Correct a function pre/postcondition [PR102403].
1 /* Pass to detect and issue warnings for invalid accesses, including
2 invalid or mismatched allocation/deallocation calls.
3
4 Copyright (C) 2020-2021 Free Software Foundation, Inc.
5 Contributed by Martin Sebor <msebor@redhat.com>.
6
7 This file is part of GCC.
8
9 GCC is free software; you can redistribute it and/or modify it under
10 the terms of the GNU General Public License as published by the Free
11 Software Foundation; either version 3, or (at your option) any later
12 version.
13
14 GCC is distributed in the hope that it will be useful, but WITHOUT ANY
15 WARRANTY; without even the implied warranty of MERCHANTABILITY or
16 FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
17 for more details.
18
19 You should have received a copy of the GNU General Public License
20 along with GCC; see the file COPYING3. If not see
21 <http://www.gnu.org/licenses/>. */
22
23 #define INCLUDE_STRING
24 #include "config.h"
25 #include "system.h"
26 #include "coretypes.h"
27 #include "backend.h"
28 #include "tree.h"
29 #include "gimple.h"
30 #include "tree-pass.h"
31 #include "builtins.h"
32 #include "ssa.h"
33 #include "gimple-pretty-print.h"
34 #include "gimple-ssa-warn-access.h"
35 #include "gimple-ssa-warn-restrict.h"
36 #include "diagnostic-core.h"
37 #include "fold-const.h"
38 #include "gimple-fold.h"
39 #include "gimple-iterator.h"
40 #include "langhooks.h"
41 #include "tree-dfa.h"
42 #include "tree-ssa.h"
43 #include "tree-cfg.h"
44 #include "tree-object-size.h"
45 #include "tree-ssa-strlen.h"
46 #include "calls.h"
47 #include "cfgloop.h"
48 #include "intl.h"
49 #include "gimple-range.h"
50 #include "stringpool.h"
51 #include "attribs.h"
52 #include "demangle.h"
53 #include "pointer-query.h"
54
55 /* Return true if tree node X has an associated location. */
56
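static inline bool
has_location (const_tree x)
{
  /* Every decl has a location slot; treat it as present only when it
     isn't the UNKNOWN_LOCATION sentinel.  The result is a yes/no answer,
     so the return type is bool rather than location_t (the callers only
     use it as a condition).  */
  if (DECL_P (x))
    return DECL_SOURCE_LOCATION (x) != UNKNOWN_LOCATION;

  /* Expressions may or may not carry a location.  */
  if (EXPR_P (x))
    return EXPR_HAS_LOCATION (x);

  /* Other nodes (constants, types, ...) have none.  */
  return false;
}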
68
69 /* Return the associated location of STMT. */
70
static inline location_t
get_location (const gimple *stmt)
{
  /* A GIMPLE statement records its location directly.  */
  const location_t stmt_loc = gimple_location (stmt);
  return stmt_loc;
}
76
77 /* Return the associated location of tree node X. */
78
static inline location_t
get_location (tree x)
{
  /* Declarations record where they were declared and expressions may
     carry an explicit location; any other node yields UNKNOWN_LOCATION.  */
  location_t result = UNKNOWN_LOCATION;
  if (DECL_P (x))
    result = DECL_SOURCE_LOCATION (x);
  else if (EXPR_P (x))
    result = EXPR_LOCATION (x);
  return result;
}
90
91 /* Overload of the nascent tree function for GIMPLE STMT. */
92
static inline tree
get_callee_fndecl (const gimple *stmt)
{
  /* Mirrors the tree-level get_callee_fndecl so templates can use
     either a GIMPLE call or a CALL_EXPR.  */
  const tree callee = gimple_call_fndecl (stmt);
  return callee;
}
98
/* Return the number of actual arguments of the GIMPLE call STMT.  */

static inline unsigned
call_nargs (const gimple *stmt)
{
  const unsigned nargs = gimple_call_num_args (stmt);
  return nargs;
}
104
/* Return the number of actual arguments of the CALL_EXPR EXPR.  */

static inline unsigned
call_nargs (const_tree expr)
{
  const unsigned nargs = call_expr_nargs (expr);
  return nargs;
}
110
111
/* Return argument number ARGNO (zero-based) of the GIMPLE call STMT.  */

static inline tree
call_arg (const gimple *stmt, unsigned argno)
{
  const tree arg = gimple_call_arg (stmt, argno);
  return arg;
}
117
/* Return argument number ARGNO (zero-based) of the CALL_EXPR EXPR.  */

static inline tree
call_arg (tree expr, unsigned argno)
{
  const tree arg = CALL_EXPR_ARG (expr, argno);
  return arg;
}
123
124 /* For a call EXPR at LOC to a function FNAME that expects a string
125 in the argument ARG, issue a diagnostic due to it being a called
126 with an argument that is a character array with no terminating
127 NUL. SIZE is the EXACT size of the array, and BNDRNG the number
128 of characters in which the NUL is expected. Either EXPR or FNAME
129 may be null but not both. SIZE may be null when BNDRNG is null. */
130
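template <class GimpleOrTree>
static void
warn_string_no_nul (location_t loc, GimpleOrTree expr, const char *fname,
                    tree arg, tree decl, tree size, bool exact,
                    const wide_int bndrng[2] /* = NULL */)
{
  const opt_code opt = OPT_Wstringop_overread;
  /* EXPR may be null (see the comment above); ARG never is.  */
  if ((expr && warning_suppressed_p (expr, opt))
      || warning_suppressed_p (arg, opt))
    return;

  loc = expansion_point_location_if_in_system_header (loc);
  /* Initialized defensively; every branch below assigns it.  */
  bool warned = false;

  /* Format the bound range as a string to keep the number of messages
     from exploding.  Two 64-bit values plus punctuation fit comfortably
     in 80 bytes; use snprintf anyway so the buffer can never overrun.  */
  char bndstr[80];
  *bndstr = 0;
  if (bndrng)
    {
      if (bndrng[0] == bndrng[1])
        snprintf (bndstr, sizeof bndstr, "%llu",
                  (unsigned long long) bndrng[0].to_uhwi ());
      else
        snprintf (bndstr, sizeof bndstr, "[%llu, %llu]",
                  (unsigned long long) bndrng[0].to_uhwi (),
                  (unsigned long long) bndrng[1].to_uhwi ());
    }

  const tree maxobjsize = max_object_size ();
  const wide_int maxsiz = wi::to_wide (maxobjsize);
  if (expr)
    {
      /* With a call expression the callee is printed with %qD.  */
      tree func = get_callee_fndecl (expr);
      if (bndrng)
        {
          if (wi::ltu_p (maxsiz, bndrng[0]))
            warned = warning_at (loc, opt,
                                 "%qD specified bound %s exceeds "
                                 "maximum object size %E",
                                 func, bndstr, maxobjsize);
          else
            {
              /* SIZE is only dereferenced when BNDRNG is non-null, which
                 is the precondition stated above.  When the size is only
                 an upper bound and the bound equals it, the access may
                 or may not overrun, hence the "may" form.  */
              bool maybe = wi::to_wide (size) == bndrng[0];
              warned = warning_at (loc, opt,
                                   exact
                                   ? G_("%qD specified bound %s exceeds "
                                        "the size %E of unterminated array")
                                   : (maybe
                                      ? G_("%qD specified bound %s may "
                                           "exceed the size of at most %E "
                                           "of unterminated array")
                                      : G_("%qD specified bound %s exceeds "
                                           "the size of at most %E "
                                           "of unterminated array")),
                                   func, bndstr, size);
            }
        }
      else
        warned = warning_at (loc, opt,
                             "%qD argument missing terminating nul",
                             func);
    }
  else
    {
      /* Without a call expression only the function name FNAME is
         available and is printed with %qs.  */
      if (bndrng)
        {
          if (wi::ltu_p (maxsiz, bndrng[0]))
            warned = warning_at (loc, opt,
                                 "%qs specified bound %s exceeds "
                                 "maximum object size %E",
                                 fname, bndstr, maxobjsize);
          else
            {
              bool maybe = wi::to_wide (size) == bndrng[0];
              warned = warning_at (loc, opt,
                                   exact
                                   ? G_("%qs specified bound %s exceeds "
                                        "the size %E of unterminated array")
                                   : (maybe
                                      ? G_("%qs specified bound %s may "
                                           "exceed the size of at most %E "
                                           "of unterminated array")
                                      : G_("%qs specified bound %s exceeds "
                                           "the size of at most %E "
                                           "of unterminated array")),
                                   fname, bndstr, size);
            }
        }
      else
        warned = warning_at (loc, opt,
                             "%qs argument missing terminating nul",
                             fname);
    }

  if (warned)
    {
      /* Point at the unterminated array and make sure neither the
         argument nor the call is diagnosed again.  */
      inform (get_location (decl),
              "referenced argument declared here");
      suppress_warning (arg, opt);
      if (expr)
        suppress_warning (expr, opt);
    }
}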
234
void
warn_string_no_nul (location_t loc, gimple *stmt, const char *fname,
                    tree arg, tree decl, tree size /* = NULL_TREE */,
                    bool exact /* = false */,
                    const wide_int bndrng[2] /* = NULL */)
{
  /* Public entry point for GIMPLE calls; dispatch to the shared
     template instantiation.  */
  warn_string_no_nul<gimple *> (loc, stmt, fname, arg, decl, size, exact,
                                bndrng);
}
244
void
warn_string_no_nul (location_t loc, tree expr, const char *fname,
                    tree arg, tree decl, tree size /* = NULL_TREE */,
                    bool exact /* = false */,
                    const wide_int bndrng[2] /* = NULL */)
{
  /* Public entry point for CALL_EXPRs; dispatch to the shared
     template instantiation.  */
  warn_string_no_nul<tree> (loc, expr, fname, arg, decl, size, exact,
                            bndrng);
}
254
255 /* If EXP refers to an unterminated constant character array return
256 the declaration of the object of which the array is a member or
257 element and if SIZE is not null, set *SIZE to the size of
258 the unterminated array and set *EXACT if the size is exact or
259 clear it otherwise. Otherwise return null. */
260
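tree
unterminated_array (tree exp, tree *size /* = NULL */, bool *exact /* = NULL */)
{
  /* C_STRLEN returns null and sets DECL in the info structure when EXP
     references an unterminated array.  */
  c_strlen_data lendata = { };
  tree len = c_strlen (exp, 1, &lendata);
  if (len || !lendata.minlen || !lendata.decl)
    return NULL_TREE;

  /* Callers that only want the declaration pass no SIZE.  */
  if (!size)
    return lendata.decl;

  /* True when LEN is the exact size of the array rather than an upper
     bound.  Kept in a local so that a null EXACT is tolerated (both
     pointer arguments default to null).  */
  bool is_exact = true;
  len = lendata.minlen;
  if (lendata.off)
    {
      /* Constant offsets are already accounted for in LENDATA.MINLEN,
         but not in a SSA_NAME + CST expression.  */
      if (TREE_CODE (lendata.off) == INTEGER_CST)
        is_exact = true;
      else if (TREE_CODE (lendata.off) == PLUS_EXPR
               && TREE_CODE (TREE_OPERAND (lendata.off, 1)) == INTEGER_CST)
        {
          /* Subtract the constant part of the offset from the size of
             the array; the variable part makes the result inexact.  */
          is_exact = false;
          tree temp = TREE_OPERAND (lendata.off, 1);
          temp = fold_convert (ssizetype, temp);
          len = fold_build2 (MINUS_EXPR, ssizetype, len, temp);
        }
      else
        is_exact = false;
    }

  *size = len;
  if (exact)
    *exact = is_exact;
  return lendata.decl;
}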
299
300 /* For a call EXPR (which may be null) that expects a string argument
301 SRC as an argument, returns false if SRC is a character array with
302 no terminating NUL. When nonnull, BOUND is the number of characters
303 in which to expect the terminating NUL. When EXPR is nonnull also
304 issues a warning. */
305
template <class GimpleOrTree>
static bool
check_nul_terminated_array (GimpleOrTree expr, tree src, tree bound)
{
  /* The constant size of the array SRC points to (an upper bound unless
     IS_EXACT is true) and the declaration of that array when it has no
     terminating nul.  */
  tree arrsize;
  bool is_exact;
  tree nonstr = unterminated_array (src, &arrsize, &is_exact);
  if (!nonstr)
    return true;

  /* Range of BOUND, passed on to the warning only when BOUND is given.  */
  wide_int bndrng[2];
  const wide_int *bndp = NULL;
  if (bound)
    {
      value_range vr;
      get_global_range_query ()->range_of_expr (vr, bound);

      /* Nothing can be concluded from a bound with an unknown range.  */
      if (vr.kind () != VR_RANGE)
        return true;

      bndrng[0] = vr.lower_bound ();
      bndrng[1] = vr.upper_bound ();

      /* A bound that doesn't reach past the array is fine: it may equal
         an exact size but must be strictly smaller than an upper bound.  */
      const wide_int wisize = wi::to_wide (arrsize);
      const bool within = (is_exact
                           ? wi::leu_p (bndrng[0], wisize)
                           : wi::lt_p (bndrng[0], wisize, UNSIGNED));
      if (within)
        return true;

      bndp = bndrng;
    }

  if (expr)
    warn_string_no_nul (get_location (expr), expr, NULL, src, nonstr,
                        arrsize, is_exact, bndp);

  return false;
}
352
bool
check_nul_terminated_array (gimple *stmt, tree src, tree bound /* = NULL_TREE */)
{
  /* GIMPLE entry point for the shared template.  */
  const bool ok = check_nul_terminated_array<gimple *> (stmt, src, bound);
  return ok;
}
358
bool
check_nul_terminated_array (tree expr, tree src, tree bound /* = NULL_TREE */)
{
  /* CALL_EXPR entry point for the shared template.  */
  const bool ok = check_nul_terminated_array<tree> (expr, src, bound);
  return ok;
}
364
365 /* Warn about passing a non-string array/pointer to a built-in function
366 that expects a nul-terminated string argument. Returns true if
367 a warning has been issued.*/
368
template <class GimpleOrTree>
static bool
maybe_warn_nonstring_arg (tree fndecl, GimpleOrTree exp)
{
  /* Only normal built-ins have the string-argument semantics checked
     below.  */
  if (!fndecl || !fndecl_built_in_p (fndecl, BUILT_IN_NORMAL))
    return false;

  if (!warn_stringop_overread
      || warning_suppressed_p (exp, OPT_Wstringop_overread))
    return false;

  /* Avoid clearly invalid calls (more checking done below).  */
  unsigned nargs = call_nargs (exp);
  if (!nargs)
    return false;

  /* The bound argument to a bounded string function like strncpy.
     Set to VOID_TYPE_NODE below as a marker that the bound was derived
     from a string length rather than passed explicitly.  */
  tree bound = NULL_TREE;

  /* The longest known or possible string argument to one of the comparison
     functions.  If the length is less than the bound it is used instead.
     Since the length is only used for warning and not for code generation
     disable strict mode in the calls to get_range_strlen below.  */
  tree maxlen = NULL_TREE;

  /* It's safe to call "bounded" string functions with a non-string
     argument since the functions provide an explicit bound for this
     purpose.  The exception is strncat where the bound may refer to
     either the destination or the source.  FNCODE is reset to zero
     later on when the bound turns out not to apply to the source.  */
  int fncode = DECL_FUNCTION_CODE (fndecl);
  switch (fncode)
    {
    case BUILT_IN_STRCMP:
    case BUILT_IN_STRNCMP:
    case BUILT_IN_STRNCASECMP:
      {
        /* For these, if one argument refers to one or more of a set
           of string constants or arrays of known size, determine
           the range of their known or possible lengths and use it
           conservatively as the bound for the unbounded function,
           and to adjust the range of the bound of the bounded ones.
           Stop as soon as a constant MAXLEN is known.  */
        for (unsigned argno = 0;
             argno < MIN (nargs, 2)
               && !(maxlen && TREE_CODE (maxlen) == INTEGER_CST); argno++)
          {
            tree arg = call_arg (exp, argno);
            if (!get_attr_nonstring_decl (arg))
              {
                c_strlen_data lendata = { };
                /* Set MAXBOUND to an arbitrary non-null non-integer
                   node as a request to have it set to the length of
                   the longest string in a PHI.  */
                lendata.maxbound = arg;
                get_range_strlen (arg, &lendata, /* eltsize = */ 1);
                maxlen = lendata.maxbound;
              }
          }
      }
      /* Fall through.  */

    case BUILT_IN_STRNCAT:
    case BUILT_IN_STPNCPY:
    case BUILT_IN_STRNCPY:
      /* The bound is the third argument for all of these.  */
      if (nargs > 2)
        bound = call_arg (exp, 2);
      break;

    case BUILT_IN_STRNDUP:
      if (nargs < 2)
        return false;
      bound = call_arg (exp, 1);
      break;

    case BUILT_IN_STRNLEN:
      {
        tree arg = call_arg (exp, 0);
        if (!get_attr_nonstring_decl (arg))
          {
            c_strlen_data lendata = { };
            /* Set MAXBOUND to an arbitrary non-null non-integer
               node as a request to have it set to the length of
               the longest string in a PHI.  */
            lendata.maxbound = arg;
            get_range_strlen (arg, &lendata, /* eltsize = */ 1);
            maxlen = lendata.maxbound;
          }
        if (nargs > 1)
          bound = call_arg (exp, 1);
        break;
      }

    default:
      break;
    }

  /* Determine the range of the bound argument (if specified).  */
  tree bndrng[2] = { NULL_TREE, NULL_TREE };
  if (bound)
    {
      STRIP_NOPS (bound);
      get_size_range (bound, bndrng);
    }

  location_t loc = get_location (exp);

  if (bndrng[0])
    {
      /* Diagnose excessive bound prior to the adjustment below and
         regardless of attribute nonstring.  */
      tree maxobjsize = max_object_size ();
      if (tree_int_cst_lt (maxobjsize, bndrng[0]))
        {
          bool warned = false;
          if (tree_int_cst_equal (bndrng[0], bndrng[1]))
            warned = warning_at (loc, OPT_Wstringop_overread,
                                 "%qD specified bound %E "
                                 "exceeds maximum object size %E",
                                 fndecl, bndrng[0], maxobjsize);
          else
            warned = warning_at (loc, OPT_Wstringop_overread,
                                 "%qD specified bound [%E, %E] "
                                 "exceeds maximum object size %E",
                                 fndecl, bndrng[0], bndrng[1],
                                 maxobjsize);
          if (warned)
            suppress_warning (exp, OPT_Wstringop_overread);

          return warned;
        }
    }

  /* An all-ones MAXLEN means the length is unknown.  */
  if (maxlen && !integer_all_onesp (maxlen))
    {
      /* Add one for the nul.  */
      maxlen = const_binop (PLUS_EXPR, TREE_TYPE (maxlen), maxlen,
                            size_one_node);

      if (!bndrng[0])
        {
          /* Conservatively use the upper bound of the lengths for
             both the lower and the upper bound of the operation.
             VOID_TYPE_NODE marks BOUND as derived rather than explicit.  */
          bndrng[0] = maxlen;
          bndrng[1] = maxlen;
          bound = void_type_node;
        }
      else if (maxlen)
        {
          /* (MAXLEN is known to be non-null here; the test above
             already established it.)
             Replace the bound on the operation with the upper bound
             of the length of the string if the latter is smaller.  */
          if (tree_int_cst_lt (maxlen, bndrng[0]))
            bndrng[0] = maxlen;
          else if (tree_int_cst_lt (maxlen, bndrng[1]))
            bndrng[1] = maxlen;
        }
    }

  bool any_arg_warned = false;
  /* Iterate over the built-in function's formal arguments and check
     each const char* against the actual argument.  If the actual
     argument is declared attribute non-string issue a warning unless
     the argument's maximum length is bounded.  */
  function_args_iterator it;
  function_args_iter_init (&it, TREE_TYPE (fndecl));

  for (unsigned argno = 0; ; ++argno, function_args_iter_next (&it))
    {
      /* Avoid iterating past the declared argument in a call
         to function declared without a prototype.  */
      if (argno >= nargs)
        break;

      tree argtype = function_args_iter_cond (&it);
      if (!argtype)
        break;

      /* Only formal arguments of type const char* are of interest.  */
      if (TREE_CODE (argtype) != POINTER_TYPE)
        continue;

      argtype = TREE_TYPE (argtype);

      if (TREE_CODE (argtype) != INTEGER_TYPE
          || !TYPE_READONLY (argtype))
        continue;

      argtype = TYPE_MAIN_VARIANT (argtype);
      if (argtype != char_type_node)
        continue;

      tree callarg = call_arg (exp, argno);
      if (TREE_CODE (callarg) == ADDR_EXPR)
        callarg = TREE_OPERAND (callarg, 0);

      /* See if the destination is declared with attribute "nonstring".  */
      tree decl = get_attr_nonstring_decl (callarg);
      if (!decl)
        continue;

      /* The maximum number of array elements accessed.  */
      offset_int wibnd = 0;

      if (argno && fncode == BUILT_IN_STRNCAT)
        {
          /* See if the bound in strncat is derived from the length
             of the strlen of the destination (as it's expected to be).
             If so, reset BOUND and FNCODE to trigger a warning.  */
          tree dstarg = call_arg (exp, 0);
          if (is_strlen_related_p (dstarg, bound))
            {
              /* The bound applies to the destination, not to the source,
                 so reset these to trigger a warning without mentioning
                 the bound.  */
              bound = NULL;
              fncode = 0;
            }
          else if (bndrng[1])
            /* Use the upper bound of the range for strncat.  */
            wibnd = wi::to_offset (bndrng[1]);
        }
      else if (bndrng[0])
        /* Use the lower bound of the range for functions other than
           strncat.  */
        wibnd = wi::to_offset (bndrng[0]);

      /* Determine the size of the argument array if it is one.  */
      offset_int asize = wibnd;
      bool known_size = false;
      tree type = TREE_TYPE (decl);

      /* Determine the array size.  For arrays of unknown bound and
         pointers reset BOUND to trigger the appropriate warning.  */
      if (TREE_CODE (type) == ARRAY_TYPE)
        {
          if (tree arrbnd = TYPE_DOMAIN (type))
            {
              if ((arrbnd = TYPE_MAX_VALUE (arrbnd)))
                {
                  asize = wi::to_offset (arrbnd) + 1;
                  known_size = true;
                }
            }
          else if (bound == void_type_node)
            bound = NULL_TREE;
        }
      else if (bound == void_type_node)
        bound = NULL_TREE;

      /* In a call to strncat with a bound in a range whose lower but
         not upper bound is less than the array size, reset ASIZE to
         be the same as the bound and the other variable to trigger
         the appropriate warning below.
         NOTE(review): BNDRNG[0] != BNDRNG[1] compares node identity,
         not value; the check earlier in this function uses
         tree_int_cst_equal for the same purpose.  */
      if (fncode == BUILT_IN_STRNCAT
          && bndrng[0] != bndrng[1]
          && wi::ltu_p (wi::to_offset (bndrng[0]), asize)
          && (!known_size
              || wi::ltu_p (asize, wibnd)))
        {
          asize = wibnd;
          bound = NULL_TREE;
          fncode = 0;
        }

      bool warned = false;

      /* Keep the warning and the "declared here" note together.  */
      auto_diagnostic_group d;
      if (wi::ltu_p (asize, wibnd))
        {
          /* NOTE(review): node-identity comparison again, see above.  */
          if (bndrng[0] == bndrng[1])
            warned = warning_at (loc, OPT_Wstringop_overread,
                                 "%qD argument %i declared attribute "
                                 "%<nonstring%> is smaller than the specified "
                                 "bound %wu",
                                 fndecl, argno + 1, wibnd.to_uhwi ());
          else if (wi::ltu_p (asize, wi::to_offset (bndrng[0])))
            warned = warning_at (loc, OPT_Wstringop_overread,
                                 "%qD argument %i declared attribute "
                                 "%<nonstring%> is smaller than "
                                 "the specified bound [%E, %E]",
                                 fndecl, argno + 1, bndrng[0], bndrng[1]);
          else
            warned = warning_at (loc, OPT_Wstringop_overread,
                                 "%qD argument %i declared attribute "
                                 "%<nonstring%> may be smaller than "
                                 "the specified bound [%E, %E]",
                                 fndecl, argno + 1, bndrng[0], bndrng[1]);
        }
      else if (fncode == BUILT_IN_STRNCAT)
        ; /* Avoid warning for calls to strncat() when the bound
             is equal to the size of the non-string argument.  */
      else if (!bound)
        warned = warning_at (loc, OPT_Wstringop_overread,
                             "%qD argument %i declared attribute %<nonstring%>",
                             fndecl, argno + 1);

      if (warned)
        {
          inform (DECL_SOURCE_LOCATION (decl),
                  "argument %qD declared here", decl);
          any_arg_warned = true;
        }
    }

  /* Suppress further -Wstringop-overread diagnostics for this call once
     any argument has been diagnosed.  */
  if (any_arg_warned)
    suppress_warning (exp, OPT_Wstringop_overread);

  return any_arg_warned;
}
675
bool
maybe_warn_nonstring_arg (tree fndecl, gimple *stmt)
{
  /* GIMPLE entry point for the shared template.  */
  const bool warned = maybe_warn_nonstring_arg<gimple *> (fndecl, stmt);
  return warned;
}
681
682
bool
maybe_warn_nonstring_arg (tree fndecl, tree expr)
{
  /* CALL_EXPR entry point for the shared template.  */
  const bool warned = maybe_warn_nonstring_arg<tree> (fndecl, expr);
  return warned;
}
688
689 /* Issue a warning OPT for a bounded call EXP with a bound in RANGE
690 accessing an object with SIZE. */
691
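template <class GimpleOrTree>
static bool
maybe_warn_for_bound (opt_code opt, location_t loc, GimpleOrTree exp, tree func,
                      tree bndrng[2], tree size, const access_data *pad)
{
  /* Nothing to check without a bound, and nothing to say once warnings
     for EXP have been suppressed.  */
  if (!bndrng[0] || warning_suppressed_p (exp, opt))
    return false;

  tree maxobjsize = max_object_size ();

  bool warned = false;

  if (opt == OPT_Wstringop_overread)
    {
      /* Reads: the bound is compared against the source object.  */
      bool maybe = pad && pad->src.phi ();
      if (maybe)
        {
          /* Issue a "maybe" warning only if the PHI refers to objects
             at least one of which has more space remaining than the bound.
             Otherwise, if the bound is greater, use the definitive form.  */
          offset_int remmax = pad->src.size_remaining ();
          if (remmax < wi::to_offset (bndrng[0]))
            maybe = false;
        }

      if (tree_int_cst_lt (maxobjsize, bndrng[0]))
        {
          /* Compare the bounds by value (as the other branches do):
             distinct INTEGER_CST nodes may denote the same constant.  */
          if (tree_int_cst_equal (bndrng[0], bndrng[1]))
            warned = (func
                      ? warning_at (loc, opt,
                                    (maybe
                                     ? G_("%qD specified bound %E may "
                                          "exceed maximum object size %E")
                                     : G_("%qD specified bound %E "
                                          "exceeds maximum object size %E")),
                                    func, bndrng[0], maxobjsize)
                      : warning_at (loc, opt,
                                    (maybe
                                     ? G_("specified bound %E may "
                                          "exceed maximum object size %E")
                                     : G_("specified bound %E "
                                          "exceeds maximum object size %E")),
                                    bndrng[0], maxobjsize));
          else
            warned = (func
                      ? warning_at (loc, opt,
                                    (maybe
                                     ? G_("%qD specified bound [%E, %E] may "
                                          "exceed maximum object size %E")
                                     : G_("%qD specified bound [%E, %E] "
                                          "exceeds maximum object size %E")),
                                    func,
                                    bndrng[0], bndrng[1], maxobjsize)
                      : warning_at (loc, opt,
                                    (maybe
                                     ? G_("specified bound [%E, %E] may "
                                          "exceed maximum object size %E")
                                     : G_("specified bound [%E, %E] "
                                          "exceeds maximum object size %E")),
                                    bndrng[0], bndrng[1], maxobjsize));
        }
      else if (!size || tree_int_cst_le (bndrng[0], size))
        /* Unknown source size, or a bound that fits in it.  */
        return false;
      else if (tree_int_cst_equal (bndrng[0], bndrng[1]))
        warned = (func
                  ? warning_at (loc, opt,
                                (maybe
                                 ? G_("%qD specified bound %E may exceed "
                                      "source size %E")
                                 : G_("%qD specified bound %E exceeds "
                                      "source size %E")),
                                func, bndrng[0], size)
                  : warning_at (loc, opt,
                                (maybe
                                 ? G_("specified bound %E may exceed "
                                      "source size %E")
                                 : G_("specified bound %E exceeds "
                                      "source size %E")),
                                bndrng[0], size));
      else
        warned = (func
                  ? warning_at (loc, opt,
                                (maybe
                                 ? G_("%qD specified bound [%E, %E] may "
                                      "exceed source size %E")
                                 : G_("%qD specified bound [%E, %E] exceeds "
                                      "source size %E")),
                                func, bndrng[0], bndrng[1], size)
                  : warning_at (loc, opt,
                                (maybe
                                 ? G_("specified bound [%E, %E] may exceed "
                                      "source size %E")
                                 : G_("specified bound [%E, %E] exceeds "
                                      "source size %E")),
                                bndrng[0], bndrng[1], size));
      if (warned)
        {
          if (pad && pad->src.ref
              && has_location (pad->src.ref))
            inform (get_location (pad->src.ref),
                    "source object allocated here");
          suppress_warning (exp, opt);
        }

      return warned;
    }

  /* Writes (and other options): the bound is compared against
     the destination object.  */
  bool maybe = pad && pad->dst.phi ();
  if (maybe)
    {
      /* Issue a "maybe" warning only if the PHI refers to objects
         at least one of which has more space remaining than the bound.
         Otherwise, if the bound is greater, use the definitive form.  */
      offset_int remmax = pad->dst.size_remaining ();
      if (remmax < wi::to_offset (bndrng[0]))
        maybe = false;
    }
  if (tree_int_cst_lt (maxobjsize, bndrng[0]))
    {
      /* Value comparison, see above.  */
      if (tree_int_cst_equal (bndrng[0], bndrng[1]))
        warned = (func
                  ? warning_at (loc, opt,
                                (maybe
                                 ? G_("%qD specified size %E may "
                                      "exceed maximum object size %E")
                                 : G_("%qD specified size %E "
                                      "exceeds maximum object size %E")),
                                func, bndrng[0], maxobjsize)
                  : warning_at (loc, opt,
                                (maybe
                                 ? G_("specified size %E may exceed "
                                      "maximum object size %E")
                                 : G_("specified size %E exceeds "
                                      "maximum object size %E")),
                                bndrng[0], maxobjsize));
      else
        warned = (func
                  ? warning_at (loc, opt,
                                (maybe
                                 ? G_("%qD specified size between %E and %E "
                                      "may exceed maximum object size %E")
                                 : G_("%qD specified size between %E and %E "
                                      "exceeds maximum object size %E")),
                                func, bndrng[0], bndrng[1], maxobjsize)
                  : warning_at (loc, opt,
                                (maybe
                                 ? G_("specified size between %E and %E "
                                      "may exceed maximum object size %E")
                                 : G_("specified size between %E and %E "
                                      "exceeds maximum object size %E")),
                                bndrng[0], bndrng[1], maxobjsize));
    }
  else if (!size || tree_int_cst_le (bndrng[0], size))
    /* Unknown destination size, or a bound that fits in it.  */
    return false;
  else if (tree_int_cst_equal (bndrng[0], bndrng[1]))
    warned = (func
              ? warning_at (loc, opt,
                            (maybe
                             ? G_("%qD specified bound %E may exceed "
                                  "destination size %E")
                             : G_("%qD specified bound %E exceeds "
                                  "destination size %E")),
                            func, bndrng[0], size)
              : warning_at (loc, opt,
                            (maybe
                             ? G_("specified bound %E may exceed "
                                  "destination size %E")
                             : G_("specified bound %E exceeds "
                                  "destination size %E")),
                            bndrng[0], size));
  else
    /* The MAYBE form of the unnamed-function message previously repeated
       the definitive "exceeds" text; it now says "may exceed" like every
       other MAYBE variant in this function.  */
    warned = (func
              ? warning_at (loc, opt,
                            (maybe
                             ? G_("%qD specified bound [%E, %E] may exceed "
                                  "destination size %E")
                             : G_("%qD specified bound [%E, %E] exceeds "
                                  "destination size %E")),
                            func, bndrng[0], bndrng[1], size)
              : warning_at (loc, opt,
                            (maybe
                             ? G_("specified bound [%E, %E] may exceed "
                                  "destination size %E")
                             : G_("specified bound [%E, %E] exceeds "
                                  "destination size %E")),
                            bndrng[0], bndrng[1], size));

  if (warned)
    {
      if (pad && pad->dst.ref
          && has_location (pad->dst.ref))
        inform (get_location (pad->dst.ref),
                "destination object allocated here");
      suppress_warning (exp, opt);
    }

  return warned;
}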
890
bool
maybe_warn_for_bound (opt_code opt, location_t loc, gimple *stmt, tree func,
                      tree bndrng[2], tree size,
                      const access_data *pad /* = NULL */)
{
  /* GIMPLE entry point for the shared template.  */
  const bool warned
    = maybe_warn_for_bound<gimple *> (opt, loc, stmt, func, bndrng, size, pad);
  return warned;
}
899
bool
maybe_warn_for_bound (opt_code opt, location_t loc, tree expr, tree func,
                      tree bndrng[2], tree size,
                      const access_data *pad /* = NULL */)
{
  /* CALL_EXPR entry point for the shared template.  */
  const bool warned
    = maybe_warn_for_bound<tree> (opt, loc, expr, func, bndrng, size, pad);
  return warned;
}
907
908 /* For an expression EXP issue an access warning controlled by option OPT
909 with access to a region SIZE bytes in size in the RANGE of sizes.
910 WRITE is true for a write access, READ for a read access, neither for
911 call that may or may not perform an access but for which the range
912 is expected to be valid.
913 Returns true when a warning has been issued. */
914
915 template <class GimpleOrTree>
916 static bool
917 warn_for_access (location_t loc, tree func, GimpleOrTree exp, int opt,
918 tree range[2], tree size, bool write, bool read, bool maybe)
919 {
920 bool warned = false;
921
922 if (write && read)
923 {
924 if (tree_int_cst_equal (range[0], range[1]))
925 warned = (func
926 ? warning_n (loc, opt, tree_to_uhwi (range[0]),
927 (maybe
928 ? G_("%qD may access %E byte in a region "
929 "of size %E")
930 : G_("%qD accessing %E byte in a region "
931 "of size %E")),
932 (maybe
933 ? G_ ("%qD may access %E bytes in a region "
934 "of size %E")
935 : G_ ("%qD accessing %E bytes in a region "
936 "of size %E")),
937 func, range[0], size)
938 : warning_n (loc, opt, tree_to_uhwi (range[0]),
939 (maybe
940 ? G_("may access %E byte in a region "
941 "of size %E")
942 : G_("accessing %E byte in a region "
943 "of size %E")),
944 (maybe
945 ? G_("may access %E bytes in a region "
946 "of size %E")
947 : G_("accessing %E bytes in a region "
948 "of size %E")),
949 range[0], size));
950 else if (tree_int_cst_sign_bit (range[1]))
951 {
952 /* Avoid printing the upper bound if it's invalid. */
953 warned = (func
954 ? warning_at (loc, opt,
955 (maybe
956 ? G_("%qD may access %E or more bytes "
957 "in a region of size %E")
958 : G_("%qD accessing %E or more bytes "
959 "in a region of size %E")),
960 func, range[0], size)
961 : warning_at (loc, opt,
962 (maybe
963 ? G_("may access %E or more bytes "
964 "in a region of size %E")
965 : G_("accessing %E or more bytes "
966 "in a region of size %E")),
967 range[0], size));
968 }
969 else
970 warned = (func
971 ? warning_at (loc, opt,
972 (maybe
973 ? G_("%qD may access between %E and %E "
974 "bytes in a region of size %E")
975 : G_("%qD accessing between %E and %E "
976 "bytes in a region of size %E")),
977 func, range[0], range[1], size)
978 : warning_at (loc, opt,
979 (maybe
980 ? G_("may access between %E and %E bytes "
981 "in a region of size %E")
982 : G_("accessing between %E and %E bytes "
983 "in a region of size %E")),
984 range[0], range[1], size));
985 return warned;
986 }
987
988 if (write)
989 {
990 if (tree_int_cst_equal (range[0], range[1]))
991 warned = (func
992 ? warning_n (loc, opt, tree_to_uhwi (range[0]),
993 (maybe
994 ? G_("%qD may write %E byte into a region "
995 "of size %E")
996 : G_("%qD writing %E byte into a region "
997 "of size %E overflows the destination")),
998 (maybe
999 ? G_("%qD may write %E bytes into a region "
1000 "of size %E")
1001 : G_("%qD writing %E bytes into a region "
1002 "of size %E overflows the destination")),
1003 func, range[0], size)
1004 : warning_n (loc, opt, tree_to_uhwi (range[0]),
1005 (maybe
1006 ? G_("may write %E byte into a region "
1007 "of size %E")
1008 : G_("writing %E byte into a region "
1009 "of size %E overflows the destination")),
1010 (maybe
1011 ? G_("may write %E bytes into a region "
1012 "of size %E")
1013 : G_("writing %E bytes into a region "
1014 "of size %E overflows the destination")),
1015 range[0], size));
1016 else if (tree_int_cst_sign_bit (range[1]))
1017 {
1018 /* Avoid printing the upper bound if it's invalid. */
1019 warned = (func
1020 ? warning_at (loc, opt,
1021 (maybe
1022 ? G_("%qD may write %E or more bytes "
1023 "into a region of size %E")
1024 : G_("%qD writing %E or more bytes "
1025 "into a region of size %E overflows "
1026 "the destination")),
1027 func, range[0], size)
1028 : warning_at (loc, opt,
1029 (maybe
1030 ? G_("may write %E or more bytes into "
1031 "a region of size %E")
1032 : G_("writing %E or more bytes into "
1033 "a region of size %E overflows "
1034 "the destination")),
1035 range[0], size));
1036 }
1037 else
1038 warned = (func
1039 ? warning_at (loc, opt,
1040 (maybe
1041 ? G_("%qD may write between %E and %E bytes "
1042 "into a region of size %E")
1043 : G_("%qD writing between %E and %E bytes "
1044 "into a region of size %E overflows "
1045 "the destination")),
1046 func, range[0], range[1], size)
1047 : warning_at (loc, opt,
1048 (maybe
1049 ? G_("may write between %E and %E bytes "
1050 "into a region of size %E")
1051 : G_("writing between %E and %E bytes "
1052 "into a region of size %E overflows "
1053 "the destination")),
1054 range[0], range[1], size));
1055 return warned;
1056 }
1057
1058 if (read)
1059 {
1060 if (tree_int_cst_equal (range[0], range[1]))
1061 warned = (func
1062 ? warning_n (loc, OPT_Wstringop_overread,
1063 tree_to_uhwi (range[0]),
1064 (maybe
1065 ? G_("%qD may read %E byte from a region "
1066 "of size %E")
1067 : G_("%qD reading %E byte from a region "
1068 "of size %E")),
1069 (maybe
1070 ? G_("%qD may read %E bytes from a region "
1071 "of size %E")
1072 : G_("%qD reading %E bytes from a region "
1073 "of size %E")),
1074 func, range[0], size)
1075 : warning_n (loc, OPT_Wstringop_overread,
1076 tree_to_uhwi (range[0]),
1077 (maybe
1078 ? G_("may read %E byte from a region "
1079 "of size %E")
1080 : G_("reading %E byte from a region "
1081 "of size %E")),
1082 (maybe
1083 ? G_("may read %E bytes from a region "
1084 "of size %E")
1085 : G_("reading %E bytes from a region "
1086 "of size %E")),
1087 range[0], size));
1088 else if (tree_int_cst_sign_bit (range[1]))
1089 {
1090 /* Avoid printing the upper bound if it's invalid. */
1091 warned = (func
1092 ? warning_at (loc, OPT_Wstringop_overread,
1093 (maybe
1094 ? G_("%qD may read %E or more bytes "
1095 "from a region of size %E")
1096 : G_("%qD reading %E or more bytes "
1097 "from a region of size %E")),
1098 func, range[0], size)
1099 : warning_at (loc, OPT_Wstringop_overread,
1100 (maybe
1101 ? G_("may read %E or more bytes "
1102 "from a region of size %E")
1103 : G_("reading %E or more bytes "
1104 "from a region of size %E")),
1105 range[0], size));
1106 }
1107 else
1108 warned = (func
1109 ? warning_at (loc, OPT_Wstringop_overread,
1110 (maybe
1111 ? G_("%qD may read between %E and %E bytes "
1112 "from a region of size %E")
1113 : G_("%qD reading between %E and %E bytes "
1114 "from a region of size %E")),
1115 func, range[0], range[1], size)
1116 : warning_at (loc, opt,
1117 (maybe
1118 ? G_("may read between %E and %E bytes "
1119 "from a region of size %E")
1120 : G_("reading between %E and %E bytes "
1121 "from a region of size %E")),
1122 range[0], range[1], size));
1123
1124 if (warned)
1125 suppress_warning (exp, OPT_Wstringop_overread);
1126
1127 return warned;
1128 }
1129
1130 if (tree_int_cst_equal (range[0], range[1])
1131 || tree_int_cst_sign_bit (range[1]))
1132 warned = (func
1133 ? warning_n (loc, OPT_Wstringop_overread,
1134 tree_to_uhwi (range[0]),
1135 "%qD expecting %E byte in a region of size %E",
1136 "%qD expecting %E bytes in a region of size %E",
1137 func, range[0], size)
1138 : warning_n (loc, OPT_Wstringop_overread,
1139 tree_to_uhwi (range[0]),
1140 "expecting %E byte in a region of size %E",
1141 "expecting %E bytes in a region of size %E",
1142 range[0], size));
1143 else if (tree_int_cst_sign_bit (range[1]))
1144 {
1145 /* Avoid printing the upper bound if it's invalid. */
1146 warned = (func
1147 ? warning_at (loc, OPT_Wstringop_overread,
1148 "%qD expecting %E or more bytes in a region "
1149 "of size %E",
1150 func, range[0], size)
1151 : warning_at (loc, OPT_Wstringop_overread,
1152 "expecting %E or more bytes in a region "
1153 "of size %E",
1154 range[0], size));
1155 }
1156 else
1157 warned = (func
1158 ? warning_at (loc, OPT_Wstringop_overread,
1159 "%qD expecting between %E and %E bytes in "
1160 "a region of size %E",
1161 func, range[0], range[1], size)
1162 : warning_at (loc, OPT_Wstringop_overread,
1163 "expecting between %E and %E bytes in "
1164 "a region of size %E",
1165 range[0], range[1], size));
1166
1167 if (warned)
1168 suppress_warning (exp, OPT_Wstringop_overread);
1169
1170 return warned;
1171 }
1172
/* Non-template entry point for GIMPLE call statements: forwards STMT
   to the warn_for_access template with GimpleOrTree = gimple *.
   Returns true if a warning was issued.  */

static bool
warn_for_access (location_t loc, tree func, gimple *stmt, int opt,
                 tree range[2], tree size, bool write, bool read, bool maybe)
{
  const bool warned
    = warn_for_access<gimple *> (loc, func, stmt, opt, range, size,
                                 write, read, maybe);
  return warned;
}
1180
/* Non-template entry point for tree expressions: forwards EXPR to the
   warn_for_access template with GimpleOrTree = tree.  Returns true if
   a warning was issued.  */

static bool
warn_for_access (location_t loc, tree func, tree expr, int opt,
                 tree range[2], tree size, bool write, bool read, bool maybe)
{
  const bool warned
    = warn_for_access<tree> (loc, func, expr, opt, range, size,
                             write, read, maybe);
  return warned;
}
1188
1189 /* Helper to set RANGE to the range of BOUND if it's nonnull, bounded
1190 by BNDRNG if nonnull and valid. */
1191
static void
get_size_range (range_query *query, tree bound, tree range[2],
                const offset_int bndrng[2])
{
  /* Start from the range of BOUND itself when one was given; RANGE is
     left as the caller set it otherwise.  */
  if (bound)
    get_size_range (query, bound, NULL, range);

  /* No bounding range, or the unrestricted [0, -1U] one: nothing to
     clamp against.  */
  const bool bndrng_valid
    = bndrng && !(bndrng[0] == 0 && bndrng[1] == HOST_WIDE_INT_M1U);
  if (!bndrng_valid)
    return;

  const bool have_const_range
    = range[0] && TREE_CODE (range[0]) == INTEGER_CST;
  if (!have_const_range)
    {
      /* Nothing constant came out of BOUND: BNDRNG is the result.  */
      range[0] = wide_int_to_tree (sizetype, bndrng[0]);
      range[1] = wide_int_to_tree (sizetype, bndrng[1]);
      return;
    }

  /* Raise the lower bound and lower the upper bound to BNDRNG.  Note
     that only RANGE[0] is checked for being a constant here; RANGE[1]
     is assumed to be one as well.  */
  const offset_int lo = wi::to_offset (range[0]);
  const offset_int hi = wi::to_offset (range[1]);
  if (lo < bndrng[0])
    range[0] = wide_int_to_tree (sizetype, bndrng[0]);
  if (bndrng[1] < hi)
    range[1] = wide_int_to_tree (sizetype, bndrng[1]);
}
1217
1218 /* Try to verify that the sizes and lengths of the arguments to a string
1219 manipulation function given by EXP are within valid bounds and that
1220 the operation does not lead to buffer overflow or read past the end.
1221 Arguments other than EXP may be null. When non-null, the arguments
1222 have the following meaning:
1223 DST is the destination of a copy call or NULL otherwise.
1224 SRC is the source of a copy call or NULL otherwise.
1225 DSTWRITE is the number of bytes written into the destination obtained
1226 from the user-supplied size argument to the function (such as in
1227 memcpy(DST, SRC, DSTWRITE) or strncpy(DST, SRC, DSTWRITE)).
1228 MAXREAD is the user-supplied bound on the length of the source sequence
1229 (such as in strncat(d, s, N)). It specifies the upper limit on the number
1230 of bytes to write. If NULL, it's taken to be the same as DSTWRITE.
1231 SRCSTR is the source string (such as in strcpy(DST, SRC)) when the
1232 expression EXP is a string function call (as opposed to a memory call
1233 like memcpy). As an exception, SRCSTR can also be an integer denoting
1234 the precomputed size of the source string or object (for functions like
1235 memcpy).
1236 DSTSIZE is the size of the destination object.
1237
1238 When DSTWRITE is null LEN is checked to verify that it doesn't exceed
1239 SIZE_MAX.
1240
1241 WRITE is true for write accesses, READ is true for reads. Both are
1242 false for simple size checks in calls to functions that neither read
1243 from nor write to the region.
1244
1245 When nonnull, PAD points to a more detailed description of the access.
1246
1247 If the call is successfully verified as safe return true, otherwise
1248 return false. */
1249
template <class GimpleOrTree>
static bool
check_access (GimpleOrTree exp, tree dstwrite,
              tree maxread, tree srcstr, tree dstsize,
              access_mode mode, const access_data *pad /* = NULL */)
{
  /* The size of the largest object is half the address space, or
     PTRDIFF_MAX.  (This is way too permissive.)  */
  tree maxobjsize = max_object_size ();

  /* Either an approximate/minimum length of the source string for
     string functions or the size of the source object for raw memory
     functions.  Null until determined below.  */
  tree slen = NULL_TREE;

  /* The range of the access in bytes; first set to the write access
     for functions that write and then read for those that also (or
     just) read.  */
  tree range[2] = { NULL_TREE, NULL_TREE };

  /* Set to true when the exact number of bytes written by a string
     function like strcpy is not known and the only thing that is
     known is that it must be at least one (for the terminating nul).  */
  bool at_least_one = false;
  if (srcstr)
    {
      /* SRCSTR is normally a pointer to string but as a special case
         it can be an integer denoting the length of a string.  */
      if (POINTER_TYPE_P (TREE_TYPE (srcstr)))
        {
          if (!check_nul_terminated_array (exp, srcstr, maxread))
            /* Return if the array is not nul-terminated and a warning
               has been issued.  */
            return false;

          /* Try to determine the range of lengths the source string
             refers to.  If it can be determined and is less than
             the upper bound given by MAXREAD add one to it for
             the terminating nul.  Otherwise, set it to one for
             the same reason, or to MAXREAD as appropriate.  */
          c_strlen_data lendata = { };
          get_range_strlen (srcstr, &lendata, /* eltsize = */ 1);
          range[0] = lendata.minlen;
          /* Prefer the explicit bound on the length when one is set.  */
          range[1] = lendata.maxbound ? lendata.maxbound : lendata.maxlen;
          if (range[0]
              && TREE_CODE (range[0]) == INTEGER_CST
              && TREE_CODE (range[1]) == INTEGER_CST
              && (!maxread || TREE_CODE (maxread) == INTEGER_CST))
            {
              /* A MAXREAD at or below the minimum length caps both
                 bounds (no nul is written); otherwise count the nul.  */
              if (maxread && tree_int_cst_le (maxread, range[0]))
                range[0] = range[1] = maxread;
              else
                range[0] = fold_build2 (PLUS_EXPR, size_type_node,
                                        range[0], size_one_node);

              /* Leave an all-ones (i.e., unbounded) upper bound alone
                 rather than incrementing it.  */
              if (maxread && tree_int_cst_le (maxread, range[1]))
                range[1] = maxread;
              else if (!integer_all_onesp (range[1]))
                range[1] = fold_build2 (PLUS_EXPR, size_type_node,
                                        range[1], size_one_node);

              slen = range[0];
            }
          else
            {
              /* Length unknown: all that's certain is the nul byte.  */
              at_least_one = true;
              slen = size_one_node;
            }
        }
      else
        /* The integer special case: SRCSTR is the size itself.  */
        slen = srcstr;
    }

  if (!dstwrite && !maxread)
    {
      /* When the only available piece of data is the object size
         there is nothing to do.  */
      if (!slen)
        return true;

      /* Otherwise, when the length of the source sequence is known
         (as with strlen), set DSTWRITE to it.  */
      if (!range[0])
        dstwrite = slen;
    }

  /* With no known destination size fall back on the largest object.  */
  if (!dstsize)
    dstsize = maxobjsize;

  /* Set RANGE to that of DSTWRITE if non-null, bounded by PAD->DST.BNDRNG
     if valid.  When DSTWRITE is null RANGE keeps the source-string range
     computed above, clamped the same way.  */
  get_size_range (NULL, dstwrite, range, pad ? pad->dst.bndrng : NULL);

  tree func = get_callee_fndecl (exp);
  /* Read vs write access by built-ins can be determined from the const
     qualifiers on the pointer argument.  In the absence of attribute
     access, non-const qualified pointer arguments to user-defined
     functions are assumed to both read and write the objects.  */
  const bool builtin = func ? fndecl_built_in_p (func) : false;

  /* First check the number of bytes to be written against the maximum
     object size.  */
  if (range[0]
      && TREE_CODE (range[0]) == INTEGER_CST
      && tree_int_cst_lt (maxobjsize, range[0]))
    {
      location_t loc = get_location (exp);
      maybe_warn_for_bound (OPT_Wstringop_overflow_, loc, exp, func, range,
                            NULL_TREE, pad);
      return false;
    }

  /* The number of bytes to write is "exact" if DSTWRITE is non-null,
     constant, and in range of unsigned HOST_WIDE_INT.  */
  bool exactwrite = dstwrite && tree_fits_uhwi_p (dstwrite);

  /* Next check the number of bytes to be written against the destination
     object size.  */
  if (range[0] || !exactwrite || integer_all_onesp (dstwrite))
    {
      if (range[0]
          && TREE_CODE (range[0]) == INTEGER_CST
          && ((tree_fits_uhwi_p (dstsize)
               && tree_int_cst_lt (dstsize, range[0]))
              || (dstwrite
                  && tree_fits_uhwi_p (dstwrite)
                  && tree_int_cst_lt (dstwrite, range[0]))))
        {
          const opt_code opt = OPT_Wstringop_overflow_;
          /* Honor suppression on both the call and the destination.  */
          if (warning_suppressed_p (exp, opt)
              || (pad && pad->dst.ref
                  && warning_suppressed_p (pad->dst.ref, opt)))
            return false;

          location_t loc = get_location (exp);
          bool warned = false;
          if (dstwrite == slen && at_least_one)
            {
              /* This is a call to strcpy with a destination of 0 size
                 and a source of unknown length.  The call will write
                 at least one byte past the end of the destination.  */
              warned = (func
                        ? warning_at (loc, opt,
                                      "%qD writing %E or more bytes into "
                                      "a region of size %E overflows "
                                      "the destination",
                                      func, range[0], dstsize)
                        : warning_at (loc, opt,
                                      "writing %E or more bytes into "
                                      "a region of size %E overflows "
                                      "the destination",
                                      range[0], dstsize));
            }
          else
            {
              const bool read
                = mode == access_read_only || mode == access_read_write;
              const bool write
                = mode == access_write_only || mode == access_read_write;
              /* MAYBE selects the "may write" wording in warn_for_access.  */
              const bool maybe = pad && pad->dst.parmarray;
              /* READ is dropped for built-ins; see the note on BUILTIN
                 above.  */
              warned = warn_for_access (loc, func, exp,
                                        OPT_Wstringop_overflow_,
                                        range, dstsize,
                                        write, read && !builtin, maybe);
            }

          if (warned)
            {
              suppress_warning (exp, OPT_Wstringop_overflow_);
              if (pad)
                pad->dst.inform_access (pad->mode);
            }

          /* Return error when an overflow has been detected.  */
          return false;
        }
    }

  /* Check the maximum length of the source sequence against the size
     of the destination object if known, or against the maximum size
     of an object.  */
  if (maxread)
    {
      /* Set RANGE to that of MAXREAD, bounded by PAD->SRC.BNDRNG if
         PAD is nonnull and BNDRNG is valid.  */
      get_size_range (NULL, maxread, range, pad ? pad->src.bndrng : NULL);

      location_t loc = get_location (exp);
      tree size = dstsize;
      /* For a read-only access compare against what remains of the
         source object instead of the destination size.  */
      if (pad && pad->mode == access_read_only)
        size = wide_int_to_tree (sizetype, pad->src.size_remaining ());

      /* (MAXREAD is known non-null here; the re-test is redundant.)  */
      if (range[0] && maxread && tree_fits_uhwi_p (size))
        {
          if (tree_int_cst_lt (maxobjsize, range[0]))
            {
              maybe_warn_for_bound (OPT_Wstringop_overread, loc, exp, func,
                                    range, size, pad);
              return false;
            }

          if (size != maxobjsize && tree_int_cst_lt (size, range[0]))
            {
              /* With a write count or a non-read-only mode the excess
                 bound is an overflow; otherwise it's an overread.  */
              opt_code opt = (dstwrite || mode != access_read_only
                              ? OPT_Wstringop_overflow_
                              : OPT_Wstringop_overread);
              maybe_warn_for_bound (opt, loc, exp, func, range, size, pad);
              return false;
            }
        }

      maybe_warn_nonstring_arg (func, exp);
    }

  /* Check for reading past the end of SRC.  The simple test applies when
     SLEN is the caller-supplied constant source size.  */
  bool overread = (slen
                   && slen == srcstr
                   && dstwrite
                   && range[0]
                   && TREE_CODE (slen) == INTEGER_CST
                   && tree_int_cst_lt (slen, range[0]));
  /* If none is determined try to get a better answer based on the details
     in PAD.  */
  if (!overread
      && pad
      && pad->src.sizrng[1] >= 0
      && pad->src.offrng[0] >= 0
      && (pad->src.offrng[1] < 0
          || pad->src.offrng[0] <= pad->src.offrng[1]))
    {
      /* Set RANGE to that of MAXREAD, bounded by PAD->SRC.BNDRNG if
         PAD is nonnull and BNDRNG is valid.  */
      get_size_range (NULL, maxread, range, pad ? pad->src.bndrng : NULL);
      /* Set OVERREAD for reads starting just past the end of an object.  */
      overread = pad->src.sizrng[1] - pad->src.offrng[0] < pad->src.bndrng[0];
      range[0] = wide_int_to_tree (sizetype, pad->src.bndrng[0]);
      /* SLEN is what warn_for_access below prints as the region size.  */
      slen = size_zero_node;
    }

  if (overread)
    {
      const opt_code opt = OPT_Wstringop_overread;
      /* Honor suppression on the call, the source, and its referent.  */
      if (warning_suppressed_p (exp, opt)
          || (srcstr && warning_suppressed_p (srcstr, opt))
          || (pad && pad->src.ref
              && warning_suppressed_p (pad->src.ref, opt)))
        return false;

      location_t loc = get_location (exp);
      const bool read
        = mode == access_read_only || mode == access_read_write;
      const bool maybe = pad && pad->dst.parmarray;
      if (warn_for_access (loc, func, exp, opt, range, slen, false, read,
                           maybe))
        {
          suppress_warning (exp, opt);
          if (pad)
            pad->src.inform_access (access_read_only);
        }
      return false;
    }

  return true;
}
1514
/* Public entry point for GIMPLE call statements: forwards STMT and the
   remaining arguments to the check_access template.  Returns true when
   the call is verified as safe.  */

bool
check_access (gimple *stmt, tree dstwrite,
              tree maxread, tree srcstr, tree dstsize,
              access_mode mode, const access_data *pad /* = NULL */)
{
  const bool safe
    = check_access<gimple *> (stmt, dstwrite, maxread, srcstr, dstsize,
                              mode, pad);
  return safe;
}
1523
/* Public entry point for tree expressions: forwards EXPR and the
   remaining arguments to the check_access template.  Returns true when
   the call is verified as safe.  */

bool
check_access (tree expr, tree dstwrite,
              tree maxread, tree srcstr, tree dstsize,
              access_mode mode, const access_data *pad /* = NULL */)
{
  const bool safe
    = check_access<tree> (expr, dstwrite, maxread, srcstr, dstsize,
                          mode, pad);
  return safe;
}
1532
1533 /* A convenience wrapper for check_access above to check access
1534 by a read-only function like puts. */
1535
template <class GimpleOrTree>
static bool
check_read_access (GimpleOrTree expr, tree src, tree bound, int ost)
{
  /* Nothing to check unless -Wstringop-overread is enabled.  */
  if (!warn_stringop_overread)
    return true;

  /* Normalize BOUND to size_t so the checks below see a single type.  */
  if (bound
      && !useless_type_conversion_p (size_type_node, TREE_TYPE (bound)))
    bound = fold_convert (size_type_node, bound);

  /* Diagnose non-nul-terminated (attribute nonstring) arguments first.  */
  tree fndecl = get_callee_fndecl (expr);
  maybe_warn_nonstring_arg (fndecl, expr);

  /* Describe the access as read-only with BOUND as its bound and
     compute what is known about the source object.  */
  access_data data (expr, access_read_only, NULL_TREE, false, bound, true);
  compute_objsize (src, ost, &data.src);

  const tree dstwrite = NULL_TREE;
  const tree dstsize = NULL_TREE;
  return check_access (expr, dstwrite, /*maxread=*/ bound, /*srcstr=*/ src,
                       dstsize, data.mode, &data);
}
1555
/* Public entry point for GIMPLE call statements; see the template
   above.  BOUND defaults to none and OST to 1.  */

bool
check_read_access (gimple *stmt, tree src, tree bound /* = NULL_TREE */,
                   int ost /* = 1 */)
{
  const bool safe = check_read_access<gimple *> (stmt, src, bound, ost);
  return safe;
}
1562
/* Public entry point for tree expressions; see the template above.
   BOUND defaults to none and OST to 1.  */

bool
check_read_access (tree expr, tree src, tree bound /* = NULL_TREE */,
                   int ost /* = 1 */)
{
  const bool safe = check_read_access<tree> (expr, src, bound, ost);
  return safe;
}
1569
1570 /* Return true if FNDECL is an allocation function. Unless
1571 ALL_ALLOC is set, consider only functions that return dynamically
1572 allocated objects. Otherwise return true even for all forms of
1573 alloca (including VLA). */
1574
static bool
fndecl_alloc_p (tree fndecl, bool all_alloc)
{
  if (!fndecl)
    return false;

  /* operator new isn't a built-in, so test for it separately.  */
  if (DECL_IS_OPERATOR_NEW_P (fndecl))
    return true;

  if (fndecl_built_in_p (fndecl, BUILT_IN_NORMAL))
    switch (DECL_FUNCTION_CODE (fndecl))
      {
      case BUILT_IN_ALLOCA:
      case BUILT_IN_ALLOCA_WITH_ALIGN:
        /* Stack allocation counts only when the caller asks for it.  */
        return all_alloc;

      case BUILT_IN_ALIGNED_ALLOC:
      case BUILT_IN_CALLOC:
      case BUILT_IN_GOMP_ALLOC:
      case BUILT_IN_MALLOC:
      case BUILT_IN_REALLOC:
      case BUILT_IN_STRDUP:
      case BUILT_IN_STRNDUP:
        return true;

      default:
        break;
      }

  /* Otherwise a function is an allocation function if it's declared
     with attribute malloc naming an associated deallocation function.  */
  tree attrs = DECL_ATTRIBUTES (fndecl);
  if (!attrs)
    return false;

  tree mattr = lookup_attribute ("malloc", attrs);
  while (mattr)
    {
      /* A bare attribute malloc (no arguments) doesn't qualify.  */
      tree args = TREE_VALUE (mattr);
      if (args && TREE_VALUE (args))
        return true;

      mattr = lookup_attribute ("malloc", TREE_CHAIN (mattr));
    }

  return false;
}
1626
1627 /* Return true if STMT is a call to an allocation function. A wrapper
1628 around fndecl_alloc_p. */
1629
static bool
gimple_call_alloc_p (gimple *stmt, bool all_alloc = false)
{
  /* Resolve the callee (null for indirect calls) and defer to the
     decl-based predicate, which handles a null decl itself.  */
  tree callee = gimple_call_fndecl (stmt);
  return fndecl_alloc_p (callee, all_alloc);
}
1635
1636 /* Return true if DELC doesn't refer to an operator delete that's
1637 suitable to call with a pointer returned from the operator new
1638 described by NEWC. */
1639
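static bool
new_delete_mismatch_p (const demangle_component &newc,
                       const demangle_component &delc)
{
  /* Components of different kinds can never match.  */
  if (newc.type != delc.type)
    return true;

  switch (newc.type)
    {
    case DEMANGLE_COMPONENT_NAME:
      {
        int len = newc.u.s_name.len;
        const char *news = newc.u.s_name.s;
        const char *dels = delc.u.s_name.s;
        if (len != delc.u.s_name.len || memcmp (news, dels, len))
          return true;

        /* Peek at the characters following the name to tell the array
           and singleton forms of the operators apart ("na"/"nw" vs
           "da"/"dl").  NEWS points into the nul-terminated mangled
           string, so NEWS[LEN] is at worst the terminating nul and
           NEWS[LEN + 1] is only read when NEWS[LEN] isn't.  */
        if (news[len] == 'n')
          {
            if (news[len + 1] == 'a')
              return dels[len] != 'd' || dels[len + 1] != 'a';
            if (news[len + 1] == 'w')
              return dels[len] != 'd' || dels[len + 1] != 'l';
          }
        return false;
      }

    case DEMANGLE_COMPONENT_OPERATOR:
      /* Operator mismatches are handled above.  */
      return false;

    case DEMANGLE_COMPONENT_EXTENDED_OPERATOR:
      if (newc.u.s_extended_operator.args != delc.u.s_extended_operator.args)
        return true;
      return new_delete_mismatch_p (*newc.u.s_extended_operator.name,
                                    *delc.u.s_extended_operator.name);

    case DEMANGLE_COMPONENT_FIXED_TYPE:
      if (newc.u.s_fixed.accum != delc.u.s_fixed.accum
          || newc.u.s_fixed.sat != delc.u.s_fixed.sat)
        return true;
      return new_delete_mismatch_p (*newc.u.s_fixed.length,
                                    *delc.u.s_fixed.length);

    case DEMANGLE_COMPONENT_CTOR:
      if (newc.u.s_ctor.kind != delc.u.s_ctor.kind)
        return true;
      return new_delete_mismatch_p (*newc.u.s_ctor.name,
                                    *delc.u.s_ctor.name);

    case DEMANGLE_COMPONENT_DTOR:
      if (newc.u.s_dtor.kind != delc.u.s_dtor.kind)
        return true;
      return new_delete_mismatch_p (*newc.u.s_dtor.name,
                                    *delc.u.s_dtor.name);

    case DEMANGLE_COMPONENT_BUILTIN_TYPE:
      {
        /* The demangler API provides no better way to compare built-in
           types than by comparing their demangled names.  */
        size_t nsz, dsz;
        demangle_component *pnc = const_cast<demangle_component *>(&newc);
        demangle_component *pdc = const_cast<demangle_component *>(&delc);
        char *nts = cplus_demangle_print (0, pnc, 16, &nsz);
        char *dts = cplus_demangle_print (0, pdc, 16, &dsz);
        bool mismatch;
        if (!nts || !dts)
          /* Printing failed for at least one of the two.  If it failed
             for just one treat them as different; if for both nothing
             can be compared, so conservatively treat them as matching.
             Either way free whichever string was allocated (free of a
             null pointer is a no-op) instead of leaking it, and never
             hand a null pointer to strcmp.  */
          mismatch = !nts != !dts;
        else
          mismatch = strcmp (nts, dts) != 0;
        free (nts);
        free (dts);
        return mismatch;
      }

    case DEMANGLE_COMPONENT_SUB_STD:
      if (newc.u.s_string.len != delc.u.s_string.len)
        return true;
      return memcmp (newc.u.s_string.string, delc.u.s_string.string,
                     newc.u.s_string.len);

    case DEMANGLE_COMPONENT_FUNCTION_PARAM:
    case DEMANGLE_COMPONENT_TEMPLATE_PARAM:
      return newc.u.s_number.number != delc.u.s_number.number;

    case DEMANGLE_COMPONENT_CHARACTER:
      return newc.u.s_character.character != delc.u.s_character.character;

    case DEMANGLE_COMPONENT_DEFAULT_ARG:
    case DEMANGLE_COMPONENT_LAMBDA:
      if (newc.u.s_unary_num.num != delc.u.s_unary_num.num)
        return true;
      return new_delete_mismatch_p (*newc.u.s_unary_num.sub,
                                    *delc.u.s_unary_num.sub);
    default:
      break;
    }

  /* Every remaining kind is treated as a binary node: compare the left
     and right subtrees recursively, a missing subtree on only one side
     being a mismatch.  */
  if (!newc.u.s_binary.left != !delc.u.s_binary.left)
    return true;

  if (!newc.u.s_binary.left)
    return false;

  if (new_delete_mismatch_p (*newc.u.s_binary.left, *delc.u.s_binary.left)
      || !newc.u.s_binary.right != !delc.u.s_binary.right)
    return true;

  if (newc.u.s_binary.right)
    return new_delete_mismatch_p (*newc.u.s_binary.right,
                                  *delc.u.s_binary.right);
  return false;
}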
1751
1752 /* Return true if DELETE_DECL is an operator delete that's not suitable
1753 to call with a pointer returned from NEW_DECL. */
1754
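static bool
new_delete_mismatch_p (tree new_decl, tree delete_decl)
{
  tree new_name = DECL_ASSEMBLER_NAME (new_decl);
  tree delete_name = DECL_ASSEMBLER_NAME (delete_decl);

  /* valid_new_delete_pair_p() returns a conservative result (currently
     it only handles global operators).  A true result is reliable but
     a false result doesn't necessarily mean the operators don't match
     unless CERTAIN is set.  */
  bool certain = false;
  if (valid_new_delete_pair_p (new_name, delete_name, &certain))
    return false;
  /* CERTAIN is set when the negative result is certain.  */
  if (certain)
    return true;

  /* For anything not handled by valid_new_delete_pair_p() such as member
     operators compare the individual demangled components of the mangled
     name.  */
  const char *new_str = IDENTIFIER_POINTER (new_name);
  const char *del_str = IDENTIFIER_POINTER (delete_name);

  /* NP and DP receive the demangler's component storage; the returned
     trees point into it and must not be used after it's freed.  */
  void *np = NULL, *dp = NULL;
  demangle_component *ndc = cplus_demangle_v3_components (new_str, 0, &np);
  demangle_component *ddc = cplus_demangle_v3_components (del_str, 0, &dp);
  /* The demangler returns null for a name it cannot parse.  Nothing can
     be compared then, so conservatively report no mismatch rather than
     dereferencing a null pointer.  */
  bool mismatch = ndc && ddc && new_delete_mismatch_p (*ndc, *ddc);
  free (np);
  free (dp);
  return mismatch;
}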
1786
1787 /* ALLOC_DECL and DEALLOC_DECL are pair of allocation and deallocation
1788 functions. Return true if the latter is suitable to deallocate objects
1789 allocated by calls to the former. */
1790
static bool
matching_alloc_calls_p (tree alloc_decl, tree dealloc_decl)
{
  /* Set to alloc_kind_t::builtin if ALLOC_DECL is associated with
     a built-in deallocator.  */
  enum class alloc_kind_t { none, builtin, user }
  alloc_dealloc_kind = alloc_kind_t::none;

  if (DECL_IS_OPERATOR_NEW_P (alloc_decl))
    {
      if (DECL_IS_OPERATOR_DELETE_P (dealloc_decl))
        /* Return true iff both functions are of the same array or
           singleton form and false otherwise.  */
        return !new_delete_mismatch_p (alloc_decl, dealloc_decl);

      /* Return false for deallocation functions that are known not
         to match.  */
      if (fndecl_built_in_p (dealloc_decl, BUILT_IN_FREE)
          || fndecl_built_in_p (dealloc_decl, BUILT_IN_REALLOC))
        return false;
      /* Otherwise proceed below to check the deallocation function's
         "*dealloc" attributes to look for one that mentions this operator
         new.  */
    }
  else if (fndecl_built_in_p (alloc_decl, BUILT_IN_NORMAL))
    {
      switch (DECL_FUNCTION_CODE (alloc_decl))
        {
        case BUILT_IN_ALLOCA:
        case BUILT_IN_ALLOCA_WITH_ALIGN:
          /* Stack memory has no matching deallocator.  */
          return false;

        case BUILT_IN_ALIGNED_ALLOC:
        case BUILT_IN_CALLOC:
        case BUILT_IN_GOMP_ALLOC:
        case BUILT_IN_MALLOC:
        case BUILT_IN_REALLOC:
        case BUILT_IN_STRDUP:
        case BUILT_IN_STRNDUP:
          if (DECL_IS_OPERATOR_DELETE_P (dealloc_decl))
            return false;

          if (fndecl_built_in_p (dealloc_decl, BUILT_IN_FREE)
              || fndecl_built_in_p (dealloc_decl, BUILT_IN_REALLOC))
            return true;

          /* A built-in allocator paired with something other than
             free/realloc: remember that and consult the attributes
             below.  */
          alloc_dealloc_kind = alloc_kind_t::builtin;
          break;

        default:
          break;
        }
    }

  /* Set if DEALLOC_DECL both allocates and deallocates.  */
  alloc_kind_t realloc_kind = alloc_kind_t::none;

  if (fndecl_built_in_p (dealloc_decl, BUILT_IN_NORMAL))
    {
      built_in_function dealloc_code = DECL_FUNCTION_CODE (dealloc_decl);
      if (dealloc_code == BUILT_IN_REALLOC)
        realloc_kind = alloc_kind_t::builtin;

      /* A built-in deallocator matches if one of ALLOC_DECL's attribute
         malloc arguments names a built-in with the same function code.
         With AMATS set to the Allocator's Malloc ATtributes...  */
      for (tree amats = DECL_ATTRIBUTES (alloc_decl);
           (amats = lookup_attribute ("malloc", amats));
           amats = TREE_CHAIN (amats))
        {
          tree args = TREE_VALUE (amats);
          if (!args)
            continue;

          tree fndecl = TREE_VALUE (args);
          if (!fndecl || !DECL_P (fndecl))
            continue;

          if (fndecl_built_in_p (fndecl, BUILT_IN_NORMAL)
              && dealloc_code == DECL_FUNCTION_CODE (fndecl))
            return true;
        }
    }

  const bool alloc_builtin = fndecl_built_in_p (alloc_decl, BUILT_IN_NORMAL);
  alloc_kind_t realloc_dealloc_kind = alloc_kind_t::none;

  /* If DEALLOC_DECL has an internal "*dealloc" attribute scan the list
     of its associated allocation functions for ALLOC_DECL.
     If the corresponding ALLOC_DECL is found they're a matching pair,
     otherwise they're not.
     With DDATS set to the Deallocator's *Dealloc ATtributes...  */
  for (tree ddats = DECL_ATTRIBUTES (dealloc_decl);
       (ddats = lookup_attribute ("*dealloc", ddats));
       ddats = TREE_CHAIN (ddats))
    {
      tree args = TREE_VALUE (ddats);
      if (!args)
        continue;

      tree alloc = TREE_VALUE (args);
      if (!alloc)
        continue;

      /* A deallocator naming itself as an allocator is a user-defined
         reallocator.  */
      if (alloc == DECL_NAME (dealloc_decl))
        realloc_kind = alloc_kind_t::user;

      if (DECL_P (alloc))
        {
          /* Only built-ins are expected to appear as decls here;
             user functions are referenced by name (see below).  */
          gcc_checking_assert (fndecl_built_in_p (alloc, BUILT_IN_NORMAL));

          switch (DECL_FUNCTION_CODE (alloc))
            {
            case BUILT_IN_ALIGNED_ALLOC:
            case BUILT_IN_CALLOC:
            case BUILT_IN_GOMP_ALLOC:
            case BUILT_IN_MALLOC:
            case BUILT_IN_REALLOC:
            case BUILT_IN_STRDUP:
            case BUILT_IN_STRNDUP:
              realloc_dealloc_kind = alloc_kind_t::builtin;
              break;
            default:
              break;
            }

          if (!alloc_builtin)
            continue;

          if (DECL_FUNCTION_CODE (alloc) != DECL_FUNCTION_CODE (alloc_decl))
            continue;

          return true;
        }

      /* User-defined allocators are matched by name.  */
      if (alloc == DECL_NAME (alloc_decl))
        return true;
    }

  /* Unless DEALLOC_DECL is also an allocator there is nothing more
     to try.  */
  if (realloc_kind == alloc_kind_t::none)
    return false;

  hash_set<tree> common_deallocs;
  /* Special handling for deallocators.  Iterate over both the allocator's
     and the reallocator's associated deallocator functions looking for
     the first one in common.  If one is found, the de/reallocator is
     a match for the allocator even though the latter isn't directly
     associated with the former.  This simplifies declarations in system
     headers.
     With AMATS set to the Allocator's Malloc ATtributes,
     and RMATS set to Reallocator's Malloc ATtributes...  */
  for (tree amats = DECL_ATTRIBUTES (alloc_decl),
         rmats = DECL_ATTRIBUTES (dealloc_decl);
       (amats = lookup_attribute ("malloc", amats))
       || (rmats = lookup_attribute ("malloc", rmats));
       amats = amats ? TREE_CHAIN (amats) : NULL_TREE,
         rmats = rmats ? TREE_CHAIN (rmats) : NULL_TREE)
    {
      /* The allocator's deallocator: a built-in free/realloc matches a
         built-in reallocator outright, otherwise record it.  */
      if (tree args = amats ? TREE_VALUE (amats) : NULL_TREE)
        if (tree adealloc = TREE_VALUE (args))
          {
            if (DECL_P (adealloc)
                && fndecl_built_in_p (adealloc, BUILT_IN_NORMAL))
              {
                built_in_function fncode = DECL_FUNCTION_CODE (adealloc);
                if (fncode == BUILT_IN_FREE || fncode == BUILT_IN_REALLOC)
                  {
                    if (realloc_kind == alloc_kind_t::builtin)
                      return true;
                    alloc_dealloc_kind = alloc_kind_t::builtin;
                  }
                continue;
              }

            common_deallocs.add (adealloc);
          }

      /* The reallocator's deallocator: a built-in free/realloc matches
         an allocator already known to use a built-in deallocator;
         otherwise hash_set::add returning true means it was already
         recorded from the allocator's side, i.e., it's in common.  */
      if (tree args = rmats ? TREE_VALUE (rmats) : NULL_TREE)
        if (tree ddealloc = TREE_VALUE (args))
          {
            if (DECL_P (ddealloc)
                && fndecl_built_in_p (ddealloc, BUILT_IN_NORMAL))
              {
                built_in_function fncode = DECL_FUNCTION_CODE (ddealloc);
                if (fncode == BUILT_IN_FREE || fncode == BUILT_IN_REALLOC)
                  {
                    if (alloc_dealloc_kind == alloc_kind_t::builtin)
                      return true;
                    realloc_dealloc_kind = alloc_kind_t::builtin;
                  }
                continue;
              }

            if (common_deallocs.add (ddealloc))
              return true;
          }
    }

  /* Succeed only if ALLOC_DECL and the reallocator DEALLOC_DECL share
     a built-in deallocator.  */
  return (alloc_dealloc_kind == alloc_kind_t::builtin
          && realloc_dealloc_kind == alloc_kind_t::builtin);
}
1991
1992 /* Return true if DEALLOC_DECL is a function suitable to deallocate
1993 objects allocated by the ALLOC call. */
1994
static bool
matching_alloc_calls_p (gimple *alloc, tree dealloc_decl)
{
  /* An indirect call has no decl to compare against; treat it as
     matching rather than diagnosing what can't be known.  */
  if (tree alloc_decl = gimple_call_fndecl (alloc))
    return matching_alloc_calls_p (alloc_decl, dealloc_decl);

  return true;
}
2004
2005 /* Diagnose a call EXP to deallocate a pointer referenced by AREF if it
2006 includes a nonzero offset. Such a pointer cannot refer to the beginning
2007 of an allocated object. A negative offset may refer to it only if
2008 the target pointer is unknown. */
2009
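static bool
warn_dealloc_offset (location_t loc, gimple *call, const access_ref &aref)
{
  /* Only a dereference-free pointer whose offset is strictly positive
     in both bounds is diagnosed.  */
  if (aref.deref || aref.offrng[0] <= 0 || aref.offrng[1] <= 0)
    return false;

  tree dealloc_decl = gimple_call_fndecl (call);
  if (!dealloc_decl)
    return false;

  if (DECL_IS_OPERATOR_DELETE_P (dealloc_decl)
      && !DECL_IS_REPLACEABLE_OPERATOR (dealloc_decl))
    {
      /* A call to a user-defined operator delete with a pointer plus offset
         may be valid if it's returned from an unknown function (i.e., one
         that's not operator new).  */
      if (TREE_CODE (aref.ref) == SSA_NAME)
        {
          gimple *def_stmt = SSA_NAME_DEF_STMT (aref.ref);
          if (is_gimple_call (def_stmt))
            {
              tree alloc_decl = gimple_call_fndecl (def_stmt);
              if (!alloc_decl || !DECL_IS_OPERATOR_NEW_P (alloc_decl))
                return false;
            }
        }
    }

  /* Format the offset, or the offset range when the bounds differ and
     both fit, for the diagnostic.  The buffer comfortably holds two
     64-bit decimal values plus punctuation; snprintf bounds the write
     regardless so a future format change can't overrun it.  OFFSTR is
     left empty when the lower bound doesn't fit a signed HWI.  */
  char offstr[80];
  offstr[0] = '\0';
  if (wi::fits_shwi_p (aref.offrng[0]))
    {
      if (aref.offrng[0] == aref.offrng[1]
          || !wi::fits_shwi_p (aref.offrng[1]))
        snprintf (offstr, sizeof offstr, " %lli",
                  (long long)aref.offrng[0].to_shwi ());
      else
        snprintf (offstr, sizeof offstr, " [%lli, %lli]",
                  (long long)aref.offrng[0].to_shwi (),
                  (long long)aref.offrng[1].to_shwi ());
    }

  if (!warning_at (loc, OPT_Wfree_nonheap_object,
                   "%qD called on pointer %qE with nonzero offset%s",
                   dealloc_decl, aref.ref, offstr))
    return false;

  /* Point at where the pointer comes from: its declaration, or the
     call that produced it.  */
  if (DECL_P (aref.ref))
    inform (get_location (aref.ref), "declared here");
  else if (TREE_CODE (aref.ref) == SSA_NAME)
    {
      gimple *def_stmt = SSA_NAME_DEF_STMT (aref.ref);
      if (is_gimple_call (def_stmt))
        {
          location_t def_loc = get_location (def_stmt);
          tree alloc_decl = gimple_call_fndecl (def_stmt);
          if (alloc_decl)
            inform (def_loc,
                    "returned from %qD", alloc_decl);
          else if (tree alloc_fntype = gimple_call_fntype (def_stmt))
            inform (def_loc,
                    "returned from %qT", alloc_fntype);
          else
            inform (def_loc, "obtained here");
        }
    }

  return true;
}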
2079
2080 namespace {
2081
/* Metadata describing the access-checking pass to the pass manager.
   The pass only requires the CFG and neither provides nor destroys
   any properties.  */

const pass_data pass_data_waccess = {
  GIMPLE_PASS,             /* type */
  "waccess",               /* name */
  OPTGROUP_NONE,           /* optinfo_flags */
  TV_NONE,                 /* tv_id */
  PROP_cfg,                /* properties_required */
  0,                       /* properties_provided */
  0,                       /* properties_destroyed */
  0,                       /* todo_flags_start */
  0,                       /* todo_flags_finish */
};
2093
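/* Pass to detect invalid accesses.  Declared in an anonymous namespace
   and not meant to be derived from, so its overrides are final; marking
   them as such lets the compiler verify that they really override
   gimple_opt_pass's virtuals.  */
class pass_waccess : public gimple_opt_pass
{
 public:
  pass_waccess (gcc::context *);

  ~pass_waccess ();

  opt_pass *clone () final override { return new pass_waccess (m_ctxt); }

  /* Return true when any of the warnings issued by the pass is enabled.  */
  bool gate (function *) final override;
  unsigned int execute (function *) final override;

 private:
  /* Not copyable or assignable.  */
  pass_waccess (const pass_waccess &) = delete;
  void operator= (const pass_waccess &) = delete;

  /* Check a call to a built-in function.  Returns true if the call
     was handled.  */
  bool check_builtin (gcall *);

  /* Check a call to an ordinary function.  */
  bool check_call (gcall *);

  /* Check statements in a basic block.  */
  void check (basic_block);

  /* Check a call to a function.  */
  void check (gcall *);

  /* Check a call to the named built-in function.  */
  void check_alloca (gcall *);
  void check_alloc_size_call (gcall *);
  void check_strcat (gcall *);
  void check_strncat (gcall *);
  void check_stxcpy (gcall *);
  void check_stxncpy (gcall *);
  void check_strncmp (gcall *);
  void check_memop_access (gimple *, tree, tree, tree);

  void maybe_check_dealloc_call (gcall *);
  void maybe_check_access_sizes (rdwr_map *, tree, tree, gimple *);

  /* A pointer_query object and its cache to store information about
     pointers and their targets in.  M_PTR_QRY is constructed with
     a pointer to M_VAR_CACHE (declared after it; only its address is
     taken during construction) and the cache is flushed by the
     destructor.  */
  pointer_query m_ptr_qry;
  pointer_query::cache_type m_var_cache;
};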
2142
/* Construct the pass.  The pointer_query starts out without a range
   query and is pointed at the cache member that lives in the same
   object.  Only the address of M_VAR_CACHE is taken here, so its being
   initialized after M_PTR_QRY (declaration order) is harmless.  */

pass_waccess::pass_waccess (gcc::context *ctxt)
  : gimple_opt_pass (pass_data_waccess, ctxt),
    m_ptr_qry (nullptr, &m_var_cache),
    m_var_cache ()
{
}
2151
/* Release the pointer_query cache.  The cache storage itself
   (M_VAR_CACHE) is a member and goes away with the pass object.  */

pass_waccess::~pass_waccess ()
{
  m_ptr_qry.flush_cache ();
}
2158
/* Return true when any checks performed by the pass are enabled.

   NOTE(review): only the three allocation/deallocation warnings are
   consulted here, although the per-call checks below also test
   -Wstringop-overflow, -Wstringop-overread, -Walloc-size-larger-than=
   and others.  Those checks therefore run only while at least one of
   the three options here is on (presumably the default — confirm
   against the option definitions).  */

bool
pass_waccess::gate (function *)
{
  if (warn_free_nonheap_object)
    return true;
  if (warn_mismatched_alloc)
    return true;
  return warn_mismatched_new_delete != 0;
}
2168
/* Return the maximum object size as a size_t constant: the value of
   -Walloc-size-larger-than= if the option is specified, or PTRDIFF_MAX
   (the largest value of ptrdiff_t) if it is not.  An unset option is
   recognized by its HOST_WIDE_INT_MAX default.  */

static tree
alloc_max_size (void)
{
  const bool limit_set_p = warn_alloc_size_limit != HOST_WIDE_INT_MAX;
  const HOST_WIDE_INT limit
    = (limit_set_p
       ? warn_alloc_size_limit
       : tree_to_shwi (TYPE_MAX_VALUE (ptrdiff_type_node)));
  return build_int_cst (size_type_node, limit);
}
2182
/* Diagnose a call STMT to a function decorated with attribute alloc_size
   whose argument numbers given by IDX with values given by ARGS exceed
   the maximum object size or cause an unsigned overflow (wrapping) when
   multiplied.  The callee may be unknown (a call via a function pointer),
   in which case the attributes of the call's function type are consulted
   instead of the declaration's.  When ARGS[0] is null the function does
   nothing.  ARGS[1] may be null for functions like malloc, and non-null
   for those like calloc that are decorated with a two-argument attribute
   alloc_size.  IDX holds the zero-based positions of the arguments and
   is used in diagnostics only.  */

void
maybe_warn_alloc_args_overflow (gimple *stmt, const tree args[2],
				const int idx[2])
{
  /* The range each of the (up to) two arguments is known to be in.  */
  tree argrange[2][2] = { { NULL_TREE, NULL_TREE }, { NULL_TREE, NULL_TREE } };

  /* Maximum object size set by -Walloc-size-larger-than= or SIZE_MAX / 2.  */
  tree maxobjsize = alloc_max_size ();

  location_t loc = get_location (stmt);

  /* FN is null for a call through a function pointer; FNTYPE is then
     taken from the call itself.  */
  tree fn = gimple_call_fndecl (stmt);
  tree fntype = fn ? TREE_TYPE (fn) : gimple_call_fntype (stmt);
  /* Set once a warning has been issued; the notes at the end and the
     product check depend on it.  */
  bool warned = false;

  /* Validate each argument individually.  */
  for (unsigned i = 0; i != 2 && args[i]; ++i)
    {
      if (TREE_CODE (args[i]) == INTEGER_CST)
	{
	  argrange[i][0] = args[i];
	  argrange[i][1] = args[i];

	  if (tree_int_cst_lt (args[i], integer_zero_node))
	    {
	      warned = warning_at (loc, OPT_Walloc_size_larger_than_,
				   "argument %i value %qE is negative",
				   idx[i] + 1, args[i]);
	    }
	  else if (integer_zerop (args[i]))
	    {
	      /* Avoid issuing -Walloc-zero for allocation functions other
		 than __builtin_alloca that are declared with attribute
		 returns_nonnull because there's no portability risk.  This
		 avoids warning for such calls to libiberty's xmalloc and
		 friends.
		 Also avoid issuing the warning for calls to function named
		 "alloca".
		 Note the precedence: the conditional operator applies to
		 the whole FN && fndecl_built_in_p (...) test.  */
	      if (fn && fndecl_built_in_p (fn, BUILT_IN_ALLOCA)
		  ? IDENTIFIER_LENGTH (DECL_NAME (fn)) != 6
		  : !lookup_attribute ("returns_nonnull",
				       TYPE_ATTRIBUTES (fntype)))
		warned = warning_at (loc, OPT_Walloc_zero,
				     "argument %i value is zero",
				     idx[i] + 1);
	    }
	  else if (tree_int_cst_lt (maxobjsize, args[i]))
	    {
	      /* G++ emits calls to ::operator new[](SIZE_MAX) in C++98
		 mode and with -fno-exceptions as a way to indicate array
		 size overflow.  There's no good way to detect C++98 here
		 so avoid diagnosing these calls for all C++ modes.  */
	      if (i == 0
		  && fn
		  && !args[1]
		  && lang_GNU_CXX ()
		  && DECL_IS_OPERATOR_NEW_P (fn)
		  && integer_all_onesp (args[i]))
		continue;

	      warned = warning_at (loc, OPT_Walloc_size_larger_than_,
				   "argument %i value %qE exceeds "
				   "maximum object size %E",
				   idx[i] + 1, args[i], maxobjsize);
	    }
	}
      else if (TREE_CODE (args[i]) == SSA_NAME
	       && get_size_range (args[i], argrange[i]))
	{
	  /* Verify that the argument's range is not negative (including
	     upper bound of zero).  */
	  if (tree_int_cst_lt (argrange[i][0], integer_zero_node)
	      && tree_int_cst_le (argrange[i][1], integer_zero_node))
	    {
	      warned = warning_at (loc, OPT_Walloc_size_larger_than_,
				   "argument %i range [%E, %E] is negative",
				   idx[i] + 1,
				   argrange[i][0], argrange[i][1]);
	    }
	  else if (tree_int_cst_lt (maxobjsize, argrange[i][0]))
	    {
	      warned = warning_at (loc, OPT_Walloc_size_larger_than_,
				   "argument %i range [%E, %E] exceeds "
				   "maximum object size %E",
				   idx[i] + 1,
				   argrange[i][0], argrange[i][1],
				   maxobjsize);
	    }
	}
    }

  /* Nothing known about the first argument: neither the product check
     nor the notes below can say anything useful.  */
  if (!argrange[0][0])
    return;

  /* For a two-argument alloc_size, validate the product of the two
     arguments if both of their values or ranges are known.  A factor
     of one cannot contribute to an overflow, so skip those.  */
  if (!warned && tree_fits_uhwi_p (argrange[0][0])
      && argrange[1][0] && tree_fits_uhwi_p (argrange[1][0])
      && !integer_onep (argrange[0][0])
      && !integer_onep (argrange[1][0]))
    {
      /* Check for overflow in the product of a function decorated with
	 attribute alloc_size (X, Y).  The multiplication is done in
	 the precision of size_t so that wrapping is detected exactly
	 as it would be at run time.  */
      unsigned szprec = TYPE_PRECISION (size_type_node);
      wide_int x = wi::to_wide (argrange[0][0], szprec);
      wide_int y = wi::to_wide (argrange[1][0], szprec);

      wi::overflow_type vflow;
      wide_int prod = wi::umul (x, y, &vflow);

      if (vflow)
	warned = warning_at (loc, OPT_Walloc_size_larger_than_,
			     "product %<%E * %E%> of arguments %i and %i "
			     "exceeds %<SIZE_MAX%>",
			     argrange[0][0], argrange[1][0],
			     idx[0] + 1, idx[1] + 1);
      else if (wi::ltu_p (wi::to_wide (maxobjsize, szprec), prod))
	warned = warning_at (loc, OPT_Walloc_size_larger_than_,
			     "product %<%E * %E%> of arguments %i and %i "
			     "exceeds maximum object size %E",
			     argrange[0][0], argrange[1][0],
			     idx[0] + 1, idx[1] + 1,
			     maxobjsize);

      if (warned)
	{
	  /* Print the full range of each of the two arguments to make
	     it clear when it is, in fact, in a range and not constant.  */
	  if (argrange[0][0] != argrange [0][1])
	    inform (loc, "argument %i in the range [%E, %E]",
		    idx[0] + 1, argrange[0][0], argrange[0][1]);
	  if (argrange[1][0] != argrange [1][1])
	    inform (loc, "argument %i in the range [%E, %E]",
		    idx[1] + 1, argrange[1][0], argrange[1][1]);
	}
    }

  /* Finally, name the allocation function.  Built-ins have no useful
     declaration location, so the note goes on the call instead.  */
  if (warned && fn)
    {
      location_t fnloc = DECL_SOURCE_LOCATION (fn);

      if (DECL_IS_UNDECLARED_BUILTIN (fn))
	inform (loc,
		"in a call to built-in allocation function %qD", fn);
      else
	inform (fnloc,
		"in a call to allocation function %qD declared here", fn);
    }
}
2341
/* Check a call STMT to an alloca function for an excessive size.  */

void
pass_waccess::check_alloca (gcall *stmt)
{
  /* -Walloca-larger-than and -Wvla-larger-than settings of less than
     HWI_MAX override the more general -Walloc-size-larger-than.  The
     alloca argument is therefore checked here only when at least one
     of the former is unset (at its HWI_MAX default) and
     -Walloc-size-larger-than is more restrictive than it; otherwise
     the call was already checked under the more specific option.  */
  const bool vla_unset_p = warn_vla_limit >= HOST_WIDE_INT_MAX;
  const bool alloca_unset_p = warn_alloca_limit >= HOST_WIDE_INT_MAX;
  const bool check_vla_p
    = vla_unset_p && warn_alloc_size_limit < warn_vla_limit;
  const bool check_alloca_p
    = alloca_unset_p && warn_alloc_size_limit < warn_alloca_limit;
  if (!check_vla_p && !check_alloca_p)
    return;

  /* alloca takes a single size argument; there is no second one.  */
  const tree alloc_args[] = { call_arg (stmt, 0), NULL_TREE };
  const int idx[] = { 0, -1 };
  maybe_warn_alloc_args_overflow (stmt, alloc_args, idx);
}
2362
/* Check a call STMT to an allocation function (one whose type carries
   attribute alloc_size) for an excessive size.  */

void
pass_waccess::check_alloc_size_call (gcall *stmt)
{
  /* Avoid invalid calls to functions without a prototype.  */
  if (gimple_call_num_args (stmt) < 1)
    return;

  /* Alloca is handled separately (see check_alloca).  */
  if (tree fndecl = gimple_call_fndecl (stmt))
    if (gimple_call_builtin_p (stmt, BUILT_IN_NORMAL))
      switch (DECL_FUNCTION_CODE (fndecl))
	{
	case BUILT_IN_ALLOCA:
	case BUILT_IN_ALLOCA_WITH_ALIGN:
	case BUILT_IN_ALLOCA_WITH_ALIGN_AND_MAX:
	  return;
	default:
	  break;
	}

  /* Look up attribute alloc_size on the type of the called expression
     (which could be a function or a function pointer).  */
  tree fntype = gimple_call_fntype (stmt);
  tree alloc_size = lookup_attribute ("alloc_size", TYPE_ATTRIBUTES (fntype));
  if (!alloc_size)
    return;

  /* Convert the attribute's 1-based operands to 0-based argument
     indices in IDX and fetch the actual argument(s) at those indices
     into ALLOC_ARGS.  The second operand is optional.
     NOTE(review): the indices are taken on trust from the attribute
     (validated when it was applied); whether call_arg, defined elsewhere
     in this file, rejects an index beyond the call's argument count is
     not visible here — confirm.  */
  int idx[2] = { -1, -1 };
  tree alloc_args[2] = { NULL_TREE, NULL_TREE };

  tree attr_args = TREE_VALUE (alloc_size);
  idx[0] = TREE_INT_CST_LOW (TREE_VALUE (attr_args)) - 1;
  alloc_args[0] = call_arg (stmt, idx[0]);
  if (tree second = TREE_CHAIN (attr_args))
    {
      idx[1] = TREE_INT_CST_LOW (TREE_VALUE (second)) - 1;
      alloc_args[1] = call_arg (stmt, idx[1]);
    }

  maybe_warn_alloc_args_overflow (stmt, alloc_args, idx);
}
2412
/* Check a call STMT to strcat() for overflow and warn if it does.  */

void
pass_waccess::check_strcat (gcall *stmt)
{
  if (!warn_stringop_overflow && !warn_stringop_overread)
    return;

  tree dest = call_arg (stmt, 0);
  tree src = call_arg (stmt, 1);

  /* The length of the string already in the destination is unknowable
     here, so only the case of the source string being longer than the
     whole destination object can be diagnosed.  The Object Size type
     follows -Wstringop-overflow=N when set and defaults to 1 when only
     -Wstringop-overread is enabled.  */
  const int ost = warn_stringop_overflow ? warn_stringop_overflow - 1 : 1;
  access_data data (stmt, access_read_write, NULL_TREE, true,
		    NULL_TREE, true);
  compute_objsize (src, ost, &data.src, &m_ptr_qry);
  tree destsize = compute_objsize (dest, ost, &data.dst, &m_ptr_qry);

  check_access (stmt, /*dstwrite=*/NULL_TREE, /*maxread=*/NULL_TREE,
		src, destsize, data.mode, &data);
}
2437
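/* Check a call STMT to strncat() for overflow and warn if it does.  */

void
pass_waccess::check_strncat (gcall *stmt)
{
  if (!warn_stringop_overflow && !warn_stringop_overread)
    return;

  tree dest = call_arg (stmt, 0);
  tree src = call_arg (stmt, 1);
  /* The upper bound on the number of bytes to write.  */
  tree maxread = call_arg (stmt, 2);

  /* Detect unterminated source (only).  */
  if (!check_nul_terminated_array (stmt, src, maxread))
    return;

  /* The length of the source sequence.  */
  tree slen = c_strlen (src, 1);

  /* Try to determine the range of lengths that the source expression
     refers to.  Since the lengths are only used for warning and not
     for code generation disable strict mode below.  */
  tree maxlen = slen;
  if (!maxlen)
    {
      c_strlen_data lendata = { };
      get_range_strlen (src, &lendata, /* eltsize = */ 1);
      maxlen = lendata.maxbound;
    }

  access_data data (stmt, access_read_write);
  /* Try to verify that the destination is big enough for the shortest
     string.  First try to determine the size of the destination object
     into which the source is being copied.  The Object Size type is
     derived from -Wstringop-overflow=N when that option is enabled and
     is 1 otherwise, as in check_strcat: this function is also entered
     for -Wstringop-overread alone, and the former unconditional
     WARN_STRINGOP_OVERFLOW - 1 yielded -1 in that case.  */
  const int ost = warn_stringop_overflow ? warn_stringop_overflow - 1 : 1;
  tree destsize = compute_objsize (dest, ost, &data.dst, &m_ptr_qry);

  /* Add one for the terminating nul.  */
  tree srclen = (maxlen
		 ? fold_build2 (PLUS_EXPR, size_type_node, maxlen,
				size_one_node)
		 : NULL_TREE);

  /* The strncat function copies at most MAXREAD bytes and always appends
     the terminating nul so the specified upper bound should never be equal
     to (or greater than) the size of the destination.  */
  if (tree_fits_uhwi_p (maxread) && tree_fits_uhwi_p (destsize)
      && tree_int_cst_equal (destsize, maxread))
    {
      location_t loc = get_location (stmt);
      warning_at (loc, OPT_Wstringop_overflow_,
		  "%qD specified bound %E equals destination size",
		  get_callee_fndecl (stmt), maxread);

      return;
    }

  /* Use the bound as the source length when the latter is unknown or
     when the bound is known to be the smaller of the two.  */
  if (!srclen
      || (maxread && tree_fits_uhwi_p (maxread)
	  && tree_fits_uhwi_p (srclen)
	  && tree_int_cst_lt (maxread, srclen)))
    srclen = maxread;

  check_access (stmt, /*dstwrite=*/NULL_TREE, maxread, srclen,
		destsize, data.mode, &data);
}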
2505
/* Check a call STMT to stpcpy() or strcpy() for overflow and warn
   if it does.  */

void
pass_waccess::check_stxcpy (gcall *stmt)
{
  tree dst = call_arg (stmt, 0);
  tree src = call_arg (stmt, 1);

  /* A constant source array without a terminating nul is diagnosed
     on its own and nothing else is checked for it.  */
  tree size;
  bool exact;
  tree nonstr = unterminated_array (src, &size, &exact);
  if (nonstr)
    {
      warn_string_no_nul (get_location (stmt), stmt, NULL, src, nonstr,
			  size, exact);
      return;
    }

  if (warn_stringop_overflow)
    {
      /* -Wstringop-overflow=N is known to be enabled here, so the
	 Object Size type is simply N - 1.  */
      const int ost = warn_stringop_overflow - 1;
      access_data data (stmt, access_read_write, NULL_TREE, true,
			NULL_TREE, true);
      compute_objsize (src, ost, &data.src, &m_ptr_qry);
      tree dstsize = compute_objsize (dst, ost, &data.dst, &m_ptr_qry);
      check_access (stmt, /*dstwrite=*/ NULL_TREE,
		    /*maxread=*/ NULL_TREE, /*srcstr=*/ src,
		    dstsize, data.mode, &data);
    }

  /* Check to see if the argument was declared attribute nonstring
     and if so, issue a warning since at this point it's not known
     to be nul-terminated.  */
  maybe_warn_nonstring_arg (get_callee_fndecl (stmt), stmt);
}
2543
/* Check a call STMT to stpncpy() or strncpy() for overflow and warn
   if it does.  */

void
pass_waccess::check_stxncpy (gcall *stmt)
{
  if (!warn_stringop_overflow)
    return;

  tree dst = call_arg (stmt, 0);
  tree src = call_arg (stmt, 1);
  /* The number of bytes to write (not the maximum).  */
  tree len = call_arg (stmt, 2);

  /* -Wstringop-overflow=N is known to be enabled here, so the Object
     Size type is simply N - 1.  */
  const int ost = warn_stringop_overflow - 1;
  access_data data (stmt, access_read_write, len, true, len, true);
  compute_objsize (src, ost, &data.src, &m_ptr_qry);
  tree dstsize = compute_objsize (dst, ost, &data.dst, &m_ptr_qry);

  /* Exactly LEN bytes are written to DST and at most LEN read from SRC.  */
  check_access (stmt, /*dstwrite=*/len, /*maxread=*/len, src, dstsize,
		data.mode, &data);
}
2566
/* Check a call STMT to strncmp() or strncasecmp() for reads past the end
   of either string argument (-Wstringop-overread) and warn if any are
   found.  */

void
pass_waccess::check_strncmp (gcall *stmt)
{
  if (!warn_stringop_overread)
    return;

  tree arg1 = call_arg (stmt, 0);
  tree arg2 = call_arg (stmt, 1);
  tree bound = call_arg (stmt, 2);

  /* First check each argument separately, considering the bound.  */
  if (!check_nul_terminated_array (stmt, arg1, bound)
      || !check_nul_terminated_array (stmt, arg2, bound))
    return;

  /* A strncmp read from each argument is constrained not just by
     the bound but also by the length of the shorter string.  Specifying
     a bound that's larger than the size of either array makes no sense
     and is likely a bug.  When the length of neither of the two strings
     is known but the sizes of both of the arrays they are stored in is,
     issue a warning if the bound is larger than the size of
     the larger of the two arrays.  */

  /* LENDATA1/2 record, among other things, the declaration of
     a constant array without a terminating nul (the .decl member).  */
  c_strlen_data lendata1{ }, lendata2{ };
  tree len1 = c_strlen (arg1, 1, &lendata1);
  tree len2 = c_strlen (arg2, 1, &lendata2);

  if (len1 && len2)
    /* If the length of both arguments was computed they must both be
       nul-terminated and no further checking is necessary regardless
       of the bound.  */
    return;

  /* Check to see if the argument was declared with attribute nonstring
     and if so, issue a warning since at this point it's not known to be
     nul-terminated.  */
  if (maybe_warn_nonstring_arg (get_callee_fndecl (stmt), stmt))
    return;

  /* Both arguments are read-only with at most BOUND bytes read.  */
  access_data adata1 (stmt, access_read_only, NULL_TREE, false, bound, true);
  access_data adata2 (stmt, access_read_only, NULL_TREE, false, bound, true);

  /* Determine the range of the bound first and bail if it fails; it's
     cheaper than computing the size of the objects.  A zero lower
     bound cannot cause any read.  */
  tree bndrng[2] = { NULL_TREE, NULL_TREE };
  get_size_range (m_ptr_qry.rvals, bound, bndrng, adata1.src.bndrng);
  if (!bndrng[0] || integer_zerop (bndrng[0]))
    return;

  /* Reduce the lower bound to the length of whichever string is known
     (at most one of them is, see above).  */
  if (len1 && tree_int_cst_lt (len1, bndrng[0]))
    bndrng[0] = len1;
  if (len2 && tree_int_cst_lt (len2, bndrng[0]))
    bndrng[0] = len2;

  /* compute_objsize almost never fails (and ultimately should never
     fail).  Don't bother to handle the rare case when it does.  */
  if (!compute_objsize (arg1, 1, &adata1.src, &m_ptr_qry)
      || !compute_objsize (arg2, 1, &adata2.src, &m_ptr_qry))
    return;

  /* Compute the size of the remaining space in each array after
     subtracting any offset into it.  */
  offset_int rem1 = adata1.src.size_remaining ();
  offset_int rem2 = adata2.src.size_remaining ();

  /* Cap REM1 and REM2 at the other if the other's argument is known
     to be an unterminated array, either because there's no space
     left in it after adding its offset or because it's constant and
     has no nul.  */
  if (rem1 == 0 || (rem1 < rem2 && lendata1.decl))
    rem2 = rem1;
  else if (rem2 == 0 || (rem2 < rem1 && lendata2.decl))
    rem1 = rem2;

  /* Point PAD at the array to reference in the note if a warning
     is issued: the one whose length is not known.  */
  access_data *pad = len1 ? &adata2 : &adata1;
  offset_int maxrem = wi::max (rem1, rem2, UNSIGNED);
  if (lendata1.decl || lendata2.decl
      || maxrem < wi::to_offset (bndrng[0]))
    {
      /* Warn when either argument isn't nul-terminated or the maximum
	 remaining space in the two arrays is less than the bound.  */
      tree func = get_callee_fndecl (stmt);
      location_t loc = gimple_location (stmt);
      maybe_warn_for_bound (OPT_Wstringop_overread, loc, stmt, func,
			    bndrng, wide_int_to_tree (sizetype, maxrem),
			    pad);
    }
}
2660
/* Determine and check the sizes of the source and the destination
   of a call STMT to __builtin_{bzero,memcpy,mempcpy,memset} and the
   like.  DEST is the destination argument, SRC is the source argument
   or null, and SIZE is the number of bytes being accessed.  Object Size
   type 0 is used regardless of the -Wstringop-overflow= setting.  Any
   problem found is diagnosed by check_access; nothing is returned.  */

void
pass_waccess::check_memop_access (gimple *stmt, tree dest, tree src, tree size)
{
  access_data data (stmt, access_read_write);

  /* For functions that operate on raw memory determine the size of the
     largest source and destination object with type-0 Object Size,
     ignoring the type selected by the option.  A null SRC (memset and
     bzero) has no source size.  */
  tree srcsize = NULL_TREE;
  if (src)
    srcsize = compute_objsize (src, 0, &data.src, &m_ptr_qry);
  tree dstsize = compute_objsize (dest, 0, &data.dst, &m_ptr_qry);

  check_access (stmt, size, /*maxread=*/NULL_TREE, srcsize, dstsize,
		data.mode, &data);
}
2683
/* Check call STMT to a built-in function for invalid accesses.  Return
   true if the call has been handled (i.e., the callee is one of the
   built-ins known here), false otherwise.  */

bool
pass_waccess::check_builtin (gcall *stmt)
{
  tree callee = gimple_call_fndecl (stmt);
  if (!callee)
    return false;

  switch (DECL_FUNCTION_CODE (callee))
    {
    case BUILT_IN_ALLOCA:
    case BUILT_IN_ALLOCA_WITH_ALIGN:
    case BUILT_IN_ALLOCA_WITH_ALIGN_AND_MAX:
      check_alloca (stmt);
      return true;

    /* Functions that read a single nul-terminated string argument.  */
    case BUILT_IN_FPUTS:
    case BUILT_IN_FPUTS_UNLOCKED:
    case BUILT_IN_GETTEXT:
    case BUILT_IN_INDEX:
    case BUILT_IN_PUTS:
    case BUILT_IN_PUTS_UNLOCKED:
    case BUILT_IN_RINDEX:
    case BUILT_IN_STRCHR:
    case BUILT_IN_STRDUP:
    case BUILT_IN_STRLEN:
    case BUILT_IN_STRRCHR:
      check_read_access (stmt, call_arg (stmt, 0));
      return true;

    /* Functions that read a string argument bounded by the second.  */
    case BUILT_IN_STRNDUP:
    case BUILT_IN_STRNLEN:
      check_read_access (stmt, call_arg (stmt, 0), call_arg (stmt, 1));
      return true;

    case BUILT_IN_STRCAT:
      check_strcat (stmt);
      return true;

    case BUILT_IN_STRNCAT:
      check_strncat (stmt);
      return true;

    case BUILT_IN_STPCPY:
    case BUILT_IN_STRCPY:
      check_stxcpy (stmt);
      return true;

    case BUILT_IN_STPNCPY:
    case BUILT_IN_STRNCPY:
      check_stxncpy (stmt);
      return true;

    /* Functions that read two nul-terminated string arguments.  */
    case BUILT_IN_STRCASECMP:
    case BUILT_IN_STRCMP:
    case BUILT_IN_STRCSPN:
    case BUILT_IN_STRPBRK:
    case BUILT_IN_STRSPN:
    case BUILT_IN_STRSTR:
      check_read_access (stmt, call_arg (stmt, 0));
      check_read_access (stmt, call_arg (stmt, 1));
      return true;

    case BUILT_IN_STRNCASECMP:
    case BUILT_IN_STRNCMP:
      check_strncmp (stmt);
      return true;

    /* Raw-memory functions: the access size is the third argument.  */
    case BUILT_IN_MEMCMP:
      check_read_access (stmt, call_arg (stmt, 0), call_arg (stmt, 2), 0);
      check_read_access (stmt, call_arg (stmt, 1), call_arg (stmt, 2), 0);
      return true;

    case BUILT_IN_MEMCHR:
      check_read_access (stmt, call_arg (stmt, 0), call_arg (stmt, 2), 0);
      return true;

    case BUILT_IN_MEMCPY:
    case BUILT_IN_MEMMOVE:
    case BUILT_IN_MEMPCPY:
      check_memop_access (stmt, call_arg (stmt, 0), call_arg (stmt, 1),
			  call_arg (stmt, 2));
      return true;

    case BUILT_IN_MEMSET:
      check_memop_access (stmt, call_arg (stmt, 0), NULL_TREE,
			  call_arg (stmt, 2));
      return true;

    default:
      return false;
    }
}
2803
/* Return the type of the argument ARGNO (zero-based) to a function with
   type FNTYPE, or null when the type cannot be determined (FNTYPE has
   no prototype) or no such argument exists.  */

static tree
fntype_argno_type (tree fntype, unsigned argno)
{
  if (!prototype_p (fntype))
    return NULL_TREE;

  unsigned remaining = argno;
  tree argtype;
  function_args_iterator it;
  FOREACH_FUNCTION_ARGS (fntype, argtype, it)
    {
      if (remaining == 0)
	return argtype;
      --remaining;
    }

  return NULL_TREE;
}
2821
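/* Copy the "human readable" attribute access specification described
   by ACCESS into the array ATTRSTR of STRSIZE bytes, replacing whatever
   it held (despite the name, nothing is appended).  Internal
   (compiler-synthesized) specifications are skipped.  Used in
   diagnostics.  */

static inline void
append_attrname (const std::pair<int, attr_access> &access,
		 char *attrstr, size_t strsize)
{
  if (access.second.internal_p)
    return;

  tree str = access.second.to_external_string ();
  const char *spec = TREE_STRING_POINTER (str);
  /* Bound the copy by the length of the string actually copied rather
     than by TREE_STRING_LENGTH, which may or may not count the
     terminating nul; the nul must fit in the destination as well.  */
  const size_t len = strlen (spec);
  gcc_assert (len < strsize);
  memcpy (attrstr, spec, len + 1);
}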
2837
2838 /* Iterate over attribute access read-only, read-write, and write-only
2839 arguments and diagnose past-the-end accesses and related problems
2840 in the function call EXP. */
2841
2842 void
2843 pass_waccess::maybe_check_access_sizes (rdwr_map *rwm, tree fndecl, tree fntype,
2844 gimple *stmt)
2845 {
2846 auto_diagnostic_group adg;
2847
2848 /* Set if a warning has been issued for any argument (used to decide
2849 whether to emit an informational note at the end). */
2850 opt_code opt_warned = no_warning;
2851
2852 /* A string describing the attributes that the warnings issued by this
2853 function apply to. Used to print one informational note per function
2854 call, rather than one per warning. That reduces clutter. */
2855 char attrstr[80];
2856 attrstr[0] = 0;
2857
2858 for (rdwr_map::iterator it = rwm->begin (); it != rwm->end (); ++it)
2859 {
2860 std::pair<int, attr_access> access = *it;
2861
2862 /* Get the function call arguments corresponding to the attribute's
2863 positional arguments. When both arguments have been specified
2864 there will be two entries in *RWM, one for each. They are
2865 cross-referenced by their respective argument numbers in
2866 ACCESS.PTRARG and ACCESS.SIZARG. */
2867 const int ptridx = access.second.ptrarg;
2868 const int sizidx = access.second.sizarg;
2869
2870 gcc_assert (ptridx != -1);
2871 gcc_assert (access.first == ptridx || access.first == sizidx);
2872
2873 /* The pointer is set to null for the entry corresponding to
2874 the size argument. Skip it. It's handled when the entry
2875 corresponding to the pointer argument comes up. */
2876 if (!access.second.ptr)
2877 continue;
2878
2879 tree ptrtype = fntype_argno_type (fntype, ptridx);
2880 tree argtype = TREE_TYPE (ptrtype);
2881
2882 /* The size of the access by the call. */
2883 tree access_size;
2884 if (sizidx == -1)
2885 {
2886 /* If only the pointer attribute operand was specified and
2887 not size, set SIZE to the greater of MINSIZE or size of
2888 one element of the pointed to type to detect smaller
2889 objects (null pointers are diagnosed in this case only
2890 if the pointer is also declared with attribute nonnull. */
2891 if (access.second.minsize
2892 && access.second.minsize != HOST_WIDE_INT_M1U)
2893 access_size = build_int_cstu (sizetype, access.second.minsize);
2894 else
2895 access_size = size_one_node;
2896 }
2897 else
2898 access_size = rwm->get (sizidx)->size;
2899
2900 /* Format the value or range to avoid an explosion of messages. */
2901 char sizstr[80];
2902 tree sizrng[2] = { size_zero_node, build_all_ones_cst (sizetype) };
2903 if (get_size_range (m_ptr_qry.rvals, access_size, NULL, sizrng, 1))
2904 {
2905 char *s0 = print_generic_expr_to_str (sizrng[0]);
2906 if (tree_int_cst_equal (sizrng[0], sizrng[1]))
2907 {
2908 gcc_checking_assert (strlen (s0) < sizeof sizstr);
2909 strcpy (sizstr, s0);
2910 }
2911 else
2912 {
2913 char *s1 = print_generic_expr_to_str (sizrng[1]);
2914 gcc_checking_assert (strlen (s0) + strlen (s1)
2915 < sizeof sizstr - 4);
2916 sprintf (sizstr, "[%s, %s]", s0, s1);
2917 free (s1);
2918 }
2919 free (s0);
2920 }
2921 else
2922 *sizstr = '\0';
2923
2924 /* Set if a warning has been issued for the current argument. */
2925 opt_code arg_warned = no_warning;
2926 location_t loc = get_location (stmt);
2927 tree ptr = access.second.ptr;
2928 if (*sizstr
2929 && tree_int_cst_sgn (sizrng[0]) < 0
2930 && tree_int_cst_sgn (sizrng[1]) < 0)
2931 {
2932 /* Warn about negative sizes. */
2933 if (access.second.internal_p)
2934 {
2935 const std::string argtypestr
2936 = access.second.array_as_string (ptrtype);
2937
2938 if (warning_at (loc, OPT_Wstringop_overflow_,
2939 "bound argument %i value %s is "
2940 "negative for a variable length array "
2941 "argument %i of type %s",
2942 sizidx + 1, sizstr,
2943 ptridx + 1, argtypestr.c_str ()))
2944 arg_warned = OPT_Wstringop_overflow_;
2945 }
2946 else if (warning_at (loc, OPT_Wstringop_overflow_,
2947 "argument %i value %s is negative",
2948 sizidx + 1, sizstr))
2949 arg_warned = OPT_Wstringop_overflow_;
2950
2951 if (arg_warned != no_warning)
2952 {
2953 append_attrname (access, attrstr, sizeof attrstr);
2954 /* Remember a warning has been issued and avoid warning
2955 again below for the same attribute. */
2956 opt_warned = arg_warned;
2957 continue;
2958 }
2959 }
2960
2961 if (tree_int_cst_sgn (sizrng[0]) >= 0)
2962 {
2963 if (COMPLETE_TYPE_P (argtype))
2964 {
2965 /* Multiply ACCESS_SIZE by the size of the type the pointer
2966 argument points to. If it's incomplete the size is used
2967 as is. */
2968 if (tree argsize = TYPE_SIZE_UNIT (argtype))
2969 if (TREE_CODE (argsize) == INTEGER_CST)
2970 {
2971 const int prec = TYPE_PRECISION (sizetype);
2972 wide_int minsize = wi::to_wide (sizrng[0], prec);
2973 minsize *= wi::to_wide (argsize, prec);
2974 access_size = wide_int_to_tree (sizetype, minsize);
2975 }
2976 }
2977 }
2978 else
2979 access_size = NULL_TREE;
2980
2981 if (integer_zerop (ptr))
2982 {
2983 if (sizidx >= 0 && tree_int_cst_sgn (sizrng[0]) > 0)
2984 {
2985 /* Warn about null pointers with positive sizes. This is
2986 different from also declaring the pointer argument with
2987 attribute nonnull when the function accepts null pointers
2988 only when the corresponding size is zero. */
2989 if (access.second.internal_p)
2990 {
2991 const std::string argtypestr
2992 = access.second.array_as_string (ptrtype);
2993
2994 if (warning_at (loc, OPT_Wnonnull,
2995 "argument %i of variable length "
2996 "array %s is null but "
2997 "the corresponding bound argument "
2998 "%i value is %s",
2999 ptridx + 1, argtypestr.c_str (),
3000 sizidx + 1, sizstr))
3001 arg_warned = OPT_Wnonnull;
3002 }
3003 else if (warning_at (loc, OPT_Wnonnull,
3004 "argument %i is null but "
3005 "the corresponding size argument "
3006 "%i value is %s",
3007 ptridx + 1, sizidx + 1, sizstr))
3008 arg_warned = OPT_Wnonnull;
3009 }
3010 else if (access_size && access.second.static_p)
3011 {
3012 /* Warn about null pointers for [static N] array arguments
3013 but do not warn for ordinary (i.e., nonstatic) arrays. */
3014 if (warning_at (loc, OPT_Wnonnull,
3015 "argument %i to %<%T[static %E]%> "
3016 "is null where non-null expected",
3017 ptridx + 1, argtype, access_size))
3018 arg_warned = OPT_Wnonnull;
3019 }
3020
3021 if (arg_warned != no_warning)
3022 {
3023 append_attrname (access, attrstr, sizeof attrstr);
3024 /* Remember a warning has been issued and avoid warning
3025 again below for the same attribute. */
3026 opt_warned = OPT_Wnonnull;
3027 continue;
3028 }
3029 }
3030
3031 access_data data (ptr, access.second.mode, NULL_TREE, false,
3032 NULL_TREE, false);
3033 access_ref* const pobj = (access.second.mode == access_write_only
3034 ? &data.dst : &data.src);
3035 tree objsize = compute_objsize (ptr, 1, pobj, &m_ptr_qry);
3036
3037 /* The size of the destination or source object. */
3038 tree dstsize = NULL_TREE, srcsize = NULL_TREE;
3039 if (access.second.mode == access_read_only
3040 || access.second.mode == access_none)
3041 {
3042 /* For a read-only argument there is no destination. For
3043 no access, set the source as well and differentiate via
3044 the access flag below. */
3045 srcsize = objsize;
3046 if (access.second.mode == access_read_only
3047 || access.second.mode == access_none)
3048 {
3049 /* For a read-only attribute there is no destination so
3050 clear OBJSIZE. This emits "reading N bytes" kind of
3051 diagnostics instead of the "writing N bytes" kind,
3052 unless MODE is none. */
3053 objsize = NULL_TREE;
3054 }
3055 }
3056 else
3057 dstsize = objsize;
3058
3059 /* Clear the no-warning bit in case it was set by check_access
3060 in a prior iteration so that accesses via different arguments
3061 are diagnosed. */
3062 suppress_warning (stmt, OPT_Wstringop_overflow_, false);
3063 access_mode mode = data.mode;
3064 if (mode == access_deferred)
3065 mode = TYPE_READONLY (argtype) ? access_read_only : access_read_write;
3066 check_access (stmt, access_size, /*maxread=*/ NULL_TREE, srcsize,
3067 dstsize, mode, &data);
3068
3069 if (warning_suppressed_p (stmt, OPT_Wstringop_overflow_))
3070 opt_warned = OPT_Wstringop_overflow_;
3071 if (opt_warned != no_warning)
3072 {
3073 if (access.second.internal_p)
3074 inform (loc, "referencing argument %u of type %qT",
3075 ptridx + 1, ptrtype);
3076 else
3077 /* If check_access issued a warning above, append the relevant
3078 attribute to the string. */
3079 append_attrname (access, attrstr, sizeof attrstr);
3080 }
3081 }
3082
3083 if (*attrstr)
3084 {
3085 if (fndecl)
3086 inform (get_location (fndecl),
3087 "in a call to function %qD declared with attribute %qs",
3088 fndecl, attrstr);
3089 else
3090 inform (get_location (stmt),
3091 "in a call with type %qT and attribute %qs",
3092 fntype, attrstr);
3093 }
3094 else if (opt_warned != no_warning)
3095 {
3096 if (fndecl)
3097 inform (get_location (fndecl),
3098 "in a call to function %qD", fndecl);
3099 else
3100 inform (get_location (stmt),
3101 "in a call with type %qT", fntype);
3102 }
3103
3104 /* Set the bit in case if was cleared and not set above. */
3105 if (opt_warned != no_warning)
3106 suppress_warning (stmt, opt_warned);
3107 }
3108
/* Check call STMT for invalid accesses described by attributes on
   the called function's type (e.g., attribute access).  Bind each
   actual argument to its attribute operand, check the access sizes
   and then the alloc_size arguments.  Return true when the call was
   examined and false when its type carries no attributes at all.  */

bool
pass_waccess::check_call (gcall *stmt)
{
  /* Without a function type, or a type without attributes, there is
     nothing the attribute-driven checks below could act on.  */
  tree fntype = gimple_call_fntype (stmt);
  tree attrs = fntype ? TYPE_ATTRIBUTES (fntype) : NULL_TREE;
  if (!attrs)
    return false;

  /* Map of the attribute access specifications of the arguments,
     keyed by argument position.  */
  rdwr_map rdwr_idx;
  init_attr_rdwr_indices (&rdwr_idx, attrs);

  const unsigned nargs = call_nargs (stmt);
  for (unsigned argno = 0; argno != nargs; ++argno)
    {
      attr_access *access = rdwr_idx.get (argno);
      if (!access)
	continue;

      /* Record the actual argument that corresponds to the attribute
	 operand: a pointer-typed argument is the accessed pointer,
	 anything else is the size (bound) operand.  A nonnull
	 ACCESS->SIZE holds the VLA bounds.  */
      tree arg = call_arg (stmt, argno);
      if (POINTER_TYPE_P (TREE_TYPE (arg)))
	access->ptr = arg;
      else
	{
	  /* The pointer operand must not have been bound before the
	     size operand of the same attribute.  */
	  gcc_assert (access->ptr == NULL_TREE);
	  access->size = arg;
	}
    }

  /* Check the arguments against their attribute access specifications,
     then the arguments designated by attribute alloc_size.  */
  tree fndecl = gimple_call_fndecl (stmt);
  maybe_check_access_sizes (&rdwr_idx, fndecl, fntype, stmt);

  check_alloc_size_call (stmt);
  return true;
}
3156
/* Check the arguments of call STMT for violations of attribute
   nonstring, i.e., passing an array that need not be nul-terminated
   to a function that expects a nul-terminated string.  */

static void
check_nonstring_args (gcall *stmt)
{
  /* maybe_warn_nonstring_arg does the actual detection; it is given
     the callee (possibly null for indirect calls) and the call.  */
  maybe_warn_nonstring_arg (gimple_call_fndecl (stmt), stmt);
}
3168
/* Issue a warning if a deallocation function such as free, realloc,
   or C++ operator delete is called with an argument not returned by
   a matching allocation function such as malloc or the corresponding
   form of C++ operator new.  CALL is the call to check.  The pointer
   argument is resolved with compute_objsize and, depending on what it
   refers to, diagnosed under -Wfree-nonheap-object,
   -Wmismatched-dealloc or -Wmismatched-new-delete; a pointer that
   does not refer to the beginning of an allocated object is handed
   to warn_dealloc_offset.  Each warning is followed by a note
   pointing at the object's declaration or the defining statement.  */

void
pass_waccess::maybe_check_dealloc_call (gcall *call)
{
  /* Only direct calls are checked.  */
  tree fndecl = gimple_call_fndecl (call);
  if (!fndecl)
    return;

  /* Position of the argument FNDECL deallocates.  Bail out when the
     call doesn't supply it; presumably this also covers FNDECL not
     being a deallocation function at all (an out-of-range index
     from fndecl_dealloc_argno) -- verify against that function.  */
  unsigned argno = fndecl_dealloc_argno (fndecl);
  if ((unsigned) call_nargs (call) <= argno)
    return;

  /* Deallocating a null pointer is valid and never diagnosed.  */
  tree ptr = gimple_call_arg (call, argno);
  if (integer_zerop (ptr))
    return;

  /* Determine the object PTR refers to.  Nothing can be said about
     a pointer whose referent is unknown.  */
  access_ref aref;
  if (!compute_objsize (ptr, 0, &aref, &m_ptr_qry))
    return;

  tree ref = aref.ref;
  if (integer_zerop (ref))
    return;

  tree dealloc_decl = fndecl;
  location_t loc = gimple_location (call);

  if (DECL_P (ref) || EXPR_P (ref))
    {
      /* Diagnose freeing a declared object.  The note points at
	 the object's declaration.  */
      if (aref.ref_declared ()
	  && warning_at (loc, OPT_Wfree_nonheap_object,
			 "%qD called on unallocated object %qD",
			 dealloc_decl, ref))
	{
	  inform (get_location (ref), "declared here");
	  return;
	}

      /* Diagnose freeing a pointer that includes a positive offset.
	 Such a pointer cannot refer to the beginning of an allocated
	 object.  A negative offset may refer to it.  The size range
	 check skips objects whose size is exactly known.  */
      if (aref.sizrng[0] != aref.sizrng[1]
	  && warn_dealloc_offset (loc, call, aref))
	return;
    }
  else if (CONSTANT_CLASS_P (ref))
    {
      /* REF is a constant (a string literal, for instance); it can
	 never have been returned by an allocation function.  */
      if (warning_at (loc, OPT_Wfree_nonheap_object,
		      "%qD called on a pointer to an unallocated "
		      "object %qE", dealloc_decl, ref))
	{
	  /* Point at the assignment that produced PTR when there
	     is one.  */
	  if (TREE_CODE (ptr) == SSA_NAME)
	    {
	      gimple *def_stmt = SSA_NAME_DEF_STMT (ptr);
	      if (is_gimple_assign (def_stmt))
		{
		  /* Shadows the outer LOC on purpose: the note goes
		     to the defining statement, not the call.  */
		  location_t loc = gimple_location (def_stmt);
		  inform (loc, "assigned here");
		}
	    }
	  return;
	}
    }
  else if (TREE_CODE (ref) == SSA_NAME)
    {
      /* Also warn if the pointer argument refers to the result
	 of an allocation call like alloca or VLA.  */
      gimple *def_stmt = SSA_NAME_DEF_STMT (ref);
      if (!def_stmt)
	return;

      if (is_gimple_call (def_stmt))
	{
	  /* Set when a warning was issued below so the defining call
	     is pointed at by a note.  */
	  bool warned = false;
	  if (gimple_call_alloc_p (def_stmt))
	    {
	      if (matching_alloc_calls_p (def_stmt, dealloc_decl))
		{
		  /* The pair matches; only an offset into the
		     allocated object can still be wrong.  */
		  if (warn_dealloc_offset (loc, call, aref))
		    return;
		}
	      else
		{
		  /* Mismatched pair.  Select the option by whether
		     either side is a C++ operator new/delete; the
		     precedence of || over ?: is made explicit by the
		     parentheses.  */
		  tree alloc_decl = gimple_call_fndecl (def_stmt);
		  const opt_code opt =
		    (DECL_IS_OPERATOR_NEW_P (alloc_decl)
		     || DECL_IS_OPERATOR_DELETE_P (dealloc_decl)
		     ? OPT_Wmismatched_new_delete
		     : OPT_Wmismatched_dealloc);
		  warned = warning_at (loc, opt,
				       "%qD called on pointer returned "
				       "from a mismatched allocation "
				       "function", dealloc_decl);
		}
	    }
	  else if (gimple_call_builtin_p (def_stmt, BUILT_IN_ALLOCA)
		   || gimple_call_builtin_p (def_stmt,
					     BUILT_IN_ALLOCA_WITH_ALIGN))
	    /* Stack memory from alloca (including VLAs lowered to it)
	       must never reach a deallocation function.  */
	    warned = warning_at (loc, OPT_Wfree_nonheap_object,
				 "%qD called on pointer to "
				 "an unallocated object",
				 dealloc_decl);
	  else if (warn_dealloc_offset (loc, call, aref))
	    return;

	  if (warned)
	    {
	      /* Shadows the outer FNDECL: this is the allocator
		 that defined REF, named in the note.  */
	      tree fndecl = gimple_call_fndecl (def_stmt);
	      inform (gimple_location (def_stmt),
		      "returned from %qD", fndecl);
	      return;
	    }
	}
      else if (gimple_nop_p (def_stmt))
	{
	  /* REF is a default definition, i.e., an incoming value
	     such as a parameter; look at the underlying variable.  */
	  ref = SSA_NAME_VAR (ref);
	  /* Diagnose freeing a pointer that includes a positive offset.
	     Only a parameter that is not dereferenced, with an
	     imprecise size and a strictly positive offset range,
	     is diagnosed.  */
	  if (TREE_CODE (ref) == PARM_DECL
	      && !aref.deref
	      && aref.sizrng[0] != aref.sizrng[1]
	      && aref.offrng[0] > 0 && aref.offrng[1] > 0
	      && warn_dealloc_offset (loc, call, aref))
	    return;
	}
    }
}
3300
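/* Check call STMT for invalid accesses.  Normal built-in calls are
   checked by check_builtin, calls whose function type carries
   attributes by check_call, and every call is then examined for
   an invalid deallocation and for attribute nonstring violations.  */

void
pass_waccess::check (gcall *stmt)
{
  if (gimple_call_builtin_p (stmt, BUILT_IN_NORMAL))
    check_builtin (stmt);

  /* STMT is a gcall, so the former is_gimple_call (stmt) guard was
     always true; check_call itself returns early when the call's
     type has no attributes, and its result is not needed here.  */
  check_call (stmt);

  maybe_check_dealloc_call (stmt);

  check_nonstring_args (stmt);
}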
3316
/* Check basic block BB for invalid accesses by examining each call
   statement in it.  */

void
pass_waccess::check (basic_block bb)
{
  for (gimple_stmt_iterator gsi = gsi_start_bb (bb); !gsi_end_p (gsi);
       gsi_next (&gsi))
    {
      /* Only calls are of interest; skip everything else.  */
      gimple *stmt = gsi_stmt (gsi);
      if (!is_gimple_call (stmt))
	continue;

      check (as_a <gcall *> (stmt));
    }
}
3329
/* Check function FUN for invalid accesses.  A ranger is enabled for
   FUN for the duration of the pass so pointer queries can use value
   ranges, and disabled again before returning.  Always returns 0
   (no TODO flags).  */

unsigned
pass_waccess::execute (function *fun)
{
  /* Create a new ranger instance and make it available to the
     pointer query object used by the checks.  */
  m_ptr_qry.rvals = enable_ranger (fun);

  basic_block bb;
  FOR_EACH_BB_FN (bb, fun)
    check (bb);

  if (dump_file)
    {
      const bool details = (dump_flags & TDF_DETAILS) != 0;
      m_ptr_qry.dump (dump_file, details);
    }

  m_ptr_qry.flush_cache ();

  /* disable_ranger deletes the instance, so drop the pointer rather
     than leave it dangling for the next function.  */
  disable_ranger (fun);
  m_ptr_qry.rvals = nullptr;

  return 0;
}
3354
3355 } // namespace
3356
/* Return a new instance of the pass for context CTXT.  The caller
   takes ownership of the returned object.  */

gimple_opt_pass *
make_pass_warn_access (gcc::context *ctxt)
{
  gimple_opt_pass *pass = new pass_waccess (ctxt);
  return pass;
}