[gcc r15-969] analyzer: detect -Wanalyzer-allocation-size at call stmts [PR106203]
David Malcolm
dmalcolm@gcc.gnu.org
Sat Jun 1 17:57:56 GMT 2024
https://gcc.gnu.org/g:2b0a7fe3abfbd47081f714a0a1263afe00c5cfd9
commit r15-969-g2b0a7fe3abfbd47081f714a0a1263afe00c5cfd9
Author: David Malcolm <dmalcolm@redhat.com>
Date: Sat Jun 1 13:50:32 2024 -0400
analyzer: detect -Wanalyzer-allocation-size at call stmts [PR106203]
gcc/analyzer/ChangeLog:
PR analyzer/106203
* checker-event.h: Include "analyzer/event-loc-info.h".
(struct event_loc_info): Move to its own header file.
* diagnostic-manager.cc
(diagnostic_manager::emit_saved_diagnostic): Move creation of
event_loc_info here from add_final_event, and if we have a
stmt_finder, call its update_event_loc_info method.
* engine.cc (leak_stmt_finder::update_event_loc_info): New.
(exploded_node::detect_leaks): Likewise.
(exploded_node::detect_leaks): Pass nullptr as call_stmt arg to
region_model::pop_frame.
* event-loc-info.h: New file, with content taken from
checker-event.h.
* exploded-graph.h (stmt_finder::update_event_loc_info): New pure
virtual function.
* infinite-loop.cc (infinite_loop_diagnostic::add_final_event):
Update for change to vfunc signature.
* infinite-recursion.cc
(infinite_recursion_diagnostic::add_final_event): Likewise.
* pending-diagnostic.cc (pending_diagnostic::add_final_event):
Pass in the event_loc_info from the caller, rather than generating
it from a gimple stmt and enode.
* pending-diagnostic.h (pending_diagnostic::add_final_event):
Likewise.
* region-model.cc (region_model::on_longjmp): Pass nullptr as
call_stmt arg to region_model::pop_frame.
(region_model::update_for_return_gcall): Likewise, but pass
call_stmt.
(class caller_context): New.
(region_model::pop_frame): Add "call_stmt" argument. Use it
and the frame_region with a caller_context when setting
result_dst_reg's value so that any diagnostic is reported at the
call stmt in the caller.
(selftest::test_stack_frames): Pass nullptr as call_stmt arg to
region_model::pop_frame.
(selftest::test_alloca): Likewise.
* region-model.h (region_model::pop_frame): Add "call_stmt"
argument.
gcc/testsuite/ChangeLog:
PR analyzer/106203
* c-c++-common/analyzer/allocation-size-1.c (test_9): Remove
xfail.
* c-c++-common/analyzer/allocation-size-2.c (test_8): Likewise.
* gcc.dg/analyzer/allocation-size-multiline-4.c: New test.
* gcc.dg/plugin/analyzer_cpython_plugin.c
(refcnt_stmt_finder::update_event_loc_info): New.
