public inbox for gcc-cvs@sourceware.org
help / color / mirror / Atom feed
* [gcc r14-5566] analyzer: new warning: -Wanalyzer-infinite-loop [PR106147]
@ 2023-11-18 0:59 David Malcolm
0 siblings, 0 replies; only message in thread
From: David Malcolm @ 2023-11-18 0:59 UTC (permalink / raw)
To: gcc-cvs
https://gcc.gnu.org/g:841008d3966c0fe7a80ec10703a50fbdab7620ac
commit r14-5566-g841008d3966c0fe7a80ec10703a50fbdab7620ac
Author: David Malcolm <dmalcolm@redhat.com>
Date: Fri Nov 17 19:55:25 2023 -0500
analyzer: new warning: -Wanalyzer-infinite-loop [PR106147]
This patch implements a new analyzer warning: -Wanalyzer-infinite-loop.
It works by examining the exploded graph once the latter has been
fully built. It attempts to detect cycles in the exploded graph in
which:
- no externally visible work occurs
- no escape is possible from the cycle once it has been entered
- the program state is "sufficiently concrete" at each step:
- no unknown activity could be occurring
- the worklist was fully drained for each enode in the cycle
i.e. every enode in the cycle is processed
For example, it correctly complains about this bogus "for" loop:
int sum = 0;
for (struct node *iter = n; iter; iter->next)
sum += n->val;
return sum;
like this:
infinite-loop-linked-list.c: In function ‘for_loop_noop_next’:
infinite-loop-linked-list.c:110:31: warning: infinite loop [CWE-835] [-Wanalyzer-infinite-loop]
110 | for (struct node *iter = n; iter; iter->next)
| ^~~~
‘for_loop_noop_next’: events 1-5
|
| 110 | for (struct node *iter = n; iter; iter->next)
| | ^~~~
| | |
| | (1) infinite loop here
| | (2) when ‘iter’ is non-NULL: always following ‘true’ branch...
| | (5) ...to here
| 111 | sum += n->val;
| | ~~~~~~~~~~~~~
| | | |
| | | (3) ...to here
| | (4) looping back...
|
gcc/ChangeLog:
PR analyzer/106147
* Makefile.in (ANALYZER_OBJS): Add analyzer/infinite-loop.o.
* doc/invoke.texi: Add -fdump-analyzer-infinite-loop and
-Wanalyzer-infinite-loop. Add missing CWE link for
-Wanalyzer-infinite-recursion.
* timevar.def (TV_ANALYZER_INFINITE_LOOPS): New.
gcc/analyzer/ChangeLog:
PR analyzer/106147
* analyzer.opt (Wanalyzer-infinite-loop): New option.
(fdump-analyzer-infinite-loop): New option.
* checker-event.h (start_cfg_edge_event::get_desc): Drop "final".
(start_cfg_edge_event::maybe_describe_condition): Convert from
private to protected.
* checker-path.h (checker_path::get_logger): New.
* diagnostic-manager.cc (process_worklist_item): Update for
new context param of maybe_update_for_edge.
* engine.cc
(impl_region_model_context::impl_region_model_context): Add
out_could_have_done_work param to both ctors and use it to
initialize mm_out_could_have_done_work.
(impl_region_model_context::maybe_did_work): New vfunc
implementation.
(exploded_node::on_stmt): Add out_could_have_done_work param and
pass to ctxt ctor.
(exploded_node::on_stmt_pre): Treat setjmp and longjmp as "doing
work".
(exploded_node::on_longjmp): Likewise.
(exploded_edge::exploded_edge): Add "could_do_work" param and use
it to initialize m_could_do_work_p.
(exploded_edge::dump_dot_label): Add result of could_do_work_p.
(exploded_graph::add_function_entry): Mark edge as doing no work.
(exploded_graph::add_edge): Add "could_do_work" param and pass to
exploded_edge ctor.
(add_tainted_args_callback): Treat as doing no work.
(exploded_graph::process_worklist): Likewise when merging nodes.
(maybe_process_run_of_before_supernode_enodes::item): Likewise.
(exploded_graph::maybe_create_dynamic_call): Likewise.
(exploded_graph::process_node): Likewise for phi nodes.
Pass in a "could_have_done_work" bool when handling stmts and use
when creating edges. Assume work is done at bifurcation.
(exploded_path::feasible_p): Update for new context param of
maybe_update_for_edge.
(feasibility_state::feasibility_state): New ctor.
(feasibility_state::operator=): New.
(feasibility_state::maybe_update_for_edge): Add ctxt param and use
it. Fix missing newline when logging state.
(impl_run_checkers): Call exploded_graph::detect_infinite_loops.
* exploded-graph.h
(impl_region_model_context::impl_region_model_context): Add
out_could_have_done_work param to both ctors.
(impl_region_model_context::maybe_did_work): New decl.
(impl_region_model_context::checking_for_infinite_loop_p): New.
(impl_region_model_context::on_unusable_in_infinite_loop): New.
(impl_region_model_context::m_out_could_have_done_work): New
field.
(exploded_node::on_stmt): Add "out_could_have_done_work" param.
(exploded_edge::exploded_edge): Add "could_do_work" param.
(exploded_edge::could_do_work_p): New accessor.
(exploded_edge::m_could_do_work_p): New field.
(exploded_graph::add_edge): Add "could_do_work" param.
(exploded_graph::detect_infinite_loops): New decl.
(feasibility_state::feasibility_state): New ctor.
(feasibility_state::operator=): New decl.
(feasibility_state::maybe_update_for_edge): Add ctxt param.
* infinite-loop.cc: New file.
* program-state.cc (program_state::on_edge): Log the rejected
constraint when region_model::maybe_update_for_edge fails.
* region-model.cc (region_model::on_assignment): Treat any writes
other than to the stack as "doing work".
(region_model::on_stmt_pre): Treat all asm stmts as "doing work".
(region_model::on_call_post): Likewise for all calls to functions
with unknown side effects.
(region_model::handle_phi): Add svals_changing_meaning param.
Mark widening svalue in phi nodes as changing meaning.
(unusable_in_infinite_loop_constraint_p): New.
(region_model::add_constraint): If we're checking for an infinite
loop, bail out on unusable svalues, or if we don't have a definite
true/false for the constraint.
(region_model::update_for_phis): Gather all svalues changing
meaning in phi nodes, and purge constraints involving them.
(region_model::replay_call_summary): Treat all call summaries as
doing work.
(region_model::can_merge_with_p): Purge constraints involving
svalues that change meaning.
(model_merger::on_widening_reuse): New.
(test_iteration_1): Likewise.
(selftest::test_iteration_1): Remove assertion that model6 "knows"
that i < 157.
* region-model.h (region_model::handle_phi): Add
svals_changing_meaning param
(region_model_context::maybe_did_work): New pure virtual func.
(region_model_context::checking_for_infinite_loop_p): Likewise.
(region_model_context::on_unusable_in_infinite_loop): Likewise.
(noop_region_model_context::maybe_did_work): Implement.
(noop_region_model_context::checking_for_infinite_loop_p):
Likewise.
(noop_region_model_context::on_unusable_in_infinite_loop):
Likewise.
(region_model_context_decorator::maybe_did_work): Implement.
(region_model_context_decorator::checking_for_infinite_loop_p):
Likewise.
(region_model_context_decorator::on_unusable_in_infinite_loop):
Likewise.
(model_merger::on_widening_reuse): New decl.
(model_merger::m_svals_changing_meaning): New field.
* sm-signal.cc (register_signal_handler::impl_transition): Assume
the edge "does work".
* supergraph.cc (supernode::get_start_location): Use CFG edge's
goto_locus if available.
(supernode::get_end_location): Likewise.
