public inbox for gcc-bugs@sourceware.org
* [Bug analyzer/99771] New: Analyzer diagnostics should not say "<unknown>"
From: dmalcolm at gcc dot gnu.org @ 2021-03-25 15:26 UTC (permalink / raw)
  To: gcc-bugs

https://gcc.gnu.org/bugzilla/show_bug.cgi?id=99771

            Bug ID: 99771
           Summary: Analyzer diagnostics should not say "<unknown>"
           Product: gcc
           Version: 11.0
            Status: UNCONFIRMED
          Severity: normal
          Priority: P3
         Component: analyzer
          Assignee: dmalcolm at gcc dot gnu.org
          Reporter: dmalcolm at gcc dot gnu.org
  Target Milestone: ---

Various analyzer diagnostics talk about "<unknown>"; examples can be seen in
the testsuite:
  data-model-10.c:
    *new_table->m_f = NULL; // "dereference of possibly-NULL '<unknown>'"

  malloc-1.c (test_44):
    free (global_ptr); // "leak of '<unknown>'"

  malloc-ipa-13.c:
    calls_free (f.m_p); // "passing freed pointer '<unknown>' in call to 'calls_free' from 'test'"

and IIRC I've seen these "in the wild" recently as well.

We shouldn't emit "<unknown>" to the end-user.

Filing this bug to have a place to track fixing these.


* [Bug analyzer/99771] Analyzer diagnostics should not say "<unknown>"
From: dmalcolm at gcc dot gnu.org @ 2021-03-25 15:26 UTC (permalink / raw)
  To: gcc-bugs

https://gcc.gnu.org/bugzilla/show_bug.cgi?id=99771

David Malcolm <dmalcolm at gcc dot gnu.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
     Ever confirmed|0                           |1
   Last reconfirmed|                            |2021-03-25
             Status|UNCONFIRMED                 |ASSIGNED


* [Bug analyzer/99771] Analyzer diagnostics should not say "<unknown>"
From: cvs-commit at gcc dot gnu.org @ 2021-03-30 21:52 UTC (permalink / raw)
  To: gcc-bugs

https://gcc.gnu.org/bugzilla/show_bug.cgi?id=99771

--- Comment #1 from CVS Commits <cvs-commit at gcc dot gnu.org> ---
The master branch has been updated by David Malcolm <dmalcolm@gcc.gnu.org>:

https://gcc.gnu.org/g:0f9aa35c79a0fe195d5076375b5794246cf44819

commit r11-7917-g0f9aa35c79a0fe195d5076375b5794246cf44819
Author: David Malcolm <dmalcolm@redhat.com>
Date:   Fri Mar 26 13:26:15 2021 -0400

    analyzer: only call get_diagnostic_tree when it's needed

    impl_sm_context::get_diagnostic_tree could be expensive, and
    I find myself needing to put a breakpoint on it to debug
    PR analyzer/99771, so only call it if we're about to use
    the result.

    gcc/analyzer/ChangeLog:
            * sm-file.cc (fileptr_state_machine::on_stmt): Only call
            get_diagnostic_tree if the result will be used.
            * sm-malloc.cc (malloc_state_machine::on_stmt): Likewise.
            (malloc_state_machine::on_deallocator_call): Likewise.
            (malloc_state_machine::on_realloc_call): Likewise.
            (malloc_state_machine::on_realloc_call): Likewise.
            * sm-sensitive.cc
            (sensitive_state_machine::warn_for_any_exposure): Likewise.
            * sm-taint.cc (taint_state_machine::on_stmt): Likewise.


* [Bug analyzer/99771] Analyzer diagnostics should not say "<unknown>"
From: cvs-commit at gcc dot gnu.org @ 2021-03-31 23:18 UTC (permalink / raw)
  To: gcc-bugs

https://gcc.gnu.org/bugzilla/show_bug.cgi?id=99771

--- Comment #2 from CVS Commits <cvs-commit at gcc dot gnu.org> ---
The master branch has been updated by David Malcolm <dmalcolm@gcc.gnu.org>:

https://gcc.gnu.org/g:e4bb1bd60a9fd1bed36092a990aa5fed5d45bfa6

commit r11-7941-ge4bb1bd60a9fd1bed36092a990aa5fed5d45bfa6
Author: David Malcolm <dmalcolm@redhat.com>
Date:   Mon Mar 29 16:13:32 2021 -0400

    analyzer: avoid printing '<unknown>' for SSA names [PR99771]

    We don't want to print '<unknown>' in our diagnostics, but
    PR analyzer/99771 lists various cases where -fanalyzer does, due to
    using the SSA_NAME for a temporary when determining the best tree to
    use.

    This can happen in two ways:

    (a) ...when a better expression than the SSA_NAME could be built, but
    finding it requires traversing the relationships in the region_model
    in a graph-like way, rather than by considering individual svalues and
    regions.

    (b) ...when the only remaining user of the underlying svalue is the
    SSA_NAME, typically due to the diagnostic referring to a temporary.

    I've been experimenting with fixing (a), but don't have a good fix yet.
    In the meantime, this patch addresses (b) by detecting if we have
    the SSA_NAME for a temporary, and, for the cases where it's possible,
    reconstructing a tree by walking the def-stmts.  This fixes various
    cases of (b) and ameliorates some cases of (a).

    gcc/analyzer/ChangeLog:
            PR analyzer/99771
            * analyzer.cc (maybe_reconstruct_from_def_stmt): New.
            (fixup_tree_for_diagnostic_1): New.
            (fixup_tree_for_diagnostic): New.
            * analyzer.h (fixup_tree_for_diagnostic): New decl.
            * checker-path.cc (call_event::get_desc): Call
            fixup_tree_for_diagnostic and use it for the call_with_state call.
            (warning_event::get_desc): Likewise for the final_event and
            make_label_text calls.
            * engine.cc (impl_region_model_context::on_state_leak): Likewise
            for the on_leak and add_diagnostic calls.
            * region-model.cc (region_model::get_representative_tree):
            Likewise for the result.

    gcc/testsuite/ChangeLog:
            PR analyzer/99771
            * gcc.dg/analyzer/data-model-10.c: Update expected output.
            * gcc.dg/analyzer/malloc-ipa-13.c: Likewise.
            * gcc.dg/analyzer/malloc-ipa-13a.c: New test.
            * gcc.dg/analyzer/pr99771-1.c: New test.
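
The def-stmt walk described for case (b) in the commit message above, as a toy model added here for illustration. It is not GCC's code: `DefKind`, `DefStmt`, `reconstruct`, `describe` and the sample statements are hypothetical names and constructed data, not analyzer APIs.

```cpp
// Toy model of naming an SSA temporary by walking its def-stmts.
// Added illustration; none of these types or functions are GCC's.
#include <iostream>
#include <map>
#include <string>

enum class DefKind { Copy, Deref, Field, Call };

struct DefStmt {
  DefKind kind;
  std::string operand;  // "_N" temporary or a user-visible variable
  std::string field;    // used only by DefKind::Field
};
using DefMap = std::map<std::string, DefStmt>;

// Constructed sample, modelled on "calls_free (f.m_p)" from the report.
DefMap sample_defs() {
  return {
      {"_1", {DefKind::Field, "f", "m_p"}},    // _1 = f.m_p;
      {"_2", {DefKind::Deref, "_1", ""}},      // _2 = *_1;
      {"_3", {DefKind::Field, "_2", "x"}},     // _3 = _2.x;
      {"_4", {DefKind::Call, "get_buf", ""}},  // _4 = get_buf ();
      {"_5", {DefKind::Copy, "_5", ""}},       // malformed self-reference
  };
}

// Writes a printable expression for NAME to OUT; false if none exists.
bool reconstruct(const DefMap &defs, const std::string &name,
                 std::string &out, int depth = 0) {
  if (name.empty() || name[0] != '_') { out = name; return true; }
  auto it = defs.find(name);
  if (it == defs.end() || depth > 16) return false;  // no def, or a cycle
  const DefStmt &d = it->second;
  if (d.kind == DefKind::Call) return false;  // result has no source spelling
  std::string inner;
  if (!reconstruct(defs, d.operand, inner, depth + 1)) return false;
  if (d.kind == DefKind::Copy) out = inner;
  else if (d.kind == DefKind::Deref) out = "*" + inner;
  else out = (inner[0] == '*' ? "(" + inner + ")" : inner) + "." + d.field;
  return true;
}

// What a diagnostic would quote: the expression, or the old fallback.
std::string describe(const DefMap &defs, const std::string &name) {
  std::string expr;
  return reconstruct(defs, name, expr) ? expr : "<unknown>";
}

int main() {
  std::cout << "passing freed pointer '" << describe(sample_defs(), "_1")
            << "' in call to 'calls_free' from 'test'\n";
}
```

A temporary defined by a call (`_4`) still falls back to `<unknown>` in this model, since there is no source-level expression to rebuild from its def-stmt.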


* [Bug analyzer/99771] Analyzer diagnostics should not say "<unknown>"
From: dmalcolm at gcc dot gnu.org @ 2021-03-31 23:21 UTC (permalink / raw)
  To: gcc-bugs

https://gcc.gnu.org/bugzilla/show_bug.cgi?id=99771

--- Comment #3 from David Malcolm <dmalcolm at gcc dot gnu.org> ---
The above patch fixes some of the occurrences of the bug (due to (b)), but not
those due to (a), so keeping this bug open.


* [Bug analyzer/99771] Analyzer diagnostics should not say "<unknown>"
From: cvs-commit at gcc dot gnu.org @ 2022-03-07 19:21 UTC (permalink / raw)
  To: gcc-bugs

https://gcc.gnu.org/bugzilla/show_bug.cgi?id=99771

--- Comment #4 from CVS Commits <cvs-commit at gcc dot gnu.org> ---
The master branch has been updated by David Malcolm <dmalcolm@gcc.gnu.org>:

https://gcc.gnu.org/g:0af37ad4422052be4b7f779737e14c80e57d0ad9

commit r12-7525-g0af37ad4422052be4b7f779737e14c80e57d0ad9
Author: David Malcolm <dmalcolm@redhat.com>
Date:   Mon Mar 7 14:19:30 2022 -0500

    analyzer: fix leak suppression at end of 'main' [PR101983]

    PR analyzer/101983 reports what I thought were false positives
    from -Wanalyzer-malloc-leak, but on closer inspection, the
    analyzer is correctly reporting heap-allocated buffers that are
    no longer reachable.

    However, these "leaks" occur at the end of "main".  The analyzer already
    has some logic to avoid reporting leaks at the end of main, where the
    leak is detected at the end of the EXIT basic block.  However, in this
    case, the leak is detected at the clobber in BB 2 here:
      <bb 2> :
      func (&res);
      res ={v} {CLOBBER(eol)};
      _4 = 0;

      <bb 3> :
    <L0>:
      return _4;

    where we have a chain BB 2 -> BB 3 -> EXIT BB.

    This patch generalizes the "are we at the end of 'main'" detection to
    handle such cases, silencing -Wanalyzer-malloc-leak on them.

    There's a remaining issue where the analyzer unhelpfully describes one
    of the leaking values as '<unknown>', rather than 'res.a', but I'm
    leaving that for a followup (covered by PR analyzer/99771).

    gcc/analyzer/ChangeLog:
            PR analyzer/101983
            * engine.cc (returning_from_function_p): New.
            (impl_region_model_context::on_state_leak): Use it when rejecting
            leaks at the return from "main".

    gcc/testsuite/ChangeLog:
            PR analyzer/101983
            * gcc.dg/analyzer/pr101983-main.c: New test.
            * gcc.dg/analyzer/pr101983-not-main.c: New test.

    Signed-off-by: David Malcolm <dmalcolm@redhat.com>


* [Bug analyzer/99771] Analyzer diagnostics should not say "<unknown>"
From: cvs-commit at gcc dot gnu.org @ 2022-03-08 19:17 UTC (permalink / raw)
  To: gcc-bugs

https://gcc.gnu.org/bugzilla/show_bug.cgi?id=99771

--- Comment #5 from CVS Commits <cvs-commit at gcc dot gnu.org> ---
The master branch has been updated by David Malcolm <dmalcolm@gcc.gnu.org>:

https://gcc.gnu.org/g:b7175f36812b32d3de242f15c065b9cb68e957a9

commit r12-7541-gb7175f36812b32d3de242f15c065b9cb68e957a9
Author: David Malcolm <dmalcolm@redhat.com>
Date:   Tue Mar 8 14:16:48 2022 -0500

    analyzer: more test coverage of leak detection [PR99771]

    gcc/testsuite/ChangeLog:
            PR analyzer/99771
            * gcc.dg/analyzer/leak-4.c: New test.

    Signed-off-by: David Malcolm <dmalcolm@redhat.com>
