@@ -60,6 +60,134 @@ get_stmt_location (const gimple *stmt, function *fun)
return stmt->location;
}
+static tree
+fixup_tree_for_diagnostic_1 (tree expr, hash_set<tree> *visited);
+
+/* Subroutine of fixup_tree_for_diagnostic_1, called on SSA names.
+ Attempt to reconstruct a a tree expression for SSA_NAME
+ based on its def-stmt.
+ SSA_NAME must be non-NULL.
+ VISITED must be non-NULL; it is used to ensure termination.
+
+ Return NULL_TREE if there is a problem. */
+
+static tree
+maybe_reconstruct_from_def_stmt (tree ssa_name,
+ hash_set<tree> *visited)
+{
+ /* Ensure termination. */
+ if (visited->contains (ssa_name))
+ return NULL_TREE;
+ visited->add (ssa_name);
+
+ gimple *def_stmt = SSA_NAME_DEF_STMT (ssa_name);
+
+ switch (gimple_code (def_stmt))
+ {
+ default:
+ gcc_unreachable ();
+ case GIMPLE_NOP:
+ case GIMPLE_PHI:
+ /* Can't handle these. */
+ return NULL_TREE;
+ case GIMPLE_ASSIGN:
+ {
+ enum tree_code code = gimple_assign_rhs_code (def_stmt);
+
+ /* Reverse the effect of extract_ops_from_tree during
+ gimplification. */
+ switch (get_gimple_rhs_class (code))
+ {
+ default:
+ case GIMPLE_INVALID_RHS:
+ gcc_unreachable ();
+ case GIMPLE_TERNARY_RHS:
+ case GIMPLE_BINARY_RHS:
+ case GIMPLE_UNARY_RHS:
+ {
+ tree t = make_node (code);
+ TREE_TYPE (t) = TREE_TYPE (ssa_name);
+ unsigned num_rhs_args = gimple_num_ops (def_stmt) - 1;
+ for (unsigned i = 0; i < num_rhs_args; i++)
+ {
+ tree op = gimple_op (def_stmt, i + 1);
+ if (op)
+ {
+ op = fixup_tree_for_diagnostic_1 (op, visited);
+ if (op == NULL_TREE)
+ return NULL_TREE;
+ }
+ TREE_OPERAND (t, i) = op;
+ }
+ return t;
+ }
+ case GIMPLE_SINGLE_RHS:
+ {
+ tree op = gimple_op (def_stmt, 1);
+ op = fixup_tree_for_diagnostic_1 (op, visited);
+ return op;
+ }
+ }
+ }
+ break;
+ case GIMPLE_CALL:
+ {
+ gcall *call_stmt = as_a <gcall *> (def_stmt);
+ tree return_type = gimple_call_return_type (call_stmt);
+ tree fn = fixup_tree_for_diagnostic_1 (gimple_call_fn (call_stmt),
+ visited);
+ unsigned num_args = gimple_call_num_args (call_stmt);
+ auto_vec<tree> args (num_args);
+ for (unsigned i = 0; i < num_args; i++)
+ {
+ tree arg = gimple_call_arg (call_stmt, i);
+ arg = fixup_tree_for_diagnostic_1 (arg, visited);
+ if (arg == NULL_TREE)
+ return NULL_TREE;
+ args.quick_push (arg);
+ }
+ return build_call_array_loc (gimple_location (call_stmt),
+ return_type, fn,
+ num_args, &args[0]);
+ }
+ break;
+ }
+}
+
+/* Subroutine of fixup_tree_for_diagnostic: attempt to fixup EXPR,
+ which can be NULL.
+ VISITED must be non-NULL; it is used to ensure termination. */
+
+static tree
+fixup_tree_for_diagnostic_1 (tree expr, hash_set<tree> *visited)
+{
+ if (expr
+ && TREE_CODE (expr) == SSA_NAME
+ && (SSA_NAME_VAR (expr) == NULL_TREE
+ || DECL_ARTIFICIAL (SSA_NAME_VAR (expr))))
+ if (tree expr2 = maybe_reconstruct_from_def_stmt (expr, visited))
+ return expr2;
+ return expr;
+}
+
+/* We don't want to print '<unknown>' in our diagnostics (PR analyzer/99771),
+ but sometimes we generate diagnostics involving an ssa name for a
+ temporary.
+
+ Work around this by attempting to reconstruct a tree expression for
+ such temporaries based on their def-stmts.
+
+ Otherwise return EXPR.