Signed-off-by: David Malcolm <dmalcolm@redhat.com>
Diff:
---
gcc/analyzer/checker-event.h | 14 +---
gcc/analyzer/diagnostic-manager.cc | 13 +++-
gcc/analyzer/engine.cc | 7 +-
gcc/analyzer/event-loc-info.h | 41 +++++++++++
gcc/analyzer/exploded-graph.h | 1 +
gcc/analyzer/infinite-loop.cc | 2 +-
gcc/analyzer/infinite-recursion.cc | 2 +-
gcc/analyzer/pending-diagnostic.cc | 6 +-
gcc/analyzer/pending-diagnostic.h | 2 +-
gcc/analyzer/region-model.cc | 84 ++++++++++++++++++++--
gcc/analyzer/region-model.h | 1 +
.../c-c++-common/analyzer/allocation-size-1.c | 8 +--
.../c-c++-common/analyzer/allocation-size-2.c | 8 +--
.../gcc.dg/analyzer/allocation-size-multiline-4.c | 64 +++++++++++++++++
.../gcc.dg/plugin/analyzer_cpython_plugin.c | 5 ++
15 files changed, 216 insertions(+), 42 deletions(-)
diff --git a/gcc/analyzer/checker-event.h b/gcc/analyzer/checker-event.h
index 7a4510ee81d..d0935aca985 100644
--- a/gcc/analyzer/checker-event.h
+++ b/gcc/analyzer/checker-event.h
@@ -23,22 +23,10 @@ along with GCC; see the file COPYING3. If not see
#include "tree-logical-location.h"
#include "analyzer/program-state.h"
+#include "analyzer/event-loc-info.h"
namespace ana {
-/* A bundle of location information for a checker_event. */
-
-struct event_loc_info
-{
- event_loc_info (location_t loc, tree fndecl, int depth)
- : m_loc (loc), m_fndecl (fndecl), m_depth (depth)
- {}
-
- location_t m_loc;
- tree m_fndecl;
- int m_depth;
-};
-
/* An enum for discriminating between the concrete subclasses of
checker_event. */
diff --git a/gcc/analyzer/diagnostic-manager.cc b/gcc/analyzer/diagnostic-manager.cc
index da98b9679cb..20e793d72c1 100644
--- a/gcc/analyzer/diagnostic-manager.cc
+++ b/gcc/analyzer/diagnostic-manager.cc
@@ -1588,8 +1588,17 @@ diagnostic_manager::emit_saved_diagnostic (const exploded_graph &eg,
We use the final enode from the epath, which might be different from
the sd.m_enode, as the dedupe code doesn't care about enodes, just
snodes. */
- sd.m_d->add_final_event (sd.m_sm, epath->get_final_enode (), sd.m_stmt,
- sd.m_var, sd.m_state, &emission_path);
+ {
+ const exploded_node *const enode = epath->get_final_enode ();
+ const gimple *stmt = sd.m_stmt;
+ event_loc_info loc_info (get_stmt_location (stmt, enode->get_function ()),
+ enode->get_function ()->decl,
+ enode->get_stack_depth ());
+ if (sd.m_stmt_finder)
+ sd.m_stmt_finder->update_event_loc_info (loc_info);
+ sd.m_d->add_final_event (sd.m_sm, enode, loc_info,
+ sd.m_var, sd.m_state, &emission_path);
+ }
/* The "final" event might not be final; if the saved_diagnostic has a
trailing eedge stashed, add any events for it. This is for use
diff --git a/gcc/analyzer/engine.cc b/gcc/analyzer/engine.cc
index 46d9b80f4f7..8b3706cdfa8 100644
--- a/gcc/analyzer/engine.cc
+++ b/gcc/analyzer/engine.cc
@@ -681,6 +681,11 @@ public:
return NULL;
}
+ void update_event_loc_info (event_loc_info &) final override
+ {
+ /* No-op. */
+ }
+
private:
const exploded_graph &m_eg;
tree m_var;
@@ -2056,7 +2061,7 @@ exploded_node::detect_leaks (exploded_graph &eg)
&old_state, &new_state, &uncertainty, NULL,
get_stmt ());
const svalue *result = NULL;
- new_state.m_region_model->pop_frame (NULL, &result, &ctxt);
+ new_state.m_region_model->pop_frame (NULL, &result, &ctxt, nullptr);
program_state::detect_leaks (old_state, new_state, result,
eg.get_ext_state (), &ctxt);
}
diff --git a/gcc/analyzer/event-loc-info.h b/gcc/analyzer/event-loc-info.h
new file mode 100644
index 00000000000..60b2035bd2c
--- /dev/null
+++ b/gcc/analyzer/event-loc-info.h
@@ -0,0 +1,41 @@
+/* A bundle of location information for a checker_event.
+ Copyright (C) 2019-2024 Free Software Foundation, Inc.
+ Contributed by David Malcolm <dmalcolm@redhat.com>.
+
+This file is part of GCC.
+
+GCC is free software; you can redistribute it and/or modify it
+under the terms of the GNU General Public License as published by
+the Free Software Foundation; either version 3, or (at your option)
+any later version.
+
+GCC is distributed in the hope that it will be useful, but
+WITHOUT ANY WARRANTY; without even the implied warranty of
+MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+General Public License for more details.
