public inbox for gcc-bugs@sourceware.org
help / color / mirror / Atom feed
* [Bug analyzer/107072] New: Analyzer call summarization not taking into account side-effects of calls
@ 2022-09-28 15:57 dmalcolm at gcc dot gnu.org
2022-10-05 0:20 ` [Bug analyzer/107072] " cvs-commit at gcc dot gnu.org
2022-10-05 0:27 ` dmalcolm at gcc dot gnu.org
0 siblings, 2 replies; 3+ messages in thread
From: dmalcolm at gcc dot gnu.org @ 2022-09-28 15:57 UTC (permalink / raw)
To: gcc-bugs
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=107072
Bug ID: 107072
Summary: Analyzer call summarization not taking into account
side-effects of calls
Product: gcc
Version: 13.0
Status: UNCONFIRMED
Severity: normal
Priority: P3
Component: analyzer
Assignee: dmalcolm at gcc dot gnu.org
Reporter: dmalcolm at gcc dot gnu.org
Blocks: 99390, 107060
Target Milestone: ---
Created attachment 53637
--> https://gcc.gnu.org/bugzilla/attachment.cgi?id=53637&action=edit
Reproducer reduced from PR 107060
-fanalyzer-call-summaries doesn't seem to be taking account of the side-effects
of calls; it emit lots of -Wanalyzer-use-of-uninitialized-value false positives
on the reproducer for PR 107060.
Am attaching a minimized version, which emits these false positives:
$ ./xgcc -B. -S -fanalyzer ../../src/uninit.c -fanalyzer-call-summaries
../../src/uninit.c: In function ‘fetch_string_char_advance’:
../../src/uninit.c:52:7: warning: use of uninitialized value ‘chlen’ [CWE-457]
[-Wanalyzer-use-of-uninitialized-value]
52 | b += chlen;
| ^~
‘fetch_string_char_advance’: events 1-5
|
| 49 | if (STRING_MULTIBYTE(string)) {
| | ~
| | |
| | (3) following ‘true’ branch...
| 50 | int chlen;
| | ^~~~~
| | |
| | (1) region created on stack here
| | (2) capacity: 4 bytes
| 51 | output = string_char_and_length(chp, &chlen);
| | ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
| | |
| | (4) ...to here
| 52 | b += chlen;
| | ~~
| | |
| | (5) use of uninitialized value ‘chlen’ here
|
../../src/uninit.c: In function ‘fetch_string_char_as_multibyte_advance’:
../../src/uninit.c:70:7: warning: use of uninitialized value ‘chlen’ [CWE-457]
[-Wanalyzer-use-of-uninitialized-value]
70 | b += chlen;
| ^~
‘fetch_string_char_as_multibyte_advance’: events 1-5
|
| 67 | if (STRING_MULTIBYTE(string)) {
| | ~
| | |
| | (3) following ‘true’ branch...
| 68 | int chlen;
| | ^~~~~
| | |
| | (1) region created on stack here
| | (2) capacity: 4 bytes
| 69 | output = string_char_and_length(chp, &chlen);
| | ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
| | |
| | (4) ...to here
| 70 | b += chlen;
| | ~~
| | |
| | (5) use of uninitialized value ‘chlen’ here
|
...despite string_char_and_length writing back to chlen (aka *length) on every
possible outcome.
