From e4bb1bd60a9fd1bed36092a990aa5fed5d45bfa6 Mon Sep 17 00:00:00 2001
From: David Malcolm <dmalcolm@redhat.com>
Date: Mon, 29 Mar 2021 16:13:32 -0400
Subject: [PATCH] analyzer: avoid printing '<unknown>' for SSA names [PR99771]

We don't want to print '<unknown>' in our diagnostics, but
PR analyzer/99771 lists various cases where -fanalyzer does, due to
using the SSA_NAME for a temporary when determining the best tree to
use.

This can happen in two ways:

(a) ...when a better expression than the SSA_NAME could be built, but
finding it requires traversing the relationships in the region_model
in a graph-like way, rather than by considering individual svalues and
regions.

(b) ...when the only remaining user of the underlying svalue is the
SSA_NAME, typically due to the diagnostic referring to a temporary.

I've been experimenting with fixing (a), but don't have a good fix yet.
In the meantime, this patch addresses (b) by detecting if we have
the SSA_NAME for a temporary, and, for the cases where it's possible,
reconstructing a tree by walking the def-stmts.  This fixes various
cases of (b) and ameliorates some cases of (a).

gcc/analyzer/ChangeLog:
	PR analyzer/99771
	* analyzer.cc (maybe_reconstruct_from_def_stmt): New.
	(fixup_tree_for_diagnostic_1): New.
	(fixup_tree_for_diagnostic): New.
	* analyzer.h (fixup_tree_for_diagnostic): New decl.
	* checker-path.cc (call_event::get_desc): Call
	fixup_tree_for_diagnostic and use it for the call_with_state call.
	(warning_event::get_desc): Likewise for the final_event and
	make_label_text calls.
	* engine.cc (impl_region_model_context::on_state_leak): Likewise
	for the on_leak and add_diagnostic calls.
	* region-model.cc (region_model::get_representative_tree):
	Likewise for the result.

gcc/testsuite/ChangeLog:
	PR analyzer/99771
	* gcc.dg/analyzer/data-model-10.c: Update expected output.
	* gcc.dg/analyzer/malloc-ipa-13.c: Likewise.
	* gcc.dg/analyzer/malloc-ipa-13a.c: New test.
	* gcc.dg/analyzer/pr99771-1.c: New test.
---
 gcc/analyzer/analyzer.cc                      | 128 ++++++++++++++++++
 gcc/analyzer/analyzer.h                       |   1 +
 gcc/analyzer/checker-path.cc                  |  10 +-
 gcc/analyzer/engine.cc                        |   5 +-
 gcc/analyzer/region-model.cc                  |   4 +-
 gcc/testsuite/gcc.dg/analyzer/data-model-10.c |   3 +-
 gcc/testsuite/gcc.dg/analyzer/malloc-ipa-13.c |   3 +-
 .../gcc.dg/analyzer/malloc-ipa-13a.c          |  38 ++++++
 gcc/testsuite/gcc.dg/analyzer/pr99771-1.c     |  63 +++++++++
 9 files changed, 244 insertions(+), 11 deletions(-)
 create mode 100644 gcc/testsuite/gcc.dg/analyzer/malloc-ipa-13a.c
 create mode 100644 gcc/testsuite/gcc.dg/analyzer/pr99771-1.c

diff --git a/gcc/analyzer/analyzer.cc b/gcc/analyzer/analyzer.cc
index df8d881f3cd..2b4cffd08f5 100644
--- a/gcc/analyzer/analyzer.cc
+++ b/gcc/analyzer/analyzer.cc
@@ -60,6 +60,134 @@ get_stmt_location (const gimple *stmt, function *fun)
   return stmt->location;
 }
 