+
+You should have received a copy of the GNU General Public License
+along with GCC; see the file COPYING3. If not see
+<http://www.gnu.org/licenses/>. */
+
+#ifndef GCC_ANALYZER_EVENT_LOC_INFO_H
+#define GCC_ANALYZER_EVENT_LOC_INFO_H
+
+namespace ana {
+
+/* A bundle of location information for a checker_event. */
+
+struct event_loc_info
+{
+ event_loc_info (location_t loc, tree fndecl, int depth)
+ : m_loc (loc), m_fndecl (fndecl), m_depth (depth)
+ {}
+
+ location_t m_loc;
+ tree m_fndecl;
+ int m_depth;
+};
+
+} // namespace ana
+
+#endif /* GCC_ANALYZER_EVENT_LOC_INFO_H */
diff --git a/gcc/analyzer/exploded-graph.h b/gcc/analyzer/exploded-graph.h
index 642d69bbcc0..f847c01132a 100644
--- a/gcc/analyzer/exploded-graph.h
+++ b/gcc/analyzer/exploded-graph.h
@@ -1035,6 +1035,7 @@ public:
virtual ~stmt_finder () {}
virtual std::unique_ptr<stmt_finder> clone () const = 0;
virtual const gimple *find_stmt (const exploded_path &epath) = 0;
+ virtual void update_event_loc_info (event_loc_info &) = 0;
};
// TODO: split the above up?
diff --git a/gcc/analyzer/infinite-loop.cc b/gcc/analyzer/infinite-loop.cc
index a83b8130e43..8ba8e70acff 100644
--- a/gcc/analyzer/infinite-loop.cc
+++ b/gcc/analyzer/infinite-loop.cc
@@ -229,7 +229,7 @@ public:
/* Customize the location where the warning_event appears. */
void add_final_event (const state_machine *,
const exploded_node *enode,
- const gimple *,
+ const event_loc_info &,
tree,
state_machine::state_t,
checker_path *emission_path) final override
diff --git a/gcc/analyzer/infinite-recursion.cc b/gcc/analyzer/infinite-recursion.cc
index 6103c2b564f..ef8ae90ab08 100644
--- a/gcc/analyzer/infinite-recursion.cc
+++ b/gcc/analyzer/infinite-recursion.cc
@@ -183,7 +183,7 @@ public:
it at the topmost entrypoint to the function. */
void add_final_event (const state_machine *,
const exploded_node *enode,
- const gimple *,
+ const event_loc_info &,
tree,
state_machine::state_t,
checker_path *emission_path) final override
diff --git a/gcc/analyzer/pending-diagnostic.cc b/gcc/analyzer/pending-diagnostic.cc
index ff37ae6f7b4..b0637be179f 100644
--- a/gcc/analyzer/pending-diagnostic.cc
+++ b/gcc/analyzer/pending-diagnostic.cc
@@ -270,15 +270,13 @@ pending_diagnostic::add_region_creation_events (const region *reg,
void
pending_diagnostic::add_final_event (const state_machine *sm,
const exploded_node *enode,
- const gimple *stmt,
+ const event_loc_info &loc_info,
tree var, state_machine::state_t state,
checker_path *emission_path)
{
emission_path->add_event
(make_unique<warning_event>
- (event_loc_info (get_stmt_location (stmt, enode->get_function ()),
- enode->get_function ()->decl,
- enode->get_stack_depth ()),
+ (loc_info,
enode,
sm, var, state));
}
diff --git a/gcc/analyzer/pending-diagnostic.h b/gcc/analyzer/pending-diagnostic.h
index 288410af71a..ee1f6204f2d 100644
--- a/gcc/analyzer/pending-diagnostic.h
+++ b/gcc/analyzer/pending-diagnostic.h
@@ -371,7 +371,7 @@ class pending_diagnostic
of the called function. */
virtual void add_final_event (const state_machine *sm,
const exploded_node *enode,
- const gimple *stmt,
+ const event_loc_info &loc_info,
tree var, state_machine::state_t state,
checker_path *emission_path);
