]> git.ipfire.org Git - thirdparty/gcc.git/blame - gcc/gimple-ssa-warn-restrict.cc
projects / thirdparty / gcc.git / blame
? search:
summary | shortlog | log | commit | commitdiff | tree
blob | blame (incremental) | history | HEAD
Don't build readline/libreadline.a, when --with-system-readline is supplied
[thirdparty/gcc.git] / gcc / gimple-ssa-warn-restrict.cc
CommitLineData
cc8bea0a
MS		 1/* Pass to detect and issue warnings for violations of the restrict
2 qualifier.
7adcbafe 3 Copyright (C) 2017-2022 Free Software Foundation, Inc.
cc8bea0a
MS		 4 Contributed by Martin Sebor <msebor@redhat.com>.
5
6 This file is part of GCC.
7
8 GCC is free software; you can redistribute it and/or modify it under
9 the terms of the GNU General Public License as published by the Free
10 Software Foundation; either version 3, or (at your option) any later
11 version.
12
13 GCC is distributed in the hope that it will be useful, but WITHOUT ANY
14 WARRANTY; without even the implied warranty of MERCHANTABILITY or
15 FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
16 for more details.
17
18 You should have received a copy of the GNU General Public License
19 along with GCC; see the file COPYING3. If not see
20 <http://www.gnu.org/licenses/>. */
21
22#include "config.h"
23#include "system.h"
24#include "coretypes.h"
25#include "backend.h"
26#include "tree.h"
27#include "gimple.h"
cc8bea0a 28#include "tree-pass.h"
2a837de2 29#include "pointer-query.h"
cc8bea0a
MS		 30#include "ssa.h"
31#include "gimple-pretty-print.h"
b48d4e68 32#include "gimple-ssa-warn-access.h"
cc8bea0a
MS		 33#include "gimple-ssa-warn-restrict.h"
34#include "diagnostic-core.h"
35#include "fold-const.h"
36#include "gimple-iterator.h"
37#include "tree-dfa.h"
38#include "tree-ssa.h"
cc8bea0a
MS		 39#include "tree-cfg.h"
40#include "tree-object-size.h"
41#include "calls.h"
42#include "cfgloop.h"
43#include "intl.h"
e864d395 44#include "gimple-range.h"
cc8bea0a
MS		 45
46namespace {
47
48const pass_data pass_data_wrestrict = {
49 GIMPLE_PASS,
50 "wrestrict",
51 OPTGROUP_NONE,
52 TV_NONE,
53 PROP_cfg, /* Properties_required. */
54 0, /* properties_provided. */
55 0, /* properties_destroyed. */
56 0, /* properties_start */
57 0, /* properties_finish */
58};
59
60/* Pass to detect violations of strict aliasing requirements in calls
61 to built-in string and raw memory functions. */
62class pass_wrestrict : public gimple_opt_pass
63{
64 public:
30d15b51 65 pass_wrestrict (gcc::context *);
cc8bea0a 66
725793af
DM		 67 bool gate (function *) final override;
68 unsigned int execute (function *) final override;
30d15b51
MS		 69
70 void check_call (gimple *);
71
72 void check_block (basic_block);
73
74 /* A pointer_query object to store information about pointers and
75 their targets in. */
76 pointer_query m_ptr_qry;
cc8bea0a
MS		 77};
78
30d15b51
MS		 79pass_wrestrict::pass_wrestrict (gcc::context *ctxt)
80 : gimple_opt_pass (pass_data_wrestrict, ctxt),
81 m_ptr_qry ()
82{ }
83
cc8bea0a
MS		 84bool
85pass_wrestrict::gate (function *fun ATTRIBUTE_UNUSED)
86{
287ef129 87 return warn_array_bounds || warn_restrict || warn_stringop_overflow;
cc8bea0a
MS		 88}
89
30d15b51
MS		 90void
91pass_wrestrict::check_block (basic_block bb)
cc8bea0a
MS		 92{
93 /* Iterate over statements, looking for function calls. */
30d15b51 94 for (auto si = gsi_start_bb (bb); !gsi_end_p (si); gsi_next (&si))
cc8bea0a
MS		 95 {
96 gimple *stmt = gsi_stmt (si);
97 if (!is_gimple_call (stmt))
98 continue;
99
30d15b51 100 check_call (stmt);
cc8bea0a 101 }
cc8bea0a
MS		 102}
103
cc8bea0a
MS		 104unsigned
105pass_wrestrict::execute (function *fun)
106{
30d15b51
MS		 107 /* Create a new ranger instance and associate it with FUN. */
108 m_ptr_qry.rvals = enable_ranger (fun);
109
e864d395
AH		 110 basic_block bb;
111 FOR_EACH_BB_FN (bb, fun)
30d15b51
MS		 112 check_block (bb);
113
114 m_ptr_qry.flush_cache ();
115
116 /* Release the ranger instance and replace it with a global ranger.
117 Also reset the pointer since calling disable_ranger() deletes it. */
118 disable_ranger (fun);
119 m_ptr_qry.rvals = NULL;
cc8bea0a
MS		 120
121 return 0;
122}
123
124/* Description of a memory reference by a built-in function. This
125 is similar to ao_ref but made especially suitable for -Wrestrict
126 and not for optimization. */
6c1dae73 127class builtin_memref
cc8bea0a 128{
6c1dae73 129public:
cc8bea0a
MS		 130 /* The original pointer argument to the built-in function. */
131 tree ptr;
132 /* The referenced subobject or NULL if not available, and the base
133 object of the memory reference or NULL. */
134 tree ref;
135 tree base;
136
137 /* The size of the BASE object, PTRDIFF_MAX if indeterminate,
138 and negative until (possibly lazily) initialized. */
139 offset_int basesize;
6889a3ac
MS		 140 /* Same for the subobject. */
141 offset_int refsize;
cc8bea0a
MS		 142
143 /* The non-negative offset of the referenced subobject. Used to avoid
144 warnings for (apparently) possibly but not definitively overlapping
145 accesses to member arrays. Negative when unknown/invalid. */
146 offset_int refoff;
147
148 /* The offset range relative to the base. */
149 offset_int offrange[2];
150 /* The size range of the access to this reference. */
151 offset_int sizrange[2];
152
a411ae9b
MS		 153 /* Cached result of get_max_objsize(). */
154 const offset_int maxobjsize;
155
cc8bea0a
MS		 156 /* True for "bounded" string functions like strncat, and strncpy
157 and their variants that specify either an exact or upper bound
158 on the size of the accesses they perform. For strncat both
159 the source and destination references are bounded. For strncpy
160 only the destination reference is. */
161 bool strbounded_p;
162
30d15b51 163 builtin_memref (pointer_query &, gimple *, tree, tree);
cc8bea0a 164
6889a3ac 165 tree offset_out_of_bounds (int, offset_int[3]) const;
5e27f0d5
MS		 166
167private:
e864d395
AH		 168 /* Call statement to the built-in. */
169 gimple *stmt;
170
30d15b51 171 pointer_query &m_ptr_qry;
5e27f0d5
MS		 172
173 /* Ctor helper to set or extend OFFRANGE based on argument. */
174 void extend_offset_range (tree);
175
176 /* Ctor helper to determine BASE and OFFRANGE from argument. */
177 void set_base_and_offset (tree);
cc8bea0a
MS		 178};
179
180/* Description of a memory access by a raw memory or string built-in
181 function involving a pair of builtin_memref's. */
182class builtin_access
183{
184 public:
185 /* Destination and source memory reference. */
186 builtin_memref* const dstref;
187 builtin_memref* const srcref;
188 /* The size range of the access. It's the greater of the accesses
189 to the two references. */
190 HOST_WIDE_INT sizrange[2];
191
192 /* The minimum and maximum offset of an overlap of the access
193 (if it does, in fact, overlap), and the size of the overlap. */
194 HOST_WIDE_INT ovloff[2];
195 HOST_WIDE_INT ovlsiz[2];
196
197 /* True to consider valid only accesses to the smallest subobject
198 and false for raw memory functions. */
199 bool strict () const
200 {
6889a3ac
MS		 201 return (detect_overlap != &builtin_access::generic_overlap
202 && detect_overlap != &builtin_access::no_overlap);
cc8bea0a
MS		 203 }
204
30d15b51
MS		 205 builtin_access (pointer_query &, gimple *,
206 builtin_memref &, builtin_memref &);
cc8bea0a
MS		 207
208 /* Entry point to determine overlap. */
209 bool overlap ();
210
6889a3ac
MS		 211 offset_int write_off (tree) const;
212
213 void dump (FILE *) const;
214
cc8bea0a
MS		 215 private:
216 /* Implementation functions used to determine overlap. */
217 bool generic_overlap ();
218 bool strcat_overlap ();
219 bool strcpy_overlap ();
220
221 bool no_overlap ()
222 {
223 return false;
224 }
225
226 offset_int overlap_size (const offset_int [2], const offset_int[2],
227 offset_int [2]);
228
229 private:
230 /* Temporaries used to compute the final result. */
231 offset_int dstoff[2];
232 offset_int srcoff[2];
233 offset_int dstsiz[2];
234 offset_int srcsiz[2];
235
236 /* Pointer to a member function to call to determine overlap. */
237 bool (builtin_access::*detect_overlap) ();
238};
239
240/* Initialize a memory reference representation from a pointer EXPR and
241 a size SIZE in bytes. If SIZE is NULL_TREE then the size is assumed
e864d395 242 to be unknown. STMT is the statement in which expr appears in. */
cc8bea0a 243
30d15b51 244builtin_memref::builtin_memref (pointer_query &ptrqry, gimple *stmt, tree expr,
e864d395 245 tree size)
cc8bea0a
MS		 246: ptr (expr),
247 ref (),
248 base (),
249 basesize (-1),
6889a3ac 250 refsize (-1),
cc8bea0a
MS		 251 refoff (HOST_WIDE_INT_MIN),
252 offrange (),
253 sizrange (),
a411ae9b 254 maxobjsize (tree_to_shwi (max_object_size ())),
e864d395
AH		 255 strbounded_p (),
256 stmt (stmt),
30d15b51 257 m_ptr_qry (ptrqry)
cc8bea0a
MS		 258{
259 /* Unfortunately, wide_int default ctor is a no-op so array members
260 of the type must be set individually. */
261 offrange[0] = offrange[1] = 0;
262 sizrange[0] = sizrange[1] = 0;
263
a411ae9b
MS		 264 if (!expr)
265 return;
cc8bea0a 266
5e27f0d5
MS		 267 /* Find the BASE object or pointer referenced by EXPR and set
268 the offset range OFFRANGE in the process. */
269 set_base_and_offset (expr);
270
271 if (size)
272 {
273 tree range[2];
274 /* Determine the size range, allowing for the result to be [0, 0]
275 for SIZE in the anti-range ~[0, N] where N >= PTRDIFF_MAX. */
30d15b51 276 get_size_range (m_ptr_qry.rvals, size, stmt, range, SR_ALLOW_ZERO);
5e27f0d5
MS		 277 sizrange[0] = wi::to_offset (range[0]);
278 sizrange[1] = wi::to_offset (range[1]);
279 /* get_size_range returns SIZE_MAX for the maximum size.
280 Constrain it to the real maximum of PTRDIFF_MAX. */
287ef129 281 if (sizrange[0] <= maxobjsize && sizrange[1] > maxobjsize)
5e27f0d5
MS		 282 sizrange[1] = maxobjsize;
283 }
284 else
285 sizrange[1] = maxobjsize;
286
7ad491c6
MS		 287 if (!DECL_P (base))
288 return;
289
290 /* If the offset could be in the range of the referenced object
291 constrain its bounds so neither exceeds those of the object. */
292 if (offrange[0] < 0 && offrange[1] > 0)
293 offrange[0] = 0;
294
295 offset_int maxoff = maxobjsize;
5e27f0d5 296 tree basetype = TREE_TYPE (base);
1486eb79
MS		 297 if (TREE_CODE (basetype) == ARRAY_TYPE)
298 {
299 if (ref && array_at_struct_end_p (ref))
300 ; /* Use the maximum possible offset for last member arrays. */
301 else if (tree basesize = TYPE_SIZE_UNIT (basetype))
302 if (TREE_CODE (basesize) == INTEGER_CST)
303 /* Size could be non-constant for a variable-length type such
304 as a struct with a VLA member (a GCC extension). */
305 maxoff = wi::to_offset (basesize);
306 }
7ad491c6
MS		 307
308 if (offrange[0] >= 0)
5e27f0d5 309 {
7ad491c6
MS		 310 if (offrange[1] < 0)
311 offrange[1] = offrange[0] <= maxoff ? maxoff : maxobjsize;
312 else if (offrange[0] <= maxoff && offrange[1] > maxoff)
313 offrange[1] = maxoff;
5e27f0d5
MS		 314 }
315}
316
6889a3ac
MS		 317/* Based on the initial length of the destination STARTLEN, returns
318 the offset of the first write access from the beginning of
319 the destination. Nonzero only for strcat-type of calls. */
320
321offset_int builtin_access::write_off (tree startlen) const
322{
323 if (detect_overlap != &builtin_access::strcat_overlap
324 || !startlen || TREE_CODE (startlen) != INTEGER_CST)
325 return 0;
326
327 return wi::to_offset (startlen);
328}
329
a411ae9b
MS		 330/* Ctor helper to set or extend OFFRANGE based on the OFFSET argument.
