| /* Classes for modeling the state of memory. |
| Copyright (C) 2020-2022 Free Software Foundation, Inc. |
| Contributed by David Malcolm <dmalcolm@redhat.com>. |
| |
| This file is part of GCC. |
| |
| GCC is free software; you can redistribute it and/or modify it |
| under the terms of the GNU General Public License as published by |
| the Free Software Foundation; either version 3, or (at your option) |
| any later version. |
| |
| GCC is distributed in the hope that it will be useful, but |
| WITHOUT ANY WARRANTY; without even the implied warranty of |
| MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU |
| General Public License for more details. |
| |
| You should have received a copy of the GNU General Public License |
| along with GCC; see the file COPYING3. If not see |
| <http://www.gnu.org/licenses/>. */ |
| |
| #include "config.h" |
| #define INCLUDE_MEMORY |
| #include "system.h" |
| #include "coretypes.h" |
| #include "tree.h" |
| #include "function.h" |
| #include "basic-block.h" |
| #include "gimple.h" |
| #include "gimple-iterator.h" |
| #include "diagnostic-core.h" |
| #include "graphviz.h" |
| #include "options.h" |
| #include "cgraph.h" |
| #include "tree-dfa.h" |
| #include "stringpool.h" |
| #include "convert.h" |
| #include "target.h" |
| #include "fold-const.h" |
| #include "tree-pretty-print.h" |
| #include "diagnostic-color.h" |
| #include "diagnostic-metadata.h" |
| #include "bitmap.h" |
| #include "selftest.h" |
| #include "analyzer/analyzer.h" |
| #include "analyzer/analyzer-logging.h" |
| #include "ordered-hash-map.h" |
| #include "options.h" |
| #include "cfg.h" |
| #include "analyzer/supergraph.h" |
| #include "sbitmap.h" |
| #include "analyzer/call-string.h" |
| #include "analyzer/program-point.h" |
| #include "analyzer/store.h" |
| #include "analyzer/region-model.h" |
| #include "analyzer/call-summary.h" |
| #include "analyzer/analyzer-selftests.h" |
| #include "stor-layout.h" |
| |
| #if ENABLE_ANALYZER |
| |
| namespace ana { |
| |
| /* Dump SVALS to PP, sorting them to ensure determinism. */ |
| |
| static void |
| dump_svalue_set (const hash_set <const svalue *> &svals, |
| pretty_printer *pp, bool simple) |
| { |
| auto_vec <const svalue *> v; |
| for (hash_set<const svalue *>::iterator iter = svals.begin (); |
| iter != svals.end (); ++iter) |
| { |
| v.safe_push (*iter); |
| } |
| v.qsort (svalue::cmp_ptr_ptr); |
| |
| pp_character (pp, '{'); |
| const svalue *sval; |
| unsigned i; |
| FOR_EACH_VEC_ELT (v, i, sval) |
| { |
| if (i > 0) |
| pp_string (pp, ", "); |
| sval->dump_to_pp (pp, simple); |
| } |
| pp_character (pp, '}'); |
| } |
| |
| /* class uncertainty_t. */ |
| |
| /* Dump this object to PP. */ |
| |
| void |
| uncertainty_t::dump_to_pp (pretty_printer *pp, bool simple) const |
| { |
| pp_string (pp, "{m_maybe_bound_svals: "); |
| dump_svalue_set (m_maybe_bound_svals, pp, simple); |
| |
| pp_string (pp, ", m_mutable_at_unknown_call_svals: "); |
| dump_svalue_set (m_mutable_at_unknown_call_svals, pp, simple); |
| pp_string (pp, "}"); |
| } |
| |
| /* Dump this object to stderr. */ |
| |
| DEBUG_FUNCTION void |
| uncertainty_t::dump (bool simple) const |
| { |
| pretty_printer pp; |
| pp_format_decoder (&pp) = default_tree_printer; |
| pp_show_color (&pp) = pp_show_color (global_dc->printer); |
| pp.buffer->stream = stderr; |
| dump_to_pp (&pp, simple); |
| pp_newline (&pp); |
| pp_flush (&pp); |
| } |
| |
| /* class binding_key. */ |
| |
| const binding_key * |
| binding_key::make (store_manager *mgr, const region *r) |
| { |
| region_offset offset = r->get_offset (mgr->get_svalue_manager ()); |
| if (offset.symbolic_p ()) |
| return mgr->get_symbolic_binding (r); |
| else |
| { |
| bit_size_t bit_size; |
| if (r->get_bit_size (&bit_size)) |
| return mgr->get_concrete_binding (offset.get_bit_offset (), |
| bit_size); |
| else |
| return mgr->get_symbolic_binding (r); |
| } |
| } |
| |
| /* Dump this binding_key to stderr. */ |
| |
| DEBUG_FUNCTION void |
| binding_key::dump (bool simple) const |
| { |
| pretty_printer pp; |
| pp_format_decoder (&pp) = default_tree_printer; |
| pp_show_color (&pp) = pp_show_color (global_dc->printer); |
| pp.buffer->stream = stderr; |
| dump_to_pp (&pp, simple); |
| pp_newline (&pp); |
| pp_flush (&pp); |
| } |
| |
| /* Get a description of this binding_key. */ |
| |
| label_text |
| binding_key::get_desc (bool simple) const |
| { |
| pretty_printer pp; |
| pp_format_decoder (&pp) = default_tree_printer; |
| dump_to_pp (&pp, simple); |
| return label_text::take (xstrdup (pp_formatted_text (&pp))); |
| } |
| |
| /* qsort callback. */ |
| |
| int |
| binding_key::cmp_ptrs (const void *p1, const void *p2) |
| { |
| const binding_key * const *pk1 = (const binding_key * const *)p1; |
| const binding_key * const *pk2 = (const binding_key * const *)p2; |
| return cmp (*pk1, *pk2); |
| } |
| |
| /* Comparator for binding_keys. */ |
| |
| int |
| binding_key::cmp (const binding_key *k1, const binding_key *k2) |
| { |
| int concrete1 = k1->concrete_p (); |
| int concrete2 = k2->concrete_p (); |
| if (int concrete_cmp = concrete1 - concrete2) |
| return concrete_cmp; |
| if (concrete1) |
| { |
| const concrete_binding *b1 = (const concrete_binding *)k1; |
| const concrete_binding *b2 = (const concrete_binding *)k2; |
| if (int start_cmp = wi::cmp (b1->get_start_bit_offset (), |
| b2->get_start_bit_offset (), |
| SIGNED)) |
| return start_cmp; |
| return wi::cmp (b1->get_next_bit_offset (), b2->get_next_bit_offset (), |
| SIGNED); |
| } |
| else |
| { |
| const symbolic_binding *s1 = (const symbolic_binding *)k1; |
| const symbolic_binding *s2 = (const symbolic_binding *)k2; |
| if (s1 > s2) |
| return 1; |
| if (s1 < s2) |
| return -1; |
| return 0; |
| } |
| } |
| |
| /* struct bit_range. */ |
| |
| void |
| bit_range::dump_to_pp (pretty_printer *pp) const |
| { |
| byte_range bytes (0, 0); |
| if (as_byte_range (&bytes)) |
| bytes.dump_to_pp (pp); |
| else |
| { |
| pp_string (pp, "start: "); |
| pp_wide_int (pp, m_start_bit_offset, SIGNED); |
| pp_string (pp, ", size: "); |
| pp_wide_int (pp, m_size_in_bits, SIGNED); |
| pp_string (pp, ", next: "); |
| pp_wide_int (pp, get_next_bit_offset (), SIGNED); |
| } |
| } |
| |
| /* Dump this object to stderr. */ |
| |
| DEBUG_FUNCTION void |
| bit_range::dump () const |
| { |
| pretty_printer pp; |
| pp.buffer->stream = stderr; |
| dump_to_pp (&pp); |
| pp_newline (&pp); |
| pp_flush (&pp); |
| } |
| |
| /* If OTHER is a subset of this, return true and write |
| to *OUT the relative range of OTHER within this. |
| Otherwise return false. */ |
| |
| bool |
| bit_range::contains_p (const bit_range &other, bit_range *out) const |
| { |
| if (contains_p (other.get_start_bit_offset ()) |
| && contains_p (other.get_last_bit_offset ())) |
| { |
| out->m_start_bit_offset = other.m_start_bit_offset - m_start_bit_offset; |
| out->m_size_in_bits = other.m_size_in_bits; |
| return true; |
| } |
| else |
| return false; |
| } |
| |
| /* If OTHER intersects this, return true and write |
| the relative range of OTHER within THIS to *OUT_THIS, |
| and the relative range of THIS within OTHER to *OUT_OTHER. |
| Otherwise return false. */ |
| |
| bool |
| bit_range::intersects_p (const bit_range &other, |
| bit_range *out_this, |
| bit_range *out_other) const |
| { |
| if (get_start_bit_offset () < other.get_next_bit_offset () |
| && other.get_start_bit_offset () < get_next_bit_offset ()) |
| { |
| bit_offset_t overlap_start |
| = MAX (get_start_bit_offset (), |
| other.get_start_bit_offset ()); |
| bit_offset_t overlap_next |
| = MIN (get_next_bit_offset (), |
| other.get_next_bit_offset ()); |
| gcc_assert (overlap_next > overlap_start); |
| bit_range abs_overlap_bits (overlap_start, overlap_next - overlap_start); |
| *out_this = abs_overlap_bits - get_start_bit_offset (); |
| *out_other = abs_overlap_bits - other.get_start_bit_offset (); |
| return true; |
| } |
| else |
| return false; |
| } |
| |
| int |
| bit_range::cmp (const bit_range &br1, const bit_range &br2) |
| { |
| if (int start_cmp = wi::cmps (br1.m_start_bit_offset, |
| br2.m_start_bit_offset)) |
| return start_cmp; |
| |
| return wi::cmpu (br1.m_size_in_bits, br2.m_size_in_bits); |
| } |
| |
| /* Offset this range by OFFSET. */ |
| |
| bit_range |
| bit_range::operator- (bit_offset_t offset) const |
| { |
| return bit_range (m_start_bit_offset - offset, m_size_in_bits); |
| } |
| |
| /* If MASK is a contiguous range of set bits, write them |
| to *OUT and return true. |
| Otherwise return false. */ |
| |
| bool |
| bit_range::from_mask (unsigned HOST_WIDE_INT mask, bit_range *out) |
| { |
| unsigned iter_bit_idx = 0; |
| unsigned HOST_WIDE_INT iter_bit_mask = 1; |
| |
| /* Find the first contiguous run of set bits in MASK. */ |
| |
| /* Find first set bit in MASK. */ |
| while (iter_bit_idx < HOST_BITS_PER_WIDE_INT) |
| { |
| if (mask & iter_bit_mask) |
| break; |
| iter_bit_idx++; |
| iter_bit_mask <<= 1; |
| } |
| if (iter_bit_idx == HOST_BITS_PER_WIDE_INT) |
| /* MASK is zero. */ |
| return false; |
| |
| unsigned first_set_iter_bit_idx = iter_bit_idx; |
| unsigned num_set_bits = 1; |
| iter_bit_idx++; |
| iter_bit_mask <<= 1; |
| |
| /* Find next unset bit in MASK. */ |
| while (iter_bit_idx < HOST_BITS_PER_WIDE_INT) |
| { |
| if (!(mask & iter_bit_mask)) |
| break; |
| num_set_bits++; |
| iter_bit_idx++; |
| iter_bit_mask <<= 1; |
| } |
| if (iter_bit_idx == HOST_BITS_PER_WIDE_INT) |
| { |
| *out = bit_range (first_set_iter_bit_idx, num_set_bits); |
| return true; |
| } |
| |
| /* We now have the first contiguous run of set bits in MASK. |
| Fail if any other bits are set. */ |
| while (iter_bit_idx < HOST_BITS_PER_WIDE_INT) |
| { |
| if (mask & iter_bit_mask) |
| return false; |
| iter_bit_idx++; |
| iter_bit_mask <<= 1; |
| } |
| |
| *out = bit_range (first_set_iter_bit_idx, num_set_bits); |
| return true; |
| } |
| |
| /* Attempt to convert this bit_range to a byte_range. |
| Return true if it is possible, writing the result to *OUT. |
| Otherwise return false. */ |
| |
| bool |
| bit_range::as_byte_range (byte_range *out) const |
| { |
| if (m_start_bit_offset % BITS_PER_UNIT == 0 |
| && m_size_in_bits % BITS_PER_UNIT == 0) |
| { |
| out->m_start_byte_offset = m_start_bit_offset / BITS_PER_UNIT; |
| out->m_size_in_bytes = m_size_in_bits / BITS_PER_UNIT; |
| return true; |
| } |
| return false; |
| } |
| |
| /* Dump this object to PP. */ |
| |
| void |
| byte_range::dump_to_pp (pretty_printer *pp) const |
| { |
| if (m_size_in_bytes == 0) |
| { |
| pp_string (pp, "empty"); |
| } |
| else if (m_size_in_bytes == 1) |
| { |
| pp_string (pp, "byte "); |
| pp_wide_int (pp, m_start_byte_offset, SIGNED); |
| } |
| else |
| { |
| pp_string (pp, "bytes "); |
| pp_wide_int (pp, m_start_byte_offset, SIGNED); |
| pp_string (pp, "-"); |
| pp_wide_int (pp, get_last_byte_offset (), SIGNED); |
| } |
| } |
| |
| /* Dump this object to stderr. */ |
| |
| DEBUG_FUNCTION void |
| byte_range::dump () const |
| { |
| pretty_printer pp; |
| pp.buffer->stream = stderr; |
| dump_to_pp (&pp); |
| pp_newline (&pp); |
| pp_flush (&pp); |
| } |
| |
| /* If OTHER is a subset of this, return true and write |
| to *OUT the relative range of OTHER within this. |
| Otherwise return false. */ |
| |
| bool |
| byte_range::contains_p (const byte_range &other, byte_range *out) const |
| { |
| if (contains_p (other.get_start_byte_offset ()) |
| && contains_p (other.get_last_byte_offset ())) |
| { |
| out->m_start_byte_offset = other.m_start_byte_offset - m_start_byte_offset; |
| out->m_size_in_bytes = other.m_size_in_bytes; |
| return true; |
| } |
| else |
| return false; |
| } |
| |
| /* Return true if THIS and OTHER intersect and write the number |
| of bytes both buffers overlap to *OUT_NUM_OVERLAP_BYTES. |
| |
| Otherwise return false. */ |
| |
| bool |
| byte_range::intersects_p (const byte_range &other, |
| byte_size_t *out_num_overlap_bytes) const |
| { |
| if (get_start_byte_offset () < other.get_next_byte_offset () |
| && other.get_start_byte_offset () < get_next_byte_offset ()) |
| { |
| byte_offset_t overlap_start = MAX (get_start_byte_offset (), |
| other.get_start_byte_offset ()); |
| byte_offset_t overlap_next = MIN (get_next_byte_offset (), |
| other.get_next_byte_offset ()); |
