Avoid -Wformat-diag.
1/* Pass to detect and issue warnings for invalid accesses, including
2 invalid or mismatched allocation/deallocation calls.
3
7adcbafe 4 Copyright (C) 2020-2022 Free Software Foundation, Inc.
5 Contributed by Martin Sebor <msebor@redhat.com>.
6
7 This file is part of GCC.
8
9 GCC is free software; you can redistribute it and/or modify it under
10 the terms of the GNU General Public License as published by the Free
11 Software Foundation; either version 3, or (at your option) any later
12 version.
13
14 GCC is distributed in the hope that it will be useful, but WITHOUT ANY
15 WARRANTY; without even the implied warranty of MERCHANTABILITY or
16 FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
17 for more details.
18
19 You should have received a copy of the GNU General Public License
20 along with GCC; see the file COPYING3. If not see
21 <http://www.gnu.org/licenses/>. */
22
b48d4e68 23#define INCLUDE_STRING
24#include "config.h"
25#include "system.h"
26#include "coretypes.h"
27#include "backend.h"
28#include "tree.h"
29#include "gimple.h"
30#include "tree-pass.h"
31#include "builtins.h"
5a431b60 32#include "diagnostic.h"
33#include "ssa.h"
34#include "gimple-pretty-print.h"
35#include "gimple-ssa-warn-access.h"
36#include "gimple-ssa-warn-restrict.h"
37#include "diagnostic-core.h"
38#include "fold-const.h"
39#include "gimple-fold.h"
40#include "gimple-iterator.h"
b48d4e68 41#include "langhooks.h"
42#include "memmodel.h"
43#include "target.h"
44#include "tree-dfa.h"
45#include "tree-ssa.h"
46#include "tree-cfg.h"
47#include "tree-object-size.h"
81d6cdd3 48#include "tree-ssa-strlen.h"
49#include "calls.h"
50#include "cfgloop.h"
51#include "intl.h"
52#include "gimple-range.h"
53#include "stringpool.h"
54#include "attribs.h"
55#include "demangle.h"
56#include "pointer-query.h"
57
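/* Return true if tree node X has an associated location: a source
   location for a declaration, an expression location for an expression.
   Any other kind of node is reported as having none.  The predicate is
   a bool (it was previously typed location_t although every return
   statement yields a truth value).  */

static inline bool
has_location (const_tree x)
{
  if (DECL_P (x))
    return DECL_SOURCE_LOCATION (x) != UNKNOWN_LOCATION;

  if (EXPR_P (x))
    return EXPR_HAS_LOCATION (x);

  return false;
}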
71
/* Return the location associated with the GIMPLE statement STMT.  */

static inline location_t
get_location (const gimple *stmt)
{
  const location_t stmt_loc = gimple_location (stmt);
  return stmt_loc;
}
79
/* Return the location associated with tree node X: the source location
   of a declaration or the location of an expression.  For any other
   node return UNKNOWN_LOCATION.  */

static inline location_t
get_location (tree x)
{
  location_t result = UNKNOWN_LOCATION;

  if (DECL_P (x))
    result = DECL_SOURCE_LOCATION (x);
  else if (EXPR_P (x))
    result = EXPR_LOCATION (x);

  return result;
}
93
/* Overload of the nascent tree function for GIMPLE STMT: return the
   declaration of the function called by STMT as gimple_call_fndecl
   reports it.  */

static inline tree
get_callee_fndecl (const gimple *stmt)
{
  const tree callee = gimple_call_fndecl (stmt);
  return callee;
}
101
/* Return the number of actual arguments of the GIMPLE call STMT.  */

static inline unsigned
call_nargs (const gimple *stmt)
{
  const unsigned nargs = gimple_call_num_args (stmt);
  return nargs;
}
107
/* Return the number of actual arguments of the CALL_EXPR EXPR.  */

static inline unsigned
call_nargs (const_tree expr)
{
  const unsigned nargs = call_expr_nargs (expr);
  return nargs;
}
113
114
/* Return argument number ARGNO (zero-based) of the GIMPLE call STMT.  */

static inline tree
call_arg (const gimple *stmt, unsigned argno)
{
  const tree arg = gimple_call_arg (stmt, argno);
  return arg;
}
120
/* Return argument number ARGNO (zero-based) of the CALL_EXPR EXPR.  */

static inline tree
call_arg (tree expr, unsigned argno)
{
  const tree arg = CALL_EXPR_ARG (expr, argno);
  return arg;
}
126
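/* For a call EXPR at LOC to a function FNAME that expects a string
   in the argument ARG, issue a diagnostic due to it being called
   with an argument that is a character array with no terminating
   NUL.  DECL is the declaration of the unterminated array and is
   named in the follow-up note.  SIZE is the size of the array; it is
   exact when EXACT is true and an upper bound otherwise.  BNDRNG is
   the range of the number of characters in which the NUL is expected,
   or null for an unbounded call.  Either EXPR or FNAME may be null but
   not both.  SIZE may be null only when BNDRNG is null, since the
   bounded forms below read it.  */

template <class GimpleOrTree>
static void
warn_string_no_nul (location_t loc, GimpleOrTree expr, const char *fname,
		    tree arg, tree decl, tree size, bool exact,
		    const wide_int bndrng[2] /* = NULL */)
{
  const opt_code opt = OPT_Wstringop_overread;
  /* A suppression on either the call or the argument means the array
     has already been diagnosed (see the end of this function).  */
  if ((expr && warning_suppressed_p (expr, opt))
      || warning_suppressed_p (arg, opt))
    return;

  loc = expansion_point_location_if_in_system_header (loc);
  bool warned = false;

  /* Format the bound range as a string to keep the number of messages
     from exploding.  Two 64-bit values plus punctuation need at most
     45 bytes; the write is bounded anyway so the buffer size can never
     be exceeded should the format change.  */
  char bndstr[80];
  *bndstr = 0;
  if (bndrng)
    {
      if (bndrng[0] == bndrng[1])
	snprintf (bndstr, sizeof bndstr, "%llu",
		  (unsigned long long) bndrng[0].to_uhwi ());
      else
	snprintf (bndstr, sizeof bndstr, "[%llu, %llu]",
		  (unsigned long long) bndrng[0].to_uhwi (),
		  (unsigned long long) bndrng[1].to_uhwi ());
    }

  const tree maxobjsize = max_object_size ();
  const wide_int maxsiz = wi::to_wide (maxobjsize);
  if (expr)
    {
      /* With a call at hand name the callee with %qD.  */
      tree func = get_callee_fndecl (expr);
      if (bndrng)
	{
	  if (wi::ltu_p (maxsiz, bndrng[0]))
	    warned = warning_at (loc, opt,
				 "%qD specified bound %s exceeds "
				 "maximum object size %E",
				 func, bndstr, maxobjsize);
	  else
	    {
	      /* Use the tentative form when the lower bound equals an
		 inexact size: the access may still be in bounds.  */
	      bool maybe = wi::to_wide (size) == bndrng[0];
	      warned = warning_at (loc, opt,
				   exact
				   ? G_("%qD specified bound %s exceeds "
					"the size %E of unterminated array")
				   : (maybe
				      ? G_("%qD specified bound %s may "
					   "exceed the size of at most %E "
					   "of unterminated array")
				      : G_("%qD specified bound %s exceeds "
					   "the size of at most %E "
					   "of unterminated array")),
				   func, bndstr, size);
	    }
	}
      else
	warned = warning_at (loc, opt,
			     "%qD argument missing terminating nul",
			     func);
    }
  else
    {
      /* Without a call only the function name FNAME is available.  */
      if (bndrng)
	{
	  if (wi::ltu_p (maxsiz, bndrng[0]))
	    warned = warning_at (loc, opt,
				 "%qs specified bound %s exceeds "
				 "maximum object size %E",
				 fname, bndstr, maxobjsize);
	  else
	    {
	      bool maybe = wi::to_wide (size) == bndrng[0];
	      warned = warning_at (loc, opt,
				   exact
				   ? G_("%qs specified bound %s exceeds "
					"the size %E of unterminated array")
				   : (maybe
				      ? G_("%qs specified bound %s may "
					   "exceed the size of at most %E "
					   "of unterminated array")
				      : G_("%qs specified bound %s exceeds "
					   "the size of at most %E "
					   "of unterminated array")),
				   fname, bndstr, size);
	    }
	}
      else
	warned = warning_at (loc, opt,
			     "%qs argument missing terminating nul",
			     fname);
    }

  if (warned)
    {
      inform (get_location (decl),
	      "referenced argument declared here");
      /* Diagnose each array (and call) at most once.  */
      suppress_warning (arg, opt);
      if (expr)
	suppress_warning (expr, opt);
    }
}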
237
/* GIMPLE entry point: diagnose the call STMT at LOC to FNAME passing
   the unterminated array ARG declared by DECL.  See the template above
   for the meaning of SIZE, EXACT and BNDRNG.  */

void
warn_string_no_nul (location_t loc, gimple *stmt, const char *fname,
		    tree arg, tree decl, tree size /* = NULL_TREE */,
		    bool exact /* = false */,
		    const wide_int bndrng[2] /* = NULL */)
{
  warn_string_no_nul<gimple *> (loc, stmt, fname, arg, decl,
				size, exact, bndrng);
}
247
/* Tree entry point: diagnose the CALL_EXPR EXPR at LOC to FNAME passing
   the unterminated array ARG declared by DECL.  See the template above
   for the meaning of SIZE, EXACT and BNDRNG.  */

void
warn_string_no_nul (location_t loc, tree expr, const char *fname,
		    tree arg, tree decl, tree size /* = NULL_TREE */,
		    bool exact /* = false */,
		    const wide_int bndrng[2] /* = NULL */)
{
  warn_string_no_nul<tree> (loc, expr, fname, arg, decl,
			    size, exact, bndrng);
}
257
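/* If EXP refers to an unterminated constant character array return
   the declaration of the object of which the array is a member or
   element and, if SIZE is not null, set *SIZE to the size of the
   unterminated array.  When EXACT is also not null set *EXACT to true
   if the size is exact and clear it otherwise; a null EXACT is
   tolerated.  Otherwise return null.  */

tree
unterminated_array (tree exp, tree *size /* = NULL */, bool *exact /* = NULL */)
{
  /* C_STRLEN will return NULL and set DECL in the info
     structure if EXP references a unterminated array.  */
  c_strlen_data lendata = { };
  tree len = c_strlen (exp, 1, &lendata);
  if (len || !lendata.minlen || !lendata.decl)
    return NULL_TREE;

  if (!size)
    return lendata.decl;

  /* Whether LEN is the exact size or only an upper bound.  */
  bool is_exact = true;
  len = lendata.minlen;
  if (lendata.off)
    {
      /* Constant offsets are already accounted for in LENDATA.MINLEN,
	 but not in a SSA_NAME + CST expression.  */
      if (TREE_CODE (lendata.off) == INTEGER_CST)
	is_exact = true;
      else if (TREE_CODE (lendata.off) == PLUS_EXPR
	       && TREE_CODE (TREE_OPERAND (lendata.off, 1)) == INTEGER_CST)
	{
	  /* Subtract the constant part of the offset from the size of
	     the array; the variable part makes the result inexact.  */
	  is_exact = false;
	  tree temp = TREE_OPERAND (lendata.off, 1);
	  temp = fold_convert (ssizetype, temp);
	  len = fold_build2 (MINUS_EXPR, ssizetype, len, temp);
	}
      else
	is_exact = false;
    }

  *size = len;
  if (exact)
    *exact = is_exact;
  return lendata.decl;
}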
302
/* For a call EXPR (which may be null) that expects a string argument
   SRC as an argument, return false if SRC is a character array with
   no terminating NUL and true otherwise.  When nonnull, BOUND is the
   number of characters in which to expect the terminating NUL.  When
   EXPR is nonnull also issue a warning.  */

template <class GimpleOrTree>
static bool
check_nul_terminated_array (GimpleOrTree expr, tree src, tree bound)
{
  /* The constant size of the array SRC points to.  When EXACT is
     false the actual size may be smaller but never larger.  */
  tree size;
  /* True unless SRC involves a non-constant offset into the array.  */
  bool exact;
  /* The declaration of the unterminated constant array SRC refers to,
     or null when SRC is not known to be such an array.  */
  tree nonstr = unterminated_array (src, &size, &exact);
  if (!nonstr)
    return true;

  wide_int bndrng[2];
  if (bound)
    {
      /* Determine the range of the bound; give up unless it is
	 an ordinary range.  */
      value_range r;
      get_global_range_query ()->range_of_expr (r, bound);
      if (r.kind () != VR_RANGE)
	return true;

      bndrng[0] = r.lower_bound ();
      bndrng[1] = r.upper_bound ();

      /* No diagnostic when the smallest bound cannot reach past the
	 array: for an exact size a bound equal to the size is fine,
	 for an inexact one the bound must be strictly smaller.  */
      const wide_int wisize = wi::to_wide (size);
      const bool in_bounds = (exact
			      ? wi::leu_p (bndrng[0], wisize)
			      : wi::ltu_p (bndrng[0], wisize));
      if (in_bounds)
	return true;
    }

  if (expr)
    warn_string_no_nul (get_location (expr), expr, NULL, src, nonstr,
			size, exact, bound ? bndrng : NULL);

  return false;
}
355
/* GIMPLE entry point: check the string argument SRC of the call STMT
   with the optional BOUND.  See the template above.  */

bool
check_nul_terminated_array (gimple *stmt, tree src, tree bound /* = NULL_TREE */)
{
  const bool terminated
    = check_nul_terminated_array<gimple *> (stmt, src, bound);
  return terminated;
}
/* Tree entry point: check the string argument SRC of the CALL_EXPR
   EXPR with the optional BOUND.  See the template above.  */

bool
check_nul_terminated_array (tree expr, tree src, tree bound /* = NULL_TREE */)
{
  const bool terminated
    = check_nul_terminated_array<tree> (expr, src, bound);
  return terminated;
}
367
/* Warn about passing a non-string array/pointer to a built-in function
   that expects a nul-terminated string argument.  FNDECL is the called
   function (may be null) and EXP the GIMPLE call or CALL_EXPR.  Returns
   true if a warning has been issued.  */

template <class GimpleOrTree>
static bool
maybe_warn_nonstring_arg (tree fndecl, GimpleOrTree exp)
{
  /* Only calls to normal built-ins are checked.  */
  if (!fndecl || !fndecl_built_in_p (fndecl, BUILT_IN_NORMAL))
    return false;

  if (!warn_stringop_overread
      || warning_suppressed_p (exp, OPT_Wstringop_overread))
    return false;

  /* Avoid clearly invalid calls (more checking done below).  */
  unsigned nargs = call_nargs (exp);
  if (!nargs)
    return false;

  /* The bound argument to a bounded string function like strncpy.
     Later set to void_type_node as a marker that the bound was derived
     from MAXLEN rather than passed by the caller.  */
  tree bound = NULL_TREE;

  /* The longest known or possible string argument to one of the comparison
     functions.  If the length is less than the bound it is used instead.
     Since the length is only used for warning and not for code generation
     disable strict mode in the calls to get_range_strlen below.  */
  tree maxlen = NULL_TREE;

  /* It's safe to call "bounded" string functions with a non-string
     argument since the functions provide an explicit bound for this
     purpose.  The exception is strncat where the bound may refer to
     either the destination or the source.  FNCODE is an int rather
     than the enum so it can be reset to 0 below.  */
  int fncode = DECL_FUNCTION_CODE (fndecl);
  switch (fncode)
    {
    case BUILT_IN_STRCMP:
    case BUILT_IN_STRNCMP:
    case BUILT_IN_STRNCASECMP:
      {
	/* For these, if one argument refers to one or more of a set
	   of string constants or arrays of known size, determine
	   the range of their known or possible lengths and use it
	   conservatively as the bound for the unbounded function,
	   and to adjust the range of the bound of the bounded ones.
	   Stop as soon as a constant length is known.  */
	for (unsigned argno = 0;
	     argno < MIN (nargs, 2)
	     && !(maxlen && TREE_CODE (maxlen) == INTEGER_CST); argno++)
	  {
	    tree arg = call_arg (exp, argno);
	    if (!get_attr_nonstring_decl (arg))
	      {
		c_strlen_data lendata = { };
		/* Set MAXBOUND to an arbitrary non-null non-integer
		   node as a request to have it set to the length of
		   the longest string in a PHI.  */
		lendata.maxbound = arg;
		get_range_strlen (arg, &lendata, /* eltsize = */ 1);
		maxlen = lendata.maxbound;
	      }
	  }
      }
      /* Fall through.  */

    case BUILT_IN_STRNCAT:
    case BUILT_IN_STPNCPY:
    case BUILT_IN_STRNCPY:
      /* The bound is the third argument of these.  */
      if (nargs > 2)
	bound = call_arg (exp, 2);
      break;

    case BUILT_IN_STRNDUP:
      if (nargs < 2)
	return false;
      bound = call_arg (exp, 1);
      break;

    case BUILT_IN_STRNLEN:
      {
	/* Like the comparison functions above but with a single
	   string argument and the bound as the second argument.  */
	tree arg = call_arg (exp, 0);
	if (!get_attr_nonstring_decl (arg))
	  {
	    c_strlen_data lendata = { };
	    /* Set MAXBOUND to an arbitrary non-null non-integer
	       node as a request to have it set to the length of
	       the longest string in a PHI.  */
	    lendata.maxbound = arg;
	    get_range_strlen (arg, &lendata, /* eltsize = */ 1);
	    maxlen = lendata.maxbound;
	  }
	if (nargs > 1)
	  bound = call_arg (exp, 1);
	break;
      }

    default:
      break;
    }

  /* Determine the range of the bound argument (if specified).  */
  tree bndrng[2] = { NULL_TREE, NULL_TREE };
  if (bound)
    {
      STRIP_NOPS (bound);
      get_size_range (bound, bndrng);
    }

  location_t loc = get_location (exp);

  if (bndrng[0])
    {
      /* Diagnose excessive bound prior to the adjustment below and
	 regardless of attribute nonstring.  */
      tree maxobjsize = max_object_size ();
      if (tree_int_cst_lt (maxobjsize, bndrng[0]))
	{
	  bool warned = false;
	  if (tree_int_cst_equal (bndrng[0], bndrng[1]))
	    warned = warning_at (loc, OPT_Wstringop_overread,
				 "%qD specified bound %E "
				 "exceeds maximum object size %E",
				 fndecl, bndrng[0], maxobjsize);
	  else
	    warned = warning_at (loc, OPT_Wstringop_overread,
				 "%qD specified bound [%E, %E] "
				 "exceeds maximum object size %E",
				 fndecl, bndrng[0], bndrng[1],
				 maxobjsize);
	  if (warned)
	    suppress_warning (exp, OPT_Wstringop_overread);

	  /* An excessive bound is the only diagnostic for this call.  */
	  return warned;
	}
    }

  /* An all-ones MAXLEN means the length is unknown.  */
  if (maxlen && !integer_all_onesp (maxlen))
    {
      /* Add one for the nul.  */
      maxlen = const_binop (PLUS_EXPR, TREE_TYPE (maxlen), maxlen,
			    size_one_node);

      if (!bndrng[0])
	{
	  /* Conservatively use the upper bound of the lengths for
	     both the lower and the upper bound of the operation.
	     Mark BOUND as synthesized rather than explicit.  */
	  bndrng[0] = maxlen;
	  bndrng[1] = maxlen;
	  bound = void_type_node;
	}
      else if (maxlen)
	{
	  /* Replace the bound on the operation with the upper bound
	     of the length of the string if the latter is smaller.
	     (MAXLEN is known to be nonnull here.)  */
	  if (tree_int_cst_lt (maxlen, bndrng[0]))
	    bndrng[0] = maxlen;
	  else if (tree_int_cst_lt (maxlen, bndrng[1]))
	    bndrng[1] = maxlen;
	}
    }

  bool any_arg_warned = false;
  /* Iterate over the built-in function's formal arguments and check
     each const char* against the actual argument.  If the actual
     argument is declared attribute non-string issue a warning unless
     the argument's maximum length is bounded.  */
  function_args_iterator it;
  function_args_iter_init (&it, TREE_TYPE (fndecl));

  for (unsigned argno = 0; ; ++argno, function_args_iter_next (&it))
    {
      /* Avoid iterating past the declared argument in a call
	 to function declared without a prototype.  */
      if (argno >= nargs)
	break;

      tree argtype = function_args_iter_cond (&it);
      if (!argtype)
	break;

      /* Only formal parameters of type const char* are of interest.  */
      if (TREE_CODE (argtype) != POINTER_TYPE)
	continue;

      argtype = TREE_TYPE (argtype);

      if (TREE_CODE (argtype) != INTEGER_TYPE
	  || !TYPE_READONLY (argtype))
	continue;

      argtype = TYPE_MAIN_VARIANT (argtype);
      if (argtype != char_type_node)
	continue;

      tree callarg = call_arg (exp, argno);
      if (TREE_CODE (callarg) == ADDR_EXPR)
	callarg = TREE_OPERAND (callarg, 0);

      /* See if the destination is declared with attribute "nonstring".  */
      tree decl = get_attr_nonstring_decl (callarg);
      if (!decl)
	continue;

      /* The maximum number of array elements accessed.  */
      offset_int wibnd = 0;

      if (argno && fncode == BUILT_IN_STRNCAT)
	{
	  /* See if the bound in strncat is derived from the length
	     of the strlen of the destination (as it's expected to be).
	     If so, reset BOUND and FNCODE to trigger a warning.  */
	  tree dstarg = call_arg (exp, 0);
	  if (is_strlen_related_p (dstarg, bound))
	    {
	      /* The bound applies to the destination, not to the source,
		 so reset these to trigger a warning without mentioning
		 the bound.  */
	      bound = NULL;
	      fncode = 0;
	    }
	  else if (bndrng[1])
	    /* Use the upper bound of the range for strncat.  */
	    wibnd = wi::to_offset (bndrng[1]);
	}
      else if (bndrng[0])
	/* Use the lower bound of the range for functions other than
	   strncat.  */
	wibnd = wi::to_offset (bndrng[0]);

      /* Determine the size of the argument array if it is one.  */
      offset_int asize = wibnd;
      bool known_size = false;
      tree type = TREE_TYPE (decl);

      /* Determine the array size.  For arrays of unknown bound and
	 pointers reset BOUND to trigger the appropriate warning.  */
      if (TREE_CODE (type) == ARRAY_TYPE)
	{
	  if (tree arrbnd = TYPE_DOMAIN (type))
	    {
	      if ((arrbnd = TYPE_MAX_VALUE (arrbnd)))
		{
		  /* The domain holds the last index; add one.  */
		  asize = wi::to_offset (arrbnd) + 1;
		  known_size = true;
		}
	    }
	  else if (bound == void_type_node)
	    bound = NULL_TREE;
	}
      else if (bound == void_type_node)
	bound = NULL_TREE;

      /* In a call to strncat with a bound in a range whose lower but
	 not upper bound is less than the array size, reset ASIZE to
	 be the same as the bound and the other variable to trigger
	 the appropriate warning below.  */
      if (fncode == BUILT_IN_STRNCAT
	  && bndrng[0] != bndrng[1]
	  && wi::ltu_p (wi::to_offset (bndrng[0]), asize)
	  && (!known_size
	      || wi::ltu_p (asize, wibnd)))
	{
	  asize = wibnd;
	  bound = NULL_TREE;
	  fncode = 0;
	}

      bool warned = false;

      /* Keep the warning and the note below in one group.  */
      auto_diagnostic_group d;
      if (wi::ltu_p (asize, wibnd))
	{
	  if (bndrng[0] == bndrng[1])
	    warned = warning_at (loc, OPT_Wstringop_overread,
				 "%qD argument %i declared attribute "
				 "%<nonstring%> is smaller than the specified "
				 "bound %wu",
				 fndecl, argno + 1, wibnd.to_uhwi ());
	  else if (wi::ltu_p (asize, wi::to_offset (bndrng[0])))
	    warned = warning_at (loc, OPT_Wstringop_overread,
				 "%qD argument %i declared attribute "
				 "%<nonstring%> is smaller than "
				 "the specified bound [%E, %E]",
				 fndecl, argno + 1, bndrng[0], bndrng[1]);
	  else
	    warned = warning_at (loc, OPT_Wstringop_overread,
				 "%qD argument %i declared attribute "
				 "%<nonstring%> may be smaller than "
				 "the specified bound [%E, %E]",
				 fndecl, argno + 1, bndrng[0], bndrng[1]);
	}
      else if (fncode == BUILT_IN_STRNCAT)
	; /* Avoid warning for calls to strncat() when the bound
	     is equal to the size of the non-string argument.  */
      else if (!bound)
	warned = warning_at (loc, OPT_Wstringop_overread,
			     "%qD argument %i declared attribute %<nonstring%>",
			     fndecl, argno + 1);

      if (warned)
	{
	  inform (DECL_SOURCE_LOCATION (decl),
		  "argument %qD declared here", decl);
	  any_arg_warned = true;
	}
    }

  /* Diagnose each call at most once.  */
  if (any_arg_warned)
    suppress_warning (exp, OPT_Wstringop_overread);

  return any_arg_warned;
}
678
/* GIMPLE entry point: check the arguments of the call STMT to the
   built-in FNDECL.  See the template above.  */

bool
maybe_warn_nonstring_arg (tree fndecl, gimple *stmt)
{
  const bool warned = maybe_warn_nonstring_arg<gimple *> (fndecl, stmt);
  return warned;
}
/* Tree entry point: check the arguments of the CALL_EXPR EXPR to the
   built-in FNDECL.  See the template above.  */

bool
maybe_warn_nonstring_arg (tree fndecl, tree expr)
{
  const bool warned = maybe_warn_nonstring_arg<tree> (fndecl, expr);
  return warned;
}
691
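/* Issue a warning OPT at LOC for a bounded call EXP to FUNC (which may
   be null) with a bound in BNDRNG accessing an object with SIZE (which
   may be null).  For OPT_Wstringop_overread the bound is checked against
   the source object described by PAD, otherwise against the destination.
   PAD may be null.  Returns true when a warning has been issued.  */

template <class GimpleOrTree>
static bool
maybe_warn_for_bound (opt_code opt, location_t loc, GimpleOrTree exp, tree func,
		      tree bndrng[2], tree size, const access_data *pad)
{
  if (!bndrng[0] || warning_suppressed_p (exp, opt))
    return false;

  tree maxobjsize = max_object_size ();

  bool warned = false;

  if (opt == OPT_Wstringop_overread)
    {
      bool maybe = pad && pad->src.phi ();
      if (maybe)
	{
	  /* Issue a "maybe" warning only if the PHI refers to objects
	     at least one of which has more space remaining than the bound.
	     Otherwise, if the bound is greater, use the definitive form.  */
	  offset_int remmax = pad->src.size_remaining ();
	  if (remmax < wi::to_offset (bndrng[0]))
	    maybe = false;
	}

      if (tree_int_cst_lt (maxobjsize, bndrng[0]))
	{
	  if (bndrng[0] == bndrng[1])
	    warned = (func
		      ? warning_at (loc, opt,
				    (maybe
				     ? G_("%qD specified bound %E may "
					  "exceed maximum object size %E")
				     : G_("%qD specified bound %E "
					  "exceeds maximum object size %E")),
				    func, bndrng[0], maxobjsize)
		      : warning_at (loc, opt,
				    (maybe
				     ? G_("specified bound %E may "
					  "exceed maximum object size %E")
				     : G_("specified bound %E "
					  "exceeds maximum object size %E")),
				    bndrng[0], maxobjsize));
	  else
	    warned = (func
		      ? warning_at (loc, opt,
				    (maybe
				     ? G_("%qD specified bound [%E, %E] may "
					  "exceed maximum object size %E")
				     : G_("%qD specified bound [%E, %E] "
					  "exceeds maximum object size %E")),
				    func,
				    bndrng[0], bndrng[1], maxobjsize)
		      : warning_at (loc, opt,
				    (maybe
				     ? G_("specified bound [%E, %E] may "
					  "exceed maximum object size %E")
				     : G_("specified bound [%E, %E] "
					  "exceeds maximum object size %E")),
				    bndrng[0], bndrng[1], maxobjsize));
	}
      /* Nothing to report without a size or with a bound within it.  */
      else if (!size || tree_int_cst_le (bndrng[0], size))
	return false;
      else if (tree_int_cst_equal (bndrng[0], bndrng[1]))
	warned = (func
		  ? warning_at (loc, opt,
				(maybe
				 ? G_("%qD specified bound %E may exceed "
				      "source size %E")
				 : G_("%qD specified bound %E exceeds "
				      "source size %E")),
				func, bndrng[0], size)
		  : warning_at (loc, opt,
				(maybe
				 ? G_("specified bound %E may exceed "
				      "source size %E")
				 : G_("specified bound %E exceeds "
				      "source size %E")),
				bndrng[0], size));
      else
	warned = (func
		  ? warning_at (loc, opt,
				(maybe
				 ? G_("%qD specified bound [%E, %E] may "
				      "exceed source size %E")
				 : G_("%qD specified bound [%E, %E] exceeds "
				      "source size %E")),
				func, bndrng[0], bndrng[1], size)
		  : warning_at (loc, opt,
				(maybe
				 ? G_("specified bound [%E, %E] may exceed "
				      "source size %E")
				 : G_("specified bound [%E, %E] exceeds "
				      "source size %E")),
				bndrng[0], bndrng[1], size));
      if (warned)
	{
	  /* Point at the source object when its location is known.  */
	  if (pad && pad->src.ref
	      && has_location (pad->src.ref))
	    inform (get_location (pad->src.ref),
		    "source object allocated here");
	  suppress_warning (exp, opt);
	}

      return warned;
    }

  bool maybe = pad && pad->dst.phi ();
  if (maybe)
    {
      /* Issue a "maybe" warning only if the PHI refers to objects
	 at least one of which has more space remaining than the bound.
	 Otherwise, if the bound is greater, use the definitive form.  */
      offset_int remmax = pad->dst.size_remaining ();
      if (remmax < wi::to_offset (bndrng[0]))
	maybe = false;
    }
  if (tree_int_cst_lt (maxobjsize, bndrng[0]))
    {
      if (bndrng[0] == bndrng[1])
	warned = (func
		  ? warning_at (loc, opt,
				(maybe
				 ? G_("%qD specified size %E may "
				      "exceed maximum object size %E")
				 : G_("%qD specified size %E "
				      "exceeds maximum object size %E")),
				func, bndrng[0], maxobjsize)
		  : warning_at (loc, opt,
				(maybe
				 ? G_("specified size %E may exceed "
				      "maximum object size %E")
				 : G_("specified size %E exceeds "
				      "maximum object size %E")),
				bndrng[0], maxobjsize));
      else
	warned = (func
		  ? warning_at (loc, opt,
				(maybe
				 ? G_("%qD specified size between %E and %E "
				      "may exceed maximum object size %E")
				 : G_("%qD specified size between %E and %E "
				      "exceeds maximum object size %E")),
				func, bndrng[0], bndrng[1], maxobjsize)
		  : warning_at (loc, opt,
				(maybe
				 ? G_("specified size between %E and %E "
				      "may exceed maximum object size %E")
				 : G_("specified size between %E and %E "
				      "exceeds maximum object size %E")),
				bndrng[0], bndrng[1], maxobjsize));
    }
  /* Nothing to report without a size or with a bound within it.  */
  else if (!size || tree_int_cst_le (bndrng[0], size))
    return false;
  else if (tree_int_cst_equal (bndrng[0], bndrng[1]))
    warned = (func
	      ? warning_at (loc, opt,
			    (maybe
			     ? G_("%qD specified bound %E may exceed "
				  "destination size %E")
			     : G_("%qD specified bound %E exceeds "
				  "destination size %E")),
			    func, bndrng[0], size)
	      : warning_at (loc, opt,
			    (maybe
			     ? G_("specified bound %E may exceed "
				  "destination size %E")
			     : G_("specified bound %E exceeds "
				  "destination size %E")),
			    bndrng[0], size));
  else
    warned = (func
	      ? warning_at (loc, opt,
			    (maybe
			     ? G_("%qD specified bound [%E, %E] may exceed "
				  "destination size %E")
			     : G_("%qD specified bound [%E, %E] exceeds "
				  "destination size %E")),
			    func, bndrng[0], bndrng[1], size)
	      /* Like the FUNC form above, the PHI case uses the
		 tentative "may exceed" wording.  */
	      : warning_at (loc, opt,
			    (maybe
			     ? G_("specified bound [%E, %E] may exceed "
				  "destination size %E")
			     : G_("specified bound [%E, %E] exceeds "
				  "destination size %E")),
			    bndrng[0], bndrng[1], size));

  if (warned)
    {
      /* Point at the destination object when its location is known.  */
      if (pad && pad->dst.ref
	  && has_location (pad->dst.ref))
	inform (get_location (pad->dst.ref),
		"destination object allocated here");
      suppress_warning (exp, opt);
    }

  return warned;
}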
893
/* GIMPLE entry point: check the bound BNDRNG of the call STMT to FUNC
   against SIZE.  See the template above for OPT, LOC and PAD.  */

bool
maybe_warn_for_bound (opt_code opt, location_t loc, gimple *stmt, tree func,
		      tree bndrng[2], tree size,
		      const access_data *pad /* = NULL */)
{
  const bool warned
    = maybe_warn_for_bound<gimple *> (opt, loc, stmt, func, bndrng,
				      size, pad);
  return warned;
}
902
/* Tree entry point: check the bound BNDRNG of the CALL_EXPR EXPR to
   FUNC against SIZE.  See the template above for OPT, LOC and PAD.  */

bool
maybe_warn_for_bound (opt_code opt, location_t loc, tree expr, tree func,
		      tree bndrng[2], tree size,
		      const access_data *pad /* = NULL */)
{
  const bool warned
    = maybe_warn_for_bound<tree> (opt, loc, expr, func, bndrng,
				  size, pad);
  return warned;
}
910
911/* For an expression EXP issue an access warning controlled by option OPT
912 with access to a region SIZE bytes in size in the RANGE of sizes.
913 WRITE is true for a write access, READ for a read access, neither for
914 call that may or may not perform an access but for which the range
915 is expected to valid.
916 Returns true when a warning has been issued. */
917
81d6cdd3 918template <class GimpleOrTree>
2a837de2 919static bool
920warn_for_access (location_t loc, tree func, GimpleOrTree exp, int opt,
921 tree range[2], tree size, bool write, bool read, bool maybe)
922{
923 bool warned = false;
924
925 if (write && read)
926 {
927 if (tree_int_cst_equal (range[0], range[1]))
928 warned = (func
929 ? warning_n (loc, opt, tree_to_uhwi (range[0]),
930 (maybe
931 ? G_("%qD may access %E byte in a region "
932 "of size %E")
933 : G_("%qD accessing %E byte in a region "
934 "of size %E")),
935 (maybe
936 ? G_ ("%qD may access %E bytes in a region "
937 "of size %E")
938 : G_ ("%qD accessing %E bytes in a region "
939 "of size %E")),
940 func, range[0], size)
941 : warning_n (loc, opt, tree_to_uhwi (range[0]),
942 (maybe
943 ? G_("may access %E byte in a region "
944 "of size %E")
945 : G_("accessing %E byte in a region "
946 "of size %E")),
947 (maybe
948 ? G_("may access %E bytes in a region "
949 "of size %E")
950 : G_("accessing %E bytes in a region "
951 "of size %E")),
952 range[0], size));
953 else if (tree_int_cst_sign_bit (range[1]))
954 {
955 /* Avoid printing the upper bound if it's invalid. */
956 warned = (func
957 ? warning_at (loc, opt,
958 (maybe
959 ? G_("%qD may access %E or more bytes "
960 "in a region of size %E")
961 : G_("%qD accessing %E or more bytes "
962 "in a region of size %E")),
963 func, range[0], size)
964 : warning_at (loc, opt,
965 (maybe
966 ? G_("may access %E or more bytes "
967 "in a region of size %E")
968 : G_("accessing %E or more bytes "
969 "in a region of size %E")),
970 range[0], size));
971 }
972 else
973 warned = (func
974 ? warning_at (loc, opt,
975 (maybe
976 ? G_("%qD may access between %E and %E "
977 "bytes in a region of size %E")
978 : G_("%qD accessing between %E and %E "
979 "bytes in a region of size %E")),
980 func, range[0], range[1], size)
981 : warning_at (loc, opt,
982 (maybe
983 ? G_("may access between %E and %E bytes "
984 "in a region of size %E")
985 : G_("accessing between %E and %E bytes "
986 "in a region of size %E")),
987 range[0], range[1], size));
988 return warned;
989 }
990
991 if (write)
992 {
993 if (tree_int_cst_equal (range[0], range[1]))
994 warned = (func
995 ? warning_n (loc, opt, tree_to_uhwi (range[0]),
996 (maybe
997 ? G_("%qD may write %E byte into a region "
998 "of size %E")
999 : G_("%qD writing %E byte into a region "
1000 "of size %E overflows the destination")),
1001 (maybe
1002 ? G_("%qD may write %E bytes into a region "
1003 "of size %E")
1004 : G_("%qD writing %E bytes into a region "
1005 "of size %E overflows the destination")),
1006 func, range[0], size)
1007 : warning_n (loc, opt, tree_to_uhwi (range[0]),
1008 (maybe
1009 ? G_("may write %E byte into a region "
1010 "of size %E")
1011 : G_("writing %E byte into a region "
1012 "of size %E overflows the destination")),
1013 (maybe
1014 ? G_("may write %E bytes into a region "
1015 "of size %E")
1016 : G_("writing %E bytes into a region "
1017 "of size %E overflows the destination")),
1018 range[0], size));
1019 else if (tree_int_cst_sign_bit (range[1]))
1020 {
1021 /* Avoid printing the upper bound if it's invalid. */
1022 warned = (func
1023 ? warning_at (loc, opt,
1024 (maybe
1025 ? G_("%qD may write %E or more bytes "
1026 "into a region of size %E")
1027 : G_("%qD writing %E or more bytes "
1028 "into a region of size %E overflows "
1029 "the destination")),
1030 func, range[0], size)
1031 : warning_at (loc, opt,
1032 (maybe
1033 ? G_("may write %E or more bytes into "
1034 "a region of size %E")
1035 : G_("writing %E or more bytes into "
1036 "a region of size %E overflows "
1037 "the destination")),
1038 range[0], size));
1039 }
1040 else
1041 warned = (func
1042 ? warning_at (loc, opt,
1043 (maybe
1044 ? G_("%qD may write between %E and %E bytes "
1045 "into a region of size %E")
1046 : G_("%qD writing between %E and %E bytes "
1047 "into a region of size %E overflows "
1048 "the destination")),
1049 func, range[0], range[1], size)
1050 : warning_at (loc, opt,
1051 (maybe
1052 ? G_("may write between %E and %E bytes "
1053 "into a region of size %E")
1054 : G_("writing between %E and %E bytes "
1055 "into a region of size %E overflows "
1056 "the destination")),
1057 range[0], range[1], size));
1058 return warned;
1059 }
1060
1061 if (read)
1062 {
1063 if (tree_int_cst_equal (range[0], range[1]))
1064 warned = (func
1065 ? warning_n (loc, OPT_Wstringop_overread,
1066 tree_to_uhwi (range[0]),
1067 (maybe
1068 ? G_("%qD may read %E byte from a region "
1069 "of size %E")
1070 : G_("%qD reading %E byte from a region "
1071 "of size %E")),
1072 (maybe
1073 ? G_("%qD may read %E bytes from a region "
1074 "of size %E")
1075 : G_("%qD reading %E bytes from a region "
1076 "of size %E")),
1077 func, range[0], size)
1078 : warning_n (loc, OPT_Wstringop_overread,
1079 tree_to_uhwi (range[0]),
1080 (maybe
1081 ? G_("may read %E byte from a region "
1082 "of size %E")
1083 : G_("reading %E byte from a region "
1084 "of size %E")),
1085 (maybe
1086 ? G_("may read %E bytes from a region "
1087 "of size %E")
1088 : G_("reading %E bytes from a region "
1089 "of size %E")),
1090 range[0], size));
1091 else if (tree_int_cst_sign_bit (range[1]))
1092 {
1093 /* Avoid printing the upper bound if it's invalid. */
1094 warned = (func
1095 ? warning_at (loc, OPT_Wstringop_overread,
1096 (maybe
1097 ? G_("%qD may read %E or more bytes "
1098 "from a region of size %E")
1099 : G_("%qD reading %E or more bytes "
1100 "from a region of size %E")),
1101 func, range[0], size)
1102 : warning_at (loc, OPT_Wstringop_overread,
1103 (maybe
1104 ? G_("may read %E or more bytes "
1105 "from a region of size %E")
1106 : G_("reading %E or more bytes "
1107 "from a region of size %E")),
1108 range[0], size));
1109 }
1110 else
1111 warned = (func
1112 ? warning_at (loc, OPT_Wstringop_overread,
1113 (maybe
1114 ? G_("%qD may read between %E and %E bytes "
1115 "from a region of size %E")
1116 : G_("%qD reading between %E and %E bytes "
1117 "from a region of size %E")),
1118 func, range[0], range[1], size)
1119 : warning_at (loc, opt,
1120 (maybe
1121 ? G_("may read between %E and %E bytes "
1122 "from a region of size %E")
1123 : G_("reading between %E and %E bytes "
1124 "from a region of size %E")),
1125 range[0], range[1], size));
1126
1127 if (warned)
1128 suppress_warning (exp, OPT_Wstringop_overread);
1129
1130 return warned;
1131 }
1132
1133 if (tree_int_cst_equal (range[0], range[1])
1134 || tree_int_cst_sign_bit (range[1]))
1135 warned = (func
1136 ? warning_n (loc, OPT_Wstringop_overread,
1137 tree_to_uhwi (range[0]),
1138 "%qD expecting %E byte in a region of size %E",
1139 "%qD expecting %E bytes in a region of size %E",
1140 func, range[0], size)
1141 : warning_n (loc, OPT_Wstringop_overread,
1142 tree_to_uhwi (range[0]),
1143 "expecting %E byte in a region of size %E",
1144 "expecting %E bytes in a region of size %E",
1145 range[0], size));
1146 else if (tree_int_cst_sign_bit (range[1]))
1147 {
1148 /* Avoid printing the upper bound if it's invalid. */
1149 warned = (func
1150 ? warning_at (loc, OPT_Wstringop_overread,
1151 "%qD expecting %E or more bytes in a region "
1152 "of size %E",
1153 func, range[0], size)
1154 : warning_at (loc, OPT_Wstringop_overread,
1155 "expecting %E or more bytes in a region "
1156 "of size %E",
1157 range[0], size));
1158 }
1159 else
1160 warned = (func
1161 ? warning_at (loc, OPT_Wstringop_overread,
1162 "%qD expecting between %E and %E bytes in "
1163 "a region of size %E",
1164 func, range[0], range[1], size)
1165 : warning_at (loc, OPT_Wstringop_overread,
1166 "expecting between %E and %E bytes in "
1167 "a region of size %E",
1168 range[0], range[1], size));
1169
1170 if (warned)
1171 suppress_warning (exp, OPT_Wstringop_overread);
1172
1173 return warned;
1174}
1175
/* Non-template entry point for a GIMPLE call STMT: instantiates the
   warn_for_access template for gimple * and passes every argument
   through unchanged.  Returns whatever the template returns.  */

static bool
warn_for_access (location_t loc, tree func, gimple *stmt, int opt,
		 tree range[2], tree size, bool write, bool read, bool maybe)
{
  const bool warned
    = warn_for_access<gimple *> (loc, func, stmt, opt, range, size,
				 write, read, maybe);
  return warned;
}
1183
/* Non-template entry point for a call expression EXPR: instantiates the
   warn_for_access template for tree and passes every argument through
   unchanged.  Returns whatever the template returns.  */

static bool
warn_for_access (location_t loc, tree func, tree expr, int opt,
		 tree range[2], tree size, bool write, bool read, bool maybe)
{
  const bool warned
    = warn_for_access<tree> (loc, func, expr, opt, range, size,
			     write, read, maybe);
  return warned;
}
1191
1192/* Helper to set RANGE to the range of BOUND if it's nonnull, bounded
1193 by BNDRNG if nonnull and valid. */
1194
static void
get_size_range (range_query *query, tree bound, gimple *stmt, tree range[2],
		const offset_int bndrng[2])
{
  /* Start from the range of BOUND itself when there is one.  */
  if (bound)
    get_size_range (query, bound, stmt, range);

  /* Nothing to clamp against: no bounds at all, or the unbounded
     [0, SIZE_MAX] pair.  */
  if (!bndrng)
    return;
  if (bndrng[0] == 0 && bndrng[1] == HOST_WIDE_INT_M1U)
    return;

  const bool have_const_range
    = range[0] && TREE_CODE (range[0]) == INTEGER_CST;
  if (!have_const_range)
    {
      /* No usable range for BOUND: take BNDRNG as the range outright.  */
      range[0] = wide_int_to_tree (sizetype, bndrng[0]);
      range[1] = wide_int_to_tree (sizetype, bndrng[1]);
      return;
    }

  /* Otherwise narrow each end of RANGE to BNDRNG where BNDRNG is tighter.  */
  const offset_int lo = wi::to_offset (range[0]);
  const offset_int hi = wi::to_offset (range[1]);
  if (lo < bndrng[0])
    range[0] = wide_int_to_tree (sizetype, bndrng[0]);
  if (bndrng[1] < hi)
    range[1] = wide_int_to_tree (sizetype, bndrng[1]);
}
1220
1221/* Try to verify that the sizes and lengths of the arguments to a string
1222 manipulation function given by EXP are within valid bounds and that
1223 the operation does not lead to buffer overflow or read past the end.
1224 Arguments other than EXP may be null. When non-null, the arguments
1225 have the following meaning:
1226 DST is the destination of a copy call or NULL otherwise.
1227 SRC is the source of a copy call or NULL otherwise.
   DSTWRITE is the number of bytes written into the destination obtained
   from the user-supplied size argument to the function (such as in
   memcpy(DST, SRC, DSTWRITE) or strncpy(DST, SRC, DSTWRITE)).
   MAXREAD is the user-supplied bound on the length of the source sequence
   (such as in strncat(d, s, N)).  It specifies the upper limit on the number
   of bytes to write.  If NULL, it's taken to be the same as DSTWRITE.
1234 SRCSTR is the source string (such as in strcpy(DST, SRC)) when the
1235 expression EXP is a string function call (as opposed to a memory call
1236 like memcpy). As an exception, SRCSTR can also be an integer denoting
1237 the precomputed size of the source string or object (for functions like
1238 memcpy).
1239 DSTSIZE is the size of the destination object.
1240
1241 When DSTWRITE is null LEN is checked to verify that it doesn't exceed
1242 SIZE_MAX.
1243
1244 WRITE is true for write accesses, READ is true for reads. Both are
1245 false for simple size checks in calls to functions that neither read
1246 from nor write to the region.
1247
1248 When nonnull, PAD points to a more detailed description of the access.
1249
1250 If the call is successfully verified as safe return true, otherwise
1251 return false. */
1252
template <class GimpleOrTree>
static bool
check_access (GimpleOrTree exp, tree dstwrite,
	      tree maxread, tree srcstr, tree dstsize,
	      access_mode mode, const access_data *pad,
	      range_query *rvals)
{
  /* The size of the largest object is half the address space, or
     PTRDIFF_MAX.  (This is way too permissive.)  */
  tree maxobjsize = max_object_size ();

  /* Either an approximate/minimum the length of the source string for
     string functions or the size of the source object for raw memory
     functions.  */
  tree slen = NULL_TREE;

  /* The range of the access in bytes; first set to the write access
     for functions that write and then read for those that also (or
     just) read.  */
  tree range[2] = { NULL_TREE, NULL_TREE };

  /* Set to true when the exact number of bytes written by a string
     function like strcpy is not known and the only thing that is
     known is that it must be at least one (for the terminating nul).  */
  bool at_least_one = false;
  if (srcstr)
    {
      /* SRCSTR is normally a pointer to string but as a special case
	 it can be an integer denoting the length of a string.  */
      if (POINTER_TYPE_P (TREE_TYPE (srcstr)))
	{
	  if (!check_nul_terminated_array (exp, srcstr, maxread))
	    /* Return if the array is not nul-terminated and a warning
	       has been issued.  */
	    return false;

	  /* Try to determine the range of lengths the source string
	     refers to.  If it can be determined and is less than
	     the upper bound given by MAXREAD add one to it for
	     the terminating nul.  Otherwise, set it to one for
	     the same reason, or to MAXREAD as appropriate.  */
	  c_strlen_data lendata = { };
	  get_range_strlen (srcstr, &lendata, /* eltsize = */ 1);
	  range[0] = lendata.minlen;
	  range[1] = lendata.maxbound ? lendata.maxbound : lendata.maxlen;
	  if (range[0]
	      && TREE_CODE (range[0]) == INTEGER_CST
	      && TREE_CODE (range[1]) == INTEGER_CST
	      && (!maxread || TREE_CODE (maxread) == INTEGER_CST))
	    {
	      /* A MAXREAD at or below the minimum length caps both ends
		 (no nul is written then); otherwise account for the nul.  */
	      if (maxread && tree_int_cst_le (maxread, range[0]))
		range[0] = range[1] = maxread;
	      else
		range[0] = fold_build2 (PLUS_EXPR, size_type_node,
					range[0], size_one_node);

	      /* An all-ones upper bound means "unknown"; don't bump it.  */
	      if (maxread && tree_int_cst_le (maxread, range[1]))
		range[1] = maxread;
	      else if (!integer_all_onesp (range[1]))
		range[1] = fold_build2 (PLUS_EXPR, size_type_node,
					range[1], size_one_node);

	      slen = range[0];
	    }
	  else
	    {
	      at_least_one = true;
	      slen = size_one_node;
	    }
	}
      else
	/* The integer form of SRCSTR is the precomputed source size.  */
	slen = srcstr;
    }

  if (!dstwrite && !maxread)
    {
      /* When the only available piece of data is the object size
	 there is nothing to do.  */
      if (!slen)
	return true;

      /* Otherwise, when the length of the source sequence is known
	 (as with strlen), set DSTWRITE to it.  */
      if (!range[0])
	dstwrite = slen;
    }

  /* With no destination size, check against the largest possible object.  */
  if (!dstsize)
    dstsize = maxobjsize;

  /* Set RANGE to that of DSTWRITE if non-null, bounded by PAD->DST_BNDRNG
     if valid.  */
  gimple *stmt = pad ? pad->stmt : nullptr;
  get_size_range (rvals, dstwrite, stmt, range, pad ? pad->dst_bndrng : NULL);

  tree func = get_callee_fndecl (exp);
  /* Read vs write access by built-ins can be determined from the const
     qualifiers on the pointer argument.  In the absence of attribute
     access, non-const qualified pointer arguments to user-defined
     functions are assumed to both read and write the objects.  */
  const bool builtin = func ? fndecl_built_in_p (func) : false;

  /* First check the number of bytes to be written against the maximum
     object size.  */
  if (range[0]
      && TREE_CODE (range[0]) == INTEGER_CST
      && tree_int_cst_lt (maxobjsize, range[0]))
    {
      location_t loc = get_location (exp);
      maybe_warn_for_bound (OPT_Wstringop_overflow_, loc, exp, func, range,
			    NULL_TREE, pad);
      return false;
    }

  /* The number of bytes to write is "exact" if DSTWRITE is non-null,
     constant, and in range of unsigned HOST_WIDE_INT.  */
  bool exactwrite = dstwrite && tree_fits_uhwi_p (dstwrite);

  /* Next check the number of bytes to be written against the destination
     object size.  Skipped only when DSTWRITE is an exact constant other
     than all-ones and no RANGE was derived for it.  */
  if (range[0] || !exactwrite || integer_all_onesp (dstwrite))
    {
      /* Overflow if the lower bound of the write exceeds either the
	 destination size or the (constant) DSTWRITE itself.  */
      if (range[0]
	  && TREE_CODE (range[0]) == INTEGER_CST
	  && ((tree_fits_uhwi_p (dstsize)
	       && tree_int_cst_lt (dstsize, range[0]))
	      || (dstwrite
		  && tree_fits_uhwi_p (dstwrite)
		  && tree_int_cst_lt (dstwrite, range[0]))))
	{
	  const opt_code opt = OPT_Wstringop_overflow_;
	  if (warning_suppressed_p (exp, opt)
	      || (pad && pad->dst.ref
		  && warning_suppressed_p (pad->dst.ref, opt)))
	    return false;

	  location_t loc = get_location (exp);
	  bool warned = false;
	  if (dstwrite == slen && at_least_one)
	    {
	      /* This is a call to strcpy with a destination of 0 size
		 and a source of unknown length.  The call will write
		 at least one byte past the end of the destination.  */
	      warned = (func
			? warning_at (loc, opt,
				      "%qD writing %E or more bytes into "
				      "a region of size %E overflows "
				      "the destination",
				      func, range[0], dstsize)
			: warning_at (loc, opt,
				      "writing %E or more bytes into "
				      "a region of size %E overflows "
				      "the destination",
				      range[0], dstsize));
	    }
	  else
	    {
	      const bool read
		= mode == access_read_only || mode == access_read_write;
	      const bool write
		= mode == access_write_only || mode == access_read_write;
	      const bool maybe = pad && pad->dst.parmarray;
	      /* For a built-in the destination is not also reported as
		 being read (see BUILTIN above).  */
	      warned = warn_for_access (loc, func, exp,
					OPT_Wstringop_overflow_,
					range, dstsize,
					write, read && !builtin, maybe);
	    }

	  if (warned)
	    {
	      suppress_warning (exp, OPT_Wstringop_overflow_);
	      if (pad)
		pad->dst.inform_access (pad->mode);
	    }

	  /* Return error when an overflow has been detected.  */
	  return false;
	}
    }

  /* Check the maximum length of the source sequence against the size
     of the destination object if known, or against the maximum size
     of an object.  */
  if (maxread)
    {
      /* Set RANGE to that of MAXREAD, bounded by PAD->SRC_BNDRNG if
	 PAD is nonnull and BNDRNG is valid.  */
      get_size_range (rvals, maxread, stmt, range, pad ? pad->src_bndrng : NULL);

      location_t loc = get_location (exp);
      /* For a read-only access the relevant limit is what remains of the
	 source object rather than the destination size.  */
      tree size = dstsize;
      if (pad && pad->mode == access_read_only)
	size = wide_int_to_tree (sizetype, pad->src.size_remaining ());

      if (range[0] && maxread && tree_fits_uhwi_p (size))
	{
	  if (tree_int_cst_lt (maxobjsize, range[0]))
	    {
	      maybe_warn_for_bound (OPT_Wstringop_overread, loc, exp, func,
				    range, size, pad);
	      return false;
	    }

	  /* Skip the comparison when SIZE is still the MAXOBJSIZE default.  */
	  if (size != maxobjsize && tree_int_cst_lt (size, range[0]))
	    {
	      opt_code opt = (dstwrite || mode != access_read_only
			      ? OPT_Wstringop_overflow_
			      : OPT_Wstringop_overread);
	      maybe_warn_for_bound (opt, loc, exp, func, range, size, pad);
	      return false;
	    }
	}

      maybe_warn_nonstring_arg (func, exp);
    }

  /* Check for reading past the end of SRC.  Only the integer form of
     SRCSTR (SLEN == SRCSTR) carries a known source size here.  */
  bool overread = (slen
		   && slen == srcstr
		   && dstwrite
		   && range[0]
		   && TREE_CODE (slen) == INTEGER_CST
		   && tree_int_cst_lt (slen, range[0]));
  /* If none is determined try to get a better answer based on the details
     in PAD.  */
  if (!overread
      && pad
      && pad->src.sizrng[1] >= 0
      && pad->src.offrng[0] >= 0
      && (pad->src.offrng[1] < 0
	  || pad->src.offrng[0] <= pad->src.offrng[1]))
    {
      /* Set RANGE to that of MAXREAD, bounded by PAD->SRC_BNDRNG if
	 PAD is nonnull and BNDRNG is valid.  */
      get_size_range (rvals, maxread, stmt, range, pad ? pad->src_bndrng : NULL);
      /* Set OVERREAD for reads starting just past the end of an object.  */
      overread = pad->src.sizrng[1] - pad->src.offrng[0] < pad->src_bndrng[0];
      range[0] = wide_int_to_tree (sizetype, pad->src_bndrng[0]);
      /* Nothing of the source remains to be read in this case.  */
      slen = size_zero_node;
    }

  if (overread)
    {
      const opt_code opt = OPT_Wstringop_overread;
      if (warning_suppressed_p (exp, opt)
	  || (srcstr && warning_suppressed_p (srcstr, opt))
	  || (pad && pad->src.ref
	      && warning_suppressed_p (pad->src.ref, opt)))
	return false;

      location_t loc = get_location (exp);
      const bool read
	= mode == access_read_only || mode == access_read_write;
      const bool maybe = pad && pad->dst.parmarray;
      if (warn_for_access (loc, func, exp, opt, range, slen, false, read,
			   maybe))
	{
	  suppress_warning (exp, opt);
	  if (pad)
	    pad->src.inform_access (access_read_only);
	}
      return false;
    }

  return true;
}
1519
/* Entry point for a GIMPLE call STMT: instantiates check_access for
   gimple * and hands every argument through unchanged.  */

static bool
check_access (gimple *stmt, tree dstwrite,
	      tree maxread, tree srcstr, tree dstsize,
	      access_mode mode, const access_data *pad,
	      range_query *rvals)
{
  const bool ok = check_access<gimple *> (stmt, dstwrite, maxread, srcstr,
					   dstsize, mode, pad, rvals);
  return ok;
}
1529
/* Entry point for a call expression EXPR: instantiates check_access for
   tree.  No range query is available at this level, so none is passed
   on.  */

bool
check_access (tree expr, tree dstwrite,
	      tree maxread, tree srcstr, tree dstsize,
	      access_mode mode, const access_data *pad /* = NULL */)
{
  range_query *const no_rvals = nullptr;
  const bool ok = check_access<tree> (expr, dstwrite, maxread, srcstr,
				      dstsize, mode, pad, no_rvals);
  return ok;
}
1538
/* Return true if FNDECL is an allocation function.  Unless
   ALL_ALLOC is set, consider only functions that return dynamically
   allocated objects.  Otherwise return true even for all forms of
   alloca (including VLA).  */
1543
static bool
fndecl_alloc_p (tree fndecl, bool all_alloc)
{
  if (!fndecl)
    return false;

  /* operator new is not a built-in, so recognize it up front.  */
  if (DECL_IS_OPERATOR_NEW_P (fndecl))
    return true;

  if (fndecl_built_in_p (fndecl, BUILT_IN_NORMAL))
    switch (DECL_FUNCTION_CODE (fndecl))
      {
      case BUILT_IN_ALLOCA:
      case BUILT_IN_ALLOCA_WITH_ALIGN:
	/* Stack allocation only counts when the caller asks for it.  */
	return all_alloc;

      case BUILT_IN_ALIGNED_ALLOC:
      case BUILT_IN_CALLOC:
      case BUILT_IN_GOMP_ALLOC:
      case BUILT_IN_MALLOC:
      case BUILT_IN_REALLOC:
      case BUILT_IN_STRDUP:
      case BUILT_IN_STRNDUP:
	return true;

      default:
	break;
      }

  /* Anything else is an allocation function only if it carries attribute
     malloc with an argument naming its deallocator.  */
  tree attrs = DECL_ATTRIBUTES (fndecl);
  if (!attrs)
    return false;

  tree allocs = lookup_attribute ("malloc", attrs);
  while (allocs)
    {
      tree args = TREE_VALUE (allocs);
      if (args && TREE_VALUE (args))
	return true;
      allocs = lookup_attribute ("malloc", TREE_CHAIN (allocs));
    }

  return false;
}
1595
1596/* Return true if STMT is a call to an allocation function. A wrapper
1597 around fndecl_alloc_p. */
1598
static bool
gimple_call_alloc_p (gimple *stmt, bool all_alloc = false)
{
  /* Resolve the callee and defer to the decl-based predicate.  */
  tree callee = gimple_call_fndecl (stmt);
  return fndecl_alloc_p (callee, all_alloc);
}
1604
1605/* Return true if DELC doesn't refer to an operator delete that's
1606 suitable to call with a pointer returned from the operator new
1607 described by NEWC. */
1608
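static bool
new_delete_mismatch_p (const demangle_component &newc,
		       const demangle_component &delc)
{
  /* Components of different kinds never match.  */
  if (newc.type != delc.type)
    return true;

  switch (newc.type)
    {
    case DEMANGLE_COMPONENT_NAME:
      {
	int len = newc.u.s_name.len;
	const char *news = newc.u.s_name.s;
	const char *dels = delc.u.s_name.s;
	if (len != delc.u.s_name.len || memcmp (news, dels, len))
	  return true;

	/* The names are equal.  NEWS and DELS point into the mangled
	   strings, so the operator encoding that follows a class name
	   (nw/na for new/new[], dl/da for delete/delete[]) is what tells
	   the array form of the pair apart.  */
	if (news[len] == 'n')
	  {
	    if (news[len + 1] == 'a')
	      return dels[len] != 'd' || dels[len + 1] != 'a';
	    if (news[len + 1] == 'w')
	      return dels[len] != 'd' || dels[len + 1] != 'l';
	  }
	return false;
      }

    case DEMANGLE_COMPONENT_OPERATOR:
      /* Operator mismatches are handled above.  */
      return false;

    case DEMANGLE_COMPONENT_EXTENDED_OPERATOR:
      if (newc.u.s_extended_operator.args != delc.u.s_extended_operator.args)
	return true;
      return new_delete_mismatch_p (*newc.u.s_extended_operator.name,
				    *delc.u.s_extended_operator.name);

    case DEMANGLE_COMPONENT_FIXED_TYPE:
      if (newc.u.s_fixed.accum != delc.u.s_fixed.accum
	  || newc.u.s_fixed.sat != delc.u.s_fixed.sat)
	return true;
      return new_delete_mismatch_p (*newc.u.s_fixed.length,
				    *delc.u.s_fixed.length);

    case DEMANGLE_COMPONENT_CTOR:
      if (newc.u.s_ctor.kind != delc.u.s_ctor.kind)
	return true;
      return new_delete_mismatch_p (*newc.u.s_ctor.name,
				    *delc.u.s_ctor.name);

    case DEMANGLE_COMPONENT_DTOR:
      if (newc.u.s_dtor.kind != delc.u.s_dtor.kind)
	return true;
      return new_delete_mismatch_p (*newc.u.s_dtor.name,
				    *delc.u.s_dtor.name);

    case DEMANGLE_COMPONENT_BUILTIN_TYPE:
      {
	/* The demangler API provides no better way to compare built-in
	   types except to by comparing their demangled names.  */
	size_t nsz, dsz;
	demangle_component *pnc = const_cast<demangle_component *>(&newc);
	demangle_component *pdc = const_cast<demangle_component *>(&delc);
	char *nts = cplus_demangle_print (0, pnc, 16, &nsz);
	char *dts = cplus_demangle_print (0, pdc, 16, &dsz);
	if (!nts || !dts)
	  {
	    /* Printing failed for at least one of the two.  Release
	       whichever string was produced (previously it leaked) and
	       report a mismatch only when exactly one side printed; with
	       neither string there is nothing to compare, so don't claim
	       a mismatch (previously this reached strcmp with null
	       pointers).  */
	    const bool mismatch = !nts != !dts;
	    free (nts);
	    free (dts);
	    return mismatch;
	  }
	bool mismatch = strcmp (nts, dts);
	free (nts);
	free (dts);
	return mismatch;
      }

    case DEMANGLE_COMPONENT_SUB_STD:
      if (newc.u.s_string.len != delc.u.s_string.len)
	return true;
      return memcmp (newc.u.s_string.string, delc.u.s_string.string,
		     newc.u.s_string.len);

    case DEMANGLE_COMPONENT_FUNCTION_PARAM:
    case DEMANGLE_COMPONENT_TEMPLATE_PARAM:
      return newc.u.s_number.number != delc.u.s_number.number;

    case DEMANGLE_COMPONENT_CHARACTER:
      return newc.u.s_character.character != delc.u.s_character.character;

    case DEMANGLE_COMPONENT_DEFAULT_ARG:
    case DEMANGLE_COMPONENT_LAMBDA:
      if (newc.u.s_unary_num.num != delc.u.s_unary_num.num)
	return true;
      return new_delete_mismatch_p (*newc.u.s_unary_num.sub,
				    *delc.u.s_unary_num.sub);
    default:
      break;
    }

  /* Every remaining kind is treated as a binary node: compare the left
     and right subtrees recursively, a subtree present on only one side
     being a mismatch.  */
  if (!newc.u.s_binary.left != !delc.u.s_binary.left)
    return true;

  if (!newc.u.s_binary.left)
    return false;

  if (new_delete_mismatch_p (*newc.u.s_binary.left, *delc.u.s_binary.left)
      || !newc.u.s_binary.right != !delc.u.s_binary.right)
    return true;

  if (newc.u.s_binary.right)
    return new_delete_mismatch_p (*newc.u.s_binary.right,
				  *delc.u.s_binary.right);
  return false;
}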
1720
/* Return true if DELETE_DECL is an operator delete that's not suitable
   to call with a pointer returned from NEW_DECL.  */
1723
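static bool
new_delete_mismatch_p (tree new_decl, tree delete_decl)
{
  tree new_name = DECL_ASSEMBLER_NAME (new_decl);
  tree delete_name = DECL_ASSEMBLER_NAME (delete_decl);

  /* valid_new_delete_pair_p() returns a conservative result (currently
     it only handles global operators).  A true result is reliable but
     a false result doesn't necessarily mean the operators don't match
     unless CERTAIN is set.  Initialized so a callee that leaves it
     untouched reads as "not certain".  */
  bool certain = false;
  if (valid_new_delete_pair_p (new_name, delete_name, &certain))
    return false;
  /* CERTAIN is set when the negative result is certain.  */
  if (certain)
    return true;

  /* For anything not handled by valid_new_delete_pair_p() such as member
     operators compare the individual demangled components of the mangled
     name.  */
  const char *new_str = IDENTIFIER_POINTER (new_name);
  const char *del_str = IDENTIFIER_POINTER (delete_name);

  void *np = NULL, *dp = NULL;
  demangle_component *ndc = cplus_demangle_v3_components (new_str, 0, &np);
  demangle_component *ddc = cplus_demangle_v3_components (del_str, 0, &dp);

  /* The demangler returns null when it cannot produce a component tree
     (e.g. on allocation failure).  Without both trees there is nothing to
     compare, so don't claim a mismatch rather than dereference null.
     NP and DP start out null, so the frees below are safe either way.  */
  bool mismatch = false;
  if (ndc && ddc)
    mismatch = new_delete_mismatch_p (*ndc, *ddc);
  free (np);
  free (dp);
  return mismatch;
}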
1755
1756/* ALLOC_DECL and DEALLOC_DECL are pair of allocation and deallocation
1757 functions. Return true if the latter is suitable to deallocate objects
1758 allocated by calls to the former. */
1759
static bool
matching_alloc_calls_p (tree alloc_decl, tree dealloc_decl)
{
  /* Set to alloc_kind_t::builtin if ALLOC_DECL is associated with
     a built-in deallocator.  */
  enum class alloc_kind_t { none, builtin, user }
  alloc_dealloc_kind = alloc_kind_t::none;

  if (DECL_IS_OPERATOR_NEW_P (alloc_decl))
    {
      if (DECL_IS_OPERATOR_DELETE_P (dealloc_decl))
	/* Return true iff both functions are of the same array or
	   singleton form and false otherwise.  */
	return !new_delete_mismatch_p (alloc_decl, dealloc_decl);

      /* Return false for deallocation functions that are known not
	 to match.  */
      if (fndecl_built_in_p (dealloc_decl, BUILT_IN_FREE)
	  || fndecl_built_in_p (dealloc_decl, BUILT_IN_REALLOC))
	return false;
      /* Otherwise proceed below to check the deallocation function's
	 "*dealloc" attributes to look for one that mentions this operator
	 new.  */
    }
  else if (fndecl_built_in_p (alloc_decl, BUILT_IN_NORMAL))
    {
      switch (DECL_FUNCTION_CODE (alloc_decl))
	{
	case BUILT_IN_ALLOCA:
	case BUILT_IN_ALLOCA_WITH_ALIGN:
	  /* Stack memory is never a valid argument to a deallocator.  */
	  return false;

	case BUILT_IN_ALIGNED_ALLOC:
	case BUILT_IN_CALLOC:
	case BUILT_IN_GOMP_ALLOC:
	case BUILT_IN_MALLOC:
	case BUILT_IN_REALLOC:
	case BUILT_IN_STRDUP:
	case BUILT_IN_STRNDUP:
	  /* Heap built-ins pair with free/realloc, never with delete.  */
	  if (DECL_IS_OPERATOR_DELETE_P (dealloc_decl))
	    return false;

	  if (fndecl_built_in_p (dealloc_decl, BUILT_IN_FREE)
	      || fndecl_built_in_p (dealloc_decl, BUILT_IN_REALLOC))
	    return true;

	  alloc_dealloc_kind = alloc_kind_t::builtin;
	  break;

	default:
	  break;
	}
    }

  /* Set if DEALLOC_DECL both allocates and deallocates.  */
  alloc_kind_t realloc_kind = alloc_kind_t::none;

  if (fndecl_built_in_p (dealloc_decl, BUILT_IN_NORMAL))
    {
      built_in_function dealloc_code = DECL_FUNCTION_CODE (dealloc_decl);
      if (dealloc_code == BUILT_IN_REALLOC)
	realloc_kind = alloc_kind_t::builtin;

      /* A built-in DEALLOC_DECL matches if ALLOC_DECL's attribute malloc
	 names a built-in with the same function code.  */
      for (tree amats = DECL_ATTRIBUTES (alloc_decl);
	   (amats = lookup_attribute ("malloc", amats));
	   amats = TREE_CHAIN (amats))
	{
	  tree args = TREE_VALUE (amats);
	  if (!args)
	    continue;

	  tree fndecl = TREE_VALUE (args);
	  if (!fndecl || !DECL_P (fndecl))
	    continue;

	  if (fndecl_built_in_p (fndecl, BUILT_IN_NORMAL)
	      && dealloc_code == DECL_FUNCTION_CODE (fndecl))
	    return true;
	}
    }

  const bool alloc_builtin = fndecl_built_in_p (alloc_decl, BUILT_IN_NORMAL);
  alloc_kind_t realloc_dealloc_kind = alloc_kind_t::none;

  /* If DEALLOC_DECL has an internal "*dealloc" attribute scan the list
     of its associated allocation functions for ALLOC_DECL.
     If the corresponding ALLOC_DECL is found they're a matching pair,
     otherwise they're not.
     With DDATS set to the Deallocator's *Dealloc ATtributes...  */
  for (tree ddats = DECL_ATTRIBUTES (dealloc_decl);
       (ddats = lookup_attribute ("*dealloc", ddats));
       ddats = TREE_CHAIN (ddats))
    {
      tree args = TREE_VALUE (ddats);
      if (!args)
	continue;

      /* ALLOC is either a built-in decl or an identifier naming
	 a user-defined allocator.  */
      tree alloc = TREE_VALUE (args);
      if (!alloc)
	continue;

      /* A deallocator listed as its own allocator is a user reallocator.  */
      if (alloc == DECL_NAME (dealloc_decl))
	realloc_kind = alloc_kind_t::user;

      if (DECL_P (alloc))
	{
	  gcc_checking_assert (fndecl_built_in_p (alloc, BUILT_IN_NORMAL));

	  switch (DECL_FUNCTION_CODE (alloc))
	    {
	    case BUILT_IN_ALIGNED_ALLOC:
	    case BUILT_IN_CALLOC:
	    case BUILT_IN_GOMP_ALLOC:
	    case BUILT_IN_MALLOC:
	    case BUILT_IN_REALLOC:
	    case BUILT_IN_STRDUP:
	    case BUILT_IN_STRNDUP:
	      realloc_dealloc_kind = alloc_kind_t::builtin;
	      break;
	    default:
	      break;
	    }

	  if (!alloc_builtin)
	    continue;

	  if (DECL_FUNCTION_CODE (alloc) != DECL_FUNCTION_CODE (alloc_decl))
	    continue;

	  return true;
	}

      /* Identifier case: match the user-defined allocator by name.  */
      if (alloc == DECL_NAME (alloc_decl))
	return true;
    }

  /* Only a reallocator can still match via a shared deallocator below.  */
  if (realloc_kind == alloc_kind_t::none)
    return false;

  hash_set<tree> common_deallocs;
  /* Special handling for deallocators.  Iterate over both the allocator's
     and the reallocator's associated deallocator functions looking for
     the first one in common.  If one is found, the de/reallocator is
     a match for the allocator even though the latter isn't directly
     associated with the former.  This simplifies declarations in system
     headers.
     With AMATS set to the Allocator's Malloc ATtributes,
     and RMATS set to Reallocator's Malloc ATtributes...
     NOTE(review): because of the short-circuit in the loop condition,
     RMATS is only advanced to the next "malloc" attribute once AMATS is
     exhausted; in earlier iterations it may still point at whatever
     attribute TREE_CHAIN left it on.  Confirm that is intended.  */
  for (tree amats = DECL_ATTRIBUTES (alloc_decl),
	 rmats = DECL_ATTRIBUTES (dealloc_decl);
       (amats = lookup_attribute ("malloc", amats))
       || (rmats = lookup_attribute ("malloc", rmats));
       amats = amats ? TREE_CHAIN (amats) : NULL_TREE,
       rmats = rmats ? TREE_CHAIN (rmats) : NULL_TREE)
    {
      if (tree args = amats ? TREE_VALUE (amats) : NULL_TREE)
	if (tree adealloc = TREE_VALUE (args))
	  {
	    if (DECL_P (adealloc)
		&& fndecl_built_in_p (adealloc, BUILT_IN_NORMAL))
	      {
		built_in_function fncode = DECL_FUNCTION_CODE (adealloc);
		if (fncode == BUILT_IN_FREE || fncode == BUILT_IN_REALLOC)
		  {
		    if (realloc_kind == alloc_kind_t::builtin)
		      return true;
		    alloc_dealloc_kind = alloc_kind_t::builtin;
		  }
		continue;
	      }

	    common_deallocs.add (adealloc);
	  }

      if (tree args = rmats ? TREE_VALUE (rmats) : NULL_TREE)
	if (tree ddealloc = TREE_VALUE (args))
	  {
	    if (DECL_P (ddealloc)
		&& fndecl_built_in_p (ddealloc, BUILT_IN_NORMAL))
	      {
		built_in_function fncode = DECL_FUNCTION_CODE (ddealloc);
		if (fncode == BUILT_IN_FREE || fncode == BUILT_IN_REALLOC)
		  {
		    if (alloc_dealloc_kind == alloc_kind_t::builtin)
		      return true;
		    realloc_dealloc_kind = alloc_kind_t::builtin;
		  }
		continue;
	      }

	    /* hash_set::add returns true when the element was already
	       present, i.e. the allocator listed the same deallocator.  */
	    if (common_deallocs.add (ddealloc))
	      return true;
	  }
    }

  /* Succeed only if ALLOC_DECL and the reallocator DEALLOC_DECL share
     a built-in deallocator.  */
  return (alloc_dealloc_kind == alloc_kind_t::builtin
	  && realloc_dealloc_kind == alloc_kind_t::builtin);
}
1960
/* Return true if DEALLOC_DECL is a function suitable to deallocate
   objects allocated by the ALLOC call.  */
1963
static bool
matching_alloc_calls_p (gimple *alloc, tree dealloc_decl)
{
  /* A call whose callee is unknown cannot be checked: treat it as
     matching.  Otherwise defer to the decl-based overload.  */
  if (tree alloc_decl = gimple_call_fndecl (alloc))
    return matching_alloc_calls_p (alloc_decl, dealloc_decl);
  return true;
}
1973
/* Diagnose a call CALL to deallocate a pointer referenced by AREF if it
   includes a nonzero offset.  Such a pointer cannot refer to the beginning
   of an allocated object.  A negative offset may refer to it only if
   the target pointer is unknown.  */
1978
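static bool
warn_dealloc_offset (location_t loc, gimple *call, const access_ref &aref)
{
  /* Only a pointer whose offset is known to be positive at both ends is
     diagnosed; a dereferenced reference or a range that may include
     zero (or a negative offset) is left alone.  */
  if (aref.deref || aref.offrng[0] <= 0 || aref.offrng[1] <= 0)
    return false;

  tree dealloc_decl = gimple_call_fndecl (call);
  if (!dealloc_decl)
    return false;

  if (DECL_IS_OPERATOR_DELETE_P (dealloc_decl)
      && !DECL_IS_REPLACEABLE_OPERATOR (dealloc_decl))
    {
      /* A call to a user-defined operator delete with a pointer plus offset
	 may be valid if it's returned from an unknown function (i.e., one
	 that's not operator new).  */
      if (TREE_CODE (aref.ref) == SSA_NAME)
	{
	  gimple *def_stmt = SSA_NAME_DEF_STMT (aref.ref);
	  if (is_gimple_call (def_stmt))
	    {
	      tree alloc_decl = gimple_call_fndecl (def_stmt);
	      if (!alloc_decl || !DECL_IS_OPERATOR_NEW_P (alloc_decl))
		return false;
	    }
	}
    }

  /* Format the offset, or the offset range, for the diagnostic.  Two
     decimal long long values plus decoration fit well within OFFSTR;
     snprintf keeps the write bounded regardless.  OFFSTR stays empty
     when the lower bound doesn't fit in a signed HOST_WIDE_INT.  */
  char offstr[80];
  offstr[0] = '\0';
  if (wi::fits_shwi_p (aref.offrng[0]))
    {
      if (aref.offrng[0] == aref.offrng[1]
	  || !wi::fits_shwi_p (aref.offrng[1]))
	snprintf (offstr, sizeof offstr, " %lli",
		  (long long)aref.offrng[0].to_shwi ());
      else
	snprintf (offstr, sizeof offstr, " [%lli, %lli]",
		  (long long)aref.offrng[0].to_shwi (),
		  (long long)aref.offrng[1].to_shwi ());
    }

  if (!warning_at (loc, OPT_Wfree_nonheap_object,
		   "%qD called on pointer %qE with nonzero offset%s",
		   dealloc_decl, aref.ref, offstr))
    return false;

  /* The warning was issued: point at where the pointer came from.  */
  if (DECL_P (aref.ref))
    inform (get_location (aref.ref), "declared here");
  else if (TREE_CODE (aref.ref) == SSA_NAME)
    {
      gimple *def_stmt = SSA_NAME_DEF_STMT (aref.ref);
      if (is_gimple_call (def_stmt))
	{
	  location_t def_loc = get_location (def_stmt);
	  tree alloc_decl = gimple_call_fndecl (def_stmt);
	  if (alloc_decl)
	    inform (def_loc,
		    "returned from %qD", alloc_decl);
	  else if (tree alloc_fntype = gimple_call_fntype (def_stmt))
	    inform (def_loc,
		    "returned from %qT", alloc_fntype);
	  else
	    inform (def_loc, "obtained here");
	}
    }

  return true;
}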
2049namespace {
/* Descriptor for the access-checking pass: a GIMPLE pass that requires
   the CFG and neither provides nor destroys any properties.  */
const pass_data pass_data_waccess = {
  GIMPLE_PASS,		/* type */
  "waccess",		/* name */
  OPTGROUP_NONE,	/* optinfo_flags */
  TV_NONE,		/* tv_id */
  PROP_cfg, /* properties_required */
  0,	    /* properties_provided */
  0,	    /* properties_destroyed */
  0,	    /* todo_flags_start */
  0,	    /* todo_flags_finish */
};
/* Pass to detect invalid accesses, including invalid or mismatched
   allocation/deallocation calls, excessive allocation sizes, string
   function overflow/overread, and invalid atomic memory models.  */
class pass_waccess : public gimple_opt_pass
{
 public:
  pass_waccess (gcc::context *);

  ~pass_waccess ();

  /* Create a copy of the pass sharing the same context.  */
  opt_pass *clone () { return new pass_waccess (m_ctxt); }

  /* Return true when any of the checks the pass performs is enabled.  */
  virtual bool gate (function *);
  /* Run the checks over every basic block of the function.  */
  virtual unsigned int execute (function *);

private:
  /* Not copyable or assignable.  */
  pass_waccess (pass_waccess &) = delete;
  void operator= (pass_waccess &) = delete;

  /* Check a call to an atomic built-in function.  */
  bool check_atomic_builtin (gcall *);

  /* Check a call to a built-in function.  */
  bool check_builtin (gcall *);

  /* Check a call to an ordinary function.  */
  bool check_call (gcall *);

  /* Check statements in a basic block.  */
  void check (basic_block);

  /* Check a call to a function.  */
  void check (gcall *);

  /* Check a call to the named built-in function.  */
  void check_alloca (gcall *);
  void check_alloc_size_call (gcall *);
  void check_strcat (gcall *);
  void check_strncat (gcall *);
  void check_stxcpy (gcall *);
  void check_stxncpy (gcall *);
  void check_strncmp (gcall *);
  void check_memop_access (gimple *, tree, tree, tree);
  void check_read_access (gimple *, tree, tree = NULL_TREE, int = 1);

  /* Check a call to a deallocation function, and the sizes of accesses
     described by attribute access entries in the RDWR_MAP.  */
  void maybe_check_dealloc_call (gcall *);
  void maybe_check_access_sizes (rdwr_map *, tree, tree, gimple *);
  /* Warn for an invalid memory model argument (or pair of success and
     failure arguments) to an atomic call; the bool result is true when
     a warning was issued.  The second is a wrapper that also handles
     warning suppression for the statement.  */
  bool maybe_warn_memmodel (gimple *, tree, tree, const unsigned char *);
  void check_atomic_memmodel (gimple *, tree, tree, const unsigned char *);

  /* A pointer_query object and its cache to store information about
     pointers and their targets in.  M_VAR_CACHE must be declared after
     M_PTR_QRY because the constructor hands its address to the query.  */
  pointer_query m_ptr_qry;
  pointer_query::cache_type m_var_cache;
};
/* Construct the pass.  M_PTR_QRY is given the address of M_VAR_CACHE,
   a member that is constructed after it; only the address is taken here,
   which is fine as long as pointer_query's constructor doesn't use the
   cache (NOTE(review): confirm against pointer_query).  */

pass_waccess::pass_waccess (gcc::context *ctxt)
  : gimple_opt_pass (pass_data_waccess, ctxt),
    m_ptr_qry (NULL, &m_var_cache),
    m_var_cache ()
{
}
/* Release the pointer_query cache.  The cache object itself is a member
   and is destroyed after this body runs.  */

pass_waccess::~pass_waccess ()
{
  m_ptr_qry.flush_cache ();
}
/* Return true when any checks performed by the pass are enabled.
   The function argument is unused.  NOTE(review): only the three
   allocation-related options are consulted here although the pass
   also implements string and memory-model checks; confirm that this
   is intended.  */

bool
pass_waccess::gate (function *)
{
  if (warn_free_nonheap_object)
    return true;
  if (warn_mismatched_alloc)
    return true;
  return warn_mismatched_new_delete != 0;
}
/* Return the maximum object size as a size_t constant: the value of
   -Walloc-size-larger-than= if the option is specified, or PTRDIFF_MAX
   if it is not.  */

static tree
alloc_max_size (void)
{
  /* HOST_WIDE_INT_MAX is the option's default and means "unset".  */
  const bool limit_set = warn_alloc_size_limit != HOST_WIDE_INT_MAX;
  const HOST_WIDE_INT limit
    = (limit_set
       ? warn_alloc_size_limit
       : tree_to_shwi (TYPE_MAX_VALUE (ptrdiff_type_node)));

  return build_int_cst (size_type_node, limit);
}
/* Diagnose a call STMT to a function decorated with attribute alloc_size
   whose argument numbers given by IDX with values given by ARGS exceed
   the maximum object size or cause an unsigned overflow (wrapping) when
   multiplied.  The callee FN (derived from STMT) is null when STMT is
   a call via a function pointer.  When ARGS[0] is null the function does
   nothing.  ARGS[1] may be null for functions like malloc, and non-null
   for those like calloc that are decorated with a two-argument attribute
   alloc_size.  IDX holds zero-based argument positions; the diagnostics
   print them one-based.  */

void
maybe_warn_alloc_args_overflow (gimple *stmt, const tree args[2],
				const int idx[2])
{
  /* The range each of the (up to) two arguments is known to be in.  */
  tree argrange[2][2] = { { NULL_TREE, NULL_TREE }, { NULL_TREE, NULL_TREE } };

  /* Maximum object size set by -Walloc-size-larger-than= or SIZE_MAX / 2.  */
  tree maxobjsize = alloc_max_size ();

  location_t loc = get_location (stmt);

  tree fn = gimple_call_fndecl (stmt);
  tree fntype = fn ? TREE_TYPE (fn) : gimple_call_fntype (stmt);
  bool warned = false;

  /* Validate each argument individually.  The loop stops at the first
     null argument, so a null ARGS[0] leaves ARGRANGE empty.  */
  for (unsigned i = 0; i != 2 && args[i]; ++i)
    {
      if (TREE_CODE (args[i]) == INTEGER_CST)
	{
	  argrange[i][0] = args[i];
	  argrange[i][1] = args[i];

	  if (tree_int_cst_lt (args[i], integer_zero_node))
	    {
	      warned = warning_at (loc, OPT_Walloc_size_larger_than_,
				   "argument %i value %qE is negative",
				   idx[i] + 1, args[i]);
	    }
	  else if (integer_zerop (args[i]))
	    {
	      /* Avoid issuing -Walloc-zero for allocation functions other
		 than __builtin_alloca that are declared with attribute
		 returns_nonnull because there's no portability risk.  This
		 avoids warning for such calls to libiberty's xmalloc and
		 friends.
		 Also avoid issuing the warning for calls to function named
		 "alloca" (the six-character name tested below).  */
	      if (fn && fndecl_built_in_p (fn, BUILT_IN_ALLOCA)
		  ? IDENTIFIER_LENGTH (DECL_NAME (fn)) != 6
		  : !lookup_attribute ("returns_nonnull",
				       TYPE_ATTRIBUTES (fntype)))
		warned = warning_at (loc, OPT_Walloc_zero,
				     "argument %i value is zero",
				     idx[i] + 1);
	    }
	  else if (tree_int_cst_lt (maxobjsize, args[i]))
	    {
	      /* G++ emits calls to ::operator new[](SIZE_MAX) in C++98
		 mode and with -fno-exceptions as a way to indicate array
		 size overflow.  There's no good way to detect C++98 here
		 so avoid diagnosing these calls for all C++ modes.  */
	      if (i == 0
		  && fn
		  && !args[1]
		  && lang_GNU_CXX ()
		  && DECL_IS_OPERATOR_NEW_P (fn)
		  && integer_all_onesp (args[i]))
		continue;

	      warned = warning_at (loc, OPT_Walloc_size_larger_than_,
				   "argument %i value %qE exceeds "
				   "maximum object size %E",
				   idx[i] + 1, args[i], maxobjsize);
	    }
	}
      else if (TREE_CODE (args[i]) == SSA_NAME
	       && get_size_range (args[i], argrange[i]))
	{
	  /* Verify that the argument's range is not negative (including
	     upper bound of zero).  */
	  if (tree_int_cst_lt (argrange[i][0], integer_zero_node)
	      && tree_int_cst_le (argrange[i][1], integer_zero_node))
	    {
	      warned = warning_at (loc, OPT_Walloc_size_larger_than_,
				   "argument %i range [%E, %E] is negative",
				   idx[i] + 1,
				   argrange[i][0], argrange[i][1]);
	    }
	  else if (tree_int_cst_lt (maxobjsize, argrange[i][0]))
	    {
	      warned = warning_at (loc, OPT_Walloc_size_larger_than_,
				   "argument %i range [%E, %E] exceeds "
				   "maximum object size %E",
				   idx[i] + 1,
				   argrange[i][0], argrange[i][1],
				   maxobjsize);
	    }
	}
    }

  /* Nothing known about the first argument: no product to check and
     no note to print.  */
  if (!argrange[0][0])
    return;

  /* For a two-argument alloc_size, validate the product of the two
     arguments if both of their values or ranges are known.  A factor
     of one cannot contribute to an overflow so it is skipped.  */
  if (!warned && tree_fits_uhwi_p (argrange[0][0])
      && argrange[1][0] && tree_fits_uhwi_p (argrange[1][0])
      && !integer_onep (argrange[0][0])
      && !integer_onep (argrange[1][0]))
    {
      /* Check for overflow in the product of a function decorated with
	 attribute alloc_size (X, Y).  The lower bounds are multiplied
	 in size_t precision.  */
      unsigned szprec = TYPE_PRECISION (size_type_node);
      wide_int x = wi::to_wide (argrange[0][0], szprec);
      wide_int y = wi::to_wide (argrange[1][0], szprec);

      wi::overflow_type vflow;
      wide_int prod = wi::umul (x, y, &vflow);

      if (vflow)
	warned = warning_at (loc, OPT_Walloc_size_larger_than_,
			     "product %<%E * %E%> of arguments %i and %i "
			     "exceeds %<SIZE_MAX%>",
			     argrange[0][0], argrange[1][0],
			     idx[0] + 1, idx[1] + 1);
      else if (wi::ltu_p (wi::to_wide (maxobjsize, szprec), prod))
	warned = warning_at (loc, OPT_Walloc_size_larger_than_,
			     "product %<%E * %E%> of arguments %i and %i "
			     "exceeds maximum object size %E",
			     argrange[0][0], argrange[1][0],
			     idx[0] + 1, idx[1] + 1,
			     maxobjsize);

      if (warned)
	{
	  /* Print the full range of each of the two arguments to make
	     it clear when it is, in fact, in a range and not constant.  */
	  if (argrange[0][0] != argrange [0][1])
	    inform (loc, "argument %i in the range [%E, %E]",
		    idx[0] + 1, argrange[0][0], argrange[0][1]);
	  if (argrange[1][0] != argrange [1][1])
	    inform (loc, "argument %i in the range [%E, %E]",
		    idx[1] + 1, argrange[1][0], argrange[1][1]);
	}
    }

  /* Point at the called function when it's known.  Built-ins have no
     user-visible declaration so the note goes on the call instead.  */
  if (warned && fn)
    {
      location_t fnloc = DECL_SOURCE_LOCATION (fn);

      if (DECL_IS_UNDECLARED_BUILTIN (fn))
	inform (loc,
		"in a call to built-in allocation function %qD", fn);
      else
	inform (fnloc,
		"in a call to allocation function %qD declared here", fn);
    }
}
/* Check a call STMT to an alloca function for an excessive size.  */

void
pass_waccess::check_alloca (gcall *stmt)
{
  /* -Walloca-larger-than and -Wvla-larger-than settings of less than
     HWI_MAX override the more general -Walloc-size-larger-than, so
     unless either of the former options is smaller than the latter
     (which would imply that the call was already checked), check
     the alloca argument for overflow.  */
  const bool vla_unbounded
    = (warn_vla_limit >= HOST_WIDE_INT_MAX
       && warn_alloc_size_limit < warn_vla_limit);
  const bool alloca_unbounded
    = (warn_alloca_limit >= HOST_WIDE_INT_MAX
       && warn_alloc_size_limit < warn_alloca_limit);
  if (!vla_unbounded && !alloca_unbounded)
    return;

  /* Alloca has a single size argument; there is no second one.  */
  const tree alloc_args[] = { call_arg (stmt, 0), NULL_TREE };
  const int idx[] = { 0, -1 };
  maybe_warn_alloc_args_overflow (stmt, alloc_args, idx);
}
/* Check a call STMT to an allocation function for an excessive size.
   The called function (or function pointer type) must carry attribute
   alloc_size; the alloca built-ins are handled by check_alloca instead.  */

void
pass_waccess::check_alloc_size_call (gcall *stmt)
{
  tree fndecl = gimple_call_fndecl (stmt);
  if (fndecl && gimple_call_builtin_p (stmt, BUILT_IN_NORMAL))
    {
      /* Alloca is handled separately.  */
      switch (DECL_FUNCTION_CODE (fndecl))
	{
	case BUILT_IN_ALLOCA:
	case BUILT_IN_ALLOCA_WITH_ALIGN:
	case BUILT_IN_ALLOCA_WITH_ALIGN_AND_MAX:
	  return;
	default:
	  break;
	}
    }

  tree fntype = gimple_call_fntype (stmt);
  tree fntypeattrs = TYPE_ATTRIBUTES (fntype);

  tree alloc_size = lookup_attribute ("alloc_size", fntypeattrs);
  if (!alloc_size)
    return;

  /* Extract attribute alloc_size from the type of the called expression
     (which could be a function or a function pointer) and if set, store
     the indices of the corresponding arguments in IDX, and then
     the actual argument(s) at those indices in ALLOC_ARGS.  */
  int idx[2] = { -1, -1 };
  tree alloc_args[] = { NULL_TREE, NULL_TREE };
  unsigned nargs = gimple_call_num_args (stmt);

  /* Attribute positions are one-based; IDX is zero-based.  */
  tree args = TREE_VALUE (alloc_size);
  idx[0] = TREE_INT_CST_LOW (TREE_VALUE (args)) - 1;
  /* Avoid invalid calls to functions without a prototype.  The unsigned
     comparison also rejects a negative index.  */
  if ((unsigned) idx[0] >= nargs)
    return;
  alloc_args[0] = call_arg (stmt, idx[0]);
  if (TREE_CHAIN (args))
    {
      idx[1] = TREE_INT_CST_LOW (TREE_VALUE (TREE_CHAIN (args))) - 1;
      if ((unsigned) idx[1] >= nargs)
	return;
      alloc_args[1] = call_arg (stmt, idx[1]);
    }

  maybe_warn_alloc_args_overflow (stmt, alloc_args, idx);
}
/* Check a call STMT to strcat() for overflow and warn if it does.  Does
   nothing unless -Wstringop-overflow or -Wstringop-overread is enabled.  */

void
pass_waccess::check_strcat (gcall *stmt)
{
  if (!warn_stringop_overflow && !warn_stringop_overread)
    return;

  tree dest = call_arg (stmt, 0);
  tree src = call_arg (stmt, 1);

  /* There is no way here to determine the length of the string in
     the destination to which the SRC string is being appended so
     just diagnose cases when the source string is longer than
     the destination object.  */
  access_data adata (m_ptr_qry.rvals, stmt, access_read_write, NULL_TREE,
		     true, NULL_TREE, true);

  /* Object Size type: one less than the -Wstringop-overflow= level when
     the option is set, otherwise type 1.  */
  int ost = 1;
  if (warn_stringop_overflow)
    ost = warn_stringop_overflow - 1;

  compute_objsize (src, stmt, ost, &adata.src, &m_ptr_qry);
  tree destsize = compute_objsize (dest, stmt, ost, &adata.dst, &m_ptr_qry);

  check_access (stmt, /*dstwrite=*/NULL_TREE, /*maxread=*/NULL_TREE,
		src, destsize, adata.mode, &adata, m_ptr_qry.rvals);
}
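/* Check a call STMT to strncat() for overflow and warn if it does.  Does
   nothing unless -Wstringop-overflow or -Wstringop-overread is enabled.  */

void
pass_waccess::check_strncat (gcall *stmt)
{
  if (!warn_stringop_overflow && !warn_stringop_overread)
    return;

  tree dest = call_arg (stmt, 0);
  tree src = call_arg (stmt, 1);
  /* The upper bound on the number of bytes to write.  */
  tree maxread = call_arg (stmt, 2);

  /* Detect unterminated source (only).  */
  if (!check_nul_terminated_array (stmt, src, maxread))
    return;

  /* The length of the source sequence.  */
  tree slen = c_strlen (src, 1);

  /* Try to determine the range of lengths that the source expression
     refers to.  Since the lengths are only used for warning and not
     for code generation disable strict mode below.  */
  tree maxlen = slen;
  if (!maxlen)
    {
      c_strlen_data lendata = { };
      get_range_strlen (src, &lendata, /* eltsize = */ 1);
      maxlen = lendata.maxbound;
    }

  access_data data (m_ptr_qry.rvals, stmt, access_read_write);
  /* Try to verify that the destination is big enough for the shortest
     string.  First try to determine the size of the destination object
     into which the source is being copied.  Use the same Object Size
     type as the other string checks: one less than the -Wstringop-overflow=
     level when that option is enabled, and type 1 when only
     -Wstringop-overread is (rather than passing -1).  */
  const int ost = warn_stringop_overflow ? warn_stringop_overflow - 1 : 1;
  tree destsize = compute_objsize (dest, stmt, ost, &data.dst, &m_ptr_qry);

  /* Add one for the terminating nul.  */
  tree srclen = (maxlen
		 ? fold_build2 (PLUS_EXPR, size_type_node, maxlen,
				size_one_node)
		 : NULL_TREE);

  /* The strncat function copies at most MAXREAD bytes and always appends
     the terminating nul so the specified upper bound should never be equal
     to (or greater than) the size of the destination.  */
  if (tree_fits_uhwi_p (maxread) && tree_fits_uhwi_p (destsize)
      && tree_int_cst_equal (destsize, maxread))
    {
      location_t loc = get_location (stmt);
      warning_at (loc, OPT_Wstringop_overflow_,
		  "%qD specified bound %E equals destination size",
		  get_callee_fndecl (stmt), maxread);

      return;
    }

  /* When the source length is unknown, or the bound is a constant smaller
     than it, the bound limits what can be read.  */
  if (!srclen
      || (maxread && tree_fits_uhwi_p (maxread)
	  && tree_fits_uhwi_p (srclen)
	  && tree_int_cst_lt (maxread, srclen)))
    srclen = maxread;

  check_access (stmt, /*dstwrite=*/NULL_TREE, maxread, srclen,
		destsize, data.mode, &data, m_ptr_qry.rvals);
}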
/* Check a call STMT to stpcpy() or strcpy() for overflow and warn
   if it does.  The unterminated-source check runs regardless of
   options; the size check only with -Wstringop-overflow.  */

void
pass_waccess::check_stxcpy (gcall *stmt)
{
  tree dst = call_arg (stmt, 0);
  tree src = call_arg (stmt, 1);

  tree size;
  bool exact;
  tree nonstr = unterminated_array (src, &size, &exact);
  if (nonstr)
    {
      /* NONSTR refers to the non-nul terminated constant array.  */
      warn_string_no_nul (get_location (stmt), stmt, NULL, src, nonstr,
			  size, exact);
      return;
    }

  if (warn_stringop_overflow)
    {
      access_data adata (m_ptr_qry.rvals, stmt, access_read_write, NULL_TREE,
			 true, NULL_TREE, true);
      /* The option is known to be nonzero here so the Object Size type
	 is simply one less than its level.  */
      const int ost = warn_stringop_overflow - 1;
      compute_objsize (src, stmt, ost, &adata.src, &m_ptr_qry);
      tree dstsize = compute_objsize (dst, stmt, ost, &adata.dst, &m_ptr_qry);
      check_access (stmt, /*dstwrite=*/ NULL_TREE,
		    /*maxread=*/ NULL_TREE, /*srcstr=*/ src,
		    dstsize, adata.mode, &adata, m_ptr_qry.rvals);
    }

  /* Check to see if the argument was declared attribute nonstring
     and if so, issue a warning since at this point it's not known
     to be nul-terminated.  */
  maybe_warn_nonstring_arg (get_callee_fndecl (stmt), stmt);
}
/* Check a call STMT to stpncpy() or strncpy() for overflow and warn
   if it does.  Does nothing unless -Wstringop-overflow is enabled.  */

void
pass_waccess::check_stxncpy (gcall *stmt)
{
  if (!warn_stringop_overflow)
    return;

  tree dst = call_arg (stmt, 0);
  tree src = call_arg (stmt, 1);
  /* The number of bytes to write (not the maximum).  */
  tree len = call_arg (stmt, 2);

  /* LEN is both the number of bytes written and the most that is read.  */
  access_data adata (m_ptr_qry.rvals, stmt, access_read_write, len, true, len,
		     true);
  /* -Wstringop-overflow is known to be enabled here so the Object Size
     type is one less than its level.  */
  const int ost = warn_stringop_overflow - 1;
  compute_objsize (src, stmt, ost, &adata.src, &m_ptr_qry);
  tree dstsize = compute_objsize (dst, stmt, ost, &adata.dst, &m_ptr_qry);

  check_access (stmt, /*dstwrite=*/len, /*maxread=*/len, src, dstsize,
		adata.mode, &adata, m_ptr_qry.rvals);
}
/* Check a call STMT to strncmp() for an over-read of either argument
   and warn if one is possible.  Does nothing unless -Wstringop-overread
   is enabled.  */

void
pass_waccess::check_strncmp (gcall *stmt)
{
  if (!warn_stringop_overread)
    return;

  tree arg1 = call_arg (stmt, 0);
  tree arg2 = call_arg (stmt, 1);
  tree bound = call_arg (stmt, 2);

  /* First check each argument separately, considering the bound.  */
  if (!check_nul_terminated_array (stmt, arg1, bound)
      || !check_nul_terminated_array (stmt, arg2, bound))
    return;

  /* A strncmp read from each argument is constrained not just by
     the bound but also by the length of the shorter string.  Specifying
     a bound that's larger than the size of either array makes no sense
     and is likely a bug.  When the length of neither of the two strings
     is known but the sizes of both of the arrays they are stored in is,
     issue a warning if the bound is larger than the size of
     the larger of the two arrays.  */

  c_strlen_data lendata1{ }, lendata2{ };
  tree len1 = c_strlen (arg1, 1, &lendata1);
  tree len2 = c_strlen (arg2, 1, &lendata2);

  /* Only constant lengths are useful below; drop symbolic ones.  */
  if (len1 && TREE_CODE (len1) != INTEGER_CST)
    len1 = NULL_TREE;
  if (len2 && TREE_CODE (len2) != INTEGER_CST)
    len2 = NULL_TREE;

  if (len1 && len2)
    /* If the length of both arguments was computed they must both be
       nul-terminated and no further checking is necessary regardless
       of the bound.  */
    return;

  /* Check to see if the argument was declared with attribute nonstring
     and if so, issue a warning since at this point it's not known to be
     nul-terminated.  */
  if (maybe_warn_nonstring_arg (get_callee_fndecl (stmt), stmt))
    return;

  access_data adata1 (m_ptr_qry.rvals, stmt, access_read_only, NULL_TREE, false,
		      bound, true);
  access_data adata2 (m_ptr_qry.rvals, stmt, access_read_only, NULL_TREE, false,
		      bound, true);

  /* Determine the range of the bound first and bail if it fails; it's
     cheaper than computing the size of the objects.  A zero lower bound
     means nothing need be read.  */
  tree bndrng[2] = { NULL_TREE, NULL_TREE };
  get_size_range (m_ptr_qry.rvals, bound, stmt, bndrng, adata1.src_bndrng);
  if (!bndrng[0] || integer_zerop (bndrng[0]))
    return;

  /* A known string length caps how much the bound can cause to be read.  */
  if (len1 && tree_int_cst_lt (len1, bndrng[0]))
    bndrng[0] = len1;
  if (len2 && tree_int_cst_lt (len2, bndrng[0]))
    bndrng[0] = len2;

  /* compute_objsize almost never fails (and ultimately should never
     fail).  Don't bother to handle the rare case when it does.  */
  if (!compute_objsize (arg1, stmt, 1, &adata1.src, &m_ptr_qry)
      || !compute_objsize (arg2, stmt, 1, &adata2.src, &m_ptr_qry))
    return;

  /* Compute the size of the remaining space in each array after
     subtracting any offset into it.  */
  offset_int rem1 = adata1.src.size_remaining ();
  offset_int rem2 = adata2.src.size_remaining ();

  /* Cap REM1 and REM2 at the other if the other's argument is known
     to be an unterminated array, either because there's no space
     left in it after adding its offset or because it's constant and
     has no nul.  */
  if (rem1 == 0 || (rem1 < rem2 && lendata1.decl))
    rem2 = rem1;
  else if (rem2 == 0 || (rem2 < rem1 && lendata2.decl))
    rem1 = rem2;

  /* Point PAD at the array to reference in the note if a warning
     is issued: the one whose length is not known.  */
  access_data *pad = len1 ? &adata2 : &adata1;
  offset_int maxrem = wi::max (rem1, rem2, UNSIGNED);
  if (lendata1.decl || lendata2.decl
      || maxrem < wi::to_offset (bndrng[0]))
    {
      /* Warn when either argument isn't nul-terminated or the maximum
	 remaining space in the two arrays is less than the bound.  */
      tree func = get_callee_fndecl (stmt);
      location_t loc = gimple_location (stmt);
      maybe_warn_for_bound (OPT_Wstringop_overread, loc, stmt, func,
			    bndrng, wide_int_to_tree (sizetype, maxrem),
			    pad);
    }
}
/* Determine and check the sizes of the source and the destination
   of calls to __builtin_{bzero,memcpy,mempcpy,memset}.  STMT is the
   call statement, DEST is the destination argument, SRC is the source
   argument or null, and SIZE is the number of bytes being accessed.
   Use Object Size type-0 regardless of the OPT_Wstringop_overflow_
   setting.  Any diagnostic is issued by check_access; nothing is
   returned.  */

void
pass_waccess::check_memop_access (gimple *stmt, tree dest, tree src, tree size)
{
  /* For functions like memset and memcpy that operate on raw memory
     try to determine the size of the largest source and destination
     object using type-0 Object Size regardless of the object size
     type specified by the option.  */
  access_data adata (m_ptr_qry.rvals, stmt, access_read_write);

  tree srcsize = NULL_TREE;
  if (src)
    srcsize = compute_objsize (src, stmt, 0, &adata.src, &m_ptr_qry);

  tree dstsize = compute_objsize (dest, stmt, 0, &adata.dst, &m_ptr_qry);

  check_access (stmt, size, /*maxread=*/NULL_TREE, srcsize, dstsize,
		adata.mode, &adata, m_ptr_qry.rvals);
}
/* A convenience wrapper for check_access to check access by a read-only
   function like puts or strcmp.  STMT is the call, SRC the pointer being
   read, BOUND the optional upper bound on the number of bytes read, and
   OST the Object Size type to use.  Does nothing unless
   -Wstringop-overread is enabled.  */

void
pass_waccess::check_read_access (gimple *stmt, tree src,
				 tree bound /* = NULL_TREE */,
				 int ost /* = 1 */)
{
  if (!warn_stringop_overread)
    return;

  /* Normalize the bound to size_t so the range code below sees a single
     type.  */
  const bool convert_bound
    = bound && !useless_type_conversion_p (size_type_node, TREE_TYPE (bound));
  if (convert_bound)
    bound = fold_convert (size_type_node, bound);

  /* Warn first about an argument declared attribute nonstring.  */
  maybe_warn_nonstring_arg (get_callee_fndecl (stmt), stmt);

  access_data adata (m_ptr_qry.rvals, stmt, access_read_only, NULL_TREE,
		     false, bound, true);
  compute_objsize (src, stmt, ost, &adata.src, &m_ptr_qry);
  check_access (stmt, /*dstwrite=*/ NULL_TREE, /*maxread=*/ bound,
		/*srcstr=*/ src, /*dstsize=*/ NULL_TREE, adata.mode,
		&adata, m_ptr_qry.rvals);
}
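/* Return true if memory model ORD is constant in the context of STMT and
   set *CSTVAL to the constant value.  Otherwise return false.  Warn for
   invalid ORD (a value with bits outside MEMMODEL_MASK) when the target
   doesn't provide its own check.  */

bool
memmodel_to_uhwi (tree ord, gimple *stmt, unsigned HOST_WIDE_INT *cstval)
{
  unsigned HOST_WIDE_INT val;

  if (TREE_CODE (ord) == INTEGER_CST)
    {
      if (!tree_fits_uhwi_p (ord))
	return false;
      val = tree_to_uhwi (ord);
    }
  else
    {
      /* Use the range query to determine constant values in the absence
	 of constant propagation (such as at -O0).  */
      value_range rng;
      if (!get_range_query (cfun)->range_of_expr (rng, ord, stmt)
	  || !rng.constant_p ()
	  || !rng.singleton_p (&ord))
	return false;

      wide_int lob = rng.lower_bound ();
      if (!wi::fits_uhwi_p (lob))
	return false;

      /* LOB was just verified to fit an unsigned HWI, so extract it as
	 one rather than through the signed accessor.  */
      val = lob.to_uhwi ();
    }

  if (targetm.memmodel_check)
    /* This might warn for an invalid VAL but return a conservatively
       valid result.  */
    val = targetm.memmodel_check (val);
  else if (val & ~MEMMODEL_MASK)
    {
      tree fndecl = gimple_call_fndecl (stmt);
      location_t loc = gimple_location (stmt);
      loc = expansion_point_location_if_in_system_header (loc);

      warning_at (loc, OPT_Winvalid_memory_model,
		  "unknown architecture specifier in memory model "
		  "%wi for %qD", val, fndecl);
      return false;
    }

  *cstval = val;

  return true;
}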
/* Valid memory model for each set of atomic built-in functions: a model's
   enumerator paired with its user-visible memory_order_ name.  */

struct memmodel_pair
{
  memmodel modval;
  const char* modname;

/* Expand to a memmodel_pair initializer from the suffix VAL of a MEMMODEL_
   enumerator and the suffix STR of the corresponding memory_order_ name.
   Defined inside the struct for proximity; usable anywhere after it.  */
#define MEMMODEL_PAIR(val, str) \
  { MEMMODEL_ ## val, "memory_order_" str }
};
/* Valid memory models.  NOTE(review): the array is not sorted by the
   MEMMODEL_ enumerator value (SEQ_CST, the strongest, is second), so its
   order must not be relied on to compare the strength of two models.
   The index arrays that follow refer to positions in this array.  */

static const memmodel_pair memory_models[] =
  { MEMMODEL_PAIR (RELAXED, "relaxed"),
    MEMMODEL_PAIR (SEQ_CST, "seq_cst"),
    MEMMODEL_PAIR (ACQUIRE, "acquire"),
    MEMMODEL_PAIR (CONSUME, "consume"),
    MEMMODEL_PAIR (RELEASE, "release"),
    MEMMODEL_PAIR (ACQ_REL, "acq_rel")
  };
/* Return the memory_order_ name of the memory model VAL, ignoring any
   target-specific bits above the base model, or null if VAL doesn't
   name a known model.  */

static const char*
memmodel_name (unsigned HOST_WIDE_INT val)
{
  const unsigned HOST_WIDE_INT base = memmodel_base (val);

  for (const memmodel_pair &mp : memory_models)
    if (base == mp.modval)
      return mp.modname;

  return NULL;
}
/* Indices of valid MEMORY_MODELS above for corresponding atomic operations.
   Each array is terminated by UCHAR_MAX.  Positions in MEMORY_MODELS are:
   0 relaxed, 1 seq_cst, 2 acquire, 3 consume, 4 release, 5 acq_rel.  */
static const unsigned char load_models[] = { 0, 1, 2, 3, UCHAR_MAX };
static const unsigned char store_models[] = { 0, 1, 4, UCHAR_MAX };
static const unsigned char xchg_models[] = { 0, 1, 3, 4, 5, UCHAR_MAX };
static const unsigned char flag_clr_models[] = { 0, 1, 4, UCHAR_MAX };
static const unsigned char all_models[] = { 0, 1, 2, 3, 4, 5, UCHAR_MAX };
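/* Check the success memory model argument ORD_SUCS to the call STMT to
   an atomic function and warn if it's invalid.  If nonnull, also check
   the failure memory model ORD_FAIL and warn if it's invalid.  VALID is
   a UCHAR_MAX-terminated array of indices into MEMORY_MODELS naming the
   models the function accepts, or null to accept every model.  Return
   true if a warning has been issued.  */

bool
pass_waccess::maybe_warn_memmodel (gimple *stmt, tree ord_sucs,
				   tree ord_fail, const unsigned char *valid)
{
  /* Bail when either argument isn't a known constant; memmodel_to_uhwi
     has already warned for a value with unknown bits.  */
  unsigned HOST_WIDE_INT sucs, fail = 0;
  if (!memmodel_to_uhwi (ord_sucs, stmt, &sucs)
      || (ord_fail && !memmodel_to_uhwi (ord_fail, stmt, &fail)))
    return false;

  bool is_valid = false;
  if (valid)
    for (unsigned i = 0; valid[i] != UCHAR_MAX; ++i)
      {
	memmodel model = memory_models[valid[i]].modval;
	if (memmodel_base (sucs) == model)
	  {
	    is_valid = true;
	    break;
	  }
      }
  else
    is_valid = true;

  tree fndecl = gimple_call_fndecl (stmt);
  location_t loc = gimple_location (stmt);
  loc = expansion_point_location_if_in_system_header (loc);

  if (!is_valid)
    {
      bool warned = false;
      if (const char *modname = memmodel_name (sucs))
	warned = warning_at (loc, OPT_Winvalid_memory_model,
			     "invalid memory model %qs for %qD",
			     modname, fndecl);
      else
	warned = warning_at (loc, OPT_Winvalid_memory_model,
			     "invalid memory model %wi for %qD",
			     sucs, fndecl);

      if (!warned)
	return false;

      /* Print a note with the valid memory models.  VALID is nonnull
	 here because a null VALID makes every model valid above.  */
      pretty_printer pp;
      pp_show_color (&pp) = pp_show_color (global_dc->printer);
      for (unsigned i = 0; valid[i] != UCHAR_MAX; ++i)
	{
	  const char *modname = memory_models[valid[i]].modname;
	  pp_printf (&pp, "%s%qs", i ? ", " : "", modname);
	}

      inform (loc, "valid models are %s", pp_formatted_text (&pp));
      return true;
    }

  if (!ord_fail)
    return false;

  /* Release and acq_rel are never valid failure models.  NOTE(review):
     FAIL is compared here without memmodel_base, unlike the strength
     check below; confirm that's intended.  */
  if (fail == MEMMODEL_RELEASE || fail == MEMMODEL_ACQ_REL)
    if (const char *failname = memmodel_name (fail))
      {
	/* The failure model is known to be valid here so use its name
	   in the warning.  */
	if (!warning_at (loc, OPT_Winvalid_memory_model,
			 "invalid failure memory model %qs for %qD",
			 failname, fndecl))
	  return false;

	inform (loc,
		"valid failure models are %qs, %qs, %qs, %qs",
		"memory_order_relaxed", "memory_order_seq_cst",
		"memory_order_acquire", "memory_order_consume");
	return true;
      }

  if (memmodel_base (fail) <= memmodel_base (sucs))
    return false;

  if (const char *sucsname = memmodel_name (sucs))
    if (const char *failname = memmodel_name (fail))
      {
	/* If both memory model arguments are valid but their combination
	   is not, use their names in the warning.  */
	if (!warning_at (loc, OPT_Winvalid_memory_model,
			 "failure memory model %qs cannot be stronger "
			 "than success memory model %qs for %qD",
			 failname, sucsname, fndecl))
	  return false;

	/* Print a note with the valid failure memory models: those no
	   stronger than the success model, excluding release and acq_rel
	   which are never valid failure models.  MEMORY_MODELS is not
	   sorted by value so every entry is tested rather than stopping
	   at the first one that's too strong, and the array is indexed
	   directly rather than through VALID (which may be null on this
	   path).  A pretty_printer replaces the fixed-size buffer.  */
	pretty_printer pp;
	pp_show_color (&pp) = pp_show_color (global_dc->printer);
	bool first = true;
	for (unsigned i = 0;
	     i != sizeof memory_models / sizeof *memory_models; ++i)
	  {
	    const memmodel model = memory_models[i].modval;
	    if (model == MEMMODEL_RELEASE
		|| model == MEMMODEL_ACQ_REL
		|| model > memmodel_base (sucs))
	      continue;

	    pp_printf (&pp, "%s%qs", first ? "" : ", ",
		       memory_models[i].modname);
	    first = false;
	  }

	inform (loc, "valid models are %s", pp_formatted_text (&pp));
	return true;
      }

  /* If either memory model argument value is invalid use the numerical
     value of both in the message.  */
  return warning_at (loc, OPT_Winvalid_memory_model,
		     "failure memory model %wi cannot be stronger "
		     "than success memory model %wi for %qD",
		     fail, sucs, fndecl);
}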
/* Wrapper for maybe_warn_memmodel that honors and records warning
   suppression for STMT.  ORD_SUCS, ORD_FAIL, and VALID are passed
   through unchanged.  */

void
pass_waccess::check_atomic_memmodel (gimple *stmt, tree ord_sucs,
				     tree ord_fail, const unsigned char *valid)
{
  /* Don't revisit a statement already marked as suppressed.  */
  if (warning_suppressed_p (stmt, OPT_Winvalid_memory_model))
    return;

  const bool warned = maybe_warn_memmodel (stmt, ord_sucs, ord_fail, valid);
  /* A statement that checked clean is marked suppressed, presumably so
     a later visit doesn't redo the check.  */
  if (!warned)
    suppress_warning (stmt, OPT_Winvalid_memory_model);
}
2926/* Check a call STMT to an atomic or sync built-in. */
2927
bool
pass_waccess::check_atomic_builtin (gcall *stmt)
{
  tree callee = gimple_call_fndecl (stmt);
  if (!callee)
    return false;

  /* The size in bytes of the access by the function, and the number
     of the second argument to check (if any).  */
  unsigned bytes = 0, arg2 = UINT_MAX;
  /* Indices of the success and failure memory model arguments (the
     latter only for compare-exchange).  UINT_MAX means there is none;
     the SUCS_ARG < NARGS test below relies on that, so an index that
     is out of range silently disables the memory model check.  */
  unsigned sucs_arg = UINT_MAX, fail_arg = UINT_MAX;
  /* Points to the array of indices of valid memory models.  */
  const unsigned char *pvalid_models = NULL;

  /* BUILTIN_ACCESS_SIZE_FNSPEC (N) expands to the case labels and
     actions for the sized __sync and __atomic built-ins operating on
     N bytes.  Its first label and its last statement are completed by
     the "case ...;" at each use site, and the load and store cases
     fall through on purpose to share the read-modify-write setup.
     NOTE(review): the sized __atomic_exchange_N built-in takes
     (ptr, val, memorder), i.e. the model is argument 2; with
     SUCS_ARG = 3 the NARGS guard below skips the check for it
     (3 would fit the generic four-argument __atomic_exchange).  Confirm
     the intended index.  */
  switch (DECL_FUNCTION_CODE (callee))
    {
#define BUILTIN_ACCESS_SIZE_FNSPEC(N) \
      BUILT_IN_SYNC_FETCH_AND_ADD_ ## N: \
      case BUILT_IN_SYNC_FETCH_AND_SUB_ ## N: \
      case BUILT_IN_SYNC_FETCH_AND_OR_ ## N: \
      case BUILT_IN_SYNC_FETCH_AND_AND_ ## N: \
      case BUILT_IN_SYNC_FETCH_AND_XOR_ ## N: \
      case BUILT_IN_SYNC_FETCH_AND_NAND_ ## N: \
      case BUILT_IN_SYNC_ADD_AND_FETCH_ ## N: \
      case BUILT_IN_SYNC_SUB_AND_FETCH_ ## N: \
      case BUILT_IN_SYNC_OR_AND_FETCH_ ## N: \
      case BUILT_IN_SYNC_AND_AND_FETCH_ ## N: \
      case BUILT_IN_SYNC_XOR_AND_FETCH_ ## N: \
      case BUILT_IN_SYNC_NAND_AND_FETCH_ ## N: \
      case BUILT_IN_SYNC_LOCK_TEST_AND_SET_ ## N: \
      case BUILT_IN_SYNC_BOOL_COMPARE_AND_SWAP_ ## N: \
      case BUILT_IN_SYNC_VAL_COMPARE_AND_SWAP_ ## N: \
      case BUILT_IN_SYNC_LOCK_RELEASE_ ## N: \
      bytes = N; \
      break; \
      case BUILT_IN_ATOMIC_LOAD_ ## N: \
      pvalid_models = load_models; \
      sucs_arg = 1; \
      /* FALLTHROUGH */ \
      case BUILT_IN_ATOMIC_STORE_ ## N: \
      if (!pvalid_models) \
	pvalid_models = store_models; \
      /* FALLTHROUGH */ \
      case BUILT_IN_ATOMIC_ADD_FETCH_ ## N: \
      case BUILT_IN_ATOMIC_SUB_FETCH_ ## N: \
      case BUILT_IN_ATOMIC_AND_FETCH_ ## N: \
      case BUILT_IN_ATOMIC_NAND_FETCH_ ## N: \
      case BUILT_IN_ATOMIC_XOR_FETCH_ ## N: \
      case BUILT_IN_ATOMIC_OR_FETCH_ ## N: \
      case BUILT_IN_ATOMIC_FETCH_ADD_ ## N: \
      case BUILT_IN_ATOMIC_FETCH_SUB_ ## N: \
      case BUILT_IN_ATOMIC_FETCH_AND_ ## N: \
      case BUILT_IN_ATOMIC_FETCH_NAND_ ## N: \
      case BUILT_IN_ATOMIC_FETCH_OR_ ## N: \
      case BUILT_IN_ATOMIC_FETCH_XOR_ ## N: \
      bytes = N; \
      if (sucs_arg == UINT_MAX) \
	sucs_arg = 2; \
      if (!pvalid_models) \
	pvalid_models = all_models; \
      break; \
      case BUILT_IN_ATOMIC_EXCHANGE_ ## N: \
      bytes = N; \
      sucs_arg = 3; \
      pvalid_models = xchg_models; \
      break; \
      case BUILT_IN_ATOMIC_COMPARE_EXCHANGE_ ## N: \
      bytes = N; \
      sucs_arg = 4; \
      fail_arg = 5; \
      pvalid_models = all_models; \
      arg2 = 1

      case BUILTIN_ACCESS_SIZE_FNSPEC (1);
      break;
      case BUILTIN_ACCESS_SIZE_FNSPEC (2);
      break;
      case BUILTIN_ACCESS_SIZE_FNSPEC (4);
      break;
      case BUILTIN_ACCESS_SIZE_FNSPEC (8);
      break;
      case BUILTIN_ACCESS_SIZE_FNSPEC (16);
      break;

    /* __atomic_clear has no access size to check, only its model.  */
    case BUILT_IN_ATOMIC_CLEAR:
      sucs_arg = 1;
      pvalid_models = flag_clr_models;
      break;

    default:
      return false;
    }

  /* Validate the memory model argument(s) only when the call actually
     has that many arguments.  */
  unsigned nargs = gimple_call_num_args (stmt);
  if (sucs_arg < nargs)
    {
      tree ord_sucs = gimple_call_arg (stmt, sucs_arg);
      tree ord_fail = NULL_TREE;
      if (fail_arg < nargs)
	ord_fail = gimple_call_arg (stmt, fail_arg);
      check_atomic_memmodel (stmt, ord_sucs, ord_fail, pvalid_models);
    }

  /* BYTES stays zero for __atomic_clear: nothing more to check.  */
  if (!bytes)
    return true;

  /* Check that the object the first argument points to is at least
     BYTES large; the same for the second pointer argument (the expected
     value of compare-exchange) when there is one.  */
  tree size = build_int_cstu (sizetype, bytes);
  tree dst = gimple_call_arg (stmt, 0);
  check_memop_access (stmt, dst, NULL_TREE, size);

  if (arg2 != UINT_MAX)
    {
      tree dst = gimple_call_arg (stmt, arg2);
      check_memop_access (stmt, dst, NULL_TREE, size);
    }

  return true;
}
3046
3047/* Check call STMT to a built-in function for invalid accesses. Return
3048 true if a call has been handled. */
3049
bool
pass_waccess::check_builtin (gcall *stmt)
{
  tree callee = gimple_call_fndecl (stmt);
  if (!callee)
    return false;

  /* Dispatch on the built-in code.  Cases sharing the same check are
     grouped under one label list.  */
  switch (DECL_FUNCTION_CODE (callee))
    {
    case BUILT_IN_ALLOCA:
    case BUILT_IN_ALLOCA_WITH_ALIGN:
    case BUILT_IN_ALLOCA_WITH_ALIGN_AND_MAX:
      check_alloca (stmt);
      return true;

    /* Built-ins that read one nul-terminated string, their first
       argument.  */
    case BUILT_IN_EXECL:
    case BUILT_IN_EXECLE:
    case BUILT_IN_EXECLP:
    case BUILT_IN_EXECV:
    case BUILT_IN_EXECVE:
    case BUILT_IN_EXECVP:
    case BUILT_IN_GETTEXT:
    case BUILT_IN_PUTS:
    case BUILT_IN_PUTS_UNLOCKED:
    case BUILT_IN_STRDUP:
    case BUILT_IN_INDEX:
    case BUILT_IN_RINDEX:
    case BUILT_IN_STRCHR:
    case BUILT_IN_STRRCHR:
    case BUILT_IN_STRLEN:
    case BUILT_IN_FPUTS:
    case BUILT_IN_FPUTS_UNLOCKED:
      check_read_access (stmt, call_arg (stmt, 0));
      return true;

    /* Bounded string reads: the second argument limits the read.  */
    case BUILT_IN_STRNDUP:
    case BUILT_IN_STRNLEN:
      check_read_access (stmt, call_arg (stmt, 0), call_arg (stmt, 1));
      return true;

    case BUILT_IN_STRCAT:
      check_strcat (stmt);
      return true;

    case BUILT_IN_STRNCAT:
      check_strncat (stmt);
      return true;

    case BUILT_IN_STPCPY:
    case BUILT_IN_STRCPY:
      check_stxcpy (stmt);
      return true;

    case BUILT_IN_STPNCPY:
    case BUILT_IN_STRNCPY:
      check_stxncpy (stmt);
      return true;

    /* Two nul-terminated string operands, both read.  */
    case BUILT_IN_STRCASECMP:
    case BUILT_IN_STRCMP:
    case BUILT_IN_STRPBRK:
    case BUILT_IN_STRSPN:
    case BUILT_IN_STRCSPN:
    case BUILT_IN_STRSTR:
      check_read_access (stmt, call_arg (stmt, 0));
      check_read_access (stmt, call_arg (stmt, 1));
      return true;

    case BUILT_IN_STRNCASECMP:
    case BUILT_IN_STRNCMP:
      check_strncmp (stmt);
      return true;

    case BUILT_IN_MEMCMP:
      {
	/* Both operands are read up to the bound in the third argument;
	   0 is passed explicitly as the last argument of the check.  */
	tree lhs = call_arg (stmt, 0);
	tree rhs = call_arg (stmt, 1);
	tree nbytes = call_arg (stmt, 2);
	check_read_access (stmt, lhs, nbytes, 0);
	check_read_access (stmt, rhs, nbytes, 0);
	return true;
      }

    case BUILT_IN_MEMCPY:
    case BUILT_IN_MEMPCPY:
    case BUILT_IN_MEMMOVE:
      {
	/* Destination is written and source read, both NBYTES long.  */
	tree dest = call_arg (stmt, 0);
	tree source = call_arg (stmt, 1);
	tree nbytes = call_arg (stmt, 2);
	check_memop_access (stmt, dest, source, nbytes);
	return true;
      }

    case BUILT_IN_MEMCHR:
      /* The bound is the third argument; the second is the byte value.  */
      check_read_access (stmt, call_arg (stmt, 0), call_arg (stmt, 2), 0);
      return true;

    case BUILT_IN_MEMSET:
      /* Write-only: no source object to check.  */
      check_memop_access (stmt, call_arg (stmt, 0), NULL_TREE,
			  call_arg (stmt, 2));
      return true;

    default:
      /* Anything else is either an atomic/sync built-in, handled by
	 its own checker, or not handled here at all.  */
      return check_atomic_builtin (stmt);
    }
}
3180
3181/* Returns the type of the argument ARGNO to function with type FNTYPE
3182   or null when the type cannot be determined or no such argument exists. */
3183
static tree
fntype_argno_type (tree fntype, unsigned argno)
{
  /* Without a prototype the parameter types are not known.  */
  if (!prototype_p (fntype))
    return NULL_TREE;

  /* Walk the parameter list, counting down to the requested position;
     the walk ends early with the type at that position.  */
  unsigned remaining = argno;
  tree argtype;
  function_args_iterator it;
  FOREACH_FUNCTION_ARGS (fntype, argtype, it)
    {
      if (remaining == 0)
	return argtype;
      --remaining;
    }

  /* Fewer parameters than ARGNO.  */
  return NULL_TREE;
}
3198
3199/* Helper to append the "human readable" attribute access specification
3200 described by ACCESS to the array ATTRSTR with size STRSIZE. Used in
3201 diagnostics. */
3202
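static inline void
append_attrname (const std::pair<int, attr_access> &access,
		 char *attrstr, size_t strsize)
{
  /* Internal access specifications have no user-visible attribute
     to name.  */
  if (access.second.internal_p)
    return;

  /* Despite the name this overwrites ATTRSTR rather than appending
     to it, so the buffer names the attribute of the last warning.  */
  tree str = access.second.to_external_string ();
  const char *text = TREE_STRING_POINTER (str);
  const size_t len = strlen (text);

  /* Bound the copy by the nul-terminated text that is actually written
     rather than by TREE_STRING_LENGTH, whose count may or may not
     include the terminating nul depending on how the STRING_CST was
     built.  LEN + 1 bytes are written, so that is what must fit.  */
  gcc_assert (len < strsize);
  if (strsize == 0)
    return;

  /* With assertion checking disabled, truncate instead of overrunning
     the caller's buffer; the text only feeds a diagnostic.  */
  const size_t ncopy = len < strsize ? len : strsize - 1;
  memcpy (attrstr, text, ncopy);
  attrstr[ncopy] = '\0';
}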
3214
3215/* Iterate over attribute access read-only, read-write, and write-only
3216 arguments and diagnose past-the-end accesses and related problems
3217 in the function call EXP. */
3218
void
pass_waccess::maybe_check_access_sizes (rdwr_map *rwm, tree fndecl, tree fntype,
					gimple *stmt)
{
  auto_diagnostic_group adg;

  /* Set if a warning has been issued for any argument (used to decide
     whether to emit an informational note at the end).  Note that it is
     never reset inside the loop below, so once set it stays set for
     the remaining arguments.  */
  opt_code opt_warned = no_warning;

  /* A string describing the attributes that the warnings issued by this
     function apply to.  Used to print one informational note per function
     call, rather than one per warning.  That reduces clutter.  */
  char attrstr[80];
  attrstr[0] = 0;

  for (rdwr_map::iterator it = rwm->begin (); it != rwm->end (); ++it)
    {
      /* A copy of the map entry; the map itself is not modified here.  */
      std::pair<int, attr_access> access = *it;

      /* Get the function call arguments corresponding to the attribute's
	 positional arguments.  When both arguments have been specified
	 there will be two entries in *RWM, one for each.  They are
	 cross-referenced by their respective argument numbers in
	 ACCESS.PTRARG and ACCESS.SIZARG.  */
      const int ptridx = access.second.ptrarg;
      const int sizidx = access.second.sizarg;

      gcc_assert (ptridx != -1);
      gcc_assert (access.first == ptridx || access.first == sizidx);

      /* The pointer is set to null for the entry corresponding to
	 the size argument.  Skip it.  It's handled when the entry
	 corresponding to the pointer argument comes up.  */
      if (!access.second.ptr)
	continue;

      tree ptrtype = fntype_argno_type (fntype, ptridx);
      if (!ptrtype)
	/* A function with a prototype was redeclared without one and
	   the prototype has been lost.  See pr102759.  Avoid dealing
	   with this pathological case.  */
	return;

      tree argtype = TREE_TYPE (ptrtype);

      /* The size of the access by the call in elements.  */
      tree access_nelts;
      if (sizidx == -1)
	{
	  /* If only the pointer attribute operand was specified and
	     not size, set SIZE to the greater of MINSIZE or size of
	     one element of the pointed to type to detect smaller
	     objects (null pointers are diagnosed in this case only
	     if the pointer is also declared with attribute nonnull.  */
	  if (access.second.minsize
	      && access.second.minsize != HOST_WIDE_INT_M1U)
	    access_nelts = build_int_cstu (sizetype, access.second.minsize);
	  else if (VOID_TYPE_P (argtype) && access.second.mode == access_none)
	    /* Treat access mode none on a void* argument as expecting
	       as little as zero bytes.  */
	    access_nelts = size_zero_node;
	  else
	    access_nelts = size_one_node;
	}
      else
	/* Use the actual size argument recorded by the caller for the
	   companion entry.  */
	access_nelts = rwm->get (sizidx)->size;

      /* Format the value or range to avoid an explosion of messages.  */
      char sizstr[80];
      tree sizrng[2] = { size_zero_node, build_all_ones_cst (sizetype) };
      if (get_size_range (m_ptr_qry.rvals, access_nelts, stmt, sizrng, 1))
	{
	  char *s0 = print_generic_expr_to_str (sizrng[0]);
	  if (tree_int_cst_equal (sizrng[0], sizrng[1]))
	    {
	      gcc_checking_assert (strlen (s0) < sizeof sizstr);
	      strcpy (sizstr, s0);
	    }
	  else
	    {
	      char *s1 = print_generic_expr_to_str (sizrng[1]);
	      gcc_checking_assert (strlen (s0) + strlen (s1)
				   < sizeof sizstr - 4);
	      /* The %.37s precisions bound the output to at most 78
		 characters plus the nul, so this fits SIZSTR even when
		 checking is disabled.  */
	      sprintf (sizstr, "[%.37s, %.37s]", s0, s1);
	      free (s1);
	    }
	  free (s0);
	}
      else
	*sizstr = '\0';

      /* Set if a warning has been issued for the current argument.  */
      opt_code arg_warned = no_warning;
      location_t loc = get_location (stmt);
      tree ptr = access.second.ptr;
      if (*sizstr
	  && tree_int_cst_sgn (sizrng[0]) < 0
	  && tree_int_cst_sgn (sizrng[1]) < 0)
	{
	  /* Warn about negative sizes.  */
	  if (access.second.internal_p)
	    {
	      const std::string argtypestr
		= access.second.array_as_string (ptrtype);

	      if (warning_at (loc, OPT_Wstringop_overflow_,
			      "bound argument %i value %s is "
			      "negative for a variable length array "
			      "argument %i of type %s",
			      sizidx + 1, sizstr,
			      ptridx + 1, argtypestr.c_str ()))
		arg_warned = OPT_Wstringop_overflow_;
	    }
	  else if (warning_at (loc, OPT_Wstringop_overflow_,
			       "argument %i value %s is negative",
			       sizidx + 1, sizstr))
	    arg_warned = OPT_Wstringop_overflow_;

	  if (arg_warned != no_warning)
	    {
	      append_attrname (access, attrstr, sizeof attrstr);
	      /* Remember a warning has been issued and avoid warning
		 again below for the same attribute.  */
	      opt_warned = arg_warned;
	      continue;
	    }
	}

      /* The size of the access by the call in bytes.  Stays null when
	 the lower bound is negative or the element size is not a
	 constant.  */
      tree access_size = NULL_TREE;
      if (tree_int_cst_sgn (sizrng[0]) >= 0)
	{
	  if (COMPLETE_TYPE_P (argtype))
	    {
	      /* Multiply ACCESS_SIZE by the size of the type the pointer
		 argument points to.  If it's incomplete the size is used
		 as is.  */
	      if (tree argsize = TYPE_SIZE_UNIT (argtype))
		if (TREE_CODE (argsize) == INTEGER_CST)
		  {
		    const int prec = TYPE_PRECISION (sizetype);
		    wide_int minsize = wi::to_wide (sizrng[0], prec);
		    minsize *= wi::to_wide (argsize, prec);
		    access_size = wide_int_to_tree (sizetype, minsize);
		  }
	    }
	  else
	    access_size = access_nelts;
	}

      if (integer_zerop (ptr))
	{
	  if (sizidx >= 0 && tree_int_cst_sgn (sizrng[0]) > 0)
	    {
	      /* Warn about null pointers with positive sizes.  This is
		 different from also declaring the pointer argument with
		 attribute nonnull when the function accepts null pointers
		 only when the corresponding size is zero.  */
	      if (access.second.internal_p)
		{
		  const std::string argtypestr
		    = access.second.array_as_string (ptrtype);

		  if (warning_at (loc, OPT_Wnonnull,
				  "argument %i of variable length "
				  "array %s is null but "
				  "the corresponding bound argument "
				  "%i value is %s",
				  ptridx + 1, argtypestr.c_str (),
				  sizidx + 1, sizstr))
		    arg_warned = OPT_Wnonnull;
		}
	      else if (warning_at (loc, OPT_Wnonnull,
				   "argument %i is null but "
				   "the corresponding size argument "
				   "%i value is %s",
				   ptridx + 1, sizidx + 1, sizstr))
		arg_warned = OPT_Wnonnull;
	    }
	  else if (access_size && access.second.static_p)
	    {
	      /* Warn about null pointers for [static N] array arguments
		 but do not warn for ordinary (i.e., nonstatic) arrays.  */
	      if (warning_at (loc, OPT_Wnonnull,
			      "argument %i to %<%T[static %E]%> "
			      "is null where non-null expected",
			      ptridx + 1, argtype, access_size))
		arg_warned = OPT_Wnonnull;
	    }

	  if (arg_warned != no_warning)
	    {
	      append_attrname (access, attrstr, sizeof attrstr);
	      /* Remember a warning has been issued and avoid warning
		 again below for the same attribute.  */
	      opt_warned = OPT_Wnonnull;
	      continue;
	    }
	}

      /* Compute the size of the object PTR points to, recording it as
	 the destination for write-only accesses and as the source
	 otherwise.  */
      access_data data (m_ptr_qry.rvals, stmt, access.second.mode,
			NULL_TREE, false, NULL_TREE, false);
      access_ref* const pobj = (access.second.mode == access_write_only
				? &data.dst : &data.src);
      tree objsize = compute_objsize (ptr, stmt, 1, pobj, &m_ptr_qry);

      /* The size of the destination or source object.  */
      tree dstsize = NULL_TREE, srcsize = NULL_TREE;
      if (access.second.mode == access_read_only
	  || access.second.mode == access_none)
	{
	  /* For a read-only argument there is no destination.  For
	     no access, set the source as well and differentiate via
	     the access flag below.  */
	  srcsize = objsize;
	  /* NOTE(review): this inner condition repeats the enclosing one
	     and so always holds here, and OBJSIZE is not read again
	     after this point; the assignment appears to be a leftover.  */
	  if (access.second.mode == access_read_only
	      || access.second.mode == access_none)
	    {
	      /* For a read-only attribute there is no destination so
		 clear OBJSIZE.  This emits "reading N bytes" kind of
		 diagnostics instead of the "writing N bytes" kind,
		 unless MODE is none.  */
	      objsize = NULL_TREE;
	    }
	}
      else
	dstsize = objsize;

      /* Clear the no-warning bit in case it was set by check_access
	 in a prior iteration so that accesses via different arguments
	 are diagnosed.  */
      suppress_warning (stmt, OPT_Wstringop_overflow_, false);
      access_mode mode = data.mode;
      if (mode == access_deferred)
	/* Deferred mode is resolved from the constness of the pointee.  */
	mode = TYPE_READONLY (argtype) ? access_read_only : access_read_write;
      check_access (stmt, access_size, /*maxread=*/ NULL_TREE, srcsize,
		    dstsize, mode, &data, m_ptr_qry.rvals);

      /* check_access signals that it warned by setting the no-warning
	 bit cleared above.  Because OPT_WARNED persists across
	 iterations, the note below is also emitted for later arguments
	 once any earlier one has warned.  */
      if (warning_suppressed_p (stmt, OPT_Wstringop_overflow_))
	opt_warned = OPT_Wstringop_overflow_;
      if (opt_warned != no_warning)
	{
	  if (access.second.internal_p)
	    {
	      /* ACCESS_NELTS is assigned on every path above, so the
		 HOST_WIDE_INT_M1U alternative is only reached if the
		 companion entry's size was null -- TODO confirm.  */
	      unsigned HOST_WIDE_INT nelts =
		access_nelts ? access.second.minsize : HOST_WIDE_INT_M1U;
	      tree arrtype = build_printable_array_type (argtype, nelts);
	      inform (loc, "referencing argument %u of type %qT",
		      ptridx + 1, arrtype);
	    }
	  else
	    /* If check_access issued a warning above, append the relevant
	       attribute to the string.  */
	    append_attrname (access, attrstr, sizeof attrstr);
	}
    }

  /* One trailing note per call naming the function (or, for an
     indirect call, its type) and the attribute the warnings refer to.  */
  if (*attrstr)
    {
      if (fndecl)
	inform (get_location (fndecl),
		"in a call to function %qD declared with attribute %qs",
		fndecl, attrstr);
      else
	inform (get_location (stmt),
		"in a call with type %qT and attribute %qs",
		fntype, attrstr);
    }
  else if (opt_warned != no_warning)
    {
      if (fndecl)
	inform (get_location (fndecl),
		"in a call to function %qD", fndecl);
      else
	inform (get_location (stmt),
		"in a call with type %qT", fntype);
    }

  /* Set the bit in case it was cleared and not set above.  */
  if (opt_warned != no_warning)
    suppress_warning (stmt, opt_warned);
}
3502
3503/* Check call STMT to an ordinary (non-built-in) function for invalid
3504 accesses. Return true if a call has been handled. */
3505
bool
pass_waccess::check_call (gcall *stmt)
{
  tree fntype = gimple_call_fntype (stmt);
  if (!fntype)
    return false;

  /* Only calls whose type carries attributes can have attribute access
     specifications to check.  */
  tree fntypeattrs = TYPE_ATTRIBUTES (fntype);
  if (!fntypeattrs)
    return false;

  /* Map of attribute access specifications for function arguments.  */
  rdwr_map rdwr_idx;
  init_attr_rdwr_indices (&rdwr_idx, fntypeattrs);

  /* Record the actual argument that corresponds to each access attribute
     operand: a pointer argument goes into ACCESS->PTR, anything else
     (a size, or VLA bounds) into ACCESS->SIZE.  */
  const unsigned nargs = call_nargs (stmt);
  for (unsigned argno = 0; argno != nargs; ++argno)
    {
      tree arg = call_arg (stmt, argno);
      attr_access *access = rdwr_idx.get (argno);
      if (!access)
	continue;

      if (POINTER_TYPE_P (TREE_TYPE (arg)))
	access->ptr = arg;
      else
	{
	  access->size = arg;
	  /* The size entry must not also claim to be the pointer.  */
	  gcc_assert (access->ptr == NULL_TREE);
	}
    }

  /* Check attribute access arguments, then the alloc_size ones.  */
  tree fndecl = gimple_call_fndecl (stmt);
  maybe_check_access_sizes (&rdwr_idx, fndecl, fntype, stmt);

  check_alloc_size_call (stmt);
  return true;
}
3550
3551/* Check arguments in a call STMT for attribute nonstring. */
3552
static void
check_nonstring_args (gcall *stmt)
{
  /* Diagnose passing arguments declared with attribute nonstring to
     functions that expect nul-terminated strings.  The callee decl
     (possibly null for an indirect call) is passed through as is.  */
  maybe_warn_nonstring_arg (gimple_call_fndecl (stmt), stmt);
}
3562
3563/* Issue a warning if a deallocation function such as free, realloc,
3564   or C++ operator delete is called with an argument not returned by
3565   a matching allocation function such as malloc or the corresponding
3566   form of C++ operator new. */
3567
void
pass_waccess::maybe_check_dealloc_call (gcall *call)
{
  tree fndecl = gimple_call_fndecl (call);
  if (!fndecl)
    return;

  /* Position of the pointer operand of the deallocator.  The comparison
     against the argument count also bails out when FNDECL is not a
     deallocator at all, presumably via an out-of-range ARGNO -- confirm
     against fndecl_dealloc_argno.  */
  unsigned argno = fndecl_dealloc_argno (fndecl);
  if ((unsigned) call_nargs (call) <= argno)
    return;

  /* Deallocating a null pointer is always valid.  */
  tree ptr = gimple_call_arg (call, argno);
  if (integer_zerop (ptr))
    return;

  /* Determine the object PTR refers to (AREF.REF) and its offset and
     size ranges.  */
  access_ref aref;
  if (!compute_objsize (ptr, call, 0, &aref, &m_ptr_qry))
    return;

  tree ref = aref.ref;
  if (integer_zerop (ref))
    return;

  tree dealloc_decl = fndecl;
  location_t loc = gimple_location (call);

  if (DECL_P (ref) || EXPR_P (ref))
    {
      /* Diagnose freeing a declared object.  */
      if (aref.ref_declared ()
	  && warning_at (loc, OPT_Wfree_nonheap_object,
			 "%qD called on unallocated object %qD",
			 dealloc_decl, ref))
	{
	  inform (get_location (ref), "declared here");
	  return;
	}

      /* Diagnose freeing a pointer that includes a positive offset.
	 Such a pointer cannot refer to the beginning of an allocated
	 object.  A negative offset may refer to it.  The offset test
	 itself is left to warn_dealloc_offset; only a non-constant
	 size range is required here.  */
      if (aref.sizrng[0] != aref.sizrng[1]
	  && warn_dealloc_offset (loc, call, aref))
	return;
    }
  else if (CONSTANT_CLASS_P (ref))
    {
      /* A pointer derived from a constant cannot have come from an
	 allocation function.  */
      if (warning_at (loc, OPT_Wfree_nonheap_object,
		      "%qD called on a pointer to an unallocated "
		      "object %qE", dealloc_decl, ref))
	{
	  if (TREE_CODE (ptr) == SSA_NAME)
	    {
	      gimple *def_stmt = SSA_NAME_DEF_STMT (ptr);
	      if (is_gimple_assign (def_stmt))
		{
		  /* Shadows the outer LOC; only used for this note.  */
		  location_t loc = gimple_location (def_stmt);
		  inform (loc, "assigned here");
		}
	    }
	  return;
	}
    }
  else if (TREE_CODE (ref) == SSA_NAME)
    {
      /* Also warn if the pointer argument refers to the result
	 of an allocation call like alloca or VLA.  */
      gimple *def_stmt = SSA_NAME_DEF_STMT (ref);
      if (!def_stmt)
	return;

      if (is_gimple_call (def_stmt))
	{
	  bool warned = false;
	  if (gimple_call_alloc_p (def_stmt))
	    {
	      if (matching_alloc_calls_p (def_stmt, dealloc_decl))
		{
		  /* Allocator and deallocator match; only an offset
		     into the allocated block can be wrong.  */
		  if (warn_dealloc_offset (loc, call, aref))
		    return;
		}
	      else
		{
		  /* Pick the option by whether either side is a C++
		     operator; ALLOC_DECL is assumed non-null here for
		     an allocation call -- TODO confirm.  */
		  tree alloc_decl = gimple_call_fndecl (def_stmt);
		  const opt_code opt =
		    (DECL_IS_OPERATOR_NEW_P (alloc_decl)
		     || DECL_IS_OPERATOR_DELETE_P (dealloc_decl)
		     ? OPT_Wmismatched_new_delete
		     : OPT_Wmismatched_dealloc);
		  warned = warning_at (loc, opt,
				       "%qD called on pointer returned "
				       "from a mismatched allocation "
				       "function", dealloc_decl);
		}
	    }
	  else if (gimple_call_builtin_p (def_stmt, BUILT_IN_ALLOCA)
		   || gimple_call_builtin_p (def_stmt,
					     BUILT_IN_ALLOCA_WITH_ALIGN))
	    /* Stack memory is never a valid deallocator operand.  */
	    warned = warning_at (loc, OPT_Wfree_nonheap_object,
				 "%qD called on pointer to "
				 "an unallocated object",
				 dealloc_decl);
	  else if (warn_dealloc_offset (loc, call, aref))
	    return;

	  if (warned)
	    {
	      /* Shadows the outer FNDECL; names the defining call.  */
	      tree fndecl = gimple_call_fndecl (def_stmt);
	      inform (gimple_location (def_stmt),
		      "returned from %qD", fndecl);
	      return;
	    }
	}
      else if (gimple_nop_p (def_stmt))
	{
	  /* REF is a default definition, i.e. an incoming parameter or
	     an uninitialized variable.  */
	  ref = SSA_NAME_VAR (ref);
	  /* Diagnose freeing a pointer that includes a positive offset.  */
	  if (TREE_CODE (ref) == PARM_DECL
	      && !aref.deref
	      && aref.sizrng[0] != aref.sizrng[1]
	      && aref.offrng[0] > 0 && aref.offrng[1] > 0
	      && warn_dealloc_offset (loc, call, aref))
	    return;
	}
    }
}
3694
3695/* Check call STMT for invalid accesses. */
3696
void
pass_waccess::check (gcall *stmt)
{
  /* Built-in functions get their dedicated argument checks first; the
     result is ignored because the remaining checks apply either way.  */
  const bool is_builtin = gimple_call_builtin_p (stmt, BUILT_IN_NORMAL);
  if (is_builtin)
    check_builtin (stmt);

  /* Attribute access and alloc_size checks for any call.  NOTE(review):
     STMT is already a gcall, so this test presumably always holds.  */
  if (is_gimple_call (stmt))
    check_call (stmt);

  /* Deallocator operand and attribute nonstring checks.  */
  maybe_check_dealloc_call (stmt);
  check_nonstring_args (stmt);
}
3710
3711/* Check basic block BB for invalid accesses. */
3712
void
pass_waccess::check (basic_block bb)
{
  /* Walk the statements of BB and hand every call to the gcall
     overload; other statements are of no interest here.  */
  gimple_stmt_iterator si = gsi_start_bb (bb);
  for (; !gsi_end_p (si); gsi_next (&si))
    {
      gcall *call = dyn_cast <gcall *> (gsi_stmt (si));
      if (!call)
	continue;
      check (call);
    }
}
3723
3724/* Check function FUN for invalid accesses. */
3725
unsigned
pass_waccess::execute (function *fun)
{
  /* Create a new ranger instance and associate it with FUN; the
     pointer query uses it for value ranges throughout the pass.  */
  m_ptr_qry.rvals = enable_ranger (fun);

  /* Check every block of FUN.  */
  basic_block bb;
  FOR_EACH_BB_FN (bb, fun)
    check (bb);

  if (dump_file)
    {
      const bool details = (dump_flags & TDF_DETAILS) != 0;
      m_ptr_qry.dump (dump_file, details);
    }

  m_ptr_qry.flush_cache ();

  /* Release the ranger instance and replace it with a global ranger.
     Also reset the pointer since calling disable_ranger() deletes it.  */
  disable_ranger (fun);
  m_ptr_qry.rvals = NULL;

  /* No TODO flags: the pass only diagnoses, it does not transform.  */
  return 0;
}
3748
3749} // namespace
3750
3751/* Return a new instance of the pass. */
3752
gimple_opt_pass *
make_pass_warn_access (gcc::context *ctxt)
{
  /* The pass manager owns the returned object.  */
  gimple_opt_pass *pass = new pass_waccess (ctxt);
  return pass;
}