331 Pointer offsets are represented as unsigned sizetype but must be
332 treated as signed. */
5e27f0d5
MS		 333
334void
335builtin_memref::extend_offset_range (tree offset)
336{
5e27f0d5
MS		 337 if (TREE_CODE (offset) == INTEGER_CST)
338 {
339 offset_int off = int_cst_value (offset);
340 if (off != 0)
341 {
342 offrange[0] += off;
343 offrange[1] += off;
344 }
345 return;
346 }
347
348 if (TREE_CODE (offset) == SSA_NAME)
349 {
a411ae9b
MS		 350 /* A pointer offset is represented as sizetype but treated
351 as signed. */
5e27f0d5 352 wide_int min, max;
30d15b51 353 value_range_kind rng = VR_VARYING;
e864d395 354 value_range vr;
30d15b51 355 if (m_ptr_qry.rvals->range_of_expr (vr, offset, stmt))
e864d395
AH		 356 {
357 rng = vr.kind ();
358 if (!vr.undefined_p ())
359 {
360 min = wi::to_wide (vr.min ());
361 max = wi::to_wide (vr.max ());
362 }
363 }
30d15b51 364
a411ae9b
MS		 365 if (rng == VR_ANTI_RANGE && wi::lts_p (max, min))
366 {
367 /* Convert an anti-range whose upper bound is less than
368 its lower bound to a signed range. */
369 offrange[0] += offset_int::from (max + 1, SIGNED);
370 offrange[1] += offset_int::from (min - 1, SIGNED);
371 return;
372 }
373
374 if (rng == VR_RANGE
375 && (DECL_P (base) || wi::lts_p (min, max)))
5e27f0d5 376 {
a411ae9b
MS		 377 /* Preserve the bounds of the range for an offset into
378 a known object (it may be adjusted later relative to
379 a constant offset from its beginning). Otherwise use
380 the bounds only when they are ascending when treated
381 as signed. */
5e27f0d5
MS		 382 offrange[0] += offset_int::from (min, SIGNED);
383 offrange[1] += offset_int::from (max, SIGNED);
a411ae9b 384 return;
5e27f0d5 385 }
a411ae9b
MS		 386
387 /* Handle an anti-range the same as no range at all. */
388 gimple *stmt = SSA_NAME_DEF_STMT (offset);
389 tree type;
390 if (is_gimple_assign (stmt)
391 && (type = TREE_TYPE (gimple_assign_rhs1 (stmt)))
392 && INTEGRAL_TYPE_P (type))
5e27f0d5 393 {
a411ae9b
MS		 394 tree_code code = gimple_assign_rhs_code (stmt);
395 if (code == NOP_EXPR)
5e27f0d5
MS		 396 {
397 /* Use the bounds of the type of the NOP_EXPR operand
398 even if it's signed. The result doesn't trigger
399 warnings but makes their output more readable. */
400 offrange[0] += wi::to_offset (TYPE_MIN_VALUE (type));
401 offrange[1] += wi::to_offset (TYPE_MAX_VALUE (type));
a411ae9b 402 return;
5e27f0d5 403 }
5e27f0d5 404 }
5e27f0d5
MS		 405 }
406
a411ae9b
MS		 407 const offset_int maxoff = tree_to_shwi (max_object_size ()) >> 1;
408 const offset_int minoff = -maxoff - 1;
409
410 offrange[0] += minoff;
411 offrange[1] += maxoff;
5e27f0d5
MS		 412}
413
414/* Determines the base object or pointer of the reference EXPR
415 and the offset range from the beginning of the base. */
416
417void
418builtin_memref::set_base_and_offset (tree expr)
419{
a411ae9b 420 tree offset = NULL_TREE;
5e27f0d5 421
cc8bea0a
MS		 422 if (TREE_CODE (expr) == SSA_NAME)
423 {
424 /* Try to tease the offset out of the pointer. */
425 gimple *stmt = SSA_NAME_DEF_STMT (expr);
5e27f0d5
MS		 426 if (!base
427 && gimple_assign_single_p (stmt)
cc8bea0a
MS		 428 && gimple_assign_rhs_code (stmt) == ADDR_EXPR)
429 expr = gimple_assign_rhs1 (stmt);
430 else if (is_gimple_assign (stmt))
431 {
432 tree_code code = gimple_assign_rhs_code (stmt);
0c0feae6 433 if (CONVERT_EXPR_CODE_P (code))
cc8bea0a
MS		 434 {
435 tree rhs = gimple_assign_rhs1 (stmt);
436 if (POINTER_TYPE_P (TREE_TYPE (rhs)))
437 expr = gimple_assign_rhs1 (stmt);
5e27f0d5
MS		 438 else
439 {
440 base = expr;
441 return;
442 }
cc8bea0a
MS		 443 }
444 else if (code == POINTER_PLUS_EXPR)
445 {
446 expr = gimple_assign_rhs1 (stmt);
a411ae9b 447 offset = gimple_assign_rhs2 (stmt);
cc8bea0a 448 }
5e27f0d5
MS		 449 else
450 {
451 base = expr;
452 return;
453 }
454 }
455 else
456 {
a411ae9b
MS		 457 /* FIXME: Handle PHI nodes in case like:
458 _12 = &MEM[(void *)&a + 2B] + _10;
459
460 <bb> [local count: 1073741824]:
461 # prephitmp_13 = PHI <_12, &MEM[(void *)&a + 2B]>
462 memcpy (prephitmp_13, p_7(D), 6); */
5e27f0d5
MS		 463 base = expr;
464 return;
cc8bea0a
MS		 465 }
466 }
467
468 if (TREE_CODE (expr) == ADDR_EXPR)
5e27f0d5 469 expr = TREE_OPERAND (expr, 0);
cc8bea0a 470
8286793a
MS		 471 /* Stash the reference for offset validation. */
472 ref = expr;
473
5e27f0d5
MS		 474 poly_int64 bitsize, bitpos;
475 tree var_off;
476 machine_mode mode;
477 int sign, reverse, vol;
cc8bea0a 478
5e27f0d5
MS		 479 /* Determine the base object or pointer of the reference and
480 the constant bit offset from the beginning of the base.
481 If the offset has a non-constant component, it will be in
482 VAR_OFF. MODE, SIGN, REVERSE, and VOL are write only and
483 unused here. */
484 base = get_inner_reference (expr, &bitsize, &bitpos, &var_off,
485 &mode, &sign, &reverse, &vol);
cc8bea0a 486
8286793a
MS		 487 /* get_inner_reference is not expected to return null. */
488 gcc_assert (base != NULL);
489
a411ae9b
MS		 490 if (offset)
491 extend_offset_range (offset);
492
5e27f0d5 493 poly_int64 bytepos = exact_div (bitpos, BITS_PER_UNIT);
cc8bea0a 494
ce811fc4 495 /* Convert the poly_int64 offset to offset_int. The offset
8286793a
MS		 496 should be constant but be prepared for it not to be just in
497 case. */
498 offset_int cstoff;
499 if (bytepos.is_constant (&cstoff))
5e27f0d5 500 {
8286793a
MS		 501 offrange[0] += cstoff;
502 offrange[1] += cstoff;
cc8bea0a 503
8286793a
MS		 504 /* Besides the reference saved above, also stash the offset
505 for validation. */
506 if (TREE_CODE (expr) == COMPONENT_REF)
507 refoff = cstoff;
508 }
509 else
510 offrange[1] += maxobjsize;
cc8bea0a 511
5e27f0d5 512 if (var_off)
cc8bea0a 513 {
5e27f0d5 514 if (TREE_CODE (var_off) == INTEGER_CST)
aca52e6f 515 {
8286793a 516 cstoff = wi::to_offset (var_off);
5e27f0d5
MS		 517 offrange[0] += cstoff;
518 offrange[1] += cstoff;
aca52e6f
RS		 519 }
520 else
5e27f0d5 521 offrange[1] += maxobjsize;
cc8bea0a
MS		 522 }
523
5e27f0d5 524 if (TREE_CODE (base) == MEM_REF)
816fad6e 525 {
6889a3ac 526 tree memrefoff = fold_convert (ptrdiff_type_node, TREE_OPERAND (base, 1));
5e27f0d5 527 extend_offset_range (memrefoff);
6889a3ac
MS		 528
529 if (refoff != HOST_WIDE_INT_MIN
530 && TREE_CODE (expr) == COMPONENT_REF)
531 {
532 /* Bump up the offset of the referenced subobject to reflect
533 the offset to the enclosing object. For example, so that
534 in
535 struct S { char a, b[3]; } s[2];
536 strcpy (s[1].b, "1234");
537 REFOFF is set to s[1].b - (char*)s. */
81011859
MS		 538 offset_int off = tree_to_shwi (memrefoff);
539 refoff += off;
e7c482b0
RB		 540
541 if (!integer_zerop (memrefoff)
542 && !COMPLETE_TYPE_P (TREE_TYPE (expr))
543 && multiple_of_p (sizetype, memrefoff,
544 TYPE_SIZE_UNIT (TREE_TYPE (base)), true))
545 /* A non-zero offset into an array of struct with flexible array
546 members implies that the array is empty because there is no
547 way to initialize such a member when it belongs to an array.
548 This must be some sort of a bug. */
549 refsize = 0;
550 }
551
552 base = TREE_OPERAND (base, 0);
816fad6e
MS		 553 }
554
6889a3ac
MS		 555 if (TREE_CODE (ref) == COMPONENT_REF)
556 if (tree size = component_ref_size (ref))
557 if (TREE_CODE (size) == INTEGER_CST)
558 refsize = wi::to_offset (size);
559
5e27f0d5
MS		 560 if (TREE_CODE (base) == SSA_NAME)
561 set_base_and_offset (base);
cc8bea0a
MS		 562}
563
564/* Return error_mark_node if the signed offset exceeds the bounds
6889a3ac
MS		 565 of the address space (PTRDIFF_MAX). Otherwise, return either BASE
566 or REF when the offset exceeds the bounds of the BASE or REF object,
567 and set OOBOFF to the past-the-end offset formed by the reference,
568 including its size. OOBOFF is initially setto the range of offsets,
569 and OOBOFF[2] to the offset of the first write access (nonzero for
570 the strcat family). When STRICT is nonzero use REF size, when
571 available, otherwise use BASE size. When STRICT is greater than 1,
572 use the size of the last array member as the bound, otherwise treat
573 such a member as a flexible array member. Return NULL when the offset
574 is in bounds. */
cc8bea0a
MS		 575
576tree
6889a3ac 577builtin_memref::offset_out_of_bounds (int strict, offset_int ooboff[3]) const
cc8bea0a 578{
a411ae9b
MS		 579 if (!ptr)
580 return NULL_TREE;
cc8bea0a 581
6889a3ac
MS		 582 /* The offset of the first write access or zero. */
583 offset_int wroff = ooboff[2];
584
cc8bea0a 585 /* A temporary, possibly adjusted, copy of the offset range. */
6889a3ac 586 offset_int offrng[2] = { ooboff[0], ooboff[1] };
cc8bea0a
MS		 587
588 if (DECL_P (base) && TREE_CODE (TREE_TYPE (base)) == ARRAY_TYPE)
589 {
56735d40
MS		 590 /* Check for offset in an anti-range with a negative lower bound.
