analyzer: avoid printing '<unknown>' for SSA names [PR99771]

We don't want to print '<unknown>' in our diagnostics, but PR analyzer/99771 lists various cases where -fanalyzer does, due to using the SSA_NAME for a temporary when determining the best tree to use. This can happen in two ways: (a) ...when a better expression than the SSA_NAME could be built, but finding it requires traversing the relationships in the region_model in a graph-like way, rather than by considering individual svalues and regions. (b) ...when the only remaining user of the underlying svalue is the SSA_NAME, typically due to the diagnostic referring to a temporary. I've been experimenting with fixing (a), but don't have a good fix yet. In the meantime, this patch addresses (b) by detecting if we have the SSA_NAME for a temporary, and, for the cases where it's possible, reconstructing a tree by walking the def-stmts. This fixes various cases of (b) and ameliorates some cases of (a). gcc/analyzer/ChangeLog: PR analyzer/99771 * analyzer.cc (maybe_reconstruct_from_def_stmt): New. (fixup_tree_for_diagnostic_1): New. (fixup_tree_for_diagnostic): New. * analyzer.h (fixup_tree_for_diagnostic): New decl. * checker-path.cc (call_event::get_desc): Call fixup_tree_for_diagnostic and use it for the call_with_state call. (warning_event::get_desc): Likewise for the final_event and make_label_text calls. * engine.cc (impl_region_model_context::on_state_leak): Likewise for the on_leak and add_diagnostic calls. * region-model.cc (region_model::get_representative_tree): Likewise for the result. gcc/testsuite/ChangeLog: PR analyzer/99771 * gcc.dg/analyzer/data-model-10.c: Update expected output. * gcc.dg/analyzer/malloc-ipa-13.c: Likewise. * gcc.dg/analyzer/malloc-ipa-13a.c: New test. * gcc.dg/analyzer/pr99771-1.c: New test.
2021-03-29 16:13:32 -04:00 · 2021-03-29 16:13:32 -04:00 · e4bb1bd60a
commit e4bb1bd60a
parent e7fd3b7832
9 changed files with 244 additions and 11 deletions
--- a/gcc/analyzer/analyzer.cc
+++ b/gcc/analyzer/analyzer.cc
@ -60,6 +60,134 @@ get_stmt_location (const gimple *stmt, function *fun)
  return stmt->location;
 }