| gcc_assert (overlap_next > overlap_start); |
| *out_num_overlap_bytes = overlap_next - overlap_start; |
| return true; |
| } |
| else |
| return false; |
| } |
| |
| /* Return true if THIS exceeds OTHER and write the overhanging |
| byte range to OUT_OVERHANGING_BYTE_RANGE. */ |
| |
| bool |
| byte_range::exceeds_p (const byte_range &other, |
| byte_range *out_overhanging_byte_range) const |
| { |
| gcc_assert (!empty_p ()); |
| |
| if (other.get_next_byte_offset () < get_next_byte_offset ()) |
| { |
| /* THIS definitely exceeds OTHER. */ |
| byte_offset_t start = MAX (get_start_byte_offset (), |
| other.get_next_byte_offset ()); |
| byte_offset_t size = get_next_byte_offset () - start; |
| gcc_assert (size > 0); |
| out_overhanging_byte_range->m_start_byte_offset = start; |
| out_overhanging_byte_range->m_size_in_bytes = size; |
| return true; |
| } |
| else |
| return false; |
| } |
| |
| /* Return true if THIS falls short of OFFSET and write the |
| byte range fallen short to OUT_FALL_SHORT_BYTES. */ |
| |
| bool |
| byte_range::falls_short_of_p (byte_offset_t offset, |
| byte_range *out_fall_short_bytes) const |
| { |
| gcc_assert (!empty_p ()); |
| |
| if (get_start_byte_offset () < offset) |
| { |
| /* THIS falls short of OFFSET. */ |
| byte_offset_t start = get_start_byte_offset (); |
| byte_offset_t size = MIN (offset, get_next_byte_offset ()) - start; |
| gcc_assert (size > 0); |
| out_fall_short_bytes->m_start_byte_offset = start; |
| out_fall_short_bytes->m_size_in_bytes = size; |
| return true; |
| } |
| else |
| return false; |
| } |
| |
| /* qsort comparator for byte ranges. */ |
| |
| int |
| byte_range::cmp (const byte_range &br1, const byte_range &br2) |
| { |
| /* Order first by offset. */ |
| if (int start_cmp = wi::cmps (br1.m_start_byte_offset, |
| br2.m_start_byte_offset)) |
| return start_cmp; |
| |
| /* ...then by size. */ |
| return wi::cmpu (br1.m_size_in_bytes, br2.m_size_in_bytes); |
| } |
| |
| /* class concrete_binding : public binding_key. */ |
| |
| /* Implementation of binding_key::dump_to_pp vfunc for concrete_binding. */ |
| |
| void |
| concrete_binding::dump_to_pp (pretty_printer *pp, bool) const |
| { |
| m_bit_range.dump_to_pp (pp); |
| } |
| |
| /* Return true if this binding overlaps with OTHER. */ |
| |
| bool |
| concrete_binding::overlaps_p (const concrete_binding &other) const |
| { |
| if (get_start_bit_offset () < other.get_next_bit_offset () |
| && get_next_bit_offset () > other.get_start_bit_offset ()) |
| return true; |
| return false; |
| } |
| |
| /* Comparator for use by vec<const concrete_binding *>::qsort. */ |
| |
| int |
| concrete_binding::cmp_ptr_ptr (const void *p1, const void *p2) |
| { |
| const concrete_binding *b1 = *(const concrete_binding * const *)p1; |
| const concrete_binding *b2 = *(const concrete_binding * const *)p2; |
| |
| return bit_range::cmp (b1->m_bit_range, b2->m_bit_range); |
| } |
| |
| /* class symbolic_binding : public binding_key. */ |
| |
| void |
| symbolic_binding::dump_to_pp (pretty_printer *pp, bool simple) const |
| { |
| //binding_key::dump_to_pp (pp, simple); |
| pp_string (pp, "region: "); |
| m_region->dump_to_pp (pp, simple); |
| } |
| |
| /* Comparator for use by vec<const symbolic_binding *>::qsort. */ |
| |
| int |
| symbolic_binding::cmp_ptr_ptr (const void *p1, const void *p2) |
| { |
| const symbolic_binding *b1 = *(const symbolic_binding * const *)p1; |
| const symbolic_binding *b2 = *(const symbolic_binding * const *)p2; |
| |
| return region::cmp_ids (b1->get_region (), b2->get_region ()); |
| } |
| |
| /* The store is oblivious to the types of the svalues bound within |
| it: any type can get bound at any location. |
| Simplify any casts before binding. |
| |
| For example, if we have: |
| struct big { int ia[1024]; }; |
| struct big src, dst; |
| memcpy (&dst, &src, sizeof (struct big)); |
| this reaches us in gimple form as: |
| MEM <unsigned char[4096]> [(char * {ref-all})&dst] |
| = MEM <unsigned char[4096]> [(char * {ref-all})&src]; |
| Using cast_region when handling the MEM_REF would give us: |
| INIT_VAL(CAST_REG(unsigned char[4096], src)) |
| as rhs_sval, but we can fold that into a cast svalue: |
| CAST(unsigned char[4096], INIT_VAL(src)) |
| We can discard that cast from the svalue when binding it in |
| the store for "dst", and simply store: |
| cluster for: dst |
| key: {kind: direct, start: 0, size: 32768, next: 32768} |
| value: ‘struct big’ {INIT_VAL(src)}. */ |
| |
| static const svalue * |
| simplify_for_binding (const svalue *sval) |
| { |
| if (const svalue *cast_sval = sval->maybe_undo_cast ()) |
| sval = cast_sval; |
| return sval; |
| } |
| |
| /* class binding_map. */ |
| |
| /* binding_map's copy ctor. */ |
| |
| binding_map::binding_map (const binding_map &other) |
| : m_map (other.m_map) |
| { |
| } |
| |
| /* binding_map's assignment operator. */ |
| |
| binding_map& |
| binding_map::operator=(const binding_map &other) |
| { |
| /* For now, assume we only ever copy to an empty cluster. */ |
| gcc_assert (m_map.elements () == 0); |
| for (map_t::iterator iter = other.m_map.begin (); iter != other.m_map.end (); |
| ++iter) |
| { |
| const binding_key *key = (*iter).first; |
| const svalue *sval = (*iter).second; |
| m_map.put (key, sval); |
| } |
| return *this; |
| } |
| |
| /* binding_map's equality operator. */ |
| |
| bool |
| binding_map::operator== (const binding_map &other) const |
| { |
| if (m_map.elements () != other.m_map.elements ()) |
| return false; |
| |
| for (map_t::iterator iter = m_map.begin (); iter != m_map.end (); ++iter) |
| { |
| const binding_key *key = (*iter).first; |
| const svalue *sval = (*iter).second; |
| const svalue **other_slot |
| = const_cast <map_t &> (other.m_map).get (key); |
| if (other_slot == NULL) |
| return false; |
| if (sval != *other_slot) |
| return false; |
| } |
| gcc_checking_assert (hash () == other.hash ()); |
| return true; |
| } |
| |
| /* Generate a hash value for this binding_map. */ |
| |
| hashval_t |
| binding_map::hash () const |
| { |
| hashval_t result = 0; |
| for (map_t::iterator iter = m_map.begin (); iter != m_map.end (); ++iter) |
| { |
| /* Use a new hasher for each key to avoid depending on the ordering |
| of keys when accumulating the result. */ |
| inchash::hash hstate; |
| hstate.add_ptr ((*iter).first); |
| hstate.add_ptr ((*iter).second); |
| result ^= hstate.end (); |
| } |
| return result; |
| } |
| |
| /* Dump a representation of this binding_map to PP. |
| SIMPLE controls how values and regions are to be printed. |
| If MULTILINE, then split the dump over multiple lines and |
| use whitespace for readability, otherwise put all on one line. */ |
| |
| void |
| binding_map::dump_to_pp (pretty_printer *pp, bool simple, |
| bool multiline) const |
| { |
| auto_vec <const binding_key *> binding_keys; |
| for (map_t::iterator iter = m_map.begin (); |
| iter != m_map.end (); ++iter) |
| { |
| const binding_key *key = (*iter).first; |
| binding_keys.safe_push (key); |
| } |
| binding_keys.qsort (binding_key::cmp_ptrs); |
| |
| const binding_key *key; |
| unsigned i; |
| FOR_EACH_VEC_ELT (binding_keys, i, key) |
| { |
| const svalue *value = *const_cast <map_t &> (m_map).get (key); |
| if (multiline) |
| { |
| pp_string (pp, " key: {"); |
| key->dump_to_pp (pp, simple); |
| pp_string (pp, "}"); |
| pp_newline (pp); |
| pp_string (pp, " value: "); |
| if (tree t = value->get_type ()) |
| dump_quoted_tree (pp, t); |
| pp_string (pp, " {"); |
| value->dump_to_pp (pp, simple); |
| pp_string (pp, "}"); |
| pp_newline (pp); |
| } |
| else |
| { |
| if (i > 0) |
| pp_string (pp, ", "); |
| pp_string (pp, "binding key: {"); |
| key->dump_to_pp (pp, simple); |
| pp_string (pp, "}, value: {"); |
| value->dump_to_pp (pp, simple); |
| pp_string (pp, "}"); |
| } |
| } |
| } |
| |
| /* Dump a multiline representation of this binding_map to stderr. */ |
| |
| DEBUG_FUNCTION void |
| binding_map::dump (bool simple) const |
| { |
| pretty_printer pp; |
| pp_format_decoder (&pp) = default_tree_printer; |
| pp_show_color (&pp) = pp_show_color (global_dc->printer); |
| pp.buffer->stream = stderr; |
| dump_to_pp (&pp, simple, true); |
| pp_newline (&pp); |
| pp_flush (&pp); |
| } |
| |
| /* Return a new json::object of the form |
| {KEY_DESC : SVALUE_DESC, |
| ...for the various key/value pairs in this binding_map}. */ |
| |
| json::object * |
| binding_map::to_json () const |
| { |
| json::object *map_obj = new json::object (); |
| |
| auto_vec <const binding_key *> binding_keys; |
| for (map_t::iterator iter = m_map.begin (); |
| iter != m_map.end (); ++iter) |
| { |
| const binding_key *key = (*iter).first; |
| binding_keys.safe_push (key); |
| } |
| binding_keys.qsort (binding_key::cmp_ptrs); |
| |
| const binding_key *key; |
| unsigned i; |
| FOR_EACH_VEC_ELT (binding_keys, i, key) |
| { |
| const svalue *value = *const_cast <map_t &> (m_map).get (key); |
| label_text key_desc = key->get_desc (); |
| map_obj->set (key_desc.get (), value->to_json ()); |
| } |
| |
| return map_obj; |
| } |
| |
| /* Comparator for imposing an order on binding_maps. */ |
| |
| int |
| binding_map::cmp (const binding_map &map1, const binding_map &map2) |
| { |
| if (int count_cmp = map1.elements () - map2.elements ()) |
| return count_cmp; |
| |
| auto_vec <const binding_key *> keys1 (map1.elements ()); |
| for (map_t::iterator iter = map1.begin (); |
| iter != map1.end (); ++iter) |
| keys1.quick_push ((*iter).first); |
| keys1.qsort (binding_key::cmp_ptrs); |
| |
| auto_vec <const binding_key *> keys2 (map2.elements ()); |
| for (map_t::iterator iter = map2.begin (); |
| iter != map2.end (); ++iter) |
| keys2.quick_push ((*iter).first); |
| keys2.qsort (binding_key::cmp_ptrs); |
| |
| for (size_t i = 0; i < keys1.length (); i++) |
| { |
| const binding_key *k1 = keys1[i]; |
| const binding_key *k2 = keys2[i]; |
| if (int key_cmp = binding_key::cmp (k1, k2)) |
| return key_cmp; |
| gcc_assert (k1 == k2); |
| if (int sval_cmp = svalue::cmp_ptr (map1.get (k1), map2.get (k2))) |
| return sval_cmp; |
| } |
| |
| return 0; |
| } |
| |
| /* Get the child region of PARENT_REG based upon INDEX within a |
| CONSTRUCTOR. */ |
| |
| static const region * |
| get_subregion_within_ctor (const region *parent_reg, tree index, |
| region_model_manager *mgr) |
| { |
| switch (TREE_CODE (index)) |
| { |
| default: |
| gcc_unreachable (); |
| case INTEGER_CST: |
| { |
| const svalue *index_sval |
| = mgr->get_or_create_constant_svalue (index); |
| return mgr->get_element_region (parent_reg, |
| TREE_TYPE (parent_reg->get_type ()), |
| index_sval); |
| } |
| break; |
| case FIELD_DECL: |
| return mgr->get_field_region (parent_reg, index); |
| } |
| } |
| |
| /* Get the svalue for VAL, a non-CONSTRUCTOR value within a CONSTRUCTOR. */ |
| |
| static const svalue * |
| get_svalue_for_ctor_val (tree val, region_model_manager *mgr) |
| { |
| /* Reuse the get_rvalue logic from region_model. */ |
| region_model m (mgr); |
| return m.get_rvalue (path_var (val, 0), NULL); |
| } |
| |
| /* Bind values from CONSTRUCTOR to this map, relative to |
| PARENT_REG's relationship to its base region. |
| Return true if successful, false if there was a problem (e.g. due |
| to hitting a complexity limit). */ |
| |
| bool |
| binding_map::apply_ctor_to_region (const region *parent_reg, tree ctor, |
| region_model_manager *mgr) |
| { |
| gcc_assert (parent_reg); |
| gcc_assert (TREE_CODE (ctor) == CONSTRUCTOR); |
| |
| unsigned ix; |
| tree index; |
| tree val; |
| tree parent_type = parent_reg->get_type (); |
| tree field; |
| if (TREE_CODE (parent_type) == RECORD_TYPE) |
| field = TYPE_FIELDS (parent_type); |
| else |
| field = NULL_TREE; |
| FOR_EACH_CONSTRUCTOR_ELT (CONSTRUCTOR_ELTS (ctor), ix, index, val) |
| { |
| if (!index) |
| { |
| /* If index is NULL, then iterate through the fields for |
| a RECORD_TYPE, or use an INTEGER_CST otherwise. |
| Compare with similar logic in output_constructor. */ |
| if (field) |
| { |
| index = field; |
| field = DECL_CHAIN (field); |
| } |
| else |
| index = build_int_cst (integer_type_node, ix); |
| } |
| else if (TREE_CODE (index) == RANGE_EXPR) |
| { |
| tree min_index = TREE_OPERAND (index, 0); |
| tree max_index = TREE_OPERAND (index, 1); |