diff --git a/gcc/analyzer/region-model.cc b/gcc/analyzer/region-model.cc
index e71c6ec693b..d142d851a26 100644
--- a/gcc/analyzer/region-model.cc
+++ b/gcc/analyzer/region-model.cc
@@ -2331,7 +2331,7 @@ region_model::on_longjmp (const gcall *longjmp_call, const gcall *setjmp_call,
setjmp was called. */
gcc_assert (get_stack_depth () >= setjmp_stack_depth);
while (get_stack_depth () > setjmp_stack_depth)
- pop_frame (NULL, NULL, ctxt, false);
+ pop_frame (NULL, NULL, ctxt, nullptr, false);
gcc_assert (get_stack_depth () == setjmp_stack_depth);
@@ -5673,7 +5673,7 @@ region_model::update_for_return_gcall (const gcall *call_stmt,
so that pop_frame can determine the region with respect to the
*caller* frame. */
tree lhs = gimple_call_lhs (call_stmt);
- pop_frame (lhs, NULL, ctxt);
+ pop_frame (lhs, NULL, ctxt, call_stmt);
}
/* Extract calling information from the superedge and update the model for the
@@ -6083,6 +6083,70 @@ region_model::get_current_function () const
return &frame->get_function ();
}
+/* Custom region_model_context for the assignment to the result
+ at a call statement when popping a frame (PR analyzer/106203). */
+
+class caller_context : public region_model_context_decorator
+{
+public:
+ caller_context (region_model_context *inner,
+ const gcall *call_stmt,
+ const frame_region &caller_frame)
+ : region_model_context_decorator (inner),
+ m_call_stmt (call_stmt),
+ m_caller_frame (caller_frame)
+ {}
+ bool warn (std::unique_ptr<pending_diagnostic> d,
+ const stmt_finder *custom_finder) override
+ {
+ if (m_inner && custom_finder == nullptr)
+ {
+ /* Custom stmt_finder to use m_call_stmt for the
+ diagnostic. */
+ class my_finder : public stmt_finder
+ {
+ public:
+ my_finder (const gcall *call_stmt,
+ const frame_region &caller_frame)
+ : m_call_stmt (call_stmt),
+ m_caller_frame (caller_frame)
+ {}
+ std::unique_ptr<stmt_finder> clone () const override
+ {
+ return ::make_unique<my_finder> (m_call_stmt, m_caller_frame);
+ }
+ const gimple *find_stmt (const exploded_path &) override
+ {
+ return m_call_stmt;
+ }
+ void update_event_loc_info (event_loc_info &loc_info) final override
+ {
+ loc_info.m_fndecl = m_caller_frame.get_fndecl ();
+ loc_info.m_depth = m_caller_frame.get_stack_depth ();
+ }
+
+ private:
+ const gcall *m_call_stmt;
+ const frame_region &m_caller_frame;
+ };
+ my_finder finder (m_call_stmt, m_caller_frame);
+ return m_inner->warn (std::move (d), &finder);
+ }
+ else
+ return region_model_context_decorator::warn (std::move (d),
+ custom_finder);
+ }
+ const gimple *get_stmt () const override
+ {
+ return m_call_stmt;
+ };
+
+private:
+ const gcall *m_call_stmt;
+ const frame_region &m_caller_frame;
+};
+
+
/* Pop the topmost frame_region from this region_model's stack;
If RESULT_LVALUE is non-null, copy any return value from the frame
@@ -6091,6 +6155,9 @@ region_model::get_current_function () const
If OUT_RESULT is non-null, copy any return value from the frame
into *OUT_RESULT.
+ If non-null, use CALL_STMT as the location when complaining about
+ assignment of the return value to RESULT_LVALUE.
+
If EVAL_RETURN_SVALUE is false, then don't evaluate the return value.
This is for use when unwinding frames e.g. due to longjmp, to suppress
erroneously reporting uninitialized return values.
