analyzer: fix missing check for uninit of return values

When moving the -fanalyzer tests for -ftrivial-auto-var-init to the "torture" subdirectory of gcc.dg/analyzer I noticed that -fanalyzer wasn't always properly checking for initialization of return values. The issue was that some "return" handling was using region_model::copy_region to copy to the RESULT_DECL, and copy_region wasn't checking for poisoned svalues. This patch eliminates region_model::copy_region in favor of simply doing a get_ravlue/set_value pair, fixing the issue. gcc/analyzer/ChangeLog: * region-model.cc (region_model::on_return): Replace usage of copy_region with get_rvalue/set_value pair. (region_model::pop_frame): Likewise. (selftest::test_compound_assignment): Likewise. * region-model.h (region_model::copy_region): Delete decl. * region.cc (region_model::copy_region): Delete. gcc/testsuite/ChangeLog: * gcc.dg/analyzer/torture/ubsan-1.c: Add missing return stmts. * gcc.dg/analyzer/uninit-trivial-auto-var-init-pattern.c: Move to... * gcc.dg/analyzer/torture/uninit-trivial-auto-var-init-pattern.c: ...here. * gcc.dg/analyzer/uninit-trivial-auto-var-init-uninitialized.c: Move to... * gcc.dg/analyzer/torture/uninit-trivial-auto-var-init-uninitialized.c: ...here. * gcc.dg/analyzer/uninit-trivial-auto-var-init-zero.c: Move to... * gcc.dg/analyzer/torture/uninit-trivial-auto-var-init-zero.c: ...here. Signed-off-by: David Malcolm <dmalcolm@redhat.com>
2022-01-28 13:37:51 -05:00 · 2022-01-28 13:37:51 -05:00 · 13ad6d9f50
commit 13ad6d9f50
parent ea3e191595
10 changed files with 43 additions and 48 deletions
--- a/gcc/analyzer/region-model.cc
+++ b/gcc/analyzer/region-model.cc
@ -1559,7 +1559,11 @@ region_model::on_return (const greturn *return_stmt, region_model_context *ctxt)
  tree rhs = gimple_return_retval (return_stmt);

  if (lhs && rhs)
-    copy_region (get_lvalue (lhs, ctxt), get_lvalue (rhs, ctxt), ctxt);
+    {
+      const svalue *sval = get_rvalue (rhs, ctxt);
+      const region *ret_reg = get_lvalue (lhs, ctxt);
+      set_value (ret_reg, sval, ctxt);
+    }
 }

 /* Update this model for a call and return of setjmp/sigsetjmp at CALL within
@ -3618,15 +3622,11 @@ region_model::pop_frame (const region *result_dst_reg,
  tree result = DECL_RESULT (fndecl);
  if (result && TREE_TYPE (result) != void_type_node)
    {
+      const svalue *retval = get_rvalue (result, ctxt);
      if (result_dst_reg)
-	{
-	  /* Copy the result to RESULT_DST_REG.  */
-	  copy_region (result_dst_reg,
-		       get_lvalue (result, ctxt),
-		       ctxt);
-	}
+	set_value (result_dst_reg, retval, ctxt);
      if (out_result)
-	*out_result = get_rvalue (result, ctxt);
+	*out_result = retval;
    }

  /* Pop the frame.  */
@ -4758,8 +4758,9 @@ test_compound_assignment ()
  model.set_value (c_y, int_m3, NULL);

  /* Copy c to d.  */
-  model.copy_region (model.get_lvalue (d, NULL), model.get_lvalue (c, NULL),
-		     NULL);
+  const svalue *sval = model.get_rvalue (c, NULL);
+  model.set_value (model.get_lvalue (d, NULL), sval, NULL);
+
  /* Check that the fields have the same svalues.  */
  ASSERT_EQ (model.get_rvalue (c_x, NULL), model.get_rvalue (d_x, NULL));
  ASSERT_EQ (model.get_rvalue (c_y, NULL), model.get_rvalue (d_y, NULL));
--- a/gcc/analyzer/region-model.h
+++ b/gcc/analyzer/region-model.h
@ -676,8 +676,6 @@ class region_model
  void zero_fill_region (const region *reg);
  void mark_region_as_unknown (const region *reg, uncertainty_t *uncertainty);

-  void copy_region (const region *dst_reg, const region *src_reg,
-		    region_model_context *ctxt);
  tristate eval_condition (const svalue *lhs,
 			   enum tree_code op,
 			   const svalue *rhs) const;
--- a/gcc/analyzer/region.cc
+++ b/gcc/analyzer/region.cc
@ -539,21 +539,6 @@ region::get_relative_concrete_offset (bit_offset_t *) const
  return false;
 }

-/* Copy from SRC_REG to DST_REG, using CTXT for any issues that occur.  */
-
-void
-region_model::copy_region (const region *dst_reg, const region *src_reg,
-			   region_model_context *ctxt)
-{
-  gcc_assert (dst_reg);
-  gcc_assert (src_reg);
-  if (dst_reg == src_reg)
-    return;
-
-  const svalue *sval = get_store_value (src_reg, ctxt);
-  set_value (dst_reg, sval, ctxt);
-}
-
 /* Dump a description of this region to stderr.  */