Referenced Bugs:
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=99390
[Bug 99390] [meta-bug] tracker bug for call summaries in -fanalyzer
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=107060
[Bug 107060] -fanalyzer unbearably slow when compiling GNU Emacs
^ permalink raw reply [flat|nested] 3+ messages in thread
* [Bug analyzer/107072] Analyzer call summarization not taking into account side-effects of calls
2022-09-28 15:57 [Bug analyzer/107072] New: Analyzer call summarization not taking into account side-effects of calls dmalcolm at gcc dot gnu.org
@ 2022-10-05 0:20 ` cvs-commit at gcc dot gnu.org
2022-10-05 0:27 ` dmalcolm at gcc dot gnu.org
1 sibling, 0 replies; 3+ messages in thread
From: cvs-commit at gcc dot gnu.org @ 2022-10-05 0:20 UTC (permalink / raw)
To: gcc-bugs
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=107072
--- Comment #1 from CVS Commits <cvs-commit at gcc dot gnu.org> ---
The master branch has been updated by David Malcolm <dmalcolm@gcc.gnu.org>:
https://gcc.gnu.org/g:bfca9505f6fce631c2488f89aa156d56c7fae9ed
commit r13-3077-gbfca9505f6fce631c2488f89aa156d56c7fae9ed
Author: David Malcolm <dmalcolm@redhat.com>
Date: Tue Oct 4 20:19:07 2022 -0400
analyzer: revamp side-effects of call summaries [PR107072]
With -fanalyzer-call-summaries the analyzer canl attempt to summarize
the effects of some function calls at their call site, rather than
simulate the call directly, which can avoid big slowdowns during
analysis.
Previously, this summarization was extremely simplistic: no attempt
was made to update sm-state, and region_model::update_for_call_summary
would simply set the return value of the function to UNKNOWN, and assume
the function had no side effects.
This patch implements less simplistic summarizations: it tracks each
possible return enode from the called function, and attempts to generate
a successor enode from the callsite for each that have compatible
conditions, mapping state changes in the summary to state changes
at the callsite. It also implements the beginnings of heuristics for
generating user-facing descriptions of a summary e.g.
"when 'foo' returns NULL"
versus:
"when 'foo' returns a heap-allocated buffer"
This still has some bugs, but much more accurately tracks the effects
of a call, and so is an improvement; it should only have an effect
when -fanalyzer-call-summaries is enabled.
As before, -fanalyzer-call-summaries is disabled by default in
analyzer.opt (but enabled by default in the test suite).
gcc/ChangeLog:
PR analyzer/107072
* Makefile.in (ANALYZER_OBJS): Add analyzer/call-summary.o.
gcc/analyzer/ChangeLog:
PR analyzer/107072
* analyzer-logging.h: Include "diagnostic-core.h".
* analyzer.h: Include "function.h".
(class call_summary): New forward decl.
(class call_summary_replay): New forward decl.
(struct per_function_data): New forward decl.
(struct interesting_t): New forward decl.
(custom_edge_info::update_state): New vfunc.
* call-info.cc (custom_edge_info::update_state): New.
* call-summary.cc: New file.
* call-summary.h: New file.
* constraint-manager.cc: Include "analyzer/call-summary.h".
(class replay_fact_visitor): New.
(constraint_manager::replay_call_summary): New.
* constraint-manager.h (constraint_manager::replay_call_summary):
New.
* engine.cc: Include "analyzer/call-summary.h".
(exploded_node::on_stmt): Handle call summaries.
(class call_summary_edge_info): New.
(exploded_node::replay_call_summaries): New.
(exploded_node::replay_call_summary): New.
(per_function_data::~per_function_data): New.
(per_function_data::add_call_summary): Move here from header and
reimplement.
(exploded_graph::process_node): Call update_state rather than
update_model when handling bifurcation
(viz_callgraph_node::dump_dot): Use a regular label rather
than an HTML table; add summaries to dump.
* exploded-graph.h: Include "alloc-pool.h", "fibonacci_heap.h",
"supergraph.h", "sbitmap.h", "shortest-paths.h", "analyzer/sm.h",
"analyzer/program-state.h", and "analyzer/diagnostic-manager.h".
(exploded_node::replay_call_summaries): New decl.
(exploded_node::replay_call_summary): New decl.
(per_function_data::~per_function_data): New decl.
(per_function_data::add_call_summary): Move implemention from
header.
(per_function_data::m_summaries): Update type of element.
* known-function-manager.h: Include "analyzer/analyzer-logging.h".
* program-point.h: Include "pretty-print.h" and
"analyzer/call-string.h".
* program-state.cc: Include "analyzer/call-summary.h".
(sm_state_map::replay_call_summary): New.