| if (min_index == max_index) |
| { |
| if (!apply_ctor_pair_to_child_region (parent_reg, mgr, |
| min_index, val)) |
| return false; |
| } |
| else |
| { |
| if (!apply_ctor_val_to_range (parent_reg, mgr, |
| min_index, max_index, val)) |
| return false; |
| } |
| continue; |
| } |
| if (!apply_ctor_pair_to_child_region (parent_reg, mgr, index, val)) |
| return false; |
| } |
| return true; |
| } |
| |
| /* Bind the value VAL into the range of elements within PARENT_REF |
| from MIN_INDEX to MAX_INDEX (including endpoints). |
| For use in handling RANGE_EXPR within a CONSTRUCTOR. |
| Return true if successful, false if there was a problem (e.g. due |
| to hitting a complexity limit). */ |
| |
| bool |
| binding_map::apply_ctor_val_to_range (const region *parent_reg, |
| region_model_manager *mgr, |
| tree min_index, tree max_index, |
| tree val) |
| { |
| gcc_assert (TREE_CODE (min_index) == INTEGER_CST); |
| gcc_assert (TREE_CODE (max_index) == INTEGER_CST); |
| |
| /* Generate a binding key for the range. */ |
| const region *min_element |
| = get_subregion_within_ctor (parent_reg, min_index, mgr); |
| const region *max_element |
| = get_subregion_within_ctor (parent_reg, max_index, mgr); |
| region_offset min_offset = min_element->get_offset (mgr); |
| if (min_offset.symbolic_p ()) |
| return false; |
| bit_offset_t start_bit_offset = min_offset.get_bit_offset (); |
| store_manager *smgr = mgr->get_store_manager (); |
| const binding_key *max_element_key = binding_key::make (smgr, max_element); |
| if (max_element_key->symbolic_p ()) |
| return false; |
| const concrete_binding *max_element_ckey |
| = max_element_key->dyn_cast_concrete_binding (); |
| bit_size_t range_size_in_bits |
| = max_element_ckey->get_next_bit_offset () - start_bit_offset; |
| const concrete_binding *range_key |
| = smgr->get_concrete_binding (start_bit_offset, range_size_in_bits); |
| if (range_key->symbolic_p ()) |
| return false; |
| |
| /* Get the value. */ |
| if (TREE_CODE (val) == CONSTRUCTOR) |
| return false; |
| const svalue *sval = get_svalue_for_ctor_val (val, mgr); |
| |
| /* Bind the value to the range. */ |
| put (range_key, sval); |
| return true; |
| } |
| |
| /* Bind the value VAL into INDEX within PARENT_REF. |
| For use in handling a pair of entries within a CONSTRUCTOR. |
| Return true if successful, false if there was a problem (e.g. due |
| to hitting a complexity limit). */ |
| |
| bool |
| binding_map::apply_ctor_pair_to_child_region (const region *parent_reg, |
| region_model_manager *mgr, |
| tree index, tree val) |
| { |
| const region *child_reg |
| = get_subregion_within_ctor (parent_reg, index, mgr); |
| if (TREE_CODE (val) == CONSTRUCTOR) |
| return apply_ctor_to_region (child_reg, val, mgr); |
| else |
| { |
| const svalue *sval = get_svalue_for_ctor_val (val, mgr); |
| const binding_key *k |
| = binding_key::make (mgr->get_store_manager (), child_reg); |
| /* Handle the case where we have an unknown size for child_reg |
| (e.g. due to it being a trailing field with incomplete array |
| type. */ |
| if (!k->concrete_p ()) |
| { |
| /* Assume that sval has a well-defined size for this case. */ |
| tree sval_type = sval->get_type (); |
| gcc_assert (sval_type); |
| HOST_WIDE_INT sval_byte_size = int_size_in_bytes (sval_type); |
| gcc_assert (sval_byte_size != -1); |
| bit_size_t sval_bit_size = sval_byte_size * BITS_PER_UNIT; |
| /* Get offset of child relative to base region. */ |
| region_offset child_base_offset = child_reg->get_offset (mgr); |
| if (child_base_offset.symbolic_p ()) |
| return false; |
| /* Convert to an offset relative to the parent region. */ |
| region_offset parent_base_offset = parent_reg->get_offset (mgr); |
| gcc_assert (!parent_base_offset.symbolic_p ()); |
| bit_offset_t child_parent_offset |
| = (child_base_offset.get_bit_offset () |
| - parent_base_offset.get_bit_offset ()); |
| /* Create a concrete key for the child within the parent. */ |
| k = mgr->get_store_manager ()->get_concrete_binding |
| (child_parent_offset, sval_bit_size); |
| } |
| gcc_assert (k->concrete_p ()); |
| put (k, sval); |
| return true; |
| } |
| } |
| |
| /* Populate OUT with all bindings within this map that overlap KEY. */ |
| |
| void |
| binding_map::get_overlapping_bindings (const binding_key *key, |
| auto_vec<const binding_key *> *out) |
| { |
| for (auto iter : *this) |
| { |
| const binding_key *iter_key = iter.first; |
| if (const concrete_binding *ckey |
| = key->dyn_cast_concrete_binding ()) |
| { |
| if (const concrete_binding *iter_ckey |
| = iter_key->dyn_cast_concrete_binding ()) |
| { |
| if (ckey->overlaps_p (*iter_ckey)) |
| out->safe_push (iter_key); |
| } |
| else |
| { |
| /* Assume overlap. */ |
| out->safe_push (iter_key); |
| } |
| } |
| else |
| { |
| /* Assume overlap. */ |
| out->safe_push (iter_key); |
| } |
| } |
| } |
| |
| /* Remove, truncate, and/or split any bindings within this map that |
| overlap DROP_KEY. |
| |
| For example, if we have: |
| |
| +------------------------------------+ |
| | old binding | |
| +------------------------------------+ |
| |
| which is to be overwritten with: |
| |
| .......+----------------------+....... |
| .......| new binding |....... |
| .......+----------------------+....... |
| |
| this function "cuts a hole" out of the old binding: |
| |
| +------+......................+------+ |
| |prefix| hole for new binding |suffix| |
| +------+......................+------+ |
| |
| into which the new binding can be added without |
| overlapping the prefix or suffix. |
| |
| The prefix and suffix (if added) will be bound to the pertinent |
| parts of the value of the old binding. |
| |
| For example, given: |
| struct s5 |
| { |
| char arr[8]; |
| }; |
| void test_5 (struct s5 *p) |
| { |
| struct s5 f = *p; |
| f.arr[3] = 42; |
| } |
| then after the "f = *p;" we have: |
| cluster for: f: INIT_VAL((*INIT_VAL(p_33(D)))) |
| and at the "f.arr[3] = 42;" we remove the bindings overlapping |
| "f.arr[3]", replacing it with a prefix (bytes 0-2) and suffix (bytes 4-7) |
| giving: |
| cluster for: f |
| key: {bytes 0-2} |
| value: {BITS_WITHIN(bytes 0-2, inner_val: INIT_VAL((*INIT_VAL(p_33(D))).arr))} |
| key: {bytes 4-7} |
| value: {BITS_WITHIN(bytes 4-7, inner_val: INIT_VAL((*INIT_VAL(p_33(D))).arr))} |
| punching a hole into which the new value can be written at byte 3: |
| cluster for: f |
| key: {bytes 0-2} |
| value: {BITS_WITHIN(bytes 0-2, inner_val: INIT_VAL((*INIT_VAL(p_33(D))).arr))} |
| key: {byte 3} |
| value: 'char' {(char)42} |
| key: {bytes 4-7} |
| value: {BITS_WITHIN(bytes 4-7, inner_val: INIT_VAL((*INIT_VAL(p_33(D))).arr))} |
| |
| If UNCERTAINTY is non-NULL, use it to record any svalues that |
| were removed, as being maybe-bound. |
| |
| If ALWAYS_OVERLAP, then assume that DROP_KEY can overlap anything |
| in the map, due to one or both of the underlying clusters being |
| symbolic (but not the same symbolic region). Hence even if DROP_KEY is a |
| concrete binding it could actually be referring to the same memory as |
| distinct concrete bindings in the map. Remove all bindings, but |
| register any svalues with *UNCERTAINTY. */ |
| |
| void |
| binding_map::remove_overlapping_bindings (store_manager *mgr, |
| const binding_key *drop_key, |
| uncertainty_t *uncertainty, |
| bool always_overlap) |
| { |
| /* Get the bindings of interest within this map. */ |
| auto_vec<const binding_key *> bindings; |
| if (always_overlap) |
| for (auto iter : *this) |
| bindings.safe_push (iter.first); /* Add all bindings. */ |
| else |
| /* Just add overlapping bindings. */ |
| get_overlapping_bindings (drop_key, &bindings); |
| |
| unsigned i; |
| const binding_key *iter_binding; |
| FOR_EACH_VEC_ELT (bindings, i, iter_binding) |
| { |
| /* Record any svalues that were removed to *UNCERTAINTY as being |
| maybe-bound, provided at least some part of the binding is symbolic. |
| |
| Specifically, if at least one of the bindings is symbolic, or we |
| have ALWAYS_OVERLAP for the case where we have possibly aliasing |
| regions, then we don't know that the svalue has been overwritten, |
| and should record that to *UNCERTAINTY. |
| |
| However, if we have concrete keys accessing within the same symbolic |
| region, then we *know* that the symbolic region has been overwritten, |
| so we don't record it to *UNCERTAINTY, as this could be a genuine |
| leak. */ |
| const svalue *old_sval = get (iter_binding); |
| if (uncertainty |
| && (drop_key->symbolic_p () |
| || iter_binding->symbolic_p () |
| || always_overlap)) |
| uncertainty->on_maybe_bound_sval (old_sval); |
| |
| /* Begin by removing the old binding. */ |
| m_map.remove (iter_binding); |
| |
| /* Don't attempt to handle prefixes/suffixes for the |
| "always_overlap" case; everything's being removed. */ |
| if (always_overlap) |
| continue; |
| |
| /* Now potentially add the prefix and suffix. */ |
| if (const concrete_binding *drop_ckey |
| = drop_key->dyn_cast_concrete_binding ()) |
| if (const concrete_binding *iter_ckey |
| = iter_binding->dyn_cast_concrete_binding ()) |
| { |
| gcc_assert (drop_ckey->overlaps_p (*iter_ckey)); |
| |
| const bit_range &drop_bits = drop_ckey->get_bit_range (); |
| const bit_range &iter_bits = iter_ckey->get_bit_range (); |
| |
| if (iter_bits.get_start_bit_offset () |
| < drop_bits.get_start_bit_offset ()) |
| { |
| /* We have a truncated prefix. */ |
| bit_range prefix_bits (iter_bits.get_start_bit_offset (), |
| (drop_bits.get_start_bit_offset () |
| - iter_bits.get_start_bit_offset ())); |
| const concrete_binding *prefix_key |
| = mgr->get_concrete_binding (prefix_bits); |
| bit_range rel_prefix (0, prefix_bits.m_size_in_bits); |
| const svalue *prefix_sval |
| = old_sval->extract_bit_range (NULL_TREE, |
| rel_prefix, |
| mgr->get_svalue_manager ()); |
| m_map.put (prefix_key, prefix_sval); |
| } |
| |
| if (iter_bits.get_next_bit_offset () |
| > drop_bits.get_next_bit_offset ()) |
| { |
| /* We have a truncated suffix. */ |
| bit_range suffix_bits (drop_bits.get_next_bit_offset (), |
| (iter_bits.get_next_bit_offset () |
| - drop_bits.get_next_bit_offset ())); |
| const concrete_binding *suffix_key |
| = mgr->get_concrete_binding (suffix_bits); |
| bit_range rel_suffix (drop_bits.get_next_bit_offset () |
| - iter_bits.get_start_bit_offset (), |
| suffix_bits.m_size_in_bits); |
| const svalue *suffix_sval |
| = old_sval->extract_bit_range (NULL_TREE, |
| rel_suffix, |
| mgr->get_svalue_manager ()); |
| m_map.put (suffix_key, suffix_sval); |
| } |
| } |
| } |
| } |
| |
| /* class binding_cluster. */ |
| |
| binding_cluster::binding_cluster (const region *base_region) |
| : m_base_region (base_region), m_map (), |
| m_escaped (false), m_touched (false) |
| { |
| } |
| |
| /* binding_cluster's copy ctor. */ |
| |
| binding_cluster::binding_cluster (const binding_cluster &other) |
| : m_base_region (other.m_base_region), m_map (other.m_map), |
| m_escaped (other.m_escaped), m_touched (other.m_touched) |
| { |
| } |
| |
| /* binding_cluster's assignment operator. */ |
| |
| binding_cluster& |
| binding_cluster::operator= (const binding_cluster &other) |
| { |
| gcc_assert (m_base_region == other.m_base_region); |
| m_map = other.m_map; |
| m_escaped = other.m_escaped; |
| m_touched = other.m_touched; |
| return *this; |
| } |
| |
| /* binding_cluster's equality operator. */ |
| |
| bool |
| binding_cluster::operator== (const binding_cluster &other) const |
| { |
| if (m_map != other.m_map) |
| return false; |
| |
| if (m_base_region != other.m_base_region) |
| return false; |
| |
| if (m_escaped != other.m_escaped) |
| return false; |
| |
| if (m_touched != other.m_touched) |
| return false; |
| |
| gcc_checking_assert (hash () == other.hash ()); |
| |
| return true; |
| } |
| |
| /* Generate a hash value for this binding_cluster. */ |
| |
| hashval_t |
| binding_cluster::hash () const |
| { |
| return m_map.hash (); |
| } |
| |
| /* Return true if this binding_cluster is symbolic |
| i.e. its base region is symbolic. */ |
| |
| bool |
| binding_cluster::symbolic_p () const |
| { |
| return m_base_region->get_kind () == RK_SYMBOLIC; |
| } |
| |
| /* Dump a representation of this binding_cluster to PP. |
| SIMPLE controls how values and regions are to be printed. |