+static tree
+fixup_tree_for_diagnostic_1 (tree expr, hash_set<tree> *visited);
+
+/*  Subroutine of fixup_tree_for_diagnostic_1, called on SSA names.
+    Attempt to reconstruct a a tree expression for SSA_NAME
+    based on its def-stmt.
+    SSA_NAME must be non-NULL.
+    VISITED must be non-NULL; it is used to ensure termination.
+
+    Return NULL_TREE if there is a problem.  */
+
+static tree
+maybe_reconstruct_from_def_stmt (tree ssa_name,
+				 hash_set<tree> *visited)
+{
+  /* Ensure termination.  */
+  if (visited->contains (ssa_name))
+    return NULL_TREE;
+  visited->add (ssa_name);
+
+  gimple *def_stmt = SSA_NAME_DEF_STMT (ssa_name);
+
+  switch (gimple_code (def_stmt))
+    {
+    default:
+      gcc_unreachable ();
+    case GIMPLE_NOP:
+    case GIMPLE_PHI:
+      /* Can't handle these.  */
+      return NULL_TREE;
+    case GIMPLE_ASSIGN:
+      {
+	enum tree_code code = gimple_assign_rhs_code (def_stmt);
+
+	/* Reverse the effect of extract_ops_from_tree during
+	   gimplification.  */
+	switch (get_gimple_rhs_class (code))
+	  {
+	  default:
+	  case GIMPLE_INVALID_RHS:
+	    gcc_unreachable ();
+	  case GIMPLE_TERNARY_RHS:
+	  case GIMPLE_BINARY_RHS:
+	  case GIMPLE_UNARY_RHS:
+	    {
+	      tree t = make_node (code);
+	      TREE_TYPE (t) = TREE_TYPE (ssa_name);
+	      unsigned num_rhs_args = gimple_num_ops (def_stmt) - 1;
+	      for (unsigned i = 0; i < num_rhs_args; i++)
+		{
+		  tree op = gimple_op (def_stmt, i + 1);
+		  if (op)
+		    {
+		      op = fixup_tree_for_diagnostic_1 (op, visited);
+		      if (op == NULL_TREE)
+			return NULL_TREE;
+		    }
+		  TREE_OPERAND (t, i) = op;
+		}
+	      return t;
+	    }
+	  case GIMPLE_SINGLE_RHS:
+	    {
+	      tree op = gimple_op (def_stmt, 1);
+	      op = fixup_tree_for_diagnostic_1 (op, visited);
+	      return op;
+	    }
+	  }
+      }
+      break;
+    case GIMPLE_CALL:
+      {
+	gcall *call_stmt = as_a <gcall *> (def_stmt);
+	tree return_type = gimple_call_return_type (call_stmt);
+	tree fn = fixup_tree_for_diagnostic_1 (gimple_call_fn (call_stmt),
+					       visited);
+	unsigned num_args = gimple_call_num_args (call_stmt);
+	auto_vec<tree> args (num_args);
+	for (unsigned i = 0; i < num_args; i++)
+	  {
+	    tree arg = gimple_call_arg (call_stmt, i);
+	    arg = fixup_tree_for_diagnostic_1 (arg, visited);
+	    if (arg == NULL_TREE)
+	      return NULL_TREE;
+	    args.quick_push (arg);
+	  }
+	return build_call_array_loc (gimple_location (call_stmt),
+				     return_type, fn,
+				     num_args, &args[0]);
+      }
+      break;
+    }
+}
+
+/* Subroutine of fixup_tree_for_diagnostic: attempt to fixup EXPR,
+   which can be NULL.
+   VISITED must be non-NULL; it is used to ensure termination.  */
+
+static tree
+fixup_tree_for_diagnostic_1 (tree expr, hash_set<tree> *visited)
+{
+  if (expr
+      && TREE_CODE (expr) == SSA_NAME
+      && (SSA_NAME_VAR (expr) == NULL_TREE
+	  || DECL_ARTIFICIAL (SSA_NAME_VAR (expr))))
+    if (tree expr2 = maybe_reconstruct_from_def_stmt (expr, visited))
+      return expr2;
+  return expr;
+}
+
+/* We don't want to print '<unknown>' in our diagnostics (PR analyzer/99771),
+   but sometimes we generate diagnostics involving an ssa name for a
+   temporary.
+
+   Work around this by attempting to reconstruct a tree expression for
+   such temporaries based on their def-stmts.
+
+   Otherwise return EXPR.
+
+   EXPR can be NULL.  */
+
+tree
+fixup_tree_for_diagnostic (tree expr)
+{
+  hash_set<tree> visited;
+  return fixup_tree_for_diagnostic_1 (expr, &visited);
+}
+
 } // namespace ana

 /* Helper function for checkers.  Is the CALL to the given function name,
--- a/gcc/analyzer/analyzer.h
+++ b/gcc/analyzer/analyzer.h
@ -108,6 +108,7 @@ extern void dump_quoted_tree (pretty_printer *pp, tree t);
 extern void print_quoted_type (pretty_printer *pp, tree t);
 extern int readability_comparator (const void *p1, const void *p2);
 extern int tree_cmp (const void *p1, const void *p2);
+extern tree fixup_tree_for_diagnostic (tree);

 /* A tree, extended with stack frame information for locals, so that
   we can distinguish between different values of locals within a potentially
--- a/gcc/analyzer/checker-path.cc
+++ b/gcc/analyzer/checker-path.cc
@ -634,12 +634,13 @@ call_event::get_desc (bool can_colorize) const
  if (m_critical_state && m_pending_diagnostic)
    {
      gcc_assert (m_var);
+      tree var = fixup_tree_for_diagnostic (m_var);
      label_text custom_desc
 	= m_pending_diagnostic->describe_call_with_state
 	    (evdesc::call_with_state (can_colorize,
 				      m_sedge->m_src->m_fun->decl,
 				      m_sedge->m_dest->m_fun->decl,
-				      m_var,
+				      var,
 				      m_critical_state));
      if (custom_desc.m_buffer)
 	return custom_desc;
@ -880,19 +881,20 @@ warning_event::get_desc (bool can_colorize) const
 {
  if (m_pending_diagnostic)
    {
+      tree var = fixup_tree_for_diagnostic (m_var);
      label_text ev_desc
 	= m_pending_diagnostic->describe_final_event
-	    (evdesc::final_event (can_colorize, m_var, m_state));
+	    (evdesc::final_event (can_colorize, var, m_state));
      if (ev_desc.m_buffer)
 	{
 	  if (m_sm && flag_analyzer_verbose_state_changes)
 	    {
 	      label_text result;
-	      if (m_var)
+	      if (var)
 		result = make_label_text (can_colorize,
 					  "%s (%qE is in state %qs)",
 					  ev_desc.m_buffer,
-					  m_var, m_state->get_name ());
+					  var, m_state->get_name ());
 	      else
 		result = make_label_text (can_colorize,
 					  "%s (in global state %qs)",
--- a/gcc/analyzer/engine.cc
+++ b/gcc/analyzer/engine.cc
@ -634,12 +634,13 @@ impl_region_model_context::on_state_leak (const state_machine &sm,
 	}
    }