+
+ EXPR can be NULL. */
+
+tree
+fixup_tree_for_diagnostic (tree expr)
+{
+ hash_set<tree> visited;
+ return fixup_tree_for_diagnostic_1 (expr, &visited);
+}
+
} // namespace ana
/* Helper function for checkers. Is the CALL to the given function name,
@@ -108,6 +108,7 @@ extern void dump_quoted_tree (pretty_printer *pp, tree t);
extern void print_quoted_type (pretty_printer *pp, tree t);
extern int readability_comparator (const void *p1, const void *p2);
extern int tree_cmp (const void *p1, const void *p2);
+extern tree fixup_tree_for_diagnostic (tree);
/* A tree, extended with stack frame information for locals, so that
we can distinguish between different values of locals within a potentially
@@ -634,12 +634,13 @@ call_event::get_desc (bool can_colorize) const
if (m_critical_state && m_pending_diagnostic)
{
gcc_assert (m_var);
+ tree var = fixup_tree_for_diagnostic (m_var);
label_text custom_desc
= m_pending_diagnostic->describe_call_with_state
(evdesc::call_with_state (can_colorize,
m_sedge->m_src->m_fun->decl,
m_sedge->m_dest->m_fun->decl,
- m_var,
+ var,
m_critical_state));
if (custom_desc.m_buffer)
return custom_desc;
@@ -880,19 +881,20 @@ warning_event::get_desc (bool can_colorize) const
{
if (m_pending_diagnostic)
{
+ tree var = fixup_tree_for_diagnostic (m_var);
label_text ev_desc
= m_pending_diagnostic->describe_final_event
- (evdesc::final_event (can_colorize, m_var, m_state));
+ (evdesc::final_event (can_colorize, var, m_state));
if (ev_desc.m_buffer)
{
if (m_sm && flag_analyzer_verbose_state_changes)
{
label_text result;
- if (m_var)
+ if (var)
result = make_label_text (can_colorize,
"%s (%qE is in state %qs)",
ev_desc.m_buffer,
- m_var, m_state->get_name ());
+ var, m_state->get_name ());
else
result = make_label_text (can_colorize,
"%s (in global state %qs)",
@@ -634,12 +634,13 @@ impl_region_model_context::on_state_leak (const state_machine &sm,
}
}
- pending_diagnostic *pd = sm.on_leak (leaked_tree);
+ tree leaked_tree_for_diag = fixup_tree_for_diagnostic (leaked_tree);
+ pending_diagnostic *pd = sm.on_leak (leaked_tree_for_diag);
if (pd)
m_eg->get_diagnostic_manager ().add_diagnostic
(&sm, m_enode_for_diag, m_enode_for_diag->get_supernode (),
m_stmt, &stmt_finder,
- leaked_tree, sval, state, pd);
+ leaked_tree_for_diag, sval, state, pd);
}
/* Implementation of region_model_context::on_condition vfunc.
@@ -2325,9 +2325,9 @@ region_model::get_representative_tree (const svalue *sval) const
/* Strip off any top-level cast. */
if (expr && TREE_CODE (expr) == NOP_EXPR)
- return TREE_OPERAND (expr, 0);
+ expr = TREE_OPERAND (expr, 0);
- return expr;
+ return fixup_tree_for_diagnostic (expr);
}
/* Implementation of region_model::get_representative_path_var.
@@ -12,6 +12,7 @@ test (void)
if (!new_table)
return NULL;
new_table->m_f = (char **)malloc(sizeof(char **));
- *new_table->m_f = NULL; /* { dg-warning "dereference of possibly-NULL '<unknown>'" } */ // FIXME: something better than "unknown" here
+ *new_table->m_f = NULL; /* { dg-warning "dereference of possibly-NULL '\\*new_table.m_f'" } */
+ /* { dg-message "'\\*new_table.m_f' could be NULL" "final event wording" { target *-*-* } .-1 } */
return new_table;
}
@@ -23,8 +23,7 @@ void test (struct foo f)
do_stuff ();
- calls_free (f.m_p); /* { dg-message "passing freed pointer '<unknown>' in call to 'calls_free' from 'test'" } */
- // TODO: something better than '<unknown>'
+ calls_free (f.m_p); /* { dg-message "passing freed pointer 'f\\.m_p' in call to 'calls_free' from 'test'" } */
do_stuff ();
}
new file mode 100644
@@ -0,0 +1,38 @@