591 For such a range, consider only the non-negative subrange. */
592 if (offrng[1] < offrng[0] && offrng[1] < 0)
cc8bea0a
MS		 593 offrng[1] = maxobjsize;
594 }
595
596 /* Conservative offset of the last byte of the referenced object. */
597 offset_int endoff;
598
599 /* The bounds need not be ordered. Set HIB to use as the index
600 of the larger of the bounds and LOB as the opposite. */
601 bool hib = wi::les_p (offrng[0], offrng[1]);
602 bool lob = !hib;
603
700d4cb0 604 /* Set to the size remaining in the object after subtracting
6889a3ac
MS		 605 REFOFF. It may become negative as a result of negative indices
606 into the enclosing object, such as in:
607 extern struct S { char a[4], b[3], c[1]; } *p;
608 strcpy (p[-3].b, "123"); */
609 offset_int size = basesize;
610 tree obj = base;
611
612 const bool decl_p = DECL_P (obj);
613
cc8bea0a
MS		 614 if (basesize < 0)
615 {
6889a3ac 616 endoff = offrng[lob] + (sizrange[0] - wroff);
cc8bea0a
MS		 617
618 /* For a reference through a pointer to an object of unknown size
619 all initial offsets are considered valid, positive as well as
620 negative, since the pointer itself can point past the beginning
621 of the object. However, the sum of the lower bound of the offset
622 and that of the size must be less than or equal than PTRDIFF_MAX. */
623 if (endoff > maxobjsize)
624 return error_mark_node;
625
6889a3ac
MS		 626 /* When the referenced subobject is known, the end offset must be
627 within its bounds. Otherwise there is nothing to do. */
628 if (strict
629 && !decl_p
630 && ref
631 && refsize >= 0
632 && TREE_CODE (ref) == COMPONENT_REF)
633 {
634 /* If REFOFF is negative, SIZE will become negative here. */
635 size = refoff + refsize;
636 obj = ref;
637 }
638 else
639 return NULL_TREE;
cc8bea0a
MS		 640 }
641
642 /* A reference to an object of known size must be within the bounds
6889a3ac
MS		 643 of either the base object or the subobject (see above for when
644 a subobject can be used). */
645 if ((decl_p && offrng[hib] < 0) || offrng[lob] > size)
646 return obj;
cc8bea0a
MS		 647
648 /* The extent of the reference must also be within the bounds of
6889a3ac
MS		 649 the base object (if known) or the subobject or the maximum object
650 size otherwise. */
651 endoff = offrng[lob] + sizrange[0];
cc8bea0a
MS		 652 if (endoff > maxobjsize)
653 return error_mark_node;
654
cc8bea0a 655 if (strict
6889a3ac 656 && decl_p
cc8bea0a 657 && ref
6889a3ac
MS		 658 && refsize >= 0
659 && TREE_CODE (ref) == COMPONENT_REF)
cc8bea0a 660 {
6889a3ac
MS		 661 /* If the reference is to a member subobject of a declared object,
662 the offset must be within the bounds of the subobject. */
663 size = refoff + refsize;
664 obj = ref;
cc8bea0a
MS		 665 }
666
667 if (endoff <= size)
668 return NULL_TREE;
669
670 /* Set the out-of-bounds offset range to be one greater than
671 that delimited by the reference including its size. */
6889a3ac 672 ooboff[lob] = size;
cc8bea0a
MS		 673
674 if (endoff > ooboff[lob])
6889a3ac 675 ooboff[hib] = endoff - 1;
cc8bea0a 676 else
6889a3ac 677 ooboff[hib] = offrng[lob] + sizrange[1];
cc8bea0a
MS		 678
679 return obj;
680}
681
682/* Create an association between the memory references DST and SRC
683 for access by a call EXPR to a memory or string built-in funtion. */
684
30d15b51 685builtin_access::builtin_access (pointer_query &ptrqry, gimple *call,
e864d395 686 builtin_memref &dst,
cc8bea0a
MS		 687 builtin_memref &src)
688: dstref (&dst), srcref (&src), sizrange (), ovloff (), ovlsiz (),
689 dstoff (), srcoff (), dstsiz (), srcsiz ()
690{
6889a3ac
MS		 691 dstoff[0] = dst.offrange[0];
692 dstoff[1] = dst.offrange[1];
693
cc8bea0a 694 /* Zero out since the offset_int ctors invoked above are no-op. */
cc8bea0a
MS		 695 srcoff[0] = srcoff[1] = 0;
696 dstsiz[0] = dstsiz[1] = 0;
697 srcsiz[0] = srcsiz[1] = 0;
698
699 /* Object Size Type to use to determine the size of the destination
700 and source objects. Overridden below for raw memory functions. */
701 int ostype = 1;
702
703 /* True when the size of one reference depends on the offset of
704 itself or the other. */
705 bool depends_p = true;
706
707 /* True when the size of the destination reference DSTREF has been
708 determined from SRCREF and so needs to be adjusted by the latter's
709 offset. Only meaningful for bounded string functions like strncpy. */
710 bool dstadjust_p = false;
711
712 /* The size argument number (depends on the built-in). */
713 unsigned sizeargno = 2;
cc8bea0a
MS		 714
715 tree func = gimple_call_fndecl (call);
716 switch (DECL_FUNCTION_CODE (func))
717 {
718 case BUILT_IN_MEMCPY:
719 case BUILT_IN_MEMCPY_CHK:
cc8bea0a
MS		 720 case BUILT_IN_MEMPCPY:
721 case BUILT_IN_MEMPCPY_CHK:
cc8bea0a
MS		 722 ostype = 0;
723 depends_p = false;
724 detect_overlap = &builtin_access::generic_overlap;
725 break;
726
727 case BUILT_IN_MEMMOVE:
728 case BUILT_IN_MEMMOVE_CHK:
cc8bea0a
MS		 729 /* For memmove there is never any overlap to check for. */
730 ostype = 0;
731 depends_p = false;
732 detect_overlap = &builtin_access::no_overlap;
733 break;
734
a411ae9b
MS		 735 case BUILT_IN_MEMSET:
736 case BUILT_IN_MEMSET_CHK:
737 /* For memset there is never any overlap to check for. */
738 ostype = 0;
739 depends_p = false;
740 detect_overlap = &builtin_access::no_overlap;
741 break;
742
cc8bea0a
MS		 743 case BUILT_IN_STPNCPY:
744 case BUILT_IN_STPNCPY_CHK:
745 case BUILT_IN_STRNCPY:
746 case BUILT_IN_STRNCPY_CHK:
747 dstref->strbounded_p = true;
748 detect_overlap = &builtin_access::strcpy_overlap;
749 break;
750
751 case BUILT_IN_STPCPY:
752 case BUILT_IN_STPCPY_CHK:
cc8bea0a
MS		 753 case BUILT_IN_STRCPY:
754 case BUILT_IN_STRCPY_CHK:
cc8bea0a
MS		 755 detect_overlap = &builtin_access::strcpy_overlap;
756 break;
757
758 case BUILT_IN_STRCAT:
759 case BUILT_IN_STRCAT_CHK:
cc8bea0a
MS		 760 detect_overlap = &builtin_access::strcat_overlap;
761 break;
762
763 case BUILT_IN_STRNCAT:
764 case BUILT_IN_STRNCAT_CHK:
765 dstref->strbounded_p = true;
766 srcref->strbounded_p = true;
767 detect_overlap = &builtin_access::strcat_overlap;
768 break;
769
770 default:
771 /* Handle other string functions here whose access may need
772 to be validated for in-bounds offsets and non-overlapping
31db0fe0 773 copies. */
cc8bea0a
MS		 774 return;
775 }
776
cc8bea0a
MS		 777 /* Try to determine the size of the base object. compute_objsize
778 expects a pointer so create one if BASE is a non-pointer object. */
cc8bea0a
MS		 779 if (dst.basesize < 0)
780 {
30d15b51
MS		 781 access_ref aref;
782 if (ptrqry.get_ref (dst.base, call, &aref, ostype) && aref.base0)
783 dst.basesize = aref.sizrng[1];
cc8bea0a 784 else
30d15b51 785 dst.basesize = HOST_WIDE_INT_MIN;
cc8bea0a
MS		 786 }
787
a411ae9b 788 if (src.base && src.basesize < 0)
cc8bea0a 789 {
30d15b51
MS		 790 access_ref aref;
791 if (ptrqry.get_ref (src.base, call, &aref, ostype) && aref.base0)
792 src.basesize = aref.sizrng[1];
cc8bea0a 793 else
30d15b51 794 src.basesize = HOST_WIDE_INT_MIN;
cc8bea0a
MS		 795 }
796
30d15b51
MS		 797 const offset_int maxobjsize = dst.maxobjsize;
798
6889a3ac
MS		 799 /* Make adjustments for references to the same object by string
800 built-in functions to reflect the constraints imposed by
801 the function. */
cc8bea0a
MS		 802
803 /* For bounded string functions determine the range of the bound
804 on the access. For others, the range stays unbounded. */
805 offset_int bounds[2] = { maxobjsize, maxobjsize };
806 if (dstref->strbounded_p)
807 {
9a0cbb60
MS		 808 unsigned nargs = gimple_call_num_args (call);
809 if (nargs <= sizeargno)
810 return;
811
cc8bea0a
MS		 812 tree size = gimple_call_arg (call, sizeargno);
813 tree range[2];
30d15b51 814 if (get_size_range (ptrqry.rvals, size, call, range, true))
cc8bea0a
MS		 815 {
816 bounds[0] = wi::to_offset (range[0]);
817 bounds[1] = wi::to_offset (range[1]);
818 }
819
820 /* If both references' size ranges are indeterminate use the last
821 (size) argument from the function call as a substitute. This
822 may only be necessary for strncpy (but not for memcpy where
823 the size range would have been already determined this way). */
824 if (dstref->sizrange[0] == 0 && dstref->sizrange[1] == maxobjsize
825 && srcref->sizrange[0] == 0 && srcref->sizrange[1] == maxobjsize)
826 {
827 dstref->sizrange[0] = bounds[0];
828 dstref->sizrange[1] = bounds[1];
829 }
830 }
831
6889a3ac 832 bool dstsize_set = false;
cc8bea0a
MS		 833 /* The size range of one reference involving the same base object
834 can be determined from the size range of the other reference.
