* [gcc r12-7000] analyzer: fix missing check for uninit of return values
@ 2022-02-02 14:56 David Malcolm
From: David Malcolm @ 2022-02-02 14:56 UTC (permalink / raw)
To: gcc-cvs
https://gcc.gnu.org/g:13ad6d9f50e3f197246b460c4d9a9e80ba2559cf
commit r12-7000-g13ad6d9f50e3f197246b460c4d9a9e80ba2559cf
Author: David Malcolm <dmalcolm@redhat.com>
Date: Fri Jan 28 13:37:51 2022 -0500
analyzer: fix missing check for uninit of return values
When moving the -fanalyzer tests for -ftrivial-auto-var-init to the
"torture" subdirectory of gcc.dg/analyzer I noticed that -fanalyzer
wasn't always properly checking for initialization of return values.
The issue was that some "return" handling was using
region_model::copy_region to copy to the RESULT_DECL, and copy_region
wasn't checking for poisoned svalues.
This patch eliminates region_model::copy_region in favor of simply
doing a get_rvalue/set_value pair, fixing the issue.
gcc/analyzer/ChangeLog:
* region-model.cc (region_model::on_return): Replace usage of
copy_region with get_rvalue/set_value pair.
(region_model::pop_frame): Likewise.
(selftest::test_compound_assignment): Likewise.
* region-model.h (region_model::copy_region): Delete decl.
* region.cc (region_model::copy_region): Delete.
gcc/testsuite/ChangeLog:
* gcc.dg/analyzer/torture/ubsan-1.c: Add missing return stmts.
* gcc.dg/analyzer/uninit-trivial-auto-var-init-pattern.c: Move
to...
* gcc.dg/analyzer/torture/uninit-trivial-auto-var-init-pattern.c:
...here.
* gcc.dg/analyzer/uninit-trivial-auto-var-init-uninitialized.c:
Move to...
* gcc.dg/analyzer/torture/uninit-trivial-auto-var-init-uninitialized.c:
...here.
* gcc.dg/analyzer/uninit-trivial-auto-var-init-zero.c: Move to...
* gcc.dg/analyzer/torture/uninit-trivial-auto-var-init-zero.c: ...here.
Signed-off-by: David Malcolm <dmalcolm@redhat.com>
Diff:
---
gcc/analyzer/region-model.cc | 21 +++++++++++----------
gcc/analyzer/region-model.h | 2 --
gcc/analyzer/region.cc | 15 ---------------
gcc/testsuite/gcc.dg/analyzer/torture/ubsan-1.c | 2 ++
.../torture/uninit-trivial-auto-var-init-pattern.c | 10 ++++++++++
.../uninit-trivial-auto-var-init-uninitialized.c | 10 ++++++++++
.../torture/uninit-trivial-auto-var-init-zero.c | 10 ++++++++++
.../analyzer/uninit-trivial-auto-var-init-pattern.c | 7 -------
.../uninit-trivial-auto-var-init-uninitialized.c | 7 -------
.../analyzer/uninit-trivial-auto-var-init-zero.c | 7 -------
10 files changed, 43 insertions(+), 48 deletions(-)
diff --git a/gcc/analyzer/region-model.cc b/gcc/analyzer/region-model.cc
index 58c7028fc9c..6e7a21d0f9c 100644
--- a/gcc/analyzer/region-model.cc
+++ b/gcc/analyzer/region-model.cc
@@ -1559,7 +1559,11 @@ region_model::on_return (const greturn *return_stmt, region_model_context *ctxt)
tree rhs = gimple_return_retval (return_stmt);
if (lhs && rhs)
- copy_region (get_lvalue (lhs, ctxt), get_lvalue (rhs, ctxt), ctxt);
+ {
+ const svalue *sval = get_rvalue (rhs, ctxt);
+ const region *ret_reg = get_lvalue (lhs, ctxt);
+ set_value (ret_reg, sval, ctxt);
+ }
}
/* Update this model for a call and return of setjmp/sigsetjmp at CALL within
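Review bot: The new block in on_return has no comment saying why the value is read with get_rvalue, although that is the substance of the fix: per the commit message, the old copy_region path did not check for poisoned svalues, so an uninitialized return value could go unreported. I would add, above the get_rvalue call, `/* Read RHS via get_rvalue so that a poisoned (e.g. uninitialized) return value is checked.  */` so that a later refactor does not reintroduce a direct store-to-store copy. Separately, copy_region returned early when dst_reg == src_reg and this block has no such guard; that is presumably harmless, but it is worth confirming for a `return` whose operand is the RESULT_DECL itself. The body of on_return starts above the hunk.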
@@ -3618,15 +3622,11 @@ region_model::pop_frame (const region *result_dst_reg,
tree result = DECL_RESULT (fndecl);
if (result && TREE_TYPE (result) != void_type_node)
{
+ const svalue *retval = get_rvalue (result, ctxt);
if (result_dst_reg)
- {
- /* Copy the result to RESULT_DST_REG. */
- copy_region (result_dst_reg,
- get_lvalue (result, ctxt),
- ctxt);
- }
+ set_value (result_dst_reg, retval, ctxt);
if (out_result)
- *out_result = get_rvalue (result, ctxt);
+ *out_result = retval;
}
/* Pop the frame. */
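Review bot: `get_rvalue (result, ctxt)` is now evaluated whenever the function has a non-void result, including when both result_dst_reg and out_result are null, whereas the old code touched the result only when one of them was set. If that is intentional, so that the poisoned-value check runs even when the caller discards the result, it deserves a comment now that `/* Copy the result to RESULT_DST_REG. */` is gone, for example `/* Fetch via get_rvalue so that poisoned results are checked, even if the caller ignores them.  */`. If it is not intended, guard the call with `if (result_dst_reg || out_result)`. It may also be worth checking that a value already diagnosed in on_return is not reported a second time here; whether such diagnostics are deduplicated cannot be seen from this hunk. pop_frame starts and ends outside the hunk.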
@@ -4758,8 +4758,9 @@ test_compound_assignment ()
model.set_value (c_y, int_m3, NULL);
/* Copy c to d. */
- model.copy_region (model.get_lvalue (d, NULL), model.get_lvalue (c, NULL),
- NULL);
+ const svalue *sval = model.get_rvalue (c, NULL);
+ model.set_value (model.get_lvalue (d, NULL), sval, NULL);
+
/* Check that the fields have the same svalues. */
ASSERT_EQ (model.get_rvalue (c_x, NULL), model.get_rvalue (d_x, NULL));
ASSERT_EQ (model.get_rvalue (c_y, NULL), model.get_rvalue (d_y, NULL));
diff --git a/gcc/analyzer/region-model.h b/gcc/analyzer/region-model.h
index 3fa090d771e..46cf37e6b26 100644
--- a/gcc/analyzer/region-model.h
+++ b/gcc/analyzer/region-model.h
@@ -676,8 +676,6 @@ class region_model
void zero_fill_region (const region *reg);
void mark_region_as_unknown (const region *reg, uncertainty_t *uncertainty);
- void copy_region (const region *dst_reg, const region *src_reg,
- region_model_context *ctxt);
tristate eval_condition (const svalue *lhs,
enum tree_code op,
const svalue *rhs) const;
diff --git a/gcc/analyzer/region.cc b/gcc/analyzer/region.cc
index 77554b86143..0adc75e577d 100644
--- a/gcc/analyzer/region.cc
+++ b/gcc/analyzer/region.cc
@@ -539,21 +539,6 @@ region::get_relative_concrete_offset (bit_offset_t *) const
return false;
}
-/* Copy from SRC_REG to DST_REG, using CTXT for any issues that occur. */
-
-void
-region_model::copy_region (const region *dst_reg, const region *src_reg,
- region_model_context *ctxt)
-{
- gcc_assert (dst_reg);
- gcc_assert (src_reg);
- if (dst_reg == src_reg)
- return;
-
- const svalue *sval = get_store_value (src_reg, ctxt);
- set_value (dst_reg, sval, ctxt);
-}
-
/* Dump a description of this region to stderr. */
DEBUG_FUNCTION void
diff --git a/gcc/testsuite/gcc.dg/analyzer/torture/ubsan-1.c b/gcc/testsuite/gcc.dg/analyzer/torture/ubsan-1.c
index b9f34f166ba..2e1e6a09fea 100644
--- a/gcc/testsuite/gcc.dg/analyzer/torture/ubsan-1.c
+++ b/gcc/testsuite/gcc.dg/analyzer/torture/ubsan-1.c
@@ -19,6 +19,7 @@ int test_2 (int *arr, int i, int n)
__analyzer_eval (arr[i]); /* { dg-warning "TRUE" } */
else
__analyzer_eval (arr[i]); /* { dg-warning "FALSE" } */
+ return 1;
}
int test_3 (int arr[], int i, int n)
@@ -29,6 +30,7 @@ int test_3 (int arr[], int i, int n)
__analyzer_eval (arr[i]); /* { dg-warning "TRUE" } */
else
__analyzer_eval (arr[i]); /* { dg-warning "FALSE" } */
+ return 1;
}
void test_4 (int i, int n)
diff --git a/gcc/testsuite/gcc.dg/analyzer/torture/uninit-trivial-auto-var-init-pattern.c b/gcc/testsuite/gcc.dg/analyzer/torture/uninit-trivial-auto-var-init-pattern.c
new file mode 100644
index 00000000000..2445ee509df
--- /dev/null
+++ b/gcc/testsuite/gcc.dg/analyzer/torture/uninit-trivial-auto-var-init-pattern.c
@@ -0,0 +1,10 @@
+/* { dg-skip-if "" { *-*-* } { "-fno-fat-lto-objects" } { "" } } */
+/* { dg-additional-options "-ftrivial-auto-var-init=pattern" } */
+
+int test_1 (void)
+{
+ int i; /* { dg-message "region created on stack here" } */
+ return i; /* { dg-warning "use of uninitialized value 'i.*'" } */
+ /* FIXME: the LTO build sometimes shows SSA names here
+ (PR analyzer/94976). */
+}
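Review bot: The `dg-skip-if` on the first line has an empty reason string, so nothing in the file records why the `-fno-fat-lto-objects` torture variant is skipped; the same applies to the -uninitialized and -zero copies added later in this commit. I would fill in the first argument, e.g. `dg-skip-if "<reason this LTO variant is skipped>" { *-*-* } { "-fno-fat-lto-objects" } { "" }`. The expected-warning pattern was also loosened from `'i'` to `'i.*'`, which accepts any quoted name that begins with `i`. The FIXME explains this, but it could also say that the pattern should go back to `'i'` once PR analyzer/94976 is resolved, so the looser match does not become permanent.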
diff --git a/gcc/testsuite/gcc.dg/analyzer/torture/uninit-trivial-auto-var-init-uninitialized.c b/gcc/testsuite/gcc.dg/analyzer/torture/uninit-trivial-auto-var-init-uninitialized.c
new file mode 100644
index 00000000000..7c4dd27adec
--- /dev/null
+++ b/gcc/testsuite/gcc.dg/analyzer/torture/uninit-trivial-auto-var-init-uninitialized.c
@@ -0,0 +1,10 @@
+/* { dg-skip-if "" { *-*-* } { "-fno-fat-lto-objects" } { "" } } */
+/* { dg-additional-options "-ftrivial-auto-var-init=uninitialized" } */
+
+int test_1 (void)
+{
+ int i; /* { dg-message "region created on stack here" } */
+ return i; /* { dg-warning "use of uninitialized value 'i.*'" } */
+ /* FIXME: the LTO build sometimes shows SSA names here
+ (PR analyzer/94976). */
+}
diff --git a/gcc/testsuite/gcc.dg/analyzer/torture/uninit-trivial-auto-var-init-zero.c b/gcc/testsuite/gcc.dg/analyzer/torture/uninit-trivial-auto-var-init-zero.c
new file mode 100644
index 00000000000..6486d25a72a
--- /dev/null
+++ b/gcc/testsuite/gcc.dg/analyzer/torture/uninit-trivial-auto-var-init-zero.c
@@ -0,0 +1,10 @@
+/* { dg-skip-if "" { *-*-* } { "-fno-fat-lto-objects" } { "" } } */
+/* { dg-additional-options "-ftrivial-auto-var-init=zero" } */
+
+int test_1 (void)
+{
+ int i; /* { dg-message "region created on stack here" } */
+ return i; /* { dg-warning "use of uninitialized value 'i.*'" } */
+ /* FIXME: the LTO build sometimes shows SSA names here
+ (PR analyzer/94976). */
+}
diff --git a/gcc/testsuite/gcc.dg/analyzer/uninit-trivial-auto-var-init-pattern.c b/gcc/testsuite/gcc.dg/analyzer/uninit-trivial-auto-var-init-pattern.c
deleted file mode 100644
index 0b78dc65267..00000000000
--- a/gcc/testsuite/gcc.dg/analyzer/uninit-trivial-auto-var-init-pattern.c
+++ /dev/null
@@ -1,7 +0,0 @@
-/* { dg-additional-options "-ftrivial-auto-var-init=pattern" } */
-
-int test_1 (void)
-{
- int i; /* { dg-message "region created on stack here" } */
- return i; /* { dg-warning "use of uninitialized value 'i'" } */
-}
diff --git a/gcc/testsuite/gcc.dg/analyzer/uninit-trivial-auto-var-init-uninitialized.c b/gcc/testsuite/gcc.dg/analyzer/uninit-trivial-auto-var-init-uninitialized.c
deleted file mode 100644
index 124d3a327b8..00000000000
--- a/gcc/testsuite/gcc.dg/analyzer/uninit-trivial-auto-var-init-uninitialized.c
+++ /dev/null
@@ -1,7 +0,0 @@
-/* { dg-additional-options "-ftrivial-auto-var-init=uninitialized" } */
-
-int test_1 (void)
-{
- int i; /* { dg-message "region created on stack here" } */
- return i; /* { dg-warning "use of uninitialized value 'i'" } */
-}
diff --git a/gcc/testsuite/gcc.dg/analyzer/uninit-trivial-auto-var-init-zero.c b/gcc/testsuite/gcc.dg/analyzer/uninit-trivial-auto-var-init-zero.c
deleted file mode 100644
index ef7dc674867..00000000000
--- a/gcc/testsuite/gcc.dg/analyzer/uninit-trivial-auto-var-init-zero.c
+++ /dev/null
@@ -1,7 +0,0 @@
-/* { dg-additional-options "-ftrivial-auto-var-init=zero" } */
-
-int test_1 (void)
-{
- int i; /* { dg-message "region created on stack here" } */
- return i; /* { dg-warning "use of uninitialized value 'i'" } */
-}