]> git.ipfire.org Git - thirdparty/gcc.git/blob - gcc/analyzer/region-model.h
projects / thirdparty / gcc.git / blob
? search:
summary | shortlog | log | commit | commitdiff | tree
blame | history | raw | HEAD
c, analyzer: support named constants in analyzer [PR106302]
[thirdparty/gcc.git] / gcc / analyzer / region-model.h
1 /* Classes for modeling the state of memory.
2 Copyright (C) 2019-2022 Free Software Foundation, Inc.
3 Contributed by David Malcolm <dmalcolm@redhat.com>.
4
5 This file is part of GCC.
6
7 GCC is free software; you can redistribute it and/or modify it
8 under the terms of the GNU General Public License as published by
9 the Free Software Foundation; either version 3, or (at your option)
10 any later version.
11
12 GCC is distributed in the hope that it will be useful, but
13 WITHOUT ANY WARRANTY; without even the implied warranty of
14 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
15 General Public License for more details.
16
17 You should have received a copy of the GNU General Public License
18 along with GCC; see the file COPYING3. If not see
19 <http://www.gnu.org/licenses/>. */
20
21 #ifndef GCC_ANALYZER_REGION_MODEL_H
22 #define GCC_ANALYZER_REGION_MODEL_H
23
24 /* Implementation of the region-based ternary model described in:
25 "A Memory Model for Static Analysis of C Programs"
26 (Zhongxing Xu, Ted Kremenek, and Jian Zhang)
27 http://lcs.ios.ac.cn/~xuzb/canalyze/memmodel.pdf */
28
29 #include "selftest.h"
30 #include "analyzer/svalue.h"
31 #include "analyzer/region.h"
32 #include "analyzer/known-function-manager.h"
33 #include "analyzer/region-model-manager.h"
34 #include "analyzer/pending-diagnostic.h"
35
36 using namespace ana;
37
38 namespace inchash
39 {
40 extern void add_path_var (path_var pv, hash &hstate);
41 } // namespace inchash
42
43 namespace ana {
44
45 template <typename T>
46 class one_way_id_map
47 {
48 public:
49 one_way_id_map (int num_ids);
50 void put (T src, T dst);
51 T get_dst_for_src (T src) const;
52 void dump_to_pp (pretty_printer *pp) const;
53 void dump () const;
54 void update (T *) const;
55
56 private:
57 auto_vec<T> m_src_to_dst;
58 };
59
60 /* class one_way_id_map. */
61
62 /* one_way_id_map's ctor, which populates the map with dummy null values. */
63
64 template <typename T>
65 inline one_way_id_map<T>::one_way_id_map (int num_svalues)
66 : m_src_to_dst (num_svalues)
67 {
68 for (int i = 0; i < num_svalues; i++)
69 m_src_to_dst.quick_push (T::null ());
70 }
71
72 /* Record that SRC is to be mapped to DST. */
73
74 template <typename T>
75 inline void
76 one_way_id_map<T>::put (T src, T dst)
77 {
78 m_src_to_dst[src.as_int ()] = dst;
79 }
80
81 /* Get the new value for SRC within the map. */
82
83 template <typename T>
84 inline T
85 one_way_id_map<T>::get_dst_for_src (T src) const
86 {
87 if (src.null_p ())
88 return src;
89 return m_src_to_dst[src.as_int ()];
90 }
91
92 /* Dump this map to PP. */
93
94 template <typename T>
95 inline void
96 one_way_id_map<T>::dump_to_pp (pretty_printer *pp) const
97 {
98 pp_string (pp, "src to dst: {");
99 unsigned i;
100 T *dst;
101 FOR_EACH_VEC_ELT (m_src_to_dst, i, dst)
102 {
103 if (i > 0)
104 pp_string (pp, ", ");
105 T src (T::from_int (i));
106 src.print (pp);
107 pp_string (pp, " -> ");
108 dst->print (pp);
109 }
110 pp_string (pp, "}");
111 pp_newline (pp);
112 }
113
114 /* Dump this map to stderr. */
115
116 template <typename T>
117 DEBUG_FUNCTION inline void
118 one_way_id_map<T>::dump () const
119 {
120 pretty_printer pp;
121 pp.buffer->stream = stderr;
122 dump_to_pp (&pp);
123 pp_flush (&pp);
124 }
125
126 /* Update *ID from the old value to its new value in this map. */
127
128 template <typename T>
129 inline void
130 one_way_id_map<T>::update (T *id) const
131 {
132 *id = get_dst_for_src (*id);
133 }
134
135 /* A mapping from region to svalue for use when tracking state. */
136
137 class region_to_value_map
138 {
139 public:
140 typedef hash_map<const region *, const svalue *> hash_map_t;
141 typedef hash_map_t::iterator iterator;
142
143 region_to_value_map () : m_hash_map () {}
144 region_to_value_map (const region_to_value_map &other)
145 : m_hash_map (other.m_hash_map) {}
146 region_to_value_map &operator= (const region_to_value_map &other);
147
148 bool operator== (const region_to_value_map &other) const;
149 bool operator!= (const region_to_value_map &other) const
150 {
151 return !(*this == other);
152 }
153
154 iterator begin () const { return m_hash_map.begin (); }
155 iterator end () const { return m_hash_map.end (); }
156
157 const svalue * const *get (const region *reg) const
158 {
159 return const_cast <hash_map_t &> (m_hash_map).get (reg);
160 }
161 void put (const region *reg, const svalue *sval)
162 {
163 m_hash_map.put (reg, sval);
164 }
165 void remove (const region *reg)
166 {
167 m_hash_map.remove (reg);
168 }
169
170 bool is_empty () const { return m_hash_map.is_empty (); }
171
172 void dump_to_pp (pretty_printer *pp, bool simple, bool multiline) const;
173 void dump (bool simple) const;
174
175 bool can_merge_with_p (const region_to_value_map &other,
176 region_to_value_map *out) const;
177
178 void purge_state_involving (const svalue *sval);
179
180 private:
181 hash_map_t m_hash_map;
182 };
183
184 /* Various operations delete information from a region_model.