835 This makes it possible to compute accurate offsets for warnings
836 involving functions like strcpy where the length of just one of
837 the two arguments is known (determined by tree-ssa-strlen). */
838 if (dstref->sizrange[0] == 0 && dstref->sizrange[1] == maxobjsize)
839 {
840 /* When the destination size is unknown set it to the size of
841 the source. */
842 dstref->sizrange[0] = srcref->sizrange[0];
843 dstref->sizrange[1] = srcref->sizrange[1];
6889a3ac 844 dstsize_set = true;
cc8bea0a
MS		 845 }
846 else if (srcref->sizrange[0] == 0 && srcref->sizrange[1] == maxobjsize)
847 {
3942060c
MS		 848 /* When the size of the source access is unknown set it to the size
849 of the destination first and adjust it later if necessary. */
cc8bea0a
MS		 850 srcref->sizrange[0] = dstref->sizrange[0];
851 srcref->sizrange[1] = dstref->sizrange[1];
852
853 if (depends_p)
854 {
855 if (dstref->strbounded_p)
856 {
6889a3ac
MS		 857 /* Read access by strncpy is constrained by the third
858 argument but except for a zero bound is at least one. */
3942060c
MS		 859 srcref->sizrange[0] = bounds[1] > 0 ? 1 : 0;
860 offset_int bound = wi::umin (srcref->basesize, bounds[1]);
6889a3ac
MS		 861 if (bound < srcref->sizrange[1])
862 srcref->sizrange[1] = bound;
cc8bea0a 863 }
cc8bea0a
MS		 864 /* For string functions, adjust the size range of the source
865 reference by the inverse boundaries of the offset (because
c7c9468a 866 the higher the offset into the string the shorter its
cc8bea0a 867 length). */
c7c9468a
JL		 868 if (srcref->offrange[1] >= 0
869 && srcref->offrange[1] < srcref->sizrange[0])
cc8bea0a
MS		 870 srcref->sizrange[0] -= srcref->offrange[1];
871 else
3942060c 872 srcref->sizrange[0] = 1;
cc8bea0a
MS		 873
874 if (srcref->offrange[0] > 0)
875 {
876 if (srcref->offrange[0] < srcref->sizrange[1])
877 srcref->sizrange[1] -= srcref->offrange[0];
878 else
879 srcref->sizrange[1] = 0;
880 }
881
882 dstadjust_p = true;
883 }
884 }
885
886 if (detect_overlap == &builtin_access::generic_overlap)
887 {
888 if (dstref->strbounded_p)
889 {
890 dstref->sizrange[0] = bounds[0];
891 dstref->sizrange[1] = bounds[1];
892
893 if (dstref->sizrange[0] < srcref->sizrange[0])
894 srcref->sizrange[0] = dstref->sizrange[0];
895
896 if (dstref->sizrange[1] < srcref->sizrange[1])
897 srcref->sizrange[1] = dstref->sizrange[1];
898 }
899 }
900 else if (detect_overlap == &builtin_access::strcpy_overlap)
901 {
902 if (!dstref->strbounded_p)
903 {
904 /* For strcpy, adjust the destination size range to match that
905 of the source computed above. */
906 if (depends_p && dstadjust_p)
907 {
908 dstref->sizrange[0] = srcref->sizrange[0];
909 dstref->sizrange[1] = srcref->sizrange[1];
910 }
911 }
912 }
6889a3ac
MS		 913 else if (!dstsize_set && detect_overlap == &builtin_access::strcat_overlap)
914 {
915 dstref->sizrange[0] += srcref->sizrange[0] - 1;
916 dstref->sizrange[1] += srcref->sizrange[1] - 1;
917 }
cc8bea0a
MS		 918
919 if (dstref->strbounded_p)
920 {
921 /* For strncpy, adjust the destination size range to match that
922 of the source computed above. */
923 dstref->sizrange[0] = bounds[0];
924 dstref->sizrange[1] = bounds[1];
925
926 if (bounds[0] < srcref->sizrange[0])
927 srcref->sizrange[0] = bounds[0];
928
929 if (bounds[1] < srcref->sizrange[1])
930 srcref->sizrange[1] = bounds[1];
931 }
932}
933
934offset_int
935builtin_access::overlap_size (const offset_int a[2], const offset_int b[2],
936 offset_int *off)
937{
938 const offset_int *p = a;
939 const offset_int *q = b;
940
941 /* Point P at the bigger of the two ranges and Q at the smaller. */
942 if (wi::lts_p (a[1] - a[0], b[1] - b[0]))
943 {
944 p = b;
945 q = a;
946 }
947
948 if (p[0] < q[0])
949 {
950 if (p[1] < q[0])
951 return 0;
952
953 *off = q[0];
954 return wi::smin (p[1], q[1]) - q[0];
955 }
956
957 if (q[1] < p[0])
958 return 0;
959
960 off[0] = p[0];
961 return q[1] - p[0];
962}
963
964/* Return true if the bounded mempry (memcpy amd similar) or string function
965 access (strncpy and similar) ACS overlaps. */
966
967bool
968builtin_access::generic_overlap ()
969{
970 builtin_access &acs = *this;
971 const builtin_memref *dstref = acs.dstref;
972 const builtin_memref *srcref = acs.srcref;
973
974 gcc_assert (dstref->base == srcref->base);
975
a411ae9b 976 const offset_int maxobjsize = acs.dstref->maxobjsize;
cc8bea0a
MS		 977
978 offset_int maxsize = dstref->basesize < 0 ? maxobjsize : dstref->basesize;
cc8bea0a
MS		 979
980 /* Adjust the larger bounds of the offsets (which may be the first
981 element if the lower bound is larger than the upper bound) to
982 make them valid for the smallest access (if possible) but no smaller
983 than the smaller bounds. */
984 gcc_assert (wi::les_p (acs.dstoff[0], acs.dstoff[1]));
985
986 if (maxsize < acs.dstoff[1] + acs.dstsiz[0])
987 acs.dstoff[1] = maxsize - acs.dstsiz[0];
988 if (acs.dstoff[1] < acs.dstoff[0])
989 acs.dstoff[1] = acs.dstoff[0];
990
991 gcc_assert (wi::les_p (acs.srcoff[0], acs.srcoff[1]));
992
993 if (maxsize < acs.srcoff[1] + acs.srcsiz[0])
994 acs.srcoff[1] = maxsize - acs.srcsiz[0];
995 if (acs.srcoff[1] < acs.srcoff[0])
996 acs.srcoff[1] = acs.srcoff[0];
997
998 /* Determine the minimum and maximum space for the access given
999 the offsets. */
1000 offset_int space[2];
1001 space[0] = wi::abs (acs.dstoff[0] - acs.srcoff[0]);
1002 space[1] = space[0];
1003
1004 offset_int d = wi::abs (acs.dstoff[0] - acs.srcoff[1]);
1005 if (acs.srcsiz[0] > 0)
1006 {
1007 if (d < space[0])
1008 space[0] = d;
1009
1010 if (space[1] < d)
1011 space[1] = d;
1012 }
1013 else
1014 space[1] = acs.dstsiz[1];
1015
1016 d = wi::abs (acs.dstoff[1] - acs.srcoff[0]);
1017 if (d < space[0])
1018 space[0] = d;
1019
1020 if (space[1] < d)
1021 space[1] = d;
1022
1023 /* Treat raw memory functions both of whose references are bounded
1024 as special and permit uncertain overlaps to go undetected. For
1025 all kinds of constant offset and constant size accesses, if
1026 overlap isn't certain it is not possible. */
1027 bool overlap_possible = space[0] < acs.dstsiz[1];
1028 if (!overlap_possible)
1029 return false;
1030
1031 bool overlap_certain = space[1] < acs.dstsiz[0];
1032
1033 /* True when the size of one reference depends on the offset of
1034 the other. */
1035 bool depends_p = detect_overlap != &builtin_access::generic_overlap;
1036
5e27f0d5
MS		 1037 if (!overlap_certain)
1038 {
1039 if (!dstref->strbounded_p && !depends_p)
8286793a 1040 /* Memcpy only considers certain overlap. */
5e27f0d5
MS		 1041 return false;
1042
1043 /* There's no way to distinguish an access to the same member
1044 of a structure from one to two distinct members of the same
1045 structure. Give up to avoid excessive false positives. */
8286793a
MS		 1046 tree basetype = TREE_TYPE (dstref->base);
1047
1048 if (POINTER_TYPE_P (basetype))
1049 basetype = TREE_TYPE (basetype);
1050 else
1051 while (TREE_CODE (basetype) == ARRAY_TYPE)
1052 basetype = TREE_TYPE (basetype);
1053
5e27f0d5
MS		 1054 if (RECORD_OR_UNION_TYPE_P (basetype))
1055 return false;
1056 }
cc8bea0a
MS		 1057
1058 /* True for stpcpy and strcpy. */
1059 bool stxcpy_p = (!dstref->strbounded_p
1060 && detect_overlap == &builtin_access::strcpy_overlap);
1061
1062 if (dstref->refoff >= 0
1063 && srcref->refoff >= 0
1064 && dstref->refoff != srcref->refoff
1065 && (stxcpy_p || dstref->strbounded_p || srcref->strbounded_p))
1066 return false;
1067
1068 offset_int siz[2] = { maxobjsize + 1, 0 };
1069
1070 ovloff[0] = HOST_WIDE_INT_MAX;
1071 ovloff[1] = HOST_WIDE_INT_MIN;
1072
cc8bea0a
MS		 1073 if (stxcpy_p)
1074 {
cc8bea0a
MS		 1075 /* Iterate over the extreme locations (on the horizontal axis formed
1076 by their offsets) and sizes of two regions and find their smallest
1077 and largest overlap and the corresponding offsets. */
1078 for (unsigned i = 0; i != 2; ++i)
1079 {
1080 const offset_int a[2] = {
1081 acs.dstoff[i], acs.dstoff[i] + acs.dstsiz[!i]
1082 };
1083
1084 const offset_int b[2] = {
1085 acs.srcoff[i], acs.srcoff[i] + acs.srcsiz[!i]
1086 };
1087
1088 offset_int off;
1089 offset_int sz = overlap_size (a, b, &off);
1090 if (sz < siz[0])
1091 siz[0] = sz;
1092
1093 if (siz[1] <= sz)
1094 siz[1] = sz;
1095
1096 if (sz != 0)
1097 {
1098 if (wi::lts_p (off, ovloff[0]))
1099 ovloff[0] = off.to_shwi ();
1100 if (wi::lts_p (ovloff[1], off))
1101 ovloff[1] = off.to_shwi ();
1102 }
1103 }
1104 }
1105 else
1106 {
cc8bea0a 1107 /* Iterate over the extreme locations (on the horizontal axis
3942060c
MS		 1108 formed by their offsets) and sizes of the two regions and
1109 find their smallest and largest overlap and the corresponding
cc8bea0a
MS		 1110 offsets. */
1111
1112 for (unsigned io = 0; io != 2; ++io)
1113 for (unsigned is = 0; is != 2; ++is)
1114 {
1115 const offset_int a[2] = {
1116 acs.dstoff[io], acs.dstoff[io] + acs.dstsiz[is]
1117 };
1118
1119 for (unsigned jo = 0; jo != 2; ++jo)
1120 for (unsigned js = 0; js != 2; ++js)
1121 {
cc8bea0a
MS		 1122 const offset_int b[2] = {
1123 acs.srcoff[jo], acs.srcoff[jo] + acs.srcsiz[js]
1124 };
1125
1126 offset_int off;
1127 offset_int sz = overlap_size (a, b, &off);
1128 if (sz < siz[0])
1129 siz[0] = sz;
1130
1131 if (siz[1] <= sz)
1132 siz[1] = sz;
1133
1134 if (sz != 0)
1135 {
1136 if (wi::lts_p (off, ovloff[0]))
1137 ovloff[0] = off.to_shwi ();
1138 if (wi::lts_p (ovloff[1], off))
1139 ovloff[1] = off.to_shwi ();
1140 }
1141 }
1142 }
1143 }
1144
1145 ovlsiz[0] = siz[0].to_shwi ();
1146 ovlsiz[1] = siz[1].to_shwi ();
1147
3942060c 1148 /* Adjust the overlap offset range to reflect the overlap size range. */
cc8bea0a 1149 if (ovlsiz[0] == 0 && ovlsiz[1] > 1)
3942060c 1150 ovloff[1] = ovloff[0] + ovlsiz[1] - 1;
cc8bea0a
MS		 1151
1152 return true;
1153}
1154
1155/* Return true if the strcat-like access overlaps. */
1156
1157bool
1158builtin_access::strcat_overlap ()
1159{
1160 builtin_access &acs = *this;
1161 const builtin_memref *dstref = acs.dstref;
