From: David Malcolm <dmalcolm@redhat.com>
Date: Fri, 2 Jul 2021 19:19:47 +0000 (-0400)
Subject: analyzer: fix issue with symbolic reads with concrete bindings
X-Git-Tag: releases/gcc-11.2.0~119
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=a9636a1ea430a2145c84f8b713a5eb5d7a857f66;p=thirdparty%2Fgcc.git

analyzer: fix issue with symbolic reads with concrete bindings

gcc/analyzer/ChangeLog:
	* store.cc (binding_cluster::get_any_binding): Make symbolic reads
	from a cluster with concrete bindings return unknown.

gcc/testsuite/ChangeLog:
	* gcc.dg/analyzer/symbolic-7.c: New test.

Signed-off-by: David Malcolm <dmalcolm@redhat.com>
---

diff --git a/gcc/analyzer/store.cc b/gcc/analyzer/store.cc
index b643b6318635..320370326bde 100644
--- a/gcc/analyzer/store.cc
+++ b/gcc/analyzer/store.cc
@@ -1177,6 +1177,16 @@ binding_cluster::get_any_binding (store_manager *mgr,
       return rmm_mgr->get_or_create_unknown_svalue (reg->get_type ());
     }
 
+  /* Alternatively, if this is a symbolic read and the cluster has any bindings,
+     then we don't know if we're reading those values or not, so the result
+     is also "UNKNOWN".  */
+  if (reg->get_offset ().symbolic_p ()
+      && m_map.elements () > 0)
+    {
+      region_model_manager *rmm_mgr = mgr->get_svalue_manager ();
+      return rmm_mgr->get_or_create_unknown_svalue (reg->get_type ());
+    }
+
   if (const svalue *compound_sval = maybe_get_compound_binding (mgr, reg))
     return compound_sval;
 
diff --git a/gcc/testsuite/gcc.dg/analyzer/symbolic-7.c b/gcc/testsuite/gcc.dg/analyzer/symbolic-7.c
new file mode 100644
index 000000000000..4f013677f86a
--- /dev/null
+++ b/gcc/testsuite/gcc.dg/analyzer/symbolic-7.c
@@ -0,0 +1,44 @@
+#include "analyzer-decls.h"
+
+extern void maybe_write (int *);
+
+void test_1 (int i)
+{
+  /* An array with purely concrete bindings.  */
+  int arr[2];
+  arr[0] = 1066;
+  arr[1] = 1776;
+
+  /* Concrete reads.  */
+  __analyzer_eval (arr[0] == 1066); /* { dg-warning "TRUE" } */
+  __analyzer_eval (arr[1] == 1776); /* { dg-warning "TRUE" } */
+
+  /* Symbolic read.  */
+  __analyzer_describe (0, arr[i]); /* { dg-warning "svalue: 'UNKNOWN\\(int\\)'" } */
+  __analyzer_eval (arr[i] == 1776); /* { dg-warning "UNKNOWN" } */
+}
+
+void test_2 (int i)
+{
+  /* An array that could have been touched.  */
+  int arr[2];
+  maybe_write (arr);
+  
+  /* Concrete reads.  */
+  __analyzer_eval (arr[0] == 42); /* { dg-warning "UNKNOWN" } */
+
+  /* Symbolic read.  */
+  __analyzer_eval (arr[i] == 42); /* { dg-warning "UNKNOWN" } */
+}
+
+void test_3 (int i)
+{
+  /* An array that can't have been touched.  */
+  int arr[2];
+  
+  /* Concrete reads.  */
+  __analyzer_eval (arr[0] == 42); /* { dg-warning "UNKNOWN" } */
+
+  /* Symbolic read.  */
+  __analyzer_eval (arr[i] == 42); /* { dg-warning "UNKNOWN" } */
+}