[Bug analyzer/106203] New: Allow to emit diagnostics at return edges for the exit point as well as the call site

[Bug analyzer/106203] New: Allow to emit diagnostics at return edges for the exit point as well as the call site

[tlange at gcc dot gnu.org]

https://gcc.gnu.org/bugzilla/show_bug.cgi?id=106203

            Bug ID: 106203
           Summary: Allow to emit diagnostics at return edges for the exit
                    point as well as the call site
           Product: gcc
           Version: unknown
            Status: UNCONFIRMED
          Severity: normal
          Priority: P3
         Component: analyzer
          Assignee: dmalcolm at gcc dot gnu.org
          Reporter: tlange at gcc dot gnu.org
  Target Milestone: ---

Currently, the region_model_context at return edges, created inside
program_state::on_edge, neither holds a stmt nor a stmt_finder and thus,
warnings at return edges are rejected by impl_region_model_context::warn.

PR105900 has 2 XFAILs inside allocation-size-(1|2).c because the call to
set_value (lhs, <returned_value>) happens at a return edge. Similarly, PR105888
also needs to emit a warning at a return edge, but for the callee's exit point.

David already expressed ideas on how to solve this:
- have two contexts for pop_frame: one in the old frame, the other in
the new frame (for the caller)
- generalize stmt_finder, so it can also update the supernode to use
- rework pop_frame (I've had to do this before, I've run into issues
like this before).

[Bug analyzer/106203] Allow to emit diagnostics at return edges for the exit point as well as the call site

[dmalcolm at gcc dot gnu.org]

https://gcc.gnu.org/bugzilla/show_bug.cgi?id=106203

--- Comment #1 from David Malcolm <dmalcolm at gcc dot gnu.org> ---
I've been prototyping an implementation of PR 106147 (infinite loop detection),
and in some cases there aren't any statements at all for my warnings, just
location_t values (if that).  So as part of that I've been looking at a big
revamp of how source locations are tracked in the analyzer; I may be able to
fix this as part of that.

[Bug analyzer/106203] Allow to emit diagnostics at return edges for the exit point as well as the call site

[cvs-commit at gcc dot gnu.org]

https://gcc.gnu.org/bugzilla/show_bug.cgi?id=106203

--- Comment #2 from GCC Commits <cvs-commit at gcc dot gnu.org> ---
The master branch has been updated by David Malcolm <dmalcolm@gcc.gnu.org>:

https://gcc.gnu.org/g:2b0a7fe3abfbd47081f714a0a1263afe00c5cfd9

commit r15-969-g2b0a7fe3abfbd47081f714a0a1263afe00c5cfd9
Author: David Malcolm <dmalcolm@redhat.com>
Date:   Sat Jun 1 13:50:32 2024 -0400

    analyzer: detect -Wanalyzer-allocation-size at call stmts [PR106203]

    gcc/analyzer/ChangeLog:
            PR analyzer/106203
            * checker-event.h: Include "analyzer/event-loc-info.h".
            (struct event_loc_info): Move to its own header file.
            * diagnostic-manager.cc
            (diagnostic_manager::emit_saved_diagnostic): Move creation of
            event_loc_info here from add_final_event, and if we have a
            stmt_finder, call its update_event_loc_info method.
            * engine.cc (leak_stmt_finder::update_event_loc_info): New.
            (exploded_node::detect_leaks): Likewise.
            (exploded_node::detect_leaks): Pass nullptr as call_stmt arg to
            region_model::pop_frame.
            * event-loc-info.h: New file, with content taken from
            checker-event.h.
            * exploded-graph.h (stmt_finder::update_event_loc_info): New pure
            virtual function.
            * infinite-loop.cc (infinite_loop_diagnostic::add_final_event):
            Update for change to vfunc signature.
            * infinite-recursion.cc
            (infinite_recursion_diagnostic::add_final_event): Likewise.
            * pending-diagnostic.cc (pending_diagnostic::add_final_event):
            Pass in the event_loc_info from the caller, rather than generating
            it from a gimple stmt and enode.
            * pending-diagnostic.h (pending_diagnostic::add_final_event):
            Likewise.
            * region-model.cc (region_model::on_longjmp): Pass nullptr as
            call_stmt arg to region_model::pop_frame.
            (region_model::update_for_return_gcall): Likewise, but pass
            call_stmt.
            (class caller_context): New.
            (region_model::pop_frame): Add "call_stmt" argument.  Use it
            and the frame_region with a caller_context when setting
            result_dst_reg's value so that any diagnostic is reported at the
            call stmt in the caller.
            (selftest::test_stack_frames): Pass nullptr as call_stmt arg to
            region_model::pop_frame.
            (selftest::test_alloca): Likewise.
            * region-model.h (region_model::pop_frame): Add "call_stmt"
            argument.

    gcc/testsuite/ChangeLog:
            PR analyzer/106203
            * c-c++-common/analyzer/allocation-size-1.c (test_9): Remove
            xfail.
            * c-c++-common/analyzer/allocation-size-2.c (test_8): Likewise.
            * gcc.dg/analyzer/allocation-size-multiline-4.c: New test.
            * gcc.dg/plugin/analyzer_cpython_plugin.c
            (refcnt_stmt_finder::update_event_loc_info): New.

    Signed-off-by: David Malcolm <dmalcolm@redhat.com>

[Bug analyzer/106203] Allow to emit diagnostics at return edges for the exit point as well as the call site

[dmalcolm at gcc dot gnu.org]

https://gcc.gnu.org/bugzilla/show_bug.cgi?id=106203

David Malcolm <dmalcolm at gcc dot gnu.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|UNCONFIRMED                 |RESOLVED
         Resolution|---                         |FIXED

--- Comment #3 from David Malcolm <dmalcolm at gcc dot gnu.org> ---
Should be fixed by the above patch for GCC 15.

I don't plan to attempt backporting this, so marking it resolved.