-  pending_diagnostic *pd = sm.on_leak (leaked_tree);
+  tree leaked_tree_for_diag = fixup_tree_for_diagnostic (leaked_tree);
+  pending_diagnostic *pd = sm.on_leak (leaked_tree_for_diag);
  if (pd)
    m_eg->get_diagnostic_manager ().add_diagnostic
      (&sm, m_enode_for_diag, m_enode_for_diag->get_supernode (),
       m_stmt, &stmt_finder,
-       leaked_tree, sval, state, pd);
+       leaked_tree_for_diag, sval, state, pd);
 }

 /* Implementation of region_model_context::on_condition vfunc.
--- a/gcc/analyzer/region-model.cc
+++ b/gcc/analyzer/region-model.cc
@ -2325,9 +2325,9 @@ region_model::get_representative_tree (const svalue *sval) const

  /* Strip off any top-level cast.  */
  if (expr && TREE_CODE (expr) == NOP_EXPR)
-    return TREE_OPERAND (expr, 0);
+    expr = TREE_OPERAND (expr, 0);

-  return expr;
+  return fixup_tree_for_diagnostic (expr);
 }

 /* Implementation of region_model::get_representative_path_var.
--- a/gcc/testsuite/gcc.dg/analyzer/data-model-10.c
+++ b/gcc/testsuite/gcc.dg/analyzer/data-model-10.c
@ -12,6 +12,7 @@ test (void)
  if (!new_table)
    return NULL;
  new_table->m_f = (char **)malloc(sizeof(char **));
-  *new_table->m_f = NULL; /* { dg-warning "dereference of possibly-NULL '<unknown>'" } */ // FIXME: something better than "unknown" here
+  *new_table->m_f = NULL; /* { dg-warning "dereference of possibly-NULL '\\*new_table.m_f'" } */
+  /* { dg-message "'\\*new_table.m_f' could be NULL" "final event wording" { target *-*-* } .-1 } */
  return new_table;
 }
--- a/gcc/testsuite/gcc.dg/analyzer/malloc-ipa-13.c
+++ b/gcc/testsuite/gcc.dg/analyzer/malloc-ipa-13.c
@ -23,8 +23,7 @@ void test (struct foo f)

  do_stuff ();

-  calls_free (f.m_p); /* { dg-message "passing freed pointer '<unknown>' in call to 'calls_free' from 'test'" } */
-  // TODO: something better than '<unknown>'
+  calls_free (f.m_p); /* { dg-message "passing freed pointer 'f\\.m_p' in call to 'calls_free' from 'test'" } */