| If MULTILINE, then split the dump over multiple lines and |
| use whitespace for readability, otherwise put all on one line. */ |
| |
| void |
| binding_cluster::dump_to_pp (pretty_printer *pp, bool simple, |
| bool multiline) const |
| { |
| if (m_escaped) |
| { |
| if (multiline) |
| { |
| pp_string (pp, " ESCAPED"); |
| pp_newline (pp); |
| } |
| else |
| pp_string (pp, "(ESCAPED)"); |
| } |
| if (m_touched) |
| { |
| if (multiline) |
| { |
| pp_string (pp, " TOUCHED"); |
| pp_newline (pp); |
| } |
| else |
| pp_string (pp, "(TOUCHED)"); |
| } |
| |
| m_map.dump_to_pp (pp, simple, multiline); |
| } |
| |
| /* Dump a multiline representation of this binding_cluster to stderr. */ |
| |
| DEBUG_FUNCTION void |
| binding_cluster::dump (bool simple) const |
| { |
| pretty_printer pp; |
| pp_format_decoder (&pp) = default_tree_printer; |
| pp_show_color (&pp) = pp_show_color (global_dc->printer); |
| pp.buffer->stream = stderr; |
| pp_string (&pp, " cluster for: "); |
| m_base_region->dump_to_pp (&pp, simple); |
| pp_string (&pp, ": "); |
| pp_newline (&pp); |
| dump_to_pp (&pp, simple, true); |
| pp_newline (&pp); |
| pp_flush (&pp); |
| } |
| |
| /* Assert that this object is valid. */ |
| |
| void |
| binding_cluster::validate () const |
| { |
| int num_symbolic = 0; |
| int num_concrete = 0; |
| for (auto iter : m_map) |
| { |
| if (iter.first->symbolic_p ()) |
| num_symbolic++; |
| else |
| num_concrete++; |
| } |
| /* We shouldn't have more than one symbolic key per cluster |
| (or one would have clobbered the other). */ |
| gcc_assert (num_symbolic < 2); |
| /* We can't have both concrete and symbolic keys. */ |
| gcc_assert (num_concrete == 0 || num_symbolic == 0); |
| } |
| |
| /* Return a new json::object of the form |
| {"escaped": true/false, |
| "touched": true/false, |
| "map" : object for the binding_map. */ |
| |
| json::object * |
| binding_cluster::to_json () const |
| { |
| json::object *cluster_obj = new json::object (); |
| |
| cluster_obj->set ("escaped", new json::literal (m_escaped)); |
| cluster_obj->set ("touched", new json::literal (m_touched)); |
| cluster_obj->set ("map", m_map.to_json ()); |
| |
| return cluster_obj; |
| } |
| |
| /* Add a binding of SVAL of kind KIND to REG, unpacking SVAL if it is a |
| compound_sval. */ |
| |
| void |
| binding_cluster::bind (store_manager *mgr, |
| const region *reg, const svalue *sval) |
| { |
| if (const compound_svalue *compound_sval |
| = sval->dyn_cast_compound_svalue ()) |
| { |
| bind_compound_sval (mgr, reg, compound_sval); |
| return; |
| } |
| |
| const binding_key *binding = binding_key::make (mgr, reg); |
| bind_key (binding, sval); |
| } |
| |
| /* Bind SVAL to KEY. |
| Unpacking of compound_svalues should already have been done by the |
| time this is called. */ |
| |
| void |
| binding_cluster::bind_key (const binding_key *key, const svalue *sval) |
| { |
| gcc_assert (sval->get_kind () != SK_COMPOUND); |
| |
| m_map.put (key, sval); |
| if (key->symbolic_p ()) |
| m_touched = true; |
| } |
| |
| /* Subroutine of binding_cluster::bind. |
| Unpack compound_svals when binding them, so that we bind them |
| element-wise. */ |
| |
| void |
| binding_cluster::bind_compound_sval (store_manager *mgr, |
| const region *reg, |
| const compound_svalue *compound_sval) |
| { |
| region_offset reg_offset |
| = reg->get_offset (mgr->get_svalue_manager ()); |
| if (reg_offset.symbolic_p ()) |
| { |
| m_touched = true; |
| clobber_region (mgr, reg); |
| return; |
| } |
| |
| for (map_t::iterator iter = compound_sval->begin (); |
| iter != compound_sval->end (); ++iter) |
| { |
| const binding_key *iter_key = (*iter).first; |
| const svalue *iter_sval = (*iter).second; |
| |
| if (const concrete_binding *concrete_key |
| = iter_key->dyn_cast_concrete_binding ()) |
| { |
| bit_offset_t effective_start |
| = (concrete_key->get_start_bit_offset () |
| + reg_offset.get_bit_offset ()); |
| const concrete_binding *effective_concrete_key |
| = mgr->get_concrete_binding (effective_start, |
| concrete_key->get_size_in_bits ()); |
| bind_key (effective_concrete_key, iter_sval); |
| } |
| else |
| gcc_unreachable (); |
| } |
| } |
| |
| /* Remove all bindings overlapping REG within this cluster. */ |
| |
| void |
| binding_cluster::clobber_region (store_manager *mgr, const region *reg) |
| { |
| remove_overlapping_bindings (mgr, reg, NULL); |
| } |
| |
| /* Remove any bindings for REG within this cluster. */ |
| |
| void |
| binding_cluster::purge_region (store_manager *mgr, const region *reg) |
| { |
| gcc_assert (reg->get_kind () == RK_DECL); |
| const binding_key *binding |
| = binding_key::make (mgr, const_cast<region *> (reg)); |
| m_map.remove (binding); |
| } |
| |
| /* Clobber REG and fill it with repeated copies of SVAL. */ |
| |
| void |
| binding_cluster::fill_region (store_manager *mgr, |
| const region *reg, |
| const svalue *sval) |
| { |
| clobber_region (mgr, reg); |
| |
| region_model_manager *sval_mgr = mgr->get_svalue_manager (); |
| const svalue *byte_size_sval = reg->get_byte_size_sval (sval_mgr); |
| const svalue *fill_sval |
| = sval_mgr->get_or_create_repeated_svalue (reg->get_type (), |
| byte_size_sval, sval); |
| bind (mgr, reg, fill_sval); |
| } |
| |
| /* Clobber REG within this cluster and fill it with zeroes. */ |
| |
| void |
| binding_cluster::zero_fill_region (store_manager *mgr, const region *reg) |
| { |
| region_model_manager *sval_mgr = mgr->get_svalue_manager (); |
| const svalue *zero_sval = sval_mgr->get_or_create_int_cst (char_type_node, 0); |
| fill_region (mgr, reg, zero_sval); |
| } |
| |
| /* Mark REG_TO_BIND within this cluster as being unknown. |
| |
| Remove any bindings overlapping REG_FOR_OVERLAP. |
| If UNCERTAINTY is non-NULL, use it to record any svalues that |
| had bindings to them removed, as being maybe-bound. |
| |
| REG_TO_BIND and REG_FOR_OVERLAP are the same for |
| store::mark_region_as_unknown, but are different in |
| store::set_value's alias handling, for handling the case where |
| we have a write to a symbolic REG_FOR_OVERLAP. */ |
| |
| void |
| binding_cluster::mark_region_as_unknown (store_manager *mgr, |
| const region *reg_to_bind, |
| const region *reg_for_overlap, |
| uncertainty_t *uncertainty) |
| { |
| remove_overlapping_bindings (mgr, reg_for_overlap, uncertainty); |
| |
| /* Add a default binding to "unknown". */ |
| region_model_manager *sval_mgr = mgr->get_svalue_manager (); |
| const svalue *sval |
| = sval_mgr->get_or_create_unknown_svalue (reg_to_bind->get_type ()); |
| bind (mgr, reg_to_bind, sval); |
| } |
| |
| /* Purge state involving SVAL. */ |
| |
| void |
| binding_cluster::purge_state_involving (const svalue *sval, |
| region_model_manager *sval_mgr) |
| { |
| auto_vec<const binding_key *> to_remove; |
| auto_vec<std::pair<const binding_key *, tree> > to_make_unknown; |
| for (auto iter : m_map) |
| { |
| const binding_key *iter_key = iter.first; |
| if (const symbolic_binding *symbolic_key |
| = iter_key->dyn_cast_symbolic_binding ()) |
| { |
| const region *reg = symbolic_key->get_region (); |
| if (reg->involves_p (sval)) |
| to_remove.safe_push (iter_key); |
| } |
| const svalue *iter_sval = iter.second; |
| if (iter_sval->involves_p (sval)) |
| to_make_unknown.safe_push (std::make_pair(iter_key, |
| iter_sval->get_type ())); |
| } |
| for (auto iter : to_remove) |
| { |
| m_map.remove (iter); |
| m_touched = true; |
| } |
| for (auto iter : to_make_unknown) |
| { |
| const svalue *new_sval |
| = sval_mgr->get_or_create_unknown_svalue (iter.second); |
| m_map.put (iter.first, new_sval); |
| } |
| } |
| |
| /* Get any SVAL bound to REG within this cluster via kind KIND, |
| without checking parent regions of REG. */ |
| |
| const svalue * |
| binding_cluster::get_binding (store_manager *mgr, |
| const region *reg) const |
| { |
| const binding_key *reg_binding = binding_key::make (mgr, reg); |
| const svalue *sval = m_map.get (reg_binding); |
| if (sval) |
| { |
| /* If we have a struct with a single field, then the binding of |
| the field will equal that of the struct, and looking up e.g. |
| PARENT_REG.field within: |
| cluster for PARENT_REG: INIT_VAL(OTHER_REG) |
| will erroneously return INIT_VAL(OTHER_REG), rather than |
| SUB_VALUE(INIT_VAL(OTHER_REG), FIELD) == INIT_VAL(OTHER_REG.FIELD). |
| Fix this issue by iterating upwards whilst the bindings are equal, |
| expressing the lookups as subvalues. |
| We have to gather a list of subregion accesses, then walk it |
| in reverse to get the subvalues. */ |
| auto_vec<const region *> regions; |
| while (const region *parent_reg = reg->get_parent_region ()) |
| { |
| const binding_key *parent_reg_binding |
| = binding_key::make (mgr, parent_reg); |
| if (parent_reg_binding == reg_binding |
| && sval->get_type () |
| && reg->get_type () |
| && sval->get_type () != reg->get_type ()) |
| { |
| regions.safe_push (reg); |
| reg = parent_reg; |
| } |
| else |
| break; |
| } |
| if (sval->get_type () |
| && reg->get_type () |
| && sval->get_type () == reg->get_type ()) |
| { |
| unsigned i; |
| const region *iter_reg; |
| FOR_EACH_VEC_ELT_REVERSE (regions, i, iter_reg) |
| { |
| region_model_manager *rmm_mgr = mgr->get_svalue_manager (); |
| sval = rmm_mgr->get_or_create_sub_svalue (iter_reg->get_type (), |
| sval, iter_reg); |
| } |
| } |
| } |
| return sval; |
| } |
| |
| /* Get any SVAL bound to REG within this cluster, |
| either directly for REG, or recursively checking for bindings within |
| parent regions and extracting subvalues if need be. */ |
| |
| const svalue * |
| binding_cluster::get_binding_recursive (store_manager *mgr, |
| const region *reg) const |
| { |
| if (const svalue *sval = get_binding (mgr, reg)) |
| return sval; |
| if (reg != m_base_region) |
| if (const region *parent_reg = reg->get_parent_region ()) |
| if (const svalue *parent_sval |
| = get_binding_recursive (mgr, parent_reg)) |
| { |
| /* Extract child svalue from parent svalue. */ |
| region_model_manager *rmm_mgr = mgr->get_svalue_manager (); |
| return rmm_mgr->get_or_create_sub_svalue (reg->get_type (), |
| parent_sval, reg); |
| } |
| return NULL; |
| } |
| |
| /* Get any value bound for REG within this cluster. */ |
| |
| const svalue * |
| binding_cluster::get_any_binding (store_manager *mgr, |
| const region *reg) const |
| { |
| /* Look for a direct binding. */ |
| if (const svalue *direct_sval |
| = get_binding_recursive (mgr, reg)) |
| return direct_sval; |
| |
| /* If we had a write to a cluster of unknown size, we might |
| have a self-binding of the whole base region with an svalue, |
| where the base region is symbolic. |
| Handle such cases by returning sub_svalue instances. */ |
| if (const svalue *cluster_sval = maybe_get_simple_value (mgr)) |
| { |
| /* Extract child svalue from parent svalue. */ |
| region_model_manager *rmm_mgr = mgr->get_svalue_manager (); |
| return rmm_mgr->get_or_create_sub_svalue (reg->get_type (), |
| cluster_sval, reg); |
| } |
| |
| /* If this cluster has been touched by a symbolic write, then the content |
| of any subregion not currently specifically bound is "UNKNOWN". */ |
| if (m_touched) |
| { |
| region_model_manager *rmm_mgr = mgr->get_svalue_manager (); |
| return rmm_mgr->get_or_create_unknown_svalue (reg->get_type ()); |
| } |
| |
| /* Alternatively, if this is a symbolic read and the cluster has any bindings, |
| then we don't know if we're reading those values or not, so the result |
| is also "UNKNOWN". */ |
| if (reg->get_offset (mgr->get_svalue_manager ()).symbolic_p () |
| && m_map.elements () > 0) |
| { |
| region_model_manager *rmm_mgr = mgr->get_svalue_manager (); |
| return rmm_mgr->get_or_create_unknown_svalue (reg->get_type ()); |
| } |
| |
| if (const svalue *compound_sval = maybe_get_compound_binding (mgr, reg)) |
| return compound_sval; |
| |
| /* Otherwise, the initial value, or uninitialized. */ |
| return NULL; |
| } |
| |
| /* Attempt to get a compound_svalue for the bindings within the cluster |
| affecting REG (which could be the base region itself). |
| |
| Create a compound_svalue with the subset of bindings the affect REG, |
| offsetting them so that the offsets are relative to the start of REG |
| within the cluster. |
| |