@@ -6103,6 +6170,7 @@ void
region_model::pop_frame (tree result_lvalue,
const svalue **out_result,
region_model_context *ctxt,
+ const gcall *call_stmt,
bool eval_return_svalue)
{
gcc_assert (m_current_frame);
@@ -6137,7 +6205,13 @@ region_model::pop_frame (tree result_lvalue,
/* Compute result_dst_reg using RESULT_LVALUE *after* popping
the frame, but before poisoning pointers into the old frame. */
const region *result_dst_reg = get_lvalue (result_lvalue, ctxt);
- set_value (result_dst_reg, retval, ctxt);
+
+ /* Assign retval to result_dst_reg, using caller_context
+ to set the call_stmt and the popped_frame for any diagnostics
+ due to the assignment. */
+ gcc_assert (m_current_frame);
+ caller_context caller_ctxt (ctxt, call_stmt, *m_current_frame);
+ set_value (result_dst_reg, retval, call_stmt ? &caller_ctxt : ctxt);
}
unbind_region_and_descendents (frame_reg,POISON_KIND_POPPED_STACK);
@@ -8130,7 +8204,7 @@ test_stack_frames ()
ASSERT_FALSE (a_in_parent_reg->descendent_of_p (child_frame_reg));
/* Pop the "child_fn" frame from the stack. */
- model.pop_frame (NULL, NULL, &ctxt);
+ model.pop_frame (NULL, NULL, &ctxt, nullptr);
ASSERT_FALSE (model.region_exists_p (child_frame_reg));
ASSERT_TRUE (model.region_exists_p (parent_frame_reg));
@@ -9243,7 +9317,7 @@ test_alloca ()
/* Verify that the pointers to the alloca region are replaced by
poisoned values when the frame is popped. */
- model.pop_frame (NULL, NULL, &ctxt);
+ model.pop_frame (NULL, NULL, &ctxt, nullptr);
ASSERT_EQ (model.get_rvalue (p, NULL)->get_kind (), SK_POISONED);
}
diff --git a/gcc/analyzer/region-model.h b/gcc/analyzer/region-model.h
index 400d80b2568..1a0233f2e8a 100644
--- a/gcc/analyzer/region-model.h
+++ b/gcc/analyzer/region-model.h
@@ -363,6 +363,7 @@ class region_model
void pop_frame (tree result_lvalue,
const svalue **out_result,
region_model_context *ctxt,
+ const gcall *call_stmt,
bool eval_return_svalue = true);
int get_stack_depth () const;
const frame_region *get_frame_at_index (int index) const;
diff --git a/gcc/testsuite/c-c++-common/analyzer/allocation-size-1.c b/gcc/testsuite/c-c++-common/analyzer/allocation-size-1.c
index 05efc4f8028..5b4e7392782 100644
--- a/gcc/testsuite/c-c++-common/analyzer/allocation-size-1.c
+++ b/gcc/testsuite/c-c++-common/analyzer/allocation-size-1.c
@@ -103,13 +103,7 @@ void test_8 (void)
void test_9 (void)
{
- /* FIXME: At the moment, region_model::set_value (lhs, <return_value>)
- is called at the src_node of the return edge. This edge has no stmts
- associated with it, leading to a rejection of the warning inside
- impl_region_model_context::warn. To ensure that the indentation
- in the diagnostic is right, the warning has to be emitted on an EN
- that is after the return edge. */
- int32_t *buf = (int32_t *) create_buffer(42); /* { dg-warning "" "" { xfail *-*-* } } */
+ int32_t *buf = (int32_t *) create_buffer(42); /* { dg-warning "allocated buffer size is not a multiple of the pointee's size" } */
free (buf);
}
diff --git a/gcc/testsuite/c-c++-common/analyzer/allocation-size-2.c b/gcc/testsuite/c-c++-common/analyzer/allocation-size-2.c
index ff4cb563469..a9f92cf2d02 100644
--- a/gcc/testsuite/c-c++-common/analyzer/allocation-size-2.c
+++ b/gcc/testsuite/c-c++-common/analyzer/allocation-size-2.c
@@ -86,13 +86,7 @@ void test_7(int32_t n)
void test_8(int32_t n)
{
- /* FIXME: At the moment, region_model::set_value (lhs, <return_value>)
- is called at the src_node of the return edge. This edge has no stmts
- associated with it, leading to a rejection of the warning inside
- impl_region_model_context::warn. To ensure that the indentation
- in the diagnostic is right, the warning has to be emitted on an EN
- that is after the return edge. */
- int32_t *buf = (int32_t *)create_buffer(n * sizeof(int16_t)); /* { dg-warning "" "" { xfail *-*-* } } */
+ int32_t *buf = (int32_t *)create_buffer(n * sizeof(int16_t)); /* { dg-warning "allocated buffer size is not a multiple of the pointee's size" } */
free (buf);
}
diff --git a/gcc/testsuite/gcc.dg/analyzer/allocation-size-multiline-4.c b/gcc/testsuite/gcc.dg/analyzer/allocation-size-multiline-4.c
new file mode 100644
index 00000000000..6408ef800e1
--- /dev/null
+++ b/gcc/testsuite/gcc.dg/analyzer/allocation-size-multiline-4.c
@@ -0,0 +1,64 @@
+/* Verify that we report events that occur at returns from functions
+ with valid-looking interprocedural paths.
