analyzer: extract bits from integer constants [PR105783]

Fix a false positive from -Wanalyzer-null-dereference due to -fanalyzer
failing to grok the value of a particular boolean field initialized to a
constant.

gcc/analyzer/ChangeLog:
	PR analyzer/105783
	* region-model.cc (selftest::get_bit): New function.
	(selftest::test_bits_within_svalue_folding): New.
	(selfftest::analyzer_region_model_cc_tests): Call it.
	* svalue.cc (constant_svalue::maybe_fold_bits_within): Handle the
	case of extracting a single bit.

gcc/testsuite/ChangeLog:
	PR analyzer/105783
	* gcc.dg/analyzer/pr105783.c: New test.

Signed-off-by: David Malcolm <dmalcolm@redhat.com>

gcc/analyzer/region-model.cc

@@ -7132,6 +7132,57 @@ test_sub_svalue_folding ()
   ASSERT_EQ (sub->get_type (), TREE_TYPE (ct.m_x_field));
 }
 
+/* Get BIT within VAL as a symbolic value within MGR.  */
+
+static const svalue *
+get_bit (region_model_manager *mgr,
+	 bit_offset_t bit,
+	 unsigned HOST_WIDE_INT val)
+{
+  const svalue *inner_svalue
+    = mgr->get_or_create_int_cst (unsigned_type_node, val);
+  return mgr->get_or_create_bits_within (boolean_type_node,
+					 bit_range (bit, 1),
+					 inner_svalue);
+}
+
+/* Verify that bits_within_svalues are folded as expected.  */
+
+static void
+test_bits_within_svalue_folding ()
+{
+  region_model_manager mgr;
+
+  const svalue *zero = mgr.get_or_create_int_cst (boolean_type_node, 0);
+  const svalue *one = mgr.get_or_create_int_cst (boolean_type_node, 1);
+
+  {
+    const unsigned val = 0x0000;
+    for (unsigned bit = 0; bit < 16; bit++)
+      ASSERT_EQ (get_bit (&mgr, bit, val), zero);
+  }
+
+  {
+    const unsigned val = 0x0001;
+    ASSERT_EQ (get_bit (&mgr, 0, val), one);
+    for (unsigned bit = 1; bit < 16; bit++)
+      ASSERT_EQ (get_bit (&mgr, bit, val), zero);
+  }
+
+  {
+    const unsigned val = 0x8000;
+    for (unsigned bit = 0; bit < 15; bit++)
+      ASSERT_EQ (get_bit (&mgr, bit, val), zero);
+    ASSERT_EQ (get_bit (&mgr, 15, val), one);
+  }
+
+  {
+    const unsigned val = 0xFFFF;
+    for (unsigned bit = 0; bit < 16; bit++)
+      ASSERT_EQ (get_bit (&mgr, bit, val), one);
+  }
+}
+
 /* Test that region::descendent_of_p works as expected.  */
 
 static void
@@ -8488,6 +8539,7 @@ analyzer_region_model_cc_tests ()
   test_unaryop_svalue_folding ();
   test_binop_svalue_folding ();
   test_sub_svalue_folding ();
+  test_bits_within_svalue_folding ();
   test_descendent_of_p ();
   test_bit_range_regions ();
   test_assignment ();

gcc/analyzer/svalue.cc

@@ -868,7 +868,7 @@ constant_svalue::eval_condition (const constant_svalue *lhs,
 
 const svalue *
 constant_svalue::maybe_fold_bits_within (tree type,
-					 const bit_range &,
+					 const bit_range &bits,
 					 region_model_manager *mgr) const
 {
   /* Bits within an all-zero value are also all zero.  */
@@ -879,6 +879,21 @@ constant_svalue::maybe_fold_bits_within (tree type,
       else
 	return this;
     }
+
+  /* Handle the case of extracting a single bit. */
+  if (bits.m_size_in_bits == 1
+      && TREE_CODE (m_cst_expr) == INTEGER_CST
+      && type
+      && INTEGRAL_TYPE_P (type))
+    {
+      unsigned HOST_WIDE_INT bit = bits.m_start_bit_offset.to_uhwi ();
+      unsigned HOST_WIDE_INT mask = (1 << bit);
+      unsigned HOST_WIDE_INT val_as_hwi = tree_to_uhwi (m_cst_expr);
+      unsigned HOST_WIDE_INT masked_val = val_as_hwi & mask;
+      int result = masked_val ? 1 : 0;
+      return mgr->get_or_create_int_cst (type, result);
+    }
+
   /* Otherwise, don't fold.  */
   return NULL;
 }

gcc/testsuite/gcc.dg/analyzer/pr105783.c

@@ -0,0 +1,26 @@
+/* { dg-additional-options "-O" } */
+
+struct ss_s {
+    union out_or_counting_u {
+    	char *newstr;
+    	unsigned long long cnt;
+    } uu;
+    _Bool counting;
+};
+
+struct ss_s ss_init(void) {
+   struct ss_s rr = { .counting = 1 };
+   return rr;
+}
+
+void ss_out(struct ss_s *t, char cc) {
+   if (!t->counting) {
+       *t->uu.newstr++ = cc;
+   }
+}
+
+int main() {
+    struct ss_s ss = ss_init();
+    ss_out(&ss, 'a');
+}
+