+static tree
+fixup_tree_for_diagnostic_1 (tree expr, hash_set<tree> *visited);
+
+/*  Subroutine of fixup_tree_for_diagnostic_1, called on SSA names.
+    Attempt to reconstruct a a tree expression for SSA_NAME
+    based on its def-stmt.
+    SSA_NAME must be non-NULL.
+    VISITED must be non-NULL; it is used to ensure termination.
+
+    Return NULL_TREE if there is a problem.  */
+
+static tree
+maybe_reconstruct_from_def_stmt (tree ssa_name,
+				 hash_set<tree> *visited)
+{
+  /* Ensure termination.  */
+  if (visited->contains (ssa_name))
+    return NULL_TREE;
+  visited->add (ssa_name);
+
+  gimple *def_stmt = SSA_NAME_DEF_STMT (ssa_name);
+
+  switch (gimple_code (def_stmt))
+    {
+    default:
+      gcc_unreachable ();
+    case GIMPLE_NOP:
+    case GIMPLE_PHI:
+      /* Can't handle these.  */
+      return NULL_TREE;
+    case GIMPLE_ASSIGN:
+      {
+	enum tree_code code = gimple_assign_rhs_code (def_stmt);
+
+	/* Reverse the effect of extract_ops_from_tree during
+	   gimplification.  */
+	switch (get_gimple_rhs_class (code))
+	  {
+	  default:
+	  case GIMPLE_INVALID_RHS:
+	    gcc_unreachable ();
+	  case GIMPLE_TERNARY_RHS:
+	  case GIMPLE_BINARY_RHS:
+	  case GIMPLE_UNARY_RHS:
+	    {
+	      tree t = make_node (code);
+	      TREE_TYPE (t) = TREE_TYPE (ssa_name);
+	      unsigned num_rhs_args = gimple_num_ops (def_stmt) - 1;
+	      for (unsigned i = 0; i < num_rhs_args; i++)
+		{
+		  tree op = gimple_op (def_stmt, i + 1);
+		  if (op)
+		    {
+		      op = fixup_tree_for_diagnostic_1 (op, visited);
+		      if (op == NULL_TREE)
+			return NULL_TREE;
+		    }
+		  TREE_OPERAND (t, i) = op;
+		}
+	      return t;
+	    }
+	  case GIMPLE_SINGLE_RHS:
+	    {
+	      tree op = gimple_op (def_stmt, 1);
+	      op = fixup_tree_for_diagnostic_1 (op, visited);
+	      return op;
+	    }
+	  }
+      }
+      break;
+    case GIMPLE_CALL:
+      {
+	gcall *call_stmt = as_a <gcall *> (def_stmt);
+	tree return_type = gimple_call_return_type (call_stmt);
+	tree fn = fixup_tree_for_diagnostic_1 (gimple_call_fn (call_stmt),
+					       visited);
+	unsigned num_args = gimple_call_num_args (call_stmt);
+	auto_vec<tree> args (num_args);
+	for (unsigned i = 0; i < num_args; i++)
+	  {
+	    tree arg = gimple_call_arg (call_stmt, i);
+	    arg = fixup_tree_for_diagnostic_1 (arg, visited);
+	    if (arg == NULL_TREE)
+	      return NULL_TREE;
+	    args.quick_push (arg);
+	  }
+	return build_call_array_loc (gimple_location (call_stmt),
+				     return_type, fn,
+				     num_args, &args[0]);
+      }
+      break;
+    }
+}
+
+/* Subroutine of fixup_tree_for_diagnostic: attempt to fixup EXPR,
+   which can be NULL.
+   VISITED must be non-NULL; it is used to ensure termination.  */
+
+static tree
+fixup_tree_for_diagnostic_1 (tree expr, hash_set<tree> *visited)
+{
+  if (expr
+      && TREE_CODE (expr) == SSA_NAME
+      && (SSA_NAME_VAR (expr) == NULL_TREE
+	  || DECL_ARTIFICIAL (SSA_NAME_VAR (expr))))
+    if (tree expr2 = maybe_reconstruct_from_def_stmt (expr, visited))
+      return expr2;
+  return expr;
+}
+
+/* We don't want to print '<unknown>' in our diagnostics (PR analyzer/99771),
+   but sometimes we generate diagnostics involving an ssa name for a
+   temporary.
+
+   Work around this by attempting to reconstruct a tree expression for
+   such temporaries based on their def-stmts.
+
+   Otherwise return EXPR.
+
+   EXPR can be NULL.  */
+
+tree
+fixup_tree_for_diagnostic (tree expr)
+{
+  hash_set<tree> visited;
+  return fixup_tree_for_diagnostic_1 (expr, &visited);
+}
+
 } // namespace ana
 
