_constraint): ...this new abstract base class,
	and...
	(class rejected_op_constraint): ...this new concrete subclass.
	(class rejected_ranges_constraint): New.
	* supergraph.cc: Include "tree-cfg.h".
	(supergraph::supergraph): Drop idx param from add_cfg_edge.
	(supergraph::add_cfg_edge): Drop idx param.
	(switch_cfg_superedge::switch_cfg_superedge): Move here from
	header.  Populate m_case_labels with all cases which go to DST.
	(switch_cfg_superedge::dump_label_to_pp): Reimplement to use
	m_case_labels.
	(switch_cfg_superedge::get_case_label): Delete.
	* supergraph.h (supergraph::add_cfg_edge): Drop "idx" param.
	(switch_cfg_superedge::switch_cfg_superedge): Drop idx param and
	move implementation to supergraph.cc.
	(switch_cfg_superedge::get_case_label): Delete.
	(switch_cfg_superedge::get_case_labels): New.
	(switch_cfg_superedge::m_idx): Delete.
	(switch_cfg_superedge::m_case_labels): New field.

2021-08-23  David Malcolm  <dmalcolm@redhat.com>

	PR analyzer/101875
	* sm-file.cc (file_diagnostic::describe_state_change): Handle
	change.m_expr being NULL.

2021-08-23  David Malcolm  <dmalcolm@redhat.com>

	PR analyzer/101837
	* analyzer.cc (maybe_reconstruct_from_def_stmt): Bail if fn is
	NULL, and assert that it's non-NULL before passing it to
	build_call_array_loc.

2021-08-23  David Malcolm  <dmalcolm@redhat.com>

	PR analyzer/101962
	* region-model.cc (region_model::eval_condition_without_cm):
	Refactor comparison against zero, adding a check for
	POINTER_PLUS_EXPR of non-NULL.

2021-08-23  David Malcolm  <dmalcolm@redhat.com>

	* store.cc (bit_range::intersects_p): New overload.
	(bit_range::operator-): New.
	(binding_cluster::maybe_get_compound_binding): Handle the partial
	overlap case.
	(selftest::test_bit_range_intersects_p): Add test coverage for
	new overload of bit_range::intersects_p.
	* store.h (bit_range::intersects_p): New overload.
	(bit_range::operator-): New.

2021-08-23  Ankur Saini  <arsenic@sourceware.org>

	PR analyzer/102020
	* diagnostic-manager.cc
	(diagnostic_manager::prune_for_sm_diagnostic)<case EK_CALL_EDGE>: Fix typo.

2021-08-21  Ankur Saini  <arsenic@sourceware.org>

	PR analyzer/101980
	* diagnostic-manager.cc
	(diagnostic_manager::prune_for_sm_diagnostic)<case EK_CALL_EDGE>: Use
	caller_model only when the supergraph_edge doesn't exist.
	(diagnostic_manager::prune_for_sm_diagnostic)<case EK_RETURN_EDGE>:
	Likewise.
	* engine.cc (exploded_graph::create_dynamic_call): Rename to...
	(exploded_graph::maybe_create_dynamic_call): ...this, return call
	creation status.
	(exploded_graph::process_node): Handle calls which were not dynamically
	discovered.
	* exploded-graph.h (exploded_graph::create_dynamic_call): Rename to...
	(exploded_graph::maybe_create_dynamic_call): ...this.
	* region-model.cc (region_model::update_for_gcall): New param, use it
	to push call to frame.
	(region_model::update_for_call_superedge): Pass callee function to
	update_for_gcall.
	* region-model.h (region_model::update_for_gcall): New param.

2021-08-18  Ankur Saini  <arsenic@sourceware.org>

	PR analyzer/97114
	* region-model.cc (region_model::get_rvalue_1): Add case for
	OBJ_TYPE_REF.

2021-08-18  Ankur Saini  <arsenic@sourceware.org>

	PR analyzer/100546
	* analysis-plan.cc (analysis_plan::use_summary_p): Don't use call
	summaries if there is no callgraph edge.
	* checker-path.cc (call_event::call_event): Handle call events that
	are not represented by a supergraph call edge.
	(return_event::return_event): Likewise.
	(call_event::get_desc): Work with new call_event structure.
	(return_event::get_desc): Likewise.
	* checker-path.h (call_event::m_src_snode): New field.
	(call_event::m_dest_snode): New field.
	(return_event::m_src_snode): New field.
	(return_event::m_dest_snode): New field.
	* diagnostic-manager.cc
	(diagnostic_manager::prune_for_sm_diagnostic)<case EK_CALL_EDGE>:
	Refactor to work with edges without callgraph edge.
	(diagnostic_manager::prune_for_sm_diagnostic)<case EK_RETURN_EDGE>:
	Likewise.
	* engine.cc (dynamic_call_info_t::update_model): New function.
	(dynamic_call_info_t::add_events_to_path): New function.
	(exploded_graph::create_dynamic_call): New function.
	(exploded_graph::process_node): Work with dynamically discovered calls.
	* exploded-graph.h (class dynamic_call_info_t): New class.
	(exploded_graph::create_dynamic_call): New decl.
	* program-point.cc (program_point::push_to_call_stack): New function.
	(program_point::pop_from_call_stack): New function.
	* program-point.h (program_point::push_to_call_stack): New decl.
	(program_point::pop_from_call_stack): New decl.
	* program-state.cc (program_state::push_call): New function.
	(program_state::returning_call): New function.
	* program-state.h (program_state::push_call): New decl.
	(program_state::returning_call): New decl.
	* region-model.cc (region_model::update_for_gcall): New function.
	(region_model::update_for_return_gcall): New function.
	(region_model::update_for_call_superedge): Get the underlying gcall and
	update for gcall.
	(region_model::update_for_return_superedge): Likewise.
	* region-model.h (region_model::update_for_gcall): New decl.
	(region_model::update_for_return_gcall): New decl.
	* state-purge.cc (state_purge_per_ssa_name::process_point): Update to
	work with calls without underlying cgraph edge.
	* supergraph.cc (supergraph::supergraph): Split snodes at every callsite.
	* supergraph.h (supernode::get_returning_call): New accessor.

2021-08-04  David Malcolm  <dmalcolm@redhat.com>

	PR analyzer/101570
	* analyzer.cc (maybe_reconstruct_from_def_stmt): Add GIMPLE_ASM
	case.
	* analyzer.h (class asm_output_svalue): New forward decl.
	(class reachable_regions): New forward decl.
	* complexity.cc (complexity::from_vec_svalue): New.
	* complexity.h (complexity::from_vec_svalue): New decl.
	* engine.cc (feasibility_state::maybe_update_for_edge): Handle
	asm stmts by calling on_asm_stmt.
	* region-model-asm.cc: New file.
	* region-model-manager.cc
	(region_model_manager::maybe_fold_asm_output_svalue): New.
	(region_model_manager::get_or_create_asm_output_svalue): New.
	(region_model_manager::log_stats): Log m_asm_output_values_map.
	* region-model.cc (region_model::on_stmt_pre): Handle GIMPLE_ASM.
	* region-model.h (visitor::visit_asm_output_svalue): New.
	(region_model_manager::get_or_create_asm_output_svalue): New decl.
	(region_model_manager::maybe_fold_asm_output_svalue): New decl.
	(region_model_manager::asm_output_values_map_t): New typedef.
	(region_model_manager::m_asm_output_values_map): New field.
	(region_model::on_asm_stmt): New.
	* store.cc (binding_cluster::on_asm): New.
	* store.h (binding_cluster::on_asm): New decl.
	* svalue.cc (svalue::cmp_ptr): Handle SK_ASM_OUTPUT.
	(asm_output_svalue::dump_to_pp): New.
	(asm_output_svalue::dump_input): New.
	(asm_output_svalue::input_idx_to_asm_idx): New.
	(asm_output_svalue::accept): New.
	* svalue.h (enum svalue_kind): Add SK_ASM_OUTPUT.
	(svalue::dyn_cast_asm_output_svalue): New.
	(class asm_output_svalue): New.
	(is_a_helper <const asm_output_svalue *>::test): New.
	(struct default_hash_traits<asm_output_svalue::key_t>): New.

2021-08-03  Jakub Jelinek  <jakub@redhat.com>

	PR analyzer/101721
	* sm-malloc.cc (known_allocator_p): Only check DECL_FUNCTION_CODE on
	BUILT_IN_NORMAL builtins.

2021-07-29  Ankur Saini  <arsenic@sourceware.org>

	* call-string.cc (call_string::element_t::operator==): New operator.
	(call_string::element_t::operator!=): New operator.
	(call_string::element_t::get_caller_function): New function.
	(call_string::element_t::get_callee_function): New function.
	(call_string::call_string): Refactor to initialise m_elements.
	(call_string::operator=): Refactor to work with m_elements.
	(call_string::operator==): Likewise.
	(call_string::to_json): Likewise.
	(call_string::hash): Refactor to hash e.m_caller.
	(call_string::push_call): Refactor to work with m_elements.
	(call_string::push_call): New overload to push call via supernodes.
	(call_string::pop): Refactor to work with m_elements.
	(call_string::calc_recursion_depth): Likewise.
	(call_string::cmp): Likewise.
	(call_string::validate): Likewise.
	(call_string::operator[]): Likewise.
	* call-string.h (class supernode): New forward decl.
	(struct call_string::element_t): New struct.
	(call_string::call_string): Refactor to initialise m_elements.
	(call_string::empty_p): Refactor to work with m_elements.
	(call_string::get_callee_node): New decl.
	(call_string::get_caller_node): New decl.
	(m_elements): Replaces m_return_edges.
	* program-point.cc (program_point::get_function_at_depth): Refactor to
	work with new call-string format.
	(program_point::validate): Likewise.
	(program_point::on_edge): Likewise.

2021-07-28  David Malcolm  <dmalcolm@redhat.com>

	* region-model.cc (region_model::on_call_pre): Treat
	IFN_UBSAN_BOUNDS, BUILT_IN_STACK_SAVE, and BUILT_IN_STACK_RESTORE
	as no-ops, rather than handling them as unknown functions.

2021-07-28  David Malcolm  <dmalcolm@redhat.com>

	* region-model-impl-calls.cc (region_model::impl_call_alloca):
	Drop redundant return value.
	(region_model::impl_call_builtin_expect): Likewise.
	(region_model::impl_call_calloc): Likewise.
	(region_model::impl_call_malloc): Likewise.
	(region_model::impl_call_memset): Likewise.
	(region_model::impl_call_operator_new): Likewise.
	(region_model::impl_call_operator_delete): Likewise.
	(region_model::impl_call_strlen): Likewise.
	* region-model.cc (region_model::on_call_pre): Fix return value of
	known functions that don't have unknown side-effects.
	* region-model.h (region_model::impl_call_alloca): Drop redundant
	return value.
	(region_model::impl_call_builtin_expect): Likewise.
	(region_model::impl_call_calloc): Likewise.
	(region_model::impl_call_malloc): Likewise.
	(region_model::impl_call_memset): Likewise.
	(region_model::impl_call_strlen): Likewise.
	(region_model::impl_call_operator_new): Likewise.
	(region_model::impl_call_operator_delete): Likewise.

2021-07-28  Siddhesh Poyarekar  <siddhesh@gotplt.org>

	* analyzer.cc (is_named_call_p, is_std_named_call_p): Make
	first argument a const_tree.
	* analyzer.h (is_named_call_p, is_std_named_call_p): Likewise.
	* sm-malloc.cc (known_allocator_p): New function.
	(malloc_state_machine::on_stmt): Use it.

2021-07-28  Siddhesh Poyarekar  <siddhesh@gotplt.org>

	* sm-malloc.cc
	(malloc_state_machine::get_or_create_deallocator): Recognize
	__builtin_free.

1a7febe9
GA
56402021-07-26 David Malcolm <dmalcolm@redhat.com>
5641
5642 * region-model.cc (region_model::on_call_pre): Always set conjured
5643 LHS, not just for SSA names.
5644
ead235f6
GA
2021-07-23  David Malcolm  <dmalcolm@redhat.com>

	* diagnostic-manager.cc
	(class auto_disable_complexity_checks): New.
	(epath_finder::explore_feasible_paths): Use it to disable
	complexity checks whilst processing the worklist.
	* region-model-manager.cc
	(region_model_manager::region_model_manager): Initialize
	m_check_complexity.
	(region_model_manager::reject_if_too_complex): Bail if
	m_check_complexity is false.
	* region-model.h
	(region_model_manager::enable_complexity_check): New.
	(region_model_manager::disable_complexity_check): New.
	(region_model_manager::m_check_complexity): New.

2021-07-21  David Malcolm  <dmalcolm@redhat.com>

	PR analyzer/101547
	* sm-file.cc (file_leak::emit): Handle m_arg being NULL.
	(file_leak::describe_final_event): Handle ev.m_expr being NULL.

2021-07-21  David Malcolm  <dmalcolm@redhat.com>

	PR analyzer/101522
	* store.cc (binding_cluster::purge_state_involving): Don't change
	m_map whilst iterating through it.

2021-07-21  David Malcolm  <dmalcolm@redhat.com>

	* region-model.cc (region_model::handle_phi): Add "old_state"
	param and use it.
	(region_model::update_for_phis): Update so that all of the phi
	stmts are effectively handled simultaneously, rather than in
	order.
	* region-model.h (region_model::handle_phi): Add "old_state"
	param.
	* state-purge.cc (self_referential_phi_p): Replace with...
	(name_used_by_phis_p): ...this new function.
	(state_purge_per_ssa_name::process_point): Update to use the
	above, so that all phi stmts at a basic block are effectively
	considered simultaneously, and only consider the phi arguments for
	the pertinent in-edge.
	* supergraph.cc (cfg_superedge::get_phi_arg_idx): New.
	(cfg_superedge::get_phi_arg): Use the above.
	* supergraph.h (cfg_superedge::get_phi_arg_idx): New decl.

2021-07-21  David Malcolm  <dmalcolm@redhat.com>

	* state-purge.cc (state_purge_annotator::add_node_annotations):
	Rather than erroneously always using the NULL in-edge, determine
	each relevant in-edge, and print the appropriate data for each
	in-edge. Use print_needed to print the data as comma-separated
	lists of SSA names.
	(print_vec_of_names): Add "within_table" param and use it.
	(state_purge_annotator::add_stmt_annotations): Factor out
	collation and printing code into...
	(state_purge_annotator::print_needed): ...this new function.
	* state-purge.h (state_purge_annotator::print_needed): New decl.

2021-07-21  David Malcolm  <dmalcolm@redhat.com>

	* program-point.cc (function_point::print): Show src BB index at
	BEFORE_SUPERNODE.

2021-07-21  David Malcolm  <dmalcolm@redhat.com>

	* svalue.cc (infix_p): New.
	(binop_svalue::dump_to_pp): Use it to print MIN_EXPR and MAX_EXPR
	in prefix form, rather than infix.

2021-07-19  David Malcolm  <dmalcolm@redhat.com>

	PR analyzer/101503
	* constraint-manager.cc (constraint_manager::add_constraint): Use
	can_have_associated_state_p rather than testing for unknown.
	(constraint_manager::get_or_add_equiv_class): Likewise.
	* program-state.cc (sm_state_map::set_state): Likewise.
	(sm_state_map::impl_set_state): Add assertion.
	* region-model-manager.cc
	(region_model_manager::maybe_fold_unaryop): Handle poisoned
	values.
	(region_model_manager::maybe_fold_binop): Move handling of unknown
	values...
	(region_model_manager::get_or_create_binop): ...to here, and
	generalize to use can_have_associated_state_p.
	(region_model_manager::maybe_fold_sub_svalue): Use
	can_have_associated_state_p rather than testing for unknown.
	(region_model_manager::maybe_fold_repeated_svalue): Use unknown
	when the size or repeated value is "unknown"/"poisoned".
	* region-model.cc (region_model::purge_state_involving): Reject
	attempts to purge unknown/poisoned svalues, as these svalues
	should not have state associated with them.
	* svalue.cc (sub_svalue::sub_svalue): Assert that we're building
	on top of an svalue with can_have_associated_state_p.
	(repeated_svalue::repeated_svalue): Likewise.
	(bits_within_svalue::bits_within_svalue): Likewise.
	* svalue.h (svalue::can_have_associated_state_p): New.
	(unknown_svalue::can_have_associated_state_p): New.
	(poisoned_svalue::can_have_associated_state_p): New.
	(unaryop_svalue::unaryop_svalue): Assert that we're building on
	top of an svalue with can_have_associated_state_p.
	(binop_svalue::binop_svalue): Likewise.
	(widening_svalue::widening_svalue): Likewise.

2021-07-16  David Malcolm  <dmalcolm@redhat.com>

	* analyzer.h (enum access_direction): New.
	* engine.cc (exploded_node::on_longjmp): Update for new param of
	get_store_value.
	* program-state.cc (program_state::prune_for_point): Likewise.
	* region-model-impl-calls.cc (region_model::impl_call_memcpy):
	Replace call to check_for_writable_region with call to
	check_region_for_write.
	(region_model::impl_call_memset): Likewise.
	(region_model::impl_call_strcpy): Likewise.
	* region-model-reachability.cc (reachable_regions::add): Update
	for new param of get_store_value.
	* region-model.cc (region_model::get_rvalue_1): Likewise, also for
	get_rvalue_for_bits.
	(region_model::get_store_value): Add ctxt param and use it to call
	check_region_for_read.
	(region_model::get_rvalue_for_bits): Add ctxt param and use it to
	call get_store_value.
	(region_model::check_region_access): New.
	(region_model::check_region_for_write): New.
	(region_model::check_region_for_read): New.
	(region_model::set_value): Update comment. Replace call to
	check_for_writable_region with call to check_region_for_write.
	* region-model.h (region_model::get_rvalue_for_bits): Add ctxt
	param.
	(region_model::get_store_value): Add ctxt param.
	(region_model::check_region_access): New decl.
	(region_model::check_region_for_write): New decl.
	(region_model::check_region_for_read): New decl.
	* region.cc (region_model::copy_region): Update call to
	get_store_value.
	* svalue.cc (initial_svalue::implicitly_live_p): Likewise.

2021-07-16  David Malcolm  <dmalcolm@redhat.com>

	* engine.cc (exploded_node::on_stmt_pre): Handle
	__analyzer_dump_state.
	* program-state.cc (extrinsic_state::get_sm_idx_by_name): New.
	(program_state::impl_call_analyzer_dump_state): New.
	* program-state.h (extrinsic_state::get_sm_idx_by_name): New decl.
	(program_state::impl_call_analyzer_dump_state): New decl.
	* region-model-impl-calls.cc
	(call_details::get_arg_string_literal): New.
	* region-model.h (call_details::get_arg_string_literal): New decl.

2021-07-16  David Malcolm  <dmalcolm@redhat.com>

	* program-state.cc (program_state::detect_leaks): Simplify using
	svalue::maybe_get_region.
	* region-model-impl-calls.cc (region_model::impl_call_fgets): Likewise.
	(region_model::impl_call_fread): Likewise.
	(region_model::impl_call_free): Likewise.
	(region_model::impl_call_operator_delete): Likewise.
	* region-model.cc (selftest::test_stack_frames): Likewise.
	(selftest::test_state_merging): Likewise.
	* svalue.cc (svalue::maybe_get_region): New.
	* svalue.h (svalue::maybe_get_region): New decl.

2021-07-15  David Malcolm  <dmalcolm@redhat.com>

	* svalue.h (is_a_helper <placeholder_svalue *>::test): Make
	param and template param const.
	(is_a_helper <widening_svalue *>::test): Likewise.
	(is_a_helper <compound_svalue *>::test): Likewise.
	(is_a_helper <conjured_svalue *>::test): Likewise.

2021-07-15  David Malcolm  <dmalcolm@redhat.com>

	PR analyzer/95006
	PR analyzer/94713
	PR analyzer/94714
	* analyzer.cc (maybe_reconstruct_from_def_stmt): Split out
	GIMPLE_ASSIGN case into...
	(get_diagnostic_tree_for_gassign_1): New.
	(get_diagnostic_tree_for_gassign): New.
	* analyzer.h (get_diagnostic_tree_for_gassign): New decl.
	* analyzer.opt (Wanalyzer-write-to-string-literal): New.
	* constraint-manager.cc (class svalue_purger): New.
	(constraint_manager::purge_state_involving): New.
	* constraint-manager.h
	(constraint_manager::purge_state_involving): New.
	* diagnostic-manager.cc (saved_diagnostic::supercedes_p): New.
	(dedupe_winners::handle_interactions): New.
	(diagnostic_manager::emit_saved_diagnostics): Call it.
	* diagnostic-manager.h (saved_diagnostic::supercedes_p): New decl.
	* engine.cc (impl_region_model_context::warn): Convert return type
	to bool. Return false if the diagnostic isn't saved.
	(impl_region_model_context::purge_state_involving): New.
	(impl_sm_context::get_state): Use NULL ctxt when querying old
	rvalue.
	(impl_sm_context::set_next_state): Use new sval when querying old
	state.
	(class dump_path_diagnostic): Move to region-model.cc
	(exploded_node::on_stmt): Move to on_stmt_pre and on_stmt_post.
	Remove call to purge_state_involving.
	(exploded_node::on_stmt_pre): New, based on the above. Move most
	of it to region_model::on_stmt_pre.
	(exploded_node::on_stmt_post): Likewise, moving to
	region_model::on_stmt_post.
	(class stale_jmp_buf): Fix parent class to use curiously recurring
	template pattern.
	(feasibility_state::maybe_update_for_edge): Call on_call_pre and
	on_call_post on gcalls.
	* exploded-graph.h (impl_region_model_context::warn): Return bool.
	(impl_region_model_context::purge_state_involving): New decl.
	(exploded_node::on_stmt_pre): New decl.
	(exploded_node::on_stmt_post): New decl.
	* pending-diagnostic.h (pending_diagnostic::use_of_uninit_p): New.
	(pending_diagnostic::supercedes_p): New.
	* program-state.cc (sm_state_map::get_state): Inherit state for
	conjured_svalue as well as initial_svalue.
	(sm_state_map::purge_state_involving): Also support SK_CONJURED.
	* region-model-impl-calls.cc (call_details::get_uncertainty):
	Handle m_ctxt being NULL.
	(call_details::get_or_create_conjured_svalue): New.
	(region_model::impl_call_fgets): New.
	(region_model::impl_call_fread): New.
	* region-model-manager.cc
	(region_model_manager::get_or_create_initial_value): Return an
	uninitialized poisoned value for regions that can't have initial
	values.
	* region-model-reachability.cc
	(reachable_regions::mark_escaped_clusters): Handle ctxt being
	NULL.
	* region-model.cc (region_to_value_map::purge_state_involving): New.
	(poisoned_value_diagnostic::use_of_uninit_p): New.
	(poisoned_value_diagnostic::emit): Handle POISON_KIND_UNINIT.
	(poisoned_value_diagnostic::describe_final_event): Likewise.
	(region_model::check_for_poison): New.
	(region_model::on_assignment): Call it.
	(class dump_path_diagnostic): Move here from engine.cc.
	(region_model::on_stmt_pre): New, based on exploded_node::on_stmt.
	(region_model::on_call_pre): Move the setting of the LHS to a
	conjured svalue to before the checks for specific functions.
	Handle "fgets", "fgets_unlocked", and "fread".
	(region_model::purge_state_involving): New.
	(region_model::handle_unrecognized_call): Handle ctxt being NULL.
	(region_model::get_rvalue): Call check_for_poison.
	(selftest::test_stack_frames): Use NULL for context when getting
	uninitialized rvalue.
	(selftest::test_alloca): Likewise.
	* region-model.h (region_to_value_map::purge_state_involving): New
	decl.
	(call_details::get_or_create_conjured_svalue): New decl.
	(region_model::on_stmt_pre): New decl.
	(region_model::purge_state_involving): New decl.
	(region_model::impl_call_fgets): New decl.
	(region_model::impl_call_fread): New decl.
	(region_model::check_for_poison): New decl.
	(region_model_context::warn): Return bool.
	(region_model_context::purge_state_involving): New.
	(noop_region_model_context::warn): Return bool.
	(noop_region_model_context::purge_state_involving): New.
	(test_region_model_context::warn): Return bool.
	* region.cc (region::get_memory_space): New.
	(region::can_have_initial_svalue_p): New.
	(region::involves_p): New.
	* region.h (enum memory_space): New.
	(region::get_memory_space): New decl.
	(region::can_have_initial_svalue_p): New decl.
	(region::involves_p): New decl.
	* sm-malloc.cc (use_after_free::supercedes_p): New.
	* store.cc (binding_cluster::purge_state_involving): New.
	(store::purge_state_involving): New.
	* store.h (class symbolic_binding): New forward decl.
	(binding_key::dyn_cast_symbolic_binding): New.
	(symbolic_binding::dyn_cast_symbolic_binding): New.
	(binding_cluster::purge_state_involving): New.
	(store::purge_state_involving): New.
	* svalue.cc (svalue::can_merge_p): Reject attempts to merge
	poisoned svalues with other svalues, so that we identify
	paths in which a variable is conditionally uninitialized.
	(involvement_visitor::visit_conjured_svalue): New.
	(svalue::involves_p): Also handle SK_CONJURED.
	(poison_kind_to_str): Handle POISON_KIND_UNINIT.
	(poisoned_svalue::maybe_fold_bits_within): New.
	* svalue.h (enum poison_kind): Add POISON_KIND_UNINIT.
	(poisoned_svalue::maybe_fold_bits_within): New decl.

2021-07-15  David Malcolm  <dmalcolm@redhat.com>

	* analyzer.opt (fdump-analyzer-exploded-paths): New.
	* diagnostic-manager.cc
	(diagnostic_manager::emit_saved_diagnostic): Implement it.
	* engine.cc (exploded_path::dump_to_pp): Add ext_state param and
	use it to dump states if non-NULL.
	(exploded_path::dump): Likewise.
	(exploded_path::dump_to_file): New.
	* exploded-graph.h (exploded_path::dump_to_pp): Add ext_state
	param.
	(exploded_path::dump): Likewise.
	(exploded_path::dump): Likewise.
	(exploded_path::dump_to_file): New.

2021-07-15  David Malcolm  <dmalcolm@redhat.com>

	* analyzer.cc (fixup_tree_for_diagnostic_1): Use DECL_DEBUG_EXPR
	if it's available.
	* engine.cc (readability): Likewise.

2021-07-15  David Malcolm  <dmalcolm@redhat.com>

	* state-purge.cc (self_referential_phi_p): New.
	(state_purge_per_ssa_name::process_point): Don't purge an SSA name
	at its def-stmt if the def-stmt is self-referential.

2021-07-07  David Malcolm  <dmalcolm@redhat.com>

	* diagnostic-manager.cc (null_assignment_sm_context::get_state):
	New overload.
	(null_assignment_sm_context::set_next_state): New overload.
	(null_assignment_sm_context::get_diagnostic_tree): New.
	* engine.cc (impl_sm_context::get_state): New overload.
	(impl_sm_context::set_next_state): New overload.
	(impl_sm_context::get_diagnostic_tree): New overload.
	(impl_region_model_context::on_condition): Convert params from
	tree to const svalue *.
	* exploded-graph.h (impl_region_model_context::on_condition):
	Likewise.
	* region-model.cc (region_model::on_call_pre): Move handling of
	internal calls to before checking for get_fndecl_for_call.
	(region_model::add_constraints_from_binop): New.
	(region_model::add_constraint): Split out into a new overload
	working on const svalue * rather than tree. Call
	add_constraints_from_binop. Drop call to
	add_any_constraints_from_ssa_def_stmt.
	(region_model::add_any_constraints_from_ssa_def_stmt): Delete.
	(region_model::add_any_constraints_from_gassign): Delete.
	(region_model::add_any_constraints_from_gcall): Delete.
	* region-model.h
	(region_model::add_any_constraints_from_ssa_def_stmt): Delete.
	(region_model::add_any_constraints_from_gassign): Delete.
	(region_model::add_any_constraints_from_gcall): Delete.
	(region_model::add_constraint): Add overload decl.
	(region_model::add_constraints_from_binop): New decl.
	(region_model_context::on_condition): Convert params from tree to
	const svalue *.
	(noop_region_model_context::on_condition): Likewise.
	* sm-file.cc (fileptr_state_machine::condition): Likewise.
	* sm-malloc.cc (malloc_state_machine::on_condition): Likewise.
	* sm-pattern-test.cc: Include tristate.h, selftest.h,
	analyzer/call-string.h, analyzer/program-point.h,
	analyzer/store.h, and analyzer/region-model.h.
	(pattern_test_state_machine::on_condition): Convert params from tree to
	const svalue *.
	* sm-sensitive.cc (sensitive_state_machine::on_condition): Delete.
	* sm-signal.cc (signal_state_machine::on_condition): Delete.
	* sm-taint.cc (taint_state_machine::on_condition): Convert params
	from tree to const svalue *.
	* sm.cc: Include tristate.h, selftest.h, analyzer/call-string.h,
	analyzer/program-point.h, analyzer/store.h, and
	analyzer/region-model.h.
	(any_pointer_p): Add overload taking const svalue *sval.
	* sm.h (any_pointer_p): Add overload taking const svalue *sval.
	(state_machine::on_condition): Convert params from tree to
	const svalue *. Provide no-op default implementation.
	(sm_context::get_state): Add overload taking const svalue *sval.
	(sm_context::set_next_state): Likewise.
	(sm_context::on_transition): Likewise.
	(sm_context::get_diagnostic_tree): Likewise.
	* svalue.cc (svalue::all_zeroes_p): New.
	(constant_svalue::all_zeroes_p): New.
	(repeated_svalue::all_zeroes_p): Convert to vfunc.
	* svalue.h (svalue::all_zeroes_p): New decl.
	(constant_svalue::all_zeroes_p): New decl.
	(repeated_svalue::all_zeroes_p): Convert decl to vfunc.

2021-06-30  David Malcolm  <dmalcolm@redhat.com>

	PR analyzer/95006
	* analyzer.h (class repeated_svalue): New forward decl.
	(class bits_within_svalue): New forward decl.
	(class sized_region): New forward decl.
	(get_field_at_bit_offset): New forward decl.
	* engine.cc (exploded_graph::get_or_create_node): Validate the
	merged state.
	(exploded_graph::maybe_process_run_of_before_supernode_enodes):
	Validate the states at each stage.
	* program-state.cc (program_state::validate): Validate
	m_region_model.
	* region-model-impl-calls.cc (region_model::impl_call_memset):
	Replace special-case logic for handling constant sizes with
	a call to fill_region of a sized_region with the given fill value.
	* region-model-manager.cc (maybe_undo_optimize_bit_field_compare):
	Drop DK_direct.
	(region_model_manager::maybe_fold_sub_svalue): Fold element-based
	subregions of an initial value into initial values of an element.
	Fold subvalues of repeated svalues.
	(region_model_manager::maybe_fold_repeated_svalue): New.
	(region_model_manager::get_or_create_repeated_svalue): New.
	(get_bit_range_for_field): New.
	(get_byte_range_for_field): New.
	(get_field_at_byte_range): New.
	(region_model_manager::maybe_fold_bits_within_svalue): New.
	(region_model_manager::get_or_create_bits_within): New.
	(region_model_manager::get_sized_region): New.
	(region_model_manager::log_stats): Update for addition of
	m_repeated_values_map, m_bits_within_values_map, and
	m_sized_regions.
	* region-model.cc (region_model::validate): New.
	(region_model::on_assignment): Drop enum binding_kind.
	(region_model::get_initial_value_for_global): Likewise.
	(region_model::get_rvalue_for_bits): Replace body with call to
	get_or_create_bits_within.
	(region_model::get_capacity): Handle RK_SIZED.
	(region_model::set_value): Drop enum binding_kind.
	(region_model::fill_region): New.
	(region_model::get_representative_path_var_1): Handle RK_SIZED.
	* region-model.h (visitor::visit_repeated_svalue): New.
	(visitor::visit_bits_within_svalue): New.
	(region_model_manager::get_or_create_repeated_svalue): New decl.
	(region_model_manager::get_or_create_bits_within): New decl.
	(region_model_manager::get_sized_region): New decl.
	(region_model_manager::maybe_fold_repeated_svalue): New decl.
	(region_model_manager::maybe_fold_bits_within_svalue): New decl.
	(region_model_manager::repeated_values_map_t): New typedef.
	(region_model_manager::m_repeated_values_map): New field.
	(region_model_manager::bits_within_values_map_t): New typedef.
	(region_model_manager::m_bits_within_values_map): New field.
	(region_model_manager::m_sized_regions): New field.
	(region_model::fill_region): New decl.
	* region.cc (region::get_base_region): Handle RK_SIZED.
	(region::base_region_p): Likewise.
	(region::get_byte_size_sval): New.
	(get_field_at_bit_offset): Make non-static.
	(region::calc_offset): Move implementation of cases to
	get_relative_concrete_offset vfunc implementations. Handle
	RK_SIZED.
	(region::get_relative_concrete_offset): New.
	(decl_region::get_svalue_for_initializer): Drop enum binding_kind.
	(field_region::get_relative_concrete_offset): New, from
	region::calc_offset.
	(element_region::get_relative_concrete_offset): Likewise.
	(offset_region::get_relative_concrete_offset): Likewise.
	(sized_region::accept): New.
	(sized_region::dump_to_pp): New.
	(sized_region::get_byte_size): New.
	(sized_region::get_bit_size): New.
	* region.h (enum region_kind): Add RK_SIZED.
	(region::dyn_cast_sized_region): New.
	(region::get_byte_size): Make virtual.
	(region::get_bit_size): Likewise.
	(region::get_byte_size_sval): New decl.
	(region::get_relative_concrete_offset): New decl.
	(field_region::get_relative_concrete_offset): New decl.
	(element_region::get_relative_concrete_offset): Likewise.
	(offset_region::get_relative_concrete_offset): Likewise.
	(class sized_region): New.
	* store.cc (binding_kind_to_string): Delete.
	(binding_key::make): Drop enum binding_kind.
	(binding_key::dump_to_pp): Delete.
	(binding_key::cmp_ptrs): Drop enum binding_kind.
	(bit_range::contains_p): New.
	(byte_range::dump): New.
	(byte_range::contains_p): New.
	(byte_range::cmp): New.
	(concrete_binding::dump_to_pp): Drop enum binding_kind.
	(concrete_binding::cmp_ptr_ptr): Likewise.
	(symbolic_binding::dump_to_pp): Likewise.
	(symbolic_binding::cmp_ptr_ptr): Likewise.
	(binding_map::apply_ctor_val_to_range): Likewise.
	(binding_map::apply_ctor_pair_to_child_region): Likewise.
	(binding_map::get_overlapping_bindings): New.
	(binding_map::remove_overlapping_bindings): New.
	(binding_cluster::validate): New.
	(binding_cluster::bind): Drop enum binding_kind.
	(binding_cluster::bind_compound_sval): Likewise.
	(binding_cluster::purge_region): Likewise.
	(binding_cluster::zero_fill_region): Reimplement in terms of...
	(binding_cluster::fill_region): New.
	(binding_cluster::mark_region_as_unknown): Drop enum binding_kind.
	(binding_cluster::get_binding): Likewise.
	(binding_cluster::get_binding_recursive): Likewise.
	(binding_cluster::get_any_binding): Likewise.
	(binding_cluster::maybe_get_compound_binding): Reimplement.
	(binding_cluster::get_overlapping_bindings): Delete.
	(binding_cluster::remove_overlapping_bindings): Reimplement in
	terms of binding_map::remove_overlapping_bindings.
	(binding_cluster::can_merge_p): Update for removal of
	enum binding_kind.
	(binding_cluster::on_unknown_fncall): Drop enum binding_kind.
	(binding_cluster::maybe_get_simple_value): Likewise.
	(store_manager::get_concrete_binding): Likewise.
	(store_manager::get_symbolic_binding): Likewise.
	(store::validate): New.
	(store::set_value): Drop enum binding_kind.
	(store::zero_fill_region): Reimplement in terms of...
	(store::fill_region): New.
	(selftest::test_binding_key_overlap): Drop enum binding_kind.
	* store.h (enum binding_kind): Delete.
	(binding_kind_to_string): Delete decl.
	(binding_key::make): Drop enum binding_kind.
	(binding_key::dump_to_pp): Make pure virtual.
	(binding_key::get_kind): Delete.
	(binding_key::mark_deleted): Delete.
	(binding_key::mark_empty): Delete.
	(binding_key::is_deleted): Delete.
	(binding_key::is_empty): Delete.
	(binding_key::binding_key): Delete.
	(binding_key::impl_hash): Delete.
	(binding_key::impl_eq): Delete.
	(binding_key::m_kind): Delete.
	(bit_range::get_last_bit_offset): New.
	(bit_range::contains_p): New.
	(byte_range::contains_p): New.
	(byte_range::operator==): New.
	(byte_range::get_start_byte_offset): New.
	(byte_range::get_next_byte_offset): New.
	(byte_range::get_last_byte_offset): New.
	(byte_range::as_bit_range): New.
	(byte_range::cmp): New.
	(concrete_binding::concrete_binding): Drop enum binding_kind.
	(concrete_binding::hash): Likewise.
	(concrete_binding::operator==): Likewise.
	(concrete_binding::mark_deleted): New.
	(concrete_binding::mark_empty): New.
	(concrete_binding::is_deleted): New.
	(concrete_binding::is_empty): New.
	(default_hash_traits<ana::concrete_binding>::empty_zero_p): Make false.
	(symbolic_binding::symbolic_binding): Drop enum binding_kind.
	(symbolic_binding::hash): Likewise.
	(symbolic_binding::operator==): Likewise.
	(symbolic_binding::mark_deleted): New.
	(symbolic_binding::mark_empty): New.
	(symbolic_binding::is_deleted): New.
	(symbolic_binding::is_empty): New.
	(binding_map::remove_overlapping_bindings): New decl.
	(binding_map::get_overlapping_bindings): New decl.
	(binding_cluster::validate): New decl.
	(binding_cluster::bind): Drop enum binding_kind.
	(binding_cluster::fill_region): New decl.
	(binding_cluster::get_binding): Drop enum binding_kind.
	(binding_cluster::get_binding_recursive): Likewise.
	(binding_cluster::get_overlapping_bindings): Delete.
	(store::validate): New decl.
	(store::set_value): Drop enum binding_kind.
	(store::fill_region): New decl.
	(store_manager::get_concrete_binding): Drop enum binding_kind.
	(store_manager::get_symbolic_binding): Likewise.
	* svalue.cc (svalue::cmp_ptr): Handle SK_REPEATED and
	SK_BITS_WITHIN.
	(svalue::extract_bit_range): New.
	(svalue::maybe_fold_bits_within): New.
	(constant_svalue::maybe_fold_bits_within): New.
	(unknown_svalue::maybe_fold_bits_within): New.
	(unaryop_svalue::maybe_fold_bits_within): New.
	(repeated_svalue::repeated_svalue): New.
	(repeated_svalue::dump_to_pp): New.
	(repeated_svalue::accept): New.
	(repeated_svalue::all_zeroes_p): New.
	(repeated_svalue::maybe_fold_bits_within): New.
	(bits_within_svalue::bits_within_svalue): New.
	(bits_within_svalue::dump_to_pp): New.
	(bits_within_svalue::maybe_fold_bits_within): New.
	(bits_within_svalue::accept): New.
	(bits_within_svalue::implicitly_live_p): New.
	(compound_svalue::maybe_fold_bits_within): New.
	* svalue.h (enum svalue_kind): Add SK_REPEATED and SK_BITS_WITHIN.
	(svalue::dyn_cast_repeated_svalue): New.
	(svalue::dyn_cast_bits_within_svalue): New.
	(svalue::extract_bit_range): New decl.
	(svalue::maybe_fold_bits_within): New vfunc decl.
	(region_svalue::key_t::mark_empty): Use 2 rather than NULL_TREE.
	(region_svalue::key_t::is_empty): Likewise.
	(default_hash_traits<region_svalue::key_t>::empty_zero_p): Make false.
	(constant_svalue::maybe_fold_bits_within): New.
	(unknown_svalue::maybe_fold_bits_within): New.
	(poisoned_svalue::key_t::mark_empty): Use 2 rather than NULL_TREE.
	(poisoned_svalue::key_t::is_empty): Likewise.
	(default_hash_traits<poisoned_svalue::key_t>::empty_zero_p): Make
	false.
	(setjmp_svalue::key_t::mark_empty): Use 2 rather than NULL_TREE.
	(setjmp_svalue::key_t::is_empty): Likewise.
	(default_hash_traits<setjmp_svalue::key_t>::empty_zero_p): Make
	false.
	(unaryop_svalue::key_t::mark_empty): Use 2 rather than NULL_TREE.
	(unaryop_svalue::key_t::is_empty): Likewise.
	(unaryop_svalue::maybe_fold_bits_within): New.
	(default_hash_traits<unaryop_svalue::key_t>::empty_zero_p): Make
	false.
	(binop_svalue::key_t::mark_empty): Use 2 rather than NULL_TREE.
	(binop_svalue::key_t::is_empty): Likewise.
	(default_hash_traits<binop_svalue::key_t>::empty_zero_p): Make
	false.
	(sub_svalue::key_t::mark_empty): Use 2 rather than NULL_TREE.
	(sub_svalue::key_t::is_empty): Likewise.
	(default_hash_traits<sub_svalue::key_t>::empty_zero_p): Make
	false.
	(class repeated_svalue): New.
	(is_a_helper <const repeated_svalue *>::test): New.
	(struct default_hash_traits<repeated_svalue::key_t>): New.
	(class bits_within_svalue): New.
	(is_a_helper <const bits_within_svalue *>::test): New.
	(struct default_hash_traits<bits_within_svalue::key_t>): New.
	(widening_svalue::key_t::mark_empty): Use 2 rather than NULL_TREE.
	(widening_svalue::key_t::is_empty): Likewise.
	(default_hash_traits<widening_svalue::key_t>::empty_zero_p): Make
	false.
	(compound_svalue::key_t::mark_empty): Use 2 rather than NULL_TREE.
	(compound_svalue::key_t::is_empty): Likewise.
	(compound_svalue::maybe_fold_bits_within): New.
	(default_hash_traits<compound_svalue::key_t>::empty_zero_p): Make
	false.

2021-06-28  David Malcolm  <dmalcolm@redhat.com>

	* analyzer.h (byte_offset_t): New typedef.
	* store.cc (bit_range::dump_to_pp): Dump as a byte range if
	possible.
	(bit_range::as_byte_range): New.
	(byte_range::dump_to_pp): New.
	* store.h (class byte_range): New forward decl.
	(struct bit_range): Add comment.
	(bit_range::as_byte_range): New decl.
	(struct byte_range): New.

2021-06-22  David Malcolm  <dmalcolm@redhat.com>

	PR analyzer/101143
	* region-model.cc (compat_types_p): New function.
	(region_model::create_region_for_heap_alloc): Convert assertion to
	an error check.
	(region_model::create_region_for_alloca): Likewise.

2021-06-18  David Malcolm  <dmalcolm@redhat.com>

	* store.cc (binding_cluster::get_any_binding): Make symbolic reads
	from a cluster with concrete bindings return unknown.

2021-06-18  David Malcolm  <dmalcolm@redhat.com>

	* region-model-manager.cc
	(region_model_manager::get_or_create_int_cst): New.
	(region_model_manager::maybe_undo_optimize_bit_field_compare): Use
	it to simplify away a local tree.
	* region-model.cc (region_model::on_setjmp): Likewise.
	(region_model::on_longjmp): Likewise.
	* region-model.h (region_model_manager::get_or_create_int_cst):
	New decl.
	* store.cc (binding_cluster::zero_fill_region): Use it to simplify
	away a local tree.

2021-06-18  David Malcolm  <dmalcolm@redhat.com>

	* checker-path.cc (class custom_event): Make abstract to allow for
	custom vfuncs, splitting existing implementation into...
	(class precanned_custom_event): New subclass.
	(custom_event::get_desc): Move to...
	(precanned_custom_event::get_desc): ...subclass.
	* checker-path.h (class custom_event): Make abstract to allow for
	custom vfuncs, splitting existing implementation into...
	(class precanned_custom_event): New subclass.
	* diagnostic-manager.cc (diagnostic_manager::add_events_for_eedge):
	Use precanned_custom_event.
	* engine.cc
	(stale_jmp_buf::maybe_add_custom_events_for_superedge): Likewise.
	* sm-signal.cc (signal_delivery_edge_info_t::add_events_to_path):
	Likewise.

2021-06-15  David Malcolm  <dmalcolm@redhat.com>

	PR analyzer/99212
	PR analyzer/101082
	* engine.cc: Include "target.h".
	(impl_run_checkers): Log BITS_BIG_ENDIAN, BYTES_BIG_ENDIAN, and
	WORDS_BIG_ENDIAN.
	* region-model-manager.cc
	(region_model_manager::maybe_fold_binop): Move support for masking
	via ARG0 & CST into...
	(region_model_manager::maybe_undo_optimize_bit_field_compare):
	...this new function.  Flatten by converting from nested
	conditionals to a series of early return statements to reject
	failures.  Reject if type is not unsigned_char_type_node.
	Handle BYTES_BIG_ENDIAN when determining which bits are bound
	in the binding_map.
	* region-model.h
	(region_model_manager::maybe_undo_optimize_bit_field_compare):
	New decl.
	* store.cc (bit_range::dump): New function.
	* store.h (bit_range::dump): New decl.

2021-06-15  David Malcolm  <dmalcolm@redhat.com>

	* engine.cc (exploded_node::on_stmt): Handle __analyzer_dump_capacity.
	(exploded_node::on_stmt): Drop m_sm_changes from on_stmt_flags.
	(state_change_requires_new_enode_p): New function...
	(exploded_graph::process_node): Call it, rather than querying
	flags.m_sm_changes, so that dynamic-extent differences can also
	trigger the splitting of nodes.
	* exploded-graph.h (struct on_stmt_flags): Drop field m_sm_changes.
	* program-state.cc (program_state::detect_leaks): Purge dead
	heap-allocated regions from dynamic extents.
	(selftest::test_program_state_1): Fix type of "size_in_bytes".
	(selftest::test_program_state_merging): Likewise.
	* region-model-impl-calls.cc
	(region_model::impl_call_analyzer_dump_capacity): New.
	(region_model::impl_call_free): Remove dynamic extents from the
	freed region.
	* region-model-reachability.h
	(reachable_regions::begin_mutable_base_regs): New.
	(reachable_regions::end_mutable_base_regs): New.
	* region-model.cc: Include "tree-object-size.h".
	(region_model::region_model): Support new field m_dynamic_extents.
	(region_model::operator=): Likewise.
	(region_model::operator==): Likewise.
	(region_model::dump_to_pp): Dump sizes of dynamic regions.
	(region_model::handle_unrecognized_call): Purge dynamic extents
	from any regions that have escaped mutably.
	(region_model::get_capacity): New function.
	(region_model::add_constraint): Unset dynamic extents when a
	heap-allocated region's address is NULL.
	(region_model::unbind_region_and_descendents): Purge dynamic
	extents of unbound regions.
	(region_model::can_merge_with_p): Call
	m_dynamic_extents.can_merge_with_p.
	(region_model::create_region_for_heap_alloc): Assert that
	size_in_bytes's type is compatible with size_type_node.  Update
	for renaming of record_dynamic_extents to set_dynamic_extents.
	(region_model::create_region_for_alloca): Likewise.
	(region_model::record_dynamic_extents): Rename to...
	(region_model::set_dynamic_extents): ...this.  Assert that
	size_in_bytes's type is compatible with size_type_node.  Add it
	to the m_dynamic_extents map.
	(region_model::get_dynamic_extents): New.
	(region_model::unset_dynamic_extents): New.
	(selftest::test_state_merging): Fix type of "size".
	(selftest::test_malloc_constraints): Likewise.
	(selftest::test_malloc): Verify dynamic extents.
	(selftest::test_alloca): Likewise.
	* region-model.h (region_to_value_map::is_empty): New.
	(region_model::dynamic_extents_t): New typedef.
	(region_model::impl_call_analyzer_dump_capacity): New decl.
	(region_model::get_dynamic_extents): New function.
	(region_model::get_dynamic_extents): New decl.
	(region_model::set_dynamic_extents): New decl.
	(region_model::unset_dynamic_extents): New decl.
	(region_model::get_capacity): New decl.
	(region_model::record_dynamic_extents): Rename to set_dynamic_extents.
	(region_model::m_dynamic_extents): New field.

2021-06-15  David Malcolm  <dmalcolm@redhat.com>

	* region-model.cc (region_to_value_map::operator=): New.
	(region_to_value_map::operator==): New.
	(region_to_value_map::dump_to_pp): New.
	(region_to_value_map::dump): New.
	(region_to_value_map::can_merge_with_p): New.
	* region-model.h (class region_to_value_map): New class.

2021-06-13  Trevor Saunders  <tbsaunde@tbsaunde.org>

	* call-string.cc (call_string::call_string): Use range based for
	to iterate over vec<>.
	(call_string::to_json): Likewise.
	(call_string::hash): Likewise.
	(call_string::calc_recursion_depth): Likewise.
	* checker-path.cc (checker_path::fixup_locations): Likewise.
	* constraint-manager.cc (equiv_class::equiv_class): Likewise.
	(equiv_class::to_json): Likewise.
	(equiv_class::hash): Likewise.
	(constraint_manager::to_json): Likewise.
	* engine.cc (impl_region_model_context::on_svalue_leak):
	Likewise.
	(on_liveness_change): Likewise.
	(impl_region_model_context::on_unknown_change): Likewise.
	* program-state.cc (sm_state_map::set_state): Likewise.
	* region-model.cc (test_canonicalization_4): Likewise.

2021-06-11  David Malcolm  <dmalcolm@redhat.com>

	* engine.cc (worklist::key_t::cmp): Move sort by call_string to
	before SCC.

2021-06-09  David Malcolm  <dmalcolm@redhat.com>

	* region-model.cc (region_model::get_lvalue_1): Make const.
	(region_model::get_lvalue): Likewise.
	(region_model::get_rvalue_1): Likewise.
	(region_model::get_rvalue): Likewise.
	(region_model::deref_rvalue): Likewise.
	(region_model::get_rvalue_for_bits): Likewise.
	* region-model.h (region_model::get_lvalue): Likewise.
	(region_model::get_rvalue): Likewise.
	(region_model::deref_rvalue): Likewise.
	(region_model::get_rvalue_for_bits): Likewise.
	(region_model::get_lvalue_1): Likewise.
	(region_model::get_rvalue_1): Likewise.

2021-06-08  David Malcolm  <dmalcolm@redhat.com>

	PR analyzer/99212
	* region-model-manager.cc
	(region_model_manager::maybe_fold_binop): Add support for folding
	BIT_AND_EXPR of compound_svalue and a mask constant.
	* region-model.cc (region_model::get_rvalue_1): Implement
	BIT_FIELD_REF in terms of...
	(region_model::get_rvalue_for_bits): New function.
	* region-model.h (region_model::get_rvalue_for_bits): New decl.
	* store.cc (bit_range::from_mask): New function.
	(selftest::test_bit_range_intersects_p): New selftest.
	(selftest::assert_bit_range_from_mask_eq): New.
	(ASSERT_BIT_RANGE_FROM_MASK_EQ): New macro.
	(selftest::assert_no_bit_range_from_mask_eq): New.
	(ASSERT_NO_BIT_RANGE_FROM_MASK): New macro.
	(selftest::test_bit_range_from_mask): New selftest.
	(selftest::analyzer_store_cc_tests): Call the new selftests.
	* store.h (bit_range::intersects_p): New.
	(bit_range::from_mask): New decl.
	(concrete_binding::get_bit_range): New accessor.
	(store_manager::get_concrete_binding): New overload taking
	const bit_range &.

2021-06-08  David Malcolm  <dmalcolm@redhat.com>

	* analyzer.h (int_size_in_bits): New decl.
	* region.cc (int_size_in_bits): New function.
	(region::get_bit_size): Reimplement in terms of the above.

2021-06-08  David Malcolm  <dmalcolm@redhat.com>

	* store.cc (concrete_binding::dump_to_pp): Move bulk of
	implementation to...
	(bit_range::dump_to_pp): ...this new function.
	(bit_range::cmp): New.
	(concrete_binding::overlaps_p): Update for use of bit_range.
	(concrete_binding::cmp_ptr_ptr): Likewise.
	* store.h (struct bit_range): New.
	(class concrete_binding): Replace fields m_start_bit_offset and
	m_size_in_bits with new field m_bit_range.

2021-06-08  David Malcolm  <dmalcolm@redhat.com>

	* svalue.h (conjured_svalue::iterator_t): Delete.

2021-06-03  David Malcolm  <dmalcolm@redhat.com>

	* store.h (store::get_direct_binding): Remove unused decl.
	(store::get_default_binding): Likewise.

2021-06-03  David Malcolm  <dmalcolm@redhat.com>

	* svalue.cc (poisoned_svalue::dump_to_pp): Dump type.
	(compound_svalue::dump_to_pp): Dump any type.

2021-05-18  David Malcolm  <dmalcolm@redhat.com>

	PR analyzer/100615
	* sm-malloc.cc: Include "analyzer/function-set.h".
	(malloc_state_machine::on_stmt): Call unaffected_by_call_p and
	bail on the functions it recognizes.
	(malloc_state_machine::unaffected_by_call_p): New.

2021-05-10  Martin Liska  <mliska@suse.cz>

	* sm-file.cc (is_file_using_fn_p): Use startswith
	function instead of strncmp.

2021-05-10  Martin Liska  <mliska@suse.cz>

	* program-state.cc (program_state::operator=): Remove
	__cplusplus >= 201103.
	(program_state::program_state): Likewise.
	* program-state.h: Likewise.
	* region-model.h (class region_model): Remove dead code.

2021-04-24  David Malcolm  <dmalcolm@redhat.com>

	PR analyzer/100244
	* sm-malloc.cc (free_of_non_heap::describe_state_change):
	Bulletproof against change.m_expr being NULL.

2021-04-13  David Malcolm  <dmalcolm@redhat.com>

	PR analyzer/98599
	* supergraph.cc (saved_uids::make_uid_unique): New.
	(saved_uids::restore_uids): New.
	(supergraph::supergraph): Replace assignments to stmt->uid with
	calls to m_stmt_uids.make_uid_unique.
	(supergraph::~supergraph): New.
	* supergraph.h (class saved_uids): New.
	(supergraph::~supergraph): New decl.
	(supergraph::m_stmt_uids): New field.

2021-04-10  David Malcolm  <dmalcolm@redhat.com>

	PR analyzer/100011
	* region-model.cc (region_model::on_assignment): Avoid NULL
	dereference if ctxt is NULL when assigning from a STRING_CST.

2021-04-08  David Malcolm  <dmalcolm@redhat.com>

	PR analyzer/99042
	PR analyzer/99774
	* engine.cc
	(impl_region_model_context::impl_region_model_context): Add
	uncertainty param and use it to initialize m_uncertainty.
	(impl_region_model_context::get_uncertainty): New.
	(impl_sm_context::get_fndecl_for_call): Add NULL for new
	uncertainty param when constructing impl_region_model_context.
	(impl_sm_context::get_state): Likewise.
	(impl_sm_context::set_next_state): Likewise.
	(impl_sm_context::warn): Likewise.
	(exploded_node::on_stmt): Add uncertainty param
	and use it when constructing impl_region_model_context.
	(exploded_node::on_edge): Add uncertainty param and pass
	to on_edge call.
	(exploded_node::detect_leaks): Create uncertainty_t and pass to
	impl_region_model_context.
	(exploded_graph::get_or_create_node): Create uncertainty_t and
	pass to prune_for_point.
	(maybe_process_run_of_before_supernode_enodes): Create
	uncertainty_t and pass to impl_region_model_context.
	(exploded_graph::process_node): Create uncertainty_t instances and
	pass around as needed.
	* exploded-graph.h
	(impl_region_model_context::impl_region_model_context): Add
	uncertainty param.
	(impl_region_model_context::get_uncertainty): New decl.
	(impl_region_model_context::m_uncertainty): New field.
	(exploded_node::on_stmt): Add uncertainty param.
	(exploded_node::on_edge): Likewise.
	* program-state.cc (sm_state_map::on_liveness_change): Get
	uncertainty from context and use it to unset sm-state from
	svalues as appropriate.
	(program_state::on_edge): Add uncertainty param and use it when
	constructing impl_region_model_context.  Fix indentation.
	(program_state::prune_for_point): Add uncertainty param and use it
	when constructing impl_region_model_context.
	(program_state::detect_leaks): Get any uncertainty from ctxt and
	use it to get maybe-live svalues for dest_state, rather than
	definitely-live ones; use this when determining which svalues
	have leaked.
	(selftest::test_program_state_merging): Create uncertainty_t and
	pass to impl_region_model_context.
	* program-state.h (program_state::on_edge): Add uncertainty param.
	(program_state::prune_for_point): Likewise.
	* region-model-impl-calls.cc (call_details::get_uncertainty): New.
	(region_model::impl_call_memcpy): Pass uncertainty to
	mark_region_as_unknown call.
	(region_model::impl_call_memset): Likewise.
	(region_model::impl_call_strcpy): Likewise.
	* region-model-reachability.cc (reachable_regions::handle_sval):
	Also add sval to m_mutable_svals.
	* region-model.cc (region_model::on_assignment): Pass any
	uncertainty from ctxt to the store::set_value call.
	(region_model::handle_unrecognized_call): Get any uncertainty from
	ctxt and use it to record mutable svalues at the unknown call.
	(region_model::get_reachable_svalues): Add uncertainty param and
	use it to mark any maybe-bound svalues as being reachable.
	(region_model::set_value): Pass any uncertainty from ctxt to the
	store::set_value call.
	(region_model::mark_region_as_unknown): Add uncertainty param and
	pass it on to the store::mark_region_as_unknown call.
	(region_model::update_for_call_summary): Add uncertainty param and
	pass it on to the region_model::mark_region_as_unknown call.
	* region-model.h (call_details::get_uncertainty): New decl.
	(region_model::get_reachable_svalues): Add uncertainty param.
	(region_model::mark_region_as_unknown): Add uncertainty param.
	(region_model_context::get_uncertainty): New vfunc.
	(noop_region_model_context::get_uncertainty): New vfunc
	implementation.
	* store.cc (dump_svalue_set): New.
	(uncertainty_t::dump_to_pp): New.
	(uncertainty_t::dump): New.
	(binding_cluster::clobber_region): Pass NULL for uncertainty to
	remove_overlapping_bindings.
	(binding_cluster::mark_region_as_unknown): Add uncertainty param
	and pass it to remove_overlapping_bindings.
	(binding_cluster::remove_overlapping_bindings): Add uncertainty param.
	Use it to record any svalues that were in clobbered bindings.
	(store::set_value): Add uncertainty param.  Pass it to
	binding_cluster::mark_region_as_unknown when handling symbolic
	regions.
	(store::mark_region_as_unknown): Add uncertainty param and pass it
	to binding_cluster::mark_region_as_unknown.
	(store::remove_overlapping_bindings): Add uncertainty param and
	pass it to binding_cluster::remove_overlapping_bindings.
	* store.h (binding_cluster::mark_region_as_unknown): Add
	uncertainty param.
	(binding_cluster::remove_overlapping_bindings): Likewise.
	(store::set_value): Likewise.
	(store::mark_region_as_unknown): Likewise.

2021-04-05  David Malcolm  <dmalcolm@redhat.com>

	PR analyzer/99906
	* analyzer.cc (maybe_reconstruct_from_def_stmt): Fix NULL
	dereference on calls with zero arguments.
	* sm-malloc.cc (malloc_state_machine::on_stmt): When handling
	__attribute__((nonnull)), only call get_diagnostic_tree if the
	result will be used.

2021-04-05  David Malcolm  <dmalcolm@redhat.com>

	PR analyzer/99886
	* diagnostic-manager.cc
	(diagnostic_manager::prune_interproc_events): Use signed integers
	when subtracting one from path->num_events ().
	(diagnostic_manager::consolidate_conditions): Likewise.  Convert
	next_idx to a signed int.

2021-04-01  David Malcolm  <dmalcolm@redhat.com>

	* diagnostic-manager.cc (diagnostic_manager::add_diagnostic): Make
	enode param non-constant, and call add_diagnostic on it.  Add
	enode index to log message.
	(diagnostic_manager::add_diagnostic): Make enode param
	non-constant.
	* diagnostic-manager.h (diagnostic_manager::add_diagnostic):
	Likewise for both decls.
	* engine.cc
	(impl_region_model_context::impl_region_model_context): Likewise
	for enode_for_diag.
	(impl_sm_context::impl_sm_context): Likewise.
	(impl_sm_context::m_enode_for_diag): Likewise.
	(exploded_node::dump_dot): Don't pass the diagnostic manager
	to dump_saved_diagnostics.
	(exploded_node::dump_saved_diagnostics): Drop param.  Iterate
	directly through all saved diagnostics for the enode, rather
	than all saved diagnostics in the diagnostic_manager and
	filtering.
	(exploded_node::on_stmt): Make non-const.
	(exploded_node::on_edge): Likewise.
	(exploded_node::on_longjmp): Likewise.
	(exploded_node::detect_leaks): Likewise.
	(exploded_graph::get_or_create_node): Make enode_for_diag param
	non-const.
	(exploded_graph_annotator::print_enode): Iterate
	directly through all saved diagnostics for the enode, rather
	than all saved diagnostics in the diagnostic_manager and
	filtering.
	* exploded-graph.h
	(impl_region_model_context::impl_region_model_context): Make
	enode_for_diag param non-constant.
	(impl_region_model_context::m_enode_for_diag): Likewise.
	(exploded_node::dump_saved_diagnostics): Drop param.
	(exploded_node::on_stmt): Make non-const.
	(exploded_node::on_edge): Likewise.
	(exploded_node::on_longjmp): Likewise.
	(exploded_node::detect_leaks): Likewise.
	(exploded_node::add_diagnostic): New.
	(exploded_node::get_num_diagnostics): New.
	(exploded_node::get_saved_diagnostic): New.
	(exploded_node::m_saved_diagnostics): New.
	(exploded_graph::get_or_create_node): Make enode_for_diag param
	non-constant.
	* feasible-graph.cc (feasible_node::dump_dot): Drop
	diagnostic_manager from call to dump_saved_diagnostics.
	* program-state.cc (program_state::on_edge): Convert enode param
	to non-const pointer.
	(program_state::prune_for_point): Likewise for enode_for_diag
	param.
	* program-state.h (program_state::on_edge): Convert enode param
	to non-const pointer.
	(program_state::prune_for_point): Likewise for enode_for_diag
	param.

2021-03-31  David Malcolm  <dmalcolm@redhat.com>

	PR analyzer/99771
	* analyzer.cc (maybe_reconstruct_from_def_stmt): New.
	(fixup_tree_for_diagnostic_1): New.
	(fixup_tree_for_diagnostic): New.
	* analyzer.h (fixup_tree_for_diagnostic): New decl.
	* checker-path.cc (call_event::get_desc): Call
	fixup_tree_for_diagnostic and use it for the call_with_state call.
	(warning_event::get_desc): Likewise for the final_event and
	make_label_text calls.
	* engine.cc (impl_region_model_context::on_state_leak): Likewise
	for the on_leak and add_diagnostic calls.
	* region-model.cc (region_model::get_representative_tree):
	Likewise for the result.

2021-03-30  David Malcolm  <dmalcolm@redhat.com>

	* region.h (region::dump_to_pp): Remove old decl.

2021-03-30  David Malcolm  <dmalcolm@redhat.com>

	* sm-file.cc (fileptr_state_machine::on_stmt): Only call
	get_diagnostic_tree if the result will be used.
	* sm-malloc.cc (malloc_state_machine::on_stmt): Likewise.
	(malloc_state_machine::on_deallocator_call): Likewise.
	(malloc_state_machine::on_realloc_call): Likewise.
	* sm-sensitive.cc
	(sensitive_state_machine::warn_for_any_exposure): Likewise.
	* sm-taint.cc (taint_state_machine::on_stmt): Likewise.

2021-03-25  David Malcolm  <dmalcolm@redhat.com>

	PR analyzer/93695
	PR analyzer/99044
	PR analyzer/99716
	* engine.cc (exploded_node::on_stmt): Clear sm-state involving
	an SSA name at the def-stmt of that SSA name.
	* program-state.cc (sm_state_map::purge_state_involving): New.
	* program-state.h (sm_state_map::purge_state_involving): New decl.
	* region-model.cc (selftest::test_involves_p): New.
	(selftest::analyzer_region_model_cc_tests): Call it.
	* svalue.cc (class involvement_visitor): New class.
	(svalue::involves_p): New.
	* svalue.h (svalue::involves_p): New decl.

2021-03-19  David Malcolm  <dmalcolm@redhat.com>

	PR analyzer/99614
	* diagnostic-manager.cc (class epath_finder): Add
	DISABLE_COPY_AND_ASSIGN.

2021-03-15  Martin Liska  <mliska@suse.cz>

	* sm-file.cc (get_file_using_fns): Add missing comma in initializer.

2021-03-11  David Malcolm  <dmalcolm@redhat.com>

	PR analyzer/96374
	* analyzer.opt (-param=analyzer-max-infeasible-edges=): New param.
	(fdump-analyzer-feasibility): New flag.
	* diagnostic-manager.cc: Include "analyzer/trimmed-graph.h" and
	"analyzer/feasible-graph.h".
	(epath_finder::epath_finder): Convert m_sep to a pointer and
	only create it if !flag_analyzer_feasibility.
	(epath_finder::~epath_finder): New.
	(epath_finder::m_sep): Convert to a pointer.
	(epath_finder::get_best_epath): Add param "diag_idx" and use it
	when logging.  Rather than finding the shortest path and then
	checking feasibility, instead use explore_feasible_paths unless
	!flag_analyzer_feasibility, in which case simply use the shortest
	path, and note if it is infeasible.  Update for m_sep becoming a
	pointer.
	(class feasible_worklist): New.
	(epath_finder::explore_feasible_paths): New.
	(epath_finder::process_worklist_item): New.
	(class dump_eg_with_shortest_path): New.
	(epath_finder::dump_trimmed_graph): New.
	(epath_finder::dump_feasible_graph): New.
	(saved_diagnostic::saved_diagnostic): Add "idx" param, using it
	on new field m_idx.
	(saved_diagnostic::to_json): Dump m_idx.
	(saved_diagnostic::calc_best_epath): Pass m_idx to get_best_epath.
	Remove assertion that m_problem was set when m_best_epath is NULL.
	(diagnostic_manager::add_diagnostic): Pass an index when creating
	saved_diagnostic instances.
	* diagnostic-manager.h (saved_diagnostic::saved_diagnostic): Add
	"idx" param.
	(saved_diagnostic::get_index): New accessor.
	(saved_diagnostic::m_idx): New field.
	* engine.cc (exploded_node::dump_dot): Call args.dump_extra_info.
	Move code to...
	(exploded_node::dump_processed_stmts): ...this new function and...
	(exploded_node::dump_saved_diagnostics): ...this new function.
	Add index of each diagnostic.
	(exploded_edge::dump_dot): Move bulk of code to...
	(exploded_edge::dump_dot_label): ...this new function.
	* exploded-graph.h (eg_traits::dump_args_t::dump_extra_info): New
	vfunc.
	(exploded_node::dump_processed_stmts): New decl.
	(exploded_node::dump_saved_diagnostics): New decl.
	(exploded_edge::dump_dot_label): New decl.
	* feasible-graph.cc: New file.
	* feasible-graph.h: New file.
	* trimmed-graph.cc: New file.
	* trimmed-graph.h: New file.

2021-03-11  David Malcolm  <dmalcolm@redhat.com>

	* diagnostic-manager.cc (epath_finder::epath_finder):
	Update shortest_paths init for new param.

2021-03-10  David Malcolm  <dmalcolm@redhat.com>

	PR analyzer/96374
	* engine.cc (exploded_path::feasible_p): Move "snodes_visited" and
	"model" locals into a new class feasibility_state.  Move heart
	of per-edge processing into
	feasibility_state::maybe_update_for_edge.
	(feasibility_state::feasibility_state): New.
	(feasibility_state::maybe_update_for_edge): New, based on loop
	body in exploded_path::feasible_p.
	* exploded-graph.h (class feasibility_state): New.

2021-03-10  David Malcolm  <dmalcolm@redhat.com>

	* supergraph.h
	(callgraph_superedge::dyn_cast_callgraph_superedge): New.
	(call_superedge::dyn_cast_callgraph_superedge): Delete.
	(return_superedge::dyn_cast_callgraph_superedge): Delete.

2021-03-02  Martin Liska  <mliska@suse.cz>

	* diagnostic-manager.cc (diagnostic_manager::emit_saved_diagnostics):
	Do not pass engine.

2021-02-26  David Malcolm  <dmalcolm@redhat.com>

	* engine.cc (exploded_path::exploded_path): New copy-ctor.
	* exploded-graph.h (exploded_path::operator=): Drop decl.

2021-02-26  David Malcolm  <dmalcolm@redhat.com>

	PR analyzer/96374
	* diagnostic-manager.cc (class epath_finder): New.
	(epath_finder::get_best_epath): New.
	(saved_diagnostic::saved_diagnostic): Update for replacement of
	m_state and m_epath_length with m_best_epath.
	(saved_diagnostic::~saved_diagnostic): Delete m_best_epath.
	(saved_diagnostic::to_json): Update "path_length" to be optional.
	(saved_diagnostic::calc_best_epath): New, based on
	dedupe_winners::add and parts of dedupe_key::dedupe_key.
	(saved_diagnostic::get_epath_length): New.
	(saved_diagnostic::add_duplicate): New.
	(dedupe_key::dedupe_key): Drop epath param.  Move invocation of
	stmt_finder to saved_diagnostic::calc_best_epath.
	(class dedupe_candidate): Delete.
	(class dedupe_hash_map_traits): Update to use saved_diagnostic *
	rather than dedupe_candidate * as the value_type/compare_type.
	(dedupe_winners::~dedupe_winners): Don't delete the values.
	(dedupe_winners::add): Convert param from shortest_exploded_paths to
	epath_finder.  Drop "eg" param.  Drop dedupe_candidate, moving
	path generation and feasibility checking to
	epath_finder::get_best_epath.  Update winner-selection for move
	of epaths from dedupe_candidate to saved_diagnostic.
	(dedupe_winners::emit_best): Update for removal of class
	dedupe_candidate.
	(dedupe_winners::map_t): Update to use saved_diagnostic * rather
	than dedupe_candidate * as the value_type/compare_type.
	(diagnostic_manager::emit_saved_diagnostics): Move
	shortest_exploded_paths instance into epath_finder and pass that
	around instead.
	(diagnostic_manager::emit_saved_diagnostic): Drop epath, stmt
	and num_dupes params, instead getting these from the
	saved_diagnostic.  Use correct location in inform_n call.
	* diagnostic-manager.h (class epath_finder): New forward decl.
	(saved_diagnostic::status): Drop enum.
	(saved_diagnostic::set_feasible): Drop.
	(saved_diagnostic::set_infeasible): Drop.
	(saved_diagnostic::get_status): Drop.
	(saved_diagnostic::calc_best_epath): New decl.
	(saved_diagnostic::get_best_epath): New decl.
	(saved_diagnostic::get_epath_length): New decl.
	(saved_diagnostic::set_epath_length): Drop.
	(saved_diagnostic::get_epath_length): Drop inline implementation.
	(saved_diagnostic::add_duplicate): New.
	(saved_diagnostic::get_num_dupes): New.
	(saved_diagnostic::m_d): Document ownership.
	(saved_diagnostic::m_trailing_eedge): Make const.
	(saved_diagnostic::m_status): Drop field.
	(saved_diagnostic::m_epath_length): Drop field.
	(saved_diagnostic::m_best_epath): New field.
	(saved_diagnostic::m_problem): Document ownership.
	(saved_diagnostic::m_duplicates): New field.
	(diagnostic_manager::emit_saved_diagnostic): Drop params epath,
	stmt, and num_dupes.
	* engine.cc (exploded_graph_annotator::print_saved_diagnostic):
	Update for changes to saved_diagnostic class.
	* exploded-graph.h (exploded_path::feasible_p): Drop unused
	overloaded decl.

2021-02-25  David Malcolm  <dmalcolm@redhat.com>

	PR analyzer/99193
	* region-model-impl-calls.cc (region_model::impl_call_realloc): New.
	* region-model.cc (region_model::on_call_pre): Call it.
	* region-model.h (region_model::impl_call_realloc): New decl.
	* sm-malloc.cc (enum wording): Add WORDING_REALLOCATED.
	(malloc_state_machine::m_realloc): New field.
	(use_after_free::describe_state_change): Add case for
	WORDING_REALLOCATED.
	(use_after_free::describe_final_event): Likewise.
	(malloc_state_machine::malloc_state_machine): Initialize
	m_realloc.
	(malloc_state_machine::on_stmt): Handle realloc by calling...
	(malloc_state_machine::on_realloc_call): New.

2021-02-22  David Malcolm  <dmalcolm@redhat.com>

	PR analyzer/99196
	* engine.cc (exploded_node::on_stmt): Provide terminate_path
	flag as a way for on_call_pre to terminate the current analysis
	path.
	* region-model-impl-calls.cc (call_details::num_args): New.
	(region_model::impl_call_error): New.
	* region-model.cc (region_model::on_call_pre): Add param
	"out_terminate_path".  Handle "error" and "error_at_line".
	* region-model.h (call_details::num_args): New decl.
	(region_model::on_call_pre): Add param "out_terminate_path".
	(region_model::impl_call_error): New decl.

2021-02-17  David Malcolm  <dmalcolm@redhat.com>

	PR analyzer/98969
	* constraint-manager.cc (dead_svalue_purger::should_purge_p):
	Update for change to svalue::live_p.
	* program-state.cc (sm_state_map::on_liveness_change): Likewise.
	(program_state::detect_leaks): Likewise.
	* region-model-reachability.cc (reachable_regions::init_cluster):
	When dealing with a symbolic region, if the underlying pointer is
	implicitly live, add the region to the reachable regions.
	* region-model.cc (region_model::compare_initial_and_pointer):
	Move logic for detecting initial values of params to
	initial_svalue::initial_value_of_param_p.
	* svalue.cc (svalue::live_p): Convert "live_svalues" from a
	reference to a pointer; support it being NULL.
	(svalue::implicitly_live_p): Convert first param from a
	reference to a pointer.
	(region_svalue::implicitly_live_p): Likewise.
	(constant_svalue::implicitly_live_p): Likewise.
	(initial_svalue::implicitly_live_p): Likewise.  Treat the initial
	values of params for the top level frame as still live.
	(initial_svalue::initial_value_of_param_p): New function, taken
	from a test in region_model::compare_initial_and_pointer.
	(unaryop_svalue::implicitly_live_p): Convert first param from a
	reference to a pointer.
	(binop_svalue::implicitly_live_p): Likewise.
	(sub_svalue::implicitly_live_p): Likewise.
	(unmergeable_svalue::implicitly_live_p): Likewise.
	* svalue.h (svalue::live_p): Likewise.
	(svalue::implicitly_live_p): Likewise.
	(region_svalue::implicitly_live_p): Likewise.
	(constant_svalue::implicitly_live_p): Likewise.
	(initial_svalue::implicitly_live_p): Likewise.
	(initial_svalue::initial_value_of_param_p): New decl.
	(unaryop_svalue::implicitly_live_p): Convert first param from a
	reference to a pointer.
	(binop_svalue::implicitly_live_p): Likewise.
	(sub_svalue::implicitly_live_p): Likewise.
	(unmergeable_svalue::implicitly_live_p): Likewise.

2021-02-12  David Malcolm  <dmalcolm@redhat.com>

	PR analyzer/98969
	* engine.cc (readability): Add names for the various arbitrary
	values.  Handle NOP_EXPR and INTEGER_CST.
	(readability_comparator): Combine the readability tests for
	tree and stack depth, rather than performing them sequentially.
	(impl_region_model_context::on_state_leak): Strip off top-level
	casts.
	* region-model.cc (region_model::get_representative_path_var): Add
	type-checking, moving the bulk of the implementation to...
	(region_model::get_representative_path_var_1): ...here.  Respect
	types in casts by recursing and re-adding the cast, rather than
	merely stripping them off.  Use the correct type when handling
	region_svalue.
	(region_model::get_representative_tree): Strip off any top-level
	cast.
	(region_model::get_representative_path_var): Add type-checking,
	moving the bulk of the implementation to...
	(region_model::get_representative_path_var_1): ...here.
	* region-model.h (region_model::get_representative_path_var_1):
	New decl.
	* store.cc (append_pathvar_with_type): New.
	(binding_cluster::get_representative_path_vars): Cast path_vars
	to the correct type when adding them to *OUT_PVS.

0a91b73e
GA
70072021-02-09 David Malcolm <dmalcolm@redhat.com>
7008
7009 PR analyzer/98575
7010 * sm-file.cc (is_file_using_fn_p): Support "_IO_"-prefixed
7011 variants.
7012
70132021-02-09 David Malcolm <dmalcolm@redhat.com>
7014
7015 PR analyzer/98575
7016 * store.cc (store::set_value): Treat a pointer written to *UNKNOWN
7017 as having escaped.
7018
548b75d8
GA
2021-02-02  David Malcolm <dmalcolm@redhat.com>

	PR analyzer/93355
	PR analyzer/96374
	* engine.cc (toplevel_function_p): Simplify so that
	we only reject functions with a "__analyzer_" prefix.
	(add_any_callbacks): Delete.
	(exploded_graph::build_initial_worklist): Update for
	dropped param of toplevel_function_p.
	(exploded_graph::build_initial_worklist): Don't bother
	looking for callbacks that are reachable from global
	initializers.

2021-02-01  David Malcolm <dmalcolm@redhat.com>

	PR analyzer/98918
	* region-model-manager.cc
	(region_model_manager::get_or_create_initial_value):
	Fold the initial value of *UNKNOWN_PTR to an UNKNOWN value.
	(region_model_manager::get_field_region): Fold the value
	of UNKNOWN_PTR->FIELD to *UNKNOWN_PTR_OF_&FIELD_TYPE.

2021-01-29  David Malcolm <dmalcolm@redhat.com>

	* checker-path.cc (event_kind_to_string): Handle
	EK_START_CONSOLIDATED_CFG_EDGES and
	EK_END_CONSOLIDATED_CFG_EDGES.
	(start_consolidated_cfg_edges_event::get_desc): New.
	(checker_path::cfg_edge_pair_at_p): New.
	* checker-path.h (enum event_kind): Add
	EK_START_CONSOLIDATED_CFG_EDGES and
	EK_END_CONSOLIDATED_CFG_EDGES.
	(class start_consolidated_cfg_edges_event): New class.
	(class end_consolidated_cfg_edges_event): New class.
	(checker_path::delete_events): New.
	(checker_path::replace_event): New.
	(checker_path::cfg_edge_pair_at_p): New decl.
	* diagnostic-manager.cc (diagnostic_manager::prune_path): Call
	consolidate_conditions.
	(same_line_as_p): New.
	(diagnostic_manager::consolidate_conditions): New.
	* diagnostic-manager.h
	(diagnostic_manager::consolidate_conditions): New decl.

2021-01-18  David Malcolm <dmalcolm@redhat.com>

	* analyzer.h (is_std_named_call_p): New decl.
	* diagnostic-manager.cc (path_builder::get_sm): New.
	(state_change_event_creator::state_change_event_creator): Add "pb"
	param.
	(state_change_event_creator::on_global_state_change): Don't consider
	state changes affecting other state_machines.
	(state_change_event_creator::on_state_change): Likewise.
	(state_change_event_creator::m_pb): New field.
	(diagnostic_manager::add_events_for_eedge): Pass pb to visitor
	ctor.
	* region-model-impl-calls.cc
	(region_model::impl_deallocation_call): New.
	* region-model.cc: Include "attribs.h".
	(region_model::on_call_post): Handle fndecls referenced by
	__attribute__((deallocated_by(FOO))).
	* region-model.h (region_model::impl_deallocation_call): New decl.
	* sm-malloc.cc: Include "stringpool.h" and "attribs.h". Add
	leading comment.
	(class api): Delete.
	(enum resource_state): Update comment for change from api to
	deallocator and deallocator_set.
	(allocation_state::allocation_state): Drop api param. Add
	"deallocators" and "deallocator".
	(allocation_state::m_api): Drop field in favor of...
	(allocation_state::m_deallocators): New field.
	(allocation_state::m_deallocator): New field.
	(enum wording): Add WORDING_DEALLOCATED.
	(struct deallocator): New.
	(struct standard_deallocator): New.
	(struct custom_deallocator): New.
	(struct deallocator_set): New.
	(struct custom_deallocator_set): New.
	(struct standard_deallocator_set): New.
	(struct deallocator_set_map_traits): New.
	(malloc_state_machine::m_malloc): Drop field.
	(malloc_state_machine::m_scalar_new): Likewise.
	(malloc_state_machine::m_vector_new): Likewise.
	(malloc_state_machine::m_free): New field.
	(malloc_state_machine::m_scalar_delete): Likewise.
	(malloc_state_machine::m_vector_delete): Likewise.
	(malloc_state_machine::deallocator_map_t): New typedef.
	(malloc_state_machine::m_deallocator_map): New field.
	(malloc_state_machine::deallocator_set_cache_t): New typedef.
	(malloc_state_machine::m_custom_deallocator_set_cache): New field.
	(malloc_state_machine::custom_deallocator_set_map_t): New typedef.
	(malloc_state_machine::m_custom_deallocator_set_map): New field.
	(malloc_state_machine::m_dynamic_sets): New field.
	(malloc_state_machine::m_dynamic_deallocators): New field.
	(api::api): Delete.
	(deallocator::deallocator): New ctor.
	(deallocator::hash): New.
	(deallocator::dump_to_pp): New.
	(deallocator::cmp): New.
	(deallocator::cmp_ptr_ptr): New.
	(standard_deallocator::standard_deallocator): New ctor.
	(deallocator_set::deallocator_set): New ctor.
	(deallocator_set::dump): New.
	(custom_deallocator_set::custom_deallocator_set): New ctor.
	(custom_deallocator_set::contains_p): New.
	(custom_deallocator_set::maybe_get_single): New.
	(custom_deallocator_set::dump_to_pp): New.
	(standard_deallocator_set::standard_deallocator_set): New ctor.
	(standard_deallocator_set::contains_p): New.
	(standard_deallocator_set::maybe_get_single): New.
	(standard_deallocator_set::dump_to_pp): New.
	(start_p): New.
	(class mismatching_deallocation): Update for conversion from api
	to deallocator_set and deallocator.
	(double_free::emit): Use %qs.
	(class use_after_free): Update for conversion from api to
	deallocator_set and deallocator.
	(malloc_leak::describe_state_change): Only emit "allocated here" on
	a start->nonnull transition, rather than on other transitions to
	nonnull.
	(allocation_state::dump_to_pp): Update for conversion from api to
	deallocator_set.
	(allocation_state::get_nonnull): Likewise.
	(malloc_state_machine::malloc_state_machine): Likewise.
	(malloc_state_machine::~malloc_state_machine): New.
	(malloc_state_machine::add_state): Update for conversion from api
	to deallocator_set.
	(malloc_state_machine::get_or_create_custom_deallocator_set): New.
	(malloc_state_machine::maybe_create_custom_deallocator_set): New.
	(malloc_state_machine::get_or_create_deallocator): New.
	(malloc_state_machine::on_stmt): Update for conversion from api
	to deallocator_set. Handle "__attribute__((malloc(FOO)))", and
	the special attribute set on FOO.
	(malloc_state_machine::on_allocator_call): Update for conversion
	from api to deallocator_set. Add "returns_nonnull" param and use
	it to affect which state to transition to.
	(malloc_state_machine::on_deallocator_call): Update for conversion
	from api to deallocator_set.

2021-01-14  David Malcolm <dmalcolm@redhat.com>

	* engine.cc (strongly_connected_components::to_json): New.
	(worklist::to_json): New.
	(exploded_graph::to_json): JSON-ify the worklist.
	* exploded-graph.h (strongly_connected_components::to_json): New
	decl.
	(worklist::to_json): New decl.
	* store.cc (store::to_json): Fix comment.
	* supergraph.cc (supernode::to_json): Fix reference to
	"returning_call" in comment. Add optional "fun" to JSON.
	(edge_kind_to_string): New.
	(superedge::to_json): Add "kind" to JSON.

2021-01-14  David Malcolm <dmalcolm@redhat.com>

	PR analyzer/98679
	* analyzer.h (region_offset::operator==): Make const.
	* pending-diagnostic.h (pending_diagnostic::equal_p): Likewise.
	* store.h (binding_cluster::for_each_value): Likewise.
	(binding_cluster::for_each_binding): Likewise.

2021-01-12  David Malcolm <dmalcolm@redhat.com>

	PR analyzer/98628
	* store.cc (binding_cluster::make_unknown_relative_to): Don't mark
	dereferenced unknown pointers as having escaped.

2021-01-07  David Malcolm <dmalcolm@redhat.com>

	PR analyzer/98580
	* region.cc (decl_region::get_svalue_for_initializer): Gracefully
	handle when LTO writes out DECL_INITIAL as error_mark_node.

2021-01-07  David Malcolm <dmalcolm@redhat.com>

	PR analyzer/97074
	* store.cc (binding_cluster::can_merge_p): Add "out_store" param
	and pass to calls to binding_cluster::make_unknown_relative_to.
	(binding_cluster::make_unknown_relative_to): Add "out_store"
	param. Use it to mark base regions that are pointed to by
	pointers that become unknown as having escaped.
	(store::can_merge_p): Pass out_store to
	binding_cluster::can_merge_p.
	* store.h (binding_cluster::can_merge_p): Add "out_store" param.
	(binding_cluster::make_unknown_relative_to): Likewise.
	* svalue.cc (region_svalue::implicitly_live_p): New vfunc.
	* svalue.h (region_svalue::implicitly_live_p): New vfunc decl.

2021-01-07  David Malcolm <dmalcolm@redhat.com>

	PR analyzer/98564
	* engine.cc (exploded_path::feasible_p): Add missing call to
	bitmap_clear.

2021-01-06  David Malcolm <dmalcolm@redhat.com>

	PR analyzer/97072
	* region-model-reachability.cc (reachable_regions::init_cluster):
	Convert symbolic region handling to a switch statement. Add cases
	to handle SK_UNKNOWN and SK_CONJURED.

2021-01-05  David Malcolm <dmalcolm@redhat.com>

	PR analyzer/98293
	* store.cc (binding_map::apply_ctor_to_region): When "index" is
	NULL, iterate through the fields for RECORD_TYPEs, rather than
	creating an INTEGER_CST index.

2020-11-30  David Malcolm <dmalcolm@redhat.com>

	* analyzer-pass.cc: Include "analyzer/analyzer.h" for the
	declaration of sorry_no_analyzer; include "tree.h" and
	"function.h" as these are needed by it.

2020-11-30  David Malcolm <dmalcolm@redhat.com>

	* analyzer-pass.cc (pass_analyzer::execute): Move sorry call to...
	(sorry_no_analyzer): New.
	* analyzer.h (class state_machine): New forward decl.
	(class logger): New forward decl.
	(class plugin_analyzer_init_iface): New.
	(sorry_no_analyzer): New decl.
	* checker-path.cc (checker_path::fixup_locations): New.
	* checker-path.h (checker_event::set_location): New.
	(checker_path::fixup_locations): New decl.
	* diagnostic-manager.cc
	(diagnostic_manager::emit_saved_diagnostic): Call
	checker_path::fixup_locations, and call fixup_location
	on the primary location.
	* engine.cc: Include "plugin.h".
	(class plugin_analyzer_init_impl): New.
	(impl_run_checkers): Invoke PLUGIN_ANALYZER_INIT callbacks.
	* pending-diagnostic.h (pending_diagnostic::fixup_location): New
	vfunc.

2020-11-18  David Malcolm <dmalcolm@redhat.com>

	PR analyzer/97893
	* sm-malloc.cc (null_deref::emit): Use CWE-476 rather than
	CWE-690, as this isn't due to an unchecked return value.
	(null_arg::emit): Likewise.

2020-11-12  David Malcolm <dmalcolm@redhat.com>

	* checker-path.h (checker_event::get_id_ptr): New.
	* diagnostic-manager.cc (path_builder::path_builder): Add "sd"
	param and use it to initialize new field "m_sd".
	(path_builder::get_pending_diagnostic): New.
	(path_builder::m_sd): New field.
	(diagnostic_manager::emit_saved_diagnostic): Pass sd to
	path_builder ctor.
	(diagnostic_manager::add_events_for_superedge): Call new
	maybe_add_custom_events_for_superedge vfunc.
	* engine.cc (stale_jmp_buf::stale_jmp_buf): Add "setjmp_point"
	param and use it to initialize new field "m_setjmp_point".
	Initialize new field "m_stack_pop_event".
	(stale_jmp_buf::maybe_add_custom_events_for_superedge): New vfunc
	implementation.
	(stale_jmp_buf::describe_final_event): New vfunc implementation.
	(stale_jmp_buf::m_setjmp_point): New field.
	(stale_jmp_buf::m_stack_pop_event): New field.
	(exploded_node::on_longjmp): Pass setjmp_point to stale_jmp_buf
	ctor.
	* pending-diagnostic.h
	(pending_diagnostic::maybe_add_custom_events_for_superedge): New
	vfunc.

2020-11-12  David Malcolm <dmalcolm@redhat.com>

	PR tree-optimization/97424
	* analyzer.opt (Wanalyzer-shift-count-negative): New.
	(Wanalyzer-shift-count-overflow): New.
	* region-model.cc (class shift_count_negative_diagnostic): New.
	(class shift_count_overflow_diagnostic): New.
	(region_model::get_gassign_result): Complain about shift counts that
	are negative or are >= the operand's type's width.

2020-11-10  Martin Liska <mliska@suse.cz>

	* constraint-manager.cc (constraint_manager::merge): Remove
	unused code.
	* constraint-manager.h: Likewise.
	* program-state.cc (sm_state_map::sm_state_map): Likewise.
	(program_state::program_state): Likewise.
	(test_sm_state_map): Likewise.
	* program-state.h: Likewise.
	* region-model-reachability.cc (reachable_regions::reachable_regions): Likewise.
	* region-model-reachability.h: Likewise.
	* region-model.cc (region_model::handle_unrecognized_call): Likewise.
	(region_model::get_reachable_svalues): Likewise.
	(region_model::can_merge_with_p): Likewise.

2020-11-05  David Malcolm <dmalcolm@redhat.com>

	PR analyzer/97668
	* svalue.cc (cmp_cst): Handle COMPLEX_CST.

2020-10-29  David Malcolm <dmalcolm@redhat.com>

	* program-state.cc (sm_state_map::on_liveness_change): Sort the
	leaking svalues before calling on_state_leak.
	(program_state::detect_leaks): Likewise when calling
	on_svalue_leak.
	* region-model-reachability.cc
	(reachable_regions::mark_escaped_clusters): Likewise when
	calling on_escaped_function.

2020-10-29  David Malcolm <dmalcolm@redhat.com>

	PR analyzer/97608
	* region-model-reachability.cc (reachable_regions::handle_sval):
	Operands of reachable reversible operations are reachable.

2020-10-29  David Malcolm <dmalcolm@redhat.com>

	* analyzer.h (class state_machine): New forward decl.
	(class logger): Likewise.
	(class visitor): Likewise.
	* complexity.cc: New file, taken from svalue.cc.
	* complexity.h: New file, taken from region-model.h.
	* region-model.h: Include "analyzer/svalue.h" and
	"analyzer/region.h". Move struct complexity to complexity.h.
	Move svalue, its subclasses and supporting decls to svalue.h.
	Move region, its subclasses and supporting decls to region.h.
	* region.cc: Include "analyzer/region.h".
	(symbolic_region::symbolic_region): Move here from region-model.h.
	* region.h: New file, based on material from region-model.h.
	* svalue.cc: Include "analyzer/svalue.h".
	(complexity::complexity): Move to complexity.cc.
	(complexity::from_pair): Likewise.
	* svalue.h: New file, based on material from region-model.h.

2020-10-29  David Malcolm <dmalcolm@redhat.com>

	* program-state.cc (sm_state_map::print): Guard the printing of
	the origin pointer with !flag_dump_noaddr.
	* region.cc (string_region::dump_to_pp): Likewise for
	m_string_cst.

2020-10-27  David Malcolm <dmalcolm@redhat.com>

	PR analyzer/97568
	* region-model.cc (region_model::get_initial_value_for_global):
	Move check that !DECL_EXTERNAL from here to...
	* region.cc (decl_region::get_svalue_for_initializer): ...here,
	using it to reject zero initialization.

2020-10-27  Markus Böck <markus.boeck02@gmail.com>

	PR analyzer/96608
	* store.h (hash): Cast to intptr_t instead of long.

2020-10-27  David Malcolm <dmalcolm@redhat.com>

	* constraint-manager.cc (svalue_cmp_by_ptr): Delete.
	(equiv_class::canonicalize): Use svalue::cmp_ptr_ptr instead.
	(equiv_class_cmp): Eliminate pointer comparison.
	* diagnostic-manager.cc (dedupe_key::comparator): If they are at
	the same location, also compare epath length and pending_diagnostic
	kind.
	* engine.cc (readability_comparator): If two path_vars have the
	same readability, then impose an arbitrary ordering on them.
	(worklist::key_t::cmp): If two points have the same plan ordering,
	continue the comparison. Call sm_state_map::cmp rather than
	comparing hash values.
	* program-state.cc (sm_state_map::entry_t::cmp): New.
	(sm_state_map::cmp): New.
	* program-state.h (sm_state_map::entry_t::cmp): New decl.
	(sm_state_map::elements): New.
	(sm_state_map::cmp): New.

2020-10-27  David Malcolm <dmalcolm@redhat.com>

	* engine.cc (setjmp_record::cmp): New.
	(supernode_cluster::dump_dot): Avoid embedding pointer in cluster
	name.
	(supernode_cluster::cmp_ptr_ptr): New.
	(function_call_string_cluster::dump_dot): Avoid embedding pointer
	in cluster name. Sort m_map when dumping child clusters.
	(function_call_string_cluster::cmp_ptr_ptr): New.
	(root_cluster::dump_dot): Sort m_map when dumping child clusters.
	* program-point.cc (function_point::cmp): New.
	(function_point::cmp_ptr): New.
	* program-point.h (function_point::cmp): New decl.
	(function_point::cmp_ptr): New decl.
	* program-state.cc (sm_state_map::print): Sort the values. Guard
	the printing of pointers with !flag_dump_noaddr.
	(program_state::prune_for_point): Sort the regions.
	(log_set_of_svalues): Sort the values. Guard the printing of
	pointers with !flag_dump_noaddr.
	* region-model-manager.cc (log_uniq_map): Sort the values.
	* region-model-reachability.cc (dump_set): New function template.
	(reachable_regions::dump_to_pp): Use it.
	* region-model.h (svalue::cmp_ptr): New decl.
	(svalue::cmp_ptr_ptr): New decl.
	(setjmp_record::cmp): New decl.
	(placeholder_svalue::get_name): New accessor.
	(widening_svalue::get_point): New accessor.
	(compound_svalue::get_map): New accessor.
	(conjured_svalue::get_stmt): New accessor.
	(conjured_svalue::get_id_region): New accessor.
	(region::cmp_ptrs): Rename to...
	(region::cmp_ptr_ptr): ...this.
	* region.cc (region::cmp_ptrs): Rename to...
	(region::cmp_ptr_ptr): ...this.
	* state-purge.cc
	(state_purge_per_ssa_name::state_purge_per_ssa_name): Sort
	m_points_needing_name when dumping.
	* store.cc (concrete_binding::cmp_ptr_ptr): New.
	(symbolic_binding::cmp_ptr_ptr): New.
	(binding_map::cmp): New.
	(get_sorted_parent_regions): Update for renaming of
	region::cmp_ptrs to region::cmp_ptr_ptr.
	(store::dump_to_pp): Likewise.
	(store::to_json): Likewise.
	(store::can_merge_p): Sort the base regions before considering
	them.
	* store.h (concrete_binding::cmp_ptr_ptr): New decl.
	(symbolic_binding::cmp_ptr_ptr): New decl.
	(binding_map::cmp): New decl.
	* supergraph.cc (supergraph::supergraph): Assign UIDs to the
	gimple stmts.
	* svalue.cc (cmp_cst): New.
	(svalue::cmp_ptr): New.
	(svalue::cmp_ptr_ptr): New.

2020-10-27  David Malcolm <dmalcolm@redhat.com>

	* engine.cc (exploded_graph::get_or_create_node): Fix off-by-one
	when imposing param_analyzer_max_enodes_per_program_point limit.

2020-10-27  David Malcolm <dmalcolm@redhat.com>

	* region-model.cc (region_model::get_representative_path_var):
	Implement case RK_LABEL.
	* region-model.h (label_region::get_label): New accessor.

2020-10-22  David Malcolm <dmalcolm@redhat.com>

	PR analyzer/97514
	* engine.cc (exploded_graph::add_function_entry): Handle failure
	to create an enode, rather than asserting.

2020-10-22  David Malcolm <dmalcolm@redhat.com>

	PR analyzer/97489
	* engine.cc (exploded_graph::add_function_entry): Assert that we
	have a function body.
	(exploded_graph::on_escaped_function): Reject fndecls that don't
	have a function body.

2020-10-14  David Malcolm <dmalcolm@redhat.com>

	PR analyzer/93388
	* region-model.cc (region_model::get_initial_value_for_global):
	Fall back to returning an initial_svalue if
	decl_region::get_svalue_for_initializer fails.
	* region.cc (decl_region::get_svalue_for_initializer): Don't
	attempt to create a compound_svalue if the region has an unknown
	size.

2020-10-14  David Malcolm <dmalcolm@redhat.com>

	PR analyzer/93723
	* store.cc (binding_map::apply_ctor_to_region): Remove redundant
	assertion.

2020-10-12  David Malcolm <dmalcolm@redhat.com>

	PR analyzer/97258
	* engine.cc (impl_region_model_context::on_escaped_function): New
	vfunc.
	(exploded_graph::add_function_entry): Use m_functions_with_enodes
	to implement idempotency.
	(add_any_callbacks): New.
	(exploded_graph::build_initial_worklist): Use the above to find
	callbacks that are reachable from global initializers.
	(exploded_graph::on_escaped_function): New.
	* exploded-graph.h
	(impl_region_model_context::on_escaped_function): New decl.
	(exploded_graph::on_escaped_function): New decl.
	(exploded_graph::m_functions_with_enodes): New field.
	* region-model-reachability.cc
	(reachable_regions::reachable_regions): Replace "store" param with
	"model" param; use it to initialize m_model.
	(reachable_regions::add): When getting the svalue for the region,
	call get_store_value on the model rather than using an initial
	value.
	(reachable_regions::mark_escaped_clusters): Add ctxt param and
	use it to call on_escaped_function when a function_region escapes.
	* region-model-reachability.h
	(reachable_regions::reachable_regions): Replace "store" param with
	"model" param.
	(reachable_regions::mark_escaped_clusters): Add ctxt param.
	(reachable_regions::m_model): New field.
	* region-model.cc (region_model::handle_unrecognized_call): Update
	for change in reachable_regions ctor.
	(region_model::handle_unrecognized_call): Pass ctxt to
	mark_escaped_clusters.
	(region_model::get_reachable_svalues): Update for change in
	reachable_regions ctor.
	(region_model::get_initial_value_for_global): Read-only variables
	keep their initial values.
	* region-model.h (region_model_context::on_escaped_function): New
	vfunc.
	(noop_region_model_context::on_escaped_function): New.

2020-10-12  David Malcolm <dmalcolm@redhat.com>

	* analyzer.opt (Wanalyzer-write-to-const): New.
	(Wanalyzer-write-to-string-literal): New.
	* region-model-impl-calls.cc (region_model::impl_call_memcpy):
	Call check_for_writable_region.
	(region_model::impl_call_memset): Likewise.
	(region_model::impl_call_strcpy): Likewise.
	* region-model.cc (class write_to_const_diagnostic): New.
	(class write_to_string_literal_diagnostic): New.
	(region_model::check_for_writable_region): New.
	(region_model::set_value): Call check_for_writable_region.
	* region-model.h (region_model::check_for_writable_region): New
	decl.

2020-10-07  David Malcolm <dmalcolm@redhat.com>

	PR analyzer/97116
	* sm-malloc.cc (method_p): New.
	(describe_argument_index): New.
	(inform_nonnull_attribute): Use describe_argument_index.
	(possible_null_arg::describe_final_event): Likewise.
	(null_arg::describe_final_event): Likewise.

2020-09-29  David Malcolm <dmalcolm@redhat.com>

	PR analyzer/95188
	* engine.cc (stmt_requires_new_enode_p): Split enodes before
	"signal" calls.

2020-09-29  David Malcolm <dmalcolm@redhat.com>

	* constraint-manager.cc
	(constraint_manager::add_constraint_internal): Whitespace fixes.
	Silence -Wsign-compare warning.
	* engine.cc (maybe_process_run_of_before_supernode_enodes):
	Silence -Wsign-compare warning.

2020-09-28  David Malcolm <dmalcolm@redhat.com>

	* region-model.h (binop_svalue::dyn_cast_binop_svalue): Remove
	redundant "virtual". Add FINAL OVERRIDE.
	(widening_svalue::dyn_cast_widening_svalue): Add FINAL OVERRIDE.
	(compound_svalue::dyn_cast_compound_svalue): Likewise.
	(conjured_svalue::dyn_cast_conjured_svalue): Likewise.

2020-09-28  David Malcolm <dmalcolm@redhat.com>

	* diagnostic-manager.cc (null_assignment_sm_context::m_visitor):
	Remove unused field.

2020-09-28  David Malcolm <dmalcolm@redhat.com>

	PR analyzer/97233
	* analyzer.cc (is_longjmp_call_p): Require the initial argument
	to be a pointer.
	* engine.cc (exploded_node::on_longjmp): Likewise.

2020-09-28  David Malcolm <dmalcolm@redhat.com>

	* program-state.cc (sm_state_map::print): Update check
	for m_global_state being the start state.

2020-09-26  David Malcolm <dmalcolm@redhat.com>

	PR analyzer/96646
	PR analyzer/96841
	* region-model.cc (region_model::get_representative_path_var):
	When handling offset_region, wrap the MEM_REF's first argument in
	an ADDR_EXPR of pointer type, rather than simply using the tree
	for the parent region. Require the MEM_REF's second argument to
	be an integer constant.

2020-09-24  David Malcolm <dmalcolm@redhat.com>

	* analyzer.h (struct rejected_constraint): New decl.
	* analyzer.opt (fanalyzer-feasibility): New option.
	* diagnostic-manager.cc (path_builder::path_builder): Add
	"problem" param and use it to initialize new field.
	(path_builder::get_feasibility_problem): New accessor.
	(path_builder::m_feasibility_problem): New field.
	(dedupe_winners::add): Remove inversion of logic in "if" clause,
	swapping if/else suites. In the !feasible_p suite, inspect
	flag_analyzer_feasibility and add code to handle when this
	is off, accepting the infeasible path, but recording the
	feasibility_problem.
	(diagnostic_manager::emit_saved_diagnostic): Pass the
	feasibility_problem to the path_builder.
	(diagnostic_manager::add_events_for_eedge): If we have
	a feasibility_problem at this edge, use it to add a custom event.
	* engine.cc (exploded_path::feasible_p): Pass a
	rejected_constraint ** to model.maybe_update_for_edge and transfer
	ownership of any created instance to any feasibility_problem.
	(feasibility_problem::dump_to_pp): New.
	* exploded-graph.h (feasibility_problem::feasibility_problem):
	Drop "model" param; add rejected_constraint * param.
	(feasibility_problem::~feasibility_problem): New.
	(feasibility_problem::dump_to_pp): New decl.
	(feasibility_problem::m_model): Drop field.
	(feasibility_problem::m_rc): New field.
	* program-point.cc (function_point::get_location): Handle
	PK_BEFORE_SUPERNODE and PK_AFTER_SUPERNODE.
	* program-state.cc (program_state::on_edge): Pass NULL to new
	param of region_model::maybe_update_for_edge.
	* region-model.cc (region_model::add_constraint): New overload
	adding a rejected_constraint ** param.
	(region_model::maybe_update_for_edge): Add rejected_constraint **
	param and pass it to the various apply_constraints_for_ calls.
	(region_model::apply_constraints_for_gcond): Add
	rejected_constraint ** param and pass it to add_constraint calls.
	(region_model::apply_constraints_for_gswitch): Likewise.
	(region_model::apply_constraints_for_exception): Likewise.
	(rejected_constraint::dump_to_pp): New.
	* region-model.h (region_model::maybe_update_for_edge):
	Add rejected_constraint ** param.
	(region_model::add_constraint): New overload adding a
	rejected_constraint ** param.
	(region_model::apply_constraints_for_gcond): Add
	rejected_constraint ** param.
	(region_model::apply_constraints_for_gswitch): Likewise.
	(region_model::apply_constraints_for_exception): Likewise.
	(struct rejected_constraint): New.

2020-09-23  David Malcolm <dmalcolm@redhat.com>

	PR analyzer/97178
	* engine.cc (impl_run_checkers): Update for change to ext_state
	ctor.
	* program-state.cc (selftest::test_sm_state_map): Pass an engine
	instance to ext_state ctor.
	(selftest::test_program_state_1): Likewise.
	(selftest::test_program_state_2): Likewise.
	(selftest::test_program_state_merging): Likewise.
	(selftest::test_program_state_merging_2): Likewise.
	* program-state.h (extrinsic_state::extrinsic_state): Remove NULL
	default value for "eng" param.

2020-09-23  Tobias Burnus <tobias@codesourcery.com>

	* analyzer-logging.cc: Guard '#pragma ... ignored "-Wformat-diag"'
	by '#if __GNUC__ >= 10'.
	* analyzer.h: Likewise.
	* call-string.cc: Likewise.

2020-09-23  David Malcolm <dmalcolm@redhat.com>

	* engine.cc (exploded_node::on_stmt): Replace sequence of dyn_cast
	with switch.

76752020-09-22 David Malcolm <dmalcolm@redhat.com>
7676
	* analysis-plan.cc: Include "json.h".
	* analyzer.opt (fdump-analyzer-json): New.
	* call-string.cc: Include "json.h".
	(call_string::to_json): New.
	* call-string.h (call_string::to_json): New decl.
	* checker-path.cc: Include "json.h".
	* constraint-manager.cc: Include "json.h".
	(equiv_class::to_json): New.
	(constraint::to_json): New.
	(constraint_manager::to_json): New.
	* constraint-manager.h (equiv_class::to_json): New decl.
	(constraint::to_json): New decl.
	(constraint_manager::to_json): New decl.
	* diagnostic-manager.cc: Include "json.h".
	(saved_diagnostic::to_json): New.
	(diagnostic_manager::to_json): New.
	* diagnostic-manager.h (saved_diagnostic::to_json): New decl.
	(diagnostic_manager::to_json): New decl.
	* engine.cc: Include "json.h", <zlib.h>.
	(exploded_node::status_to_str): New.
	(exploded_node::to_json): New.
	(exploded_edge::to_json): New.
	(exploded_graph::to_json): New.
	(dump_analyzer_json): New.
	(impl_run_checkers): Call it.
	* exploded-graph.h (exploded_node::status_to_str): New decl.
	(exploded_node::to_json): New.
	(exploded_edge::to_json): New.
	(exploded_graph::to_json): New.
	* pending-diagnostic.cc: Include "json.h".
	* program-point.cc: Include "json.h".
	(program_point::to_json): New.
	* program-point.h (program_point::to_json): New decl.
	* program-state.cc: Include "json.h".
	(extrinsic_state::to_json): New.
	(sm_state_map::to_json): New.
	(program_state::to_json): New.
	* program-state.h (extrinsic_state::to_json): New decl.
	(sm_state_map::to_json): New decl.
	(program_state::to_json): New decl.
	* region-model-impl-calls.cc: Include "json.h".
	* region-model-manager.cc: Include "json.h".
	* region-model-reachability.cc: Include "json.h".
	* region-model.cc: Include "json.h".
	* region-model.h (svalue::to_json): New decl.
	(region::to_json): New decl.
	* region.cc: Include "json.h".
	(region::to_json): New.
	* sm-file.cc: Include "json.h".
	* sm-malloc.cc: Include "json.h".
	* sm-pattern-test.cc: Include "json.h".
	* sm-sensitive.cc: Include "json.h".
	* sm-signal.cc: Include "json.h".
	(signal_delivery_edge_info_t::to_json): New.
	* sm-taint.cc: Include "json.h".
	* sm.cc: Include "diagnostic.h", "tree-diagnostic.h", and
	"json.h".
	(state_machine::state::to_json): New.
	(state_machine::to_json): New.
	* sm.h (state_machine::state::to_json): New.
	(state_machine::to_json): New.
	* state-purge.cc: Include "json.h".
	* store.cc: Include "json.h".
	(binding_key::get_desc): New.
	(binding_map::to_json): New.
	(binding_cluster::to_json): New.
	(store::to_json): New.
	* store.h (binding_key::get_desc): New decl.
	(binding_map::to_json): New decl.
	(binding_cluster::to_json): New decl.
	(store::to_json): New decl.
	* supergraph.cc: Include "json.h".
	(supergraph::to_json): New.
	(supernode::to_json): New.
	(superedge::to_json): New.
	* supergraph.h (supergraph::to_json): New decl.
	(supernode::to_json): New decl.
	(superedge::to_json): New decl.
	* svalue.cc: Include "json.h".
	(svalue::to_json): New.

2020-09-21  David Malcolm  <dmalcolm@redhat.com>

	PR analyzer/97130
	* region-model-impl-calls.cc (call_details::get_arg_type): New.
	* region-model.cc (region_model::on_call_pre): Check that the
	initial arg is a pointer before calling impl_call_memset and
	impl_call_strlen.
	* region-model.h (call_details::get_arg_type): New decl.

2020-09-21  David Malcolm  <dmalcolm@redhat.com>

	PR analyzer/93355
	* sm-malloc.cc (malloc_state_machine::get_default_state): Look at
	the base region when considering pointers.  Treat pointers to
	decls as being non-heap.

2020-09-18  David Malcolm  <dmalcolm@redhat.com>

	* checker-path.cc (warning_event::get_desc): Handle global state
	changes.

2020-09-18  David Malcolm  <dmalcolm@redhat.com>

	* sm-malloc.cc (malloc_state_machine::on_stmt): Handle strdup and
	strndup as being malloc-like allocators.

2020-09-16  David Malcolm  <dmalcolm@redhat.com>

	* engine.cc (strongly_connected_components::strong_connect): Only
	consider intraprocedural edges when creating SCCs.
	(worklist::key_t::cmp): Add comment.  Treat call_string
	differences as more important than differences of program_point
	within a supernode.

2020-09-16  David Malcolm  <dmalcolm@redhat.com>

	* engine.cc (supernode_cluster::dump_dot): Show the SCC id
	in the per-supernode clusters in FILENAME.eg.dot output.
	(exploded_graph_annotator::add_node_annotations):
	Show the SCC of the supernode in FILENAME.supernode.eg.dot output.
	* exploded-graph.h (worklist::scc_id): New.
	(exploded_graph::get_scc_id): New.

2020-09-16  David Malcolm  <dmalcolm@redhat.com>

	* engine.cc (exploded_node::dump_dot): Show STATUS_BULK_MERGED.
	(exploded_graph::process_worklist): Call
	maybe_process_run_of_before_supernode_enodes.
	(exploded_graph::maybe_process_run_of_before_supernode_enodes):
	New.
	(exploded_graph_annotator::print_enode): Show STATUS_BULK_MERGED.
	* exploded-graph.h (enum exploded_node::status): Add
	STATUS_BULK_MERGED.

2020-09-16  David Malcolm  <dmalcolm@redhat.com>

	* engine.cc
	(exploded_graph::process_node) <case PK_BEFORE_SUPERNODE>:
	Simplify by using program_point::get_next.
	* program-point.cc (program_point::get_next): New.
	* program-point.h (program_point::get_next): New decl.

2020-09-16  David Malcolm  <dmalcolm@redhat.com>

	* engine.cc (exploded_graph::get_or_create_node): Show the
	program point when issuing -Wanalyzer-too-complex due to hitting
	the per-program-point limit.

2020-09-16  David Malcolm  <dmalcolm@redhat.com>

	* region-model.cc (region_model::on_call_pre): Treat getchar as
	having no side-effects.

2020-09-15  David Malcolm  <dmalcolm@redhat.com>

	PR analyzer/96650
	* constraint-manager.cc (merger_fact_visitor::on_fact): Replace
	assertion that add_constraint succeeded with an assertion that
	if it fails, -fanalyzer-transitivity is off.

2020-09-14  David Malcolm  <dmalcolm@redhat.com>

	* analyzer.opt (-param=analyzer-max-constraints=): New param.
	* constraint-manager.cc
	(constraint_manager::add_constraint_internal): Silently reject
	attempts to add constraints when the above limit is reached.

2020-09-14  David Malcolm  <dmalcolm@redhat.com>

	PR analyzer/96653
	* constraint-manager.cc
	(constraint_manager::get_or_add_equiv_class): Don't accumulate
	transitive closure of all constraints on constants.

2020-09-14  David Malcolm  <dmalcolm@redhat.com>

	PR analyzer/97029
	* analyzer.cc (is_setjmp_call_p): Require the initial arg to be a
	pointer.
	* region-model.cc (region_model::deref_rvalue): Assert that the
	svalue is of pointer type.

2020-09-11  David Malcolm  <dmalcolm@redhat.com>

	PR analyzer/96798
	* region-model-impl-calls.cc (region_model::impl_call_memcpy):
	New.
	(region_model::impl_call_strcpy): New.
	* region-model.cc (region_model::on_call_pre): Flag unhandled
	builtins that are non-pure as having unknown side-effects.
	Implement BUILT_IN_MEMCPY, BUILT_IN_MEMCPY_CHK, BUILT_IN_STRCPY,
	BUILT_IN_STRCPY_CHK, BUILT_IN_FPRINTF, BUILT_IN_FPRINTF_UNLOCKED,
	BUILT_IN_PUTC, BUILT_IN_PUTC_UNLOCKED, BUILT_IN_FPUTC,
	BUILT_IN_FPUTC_UNLOCKED, BUILT_IN_FPUTS, BUILT_IN_FPUTS_UNLOCKED,
	BUILT_IN_FWRITE, BUILT_IN_FWRITE_UNLOCKED, BUILT_IN_PRINTF,
	BUILT_IN_PRINTF_UNLOCKED, BUILT_IN_PUTCHAR,
	BUILT_IN_PUTCHAR_UNLOCKED, BUILT_IN_PUTS, BUILT_IN_PUTS_UNLOCKED,
	BUILT_IN_VFPRINTF, BUILT_IN_VPRINTF.
	* region-model.h (region_model::impl_call_memcpy): New decl.
	(region_model::impl_call_strcpy): New decl.

2020-09-09  David Malcolm  <dmalcolm@redhat.com>

	PR analyzer/94355
	* analyzer.opt (Wanalyzer-mismatching-deallocation): New warning.
	* region-model-impl-calls.cc
	(region_model::impl_call_operator_new): New.
	(region_model::impl_call_operator_delete): New.
	* region-model.cc (region_model::on_call_pre): Detect operator new
	and operator delete.
	(region_model::on_call_post): Likewise.
	(region_model::maybe_update_for_edge): Detect EH edges and call...
	(region_model::apply_constraints_for_exception): New function.
	* region-model.h (region_model::impl_call_operator_new): New decl.
	(region_model::impl_call_operator_delete): New decl.
	(region_model::apply_constraints_for_exception): New decl.
	* sm-malloc.cc (enum resource_state): New.
	(struct allocation_state): New state subclass.
	(enum wording): New.
	(struct api): New.
	(malloc_state_machine::custom_data_t): New typedef.
	(malloc_state_machine::add_state): New decl.
	(malloc_state_machine::m_unchecked)
	(malloc_state_machine::m_nonnull)
	(malloc_state_machine::m_freed): Delete these states in favor
	of...
	(malloc_state_machine::m_malloc)
	(malloc_state_machine::m_scalar_new)
	(malloc_state_machine::m_vector_new): ...these new api instances,
	which own their own versions of these states.
	(malloc_state_machine::on_allocator_call): New decl.
	(malloc_state_machine::on_deallocator_call): New decl.
	(api::api): New ctor.
	(dyn_cast_allocation_state): New.
	(as_a_allocation_state): New.
	(get_rs): New.
	(unchecked_p): New.
	(nonnull_p): New.
	(freed_p): New.
	(malloc_diagnostic::describe_state_change): Use unchecked_p and
	nonnull_p.
	(class mismatching_deallocation): New.
	(double_free::double_free): Add funcname param for initializing
	m_funcname.
	(double_free::emit): Use m_funcname in warning message rather
	than hardcoding "free".
	(double_free::describe_state_change): Likewise.  Use freed_p.
	(double_free::describe_call_with_state): Use freed_p.
	(double_free::describe_final_event): Use m_funcname in message
	rather than hardcoding "free".
	(double_free::m_funcname): New field.
	(possible_null::describe_state_change): Use unchecked_p.
	(possible_null::describe_return_of_state): Likewise.
	(use_after_free::use_after_free): Add param for initializing m_api.
	(use_after_free::emit): Use m_api->m_dealloc_funcname in message
	rather than hardcoding "free".
	(use_after_free::describe_state_change): Use freed_p.  Change the
	wording of the message based on the API.
	(use_after_free::describe_final_event): Use
	m_api->m_dealloc_funcname in message rather than hardcoding
	"free".  Change the wording of the message based on the API.
	(use_after_free::m_api): New field.
	(malloc_leak::describe_state_change): Use unchecked_p.  Update
	for renaming of m_malloc_event to m_alloc_event.
	(malloc_leak::describe_final_event): Update for renaming of
	m_malloc_event to m_alloc_event.
	(malloc_leak::m_malloc_event): Rename...
	(malloc_leak::m_alloc_event): ...to this.
	(free_of_non_heap::free_of_non_heap): Add param for initializing
	m_funcname.
	(free_of_non_heap::emit): Use m_funcname in message rather than
	hardcoding "free".
	(free_of_non_heap::describe_final_event): Likewise.
	(free_of_non_heap::m_funcname): New field.
	(allocation_state::dump_to_pp): New.
	(allocation_state::get_nonnull): New.
	(malloc_state_machine::malloc_state_machine): Update for changes
	to state fields and new api fields.
	(malloc_state_machine::add_state): New.
	(malloc_state_machine::on_stmt): Move malloc/calloc handling to
	on_allocator_call and call it, passing in the API pointer.
	Likewise for free, moving it to on_deallocator_call.  Handle calls
	to operator new and delete in an analogous way.  Use unchecked_p
	when testing for possibly-null-arg and possibly-null-deref, and
	transition to the non-null for the correct API.  Remove redundant
	node param from call to on_zero_assignment.  Use freed_p for
	use-after-free check, and pass in API.
	(malloc_state_machine::on_allocator_call): New, based on code in
	on_stmt.
	(malloc_state_machine::on_deallocator_call): Likewise.
	(malloc_state_machine::on_phi): Mark node param with
	ATTRIBUTE_UNUSED; don't pass it to on_zero_assignment.
	(malloc_state_machine::on_condition): Mark node param with
	ATTRIBUTE_UNUSED.  Replace on_transition calls with get_state and
	set_next_state pairs, transitioning to the non-null state for the
	appropriate API.
	(malloc_state_machine::can_purge_p): Port to new state approach.
	(malloc_state_machine::on_zero_assignment): Replace on_transition
	calls with get_state and set_next_state pairs.  Drop redundant
	node param.
	* sm.h (state_machine::add_custom_state): New.

2020-09-09  David Malcolm  <dmalcolm@redhat.com>

	* diagnostic-manager.cc
	(null_assignment_sm_context::warn_for_state): Replace with...
	(null_assignment_sm_context::warn): ...this.
	* engine.cc (impl_sm_context::warn_for_state): Replace with...
	(impl_sm_context::warn): ...this.
	* sm-file.cc (fileptr_state_machine::on_stmt): Replace
	warn_for_state and on_transition calls with a get_state
	test guarding warn and set_next_state calls.
	* sm-malloc.cc (malloc_state_machine::on_stmt): Likewise.
	* sm-pattern-test.cc (pattern_test_state_machine::on_condition):
	Replace warn_for_state call with warn call.
	* sm-sensitive.cc
	(sensitive_state_machine::warn_for_any_exposure): Replace
	warn_for_state call with a get_state test guarding a warn call.
	* sm-signal.cc (signal_state_machine::on_stmt): Likewise.
	* sm-taint.cc (taint_state_machine::on_stmt): Replace
	warn_for_state and on_transition calls with a get_state
	test guarding warn and set_next_state calls.
	* sm.h (sm_context::warn_for_state): Replace with...
	(sm_context::warn): ...this.

2020-09-09  David Malcolm  <dmalcolm@redhat.com>

	* diagnostic-manager.cc
	(null_assignment_sm_context::null_assignment_sm_context): Add old_state
	and ext_state params, initializing m_old_state and m_ext_state.
	(null_assignment_sm_context::on_transition): Split into...
	(null_assignment_sm_context::get_state): ...this new vfunc
	implementation and...
	(null_assignment_sm_context::set_next_state): ...this new vfunc
	implementation.
	(null_assignment_sm_context::m_old_state): New field.
	(null_assignment_sm_context::m_ext_state): New field.
	(diagnostic_manager::add_events_for_eedge): Pass in old state and
	ext_state when creating sm_ctxt.
	* engine.cc (impl_sm_context::on_transition): Split into...
	(impl_sm_context::get_state): ...this new vfunc
	implementation and...
	(impl_sm_context::set_next_state): ...this new vfunc
	implementation.
	* sm.h (sm_context::get_state): New pure virtual function.
	(sm_context::set_next_state): Likewise.
	(sm_context::on_transition): Convert from a pure virtual function
	to a regular function implemented in terms of get_state and
	set_next_state.

2020-09-09  David Malcolm  <dmalcolm@redhat.com>

	* checker-path.cc (state_change_event::get_desc): Update
	state_machine::get_state_name calls to state::get_name.
	(warning_event::get_desc): Likewise.
	* diagnostic-manager.cc
	(null_assignment_sm_context::on_transition): Update comparison
	against 0 with comparison with m_sm.get_start_state.
	(diagnostic_manager::prune_for_sm_diagnostic): Update
	state_machine::get_state_name calls to state::get_name.
	* engine.cc (impl_sm_context::on_transition): Likewise.
	(exploded_node::get_dot_fillcolor): Use get_id when summing
	the sm states.
	* program-state.cc (sm_state_map::sm_state_map): Don't hardcode
	0 as the start state when initializing m_global_state.
	(sm_state_map::print): Use dump_to_pp rather than get_state_name
	when dumping states.
	(sm_state_map::is_empty_p): Don't hardcode 0 as the start state
	when examining m_global_state.
	(sm_state_map::hash): Use get_id when hashing states.
	(selftest::test_sm_state_map): Use state objects rather than
	arbitrary hardcoded integers.
	(selftest::test_program_state_merging): Likewise.
	(selftest::test_program_state_merging_2): Likewise.
	* sm-file.cc (fileptr_state_machine::m_start): Move to base class.
	(file_diagnostic::describe_state_change): Use get_start_state.
	(fileptr_state_machine::fileptr_state_machine): Drop m_start
	initialization.
	* sm-malloc.cc (malloc_state_machine::m_start): Move to base
	class.
	(malloc_diagnostic::describe_state_change): Use get_start_state.
	(possible_null::describe_state_change): Likewise.
	(malloc_state_machine::malloc_state_machine): Drop m_start
	initialization.
	* sm-pattern-test.cc (pattern_test_state_machine::m_start): Move
	to base class.
	(pattern_test_state_machine::pattern_test_state_machine): Drop
	m_start initialization.
	* sm-sensitive.cc (sensitive_state_machine::m_start): Move to base
	class.
	(sensitive_state_machine::sensitive_state_machine): Drop m_start
	initialization.
	* sm-signal.cc (signal_state_machine::m_start): Move to base
	class.
	(signal_state_machine::signal_state_machine): Drop m_start
	initialization.
	* sm-taint.cc (taint_state_machine::m_start): Move to base class.
	(taint_state_machine::taint_state_machine): Drop m_start
	initialization.
	* sm.cc (state_machine::state::dump_to_pp): New.
	(state_machine::state_machine): Move here from sm.h.  Initialize
	m_next_state_id and m_start.
	(state_machine::add_state): Reimplement in terms of state objects.
	(state_machine::get_state_name): Delete.
	(state_machine::get_state_by_name): Reimplement in terms of state
	objects.  Make const.
	(state_machine::validate): Delete.
	(state_machine::dump_to_pp): Reimplement in terms of state
	objects.
	* sm.h (state_machine::state): New class.
	(state_machine::state_t): Convert typedef from "unsigned" to
	"const state_machine::state *".
	(state_machine::state_machine): Move to sm.cc.
	(state_machine::get_default_state): Use m_start rather than
	hardcoding 0.
	(state_machine::get_state_name): Delete.
	(state_machine::get_state_by_name): Make const.
	(state_machine::get_start_state): New accessor.
	(state_machine::alloc_state_id): New.
	(state_machine::m_state_names): Drop in favor of...
	(state_machine::m_states): New field.
	(state_machine::m_start): New field.
	(start_start_p): Delete.

2020-09-08  David Malcolm  <dmalcolm@redhat.com>

	PR analyzer/96949
	* store.cc (binding_map::apply_ctor_val_to_range): Add
	error-handling for the cases where we have symbolic offsets.

2020-09-08  David Malcolm  <dmalcolm@redhat.com>

	PR analyzer/96950
	* store.cc (binding_map::apply_ctor_to_region): Handle RANGE_EXPR
	where min_index == max_index.
	(binding_map::apply_ctor_val_to_range): Replace assertion that we
	don't have a CONSTRUCTOR value with error-handling.

2020-09-08  David Malcolm  <dmalcolm@redhat.com>

	PR analyzer/96962
	* region-model.cc (region_model::on_call_pre): Fix guard on switch
	on built-ins to only consider BUILT_IN_NORMAL, rather than other
	kinds of built-ins.

2020-09-01  David Malcolm  <dmalcolm@redhat.com>

	PR analyzer/96792
	* region-model.cc (region_model::deref_rvalue): Add the constraint
	that PTR_SVAL is non-NULL.

2020-08-31  David Malcolm  <dmalcolm@redhat.com>

	PR analyzer/96798
	* region-model.cc (region_model::on_call_pre): Handle
	BUILT_IN_MEMSET_CHK.

2020-08-31  David Malcolm  <dmalcolm@redhat.com>

	* region-model.cc (region_model::on_call_pre): Gather handling of
	builtins and of internal fns into switch statements.  Handle
	"alloca" and BUILT_IN_ALLOCA_WITH_ALIGN.

2020-08-31  David Malcolm  <dmalcolm@redhat.com>

	PR analyzer/96860
	* region.cc (decl_region::get_svalue_for_constructor): Support
	apply_ctor_to_region failing.
	* store.cc (binding_map::apply_ctor_to_region): Add failure
	handling.
	(binding_map::apply_ctor_val_to_range): Likewise.
	(binding_map::apply_ctor_pair_to_child_region): Likewise.  Replace
	assertion that child_base_offset is not symbolic with error
	handling.
	* store.h (binding_map::apply_ctor_to_region): Convert return type
	from void to bool.
	(binding_map::apply_ctor_val_to_range): Likewise.
	(binding_map::apply_ctor_pair_to_child_region): Likewise.

2020-08-31  David Malcolm  <dmalcolm@redhat.com>

	PR analyzer/96763
	* store.cc (binding_map::apply_ctor_to_region): Handle RANGE_EXPR
	by calling a new binding_map::apply_ctor_val_to_range subroutine.
	Split out the existing non-CONSTRUCTOR-handling code to a new
	apply_ctor_pair_to_child_region subroutine.
	(binding_map::apply_ctor_val_to_range): New.
	(binding_map::apply_ctor_pair_to_child_region): New, split out
	from binding_map::apply_ctor_to_region as noted above.
	* store.h (binding_map::apply_ctor_val_to_range): New decl.
	(binding_map::apply_ctor_pair_to_child_region): New decl.

2020-08-31  David Malcolm  <dmalcolm@redhat.com>

	PR analyzer/96764
	* region-model-manager.cc
	(region_model_manager::maybe_fold_unaryop): Handle VIEW_CONVERT_EXPR.
	(region_model_manager::get_or_create_cast): Move logic for
	real->integer casting to...
	(get_code_for_cast): ...this new function, and add logic for
	real->non-integer casts.
	(region_model_manager::maybe_fold_sub_svalue): Handle
	VIEW_CONVERT_EXPR.
	* region-model.cc
	(region_model::add_any_constraints_from_gassign): Likewise.
	* svalue.cc (svalue::maybe_undo_cast): Likewise.
	(unaryop_svalue::dump_to_pp): Likewise.

2020-08-26  David Malcolm  <dmalcolm@redhat.com>

	PR analyzer/94858
	* region-model-manager.cc
	(region_model_manager::get_or_create_widening_svalue): Assert that
	neither of the inputs are themselves widenings.
	* store.cc (store::eval_alias_1): The initial value of a pointer
	can't point to a region that was allocated on the heap after the
	beginning of the path.  A widened pointer value can't alias anything
	that the initial pointer value can't alias.
	* svalue.cc (svalue::can_merge_p): Merge BINOP (X, OP, CST) with X
	to a widening svalue.  Merge
	BINOP(WIDENING(BASE, BINOP(BASE, X)), X) and BINOP(BASE, X) to
	the LHS of the first BINOP.

2020-08-26  David Malcolm  <dmalcolm@redhat.com>

	PR analyzer/96777
	* region-model.h (class compound_svalue): Document that all keys
	must be concrete.
	(compound_svalue::compound_svalue): Move definition to svalue.cc.
	* store.cc (binding_map::apply_ctor_to_region): Handle
	initializers for trailing arrays with incomplete size.
	* svalue.cc (compound_svalue::compound_svalue): Move definition
	here from region-model.h.  Add assertion that all keys are
	concrete.

2020-08-22  David Malcolm  <dmalcolm@redhat.com>

	PR analyzer/94851
	* region-model-manager.cc
	(region_model_manager::maybe_fold_binop): Fold bitwise "& 0" to 0.

2020-08-22  David Malcolm  <dmalcolm@redhat.com>

	* store.cc (store::eval_alias): Make const.  Split out 2nd half
	into store::eval_alias_1 and call it twice for symmetry, avoiding
	test duplication.
	(store::eval_alias_1): New function, split out from the above.
	* store.h (store::eval_alias): Make const.
	(store::eval_alias_1): New decl.

2020-08-22  David Malcolm  <dmalcolm@redhat.com>

	* region-model.cc (region_model::push_frame): Bind the default
	SSA name for each parm if it exists, falling back to the parm
	itself otherwise, rather than doing both.

2020-08-20  David Malcolm  <dmalcolm@redhat.com>

	PR analyzer/96723
	* region-model-manager.cc
	(region_model_manager::get_field_region): Assert that field is a
	FIELD_DECL.
	* region.cc (region::get_subregions_for_binding): In
	union-handling, filter the TYPE_FIELDS traversal to just FIELD_DECLs.

2020-08-20  David Malcolm  <dmalcolm@redhat.com>

	PR analyzer/96713
	* region-model.cc (region_model::get_gassign_result): For
	comparisons, only use eval_condition when the lhs has boolean
	type, and use get_or_create_constant_svalue on the boolean
	constants directly rather than via get_rvalue.

2020-08-19  David Malcolm  <dmalcolm@redhat.com>

	PR analyzer/96643
	* region-model.cc (region_model::deref_rvalue): Rather than
	attempting to handle all svalue kinds in the switch, only cover
	the special cases, and move symbolic-region handling to after
	the switch, thus implicitly handling the missing case SK_COMPOUND.

2020-08-19  David Malcolm  <dmalcolm@redhat.com>

	PR analyzer/96705
	* region-model-manager.cc
	(region_model_manager::maybe_fold_binop): Check that we have an
	integral type before calling build_int_cst.

2020-08-19  David Malcolm  <dmalcolm@redhat.com>

	PR analyzer/96699
	* region-model-manager.cc
	(region_model_manager::get_or_create_cast): Use FIX_TRUNC_EXPR for
	casting from REAL_TYPE to INTEGER_TYPE.

2020-08-19  David Malcolm  <dmalcolm@redhat.com>

	PR analyzer/96651
	* region-model.cc (region_model::called_from_main_p): New.
	(region_model::get_store_value): Move handling for globals into...
	(region_model::get_initial_value_for_global): ...this new
	function, and add logic for extracting values from decl
	initializers.
	* region-model.h (decl_region::get_svalue_for_constructor): New
	decl.
	(decl_region::get_svalue_for_initializer): New decl.
	(region_model::called_from_main_p): New decl.
	(region_model::get_initial_value_for_global): New.
	* region.cc (decl_region::maybe_get_constant_value): Move logic
	for getting an svalue from a CONSTRUCTOR node to...
	(decl_region::get_svalue_for_constructor): ...this new function.
	(decl_region::get_svalue_for_initializer): New.
	* store.cc (get_svalue_for_ctor_val): Rewrite in terms of
	region_model::get_rvalue.
	* store.h (binding_cluster::get_map): New accessor.

2020-08-19  David Malcolm  <dmalcolm@redhat.com>

	PR analyzer/96648
	* region.cc (get_field_at_bit_offset): Gracefully handle negative
	values for bit_offset.

2020-08-18  David Malcolm  <dmalcolm@redhat.com>

	* region-model.cc (region_model::get_rvalue_1): Fix name of local.

2020-08-18  David Malcolm  <dmalcolm@redhat.com>

	PR analyzer/96641
	* region-model.cc (region_model::get_rvalue_1): Handle
	unrecognized tree codes by returning "UNKNOWN".

2020-08-18  David Malcolm  <dmalcolm@redhat.com>

	PR analyzer/96640
	* region-model.cc (region_model::get_gassign_result): Handle various
	VEC_* tree codes by returning UNKNOWN.
	(region_model::on_assignment): Handle unrecognized tree codes by
	setting lhs to an unknown value, rather than issuing a "sorry" and
	asserting.

2020-08-17  David Malcolm  <dmalcolm@redhat.com>

	PR analyzer/96644
	* region-model-manager.cc (get_region_for_unexpected_tree_code):
	Handle ctxt being NULL.

2020-08-17  David Malcolm  <dmalcolm@redhat.com>

	PR analyzer/96639
	* region.cc (region::get_subregions_for_binding): Check for "type"
	being NULL.

2020-08-17  David Malcolm  <dmalcolm@redhat.com>

	PR analyzer/96642
	* store.cc (get_svalue_for_ctor_val): New.
	(binding_map::apply_ctor_to_region): Call it.

2020-08-14  David Malcolm  <dmalcolm@redhat.com>

	PR testsuite/96609
	PR analyzer/96616
	* region-model.cc (region_model::get_store_value): Call
	maybe_get_constant_value on decl_regions first.
	* region-model.h (decl_region::maybe_get_constant_value): New decl.
	* region.cc (decl_region::get_stack_depth): Likewise.
	(decl_region::maybe_get_constant_value): New.
	* store.cc (get_subregion_within_ctor): New.
	(binding_map::apply_ctor_to_region): New.
	* store.h (binding_map::apply_ctor_to_region): New decl.

2020-08-14  David Malcolm  <dmalcolm@redhat.com>

	PR analyzer/96611
	* store.cc (store::mark_as_escaped): Reject attempts to
	get a cluster for an unknown pointer.

2020-08-13  David Malcolm  <dmalcolm@redhat.com>

	PR analyzer/93032
	PR analyzer/93938
	PR analyzer/94011
	PR analyzer/94099
	PR analyzer/94399
	PR analyzer/94458
	PR analyzer/94503
	PR analyzer/94640
	PR analyzer/94688
	PR analyzer/94689
	PR analyzer/94839
	PR analyzer/95026
	PR analyzer/95042
	PR analyzer/95240
8372 * analyzer-logging.cc: Ignore "-Wformat-diag".
8373 (logger::enter_scope): Use inc_indent in both overloads.
8374 (logger::exit_scope): Use dec_indent.
8375 * analyzer-logging.h (logger::inc_indent): New.
8376 (logger::dec_indent): New.
8377 * analyzer-selftests.cc (run_analyzer_selftests): Call
8378 analyzer_store_cc_tests.
8379 * analyzer-selftests.h (analyzer_store_cc_tests): New decl.
8380 * analyzer.cc (get_stmt_location): New function.
8381 * analyzer.h (class initial_svalue): New forward decl.
8382 (class unaryop_svalue): New forward decl.
8383 (class binop_svalue): New forward decl.
8384 (class sub_svalue): New forward decl.
8385 (class unmergeable_svalue): New forward decl.
8386 (class placeholder_svalue): New forward decl.
8387 (class widening_svalue): New forward decl.
8388 (class compound_svalue): New forward decl.
8389 (class conjured_svalue): New forward decl.
8390 (svalue_set): New typedef.
8391 (class map_region): Delete.
8392 (class array_region): Delete.
8393 (class frame_region): New forward decl.
8394 (class function_region): New forward decl.
8395 (class label_region): New forward decl.
8396 (class decl_region): New forward decl.
8397 (class element_region): New forward decl.
8398 (class offset_region): New forward decl.
8399 (class cast_region): New forward decl.
8400 (class field_region): New forward decl.
8401 (class string_region): New forward decl.
8402 (class region_model_manager): New forward decl.
8403 (class store_manager): New forward decl.
8404 (class store): New forward decl.
8405 (class call_details): New forward decl.
8406 (struct svalue_id_merger_mapping): Delete.
8407 (struct canonicalization): Delete.
8408 (class function_point): New forward decl.
8409 (class engine): New forward decl.
8410 (dump_tree): New function decl.
8411 (print_quoted_type): New function decl.
8412 (readability_comparator): New function decl.
8413 (tree_cmp): New function decl.
8414 (class path_var): Move here from region-model.h
8415 (bit_offset_t, bit_size_t, byte_size_t): New typedefs.
8416 (class region_offset): New class.
8417 (get_stmt_location): New decl.
8418 (struct member_function_hash_traits): New struct.
8419 (class consolidation_map): New class.
8420 Ignore "-Wformat-diag".
8421 * analyzer.opt (-param=analyzer-max-svalue-depth=): New param.
8422 (-param=analyzer-max-enodes-for-full-dump=): New param.
8423 * call-string.cc: Ignore -Wformat-diag.
8424 * checker-path.cc: Move includes of "analyzer/call-string.h" and
8425 "analyzer/program-point.h" to before "analyzer/region-model.h",
8426 and also include "analyzer/store.h" before it.
8427 (state_change_event::state_change_event): Replace "tree var" param
8428 with "const svalue *sval". Convert "origin" param from tree to
8429 "const svalue *".
8430 (state_change_event::get_desc): Call get_representative_tree to
8431 convert the var and origin from const svalue * to tree. Use
8432 svalue::get_desc rather than %qE when describing state changes.
8433 (checker_path::add_final_event): Use get_stmt_location.
8434 * checker-path.h (state_change_event::state_change_event): Port
8435 from tree to const svalue *.
8436 (state_change_event::get_lvalue): Delete.
8437 (state_change_event::get_dest_function): New.
8438 (state_change_event::m_var): Replace with...
8439 (state_change_event::m_sval): ...this.
8440 (state_change_event::m_origin): Convert from tree to
8441 const svalue *.
8442 * constraint-manager.cc: Include "analyzer/call-string.h",
8443 "analyzer/program-point.h", and "analyzer/store.h" before
8444 "analyzer/region-model.h".
8445 (struct bound, struct range): Move to constraint-manager.h.
8446 (compare_constants): New function.
8447 (range::dump): Rename to...
8448 (range::dump_to_pp): ...this. Support NULL constants.
8449 (range::dump): Reintroduce for dumping to stderr.
8450 (range::constrained_to_single_element): Return result, rather than
8451 writing to *OUT.
8452 (range::eval_condition): New.
8453 (range::below_lower_bound): New.
8454 (range::above_upper_bound): New.
8455 (equiv_class::equiv_class): Port from svalue_id to const svalue *.
8456 (equiv_class::print): Likewise.
8457 (equiv_class::hash): Likewise.
8458 (equiv_class::operator==): Port from svalue_id to const svalue *.
8459 (equiv_class::add): Port from svalue_id to const svalue *. Drop
8460 "cm" param.
8461 (equiv_class::del): Port from svalue_id to const svalue *.
8462 (equiv_class::get_representative): Likewise.
8463 (equiv_class::remap_svalue_ids): Delete.
8464 (svalue_id_cmp_by_id): Rename to...
8465 (svalue_cmp_by_ptr): ...this, porting from svalue_id to
8466 const svalue *.
8467 (equiv_class::canonicalize): Update qsort comparator.
8468 (constraint::implied_by): New.
8469 (constraint_manager::constraint_manager): Copy m_mgr in copy ctor.
8470 (constraint_manager::dump_to_pp): Add "multiline" param.
8471 (constraint_manager::dump): Pass "true" for "multiline".
8472 (constraint_manager::add_constraint): Port from svalue_id to
8473 const svalue *. Split out second part into...
8474 (constraint_manager::add_unknown_constraint): ...this new
8475 function. Remove self-constraints when merging equivalence
8476 classes.
8477 (constraint_manager::add_constraint_internal): Remove constraints
8478 that would be implied by the new constraint. Port from svalue_id
8479 to const svalue *.
8480 (constraint_manager::get_equiv_class_by_sid): Rename to...
8481 (constraint_manager::get_equiv_class_by_svalue): ...this, porting
8482 from svalue_id to const svalue *.
8483 (constraint_manager::get_or_add_equiv_class): Port from svalue_id
8484 to const svalue *.
8485 (constraint_manager::eval_condition): Make const. Call
8486 compare_constants and return early if it provides a known result.
8487 (constraint_manager::get_ec_bounds): New.
8488 (constraint_manager::eval_condition): New overloads. Make
8489 existing one const, and use compare_constants.
8490 (constraint_manager::purge): Convert "p" param to a template
8491 rather than an abstract base class. Port from svalue_id to
8492 const svalue *.
8493 (class dead_svalue_purger): New class.
8494 (constraint_manager::remap_svalue_ids): Delete.
8495 (constraint_manager::on_liveness_change): New.
8496 (equiv_class_cmp): Port from svalue_id to const svalue *.
8497 (constraint_manager::canonicalize): Likewise. Combine with
8498 purging of redundant equivalence classes and constraints.
8499 (class cleaned_constraint_manager): Delete.
8500 (class merger_fact_visitor): Make "m_cm_b" const. Add "m_merger"
8501 field.
8502 (merger_fact_visitor::fact): Port from svalue_id to const svalue *.
8503 Add special case for widening.
8504 (constraint_manager::merge): Port from svalue_id to const svalue *.
8505 (constraint_manager::clean_merger_input): Delete.
8506 (constraint_manager::for_each_fact): Port from svalue_id to
8507 const svalue *.
8508 (constraint_manager::validate): Likewise.
8509 (selftest::test_constraint_conditions): Provide a
8510 region_model_manager when creating region_model instances.
8511 Add test for self-equality not creating equivalence classes.
8512 (selftest::test_transitivity): Provide a region_model_manager when
8513 creating region_model instances. Verify that EC-merging happens
8514 when constraints are implied.
8515 (selftest::test_constant_comparisons): Provide a
8516 region_model_manager when creating region_model instances.
8517 (selftest::test_constraint_impl): Likewise. Remove over-specified
8518 assertions.
8519 (selftest::test_equality): Provide a region_model_manager when
8520 creating region_model instances.
8521 (selftest::test_many_constants): Likewise. Provide a
8522 program_point when testing merging.
8523 (selftest::run_constraint_manager_tests): Move call to
8524 test_constant_comparisons to outside the transitivity guard.
8525 * constraint-manager.h (struct bound): Move here from
8526 constraint-manager.cc.
8527 (struct range): Likewise.
8528 (struct::eval_condition): New decl.
8529 (struct::below_lower_bound): New decl.
8530 (struct::above_upper_bound): New decl.
8531 (equiv_class::add): Port from svalue_id to const svalue *.
8532 (equiv_class::del): Likewise.
8533 (equiv_class::get_representative): Likewise.
8534 (equiv_class::remap_svalue_ids): Drop.
8535 (equiv_class::m_cst_sid): Convert to...
8536 (equiv_class::m_cst_sval): ...this.
8537 (equiv_class::m_vars): Port from svalue_id to const svalue *.
8538 (constraint::implied_by): New decl.
8539 (fact_visitor::on_fact): Port from svalue_id to const svalue *.
8540 (constraint_manager::constraint_manager): Add mgr param.
8541 (constraint_manager::clone): Delete.
8542 (constraint_manager::maybe_get_constant): Delete.
8543 (constraint_manager::get_sid_for_constant): Delete.
8544 (constraint_manager::get_num_svalues): Delete.
8545 (constraint_manager::dump_to_pp): Add "multiline" param.
8546 (constraint_manager::get_equiv_class): Port from svalue_id to
8547 const svalue *.
8548 (constraint_manager::add_constraint): Likewise.
8549 (constraint_manager::get_equiv_class_by_sid): Rename to...
8550 (constraint_manager::get_equiv_class_by_svalue): ...this, porting
8551 from svalue_id to const svalue *.
8552 (constraint_manager::add_unknown_constraint): New decl.
8553 (constraint_manager::get_or_add_equiv_class): Port from svalue_id
8554 to const svalue *.
8555 (constraint_manager::eval_condition): Likewise. Add overloads.
8556 (constraint_manager::get_ec_bounds): New decl.
8557 (constraint_manager::purge): Convert to template.
8558 (constraint_manager::remap_svalue_ids): Delete.
8559 (constraint_manager::on_liveness_change): New decl.
8560 (constraint_manager::canonicalize): Drop param.
8561 (constraint_manager::clean_merger_input): Delete.
8562 (constraint_manager::m_mgr): New field.
8563 * diagnostic-manager.cc: Move includes of
8564 "analyzer/call-string.h" and "analyzer/program-point.h" to before
8565 "analyzer/region-model.h", and also include "analyzer/store.h"
8566 before it.
8567 (saved_diagnostic::saved_diagnostic): Add "sval" param.
8568 (diagnostic_manager::diagnostic_manager): Add engine param.
8569 (diagnostic_manager::add_diagnostic): Add "sval" param, passing it
8570 to saved_diagnostic ctor. Update overload to pass NULL for it.
8571 (dedupe_winners::dedupe_winners): Add engine param.
8572 (dedupe_winners::add): Add "eg" param. Pass m_engine to
8573 feasible_p.
8574 (dedupe_winner::m_engine): New field.
8575 (diagnostic_manager::emit_saved_diagnostics): Pass engine to
8576 dedupe_winners. Pass &eg when adding candidates. Pass svalue
8577 rather than tree to prune_path. Use get_stmt_location to get
8578 primary location of diagnostic.
8579 (diagnostic_manager::emit_saved_diagnostic): Likewise.
8580 (get_any_origin): Drop.
8581 (state_change_event_creator::on_global_state_change): Pass NULL
8582 const svalue * rather than NULL_TREE trees to state_change_event
8583 ctor.
8584 (state_change_event_creator::on_state_change): Port from tree and
8585 svalue_id to const svalue *.
8586 (for_each_state_change): Port from svalue_id to const svalue *.
8587 (struct null_assignment_sm_context): New.
8588 (diagnostic_manager::add_events_for_eedge): Add state change
8589 events for assignment to NULL.
8590 (diagnostic_manager::prune_path): Update param from tree to
8591 const svalue *.
8592 (diagnostic_manager::prune_for_sm_diagnostic): Port from tracking
8593 by tree to by const svalue *.
8594 * diagnostic-manager.h (saved_diagnostic::saved_diagnostic): Add sval
8595 param.
8596 (saved_diagnostic::m_sval): New field.
8597 (diagnostic_manager::diagnostic_manager): Add engine param.
8598 (diagnostic_manager::get_engine): New.
8599 (diagnostic_manager::add_diagnostic): Add "sval" param.
8600 (diagnostic_manager::prune_path): Likewise.
8601 (diagnostic_manager::prune_for_sm_diagnostic): New overload.
8602 (diagnostic_manager::m_eng): New field.
8603 * engine.cc: Move includes of "analyzer/call-string.h" and
8604 "analyzer/program-point.h" to before "analyzer/region-model.h",
8605 and also include "analyzer/store.h" before it.
8606 (impl_region_model_context::impl_region_model_context): Update for
8607 removal of m_change field.
8608 (impl_region_model_context::remap_svalue_ids): Delete.
8609 (impl_region_model_context::on_svalue_leak): New.
8610 (impl_region_model_context::on_svalue_purge): Delete.
8611 (impl_region_model_context::on_liveness_change): New.
8612 (impl_region_model_context::on_unknown_change): Update param
8613 from svalue_id to const svalue *. Add is_mutable param.
8614 (setjmp_svalue::compare_fields): Delete.
8615 (setjmp_svalue::accept): New.
8616 (setjmp_svalue::add_to_hash): Delete.
8617 (setjmp_svalue::dump_to_pp): New.
8618 (setjmp_svalue::print_details): Delete.
8619 (impl_sm_context::impl_sm_context): Drop "change" param.
8620 (impl_sm_context::get_fndecl_for_call): Drop "m_change".
8621 (impl_sm_context::on_transition): Drop ATTRIBUTE_UNUSED from
8622 "stmt" param. Drop m_change. Port from svalue_id to
8623 const svalue *.
8624 (impl_sm_context::warn_for_state): Drop m_change. Port from
8625 svalue_id to const svalue *.
8626 (impl_sm_context::get_readable_tree): Rename to...
8627 (impl_sm_context::get_diagnostic_tree): ...this. Port from
8628 svalue_id to const svalue *.
8629 (impl_sm_context::is_zero_assignment): New.
8630 (impl_sm_context::m_change): Delete field.
8631 (leak_stmt_finder::find_stmt): Handle m_var being NULL.
8632 (readability): Increase penalty for MEM_REF. For SSA_NAMEs,
8633 slightly favor the underlying var over the SSA name. Heavily
8634 penalize temporaries. Handle RESULT_DECL.
8635 (readability_comparator): Make non-static. Consider stack depths.
8636 (impl_region_model_context::on_state_leak): Convert from svalue_id
8637 to const svalue *, updating for region_model changes. Use
8638 id_equal.
8639 (impl_region_model_context::on_inherited_svalue): Delete.
8640 (impl_region_model_context::on_cast): Delete.
8641 (impl_region_model_context::on_condition): Drop m_change.
8642 (impl_region_model_context::on_phi): Likewise.
8643 (impl_region_model_context::on_unexpected_tree_code): Handle t
8644 being NULL.
8645 (point_and_state::validate): Update stack checking for
8646 region_model changes.
8647 (eg_traits::dump_args_t::show_enode_details_p): New.
8648 (exploded_node::exploded_node): Initialize m_num_processed_stmts.
8649 (exploded_node::get_processed_stmt): New function.
8650 (exploded_node::get_dot_fillcolor): Add more colors.
8651 (exploded_node::dump_dot): Guard the printing of the point and
8652 state with show_enode_details_p. Print the processed stmts for
8653 this enode after the initial state.
8654 (exploded_node::dump_to_pp): Pass true for new multiline param
8655 of program_state::dump_to_pp.
8656 (exploded_node::on_stmt): Drop "change" param. Log the stmt.
8657 Set input_location. Implement __analyzer_describe. Update
8658 implementation of __analyzer_dump and __analyzer_eval.
8659 Remove purging of sm-state for unknown fncalls from here.
8660 (exploded_node::on_edge): Drop "change" param.
8661 (exploded_node::on_longjmp): Port from region_id/svalue_id to
8662 const region */const svalue *. Call program_state::detect_leaks.
8663 Drop state_change.
8664 (exploded_node::detect_leaks): Update for changes to region_model.
8665 Call program_state::detect_leaks.
8666 (exploded_edge::exploded_edge): Drop ext_state and change params.
8667 (exploded_edge::dump_dot): "args" is no longer used. Drop dumping
8668 of m_change.
8669 (exploded_graph::exploded_graph): Pass engine to
8670 m_diagnostic_manager ctor. Use program_point::origin.
8671 (exploded_graph::add_function_entry): Drop ctxt. Use
8672 program_state::push_frame. Drop state_change.
8673 (exploded_graph::get_or_create_node): Drop "change" param. Add
8674 "enode_for_diag" param. Update dumping calls for API changes.
8675 Pass point to can_merge_with_p. Show enode indices
8676 within -Wanalyzer-too-complex diagnostic for hitting the per-point
8677 limit.
8678 (exploded_graph::add_edge): Drop "change" param. Log which nodes
8679 are being connected. Update for changes to exploded_edge ctor.
8680 (exploded_graph::get_per_program_point_data): New.
8681 (exploded_graph::process_worklist): Pass point to
8682 can_merge_with_p. Drop state_change. Update dumping call for API
8683 change.
8684 (exploded_graph::process_node): Drop state_change. Split the
8685 node in-place if an sm-state-change occurs. Update
8686 m_num_processed_stmts. Update dumping calls for API change.
8687 (exploded_graph::log_stats): Call engine::log_stats.
8688 (exploded_graph::dump_states_for_supernode): Update dumping
8689 call.
8690 (exploded_path::feasible_p): Add "eng" and "eg" params.
8691 Rename "i" to "end_idx". Pass the manager to the region_model
8692 ctor. Update for every processed stmt in the enode, not just the
8693 first. Keep track of which snodes have been visited, and call
8694 loop_replay_fixup when revisiting one.
8695 (enode_label::get_text): Update dump call for new param.
8696 (exploded_graph::dump_exploded_nodes): Likewise.
8697 (exploded_graph::get_node_by_index): New.
8698 (impl_run_checkers): Create engine instance and pass its address
8699 to extrinsic_state ctor.
8700 * exploded-graph.h
8701 (impl_region_model_context::impl_region_model_context): Drop
8702 "change" params.
8703 (impl_region_model_context::remap_svalue_ids): Delete.
8704 (impl_region_model_context::on_svalue_purge): Delete.
8705 (impl_region_model_context::on_svalue_leak): New.
8706 (impl_region_model_context::on_liveness_change): New.
8707 (impl_region_model_context::on_state_leak): Update signature.
8708 (impl_region_model_context::on_inherited_svalue): Delete.
8709 (impl_region_model_context::on_cast): Delete.
8710 (impl_region_model_context::on_unknown_change): Update signature.
8711 (impl_region_model_context::m_change): Delete.
8712 (eg_traits::dump_args_t::show_enode_details_p): New.
8713 (exploded_node::on_stmt): Drop "change" param.
8714 (exploded_node::on_edge): Likewise.
8715 (exploded_node::get_processed_stmt): New decl.
8716 (exploded_node::m_num_processed_stmts): New field.
8717 (exploded_edge::exploded_edge): Drop ext_state and change params.
8718 (exploded_edge::m_change): Delete.
8719 (exploded_graph::get_engine): New accessor.
8720 (exploded_graph::get_or_create_node): Drop "change" param. Add
8721 "enode_for_diag" param.
8722 (exploded_graph::add_edge): Drop "change" param.
8723 (exploded_graph::get_per_program_point_data): New decl.
8724 (exploded_graph::get_node_by_index): New decl.
8725 (exploded_path::feasible_p): Add "eng" and "eg" params.
8726 * program-point.cc: Include "analyzer/store.h" before including
8727 "analyzer/region-model.h".
8728 (function_point::function_point): Move here from
8729 program-point.h.
8730 (function_point::get_function): Likewise.
8731 (function_point::from_function_entry): Likewise.
8732 (function_point::before_supernode): Likewise.
8733 (function_point::next_stmt): New function.
8734 * program-point.h (function_point::function_point): Move
8735 implementation from here to program-point.cc.
8736 (function_point::get_function): Likewise.
8737 (function_point::from_function_entry): Likewise.
8738 (function_point::before_supernode): Likewise.
8739 (function_point::next_stmt): New decl.
8740 (program_point::operator!=): New.
8741 (program_point::origin): New.
8742 (program_point::next_stmt): New.
8743 (program_point::m_function_point): Make non-const.
8744 * program-state.cc: Move includes of "analyzer/call-string.h" and
8745 "analyzer/program-point.h" to before "analyzer/region-model.h",
8746 and also include "analyzer/store.h" before it.
8747 (extrinsic_state::get_model_manager): New.
8748 (sm_state_map::sm_state_map): Pass in sm and sm_idx to ctor,
8749 rather than pass them around.
8750 (sm_state_map::clone_with_remapping): Delete.
8751 (sm_state_map::print): Remove "sm" param in favor of "m_sm". Add
8752 "simple" and "multiline" params and support multiline vs single
8753 line dumping.
8754 (sm_state_map::dump): Remove "sm" param in favor of "m_sm". Add
8755 "simple" param.
8756 (sm_state_map::hash): Port from svalue_id to const svalue *.
8757 (sm_state_map::operator==): Likewise.
8758 (sm_state_map::get_state): Likewise. Call canonicalize_svalue on
8759 input. Handle inheritance of sm-state. Call get_default_state.
8760 (sm_state_map::get_origin): Port from svalue_id to const svalue *.
8761 (sm_state_map::set_state): Likewise. Pass in ext_state. Reject
8762 attempts to set state on UNKNOWN.
8763 (sm_state_map::impl_set_state): Port from svalue_id to
8764 const svalue *. Pass in ext_state. Call canonicalize_svalue on
8765 input.
8766 (sm_state_map::purge_for_unknown_fncall): Delete.
8767 (sm_state_map::on_svalue_leak): New.
8768 (sm_state_map::remap_svalue_ids): Delete.
8769 (sm_state_map::on_liveness_change): New.
8770 (sm_state_map::on_unknown_change): Reimplement.
8771 (sm_state_map::on_svalue_purge): Delete.
8772 (sm_state_map::on_inherited_svalue): Delete.
8773 (sm_state_map::on_cast): Delete.
8774 (sm_state_map::validate): Delete.
8775 (sm_state_map::canonicalize_svalue): New.
8776 (program_state::program_state): Update to pass manager to
8777 region_model's ctor. Constify num_states and pass state machine
8778 and index to sm_state_map ctor.
8779 (program_state::print): Update for changes to dump API.
8780 (program_state::dump_to_pp): Ignore the summarize param. Add
8781 "multiline" param.
8782 (program_state::dump_to_file): Add "multiline" param.
8783 (program_state::dump): Pass "true" for new "multiline" param.
8784 (program_state::push_frame): New.
8785 (program_state::on_edge): Drop "change" param. Call
8786 program_state::detect_leaks.
8787 (program_state::prune_for_point): Add enode_for_diag param.
8788 Reimplement based on store class. Call detect_leaks.
8789 (program_state::remap_svalue_ids): Delete.
8790 (program_state::get_representative_tree): Port from svalue_id to
8791 const svalue *.
8792 (program_state::can_merge_with_p): Add "point" param. Add early
8793 reject for sm-differences. Drop id remapping.
8794 (program_state::validate): Drop region model and sm_state_map
8795 validation.
8796 (state_change::sm_change::dump): Delete.
8797 (state_change::sm_change::remap_svalue_ids): Delete.
8798 (state_change::sm_change::on_svalue_purge): Delete.
8799 (log_set_of_svalues): New.
8800 (state_change::sm_change::validate): Delete.
8801 (state_change::state_change): Delete.
8802 (state_change::add_sm_change): Delete.
8803 (state_change::affects_p): Delete.
8804 (state_change::dump): Delete.
8805 (state_change::remap_svalue_ids): Delete.
8806 (state_change::on_svalue_purge): Delete.
8807 (state_change::validate): Delete.
8808 (selftest::assert_dump_eq): Delete.
8809 (ASSERT_DUMP_EQ): Delete.
8810 (selftest::test_sm_state_map): Update for changes to region_model
8811 and sm_state_map, porting from svalue_id to const svalue *.
8812 (selftest::test_program_state_dumping): Likewise. Drop test of
8813 dumping, renaming to...
8814 (selftest::test_program_state_1): ...this.
8815 (selftest::test_program_state_dumping_2): Likewise, renaming to...
8816 (selftest::test_program_state_2): ...this.
8817 (selftest::test_program_state_merging): Update for changes to
8818 region_model.
8819 (selftest::test_program_state_merging_2): Likewise.
8820 (selftest::analyzer_program_state_cc_tests): Update for renamed
8821 tests.
8822 * program-state.h (extrinsic_state::extrinsic_state): Add logger
8823 and engine params.
8824 (extrinsic_state::get_logger): New accessor.
8825 (extrinsic_state::get_engine): New accessor.
8826 (extrinsic_state::get_model_manager): New accessor.
8827 (extrinsic_state::m_logger): New field.
8828 (extrinsic_state::m_engine): New field.
8829 (struct default_hash_traits<svalue_id>): Delete.
8830 (pod_hash_traits<svalue_id>::hash): Delete.
8831 (pod_hash_traits<svalue_id>::equal): Delete.
8832 (pod_hash_traits<svalue_id>::mark_deleted): Delete.
8833 (pod_hash_traits<svalue_id>::mark_empty): Delete.
8834 (pod_hash_traits<svalue_id>::is_deleted): Delete.
8835 (pod_hash_traits<svalue_id>::is_empty): Delete.
8836 (sm_state_map::entry_t::entry_t): Port from svalue_id to
8837 const svalue *.
8838 (sm_state_map::entry_t::m_origin): Likewise.
8839 (sm_state_map::map_t): Likewise.
8840 (sm_state_map::sm_state_map): Add state_machine and index params.
8841 (sm_state_map::clone_with_remapping): Delete.
8842 (sm_state_map::print): Drop sm param; add simple and multiline
8843 params.
8844 (sm_state_map::dump): Drop sm param; add simple param.
8845 (sm_state_map::get_state): Port from svalue_id to const svalue *.
8846 Add ext_state param.
8847 (sm_state_map::get_origin): Likewise.
8848 (sm_state_map::set_state): Likewise.
8849 (sm_state_map::impl_set_state): Likewise.
8850 (sm_state_map::purge_for_unknown_fncall): Delete.
8851 (sm_state_map::remap_svalue_ids): Delete.
8852 (sm_state_map::on_svalue_purge): Delete.
8853 (sm_state_map::on_svalue_leak): New.
8854 (sm_state_map::on_liveness_change): New.
8855 (sm_state_map::on_inherited_svalue): Delete.
8856 (sm_state_map::on_cast): Delete.
8857 (sm_state_map::validate): Delete.
8858 (sm_state_map::on_unknown_change): Port from svalue_id to
8859 const svalue *. Add is_mutable and ext_state params.
8860 (sm_state_map::canonicalize_svalue): New.
8861 (sm_state_map::m_sm): New field.
8862 (sm_state_map::m_sm_idx): New field.
8863 (program_state::operator=): Delete.
8864 (program_state::dump_to_pp): Drop "summarize" param, adding
8865 "simple" and "multiline".
8866 (program_state::dump_to_file): Likewise.
8867 (program_state::dump): Rename "summarize" to "simple".
8868 (program_state::push_frame): New.
8869 (program_state::get_current_function): New.
8870 (program_state::on_edge): Drop "change" param.
8871 (program_state::prune_for_point): Likewise. Add enode_for_diag
8872 param.
8873 (program_state::remap_svalue_ids): Delete.
8874 (program_state::get_representative_tree): Port from svalue_id to
8875 const svalue *.
8876 (program_state::can_purge_p): Likewise. Pass ext_state to get_state.
8877 (program_state::can_merge_with_p): Add point param.
8878 (program_state::detect_leaks): New.
8879 (state_change_visitor::on_state_change): Port from tree and
8880 svalue_id to a pair of const svalue *.
8881 (class state_change): Delete.
8882 * region.cc: New file.
8883 * region-model-impl-calls.cc: New file.
8884 * region-model-manager.cc: New file.
8885 * region-model-reachability.cc: New file.
8886 * region-model-reachability.h: New file.
8887 * region-model.cc: Include "analyzer/call-string.h",
8888 "analyzer/program-point.h", and "analyzer/store.h" before
8889 "analyzer/region-model.h". Include
8890 "analyzer/region-model-reachability.h".
8891 (dump_tree): Make non-static.
8892 (dump_quoted_tree): Make non-static.
8893 (print_quoted_type): Make non-static.
8894 (path_var::dump): Delete.
8895 (dump_separator): Delete.
8896 (class impl_constraint_manager): Delete.
8897 (svalue_id::print): Delete.
8898 (svalue_id::dump_node_name_to_pp): Delete.
8899 (svalue_id::validate): Delete.
8900 (region_id::print): Delete.
8901 (region_id::dump_node_name_to_pp): Delete.
8902 (region_id::validate): Delete.
8903 (region_id_set::region_id_set): Delete.
8904 (svalue_id_set::svalue_id_set): Delete.
8905 (svalue::operator==): Delete.
8906 (svalue::hash): Delete.
8907 (svalue::print): Delete.
8908 (svalue::dump_dot_to_pp): Delete.
8909 (svalue::remap_region_ids): Delete.
8910 (svalue::walk_for_canonicalization): Delete.
8911 (svalue::get_child_sid): Delete.
8912 (svalue::maybe_get_constant): Delete.
8913 (region_svalue::compare_fields): Delete.
8914 (region_svalue::add_to_hash): Delete.
8915 (region_svalue::print_details): Delete.
8916 (region_svalue::dump_dot_to_pp): Delete.
8917 (region_svalue::remap_region_ids): Delete.
8918 (region_svalue::merge_values): Delete.
8919 (region_svalue::walk_for_canonicalization): Delete.
8920 (region_svalue::eval_condition): Delete.
8921 (constant_svalue::compare_fields): Delete.
8922 (constant_svalue::add_to_hash): Delete.
8923 (constant_svalue::merge_values): Delete.
8924 (constant_svalue::eval_condition): Move to svalue.cc.
8925 (constant_svalue::print_details): Delete.
8926 (constant_svalue::get_child_sid): Delete.
8927 (unknown_svalue::compare_fields): Delete.
8928 (unknown_svalue::add_to_hash): Delete.
8929 (unknown_svalue::print_details): Delete.
8930 (poison_kind_to_str): Move to svalue.cc.
8931 (poisoned_svalue::compare_fields): Delete.
8932 (poisoned_svalue::add_to_hash): Delete.
8933 (poisoned_svalue::print_details): Delete.
8934 (region_kind_to_str): Move to region.cc and reimplement.
8935 (region::operator==): Delete.
8936 (region::get_parent_region): Delete.
8937 (region::set_value): Delete.
8938 (region::become_active_view): Delete.
8939 (region::deactivate_any_active_view): Delete.
8940 (region::deactivate_view): Delete.
8941 (region::get_value): Delete.
8942 (region::get_inherited_child_sid): Delete.
8943 (region_model::copy_region): Delete.
8944 (region_model::copy_struct_region): Delete.
8945 (region_model::copy_union_region): Delete.
8946 (region_model::copy_array_region): Delete.
8947 (region::hash): Delete.
8948 (region::print): Delete.
8949 (region::dump_dot_to_pp): Delete.
8950 (region::dump_to_pp): Delete.
8951 (region::dump_child_label): Delete.
8952 (region::validate): Delete.
8953 (region::remap_svalue_ids): Delete.
8954 (region::remap_region_ids): Delete.
8955 (region::add_view): Delete.
8956 (region::get_view): Delete.
8957 (region::region): Move to region.cc.
8958 (region::add_to_hash): Delete.
8959 (region::print_fields): Delete.
8960 (region::non_null_p): Delete.
8961 (primitive_region::clone): Delete.
8962 (primitive_region::walk_for_canonicalization): Delete.
8963 (map_region::map_region): Delete.
8964 (map_region::compare_fields): Delete.
8965 (map_region::print_fields): Delete.
8966 (map_region::validate): Delete.
8967 (map_region::dump_dot_to_pp): Delete.
8968 (map_region::dump_child_label): Delete.
8969 (map_region::get_or_create): Delete.
8970 (map_region::get): Delete.
8971 (map_region::add_to_hash): Delete.
8972 (map_region::remap_region_ids): Delete.
8973 (map_region::unbind): Delete.
8974 (map_region::get_tree_for_child_region): Delete.
8975 (map_region::get_tree_for_child_region): Delete.
8976 (tree_cmp): Move to region.cc.
8977 (map_region::can_merge_p): Delete.
8978 (map_region::walk_for_canonicalization): Delete.
8979 (map_region::get_value_by_name): Delete.
8980 (struct_or_union_region::valid_key_p): Delete.
8981 (struct_or_union_region::compare_fields): Delete.
8982 (struct_region::clone): Delete.
8983 (struct_region::compare_fields): Delete.
8984 (union_region::clone): Delete.
8985 (union_region::compare_fields): Delete.
8986 (frame_region::compare_fields): Delete.
8987 (frame_region::clone): Delete.
8988 (frame_region::valid_key_p): Delete.
8989 (frame_region::print_fields): Delete.
8990 (frame_region::add_to_hash): Delete.
8991 (globals_region::compare_fields): Delete.
8992 (globals_region::clone): Delete.
8993 (globals_region::valid_key_p): Delete.
8994 (code_region::compare_fields): Delete.
8995 (code_region::clone): Delete.
8996 (code_region::valid_key_p): Delete.
8997 (array_region::array_region): Delete.
8998 (array_region::get_element): Delete.
8999 (array_region::clone): Delete.
9000 (array_region::compare_fields): Delete.
9001 (array_region::print_fields): Delete.
9002 (array_region::validate): Delete.
9003 (array_region::dump_dot_to_pp): Delete.
9004 (array_region::dump_child_label): Delete.
9005 (array_region::get_or_create): Delete.
9006 (array_region::get): Delete.
9007 (array_region::add_to_hash): Delete.
9008 (array_region::remap_region_ids): Delete.
9009 (array_region::get_key_for_child_region): Delete.
9010 (array_region::key_cmp): Delete.
9011 (array_region::walk_for_canonicalization): Delete.
9012 (array_region::key_from_constant): Delete.
9013 (array_region::constant_from_key): Delete.
9014 (function_region::compare_fields): Delete.
9015 (function_region::clone): Delete.
9016 (function_region::valid_key_p): Delete.
9017 (stack_region::stack_region): Delete.
9018 (stack_region::compare_fields): Delete.
9019 (stack_region::clone): Delete.
9020 (stack_region::print_fields): Delete.
9021 (stack_region::dump_child_label): Delete.
9022 (stack_region::validate): Delete.
9023 (stack_region::push_frame): Delete.
9024 (stack_region::get_current_frame_id): Delete.
9025 (stack_region::pop_frame): Delete.
9026 (stack_region::add_to_hash): Delete.
9027 (stack_region::remap_region_ids): Delete.
9028 (stack_region::can_merge_p): Delete.
9029 (stack_region::walk_for_canonicalization): Delete.
9030 (stack_region::get_value_by_name): Delete.
9031 (heap_region::heap_region): Delete.
9032 (heap_region::compare_fields): Delete.
9033 (heap_region::clone): Delete.
9034 (heap_region::walk_for_canonicalization): Delete.
9035 (root_region::root_region): Delete.
9036 (root_region::compare_fields): Delete.
9037 (root_region::clone): Delete.
9038 (root_region::print_fields): Delete.
9039 (root_region::validate): Delete.
9040 (root_region::dump_child_label): Delete.
9041 (root_region::push_frame): Delete.
9042 (root_region::get_current_frame_id): Delete.
9043 (root_region::pop_frame): Delete.
9044 (root_region::ensure_stack_region): Delete.
9045 (root_region::get_stack_region): Delete.
9046 (root_region::ensure_globals_region): Delete.
9047 (root_region::get_code_region): Delete.
9048 (root_region::ensure_code_region): Delete.
9049 (root_region::get_globals_region): Delete.
9050 (root_region::ensure_heap_region): Delete.
9051 (root_region::get_heap_region): Delete.
9052 (root_region::remap_region_ids): Delete.
9053 (root_region::can_merge_p): Delete.
9054 (root_region::add_to_hash): Delete.
9055 (root_region::walk_for_canonicalization): Delete.
9056 (root_region::get_value_by_name): Delete.
9057 (symbolic_region::symbolic_region): Delete.
9058 (symbolic_region::compare_fields): Delete.
9059 (symbolic_region::clone): Delete.
9060 (symbolic_region::walk_for_canonicalization): Delete.
9061 (symbolic_region::print_fields): Delete.
9062 (region_model::region_model): Add region_model_manager * param.
9063 Reimplement in terms of store, dropping impl_constraint_manager
9064 subclass.
9065 (region_model::operator=): Reimplement in terms of store.
9066 (region_model::operator==): Likewise.
9067 (region_model::hash): Likewise.
9068 (region_model::print): Delete.
9069 (region_model::print_svalue): Delete.
9070 (region_model::dump_dot_to_pp): Delete.
9071 (region_model::dump_dot_to_file): Delete.
9072 (region_model::dump_dot): Delete.
9073 (region_model::dump_to_pp): Replace "summarize" param with
9074 "simple" and "multiline". Port to store-based implementation.
9075 (region_model::dump): Replace "summarize" param with "simple" and
9076 "multiline".
9077 (dump_vec_of_tree): Delete.
9078 (region_model::dump_summary_of_rep_path_vars): Delete.
9079 (region_model::validate): Delete.
9080 (svalue_id_cmp_by_constant_svalue_model): Delete.
9081 (svalue_id_cmp_by_constant_svalue): Delete.
9082 (region_model::canonicalize): Drop "ctxt" param. Reimplement in
9083 terms of store and constraints.
9084 (region_model::canonicalized_p): Remove NULL arg to canonicalize.
9085 (region_model::loop_replay_fixup): New.
9086 (poisoned_value_diagnostic::emit): Tweak wording of warnings.
9087 (region_model::check_for_poison): Delete.
9088 (region_model::get_gassign_result): New.
9089 (region_model::on_assignment): Port to store-based implementation.
9090 (region_model::on_call_pre): Delete calls to check_for_poison.
9091 Move implementations to region-model-impl-calls.cc and port to
9092 store-based implementation.
9093 (region_model::on_call_post): Likewise.
9094 (class reachable_regions): Move to region-model-reachability.h/cc
9095 and port to store-based implementation.
9096 (region_model::handle_unrecognized_call): Port to store-based
9097 implementation.
9098 (region_model::get_reachable_svalues): New.
9099 (region_model::on_setjmp): Port to store-based implementation.
9100 (region_model::on_longjmp): Likewise.
9101 (region_model::handle_phi): Drop is_back_edge param and the logic
9102 using it.
9103 (region_model::get_lvalue_1): Port from region_id to const region *.
9104 (region_model::make_region_for_unexpected_tree_code): Delete.
9105 (assert_compat_types): If the check fails, use internal_error to
9106 show the types.
9107 (region_model::get_lvalue): Port from region_id to const region *.
9108 (region_model::get_rvalue_1): Port from svalue_id to const svalue *.
9109 (region_model::get_rvalue): Likewise.
9110 (region_model::get_or_create_ptr_svalue): Delete.
9111 (region_model::get_or_create_constant_svalue): Delete.
9112 (region_model::get_svalue_for_fndecl): Delete.
9113 (region_model::get_region_for_fndecl): Delete.
9114 (region_model::get_svalue_for_label): Delete.
9115 (region_model::get_region_for_label): Delete.
9116 (build_cast): Delete.
9117 (region_model::maybe_cast_1): Delete.
9118 (region_model::maybe_cast): Delete.
9119 (region_model::get_field_region): Delete.
9120 (region_model::get_store_value): New.
9121 (region_model::region_exists_p): New.
9122 (region_model::deref_rvalue): Port from svalue_id to const svalue *.
9123 (region_model::set_value): Likewise.
9124 (region_model::clobber_region): New.
9125 (region_model::purge_region): New.
9126 (region_model::zero_fill_region): New.
9127 (region_model::mark_region_as_unknown): New.
9128 (region_model::eval_condition): Port from svalue_id to
9129 const svalue *.
9130 (region_model::eval_condition_without_cm): Likewise.
9131 (region_model::compare_initial_and_pointer): New.
9132 (region_model::add_constraint): Port from svalue_id to
9133 const svalue *.
9134 (region_model::maybe_get_constant): Delete.
9135 (region_model::get_representative_path_var): New.
9136 (region_model::add_new_malloc_region): Delete.
9137 (region_model::get_representative_tree): Port to const svalue *.
9138 (region_model::get_representative_path_var): Port to
9139 const region *.
9140 (region_model::get_path_vars_for_svalue): Delete.
9141 (region_model::set_to_new_unknown_value): Delete.
9142 (region_model::update_for_phis): Don't pass is_back_edge to handle_phi.
9143 (region_model::update_for_call_superedge): Port from svalue_id to
9144 const svalue *.
9145 (region_model::update_for_return_superedge): Port to store-based
9146 implementation.
9147 (region_model::update_for_call_summary): Replace
9148 set_to_new_unknown_value with mark_region_as_unknown.
9149 (region_model::get_root_region): Delete.
9150 (region_model::get_stack_region_id): Delete.
9151 (region_model::push_frame): Delete.
9152 (region_model::get_current_frame_id): Delete.
9153 (region_model::get_current_function): Delete.
9154 (region_model::pop_frame): Delete.
9155 (region_model::on_top_level_param): New.
9156 (region_model::get_stack_depth): Delete.
9157 (region_model::get_function_at_depth): Delete.
9158 (region_model::get_globals_region_id): Delete.
9159 (region_model::add_svalue): Delete.
9160 (region_model::replace_svalue): Delete.
9161 (region_model::add_region): Delete.
9162 (region_model::get_svalue): Delete.
9163 (region_model::get_region): Delete.
9164 (make_region_for_type): Delete.
9165 (region_model::add_region_for_type): Delete.
9166 (region_model::on_top_level_param): New.
9167 (class restrict_to_used_svalues): Delete.
9168 (region_model::purge_unused_svalues): Delete.
	(region_model::push_frame): New.
	(region_model::remap_svalue_ids): Delete.
	(region_model::remap_region_ids): Delete.
	(region_model::purge_regions): Delete.
	(region_model::get_descendents): Delete.
	(region_model::delete_region_and_descendents): Delete.
	(region_model::poison_any_pointers_to_bad_regions): Delete.
	(region_model::can_merge_with_p): Delete.
	(region_model::get_current_function): New.
	(region_model::get_value_by_name): Delete.
	(region_model::convert_byte_offset_to_array_index): Delete.
	(region_model::pop_frame): New.
	(region_model::get_or_create_mem_ref): Delete.
	(region_model::get_stack_depth): New.
	(region_model::get_frame_at_index): New.
	(region_model::unbind_region_and_descendents): New.
	(struct bad_pointer_finder): New.
	(region_model::get_or_create_pointer_plus_expr): Delete.
	(region_model::poison_any_pointers_to_descendents): New.
	(region_model::get_or_create_view): Delete.
	(region_model::can_merge_with_p): New.
	(region_model::get_fndecl_for_call): Port from svalue_id to
	const svalue *.
	(struct append_ssa_names_cb_data): New.
	(get_ssa_name_regions_for_current_frame): New.
	(region_model::append_ssa_names_cb): New.
	(model_merger::dump_to_pp): Add "simple" param. Drop dumping of
	remappings.
	(model_merger::dump): Add "simple" param to both overloads.
	(model_merger::can_merge_values_p): Delete.
	(model_merger::record_regions): Delete.
	(model_merger::record_svalues): Delete.
	(svalue_id_merger_mapping::svalue_id_merger_mapping): Delete.
	(svalue_id_merger_mapping::dump_to_pp): Delete.
	(svalue_id_merger_mapping::dump): Delete.
	(region_model::create_region_for_heap_alloc): New.
	(region_model::create_region_for_alloca): New.
	(region_model::record_dynamic_extents): New.
	(canonicalization::canonicalization): Delete.
	(canonicalization::walk_rid): Delete.
	(canonicalization::walk_sid): Delete.
	(canonicalization::dump_to_pp): Delete.
	(canonicalization::dump): Delete.
	(inchash::add): Delete overloads for svalue_id and region_id.
	(engine::log_stats): New.
	(assert_condition): Add overload comparing svalues.
	(assert_dump_eq): Pass "true" for multiline.
	(selftest::test_dump): Update for rewrite of region_model.
	(selftest::test_dump_2): Rename to...
	(selftest::test_struct): ...this. Provide a region_model_manager
	when creating region_model instance. Remove dump test. Add
	checks for get_offset.
	(selftest::test_dump_3): Rename to...
	(selftest::test_array_1): ...this. Provide a region_model_manager
	when creating region_model instance. Remove dump test.
	(selftest::test_get_representative_tree): Port from svalue_id to
	new API. Add test coverage for various expressions.
	(selftest::test_unique_constants): Provide a region_model_manager
	for the region_model. Add test coverage for comparing const vs
	non-const.
	(selftest::test_svalue_equality): Delete.
	(selftest::test_region_equality): Delete.
	(selftest::test_unique_unknowns): New.
	(class purge_all_svalue_ids): Delete.
	(class purge_one_svalue_id): Delete.
	(selftest::test_purging_by_criteria): Delete.
	(selftest::test_initial_svalue_folding): New.
	(selftest::test_unaryop_svalue_folding): New.
	(selftest::test_binop_svalue_folding): New.
	(selftest::test_sub_svalue_folding): New.
	(selftest::test_purge_unused_svalues): Delete.
	(selftest::test_descendent_of_p): New.
	(selftest::test_assignment): Provide a region_model_manager for
	the region_model. Drop the dump test.
	(selftest::test_compound_assignment): Likewise.
	(selftest::test_stack_frames): Port to new implementation.
	(selftest::test_get_representative_path_var): Likewise.
	(selftest::test_canonicalization_1): Rename to...
	(selftest::test_equality_1): ...this. Port to new API, and add
	(selftest::test_canonicalization_2): Provide a
	region_model_manager when creating region_model instances.
	Remove redundant canonicalization.
	(selftest::test_canonicalization_3): Provide a
	region_model_manager when creating region_model instances.
	Remove param from calls to region_model::canonicalize.
	(selftest::test_canonicalization_4): Likewise.
	(selftest::assert_region_models_merge): Constify
	out_merged_svalue. Port to new API.
	(selftest::test_state_merging): Provide a
	region_model_manager when creating region_model instances.
	Provide a program_point point when merging them. Replace
	set_to_new_unknown_value with usage of placeholder_svalues.
	Drop get_value_by_name. Port from svalue_id to const svalue *.
	Add test of heap allocation.
	(selftest::test_constraint_merging): Provide a
	region_model_manager when creating region_model instances.
	Provide a program_point point when merging them. Eliminate use
	of set_to_new_unknown_value.
	(selftest::test_widening_constraints): New.
	(selftest::test_iteration_1): New.
	(selftest::test_malloc_constraints): Port to store-based
	implementation.
	(selftest::test_var): New test.
	(selftest::test_array_2): New test.
	(selftest::test_mem_ref): New test.
	(selftest::test_POINTER_PLUS_EXPR_then_MEM_REF): New.
	(selftest::test_malloc): New.
	(selftest::test_alloca): New.
	(selftest::analyzer_region_model_cc_tests): Update for renamings.
	Call new functions.
	* region-model.h (class path_var): Move to analyzer.h.
	(class svalue_id): Delete.
	(class region_id): Delete.
	(class id_map): Delete.
	(svalue_id_map): Delete.
	(region_id_map): Delete.
	(id_map<T>::id_map): Delete.
	(id_map<T>::put): Delete.
	(id_map<T>::get_dst_for_src): Delete.
	(id_map<T>::get_src_for_dst): Delete.
	(id_map<T>::dump_to_pp): Delete.
	(id_map<T>::dump): Delete.
	(id_map<T>::update): Delete.
	(one_way_svalue_id_map): Delete.
	(one_way_region_id_map): Delete.
	(class region_id_set): Delete.
	(class svalue_id_set): Delete.
	(struct complexity): New.
	(class visitor): New.
	(enum svalue_kind): Add SK_SETJMP, SK_INITIAL, SK_UNARYOP,
	SK_BINOP, SK_SUB, SK_UNMERGEABLE, SK_PLACEHOLDER, SK_WIDENING,
	SK_COMPOUND, and SK_CONJURED.
	(svalue::operator==): Delete.
	(svalue::operator!=): Delete.
	(svalue::clone): Delete.
	(svalue::hash): Delete.
	(svalue::dump_dot_to_pp): Delete.
	(svalue::dump_to_pp): New.
	(svalue::dump): New.
	(svalue::get_desc): New.
	(svalue::dyn_cast_initial_svalue): New.
	(svalue::dyn_cast_unaryop_svalue): New.
	(svalue::dyn_cast_binop_svalue): New.
	(svalue::dyn_cast_sub_svalue): New.
	(svalue::dyn_cast_unmergeable_svalue): New.
	(svalue::dyn_cast_widening_svalue): New.
	(svalue::dyn_cast_compound_svalue): New.
	(svalue::dyn_cast_conjured_svalue): New.
	(svalue::maybe_undo_cast): New.
	(svalue::unwrap_any_unmergeable): New.
	(svalue::remap_region_ids): Delete.
	(svalue::can_merge_p): New.
	(svalue::walk_for_canonicalization): Delete.
	(svalue::get_complexity): New.
	(svalue::get_child_sid): Delete.
	(svalue::accept): New.
	(svalue::live_p): New.
	(svalue::implicitly_live_p): New.
	(svalue::svalue): Add complexity param.
	(svalue::add_to_hash): Delete.
	(svalue::print_details): Delete.
	(svalue::m_complexity): New field.
	(region_svalue::key_t): New struct.
	(region_svalue::region_svalue): Port from region_id to
	const region_id *. Add complexity.
	(region_svalue::compare_fields): Delete.
	(region_svalue::clone): Delete.
	(region_svalue::dump_dot_to_pp): Delete.
	(region_svalue::get_pointee): Port from region_id to
	const region_id *.
	(region_svalue::remap_region_ids): Delete.
	(region_svalue::merge_values): Delete.
	(region_svalue::dump_to_pp): New.
	(region_svalue::accept): New.
	(region_svalue::walk_for_canonicalization): Delete.
	(region_svalue::eval_condition): Make params const.
	(region_svalue::add_to_hash): Delete.
	(region_svalue::print_details): Delete.
	(region_svalue::m_rid): Replace with...
	(region_svalue::m_reg): ...this.
	(is_a_helper <region_svalue *>::test): Convert to...
	(is_a_helper <const region_svalue *>::test): ...this.
	(template <> struct default_hash_traits<region_svalue::key_t>):
	New.
	(constant_svalue::constant_svalue): Add complexity.
	(constant_svalue::compare_fields): Delete.
	(constant_svalue::clone): Delete.
	(constant_svalue::add_to_hash): Delete.
	(constant_svalue::dump_to_pp): New.
	(constant_svalue::accept): New.
	(constant_svalue::implicitly_live_p): New.
	(constant_svalue::merge_values): Delete.
	(constant_svalue::eval_condition): Make params const.
	(constant_svalue::get_child_sid): Delete.
	(constant_svalue::print_details): Delete.
	(is_a_helper <constant_svalue *>::test): Convert to...
	(is_a_helper <const constant_svalue *>::test): ...this.
	(class unknown_svalue): Update leading comment.
	(unknown_svalue::unknown_svalue): Add complexity.
	(unknown_svalue::compare_fields): Delete.
	(unknown_svalue::add_to_hash): Delete.
	(unknown_svalue::dyn_cast_unknown_svalue): Delete.
	(unknown_svalue::print_details): Delete.
	(unknown_svalue::dump_to_pp): New.
	(unknown_svalue::accept): New.
	(poisoned_svalue::key_t): New struct.
	(poisoned_svalue::poisoned_svalue): Add complexity.
	(poisoned_svalue::compare_fields): Delete.
	(poisoned_svalue::clone): Delete.
	(poisoned_svalue::add_to_hash): Delete.
	(poisoned_svalue::dump_to_pp): New.
	(poisoned_svalue::accept): New.
	(poisoned_svalue::print_details): Delete.
	(is_a_helper <poisoned_svalue *>::test): Convert to...
	(is_a_helper <const poisoned_svalue *>::test): ...this.
	(template <> struct default_hash_traits<poisoned_svalue::key_t>):
	New.
	(setjmp_record::add_to_hash): New.
	(setjmp_svalue::key_t): New struct.
	(setjmp_svalue::compare_fields): Delete.
	(setjmp_svalue::clone): Delete.
	(setjmp_svalue::add_to_hash): Delete.
	(setjmp_svalue::setjmp_svalue): Add complexity.
	(setjmp_svalue::dump_to_pp): New.
	(setjmp_svalue::accept): New.
	(setjmp_svalue::void print_details): Delete.
	(is_a_helper <const setjmp_svalue *>::test): New.
	(template <> struct default_hash_traits<setjmp_svalue::key_t>): New.
	(class initial_svalue : public svalue): New.
	(is_a_helper <const initial_svalue *>::test): New.
	(class unaryop_svalue): New.
	(is_a_helper <const unaryop_svalue *>::test): New.
	(template <> struct default_hash_traits<unaryop_svalue::key_t>): New.
	(class binop_svalue): New.
	(is_a_helper <const binop_svalue *>::test): New.
	(template <> struct default_hash_traits<binop_svalue::key_t>): New.
	(class sub_svalue): New.
	(is_a_helper <const sub_svalue *>::test): New.
	(template <> struct default_hash_traits<sub_svalue::key_t>): New.
	(class unmergeable_svalue): New.
	(is_a_helper <const unmergeable_svalue *>::test): New.
	(class placeholder_svalue): New.
	(is_a_helper <placeholder_svalue *>::test): New.
	(class widening_svalue): New.
	(is_a_helper <widening_svalue *>::test): New.
	(template <> struct default_hash_traits<widening_svalue::key_t>): New.
	(class compound_svalue): New.
	(is_a_helper <compound_svalue *>::test): New.
	(template <> struct default_hash_traits<compound_svalue::key_t>): New.
	(class conjured_svalue): New.
	(is_a_helper <conjured_svalue *>::test): New.
	(template <> struct default_hash_traits<conjured_svalue::key_t>): New.
	(enum region_kind): Delete RK_PRIMITIVE, RK_STRUCT, RK_UNION, and
	RK_ARRAY. Add RK_LABEL, RK_DECL, RK_FIELD, RK_ELEMENT, RK_OFFSET,
	RK_CAST, RK_HEAP_ALLOCATED, RK_ALLOCA, RK_STRING, and RK_UNKNOWN.
	(region_kind_to_str): Delete.
	(region::~region): Move implementation to region.cc.
	(region::operator==): Delete.
	(region::operator!=): Delete.
	(region::clone): Delete.
	(region::get_id): New.
	(region::cmp_ids): New.
	(region::dyn_cast_map_region): Delete.
	(region::dyn_cast_array_region): Delete.
	(region::region_id get_parent): Delete.
	(region::get_parent_region): Convert to a simple accessor.
	(region::void set_value): Delete.
	(region::svalue_id get_value): Delete.
	(region::svalue_id get_value_direct): Delete.
	(region::svalue_id get_inherited_child_sid): Delete.
	(region::dyn_cast_frame_region): New.
	(region::dyn_cast_function_region): New.
	(region::dyn_cast_decl_region): New.
	(region::dyn_cast_field_region): New.
	(region::dyn_cast_element_region): New.
	(region::dyn_cast_offset_region): New.
	(region::dyn_cast_cast_region): New.
	(region::dyn_cast_string_region): New.
	(region::accept): New.
	(region::get_base_region): New.
	(region::base_region_p): New.
	(region::descendent_of_p): New.
	(region::maybe_get_frame_region): New.
	(region::maybe_get_decl): New.
	(region::hash): Delete.
	(region::print): Delete.
	(region::dump_dot_to_pp): Delete.
	(region::get_desc): New.
	(region::dump_to_pp): Convert to vfunc, changing signature.
	(region::dump_child_label): Delete.
	(region::remap_svalue_ids): Delete.
	(region::remap_region_ids): Delete.
	(region::dump): New.
	(region::walk_for_canonicalization): Delete.
	(region::non_null_p): Drop region_model param.
	(region::add_view): Delete.
	(region::get_view): Delete.
	(region::get_active_view): Delete.
	(region::is_view_p): Delete.
	(region::cmp_ptrs): New.
	(region::validate): Delete.
	(region::get_offset): New.
	(region::get_byte_size): New.
	(region::get_bit_size): New.
	(region::get_subregions_for_binding): New.
	(region::region): Add complexity param. Convert parent from
	region_id to const region *. Drop svalue_id. Drop copy ctor.
	(region::symbolic_for_unknown_ptr_p): New.
	(region::add_to_hash): Delete.
	(region::print_fields): Delete.
	(region::get_complexity): New accessor.
	(region::become_active_view): Delete.
	(region::deactivate_any_active_view): Delete.
	(region::deactivate_view): Delete.
	(region::calc_offset): New.
	(region::m_parent_rid): Delete.
	(region::m_sval_id): Delete.
	(region::m_complexity): New.
	(region::m_id): New.
	(region::m_parent): New.
	(region::m_view_rids): Delete.
	(region::m_is_view): Delete.
	(region::m_active_view_rid): Delete.
	(region::m_cached_offset): New.
	(is_a_helper <region *>::test): Convert to...
	(is_a_helper <const region *>::test): ... this.
	(class primitive_region): Delete.
	(class space_region): New.
	(class map_region): Delete.
	(is_a_helper <map_region *>::test): Delete.
	(class frame_region): Reimplement.
	(template <> struct default_hash_traits<frame_region::key_t>):
	New.
	(class globals_region): Reimplement.
	(is_a_helper <globals_region *>::test): Convert to...
	(is_a_helper <const globals_region *>::test): ...this.
	(class struct_or_union_region): Delete.
	(is_a_helper <struct_or_union_region *>::test): Delete.
	(class code_region): Reimplement.
	(is_a_helper <const code_region *>::test): New.
	(class struct_region): Delete.
	(is_a_helper <struct_region *>::test): Delete.
	(class function_region): Reimplement.
	(is_a_helper <function_region *>::test): Convert to...
	(is_a_helper <const function_region *>::test): ...this.
	(class union_region): Delete.
	(is_a_helper <union_region *>::test): Delete.
	(class label_region): New.
	(is_a_helper <const label_region *>::test): New.
	(class scope_region): Delete.
	(class stack_region): Reimplement.
	(is_a_helper <stack_region *>::test): Convert to...
	(is_a_helper <const stack_region *>::test): ...this.
	(class heap_region): Reimplement.
	(is_a_helper <heap_region *>::test): Convert to...
	(is_a_helper <const heap_region *>::test): ...this.
	(class root_region): Reimplement.
	(is_a_helper <root_region *>::test): Convert to...
	(is_a_helper <const root_region *>::test): ...this.
	(class symbolic_region): Reimplement.
	(is_a_helper <const symbolic_region *>::test): New.
	(template <> struct default_hash_traits<symbolic_region::key_t>):
	New.
	(class decl_region): New.
	(is_a_helper <const decl_region *>::test): New.
	(class field_region): New.
	(template <> struct default_hash_traits<field_region::key_t>): New.
	(class array_region): Delete.
	(class element_region): New.
	(is_a_helper <array_region *>::test): Delete.
	(is_a_helper <const element_region *>::test): New.
	(template <> struct default_hash_traits<element_region::key_t>):
	New.
	(class offset_region): New.
	(is_a_helper <const offset_region *>::test): New.
	(template <> struct default_hash_traits<offset_region::key_t>):
	New.
	(class cast_region): New.
	(is_a_helper <const cast_region *>::test): New.
	(template <> struct default_hash_traits<cast_region::key_t>): New.
	(class heap_allocated_region): New.
	(class alloca_region): New.
	(class string_region): New.
	(is_a_helper <const string_region *>::test): New.
	(class unknown_region): New.
	(class region_model_manager): New.
	(struct append_ssa_names_cb_data): New.
	(class call_details): New.
	(region_model::region_model): Add region_model_manager param.
	(region_model::print_svalue): Delete.
	(region_model::dump_dot_to_pp): Delete.
	(region_model::dump_dot_to_file): Delete.
	(region_model::dump_dot): Delete.
	(region_model::dump_to_pp): Drop summarize param in favor of
	simple and multiline.
	(region_model::dump): Likewise.
	(region_model::summarize_to_pp): Delete.
	(region_model::summarize): Delete.
	(region_model::void canonicalize): Drop ctxt param.
	(region_model::void check_for_poison): Delete.
	(region_model::get_gassign_result): New.
	(region_model::impl_call_alloca): New.
	(region_model::impl_call_analyzer_describe): New.
	(region_model::impl_call_analyzer_eval): New.
	(region_model::impl_call_builtin_expect): New.
	(region_model::impl_call_calloc): New.
	(region_model::impl_call_free): New.
	(region_model::impl_call_malloc): New.
	(region_model::impl_call_memset): New.
	(region_model::impl_call_strlen): New.
	(region_model::get_reachable_svalues): New.
	(region_model::handle_phi): Drop is_back_edge param.
	(region_model::region_id get_root_rid): Delete.
	(region_model::root_region *get_root_region): Delete.
	(region_model::region_id get_stack_region_id): Delete.
	(region_model::push_frame): Convert from region_id and svalue_id
	to const region * and const svalue *.
	(region_model::get_current_frame_id): Replace with...
	(region_model::get_current_frame): ...this.
	(region_model::pop_frame): Convert from region_id to
	const region *. Drop purge and stats param. Add out_result.
	(region_model::function *get_function_at_depth): Delete.
	(region_model::get_globals_region_id): Delete.
	(region_model::add_svalue): Delete.
	(region_model::replace_svalue): Delete.
	(region_model::add_region): Delete.
	(region_model::add_region_for_type): Delete.
	(region_model::get_svalue): Delete.
	(region_model::get_region): Delete.
	(region_model::get_lvalue): Convert from region_id to
	const region *.
	(region_model::get_rvalue): Convert from svalue_id to
	const svalue *.
	(region_model::get_or_create_ptr_svalue): Delete.
	(region_model::get_or_create_constant_svalue): Delete.
	(region_model::get_svalue_for_fndecl): Delete.
	(region_model::get_svalue_for_label): Delete.
	(region_model::get_region_for_fndecl): Delete.
	(region_model::get_region_for_label): Delete.
	(region_model::get_frame_at_index (int index) const;): New.
	(region_model::maybe_cast): Delete.
	(region_model::maybe_cast_1): Delete.
	(region_model::get_field_region): Delete.
	(region_model::id deref_rvalue): Convert from region_id and
	svalue_id to const region * and const svalue *. Drop overload,
	passing in both a tree and an svalue.
	(region_model::set_value): Convert from region_id and svalue_id to
	const region * and const svalue *.
	(region_model::set_to_new_unknown_value): Delete.
	(region_model::clobber_region (const region *reg);): New.
	(region_model::purge_region (const region *reg);): New.
	(region_model::zero_fill_region (const region *reg);): New.
	(region_model::mark_region_as_unknown (const region *reg);): New.
	(region_model::copy_region): Convert from region_id to
	const region *.
	(region_model::eval_condition): Convert from svalue_id to
	const svalue *.
	(region_model::eval_condition_without_cm): Likewise.
	(region_model::compare_initial_and_pointer): New.
	(region_model::maybe_get_constant): Delete.
	(region_model::add_new_malloc_region): Delete.
	(region_model::get_representative_tree): Convert from svalue_id to
	const svalue *.
	(region_model::get_representative_path_var): Delete decl taking a
	region_id in favor of two decls, for svalue vs region, with an
	svalue_set to ensure termination.
	(region_model::get_path_vars_for_svalue): Delete.
	(region_model::create_region_for_heap_alloc): New.
	(region_model::create_region_for_alloca): New.
	(region_model::purge_unused_svalues): Delete.
	(region_model::remap_svalue_ids): Delete.
	(region_model::remap_region_ids): Delete.
	(region_model::purge_regions): Delete.
	(region_model::get_num_svalues): Delete.
	(region_model::get_num_regions): Delete.
	(region_model::get_descendents): Delete.
	(region_model::get_store): New.
	(region_model::delete_region_and_descendents): Delete.
	(region_model::get_manager): New.
	(region_model::unbind_region_and_descendents): New.
	(region_model::can_merge_with_p): Add point param. Drop
	svalue_id_merger_mapping.
	(region_model::get_value_by_name): Delete.
	(region_model::convert_byte_offset_to_array_index): Delete.
	(region_model::get_or_create_mem_ref): Delete.
	(region_model::get_or_create_pointer_plus_expr): Delete.
	(region_model::get_or_create_view): Delete.
	(region_model::get_lvalue_1): Convert from region_id to
	const region *.
	(region_model::get_rvalue_1): Convert from svalue_id to
	const svalue *.
	(region_model::get_ssa_name_regions_for_current_frame): New.
	(region_model::append_ssa_names_cb): New.
	(region_model::get_store_value): New.
	(region_model::copy_struct_region): Delete.
	(region_model::copy_union_region): Delete.
	(region_model::copy_array_region): Delete.
	(region_model::region_exists_p): New.
	(region_model::make_region_for_unexpected_tree_code): Delete.
	(region_model::loop_replay_fixup): New.
	(region_model::poison_any_pointers_to_bad_regions): Delete.
	(region_model::poison_any_pointers_to_descendents): New.
	(region_model::dump_summary_of_rep_path_vars): Delete.
	(region_model::on_top_level_param): New.
	(region_model::record_dynamic_extents): New.
	(region_model::m_mgr;): New.
	(region_model::m_store;): New.
	(region_model::m_svalues;): Delete.
	(region_model::m_regions;): Delete.
	(region_model::m_root_rid;): Delete.
	(region_model::m_current_frame;): New.
	(region_model_context::remap_svalue_ids): Delete.
	(region_model_context::can_purge_p): Delete.
	(region_model_context::on_svalue_leak): New.
	(region_model_context::on_svalue_purge): Delete.
	(region_model_context::on_liveness_change): New.
	(region_model_context::on_inherited_svalue): Delete.
	(region_model_context::on_cast): Delete.
	(region_model_context::on_unknown_change): Convert from svalue_id to
	const svalue * and add is_mutable.
	(class noop_region_model_context): Update for region_model_context
	changes.
	(model_merger::model_merger): Add program_point. Drop
	svalue_id_merger_mapping.
	(model_merger::dump_to_pp): Add "simple" param.
	(model_merger::dump): Likewise.
	(model_merger::get_region_a): Delete.
	(model_merger::get_region_b): Delete.
	(model_merger::can_merge_values_p): Delete.
	(model_merger::record_regions): Delete.
	(model_merger::record_svalues): Delete.
	(model_merger::m_point): New field.
	(model_merger::m_map_regions_from_a_to_m): Delete.
	(model_merger::m_map_regions_from_b_to_m): Delete.
	(model_merger::m_sid_mapping): Delete.
	(struct svalue_id_merger_mapping): Delete.
	(class engine): New.
	(struct canonicalization): Delete.
	(inchash::add): Delete decls for hashing svalue_id and region_id.
	(test_region_model_context::on_unexpected_tree_code): Require t to
	be non-NULL.
	(selftest::assert_condition): Add overload comparing a pair of
	const svalue *.
	* sm-file.cc: Include "tristate.h", "selftest.h",
	"analyzer/call-string.h", "analyzer/program-point.h",
	"analyzer/store.h", and "analyzer/region-model.h".
	(fileptr_state_machine::get_default_state): New.
	(fileptr_state_machine::on_stmt): Remove calls to
	get_readable_tree in favor of get_diagnostic_tree.
	* sm-malloc.cc: Include "tristate.h", "selftest.h",
	"analyzer/call-string.h", "analyzer/program-point.h",
	"analyzer/store.h", and "analyzer/region-model.h".
	(malloc_state_machine::get_default_state): New.
	(malloc_state_machine::reset_when_passed_to_unknown_fn_p): New.
	(malloc_diagnostic::describe_state_change): Handle change.m_expr
	being NULL.
	(null_arg::emit): Avoid printing "NULL '0'".
	(null_arg::describe_final_event): Avoid printing "(0) NULL".
	(malloc_leak::emit): Handle m_arg being NULL.
	(malloc_leak::describe_final_event): Handle ev.m_expr being NULL.
	(malloc_state_machine::on_stmt): Don't call get_readable_tree.
	Call get_diagnostic_tree when creating pending diagnostics.
	Update for is_zero_assignment becoming a member function of
	sm_ctxt.
	Don't transition to m_non_heap for ADDR_EXPR(MEM_REF()).
	(malloc_state_machine::reset_when_passed_to_unknown_fn_p): New
	vfunc implementation.
	* sm-sensitive.cc (sensitive_state_machine::warn_for_any_exposure): Call
	get_diagnostic_tree and pass the result to warn_for_state.
	* sm-signal.cc: Move includes of "analyzer/call-string.h" and
	"analyzer/program-point.h" to before "analyzer/region-model.h",
	and also include "analyzer/store.h" before it.
	(signal_unsafe_call::describe_state_change): Use
	get_dest_function to get handler.
	(update_model_for_signal_handler): Pass manager to region_model
	ctor.
	(register_signal_handler::impl_transition): Update for changes to
	get_or_create_node and add_edge.
	* sm-taint.cc (taint_state_machine::on_stmt): Remove calls to
	get_readable_tree, replacing them when calling warn_for_state with
	calls to get_diagnostic_tree.
	* sm.cc (is_zero_assignment): Delete.
	(any_pointer_p): Move to within namespace ana.
	* sm.h (is_zero_assignment): Remove decl.
	(any_pointer_p): Move decl to within namespace ana.
	(state_machine::get_default_state): New vfunc.
	(state_machine::reset_when_passed_to_unknown_fn_p): New vfunc.
	(sm_context::get_readable_tree): Rename to...
	(sm_context::get_diagnostic_tree): ...this.
	(sm_context::is_zero_assignment): New vfunc.
	* store.cc: New file.
	* store.h: New file.
	* svalue.cc: New file.

2221fb6f
MW
97632020-05-22 Mark Wielaard <mark@klomp.org>
9764
9765 * sm-signal.cc(signal_unsafe_call::emit): Possibly add
9766 gcc_rich_location note for replacement.
9767 (signal_unsafe_call::get_replacement_fn): New private function.
9768 (get_async_signal_unsafe_fns): Add "exit".
9769
5eae0ac7
DM
97702020-04-28 David Malcolm <dmalcolm@redhat.com>
9771
9772 PR analyzer/94816
9773 * engine.cc (impl_region_model_context::on_unexpected_tree_code):
9774 Handle NULL tree.
9775 * region-model.cc (region_model::add_region_for_type): Handle
9776 NULL type.
9777 * region-model.h
9778 (test_region_model_context::on_unexpected_tree_code): Handle NULL
9779 tree.
9780
2020-04-28 David Malcolm <dmalcolm@redhat.com>

	PR analyzer/94447
	PR analyzer/94639
	PR analyzer/94732
	PR analyzer/94754
	* analyzer.opt (Wanalyzer-use-of-uninitialized-value): Delete.
	* program-state.cc (selftest::test_program_state_dumping): Update
	expected dump result for removal of "uninit".
	* region-model.cc (poison_kind_to_str): Delete POISON_KIND_UNINIT
	case.
	(root_region::ensure_stack_region): Initialize stack with null
	svalue_id rather than with a typeless POISON_KIND_UNINIT value.
	(root_region::ensure_heap_region): Likewise for the heap.
	(region_model::dump_summary_of_rep_path_vars): Remove
	summarization of uninit values.
	(region_model::validate): Remove check that the stack has a
	POISON_KIND_UNINIT value.
	(poisoned_value_diagnostic::emit): Remove POISON_KIND_UNINIT
	case.
	(poisoned_value_diagnostic::describe_final_event): Likewise.
	(selftest::test_dump): Update expected dump result for removal of
	"uninit".
	(selftest::test_svalue_equality): Remove "uninit" and "freed".
	* region-model.h (enum poison_kind): Remove POISON_KIND_UNINIT.

2020-04-01 David Malcolm <dmalcolm@redhat.com>

	PR analyzer/94378
	* checker-path.cc: Include "bitmap.h".
	* constraint-manager.cc: Likewise.
	* diagnostic-manager.cc: Likewise.
	* engine.cc: Likewise.
	(exploded_node::detect_leaks): Pass null region_id to pop_frame.
	* program-point.cc: Include "bitmap.h".
	* program-state.cc: Likewise.
	* region-model.cc (id_set<region_id>::id_set): Convert to...
	(region_id_set::region_id_set): ...this.
	(svalue_id_set::svalue_id_set): New ctor.
	(region_model::copy_region): New function.
	(region_model::copy_struct_region): New function.
	(region_model::copy_union_region): New function.
	(region_model::copy_array_region): New function.
	(stack_region::pop_frame): Drop return value. Add
	"result_dst_rid" param; if it is non-null, use copy_region to copy
	the result to it. Rather than capture and pass a single "known
	used" return value to be used by purge_unused_values, instead
	gather and pass a set of known used return values.
	(root_region::pop_frame): Drop return value. Add "result_dst_rid"
	param.
	(region_model::on_assignment): Use copy_region.
	(region_model::on_return): Likewise for the result.
	(region_model::on_longjmp): Pass null for pop_frame's
	result_dst_rid.
	(region_model::update_for_return_superedge): Pass the region for the
	return value of the call, if any, to pop_frame, rather than setting
	the lvalue for the lhs of the result.
	(region_model::pop_frame): Drop return value. Add
	"result_dst_rid" param.
	(region_model::purge_unused_svalues): Convert third param from an
	svalue_id * to an svalue_id_set *, updating the initial populating
	of the "used" bitmap accordingly. Don't remap it when done.
	(struct selftest::coord_test): New selftest fixture, extracted from...
	(selftest::test_dump_2): ...here.
	(selftest::test_compound_assignment): New selftest.
	(selftest::test_stack_frames): Pass null to new param of pop_frame.
	(selftest::analyzer_region_model_cc_tests): Call the new selftest.
	* region-model.h (class id_set): Delete template.
	(class region_id_set): Reimplement, using old id_set implementation.
	(class svalue_id_set): Likewise. Convert from auto_sbitmap to
	auto_bitmap.
	(region::get_active_view): New accessor.
	(stack_region::pop_frame): Drop return value. Add
	"result_dst_rid" param.
	(root_region::pop_frame): Likewise.
	(region_model::pop_frame): Likewise.
	(region_model::copy_region): New decl.
	(region_model::purge_unused_svalues): Convert third param from an
	svalue_id * to an svalue_id_set *.
	(region_model::copy_struct_region): New decl.
	(region_model::copy_union_region): New decl.
	(region_model::copy_array_region): New decl.

2020-03-27 David Malcolm <dmalcolm@redhat.com>

	* program-state.cc (selftest::test_program_state_dumping): Update
	expected dump to include symbolic_region's possibly_null field.
	* region-model.cc (symbolic_region::print_fields): New vfunc
	implementation.
	(region_model::add_constraint): Clear m_possibly_null from
	symbolic_regions now known to be non-NULL.
	(selftest::test_malloc_constraints): New selftest.
	(selftest::analyzer_region_model_cc_tests): Call it.
	* region-model.h (region::dyn_cast_symbolic_region): Add non-const
	overload.
	(symbolic_region::dyn_cast_symbolic_region): Implement it.
	(symbolic_region::print_fields): New vfunc override decl.

2020-03-27 David Malcolm <dmalcolm@redhat.com>

	* analyzer.h (class feasibility_problem): New forward decl.
	* diagnostic-manager.cc (saved_diagnostic::saved_diagnostic):
	Initialize new fields m_status, m_epath_length, and m_problem.
	(saved_diagnostic::~saved_diagnostic): Delete m_problem.
	(dedupe_candidate::dedupe_candidate): Convert "sd" param from a
	const ref to a mutable ptr.
	(dedupe_winners::add): Convert "sd" param from a const ref to a
	mutable ptr. Record the length of the exploded_path. Record the
	feasibility/infeasibility of sd into sd, capturing a
	feasibility_problem when feasible_p fails, and storing it in sd.
	(diagnostic_manager::emit_saved_diagnostics): Update for pass by
	ptr rather than by const ref.
	* diagnostic-manager.h (class saved_diagnostic): Add new enum
	status. Add fields m_status, m_epath_length and m_problem.
	(saved_diagnostic::set_feasible): New member function.
	(saved_diagnostic::set_infeasible): New member function.
	(saved_diagnostic::get_feasibility_problem): New accessor.
	(saved_diagnostic::get_status): New accessor.
	(saved_diagnostic::set_epath_length): New member function.
	(saved_diagnostic::get_epath_length): New accessor.
	* engine.cc: Include "gimple-pretty-print.h".
	(exploded_path::feasible_p): Add OUT param and, if non-NULL, write
	a new feasibility_problem to it on failure.
	(viz_callgraph_node::dump_dot): Convert begin_tr calls to
	begin_trtd. Convert end_tr calls to end_tdtr.
	(class exploded_graph_annotator): New subclass of dot_annotator.
	(impl_run_checkers): Add a second -fdump-analyzer-supergraph dump
	after the analysis runs, using exploded_graph_annotator, dumping
	to DUMP_BASE_NAME.supergraph-eg.dot.
	* exploded-graph.h (exploded_node::get_dot_fillcolor): Make
	public.
	(exploded_path::feasible_p): Add OUT param.
	(class feasibility_problem): New class.
	* state-purge.cc (state_purge_annotator::add_node_annotations):
	Return a bool, add a "within_table" param.
	(print_vec_of_names): Convert begin_tr calls to begin_trtd.
	Convert end_tr calls to end_tdtr.
	(state_purge_annotator::add_stmt_annotations): Add "within_row"
	param.
	* state-purge.h (state_purge_annotator::add_node_annotations):
	Return a bool, add a "within_table" param.
	(state_purge_annotator::add_stmt_annotations): Add "within_row"
	param.
	* supergraph.cc (supernode::dump_dot): Call add_node_annotations
	twice: as before, passing false for "within_table", then again
	with true when within the TABLE element. Convert some begin_tr
	calls to begin_trtd, and some end_tr calls to end_tdtr.
	Repeat each add_stmt_annotations call, distinguishing between
	calls that add TRs and those that add TDs to an existing TR.
	Add a call to add_after_node_annotations.
	* supergraph.h (dot_annotator::add_node_annotations): Add a
	"within_table" param.
	(dot_annotator::add_stmt_annotations): Add a "within_row" param.
	(dot_annotator::add_after_node_annotations): New vfunc.

2020-03-27 David Malcolm <dmalcolm@redhat.com>

	* diagnostic-manager.cc (dedupe_winners::add): Show the
	exploded_node index in the log messages.
	(diagnostic_manager::emit_saved_diagnostics): Log a summary of
	m_saved_diagnostics at entry.

2020-03-27 David Malcolm <dmalcolm@redhat.com>

	* supergraph.cc (superedge::dump): Add space before description;
	move newline to non-pretty_printer overload.

2020-03-18 David Malcolm <dmalcolm@redhat.com>

	* region-model.cc: Include "stor-layout.h".
	(region_model::dump_to_pp): Rather than calling
	dump_summary_of_map on each of the current frame and the globals,
	instead get a vec of representative path_vars for all regions,
	and then dump a summary of all of them.
	(region_model::dump_summary_of_map): Delete, rewriting into...
	(region_model::dump_summary_of_rep_path_vars): ...this new
	function, working on a vec of path_vars.
	(region_model::set_value): New overload.
	(region_model::get_representative_path_var): Rename
	"parent_region" local to "parent_reg" and consolidate with other
	local. Guard test for grandparent being stack on parent_reg being
	non-NULL. Move handling for parent being an array_region to
	within guard for parent_reg being non-NULL.
	(selftest::make_test_compound_type): New function.
	(selftest::test_dump_2): New selftest.
	(selftest::test_dump_3): New selftest.
	(selftest::test_stack_frames): Update expected output from
	simplified dump to show "a" and "b" from parent frame and "y" in
	child frame.
	(selftest::analyzer_region_model_cc_tests): Call test_dump_2 and
	test_dump_3.
	* region-model.h (region_model::set_value): New overload decl.
	(region_model::dump_summary_of_map): Delete.
	(region_model::dump_summary_of_rep_path_vars): New.

2020-03-18 David Malcolm <dmalcolm@redhat.com>

	* region-model.h (class noop_region_model_context): New subclass
	of region_model_context.
	(class tentative_region_model_context): Inherit from
	noop_region_model_context rather than from region_model_context;
	drop redundant vfunc implementations.
	(class test_region_model_context): Likewise.

2020-03-18 David Malcolm <dmalcolm@redhat.com>

	* engine.cc (exploded_node::exploded_node): Move implementation
	here from header; accept point_and_state by const reference rather
	than by value.
	* exploded-graph.h (exploded_node::exploded_node): Pass
	point_and_state by const reference rather than by value. Move
	body to engine.cc.

2020-03-18 Jakub Jelinek <jakub@redhat.com>

	* sm-malloc.cc (malloc_state_machine::on_stmt): Fix up duplicated word
	issue in a comment.
	* region-model.cc (region_model::make_region_for_unexpected_tree_code,
	region_model::delete_region_and_descendents): Likewise.
	* engine.cc (class exploded_cluster): Likewise.
	* diagnostic-manager.cc (class path_builder): Likewise.

2020-03-13 David Malcolm <dmalcolm@redhat.com>

	PR analyzer/94099
	PR analyzer/94105
	* diagnostic-manager.cc (for_each_state_change): Bulletproof
	against errors in get_rvalue by passing a
	tentative_region_model_context and rejecting if there's an error.
	* region-model.cc (region_model::get_lvalue_1): When handling
	ARRAY_REF, handle results of error-handling. Handle NOP_EXPR.

2020-03-06 David Malcolm <dmalcolm@redhat.com>

	* analyzer.h (class array_region): New forward decl.
	* program-state.cc (selftest::test_program_state_dumping_2): New.
	(selftest::analyzer_program_state_cc_tests): Call it.
	* region-model.cc (array_region::constant_from_key): New.
	(region_model::get_representative_tree): Handle region_svalue by
	generating an ADDR_EXPR.
	(region_model::get_representative_path_var): In view handling,
	remove erroneous TREE_TYPE when determining the type of the tree.
	Handle array regions and STRING_CST.
	(selftest::assert_dump_tree_eq): New.
	(ASSERT_DUMP_TREE_EQ): New macro.
	(selftest::test_get_representative_tree): New selftest.
	(selftest::analyzer_region_model_cc_tests): Call it.
	* region-model.h (region::dyn_cast_array_region): New vfunc.
	(array_region::dyn_cast_array_region): New vfunc implementation.
	(array_region::constant_from_key): New decl.

2020-03-06 David Malcolm <dmalcolm@redhat.com>

	* analyzer.h (dump_quoted_tree): New decl.
	* engine.cc (exploded_node::dump_dot): Pass region model to
	sm_state_map::print.
	* program-state.cc: Include diagnostic-core.h.
	(sm_state_map::print): Add "model" param and use it to print
	representative trees. Only print origin information if non-null.
	(sm_state_map::dump): Pass NULL for model to print call.
	(program_state::print): Pass region model to sm_state_map::print.
	(program_state::dump_to_pp): Use spaces rather than newlines when
	summarizing. Pass region_model to sm_state_map::print.
	(ana::selftest::assert_dump_eq): New function.
	(ASSERT_DUMP_EQ): New macro.
	(ana::selftest::test_program_state_dumping): New function.
	(ana::selftest::analyzer_program_state_cc_tests): Call it.
	* program-state.h (program_state::print): Add model param.
	* region-model.cc (dump_quoted_tree): New function.
	(map_region::print_fields): Use dump_quoted_tree rather than
	%qE to avoid lang-dependent output.
	(map_region::dump_child_label): Likewise.
	(region_model::dump_summary_of_map): For SK_REGION, when
	get_representative_path_var fails, print the region id rather than
	erroneously printing NULL.
	* sm.cc (state_machine::get_state_by_name): New function.
	* sm.h (state_machine::get_state_by_name): New decl.

2020-03-04 David Malcolm <dmalcolm@redhat.com>

	* region-model.cc (region::validate): Convert model param from ptr
	to reference. Update comment to reflect that it's now a vfunc.
	(map_region::validate): New vfunc implementation.
	(array_region::validate): New vfunc implementation.
	(stack_region::validate): New vfunc implementation.
	(root_region::validate): New vfunc implementation.
	(region_model::validate): Pass a reference rather than a pointer
	to the region::validate vfunc.
	* region-model.h (region::validate): Make virtual. Convert model
	param from ptr to reference.
	(map_region::validate): New vfunc decl.
	(array_region::validate): New vfunc decl.
	(stack_region::validate): New vfunc decl.
	(root_region::validate): New vfunc decl.

2020-03-04 David Malcolm <dmalcolm@redhat.com>

	PR analyzer/93993
	* region-model.cc (region_model::on_call_pre): Handle
	BUILT_IN_EXPECT and its variants.
	(region_model::add_any_constraints_from_ssa_def_stmt): Split out
	gassign handling into add_any_constraints_from_gassign; add gcall
	handling.
	(region_model::add_any_constraints_from_gassign): New function,
	based on the above. Add handling for NOP_EXPR.
	(region_model::add_any_constraints_from_gcall): New function.
	(region_model::get_representative_path_var): Handle views.
	* region-model.h
	(region_model::add_any_constraints_from_ssa_def_stmt): New decl.
	(region_model::add_any_constraints_from_gassign): New decl.

2020-03-04 David Malcolm <dmalcolm@redhat.com>

	PR analyzer/93993
	* checker-path.h (state_change_event::get_lvalue): Add ctxt param
	and pass it to region_model::get_value call.
	* diagnostic-manager.cc (get_any_origin): Pass a
	tentative_region_model_context to the calls to get_lvalue and reject
	the comparison if errors occur.
	(can_be_expr_of_interest_p): New function.
	(diagnostic_manager::prune_for_sm_diagnostic): Replace checks for
	CONSTANT_CLASS_P with calls to update_for_unsuitable_sm_exprs.
	Pass a tentative_region_model_context to the calls to
	state_change_event::get_lvalue and reject the comparison if errors
	occur.
	(diagnostic_manager::update_for_unsuitable_sm_exprs): New.
	* diagnostic-manager.h
	(diagnostic_manager::update_for_unsuitable_sm_exprs): New decl.
	* region-model.h (class tentative_region_model_context): New class.

2020-03-04 David Malcolm <dmalcolm@redhat.com>

	* engine.cc (worklist::worklist): Remove unused field m_eg.
	(class viz_callgraph_edge): Remove unused field m_call_sedge.
	(class viz_callgraph): Remove unused field m_sg.
	* exploded-graph.h (worklist::m_eg): Remove unused field.

2020-03-02 David Malcolm <dmalcolm@redhat.com>

	* analyzer.opt (fanalyzer-show-duplicate-count): New option.
	* diagnostic-manager.cc
	(diagnostic_manager::emit_saved_diagnostic): Use the above to
	guard the printing of the duplicate count.

2020-03-02 David Malcolm <dmalcolm@redhat.com>

	PR analyzer/93959
	* analyzer.cc (is_std_function_p): New function.
	(is_std_named_call_p): New function.
	* analyzer.h (is_std_named_call_p): New decl.
	* sm-malloc.cc (malloc_state_machine::on_stmt): Check for "std::"
	variants when checking for malloc, calloc and free.

2020-02-26 David Malcolm <dmalcolm@redhat.com>

	PR analyzer/93950
	* diagnostic-manager.cc
	(diagnostic_manager::prune_for_sm_diagnostic): Assert that var is
	either NULL or not a constant. When updating var, bulletproof
	against constant values.

2020-02-26 David Malcolm <dmalcolm@redhat.com>

	PR analyzer/93947
	* region-model.cc (region_model::get_fndecl_for_call): Gracefully
	fail for fn_decls that don't have a cgraph_node.

2020-02-26 David Malcolm <dmalcolm@redhat.com>

	* bar-chart.cc: New file.
	* bar-chart.h: New file.
	* engine.cc: Include "analyzer/bar-chart.h".
	(stats::log): Only log the m_num_nodes kinds that are non-zero.
	(stats::dump): Likewise when dumping.
	(stats::get_total_enodes): New.
	(exploded_graph::get_or_create_node): Increment the per-point-data
	m_excess_enodes when hitting the per-program-point limit on
	enodes.
	(exploded_graph::print_bar_charts): New.
	(exploded_graph::log_stats): Log the number of unprocessed enodes
	in the worklist. Call print_bar_charts.
	(exploded_graph::dump_stats): Print the number of unprocessed
	enodes in the worklist.
	* exploded-graph.h (stats::get_total_enodes): New decl.
	(struct per_program_point_data): Add field m_excess_enodes.
	(exploded_graph::print_bar_charts): New decl.
	* supergraph.cc (superedge::dump): New.
	(superedge::dump): New.
	* supergraph.h (supernode::get_function): New.
	(superedge::dump): New decl.
	(superedge::dump): New decl.

2020-02-24 David Malcolm <dmalcolm@redhat.com>

	* engine.cc (exploded_graph::get_or_create_node): Dump the
	program_state to the pp, rather than to stderr.

2020-02-24 David Malcolm <dmalcolm@redhat.com>

	PR analyzer/93032
	* sm.cc (make_checkers): Require the "taint" checker to be
	explicitly enabled.

2020-02-24 David Malcolm <dmalcolm@redhat.com>

	PR analyzer/93899
	* engine.cc
	(impl_region_model_context::impl_region_model_context): Add logger
	param.
	* engine.cc (exploded_graph::add_function_entry): Create an
	impl_region_model_context and pass it to the push_frame call.
	Bail if the resulting state is invalid.
	(exploded_graph::build_initial_worklist): Likewise.
	(exploded_graph::build_initial_worklist): Handle the case where
	add_function_entry fails.
	* exploded-graph.h
	(impl_region_model_context::impl_region_model_context): Add logger
	param.
	* region-model.cc (map_region::get_or_create): Add ctxt param and
	pass it to add_region_for_type.
	(map_region::can_merge_p): Pass NULL as a ctxt to call to
	get_or_create.
	(array_region::get_element): Pass ctxt to call to get_or_create.
	(array_region::get_or_create): Add ctxt param and pass it to
	add_region_for_type.
	(root_region::push_frame): Pass ctxt to get_or_create calls.
	(region_model::get_lvalue_1): Likewise.
	(region_model::make_region_for_unexpected_tree_code): Assert that
	ctxt is non-NULL.
	(region_model::get_rvalue_1): Pass ctxt to get_svalue_for_fndecl
	and get_svalue_for_label calls.
	(region_model::get_svalue_for_fndecl): Add ctxt param and pass it
	to get_region_for_fndecl.
	(region_model::get_region_for_fndecl): Add ctxt param and pass it
	to get_or_create.
	(region_model::get_svalue_for_label): Add ctxt param and pass it
	to get_region_for_label.
	(region_model::get_region_for_label): Add ctxt param and pass it
	to get_region_for_fndecl and get_or_create.
	(region_model::get_field_region): Add ctxt param and pass it to
	get_or_create_view and get_or_create.
	(make_region_for_type): Replace gcc_unreachable with return NULL.
	(region_model::add_region_for_type): Add ctxt param. Handle a
	return of NULL from make_region_for_type by calling
	make_region_for_unexpected_tree_code.
	(region_model::get_or_create_mem_ref): Pass ctxt to calls to
	get_or_create_view.
	(region_model::get_or_create_view): Add ctxt param and pass it to
	add_region_for_type.
	(selftest::test_state_merging): Pass ctxt to get_or_create_view.
	* region-model.h (region_model::get_or_create): Add ctxt param.
	(region_model::add_region_for_type): Likewise.
	(region_model::get_svalue_for_fndecl): Likewise.
	(region_model::get_svalue_for_label): Likewise.
	(region_model::get_region_for_fndecl): Likewise.
	(region_model::get_region_for_label): Likewise.
	(region_model::get_field_region): Likewise.
	(region_model::get_or_create_view): Likewise.

2020-02-24 David Malcolm <dmalcolm@redhat.com>

	* checker-path.cc (superedge_event::should_filter_p): Update
	filter for empty descriptions to cover verbosity level 3 as well
	as 2.
	* diagnostic-manager.cc: Include "analyzer/reachability.h".
	(class path_builder): New class.
	(diagnostic_manager::emit_saved_diagnostic): Create a path_builder
	and pass it to build_emission_path, rather than passing eg; similarly
	for add_events_for_eedge and ext_state.
	(diagnostic_manager::build_emission_path): Replace "eg" param
	with a path_builder, pass it to add_events_for_eedge.
	(diagnostic_manager::add_events_for_eedge): Replace ext_state
	param with path_builder; pass it to add_events_for_superedge.
	(diagnostic_manager::significant_edge_p): New.
	(diagnostic_manager::add_events_for_superedge): Add path_builder
	param. Reject insignificant edges at verbosity levels below 3.
	(diagnostic_manager::prune_for_sm_diagnostic): Update highest
	verbosity level to 4.
	* diagnostic-manager.h (class path_builder): New forward decl.
	(diagnostic_manager::build_emission_path): Replace "eg" param
	with a path_builder.
	(diagnostic_manager::add_events_for_eedge): Replace ext_state
	param with path_builder.
	(diagnostic_manager::significant_edge_p): New.
	(diagnostic_manager::add_events_for_superedge): Add path_builder
	param.
	* reachability.h: New file.

2020-02-18 David Malcolm <dmalcolm@redhat.com>

	PR analyzer/93692
	* analyzer.opt (fdump-analyzer-callgraph): Rewrite description.

2020-02-18 David Malcolm <dmalcolm@redhat.com>

	PR analyzer/93777
	* region-model.cc (region_model::maybe_cast_1): Replace assertion
	that build_cast returns non-NULL with a conditional, falling
	through to the logic which returns a new unknown value of the
	desired type if it fails.

2020-02-18 David Malcolm <dmalcolm@redhat.com>

	PR analyzer/93778
	* engine.cc (impl_region_model_context::on_unknown_tree_code):
	Rename to...
	(impl_region_model_context::on_unexpected_tree_code): ...this and
	convert first argument from path_var to tree.
	(exploded_node::on_stmt): Pass ctxt to purge_for_unknown_fncall.
	* exploded-graph.h (region_model_context::on_unknown_tree_code):
	Rename to...
	(region_model_context::on_unexpected_tree_code): ...this and
	convert first argument from path_var to tree.
	* program-state.cc (sm_state_map::purge_for_unknown_fncall): Add
	ctxt param and pass on to calls to get_rvalue.
	* program-state.h (sm_state_map::purge_for_unknown_fncall): Add
	ctxt param.
	* region-model.cc (region_model::handle_unrecognized_call): Pass
	ctxt on to call to get_rvalue.
	(region_model::get_lvalue_1): Move body of default case to
	region_model::make_region_for_unexpected_tree_code and call it.
	Within COMPONENT_REF case, reject attempts to handle types other
	than RECORD_TYPE and UNION_TYPE.
	(region_model::make_region_for_unexpected_tree_code): New
	function, based on default case of region_model::get_lvalue_1.
	* region-model.h
	(region_model::make_region_for_unexpected_tree_code): New decl.
	(region_model::on_unknown_tree_code): Rename to...
	(region_model::on_unexpected_tree_code): ...this and convert first
	argument from path_var to tree.
	(class test_region_model_context): Update vfunc implementation for
	above change.

2020-02-18 David Malcolm <dmalcolm@redhat.com>

	PR analyzer/93774
	* region-model.cc
	(region_model::convert_byte_offset_to_array_index): Use
	int_size_in_bytes before calling size_in_bytes, to gracefully fail
	on incomplete types.

2020-02-17 David Malcolm <dmalcolm@redhat.com>

	PR analyzer/93775
	* region-model.cc (region_model::get_fndecl_for_call): Handle the
	case where the code_region's get_tree_for_child_region returns
	NULL.

2020-02-17 David Malcolm <dmalcolm@redhat.com>

	PR analyzer/93388
	* engine.cc (impl_region_model_context::on_unknown_tree_code):
	New.
	(exploded_graph::get_or_create_node): Reject invalid states.
	* exploded-graph.h
	(impl_region_model_context::on_unknown_tree_code): New decl.
	(point_and_state::point_and_state): Assert that the state is
	valid.
	* program-state.cc (program_state::program_state): Initialize
	m_valid to true.
	(program_state::operator=): Copy m_valid.
	(program_state::program_state): Likewise for move constructor.
	(program_state::print): Print m_valid.
	(program_state::dump_to_pp): Likewise.
	* program-state.h (program_state::m_valid): New field.
	* region-model.cc (region_model::get_lvalue_1): Implement the
	default case by returning a new symbolic region and calling
	the context's on_unknown_tree_code, rather than issuing an
	internal_error. Implement VIEW_CONVERT_EXPR.
	* region-model.h (region_model_context::on_unknown_tree_code): New
	vfunc.
	(test_region_model_context::on_unknown_tree_code): New.

2020-02-17 David Malcolm <dmalcolm@redhat.com>

	* sm-malloc.cc (malloc_diagnostic::describe_state_change): For
	transition to the "null" state, only say "assuming" when
	transitioning from the "unchecked" state.

2020-02-17 David Malcolm <dmalcolm@redhat.com>

	* diagnostic-manager.h (diagnostic_manager::get_saved_diagnostic):
	Add const overload.
	* engine.cc (exploded_node::dump_dot): Dump saved_diagnostics.
	* exploded-graph.h (exploded_graph::get_diagnostic_manager): Add
	const overload.

2020-02-11 David Malcolm <dmalcolm@redhat.com>

	PR analyzer/93288
	* analysis-plan.cc (analysis_plan::use_summary_p): Look through
	the ultimate_alias_target when getting the called function.
	* engine.cc (exploded_node::on_stmt): Rename second "ctxt" to
	"sm_ctxt". Use the region_model's get_fndecl_for_call rather than
	gimple_call_fndecl.
	* region-model.cc (region_model::get_fndecl_for_call): Use
	ultimate_alias_target on fndecl.
	* supergraph.cc (get_ultimate_function_for_cgraph_edge): New
	function.
	(supergraph_call_edge): Use it when rejecting edges without
	functions.
	(supergraph::supergraph): Use it to get the function for the
	cgraph_edge when building interprocedural superedges.
	(callgraph_superedge::get_callee_function): Use it.
	* supergraph.h (supergraph::get_num_snodes): Make param const.
	(supergraph::function_to_num_snodes_t): Make first type param
	const.

2020-02-11 David Malcolm <dmalcolm@redhat.com>

	PR analyzer/93374
	* engine.cc (exploded_edge::exploded_edge): Add ext_state param
	and pass it to change.validate.
	(exploded_graph::get_or_create_node): Move purging of change
	svalues to also cover the case of reusing an existing enode.
	(exploded_graph::add_edge): Pass m_ext_state to exploded_edge's
	ctor.
	* exploded-graph.h (exploded_edge::exploded_edge): Add ext_state
	param.
	* program-state.cc (state_change::sm_change::validate): Likewise.
	Assert that m_sm_idx is sane. Use ext_state to validate
	m_old_state and m_new_state.
	(state_change::validate): Add ext_state param and pass it to
	the sm_change validate calls.
	* program-state.h (state_change::sm_change::validate): Add
	ext_state param.
	(state_change::validate): Likewise.

2020-02-11 David Malcolm <dmalcolm@redhat.com>

	PR analyzer/93669
	* engine.cc (exploded_graph::dump_exploded_nodes): Handle missing
	case of STATUS_WORKLIST in implementation of
	"__analyzer_dump_exploded_nodes".

2020-02-11 David Malcolm <dmalcolm@redhat.com>

	PR analyzer/93649
	* constraint-manager.cc (constraint_manager::add_constraint): When
	merging equivalence classes and updating m_constant, also update
	m_cst_sid.
	(constraint_manager::validate): If m_constant is non-NULL assert
	that m_cst_sid is non-null and is valid.

2020-02-11 David Malcolm <dmalcolm@redhat.com>

	PR analyzer/93657
	* analyzer.opt (fdump-analyzer): Reword description.
	(fdump-analyzer-stderr): Likewise.

2020-02-11 David Malcolm <dmalcolm@redhat.com>

	* region-model.cc (print_quoted_type): New function.
	(svalue::print): Use it to replace %qT.
	(region::dump_to_pp): Likewise.
	(region::dump_child_label): Likewise.
	(region::print_fields): Likewise.

2020-02-10 David Malcolm <dmalcolm@redhat.com>

	PR analyzer/93659
	* analyzer.opt (-param=analyzer-max-recursion-depth=): Fix "tha"
	-> "that" typo.
	(Wanalyzer-use-of-uninitialized-value): Fix "initialized" ->
	"uninitialized" typo.

2020-02-10 David Malcolm <dmalcolm@redhat.com>

	PR analyzer/93350
	* region-model.cc (region_model::get_lvalue_1):
	Handle BIT_FIELD_REF.
	(make_region_for_type): Handle VECTOR_TYPE.

e953f958
DM
104542020-02-10 David Malcolm <dmalcolm@redhat.com>
10455
10456 PR analyzer/93647
10457 * diagnostic-manager.cc
10458 (diagnostic_manager::prune_for_sm_diagnostic): Bulletproof against
10459 VAR being constant.
10460 * region-model.cc (region_model::get_lvalue_1): Provide a better
10461 error message when encountering an unhandled tree code.
10462
41a9e940
DM
104632020-02-10 David Malcolm <dmalcolm@redhat.com>
10464
10465 PR analyzer/93405
10466 * region-model.cc (region_model::get_lvalue_1): Implement
10467 CONST_DECL.
10468
cb273d81
DM
104692020-02-06 David Malcolm <dmalcolm@redhat.com>
10470
10471 * region-model.cc (region_model::maybe_cast_1): Attempt to provide
10472 a region_svalue if either type is a pointer, rather than if both
10473 types are pointers.
10474
a4d3bfc0
DM
104752020-02-05 David Malcolm <dmalcolm@redhat.com>
10476
10477 * engine.cc (exploded_node::dump_dot): Show merger enodes.
10478 (worklist::add_node): Assert that the node's m_status is
10479 STATUS_WORKLIST.
10480 (exploded_graph::process_worklist): Likewise for nodes from the
10481 worklist. Set status of merged nodes to STATUS_MERGER.
10482 (exploded_graph::process_node): Set status of node to
10483 STATUS_PROCESSED.
10484 (exploded_graph::dump_exploded_nodes): Rework handling of
10485 "__analyzer_dump_exploded_nodes", splitting enodes by status into
10486 "processed" and "merger", showing the count of just the processed
10487 enodes at the call, rather than the count of all enodes.
10488 * exploded-graph.h (exploded_node::status): New enum.
10489 (exploded_node::exploded_node): Initialize m_status to
10490 STATUS_WORKLIST.
10491 (exploded_node::get_status): New getter.
10492 (exploded_node::set_status): New setter.
10493
1dae549d
DM
104942020-02-04 David Malcolm <dmalcolm@redhat.com>
10495
10496 PR analyzer/93543
10497 * engine.cc (pod_hash_traits<function_call_string>::mark_empty):
10498 Eliminate reinterpret_cast.
10499 (pod_hash_traits<function_call_string>::is_empty): Likewise.
10500
833f1e66
DM
105012020-02-03 David Malcolm <dmalcolm@redhat.com>
10502
10503 * constraint-manager.cc (range::constrained_to_single_element):
10504 Replace fold_build2 with fold_binary. Remove unnecessary newline.
10505 (constraint_manager::get_or_add_equiv_class): Replace fold_build2
10506 with fold_binary in two places, and remove out-of-date comment.
10507 (constraint_manager::eval_condition): Replace fold_build2 with
10508 fold_binary.
10509 * region-model.cc (constant_svalue::eval_condition): Likewise.
10510 (region_model::on_assignment): Likewise.
10511
8525d1f5
DM
105122020-02-03 David Malcolm <dmalcolm@redhat.com>
10513
10514 PR analyzer/93544
10515 * diagnostic-manager.cc
10516 (diagnostic_manager::prune_for_sm_diagnostic): Bulletproof
10517 against bad choices due to bad paths.
10518 * engine.cc (impl_region_model_context::on_phi): New.
10519 * exploded-graph.h (impl_region_model_context::on_phi): New decl.
10520 * region-model.cc (region_model::on_longjmp): Likewise.
10521 (region_model::handle_phi): Add phi param. Call the ctxt's on_phi
10522 vfunc.
10523 (region_model::update_for_phis): Pass phi to handle_phi.
10524 * region-model.h (region_model::handle_phi): Add phi param.
10525 (region_model_context::on_phi): New vfunc.
10526 (test_region_model_context::on_phi): New.
10527 * sm-malloc.cc (malloc_state_machine::on_phi): New.
10528 (malloc_state_machine::on_zero_assignment): New.
10529 * sm.h (state_machine::on_phi): New vfunc.
10530
73f38658
DM
105312020-02-03 David Malcolm <dmalcolm@redhat.com>
10532
10533 * engine.cc (supernode_cluster::dump_dot): Show BB index as
10534 well as SN index.
10535 * supergraph.cc (supernode::dump_dot): Likewise.
10536
5e10b9a2
DM
105372020-02-03 David Malcolm <dmalcolm@redhat.com>
10538
10539 PR analyzer/93546
10540 * region-model.cc (region_model::on_call_pre): Update for new
10541 param of symbolic_region ctor.
10542 (region_model::deref_rvalue): Likewise.
10543 (region_model::add_new_malloc_region): Likewise.
10544 (make_region_for_type): Likewise, preserving type.
10545 * region-model.h (symbolic_region::symbolic_region): Add "type"
10546 param and pass it to base class ctor.
10547
287ccd3b
DM
105482020-02-03 David Malcolm <dmalcolm@redhat.com>
10549
10550 PR analyzer/93547
10551 * constraint-manager.cc
10552 (constraint_manager::get_or_add_equiv_class): Ensure types are
10553 compatible before comparing constants.
10554
67751724
DM
105552020-01-31 David Malcolm <dmalcolm@redhat.com>
10556
10557 PR analyzer/93457
10558 * region-model.cc (make_region_for_type): Use VOID_TYPE_P rather
10559 than checking against void_type_node.
10560
09bea584
DM
105612020-01-31 David Malcolm <dmalcolm@redhat.com>
10562
10563 PR analyzer/93373
10564 * region-model.cc (ASSERT_COMPAT_TYPES): Convert to...
10565 (assert_compat_types): ...this, and bail when either type is NULL,
10566 or when VOID_TYPE_P (dst_type).
10567 (region_model::get_lvalue): Update for above conversion.
10568 (region_model::get_rvalue): Likewise.
10569
f1c807e8
DM
105702020-01-31 David Malcolm <dmalcolm@redhat.com>
10571
10572 PR analyzer/93379
10573 * region-model.cc (region_model::update_for_return_superedge):
10574 Move check for null result so that it also guards setting the
10575 lhs.
10576
455f58ec
DM
105772020-01-31 David Malcolm <dmalcolm@redhat.com>
10578
10579 PR analyzer/93438
10580 * region-model.cc (stack_region::can_merge_p): Split into a two
10581 pass approach, creating all stack regions first, then populating
10582 them.
10583 (selftest::test_state_merging): Add test coverage for (a) the case
10584 of self-merging a model in which a local in an older stack frame
10585 points to a local in a more recent stack frame (which previously
10586 would ICE), and (b) the case of self-merging a model in which a
10587 local points to a global (which previously worked OK).
10588
182ce042
DM
105892020-01-31 David Malcolm <dmalcolm@redhat.com>
10590
10591 * analyzer.cc (is_named_call_p): Replace tests for fndecl being
10592 extern at file scope and having a non-NULL DECL_NAME with a call
10593 to maybe_special_function_p.
10594 * function-set.cc (function_set::contains_decl_p): Add call to
10595 maybe_special_function_p.
10596
45eb3e49
DM
105972020-01-31 David Malcolm <dmalcolm@redhat.com>
10598
10599 PR analyzer/93450
10600 * constraint-manager.cc
10601 (constraint_manager::get_or_add_equiv_class): Only compare constants
10602 if their types are compatible.
10603 * region-model.cc (constant_svalue::eval_condition): Replace check
10604 for identical types with call to types_compatible_p.
10605
42f36563
DM
106062020-01-30 David Malcolm <dmalcolm@redhat.com>
10607
10608 * program-state.cc (extrinsic_state::dump_to_pp): New.
10609 (extrinsic_state::dump_to_file): New.
10610 (extrinsic_state::dump): New.
10611 * program-state.h (extrinsic_state::dump_to_pp): New decl.
10612 (extrinsic_state::dump_to_file): New decl.
10613 (extrinsic_state::dump): New decl.
10614 * sm.cc: Include "pretty-print.h".
10615 (state_machine::dump_to_pp): New.
10616 * sm.h (state_machine::dump_to_pp): New decl.
10617
ebe9174e
DM
106182020-01-30 David Malcolm <dmalcolm@redhat.com>
10619
10620 * diagnostic-manager.cc (for_each_state_change): Use
10621 extrinsic_state::get_num_checkers rather than accessing m_checkers
10622 directly.
10623 * program-state.cc (program_state::program_state): Likewise.
10624 * program-state.h (extrinsic_state::m_checkers): Make private.
10625
e978955d
DM
106262020-01-30 David Malcolm <dmalcolm@redhat.com>
10627
10628 PR analyzer/93356
10629 * region-model.cc (region_model::eval_condition): In both
10630 overloads, bail out immediately on floating-point types.
10631 (region_model::eval_condition_without_cm): Likewise.
10632 (region_model::add_constraint): Likewise.
10633
d177c49c
DM
106342020-01-30 David Malcolm <dmalcolm@redhat.com>
10635
10636 PR analyzer/93450
10637 * program-state.cc (sm_state_map::set_state): For the overload
10638 taking an svalue_id, bail out if the set_state on the ec does
10639 nothing. Convert the latter's return type from void to bool,
10640 returning true if anything changed.
10641 (sm_state_map::impl_set_state): Convert the return type from void
10642 to bool, returning true if the state changed.
10643 * program-state.h (sm_state_map::set_state): Convert return type
10644 from void to bool.
10645 (sm_state_map::impl_set_state): Likewise.
10646 * region-model.cc (constant_svalue::eval_condition): Only call
10647 fold_build2 if the types are the same.
10648
2020-01-29 Jakub Jelinek <jakub@redhat.com>

	* analyzer.h (PUSH_IGNORE_WFORMAT, POP_IGNORE_WFORMAT): Remove.
	* constraint-manager.cc: Include diagnostic-core.h before graphviz.h.
	(range::dump, equiv_class::print): Don't use PUSH_IGNORE_WFORMAT or
	POP_IGNORE_WFORMAT.
	* state-purge.cc: Include diagnostic-core.h before
	gimple-pretty-print.h.
	(state_purge_annotator::add_node_annotations, print_vec_of_names):
	Don't use PUSH_IGNORE_WFORMAT or POP_IGNORE_WFORMAT.
	* region-model.cc: Move diagnostic-core.h include before graphviz.h.
	(path_var::dump, svalue::print, constant_svalue::print_details,
	region::dump_to_pp, region::dump_child_label, region::print_fields,
	map_region::print_fields, map_region::dump_dot_to_pp,
	map_region::dump_child_label, array_region::print_fields,
	array_region::dump_dot_to_pp): Don't use PUSH_IGNORE_WFORMAT or
	POP_IGNORE_WFORMAT.

2020-01-28 David Malcolm <dmalcolm@redhat.com>

	PR analyzer/93316
	* engine.cc (rewind_info_t::update_model): Get the longjmp call
	stmt via get_longjmp_call () rather than assuming it is the last
	stmt in the longjmp's supernode.
	(rewind_info_t::add_events_to_path): Get the location_t for the
	rewind_from_longjmp_event via get_longjmp_call () rather than from
	the supernode's get_end_location ().

2020-01-28 David Malcolm <dmalcolm@redhat.com>

	* region-model.cc (poisoned_value_diagnostic::emit): Update for
	renaming of warning_at overload to warning_meta.
	* sm-file.cc (file_leak::emit): Likewise.
	* sm-malloc.cc (double_free::emit): Likewise.
	(possible_null_deref::emit): Likewise.
	(possible_null_arg::emit): Likewise.
	(null_deref::emit): Likewise.
	(null_arg::emit): Likewise.
	(use_after_free::emit): Likewise.
	(malloc_leak::emit): Likewise.
	(free_of_non_heap::emit): Likewise.
	* sm-sensitive.cc (exposure_through_output_file::emit): Likewise.
	* sm-signal.cc (signal_unsafe_call::emit): Likewise.
	* sm-taint.cc (tainted_array_index::emit): Likewise.

2020-01-27 David Malcolm <dmalcolm@redhat.com>

	PR analyzer/93451
	* region-model.cc (tree_cmp): For the REAL_CST case, impose an
	arbitrary order on NaNs relative to other NaNs and to non-NaNs;
	const-correctness tweak.
	(ana::selftests::build_real_cst_from_string): New function.
	(ana::selftests::append_interesting_constants): New function.
	(ana::selftests::test_tree_cmp_on_constants): New test.
	(ana::selftests::test_canonicalization_4): New test.
	(ana::selftests::analyzer_region_model_cc_tests): Call the new
	tests.

2020-01-27 David Malcolm <dmalcolm@redhat.com>

	PR analyzer/93349
	* engine.cc (run_checkers): Save and restore input_location.

2020-01-27 David Malcolm <dmalcolm@redhat.com>

	* call-string.cc (call_string::cmp_1): Delete, moving body to...
	(call_string::cmp): ...here.
	* call-string.h (call_string::cmp_1): Delete decl.
	* engine.cc (worklist::key_t::cmp_1): Delete, moving body to...
	(worklist::key_t::cmp): ...here. Implement hash comparisons
	via comparison rather than subtraction to avoid overflow issues.
	* exploded-graph.h (worklist::key_t::cmp_1): Delete decl.
	* region-model.cc (tree_cmp): Eliminate buggy checking for
	symmetry.

2020-01-27 David Malcolm <dmalcolm@redhat.com>

	* analyzer.cc (is_named_call_p): Check that fndecl is "extern"
	and at file scope. Potentially disregard prefix _ or __ in
	fndecl's name. Bail if the identifier is NULL.
	(is_setjmp_call_p): Expect a gcall rather than plain gimple.
	Remove special-case check for leading prefix, and also check for
	sigsetjmp.
	(is_longjmp_call_p): Also check for siglongjmp.
	(get_user_facing_name): New function.
	* analyzer.h (is_setjmp_call_p): Expect a gcall rather than plain
	gimple.
	(get_user_facing_name): New decl.
	* checker-path.cc (setjmp_event::get_desc): Use
	get_user_facing_name to avoid hardcoding the function name.
	(rewind_event::rewind_event): Add rewind_info param, using it to
	initialize new m_rewind_info field, and strengthen the assertion.
	(rewind_from_longjmp_event::get_desc): Use get_user_facing_name to
	avoid hardcoding the function name.
	(rewind_to_setjmp_event::get_desc): Likewise.
	* checker-path.h (setjmp_event::setjmp_event): Add setjmp_call
	param and use it to initialize...
	(setjmp_event::m_setjmp_call): New field.
	(rewind_event::rewind_event): Add rewind_info param.
	(rewind_event::m_rewind_info): New protected field.
	(rewind_from_longjmp_event::rewind_from_longjmp_event): Add
	rewind_info param.
	(class rewind_to_setjmp_event): Move rewind_info field to parent
	class.
	* diagnostic-manager.cc (diagnostic_manager::add_events_for_eedge):
	Update setjmp-handling for is_setjmp_call_p requiring a gcall;
	pass the call to the new setjmp_event.
	* engine.cc (exploded_node::on_stmt): Update for is_setjmp_call_p
	requiring a gcall.
	(stale_jmp_buf::emit): Use get_user_facing_name to avoid
	hardcoding the function names.
	(exploded_node::on_longjmp): Pass the longjmp_call when
	constructing rewind_info.
	(rewind_info_t::add_events_to_path): Pass the rewind_info_t to the
	rewind_from_longjmp_event's ctor.
	* exploded-graph.h (rewind_info_t::rewind_info_t): Add
	longjmp_call param.
	(rewind_info_t::get_longjmp_call): New.
	(rewind_info_t::m_longjmp_call): New.
	* region-model.cc (region_model::on_setjmp): Update comment to
	indicate this is also for sigsetjmp.
	* region-model.h (struct setjmp_record): Likewise.
	(class setjmp_svalue): Likewise.

2020-01-27 David Malcolm <dmalcolm@redhat.com>

	PR analyzer/93276
	* analyzer.h (PUSH_IGNORE_WFORMAT, POP_IGNORE_WFORMAT): Guard these
	macros with GCC_VERSION >= 4006, making them no-op otherwise.
	* engine.cc (exploded_edge::exploded_edge): Specify template for
	base class initializer.
	(exploded_graph::add_edge): Specify template when chaining up to
	base class add_edge implementation.
	(viz_callgraph_node::dump_dot): Drop redundant "typename".
	(viz_callgraph_edge::viz_callgraph_edge): Specify template for
	base class initializer.
	* program-state.cc (sm_state_map::clone_with_remapping): Drop
	redundant "typename".
	(sm_state_map::print): Likewise.
	(sm_state_map::hash): Likewise.
	(sm_state_map::operator==): Likewise.
	(sm_state_map::remap_svalue_ids): Likewise.
	(sm_state_map::on_svalue_purge): Likewise.
	(sm_state_map::validate): Likewise.
	* program-state.h (sm_state_map::iterator_t): Likewise.
	* supergraph.h (superedge::superedge): Specify template for base
	class initializer.

2020-01-23 David Malcolm <dmalcolm@redhat.com>

	PR analyzer/93375
	* supergraph.cc (callgraph_superedge::get_arg_for_parm): Fail
	gracefully if the number of parameters at the callee exceeds the
	number of arguments at the call stmt.
	(callgraph_superedge::get_parm_for_arg): Likewise.

2020-01-22 David Malcolm <dmalcolm@redhat.com>

	PR analyzer/93382
	* program-state.cc (sm_state_map::on_svalue_purge): If the
	entry survives, but the origin is being purged, then reset the
	origin to null.

2020-01-22 David Malcolm <dmalcolm@redhat.com>

	* sm-signal.cc: Fix nesting of CHECKING_P and namespace ana.

2020-01-22 David Malcolm <dmalcolm@redhat.com>

	PR analyzer/93378
	* engine.cc (setjmp_svalue::compare_fields): Update for
	replacement of m_enode with m_setjmp_record.
	(setjmp_svalue::add_to_hash): Likewise.
	(setjmp_svalue::get_index): Rename...
	(setjmp_svalue::get_enode_index): ...to this.
	(setjmp_svalue::print_details): Update for replacement of m_enode
	with m_setjmp_record.
	(exploded_node::on_longjmp): Likewise.
	* exploded-graph.h (rewind_info_t::m_enode_origin): Replace...
	(rewind_info_t::m_setjmp_record): ...with this.
	(rewind_info_t::rewind_info_t): Update for replacement of m_enode
	with m_setjmp_record.
	(rewind_info_t::get_setjmp_point): Likewise.
	(rewind_info_t::get_setjmp_call): Likewise.
	* region-model.cc (region_model::dump_summary_of_map): Likewise.
	(region_model::on_setjmp): Likewise.
	* region-model.h (struct setjmp_record): New struct.
	(setjmp_svalue::m_enode): Replace...
	(setjmp_svalue::m_setjmp_record): ...with this.
	(setjmp_svalue::setjmp_svalue): Update for replacement of m_enode
	with m_setjmp_record.
	(setjmp_svalue::clone): Likewise.
	(setjmp_svalue::get_index): Rename...
	(setjmp_svalue::get_enode_index): ...to this.
	(setjmp_svalue::get_exploded_node): Replace...
	(setjmp_svalue::get_setjmp_record): ...with this.

2020-01-22 David Malcolm <dmalcolm@redhat.com>

	PR analyzer/93316
	* analyzer.cc (is_setjmp_call_p): Check for "setjmp" as well as
	"_setjmp".

2020-01-22 David Malcolm <dmalcolm@redhat.com>

	PR analyzer/93307
	* analysis-plan.h: Wrap everything in namespace "ana".
	* analyzer-logging.cc: Likewise.
	* analyzer-logging.h: Likewise.
	* analyzer-pass.cc (pass_analyzer::execute): Update for "ana"
	namespace.
	* analyzer-selftests.cc: Wrap everything in namespace "ana".
	* analyzer-selftests.h: Likewise.
	* analyzer.h: Likewise for forward decls of types.
	* call-string.h: Likewise.
	* checker-path.cc: Likewise.
	* checker-path.h: Likewise.
	* constraint-manager.cc: Likewise.
	* constraint-manager.h: Likewise.
	* diagnostic-manager.cc: Likewise.
	* diagnostic-manager.h: Likewise.
	* engine.cc: Likewise.
	* engine.h: Likewise.
	* exploded-graph.h: Likewise.
	* function-set.cc: Likewise.
	* function-set.h: Likewise.
	* pending-diagnostic.cc: Likewise.
	* pending-diagnostic.h: Likewise.
	* program-point.cc: Likewise.
	* program-point.h: Likewise.
	* program-state.cc: Likewise.
	* program-state.h: Likewise.
	* region-model.cc: Likewise.
	* region-model.h: Likewise.
	* sm-file.cc: Likewise.
	* sm-malloc.cc: Likewise.
	* sm-pattern-test.cc: Likewise.
	* sm-sensitive.cc: Likewise.
	* sm-signal.cc: Likewise.
	* sm-taint.cc: Likewise.
	* sm.cc: Likewise.
	* sm.h: Likewise.
	* state-purge.h: Likewise.
	* supergraph.cc: Likewise.
	* supergraph.h: Likewise.

2020-01-21 David Malcolm <dmalcolm@redhat.com>

	PR analyzer/93352
	* region-model.cc (int_cmp): Rename to...
	(array_region::key_cmp): ...this, using key_t rather than int.
	Rewrite in terms of comparisons rather than subtraction to
	ensure qsort is anti-symmetric when handling extreme values.
	(array_region::walk_for_canonicalization): Update for above
	renaming.
	* region-model.h (array_region::key_cmp): New decl.
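
The 2020-01-27 entry for worklist::key_t::cmp and the 2020-01-21 entry for array_region::key_cmp above both replace a subtraction-based three-way comparison with explicit comparisons. The following added example is not GCC's code: it uses a hypothetical demo_key_t stand-in for the key type and shows why "a - b" violates the anti-symmetry qsort relies on once keys near INT_MIN and INT_MAX appear, while explicit comparisons hold for every pair.

```cpp
#include <climits>
#include <cstdio>
#include <cstdlib>
#include <vector>

/* Hypothetical stand-in for the key type (an array index or hash value)
   that the analyzer's comparators order; not GCC's own key_t.  */
typedef int demo_key_t;

/* The pattern the ChangeLog entries remove: "a - b" used as a three-way
   result.  The subtraction is done in unsigned arithmetic so that this
   demo reproduces the two's-complement wraparound of the naive signed
   "a - b" without invoking undefined behaviour.  */
static int
cmp_by_subtraction (demo_key_t a, demo_key_t b)
{
  return (int) ((unsigned) a - (unsigned) b);
}

/* The pattern the entries introduce: explicit comparisons, which cannot
   overflow for any pair of keys.  */
static int
cmp_by_comparison (demo_key_t a, demo_key_t b)
{
  if (a < b)
    return -1;
  if (a > b)
    return 1;
  return 0;
}

static int
sign_of (int v)
{
  return (v > 0) - (v < 0);
}

/* Constructed keys at the edges of the range, where subtraction wraps.  */
static std::vector<demo_key_t>
extreme_keys ()
{
  return { INT_MIN, INT_MIN + 1, -1, 0, 1, INT_MAX - 1, INT_MAX };
}

/* qsort needs a comparator that is anti-symmetric (cmp (a, b) and
   cmp (b, a) have opposite signs) and agrees with the natural order.
   Return true if CMP satisfies both over every pair drawn from KEYS.  */
static bool
consistent_order_p (int (*cmp) (demo_key_t, demo_key_t),
		    const std::vector<demo_key_t> &keys)
{
  for (demo_key_t a : keys)
    for (demo_key_t b : keys)
      {
	int expected = (a > b) - (a < b);
	if (sign_of (cmp (a, b)) != expected)
	  return false;
	if (sign_of (cmp (a, b)) != -sign_of (cmp (b, a)))
	  return false;
      }
  return true;
}

/* qsort-style wrapper around the fixed comparator.  */
static int
qsort_cb_cmp (const void *pa, const void *pb)
{
  return cmp_by_comparison (*(const demo_key_t *) pa,
			    *(const demo_key_t *) pb);
}

/* Sort a constructed sample containing both extremes with qsort.  */
static std::vector<demo_key_t>
sort_extremes ()
{
  std::vector<demo_key_t> v = { INT_MAX, 0, INT_MIN, 1, -1 };
  qsort (v.data (), v.size (), sizeof (demo_key_t), qsort_cb_cmp);
  return v;
}

int
main ()
{
  printf ("subtraction: cmp (INT_MIN, 1) = %d, consistent = %d\n",
	  cmp_by_subtraction (INT_MIN, 1),
	  consistent_order_p (cmp_by_subtraction, extreme_keys ()));
  printf ("comparison:  cmp (INT_MIN, 1) = %d, consistent = %d\n",
	  cmp_by_comparison (INT_MIN, 1),
	  consistent_order_p (cmp_by_comparison, extreme_keys ()));
  for (demo_key_t k : sort_extremes ())
    printf ("%d ", k);
  printf ("\n");
  return 0;
}
```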

2020-01-17 David Malcolm <dmalcolm@redhat.com>

	PR analyzer/93290
	* region-model.cc (region_model::eval_condition_without_cm): Avoid
	gcc_unreachable for unexpected operations for the case where
	we're comparing an svalue against itself.

2020-01-17 David Malcolm <dmalcolm@redhat.com>

	PR analyzer/93281
	* region-model.cc
	(region_model::convert_byte_offset_to_array_index): Convert to
	ssizetype before dividing by byte_size. Use fold_binary rather
	than fold_build2 to avoid needlessly constructing a tree for the
	non-const case.

2020-01-15 David Malcolm <dmalcolm@redhat.com>

	* engine.cc (class impl_region_model_context): Fix comment.

2020-01-14 David Malcolm <dmalcolm@redhat.com>

	PR analyzer/93212
	* region-model.cc (make_region_for_type): Use
	FUNC_OR_METHOD_TYPE_P rather than comparing against FUNCTION_TYPE.
	* region-model.h (function_region::function_region): Likewise.

2020-01-14 David Malcolm <dmalcolm@redhat.com>

	* program-state.cc (sm_state_map::clone_with_remapping): Copy
	m_global_state.
	(selftest::test_program_state_merging_2): New selftest.
	(selftest::analyzer_program_state_cc_tests): Call it.

2020-01-14 David Malcolm <dmalcolm@redhat.com>

	* checker-path.h (checker_path::get_checker_event): New function.
	(checker_path): Add DISABLE_COPY_AND_ASSIGN; make fields private.
	* diagnostic-manager.cc
	(diagnostic_manager::prune_for_sm_diagnostic): Replace direct
	access to checker_path::m_events with accessor functions. Fix
	overlong line.
	(diagnostic_manager::prune_interproc_events): Replace direct
	access to checker_path::m_events with accessor functions.
	(diagnostic_manager::finish_pruning): Likewise.

2020-01-14 David Malcolm <dmalcolm@redhat.com>

	* checker-path.h (checker_event::clone): Delete vfunc decl.
	(debug_event::clone): Delete vfunc impl.
	(custom_event::clone): Delete vfunc impl.
	(statement_event::clone): Delete vfunc impl.
	(function_entry_event::clone): Delete vfunc impl.
	(state_change_event::clone): Delete vfunc impl.
	(start_cfg_edge_event::clone): Delete vfunc impl.
	(end_cfg_edge_event::clone): Delete vfunc impl.
	(call_event::clone): Delete vfunc impl.
	(return_event::clone): Delete vfunc impl.
	(setjmp_event::clone): Delete vfunc impl.
	(rewind_from_longjmp_event::clone): Delete vfunc impl.
	(rewind_to_setjmp_event::clone): Delete vfunc impl.
	(warning_event::clone): Delete vfunc impl.

2020-01-14 David Malcolm <dmalcolm@redhat.com>

	* supergraph.cc (supernode::dump_dot): Ensure that the TABLE
	element has at least one TR.

2020-01-14 David Malcolm <dmalcolm@redhat.com>

	PR analyzer/58237
	* engine.cc (leak_stmt_finder::find_stmt): Use get_pure_location
	when comparing against UNKNOWN_LOCATION.
	(stmt_requires_new_enode_p): Likewise.
	(exploded_graph::dump_exploded_nodes): Likewise.
	* supergraph.cc (supernode::get_start_location): Likewise.
	(supernode::get_end_location): Likewise.

2020-01-14 David Malcolm <dmalcolm@redhat.com>

	PR analyzer/58237
	* analyzer-selftests.cc (selftest::run_analyzer_selftests): Call
	selftest::analyzer_sm_file_cc_tests.
	* analyzer-selftests.h (selftest::analyzer_sm_file_cc_tests): New
	decl.
	* sm-file.cc: Include "analyzer/function-set.h" and
	"analyzer/analyzer-selftests.h".
	(get_file_using_fns): New function.
	(is_file_using_fn_p): New function.
	(fileptr_state_machine::on_stmt): Return true for known functions.
	(selftest::analyzer_sm_file_cc_tests): New function.

2020-01-14 David Malcolm <dmalcolm@redhat.com>

	* analyzer-selftests.cc (selftest::run_analyzer_selftests): Call
	selftest::analyzer_sm_signal_cc_tests.
	* analyzer-selftests.h (selftest::analyzer_sm_signal_cc_tests):
	New decl.
	* sm-signal.cc: Include "analyzer/function-set.h" and
	"analyzer/analyzer-selftests.h".
	(get_async_signal_unsafe_fns): New function.
	(signal_unsafe_p): Reimplement in terms of the above.
	(selftest::analyzer_sm_signal_cc_tests): New function.

2020-01-14 David Malcolm <dmalcolm@redhat.com>

	* analyzer-selftests.cc (selftest::run_analyzer_selftests): Call
	selftest::analyzer_function_set_cc_tests.
	* analyzer-selftests.h (selftest::analyzer_function_set_cc_tests):
	New decl.
	* function-set.cc: New file.
	* function-set.h: New file.

2020-01-14 David Malcolm <dmalcolm@redhat.com>

	* analyzer.h (fndecl_has_gimple_body_p): New decl.
	* engine.cc (impl_region_model_context::on_unknown_change): New
	function.
	(fndecl_has_gimple_body_p): Make non-static.
	(exploded_node::on_stmt): Treat __analyzer_dump_exploded_nodes as
	known. Track whether we have a call with unknown side-effects and
	pass it to on_call_post.
	* exploded-graph.h (impl_region_model_context::on_unknown_change):
	New decl.
	* program-state.cc (sm_state_map::on_unknown_change): New function.
	* program-state.h (sm_state_map::on_unknown_change): New decl.
	* region-model.cc: Include "bitmap.h".
	(region_model::on_call_pre): Return a bool, capturing whether the
	call has unknown side effects.
	(region_model::on_call_post): Add arg "bool unknown_side_effects"
	and if true, call handle_unrecognized_call.
	(class reachable_regions): New class.
	(region_model::handle_unrecognized_call): New function.
	* region-model.h (region_model::on_call_pre): Return a bool.
	(region_model::on_call_post): Add arg "bool unknown_side_effects".
	(region_model::handle_unrecognized_call): New decl.
	(region_model_context::on_unknown_change): New vfunc.
	(test_region_model_context::on_unknown_change): New function.

2020-01-14 David Malcolm <dmalcolm@redhat.com>

	* diagnostic-manager.cc (saved_diagnostic::operator==): Move here
	from header. Replace pointer equality test on m_var with call to
	pending_diagnostic::same_tree_p.
	* diagnostic-manager.h (saved_diagnostic::operator==): Move to
	diagnostic-manager.cc.
	* pending-diagnostic.cc (pending_diagnostic::same_tree_p): New.
	* pending-diagnostic.h (pending_diagnostic::same_tree_p): New.
	* sm-file.cc (file_diagnostic::subclass_equal_p): Replace pointer
	equality on m_arg with call to pending_diagnostic::same_tree_p.
	* sm-malloc.cc (malloc_diagnostic::subclass_equal_p): Likewise.
	(possible_null_arg::subclass_equal_p): Likewise.
	(null_arg::subclass_equal_p): Likewise.
	(free_of_non_heap::subclass_equal_p): Likewise.
	* sm-pattern-test.cc (pattern_match::operator==): Likewise.
	* sm-sensitive.cc (exposure_through_output_file::operator==):
	Likewise.
	* sm-taint.cc (tainted_array_index::operator==): Likewise.

2020-01-14 David Malcolm <dmalcolm@redhat.com>

	* diagnostic-manager.cc (dedupe_winners::add): Add logging
	of deduplication decisions made.

2020-01-14 David Malcolm <dmalcolm@redhat.com>

	* ChangeLog: New file.
	* analyzer-selftests.cc: New file.
	* analyzer-selftests.h: New file.
	* analyzer.opt: New file.
	* analysis-plan.cc: New file.
	* analysis-plan.h: New file.
	* analyzer-logging.cc: New file.
	* analyzer-logging.h: New file.
	* analyzer-pass.cc: New file.
	* analyzer.cc: New file.
	* analyzer.h: New file.
	* call-string.cc: New file.
	* call-string.h: New file.
	* checker-path.cc: New file.
	* checker-path.h: New file.
	* constraint-manager.cc: New file.
	* constraint-manager.h: New file.
	* diagnostic-manager.cc: New file.
	* diagnostic-manager.h: New file.
	* engine.cc: New file.
	* engine.h: New file.
	* exploded-graph.h: New file.
	* pending-diagnostic.cc: New file.
	* pending-diagnostic.h: New file.
	* program-point.cc: New file.
	* program-point.h: New file.
	* program-state.cc: New file.
	* program-state.h: New file.
	* region-model.cc: New file.
	* region-model.h: New file.
	* sm-file.cc: New file.
	* sm-malloc.cc: New file.
	* sm-malloc.dot: New file.
	* sm-pattern-test.cc: New file.
	* sm-sensitive.cc: New file.
	* sm-signal.cc: New file.
	* sm-taint.cc: New file.
	* sm.cc: New file.
	* sm.h: New file.
	* state-purge.cc: New file.
	* state-purge.h: New file.
	* supergraph.cc: New file.
	* supergraph.h: New file.

2019-12-13 David Malcolm <dmalcolm@redhat.com>

	* Initial creation


Copyright (C) 2019-2023 Free Software Foundation, Inc.

Copying and distribution of this file, with or without modification,
are permitted in any medium without royalty provided the copyright
notice and this notice are preserved.