| For example, REG could be one element within an array of structs. |
| |
| Return the resulting compound_svalue, or NULL if there's a problem. */ |
| |
| const svalue * |
| binding_cluster::maybe_get_compound_binding (store_manager *mgr, |
| const region *reg) const |
| { |
| region_offset cluster_offset |
| = m_base_region->get_offset (mgr->get_svalue_manager ()); |
| if (cluster_offset.symbolic_p ()) |
| return NULL; |
| region_offset reg_offset = reg->get_offset (mgr->get_svalue_manager ()); |
| if (reg_offset.symbolic_p ()) |
| return NULL; |
| |
| region_model_manager *sval_mgr = mgr->get_svalue_manager (); |
| |
| /* We will a build the result map in two parts: |
| (a) result_map, holding the concrete keys from this cluster, |
| |
| (b) default_map, holding the initial values for the region |
| (e.g. uninitialized, initializer values, or zero), unless this |
| cluster has been touched. |
| |
| We will populate (a), and as we do, clobber (b), trimming and |
| splitting its bindings as necessary. |
| Finally, we will merge (b) into (a), giving a concrete map |
| that merges both the initial values and the bound values from |
| the binding_cluster. |
| Doing it this way reduces N for the O(N^2) intersection-finding, |
| perhaps we should have a spatial-organized data structure for |
| concrete keys, though. */ |
| |
| binding_map result_map; |
| binding_map default_map; |
| |
| /* Set up default values in default_map. */ |
| const svalue *default_sval; |
| if (m_touched) |
| default_sval = sval_mgr->get_or_create_unknown_svalue (reg->get_type ()); |
| else |
| default_sval = sval_mgr->get_or_create_initial_value (reg); |
| const binding_key *default_key = binding_key::make (mgr, reg); |
| default_map.put (default_key, default_sval); |
| |
| for (map_t::iterator iter = m_map.begin (); iter != m_map.end (); ++iter) |
| { |
| const binding_key *key = (*iter).first; |
| const svalue *sval = (*iter).second; |
| |
| if (const concrete_binding *concrete_key |
| = key->dyn_cast_concrete_binding ()) |
| { |
| const bit_range &bound_range = concrete_key->get_bit_range (); |
| |
| bit_size_t reg_bit_size; |
| if (!reg->get_bit_size (®_bit_size)) |
| return NULL; |
| |
| bit_range reg_range (reg_offset.get_bit_offset (), |
| reg_bit_size); |
| |
| /* Skip bindings that are outside the bit range of REG. */ |
| if (!bound_range.intersects_p (reg_range)) |
| continue; |
| |
| /* We shouldn't have an exact match; that should have been |
| handled already. */ |
| gcc_assert (!(reg_range == bound_range)); |
| |
| bit_range subrange (0, 0); |
| if (reg_range.contains_p (bound_range, &subrange)) |
| { |
| /* We have a bound range fully within REG. |
| Add it to map, offsetting accordingly. */ |
| |
| /* Get offset of KEY relative to REG, rather than to |
| the cluster. */ |
| const concrete_binding *offset_concrete_key |
| = mgr->get_concrete_binding (subrange); |
| result_map.put (offset_concrete_key, sval); |
| |
| /* Clobber default_map, removing/trimming/spliting where |
| it overlaps with offset_concrete_key. */ |
| default_map.remove_overlapping_bindings (mgr, |
| offset_concrete_key, |
| NULL, false); |
| } |
| else if (bound_range.contains_p (reg_range, &subrange)) |
| { |
| /* REG is fully within the bound range, but |
| is not equal to it; we're extracting a subvalue. */ |
| return sval->extract_bit_range (reg->get_type (), |
| subrange, |
| mgr->get_svalue_manager ()); |
| } |
| else |
| { |
| /* REG and the bound range partially overlap. */ |
| bit_range reg_subrange (0, 0); |
| bit_range bound_subrange (0, 0); |
| reg_range.intersects_p (bound_range, |
| ®_subrange, &bound_subrange); |
| |
| /* Get the bits from the bound value for the bits at the |
| intersection (relative to the bound value). */ |
| const svalue *overlap_sval |
| = sval->extract_bit_range (NULL_TREE, |
| bound_subrange, |
| mgr->get_svalue_manager ()); |
| |
| /* Get key for overlap, relative to the REG. */ |
| const concrete_binding *overlap_concrete_key |
| = mgr->get_concrete_binding (reg_subrange); |
| result_map.put (overlap_concrete_key, overlap_sval); |
| |
| /* Clobber default_map, removing/trimming/spliting where |
| it overlaps with overlap_concrete_key. */ |
| default_map.remove_overlapping_bindings (mgr, |
| overlap_concrete_key, |
| NULL, false); |
| } |
| } |
| else |
| /* Can't handle symbolic bindings. */ |
| return NULL; |
| } |
| |
| if (result_map.elements () == 0) |
| return NULL; |
| |
| /* Merge any bindings from default_map into result_map. */ |
| for (auto iter : default_map) |
| { |
| const binding_key *key = iter.first; |
| const svalue *sval = iter.second; |
| result_map.put (key, sval); |
| } |
| |
| return sval_mgr->get_or_create_compound_svalue (reg->get_type (), result_map); |
| } |
| |
| /* Remove, truncate, and/or split any bindings within this map that |
| could overlap REG. |
| |
| If REG's base region or this cluster is symbolic and they're different |
| base regions, then remove everything in this cluster's map, on the |
| grounds that REG could be referring to the same memory as anything |
| in the map. |
| |
| If UNCERTAINTY is non-NULL, use it to record any svalues that |
| were removed, as being maybe-bound. */ |
| |
| void |
| binding_cluster::remove_overlapping_bindings (store_manager *mgr, |
| const region *reg, |
| uncertainty_t *uncertainty) |
| { |
| const binding_key *reg_binding = binding_key::make (mgr, reg); |
| |
| const region *cluster_base_reg = get_base_region (); |
| const region *other_base_reg = reg->get_base_region (); |
| /* If at least one of the base regions involved is symbolic, and they're |
| not the same base region, then consider everything in the map as |
| potentially overlapping with reg_binding (even if it's a concrete |
| binding and things in the map are concrete - they could be referring |
| to the same memory when the symbolic base regions are taken into |
| account). */ |
| bool always_overlap = (cluster_base_reg != other_base_reg |
| && (cluster_base_reg->get_kind () == RK_SYMBOLIC |
| || other_base_reg->get_kind () == RK_SYMBOLIC)); |
| m_map.remove_overlapping_bindings (mgr, reg_binding, uncertainty, |
| always_overlap); |
| } |
| |
| /* Attempt to merge CLUSTER_A and CLUSTER_B into OUT_CLUSTER, using |
| MGR and MERGER. |
| Return true if they can be merged, false otherwise. */ |
| |
| bool |
| binding_cluster::can_merge_p (const binding_cluster *cluster_a, |
| const binding_cluster *cluster_b, |
| binding_cluster *out_cluster, |
| store *out_store, |
| store_manager *mgr, |
| model_merger *merger) |
| { |
| gcc_assert (out_cluster); |
| |
| /* Merge flags ("ESCAPED" and "TOUCHED") by setting the merged flag to |
| true if either of the inputs is true. */ |
| if ((cluster_a && cluster_a->m_escaped) |
| || (cluster_b && cluster_b->m_escaped)) |
| out_cluster->m_escaped = true; |
| if ((cluster_a && cluster_a->m_touched) |
| || (cluster_b && cluster_b->m_touched)) |
| out_cluster->m_touched = true; |
| |
| /* At least one of CLUSTER_A and CLUSTER_B are non-NULL, but either |
| could be NULL. Handle these cases. */ |
| if (cluster_a == NULL) |
| { |
| gcc_assert (cluster_b != NULL); |
| gcc_assert (cluster_b->m_base_region == out_cluster->m_base_region); |
| out_cluster->make_unknown_relative_to (cluster_b, out_store, mgr); |
| return true; |
| } |
| if (cluster_b == NULL) |
| { |
| gcc_assert (cluster_a != NULL); |
| gcc_assert (cluster_a->m_base_region == out_cluster->m_base_region); |
| out_cluster->make_unknown_relative_to (cluster_a, out_store, mgr); |
| return true; |
| } |
| |
| /* The "both inputs are non-NULL" case. */ |
| gcc_assert (cluster_a != NULL && cluster_b != NULL); |
| gcc_assert (cluster_a->m_base_region == out_cluster->m_base_region); |
| gcc_assert (cluster_b->m_base_region == out_cluster->m_base_region); |
| |
| hash_set<const binding_key *> keys; |
| for (map_t::iterator iter_a = cluster_a->m_map.begin (); |
| iter_a != cluster_a->m_map.end (); ++iter_a) |
| { |
| const binding_key *key_a = (*iter_a).first; |
| keys.add (key_a); |
| } |
| for (map_t::iterator iter_b = cluster_b->m_map.begin (); |
| iter_b != cluster_b->m_map.end (); ++iter_b) |
| { |
| const binding_key *key_b = (*iter_b).first; |
| keys.add (key_b); |
| } |
| int num_symbolic_keys = 0; |
| int num_concrete_keys = 0; |
| for (hash_set<const binding_key *>::iterator iter = keys.begin (); |
| iter != keys.end (); ++iter) |
| { |
| region_model_manager *sval_mgr = mgr->get_svalue_manager (); |
| const binding_key *key = *iter; |
| const svalue *sval_a = cluster_a->get_any_value (key); |
| const svalue *sval_b = cluster_b->get_any_value (key); |
| |
| if (key->symbolic_p ()) |
| num_symbolic_keys++; |
| else |
| num_concrete_keys++; |
| |
| if (sval_a == sval_b) |
| { |
| gcc_assert (sval_a); |
| out_cluster->m_map.put (key, sval_a); |
| continue; |
| } |
| else if (sval_a && sval_b) |
| { |
| if (const svalue *merged_sval |
| = sval_a->can_merge_p (sval_b, sval_mgr, merger)) |
| { |
| out_cluster->m_map.put (key, merged_sval); |
| continue; |
| } |
| /* Merger of the svalues failed. Reject merger of the cluster. */ |
| return false; |
| } |
| |
| /* If we get here, then one cluster binds this key and the other |
| doesn't; merge them as "UNKNOWN". */ |
| gcc_assert (sval_a || sval_b); |
| |
| const svalue *bound_sval = sval_a ? sval_a : sval_b; |
| tree type = bound_sval->get_type (); |
| const svalue *unknown_sval |
| = mgr->get_svalue_manager ()->get_or_create_unknown_svalue (type); |
| |
| /* ...but reject the merger if this sval shouldn't be mergeable |
| (e.g. reject merging svalues that have non-purgable sm-state, |
| to avoid falsely reporting memory leaks by merging them |
| with something else). */ |
| if (!bound_sval->can_merge_p (unknown_sval, sval_mgr, merger)) |
| return false; |
| |
| out_cluster->m_map.put (key, unknown_sval); |
| } |
| |
| /* We can only have at most one symbolic key per cluster, |
| and if we do, we can't have any concrete keys. |
| If this happens, mark the cluster as touched, with no keys. */ |
| if (num_symbolic_keys >= 2 |
| || (num_concrete_keys > 0 && num_symbolic_keys > 0)) |
| { |
| out_cluster->m_touched = true; |
| out_cluster->m_map.empty (); |
| } |
| |
| /* We don't handle other kinds of overlaps yet. */ |
| |
| return true; |
| } |
| |
| /* Update this cluster to reflect an attempt to merge OTHER where there |
| is no other cluster to merge with, and so we're notionally merging the |
| bound values in OTHER with the initial value of the relevant regions. |
| |
| Any bound keys in OTHER should be bound to unknown in this. */ |
| |
| void |
| binding_cluster::make_unknown_relative_to (const binding_cluster *other, |
| store *out_store, |
| store_manager *mgr) |
| { |
| for (map_t::iterator iter = other->m_map.begin (); |
| iter != other->m_map.end (); ++iter) |
| { |
| const binding_key *iter_key = (*iter).first; |
| const svalue *iter_sval = (*iter).second; |
| const svalue *unknown_sval |
| = mgr->get_svalue_manager ()->get_or_create_unknown_svalue |
| (iter_sval->get_type ()); |
| m_map.put (iter_key, unknown_sval); |
| |
| /* For any pointers in OTHER, the merger means that the |
| concrete pointer becomes an unknown value, which could |
| show up as a false report of a leak when considering what |
| pointers are live before vs after. |
| Avoid this by marking the base regions they point to as having |
| escaped. */ |
| if (const region_svalue *region_sval |
| = iter_sval->dyn_cast_region_svalue ()) |
| { |
| const region *base_reg |
| = region_sval->get_pointee ()->get_base_region (); |
| if (base_reg->tracked_p () |
| && !base_reg->symbolic_for_unknown_ptr_p ()) |
| { |
| binding_cluster *c = out_store->get_or_create_cluster (base_reg); |
| c->mark_as_escaped (); |
| } |
| } |
| } |
| } |
| |
| /* Mark this cluster as having escaped. */ |
| |
| void |
| binding_cluster::mark_as_escaped () |
| { |
| m_escaped = true; |
| } |
| |
| /* If this cluster has escaped (by this call, or by an earlier one, or |
| by being an external param), then unbind all values and mark it |
| as "touched", so that it has a conjured value, rather than an |
| initial_svalue. |
| Use P to purge state involving conjured_svalues. */ |
| |
| void |
| binding_cluster::on_unknown_fncall (const gcall *call, |
