git.ipfire.org Git - thirdparty/gcc.git/blame - gcc/analyzer/ChangeLog
Daily bump.
2022-07-28 David Malcolm <dmalcolm@redhat.com>

	PR analyzer/105893
	* analyzer.opt (Wanalyzer-putenv-of-auto-var): New.
	* region-model-impl-calls.cc (class putenv_of_auto_var): New.
	(region_model::impl_call_putenv): New.
	* region-model.cc (region_model::on_call_pre): Handle putenv.
	* region-model.h (region_model::impl_call_putenv): New decl.

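The entry above adds -Wanalyzer-putenv-of-auto-var. As an added illustration that is not part of this ChangeLog or of GCC's own code, the C below shows the defect that warning targets (putenv(3) keeps the caller's pointer rather than copying the string, so a pointer into an automatic array is left dangling in the environment once the function returns) beside two lifetime-safe alternatives. The function names and the EXAMPLE_* variable names are this example's own assumptions.

```c
/* Added example, not from the GCC ChangeLog or GCC sources: the defect
   behind -Wanalyzer-putenv-of-auto-var (PR analyzer/105893).  putenv(3)
   does not copy its argument; it stores the pointer itself in environ,
   so the "NAME=value" string must outlive the call.  Names below are
   illustrative assumptions.  */
#ifndef _DEFAULT_SOURCE
#define _DEFAULT_SOURCE 1   /* glibc: declare putenv/setenv */
#endif
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Buggy pattern: buf is an automatic array that dies when the function
   returns, leaving environ with a dangling pointer.  This is the shape
   of call the new warning is meant to report under -fanalyzer.  It is
   kept only as the "before" case and is never called below.  */
void set_var_unsafe(const char *name, const char *value)
{
    char buf[256];
    snprintf(buf, sizeof buf, "%s=%s", name, value);
    putenv(buf);            /* stores &buf[0], not a copy */
}

/* Safe pattern A: setenv(3) copies name and value into storage the
   C library manages.  Returns 0 on success, -1 on failure.  */
int set_var_setenv(const char *name, const char *value)
{
    return setenv(name, value, /*overwrite=*/1);
}

/* Safe pattern B: if putenv must be used, give it heap storage that is
   deliberately never freed while the variable is live (environ owns
   it).  Returns 0 on success, -1 on allocation or putenv failure.  */
int set_var_putenv(const char *name, const char *value)
{
    size_t n = strlen(name) + 1 + strlen(value) + 1;
    char *s = malloc(n);
    if (!s)
        return -1;
    snprintf(s, n, "%s=%s", name, value);
    if (putenv(s) != 0) {
        free(s);            /* still ours: putenv did not take it */
        return -1;
    }
    return 0;
}

/* Read back a variable, or NULL if unset.  */
const char *get_var(const char *name)
{
    return getenv(name);
}

int main(void)
{
    set_var_setenv("EXAMPLE_A", "one");
    set_var_putenv("EXAMPLE_B", "two");
    printf("%s %s\n", get_var("EXAMPLE_A"), get_var("EXAMPLE_B"));
    return 0;
}
```

Of the two safe forms, setenv is the one to reach for in new code; the heap-backed putenv form exists for code that depends on putenv's exact semantics (for example, aliasing the string so later edits show through), and its memory is intentionally leaked because environ references it.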
2022-07-28 David Malcolm <dmalcolm@redhat.com>

	* sm-malloc.cc (free_of_non_heap::emit): Add comment about CWE.
	* sm-taint.cc (tainted_size::emit): Likewise.

2022-07-28 David Malcolm <dmalcolm@redhat.com>

	* region.h: Add notes to the comment describing the region
	class hierarchy.

2022-07-27 Immad Mir <mirimmad@outlook.com>

	PR analyzer/106286
	* sm-fd.cc (fd_diagnostic::get_meaning_for_state_change): New.

2022-07-26 David Malcolm <dmalcolm@redhat.com>

	PR analyzer/106319
	* store.cc (store::set_value): Don't strip away casts if the
	region has NULL type.

2022-07-26 David Malcolm <dmalcolm@redhat.com>

	* region.h (code_region::get_element): Remove stray decl.
	(function_region::get_element): Likewise.

2022-07-25 Martin Liska <mliska@suse.cz>

	* sm-fd.cc: Run dos2unix and fix coding style issues.

2022-07-23 Immad Mir <mirimmad@outlook.com>

	* sm-fd.cc (fd_param_diagnostic): New diagnostic class.
	(fd_access_mode_mismatch): Change inheritance from fd_diagnostic
	to fd_param_diagnostic. Add new overloaded constructor.
	(fd_use_after_close): Likewise.
	(unchecked_use_of_fd): Likewise and also change name to fd_use_without_check.
	(double_close): Change name to fd_double_close.
	(enum access_directions): New.
	(fd_state_machine::on_stmt): Handle calls to functions with the
	three new function attributes.
	(fd_state_machine::check_for_fd_attrs): New.
	(fd_state_machine::on_open): Use the new overloaded constructors
	of diagnostic classes.

2022-07-22 David Malcolm <dmalcolm@redhat.com>

	PR analyzer/106413
	* varargs.cc (region_model::impl_call_va_start): Avoid iterating
	through non-existent variadic arguments by initializing the
	impl_region to "UNKNOWN" if the va_start occurs in the top-level
	function to the analysis.

2022-07-22 David Malcolm <dmalcolm@redhat.com>

	PR analyzer/106401
	* store.cc (binding_cluster::binding_cluster): Remove overzealous
	assertion; we're checking for tracked_p in
	store::get_or_create_cluster.

2022-07-22 Tim Lange <mail@tim-lange.me>

	PR analyzer/106394
	* region-model.cc (capacity_compatible_with_type): Always return true
	if alloc_size is zero.

2022-07-21 David Malcolm <dmalcolm@redhat.com>

	PR analyzer/106383
	* varargs.cc (region_model::impl_call_va_arg): When determining if
	we're doing interprocedural analysis, use the stack depth of the
	frame in which va_start was called, rather than the current stack
	depth.

2022-07-21 David Malcolm <dmalcolm@redhat.com>

	* sm-taint.cc (tainted_array_index::emit): Bulletproof against
	NULL m_arg.
	(tainted_array_index::describe_final_event): Likewise.
	(tainted_size::emit): Likewise.
	(tainted_size::describe_final_event): Likewise.

2022-07-21 David Malcolm <dmalcolm@redhat.com>

	PR analyzer/106374
	* region.cc (decl_region::get_svalue_for_initializer): Bail out on
	untracked regions.

2022-07-20 David Malcolm <dmalcolm@redhat.com>

	PR analyzer/106373
	* sm-taint.cc (taint_state_machine::on_condition): Potentially
	update the state of the RHS as well as the LHS.

2022-07-20 David Malcolm <dmalcolm@redhat.com>

	PR analyzer/106359
	* region.h (string_region::tracked_p): New.
	* store.cc (binding_cluster::binding_cluster): Move here from
	store.h. Add assertion that base_region is tracked_p.
	* store.h (binding_cluster::binding_cluster): Move to store.cc.

2022-07-19 David Malcolm <dmalcolm@redhat.com>

	PR analyzer/106321
	* constraint-manager.h (bounded_ranges::get_count): New.
	(bounded_ranges::get_range): New.
	* engine.cc (impl_region_model_context::on_bounded_ranges): New.
	* exploded-graph.h (impl_region_model_context::on_bounded_ranges):
	New decl.
	* region-model.cc (region_model::apply_constraints_for_gswitch):
	Potentially call ctxt->on_bounded_ranges.
	* region-model.h (region_model_context::on_bounded_ranges): New
	vfunc.
	(noop_region_model_context::on_bounded_ranges): New.
	(region_model_context_decorator::on_bounded_ranges): New.
	* sm-taint.cc: Include "analyzer/constraint-manager.h".
	(taint_state_machine::on_bounded_ranges): New.
	* sm.h (state_machine::on_bounded_ranges): New.

2022-07-19 David Malcolm <dmalcolm@redhat.com>

	* engine.cc (exploded_graph::process_node): Show any description
	of the out-edge when logging it for consideration.

2022-07-15 David Malcolm <dmalcolm@redhat.com>

	PR analyzer/106284
	* sm-taint.cc (taint_state_machine::on_condition): Handle range
	checks optimized by build_range_check.

2022-07-15 Jonathan Wakely <jwakely@redhat.com>

	* call-info.cc (call_info::print): Adjust to new label_text API.
	* checker-path.cc (checker_event::dump): Likewise.
	(region_creation_event::get_desc): Likewise.
	(state_change_event::get_desc): Likewise.
	(superedge_event::should_filter_p): Likewise.
	(start_cfg_edge_event::get_desc): Likewise.
	(call_event::get_desc): Likewise.
	(return_event::get_desc): Likewise.
	(warning_event::get_desc): Likewise.
	(checker_path::dump): Likewise.
	(checker_path::debug): Likewise.
	* diagnostic-manager.cc (diagnostic_manager::prune_for_sm_diagnostic):
	Likewise.
	(diagnostic_manager::prune_interproc_events): Likewise.
	* engine.cc (feasibility_state::maybe_update_for_edge):
	Likewise.
	* program-state.cc (sm_state_map::to_json): Likewise.
	* region-model-impl-calls.cc (region_model::impl_call_analyzer_describe): Likewise.
	(region_model::impl_call_analyzer_dump_capacity): Likewise.
	* region.cc (region::to_json): Likewise.
	* sm-malloc.cc (inform_nonnull_attribute): Likewise.
	* store.cc (binding_map::to_json): Likewise.
	(store::to_json): Likewise.
	* supergraph.cc (superedge::dump): Likewise.
	* svalue.cc (svalue::to_json): Likewise.

2022-07-07 David Malcolm <dmalcolm@redhat.com>

	* checker-path.cc (start_cfg_edge_event::get_desc): Update for
	superedge::get_description returning a label_text.
	* engine.cc (feasibility_state::maybe_update_for_edge): Likewise.
	* supergraph.cc (superedge::dump): Likewise.
	(superedge::get_description): Convert return type from char * to
	label_text.
	* supergraph.h (superedge::get_description): Likewise.

2022-07-07 David Malcolm <dmalcolm@redhat.com>

	* call-info.cc (call_info::print): Update for removal of
	label_text::maybe_free in favor of automatic memory management.
	* checker-path.cc (checker_event::dump): Likewise.
	(checker_event::prepare_for_emission): Likewise.
	(state_change_event::get_desc): Likewise.
	(superedge_event::should_filter_p): Likewise.
	(start_cfg_edge_event::get_desc): Likewise.
	(warning_event::get_desc): Likewise.
	(checker_path::dump): Likewise.
	(checker_path::debug): Likewise.
	* diagnostic-manager.cc
	(diagnostic_manager::prune_for_sm_diagnostic): Likewise.
	(diagnostic_manager::prune_interproc_events): Likewise.
	* program-state.cc (sm_state_map::to_json): Likewise.
	* region.cc (region::to_json): Likewise.
	* sm-malloc.cc (inform_nonnull_attribute): Likewise.
	* store.cc (binding_map::to_json): Likewise.
	(store::to_json): Likewise.
	* svalue.cc (svalue::to_json): Likewise.

2022-07-07 David Malcolm <dmalcolm@redhat.com>

	PR analyzer/106225
	* sm-taint.cc (taint_state_machine::on_stmt): Move handling of
	assignments from division to...
	(taint_state_machine::check_for_tainted_divisor): ...this new
	function. Reject warning when the divisor is known to be non-zero.
	* sm.cc: Include "analyzer/program-state.h".
	(sm_context::get_old_region_model): New.
	* sm.h (sm_context::get_old_region_model): New decl.

2022-07-06 Immad Mir <mirimmad@outlook.com>

	PR analyzer/106184
	* sm-fd.cc (fd_state_machine): Change ordering of initialization
	of state m_invalid so that the order of initializers is same as
	the ordering of the fields in the class decl.

2022-07-06 Immad Mir <mirimmad@outlook.com>

	* sm-fd.cc (use_after_close): Save the "close" event and
	show it where possible.

2022-07-06 David Malcolm <dmalcolm@redhat.com>

	PR analyzer/106204
	* region-model.cc (within_short_circuited_stmt_p): Move extraction
	of assign_stmt to caller.
	(due_to_ifn_deferred_init_p): New.
	(region_model::check_for_poison): Move extraction of assign_stmt
	from within_short_circuited_stmt_p to here. Share logic with
	call to due_to_ifn_deferred_init_p.

2022-07-02 Tim Lange <mail@tim-lange.me>

	PR analyzer/105900
	* analyzer.opt: Added Wanalyzer-allocation-size.
	* checker-path.cc (region_creation_event::get_desc): Added call to new
	virtual function pending_diagnostic::describe_region_creation_event.
	* checker-path.h: Added region_creation_event::get_desc.
	* diagnostic-manager.cc (diagnostic_manager::add_event_on_final_node):
	New function.
	* diagnostic-manager.h:
	Added diagnostic_manager::add_event_on_final_node.
	* pending-diagnostic.h (struct region_creation): New event_desc struct.
	(pending_diagnostic::describe_region_creation_event): Added virtual
	function to overwrite description of a region creation.
	* region-model.cc (class dubious_allocation_size): New class.
	(capacity_compatible_with_type): New helper function.
	(class size_visitor): New class.
	(struct_or_union_with_inheritance_p): New helper function.
	(is_any_cast_p): New helper function.
	(region_model::check_region_size): New function.
	(region_model::set_value): Added call to
	region_model::check_region_size.
	* region-model.h (class region_model): New function check_region_size.
	* svalue.cc (region_svalue::accept): Changed to post-order traversal.
	(initial_svalue::accept): Likewise.
	(unaryop_svalue::accept): Likewise.
	(binop_svalue::accept): Likewise.
	(sub_svalue::accept): Likewise.
	(repeated_svalue::accept): Likewise.
	(bits_within_svalue::accept): Likewise.
	(widening_svalue::accept): Likewise.
	(unmergeable_svalue::accept): Likewise.
	(compound_svalue::accept): Likewise.
	(conjured_svalue::accept): Likewise.
	(asm_output_svalue::accept): Likewise.
	(const_fn_result_svalue::accept): Likewise.

2022-07-02 Immad Mir <mirimmad17@gmail.com>

	PR analyzer/106003
	* analyzer.opt (Wanalyzer-fd-leak): New option.
	(Wanalyzer-fd-access-mode-mismatch): New option.
	(Wanalyzer-fd-use-without-check): New option.
	(Wanalyzer-fd-double-close): New option.
	(Wanalyzer-fd-use-after-close): New option.
	* sm.h (make_fd_state_machine): New decl.
	* sm.cc (make_checkers): Call make_fd_state_machine.
	* sm-fd.cc: New file.

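The entry above introduces the sm-fd.cc state machine and the five -Wanalyzer-fd-* warnings. As an added example that is not part of this ChangeLog or of GCC's own code, the C below shows the misuse patterns those warnings are named for (use of a descriptor without checking open(), double close, use after close, and writing to a descriptor opened read-only) beside a corrected routine that checks, uses the descriptor in its opened mode, and closes exactly once. The function names are this example's own, and it opens /dev/null so that it runs without creating files.

```c
/* Added example, not from the GCC ChangeLog or GCC sources: descriptor
   misuse patterns of the kind the new sm-fd.cc state machine tracks,
   plus a corrected routine.  Function names are illustrative
   assumptions; /dev/null is used so nothing is created on disk.  */
#include <errno.h>
#include <fcntl.h>
#include <unistd.h>

/* Buggy "before" pattern, kept only for illustration and never called
   by the checks below: the descriptor is used without testing open()
   for -1 (fd-use-without-check), closed twice (fd-double-close), and
   read again after the close (fd-use-after-close).  */
int fd_misuse(const char *path)
{
    char c;
    int fd = open(path, O_RDONLY);
    ssize_t n = read(fd, &c, 1);    /* fd may be -1 here */
    (void)n;
    close(fd);
    close(fd);                      /* second close of the same fd */
    return (int)read(fd, &c, 1);    /* use after close */
}

/* Access-mode mismatch (fd-access-mode-mismatch) observed at runtime:
   write() on a descriptor opened O_RDONLY fails with EBADF.  Returns
   the errno of the failed write, or 0 if the write unexpectedly
   succeeded; returns errno from open() if the open itself failed.  */
int write_to_readonly(const char *path)
{
    int fd = open(path, O_RDONLY);
    if (fd < 0)
        return errno;
    int rc = (int)write(fd, "x", 1);
    int err = rc < 0 ? errno : 0;
    close(fd);
    return err;
}

/* Corrected pattern: check open(), use the descriptor only in the mode
   it was opened with, close exactly once on every path (no leak).
   Returns the byte count from read() (0 at EOF, which /dev/null gives)
   or -1 on any error.  */
int read_one_byte(const char *path, char *out)
{
    int fd = open(path, O_RDONLY);
    if (fd < 0)
        return -1;
    ssize_t n = read(fd, out, 1);
    if (close(fd) < 0)
        return -1;
    return n < 0 ? -1 : (int)n;
}

/* Convenience wrapper returning only the count, for callers that do
   not need the byte.  */
int read_one_byte_count(const char *path)
{
    char c = 0;
    return read_one_byte(path, &c);
}

int main(void)
{
    /* EBADF from the read-only descriptor, 0 bytes from /dev/null.  */
    return (write_to_readonly("/dev/null") == EBADF
            && read_one_byte_count("/dev/null") == 0) ? 0 : 1;
}
```

The double close in fd_misuse is the security-relevant one of the four: in a multi-threaded process the descriptor number can be reused between the two close() calls, so the second close silently shuts a file or socket belonging to another thread.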
2022-06-24 David Malcolm <dmalcolm@redhat.com>

	* call-string.cc: Add includes of "analyzer/analyzer.h"
	and "analyzer/analyzer-logging.h".
	(call_string::call_string): Delete copy ctor.
	(call_string::operator=): Delete.
	(call_string::operator==): Delete.
	(call_string::hash): Delete.
	(call_string::push_call): Make const, returning the resulting
	call_string.
	(call_string::pop): Delete.
	(call_string::cmp_ptr_ptr): New.
	(call_string::validate): Assert that m_parent is non-NULL, or
	m_elements is empty.
	(call_string::call_string): Move default ctor here from
	call-string.h and reimplement. Add ctor taking a parent
	and an element.
	(call_string::~call_string): New.
	(call_string::recursive_log): New.
	* call-string.h (call_string::call_string): Move default ctor's
	defn to call-string.cc. Delete copy ctor. Add ctor taking a
	parent and an element.
	(call_string::operator=): Delete.
	(call_string::operator==): Delete.
	(call_string::hash): Delete.
	(call_string::push_call): Make const, returning the resulting
	call_string.
	(call_string::pop): Delete decl.
	(call_string::get_parent): New.
	(call_string::cmp_ptr_ptr): New decl.
	(call_string::get_top_of_stack): New.
	(struct call_string::hashmap_traits_t): New.
	(class call_string): Add friend class region_model_manager. Add
	DISABLE_COPY_AND_ASSIGN.
	(call_string::~call_string): New decl.
	(call_string::recursive_log): New decl.
	(call_string::m_parent): New field.
	(call_string::m_children): New field.
	* constraint-manager.cc (selftest::test_many_constants): Pass
	model manager to program_point::origin.
	* engine.cc (exploded_graph::exploded_graph): Likewise.
	(exploded_graph::add_function_entry): Likewise for
	program_point::from_function_entry.
	(add_tainted_args_callback): Likewise.
	(exploded_graph::maybe_process_run_of_before_supernode_enodes):
	Update for change to program_point.get_call_string.
	(exploded_graph::process_node): Likewise.
	(class function_call_string_cluster): Convert m_cs from a
	call_string to a const call_string &.
	(struct function_call_string): Likewise.
	(pod_hash_traits<function_call_string>::hash): Use pointer_hash
	for m_cs.
	(pod_hash_traits<function_call_string>::equal): Update for change
	to m_cs.
	(root_cluster::add_node): Update for change to
	function_call_string.
	(viz_callgraph_node::dump_dot): Update for change to call_string.
	* exploded-graph.h (per_call_string_data::m_key): Convert to a
	reference.
	(struct eg_call_string_hash_map_traits): Delete.
	(exploded_graph::call_string_data_map_t): Remove traits class.
	* program-point.cc: Move include of "analyzer/call-string.h" to
	after "analyzer/analyzer-logging.h".
	(program_point::print): Update for conversion of m_call_string to
	a pointer.
	(program_point::to_json): Likewise.
	(program_point::push_to_call_stack): Update for immutability of
	call strings.
	(program_point::pop_from_call_stack): Likewise.
	(program_point::hash): Use pointer hashing for m_call_string.
	(program_point::get_function_at_depth): Update for change to
	m_call_string.
	(program_point::validate): Update for changes to call_string.
	(program_point::on_edge): Likewise.
	(program_point::origin): Move here from call-string.h. Add
	region_model_manager param and use it to get empty call string.
	(program_point::from_function_entry): Likewise.
	(selftest::test_function_point_ordering): Likewise.
	(selftest::test_function_point_ordering): Likewise.
	* program-point.h (program_point::program_point): Update for
	change to m_call_string.
	(program_point::get_call_string): Likewise.
	(program_point::get_stack_depth): Likewise.
	(program_point::origin): Add region_model_manager param, and move
	defn to call-string.cc.
	(program_point::from_function_entry): Likewise.
	(program_point::empty): Drop call_string.
	(program_point::deleted): Likewise.
	(program_point::program_point): New private ctor.
	(program_point::m_call_string): Convert from call_string to const
	call_string *.
	* program-state.cc (selftest::test_program_state_merging): Update
	for call_string changes.
	(selftest::test_program_state_merging_2): Likewise.
	* region-model-manager.cc
	(region_model_manager::region_model_manager): Construct
	m_empty_call_string.
	(region_model_manager::log_stats): Log the call strings.
	* region-model.cc (assert_region_models_merge): Pass the
	region_model_manager when creating program_point instances.
	(selftest::test_state_merging): Likewise.
	(selftest::test_constraint_merging): Likewise.
	(selftest::test_widening_constraints): Likewise.
	(selftest::test_iteration_1): Likewise.
	* region-model.h (region_model_manager::get_empty_call_string):
	New.
	(region_model_manager::m_empty_call_string): New.
	* sm-signal.cc (register_signal_handler::impl_transition): Update
	for changes to call_string.

2022-06-24 David Malcolm <dmalcolm@redhat.com>

	* call-string.cc (call_string::calc_recursion_depth): Whitespace
	cleanups.
	(call_string::cmp): Likewise.
	(call_string::get_caller_node): Likewise.
	(call_string::validate): Likewise.
	* engine.cc (dynamic_call_info_t::add_events_to_path): Likewise.
	(exploded_graph::get_per_function_data): Likewise.
	(exploded_graph::maybe_create_dynamic_call): Likewise.
	(exploded_graph::maybe_create_dynamic_call): Likewise.
	(exploded_graph::process_node): Likewise.

2022-06-16 David Malcolm <dmalcolm@redhat.com>

	* varargs.cc (va_arg_type_mismatch::emit): Associate the warning
	with CWE-686 ("Function Call With Incorrect Argument Type").

2022-06-16 David Malcolm <dmalcolm@redhat.com>

	* varargs.cc: Include "diagnostic-metadata.h".
	(va_list_exhausted::emit): Associate the warning with
	CWE-685 ("Function Call With Incorrect Number of Arguments").

2022-06-16 David Malcolm <dmalcolm@redhat.com>

	* sm-file.cc (double_fclose::emit): Associate the warning with
	CWE-1341 ("Multiple Releases of Same Resource or Handle").

2022-06-15 David Malcolm <dmalcolm@redhat.com>

	PR analyzer/105962
	* analyzer.opt (fanalyzer-undo-inlining): New option.
	* checker-path.cc: Include "diagnostic-core.h" and
	"inlining-iterator.h".
	(event_kind_to_string): Handle EK_INLINED_CALL.
	(class inlining_info): New class.
	(checker_event::checker_event): Move here from checker-path.h.
	Store original fndecl and depth, and calculate effective fndecl
	and depth based on inlining information.
	(checker_event::dump): Emit original depth as well as effective
	depth when they differ; likewise for fndecl.
	(region_creation_event::get_desc): Use m_effective_fndecl.
	(inlined_call_event::get_desc): New.
	(inlined_call_event::get_meaning): New.
	(checker_path::inject_any_inlined_call_events): New.
	* checker-path.h (enum event_kind): Add EK_INLINED_CALL.
	(checker_event::checker_event): Make protected, and move
	definition to checker-path.cc.
	(checker_event::get_fndecl): Use effective fndecl.
	(checker_event::get_stack_depth): Use effective stack depth.
	(checker_event::get_logical_location): Use effective stack depth.
	(checker_event::get_original_stack_depth): New.
	(checker_event::m_fndecl): Rename to...
	(checker_event::m_original_fndecl): ...this.
	(checker_event::m_depth): Rename to...
	(checker_event::m_original_depth): ...this.
	(checker_event::m_effective_fndecl): New field.
	(checker_event::m_effective_depth): New field.
	(class inlined_call_event): New checker_event subclass.
	(checker_path::inject_any_inlined_call_events): New decl.
	* diagnostic-manager.cc: Include "inlining-iterator.h".
	(diagnostic_manager::emit_saved_diagnostic): Call
	checker_path::inject_any_inlined_call_events.
	(diagnostic_manager::prune_for_sm_diagnostic): Handle
	EK_INLINED_CALL.
	* engine.cc (tainted_args_function_custom_event::get_desc): Use
	effective fndecl.
	* inlining-iterator.h: New file.

2022-06-15 David Malcolm <dmalcolm@redhat.com>

	* diagnostic-manager.cc (saved_diagnostic::dump_dot_id): New.
	(saved_diagnostic::dump_as_dot_node): New.
	* diagnostic-manager.h (saved_diagnostic::dump_dot_id): New decl.
	(saved_diagnostic::dump_as_dot_node): New decl.
	* engine.cc (exploded_node::dump_dot): Add nodes for saved
	diagnostics.

2022-06-02 David Malcolm <dmalcolm@redhat.com>

	* checker-path.cc (checker_event::get_meaning): New.
	(function_entry_event::get_meaning): New.
	(state_change_event::get_desc): Add dump of meaning of the event
	to the -fanalyzer-verbose-state-changes output.
	(state_change_event::get_meaning): New.
	(cfg_edge_event::get_meaning): New.
	(call_event::get_meaning): New.
	(return_event::get_meaning): New.
	(start_consolidated_cfg_edges_event::get_meaning): New.
	(warning_event::get_meaning): New.
	* checker-path.h: Include "tree-logical-location.h".
	(checker_event::checker_event): Construct m_logical_loc.
	(checker_event::get_logical_location): New.
	(checker_event::get_meaning): New decl.
	(checker_event::m_logical_loc): New.
	(function_entry_event::get_meaning): New decl.
	(state_change_event::get_meaning): New decl.
	(cfg_edge_event::get_meaning): New decl.
	(call_event::get_meaning): New decl.
	(return_event::get_meaning): New decl.
	(start_consolidated_cfg_edges_event::get_meaning): New.
	(warning_event::get_meaning): New decl.
	* pending-diagnostic.h: Include "diagnostic-path.h".
	(pending_diagnostic::get_meaning_for_state_change): New vfunc.
	* sm-file.cc (file_diagnostic::get_meaning_for_state_change): New
	vfunc impl.
	* sm-malloc.cc (malloc_diagnostic::get_meaning_for_state_change):
	Likewise.
	* sm-sensitive.cc
	(exposure_through_output_file::get_meaning_for_state_change):
	Likewise.
	* sm-taint.cc (taint_diagnostic::get_meaning_for_state_change):
	Likewise.
	* varargs.cc
	(va_list_sm_diagnostic::get_meaning_for_state_change): Likewise.

2022-05-23 David Malcolm <dmalcolm@redhat.com>

	* call-info.cc: Add "final" and "override" to all vfunc
	implementations that were missing them, as appropriate.
	* engine.cc: Likewise.
	* region-model.cc: Likewise.
	* sm-malloc.cc: Likewise.
	* supergraph.h: Likewise.
	* svalue.cc: Likewise.
	* varargs.cc: Likewise.

2022-05-20 David Malcolm <dmalcolm@redhat.com>

	* analyzer-pass.cc: Replace uses of "FINAL" and "OVERRIDE" with
	"final" and "override".
	* call-info.h: Likewise.
	* checker-path.h: Likewise.
	* constraint-manager.cc: Likewise.
	* diagnostic-manager.cc: Likewise.
	* engine.cc: Likewise.
	* exploded-graph.h: Likewise.
	* feasible-graph.h: Likewise.
	* pending-diagnostic.h: Likewise.
	* region-model-impl-calls.cc: Likewise.
	* region-model.cc: Likewise.
	* region-model.h: Likewise.
	* region.h: Likewise.
	* sm-file.cc: Likewise.
	* sm-malloc.cc: Likewise.
	* sm-pattern-test.cc: Likewise.
	* sm-sensitive.cc: Likewise.
	* sm-signal.cc: Likewise.
	* sm-taint.cc: Likewise.
	* state-purge.h: Likewise.
	* store.cc: Likewise.
	* store.h: Likewise.
	* supergraph.h: Likewise.
	* svalue.h: Likewise.
	* trimmed-graph.h: Likewise.
	* varargs.cc: Likewise.

2022-05-16 David Malcolm <dmalcolm@redhat.com>

	PR analyzer/105103
	* analyzer.cc (make_label_text_n): New.
	* analyzer.h (class var_arg_region): New forward decl.
	(make_label_text_n): New decl.
	* analyzer.opt (Wanalyzer-va-arg-type-mismatch): New option.
	(Wanalyzer-va-list-exhausted): New option.
	(Wanalyzer-va-list-leak): New option.
	(Wanalyzer-va-list-use-after-va-end): New option.
	* checker-path.cc (call_event::get_desc): Split out decl access
	into...
	(call_event::get_caller_fndecl): ...this new function and...
	(call_event::get_callee_fndecl): ...this new function.
	* checker-path.h (call_event::get_desc): Drop "FINAL".
	(call_event::get_caller_fndecl): New decl.
	(call_event::get_callee_fndecl): New decl.
	(class call_event): Make fields protected.
	* diagnostic-manager.cc (null_assignment_sm_context::warn): New
	overload.
	(null_assignment_sm_context::get_new_program_state): New.
	(diagnostic_manager::add_events_for_superedge): Move case
	SUPEREDGE_CALL to a new pending_diagnostic::add_call_event vfunc.
	* engine.cc (impl_sm_context::warn): Implement new override.
	(impl_sm_context::get_new_program_state): New.
	* pending-diagnostic.cc: Include "analyzer/diagnostic-manager.h",
	"cpplib.h", "digraph.h", "ordered-hash-map.h", "cfg.h",
	"basic-block.h", "gimple.h", "gimple-iterator.h", "cgraph.h",
	"analyzer/supergraph.h", "analyzer/program-state.h",
	"alloc-pool.h", "fibonacci_heap.h", "shortest-paths.h",
	"sbitmap.h", "analyzer/exploded-graph.h", "diagnostic-path.h",
	and "analyzer/checker-path.h".
	(ht_ident_eq): New.
	(fixup_location_in_macro_p): New.
	(pending_diagnostic::fixup_location): New.
	(pending_diagnostic::add_call_event): New.
	* pending-diagnostic.h (pending_diagnostic::fixup_location): Drop
	no-op inline implementation in favor of the more complex
	implementation above.
	(pending_diagnostic::add_call_event): New vfunc.
	* region-model-impl-calls.cc: Include "analyzer/sm.h",
	"diagnostic-path.h", and "analyzer/pending-diagnostic.h".
	* region-model-manager.cc
	(region_model_manager::get_var_arg_region): New.
	(region_model_manager::log_stats): Log m_var_arg_regions.
	* region-model.cc (region_model::on_call_pre): Handle IFN_VA_ARG,
	BUILT_IN_VA_START, and BUILT_IN_VA_COPY.
	(region_model::on_call_post): Handle BUILT_IN_VA_END.
	(region_model::get_representative_path_var_1): Handle RK_VAR_ARG.
	(region_model::push_frame): Push variadic arguments.
	* region-model.h (region_model_manager::get_var_arg_region): New
	decl.
	(region_model_manager::m_var_arg_regions): New field.
	(region_model::impl_call_va_start): New decl.
	(region_model::impl_call_va_copy): New decl.
	(region_model::impl_call_va_arg): New decl.
	(region_model::impl_call_va_end): New decl.
	* region.cc (alloca_region::dump_to_pp): Dump the id.
	(var_arg_region::dump_to_pp): New.
	(var_arg_region::get_frame_region): New.
	* region.h (enum region_kind): Add RK_VAR_ARG.
	(region::dyn_cast_var_arg_region): New.
	(class var_arg_region): New.
	(is_a_helper <const var_arg_region *>::test): New.
	(struct default_hash_traits<var_arg_region::key_t>): New.
	* sm.cc (make_checkers): Call make_va_list_state_machine.
	* sm.h (sm_context::warn): New vfunc.
	(sm_context::get_old_svalue): Drop unused decl.
	(sm_context::get_new_program_state): New vfunc.
	(make_va_list_state_machine): New decl.
	* varargs.cc: New file.

2022-05-16 Martin Liska <mliska@suse.cz>

	* engine.cc (exploded_node::get_dot_fillcolor): Use ARRAY_SIZE.
	* function-set.cc (test_stdio_example): Likewise.
	* sm-file.cc (get_file_using_fns): Likewise.
	* sm-malloc.cc (malloc_state_machine::unaffected_by_call_p): Likewise.
	* sm-signal.cc (get_async_signal_unsafe_fns): Likewise.

2022-05-13 Richard Biener <rguenther@suse.de>

	* supergraph.cc: Re-order gimple-fold.h include.

2022-05-11 David Malcolm <dmalcolm@redhat.com>

	* checker-path.cc (state_change_event::get_desc): Call maybe_free
	on label_text temporaries.
	* diagnostic-manager.cc
	(diagnostic_manager::prune_for_sm_diagnostic): Likewise.
	* engine.cc (exploded_graph::~exploded_graph): Fix leak of
	m_per_point_data and m_per_call_string_data values. Simplify
	cleanup of m_per_function_stats and m_per_point_data values.
	(feasibility_state::maybe_update_for_edge): Fix leak of result of
	superedge::get_description.
	* region-model-manager.cc
	(region_model_manager::~region_model_manager): Move cleanup of
	m_setjmp_values to match the ordering of the fields within
	region_model_manager. Fix leak of values within
	m_repeated_values_map, m_bits_within_values_map,
	m_asm_output_values_map, and m_const_fn_result_values_map.

2022-04-28 David Malcolm <dmalcolm@redhat.com>

	PR analyzer/105285
	* store.cc (binding_cluster::get_any_binding): Handle accessing
	sub_svalues of clusters where the base region has a symbolic
	binding.

2022-04-28 David Malcolm <dmalcolm@redhat.com>

	* diagnostic-manager.cc (epath_finder::process_worklist_item):
	Call dump_feasible_path when a path that reaches the target
	enode is found.
	(epath_finder::dump_feasible_path): New.
	* engine.cc (feasibility_state::dump_to_pp): New.
	* exploded-graph.h (feasibility_state::dump_to_pp): New decl.
	* feasible-graph.cc (feasible_graph::dump_feasible_path): New.
	* feasible-graph.h (feasible_graph::dump_feasible_path): New
	decls.
	* program-point.cc (function_point::print): Fix missing trailing
	newlines.
	* program-point.h (program_point::print_source_line): Remove
	unimplemented decl.

2022-04-25 David Malcolm <dmalcolm@redhat.com>

	PR analyzer/105365
	PR analyzer/105366
	* svalue.cc
	(cmp_cst): Rename to...
	(cmp_csts_same_type): ...this. Convert all recursive calls to
	calls to...
	(cmp_csts_and_types): ...this new function.
	(svalue::cmp_ptr): Update for renaming of cmp_cst.

2022-04-14 David Malcolm <dmalcolm@redhat.com>

	PR analyzer/105264
	* region-model-reachability.cc (reachable_regions::handle_parm):
	Use maybe_get_deref_base_region rather than just region_svalue, to
	handle pointer arithmetic also.
	* svalue.cc (svalue::maybe_get_deref_base_region): New.
	* svalue.h (svalue::maybe_get_deref_base_region): New decl.

2022-04-14 David Malcolm <dmalcolm@redhat.com>

	PR analyzer/105252
	* svalue.cc (cmp_cst): When comparing VECTOR_CSTs, compare the
	types of the encoded elements before calling cmp_cst on them.

2022-04-09 David Malcolm <dmalcolm@redhat.com>

	PR analyzer/103892
	* region-model-manager.cc
	(region_model_manager::get_unknown_symbolic_region): New,
	extracted from...
	(region_model_manager::get_field_region): ...here.
	(region_model_manager::get_element_region): Use it here.
	(region_model_manager::get_offset_region): Likewise.
	(region_model_manager::get_sized_region): Likewise.
	(region_model_manager::get_cast_region): Likewise.
	(region_model_manager::get_bit_range): Likewise.
	* region-model.h
	(region_model_manager::get_unknown_symbolic_region): New decl.
	* region.cc (symbolic_region::symbolic_region): Handle sval_ptr
	having NULL type.
	(symbolic_region::dump_to_pp): Handle having NULL type.

2022-04-07 David Malcolm <dmalcolm@redhat.com>

	PR analyzer/102208
	* store.cc (binding_map::remove_overlapping_bindings): Add
	"always_overlap" param, using it to generalize to the case where
	we want to remove all bindings. Update "uncertainty" logic to
	only record maybe-bound values for cases where there is a symbolic
	write involved.
	(binding_cluster::mark_region_as_unknown): Split param "reg" into
	"reg_to_bind" and "reg_for_overlap".
	(binding_cluster::maybe_get_compound_binding): Pass "false" to
	binding_map::remove_overlapping_bindings new "always_overlap" param.
	(binding_cluster::remove_overlapping_bindings): Determine
	"always_overlap" and pass it to
	binding_map::remove_overlapping_bindings.
	(store::set_value): Pass uncertainty to remove_overlapping_bindings
	call. Update for new param of
	binding_cluster::mark_region_as_unknown, passing both the base
	region of the iter_cluster, and the lhs_reg.
	(store::mark_region_as_unknown): Update for new param of
	binding_cluster::mark_region_as_unknown, passing "reg" for both.
	(store::remove_overlapping_bindings): Add param "uncertainty", and
	pass it on to call to
	binding_cluster::remove_overlapping_bindings.
	* store.h (binding_map::remove_overlapping_bindings): Add
	"always_overlap" param.
	(binding_cluster::mark_region_as_unknown): Split param "reg" into
	"reg_to_bind" and "reg_for_overlap".
	(store::remove_overlapping_bindings): Add param "uncertainty".

2022-03-29  David Malcolm  <dmalcolm@redhat.com>

	PR testsuite/105085
	* region-model-manager.cc (dump_untracked_region): Skip decls in
	the constant pool.

2022-03-29  David Malcolm  <dmalcolm@redhat.com>

	PR analyzer/105087
	* analyzer.h (class conjured_purge): New forward decl.
	* region-model-asm.cc (region_model::on_asm_stmt): Add
	conjured_purge param to calls binding_cluster::on_asm and
	region_model_manager::get_or_create_conjured_svalue.
	* region-model-impl-calls.cc
	(call_details::get_or_create_conjured_svalue): Likewise for call
	to region_model_manager::get_or_create_conjured_svalue.
	(region_model::impl_call_fgets): Remove call to
	region_model::purge_state_involving, as this is now done
	implicitly by call_details::get_or_create_conjured_svalue.
	(region_model::impl_call_fread): Likewise.
	(region_model::impl_call_strchr): Pass conjured_purge param to
	call to region_model_manager::get_or_create_conjured_svalue.
	* region-model-manager.cc (conjured_purge::purge): New.
	(region_model_manager::get_or_create_conjured_svalue): Add
	param "p".  Use it to purge state when reusing an existing
	conjured_svalue.
	* region-model.cc (region_model::on_call_pre): Replace call to
	region_model::purge_state_involving with passing conjured_purge
	to region_model_manager::get_or_create_conjured_svalue.
	(region_model::handle_unrecognized_call): Pass conjured_purge to
	store::on_unknown_fncall.
	* region-model.h
	(region_model_manager::get_or_create_conjured_svalue): Add param
	"p".
	* store.cc (binding_cluster::on_unknown_fncall): Likewise.  Pass
	it on to region_model_manager::get_or_create_conjured_svalue.
	(binding_cluster::on_asm): Likewise.
	(store::on_unknown_fncall): Add param "p" and pass it on to
	binding_cluster::on_unknown_fncall.
	* store.h (binding_cluster::on_unknown_fncall): Add param p.
	(binding_cluster::on_asm): Likewise.
	(store::on_unknown_fncall): Likewise.
	* svalue.h (class conjured_purge): New.

2022-03-29  David Malcolm  <dmalcolm@redhat.com>

	PR analyzer/105074
	* region.cc (ipa_ref_requires_tracking): Drop "context_fndecl",
	instead using the ref->referring to get the cgraph node of the
	caller.
	(symnode_requires_tracking_p): Likewise.

2022-03-26  David Malcolm  <dmalcolm@redhat.com>

	PR analyzer/105057
	* store.cc (binding_cluster::make_unknown_relative_to): Reject
	attempts to create a cluster for untracked base regions.
	(store::set_value): Likewise.
	(store::fill_region): Likewise.
	(store::mark_region_as_unknown): Likewise.

2022-03-25  David Malcolm  <dmalcolm@redhat.com>

	PR analyzer/104954
	* analyzer.opt (-fdump-analyzer-untracked): New option.
	* engine.cc (impl_run_checkers): Handle it.
	* region-model-asm.cc (region_model::on_asm_stmt): Don't attempt
	to clobber regions with !tracked_p ().
	* region-model-manager.cc (dump_untracked_region): New.
	(region_model_manager::dump_untracked_regions): New.
	(frame_region::dump_untracked_regions): New.
	* region-model.h (region_model_manager::dump_untracked_regions):
	New decl.
	* region.cc (ipa_ref_requires_tracking): New.
	(symnode_requires_tracking_p): New.
	(decl_region::calc_tracked_p): New.
	* region.h (region::tracked_p): New vfunc.
	(frame_region::dump_untracked_regions): New decl.
	(class decl_region): Note that this is also used for SSA names.
	(decl_region::decl_region): Initialize m_tracked.
	(decl_region::tracked_p): New.
	(decl_region::calc_tracked_p): New decl.
	(decl_region::m_tracked): New.
	* store.cc (store::get_or_create_cluster): Assert that we
	don't try to create clusters for base regions that aren't
	trackable.
	(store::mark_as_escaped): Don't mark base regions that we're not
	tracking.

2022-03-23  David Malcolm  <dmalcolm@redhat.com>

	PR analyzer/104979
	* engine.cc (impl_run_checkers): Create the engine after the
	supergraph, and pass the supergraph to the engine.
	* region-model.cc (region_model::get_lvalue_1): Pass ctxt to
	frame_region::get_region_for_local.
	(region_model::update_for_return_gcall): Pass the lvalue for the
	result to pop_frame as a tree, rather than as a region.
	(region_model::pop_frame): Update for above change, determining
	the destination region after the frame is popped and thus with
	respect to the caller frame rather than the called frame.
	Likewise, set the value of the region to the return value after
	the frame is popped.
	(engine::engine): Add supergraph pointer.
	(selftest::test_stack_frames): Set the DECL_CONTEXT of PARM_DECLs.
	(selftest::test_get_representative_path_var): Likewise.
	(selftest::test_state_merging): Likewise.
	* region-model.h (region_model::pop_frame): Convert first param
	from a const region * to a tree.
	(engine::engine): Add param "sg".
	(engine::m_sg): New field.
	* region.cc: Include "analyzer/sm.h" and
	"analyzer/program-state.h".
	(frame_region::get_region_for_local): Add "ctxt" param.
	Add assertions that VAR_DECLs are locals, and that expr is for the
	correct function.
	* region.h (frame_region::get_region_for_local): Add "ctxt" param.

2022-03-23  David Malcolm  <dmalcolm@redhat.com>

	PR analyzer/105017
	* sm-taint.cc (taint_diagnostic::subclass_equal_p): Check
	m_has_bounds as well as m_arg.
	(tainted_allocation_size::subclass_equal_p): Chain up to base
	class implementation.  Also check m_mem_space.
	(tainted_allocation_size::emit): Add note showing stack-based vs
	heap-based allocations.

2022-03-23  David Malcolm  <dmalcolm@redhat.com>

	PR analyzer/104997
	* diagnostic-manager.cc (diagnostic_manager::add_diagnostic):
	Convert return type from "void" to "bool", reporting success vs
	failure to caller, for both overloads.
	* diagnostic-manager.h (diagnostic_manager::add_diagnostic):
	Likewise.
	* engine.cc (impl_region_model_context::warn): Propagate return
	value from diagnostic_manager::add_diagnostic.

2022-03-18  David Malcolm  <dmalcolm@redhat.com>

	PR analyzer/104943
	PR analyzer/104954
	PR analyzer/103533
	* analyzer.h (class state_purge_per_decl): New forward decl.
	* engine.cc (impl_run_checkers): Pass region_model_manager to
	state_purge_map ctor.
	* program-point.cc (function_point::final_stmt_p): New.
	(function_point::get_next): New.
	* program-point.h (function_point::final_stmt_p): New decl.
	(function_point::get_next): New decl.
	* program-state.cc (program_state::prune_for_point): Generalize to
	purge local decls as well as SSA names.
	(program_state::can_purge_base_region_p): New.
	* program-state.h (program_state::can_purge_base_region_p): New
	decl.
	* region-model.cc (struct append_ssa_names_cb_data): Rename to...
	(struct append_regions_cb_data): ...this.
	(region_model::get_ssa_name_regions_for_current_frame): Rename
	to...
	(region_model::get_regions_for_current_frame): ...this, updating
	for other renamings.
	(region_model::append_ssa_names_cb): Rename to...
	(region_model::append_regions_cb): ...this, and drop the requirement
	that the subregion be a SSA name.
	* region-model.h (struct append_ssa_names_cb_data): Rename decl
	to...
	(struct append_regions_cb_data): ...this.
	(region_model::get_ssa_name_regions_for_current_frame): Rename
	decl to...
	(region_model::get_regions_for_current_frame): ...this.
	(region_model::append_ssa_names_cb): Rename decl to...
	(region_model::append_regions_cb): ...this.
	* state-purge.cc: Include "tristate.h", "selftest.h",
	"analyzer/store.h", "analyzer/region-model.h", and
	"gimple-walk.h".
	(get_candidate_for_purging): New.
	(class gimple_op_visitor): New.
	(my_load_cb): New.
	(my_store_cb): New.
	(my_addr_cb): New.
	(state_purge_map::state_purge_map): Add "mgr" param.  Update for
	renamings.  Find uses of local variables.
	(state_purge_map::~state_purge_map): Update for renaming of m_map
	to m_ssa_map.  Clean up m_decl_map.
	(state_purge_map::get_or_create_data_for_decl): New.
	(state_purge_per_ssa_name::state_purge_per_ssa_name): Update for
	inheriting from state_purge_per_tree.
	(state_purge_per_ssa_name::add_to_worklist): Likewise.
	(state_purge_per_decl::state_purge_per_decl): New.
	(state_purge_per_decl::add_needed_at): New.
	(state_purge_per_decl::add_pointed_to_at): New.
	(state_purge_per_decl::process_worklists): New.
	(state_purge_per_decl::add_to_worklist): New.
	(same_binding_p): New.
	(fully_overwrites_p): New.
	(state_purge_per_decl::process_point_backwards): New.
	(state_purge_per_decl::process_point_forwards): New.
	(state_purge_per_decl::needed_at_point_p): New.
	(state_purge_annotator::print_needed): Generalize to print local
	decls as well as SSA names.
	* state-purge.h (class state_purge_map): Update leading comment.
	(state_purge_map::map_t): Rename to...
	(state_purge_map::ssa_map_t): ...this.
	(state_purge_map::iterator): Rename to...
	(state_purge_map::ssa_iterator): ...this.
	(state_purge_map::decl_map_t): New typedef.
	(state_purge_map::decl_iterator): New typedef.
	(state_purge_map::state_purge_map): Add "mgr" param.
	(state_purge_map::get_data_for_ssa_name): Update for renaming.
	(state_purge_map::get_any_data_for_decl): New.
	(state_purge_map::get_or_create_data_for_decl): New decl.
	(state_purge_map::begin): Rename to...
	(state_purge_map::begin_ssas): ...this.
	(state_purge_map::end): Rename to...
	(state_purge_map::end_ssa): ...this.
	(state_purge_map::begin_decls): New.
	(state_purge_map::end_decls): New.
	(state_purge_map::m_map): Rename to...
	(state_purge_map::m_ssa_map): ...this.
	(state_purge_map::m_decl_map): New field.
	(class state_purge_per_tree): New class.
	(class state_purge_per_ssa_name): Inherit from state_purge_per_tree.
	(state_purge_per_ssa_name::get_function): Move to base class.
	(state_purge_per_ssa_name::point_set_t): Likewise.
	(state_purge_per_ssa_name::m_fun): Likewise.
	(class state_purge_per_decl): New.

2022-03-17  David Malcolm  <dmalcolm@redhat.com>

	* state-purge.cc (state_purge_annotator::add_node_annotations):
	Avoid duplicate before-supernode annotations when returning from
	an interprocedural call.  Show after-supernode annotations.

2022-03-17  David Malcolm  <dmalcolm@redhat.com>

	* program-point.cc (program_point::get_next): Fix missing
	increment of index.

2022-03-16  David Malcolm  <dmalcolm@redhat.com>

	PR analyzer/104955
	* diagnostic-manager.cc (get_emission_location): New.
	(diagnostic_manager::diagnostic_manager): Initialize
	m_num_disabled_diagnostics.
	(diagnostic_manager::add_diagnostic): Reject diagnostics that
	will eventually be rejected due to being disabled.
	(diagnostic_manager::emit_saved_diagnostics): Log the number
	of disabled diagnostics.
	(diagnostic_manager::emit_saved_diagnostic): Split out logic for
	determining emission location to get_emission_location.
	* diagnostic-manager.h
	(diagnostic_manager::m_num_disabled_diagnostics): New field.
	* engine.cc (stale_jmp_buf::get_controlling_option): New.
	(stale_jmp_buf::emit): Use it.
	* pending-diagnostic.h
	(pending_diagnostic::get_controlling_option): New vfunc.
	* region-model.cc
	(poisoned_value_diagnostic::get_controlling_option): New.
	(poisoned_value_diagnostic::emit): Use it.
	(shift_count_negative_diagnostic::get_controlling_option): New.
	(shift_count_negative_diagnostic::emit): Use it.
	(shift_count_overflow_diagnostic::get_controlling_option): New.
	(shift_count_overflow_diagnostic::emit): Use it.
	(dump_path_diagnostic::get_controlling_option): New.
	(dump_path_diagnostic::emit): Use it.
	(write_to_const_diagnostic::get_controlling_option): New.
	(write_to_const_diagnostic::emit): Use it.
	(write_to_string_literal_diagnostic::get_controlling_option): New.
	(write_to_string_literal_diagnostic::emit): Use it.
	* sm-file.cc (double_fclose::get_controlling_option): New.
	(double_fclose::emit): Use it.
	(file_leak::get_controlling_option): New.
	(file_leak::emit): Use it.
	* sm-malloc.cc (mismatching_deallocation::get_controlling_option):
	New.
	(mismatching_deallocation::emit): Use it.
	(double_free::get_controlling_option): New.
	(double_free::emit): Use it.
	(possible_null_deref::get_controlling_option): New.
	(possible_null_deref::emit): Use it.
	(possible_null_arg::get_controlling_option): New.
	(possible_null_arg::emit): Use it.
	(null_deref::get_controlling_option): New.
	(null_deref::emit): Use it.
	(null_arg::get_controlling_option): New.
	(null_arg::emit): Use it.
	(use_after_free::get_controlling_option): New.
	(use_after_free::emit): Use it.
	(malloc_leak::get_controlling_option): New.
	(malloc_leak::emit): Use it.
	(free_of_non_heap::get_controlling_option): New.
	(free_of_non_heap::emit): Use it.
	* sm-pattern-test.cc (pattern_match::get_controlling_option): New.
	(pattern_match::emit): Use it.
	* sm-sensitive.cc
	(exposure_through_output_file::get_controlling_option): New.
	(exposure_through_output_file::emit): Use it.
	* sm-signal.cc (signal_unsafe_call::get_controlling_option): New.
	(signal_unsafe_call::emit): Use it.
	* sm-taint.cc (tainted_array_index::get_controlling_option): New.
	(tainted_array_index::emit): Use it.
	(tainted_offset::get_controlling_option): New.
	(tainted_offset::emit): Use it.
	(tainted_size::get_controlling_option): New.
	(tainted_size::emit): Use it.
	(tainted_divisor::get_controlling_option): New.
	(tainted_divisor::emit): Use it.
	(tainted_allocation_size::get_controlling_option): New.
	(tainted_allocation_size::emit): Use it.

2022-03-15  David Malcolm  <dmalcolm@redhat.com>

	* store.cc (store::store): Presize m_cluster_map.

2022-03-10  David Malcolm  <dmalcolm@redhat.com>

	PR analyzer/104863
	* constraint-manager.cc (constraint_manager::add_constraint):
	Refresh the EC IDs when adding constraints implied by offsets.

2022-03-10  David Malcolm  <dmalcolm@redhat.com>

	PR analyzer/104793
	* analyzer.h (class pending_note): New forward decl.
	* diagnostic-manager.cc (saved_diagnostic::saved_diagnostic):
	Initialize m_notes.
	(saved_diagnostic::operator==): Compare m_notes.
	(saved_diagnostic::add_note): New.
	(saved_diagnostic::emit_any_notes): New.
	(diagnostic_manager::add_note): New.
	(diagnostic_manager::emit_saved_diagnostic): Call emit_any_notes
	after emitting the warning.
	* diagnostic-manager.h (saved_diagnostic::add_note): New decl.
	(saved_diagnostic::emit_any_notes): New decl.
	(saved_diagnostic::m_notes): New field.
	(diagnostic_manager::add_note): New decl.
	* engine.cc (impl_region_model_context::add_note): New.
	* exploded-graph.h (impl_region_model_context::add_note): New
	decl.
	* pending-diagnostic.h (class pending_note): New.
	(class pending_note_subclass): New template.
	* region-model.cc (class reason_attr_access): New.
	(check_external_function_for_access_attr): Add class
	annotating_ctxt and use it when checking region.
	(noop_region_model_context::add_note): New.
	* region-model.h (region_model_context::add_note): New vfunc.
	(noop_region_model_context::add_note): New decl.
	(class region_model_context_decorator): New.
	(class note_adding_context): New.

2022-03-10  David Malcolm  <dmalcolm@redhat.com>

	PR analyzer/104793
	* region-model.cc
	(region_model::check_external_function_for_access_attr): New.
	(region_model::handle_unrecognized_call): Call it.
	* region-model.h
	(region_model::check_external_function_for_access_attr): New decl.
	(region_model::handle_unrecognized_call): New decl.

2022-03-10  David Malcolm  <dmalcolm@redhat.com>

	* sm-taint.cc (taint_state_machine::check_for_tainted_size_arg):
	Avoid generating duplicate saved_diagnostics by only handling the
	rdwr_map entry for the ptrarg, not the duplicate entry for the
	sizarg.

2022-03-07  David Malcolm  <dmalcolm@redhat.com>

	PR analyzer/101983
	* engine.cc (returning_from_function_p): New.
	(impl_region_model_context::on_state_leak): Use it when rejecting
	leaks at the return from "main".

2022-03-07  Jakub Jelinek  <jakub@redhat.com>

	* store.cc: Fix up duplicated word issue in a comment.
	* analyzer.cc: Likewise.
	* engine.cc: Likewise.
	* sm-taint.cc: Likewise.

2022-03-04  David Malcolm  <dmalcolm@redhat.com>

	PR analyzer/103521
	* analyzer.opt (-param=analyzer-max-svalue-depth=): Reduce from 13
	to 12.

2022-02-23  David Malcolm  <dmalcolm@redhat.com>

	PR analyzer/104434
	* analyzer.h (class const_fn_result_svalue): New decl.
	* region-model-impl-calls.cc (call_details::get_manager): New.
	* region-model-manager.cc
	(region_model_manager::get_or_create_const_fn_result_svalue): New.
	(region_model_manager::log_stats): Log
	m_const_fn_result_values_map.
	* region-model.cc (const_fn_p): New.
	(maybe_get_const_fn_result): New.
	(region_model::on_call_pre): Handle fndecls with
	__attribute__((const)) by calling the above rather than making
	a conjured_svalue.
	* region-model.h (visitor::visit_const_fn_result_svalue): New.
	(region_model_manager::get_or_create_const_fn_result_svalue): New
	decl.
	(region_model_manager::const_fn_result_values_map_t): New typedef.
	(region_model_manager::m_const_fn_result_values_map): New field.
	(call_details::get_manager): New decl.
	* svalue.cc (svalue::cmp_ptr): Handle SK_CONST_FN_RESULT.
	(const_fn_result_svalue::dump_to_pp): New.
	(const_fn_result_svalue::dump_input): New.
	(const_fn_result_svalue::accept): New.
	* svalue.h (enum svalue_kind): Add SK_CONST_FN_RESULT.
	(svalue::dyn_cast_const_fn_result_svalue): New.
	(class const_fn_result_svalue): New.
	(is_a_helper <const const_fn_result_svalue *>::test): New.
	(template <> struct default_hash_traits<const_fn_result_svalue::key_t>):
	New.

2022-02-17  David Malcolm  <dmalcolm@redhat.com>

	PR analyzer/104576
	* region-model.cc: Include "calls.h".
	(region_model::on_call_pre): Use flags_from_decl_or_type to
	generalize check for DECL_PURE_P to also check for ECF_CONST.

2022-02-16  David Malcolm  <dmalcolm@redhat.com>

	PR analyzer/104560
	* diagnostic-manager.cc (diagnostic_manager::build_emission_path):
	Add region creation events for globals of interest.
	(null_assignment_sm_context::get_old_program_state): New.
	(diagnostic_manager::add_events_for_eedge): Move check for
	changing dynamic extents from PK_BEFORE_STMT case to after the
	switch on the dst_point's kind so that we can emit them for the
	final stmt in a basic block.
	* engine.cc (impl_sm_context::get_old_program_state): New.
	* sm-malloc.cc (malloc_state_machine::get_default_state): Rewrite
	detection of m_non_heap to use get_memory_space.
	(free_of_non_heap::free_of_non_heap): Add freed_reg param.
	(free_of_non_heap::subclass_equal_p): Update for changes to
	fields.
	(free_of_non_heap::emit): Drop m_kind in favor of
	get_memory_space.
	(free_of_non_heap::describe_state_change): Remove logic for
	detecting alloca.
	(free_of_non_heap::mark_interesting_stuff): Add region-creation of
	m_freed_reg.
	(free_of_non_heap::get_memory_space): New.
	(free_of_non_heap::kind): Drop enum.
	(free_of_non_heap::m_freed_reg): New field.
	(free_of_non_heap::m_kind): Drop field.
	(malloc_state_machine::on_stmt): Drop transition to m_non_heap.
	(malloc_state_machine::handle_free_of_non_heap): New function,
	split out from on_deallocator_call and on_realloc_call, adding
	detection of the freed region.
	(malloc_state_machine::on_deallocator_call): Use it.
	(malloc_state_machine::on_realloc_call): Likewise.
	* sm.h (sm_context::get_old_program_state): New vfunc.

2022-02-15  David Malcolm  <dmalcolm@redhat.com>

	PR analyzer/104524
	* region-model-manager.cc
	(region_model_manager::maybe_fold_sub_svalue): Only call
	get_or_create_cast if type is non-NULL.

2022-02-15  David Malcolm  <dmalcolm@redhat.com>

	PR analyzer/102692
	* exploded-graph.h (impl_region_model_context::get_stmt): New.
	* region-model.cc: Include "gimple-ssa.h", "tree-phinodes.h",
	"tree-ssa-operands.h", and "ssa-iterators.h".
	(within_short_circuited_stmt_p): New.
	(region_model::check_for_poison): Don't warn about uninit values
	if within_short_circuited_stmt_p.
	* region-model.h (region_model_context::get_stmt): New vfunc.
	(noop_region_model_context::get_stmt): New.

2022-02-11  David Malcolm  <dmalcolm@redhat.com>

	PR analyzer/104274
	* region-model.cc (region_model::check_for_poison): Ignore
	uninitialized uses of empty types.

2022-02-10  David Malcolm  <dmalcolm@redhat.com>

	PR analyzer/98797
	* region-model-manager.cc
	(region_model_manager::maybe_fold_sub_svalue): Generalize getting
	individual chars of a STRING_CST from element_region to any
	subregion which is a concrete access of a single byte from its
	parent region.
	* region.cc (region::get_relative_concrete_byte_range): New.
	* region.h (region::get_relative_concrete_byte_range): New decl.

2022-02-09  David Malcolm  <dmalcolm@redhat.com>

	PR analyzer/104452
	* region-model.cc (selftest::test_bit_range_regions): New.
	(selftest::analyzer_region_model_cc_tests): Call it.
	* region.h (bit_range_region::key_t::hash): Fix hashing of m_bits
	to avoid using uninitialized data.

2022-02-07  David Malcolm  <dmalcolm@redhat.com>

	PR analyzer/104417
	* sm-taint.cc (tainted_allocation_size::tainted_allocation_size):
	Remove overzealous assertion.
	(tainted_allocation_size::emit): Likewise.
	(region_model::check_dynamic_size_for_taint): Likewise.

2022-02-07  David Malcolm  <dmalcolm@redhat.com>

	PR analyzer/103872
	* region-model-impl-calls.cc (region_model::impl_call_memcpy):
	Reimplement in terms of a get_store_value followed by a set_value.

2022-02-03  David Malcolm  <dmalcolm@redhat.com>

	PR analyzer/104369
	* engine.cc (exploded_graph::process_node): Use the node for any
	diagnostics, avoiding ICE if a bifurcation update adds a
	saved_diagnostic, such as for a tainted realloc size.
	* region-model-impl-calls.cc
	(region_model::impl_call_realloc::success_no_move::update_model):
	Require the old pointer to be non-NULL to be able to successfully
	grow in place.  Use model->deref_rvalue rather than maybe_get_region
	to support the old pointer being symbolic.
	(region_model::impl_call_realloc::success_with_move::update_model):
	Likewise.  Add a constraint that the new pointer != the old pointer.
	Use a sized_region when setting the value of the new region.
	Handle the case where we don't know the dynamic size of the old
	region by marking the new region as unknown.
	* sm-taint.cc (tainted_allocation_size::tainted_allocation_size):
	Update assertion to also allow for MEMSPACE_UNKNOWN.
	(tainted_allocation_size::emit): Likewise.
	(region_model::check_dynamic_size_for_taint): Likewise.

2022-02-03  David Malcolm  <dmalcolm@redhat.com>

	* region-model-impl-calls.cc (region_model::impl_call_calloc): Use
	a sized_region when calling zero_fill_region.

2022-02-02  David Malcolm  <dmalcolm@redhat.com>

	* region-model.cc (region_model::on_return): Replace usage of
	copy_region with get_rvalue/set_value pair.
	(region_model::pop_frame): Likewise.
	(selftest::test_compound_assignment): Likewise.
	* region-model.h (region_model::copy_region): Delete decl.
	* region.cc (region_model::copy_region): Delete.

2022-02-02  David Malcolm  <dmalcolm@redhat.com>

	* region.cc (region::calc_offset): Consolidate effectively
	identical cases.

2022-02-02  David Malcolm  <dmalcolm@redhat.com>

	* analyzer.h (class bit_range_region): New forward decl.
	* region-model-manager.cc (region_model_manager::get_bit_range):
	New.
	(region_model_manager::log_stats): Handle m_bit_range_regions.
	* region-model.cc (region_model::get_lvalue_1): Handle
	BIT_FIELD_REF.
	* region-model.h (region_model_manager::get_bit_range): New decl.
	(region_model_manager::m_bit_range_regions): New field.
	* region.cc (region::get_base_region): Handle RK_BIT_RANGE.
	(region::base_region_p): Likewise.
	(region::calc_offset): Likewise.
	(bit_range_region::dump_to_pp): New.
	(bit_range_region::get_byte_size): New.
	(bit_range_region::get_bit_size): New.
	(bit_range_region::get_byte_size_sval): New.
	(bit_range_region::get_relative_concrete_offset): New.
	* region.h (enum region_kind): Add RK_BIT_RANGE.
	(region::dyn_cast_bit_range_region): New vfunc.
	(class bit_range_region): New.
	(is_a_helper <const bit_range_region *>::test): New.
	(default_hash_traits<bit_range_region::key_t>): New.

2022-02-02  David Malcolm  <dmalcolm@redhat.com>

	PR analyzer/104270
	* region-model.cc (region_model::on_call_pre): Handle
	IFN_DEFERRED_INIT.

2022-01-27  David Malcolm  <dmalcolm@redhat.com>

	* checker-path.cc (event_kind_to_string): Handle
	EK_REGION_CREATION.
	(region_creation_event::region_creation_event): New.
	(region_creation_event::get_desc): New.
	(checker_path::add_region_creation_event): New.
	* checker-path.h (enum event_kind): Add EK_REGION_CREATION.
	(class region_creation_event): New subclass.
	(checker_path::add_region_creation_event): New decl.
	* diagnostic-manager.cc
	(diagnostic_manager::emit_saved_diagnostic): Pass NULL for new
	param to add_events_for_eedge when handling trailing eedge.
	(diagnostic_manager::build_emission_path): Create an interesting_t
	instance, allow the pending diagnostic to populate it, and pass it
	to the calls to add_events_for_eedge.
	(diagnostic_manager::add_events_for_eedge): Add "interest" param.
	Use it to add region_creation_events for on-stack regions created
	at function entry, and when pertinent dynamically-sized
	regions are created.
	(diagnostic_manager::prune_for_sm_diagnostic): Add case for
	EK_REGION_CREATION.
	* diagnostic-manager.h (diagnostic_manager::add_events_for_eedge):
	Add "interest" param.
	* pending-diagnostic.cc: Include "selftest.h", "tristate.h",
	"analyzer/call-string.h", "analyzer/program-point.h",
	"analyzer/store.h", and "analyzer/region-model.h".
	(interesting_t::add_region_creation): New.
	(interesting_t::dump_to_pp): New.
	* pending-diagnostic.h (struct interesting_t): New.
	(pending_diagnostic::mark_interesting_stuff): New vfunc.
	* region-model.cc
	(poisoned_value_diagnostic::poisoned_value_diagnostic): Add
	(poisoned_value_diagnostic::operator==): Compare m_pkind and
	m_src_region fields.
	(poisoned_value_diagnostic::mark_interesting_stuff): New.
	(poisoned_value_diagnostic::m_src_region): New.
	(region_model::check_for_poison): Call
	get_region_for_poisoned_expr for uninit values and pass the result
	to the diagnostic.
	(region_model::get_region_for_poisoned_expr): New.
	(region_model::deref_rvalue): Pass NULL for
	poisoned_value_diagnostic's src_region.
	* region-model.h (region_model::get_region_for_poisoned_expr): New
	decl.
	* region.h (frame_region::get_fndecl): New.

2022-01-27  Martin Liska  <mliska@suse.cz>

	PR analyzer/104247
	* constraint-manager.cc (bounded_ranges_manager::log_stats):
	Cast to long for format purpose.
	* region-model-manager.cc (log_uniq_map): Likewise.

2022-01-26  David Malcolm  <dmalcolm@redhat.com>

	PR analyzer/104224
	* region-model.cc (region_model::check_call_args): New.
	(region_model::on_call_pre): Call it when ignoring stdio builtins.
	* region-model.h (region_model::check_call_args): New decl.

2022-01-26  David Malcolm  <dmalcolm@redhat.com>

	PR analyzer/94362
	* constraint-manager.cc (range::add_bound): Fix tests for
	discarding redundant constraints.  Perform test for rejecting
	unsatisfiable constraints earlier so that they don't update
	the object on failure.
	(selftest::test_range): New.
	(selftest::test_constant_comparisons): Add test coverage for
	existing constraints becoming narrower until they are
	unsatisfiable.
	(selftest::run_constraint_manager_tests): Call test_range.

2022-01-22  David Malcolm  <dmalcolm@redhat.com>

	PR analyzer/104159
	* region-model-manager.cc
	(region_model_manager::get_or_create_cast): Bail out if the types
	are the same.  Don't attempt to handle casts involving vector
	types.

2022-01-20  David Malcolm  <dmalcolm@redhat.com>

	PR analyzer/94362
	* constraint-manager.cc (bound::ensure_closed): Convert param to
	enum bound_kind.
	(range::constrained_to_single_element): Likewise.
	(range::add_bound): New.
	(constraint_manager::add_constraint): Handle SVAL + OFFSET
	compared to a constant.
	(constraint_manager::get_ec_bounds): Rewrite in terms of
	range::add_bound.
	(constraint_manager::eval_condition): Reject if range::add_bound
	fails.
	(selftest::test_constant_comparisons): Add test coverage for
	various impossible combinations of integer comparisons.
	* constraint-manager.h (enum bound_kind): New.
	(struct bound): Likewise.
	(bound::ensure_closed): Convert param to enum bound_kind.
	(struct range): Convert to...
	(class range): ...this, making fields private.
	(range::add_bound): New decls.
	* region-model.cc (region_model::add_constraint): Fail if
	constraint_manager::add_constraint fails.

2022-01-18  David Malcolm  <dmalcolm@redhat.com>

	PR analyzer/104089
	* region-model-manager.cc
	(region_model_manager::get_or_create_constant_svalue): Assert that
	we have a CONSTANT_CLASS_P.
	(region_model_manager::maybe_fold_unaryop): Only fold a constant
	when fold_unary's result is a constant or a cast of a constant.

2022-01-18  David Malcolm  <dmalcolm@redhat.com>

	PR analyzer/104062
	* region-model-manager.cc
	(region_model_manager::maybe_fold_sub_svalue): Avoid casting to
	NULL type when folding access to repeated svalue.

2022-01-17  Martin Liska  <mliska@suse.cz>

	* analyzer.cc (is_special_named_call_p): Rename .c names to .cc.
	(is_named_call_p): Likewise.
	* region-model-asm.cc (deterministic_p): Likewise.
	* region.cc (field_region::get_relative_concrete_offset): Likewise.
	* sm-malloc.cc (method_p): Likewise.
	* supergraph.cc (superedge::dump_dot): Likewise.

2022-01-14  David Malcolm  <dmalcolm@redhat.com>

	* sm-taint.cc (taint_state_machine::combine_states): Handle combination
	of has_ub and has_lb.

2022-01-14  David Malcolm  <dmalcolm@redhat.com>

	PR analyzer/104029
	* sm-taint.cc (taint_state_machine::alt_get_inherited_state):
	Remove gcc_unreachable from default case for unary ops.

2022-01-14  David Malcolm  <dmalcolm@redhat.com>

	* engine.cc: Include "stringpool.h", "attribs.h", and
	"tree-dfa.h".
	(mark_params_as_tainted): New.
	(class tainted_args_function_custom_event): New.
	(class tainted_args_function_info): New.
	(exploded_graph::add_function_entry): Handle functions with
	"tainted_args" attribute.
	(class tainted_args_field_custom_event): New.
	(class tainted_args_callback_custom_event): New.
	(class tainted_args_call_info): New.
	(add_tainted_args_callback): New.
	(add_any_callbacks): New.
	(exploded_graph::build_initial_worklist): Likewise.
	(exploded_graph::build_initial_worklist): Find callbacks that are
	reachable from global initializers, calling add_any_callbacks on
	them.

2022-01-12  David Malcolm  <dmalcolm@redhat.com>

	PR analyzer/103940
	* engine.cc (impl_sm_context::impl_sm_context): Add
	"unknown_side_effects" param and use it to initialize
	new m_unknown_side_effects field.
	(impl_sm_context::unknown_side_effects_p): New.
	(impl_sm_context::m_unknown_side_effects): New.
	(exploded_node::on_stmt): Pass unknown_side_effects to sm_ctxt
	ctor.
	* sm-taint.cc: Include "stringpool.h" and "attribs.h".
	(tainted_size::tainted_size): Drop "dir" param.
	(tainted_size::get_kind): Drop "FINAL".
	(tainted_size::emit): Likewise.
	(tainted_size::m_dir): Drop unused field.
	(class tainted_access_attrib_size): New subclass.
	(taint_state_machine::on_stmt): Call check_for_tainted_size_arg on
	external functions with unknown side effects.
	(taint_state_machine::check_for_tainted_size_arg): New.
	(region_model::check_region_for_taint): Drop "dir" param from
	tainted_size ctor.
	* sm.h (sm_context::unknown_side_effects_p): New.

2022-01-11  David Malcolm  <dmalcolm@redhat.com>

	PR analyzer/102692
	* diagnostic-manager.cc
	(class auto_disable_complexity_checks): Rename to...
	(class auto_checking_feasibility): ...this, updating
	the calls accordingly.
	(epath_finder::explore_feasible_paths): Update for renaming.
	* region-model-manager.cc
	(region_model_manager::region_model_manager): Update for change from
	m_check_complexity to m_checking_feasibility.
	(region_model_manager::reject_if_too_complex): Likewise.
	(region_model_manager::get_or_create_unknown_svalue): Handle
	m_checking_feasibility.
	(region_model_manager::create_unique_svalue): New.
	(region_model_manager::maybe_fold_binop): Handle BIT_AND_EXPR and
	BIT_IOR_EXPRs on booleans where we know the result.
	* region-model.cc (test_binop_svalue_folding): Add test coverage
	for the above.
	* region-model.h (region_model_manager::create_unique_svalue): New
	decl.
	(region_model_manager::enable_complexity_check): Replace with...
	(region_model_manager::begin_checking_feasibility): ...this.
	(region_model_manager::disable_complexity_check): Replace with...
	(region_model_manager::end_checking_feasibility): ...this.
	(region_model_manager::m_check_complexity): Replace with...
	(region_model_manager::m_checking_feasibility): ...this.
	(region_model_manager::m_managed_dynamic_svalues): New field.

2022-01-08  David Malcolm  <dmalcolm@redhat.com>

	* engine.cc (impl_run_checkers): Pass logger to engine ctor.
	* region-model-manager.cc
	(region_model_manager::region_model_manager): Add logger param and
	use it to initialize m_logger.
	* region-model.cc (engine::engine): New.
	* region-model.h (region_model_manager::region_model_manager):
	Add logger param.
	(region_model_manager::get_logger): New.
	(region_model_manager::m_logger): New field.
	(engine::engine): New.
	* store.cc (store_manager::get_logger): New.
	(store::set_value): Log scope.  Log when marking a cluster as
	unknown due to possible aliasing.
	* store.h (store_manager::get_logger): New decl.

2022-01-08  David Malcolm  <dmalcolm@redhat.com>

	* region-model-impl-calls.cc (cmp_decls): New.
	(cmp_decls_ptr_ptr): New.
	(region_model::impl_call_analyzer_dump_escaped): New.
	* region-model.cc (region_model::on_stmt_pre): Handle
	__analyzer_dump_escaped.
	* region-model.h (region_model::impl_call_analyzer_dump_escaped):
	New decl.
	* store.h (binding_cluster::get_base_region): New accessor.

2022-01-08  David Malcolm  <dmalcolm@redhat.com>

	* region.cc (region::is_named_decl_p): New.
	* region.h (region::is_named_decl_p): New decl.

2022-01-06  David Malcolm  <dmalcolm@redhat.com>

	PR analyzer/103546
	* store.cc (store::eval_alias_1): Refactor handling of decl
	regions, adding a test for may_be_aliased, rejecting those for
	which it returns false.

2021-12-12  Jonathan Wakely  <jwakely@redhat.com>

	* engine.cc: Define INCLUDE_MEMORY instead of INCLUDE_UNIQUE_PTR.

2021-12-06  David Malcolm  <dmalcolm@redhat.com>

	PR analyzer/103533
	* constraint-manager.cc (equiv_class::contains_non_constant_p):
	New.
	(constraint_manager::canonicalize): Call it when determining
	redundant ECs.
	(selftest::test_purging): New selftest.
	(selftest::run_constraint_manager_tests): Likewise.
	* constraint-manager.h (equiv_class::contains_non_constant_p):
	New decl.

2021-12-01  David Malcolm  <dmalcolm@redhat.com>

	PR analyzer/102471
	* region-model-reachability.cc (reachable_regions::handle_parm):
	Treat all svalues within a compound parm as reachable, and those
	wrapped in a cast.

2021-11-29  David Malcolm  <dmalcolm@redhat.com>

	PR analyzer/103217
	* store.cc (binding_cluster::can_merge_p): For the "key is bound"
	vs "key is not bound" merger case, check that the bound svalue
	is mergeable before merging it to "unknown", rejecting the merger
	otherwise.

2021-11-19  David Malcolm  <dmalcolm@redhat.com>

	PR analyzer/103217
	* engine.cc (exploded_graph::get_or_create_node): Pass in
	m_ext_state to program_state::can_merge_with_p.
	(exploded_graph::process_worklist): Likewise.
	(exploded_graph::maybe_process_run_of_before_supernode_enodes):
	Likewise.
	(exploded_graph::process_node): Add missing call to detect_leaks
	when handling phi nodes.
	* program-state.cc (program_state::can_merge_with_p): Add
	"ext_state" param.  Pass it and state ptrs to
	region_model::can_merge_with_p.
	(selftest::test_program_state_merging): Update for new ext_state
	param of program_state::can_merge_with_p.
	(selftest::test_program_state_merging_2): Likewise.
	* program-state.h (program_state::can_purge_p): Make const.
	(program_state::can_merge_with_p): Add "ext_state" param.
	* region-model.cc: Include "analyzer/program-state.h".
	(region_model::can_merge_with_p): Add params "ext_state",
	"state_a", and "state_b", use them when creating model_merger
	object.
	(model_merger::mergeable_svalue_p): New.
	* region-model.h (region_model::can_merge_with_p): Add params
	"ext_state", "state_a", and "state_b".
	(model_merger::model_merger): Likewise, initializing new fields.
	(model_merger::mergeable_svalue_p): New decl.
	(model_merger::m_ext_state): New field.
	(model_merger::m_state_a): New field.
	(model_merger::m_state_b): New field.
	* svalue.cc (svalue::can_merge_p): Call
	model_merger::mergeable_svalue_p on both states and reject the
	merger accordingly.

2021-11-17  David Malcolm  <dmalcolm@redhat.com>

	PR analyzer/102695
	* region-model-impl-calls.cc (region_model::impl_call_strchr): New.
	* region-model-manager.cc
	(region_model_manager::maybe_fold_unaryop): Simplify cast to
	pointer type of an existing pointer to a region.
	* region-model.cc (region_model::on_call_pre): Handle
	BUILT_IN_STRCHR and "strchr".
	(write_to_const_diagnostic::emit): Add auto_diagnostic_group.  Add
	alternate wordings for functions and labels.
	(write_to_const_diagnostic::describe_final_event): Add alternate
	wordings for functions and labels.
	(region_model::check_for_writable_region): Handle RK_FUNCTION and
	RK_LABEL.
	* region-model.h (region_model::impl_call_strchr): New decl.

2021-11-16  David Malcolm  <dmalcolm@redhat.com>

	PR analyzer/102662
	* constraint-manager.cc (bounded_range::operator==): Require the
	types to be the same for equality.

2021-11-13  David Malcolm  <dmalcolm@redhat.com>

	* analyzer.opt (Wanalyzer-tainted-allocation-size): New.
	(Wanalyzer-tainted-divisor): New.
	(Wanalyzer-tainted-offset): New.
	(Wanalyzer-tainted-size): New.
	* engine.cc (impl_region_model_context::get_taint_map): New.
	* exploded-graph.h (impl_region_model_context::get_taint_map):
	New decl.
	* program-state.cc (sm_state_map::get_state): Call
	alt_get_inherited_state.
	(sm_state_map::impl_set_state): Modify states within
	compound svalues.
	(program_state::impl_call_analyzer_dump_state): Undo casts.
	(selftest::test_program_state_1): Update for new context param of
	create_region_for_heap_alloc.
	(selftest::test_program_state_merging): Likewise.
	* region-model-impl-calls.cc (region_model::impl_call_alloca):
	Likewise.
	(region_model::impl_call_calloc): Likewise.
	(region_model::impl_call_malloc): Likewise.
	(region_model::impl_call_operator_new): Likewise.
	(region_model::impl_call_realloc): Likewise.
	* region-model.cc (region_model::check_region_access): Call
	check_region_for_taint.
	(region_model::get_representative_path_var_1): Handle binops.
	(region_model::create_region_for_heap_alloc): Add "ctxt" param and
	pass it to set_dynamic_extents.
	(region_model::create_region_for_alloca): Likewise.
	(region_model::set_dynamic_extents): Add "ctxt" param and use it
	to call check_dynamic_size_for_taint.
	(selftest::test_state_merging): Update for new context param of
	create_region_for_heap_alloc.
	(selftest::test_malloc_constraints): Likewise.
	(selftest::test_malloc): Likewise.
	(selftest::test_alloca): Likewise for create_region_for_alloca.
	* region-model.h (region_model::create_region_for_heap_alloc): Add
	"ctxt" param.
	(region_model::create_region_for_alloca): Likewise.
	(region_model::set_dynamic_extents): Likewise.
	(region_model::check_dynamic_size_for_taint): New decl.
	(region_model::check_region_for_taint): New decl.
	(region_model_context::get_taint_map): New vfunc.
	(noop_region_model_context::get_taint_map): New.
	* sm-taint.cc: Remove include of "diagnostic-event-id.h"; add
	includes of "gimple-iterator.h", "tristate.h", "selftest.h",
	"ordered-hash-map.h", "cgraph.h", "cfg.h", "digraph.h",
	"analyzer/supergraph.h", "analyzer/call-string.h",
	"analyzer/program-point.h", "analyzer/store.h",
	"analyzer/region-model.h", and "analyzer/program-state.h".
	(enum bounds): Move to top of file.
	(class taint_diagnostic): New.
	(class tainted_array_index): Convert to subclass of taint_diagnostic.
	(tainted_array_index::emit): Add CWE-129.  Reword warning to use
	"attacker-controlled" rather than "tainted".
	(tainted_array_index::describe_state_change): Move to
	taint_diagnostic::describe_state_change.
	(tainted_array_index::describe_final_event): Reword to use
	"attacker-controlled" rather than "tainted".
	(class tainted_offset): New.
	(class tainted_size): New.
	(class tainted_divisor): New.
	(class tainted_allocation_size): New.
	(taint_state_machine::alt_get_inherited_state): New.
	(taint_state_machine::on_stmt): In assignment handling, remove
	ARRAY_REF handling in favor of check_region_for_taint.  Add
	detection of tainted divisors.
	(taint_state_machine::get_taint): New.
	(taint_state_machine::combine_states): New.
	(region_model::check_region_for_taint): New.
	(region_model::check_dynamic_size_for_taint): New.
	* sm.h (state_machine::alt_get_inherited_state): New.

2021-11-12  David Malcolm  <dmalcolm@redhat.com>

	* engine.cc (exploded_node::on_stmt_pre): Return when handling
	"__analyzer_dump_state".

2021-11-11  Richard Biener  <rguenther@suse.de>

	* supergraph.cc: Include bitmap.h.

2021-11-04  David Malcolm  <dmalcolm@redhat.com>

	* program-state.cc (sm_state_map::dump): Use default_tree_printer
	as format decoder.

2021-09-16  Maxim Blinov  <maxim.blinov@embecosm.com>

	PR bootstrap/102242
	* engine.cc (INCLUDE_UNIQUE_PTR): Define.

2021-09-08  David Malcolm  <dmalcolm@redhat.com>

	PR analyzer/102225
	* analyzer.h (compat_types_p): New decl.
	* constraint-manager.cc
	(constraint_manager::get_or_add_equiv_class): Guard against NULL
	type when checking for pointer types.
	* region-model-impl-calls.cc (region_model::impl_call_realloc):
	Guard against NULL lhs type/region.  Guard against the size value
	not being of a compatible type for dynamic extents.
	* region-model.cc (compat_types_p): Make non-static.

2021-08-30  David Malcolm  <dmalcolm@redhat.com>

	PR analyzer/99260
	* analyzer.h (class custom_edge_info): New class, adapted from
	exploded_edge::custom_info_t.  Make member functions const.
	Make update_model return bool, converting edge param from
	reference to a pointer, and adding a ctxt param.
	(class path_context): New class.
	* call-info.cc: New file.
	* call-info.h: New file.
	* engine.cc: Include "analyzer/call-info.h" and <memory>.
	(impl_region_model_context::impl_region_model_context): Update for
	new m_path_ctxt field.
	(impl_region_model_context::bifurcate): New.
	(impl_region_model_context::terminate_path): New.
	(impl_region_model_context::get_malloc_map): New.
	(impl_sm_context::impl_sm_context): Update for new m_path_ctxt
	field.
	(impl_sm_context::get_fndecl_for_call): Likewise.
	(impl_sm_context::set_next_state): Likewise.
	(impl_sm_context::warn): Likewise.
	(impl_sm_context::is_zero_assignment): Likewise.
	(impl_sm_context::get_path_context): New.
	(impl_sm_context::m_path_ctxt): New.
	(impl_region_model_context::on_condition): Update for new
	path_ctxt param.  Handle m_enode_for_diag being NULL.
	(impl_region_model_context::on_phi): Update for new path_ctxt
	param.
	(exploded_node::on_stmt): Add path_ctxt param, updating ctor calls
	to use it as necessary.  Use it to bail out after sm-handling,
	if needed.
	(exploded_node::detect_leaks): Update for new path_ctxt param.
	(dynamic_call_info_t::update_model): Update for conversion of
	exploded_edge::custom_info_t to custom_edge_info.
	(dynamic_call_info_t::add_events_to_path): Likewise.
	(rewind_info_t::update_model): Likewise.
	(rewind_info_t::add_events_to_path): Likewise.
	(exploded_edge::exploded_edge): Likewise.
	(exploded_graph::add_edge): Likewise.
	(exploded_graph::maybe_process_run_of_before_supernode_enodes):
	Update for new path_ctxt param.
	(class impl_path_context): New.
	(exploded_graph::process_node): Update for new path_ctxt param.
	Create an impl_path_context and pass it to exploded_node::on_stmt.
	Use it to terminate iterating stmts if terminate_path is called
	on it.  After processing a run of stmts, query path_ctxt to
	potentially terminate the analysis path, and/or to "bifurcate" the
	analysis into multiple additional paths.
	(feasibility_state::maybe_update_for_edge): Update for new
	update_model ctxt param.
	* exploded-graph.h
	(impl_region_model_context::impl_region_model_context): Add
	path_ctxt param.
	(impl_region_model_context::bifurcate): New.
	(impl_region_model_context::terminate_path): New.
	(impl_region_model_context::get_ext_state): New.
	(impl_region_model_context::get_malloc_map): New.
	(impl_region_model_context::m_path_ctxt): New field.
	(exploded_node::on_stmt): Add path_ctxt param.
	(class exploded_edge::custom_info_t): Move to analyzer.h, renaming
	to custom_edge_info, and making the changes as noted in analyzer.h
	above.
	(exploded_edge::exploded_edge): Update for these changes to
	exploded_edge::custom_info_t.
	(exploded_edge::m_custom_info): Likewise.
	(class dynamic_call_info_t): Likewise.
	(class rewind_info_t): Likewise.
	(exploded_graph::add_edge): Likewise.
	* program-state.cc (program_state::on_edge): Update for new
	path_ctxt param.
	(program_state::push_call): Likewise.
	(program_state::returning_call): Likewise.
	(program_state::prune_for_point): Likewise.
	* region-model-impl-calls.cc: Include "analyzer/call-info.h".
	(call_details::get_fndecl_for_call): New.
	(region_model::impl_call_realloc): Reimplement.
	* region-model.cc (region_model::on_call_pre): Move call to
	impl_call_realloc to...
	(region_model::on_call_post): ...here.  Consolidate creation
	of call_details instance.
	(noop_region_model_context::bifurcate): New.
	(noop_region_model_context::terminate_path): New.
	* region-model.h (call_details::get_call_stmt): New.
	(call_details::get_fndecl_for_call): New.
	(region_model::on_realloc_with_move): New.
	(region_model_context::bifurcate): New.
	(region_model_context::terminate_path): New.
	(region_model_context::get_ext_state): New.
	(region_model_context::get_malloc_map): New.
	(noop_region_model_context::bifurcate): New.
	(noop_region_model_context::terminate_path): New.
	(noop_region_model_context::get_ext_state): New.
	(noop_region_model_context::get_malloc_map): New.
	* sm-malloc.cc: Include "analyzer/program-state.h".
	(malloc_state_machine::on_realloc_call): Reimplement.
	(malloc_state_machine::on_realloc_with_move): New.
	(region_model::on_realloc_with_move): New.
	* sm-signal.cc (class signal_delivery_edge_info_t): Update for
	conversion from exploded_edge::custom_info_t to custom_edge_info.
	* sm.h (sm_context::get_path_context): New.
	* svalue.cc (svalue::maybe_get_constant): Call
	unwrap_any_unmergeable.

2021-08-25  Ankur Saini  <arsenic@sourceware.org>

	PR analyzer/101980
	* engine.cc (exploded_graph::maybe_create_dynamic_call): Don't create
	calls if max recursion limit is reached.

2021-08-23  David Malcolm  <dmalcolm@redhat.com>

	* analyzer.h (struct rejected_constraint): Convert to...
	(class rejected_constraint): ...this.
	(class bounded_ranges): New forward decl.
	(class bounded_ranges_manager): New forward decl.
	* constraint-manager.cc: Include "analyzer/analyzer-logging.h" and
	"tree-pretty-print.h".
	(can_plus_one_p): New.
	(plus_one): New.
	(can_minus_one_p): New.
	(minus_one): New.
	(bounded_range::bounded_range): New.
	(dump_cst): New.
	(bounded_range::dump_to_pp): New.
	(bounded_range::dump): New.
	(bounded_range::to_json): New.
	(bounded_range::set_json_attr): New.
	(bounded_range::contains_p): New.
	(bounded_range::intersects_p): New.
	(bounded_range::operator==): New.
	(bounded_range::cmp): New.
	(bounded_ranges::bounded_ranges): New.
	(bounded_ranges::bounded_ranges): New.
	(bounded_ranges::bounded_ranges): New.
	(bounded_ranges::canonicalize): New.
	(bounded_ranges::validate): New.
	(bounded_ranges::operator==): New.
	(bounded_ranges::dump_to_pp): New.
	(bounded_ranges::dump): New.
	(bounded_ranges::to_json): New.
	(bounded_ranges::eval_condition): New.
	(bounded_ranges::contain_p): New.
	(bounded_ranges::cmp): New.
	(bounded_ranges_manager::~bounded_ranges_manager): New.
	(bounded_ranges_manager::get_or_create_empty): New.
	(bounded_ranges_manager::get_or_create_point): New.
	(bounded_ranges_manager::get_or_create_range): New.
	(bounded_ranges_manager::get_or_create_union): New.
	(bounded_ranges_manager::get_or_create_intersection): New.
	(bounded_ranges_manager::get_or_create_inverse): New.
	(bounded_ranges_manager::consolidate): New.
	(bounded_ranges_manager::get_or_create_ranges_for_switch): New.
	(bounded_ranges_manager::create_ranges_for_switch): New.
	(bounded_ranges_manager::make_case_label_ranges): New.
	(bounded_ranges_manager::log_stats): New.
	(bounded_ranges_constraint::print): New.
	(bounded_ranges_constraint::to_json): New.
	(bounded_ranges_constraint::operator==): New.
	(bounded_ranges_constraint::add_to_hash): New.
	(constraint_manager::constraint_manager): Update for new field
	m_bounded_ranges_constraints.
	(constraint_manager::operator=): Likewise.
	(constraint_manager::hash): Likewise.
	(constraint_manager::operator==): Likewise.
	(constraint_manager::print): Likewise.
	(constraint_manager::dump_to_pp): Likewise.
	(constraint_manager::to_json): Likewise.
	(constraint_manager::add_unknown_constraint): Update the lhs_ec_id
	if necessary in existing constraints when combining equivalence
	classes.  Add similar code for handling
	m_bounded_ranges_constraints.
	(constraint_manager::add_constraint_internal): Add comment.
	(constraint_manager::add_bounded_ranges): New.
	(constraint_manager::eval_condition): Use new field
	m_bounded_ranges_constraints.
	(constraint_manager::purge): Update bounded_ranges_constraint
	instances.
	(constraint_manager::canonicalize): Update for new field.
	(merger_fact_visitor::on_ranges): New.
	(constraint_manager::for_each_fact): Use new field
	m_bounded_ranges_constraints.
	(constraint_manager::validate): Fix off-by-one error needed due
	to bug fixed above in add_unknown_constraint.  Validate the EC IDs
	in m_bounded_ranges_constraints.
	(constraint_manager::get_range_manager): New.
	(selftest::assert_dump_bounded_range_eq): New.
	(ASSERT_DUMP_BOUNDED_RANGE_EQ): New.
	(selftest::test_bounded_range): New.
	(selftest::assert_dump_bounded_ranges_eq): New.
	(ASSERT_DUMP_BOUNDED_RANGES_EQ): New.
	(selftest::test_bounded_ranges): New.
	(selftest::run_constraint_manager_tests): Call the new selftests.
	* constraint-manager.h (struct bounded_range): New.
	(struct bounded_ranges): New.
	(template <> struct default_hash_traits<bounded_ranges::key_t>): New.
	(class bounded_ranges_manager): New.
	(fact_visitor::on_ranges): New pure virtual function.
	(class bounded_ranges_constraint): New.
	(constraint_manager::add_bounded_ranges): New decl.
	(constraint_manager::get_range_manager): New decl.
	(constraint_manager::m_bounded_ranges_constraints): New field.
	* diagnostic-manager.cc (epath_finder::process_worklist_item):
	Transfer ownership of rc to add_feasibility_problem.
	* engine.cc (feasibility_problem::dump_to_pp): Use get_model.
	* feasible-graph.cc (infeasible_node::dump_dot): Update for
	conversion of m_rc to a pointer.
	(feasible_graph::add_feasibility_problem): Pass RC by pointer and
	take ownership.
	* feasible-graph.h (infeasible_node::infeasible_node): Pass RC by
	pointer and take ownership.
	(infeasible_node::~infeasible_node): New.
	(infeasible_node::m_rc): Convert to a pointer.
	(feasible_graph::add_feasibility_problem): Pass RC by pointer and
	take ownership.
	* region-model-manager.cc: Include
	"analyzer/constraint-manager.h".
	(region_model_manager::region_model_manager): Initialize new
	field m_range_mgr.
	(region_model_manager::~region_model_manager): Delete it.
	(region_model_manager::log_stats): Call log_stats on it.
	* region-model.cc (region_model::add_constraint): Use new subclass
	rejected_op_constraint.
	(region_model::apply_constraints_for_gswitch): Reimplement using
	bounded_ranges_manager.
	(rejected_constraint::dump_to_pp): Convert to...
	(rejected_op_constraint::dump_to_pp): ...this.
	(rejected_ranges_constraint::dump_to_pp): New.
	* region-model.h (struct purge_stats): Add field
	m_num_bounded_ranges_constraints.
	(region_model_manager::get_range_manager): New.
	(region_model_manager::m_range_mgr): New.
	(region_model::get_range_manager): New.
	(struct rejected_constraint): Split into...
	(class rejected_constraint): ...this new abstract base class,
	and...
	(class rejected_op_constraint): ...this new concrete subclass.
	(class rejected_ranges_constraint): New.
	* supergraph.cc: Include "tree-cfg.h".
	(supergraph::supergraph): Drop idx param from add_cfg_edge.
	(supergraph::add_cfg_edge): Drop idx param.
	(switch_cfg_superedge::switch_cfg_superedge): Move here from
	header.  Populate m_case_labels with all cases which go to DST.
	(switch_cfg_superedge::dump_label_to_pp): Reimplement to use
	m_case_labels.
	(switch_cfg_superedge::get_case_label): Delete.
	* supergraph.h (supergraph::add_cfg_edge): Drop "idx" param.
	(switch_cfg_superedge::switch_cfg_superedge): Drop idx param and
	move implementation to supergraph.cc.
	(switch_cfg_superedge::get_case_label): Delete.
	(switch_cfg_superedge::get_case_labels): New.
	(switch_cfg_superedge::m_idx): Delete.
	(switch_cfg_superedge::m_case_labels): New field.

2021-08-23  David Malcolm  <dmalcolm@redhat.com>

	PR analyzer/101875
	* sm-file.cc (file_diagnostic::describe_state_change): Handle
	change.m_expr being NULL.

2021-08-23  David Malcolm  <dmalcolm@redhat.com>

	PR analyzer/101837
	* analyzer.cc (maybe_reconstruct_from_def_stmt): Bail if fn is
	NULL, and assert that it's non-NULL before passing it to
	build_call_array_loc.

2021-08-23  David Malcolm  <dmalcolm@redhat.com>

	PR analyzer/101962
	* region-model.cc (region_model::eval_condition_without_cm):
	Refactor comparison against zero, adding a check for
	POINTER_PLUS_EXPR of non-NULL.

2021-08-23  David Malcolm  <dmalcolm@redhat.com>

	* store.cc (bit_range::intersects_p): New overload.
	(bit_range::operator-): New.
	(binding_cluster::maybe_get_compound_binding): Handle the partial
	overlap case.
	(selftest::test_bit_range_intersects_p): Add test coverage for
	new overload of bit_range::intersects_p.
	* store.h (bit_range::intersects_p): New overload.
	(bit_range::operator-): New.

2021-08-23  Ankur Saini  <arsenic@sourceware.org>

	PR analyzer/102020
	* diagnostic-manager.cc
	(diagnostic_manager::prune_for_sm_diagnostic)<case EK_CALL_EDGE>: Fix typo.

2021-08-21  Ankur Saini  <arsenic@sourceware.org>

	PR analyzer/101980
	* diagnostic-manager.cc
	(diagnostic_manager::prune_for_sm_diagnostic)<case EK_CALL_EDGE>: Use
	caller_model only when the supergraph_edge doesn't exist.
	(diagnostic_manager::prune_for_sm_diagnostic)<case EK_RETURN_EDGE>:
	Likewise.
	* engine.cc (exploded_graph::create_dynamic_call): Rename to...
	(exploded_graph::maybe_create_dynamic_call): ...this, return call
	creation status.
	(exploded_graph::process_node): Handle calls which were not dynamically
	discovered.
	* exploded-graph.h (exploded_graph::create_dynamic_call): Rename to...
	(exploded_graph::maybe_create_dynamic_call): ...this.
	* region-model.cc (region_model::update_for_gcall): New param, use it
	to push call to frame.
	(region_model::update_for_call_superedge): Pass callee function to
	update_for_gcall.
	* region-model.h (region_model::update_for_gcall): New param.

2021-08-18  Ankur Saini  <arsenic@sourceware.org>

	PR analyzer/97114
	* region-model.cc (region_model::get_rvalue_1): Add case for
	OBJ_TYPE_REF.

2021-08-18  Ankur Saini  <arsenic@sourceware.org>

	PR analyzer/100546
	* analysis-plan.cc (analysis_plan::use_summary_p): Don't use call
	summaries if there is no callgraph edge.
	* checker-path.cc (call_event::call_event): Handle call events that
	are not represented by a supergraph call edge.
	(return_event::return_event): Likewise.
	(call_event::get_desc): Work with new call_event structure.
	(return_event::get_desc): Likewise.
	* checker-path.h (call_event::m_src_snode): New field.
	(call_event::m_dest_snode): New field.
	(return_event::m_src_snode): New field.
	(return_event::m_dest_snode): New field.
	* diagnostic-manager.cc
	(diagnostic_manager::prune_for_sm_diagnostic)<case EK_CALL_EDGE>:
	Refactor to work with edges without callgraph edge.
	(diagnostic_manager::prune_for_sm_diagnostic)<case EK_RETURN_EDGE>:
	Likewise.
	* engine.cc (dynamic_call_info_t::update_model): New function.
	(dynamic_call_info_t::add_events_to_path): New function.
	(exploded_graph::create_dynamic_call): New function.
	(exploded_graph::process_node): Work with dynamically discovered calls.
	* exploded-graph.h (class dynamic_call_info_t): New class.
	(exploded_graph::create_dynamic_call): New decl.
	* program-point.cc (program_point::push_to_call_stack): New function.
	(program_point::pop_from_call_stack): New function.
	* program-point.h (program_point::push_to_call_stack): New decl.
	(program_point::pop_from_call_stack): New decl.
	* program-state.cc (program_state::push_call): New function.
	(program_state::returning_call): New function.
	* program-state.h (program_state::push_call): New decl.
	(program_state::returning_call): New decl.
	* region-model.cc (region_model::update_for_gcall): New function.
	(region_model::update_for_return_gcall): New function.
	(region_model::update_for_call_superedge): Get the underlying gcall and
	update for gcall.
	(region_model::update_for_return_superedge): Likewise.
	* region-model.h (region_model::update_for_gcall): New decl.
	(region_model::update_for_return_gcall): New decl.
	* state-purge.cc (state_purge_per_ssa_name::process_point): Update to
	work with calls without underlying cgraph edge.
	* supergraph.cc (supergraph::supergraph): Split snodes at every callsite.
	* supergraph.h (supernode::get_returning_call): New accessor.

2021-08-04  David Malcolm  <dmalcolm@redhat.com>

	PR analyzer/101570
	* analyzer.cc (maybe_reconstruct_from_def_stmt): Add GIMPLE_ASM
	case.
	* analyzer.h (class asm_output_svalue): New forward decl.
	(class reachable_regions): New forward decl.
	* complexity.cc (complexity::from_vec_svalue): New.
	* complexity.h (complexity::from_vec_svalue): New decl.
	* engine.cc (feasibility_state::maybe_update_for_edge): Handle
	asm stmts by calling on_asm_stmt.
	* region-model-asm.cc: New file.
	* region-model-manager.cc
	(region_model_manager::maybe_fold_asm_output_svalue): New.
	(region_model_manager::get_or_create_asm_output_svalue): New.
	(region_model_manager::log_stats): Log m_asm_output_values_map.
	* region-model.cc (region_model::on_stmt_pre): Handle GIMPLE_ASM.
	* region-model.h (visitor::visit_asm_output_svalue): New.
	(region_model_manager::get_or_create_asm_output_svalue): New decl.
	(region_model_manager::maybe_fold_asm_output_svalue): New decl.
	(region_model_manager::asm_output_values_map_t): New typedef.
	(region_model_manager::m_asm_output_values_map): New field.
	(region_model::on_asm_stmt): New.
	* store.cc (binding_cluster::on_asm): New.
	* store.h (binding_cluster::on_asm): New decl.
	* svalue.cc (svalue::cmp_ptr): Handle SK_ASM_OUTPUT.
	(asm_output_svalue::dump_to_pp): New.
	(asm_output_svalue::dump_input): New.
	(asm_output_svalue::input_idx_to_asm_idx): New.
	(asm_output_svalue::accept): New.
	* svalue.h (enum svalue_kind): Add SK_ASM_OUTPUT.
	(svalue::dyn_cast_asm_output_svalue): New.
	(class asm_output_svalue): New.
	(is_a_helper <const asm_output_svalue *>::test): New.
	(struct default_hash_traits<asm_output_svalue::key_t>): New.

2021-08-03  Jakub Jelinek  <jakub@redhat.com>

	PR analyzer/101721
	* sm-malloc.cc (known_allocator_p): Only check DECL_FUNCTION_CODE on
	BUILT_IN_NORMAL builtins.

2021-07-29  Ankur Saini  <arsenic@sourceware.org>

	* call-string.cc (call_string::element_t::operator==): New operator.
	(call_string::element_t::operator!=): New operator.
	(call_string::element_t::get_caller_function): New function.
	(call_string::element_t::get_callee_function): New function.
	(call_string::call_string): Refactor to initialise m_elements.
	(call_string::operator=): Refactor to work with m_elements.
	(call_string::operator==): Likewise.
	(call_string::to_json): Likewise.
	(call_string::hash): Refactor to hash e.m_caller.
	(call_string::push_call): Refactor to work with m_elements.
	(call_string::push_call): New overload to push call via supernodes.
	(call_string::pop): Refactor to work with m_elements.
	(call_string::calc_recursion_depth): Likewise.
	(call_string::cmp): Likewise.
	(call_string::validate): Likewise.
	(call_string::operator[]): Likewise.
	* call-string.h (class supernode): New forward decl.
	(struct call_string::element_t): New struct.
	(call_string::call_string): Refactor to initialise m_elements.
	(call_string::empty_p): Refactor to work with m_elements.
	(call_string::get_callee_node): New decl.
	(call_string::get_caller_node): New decl.
	(m_elements): Replaces m_return_edges.
	* program-point.cc (program_point::get_function_at_depth): Refactor to
	work with new call-string format.
	(program_point::validate): Likewise.
	(program_point::on_edge): Likewise.

2021-07-28  David Malcolm  <dmalcolm@redhat.com>

	* region-model.cc (region_model::on_call_pre): Treat
	IFN_UBSAN_BOUNDS, BUILT_IN_STACK_SAVE, and BUILT_IN_STACK_RESTORE
	as no-ops, rather than handling them as unknown functions.

2021-07-28  David Malcolm  <dmalcolm@redhat.com>

	* region-model-impl-calls.cc (region_model::impl_call_alloca):
	Drop redundant return value.
	(region_model::impl_call_builtin_expect): Likewise.
	(region_model::impl_call_calloc): Likewise.
	(region_model::impl_call_malloc): Likewise.
	(region_model::impl_call_memset): Likewise.
	(region_model::impl_call_operator_new): Likewise.
	(region_model::impl_call_operator_delete): Likewise.
	(region_model::impl_call_strlen): Likewise.
	* region-model.cc (region_model::on_call_pre): Fix return value of
	known functions that don't have unknown side-effects.
	* region-model.h (region_model::impl_call_alloca): Drop redundant
	return value.
	(region_model::impl_call_builtin_expect): Likewise.
	(region_model::impl_call_calloc): Likewise.
	(region_model::impl_call_malloc): Likewise.
	(region_model::impl_call_memset): Likewise.
	(region_model::impl_call_strlen): Likewise.
	(region_model::impl_call_operator_new): Likewise.
	(region_model::impl_call_operator_delete): Likewise.

2021-07-28  Siddhesh Poyarekar  <siddhesh@gotplt.org>

	* analyzer.cc (is_named_call_p, is_std_named_call_p): Make
	first argument a const_tree.
	* analyzer.h (is_named_call_p, is_std_named_call_p): Likewise.
	* sm-malloc.cc (known_allocator_p): New function.
	(malloc_state_machine::on_stmt): Use it.

2021-07-28  Siddhesh Poyarekar  <siddhesh@gotplt.org>

	* sm-malloc.cc
	(malloc_state_machine::get_or_create_deallocator): Recognize
	__builtin_free.

2021-07-26  David Malcolm  <dmalcolm@redhat.com>

	* region-model.cc (region_model::on_call_pre): Always set conjured
	LHS, not just for SSA names.

2021-07-23  David Malcolm  <dmalcolm@redhat.com>

	* diagnostic-manager.cc
	(class auto_disable_complexity_checks): New.
	(epath_finder::explore_feasible_paths): Use it to disable
	complexity checks whilst processing the worklist.
	* region-model-manager.cc
	(region_model_manager::region_model_manager): Initialize
	m_check_complexity.
	(region_model_manager::reject_if_too_complex): Bail if
	m_check_complexity is false.
	* region-model.h
	(region_model_manager::enable_complexity_check): New.
	(region_model_manager::disable_complexity_check): New.
	(region_model_manager::m_check_complexity): New.

2021-07-21  David Malcolm  <dmalcolm@redhat.com>

	PR analyzer/101547
	* sm-file.cc (file_leak::emit): Handle m_arg being NULL.
	(file_leak::describe_final_event): Handle ev.m_expr being NULL.

2021-07-21  David Malcolm  <dmalcolm@redhat.com>

	PR analyzer/101522
	* store.cc (binding_cluster::purge_state_involving): Don't change
	m_map whilst iterating through it.

2021-07-21  David Malcolm  <dmalcolm@redhat.com>

	* region-model.cc (region_model::handle_phi): Add "old_state"
	param and use it.
	(region_model::update_for_phis): Update so that all of the phi
	stmts are effectively handled simultaneously, rather than in
	order.
	* region-model.h (region_model::handle_phi): Add "old_state"
	param.
	* state-purge.cc (self_referential_phi_p): Replace with...
	(name_used_by_phis_p): ...this new function.
	(state_purge_per_ssa_name::process_point): Update to use the
	above, so that all phi stmts at a basic block are effectively
	considered simultaneously, and only consider the phi arguments for
	the pertinent in-edge.
	* supergraph.cc (cfg_superedge::get_phi_arg_idx): New.
	(cfg_superedge::get_phi_arg): Use the above.
	* supergraph.h (cfg_superedge::get_phi_arg_idx): New decl.

2021-07-21  David Malcolm  <dmalcolm@redhat.com>

	* state-purge.cc (state_purge_annotator::add_node_annotations):
	Rather than erroneously always using the NULL in-edge, determine
	each relevant in-edge, and print the appropriate data for each
	in-edge.  Use print_needed to print the data as comma-separated
	lists of SSA names.
	(print_vec_of_names): Add "within_table" param and use it.
	(state_purge_annotator::add_stmt_annotations): Factor out
	collation and printing code into...
	(state_purge_annotator::print_needed): ...this new function.
	* state-purge.h (state_purge_annotator::print_needed): New decl.

2021-07-21  David Malcolm  <dmalcolm@redhat.com>

	* program-point.cc (function_point::print): Show src BB index at
	BEFORE_SUPERNODE.

2021-07-21  David Malcolm  <dmalcolm@redhat.com>

	* svalue.cc (infix_p): New.
	(binop_svalue::dump_to_pp): Use it to print MIN_EXPR and MAX_EXPR
	in prefix form, rather than infix.

2021-07-19  David Malcolm  <dmalcolm@redhat.com>

	PR analyzer/101503
	* constraint-manager.cc (constraint_manager::add_constraint): Use
	can_have_associated_state_p rather than testing for unknown.
	(constraint_manager::get_or_add_equiv_class): Likewise.
	* program-state.cc (sm_state_map::set_state): Likewise.
	(sm_state_map::impl_set_state): Add assertion.
	* region-model-manager.cc
	(region_model_manager::maybe_fold_unaryop): Handle poisoned
	values.
	(region_model_manager::maybe_fold_binop): Move handling of unknown
	values...
	(region_model_manager::get_or_create_binop): ...to here, and
	generalize to use can_have_associated_state_p.
	(region_model_manager::maybe_fold_sub_svalue): Use
	can_have_associated_state_p rather than testing for unknown.
	(region_model_manager::maybe_fold_repeated_svalue): Use unknown
	when the size or repeated value is "unknown"/"poisoned".
	* region-model.cc (region_model::purge_state_involving): Reject
	attempts to purge unknown/poisoned svalues, as these svalues
	should not have state associated with them.
	* svalue.cc (sub_svalue::sub_svalue): Assert that we're building
	on top of an svalue with can_have_associated_state_p.
	(repeated_svalue::repeated_svalue): Likewise.
	(bits_within_svalue::bits_within_svalue): Likewise.
	* svalue.h (svalue::can_have_associated_state_p): New.
	(unknown_svalue::can_have_associated_state_p): New.
	(poisoned_svalue::can_have_associated_state_p): New.
	(unaryop_svalue::unaryop_svalue): Assert that we're building on
	top of an svalue with can_have_associated_state_p.
	(binop_svalue::binop_svalue): Likewise.
	(widening_svalue::widening_svalue): Likewise.

2021-07-16  David Malcolm  <dmalcolm@redhat.com>

	* analyzer.h (enum access_direction): New.
	* engine.cc (exploded_node::on_longjmp): Update for new param of
	get_store_value.
	* program-state.cc (program_state::prune_for_point): Likewise.
	* region-model-impl-calls.cc (region_model::impl_call_memcpy):
	Replace call to check_for_writable_region with call to
	check_region_for_write.
	(region_model::impl_call_memset): Likewise.
	(region_model::impl_call_strcpy): Likewise.
	* region-model-reachability.cc (reachable_regions::add): Update
	for new param of get_store_value.
	* region-model.cc (region_model::get_rvalue_1): Likewise, also for
	get_rvalue_for_bits.
	(region_model::get_store_value): Add ctxt param and use it to call
	check_region_for_read.
	(region_model::get_rvalue_for_bits): Add ctxt param and use it to
	call get_store_value.
	(region_model::check_region_access): New.
	(region_model::check_region_for_write): New.
	(region_model::check_region_for_read): New.
	(region_model::set_value): Update comment.  Replace call to
	check_for_writable_region with call to check_region_for_write.
	* region-model.h (region_model::get_rvalue_for_bits): Add ctxt
	param.
	(region_model::get_store_value): Add ctxt param.
	(region_model::check_region_access): New decl.
	(region_model::check_region_for_write): New decl.
	(region_model::check_region_for_read): New decl.
	* region.cc (region_model::copy_region): Update call to
	get_store_value.
	* svalue.cc (initial_svalue::implicitly_live_p): Likewise.

2021-07-16  David Malcolm  <dmalcolm@redhat.com>

	* engine.cc (exploded_node::on_stmt_pre): Handle
	__analyzer_dump_state.
	* program-state.cc (extrinsic_state::get_sm_idx_by_name): New.
	(program_state::impl_call_analyzer_dump_state): New.
	* program-state.h (extrinsic_state::get_sm_idx_by_name): New decl.
	(program_state::impl_call_analyzer_dump_state): New decl.
	* region-model-impl-calls.cc
	(call_details::get_arg_string_literal): New.
	* region-model.h (call_details::get_arg_string_literal): New decl.

2021-07-16  David Malcolm  <dmalcolm@redhat.com>

	* program-state.cc (program_state::detect_leaks): Simplify using
	svalue::maybe_get_region.
	* region-model-impl-calls.cc (region_model::impl_call_fgets): Likewise.
	(region_model::impl_call_fread): Likewise.
	(region_model::impl_call_free): Likewise.
	(region_model::impl_call_operator_delete): Likewise.
	* region-model.cc (selftest::test_stack_frames): Likewise.
	(selftest::test_state_merging): Likewise.
	* svalue.cc (svalue::maybe_get_region): New.
	* svalue.h (svalue::maybe_get_region): New decl.

2021-07-15  David Malcolm  <dmalcolm@redhat.com>

	* svalue.h (is_a_helper <placeholder_svalue *>::test): Make
	param and template param const.
	(is_a_helper <widening_svalue *>::test): Likewise.
	(is_a_helper <compound_svalue *>::test): Likewise.
	(is_a_helper <conjured_svalue *>::test): Likewise.

2021-07-15  David Malcolm  <dmalcolm@redhat.com>

	PR analyzer/95006
	PR analyzer/94713
	PR analyzer/94714
	* analyzer.cc (maybe_reconstruct_from_def_stmt): Split out
	GIMPLE_ASSIGN case into...
	(get_diagnostic_tree_for_gassign_1): New.
	(get_diagnostic_tree_for_gassign): New.
	* analyzer.h (get_diagnostic_tree_for_gassign): New decl.
	* analyzer.opt (Wanalyzer-write-to-string-literal): New.
	* constraint-manager.cc (class svalue_purger): New.
	(constraint_manager::purge_state_involving): New.
	* constraint-manager.h
	(constraint_manager::purge_state_involving): New.
	* diagnostic-manager.cc (saved_diagnostic::supercedes_p): New.
	(dedupe_winners::handle_interactions): New.
	(diagnostic_manager::emit_saved_diagnostics): Call it.
	* diagnostic-manager.h (saved_diagnostic::supercedes_p): New decl.
	* engine.cc (impl_region_model_context::warn): Convert return type
	to bool.  Return false if the diagnostic isn't saved.
	(impl_region_model_context::purge_state_involving): New.
	(impl_sm_context::get_state): Use NULL ctxt when querying old
	rvalue.
	(impl_sm_context::set_next_state): Use new sval when querying old
	state.
	(class dump_path_diagnostic): Move to region-model.cc.
	(exploded_node::on_stmt): Move to on_stmt_pre and on_stmt_post.
	Remove call to purge_state_involving.
	(exploded_node::on_stmt_pre): New, based on the above.  Move most
	of it to region_model::on_stmt_pre.
	(exploded_node::on_stmt_post): Likewise, moving to
	region_model::on_stmt_post.
	(class stale_jmp_buf): Fix parent class to use curiously recurring
	template pattern.
	(feasibility_state::maybe_update_for_edge): Call on_call_pre and
	on_call_post on gcalls.
	* exploded-graph.h (impl_region_model_context::warn): Return bool.
	(impl_region_model_context::purge_state_involving): New decl.
	(exploded_node::on_stmt_pre): New decl.
	(exploded_node::on_stmt_post): New decl.
	* pending-diagnostic.h (pending_diagnostic::use_of_uninit_p): New.
	(pending_diagnostic::supercedes_p): New.
	* program-state.cc (sm_state_map::get_state): Inherit state for
	conjured_svalue as well as initial_svalue.
	(sm_state_map::purge_state_involving): Also support SK_CONJURED.
	* region-model-impl-calls.cc (call_details::get_uncertainty):
	Handle m_ctxt being NULL.
	(call_details::get_or_create_conjured_svalue): New.
	(region_model::impl_call_fgets): New.
	(region_model::impl_call_fread): New.
	* region-model-manager.cc
	(region_model_manager::get_or_create_initial_value): Return an
	uninitialized poisoned value for regions that can't have initial
	values.
	* region-model-reachability.cc
	(reachable_regions::mark_escaped_clusters): Handle ctxt being
	NULL.
	* region-model.cc (region_to_value_map::purge_state_involving): New.
	(poisoned_value_diagnostic::use_of_uninit_p): New.
	(poisoned_value_diagnostic::emit): Handle POISON_KIND_UNINIT.
	(poisoned_value_diagnostic::describe_final_event): Likewise.
	(region_model::check_for_poison): New.
	(region_model::on_assignment): Call it.
	(class dump_path_diagnostic): Move here from engine.cc.
	(region_model::on_stmt_pre): New, based on exploded_node::on_stmt.
	(region_model::on_call_pre): Move the setting of the LHS to a
	conjured svalue to before the checks for specific functions.
	Handle "fgets", "fgets_unlocked", and "fread".
	(region_model::purge_state_involving): New.
	(region_model::handle_unrecognized_call): Handle ctxt being NULL.
	(region_model::get_rvalue): Call check_for_poison.
	(selftest::test_stack_frames): Use NULL for context when getting
	uninitialized rvalue.
	(selftest::test_alloca): Likewise.
	* region-model.h (region_to_value_map::purge_state_involving): New
	decl.
	(call_details::get_or_create_conjured_svalue): New decl.
	(region_model::on_stmt_pre): New decl.
	(region_model::purge_state_involving): New decl.
	(region_model::impl_call_fgets): New decl.
	(region_model::impl_call_fread): New decl.
	(region_model::check_for_poison): New decl.
	(region_model_context::warn): Return bool.
	(region_model_context::purge_state_involving): New.
	(noop_region_model_context::warn): Return bool.
	(noop_region_model_context::purge_state_involving): New.
	(test_region_model_context::warn): Return bool.
	* region.cc (region::get_memory_space): New.
	(region::can_have_initial_svalue_p): New.
	(region::involves_p): New.
	* region.h (enum memory_space): New.
	(region::get_memory_space): New decl.
	(region::can_have_initial_svalue_p): New decl.
	(region::involves_p): New decl.
	* sm-malloc.cc (use_after_free::supercedes_p): New.
	* store.cc (binding_cluster::purge_state_involving): New.
	(store::purge_state_involving): New.
	* store.h (class symbolic_binding): New forward decl.
	(binding_key::dyn_cast_symbolic_binding): New.
	(symbolic_binding::dyn_cast_symbolic_binding): New.
	(binding_cluster::purge_state_involving): New.
	(store::purge_state_involving): New.
	* svalue.cc (svalue::can_merge_p): Reject attempts to merge
	poisoned svalues with other svalues, so that we identify
	paths in which a variable is conditionally uninitialized.
	(involvement_visitor::visit_conjured_svalue): New.
	(svalue::involves_p): Also handle SK_CONJURED.
	(poison_kind_to_str): Handle POISON_KIND_UNINIT.
	(poisoned_svalue::maybe_fold_bits_within): New.
	* svalue.h (enum poison_kind): Add POISON_KIND_UNINIT.
	(poisoned_svalue::maybe_fold_bits_within): New decl.

2021-07-15  David Malcolm  <dmalcolm@redhat.com>

	* analyzer.opt (fdump-analyzer-exploded-paths): New.
	* diagnostic-manager.cc
	(diagnostic_manager::emit_saved_diagnostic): Implement it.
	* engine.cc (exploded_path::dump_to_pp): Add ext_state param and
	use it to dump states if non-NULL.
	(exploded_path::dump): Likewise.
	(exploded_path::dump_to_file): New.
	* exploded-graph.h (exploded_path::dump_to_pp): Add ext_state
	param.
	(exploded_path::dump): Likewise.
	(exploded_path::dump): Likewise.
	(exploded_path::dump_to_file): New.

2021-07-15  David Malcolm  <dmalcolm@redhat.com>

	* analyzer.cc (fixup_tree_for_diagnostic_1): Use DECL_DEBUG_EXPR
	if it's available.
	* engine.cc (readability): Likewise.

2021-07-15  David Malcolm  <dmalcolm@redhat.com>

	* state-purge.cc (self_referential_phi_p): New.
	(state_purge_per_ssa_name::process_point): Don't purge an SSA name
	at its def-stmt if the def-stmt is self-referential.

2021-07-07  David Malcolm  <dmalcolm@redhat.com>

	* diagnostic-manager.cc (null_assignment_sm_context::get_state):
	New overload.
	(null_assignment_sm_context::set_next_state): New overload.
	(null_assignment_sm_context::get_diagnostic_tree): New.
	* engine.cc (impl_sm_context::get_state): New overload.
	(impl_sm_context::set_next_state): New overload.
	(impl_sm_context::get_diagnostic_tree): New overload.
	(impl_region_model_context::on_condition): Convert params from
	tree to const svalue *.
	* exploded-graph.h (impl_region_model_context::on_condition):
	Likewise.
	* region-model.cc (region_model::on_call_pre): Move handling of
	internal calls to before checking for get_fndecl_for_call.
	(region_model::add_constraints_from_binop): New.
	(region_model::add_constraint): Split out into a new overload
	working on const svalue * rather than tree.  Call
	add_constraints_from_binop.  Drop call to
	add_any_constraints_from_ssa_def_stmt.
	(region_model::add_any_constraints_from_ssa_def_stmt): Delete.
	(region_model::add_any_constraints_from_gassign): Delete.
	(region_model::add_any_constraints_from_gcall): Delete.
	* region-model.h
	(region_model::add_any_constraints_from_ssa_def_stmt): Delete.
	(region_model::add_any_constraints_from_gassign): Delete.
	(region_model::add_any_constraints_from_gcall): Delete.
	(region_model::add_constraint): Add overload decl.
	(region_model::add_constraints_from_binop): New decl.
	(region_model_context::on_condition): Convert params from tree to
	const svalue *.
	(noop_region_model_context::on_condition): Likewise.
	* sm-file.cc (fileptr_state_machine::condition): Likewise.
	* sm-malloc.cc (malloc_state_machine::on_condition): Likewise.
	* sm-pattern-test.cc: Include tristate.h, selftest.h,
	analyzer/call-string.h, analyzer/program-point.h,
	analyzer/store.h, and analyzer/region-model.h.
	(pattern_test_state_machine::on_condition): Convert params from tree to
	const svalue *.
	* sm-sensitive.cc (sensitive_state_machine::on_condition): Delete.
	* sm-signal.cc (signal_state_machine::on_condition): Delete.
	* sm-taint.cc (taint_state_machine::on_condition): Convert params
	from tree to const svalue *.
	* sm.cc: Include tristate.h, selftest.h, analyzer/call-string.h,
	analyzer/program-point.h, analyzer/store.h, and
	analyzer/region-model.h.
	(any_pointer_p): Add overload taking const svalue *sval.
	* sm.h (any_pointer_p): Add overload taking const svalue *sval.
	(state_machine::on_condition): Convert params from tree to
	const svalue *.  Provide no-op default implementation.
	(sm_context::get_state): Add overload taking const svalue *sval.
	(sm_context::set_next_state): Likewise.
	(sm_context::on_transition): Likewise.
	(sm_context::get_diagnostic_tree): Likewise.
	* svalue.cc (svalue::all_zeroes_p): New.
	(constant_svalue::all_zeroes_p): New.
	(repeated_svalue::all_zeroes_p): Convert to vfunc.
	* svalue.h (svalue::all_zeroes_p): New decl.
	(constant_svalue::all_zeroes_p): New decl.
	(repeated_svalue::all_zeroes_p): Convert decl to vfunc.

2021-06-30  David Malcolm  <dmalcolm@redhat.com>

	PR analyzer/95006
	* analyzer.h (class repeated_svalue): New forward decl.
	(class bits_within_svalue): New forward decl.
	(class sized_region): New forward decl.
	(get_field_at_bit_offset): New forward decl.
	* engine.cc (exploded_graph::get_or_create_node): Validate the
	merged state.
	(exploded_graph::maybe_process_run_of_before_supernode_enodes):
	Validate the states at each stage.
	* program-state.cc (program_state::validate): Validate
	m_region_model.
	* region-model-impl-calls.cc (region_model::impl_call_memset):
	Replace special-case logic for handling constant sizes with
	a call to fill_region of a sized_region with the given fill value.
	* region-model-manager.cc (maybe_undo_optimize_bit_field_compare):
	Drop DK_direct.
	(region_model_manager::maybe_fold_sub_svalue): Fold element-based
	subregions of an initial value into initial values of an element.
	Fold subvalues of repeated svalues.
	(region_model_manager::maybe_fold_repeated_svalue): New.
	(region_model_manager::get_or_create_repeated_svalue): New.
	(get_bit_range_for_field): New.
	(get_byte_range_for_field): New.
	(get_field_at_byte_range): New.
	(region_model_manager::maybe_fold_bits_within_svalue): New.
	(region_model_manager::get_or_create_bits_within): New.
	(region_model_manager::get_sized_region): New.
	(region_model_manager::log_stats): Update for addition of
	m_repeated_values_map, m_bits_within_values_map, and
	m_sized_regions.
	* region-model.cc (region_model::validate): New.
	(region_model::on_assignment): Drop enum binding_kind.
	(region_model::get_initial_value_for_global): Likewise.
	(region_model::get_rvalue_for_bits): Replace body with call to
	get_or_create_bits_within.
	(region_model::get_capacity): Handle RK_SIZED.
	(region_model::set_value): Drop enum binding_kind.
	(region_model::fill_region): New.
	(region_model::get_representative_path_var_1): Handle RK_SIZED.
	* region-model.h (visitor::visit_repeated_svalue): New.
	(visitor::visit_bits_within_svalue): New.
	(region_model_manager::get_or_create_repeated_svalue): New decl.
	(region_model_manager::get_or_create_bits_within): New decl.
	(region_model_manager::get_sized_region): New decl.
	(region_model_manager::maybe_fold_repeated_svalue): New decl.
	(region_model_manager::maybe_fold_bits_within_svalue): New decl.
	(region_model_manager::repeated_values_map_t): New typedef.
	(region_model_manager::m_repeated_values_map): New field.
	(region_model_manager::bits_within_values_map_t): New typedef.
	(region_model_manager::m_bits_within_values_map): New field.
	(region_model_manager::m_sized_regions): New field.
	(region_model::fill_region): New decl.
	* region.cc (region::get_base_region): Handle RK_SIZED.
	(region::base_region_p): Likewise.
	(region::get_byte_size_sval): New.
	(get_field_at_bit_offset): Make non-static.
	(region::calc_offset): Move implementation of cases to
	get_relative_concrete_offset vfunc implementations.  Handle
	RK_SIZED.
	(region::get_relative_concrete_offset): New.
	(decl_region::get_svalue_for_initializer): Drop enum binding_kind.
	(field_region::get_relative_concrete_offset): New, from
	region::calc_offset.
	(element_region::get_relative_concrete_offset): Likewise.
	(offset_region::get_relative_concrete_offset): Likewise.
	(sized_region::accept): New.
	(sized_region::dump_to_pp): New.
	(sized_region::get_byte_size): New.
	(sized_region::get_bit_size): New.
	* region.h (enum region_kind): Add RK_SIZED.
	(region::dyn_cast_sized_region): New.
	(region::get_byte_size): Make virtual.
	(region::get_bit_size): Likewise.
	(region::get_byte_size_sval): New decl.
	(region::get_relative_concrete_offset): New decl.
	(field_region::get_relative_concrete_offset): New decl.
	(element_region::get_relative_concrete_offset): Likewise.
	(offset_region::get_relative_concrete_offset): Likewise.
	(class sized_region): New.
	* store.cc (binding_kind_to_string): Delete.
	(binding_key::make): Drop enum binding_kind.
	(binding_key::dump_to_pp): Delete.
	(binding_key::cmp_ptrs): Drop enum binding_kind.
	(bit_range::contains_p): New.
	(byte_range::dump): New.
	(byte_range::contains_p): New.
	(byte_range::cmp): New.
	(concrete_binding::dump_to_pp): Drop enum binding_kind.
	(concrete_binding::cmp_ptr_ptr): Likewise.
	(symbolic_binding::dump_to_pp): Likewise.
	(symbolic_binding::cmp_ptr_ptr): Likewise.
	(binding_map::apply_ctor_val_to_range): Likewise.
	(binding_map::apply_ctor_pair_to_child_region): Likewise.
	(binding_map::get_overlapping_bindings): New.
	(binding_map::remove_overlapping_bindings): New.
	(binding_cluster::validate): New.
	(binding_cluster::bind): Drop enum binding_kind.
	(binding_cluster::bind_compound_sval): Likewise.
	(binding_cluster::purge_region): Likewise.
	(binding_cluster::zero_fill_region): Reimplement in terms of...
	(binding_cluster::fill_region): New.
	(binding_cluster::mark_region_as_unknown): Drop enum binding_kind.
	(binding_cluster::get_binding): Likewise.
	(binding_cluster::get_binding_recursive): Likewise.
	(binding_cluster::get_any_binding): Likewise.
	(binding_cluster::maybe_get_compound_binding): Reimplement.
	(binding_cluster::get_overlapping_bindings): Delete.
	(binding_cluster::remove_overlapping_bindings): Reimplement in
	terms of binding_map::remove_overlapping_bindings.
	(binding_cluster::can_merge_p): Update for removal of
	enum binding_kind.
	(binding_cluster::on_unknown_fncall): Drop enum binding_kind.
	(binding_cluster::maybe_get_simple_value): Likewise.
	(store_manager::get_concrete_binding): Likewise.
	(store_manager::get_symbolic_binding): Likewise.
	(store::validate): New.
	(store::set_value): Drop enum binding_kind.
	(store::zero_fill_region): Reimplement in terms of...
	(store::fill_region): New.
	(selftest::test_binding_key_overlap): Drop enum binding_kind.
	* store.h (enum binding_kind): Delete.
	(binding_kind_to_string): Delete decl.
	(binding_key::make): Drop enum binding_kind.
	(binding_key::dump_to_pp): Make pure virtual.
	(binding_key::get_kind): Delete.
	(binding_key::mark_deleted): Delete.
	(binding_key::mark_empty): Delete.
	(binding_key::is_deleted): Delete.
	(binding_key::is_empty): Delete.
	(binding_key::binding_key): Delete.
	(binding_key::impl_hash): Delete.
	(binding_key::impl_eq): Delete.
	(binding_key::m_kind): Delete.
	(bit_range::get_last_bit_offset): New.
	(bit_range::contains_p): New.
	(byte_range::contains_p): New.
	(byte_range::operator==): New.
	(byte_range::get_start_byte_offset): New.
	(byte_range::get_next_byte_offset): New.
	(byte_range::get_last_byte_offset): New.
	(byte_range::as_bit_range): New.
	(byte_range::cmp): New.
	(concrete_binding::concrete_binding): Drop enum binding_kind.
	(concrete_binding::hash): Likewise.
	(concrete_binding::operator==): Likewise.
	(concrete_binding::mark_deleted): New.
	(concrete_binding::mark_empty): New.
	(concrete_binding::is_deleted): New.
	(concrete_binding::is_empty): New.
	(default_hash_traits<ana::concrete_binding>::empty_zero_p): Make false.
	(symbolic_binding::symbolic_binding): Drop enum binding_kind.
	(symbolic_binding::hash): Likewise.
	(symbolic_binding::operator==): Likewise.
	(symbolic_binding::mark_deleted): New.
	(symbolic_binding::mark_empty): New.
	(symbolic_binding::is_deleted): New.
	(symbolic_binding::is_empty): New.
	(binding_map::remove_overlapping_bindings): New decl.
	(binding_map::get_overlapping_bindings): New decl.
	(binding_cluster::validate): New decl.
	(binding_cluster::bind): Drop enum binding_kind.
	(binding_cluster::fill_region): New decl.
	(binding_cluster::get_binding): Drop enum binding_kind.
	(binding_cluster::get_binding_recursive): Likewise.
	(binding_cluster::get_overlapping_bindings): Delete.
	(store::validate): New decl.
	(store::set_value): Drop enum binding_kind.
	(store::fill_region): New decl.
	(store_manager::get_concrete_binding): Drop enum binding_kind.
	(store_manager::get_symbolic_binding): Likewise.
	* svalue.cc (svalue::cmp_ptr): Handle SK_REPEATED and
	SK_BITS_WITHIN.
	(svalue::extract_bit_range): New.
	(svalue::maybe_fold_bits_within): New.
	(constant_svalue::maybe_fold_bits_within): New.
	(unknown_svalue::maybe_fold_bits_within): New.
	(unaryop_svalue::maybe_fold_bits_within): New.
	(repeated_svalue::repeated_svalue): New.
	(repeated_svalue::dump_to_pp): New.
	(repeated_svalue::accept): New.
	(repeated_svalue::all_zeroes_p): New.
	(repeated_svalue::maybe_fold_bits_within): New.
	(bits_within_svalue::bits_within_svalue): New.
	(bits_within_svalue::dump_to_pp): New.
	(bits_within_svalue::maybe_fold_bits_within): New.
	(bits_within_svalue::accept): New.
	(bits_within_svalue::implicitly_live_p): New.
	(compound_svalue::maybe_fold_bits_within): New.
	* svalue.h (enum svalue_kind): Add SK_REPEATED and SK_BITS_WITHIN.
	(svalue::dyn_cast_repeated_svalue): New.
	(svalue::dyn_cast_bits_within_svalue): New.
	(svalue::extract_bit_range): New decl.
	(svalue::maybe_fold_bits_within): New vfunc decl.
	(region_svalue::key_t::mark_empty): Use 2 rather than NULL_TREE.
	(region_svalue::key_t::is_empty): Likewise.
	(default_hash_traits<region_svalue::key_t>::empty_zero_p): Make false.
	(constant_svalue::maybe_fold_bits_within): New.
	(unknown_svalue::maybe_fold_bits_within): New.
	(poisoned_svalue::key_t::mark_empty): Use 2 rather than NULL_TREE.
	(poisoned_svalue::key_t::is_empty): Likewise.
	(default_hash_traits<poisoned_svalue::key_t>::empty_zero_p): Make
	false.
	(setjmp_svalue::key_t::mark_empty): Use 2 rather than NULL_TREE.
	(setjmp_svalue::key_t::is_empty): Likewise.
	(default_hash_traits<setjmp_svalue::key_t>::empty_zero_p): Make
	false.
	(unaryop_svalue::key_t::mark_empty): Use 2 rather than NULL_TREE.
	(unaryop_svalue::key_t::is_empty): Likewise.
	(unaryop_svalue::maybe_fold_bits_within): New.
2850 (default_hash_traits<unaryop_svalue::key_t>::empty_zero_p): Make
2851 false.
2852 (binop_svalue::key_t::mark_empty): Use 2 rather than NULL_TREE.
2853 (binop_svalue::key_t::is_empty): Likewise.
2854 (default_hash_traits<binop_svalue::key_t>::empty_zero_p): Make
2855 false.
2856 (sub_svalue::key_t::mark_empty): Use 2 rather than NULL_TREE.
2857 (sub_svalue::key_t::is_empty): Likewise.
2858 (default_hash_traits<sub_svalue::key_t>::empty_zero_p): Make
2859 false.
2860 (class repeated_svalue): New.
2861 (is_a_helper <const repeated_svalue *>::test): New.
2862 (struct default_hash_traits<repeated_svalue::key_t>): New.
2863 (class bits_within_svalue): New.
2864 (is_a_helper <const bits_within_svalue *>::test): New.
2865 (struct default_hash_traits<bits_within_svalue::key_t>): New.
2866 (widening_svalue::key_t::mark_empty): Use 2 rather than NULL_TREE.
2867 (widening_svalue::key_t::is_empty): Likewise.
2868 (default_hash_traits<widening_svalue::key_t>::empty_zero_p): Make
2869 false.
2870 (compound_svalue::key_t::mark_empty): Use 2 rather than NULL_TREE.
2871 (compound_svalue::key_t::is_empty): Likewise.
2872 (compound_svalue::maybe_fold_bits_within): New.
2873 (default_hash_traits<compound_svalue::key_t>::empty_zero_p): Make
2874 false.
2875
2021-06-28 David Malcolm <dmalcolm@redhat.com>

	* analyzer.h (byte_offset_t): New typedef.
	* store.cc (bit_range::dump_to_pp): Dump as a byte range if
	possible.
	(bit_range::as_byte_range): New.
	(byte_range::dump_to_pp): New.
	* store.h (class byte_range): New forward decl.
	(struct bit_range): Add comment.
	(bit_range::as_byte_range): New decl.
	(struct byte_range): New.

2021-06-22 David Malcolm <dmalcolm@redhat.com>

	PR analyzer/101143
	* region-model.cc (compat_types_p): New function.
	(region_model::create_region_for_heap_alloc): Convert assertion to
	an error check.
	(region_model::create_region_for_alloca): Likewise.

2021-06-18 David Malcolm <dmalcolm@redhat.com>

	* store.cc (binding_cluster::get_any_binding): Make symbolic reads
	from a cluster with concrete bindings return unknown.

2021-06-18 David Malcolm <dmalcolm@redhat.com>

	* region-model-manager.cc
	(region_model_manager::get_or_create_int_cst): New.
	(region_model_manager::maybe_undo_optimize_bit_field_compare): Use
	it to simplify away a local tree.
	* region-model.cc (region_model::on_setjmp): Likewise.
	(region_model::on_longjmp): Likewise.
	* region-model.h (region_model_manager::get_or_create_int_cst):
	New decl.
	* store.cc (binding_cluster::zero_fill_region): Use it to simplify
	away a local tree.

2021-06-18 David Malcolm <dmalcolm@redhat.com>

	* checker-path.cc (class custom_event): Make abstract to allow for
	custom vfuncs, splitting existing implementation into...
	(class precanned_custom_event): New subclass.
	(custom_event::get_desc): Move to...
	(precanned_custom_event::get_desc): ...subclass.
	* checker-path.h (class custom_event): Make abstract to allow for
	custom vfuncs, splitting existing implementation into...
	(class precanned_custom_event): New subclass.
	* diagnostic-manager.cc (diagnostic_manager::add_events_for_eedge):
	Use precanned_custom_event.
	* engine.cc
	(stale_jmp_buf::maybe_add_custom_events_for_superedge): Likewise.
	* sm-signal.cc (signal_delivery_edge_info_t::add_events_to_path):
	Likewise.

2021-06-15 David Malcolm <dmalcolm@redhat.com>

	PR analyzer/99212
	PR analyzer/101082
	* engine.cc: Include "target.h".
	(impl_run_checkers): Log BITS_BIG_ENDIAN, BYTES_BIG_ENDIAN, and
	WORDS_BIG_ENDIAN.
	* region-model-manager.cc
	(region_model_manager::maybe_fold_binop): Move support for masking
	via ARG0 & CST into...
	(region_model_manager::maybe_undo_optimize_bit_field_compare):
	...this new function. Flatten by converting from nested
	conditionals to a series of early return statements to reject
	failures. Reject if type is not unsigned_char_type_node.
	Handle BYTES_BIG_ENDIAN when determining which bits are bound
	in the binding_map.
	* region-model.h
	(region_model_manager::maybe_undo_optimize_bit_field_compare):
	New decl.
	* store.cc (bit_range::dump): New function.
	* store.h (bit_range::dump): New decl.

2021-06-15 David Malcolm <dmalcolm@redhat.com>

	* engine.cc (exploded_node::on_stmt): Handle __analyzer_dump_capacity.
	(exploded_node::on_stmt): Drop m_sm_changes from on_stmt_flags.
	(state_change_requires_new_enode_p): New function...
	(exploded_graph::process_node): Call it, rather than querying
	flags.m_sm_changes, so that dynamic-extent differences can also
	trigger the splitting of nodes.
	* exploded-graph.h (struct on_stmt_flags): Drop field m_sm_changes.
	* program-state.cc (program_state::detect_leaks): Purge dead
	heap-allocated regions from dynamic extents.
	(selftest::test_program_state_1): Fix type of "size_in_bytes".
	(selftest::test_program_state_merging): Likewise.
	* region-model-impl-calls.cc
	(region_model::impl_call_analyzer_dump_capacity): New.
	(region_model::impl_call_free): Remove dynamic extents from the
	freed region.
	* region-model-reachability.h
	(reachable_regions::begin_mutable_base_regs): New.
	(reachable_regions::end_mutable_base_regs): New.
	* region-model.cc: Include "tree-object-size.h".
	(region_model::region_model): Support new field m_dynamic_extents.
	(region_model::operator=): Likewise.
	(region_model::operator==): Likewise.
	(region_model::dump_to_pp): Dump sizes of dynamic regions.
	(region_model::handle_unrecognized_call): Purge dynamic extents
	from any regions that have escaped mutably.
	(region_model::get_capacity): New function.
	(region_model::add_constraint): Unset dynamic extents when a
	heap-allocated region's address is NULL.
	(region_model::unbind_region_and_descendents): Purge dynamic
	extents of unbound regions.
	(region_model::can_merge_with_p): Call
	m_dynamic_extents.can_merge_with_p.
	(region_model::create_region_for_heap_alloc): Assert that
	size_in_bytes's type is compatible with size_type_node. Update
	for renaming of record_dynamic_extents to set_dynamic_extents.
	(region_model::create_region_for_alloca): Likewise.
	(region_model::record_dynamic_extents): Rename to...
	(region_model::set_dynamic_extents): ...this. Assert that
	size_in_bytes's type is compatible with size_type_node. Add it
	to the m_dynamic_extents map.
	(region_model::get_dynamic_extents): New.
	(region_model::unset_dynamic_extents): New.
	(selftest::test_state_merging): Fix type of "size".
	(selftest::test_malloc_constraints): Likewise.
	(selftest::test_malloc): Verify dynamic extents.
	(selftest::test_alloca): Likewise.
	* region-model.h (region_to_value_map::is_empty): New.
	(region_model::dynamic_extents_t): New typedef.
	(region_model::impl_call_analyzer_dump_capacity): New decl.
	(region_model::get_dynamic_extents): New function.
	(region_model::get_dynamic_extents): New decl.
	(region_model::set_dynamic_extents): New decl.
	(region_model::unset_dynamic_extents): New decl.
	(region_model::get_capacity): New decl.
	(region_model::record_dynamic_extents): Rename to set_dynamic_extents.
	(region_model::m_dynamic_extents): New field.

2021-06-15 David Malcolm <dmalcolm@redhat.com>

	* region-model.cc (region_to_value_map::operator=): New.
	(region_to_value_map::operator==): New.
	(region_to_value_map::dump_to_pp): New.
	(region_to_value_map::dump): New.
	(region_to_value_map::can_merge_with_p): New.
	* region-model.h (class region_to_value_map): New class.

2021-06-13 Trevor Saunders <tbsaunde@tbsaunde.org>

	* call-string.cc (call_string::call_string): Use range based for
	to iterate over vec<>.
	(call_string::to_json): Likewise.
	(call_string::hash): Likewise.
	(call_string::calc_recursion_depth): Likewise.
	* checker-path.cc (checker_path::fixup_locations): Likewise.
	* constraint-manager.cc (equiv_class::equiv_class): Likewise.
	(equiv_class::to_json): Likewise.
	(equiv_class::hash): Likewise.
	(constraint_manager::to_json): Likewise.
	* engine.cc (impl_region_model_context::on_svalue_leak):
	Likewise.
	(on_liveness_change): Likewise.
	(impl_region_model_context::on_unknown_change): Likewise.
	* program-state.cc (sm_state_map::set_state): Likewise.
	* region-model.cc (test_canonicalization_4): Likewise.

2021-06-11 David Malcolm <dmalcolm@redhat.com>

	* engine.cc (worklist::key_t::cmp): Move sort by call_string to
	before SCC.

2021-06-09 David Malcolm <dmalcolm@redhat.com>

	* region-model.cc (region_model::get_lvalue_1): Make const.
	(region_model::get_lvalue): Likewise.
	(region_model::get_rvalue_1): Likewise.
	(region_model::get_rvalue): Likewise.
	(region_model::deref_rvalue): Likewise.
	(region_model::get_rvalue_for_bits): Likewise.
	* region-model.h (region_model::get_lvalue): Likewise.
	(region_model::get_rvalue): Likewise.
	(region_model::deref_rvalue): Likewise.
	(region_model::get_rvalue_for_bits): Likewise.
	(region_model::get_lvalue_1): Likewise.
	(region_model::get_rvalue_1): Likewise.

2021-06-08 David Malcolm <dmalcolm@redhat.com>

	PR analyzer/99212
	* region-model-manager.cc
	(region_model_manager::maybe_fold_binop): Add support for folding
	BIT_AND_EXPR of compound_svalue and a mask constant.
	* region-model.cc (region_model::get_rvalue_1): Implement
	BIT_FIELD_REF in terms of...
	(region_model::get_rvalue_for_bits): New function.
	* region-model.h (region_model::get_rvalue_for_bits): New decl.
	* store.cc (bit_range::from_mask): New function.
	(selftest::test_bit_range_intersects_p): New selftest.
	(selftest::assert_bit_range_from_mask_eq): New.
	(ASSERT_BIT_RANGE_FROM_MASK_EQ): New macro.
	(selftest::assert_no_bit_range_from_mask_eq): New.
	(ASSERT_NO_BIT_RANGE_FROM_MASK): New macro.
	(selftest::test_bit_range_from_mask): New selftest.
	(selftest::analyzer_store_cc_tests): Call the new selftests.
	* store.h (bit_range::intersects_p): New.
	(bit_range::from_mask): New decl.
	(concrete_binding::get_bit_range): New accessor.
	(store_manager::get_concrete_binding): New overload taking
	const bit_range &.

2021-06-08 David Malcolm <dmalcolm@redhat.com>

	* analyzer.h (int_size_in_bits): New decl.
	* region.cc (int_size_in_bits): New function.
	(region::get_bit_size): Reimplement in terms of the above.

2021-06-08 David Malcolm <dmalcolm@redhat.com>

	* store.cc (concrete_binding::dump_to_pp): Move bulk of
	implementation to...
	(bit_range::dump_to_pp): ...this new function.
	(bit_range::cmp): New.
	(concrete_binding::overlaps_p): Update for use of bit_range.
	(concrete_binding::cmp_ptr_ptr): Likewise.
	* store.h (struct bit_range): New.
	(class concrete_binding): Replace fields m_start_bit_offset and
	m_size_in_bits with new field m_bit_range.

2021-06-08 David Malcolm <dmalcolm@redhat.com>

	* svalue.h (conjured_svalue::iterator_t): Delete.

2021-06-03 David Malcolm <dmalcolm@redhat.com>

	* store.h (store::get_direct_binding): Remove unused decl.
	(store::get_default_binding): Likewise.

2021-06-03 David Malcolm <dmalcolm@redhat.com>

	* svalue.cc (poisoned_svalue::dump_to_pp): Dump type.
	(compound_svalue::dump_to_pp): Dump any type.

2021-05-18 David Malcolm <dmalcolm@redhat.com>

	PR analyzer/100615
	* sm-malloc.cc: Include "analyzer/function-set.h".
	(malloc_state_machine::on_stmt): Call unaffected_by_call_p and
	bail on the functions it recognizes.
	(malloc_state_machine::unaffected_by_call_p): New.

2021-05-10 Martin Liska <mliska@suse.cz>

	* sm-file.cc (is_file_using_fn_p): Use startswith
	function instead of strncmp.

2021-05-10 Martin Liska <mliska@suse.cz>

	* program-state.cc (program_state::operator=): Remove
	__cplusplus >= 201103.
	(program_state::program_state): Likewise.
	* program-state.h: Likewise.
	* region-model.h (class region_model): Remove dead code.

2021-04-24 David Malcolm <dmalcolm@redhat.com>

	PR analyzer/100244
	* sm-malloc.cc (free_of_non_heap::describe_state_change):
	Bulletproof against change.m_expr being NULL.

2021-04-13 David Malcolm <dmalcolm@redhat.com>

	PR analyzer/98599
	* supergraph.cc (saved_uids::make_uid_unique): New.
	(saved_uids::restore_uids): New.
	(supergraph::supergraph): Replace assignments to stmt->uid with
	calls to m_stmt_uids.make_uid_unique.
	(supergraph::~supergraph): New.
	* supergraph.h (class saved_uids): New.
	(supergraph::~supergraph): New decl.
	(supergraph::m_stmt_uids): New field.

2021-04-10 David Malcolm <dmalcolm@redhat.com>

	PR analyzer/100011
	* region-model.cc (region_model::on_assignment): Avoid NULL
	dereference if ctxt is NULL when assigning from a STRING_CST.

2021-04-08 David Malcolm <dmalcolm@redhat.com>

	PR analyzer/99042
	PR analyzer/99774
	* engine.cc
	(impl_region_model_context::impl_region_model_context): Add
	uncertainty param and use it to initialize m_uncertainty.
	(impl_region_model_context::get_uncertainty): New.
	(impl_sm_context::get_fndecl_for_call): Add NULL for new
	uncertainty param when constructing impl_region_model_context.
	(impl_sm_context::get_state): Likewise.
	(impl_sm_context::set_next_state): Likewise.
	(impl_sm_context::warn): Likewise.
	(exploded_node::on_stmt): Add uncertainty param
	and use it when constructing impl_region_model_context.
	(exploded_node::on_edge): Add uncertainty param and pass
	to on_edge call.
	(exploded_node::detect_leaks): Create uncertainty_t and pass to
	impl_region_model_context.
	(exploded_graph::get_or_create_node): Create uncertainty_t and
	pass to prune_for_point.
	(maybe_process_run_of_before_supernode_enodes): Create
	uncertainty_t and pass to impl_region_model_context.
	(exploded_graph::process_node): Create uncertainty_t instances and
	pass around as needed.
	* exploded-graph.h
	(impl_region_model_context::impl_region_model_context): Add
	uncertainty param.
	(impl_region_model_context::get_uncertainty): New decl.
	(impl_region_model_context::m_uncertainty): New field.
	(exploded_node::on_stmt): Add uncertainty param.
	(exploded_node::on_edge): Likewise.
	* program-state.cc (sm_state_map::on_liveness_change): Get
	uncertainty from context and use it to unset sm-state from
	svalues as appropriate.
	(program_state::on_edge): Add uncertainty param and use it when
	constructing impl_region_model_context. Fix indentation.
	(program_state::prune_for_point): Add uncertainty param and use it
	when constructing impl_region_model_context.
	(program_state::detect_leaks): Get any uncertainty from ctxt and
	use it to get maybe-live svalues for dest_state, rather than
	definitely-live ones; use this when determining which svalues
	have leaked.
	(selftest::test_program_state_merging): Create uncertainty_t and
	pass to impl_region_model_context.
	* program-state.h (program_state::on_edge): Add uncertainty param.
	(program_state::prune_for_point): Likewise.
	* region-model-impl-calls.cc (call_details::get_uncertainty): New.
	(region_model::impl_call_memcpy): Pass uncertainty to
	mark_region_as_unknown call.
	(region_model::impl_call_memset): Likewise.
	(region_model::impl_call_strcpy): Likewise.
	* region-model-reachability.cc (reachable_regions::handle_sval):
	Also add sval to m_mutable_svals.
	* region-model.cc (region_model::on_assignment): Pass any
	uncertainty from ctxt to the store::set_value call.
	(region_model::handle_unrecognized_call): Get any uncertainty from
	ctxt and use it to record mutable svalues at the unknown call.
	(region_model::get_reachable_svalues): Add uncertainty param and
	use it to mark any maybe-bound svalues as being reachable.
	(region_model::set_value): Pass any uncertainty from ctxt to the
	store::set_value call.
	(region_model::mark_region_as_unknown): Add uncertainty param and
	pass it on to the store::mark_region_as_unknown call.
	(region_model::update_for_call_summary): Add uncertainty param and
	pass it on to the region_model::mark_region_as_unknown call.
	* region-model.h (call_details::get_uncertainty): New decl.
	(region_model::get_reachable_svalues): Add uncertainty param.
	(region_model::mark_region_as_unknown): Add uncertainty param.
	(region_model_context::get_uncertainty): New vfunc.
	(noop_region_model_context::get_uncertainty): New vfunc
	implementation.
	* store.cc (dump_svalue_set): New.
	(uncertainty_t::dump_to_pp): New.
	(uncertainty_t::dump): New.
	(binding_cluster::clobber_region): Pass NULL for uncertainty to
	remove_overlapping_bindings.
	(binding_cluster::mark_region_as_unknown): Add uncertainty param
	and pass it to remove_overlapping_bindings.
	(binding_cluster::remove_overlapping_bindings): Add uncertainty param.
	Use it to record any svalues that were in clobbered bindings.
	(store::set_value): Add uncertainty param. Pass it to
	binding_cluster::mark_region_as_unknown when handling symbolic
	regions.
	(store::mark_region_as_unknown): Add uncertainty param and pass it
	to binding_cluster::mark_region_as_unknown.
	(store::remove_overlapping_bindings): Add uncertainty param and
	pass it to binding_cluster::remove_overlapping_bindings.
	* store.h (binding_cluster::mark_region_as_unknown): Add
	uncertainty param.
	(binding_cluster::remove_overlapping_bindings): Likewise.
	(store::set_value): Likewise.
	(store::mark_region_as_unknown): Likewise.

2021-04-05 David Malcolm <dmalcolm@redhat.com>

	PR analyzer/99906
	* analyzer.cc (maybe_reconstruct_from_def_stmt): Fix NULL
	dereference on calls with zero arguments.
	* sm-malloc.cc (malloc_state_machine::on_stmt): When handling
	__attribute__((nonnull)), only call get_diagnostic_tree if the
	result will be used.

2021-04-05 David Malcolm <dmalcolm@redhat.com>

	PR analyzer/99886
	* diagnostic-manager.cc
	(diagnostic_manager::prune_interproc_events): Use signed integers
	when subtracting one from path->num_events ().
	(diagnostic_manager::consolidate_conditions): Likewise. Convert
	next_idx to a signed int.

2021-04-01 David Malcolm <dmalcolm@redhat.com>

	* diagnostic-manager.cc (diagnostic_manager::add_diagnostic): Make
	enode param non-constant, and call add_diagnostic on it. Add
	enode index to log message.
	(diagnostic_manager::add_diagnostic): Make enode param
	non-constant.
	* diagnostic-manager.h (diagnostic_manager::add_diagnostic):
	Likewise for both decls.
	* engine.cc
	(impl_region_model_context::impl_region_model_context): Likewise
	for enode_for_diag.
	(impl_sm_context::impl_sm_context): Likewise.
	(impl_sm_context::m_enode_for_diag): Likewise.
	(exploded_node::dump_dot): Don't pass the diagnostic manager
	to dump_saved_diagnostics.
	(exploded_node::dump_saved_diagnostics): Drop param. Iterate
	directly through all saved diagnostics for the enode, rather
	than all saved diagnostics in the diagnostic_manager and
	filtering.
	(exploded_node::on_stmt): Make non-const.
	(exploded_node::on_edge): Likewise.
	(exploded_node::on_longjmp): Likewise.
	(exploded_node::detect_leaks): Likewise.
	(exploded_graph::get_or_create_node): Make enode_for_diag param
	non-const.
	(exploded_graph_annotator::print_enode): Iterate
	directly through all saved diagnostics for the enode, rather
	than all saved diagnostics in the diagnostic_manager and
	filtering.
	* exploded-graph.h
	(impl_region_model_context::impl_region_model_context): Make
	enode_for_diag param non-constant.
	(impl_region_model_context::m_enode_for_diag): Likewise.
	(exploded_node::dump_saved_diagnostics): Drop param.
	(exploded_node::on_stmt): Make non-const.
	(exploded_node::on_edge): Likewise.
	(exploded_node::on_longjmp): Likewise.
	(exploded_node::detect_leaks): Likewise.
	(exploded_node::add_diagnostic): New.
	(exploded_node::get_num_diagnostics): New.
	(exploded_node::get_saved_diagnostic): New.
	(exploded_node::m_saved_diagnostics): New.
	(exploded_graph::get_or_create_node): Make enode_for_diag param
	non-constant.
	* feasible-graph.cc (feasible_node::dump_dot): Drop
	diagnostic_manager from call to dump_saved_diagnostics.
	* program-state.cc (program_state::on_edge): Convert enode param
	to non-const pointer.
	(program_state::prune_for_point): Likewise for enode_for_diag
	param.
	* program-state.h (program_state::on_edge): Convert enode param
	to non-const pointer.
	(program_state::prune_for_point): Likewise for enode_for_diag
	param.

2021-03-31 David Malcolm <dmalcolm@redhat.com>

	PR analyzer/99771
	* analyzer.cc (maybe_reconstruct_from_def_stmt): New.
	(fixup_tree_for_diagnostic_1): New.
	(fixup_tree_for_diagnostic): New.
	* analyzer.h (fixup_tree_for_diagnostic): New decl.
	* checker-path.cc (call_event::get_desc): Call
	fixup_tree_for_diagnostic and use it for the call_with_state call.
	(warning_event::get_desc): Likewise for the final_event and
	make_label_text calls.
	* engine.cc (impl_region_model_context::on_state_leak): Likewise
	for the on_leak and add_diagnostic calls.
	* region-model.cc (region_model::get_representative_tree):
	Likewise for the result.

2021-03-30 David Malcolm <dmalcolm@redhat.com>

	* region.h (region::dump_to_pp): Remove old decl.

2021-03-30 David Malcolm <dmalcolm@redhat.com>

	* sm-file.cc (fileptr_state_machine::on_stmt): Only call
	get_diagnostic_tree if the result will be used.
	* sm-malloc.cc (malloc_state_machine::on_stmt): Likewise.
	(malloc_state_machine::on_deallocator_call): Likewise.
	(malloc_state_machine::on_realloc_call): Likewise.
	(malloc_state_machine::on_realloc_call): Likewise.
	* sm-sensitive.cc
	(sensitive_state_machine::warn_for_any_exposure): Likewise.
	* sm-taint.cc (taint_state_machine::on_stmt): Likewise.

2021-03-25 David Malcolm <dmalcolm@redhat.com>

	PR analyzer/93695
	PR analyzer/99044
	PR analyzer/99716
	* engine.cc (exploded_node::on_stmt): Clear sm-state involving
	an SSA name at the def-stmt of that SSA name.
	* program-state.cc (sm_state_map::purge_state_involving): New.
	* program-state.h (sm_state_map::purge_state_involving): New decl.
	* region-model.cc (selftest::test_involves_p): New.
	(selftest::analyzer_region_model_cc_tests): Call it.
	* svalue.cc (class involvement_visitor): New class.
	(svalue::involves_p): New.
	* svalue.h (svalue::involves_p): New decl.

2021-03-19 David Malcolm <dmalcolm@redhat.com>

	PR analyzer/99614
	* diagnostic-manager.cc (class epath_finder): Add
	DISABLE_COPY_AND_ASSIGN.

2021-03-15 Martin Liska <mliska@suse.cz>

	* sm-file.cc (get_file_using_fns): Add missing comma in initializer.

2021-03-11 David Malcolm <dmalcolm@redhat.com>

	PR analyzer/96374
	* analyzer.opt (-param=analyzer-max-infeasible-edges=): New param.
	(fdump-analyzer-feasibility): New flag.
	* diagnostic-manager.cc: Include "analyzer/trimmed-graph.h" and
	"analyzer/feasible-graph.h".
	(epath_finder::epath_finder): Convert m_sep to a pointer and
	only create it if !flag_analyzer_feasibility.
	(epath_finder::~epath_finder): New.
	(epath_finder::m_sep): Convert to a pointer.
	(epath_finder::get_best_epath): Add param "diag_idx" and use it
	when logging. Rather than finding the shortest path and then
	checking feasibility, instead use explore_feasible_paths unless
	!flag_analyzer_feasibility, in which case simply use the shortest
	path, and note if it is infeasible. Update for m_sep becoming a
	pointer.
	(class feasible_worklist): New.
	(epath_finder::explore_feasible_paths): New.
	(epath_finder::process_worklist_item): New.
	(class dump_eg_with_shortest_path): New.
	(epath_finder::dump_trimmed_graph): New.
	(epath_finder::dump_feasible_graph): New.
	(saved_diagnostic::saved_diagnostic): Add "idx" param, using it
	on new field m_idx.
	(saved_diagnostic::to_json): Dump m_idx.
	(saved_diagnostic::calc_best_epath): Pass m_idx to get_best_epath.
	Remove assertion that m_problem was set when m_best_epath is NULL.
	(diagnostic_manager::add_diagnostic): Pass an index when created
	saved_diagnostic instances.
	* diagnostic-manager.h (saved_diagnostic::saved_diagnostic): Add
	"idx" param.
	(saved_diagnostic::get_index): New accessor.
	(saved_diagnostic::m_idx): New field.
	* engine.cc (exploded_node::dump_dot): Call args.dump_extra_info.
	Move code to...
	(exploded_node::dump_processed_stmts): ...this new function and...
	(exploded_node::dump_saved_diagnostics): ...this new function.
	Add index of each diagnostic.
	(exploded_edge::dump_dot): Move bulk of code to...
	(exploded_edge::dump_dot_label): ...this new function.
	* exploded-graph.h (eg_traits::dump_args_t::dump_extra_info): New
	vfunc.
	(exploded_node::dump_processed_stmts): New decl.
	(exploded_node::dump_saved_diagnostics): New decl.
	(exploded_edge::dump_dot_label): New decl.
	* feasible-graph.cc: New file.
	* feasible-graph.h: New file.
	* trimmed-graph.cc: New file.
	* trimmed-graph.h: New file.

2021-03-11 David Malcolm <dmalcolm@redhat.com>

	* diagnostic-manager.cc (epath_finder::epath_finder):
	Update shortest_paths init for new param.

2021-03-10 David Malcolm <dmalcolm@redhat.com>

	PR analyzer/96374
	* engine.cc (exploded_path::feasible_p): Move "snodes_visited" and
	"model" locals into a new class feasibility_state. Move heart
	of per-edge processing into
	feasibility_state::maybe_update_for_edge.
	(feasibility_state::feasibility_state): New.
	(feasibility_state::maybe_update_for_edge): New, based on loop
	body in exploded_path::feasible_p.
	* exploded-graph.h (class feasibility_state): New.

2021-03-10 David Malcolm <dmalcolm@redhat.com>

	* supergraph.h
	(callgraph_superedge::dyn_cast_callgraph_superedge): New.
	(call_superedge::dyn_cast_callgraph_superedge): Delete.
	(return_superedge::dyn_cast_callgraph_superedge): Delete.

2021-03-02 Martin Liska <mliska@suse.cz>

	* diagnostic-manager.cc (diagnostic_manager::emit_saved_diagnostics):
	Do not pass engine.

2021-02-26 David Malcolm <dmalcolm@redhat.com>

	* engine.cc (exploded_path::exploded_path): New copy-ctor.
	* exploded-graph.h (exploded_path::operator=): Drop decl.

2021-02-26 David Malcolm <dmalcolm@redhat.com>

	PR analyzer/96374
	* diagnostic-manager.cc (class epath_finder): New.
	(epath_finder::get_best_epath): New.
	(saved_diagnostic::saved_diagnostic): Update for replacement of
	m_state and m_epath_length with m_best_epath.
	(saved_diagnostic::~saved_diagnostic): Delete m_best_epath.
	(saved_diagnostic::to_json): Update "path_length" to be optional.
	(saved_diagnostic::calc_best_epath): New, based on
	dedupe_winners::add and parts of dedupe_key::dedupe_key.
	(saved_diagnostic::get_epath_length): New.
	(saved_diagnostic::add_duplicate): New.
	(dedupe_key::dedupe_key): Drop epath param. Move invocation of
	stmt_finder to saved_diagnostic::calc_best_epath.
	(class dedupe_candidate): Delete.
	(class dedupe_hash_map_traits): Update to use saved_diagnostic *
	rather than dedupe_candidate * as the value_type/compare_type.
	(dedupe_winners::~dedupe_winners): Don't delete the values.
	(dedupe_winners::add): Convert param from shortest_exploded_paths to
	epath_finder. Drop "eg" param. Drop dedupe_candidate, moving
	path generation and feasibility checking to
	epath_finder::get_best_epath. Update winner-selection for move
	of epaths from dedupe_candidate to saved_diagnostic.
	(dedupe_winners::emit_best): Update for removal of class
	dedupe_candidate.
	(dedupe_winners::map_t): Update to use saved_diagnostic * rather
	than dedupe_candidate * as the value_type/compare_type.
	(diagnostic_manager::emit_saved_diagnostics): Move
	shortest_exploded_paths instance into epath_finder and pass that
	around instead.
	(diagnostic_manager::emit_saved_diagnostic): Drop epath, stmt
	and num_dupes params, instead getting these from the
	saved_diagnostic. Use correct location in inform_n call.
	* diagnostic-manager.h (class epath_finder): New forward decl.
	(saved_diagnostic::status): Drop enum.
	(saved_diagnostic::set_feasible): Drop.
	(saved_diagnostic::set_infeasible): Drop.
	(saved_diagnostic::get_status): Drop.
	(saved_diagnostic::calc_best_epath): New decl.
	(saved_diagnostic::get_best_epath): New decl.
	(saved_diagnostic::get_epath_length): New decl.
	(saved_diagnostic::set_epath_length): Drop.
	(saved_diagnostic::get_epath_length): Drop inline implementation.
	(saved_diagnostic::add_duplicate): New.
	(saved_diagnostic::get_num_dupes): New.
	(saved_diagnostic::m_d): Document ownership.
	(saved_diagnostic::m_trailing_eedge): Make const.
	(saved_diagnostic::m_status): Drop field.
	(saved_diagnostic::m_epath_length): Drop field.
	(saved_diagnostic::m_best_epath): New field.
	(saved_diagnostic::m_problem): Document ownership.
	(saved_diagnostic::m_duplicates): New field.
	(diagnostic_manager::emit_saved_diagnostic): Drop params epath,
	stmt, and num_dupes.
	* engine.cc (exploded_graph_annotator::print_saved_diagnostic):
	Update for changes to saved_diagnostic class.
	* exploded-graph.h (exploded_path::feasible_p): Drop unused
	overloaded decl.

2021-02-25  David Malcolm  <dmalcolm@redhat.com>

	PR analyzer/99193
	* region-model-impl-calls.cc (region_model::impl_call_realloc): New.
	* region-model.cc (region_model::on_call_pre): Call it.
	* region-model.h (region_model::impl_call_realloc): New decl.
	* sm-malloc.cc (enum wording): Add WORDING_REALLOCATED.
	(malloc_state_machine::m_realloc): New field.
	(use_after_free::describe_state_change): Add case for
	WORDING_REALLOCATED.
	(use_after_free::describe_final_event): Likewise.
	(malloc_state_machine::malloc_state_machine): Initialize
	m_realloc.
	(malloc_state_machine::on_stmt): Handle realloc by calling...
	(malloc_state_machine::on_realloc_call): New.

2021-02-22  David Malcolm  <dmalcolm@redhat.com>

	PR analyzer/99196
	* engine.cc (exploded_node::on_stmt): Provide terminate_path
	flag as a way for on_call_pre to terminate the current analysis
	path.
	* region-model-impl-calls.cc (call_details::num_args): New.
	(region_model::impl_call_error): New.
	* region-model.cc (region_model::on_call_pre): Add param
	"out_terminate_path".  Handle "error" and "error_at_line".
	* region-model.h (call_details::num_args): New decl.
	(region_model::on_call_pre): Add param "out_terminate_path".
	(region_model::impl_call_error): New decl.

2021-02-17  David Malcolm  <dmalcolm@redhat.com>

	PR analyzer/98969
	* constraint-manager.cc (dead_svalue_purger::should_purge_p):
	Update for change to svalue::live_p.
	* program-state.cc (sm_state_map::on_liveness_change): Likewise.
	(program_state::detect_leaks): Likewise.
	* region-model-reachability.cc (reachable_regions::init_cluster):
	When dealing with a symbolic region, if the underlying pointer is
	implicitly live, add the region to the reachable regions.
	* region-model.cc (region_model::compare_initial_and_pointer):
	Move logic for detecting initial values of params to
	initial_svalue::initial_value_of_param_p.
	* svalue.cc (svalue::live_p): Convert "live_svalues" from a
	reference to a pointer; support it being NULL.
	(svalue::implicitly_live_p): Convert first param from a
	reference to a pointer.
	(region_svalue::implicitly_live_p): Likewise.
	(constant_svalue::implicitly_live_p): Likewise.
	(initial_svalue::implicitly_live_p): Likewise.  Treat the initial
	values of params for the top level frame as still live.
	(initial_svalue::initial_value_of_param_p): New function, taken
	from a test in region_model::compare_initial_and_pointer.
	(unaryop_svalue::implicitly_live_p): Convert first param from a
	reference to a pointer.
	(binop_svalue::implicitly_live_p): Likewise.
	(sub_svalue::implicitly_live_p): Likewise.
	(unmergeable_svalue::implicitly_live_p): Likewise.
	* svalue.h (svalue::live_p): Likewise.
	(svalue::implicitly_live_p): Likewise.
	(region_svalue::implicitly_live_p): Likewise.
	(constant_svalue::implicitly_live_p): Likewise.
	(initial_svalue::implicitly_live_p): Likewise.
	(initial_svalue::initial_value_of_param_p): New decl.
	(unaryop_svalue::implicitly_live_p): Convert first param from a
	reference to a pointer.
	(binop_svalue::implicitly_live_p): Likewise.
	(sub_svalue::implicitly_live_p): Likewise.
	(unmergeable_svalue::implicitly_live_p): Likewise.

2021-02-12  David Malcolm  <dmalcolm@redhat.com>

	PR analyzer/98969
	* engine.cc (readability): Add names for the various arbitrary
	values.  Handle NOP_EXPR and INTEGER_CST.
	(readability_comparator): Combine the readability tests for
	tree and stack depth, rather than performing them sequentially.
	(impl_region_model_context::on_state_leak): Strip off top-level
	casts.
	* region-model.cc (region_model::get_representative_path_var): Add
	type-checking, moving the bulk of the implementation to...
	(region_model::get_representative_path_var_1): ...here.  Respect
	types in casts by recursing and re-adding the cast, rather than
	merely stripping them off.  Use the correct type when handling
	region_svalue.
	(region_model::get_representative_tree): Strip off any top-level
	cast.
	(region_model::get_representative_path_var): Add type-checking,
	moving the bulk of the implementation to...
	(region_model::get_representative_path_var_1): ...here.
	* region-model.h (region_model::get_representative_path_var_1):
	New decl.
	(region_model::get_representative_path_var_1): New decl.
	* store.cc (append_pathvar_with_type): New.
	(binding_cluster::get_representative_path_vars): Cast path_vars
	to the correct type when adding them to *OUT_PVS.

2021-02-09  David Malcolm  <dmalcolm@redhat.com>

	PR analyzer/98575
	* sm-file.cc (is_file_using_fn_p): Support "_IO_"-prefixed
	variants.

2021-02-09  David Malcolm  <dmalcolm@redhat.com>

	PR analyzer/98575
	* store.cc (store::set_value): Treat a pointer written to *UNKNOWN
	as having escaped.

2021-02-02  David Malcolm  <dmalcolm@redhat.com>

	PR analyzer/93355
	PR analyzer/96374
	* engine.cc (toplevel_function_p): Simplify so that
	we only reject functions with a "__analyzer_" prefix.
	(add_any_callbacks): Delete.
	(exploded_graph::build_initial_worklist): Update for
	dropped param of toplevel_function_p.
	(exploded_graph::build_initial_worklist): Don't bother
	looking for callbacks that are reachable from global
	initializers.

2021-02-01  David Malcolm  <dmalcolm@redhat.com>

	PR analyzer/98918
	* region-model-manager.cc
	(region_model_manager::get_or_create_initial_value):
	Fold the initial value of *UNKNOWN_PTR to an UNKNOWN value.
	(region_model_manager::get_field_region): Fold the value
	of UNKNOWN_PTR->FIELD to *UNKNOWN_PTR_OF_&FIELD_TYPE.

2021-01-29  David Malcolm  <dmalcolm@redhat.com>

	* checker-path.cc (event_kind_to_string): Handle
	EK_START_CONSOLIDATED_CFG_EDGES and
	EK_END_CONSOLIDATED_CFG_EDGES.
	(start_consolidated_cfg_edges_event::get_desc): New.
	(checker_path::cfg_edge_pair_at_p): New.
	* checker-path.h (enum event_kind): Add
	EK_START_CONSOLIDATED_CFG_EDGES and
	EK_END_CONSOLIDATED_CFG_EDGES.
	(class start_consolidated_cfg_edges_event): New class.
	(class end_consolidated_cfg_edges_event): New class.
	(checker_path::delete_events): New.
	(checker_path::replace_event): New.
	(checker_path::cfg_edge_pair_at_p): New decl.
	* diagnostic-manager.cc (diagnostic_manager::prune_path): Call
	consolidate_conditions.
	(same_line_as_p): New.
	(diagnostic_manager::consolidate_conditions): New.
	* diagnostic-manager.h
	(diagnostic_manager::consolidate_conditions): New decl.

2021-01-18  David Malcolm  <dmalcolm@redhat.com>

	* analyzer.h (is_std_named_call_p): New decl.
	* diagnostic-manager.cc (path_builder::get_sm): New.
	(state_change_event_creator::state_change_event_creator): Add "pb"
	param.
	(state_change_event_creator::on_global_state_change): Don't consider
	state changes affecting other state_machines.
	(state_change_event_creator::on_state_change): Likewise.
	(state_change_event_creator::m_pb): New field.
	(diagnostic_manager::add_events_for_eedge): Pass pb to visitor
	ctor.
	* region-model-impl-calls.cc
	(region_model::impl_deallocation_call): New.
	* region-model.cc: Include "attribs.h".
	(region_model::on_call_post): Handle fndecls referenced by
	__attribute__((deallocated_by(FOO))).
	* region-model.h (region_model::impl_deallocation_call): New decl.
	* sm-malloc.cc: Include "stringpool.h" and "attribs.h".  Add
	leading comment.
	(class api): Delete.
	(enum resource_state): Update comment for change from api to
	deallocator and deallocator_set.
	(allocation_state::allocation_state): Drop api param.  Add
	"deallocators" and "deallocator".
	(allocation_state::m_api): Drop field in favor of...
	(allocation_state::m_deallocators): New field.
	(allocation_state::m_deallocator): New field.
	(enum wording): Add WORDING_DEALLOCATED.
	(struct deallocator): New.
	(struct standard_deallocator): New.
	(struct custom_deallocator): New.
	(struct deallocator_set): New.
	(struct custom_deallocator_set): New.
	(struct standard_deallocator_set): New.
	(struct deallocator_set_map_traits): New.
	(malloc_state_machine::m_malloc): Drop field.
	(malloc_state_machine::m_scalar_new): Likewise.
	(malloc_state_machine::m_vector_new): Likewise.
	(malloc_state_machine::m_free): New field.
	(malloc_state_machine::m_scalar_delete): Likewise.
	(malloc_state_machine::m_vector_delete): Likewise.
	(malloc_state_machine::deallocator_map_t): New typedef.
	(malloc_state_machine::m_deallocator_map): New field.
	(malloc_state_machine::deallocator_set_cache_t): New typedef.
	(malloc_state_machine::m_custom_deallocator_set_cache): New field.
	(malloc_state_machine::custom_deallocator_set_map_t): New typedef.
	(malloc_state_machine::m_custom_deallocator_set_map): New field.
	(malloc_state_machine::m_dynamic_sets): New field.
	(malloc_state_machine::m_dynamic_deallocators): New field.
	(api::api): Delete.
	(deallocator::deallocator): New ctor.
	(deallocator::hash): New.
	(deallocator::dump_to_pp): New.
	(deallocator::cmp): New.
	(deallocator::cmp_ptr_ptr): New.
	(standard_deallocator::standard_deallocator): New ctor.
	(deallocator_set::deallocator_set): New ctor.
	(deallocator_set::dump): New.
	(custom_deallocator_set::custom_deallocator_set): New ctor.
	(custom_deallocator_set::contains_p): New.
	(custom_deallocator_set::maybe_get_single): New.
	(custom_deallocator_set::dump_to_pp): New.
	(standard_deallocator_set::standard_deallocator_set): New ctor.
	(standard_deallocator_set::contains_p): New.
	(standard_deallocator_set::maybe_get_single): New.
	(standard_deallocator_set::dump_to_pp): New.
	(start_p): New.
	(class mismatching_deallocation): Update for conversion from api
	to deallocator_set and deallocator.
	(double_free::emit): Use %qs.
	(class use_after_free): Update for conversion from api to
	deallocator_set and deallocator.
	(malloc_leak::describe_state_change): Only emit "allocated here" on
	a start->nonnull transition, rather than on other transitions to
	nonnull.
	(allocation_state::dump_to_pp): Update for conversion from api to
	deallocator_set.
	(allocation_state::get_nonnull): Likewise.
	(malloc_state_machine::malloc_state_machine): Likewise.
	(malloc_state_machine::~malloc_state_machine): New.
	(malloc_state_machine::add_state): Update for conversion from api
	to deallocator_set.
	(malloc_state_machine::get_or_create_custom_deallocator_set): New.
	(malloc_state_machine::maybe_create_custom_deallocator_set): New.
	(malloc_state_machine::get_or_create_deallocator): New.
	(malloc_state_machine::on_stmt): Update for conversion from api
	to deallocator_set.  Handle "__attribute__((malloc(FOO)))", and
	the special attribute set on FOO.
	(malloc_state_machine::on_allocator_call): Update for conversion
	from api to deallocator_set.  Add "returns_nonnull" param and use
	it to affect which state to transition to.
	(malloc_state_machine::on_deallocator_call): Update for conversion
	from api to deallocator_set.

2021-01-14  David Malcolm  <dmalcolm@redhat.com>

	* engine.cc (strongly_connected_components::to_json): New.
	(worklist::to_json): New.
	(exploded_graph::to_json): JSON-ify the worklist.
	* exploded-graph.h (strongly_connected_components::to_json): New
	decl.
	(worklist::to_json): New decl.
	* store.cc (store::to_json): Fix comment.
	* supergraph.cc (supernode::to_json): Fix reference to
	"returning_call" in comment.  Add optional "fun" to JSON.
	(edge_kind_to_string): New.
	(superedge::to_json): Add "kind" to JSON.

2021-01-14  David Malcolm  <dmalcolm@redhat.com>

	PR analyzer/98679
	* analyzer.h (region_offset::operator==): Make const.
	* pending-diagnostic.h (pending_diagnostic::equal_p): Likewise.
	* store.h (binding_cluster::for_each_value): Likewise.
	(binding_cluster::for_each_binding): Likewise.

2021-01-12  David Malcolm  <dmalcolm@redhat.com>

	PR analyzer/98628
	* store.cc (binding_cluster::make_unknown_relative_to): Don't mark
	dereferenced unknown pointers as having escaped.

2021-01-07  David Malcolm  <dmalcolm@redhat.com>

	PR analyzer/98580
	* region.cc (decl_region::get_svalue_for_initializer): Gracefully
	handle when LTO writes out DECL_INITIAL as error_mark_node.

2021-01-07  David Malcolm  <dmalcolm@redhat.com>

	PR analyzer/97074
	* store.cc (binding_cluster::can_merge_p): Add "out_store" param
	and pass to calls to binding_cluster::make_unknown_relative_to.
	(binding_cluster::make_unknown_relative_to): Add "out_store"
	param.  Use it to mark base regions that are pointed to by
	pointers that become unknown as having escaped.
	(store::can_merge_p): Pass out_store to
	binding_cluster::can_merge_p.
	* store.h (binding_cluster::can_merge_p): Add "out_store" param.
	(binding_cluster::make_unknown_relative_to): Likewise.
	* svalue.cc (region_svalue::implicitly_live_p): New vfunc.
	* svalue.h (region_svalue::implicitly_live_p): New vfunc decl.

2021-01-07  David Malcolm  <dmalcolm@redhat.com>

	PR analyzer/98564
	* engine.cc (exploded_path::feasible_p): Add missing call to
	bitmap_clear.

2021-01-06  David Malcolm  <dmalcolm@redhat.com>

	PR analyzer/97072
	* region-model-reachability.cc (reachable_regions::init_cluster):
	Convert symbolic region handling to a switch statement.  Add cases
	to handle SK_UNKNOWN and SK_CONJURED.

2021-01-05  David Malcolm  <dmalcolm@redhat.com>

	PR analyzer/98293
	* store.cc (binding_map::apply_ctor_to_region): When "index" is
	NULL, iterate through the fields for RECORD_TYPEs, rather than
	creating an INTEGER_CST index.

2020-11-30  David Malcolm  <dmalcolm@redhat.com>

	* analyzer-pass.cc: Include "analyzer/analyzer.h" for the
	declaration of sorry_no_analyzer; include "tree.h" and
	"function.h" as these are needed by it.

2020-11-30  David Malcolm  <dmalcolm@redhat.com>

	* analyzer-pass.cc (pass_analyzer::execute): Move sorry call to...
	(sorry_no_analyzer): New.
	* analyzer.h (class state_machine): New forward decl.
	(class logger): New forward decl.
	(class plugin_analyzer_init_iface): New.
	(sorry_no_analyzer): New decl.
	* checker-path.cc (checker_path::fixup_locations): New.
	* checker-path.h (checker_event::set_location): New.
	(checker_path::fixup_locations): New decl.
	* diagnostic-manager.cc
	(diagnostic_manager::emit_saved_diagnostic): Call
	checker_path::fixup_locations, and call fixup_location
	on the primary location.
	* engine.cc: Include "plugin.h".
	(class plugin_analyzer_init_impl): New.
	(impl_run_checkers): Invoke PLUGIN_ANALYZER_INIT callbacks.
	* pending-diagnostic.h (pending_diagnostic::fixup_location): New
	vfunc.

2020-11-18  David Malcolm  <dmalcolm@redhat.com>

	PR analyzer/97893
	* sm-malloc.cc (null_deref::emit): Use CWE-476 rather than
	CWE-690, as this isn't due to an unchecked return value.
	(null_arg::emit): Likewise.

2020-11-12  David Malcolm  <dmalcolm@redhat.com>

	* checker-path.h (checker_event::get_id_ptr): New.
	* diagnostic-manager.cc (path_builder::path_builder): Add "sd"
	param and use it to initialize new field "m_sd".
	(path_builder::get_pending_diagnostic): New.
	(path_builder::m_sd): New field.
	(diagnostic_manager::emit_saved_diagnostic): Pass sd to
	path_builder ctor.
	(diagnostic_manager::add_events_for_superedge): Call new
	maybe_add_custom_events_for_superedge vfunc.
	* engine.cc (stale_jmp_buf::stale_jmp_buf): Add "setjmp_point"
	param and use it to initialize new field "m_setjmp_point".
	Initialize new field "m_stack_pop_event".
	(stale_jmp_buf::maybe_add_custom_events_for_superedge): New vfunc
	implementation.
	(stale_jmp_buf::describe_final_event): New vfunc implementation.
	(stale_jmp_buf::m_setjmp_point): New field.
	(stale_jmp_buf::m_stack_pop_event): New field.
	(exploded_node::on_longjmp): Pass setjmp_point to stale_jmp_buf
	ctor.
	* pending-diagnostic.h
	(pending_diagnostic::maybe_add_custom_events_for_superedge): New
	vfunc.

2020-11-12  David Malcolm  <dmalcolm@redhat.com>

	PR tree-optimization/97424
	* analyzer.opt (Wanalyzer-shift-count-negative): New.
	(Wanalyzer-shift-count-overflow): New.
	* region-model.cc (class shift_count_negative_diagnostic): New.
	(class shift_count_overflow_diagnostic): New.
	(region_model::get_gassign_result): Complain about shift counts that
	are negative or are >= the operand's type's width.

2020-11-10  Martin Liska  <mliska@suse.cz>

	* constraint-manager.cc (constraint_manager::merge): Remove
	unused code.
	* constraint-manager.h: Likewise.
	* program-state.cc (sm_state_map::sm_state_map): Likewise.
	(program_state::program_state): Likewise.
	(test_sm_state_map): Likewise.
	* program-state.h: Likewise.
	* region-model-reachability.cc (reachable_regions::reachable_regions): Likewise.
	* region-model-reachability.h: Likewise.
	* region-model.cc (region_model::handle_unrecognized_call): Likewise.
	(region_model::get_reachable_svalues): Likewise.
	(region_model::can_merge_with_p): Likewise.

2020-11-05  David Malcolm  <dmalcolm@redhat.com>

	PR analyzer/97668
	* svalue.cc (cmp_cst): Handle COMPLEX_CST.

2020-10-29  David Malcolm  <dmalcolm@redhat.com>

	* program-state.cc (sm_state_map::on_liveness_change): Sort the
	leaking svalues before calling on_state_leak.
	(program_state::detect_leaks): Likewise when calling
	on_svalue_leak.
	* region-model-reachability.cc
	(reachable_regions::mark_escaped_clusters): Likewise when
	calling on_escaped_function.

2020-10-29  David Malcolm  <dmalcolm@redhat.com>

	PR analyzer/97608
	* region-model-reachability.cc (reachable_regions::handle_sval):
	Operands of reachable reversible operations are reachable.

2020-10-29  David Malcolm  <dmalcolm@redhat.com>

	* analyzer.h (class state_machine): New forward decl.
	(class logger): Likewise.
	(class visitor): Likewise.
	* complexity.cc: New file, taken from svalue.cc.
	* complexity.h: New file, taken from region-model.h.
	* region-model.h: Include "analyzer/svalue.h" and
	"analyzer/region.h".  Move struct complexity to complexity.h.
	Move svalue, its subclasses and supporting decls to svalue.h.
	Move region, its subclasses and supporting decls to region.h.
	* region.cc: Include "analyzer/region.h".
	(symbolic_region::symbolic_region): Move here from region-model.h.
	* region.h: New file, based on material from region-model.h.
	* svalue.cc: Include "analyzer/svalue.h".
	(complexity::complexity): Move to complexity.cc.
	(complexity::from_pair): Likewise.
	* svalue.h: New file, based on material from region-model.h.

2020-10-29  David Malcolm  <dmalcolm@redhat.com>

	* program-state.cc (sm_state_map::print): Guard the printing of
	the origin pointer with !flag_dump_noaddr.
	* region.cc (string_region::dump_to_pp): Likewise for
	m_string_cst.

2020-10-27  David Malcolm  <dmalcolm@redhat.com>

	PR analyzer/97568
	* region-model.cc (region_model::get_initial_value_for_global):
	Move check that !DECL_EXTERNAL from here to...
	* region.cc (decl_region::get_svalue_for_initializer): ...here,
	using it to reject zero initialization.

2020-10-27  Markus Böck  <markus.boeck02@gmail.com>

	PR analyzer/96608
	* store.h (hash): Cast to intptr_t instead of long.

2020-10-27  David Malcolm  <dmalcolm@redhat.com>

	* constraint-manager.cc (svalue_cmp_by_ptr): Delete.
	(equiv_class::canonicalize): Use svalue::cmp_ptr_ptr instead.
	(equiv_class_cmp): Eliminate pointer comparison.
	* diagnostic-manager.cc (dedupe_key::comparator): If they are at
	the same location, also compare epath length and pending_diagnostic
	kind.
	* engine.cc (readability_comparator): If two path_vars have the
	same readability, then impose an arbitrary ordering on them.
	(worklist::key_t::cmp): If two points have the same plan ordering,
	continue the comparison.  Call sm_state_map::cmp rather than
	comparing hash values.
	* program-state.cc (sm_state_map::entry_t::cmp): New.
	(sm_state_map::cmp): New.
	* program-state.h (sm_state_map::entry_t::cmp): New decl.
	(sm_state_map::elements): New.
	(sm_state_map::cmp): New.

2020-10-27  David Malcolm  <dmalcolm@redhat.com>

	* engine.cc (setjmp_record::cmp): New.
	(supernode_cluster::dump_dot): Avoid embedding pointer in cluster
	name.
	(supernode_cluster::cmp_ptr_ptr): New.
	(function_call_string_cluster::dump_dot): Avoid embedding pointer
	in cluster name.  Sort m_map when dumping child clusters.
	(function_call_string_cluster::cmp_ptr_ptr): New.
	(root_cluster::dump_dot): Sort m_map when dumping child clusters.
	* program-point.cc (function_point::cmp): New.
	(function_point::cmp_ptr): New.
	* program-point.h (function_point::cmp): New decl.
	(function_point::cmp_ptr): New decl.
	* program-state.cc (sm_state_map::print): Sort the values.  Guard
	the printing of pointers with !flag_dump_noaddr.
	(program_state::prune_for_point): Sort the regions.
	(log_set_of_svalues): Sort the values.  Guard the printing of
	pointers with !flag_dump_noaddr.
	* region-model-manager.cc (log_uniq_map): Sort the values.
	* region-model-reachability.cc (dump_set): New function template.
	(reachable_regions::dump_to_pp): Use it.
	* region-model.h (svalue::cmp_ptr): New decl.
	(svalue::cmp_ptr_ptr): New decl.
	(setjmp_record::cmp): New decl.
	(placeholder_svalue::get_name): New accessor.
	(widening_svalue::get_point): New accessor.
	(compound_svalue::get_map): New accessor.
	(conjured_svalue::get_stmt): New accessor.
	(conjured_svalue::get_id_region): New accessor.
	(region::cmp_ptrs): Rename to...
	(region::cmp_ptr_ptr): ...this.
	* region.cc (region::cmp_ptrs): Rename to...
	(region::cmp_ptr_ptr): ...this.
	* state-purge.cc
	(state_purge_per_ssa_name::state_purge_per_ssa_name): Sort
	m_points_needing_name when dumping.
	* store.cc (concrete_binding::cmp_ptr_ptr): New.
	(symbolic_binding::cmp_ptr_ptr): New.
	(binding_map::cmp): New.
	(get_sorted_parent_regions): Update for renaming of
	region::cmp_ptrs to region::cmp_ptr_ptr.
	(store::dump_to_pp): Likewise.
	(store::to_json): Likewise.
	(store::can_merge_p): Sort the base regions before considering
	them.
	* store.h (concrete_binding::cmp_ptr_ptr): New decl.
	(symbolic_binding::cmp_ptr_ptr): New decl.
	(binding_map::cmp): New decl.
	* supergraph.cc (supergraph::supergraph): Assign UIDs to the
	gimple stmts.
	* svalue.cc (cmp_cst): New.
	(svalue::cmp_ptr): New.
	(svalue::cmp_ptr_ptr): New.

2020-10-27  David Malcolm  <dmalcolm@redhat.com>

	* engine.cc (exploded_graph::get_or_create_node): Fix off-by-one
	when imposing param_analyzer_max_enodes_per_program_point limit.

2020-10-27  David Malcolm  <dmalcolm@redhat.com>

	* region-model.cc (region_model::get_representative_path_var):
	Implement case RK_LABEL.
	* region-model.h (label_region::get_label): New accessor.

2020-10-22  David Malcolm  <dmalcolm@redhat.com>

	PR analyzer/97514
	* engine.cc (exploded_graph::add_function_entry): Handle failure
	to create an enode, rather than asserting.

2020-10-22  David Malcolm  <dmalcolm@redhat.com>

	PR analyzer/97489
	* engine.cc (exploded_graph::add_function_entry): Assert that we
	have a function body.
	(exploded_graph::on_escaped_function): Reject fndecls that don't
	have a function body.

2020-10-14  David Malcolm  <dmalcolm@redhat.com>

	PR analyzer/93388
	* region-model.cc (region_model::get_initial_value_for_global):
	Fall back to returning an initial_svalue if
	decl_region::get_svalue_for_initializer fails.
	* region.cc (decl_region::get_svalue_for_initializer): Don't
	attempt to create a compound_svalue if the region has an unknown
	size.

2020-10-14  David Malcolm  <dmalcolm@redhat.com>

	PR analyzer/93723
	* store.cc (binding_map::apply_ctor_to_region): Remove redundant
	assertion.

2020-10-12  David Malcolm  <dmalcolm@redhat.com>

	PR analyzer/97258
	* engine.cc (impl_region_model_context::on_escaped_function): New
	vfunc.
	(exploded_graph::add_function_entry): Use m_functions_with_enodes
	to implement idempotency.
	(add_any_callbacks): New.
	(exploded_graph::build_initial_worklist): Use the above to find
	callbacks that are reachable from global initializers.
	(exploded_graph::on_escaped_function): New.
	* exploded-graph.h
	(impl_region_model_context::on_escaped_function): New decl.
	(exploded_graph::on_escaped_function): New decl.
	(exploded_graph::m_functions_with_enodes): New field.
	* region-model-reachability.cc
	(reachable_regions::reachable_regions): Replace "store" param with
	"model" param; use it to initialize m_model.
	(reachable_regions::add): When getting the svalue for the region,
	call get_store_value on the model rather than using an initial
	value.
	(reachable_regions::mark_escaped_clusters): Add ctxt param and
	use it to call on_escaped_function when a function_region escapes.
	* region-model-reachability.h
	(reachable_regions::reachable_regions): Replace "store" param with
	"model" param.
	(reachable_regions::mark_escaped_clusters): Add ctxt param.
	(reachable_regions::m_model): New field.
	* region-model.cc (region_model::handle_unrecognized_call): Update
	for change in reachable_regions ctor.
	(region_model::handle_unrecognized_call): Pass ctxt to
	mark_escaped_clusters.
	(region_model::get_reachable_svalues): Update for change in
	reachable_regions ctor.
	(region_model::get_initial_value_for_global): Read-only variables
	keep their initial values.
	* region-model.h (region_model_context::on_escaped_function): New
	vfunc.
	(noop_region_model_context::on_escaped_function): New.

2020-10-12  David Malcolm  <dmalcolm@redhat.com>

	* analyzer.opt (Wanalyzer-write-to-const): New.
	(Wanalyzer-write-to-string-literal): New.
	* region-model-impl-calls.cc (region_model::impl_call_memcpy):
	Call check_for_writable_region.
	(region_model::impl_call_memset): Likewise.
	(region_model::impl_call_strcpy): Likewise.
	* region-model.cc (class write_to_const_diagnostic): New.
	(class write_to_string_literal_diagnostic): New.
	(region_model::check_for_writable_region): New.
	(region_model::set_value): Call check_for_writable_region.
	* region-model.h (region_model::check_for_writable_region): New
	decl.

2020-10-07  David Malcolm  <dmalcolm@redhat.com>

	PR analyzer/97116
	* sm-malloc.cc (method_p): New.
	(describe_argument_index): New.
	(inform_nonnull_attribute): Use describe_argument_index.
	(possible_null_arg::describe_final_event): Likewise.
	(null_arg::describe_final_event): Likewise.

2020-09-29  David Malcolm  <dmalcolm@redhat.com>

	PR analyzer/95188
	* engine.cc (stmt_requires_new_enode_p): Split enodes before
	"signal" calls.

2020-09-29  David Malcolm  <dmalcolm@redhat.com>

	* constraint-manager.cc
	(constraint_manager::add_constraint_internal): Whitespace fixes.
	Silence -Wsign-compare warning.
	* engine.cc (maybe_process_run_of_before_supernode_enodes):
	Silence -Wsign-compare warning.

2020-09-28  David Malcolm  <dmalcolm@redhat.com>

	* region-model.h (binop_svalue::dyn_cast_binop_svalue): Remove
	redundant "virtual".  Add FINAL OVERRIDE.
	(widening_svalue::dyn_cast_widening_svalue): Add FINAL OVERRIDE.
	(compound_svalue::dyn_cast_compound_svalue): Likewise.
	(conjured_svalue::dyn_cast_conjured_svalue): Likewise.

2020-09-28  David Malcolm  <dmalcolm@redhat.com>

	* diagnostic-manager.cc (null_assignment_sm_context::m_visitor):
	Remove unused field.

2020-09-28  David Malcolm  <dmalcolm@redhat.com>

	PR analyzer/97233
	* analyzer.cc (is_longjmp_call_p): Require the initial argument
	to be a pointer.
	* engine.cc (exploded_node::on_longjmp): Likewise.

2020-09-28  David Malcolm  <dmalcolm@redhat.com>

	* program-state.cc (sm_state_map::print): Update check
	for m_global_state being the start state.

2020-09-26  David Malcolm  <dmalcolm@redhat.com>

	PR analyzer/96646
	PR analyzer/96841
	* region-model.cc (region_model::get_representative_path_var):
	When handling offset_region, wrap the MEM_REF's first argument in
	an ADDR_EXPR of pointer type, rather than simply using the tree
	for the parent region.  Require the MEM_REF's second argument to
	be an integer constant.

2020-09-24  David Malcolm  <dmalcolm@redhat.com>

	* analyzer.h (struct rejected_constraint): New decl.
	* analyzer.opt (fanalyzer-feasibility): New option.
	* diagnostic-manager.cc (path_builder::path_builder): Add
	"problem" param and use it to initialize new field.
	(path_builder::get_feasibility_problem): New accessor.
	(path_builder::m_feasibility_problem): New field.
	(dedupe_winners::add): Remove inversion of logic in "if" clause,
	swapping if/else suites. In the !feasible_p suite, inspect
	flag_analyzer_feasibility and add code to handle when this
	is off, accepting the infeasible path, but recording the
	feasibility_problem.
	(diagnostic_manager::emit_saved_diagnostic): Pass the
	feasibility_problem to the path_builder.
	(diagnostic_manager::add_events_for_eedge): If we have
	a feasibility_problem at this edge, use it to add a custom event.
	* engine.cc (exploded_path::feasible_p): Pass a
	rejected_constraint ** to model.maybe_update_for_edge and transfer
	ownership of any created instance to any feasibility_problem.
	(feasibility_problem::dump_to_pp): New.
	* exploded-graph.h (feasibility_problem::feasibility_problem):
	Drop "model" param; add rejected_constraint * param.
	(feasibility_problem::~feasibility_problem): New.
	(feasibility_problem::dump_to_pp): New decl.
	(feasibility_problem::m_model): Drop field.
	(feasibility_problem::m_rc): New field.
	* program-point.cc (function_point::get_location): Handle
	PK_BEFORE_SUPERNODE and PK_AFTER_SUPERNODE.
	* program-state.cc (program_state::on_edge): Pass NULL to new
	param of region_model::maybe_update_for_edge.
	* region-model.cc (region_model::add_constraint): New overload
	adding a rejected_constraint ** param.
	(region_model::maybe_update_for_edge): Add rejected_constraint **
	param and pass it to the various apply_constraints_for_ calls.
	(region_model::apply_constraints_for_gcond): Add
	rejected_constraint ** param and pass it to add_constraint calls.
	(region_model::apply_constraints_for_gswitch): Likewise.
	(region_model::apply_constraints_for_exception): Likewise.
	(rejected_constraint::dump_to_pp): New.
	* region-model.h (region_model::maybe_update_for_edge):
	Add rejected_constraint ** param.
	(region_model::add_constraint): New overload adding a
	rejected_constraint ** param.
	(region_model::apply_constraints_for_gcond): Add
	rejected_constraint ** param.
	(region_model::apply_constraints_for_gswitch): Likewise.
	(region_model::apply_constraints_for_exception): Likewise.
	(struct rejected_constraint): New.

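The shape of program that the path-feasibility filtering above exists for, as an added example that is not GCC's own code or testsuite (the function, its parameters and the `staged` flag are hypothetical): a heap buffer is allocated under one test of `staged` and released under a second test of the same flag. The only control-flow path on which `buf` is never freed is one that takes the first branch and skips the third, which requires `staged` to be both true and false at once. That path exists in the control-flow graph but is infeasible, which is the kind of path a rejected_constraint records; with the new -fanalyzer-feasibility option turned off, the entry says such a path is accepted and reported, with the feasibility problem attached as a custom event, instead of being discarded.

```cpp
#include <cstdlib>
#include <cstring>

// Copies at most cap-1 bytes of src into dst and NUL-terminates it.
// When `staged` is set the copy goes through a temporary heap buffer;
// the allocation and the matching free() are guarded by the same flag.
// Returns the number of bytes copied (0 if cap is 0 or allocation fails).
size_t copy_bounded(const char *src, char *dst, size_t cap, bool staged)
{
    if (cap == 0)
        return 0;

    // Length of src, bounded so that the terminator always fits in dst.
    size_t n = 0;
    while (n < cap - 1 && src[n] != '\0')
        ++n;

    char *buf = nullptr;
    if (staged)                          // first test of the flag
        buf = static_cast<char *>(malloc(n + 1));

    if (staged && buf == nullptr)        // allocation failure: nothing to free
        return 0;

    if (staged) {                        // second test of the same flag
        memcpy(buf, src, n);
        buf[n] = '\0';
        memcpy(dst, buf, n + 1);
        free(buf);                       // released on every path that allocated
    } else {
        memcpy(dst, src, n);
        dst[n] = '\0';
    }
    return n;
}
```

A path through the allocating branch that then takes the `else` branch would leave `buf` unfreed, but it needs the constraints `staged != 0` and `staged == 0` together; that contradiction is what the feasibility check detects, so no leak is reported for it.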
2020-09-23  David Malcolm  <dmalcolm@redhat.com>

	PR analyzer/97178
	* engine.cc (impl_run_checkers): Update for change to ext_state
	ctor.
	* program-state.cc (selftest::test_sm_state_map): Pass an engine
	instance to ext_state ctor.
	(selftest::test_program_state_1): Likewise.
	(selftest::test_program_state_2): Likewise.
	(selftest::test_program_state_merging): Likewise.
	(selftest::test_program_state_merging_2): Likewise.
	* program-state.h (extrinsic_state::extrinsic_state): Remove NULL
	default value for "eng" param.

2020-09-23  Tobias Burnus  <tobias@codesourcery.com>

	* analyzer-logging.cc: Guard '#pragma ... ignored "-Wformat-diag"'
	by '#if __GNUC__ >= 10'.
	* analyzer.h: Likewise.
	* call-string.cc: Likewise.

2020-09-23  David Malcolm  <dmalcolm@redhat.com>

	* engine.cc (exploded_node::on_stmt): Replace sequence of dyn_cast
	with switch.

2020-09-22  David Malcolm  <dmalcolm@redhat.com>

	* analysis-plan.cc: Include "json.h".
	* analyzer.opt (fdump-analyzer-json): New.
	* call-string.cc: Include "json.h".
	(call_string::to_json): New.
	* call-string.h (call_string::to_json): New decl.
	* checker-path.cc: Include "json.h".
	* constraint-manager.cc: Include "json.h".
	(equiv_class::to_json): New.
	(constraint::to_json): New.
	(constraint_manager::to_json): New.
	* constraint-manager.h (equiv_class::to_json): New decl.
	(constraint::to_json): New decl.
	(constraint_manager::to_json): New decl.
	* diagnostic-manager.cc: Include "json.h".
	(saved_diagnostic::to_json): New.
	(diagnostic_manager::to_json): New.
	* diagnostic-manager.h (saved_diagnostic::to_json): New decl.
	(diagnostic_manager::to_json): New decl.
	* engine.cc: Include "json.h", <zlib.h>.
	(exploded_node::status_to_str): New.
	(exploded_node::to_json): New.
	(exploded_edge::to_json): New.
	(exploded_graph::to_json): New.
	(dump_analyzer_json): New.
	(impl_run_checkers): Call it.
	* exploded-graph.h (exploded_node::status_to_str): New decl.
	(exploded_node::to_json): New.
	(exploded_edge::to_json): New.
	(exploded_graph::to_json): New.
	* pending-diagnostic.cc: Include "json.h".
	* program-point.cc: Include "json.h".
	(program_point::to_json): New.
	* program-point.h (program_point::to_json): New decl.
	* program-state.cc: Include "json.h".
	(extrinsic_state::to_json): New.
	(sm_state_map::to_json): New.
	(program_state::to_json): New.
	* program-state.h (extrinsic_state::to_json): New decl.
	(sm_state_map::to_json): New decl.
	(program_state::to_json): New decl.
	* region-model-impl-calls.cc: Include "json.h".
	* region-model-manager.cc: Include "json.h".
	* region-model-reachability.cc: Include "json.h".
	* region-model.cc: Include "json.h".
	* region-model.h (svalue::to_json): New decl.
	(region::to_json): New decl.
	* region.cc: Include "json.h".
	(region::to_json): New.
	* sm-file.cc: Include "json.h".
	* sm-malloc.cc: Include "json.h".
	* sm-pattern-test.cc: Include "json.h".
	* sm-sensitive.cc: Include "json.h".
	* sm-signal.cc: Include "json.h".
	(signal_delivery_edge_info_t::to_json): New.
	* sm-taint.cc: Include "json.h".
	* sm.cc: Include "diagnostic.h", "tree-diagnostic.h", and
	"json.h".
	(state_machine::state::to_json): New.
	(state_machine::to_json): New.
	* sm.h (state_machine::state::to_json): New.
	(state_machine::to_json): New.
	* state-purge.cc: Include "json.h".
	* store.cc: Include "json.h".
	(binding_key::get_desc): New.
	(binding_map::to_json): New.
	(binding_cluster::to_json): New.
	(store::to_json): New.
	* store.h (binding_key::get_desc): New decl.
	(binding_map::to_json): New decl.
	(binding_cluster::to_json): New decl.
	(store::to_json): New decl.
	* supergraph.cc: Include "json.h".
	(supergraph::to_json): New.
	(supernode::to_json): New.
	(superedge::to_json): New.
	* supergraph.h (supergraph::to_json): New decl.
	(supernode::to_json): New decl.
	(superedge::to_json): New decl.
	* svalue.cc: Include "json.h".
	(svalue::to_json): New.

2020-09-21  David Malcolm  <dmalcolm@redhat.com>

	PR analyzer/97130
	* region-model-impl-calls.cc (call_details::get_arg_type): New.
	* region-model.cc (region_model::on_call_pre): Check that the
	initial arg is a pointer before calling impl_call_memset and
	impl_call_strlen.
	* region-model.h (call_details::get_arg_type): New decl.

2020-09-21  David Malcolm  <dmalcolm@redhat.com>

	PR analyzer/93355
	* sm-malloc.cc (malloc_state_machine::get_default_state): Look at
	the base region when considering pointers. Treat pointers to
	decls as being non-heap.

2020-09-18  David Malcolm  <dmalcolm@redhat.com>

	* checker-path.cc (warning_event::get_desc): Handle global state
	changes.

2020-09-18  David Malcolm  <dmalcolm@redhat.com>

	* sm-malloc.cc (malloc_state_machine::on_stmt): Handle strdup and
	strndup as being malloc-like allocators.

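Two behaviours of the malloc state machine touched by the strdup entry above and by the PR analyzer/93355 entry of 2020-09-21, as an added example that is not GCC's own code or testsuite (the function names and the sample inputs are hypothetical): the result of strdup is tracked like a malloc result, so the early return in leaky_count_fields leaves a heap allocation that is never freed, and a pointer whose base region is a declared object (the automatic array in free_of_stack_buffer) is non-heap and must never reach free. strtok is used because it writes into its argument, which is the usual reason a function needs its own copy of a string in the first place.

```cpp
#include <cstdlib>
#include <cstring>

// Counts the strtok() fields of `line`.  strtok modifies its input, so
// the line is duplicated first.  The copy is released on every path.
size_t count_fields(const char *line, const char *seps)
{
    char *copy = strdup(line);             // heap allocation, malloc-like
    if (copy == nullptr)
        return 0;
    size_t n = 0;
    for (char *tok = strtok(copy, seps); tok != nullptr; tok = strtok(nullptr, seps))
        ++n;
    free(copy);
    return n;
}

// Same computation, but comment lines return early without freeing the
// duplicate: with strdup modelled as an allocator, that path is a leak
// (the diagnostic aimed at it is -Wanalyzer-malloc-leak).
size_t leaky_count_fields(const char *line, const char *seps)
{
    char *copy = strdup(line);
    if (copy == nullptr)
        return 0;
    if (copy[0] == '#')
        return 0;                          // `copy` is never freed on this path
    size_t n = 0;
    for (char *tok = strtok(copy, seps); tok != nullptr; tok = strtok(nullptr, seps))
        ++n;
    free(copy);
    return n;
}

// free() of a pointer into an automatic array.  The pointer's base region
// is the decl `buf`, which the state machine now treats as non-heap, so
// this is the case behind -Wanalyzer-free-of-non-heap.  Never call this:
// freeing stack memory is undefined behaviour; it exists to be analysed.
void free_of_stack_buffer()
{
    char buf[8] = "abc";
    char *p = buf + 1;                     // still points within `buf`
    free(p);
}
```

Compile with `g++ -fanalyzer -c` to analyse; only count_fields and leaky_count_fields are safe to execute (the leak in the latter is harmless at runtime, it simply never returns the memory).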
2020-09-16  David Malcolm  <dmalcolm@redhat.com>

	* engine.cc (strongly_connected_components::strong_connect): Only
	consider intraprocedural edges when creating SCCs.
	(worklist::key_t::cmp): Add comment. Treat call_string
	differences as more important than differences of program_point
	within a supernode.

2020-09-16  David Malcolm  <dmalcolm@redhat.com>

	* engine.cc (supernode_cluster::dump_dot): Show the SCC id
	in the per-supernode clusters in FILENAME.eg.dot output.
	(exploded_graph_annotator::add_node_annotations):
	Show the SCC of the supernode in FILENAME.supernode.eg.dot output.
	* exploded-graph.h (worklist::scc_id): New.
	(exploded_graph::get_scc_id): New.

2020-09-16  David Malcolm  <dmalcolm@redhat.com>

	* engine.cc (exploded_node::dump_dot): Show STATUS_BULK_MERGED.
	(exploded_graph::process_worklist): Call
	maybe_process_run_of_before_supernode_enodes.
	(exploded_graph::maybe_process_run_of_before_supernode_enodes):
	New.
	(exploded_graph_annotator::print_enode): Show STATUS_BULK_MERGED.
	* exploded-graph.h (enum exploded_node::status): Add
	STATUS_BULK_MERGED.

2020-09-16  David Malcolm  <dmalcolm@redhat.com>

	* engine.cc
	(exploded_graph::process_node) <case PK_BEFORE_SUPERNODE>:
	Simplify by using program_point::get_next.
	* program-point.cc (program_point::get_next): New.
	* program-point.h (program_point::get_next): New decl.

2020-09-16  David Malcolm  <dmalcolm@redhat.com>

	* engine.cc (exploded_graph::get_or_create_node): Show the
	program point when issuing -Wanalyzer-too-complex due to hitting
	the per-program-point limit.

2020-09-16  David Malcolm  <dmalcolm@redhat.com>

	* region-model.cc (region_model::on_call_pre): Treat getchar as
	having no side-effects.

2020-09-15  David Malcolm  <dmalcolm@redhat.com>

	PR analyzer/96650
	* constraint-manager.cc (merger_fact_visitor::on_fact): Replace
	assertion that add_constraint succeeded with an assertion that
	if it fails, -fanalyzer-transitivity is off.

2020-09-14  David Malcolm  <dmalcolm@redhat.com>

	* analyzer.opt (-param=analyzer-max-constraints=): New param.
	* constraint-manager.cc
	(constraint_manager::add_constraint_internal): Silently reject
	attempts to add constraints when the above limit is reached.

2020-09-14  David Malcolm  <dmalcolm@redhat.com>

	PR analyzer/96653
	* constraint-manager.cc
	(constraint_manager::get_or_add_equiv_class): Don't accumulate
	transitive closure of all constraints on constants.

2020-09-14  David Malcolm  <dmalcolm@redhat.com>

	PR analyzer/97029
	* analyzer.cc (is_setjmp_call_p): Require the initial arg to be a
	pointer.
	* region-model.cc (region_model::deref_rvalue): Assert that the
	svalue is of pointer type.

2020-09-11  David Malcolm  <dmalcolm@redhat.com>

	PR analyzer/96798
	* region-model-impl-calls.cc (region_model::impl_call_memcpy):
	New.
	(region_model::impl_call_strcpy): New.
	* region-model.cc (region_model::on_call_pre): Flag unhandled
	builtins that are non-pure as having unknown side-effects.
	Implement BUILT_IN_MEMCPY, BUILT_IN_MEMCPY_CHK, BUILT_IN_STRCPY,
	BUILT_IN_STRCPY_CHK, BUILT_IN_FPRINTF, BUILT_IN_FPRINTF_UNLOCKED,
	BUILT_IN_PUTC, BUILT_IN_PUTC_UNLOCKED, BUILT_IN_FPUTC,
	BUILT_IN_FPUTC_UNLOCKED, BUILT_IN_FPUTS, BUILT_IN_FPUTS_UNLOCKED,
	BUILT_IN_FWRITE, BUILT_IN_FWRITE_UNLOCKED, BUILT_IN_PRINTF,
	BUILT_IN_PRINTF_UNLOCKED, BUILT_IN_PUTCHAR,
	BUILT_IN_PUTCHAR_UNLOCKED, BUILT_IN_PUTS, BUILT_IN_PUTS_UNLOCKED,
	BUILT_IN_VFPRINTF, BUILT_IN_VPRINTF.
	* region-model.h (region_model::impl_call_memcpy): New decl.
	(region_model::impl_call_strcpy): New decl.

2020-09-09  David Malcolm  <dmalcolm@redhat.com>

	PR analyzer/94355
	* analyzer.opt (Wanalyzer-mismatching-deallocation): New warning.
	* region-model-impl-calls.cc
	(region_model::impl_call_operator_new): New.
	(region_model::impl_call_operator_delete): New.
	* region-model.cc (region_model::on_call_pre): Detect operator new
	and operator delete.
	(region_model::on_call_post): Likewise.
	(region_model::maybe_update_for_edge): Detect EH edges and call...
	(region_model::apply_constraints_for_exception): New function.
	* region-model.h (region_model::impl_call_operator_new): New decl.
	(region_model::impl_call_operator_delete): New decl.
	(region_model::apply_constraints_for_exception): New decl.
	* sm-malloc.cc (enum resource_state): New.
	(struct allocation_state): New state subclass.
	(enum wording): New.
	(struct api): New.
	(malloc_state_machine::custom_data_t): New typedef.
	(malloc_state_machine::add_state): New decl.
	(malloc_state_machine::m_unchecked)
	(malloc_state_machine::m_nonnull)
	(malloc_state_machine::m_freed): Delete these states in favor
	of...
	(malloc_state_machine::m_malloc)
	(malloc_state_machine::m_scalar_new)
	(malloc_state_machine::m_vector_new): ...these new api instances,
	which own their own versions of these states.
	(malloc_state_machine::on_allocator_call): New decl.
	(malloc_state_machine::on_deallocator_call): New decl.
	(api::api): New ctor.
	(dyn_cast_allocation_state): New.
	(as_a_allocation_state): New.
	(get_rs): New.
	(unchecked_p): New.
	(nonnull_p): New.
	(freed_p): New.
	(malloc_diagnostic::describe_state_change): Use unchecked_p and
	nonnull_p.
	(class mismatching_deallocation): New.
	(double_free::double_free): Add funcname param for initializing
	m_funcname.
	(double_free::emit): Use m_funcname in warning message rather
	than hardcoding "free".
	(double_free::describe_state_change): Likewise. Use freed_p.
	(double_free::describe_call_with_state): Use freed_p.
	(double_free::describe_final_event): Use m_funcname in message
	rather than hardcoding "free".
	(double_free::m_funcname): New field.
	(possible_null::describe_state_change): Use unchecked_p.
	(possible_null::describe_return_of_state): Likewise.
	(use_after_free::use_after_free): Add param for initializing m_api.
	(use_after_free::emit): Use m_api->m_dealloc_funcname in message
	rather than hardcoding "free".
	(use_after_free::describe_state_change): Use freed_p. Change the
	wording of the message based on the API.
	(use_after_free::describe_final_event): Use
	m_api->m_dealloc_funcname in message rather than hardcoding
	"free". Change the wording of the message based on the API.
	(use_after_free::m_api): New field.
	(malloc_leak::describe_state_change): Use unchecked_p. Update
	for renaming of m_malloc_event to m_alloc_event.
	(malloc_leak::describe_final_event): Update for renaming of
	m_malloc_event to m_alloc_event.
	(malloc_leak::m_malloc_event): Rename...
	(malloc_leak::m_alloc_event): ...to this.
	(free_of_non_heap::free_of_non_heap): Add param for initializing
	m_funcname.
	(free_of_non_heap::emit): Use m_funcname in message rather than
	hardcoding "free".
	(free_of_non_heap::describe_final_event): Likewise.
	(free_of_non_heap::m_funcname): New field.
	(allocation_state::dump_to_pp): New.
	(allocation_state::get_nonnull): New.
	(malloc_state_machine::malloc_state_machine): Update for changes
	to state fields and new api fields.
	(malloc_state_machine::add_state): New.
	(malloc_state_machine::on_stmt): Move malloc/calloc handling to
	on_allocator_call and call it, passing in the API pointer.
	Likewise for free, moving it to on_deallocator_call. Handle calls
	to operator new and delete in an analogous way. Use unchecked_p
	when testing for possibly-null-arg and possibly-null-deref, and
	transition to the non-null for the correct API. Remove redundant
	node param from call to on_zero_assignment. Use freed_p for
	use-after-free check, and pass in API.
	(malloc_state_machine::on_allocator_call): New, based on code in
	on_stmt.
	(malloc_state_machine::on_deallocator_call): Likewise.
	(malloc_state_machine::on_phi): Mark node param with
	ATTRIBUTE_UNUSED; don't pass it to on_zero_assignment.
	(malloc_state_machine::on_condition): Mark node param with
	ATTRIBUTE_UNUSED. Replace on_transition calls with get_state and
	set_next_state pairs, transitioning to the non-null state for the
	appropriate API.
	(malloc_state_machine::can_purge_p): Port to new state approach.
	(malloc_state_machine::on_zero_assignment): Replace on_transition
	calls with get_state and set_next_state pairs. Drop redundant
	node param.
	* sm.h (state_machine::add_custom_state): New.

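A translation unit exercising the three allocator/deallocator pairs that sm-malloc.cc keeps as separate api instances after the entry above (malloc/free, scalar new/delete, and new[]/delete[]), written as an added example rather than taken from GCC or its testsuite; the Record type and the function names are hypothetical. The first three functions each release memory with a deallocator from a different api than the one that allocated it and exist only to be compiled with -fanalyzer, where -Wanalyzer-mismatching-deallocation is the diagnostic aimed at them. sum_record_ids shows the matched pairing together with the null check that moves the pointer from the api's "unchecked" state to its "nonnull" state before it is dereferenced.

```cpp
#include <cstdlib>
#include <new>

// Hypothetical payload type, used only for this example.
struct Record {
    int id;
    int payload[4];
};

// Memory from scalar `new` handed to free(): the deallocator belongs to
// the malloc api, the allocation to the scalar-new api.  Never call this;
// it is undefined behaviour at runtime and exists only to be analysed.
void mismatched_new_free()
{
    Record *r = new Record{1, {0, 0, 0, 0}};
    free(r);
}

// The reverse mismatch: malloc() memory released with scalar delete.
void mismatched_malloc_delete()
{
    Record *r = static_cast<Record *>(malloc(sizeof(Record)));
    if (r == nullptr)
        return;
    r->id = 2;
    delete r;
}

// Array allocation released with the scalar form: new[] and delete[]
// are the vector-new api, scalar delete is not.
void mismatched_array_delete()
{
    Record *rs = new Record[4];
    delete rs;
}

// Correctly paired: the nothrow allocation is checked before use and
// every path that allocated releases with delete[].  Returns the sum of
// the ids written, 0 for a non-positive count, or -1 if allocation failed.
int sum_record_ids(int count)
{
    if (count <= 0)
        return 0;
    Record *rs = new (std::nothrow) Record[count];
    if (rs == nullptr)          // unchecked -> nonnull transition
        return -1;
    int sum = 0;
    for (int i = 0; i < count; i++) {
        rs[i].id = i + 1;
        sum += rs[i].id;
    }
    delete[] rs;
    return sum;
}
```

Compile with `g++ -fanalyzer -c` to analyse the unit; only sum_record_ids is safe to execute.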
2020-09-09  David Malcolm  <dmalcolm@redhat.com>

	* diagnostic-manager.cc
	(null_assignment_sm_context::warn_for_state): Replace with...
	(null_assignment_sm_context::warn): ...this.
	* engine.cc (impl_sm_context::warn_for_state): Replace with...
	(impl_sm_context::warn): ...this.
	* sm-file.cc (fileptr_state_machine::on_stmt): Replace
	warn_for_state and on_transition calls with a get_state
	test guarding warn and set_next_state calls.
	* sm-malloc.cc (malloc_state_machine::on_stmt): Likewise.
	* sm-pattern-test.cc (pattern_test_state_machine::on_condition):
	Replace warn_for_state call with warn call.
	* sm-sensitive.cc
	(sensitive_state_machine::warn_for_any_exposure): Replace
	warn_for_state call with a get_state test guarding a warn call.
	* sm-signal.cc (signal_state_machine::on_stmt): Likewise.
	* sm-taint.cc (taint_state_machine::on_stmt): Replace
	warn_for_state and on_transition calls with a get_state
	test guarding warn and set_next_state calls.
	* sm.h (sm_context::warn_for_state): Replace with...
	(sm_context::warn): ...this.

2020-09-09  David Malcolm  <dmalcolm@redhat.com>

	* diagnostic-manager.cc
	(null_assignment_sm_context::null_assignment_sm_context): Add old_state
	and ext_state params, initializing m_old_state and m_ext_state.
	(null_assignment_sm_context::on_transition): Split into...
	(null_assignment_sm_context::get_state): ...this new vfunc
	implementation and...
	(null_assignment_sm_context::set_next_state): ...this new vfunc
	implementation.
	(null_assignment_sm_context::m_old_state): New field.
	(null_assignment_sm_context::m_ext_state): New field.
	(diagnostic_manager::add_events_for_eedge): Pass in old state and
	ext_state when creating sm_ctxt.
	* engine.cc (impl_sm_context::on_transition): Split into...
	(impl_sm_context::get_state): ...this new vfunc
	implementation and...
	(impl_sm_context::set_next_state): ...this new vfunc
	implementation.
	* sm.h (sm_context::get_state): New pure virtual function.
	(sm_context::set_next_state): Likewise.
	(sm_context::on_transition): Convert from a pure virtual function
	to a regular function implemented in terms of get_state and
	set_next_state.

2020-09-09  David Malcolm  <dmalcolm@redhat.com>

	* checker-path.cc (state_change_event::get_desc): Update
	state_machine::get_state_name calls to state::get_name.
	(warning_event::get_desc): Likewise.
	* diagnostic-manager.cc
	(null_assignment_sm_context::on_transition): Update comparison
	against 0 with comparison with m_sm.get_start_state.
	(diagnostic_manager::prune_for_sm_diagnostic): Update
	state_machine::get_state_name calls to state::get_name.
	* engine.cc (impl_sm_context::on_transition): Likewise.
	(exploded_node::get_dot_fillcolor): Use get_id when summing
	the sm states.
	* program-state.cc (sm_state_map::sm_state_map): Don't hardcode
	0 as the start state when initializing m_global_state.
	(sm_state_map::print): Use dump_to_pp rather than get_state_name
	when dumping states.
	(sm_state_map::is_empty_p): Don't hardcode 0 as the start state
	when examining m_global_state.
	(sm_state_map::hash): Use get_id when hashing states.
	(selftest::test_sm_state_map): Use state objects rather than
	arbitrary hardcoded integers.
	(selftest::test_program_state_merging): Likewise.
	(selftest::test_program_state_merging_2): Likewise.
	* sm-file.cc (fileptr_state_machine::m_start): Move to base class.
	(file_diagnostic::describe_state_change): Use get_start_state.
	(fileptr_state_machine::fileptr_state_machine): Drop m_start
	initialization.
	* sm-malloc.cc (malloc_state_machine::m_start): Move to base
	class.
	(malloc_diagnostic::describe_state_change): Use get_start_state.
	(possible_null::describe_state_change): Likewise.
	(malloc_state_machine::malloc_state_machine): Drop m_start
	initialization.
	* sm-pattern-test.cc (pattern_test_state_machine::m_start): Move
	to base class.
	(pattern_test_state_machine::pattern_test_state_machine): Drop
	m_start initialization.
	* sm-sensitive.cc (sensitive_state_machine::m_start): Move to base
	class.
	(sensitive_state_machine::sensitive_state_machine): Drop m_start
	initialization.
	* sm-signal.cc (signal_state_machine::m_start): Move to base
	class.
	(signal_state_machine::signal_state_machine): Drop m_start
	initialization.
	* sm-taint.cc (taint_state_machine::m_start): Move to base class.
	(taint_state_machine::taint_state_machine): Drop m_start
	initialization.
	* sm.cc (state_machine::state::dump_to_pp): New.
	(state_machine::state_machine): Move here from sm.h. Initialize
	m_next_state_id and m_start.
	(state_machine::add_state): Reimplement in terms of state objects.
	(state_machine::get_state_name): Delete.
	(state_machine::get_state_by_name): Reimplement in terms of state
	objects. Make const.
	(state_machine::validate): Delete.
	(state_machine::dump_to_pp): Reimplement in terms of state
	objects.
	* sm.h (state_machine::state): New class.
	(state_machine::state_t): Convert typedef from "unsigned" to
	"const state_machine::state *".
	(state_machine::state_machine): Move to sm.cc.
	(state_machine::get_default_state): Use m_start rather than
	hardcoding 0.
	(state_machine::get_state_name): Delete.
	(state_machine::get_state_by_name): Make const.
	(state_machine::get_start_state): New accessor.
	(state_machine::alloc_state_id): New.
	(state_machine::m_state_names): Drop in favor of...
	(state_machine::m_states): New field.
	(state_machine::m_start): New field.
	(start_start_p): Delete.

2020-09-08  David Malcolm  <dmalcolm@redhat.com>

	PR analyzer/96949
	* store.cc (binding_map::apply_ctor_val_to_range): Add
	error-handling for the cases where we have symbolic offsets.

2020-09-08  David Malcolm  <dmalcolm@redhat.com>

	PR analyzer/96950
	* store.cc (binding_map::apply_ctor_to_region): Handle RANGE_EXPR
	where min_index == max_index.
	(binding_map::apply_ctor_val_to_range): Replace assertion that we
	don't have a CONSTRUCTOR value with error-handling.

2020-09-08  David Malcolm  <dmalcolm@redhat.com>

	PR analyzer/96962
	* region-model.cc (region_model::on_call_pre): Fix guard on switch
	on built-ins to only consider BUILT_IN_NORMAL, rather than other
	kinds of built-ins.

2020-09-01  David Malcolm  <dmalcolm@redhat.com>

	PR analyzer/96792
	* region-model.cc (region_model::deref_rvalue): Add the constraint
	that PTR_SVAL is non-NULL.

2020-08-31  David Malcolm  <dmalcolm@redhat.com>

	PR analyzer/96798
	* region-model.cc (region_model::on_call_pre): Handle
	BUILT_IN_MEMSET_CHK.

2020-08-31  David Malcolm  <dmalcolm@redhat.com>

	* region-model.cc (region_model::on_call_pre): Gather handling of
	builtins and of internal fns into switch statements. Handle
	"alloca" and BUILT_IN_ALLOCA_WITH_ALIGN.

2020-08-31  David Malcolm  <dmalcolm@redhat.com>

	PR analyzer/96860
	* region.cc (decl_region::get_svalue_for_constructor): Support
	apply_ctor_to_region failing.
	* store.cc (binding_map::apply_ctor_to_region): Add failure
	handling.
	(binding_map::apply_ctor_val_to_range): Likewise.
	(binding_map::apply_ctor_pair_to_child_region): Likewise. Replace
	assertion that child_base_offset is not symbolic with error
	handling.
	* store.h (binding_map::apply_ctor_to_region): Convert return type
	from void to bool.
	(binding_map::apply_ctor_val_to_range): Likewise.
	(binding_map::apply_ctor_pair_to_child_region): Likewise.

2020-08-31  David Malcolm  <dmalcolm@redhat.com>

	PR analyzer/96763
	* store.cc (binding_map::apply_ctor_to_region): Handle RANGE_EXPR
	by calling a new binding_map::apply_ctor_val_to_range subroutine.
	Split out the existing non-CONSTRUCTOR-handling code to a new
	apply_ctor_pair_to_child_region subroutine.
	(binding_map::apply_ctor_val_to_range): New.
	(binding_map::apply_ctor_pair_to_child_region): New, split out
	from binding_map::apply_ctor_to_region as noted above.
	* store.h (binding_map::apply_ctor_val_to_range): New decl.
	(binding_map::apply_ctor_pair_to_child_region): New decl.

2020-08-31  David Malcolm  <dmalcolm@redhat.com>

	PR analyzer/96764
	* region-model-manager.cc
	(region_model_manager::maybe_fold_unaryop): Handle VIEW_CONVERT_EXPR.
	(region_model_manager::get_or_create_cast): Move logic for
	real->integer casting to...
	(get_code_for_cast): ...this new function, and add logic for
	real->non-integer casts.
	(region_model_manager::maybe_fold_sub_svalue): Handle
	VIEW_CONVERT_EXPR.
	* region-model.cc
	(region_model::add_any_constraints_from_gassign): Likewise.
	* svalue.cc (svalue::maybe_undo_cast): Likewise.
	(unaryop_svalue::dump_to_pp): Likewise.

2020-08-26  David Malcolm  <dmalcolm@redhat.com>

	PR analyzer/94858
	* region-model-manager.cc
	(region_model_manager::get_or_create_widening_svalue): Assert that
	neither of the inputs are themselves widenings.
	* store.cc (store::eval_alias_1): The initial value of a pointer
	can't point to a region that was allocated on the heap after the
	beginning of the path. A widened pointer value can't alias anything
	that the initial pointer value can't alias.
	* svalue.cc (svalue::can_merge_p): Merge BINOP (X, OP, CST) with X
	to a widening svalue. Merge
	BINOP(WIDENING(BASE, BINOP(BASE, X)), X) and BINOP(BASE, X)
	to the LHS of the first BINOP.

2020-08-26  David Malcolm  <dmalcolm@redhat.com>

	PR analyzer/96777
	* region-model.h (class compound_svalue): Document that all keys
	must be concrete.
	(compound_svalue::compound_svalue): Move definition to svalue.cc.
	* store.cc (binding_map::apply_ctor_to_region): Handle
	initializers for trailing arrays with incomplete size.
	* svalue.cc (compound_svalue::compound_svalue): Move definition
	here from region-model.h. Add assertion that all keys are
	concrete.

2020-08-22  David Malcolm  <dmalcolm@redhat.com>

	PR analyzer/94851
	* region-model-manager.cc
	(region_model_manager::maybe_fold_binop): Fold bitwise "& 0" to 0.

2020-08-22  David Malcolm  <dmalcolm@redhat.com>

	* store.cc (store::eval_alias): Make const. Split out 2nd half
	into store::eval_alias_1 and call it twice for symmetry, avoiding
	test duplication.
	(store::eval_alias_1): New function, split out from the above.
	* store.h (store::eval_alias): Make const.
	(store::eval_alias_1): New decl.

2020-08-22  David Malcolm  <dmalcolm@redhat.com>

	* region-model.cc (region_model::push_frame): Bind the default
	SSA name for each parm if it exists, falling back to the parm
	itself otherwise, rather than doing both.

2020-08-20  David Malcolm  <dmalcolm@redhat.com>

	PR analyzer/96723
	* region-model-manager.cc
	(region_model_manager::get_field_region): Assert that field is a
	FIELD_DECL.
	* region.cc (region::get_subregions_for_binding): In
	union-handling, filter the TYPE_FIELDS traversal to just FIELD_DECLs.

2020-08-20  David Malcolm  <dmalcolm@redhat.com>

	PR analyzer/96713
	* region-model.cc (region_model::get_gassign_result): For
	comparisons, only use eval_condition when the lhs has boolean
	type, and use get_or_create_constant_svalue on the boolean
	constants directly rather than via get_rvalue.

2020-08-19  David Malcolm  <dmalcolm@redhat.com>

	PR analyzer/96643
	* region-model.cc (region_model::deref_rvalue): Rather than
	attempting to handle all svalue kinds in the switch, only cover
	the special cases, and move symbolic-region handling to after
	the switch, thus implicitly handling the missing case SK_COMPOUND.

2020-08-19  David Malcolm  <dmalcolm@redhat.com>

	PR analyzer/96705
	* region-model-manager.cc
	(region_model_manager::maybe_fold_binop): Check that we have an
	integral type before calling build_int_cst.

2020-08-19  David Malcolm  <dmalcolm@redhat.com>

	PR analyzer/96699
	* region-model-manager.cc
	(region_model_manager::get_or_create_cast): Use FIX_TRUNC_EXPR for
	casting from REAL_TYPE to INTEGER_TYPE.

2020-08-19  David Malcolm  <dmalcolm@redhat.com>

	PR analyzer/96651
	* region-model.cc (region_model::called_from_main_p): New.
	(region_model::get_store_value): Move handling for globals into...
	(region_model::get_initial_value_for_global): ...this new
	function, and add logic for extracting values from decl
	initializers.
	* region-model.h (decl_region::get_svalue_for_constructor): New
	decl.
	(decl_region::get_svalue_for_initializer): New decl.
	(region_model::called_from_main_p): New decl.
	(region_model::get_initial_value_for_global): New.
	* region.cc (decl_region::maybe_get_constant_value): Move logic
	for getting an svalue from a CONSTRUCTOR node to...
	(decl_region::get_svalue_for_constructor): ...this new function.
	(decl_region::get_svalue_for_initializer): New.
	* store.cc (get_svalue_for_ctor_val): Rewrite in terms of
	region_model::get_rvalue.
	* store.h (binding_cluster::get_map): New accessor.

2020-08-19  David Malcolm  <dmalcolm@redhat.com>

	PR analyzer/96648
	* region.cc (get_field_at_bit_offset): Gracefully handle negative
	values for bit_offset.

2020-08-18  David Malcolm  <dmalcolm@redhat.com>

	* region-model.cc (region_model::get_rvalue_1): Fix name of local.

2020-08-18  David Malcolm  <dmalcolm@redhat.com>

	PR analyzer/96641
	* region-model.cc (region_model::get_rvalue_1): Handle
	unrecognized tree codes by returning "UNKNOWN".

2020-08-18  David Malcolm  <dmalcolm@redhat.com>

	PR analyzer/96640
	* region-model.cc (region_model::get_gassign_result): Handle various
	VEC_* tree codes by returning UNKNOWN.
	(region_model::on_assignment): Handle unrecognized tree codes by
	setting lhs to an unknown value, rather than issuing a "sorry" and
	asserting.

2020-08-17  David Malcolm  <dmalcolm@redhat.com>

	PR analyzer/96644
	* region-model-manager.cc (get_region_for_unexpected_tree_code):
	Handle ctxt being NULL.

2020-08-17  David Malcolm  <dmalcolm@redhat.com>

	PR analyzer/96639
	* region.cc (region::get_subregions_for_binding): Check for "type"
	being NULL.

2020-08-17  David Malcolm  <dmalcolm@redhat.com>

	PR analyzer/96642
	* store.cc (get_svalue_for_ctor_val): New.
	(binding_map::apply_ctor_to_region): Call it.

2020-08-14  David Malcolm  <dmalcolm@redhat.com>

	PR testsuite/96609
	PR analyzer/96616
	* region-model.cc (region_model::get_store_value): Call
	maybe_get_constant_value on decl_regions first.
	* region-model.h (decl_region::maybe_get_constant_value): New decl.
	* region.cc (decl_region::get_stack_depth): Likewise.
	(decl_region::maybe_get_constant_value): New.
	* store.cc (get_subregion_within_ctor): New.
	(binding_map::apply_ctor_to_region): New.
	* store.h (binding_map::apply_ctor_to_region): New decl.

2020-08-14  David Malcolm  <dmalcolm@redhat.com>

	PR analyzer/96611
	* store.cc (store::mark_as_escaped): Reject attempts to
	get a cluster for an unknown pointer.

2020-08-13  David Malcolm  <dmalcolm@redhat.com>

	PR analyzer/93032
	PR analyzer/93938
	PR analyzer/94011
	PR analyzer/94099
	PR analyzer/94399
	PR analyzer/94458
	PR analyzer/94503
	PR analyzer/94640
	PR analyzer/94688
	PR analyzer/94689
	PR analyzer/94839
	PR analyzer/95026
	PR analyzer/95042
	PR analyzer/95240
	* analyzer-logging.cc: Ignore "-Wformat-diag".
	(logger::enter_scope): Use inc_indent in both overloads.
	(logger::exit_scope): Use dec_indent.
	* analyzer-logging.h (logger::inc_indent): New.
	(logger::dec_indent): New.
	* analyzer-selftests.cc (run_analyzer_selftests): Call
	analyzer_store_cc_tests.
	* analyzer-selftests.h (analyzer_store_cc_tests): New decl.
	* analyzer.cc (get_stmt_location): New function.
	* analyzer.h (class initial_svalue): New forward decl.
	(class unaryop_svalue): New forward decl.
	(class binop_svalue): New forward decl.
	(class sub_svalue): New forward decl.
	(class unmergeable_svalue): New forward decl.
	(class placeholder_svalue): New forward decl.
	(class widening_svalue): New forward decl.
	(class compound_svalue): New forward decl.
	(class conjured_svalue): New forward decl.
	(svalue_set): New typedef.
	(class map_region): Delete.
	(class array_region): Delete.
	(class frame_region): New forward decl.
	(class function_region): New forward decl.
	(class label_region): New forward decl.
	(class decl_region): New forward decl.
	(class element_region): New forward decl.
	(class offset_region): New forward decl.
	(class cast_region): New forward decl.
	(class field_region): New forward decl.
	(class string_region): New forward decl.
	(class region_model_manager): New forward decl.
	(class store_manager): New forward decl.
	(class store): New forward decl.
	(class call_details): New forward decl.
	(struct svalue_id_merger_mapping): Delete.
	(struct canonicalization): Delete.
	(class function_point): New forward decl.
	(class engine): New forward decl.
	(dump_tree): New function decl.
	(print_quoted_type): New function decl.
	(readability_comparator): New function decl.
	(tree_cmp): New function decl.
	(class path_var): Move here from region-model.h
	(bit_offset_t, bit_size_t, byte_size_t): New typedefs.
	(class region_offset): New class.
	(get_stmt_location): New decl.
	(struct member_function_hash_traits): New struct.
	(class consolidation_map): New class.
	Ignore "-Wformat-diag".
	* analyzer.opt (-param=analyzer-max-svalue-depth=): New param.
	(-param=analyzer-max-enodes-for-full-dump=): New param.
	* call-string.cc: Ignore -Wformat-diag.
	* checker-path.cc: Move includes of "analyzer/call-string.h" and
	"analyzer/program-point.h" to before "analyzer/region-model.h",
	and also include "analyzer/store.h" before it.
	(state_change_event::state_change_event): Replace "tree var" param
	with "const svalue *sval".  Convert "origin" param from tree to
	"const svalue *".
	(state_change_event::get_desc): Call get_representative_tree to
	convert the var and origin from const svalue * to tree.  Use
	svalue::get_desc rather than %qE when describing state changes.
	(checker_path::add_final_event): Use get_stmt_location.
	* checker-path.h (state_change_event::state_change_event): Port
	from tree to const svalue *.
	(state_change_event::get_lvalue): Delete.
	(state_change_event::get_dest_function): New.
	(state_change_event::m_var): Replace with...
	(state_change_event::m_sval): ...this.
	(state_change_event::m_origin): Convert from tree to
	const svalue *.
	* constraint-manager.cc: Include "analyzer/call-string.h",
	"analyzer/program-point.h", and "analyzer/store.h" before
	"analyzer/region-model.h".
	(struct bound, struct range): Move to constraint-manager.h.
	(compare_constants): New function.
	(range::dump): Rename to...
	(range::dump_to_pp): ...this.  Support NULL constants.
	(range::dump): Reintroduce for dumping to stderr.
	(range::constrained_to_single_element): Return result, rather than
	writing to *OUT.
	(range::eval_condition): New.
	(range::below_lower_bound): New.
	(range::above_upper_bound): New.
	(equiv_class::equiv_class): Port from svalue_id to const svalue *.
	(equiv_class::print): Likewise.
	(equiv_class::hash): Likewise.
	(equiv_class::operator==): Port from svalue_id to const svalue *.
	(equiv_class::add): Port from svalue_id to const svalue *.  Drop
	"cm" param.
	(equiv_class::del): Port from svalue_id to const svalue *.
	(equiv_class::get_representative): Likewise.
	(equiv_class::remap_svalue_ids): Delete.
	(svalue_id_cmp_by_id): Rename to...
	(svalue_cmp_by_ptr): ...this, porting from svalue_id to
	const svalue *.
	(equiv_class::canonicalize): Update qsort comparator.
	(constraint::implied_by): New.
	(constraint_manager::constraint_manager): Copy m_mgr in copy ctor.
	(constraint_manager::dump_to_pp): Add "multiline" param
	(constraint_manager::dump): Pass "true" for "multiline".
	(constraint_manager::add_constraint): Port from svalue_id to
	const svalue *.  Split out second part into...
	(constraint_manager::add_unknown_constraint): ...this new
	function.  Remove self-constraints when merging equivalence
	classes.
	(constraint_manager::add_constraint_internal): Remove constraints
	that would be implied by the new constraint.  Port from svalue_id
	to const svalue *.
	(constraint_manager::get_equiv_class_by_sid): Rename to...
	(constraint_manager::get_equiv_class_by_svalue): ...this, porting
	from svalue_id to const svalue *.
	(constraint_manager::get_or_add_equiv_class): Port from svalue_id
	to const svalue *.
	(constraint_manager::eval_condition): Make const.  Call
	compare_constants and return early if it provides a known result.
	(constraint_manager::get_ec_bounds): New.
	(constraint_manager::eval_condition): New overloads.  Make
	existing one const, and use compare_constants.
	(constraint_manager::purge): Convert "p" param to a template
	rather than an abstract base class.  Port from svalue_id to
	const svalue *.
	(class dead_svalue_purger): New class.
	(constraint_manager::remap_svalue_ids): Delete.
	(constraint_manager::on_liveness_change): New.
	(equiv_class_cmp): Port from svalue_id to const svalue *.
	(constraint_manager::canonicalize): Likewise.  Combine with
	purging of redundant equivalence classes and constraints.
	(class cleaned_constraint_manager): Delete.
	(class merger_fact_visitor): Make "m_cm_b" const.  Add "m_merger"
	field.
	(merger_fact_visitor::fact): Port from svalue_id to const svalue *.
	Add special case for widening.
	(constraint_manager::merge): Port from svalue_id to const svalue *.
	(constraint_manager::clean_merger_input): Delete.
	(constraint_manager::for_each_fact): Port from svalue_id to
	const svalue *.
	(constraint_manager::validate): Likewise.
	(selftest::test_constraint_conditions): Provide a
	region_model_manager when creating region_model instances.
	Add test for self-equality not creating equivalence classes.
	(selftest::test_transitivity): Provide a region_model_manager when
	creating region_model instances.  Verify that EC-merging happens
	when constraints are implied.
	(selftest::test_constant_comparisons): Provide a
	region_model_manager when creating region_model instances.
	(selftest::test_constraint_impl): Likewise.  Remove over-specified
	assertions.
	(selftest::test_equality): Provide a region_model_manager when
	creating region_model instances.
	(selftest::test_many_constants): Likewise.  Provide a
	program_point when testing merging.
	(selftest::run_constraint_manager_tests): Move call to
	test_constant_comparisons to outside the transitivity guard.
	* constraint-manager.h (struct bound): Move here from
	constraint-manager.cc.
	(struct range): Likewise.
	(struct::eval_condition): New decl.
	(struct::below_lower_bound): New decl.
	(struct::above_upper_bound): New decl.
	(equiv_class::add): Port from svalue_id to const svalue *.
	(equiv_class::del): Likewise.
	(equiv_class::get_representative): Likewise.
	(equiv_class::remap_svalue_ids): Drop.
	(equiv_class::m_cst_sid): Convert to...
	(equiv_class::m_cst_sval): ...this.
	(equiv_class::m_vars): Port from svalue_id to const svalue *.
	(constraint::bool implied_by): New decl.
	(fact_visitor::on_fact): Port from svalue_id to const svalue *.
	(constraint_manager::constraint_manager): Add mgr param.
	(constraint_manager::clone): Delete.
	(constraint_manager::maybe_get_constant): Delete.
	(constraint_manager::get_sid_for_constant): Delete.
	(constraint_manager::get_num_svalues): Delete.
	(constraint_manager::dump_to_pp): Add "multiline" param.
	(constraint_manager::get_equiv_class): Port from svalue_id to
	const svalue *.
	(constraint_manager::add_constraint): Likewise.
	(constraint_manager::get_equiv_class_by_sid): Rename to...
	(constraint_manager::get_equiv_class_by_svalue): ...this, porting
	from svalue_id to const svalue *.
	(constraint_manager::add_unknown_constraint): New decl.
	(constraint_manager::get_or_add_equiv_class): Port from svalue_id
	to const svalue *.
	(constraint_manager::eval_condition): Likewise.  Add overloads.
	(constraint_manager::get_ec_bounds): New decl.
	(constraint_manager::purge): Convert to template.
	(constraint_manager::remap_svalue_ids): Delete.
	(constraint_manager::on_liveness_change): New decl.
	(constraint_manager::canonicalize): Drop param.
	(constraint_manager::clean_merger_input): Delete.
	(constraint_manager::m_mgr): New field.
	* diagnostic-manager.cc: Move includes of
	"analyzer/call-string.h" and "analyzer/program-point.h" to before
	"analyzer/region-model.h", and also include "analyzer/store.h"
	before it.
	(saved_diagnostic::saved_diagnostic): Add "sval" param.
	(diagnostic_manager::diagnostic_manager): Add engine param.
	(diagnostic_manager::add_diagnostic): Add "sval" param, passing it
	to saved_diagnostic ctor.  Update overload to pass NULL for it.
	(dedupe_winners::dedupe_winners): Add engine param.
	(dedupe_winners::add): Add "eg" param.  Pass m_engine to
	feasible_p.
	(dedupe_winner::m_engine): New field.
	(diagnostic_manager::emit_saved_diagnostics): Pass engine to
	dedupe_winners.  Pass &eg when adding candidates.  Pass svalue
	rather than tree to prune_path.  Use get_stmt_location to get
	primary location of diagnostic.
	(diagnostic_manager::emit_saved_diagnostic): Likewise.
	(get_any_origin): Drop.
	(state_change_event_creator::on_global_state_change): Pass NULL
	const svalue * rather than NULL_TREE trees to state_change_event
	ctor.
	(state_change_event_creator::on_state_change): Port from tree and
	svalue_id to const svalue *.
	(for_each_state_change): Port from svalue_id to const svalue *.
	(struct null_assignment_sm_context): New.
	(diagnostic_manager::add_events_for_eedge): Add state change
	events for assignment to NULL.
	(diagnostic_manager::prune_path): Update param from tree to
	const svalue *.
	(diagnostic_manager::prune_for_sm_diagnostic): Port from tracking
	by tree to by const svalue *.
	* diagnostic-manager.h (saved_diagnostic::saved_diagnostic): Add sval
	param.
	(saved_diagnostic::m_sval): New field.
	(diagnostic_manager::diagnostic_manager): Add engine param.
	(diagnostic_manager::get_engine): New.
	(diagnostic_manager::add_diagnostic): Add "sval" param.
	(diagnostic_manager::prune_path): Likewise.
	(diagnostic_manager::prune_for_sm_diagnostic): New overload.
	(diagnostic_manager::m_eng): New field.
	* engine.cc: Move includes of "analyzer/call-string.h" and
	"analyzer/program-point.h" to before "analyzer/region-model.h",
	and also include "analyzer/store.h" before it.
	(impl_region_model_context::impl_region_model_context): Update for
	removal of m_change field.
	(impl_region_model_context::remap_svalue_ids): Delete.
	(impl_region_model_context::on_svalue_leak): New.
	(impl_region_model_context::on_svalue_purge): Delete.
	(impl_region_model_context::on_liveness_change): New.
	(impl_region_model_context::on_unknown_change): Update param
	from svalue_id to const svalue *.  Add is_mutable param.
	(setjmp_svalue::compare_fields): Delete.
	(setjmp_svalue::accept): New.
	(setjmp_svalue::add_to_hash): Delete.
	(setjmp_svalue::dump_to_pp): New.
	(setjmp_svalue::print_details): Delete.
	(impl_sm_context::impl_sm_context): Drop "change" param.
	(impl_sm_context::get_fndecl_for_call): Drop "m_change".
	(impl_sm_context::on_transition): Drop ATTRIBUTE_UNUSED from
	"stmt" param.  Drop m_change.  Port from svalue_id to
	const svalue *.
	(impl_sm_context::warn_for_state): Drop m_change.  Port from
	svalue_id to const svalue *.
	(impl_sm_context::get_readable_tree): Rename to...
	(impl_sm_context::get_diagnostic_tree): ...this.  Port from
	svalue_id to const svalue *.
	(impl_sm_context::is_zero_assignment): New.
	(impl_sm_context::m_change): Delete field.
	(leak_stmt_finder::find_stmt): Handle m_var being NULL.
	(readability): Increase penalty for MEM_REF.  For SSA_NAMEs,
	slightly favor the underlying var over the SSA name.  Heavily
	penalize temporaries.  Handle RESULT_DECL.
	(readability_comparator): Make non-static.  Consider stack depths.
	(impl_region_model_context::on_state_leak): Convert from svalue_id
	to const svalue *, updating for region_model changes.  Use
	id_equal.
	(impl_region_model_context::on_inherited_svalue): Delete.
	(impl_region_model_context::on_cast): Delete.
	(impl_region_model_context::on_condition): Drop m_change.
	(impl_region_model_context::on_phi): Likewise.
	(impl_region_model_context::on_unexpected_tree_code): Handle t
	being NULL.
	(point_and_state::validate): Update stack checking for
	region_model changes.
	(eg_traits::dump_args_t::show_enode_details_p): New.
	(exploded_node::exploded_node): Initialize m_num_processed_stmts.
	(exploded_node::get_processed_stmt): New function.
	(exploded_node::get_dot_fillcolor): Add more colors.
	(exploded_node::dump_dot): Guard the printing of the point and
	state with show_enode_details_p.  Print the processed stmts for
	this enode after the initial state.
	(exploded_node::dump_to_pp): Pass true for new multiline param
	of program_state::dump_to_pp.
	(exploded_node::on_stmt): Drop "change" param.  Log the stmt.
	Set input_location.  Implement __analyzer_describe.  Update
	implementation of __analyzer_dump and __analyzer_eval.
	Remove purging of sm-state for unknown fncalls from here.
	(exploded_node::on_edge): Drop "change" param.
	(exploded_node::on_longjmp): Port from region_id/svalue_id to
	const region */const svalue *.  Call program_state::detect_leaks.
	Drop state_change.
	(exploded_node::detect_leaks): Update for changes to region_model.
	Call program_state::detect_leaks.
	(exploded_edge::exploded_edge): Drop ext_state and change params.
	(exploded_edge::dump_dot): "args" is no longer used.  Drop dumping
	of m_change.
	(exploded_graph::exploded_graph): Pass engine to
	m_diagnostic_manager ctor.  Use program_point::origin.
	(exploded_graph::add_function_entry): Drop ctxt.  Use
	program_state::push_frame.  Drop state_change.
	(exploded_graph::get_or_create_node): Drop "change" param.  Add
	"enode_for_diag" param.  Update dumping calls for API changes.
	Pass point to can_merge_with_p.  Show enode indices
	within -Wanalyzer-too-complex diagnostic for hitting the per-point
	limit.
	(exploded_graph::add_edge): Drop "change" param.  Log which nodes
	are being connected.  Update for changes to exploded_edge ctor.
	(exploded_graph::get_per_program_point_data): New.
	(exploded_graph::process_worklist): Pass point to
	can_merge_with_p.  Drop state_change.  Update dumping call for API
	change.
	(exploded_graph::process_node): Drop state_change.  Split the
	node in-place if an sm-state-change occurs.  Update
	m_num_processed_stmts.  Update dumping calls for API change.
	(exploded_graph::log_stats): Call engine::log_stats.
	(exploded_graph::dump_states_for_supernode): Update dumping
	call.
	(exploded_path::feasible_p): Add "eng" and "eg" params.
	Rename "i" to "end_idx".  Pass the manager to the region_model
	ctor.  Update for every processed stmt in the enode, not just the
	first.  Keep track of which snodes have been visited, and call
	loop_replay_fixup when revisiting one.
	(enode_label::get_text): Update dump call for new param.
	(exploded_graph::dump_exploded_nodes): Likewise.
	(exploded_graph::get_node_by_index): New.
	(impl_run_checkers): Create engine instance and pass its address
	to extrinsic_state ctor.
	* exploded-graph.h
	(impl_region_model_context::impl_region_model_context): Drop
	"change" params.
	(impl_region_model_context::void remap_svalue_ids): Delete.
	(impl_region_model_context::on_svalue_purge): Delete.
	(impl_region_model_context::on_svalue_leak): New.
	(impl_region_model_context::on_liveness_change): New.
	(impl_region_model_context::on_state_leak): Update signature.
	(impl_region_model_context::on_inherited_svalue): Delete.
	(impl_region_model_context::on_cast): Delete.
	(impl_region_model_context::on_unknown_change): Update signature.
	(impl_region_model_context::m_change): Delete.
	(eg_traits::dump_args_t::show_enode_details_p): New.
	(exploded_node::on_stmt): Drop "change" param.
	(exploded_node::on_edge): Likewise.
	(exploded_node::get_processed_stmt): New decl.
	(exploded_node::m_num_processed_stmts): New field.
	(exploded_edge::exploded_edge): Drop ext_state and change params.
	(exploded_edge::m_change): Delete.
	(exploded_graph::get_engine): New accessor.
	(exploded_graph::get_or_create_node): Drop "change" param.  Add
	"enode_for_diag" param.
	(exploded_graph::add_edge): Drop "change" param.
	(exploded_graph::get_per_program_point_data): New decl.
	(exploded_graph::get_node_by_index): New decl.
	(exploded_path::feasible_p): Add "eng" and "eg" params.
	* program-point.cc: Include "analyzer/store.h" before including
	"analyzer/region-model.h".
	(function_point::function_point): Move here from
	program-point.h.
	(function_point::get_function): Likewise.
	(function_point::from_function_entry): Likewise.
	(function_point::before_supernode): Likewise.
	(function_point::next_stmt): New function.
	* program-point.h (function_point::function_point): Move
	implementation from here to program-point.cc.
	(function_point::get_function): Likewise.
	(function_point::from_function_entry): Likewise.
	(function_point::before_supernode): Likewise.
	(function_point::next_stmt): New decl.
	(program_point::operator!=): New.
	(program_point::origin): New.
	(program_point::next_stmt): New.
	(program_point::m_function_point): Make non-const.
	* program-state.cc: Move includes of "analyzer/call-string.h" and
	"analyzer/program-point.h" to before "analyzer/region-model.h",
	and also include "analyzer/store.h" before it.
	(extrinsic_state::get_model_manager): New.
	(sm_state_map::sm_state_map): Pass in sm and sm_idx to ctor,
	rather than pass them around.
	(sm_state_map::clone_with_remapping): Delete.
	(sm_state_map::print): Remove "sm" param in favor of "m_sm".  Add
	"simple" and "multiline" params and support multiline vs single
	line dumping.
	(sm_state_map::dump): Remove "sm" param in favor of "m_sm".  Add
	"simple" param.
	(sm_state_map::hash): Port from svalue_id to const svalue *.
	(sm_state_map::operator==): Likewise.
	(sm_state_map::get_state): Likewise.  Call canonicalize_svalue on
	input.  Handle inheritance of sm-state.  Call get_default_state.
	(sm_state_map::get_origin): Port from svalue_id to const svalue *.
	(sm_state_map::set_state): Likewise.  Pass in ext_state.  Reject
	attempts to set state on UNKNOWN.
	(sm_state_map::impl_set_state): Port from svalue_id to
	const svalue *.  Pass in ext_state.  Call canonicalize_svalue on
	input.
	(sm_state_map::purge_for_unknown_fncall): Delete.
	(sm_state_map::on_svalue_leak): New.
	(sm_state_map::remap_svalue_ids): Delete.
	(sm_state_map::on_liveness_change): New.
	(sm_state_map::on_unknown_change): Reimplement.
	(sm_state_map::on_svalue_purge): Delete.
	(sm_state_map::on_inherited_svalue): Delete.
	(sm_state_map::on_cast): Delete.
	(sm_state_map::validate): Delete.
	(sm_state_map::canonicalize_svalue): New.
	(program_state::program_state): Update to pass manager to
	region_model's ctor.  Constify num_states and pass state machine
	and index to sm_state_map ctor.
	(program_state::print): Update for changes to dump API.
	(program_state::dump_to_pp): Ignore the summarize param.  Add
	"multiline" param.
	(program_state::dump_to_file): Add "multiline" param.
	(program_state::dump): Pass "true" for new "multiline" param.
	(program_state::push_frame): New.
	(program_state::on_edge): Drop "change" param.  Call
	program_state::detect_leaks.
	(program_state::prune_for_point): Add enode_for_diag param.
	Reimplement based on store class.  Call detect_leaks.
	(program_state::remap_svalue_ids): Delete.
	(program_state::get_representative_tree): Port from svalue_id to
	const svalue *.
	(program_state::can_merge_with_p): Add "point" param.  Add early
	reject for sm-differences.  Drop id remapping.
	(program_state::validate): Drop region model and sm_state_map
	validation.
	(state_change::sm_change::dump): Delete.
	(state_change::sm_change::remap_svalue_ids): Delete.
	(state_change::sm_change::on_svalue_purge): Delete.
	(log_set_of_svalues): New.
	(state_change::sm_change::validate): Delete.
	(state_change::state_change): Delete.
	(state_change::add_sm_change): Delete.
	(state_change::affects_p): Delete.
	(state_change::dump): Delete.
	(state_change::remap_svalue_ids): Delete.
	(state_change::on_svalue_purge): Delete.
	(state_change::validate): Delete.
	(selftest::assert_dump_eq): Delete.
	(ASSERT_DUMP_EQ): Delete.
	(selftest::test_sm_state_map): Update for changes to region_model
	and sm_state_map, porting from svalue_id to const svalue *.
	(selftest::test_program_state_dumping): Likewise.  Drop test of
	dumping, renaming to...
	(selftest::test_program_state_1): ...this.
	(selftest::test_program_state_dumping_2): Likewise, renaming to...
	(selftest::test_program_state_2): ...this.
	(selftest::test_program_state_merging): Update for changes to
	region_model.
	(selftest::test_program_state_merging_2): Likewise.
	(selftest::analyzer_program_state_cc_tests): Update for renamed
	tests.
	* program-state.h (extrinsic_state::extrinsic_state): Add logger
	and engine params.
	(extrinsic_state::get_logger): New accessor.
	(extrinsic_state::get_engine): New accessor.
	(extrinsic_state::get_model_manager): New accessor.
	(extrinsic_state::m_logger): New field.
	(extrinsic_state::m_engine): New field.
	(struct default_hash_traits<svalue_id>): Delete.
	(pod_hash_traits<svalue_id>::hash): Delete.
	(pod_hash_traits<svalue_id>::equal): Delete.
	(pod_hash_traits<svalue_id>::mark_deleted): Delete.
	(pod_hash_traits<svalue_id>::mark_empty): Delete.
	(pod_hash_traits<svalue_id>::is_deleted): Delete.
	(pod_hash_traits<svalue_id>::is_empty): Delete.
	(sm_state_map::entry_t::entry_t): Port from svalue_id to
	const svalue *.
	(sm_state_map::entry_t::m_origin): Likewise.
	(sm_state_map::map_t): Likewise.
	(sm_state_map::sm_state_map): Add state_machine and index params.
	(sm_state_map::clone_with_remapping): Delete.
	(sm_state_map::print): Drop sm param; add simple and multiline
	params.
	(sm_state_map::dump): Drop sm param; add simple param.
	(sm_state_map::get_state): Port from svalue_id to const svalue *.
	Add ext_state param.
	(sm_state_map::get_origin): Likewise.
	(sm_state_map::set_state): Likewise.
	(sm_state_map::impl_set_state): Likewise.
	(sm_state_map::purge_for_unknown_fncall): Delete.
	(sm_state_map::remap_svalue_ids): Delete.
	(sm_state_map::on_svalue_purge): Delete.
	(sm_state_map::on_svalue_leak): New.
	(sm_state_map::on_liveness_change): New.
	(sm_state_map::on_inherited_svalue): Delete.
	(sm_state_map::on_cast): Delete.
	(sm_state_map::validate): Delete.
	(sm_state_map::on_unknown_change): Port from svalue_id to
	const svalue *.  Add is_mutable and ext_state params.
	(sm_state_map::canonicalize_svalue): New.
	(sm_state_map::m_sm): New field.
	(sm_state_map::m_sm_idx): New field.
	(program_state::operator=): Delete.
	(program_state::dump_to_pp): Drop "summarize" param, adding
	"simple" and "multiline".
	(program_state::dump_to_file): Likewise.
	(program_state::dump): Rename "summarize" to "simple".
	(program_state::push_frame): New.
	(program_state::get_current_function): New.
	(program_state::on_edge): Drop "change" param.
	(program_state::prune_for_point): Likewise.  Add enode_for_diag
	param.
	(program_state::remap_svalue_ids): Delete.
	(program_state::get_representative_tree): Port from svalue_id to
	const svalue *.
	(program_state::can_purge_p): Likewise.  Pass ext_state to get_state.
	(program_state::can_merge_with_p): Add point param.
	(program_state::detect_leaks): New.
	(state_change_visitor::on_state_change): Port from tree and
	svalue_id to a pair of const svalue *.
	(class state_change): Delete.
	* region.cc: New file.
	* region-model-impl-calls.cc: New file.
	* region-model-manager.cc: New file.
	* region-model-reachability.cc: New file.
	* region-model-reachability.h: New file.
	* region-model.cc: Include "analyzer/call-string.h",
	"analyzer/program-point.h", and "analyzer/store.h" before
	"analyzer/region-model.h".  Include
	"analyzer/region-model-reachability.h".
	(dump_tree): Make non-static.
	(dump_quoted_tree): Make non-static.
	(print_quoted_type): Make non-static.
	(path_var::dump): Delete.
	(dump_separator): Delete.
	(class impl_constraint_manager): Delete.
	(svalue_id::print): Delete.
	(svalue_id::dump_node_name_to_pp): Delete.
	(svalue_id::validate): Delete.
	(region_id::print): Delete.
	(region_id::dump_node_name_to_pp): Delete.
	(region_id::validate): Delete.
	(region_id_set::region_id_set): Delete.
	(svalue_id_set::svalue_id_set): Delete.
	(svalue::operator==): Delete.
	(svalue::hash): Delete.
	(svalue::print): Delete.
	(svalue::dump_dot_to_pp): Delete.
	(svalue::remap_region_ids): Delete.
	(svalue::walk_for_canonicalization): Delete.
	(svalue::get_child_sid): Delete.
	(svalue::maybe_get_constant): Delete.
	(region_svalue::compare_fields): Delete.
	(region_svalue::add_to_hash): Delete.
	(region_svalue::print_details): Delete.
	(region_svalue::dump_dot_to_pp): Delete.
	(region_svalue::remap_region_ids): Delete.
	(region_svalue::merge_values): Delete.
	(region_svalue::walk_for_canonicalization): Delete.
	(region_svalue::eval_condition): Delete.
	(constant_svalue::compare_fields): Delete.
	(constant_svalue::add_to_hash): Delete.
	(constant_svalue::merge_values): Delete.
	(constant_svalue::eval_condition): Move to svalue.cc.
	(constant_svalue::print_details): Delete.
	(constant_svalue::get_child_sid): Delete.
	(unknown_svalue::compare_fields): Delete.
	(unknown_svalue::add_to_hash): Delete.
	(unknown_svalue::print_details): Delete.
	(poison_kind_to_str): Move to svalue.cc.
	(poisoned_svalue::compare_fields): Delete.
	(poisoned_svalue::add_to_hash): Delete.
	(poisoned_svalue::print_details): Delete.
	(region_kind_to_str): Move to region.cc and reimplement.
	(region::operator==): Delete.
	(region::get_parent_region): Delete.
	(region::set_value): Delete.
	(region::become_active_view): Delete.
	(region::deactivate_any_active_view): Delete.
	(region::deactivate_view): Delete.
	(region::get_value): Delete.
	(region::get_inherited_child_sid): Delete.
	(region_model::copy_region): Delete.
	(region_model::copy_struct_region): Delete.
	(region_model::copy_union_region): Delete.
	(region_model::copy_array_region): Delete.
	(region::hash): Delete.
	(region::print): Delete.
	(region::dump_dot_to_pp): Delete.
	(region::dump_to_pp): Delete.
	(region::dump_child_label): Delete.
	(region::validate): Delete.
	(region::remap_svalue_ids): Delete.
	(region::remap_region_ids): Delete.
	(region::add_view): Delete.
	(region::get_view): Delete.
	(region::region): Move to region.cc.
	(region::add_to_hash): Delete.
	(region::print_fields): Delete.
	(region::non_null_p): Delete.
	(primitive_region::clone): Delete.
	(primitive_region::walk_for_canonicalization): Delete.
	(map_region::map_region): Delete.
	(map_region::compare_fields): Delete.
	(map_region::print_fields): Delete.
	(map_region::validate): Delete.
	(map_region::dump_dot_to_pp): Delete.
	(map_region::dump_child_label): Delete.
	(map_region::get_or_create): Delete.
	(map_region::get): Delete.
	(map_region::add_to_hash): Delete.
	(map_region::remap_region_ids): Delete.
	(map_region::unbind): Delete.
	(map_region::get_tree_for_child_region): Delete.
	(map_region::get_tree_for_child_region): Delete.
	(tree_cmp): Move to region.cc.
	(map_region::can_merge_p): Delete.
	(map_region::walk_for_canonicalization): Delete.
	(map_region::get_value_by_name): Delete.
	(struct_or_union_region::valid_key_p): Delete.
	(struct_or_union_region::compare_fields): Delete.
	(struct_region::clone): Delete.
	(struct_region::compare_fields): Delete.
	(union_region::clone): Delete.
	(union_region::compare_fields): Delete.
	(frame_region::compare_fields): Delete.
	(frame_region::clone): Delete.
	(frame_region::valid_key_p): Delete.
	(frame_region::print_fields): Delete.
	(frame_region::add_to_hash): Delete.
	(globals_region::compare_fields): Delete.
	(globals_region::clone): Delete.
	(globals_region::valid_key_p): Delete.
	(code_region::compare_fields): Delete.
	(code_region::clone): Delete.
	(code_region::valid_key_p): Delete.
	(array_region::array_region): Delete.
	(array_region::get_element): Delete.
	(array_region::clone): Delete.
	(array_region::compare_fields): Delete.
	(array_region::print_fields): Delete.
	(array_region::validate): Delete.
	(array_region::dump_dot_to_pp): Delete.
	(array_region::dump_child_label): Delete.
	(array_region::get_or_create): Delete.
	(array_region::get): Delete.
	(array_region::add_to_hash): Delete.
	(array_region::remap_region_ids): Delete.
	(array_region::get_key_for_child_region): Delete.
	(array_region::key_cmp): Delete.
	(array_region::walk_for_canonicalization): Delete.
	(array_region::key_from_constant): Delete.
	(array_region::constant_from_key): Delete.
	(function_region::compare_fields): Delete.
	(function_region::clone): Delete.
	(function_region::valid_key_p): Delete.
	(stack_region::stack_region): Delete.
	(stack_region::compare_fields): Delete.
	(stack_region::clone): Delete.
	(stack_region::print_fields): Delete.
	(stack_region::dump_child_label): Delete.
	(stack_region::validate): Delete.
	(stack_region::push_frame): Delete.
	(stack_region::get_current_frame_id): Delete.
	(stack_region::pop_frame): Delete.
	(stack_region::add_to_hash): Delete.
	(stack_region::remap_region_ids): Delete.
	(stack_region::can_merge_p): Delete.
	(stack_region::walk_for_canonicalization): Delete.
	(stack_region::get_value_by_name): Delete.
	(heap_region::heap_region): Delete.
	(heap_region::compare_fields): Delete.
5318 (exploded_graph::get_node_by_index): New.
5319 (impl_run_checkers): Create engine instance and pass its address
5320 to extrinsic_state ctor.
5321 * exploded-graph.h
5322 (impl_region_model_context::impl_region_model_context): Drop
5323 "change" params.
5324 (impl_region_model_context::void remap_svalue_ids): Delete.
5325 (impl_region_model_context::on_svalue_purge): Delete.
5326 (impl_region_model_context::on_svalue_leak): New.
5327 (impl_region_model_context::on_liveness_change): New.
5328 (impl_region_model_context::on_state_leak): Update signature.
5329 (impl_region_model_context::on_inherited_svalue): Delete.
5330 (impl_region_model_context::on_cast): Delete.
5331 (impl_region_model_context::on_unknown_change): Update signature.
5332 (impl_region_model_context::m_change): Delete.
5333 (eg_traits::dump_args_t::show_enode_details_p): New.
5334 (exploded_node::on_stmt): Drop "change" param.
5335 (exploded_node::on_edge): Likewise.
5336 (exploded_node::get_processed_stmt): New decl.
5337 (exploded_node::m_num_processed_stmts): New field.
5338 (exploded_edge::exploded_edge): Drop ext_state and change params.
5339 (exploded_edge::m_change): Delete.
5340 (exploded_graph::get_engine): New accessor.
5341 (exploded_graph::get_or_create_node): Drop "change" param. Add
5342 "enode_for_diag" param.
5343 (exploded_graph::add_edge): Drop "change" param.
5344 (exploded_graph::get_per_program_point_data): New decl.
5345 (exploded_graph::get_node_by_index): New decl.
5346 (exploded_path::feasible_p): Add "eng" and "eg" params.
5347 * program-point.cc: Include "analyzer/store.h" before including
5348 "analyzer/region-model.h".
5349 (function_point::function_point): Move here from
5350 program-point.h.
5351 (function_point::get_function): Likewise.
5352 (function_point::from_function_entry): Likewise.
5353 (function_point::before_supernode): Likewise.
5354 (function_point::next_stmt): New function.
5355 * program-point.h (function_point::function_point): Move
5356 implementation from here to program-point.cc.
5357 (function_point::get_function): Likewise.
5358 (function_point::from_function_entry): Likewise.
5359 (function_point::before_supernode): Likewise.
5360 (function_point::next_stmt): New decl.
5361 (program_point::operator!=): New.
5362 (program_point::origin): New.
5363 (program_point::next_stmt): New.
5364 (program_point::m_function_point): Make non-const.
5365 * program-state.cc: Move includes of "analyzer/call-string.h" and
5366 "analyzer/program-point.h" to before "analyzer/region-model.h",
5367 and also include "analyzer/store.h" before it.
5368 (extrinsic_state::get_model_manager): New.
5369 (sm_state_map::sm_state_map): Pass in sm and sm_idx to ctor,
5370 rather than pass the around.
5371 (sm_state_map::clone_with_remapping): Delete.
5372 (sm_state_map::print): Remove "sm" param in favor of "m_sm". Add
5373 "simple" and "multiline" params and support multiline vs single
5374 line dumping.
5375 (sm_state_map::dump): Remove "sm" param in favor of "m_sm". Add
5376 "simple" param.
5377 (sm_state_map::hash): Port from svalue_id to const svalue *.
5378 (sm_state_map::operator==): Likewise.
5379 (sm_state_map::get_state): Likewise. Call canonicalize_svalue on
5380 input. Handle inheritance of sm-state. Call get_default_state.
5381 (sm_state_map::get_origin): Port from svalue_id to const svalue *.
5382 (sm_state_map::set_state): Likewise. Pass in ext_state. Reject
5383 attempts to set state on UNKNOWN.
5384 (sm_state_map::impl_set_state): Port from svalue_id to
5385 const svalue *. Pass in ext_state. Call canonicalize_svalue on
5386 input.
5387 (sm_state_map::purge_for_unknown_fncall): Delete.
5388 (sm_state_map::on_svalue_leak): New.
5389 (sm_state_map::remap_svalue_ids): Delete.
5390 (sm_state_map::on_liveness_change): New.
5391 (sm_state_map::on_unknown_change): Reimplement.
5392 (sm_state_map::on_svalue_purge): Delete.
5393 (sm_state_map::on_inherited_svalue): Delete.
5394 (sm_state_map::on_cast): Delete.
5395 (sm_state_map::validate): Delete.
5396 (sm_state_map::canonicalize_svalue): New.
5397 (program_state::program_state): Update to pass manager to
5398 region_model's ctor. Constify num_states and pass state machine
5399 and index to sm_state_map ctor.
5400 (program_state::print): Update for changes to dump API.
5401 (program_state::dump_to_pp): Ignore the summarize param. Add
5402 "multiline" param.
5403 (program_state::dump_to_file): Add "multiline" param.
5404 (program_state::dump): Pass "true" for new "multiline" param.
5405 (program_state::push_frame): New.
5406 (program_state::on_edge): Drop "change" param. Call
5407 program_state::detect_leaks.
5408 (program_state::prune_for_point): Add enode_for_diag param.
5409 Reimplement based on store class. Call detect_leaks
5410 (program_state::remap_svalue_ids): Delete.
5411 (program_state::get_representative_tree): Port from svalue_id to
5412 const svalue *.
5413 (program_state::can_merge_with_p): Add "point" param. Add early
5414 reject for sm-differences. Drop id remapping.
5415 (program_state::validate): Drop region model and sm_state_map
5416 validation.
5417 (state_change::sm_change::dump): Delete.
5418 (state_change::sm_change::remap_svalue_ids): Delete.
5419 (state_change::sm_change::on_svalue_purge): Delete.
5420 (log_set_of_svalues): New.
5421 (state_change::sm_change::validate): Delete.
5422 (state_change::state_change): Delete.
5423 (state_change::add_sm_change): Delete.
5424 (state_change::affects_p): Delete.
5425 (state_change::dump): Delete.
5426 (state_change::remap_svalue_ids): Delete.
5427 (state_change::on_svalue_purge): Delete.
5428 (state_change::validate): Delete.
5429 (selftest::assert_dump_eq): Delete.
5430 (ASSERT_DUMP_EQ): Delete.
5431 (selftest::test_sm_state_map): Update for changes to region_model
5432 and sm_state_map, porting from svalue_id to const svalue *.
5433 (selftest::test_program_state_dumping): Likewise. Drop test of
5434 dumping, renaming to...
5435 (selftest::test_program_state_1): ...this.
5436 (selftest::test_program_state_dumping_2): Likewise, renaming to...
5437 (selftest::test_program_state_2): ...this.
5438 (selftest::test_program_state_merging): Update for changes to
5439 region_model.
5440 (selftest::test_program_state_merging_2): Likewise.
5441 (selftest::analyzer_program_state_cc_tests): Update for renamed
5442 tests.
5443 * program-state.h (extrinsic_state::extrinsic_state): Add logger
5444 and engine params.
5445 (extrinsic_state::get_logger): New accessor.
5446 (extrinsic_state::get_engine): New accessor.
5447 (extrinsic_state::get_model_manager): New accessor.
5448 (extrinsic_state::m_logger): New field.
5449 (extrinsic_state::m_engine): New field.
5450 (struct default_hash_traits<svalue_id>): Delete.
5451 (pod_hash_traits<svalue_id>::hash): Delete.
5452 (pod_hash_traits<svalue_id>::equal): Delete.
5453 (pod_hash_traits<svalue_id>::mark_deleted): Delete.
5454 (pod_hash_traits<svalue_id>::mark_empty): Delete.
5455 (pod_hash_traits<svalue_id>::is_deleted): Delete.
5456 (pod_hash_traits<svalue_id>::is_empty): Delete.
5457 (sm_state_map::entry_t::entry_t): Port from svalue_id to
5458 const svalue *.
5459 (sm_state_map::entry_t::m_origin): Likewise.
5460 (sm_state_map::map_t): Likewise.
5461 (sm_state_map::sm_state_map): Add state_machine and index params.
5462 (sm_state_map::clone_with_remapping): Delete.
5463 (sm_state_map::print): Drop sm param; add simple and multiline
5464 params.
5465 (sm_state_map::dump): Drop sm param; add simple param.
5466 (sm_state_map::get_state): Port from svalue_id to const svalue *.
5467 Add ext_state param.
5468 (sm_state_map::get_origin): Likewise.
5469 (sm_state_map::set_state): Likewise.
5470 (sm_state_map::impl_set_state): Likewise.
5471 (sm_state_map::purge_for_unknown_fncall): Delete.
5472 (sm_state_map::remap_svalue_ids): Delete.
5473 (sm_state_map::on_svalue_purge): Delete.
5474 (sm_state_map::on_svalue_leak): New.
5475 (sm_state_map::on_liveness_change): New.
5476 (sm_state_map::on_inherited_svalue): Delete.
5477 (sm_state_map::on_cast): Delete.
5478 (sm_state_map::validate): Delete.
5479 (sm_state_map::on_unknown_change): Port from svalue_id to
5480 const svalue *. Add is_mutable and ext_state params.
5481 (sm_state_map::canonicalize_svalue): New.
5482 (sm_state_map::m_sm): New field.
5483 (sm_state_map::m_sm_idx): New field.
5484 (program_state::operator=): Delete.
5485 (program_state::dump_to_pp): Drop "summarize" param, adding
5486 "simple" and "multiline".
5487 (program_state::dump_to_file): Likewise.
5488 (program_state::dump): Rename "summarize" to "simple".
5489 (program_state::push_frame): New.
5490 (program_state::get_current_function): New.
5491 (program_state::on_edge): Drop "change" param.
5492 (program_state::prune_for_point): Likewise. Add enode_for_diag
5493 param.
5494 (program_state::remap_svalue_ids): Delete.
5495 (program_state::get_representative_tree): Port from svalue_id to
5496 const svalue *.
5497 (program_state::can_purge_p): Likewise. Pass ext_state to get_state.
5498 (program_state::can_merge_with_p): Add point param.
5499 (program_state::detect_leaks): New.
5500 (state_change_visitor::on_state_change): Port from tree and
5501 svalue_id to a pair of const svalue *.
5502 (class state_change): Delete.
5503 * region.cc: New file.
5504 * region-model-impl-calls.cc: New file.
5505 * region-model-manager.cc: New file.
5506 * region-model-reachability.cc: New file.
5507 * region-model-reachability.h: New file.
5508 * region-model.cc: Include "analyzer/call-string.h",
5509 "analyzer/program-point.h", and "analyzer/store.h" before
5510 "analyzer/region-model.h". Include
5511 "analyzer/region-model-reachability.h".
5512 (dump_tree): Make non-static.
5513 (dump_quoted_tree): Make non-static.
5514 (print_quoted_type): Make non-static.
5515 (path_var::dump): Delete.
5516 (dump_separator): Delete.
5517 (class impl_constraint_manager): Delete.
5518 (svalue_id::print): Delete.
5519 (svalue_id::dump_node_name_to_pp): Delete.
5520 (svalue_id::validate): Delete.
5521 (region_id::print): Delete.
5522 (region_id::dump_node_name_to_pp): Delete.
5523 (region_id::validate): Delete.
5524 (region_id_set::region_id_set): Delete.
5525 (svalue_id_set::svalue_id_set): Delete.
5526 (svalue::operator==): Delete.
5527 (svalue::hash): Delete.
5528 (svalue::print): Delete.
5529 (svalue::dump_dot_to_pp): Delete.
5530 (svalue::remap_region_ids): Delete.
5531 (svalue::walk_for_canonicalization): Delete.
5532 (svalue::get_child_sid): Delete.
5533 (svalue::maybe_get_constant): Delete.
5534 (region_svalue::compare_fields): Delete.
5535 (region_svalue::add_to_hash): Delete.
5536 (region_svalue::print_details): Delete.
5537 (region_svalue::dump_dot_to_pp): Delete.
5538 (region_svalue::remap_region_ids): Delete.
5539 (region_svalue::merge_values): Delete.
5540 (region_svalue::walk_for_canonicalization): Delete.
5541 (region_svalue::eval_condition): Delete.
5542 (constant_svalue::compare_fields): Delete.
5543 (constant_svalue::add_to_hash): Delete.
5544 (constant_svalue::merge_values): Delete.
5545 (constant_svalue::eval_condition): Move to svalue.cc.
5546 (constant_svalue::print_details): Delete.
5547 (constant_svalue::get_child_sid): Delete.
5548 (unknown_svalue::compare_fields): Delete.
5549 (unknown_svalue::add_to_hash): Delete.
5550 (unknown_svalue::print_details): Delete.
5551 (poison_kind_to_str): Move to svalue.cc.
5552 (poisoned_svalue::compare_fields): Delete.
5553 (poisoned_svalue::add_to_hash): Delete.
5554 (poisoned_svalue::print_details): Delete.
5555 (region_kind_to_str): Move to region.cc and reimplement.
5556 (region::operator==): Delete.
5557 (region::get_parent_region): Delete.
5558 (region::set_value): Delete.
5559 (region::become_active_view): Delete.
	(region::deactivate_any_active_view): Delete.
	(region::deactivate_view): Delete.
	(region::get_value): Delete.
	(region::get_inherited_child_sid): Delete.
	(region_model::copy_region): Delete.
	(region_model::copy_struct_region): Delete.
	(region_model::copy_union_region): Delete.
	(region_model::copy_array_region): Delete.
	(region::hash): Delete.
	(region::print): Delete.
	(region::dump_dot_to_pp): Delete.
	(region::dump_to_pp): Delete.
	(region::dump_child_label): Delete.
	(region::validate): Delete.
	(region::remap_svalue_ids): Delete.
	(region::remap_region_ids): Delete.
	(region::add_view): Delete.
	(region::get_view): Delete.
	(region::region): Move to region.cc.
	(region::add_to_hash): Delete.
	(region::print_fields): Delete.
	(region::non_null_p): Delete.
	(primitive_region::clone): Delete.
	(primitive_region::walk_for_canonicalization): Delete.
	(map_region::map_region): Delete.
	(map_region::compare_fields): Delete.
	(map_region::print_fields): Delete.
	(map_region::validate): Delete.
	(map_region::dump_dot_to_pp): Delete.
	(map_region::dump_child_label): Delete.
	(map_region::get_or_create): Delete.
	(map_region::get): Delete.
	(map_region::add_to_hash): Delete.
	(map_region::remap_region_ids): Delete.
	(map_region::unbind): Delete.
	(map_region::get_tree_for_child_region): Delete.
	(map_region::get_tree_for_child_region): Delete.
	(tree_cmp): Move to region.cc.
	(map_region::can_merge_p): Delete.
	(map_region::walk_for_canonicalization): Delete.
	(map_region::get_value_by_name): Delete.
	(struct_or_union_region::valid_key_p): Delete.
	(struct_or_union_region::compare_fields): Delete.
	(struct_region::clone): Delete.
	(struct_region::compare_fields): Delete.
	(union_region::clone): Delete.
	(union_region::compare_fields): Delete.
	(frame_region::compare_fields): Delete.
	(frame_region::clone): Delete.
	(frame_region::valid_key_p): Delete.
	(frame_region::print_fields): Delete.
	(frame_region::add_to_hash): Delete.
	(globals_region::compare_fields): Delete.
	(globals_region::clone): Delete.
	(globals_region::valid_key_p): Delete.
	(code_region::compare_fields): Delete.
	(code_region::clone): Delete.
	(code_region::valid_key_p): Delete.
	(array_region::array_region): Delete.
	(array_region::get_element): Delete.
	(array_region::clone): Delete.
	(array_region::compare_fields): Delete.
	(array_region::print_fields): Delete.
	(array_region::validate): Delete.
	(array_region::dump_dot_to_pp): Delete.
	(array_region::dump_child_label): Delete.
	(array_region::get_or_create): Delete.
	(array_region::get): Delete.
	(array_region::add_to_hash): Delete.
	(array_region::remap_region_ids): Delete.
	(array_region::get_key_for_child_region): Delete.
	(array_region::key_cmp): Delete.
	(array_region::walk_for_canonicalization): Delete.
	(array_region::key_from_constant): Delete.
	(array_region::constant_from_key): Delete.
	(function_region::compare_fields): Delete.
	(function_region::clone): Delete.
	(function_region::valid_key_p): Delete.
	(stack_region::stack_region): Delete.
	(stack_region::compare_fields): Delete.
	(stack_region::clone): Delete.
	(stack_region::print_fields): Delete.
	(stack_region::dump_child_label): Delete.
	(stack_region::validate): Delete.
	(stack_region::push_frame): Delete.
	(stack_region::get_current_frame_id): Delete.
	(stack_region::pop_frame): Delete.
	(stack_region::add_to_hash): Delete.
	(stack_region::remap_region_ids): Delete.
	(stack_region::can_merge_p): Delete.
	(stack_region::walk_for_canonicalization): Delete.
	(stack_region::get_value_by_name): Delete.
	(heap_region::heap_region): Delete.
	(heap_region::compare_fields): Delete.
	(heap_region::clone): Delete.
	(heap_region::walk_for_canonicalization): Delete.
	(root_region::root_region): Delete.
	(root_region::compare_fields): Delete.
	(root_region::clone): Delete.
	(root_region::print_fields): Delete.
	(root_region::validate): Delete.
	(root_region::dump_child_label): Delete.
	(root_region::push_frame): Delete.
	(root_region::get_current_frame_id): Delete.
	(root_region::pop_frame): Delete.
	(root_region::ensure_stack_region): Delete.
	(root_region::get_stack_region): Delete.
	(root_region::ensure_globals_region): Delete.
	(root_region::get_code_region): Delete.
	(root_region::ensure_code_region): Delete.
	(root_region::get_globals_region): Delete.
	(root_region::ensure_heap_region): Delete.
	(root_region::get_heap_region): Delete.
	(root_region::remap_region_ids): Delete.
	(root_region::can_merge_p): Delete.
	(root_region::add_to_hash): Delete.
	(root_region::walk_for_canonicalization): Delete.
	(root_region::get_value_by_name): Delete.
	(symbolic_region::symbolic_region): Delete.
	(symbolic_region::compare_fields): Delete.
	(symbolic_region::clone): Delete.
	(symbolic_region::walk_for_canonicalization): Delete.
	(symbolic_region::print_fields): Delete.
	(region_model::region_model): Add region_model_manager * param.
	Reimplement in terms of store, dropping impl_constraint_manager
	subclass.
	(region_model::operator=): Reimplement in terms of store.
	(region_model::operator==): Likewise.
	(region_model::hash): Likewise.
	(region_model::print): Delete.
	(region_model::print_svalue): Delete.
	(region_model::dump_dot_to_pp): Delete.
	(region_model::dump_dot_to_file): Delete.
	(region_model::dump_dot): Delete.
	(region_model::dump_to_pp): Replace "summarize" param with
	"simple" and "multiline".  Port to store-based implementation.
	(region_model::dump): Replace "summarize" param with "simple" and
	"multiline".
	(dump_vec_of_tree): Delete.
	(region_model::dump_summary_of_rep_path_vars): Delete.
	(region_model::validate): Delete.
	(svalue_id_cmp_by_constant_svalue_model): Delete.
	(svalue_id_cmp_by_constant_svalue): Delete.
	(region_model::canonicalize): Drop "ctxt" param.  Reimplement in
	terms of store and constraints.
	(region_model::canonicalized_p): Remove NULL arg to canonicalize.
	(region_model::loop_replay_fixup): New.
	(poisoned_value_diagnostic::emit): Tweak wording of warnings.
	(region_model::check_for_poison): Delete.
	(region_model::get_gassign_result): New.
	(region_model::on_assignment): Port to store-based implementation.
	(region_model::on_call_pre): Delete calls to check_for_poison.
	Move implementations to region-model-impl-calls.c and port to
	store-based implementation.
	(region_model::on_call_post): Likewise.
	(class reachable_regions): Move to region-model-reachability.h/cc
	and port to store-based implementation.
	(region_model::handle_unrecognized_call): Port to store-based
	implementation.
	(region_model::get_reachable_svalues): New.
	(region_model::on_setjmp): Port to store-based implementation.
	(region_model::on_longjmp): Likewise.
	(region_model::handle_phi): Drop is_back_edge param and the logic
	using it.
	(region_model::get_lvalue_1): Port from region_id to const region *.
	(region_model::make_region_for_unexpected_tree_code): Delete.
	(assert_compat_types): If the check fails, use internal_error to
	show the types.
	(region_model::get_lvalue): Port from region_id to const region *.
	(region_model::get_rvalue_1): Port from svalue_id to const svalue *.
	(region_model::get_rvalue): Likewise.
	(region_model::get_or_create_ptr_svalue): Delete.
	(region_model::get_or_create_constant_svalue): Delete.
	(region_model::get_svalue_for_fndecl): Delete.
	(region_model::get_region_for_fndecl): Delete.
	(region_model::get_svalue_for_label): Delete.
	(region_model::get_region_for_label): Delete.
	(build_cast): Delete.
	(region_model::maybe_cast_1): Delete.
	(region_model::maybe_cast): Delete.
	(region_model::get_field_region): Delete.
	(region_model::get_store_value): New.
	(region_model::region_exists_p): New.
	(region_model::deref_rvalue): Port from svalue_id to const svalue *.
	(region_model::set_value): Likewise.
	(region_model::clobber_region): New.
	(region_model::purge_region): New.
	(region_model::zero_fill_region): New.
	(region_model::mark_region_as_unknown): New.
	(region_model::eval_condition): Port from svalue_id to
	const svalue *.
	(region_model::eval_condition_without_cm): Likewise.
	(region_model::compare_initial_and_pointer): New.
	(region_model::add_constraint): Port from svalue_id to
	const svalue *.
	(region_model::maybe_get_constant): Delete.
	(region_model::get_representative_path_var): New.
	(region_model::add_new_malloc_region): Delete.
	(region_model::get_representative_tree): Port to const svalue *.
	(region_model::get_representative_path_var): Port to
	const region *.
	(region_model::get_path_vars_for_svalue): Delete.
	(region_model::set_to_new_unknown_value): Delete.
	(region_model::update_for_phis): Don't pass is_back_edge to handle_phi.
	(region_model::update_for_call_superedge): Port from svalue_id to
	const svalue *.
	(region_model::update_for_return_superedge): Port to store-based
	implementation.
	(region_model::update_for_call_summary): Replace
	set_to_new_unknown_value with mark_region_as_unknown.
	(region_model::get_root_region): Delete.
	(region_model::get_stack_region_id): Delete.
	(region_model::push_frame): Delete.
	(region_model::get_current_frame_id): Delete.
	(region_model::get_current_function): Delete.
	(region_model::pop_frame): Delete.
	(region_model::on_top_level_param): New.
	(region_model::get_stack_depth): Delete.
	(region_model::get_function_at_depth): Delete.
	(region_model::get_globals_region_id): Delete.
	(region_model::add_svalue): Delete.
	(region_model::replace_svalue): Delete.
	(region_model::add_region): Delete.
	(region_model::get_svalue): Delete.
	(region_model::get_region): Delete.
	(make_region_for_type): Delete.
	(region_model::add_region_for_type): Delete.
	(region_model::on_top_level_param): New.
	(class restrict_to_used_svalues): Delete.
	(region_model::purge_unused_svalues): Delete.
	(region_model::push_frame): New.
	(region_model::remap_svalue_ids): Delete.
	(region_model::remap_region_ids): Delete.
	(region_model::purge_regions): Delete.
	(region_model::get_descendents): Delete.
	(region_model::delete_region_and_descendents): Delete.
	(region_model::poison_any_pointers_to_bad_regions): Delete.
	(region_model::can_merge_with_p): Delete.
	(region_model::get_current_function): New.
	(region_model::get_value_by_name): Delete.
	(region_model::convert_byte_offset_to_array_index): Delete.
	(region_model::pop_frame): New.
	(region_model::get_or_create_mem_ref): Delete.
	(region_model::get_stack_depth): New.
	(region_model::get_frame_at_index): New.
	(region_model::unbind_region_and_descendents): New.
	(struct bad_pointer_finder): New.
	(region_model::get_or_create_pointer_plus_expr): Delete.
	(region_model::poison_any_pointers_to_descendents): New.
	(region_model::get_or_create_view): Delete.
	(region_model::can_merge_with_p): New.
	(region_model::get_fndecl_for_call): Port from svalue_id to
	const svalue *.
	(struct append_ssa_names_cb_data): New.
	(get_ssa_name_regions_for_current_frame): New.
	(region_model::append_ssa_names_cb): New.
	(model_merger::dump_to_pp): Add "simple" param.  Drop dumping of
	remappings.
	(model_merger::dump): Add "simple" param to both overloads.
	(model_merger::can_merge_values_p): Delete.
	(model_merger::record_regions): Delete.
	(model_merger::record_svalues): Delete.
	(svalue_id_merger_mapping::svalue_id_merger_mapping): Delete.
	(svalue_id_merger_mapping::dump_to_pp): Delete.
	(svalue_id_merger_mapping::dump): Delete.
	(region_model::create_region_for_heap_alloc): New.
	(region_model::create_region_for_alloca): New.
	(region_model::record_dynamic_extents): New.
	(canonicalization::canonicalization): Delete.
	(canonicalization::walk_rid): Delete.
	(canonicalization::walk_sid): Delete.
	(canonicalization::dump_to_pp): Delete.
	(canonicalization::dump): Delete.
	(inchash::add): Delete overloads for svalue_id and region_id.
	(engine::log_stats): New.
	(assert_condition): Add overload comparing svalues.
	(assert_dump_eq): Pass "true" for multiline.
	(selftest::test_dump): Update for rewrite of region_model.
	(selftest::test_dump_2): Rename to...
	(selftest::test_struct): ...this.  Provide a region_model_manager
	when creating region_model instance.  Remove dump test.  Add
	checks for get_offset.
	(selftest::test_dump_3): Rename to...
	(selftest::test_array_1): ...this.  Provide a region_model_manager
	when creating region_model instance.  Remove dump test.
	(selftest::test_get_representative_tree): Port from svalue_id to
	new API.  Add test coverage for various expressions.
	(selftest::test_unique_constants): Provide a region_model_manager
	for the region_model.  Add test coverage for comparing const vs
	non-const.
	(selftest::test_svalue_equality): Delete.
	(selftest::test_region_equality): Delete.
	(selftest::test_unique_unknowns): New.
	(class purge_all_svalue_ids): Delete.
	(class purge_one_svalue_id): Delete.
	(selftest::test_purging_by_criteria): Delete.
	(selftest::test_initial_svalue_folding): New.
	(selftest::test_unaryop_svalue_folding): New.
	(selftest::test_binop_svalue_folding): New.
	(selftest::test_sub_svalue_folding): New.
	(selftest::test_purge_unused_svalues): Delete.
	(selftest::test_descendent_of_p): New.
	(selftest::test_assignment): Provide a region_model_manager for
	the region_model.  Drop the dump test.
	(selftest::test_compound_assignment): Likewise.
	(selftest::test_stack_frames): Port to new implementation.
	(selftest::test_get_representative_path_var): Likewise.
	(selftest::test_canonicalization_1): Rename to...
	(selftest::test_equality_1): ...this.  Port to new API, and add
	(selftest::test_canonicalization_2): Provide a
	region_model_manager when creating region_model instances.
	Remove redundant canonicalization.
	(selftest::test_canonicalization_3): Provide a
	region_model_manager when creating region_model instances.
	Remove param from calls to region_model::canonicalize.
	(selftest::test_canonicalization_4): Likewise.
	(selftest::assert_region_models_merge): Constify
	out_merged_svalue.  Port to new API.
	(selftest::test_state_merging): Provide a
	region_model_manager when creating region_model instances.
	Provide a program_point point when merging them.  Replace
	set_to_new_unknown_value with usage of placeholder_svalues.
	Drop get_value_by_name.  Port from svalue_id to const svalue *.
	Add test of heap allocation.
	(selftest::test_constraint_merging): Provide a
	region_model_manager when creating region_model instances.
	Provide a program_point point when merging them.  Eliminate use
	of set_to_new_unknown_value.
	(selftest::test_widening_constraints): New.
	(selftest::test_iteration_1): New.
	(selftest::test_malloc_constraints): Port to store-based
	implementation.
	(selftest::test_var): New test.
	(selftest::test_array_2): New test.
	(selftest::test_mem_ref): New test.
	(selftest::test_POINTER_PLUS_EXPR_then_MEM_REF): New.
	(selftest::test_malloc): New.
	(selftest::test_alloca): New.
	(selftest::analyzer_region_model_cc_tests): Update for renamings.
	Call new functions.
	* region-model.h (class path_var): Move to analyzer.h.
	(class svalue_id): Delete.
	(class region_id): Delete.
	(class id_map): Delete.
	(svalue_id_map): Delete.
	(region_id_map): Delete.
	(id_map<T>::id_map): Delete.
	(id_map<T>::put): Delete.
	(id_map<T>::get_dst_for_src): Delete.
	(id_map<T>::get_src_for_dst): Delete.
	(id_map<T>::dump_to_pp): Delete.
	(id_map<T>::dump): Delete.
	(id_map<T>::update): Delete.
	(one_way_svalue_id_map): Delete.
	(one_way_region_id_map): Delete.
	(class region_id_set): Delete.
	(class svalue_id_set): Delete.
	(struct complexity): New.
	(class visitor): New.
	(enum svalue_kind): Add SK_SETJMP, SK_INITIAL, SK_UNARYOP,
	SK_BINOP, SK_SUB, SK_UNMERGEABLE, SK_PLACEHOLDER, SK_WIDENING,
	SK_COMPOUND, and SK_CONJURED.
	(svalue::operator==): Delete.
	(svalue::operator!=): Delete.
	(svalue::clone): Delete.
	(svalue::hash): Delete.
	(svalue::dump_dot_to_pp): Delete.
	(svalue::dump_to_pp): New.
	(svalue::dump): New.
	(svalue::get_desc): New.
	(svalue::dyn_cast_initial_svalue): New.
	(svalue::dyn_cast_unaryop_svalue): New.
	(svalue::dyn_cast_binop_svalue): New.
	(svalue::dyn_cast_sub_svalue): New.
	(svalue::dyn_cast_unmergeable_svalue): New.
	(svalue::dyn_cast_widening_svalue): New.
	(svalue::dyn_cast_compound_svalue): New.
	(svalue::dyn_cast_conjured_svalue): New.
	(svalue::maybe_undo_cast): New.
	(svalue::unwrap_any_unmergeable): New.
	(svalue::remap_region_ids): Delete.
	(svalue::can_merge_p): New.
	(svalue::walk_for_canonicalization): Delete.
	(svalue::get_complexity): New.
	(svalue::get_child_sid): Delete.
	(svalue::accept): New.
	(svalue::live_p): New.
	(svalue::implicitly_live_p): New.
	(svalue::svalue): Add complexity param.
	(svalue::add_to_hash): Delete.
	(svalue::print_details): Delete.
	(svalue::m_complexity): New field.
	(region_svalue::key_t): New struct.
	(region_svalue::region_svalue): Port from region_id to
	const region_id *.  Add complexity.
	(region_svalue::compare_fields): Delete.
	(region_svalue::clone): Delete.
	(region_svalue::dump_dot_to_pp): Delete.
	(region_svalue::get_pointee): Port from region_id to
	const region_id *.
	(region_svalue::remap_region_ids): Delete.
	(region_svalue::merge_values): Delete.
	(region_svalue::dump_to_pp): New.
	(region_svalue::accept): New.
	(region_svalue::walk_for_canonicalization): Delete.
	(region_svalue::eval_condition): Make params const.
	(region_svalue::add_to_hash): Delete.
	(region_svalue::print_details): Delete.
	(region_svalue::m_rid): Replace with...
	(region_svalue::m_reg): ...this.
	(is_a_helper <region_svalue *>::test): Convert to...
	(is_a_helper <const region_svalue *>::test): ...this.
	(template <> struct default_hash_traits<region_svalue::key_t>):
	New.
	(constant_svalue::constant_svalue): Add complexity.
	(constant_svalue::compare_fields): Delete.
	(constant_svalue::clone): Delete.
	(constant_svalue::add_to_hash): Delete.
	(constant_svalue::dump_to_pp): New.
	(constant_svalue::accept): New.
	(constant_svalue::implicitly_live_p): New.
	(constant_svalue::merge_values): Delete.
	(constant_svalue::eval_condition): Make params const.
	(constant_svalue::get_child_sid): Delete.
	(constant_svalue::print_details): Delete.
	(is_a_helper <constant_svalue *>::test): Convert to...
	(is_a_helper <const constant_svalue *>::test): ...this.
	(class unknown_svalue): Update leading comment.
	(unknown_svalue::unknown_svalue): Add complexity.
	(unknown_svalue::compare_fields): Delete.
	(unknown_svalue::add_to_hash): Delete.
	(unknown_svalue::dyn_cast_unknown_svalue): Delete.
	(unknown_svalue::print_details): Delete.
	(unknown_svalue::dump_to_pp): New.
	(unknown_svalue::accept): New.
	(poisoned_svalue::key_t): New struct.
	(poisoned_svalue::poisoned_svalue): Add complexity.
	(poisoned_svalue::compare_fields): Delete.
	(poisoned_svalue::clone): Delete.
	(poisoned_svalue::add_to_hash): Delete.
	(poisoned_svalue::dump_to_pp): New.
	(poisoned_svalue::accept): New.
	(poisoned_svalue::print_details): Delete.
	(is_a_helper <poisoned_svalue *>::test): Convert to...
	(is_a_helper <const poisoned_svalue *>::test): ...this.
	(template <> struct default_hash_traits<poisoned_svalue::key_t>):
	New.
	(setjmp_record::add_to_hash): New.
	(setjmp_svalue::key_t): New struct.
	(setjmp_svalue::compare_fields): Delete.
	(setjmp_svalue::clone): Delete.
	(setjmp_svalue::add_to_hash): Delete.
	(setjmp_svalue::setjmp_svalue): Add complexity.
	(setjmp_svalue::dump_to_pp): New.
	(setjmp_svalue::accept): New.
	(setjmp_svalue::void print_details): Delete.
	(is_a_helper <const setjmp_svalue *>::test): New.
	(template <> struct default_hash_traits<setjmp_svalue::key_t>): New.
	(class initial_svalue : public svalue): New.
	(is_a_helper <const initial_svalue *>::test): New.
	(class unaryop_svalue): New.
	(is_a_helper <const unaryop_svalue *>::test): New.
	(template <> struct default_hash_traits<unaryop_svalue::key_t>): New.
	(class binop_svalue): New.
	(is_a_helper <const binop_svalue *>::test): New.
	(template <> struct default_hash_traits<binop_svalue::key_t>): New.
	(class sub_svalue): New.
	(is_a_helper <const sub_svalue *>::test): New.
	(template <> struct default_hash_traits<sub_svalue::key_t>): New.
	(class unmergeable_svalue): New.
	(is_a_helper <const unmergeable_svalue *>::test): New.
	(class placeholder_svalue): New.
	(is_a_helper <placeholder_svalue *>::test): New.
	(class widening_svalue): New.
	(is_a_helper <widening_svalue *>::test): New.
	(template <> struct default_hash_traits<widening_svalue::key_t>): New.
	(class compound_svalue): New.
	(is_a_helper <compound_svalue *>::test): New.
	(template <> struct default_hash_traits<compound_svalue::key_t>): New.
	(class conjured_svalue): New.
	(is_a_helper <conjured_svalue *>::test): New.
	(template <> struct default_hash_traits<conjured_svalue::key_t>): New.
	(enum region_kind): Delete RK_PRIMITIVE, RK_STRUCT, RK_UNION, and
	RK_ARRAY.  Add RK_LABEL, RK_DECL, RK_FIELD, RK_ELEMENT, RK_OFFSET,
	RK_CAST, RK_HEAP_ALLOCATED, RK_ALLOCA, RK_STRING, and RK_UNKNOWN.
	(region_kind_to_str): Delete.
	(region::~region): Move implementation to region.cc.
	(region::operator==): Delete.
	(region::operator!=): Delete.
	(region::clone): Delete.
	(region::get_id): New.
	(region::cmp_ids): New.
	(region::dyn_cast_map_region): Delete.
	(region::dyn_cast_array_region): Delete.
	(region::region_id get_parent): Delete.
	(region::get_parent_region): Convert to a simple accessor.
	(region::void set_value): Delete.
	(region::svalue_id get_value): Delete.
	(region::svalue_id get_value_direct): Delete.
	(region::svalue_id get_inherited_child_sid): Delete.
	(region::dyn_cast_frame_region): New.
	(region::dyn_cast_function_region): New.
	(region::dyn_cast_decl_region): New.
	(region::dyn_cast_field_region): New.
	(region::dyn_cast_element_region): New.
	(region::dyn_cast_offset_region): New.
	(region::dyn_cast_cast_region): New.
	(region::dyn_cast_string_region): New.
	(region::accept): New.
	(region::get_base_region): New.
	(region::base_region_p): New.
	(region::descendent_of_p): New.
	(region::maybe_get_frame_region): New.
	(region::maybe_get_decl): New.
	(region::hash): Delete.
	(region::print): Delete.
	(region::dump_dot_to_pp): Delete.
	(region::get_desc): New.
	(region::dump_to_pp): Convert to vfunc, changing signature.
	(region::dump_child_label): Delete.
	(region::remap_svalue_ids): Delete.
	(region::remap_region_ids): Delete.
	(region::dump): New.
	(region::walk_for_canonicalization): Delete.
	(region::non_null_p): Drop region_model param.
	(region::add_view): Delete.
	(region::get_view): Delete.
	(region::get_active_view): Delete.
	(region::is_view_p): Delete.
	(region::cmp_ptrs): New.
	(region::validate): Delete.
	(region::get_offset): New.
	(region::get_byte_size): New.
	(region::get_bit_size): New.
	(region::get_subregions_for_binding): New.
	(region::region): Add complexity param.  Convert parent from
	region_id to const region *.  Drop svalue_id.  Drop copy ctor.
	(region::symbolic_for_unknown_ptr_p): New.
	(region::add_to_hash): Delete.
	(region::print_fields): Delete.
	(region::get_complexity): New accessor.
	(region::become_active_view): Delete.
	(region::deactivate_any_active_view): Delete.
	(region::deactivate_view): Delete.
	(region::calc_offset): New.
	(region::m_parent_rid): Delete.
	(region::m_sval_id): Delete.
	(region::m_complexity): New.
	(region::m_id): New.
	(region::m_parent): New.
	(region::m_view_rids): Delete.
	(region::m_is_view): Delete.
	(region::m_active_view_rid): Delete.
	(region::m_cached_offset): New.
	(is_a_helper <region *>::test): Convert to...
	(is_a_helper <const region *>::test): ...this.
	(class primitive_region): Delete.
	(class space_region): New.
	(class map_region): Delete.
	(is_a_helper <map_region *>::test): Delete.
	(class frame_region): Reimplement.
	(template <> struct default_hash_traits<frame_region::key_t>):
	New.
	(class globals_region): Reimplement.
	(is_a_helper <globals_region *>::test): Convert to...
	(is_a_helper <const globals_region *>::test): ...this.
	(class struct_or_union_region): Delete.
	(is_a_helper <struct_or_union_region *>::test): Delete.
	(class code_region): Reimplement.
	(is_a_helper <const code_region *>::test): New.
	(class struct_region): Delete.
	(is_a_helper <struct_region *>::test): Delete.
	(class function_region): Reimplement.
	(is_a_helper <function_region *>::test): Convert to...
	(is_a_helper <const function_region *>::test): ...this.
	(class union_region): Delete.
	(is_a_helper <union_region *>::test): Delete.
	(class label_region): New.
	(is_a_helper <const label_region *>::test): New.
	(class scope_region): Delete.
	(class stack_region): Reimplement.
	(is_a_helper <stack_region *>::test): Convert to...
	(is_a_helper <const stack_region *>::test): ...this.
	(class heap_region): Reimplement.
	(is_a_helper <heap_region *>::test): Convert to...
	(is_a_helper <const heap_region *>::test): ...this.
	(class root_region): Reimplement.
	(is_a_helper <root_region *>::test): Convert to...
	(is_a_helper <const root_region *>::test): ...this.
	(class symbolic_region): Reimplement.
	(is_a_helper <const symbolic_region *>::test): New.
	(template <> struct default_hash_traits<symbolic_region::key_t>):
	New.
	(class decl_region): New.
	(is_a_helper <const decl_region *>::test): New.
	(class field_region): New.
	(template <> struct default_hash_traits<field_region::key_t>): New.
	(class array_region): Delete.
	(class element_region): New.
	(is_a_helper <array_region *>::test): Delete.
	(is_a_helper <const element_region *>::test): New.
	(template <> struct default_hash_traits<element_region::key_t>):
	New.
	(class offset_region): New.
	(is_a_helper <const offset_region *>::test): New.
	(template <> struct default_hash_traits<offset_region::key_t>):
	New.
	(class cast_region): New.
	(is_a_helper <const cast_region *>::test): New.
	(template <> struct default_hash_traits<cast_region::key_t>): New.
	(class heap_allocated_region): New.
	(class alloca_region): New.
	(class string_region): New.
	(is_a_helper <const string_region *>::test): New.
	(class unknown_region): New.
	(class region_model_manager): New.
	(struct append_ssa_names_cb_data): New.
	(class call_details): New.
	(region_model::region_model): Add region_model_manager param.
	(region_model::print_svalue): Delete.
	(region_model::dump_dot_to_pp): Delete.
	(region_model::dump_dot_to_file): Delete.
	(region_model::dump_dot): Delete.
	(region_model::dump_to_pp): Drop summarize param in favor of
	simple and multiline.
	(region_model::dump): Likewise.
	(region_model::summarize_to_pp): Delete.
	(region_model::summarize): Delete.
	(region_model::void canonicalize): Drop ctxt param.
	(region_model::void check_for_poison): Delete.
	(region_model::get_gassign_result): New.
	(region_model::impl_call_alloca): New.
	(region_model::impl_call_analyzer_describe): New.
	(region_model::impl_call_analyzer_eval): New.
	(region_model::impl_call_builtin_expect): New.
	(region_model::impl_call_calloc): New.
	(region_model::impl_call_free): New.
	(region_model::impl_call_malloc): New.
	(region_model::impl_call_memset): New.
	(region_model::impl_call_strlen): New.
	(region_model::get_reachable_svalues): New.
	(region_model::handle_phi): Drop is_back_edge param.
	(region_model::region_id get_root_rid): Delete.
	(region_model::root_region *get_root_region): Delete.
	(region_model::region_id get_stack_region_id): Delete.
	(region_model::push_frame): Convert from region_id and svalue_id
	to const region * and const svalue *.
	(region_model::get_current_frame_id): Replace with...
	(region_model::get_current_frame): ...this.
	(region_model::pop_frame): Convert from region_id to
	const region *.  Drop purge and stats param.  Add out_result.
	(region_model::function *get_function_at_depth): Delete.
	(region_model::get_globals_region_id): Delete.
	(region_model::add_svalue): Delete.
	(region_model::replace_svalue): Delete.
	(region_model::add_region): Delete.
	(region_model::add_region_for_type): Delete.
	(region_model::get_svalue): Delete.
	(region_model::get_region): Delete.
	(region_model::get_lvalue): Convert from region_id to
	const region *.
	(region_model::get_rvalue): Convert from svalue_id to
	const svalue *.
	(region_model::get_or_create_ptr_svalue): Delete.
	(region_model::get_or_create_constant_svalue): Delete.
	(region_model::get_svalue_for_fndecl): Delete.
	(region_model::get_svalue_for_label): Delete.
	(region_model::get_region_for_fndecl): Delete.
	(region_model::get_region_for_label): Delete.
	(region_model::get_frame_at_index (int index) const;): New.
	(region_model::maybe_cast): Delete.
	(region_model::maybe_cast_1): Delete.
	(region_model::get_field_region): Delete.
	(region_model::id deref_rvalue): Convert from region_id and
	svalue_id to const region * and const svalue *.  Drop overload,
	passing in both a tree and an svalue.
	(region_model::set_value): Convert from region_id and svalue_id to
	const region * and const svalue *.
	(region_model::set_to_new_unknown_value): Delete.
	(region_model::clobber_region (const region *reg);): New.
	(region_model::purge_region (const region *reg);): New.
	(region_model::zero_fill_region (const region *reg);): New.
	(region_model::mark_region_as_unknown (const region *reg);): New.
	(region_model::copy_region): Convert from region_id to
	const region *.
	(region_model::eval_condition): Convert from svalue_id to
	const svalue *.
	(region_model::eval_condition_without_cm): Likewise.
	(region_model::compare_initial_and_pointer): New.
	(region_model::maybe_get_constant): Delete.
	(region_model::add_new_malloc_region): Delete.
	(region_model::get_representative_tree): Convert from svalue_id to
	const svalue *.
	(region_model::get_representative_path_var): Delete decl taking a
	region_id in favor of two decls, for svalue vs region, with an
	svalue_set to ensure termination.
	(region_model::get_path_vars_for_svalue): Delete.
	(region_model::create_region_for_heap_alloc): New.
	(region_model::create_region_for_alloca): New.
	(region_model::purge_unused_svalues): Delete.
	(region_model::remap_svalue_ids): Delete.
	(region_model::remap_region_ids): Delete.
	(region_model::purge_regions): Delete.
	(region_model::get_num_svalues): Delete.
	(region_model::get_num_regions): Delete.
	(region_model::get_descendents): Delete.
	(region_model::get_store): New.
	(region_model::delete_region_and_descendents): Delete.
	(region_model::get_manager): New.
	(region_model::unbind_region_and_descendents): New.
	(region_model::can_merge_with_p): Add point param.  Drop
	svalue_id_merger_mapping.
	(region_model::get_value_by_name): Delete.
	(region_model::convert_byte_offset_to_array_index): Delete.
	(region_model::get_or_create_mem_ref): Delete.
	(region_model::get_or_create_pointer_plus_expr): Delete.
	(region_model::get_or_create_view): Delete.
	(region_model::get_lvalue_1): Convert from region_id to
	const region *.
	(region_model::get_rvalue_1): Convert from svalue_id to
	const svalue *.
	(region_model::get_ssa_name_regions_for_current_frame): New.
	(region_model::append_ssa_names_cb): New.
	(region_model::get_store_value): New.
	(region_model::copy_struct_region): Delete.
	(region_model::copy_union_region): Delete.
	(region_model::copy_array_region): Delete.
	(region_model::region_exists_p): New.
	(region_model::make_region_for_unexpected_tree_code): Delete.
	(region_model::loop_replay_fixup): New.
	(region_model::poison_any_pointers_to_bad_regions): Delete.
	(region_model::poison_any_pointers_to_descendents): New.
	(region_model::dump_summary_of_rep_path_vars): Delete.
	(region_model::on_top_level_param): New.
	(region_model::record_dynamic_extents): New.
	(region_model::m_mgr;): New.
	(region_model::m_store;): New.
	(region_model::m_svalues;): Delete.
	(region_model::m_regions;): Delete.
	(region_model::m_root_rid;): Delete.
	(region_model::m_current_frame;): New.
	(region_model_context::remap_svalue_ids): Delete.
	(region_model_context::can_purge_p): Delete.
	(region_model_context::on_svalue_leak): New.
	(region_model_context::on_svalue_purge): Delete.
	(region_model_context::on_liveness_change): New.
	(region_model_context::on_inherited_svalue): Delete.
	(region_model_context::on_cast): Delete.
	(region_model_context::on_unknown_change): Convert from svalue_id to
	const svalue * and add is_mutable.
	(class noop_region_model_context): Update for region_model_context
	changes.
	(model_merger::model_merger): Add program_point.  Drop
	svalue_id_merger_mapping.
	(model_merger::dump_to_pp): Add "simple" param.
	(model_merger::dump): Likewise.
	(model_merger::get_region_a): Delete.
	(model_merger::get_region_b): Delete.
	(model_merger::can_merge_values_p): Delete.
	(model_merger::record_regions): Delete.
	(model_merger::record_svalues): Delete.
	(model_merger::m_point): New field.
	(model_merger::m_map_regions_from_a_to_m): Delete.
	(model_merger::m_map_regions_from_b_to_m): Delete.
	(model_merger::m_sid_mapping): Delete.
	(struct svalue_id_merger_mapping): Delete.
	(class engine): New.
	(struct canonicalization): Delete.
	(inchash::add): Delete decls for hashing svalue_id and region_id.
	(test_region_model_context::on_unexpected_tree_code): Require t to
	be non-NULL.
6331 (selftest::assert_condition): Add overload comparing a pair of
6332 const svalue *.
6333 * sm-file.cc: Include "tristate.h", "selftest.h",
6334 "analyzer/call-string.h", "analyzer/program-point.h",
6335 "analyzer/store.h", and "analyzer/region-model.h".
6336 (fileptr_state_machine::get_default_state): New.
6337 (fileptr_state_machine::on_stmt): Remove calls to
6338 get_readable_tree in favor of get_diagnostic_tree.
6339 * sm-malloc.cc: Include "tristate.h", "selftest.h",
6340 "analyzer/call-string.h", "analyzer/program-point.h",
6341 "analyzer/store.h", and "analyzer/region-model.h".
6342 (malloc_state_machine::get_default_state): New.
6343 (malloc_state_machine::reset_when_passed_to_unknown_fn_p): New.
6344 (malloc_diagnostic::describe_state_change): Handle change.m_expr
6345 being NULL.
6346 (null_arg::emit): Avoid printing "NULL '0'".
6347 (null_arg::describe_final_event): Avoid printing "(0) NULL".
6348 (malloc_leak::emit): Handle m_arg being NULL.
6349 (malloc_leak::describe_final_event): Handle ev.m_expr being NULL.
6350 (malloc_state_machine::on_stmt): Don't call get_readable_tree.
6351 Call get_diagnostic_tree when creating pending diagnostics.
6352 Update for is_zero_assignment becoming a member function of
6353 sm_ctxt.
6354 Don't transition to m_non_heap for ADDR_EXPR(MEM_REF()).
6355 (malloc_state_machine::reset_when_passed_to_unknown_fn_p): New
6356 vfunc implementation.
6357 * sm-sensitive.cc (sensitive_state_machine::warn_for_any_exposure): Call
6358 get_diagnostic_tree and pass the result to warn_for_state.
6359 * sm-signal.cc: Move includes of "analyzer/call-string.h" and
6360 "analyzer/program-point.h" to before "analyzer/region-model.h",
6361 and also include "analyzer/store.h" before it.
6362 (signal_unsafe_call::describe_state_change): Use
6363 get_dest_function to get handler.
6364 (update_model_for_signal_handler): Pass manager to region_model
6365 ctor.
6366 (register_signal_handler::impl_transition): Update for changes to
6367 get_or_create_node and add_edge.
6368 * sm-taint.cc (taint_state_machine::on_stmt): Remove calls to
6369 get_readable_tree, replacing them when calling warn_for_state with
6370 calls to get_diagnostic_tree.
6371 * sm.cc (is_zero_assignment): Delete.
6372 (any_pointer_p): Move to within namespace ana.
6373 * sm.h (is_zero_assignment): Remove decl.
6374 (any_pointer_p): Move decl to within namespace ana.
6375 (state_machine::get_default_state): New vfunc.
6376 (state_machine::reset_when_passed_to_unknown_fn_p): New vfunc.
6377 (sm_context::get_readable_tree): Rename to...
6378 (sm_context::get_diagnostic_tree): ...this.
6379 (sm_context::is_zero_assignment): New vfunc.
6380 * store.cc: New file.
6381 * store.h: New file.
6382 * svalue.cc: New file.
6383
2020-05-22 Mark Wielaard <mark@klomp.org>

	* sm-signal.cc (signal_unsafe_call::emit): Possibly add
	gcc_rich_location note for replacement.
	(signal_unsafe_call::get_replacement_fn): New private function.
	(get_async_signal_unsafe_fns): Add "exit".

2020-04-28 David Malcolm <dmalcolm@redhat.com>

	PR analyzer/94816
	* engine.cc (impl_region_model_context::on_unexpected_tree_code):
	Handle NULL tree.
	* region-model.cc (region_model::add_region_for_type): Handle
	NULL type.
	* region-model.h
	(test_region_model_context::on_unexpected_tree_code): Handle NULL
	tree.

2020-04-28 David Malcolm <dmalcolm@redhat.com>

	PR analyzer/94447
	PR analyzer/94639
	PR analyzer/94732
	PR analyzer/94754
	* analyzer.opt (Wanalyzer-use-of-uninitialized-value): Delete.
	* program-state.cc (selftest::test_program_state_dumping): Update
	expected dump result for removal of "uninit".
	* region-model.cc (poison_kind_to_str): Delete POISON_KIND_UNINIT
	case.
	(root_region::ensure_stack_region): Initialize stack with null
	svalue_id rather than with a typeless POISON_KIND_UNINIT value.
	(root_region::ensure_heap_region): Likewise for the heap.
	(region_model::dump_summary_of_rep_path_vars): Remove
	summarization of uninit values.
	(region_model::validate): Remove check that the stack has a
	POISON_KIND_UNINIT value.
	(poisoned_value_diagnostic::emit): Remove POISON_KIND_UNINIT
	case.
	(poisoned_value_diagnostic::describe_final_event): Likewise.
	(selftest::test_dump): Update expected dump result for removal of
	"uninit".
	(selftest::test_svalue_equality): Remove "uninit" and "freed".
	* region-model.h (enum poison_kind): Remove POISON_KIND_UNINIT.

2020-04-01 David Malcolm <dmalcolm@redhat.com>

	PR analyzer/94378
	* checker-path.cc: Include "bitmap.h".
	* constraint-manager.cc: Likewise.
	* diagnostic-manager.cc: Likewise.
	* engine.cc: Likewise.
	(exploded_node::detect_leaks): Pass null region_id to pop_frame.
	* program-point.cc: Include "bitmap.h".
	* program-state.cc: Likewise.
	* region-model.cc (id_set<region_id>::id_set): Convert to...
	(region_id_set::region_id_set): ...this.
	(svalue_id_set::svalue_id_set): New ctor.
	(region_model::copy_region): New function.
	(region_model::copy_struct_region): New function.
	(region_model::copy_union_region): New function.
	(region_model::copy_array_region): New function.
	(stack_region::pop_frame): Drop return value. Add
	"result_dst_rid" param; if it is non-null, use copy_region to copy
	the result to it. Rather than capture and pass a single "known
	used" return value to be used by purge_unused_values, instead
	gather and pass a set of known used return values.
	(root_region::pop_frame): Drop return value. Add "result_dst_rid"
	param.
	(region_model::on_assignment): Use copy_region.
	(region_model::on_return): Likewise for the result.
	(region_model::on_longjmp): Pass null for pop_frame's
	result_dst_rid.
	(region_model::update_for_return_superedge): Pass the region for the
	return value of the call, if any, to pop_frame, rather than setting
	the lvalue for the lhs of the result.
	(region_model::pop_frame): Drop return value. Add
	"result_dst_rid" param.
	(region_model::purge_unused_svalues): Convert third param from an
	svalue_id * to an svalue_id_set *, updating the initial populating
	of the "used" bitmap accordingly. Don't remap it when done.
	(struct selftest::coord_test): New selftest fixture, extracted from...
	(selftest::test_dump_2): ...here.
	(selftest::test_compound_assignment): New selftest.
	(selftest::test_stack_frames): Pass null to new param of pop_frame.
	(selftest::analyzer_region_model_cc_tests): Call the new selftest.
	* region-model.h (class id_set): Delete template.
	(class region_id_set): Reimplement, using old id_set implementation.
	(class svalue_id_set): Likewise. Convert from auto_sbitmap to
	auto_bitmap.
	(region::get_active_view): New accessor.
	(stack_region::pop_frame): Drop return value. Add
	"result_dst_rid" param.
	(root_region::pop_frame): Likewise.
	(region_model::pop_frame): Likewise.
	(region_model::copy_region): New decl.
	(region_model::purge_unused_svalues): Convert third param from an
	svalue_id * to an svalue_id_set *.
	(region_model::copy_struct_region): New decl.
	(region_model::copy_union_region): New decl.
	(region_model::copy_array_region): New decl.

2020-03-27 David Malcolm <dmalcolm@redhat.com>

	* program-state.cc (selftest::test_program_state_dumping): Update
	expected dump to include symbolic_region's possibly_null field.
	* region-model.cc (symbolic_region::print_fields): New vfunc
	implementation.
	(region_model::add_constraint): Clear m_possibly_null from
	symbolic_regions now known to be non-NULL.
	(selftest::test_malloc_constraints): New selftest.
	(selftest::analyzer_region_model_cc_tests): Call it.
	* region-model.h (region::dyn_cast_symbolic_region): Add non-const
	overload.
	(symbolic_region::dyn_cast_symbolic_region): Implement it.
	(symbolic_region::print_fields): New vfunc override decl.

2020-03-27 David Malcolm <dmalcolm@redhat.com>

	* analyzer.h (class feasibility_problem): New forward decl.
	* diagnostic-manager.cc (saved_diagnostic::saved_diagnostic):
	Initialize new fields m_status, m_epath_length, and m_problem.
	(saved_diagnostic::~saved_diagnostic): Delete m_problem.
	(dedupe_candidate::dedupe_candidate): Convert "sd" param from a
	const ref to a mutable ptr.
	(dedupe_winners::add): Convert "sd" param from a const ref to a
	mutable ptr. Record the length of the exploded_path. Record the
	feasibility/infeasibility of sd into sd, capturing a
	feasibility_problem when feasible_p fails, and storing it in sd.
	(diagnostic_manager::emit_saved_diagnostics): Update for pass by
	ptr rather than by const ref.
	* diagnostic-manager.h (class saved_diagnostic): Add new enum
	status. Add fields m_status, m_epath_length and m_problem.
	(saved_diagnostic::set_feasible): New member function.
	(saved_diagnostic::set_infeasible): New member function.
	(saved_diagnostic::get_feasibility_problem): New accessor.
	(saved_diagnostic::get_status): New accessor.
	(saved_diagnostic::set_epath_length): New member function.
	(saved_diagnostic::get_epath_length): New accessor.
	* engine.cc: Include "gimple-pretty-print.h".
	(exploded_path::feasible_p): Add OUT param and, if non-NULL, write
	a new feasibility_problem to it on failure.
	(viz_callgraph_node::dump_dot): Convert begin_tr calls to
	begin_trtd. Convert end_tr calls to end_tdtr.
	(class exploded_graph_annotator): New subclass of dot_annotator.
	(impl_run_checkers): Add a second -fdump-analyzer-supergraph dump
	after the analysis runs, using exploded_graph_annotator, dumping
	to DUMP_BASE_NAME.supergraph-eg.dot.
	* exploded-graph.h (exploded_node::get_dot_fillcolor): Make
	public.
	(exploded_path::feasible_p): Add OUT param.
	(class feasibility_problem): New class.
	* state-purge.cc (state_purge_annotator::add_node_annotations):
	Return a bool, add a "within_table" param.
	(print_vec_of_names): Convert begin_tr calls to begin_trtd.
	Convert end_tr calls to end_tdtr.
	(state_purge_annotator::add_stmt_annotations): Add "within_row"
	param.
	* state-purge.h (state_purge_annotator::add_node_annotations):
	Return a bool, add a "within_table" param.
	(state_purge_annotator::add_stmt_annotations): Add "within_row"
	param.
	* supergraph.cc (supernode::dump_dot): Call add_node_annotations
	twice: as before, passing false for "within_table", then again
	with true when within the TABLE element. Convert some begin_tr
	calls to begin_trtd, and some end_tr calls to end_tdtr.
	Repeat each add_stmt_annotations call, distinguishing between
	calls that add TRs and those that add TDs to an existing TR.
	Add a call to add_after_node_annotations.
	* supergraph.h (dot_annotator::add_node_annotations): Add a
	"within_table" param.
	(dot_annotator::add_stmt_annotations): Add a "within_row" param.
	(dot_annotator::add_after_node_annotations): New vfunc.

2020-03-27 David Malcolm <dmalcolm@redhat.com>

	* diagnostic-manager.cc (dedupe_winners::add): Show the
	exploded_node index in the log messages.
	(diagnostic_manager::emit_saved_diagnostics): Log a summary of
	m_saved_diagnostics at entry.

2020-03-27 David Malcolm <dmalcolm@redhat.com>

	* supergraph.cc (superedge::dump): Add space before description;
	move newline to non-pretty_printer overload.

2020-03-18 David Malcolm <dmalcolm@redhat.com>

	* region-model.cc: Include "stor-layout.h".
	(region_model::dump_to_pp): Rather than calling
	dump_summary_of_map on each of the current frame and the globals,
	instead get a vec of representative path_vars for all regions,
	and then dump a summary of all of them.
	(region_model::dump_summary_of_map): Delete, rewriting into...
	(region_model::dump_summary_of_rep_path_vars): ...this new
	function, working on a vec of path_vars.
	(region_model::set_value): New overload.
	(region_model::get_representative_path_var): Rename
	"parent_region" local to "parent_reg" and consolidate with other
	local. Guard test for grandparent being stack on parent_reg being
	non-NULL. Move handling for parent being an array_region to
	within guard for parent_reg being non-NULL.
	(selftest::make_test_compound_type): New function.
	(selftest::test_dump_2): New selftest.
	(selftest::test_dump_3): New selftest.
	(selftest::test_stack_frames): Update expected output from
	simplified dump to show "a" and "b" from parent frame and "y" in
	child frame.
	(selftest::analyzer_region_model_cc_tests): Call test_dump_2 and
	test_dump_3.
	* region-model.h (region_model::set_value): New overload decl.
	(region_model::dump_summary_of_map): Delete.
	(region_model::dump_summary_of_rep_path_vars): New.

2020-03-18 David Malcolm <dmalcolm@redhat.com>

	* region-model.h (class noop_region_model_context): New subclass
	of region_model_context.
	(class tentative_region_model_context): Inherit from
	noop_region_model_context rather than from region_model_context;
	drop redundant vfunc implementations.
	(class test_region_model_context): Likewise.

2020-03-18 David Malcolm <dmalcolm@redhat.com>

	* engine.cc (exploded_node::exploded_node): Move implementation
	here from header; accept point_and_state by const reference rather
	than by value.
	* exploded-graph.h (exploded_node::exploded_node): Pass
	point_and_state by const reference rather than by value. Move
	body to engine.cc.

2020-03-18 Jakub Jelinek <jakub@redhat.com>

	* sm-malloc.cc (malloc_state_machine::on_stmt): Fix up duplicated word
	issue in a comment.
	* region-model.cc (region_model::make_region_for_unexpected_tree_code,
	region_model::delete_region_and_descendents): Likewise.
	* engine.cc (class exploded_cluster): Likewise.
	* diagnostic-manager.cc (class path_builder): Likewise.

2020-03-13 David Malcolm <dmalcolm@redhat.com>

	PR analyzer/94099
	PR analyzer/94105
	* diagnostic-manager.cc (for_each_state_change): Bulletproof
	against errors in get_rvalue by passing a
	tentative_region_model_context and rejecting if there's an error.
	* region-model.cc (region_model::get_lvalue_1): When handling
	ARRAY_REF, handle results of error-handling. Handle NOP_EXPR.

2020-03-06 David Malcolm <dmalcolm@redhat.com>

	* analyzer.h (class array_region): New forward decl.
	* program-state.cc (selftest::test_program_state_dumping_2): New.
	(selftest::analyzer_program_state_cc_tests): Call it.
	* region-model.cc (array_region::constant_from_key): New.
	(region_model::get_representative_tree): Handle region_svalue by
	generating an ADDR_EXPR.
	(region_model::get_representative_path_var): In view handling,
	remove erroneous TREE_TYPE when determining the type of the tree.
	Handle array regions and STRING_CST.
	(selftest::assert_dump_tree_eq): New.
	(ASSERT_DUMP_TREE_EQ): New macro.
	(selftest::test_get_representative_tree): New selftest.
	(selftest::analyzer_region_model_cc_tests): Call it.
	* region-model.h (region::dyn_cast_array_region): New vfunc.
	(array_region::dyn_cast_array_region): New vfunc implementation.
	(array_region::constant_from_key): New decl.

2020-03-06 David Malcolm <dmalcolm@redhat.com>

	* analyzer.h (dump_quoted_tree): New decl.
	* engine.cc (exploded_node::dump_dot): Pass region model to
	sm_state_map::print.
	* program-state.cc: Include diagnostic-core.h.
	(sm_state_map::print): Add "model" param and use it to print
	representative trees. Only print origin information if non-null.
	(sm_state_map::dump): Pass NULL for model to print call.
	(program_state::print): Pass region model to sm_state_map::print.
	(program_state::dump_to_pp): Use spaces rather than newlines when
	summarizing. Pass region_model to sm_state_map::print.
	(ana::selftest::assert_dump_eq): New function.
	(ASSERT_DUMP_EQ): New macro.
	(ana::selftest::test_program_state_dumping): New function.
	(ana::selftest::analyzer_program_state_cc_tests): Call it.
	* program-state.h (program_state::print): Add model param.
	* region-model.cc (dump_quoted_tree): New function.
	(map_region::print_fields): Use dump_quoted_tree rather than
	%qE to avoid lang-dependent output.
	(map_region::dump_child_label): Likewise.
	(region_model::dump_summary_of_map): For SK_REGION, when
	get_representative_path_var fails, print the region id rather than
	erroneously printing NULL.
	* sm.cc (state_machine::get_state_by_name): New function.
	* sm.h (state_machine::get_state_by_name): New decl.

2020-03-04 David Malcolm <dmalcolm@redhat.com>

	* region-model.cc (region::validate): Convert model param from ptr
	to reference. Update comment to reflect that it's now a vfunc.
	(map_region::validate): New vfunc implementation.
	(array_region::validate): New vfunc implementation.
	(stack_region::validate): New vfunc implementation.
	(root_region::validate): New vfunc implementation.
	(region_model::validate): Pass a reference rather than a pointer
	to the region::validate vfunc.
	* region-model.h (region::validate): Make virtual. Convert model
	param from ptr to reference.
	(map_region::validate): New vfunc decl.
	(array_region::validate): New vfunc decl.
	(stack_region::validate): New vfunc decl.
	(root_region::validate): New vfunc decl.

2020-03-04 David Malcolm <dmalcolm@redhat.com>

	PR analyzer/93993
	* region-model.cc (region_model::on_call_pre): Handle
	BUILT_IN_EXPECT and its variants.
	(region_model::add_any_constraints_from_ssa_def_stmt): Split out
	gassign handling into add_any_constraints_from_gassign; add gcall
	handling.
	(region_model::add_any_constraints_from_gassign): New function,
	based on the above. Add handling for NOP_EXPR.
	(region_model::add_any_constraints_from_gcall): New function.
	(region_model::get_representative_path_var): Handle views.
	* region-model.h
	(region_model::add_any_constraints_from_ssa_def_stmt): New decl.
	(region_model::add_any_constraints_from_gassign): New decl.

2020-03-04 David Malcolm <dmalcolm@redhat.com>

	PR analyzer/93993
	* checker-path.h (state_change_event::get_lvalue): Add ctxt param
	and pass it to region_model::get_value call.
	* diagnostic-manager.cc (get_any_origin): Pass a
	tentative_region_model_context to the calls to get_lvalue and reject
	the comparison if errors occur.
	(can_be_expr_of_interest_p): New function.
	(diagnostic_manager::prune_for_sm_diagnostic): Replace checks for
	CONSTANT_CLASS_P with calls to update_for_unsuitable_sm_exprs.
	Pass a tentative_region_model_context to the calls to
	state_change_event::get_lvalue and reject the comparison if errors
	occur.
	(diagnostic_manager::update_for_unsuitable_sm_exprs): New.
	* diagnostic-manager.h
	(diagnostic_manager::update_for_unsuitable_sm_exprs): New decl.
	* region-model.h (class tentative_region_model_context): New class.

2020-03-04 David Malcolm <dmalcolm@redhat.com>

	* engine.cc (worklist::worklist): Remove unused field m_eg.
	(class viz_callgraph_edge): Remove unused field m_call_sedge.
	(class viz_callgraph): Remove unused field m_sg.
	* exploded-graph.h (worklist::m_eg): Remove unused field.

2020-03-02 David Malcolm <dmalcolm@redhat.com>

	* analyzer.opt (fanalyzer-show-duplicate-count): New option.
	* diagnostic-manager.cc
	(diagnostic_manager::emit_saved_diagnostic): Use the above to
	guard the printing of the duplicate count.

2020-03-02 David Malcolm <dmalcolm@redhat.com>

	PR analyzer/93959
	* analyzer.cc (is_std_function_p): New function.
	(is_std_named_call_p): New function.
	* analyzer.h (is_std_named_call_p): New decl.
	* sm-malloc.cc (malloc_state_machine::on_stmt): Check for "std::"
	variants when checking for malloc, calloc and free.

2020-02-26 David Malcolm <dmalcolm@redhat.com>

	PR analyzer/93950
	* diagnostic-manager.cc
	(diagnostic_manager::prune_for_sm_diagnostic): Assert that var is
	either NULL or not a constant. When updating var, bulletproof
	against constant values.

2020-02-26 David Malcolm <dmalcolm@redhat.com>

	PR analyzer/93947
	* region-model.cc (region_model::get_fndecl_for_call): Gracefully
	fail for fn_decls that don't have a cgraph_node.

2020-02-26 David Malcolm <dmalcolm@redhat.com>

	* bar-chart.cc: New file.
	* bar-chart.h: New file.
	* engine.cc: Include "analyzer/bar-chart.h".
	(stats::log): Only log the m_num_nodes kinds that are non-zero.
	(stats::dump): Likewise when dumping.
	(stats::get_total_enodes): New.
	(exploded_graph::get_or_create_node): Increment the per-point-data
	m_excess_enodes when hitting the per-program-point limit on
	enodes.
	(exploded_graph::print_bar_charts): New.
	(exploded_graph::log_stats): Log the number of unprocessed enodes
	in the worklist. Call print_bar_charts.
	(exploded_graph::dump_stats): Print the number of unprocessed
	enodes in the worklist.
	* exploded-graph.h (stats::get_total_enodes): New decl.
	(struct per_program_point_data): Add field m_excess_enodes.
	(exploded_graph::print_bar_charts): New decl.
	* supergraph.cc (superedge::dump): New.
	(superedge::dump): New.
	* supergraph.h (supernode::get_function): New.
	(superedge::dump): New decl.
	(superedge::dump): New decl.

2020-02-24 David Malcolm <dmalcolm@redhat.com>

	* engine.cc (exploded_graph::get_or_create_node): Dump the
	program_state to the pp, rather than to stderr.

2020-02-24 David Malcolm <dmalcolm@redhat.com>

	PR analyzer/93032
	* sm.cc (make_checkers): Require the "taint" checker to be
	explicitly enabled.

2020-02-24 David Malcolm <dmalcolm@redhat.com>

	PR analyzer/93899
	* engine.cc
	(impl_region_model_context::impl_region_model_context): Add logger
	param.
	* engine.cc (exploded_graph::add_function_entry): Create an
	impl_region_model_context and pass it to the push_frame call.
	Bail if the resulting state is invalid.
	(exploded_graph::build_initial_worklist): Likewise.
	(exploded_graph::build_initial_worklist): Handle the case where
	add_function_entry fails.
	* exploded-graph.h
	(impl_region_model_context::impl_region_model_context): Add logger
	param.
	* region-model.cc (map_region::get_or_create): Add ctxt param and
	pass it to add_region_for_type.
	(map_region::can_merge_p): Pass NULL as a ctxt to call to
	get_or_create.
	(array_region::get_element): Pass ctxt to call to get_or_create.
	(array_region::get_or_create): Add ctxt param and pass it to
	add_region_for_type.
	(root_region::push_frame): Pass ctxt to get_or_create calls.
	(region_model::get_lvalue_1): Likewise.
	(region_model::make_region_for_unexpected_tree_code): Assert that
	ctxt is non-NULL.
	(region_model::get_rvalue_1): Pass ctxt to get_svalue_for_fndecl
	and get_svalue_for_label calls.
	(region_model::get_svalue_for_fndecl): Add ctxt param and pass it
	to get_region_for_fndecl.
	(region_model::get_region_for_fndecl): Add ctxt param and pass it
	to get_or_create.
	(region_model::get_svalue_for_label): Add ctxt param and pass it
	to get_region_for_label.
	(region_model::get_region_for_label): Add ctxt param and pass it
	to get_region_for_fndecl and get_or_create.
	(region_model::get_field_region): Add ctxt param and pass it to
	get_or_create_view and get_or_create.
	(make_region_for_type): Replace gcc_unreachable with return NULL.
	(region_model::add_region_for_type): Add ctxt param. Handle a
	return of NULL from make_region_for_type by calling
	make_region_for_unexpected_tree_code.
	(region_model::get_or_create_mem_ref): Pass ctxt to calls to
	get_or_create_view.
	(region_model::get_or_create_view): Add ctxt param and pass it to
	add_region_for_type.
	(selftest::test_state_merging): Pass ctxt to get_or_create_view.
	* region-model.h (region_model::get_or_create): Add ctxt param.
	(region_model::add_region_for_type): Likewise.
	(region_model::get_svalue_for_fndecl): Likewise.
	(region_model::get_svalue_for_label): Likewise.
	(region_model::get_region_for_fndecl): Likewise.
	(region_model::get_region_for_label): Likewise.
	(region_model::get_field_region): Likewise.
	(region_model::get_or_create_view): Likewise.

2020-02-24 David Malcolm <dmalcolm@redhat.com>

	* checker-path.cc (superedge_event::should_filter_p): Update
	filter for empty descriptions to cover verbosity level 3 as well
	as 2.
	* diagnostic-manager.cc: Include "analyzer/reachability.h".
	(class path_builder): New class.
	(diagnostic_manager::emit_saved_diagnostic): Create a path_builder
	and pass it to build_emission_path, rather than passing eg; similarly
	for add_events_for_eedge and ext_state.
	(diagnostic_manager::build_emission_path): Replace "eg" param
	with a path_builder, pass it to add_events_for_eedge.
	(diagnostic_manager::add_events_for_eedge): Replace ext_state
	param with path_builder; pass it to add_events_for_superedge.
	(diagnostic_manager::significant_edge_p): New.
	(diagnostic_manager::add_events_for_superedge): Add path_builder
	param. Reject insignificant edges at verbosity levels below 3.
	(diagnostic_manager::prune_for_sm_diagnostic): Update highest
	verbosity level to 4.
	* diagnostic-manager.h (class path_builder): New forward decl.
	(diagnostic_manager::build_emission_path): Replace "eg" param
	with a path_builder.
	(diagnostic_manager::add_events_for_eedge): Replace ext_state
	param with path_builder.
	(diagnostic_manager::significant_edge_p): New.
	(diagnostic_manager::add_events_for_superedge): Add path_builder
	param.
	* reachability.h: New file.

2020-02-18 David Malcolm <dmalcolm@redhat.com>

	PR analyzer/93692
	* analyzer.opt (fdump-analyzer-callgraph): Rewrite description.

2020-02-18 David Malcolm <dmalcolm@redhat.com>

	PR analyzer/93777
	* region-model.cc (region_model::maybe_cast_1): Replace assertion
	that build_cast returns non-NULL with a conditional, falling
	through to the logic which returns a new unknown value of the
	desired type if it fails.

2020-02-18 David Malcolm <dmalcolm@redhat.com>

	PR analyzer/93778
	* engine.cc (impl_region_model_context::on_unknown_tree_code):
	Rename to...
	(impl_region_model_context::on_unexpected_tree_code): ...this and
	convert first argument from path_var to tree.
	(exploded_node::on_stmt): Pass ctxt to purge_for_unknown_fncall.
	* exploded-graph.h (region_model_context::on_unknown_tree_code):
	Rename to...
	(region_model_context::on_unexpected_tree_code): ...this and
	convert first argument from path_var to tree.
	* program-state.cc (sm_state_map::purge_for_unknown_fncall): Add
	ctxt param and pass on to calls to get_rvalue.
	* program-state.h (sm_state_map::purge_for_unknown_fncall): Add
	ctxt param.
	* region-model.cc (region_model::handle_unrecognized_call): Pass
	ctxt on to call to get_rvalue.
	(region_model::get_lvalue_1): Move body of default case to
	region_model::make_region_for_unexpected_tree_code and call it.
	Within COMPONENT_REF case, reject attempts to handle types other
	than RECORD_TYPE and UNION_TYPE.
	(region_model::make_region_for_unexpected_tree_code): New
	function, based on default case of region_model::get_lvalue_1.
	* region-model.h
	(region_model::make_region_for_unexpected_tree_code): New decl.
	(region_model::on_unknown_tree_code): Rename to...
	(region_model::on_unexpected_tree_code): ...this and convert first
	argument from path_var to tree.
	(class test_region_model_context): Update vfunc implementation for
	above change.

2020-02-18 David Malcolm <dmalcolm@redhat.com>

	PR analyzer/93774
	* region-model.cc
	(region_model::convert_byte_offset_to_array_index): Use
	int_size_in_bytes before calling size_in_bytes, to gracefully fail
	on incomplete types.

2020-02-17 David Malcolm <dmalcolm@redhat.com>

	PR analyzer/93775
	* region-model.cc (region_model::get_fndecl_for_call): Handle the
	case where the code_region's get_tree_for_child_region returns
	NULL.

2020-02-17 David Malcolm <dmalcolm@redhat.com>

	PR analyzer/93388
	* engine.cc (impl_region_model_context::on_unknown_tree_code):
	New.
	(exploded_graph::get_or_create_node): Reject invalid states.
	* exploded-graph.h
	(impl_region_model_context::on_unknown_tree_code): New decl.
	(point_and_state::point_and_state): Assert that the state is
	valid.
	* program-state.cc (program_state::program_state): Initialize
	m_valid to true.
	(program_state::operator=): Copy m_valid.
	(program_state::program_state): Likewise for move constructor.
	(program_state::print): Print m_valid.
	(program_state::dump_to_pp): Likewise.
	* program-state.h (program_state::m_valid): New field.
	* region-model.cc (region_model::get_lvalue_1): Implement the
	default case by returning a new symbolic region and calling
	the context's on_unknown_tree_code, rather than issuing an
	internal_error. Implement VIEW_CONVERT_EXPR.
	* region-model.h (region_model_context::on_unknown_tree_code): New
	vfunc.
	(test_region_model_context::on_unknown_tree_code): New.

0993ad65
DM
69752020-02-17 David Malcolm <dmalcolm@redhat.com>
6976
6977 * sm-malloc.cc (malloc_diagnostic::describe_state_change): For
6978 transition to the "null" state, only say "assuming" when
6979 transitioning from the "unchecked" state.
6980
67098787
DM
69812020-02-17 David Malcolm <dmalcolm@redhat.com>
6982
6983 * diagnostic-manager.h (diagnostic_manager::get_saved_diagnostic):
6984 Add const overload.
6985 * engine.cc (exploded_node::dump_dot): Dump saved_diagnostics.
6986 * exploded-graph.h (exploded_graph::get_diagnostic_manager): Add
6987 const overload.
6988
91f993b7
DM
69892020-02-11 David Malcolm <dmalcolm@redhat.com>
6990
6991 PR analyzer/93288
6992 * analysis-plan.cc (analysis_plan::use_summary_p): Look through
6993 the ultimate_alias_target when getting the called function.
6994 * engine.cc (exploded_node::on_stmt): Rename second "ctxt" to
6995 "sm_ctxt". Use the region_model's get_fndecl_for_call rather than
6996 gimple_call_fndecl.
6997 * region-model.cc (region_model::get_fndecl_for_call): Use
6998 ultimate_alias_target on fndecl.
6999 * supergraph.cc (get_ultimate_function_for_cgraph_edge): New
7000 function.
7001 (supergraph_call_edge): Use it when rejecting edges without
7002 functions.
7003 (supergraph::supergraph): Use it to get the function for the
7004 cgraph_edge when building interprocedural superedges.
7005 (callgraph_superedge::get_callee_function): Use it.
7006 * supergraph.h (supergraph::get_num_snodes): Make param const.
7007 (supergraph::function_to_num_snodes_t): Make first type param
7008 const.
7009
a60d9889
DM
70102020-02-11 David Malcolm <dmalcolm@redhat.com>
7011
7012 PR analyzer/93374
7013 * engine.cc (exploded_edge::exploded_edge): Add ext_state param
7014 and pass it to change.validate.
7015 (exploded_graph::get_or_create_node): Move purging of change
7016 svalues to also cover the case of reusing an existing enode.
7017 (exploded_graph::add_edge): Pass m_ext_state to exploded_edge's
7018 ctor.
7019 * exploded-graph.h (exploded_edge::exploded_edge): Add ext_state
7020 param.
7021 * program-state.cc (state_change::sm_change::validate): Likewise.
7022 Assert that m_sm_idx is sane. Use ext_state to validate
7023 m_old_state and m_new_state.
7024 (state_change::validate): Add ext_state param and pass it to
7025 the sm_change validate calls.
7026 * program-state.h (state_change::sm_change::validate): Add
7027 ext_state param.
7028 (state_change::validate): Likewise.
7029
a0e4929b
DM
70302020-02-11 David Malcolm <dmalcolm@redhat.com>
7031
7032 PR analyzer/93669
7033 * engine.cc (exploded_graph::dump_exploded_nodes): Handle missing
7034 case of STATUS_WORKLIST in implementation of
7035 "__analyzer_dump_exploded_nodes".
7036
cd28b759
DM
70372020-02-11 David Malcolm <dmalcolm@redhat.com>
7038
7039 PR analyzer/93649
7040 * constraint-manager.cc (constraint_manager::add_constraint): When
7041 merging equivalence classes and updating m_constant, also update
7042 m_cst_sid.
7043 (constraint_manager::validate): If m_constant is non-NULL assert
7044 that m_cst_sid is non-null and is valid.
7045
2020-02-11 David Malcolm <dmalcolm@redhat.com>

	PR analyzer/93657
	* analyzer.opt (fdump-analyzer): Reword description.
	(fdump-analyzer-stderr): Likewise.

2020-02-11 David Malcolm <dmalcolm@redhat.com>

	* region-model.cc (print_quoted_type): New function.
	(svalue::print): Use it to replace %qT.
	(region::dump_to_pp): Likewise.
	(region::dump_child_label): Likewise.
	(region::print_fields): Likewise.

2020-02-10 David Malcolm <dmalcolm@redhat.com>

	PR analyzer/93659
	* analyzer.opt (-param=analyzer-max-recursion-depth=): Fix "tha"
	-> "that" typo.
	(Wanalyzer-use-of-uninitialized-value): Fix "initialized" ->
	"uninitialized" typo.

2020-02-10 David Malcolm <dmalcolm@redhat.com>

	PR analyzer/93350
	* region-model.cc (region_model::get_lvalue_1):
	Handle BIT_FIELD_REF.
	(make_region_for_type): Handle VECTOR_TYPE.

2020-02-10 David Malcolm <dmalcolm@redhat.com>

	PR analyzer/93647
	* diagnostic-manager.cc
	(diagnostic_manager::prune_for_sm_diagnostic): Bulletproof against
	VAR being constant.
	* region-model.cc (region_model::get_lvalue_1): Provide a better
	error message when encountering an unhandled tree code.

2020-02-10 David Malcolm <dmalcolm@redhat.com>

	PR analyzer/93405
	* region-model.cc (region_model::get_lvalue_1): Implement
	CONST_DECL.

2020-02-06 David Malcolm <dmalcolm@redhat.com>

	* region-model.cc (region_model::maybe_cast_1): Attempt to provide
	a region_svalue if either type is a pointer, rather than if both
	types are pointers.

2020-02-05 David Malcolm <dmalcolm@redhat.com>

	* engine.cc (exploded_node::dump_dot): Show merger enodes.
	(worklist::add_node): Assert that the node's m_status is
	STATUS_WORKLIST.
	(exploded_graph::process_worklist): Likewise for nodes from the
	worklist. Set status of merged nodes to STATUS_MERGER.
	(exploded_graph::process_node): Set status of node to
	STATUS_PROCESSED.
	(exploded_graph::dump_exploded_nodes): Rework handling of
	"__analyzer_dump_exploded_nodes", splitting enodes by status into
	"processed" and "merger", showing the count of just the processed
	enodes at the call, rather than the count of all enodes.
	* exploded-graph.h (exploded_node::status): New enum.
	(exploded_node::exploded_node): Initialize m_status to
	STATUS_WORKLIST.
	(exploded_node::get_status): New getter.
	(exploded_node::set_status): New setter.

2020-02-04 David Malcolm <dmalcolm@redhat.com>

	PR analyzer/93543
	* engine.cc (pod_hash_traits<function_call_string>::mark_empty):
	Eliminate reinterpret_cast.
	(pod_hash_traits<function_call_string>::is_empty): Likewise.

2020-02-03 David Malcolm <dmalcolm@redhat.com>

	* constraint-manager.cc (range::constrained_to_single_element):
	Replace fold_build2 with fold_binary. Remove unnecessary newline.
	(constraint_manager::get_or_add_equiv_class): Replace fold_build2
	with fold_binary in two places, and remove out-of-date comment.
	(constraint_manager::eval_condition): Replace fold_build2 with
	fold_binary.
	* region-model.cc (constant_svalue::eval_condition): Likewise.
	(region_model::on_assignment): Likewise.

2020-02-03 David Malcolm <dmalcolm@redhat.com>

	PR analyzer/93544
	* diagnostic-manager.cc
	(diagnostic_manager::prune_for_sm_diagnostic): Bulletproof
	against bad choices due to bad paths.
	* engine.cc (impl_region_model_context::on_phi): New.
	* exploded-graph.h (impl_region_model_context::on_phi): New decl.
	* region-model.cc (region_model::on_longjmp): Likewise.
	(region_model::handle_phi): Add phi param. Call the ctxt's on_phi
	vfunc.
	(region_model::update_for_phis): Pass phi to handle_phi.
	* region-model.h (region_model::handle_phi): Add phi param.
	(region_model_context::on_phi): New vfunc.
	(test_region_model_context::on_phi): New.
	* sm-malloc.cc (malloc_state_machine::on_phi): New.
	(malloc_state_machine::on_zero_assignment): New.
	* sm.h (state_machine::on_phi): New vfunc.

2020-02-03 David Malcolm <dmalcolm@redhat.com>

	* engine.cc (supernode_cluster::dump_dot): Show BB index as
	well as SN index.
	* supergraph.cc (supernode::dump_dot): Likewise.

2020-02-03 David Malcolm <dmalcolm@redhat.com>

	PR analyzer/93546
	* region-model.cc (region_model::on_call_pre): Update for new
	param of symbolic_region ctor.
	(region_model::deref_rvalue): Likewise.
	(region_model::add_new_malloc_region): Likewise.
	(make_region_for_type): Likewise, preserving type.
	* region-model.h (symbolic_region::symbolic_region): Add "type"
	param and pass it to base class ctor.

2020-02-03 David Malcolm <dmalcolm@redhat.com>

	PR analyzer/93547
	* constraint-manager.cc
	(constraint_manager::get_or_add_equiv_class): Ensure types are
	compatible before comparing constants.

2020-01-31 David Malcolm <dmalcolm@redhat.com>

	PR analyzer/93457
	* region-model.cc (make_region_for_type): Use VOID_TYPE_P rather
	than checking against void_type_node.

2020-01-31 David Malcolm <dmalcolm@redhat.com>

	PR analyzer/93373
	* region-model.cc (ASSERT_COMPAT_TYPES): Convert to...
	(assert_compat_types): ...this, and bail when either type is NULL,
	or when VOID_TYPE_P (dst_type).
	(region_model::get_lvalue): Update for above conversion.
	(region_model::get_rvalue): Likewise.

2020-01-31 David Malcolm <dmalcolm@redhat.com>

	PR analyzer/93379
	* region-model.cc (region_model::update_for_return_superedge):
	Move check for null result so that it also guards setting the
	lhs.

2020-01-31 David Malcolm <dmalcolm@redhat.com>

	PR analyzer/93438
	* region-model.cc (stack_region::can_merge_p): Split into a two-pass
	approach, creating all stack regions first, then populating
	them.
	(selftest::test_state_merging): Add test coverage for (a) the case
	of self-merging a model in which a local in an older stack frame
	points to a local in a more recent stack frame (which previously
	would ICE), and (b) the case of self-merging a model in which a
	local points to a global (which previously worked OK).

2020-01-31 David Malcolm <dmalcolm@redhat.com>

	* analyzer.cc (is_named_call_p): Replace tests for fndecl being
	extern at file scope and having a non-NULL DECL_NAME with a call
	to maybe_special_function_p.
	* function-set.cc (function_set::contains_decl_p): Add call to
	maybe_special_function_p.

2020-01-31 David Malcolm <dmalcolm@redhat.com>

	PR analyzer/93450
	* constraint-manager.cc
	(constraint_manager::get_or_add_equiv_class): Only compare constants
	if their types are compatible.
	* region-model.cc (constant_svalue::eval_condition): Replace check
	for identical types with call to types_compatible_p.

2020-01-30 David Malcolm <dmalcolm@redhat.com>

	* program-state.cc (extrinsic_state::dump_to_pp): New.
	(extrinsic_state::dump_to_file): New.
	(extrinsic_state::dump): New.
	* program-state.h (extrinsic_state::dump_to_pp): New decl.
	(extrinsic_state::dump_to_file): New decl.
	(extrinsic_state::dump): New decl.
	* sm.cc: Include "pretty-print.h".
	(state_machine::dump_to_pp): New.
	* sm.h (state_machine::dump_to_pp): New decl.

2020-01-30 David Malcolm <dmalcolm@redhat.com>

	* diagnostic-manager.cc (for_each_state_change): Use
	extrinsic_state::get_num_checkers rather than accessing m_checkers
	directly.
	* program-state.cc (program_state::program_state): Likewise.
	* program-state.h (extrinsic_state::m_checkers): Make private.

2020-01-30 David Malcolm <dmalcolm@redhat.com>

	PR analyzer/93356
	* region-model.cc (region_model::eval_condition): In both
	overloads, bail out immediately on floating-point types.
	(region_model::eval_condition_without_cm): Likewise.
	(region_model::add_constraint): Likewise.

2020-01-30 David Malcolm <dmalcolm@redhat.com>

	PR analyzer/93450
	* program-state.cc (sm_state_map::set_state): For the overload
	taking an svalue_id, bail out if the set_state on the ec does
	nothing. Convert the latter's return type from void to bool,
	returning true if anything changed.
	(sm_state_map::impl_set_state): Convert the return type from void
	to bool, returning true if the state changed.
	* program-state.h (sm_state_map::set_state): Convert return type
	from void to bool.
	(sm_state_map::impl_set_state): Likewise.
	* region-model.cc (constant_svalue::eval_condition): Only call
	fold_build2 if the types are the same.

2020-01-29 Jakub Jelinek <jakub@redhat.com>

	* analyzer.h (PUSH_IGNORE_WFORMAT, POP_IGNORE_WFORMAT): Remove.
	* constraint-manager.cc: Include diagnostic-core.h before graphviz.h.
	(range::dump, equiv_class::print): Don't use PUSH_IGNORE_WFORMAT or
	POP_IGNORE_WFORMAT.
	* state-purge.cc: Include diagnostic-core.h before
	gimple-pretty-print.h.
	(state_purge_annotator::add_node_annotations, print_vec_of_names):
	Don't use PUSH_IGNORE_WFORMAT or POP_IGNORE_WFORMAT.
	* region-model.cc: Move diagnostic-core.h include before graphviz.h.
	(path_var::dump, svalue::print, constant_svalue::print_details,
	region::dump_to_pp, region::dump_child_label, region::print_fields,
	map_region::print_fields, map_region::dump_dot_to_pp,
	map_region::dump_child_label, array_region::print_fields,
	array_region::dump_dot_to_pp): Don't use PUSH_IGNORE_WFORMAT or
	POP_IGNORE_WFORMAT.

2020-01-28 David Malcolm <dmalcolm@redhat.com>

	PR analyzer/93316
	* engine.cc (rewind_info_t::update_model): Get the longjmp call
	stmt via get_longjmp_call () rather than assuming it is the last
	stmt in the longjmp's supernode.
	(rewind_info_t::add_events_to_path): Get the location_t for the
	rewind_from_longjmp_event via get_longjmp_call () rather than from
	the supernode's get_end_location ().

2020-01-28 David Malcolm <dmalcolm@redhat.com>

	* region-model.cc (poisoned_value_diagnostic::emit): Update for
	renaming of warning_at overload to warning_meta.
	* sm-file.cc (file_leak::emit): Likewise.
	* sm-malloc.cc (double_free::emit): Likewise.
	(possible_null_deref::emit): Likewise.
	(possible_null_arg::emit): Likewise.
	(null_deref::emit): Likewise.
	(null_arg::emit): Likewise.
	(use_after_free::emit): Likewise.
	(malloc_leak::emit): Likewise.
	(free_of_non_heap::emit): Likewise.
	* sm-sensitive.cc (exposure_through_output_file::emit): Likewise.
	* sm-signal.cc (signal_unsafe_call::emit): Likewise.
	* sm-taint.cc (tainted_array_index::emit): Likewise.

2020-01-27 David Malcolm <dmalcolm@redhat.com>

	PR analyzer/93451
	* region-model.cc (tree_cmp): For the REAL_CST case, impose an
	arbitrary order on NaNs relative to other NaNs and to non-NaNs;
	const-correctness tweak.
	(ana::selftests::build_real_cst_from_string): New function.
	(ana::selftests::append_interesting_constants): New function.
	(ana::selftests::test_tree_cmp_on_constants): New test.
	(ana::selftests::test_canonicalization_4): New test.
	(ana::selftests::analyzer_region_model_cc_tests): Call the new
	tests.

2020-01-27 David Malcolm <dmalcolm@redhat.com>

	PR analyzer/93349
	* engine.cc (run_checkers): Save and restore input_location.

2020-01-27 David Malcolm <dmalcolm@redhat.com>

	* call-string.cc (call_string::cmp_1): Delete, moving body to...
	(call_string::cmp): ...here.
	* call-string.h (call_string::cmp_1): Delete decl.
	* engine.cc (worklist::key_t::cmp_1): Delete, moving body to...
	(worklist::key_t::cmp): ...here. Implement hash comparisons
	via comparison rather than subtraction to avoid overflow issues.
	* exploded-graph.h (worklist::key_t::cmp_1): Delete decl.
	* region-model.cc (tree_cmp): Eliminate buggy checking for
	symmetry.

2020-01-27 David Malcolm <dmalcolm@redhat.com>

	* analyzer.cc (is_named_call_p): Check that fndecl is "extern"
	and at file scope. Potentially disregard prefix _ or __ in
	fndecl's name. Bail if the identifier is NULL.
	(is_setjmp_call_p): Expect a gcall rather than plain gimple.
	Remove special-case check for leading prefix, and also check for
	sigsetjmp.
	(is_longjmp_call_p): Also check for siglongjmp.
	(get_user_facing_name): New function.
	* analyzer.h (is_setjmp_call_p): Expect a gcall rather than plain
	gimple.
	(get_user_facing_name): New decl.
	* checker-path.cc (setjmp_event::get_desc): Use
	get_user_facing_name to avoid hardcoding the function name.
	(rewind_event::rewind_event): Add rewind_info param, using it to
	initialize new m_rewind_info field, and strengthen the assertion.
	(rewind_from_longjmp_event::get_desc): Use get_user_facing_name to
	avoid hardcoding the function name.
	(rewind_to_setjmp_event::get_desc): Likewise.
	* checker-path.h (setjmp_event::setjmp_event): Add setjmp_call
	param and use it to initialize...
	(setjmp_event::m_setjmp_call): New field.
	(rewind_event::rewind_event): Add rewind_info param.
	(rewind_event::m_rewind_info): New protected field.
	(rewind_from_longjmp_event::rewind_from_longjmp_event): Add
	rewind_info param.
	(class rewind_to_setjmp_event): Move rewind_info field to parent
	class.
	* diagnostic-manager.cc (diagnostic_manager::add_events_for_eedge):
	Update setjmp-handling for is_setjmp_call_p requiring a gcall;
	pass the call to the new setjmp_event.
	* engine.cc (exploded_node::on_stmt): Update for is_setjmp_call_p
	requiring a gcall.
	(stale_jmp_buf::emit): Use get_user_facing_name to avoid
	hardcoding the function names.
	(exploded_node::on_longjmp): Pass the longjmp_call when
	constructing rewind_info.
	(rewind_info_t::add_events_to_path): Pass the rewind_info_t to the
	rewind_from_longjmp_event's ctor.
	* exploded-graph.h (rewind_info_t::rewind_info_t): Add
	longjmp_call param.
	(rewind_info_t::get_longjmp_call): New.
	(rewind_info_t::m_longjmp_call): New.
	* region-model.cc (region_model::on_setjmp): Update comment to
	indicate this is also for sigsetjmp.
	* region-model.h (struct setjmp_record): Likewise.
	(class setjmp_svalue): Likewise.

2020-01-27 David Malcolm <dmalcolm@redhat.com>

	PR analyzer/93276
	* analyzer.h (PUSH_IGNORE_WFORMAT, POP_IGNORE_WFORMAT): Guard these
	macros with GCC_VERSION >= 4006, making them no-op otherwise.
	* engine.cc (exploded_edge::exploded_edge): Specify template for
	base class initializer.
	(exploded_graph::add_edge): Specify template when chaining up to
	base class add_edge implementation.
	(viz_callgraph_node::dump_dot): Drop redundant "typename".
	(viz_callgraph_edge::viz_callgraph_edge): Specify template for
	base class initializer.
	* program-state.cc (sm_state_map::clone_with_remapping): Drop
	redundant "typename".
	(sm_state_map::print): Likewise.
	(sm_state_map::hash): Likewise.
	(sm_state_map::operator==): Likewise.
	(sm_state_map::remap_svalue_ids): Likewise.
	(sm_state_map::on_svalue_purge): Likewise.
	(sm_state_map::validate): Likewise.
	* program-state.h (sm_state_map::iterator_t): Likewise.
	* supergraph.h (superedge::superedge): Specify template for base
	class initializer.

2020-01-23 David Malcolm <dmalcolm@redhat.com>

	PR analyzer/93375
	* supergraph.cc (callgraph_superedge::get_arg_for_parm): Fail
	gracefully if the number of parameters at the callee exceeds the
	number of arguments at the call stmt.
	(callgraph_superedge::get_parm_for_arg): Likewise.

2020-01-22 David Malcolm <dmalcolm@redhat.com>

	PR analyzer/93382
	* program-state.cc (sm_state_map::on_svalue_purge): If the
	entry survives, but the origin is being purged, then reset the
	origin to null.

2020-01-22 David Malcolm <dmalcolm@redhat.com>

	* sm-signal.cc: Fix nesting of CHECKING_P and namespace ana.

2020-01-22 David Malcolm <dmalcolm@redhat.com>

	PR analyzer/93378
	* engine.cc (setjmp_svalue::compare_fields): Update for
	replacement of m_enode with m_setjmp_record.
	(setjmp_svalue::add_to_hash): Likewise.
	(setjmp_svalue::get_index): Rename...
	(setjmp_svalue::get_enode_index): ...to this.
	(setjmp_svalue::print_details): Update for replacement of m_enode
	with m_setjmp_record.
	(exploded_node::on_longjmp): Likewise.
	* exploded-graph.h (rewind_info_t::m_enode_origin): Replace...
	(rewind_info_t::m_setjmp_record): ...with this.
	(rewind_info_t::rewind_info_t): Update for replacement of m_enode
	with m_setjmp_record.
	(rewind_info_t::get_setjmp_point): Likewise.
	(rewind_info_t::get_setjmp_call): Likewise.
	* region-model.cc (region_model::dump_summary_of_map): Likewise.
	(region_model::on_setjmp): Likewise.
	* region-model.h (struct setjmp_record): New struct.
	(setjmp_svalue::m_enode): Replace...
	(setjmp_svalue::m_setjmp_record): ...with this.
	(setjmp_svalue::setjmp_svalue): Update for replacement of m_enode
	with m_setjmp_record.
	(setjmp_svalue::clone): Likewise.
	(setjmp_svalue::get_index): Rename...
	(setjmp_svalue::get_enode_index): ...to this.
	(setjmp_svalue::get_exploded_node): Replace...
	(setjmp_svalue::get_setjmp_record): ...with this.

2020-01-22 David Malcolm <dmalcolm@redhat.com>

	PR analyzer/93316
	* analyzer.cc (is_setjmp_call_p): Check for "setjmp" as well as
	"_setjmp".

2020-01-22 David Malcolm <dmalcolm@redhat.com>

	PR analyzer/93307
	* analysis-plan.h: Wrap everything in namespace "ana".
	* analyzer-logging.cc: Likewise.
	* analyzer-logging.h: Likewise.
	* analyzer-pass.cc (pass_analyzer::execute): Update for "ana"
	namespace.
	* analyzer-selftests.cc: Wrap everything in namespace "ana".
	* analyzer-selftests.h: Likewise.
	* analyzer.h: Likewise for forward decls of types.
	* call-string.h: Likewise.
	* checker-path.cc: Likewise.
	* checker-path.h: Likewise.
	* constraint-manager.cc: Likewise.
	* constraint-manager.h: Likewise.
	* diagnostic-manager.cc: Likewise.
	* diagnostic-manager.h: Likewise.
	* engine.cc: Likewise.
	* engine.h: Likewise.
	* exploded-graph.h: Likewise.
	* function-set.cc: Likewise.
	* function-set.h: Likewise.
	* pending-diagnostic.cc: Likewise.
	* pending-diagnostic.h: Likewise.
	* program-point.cc: Likewise.
	* program-point.h: Likewise.
	* program-state.cc: Likewise.
	* program-state.h: Likewise.
	* region-model.cc: Likewise.
	* region-model.h: Likewise.
	* sm-file.cc: Likewise.
	* sm-malloc.cc: Likewise.
	* sm-pattern-test.cc: Likewise.
	* sm-sensitive.cc: Likewise.
	* sm-signal.cc: Likewise.
	* sm-taint.cc: Likewise.
	* sm.cc: Likewise.
	* sm.h: Likewise.
	* state-purge.h: Likewise.
	* supergraph.cc: Likewise.
	* supergraph.h: Likewise.

2020-01-21 David Malcolm <dmalcolm@redhat.com>

	PR analyzer/93352
	* region-model.cc (int_cmp): Rename to...
	(array_region::key_cmp): ...this, using key_t rather than int.
	Rewrite in terms of comparisons rather than subtraction to
	ensure qsort is anti-symmetric when handling extreme values.
	(array_region::walk_for_canonicalization): Update for above
	renaming.
	* region-model.h (array_region::key_cmp): New decl.

2020-01-17 David Malcolm <dmalcolm@redhat.com>

	PR analyzer/93290
	* region-model.cc (region_model::eval_condition_without_cm): Avoid
	gcc_unreachable for unexpected operations for the case where
	we're comparing an svalue against itself.

2020-01-17 David Malcolm <dmalcolm@redhat.com>

	PR analyzer/93281
	* region-model.cc
	(region_model::convert_byte_offset_to_array_index): Convert to
	ssizetype before dividing by byte_size. Use fold_binary rather
	than fold_build2 to avoid needlessly constructing a tree for the
	non-const case.

2020-01-15 David Malcolm <dmalcolm@redhat.com>

	* engine.cc (class impl_region_model_context): Fix comment.

2020-01-14 David Malcolm <dmalcolm@redhat.com>

	PR analyzer/93212
	* region-model.cc (make_region_for_type): Use
	FUNC_OR_METHOD_TYPE_P rather than comparing against FUNCTION_TYPE.
	* region-model.h (function_region::function_region): Likewise.

2020-01-14 David Malcolm <dmalcolm@redhat.com>

	* program-state.cc (sm_state_map::clone_with_remapping): Copy
	m_global_state.
	(selftest::test_program_state_merging_2): New selftest.
	(selftest::analyzer_program_state_cc_tests): Call it.

2020-01-14 David Malcolm <dmalcolm@redhat.com>

	* checker-path.h (checker_path::get_checker_event): New function.
	(checker_path): Add DISABLE_COPY_AND_ASSIGN; make fields private.
	* diagnostic-manager.cc
	(diagnostic_manager::prune_for_sm_diagnostic): Replace direct
	access to checker_path::m_events with accessor functions. Fix
	overlong line.
	(diagnostic_manager::prune_interproc_events): Replace direct
	access to checker_path::m_events with accessor functions.
	(diagnostic_manager::finish_pruning): Likewise.

2020-01-14 David Malcolm <dmalcolm@redhat.com>

	* checker-path.h (checker_event::clone): Delete vfunc decl.
	(debug_event::clone): Delete vfunc impl.
	(custom_event::clone): Delete vfunc impl.
	(statement_event::clone): Delete vfunc impl.
	(function_entry_event::clone): Delete vfunc impl.
	(state_change_event::clone): Delete vfunc impl.
	(start_cfg_edge_event::clone): Delete vfunc impl.
	(end_cfg_edge_event::clone): Delete vfunc impl.
	(call_event::clone): Delete vfunc impl.
	(return_event::clone): Delete vfunc impl.
	(setjmp_event::clone): Delete vfunc impl.
	(rewind_from_longjmp_event::clone): Delete vfunc impl.
	(rewind_to_setjmp_event::clone): Delete vfunc impl.
	(warning_event::clone): Delete vfunc impl.

2020-01-14 David Malcolm <dmalcolm@redhat.com>

	* supergraph.cc (supernode::dump_dot): Ensure that the TABLE
	element has at least one TR.

2020-01-14 David Malcolm <dmalcolm@redhat.com>

	PR analyzer/58237
	* engine.cc (leak_stmt_finder::find_stmt): Use get_pure_location
	when comparing against UNKNOWN_LOCATION.
	(stmt_requires_new_enode_p): Likewise.
	(exploded_graph::dump_exploded_nodes): Likewise.
	* supergraph.cc (supernode::get_start_location): Likewise.
	(supernode::get_end_location): Likewise.

2020-01-14 David Malcolm <dmalcolm@redhat.com>

	PR analyzer/58237
	* analyzer-selftests.cc (selftest::run_analyzer_selftests): Call
	selftest::analyzer_sm_file_cc_tests.
	* analyzer-selftests.h (selftest::analyzer_sm_file_cc_tests): New
	decl.
	* sm-file.cc: Include "analyzer/function-set.h" and
	"analyzer/analyzer-selftests.h".
	(get_file_using_fns): New function.
	(is_file_using_fn_p): New function.
	(fileptr_state_machine::on_stmt): Return true for known functions.
	(selftest::analyzer_sm_file_cc_tests): New function.

2020-01-14 David Malcolm <dmalcolm@redhat.com>

	* analyzer-selftests.cc (selftest::run_analyzer_selftests): Call
	selftest::analyzer_sm_signal_cc_tests.
	* analyzer-selftests.h (selftest::analyzer_sm_signal_cc_tests):
	New decl.
	* sm-signal.cc: Include "analyzer/function-set.h" and
	"analyzer/analyzer-selftests.h".
	(get_async_signal_unsafe_fns): New function.
	(signal_unsafe_p): Reimplement in terms of the above.
	(selftest::analyzer_sm_signal_cc_tests): New function.

2020-01-14 David Malcolm <dmalcolm@redhat.com>

	* analyzer-selftests.cc (selftest::run_analyzer_selftests): Call
	selftest::analyzer_function_set_cc_tests.
	* analyzer-selftests.h (selftest::analyzer_function_set_cc_tests):
	New decl.
	* function-set.cc: New file.
	* function-set.h: New file.

2020-01-14 David Malcolm <dmalcolm@redhat.com>

	* analyzer.h (fndecl_has_gimple_body_p): New decl.
	* engine.cc (impl_region_model_context::on_unknown_change): New
	function.
	(fndecl_has_gimple_body_p): Make non-static.
	(exploded_node::on_stmt): Treat __analyzer_dump_exploded_nodes as
	known. Track whether we have a call with unknown side-effects and
	pass it to on_call_post.
	* exploded-graph.h (impl_region_model_context::on_unknown_change):
	New decl.
	* program-state.cc (sm_state_map::on_unknown_change): New function.
	* program-state.h (sm_state_map::on_unknown_change): New decl.
	* region-model.cc: Include "bitmap.h".
	(region_model::on_call_pre): Return a bool, capturing whether the
	call has unknown side effects.
	(region_model::on_call_post): Add arg "bool unknown_side_effects"
	and if true, call handle_unrecognized_call.
	(class reachable_regions): New class.
	(region_model::handle_unrecognized_call): New function.
	* region-model.h (region_model::on_call_pre): Return a bool.
	(region_model::on_call_post): Add arg "bool unknown_side_effects".
	(region_model::handle_unrecognized_call): New decl.
	(region_model_context::on_unknown_change): New vfunc.
	(test_region_model_context::on_unknown_change): New function.

2020-01-14 David Malcolm <dmalcolm@redhat.com>

	* diagnostic-manager.cc (saved_diagnostic::operator==): Move here
	from header. Replace pointer equality test on m_var with call to
	pending_diagnostic::same_tree_p.
	* diagnostic-manager.h (saved_diagnostic::operator==): Move to
	diagnostic-manager.cc.
	* pending-diagnostic.cc (pending_diagnostic::same_tree_p): New.
	* pending-diagnostic.h (pending_diagnostic::same_tree_p): New.
	* sm-file.cc (file_diagnostic::subclass_equal_p): Replace pointer
	equality on m_arg with call to pending_diagnostic::same_tree_p.
	* sm-malloc.cc (malloc_diagnostic::subclass_equal_p): Likewise.
	(possible_null_arg::subclass_equal_p): Likewise.
	(null_arg::subclass_equal_p): Likewise.
	(free_of_non_heap::subclass_equal_p): Likewise.
	* sm-pattern-test.cc (pattern_match::operator==): Likewise.
	* sm-sensitive.cc (exposure_through_output_file::operator==):
	Likewise.
	* sm-taint.cc (tainted_array_index::operator==): Likewise.

2020-01-14 David Malcolm <dmalcolm@redhat.com>

	* diagnostic-manager.cc (dedupe_winners::add): Add logging
	of deduplication decisions made.

2020-01-14 David Malcolm <dmalcolm@redhat.com>

	* ChangeLog: New file.
	* analyzer-selftests.cc: New file.
	* analyzer-selftests.h: New file.
	* analyzer.opt: New file.
	* analysis-plan.cc: New file.
	* analysis-plan.h: New file.
	* analyzer-logging.cc: New file.
	* analyzer-logging.h: New file.
	* analyzer-pass.cc: New file.
	* analyzer.cc: New file.
	* analyzer.h: New file.
	* call-string.cc: New file.
	* call-string.h: New file.
	* checker-path.cc: New file.
	* checker-path.h: New file.
	* constraint-manager.cc: New file.
	* constraint-manager.h: New file.
	* diagnostic-manager.cc: New file.
	* diagnostic-manager.h: New file.
	* engine.cc: New file.
	* engine.h: New file.
	* exploded-graph.h: New file.
	* pending-diagnostic.cc: New file.
	* pending-diagnostic.h: New file.
	* program-point.cc: New file.
	* program-point.h: New file.
	* program-state.cc: New file.
	* program-state.h: New file.
	* region-model.cc: New file.
	* region-model.h: New file.
	* sm-file.cc: New file.
	* sm-malloc.cc: New file.
	* sm-malloc.dot: New file.
	* sm-pattern-test.cc: New file.
	* sm-sensitive.cc: New file.
	* sm-signal.cc: New file.
	* sm-taint.cc: New file.
	* sm.cc: New file.
	* sm.h: New file.
	* state-purge.cc: New file.
	* state-purge.h: New file.
	* supergraph.cc: New file.
	* supergraph.h: New file.

2019-12-13 David Malcolm <dmalcolm@redhat.com>

	* Initial creation

\f
Copyright (C) 2019-2022 Free Software Foundation, Inc.

Copying and distribution of this file, with or without modification,
are permitted in any medium without royalty provided the copyright
notice and this notice are preserved.