(cfg_superedge::dump_label_to_pp): Dump edges with a "goto_locus"
* supergraph.h (cfg_superedge::get_goto_locus): New.
* svalue.cc (svalue::can_merge_p): Call on_widening_reuse for
widening values.
(involvement_visitor::visit_widening_svalue): New.
(svalue::involves_p): Update assertion to allow widening svalues.
gcc/testsuite/ChangeLog:
PR analyzer/106147
* c-c++-common/analyzer/gzio-2.c: Add dg-warning for infinite
loop, marked as xfail.
* c-c++-common/analyzer/infinite-loop-2.c: New test.
* c-c++-common/analyzer/infinite-loop-4.c: New test.
* c-c++-common/analyzer/infinite-loop-crc32c.c: New test.
* c-c++-common/analyzer/infinite-loop-doom-d_main-IdentifyVersion.c:
New test.
* c-c++-common/analyzer/infinite-loop-doom-v_video.c: New test.
* c-c++-common/analyzer/infinite-loop-g_error.c: New test.
* c-c++-common/analyzer/infinite-loop-linked-list.c: New test.
* c-c++-common/analyzer/infinite-recursion-inlining.c: Add
dg-warning directives for infinite loop.
* c-c++-common/analyzer/inlining-4-multiline.c: Update expected
paths for event 5 having a location.
* gcc.dg/analyzer/boxed-malloc-1.c: Add dg-warning for infinite
loop.
* gcc.dg/analyzer/data-model-20.c: Likewise. Add comment about
suspect code, and create...
* gcc.dg/analyzer/data-model-20a.c: ...this new test by cleaning
it up.
* gcc.dg/analyzer/edges-1.c: Add a placeholder statement to avoid
the "...to here" from the if stmt occurring at the "while", and
thus being treated as a bogus event.
* gcc.dg/analyzer/explode-2a.c: Add dg-warning for infinite loop.
* gcc.dg/analyzer/infinite-loop-1.c: New test.
* gcc.dg/analyzer/malloc-1.c: Add dg-warning for infinite loop.
* gcc.dg/analyzer/out-of-bounds-coreutils.c: Add TODO.
* gcc.dg/analyzer/paths-4.c: Add dg-warning for infinite loop.
* gcc.dg/analyzer/pr103892.c: Likewise.
* gcc.dg/analyzer/pr93546.c: Likewise.
Signed-off-by: David Malcolm <dmalcolm@redhat.com>
Diff:
---
gcc/Makefile.in | 1 +
gcc/analyzer/analyzer.opt | 8 +
gcc/analyzer/checker-event.h | 5 +-
gcc/analyzer/checker-path.h | 1 +
gcc/analyzer/diagnostic-manager.cc | 2 +-
gcc/analyzer/engine.cc | 122 +++--
gcc/analyzer/exploded-graph.h | 39 +-
gcc/analyzer/infinite-loop.cc | 565 +++++++++++++++++++++
gcc/analyzer/program-state.cc | 17 +-
gcc/analyzer/region-model.cc | 77 ++-
gcc/analyzer/region-model.h | 31 ++
gcc/analyzer/sm-signal.cc | 1 +
gcc/analyzer/supergraph.cc | 16 +
gcc/analyzer/supergraph.h | 2 +
gcc/analyzer/svalue.cc | 10 +-
gcc/doc/invoke.texi | 62 +++
gcc/testsuite/c-c++-common/analyzer/gzio-2.c | 2 +-
.../c-c++-common/analyzer/infinite-loop-2.c | 34 ++
.../c-c++-common/analyzer/infinite-loop-4.c | 71 +++
.../c-c++-common/analyzer/infinite-loop-crc32c.c | 14 +
.../infinite-loop-doom-d_main-IdentifyVersion.c | 26 +
.../analyzer/infinite-loop-doom-v_video.c | 31 ++
.../c-c++-common/analyzer/infinite-loop-g_error.c | 19 +
.../analyzer/infinite-loop-linked-list.c | 131 +++++
.../analyzer/infinite-recursion-inlining.c | 28 +-
.../c-c++-common/analyzer/inlining-4-multiline.c | 34 +-
gcc/testsuite/gcc.dg/analyzer/boxed-malloc-1.c | 2 +-
gcc/testsuite/gcc.dg/analyzer/data-model-20.c | 6 +-
gcc/testsuite/gcc.dg/analyzer/data-model-20a.c | 25 +
gcc/testsuite/gcc.dg/analyzer/edges-1.c | 2 +
gcc/testsuite/gcc.dg/analyzer/explode-2a.c | 2 +-
gcc/testsuite/gcc.dg/analyzer/infinite-loop-1.c | 235 +++++++++
gcc/testsuite/gcc.dg/analyzer/malloc-1.c | 2 +-
.../gcc.dg/analyzer/out-of-bounds-coreutils.c | 2 +-
gcc/testsuite/gcc.dg/analyzer/paths-4.c | 3 +-
gcc/testsuite/gcc.dg/analyzer/pr103892.c | 2 +-
gcc/testsuite/gcc.dg/analyzer/pr93546.c | 2 +-
gcc/timevar.def | 1 +
38 files changed, 1547 insertions(+), 86 deletions(-)
diff --git a/gcc/Makefile.in b/gcc/Makefile.in
index 7f2df4b5925..7228b79f223 100644
--- a/gcc/Makefile.in
+++ b/gcc/Makefile.in
@@ -1324,6 +1324,7 @@ ANALYZER_OBJS = \
analyzer/engine.o \
analyzer/feasible-graph.o \
analyzer/function-set.o \
+ analyzer/infinite-loop.o \
analyzer/infinite-recursion.o \
analyzer/kf.o \
analyzer/kf-analyzer.o \
diff --git a/gcc/analyzer/analyzer.opt b/gcc/analyzer/analyzer.opt
index 25df89d9c06..fae2649389a 100644
--- a/gcc/analyzer/analyzer.opt
+++ b/gcc/analyzer/analyzer.opt
@@ -134,6 +134,10 @@ Wanalyzer-imprecise-fp-arithmetic
Common Var(warn_analyzer_imprecise_fp_arithmetic) Init(1) Warning
Warn about code paths in which floating-point arithmetic is used in locations where precise computation is needed.
+Wanalyzer-infinite-loop
+Common Var(warn_analyzer_infinite_loop) Init(1) Warning
+Warn about code paths which appear to lead to an infinite loop.
+
Wanalyzer-infinite-recursion
Common Var(warn_analyzer_infinite_recursion) Init(1) Warning
Warn about code paths which appear to lead to infinite recursion.
@@ -354,6 +358,10 @@ fdump-analyzer-feasibility
Common RejectNegative Var(flag_dump_analyzer_feasibility)
Dump various analyzer internals to SRCFILE.*.fg.dot and SRCFILE.*.tg.dot.
+fdump-analyzer-infinite-loop
+Common RejectNegative Var(flag_dump_analyzer_infinite_loop)
+Dump various analyzer internals to SRCFILE.*.infinite-loop.dot.