 /* Helper function for checkers.  Is the CALL to the given function name,
diff --git a/gcc/analyzer/analyzer.h b/gcc/analyzer/analyzer.h
index f50ac662516..fb568e44d38 100644
--- a/gcc/analyzer/analyzer.h
+++ b/gcc/analyzer/analyzer.h
@@ -108,6 +108,7 @@ extern void dump_quoted_tree (pretty_printer *pp, tree t);
 extern void print_quoted_type (pretty_printer *pp, tree t);
 extern int readability_comparator (const void *p1, const void *p2);
 extern int tree_cmp (const void *p1, const void *p2);
+extern tree fixup_tree_for_diagnostic (tree);
 
 /* A tree, extended with stack frame information for locals, so that
    we can distinguish between different values of locals within a potentially
diff --git a/gcc/analyzer/checker-path.cc b/gcc/analyzer/checker-path.cc
index e6e3ec18688..7d229bbf823 100644
--- a/gcc/analyzer/checker-path.cc
+++ b/gcc/analyzer/checker-path.cc
@@ -634,12 +634,13 @@ call_event::get_desc (bool can_colorize) const
   if (m_critical_state && m_pending_diagnostic)
     {
       gcc_assert (m_var);
+      tree var = fixup_tree_for_diagnostic (m_var);
       label_text custom_desc
 	= m_pending_diagnostic->describe_call_with_state
 	    (evdesc::call_with_state (can_colorize,
 				      m_sedge->m_src->m_fun->decl,
 				      m_sedge->m_dest->m_fun->decl,
-				      m_var,
+				      var,
 				      m_critical_state));
       if (custom_desc.m_buffer)
 	return custom_desc;
@@ -880,19 +881,20 @@ warning_event::get_desc (bool can_colorize) const
 {
   if (m_pending_diagnostic)
     {
+      tree var = fixup_tree_for_diagnostic (m_var);
       label_text ev_desc
 	= m_pending_diagnostic->describe_final_event
-	    (evdesc::final_event (can_colorize, m_var, m_state));
+	    (evdesc::final_event (can_colorize, var, m_state));
       if (ev_desc.m_buffer)
 	{
 	  if (m_sm && flag_analyzer_verbose_state_changes)
 	    {
 	      label_text result;
-	      if (m_var)
+	      if (var)
 		result = make_label_text (can_colorize,
 					  "%s (%qE is in state %qs)",
 					  ev_desc.m_buffer,
-					  m_var, m_state->get_name ());
+					  var, m_state->get_name ());
 	      else
 		result = make_label_text (can_colorize,
 					  "%s (in global state %qs)",
diff --git a/gcc/analyzer/engine.cc b/gcc/analyzer/engine.cc
index d7866b5598b..1fb96de6082 100644
--- a/gcc/analyzer/engine.cc
+++ b/gcc/analyzer/engine.cc
@@ -634,12 +634,13 @@ impl_region_model_context::on_state_leak (const state_machine &sm,
 	}
     }
 
-  pending_diagnostic *pd = sm.on_leak (leaked_tree);
+  tree leaked_tree_for_diag = fixup_tree_for_diagnostic (leaked_tree);
+  pending_diagnostic *pd = sm.on_leak (leaked_tree_for_diag);
   if (pd)
     m_eg->get_diagnostic_manager ().add_diagnostic
       (&sm, m_enode_for_diag, m_enode_for_diag->get_supernode (),
        m_stmt, &stmt_finder,
-       leaked_tree, sval, state, pd);
+       leaked_tree_for_diag, sval, state, pd);
 }
 
 /* Implementation of region_model_context::on_condition vfunc.
diff --git a/gcc/analyzer/region-model.cc b/gcc/analyzer/region-model.cc
index fb5dc39fc66..c245bfe0512 100644
--- a/gcc/analyzer/region-model.cc
+++ b/gcc/analyzer/region-model.cc
@@ -2325,9 +2325,9 @@ region_model::get_representative_tree (const svalue *sval) const
 
