analyzer: fix escaping of pointer arithmetic [PR105264]

PR analyzer/105264 reports that the analyzer can fail to treat
(PTR + IDX) and PTR[IDX] as referring to the same memory under
some situations.

There are various ways in which this can happen when IDX is a
symbolic value, due to having several ways in which such memory
regions can be referred to symbolically.  I attempted to fix this by
being smarter when folding svalues and regions, but this fix
seems too fiddly to attempt in stage 4.

Instead, this less ambitious patch fixes a false positive from
-Wanalyzer-use-of-uninitialized-value by making the analyzer's escape
analysis smarter, so that it treats *PTR as escaping when
(PTR + OFFSET) is passed to an external function, and thus
it treats *PTR as possibly-initialized (the "passing &PTR[IDX]" case
was already working).

gcc/analyzer/ChangeLog:
	PR analyzer/105264
	* region-model-reachability.cc (reachable_regions::handle_parm):
	Use maybe_get_deref_base_region rather than just region_svalue, to
	handle pointer arithmetic also.
	* svalue.cc (svalue::maybe_get_deref_base_region): New.
	* svalue.h (svalue::maybe_get_deref_base_region): New decl.

gcc/testsuite/ChangeLog:
	PR analyzer/105264
	* gcc.dg/analyzer/torture/symbolic-10.c: New test.

Signed-off-by: David Malcolm <dmalcolm@redhat.com>
This commit is contained in:
David Malcolm 2022-04-14 09:52:00 -04:00
parent af27d545dc
commit a358e4b608
4 changed files with 86 additions and 6 deletions

View File

@ -252,12 +252,8 @@ reachable_regions::handle_parm (const svalue *sval, tree param_type)
m_mutable_svals.add (sval); m_mutable_svals.add (sval);
else else
m_reachable_svals.add (sval); m_reachable_svals.add (sval);
if (const region_svalue *parm_ptr if (const region *base_reg = sval->maybe_get_deref_base_region ())
= sval->dyn_cast_region_svalue ()) add (base_reg, is_mutable);
{
const region *pointee_reg = parm_ptr->get_pointee ();
add (pointee_reg, is_mutable);
}
/* Treat all svalues within a compound_svalue as reachable. */ /* Treat all svalues within a compound_svalue as reachable. */
if (const compound_svalue *compound_sval if (const compound_svalue *compound_sval
= sval->dyn_cast_compound_svalue ()) = sval->dyn_cast_compound_svalue ())

View File

@ -651,6 +651,48 @@ svalue::all_zeroes_p () const
return false; return false;
} }
/* If this svalue is a pointer, attempt to determine the base region it points
to. Return NULL on any problems. */
const region *
svalue::maybe_get_deref_base_region () const
{
const svalue *iter = this;
while (1)
{
switch (iter->get_kind ())
{
default:
return NULL;
case SK_REGION:
{
const region_svalue *region_sval
= as_a <const region_svalue *> (iter);
return region_sval->get_pointee ()->get_base_region ();
}
case SK_BINOP:
{
const binop_svalue *binop_sval
= as_a <const binop_svalue *> (iter);
switch (binop_sval->get_op ())
{
case POINTER_PLUS_EXPR:
/* If we have a symbolic value expressing pointer arithmetic,
use the LHS. */
iter = binop_sval->get_arg0 ();
continue;
default:
return NULL;
}
return NULL;
}
}
}
}
/* class region_svalue : public svalue. */ /* class region_svalue : public svalue. */
/* Implementation of svalue::dump_to_pp vfunc for region_svalue. */ /* Implementation of svalue::dump_to_pp vfunc for region_svalue. */

View File

@ -175,6 +175,8 @@ public:
per-type and thus it's meaningless for them to "have state". */ per-type and thus it's meaningless for them to "have state". */
virtual bool can_have_associated_state_p () const { return true; } virtual bool can_have_associated_state_p () const { return true; }
const region *maybe_get_deref_base_region () const;
protected: protected:
svalue (complexity c, tree type) svalue (complexity c, tree type)
: m_complexity (c), m_type (type) : m_complexity (c), m_type (type)

View File

@ -0,0 +1,40 @@
/* Verify that -fanalyzer considers that mmfs escapes when passing either:
*(mmfs + i)
and
(&mmfs[i])
to an external function (for symbolic i). */
typedef struct s_mmfile {
char *ptr;
long size;
} mmfile_t;
void init_mmfile(mmfile_t *ptr);
long test__init_via_ptr_arith__read_via_array_idx(int i)
{
mmfile_t mmfs[3];
init_mmfile(mmfs + i);
return mmfs[i].size; /* { dg-bogus "uninit" } */
}
long test__init_via_array_idx__read_via_ptr_arith(int i)
{
mmfile_t mmfs[3];
init_mmfile(&mmfs[i]);
return (mmfs + i)->size; /* { dg-bogus "uninit" } */
}
long test__ptr_arith_for_both(int i)
{
mmfile_t mmfs[3];
init_mmfile(mmfs + i);
return (mmfs + i)->size; /* { dg-bogus "uninit" } */
}
long test__array_idx_for_both(int i)
{
mmfile_t mmfs[3];
init_mmfile(&mmfs[i]);
return mmfs[i].size; /* { dg-bogus "uninit" } */
}