| store_manager *mgr, |
| const conjured_purge &p) |
| { |
| if (m_escaped) |
| { |
| m_map.empty (); |
| |
| /* Bind it to a new "conjured" value using CALL. */ |
| const svalue *sval |
| = mgr->get_svalue_manager ()->get_or_create_conjured_svalue |
| (m_base_region->get_type (), call, m_base_region, p); |
| bind (mgr, m_base_region, sval); |
| |
| m_touched = true; |
| } |
| } |
| |
| /* Mark this cluster as having been clobbered by STMT. |
| Use P to purge state involving conjured_svalues. */ |
| |
| void |
| binding_cluster::on_asm (const gasm *stmt, |
| store_manager *mgr, |
| const conjured_purge &p) |
| { |
| m_map.empty (); |
| |
| /* Bind it to a new "conjured" value using CALL. */ |
| const svalue *sval |
| = mgr->get_svalue_manager ()->get_or_create_conjured_svalue |
| (m_base_region->get_type (), stmt, m_base_region, p); |
| bind (mgr, m_base_region, sval); |
| |
| m_touched = true; |
| } |
| |
| /* Return true if this cluster has escaped. */ |
| |
| bool |
| binding_cluster::escaped_p () const |
| { |
| /* Consider the "errno" region to always have escaped. */ |
| if (m_base_region->get_kind () == RK_ERRNO) |
| return true; |
| return m_escaped; |
| } |
| |
| /* Return true if this binding_cluster has no information |
| i.e. if there are no bindings, and it hasn't been marked as having |
| escaped, or touched symbolically. */ |
| |
| bool |
| binding_cluster::redundant_p () const |
| { |
| return (m_map.elements () == 0 |
| && !m_escaped |
| && !m_touched); |
| } |
| |
| /* Add PV to OUT_PVS, casting it to TYPE if it is not already of that type. */ |
| |
| static void |
| append_pathvar_with_type (path_var pv, |
| tree type, |
| auto_vec<path_var> *out_pvs) |
| { |
| gcc_assert (pv.m_tree); |
| |
| if (TREE_TYPE (pv.m_tree) != type) |
| pv.m_tree = build1 (NOP_EXPR, type, pv.m_tree); |
| |
| out_pvs->safe_push (pv); |
| } |
| |
| /* Find representative path_vars for SVAL within this binding of BASE_REG, |
| appending the results to OUT_PVS. */ |
| |
| void |
| binding_cluster::get_representative_path_vars (const region_model *model, |
| svalue_set *visited, |
| const region *base_reg, |
| const svalue *sval, |
| auto_vec<path_var> *out_pvs) |
| const |
| { |
| sval = simplify_for_binding (sval); |
| |
| for (map_t::iterator iter = m_map.begin (); iter != m_map.end (); ++iter) |
| { |
| const binding_key *key = (*iter).first; |
| const svalue *bound_sval = (*iter).second; |
| if (bound_sval == sval) |
| { |
| if (const concrete_binding *ckey |
| = key->dyn_cast_concrete_binding ()) |
| { |
| auto_vec <const region *> subregions; |
| base_reg->get_subregions_for_binding |
| (model->get_manager (), |
| ckey->get_start_bit_offset (), |
| ckey->get_size_in_bits (), |
| sval->get_type (), |
| &subregions); |
| unsigned i; |
| const region *subregion; |
| FOR_EACH_VEC_ELT (subregions, i, subregion) |
| { |
| if (path_var pv |
| = model->get_representative_path_var (subregion, |
| visited)) |
| append_pathvar_with_type (pv, sval->get_type (), out_pvs); |
| } |
| } |
| else |
| { |
| const symbolic_binding *skey = (const symbolic_binding *)key; |
| if (path_var pv |
| = model->get_representative_path_var (skey->get_region (), |
| visited)) |
| append_pathvar_with_type (pv, sval->get_type (), out_pvs); |
| } |
| } |
| } |
| } |
| |
| /* Get any svalue bound to KEY, or NULL. */ |
| |
| const svalue * |
| binding_cluster::get_any_value (const binding_key *key) const |
| { |
| return m_map.get (key); |
| } |
| |
| /* If this cluster has a single direct binding for the whole of the region, |
| return it. |
| For use in simplifying dumps. */ |
| |
| const svalue * |
| binding_cluster::maybe_get_simple_value (store_manager *mgr) const |
| { |
| /* Fail gracefully if MGR is NULL to make it easier to dump store |
| instances in the debugger. */ |
| if (mgr == NULL) |
| return NULL; |
| |
| if (m_map.elements () != 1) |
| return NULL; |
| |
| const binding_key *key = binding_key::make (mgr, m_base_region); |
| return get_any_value (key); |
| } |
| |
| /* class store_manager. */ |
| |
| logger * |
| store_manager::get_logger () const |
| { |
| return m_mgr->get_logger (); |
| } |
| |
| /* binding consolidation. */ |
| |
| const concrete_binding * |
| store_manager::get_concrete_binding (bit_offset_t start_bit_offset, |
| bit_offset_t size_in_bits) |
| { |
| concrete_binding b (start_bit_offset, size_in_bits); |
| if (concrete_binding *existing = m_concrete_binding_key_mgr.get (b)) |
| return existing; |
| |
| concrete_binding *to_save = new concrete_binding (b); |
| m_concrete_binding_key_mgr.put (b, to_save); |
| return to_save; |
| } |
| |
| const symbolic_binding * |
| store_manager::get_symbolic_binding (const region *reg) |
| { |
| symbolic_binding b (reg); |
| if (symbolic_binding *existing = m_symbolic_binding_key_mgr.get (b)) |
| return existing; |
| |
| symbolic_binding *to_save = new symbolic_binding (b); |
| m_symbolic_binding_key_mgr.put (b, to_save); |
| return to_save; |
| } |
| |
| /* class store. */ |
| |
| /* store's default ctor. */ |
| |
| store::store () |
| : m_called_unknown_fn (false) |
| { |
| } |
| |
| /* store's copy ctor. */ |
| |
| store::store (const store &other) |
| : m_cluster_map (other.m_cluster_map.elements ()), |
| m_called_unknown_fn (other.m_called_unknown_fn) |
| { |
| for (cluster_map_t::iterator iter = other.m_cluster_map.begin (); |
| iter != other.m_cluster_map.end (); |
| ++iter) |
| { |
| const region *reg = (*iter).first; |
| gcc_assert (reg); |
| binding_cluster *c = (*iter).second; |
| gcc_assert (c); |
| m_cluster_map.put (reg, new binding_cluster (*c)); |
| } |
| } |
| |
| /* store's dtor. */ |
| |
| store::~store () |
| { |
| for (cluster_map_t::iterator iter = m_cluster_map.begin (); |
| iter != m_cluster_map.end (); |
| ++iter) |
| delete (*iter).second; |
| } |
| |
| /* store's assignment operator. */ |
| |
| store & |
| store::operator= (const store &other) |
| { |
| /* Delete existing cluster map. */ |
| for (cluster_map_t::iterator iter = m_cluster_map.begin (); |
| iter != m_cluster_map.end (); |
| ++iter) |
| delete (*iter).second; |
| m_cluster_map.empty (); |
| |
| m_called_unknown_fn = other.m_called_unknown_fn; |
| |
| for (cluster_map_t::iterator iter = other.m_cluster_map.begin (); |
| iter != other.m_cluster_map.end (); |
| ++iter) |
| { |
| const region *reg = (*iter).first; |
| gcc_assert (reg); |
| binding_cluster *c = (*iter).second; |
| gcc_assert (c); |
| m_cluster_map.put (reg, new binding_cluster (*c)); |
| } |
| return *this; |
| } |
| |
| /* store's equality operator. */ |
| |
| bool |
| store::operator== (const store &other) const |
| { |
| if (m_called_unknown_fn != other.m_called_unknown_fn) |
| return false; |
| |
| if (m_cluster_map.elements () != other.m_cluster_map.elements ()) |
| return false; |
| |
| for (cluster_map_t::iterator iter = m_cluster_map.begin (); |
| iter != m_cluster_map.end (); |
| ++iter) |
| { |
| const region *reg = (*iter).first; |
| binding_cluster *c = (*iter).second; |
| binding_cluster **other_slot |
| = const_cast <cluster_map_t &> (other.m_cluster_map).get (reg); |
| if (other_slot == NULL) |
| return false; |
| if (*c != **other_slot) |
| return false; |
| } |
| |
| gcc_checking_assert (hash () == other.hash ()); |
| |
| return true; |
| } |
| |
| /* Get a hash value for this store. */ |
| |
| hashval_t |
| store::hash () const |
| { |
| hashval_t result = 0; |
| for (cluster_map_t::iterator iter = m_cluster_map.begin (); |
| iter != m_cluster_map.end (); |
| ++iter) |
| result ^= (*iter).second->hash (); |
| return result; |
| } |
| |
| /* Populate OUT with a sorted list of parent regions for the regions in IN, |
| removing duplicate parents. */ |
| |
| static void |
| get_sorted_parent_regions (auto_vec<const region *> *out, |
| auto_vec<const region *> &in) |
| { |
| /* Get the set of parent regions. */ |
| hash_set<const region *> parent_regions; |
| const region *iter_reg; |
| unsigned i; |
| FOR_EACH_VEC_ELT (in, i, iter_reg) |
| { |
| const region *parent_reg = iter_reg->get_parent_region (); |
| gcc_assert (parent_reg); |
| parent_regions.add (parent_reg); |
| } |
| |
| /* Write to OUT. */ |
| for (hash_set<const region *>::iterator iter = parent_regions.begin(); |
| iter != parent_regions.end(); ++iter) |
| out->safe_push (*iter); |
| |
| /* Sort OUT. */ |
| out->qsort (region::cmp_ptr_ptr); |
| } |
| |
| /* Dump a representation of this store to PP, using SIMPLE to control how |
| svalues and regions are printed. |
| MGR is used for simplifying dumps if non-NULL, but can also be NULL |
| (to make it easier to use from the debugger). */ |
| |
| void |
| store::dump_to_pp (pretty_printer *pp, bool simple, bool multiline, |
| store_manager *mgr) const |
| { |
| /* Sort into some deterministic order. */ |
| auto_vec<const region *> base_regions; |
| for (cluster_map_t::iterator iter = m_cluster_map.begin (); |
| iter != m_cluster_map.end (); ++iter) |
| { |
| const region *base_reg = (*iter).first; |
| base_regions.safe_push (base_reg); |
| } |
| base_regions.qsort (region::cmp_ptr_ptr); |
| |
| /* Gather clusters, organize by parent region, so that we can group |
| together locals, globals, etc. */ |
| auto_vec<const region *> parent_regions; |
| get_sorted_parent_regions (&parent_regions, base_regions); |
| |
| const region *parent_reg; |
| unsigned i; |
| FOR_EACH_VEC_ELT (parent_regions, i, parent_reg) |
| { |
| gcc_assert (parent_reg); |
| pp_string (pp, "clusters within "); |
| parent_reg->dump_to_pp (pp, simple); |
| if (multiline) |
| pp_newline (pp); |
| else |
| pp_string (pp, " {"); |
| |
| const region *base_reg; |
| unsigned j; |
| FOR_EACH_VEC_ELT (base_regions, j, base_reg) |
| { |
| /* This is O(N * M), but N ought to be small. */ |
| if (base_reg->get_parent_region () != parent_reg) |
| continue; |
| binding_cluster *cluster |
| = *const_cast<cluster_map_t &> (m_cluster_map).get (base_reg); |
| if (!multiline) |
| { |
| if (j > 0) |
| pp_string (pp, ", "); |
| } |
| if (const svalue *sval = cluster->maybe_get_simple_value (mgr)) |
| { |
| /* Special-case to simplify dumps for the common case where |
| we just have one value directly bound to the whole of a |
| region. */ |
| if (multiline) |
| { |
| pp_string (pp, " cluster for: "); |
| base_reg->dump_to_pp (pp, simple); |
| pp_string (pp, ": "); |
| sval->dump_to_pp (pp, simple); |
| if (cluster->escaped_p ()) |
| pp_string (pp, " (ESCAPED)"); |
| if (cluster->touched_p ()) |
| pp_string (pp, " (TOUCHED)"); |
| pp_newline (pp); |
| } |
| else |
| { |
| pp_string (pp, "region: {"); |
| base_reg->dump_to_pp (pp, simple); |
| pp_string (pp, ", value: "); |
| sval->dump_to_pp (pp, simple); |
| if (cluster->escaped_p ()) |
| pp_string (pp, " (ESCAPED)"); |
| if (cluster->touched_p ()) |
| pp_string (pp, " (TOUCHED)"); |
| pp_string (pp, "}"); |
| } |
| } |
| else if (multiline) |
| { |
| pp_string (pp, " cluster for: "); |
| base_reg->dump_to_pp (pp, simple); |
| pp_newline (pp); |
| cluster->dump_to_pp (pp, simple, multiline); |
| } |
| else |
| { |
| pp_string (pp, "base region: {"); |
| base_reg->dump_to_pp (pp, simple); |
| pp_string (pp, "} has cluster: {"); |
| cluster->dump_to_pp (pp, simple, multiline); |
| pp_string (pp, "}"); |
| } |
| } |
| if (!multiline) |
| pp_string (pp, "}"); |
| } |
| pp_printf (pp, "m_called_unknown_fn: %s", |
| m_called_unknown_fn ? "TRUE" : "FALSE"); |
| if (multiline) |
| pp_newline (pp); |
| } |
| |
| /* Dump a multiline representation of this store to stderr. */ |
| |
| DEBUG_FUNCTION void |
| store::dump (bool simple) const |
| { |
| pretty_printer pp; |
| pp_format_decoder (&pp) = default_tree_printer; |
| pp_show_color (&pp) = pp_show_color (global_dc->printer); |
| pp.buffer->stream = stderr; |
| dump_to_pp (&pp, simple, true, NULL); |
| pp_newline (&pp); |
| pp_flush (&pp); |
| } |
| |
| /* Assert that this object is valid. */ |
| |
| void |
| store::validate () const |
| { |
| for (auto iter : m_cluster_map) |
| iter.second->validate (); |
| } |
| |
| /* Return a new json::object of the form |
| {PARENT_REGION_DESC: {BASE_REGION_DESC: object for binding_map, |
| ... for each cluster within parent region}, |
| ...for each parent region, |
| "called_unknown_fn": true/false}. */ |
| |