   /* Strip off any top-level cast.  */
   if (expr && TREE_CODE (expr) == NOP_EXPR)
-    return TREE_OPERAND (expr, 0);
+    expr = TREE_OPERAND (expr, 0);
 
-  return expr;
+  return fixup_tree_for_diagnostic (expr);
 }
 
 /* Implementation of region_model::get_representative_path_var.
diff --git a/gcc/testsuite/gcc.dg/analyzer/data-model-10.c b/gcc/testsuite/gcc.dg/analyzer/data-model-10.c
index c261edcc827..04c9891d89b 100644
--- a/gcc/testsuite/gcc.dg/analyzer/data-model-10.c
+++ b/gcc/testsuite/gcc.dg/analyzer/data-model-10.c
@@ -12,6 +12,7 @@ test (void)
   if (!new_table)
     return NULL;
   new_table->m_f = (char **)malloc(sizeof(char **));
-  *new_table->m_f = NULL; /* { dg-warning "dereference of possibly-NULL '<unknown>'" } */ // FIXME: something better than "unknown" here
+  *new_table->m_f = NULL; /* { dg-warning "dereference of possibly-NULL '\\*new_table.m_f'" } */
+  /* { dg-message "'\\*new_table.m_f' could be NULL" "final event wording" { target *-*-* } .-1 } */
   return new_table;
 }
diff --git a/gcc/testsuite/gcc.dg/analyzer/malloc-ipa-13.c b/gcc/testsuite/gcc.dg/analyzer/malloc-ipa-13.c
index 2e3d80ed5cc..a08386a4626 100644
--- a/gcc/testsuite/gcc.dg/analyzer/malloc-ipa-13.c
+++ b/gcc/testsuite/gcc.dg/analyzer/malloc-ipa-13.c
@@ -23,8 +23,7 @@ void test (struct foo f)
 
   do_stuff ();
 
-  calls_free (f.m_p); /* { dg-message "passing freed pointer '<unknown>' in call to 'calls_free' from 'test'" } */
-  // TODO: something better than '<unknown>'
+  calls_free (f.m_p); /* { dg-message "passing freed pointer 'f\\.m_p' in call to 'calls_free' from 'test'" } */
 