185
186 This struct tracks how many of each kind of entity were purged (e.g.
187 for selftests, and for debugging). */
188
189 struct purge_stats
190 {
191 purge_stats ()
192 : m_num_svalues (0),
193 m_num_regions (0),
194 m_num_equiv_classes (0),
195 m_num_constraints (0),
196 m_num_bounded_ranges_constraints (0),
197 m_num_client_items (0)
198 {}
199
200 int m_num_svalues;
201 int m_num_regions;
202 int m_num_equiv_classes;
203 int m_num_constraints;
204 int m_num_bounded_ranges_constraints;
205 int m_num_client_items;
206 };
207
208 /* A base class for visiting regions and svalues, with do-nothing
209 base implementations of the per-subclass vfuncs. */
210
211 class visitor
212 {
213 public:
214 virtual void visit_region_svalue (const region_svalue *) {}
215 virtual void visit_constant_svalue (const constant_svalue *) {}
216 virtual void visit_unknown_svalue (const unknown_svalue *) {}
217 virtual void visit_poisoned_svalue (const poisoned_svalue *) {}
218 virtual void visit_setjmp_svalue (const setjmp_svalue *) {}
219 virtual void visit_initial_svalue (const initial_svalue *) {}
220 virtual void visit_unaryop_svalue (const unaryop_svalue *) {}
221 virtual void visit_binop_svalue (const binop_svalue *) {}
222 virtual void visit_sub_svalue (const sub_svalue *) {}
223 virtual void visit_repeated_svalue (const repeated_svalue *) {}
224 virtual void visit_bits_within_svalue (const bits_within_svalue *) {}
225 virtual void visit_unmergeable_svalue (const unmergeable_svalue *) {}
226 virtual void visit_placeholder_svalue (const placeholder_svalue *) {}
227 virtual void visit_widening_svalue (const widening_svalue *) {}
228 virtual void visit_compound_svalue (const compound_svalue *) {}
229 virtual void visit_conjured_svalue (const conjured_svalue *) {}
230 virtual void visit_asm_output_svalue (const asm_output_svalue *) {}
231 virtual void visit_const_fn_result_svalue (const const_fn_result_svalue *) {}
232
233 virtual void visit_region (const region *) {}
234 };
235
236 struct append_regions_cb_data;
237
238 /* Helper class for handling calls to functions with known behavior.
239 Implemented in region-model-impl-calls.c. */
240
241 class call_details
242 {
243 public:
244 call_details (const gcall *call, region_model *model,
245 region_model_context *ctxt);
246
247 region_model *get_model () const { return m_model; }
248 region_model_manager *get_manager () const;
249 region_model_context *get_ctxt () const { return m_ctxt; }
250 logger *get_logger () const;
251
252 uncertainty_t *get_uncertainty () const;
253 tree get_lhs_type () const { return m_lhs_type; }
254 const region *get_lhs_region () const { return m_lhs_region; }
255
256 bool maybe_set_lhs (const svalue *result) const;
257
258 unsigned num_args () const;
259
260 const gcall *get_call_stmt () const { return m_call; }
261
262 tree get_arg_tree (unsigned idx) const;
263 tree get_arg_type (unsigned idx) const;
264 const svalue *get_arg_svalue (unsigned idx) const;
265 const char *get_arg_string_literal (unsigned idx) const;
266
267 tree get_fndecl_for_call () const;
268
269 void dump_to_pp (pretty_printer *pp, bool simple) const;
270 void dump (bool simple) const;
271
272 const svalue *get_or_create_conjured_svalue (const region *) const;
273
274 private:
275 const gcall *m_call;
276 region_model *m_model;
277 region_model_context *m_ctxt;
278 tree m_lhs_type;
279 const region *m_lhs_region;
280 };
281
282 /* A region_model encapsulates a representation of the state of memory, with
283 a tree of regions, along with their associated values.
284 The representation is graph-like because values can be pointers to
285 regions.