+/* { dg-additional-options "-fanalyzer-verbosity=1" } */
+
+#include <stdlib.h>
+
+void
+calls_free (void *victim)
+{
+ free (victim); /* { dg-warning "double-'free' of 'victim'" } */
+}
+
+extern void do_stuff (void);
+
+struct foo
+{
+ void *m_p;
+};
+
+static void * __attribute__((noinline))
+test_a (struct foo f)
+{
+ do_stuff ();
+
+ calls_free (f.m_p);
+
+ do_stuff ();
+
+ return f.m_p;
+}
+
+void test_b (void *p)
+{
+ void *q;
+ struct foo f;
+ f.m_p = p;
+ q = test_a (f);
+ calls_free (q); /* { dg-message "passing freed pointer 'q' in call to 'calls_free' from 'test_b'" } */
+ do_stuff ();
+}
new file mode 100644
@@ -0,0 +1,63 @@
+/* Verify that we don't print "<unknown>" in various diagnostics
+ (PR analyzer/99771). */
+
+#include <stdlib.h>
+
+void test_1 (void)
+{
+ *(char*)malloc (1024) = 42; /* { dg-warning "dereference of possibly-NULL 'malloc\\(1024\\)'" } */
+} /* { dg-warning "leak of 'malloc\\(1024\\)'" "warning" } */
+ /* { dg-message "'malloc\\(1024\\)' leaks here" "final event" { target *-*-* } .-1 } */
+
+void test_2 (size_t n)
+{
+ *(char*)malloc (4 * n) = 42; /* { dg-warning "dereference of possibly-NULL 'malloc\\(n \\* 4\\)'" "warning" } */
+ /* { dg-message "'malloc\\(n \\* 4\\)' could be NULL" "final event" { target *-*-* } .-1 } */
+} /* { dg-warning "leak of 'malloc\\(n \\* 4\\)'" "warning" } */
+ /* { dg-message "'malloc\\(n \\* 4\\)' leaks here" "final event" { target *-*-* } .-1 } */
+
+/* A compound example. */
+
+void test_3 (size_t a, size_t b, size_t c)
+{
+ *(char*)malloc (a + (b * c)) = 42; /* { dg-warning "dereference of possibly-NULL 'malloc\\(a \\+ b \\* c\\)'" "warning" } */
+ /* { dg-message "'malloc\\(a \\+ b \\* c\\)' could be NULL" "final event" { target *-*-* } .-1 } */
+} /* { dg-warning "leak of 'malloc\\(a \\+ b \\* c\\)'" "warning" } */
+ /* { dg-message "'malloc\\(a \\+ b \\* c\\)' leaks here" "final event" { target *-*-* } .-1 } */
+
+void test_4 (size_t a, size_t b, size_t c)
+{
+ *(char *)malloc (a ? b : c) = 42; /* { dg-warning "dereference of possibly-NULL 'malloc\\(<unknown>\\)'" "warning" } */
+ /* { dg-message "'malloc\\(<unknown>\\)' could be NULL" "final event" { target *-*-* } .-1 } */
+} /* { dg-warning "leak of 'malloc\\(<unknown>\\)'" "warning" } */
+ /* { dg-message "'malloc\\(<unknown>\\)' leaks here" "final event" { target *-*-* } .-1 } */
+
+/* Unary operators. */
+
+void test_5 (size_t a)
+{
+ *(char*)malloc (-a) = 42; /* { dg-warning "dereference of possibly-NULL 'malloc\\(-a\\)'" } */
+} /* { dg-warning "leak of 'malloc\\(-a\\)'" "warning" } */
+ /* { dg-message "'malloc\\(-a\\)' leaks here" "final event" { target *-*-* } .-1 } */
+
+void test_6 (size_t a)
+{
+ *(char*)malloc (~a) = 42; /* { dg-warning "dereference of possibly-NULL 'malloc\\(~a\\)'" } */
+} /* { dg-warning "leak of 'malloc\\(~a\\)'" "warning" } */
+ /* { dg-message "'malloc\\(~a\\)' leaks here" "final event" { target *-*-* } .-1 } */
+
+/* Field access. */
+
+struct s7 { size_t sz; };
+
+void test_7a(struct s7 s)
+{
+ *(char*)malloc (s.sz) = 42; /* { dg-warning "dereference of possibly-NULL 'malloc\\(s\\.sz\\)'" } */
+} /* { dg-warning "leak of 'malloc\\(s\\.sz\\)'" "warning" } */
+ /* { dg-message "'malloc\\(s\\.sz\\)' leaks here" "final event" { target *-*-* } .-1 } */
+
+void test_7b (struct s7 *s)
+{
+ *(char*)malloc (s->sz) = 42; /* { dg-warning "dereference of possibly-NULL 'malloc\\(\\*s\\.sz\\)'" } */
+} /* { dg-warning "leak of 'malloc\\(\\*s\\.sz\\)'" "warning" } */
+ /* { dg-message "'malloc\\(\\*s\\.sz\\)' leaks here" "final event" { target *-*-* } .-1 } */