   do_stuff ();
 }
diff --git a/gcc/testsuite/gcc.dg/analyzer/malloc-ipa-13a.c b/gcc/testsuite/gcc.dg/analyzer/malloc-ipa-13a.c
new file mode 100644
index 00000000000..d74ef59c7cf
--- /dev/null
+++ b/gcc/testsuite/gcc.dg/analyzer/malloc-ipa-13a.c
@@ -0,0 +1,38 @@
+/* { dg-additional-options "-fanalyzer-verbosity=1" } */
+
+#include <stdlib.h>
+
+void
+calls_free (void *victim)
+{
+  free (victim); /* { dg-warning "double-'free' of 'victim'" } */
+}
+
+extern void do_stuff (void);
+
+struct foo
+{
+  void *m_p;
+};
+
+static void *  __attribute__((noinline))
+test_a (struct foo f)
+{
+  do_stuff ();
+
+  calls_free (f.m_p);
+
+  do_stuff ();
+
+  return f.m_p;
+}
+
+void test_b (void *p)
+{
+  void *q;
+  struct foo f;
+  f.m_p = p;
+  q = test_a (f);
+  calls_free (q); /* { dg-message "passing freed pointer 'q' in call to 'calls_free' from 'test_b'" } */
+  do_stuff ();
+}
diff --git a/gcc/testsuite/gcc.dg/analyzer/pr99771-1.c b/gcc/testsuite/gcc.dg/analyzer/pr99771-1.c
new file mode 100644
index 00000000000..08449f9249e
--- /dev/null
+++ b/gcc/testsuite/gcc.dg/analyzer/pr99771-1.c
@@ -0,0 +1,63 @@
+/* Verify that we don't print "<unknown>" in various diagnostics
+   (PR analyzer/99771). */
+
+#include <stdlib.h>
+
+void test_1 (void)
+{
+  *(char*)malloc (1024) = 42; /* { dg-warning "dereference of possibly-NULL 'malloc\\(1024\\)'" } */
+} /* { dg-warning "leak of 'malloc\\(1024\\)'" "warning" } */
+  /* { dg-message "'malloc\\(1024\\)' leaks here" "final event" { target *-*-* } .-1 } */
+
+void test_2 (size_t n)
+{
+  *(char*)malloc (4 * n) = 42; /* { dg-warning "dereference of possibly-NULL 'malloc\\(n \\* 4\\)'" "warning" } */
+  /* { dg-message "'malloc\\(n \\* 4\\)' could be NULL" "final event" { target *-*-* } .-1 } */
+} /* { dg-warning "leak of 'malloc\\(n \\* 4\\)'" "warning" } */
+  /* { dg-message "'malloc\\(n \\* 4\\)' leaks here" "final event" { target *-*-* } .-1 } */
+
+/* A compound example.  */
+
+void test_3 (size_t a, size_t b, size_t c)
+{
+  *(char*)malloc (a + (b * c)) = 42; /* { dg-warning "dereference of possibly-NULL 'malloc\\(a \\+ b \\* c\\)'" "warning" } */
+  /* { dg-message "'malloc\\(a \\+ b \\* c\\)' could be NULL" "final event" { target *-*-* } .-1 } */
+} /* { dg-warning "leak of 'malloc\\(a \\+ b \\* c\\)'" "warning" } */
+  /* { dg-message "'malloc\\(a \\+ b \\* c\\)' leaks here" "final event" { target *-*-* } .-1 } */
+
+void test_4 (size_t a, size_t b, size_t c)
+{
+  *(char *)malloc (a ? b : c) = 42; /* { dg-warning "dereference of possibly-NULL 'malloc\\(<unknown>\\)'" "warning" } */
+  /* { dg-message "'malloc\\(<unknown>\\)' could be NULL" "final event" { target *-*-* } .-1 } */
+} /* { dg-warning "leak of 'malloc\\(<unknown>\\)'" "warning" } */
+  /* { dg-message "'malloc\\(<unknown>\\)' leaks here" "final event" { target *-*-* } .-1 } */
+
+/* Unary operators.  */
+
+void test_5 (size_t a)
+{
+  *(char*)malloc (-a) = 42; /* { dg-warning "dereference of possibly-NULL 'malloc\\(-a\\)'" } */
+} /* { dg-warning "leak of 'malloc\\(-a\\)'" "warning" } */
+  /* { dg-message "'malloc\\(-a\\)' leaks here" "final event" { target *-*-* } .-1 } */
+
+void test_6 (size_t a)
+{
+  *(char*)malloc (~a) = 42; /* { dg-warning "dereference of possibly-NULL 'malloc\\(~a\\)'" } */
+} /* { dg-warning "leak of 'malloc\\(~a\\)'" "warning" } */
+  /* { dg-message "'malloc\\(~a\\)' leaks here" "final event" { target *-*-* } .-1 } */
+
+/* Field access.  */
+
+struct s7 { size_t sz; };
+
+void test_7a(struct s7 s)
+{
+  *(char*)malloc (s.sz) = 42; /* { dg-warning "dereference of possibly-NULL 'malloc\\(s\\.sz\\)'" } */
+} /* { dg-warning "leak of 'malloc\\(s\\.sz\\)'" "warning" } */
+  /* { dg-message "'malloc\\(s\\.sz\\)' leaks here" "final event" { target *-*-* } .-1 } */
+
+void test_7b (struct s7 *s)
+{
+  *(char*)malloc (s->sz) = 42; /* { dg-warning "dereference of possibly-NULL 'malloc\\(\\*s\\.sz\\)'" } */
+} /* { dg-warning "leak of 'malloc\\(\\*s\\.sz\\)'" "warning" } */
+  /* { dg-message "'malloc\\(\\*s\\.sz\\)' leaks here" "final event" { target *-*-* } .-1 } */