286 It also stores:
287 - a constraint_manager, capturing relationships between the values, and
288 - dynamic extents, mapping dynamically-allocated regions to svalues (their
289 capacities). */
290
291 class region_model
292 {
293 public:
294 typedef region_to_value_map dynamic_extents_t;
295
296 region_model (region_model_manager *mgr);
297 region_model (const region_model &other);
298 ~region_model ();
299 region_model &operator= (const region_model &other);
300
301 bool operator== (const region_model &other) const;
302 bool operator!= (const region_model &other) const
303 {
304 return !(*this == other);
305 }
306
307 hashval_t hash () const;
308
309 void print (pretty_printer *pp) const;
310
311 void dump_to_pp (pretty_printer *pp, bool simple, bool multiline) const;
312 void dump (FILE *fp, bool simple, bool multiline) const;
313 void dump (bool simple) const;
314
315 void debug () const;
316
317 void validate () const;
318
319 void canonicalize ();
320 bool canonicalized_p () const;
321
322 void
323 on_stmt_pre (const gimple *stmt,
324 bool *out_terminate_path,
325 bool *out_unknown_side_effects,
326 region_model_context *ctxt);
327
328 void on_assignment (const gassign *stmt, region_model_context *ctxt);
329 const svalue *get_gassign_result (const gassign *assign,
330 region_model_context *ctxt);
331 void on_asm_stmt (const gasm *asm_stmt, region_model_context *ctxt);
332 bool on_call_pre (const gcall *stmt, region_model_context *ctxt,
333 bool *out_terminate_path);
334 void on_call_post (const gcall *stmt,
335 bool unknown_side_effects,
336 region_model_context *ctxt);
337
338 void purge_state_involving (const svalue *sval, region_model_context *ctxt);
339
340 /* Specific handling for on_call_pre. */
341 void impl_call_alloca (const call_details &cd);
342 void impl_call_analyzer_describe (const gcall *call,
343 region_model_context *ctxt);
344 void impl_call_analyzer_dump_capacity (const gcall *call,
345 region_model_context *ctxt);
346 void impl_call_analyzer_dump_escaped (const gcall *call);
347 void impl_call_analyzer_dump_named_constant (const gcall *call,
348 region_model_context *ctxt);
349 void impl_call_analyzer_eval (const gcall *call,
350 region_model_context *ctxt);
351 void impl_call_analyzer_get_unknown_ptr (const call_details &cd);
352 void impl_call_builtin_expect (const call_details &cd);
353 void impl_call_calloc (const call_details &cd);
354 void impl_call_errno_location (const call_details &cd);
355 bool impl_call_error (const call_details &cd, unsigned min_args,
356 bool *out_terminate_path);
357 void impl_call_fgets (const call_details &cd);
358 void impl_call_fread (const call_details &cd);
359 void impl_call_free (const call_details &cd);
360 void impl_call_malloc (const call_details &cd);
361 void impl_call_memcpy (const call_details &cd);
362 void impl_call_memset (const call_details &cd);
363 void impl_call_pipe (const call_details &cd);
364 void impl_call_putenv (const call_details &cd);
365 void impl_call_realloc (const call_details &cd);
366 void impl_call_strchr (const call_details &cd);
367 void impl_call_strcpy (const call_details &cd);
368 void impl_call_strlen (const call_details &cd);
369 void impl_call_operator_new (const call_details &cd);
370 void impl_call_operator_delete (const call_details &cd);
371 void impl_deallocation_call (const call_details &cd);
372
373 /* Implemented in varargs.cc. */
374 void impl_call_va_start (const call_details &cd);
375 void impl_call_va_copy (const call_details &cd);
376 void impl_call_va_arg (const call_details &cd);
377 void impl_call_va_end (const call_details &cd);
378
379 const svalue *maybe_get_copy_bounds (const region *src_reg,
380 const svalue *num_bytes_sval);
381 void update_for_int_cst_return (const call_details &cd,
382 int retval,
383 bool unmergeable);
384 void update_for_zero_return (const call_details &cd,
385 bool unmergeable);
386 void update_for_nonzero_return (const call_details &cd);
387
388 void handle_unrecognized_call (const gcall *call,
389 region_model_context *ctxt);
390 void get_reachable_svalues (svalue_set *out,
391 const svalue *extra_sval,
392 const uncertainty_t *uncertainty);
393
394 void on_return (const greturn *stmt, region_model_context *ctxt);
395 void on_setjmp (const gcall *stmt, const exploded_node *enode,
396 region_model_context *ctxt);
397 void on_longjmp (const gcall *longjmp_call, const gcall *setjmp_call,
398 int setjmp_stack_depth, region_model_context *ctxt);
399
400 void update_for_phis (const supernode *snode,
401 const cfg_superedge *last_cfg_superedge,
402 region_model_context *ctxt);
403
404 void handle_phi (const gphi *phi, tree lhs, tree rhs,
405 const region_model &old_state,
406 region_model_context *ctxt);
407
408 bool maybe_update_for_edge (const superedge &edge,
409 const gimple *last_stmt,
410 region_model_context *ctxt,
411 rejected_constraint **out);
412
413 void update_for_gcall (const gcall *call_stmt,
414 region_model_context *ctxt,
415 function *callee = NULL);
416
417 void update_for_return_gcall (const gcall *call_stmt,
418 region_model_context *ctxt);
419
420 const region *push_frame (function *fun, const vec<const svalue *> *arg_sids,
421 region_model_context *ctxt);
422 const frame_region *get_current_frame () const { return m_current_frame; }
423 function * get_current_function () const;