+
fdump-analyzer-json
Common RejectNegative Var(flag_dump_analyzer_json)
Dump analyzer-specific data to a SRCFILE.analyzer.json.gz file.
diff --git a/gcc/analyzer/checker-event.h b/gcc/analyzer/checker-event.h
index 7ba92f19650..dcb2e27faa6 100644
--- a/gcc/analyzer/checker-event.h
+++ b/gcc/analyzer/checker-event.h
@@ -444,11 +444,12 @@ public:
{
}
- label_text get_desc (bool can_colorize) const final override;
+ label_text get_desc (bool can_colorize) const override;
- private:
+protected:
label_text maybe_describe_condition (bool can_colorize) const;
+private:
static label_text maybe_describe_condition (bool can_colorize,
tree lhs,
enum tree_code op,
diff --git a/gcc/analyzer/checker-path.h b/gcc/analyzer/checker-path.h
index 93c807c3d24..055d5e38b3f 100644
--- a/gcc/analyzer/checker-path.h
+++ b/gcc/analyzer/checker-path.h
@@ -65,6 +65,7 @@ public:
void dump (pretty_printer *pp) const;
void debug () const;
+ logger *get_logger () const { return m_logger; }
void maybe_log (logger *logger, const char *desc) const;
void add_event (std::unique_ptr<checker_event> event);
diff --git a/gcc/analyzer/diagnostic-manager.cc b/gcc/analyzer/diagnostic-manager.cc
index 972413a751a..a6755f2193f 100644
--- a/gcc/analyzer/diagnostic-manager.cc
+++ b/gcc/analyzer/diagnostic-manager.cc
@@ -517,7 +517,7 @@ process_worklist_item (feasible_worklist *worklist,
feasibility_state succ_state (fnode->get_state ());
std::unique_ptr<rejected_constraint> rc;
- if (succ_state.maybe_update_for_edge (logger, succ_eedge, &rc))
+ if (succ_state.maybe_update_for_edge (logger, succ_eedge, nullptr, &rc))
{
gcc_assert (rc == NULL);
feasible_node *succ_fnode
diff --git a/gcc/analyzer/engine.cc b/gcc/analyzer/engine.cc
index 4861ee54e98..041fe6a1d40 100644
--- a/gcc/analyzer/engine.cc
+++ b/gcc/analyzer/engine.cc
@@ -85,7 +85,8 @@ impl_region_model_context (exploded_graph &eg,
uncertainty_t *uncertainty,
path_context *path_ctxt,
const gimple *stmt,
- stmt_finder *stmt_finder)
+ stmt_finder *stmt_finder,
+ bool *out_could_have_done_work)
: m_eg (&eg), m_logger (eg.get_logger ()),
m_enode_for_diag (enode_for_diag),
m_old_state (old_state),
@@ -94,7 +95,8 @@ impl_region_model_context (exploded_graph &eg,
m_stmt_finder (stmt_finder),
m_ext_state (eg.get_ext_state ()),
m_uncertainty (uncertainty),
- m_path_ctxt (path_ctxt)
+ m_path_ctxt (path_ctxt),
+ m_out_could_have_done_work (out_could_have_done_work)
{
}
@@ -110,7 +112,8 @@ impl_region_model_context (program_state *state,
m_stmt_finder (NULL),
m_ext_state (ext_state),
m_uncertainty (uncertainty),
- m_path_ctxt (NULL)
+ m_path_ctxt (NULL),
+ m_out_could_have_done_work (nullptr)
{
}
@@ -1024,6 +1027,17 @@ impl_region_model_context::on_unexpected_tree_code (tree t,
m_new_state->m_valid = false;
}
+/* Implementation of region_model_context::maybe_did_work vfunc.
+ Mark that "externally visible work" has occurred, and thus we
+ shouldn't report an infinite loop here. */
+
+void
+impl_region_model_context::maybe_did_work ()
+{
+ if (m_out_could_have_done_work)
+ *m_out_could_have_done_work = true;
+}
+
/* struct point_and_state. */
/* Assert that this object is sane. */
@@ -1439,6 +1453,7 @@ exploded_node::on_stmt (exploded_graph &eg,
const gimple *stmt,
program_state *state,
uncertainty_t *uncertainty,
+ bool *out_could_have_done_work,
path_context *path_ctxt)
{
logger *logger = eg.get_logger ();
@@ -1464,7 +1479,8 @@ exploded_node::on_stmt (exploded_graph &eg,
impl_region_model_context ctxt (eg, this,
&old_state, state, uncertainty,
- path_ctxt, stmt);
+ path_ctxt, stmt, nullptr,
+ out_could_have_done_work);
/* Handle call summaries here. */
if (cgraph_edge *cgedge
@@ -1551,12 +1567,16 @@ exploded_node::on_stmt_pre (exploded_graph &eg,
else if (is_setjmp_call_p (call))
{
state->m_region_model->on_setjmp (call, this, ctxt);
+ if (ctxt)
+ ctxt->maybe_did_work ();
return;
}
else if (is_longjmp_call_p (call))
{
on_longjmp (eg, call, state, ctxt);
*out_terminate_path = true;
+ if (ctxt)
+ ctxt->maybe_did_work ();
return;
}
}
@@ -1938,8 +1958,9 @@ exploded_node::on_longjmp (exploded_graph &eg,
if (next)
{
exploded_edge *eedge
- = eg.add_edge (const_cast<exploded_node *> (this), next, NULL,
- make_unique<rewind_info_t> (tmp_setjmp_record, longjmp_call));
+ = eg.add_edge (const_cast<exploded_node *> (this), next, NULL, true,
+ make_unique<rewind_info_t> (tmp_setjmp_record,
+ longjmp_call));
/* For any diagnostics that were queued here (such as leaks) we want
the checker_path to show the rewinding events after the "final event"
@@ -2161,10 +2182,11 @@ rewind_info_t::add_events_to_path (checker_path *emission_path,
/* exploded_edge's ctor. */
exploded_edge::exploded_edge (exploded_node *src, exploded_node *dest,
- const superedge *sedge,
+ const superedge *sedge, bool could_do_work,
std::unique_ptr<custom_edge_info> custom_info)
: dedge<eg_traits> (src, dest), m_sedge (sedge),
- m_custom_info (std::move (custom_info))
+ m_custom_info (std::move (custom_info)),
+ m_could_do_work_p (could_do_work)
{
}
@@ -2228,6 +2250,9 @@ exploded_edge::dump_dot_label (pretty_printer *pp) const
else if (m_custom_info)
m_custom_info->print (pp);
+ pp_printf (pp, "%s",
+ could_do_work_p () ? "(could do work)" : "DOES NO WORK");
+
//pp_write_text_as_dot_label_to_stream (pp, /*for_record=*/false);
pp_printf (pp, "\"];\n");
@@ -2790,7 +2815,7 @@ exploded_graph::add_function_entry (function *fun)
if (!enode)
return NULL;
- add_edge (m_origin, enode, NULL, std::move (edge_info));
+ add_edge (m_origin, enode, NULL, false, std::move (edge_info));
m_functions_with_enodes.add (fun);
@@ -2988,19 +3013,20 @@ exploded_graph::get_or_create_node (const program_point &point,
/* Add an exploded_edge from SRC to DEST, recording its association
with SEDGE (which may be NULL), and, if non-NULL, taking ownership
- of CUSTOM_INFO.
+ of CUSTOM_INFO. COULD_DO_WORK is used for detecting infinite loops.