  do_stuff ();
 }
--- a/gcc/testsuite/gcc.dg/analyzer/malloc-ipa-13a.c
+++ b/gcc/testsuite/gcc.dg/analyzer/malloc-ipa-13a.c
@ -0,0 +1,38 @@
+/* { dg-additional-options "-fanalyzer-verbosity=1" } */
+
+#include <stdlib.h>
+
+void
+calls_free (void *victim)
+{
+  free (victim); /* { dg-warning "double-'free' of 'victim'" } */
+}
+
+extern void do_stuff (void);
+
+struct foo
+{
+  void *m_p;
+};
+
+static void *  __attribute__((noinline))
+test_a (struct foo f)
+{
+  do_stuff ();
+
+  calls_free (f.m_p);
+
+  do_stuff ();
+
+  return f.m_p;
+}
+
+void test_b (void *p)
+{
+  void *q;
+  struct foo f;
+  f.m_p = p;
+  q = test_a (f);
+  calls_free (q); /* { dg-message "passing freed pointer 'q' in call to 'calls_free' from 'test_b'" } */
+  do_stuff ();
+}
--- a/gcc/testsuite/gcc.dg/analyzer/pr99771-1.c
+++ b/gcc/testsuite/gcc.dg/analyzer/pr99771-1.c
@ -0,0 +1,63 @@
+/* Verify that we don't print "<unknown>" in various diagnostics
+   (PR analyzer/99771). */
+
+#include <stdlib.h>
+
+void test_1 (void)
+{
+  *(char*)malloc (1024) = 42; /* { dg-warning "dereference of possibly-NULL 'malloc\\(1024\\)'" } */
+} /* { dg-warning "leak of 'malloc\\(1024\\)'" "warning" } */
+  /* { dg-message "'malloc\\(1024\\)' leaks here" "final event" { target *-*-* } .-1 } */
+
+void test_2 (size_t n)
+{
+  *(char*)malloc (4 * n) = 42; /* { dg-warning "dereference of possibly-NULL 'malloc\\(n \\* 4\\)'" "warning" } */
+  /* { dg-message "'malloc\\(n \\* 4\\)' could be NULL" "final event" { target *-*-* } .-1 } */
+} /* { dg-warning "leak of 'malloc\\(n \\* 4\\)'" "warning" } */
+  /* { dg-message "'malloc\\(n \\* 4\\)' leaks here" "final event" { target *-*-* } .-1 } */
+
+/* A compound example.  */
+
+void test_3 (size_t a, size_t b, size_t c)
+{
+  *(char*)malloc (a + (b * c)) = 42; /* { dg-warning "dereference of possibly-NULL 'malloc\\(a \\+ b \\* c\\)'" "warning" } */
+  /* { dg-message "'malloc\\(a \\+ b \\* c\\)' could be NULL" "final event" { target *-*-* } .-1 } */
+} /* { dg-warning "leak of 'malloc\\(a \\+ b \\* c\\)'" "warning" } */
+  /* { dg-message "'malloc\\(a \\+ b \\* c\\)' leaks here" "final event" { target *-*-* } .-1 } */
+
+void test_4 (size_t a, size_t b, size_t c)
+{
+  *(char *)malloc (a ? b : c) = 42; /* { dg-warning "dereference of possibly-NULL 'malloc\\(<unknown>\\)'" "warning" } */
+  /* { dg-message "'malloc\\(<unknown>\\)' could be NULL" "final event" { target *-*-* } .-1 } */
+} /* { dg-warning "leak of 'malloc\\(<unknown>\\)'" "warning" } */
+  /* { dg-message "'malloc\\(<unknown>\\)' leaks here" "final event" { target *-*-* } .-1 } */
+
+/* Unary operators.  */
+
+void test_5 (size_t a)
+{
+  *(char*)malloc (-a) = 42; /* { dg-warning "dereference of possibly-NULL 'malloc\\(-a\\)'" } */
+} /* { dg-warning "leak of 'malloc\\(-a\\)'" "warning" } */
+  /* { dg-message "'malloc\\(-a\\)' leaks here" "final event" { target *-*-* } .-1 } */
+
+void test_6 (size_t a)
+{
+  *(char*)malloc (~a) = 42; /* { dg-warning "dereference of possibly-NULL 'malloc\\(~a\\)'" } */
+} /* { dg-warning "leak of 'malloc\\(~a\\)'" "warning" } */
+  /* { dg-message "'malloc\\(~a\\)' leaks here" "final event" { target *-*-* } .-1 } */
+
+/* Field access.  */
+
+struct s7 { size_t sz; };
+
+void test_7a(struct s7 s)
+{
+  *(char*)malloc (s.sz) = 42; /* { dg-warning "dereference of possibly-NULL 'malloc\\(s\\.sz\\)'" } */
+} /* { dg-warning "leak of 'malloc\\(s\\.sz\\)'" "warning" } */
+  /* { dg-message "'malloc\\(s\\.sz\\)' leaks here" "final event" { target *-*-* } .-1 } */
+
+void test_7b (struct s7 *s)
+{
+  *(char*)malloc (s->sz) = 42; /* { dg-warning "dereference of possibly-NULL 'malloc\\(\\*s\\.sz\\)'" } */
+} /* { dg-warning "leak of 'malloc\\(\\*s\\.sz\\)'" "warning" } */
+  /* { dg-message "'malloc\\(\\*s\\.sz\\)' leaks here" "final event" { target *-*-* } .-1 } */