1162 const builtin_memref *srcref = acs.srcref;
1163
1164 gcc_assert (dstref->base == srcref->base);
1165
a411ae9b 1166 const offset_int maxobjsize = acs.dstref->maxobjsize;
cc8bea0a
MS		 1167
1168 gcc_assert (dstref->base && dstref->base == srcref->base);
1169
1170 /* Adjust for strcat-like accesses. */
1171
1172 /* As a special case for strcat, set the DSTREF offsets to the length
6889a3ac
MS		 1173 of the destination string since the function starts writing over
1174 its terminating nul, and set the destination size to 1 for the length
1175 of the nul. */
1176 acs.dstoff[0] += dstsiz[0] - srcref->sizrange[0];
1177 acs.dstoff[1] += dstsiz[1] - srcref->sizrange[1];
cc8bea0a
MS		 1178
1179 bool strfunc_unknown_args = acs.dstsiz[0] == 0 && acs.dstsiz[1] != 0;
1180
1181 /* The lower bound is zero when the size is unknown because then
1182 overlap is not certain. */
1183 acs.dstsiz[0] = strfunc_unknown_args ? 0 : 1;
1184 acs.dstsiz[1] = 1;
1185
1186 offset_int maxsize = dstref->basesize < 0 ? maxobjsize : dstref->basesize;
cc8bea0a
MS		 1187
1188 /* For references to the same base object, determine if there's a pair
1189 of valid offsets into the two references such that access between
1190 them doesn't overlap. Adjust both upper bounds to be valid for
1191 the smaller size (i.e., at most MAXSIZE - SIZE). */
1192
1193 if (maxsize < acs.dstoff[1] + acs.dstsiz[0])
1194 acs.dstoff[1] = maxsize - acs.dstsiz[0];
1195
1196 if (maxsize < acs.srcoff[1] + acs.srcsiz[0])
1197 acs.srcoff[1] = maxsize - acs.srcsiz[0];
1198
1199 /* Check to see if there's enough space for both accesses without
1200 overlap. Determine the optimistic (maximum) amount of available
1201 space. */
1202 offset_int space;
1203 if (acs.dstoff[0] <= acs.srcoff[0])
1204 {
1205 if (acs.dstoff[1] < acs.srcoff[1])
1206 space = acs.srcoff[1] + acs.srcsiz[0] - acs.dstoff[0];
1207 else
1208 space = acs.dstoff[1] + acs.dstsiz[0] - acs.srcoff[0];
1209 }
1210 else
1211 space = acs.dstoff[1] + acs.dstsiz[0] - acs.srcoff[0];
1212
1213 /* Overlap is certain if the distance between the farthest offsets
1214 of the opposite accesses is less than the sum of the lower bounds
1215 of the sizes of the two accesses. */
1216 bool overlap_certain = space < acs.dstsiz[0] + acs.srcsiz[0];
1217
1218 /* For a constant-offset, constant size access, consider the largest
1219 distance between the offset bounds and the lower bound of the access
1220 size. If the overlap isn't certain return success. */
1221 if (!overlap_certain
1222 && acs.dstoff[0] == acs.dstoff[1]
1223 && acs.srcoff[0] == acs.srcoff[1]
1224 && acs.dstsiz[0] == acs.dstsiz[1]
1225 && acs.srcsiz[0] == acs.srcsiz[1])
1226 return false;
1227
1228 /* Overlap is not certain but may be possible. */
1229
1230 offset_int access_min = acs.dstsiz[0] + acs.srcsiz[0];
1231
1232 /* Determine the conservative (minimum) amount of space. */
1233 space = wi::abs (acs.dstoff[0] - acs.srcoff[0]);
1234 offset_int d = wi::abs (acs.dstoff[0] - acs.srcoff[1]);
1235 if (d < space)
1236 space = d;
1237 d = wi::abs (acs.dstoff[1] - acs.srcoff[0]);
1238 if (d < space)
1239 space = d;
1240
1241 /* For a strict test (used for strcpy and similar with unknown or
1242 variable bounds or sizes), consider the smallest distance between
1243 the offset bounds and either the upper bound of the access size
1244 if known, or the lower bound otherwise. */
1245 if (access_min <= space && (access_min != 0 || !strfunc_unknown_args))
1246 return false;
1247
1248 /* When strcat overlap is certain it is always a single byte:
816fad6e 1249 the terminating NUL, regardless of offsets and sizes. When
cc8bea0a
MS		 1250 overlap is only possible its range is [0, 1]. */
1251 acs.ovlsiz[0] = dstref->sizrange[0] == dstref->sizrange[1] ? 1 : 0;
1252 acs.ovlsiz[1] = 1;
cc8bea0a 1253
6889a3ac
MS		 1254 offset_int endoff
1255 = dstref->offrange[0] + (dstref->sizrange[0] - srcref->sizrange[0]);
816fad6e
MS		 1256 if (endoff <= srcref->offrange[0])
1257 acs.ovloff[0] = wi::smin (maxobjsize, srcref->offrange[0]).to_shwi ();
1258 else
1259 acs.ovloff[0] = wi::smin (maxobjsize, endoff).to_shwi ();
1260
1261 acs.sizrange[0] = wi::smax (wi::abs (endoff - srcref->offrange[0]) + 1,
1262 srcref->sizrange[0]).to_shwi ();
1263 if (dstref->offrange[0] == dstref->offrange[1])
1264 {
1265 if (srcref->offrange[0] == srcref->offrange[1])
1266 acs.ovloff[1] = acs.ovloff[0];
1267 else
1268 acs.ovloff[1]
1269 = wi::smin (maxobjsize,
1270 srcref->offrange[1] + srcref->sizrange[1]).to_shwi ();
1271 }
1272 else
1273 acs.ovloff[1]
1274 = wi::smin (maxobjsize,
1275 dstref->offrange[1] + dstref->sizrange[1]).to_shwi ();
1276
1277 if (acs.sizrange[0] == 0)
1278 acs.sizrange[0] = 1;
cc8bea0a
MS		 1279 acs.sizrange[1] = wi::smax (acs.dstsiz[1], srcref->sizrange[1]).to_shwi ();
1280 return true;
1281}
1282
1283/* Return true if the strcpy-like access overlaps. */
1284
1285bool
1286builtin_access::strcpy_overlap ()
1287{
1288 return generic_overlap ();
1289}
1290
a2c2cee9
MS		 1291/* For a BASE of array type, clamp REFOFF to at most [0, BASE_SIZE]
1292 if known, or [0, MAXOBJSIZE] otherwise. */
1293
1294static void
1295clamp_offset (tree base, offset_int refoff[2], offset_int maxobjsize)
1296{
1297 if (!base || TREE_CODE (TREE_TYPE (base)) != ARRAY_TYPE)
1298 return;
1299
1300 if (refoff[0] < 0 && refoff[1] >= 0)
1301 refoff[0] = 0;
1302
1303 if (refoff[1] < refoff[0])
1304 {
1305 offset_int maxsize = maxobjsize;
1306 if (tree size = TYPE_SIZE_UNIT (TREE_TYPE (base)))
1307 maxsize = wi::to_offset (size);
1308
1309 refoff[1] = wi::umin (refoff[1], maxsize);
1310 }
1311}
cc8bea0a
MS		 1312
1313/* Return true if DSTREF and SRCREF describe accesses that either overlap
1314 one another or that, in order not to overlap, would imply that the size
1315 of the referenced object(s) exceeds the maximum size of an object. Set
1316 Otherwise, if DSTREF and SRCREF do not definitely overlap (even though
1317 they may overlap in a way that's not apparent from the available data),
1318 return false. */
1319
1320bool
1321builtin_access::overlap ()
1322{
1323 builtin_access &acs = *this;
1324
a411ae9b 1325 const offset_int maxobjsize = dstref->maxobjsize;
cc8bea0a
MS		 1326
1327 acs.sizrange[0] = wi::smax (dstref->sizrange[0],
1328 srcref->sizrange[0]).to_shwi ();
1329 acs.sizrange[1] = wi::smax (dstref->sizrange[1],
1330 srcref->sizrange[1]).to_shwi ();
1331
1332 /* Check to see if the two references refer to regions that are
1333 too large not to overlap in the address space (whose maximum
1334 size is PTRDIFF_MAX). */
1335 offset_int size = dstref->sizrange[0] + srcref->sizrange[0];
1336 if (maxobjsize < size)
1337 {
1338 acs.ovloff[0] = (maxobjsize - dstref->sizrange[0]).to_shwi ();
1339 acs.ovlsiz[0] = (size - maxobjsize).to_shwi ();
1340 return true;
1341 }
1342
1343 /* If both base objects aren't known return the maximum possible
1344 offset that would make them not overlap. */
1345 if (!dstref->base || !srcref->base)
1346 return false;
1347
c7c9468a
JL		 1348 /* If the base object is an array adjust the bounds of the offset
1349 to be non-negative and within the bounds of the array if possible. */
a2c2cee9 1350 clamp_offset (dstref->base, acs.dstoff, maxobjsize);
c7c9468a
JL		 1351
1352 acs.srcoff[0] = srcref->offrange[0];
1353 acs.srcoff[1] = srcref->offrange[1];
cc8bea0a 1354
a2c2cee9 1355 clamp_offset (srcref->base, acs.srcoff, maxobjsize);
cc8bea0a 1356
c7c9468a
JL		 1357 /* When the upper bound of the offset is less than the lower bound
1358 the former is the result of a negative offset being represented
1359 as a large positive value or vice versa. The resulting range is
1360 a union of two subranges: [MIN, UB] and [LB, MAX]. Since such
1361 a union is not representable using the current data structure
1362 replace it with the full range of offsets. */
cc8bea0a 1363 if (acs.dstoff[1] < acs.dstoff[0])
c7c9468a
JL		 1364 {
1365 acs.dstoff[0] = -maxobjsize - 1;
1366 acs.dstoff[1] = maxobjsize;
1367 }
cc8bea0a
MS		 1368
1369 /* Validate the offset and size of each reference on its own first.
1370 This is independent of whether or not the base objects are the
1371 same. Normally, this would have already been detected and
1372 diagnosed by -Warray-bounds, unless it has been disabled. */
1373 offset_int maxoff = acs.dstoff[0] + dstref->sizrange[0];
1374 if (maxobjsize < maxoff)
1375 {
1376 acs.ovlsiz[0] = (maxoff - maxobjsize).to_shwi ();
1377 acs.ovloff[0] = acs.dstoff[0].to_shwi () - acs.ovlsiz[0];
1378 return true;
1379 }
1380
1381 /* Repeat the same as above but for the source offsets. */
1382 if (acs.srcoff[1] < acs.srcoff[0])
c7c9468a
JL		 1383 {
1384 acs.srcoff[0] = -maxobjsize - 1;
1385 acs.srcoff[1] = maxobjsize;
1386 }
cc8bea0a
MS		 1387
1388 maxoff = acs.srcoff[0] + srcref->sizrange[0];
1389 if (maxobjsize < maxoff)
1390 {
1391 acs.ovlsiz[0] = (maxoff - maxobjsize).to_shwi ();
1392 acs.ovlsiz[1] = (acs.srcoff[0] + srcref->sizrange[1]
1393 - maxobjsize).to_shwi ();
1394 acs.ovloff[0] = acs.srcoff[0].to_shwi () - acs.ovlsiz[0];
1395 return true;
1396 }
1397
1398 if (dstref->base != srcref->base)
1399 return false;
1400
1401 acs.dstsiz[0] = dstref->sizrange[0];
1402 acs.dstsiz[1] = dstref->sizrange[1];
1403
1404 acs.srcsiz[0] = srcref->sizrange[0];
1405 acs.srcsiz[1] = srcref->sizrange[1];
1406
1407 /* Call the appropriate function to determine the overlap. */
1408 if ((this->*detect_overlap) ())
1409 {
816fad6e
MS		 1410 if (!sizrange[1])
1411 {
1412 /* Unless the access size range has already been set, do so here. */
1413 sizrange[0] = wi::smax (acs.dstsiz[0], srcref->sizrange[0]).to_shwi ();
1414 sizrange[1] = wi::smax (acs.dstsiz[1], srcref->sizrange[1]).to_shwi ();
1415 }
cc8bea0a
MS		 1416 return true;
1417 }
1418
1419 return false;
1420}
1421
1422/* Attempt to detect and diagnose an overlapping copy in a call expression
700d4cb0 1423 EXPR involving an access ACS to a built-in memory or string function.