Return the newly-created eedge. */
exploded_edge *
exploded_graph::add_edge (exploded_node *src, exploded_node *dest,
- const superedge *sedge,
- std::unique_ptr<custom_edge_info> custom_info)
+ const superedge *sedge, bool could_do_work,
+ std::unique_ptr<custom_edge_info> custom_info)
{
if (get_logger ())
get_logger ()->log ("creating edge EN: %i -> EN: %i",
src->m_index, dest->m_index);
- exploded_edge *e = new exploded_edge (src, dest, sedge,
- std::move (custom_info));
+ exploded_edge *e
+ = new exploded_edge (src, dest, sedge, could_do_work,
+ std::move (custom_info));
digraph<eg_traits>::add_edge (e);
return e;
}
@@ -3249,7 +3275,7 @@ add_tainted_args_callback (exploded_graph *eg, tree field, tree fndecl,
}
}
- eg->add_edge (eg->get_origin (), enode, NULL,
+ eg->add_edge (eg->get_origin (), enode, NULL, false,
make_unique<tainted_args_call_info> (field, fndecl, loc));
}
@@ -3403,7 +3429,7 @@ exploded_graph::process_worklist ()
if (merged_state == state)
{
/* Then merge node_2 into node by adding an edge. */
- add_edge (node_2, node, NULL);
+ add_edge (node_2, node, NULL, false);
/* Remove node_2 from the worklist. */
m_worklist.take_next ();
@@ -3416,7 +3442,7 @@ exploded_graph::process_worklist ()
/* Then merge node into node_2, and leave node_2
in the worklist, to be processed on the next
iteration. */
- add_edge (node, node_2, NULL);
+ add_edge (node, node_2, NULL, false);
node->set_status (exploded_node::STATUS_MERGER);
continue;
}
@@ -3461,7 +3487,7 @@ exploded_graph::process_worklist ()
m_worklist.add_node (merged_enode);
else
{
- add_edge (node, merged_enode, NULL);
+ add_edge (node, merged_enode, NULL, false);
node->set_status (exploded_node::STATUS_MERGER);
}
@@ -3469,7 +3495,7 @@ exploded_graph::process_worklist ()
m_worklist.add_node (merged_enode);
else
{
- add_edge (node_2, merged_enode, NULL);
+ add_edge (node_2, merged_enode, NULL, false);
node_2->set_status (exploded_node::STATUS_MERGER);
}
@@ -3704,7 +3730,8 @@ maybe_process_run_of_before_supernode_enodes (exploded_node *enode)
{
exploded_node *next = next_enodes[it->m_merger_idx];
if (next)
- add_edge (it->m_input_enode, next, NULL);
+ add_edge (it->m_input_enode, next, NULL,
+ false); /* no "work" is done during merger. */
it->m_input_enode->set_status (exploded_node::STATUS_BULK_MERGED);
}
@@ -3847,6 +3874,7 @@ exploded_graph::maybe_create_dynamic_call (const gcall *call,
node);
if (enode)
add_edge (node,enode, NULL,
+ false, /* No work is done by the call itself. */
make_unique<dynamic_call_info_t> (call));
return true;
}
@@ -4039,7 +4067,8 @@ exploded_graph::process_node (exploded_node *node)
program_point next_point (point.get_next ());
exploded_node *next = get_or_create_node (next_point, next_state, node);
if (next)
- add_edge (node, next, NULL);
+ add_edge (node, next, NULL,
+ false); /* Assume no work is done at phi nodes. */
}
break;
case PK_BEFORE_STMT:
@@ -4067,6 +4096,7 @@ exploded_graph::process_node (exploded_node *node)
impl_path_context path_ctxt (&next_state, logger);
+ bool could_have_done_work = false;
uncertainty_t uncertainty;
const supernode *snode = point.get_supernode ();
unsigned stmt_idx;
@@ -4090,7 +4120,7 @@ exploded_graph::process_node (exploded_node *node)
/* Process the stmt. */
exploded_node::on_stmt_flags flags
= node->on_stmt (*this, snode, stmt, &next_state, &uncertainty,
- &path_ctxt);
+ &could_have_done_work, &path_ctxt);
node->m_num_processed_stmts++;
/* If flags.m_terminate_path, stop analyzing; any nodes/edges
@@ -4147,7 +4177,7 @@ exploded_graph::process_node (exploded_node *node)
node->m_num_processed_stmts--;
if (logger)
logger->log ("creating edge to split_enode");
- add_edge (node, split_enode, NULL);
+ add_edge (node, split_enode, NULL, could_have_done_work);
return;
}
else
@@ -4174,7 +4204,7 @@ exploded_graph::process_node (exploded_node *node)
exploded_node *next
= get_or_create_node (next_point, next_state, node);
if (next)
- add_edge (node, next, NULL);
+ add_edge (node, next, NULL, could_have_done_work);
}
/* If we have custom edge infos, "bifurcate" the state
@@ -4212,7 +4242,9 @@ exploded_graph::process_node (exploded_node *node)
exploded_node *next2
= get_or_create_node (next_point, bifurcated_new_state, node);
if (next2)
- add_edge (node, next2, NULL, std::move (edge_info));
+ add_edge (node, next2, NULL,
+ true /* assume that work could be done */,
+ std::move (edge_info));
}
else
{
@@ -4327,7 +4359,8 @@ exploded_graph::process_node (exploded_node *node)
next_state,
node);
if (next)
- add_edge (node, next, succ);
+ add_edge (node, next, succ,
+ true /* assume that work is done */);
}
}
@@ -4343,7 +4376,7 @@ exploded_graph::process_node (exploded_node *node)
node);
if (next)
{
- add_edge (node, next, succ);
+ add_edge (node, next, succ, false);
/* We might have a function entrypoint. */
detect_infinite_recursion (next);
@@ -4377,7 +4410,7 @@ exploded_graph::process_node (exploded_node *node)
next_state,
node);
if (enode)
- add_edge (node, enode, NULL,
+ add_edge (node, enode, NULL, false,
make_unique<dynamic_call_info_t> (call, true));
}
}
@@ -4708,7 +4741,7 @@ exploded_path::feasible_p (logger *logger,
eedge->m_dest->m_index);
std::unique_ptr <rejected_constraint> rc;
- if (!state.maybe_update_for_edge (logger, eedge, &rc))
+ if (!state.maybe_update_for_edge (logger, eedge, nullptr, &rc))
{
gcc_assert (rc);
if (out)
@@ -4835,6 +4868,21 @@ feasibility_state::feasibility_state (const feasibility_state &other)
bitmap_copy (m_snodes_visited, other.m_snodes_visited);
}
+feasibility_state::feasibility_state (const region_model &model,
+ const supergraph &sg)
+: m_model (model),
+ m_snodes_visited (sg.m_nodes.length ())
+{
+}
+
+feasibility_state &
+feasibility_state::operator= (const feasibility_state &other)
+{
+ m_model = other.m_model;
+ bitmap_copy (m_snodes_visited, other.m_snodes_visited);
+ return *this;
+}
+
/* The heart of feasibility-checking.
Attempt to update this state in-place based on traversing EEDGE
@@ -4849,6 +4897,7 @@ bool
feasibility_state::
maybe_update_for_edge (logger *logger,
const exploded_edge *eedge,
+ region_model_context *ctxt,
std::unique_ptr<rejected_constraint> *out_rc)
{
const exploded_node &src_enode = *eedge->m_src;
@@ -4887,12 +4936,14 @@ maybe_update_for_edge (logger *logger,
}
const gimple *last_stmt = src_point.get_supernode ()->get_last_stmt ();
- if (!m_model.maybe_update_for_edge (*sedge, last_stmt, NULL, out_rc))
+ if (!m_model.maybe_update_for_edge (*sedge, last_stmt, ctxt, out_rc))
{
if (logger)
{
- logger->log ("rejecting due to region model");
+ logger->start_log_line ();
+ logger->log_partial ("rejecting due to region model: ");
m_model.dump_to_pp (logger->get_printer (), true, false);
+ logger->end_log_line ();
}
return false;
}
@@ -4908,13 +4959,13 @@ maybe_update_for_edge (logger *logger,
== PK_BEFORE_SUPERNODE);
function *fun = eedge->m_dest->get_function ();
gcc_assert (fun);
- m_model.push_frame (fun, NULL, NULL);
+ m_model.push_frame (fun, NULL, ctxt);
if (logger)
logger->log (" pushing frame for %qD", fun->decl);
}
else if (eedge->m_custom_info)
{
- eedge->m_custom_info->update_model (&m_model, eedge, NULL);
+ eedge->m_custom_info->update_model (&m_model, eedge, ctxt);
}
}
@@ -4933,7 +4984,7 @@ maybe_update_for_edge (logger *logger,
logger->log (" update for phis");
m_model.update_for_phis (src_enode.get_supernode (),
last_cfg_superedge,
- NULL);
+ ctxt);
/* If we've entering an snode that we've already visited on this
epath, then we need do fix things up for loops; see the
comment for store::loop_replay_fixup.