424 void pop_frame (tree result_lvalue,
425 const svalue **out_result,
426 region_model_context *ctxt);
427 int get_stack_depth () const;
428 const frame_region *get_frame_at_index (int index) const;
429
430 const region *get_lvalue (path_var pv, region_model_context *ctxt) const;
431 const region *get_lvalue (tree expr, region_model_context *ctxt) const;
432 const svalue *get_rvalue (path_var pv, region_model_context *ctxt) const;
433 const svalue *get_rvalue (tree expr, region_model_context *ctxt) const;
434
435 const region *deref_rvalue (const svalue *ptr_sval, tree ptr_tree,
436 region_model_context *ctxt) const;
437
438 const svalue *get_rvalue_for_bits (tree type,
439 const region *reg,
440 const bit_range &bits,
441 region_model_context *ctxt) const;
442
443 void set_value (const region *lhs_reg, const svalue *rhs_sval,
444 region_model_context *ctxt);
445 void set_value (tree lhs, tree rhs, region_model_context *ctxt);
446 void clobber_region (const region *reg);
447 void purge_region (const region *reg);
448 void fill_region (const region *reg, const svalue *sval);
449 void zero_fill_region (const region *reg);
450 void mark_region_as_unknown (const region *reg, uncertainty_t *uncertainty);
451
452 tristate eval_condition (const svalue *lhs,
453 enum tree_code op,
454 const svalue *rhs) const;
455 tristate compare_initial_and_pointer (const initial_svalue *init,
456 const region_svalue *ptr) const;
457 tristate symbolic_greater_than (const binop_svalue *a,
458 const svalue *b) const;
459 tristate structural_equality (const svalue *a, const svalue *b) const;
460 tristate eval_condition (tree lhs,
461 enum tree_code op,
462 tree rhs,
463 region_model_context *ctxt) const;
464 bool add_constraint (tree lhs, enum tree_code op, tree rhs,
465 region_model_context *ctxt);
466 bool add_constraint (tree lhs, enum tree_code op, tree rhs,
467 region_model_context *ctxt,
468 rejected_constraint **out);
469
470 const region *create_region_for_heap_alloc (const svalue *size_in_bytes,
471 region_model_context *ctxt);
472 const region *create_region_for_alloca (const svalue *size_in_bytes,
473 region_model_context *ctxt);
474
475 tree get_representative_tree (const svalue *sval) const;
476 tree get_representative_tree (const region *reg) const;
477 path_var
478 get_representative_path_var (const svalue *sval,
479 svalue_set *visited) const;
480 path_var
481 get_representative_path_var (const region *reg,
482 svalue_set *visited) const;
483
484 /* For selftests. */
485 constraint_manager *get_constraints ()
486 {
487 return m_constraints;
488 }
489
490 store *get_store () { return &m_store; }
491 const store *get_store () const { return &m_store; }
492
493 const dynamic_extents_t &
494 get_dynamic_extents () const
495 {
496 return m_dynamic_extents;
497 }
498 const svalue *get_dynamic_extents (const region *reg) const;
499 void set_dynamic_extents (const region *reg,
500 const svalue *size_in_bytes,
501 region_model_context *ctxt);
502 void unset_dynamic_extents (const region *reg);
503
504 region_model_manager *get_manager () const { return m_mgr; }
505 bounded_ranges_manager *get_range_manager () const
506 {
507 return m_mgr->get_range_manager ();
508 }
509
510 void unbind_region_and_descendents (const region *reg,
511 enum poison_kind pkind);
512
513 bool can_merge_with_p (const region_model &other_model,
514 const program_point &point,
515 region_model *out_model,
516 const extrinsic_state *ext_state = NULL,
517 const program_state *state_a = NULL,
518 const program_state *state_b = NULL) const;
519
520 tree get_fndecl_for_call (const gcall *call,
521 region_model_context *ctxt);
522
523 void get_regions_for_current_frame (auto_vec<const decl_region *> *out) const;
524 static void append_regions_cb (const region *base_reg,
525 struct append_regions_cb_data *data);
526
527 const svalue *get_store_value (const region *reg,
528 region_model_context *ctxt) const;
529
530 bool region_exists_p (const region *reg) const;
531
532 void loop_replay_fixup (const region_model *dst_state);
533
534 const svalue *get_capacity (const region *reg) const;
535
536 const svalue *get_string_size (const svalue *sval) const;
537 const svalue *get_string_size (const region *reg) const;
538
539 bool replay_call_summary (call_summary_replay &r,
540 const region_model &summary);
541
542 void maybe_complain_about_infoleak (const region *dst_reg,
543 const svalue *copied_sval,
544 const region *src_reg,
545 region_model_context *ctxt);
546
547 void set_errno (const call_details &cd);
548
549 /* Implemented in sm-fd.cc */
550 void mark_as_valid_fd (const svalue *sval, region_model_context *ctxt);
551
552 /* Implemented in sm-malloc.cc */
553 void on_realloc_with_move (const call_details &cd,
554 const svalue *old_ptr_sval,
555 const svalue *new_ptr_sval);
556
557 /* Implemented in sm-taint.cc. */
558 void mark_as_tainted (const svalue *sval,
559 region_model_context *ctxt);
560
561 private:
562 const region *get_lvalue_1 (path_var pv, region_model_context *ctxt) const;
563 const svalue *get_rvalue_1 (path_var pv, region_model_context *ctxt) const;
564
565 path_var
566 get_representative_path_var_1 (const svalue *sval,
567 svalue_set *visited) const;
568 path_var
569 get_representative_path_var_1 (const region *reg,