cc8bea0a
MS		 1424 Return true when one has been detected, false otherwise. */
1425
1426static bool
8a45b051 1427maybe_diag_overlap (location_t loc, gimple *call, builtin_access &acs)
cc8bea0a
MS		 1428{
1429 if (!acs.overlap ())
1430 return false;
1431
e9e2bad7 1432 if (warning_suppressed_p (call, OPT_Wrestrict))
213694e5
MS		 1433 return true;
1434
cc8bea0a
MS		 1435 /* For convenience. */
1436 const builtin_memref &dstref = *acs.dstref;
1437 const builtin_memref &srcref = *acs.srcref;
1438
1439 /* Determine the range of offsets and sizes of the overlap if it
1440 exists and issue diagnostics. */
1441 HOST_WIDE_INT *ovloff = acs.ovloff;
1442 HOST_WIDE_INT *ovlsiz = acs.ovlsiz;
1443 HOST_WIDE_INT *sizrange = acs.sizrange;
1444
1445 tree func = gimple_call_fndecl (call);
1446
1447 /* To avoid a combinatorial explosion of diagnostics format the offsets
1448 or their ranges as strings and use them in the warning calls below. */
1449 char offstr[3][64];
1450
1451 if (dstref.offrange[0] == dstref.offrange[1]
1452 || dstref.offrange[1] > HOST_WIDE_INT_MAX)
a6fd2cd7
MS		 1453 sprintf (offstr[0], HOST_WIDE_INT_PRINT_DEC,
1454 dstref.offrange[0].to_shwi ());
cc8bea0a 1455 else
a6fd2cd7
MS		 1456 sprintf (offstr[0],
1457 "[" HOST_WIDE_INT_PRINT_DEC ", " HOST_WIDE_INT_PRINT_DEC "]",
1458 dstref.offrange[0].to_shwi (),
1459 dstref.offrange[1].to_shwi ());
cc8bea0a
MS		 1460
1461 if (srcref.offrange[0] == srcref.offrange[1]
1462 || srcref.offrange[1] > HOST_WIDE_INT_MAX)
a6fd2cd7
MS		 1463 sprintf (offstr[1],
1464 HOST_WIDE_INT_PRINT_DEC,
1465 srcref.offrange[0].to_shwi ());
cc8bea0a 1466 else
a6fd2cd7
MS		 1467 sprintf (offstr[1],
1468 "[" HOST_WIDE_INT_PRINT_DEC ", " HOST_WIDE_INT_PRINT_DEC "]",
1469 srcref.offrange[0].to_shwi (),
1470 srcref.offrange[1].to_shwi ());
cc8bea0a
MS		 1471
1472 if (ovloff[0] == ovloff[1] || !ovloff[1])
a6fd2cd7 1473 sprintf (offstr[2], HOST_WIDE_INT_PRINT_DEC, ovloff[0]);
cc8bea0a 1474 else
a6fd2cd7
MS		 1475 sprintf (offstr[2],
1476 "[" HOST_WIDE_INT_PRINT_DEC ", " HOST_WIDE_INT_PRINT_DEC "]",
1477 ovloff[0], ovloff[1]);
cc8bea0a 1478
a411ae9b 1479 const offset_int maxobjsize = dstref.maxobjsize;
cc8bea0a
MS		 1480 bool must_overlap = ovlsiz[0] > 0;
1481
1482 if (ovlsiz[1] == 0)
1483 ovlsiz[1] = ovlsiz[0];
1484
1485 if (must_overlap)
1486 {
1487 /* Issue definitive "overlaps" diagnostic in this block. */
1488
1489 if (sizrange[0] == sizrange[1])
1490 {
1491 if (ovlsiz[0] == ovlsiz[1])
1492 warning_at (loc, OPT_Wrestrict,
1493 sizrange[0] == 1
1494 ? (ovlsiz[0] == 1
6d3bab5d 1495 ? G_("%qD accessing %wu byte at offsets %s "
cc8bea0a 1496 "and %s overlaps %wu byte at offset %s")
6d3bab5d 1497 : G_("%qD accessing %wu byte at offsets %s "
cc8bea0a
MS		 1498 "and %s overlaps %wu bytes at offset "
1499 "%s"))
1500 : (ovlsiz[0] == 1
6d3bab5d 1501 ? G_("%qD accessing %wu bytes at offsets %s "
cc8bea0a 1502 "and %s overlaps %wu byte at offset %s")
6d3bab5d 1503 : G_("%qD accessing %wu bytes at offsets %s "
cc8bea0a
MS		 1504 "and %s overlaps %wu bytes at offset "
1505 "%s")),
6d3bab5d 1506 func, sizrange[0],
cc8bea0a
MS		 1507 offstr[0], offstr[1], ovlsiz[0], offstr[2]);
1508 else if (ovlsiz[1] >= 0 && ovlsiz[1] < maxobjsize.to_shwi ())
15d3974b 1509 warning_n (loc, OPT_Wrestrict, sizrange[0],
6d3bab5d 1510 "%qD accessing %wu byte at offsets %s "
15d3974b
JJ		 1511 "and %s overlaps between %wu and %wu bytes "
1512 "at offset %s",
6d3bab5d 1513 "%qD accessing %wu bytes at offsets %s "
15d3974b
JJ		 1514 "and %s overlaps between %wu and %wu bytes "
1515 "at offset %s",
6d3bab5d 1516 func, sizrange[0], offstr[0], offstr[1],
15d3974b 1517 ovlsiz[0], ovlsiz[1], offstr[2]);
cc8bea0a 1518 else
15d3974b 1519 warning_n (loc, OPT_Wrestrict, sizrange[0],
6d3bab5d 1520 "%qD accessing %wu byte at offsets %s and "
15d3974b 1521 "%s overlaps %wu or more bytes at offset %s",
6d3bab5d 1522 "%qD accessing %wu bytes at offsets %s and "
15d3974b 1523 "%s overlaps %wu or more bytes at offset %s",
6d3bab5d 1524 func, sizrange[0],
15d3974b 1525 offstr[0], offstr[1], ovlsiz[0], offstr[2]);
cc8bea0a
MS		 1526 return true;
1527 }
1528
1529 if (sizrange[1] >= 0 && sizrange[1] < maxobjsize.to_shwi ())
1530 {
1531 if (ovlsiz[0] == ovlsiz[1])
15d3974b 1532 warning_n (loc, OPT_Wrestrict, ovlsiz[0],
6d3bab5d 1533 "%qD accessing between %wu and %wu bytes "
15d3974b
JJ		 1534 "at offsets %s and %s overlaps %wu byte at "
1535 "offset %s",
6d3bab5d 1536 "%qD accessing between %wu and %wu bytes "
15d3974b
JJ		 1537 "at offsets %s and %s overlaps %wu bytes "
1538 "at offset %s",
6d3bab5d 1539 func, sizrange[0], sizrange[1],
15d3974b 1540 offstr[0], offstr[1], ovlsiz[0], offstr[2]);
cc8bea0a
MS		 1541 else if (ovlsiz[1] >= 0 && ovlsiz[1] < maxobjsize.to_shwi ())
1542 warning_at (loc, OPT_Wrestrict,
6d3bab5d 1543 "%qD accessing between %wu and %wu bytes at "
cc8bea0a
MS		 1544 "offsets %s and %s overlaps between %wu and %wu "
1545 "bytes at offset %s",
6d3bab5d 1546 func, sizrange[0], sizrange[1],
cc8bea0a
MS		 1547 offstr[0], offstr[1], ovlsiz[0], ovlsiz[1],
1548 offstr[2]);
1549 else
1550 warning_at (loc, OPT_Wrestrict,
6d3bab5d 1551 "%qD accessing between %wu and %wu bytes at "
cc8bea0a
MS		 1552 "offsets %s and %s overlaps %wu or more bytes "
1553 "at offset %s",
6d3bab5d 1554 func, sizrange[0], sizrange[1],
cc8bea0a
MS		 1555 offstr[0], offstr[1], ovlsiz[0], offstr[2]);
1556 return true;
1557 }
1558
1559 if (ovlsiz[0] != ovlsiz[1])
1560 ovlsiz[1] = maxobjsize.to_shwi ();
1561
1562 if (ovlsiz[0] == ovlsiz[1])
15d3974b 1563 warning_n (loc, OPT_Wrestrict, ovlsiz[0],
6d3bab5d 1564 "%qD accessing %wu or more bytes at offsets "
15d3974b 1565 "%s and %s overlaps %wu byte at offset %s",
6d3bab5d 1566 "%qD accessing %wu or more bytes at offsets "
15d3974b 1567 "%s and %s overlaps %wu bytes at offset %s",
6d3bab5d 1568 func, sizrange[0], offstr[0], offstr[1],
15d3974b 1569 ovlsiz[0], offstr[2]);
cc8bea0a
MS		 1570 else if (ovlsiz[1] >= 0 && ovlsiz[1] < maxobjsize.to_shwi ())
1571 warning_at (loc, OPT_Wrestrict,
6d3bab5d 1572 "%qD accessing %wu or more bytes at offsets %s "
cc8bea0a
MS		 1573 "and %s overlaps between %wu and %wu bytes "
1574 "at offset %s",
6d3bab5d 1575 func, sizrange[0], offstr[0], offstr[1],
cc8bea0a
MS		 1576 ovlsiz[0], ovlsiz[1], offstr[2]);
1577 else
1578 warning_at (loc, OPT_Wrestrict,
6d3bab5d 1579 "%qD accessing %wu or more bytes at offsets %s "
cc8bea0a 1580 "and %s overlaps %wu or more bytes at offset %s",
6d3bab5d 1581 func, sizrange[0], offstr[0], offstr[1],
cc8bea0a
MS		 1582 ovlsiz[0], offstr[2]);
1583 return true;
1584 }
1585
cc8bea0a
MS		 1586 /* Use more concise wording when one of the offsets is unbounded
1587 to avoid confusing the user with large and mostly meaningless
1588 numbers. */
816fad6e
MS		 1589 bool open_range;
1590 if (DECL_P (dstref.base) && TREE_CODE (TREE_TYPE (dstref.base)) == ARRAY_TYPE)
1591 open_range = ((dstref.offrange[0] == 0
1592 && dstref.offrange[1] == maxobjsize)
1593 || (srcref.offrange[0] == 0
1594 && srcref.offrange[1] == maxobjsize));
1595 else
1596 open_range = ((dstref.offrange[0] == -maxobjsize - 1
1597 && dstref.offrange[1] == maxobjsize)
1598 || (srcref.offrange[0] == -maxobjsize - 1
1599 && srcref.offrange[1] == maxobjsize));
cc8bea0a
MS		 1600
1601 if (sizrange[0] == sizrange[1] || sizrange[1] == 1)
1602 {
1603 if (ovlsiz[1] == 1)
1604 {
1605 if (open_range)
15d3974b 1606 warning_n (loc, OPT_Wrestrict, sizrange[1],
6d3bab5d 1607 "%qD accessing %wu byte may overlap "
15d3974b 1608 "%wu byte",
6d3bab5d 1609 "%qD accessing %wu bytes may overlap "
15d3974b 1610 "%wu byte",
6d3bab5d 1611 func, sizrange[1], ovlsiz[1]);
cc8bea0a 1612 else
15d3974b 1613 warning_n (loc, OPT_Wrestrict, sizrange[1],
6d3bab5d 1614 "%qD accessing %wu byte at offsets %s "
15d3974b 1615 "and %s may overlap %wu byte at offset %s",
6d3bab5d 1616 "%qD accessing %wu bytes at offsets %s "
15d3974b 1617 "and %s may overlap %wu byte at offset %s",
6d3bab5d 1618 func, sizrange[1], offstr[0], offstr[1],
15d3974b 1619 ovlsiz[1], offstr[2]);
cc8bea0a
MS		 1620 return true;
1621 }
1622
1623 if (open_range)
15d3974b 1624 warning_n (loc, OPT_Wrestrict, sizrange[1],
6d3bab5d 1625 "%qD accessing %wu byte may overlap "
15d3974b 1626 "up to %wu bytes",
6d3bab5d 1627 "%qD accessing %wu bytes may overlap "
15d3974b 1628 "up to %wu bytes",
6d3bab5d 1629 func, sizrange[1], ovlsiz[1]);
cc8bea0a 1630 else
15d3974b 1631 warning_n (loc, OPT_Wrestrict, sizrange[1],
6d3bab5d 1632 "%qD accessing %wu byte at offsets %s and "
15d3974b 1633 "%s may overlap up to %wu bytes at offset %s",
6d3bab5d 1634 "%qD accessing %wu bytes at offsets %s and "
15d3974b 1635 "%s may overlap up to %wu bytes at offset %s",
6d3bab5d 1636 func, sizrange[1], offstr[0], offstr[1],
15d3974b 1637 ovlsiz[1], offstr[2]);
cc8bea0a
MS		 1638 return true;
1639 }
1640
1641 if (sizrange[1] >= 0 && sizrange[1] < maxobjsize.to_shwi ())
1642 {
1643 if (open_range)
15d3974b 1644 warning_n (loc, OPT_Wrestrict, ovlsiz[1],
6d3bab5d 1645 "%qD accessing between %wu and %wu bytes "
15d3974b 1646 "may overlap %wu byte",
6d3bab5d 1647 "%qD accessing between %wu and %wu bytes "
15d3974b 1648 "may overlap up to %wu bytes",
6d3bab5d 1649 func, sizrange[0], sizrange[1], ovlsiz[1]);
cc8bea0a 1650 else
15d3974b 1651 warning_n (loc, OPT_Wrestrict, ovlsiz[1],
6d3bab5d 1652 "%qD accessing between %wu and %wu bytes "
15d3974b
JJ		 1653 "at offsets %s and %s may overlap %wu byte "
1654 "at offset %s",
6d3bab5d 1655 "%qD accessing between %wu and %wu bytes "
15d3974b
JJ		 1656 "at offsets %s and %s may overlap up to %wu "
1657 "bytes at offset %s",
6d3bab5d 1658 func, sizrange[0], sizrange[1],
15d3974b 1659 offstr[0], offstr[1], ovlsiz[1], offstr[2]);
cc8bea0a
MS		 1660 return true;
1661 }
1662
15d3974b 1663 warning_n (loc, OPT_Wrestrict, ovlsiz[1],
6d3bab5d 1664 "%qD accessing %wu or more bytes at offsets %s "
15d3974b 1665 "and %s may overlap %wu byte at offset %s",
6d3bab5d 1666 "%qD accessing %wu or more bytes at offsets %s "
15d3974b 1667 "and %s may overlap up to %wu bytes at offset %s",
6d3bab5d 1668 func, sizrange[0], offstr[0], offstr[1],
15d3974b 1669 ovlsiz[1], offstr[2]);
cc8bea0a
MS		 1670
1671 return true;
1672}
1673
287ef129
MS		 1674/* Validate REF size and offsets in an expression passed as an argument
1675 to a CALL to a built-in function FUNC to make sure they are within
1676 the bounds of the referenced object if its size is known, or
1677 PTRDIFF_MAX otherwise. DO_WARN is true when a diagnostic should
1678 be issued, false otherwise.