@@ -6153,6 +6204,9 @@ impl_run_checkers (logger *logger)
/* Now process the worklist, exploring the <point, state> graph. */
eg.process_worklist ();
+ if (warn_analyzer_infinite_loop)
+ eg.detect_infinite_loops ();
+
if (flag_dump_analyzer_exploded_graph)
{
auto_timevar tv (TV_ANALYZER_DUMP);
diff --git a/gcc/analyzer/exploded-graph.h b/gcc/analyzer/exploded-graph.h
index cb64c2a180a..45ee0d1f175 100644
--- a/gcc/analyzer/exploded-graph.h
+++ b/gcc/analyzer/exploded-graph.h
@@ -49,7 +49,9 @@ class impl_region_model_context : public region_model_context
path_context *path_ctxt,
const gimple *stmt,
- stmt_finder *stmt_finder = NULL);
+ stmt_finder *stmt_finder = NULL,
+
+ bool *out_could_have_done_work = nullptr);
impl_region_model_context (program_state *state,
const extrinsic_state &ext_state,
@@ -110,6 +112,10 @@ class impl_region_model_context : public region_model_context
const gimple *get_stmt () const override { return m_stmt; }
const exploded_graph *get_eg () const override { return m_eg; }
+ void maybe_did_work () override;
+ bool checking_for_infinite_loop_p () const override { return false; }
+ void on_unusable_in_infinite_loop () override {}
+
exploded_graph *m_eg;
log_user m_logger;
exploded_node *m_enode_for_diag;
@@ -120,6 +126,7 @@ class impl_region_model_context : public region_model_context
const extrinsic_state &m_ext_state;
uncertainty_t *m_uncertainty;
path_context *m_path_ctxt;
+ bool *m_out_could_have_done_work;
};
/* A <program_point, program_state> pair, used internally by
@@ -260,6 +267,7 @@ class exploded_node : public dnode<eg_traits>
const gimple *stmt,
program_state *state,
uncertainty_t *uncertainty,
+ bool *out_could_have_done_work,
path_context *path_ctxt);
void on_stmt_pre (exploded_graph &eg,
const gimple *stmt,
@@ -373,7 +381,7 @@ class exploded_edge : public dedge<eg_traits>
{
public:
exploded_edge (exploded_node *src, exploded_node *dest,
- const superedge *sedge,
+ const superedge *sedge, bool could_do_work,
std::unique_ptr<custom_edge_info> custom_info);
void dump_dot (graphviz_out *gv, const dump_args_t &args)
const final override;
@@ -389,8 +397,25 @@ class exploded_edge : public dedge<eg_traits>
a signal is delivered to a signal-handler. */
std::unique_ptr<custom_edge_info> m_custom_info;
+ bool could_do_work_p () const { return m_could_do_work_p; }
+
private:
DISABLE_COPY_AND_ASSIGN (exploded_edge);
+
+ /* For -Wanalyzer-infinite-loop.
+ Set to true during processing if any of the activity along
+ this edge is "externally-visible work" (and thus ruling this
+ out as being part of an infinite loop.
+
+ For example, given:
+
+ while (1)
+ do_something ();
+
+ although it is an infinite loop, presumably the point of the
+ program is the loop body, and thus reporting this as an infinite
+ loop is likely to be unhelpful to the user. */
+ bool m_could_do_work_p;
};
/* Extra data for an exploded_edge that represents dynamic call info ( calls
@@ -804,7 +829,7 @@ public:
const program_state &state,
exploded_node *enode_for_diag);
exploded_edge *add_edge (exploded_node *src, exploded_node *dest,
- const superedge *sedge,
+ const superedge *sedge, bool could_do_work,
std::unique_ptr<custom_edge_info> custom = NULL);
per_program_point_data *
@@ -856,6 +881,9 @@ public:
void on_escaped_function (tree fndecl);
+ /* In infinite-loop.cc */
+ void detect_infinite_loops ();
+
/* In infinite-recursion.cc */
void detect_infinite_recursion (exploded_node *enode);
exploded_node *find_previous_entry_to (function *top_of_stack_fun,
@@ -970,10 +998,15 @@ class feasibility_state
public:
feasibility_state (region_model_manager *manager,
const supergraph &sg);
+ feasibility_state (const region_model &model,
+ const supergraph &sg);
feasibility_state (const feasibility_state &other);
+ feasibility_state &operator= (const feasibility_state &other);
+
bool maybe_update_for_edge (logger *logger,
const exploded_edge *eedge,
+ region_model_context *ctxt,
std::unique_ptr<rejected_constraint> *out_rc);
void update_for_stmt (const gimple *stmt);
diff --git a/gcc/analyzer/infinite-loop.cc b/gcc/analyzer/infinite-loop.cc
new file mode 100644
index 00000000000..771d698a60b
--- /dev/null
+++ b/gcc/analyzer/infinite-loop.cc
@@ -0,0 +1,565 @@
+/* Detection of infinite loops.
+ Copyright (C) 2022-2023 Free Software Foundation, Inc.
+ Contributed by David Malcolm <dmalcolm@redhat.com>.
+
+This file is part of GCC.
+
+GCC is free software; you can redistribute it and/or modify it
+under the terms of the GNU General Public License as published by
+the Free Software Foundation; either version 3, or (at your option)
+any later version.
+
+GCC is distributed in the hope that it will be useful, but
+WITHOUT ANY WARRANTY; without even the implied warranty of
+MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+General Public License for more details.