570 svalue_set *visited) const;
571
572 const known_function *get_known_function (tree fndecl) const;
573
574 bool add_constraint (const svalue *lhs,
575 enum tree_code op,
576 const svalue *rhs,
577 region_model_context *ctxt);
578 bool add_constraints_from_binop (const svalue *outer_lhs,
579 enum tree_code outer_op,
580 const svalue *outer_rhs,
581 bool *out,
582 region_model_context *ctxt);
583
584 void update_for_call_superedge (const call_superedge &call_edge,
585 region_model_context *ctxt);
586 void update_for_return_superedge (const return_superedge &return_edge,
587 region_model_context *ctxt);
588 bool apply_constraints_for_gcond (const cfg_superedge &edge,
589 const gcond *cond_stmt,
590 region_model_context *ctxt,
591 rejected_constraint **out);
592 bool apply_constraints_for_gswitch (const switch_cfg_superedge &edge,
593 const gswitch *switch_stmt,
594 region_model_context *ctxt,
595 rejected_constraint **out);
596 bool apply_constraints_for_exception (const gimple *last_stmt,
597 region_model_context *ctxt,
598 rejected_constraint **out);
599
600 int poison_any_pointers_to_descendents (const region *reg,
601 enum poison_kind pkind);
602
603 void on_top_level_param (tree param, region_model_context *ctxt);
604
605 bool called_from_main_p () const;
606 const svalue *get_initial_value_for_global (const region *reg) const;
607
608 const svalue *check_for_poison (const svalue *sval,
609 tree expr,
610 region_model_context *ctxt) const;
611 const region * get_region_for_poisoned_expr (tree expr) const;
612
613 void check_dynamic_size_for_taint (enum memory_space mem_space,
614 const svalue *size_in_bytes,
615 region_model_context *ctxt) const;
616 void check_dynamic_size_for_floats (const svalue *size_in_bytes,
617 region_model_context *ctxt) const;
618
619 void check_region_for_taint (const region *reg,
620 enum access_direction dir,
621 region_model_context *ctxt) const;
622
623 void check_for_writable_region (const region* dest_reg,
624 region_model_context *ctxt) const;
625 void check_region_access (const region *reg,
626 enum access_direction dir,
627 region_model_context *ctxt) const;
628 void check_region_for_write (const region *dest_reg,
629 region_model_context *ctxt) const;
630 void check_region_for_read (const region *src_reg,
631 region_model_context *ctxt) const;
632 void check_region_size (const region *lhs_reg, const svalue *rhs_sval,
633 region_model_context *ctxt) const;
634 void check_symbolic_bounds (const region *base_reg,
635 const svalue *sym_byte_offset,
636 const svalue *num_bytes_sval,
637 const svalue *capacity,
638 enum access_direction dir,
639 region_model_context *ctxt) const;
640 void check_region_bounds (const region *reg, enum access_direction dir,
641 region_model_context *ctxt) const;
642
643 void check_call_args (const call_details &cd) const;
644 void check_external_function_for_access_attr (const gcall *call,
645 tree callee_fndecl,
646 region_model_context *ctxt) const;
647
648 /* Storing this here to avoid passing it around everywhere. */
649 region_model_manager *const m_mgr;
650
651 store m_store;
652
653 constraint_manager *m_constraints; // TODO: embed, rather than dynalloc?
654
655 const frame_region *m_current_frame;
656
657 /* Map from base region to size in bytes, for tracking the sizes of
658 dynamically-allocated regions.
659 This is part of the region_model rather than the region to allow for
660 memory regions to be resized (e.g. by realloc). */
661 dynamic_extents_t m_dynamic_extents;
662 };
663
664 /* Some region_model activity could lead to warnings (e.g. attempts to use an
665 uninitialized value). This abstract base class encapsulates an interface
666 for the region model to use when emitting such warnings.
667
668 Having this as an abstract base class allows us to support the various
669 operations needed by program_state in the analyzer within region_model,
670 whilst keeping them somewhat modularized. */
671
672 class region_model_context
673 {
674 public:
675 /* Hook for clients to store pending diagnostics.
676 Return true if the diagnostic was stored, or false if it was deleted. */
677 virtual bool warn (std::unique_ptr<pending_diagnostic> d) = 0;
678
679 /* Hook for clients to add a note to the last previously stored
680 pending diagnostic. */
681 virtual void add_note (std::unique_ptr<pending_note> pn) = 0;
682
683 /* Hook for clients to be notified when an SVAL that was reachable
684 in a previous state is no longer live, so that clients can emit warnings
685 about leaks. */
686 virtual void on_svalue_leak (const svalue *sval) = 0;
687
688 /* Hook for clients to be notified when the set of explicitly live
689 svalues changes, so that they can purge state relating to dead
690 svalues. */
691 virtual void on_liveness_change (const svalue_set &live_svalues,
692 const region_model *model) = 0;
693
694 virtual logger *get_logger () = 0;
695
696 /* Hook for clients to be notified when the condition
697 "LHS OP RHS" is added to the region model.
698 This exists so that state machines can detect tests on edges,
699 and use them to trigger sm-state transitions (e.g. transitions due
700 to ptrs becoming known to be NULL or non-NULL, rather than just
701 "unchecked") */
702 virtual void on_condition (const svalue *lhs,
703 enum tree_code op,
704 const svalue *rhs) = 0;