(program_state::replay_call_summary): New.
* program-state.h (sm_state_map::replay_call_summary): New decl.
(program_state::replay_call_summary): New decl.
* region-model-manager.cc
(region_model_manager::get_or_create_asm_output_svalue): New
overload.
* region-model-manager.h
(region_model_manager::get_or_create_asm_output_svalue): New
overload decl.
* region-model.cc: Include "analyzer/call-summary.h".
(region_model::maybe_update_for_edge): Remove call to
region_model::update_for_call_summary on
SUPEREDGE_INTRAPROCEDURAL_CALL.
(region_model::update_for_call_summary): Delete.
(region_model::replay_call_summary): New.
* region-model.h (region_model::replay_call_summary): New decl.
(region_model::update_for_call_summary): Delete decl.
* store.cc: Include "analyzer/call-summary.h".
(store::replay_call_summary): New.
(store::replay_call_summary_cluster): New.
* store.h: Include "tristate.h".
(is_a_helper <const ana::concrete_binding *>::test): New.
(store::replay_call_summary): New decl.
(store::replay_call_summary_cluster): New decl.
* supergraph.cc (get_ultimate_function_for_cgraph_edge): Remove
"static" from decl.
(supergraph_call_edge): Make stmt param const.
* supergraph.h: Include "ordered-hash-map.h", "cfg.h",
"basic-block.h", "gimple.h", "gimple-iterator.h", and "digraph.h".
(supergraph_call_edge): Make stmt param const.
(get_ultimate_function_for_cgraph_edge): New decl.
* svalue.cc (compound_svalue::compound_svalue): Assert that we're
not nesting compound_svalues.
* svalue.h: Include "json.h", "analyzer/store.h", and
"analyzer/program-point.h".
(asm_output_svalue::get_num_outputs): New accessor.
gcc/testsuite/ChangeLog:
PR analyzer/107072
* gcc.dg/analyzer/call-summaries-2.c: New test.
* gcc.dg/analyzer/call-summaries-3.c: New test.
* gcc.dg/analyzer/call-summaries-asm-x86.c: New test.
* gcc.dg/analyzer/call-summaries-malloc.c: New test.
* gcc.dg/analyzer/call-summaries-pr107072.c: New test.
Signed-off-by: David Malcolm <dmalcolm@redhat.com>
^ permalink raw reply [flat|nested] 3+ messages in thread
* [Bug analyzer/107072] Analyzer call summarization not taking into account side-effects of calls
2022-09-28 15:57 [Bug analyzer/107072] New: Analyzer call summarization not taking into account side-effects of calls dmalcolm at gcc dot gnu.org
2022-10-05 0:20 ` [Bug analyzer/107072] " cvs-commit at gcc dot gnu.org
@ 2022-10-05 0:27 ` dmalcolm at gcc dot gnu.org
1 sibling, 0 replies; 3+ messages in thread
From: dmalcolm at gcc dot gnu.org @ 2022-10-05 0:27 UTC (permalink / raw)
To: gcc-bugs
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=107072
David Malcolm <dmalcolm at gcc dot gnu.org> changed:
What |Removed |Added
----------------------------------------------------------------------------
Last reconfirmed| |2022-10-05
Status|UNCONFIRMED |NEW
Ever confirmed|0 |1
--- Comment #2 from David Malcolm <dmalcolm at gcc dot gnu.org> ---
The above patch greatly improves the behavior, and fixes things for the
reproducer. Keeping this open as numerous issues remain: see the TODOs in the
above patch.
^ permalink raw reply [flat|nested] 3+ messages in thread
end of thread, other threads:[~2022-10-05 0:27 UTC | newest]
Thread overview: 3+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2022-09-28 15:57 [Bug analyzer/107072] New: Analyzer call summarization not taking into account side-effects of calls dmalcolm at gcc dot gnu.org
2022-10-05 0:20 ` [Bug analyzer/107072] " cvs-commit at gcc dot gnu.org
2022-10-05 0:27 ` dmalcolm at gcc dot gnu.org
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).