/* Pass to detect and issue warnings for invalid accesses, including
   invalid or mismatched allocation/deallocation calls.

   Copyright (C) 2020-2023 Free Software Foundation, Inc.
   Contributed by Martin Sebor <msebor@redhat.com>.

   This file is part of GCC.

   GCC is free software; you can redistribute it and/or modify it under
   the terms of the GNU General Public License as published by the Free
   Software Foundation; either version 3, or (at your option) any later
   version.

   GCC is distributed in the hope that it will be useful, but WITHOUT ANY
   WARRANTY; without even the implied warranty of MERCHANTABILITY or
   FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
   for more details.

   You should have received a copy of the GNU General Public License
   along with GCC; see the file COPYING3.  If not see
   <http://www.gnu.org/licenses/>.  */
22
b48d4e68 23#define INCLUDE_STRING
24#include "config.h"
25#include "system.h"
26#include "coretypes.h"
27#include "backend.h"
28#include "tree.h"
29#include "gimple.h"
30#include "tree-pass.h"
31#include "builtins.h"
5a431b60 32#include "diagnostic.h"
33#include "ssa.h"
34#include "gimple-pretty-print.h"
35#include "gimple-ssa-warn-access.h"
36#include "gimple-ssa-warn-restrict.h"
37#include "diagnostic-core.h"
38#include "fold-const.h"
2a837de2 39#include "gimple-iterator.h"
ba206889 40#include "gimple-fold.h"
b48d4e68 41#include "langhooks.h"
42#include "memmodel.h"
43#include "target.h"
44#include "tree-dfa.h"
45#include "tree-ssa.h"
46#include "tree-cfg.h"
47#include "tree-object-size.h"
81d6cdd3 48#include "tree-ssa-strlen.h"
2a837de2 49#include "calls.h"
51149a05 50#include "cfganal.h"
51#include "intl.h"
52#include "gimple-range.h"
53#include "stringpool.h"
54#include "attribs.h"
55#include "demangle.h"
671a2836 56#include "attr-fnspec.h"
57#include "pointer-query.h"
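/* Return true if tree node X has an associated source location.
   Only declarations and expressions can carry one; for any other
   kind of node the answer is false.  The function answers a yes/no
   question, so it returns bool rather than a location_t that would
   silently be converted from the comparison result.  */

static inline bool
has_location (const_tree x)
{
  if (DECL_P (x))
    return DECL_SOURCE_LOCATION (x) != UNKNOWN_LOCATION;

  if (EXPR_P (x))
    return EXPR_HAS_LOCATION (x);

  return false;
}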
/* Return the location recorded on the GIMPLE statement STMT
   (a thin wrapper so that the same name works for both GIMPLE
   statements and trees in the templates below).  */

static inline location_t
get_location (const gimple *stmt)
{
  const location_t stmt_loc = gimple_location (stmt);
  return stmt_loc;
}
/* Return the location associated with tree node X: the source
   location of a declaration, the location of an expression, and
   UNKNOWN_LOCATION for anything else.  */

static inline location_t
get_location (tree x)
{
  if (DECL_P (x))
    return DECL_SOURCE_LOCATION (x);

  /* Only expressions carry a location besides declarations.  */
  return EXPR_P (x) ? EXPR_LOCATION (x) : UNKNOWN_LOCATION;
}
/* Overload of the tree get_callee_fndecl for a GIMPLE call STMT:
   return the FUNCTION_DECL being called, or null when the callee
   is not a known declaration.  */

static inline tree
get_callee_fndecl (const gimple *stmt)
{
  tree callee = gimple_call_fndecl (stmt);
  return callee;
}
/* Return the number of actual arguments of the GIMPLE call STMT.  */

static inline unsigned
call_nargs (const gimple *stmt)
{
  const unsigned count = gimple_call_num_args (stmt);
  return count;
}
/* Return the number of actual arguments of the CALL_EXPR EXPR.  */

static inline unsigned
call_nargs (const_tree expr)
{
  const unsigned count = call_expr_nargs (expr);
  return count;
}
/* Return argument number ARGNO (zero-based) of the GIMPLE call STMT.  */

static inline tree
call_arg (const gimple *stmt, unsigned argno)
{
  tree actual = gimple_call_arg (stmt, argno);
  return actual;
}
/* Return argument number ARGNO (zero-based) of the CALL_EXPR EXPR.  */

static inline tree
call_arg (tree expr, unsigned argno)
{
  tree actual = CALL_EXPR_ARG (expr, argno);
  return actual;
}
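/* For a call EXPR at LOC to a function FNAME that expects a string
   in the argument ARG, issue a diagnostic due to it being called
   with an argument that is a character array with no terminating
   NUL.  SIZE is the EXACT size of the array, and BNDRNG the number
   of characters in which the NUL is expected.  Either EXPR or FNAME
   may be null but not both.  SIZE may be null when BNDRNG is null.
   DECL is the declaration of the unterminated array; its location
   is used for the note that follows the warning.  Once a warning
   has been issued it is suppressed on ARG (and on EXPR when nonnull)
   so that the same call is not diagnosed again.  */

template <class GimpleOrTree>
static void
warn_string_no_nul (location_t loc, GimpleOrTree expr, const char *fname,
		    tree arg, tree decl, tree size, bool exact,
		    const wide_int bndrng[2] /* = NULL */)
{
  const opt_code opt = OPT_Wstringop_overread;
  if ((expr && warning_suppressed_p (expr, opt))
      || warning_suppressed_p (arg, opt))
    return;

  loc = expansion_point_location_if_in_system_header (loc);
  bool warned = false;

  /* Format the bound range as a string to keep the number of messages
     from exploding.  The buffer is bounded: two unsigned 64-bit values
     plus punctuation fit comfortably, and snprintf keeps it that way
     should the format ever grow.  */
  char bndstr[80];
  *bndstr = 0;
  if (bndrng)
    {
      if (bndrng[0] == bndrng[1])
	snprintf (bndstr, sizeof bndstr, "%llu",
		  (unsigned long long) bndrng[0].to_uhwi ());
      else
	snprintf (bndstr, sizeof bndstr, "[%llu, %llu]",
		  (unsigned long long) bndrng[0].to_uhwi (),
		  (unsigned long long) bndrng[1].to_uhwi ());
    }

  /* Keep the warning and the note below together.  */
  auto_diagnostic_group d;

  const tree maxobjsize = max_object_size ();
  const wide_int maxsiz = wi::to_wide (maxobjsize);
  if (expr)
    {
      /* With a call we can name the callee with %qD.  */
      tree func = get_callee_fndecl (expr);
      if (bndrng)
	{
	  if (wi::ltu_p (maxsiz, bndrng[0]))
	    warned = warning_at (loc, opt,
				 "%qD specified bound %s exceeds "
				 "maximum object size %E",
				 func, bndstr, maxobjsize);
	  else
	    {
	      /* Use the "may" form only when the lower bound is exactly
		 the (inexact) size, i.e., the access may or may not run
		 past the array.  */
	      bool maybe = wi::to_wide (size) == bndrng[0];
	      warned = warning_at (loc, opt,
				   exact
				   ? G_("%qD specified bound %s exceeds "
					"the size %E of unterminated array")
				   : (maybe
				      ? G_("%qD specified bound %s may "
					   "exceed the size of at most %E "
					   "of unterminated array")
				      : G_("%qD specified bound %s exceeds "
					   "the size of at most %E "
					   "of unterminated array")),
				   func, bndstr, size);
	    }
	}
      else
	warned = warning_at (loc, opt,
			     "%qD argument missing terminating nul",
			     func);
    }
  else
    {
      /* No call expression: the caller supplied the function name
	 as a plain string, printed with %qs.  */
      if (bndrng)
	{
	  if (wi::ltu_p (maxsiz, bndrng[0]))
	    warned = warning_at (loc, opt,
				 "%qs specified bound %s exceeds "
				 "maximum object size %E",
				 fname, bndstr, maxobjsize);
	  else
	    {
	      bool maybe = wi::to_wide (size) == bndrng[0];
	      warned = warning_at (loc, opt,
				   exact
				   ? G_("%qs specified bound %s exceeds "
					"the size %E of unterminated array")
				   : (maybe
				      ? G_("%qs specified bound %s may "
					   "exceed the size of at most %E "
					   "of unterminated array")
				      : G_("%qs specified bound %s exceeds "
					   "the size of at most %E "
					   "of unterminated array")),
				   fname, bndstr, size);
	    }
	}
      else
	warned = warning_at (loc, opt,
			     "%qs argument missing terminating nul",
			     fname);
    }

  if (warned)
    {
      inform (get_location (decl),
	      "referenced argument declared here");
      suppress_warning (arg, opt);
      if (expr)
	suppress_warning (expr, opt);
    }
}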
/* GIMPLE entry point: forward to the template instantiated for
   a GIMPLE statement STMT.  See the template for the meaning of
   the remaining arguments.  */

void
warn_string_no_nul (location_t loc, gimple *stmt, const char *fname,
		    tree arg, tree decl, tree size /* = NULL_TREE */,
		    bool exact /* = false */,
		    const wide_int bndrng[2] /* = NULL */)
{
  warn_string_no_nul<gimple *> (loc, stmt, fname, arg, decl, size, exact,
				bndrng);
}
/* Tree entry point: forward to the template instantiated for
   a CALL_EXPR EXPR.  See the template for the meaning of the
   remaining arguments.  */

void
warn_string_no_nul (location_t loc, tree expr, const char *fname,
		    tree arg, tree decl, tree size /* = NULL_TREE */,
		    bool exact /* = false */,
		    const wide_int bndrng[2] /* = NULL */)
{
  warn_string_no_nul<tree> (loc, expr, fname, arg, decl, size, exact,
			    bndrng);
}
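/* If EXP refers to an unterminated constant character array return
   the declaration of the object of which the array is a member or
   element and if SIZE is not null, set *SIZE to the size of
   the unterminated array and, if EXACT is also not null, set *EXACT
   if the size is exact or clear it otherwise.  Otherwise return null.
   EXACT is only consulted when SIZE is nonnull; it may be null on
   its own, in which case the exactness is simply not reported.  */

tree
unterminated_array (tree exp, tree *size /* = NULL */, bool *exact /* = NULL */)
{
  /* C_STRLEN will return NULL and set DECL in the info
     structure if EXP references an unterminated array.  */
  c_strlen_data lendata = { };
  tree len = c_strlen (exp, 1, &lendata);
  if (len || !lendata.minlen || !lendata.decl)
    return NULL_TREE;

  if (!size)
    return lendata.decl;

  /* Whether LEN is the exact size of the array or only an upper
     bound on it.  Computed into a local so that EXACT may be null.  */
  bool size_is_exact = true;
  len = lendata.minlen;
  if (lendata.off)
    {
      /* Constant offsets are already accounted for in LENDATA.MINLEN,
	 but not in a SSA_NAME + CST expression.  */
      if (TREE_CODE (lendata.off) == INTEGER_CST)
	size_is_exact = true;
      else if (TREE_CODE (lendata.off) == PLUS_EXPR
	       && TREE_CODE (TREE_OPERAND (lendata.off, 1)) == INTEGER_CST)
	{
	  /* Subtract the offset from the size of the array.  The
	     variable part of the offset is unknown, so the result
	     is only an upper bound.  */
	  size_is_exact = false;
	  tree temp = TREE_OPERAND (lendata.off, 1);
	  temp = fold_convert (ssizetype, temp);
	  len = fold_build2 (MINUS_EXPR, ssizetype, len, temp);
	}
      else
	size_is_exact = false;
    }

  if (exact)
    *exact = size_is_exact;
  *size = len;
  return lendata.decl;
}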
/* For a call EXPR (which may be null) that expects a string argument
   SRC as an argument, returns false if SRC is a character array with
   no terminating NUL.  When nonnull, BOUND is the number of characters
   in which to expect the terminating NUL.  When EXPR is nonnull also
   issues a warning.  */

template <class GimpleOrTree>
static bool
check_nul_terminated_array (GimpleOrTree expr, tree src, tree bound)
{
  /* The constant size of the array SRC points to.  The actual size
     may be less if EXACT is false, but not more.  */
  tree size;
  /* True when SIZE is exact; false when SRC involves a non-constant
     offset into the array.  */
  bool exact;
  /* The unterminated constant array SRC points to, or null when
     SRC is not known to be unterminated.  */
  tree nonstr = unterminated_array (src, &size, &exact);
  if (!nonstr)
    return true;

  /* NONSTR refers to the non-nul terminated constant array and SIZE
     is the constant size of the array in bytes.  EXACT is true when
     SIZE is exact.  */

  /* The range of BOUND; only meaningful (and only passed on) when
     BOUND is provided.  */
  wide_int bndrng[2];
  const bool have_bound = bound != NULL_TREE;
  if (have_bound)
    {
      Value_Range r (TREE_TYPE (bound));

      get_range_query (cfun)->range_of_expr (r, bound);

      /* Nothing can be said about an unknown bound.  */
      if (r.undefined_p () || r.varying_p ())
	return true;

      bndrng[0] = r.lower_bound ();
      bndrng[1] = r.upper_bound ();

      /* The access stays within the array when its lower bound does
	 not reach past the exact size, or stays strictly below a size
	 that is only an upper bound.  */
      const wide_int wisize = wi::to_wide (size);
      const bool within = (exact
			   ? wi::leu_p (bndrng[0], wisize)
			   : wi::lt_p (bndrng[0], wisize, UNSIGNED));
      if (within)
	return true;
    }

  if (expr)
    warn_string_no_nul (get_location (expr), expr, NULL, src, nonstr,
			size, exact, have_bound ? bndrng : NULL);

  return false;
}
/* GIMPLE entry point: check the string argument SRC of the call STMT,
   with optional BOUND, via the template above.  */

bool
check_nul_terminated_array (gimple *stmt, tree src, tree bound /* = NULL_TREE */)
{
  const bool terminated
    = check_nul_terminated_array<gimple *> (stmt, src, bound);
  return terminated;
}
/* Tree entry point: check the string argument SRC of the CALL_EXPR
   EXPR, with optional BOUND, via the template above.  */

bool
check_nul_terminated_array (tree expr, tree src, tree bound /* = NULL_TREE */)
{
  const bool terminated
    = check_nul_terminated_array<tree> (expr, src, bound);
  return terminated;
}
/* Warn about passing a non-string array/pointer to a built-in function
   that expects a nul-terminated string argument.  FNDECL is the callee
   (only normal built-ins are considered) and EXP the call, either a
   GIMPLE statement or a CALL_EXPR.  Returns true if a warning has been
   issued, in which case -Wstringop-overread is also suppressed on EXP
   so the call is not diagnosed again.  */

template <class GimpleOrTree>
static bool
maybe_warn_nonstring_arg (tree fndecl, GimpleOrTree exp)
{
  if (!fndecl || !fndecl_built_in_p (fndecl, BUILT_IN_NORMAL))
    return false;

  if (!warn_stringop_overread
      || warning_suppressed_p (exp, OPT_Wstringop_overread))
    return false;

  /* Avoid clearly invalid calls (more checking done below).  */
  unsigned nargs = call_nargs (exp);
  if (!nargs)
    return false;

  /* The bound argument to a bounded string function like strncpy.  */
  tree bound = NULL_TREE;

  /* The longest known or possible string argument to one of the comparison
     functions.  If the length is less than the bound it is used instead.
     Since the length is only used for warning and not for code generation
     disable strict mode in the calls to get_range_strlen below.  */
  tree maxlen = NULL_TREE;

  /* It's safe to call "bounded" string functions with a non-string
     argument since the functions provide an explicit bound for this
     purpose.  The exception is strncat where the bound may refer to
     either the destination or the source.  FNCODE is reset to zero
     further down when the strncat bound turns out not to apply to
     the source, which makes the strncat-specific cases below fall
     through to the generic ones.  */
  int fncode = DECL_FUNCTION_CODE (fndecl);
  switch (fncode)
    {
    case BUILT_IN_STRCMP:
    case BUILT_IN_STRNCMP:
    case BUILT_IN_STRNCASECMP:
      {
	/* For these, if one argument refers to one or more of a set
	   of string constants or arrays of known size, determine
	   the range of their known or possible lengths and use it
	   conservatively as the bound for the unbounded function,
	   and to adjust the range of the bound of the bounded ones.
	   Stop as soon as a constant length is found.  */
	for (unsigned argno = 0;
	     argno < MIN (nargs, 2)
	     && !(maxlen && TREE_CODE (maxlen) == INTEGER_CST); argno++)
	  {
	    tree arg = call_arg (exp, argno);
	    if (!get_attr_nonstring_decl (arg))
	      {
		c_strlen_data lendata = { };
		/* Set MAXBOUND to an arbitrary non-null non-integer
		   node as a request to have it set to the length of
		   the longest string in a PHI.  */
		lendata.maxbound = arg;
		get_range_strlen (arg, &lendata, /* eltsize = */ 1);
		maxlen = lendata.maxbound;
	      }
	  }
      }
      /* Fall through.  */

    case BUILT_IN_STRNCAT:
    case BUILT_IN_STPNCPY:
    case BUILT_IN_STRNCPY:
      /* The bound is the third argument; a call with fewer arguments
	 leaves BOUND null.  */
      if (nargs > 2)
	bound = call_arg (exp, 2);
      break;

    case BUILT_IN_STRNDUP:
      if (nargs < 2)
	return false;
      bound = call_arg (exp, 1);
      break;

    case BUILT_IN_STRNLEN:
      {
	tree arg = call_arg (exp, 0);
	if (!get_attr_nonstring_decl (arg))
	  {
	    c_strlen_data lendata = { };
	    /* Set MAXBOUND to an arbitrary non-null non-integer
	       node as a request to have it set to the length of
	       the longest string in a PHI.  */
	    lendata.maxbound = arg;
	    get_range_strlen (arg, &lendata, /* eltsize = */ 1);
	    maxlen = lendata.maxbound;
	  }
	if (nargs > 1)
	  bound = call_arg (exp, 1);
	break;
      }

    default:
      break;
    }

  /* Determine the range of the bound argument (if specified).  */
  tree bndrng[2] = { NULL_TREE, NULL_TREE };
  if (bound)
    {
      STRIP_NOPS (bound);
      get_size_range (bound, bndrng);
    }

  location_t loc = get_location (exp);

  if (bndrng[0])
    {
      /* Diagnose excessive bound prior to the adjustment below and
	 regardless of attribute nonstring.  This is the only warning
	 issued for such a call, so return right after it.  */
      tree maxobjsize = max_object_size ();
      if (tree_int_cst_lt (maxobjsize, bndrng[0]))
	{
	  bool warned = false;
	  if (tree_int_cst_equal (bndrng[0], bndrng[1]))
	    warned = warning_at (loc, OPT_Wstringop_overread,
				 "%qD specified bound %E "
				 "exceeds maximum object size %E",
				 fndecl, bndrng[0], maxobjsize);
	  else
	    warned = warning_at (loc, OPT_Wstringop_overread,
				 "%qD specified bound [%E, %E] "
				 "exceeds maximum object size %E",
				 fndecl, bndrng[0], bndrng[1],
				 maxobjsize);
	  if (warned)
	    suppress_warning (exp, OPT_Wstringop_overread);

	  return warned;
	}
    }

  /* An all-ones MAXLEN means the length is unknown.  */
  if (maxlen && !integer_all_onesp (maxlen))
    {
      /* Add one for the nul.  */
      maxlen = const_binop (PLUS_EXPR, TREE_TYPE (maxlen), maxlen,
			    size_one_node);

      if (!bndrng[0])
	{
	  /* Conservatively use the upper bound of the lengths for
	     both the lower and the upper bound of the operation.
	     VOID_TYPE_NODE serves as a sentinel meaning the bound was
	     derived from the string length rather than supplied by
	     the call; it is cleared below for arrays of unknown bound
	     and for pointers.  */
	  bndrng[0] = maxlen;
	  bndrng[1] = maxlen;
	  bound = void_type_node;
	}
      else if (maxlen)
	{
	  /* Replace the bound on the operation with the upper bound
	     of the length of the string if the latter is smaller.
	     (MAXLEN is already known to be nonnull here; the test
	     is redundant.)  */
	  if (tree_int_cst_lt (maxlen, bndrng[0]))
	    bndrng[0] = maxlen;
	  else if (tree_int_cst_lt (maxlen, bndrng[1]))
	    bndrng[1] = maxlen;
	}
    }

  bool any_arg_warned = false;
  /* Iterate over the built-in function's formal arguments and check
     each const char* against the actual argument.  If the actual
     argument is declared attribute non-string issue a warning unless
     the argument's maximum length is bounded.  */
  function_args_iterator it;
  function_args_iter_init (&it, TREE_TYPE (fndecl));

  for (unsigned argno = 0; ; ++argno, function_args_iter_next (&it))
    {
      /* Avoid iterating past the declared argument in a call
	 to function declared without a prototype.  */
      if (argno >= nargs)
	break;

      tree argtype = function_args_iter_cond (&it);
      if (!argtype)
	break;

      /* Only formal parameters of type const char* are of interest.  */
      if (TREE_CODE (argtype) != POINTER_TYPE)
	continue;

      argtype = TREE_TYPE (argtype);

      if (TREE_CODE (argtype) != INTEGER_TYPE
	  || !TYPE_READONLY (argtype))
	continue;

      argtype = TYPE_MAIN_VARIANT (argtype);
      if (argtype != char_type_node)
	continue;

      tree callarg = call_arg (exp, argno);
      if (TREE_CODE (callarg) == ADDR_EXPR)
	callarg = TREE_OPERAND (callarg, 0);

      /* See if the destination is declared with attribute "nonstring".  */
      tree decl = get_attr_nonstring_decl (callarg);
      if (!decl)
	continue;

      /* The maximum number of array elements accessed.  */
      offset_int wibnd = 0;

      if (argno && fncode == BUILT_IN_STRNCAT)
	{
	  /* See if the bound in strncat is derived from the length
	     of the strlen of the destination (as it's expected to be).
	     If so, reset BOUND and FNCODE to trigger a warning.
	     NOTE(review): BOUND is still null here when strncat was
	     called with fewer than three arguments -- confirm that
	     is_strlen_related_p tolerates a null second argument.  */
	  tree dstarg = call_arg (exp, 0);
	  if (is_strlen_related_p (dstarg, bound))
	    {
	      /* The bound applies to the destination, not to the source,
		 so reset these to trigger a warning without mentioning
		 the bound.  */
	      bound = NULL;
	      fncode = 0;
	    }
	  else if (bndrng[1])
	    /* Use the upper bound of the range for strncat.  */
	    wibnd = wi::to_offset (bndrng[1]);
	}
      else if (bndrng[0])
	/* Use the lower bound of the range for functions other than
	   strncat.  */
	wibnd = wi::to_offset (bndrng[0]);

      /* Determine the size of the argument array if it is one.  */
      offset_int asize = wibnd;
      bool known_size = false;
      tree type = TREE_TYPE (decl);

      /* Determine the array size.  For arrays of unknown bound and
	 pointers reset BOUND to trigger the appropriate warning.  */
      if (TREE_CODE (type) == ARRAY_TYPE)
	{
	  if (tree arrbnd = TYPE_DOMAIN (type))
	    {
	      if ((arrbnd = TYPE_MAX_VALUE (arrbnd)))
		{
		  /* The domain's maximum is the last valid index,
		     so the element count is one more.  */
		  asize = wi::to_offset (arrbnd) + 1;
		  known_size = true;
		}
	    }
	  else if (bound == void_type_node)
	    bound = NULL_TREE;
	}
      else if (bound == void_type_node)
	bound = NULL_TREE;

      /* In a call to strncat with a bound in a range whose lower but
	 not upper bound is less than the array size, reset ASIZE to
	 be the same as the bound and the other variable to trigger
	 the appropriate warning below.  Note that BNDRNG[0] != BNDRNG[1]
	 compares the two trees for identity, not for value.  */
      if (fncode == BUILT_IN_STRNCAT
	  && bndrng[0] != bndrng[1]
	  && wi::ltu_p (wi::to_offset (bndrng[0]), asize)
	  && (!known_size
	      || wi::ltu_p (asize, wibnd)))
	{
	  asize = wibnd;
	  bound = NULL_TREE;
	  fncode = 0;
	}

      bool warned = false;

      /* Keep the warning and the "declared here" note together.  */
      auto_diagnostic_group d;
      if (wi::ltu_p (asize, wibnd))
	{
	  /* Again an identity comparison of the two bound trees.  */
	  if (bndrng[0] == bndrng[1])
	    warned = warning_at (loc, OPT_Wstringop_overread,
				 "%qD argument %i declared attribute "
				 "%<nonstring%> is smaller than the specified "
				 "bound %wu",
				 fndecl, argno + 1, wibnd.to_uhwi ());
	  else if (wi::ltu_p (asize, wi::to_offset (bndrng[0])))
	    warned = warning_at (loc, OPT_Wstringop_overread,
				 "%qD argument %i declared attribute "
				 "%<nonstring%> is smaller than "
				 "the specified bound [%E, %E]",
				 fndecl, argno + 1, bndrng[0], bndrng[1]);
	  else
	    warned = warning_at (loc, OPT_Wstringop_overread,
				 "%qD argument %i declared attribute "
				 "%<nonstring%> may be smaller than "
				 "the specified bound [%E, %E]",
				 fndecl, argno + 1, bndrng[0], bndrng[1]);
	}
      else if (fncode == BUILT_IN_STRNCAT)
	; /* Avoid warning for calls to strncat() when the bound
	     is equal to the size of the non-string argument.  */
      else if (!bound)
	warned = warning_at (loc, OPT_Wstringop_overread,
			     "%qD argument %i declared attribute %<nonstring%>",
			     fndecl, argno + 1);

      if (warned)
	{
	  inform (DECL_SOURCE_LOCATION (decl),
		  "argument %qD declared here", decl);
	  any_arg_warned = true;
	}
    }

  if (any_arg_warned)
    suppress_warning (exp, OPT_Wstringop_overread);

  return any_arg_warned;
}
/* GIMPLE entry point: check the arguments of the call STMT to the
   built-in FNDECL via the template above.  */

bool
maybe_warn_nonstring_arg (tree fndecl, gimple *stmt)
{
  const bool warned = maybe_warn_nonstring_arg<gimple *> (fndecl, stmt);
  return warned;
}
/* Tree entry point: check the arguments of the CALL_EXPR EXPR to the
   built-in FNDECL via the template above.  */

bool
maybe_warn_nonstring_arg (tree fndecl, tree expr)
{
  const bool warned = maybe_warn_nonstring_arg<tree> (fndecl, expr);
  return warned;
}
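/* Issue a warning OPT for a bounded call EXP with a bound in BNDRNG
   accessing an object with SIZE.  FUNC is the callee to name in the
   message, or null to issue the message without naming one.  PAD,
   when nonnull, describes the source (for -Wstringop-overread) or
   destination (for any other OPT) of the access and is used both to
   decide whether the "may" form of the message applies and to point
   at the object's allocation in a note.  A bound whose lower end
   exceeds the maximum object size is diagnosed regardless of SIZE;
   otherwise nothing is diagnosed when SIZE is null or the lower bound
   fits in it.  Returns true when a warning has been issued, in which
   case OPT is also suppressed on EXP.  */

template <class GimpleOrTree>
static bool
maybe_warn_for_bound (opt_code opt, location_t loc, GimpleOrTree exp, tree func,
		      tree bndrng[2], tree size, const access_data *pad)
{
  if (!bndrng[0] || warning_suppressed_p (exp, opt))
    return false;

  tree maxobjsize = max_object_size ();

  bool warned = false;

  if (opt == OPT_Wstringop_overread)
    {
      /* Reads: the bound is checked against the source object.  */
      bool maybe = pad && pad->src.phi ();
      if (maybe)
	{
	  /* Issue a "maybe" warning only if the PHI refers to objects
	     at least one of which has more space remaining than the bound.
	     Otherwise, if the bound is greater, use the definitive form.  */
	  offset_int remmax = pad->src.size_remaining ();
	  if (remmax < wi::to_offset (bndrng[0]))
	    maybe = false;
	}

      /* Keep the warning and the "allocated here" note together.  */
      auto_diagnostic_group d;
      if (tree_int_cst_lt (maxobjsize, bndrng[0]))
	{
	  /* Identity comparison of the two bound trees: a single
	     constant is printed as one value, anything else as
	     a range.  */
	  if (bndrng[0] == bndrng[1])
	    warned = (func
		      ? warning_at (loc, opt,
				    (maybe
				     ? G_("%qD specified bound %E may "
					  "exceed maximum object size %E")
				     : G_("%qD specified bound %E "
					  "exceeds maximum object size %E")),
				    func, bndrng[0], maxobjsize)
		      : warning_at (loc, opt,
				    (maybe
				     ? G_("specified bound %E may "
					  "exceed maximum object size %E")
				     : G_("specified bound %E "
					  "exceeds maximum object size %E")),
				    bndrng[0], maxobjsize));
	  else
	    warned = (func
		      ? warning_at (loc, opt,
				    (maybe
				     ? G_("%qD specified bound [%E, %E] may "
					  "exceed maximum object size %E")
				     : G_("%qD specified bound [%E, %E] "
					  "exceeds maximum object size %E")),
				    func,
				    bndrng[0], bndrng[1], maxobjsize)
		      : warning_at (loc, opt,
				    (maybe
				     ? G_("specified bound [%E, %E] may "
					  "exceed maximum object size %E")
				     : G_("specified bound [%E, %E] "
					  "exceeds maximum object size %E")),
				    bndrng[0], bndrng[1], maxobjsize));
	}
      else if (!size || tree_int_cst_le (bndrng[0], size))
	return false;
      else if (tree_int_cst_equal (bndrng[0], bndrng[1]))
	warned = (func
		  ? warning_at (loc, opt,
				(maybe
				 ? G_("%qD specified bound %E may exceed "
				      "source size %E")
				 : G_("%qD specified bound %E exceeds "
				      "source size %E")),
				func, bndrng[0], size)
		  : warning_at (loc, opt,
				(maybe
				 ? G_("specified bound %E may exceed "
				      "source size %E")
				 : G_("specified bound %E exceeds "
				      "source size %E")),
				bndrng[0], size));
      else
	warned = (func
		  ? warning_at (loc, opt,
				(maybe
				 ? G_("%qD specified bound [%E, %E] may "
				      "exceed source size %E")
				 : G_("%qD specified bound [%E, %E] exceeds "
				      "source size %E")),
				func, bndrng[0], bndrng[1], size)
		  : warning_at (loc, opt,
				(maybe
				 ? G_("specified bound [%E, %E] may exceed "
				      "source size %E")
				 : G_("specified bound [%E, %E] exceeds "
				      "source size %E")),
				bndrng[0], bndrng[1], size));
      if (warned)
	{
	  if (pad && pad->src.ref
	      && has_location (pad->src.ref))
	    inform (get_location (pad->src.ref),
		    "source object allocated here");
	  suppress_warning (exp, opt);
	}

      return warned;
    }

  /* Writes (and other options): the bound is checked against the
     destination object.  */
  bool maybe = pad && pad->dst.phi ();
  if (maybe)
    {
      /* Issue a "maybe" warning only if the PHI refers to objects
	 at least one of which has more space remaining than the bound.
	 Otherwise, if the bound is greater, use the definitive form.  */
      offset_int remmax = pad->dst.size_remaining ();
      if (remmax < wi::to_offset (bndrng[0]))
	maybe = false;
    }

  /* Group the warning with its note, same as for the read case.  */
  auto_diagnostic_group d;
  if (tree_int_cst_lt (maxobjsize, bndrng[0]))
    {
      if (bndrng[0] == bndrng[1])
	warned = (func
		  ? warning_at (loc, opt,
				(maybe
				 ? G_("%qD specified size %E may "
				      "exceed maximum object size %E")
				 : G_("%qD specified size %E "
				      "exceeds maximum object size %E")),
				func, bndrng[0], maxobjsize)
		  : warning_at (loc, opt,
				(maybe
				 ? G_("specified size %E may exceed "
				      "maximum object size %E")
				 : G_("specified size %E exceeds "
				      "maximum object size %E")),
				bndrng[0], maxobjsize));
      else
	warned = (func
		  ? warning_at (loc, opt,
				(maybe
				 ? G_("%qD specified size between %E and %E "
				      "may exceed maximum object size %E")
				 : G_("%qD specified size between %E and %E "
				      "exceeds maximum object size %E")),
				func, bndrng[0], bndrng[1], maxobjsize)
		  : warning_at (loc, opt,
				(maybe
				 ? G_("specified size between %E and %E "
				      "may exceed maximum object size %E")
				 : G_("specified size between %E and %E "
				      "exceeds maximum object size %E")),
				bndrng[0], bndrng[1], maxobjsize));
    }
  else if (!size || tree_int_cst_le (bndrng[0], size))
    return false;
  else if (tree_int_cst_equal (bndrng[0], bndrng[1]))
    warned = (func
	      ? warning_at (loc, opt,
			    (maybe
			     ? G_("%qD specified bound %E may exceed "
				  "destination size %E")
			     : G_("%qD specified bound %E exceeds "
				  "destination size %E")),
			    func, bndrng[0], size)
	      : warning_at (loc, opt,
			    (maybe
			     ? G_("specified bound %E may exceed "
				  "destination size %E")
			     : G_("specified bound %E exceeds "
				  "destination size %E")),
			    bndrng[0], size));
  else
    warned = (func
	      ? warning_at (loc, opt,
			    (maybe
			     ? G_("%qD specified bound [%E, %E] may exceed "
				  "destination size %E")
			     : G_("%qD specified bound [%E, %E] exceeds "
				  "destination size %E")),
			    func, bndrng[0], bndrng[1], size)
	      : warning_at (loc, opt,
			    /* The "maybe" form must say "may exceed" like
			       every other branch; it used to repeat the
			       definitive wording.  */
			    (maybe
			     ? G_("specified bound [%E, %E] may exceed "
				  "destination size %E")
			     : G_("specified bound [%E, %E] exceeds "
				  "destination size %E")),
			    bndrng[0], bndrng[1], size));

  if (warned)
    {
      if (pad && pad->dst.ref
	  && has_location (pad->dst.ref))
	inform (get_location (pad->dst.ref),
		"destination object allocated here");
      suppress_warning (exp, opt);
    }

  return warned;
}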
/* GIMPLE entry point: diagnose the bound BNDRNG of the call STMT
   against SIZE via the template above.  */

bool
maybe_warn_for_bound (opt_code opt, location_t loc, gimple *stmt, tree func,
		      tree bndrng[2], tree size,
		      const access_data *pad /* = NULL */)
{
  const bool warned
    = maybe_warn_for_bound<gimple *> (opt, loc, stmt, func, bndrng, size, pad);
  return warned;
}
/* Tree entry point: diagnose the bound BNDRNG of the CALL_EXPR EXPR
   against SIZE via the template above.  */

bool
maybe_warn_for_bound (opt_code opt, location_t loc, tree expr, tree func,
		      tree bndrng[2], tree size,
		      const access_data *pad /* = NULL */)
{
  const bool warned
    = maybe_warn_for_bound<tree> (opt, loc, expr, func, bndrng, size, pad);
  return warned;
}
/* For an expression EXP issue an access warning controlled by option OPT
   with access to a region SIZE bytes in size in the RANGE of sizes.
   WRITE is true for a write access, READ for a read access, neither for
   a call that may or may not perform an access but for which the range
   is expected to be valid.
   Returns true when a warning has been issued.  */
81d6cdd3 922template <class GimpleOrTree>
2a837de2 923static bool
924warn_for_access (location_t loc, tree func, GimpleOrTree exp, int opt,
925 tree range[2], tree size, bool write, bool read, bool maybe)
926{
927 bool warned = false;
928
929 if (write && read)
930 {
931 if (tree_int_cst_equal (range[0], range[1]))
932 warned = (func
933 ? warning_n (loc, opt, tree_to_uhwi (range[0]),
934 (maybe
935 ? G_("%qD may access %E byte in a region "
936 "of size %E")
937 : G_("%qD accessing %E byte in a region "
938 "of size %E")),
939 (maybe
940 ? G_ ("%qD may access %E bytes in a region "
941 "of size %E")
942 : G_ ("%qD accessing %E bytes in a region "
943 "of size %E")),
944 func, range[0], size)
945 : warning_n (loc, opt, tree_to_uhwi (range[0]),
946 (maybe
947 ? G_("may access %E byte in a region "
948 "of size %E")
949 : G_("accessing %E byte in a region "
950 "of size %E")),
951 (maybe
952 ? G_("may access %E bytes in a region "
953 "of size %E")
954 : G_("accessing %E bytes in a region "
955 "of size %E")),
956 range[0], size));
957 else if (tree_int_cst_sign_bit (range[1]))
958 {
959 /* Avoid printing the upper bound if it's invalid. */
960 warned = (func
961 ? warning_at (loc, opt,
962 (maybe
963 ? G_("%qD may access %E or more bytes "
964 "in a region of size %E")
965 : G_("%qD accessing %E or more bytes "
966 "in a region of size %E")),
967 func, range[0], size)
968 : warning_at (loc, opt,
969 (maybe
970 ? G_("may access %E or more bytes "
971 "in a region of size %E")
972 : G_("accessing %E or more bytes "
973 "in a region of size %E")),
974 range[0], size));
975 }
976 else
977 warned = (func
978 ? warning_at (loc, opt,
979 (maybe
980 ? G_("%qD may access between %E and %E "
981 "bytes in a region of size %E")
982 : G_("%qD accessing between %E and %E "
983 "bytes in a region of size %E")),
984 func, range[0], range[1], size)
985 : warning_at (loc, opt,
986 (maybe
987 ? G_("may access between %E and %E bytes "
988 "in a region of size %E")
989 : G_("accessing between %E and %E bytes "
990 "in a region of size %E")),
991 range[0], range[1], size));
992 return warned;
993 }
994
995 if (write)
996 {
997 if (tree_int_cst_equal (range[0], range[1]))
998 warned = (func
999 ? warning_n (loc, opt, tree_to_uhwi (range[0]),
1000 (maybe
1001 ? G_("%qD may write %E byte into a region "
1002 "of size %E")
1003 : G_("%qD writing %E byte into a region "
1004 "of size %E overflows the destination")),
1005 (maybe
1006 ? G_("%qD may write %E bytes into a region "
1007 "of size %E")
1008 : G_("%qD writing %E bytes into a region "
1009 "of size %E overflows the destination")),
1010 func, range[0], size)
1011 : warning_n (loc, opt, tree_to_uhwi (range[0]),
1012 (maybe
1013 ? G_("may write %E byte into a region "
1014 "of size %E")
1015 : G_("writing %E byte into a region "
1016 "of size %E overflows the destination")),
1017 (maybe
1018 ? G_("may write %E bytes into a region "
1019 "of size %E")
1020 : G_("writing %E bytes into a region "
1021 "of size %E overflows the destination")),
1022 range[0], size));
1023 else if (tree_int_cst_sign_bit (range[1]))
1024 {
1025 /* Avoid printing the upper bound if it's invalid. */
1026 warned = (func
1027 ? warning_at (loc, opt,
1028 (maybe
1029 ? G_("%qD may write %E or more bytes "
1030 "into a region of size %E")
1031 : G_("%qD writing %E or more bytes "
1032 "into a region of size %E overflows "
1033 "the destination")),
1034 func, range[0], size)
1035 : warning_at (loc, opt,
1036 (maybe
1037 ? G_("may write %E or more bytes into "
1038 "a region of size %E")
1039 : G_("writing %E or more bytes into "
1040 "a region of size %E overflows "
1041 "the destination")),
1042 range[0], size));
1043 }
1044 else
1045 warned = (func
1046 ? warning_at (loc, opt,
1047 (maybe
1048 ? G_("%qD may write between %E and %E bytes "
1049 "into a region of size %E")
1050 : G_("%qD writing between %E and %E bytes "
1051 "into a region of size %E overflows "
1052 "the destination")),
1053 func, range[0], range[1], size)
1054 : warning_at (loc, opt,
1055 (maybe
1056 ? G_("may write between %E and %E bytes "
1057 "into a region of size %E")
1058 : G_("writing between %E and %E bytes "
1059 "into a region of size %E overflows "
1060 "the destination")),
1061 range[0], range[1], size));
1062 return warned;
1063 }
1064
1065 if (read)
1066 {
1067 if (tree_int_cst_equal (range[0], range[1]))
1068 warned = (func
1069 ? warning_n (loc, OPT_Wstringop_overread,
1070 tree_to_uhwi (range[0]),
1071 (maybe
1072 ? G_("%qD may read %E byte from a region "
1073 "of size %E")
1074 : G_("%qD reading %E byte from a region "
1075 "of size %E")),
1076 (maybe
1077 ? G_("%qD may read %E bytes from a region "
1078 "of size %E")
1079 : G_("%qD reading %E bytes from a region "
1080 "of size %E")),
1081 func, range[0], size)
1082 : warning_n (loc, OPT_Wstringop_overread,
1083 tree_to_uhwi (range[0]),
1084 (maybe
1085 ? G_("may read %E byte from a region "
1086 "of size %E")
1087 : G_("reading %E byte from a region "
1088 "of size %E")),
1089 (maybe
1090 ? G_("may read %E bytes from a region "
1091 "of size %E")
1092 : G_("reading %E bytes from a region "
1093 "of size %E")),
1094 range[0], size));
1095 else if (tree_int_cst_sign_bit (range[1]))
1096 {
1097 /* Avoid printing the upper bound if it's invalid. */
1098 warned = (func
1099 ? warning_at (loc, OPT_Wstringop_overread,
1100 (maybe
1101 ? G_("%qD may read %E or more bytes "
1102 "from a region of size %E")
1103 : G_("%qD reading %E or more bytes "
1104 "from a region of size %E")),
1105 func, range[0], size)
1106 : warning_at (loc, OPT_Wstringop_overread,
1107 (maybe
1108 ? G_("may read %E or more bytes "
1109 "from a region of size %E")
1110 : G_("reading %E or more bytes "
1111 "from a region of size %E")),
1112 range[0], size));
1113 }
1114 else
1115 warned = (func
1116 ? warning_at (loc, OPT_Wstringop_overread,
1117 (maybe
1118 ? G_("%qD may read between %E and %E bytes "
1119 "from a region of size %E")
1120 : G_("%qD reading between %E and %E bytes "
1121 "from a region of size %E")),
1122 func, range[0], range[1], size)
1123 : warning_at (loc, opt,
1124 (maybe
1125 ? G_("may read between %E and %E bytes "
1126 "from a region of size %E")
1127 : G_("reading between %E and %E bytes "
1128 "from a region of size %E")),
1129 range[0], range[1], size));
1130
1131 if (warned)
1132 suppress_warning (exp, OPT_Wstringop_overread);
1133
1134 return warned;
1135 }
1136
1137 if (tree_int_cst_equal (range[0], range[1])
1138 || tree_int_cst_sign_bit (range[1]))
1139 warned = (func
1140 ? warning_n (loc, OPT_Wstringop_overread,
1141 tree_to_uhwi (range[0]),
1142 "%qD expecting %E byte in a region of size %E",
1143 "%qD expecting %E bytes in a region of size %E",
1144 func, range[0], size)
1145 : warning_n (loc, OPT_Wstringop_overread,
1146 tree_to_uhwi (range[0]),
1147 "expecting %E byte in a region of size %E",
1148 "expecting %E bytes in a region of size %E",
1149 range[0], size));
1150 else if (tree_int_cst_sign_bit (range[1]))
1151 {
1152 /* Avoid printing the upper bound if it's invalid. */
1153 warned = (func
1154 ? warning_at (loc, OPT_Wstringop_overread,
1155 "%qD expecting %E or more bytes in a region "
1156 "of size %E",
1157 func, range[0], size)
1158 : warning_at (loc, OPT_Wstringop_overread,
1159 "expecting %E or more bytes in a region "
1160 "of size %E",
1161 range[0], size));
1162 }
1163 else
1164 warned = (func
1165 ? warning_at (loc, OPT_Wstringop_overread,
1166 "%qD expecting between %E and %E bytes in "
1167 "a region of size %E",
1168 func, range[0], range[1], size)
1169 : warning_at (loc, OPT_Wstringop_overread,
1170 "expecting between %E and %E bytes in "
1171 "a region of size %E",
1172 range[0], range[1], size));
1173
1174 if (warned)
1175 suppress_warning (exp, OPT_Wstringop_overread);
1176
1177 return warned;
1178}
1179
/* Overload of warn_for_access for a GIMPLE call statement STMT.  The
   remaining arguments have the same meaning as in the template above;
   the result is true when a warning was issued.  */

static bool
warn_for_access (location_t loc, tree func, gimple *stmt, int opt,
		 tree range[2], tree size, bool write, bool read, bool maybe)
{
  /* The explicit template argument selects the generic implementation
     rather than recursing into this overload.  */
  const bool warned
    = warn_for_access<gimple *> (loc, func, stmt, opt, range, size,
				  write, read, maybe);
  return warned;
}
1187
/* Overload of warn_for_access for a tree EXPR (typically a CALL_EXPR).
   The remaining arguments have the same meaning as in the template
   above; the result is true when a warning was issued.  */

static bool
warn_for_access (location_t loc, tree func, tree expr, int opt,
		 tree range[2], tree size, bool write, bool read, bool maybe)
{
  /* The explicit template argument selects the generic implementation
     rather than recursing into this overload.  */
  const bool warned
    = warn_for_access<tree> (loc, func, expr, opt, range, size,
			     write, read, maybe);
  return warned;
}
1195
1196/* Helper to set RANGE to the range of BOUND if it's nonnull, bounded
1197 by BNDRNG if nonnull and valid. */
1198
static void
get_size_range (range_query *query, tree bound, gimple *stmt, tree range[2],
		int flags, const offset_int bndrng[2])
{
  /* Start from the range of BOUND itself when one is given; otherwise
     RANGE keeps whatever the caller put in it.  */
  if (bound)
    get_size_range (query, bound, stmt, range, flags);

  /* A null BNDRNG, or one spanning the whole [0, SIZE_MAX] interval,
     places no constraint on RANGE.  */
  const bool bndrng_valid
    = bndrng && !(bndrng[0] == 0 && bndrng[1] == HOST_WIDE_INT_M1U);
  if (!bndrng_valid)
    return;

  const bool range_known = range[0] && TREE_CODE (range[0]) == INTEGER_CST;
  if (!range_known)
    {
      /* Nothing is known about RANGE, so BNDRNG becomes the range.  */
      range[0] = wide_int_to_tree (sizetype, bndrng[0]);
      range[1] = wide_int_to_tree (sizetype, bndrng[1]);
      return;
    }

  /* Tighten each end of RANGE to BNDRNG where the latter is narrower.
     Both elements of RANGE are assumed to be INTEGER_CST here, as in
     the original logic.  */
  const offset_int lo = wi::to_offset (range[0]);
  const offset_int hi = wi::to_offset (range[1]);
  if (lo < bndrng[0])
    range[0] = wide_int_to_tree (sizetype, bndrng[0]);
  if (bndrng[1] < hi)
    range[1] = wide_int_to_tree (sizetype, bndrng[1]);
}
1224
1225/* Try to verify that the sizes and lengths of the arguments to a string
1226 manipulation function given by EXP are within valid bounds and that
1227 the operation does not lead to buffer overflow or read past the end.
1228 Arguments other than EXP may be null. When non-null, the arguments
1229 have the following meaning:
1230 DST is the destination of a copy call or NULL otherwise.
1231 SRC is the source of a copy call or NULL otherwise.
1232 DSTWRITE is the number of bytes written into the destination obtained
1233 from the user-supplied size argument to the function (such as in
1234 memcpy(DST, SRC, DSTWRITE) or strncpy(DST, SRC, DSTWRITE)).
1235 MAXREAD is the user-supplied bound on the length of the source sequence
1236 (such as in strncat(d, s, N)). It specifies the upper limit on the number
1237 of bytes to write. If NULL, it's taken to be the same as DSTWRITE.
1238 SRCSTR is the source string (such as in strcpy(DST, SRC)) when the
1239 expression EXP is a string function call (as opposed to a memory call
1240 like memcpy). As an exception, SRCSTR can also be an integer denoting
1241 the precomputed size of the source string or object (for functions like
1242 memcpy).
1243 DSTSIZE is the size of the destination object.
1244
1245 When DSTWRITE is null LEN is checked to verify that it doesn't exceed
1246 SIZE_MAX.
1247
1248 WRITE is true for write accesses, READ is true for reads. Both are
1249 false for simple size checks in calls to functions that neither read
1250 from nor write to the region.
1251
1252 When nonnull, PAD points to a more detailed description of the access.
1253
1254 If the call is successfully verified as safe return true, otherwise
1255 return false. */
1256
template <class GimpleOrTree>
static bool
check_access (GimpleOrTree exp, tree dstwrite,
	      tree maxread, tree srcstr, tree dstsize,
	      access_mode mode, const access_data *pad,
	      range_query *rvals)
{
  /* The size of the largest object is half the address space, or
     PTRDIFF_MAX.  (This is way too permissive.)  */
  tree maxobjsize = max_object_size ();

  /* Either an approximate/minimum the length of the source string for
     string functions or the size of the source object for raw memory
     functions.  */
  tree slen = NULL_TREE;

  /* The range of the access in bytes; first set to the write access
     for functions that write and then read for those that also (or
     just) read.  */
  tree range[2] = { NULL_TREE, NULL_TREE };

  /* Set to true when the exact number of bytes written by a string
     function like strcpy is not known and the only thing that is
     known is that it must be at least one (for the terminating nul).  */
  bool at_least_one = false;
  if (srcstr)
    {
      /* SRCSTR is normally a pointer to string but as a special case
	 it can be an integer denoting the length of a string.  */
      if (POINTER_TYPE_P (TREE_TYPE (srcstr)))
	{
	  if (!check_nul_terminated_array (exp, srcstr, maxread))
	    /* Return if the array is not nul-terminated and a warning
	       has been issued.  */
	    return false;

	  /* Try to determine the range of lengths the source string
	     refers to.  If it can be determined and is less than
	     the upper bound given by MAXREAD add one to it for
	     the terminating nul.  Otherwise, set it to one for
	     the same reason, or to MAXREAD as appropriate.  */
	  c_strlen_data lendata = { };
	  get_range_strlen (srcstr, &lendata, /* eltsize = */ 1);
	  range[0] = lendata.minlen;
	  range[1] = lendata.maxbound ? lendata.maxbound : lendata.maxlen;
	  if (range[0]
	      && TREE_CODE (range[0]) == INTEGER_CST
	      && TREE_CODE (range[1]) == INTEGER_CST
	      && (!maxread || TREE_CODE (maxread) == INTEGER_CST))
	    {
	      /* A bound no larger than the minimum length clamps both
		 ends to the bound (no nul is written in that case).  */
	      if (maxread && tree_int_cst_le (maxread, range[0]))
		range[0] = range[1] = maxread;
	      else
		range[0] = fold_build2 (PLUS_EXPR, size_type_node,
					range[0], size_one_node);

	      /* An all-ones upper bound stands for "unbounded" and is
		 left alone rather than wrapped around by adding one.  */
	      if (maxread && tree_int_cst_le (maxread, range[1]))
		range[1] = maxread;
	      else if (!integer_all_onesp (range[1]))
		range[1] = fold_build2 (PLUS_EXPR, size_type_node,
					range[1], size_one_node);

	      slen = range[0];
	    }
	  else
	    {
	      at_least_one = true;
	      slen = size_one_node;
	    }
	}
      else
	slen = srcstr;
    }

  if (!dstwrite && !maxread)
    {
      /* When the only available piece of data is the object size
	 there is nothing to do.  */
      if (!slen)
	return true;

      /* Otherwise, when the length of the source sequence is known
	 (as with strlen), set DSTWRITE to it.  */
      if (!range[0])
	dstwrite = slen;
    }

  if (!dstsize)
    dstsize = maxobjsize;

  /* Set RANGE to that of DSTWRITE if non-null, bounded by PAD->DST_BNDRNG
     if valid.  */
  gimple *stmt = pad ? pad->stmt : nullptr;
  get_size_range (rvals, dstwrite, stmt, range,
		  /* If the destination has known zero size prefer a zero
		     size range to avoid false positives if that's a
		     possibility.  */
		  integer_zerop (dstsize) ? SR_ALLOW_ZERO : 0,
		  pad ? pad->dst_bndrng : NULL);

  tree func = get_callee_fndecl (exp);
  /* Read vs write access by built-ins can be determined from the const
     qualifiers on the pointer argument.  In the absence of attribute
     access, non-const qualified pointer arguments to user-defined
     functions are assumed to both read and write the objects.  */
  const bool builtin = func ? fndecl_built_in_p (func) : false;

  /* First check the number of bytes to be written against the maximum
     object size.  */
  if (range[0]
      && TREE_CODE (range[0]) == INTEGER_CST
      && tree_int_cst_lt (maxobjsize, range[0]))
    {
      location_t loc = get_location (exp);
      maybe_warn_for_bound (OPT_Wstringop_overflow_, loc, exp, func, range,
			    NULL_TREE, pad);
      return false;
    }

  /* The number of bytes to write is "exact" if DSTWRITE is non-null,
     constant, and in range of unsigned HOST_WIDE_INT.  */
  bool exactwrite = dstwrite && tree_fits_uhwi_p (dstwrite);

  /* Next check the number of bytes to be written against the destination
     object size.  Note the order of the disjuncts: when DSTWRITE is
     null EXACTWRITE is false, so integer_all_onesp is never reached
     with a null argument.  */
  if (range[0] || !exactwrite || integer_all_onesp (dstwrite))
    {
      if (range[0]
	  && TREE_CODE (range[0]) == INTEGER_CST
	  && ((tree_fits_uhwi_p (dstsize)
	       && tree_int_cst_lt (dstsize, range[0]))
	      || (dstwrite
		  && tree_fits_uhwi_p (dstwrite)
		  && tree_int_cst_lt (dstwrite, range[0]))))
	{
	  const opt_code opt = OPT_Wstringop_overflow_;
	  if (warning_suppressed_p (exp, opt)
	      || (pad && pad->dst.ref
		  && warning_suppressed_p (pad->dst.ref, opt)))
	    return false;

	  auto_diagnostic_group d;
	  location_t loc = get_location (exp);
	  bool warned = false;
	  if (dstwrite == slen && at_least_one)
	    {
	      /* This is a call to strcpy with a destination of 0 size
		 and a source of unknown length.  The call will write
		 at least one byte past the end of the destination.  */
	      warned = (func
			? warning_at (loc, opt,
				      "%qD writing %E or more bytes into "
				      "a region of size %E overflows "
				      "the destination",
				      func, range[0], dstsize)
			: warning_at (loc, opt,
				      "writing %E or more bytes into "
				      "a region of size %E overflows "
				      "the destination",
				      range[0], dstsize));
	    }
	  else
	    {
	      const bool read
		= mode == access_read_only || mode == access_read_write;
	      const bool write
		= mode == access_write_only || mode == access_read_write;
	      const bool maybe = pad && pad->dst.parmarray;
	      /* READ is dropped for built-ins: see the comment on
		 BUILTIN above.  */
	      warned = warn_for_access (loc, func, exp,
					OPT_Wstringop_overflow_,
					range, dstsize,
					write, read && !builtin, maybe);
	    }

	  if (warned)
	    {
	      suppress_warning (exp, OPT_Wstringop_overflow_);
	      if (pad)
		pad->dst.inform_access (pad->mode);
	    }

	  /* Return error when an overflow has been detected.  */
	  return false;
	}
    }

  /* Check the maximum length of the source sequence against the size
     of the destination object if known, or against the maximum size
     of an object.  */
  if (maxread)
    {
      /* Set RANGE to that of MAXREAD, bounded by PAD->SRC_BNDRNG if
	 PAD is nonnull and BNDRNG is valid.  */
      get_size_range (rvals, maxread, stmt, range, 0,
		      pad ? pad->src_bndrng : NULL);

      location_t loc = get_location (exp);
      tree size = dstsize;
      /* For a read-only access the bound is checked against what is
	 left of the source object, not the destination.  */
      if (pad && pad->mode == access_read_only)
	size = wide_int_to_tree (sizetype, pad->src.size_remaining ());

      if (range[0] && maxread && tree_fits_uhwi_p (size))
	{
	  if (tree_int_cst_lt (maxobjsize, range[0]))
	    {
	      maybe_warn_for_bound (OPT_Wstringop_overread, loc, exp, func,
				    range, size, pad);
	      return false;
	    }

	  if (size != maxobjsize && tree_int_cst_lt (size, range[0]))
	    {
	      opt_code opt = (dstwrite || mode != access_read_only
			      ? OPT_Wstringop_overflow_
			      : OPT_Wstringop_overread);
	      maybe_warn_for_bound (opt, loc, exp, func, range, size, pad);
	      return false;
	    }
	}

      maybe_warn_nonstring_arg (func, exp);
    }

  /* Check for reading past the end of SRC.  */
  bool overread = (slen
		   && slen == srcstr
		   && dstwrite
		   && range[0]
		   && TREE_CODE (slen) == INTEGER_CST
		   && tree_int_cst_lt (slen, range[0]));
  /* If none is determined try to get a better answer based on the details
     in PAD.  */
  if (!overread
      && pad
      && pad->src.sizrng[1] >= 0
      && pad->src.offrng[0] >= 0
      && (pad->src.offrng[1] < 0
	  || pad->src.offrng[0] <= pad->src.offrng[1]))
    {
      /* Set RANGE to that of MAXREAD, bounded by PAD->SRC_BNDRNG.  PAD
	 is known to be nonnull in this branch; the callee still checks
	 whether BNDRNG is valid.  */
      get_size_range (rvals, maxread, stmt, range, 0,
		      pad ? pad->src_bndrng : NULL);
      /* Set OVERREAD for reads starting just past the end of an object.  */
      overread = pad->src.sizrng[1] - pad->src.offrng[0] < pad->src_bndrng[0];
      range[0] = wide_int_to_tree (sizetype, pad->src_bndrng[0]);
      slen = size_zero_node;
    }

  if (overread)
    {
      const opt_code opt = OPT_Wstringop_overread;
      if (warning_suppressed_p (exp, opt)
	  || (srcstr && warning_suppressed_p (srcstr, opt))
	  || (pad && pad->src.ref
	      && warning_suppressed_p (pad->src.ref, opt)))
	return false;

      location_t loc = get_location (exp);
      const bool read
	= mode == access_read_only || mode == access_read_write;
      /* NOTE(review): this consults PAD->DST even though the access
	 being diagnosed is the read of SRC; confirm DST.PARMARRAY is
	 the intended flag here rather than SRC.PARMARRAY.  */
      const bool maybe = pad && pad->dst.parmarray;
      auto_diagnostic_group d;
      if (warn_for_access (loc, func, exp, opt, range, slen, false, read,
			   maybe))
	{
	  suppress_warning (exp, opt);
	  if (pad)
	    pad->src.inform_access (access_read_only);
	}
      return false;
    }

  return true;
}
1532
/* Overload of check_access for a GIMPLE call STMT, with RVALS supplying
   range information.  The other arguments are as in the template above;
   the result is true when the access was verified as safe.  */

static bool
check_access (gimple *stmt, tree dstwrite,
	      tree maxread, tree srcstr, tree dstsize,
	      access_mode mode, const access_data *pad,
	      range_query *rvals)
{
  /* The explicit template argument selects the generic implementation
     rather than recursing into this overload.  */
  const bool safe
    = check_access<gimple *> (stmt, dstwrite, maxread, srcstr, dstsize,
			      mode, pad, rvals);
  return safe;
}
1542
/* Overload of check_access for a tree EXPR (typically a CALL_EXPR).
   No range query is available in this form, so none is passed on.
   The other arguments are as in the template above; the result is true
   when the access was verified as safe.  */

bool
check_access (tree expr, tree dstwrite,
	      tree maxread, tree srcstr, tree dstsize,
	      access_mode mode, const access_data *pad /* = NULL */)
{
  range_query *const no_rvals = nullptr;
  /* The explicit template argument selects the generic implementation
     rather than recursing into this overload.  */
  return check_access<tree> (expr, dstwrite, maxread, srcstr, dstsize,
			     mode, pad, no_rvals);
}
1551
1552/* Return true if FNDECL is an allocation function.  Unless
4a1c20df 1553 ALL_ALLOC is set, consider only functions that return dynamically
1554 allocated objects. Otherwise return true even for all forms of
1555 alloca (including VLA). */
1556
static bool
fndecl_alloc_p (tree fndecl, bool all_alloc)
{
  if (!fndecl)
    return false;

  /* operator new is an allocator but isn't classified as a built-in.  */
  if (DECL_IS_OPERATOR_NEW_P (fndecl))
    return true;

  if (fndecl_built_in_p (fndecl, BUILT_IN_NORMAL))
    switch (DECL_FUNCTION_CODE (fndecl))
      {
      case BUILT_IN_ALLOCA:
      case BUILT_IN_ALLOCA_WITH_ALIGN:
	/* Stack allocation only qualifies when ALL_ALLOC is set.  */
	return all_alloc;

      case BUILT_IN_ALIGNED_ALLOC:
      case BUILT_IN_CALLOC:
      case BUILT_IN_GOMP_ALLOC:
      case BUILT_IN_MALLOC:
      case BUILT_IN_REALLOC:
      case BUILT_IN_STRDUP:
      case BUILT_IN_STRNDUP:
	return true;

      default:
	/* Not a recognized allocator built-in; fall back to
	   the attributes below.  */
	break;
      }

  /* A user-defined function is an allocator when it carries attribute
     malloc with an argument naming its deallocation function; a bare
     attribute malloc (no argument) doesn't count.  */
  for (tree allocs = lookup_attribute ("malloc", DECL_ATTRIBUTES (fndecl));
       allocs;
       allocs = lookup_attribute ("malloc", TREE_CHAIN (allocs)))
    {
      tree args = TREE_VALUE (allocs);
      if (args && TREE_VALUE (args))
	return true;
    }

  return false;
}
1608
1609/* Return true if STMT is a call to an allocation function. A wrapper
1610 around fndecl_alloc_p. */
1611
static bool
gimple_call_alloc_p (gimple *stmt, bool all_alloc = false)
{
  /* A null callee (indirect call) makes fndecl_alloc_p return false.  */
  tree fndecl = gimple_call_fndecl (stmt);
  return fndecl_alloc_p (fndecl, all_alloc);
}
1617
1618/* Return true if DELC doesn't refer to an operator delete that's
1619 suitable to call with a pointer returned from the operator new
1620 described by NEWC. */
1621
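static bool
new_delete_mismatch_p (const demangle_component &newc,
		       const demangle_component &delc)
{
  /* Components of different kinds can never match.  */
  if (newc.type != delc.type)
    return true;

  switch (newc.type)
    {
    case DEMANGLE_COMPONENT_NAME:
      {
	int len = newc.u.s_name.len;
	const char *news = newc.u.s_name.s;
	const char *dels = delc.u.s_name.s;
	if (len != delc.u.s_name.len || memcmp (news, dels, len))
	  return true;

	/* The bytes just past the shared name distinguish the array
	   and singleton forms: "na"/"nw" on the new side must pair
	   with "da"/"dl" on the delete side.  */
	if (news[len] == 'n')
	  {
	    if (news[len + 1] == 'a')
	      return dels[len] != 'd' || dels[len + 1] != 'a';
	    if (news[len + 1] == 'w')
	      return dels[len] != 'd' || dels[len + 1] != 'l';
	  }
	return false;
      }

    case DEMANGLE_COMPONENT_OPERATOR:
      /* Operator mismatches are handled above.  */
      return false;

    case DEMANGLE_COMPONENT_EXTENDED_OPERATOR:
      if (newc.u.s_extended_operator.args != delc.u.s_extended_operator.args)
	return true;
      return new_delete_mismatch_p (*newc.u.s_extended_operator.name,
				    *delc.u.s_extended_operator.name);

    case DEMANGLE_COMPONENT_FIXED_TYPE:
      if (newc.u.s_fixed.accum != delc.u.s_fixed.accum
	  || newc.u.s_fixed.sat != delc.u.s_fixed.sat)
	return true;
      return new_delete_mismatch_p (*newc.u.s_fixed.length,
				    *delc.u.s_fixed.length);

    case DEMANGLE_COMPONENT_CTOR:
      if (newc.u.s_ctor.kind != delc.u.s_ctor.kind)
	return true;
      return new_delete_mismatch_p (*newc.u.s_ctor.name,
				    *delc.u.s_ctor.name);

    case DEMANGLE_COMPONENT_DTOR:
      if (newc.u.s_dtor.kind != delc.u.s_dtor.kind)
	return true;
      return new_delete_mismatch_p (*newc.u.s_dtor.name,
				    *delc.u.s_dtor.name);

    case DEMANGLE_COMPONENT_BUILTIN_TYPE:
      {
	/* The demangler API provides no better way to compare built-in
	   types than by comparing their demangled names.  */
	size_t nsz, dsz;
	demangle_component *pnc = const_cast<demangle_component *>(&newc);
	demangle_component *pdc = const_cast<demangle_component *>(&delc);
	char *nts = cplus_demangle_print (0, pnc, 16, &nsz);
	char *dts = cplus_demangle_print (0, pdc, 16, &dsz);
	/* If either name could not be printed the types can't be shown
	   to agree; report a mismatch without comparing a null string,
	   and release whichever buffer was allocated (free (NULL) is
	   a no-op).  */
	if (!nts || !dts)
	  {
	    free (nts);
	    free (dts);
	    return true;
	  }
	bool mismatch = strcmp (nts, dts) != 0;
	free (nts);
	free (dts);
	return mismatch;
      }

    case DEMANGLE_COMPONENT_SUB_STD:
      if (newc.u.s_string.len != delc.u.s_string.len)
	return true;
      return memcmp (newc.u.s_string.string, delc.u.s_string.string,
		     newc.u.s_string.len);

    case DEMANGLE_COMPONENT_FUNCTION_PARAM:
    case DEMANGLE_COMPONENT_TEMPLATE_PARAM:
      return newc.u.s_number.number != delc.u.s_number.number;

    case DEMANGLE_COMPONENT_CHARACTER:
      return newc.u.s_character.character != delc.u.s_character.character;

    case DEMANGLE_COMPONENT_DEFAULT_ARG:
    case DEMANGLE_COMPONENT_LAMBDA:
      if (newc.u.s_unary_num.num != delc.u.s_unary_num.num)
	return true;
      return new_delete_mismatch_p (*newc.u.s_unary_num.sub,
				    *delc.u.s_unary_num.sub);
    default:
      break;
    }

  /* Every remaining component kind is treated as a binary node:
     compare the left subtrees, then the right ones, requiring the
     same presence/absence of each.  */
  if (!newc.u.s_binary.left != !delc.u.s_binary.left)
    return true;

  if (!newc.u.s_binary.left)
    return false;

  if (new_delete_mismatch_p (*newc.u.s_binary.left, *delc.u.s_binary.left)
      || !newc.u.s_binary.right != !delc.u.s_binary.right)
    return true;

  if (newc.u.s_binary.right)
    return new_delete_mismatch_p (*newc.u.s_binary.right,
				  *delc.u.s_binary.right);
  return false;
}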
1733
1734/* Return true if DELETE_DECL is an operator delete that's not suitable
4a1c20df 1735 to call with a pointer returned from NEW_DECL. */
1736
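static bool
new_delete_mismatch_p (tree new_decl, tree delete_decl)
{
  tree new_name = DECL_ASSEMBLER_NAME (new_decl);
  tree delete_name = DECL_ASSEMBLER_NAME (delete_decl);

  /* valid_new_delete_pair_p() returns a conservative result (currently
     it only handles global operators).  A true result is reliable but
     a false result doesn't necessarily mean the operators don't match
     unless CERTAIN is set.  */
  bool certain;
  if (valid_new_delete_pair_p (new_name, delete_name, &certain))
    return false;
  /* CERTAIN is set when the negative result is certain.  */
  if (certain)
    return true;

  /* For anything not handled by valid_new_delete_pair_p() such as member
     operators compare the individual demangled components of the mangled
     name.  */
  const char *new_str = IDENTIFIER_POINTER (new_name);
  const char *del_str = IDENTIFIER_POINTER (delete_name);

  void *np = NULL, *dp = NULL;
  demangle_component *ndc = cplus_demangle_v3_components (new_str, 0, &np);
  demangle_component *ddc = cplus_demangle_v3_components (del_str, 0, &dp);
  /* The demangler yields a null component tree for a name it cannot
     parse.  Without both trees no mismatch can be established, so
     don't report one (and don't dereference the null).  NP/DP are
     released either way; free (NULL) is a no-op.  */
  bool mismatch = ndc && ddc && new_delete_mismatch_p (*ndc, *ddc);
  free (np);
  free (dp);
  return mismatch;
}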
1768
1769/* ALLOC_DECL and DEALLOC_DECL are pair of allocation and deallocation
1770 functions. Return true if the latter is suitable to deallocate objects
1771 allocated by calls to the former. */
1772
static bool
matching_alloc_calls_p (tree alloc_decl, tree dealloc_decl)
{
  /* Set to alloc_kind_t::builtin if ALLOC_DECL is associated with
     a built-in deallocator.  */
  enum class alloc_kind_t { none, builtin, user }
  alloc_dealloc_kind = alloc_kind_t::none;

  if (DECL_IS_OPERATOR_NEW_P (alloc_decl))
    {
      if (DECL_IS_OPERATOR_DELETE_P (dealloc_decl))
	/* Return true iff both functions are of the same array or
	   singleton form and false otherwise.  */
	return !new_delete_mismatch_p (alloc_decl, dealloc_decl);

      /* Return false for deallocation functions that are known not
	 to match.  */
      if (fndecl_built_in_p (dealloc_decl, BUILT_IN_FREE, BUILT_IN_REALLOC))
	return false;
      /* Otherwise proceed below to check the deallocation function's
	 "*dealloc" attributes to look for one that mentions this operator
	 new.  */
    }
  else if (fndecl_built_in_p (alloc_decl, BUILT_IN_NORMAL))
    {
      switch (DECL_FUNCTION_CODE (alloc_decl))
	{
	case BUILT_IN_ALLOCA:
	case BUILT_IN_ALLOCA_WITH_ALIGN:
	  /* Stack memory has no matching deallocator.  */
	  return false;

	case BUILT_IN_ALIGNED_ALLOC:
	case BUILT_IN_CALLOC:
	case BUILT_IN_GOMP_ALLOC:
	case BUILT_IN_MALLOC:
	case BUILT_IN_REALLOC:
	case BUILT_IN_STRDUP:
	case BUILT_IN_STRNDUP:
	  if (DECL_IS_OPERATOR_DELETE_P (dealloc_decl))
	    return false;

	  if (fndecl_built_in_p (dealloc_decl, BUILT_IN_FREE,
				 BUILT_IN_REALLOC))
	    return true;

	  /* A user-defined deallocator for a built-in allocator: decide
	     below from the deallocator's attributes.  */
	  alloc_dealloc_kind = alloc_kind_t::builtin;
	  break;

	default:
	  break;
	}
    }

  /* Set if DEALLOC_DECL both allocates and deallocates.  */
  alloc_kind_t realloc_kind = alloc_kind_t::none;

  if (fndecl_built_in_p (dealloc_decl, BUILT_IN_NORMAL))
    {
      built_in_function dealloc_code = DECL_FUNCTION_CODE (dealloc_decl);
      if (dealloc_code == BUILT_IN_REALLOC)
	realloc_kind = alloc_kind_t::builtin;

      /* A built-in deallocator matches when ALLOC_DECL's attribute
	 malloc names that same built-in.  */
      for (tree amats = DECL_ATTRIBUTES (alloc_decl);
	   (amats = lookup_attribute ("malloc", amats));
	   amats = TREE_CHAIN (amats))
	{
	  tree args = TREE_VALUE (amats);
	  if (!args)
	    continue;

	  tree fndecl = TREE_VALUE (args);
	  if (!fndecl || !DECL_P (fndecl))
	    continue;

	  if (fndecl_built_in_p (fndecl, BUILT_IN_NORMAL)
	      && dealloc_code == DECL_FUNCTION_CODE (fndecl))
	    return true;
	}
    }

  const bool alloc_builtin = fndecl_built_in_p (alloc_decl, BUILT_IN_NORMAL);
  alloc_kind_t realloc_dealloc_kind = alloc_kind_t::none;

  /* If DEALLOC_DECL has an internal "*dealloc" attribute scan the list
     of its associated allocation functions for ALLOC_DECL.
     If the corresponding ALLOC_DECL is found they're a matching pair,
     otherwise they're not.
     With DDATS set to the Deallocator's *Dealloc ATtributes...  */
  for (tree ddats = DECL_ATTRIBUTES (dealloc_decl);
       (ddats = lookup_attribute ("*dealloc", ddats));
       ddats = TREE_CHAIN (ddats))
    {
      tree args = TREE_VALUE (ddats);
      if (!args)
	continue;

      tree alloc = TREE_VALUE (args);
      if (!alloc)
	continue;

      /* A deallocator naming itself as an allocator is a user-defined
	 reallocator.  */
      if (alloc == DECL_NAME (dealloc_decl))
	realloc_kind = alloc_kind_t::user;

      if (DECL_P (alloc))
	{
	  gcc_checking_assert (fndecl_built_in_p (alloc, BUILT_IN_NORMAL));

	  switch (DECL_FUNCTION_CODE (alloc))
	    {
	    case BUILT_IN_ALIGNED_ALLOC:
	    case BUILT_IN_CALLOC:
	    case BUILT_IN_GOMP_ALLOC:
	    case BUILT_IN_MALLOC:
	    case BUILT_IN_REALLOC:
	    case BUILT_IN_STRDUP:
	    case BUILT_IN_STRNDUP:
	      realloc_dealloc_kind = alloc_kind_t::builtin;
	      break;
	    default:
	      break;
	    }

	  if (!alloc_builtin)
	    continue;

	  if (DECL_FUNCTION_CODE (alloc) != DECL_FUNCTION_CODE (alloc_decl))
	    continue;

	  return true;
	}

      /* Otherwise ALLOC is an identifier; compare it by name.  */
      if (alloc == DECL_NAME (alloc_decl))
	return true;
    }

  if (realloc_kind == alloc_kind_t::none)
    return false;

  hash_set<tree> common_deallocs;
  /* Special handling for deallocators.  Iterate over both the allocator's
     and the reallocator's associated deallocator functions looking for
     the first one in common.  If one is found, the de/reallocator is
     a match for the allocator even though the latter isn't directly
     associated with the former.  This simplifies declarations in system
     headers.
     With AMATS set to the Allocator's Malloc ATtributes,
     and RMATS set to Reallocator's Malloc ATtributes...
     NOTE(review): while the AMATS lookup succeeds the || below
     short-circuits, so RMATS is advanced by TREE_CHAIN without a
     lookup_attribute and may then refer to a non-malloc attribute on
     that iteration; confirm this is intended.  */
  for (tree amats = DECL_ATTRIBUTES (alloc_decl),
	 rmats = DECL_ATTRIBUTES (dealloc_decl);
       (amats = lookup_attribute ("malloc", amats))
       || (rmats = lookup_attribute ("malloc", rmats));
       amats = amats ? TREE_CHAIN (amats) : NULL_TREE,
       rmats = rmats ? TREE_CHAIN (rmats) : NULL_TREE)
    {
      if (tree args = amats ? TREE_VALUE (amats) : NULL_TREE)
	if (tree adealloc = TREE_VALUE (args))
	  {
	    if (DECL_P (adealloc)
		&& fndecl_built_in_p (adealloc, BUILT_IN_NORMAL))
	      {
		built_in_function fncode = DECL_FUNCTION_CODE (adealloc);
		if (fncode == BUILT_IN_FREE || fncode == BUILT_IN_REALLOC)
		  {
		    if (realloc_kind == alloc_kind_t::builtin)
		      return true;
		    alloc_dealloc_kind = alloc_kind_t::builtin;
		  }
		continue;
	      }

	    common_deallocs.add (adealloc);
	  }

      if (tree args = rmats ? TREE_VALUE (rmats) : NULL_TREE)
	if (tree ddealloc = TREE_VALUE (args))
	  {
	    if (DECL_P (ddealloc)
		&& fndecl_built_in_p (ddealloc, BUILT_IN_NORMAL))
	      {
		built_in_function fncode = DECL_FUNCTION_CODE (ddealloc);
		if (fncode == BUILT_IN_FREE || fncode == BUILT_IN_REALLOC)
		  {
		    if (alloc_dealloc_kind == alloc_kind_t::builtin)
		      return true;
		    realloc_dealloc_kind = alloc_kind_t::builtin;
		  }
		continue;
	      }

	    /* hash_set::add returns true when the element was already
	       present, i.e., the allocator side listed it first.  */
	    if (common_deallocs.add (ddealloc))
	      return true;
	  }
    }

  /* Succeed only if ALLOC_DECL and the reallocator DEALLOC_DECL share
     a built-in deallocator.  */
  return (alloc_dealloc_kind == alloc_kind_t::builtin
	  && realloc_dealloc_kind == alloc_kind_t::builtin);
}
1972
1973/* Return true if DEALLOC_DECL is a function suitable to deallocate
4a1c20df 1974 objects allocated by the ALLOC call. */
1975
static bool
matching_alloc_calls_p (gimple *alloc, tree dealloc_decl)
{
  tree alloc_decl = gimple_call_fndecl (alloc);
  /* An indirect call leaves nothing to compare against, so it is
     treated as compatible rather than diagnosed.  */
  return alloc_decl ? matching_alloc_calls_p (alloc_decl, dealloc_decl) : true;
}
1985
1986/* Diagnose the deallocation CALL of a pointer referenced by AREF if it
1987 includes a nonzero offset. Such a pointer cannot refer to the beginning
1988 of an allocated object. A negative offset may refer to it only if
1989 the target pointer is unknown. */
1990
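static bool
warn_dealloc_offset (location_t loc, gimple *call, const access_ref &aref)
{
  /* Only a strictly positive offset range on a non-dereferenced pointer
     is diagnosed; a zero or negative lower bound may still refer to
     the start of an object.  */
  if (aref.deref || aref.offrng[0] <= 0 || aref.offrng[1] <= 0)
    return false;

  tree dealloc_decl = gimple_call_fndecl (call);
  if (!dealloc_decl)
    return false;

  if (DECL_IS_OPERATOR_DELETE_P (dealloc_decl)
      && !DECL_IS_REPLACEABLE_OPERATOR (dealloc_decl))
    {
      /* A call to a user-defined operator delete with a pointer plus offset
	 may be valid if it's returned from an unknown function (i.e., one
	 that's not operator new).  */
      if (TREE_CODE (aref.ref) == SSA_NAME)
	{
	  gimple *def_stmt = SSA_NAME_DEF_STMT (aref.ref);
	  if (is_gimple_call (def_stmt))
	    {
	      tree alloc_decl = gimple_call_fndecl (def_stmt);
	      if (!alloc_decl || !DECL_IS_OPERATOR_NEW_P (alloc_decl))
		return false;
	    }
	}
    }

  /* Format the offset, or the offset range, for the diagnostic.  Either
     form fits in OFFSTR with room to spare; snprintf bounds the write
     regardless.  OFFSTR stays empty when the lower bound isn't
     representable as a signed HOST_WIDE_INT.  */
  char offstr[80];
  offstr[0] = '\0';
  if (wi::fits_shwi_p (aref.offrng[0]))
    {
      if (aref.offrng[0] == aref.offrng[1]
	  || !wi::fits_shwi_p (aref.offrng[1]))
	snprintf (offstr, sizeof offstr, " %lli",
		  (long long)aref.offrng[0].to_shwi ());
      else
	snprintf (offstr, sizeof offstr, " [%lli, %lli]",
		  (long long)aref.offrng[0].to_shwi (),
		  (long long)aref.offrng[1].to_shwi ());
    }

  auto_diagnostic_group d;
  if (!warning_at (loc, OPT_Wfree_nonheap_object,
		   "%qD called on pointer %qE with nonzero offset%s",
		   dealloc_decl, aref.ref, offstr))
    return false;

  /* Point at where the pointer came from: its declaration, or the
     call that produced it.  */
  if (DECL_P (aref.ref))
    inform (get_location (aref.ref), "declared here");
  else if (TREE_CODE (aref.ref) == SSA_NAME)
    {
      gimple *def_stmt = SSA_NAME_DEF_STMT (aref.ref);
      if (is_gimple_call (def_stmt))
	{
	  location_t def_loc = get_location (def_stmt);
	  tree alloc_decl = gimple_call_fndecl (def_stmt);
	  if (alloc_decl)
	    inform (def_loc,
		    "returned from %qD", alloc_decl);
	  else if (tree alloc_fntype = gimple_call_fntype (def_stmt))
	    inform (def_loc,
		    "returned from %qT", alloc_fntype);
	  else
	    inform (def_loc, "obtained here");
	}
    }

  return true;
}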
2061
2062namespace {
2063
/* Descriptor of the access-warning pass, registered as "waccess".  */
const pass_data pass_data_waccess = {
  GIMPLE_PASS,		/* type */
  "waccess",		/* name */
  OPTGROUP_NONE,	/* optinfo_flags */
  TV_WARN_ACCESS,	/* timer variable */
  PROP_cfg,		/* properties_required */
  0,			/* properties_provided */
  0,			/* properties_destroyed */
  0,			/* properties_start */
  0,			/* properties_finish */
};
2075
/* Pass to detect invalid accesses.  The checks cover calls to built-in
   string, memory, allocation and atomic functions, calls to ordinary
   functions, uses of indeterminate and dangling pointers, and stores
   into objects that are clobbered.  Each check_* member for a built-in
   returns early when M_EARLY_CHECKS_P is set, and most also do nothing
   when the option they diagnose under is disabled.  */
class pass_waccess : public gimple_opt_pass
{
 public:
  pass_waccess (gcc::context *);

  ~pass_waccess ();

  opt_pass *clone () final override;

  /* True when any of -Wfree-nonheap-object, -Wmismatched-dealloc or
     -Wmismatched-new-delete is enabled.  */
  bool gate (function *) final override;

  /* The single pass parameter (N must be 0) sets M_EARLY_CHECKS_P.  */
  void set_pass_param (unsigned, bool) final override;

  unsigned int execute (function *) final override;

private:
  /* Not copyable or assignable.  */
  pass_waccess (pass_waccess &) = delete;
  void operator= (pass_waccess &) = delete;

  /* Check a call to an atomic built-in function.  */
  bool check_atomic_builtin (gcall *);

  /* Check a call to a built-in function.  */
  bool check_builtin (gcall *);

  /* Check a call to an ordinary function for invalid accesses.  */
  bool check_call_access (gcall *);

  /* Check a non-call statement.  */
  void check_stmt (gimple *);

  /* Check statements in a basic block.  */
  void check_block (basic_block);

  /* Check a call to a function.  */
  void check_call (gcall *);

  /* Check a call to the named built-in function.  */
  void check_alloca (gcall *);
  void check_alloc_size_call (gcall *);
  void check_strcat (gcall *);
  void check_strncat (gcall *);
  void check_stxcpy (gcall *);
  void check_stxncpy (gcall *);
  void check_strncmp (gcall *);
  /* Arguments: the call, its destination, its source (or null) and the
     number of bytes accessed.  */
  void check_memop_access (gimple *, tree, tree, tree);
  /* Arguments: the call, the source read, an optional bound on the read
     and the Object Size type to use.  */
  void check_read_access (gimple *, tree, tree = NULL_TREE, int = 1);

  void maybe_check_dealloc_call (gcall *);
  void maybe_check_access_sizes (rdwr_map *, tree, tree, gimple *);
  /* Arguments: the call, its success memory model, its failure memory
     model (or null) and a UCHAR_MAX-terminated list of indices into
     MEMORY_MODELS naming the models valid for the call.  Returns true
     when a warning was issued.  */
  bool maybe_warn_memmodel (gimple *, tree, tree, const unsigned char *);
  /* Presumably takes the same arguments as maybe_warn_memmodel; its
     definition is not visible here.  */
  void check_atomic_memmodel (gimple *, tree, tree, const unsigned char *);

  /* Check for uses of indeterminate pointers.  */
  void check_pointer_uses (gimple *, tree, tree = NULL_TREE, bool = false);

  /* Return the argument that a call returns.  */
  tree gimple_call_return_arg (gcall *);

  /* Check a call for uses of a dangling pointer arguments.  */
  void check_call_dangling (gcall *);

  /* Check uses of a dangling pointer or those derived from it.  */
  void check_dangling_uses (tree, tree, bool = false, bool = false);
  void check_dangling_uses ();
  void check_dangling_stores ();
  bool check_dangling_stores (basic_block, hash_set<tree> &);

  void warn_invalid_pointer (tree, gimple *, gimple *, tree, bool, bool = false);

  /* Return true if use follows an invalidating statement.  */
  bool use_after_inval_p (gimple *, gimple *, bool = false);

  /* A pointer_query object to store information about pointers and
     their targets in.  Its cache is flushed by the destructor.  */
  pointer_query m_ptr_qry;
  /* Mapping from DECLs and their clobber statements in the function.  */
  hash_map<tree, gimple *> m_clobbers;
  /* A bit is set for each basic block whose statements have been assigned
     valid UIDs.  */
  bitmap m_bb_uids_set;
  /* The current function.  */
  function *m_func;
  /* True to run checks for uses of dangling pointers.  */
  bool m_check_dangling_p;
  /* True to run checks early on in the optimization pipeline; set from
     the pass parameter by set_pass_param.  */
  bool m_early_checks_p;
};
2166
/* Construct the pass.  The pointer query starts without a range query
   and every other member is value-initialized; set_pass_param fills in
   M_EARLY_CHECKS_P later and the rest is presumably set up by execute.  */

pass_waccess::pass_waccess (gcc::context *ctxt)
  : gimple_opt_pass (pass_data_waccess, ctxt),
    m_ptr_qry (nullptr),
    m_clobbers {},
    m_bb_uids_set {},
    m_func {},
    m_check_dangling_p {},
    m_early_checks_p {}
{
}
2179
/* Return a copy of the pass with RUN_NUMBER one greater than THIS.  */

opt_pass *
pass_waccess::clone ()
{
  pass_waccess *copy = new pass_waccess (m_ctxt);
  return copy;
}
2187
/* Destroy the pass.  The only owned resource is the pointer_query cache,
   which is released here.  */

pass_waccess::~pass_waccess ()
{
  m_ptr_qry.flush_cache ();
}
2194
/* Set pass parameter N to EARLY.  The pass has exactly one parameter
   (N must be 0), which selects whether this instance runs the early
   checks.  */

void
pass_waccess::set_pass_param (unsigned int n, bool early)
{
  gcc_assert (n == 0);

  m_early_checks_p = early;
}
2202
/* Return true when any checks performed by the pass are enabled.  */

bool
pass_waccess::gate (function *)
{
  /* NOTE(review): only these three options open the gate.  The string,
     allocation-size and memory-model checks in this pass test their own
     options (warn_stringop_overflow, warn_stringop_overread,
     warn_alloc_size_limit, ...) only once inside, so with all three of
     the options below disabled those checks never run either.  Confirm
     that is intended.  */
  if (warn_free_nonheap_object)
    return true;
  if (warn_mismatched_alloc)
    return true;
  return warn_mismatched_new_delete != 0;
}
2212
/* Return the maximum allocation size to diagnose against as a size_t
   constant: the -Walloc-size-larger-than= setting if the option was
   specified, or PTRDIFF_MAX (the largest object the target can address)
   when it was left at its HOST_WIDE_INT_MAX default.  */

static tree
alloc_max_size (void)
{
  const HOST_WIDE_INT unset = HOST_WIDE_INT_MAX;
  HOST_WIDE_INT limit = warn_alloc_size_limit;
  if (limit == unset)
    {
      tree maxobj = TYPE_MAX_VALUE (ptrdiff_type_node);
      limit = tree_to_shwi (maxobj);
    }

  return build_int_cst (size_type_node, limit);
}
2226
/* Diagnose a call STMT to a function decorated with attribute alloc_size
   whose argument numbers given by IDX with values given by ARGS exceed
   the maximum object size or cause an unsigned overflow (wrapping) when
   multiplied.  The callee is null when STMT is a call via a function
   pointer.  When ARGS[0] is null the function does nothing.  ARGS[1] may
   be null for functions like malloc, and non-null for those like calloc
   that are decorated with a two-argument attribute alloc_size.  IDX holds
   the zero-based positions of ARGS in the call; diagnostics print them
   one-based.  */

void
maybe_warn_alloc_args_overflow (gimple *stmt, const tree args[2],
				const int idx[2])
{
  /* The range each of the (up to) two arguments is known to be in.  */
  tree argrange[2][2] = { { NULL_TREE, NULL_TREE }, { NULL_TREE, NULL_TREE } };

  /* Maximum object size set by -Walloc-size-larger-than= or PTRDIFF_MAX
     (see alloc_max_size).  */
  tree maxobjsize = alloc_max_size ();

  location_t loc = get_location (stmt);

  tree fn = gimple_call_fndecl (stmt);
  tree fntype = fn ? TREE_TYPE (fn) : gimple_call_fntype (stmt);
  /* Result of the most recent warning_at; once an argument has been
     diagnosed the product check below is skipped.  */
  bool warned = false;

  /* Validate each argument individually.  */
  for (unsigned i = 0; i != 2 && args[i]; ++i)
    {
      if (TREE_CODE (args[i]) == INTEGER_CST)
	{
	  /* A constant is its own range.  */
	  argrange[i][0] = args[i];
	  argrange[i][1] = args[i];

	  if (tree_int_cst_lt (args[i], integer_zero_node))
	    {
	      warned = warning_at (loc, OPT_Walloc_size_larger_than_,
				   "argument %i value %qE is negative",
				   idx[i] + 1, args[i]);
	    }
	  else if (integer_zerop (args[i]))
	    {
	      /* Avoid issuing -Walloc-zero for allocation functions other
		 than __builtin_alloca that are declared with attribute
		 returns_nonnull because there's no portability risk.  This
		 avoids warning for such calls to libiberty's xmalloc and
		 friends.
		 Also avoid issuing the warning for calls to function named
		 "alloca".  */
	      if (fn && fndecl_built_in_p (fn, BUILT_IN_ALLOCA)
		  ? IDENTIFIER_LENGTH (DECL_NAME (fn)) != 6
		  : !lookup_attribute ("returns_nonnull",
				       TYPE_ATTRIBUTES (fntype)))
		warned = warning_at (loc, OPT_Walloc_zero,
				     "argument %i value is zero",
				     idx[i] + 1);
	    }
	  else if (tree_int_cst_lt (maxobjsize, args[i]))
	    {
	      /* G++ emits calls to ::operator new[](SIZE_MAX) in C++98
		 mode and with -fno-exceptions as a way to indicate array
		 size overflow.  There's no good way to detect C++98 here
		 so avoid diagnosing these calls for all C++ modes.  */
	      if (i == 0
		  && fn
		  && !args[1]
		  && lang_GNU_CXX ()
		  && DECL_IS_OPERATOR_NEW_P (fn)
		  && integer_all_onesp (args[i]))
		continue;

	      warned = warning_at (loc, OPT_Walloc_size_larger_than_,
				   "argument %i value %qE exceeds "
				   "maximum object size %E",
				   idx[i] + 1, args[i], maxobjsize);
	    }
	}
      else if (TREE_CODE (args[i]) == SSA_NAME
	       && get_size_range (args[i], argrange[i]))
	{
	  /* Verify that the argument's range is not negative (including
	     upper bound of zero).  */
	  if (tree_int_cst_lt (argrange[i][0], integer_zero_node)
	      && tree_int_cst_le (argrange[i][1], integer_zero_node))
	    {
	      warned = warning_at (loc, OPT_Walloc_size_larger_than_,
				   "argument %i range [%E, %E] is negative",
				   idx[i] + 1,
				   argrange[i][0], argrange[i][1]);
	    }
	  /* Only a lower bound above the limit is certainly too large.  */
	  else if (tree_int_cst_lt (maxobjsize, argrange[i][0]))
	    {
	      warned = warning_at (loc, OPT_Walloc_size_larger_than_,
				   "argument %i range [%E, %E] exceeds "
				   "maximum object size %E",
				   idx[i] + 1,
				   argrange[i][0], argrange[i][1],
				   maxobjsize);
	    }
	}
    }

  /* Nothing is known about the first argument: there is no product to
     check and no call to annotate.  */
  if (!argrange[0][0])
    return;

  /* For a two-argument alloc_size, validate the product of the two
     arguments if both of their values or ranges are known.  Only the
     lower bounds are multiplied so that a diagnosed overflow is certain
     rather than merely possible; a factor of one cannot overflow and
     adds nothing to the individual checks above.  */
  if (!warned && tree_fits_uhwi_p (argrange[0][0])
      && argrange[1][0] && tree_fits_uhwi_p (argrange[1][0])
      && !integer_onep (argrange[0][0])
      && !integer_onep (argrange[1][0]))
    {
      /* Check for overflow in the product of a function decorated with
	 attribute alloc_size (X, Y).  The multiplication is done in the
	 precision of size_t so that wrapping matches what the callee's
	 size computation would do.  */
      unsigned szprec = TYPE_PRECISION (size_type_node);
      wide_int x = wi::to_wide (argrange[0][0], szprec);
      wide_int y = wi::to_wide (argrange[1][0], szprec);

      wi::overflow_type vflow;
      wide_int prod = wi::umul (x, y, &vflow);

      if (vflow)
	warned = warning_at (loc, OPT_Walloc_size_larger_than_,
			     "product %<%E * %E%> of arguments %i and %i "
			     "exceeds %<SIZE_MAX%>",
			     argrange[0][0], argrange[1][0],
			     idx[0] + 1, idx[1] + 1);
      else if (wi::ltu_p (wi::to_wide (maxobjsize, szprec), prod))
	warned = warning_at (loc, OPT_Walloc_size_larger_than_,
			     "product %<%E * %E%> of arguments %i and %i "
			     "exceeds maximum object size %E",
			     argrange[0][0], argrange[1][0],
			     idx[0] + 1, idx[1] + 1,
			     maxobjsize);

      if (warned)
	{
	  /* Print the full range of each of the two arguments to make
	     it clear when it is, in fact, in a range and not constant.  */
	  if (argrange[0][0] != argrange [0][1])
	    inform (loc, "argument %i in the range [%E, %E]",
		    idx[0] + 1, argrange[0][0], argrange[0][1]);
	  if (argrange[1][0] != argrange [1][1])
	    inform (loc, "argument %i in the range [%E, %E]",
		    idx[1] + 1, argrange[1][0], argrange[1][1]);
	}
    }

  /* Name the callee in a note; a built-in has no source location of
     its own, so point at the call instead.  */
  if (warned && fn)
    {
      location_t fnloc = DECL_SOURCE_LOCATION (fn);

      if (DECL_IS_UNDECLARED_BUILTIN (fn))
	inform (loc,
		"in a call to built-in allocation function %qD", fn);
      else
	inform (fnloc,
		"in a call to allocation function %qD declared here", fn);
    }
}
2385
/* Check a call STMT to an alloca function for an excessive size.  */

void
pass_waccess::check_alloca (gcall *stmt)
{
  if (m_early_checks_p)
    return;

  /* -Walloca-larger-than= and -Wvla-larger-than= settings of less than
     HWI_MAX override the more general -Walloc-size-larger-than= and such
     calls have already been checked elsewhere.  Only when one of the two
     specific limits is unset (at or above HWI_MAX) and the general limit
     is stricter than it do the alloca arguments need checking here.  */
  const bool vla_unset = warn_vla_limit >= HOST_WIDE_INT_MAX;
  const bool alloca_unset = warn_alloca_limit >= HOST_WIDE_INT_MAX;
  const bool check_via_vla
    = vla_unset && warn_alloc_size_limit < warn_vla_limit;
  const bool check_via_alloca
    = alloca_unset && warn_alloc_size_limit < warn_alloca_limit;

  if (!check_via_vla && !check_via_alloca)
    return;

  /* alloca takes a single size argument at position 0.  */
  const tree alloc_args[] = { call_arg (stmt, 0), NULL_TREE };
  const int idx[] = { 0, -1 };
  maybe_warn_alloc_args_overflow (stmt, alloc_args, idx);
}
2409
/* Return the zero-based index of the call argument named by the attribute
   alloc_size operand ARG (a one-based INTEGER_CST).  An operand of zero
   yields -1, which the caller rejects as out of range.  */

static inline int
alloc_size_arg_index (tree arg)
{
  return TREE_INT_CST_LOW (TREE_VALUE (arg)) - 1;
}

/* Check a call STMT to an allocation function for an excessive size.  */

void
pass_waccess::check_alloc_size_call (gcall *stmt)
{
  if (m_early_checks_p)
    return;

  /* Avoid invalid calls to functions without a prototype.  */
  const unsigned nargs = gimple_call_num_args (stmt);
  if (nargs < 1)
    return;

  /* The alloca family is handled by check_alloca instead.  */
  tree fndecl = gimple_call_fndecl (stmt);
  if (fndecl && gimple_call_builtin_p (stmt, BUILT_IN_NORMAL))
    {
      const built_in_function code = DECL_FUNCTION_CODE (fndecl);
      if (code == BUILT_IN_ALLOCA
	  || code == BUILT_IN_ALLOCA_WITH_ALIGN
	  || code == BUILT_IN_ALLOCA_WITH_ALIGN_AND_MAX)
	return;
    }

  /* Attribute alloc_size is looked up on the type of the called
     expression so that calls through function pointers are covered.  */
  tree fntype = gimple_call_fntype (stmt);
  tree alloc_size = lookup_attribute ("alloc_size", TYPE_ATTRIBUTES (fntype));
  if (!alloc_size)
    return;

  /* IDX receives the zero-based positions of the size argument(s) and
     ALLOC_ARGS the actual arguments at those positions.  A position that
     does not exist in the call (again, no prototype) ends the check.  */
  int idx[2] = { -1, -1 };
  tree alloc_args[] = { NULL_TREE, NULL_TREE };

  tree operands = TREE_VALUE (alloc_size);
  idx[0] = alloc_size_arg_index (operands);
  if ((unsigned) idx[0] >= nargs)
    return;
  alloc_args[0] = call_arg (stmt, idx[0]);

  if (tree second = TREE_CHAIN (operands))
    {
      idx[1] = alloc_size_arg_index (second);
      if ((unsigned) idx[1] >= nargs)
	return;
      alloc_args[1] = call_arg (stmt, idx[1]);
    }

  maybe_warn_alloc_args_overflow (stmt, alloc_args, idx);
}
2468
/* Check a call STMT to strcat() for overflow and warn if it does.  */

void
pass_waccess::check_strcat (gcall *stmt)
{
  if (m_early_checks_p)
    return;

  const bool want_overflow = warn_stringop_overflow != 0;
  const bool want_overread = warn_stringop_overread != 0;
  if (!want_overflow && !want_overread)
    return;

  tree dest = call_arg (stmt, 0);
  tree src = call_arg (stmt, 1);

  /* There is no way here to determine the length of the string in
     the destination to which the SRC string is being appended so
     just diagnose cases when the source string is longer than
     the destination object.  */
  access_data data (m_ptr_qry.rvals, stmt, access_read_write, NULL_TREE,
		    true, NULL_TREE, true);
  /* Object Size type: the -Wstringop-overflow= level less one, or type 1
     when only -Wstringop-overread is enabled.  */
  const int ost = want_overflow ? warn_stringop_overflow - 1 : 1;
  compute_objsize (src, stmt, ost, &data.src, &m_ptr_qry);
  tree destsize = compute_objsize (dest, stmt, ost, &data.dst, &m_ptr_qry);

  check_access (stmt, /*dstwrite=*/NULL_TREE, /*maxread=*/NULL_TREE,
		src, destsize, data.mode, &data, m_ptr_qry.rvals);
}
2496
/* Check a call STMT to strncat() for overflow and warn if it does.  */

void
pass_waccess::check_strncat (gcall *stmt)
{
  if (m_early_checks_p)
    return;

  if (!warn_stringop_overflow && !warn_stringop_overread)
    return;

  tree dest = call_arg (stmt, 0);
  tree src = call_arg (stmt, 1);
  /* The upper bound on the number of bytes to write.  */
  tree maxread = call_arg (stmt, 2);

  /* Detect unterminated source (only).  */
  if (!check_nul_terminated_array (stmt, src, maxread))
    return;

  /* The (maximum) length of the source string: exact when c_strlen can
     compute it, otherwise the upper bound of the range of lengths the
     source may have.  Strict mode is off since the lengths are only used
     for warnings and not for code generation.  */
  tree maxlen = c_strlen (src, 1);
  if (!maxlen)
    {
      c_strlen_data lendata = { };
      get_range_strlen (src, &lendata, /* eltsize = */ 1);
      maxlen = lendata.maxbound;
    }

  /* Try to verify that the destination is big enough for the shortest
     string.  First determine the size of the destination object under
     the Object Size type selected by -Wstringop-overflow=.  */
  access_data data (m_ptr_qry.rvals, stmt, access_read_write);
  const int ost = warn_stringop_overflow - 1;
  tree destsize = compute_objsize (dest, stmt, ost, &data.dst, &m_ptr_qry);

  /* The strncat function copies at most MAXREAD bytes and always appends
     the terminating nul so the specified upper bound should never be equal
     to (or greater than) the size of the destination.  */
  if (tree_fits_uhwi_p (maxread) && tree_fits_uhwi_p (destsize)
      && tree_int_cst_equal (destsize, maxread))
    {
      warning_at (get_location (stmt), OPT_Wstringop_overflow_,
		  "%qD specified bound %E equals destination size",
		  get_callee_fndecl (stmt), maxread);
      return;
    }

  /* Bytes the call may write: the source length plus the terminating nul,
     replaced by MAXREAD when the length is unknown or the bound is known
     to be tighter.  */
  tree srclen = NULL_TREE;
  if (maxlen)
    srclen = fold_build2 (PLUS_EXPR, size_type_node, maxlen, size_one_node);

  const bool bound_is_tighter = (srclen && maxread
				 && tree_fits_uhwi_p (maxread)
				 && tree_fits_uhwi_p (srclen)
				 && tree_int_cst_lt (maxread, srclen));
  if (!srclen || bound_is_tighter)
    srclen = maxread;

  check_access (stmt, /*dstwrite=*/NULL_TREE, maxread, srclen,
		destsize, data.mode, &data, m_ptr_qry.rvals);
}
2567
/* Check a call STMT to stpcpy() or strcpy() for overflow and warn
   if it does.  */

void
pass_waccess::check_stxcpy (gcall *stmt)
{
  if (m_early_checks_p)
    return;

  tree dst = call_arg (stmt, 0);
  tree src = call_arg (stmt, 1);

  /* A constant source array with no terminating nul is diagnosed
     regardless of -Wstringop-overflow.  */
  tree arrsize;
  bool exact;
  tree nonstr = unterminated_array (src, &arrsize, &exact);
  if (nonstr)
    {
      /* NONSTR refers to the non-nul terminated constant array.  */
      warn_string_no_nul (get_location (stmt), stmt, NULL, src, nonstr,
			  arrsize, exact);
      return;
    }

  if (warn_stringop_overflow)
    {
      access_data data (m_ptr_qry.rvals, stmt, access_read_write, NULL_TREE,
			true, NULL_TREE, true);
      /* The option is nonzero here, so the Object Size type is simply
	 its level less one.  */
      const int ost = warn_stringop_overflow - 1;
      compute_objsize (src, stmt, ost, &data.src, &m_ptr_qry);
      tree dstsize = compute_objsize (dst, stmt, ost, &data.dst, &m_ptr_qry);
      check_access (stmt, /*dstwrite=*/ NULL_TREE,
		    /*maxread=*/ NULL_TREE, /*srcstr=*/ src,
		    dstsize, data.mode, &data, m_ptr_qry.rvals);
    }

  /* Check to see if the argument was declared attribute nonstring
     and if so, issue a warning since at this point it's not known
     to be nul-terminated.  */
  maybe_warn_nonstring_arg (get_callee_fndecl (stmt), stmt);
}
2608
/* Check a call STMT to stpncpy() or strncpy() for overflow and warn
   if it does.  */

void
pass_waccess::check_stxncpy (gcall *stmt)
{
  if (m_early_checks_p || !warn_stringop_overflow)
    return;

  tree dst = call_arg (stmt, 0);
  tree src = call_arg (stmt, 1);
  /* The number of bytes to write (not the maximum).  */
  tree len = call_arg (stmt, 2);

  /* Both the read from SRC and the write to DST are bounded by LEN.  */
  access_data data (m_ptr_qry.rvals, stmt, access_read_write, len, true,
		    len, true);
  /* The option is nonzero here, so the Object Size type is simply its
     level less one.  */
  const int ost = warn_stringop_overflow - 1;
  compute_objsize (src, stmt, ost, &data.src, &m_ptr_qry);
  tree dstsize = compute_objsize (dst, stmt, ost, &data.dst, &m_ptr_qry);

  check_access (stmt, /*dstwrite=*/len, /*maxread=*/len, src, dstsize,
		data.mode, &data, m_ptr_qry.rvals);
}
2632
/* Check a call STMT to strncmp() for a read past the end of either
   argument's array and warn (under -Wstringop-overread) if the bound
   allows one.  */

void
pass_waccess::check_strncmp (gcall *stmt)
{
  if (m_early_checks_p || !warn_stringop_overread)
    return;

  tree arg1 = call_arg (stmt, 0);
  tree arg2 = call_arg (stmt, 1);
  tree bound = call_arg (stmt, 2);

  /* First check each argument separately, considering the bound.  */
  if (!check_nul_terminated_array (stmt, arg1, bound)
      || !check_nul_terminated_array (stmt, arg2, bound))
    return;

  /* A strncmp read from each argument is constrained not just by
     the bound but also by the length of the shorter string.  Specifying
     a bound that's larger than the size of either array makes no sense
     and is likely a bug.  When the length of neither of the two strings
     is known but the sizes of both of the arrays they are stored in is,
     issue a warning if the bound is larger than the size of
     the larger of the two arrays.  */

  /* LENDATA1/LENDATA2 also record, in their decl member, a constant
     array argument that has no terminating nul.  */
  c_strlen_data lendata1{ }, lendata2{ };
  tree len1 = c_strlen (arg1, 1, &lendata1);
  tree len2 = c_strlen (arg2, 1, &lendata2);

  /* Only constant lengths are useful below; discard anything else.  */
  if (len1 && TREE_CODE (len1) != INTEGER_CST)
    len1 = NULL_TREE;
  if (len2 && TREE_CODE (len2) != INTEGER_CST)
    len2 = NULL_TREE;

  if (len1 && len2)
    /* If the length of both arguments was computed they must both be
       nul-terminated and no further checking is necessary regardless
       of the bound.  */
    return;

  /* Check to see if the argument was declared with attribute nonstring
     and if so, issue a warning since at this point it's not known to be
     nul-terminated.  */
  if (maybe_warn_nonstring_arg (get_callee_fndecl (stmt), stmt))
    return;

  /* One read-only access per argument, each bounded by BOUND.  */
  access_data adata1 (m_ptr_qry.rvals, stmt, access_read_only, NULL_TREE, false,
		      bound, true);
  access_data adata2 (m_ptr_qry.rvals, stmt, access_read_only, NULL_TREE, false,
		      bound, true);

  /* Determine the range of the bound first and bail if it fails; it's
     cheaper than computing the size of the objects.  A lower bound of
     zero means the call may read nothing at all, so nothing can be
     diagnosed with certainty.  */
  tree bndrng[2] = { NULL_TREE, NULL_TREE };
  get_size_range (m_ptr_qry.rvals, bound, stmt, bndrng, 0, adata1.src_bndrng);
  if (!bndrng[0] || integer_zerop (bndrng[0]))
    return;

  /* A known string length caps how far strncmp reads before it stops,
     so use it in place of a larger bound.  */
  if (len1 && tree_int_cst_lt (len1, bndrng[0]))
    bndrng[0] = len1;
  if (len2 && tree_int_cst_lt (len2, bndrng[0]))
    bndrng[0] = len2;

  /* compute_objsize almost never fails (and ultimately should never
     fail).  Don't bother to handle the rare case when it does.  */
  if (!compute_objsize (arg1, stmt, 1, &adata1.src, &m_ptr_qry)
      || !compute_objsize (arg2, stmt, 1, &adata2.src, &m_ptr_qry))
    return;

  /* Compute the size of the remaining space in each array after
     subtracting any offset into it.  */
  offset_int rem1 = adata1.src.size_remaining ();
  offset_int rem2 = adata2.src.size_remaining ();

  /* Cap REM1 and REM2 at the other if the other's argument is known
     to be an unterminated array, either because there's no space
     left in it after adding its offset or because it's constant and
     has no nul.  */
  if (rem1 == 0 || (rem1 < rem2 && lendata1.decl))
    rem2 = rem1;
  else if (rem2 == 0 || (rem2 < rem1 && lendata2.decl))
    rem1 = rem2;

  /* Point PAD at the array to reference in the note if a warning
     is issued: the argument whose length is not known (the second
     one when the first is a known string, the first otherwise).  */
  access_data *pad = len1 ? &adata2 : &adata1;
  offset_int maxrem = wi::max (rem1, rem2, UNSIGNED);
  if (lendata1.decl || lendata2.decl
      || maxrem < wi::to_offset (bndrng[0]))
    {
      /* Warn when either argument isn't nul-terminated or the maximum
	 remaining space in the two arrays is less than the bound.  */
      tree func = get_callee_fndecl (stmt);
      location_t loc = gimple_location (stmt);
      maybe_warn_for_bound (OPT_Wstringop_overread, loc, stmt, func,
			    bndrng, wide_int_to_tree (sizetype, maxrem),
			    pad);
    }
}
2733
/* Determine and check the sizes of the source and the destination
   of calls to __builtin_{bzero,memcpy,mempcpy,memset}.  STMT is
   the call statement, DEST is the destination argument, SRC is the source
   argument or null, and SIZE is the number of bytes being accessed.  Uses
   Object Size type-0 regardless of the OPT_Wstringop_overflow_ setting.
   Any problem found is reported by check_access; nothing is returned.  */

void
pass_waccess::check_memop_access (gimple *stmt, tree dest, tree src, tree size)
{
  if (m_early_checks_p)
    return;

  /* For functions like memset and memcpy that operate on raw memory
     try to determine the size of the largest source and destination
     object using type-0 Object Size regardless of the object size
     type specified by the option.  */
  const int ost = 0;
  access_data data (m_ptr_qry.rvals, stmt, access_read_write);

  tree srcsize = NULL_TREE;
  if (src)
    srcsize = compute_objsize (src, stmt, ost, &data.src, &m_ptr_qry);
  tree dstsize = compute_objsize (dest, stmt, ost, &data.dst, &m_ptr_qry);

  check_access (stmt, size, /*maxread=*/NULL_TREE, srcsize, dstsize,
		data.mode, &data, m_ptr_qry.rvals);
}
2759
/* A convenience wrapper for check_access to check a read of SRC by
   a read-only function like puts or strcmp called by STMT.  BOUND, if
   nonnull, limits the number of bytes read; OST is the Object Size type
   to use.  */

void
pass_waccess::check_read_access (gimple *stmt, tree src,
				 tree bound /* = NULL_TREE */,
				 int ost /* = 1 */)
{
  if (m_early_checks_p || !warn_stringop_overread)
    return;

  /* check_access expects the bound in size_t.  */
  if (bound)
    {
      tree bndtype = TREE_TYPE (bound);
      if (!useless_type_conversion_p (size_type_node, bndtype))
	bound = fold_convert (size_type_node, bound);
    }

  /* Diagnose attribute nonstring arguments before the size check.  */
  maybe_warn_nonstring_arg (get_callee_fndecl (stmt), stmt);

  access_data data (m_ptr_qry.rvals, stmt, access_read_only, NULL_TREE,
		    false, bound, true);
  compute_objsize (src, stmt, ost, &data.src, &m_ptr_qry);
  check_access (stmt, /*dstwrite=*/ NULL_TREE, /*maxread=*/ bound,
		/*srcstr=*/ src, /*dstsize=*/ NULL_TREE, data.mode,
		&data, m_ptr_qry.rvals);
}
2784
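/* Return true if memory model ORD is constant in the context of STMT and
   set *CSTVAL to the constant value.  Otherwise return false.  Warn for
   invalid ORD.  A constant that does not fit an unsigned HOST_WIDE_INT
   (such as a negative value) is treated as unknown, whether ORD is an
   INTEGER_CST or the constant is recovered from its range.  */

bool
memmodel_to_uhwi (tree ord, gimple *stmt, unsigned HOST_WIDE_INT *cstval)
{
  if (TREE_CODE (ord) != INTEGER_CST)
    {
      /* Use the range query to determine constant values in the absence
	 of constant propagation (such as at -O0).  On success ORD is
	 replaced by the INTEGER_CST the range collapses to.  */
      Value_Range rng (TREE_TYPE (ord));
      if (!get_range_query (cfun)->range_of_expr (rng, ord, stmt)
	  || !rng.singleton_p (&ord))
	return false;
    }

  /* Both a literal and a range-derived constant go through the same
     conversion so that a value outside the unsigned HOST_WIDE_INT range
     (e.g. a negative model) is handled identically on either path.
     Previously the range path sign-extended such a value and diagnosed
     it as an unknown architecture specifier while the literal path
     silently skipped it.  */
  if (!tree_fits_uhwi_p (ord))
    return false;
  unsigned HOST_WIDE_INT val = tree_to_uhwi (ord);

  if (targetm.memmodel_check)
    /* This might warn for an invalid VAL but return a conservatively
       valid result.  */
    val = targetm.memmodel_check (val);
  else if (val & ~MEMMODEL_MASK)
    {
      /* Bits outside MEMMODEL_MASK are target-specific modifiers, which
	 this target does not define.  */
      tree fndecl = gimple_call_fndecl (stmt);
      location_t loc = gimple_location (stmt);
      loc = expansion_point_location_if_in_system_header (loc);

      warning_at (loc, OPT_Winvalid_memory_model,
		  "unknown architecture specifier in memory model "
		  "%wi for %qD", val, fndecl);
      return false;
    }

  *cstval = val;

  return true;
}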
2836
/* Valid memory model for each set of atomic built-in functions: a model
   value paired with its C11 memory_order_* name for use in diagnostics.  */

struct memmodel_pair
{
  memmodel modval;
  const char* modname;

/* Build an initializer for a memmodel_pair from the suffix VAL of a
   MEMMODEL_ enumerator and the suffix STR of the matching memory_order_
   name.  */
#define MEMMODEL_PAIR(val, str) \
  { MEMMODEL_ ## val, "memory_order_" str }
};
2847
/* Valid memory models.  The order is not by strength; it is fixed because
   the *_models index tables below refer to these entries by position.  */

static const memmodel_pair memory_models[] =
  { MEMMODEL_PAIR (RELAXED, "relaxed"),	/* 0 */
    MEMMODEL_PAIR (SEQ_CST, "seq_cst"),	/* 1 */
    MEMMODEL_PAIR (ACQUIRE, "acquire"),	/* 2 */
    MEMMODEL_PAIR (CONSUME, "consume"),	/* 3 */
    MEMMODEL_PAIR (RELEASE, "release"),	/* 4 */
    MEMMODEL_PAIR (ACQ_REL, "acq_rel")	/* 5 */
  };
2858
/* Return the memory_order_* name of the memory model VAL (ignoring any
   target-specific modifier bits), or null if VAL is not one of the
   models in MEMORY_MODELS.  */

static const char*
memmodel_name (unsigned HOST_WIDE_INT val)
{
  const unsigned HOST_WIDE_INT base = memmodel_base (val);

  for (const memmodel_pair &mp : memory_models)
    if (base == mp.modval)
      return mp.modname;

  return NULL;
}
2873
/* Indices of valid MEMORY_MODELS above for corresponding atomic operations.
   Each list is terminated by UCHAR_MAX.  */
/* Loads: relaxed, seq_cst, acquire, consume.  */
static const unsigned char load_models[] = { 0, 1, 2, 3, UCHAR_MAX };
/* Stores: relaxed, seq_cst, release.  */
static const unsigned char store_models[] = { 0, 1, 4, UCHAR_MAX };
/* Exchanges: relaxed, seq_cst, consume, release, acq_rel (all but acquire).  */
static const unsigned char xchg_models[] = { 0, 1, 3, 4, 5, UCHAR_MAX };
/* Flag clear (presumably atomic_flag_clear): relaxed, seq_cst, release.  */
static const unsigned char flag_clr_models[] = { 0, 1, 4, UCHAR_MAX };
/* Operations that accept every model.  */
static const unsigned char all_models[] = { 0, 1, 2, 3, 4, 5, UCHAR_MAX };
2880
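/* Check the success memory model argument ORD_SUCS to the call STMT to
   an atomic function and warn if it's invalid.  If nonnull, also check
   the failure memory model ORD_FAIL and warn if it's invalid.  VALID is
   a UCHAR_MAX-terminated array of indices into MEMORY_MODELS naming the
   success models the function accepts, or null to accept any model.
   Return true if a warning has been issued.  */

bool
pass_waccess::maybe_warn_memmodel (gimple *stmt, tree ord_sucs,
				   tree ord_fail, const unsigned char *valid)
{
  /* Numeric values of the two arguments.  Give up unless both are
     constants memmodel_to_uhwi accepts.  */
  unsigned HOST_WIDE_INT sucs, fail = 0;
  if (!memmodel_to_uhwi (ord_sucs, stmt, &sucs)
      || (ord_fail && !memmodel_to_uhwi (ord_fail, stmt, &fail)))
    return false;

  /* A null VALID accepts every success model.  */
  bool is_valid = !valid;
  if (valid)
    for (unsigned i = 0; valid[i] != UCHAR_MAX; ++i)
      {
	memmodel model = memory_models[valid[i]].modval;
	if (memmodel_base (sucs) == model)
	  {
	    is_valid = true;
	    break;
	  }
      }

  tree fndecl = gimple_call_fndecl (stmt);
  location_t loc = gimple_location (stmt);
  loc = expansion_point_location_if_in_system_header (loc);

  if (!is_valid)
    {
      /* VALID is necessarily nonnull here.  */
      bool warned = false;
      auto_diagnostic_group d;
      if (const char *modname = memmodel_name (sucs))
	warned = warning_at (loc, OPT_Winvalid_memory_model,
			     "invalid memory model %qs for %qD",
			     modname, fndecl);
      else
	warned = warning_at (loc, OPT_Winvalid_memory_model,
			     "invalid memory model %wi for %qD",
			     sucs, fndecl);

      if (!warned)
	return false;

      /* Print a note with the valid memory models.  */
      pretty_printer pp;
      pp_show_color (&pp) = pp_show_color (global_dc->printer);
      for (unsigned i = 0; valid[i] != UCHAR_MAX; ++i)
	{
	  const char *modname = memory_models[valid[i]].modname;
	  pp_printf (&pp, "%s%qs", i ? ", " : "", modname);
	}

      inform (loc, "valid models are %s", pp_formatted_text (&pp));
      return true;
    }

  if (!ord_fail)
    return false;

  /* NOTE(review): this compares the raw value rather than
     memmodel_base (fail) as the checks below do; confirm whether
     architecture-specifier bits are expected to be absent here.  */
  if (fail == MEMMODEL_RELEASE || fail == MEMMODEL_ACQ_REL)
    if (const char *failname = memmodel_name (fail))
      {
	/* If both memory model arguments are valid but their combination
	   is not, use their names in the warning.  */
	auto_diagnostic_group d;
	if (!warning_at (loc, OPT_Winvalid_memory_model,
			 "invalid failure memory model %qs for %qD",
			 failname, fndecl))
	  return false;

	inform (loc,
		"valid failure models are %qs, %qs, %qs, %qs",
		"memory_order_relaxed", "memory_order_seq_cst",
		"memory_order_acquire", "memory_order_consume");
	return true;
      }

  if (memmodel_base (fail) <= memmodel_base (sucs))
    return false;

  if (const char *sucsname = memmodel_name (sucs))
    if (const char *failname = memmodel_name (fail))
      {
	/* If both memory model arguments are valid but their combination
	   is not, use their names in the warning.  */
	auto_diagnostic_group d;
	if (!warning_at (loc, OPT_Winvalid_memory_model,
			 "failure memory model %qs cannot be stronger "
			 "than success memory model %qs for %qD",
			 failname, sucsname, fndecl))
	  return false;

	/* Print a note with the valid failure memory models: those no
	   stronger than the success model, excluding release and acq_rel
	   which are never valid failure models (diagnosed above).  Walk
	   all of MEMORY_MODELS rather than stopping at the first stronger
	   entry, since the array is not sorted by model value, and index
	   it directly rather than through VALID (which may be null and
	   whose length is unrelated to the array).  A pretty printer
	   replaces the former fixed-size buffer so the note can't be
	   truncated or overrun, and the %qs quoting matches the other
	   notes issued by this function.  */
	pretty_printer pp;
	pp_show_color (&pp) = pp_show_color (global_dc->printer);
	const memmodel sucs_base = memmodel_base (sucs);
	unsigned nprinted = 0;
	for (unsigned i = 0; i != ARRAY_SIZE (memory_models); ++i)
	  {
	    const memmodel model = memory_models[i].modval;
	    if (model == MEMMODEL_RELEASE || model == MEMMODEL_ACQ_REL)
	      continue;
	    if (model > sucs_base)
	      continue;
	    pp_printf (&pp, "%s%qs", nprinted++ ? ", " : "",
		       memory_models[i].modname);
	  }

	inform (loc, "valid models are %s", pp_formatted_text (&pp));
	return true;
      }

  /* If either memory model argument value is invalid use the numerical
     value of both in the message.  */
  return warning_at (loc, OPT_Winvalid_memory_model,
		     "failure memory model %wi cannot be stronger "
		     "than success memory model %wi for %qD",
		     fail, sucs, fndecl);
}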
3003
/* Wrapper for the above: run maybe_warn_memmodel on STMT unless
   -Winvalid-memory-model is already suppressed for it, and suppress
   the warning afterwards when one was issued so the statement is not
   diagnosed a second time.  */

void
pass_waccess::check_atomic_memmodel (gimple *stmt, tree ord_sucs,
				     tree ord_fail, const unsigned char *valid)
{
  const bool already_suppressed
    = warning_suppressed_p (stmt, OPT_Winvalid_memory_model);

  if (!already_suppressed
      && maybe_warn_memmodel (stmt, ord_sucs, ord_fail, valid))
    suppress_warning (stmt, OPT_Winvalid_memory_model);
}
/* Check a call STMT to an atomic or sync built-in.  Return false when
   STMT is not a call to one of the built-ins recognized below, true once
   it has been handled (whether or not anything was diagnosed).  Two
   checks are made: the memory model argument(s), when the built-in takes
   them, are validated via check_atomic_memmodel, and the object accessed
   through the first argument (and the second one for compare-exchange)
   is checked via check_memop_access against the access size.  */

bool
pass_waccess::check_atomic_builtin (gcall *stmt)
{
  tree callee = gimple_call_fndecl (stmt);
  if (!callee)
    return false;

  /* The size in bytes of the access by the function, and the number
     of the second argument to check (if any).  */
  unsigned bytes = 0, arg2 = UINT_MAX;
  /* Positions of the success and failure memory model arguments,
     UINT_MAX when the built-in takes none.  */
  unsigned sucs_arg = UINT_MAX, fail_arg = UINT_MAX;
  /* Points to the array of indices of valid memory models.  */
  const unsigned char *pvalid_models = NULL;

  /* One expansion of the macro below covers every built-in of access
     size N.  The __sync_* built-ins take no memory model; the __atomic_*
     ones differ in where the model argument sits and which models are
     permitted.  The expansion deliberately ends in "arg2 = 1" without a
     semicolon so that the "case ...(N);" lines complete the
     compare-exchange case and the following "break" closes it.  */
  switch (DECL_FUNCTION_CODE (callee))
    {
#define BUILTIN_ACCESS_SIZE_FNSPEC(N)				\
      BUILT_IN_SYNC_FETCH_AND_ADD_ ## N:			\
    case BUILT_IN_SYNC_FETCH_AND_SUB_ ## N:			\
    case BUILT_IN_SYNC_FETCH_AND_OR_ ## N:			\
    case BUILT_IN_SYNC_FETCH_AND_AND_ ## N:			\
    case BUILT_IN_SYNC_FETCH_AND_XOR_ ## N:			\
    case BUILT_IN_SYNC_FETCH_AND_NAND_ ## N:			\
    case BUILT_IN_SYNC_ADD_AND_FETCH_ ## N:			\
    case BUILT_IN_SYNC_SUB_AND_FETCH_ ## N:			\
    case BUILT_IN_SYNC_OR_AND_FETCH_ ## N:			\
    case BUILT_IN_SYNC_AND_AND_FETCH_ ## N:			\
    case BUILT_IN_SYNC_XOR_AND_FETCH_ ## N:			\
    case BUILT_IN_SYNC_NAND_AND_FETCH_ ## N:			\
    case BUILT_IN_SYNC_LOCK_TEST_AND_SET_ ## N:			\
    case BUILT_IN_SYNC_BOOL_COMPARE_AND_SWAP_ ## N:		\
    case BUILT_IN_SYNC_VAL_COMPARE_AND_SWAP_ ## N:		\
    case BUILT_IN_SYNC_LOCK_RELEASE_ ## N:			\
      bytes = N;						\
      break;							\
    case BUILT_IN_ATOMIC_LOAD_ ## N:				\
      pvalid_models = load_models;				\
      sucs_arg = 1;						\
      /* FALLTHROUGH */						\
    case BUILT_IN_ATOMIC_STORE_ ## N:				\
      if (!pvalid_models)					\
	pvalid_models = store_models;				\
      /* FALLTHROUGH */						\
    case BUILT_IN_ATOMIC_ADD_FETCH_ ## N:			\
    case BUILT_IN_ATOMIC_SUB_FETCH_ ## N:			\
    case BUILT_IN_ATOMIC_AND_FETCH_ ## N:			\
    case BUILT_IN_ATOMIC_NAND_FETCH_ ## N:			\
    case BUILT_IN_ATOMIC_XOR_FETCH_ ## N:			\
    case BUILT_IN_ATOMIC_OR_FETCH_ ## N:			\
    case BUILT_IN_ATOMIC_FETCH_ADD_ ## N:			\
    case BUILT_IN_ATOMIC_FETCH_SUB_ ## N:			\
    case BUILT_IN_ATOMIC_FETCH_AND_ ## N:			\
    case BUILT_IN_ATOMIC_FETCH_NAND_ ## N:			\
    case BUILT_IN_ATOMIC_FETCH_OR_ ## N:			\
    case BUILT_IN_ATOMIC_FETCH_XOR_ ## N:			\
      bytes = N;						\
      if (sucs_arg == UINT_MAX)					\
	sucs_arg = 2;						\
      if (!pvalid_models)					\
	pvalid_models = all_models;				\
      break;							\
    case BUILT_IN_ATOMIC_EXCHANGE_ ## N:			\
      bytes = N;						\
      sucs_arg = 3;						\
      pvalid_models = xchg_models;				\
      break;							\
    case BUILT_IN_ATOMIC_COMPARE_EXCHANGE_ ## N:		\
      bytes = N;						\
      sucs_arg = 4;						\
      fail_arg = 5;						\
      pvalid_models = all_models;				\
      arg2 = 1

    case BUILTIN_ACCESS_SIZE_FNSPEC (1);
      break;
    case BUILTIN_ACCESS_SIZE_FNSPEC (2);
      break;
    case BUILTIN_ACCESS_SIZE_FNSPEC (4);
      break;
    case BUILTIN_ACCESS_SIZE_FNSPEC (8);
      break;
    case BUILTIN_ACCESS_SIZE_FNSPEC (16);
      break;

    /* __atomic_clear takes only a memory model; BYTES stays zero so
       no access size is checked for it.  */
    case BUILT_IN_ATOMIC_CLEAR:
      sucs_arg = 1;
      pvalid_models = flag_clr_models;
      break;

    default:
      return false;
    }

  /* Validate the memory model argument(s) when the built-in takes them
     and the call actually passes that many arguments.  */
  unsigned nargs = gimple_call_num_args (stmt);
  if (sucs_arg < nargs)
    {
      tree ord_sucs = gimple_call_arg (stmt, sucs_arg);
      tree ord_fail = NULL_TREE;
      if (fail_arg < nargs)
	ord_fail = gimple_call_arg (stmt, fail_arg);
      check_atomic_memmodel (stmt, ord_sucs, ord_fail, pvalid_models);
    }

  if (!bytes)
    return true;

  /* Check that the object the first argument points to is at least
     BYTES bytes large, and likewise for the second pointer argument
     of compare-exchange.  */
  tree size = build_int_cstu (sizetype, bytes);
  tree dst = gimple_call_arg (stmt, 0);
  check_memop_access (stmt, dst, NULL_TREE, size);

  if (arg2 != UINT_MAX)
    {
      tree dst = gimple_call_arg (stmt, arg2);
      check_memop_access (stmt, dst, NULL_TREE, size);
    }

  return true;
}
3139
/* Check call STMT to a built-in function for invalid accesses.  Return
   true if a call has been handled.  Built-ins not listed here are
   handed to check_atomic_builtin, whose result is returned.  */

bool
pass_waccess::check_builtin (gcall *stmt)
{
  tree callee = gimple_call_fndecl (stmt);
  if (!callee)
    return false;

  switch (DECL_FUNCTION_CODE (callee))
    {
    case BUILT_IN_ALLOCA:
    case BUILT_IN_ALLOCA_WITH_ALIGN:
    case BUILT_IN_ALLOCA_WITH_ALIGN_AND_MAX:
      check_alloca (stmt);
      return true;

    case BUILT_IN_FREE:
    case BUILT_IN_REALLOC:
      /* Uses of the pointer after the call are only checked in
	 the late (non-early) run of the pass.  */
      if (!m_early_checks_p)
	{
	  tree freed = call_arg (stmt, 0);
	  if (TREE_CODE (freed) == SSA_NAME)
	    check_pointer_uses (stmt, freed);
	}
      return true;

    /* Built-ins that read a single nul-terminated string through
       their first argument.  */
    case BUILT_IN_EXECL:
    case BUILT_IN_EXECLE:
    case BUILT_IN_EXECLP:
    case BUILT_IN_EXECV:
    case BUILT_IN_EXECVE:
    case BUILT_IN_EXECVP:
    case BUILT_IN_FPUTS:
    case BUILT_IN_FPUTS_UNLOCKED:
    case BUILT_IN_GETTEXT:
    case BUILT_IN_INDEX:
    case BUILT_IN_PUTS:
    case BUILT_IN_PUTS_UNLOCKED:
    case BUILT_IN_RINDEX:
    case BUILT_IN_STRCHR:
    case BUILT_IN_STRDUP:
    case BUILT_IN_STRLEN:
    case BUILT_IN_STRRCHR:
      check_read_access (stmt, call_arg (stmt, 0));
      return true;

    /* Built-ins that read two nul-terminated strings.  */
    case BUILT_IN_STRCASECMP:
    case BUILT_IN_STRCMP:
    case BUILT_IN_STRCSPN:
    case BUILT_IN_STRPBRK:
    case BUILT_IN_STRSPN:
    case BUILT_IN_STRSTR:
      check_read_access (stmt, call_arg (stmt, 0));
      check_read_access (stmt, call_arg (stmt, 1));
      return true;

    /* Bounded string reads: the bound is the second argument.  */
    case BUILT_IN_STRNDUP:
    case BUILT_IN_STRNLEN:
      {
	tree str = call_arg (stmt, 0);
	tree bound = call_arg (stmt, 1);
	check_read_access (stmt, str, bound);
	return true;
      }

    case BUILT_IN_STRCAT:
      check_strcat (stmt);
      return true;

    case BUILT_IN_STRNCAT:
      check_strncat (stmt);
      return true;

    case BUILT_IN_STPCPY:
    case BUILT_IN_STRCPY:
      check_stxcpy (stmt);
      return true;

    case BUILT_IN_STPNCPY:
    case BUILT_IN_STRNCPY:
      check_stxncpy (stmt);
      return true;

    case BUILT_IN_STRNCASECMP:
    case BUILT_IN_STRNCMP:
      check_strncmp (stmt);
      return true;

    case BUILT_IN_MEMCMP:
      {
	/* Both operands are read up to the byte count in the third
	   argument.  */
	tree op1 = call_arg (stmt, 0);
	tree op2 = call_arg (stmt, 1);
	tree nbytes = call_arg (stmt, 2);
	check_read_access (stmt, op1, nbytes, 0);
	check_read_access (stmt, op2, nbytes, 0);
	return true;
      }

    case BUILT_IN_MEMCPY:
    case BUILT_IN_MEMPCPY:
    case BUILT_IN_MEMMOVE:
      {
	tree dest = call_arg (stmt, 0);
	tree source = call_arg (stmt, 1);
	tree nbytes = call_arg (stmt, 2);
	check_memop_access (stmt, dest, source, nbytes);
	return true;
      }

    case BUILT_IN_MEMCHR:
      {
	tree source = call_arg (stmt, 0);
	tree nbytes = call_arg (stmt, 2);
	check_read_access (stmt, source, nbytes, 0);
	return true;
      }

    case BUILT_IN_MEMSET:
      {
	tree dest = call_arg (stmt, 0);
	tree nbytes = call_arg (stmt, 2);
	check_memop_access (stmt, dest, NULL_TREE, nbytes);
	return true;
      }

    default:
      /* Anything else is handled only if it's an atomic or sync
	 built-in.  */
      return check_atomic_builtin (stmt);
    }
}
3284
/* Returns the type of the argument ARGNO to function with type FNTYPE
   or null when the type cannot be determined or no such argument exists.  */

static tree
fntype_argno_type (tree fntype, unsigned argno)
{
  /* Without a prototype the argument types are unknown.  */
  if (!prototype_p (fntype))
    return NULL_TREE;

  unsigned pos = 0;
  tree argtype;
  function_args_iterator it;
  FOREACH_FUNCTION_ARGS (fntype, argtype, it)
    {
      if (pos == argno)
	return argtype;
      ++pos;
    }

  return NULL_TREE;
}
3302
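/* Helper to store the "human readable" attribute access specification
   described by ACCESS in the array ATTRSTR with size STRSIZE.  Used in
   diagnostics.  Despite the name the text replaces, rather than extends,
   the current contents of ATTRSTR.  Entries marked internal_p are
   skipped and leave ATTRSTR untouched.  */

static inline void
append_attrname (const std::pair<int, attr_access> &access,
		 char *attrstr, size_t strsize)
{
  if (access.second.internal_p)
    return;

  tree str = access.second.to_external_string ();
  gcc_assert (strsize >= (size_t) TREE_STRING_LENGTH (str));
  /* Copy with an explicit bound so ATTRSTR is always nul-terminated
     even if STRSIZE turns out to be exactly the string length or the
     assertion above is ever relaxed; the result is unchanged whenever
     the text fits.  */
  snprintf (attrstr, strsize, "%s", TREE_STRING_POINTER (str));
}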
3318
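/* Iterate over the attribute access read-only, read-write, and write-only
   arguments recorded in RWM for the call STMT to the function FNDECL
   (null for an indirect call) of type FNTYPE, and diagnose past-the-end
   accesses and related problems: negative bounds, null pointers paired
   with positive sizes, and accesses larger than the pointed-to object.
   At most one informational note naming the function and the attribute
   is issued per call, and the statement is marked to suppress repeated
   warnings of the kind issued.  */

void
pass_waccess::maybe_check_access_sizes (rdwr_map *rwm, tree fndecl, tree fntype,
					gimple *stmt)
{
  if (warning_suppressed_p (stmt, OPT_Wnonnull)
      || warning_suppressed_p (stmt, OPT_Wstringop_overflow_))
    return;

  auto_diagnostic_group adg;

  /* Set if a warning has been issued for any argument (used to decide
     whether to emit an informational note at the end).  */
  opt_code opt_warned = no_warning;

  /* A string describing the attributes that the warnings issued by this
     function apply to.  Used to print one informational note per function
     call, rather than one per warning.  That reduces clutter.  */
  char attrstr[80];
  attrstr[0] = 0;

  for (rdwr_map::iterator it = rwm->begin (); it != rwm->end (); ++it)
    {
      std::pair<int, attr_access> access = *it;

      /* Get the function call arguments corresponding to the attribute's
	 positional arguments.  When both arguments have been specified
	 there will be two entries in *RWM, one for each.  They are
	 cross-referenced by their respective argument numbers in
	 ACCESS.PTRARG and ACCESS.SIZARG.  */
      const int ptridx = access.second.ptrarg;
      const int sizidx = access.second.sizarg;

      gcc_assert (ptridx != -1);
      gcc_assert (access.first == ptridx || access.first == sizidx);

      /* The pointer is set to null for the entry corresponding to
	 the size argument.  Skip it.  It's handled when the entry
	 corresponding to the pointer argument comes up.  */
      if (!access.second.ptr)
	continue;

      tree ptrtype = fntype_argno_type (fntype, ptridx);
      if (!ptrtype)
	/* A function with a prototype was redeclared without one and
	   the prototype has been lost.  See pr102759.  Avoid dealing
	   with this pathological case.  */
	return;

      tree argtype = TREE_TYPE (ptrtype);

      /* The size of the access by the call in elements.  */
      tree access_nelts;
      if (sizidx == -1)
	{
	  /* If only the pointer attribute operand was specified and
	     not size, set SIZE to the greater of MINSIZE or size of
	     one element of the pointed to type to detect smaller
	     objects (null pointers are diagnosed in this case only
	     if the pointer is also declared with attribute nonnull).  */
	  if (access.second.minsize
	      && access.second.minsize != HOST_WIDE_INT_M1U)
	    access_nelts = build_int_cstu (sizetype, access.second.minsize);
	  else if (VOID_TYPE_P (argtype) && access.second.mode == access_none)
	    /* Treat access mode none on a void* argument as expecting
	       as little as zero bytes.  */
	    access_nelts = size_zero_node;
	  else
	    access_nelts = size_one_node;
	}
      else
	access_nelts = rwm->get (sizidx)->size;

      /* Format the value or range to avoid an explosion of messages.  */
      char sizstr[80];
      tree sizrng[2] = { size_zero_node, build_all_ones_cst (sizetype) };
      if (get_size_range (m_ptr_qry.rvals, access_nelts, stmt, sizrng, 1))
	{
	  char *s0 = print_generic_expr_to_str (sizrng[0]);
	  if (tree_int_cst_equal (sizrng[0], sizrng[1]))
	    {
	      /* The checking assert is compiled out of release builds,
		 so bound the copy explicitly as well: a printed constant
		 must never be able to overrun SIZSTR.  */
	      gcc_checking_assert (strlen (s0) < sizeof sizstr);
	      snprintf (sizstr, sizeof sizstr, "%s", s0);
	    }
	  else
	    {
	      char *s1 = print_generic_expr_to_str (sizrng[1]);
	      gcc_checking_assert (strlen (s0) + strlen (s1)
				   < sizeof sizstr - 4);
	      /* The %.37s precisions keep the result within SIZSTR even
		 when the assertion above is compiled out.  */
	      sprintf (sizstr, "[%.37s, %.37s]", s0, s1);
	      free (s1);
	    }
	  free (s0);
	}
      else
	*sizstr = '\0';

      /* Set if a warning has been issued for the current argument.  */
      opt_code arg_warned = no_warning;
      location_t loc = get_location (stmt);
      tree ptr = access.second.ptr;
      if (*sizstr
	  && tree_int_cst_sgn (sizrng[0]) < 0
	  && tree_int_cst_sgn (sizrng[1]) < 0)
	{
	  /* Warn about negative sizes.  */
	  if (access.second.internal_p)
	    {
	      const std::string argtypestr
		= access.second.array_as_string (ptrtype);

	      if (warning_at (loc, OPT_Wstringop_overflow_,
			      "bound argument %i value %s is "
			      "negative for a variable length array "
			      "argument %i of type %s",
			      sizidx + 1, sizstr,
			      ptridx + 1, argtypestr.c_str ()))
		arg_warned = OPT_Wstringop_overflow_;
	    }
	  else if (warning_at (loc, OPT_Wstringop_overflow_,
			       "argument %i value %s is negative",
			       sizidx + 1, sizstr))
	    arg_warned = OPT_Wstringop_overflow_;

	  if (arg_warned != no_warning)
	    {
	      append_attrname (access, attrstr, sizeof attrstr);
	      /* Remember a warning has been issued and avoid warning
		 again below for the same attribute.  */
	      opt_warned = arg_warned;
	      continue;
	    }
	}

      /* The size of the access by the call in bytes.  Left null when
	 the element count may be negative or the element size isn't
	 a constant.  */
      tree access_size = NULL_TREE;
      if (tree_int_cst_sgn (sizrng[0]) >= 0)
	{
	  if (COMPLETE_TYPE_P (argtype))
	    {
	      /* Multiply ACCESS_SIZE by the size of the type the pointer
		 argument points to.  If it's incomplete the size is used
		 as is.  */
	      if (tree argsize = TYPE_SIZE_UNIT (argtype))
		if (TREE_CODE (argsize) == INTEGER_CST)
		  {
		    const int prec = TYPE_PRECISION (sizetype);
		    wide_int minsize = wi::to_wide (sizrng[0], prec);
		    minsize *= wi::to_wide (argsize, prec);
		    access_size = wide_int_to_tree (sizetype, minsize);
		  }
	    }
	  else
	    access_size = access_nelts;
	}

      if (integer_zerop (ptr))
	{
	  if (sizidx >= 0 && tree_int_cst_sgn (sizrng[0]) > 0)
	    {
	      /* Warn about null pointers with positive sizes.  This is
		 different from also declaring the pointer argument with
		 attribute nonnull when the function accepts null pointers
		 only when the corresponding size is zero.  */
	      if (access.second.internal_p)
		{
		  const std::string argtypestr
		    = access.second.array_as_string (ptrtype);

		  if (warning_at (loc, OPT_Wnonnull,
				  "argument %i of variable length "
				  "array %s is null but "
				  "the corresponding bound argument "
				  "%i value is %s",
				  ptridx + 1, argtypestr.c_str (),
				  sizidx + 1, sizstr))
		    arg_warned = OPT_Wnonnull;
		}
	      else if (warning_at (loc, OPT_Wnonnull,
				   "argument %i is null but "
				   "the corresponding size argument "
				   "%i value is %s",
				   ptridx + 1, sizidx + 1, sizstr))
		arg_warned = OPT_Wnonnull;
	    }
	  else if (access_size && access.second.static_p)
	    {
	      /* Warn about null pointers for [static N] array arguments
		 but do not warn for ordinary (i.e., nonstatic) arrays.  */
	      if (warning_at (loc, OPT_Wnonnull,
			      "argument %i to %<%T[static %E]%> "
			      "is null where non-null expected",
			      ptridx + 1, argtype, access_nelts))
		arg_warned = OPT_Wnonnull;
	    }

	  if (arg_warned != no_warning)
	    {
	      append_attrname (access, attrstr, sizeof attrstr);
	      /* Remember a warning has been issued and avoid warning
		 again below for the same attribute.  */
	      opt_warned = OPT_Wnonnull;
	      continue;
	    }
	}

      /* Determine the size of the object PTR points to; the result goes
	 into the destination slot for write-only accesses and into the
	 source slot otherwise.  */
      access_data data (m_ptr_qry.rvals, stmt, access.second.mode,
			NULL_TREE, false, NULL_TREE, false);
      access_ref* const pobj = (access.second.mode == access_write_only
				? &data.dst : &data.src);
      tree objsize = compute_objsize (ptr, stmt, 1, pobj, &m_ptr_qry);

      /* The size of the destination or source object.  For a read-only
	 argument there is no destination, which makes check_access emit
	 "reading N bytes" diagnostics instead of the "writing N bytes"
	 kind.  For no access, set the source as well and differentiate
	 via the access flag below.  */
      tree dstsize = NULL_TREE, srcsize = NULL_TREE;
      if (access.second.mode == access_read_only
	  || access.second.mode == access_none)
	srcsize = objsize;
      else
	dstsize = objsize;

      /* Clear the no-warning bit in case it was set by check_access
	 in a prior iteration so that accesses via different arguments
	 are diagnosed.  */
      suppress_warning (stmt, OPT_Wstringop_overflow_, false);
      access_mode mode = data.mode;
      if (mode == access_deferred)
	mode = TYPE_READONLY (argtype) ? access_read_only : access_read_write;
      check_access (stmt, access_size, /*maxread=*/ NULL_TREE, srcsize,
		    dstsize, mode, &data, m_ptr_qry.rvals);

      /* check_access reports that it warned by setting the no-warning
	 bit cleared above.  */
      if (warning_suppressed_p (stmt, OPT_Wstringop_overflow_))
	opt_warned = OPT_Wstringop_overflow_;
      if (opt_warned != no_warning)
	{
	  if (access.second.internal_p)
	    {
	      unsigned HOST_WIDE_INT nelts =
		access_nelts ? access.second.minsize : HOST_WIDE_INT_M1U;
	      tree arrtype = build_printable_array_type (argtype, nelts);
	      inform (loc, "referencing argument %u of type %qT",
		      ptridx + 1, arrtype);
	    }
	  else
	    /* If check_access issued a warning above, append the relevant
	       attribute to the string.  */
	    append_attrname (access, attrstr, sizeof attrstr);
	}
    }

  /* Issue the single per-call note, naming the attribute when one was
     recorded above.  */
  if (*attrstr)
    {
      if (fndecl)
	inform (get_location (fndecl),
		"in a call to function %qD declared with attribute %qs",
		fndecl, attrstr);
      else
	inform (get_location (stmt),
		"in a call with type %qT and attribute %qs",
		fntype, attrstr);
    }
  else if (opt_warned != no_warning)
    {
      if (fndecl)
	inform (get_location (fndecl),
		"in a call to function %qD", fndecl);
      else
	inform (get_location (stmt),
		"in a call with type %qT", fntype);
    }

  /* Set the bit in case it was cleared and not set above.  */
  if (opt_warned != no_warning)
    suppress_warning (stmt, opt_warned);
}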
3610
/* Check call STMT to an ordinary (non-built-in) function for invalid
   accesses.  Return true if a call has been handled, i.e., the function
   type carries attributes; return false otherwise.  */

bool
pass_waccess::check_call_access (gcall *stmt)
{
  tree fntype = gimple_call_fntype (stmt);
  if (!fntype)
    return false;

  tree fntypeattrs = TYPE_ATTRIBUTES (fntype);
  if (!fntypeattrs)
    return false;

  /* Map of attribute access specifications for function arguments.  */
  rdwr_map rdwr_idx;
  init_attr_rdwr_indices (&rdwr_idx, fntypeattrs);

  /* Record the actual argument corresponding to each attribute access
     operand for later processing: a pointer argument fills in the
     pointer slot, any other argument the size slot.  */
  const unsigned nargs = call_nargs (stmt);
  for (unsigned argno = 0; argno != nargs; ++argno)
    {
      tree arg = call_arg (stmt, argno);

      attr_access *access = rdwr_idx.get (argno);
      if (!access)
	continue;

      if (POINTER_TYPE_P (TREE_TYPE (arg)))
	/* A nonnull ACCESS->SIZE contains VLA bounds.  */
	access->ptr = arg;
      else
	{
	  access->size = arg;
	  gcc_assert (access->ptr == NULL_TREE);
	}
    }

  /* Check attribute access arguments.  */
  tree fndecl = gimple_call_fndecl (stmt);
  maybe_check_access_sizes (&rdwr_idx, fndecl, fntype, stmt);

  check_alloc_size_call (stmt);
  return true;
}
3658
/* Check arguments in a call STMT for attribute nonstring: detect passing
   non-string arguments to functions expecting nul-terminated strings.  */

static void
check_nonstring_args (gcall *stmt)
{
  maybe_warn_nonstring_arg (gimple_call_fndecl (stmt), stmt);
}
3670
/* Issue a warning if a deallocation function such as free, realloc,
   or C++ operator delete is called with an argument not returned by
   a matching allocation function such as malloc or the corresponding
   form of C++ operator new.  CALL is the deallocation call; the position
   of its pointer operand comes from fndecl_dealloc_argno.  Nothing is
   diagnosed for a null pointer or when the object the pointer refers to
   cannot be determined.  */

void
pass_waccess::maybe_check_dealloc_call (gcall *call)
{
  tree fndecl = gimple_call_fndecl (call);
  if (!fndecl)
    return;

  /* Give up if the call doesn't pass the argument being deallocated.  */
  unsigned argno = fndecl_dealloc_argno (fndecl);
  if ((unsigned) call_nargs (call) <= argno)
    return;

  tree ptr = gimple_call_arg (call, argno);
  if (integer_zerop (ptr))
    return;

  /* Determine the object PTR refers to along with the offset into it.  */
  access_ref aref;
  if (!compute_objsize (ptr, call, 0, &aref, &m_ptr_qry))
    return;

  tree ref = aref.ref;
  if (integer_zerop (ref))
    return;

  tree dealloc_decl = fndecl;
  location_t loc = gimple_location (call);

  if (DECL_P (ref) || EXPR_P (ref))
    {
      /* Diagnose freeing a declared object.  */
      if (aref.ref_declared ())
	{
	  auto_diagnostic_group d;
	  if (warning_at (loc, OPT_Wfree_nonheap_object,
			  "%qD called on unallocated object %qD",
			  dealloc_decl, ref))
	    {
	      inform (get_location (ref), "declared here");
	      return;
	    }
	}

      /* Diagnose freeing a pointer that includes a positive offset.
	 Such a pointer cannot refer to the beginning of an allocated
	 object.  A negative offset may refer to it.  */
      if (aref.sizrng[0] != aref.sizrng[1]
	  && warn_dealloc_offset (loc, call, aref))
	return;
    }
  else if (CONSTANT_CLASS_P (ref))
    {
      auto_diagnostic_group d;
      if (warning_at (loc, OPT_Wfree_nonheap_object,
		      "%qD called on a pointer to an unallocated "
		      "object %qE", dealloc_decl, ref))
	{
	  /* Point at the assignment that produced the pointer when
	     there is one.  */
	  if (TREE_CODE (ptr) == SSA_NAME)
	    {
	      gimple *def_stmt = SSA_NAME_DEF_STMT (ptr);
	      if (is_gimple_assign (def_stmt))
		{
		  /* Shadows the outer LOC: this is the location of the
		     definition, not of the call.  */
		  location_t loc = gimple_location (def_stmt);
		  inform (loc, "assigned here");
		}
	    }
	  return;
	}
    }
  else if (TREE_CODE (ref) == SSA_NAME)
    {
      /* Also warn if the pointer argument refers to the result
	 of an allocation call like alloca or VLA.  */
      gimple *def_stmt = SSA_NAME_DEF_STMT (ref);
      if (!def_stmt)
	return;

      if (is_gimple_call (def_stmt))
	{
	  bool warned = false;
	  if (gimple_call_alloc_p (def_stmt))
	    {
	      if (matching_alloc_calls_p (def_stmt, dealloc_decl))
		{
		  /* Allocator and deallocator match; only an offset
		     into the allocated block can still be wrong.  */
		  if (warn_dealloc_offset (loc, call, aref))
		    return;
		}
	      else
		{
		  /* Use the C++-specific option when either side is
		     an operator new/delete.  */
		  tree alloc_decl = gimple_call_fndecl (def_stmt);
		  const opt_code opt =
		    (DECL_IS_OPERATOR_NEW_P (alloc_decl)
		     || DECL_IS_OPERATOR_DELETE_P (dealloc_decl)
		     ? OPT_Wmismatched_new_delete
		     : OPT_Wmismatched_dealloc);
		  warned = warning_at (loc, opt,
				       "%qD called on pointer returned "
				       "from a mismatched allocation "
				       "function", dealloc_decl);
		}
	    }
	  /* NOTE(review): check_builtin also treats
	     BUILT_IN_ALLOCA_WITH_ALIGN_AND_MAX as alloca, but it isn't
	     listed here; confirm whether it should be.  */
	  else if (gimple_call_builtin_p (def_stmt, BUILT_IN_ALLOCA)
		   || gimple_call_builtin_p (def_stmt,
					     BUILT_IN_ALLOCA_WITH_ALIGN))
	    warned = warning_at (loc, OPT_Wfree_nonheap_object,
				 "%qD called on pointer to "
				 "an unallocated object",
				 dealloc_decl);
	  else if (warn_dealloc_offset (loc, call, aref))
	    return;

	  if (warned)
	    {
	      /* Shadows the outer FNDECL: this is the allocating call's
		 callee.  */
	      tree fndecl = gimple_call_fndecl (def_stmt);
	      inform (gimple_location (def_stmt),
		      "returned from %qD", fndecl);
	      return;
	    }
	}
      else if (gimple_nop_p (def_stmt))
	{
	  /* REF is a default definition (e.g., of a parameter).
	     NOTE(review): SSA_NAME_VAR is null for anonymous SSA names;
	     whether compute_objsize can return such a name here isn't
	     evident from this function - confirm before relying on the
	     TREE_CODE test below.  */
	  ref = SSA_NAME_VAR (ref);
	  /* Diagnose freeing a pointer that includes a positive offset.  */
	  if (TREE_CODE (ref) == PARM_DECL
	      && !aref.deref
	      && aref.sizrng[0] != aref.sizrng[1]
	      && aref.offrng[0] > 0 && aref.offrng[1] > 0
	      && warn_dealloc_offset (loc, call, aref))
	    return;
	}
    }
}
3806
/* Return true if either USE_STMT's basic block (that of a pointer's use)
   is dominated by INVAL_STMT's (that of a pointer's invalidating statement,
   which is either a clobber or a deallocation call), or if they're in
   the same block, USE_STMT follows INVAL_STMT.  When LAST_BLOCK is set
   and INVAL_STMT is a clobber, a use in a block that falls through to
   the function's exit without an intervening clobber of the same
   variable also counts as after the invalidation.  Returns false when
   either statement has no basic block.  */

bool
pass_waccess::use_after_inval_p (gimple *inval_stmt, gimple *use_stmt,
				 bool last_block /* = false */)
{
  /* The variable being clobbered, or null when INVAL_STMT is a call.  */
  tree clobvar =
    gimple_clobber_p (inval_stmt) ? gimple_assign_lhs (inval_stmt) : NULL_TREE;

  basic_block inval_bb = gimple_bb (inval_stmt);
  basic_block use_bb = gimple_bb (use_stmt);

  if (!inval_bb || !use_bb)
    return false;

  if (inval_bb != use_bb)
    {
      if (dominated_by_p (CDI_DOMINATORS, use_bb, inval_bb))
	return true;

      if (!clobvar || !last_block)
	return false;

      /* Proceed only when looking for uses of dangling pointers.  */
      auto gsi = gsi_for_stmt (use_stmt);

      /* A use statement in the last basic block in a function or one that
	 falls through to it is after any other prior clobber of the used
	 variable unless it's followed by a clobber of the same variable.
	 Follow only plain single-successor edges: exception, abnormal and
	 back edges end the walk.
	 NOTE(review): EDGE_DFS_BACK is only meaningful if back edges have
	 been marked for the current function before this runs - confirm
	 the pass does so.  */
      basic_block bb = use_bb;
      while (bb != inval_bb
	     && single_succ_p (bb)
	     && !(single_succ_edge (bb)->flags
		  & (EDGE_EH | EDGE_ABNORMAL | EDGE_DFS_BACK)))
	{
	  /* Scan from the use (or the start of a successor block) for
	     a clobber of the same variable.  */
	  for (; !gsi_end_p (gsi); gsi_next_nondebug (&gsi))
	    {
	      gimple *stmt = gsi_stmt (gsi);
	      if (gimple_clobber_p (stmt))
		{
		  if (clobvar == gimple_assign_lhs (stmt))
		    /* The use is followed by a clobber.  */
		    return false;
		}
	    }

	  bb = single_succ (bb);
	  gsi = gsi_start_bb (bb);
	}

      /* The use is one of a dangling pointer if a clobber of the variable
	 [the pointer points to] has not been found before the function exit
	 point.  */
      return bb == EXIT_BLOCK_PTR_FOR_FN (cfun);
    }

  if (bitmap_set_bit (m_bb_uids_set, inval_bb->index))
    /* The first time this basic block is visited assign increasing ids
       to consecutive statements in it.  Use the ids to determine which
       precedes which.  This avoids the linear traversal on subsequent
       visits to the same block.  */
    renumber_gimple_stmt_uids_in_block (m_func, inval_bb);

  return gimple_uid (inval_stmt) < gimple_uid (use_stmt);
}
3875
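/* Issue a warning for the USE_STMT of pointer or reference REF rendered
   invalid by INVAL_STMT.  REF may be null when it's been optimized away.
   When INVAL_STMT is a call it is the deallocation function that rendered
   the pointer or reference dangling and -Wuse-after-free is issued.
   Otherwise INVAL_STMT is a clobber and VAR is the auto variable
   (including an unnamed temporary such as a compound literal) whose
   lifetime's end rendered it dangling; -Wdangling-pointer is issued.
   MAYBE is true to issue the "maybe" kind of warning.  EQUALITY is true
   when the pointer is used in an equality expression.
   Nothing is diagnosed when the corresponding option level is too low,
   when the use has already been diagnosed, or when the use has no
   location and REF is unavailable.  */

void
pass_waccess::warn_invalid_pointer (tree ref, gimple *use_stmt,
				    gimple *inval_stmt, tree var,
				    bool maybe, bool equality /* = false */)
{
  /* Avoid printing the unhelpful "<unknown>" in the diagnostics.
     The SSA_NAME's underlying decl gets its own name so it doesn't
     shadow the VAR parameter that's used further down.  */
  if (ref && TREE_CODE (ref) == SSA_NAME)
    {
      tree ref_var = SSA_NAME_VAR (ref);
      if (!ref_var)
	ref = NULL_TREE;
      /* Don't warn for cases like when a cdtor returns 'this' on ARM.  */
      else if (warning_suppressed_p (ref_var, OPT_Wuse_after_free))
	return;
      else if (DECL_ARTIFICIAL (ref_var))
	ref = NULL_TREE;
    }

  location_t use_loc = gimple_location (use_stmt);
  if (use_loc == UNKNOWN_LOCATION)
    {
      use_loc = m_func->function_end_locus;
      if (!ref)
	/* Avoid issuing a warning with no context other than
	   the function.  That would make it difficult to debug
	   in any but very simple cases.  */
	return;
    }

  if (is_gimple_call (inval_stmt))
    {
      /* -Wuse-after-free: level 2 enables the "maybe" form and level 3
	 also diagnoses uses in equality expressions.  Only the early
	 run of the pass issues it.  */
      if (!m_early_checks_p
	  || (equality && warn_use_after_free < 3)
	  || (maybe && warn_use_after_free < 2)
	  || warning_suppressed_p (use_stmt, OPT_Wuse_after_free))
	return;

      const tree inval_decl = gimple_call_fndecl (inval_stmt);

      auto_diagnostic_group d;
      if ((ref && warning_at (use_loc, OPT_Wuse_after_free,
			      (maybe
			       ? G_("pointer %qE may be used after %qD")
			       : G_("pointer %qE used after %qD")),
			      ref, inval_decl))
	  || (!ref && warning_at (use_loc, OPT_Wuse_after_free,
				  (maybe
				   ? G_("pointer may be used after %qD")
				   : G_("pointer used after %qD")),
				  inval_decl)))
	{
	  location_t loc = gimple_location (inval_stmt);
	  inform (loc, "call to %qD here", inval_decl);
	  suppress_warning (use_stmt, OPT_Wuse_after_free);
	}
      return;
    }

  /* -Wdangling-pointer: uses in equality expressions are never
     diagnosed and level 2 is needed for the "maybe" form.  */
  if (equality
      || (maybe && warn_dangling_pointer < 2)
      || warning_suppressed_p (use_stmt, OPT_Wdangling_pointer_))
    return;

  if (DECL_NAME (var))
    {
      auto_diagnostic_group d;
      if ((ref
	   && warning_at (use_loc, OPT_Wdangling_pointer_,
			  (maybe
			   ? G_("dangling pointer %qE to %qD may be used")
			   : G_("using dangling pointer %qE to %qD")),
			  ref, var))
	  || (!ref
	      && warning_at (use_loc, OPT_Wdangling_pointer_,
			     (maybe
			      ? G_("dangling pointer to %qD may be used")
			      : G_("using a dangling pointer to %qD")),
			     var)))
	inform (DECL_SOURCE_LOCATION (var),
		"%qD declared here", var);
      /* NOTE(review): unlike the two other paths, the use is marked
	 suppressed here even when warning_at() returned false.  Kept
	 as is; confirm this is intended before changing it.  */
      suppress_warning (use_stmt, OPT_Wdangling_pointer_);
      return;
    }

  /* VAR has no name: an unnamed temporary such as a compound literal.  */
  if ((ref
       && warning_at (use_loc, OPT_Wdangling_pointer_,
		      (maybe
		       ? G_("dangling pointer %qE to an unnamed temporary "
			    "may be used")
		       : G_("using dangling pointer %qE to an unnamed "
			    "temporary")),
		      ref))
      || (!ref
	  && warning_at (use_loc, OPT_Wdangling_pointer_,
			 (maybe
			  ? G_("dangling pointer to an unnamed temporary "
			       "may be used")
			  : G_("using a dangling pointer to an unnamed "
			       "temporary")))))
    {
      inform (DECL_SOURCE_LOCATION (var),
	      "unnamed temporary defined here");
      suppress_warning (use_stmt, OPT_Wdangling_pointer_);
    }
}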
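/* If STMT is a call to either the standard realloc or to a user-defined
   reallocation function return its LHS and set *PTR to the reallocated
   pointer.  Otherwise return null and leave *PTR untouched.

   A user-defined reallocation function is recognized by a "*dealloc"
   attribute whose first argument is the callee's own name (the function
   is both the allocator and its matching deallocator).  The attribute's
   optional second argument is the 1-based position of the reallocated
   pointer argument; it defaults to the first argument.  */

static tree
get_realloc_lhs (gimple *stmt, tree *ptr)
{
  if (gimple_call_builtin_p (stmt, BUILT_IN_REALLOC))
    {
      *ptr = gimple_call_arg (stmt, 0);
      return gimple_call_lhs (stmt);
    }

  gcall *call = dyn_cast<gcall *>(stmt);
  if (!call)
    return NULL_TREE;

  tree fnattr = NULL_TREE;
  tree fndecl = gimple_call_fndecl (call);
  if (fndecl)
    fnattr = DECL_ATTRIBUTES (fndecl);
  else
    {
      tree fntype = gimple_call_fntype (stmt);
      if (!fntype)
	return NULL_TREE;
      fnattr = TYPE_ATTRIBUTES (fntype);
    }

  if (!fnattr)
    return NULL_TREE;

  const unsigned nargs = gimple_call_num_args (call);
  for (tree ats = fnattr; (ats = lookup_attribute ("*dealloc", ats));
       ats = TREE_CHAIN (ats))
    {
      tree args = TREE_VALUE (ats);
      if (!args)
	continue;

      tree alloc = TREE_VALUE (args);
      if (!alloc)
	continue;

      /* Without a known callee there is no name to match the attribute
	 against (and FNDECL must not be dereferenced).  */
      if (fndecl && alloc == DECL_NAME (fndecl))
	{
	  unsigned argno = 0;
	  if (tree index = TREE_CHAIN (args))
	    argno = TREE_INT_CST_LOW (TREE_VALUE (index)) - 1;
	  if (argno >= nargs)
	    /* The call passes fewer arguments than the attribute refers
	       to; don't read past the end of the argument list.  */
	    return NULL_TREE;
	  *ptr = gimple_call_arg (stmt, argno);
	  return gimple_call_lhs (stmt);
	}
    }

  return NULL_TREE;
}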
/* Warn if STMT is a call to a deallocation function that's not a match
   for the REALLOC_STMT call.  PTR is the pointer STMT was called with
   (or null); it's left out of the diagnostic when it's an artificial
   SSA_NAME.  Return true if warned.  */

static bool
maybe_warn_mismatched_realloc (tree ptr, gimple *realloc_stmt, gimple *stmt)
{
  if (!is_gimple_call (stmt))
    return false;

  tree dealloc_decl = gimple_call_fndecl (stmt);
  if (!dealloc_decl)
    return false;

  /* Only consider calls that pass enough arguments to reach
     the deallocated pointer.  */
  const unsigned dealloc_argno = fndecl_dealloc_argno (dealloc_decl);
  if (call_nargs (stmt) <= dealloc_argno)
    return false;

  if (matching_alloc_calls_p (realloc_stmt, dealloc_decl))
    return false;

  /* Avoid printing the unhelpful "<unknown>" in the diagnostics.  */
  if (ptr && TREE_CODE (ptr) == SSA_NAME)
    {
      tree ptr_var = SSA_NAME_VAR (ptr);
      if (!ptr_var || DECL_ARTIFICIAL (ptr_var))
	ptr = NULL_TREE;
    }

  const location_t loc = gimple_location (stmt);
  tree realloc_decl = gimple_call_fndecl (realloc_stmt);
  bool warned;
  if (ptr)
    warned = warning_at (loc, OPT_Wmismatched_dealloc,
			 "%qD called on pointer %qE passed to mismatched "
			 "allocation function %qD",
			 dealloc_decl, ptr, realloc_decl);
  else
    warned = warning_at (loc, OPT_Wmismatched_dealloc,
			 "%qD called on a pointer passed to mismatched "
			 "reallocation function %qD",
			 dealloc_decl, realloc_decl);
  if (!warned)
    return false;

  inform (gimple_location (realloc_stmt),
	  "call to %qD", realloc_decl);
  return true;
}
/* Return true if P and Q point to the same object, and false if they
   either don't or their relationship cannot be determined.  STMT is
   the statement the pointers are used in, QRY resolves them to their
   access_ref, and VISITED holds the SSA versions of PHI results already
   being examined so that PHI cycles terminate.  */

static bool
pointers_related_p (gimple *stmt, tree p, tree q, pointer_query &qry,
		    auto_bitmap &visited)
{
  if (!ptr_derefs_may_alias_p (p, q))
    return false;

  /* TODO: Work harder to rule out relatedness.  */
  access_ref pref, qref;
  const bool have_pref = qry.get_ref (p, stmt, &pref, 0);
  if (!have_pref || !qry.get_ref (q, stmt, &qref, 0))
    /* GET_REF() only rarely fails.  When it does, it's likely because
       it involves a self-referential PHI.  Return a conservative result.  */
    return false;

  if (pref.ref == qref.ref)
    return true;

  /* If either pointer is a PHI, iterate over all its operands and
     return true if they're all related to the other pointer.  P's PHI
     takes precedence; Q's is used only when P isn't a PHI.  */
  gphi *phi = pref.phi ();
  tree other = q;
  const access_ref *phi_ref = &pref;
  if (!phi)
    {
      phi = qref.phi ();
      if (!phi)
	return false;

      other = p;
      phi_ref = &qref;
    }

  const unsigned version = SSA_NAME_VERSION (phi_ref->ref);
  if (!bitmap_set_bit (visited, version))
    /* This PHI is already on the recursion path: treat it as related.  */
    return true;

  const unsigned nargs = gimple_phi_num_args (phi);
  for (unsigned i = 0; i != nargs; ++i)
    if (!pointers_related_p (stmt, gimple_phi_arg_def (phi, i), other,
			     qry, visited))
      return false;

  return true;
}
/* Convenience wrapper for the above that starts with an empty set of
   visited PHI results.  */

static bool
pointers_related_p (gimple *stmt, tree p, tree q, pointer_query &qry)
{
  auto_bitmap seen;
  const bool related = pointers_related_p (stmt, p, q, qry, seen);
  return related;
}
/* For a STMT either a call to a deallocation function or a clobber, warn
   for uses of the pointer PTR it was called with (including its copies
   or others derived from it by pointer arithmetic).  If STMT is a clobber,
   VAR is the decl of the clobbered variable.  When MAYBE is true use
   a "maybe" form of diagnostic.
   PTR must be an SSA_NAME.  Uses are found by walking the immediate-use
   chains of PTR and of every pointer derived from it (assignment copies,
   POINTER_PLUS_EXPR results, PHIs whose arguments are all derived from
   PTR, and the results of calls that return their argument).  Each use
   that use_after_inval_p() places after STMT is passed to
   warn_invalid_pointer().  */

void
pass_waccess::check_pointer_uses (gimple *stmt, tree ptr,
				  tree var /* = NULL_TREE */,
				  bool maybe /* = false */)
{
  gcc_assert (TREE_CODE (ptr) == SSA_NAME);

  /* A clobber (rather than a deallocation call) means a dangling
     pointer to an auto variable is being checked.  */
  const bool check_dangling = !is_gimple_call (stmt);
  basic_block stmt_bb = gimple_bb (stmt);

  /* If STMT is a reallocation function set to the reallocated pointer
     and the LHS of the call, respectively.  */
  tree realloc_ptr = NULL_TREE;
  tree realloc_lhs = get_realloc_lhs (stmt, &realloc_ptr);

  /* SSA versions of the pointers whose uses have been examined.  */
  auto_bitmap visited;

  /* Worklist of pointers to examine; grows as derived pointers are
     discovered below.  */
  auto_vec<tree, 8> pointers;
  pointers.quick_push (ptr);
  /* Per-PHI count of arguments not yet seen to derive from PTR.
     Allocated lazily on the first PHI use and released at the end.  */
  hash_map<tree, int> *phi_map = nullptr;

  /* Starting with PTR, iterate over POINTERS added by the loop, and
     either warn for their uses in basic blocks dominated by the STMT
     or in statements that follow it in the same basic block, or add
     them to POINTERS if they point into the same object as PTR (i.e.,
     are obtained by pointer arithmetic on PTR).  */
  for (unsigned i = 0; i != pointers.length (); ++i)
    {
      /* NOTE: this local deliberately shadows the PTR parameter; from
	 here on PTR is the pointer currently being examined.  */
      tree ptr = pointers[i];
      if (!bitmap_set_bit (visited, SSA_NAME_VERSION (ptr)))
	/* Avoid revisiting the same pointer.  */
	continue;

      use_operand_p use_p;
      imm_use_iterator iter;
      FOR_EACH_IMM_USE_FAST (use_p, iter, ptr)
	{
	  gimple *use_stmt = USE_STMT (use_p);
	  if (use_stmt == stmt || is_gimple_debug (use_stmt))
	    continue;

	  /* A clobber isn't a use.  */
	  if (gimple_clobber_p (use_stmt))
	    continue;

	  if (realloc_lhs)
	    {
	      /* Check to see if USE_STMT is a mismatched deallocation
		 call for the pointer passed to realloc.  That's a bug
		 regardless of the pointer's value and so warn.  */
	      if (maybe_warn_mismatched_realloc (*use_p->use, stmt, use_stmt))
		continue;

	      /* Pointers passed to realloc that are used in basic blocks
		 where the realloc call is known to have failed are valid.
		 Ignore pointers that nothing is known about.  Those could
		 have escaped along with their nullness.  */
	      value_range vr;
	      if (m_ptr_qry.rvals->range_of_expr (vr, realloc_lhs, use_stmt))
		{
		  if (vr.zero_p ())
		    continue;

		  if (!pointers_related_p (stmt, ptr, realloc_ptr, m_ptr_qry))
		    continue;
		}
	    }

	  if (check_dangling
	      && gimple_code (use_stmt) == GIMPLE_RETURN)
	    /* Avoid interfering with -Wreturn-local-addr (which runs only
	       with optimization enabled so it won't diagnose cases that
	       would be caught here when optimization is disabled).  */
	    continue;

	  /* Uses in equality tests get a separate (weaker) treatment
	     in warn_invalid_pointer().  */
	  bool equality = false;
	  if (is_gimple_assign (use_stmt))
	    {
	      tree_code code = gimple_assign_rhs_code (use_stmt);
	      equality = code == EQ_EXPR || code == NE_EXPR;
	    }
	  else if (gcond *cond = dyn_cast<gcond *>(use_stmt))
	    {
	      tree_code code = gimple_cond_code (cond);
	      equality = code == EQ_EXPR || code == NE_EXPR;
	    }
	  else if (gphi *phi = dyn_cast <gphi *> (use_stmt))
	    {
	      /* Only add a PHI result to POINTERS if all its
		 operands are related to PTR, otherwise continue.  The
		 PHI result is related once we've reached all arguments
		 through this iteration.  That also means any invariant
		 argument will make the PHI not related.  For arguments
		 flowing over natural loop backedges we are optimistic
		 (and diagnose the first iteration).  */
	      tree lhs = gimple_phi_result (phi);
	      if (!phi_map)
		phi_map = new hash_map<tree, int>;
	      bool existed_p;
	      int &related = phi_map->get_or_insert (lhs, &existed_p);
	      if (!existed_p)
		{
		  /* First visit: start with all other arguments
		     outstanding and discount those that flow over
		     a backedge.  */
		  related = gimple_phi_num_args (phi) - 1;
		  for (unsigned j = 0; j < gimple_phi_num_args (phi); ++j)
		    {
		      if ((unsigned) phi_arg_index_from_use (use_p) == j)
			continue;
		      tree arg = gimple_phi_arg_def (phi, j);
		      edge e = gimple_phi_arg_edge (phi, j);
		      basic_block arg_bb;
		      if (dominated_by_p (CDI_DOMINATORS, e->src, e->dest)
			  /* Make sure we are not forward visiting a
			     backedge argument.  */
			  && (TREE_CODE (arg) != SSA_NAME
			      || (!SSA_NAME_IS_DEFAULT_DEF (arg)
				  && ((arg_bb
				       = gimple_bb (SSA_NAME_DEF_STMT (arg)))
				      != e->dest)
				  && !dominated_by_p (CDI_DOMINATORS,
						      e->dest, arg_bb))))
			related--;
		    }
		}
	      else
		/* Another argument of this PHI has been reached.  */
		related--;

	      if (related == 0)
		pointers.safe_push (lhs);
	      continue;
	    }

	  /* Warn if USE_STMT is dominated by the deallocation STMT.
	     Otherwise, add the pointer to POINTERS so that the uses
	     of any other pointers derived from it can be checked.  */
	  if (use_after_inval_p (stmt, use_stmt, check_dangling))
	    {
	      /* The use is only "maybe" invalid when STMT doesn't
		 post-dominate it (or when the caller said so).  */
	      basic_block use_bb = gimple_bb (use_stmt);
	      bool this_maybe
		= (maybe
		   || !dominated_by_p (CDI_POST_DOMINATORS, stmt_bb, use_bb));
	      warn_invalid_pointer (*use_p->use, use_stmt, stmt, var,
				    this_maybe, equality);
	      continue;
	    }

	  if (is_gimple_assign (use_stmt))
	    {
	      /* Copies and pointer arithmetic on PTR derive from it.  */
	      tree lhs = gimple_assign_lhs (use_stmt);
	      if (TREE_CODE (lhs) == SSA_NAME)
		{
		  tree_code rhs_code = gimple_assign_rhs_code (use_stmt);
		  if (rhs_code == POINTER_PLUS_EXPR || rhs_code == SSA_NAME)
		    pointers.safe_push (lhs);
		}
	      continue;
	    }

	  if (gcall *call = dyn_cast <gcall *>(use_stmt))
	    {
	      /* A call that returns its PTR argument (e.g., strchr)
		 yields another pointer into the same object.  */
	      if (gimple_call_return_arg (call) == ptr)
		if (tree lhs = gimple_call_lhs (call))
		  if (TREE_CODE (lhs) == SSA_NAME)
		    pointers.safe_push (lhs);
	      continue;
	    }
	}
    }

  if (phi_map)
    delete phi_map;
}
/* Check call STMT for invalid accesses: built-in argument checks, uses
   of the pointer after it's been passed to a deallocation function, and
   the access, dangling-argument, mismatched-deallocation and non-string
   argument checks.  The last two are skipped in the early run.  */

void
pass_waccess::check_call (gcall *stmt)
{
  /* Skip special calls generated by the compiler.  */
  if (gimple_call_from_thunk_p (stmt))
    return;

  /* .ASAN_MARK doesn't access any vars, only modifies shadow memory.  */
  if (gimple_call_internal_p (stmt)
      && gimple_call_internal_fn (stmt) == IFN_ASAN_MARK)
    return;

  if (gimple_call_builtin_p (stmt, BUILT_IN_NORMAL))
    check_builtin (stmt);

  /* Check for uses of the pointer passed to either a standard
     or a user-defined deallocation function.  */
  tree callee = gimple_call_fndecl (stmt);
  if (callee)
    {
      const unsigned argno = fndecl_dealloc_argno (callee);
      const unsigned nargs = (unsigned) call_nargs (stmt);
      if (argno < nargs)
	{
	  tree arg = call_arg (stmt, argno);
	  if (TREE_CODE (arg) == SSA_NAME)
	    check_pointer_uses (stmt, arg);
	}
    }

  check_call_access (stmt);
  check_call_dangling (stmt);

  /* The remaining checks are not done in the early run of the pass.  */
  if (m_early_checks_p)
    return;

  maybe_check_dealloc_call (stmt);
  check_nonstring_args (stmt);
}
/* Check non-call STMT for invalid accesses.  End-of-lifetime clobbers
   are recorded in M_CLOBBERS, other assignments to auto variables
   remove them again, and returns of the address of a clobbered auto
   variable are diagnosed.  */

void
pass_waccess::check_stmt (gimple *stmt)
{
  const bool eol_clobber_p
    = m_check_dangling_p && gimple_clobber_p (stmt, CLOBBER_EOL);
  if (eol_clobber_p)
    {
      /* Ignore clobber statements in blocks with exceptional edges.  */
      basic_block clob_bb = gimple_bb (stmt);
      if (EDGE_PRED (clob_bb, 0)->flags & EDGE_EH)
	return;

      /* Remember the clobber; uses of the variable's address are
	 checked against it later.  */
      m_clobbers.put (gimple_assign_lhs (stmt), stmt);
      return;
    }

  if (is_gimple_assign (stmt))
    {
      /* Clobbered unnamed temporaries such as compound literals can be
	 revived.  Check for an assignment to one and remove it from
	 M_CLOBBERS.  */
      tree base = gimple_assign_lhs (stmt);
      for (; handled_component_p (base); base = TREE_OPERAND (base, 0))
	;

      if (auto_var_p (base))
	m_clobbers.remove (base);
      return;
    }

  greturn *ret = dyn_cast <greturn *> (stmt);
  if (!ret)
    return;

  if (optimize && flag_isolate_erroneous_paths_dereference)
    /* Avoid interfering with -Wreturn-local-addr (which runs only
       with optimization enabled).  */
    return;

  tree retval = gimple_return_retval (ret);
  if (!retval || TREE_CODE (retval) != ADDR_EXPR)
    return;

  tree base = TREE_OPERAND (retval, 0);
  for (; handled_component_p (base); base = TREE_OPERAND (base, 0))
    ;

  if (!auto_var_p (base))
    return;

  gimple **pclobber = m_clobbers.get (base);
  if (pclobber && use_after_inval_p (*pclobber, stmt))
    warn_invalid_pointer (NULL_TREE, stmt, *pclobber, base, false);
}
/* Check basic block BB for invalid accesses, dispatching each
   statement to check_call() or check_stmt().  */

void
pass_waccess::check_block (basic_block bb)
{
  /* Iterate over statements, looking for function calls.  */
  gimple_stmt_iterator gsi = gsi_start_bb (bb);
  while (!gsi_end_p (gsi))
    {
      gimple *stmt = gsi_stmt (gsi);
      gcall *call = dyn_cast <gcall *> (stmt);
      if (call)
	check_call (call);
      else
	check_stmt (stmt);
      gsi_next_nondebug (&gsi);
    }
}
/* Return the argument that the call STMT to a built-in function returns
   (including with an offset) or null if it doesn't.  The argument is
   taken from the callee's fnspec when it has one; otherwise a fixed
   list of normal built-ins known to return their first argument is
   consulted.  */

tree
pass_waccess::gimple_call_return_arg (gcall *call)
{
  const unsigned nargs = gimple_call_num_args (call);

  /* Check for attribute fn spec to see if the function returns one
     of its arguments.  */
  attr_fnspec fnspec = gimple_call_fnspec (call);
  unsigned int argno;
  if (fnspec.returns_arg (&argno))
    return argno < nargs ? gimple_call_arg (call, argno) : NULL_TREE;

  if (nargs < 1 || !gimple_call_builtin_p (call, BUILT_IN_NORMAL))
    return NULL_TREE;

  /* Built-ins that return a pointer into their first argument.  */
  switch (DECL_FUNCTION_CODE (gimple_call_fndecl (call)))
    {
    case BUILT_IN_MEMPCPY:
    case BUILT_IN_MEMPCPY_CHK:
    case BUILT_IN_MEMCHR:
    case BUILT_IN_STRCHR:
    case BUILT_IN_STRRCHR:
    case BUILT_IN_STRSTR:
    case BUILT_IN_STPCPY:
    case BUILT_IN_STPCPY_CHK:
    case BUILT_IN_STPNCPY:
    case BUILT_IN_STPNCPY_CHK:
      return gimple_call_arg (call, 0);

    default:
      return NULL_TREE;
    }
}
/* Check for and diagnose all uses of the dangling pointer VAR to the auto
   object DECL whose lifetime has ended.  OBJREF is true when VAR denotes
   an access to a DECL that may have been clobbered; then only VAR's own
   defining statement is checked against the clobber.  Otherwise every
   use of VAR and of pointers derived from it is checked.  MAYBE requests
   the "maybe" form of the diagnostic.  */

void
pass_waccess::check_dangling_uses (tree var, tree decl, bool maybe /* = false */,
				   bool objref /* = false */)
{
  if (!decl || !auto_var_p (decl))
    return;

  gimple **pclob = m_clobbers.get (decl);
  if (!pclob)
    return;

  gimple *clobber = *pclob;
  if (!objref)
    {
      /* VAR points to DECL: walk all of its uses.  */
      check_pointer_uses (clobber, var, decl, maybe);
      return;
    }

  /* VAR's defining statement is itself the access to DECL.  */
  gimple *def_stmt = SSA_NAME_DEF_STMT (var);
  if (!use_after_inval_p (clobber, def_stmt, true))
    return;

  basic_block def_bb = gimple_bb (def_stmt);
  basic_block clob_bb = gimple_bb (clobber);
  const bool certain = dominated_by_p (CDI_POST_DOMINATORS, clob_bb, def_bb);
  warn_invalid_pointer (var, def_stmt, clobber, decl, maybe || !certain,
			false);
}
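/* Diagnose stores in BB and (recursively) its predecessors of the addresses
   of local variables into nonlocal pointers that are left dangling after
   the function returns.  STORES collects the nonlocal objects already
   stored to, so that only the store closest to the exit is diagnosed.
   Returns true when we can continue walking the CFG to predecessors,
   false when a call or a store into an unknown object may have changed
   the escaped locals and the walk must stop.  */

bool
pass_waccess::check_dangling_stores (basic_block bb,
				     hash_set<tree> &stores)
{
  /* Iterate backwards over the statements looking for a store of
     the address of a local variable into a nonlocal pointer.  */
  for (auto gsi = gsi_last_nondebug_bb (bb); ; gsi_prev_nondebug (&gsi))
    {
      gimple *stmt = gsi_stmt (gsi);
      if (!stmt)
	break;

      if (warning_suppressed_p (stmt, OPT_Wdangling_pointer_))
	continue;

      if (is_gimple_call (stmt)
	  && !(gimple_call_flags (stmt) & (ECF_CONST | ECF_PURE)))
	/* Avoid looking before nonconst, nonpure calls since those might
	   use the escaped locals.  */
	return false;

      if (!is_gimple_assign (stmt) || gimple_clobber_p (stmt)
	  || !gimple_store_p (stmt))
	continue;

      access_ref lhs_ref;
      tree lhs = gimple_assign_lhs (stmt);
      if (!m_ptr_qry.get_ref (lhs, stmt, &lhs_ref, 0))
	continue;

      /* Peel a MEM_REF or ADDR_EXPR off the stored-to reference,
	 adjusting the dereference count accordingly.  */
      if (TREE_CODE (lhs_ref.ref) == MEM_REF)
	{
	  lhs_ref.ref = TREE_OPERAND (lhs_ref.ref, 0);
	  ++lhs_ref.deref;
	}
      if (TREE_CODE (lhs_ref.ref) == ADDR_EXPR)
	{
	  lhs_ref.ref = TREE_OPERAND (lhs_ref.ref, 0);
	  --lhs_ref.deref;
	}
      if (TREE_CODE (lhs_ref.ref) == SSA_NAME)
	{
	  gimple *def_stmt = SSA_NAME_DEF_STMT (lhs_ref.ref);
	  if (!gimple_nop_p (def_stmt))
	    /* Avoid looking at or before stores into unknown objects.  */
	    return false;

	  /* A default definition: use the underlying decl.  */
	  lhs_ref.ref = SSA_NAME_VAR (lhs_ref.ref);
	}

      if (TREE_CODE (lhs_ref.ref) == PARM_DECL
	  && (lhs_ref.deref - DECL_BY_REFERENCE (lhs_ref.ref)) > 0)
	/* Assignment through a (real) pointer/reference parameter.  */;
      else if (VAR_P (lhs_ref.ref)
	       && !auto_var_p (lhs_ref.ref))
	/* Assignment to/through a non-local variable.  */;
      else
	/* Something else, don't warn.  */
	continue;

      /* A later (closer to the exit) store to the same object has
	 already been seen; it's the one that's left dangling.  */
      if (stores.add (lhs_ref.ref))
	continue;

      /* FIXME: Handle stores of alloca() and VLA.  */
      access_ref rhs_ref;
      tree rhs = gimple_assign_rhs1 (stmt);
      if (!m_ptr_qry.get_ref (rhs, stmt, &rhs_ref, 0)
	  || rhs_ref.deref != -1)
	continue;

      if (!auto_var_p (rhs_ref.ref))
	continue;

      auto_diagnostic_group d;
      location_t loc = gimple_location (stmt);
      if (warning_at (loc, OPT_Wdangling_pointer_,
		      "storing the address of local variable %qD in %qE",
		      rhs_ref.ref, lhs))
	{
	  suppress_warning (stmt, OPT_Wdangling_pointer_);

	  /* Point at both declarations; the locations are passed directly
	     rather than through a second LOC that would shadow the
	     one above.  */
	  inform (DECL_SOURCE_LOCATION (rhs_ref.ref),
		  "%qD declared here", rhs_ref.ref);
	  inform (DECL_SOURCE_LOCATION (lhs_ref.ref),
		  "%qD declared here", lhs_ref.ref);
	}
    }

  return true;
}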
/* Diagnose stores of the addresses of local variables into nonlocal
   pointers that are left dangling after the function returns.  Walks
   the CFG backwards from the exit block's predecessors, visiting each
   block once, and stops along a path as soon as the per-block check
   reports that it cannot continue.  */

void
pass_waccess::check_dangling_stores ()
{
  basic_block exit_bb = EXIT_BLOCK_PTR_FOR_FN (m_func);
  if (EDGE_COUNT (exit_bb->preds) == 0)
    return;

  auto_bitmap visited_bbs;
  hash_set<tree> stores;
  auto_vec<edge_iterator, 8> worklist (n_basic_blocks_for_fn (cfun) + 1);
  worklist.quick_push (ei_start (exit_bb->preds));
  while (!worklist.is_empty ())
    {
      edge_iterator &top = worklist.last ();
      basic_block pred = ei_edge (top)->src;
      if (!bitmap_set_bit (visited_bbs, pred->index))
	{
	  /* Already checked: move on to the next predecessor edge, or
	     drop the iterator once it's exhausted.  */
	  if (ei_one_before_end_p (top))
	    worklist.pop ();
	  else
	    ei_next (&top);
	  continue;
	}

      if (check_dangling_stores (pred, stores)
	  && EDGE_COUNT (pred->preds) > 0)
	worklist.quick_push (ei_start (pred->preds));
    }
}
/* Check for and diagnose uses of dangling pointers to auto objects
   whose lifetime has ended.  Every SSA name in the function is
   examined: addresses of auto variables, other accesses to them,
   pointers returned from calls that return their argument, and PHI
   results whose arguments point to auto variables.  */

void
pass_waccess::check_dangling_uses ()
{
  unsigned i;
  tree var;
  FOR_EACH_SSA_NAME (i, var, m_func)
    {
      /* For each SSA_NAME pointer VAR find the object it points to.
	 If the object is a clobbered local variable, check to see
	 if any of VAR's uses (or those of other pointers derived
	 from VAR) happens after the clobber.  If so, warn.  */
      gimple *def_stmt = SSA_NAME_DEF_STMT (var);
      const bool is_ptr = POINTER_TYPE_P (TREE_TYPE (var));

      if (is_gimple_assign (def_stmt))
	{
	  tree rhs = gimple_assign_rhs1 (def_stmt);
	  if (TREE_CODE (rhs) != ADDR_EXPR)
	    {
	      /* For other expressions, check the base DECL to see
		 if it's been clobbered, most likely as a result of
		 inlining a reference to it.  */
	      tree decl = get_base_address (rhs);
	      if (DECL_P (decl))
		check_dangling_uses (var, decl, false, true);
	    }
	  else if (is_ptr)
	    check_dangling_uses (var, TREE_OPERAND (rhs, 0));
	  continue;
	}

      if (!is_ptr)
	continue;

      if (gcall *call = dyn_cast<gcall *>(def_stmt))
	{
	  tree arg = gimple_call_return_arg (call);
	  access_ref aref;
	  if (arg
	      && m_ptr_qry.get_ref (arg, call, &aref, 0)
	      && aref.deref < 0)
	    check_dangling_uses (var, aref.ref);
	}
      else if (gphi *phi = dyn_cast <gphi *>(def_stmt))
	{
	  const unsigned nargs = gimple_phi_num_args (phi);
	  for (unsigned j = 0; j != nargs; ++j)
	    {
	      access_ref aref;
	      tree arg = gimple_phi_arg_def (phi, j);
	      if (m_ptr_qry.get_ref (arg, phi, &aref, 0)
		  && aref.deref < 0)
		check_dangling_uses (var, aref.ref, true);
	    }
	}
    }
}
/* Check CALL arguments for dangling pointers (those that have been
   clobbered) and warn if found.  Only arguments that are the address
   of a declaration recorded in M_CLOBBERS are considered.  */

void
pass_waccess::check_call_dangling (gcall *call)
{
  const unsigned nargs = gimple_call_num_args (call);
  for (unsigned i = 0; i != nargs; ++i)
    {
      tree arg = gimple_call_arg (call, i);
      if (TREE_CODE (arg) != ADDR_EXPR)
	continue;

      tree obj = TREE_OPERAND (arg, 0);
      if (!DECL_P (obj))
	continue;

      gimple **pclobber = m_clobbers.get (obj);
      if (pclobber && use_after_inval_p (*pclobber, call))
	warn_invalid_pointer (NULL_TREE, call, *pclobber, obj, false);
    }
}
/* Check function FUN for invalid accesses.  Sets up dominators,
   back-edge marks and a ranger for FUN, checks every basic block,
   runs the dangling-pointer checks in the early run of the pass, and
   tears everything down again.  Always returns 0 (no TODO flags).  */

unsigned
pass_waccess::execute (function *fun)
{
  calculate_dominance_info (CDI_DOMINATORS);
  calculate_dominance_info (CDI_POST_DOMINATORS);

  /* Set or clear EDGE_DFS_BACK bits on back edges.  */
  mark_dfs_back_edges (fun);

  /* Create a new ranger instance and associate it with FUN.  */
  m_ptr_qry.rvals = enable_ranger (fun);
  m_func = fun;

  /* Check for dangling pointers in the earliest run of the pass.
     The latest point -Wdangling-pointer should run is just before
     loop unrolling which introduces uses after clobbers.  Most cases
     can be detected without optimization; cases where the address of
     the local variable is passed to and then returned from a user-
     defined function before its lifetime ends and the returned pointer
     becomes dangling depend on inlining.  */
  m_check_dangling_p = m_early_checks_p;

  /* The bitmap of blocks whose statement uids have been renumbered
     lives on this stack frame; the member pointer to it is reset
     before returning.  */
  auto_bitmap bb_uids_set (&bitmap_default_obstack);
  m_bb_uids_set = bb_uids_set;

  set_gimple_stmt_max_uid (m_func, 0);

  basic_block bb;
  FOR_EACH_BB_FN (bb, fun)
    check_block (bb);

  if (m_check_dangling_p)
    {
      check_dangling_uses ();
      check_dangling_stores ();
    }

  if (dump_file)
    m_ptr_qry.dump (dump_file, (dump_flags & TDF_DETAILS) != 0);

  m_ptr_qry.flush_cache ();

  /* Release the ranger instance and replace it with a global ranger.
     Also reset the pointer since calling disable_ranger() deletes it.  */
  disable_ranger (fun);
  m_ptr_qry.rvals = NULL;

  /* Clobbers recorded by check_stmt() are per function.  */
  m_clobbers.empty ();
  m_bb_uids_set = NULL;

  free_dominance_info (CDI_POST_DOMINATORS);
  free_dominance_info (CDI_DOMINATORS);
  return 0;
}
4804} // namespace
/* Return a new instance of the pass, owned by the caller (the pass
   manager) and created in context CTXT.  */

gimple_opt_pass *
make_pass_warn_access (gcc::context *ctxt)
{
  pass_waccess *pass = new pass_waccess (ctxt);
  return pass;
}