705
706 /* Hook for clients to be notified when the condition that
707 SVAL is within RANGES is added to the region model.
708 Similar to on_condition, but for use when handling switch statements.
709 RANGES is non-empty. */
710 virtual void on_bounded_ranges (const svalue &sval,
711 const bounded_ranges &ranges) = 0;
712
713 /* Hook for clients to be notified when a frame is popped from the stack. */
714 virtual void on_pop_frame (const frame_region *) = 0;
715
716 /* Hooks for clients to be notified when an unknown change happens
717 to SVAL (in response to a call to an unknown function). */
718 virtual void on_unknown_change (const svalue *sval, bool is_mutable) = 0;
719
720 /* Hooks for clients to be notified when a phi node is handled,
721 where RHS is the pertinent argument. */
722 virtual void on_phi (const gphi *phi, tree rhs) = 0;
723
724 /* Hooks for clients to be notified when the region model doesn't
725 know how to handle the tree code of T at LOC. */
726 virtual void on_unexpected_tree_code (tree t,
727 const dump_location_t &loc) = 0;
728
729 /* Hook for clients to be notified when a function_decl escapes. */
730 virtual void on_escaped_function (tree fndecl) = 0;
731
732 virtual uncertainty_t *get_uncertainty () = 0;
733
734 /* Hook for clients to purge state involving SVAL. */
735 virtual void purge_state_involving (const svalue *sval) = 0;
736
737 /* Hook for clients to split state with a non-standard path. */
738 virtual void bifurcate (std::unique_ptr<custom_edge_info> info) = 0;
739
740 /* Hook for clients to terminate the standard path. */
741 virtual void terminate_path () = 0;
742
743 virtual const extrinsic_state *get_ext_state () const = 0;
744
745 /* Hook for clients to access the a specific state machine in
746 any underlying program_state. */
747 virtual bool get_state_map_by_name (const char *name,
748 sm_state_map **out_smap,
749 const state_machine **out_sm,
750 unsigned *out_sm_idx) = 0;
751
752 /* Precanned ways for clients to access specific state machines. */
753 bool get_fd_map (sm_state_map **out_smap,
754 const state_machine **out_sm,
755 unsigned *out_sm_idx)
756 {
757 return get_state_map_by_name ("file-descriptor", out_smap, out_sm,
758 out_sm_idx);
759 }
760 bool get_malloc_map (sm_state_map **out_smap,
761 const state_machine **out_sm,
762 unsigned *out_sm_idx)
763 {
764 return get_state_map_by_name ("malloc", out_smap, out_sm, out_sm_idx);
765 }
766 bool get_taint_map (sm_state_map **out_smap,
767 const state_machine **out_sm,
768 unsigned *out_sm_idx)
769 {
770 return get_state_map_by_name ("taint", out_smap, out_sm, out_sm_idx);
771 }
772
773 /* Get the current statement, if any. */
774 virtual const gimple *get_stmt () const = 0;
775 };
776
777 /* A "do nothing" subclass of region_model_context. */
778
779 class noop_region_model_context : public region_model_context
780 {
781 public:
782 bool warn (std::unique_ptr<pending_diagnostic>) override { return false; }
783 void add_note (std::unique_ptr<pending_note>) override;
784 void on_svalue_leak (const svalue *) override {}
785 void on_liveness_change (const svalue_set &,
786 const region_model *) override {}
787 logger *get_logger () override { return NULL; }
788 void on_condition (const svalue *lhs ATTRIBUTE_UNUSED,
789 enum tree_code op ATTRIBUTE_UNUSED,
790 const svalue *rhs ATTRIBUTE_UNUSED) override
791 {
792 }
793 void on_bounded_ranges (const svalue &,
794 const bounded_ranges &) override
795 {
796 }
797 void on_pop_frame (const frame_region *) override {}
798 void on_unknown_change (const svalue *sval ATTRIBUTE_UNUSED,
799 bool is_mutable ATTRIBUTE_UNUSED) override
800 {
801 }
802 void on_phi (const gphi *phi ATTRIBUTE_UNUSED,
803 tree rhs ATTRIBUTE_UNUSED) override
804 {
805 }
806 void on_unexpected_tree_code (tree, const dump_location_t &) override {}
807
808 void on_escaped_function (tree) override {}
809
810 uncertainty_t *get_uncertainty () override { return NULL; }
811
812 void purge_state_involving (const svalue *sval ATTRIBUTE_UNUSED) override {}
813
814 void bifurcate (std::unique_ptr<custom_edge_info> info) override;
815 void terminate_path () override;
816
817 const extrinsic_state *get_ext_state () const override { return NULL; }
818
819 bool get_state_map_by_name (const char *,
820 sm_state_map **,
821 const state_machine **,
822 unsigned *) override
823 {
824 return false;
825 }
826
827 const gimple *get_stmt () const override { return NULL; }
828 };
829
830 /* A subclass of region_model_context for determining if operations fail
831 e.g. "can we generate a region for the lvalue of EXPR?". */
832
833 class tentative_region_model_context : public noop_region_model_context
834 {
835 public:
836 tentative_region_model_context () : m_num_unexpected_codes (0) {}
837
838 void on_unexpected_tree_code (tree, const dump_location_t &)
839 final override
840 {
841 m_num_unexpected_codes++;
842 }
843
844 bool had_errors_p () const { return m_num_unexpected_codes > 0; }