+
+You should have received a copy of the GNU General Public License
+along with GCC; see the file COPYING3. If not see
+<http://www.gnu.org/licenses/>. */
+
+#include "config.h"
+#define INCLUDE_MEMORY
+#define INCLUDE_VECTOR
+#include "system.h"
+#include "coretypes.h"
+#include "tree.h"
+#include "fold-const.h"
+#include "gcc-rich-location.h"
+#include "alloc-pool.h"
+#include "fibonacci_heap.h"
+#include "shortest-paths.h"
+#include "diagnostic-core.h"
+#include "diagnostic-event-id.h"
+#include "diagnostic-path.h"
+#include "diagnostic-metadata.h"
+#include "function.h"
+#include "pretty-print.h"
+#include "sbitmap.h"
+#include "bitmap.h"
+#include "tristate.h"
+#include "ordered-hash-map.h"
+#include "selftest.h"
+#include "json.h"
+#include "analyzer/analyzer.h"
+#include "analyzer/analyzer-logging.h"
+#include "analyzer/call-string.h"
+#include "analyzer/program-point.h"
+#include "analyzer/store.h"
+#include "analyzer/region-model.h"
+#include "analyzer/constraint-manager.h"
+#include "analyzer/sm.h"
+#include "analyzer/pending-diagnostic.h"
+#include "analyzer/diagnostic-manager.h"
+#include "cfg.h"
+#include "basic-block.h"
+#include "gimple.h"
+#include "gimple-iterator.h"
+#include "gimple-pretty-print.h"
+#include "cgraph.h"
+#include "digraph.h"
+#include "analyzer/supergraph.h"
+#include "analyzer/program-state.h"
+#include "analyzer/exploded-graph.h"
+#include "analyzer/checker-path.h"
+#include "analyzer/feasible-graph.h"
+#include "make-unique.h"
+
+/* A bundle of data characterizing a particular infinite loop
+ identified within the exploded graph. */
+
+struct infinite_loop
+{
+ infinite_loop (const exploded_node &enode,
+ location_t loc,
+ std::vector<const exploded_edge *> eedges,
+ logger *logger)
+ : m_enode (enode),
+ m_loc (loc),
+ m_eedge_vec (eedges)
+ {
+ LOG_SCOPE (logger);
+ if (logger)
+ {
+ logger->start_log_line ();
+ logger->log_partial ("infinite loop: EN: %i", m_enode.m_index);
+ for (auto eedge : m_eedge_vec)
+ {
+ logger->log_partial (" ->");
+ if (const superedge *sedge = eedge->m_sedge)
+ {
+ sedge->dump_label_to_pp (logger->get_printer (), false);
+ }
+ logger->log_partial (" EN: %i", eedge->m_dest->m_index);
+ }
+ logger->end_log_line ();
+ }
+ }
+
+ bool
+ operator== (const infinite_loop &other) const
+ {
+ /* Compare underlying supernode, rather than enodes, so that
+ we don't get duplicates in functions that are called from
+ elsewhere. */
+ return (m_enode.get_supernode () == other.m_enode.get_supernode ()
+ && m_loc == other.m_loc);
+ }
+
+ const exploded_node &m_enode;
+ location_t m_loc;
+ std::vector<const exploded_edge *> m_eedge_vec;
+};
+
+/* A custom subclass of start_cfg_edge_event that rewords the
+ message to indicate that the CFG edge is *always* taken on
+ subsequent iterations, assuming it's been taken once. */
+
+class perpetual_start_cfg_edge_event : public start_cfg_edge_event
+{
+public:
+ perpetual_start_cfg_edge_event (const exploded_edge &eedge,
+ const event_loc_info &loc_info)
+ : start_cfg_edge_event (eedge, loc_info)
+ {
+ }
+
+ label_text get_desc (bool can_colorize) const final override
+ {
+ bool user_facing = !flag_analyzer_verbose_edges;
+ label_text edge_desc (m_sedge->get_description (user_facing));
+ if (user_facing)
+ {
+ if (edge_desc.get () && strlen (edge_desc.get ()) > 0)
+ {
+ label_text cond_desc = maybe_describe_condition (can_colorize);
+ label_text result;
+ if (cond_desc.get ())
+ return make_label_text
+ (can_colorize,
+ "%s: always following %qs branch...",
+ cond_desc.get (), edge_desc.get ());
+ else
+ return make_label_text
+ (can_colorize,
+ "if it ever follows %qs branch, it will always do so...",
+ edge_desc.get ());
+ }
+ }
+ return start_cfg_edge_event::get_desc (can_colorize);
+ }
+};
+
+/* A subclass of pending_diagnostic for complaining about suspected
+ infinite loops. */
+
+class infinite_loop_diagnostic
+: public pending_diagnostic_subclass<infinite_loop_diagnostic>
+{
+public:
+ infinite_loop_diagnostic (std::unique_ptr<infinite_loop> inf_loop)
+ : m_inf_loop (std::move (inf_loop))
+ {
+ gcc_assert (m_inf_loop != nullptr);
+ }
+
+ const char *get_kind () const final override
+ {
+ return "infinite_loop_diagnostic";
+ }
+
+ bool operator== (const infinite_loop_diagnostic &other) const
+ {
+ return *m_inf_loop == *other.m_inf_loop;
+ }
+
+ int get_controlling_option () const final override
+ {
+ return OPT_Wanalyzer_infinite_loop;
+ }
+
+ bool emit (rich_location *rich_loc, logger *) final override
+ {
+ /* "CWE-835: Loop with Unreachable Exit Condition ('Infinite Loop')". */
+ diagnostic_metadata m;
+ m.add_cwe (835);
+ return warning_meta (rich_loc, m, get_controlling_option (),
+ "infinite loop");
+ }
+
+ bool maybe_add_custom_events_for_superedge (const exploded_edge &,
+ checker_path *)
+ final override
+ {
+ /* Don't add any regular events; instead we add them after pruning as
+ part of the "final" warning. */
+ return true;
+ }
+
+ label_text describe_final_event (const evdesc::final_event &ev) final override
+ {
+ return ev.formatted_print ("infinite loop here");
+ }
+
+ /* Customize the location where the warning_event appears. */
+ void add_final_event (const state_machine *,
+ const exploded_node *enode,
+ const gimple *,
+ tree,
+ state_machine::state_t,
+ checker_path *emission_path) final override
+ {
+ emission_path->add_event
+ (make_unique<warning_event>
+ (event_loc_info (m_inf_loop->m_loc,
+ enode->get_function ()->decl,
+ enode->get_stack_depth ()),
+ enode,
+ NULL, NULL, NULL));
+
+ logger *logger = emission_path->get_logger ();
+
+ /* EMISSION_PATH has the path to the entry of the infinite loop.
+ Add extra edges showing the loop itself. */
+ for (auto eedge : m_inf_loop->m_eedge_vec)
+ {
+ if (logger)
+ logger->log ("EN: %i -> EN: %i",
+ eedge->m_src->m_index,
+ eedge->m_dest->m_index);
+ if (!eedge->m_sedge)
+ continue;
+
+ const cfg_superedge *cfg_sedge
+ = eedge->m_sedge->dyn_cast_cfg_superedge ();
+ if (!cfg_sedge)
+ continue;
+
+ const exploded_node *src_node = eedge->m_src;
+ const program_point &src_point = src_node->get_point ();
+ const exploded_node *dst_node = eedge->m_dest;
+ const program_point &dst_point = dst_node->get_point ();
+ const int src_stack_depth = src_point.get_stack_depth ();
+ const int dst_stack_depth = dst_point.get_stack_depth ();
+ const gimple *last_stmt = src_point.get_supernode ()->get_last_stmt ();
+
+ event_loc_info loc_info_from
+ (last_stmt ? last_stmt->location : cfg_sedge->get_goto_locus (),
+ src_point.get_fndecl (),
+ src_stack_depth);
+ event_loc_info loc_info_to
+ (dst_point.get_supernode ()->get_start_location (),
+ dst_point.get_fndecl (),
+ dst_stack_depth);
+
+ if (const switch_cfg_superedge *switch_cfg_sedge
+ = cfg_sedge->dyn_cast_switch_cfg_superedge ())
+ {
+ if (switch_cfg_sedge->implicitly_created_default_p ())
+ {
+ emission_path->add_event
+ (make_unique<perpetual_start_cfg_edge_event> (*eedge,
+ loc_info_from));
+ emission_path->add_event
+ (make_unique<end_cfg_edge_event>
+ (*eedge,
+ loc_info_to));
+ }
+ }
+
+ if (cfg_sedge->true_value_p ())
+ {
+ emission_path->add_event
+ (make_unique<perpetual_start_cfg_edge_event> (*eedge,
+ loc_info_from));
+ emission_path->add_event
+ (make_unique<end_cfg_edge_event>
+ (*eedge,
+ loc_info_to));
+ }
+ else if (cfg_sedge->false_value_p ())
+ {
+ emission_path->add_event
+ (make_unique<perpetual_start_cfg_edge_event> (*eedge,
+ loc_info_from));
+ emission_path->add_event
+ (make_unique<end_cfg_edge_event>
+ (*eedge,
+ loc_info_to));
+ }
+ else if (cfg_sedge->back_edge_p ())
+ {
+ emission_path->add_event
+ (make_unique<precanned_custom_event>
+ (loc_info_from, "looping back..."));
+ emission_path->add_event
+ (make_unique<end_cfg_edge_event>
+ (*eedge,
+ loc_info_to));
+ }
+ }
+ }
+
+private:
+ std::unique_ptr<infinite_loop> m_inf_loop;
+};
+
+/* If ENODE has an in-edge corresponding to a CFG backedge, return that
+ exploded in-edge.