+
+ C only: there are only minor C/C++ differences in e.g. how the
+ function names are printed. Trying to handle both would overcomplicate
+ the test. */
+
+/* { dg-additional-options "-fdiagnostics-show-line-numbers" } */
+/* { dg-enable-nn-line-numbers "" } */
+/* { dg-additional-options "-fdiagnostics-path-format=inline-events" } */
+/* { dg-additional-options "-fdiagnostics-show-caret" } */
+/* { dg-additional-options "-fdiagnostics-show-path-depths" } */
+
+#include <stdlib.h>
+#include <stdint.h>
+
+void *create_buffer (int32_t n)
+{
+ return malloc(n);
+}
+
+void test_9 (void)
+{
+ int32_t *buf = (int32_t *) create_buffer(42); /* { dg-warning "allocated buffer size is not a multiple of the pointee's size" } */
+ free (buf);
+}
+
+/* { dg-begin-multiline-output "" }
+ NN | int32_t *buf = (int32_t *) create_buffer(42);
+ | ^~~~~~~~~~~~~~~~~
+ 'test_9': events 1-2 (depth 1)
+ |
+ | NN | void test_9 (void)
+ | | ^~~~~~
+ | | |
+ | | (1) entry to 'test_9'
+ | NN | {
+ | NN | int32_t *buf = (int32_t *) create_buffer(42);
+ | | ~~~~~~~~~~~~~~~~~
+ | | |
+ | | (2) calling 'create_buffer' from 'test_9'
+ |
+ +--> 'create_buffer': events 3-4 (depth 2)
+ |
+ | NN | void *create_buffer (int32_t n)
+ | | ^~~~~~~~~~~~~
+ | | |
+ | | (3) entry to 'create_buffer'
+ | NN | {
+ | NN | return malloc(n);
+ | | ~~~~~~~~~
+ | | |
+ | | (4) allocated 42 bytes here
+ |
+ <------+
+ |
+ 'test_9': event 5 (depth 1)
+ |
+ | NN | int32_t *buf = (int32_t *) create_buffer(42);
+ | | ^~~~~~~~~~~~~~~~~
+ | | |
+ | | (5) assigned to 'int32_t *'
+ |
+ { dg-end-multiline-output "" } */
diff --git a/gcc/testsuite/gcc.dg/plugin/analyzer_cpython_plugin.c b/gcc/testsuite/gcc.dg/plugin/analyzer_cpython_plugin.c
index 1fc43007cf1..b53b347bb4f 100644
--- a/gcc/testsuite/gcc.dg/plugin/analyzer_cpython_plugin.c
+++ b/gcc/testsuite/gcc.dg/plugin/analyzer_cpython_plugin.c
@@ -274,6 +274,11 @@ public:
return NULL;
}
+ void update_event_loc_info (event_loc_info &) final override
+ {
+ /* No-op. */
+ }
+
private:
const exploded_graph &m_eg;
tree m_var;
More information about the Gcc-cvs
mailing list