845
846 private:
847 int m_num_unexpected_codes;
848 };
849
850 /* Subclass of region_model_context that wraps another context, allowing
851 for extra code to be added to the various hooks. */
852
853 class region_model_context_decorator : public region_model_context
854 {
855 public:
856 bool warn (std::unique_ptr<pending_diagnostic> d) override
857 {
858 return m_inner->warn (std::move (d));
859 }
860
861 void add_note (std::unique_ptr<pending_note> pn) override
862 {
863 m_inner->add_note (std::move (pn));
864 }
865
866 void on_svalue_leak (const svalue *sval) override
867 {
868 m_inner->on_svalue_leak (sval);
869 }
870
871 void on_liveness_change (const svalue_set &live_svalues,
872 const region_model *model) override
873 {
874 m_inner->on_liveness_change (live_svalues, model);
875 }
876
877 logger *get_logger () override
878 {
879 return m_inner->get_logger ();
880 }
881
882 void on_condition (const svalue *lhs,
883 enum tree_code op,
884 const svalue *rhs) override
885 {
886 m_inner->on_condition (lhs, op, rhs);
887 }
888
889 void on_bounded_ranges (const svalue &sval,
890 const bounded_ranges &ranges) override
891 {
892 m_inner->on_bounded_ranges (sval, ranges);
893 }
894
895 void on_pop_frame (const frame_region *frame_reg) override
896 {
897 m_inner->on_pop_frame (frame_reg);
898 }
899
900 void on_unknown_change (const svalue *sval, bool is_mutable) override
901 {
902 m_inner->on_unknown_change (sval, is_mutable);
903 }
904
905 void on_phi (const gphi *phi, tree rhs) override
906 {
907 m_inner->on_phi (phi, rhs);
908 }
909
910 void on_unexpected_tree_code (tree t,
911 const dump_location_t &loc) override
912 {
913 m_inner->on_unexpected_tree_code (t, loc);
914 }
915
916 void on_escaped_function (tree fndecl) override
917 {
918 m_inner->on_escaped_function (fndecl);
919 }
920
921 uncertainty_t *get_uncertainty () override
922 {
923 return m_inner->get_uncertainty ();
924 }
925
926 void purge_state_involving (const svalue *sval) override
927 {
928 m_inner->purge_state_involving (sval);
929 }
930
931 void bifurcate (std::unique_ptr<custom_edge_info> info) override
932 {
933 m_inner->bifurcate (std::move (info));
934 }
935
936 void terminate_path () override
937 {
938 m_inner->terminate_path ();
939 }
940
941 const extrinsic_state *get_ext_state () const override
942 {
943 return m_inner->get_ext_state ();
944 }
945
946 bool get_state_map_by_name (const char *name,
947 sm_state_map **out_smap,
948 const state_machine **out_sm,
949 unsigned *out_sm_idx) override
950 {
951 return m_inner->get_state_map_by_name (name, out_smap, out_sm, out_sm_idx);
952 }
953
954 const gimple *get_stmt () const override
955 {
956 return m_inner->get_stmt ();
957 }
958
959 protected:
960 region_model_context_decorator (region_model_context *inner)
961 : m_inner (inner)
962 {
963 gcc_assert (m_inner);
964 }
965
966 region_model_context *m_inner;
967 };
968
969 /* Subclass of region_model_context_decorator that adds a note
970 when saving diagnostics. */
971
972 class note_adding_context : public region_model_context_decorator
973 {
974 public:
975 bool warn (std::unique_ptr<pending_diagnostic> d) override
976 {
977 if (m_inner->warn (std::move (d)))
978 {
979 add_note (make_note ());
980 return true;
981 }
982 else
983 return false;
984 }
985
986 /* Hook to make the new note. */
987 virtual std::unique_ptr<pending_note> make_note () = 0;
988
989 protected:
990 note_adding_context (region_model_context *inner)
991 : region_model_context_decorator (inner)
992 {
993 }
994 };
995
996 /* A bundle of data for use when attempting to merge two region_model
997 instances to make a third. */
998
999 struct model_merger
1000 {
1001 model_merger (const region_model *model_a,
1002 const region_model *model_b,
1003 const program_point &point,
1004 region_model *merged_model,
1005 const extrinsic_state *ext_state,
1006 const program_state *state_a,
1007 const program_state *state_b)
1008 : m_model_a (model_a), m_model_b (model_b),
1009 m_point (point),
1010 m_merged_model (merged_model),
1011 m_ext_state (ext_state),
1012 m_state_a (state_a), m_state_b (state_b)
1013 {
1014 }
1015
1016 void dump_to_pp (pretty_printer *pp, bool simple) const;
1017 void dump (FILE *fp, bool simple) const;
1018 void dump (bool simple) const;
1019
1020 region_model_manager *get_manager () const
1021 {
1022 return m_model_a->get_manager ();
1023 }
1024
1025 bool mergeable_svalue_p (const svalue *) const;
1026 const function_point &get_function_point () const
1027 {
1028 return m_point.get_function_point ();
1029 }
1030
1031 const region_model *m_model_a;
1032 const region_model *m_model_b;
1033 const program_point &m_point;
1034 region_model *m_merged_model;
1035
1036 const extrinsic_state *m_ext_state;
1037 const program_state *m_state_a;
1038 const program_state *m_state_b;
1039 };
1040
1041 /* A record that can (optionally) be written out when
1042 region_model::add_constraint fails. */
1043
