From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: by sourceware.org (Postfix, from userid 2209) id E95273857C45; Wed, 2 Feb 2022 14:56:43 +0000 (GMT) DKIM-Filter: OpenDKIM Filter v2.11.0 sourceware.org E95273857C45 MIME-Version: 1.0 Content-Transfer-Encoding: 7bit Content-Type: text/plain; charset="utf-8" 
From: David Malcolm To: gcc-cvs@gcc.gnu.org Subject: [gcc r12-7000] analyzer: fix missing check for uninit of return values X-Act-Checkin: gcc X-Git-Author: David Malcolm X-Git-Refname: refs/heads/master X-Git-Oldrev: ea3e1915954371d8230fda44ce6821928f04f80e X-Git-Newrev: 13ad6d9f50e3f197246b460c4d9a9e80ba2559cf Message-Id: <20220202145643.E95273857C45@sourceware.org> Date: Wed, 2 Feb 2022 14:56:43 +0000 (GMT) X-BeenThere: gcc-cvs@gcc.gnu.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: Gcc-cvs mailing list List-Unsubscribe: , List-Archive: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 02 Feb 2022 14:56:44 -0000 https://gcc.gnu.org/g:13ad6d9f50e3f197246b460c4d9a9e80ba2559cf commit r12-7000-g13ad6d9f50e3f197246b460c4d9a9e80ba2559cf Author: David Malcolm Date: Fri Jan 28 13:37:51 2022 -0500 analyzer: fix missing check for uninit of return values When moving the -fanalyzer tests for -ftrivial-auto-var-init to the "torture" subdirectory of gcc.dg/analyzer I noticed that -fanalyzer wasn't always properly checking for initialization of return values. The issue was that some "return" handling was using region_model::copy_region to copy to the RESULT_DECL, and copy_region wasn't checking for poisoned svalues. This patch eliminates region_model::copy_region in favor of simply doing a get_rvalue/set_value pair, fixing the issue. gcc/analyzer/ChangeLog: * region-model.cc (region_model::on_return): Replace usage of copy_region with get_rvalue/set_value pair. (region_model::pop_frame): Likewise. (selftest::test_compound_assignment): Likewise. * region-model.h (region_model::copy_region): Delete decl. * region.cc (region_model::copy_region): Delete. gcc/testsuite/ChangeLog: * gcc.dg/analyzer/torture/ubsan-1.c: Add missing return stmts. * gcc.dg/analyzer/uninit-trivial-auto-var-init-pattern.c: Move to... * gcc.dg/analyzer/torture/uninit-trivial-auto-var-init-pattern.c: ...here. * gcc.dg/analyzer/uninit-trivial-auto-var-init-uninitialized.c: Move to...
* gcc.dg/analyzer/torture/uninit-trivial-auto-var-init-uninitialized.c: ...here. * gcc.dg/analyzer/uninit-trivial-auto-var-init-zero.c: Move to... * gcc.dg/analyzer/torture/uninit-trivial-auto-var-init-zero.c: ...here. Signed-off-by: David Malcolm Diff:
---
 gcc/analyzer/region-model.cc | 21 +++++++++++----------
 gcc/analyzer/region-model.h | 2 --
 gcc/analyzer/region.cc | 15 ---------------
 gcc/testsuite/gcc.dg/analyzer/torture/ubsan-1.c | 2 ++
 .../torture/uninit-trivial-auto-var-init-pattern.c | 10 ++++++++++
 .../uninit-trivial-auto-var-init-uninitialized.c | 10 ++++++++++
 .../torture/uninit-trivial-auto-var-init-zero.c | 10 ++++++++++
 .../analyzer/uninit-trivial-auto-var-init-pattern.c | 7 -------
 .../uninit-trivial-auto-var-init-uninitialized.c | 7 -------
 .../analyzer/uninit-trivial-auto-var-init-zero.c | 7 -------
 10 files changed, 43 insertions(+), 48 deletions(-)
diff --git a/gcc/analyzer/region-model.cc b/gcc/analyzer/region-model.cc
index 58c7028fc9c..6e7a21d0f9c 100644
--- a/gcc/analyzer/region-model.cc
+++ b/gcc/analyzer/region-model.cc
@@ -1559,7 +1559,11 @@ region_model::on_return (const greturn *return_stmt, region_model_context *ctxt)
 tree rhs = gimple_return_retval (return_stmt);
 if (lhs && rhs)
- copy_region (get_lvalue (lhs, ctxt), get_lvalue (rhs, ctxt), ctxt);
+ {
+ const svalue *sval = get_rvalue (rhs, ctxt);
+ const region *ret_reg = get_lvalue (lhs, ctxt);
+ set_value (ret_reg, sval, ctxt);
+ }
 }
 /* Update this model for a call and return of setjmp/sigsetjmp at CALL within
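Review bot: The new block in region_model::on_return has no comment saying why the value is fetched with get_rvalue, yet per the commit message that choice is the whole fix: the removed copy_region read its source with get_store_value and so never checked for poisoned svalues. I would add a comment above the get_rvalue call, for example `/* Use get_rvalue rather than get_store_value so that a poisoned (e.g. uninitialized) return value is reported via CTXT.  */`, so that a later refactor does not quietly drop the check. The removed copy_region also returned early when dst_reg == src_reg; if rhs can be the RESULT_DECL itself here, the new code reads and rewrites the same region, which looks harmless but is worth confirming. The same get_rvalue/set_value pair is introduced in pop_frame and in selftest::test_compound_assignment, and on_return's body starts outside this hunk.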
@@ -3618,15 +3622,11 @@ region_model::pop_frame (const region *result_dst_reg,
 tree result = DECL_RESULT (fndecl);
 if (result && TREE_TYPE (result) != void_type_node)
 {
+ const svalue *retval = get_rvalue (result, ctxt);
 if (result_dst_reg)
- {
- /* Copy the result to RESULT_DST_REG. */
- copy_region (result_dst_reg,
- get_lvalue (result, ctxt),
- ctxt);
- }
+ set_value (result_dst_reg, retval, ctxt);
 if (out_result)
- *out_result = get_rvalue (result, ctxt);
+ *out_result = retval;
 }
 /* Pop the frame. */
@@ -4758,8 +4758,9 @@ test_compound_assignment ()
 model.set_value (c_y, int_m3, NULL);
 /* Copy c to d. */
- model.copy_region (model.get_lvalue (d, NULL), model.get_lvalue (c, NULL),
- NULL);
+ const svalue *sval = model.get_rvalue (c, NULL);
+ model.set_value (model.get_lvalue (d, NULL), sval, NULL);
+
 /* Check that the fields have the same svalues. */
 ASSERT_EQ (model.get_rvalue (c_x, NULL), model.get_rvalue (d_x, NULL));
 ASSERT_EQ (model.get_rvalue (c_y, NULL), model.get_rvalue (d_y, NULL));
diff --git a/gcc/analyzer/region-model.h b/gcc/analyzer/region-model.h
index 3fa090d771e..46cf37e6b26 100644
--- a/gcc/analyzer/region-model.h
+++ b/gcc/analyzer/region-model.h
@@ -676,8 +676,6 @@ class region_model
 void zero_fill_region (const region *reg);
 void mark_region_as_unknown (const region *reg, uncertainty_t *uncertainty);
- void copy_region (const region *dst_reg, const region *src_reg,
- region_model_context *ctxt);
 tristate eval_condition (const svalue *lhs, enum tree_code op, const svalue *rhs) const;
diff --git a/gcc/analyzer/region.cc b/gcc/analyzer/region.cc
index 77554b86143..0adc75e577d 100644
--- a/gcc/analyzer/region.cc
+++ b/gcc/analyzer/region.cc
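Review bot: In region_model::pop_frame the get_rvalue call is hoisted above both `if`s, so the return value is now evaluated with ctxt whenever the function has a non-void result, even when result_dst_reg and out_result are both null. If get_rvalue reports poisoned values through ctxt, as the commit message implies, a caller that discards the result of a function that never set it could now get an uninitialized-value diagnostic, whereas before nothing was read in that case. If that is not intended, guard the read with `if (result_dst_reg || out_result)`; if it is intended, say so in a comment next to the call. pop_frame begins and ends outside this hunk.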
@@ -539,21 +539,6 @@ region::get_relative_concrete_offset (bit_offset_t *) const
 return false;
 }
-/* Copy from SRC_REG to DST_REG, using CTXT for any issues that occur. */
-
-void
-region_model::copy_region (const region *dst_reg, const region *src_reg,
- region_model_context *ctxt)
-{
- gcc_assert (dst_reg);
- gcc_assert (src_reg);
- if (dst_reg == src_reg)
- return;
-
- const svalue *sval = get_store_value (src_reg, ctxt);
- set_value (dst_reg, sval, ctxt);
-}
-
 /* Dump a description of this region to stderr. */
 DEBUG_FUNCTION void
diff --git a/gcc/testsuite/gcc.dg/analyzer/torture/ubsan-1.c b/gcc/testsuite/gcc.dg/analyzer/torture/ubsan-1.c
index b9f34f166ba..2e1e6a09fea 100644
--- a/gcc/testsuite/gcc.dg/analyzer/torture/ubsan-1.c
+++ b/gcc/testsuite/gcc.dg/analyzer/torture/ubsan-1.c
@@ -19,6 +19,7 @@ int test_2 (int *arr, int i, int n)
 __analyzer_eval (arr[i]); /* { dg-warning "TRUE" } */
 else
 __analyzer_eval (arr[i]); /* { dg-warning "FALSE" } */
+ return 1;
 }
 int test_3 (int arr[], int i, int n)
@@ -29,6 +30,7 @@ int test_3 (int arr[], int i, int n)
 __analyzer_eval (arr[i]); /* { dg-warning "TRUE" } */
 else
 __analyzer_eval (arr[i]); /* { dg-warning "FALSE" } */
+ return 1;
 }
 void test_4 (int i, int n)
diff --git a/gcc/testsuite/gcc.dg/analyzer/torture/uninit-trivial-auto-var-init-pattern.c b/gcc/testsuite/gcc.dg/analyzer/torture/uninit-trivial-auto-var-init-pattern.c
new file mode 100644
index 00000000000..2445ee509df
--- /dev/null
+++ b/gcc/testsuite/gcc.dg/analyzer/torture/uninit-trivial-auto-var-init-pattern.c
@@ -0,0 +1,10 @@
+/* { dg-skip-if "" { *-*-* } { "-fno-fat-lto-objects" } { "" } } */
+/* { dg-additional-options "-ftrivial-auto-var-init=pattern" } */
+
+int test_1 (void)
+{
+ int i; /* { dg-message "region created on stack here" } */
+ return i; /* { dg-warning "use of uninitialized value 'i.*'" } */
+ /* FIXME: the LTO build sometimes shows SSA names here
+ (PR analyzer/94976). */
+}
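Review bot: The torture tests added here (uninit-trivial-auto-var-init-pattern.c and its -uninitialized and -zero variants) exercise only `return i;` of a scalar local, which covers the on_return path; nothing in the visible tests pins the pop_frame change, where a caller receives the callee's result. A second function in each file that calls a helper returning an uninitialized local and then uses the result would cover that path, assuming it is not already tested elsewhere in the suite. The expected-warning pattern is also loosened from `'i'` to `'i.*'`, which accepts any name starting with i; the FIXME ties that to PR analyzer/94976, so the pattern should be tightened again once that PR is resolved.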
diff --git a/gcc/testsuite/gcc.dg/analyzer/torture/uninit-trivial-auto-var-init-uninitialized.c b/gcc/testsuite/gcc.dg/analyzer/torture/uninit-trivial-auto-var-init-uninitialized.c
new file mode 100644
index 00000000000..7c4dd27adec
--- /dev/null
+++ b/gcc/testsuite/gcc.dg/analyzer/torture/uninit-trivial-auto-var-init-uninitialized.c
@@ -0,0 +1,10 @@
+/* { dg-skip-if "" { *-*-* } { "-fno-fat-lto-objects" } { "" } } */
+/* { dg-additional-options "-ftrivial-auto-var-init=uninitialized" } */
+
+int test_1 (void)
+{
+ int i; /* { dg-message "region created on stack here" } */
+ return i; /* { dg-warning "use of uninitialized value 'i.*'" } */
+ /* FIXME: the LTO build sometimes shows SSA names here
+ (PR analyzer/94976). */
+}
diff --git a/gcc/testsuite/gcc.dg/analyzer/torture/uninit-trivial-auto-var-init-zero.c b/gcc/testsuite/gcc.dg/analyzer/torture/uninit-trivial-auto-var-init-zero.c
new file mode 100644
index 00000000000..6486d25a72a
--- /dev/null
+++ b/gcc/testsuite/gcc.dg/analyzer/torture/uninit-trivial-auto-var-init-zero.c
@@ -0,0 +1,10 @@
+/* { dg-skip-if "" { *-*-* } { "-fno-fat-lto-objects" } { "" } } */
+/* { dg-additional-options "-ftrivial-auto-var-init=zero" } */
+
+int test_1 (void)
+{
+ int i; /* { dg-message "region created on stack here" } */
+ return i; /* { dg-warning "use of uninitialized value 'i.*'" } */
+ /* FIXME: the LTO build sometimes shows SSA names here
+ (PR analyzer/94976). */
+}
diff --git a/gcc/testsuite/gcc.dg/analyzer/uninit-trivial-auto-var-init-pattern.c b/gcc/testsuite/gcc.dg/analyzer/uninit-trivial-auto-var-init-pattern.c
deleted file mode 100644
index 0b78dc65267..00000000000
--- a/gcc/testsuite/gcc.dg/analyzer/uninit-trivial-auto-var-init-pattern.c
+++ /dev/null
@@ -1,7 +0,0 @@
-/* { dg-additional-options "-ftrivial-auto-var-init=pattern" } */
-
-int test_1 (void)
-{
- int i; /* { dg-message "region created on stack here" } */
- return i; /* { dg-warning "use of uninitialized value 'i'" } */
-}
diff --git a/gcc/testsuite/gcc.dg/analyzer/uninit-trivial-auto-var-init-uninitialized.c b/gcc/testsuite/gcc.dg/analyzer/uninit-trivial-auto-var-init-uninitialized.c
deleted file mode 100644
index 124d3a327b8..00000000000
--- a/gcc/testsuite/gcc.dg/analyzer/uninit-trivial-auto-var-init-uninitialized.c
+++ /dev/null
@@ -1,7 +0,0 @@
-/* { dg-additional-options "-ftrivial-auto-var-init=uninitialized" } */
-
-int test_1 (void)
-{
- int i; /* { dg-message "region created on stack here" } */
- return i; /* { dg-warning "use of uninitialized value 'i'" } */
-}
diff --git a/gcc/testsuite/gcc.dg/analyzer/uninit-trivial-auto-var-init-zero.c b/gcc/testsuite/gcc.dg/analyzer/uninit-trivial-auto-var-init-zero.c
deleted file mode 100644
index ef7dc674867..00000000000
--- a/gcc/testsuite/gcc.dg/analyzer/uninit-trivial-auto-var-init-zero.c
+++ /dev/null
@@ -1,7 +0,0 @@
-/* { dg-additional-options "-ftrivial-auto-var-init=zero" } */
-
-int test_1 (void)
-{
- int i; /* { dg-message "region created on stack here" } */
- return i; /* { dg-warning "use of uninitialized value 'i'" } */
-}