1679 Both initial values of the offsets and their final value computed
1680 by the function by incrementing the initial value by the size are
e9e2bad7
MS		 1681 validated. Return the warning number if the offsets are not valid
1682 and a diagnostic has been issued, or would have been issued if
1683 DO_WARN had been true, otherwise an invalid warning number. */
cc8bea0a 1684
e9e2bad7 1685static opt_code
55ace4d1 1686maybe_diag_access_bounds (gimple *call, tree func, int strict,
6889a3ac
MS		 1687 const builtin_memref &ref, offset_int wroff,
1688 bool do_warn)
cc8bea0a 1689{
6d3bab5d 1690 location_t loc = gimple_location (call);
a411ae9b 1691 const offset_int maxobjsize = ref.maxobjsize;
287ef129
MS		 1692
1693 /* Check for excessive size first and regardless of warning options
1694 since the result is used to make codegen decisions. */
1695 if (ref.sizrange[0] > maxobjsize)
1696 {
e9e2bad7 1697 const opt_code opt = OPT_Wstringop_overflow_;
287ef129
MS		 1698 /* Return true without issuing a warning. */
1699 if (!do_warn)
e9e2bad7 1700 return opt;
287ef129 1701
e9e2bad7
MS		 1702 if (ref.ref && warning_suppressed_p (ref.ref, OPT_Wstringop_overflow_))
1703 return no_warning;
287ef129 1704
e9e2bad7 1705 bool warned = false;
287ef129
MS		 1706 if (warn_stringop_overflow)
1707 {
287ef129 1708 if (ref.sizrange[0] == ref.sizrange[1])
e9e2bad7 1709 warned = warning_at (loc, opt,
6d3bab5d 1710 "%qD specified bound %wu "
e9e2bad7 1711 "exceeds maximum object size %wu",
6d3bab5d 1712 func, ref.sizrange[0].to_uhwi (),
e9e2bad7
MS		 1713 maxobjsize.to_uhwi ());
1714 else
1715 warned = warning_at (loc, opt,
6d3bab5d 1716 "%qD specified bound between %wu and %wu "
e9e2bad7 1717 "exceeds maximum object size %wu",
6d3bab5d 1718 func, ref.sizrange[0].to_uhwi (),
e9e2bad7
MS		 1719 ref.sizrange[1].to_uhwi (),
1720 maxobjsize.to_uhwi ());
1721 return warned ? opt : no_warning;
287ef129
MS		 1722 }
1723 }
1724
213694e5 1725 /* Check for out-bounds pointers regardless of warning options since
6889a3ac
MS		 1726 the result is used to make codegen decisions. An excessive WROFF
1727 can only come up as a result of an invalid strncat bound and is
1728 diagnosed separately using a more meaningful warning. */
1729 if (maxobjsize < wroff)
1730 wroff = 0;
1731 offset_int ooboff[] = { ref.offrange[0], ref.offrange[1], wroff };
213694e5
MS		 1732 tree oobref = ref.offset_out_of_bounds (strict, ooboff);
1733 if (!oobref)
e9e2bad7 1734 return no_warning;
cc8bea0a 1735
e9e2bad7 1736 const opt_code opt = OPT_Warray_bounds;
213694e5
MS		 1737 /* Return true without issuing a warning. */
1738 if (!do_warn)
e9e2bad7 1739 return opt;
213694e5
MS		 1740
1741 if (!warn_array_bounds)
e9e2bad7 1742 return no_warning;
21150aba 1743
e9e2bad7
MS		 1744 if (warning_suppressed_p (ref.ptr, opt)
1745 || (ref.ref && warning_suppressed_p (ref.ref, opt)))
1746 return no_warning;
cc8bea0a 1747
cc8bea0a
MS		 1748 char rangestr[2][64];
1749 if (ooboff[0] == ooboff[1]
1750 || (ooboff[0] != ref.offrange[0]
1751 && ooboff[0].to_shwi () >= ooboff[1].to_shwi ()))
1752 sprintf (rangestr[0], "%lli", (long long) ooboff[0].to_shwi ());
1753 else
1754 sprintf (rangestr[0], "[%lli, %lli]",
1755 (long long) ooboff[0].to_shwi (),
1756 (long long) ooboff[1].to_shwi ());
1757
e3329a78
MS		 1758 bool warned = false;
1759
cc8bea0a
MS		 1760 if (oobref == error_mark_node)
1761 {
1762 if (ref.sizrange[0] == ref.sizrange[1])
287ef129
MS		 1763 sprintf (rangestr[1], "%llu",
1764 (unsigned long long) ref.sizrange[0].to_shwi ());
cc8bea0a
MS		 1765 else
1766 sprintf (rangestr[1], "[%lli, %lli]",
287ef129
MS		 1767 (unsigned long long) ref.sizrange[0].to_uhwi (),
1768 (unsigned long long) ref.sizrange[1].to_uhwi ());
cc8bea0a 1769
e3329a78
MS		 1770 tree type;
1771
cc8bea0a
MS		 1772 if (DECL_P (ref.base)
1773 && TREE_CODE (type = TREE_TYPE (ref.base)) == ARRAY_TYPE)
1774 {
097f82ec 1775 auto_diagnostic_group d;
e9e2bad7 1776 if (warning_at (loc, opt,
6d3bab5d 1777 "%qD pointer overflow between offset %s "
cc8bea0a 1778 "and size %s accessing array %qD with type %qT",
6d3bab5d 1779 func, rangestr[0], rangestr[1], ref.base, type))
e3329a78
MS		 1780 {
1781 inform (DECL_SOURCE_LOCATION (ref.base),
1782 "array %qD declared here", ref.base);
1783 warned = true;
1784 }
cc8bea0a 1785 else
e9e2bad7 1786 warned = warning_at (loc, opt,
6d3bab5d 1787 "%qD pointer overflow between offset %s "
e3329a78 1788 "and size %s",
6d3bab5d 1789 func, rangestr[0], rangestr[1]);
cc8bea0a
MS		 1790 }
1791 else
e9e2bad7 1792 warned = warning_at (loc, opt,
6d3bab5d 1793 "%qD pointer overflow between offset %s "
e3329a78 1794 "and size %s",
6d3bab5d 1795 func, rangestr[0], rangestr[1]);
cc8bea0a
MS		 1796 }
1797 else if (oobref == ref.base)
1798 {
cc8bea0a
MS		 1799 /* True when the offset formed by an access to the reference
1800 is out of bounds, rather than the initial offset wich is
1801 in bounds. This implies access past the end. */
1802 bool form = ooboff[0] != ref.offrange[0];
1803
1804 if (DECL_P (ref.base))
1805 {
097f82ec 1806 auto_diagnostic_group d;
cc8bea0a 1807 if ((ref.basesize < maxobjsize
e9e2bad7 1808 && warning_at (loc, opt,
cc8bea0a 1809 form
6d3bab5d 1810 ? G_("%qD forming offset %s is out of "
cc8bea0a
MS		 1811 "the bounds [0, %wu] of object %qD with "
1812 "type %qT")
6d3bab5d 1813 : G_("%qD offset %s is out of the bounds "
cc8bea0a 1814 "[0, %wu] of object %qD with type %qT"),
6d3bab5d 1815 func, rangestr[0], ref.basesize.to_uhwi (),
cc8bea0a 1816 ref.base, TREE_TYPE (ref.base)))
e9e2bad7 1817 || warning_at (loc, opt,
cc8bea0a 1818 form
6d3bab5d 1819 ? G_("%qD forming offset %s is out of "
cc8bea0a 1820 "the bounds of object %qD with type %qT")
6d3bab5d 1821 : G_("%qD offset %s is out of the bounds "
cc8bea0a 1822 "of object %qD with type %qT"),
6d3bab5d 1823 func, rangestr[0],
cc8bea0a 1824 ref.base, TREE_TYPE (ref.base)))
e3329a78
MS		 1825 {
1826 inform (DECL_SOURCE_LOCATION (ref.base),
1827 "%qD declared here", ref.base);
1828 warned = true;
1829 }
cc8bea0a
MS		 1830 }
1831 else if (ref.basesize < maxobjsize)
e9e2bad7 1832 warned = warning_at (loc, opt,
e3329a78 1833 form
6d3bab5d 1834 ? G_("%qD forming offset %s is out "
e3329a78 1835 "of the bounds [0, %wu]")
6d3bab5d 1836 : G_("%qD offset %s is out "
e3329a78 1837 "of the bounds [0, %wu]"),
6d3bab5d 1838 func, rangestr[0], ref.basesize.to_uhwi ());
cc8bea0a 1839 else
e9e2bad7 1840 warned = warning_at (loc, opt,
e3329a78 1841 form
6d3bab5d
MS		 1842 ? G_("%qD forming offset %s is out of bounds")
1843 : G_("%qD offset %s is out of bounds"),
1844 func, rangestr[0]);
cc8bea0a
MS		 1845 }
1846 else if (TREE_CODE (ref.ref) == MEM_REF)
1847 {
6889a3ac
MS		 1848 tree refop = TREE_OPERAND (ref.ref, 0);
1849 tree type = TREE_TYPE (refop);
cc8bea0a
MS		 1850 if (POINTER_TYPE_P (type))
1851 type = TREE_TYPE (type);
1852 type = TYPE_MAIN_VARIANT (type);
1853
e9e2bad7 1854 if (warning_at (loc, opt,
6d3bab5d 1855 "%qD offset %s from the object at %qE is out "
6889a3ac 1856 "of the bounds of %qT",
6d3bab5d 1857 func, rangestr[0], ref.base, type))
6889a3ac
MS		 1858 {
1859 if (TREE_CODE (ref.ref) == COMPONENT_REF)
1860 refop = TREE_OPERAND (ref.ref, 1);
1861 if (DECL_P (refop))
1862 inform (DECL_SOURCE_LOCATION (refop),
1863 "subobject %qD declared here", refop);
1864 warned = true;
1865 }
cc8bea0a
MS		 1866 }
1867 else
1868 {
6889a3ac 1869 tree refop = TREE_OPERAND (ref.ref, 0);
e3329a78
MS		 1870 tree type = TYPE_MAIN_VARIANT (TREE_TYPE (ref.ref));
1871
e9e2bad7 1872 if (warning_at (loc, opt,
6d3bab5d 1873 "%qD offset %s from the object at %qE is out "
6889a3ac
MS		 1874 "of the bounds of referenced subobject %qD with "
1875 "type %qT at offset %wi",
6d3bab5d 1876 func, rangestr[0], ref.base,
6889a3ac
MS		 1877 TREE_OPERAND (ref.ref, 1), type,
1878 ref.refoff.to_shwi ()))
1879 {
1880 if (TREE_CODE (ref.ref) == COMPONENT_REF)
1881 refop = TREE_OPERAND (ref.ref, 1);
1882 if (DECL_P (refop))
1883 inform (DECL_SOURCE_LOCATION (refop),
1884 "subobject %qD declared here", refop);
1885 warned = true;
1886 }
cc8bea0a
MS		 1887 }
1888
e9e2bad7 1889 return warned ? opt : no_warning;
cc8bea0a
MS		 1890}
1891
1892/* Check a CALL statement for restrict-violations and issue warnings
1893 if/when appropriate. */
1894
30d15b51
MS		 1895void
1896pass_wrestrict::check_call (gimple *call)
cc8bea0a
MS		 1897{
1898 /* Avoid checking the call if it has already been diagnosed for
1899 some reason. */
e9e2bad7 1900 if (warning_suppressed_p (call, OPT_Wrestrict))
cc8bea0a
MS		 1901 return;
1902
1903 tree func = gimple_call_fndecl (call);
3d78e008 1904 if (!func || !fndecl_built_in_p (func, BUILT_IN_NORMAL))
cc8bea0a
MS		 1905 return;
1906
cc8bea0a
MS		 1907 /* Argument number to extract from the call (depends on the built-in
1908 and its kind). */
1909 unsigned dst_idx = -1;
1910 unsigned src_idx = -1;
1911 unsigned bnd_idx = -1;
1912
1913 /* Is this CALL to a string function (as opposed to one to a raw
1914 memory function). */
1915 bool strfun = true;
1916