+ Otherwise, return nullptr. */
+
+static const exploded_edge *
+get_in_edge_back_edge (const exploded_node &enode)
+{
+ for (auto in_edge : enode.m_preds)
+ {
+ const superedge *sedge = in_edge->m_sedge;
+ if (!sedge)
+ continue;
+ const cfg_superedge *cfg_sedge = sedge->dyn_cast_cfg_superedge ();
+ if (!cfg_sedge)
+ continue;
+ if (cfg_sedge->back_edge_p ())
+ return in_edge;
+ }
+ return nullptr;
+}
+
+/* Subclass of region_model_context that rejects conditional branches that
+ aren't known for definite. */
+
+class infinite_loop_checking_context : public noop_region_model_context
+{
+public:
+ infinite_loop_checking_context () : m_unusable (false) {}
+
+ bool checking_for_infinite_loop_p () const override { return true; }
+ void on_unusable_in_infinite_loop () override { m_unusable = true; }
+
+ bool unusable_p () const { return m_unusable; }
+
+private:
+ bool m_unusable;
+};
+
+/* Determine if an infinite loop starts at ENODE.
+ Return the loop if it is found, nullptr otherwise.
+
+ Look for cycles in the exploded graph in which:
+ - no externally visible work occurs
+ - no escape from the cycle
+ - the program state is "sufficiently concrete" at each step:
+ - no unknown activity could be occurring
+ - the worklist was fully drained for each enode in the cycle
+ i.e. every enode in the cycle is processed. */
+
+static std::unique_ptr<infinite_loop>
+starts_infinite_loop_p (const exploded_node &enode,
+ const exploded_graph &eg,
+ logger *logger)
+{
+ LOG_FUNC_1 (logger, "considering EN: %i", enode.m_index);
+
+ /* Only consider enodes that have a CFG back edge as an in-edge. */
+ if (const exploded_edge *back_edge = get_in_edge_back_edge (enode))
+ {
+ if (logger)
+ logger->log ("got backedge from EN: %i",
+ back_edge->m_src->m_index);
+ }
+ else
+ {
+ if (logger)
+ logger->log ("rejecting: no backedge in in-edges");
+ return nullptr;
+ }
+
+ /* Support for dumping an .infinite-loop.dot file visualizing the
+ traversal for this enode. */
+ std::unique_ptr<feasible_graph> fg;
+ feasible_node *curr_fnode = nullptr;
+
+ if (flag_dump_analyzer_infinite_loop)
+ fg = ::make_unique<feasible_graph> ();
+
+ location_t first_loc = UNKNOWN_LOCATION;
+ const exploded_node *iter = &enode;
+ feasibility_state state (*enode.get_state ().m_region_model,
+ eg.get_supergraph ());
+
+ if (fg)
+ curr_fnode = fg->add_node (&enode, state, 0);
+
+ hash_set<const exploded_node *> visited;
+ std::vector<const exploded_edge *> eedges;
+ while (1)
+ {
+ if (logger)
+ logger->log ("iter: EN: %i", iter->m_index);
+ /* Analysis bailed out before processing this node. */
+ if (iter->get_status () == exploded_node::STATUS_WORKLIST)
+ {
+ if (logger)
+ logger->log ("rejecting: EN: %i is still in worklist",
+ iter->m_index);
+ return nullptr;
+ }
+ if (visited.contains (iter))
+ {
+ /* We've looped back on ourselves. ENODE is in the loop
+ itself if ENODE is the first place we looped back,
+ as opposed to being on a path to a loop. */
+ if (iter == &enode)
+ {
+ if (logger)
+ logger->log ("accepting: looped back to EN: %i",
+ iter->m_index);
+ if (fg)
+ {
+ auto_timevar tv (TV_ANALYZER_DUMP);
+ pretty_printer pp;
+ pp_printf (&pp, "%s.en%i.infinite-loop.dot",
+ dump_base_name, enode.m_index);
+ char *filename = xstrdup (pp_formatted_text (&pp));
+ feasible_graph::dump_args_t dump_args (eg);
+ fg->dump_dot (filename, nullptr, dump_args);
+ free (filename);
+ }
+ return ::make_unique<infinite_loop> (enode,
+ first_loc,
+ eedges,
+ logger);
+ }
+ else
+ {
+ if (logger)
+ logger->log ("rejecting: looped back to EN: %i, not to EN: %i",
+ iter->m_index, enode.m_index);
+ return nullptr;
+ }
+ }
+ visited.add (iter);
+ if (first_loc == UNKNOWN_LOCATION)
+ {
+ location_t enode_loc = iter->get_point ().get_location ();
+ if (enode_loc != UNKNOWN_LOCATION)
+ first_loc = enode_loc;
+ }
+
+ /* Find the out-edges that are feasible, given the
+ constraints here. */
+ typedef std::pair<feasibility_state, const exploded_edge *> pair_t;
+ std::vector<pair_t> succs;
+ for (auto out_edge : iter->m_succs)
+ {
+ log_scope s (logger, "considering out-edge",
+ "EN:%i -> EN:%i",
+ out_edge->m_src->m_index,
+ out_edge->m_dest->m_index);
+ feasibility_state next_state (state);
+
+ /* Use this context to require edge conditions to be known,
+ rather than be merely "possible". */
+ infinite_loop_checking_context ctxt;
+ if (next_state.maybe_update_for_edge (logger,
+ out_edge,
+ &ctxt,
+ nullptr))
+ succs.push_back (pair_t (next_state, out_edge));
+ if (ctxt.unusable_p ())
+ {
+ /* If we get here, then we have e.g. a gcond where
+ the condition is UNKNOWN, or a condition
+ based on a widening_svalue. Reject such paths. */
+ if (logger)
+ logger->log ("rejecting: unusable");
+ return nullptr;
+ }
+ }
+
+ if (succs.size () != 1)
+ {
+ if (logger)
+ logger->log ("rejecting: %i feasible successors",
+ (int)succs.size ());
+ return nullptr;
+ }
+ const feasibility_state &next_state = succs[0].first;
+ const exploded_edge *out_eedge = succs[0].second;
+ if (out_eedge->could_do_work_p ())
+ {
+ if (logger)
+ logger->log ("rejecting: edge could do work");
+ return nullptr;
+ }
+ if (fg)
+ {
+ feasible_node *next_fnode = fg->add_node (out_eedge->m_dest,
+ next_state,
+ fg->m_nodes.length ());
+ fg->add_edge (new feasible_edge (curr_fnode, next_fnode, out_eedge));
+ curr_fnode = next_fnode;
+ }
+ state = next_state;
+ eedges.push_back (out_eedge);
+ if (first_loc == UNKNOWN_LOCATION)
+ {
+ if (out_eedge->m_sedge)
+ if (::edge cfg_edge = out_eedge->m_sedge->get_any_cfg_edge ())
+ if (cfg_edge->goto_locus > BUILTINS_LOCATION)
+ first_loc = cfg_edge->goto_locus;
+ }
+ iter = out_eedge->m_dest;
+ }
+}
+
+/* Implementation of -Wanalyzer-infinite-loop. */
+
+void
+exploded_graph::detect_infinite_loops ()
+{
+ LOG_FUNC (get_logger ());
+ auto_timevar tv (TV_ANALYZER_INFINITE_LOOPS);
+
+ /* Track all enodes we've warned for; both the loop entrypoints
+ and all the enodes within those loops. */
+ hash_set<const exploded_node *> warned_for;
+
+ for (auto enode : m_nodes)
+ {
+ if (get_logger ())
+ get_logger ()->log ("visited: %i out of %i",