| json::object * |
| store::to_json () const |
| { |
| json::object *store_obj = new json::object (); |
| |
| /* Sort into some deterministic order. */ |
| auto_vec<const region *> base_regions; |
| for (cluster_map_t::iterator iter = m_cluster_map.begin (); |
| iter != m_cluster_map.end (); ++iter) |
| { |
| const region *base_reg = (*iter).first; |
| base_regions.safe_push (base_reg); |
| } |
| base_regions.qsort (region::cmp_ptr_ptr); |
| |
| /* Gather clusters, organize by parent region, so that we can group |
| together locals, globals, etc. */ |
| auto_vec<const region *> parent_regions; |
| get_sorted_parent_regions (&parent_regions, base_regions); |
| |
| const region *parent_reg; |
| unsigned i; |
| FOR_EACH_VEC_ELT (parent_regions, i, parent_reg) |
| { |
| gcc_assert (parent_reg); |
| |
| json::object *clusters_in_parent_reg_obj = new json::object (); |
| |
| const region *base_reg; |
| unsigned j; |
| FOR_EACH_VEC_ELT (base_regions, j, base_reg) |
| { |
| /* This is O(N * M), but N ought to be small. */ |
| if (base_reg->get_parent_region () != parent_reg) |
| continue; |
| binding_cluster *cluster |
| = *const_cast<cluster_map_t &> (m_cluster_map).get (base_reg); |
| label_text base_reg_desc = base_reg->get_desc (); |
| clusters_in_parent_reg_obj->set (base_reg_desc.get (), |
| cluster->to_json ()); |
| } |
| label_text parent_reg_desc = parent_reg->get_desc (); |
| store_obj->set (parent_reg_desc.get (), clusters_in_parent_reg_obj); |
| } |
| |
| store_obj->set ("called_unknown_fn", new json::literal (m_called_unknown_fn)); |
| |
| return store_obj; |
| } |
| |
| /* Get any svalue bound to REG, or NULL. */ |
| |
| const svalue * |
| store::get_any_binding (store_manager *mgr, const region *reg) const |
| { |
| const region *base_reg = reg->get_base_region (); |
| binding_cluster **cluster_slot |
| = const_cast <cluster_map_t &> (m_cluster_map).get (base_reg); |
| if (!cluster_slot) |
| return NULL; |
| return (*cluster_slot)->get_any_binding (mgr, reg); |
| } |
| |
| /* Set the value of LHS_REG to RHS_SVAL. */ |
| |
| void |
| store::set_value (store_manager *mgr, const region *lhs_reg, |
| const svalue *rhs_sval, |
| uncertainty_t *uncertainty) |
| { |
| logger *logger = mgr->get_logger (); |
| LOG_SCOPE (logger); |
| |
| remove_overlapping_bindings (mgr, lhs_reg, uncertainty); |
| |
| if (lhs_reg->get_type ()) |
| rhs_sval = simplify_for_binding (rhs_sval); |
| /* ...but if we have no type for the region, retain any cast. */ |
| |
| const region *lhs_base_reg = lhs_reg->get_base_region (); |
| binding_cluster *lhs_cluster; |
| if (lhs_base_reg->symbolic_for_unknown_ptr_p ()) |
| { |
| /* Reject attempting to bind values into a symbolic region |
| for an unknown ptr; merely invalidate values below. */ |
| lhs_cluster = NULL; |
| |
| /* The LHS of the write is *UNKNOWN. If the RHS is a pointer, |
| then treat the region being pointed to as having escaped. */ |
| if (const region_svalue *ptr_sval = rhs_sval->dyn_cast_region_svalue ()) |
| { |
| const region *ptr_dst = ptr_sval->get_pointee (); |
| const region *ptr_base_reg = ptr_dst->get_base_region (); |
| mark_as_escaped (ptr_base_reg); |
| } |
| } |
| else if (lhs_base_reg->tracked_p ()) |
| { |
| lhs_cluster = get_or_create_cluster (lhs_base_reg); |
| lhs_cluster->bind (mgr, lhs_reg, rhs_sval); |
| } |
| else |
| { |
| /* Reject attempting to bind values into an untracked region; |
| merely invalidate values below. */ |
| lhs_cluster = NULL; |
| } |
| |
| /* Bindings to a cluster can affect other clusters if a symbolic |
| base region is involved. |
| Writes to concrete clusters can't affect other concrete clusters, |
| but can affect symbolic clusters. |
| Writes to symbolic clusters can affect both concrete and symbolic |
| clusters. |
| Invalidate our knowledge of other clusters that might have been |
| affected by the write. */ |
| for (cluster_map_t::iterator iter = m_cluster_map.begin (); |
| iter != m_cluster_map.end (); ++iter) |
| { |
| const region *iter_base_reg = (*iter).first; |
| binding_cluster *iter_cluster = (*iter).second; |
| if (iter_base_reg != lhs_base_reg |
| && (lhs_cluster == NULL |
| || lhs_cluster->symbolic_p () |
| || iter_cluster->symbolic_p ())) |
| { |
| tristate t_alias = eval_alias (lhs_base_reg, iter_base_reg); |
| switch (t_alias.get_value ()) |
| { |
| default: |
| gcc_unreachable (); |
| |
| case tristate::TS_UNKNOWN: |
| if (logger) |
| { |
| pretty_printer *pp = logger->get_printer (); |
| logger->start_log_line (); |
| logger->log_partial ("possible aliasing of "); |
| iter_base_reg->dump_to_pp (pp, true); |
| logger->log_partial (" when writing SVAL: "); |
| rhs_sval->dump_to_pp (pp, true); |
| logger->log_partial (" to LHS_REG: "); |
| lhs_reg->dump_to_pp (pp, true); |
| logger->end_log_line (); |
| } |
| /* Mark all of iter_cluster's iter_base_reg as unknown, |
| using LHS_REG when considering overlaps, to handle |
| symbolic vs concrete issues. */ |
| iter_cluster->mark_region_as_unknown |
| (mgr, |
| iter_base_reg, /* reg_to_bind */ |
| lhs_reg, /* reg_for_overlap */ |
| uncertainty); |
| break; |
| |
| case tristate::TS_TRUE: |
| gcc_unreachable (); |
| break; |
| |
| case tristate::TS_FALSE: |
| /* If they can't be aliases, then don't invalidate this |
| cluster. */ |
| break; |
| } |
| } |
| } |
| } |
| |
| /* Determine if BASE_REG_A could be an alias of BASE_REG_B. */ |
| |
| tristate |
| store::eval_alias (const region *base_reg_a, |
| const region *base_reg_b) const |
| { |
| /* SSA names can't alias. */ |
| tree decl_a = base_reg_a->maybe_get_decl (); |
| if (decl_a && TREE_CODE (decl_a) == SSA_NAME) |
| return tristate::TS_FALSE; |
| tree decl_b = base_reg_b->maybe_get_decl (); |
| if (decl_b && TREE_CODE (decl_b) == SSA_NAME) |
| return tristate::TS_FALSE; |
| |
| /* Try both ways, for symmetry. */ |
| tristate ts_ab = eval_alias_1 (base_reg_a, base_reg_b); |
| if (ts_ab.is_false ()) |
| return tristate::TS_FALSE; |
| tristate ts_ba = eval_alias_1 (base_reg_b, base_reg_a); |
| if (ts_ba.is_false ()) |
| return tristate::TS_FALSE; |
| return tristate::TS_UNKNOWN; |
| } |
| |
| /* Half of store::eval_alias; called twice for symmetry. */ |
| |
| tristate |
| store::eval_alias_1 (const region *base_reg_a, |
| const region *base_reg_b) const |
| { |
| if (const symbolic_region *sym_reg_a |
| = base_reg_a->dyn_cast_symbolic_region ()) |
| { |
| const svalue *sval_a = sym_reg_a->get_pointer (); |
| if (tree decl_b = base_reg_b->maybe_get_decl ()) |
| { |
| if (!may_be_aliased (decl_b)) |
| return tristate::TS_FALSE; |
| if (sval_a->get_kind () == SK_INITIAL) |
| if (!is_global_var (decl_b)) |
| { |
| /* The initial value of a pointer can't point to a local. */ |
| return tristate::TS_FALSE; |
| } |
| } |
| if (sval_a->get_kind () == SK_INITIAL |
| && base_reg_b->get_kind () == RK_HEAP_ALLOCATED) |
| { |
| /* The initial value of a pointer can't point to a |
| region that was allocated on the heap after the beginning of the |
| path. */ |
| return tristate::TS_FALSE; |
| } |
| if (const widening_svalue *widening_sval_a |
| = sval_a->dyn_cast_widening_svalue ()) |
| { |
| const svalue *base = widening_sval_a->get_base_svalue (); |
| if (const region_svalue *region_sval |
| = base->dyn_cast_region_svalue ()) |
| { |
| const region *pointee = region_sval->get_pointee (); |
| /* If we have sval_a is WIDENING(®ION, OP), and |
| B can't alias REGION, then B can't alias A either. |
| For example, A might arise from |
| for (ptr = ®ION; ...; ptr++) |
| where sval_a is ptr in the 2nd iteration of the loop. |
| We want to ensure that "*ptr" can only clobber things |
| within REGION's base region. */ |
| tristate ts = eval_alias (pointee->get_base_region (), |
| base_reg_b); |
| if (ts.is_false ()) |
| return tristate::TS_FALSE; |
| } |
| } |
| } |
| return tristate::TS_UNKNOWN; |
| } |
| |
| /* Remove all bindings overlapping REG within this store. */ |
| |
| void |
| store::clobber_region (store_manager *mgr, const region *reg) |
| { |
| const region *base_reg = reg->get_base_region (); |
| binding_cluster **slot = m_cluster_map.get (base_reg); |
| if (!slot) |
| return; |
| binding_cluster *cluster = *slot; |
| cluster->clobber_region (mgr, reg); |
| if (cluster->redundant_p ()) |
| { |
| delete cluster; |
| m_cluster_map.remove (base_reg); |
| } |
| } |
| |
| /* Remove any bindings for REG within this store. */ |
| |
| void |
| store::purge_region (store_manager *mgr, const region *reg) |
| { |
| const region *base_reg = reg->get_base_region (); |
| binding_cluster **slot = m_cluster_map.get (base_reg); |
| if (!slot) |
| return; |
| binding_cluster *cluster = *slot; |
| cluster->purge_region (mgr, reg); |
| if (cluster->redundant_p ()) |
| { |
| delete cluster; |
| m_cluster_map.remove (base_reg); |
| } |
| } |
| |
| /* Fill REG with SVAL. */ |
| |
| void |
| store::fill_region (store_manager *mgr, const region *reg, const svalue *sval) |
| { |
| const region *base_reg = reg->get_base_region (); |
| if (base_reg->symbolic_for_unknown_ptr_p () |
| || !base_reg->tracked_p ()) |
| return; |
| binding_cluster *cluster = get_or_create_cluster (base_reg); |
| cluster->fill_region (mgr, reg, sval); |
| } |
| |
| /* Zero-fill REG. */ |
| |
| void |
| store::zero_fill_region (store_manager *mgr, const region *reg) |
| { |
| region_model_manager *sval_mgr = mgr->get_svalue_manager (); |
| const svalue *zero_sval = sval_mgr->get_or_create_int_cst (char_type_node, 0); |
| fill_region (mgr, reg, zero_sval); |
| } |
| |
| /* Mark REG as having unknown content. */ |
| |
| void |
| store::mark_region_as_unknown (store_manager *mgr, const region *reg, |
| uncertainty_t *uncertainty) |
| { |
| const region *base_reg = reg->get_base_region (); |
| if (base_reg->symbolic_for_unknown_ptr_p () |
| || !base_reg->tracked_p ()) |
| return; |
| binding_cluster *cluster = get_or_create_cluster (base_reg); |
| cluster->mark_region_as_unknown (mgr, reg, reg, uncertainty); |
| } |
| |
| /* Purge state involving SVAL. */ |
| |
| void |
| store::purge_state_involving (const svalue *sval, |
| region_model_manager *sval_mgr) |
| { |
| auto_vec <const region *> base_regs_to_purge; |
| for (auto iter : m_cluster_map) |
| { |
| const region *base_reg = iter.first; |
| if (base_reg->involves_p (sval)) |
| base_regs_to_purge.safe_push (base_reg); |
| else |
| { |
| binding_cluster *cluster = iter.second; |
| cluster->purge_state_involving (sval, sval_mgr); |
| } |
| } |
| |
| for (auto iter : base_regs_to_purge) |
| purge_cluster (iter); |
| } |
| |
| /* Get the cluster for BASE_REG, or NULL (const version). */ |
| |
| const binding_cluster * |
| store::get_cluster (const region *base_reg) const |
| { |
| gcc_assert (base_reg); |
| gcc_assert (base_reg->get_base_region () == base_reg); |
| if (binding_cluster **slot |
| = const_cast <cluster_map_t &> (m_cluster_map).get (base_reg)) |
| return *slot; |
| else |
| return NULL; |
| } |
| |
| /* Get the cluster for BASE_REG, or NULL (non-const version). */ |
| |
| binding_cluster * |
| store::get_cluster (const region *base_reg) |
| { |
| gcc_assert (base_reg); |
| gcc_assert (base_reg->get_base_region () == base_reg); |
| if (binding_cluster **slot = m_cluster_map.get (base_reg)) |
| return *slot; |
| else |
| return NULL; |
| } |
| |
| /* Get the cluster for BASE_REG, creating it if doesn't already exist. */ |
| |
| binding_cluster * |
| store::get_or_create_cluster (const region *base_reg) |
| { |
| gcc_assert (base_reg); |
| gcc_assert (base_reg->get_base_region () == base_reg); |
| |
| /* We shouldn't create clusters for dereferencing an UNKNOWN ptr. */ |
| gcc_assert (!base_reg->symbolic_for_unknown_ptr_p ()); |
| |
| /* We shouldn't create clusters for base regions that aren't trackable. */ |
| gcc_assert (base_reg->tracked_p ()); |
| |
| if (binding_cluster **slot = m_cluster_map.get (base_reg)) |
| return *slot; |
| |
| binding_cluster *cluster = new binding_cluster (base_reg); |
| m_cluster_map.put (base_reg, cluster); |
| |
| return cluster; |
| } |
| |
| /* Remove any cluster for BASE_REG, for use by |
| region_model::unbind_region_and_descendents |
| when popping stack frames and handling deleted heap regions. */ |
| |
| void |
| store::purge_cluster (const region *base_reg) |
| { |