1917 switch (DECL_FUNCTION_CODE (func))
1918 {
1919 case BUILT_IN_MEMCPY:
1920 case BUILT_IN_MEMCPY_CHK:
cc8bea0a
MS		 1921 case BUILT_IN_MEMPCPY:
1922 case BUILT_IN_MEMPCPY_CHK:
cc8bea0a
MS		 1923 case BUILT_IN_MEMMOVE:
1924 case BUILT_IN_MEMMOVE_CHK:
cc8bea0a
MS		 1925 strfun = false;
1926 /* Fall through. */
1927
1928 case BUILT_IN_STPNCPY:
1929 case BUILT_IN_STPNCPY_CHK:
1930 case BUILT_IN_STRNCAT:
1931 case BUILT_IN_STRNCAT_CHK:
1932 case BUILT_IN_STRNCPY:
1933 case BUILT_IN_STRNCPY_CHK:
1934 dst_idx = 0;
31db0fe0
ML		 1935 src_idx = 1;
1936 bnd_idx = 2;
cc8bea0a
MS		 1937 break;
1938
a411ae9b
MS		 1939 case BUILT_IN_MEMSET:
1940 case BUILT_IN_MEMSET_CHK:
1941 dst_idx = 0;
1942 bnd_idx = 2;
1943 break;
1944
cc8bea0a
MS		 1945 case BUILT_IN_STPCPY:
1946 case BUILT_IN_STPCPY_CHK:
cc8bea0a
MS		 1947 case BUILT_IN_STRCPY:
1948 case BUILT_IN_STRCPY_CHK:
cc8bea0a
MS		 1949 case BUILT_IN_STRCAT:
1950 case BUILT_IN_STRCAT_CHK:
cc8bea0a 1951 dst_idx = 0;
31db0fe0 1952 src_idx = 1;
cc8bea0a
MS		 1953 break;
1954
1955 default:
1956 /* Handle other string functions here whose access may need
1957 to be validated for in-bounds offsets and non-overlapping
31db0fe0 1958 copies. */
cc8bea0a
MS		 1959 return;
1960 }
1961
1962 unsigned nargs = gimple_call_num_args (call);
1963
1964 tree dst = dst_idx < nargs ? gimple_call_arg (call, dst_idx) : NULL_TREE;
1965 tree src = src_idx < nargs ? gimple_call_arg (call, src_idx) : NULL_TREE;
1966 tree dstwr = bnd_idx < nargs ? gimple_call_arg (call, bnd_idx) : NULL_TREE;
1967
1968 /* For string functions with an unspecified or unknown bound,
1969 assume the size of the access is one. */
1970 if (!dstwr && strfun)
1971 dstwr = size_one_node;
1972
2438cb6a
MS		 1973 /* DST and SRC can be null for a call with an insufficient number
1974 of arguments to a built-in function declared without a protype. */
a411ae9b 1975 if (!dst || (src_idx < nargs && !src))
cf3fc0e8
MS		 1976 return;
1977
1978 /* DST, SRC, or DSTWR can also have the wrong type in a call to
1979 a function declared without a prototype. Avoid checking such
1980 invalid calls. */
1981 if (TREE_CODE (TREE_TYPE (dst)) != POINTER_TYPE
a411ae9b 1982 || (src && TREE_CODE (TREE_TYPE (src)) != POINTER_TYPE)
cf3fc0e8
MS		 1983 || (dstwr && !INTEGRAL_TYPE_P (TREE_TYPE (dstwr))))
1984 return;
1985
30d15b51 1986 opt_code opt = check_bounds_or_overlap (m_ptr_qry, call, dst, src, dstwr,
e9e2bad7 1987 NULL_TREE);
cc8bea0a 1988 /* Avoid diagnosing the call again. */
e9e2bad7 1989 suppress_warning (call, opt);
cc8bea0a
MS		 1990}
1991
1992} /* anonymous namespace */
1993
1994/* Attempt to detect and diagnose invalid offset bounds and (except for
1995 memmove) overlapping copy in a call expression EXPR from SRC to DST
1996 and DSTSIZE and SRCSIZE bytes, respectively. Both DSTSIZE and
213694e5
MS		 1997 SRCSIZE may be NULL. DO_WARN is false to detect either problem
1998 without issue a warning. Return the OPT_Wxxx constant corresponding
1999 to the warning if one has been detected and zero otherwise. */
cc8bea0a 2000
e9e2bad7 2001opt_code
8a45b051 2002check_bounds_or_overlap (gimple *call, tree dst, tree src, tree dstsize,
213694e5
MS		 2003 tree srcsize, bool bounds_only /* = false */,
2004 bool do_warn /* = true */)
e864d395 2005{
30d15b51
MS		 2006 pointer_query ptrqry (get_range_query (cfun));
2007 return check_bounds_or_overlap (ptrqry,
e864d395
AH		 2008 call, dst, src, dstsize, srcsize,
2009 bounds_only, do_warn);
2010}
2011
e9e2bad7 2012opt_code
30d15b51 2013check_bounds_or_overlap (pointer_query &ptrqry,
e864d395
AH		 2014 gimple *call, tree dst, tree src, tree dstsize,
2015 tree srcsize, bool bounds_only /* = false */,
2016 bool do_warn /* = true */)
cc8bea0a 2017{
cc8bea0a
MS		 2018 tree func = gimple_call_fndecl (call);
2019
30d15b51
MS		 2020 builtin_memref dstref (ptrqry, call, dst, dstsize);
2021 builtin_memref srcref (ptrqry, call, src, srcsize);
cc8bea0a 2022
6889a3ac
MS		 2023 /* Create a descriptor of the access. This may adjust both DSTREF
2024 and SRCREF based on one another and the kind of the access. */
30d15b51 2025 builtin_access acs (ptrqry, call, dstref, srcref);
cc8bea0a
MS		 2026
2027 /* Set STRICT to the value of the -Warray-bounds=N argument for
2028 string functions or when N > 1. */
2029 int strict = (acs.strict () || warn_array_bounds > 1 ? warn_array_bounds : 0);
2030
6889a3ac
MS		 2031 /* The starting offset of the destination write access. Nonzero only
2032 for the strcat family of functions. */
2033 offset_int wroff = acs.write_off (dstsize);
2034
2035 /* Validate offsets to each reference before the access first to make
2036 sure they are within the bounds of the destination object if its
2037 size is known, or PTRDIFF_MAX otherwise. */
e9e2bad7
MS		 2038 opt_code opt
2039 = maybe_diag_access_bounds (call, func, strict, dstref, wroff, do_warn);
2040 if (opt == no_warning)
2041 opt = maybe_diag_access_bounds (call, func, strict, srcref, 0, do_warn);
2042
2043 if (opt != no_warning)
cc8bea0a 2044 {
213694e5 2045 if (do_warn)
e9e2bad7
MS		 2046 suppress_warning (call, opt);
2047 return opt;
cc8bea0a
MS		 2048 }
2049
a411ae9b 2050 if (!warn_restrict || bounds_only || !src)
e9e2bad7 2051 return no_warning;
cc8bea0a 2052
a411ae9b
MS		 2053 if (!bounds_only)
2054 {
2055 switch (DECL_FUNCTION_CODE (func))
2056 {
2057 case BUILT_IN_MEMMOVE:
2058 case BUILT_IN_MEMMOVE_CHK:
2059 case BUILT_IN_MEMSET:
2060 case BUILT_IN_MEMSET_CHK:
e9e2bad7 2061 return no_warning;
a411ae9b
MS		 2062 default:
2063 break;
2064 }
2065 }
2066
6d3bab5d 2067 location_t loc = gimple_location (call);
cc8bea0a
MS		 2068 if (operand_equal_p (dst, src, 0))
2069 {
8cd95cec
MS		 2070 /* Issue -Wrestrict unless the pointers are null (those do
2071 not point to objects and so do not indicate an overlap;
2072 such calls could be the result of sanitization and jump
2073 threading). */
e9e2bad7 2074 if (!integer_zerop (dst) && !warning_suppressed_p (call, OPT_Wrestrict))
8cd95cec
MS		 2075 {
2076 warning_at (loc, OPT_Wrestrict,
6d3bab5d
MS		 2077 "%qD source argument is the same as destination",
2078 func);
e9e2bad7 2079 suppress_warning (call, OPT_Wrestrict);
213694e5 2080 return OPT_Wrestrict;
8cd95cec
MS		 2081 }
2082
e9e2bad7 2083 return no_warning;
cc8bea0a
MS		 2084 }
2085
2086 /* Return false when overlap has been detected. */
2087 if (maybe_diag_overlap (loc, call, acs))
2088 {
e9e2bad7 2089 suppress_warning (call, OPT_Wrestrict);
213694e5 2090 return OPT_Wrestrict;
cc8bea0a
MS		 2091 }
2092
e9e2bad7 2093 return no_warning;
cc8bea0a
MS		 2094}
2095
2096gimple_opt_pass *
2097make_pass_warn_restrict (gcc::context *ctxt)
2098{
2099 return new pass_wrestrict (ctxt);
2100}
6889a3ac
MS		 2101
2102DEBUG_FUNCTION void
2103dump_builtin_memref (FILE *fp, const builtin_memref &ref)
2104{
2105 fprintf (fp, "\n ptr = ");
2106 print_generic_expr (fp, ref.ptr, TDF_LINENO);
2107 fprintf (fp, "\n ref = ");
2108 if (ref.ref)
2109 print_generic_expr (fp, ref.ref, TDF_LINENO);
2110 else
2111 fputs ("null", fp);
2112 fprintf (fp, "\n base = ");
2113 print_generic_expr (fp, ref.base, TDF_LINENO);
2114 fprintf (fp,
2115 "\n basesize = %lli"
2116 "\n refsize = %lli"
2117 "\n refoff = %lli"
2118 "\n offrange = [%lli, %lli]"
2119 "\n sizrange = [%lli, %lli]"
2120 "\n strbounded_p = %s\n",
2121 (long long)ref.basesize.to_shwi (),
2122 (long long)ref.refsize.to_shwi (),
2123 (long long)ref.refoff.to_shwi (),
2124 (long long)ref.offrange[0].to_shwi (),
2125 (long long)ref.offrange[1].to_shwi (),
2126 (long long)ref.sizrange[0].to_shwi (),
2127 (long long)ref.sizrange[1].to_shwi (),
2128 ref.strbounded_p ? "true" : "false");
2129}
2130
2131void
2132builtin_access::dump (FILE *fp) const
2133{
2134 fprintf (fp, " dstref:");
2135 dump_builtin_memref (fp, *dstref);
2136 fprintf (fp, "\n srcref:");
2137 dump_builtin_memref (fp, *srcref);
2138
2139 fprintf (fp,
2140 " sizrange = [%lli, %lli]\n"
2141 " ovloff = [%lli, %lli]\n"
2142 " ovlsiz = [%lli, %lli]\n"
2143 " dstoff = [%lli, %lli]\n"
2144 " dstsiz = [%lli, %lli]\n"
2145 " srcoff = [%lli, %lli]\n"
2146 " srcsiz = [%lli, %lli]\n",
2147 (long long)sizrange[0], (long long)sizrange[1],
2148 (long long)ovloff[0], (long long)ovloff[1],
2149 (long long)ovlsiz[0], (long long)ovlsiz[1],
2150 (long long)dstoff[0].to_shwi (), (long long)dstoff[1].to_shwi (),
2151 (long long)dstsiz[0].to_shwi (), (long long)dstsiz[1].to_shwi (),
2152 (long long)srcoff[0].to_shwi (), (long long)srcoff[1].to_shwi (),
2153 (long long)srcsiz[0].to_shwi (), (long long)srcsiz[1].to_shwi ());
2154}
2155
2156DEBUG_FUNCTION void
2157dump_builtin_access (FILE *fp, gimple *stmt, const builtin_access &acs)
2158{
2159 if (stmt)
2160 {
2161 fprintf (fp, "\nDumping builtin_access for ");
2162 print_gimple_expr (fp, stmt, TDF_LINENO);
2163 fputs (":\n", fp);
2164 }
2165
2166 acs.dump (fp);
2167}
2168
2169DEBUG_FUNCTION void
2170debug (gimple *stmt, const builtin_access &acs)
2171{
2172 dump_builtin_access (stdout, stmt, acs);
2173}
Mirror of https://gcc.gnu.org/git/gcc.git