1 /* Pass to detect and issue warnings for invalid accesses, including
2 invalid or mismatched allocation/deallocation calls.
3
4 Copyright (C) 2020-2022 Free Software Foundation, Inc.
5 Contributed by Martin Sebor <msebor@redhat.com>.
6
7 This file is part of GCC.
8
9 GCC is free software; you can redistribute it and/or modify it under
10 the terms of the GNU General Public License as published by the Free
11 Software Foundation; either version 3, or (at your option) any later
12 version.
13
14 GCC is distributed in the hope that it will be useful, but WITHOUT ANY
15 WARRANTY; without even the implied warranty of MERCHANTABILITY or
16 FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
17 for more details.
18
19 You should have received a copy of the GNU General Public License
20 along with GCC; see the file COPYING3. If not see
21 <http://www.gnu.org/licenses/>. */
22
23 #define INCLUDE_STRING
24 #include "config.h"
25 #include "system.h"
26 #include "coretypes.h"
27 #include "backend.h"
28 #include "tree.h"
29 #include "gimple.h"
30 #include "tree-pass.h"
31 #include "builtins.h"
32 #include "diagnostic.h"
33 #include "ssa.h"
34 #include "gimple-pretty-print.h"
35 #include "gimple-ssa-warn-access.h"
36 #include "gimple-ssa-warn-restrict.h"
37 #include "diagnostic-core.h"
38 #include "fold-const.h"
39 #include "gimple-iterator.h"
40 #include "gimple-fold.h"
41 #include "langhooks.h"
42 #include "memmodel.h"
43 #include "target.h"
44 #include "tree-dfa.h"
45 #include "tree-ssa.h"
46 #include "tree-cfg.h"
47 #include "tree-object-size.h"
48 #include "tree-ssa-strlen.h"
49 #include "calls.h"
50 #include "cfganal.h"
51 #include "intl.h"
52 #include "gimple-range.h"
53 #include "stringpool.h"
54 #include "attribs.h"
55 #include "demangle.h"
56 #include "attr-fnspec.h"
57 #include "pointer-query.h"
58
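/* Return true if tree node X has an associated source location: a
   declaration whose DECL_SOURCE_LOCATION is known, or an expression
   for which EXPR_HAS_LOCATION holds.  Anything else has none.
   The result is a boolean (the original declared it location_t,
   which misdescribed the value returned); use get_location to obtain
   the location itself.  */

static inline bool
has_location (const_tree x)
{
  if (DECL_P (x))
    return DECL_SOURCE_LOCATION (x) != UNKNOWN_LOCATION;

  if (EXPR_P (x))
    return EXPR_HAS_LOCATION (x);

  return false;
}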
72
/* Return the source location recorded on the GIMPLE statement STMT.  */

static inline location_t
get_location (const gimple *stmt)
{
  const location_t stmt_loc = gimple_location (stmt);
  return stmt_loc;
}
80
/* Return the source location of tree node X: the declaration location
   for a DECL, the expression location for an EXPR, and UNKNOWN_LOCATION
   for any other node.  */

static inline location_t
get_location (tree x)
{
  return (DECL_P (x)
	  ? DECL_SOURCE_LOCATION (x)
	  : (EXPR_P (x) ? EXPR_LOCATION (x) : UNKNOWN_LOCATION));
}
94
/* Overload of the nascent tree function for GIMPLE STMT: return the
   callee declaration that gimple_call_fndecl reports for STMT.  */

static inline tree
get_callee_fndecl (const gimple *stmt)
{
  tree callee = gimple_call_fndecl (stmt);
  return callee;
}
102
/* Return the number of actual arguments of the GIMPLE call STMT.  */

static inline unsigned
call_nargs (const gimple *stmt)
{
  const unsigned count = gimple_call_num_args (stmt);
  return count;
}
108
/* Return the number of actual arguments of the CALL_EXPR EXPR.  */

static inline unsigned
call_nargs (const_tree expr)
{
  const unsigned count = call_expr_nargs (expr);
  return count;
}
114
115
/* Return argument number ARGNO (zero-based) of the GIMPLE call STMT.  */

static inline tree
call_arg (const gimple *stmt, unsigned argno)
{
  tree actual = gimple_call_arg (stmt, argno);
  return actual;
}
121
/* Return argument number ARGNO (zero-based) of the CALL_EXPR EXPR.  */

static inline tree
call_arg (tree expr, unsigned argno)
{
  tree actual = CALL_EXPR_ARG (expr, argno);
  return actual;
}
127
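/* For a call EXPR at LOC to a function FNAME that expects a string
   in the argument ARG, issue a diagnostic due to it being called
   with an argument that is a character array with no terminating
   NUL.  DECL is the declaration of the object the array belongs to
   and is used for the "declared here" note.  SIZE is the size of the
   array; EXACT is true when that size is exact rather than an upper
   bound.  BNDRNG, when nonnull, is the range of the number of
   characters in which the NUL is expected.  Either EXPR or FNAME may
   be null but not both.  SIZE may be null only when BNDRNG is null.
   The diagnostic is controlled by -Wstringop-overread; once issued it
   is suppressed on ARG (and on EXPR) so the same access is not
   reported twice.  */

template <class GimpleOrTree>
static void
warn_string_no_nul (location_t loc, GimpleOrTree expr, const char *fname,
		    tree arg, tree decl, tree size, bool exact,
		    const wide_int bndrng[2] /* = NULL */)
{
  const opt_code opt = OPT_Wstringop_overread;
  if ((expr && warning_suppressed_p (expr, opt))
      || warning_suppressed_p (arg, opt))
    return;

  loc = expansion_point_location_if_in_system_header (loc);
  /* Initialized so the final check is well-defined on every path.  */
  bool warned = false;

  /* Format the bound range as a string to keep the number of messages
     from exploding.  With 64-bit unsigned long long the longest form
     "[N, N]" needs at most 45 bytes; snprintf bounds the write to the
     buffer regardless of the host's integer width.  */
  char bndstr[80];
  *bndstr = 0;
  if (bndrng)
    {
      if (bndrng[0] == bndrng[1])
	snprintf (bndstr, sizeof bndstr, "%llu",
		  (unsigned long long) bndrng[0].to_uhwi ());
      else
	snprintf (bndstr, sizeof bndstr, "[%llu, %llu]",
		  (unsigned long long) bndrng[0].to_uhwi (),
		  (unsigned long long) bndrng[1].to_uhwi ());
    }

  /* Keep the warning and the "declared here" note together.  */
  auto_diagnostic_group d;

  const tree maxobjsize = max_object_size ();
  const wide_int maxsiz = wi::to_wide (maxobjsize);
  if (expr)
    {
      /* With a call expression available, name the callee with %qD.  */
      tree func = get_callee_fndecl (expr);
      if (bndrng)
	{
	  if (wi::ltu_p (maxsiz, bndrng[0]))
	    warned = warning_at (loc, opt,
				 "%qD specified bound %s exceeds "
				 "maximum object size %E",
				 func, bndstr, maxobjsize);
	  else
	    {
	      /* When SIZE is only an upper bound and the lower bound
		 equals it, the access may or may not run past the
		 array, hence the "may" form.  */
	      bool maybe = wi::to_wide (size) == bndrng[0];
	      warned = warning_at (loc, opt,
				   exact
				   ? G_("%qD specified bound %s exceeds "
					"the size %E of unterminated array")
				   : (maybe
				      ? G_("%qD specified bound %s may "
					   "exceed the size of at most %E "
					   "of unterminated array")
				      : G_("%qD specified bound %s exceeds "
					   "the size of at most %E "
					   "of unterminated array")),
				   func, bndstr, size);
	    }
	}
      else
	warned = warning_at (loc, opt,
			     "%qD argument missing terminating nul",
			     func);
    }
  else
    {
      /* No call expression: only the function name FNAME is known,
	 so the messages use %qs instead of %qD.  */
      if (bndrng)
	{
	  if (wi::ltu_p (maxsiz, bndrng[0]))
	    warned = warning_at (loc, opt,
				 "%qs specified bound %s exceeds "
				 "maximum object size %E",
				 fname, bndstr, maxobjsize);
	  else
	    {
	      bool maybe = wi::to_wide (size) == bndrng[0];
	      warned = warning_at (loc, opt,
				   exact
				   ? G_("%qs specified bound %s exceeds "
					"the size %E of unterminated array")
				   : (maybe
				      ? G_("%qs specified bound %s may "
					   "exceed the size of at most %E "
					   "of unterminated array")
				      : G_("%qs specified bound %s exceeds "
					   "the size of at most %E "
					   "of unterminated array")),
				   fname, bndstr, size);
	    }
	}
      else
	warned = warning_at (loc, opt,
			     "%qs argument missing terminating nul",
			     fname);
    }

  if (warned)
    {
      inform (get_location (decl),
	      "referenced argument declared here");
      suppress_warning (arg, opt);
      if (expr)
	suppress_warning (expr, opt);
    }
}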
240
/* Non-template entry point of warn_string_no_nul for a GIMPLE call
   STMT; see the template above for the meaning of the arguments.  */

void
warn_string_no_nul (location_t loc, gimple *stmt, const char *fname,
		    tree arg, tree decl, tree size /* = NULL_TREE */,
		    bool exact /* = false */,
		    const wide_int bndrng[2] /* = NULL */)
{
  warn_string_no_nul<gimple *> (loc, stmt, fname, arg, decl, size, exact,
				bndrng);
}
250
/* Non-template entry point of warn_string_no_nul for a CALL_EXPR
   EXPR; see the template above for the meaning of the arguments.  */

void
warn_string_no_nul (location_t loc, tree expr, const char *fname,
		    tree arg, tree decl, tree size /* = NULL_TREE */,
		    bool exact /* = false */,
		    const wide_int bndrng[2] /* = NULL */)
{
  warn_string_no_nul<tree> (loc, expr, fname, arg, decl, size, exact,
			    bndrng);
}
260
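/* If EXP refers to an unterminated constant character array return
   the declaration of the object of which the array is a member or
   element.  Otherwise return null.  When SIZE is nonnull, set *SIZE
   to the size of the unterminated array and, when EXACT is also
   nonnull, set *EXACT to true if the size is exact or to false
   otherwise (the size is then only an upper bound).  EXACT is not
   touched when SIZE is null.  */

tree
unterminated_array (tree exp, tree *size /* = NULL */, bool *exact /* = NULL */)
{
  /* C_STRLEN will return NULL and set DECL in the info
     structure if EXP references a unterminated array.  */
  c_strlen_data lendata = { };
  tree len = c_strlen (exp, 1, &lendata);
  if (len || !lendata.minlen || !lendata.decl)
    return NULL_TREE;

  if (!size)
    return lendata.decl;

  /* Whether LEN below is the exact size or only an upper bound.  */
  bool len_exact = true;
  len = lendata.minlen;
  if (lendata.off)
    {
      /* Constant offsets are already accounted for in LENDATA.MINLEN,
	 but not in a SSA_NAME + CST expression.  */
      if (TREE_CODE (lendata.off) == INTEGER_CST)
	len_exact = true;
      else if (TREE_CODE (lendata.off) == PLUS_EXPR
	       && TREE_CODE (TREE_OPERAND (lendata.off, 1)) == INTEGER_CST)
	{
	  /* Subtract the offset from the size of the array.  The
	     SSA_NAME part is unknown, so the result is an upper bound.  */
	  len_exact = false;
	  tree temp = TREE_OPERAND (lendata.off, 1);
	  temp = fold_convert (ssizetype, temp);
	  len = fold_build2 (MINUS_EXPR, ssizetype, len, temp);
	}
      else
	len_exact = false;
    }

  *size = len;
  /* EXACT is optional: a caller asking only for SIZE must not cause
     a null dereference (the previous code stored through EXACT
     unconditionally).  */
  if (exact)
    *exact = len_exact;
  return lendata.decl;
}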
305
/* For a call EXPR (which may be null) that expects a nul-terminated
   string as its argument SRC, return false if SRC is a character array
   with no terminating NUL and true otherwise.  When nonnull, BOUND is
   the number of characters in which to expect the terminating NUL;
   a bound that stays within the array makes the call acceptable.
   When EXPR is nonnull also issue a -Wstringop-overread warning via
   warn_string_no_nul.  */

template <class GimpleOrTree>
static bool
check_nul_terminated_array (GimpleOrTree expr, tree src, tree bound)
{
  /* The constant size of the array SRC points to.  When EXACT is
     false it is only an upper bound (SRC then involves a non-constant
     offset into the array), otherwise it is the exact size.  */
  tree size;
  bool exact;
  /* The declaration of the unterminated constant array SRC refers to,
     or null if SRC is not known to be unterminated.  */
  tree array_decl = unterminated_array (src, &size, &exact);
  if (!array_decl)
    return true;

  wide_int bndrng[2];
  if (bound)
    {
      Value_Range bound_range (TREE_TYPE (bound));
      get_global_range_query ()->range_of_expr (bound_range, bound);

      /* Without a usable range for the bound there is nothing to
	 compare against; give the call the benefit of the doubt.  */
      if (bound_range.undefined_p () || bound_range.varying_p ())
	return true;

      bndrng[0] = bound_range.lower_bound ();
      bndrng[1] = bound_range.upper_bound ();

      /* With an exact size a bound equal to the size stays within the
	 array; with an upper bound only, the bound must be strictly
	 smaller to be known safe.  */
      const wide_int wisize = wi::to_wide (size);
      const bool within = (exact
			   ? wi::leu_p (bndrng[0], wisize)
			   : wi::lt_p (bndrng[0], wisize, UNSIGNED));
      if (within)
	return true;
    }

  if (expr)
    warn_string_no_nul (get_location (expr), expr, NULL, src, array_decl,
			size, exact, bound ? bndrng : NULL);

  return false;
}
358
/* Non-template entry point of check_nul_terminated_array for a GIMPLE
   call STMT; see the template above for the arguments.  */

bool
check_nul_terminated_array (gimple *stmt, tree src, tree bound /* = NULL_TREE */)
{
  const bool terminated
    = check_nul_terminated_array<gimple *> (stmt, src, bound);
  return terminated;
}
364
/* Non-template entry point of check_nul_terminated_array for a
   CALL_EXPR EXPR; see the template above for the arguments.  */

bool
check_nul_terminated_array (tree expr, tree src, tree bound /* = NULL_TREE */)
{
  const bool terminated = check_nul_terminated_array<tree> (expr, src, bound);
  return terminated;
}
370
/* Warn about passing a non-string array/pointer to a built-in function
   that expects a nul-terminated string argument.  FNDECL is the called
   built-in and EXP the call (a GIMPLE statement or a CALL_EXPR).
   An actual argument declared with attribute "nonstring" is diagnosed
   when the call has no bound limiting the access, or when the bound
   (or its lower end) exceeds the size of the array; a bound exceeding
   the maximum object size is diagnosed regardless of the attribute.
   Returns true if a warning has been issued, in which case the warning
   is suppressed on EXP.  */

template <class GimpleOrTree>
static bool
maybe_warn_nonstring_arg (tree fndecl, GimpleOrTree exp)
{
  /* Only normal built-ins are handled; anything else has no known
     string contract.  */
  if (!fndecl || !fndecl_built_in_p (fndecl, BUILT_IN_NORMAL))
    return false;

  if (!warn_stringop_overread
      || warning_suppressed_p (exp, OPT_Wstringop_overread))
    return false;

  /* Avoid clearly invalid calls (more checking done below).  */
  unsigned nargs = call_nargs (exp);
  if (!nargs)
    return false;

  /* The bound argument to a bounded string function like strncpy.  */
  tree bound = NULL_TREE;

  /* The longest known or possible string argument to one of the comparison
     functions.  If the length is less than the bound it is used instead.
     Since the length is only used for warning and not for code generation
     disable strict mode in the calls to get_range_strlen below.  */
  tree maxlen = NULL_TREE;

  /* It's safe to call "bounded" string functions with a non-string
     argument since the functions provide an explicit bound for this
     purpose.  The exception is strncat where the bound may refer to
     either the destination or the source.  */
  int fncode = DECL_FUNCTION_CODE (fndecl);
  switch (fncode)
    {
    case BUILT_IN_STRCMP:
    case BUILT_IN_STRNCMP:
    case BUILT_IN_STRNCASECMP:
      {
	/* For these, if one argument refers to one or more of a set
	   of string constants or arrays of known size, determine
	   the range of their known or possible lengths and use it
	   conservatively as the bound for the unbounded function,
	   and to adjust the range of the bound of the bounded ones.
	   Stop as soon as a constant length has been found.  */
	for (unsigned argno = 0;
	     argno < MIN (nargs, 2)
	     && !(maxlen && TREE_CODE (maxlen) == INTEGER_CST); argno++)
	  {
	    tree arg = call_arg (exp, argno);
	    /* A "nonstring" argument has no length to contribute.  */
	    if (!get_attr_nonstring_decl (arg))
	      {
		c_strlen_data lendata = { };
		/* Set MAXBOUND to an arbitrary non-null non-integer
		   node as a request to have it set to the length of
		   the longest string in a PHI.  */
		lendata.maxbound = arg;
		get_range_strlen (arg, &lendata, /* eltsize = */ 1);
		maxlen = lendata.maxbound;
	      }
	  }
      }
      /* Fall through.  */

    case BUILT_IN_STRNCAT:
    case BUILT_IN_STPNCPY:
    case BUILT_IN_STRNCPY:
      /* The bound is the third argument for these.  */
      if (nargs > 2)
	bound = call_arg (exp, 2);
      break;

    case BUILT_IN_STRNDUP:
      if (nargs < 2)
	return false;
      bound = call_arg (exp, 1);
      break;

    case BUILT_IN_STRNLEN:
      {
	tree arg = call_arg (exp, 0);
	if (!get_attr_nonstring_decl (arg))
	  {
	    c_strlen_data lendata = { };
	    /* Set MAXBOUND to an arbitrary non-null non-integer
	       node as a request to have it set to the length of
	       the longest string in a PHI.  */
	    lendata.maxbound = arg;
	    get_range_strlen (arg, &lendata, /* eltsize = */ 1);
	    maxlen = lendata.maxbound;
	  }
	if (nargs > 1)
	  bound = call_arg (exp, 1);
	break;
      }

    default:
      break;
    }

  /* Determine the range of the bound argument (if specified).  */
  tree bndrng[2] = { NULL_TREE, NULL_TREE };
  if (bound)
    {
      STRIP_NOPS (bound);
      get_size_range (bound, bndrng);
    }

  location_t loc = get_location (exp);

  if (bndrng[0])
    {
      /* Diagnose excessive bound prior to the adjustment below and
	 regardless of attribute nonstring.  This is the only warning
	 issued in that case.  */
      tree maxobjsize = max_object_size ();
      if (tree_int_cst_lt (maxobjsize, bndrng[0]))
	{
	  bool warned = false;
	  if (tree_int_cst_equal (bndrng[0], bndrng[1]))
	    warned = warning_at (loc, OPT_Wstringop_overread,
				 "%qD specified bound %E "
				 "exceeds maximum object size %E",
				 fndecl, bndrng[0], maxobjsize);
	  else
	    warned = warning_at (loc, OPT_Wstringop_overread,
				 "%qD specified bound [%E, %E] "
				 "exceeds maximum object size %E",
				 fndecl, bndrng[0], bndrng[1],
				 maxobjsize);
	  if (warned)
	    suppress_warning (exp, OPT_Wstringop_overread);

	  return warned;
	}
    }

  /* An all-ones MAXLEN means the length is unknown.  */
  if (maxlen && !integer_all_onesp (maxlen))
    {
      /* Add one for the nul.  */
      maxlen = const_binop (PLUS_EXPR, TREE_TYPE (maxlen), maxlen,
			    size_one_node);

      if (!bndrng[0])
	{
	  /* Conservatively use the upper bound of the lengths for
	     both the lower and the upper bound of the operation.
	     VOID_TYPE_NODE marks a bound inferred from the string
	     length rather than passed explicitly; it is reset below
	     for arguments whose size is not known.  */
	  bndrng[0] = maxlen;
	  bndrng[1] = maxlen;
	  bound = void_type_node;
	}
      else if (maxlen)
	{
	  /* MAXLEN was reassigned from const_binop just above, so this
	     test is not redundant with the enclosing one; presumably it
	     guards against const_binop failing to fold (returning null)
	     -- confirm against const_binop's contract.
	     Replace the bound on the operation with the upper bound
	     of the length of the string if the latter is smaller.  */
	  if (tree_int_cst_lt (maxlen, bndrng[0]))
	    bndrng[0] = maxlen;
	  else if (tree_int_cst_lt (maxlen, bndrng[1]))
	    bndrng[1] = maxlen;
	}
    }

  bool any_arg_warned = false;
  /* Iterate over the built-in function's formal arguments and check
     each const char* against the actual argument.  If the actual
     argument is declared attribute non-string issue a warning unless
     the argument's maximum length is bounded.  */
  function_args_iterator it;
  function_args_iter_init (&it, TREE_TYPE (fndecl));

  for (unsigned argno = 0; ; ++argno, function_args_iter_next (&it))
    {
      /* Avoid iterating past the declared argument in a call
	 to function declared without a prototype.  */
      if (argno >= nargs)
	break;

      tree argtype = function_args_iter_cond (&it);
      if (!argtype)
	break;

      /* Only formal parameters of type const char* are of interest.  */
      if (TREE_CODE (argtype) != POINTER_TYPE)
	continue;

      argtype = TREE_TYPE (argtype);

      if (TREE_CODE (argtype) != INTEGER_TYPE
	  || !TYPE_READONLY (argtype))
	continue;

      argtype = TYPE_MAIN_VARIANT (argtype);
      if (argtype != char_type_node)
	continue;

      /* Look through &array to the array itself.  */
      tree callarg = call_arg (exp, argno);
      if (TREE_CODE (callarg) == ADDR_EXPR)
	callarg = TREE_OPERAND (callarg, 0);

      /* See if the destination is declared with attribute "nonstring".  */
      tree decl = get_attr_nonstring_decl (callarg);
      if (!decl)
	continue;

      /* The maximum number of array elements accessed.  */
      offset_int wibnd = 0;

      if (argno && fncode == BUILT_IN_STRNCAT)
	{
	  /* See if the bound in strncat is derived from the length
	     of the strlen of the destination (as it's expected to be).
	     If so, reset BOUND and FNCODE to trigger a warning.  */
	  tree dstarg = call_arg (exp, 0);
	  if (is_strlen_related_p (dstarg, bound))
	    {
	      /* The bound applies to the destination, not to the source,
		 so reset these to trigger a warning without mentioning
		 the bound.  */
	      bound = NULL;
	      fncode = 0;
	    }
	  else if (bndrng[1])
	    /* Use the upper bound of the range for strncat.  */
	    wibnd = wi::to_offset (bndrng[1]);
	}
      else if (bndrng[0])
	/* Use the lower bound of the range for functions other than
	   strncat.  */
	wibnd = wi::to_offset (bndrng[0]);

      /* Determine the size of the argument array if it is one.
	 ASIZE defaults to the bound so that no size-based warning
	 fires when the size cannot be determined.  */
      offset_int asize = wibnd;
      bool known_size = false;
      tree type = TREE_TYPE (decl);

      /* Determine the array size.  For arrays of unknown bound and
	 pointers reset BOUND to trigger the appropriate warning.  */
      if (TREE_CODE (type) == ARRAY_TYPE)
	{
	  if (tree arrbnd = TYPE_DOMAIN (type))
	    {
	      if ((arrbnd = TYPE_MAX_VALUE (arrbnd)))
		{
		  /* TYPE_MAX_VALUE is the last valid index, hence + 1.  */
		  asize = wi::to_offset (arrbnd) + 1;
		  known_size = true;
		}
	    }
	  else if (bound == void_type_node)
	    bound = NULL_TREE;
	}
      else if (bound == void_type_node)
	bound = NULL_TREE;

      /* In a call to strncat with a bound in a range whose lower but
	 not upper bound is less than the array size, reset ASIZE to
	 be the same as the bound and the other variable to trigger
	 the appropriate warning below.  */
      if (fncode == BUILT_IN_STRNCAT
	  && bndrng[0] != bndrng[1]
	  && wi::ltu_p (wi::to_offset (bndrng[0]), asize)
	  && (!known_size
	      || wi::ltu_p (asize, wibnd)))
	{
	  asize = wibnd;
	  bound = NULL_TREE;
	  fncode = 0;
	}

      bool warned = false;

      /* Keep the warning and the "declared here" note together.  */
      auto_diagnostic_group d;
      if (wi::ltu_p (asize, wibnd))
	{
	  /* NOTE(review): this compares the two tree pointers, unlike
	     the tree_int_cst_equal test used for the object-size
	     warning above; equal values held in distinct nodes fall
	     through to the range-form messages.  */
	  if (bndrng[0] == bndrng[1])
	    warned = warning_at (loc, OPT_Wstringop_overread,
				 "%qD argument %i declared attribute "
				 "%<nonstring%> is smaller than the specified "
				 "bound %wu",
				 fndecl, argno + 1, wibnd.to_uhwi ());
	  else if (wi::ltu_p (asize, wi::to_offset (bndrng[0])))
	    warned = warning_at (loc, OPT_Wstringop_overread,
				 "%qD argument %i declared attribute "
				 "%<nonstring%> is smaller than "
				 "the specified bound [%E, %E]",
				 fndecl, argno + 1, bndrng[0], bndrng[1]);
	  else
	    warned = warning_at (loc, OPT_Wstringop_overread,
				 "%qD argument %i declared attribute "
				 "%<nonstring%> may be smaller than "
				 "the specified bound [%E, %E]",
				 fndecl, argno + 1, bndrng[0], bndrng[1]);
	}
      else if (fncode == BUILT_IN_STRNCAT)
	; /* Avoid warning for calls to strncat() when the bound
	     is equal to the size of the non-string argument.  */
      else if (!bound)
	/* No bound at all limits the access to a "nonstring" array.  */
	warned = warning_at (loc, OPT_Wstringop_overread,
			     "%qD argument %i declared attribute %<nonstring%>",
			     fndecl, argno + 1);

      if (warned)
	{
	  inform (DECL_SOURCE_LOCATION (decl),
		  "argument %qD declared here", decl);
	  any_arg_warned = true;
	}
    }

  if (any_arg_warned)
    suppress_warning (exp, OPT_Wstringop_overread);

  return any_arg_warned;
}
681
/* Non-template entry point of maybe_warn_nonstring_arg for a GIMPLE
   call STMT to the built-in FNDECL.  */

bool
maybe_warn_nonstring_arg (tree fndecl, gimple *stmt)
{
  const bool warned = maybe_warn_nonstring_arg<gimple *> (fndecl, stmt);
  return warned;
}
687
688
/* Non-template entry point of maybe_warn_nonstring_arg for a CALL_EXPR
   EXPR to the built-in FNDECL.  */

bool
maybe_warn_nonstring_arg (tree fndecl, tree expr)
{
  const bool warned = maybe_warn_nonstring_arg<tree> (fndecl, expr);
  return warned;
}
694
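/* Issue a warning OPT at LOC for a bounded call EXP to function FUNC
   (which may be null, in which case the messages omit the callee) with
   a bound in the range BNDRNG accessing an object of SIZE bytes.  PAD,
   when nonnull, describes the access: a PHI in the source/destination
   selects the "may" form of the message, and its REF supplies the
   "allocated here" note.  For OPT == OPT_Wstringop_overread the bound
   is checked against the source, otherwise against the destination.
   Returns true when a warning has been issued (the warning is then
   suppressed on EXP); false when BNDRNG is unknown, the warning is
   already suppressed on EXP, or the bound does not exceed SIZE.  */

template <class GimpleOrTree>
static bool
maybe_warn_for_bound (opt_code opt, location_t loc, GimpleOrTree exp, tree func,
		      tree bndrng[2], tree size, const access_data *pad)
{
  if (!bndrng[0] || warning_suppressed_p (exp, opt))
    return false;

  tree maxobjsize = max_object_size ();

  bool warned = false;

  if (opt == OPT_Wstringop_overread)
    {
      bool maybe = pad && pad->src.phi ();
      if (maybe)
	{
	  /* Issue a "maybe" warning only if the PHI refers to objects
	     at least one of which has more space remaining than the bound.
	     Otherwise, if the bound is greater, use the definitive form.  */
	  offset_int remmax = pad->src.size_remaining ();
	  if (remmax < wi::to_offset (bndrng[0]))
	    maybe = false;
	}

      /* Keep the warning and the "allocated here" note together.  */
      auto_diagnostic_group d;
      if (tree_int_cst_lt (maxobjsize, bndrng[0]))
	{
	  if (bndrng[0] == bndrng[1])
	    warned = (func
		      ? warning_at (loc, opt,
				    (maybe
				     ? G_("%qD specified bound %E may "
					  "exceed maximum object size %E")
				     : G_("%qD specified bound %E "
					  "exceeds maximum object size %E")),
				    func, bndrng[0], maxobjsize)
		      : warning_at (loc, opt,
				    (maybe
				     ? G_("specified bound %E may "
					  "exceed maximum object size %E")
				     : G_("specified bound %E "
					  "exceeds maximum object size %E")),
				    bndrng[0], maxobjsize));
	  else
	    warned = (func
		      ? warning_at (loc, opt,
				    (maybe
				     ? G_("%qD specified bound [%E, %E] may "
					  "exceed maximum object size %E")
				     : G_("%qD specified bound [%E, %E] "
					  "exceeds maximum object size %E")),
				    func,
				    bndrng[0], bndrng[1], maxobjsize)
		      : warning_at (loc, opt,
				    (maybe
				     ? G_("specified bound [%E, %E] may "
					  "exceed maximum object size %E")
				     : G_("specified bound [%E, %E] "
					  "exceeds maximum object size %E")),
				    bndrng[0], bndrng[1], maxobjsize));
	}
      else if (!size || tree_int_cst_le (bndrng[0], size))
	/* Unknown size, or a bound that fits: nothing to report.  */
	return false;
      else if (tree_int_cst_equal (bndrng[0], bndrng[1]))
	warned = (func
		  ? warning_at (loc, opt,
				(maybe
				 ? G_("%qD specified bound %E may exceed "
				      "source size %E")
				 : G_("%qD specified bound %E exceeds "
				      "source size %E")),
				func, bndrng[0], size)
		  : warning_at (loc, opt,
				(maybe
				 ? G_("specified bound %E may exceed "
				      "source size %E")
				 : G_("specified bound %E exceeds "
				      "source size %E")),
				bndrng[0], size));
      else
	warned = (func
		  ? warning_at (loc, opt,
				(maybe
				 ? G_("%qD specified bound [%E, %E] may "
				      "exceed source size %E")
				 : G_("%qD specified bound [%E, %E] exceeds "
				      "source size %E")),
				func, bndrng[0], bndrng[1], size)
		  : warning_at (loc, opt,
				(maybe
				 ? G_("specified bound [%E, %E] may exceed "
				      "source size %E")
				 : G_("specified bound [%E, %E] exceeds "
				      "source size %E")),
				bndrng[0], bndrng[1], size));
      if (warned)
	{
	  if (pad && pad->src.ref
	      && has_location (pad->src.ref))
	    inform (get_location (pad->src.ref),
		    "source object allocated here");
	  suppress_warning (exp, opt);
	}

      return warned;
    }

  /* Any other OPT checks the bound against the destination.  */
  bool maybe = pad && pad->dst.phi ();
  if (maybe)
    {
      /* Issue a "maybe" warning only if the PHI refers to objects
	 at least one of which has more space remaining than the bound.
	 Otherwise, if the bound is greater, use the definitive form.  */
      offset_int remmax = pad->dst.size_remaining ();
      if (remmax < wi::to_offset (bndrng[0]))
	maybe = false;
    }

  /* Group the warning with its "allocated here" note, as the overread
     branch above does.  */
  auto_diagnostic_group d;
  if (tree_int_cst_lt (maxobjsize, bndrng[0]))
    {
      if (bndrng[0] == bndrng[1])
	warned = (func
		  ? warning_at (loc, opt,
				(maybe
				 ? G_("%qD specified size %E may "
				      "exceed maximum object size %E")
				 : G_("%qD specified size %E "
				      "exceeds maximum object size %E")),
				func, bndrng[0], maxobjsize)
		  : warning_at (loc, opt,
				(maybe
				 ? G_("specified size %E may exceed "
				      "maximum object size %E")
				 : G_("specified size %E exceeds "
				      "maximum object size %E")),
				bndrng[0], maxobjsize));
      else
	warned = (func
		  ? warning_at (loc, opt,
				(maybe
				 ? G_("%qD specified size between %E and %E "
				      "may exceed maximum object size %E")
				 : G_("%qD specified size between %E and %E "
				      "exceeds maximum object size %E")),
				func, bndrng[0], bndrng[1], maxobjsize)
		  : warning_at (loc, opt,
				(maybe
				 ? G_("specified size between %E and %E "
				      "may exceed maximum object size %E")
				 : G_("specified size between %E and %E "
				      "exceeds maximum object size %E")),
				bndrng[0], bndrng[1], maxobjsize));
    }
  else if (!size || tree_int_cst_le (bndrng[0], size))
    /* Unknown size, or a bound that fits: nothing to report.  */
    return false;
  else if (tree_int_cst_equal (bndrng[0], bndrng[1]))
    warned = (func
	      ? warning_at (loc, opt,
			    (maybe
			     ? G_("%qD specified bound %E may exceed "
				  "destination size %E")
			     : G_("%qD specified bound %E exceeds "
				  "destination size %E")),
			    func, bndrng[0], size)
	      : warning_at (loc, opt,
			    (maybe
			     ? G_("specified bound %E may exceed "
				  "destination size %E")
			     : G_("specified bound %E exceeds "
				  "destination size %E")),
			    bndrng[0], size));
  else
    warned = (func
	      ? warning_at (loc, opt,
			    (maybe
			     ? G_("%qD specified bound [%E, %E] may exceed "
				  "destination size %E")
			     : G_("%qD specified bound [%E, %E] exceeds "
				  "destination size %E")),
			    func, bndrng[0], bndrng[1], size)
	      /* The MAYBE form previously used the same definitive text
		 as the other branch; it now says "may exceed" like every
		 other "maybe" message in this function.  */
	      : warning_at (loc, opt,
			    (maybe
			     ? G_("specified bound [%E, %E] may exceed "
				  "destination size %E")
			     : G_("specified bound [%E, %E] exceeds "
				  "destination size %E")),
			    bndrng[0], bndrng[1], size));

  if (warned)
    {
      if (pad && pad->dst.ref
	  && has_location (pad->dst.ref))
	inform (get_location (pad->dst.ref),
		"destination object allocated here");
      suppress_warning (exp, opt);
    }

  return warned;
}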
897
/* Non-template entry point of maybe_warn_for_bound for a GIMPLE call
   STMT; see the template above for the meaning of the arguments.  */

bool
maybe_warn_for_bound (opt_code opt, location_t loc, gimple *stmt, tree func,
		      tree bndrng[2], tree size,
		      const access_data *pad /* = NULL */)
{
  const bool warned
    = maybe_warn_for_bound<gimple *> (opt, loc, stmt, func, bndrng, size, pad);
  return warned;
}
906
/* Non-template entry point of maybe_warn_for_bound for a CALL_EXPR
   EXPR; see the template above for the meaning of the arguments.  */

bool
maybe_warn_for_bound (opt_code opt, location_t loc, tree expr, tree func,
		      tree bndrng[2], tree size,
		      const access_data *pad /* = NULL */)
{
  const bool warned
    = maybe_warn_for_bound<tree> (opt, loc, expr, func, bndrng, size, pad);
  return warned;
}
914
915 /* For an expression EXP issue an access warning controlled by option OPT
916 with access to a region SIZE bytes in size in the RANGE of sizes.
917 WRITE is true for a write access, READ for a read access, neither for
918 call that may or may not perform an access but for which the range
919 is expected to be valid.
920 Returns true when a warning has been issued. */
921
922 template <class GimpleOrTree>
923 static bool
924 warn_for_access (location_t loc, tree func, GimpleOrTree exp, int opt,
925 tree range[2], tree size, bool write, bool read, bool maybe)
926 {
927 bool warned = false;
928
929 if (write && read)
930 {
931 if (tree_int_cst_equal (range[0], range[1]))
932 warned = (func
933 ? warning_n (loc, opt, tree_to_uhwi (range[0]),
934 (maybe
935 ? G_("%qD may access %E byte in a region "
936 "of size %E")
937 : G_("%qD accessing %E byte in a region "
938 "of size %E")),
939 (maybe
940 ? G_ ("%qD may access %E bytes in a region "
941 "of size %E")
942 : G_ ("%qD accessing %E bytes in a region "
943 "of size %E")),
944 func, range[0], size)
945 : warning_n (loc, opt, tree_to_uhwi (range[0]),
946 (maybe
947 ? G_("may access %E byte in a region "
948 "of size %E")
949 : G_("accessing %E byte in a region "
950 "of size %E")),
951 (maybe
952 ? G_("may access %E bytes in a region "
953 "of size %E")
954 : G_("accessing %E bytes in a region "
955 "of size %E")),
956 range[0], size));
957 else if (tree_int_cst_sign_bit (range[1]))
958 {
959 /* Avoid printing the upper bound if it's invalid. */
960 warned = (func
961 ? warning_at (loc, opt,
962 (maybe
963 ? G_("%qD may access %E or more bytes "
964 "in a region of size %E")
965 : G_("%qD accessing %E or more bytes "
966 "in a region of size %E")),
967 func, range[0], size)
968 : warning_at (loc, opt,
969 (maybe
970 ? G_("may access %E or more bytes "
971 "in a region of size %E")
972 : G_("accessing %E or more bytes "
973 "in a region of size %E")),
974 range[0], size));
975 }
976 else
977 warned = (func
978 ? warning_at (loc, opt,
979 (maybe
980 ? G_("%qD may access between %E and %E "
981 "bytes in a region of size %E")
982 : G_("%qD accessing between %E and %E "
983 "bytes in a region of size %E")),
984 func, range[0], range[1], size)
985 : warning_at (loc, opt,
986 (maybe
987 ? G_("may access between %E and %E bytes "
988 "in a region of size %E")
989 : G_("accessing between %E and %E bytes "
990 "in a region of size %E")),
991 range[0], range[1], size));
992 return warned;
993 }
994
995 if (write)
996 {
997 if (tree_int_cst_equal (range[0], range[1]))
998 warned = (func
999 ? warning_n (loc, opt, tree_to_uhwi (range[0]),
1000 (maybe
1001 ? G_("%qD may write %E byte into a region "
1002 "of size %E")
1003 : G_("%qD writing %E byte into a region "
1004 "of size %E overflows the destination")),
1005 (maybe
1006 ? G_("%qD may write %E bytes into a region "
1007 "of size %E")
1008 : G_("%qD writing %E bytes into a region "
1009 "of size %E overflows the destination")),
1010 func, range[0], size)
1011 : warning_n (loc, opt, tree_to_uhwi (range[0]),
1012 (maybe
1013 ? G_("may write %E byte into a region "
1014 "of size %E")
1015 : G_("writing %E byte into a region "
1016 "of size %E overflows the destination")),
1017 (maybe
1018 ? G_("may write %E bytes into a region "
1019 "of size %E")
1020 : G_("writing %E bytes into a region "
1021 "of size %E overflows the destination")),
1022 range[0], size));
1023 else if (tree_int_cst_sign_bit (range[1]))
1024 {
1025 /* Avoid printing the upper bound if it's invalid. */
1026 warned = (func
1027 ? warning_at (loc, opt,
1028 (maybe
1029 ? G_("%qD may write %E or more bytes "
1030 "into a region of size %E")
1031 : G_("%qD writing %E or more bytes "
1032 "into a region of size %E overflows "
1033 "the destination")),
1034 func, range[0], size)
1035 : warning_at (loc, opt,
1036 (maybe
1037 ? G_("may write %E or more bytes into "
1038 "a region of size %E")
1039 : G_("writing %E or more bytes into "
1040 "a region of size %E overflows "
1041 "the destination")),
1042 range[0], size));
1043 }
1044 else
1045 warned = (func
1046 ? warning_at (loc, opt,
1047 (maybe
1048 ? G_("%qD may write between %E and %E bytes "
1049 "into a region of size %E")
1050 : G_("%qD writing between %E and %E bytes "
1051 "into a region of size %E overflows "
1052 "the destination")),
1053 func, range[0], range[1], size)
1054 : warning_at (loc, opt,
1055 (maybe
1056 ? G_("may write between %E and %E bytes "
1057 "into a region of size %E")
1058 : G_("writing between %E and %E bytes "
1059 "into a region of size %E overflows "
1060 "the destination")),
1061 range[0], range[1], size));
1062 return warned;
1063 }
1064
1065 if (read)
1066 {
1067 if (tree_int_cst_equal (range[0], range[1]))
1068 warned = (func
1069 ? warning_n (loc, OPT_Wstringop_overread,
1070 tree_to_uhwi (range[0]),
1071 (maybe
1072 ? G_("%qD may read %E byte from a region "
1073 "of size %E")
1074 : G_("%qD reading %E byte from a region "
1075 "of size %E")),
1076 (maybe
1077 ? G_("%qD may read %E bytes from a region "
1078 "of size %E")
1079 : G_("%qD reading %E bytes from a region "
1080 "of size %E")),
1081 func, range[0], size)
1082 : warning_n (loc, OPT_Wstringop_overread,
1083 tree_to_uhwi (range[0]),
1084 (maybe
1085 ? G_("may read %E byte from a region "
1086 "of size %E")
1087 : G_("reading %E byte from a region "
1088 "of size %E")),
1089 (maybe
1090 ? G_("may read %E bytes from a region "
1091 "of size %E")
1092 : G_("reading %E bytes from a region "
1093 "of size %E")),
1094 range[0], size));
1095 else if (tree_int_cst_sign_bit (range[1]))
1096 {
1097 /* Avoid printing the upper bound if it's invalid. */
1098 warned = (func
1099 ? warning_at (loc, OPT_Wstringop_overread,
1100 (maybe
1101 ? G_("%qD may read %E or more bytes "
1102 "from a region of size %E")
1103 : G_("%qD reading %E or more bytes "
1104 "from a region of size %E")),
1105 func, range[0], size)
1106 : warning_at (loc, OPT_Wstringop_overread,
1107 (maybe
1108 ? G_("may read %E or more bytes "
1109 "from a region of size %E")
1110 : G_("reading %E or more bytes "
1111 "from a region of size %E")),
1112 range[0], size));
1113 }
1114 else
1115 warned = (func
1116 ? warning_at (loc, OPT_Wstringop_overread,
1117 (maybe
1118 ? G_("%qD may read between %E and %E bytes "
1119 "from a region of size %E")
1120 : G_("%qD reading between %E and %E bytes "
1121 "from a region of size %E")),
1122 func, range[0], range[1], size)
1123 : warning_at (loc, opt,
1124 (maybe
1125 ? G_("may read between %E and %E bytes "
1126 "from a region of size %E")
1127 : G_("reading between %E and %E bytes "
1128 "from a region of size %E")),
1129 range[0], range[1], size));
1130
1131 if (warned)
1132 suppress_warning (exp, OPT_Wstringop_overread);
1133
1134 return warned;
1135 }
1136
1137 if (tree_int_cst_equal (range[0], range[1])
1138 || tree_int_cst_sign_bit (range[1]))
1139 warned = (func
1140 ? warning_n (loc, OPT_Wstringop_overread,
1141 tree_to_uhwi (range[0]),
1142 "%qD expecting %E byte in a region of size %E",
1143 "%qD expecting %E bytes in a region of size %E",
1144 func, range[0], size)
1145 : warning_n (loc, OPT_Wstringop_overread,
1146 tree_to_uhwi (range[0]),
1147 "expecting %E byte in a region of size %E",
1148 "expecting %E bytes in a region of size %E",
1149 range[0], size));
1150 else if (tree_int_cst_sign_bit (range[1]))
1151 {
1152 /* Avoid printing the upper bound if it's invalid. */
1153 warned = (func
1154 ? warning_at (loc, OPT_Wstringop_overread,
1155 "%qD expecting %E or more bytes in a region "
1156 "of size %E",
1157 func, range[0], size)
1158 : warning_at (loc, OPT_Wstringop_overread,
1159 "expecting %E or more bytes in a region "
1160 "of size %E",
1161 range[0], size));
1162 }
1163 else
1164 warned = (func
1165 ? warning_at (loc, OPT_Wstringop_overread,
1166 "%qD expecting between %E and %E bytes in "
1167 "a region of size %E",
1168 func, range[0], range[1], size)
1169 : warning_at (loc, OPT_Wstringop_overread,
1170 "expecting between %E and %E bytes in "
1171 "a region of size %E",
1172 range[0], range[1], size));
1173
1174 if (warned)
1175 suppress_warning (exp, OPT_Wstringop_overread);
1176
1177 return warned;
1178 }
1179
/* Overload of warn_for_access for a GIMPLE call statement STMT.  Every
   argument is forwarded unchanged to the template above instantiated for
   gimple * and its result (whether a warning was issued) is returned.  */

static bool
warn_for_access (location_t loc, tree func, gimple *stmt, int opt,
		 tree range[2], tree size, bool write, bool read, bool maybe)
{
  const bool warned
    = warn_for_access<gimple *> (loc, func, stmt, opt, range, size,
				 write, read, maybe);
  return warned;
}
1187
/* Overload of warn_for_access for a call expression EXPR (tree form).
   Every argument is forwarded unchanged to the template above instantiated
   for tree and its result (whether a warning was issued) is returned.  */

static bool
warn_for_access (location_t loc, tree func, tree expr, int opt,
		 tree range[2], tree size, bool write, bool read, bool maybe)
{
  const bool warned
    = warn_for_access<tree> (loc, func, expr, opt, range, size,
			     write, read, maybe);
  return warned;
}
1195
/* Set RANGE to the range of BOUND (when BOUND is nonnull, using QUERY and
   STMT for the lookup) and then intersect it with BNDRNG when that is
   nonnull and not the unbounded [0, SIZE_MAX] sentinel.  When nothing
   constant is known about BOUND, RANGE becomes BNDRNG itself.
   RANGE[1] is assumed to be set whenever RANGE[0] is an INTEGER_CST.
   NOTE(review): the two clamps below are independent, so a BNDRNG that is
   disjoint from BOUND's range yields an inverted RANGE (lower > upper);
   callers are presumably expected never to pass disjoint ranges.  */

static void
get_size_range (range_query *query, tree bound, gimple *stmt, tree range[2],
		const offset_int bndrng[2])
{
  /* Start from the range of BOUND itself when there is one.  */
  if (bound)
    get_size_range (query, bound, stmt, range);

  /* A null BNDRNG, or the full [0, SIZE_MAX] range, imposes no bound.  */
  const bool bndrng_valid
    = bndrng && !(bndrng[0] == 0 && bndrng[1] == HOST_WIDE_INT_M1U);
  if (!bndrng_valid)
    return;

  const bool have_cst_range
    = range[0] && TREE_CODE (range[0]) == INTEGER_CST;
  if (!have_cst_range)
    {
      /* Nothing usable is known about BOUND: use BNDRNG as is.  */
      range[0] = wide_int_to_tree (sizetype, bndrng[0]);
      range[1] = wide_int_to_tree (sizetype, bndrng[1]);
      return;
    }

  /* Intersect: raise the lower bound and lower the upper bound.  */
  const offset_int lo = wi::to_offset (range[0]);
  const offset_int hi = wi::to_offset (range[1]);
  if (lo < bndrng[0])
    range[0] = wide_int_to_tree (sizetype, bndrng[0]);
  if (bndrng[1] < hi)
    range[1] = wide_int_to_tree (sizetype, bndrng[1]);
}
1224
/* Try to verify that the sizes and lengths of the arguments to a string
   manipulation function given by EXP are within valid bounds and that
   the operation does not lead to buffer overflow or read past the end.
   Arguments other than EXP may be null.  When non-null, the arguments
   have the following meaning:
   DSTWRITE is the number of bytes written into the destination obtained
   from the user-supplied size argument to the function (such as in
   memcpy(DST, SRC, DSTWRITE) or strncpy(DST, SRC, DSTWRITE)).
   MAXREAD is the user-supplied bound on the length of the source sequence
   (such as in strncat(d, s, N)).  It specifies the upper limit on the number
   of bytes to write.  If NULL, it's taken to be the same as DSTWRITE.
   SRCSTR is the source string (such as in strcpy(DST, SRC)) when the
   expression EXP is a string function call (as opposed to a memory call
   like memcpy).  As an exception, SRCSTR can also be an integer denoting
   the precomputed size of the source string or object (for functions like
   memcpy).
   DSTSIZE is the size of the destination object; when null the maximum
   object size is used instead.
   MODE says whether the call reads, writes, or reads and writes the
   region; it decides which diagnostic wording is used.
   PAD, when nonnull, describes the access in more detail (the statement,
   the destination and source references and their offset/size ranges,
   and the attribute-access bounds DST_BNDRNG/SRC_BNDRNG that narrow
   DSTWRITE and MAXREAD).
   RVALS is the range query used to evaluate non-constant sizes (may be
   null; see the tree overload below).

   When both DSTWRITE and MAXREAD are null and the length of SRCSTR is
   known, that length is used as DSTWRITE and checked against the maximum
   object size like any other write bound.

   If the call is successfully verified as safe return true, otherwise
   return false.  False is also returned when a problem was found but the
   warning was suppressed, so callers must not treat false as "warned".  */

template <class GimpleOrTree>
static bool
check_access (GimpleOrTree exp, tree dstwrite,
	      tree maxread, tree srcstr, tree dstsize,
	      access_mode mode, const access_data *pad,
	      range_query *rvals)
{
  /* The size of the largest object is half the address space, or
     PTRDIFF_MAX.  (This is way too permissive.)  */
  tree maxobjsize = max_object_size ();

  /* Either an approximate/minimum the length of the source string for
     string functions or the size of the source object for raw memory
     functions.  */
  tree slen = NULL_TREE;

  /* The range of the access in bytes; first set to the write access
     for functions that write and then read for those that also (or
     just) read.  */
  tree range[2] = { NULL_TREE, NULL_TREE };

  /* Set to true when the exact number of bytes written by a string
     function like strcpy is not known and the only thing that is
     known is that it must be at least one (for the terminating nul).  */
  bool at_least_one = false;
  if (srcstr)
    {
      /* SRCSTR is normally a pointer to string but as a special case
	 it can be an integer denoting the length of a string.  */
      if (POINTER_TYPE_P (TREE_TYPE (srcstr)))
	{
	  if (!check_nul_terminated_array (exp, srcstr, maxread))
	    /* Return if the array is not nul-terminated and a warning
	       has been issued.  */
	    return false;

	  /* Try to determine the range of lengths the source string
	     refers to.  If it can be determined and is less than
	     the upper bound given by MAXREAD add one to it for
	     the terminating nul.  Otherwise, set it to one for
	     the same reason, or to MAXREAD as appropriate.  */
	  c_strlen_data lendata = { };
	  get_range_strlen (srcstr, &lendata, /* eltsize = */ 1);
	  range[0] = lendata.minlen;
	  range[1] = lendata.maxbound ? lendata.maxbound : lendata.maxlen;
	  if (range[0]
	      && TREE_CODE (range[0]) == INTEGER_CST
	      && TREE_CODE (range[1]) == INTEGER_CST
	      && (!maxread || TREE_CODE (maxread) == INTEGER_CST))
	    {
	      /* A bound no larger than the minimum length means exactly
		 MAXREAD bytes are written (no nul is appended).  */
	      if (maxread && tree_int_cst_le (maxread, range[0]))
		range[0] = range[1] = maxread;
	      else
		range[0] = fold_build2 (PLUS_EXPR, size_type_node,
					range[0], size_one_node);

	      /* Don't add one to an "unbounded" upper bound (all ones).  */
	      if (maxread && tree_int_cst_le (maxread, range[1]))
		range[1] = maxread;
	      else if (!integer_all_onesp (range[1]))
		range[1] = fold_build2 (PLUS_EXPR, size_type_node,
					range[1], size_one_node);

	      slen = range[0];
	    }
	  else
	    {
	      at_least_one = true;
	      slen = size_one_node;
	    }
	}
      else
	slen = srcstr;
    }

  if (!dstwrite && !maxread)
    {
      /* When the only available piece of data is the object size
	 there is nothing to do.  */
      if (!slen)
	return true;

      /* Otherwise, when the length of the source sequence is known
	 (as with strlen), set DSTWRITE to it.  */
      if (!range[0])
	dstwrite = slen;
    }

  if (!dstsize)
    dstsize = maxobjsize;

  /* Set RANGE to that of DSTWRITE if non-null, bounded by PAD->DST_BNDRNG
     if valid.  */
  gimple *stmt = pad ? pad->stmt : nullptr;
  get_size_range (rvals, dstwrite, stmt, range, pad ? pad->dst_bndrng : NULL);

  tree func = get_callee_fndecl (exp);
  /* Read vs write access by built-ins can be determined from the const
     qualifiers on the pointer argument.  In the absence of attribute
     access, non-const qualified pointer arguments to user-defined
     functions are assumed to both read and write the objects.  */
  const bool builtin = func ? fndecl_built_in_p (func) : false;

  /* First check the number of bytes to be written against the maximum
     object size.  */
  if (range[0]
      && TREE_CODE (range[0]) == INTEGER_CST
      && tree_int_cst_lt (maxobjsize, range[0]))
    {
      location_t loc = get_location (exp);
      maybe_warn_for_bound (OPT_Wstringop_overflow_, loc, exp, func, range,
			    NULL_TREE, pad);
      return false;
    }

  /* The number of bytes to write is "exact" if DSTWRITE is non-null,
     constant, and in range of unsigned HOST_WIDE_INT.  */
  bool exactwrite = dstwrite && tree_fits_uhwi_p (dstwrite);

  /* Next check the number of bytes to be written against the destination
     object size.  */
  if (range[0] || !exactwrite || integer_all_onesp (dstwrite))
    {
      /* Overflow when even the minimum write exceeds either the
	 destination size or the (constant) DSTWRITE bound.  */
      if (range[0]
	  && TREE_CODE (range[0]) == INTEGER_CST
	  && ((tree_fits_uhwi_p (dstsize)
	       && tree_int_cst_lt (dstsize, range[0]))
	      || (dstwrite
		  && tree_fits_uhwi_p (dstwrite)
		  && tree_int_cst_lt (dstwrite, range[0]))))
	{
	  const opt_code opt = OPT_Wstringop_overflow_;
	  if (warning_suppressed_p (exp, opt)
	      || (pad && pad->dst.ref
		  && warning_suppressed_p (pad->dst.ref, opt)))
	    return false;

	  auto_diagnostic_group d;
	  location_t loc = get_location (exp);
	  bool warned = false;
	  if (dstwrite == slen && at_least_one)
	    {
	      /* This is a call to strcpy with a destination of 0 size
		 and a source of unknown length.  The call will write
		 at least one byte past the end of the destination.  */
	      warned = (func
			? warning_at (loc, opt,
				      "%qD writing %E or more bytes into "
				      "a region of size %E overflows "
				      "the destination",
				      func, range[0], dstsize)
			: warning_at (loc, opt,
				      "writing %E or more bytes into "
				      "a region of size %E overflows "
				      "the destination",
				      range[0], dstsize));
	    }
	  else
	    {
	      const bool read
		= mode == access_read_only || mode == access_read_write;
	      const bool write
		= mode == access_write_only || mode == access_read_write;
	      const bool maybe = pad && pad->dst.parmarray;
	      /* Built-ins get the write-only wording even for
		 read-write modes; see the comment on BUILTIN above.  */
	      warned = warn_for_access (loc, func, exp,
					OPT_Wstringop_overflow_,
					range, dstsize,
					write, read && !builtin, maybe);
	    }

	  if (warned)
	    {
	      suppress_warning (exp, OPT_Wstringop_overflow_);
	      if (pad)
		pad->dst.inform_access (pad->mode);
	    }

	  /* Return error when an overflow has been detected.  */
	  return false;
	}
    }

  /* Check the maximum length of the source sequence against the size
     of the destination object if known, or against the maximum size
     of an object.  */
  if (maxread)
    {
      /* Set RANGE to that of MAXREAD, bounded by PAD->SRC_BNDRNG if
	 PAD is nonnull and BNDRNG is valid.  */
      get_size_range (rvals, maxread, stmt, range, pad ? pad->src_bndrng : NULL);

      location_t loc = get_location (exp);
      tree size = dstsize;
      /* For a pure read the relevant limit is what's left of the source
	 object, not the destination size.  */
      if (pad && pad->mode == access_read_only)
	size = wide_int_to_tree (sizetype, pad->src.size_remaining ());

      /* (MAXREAD is already known nonnull here; the test is redundant.)  */
      if (range[0] && maxread && tree_fits_uhwi_p (size))
	{
	  if (tree_int_cst_lt (maxobjsize, range[0]))
	    {
	      maybe_warn_for_bound (OPT_Wstringop_overread, loc, exp, func,
				    range, size, pad);
	      return false;
	    }

	  /* Pointer identity with MAXOBJSIZE is used to skip the default
	     "unknown size" case; this relies on max_object_size ()
	     returning the same tree each time.  */
	  if (size != maxobjsize && tree_int_cst_lt (size, range[0]))
	    {
	      opt_code opt = (dstwrite || mode != access_read_only
			      ? OPT_Wstringop_overflow_
			      : OPT_Wstringop_overread);
	      maybe_warn_for_bound (opt, loc, exp, func, range, size, pad);
	      return false;
	    }
	}

      maybe_warn_nonstring_arg (func, exp);
    }

  /* Check for reading past the end of SRC.  */
  bool overread = (slen
		   && slen == srcstr
		   && dstwrite
		   && range[0]
		   && TREE_CODE (slen) == INTEGER_CST
		   && tree_int_cst_lt (slen, range[0]));
  /* If none is determined try to get a better answer based on the details
     in PAD.  */
  if (!overread
      && pad
      && pad->src.sizrng[1] >= 0
      && pad->src.offrng[0] >= 0
      && (pad->src.offrng[1] < 0
	  || pad->src.offrng[0] <= pad->src.offrng[1]))
    {
      /* Set RANGE to that of MAXREAD, bounded by PAD->SRC_BNDRNG if
	 PAD is nonnull and BNDRNG is valid.  (PAD is known nonnull in
	 this branch, so the conditional is redundant.)  */
      get_size_range (rvals, maxread, stmt, range, pad ? pad->src_bndrng : NULL);
      /* Set OVERREAD for reads starting just past the end of an object.
	 NOTE(review): SRC_BNDRNG[0] is used directly here even when
	 SRC_BNDRNG is the unbounded [0, SIZE_MAX] sentinel; in that case
	 the comparison is simply false.  */
      overread = pad->src.sizrng[1] - pad->src.offrng[0] < pad->src_bndrng[0];
      range[0] = wide_int_to_tree (sizetype, pad->src_bndrng[0]);
      slen = size_zero_node;
    }

  if (overread)
    {
      const opt_code opt = OPT_Wstringop_overread;
      if (warning_suppressed_p (exp, opt)
	  || (srcstr && warning_suppressed_p (srcstr, opt))
	  || (pad && pad->src.ref
	      && warning_suppressed_p (pad->src.ref, opt)))
	return false;

      location_t loc = get_location (exp);
      const bool read
	= mode == access_read_only || mode == access_read_write;
      /* NOTE(review): this is a source-side diagnostic but MAYBE is taken
	 from the destination's PARMARRAY flag, as in the write case
	 above; confirm whether pad->src.parmarray is intended.  */
      const bool maybe = pad && pad->dst.parmarray;
      auto_diagnostic_group d;
      if (warn_for_access (loc, func, exp, opt, range, slen, false, read,
			   maybe))
	{
	  suppress_warning (exp, opt);
	  if (pad)
	    pad->src.inform_access (access_read_only);
	}
      return false;
    }

  return true;
}
1525
/* check_access for a GIMPLE call STMT: forwards all arguments to the
   template above instantiated for gimple * and returns its verdict
   (true when the call was verified as safe).  */

static bool
check_access (gimple *stmt, tree dstwrite,
	      tree maxread, tree srcstr, tree dstsize,
	      access_mode mode, const access_data *pad,
	      range_query *rvals)
{
  const bool safe
    = check_access<gimple *> (stmt, dstwrite, maxread, srcstr, dstsize,
			      mode, pad, rvals);
  return safe;
}
1535
/* Externally visible check_access for a call expression EXPR (tree form).
   Forwards to the template above instantiated for tree with no range
   query (nullptr), so only constant sizes can be evaluated; PAD defaults
   to NULL.  Returns true when the call was verified as safe.  */

bool
check_access (tree expr, tree dstwrite,
	      tree maxread, tree srcstr, tree dstsize,
	      access_mode mode, const access_data *pad /* = NULL */)
{
  const bool safe
    = check_access<tree> (expr, dstwrite, maxread, srcstr, dstsize,
			  mode, pad, nullptr);
  return safe;
}
1544
/* Return true if FNDECL is an allocation function: operator new, one of
   the heap-allocating built-ins, or a function declared with attribute
   malloc that names a deallocator.  alloca and its aligned variant (and
   so VLAs) count only when ALL_ALLOC is set.  A null FNDECL is not an
   allocation function.  */

static bool
fndecl_alloc_p (tree fndecl, bool all_alloc)
{
  if (!fndecl)
    return false;

  /* operator new is not a built-in but always allocates.  */
  if (DECL_IS_OPERATOR_NEW_P (fndecl))
    return true;

  if (fndecl_built_in_p (fndecl, BUILT_IN_NORMAL))
    switch (DECL_FUNCTION_CODE (fndecl))
      {
      case BUILT_IN_ALLOCA:
      case BUILT_IN_ALLOCA_WITH_ALIGN:
	/* Stack allocation only counts when the caller asked for it.  */
	return all_alloc;

      case BUILT_IN_ALIGNED_ALLOC:
      case BUILT_IN_CALLOC:
      case BUILT_IN_GOMP_ALLOC:
      case BUILT_IN_MALLOC:
      case BUILT_IN_REALLOC:
      case BUILT_IN_STRDUP:
      case BUILT_IN_STRNDUP:
	return true;

      default:
	break;
      }

  /* Otherwise look for attribute malloc with an argument.  A bare
     "malloc" (no deallocator named) does not qualify here.  */
  for (tree attr = lookup_attribute ("malloc", DECL_ATTRIBUTES (fndecl));
       attr;
       attr = lookup_attribute ("malloc", TREE_CHAIN (attr)))
    {
      tree args = TREE_VALUE (attr);
      if (args && TREE_VALUE (args))
	return true;
    }

  return false;
}
1601
/* Return true if the function called by STMT is an allocation function
   according to fndecl_alloc_p.  ALL_ALLOC (default false) is passed
   through and selects whether alloca/VLA count.  A call with no known
   callee decl is not an allocation call.  */

static bool
gimple_call_alloc_p (gimple *stmt, bool all_alloc = false)
{
  tree callee = gimple_call_fndecl (stmt);
  return callee ? fndecl_alloc_p (callee, all_alloc) : false;
}
1610
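/* Return true if DELC doesn't refer to an operator delete that's
   suitable to call with a pointer returned from the operator new
   described by NEWC.  Both are demangled-name component trees; they
   are compared structurally, node by node, with the new/delete (and
   new[]/delete[]) operator names themselves allowed to differ only in
   the expected way.  */

static bool
new_delete_mismatch_p (const demangle_component &newc,
		       const demangle_component &delc)
{
  if (newc.type != delc.type)
    return true;

  switch (newc.type)
    {
    case DEMANGLE_COMPONENT_NAME:
      {
	int len = newc.u.s_name.len;
	const char *news = newc.u.s_name.s;
	const char *dels = delc.u.s_name.s;
	if (len != delc.u.s_name.len || memcmp (news, dels, len))
	  return true;

	/* S_NAME.S points into the (nul-terminated) mangled input rather
	   than at a copy, so the characters at LEN and LEN + 1 are what
	   follows the name in mangled form: "nw"/"na" for operator new /
	   new[] and "dl"/"da" for delete / delete[].  LEN + 1 is only read
	   when the character at LEN is the expected one, so this does not
	   run past the terminator.  */
	if (news[len] == 'n')
	  {
	    if (news[len + 1] == 'a')
	      return dels[len] != 'd' || dels[len + 1] != 'a';
	    if (news[len + 1] == 'w')
	      return dels[len] != 'd' || dels[len + 1] != 'l';
	  }
	return false;
      }

    case DEMANGLE_COMPONENT_OPERATOR:
      /* Operator mismatches are handled above.  */
      return false;

    case DEMANGLE_COMPONENT_EXTENDED_OPERATOR:
      if (newc.u.s_extended_operator.args != delc.u.s_extended_operator.args)
	return true;
      return new_delete_mismatch_p (*newc.u.s_extended_operator.name,
				    *delc.u.s_extended_operator.name);

    case DEMANGLE_COMPONENT_FIXED_TYPE:
      if (newc.u.s_fixed.accum != delc.u.s_fixed.accum
	  || newc.u.s_fixed.sat != delc.u.s_fixed.sat)
	return true;
      return new_delete_mismatch_p (*newc.u.s_fixed.length,
				    *delc.u.s_fixed.length);

    case DEMANGLE_COMPONENT_CTOR:
      if (newc.u.s_ctor.kind != delc.u.s_ctor.kind)
	return true;
      return new_delete_mismatch_p (*newc.u.s_ctor.name,
				    *delc.u.s_ctor.name);

    case DEMANGLE_COMPONENT_DTOR:
      if (newc.u.s_dtor.kind != delc.u.s_dtor.kind)
	return true;
      return new_delete_mismatch_p (*newc.u.s_dtor.name,
				    *delc.u.s_dtor.name);

    case DEMANGLE_COMPONENT_BUILTIN_TYPE:
      {
	/* The demangler API provides no better way to compare built-in
	   types except to by comparing their demangled names.  */
	size_t nsz, dsz;
	demangle_component *pnc = const_cast<demangle_component *>(&newc);
	demangle_component *pdc = const_cast<demangle_component *>(&delc);
	char *nts = cplus_demangle_print (0, pnc, 16, &nsz);
	char *dts = cplus_demangle_print (0, pdc, 16, &dsz);
	bool mismatch;
	if (!nts || !dts)
	  /* Printing failed on at least one side.  Failure on exactly one
	     side is a mismatch; with neither name available there is
	     nothing to compare, so don't report one.  Either way both
	     buffers must still be released below (free (NULL) is fine),
	     rather than returning early and leaking the other one.  */
	  mismatch = !nts != !dts;
	else
	  mismatch = strcmp (nts, dts) != 0;
	free (nts);
	free (dts);
	return mismatch;
      }

    case DEMANGLE_COMPONENT_SUB_STD:
      if (newc.u.s_string.len != delc.u.s_string.len)
	return true;
      return memcmp (newc.u.s_string.string, delc.u.s_string.string,
		     newc.u.s_string.len);

    case DEMANGLE_COMPONENT_FUNCTION_PARAM:
    case DEMANGLE_COMPONENT_TEMPLATE_PARAM:
      return newc.u.s_number.number != delc.u.s_number.number;

    case DEMANGLE_COMPONENT_CHARACTER:
      return newc.u.s_character.character != delc.u.s_character.character;

    case DEMANGLE_COMPONENT_DEFAULT_ARG:
    case DEMANGLE_COMPONENT_LAMBDA:
      if (newc.u.s_unary_num.num != delc.u.s_unary_num.num)
	return true;
      return new_delete_mismatch_p (*newc.u.s_unary_num.sub,
				    *delc.u.s_unary_num.sub);
    default:
      break;
    }

  /* Every remaining component kind is treated as a binary node and its
     two children (either of which may be null) are compared recursively;
     a child present on only one side is a mismatch.  */
  if (!newc.u.s_binary.left != !delc.u.s_binary.left)
    return true;

  if (!newc.u.s_binary.left)
    return false;

  if (new_delete_mismatch_p (*newc.u.s_binary.left, *delc.u.s_binary.left)
      || !newc.u.s_binary.right != !delc.u.s_binary.right)
    return true;

  if (newc.u.s_binary.right)
    return new_delete_mismatch_p (*newc.u.s_binary.right,
				  *delc.u.s_binary.right);
  return false;
}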
1726
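/* Return true if DELETE_DECL is an operator delete that's not suitable
   to call with a pointer returned from NEW_DECL.  The mangled names are
   first checked by valid_new_delete_pair_p; when that cannot decide, the
   names are demangled and compared component by component.  */

static bool
new_delete_mismatch_p (tree new_decl, tree delete_decl)
{
  tree new_name = DECL_ASSEMBLER_NAME (new_decl);
  tree delete_name = DECL_ASSEMBLER_NAME (delete_decl);

  /* valid_new_delete_pair_p() returns a conservative result (currently
     it only handles global operators).  A true result is reliable but
     a false result doesn't necessarily mean the operators don't match
     unless CERTAIN is set.  */
  bool certain;
  if (valid_new_delete_pair_p (new_name, delete_name, &certain))
    return false;
  /* CERTAIN is set when the negative result is certain.  */
  if (certain)
    return true;

  /* For anything not handled by valid_new_delete_pair_p() such as member
     operators compare the individual demangled components of the mangled
     name.  */
  const char *new_str = IDENTIFIER_POINTER (new_name);
  const char *del_str = IDENTIFIER_POINTER (delete_name);

  void *np = NULL, *dp = NULL;
  demangle_component *ndc = cplus_demangle_v3_components (new_str, 0, &np);
  demangle_component *ddc = cplus_demangle_v3_components (del_str, 0, &dp);
  /* The demangler returns null when it cannot parse a name.  Without both
     component trees there is nothing to compare, so don't claim a
     mismatch: a missed diagnostic is preferable to dereferencing null or
     to a spurious mismatch warning.  NP and DP start out null, so freeing
     them is safe whether or not the corresponding call succeeded.  */
  bool mismatch = ndc && ddc && new_delete_mismatch_p (*ndc, *ddc);
  free (np);
  free (dp);
  return mismatch;
}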
1761
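/* ALLOC_DECL and DEALLOC_DECL are a pair of allocation and deallocation
   functions.  Return true if the latter is suitable to deallocate objects
   allocated by calls to the former.

   The decision is made in this order: operator new/delete pairs by their
   mangled names; built-in allocators against free/realloc; the
   allocator's attribute malloc arguments against a built-in deallocator;
   the deallocator's internal "*dealloc" attributes (which name the
   allocators it was declared for) against ALLOC_DECL; and finally, when
   DEALLOC_DECL is itself a reallocator, whether both functions share a
   deallocator.  */

static bool
matching_alloc_calls_p (tree alloc_decl, tree dealloc_decl)
{
  /* Set to alloc_kind_t::builtin if ALLOC_DECL is associated with
     a built-in deallocator.  */
  enum class alloc_kind_t { none, builtin, user }
  alloc_dealloc_kind = alloc_kind_t::none;

  if (DECL_IS_OPERATOR_NEW_P (alloc_decl))
    {
      if (DECL_IS_OPERATOR_DELETE_P (dealloc_decl))
	/* Return true iff both functions are of the same array or
	   singleton form and false otherwise.  */
	return !new_delete_mismatch_p (alloc_decl, dealloc_decl);

      /* Return false for deallocation functions that are known not
	 to match.  */
      if (fndecl_built_in_p (dealloc_decl, BUILT_IN_FREE)
	  || fndecl_built_in_p (dealloc_decl, BUILT_IN_REALLOC))
	return false;
      /* Otherwise proceed below to check the deallocation function's
	 "*dealloc" attributes to look for one that mentions this operator
	 new.  */
    }
  else if (fndecl_built_in_p (alloc_decl, BUILT_IN_NORMAL))
    {
      switch (DECL_FUNCTION_CODE (alloc_decl))
	{
	case BUILT_IN_ALLOCA:
	case BUILT_IN_ALLOCA_WITH_ALIGN:
	  /* Stack memory is never deallocated by a call.  */
	  return false;

	case BUILT_IN_ALIGNED_ALLOC:
	case BUILT_IN_CALLOC:
	case BUILT_IN_GOMP_ALLOC:
	case BUILT_IN_MALLOC:
	case BUILT_IN_REALLOC:
	case BUILT_IN_STRDUP:
	case BUILT_IN_STRNDUP:
	  if (DECL_IS_OPERATOR_DELETE_P (dealloc_decl))
	    return false;

	  if (fndecl_built_in_p (dealloc_decl, BUILT_IN_FREE)
	      || fndecl_built_in_p (dealloc_decl, BUILT_IN_REALLOC))
	    return true;

	  alloc_dealloc_kind = alloc_kind_t::builtin;
	  break;

	default:
	  break;
	}
    }

  /* Set if DEALLOC_DECL both allocates and deallocates.  */
  alloc_kind_t realloc_kind = alloc_kind_t::none;

  if (fndecl_built_in_p (dealloc_decl, BUILT_IN_NORMAL))
    {
      built_in_function dealloc_code = DECL_FUNCTION_CODE (dealloc_decl);
      if (dealloc_code == BUILT_IN_REALLOC)
	realloc_kind = alloc_kind_t::builtin;

      /* A built-in deallocator matches if any of ALLOC_DECL's attribute
	 malloc arguments names that same built-in.  */
      for (tree amats = DECL_ATTRIBUTES (alloc_decl);
	   (amats = lookup_attribute ("malloc", amats));
	   amats = TREE_CHAIN (amats))
	{
	  tree args = TREE_VALUE (amats);
	  if (!args)
	    continue;

	  tree fndecl = TREE_VALUE (args);
	  if (!fndecl || !DECL_P (fndecl))
	    continue;

	  if (fndecl_built_in_p (fndecl, BUILT_IN_NORMAL)
	      && dealloc_code == DECL_FUNCTION_CODE (fndecl))
	    return true;
	}
    }

  const bool alloc_builtin = fndecl_built_in_p (alloc_decl, BUILT_IN_NORMAL);
  alloc_kind_t realloc_dealloc_kind = alloc_kind_t::none;

  /* If DEALLOC_DECL has an internal "*dealloc" attribute scan the list
     of its associated allocation functions for ALLOC_DECL.
     If the corresponding ALLOC_DECL is found they're a matching pair,
     otherwise they're not.
     With DDATS set to the Deallocator's *Dealloc ATtributes...  */
  for (tree ddats = DECL_ATTRIBUTES (dealloc_decl);
       (ddats = lookup_attribute ("*dealloc", ddats));
       ddats = TREE_CHAIN (ddats))
    {
      tree args = TREE_VALUE (ddats);
      if (!args)
	continue;

      tree alloc = TREE_VALUE (args);
      if (!alloc)
	continue;

      /* A deallocator associated with itself is a user reallocator.  */
      if (alloc == DECL_NAME (dealloc_decl))
	realloc_kind = alloc_kind_t::user;

      if (DECL_P (alloc))
	{
	  gcc_checking_assert (fndecl_built_in_p (alloc, BUILT_IN_NORMAL));

	  switch (DECL_FUNCTION_CODE (alloc))
	    {
	    case BUILT_IN_ALIGNED_ALLOC:
	    case BUILT_IN_CALLOC:
	    case BUILT_IN_GOMP_ALLOC:
	    case BUILT_IN_MALLOC:
	    case BUILT_IN_REALLOC:
	    case BUILT_IN_STRDUP:
	    case BUILT_IN_STRNDUP:
	      realloc_dealloc_kind = alloc_kind_t::builtin;
	      break;
	    default:
	      break;
	    }

	  if (!alloc_builtin)
	    continue;

	  if (DECL_FUNCTION_CODE (alloc) != DECL_FUNCTION_CODE (alloc_decl))
	    continue;

	  return true;
	}

      /* User allocators are named by identifier in the attribute.  */
      if (alloc == DECL_NAME (alloc_decl))
	return true;
    }

  if (realloc_kind == alloc_kind_t::none)
    return false;

  hash_set<tree> common_deallocs;
  /* Special handling for deallocators.  Iterate over both the allocator's
     and the reallocator's associated deallocator functions looking for
     the first one in common.  If one is found, the de/reallocator is
     a match for the allocator even though the latter isn't directly
     associated with the former.  This simplifies declarations in system
     headers.
     With AMATS set to the Allocator's Malloc ATtributes,
     and RMATS set to Reallocator's Malloc ATtributes...
     Both chains are advanced to their next "malloc" attribute on every
     iteration (no short-circuit between the two lookups), so RMATS never
     rests on an attribute of another kind whose arguments would then be
     misread as deallocator names; and the RMATS side is examined on every
     iteration regardless of what the AMATS side found, so a deallocator
     shared by both is not missed.  */
  for (tree amats = DECL_ATTRIBUTES (alloc_decl),
	 rmats = DECL_ATTRIBUTES (dealloc_decl);
       ;
       amats = amats ? TREE_CHAIN (amats) : NULL_TREE,
	 rmats = rmats ? TREE_CHAIN (rmats) : NULL_TREE)
    {
      amats = lookup_attribute ("malloc", amats);
      rmats = lookup_attribute ("malloc", rmats);
      if (!amats && !rmats)
	break;

      if (tree args = amats ? TREE_VALUE (amats) : NULL_TREE)
	if (tree adealloc = TREE_VALUE (args))
	  {
	    if (DECL_P (adealloc)
		&& fndecl_built_in_p (adealloc, BUILT_IN_NORMAL))
	      {
		built_in_function fncode = DECL_FUNCTION_CODE (adealloc);
		if (fncode == BUILT_IN_FREE || fncode == BUILT_IN_REALLOC)
		  {
		    if (realloc_kind == alloc_kind_t::builtin)
		      return true;
		    alloc_dealloc_kind = alloc_kind_t::builtin;
		  }
	      }
	    else
	      common_deallocs.add (adealloc);
	  }

      if (tree args = rmats ? TREE_VALUE (rmats) : NULL_TREE)
	if (tree ddealloc = TREE_VALUE (args))
	  {
	    if (DECL_P (ddealloc)
		&& fndecl_built_in_p (ddealloc, BUILT_IN_NORMAL))
	      {
		built_in_function fncode = DECL_FUNCTION_CODE (ddealloc);
		if (fncode == BUILT_IN_FREE || fncode == BUILT_IN_REALLOC)
		  {
		    if (alloc_dealloc_kind == alloc_kind_t::builtin)
		      return true;
		    realloc_dealloc_kind = alloc_kind_t::builtin;
		  }
	      }
	    /* hash_set::add returns true when the element was already
	       present, i.e. the allocator named it too.  */
	    else if (common_deallocs.add (ddealloc))
	      return true;
	  }
    }

  /* Succeed only if ALLOC_DECL and the reallocator DEALLOC_DECL share
     a built-in deallocator.  */
  return (alloc_dealloc_kind == alloc_kind_t::builtin
	  && realloc_dealloc_kind == alloc_kind_t::builtin);
}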
1966
/* Return true if DEALLOC_DECL is a function suitable to deallocate
   objects allocated by the call ALLOC.  When the callee of ALLOC is not
   a known decl nothing can be checked and the pair is treated as
   matching (no diagnostic).  */

static bool
matching_alloc_calls_p (gimple *alloc, tree dealloc_decl)
{
  if (tree alloc_decl = gimple_call_fndecl (alloc))
    return matching_alloc_calls_p (alloc_decl, dealloc_decl);

  return true;
}
1979
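/* Diagnose a call CALL at LOC to deallocate a pointer referenced by AREF
   if it includes a nonzero offset.  Such a pointer cannot refer to the
   beginning of an allocated object.  Only offsets whose range is entirely
   positive are diagnosed: a dereferenced pointer, or a range with a
   non-positive lower or upper bound, is left alone.  Return true if
   a warning was issued.  */

static bool
warn_dealloc_offset (location_t loc, gimple *call, const access_ref &aref)
{
  if (aref.deref || aref.offrng[0] <= 0 || aref.offrng[1] <= 0)
    return false;

  tree dealloc_decl = gimple_call_fndecl (call);
  if (!dealloc_decl)
    return false;

  if (DECL_IS_OPERATOR_DELETE_P (dealloc_decl)
      && !DECL_IS_REPLACEABLE_OPERATOR (dealloc_decl))
    {
      /* A call to a user-defined operator delete with a pointer plus offset
	 may be valid if it's returned from an unknown function (i.e., one
	 that's not operator new).  */
      if (TREE_CODE (aref.ref) == SSA_NAME)
	{
	  gimple *def_stmt = SSA_NAME_DEF_STMT (aref.ref);
	  if (is_gimple_call (def_stmt))
	    {
	      tree alloc_decl = gimple_call_fndecl (def_stmt);
	      if (!alloc_decl || !DECL_IS_OPERATOR_NEW_P (alloc_decl))
		return false;
	    }
	}
    }

  /* Format the offset, or the offset range when the bounds differ and
     both fit, for the message.  Two decorated 64-bit decimals need well
     under 80 bytes, but bound the write to the buffer regardless.  */
  char offstr[80];
  offstr[0] = '\0';
  if (wi::fits_shwi_p (aref.offrng[0]))
    {
      if (aref.offrng[0] == aref.offrng[1]
	  || !wi::fits_shwi_p (aref.offrng[1]))
	snprintf (offstr, sizeof offstr, " %lli",
		  (long long)aref.offrng[0].to_shwi ());
      else
	snprintf (offstr, sizeof offstr, " [%lli, %lli]",
		  (long long)aref.offrng[0].to_shwi (),
		  (long long)aref.offrng[1].to_shwi ());
    }

  auto_diagnostic_group d;
  if (!warning_at (loc, OPT_Wfree_nonheap_object,
		   "%qD called on pointer %qE with nonzero offset%s",
		   dealloc_decl, aref.ref, offstr))
    return false;

  /* Point at where the pointer comes from: its declaration, or the call
     that produced it.  */
  if (DECL_P (aref.ref))
    inform (get_location (aref.ref), "declared here");
  else if (TREE_CODE (aref.ref) == SSA_NAME)
    {
      gimple *def_stmt = SSA_NAME_DEF_STMT (aref.ref);
      if (is_gimple_call (def_stmt))
	{
	  location_t def_loc = get_location (def_stmt);
	  tree alloc_decl = gimple_call_fndecl (def_stmt);
	  if (alloc_decl)
	    inform (def_loc,
		    "returned from %qD", alloc_decl);
	  else if (tree alloc_fntype = gimple_call_fntype (def_stmt))
	    inform (def_loc,
		    "returned from %qT", alloc_fntype);
	  else
	    inform (def_loc, "obtained here");
	}
    }

  return true;
}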
2055
2056 namespace {
2057
/* Static description of the -Waccess pass: a GIMPLE pass named "waccess"
   that needs only a CFG (PROP_cfg) and neither provides nor destroys any
   IL properties.  Its time is accounted under TV_WARN_ACCESS.  */
const pass_data pass_data_waccess = {
  GIMPLE_PASS, /* pass type */
  "waccess", /* pass name */
  OPTGROUP_NONE, /* optinfo flags */
  TV_WARN_ACCESS, /* timer variable */
  PROP_cfg, /* properties_required */
  0, /* properties_provided */
  0, /* properties_destroyed */
  0, /* properties_start */
  0, /* properties_finish */
};
2069
/* Pass to detect invalid accesses: out-of-bounds reads and writes by
   string and raw-memory built-ins, excessive allocation sizes, invalid
   or mismatched allocation/deallocation calls, invalid atomic memory
   models, and uses of dangling pointers.  */
class pass_waccess : public gimple_opt_pass
{
 public:
  pass_waccess (gcc::context *);

  /* Releases the pointer_query cache.  */
  ~pass_waccess ();

  /* Create another instance of the pass; see set_pass_param for the
     per-instance parameter.  */
  opt_pass *clone () final override;

  /* True when at least one of the warnings the pass issues is enabled.  */
  bool gate (function *) final override;

  /* Set M_EARLY_CHECKS_P for this instance (the only parameter, N == 0).  */
  void set_pass_param (unsigned, bool) final override;

  unsigned int execute (function *) final override;

 private:
  /* Not copyable or assignable.  */
  pass_waccess (pass_waccess &) = delete;
  void operator= (pass_waccess &) = delete;

  /* Check a call to an atomic built-in function.  */
  bool check_atomic_builtin (gcall *);

  /* Check a call to a built-in function.  */
  bool check_builtin (gcall *);

  /* Check a call to an ordinary function for invalid accesses.  */
  bool check_call_access (gcall *);

  /* Check a non-call statement.  */
  void check_stmt (gimple *);

  /* Check statements in a basic block.  */
  void check_block (basic_block);

  /* Check a call to a function.  */
  void check_call (gcall *);

  /* Check a call to the named built-in function.  Each of these returns
     immediately in the early instance of the pass (M_EARLY_CHECKS_P).  */
  void check_alloca (gcall *);
  void check_alloc_size_call (gcall *);
  void check_strcat (gcall *);
  void check_strncat (gcall *);
  void check_stxcpy (gcall *);
  void check_stxncpy (gcall *);
  void check_strncmp (gcall *);
  /* Check an access of SIZE bytes from SRC (null for memset-like
     functions) to DEST by a raw-memory built-in.  */
  void check_memop_access (gimple *, tree, tree, tree);
  /* Check a read of SRC by a read-only function, optionally bounded by
     the third argument, using the Object Size type given by the last.  */
  void check_read_access (gimple *, tree, tree = NULL_TREE, int = 1);

  void maybe_check_dealloc_call (gcall *);
  void maybe_check_access_sizes (rdwr_map *, tree, tree, gimple *);
  /* Check the success and (optional) failure memory model arguments of
     an atomic call against a UCHAR_MAX-terminated list of indices into
     MEMORY_MODELS.  The bool form returns true if it warned; the void
     wrapper also suppresses repeat diagnostics on the statement.  */
  bool maybe_warn_memmodel (gimple *, tree, tree, const unsigned char *);
  void check_atomic_memmodel (gimple *, tree, tree, const unsigned char *);

  /* Check for uses of indeterminate pointers.  */
  void check_pointer_uses (gimple *, tree, tree = NULL_TREE, bool = false);

  /* Return the argument that a call returns.  */
  tree gimple_call_return_arg (gcall *);
  tree gimple_call_return_arg_ref (gcall *);

  /* Check a call for uses of a dangling pointer arguments.  */
  void check_call_dangling (gcall *);

  /* Check uses of a dangling pointer or those derived from it.  */
  void check_dangling_uses (tree, tree, bool = false, bool = false);
  void check_dangling_uses ();
  void check_dangling_stores ();
  void check_dangling_stores (basic_block, hash_set<tree> &, auto_bitmap &);

  void warn_invalid_pointer (tree, gimple *, gimple *, tree, bool, bool = false);

  /* Return true if use follows an invalidating statement.  */
  bool use_after_inval_p (gimple *, gimple *, bool = false);

  /* A pointer_query object to store information about pointers and
     their targets in.  Its cache is flushed by the destructor.  */
  pointer_query m_ptr_qry;
  /* Mapping from DECLs and their clobber statements in the function.  */
  hash_map<tree, gimple *> m_clobbers;
  /* A bit is set for each basic block whose statements have been assigned
     valid UIDs.  */
  bitmap m_bb_uids_set;
  /* The current function.  */
  function *m_func;
  /* True to run checks for uses of dangling pointers.  */
  bool m_check_dangling_p;
  /* True to run checks early on in the optimization pipeline.  Set via
     set_pass_param; the allocation and string checks in this file bail
     out when it is set and run only in the late instance.  */
  bool m_early_checks_p;
};
2161
2162 /* Construct the pass. */
2163
pass_waccess::pass_waccess (gcc::context *ctxt)
  : gimple_opt_pass (pass_data_waccess, ctxt),
    /* No range query yet; presumably attached when the pass executes.  */
    m_ptr_qry (NULL),
    m_clobbers (),
    m_bb_uids_set (),
    m_func (),
    /* Both flags default to false; M_EARLY_CHECKS_P is set by
       set_pass_param.  */
    m_check_dangling_p (),
    m_early_checks_p ()
{
}
2174
2175 /* Return a copy of the pass with RUN_NUMBER one greater than THIS. */
2176
opt_pass*
pass_waccess::clone ()
{
  /* A fresh instance sharing the same context; its parameters are set
     separately through set_pass_param.  */
  pass_waccess *copy = new pass_waccess (m_ctxt);
  return copy;
}
2182
2183 /* Release pointer_query cache. */
2184
pass_waccess::~pass_waccess ()
{
  /* Drop whatever the pointer_query cached across the pass' runs.  */
  m_ptr_qry.flush_cache ();
}
2189
/* Set parameter N of the pass.  The pass has a single parameter, EARLY,
   which selects the early (reduced) set of checks.  */

void
pass_waccess::set_pass_param (unsigned int n, bool early)
{
  gcc_assert (n == 0);

  m_early_checks_p = early;
}
2197
2198 /* Return true when any checks performed by the pass are enabled. */
2199
bool
pass_waccess::gate (function *)
{
  /* Any one of these three options is enough to run the pass.  */
  if (warn_free_nonheap_object)
    return true;
  if (warn_mismatched_alloc)
    return true;
  return warn_mismatched_new_delete != 0;
}
2207
/* Return the maximum allocation size to diagnose against, as a size_t
   INTEGER_CST: the -Walloc-size-larger-than= setting if the option is
   specified (WARN_ALLOC_SIZE_LIMIT is HOST_WIDE_INT_MAX when it is not),
   or PTRDIFF_MAX otherwise.  */
2211
static tree
alloc_max_size (void)
{
  /* The option leaves the limit at HOST_WIDE_INT_MAX when it isn't
     given; fall back to PTRDIFF_MAX in that case.  */
  const bool unlimited = warn_alloc_size_limit == HOST_WIDE_INT_MAX;
  const HOST_WIDE_INT limit
    = (unlimited
       ? tree_to_shwi (TYPE_MAX_VALUE (ptrdiff_type_node))
       : warn_alloc_size_limit);

  return build_int_cst (size_type_node, limit);
}
2221
/* Diagnose a call STMT to a function decorated with attribute alloc_size
   whose argument numbers given by IDX with values given by ARGS exceed
   the maximum object size or cause an unsigned overflow (wrapping) when
   multiplied.  The callee is taken from STMT and is null when the call
   is made via a function pointer.  When ARGS[0] is null the function
   does nothing.  ARGS[1] may be null for functions like malloc, and
   non-null for those like calloc that are decorated with a two-argument
   attribute alloc_size.  */
2229
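void
maybe_warn_alloc_args_overflow (gimple *stmt, const tree args[2],
				const int idx[2])
{
  /* The range each of the (up to) two arguments is known to be in.
     Both bounds stay null for an argument whose value is unknown.  */
  tree argrange[2][2] = { { NULL_TREE, NULL_TREE }, { NULL_TREE, NULL_TREE } };

  /* Maximum object size set by -Walloc-size-larger-than= or, when the
     option isn't given, PTRDIFF_MAX (see alloc_max_size).  */
  tree maxobjsize = alloc_max_size ();

  location_t loc = get_location (stmt);

  /* FN is null for a call through a function pointer.  FNTYPE is the
     type of the callee either way and carries the attributes checked
     below.  */
  tree fn = gimple_call_fndecl (stmt);
  tree fntype = fn ? TREE_TYPE (fn) : gimple_call_fntype (stmt);

  /* True once any warning below has actually been issued.  It is ORed
     into rather than assigned so that a later warning_at returning
     false (its option disabled, or the location suppressed) cannot
     discard an earlier successful warning: the note naming the callee
     at the end, and the decision to skip the product check, are both
     keyed off WARNED.  */
  bool warned = false;

  /* Validate each argument individually.  */
  for (unsigned i = 0; i != 2 && args[i]; ++i)
    {
      if (TREE_CODE (args[i]) == INTEGER_CST)
	{
	  argrange[i][0] = args[i];
	  argrange[i][1] = args[i];

	  if (tree_int_cst_lt (args[i], integer_zero_node))
	    {
	      warned |= warning_at (loc, OPT_Walloc_size_larger_than_,
				    "argument %i value %qE is negative",
				    idx[i] + 1, args[i]);
	    }
	  else if (integer_zerop (args[i]))
	    {
	      /* Avoid issuing -Walloc-zero for allocation functions other
		 than __builtin_alloca that are declared with attribute
		 returns_nonnull because there's no portability risk.  This
		 avoids warning for such calls to libiberty's xmalloc and
		 friends.
		 Also avoid issuing the warning for calls to function named
		 "alloca".  */
	      if ((fn && fndecl_built_in_p (fn, BUILT_IN_ALLOCA))
		  ? IDENTIFIER_LENGTH (DECL_NAME (fn)) != 6
		  : !lookup_attribute ("returns_nonnull",
				       TYPE_ATTRIBUTES (fntype)))
		warned |= warning_at (loc, OPT_Walloc_zero,
				      "argument %i value is zero",
				      idx[i] + 1);
	    }
	  else if (tree_int_cst_lt (maxobjsize, args[i]))
	    {
	      /* G++ emits calls to ::operator new[](SIZE_MAX) in C++98
		 mode and with -fno-exceptions as a way to indicate array
		 size overflow.  There's no good way to detect C++98 here
		 so avoid diagnosing these calls for all C++ modes.  */
	      if (i == 0
		  && fn
		  && !args[1]
		  && lang_GNU_CXX ()
		  && DECL_IS_OPERATOR_NEW_P (fn)
		  && integer_all_onesp (args[i]))
		continue;

	      warned |= warning_at (loc, OPT_Walloc_size_larger_than_,
				    "argument %i value %qE exceeds "
				    "maximum object size %E",
				    idx[i] + 1, args[i], maxobjsize);
	    }
	}
      else if (TREE_CODE (args[i]) == SSA_NAME
	       && get_size_range (args[i], argrange[i]))
	{
	  /* Verify that the argument's range is not negative (including
	     upper bound of zero).  */
	  if (tree_int_cst_lt (argrange[i][0], integer_zero_node)
	      && tree_int_cst_le (argrange[i][1], integer_zero_node))
	    {
	      warned |= warning_at (loc, OPT_Walloc_size_larger_than_,
				    "argument %i range [%E, %E] is negative",
				    idx[i] + 1,
				    argrange[i][0], argrange[i][1]);
	    }
	  else if (tree_int_cst_lt (maxobjsize, argrange[i][0]))
	    {
	      warned |= warning_at (loc, OPT_Walloc_size_larger_than_,
				    "argument %i range [%E, %E] exceeds "
				    "maximum object size %E",
				    idx[i] + 1,
				    argrange[i][0], argrange[i][1],
				    maxobjsize);
	    }
	}
    }

  /* Nothing is known about the first argument: nothing more to check.  */
  if (!argrange[0][0])
    return;

  /* For a two-argument alloc_size, validate the product of the two
     arguments if both of their values or ranges are known.  Only the
     lower bounds are multiplied so the warning is issued just for
     calls that certainly exceed the limit.  A factor of one is skipped
     since the product is then the other argument, already checked.  */
  if (!warned && tree_fits_uhwi_p (argrange[0][0])
      && argrange[1][0] && tree_fits_uhwi_p (argrange[1][0])
      && !integer_onep (argrange[0][0])
      && !integer_onep (argrange[1][0]))
    {
      /* Check for overflow in the product of a function decorated with
	 attribute alloc_size (X, Y), computed in the precision of size_t.  */
      unsigned szprec = TYPE_PRECISION (size_type_node);
      wide_int x = wi::to_wide (argrange[0][0], szprec);
      wide_int y = wi::to_wide (argrange[1][0], szprec);

      wi::overflow_type vflow;
      wide_int prod = wi::umul (x, y, &vflow);

      if (vflow)
	warned |= warning_at (loc, OPT_Walloc_size_larger_than_,
			      "product %<%E * %E%> of arguments %i and %i "
			      "exceeds %<SIZE_MAX%>",
			      argrange[0][0], argrange[1][0],
			      idx[0] + 1, idx[1] + 1);
      else if (wi::ltu_p (wi::to_wide (maxobjsize, szprec), prod))
	warned |= warning_at (loc, OPT_Walloc_size_larger_than_,
			      "product %<%E * %E%> of arguments %i and %i "
			      "exceeds maximum object size %E",
			      argrange[0][0], argrange[1][0],
			      idx[0] + 1, idx[1] + 1,
			      maxobjsize);

      if (warned)
	{
	  /* Print the full range of each of the two arguments to make
	     it clear when it is, in fact, in a range and not constant.  */
	  if (argrange[0][0] != argrange [0][1])
	    inform (loc, "argument %i in the range [%E, %E]",
		    idx[0] + 1, argrange[0][0], argrange[0][1]);
	  if (argrange[1][0] != argrange [1][1])
	    inform (loc, "argument %i in the range [%E, %E]",
		    idx[1] + 1, argrange[1][0], argrange[1][1]);
	}
    }

  /* Point at the callee when one is known; a built-in has no useful
     declaration location so the note goes on the call instead.  */
  if (warned && fn)
    {
      location_t fnloc = DECL_SOURCE_LOCATION (fn);

      if (DECL_IS_UNDECLARED_BUILTIN (fn))
	inform (loc,
		"in a call to built-in allocation function %qD", fn);
      else
	inform (fnloc,
		"in a call to allocation function %qD declared here", fn);
    }
}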
2380
2381 /* Check a call to an alloca function for an excessive size. */
2382
void
pass_waccess::check_alloca (gcall *stmt)
{
  if (m_early_checks_p)
    return;

  /* -Walloca-larger-than and -Wvla-larger-than settings of less than
     HWI_MAX override the more general -Walloc-size-larger-than, in
     which case the call has already been checked elsewhere.  Only when
     one of them is unbounded and -Walloc-size-larger-than is tighter
     is there anything left to diagnose here.  */
  const bool vla_unbounded
    = (warn_vla_limit >= HOST_WIDE_INT_MAX
       && warn_alloc_size_limit < warn_vla_limit);
  const bool alloca_unbounded
    = (warn_alloca_limit >= HOST_WIDE_INT_MAX
       && warn_alloc_size_limit < warn_alloca_limit);
  if (!vla_unbounded && !alloca_unbounded)
    return;

  /* alloca has a single size argument; there is no second one.  */
  const tree alloc_args[] = { call_arg (stmt, 0), NULL_TREE };
  const int idx[] = { 0, -1 };
  maybe_warn_alloc_args_overflow (stmt, alloc_args, idx);
}
2404
2405 /* Check a call to an allocation function for an excessive size. */
2406
void
pass_waccess::check_alloc_size_call (gcall *stmt)
{
  if (m_early_checks_p)
    return;

  const unsigned nargs = gimple_call_num_args (stmt);
  /* Avoid invalid calls to functions without a prototype.  */
  if (nargs < 1)
    return;

  /* The alloca variants are handled by check_alloca.  */
  if (tree fndecl = gimple_call_fndecl (stmt))
    if (gimple_call_builtin_p (stmt, BUILT_IN_NORMAL))
      switch (DECL_FUNCTION_CODE (fndecl))
	{
	case BUILT_IN_ALLOCA:
	case BUILT_IN_ALLOCA_WITH_ALIGN:
	case BUILT_IN_ALLOCA_WITH_ALIGN_AND_MAX:
	  return;
	default:
	  break;
	}

  /* Attribute alloc_size is looked up on the type of the called
     expression, which may be a function or a function pointer.  */
  tree fntype = gimple_call_fntype (stmt);
  tree alloc_size = lookup_attribute ("alloc_size", TYPE_ATTRIBUTES (fntype));
  if (!alloc_size)
    return;

  /* Translate the attribute's 1-based argument positions into 0-based
     indices in IDX and fetch the actual arguments into ALLOC_ARGS,
     bailing out when a position is out of range (again a call without
     a prototype).  */
  int idx[2] = { -1, -1 };
  tree alloc_args[] = { NULL_TREE, NULL_TREE };

  tree positions = TREE_VALUE (alloc_size);
  idx[0] = TREE_INT_CST_LOW (TREE_VALUE (positions)) - 1;
  if ((unsigned) idx[0] >= nargs)
    return;
  alloc_args[0] = call_arg (stmt, idx[0]);

  if (tree second = TREE_CHAIN (positions))
    {
      idx[1] = TREE_INT_CST_LOW (TREE_VALUE (second)) - 1;
      if ((unsigned) idx[1] >= nargs)
	return;
      alloc_args[1] = call_arg (stmt, idx[1]);
    }

  maybe_warn_alloc_args_overflow (stmt, alloc_args, idx);
}
2463
2464 /* Check a call STMT to strcat() for overflow and warn if it does. */
2465
void
pass_waccess::check_strcat (gcall *stmt)
{
  if (m_early_checks_p)
    return;

  if (!warn_stringop_overflow && !warn_stringop_overread)
    return;

  tree dst = call_arg (stmt, 0);
  tree src = call_arg (stmt, 1);

  /* The length of the string already in the destination is unknowable
     here, so the only case diagnosed is a source string longer than
     the destination object itself.  */
  access_data data (m_ptr_qry.rvals, stmt, access_read_write, NULL_TREE,
		    true, NULL_TREE, true);

  /* -Wstringop-overflow=N selects Object Size type N - 1; with only
     -Wstringop-overread enabled use type 1.  */
  int ost = 1;
  if (warn_stringop_overflow)
    ost = warn_stringop_overflow - 1;

  compute_objsize (src, stmt, ost, &data.src, &m_ptr_qry);
  tree dstsize = compute_objsize (dst, stmt, ost, &data.dst, &m_ptr_qry);

  check_access (stmt, /*dstwrite=*/NULL_TREE, /*maxread=*/NULL_TREE,
		src, dstsize, data.mode, &data, m_ptr_qry.rvals);
}
2491
/* Check a call STMT to strncat() for overflow and overread and warn if
   it does.  Unlike check_strcat, the bound argument is taken into
   account, including a bound equal to the destination size.  */
2493
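void
pass_waccess::check_strncat (gcall *stmt)
{
  if (m_early_checks_p)
    return;

  if (!warn_stringop_overflow && !warn_stringop_overread)
    return;

  tree dest = call_arg (stmt, 0);
  tree src = call_arg (stmt, 1);
  /* The upper bound on the number of bytes to write.  */
  tree maxread = call_arg (stmt, 2);

  /* Detect unterminated source (only).  */
  if (!check_nul_terminated_array (stmt, src, maxread))
    return;

  /* The length of the source sequence.  */
  tree slen = c_strlen (src, 1);

  /* Try to determine the range of lengths that the source expression
     refers to.  Since the lengths are only used for warning and not
     for code generation disable strict mode below.  */
  tree maxlen = slen;
  if (!maxlen)
    {
      c_strlen_data lendata = { };
      get_range_strlen (src, &lendata, /* eltsize = */ 1);
      maxlen = lendata.maxbound;
    }

  access_data data (m_ptr_qry.rvals, stmt, access_read_write);
  /* Try to verify that the destination is big enough for the shortest
     string.  First try to determine the size of the destination object
     into which the source is being copied.  -Wstringop-overflow=N
     selects Object Size type N - 1; as in check_strcat and check_stxcpy,
     fall back to type 1 when only -Wstringop-overread is enabled so the
     type passed to compute_objsize never goes negative.  */
  const int ost = warn_stringop_overflow ? warn_stringop_overflow - 1 : 1;
  tree destsize = compute_objsize (dest, stmt, ost, &data.dst, &m_ptr_qry);

  /* Add one for the terminating nul.  */
  tree srclen = (maxlen
		 ? fold_build2 (PLUS_EXPR, size_type_node, maxlen,
				size_one_node)
		 : NULL_TREE);

  /* The strncat function copies at most MAXREAD bytes and always appends
     the terminating nul so the specified upper bound should never be equal
     to (or greater than) the size of the destination.  */
  if (tree_fits_uhwi_p (maxread) && tree_fits_uhwi_p (destsize)
      && tree_int_cst_equal (destsize, maxread))
    {
      location_t loc = get_location (stmt);
      warning_at (loc, OPT_Wstringop_overflow_,
		  "%qD specified bound %E equals destination size",
		  get_callee_fndecl (stmt), maxread);

      return;
    }

  /* With no known source length, or a bound smaller than it, the bound
     is what limits the number of bytes read.  */
  if (!srclen
      || (maxread && tree_fits_uhwi_p (maxread)
	  && tree_fits_uhwi_p (srclen)
	  && tree_int_cst_lt (maxread, srclen)))
    srclen = maxread;

  check_access (stmt, /*dstwrite=*/NULL_TREE, maxread, srclen,
		destsize, data.mode, &data, m_ptr_qry.rvals);
}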
2562
2563 /* Check a call STMT to stpcpy() or strcpy() for overflow and warn
2564 if it does. */
2565
void
pass_waccess::check_stxcpy (gcall *stmt)
{
  if (m_early_checks_p)
    return;

  tree dst = call_arg (stmt, 0);
  tree src = call_arg (stmt, 1);

  /* A constant source array without a terminating nul is diagnosed
     on its own and nothing further is checked.  */
  tree arrsize;
  bool sizexact;
  tree nonstr = unterminated_array (src, &arrsize, &sizexact);
  if (nonstr)
    {
      warn_string_no_nul (get_location (stmt), stmt, NULL, src, nonstr,
			  arrsize, sizexact);
      return;
    }

  if (warn_stringop_overflow)
    {
      /* Compare the source string against the destination object using
	 the Object Size type selected by -Wstringop-overflow=N (N is
	 known to be nonzero here).  */
      access_data data (m_ptr_qry.rvals, stmt, access_read_write, NULL_TREE,
			true, NULL_TREE, true);
      const int ost = warn_stringop_overflow - 1;
      compute_objsize (src, stmt, ost, &data.src, &m_ptr_qry);
      tree dstsize = compute_objsize (dst, stmt, ost, &data.dst, &m_ptr_qry);
      check_access (stmt, /*dstwrite=*/ NULL_TREE,
		    /*maxread=*/ NULL_TREE, /*srcstr=*/ src,
		    dstsize, data.mode, &data, m_ptr_qry.rvals);
    }

  /* Finally, an argument declared attribute nonstring isn't known to
     be nul-terminated at this point, so warn about it.  */
  maybe_warn_nonstring_arg (get_callee_fndecl (stmt), stmt);
}
2603
2604 /* Check a call STMT to stpncpy() or strncpy() for overflow and warn
2605 if it does. */
2606
void
pass_waccess::check_stxncpy (gcall *stmt)
{
  if (m_early_checks_p)
    return;
  if (!warn_stringop_overflow)
    return;

  tree dst = call_arg (stmt, 0);
  tree src = call_arg (stmt, 1);
  /* The number of bytes to write (not the maximum).  */
  tree len = call_arg (stmt, 2);

  /* LEN bounds both the read from SRC and the write to DST.  */
  access_data data (m_ptr_qry.rvals, stmt, access_read_write, len, true, len,
		    true);

  /* -Wstringop-overflow=N selects Object Size type N - 1; N is known
     to be nonzero here.  */
  const int ost = warn_stringop_overflow - 1;
  compute_objsize (src, stmt, ost, &data.src, &m_ptr_qry);
  tree dstsize = compute_objsize (dst, stmt, ost, &data.dst, &m_ptr_qry);

  check_access (stmt, /*dstwrite=*/len, /*maxread=*/len, src, dstsize,
		data.mode, &data, m_ptr_qry.rvals);
}
2627
/* Check a call STMT to strncmp() for reads past the end of either
   argument and warn (-Wstringop-overread) if it finds any.  */
2630
void
pass_waccess::check_strncmp (gcall *stmt)
{
  /* Only -Wstringop-overread is issued here, and only by the late
     instance of the pass.  */
  if (m_early_checks_p || !warn_stringop_overread)
    return;

  tree arg1 = call_arg (stmt, 0);
  tree arg2 = call_arg (stmt, 1);
  tree bound = call_arg (stmt, 2);

  /* First check each argument separately, considering the bound.  */
  if (!check_nul_terminated_array (stmt, arg1, bound)
      || !check_nul_terminated_array (stmt, arg2, bound))
    return;

  /* A strncmp read from each argument is constrained not just by
     the bound but also by the length of the shorter string.  Specifying
     a bound that's larger than the size of either array makes no sense
     and is likely a bug.  When the length of neither of the two strings
     is known but the sizes of both of the arrays they are stored in is,
     issue a warning if the bound is larger than the size of
     the larger of the two arrays.  */

  /* Besides the lengths, LENDATA1/LENDATA2 record in their .decl member
     whether the argument is a constant array with no nul (used below).  */
  c_strlen_data lendata1{ }, lendata2{ };
  tree len1 = c_strlen (arg1, 1, &lendata1);
  tree len2 = c_strlen (arg2, 1, &lendata2);

  /* Only constant lengths are usable in the comparisons below.  */
  if (len1 && TREE_CODE (len1) != INTEGER_CST)
    len1 = NULL_TREE;
  if (len2 && TREE_CODE (len2) != INTEGER_CST)
    len2 = NULL_TREE;

  if (len1 && len2)
    /* If the length of both arguments was computed they must both be
       nul-terminated and no further checking is necessary regardless
       of the bound.  */
    return;

  /* Check to see if the argument was declared with attribute nonstring
     and if so, issue a warning since at this point it's not known to be
     nul-terminated.  */
  if (maybe_warn_nonstring_arg (get_callee_fndecl (stmt), stmt))
    return;

  /* One read-only access descriptor per argument, each bounded by BOUND.  */
  access_data adata1 (m_ptr_qry.rvals, stmt, access_read_only, NULL_TREE, false,
		      bound, true);
  access_data adata2 (m_ptr_qry.rvals, stmt, access_read_only, NULL_TREE, false,
		      bound, true);

  /* Determine the range of the bound first and bail if it fails; it's
     cheaper than computing the size of the objects.  A lower bound of
     zero means the call need not read anything.  */
  tree bndrng[2] = { NULL_TREE, NULL_TREE };
  get_size_range (m_ptr_qry.rvals, bound, stmt, bndrng, adata1.src_bndrng);
  if (!bndrng[0] || integer_zerop (bndrng[0]))
    return;

  /* A known (shorter) string length further limits how much is
     certainly read.  */
  if (len1 && tree_int_cst_lt (len1, bndrng[0]))
    bndrng[0] = len1;
  if (len2 && tree_int_cst_lt (len2, bndrng[0]))
    bndrng[0] = len2;

  /* compute_objsize almost never fails (and ultimately should never
     fail).  Don't bother to handle the rare case when it does.  */
  if (!compute_objsize (arg1, stmt, 1, &adata1.src, &m_ptr_qry)
      || !compute_objsize (arg2, stmt, 1, &adata2.src, &m_ptr_qry))
    return;

  /* Compute the size of the remaining space in each array after
     subtracting any offset into it.  */
  offset_int rem1 = adata1.src.size_remaining ();
  offset_int rem2 = adata2.src.size_remaining ();

  /* Cap REM1 and REM2 at the other if the other's argument is known
     to be an unterminated array, either because there's no space
     left in it after adding its offset or because it's constant and
     has no nul.  */
  if (rem1 == 0 || (rem1 < rem2 && lendata1.decl))
    rem2 = rem1;
  else if (rem2 == 0 || (rem2 < rem1 && lendata2.decl))
    rem1 = rem2;

  /* Point PAD at the array to reference in the note if a warning
     is issued: the one whose length is not known.  */
  access_data *pad = len1 ? &adata2 : &adata1;
  offset_int maxrem = wi::max (rem1, rem2, UNSIGNED);
  if (lendata1.decl || lendata2.decl
      || maxrem < wi::to_offset (bndrng[0]))
    {
      /* Warn when either argument isn't nul-terminated or the maximum
	 remaining space in the two arrays is less than the bound.  */
      tree func = get_callee_fndecl (stmt);
      location_t loc = gimple_location (stmt);
      maybe_warn_for_bound (OPT_Wstringop_overread, loc, stmt, func,
			    bndrng, wide_int_to_tree (sizetype, maxrem),
			    pad);
    }
}
2728
/* Determine and check the sizes of the source and the destination
   of calls to __builtin_{bzero,memcpy,mempcpy,memset} calls.  STMT is
   the call statement, DEST is the destination argument, SRC is the source
   argument or null, and SIZE is the number of bytes being accessed.  Use
   Object Size type-0 regardless of the OPT_Wstringop_overflow_ setting.
   Any overflow or invalid size is diagnosed by check_access; nothing
   is returned.  */
2735
void
pass_waccess::check_memop_access (gimple *stmt, tree dest, tree src, tree size)
{
  if (m_early_checks_p)
    return;

  /* For functions like memset and memcpy that operate on raw memory
     try to determine the size of the largest source and destination
     object using type-0 Object Size regardless of the object size
     type specified by the option.  */
  const int ost = 0;
  access_data data (m_ptr_qry.rvals, stmt, access_read_write);

  /* memset-like calls have no source.  */
  tree srcsize = NULL_TREE;
  if (src)
    srcsize = compute_objsize (src, stmt, ost, &data.src, &m_ptr_qry);
  tree dstsize = compute_objsize (dest, stmt, ost, &data.dst, &m_ptr_qry);

  check_access (stmt, size, /*maxread=*/NULL_TREE, srcsize, dstsize,
		data.mode, &data, m_ptr_qry.rvals);
}
2754
2755 /* A convenience wrapper for check_access to check access by a read-only
2756 function like puts or strcmp. */
2757
void
pass_waccess::check_read_access (gimple *stmt, tree src,
				 tree bound /* = NULL_TREE */,
				 int ost /* = 1 */)
{
  if (m_early_checks_p)
    return;
  if (!warn_stringop_overread)
    return;

  /* Convert the bound to size_t unless it already is one.  */
  if (bound)
    {
      tree bndtype = TREE_TYPE (bound);
      if (!useless_type_conversion_p (size_type_node, bndtype))
	bound = fold_convert (size_type_node, bound);
    }

  /* An argument declared attribute nonstring isn't known to be
     nul-terminated here, so warn about it first.  */
  tree fndecl = get_callee_fndecl (stmt);
  maybe_warn_nonstring_arg (fndecl, stmt);

  /* Only the source is described; there is no destination to check.  */
  access_data data (m_ptr_qry.rvals, stmt, access_read_only, NULL_TREE,
		    false, bound, true);
  compute_objsize (src, stmt, ost, &data.src, &m_ptr_qry);
  check_access (stmt, /*dstwrite=*/ NULL_TREE, /*maxread=*/ bound,
		/*srcstr=*/ src, /*dstsize=*/ NULL_TREE, data.mode,
		&data, m_ptr_qry.rvals);
}
2779
2780 /* Return true if memory model ORD is constant in the context of STMT and
2781 set *CSTVAL to the constant value. Otherwise return false. Warn for
2782 invalid ORD. */
2783
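bool
memmodel_to_uhwi (tree ord, gimple *stmt, unsigned HOST_WIDE_INT *cstval)
{
  unsigned HOST_WIDE_INT val;

  if (TREE_CODE (ord) == INTEGER_CST)
    {
      /* A constant that doesn't fit an unsigned HWI is treated as
	 unknown rather than diagnosed.  */
      if (!tree_fits_uhwi_p (ord))
	return false;
      val = tree_to_uhwi (ord);
    }
  else
    {
      /* Use the range query to determine constant values in the absence
	 of constant propagation (such as at -O0).  */
      Value_Range rng (TREE_TYPE (ord));
      if (!get_range_query (cfun)->range_of_expr (rng, ord, stmt)
	  || !rng.singleton_p (&ord))
	return false;

      wide_int lob = rng.lower_bound ();
      if (!wi::fits_uhwi_p (lob))
	return false;

      /* LOB is known to fit an unsigned HWI, so extract it as one;
	 extracting it as a signed HWI would rely on the implicit
	 conversion for values with the high bit set.  */
      val = lob.to_uhwi ();
    }

  if (targetm.memmodel_check)
    /* This might warn for an invalid VAL but return a conservatively
       valid result.  */
    val = targetm.memmodel_check (val);
  else if (val & ~MEMMODEL_MASK)
    {
      /* Bits outside the model are target-specific; without a target
	 hook to validate them they are simply unknown.  */
      tree fndecl = gimple_call_fndecl (stmt);
      location_t loc = gimple_location (stmt);
      loc = expansion_point_location_if_in_system_header (loc);

      warning_at (loc, OPT_Winvalid_memory_model,
		  "unknown architecture specifier in memory model "
		  "%wi for %qD", val, fndecl);
      return false;
    }

  *cstval = val;

  return true;
}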
2831
2832 /* Valid memory model for each set of atomic built-in functions. */
2833
/* A memory model paired with the memory_order_* name used for it in
   diagnostics.  */
struct memmodel_pair
{
  memmodel modval;
  const char* modname;

/* Build an initializer from the MEMMODEL_ enumerator suffix VAL and the
   name suffix STR; used by the MEMORY_MODELS table below.  */
#define MEMMODEL_PAIR(val, str) \
  { MEMMODEL_ ## val, "memory_order_" str }
};
2842
/* Valid memory models.  The *_models index arrays below refer to these
   entries by position, so the order must not be changed.  Note that this
   is not the order of increasing strength (memory_order_seq_cst, the
   strongest, comes second); comparisons of strength in
   maybe_warn_memmodel use the numeric memmodel_base values instead.  */
2844
static const memmodel_pair memory_models[] =
{ MEMMODEL_PAIR (RELAXED, "relaxed"),	/* index 0 */
  MEMMODEL_PAIR (SEQ_CST, "seq_cst"),	/* index 1 */
  MEMMODEL_PAIR (ACQUIRE, "acquire"),	/* index 2 */
  MEMMODEL_PAIR (CONSUME, "consume"),	/* index 3 */
  MEMMODEL_PAIR (RELEASE, "release"),	/* index 4 */
  MEMMODEL_PAIR (ACQ_REL, "acq_rel")	/* index 5 */
};
2853
2854 /* Return the name of the memory model VAL. */
2855
static const char*
memmodel_name (unsigned HOST_WIDE_INT val)
{
  /* Only the base model is named; architecture-specific bits are ignored.  */
  const unsigned HOST_WIDE_INT base = memmodel_base (val);

  const memmodel_pair *const end
    = memory_models + ARRAY_SIZE (memory_models);
  for (const memmodel_pair *pair = memory_models; pair != end; ++pair)
    if (base == pair->modval)
      return pair->modname;

  /* Not a known model.  */
  return NULL;
}
2868
2869 /* Indices of valid MEMORY_MODELS above for corresponding atomic operations. */
/* Each list is terminated by UCHAR_MAX.  The indices refer to the
   positions in MEMORY_MODELS: 0 relaxed, 1 seq_cst, 2 acquire,
   3 consume, 4 release, 5 acq_rel.  */
static const unsigned char load_models[] = { 0, 1, 2, 3, UCHAR_MAX };
static const unsigned char store_models[] = { 0, 1, 4, UCHAR_MAX };
static const unsigned char xchg_models[] = { 0, 1, 3, 4, 5, UCHAR_MAX };
static const unsigned char flag_clr_models[] = { 0, 1, 4, UCHAR_MAX };
static const unsigned char all_models[] = { 0, 1, 2, 3, 4, 5, UCHAR_MAX };
2875
2876 /* Check the success memory model argument ORD_SUCS to the call STMT to
2877 an atomic function and warn if it's invalid. If nonnull, also check
2878 the failure memory model ORD_FAIL and warn if it's invalid. Return
2879 true if a warning has been issued. */
2880
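bool
pass_waccess::maybe_warn_memmodel (gimple *stmt, tree ord_sucs,
				   tree ord_fail, const unsigned char *valid)
{
  /* Nothing to check unless both models are known constants;
     memmodel_to_uhwi has already diagnosed unknown architecture bits.  */
  unsigned HOST_WIDE_INT sucs, fail = 0;
  if (!memmodel_to_uhwi (ord_sucs, stmt, &sucs)
      || (ord_fail && !memmodel_to_uhwi (ord_fail, stmt, &fail)))
    return false;

  /* A null VALID means every model is accepted for this function.  */
  bool is_valid = false;
  if (valid)
    for (unsigned i = 0; valid[i] != UCHAR_MAX; ++i)
      {
	memmodel model = memory_models[valid[i]].modval;
	if (memmodel_base (sucs) == model)
	  {
	    is_valid = true;
	    break;
	  }
      }
  else
    is_valid = true;

  tree fndecl = gimple_call_fndecl (stmt);
  location_t loc = gimple_location (stmt);
  loc = expansion_point_location_if_in_system_header (loc);

  if (!is_valid)
    {
      bool warned = false;
      auto_diagnostic_group d;
      if (const char *modname = memmodel_name (sucs))
	warned = warning_at (loc, OPT_Winvalid_memory_model,
			     "invalid memory model %qs for %qD",
			     modname, fndecl);
      else
	warned = warning_at (loc, OPT_Winvalid_memory_model,
			     "invalid memory model %wi for %qD",
			     sucs, fndecl);

      if (!warned)
	return false;

      /* Print a note with the valid memory models.  VALID is necessarily
	 nonnull here since IS_VALID is false.  */
      pretty_printer pp;
      pp_show_color (&pp) = pp_show_color (global_dc->printer);
      for (unsigned i = 0; valid[i] != UCHAR_MAX; ++i)
	{
	  const char *modname = memory_models[valid[i]].modname;
	  pp_printf (&pp, "%s%qs", i ? ", " : "", modname);
	}

      inform (loc, "valid models are %s", pp_formatted_text (&pp));
      return true;
    }

  if (!ord_fail)
    return false;

  if (fail == MEMMODEL_RELEASE || fail == MEMMODEL_ACQ_REL)
    if (const char *failname = memmodel_name (fail))
      {
	/* If both memory model arguments are valid but their combination
	   is not, use their names in the warning.  */
	auto_diagnostic_group d;
	if (!warning_at (loc, OPT_Winvalid_memory_model,
			 "invalid failure memory model %qs for %qD",
			 failname, fndecl))
	  return false;

	inform (loc,
		"valid failure models are %qs, %qs, %qs, %qs",
		"memory_order_relaxed", "memory_order_seq_cst",
		"memory_order_acquire", "memory_order_consume");
	return true;
      }

  /* Strength is compared on the numeric base values.  */
  if (memmodel_base (fail) <= memmodel_base (sucs))
    return false;

  if (const char *sucsname = memmodel_name (sucs))
    if (const char *failname = memmodel_name (fail))
      {
	/* If both memory model arguments are valid but their combination
	   is not, use their names in the warning.  */
	auto_diagnostic_group d;
	if (!warning_at (loc, OPT_Winvalid_memory_model,
			 "failure memory model %qs cannot be stronger "
			 "than success memory model %qs for %qD",
			 failname, sucsname, fndecl))
	  return false;

	/* Print a note with the valid failure memory models: those with
	   a value less than or equal to the success model, excluding
	   memory_order_release and memory_order_acq_rel, which are never
	   valid failure models (diagnosed above).  Entries are selected
	   by value rather than by position so the result does not depend
	   on the order of MEMORY_MODELS, and the list is built with
	   a pretty_printer like the earlier note rather than in
	   a fixed-size buffer.  */
	pretty_printer pp;
	pp_show_color (&pp) = pp_show_color (global_dc->printer);
	bool first = true;
	for (unsigned i = 0; i != ARRAY_SIZE (memory_models); ++i)
	  {
	    const memmodel model = memory_models[i].modval;
	    if (model > memmodel_base (sucs)
		|| model == MEMMODEL_RELEASE
		|| model == MEMMODEL_ACQ_REL)
	      continue;

	    pp_printf (&pp, "%s%qs", first ? "" : ", ",
		       memory_models[i].modname);
	    first = false;
	  }

	inform (loc, "valid models are %s", pp_formatted_text (&pp));
	return true;
      }

  /* If either memory model argument value is invalid use the numerical
     value of both in the message.  */
  return warning_at (loc, OPT_Winvalid_memory_model,
		     "failure memory model %wi cannot be stronger "
		     "than success memory model %wi for %qD",
		     fail, sucs, fndecl);
}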
2998
2999 /* Wrapper for the above. */
3000
void
pass_waccess::check_atomic_memmodel (gimple *stmt, tree ord_sucs,
				     tree ord_fail, const unsigned char *valid)
{
  /* A call already flagged for -Winvalid-memory-model is not examined
     a second time.  */
  if (warning_suppressed_p (stmt, OPT_Winvalid_memory_model))
    return;

  /* Let maybe_warn_memmodel do the actual checking of the success and
     failure models ORD_SUCS/ORD_FAIL against the VALID table, and record
     the suppression only when it issued a warning so a clean call stays
     eligible for diagnostics elsewhere.  */
  const bool warned = maybe_warn_memmodel (stmt, ord_sucs, ord_fail, valid);
  if (warned)
    suppress_warning (stmt, OPT_Winvalid_memory_model);
}
3013
3014 /* Check a call STMT to an atomic or sync built-in. */
3015
bool
pass_waccess::check_atomic_builtin (gcall *stmt)
{
  /* Check a call STMT to an atomic or sync built-in: validate its memory
     model argument(s) and the size of the access through its pointer
     argument(s).  Return true when STMT is one of the handled built-ins,
     whether or not anything was diagnosed; false otherwise.  */
  tree callee = gimple_call_fndecl (stmt);
  if (!callee)
    return false;

  /* The size in bytes of the access by the function, and the number
     of the second argument to check (if any).  */
  unsigned bytes = 0, arg2 = UINT_MAX;
  /* Zero-based positions of the success memory model argument and, for
     compare-exchange, the failure model argument; UINT_MAX when the
     built-in has none.  */
  unsigned sucs_arg = UINT_MAX, fail_arg = UINT_MAX;
  /* Points to the array of indices of valid memory models.  */
  const unsigned char *pvalid_models = NULL;

  switch (DECL_FUNCTION_CODE (callee))
    {
      /* Case labels for the N-byte variants of the built-ins.  The macro
	 relies on the "case" keyword supplied at each use below and on the
	 trailing semicolon there terminating its last statement.  Only
	 block comments may appear inside it: a line comment would swallow
	 the continuation backslash.  It is not #undef'd afterwards, so the
	 name stays visible for the rest of this file.
	 NOTE(review): BUILT_IN_ATOMIC_EXCHANGE_N takes the success model
	 from argument 3, while a (ptr, val, order) call form would carry it
	 at index 2; for a three-argument call the NARGS guard below skips
	 the model check entirely -- confirm the intended position against
	 the built-in's signature.  */
#define BUILTIN_ACCESS_SIZE_FNSPEC(N) \
      BUILT_IN_SYNC_FETCH_AND_ADD_ ## N: \
      case BUILT_IN_SYNC_FETCH_AND_SUB_ ## N: \
      case BUILT_IN_SYNC_FETCH_AND_OR_ ## N: \
      case BUILT_IN_SYNC_FETCH_AND_AND_ ## N: \
      case BUILT_IN_SYNC_FETCH_AND_XOR_ ## N: \
      case BUILT_IN_SYNC_FETCH_AND_NAND_ ## N: \
      case BUILT_IN_SYNC_ADD_AND_FETCH_ ## N: \
      case BUILT_IN_SYNC_SUB_AND_FETCH_ ## N: \
      case BUILT_IN_SYNC_OR_AND_FETCH_ ## N: \
      case BUILT_IN_SYNC_AND_AND_FETCH_ ## N: \
      case BUILT_IN_SYNC_XOR_AND_FETCH_ ## N: \
      case BUILT_IN_SYNC_NAND_AND_FETCH_ ## N: \
      case BUILT_IN_SYNC_LOCK_TEST_AND_SET_ ## N: \
      case BUILT_IN_SYNC_BOOL_COMPARE_AND_SWAP_ ## N: \
      case BUILT_IN_SYNC_VAL_COMPARE_AND_SWAP_ ## N: \
      case BUILT_IN_SYNC_LOCK_RELEASE_ ## N: \
	bytes = N; \
	break; \
      case BUILT_IN_ATOMIC_LOAD_ ## N: \
	pvalid_models = load_models; \
	sucs_arg = 1; \
	/* FALLTHROUGH */ \
      case BUILT_IN_ATOMIC_STORE_ ## N: \
	if (!pvalid_models) \
	  pvalid_models = store_models; \
	/* FALLTHROUGH */ \
      case BUILT_IN_ATOMIC_ADD_FETCH_ ## N: \
      case BUILT_IN_ATOMIC_SUB_FETCH_ ## N: \
      case BUILT_IN_ATOMIC_AND_FETCH_ ## N: \
      case BUILT_IN_ATOMIC_NAND_FETCH_ ## N: \
      case BUILT_IN_ATOMIC_XOR_FETCH_ ## N: \
      case BUILT_IN_ATOMIC_OR_FETCH_ ## N: \
      case BUILT_IN_ATOMIC_FETCH_ADD_ ## N: \
      case BUILT_IN_ATOMIC_FETCH_SUB_ ## N: \
      case BUILT_IN_ATOMIC_FETCH_AND_ ## N: \
      case BUILT_IN_ATOMIC_FETCH_NAND_ ## N: \
      case BUILT_IN_ATOMIC_FETCH_OR_ ## N: \
      case BUILT_IN_ATOMIC_FETCH_XOR_ ## N: \
	bytes = N; \
	if (sucs_arg == UINT_MAX) \
	  sucs_arg = 2; \
	if (!pvalid_models) \
	  pvalid_models = all_models; \
	break; \
      case BUILT_IN_ATOMIC_EXCHANGE_ ## N: \
	bytes = N; \
	sucs_arg = 3; \
	pvalid_models = xchg_models; \
	break; \
      case BUILT_IN_ATOMIC_COMPARE_EXCHANGE_ ## N: \
	bytes = N; \
	sucs_arg = 4; \
	fail_arg = 5; \
	pvalid_models = all_models; \
	arg2 = 1

      /* One expansion per supported access size.  */
    case BUILTIN_ACCESS_SIZE_FNSPEC (1);
      break;
    case BUILTIN_ACCESS_SIZE_FNSPEC (2);
      break;
    case BUILTIN_ACCESS_SIZE_FNSPEC (4);
      break;
    case BUILTIN_ACCESS_SIZE_FNSPEC (8);
      break;
    case BUILTIN_ACCESS_SIZE_FNSPEC (16);
      break;

      /* The flag-clear built-in has a memory model but BYTES stays zero,
	 so only the model is checked below.  */
    case BUILT_IN_ATOMIC_CLEAR:
      sucs_arg = 1;
      pvalid_models = flag_clr_models;
      break;

    default:
      return false;
    }

  /* Check the memory model argument(s) when the call actually has them.
     An out-of-range position is skipped silently rather than asserted.  */
  unsigned nargs = gimple_call_num_args (stmt);
  if (sucs_arg < nargs)
    {
      tree ord_sucs = gimple_call_arg (stmt, sucs_arg);
      tree ord_fail = NULL_TREE;
      if (fail_arg < nargs)
	ord_fail = gimple_call_arg (stmt, fail_arg);
      check_atomic_memmodel (stmt, ord_sucs, ord_fail, pvalid_models);
    }

  /* Nothing further to do when the built-in implies no sized access.  */
  if (!bytes)
    return true;

  /* Check that the object the first argument points to is large enough
     for a BYTES-byte read-write access.  */
  tree size = build_int_cstu (sizetype, bytes);
  tree dst = gimple_call_arg (stmt, 0);
  check_memop_access (stmt, dst, NULL_TREE, size);

  /* For compare-exchange also check the "expected" argument.  */
  if (arg2 != UINT_MAX)
    {
      tree dst = gimple_call_arg (stmt, arg2);
      check_memop_access (stmt, dst, NULL_TREE, size);
    }

  return true;
}
3134
3135 /* Check call STMT to a built-in function for invalid accesses. Return
3136 true if a call has been handled. */
3137
bool
pass_waccess::check_builtin (gcall *stmt)
{
  /* Dispatch a call STMT to a built-in to the checker for its class of
     accesses.  Return true when the call was handled, false otherwise.  */
  tree callee = gimple_call_fndecl (stmt);
  if (!callee)
    return false;

  switch (DECL_FUNCTION_CODE (callee))
    {
      /* Stack allocation.  */
    case BUILT_IN_ALLOCA:
    case BUILT_IN_ALLOCA_WITH_ALIGN:
    case BUILT_IN_ALLOCA_WITH_ALIGN_AND_MAX:
      check_alloca (stmt);
      return true;

      /* Deallocation: look at the uses of the freed pointer, but only
	 when not running the early checks.  */
    case BUILT_IN_FREE:
    case BUILT_IN_REALLOC:
      if (!m_early_checks_p)
	{
	  tree freed = call_arg (stmt, 0);
	  if (TREE_CODE (freed) == SSA_NAME)
	    check_pointer_uses (stmt, freed);
	}
      return true;

      /* Built-ins checked as a read through their first argument.  */
    case BUILT_IN_EXECL:
    case BUILT_IN_EXECLE:
    case BUILT_IN_EXECLP:
    case BUILT_IN_EXECV:
    case BUILT_IN_EXECVE:
    case BUILT_IN_EXECVP:
    case BUILT_IN_GETTEXT:
    case BUILT_IN_PUTS:
    case BUILT_IN_PUTS_UNLOCKED:
    case BUILT_IN_STRDUP:
    case BUILT_IN_INDEX:
    case BUILT_IN_RINDEX:
    case BUILT_IN_STRCHR:
    case BUILT_IN_STRRCHR:
    case BUILT_IN_STRLEN:
    case BUILT_IN_FPUTS:
    case BUILT_IN_FPUTS_UNLOCKED:
      check_read_access (stmt, call_arg (stmt, 0));
      return true;

      /* Bounded reads of the first argument, limited by the second.  */
    case BUILT_IN_STRNDUP:
    case BUILT_IN_STRNLEN:
      {
	tree src = call_arg (stmt, 0);
	tree bound = call_arg (stmt, 1);
	check_read_access (stmt, src, bound);
	return true;
      }

      /* String concatenation and copying have dedicated checkers.  */
    case BUILT_IN_STRCAT:
      check_strcat (stmt);
      return true;

    case BUILT_IN_STRNCAT:
      check_strncat (stmt);
      return true;

    case BUILT_IN_STPCPY:
    case BUILT_IN_STRCPY:
      check_stxcpy (stmt);
      return true;

    case BUILT_IN_STPNCPY:
    case BUILT_IN_STRNCPY:
      check_stxncpy (stmt);
      return true;

      /* Built-ins that read two string arguments.  */
    case BUILT_IN_STRCASECMP:
    case BUILT_IN_STRCMP:
    case BUILT_IN_STRPBRK:
    case BUILT_IN_STRSPN:
    case BUILT_IN_STRCSPN:
    case BUILT_IN_STRSTR:
      check_read_access (stmt, call_arg (stmt, 0));
      check_read_access (stmt, call_arg (stmt, 1));
      return true;

    case BUILT_IN_STRNCASECMP:
    case BUILT_IN_STRNCMP:
      check_strncmp (stmt);
      return true;

      /* Raw memory reads of both operands, bounded by the third.  */
    case BUILT_IN_MEMCMP:
      {
	tree lhs = call_arg (stmt, 0);
	tree rhs = call_arg (stmt, 1);
	tree nbytes = call_arg (stmt, 2);
	check_read_access (stmt, lhs, nbytes, 0);
	check_read_access (stmt, rhs, nbytes, 0);
	return true;
      }

      /* Raw memory copies: destination written, source read.  */
    case BUILT_IN_MEMCPY:
    case BUILT_IN_MEMPCPY:
    case BUILT_IN_MEMMOVE:
      {
	tree dest = call_arg (stmt, 0);
	tree source = call_arg (stmt, 1);
	tree nbytes = call_arg (stmt, 2);
	check_memop_access (stmt, dest, source, nbytes);
	return true;
      }

    case BUILT_IN_MEMCHR:
      {
	tree source = call_arg (stmt, 0);
	tree nbytes = call_arg (stmt, 2);
	check_read_access (stmt, source, nbytes, 0);
	return true;
      }

    case BUILT_IN_MEMSET:
      {
	tree dest = call_arg (stmt, 0);
	tree nbytes = call_arg (stmt, 2);
	check_memop_access (stmt, dest, NULL_TREE, nbytes);
	return true;
      }

    default:
      break;
    }

  /* Anything else is handled only if it is an atomic or sync built-in.  */
  return check_atomic_builtin (stmt);
}
3279
3280 /* Returns the type of the argument ARGNO to function with type FNTYPE
3281 or null when the type cannot be determined or no such argument exists. */
3282
static tree
fntype_argno_type (tree fntype, unsigned argno)
{
  /* Without a prototype the parameter types are unknown.  */
  if (!prototype_p (fntype))
    return NULL_TREE;

  /* Walk the parameter list counting positions until ARGNO is reached.  */
  unsigned pos = 0;
  tree argtype;
  function_args_iterator it;
  FOREACH_FUNCTION_ARGS (fntype, argtype, it)
    {
      if (pos == argno)
	return argtype;
      ++pos;
    }

  /* Fewer than ARGNO + 1 parameters.  */
  return NULL_TREE;
}
3297
3298 /* Helper to append the "human readable" attribute access specification
3299 described by ACCESS to the array ATTRSTR with size STRSIZE. Used in
3300 diagnostics. */
3301
static inline void
append_attrname (const std::pair<int, attr_access> &access,
		 char *attrstr, size_t strsize)
{
  /* Internal (compiler-generated) access specifications have no
     user-visible attribute to name.  */
  const attr_access &acc = access.second;
  if (acc.internal_p)
    return;

  /* Despite the name, the attribute string replaces the previous
     contents of ATTRSTR rather than being appended to them.  The assert
     relies on TREE_STRING_LENGTH covering the terminating nul.  */
  tree str = acc.to_external_string ();
  const size_t len = (size_t) TREE_STRING_LENGTH (str);
  gcc_assert (strsize >= len);
  strcpy (attrstr, TREE_STRING_POINTER (str));
}
3313
3314 /* Iterate over attribute access read-only, read-write, and write-only
3315 arguments and diagnose past-the-end accesses and related problems
3316 in the function call STMT. */
3317
void
pass_waccess::maybe_check_access_sizes (rdwr_map *rwm, tree fndecl, tree fntype,
					gimple *stmt)
{
  /* For each attribute access entry in *RWM that has a pointer argument,
     diagnose negative sizes, null pointers with positive sizes, and
     accesses past the end of the pointed-to object in the call STMT.
     FNDECL may be null for an indirect call; FNTYPE supplies the
     parameter types.  All diagnostics for the call are grouped with a
     single trailing note.  */
  auto_diagnostic_group adg;

  /* Set if a warning has been issued for any argument (used to decide
     whether to emit an informational note at the end).  */
  opt_code opt_warned = no_warning;

  /* A string describing the attributes that the warnings issued by this
     function apply to.  Used to print one informational note per function
     call, rather than one per warning.  That reduces clutter.  Note that
     append_attrname overwrites the buffer, so it ends up naming the
     attribute of the last argument diagnosed.  */
  char attrstr[80];
  attrstr[0] = 0;

  for (rdwr_map::iterator it = rwm->begin (); it != rwm->end (); ++it)
    {
      std::pair<int, attr_access> access = *it;

      /* Get the function call arguments corresponding to the attribute's
	 positional arguments.  When both arguments have been specified
	 there will be two entries in *RWM, one for each.  They are
	 cross-referenced by their respective argument numbers in
	 ACCESS.PTRARG and ACCESS.SIZARG.  */
      const int ptridx = access.second.ptrarg;
      const int sizidx = access.second.sizarg;

      gcc_assert (ptridx != -1);
      gcc_assert (access.first == ptridx || access.first == sizidx);

      /* The pointer is set to null for the entry corresponding to
	 the size argument.  Skip it.  It's handled when the entry
	 corresponding to the pointer argument comes up.  */
      if (!access.second.ptr)
	continue;

      tree ptrtype = fntype_argno_type (fntype, ptridx);
      if (!ptrtype)
	/* A function with a prototype was redeclared without one and
	   the prototype has been lost.  See pr102759.  Avoid dealing
	   with this pathological case.  */
	return;

      tree argtype = TREE_TYPE (ptrtype);

      /* The size of the access by the call in elements.  */
      tree access_nelts;
      if (sizidx == -1)
	{
	  /* If only the pointer attribute operand was specified and
	     not size, set SIZE to the greater of MINSIZE or size of
	     one element of the pointed to type to detect smaller
	     objects (null pointers are diagnosed in this case only
	     if the pointer is also declared with attribute nonnull.  */
	  if (access.second.minsize
	      && access.second.minsize != HOST_WIDE_INT_M1U)
	    access_nelts = build_int_cstu (sizetype, access.second.minsize);
	  else if (VOID_TYPE_P (argtype) && access.second.mode == access_none)
	    /* Treat access mode none on a void* argument as expecting
	       as little as zero bytes.  */
	    access_nelts = size_zero_node;
	  else
	    access_nelts = size_one_node;
	}
      else
	/* The size entry's actual argument, as recorded by the caller.  */
	access_nelts = rwm->get (sizidx)->size;

      /* Format the value or range to avoid an explosion of messages.
	 SIZRNG defaults to the full unsigned range when no range is
	 known; SIZSTR is left empty in that case.  */
      char sizstr[80];
      tree sizrng[2] = { size_zero_node, build_all_ones_cst (sizetype) };
      if (get_size_range (m_ptr_qry.rvals, access_nelts, stmt, sizrng, 1))
	{
	  char *s0 = print_generic_expr_to_str (sizrng[0]);
	  if (tree_int_cst_equal (sizrng[0], sizrng[1]))
	    {
	      gcc_checking_assert (strlen (s0) < sizeof sizstr);
	      strcpy (sizstr, s0);
	    }
	  else
	    {
	      /* The %.37s precisions bound the formatted output to
		 2 * 37 + 4 + 1 bytes, which fits SIZSTR.  */
	      char *s1 = print_generic_expr_to_str (sizrng[1]);
	      gcc_checking_assert (strlen (s0) + strlen (s1)
				   < sizeof sizstr - 4);
	      sprintf (sizstr, "[%.37s, %.37s]", s0, s1);
	      free (s1);
	    }
	  free (s0);
	}
      else
	*sizstr = '\0';

      /* Set if a warning has been issued for the current argument.  */
      opt_code arg_warned = no_warning;
      location_t loc = get_location (stmt);
      tree ptr = access.second.ptr;
      if (*sizstr
	  && tree_int_cst_sgn (sizrng[0]) < 0
	  && tree_int_cst_sgn (sizrng[1]) < 0)
	{
	  /* Warn about negative sizes.  */
	  if (access.second.internal_p)
	    {
	      const std::string argtypestr
		= access.second.array_as_string (ptrtype);

	      if (warning_at (loc, OPT_Wstringop_overflow_,
			      "bound argument %i value %s is "
			      "negative for a variable length array "
			      "argument %i of type %s",
			      sizidx + 1, sizstr,
			      ptridx + 1, argtypestr.c_str ()))
		arg_warned = OPT_Wstringop_overflow_;
	    }
	  else if (warning_at (loc, OPT_Wstringop_overflow_,
			       "argument %i value %s is negative",
			       sizidx + 1, sizstr))
	    arg_warned = OPT_Wstringop_overflow_;

	  if (arg_warned != no_warning)
	    {
	      append_attrname (access, attrstr, sizeof attrstr);
	      /* Remember a warning has been issued and avoid warning
		 again below for the same attribute.  */
	      opt_warned = arg_warned;
	      continue;
	    }
	}

      /* The size of the access by the call in bytes.  */
      tree access_size = NULL_TREE;
      if (tree_int_cst_sgn (sizrng[0]) >= 0)
	{
	  if (COMPLETE_TYPE_P (argtype))
	    {
	      /* Multiply ACCESS_SIZE by the size of the type the pointer
		 argument points to.  If it's incomplete the size is used
		 as is.  */
	      if (tree argsize = TYPE_SIZE_UNIT (argtype))
		if (TREE_CODE (argsize) == INTEGER_CST)
		  {
		    const int prec = TYPE_PRECISION (sizetype);
		    wide_int minsize = wi::to_wide (sizrng[0], prec);
		    minsize *= wi::to_wide (argsize, prec);
		    access_size = wide_int_to_tree (sizetype, minsize);
		  }
	    }
	  else
	    access_size = access_nelts;
	}

      if (integer_zerop (ptr))
	{
	  if (sizidx >= 0 && tree_int_cst_sgn (sizrng[0]) > 0)
	    {
	      /* Warn about null pointers with positive sizes.  This is
		 different from also declaring the pointer argument with
		 attribute nonnull when the function accepts null pointers
		 only when the corresponding size is zero.  */
	      if (access.second.internal_p)
		{
		  const std::string argtypestr
		    = access.second.array_as_string (ptrtype);

		  if (warning_at (loc, OPT_Wnonnull,
				  "argument %i of variable length "
				  "array %s is null but "
				  "the corresponding bound argument "
				  "%i value is %s",
				  ptridx + 1, argtypestr.c_str (),
				  sizidx + 1, sizstr))
		    arg_warned = OPT_Wnonnull;
		}
	      else if (warning_at (loc, OPT_Wnonnull,
				   "argument %i is null but "
				   "the corresponding size argument "
				   "%i value is %s",
				   ptridx + 1, sizidx + 1, sizstr))
		arg_warned = OPT_Wnonnull;
	    }
	  else if (access_size && access.second.static_p)
	    {
	      /* Warn about null pointers for [static N] array arguments
		 but do not warn for ordinary (i.e., nonstatic) arrays.  */
	      if (warning_at (loc, OPT_Wnonnull,
			      "argument %i to %<%T[static %E]%> "
			      "is null where non-null expected",
			      ptridx + 1, argtype, access_size))
		arg_warned = OPT_Wnonnull;
	    }

	  if (arg_warned != no_warning)
	    {
	      append_attrname (access, attrstr, sizeof attrstr);
	      /* Remember a warning has been issued and avoid warning
		 again below for the same attribute.  */
	      opt_warned = OPT_Wnonnull;
	      continue;
	    }
	}

      /* Determine the size of the object PTR points to, recording it as
	 the destination for write-only accesses and the source otherwise.  */
      access_data data (m_ptr_qry.rvals, stmt, access.second.mode,
			NULL_TREE, false, NULL_TREE, false);
      access_ref* const pobj = (access.second.mode == access_write_only
				? &data.dst : &data.src);
      tree objsize = compute_objsize (ptr, stmt, 1, pobj, &m_ptr_qry);

      /* The size of the destination or source object.  */
      tree dstsize = NULL_TREE, srcsize = NULL_TREE;
      if (access.second.mode == access_read_only
	  || access.second.mode == access_none)
	{
	  /* For a read-only argument there is no destination.  For
	     no access, set the source as well and differentiate via
	     the access flag below.  */
	  srcsize = objsize;
	  /* NOTE(review): this condition repeats the enclosing one and is
	     always true here, and OBJSIZE is not read again after this
	     point, so the clear below has no observable effect.  */
	  if (access.second.mode == access_read_only
	      || access.second.mode == access_none)
	    {
	      /* For a read-only attribute there is no destination so
		 clear OBJSIZE.  This emits "reading N bytes" kind of
		 diagnostics instead of the "writing N bytes" kind,
		 unless MODE is none.  */
	      objsize = NULL_TREE;
	    }
	}
      else
	dstsize = objsize;

      /* Clear the no-warning bit in case it was set by check_access
	 in a prior iteration so that accesses via different arguments
	 are diagnosed.  The bit is then used below to detect whether
	 check_access warned for this argument.  */
      suppress_warning (stmt, OPT_Wstringop_overflow_, false);
      access_mode mode = data.mode;
      if (mode == access_deferred)
	mode = TYPE_READONLY (argtype) ? access_read_only : access_read_write;
      check_access (stmt, access_size, /*maxread=*/ NULL_TREE, srcsize,
		    dstsize, mode, &data, m_ptr_qry.rvals);

      if (warning_suppressed_p (stmt, OPT_Wstringop_overflow_))
	opt_warned = OPT_Wstringop_overflow_;
      /* NOTE(review): OPT_WARNED persists across iterations, so the note
	 below is also issued for a later argument that check_access did
	 not flag once an earlier one was -- confirm this is intended.  */
      if (opt_warned != no_warning)
	{
	  if (access.second.internal_p)
	    {
	      unsigned HOST_WIDE_INT nelts =
		access_nelts ? access.second.minsize : HOST_WIDE_INT_M1U;
	      tree arrtype = build_printable_array_type (argtype, nelts);
	      inform (loc, "referencing argument %u of type %qT",
		      ptridx + 1, arrtype);
	    }
	  else
	    /* If check_access issued a warning above, append the relevant
	       attribute to the string.  */
	    append_attrname (access, attrstr, sizeof attrstr);
	}
    }

  /* Emit the single trailing note naming the callee (or its type for
     an indirect call) and, when known, the attribute involved.  */
  if (*attrstr)
    {
      if (fndecl)
	inform (get_location (fndecl),
		"in a call to function %qD declared with attribute %qs",
		fndecl, attrstr);
      else
	inform (get_location (stmt),
		"in a call with type %qT and attribute %qs",
		fntype, attrstr);
    }
  else if (opt_warned != no_warning)
    {
      if (fndecl)
	inform (get_location (fndecl),
		"in a call to function %qD", fndecl);
      else
	inform (get_location (stmt),
		"in a call with type %qT", fntype);
    }

  /* Set the bit in case it was cleared and not set above.  */
  if (opt_warned != no_warning)
    suppress_warning (stmt, opt_warned);
}
3601
3602 /* Check call STMT to an ordinary (non-built-in) function for invalid
3603 accesses. Return true if a call has been handled. */
3604
bool
pass_waccess::check_call_access (gcall *stmt)
{
  /* Check a call STMT to a non-built-in function: collect the actual
     arguments named by its attribute access specifications, check their
     sizes, and check any alloc_size attribute.  Return true when the
     call's type carries attributes and was examined.  */
  tree fntype = gimple_call_fntype (stmt);
  if (!fntype)
    return false;

  tree fntypeattrs = TYPE_ATTRIBUTES (fntype);
  if (!fntypeattrs)
    return false;

  /* Map of attribute access specifications for function arguments.  */
  rdwr_map rdwr_idx;
  init_attr_rdwr_indices (&rdwr_idx, fntypeattrs);

  /* Pair each actual argument with its access entry, if it has one:
     pointer arguments are stored in ACCESS->PTR, all others in
     ACCESS->SIZE.  */
  const unsigned nargs = call_nargs (stmt);
  for (unsigned argno = 0; argno != nargs; ++argno)
    {
      tree arg = call_arg (stmt, argno);
      attr_access *access = rdwr_idx.get (argno);
      if (!access)
	continue;

      if (!POINTER_TYPE_P (TREE_TYPE (arg)))
	{
	  access->size = arg;
	  gcc_assert (access->ptr == NULL_TREE);
	  continue;
	}

      /* A nonnull ACCESS->SIZE contains VLA bounds.  */
      access->ptr = arg;
    }

  /* Check attribute access arguments.  */
  tree fndecl = gimple_call_fndecl (stmt);
  maybe_check_access_sizes (&rdwr_idx, fndecl, fntype, stmt);

  check_alloc_size_call (stmt);
  return true;
}
3649
3650 /* Check arguments in a call STMT for attribute nonstring. */
3651
static void
check_nonstring_args (gcall *stmt)
{
  /* Detect passing non-string arguments to functions expecting
     nul-terminated strings; the callee declaration (possibly null)
     is looked up from STMT.  */
  maybe_warn_nonstring_arg (gimple_call_fndecl (stmt), stmt);
}
3661
3662 /* Issue a warning if a deallocation function such as free, realloc,
3663 or C++ operator delete is called with an argument not returned by
3664 a matching allocation function such as malloc or the corresponding
3665 form of C++ operator new. */
3666
void
pass_waccess::maybe_check_dealloc_call (gcall *call)
{
  /* Diagnose a deallocation CALL whose pointer argument can be traced
     to something other than a matching allocation: a declared object,
     a constant, the result of alloca, a mismatched allocator, or a
     pointer with a positive offset into an object.  */
  tree fndecl = gimple_call_fndecl (call);
  if (!fndecl)
    return;

  /* Position of the argument being deallocated.  The comparison also
     rejects calls with too few arguments; presumably a non-deallocator
     yields an out-of-range position -- confirm in fndecl_dealloc_argno.  */
  unsigned argno = fndecl_dealloc_argno (fndecl);
  if ((unsigned) call_nargs (call) <= argno)
    return;

  /* Deallocating a null pointer is never diagnosed here.  */
  tree ptr = gimple_call_arg (call, argno);
  if (integer_zerop (ptr))
    return;

  /* Find the object PTR refers to; give up when it cannot be determined.  */
  access_ref aref;
  if (!compute_objsize (ptr, call, 0, &aref, &m_ptr_qry))
    return;

  tree ref = aref.ref;
  if (integer_zerop (ref))
    return;

  tree dealloc_decl = fndecl;
  location_t loc = gimple_location (call);

  if (DECL_P (ref) || EXPR_P (ref))
    {
      /* Diagnose freeing a declared object.  */
      if (aref.ref_declared ())
	{
	  auto_diagnostic_group d;
	  if (warning_at (loc, OPT_Wfree_nonheap_object,
			  "%qD called on unallocated object %qD",
			  dealloc_decl, ref))
	    {
	      inform (get_location (ref), "declared here");
	      return;
	    }
	}

      /* Diagnose freeing a pointer that includes a positive offset.
	 Such a pointer cannot refer to the beginning of an allocated
	 object.  A negative offset may refer to it.  */
      if (aref.sizrng[0] != aref.sizrng[1]
	  && warn_dealloc_offset (loc, call, aref))
	return;
    }
  else if (CONSTANT_CLASS_P (ref))
    {
      auto_diagnostic_group d;
      if (warning_at (loc, OPT_Wfree_nonheap_object,
		      "%qD called on a pointer to an unallocated "
		      "object %qE", dealloc_decl, ref))
	{
	  /* Point at the assignment that produced the constant pointer
	     when there is one.  */
	  if (TREE_CODE (ptr) == SSA_NAME)
	    {
	      gimple *def_stmt = SSA_NAME_DEF_STMT (ptr);
	      if (is_gimple_assign (def_stmt))
		{
		  /* Shadows the outer LOC; only used for this note.  */
		  location_t loc = gimple_location (def_stmt);
		  inform (loc, "assigned here");
		}
	    }
	  return;
	}
    }
  else if (TREE_CODE (ref) == SSA_NAME)
    {
      /* Also warn if the pointer argument refers to the result
	 of an allocation call like alloca or VLA.  */
      gimple *def_stmt = SSA_NAME_DEF_STMT (ref);
      if (!def_stmt)
	return;

      if (is_gimple_call (def_stmt))
	{
	  /* Set when a warning was issued that should be followed by a
	     note pointing at the defining call.  */
	  bool warned = false;
	  if (gimple_call_alloc_p (def_stmt))
	    {
	      if (matching_alloc_calls_p (def_stmt, dealloc_decl))
		{
		  /* The allocator/deallocator pair is fine; only an
		     offset into the allocated block can be wrong.  */
		  if (warn_dealloc_offset (loc, call, aref))
		    return;
		}
	      else
		{
		  /* Pick the option by whether either side is a C++
		     operator new/delete.  */
		  tree alloc_decl = gimple_call_fndecl (def_stmt);
		  const opt_code opt =
		    (DECL_IS_OPERATOR_NEW_P (alloc_decl)
		     || DECL_IS_OPERATOR_DELETE_P (dealloc_decl)
		     ? OPT_Wmismatched_new_delete
		     : OPT_Wmismatched_dealloc);
		  warned = warning_at (loc, opt,
				       "%qD called on pointer returned "
				       "from a mismatched allocation "
				       "function", dealloc_decl);
		}
	    }
	  else if (gimple_call_builtin_p (def_stmt, BUILT_IN_ALLOCA)
		   || gimple_call_builtin_p (def_stmt,
					     BUILT_IN_ALLOCA_WITH_ALIGN))
	    warned = warning_at (loc, OPT_Wfree_nonheap_object,
				 "%qD called on pointer to "
				 "an unallocated object",
				 dealloc_decl);
	  else if (warn_dealloc_offset (loc, call, aref))
	    return;

	  if (warned)
	    {
	      /* Shadows the outer FNDECL; names the defining call.  */
	      tree fndecl = gimple_call_fndecl (def_stmt);
	      inform (gimple_location (def_stmt),
		      "returned from %qD", fndecl);
	      return;
	    }
	}
      else if (gimple_nop_p (def_stmt))
	{
	  /* A default definition: the pointer is a parameter or other
	     undefined value; look at the underlying variable.  */
	  ref = SSA_NAME_VAR (ref);
	  /* Diagnose freeing a pointer that includes a positive offset.  */
	  if (TREE_CODE (ref) == PARM_DECL
	      && !aref.deref
	      && aref.sizrng[0] != aref.sizrng[1]
	      && aref.offrng[0] > 0 && aref.offrng[1] > 0
	      && warn_dealloc_offset (loc, call, aref))
	    return;
	}
    }
}
3797
3798 /* Return true if either USE_STMT's basic block (that of a pointer's use)
3799 is dominated by INVAL_STMT's (that of a pointer's invalidating statement,
3800 which is either a clobber or a deallocation call), or if they're in
3801 the same block, USE_STMT follows INVAL_STMT. */
3802
bool
pass_waccess::use_after_inval_p (gimple *inval_stmt, gimple *use_stmt,
				 bool last_block /* = false */)
{
  /* Return true when USE_STMT executes after INVAL_STMT: either its block
     is dominated by INVAL_STMT's, or both are in the same block and
     USE_STMT comes later.  With LAST_BLOCK set and INVAL_STMT a clobber,
     a use in a block that falls through to the function exit is also
     considered to follow the clobber unless the variable is clobbered
     again in between.  */

  /* For a clobber, the variable whose lifetime ends; null for a
     deallocation call.  */
  tree clobvar =
    gimple_clobber_p (inval_stmt) ? gimple_assign_lhs (inval_stmt) : NULL_TREE;

  basic_block inval_bb = gimple_bb (inval_stmt);
  basic_block use_bb = gimple_bb (use_stmt);

  /* Statements not in the CFG cannot be ordered.  */
  if (!inval_bb || !use_bb)
    return false;

  if (inval_bb != use_bb)
    {
      if (dominated_by_p (CDI_DOMINATORS, use_bb, inval_bb))
	return true;

      if (!clobvar || !last_block)
	return false;

      /* Proceed only when looking for uses of dangling pointers.  */
      auto gsi = gsi_for_stmt (use_stmt);

      /* A use statement in the last basic block in a function or one that
	 falls through to it is after any other prior clobber of the used
	 variable unless it's followed by a clobber of the same variable.
	 Walk forward from the use along single-successor edges that are
	 neither EH, abnormal nor back edges.  */
      basic_block bb = use_bb;
      while (bb != inval_bb
	     && single_succ_p (bb)
	     && !(single_succ_edge (bb)->flags
		  & (EDGE_EH | EDGE_ABNORMAL | EDGE_DFS_BACK)))
	{
	  for (; !gsi_end_p (gsi); gsi_next_nondebug (&gsi))
	    {
	      gimple *stmt = gsi_stmt (gsi);
	      if (gimple_clobber_p (stmt))
		{
		  if (clobvar == gimple_assign_lhs (stmt))
		    /* The use is followed by a clobber.  */
		    return false;
		}
	    }

	  bb = single_succ (bb);
	  gsi = gsi_start_bb (bb);
	}

      /* The use is one of a dangling pointer if a clobber of the variable
	 [the pointer points to] has not been found before the function exit
	 point.  */
      return bb == EXIT_BLOCK_PTR_FOR_FN (cfun);
    }

  /* Same block: order the two statements by their uids.  */
  if (bitmap_set_bit (m_bb_uids_set, inval_bb->index))
    /* The first time this basic block is visited assign increasing ids
       to consecutive statements in it.  Use the ids to determine which
       precedes which.  This avoids the linear traversal on subsequent
       visits to the same block.  */
    for (auto si = gsi_start_bb (inval_bb); !gsi_end_p (si);
	 gsi_next_nondebug (&si))
      {
	gimple *stmt = gsi_stmt (si);
	unsigned uid = inc_gimple_stmt_max_uid (m_func);
	gimple_set_uid (stmt, uid);
      }

  return gimple_uid (inval_stmt) < gimple_uid (use_stmt);
}
3872
3873 /* Issue a warning for the USE_STMT of pointer or reference REF rendered
3874 invalid by INVAL_STMT. REF may be null when it's been optimized away.
3875 When nonnull, INVAL_STMT is the deallocation function that rendered
3876 the pointer or reference dangling. Otherwise, VAR is the auto variable
3877 (including an unnamed temporary such as a compound literal) whose
3878 lifetime's end rendered it dangling. MAYBE is true to issue the "maybe"
3879 kind of warning. EQUALITY is true when the pointer is used in
3880 an equality expression. */
3881
void
pass_waccess::warn_invalid_pointer (tree ref, gimple *use_stmt,
				    gimple *inval_stmt, tree var,
				    bool maybe, bool equality /* = false */)
{
  /* Avoid printing the unhelpful "<unknown>" in the diagnostics.  */
  if (ref && TREE_CODE (ref) == SSA_NAME)
    {
      /* This VAR shadows the parameter of the same name for the rest of
	 the block; the parameter itself is not modified.  */
      tree var = SSA_NAME_VAR (ref);
      if (!var)
	ref = NULL_TREE;
      /* Don't warn for cases like when a cdtor returns 'this' on ARM.  */
      else if (warning_suppressed_p (var, OPT_Wuse_after_free))
	return;
      else if (DECL_ARTIFICIAL (var))
	ref = NULL_TREE;
    }

  location_t use_loc = gimple_location (use_stmt);
  if (use_loc == UNKNOWN_LOCATION)
    {
      use_loc = m_func->function_end_locus;
      if (!ref)
	/* Avoid issuing a warning with no context other than
	   the function.  That would make it difficult to debug
	   in any but very simple cases.  */
	return;
    }

  /* A call means a deallocation: -Wuse-after-free.  Level 2 is needed
     for the "maybe" form and level 3 for uses in equality tests.  */
  if (is_gimple_call (inval_stmt))
    {
      if ((equality && warn_use_after_free < 3)
	  || (maybe && warn_use_after_free < 2)
	  || warning_suppressed_p (use_stmt, OPT_Wuse_after_free))
	return;

      const tree inval_decl = gimple_call_fndecl (inval_stmt);

      auto_diagnostic_group d;
      if ((ref && warning_at (use_loc, OPT_Wuse_after_free,
			      (maybe
			       ? G_("pointer %qE may be used after %qD")
			       : G_("pointer %qE used after %qD")),
			      ref, inval_decl))
	  || (!ref && warning_at (use_loc, OPT_Wuse_after_free,
				  (maybe
				   ? G_("pointer may be used after %qD")
				   : G_("pointer used after %qD")),
				  inval_decl)))
	{
	  location_t loc = gimple_location (inval_stmt);
	  inform (loc, "call to %qD here", inval_decl);
	  suppress_warning (use_stmt, OPT_Wuse_after_free);
	}
      return;
    }

  /* Otherwise INVAL_STMT is a clobber: -Wdangling-pointer.  Equality
     tests are never diagnosed; the "maybe" form needs level 2.  */
  if (equality
      || (maybe && warn_dangling_pointer < 2)
      || warning_suppressed_p (use_stmt, OPT_Wdangling_pointer_))
    return;

  if (DECL_NAME (var))
    {
      auto_diagnostic_group d;
      if ((ref
	   && warning_at (use_loc, OPT_Wdangling_pointer_,
			  (maybe
			   ? G_("dangling pointer %qE to %qD may be used")
			   : G_("using dangling pointer %qE to %qD")),
			  ref, var))
	  || (!ref
	      && warning_at (use_loc, OPT_Wdangling_pointer_,
			     (maybe
			      ? G_("dangling pointer to %qD may be used")
			      : G_("using a dangling pointer to %qD")),
			     var)))
	inform (DECL_SOURCE_LOCATION (var),
		"%qD declared here", var);
      /* NOTE(review): unlike the unnamed-temporary case below, this
	 suppression runs even when warning_at returned false -- confirm
	 that is intended.  */
      suppress_warning (use_stmt, OPT_Wdangling_pointer_);
      return;
    }

  if ((ref
       && warning_at (use_loc, OPT_Wdangling_pointer_,
		      (maybe
		       ? G_("dangling pointer %qE to an unnamed temporary "
			    "may be used")
		       : G_("using dangling pointer %qE to an unnamed "
			    "temporary")),
		      ref))
      || (!ref
	  && warning_at (use_loc, OPT_Wdangling_pointer_,
			 (maybe
			  ? G_("dangling pointer to an unnamed temporary "
			       "may be used")
			  : G_("using a dangling pointer to an unnamed "
			       "temporary")))))
    {
      inform (DECL_SOURCE_LOCATION (var),
	      "unnamed temporary defined here");
      suppress_warning (use_stmt, OPT_Wdangling_pointer_);
    }
}
3986
3987 /* If STMT is a call to either the standard realloc or to a user-defined
3988 reallocation function, return its LHS and set *PTR to the reallocated
3989 pointer. Otherwise return null. */
3990
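static tree
get_realloc_lhs (gimple *stmt, tree *ptr)
{
  /* If STMT is a call to the standard realloc or to a user-defined
     reallocation function, return its LHS and set *PTR to the argument
     being reallocated.  Return null (leaving *PTR untouched) otherwise.

     A user-defined reallocator is recognized by a "*dealloc" attribute on
     the callee whose first operand names the callee itself; the optional
     second operand is the 1-based position of the pointer argument.  */
  if (gimple_call_builtin_p (stmt, BUILT_IN_REALLOC))
    {
      *ptr = gimple_call_arg (stmt, 0);
      return gimple_call_lhs (stmt);
    }

  gcall *call = dyn_cast<gcall *>(stmt);
  if (!call)
    return NULL_TREE;

  /* Without a declaration there is no name for the "*dealloc" operand to
     match, so an indirect call can never be a reallocator.  Bail out here
     rather than dereference a null FNDECL in the comparison below.  */
  tree fndecl = gimple_call_fndecl (call);
  if (!fndecl)
    return NULL_TREE;

  tree fnattr = DECL_ATTRIBUTES (fndecl);
  if (!fnattr)
    return NULL_TREE;

  tree fnname = DECL_NAME (fndecl);
  const unsigned nargs = gimple_call_num_args (call);

  for (tree ats = fnattr; (ats = lookup_attribute ("*dealloc", ats));
       ats = TREE_CHAIN (ats))
    {
      tree args = TREE_VALUE (ats);
      if (!args)
	continue;

      tree alloc = TREE_VALUE (args);
      if (!alloc || alloc != fnname)
	continue;

      /* Default to the first argument; an explicit operand is 1-based.
	 The attribute handler is expected to have validated the operand,
	 but a position beyond the actual argument list is skipped rather
	 than indexed.  */
      unsigned argno = 0;
      if (tree index = TREE_CHAIN (args))
	argno = TREE_INT_CST_LOW (TREE_VALUE (index)) - 1;
      if (argno >= nargs)
	continue;

      *ptr = gimple_call_arg (stmt, argno);
      return gimple_call_lhs (stmt);
    }

  return NULL_TREE;
}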
4042
/* Warn if STMT is a call to a deallocation function that's not a match
   for the REALLOC_STMT call (the -Wmismatched-dealloc diagnostic).
   PTR is the pointer argument of STMT and is used only to name it in
   the message.  Return true if warned.  */

static bool
maybe_warn_mismatched_realloc (tree ptr, gimple *realloc_stmt, gimple *stmt)
{
  if (!is_gimple_call (stmt))
    return false;

  tree dealloc_decl = gimple_call_fndecl (stmt);
  if (!dealloc_decl)
    return false;

  /* STMT must actually pass an argument in the deallocated position.  */
  unsigned argno = fndecl_dealloc_argno (dealloc_decl);
  if (call_nargs (stmt) <= argno)
    return false;

  /* Nothing to do when the pair is known to match.  */
  if (matching_alloc_calls_p (realloc_stmt, dealloc_decl))
    return false;

  /* Name the pointer only when it has a user-visible name; an anonymous
     or artificial SSA name would print as the unhelpful "<unknown>".  */
  if (ptr && TREE_CODE (ptr) == SSA_NAME
      && (!SSA_NAME_VAR (ptr) || DECL_ARTIFICIAL (SSA_NAME_VAR (ptr))))
    ptr = NULL_TREE;

  const location_t loc = gimple_location (stmt);
  tree realloc_decl = gimple_call_fndecl (realloc_stmt);
  const bool warned
    = (ptr
       ? warning_at (loc, OPT_Wmismatched_dealloc,
                     "%qD called on pointer %qE passed to mismatched "
                     "allocation function %qD",
                     dealloc_decl, ptr, realloc_decl)
       : warning_at (loc, OPT_Wmismatched_dealloc,
                     "%qD called on a pointer passed to mismatched "
                     "reallocation function %qD",
                     dealloc_decl, realloc_decl));
  if (!warned)
    return false;

  inform (gimple_location (realloc_stmt), "call to %qD", realloc_decl);
  return true;
}
4086
/* Return true if P and Q point to the same object, and false if they
   either don't or their relationship cannot be determined.  STMT is the
   statement at which both pointers are queried and QRY caches the
   pointer queries.  VISITED records the SSA versions of PHI results
   already being expanded so that self-referential PHIs terminate.

   Note the asymmetry: an unrelated or undetermined pair yields false,
   but revisiting a PHI already under expansion yields true, so a cycle
   does not by itself disprove relatedness.  */

static bool
pointers_related_p (gimple *stmt, tree p, tree q, pointer_query &qry,
                    auto_bitmap &visited)
{
  /* Pointers whose dereferences cannot alias cannot be related.  */
  if (!ptr_derefs_may_alias_p (p, q))
    return false;

  /* TODO: Work harder to rule out relatedness.  */
  access_ref pref, qref;
  if (!qry.get_ref (p, stmt, &pref, 0)
      || !qry.get_ref (q, stmt, &qref, 0))
    /* GET_REF() only rarely fails.  When it does, it's likely because
       it involves a self-referential PHI.  Return a conservative result.  */
    return false;

  if (pref.ref == qref.ref)
    return true;

  /* If either pointer is a PHI, iterate over all its operands and
     return true if they're all related to the other pointer.  */
  tree ptr = q;
  unsigned version;
  gphi *phi = pref.phi ();
  if (phi)
    version = SSA_NAME_VERSION (pref.ref);
  else
    {
      phi = qref.phi ();
      if (!phi)
        return false;

      ptr = p;
      version = SSA_NAME_VERSION (qref.ref);
    }

  /* A PHI already being expanded: treat the cycle as related rather
     than recursing forever.  */
  if (!bitmap_set_bit (visited, version))
    return true;

  unsigned nargs = gimple_phi_num_args (phi);
  for (unsigned i = 0; i != nargs; ++i)
    {
      tree arg = gimple_phi_arg_def (phi, i);
      /* A single unrelated operand is enough to give up.  */
      if (!pointers_related_p (stmt, arg, ptr, qry, visited))
        return false;
    }

  return true;
}
4138
/* Convenience wrapper for the above that starts each top-level query
   with an empty set of visited PHIs.  */

static bool
pointers_related_p (gimple *stmt, tree p, tree q, pointer_query &qry)
{
  auto_bitmap seen;
  const bool related = pointers_related_p (stmt, p, q, qry, seen);
  return related;
}
4147
/* For a STMT either a call to a deallocation function or a clobber, warn
   for uses of the pointer PTR it was called with (including its copies
   or others derived from it by pointer arithmetic).  If STMT is a clobber,
   VAR is the decl of the clobbered variable.  When MAYBE is true use
   a "maybe" form of diagnostic.

   PTR must be an SSA_NAME.  The diagnostic itself is issued by
   warn_invalid_pointer; this function only decides which uses reach it.
   Uses not ordered after STMT (per use_after_inval_p) are not diagnosed
   but are still followed, so pointers derived from PTR before the
   invalidation are checked for uses after it.  */

void
pass_waccess::check_pointer_uses (gimple *stmt, tree ptr,
                                  tree var /* = NULL_TREE */,
                                  bool maybe /* = false */)
{
  gcc_assert (TREE_CODE (ptr) == SSA_NAME);

  /* A clobber (anything but a call) means a pointer to an object whose
     lifetime has ended; a call means a deallocation.  */
  const bool check_dangling = !is_gimple_call (stmt);
  basic_block stmt_bb = gimple_bb (stmt);

  /* If STMT is a reallocation function set to the reallocated pointer
     and the LHS of the call, respectively.  */
  tree realloc_ptr = NULL_TREE;
  tree realloc_lhs = get_realloc_lhs (stmt, &realloc_ptr);

  auto_bitmap visited;

  auto_vec<tree> pointers;
  pointers.safe_push (ptr);

  /* Starting with PTR, iterate over POINTERS added by the loop, and
     either warn for their uses in basic blocks dominated by the STMT
     or in statements that follow it in the same basic block, or add
     them to POINTERS if they point into the same object as PTR (i.e.,
     are obtained by pointer arithmetic on PTR).  */
  for (unsigned i = 0; i != pointers.length (); ++i)
    {
      /* NOTE: shadows the parameter PTR; from here on PTR is the
         worklist entry being processed.  */
      tree ptr = pointers[i];
      if (!bitmap_set_bit (visited, SSA_NAME_VERSION (ptr)))
        /* Avoid revisiting the same pointer.  */
        continue;

      use_operand_p use_p;
      imm_use_iterator iter;
      FOR_EACH_IMM_USE_FAST (use_p, iter, ptr)
        {
          gimple *use_stmt = USE_STMT (use_p);
          if (use_stmt == stmt || is_gimple_debug (use_stmt))
            continue;

          if (realloc_lhs)
            {
              /* Check to see if USE_STMT is a mismatched deallocation
                 call for the pointer passed to realloc.  That's a bug
                 regardless of the pointer's value and so warn.  */
              if (maybe_warn_mismatched_realloc (*use_p->use, stmt, use_stmt))
                continue;

              /* Pointers passed to realloc that are used in basic blocks
                 where the realloc call is known to have failed are valid.
                 Ignore pointers that nothing is known about.  Those could
                 have escaped along with their nullness.  */
              value_range vr;
              if (m_ptr_qry.rvals->range_of_expr (vr, realloc_lhs, use_stmt))
                {
                  /* The realloc result is known to be null here, i.e.,
                     the call failed and the original block is live.  */
                  if (vr.zero_p ())
                    continue;

                  /* Only pointers known to refer to the reallocated
                     object are suspect.  */
                  if (!pointers_related_p (stmt, ptr, realloc_ptr, m_ptr_qry))
                    continue;
                }
            }

          if (check_dangling
              && gimple_code (use_stmt) == GIMPLE_RETURN)
            /* Avoid interfering with -Wreturn-local-addr (which runs only
               with optimization enabled so it won't diagnose cases that
               would be caught here when optimization is disabled).  */
            continue;

          /* Record whether the use is an equality comparison.  It's
             passed on to warn_invalid_pointer, which presumably treats a
             mere comparison of an invalid pointer differently from an
             access through it.  */
          bool equality = false;
          if (is_gimple_assign (use_stmt))
            {
              tree_code code = gimple_assign_rhs_code (use_stmt);
              equality = code == EQ_EXPR || code == NE_EXPR;
            }
          else if (gcond *cond = dyn_cast<gcond *>(use_stmt))
            {
              tree_code code = gimple_cond_code (cond);
              equality = code == EQ_EXPR || code == NE_EXPR;
            }

          /* Warn if USE_STMT is dominated by the deallocation STMT.
             Otherwise, add the pointer to POINTERS so that the uses
             of any other pointers derived from it can be checked.  */
          if (use_after_inval_p (stmt, use_stmt, check_dangling))
            {
              if (gimple_code (use_stmt) == GIMPLE_PHI)
                {
                  /* Only add a PHI result to POINTERS if all its
                     operands are related to PTR, otherwise continue.  */
                  tree lhs = gimple_phi_result (use_stmt);
                  if (!pointers_related_p (stmt, lhs, ptr, m_ptr_qry))
                    continue;

                  if (TREE_CODE (lhs) == SSA_NAME)
                    {
                      pointers.safe_push (lhs);
                      continue;
                    }
                }

              /* Use the definite form of the diagnostic only when the
                 use's block post-dominates STMT's block (every path from
                 the invalidation reaches the use); otherwise "may be".  */
              basic_block use_bb = gimple_bb (use_stmt);
              bool this_maybe
                = (maybe
                   || !dominated_by_p (CDI_POST_DOMINATORS, stmt_bb, use_bb));
              warn_invalid_pointer (*use_p->use, use_stmt, stmt, var,
                                    this_maybe, equality);
              continue;
            }

          /* A use not ordered after the invalidation: follow copies and
             pointer arithmetic so that their own uses are checked.  */
          if (is_gimple_assign (use_stmt))
            {
              tree lhs = gimple_assign_lhs (use_stmt);
              if (TREE_CODE (lhs) == SSA_NAME)
                {
                  tree_code rhs_code = gimple_assign_rhs_code (use_stmt);
                  if (rhs_code == POINTER_PLUS_EXPR || rhs_code == SSA_NAME)
                    pointers.safe_push (lhs);
                }
              continue;
            }

          /* Likewise for calls that return (an offset into) PTR.  */
          if (gcall *call = dyn_cast <gcall *>(use_stmt))
            {
              if (gimple_call_return_arg (call) == ptr)
                if (tree lhs = gimple_call_lhs (call))
                  if (TREE_CODE (lhs) == SSA_NAME)
                    pointers.safe_push (lhs);
              continue;
            }
        }
    }
}
4288
/* Check call STMT for invalid accesses.  Compiler-generated thunk calls
   and .ASAN_MARK are skipped.  The use-after-deallocation, mismatched
   deallocation and nonstring-argument checks run only in the late
   instance of the pass; the access and dangling-argument checks run in
   both.  */

void
pass_waccess::check_call (gcall *stmt)
{
  /* Skip special calls generated by the compiler.  */
  if (gimple_call_from_thunk_p (stmt))
    return;

  /* .ASAN_MARK doesn't access any vars, only modifies shadow memory.  */
  if (gimple_call_internal_p (stmt)
      && gimple_call_internal_fn (stmt) == IFN_ASAN_MARK)
    return;

  if (gimple_call_builtin_p (stmt, BUILT_IN_NORMAL))
    check_builtin (stmt);

  const bool late_checks = !m_early_checks_p;

  if (late_checks)
    {
      /* Check for uses of the pointer passed to either a standard
         or a user-defined deallocation function.  A call without a
         known callee has no deallocated argument position.  */
      tree callee = gimple_call_fndecl (stmt);
      unsigned argno = callee ? fndecl_dealloc_argno (callee) : ~0U;
      if (argno < (unsigned) call_nargs (stmt))
        {
          tree arg = call_arg (stmt, argno);
          if (TREE_CODE (arg) == SSA_NAME)
            check_pointer_uses (stmt, arg);
        }
    }

  check_call_access (stmt);
  check_call_dangling (stmt);

  if (late_checks)
    {
      maybe_check_dealloc_call (stmt);
      check_nonstring_args (stmt);
    }
}
4329
4330
/* Return true if X is a DECL with automatic storage duration, i.e.,
   a declaration that is neither external nor static.  */

static inline bool
is_auto_decl (tree x)
{
  if (!DECL_P (x))
    return false;
  return !(DECL_EXTERNAL (x) || TREE_STATIC (x));
}
4338
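/* Check non-call STMT for invalid accesses.  Three kinds of statements
   matter: end-of-life clobbers of automatic variables, which are
   recorded in M_CLOBBERS for the later dangling-pointer checks;
   assignments to automatic variables, which revive a clobbered object
   and remove it from M_CLOBBERS; and returns of the address of a
   clobbered local, which are diagnosed here directly.  */

void
pass_waccess::check_stmt (gimple *stmt)
{
  if (m_check_dangling_p
      && gimple_clobber_p (stmt, CLOBBER_EOL))
    {
      /* Ignore clobber statements in blocks with exceptional edges.
         Only the first predecessor edge is consulted.  Guard the lookup:
         EDGE_PRED (bb, 0) indexes past the end of an empty predecessor
         vector.  A block with no predecessors is not expected here but
         is cheap to tolerate, and the clobber is then simply recorded.  */
      basic_block bb = gimple_bb (stmt);
      if (EDGE_COUNT (bb->preds) > 0)
        {
          edge e = EDGE_PRED (bb, 0);
          if (e->flags & EDGE_EH)
            return;
        }

      tree var = gimple_assign_lhs (stmt);
      m_clobbers.put (var, stmt);
      return;
    }

  if (is_gimple_assign (stmt))
    {
      /* Clobbered unnamed temporaries such as compound literals can be
         revived.  Check for an assignment to one and remove it from
         M_CLOBBERS.  Strip component references to get at the base
         declaration being stored into.  */
      tree lhs = gimple_assign_lhs (stmt);
      while (handled_component_p (lhs))
        lhs = TREE_OPERAND (lhs, 0);

      if (is_auto_decl (lhs))
        m_clobbers.remove (lhs);
      return;
    }

  if (greturn *ret = dyn_cast <greturn *> (stmt))
    {
      if (optimize && flag_isolate_erroneous_paths_dereference)
        /* Avoid interfering with -Wreturn-local-addr (which runs only
           with optimization enabled).  */
        return;

      /* Only a returned address expression is of interest.  */
      tree arg = gimple_return_retval (ret);
      if (!arg || TREE_CODE (arg) != ADDR_EXPR)
        return;

      arg = TREE_OPERAND (arg, 0);
      while (handled_component_p (arg))
        arg = TREE_OPERAND (arg, 0);

      if (!is_auto_decl (arg))
        return;

      /* Warn only if the local has been clobbered and the return is
         ordered after the clobber (per use_after_inval_p).  */
      gimple **pclobber = m_clobbers.get (arg);
      if (!pclobber)
        return;

      if (!use_after_inval_p (*pclobber, stmt))
        return;

      warn_invalid_pointer (NULL_TREE, stmt, *pclobber, arg, false);
    }
}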
4400
/* Check basic block BB for invalid accesses, dispatching each statement
   to check_call for calls and to check_stmt for everything else.
   Debug statements are stepped over.  */

void
pass_waccess::check_block (basic_block bb)
{
  auto si = gsi_start_bb (bb);
  while (!gsi_end_p (si))
    {
      gimple *stmt = gsi_stmt (si);
      gcall *call = dyn_cast <gcall *> (stmt);
      if (call)
        check_call (call);
      else
        check_stmt (stmt);
      gsi_next_nondebug (&si);
    }
}
4417
/* Return the argument that the call CALL to a built-in function returns
   (including with an offset) or null if it doesn't.  The "fn spec"
   attribute is consulted first; failing that, a fixed list of standard
   built-ins known to return a pointer into their first argument is
   used.  */

tree
pass_waccess::gimple_call_return_arg (gcall *call)
{
  const unsigned nargs = gimple_call_num_args (call);

  /* Check for attribute fn spec to see if the function returns one
     of its arguments.  */
  attr_fnspec fnspec = gimple_call_fnspec (call);
  unsigned int argno;
  if (fnspec.returns_arg (&argno))
    return nargs <= argno ? NULL_TREE : gimple_call_arg (call, argno);

  /* No fn spec: only normal built-ins with at least one argument
     remain candidates.  */
  if (nargs < 1 || !gimple_call_builtin_p (call, BUILT_IN_NORMAL))
    return NULL_TREE;

  switch (DECL_FUNCTION_CODE (gimple_call_fndecl (call)))
    {
    case BUILT_IN_MEMPCPY:
    case BUILT_IN_MEMPCPY_CHK:
    case BUILT_IN_MEMCHR:
    case BUILT_IN_STRCHR:
    case BUILT_IN_STRRCHR:
    case BUILT_IN_STRSTR:
    case BUILT_IN_STPCPY:
    case BUILT_IN_STPCPY_CHK:
    case BUILT_IN_STPNCPY:
    case BUILT_IN_STPNCPY_CHK:
      /* These return (an offset into) their first argument.  */
      return gimple_call_arg (call, 0);

    default:
      return NULL_TREE;
    }
}
4462
/* Return the decl referenced by the argument that the call CALL to
   a built-in function returns (including with an offset) or null if
   it doesn't, or if the argument cannot be traced to a decl.  */

tree
pass_waccess::gimple_call_return_arg_ref (gcall *call)
{
  tree arg = gimple_call_return_arg (call);
  if (!arg)
    return NULL_TREE;

  access_ref aref;
  if (!m_ptr_qry.get_ref (arg, call, &aref, 0))
    return NULL_TREE;

  return DECL_P (aref.ref) ? aref.ref : NULL_TREE;
}
4480
/* Check for and diagnose all uses of the dangling pointer VAR to the auto
   object DECL whose lifetime has ended.  OBJREF is true when VAR denotes
   an access to a DECL that may have been clobbered, in which case only
   VAR's defining statement is checked against the clobber; otherwise
   VAR is a pointer and all its uses are followed.  MAYBE requests the
   "maybe" form of the diagnostic.  VAR must be an SSA_NAME.  */

void
pass_waccess::check_dangling_uses (tree var, tree decl, bool maybe /* = false */,
                                   bool objref /* = false */)
{
  /* Only clobbered automatic objects are of interest.  */
  if (!decl || !is_auto_decl (decl))
    return;

  gimple **pclob = m_clobbers.get (decl);
  if (!pclob)
    return;

  gimple *clobber = *pclob;
  if (!objref)
    {
      check_pointer_uses (clobber, var, decl, maybe);
      return;
    }

  gimple *use_stmt = SSA_NAME_DEF_STMT (var);
  if (!use_after_inval_p (clobber, use_stmt, true))
    return;

  /* The diagnostic is definite only when the use's block post-dominates
     the clobber's block.  */
  basic_block use_bb = gimple_bb (use_stmt);
  basic_block clob_bb = gimple_bb (clobber);
  const bool this_maybe
    = maybe || !dominated_by_p (CDI_POST_DOMINATORS, clob_bb, use_bb);
  warn_invalid_pointer (var, use_stmt, clobber, decl, this_maybe, false);
}
4511
/* Diagnose stores in BB and (recursively) its predecessors of the addresses
   of local variables into nonlocal pointers that are left dangling after
   the function returns.  BBS is a bitmap of basic blocks visited.  STORES
   is the set of destinations already diagnosed or examined; a destination
   is considered only once per walk.

   The walk is deliberately conservative about false positives: it stops
   at the first call that is neither const nor pure, and at any store
   through a pointer that is not a default definition, since either could
   make the escaped address reachable in ways not modeled here.  */

void
pass_waccess::check_dangling_stores (basic_block bb,
                                     hash_set<tree> &stores,
                                     auto_bitmap &bbs)
{
  if (!bitmap_set_bit (bbs, bb->index))
    /* Avoid cycles.  */
    return;

  /* Iterate backwards over the statements looking for a store of
     the address of a local variable into a nonlocal pointer.  */
  for (auto gsi = gsi_last_nondebug_bb (bb); ; gsi_prev_nondebug (&gsi))
    {
      gimple *stmt = gsi_stmt (gsi);
      if (!stmt)
        break;

      if (warning_suppressed_p (stmt, OPT_Wdangling_pointer_))
        continue;

      if (is_gimple_call (stmt)
          && !(gimple_call_flags (stmt) & (ECF_CONST | ECF_PURE)))
        /* Avoid looking before nonconst, nonpure calls since those might
           use the escaped locals.  */
        return;

      if (!is_gimple_assign (stmt) || gimple_clobber_p (stmt))
        continue;

      access_ref lhs_ref;
      tree lhs = gimple_assign_lhs (stmt);
      if (!m_ptr_qry.get_ref (lhs, stmt, &lhs_ref, 0))
        continue;

      /* A store into a local object cannot outlive the function.  */
      if (is_auto_decl (lhs_ref.ref))
        continue;

      if (DECL_P (lhs_ref.ref))
        {
          /* A nonlocal object: only a direct store of a pointer value
             into it is of interest.  */
          if (!POINTER_TYPE_P (TREE_TYPE (lhs_ref.ref))
              || lhs_ref.deref > 0)
            continue;
        }
      else if (TREE_CODE (lhs_ref.ref) == SSA_NAME)
        {
          gimple *def_stmt = SSA_NAME_DEF_STMT (lhs_ref.ref);
          if (!gimple_nop_p (def_stmt))
            /* Avoid looking at or before stores into unknown objects.  */
            return;

          /* NOTE(review): SSA_NAME_VAR can be null for an anonymous
             default definition, in which case TREE_CODE below would
             dereference null.  Whether such a name can reach this point
             is not evident from this function -- confirm, or guard the
             test with "var &&".  */
          tree var = SSA_NAME_VAR (lhs_ref.ref);
          if (TREE_CODE (var) == PARM_DECL && DECL_BY_REFERENCE (var))
            /* Avoid by-value arguments transformed into by-reference.  */
            continue;

        }
      else if (TREE_CODE (lhs_ref.ref) == MEM_REF)
        {
          /* A store through a pointer: acceptable only when the pointer
             is a default definition (e.g., an incoming parameter).  */
          tree arg = TREE_OPERAND (lhs_ref.ref, 0);
          if (TREE_CODE (arg) == SSA_NAME)
            {
              gimple *def_stmt = SSA_NAME_DEF_STMT (arg);
              if (!gimple_nop_p (def_stmt))
                return;
            }
        }
      else
        continue;

      /* Consider each destination only once.  */
      if (stores.add (lhs_ref.ref))
        continue;

      /* FIXME: Handle stores of alloca() and VLA.  */
      access_ref rhs_ref;
      tree rhs = gimple_assign_rhs1 (stmt);
      /* The stored value must be the address of an object (a DEREF of -1
         appears to denote "address of" here), not a pointer loaded from
         somewhere else.  */
      if (!m_ptr_qry.get_ref (rhs, stmt, &rhs_ref, 0)
          || rhs_ref.deref != -1)
        continue;

      if (!is_auto_decl (rhs_ref.ref))
        continue;

      auto_diagnostic_group d;
      location_t loc = gimple_location (stmt);
      if (warning_at (loc, OPT_Wdangling_pointer_,
                      "storing the address of local variable %qD in %qE",
                      rhs_ref.ref, lhs))
        {
          suppress_warning (stmt, OPT_Wdangling_pointer_);

          location_t loc = DECL_SOURCE_LOCATION (rhs_ref.ref);
          inform (loc, "%qD declared here", rhs_ref.ref);

          /* Point at the destination too when it has a location.  */
          if (DECL_P (lhs_ref.ref))
            loc = DECL_SOURCE_LOCATION (lhs_ref.ref);
          else if (EXPR_HAS_LOCATION (lhs_ref.ref))
            loc = EXPR_LOCATION (lhs_ref.ref);

          if (loc != UNKNOWN_LOCATION)
            inform (loc, "%qE declared here", lhs_ref.ref);
        }
    }

  /* Continue into every predecessor; STORES and BBS are shared across
     the whole walk.  */
  edge e;
  edge_iterator ei;
  FOR_EACH_EDGE (e, ei, bb->preds)
    {
      basic_block pred = e->src;
      check_dangling_stores (pred, stores, bbs);
    }
}
4627
/* Diagnose stores of the addresses of local variables into nonlocal
   pointers that are left dangling after the function returns.  The
   walk starts at the function's exit block and proceeds backwards
   through predecessors.  */

void
pass_waccess::check_dangling_stores ()
{
  hash_set<tree> stores;
  auto_bitmap visited;
  basic_block exit_bb = EXIT_BLOCK_PTR_FOR_FN (m_func);
  check_dangling_stores (exit_bb, stores, visited);
}
4638
/* Check for and diagnose uses of dangling pointers to auto objects
   whose lifetime has ended.  Every SSA name in the function is examined;
   for each one that can be traced to a DECL, the four-argument
   check_dangling_uses overload looks the DECL up in M_CLOBBERS and
   checks the name's uses against the clobber.  */

void
pass_waccess::check_dangling_uses ()
{
  tree var;
  unsigned i;
  FOR_EACH_SSA_NAME (i, var, m_func)
    {
      /* For each SSA_NAME pointer VAR find the DECL it points to.
         If the DECL is a clobbered local variable, check to see
         if any of VAR's uses (or those of other pointers derived
         from VAR) happens after the clobber.  If so, warn.  */
      tree decl = NULL_TREE;

      gimple *def_stmt = SSA_NAME_DEF_STMT (var);
      if (is_gimple_assign (def_stmt))
        {
          tree rhs = gimple_assign_rhs1 (def_stmt);
          if (TREE_CODE (rhs) == ADDR_EXPR)
            {
              /* VAR = &DECL: only pointer-typed names are of interest.  */
              if (!POINTER_TYPE_P (TREE_TYPE (var)))
                continue;
              decl = TREE_OPERAND (rhs, 0);
            }
          else
            {
              /* For other expressions, check the base DECL to see
                 if it's been clobbered, most likely as a result of
                 inlining a reference to it.  VAR then denotes an access
                 to DECL itself (OBJREF), not a pointer to it.  */
              decl = get_base_address (rhs);
              if (DECL_P (decl))
                check_dangling_uses (var, decl, false, true);
              continue;
            }
        }
      else if (POINTER_TYPE_P (TREE_TYPE (var)))
        {
          /* A pointer returned by a built-in that returns (an offset
             into) one of its arguments.  */
          if (gcall *call = dyn_cast<gcall *>(def_stmt))
            decl = gimple_call_return_arg_ref (call);
          else if (gphi *phi = dyn_cast <gphi *>(def_stmt))
            {
              /* A PHI: check each operand that refers to an object
                 rather than to a pointer value, using the "maybe" form
                 since VAR need not refer to that object on every path.
                 NOTE: the inner loop index I shadows the one used by
                 FOR_EACH_SSA_NAME.  */
              unsigned nargs = gimple_phi_num_args (phi);
              for (unsigned i = 0; i != nargs; ++i)
                {
                  access_ref aref;
                  tree arg = gimple_phi_arg_def (phi, i);
                  if (!m_ptr_qry.get_ref (arg, phi, &aref, 0)
                      || (aref.deref == 0
                          && POINTER_TYPE_P (TREE_TYPE (aref.ref))))
                    continue;
                  check_dangling_uses (var, aref.ref, true);
                }
              continue;
            }
          else
            continue;
        }

      check_dangling_uses (var, decl);
    }
}
4702
/* Check CALL arguments for dangling pointers (those that have been
   clobbered) and warn if found.  Only arguments that are the address
   of a declaration (&decl) are examined.  */

void
pass_waccess::check_call_dangling (gcall *call)
{
  const unsigned nargs = gimple_call_num_args (call);
  for (unsigned argno = 0; argno < nargs; ++argno)
    {
      tree arg = gimple_call_arg (call, argno);
      if (TREE_CODE (arg) != ADDR_EXPR)
        continue;

      tree decl = TREE_OPERAND (arg, 0);
      if (!DECL_P (decl))
        continue;

      /* Warn when the object has been clobbered and the call is
         ordered after the clobber.  */
      gimple **pclobber = m_clobbers.get (decl);
      if (pclobber && use_after_inval_p (*pclobber, call))
        warn_invalid_pointer (NULL_TREE, call, *pclobber, decl, false);
    }
}
4730
/* Check function FUN for invalid accesses.  This is the pass entry
   point: it sets up the analyses the checks depend on (dominators,
   post-dominators, DFS back edges, a ranger instance), walks every
   basic block, runs the whole-function dangling-pointer checks when
   enabled, and tears everything down again.  Always returns 0.  */

unsigned
pass_waccess::execute (function *fun)
{
  /* Post-dominance is used to choose between the definite and "maybe"
     forms of the diagnostics; forward dominance is presumably used by
     use_after_inval_p to order uses after invalidations.  */
  calculate_dominance_info (CDI_DOMINATORS);
  calculate_dominance_info (CDI_POST_DOMINATORS);

  /* Set or clear EDGE_DFS_BACK bits on back edges.  */
  mark_dfs_back_edges (fun);

  /* Create a new ranger instance and associate it with FUN.  */
  m_ptr_qry.rvals = enable_ranger (fun);
  m_func = fun;

  /* Check for dangling pointers in the earliest run of the pass.
     The latest point -Wdangling-pointer should run is just before
     loop unrolling which introduces uses after clobbers.  Most cases
     can be detected without optimization; cases where the address of
     the local variable is passed to and then returned from a user-
     defined function before its lifetime ends and the returned pointer
     becomes dangling depend on inlining.  */
  m_check_dangling_p = m_early_checks_p;

  /* M_BB_UIDS_SET points at a bitmap local to this call; it is reset
     to null below before the bitmap goes out of scope.  */
  auto_bitmap bb_uids_set (&bitmap_default_obstack);
  m_bb_uids_set = bb_uids_set;

  set_gimple_stmt_max_uid (m_func, 0);

  basic_block bb;
  FOR_EACH_BB_FN (bb, fun)
    check_block (bb);

  /* The whole-function checks rely on M_CLOBBERS, which check_stmt
     populates during the block walk above.  */
  if (m_check_dangling_p)
    {
      check_dangling_uses ();
      check_dangling_stores ();
    }

  if (dump_file)
    m_ptr_qry.dump (dump_file, (dump_flags & TDF_DETAILS) != 0);

  m_ptr_qry.flush_cache ();

  /* Release the ranger instance and replace it with a global ranger.
     Also reset the pointer since calling disable_ranger() deletes it.  */
  disable_ranger (fun);
  m_ptr_qry.rvals = NULL;

  /* Per-function state must not leak into the next function.  */
  m_clobbers.empty ();
  m_bb_uids_set = NULL;

  free_dominance_info (CDI_POST_DOMINATORS);
  free_dominance_info (CDI_DOMINATORS);
  return 0;
}
4787
4788 } // namespace
4789
/* Return a new instance of the pass registered with the compiler
   context CTXT.  */

gimple_opt_pass *
make_pass_warn_access (gcc::context *ctxt)
{
  pass_waccess *pass = new pass_waccess (ctxt);
  return pass;
}