 DEBUG_FUNCTION void
--- a/gcc/testsuite/gcc.dg/analyzer/torture/ubsan-1.c
+++ b/gcc/testsuite/gcc.dg/analyzer/torture/ubsan-1.c
@ -19,6 +19,7 @@ int test_2 (int *arr, int i, int n)
    __analyzer_eval (arr[i]); /* { dg-warning "TRUE" } */
  else
    __analyzer_eval (arr[i]); /* { dg-warning "FALSE" } */
+  return 1;
 }

 int test_3 (int arr[], int i, int n)
@ -29,6 +30,7 @@ int test_3 (int arr[], int i, int n)
    __analyzer_eval (arr[i]); /* { dg-warning "TRUE" } */
  else
    __analyzer_eval (arr[i]); /* { dg-warning "FALSE" } */
+  return 1;
 }

 void test_4 (int i, int n)
--- a/gcc/testsuite/gcc.dg/analyzer/torture/uninit-trivial-auto-var-init-pattern.c
+++ b/gcc/testsuite/gcc.dg/analyzer/torture/uninit-trivial-auto-var-init-pattern.c
@ -0,0 +1,10 @@
+/* { dg-skip-if "" { *-*-* } { "-fno-fat-lto-objects" } { "" } } */
+/* { dg-additional-options "-ftrivial-auto-var-init=pattern" } */
+
+int test_1 (void)
+{
+  int i; /* { dg-message "region created on stack here" } */
+  return i; /* { dg-warning "use of uninitialized value 'i.*'" } */
+  /* FIXME: the LTO build sometimes shows SSA names here
+     (PR analyzer/94976).  */
+}
--- a/gcc/testsuite/gcc.dg/analyzer/torture/uninit-trivial-auto-var-init-uninitialized.c
+++ b/gcc/testsuite/gcc.dg/analyzer/torture/uninit-trivial-auto-var-init-uninitialized.c
@ -0,0 +1,10 @@
+/* { dg-skip-if "" { *-*-* } { "-fno-fat-lto-objects" } { "" } } */
+/* { dg-additional-options "-ftrivial-auto-var-init=uninitialized" } */
+
+int test_1 (void)
+{
+  int i; /* { dg-message "region created on stack here" } */
+  return i; /* { dg-warning "use of uninitialized value 'i.*'" } */
+  /* FIXME: the LTO build sometimes shows SSA names here
+     (PR analyzer/94976).  */
+}
--- a/gcc/testsuite/gcc.dg/analyzer/torture/uninit-trivial-auto-var-init-zero.c
+++ b/gcc/testsuite/gcc.dg/analyzer/torture/uninit-trivial-auto-var-init-zero.c
@ -0,0 +1,10 @@
+/* { dg-skip-if "" { *-*-* } { "-fno-fat-lto-objects" } { "" } } */
+/* { dg-additional-options "-ftrivial-auto-var-init=zero" } */
+
+int test_1 (void)
+{
+  int i; /* { dg-message "region created on stack here" } */
+  return i; /* { dg-warning "use of uninitialized value 'i.*'" } */
+  /* FIXME: the LTO build sometimes shows SSA names here
+     (PR analyzer/94976).  */
+}
--- a/gcc/testsuite/gcc.dg/analyzer/uninit-trivial-auto-var-init-pattern.c
+++ b/gcc/testsuite/gcc.dg/analyzer/uninit-trivial-auto-var-init-pattern.c
@ -1,7 +0,0 @@
-/* { dg-additional-options "-ftrivial-auto-var-init=pattern" } */
-
-int test_1 (void)
-{
-  int i; /* { dg-message "region created on stack here" } */
-  return i; /* { dg-warning "use of uninitialized value 'i'" } */
-}
--- a/gcc/testsuite/gcc.dg/analyzer/uninit-trivial-auto-var-init-uninitialized.c
+++ b/gcc/testsuite/gcc.dg/analyzer/uninit-trivial-auto-var-init-uninitialized.c
@ -1,7 +0,0 @@
-/* { dg-additional-options "-ftrivial-auto-var-init=uninitialized" } */
-
-int test_1 (void)
-{
-  int i; /* { dg-message "region created on stack here" } */
-  return i; /* { dg-warning "use of uninitialized value 'i'" } */
-}
--- a/gcc/testsuite/gcc.dg/analyzer/uninit-trivial-auto-var-init-zero.c
+++ b/gcc/testsuite/gcc.dg/analyzer/uninit-trivial-auto-var-init-zero.c
@ -1,7 +0,0 @@
-/* { dg-additional-options "-ftrivial-auto-var-init=zero" } */
-
-int test_1 (void)
-{
-  int i; /* { dg-message "region created on stack here" } */
-  return i; /* { dg-warning "use of uninitialized value 'i'" } */
-}