| gcc_assert (base_reg->get_base_region () == base_reg); |
| binding_cluster **slot = m_cluster_map.get (base_reg); |
| if (!slot) |
| return; |
| binding_cluster *cluster = *slot; |
| delete cluster; |
| m_cluster_map.remove (base_reg); |
| } |
| |
| /* Attempt to merge STORE_A and STORE_B into OUT_STORE. |
| Return true if successful, or false if the stores can't be merged. */ |
| |
| bool |
| store::can_merge_p (const store *store_a, const store *store_b, |
| store *out_store, store_manager *mgr, |
| model_merger *merger) |
| { |
| if (store_a->m_called_unknown_fn || store_b->m_called_unknown_fn) |
| out_store->m_called_unknown_fn = true; |
| |
| /* Get the union of all base regions for STORE_A and STORE_B. */ |
| hash_set<const region *> base_regions; |
| for (cluster_map_t::iterator iter_a = store_a->m_cluster_map.begin (); |
| iter_a != store_a->m_cluster_map.end (); ++iter_a) |
| { |
| const region *base_reg_a = (*iter_a).first; |
| base_regions.add (base_reg_a); |
| } |
| for (cluster_map_t::iterator iter_b = store_b->m_cluster_map.begin (); |
| iter_b != store_b->m_cluster_map.end (); ++iter_b) |
| { |
| const region *base_reg_b = (*iter_b).first; |
| base_regions.add (base_reg_b); |
| } |
| |
| /* Sort the base regions before considering them. This ought not to |
| affect the results, but can affect which types UNKNOWN_REGIONs are |
| created for in a run; sorting them thus avoids minor differences |
| in logfiles. */ |
| auto_vec<const region *> vec_base_regions (base_regions.elements ()); |
| for (hash_set<const region *>::iterator iter = base_regions.begin (); |
| iter != base_regions.end (); ++iter) |
| vec_base_regions.quick_push (*iter); |
| vec_base_regions.qsort (region::cmp_ptr_ptr); |
| unsigned i; |
| const region *base_reg; |
| FOR_EACH_VEC_ELT (vec_base_regions, i, base_reg) |
| { |
| const binding_cluster *cluster_a = store_a->get_cluster (base_reg); |
| const binding_cluster *cluster_b = store_b->get_cluster (base_reg); |
| /* At least one of cluster_a and cluster_b must be non-NULL. */ |
| binding_cluster *out_cluster |
| = out_store->get_or_create_cluster (base_reg); |
| if (!binding_cluster::can_merge_p (cluster_a, cluster_b, |
| out_cluster, out_store, mgr, merger)) |
| return false; |
| } |
| return true; |
| } |
| |
| /* Mark the cluster for BASE_REG as having escaped. |
| For use when handling an unrecognized function call, and |
| for params to "top-level" calls. |
| Further unknown function calls could touch it, even if the cluster |
| isn't reachable from args of those calls. */ |
| |
| void |
| store::mark_as_escaped (const region *base_reg) |
| { |
| gcc_assert (base_reg); |
| gcc_assert (base_reg->get_base_region () == base_reg); |
| |
| if (base_reg->symbolic_for_unknown_ptr_p () |
| || !base_reg->tracked_p ()) |
| return; |
| |
| binding_cluster *cluster = get_or_create_cluster (base_reg); |
| cluster->mark_as_escaped (); |
| } |
| |
| /* Handle an unknown fncall by updating any clusters that have escaped |
| (either in this fncall, or in a prior one). */ |
| |
| void |
| store::on_unknown_fncall (const gcall *call, store_manager *mgr, |
| const conjured_purge &p) |
| { |
| m_called_unknown_fn = true; |
| |
| for (cluster_map_t::iterator iter = m_cluster_map.begin (); |
| iter != m_cluster_map.end (); ++iter) |
| (*iter).second->on_unknown_fncall (call, mgr, p); |
| } |
| |
| /* Return true if a non-const pointer to BASE_REG (or something within it) |
| has escaped to code outside of the TU being analyzed. */ |
| |
| bool |
| store::escaped_p (const region *base_reg) const |
| { |
| gcc_assert (base_reg); |
| gcc_assert (base_reg->get_base_region () == base_reg); |
| |
| /* "errno" can always be modified by external code. */ |
| if (base_reg->get_kind () == RK_ERRNO) |
| return true; |
| |
| if (binding_cluster **cluster_slot |
| = const_cast <cluster_map_t &>(m_cluster_map).get (base_reg)) |
| return (*cluster_slot)->escaped_p (); |
| return false; |
| } |
| |
| /* Populate OUT_PVS with a list of path_vars for describing SVAL based on |
| this store, using VISITED to ensure the traversal terminates. */ |
| |
| void |
| store::get_representative_path_vars (const region_model *model, |
| svalue_set *visited, |
| const svalue *sval, |
| auto_vec<path_var> *out_pvs) const |
| { |
| gcc_assert (sval); |
| |
| /* Find all bindings that reference SVAL. */ |
| for (cluster_map_t::iterator iter = m_cluster_map.begin (); |
| iter != m_cluster_map.end (); ++iter) |
| { |
| const region *base_reg = (*iter).first; |
| binding_cluster *cluster = (*iter).second; |
| cluster->get_representative_path_vars (model, visited, base_reg, sval, |
| out_pvs); |
| } |
| |
| if (const initial_svalue *init_sval = sval->dyn_cast_initial_svalue ()) |
| { |
| const region *reg = init_sval->get_region (); |
| if (path_var pv = model->get_representative_path_var (reg, |
| visited)) |
| out_pvs->safe_push (pv); |
| } |
| } |
| |
| /* Remove all bindings overlapping REG within this store, removing |
| any clusters that become redundant. |
| |
| If UNCERTAINTY is non-NULL, use it to record any svalues that |
| were removed, as being maybe-bound. */ |
| |
| void |
| store::remove_overlapping_bindings (store_manager *mgr, const region *reg, |
| uncertainty_t *uncertainty) |
| { |
| const region *base_reg = reg->get_base_region (); |
| if (binding_cluster **cluster_slot = m_cluster_map.get (base_reg)) |
| { |
| binding_cluster *cluster = *cluster_slot; |
| if (reg == base_reg && !escaped_p (base_reg)) |
| { |
| /* Remove whole cluster. */ |
| m_cluster_map.remove (base_reg); |
| delete cluster; |
| return; |
| } |
| cluster->remove_overlapping_bindings (mgr, reg, uncertainty); |
| } |
| } |
| |
| /* Subclass of visitor that accumulates a hash_set of the regions that |
| were visited. */ |
| |
| struct region_finder : public visitor |
| { |
| void visit_region (const region *reg) final override |
| { |
| m_regs.add (reg); |
| } |
| |
| hash_set<const region *> m_regs; |
| }; |
| |
| /* Canonicalize this store, to maximize the chance of equality between |
| instances. */ |
| |
| void |
| store::canonicalize (store_manager *mgr) |
| { |
| /* If we have e.g.: |
| cluster for: HEAP_ALLOCATED_REGION(543) |
| ESCAPED |
| TOUCHED |
| where the heap region is empty and unreferenced, then purge that |
| cluster, to avoid unbounded state chains involving these. */ |
| |
| /* Find regions that are referenced by bound values in the store. */ |
| region_finder s; |
| for (cluster_map_t::iterator iter = m_cluster_map.begin (); |
| iter != m_cluster_map.end (); ++iter) |
| { |
| binding_cluster *cluster = (*iter).second; |
| for (binding_cluster::iterator_t bind_iter = cluster->m_map.begin (); |
| bind_iter != cluster->m_map.end (); ++bind_iter) |
| (*bind_iter).second->accept (&s); |
| } |
| |
| /* Locate heap-allocated regions that have empty bindings that weren't |
| found above. */ |
| hash_set<const region *> purgeable_regions; |
| for (cluster_map_t::iterator iter = m_cluster_map.begin (); |
| iter != m_cluster_map.end (); ++iter) |
| { |
| const region *base_reg = (*iter).first; |
| binding_cluster *cluster = (*iter).second; |
| if (base_reg->get_kind () == RK_HEAP_ALLOCATED) |
| { |
| /* Don't purge a heap-allocated region that's been marked as |
| escaping, since this could be recording that a ptr to it |
| was written to an unknown symbolic region along this |
| path, and so we don't know whether it's referenced or |
| not, and hence should report it as leaking |
| (PR analyzer/106473). */ |
| if (cluster->escaped_p ()) |
| continue; |
| |
| if (cluster->empty_p ()) |
| if (!s.m_regs.contains (base_reg)) |
| purgeable_regions.add (base_reg); |
| |
| /* Also cover the UNKNOWN case. */ |
| if (const svalue *sval = cluster->maybe_get_simple_value (mgr)) |
| if (sval->get_kind () == SK_UNKNOWN) |
| if (!s.m_regs.contains (base_reg)) |
| purgeable_regions.add (base_reg); |
| } |
| } |
| |
| /* Purge them. */ |
| for (hash_set<const region *>::iterator iter = purgeable_regions.begin (); |
| iter != purgeable_regions.end (); ++iter) |
| { |
| const region *base_reg = *iter; |
| purge_cluster (base_reg); |
| } |
| } |
| |
| /* Subroutine for use by exploded_path::feasible_p. |
| |
| We need to deal with state differences between: |
| (a) when the exploded_graph is being initially constructed and |
| (b) when replaying the state changes along a specific path in |
| in exploded_path::feasible_p. |
| |
| In (a), state merging happens, so when exploring a loop |
| for (i = 0; i < 1024; i++) |
| on successive iterations we have i == 0, then i == WIDENING. |
| |
| In (b), no state merging happens, so naively replaying the path |
| that goes twice through the loop then exits it |
| would lead to i == 0, then i == 1, and then a (i >= 1024) eedge |
| that exits the loop, which would be found to be infeasible as i == 1, |
| and the path would be rejected. |
| |
| We need to fix up state during replay. This subroutine is |
| called whenever we enter a supernode that we've already |
| visited along this exploded_path, passing in OTHER_STORE |
| from the destination enode's state. |
| |
| Find bindings to widening values in OTHER_STORE. |
| For all that are found, update the binding in this store to UNKNOWN. */ |
| |
| void |
| store::loop_replay_fixup (const store *other_store, |
| region_model_manager *mgr) |
| { |
| gcc_assert (other_store); |
| for (cluster_map_t::iterator iter = other_store->m_cluster_map.begin (); |
| iter != other_store->m_cluster_map.end (); ++iter) |
| { |
| const region *base_reg = (*iter).first; |
| binding_cluster *cluster = (*iter).second; |
| for (binding_cluster::iterator_t bind_iter = cluster->m_map.begin (); |
| bind_iter != cluster->m_map.end (); ++bind_iter) |
| { |
| const binding_key *key = (*bind_iter).first; |
| const svalue *sval = (*bind_iter).second; |
| if (sval->get_kind () == SK_WIDENING) |
| { |
| binding_cluster *this_cluster |
| = get_or_create_cluster (base_reg); |
| const svalue *unknown |
| = mgr->get_or_create_unknown_svalue (sval->get_type ()); |
| this_cluster->bind_key (key, unknown); |
| } |
| } |
| } |
| } |
| |
| /* Use R to replay the bindings from SUMMARY into this object. */ |
| |
| void |
| store::replay_call_summary (call_summary_replay &r, |
| const store &summary) |
| { |
| if (summary.m_called_unknown_fn) |
| { |
| /* A call to an external function occurred in the summary. |
| Hence we need to invalidate our knownledge of globals, |
| escaped regions, etc. */ |
| on_unknown_fncall (r.get_call_stmt (), |
| r.get_store_manager (), |
| conjured_purge (r.get_caller_model (), |
| r.get_ctxt ())); |
| } |
| |
| auto_vec<const region *> keys (summary.m_cluster_map.elements ()); |
| for (auto kv : summary.m_cluster_map) |
| keys.quick_push (kv.first); |
| keys.qsort (region::cmp_ptr_ptr); |
| for (auto base_reg : keys) |
| replay_call_summary_cluster (r, summary, base_reg); |
| } |
| |
| /* Use R and SUMMARY to replay the bindings in SUMMARY_CLUSTER |
| into this object. */ |
| |
| void |
| store::replay_call_summary_cluster (call_summary_replay &r, |
| const store &summary, |
| const region *summary_base_reg) |
| { |
| const call_details &cd = r.get_call_details (); |
| region_model_manager *reg_mgr = r.get_manager (); |
| store_manager *mgr = reg_mgr->get_store_manager (); |
| const binding_cluster *summary_cluster |
| = summary.get_cluster (summary_base_reg); |
| |
| /* Handle "ESCAPED" and "TOUCHED" flags. */ |
| if (summary_cluster->escaped_p () || summary_cluster->touched_p ()) |
| if (const region *caller_reg |
| = r.convert_region_from_summary (summary_base_reg)) |
| { |
| const region *caller_base_reg = caller_reg->get_base_region (); |
| if (caller_base_reg->tracked_p () |
| && !caller_base_reg->symbolic_for_unknown_ptr_p ()) |
| { |
| binding_cluster *caller_cluster |
| = get_or_create_cluster (caller_base_reg); |
| if (summary_cluster->escaped_p ()) |
| caller_cluster->mark_as_escaped (); |
| if (summary_cluster->touched_p ()) |
| caller_cluster->m_touched = true; |
| } |
| } |
| |
| switch (summary_base_reg->get_kind ()) |
| { |
| /* Top-level regions. */ |
| case RK_FRAME: |
| case RK_GLOBALS: |
| case RK_CODE: |
| case RK_STACK: |
| case RK_HEAP: |
| case RK_THREAD_LOCAL: |
| case RK_ROOT:
|