1044 class rejected_constraint
1045 {
1046 public:
1047 virtual ~rejected_constraint () {}
1048 virtual void dump_to_pp (pretty_printer *pp) const = 0;
1049
1050 const region_model &get_model () const { return m_model; }
1051
1052 protected:
1053 rejected_constraint (const region_model &model)
1054 : m_model (model)
1055 {}
1056
1057 region_model m_model;
1058 };
1059
1060 class rejected_op_constraint : public rejected_constraint
1061 {
1062 public:
1063 rejected_op_constraint (const region_model &model,
1064 tree lhs, enum tree_code op, tree rhs)
1065 : rejected_constraint (model),
1066 m_lhs (lhs), m_op (op), m_rhs (rhs)
1067 {}
1068
1069 void dump_to_pp (pretty_printer *pp) const final override;
1070
1071 tree m_lhs;
1072 enum tree_code m_op;
1073 tree m_rhs;
1074 };
1075
1076 class rejected_ranges_constraint : public rejected_constraint
1077 {
1078 public:
1079 rejected_ranges_constraint (const region_model &model,
1080 tree expr, const bounded_ranges *ranges)
1081 : rejected_constraint (model),
1082 m_expr (expr), m_ranges (ranges)
1083 {}
1084
1085 void dump_to_pp (pretty_printer *pp) const final override;
1086
1087 private:
1088 tree m_expr;
1089 const bounded_ranges *m_ranges;
1090 };
1091
1092 /* A bundle of state. */
1093
1094 class engine
1095 {
1096 public:
1097 engine (const supergraph *sg = NULL, logger *logger = NULL);
1098 const supergraph *get_supergraph () { return m_sg; }
1099 region_model_manager *get_model_manager () { return &m_mgr; }
1100 known_function_manager *get_known_function_manager ()
1101 {
1102 return m_mgr.get_known_function_manager ();
1103 }
1104
1105 void log_stats (logger *logger) const;
1106
1107 private:
1108 const supergraph *m_sg;
1109 region_model_manager m_mgr;
1110 };
1111
1112 } // namespace ana
1113
1114 extern void debug (const region_model &rmodel);
1115
1116 namespace ana {
1117
1118 #if CHECKING_P
1119
1120 namespace selftest {
1121
1122 using namespace ::selftest;
1123
1124 /* An implementation of region_model_context for use in selftests, which
1125 stores any pending_diagnostic instances passed to it. */
1126
1127 class test_region_model_context : public noop_region_model_context
1128 {
1129 public:
1130 bool warn (std::unique_ptr<pending_diagnostic> d) final override
1131 {
1132 m_diagnostics.safe_push (d.release ());
1133 return true;
1134 }
1135
1136 unsigned get_num_diagnostics () const { return m_diagnostics.length (); }
1137
1138 void on_unexpected_tree_code (tree t, const dump_location_t &)
1139 final override
1140 {
1141 internal_error ("unhandled tree code: %qs",
1142 get_tree_code_name (TREE_CODE (t)));
1143 }
1144
1145 private:
1146 /* Implicitly delete any diagnostics in the dtor. */
1147 auto_delete_vec<pending_diagnostic> m_diagnostics;
1148 };
1149
1150 /* Attempt to add the constraint (LHS OP RHS) to MODEL.
1151 Verify that MODEL remains satisfiable. */
1152
1153 #define ADD_SAT_CONSTRAINT(MODEL, LHS, OP, RHS) \
1154 SELFTEST_BEGIN_STMT \
1155 bool sat = (MODEL).add_constraint (LHS, OP, RHS, NULL); \
1156 ASSERT_TRUE (sat); \
1157 SELFTEST_END_STMT
1158
1159 /* Attempt to add the constraint (LHS OP RHS) to MODEL.
1160 Verify that the result is not satisfiable. */
1161
1162 #define ADD_UNSAT_CONSTRAINT(MODEL, LHS, OP, RHS) \
1163 SELFTEST_BEGIN_STMT \
1164 bool sat = (MODEL).add_constraint (LHS, OP, RHS, NULL); \
1165 ASSERT_FALSE (sat); \
1166 SELFTEST_END_STMT
1167
1168 /* Implementation detail of the ASSERT_CONDITION_* macros. */
1169
1170 void assert_condition (const location &loc,
1171 region_model &model,
1172 const svalue *lhs, tree_code op, const svalue *rhs,
1173 tristate expected);
1174
1175 void assert_condition (const location &loc,
1176 region_model &model,
1177 tree lhs, tree_code op, tree rhs,
1178 tristate expected);
1179
1180 /* Assert that REGION_MODEL evaluates the condition "LHS OP RHS"
1181 as "true". */
1182
1183 #define ASSERT_CONDITION_TRUE(REGION_MODEL, LHS, OP, RHS) \
1184 SELFTEST_BEGIN_STMT \
1185 assert_condition (SELFTEST_LOCATION, REGION_MODEL, LHS, OP, RHS, \
1186 tristate (tristate::TS_TRUE)); \
1187 SELFTEST_END_STMT
1188
1189 /* Assert that REGION_MODEL evaluates the condition "LHS OP RHS"
1190 as "false". */
1191
1192 #define ASSERT_CONDITION_FALSE(REGION_MODEL, LHS, OP, RHS) \
1193 SELFTEST_BEGIN_STMT \
1194 assert_condition (SELFTEST_LOCATION, REGION_MODEL, LHS, OP, RHS, \
1195 tristate (tristate::TS_FALSE)); \
1196 SELFTEST_END_STMT
1197
1198 /* Assert that REGION_MODEL evaluates the condition "LHS OP RHS"
1199 as "unknown". */
1200
1201 #define ASSERT_CONDITION_UNKNOWN(REGION_MODEL, LHS, OP, RHS) \
1202 SELFTEST_BEGIN_STMT \
1203 assert_condition (SELFTEST_LOCATION, REGION_MODEL, LHS, OP, RHS, \
1204 tristate (tristate::TS_UNKNOWN)); \
1205 SELFTEST_END_STMT
1206
1207 } /* end of namespace selftest. */
1208
1209 #endif /* #if CHECKING_P */
1210
1211 } // namespace ana
1212
1213 #endif /* GCC_ANALYZER_REGION_MODEL_H */
Mirror of https://gcc.gnu.org/git/gcc.git