467a482052
PR analyzer/98969 and PR analyzer/99064 describe ICEs, in both cases within print_mem_ref, when falsely reporting memory leaks - though it is possible to generate the ICE on other diagnostics (which I added in one of the test cases).

This patch fixes the ICE, leaving the fix for the leak false positives as followup work.

The analyzer uses region_model::get_representative_path_var and region_model::get_representative_tree to map back from its svalue and region classes to the tree type used by the rest of the compiler, and, in particular, for diagnostics.

The root cause of the ICE is sloppiness about types within those functions; specifically when casts were stripped off svalues. To track these down I added wrapper functions that verify that the types of the results are correct, and in doing so found various other type-safety issues, which the patch also fixes.

Doing so led to various changes in diagnostics messages due to more accurate types, but I felt that these changes weren't desirable. For example, the warning at CVE-2005-1689-minimal.c line 48 which expects:

  double-'free' of 'inbuf.data'

changed to

  double-'free' of '(char *)inbuf.data'

So I added stripping of top-level casts where necessary to avoid cluttering diagnostics.

Finally, the more accurate types led to worse results from readability_comparator, where e.g. the event message at line 50 of sensitive-1.c regressed from the precise:

  passing sensitive value 'password' in call to 'called_by_test_5' from 'test_5'

to the vaguer:

  calling 'called_by_test_5' from 'test_5'

This was due to erroneously picking the initial value of "password" in the caller frame as the best value within the *callee* frame, due to "char *" vs "const char *", which confuses the logic for tracking values that pass along callgraph edges. The patch fixes this by combining the readability tests for tree and stack depth, rather than performing them in sequence, so that it favors the value in the deepest frame.

As noted above, the patch fixes the ICEs, but does not fix the leak false positives.

gcc/analyzer/ChangeLog:
	PR analyzer/98969
	* engine.cc (readability): Add names for the various arbitrary
	values.  Handle NOP_EXPR and INTEGER_CST.
	(readability_comparator): Combine the readability tests for
	tree and stack depth, rather than performing them sequentially.
	(impl_region_model_context::on_state_leak): Strip off top-level
	casts.
	* region-model.cc (region_model::get_representative_path_var): Add
	type-checking, moving the bulk of the implementation to...
	(region_model::get_representative_path_var_1): ...here.  Respect
	types in casts by recursing and re-adding the cast, rather than
	merely stripping them off.  Use the correct type when handling
	region_svalue.
	(region_model::get_representative_tree): Strip off any top-level
	cast.
	(region_model::get_representative_path_var): Add type-checking,
	moving the bulk of the implementation to...
	(region_model::get_representative_path_var_1): ...here.
	* region-model.h (region_model::get_representative_path_var_1): New
	decl (region_model::get_representative_path_var_1): New decl.
	* store.cc (append_pathvar_with_type): New.
	(binding_cluster::get_representative_path_vars): Cast path_vars to
	the correct type when adding them to *OUT_PVS.

gcc/testsuite/ChangeLog:
	PR analyzer/98969
	* g++.dg/analyzer/pr99064.C: New test.
	* gcc.dg/analyzer/pr98969.c: New test.
This directory contains the GNU Compiler Collection (GCC).

The GNU Compiler Collection is free software. See the files whose names start with COPYING for copying permission. The manuals, and some of the runtime libraries, are under different terms; see the individual source files for details.

The directory INSTALL contains copies of the installation information as HTML and plain text. The source of this information is gcc/doc/install.texi. The installation information includes details of what is included in the GCC sources and what files GCC installs.

See the file gcc/doc/gcc.texi (together with other files that it includes) for usage and porting information. An online readable version of the manual is in the files gcc/doc/gcc.info*.

See http://gcc.gnu.org/bugs/ for how to report bugs usefully.

Copyright years on GCC source files may be listed using range notation, e.g., 1987-2012, indicating that every year in the range, inclusive, is a copyrightable year that could otherwise be listed individually.