+ (int)warned_for.elements (), m_nodes.length ());
+
+ /* Only warn about the first enode we encounter in each cycle. */
+ if (warned_for.contains(enode))
+ continue;
+
+ if (std::unique_ptr<infinite_loop> inf_loop
+ = starts_infinite_loop_p (*enode, *this, get_logger ()))
+ {
+ const supernode *snode = enode->get_supernode ();
+
+ if (get_logger ())
+ get_logger ()->log ("EN: %i from starts_infinite_loop_p",
+ enode->m_index);
+
+ for (auto iter : inf_loop->m_eedge_vec)
+ warned_for.add (iter->m_src);
+ gcc_assert (warned_for.contains(enode));
+
+ if (inf_loop->m_loc == UNKNOWN_LOCATION)
+ {
+ if (get_logger ())
+ get_logger ()->log
+ ("no location available for reporting infinite loop");
+ continue;
+ }
+
+ pending_location ploc (enode, snode, inf_loop->m_loc);
+ auto d
+ = ::make_unique<infinite_loop_diagnostic> (std::move (inf_loop));
+ get_diagnostic_manager ().add_diagnostic (ploc, std::move (d));
+ }
+ }
+}
diff --git a/gcc/analyzer/program-state.cc b/gcc/analyzer/program-state.cc
index 8dade4b5b3e..9bb81e6dddd 100644
--- a/gcc/analyzer/program-state.cc
+++ b/gcc/analyzer/program-state.cc
@@ -1145,15 +1145,22 @@ program_state::on_edge (exploded_graph &eg,
this,
uncertainty, &path_ctxt,
last_stmt);
+ std::unique_ptr<rejected_constraint> rc;
+ logger * const logger = eg.get_logger ();
if (!m_region_model->maybe_update_for_edge (*succ,
last_stmt,
- &ctxt, NULL))
+ &ctxt,
+ logger ? &rc : nullptr))
{
- logger * const logger = eg.get_logger ();
if (logger)
- logger->log ("edge to SN: %i is impossible"
- " due to region_model constraints",
- succ->m_dest->m_index);
+ {
+ logger->start_log_line ();
+ logger->log_partial ("edge to SN: %i is impossible"
+ " due to region_model constraint: ",
+ succ->m_dest->m_index);
+ rc->dump_to_pp (logger->get_printer ());
+ logger->end_log_line ();
+ }
return false;
}
if (terminated)
diff --git a/gcc/analyzer/region-model.cc b/gcc/analyzer/region-model.cc
index dc834406520..052c47d38f1 100644
--- a/gcc/analyzer/region-model.cc
+++ b/gcc/analyzer/region-model.cc
@@ -1179,6 +1179,15 @@ region_model::on_assignment (const gassign *assign, region_model_context *ctxt)
const region *lhs_reg = get_lvalue (lhs, ctxt);
+ /* Any writes other than to the stack are treated
+ as externally visible. */
+ if (ctxt)
+ {
+ enum memory_space memspace = lhs_reg->get_memory_space ();
+ if (memspace != MEMSPACE_STACK)
+ ctxt->maybe_did_work ();
+ }
+
/* Most assignments are handled by:
set_value (lhs_reg, SVALUE, CTXT)
for some SVALUE. */
@@ -1277,6 +1286,8 @@ region_model::on_stmt_pre (const gimple *stmt,
{
const gasm *asm_stmt = as_a <const gasm *> (stmt);
on_asm_stmt (asm_stmt, ctxt);
+ if (ctxt)
+ ctxt->maybe_did_work ();
}
break;
@@ -1701,7 +1712,11 @@ region_model::on_call_post (const gcall *call,
}
if (unknown_side_effects)
- handle_unrecognized_call (call, ctxt);
+ {
+ handle_unrecognized_call (call, ctxt);
+ if (ctxt)
+ ctxt->maybe_did_work ();
+ }
}
/* Purge state involving SVAL from this region_model, using CTXT
@@ -2236,6 +2251,7 @@ void
region_model::handle_phi (const gphi *phi,
tree lhs, tree rhs,
const region_model &old_state,
+ hash_set<const svalue *> &svals_changing_meaning,
region_model_context *ctxt)
{
/* For now, don't bother tracking the .MEM SSA names. */
@@ -2247,6 +2263,10 @@ region_model::handle_phi (const gphi *phi,
const svalue *src_sval = old_state.get_rvalue (rhs, ctxt);
const region *dst_reg = old_state.get_lvalue (lhs, ctxt);
+ const svalue *sval = old_state.get_rvalue (lhs, nullptr);
+ if (sval->get_kind () == SK_WIDENING)
+ svals_changing_meaning.add (sval);
+
set_value (dst_reg, src_sval, ctxt);
if (ctxt)
@@ -4661,6 +4681,14 @@ region_model::add_constraint (tree lhs, enum tree_code op, tree rhs,
return add_constraint (lhs_sval, op, rhs_sval, ctxt);
}
+static bool
+unusable_in_infinite_loop_constraint_p (const svalue *sval)
+{
+ if (sval->get_kind () == SK_WIDENING)
+ return true;
+ return false;
+}
+
/* Attempt to add the constraint "LHS OP RHS" to this region_model.
If it is consistent with existing constraints, add it, and return true.
Return false if it contradicts existing constraints.
@@ -4672,6 +4700,20 @@ region_model::add_constraint (const svalue *lhs,
const svalue *rhs,
region_model_context *ctxt)
{
+ const bool checking_for_infinite_loop
+ = ctxt ? ctxt->checking_for_infinite_loop_p () : false;
+
+ if (checking_for_infinite_loop)
+ {
+ if (unusable_in_infinite_loop_constraint_p (lhs)
+ || unusable_in_infinite_loop_constraint_p (rhs))
+ {
+ gcc_assert (ctxt);
+ ctxt->on_unusable_in_infinite_loop ();
+ return false;
+ }
+ }
+
tristate t_cond = eval_condition (lhs, op, rhs);
/* If we already have the condition, do nothing. */
@@ -4683,6 +4725,15 @@ region_model::add_constraint (const svalue *lhs,
if (t_cond.is_false ())
return false;
+ if (checking_for_infinite_loop)
+ {
+ /* Here, we don't have a definite true/false value, so bail out
+ when checking for infinite loops. */
+ gcc_assert (ctxt);
+ ctxt->on_unusable_in_infinite_loop ();
+ return false;
+ }
+
bool out;
if (add_constraints_from_binop (lhs, op, rhs, &out, ctxt))
return out;
@@ -5068,6 +5119,8 @@ region_model::update_for_phis (const supernode *snode,
are effectively handled simultaneously. */
const region_model old_state (*this);
+ hash_set<const svalue *> svals_changing_meaning;
+
for (gphi_iterator gpi = const_cast<supernode *>(snode)->start_phis ();
!gsi_end_p (gpi); gsi_next (&gpi))
{
@@ -5077,8 +5130,11 @@ region_model::update_for_phis (const supernode *snode,
tree lhs = gimple_phi_result (phi);
/* Update next_state based on phi and old_state. */
- handle_phi (phi, lhs, src, old_state, ctxt);
+ handle_phi (phi, lhs, src, old_state, svals_changing_meaning, ctxt);
}
+
+ for (auto iter : svals_changing_meaning)
+ m_constraints->purge_state_involving (iter);
}
/* Attempt to update this model for taking EDGE (where the last statement
@@ -5246,6 +5302,9 @@ region_model::replay_call_summary (call_summary_replay &r,
m_store.replay_call_summary (r, summary.m_store);
+ if (r.get_ctxt ())
+ r.get_ctxt ()->maybe_did_work ();
+
if (!m_constraints->replay_call_summary (r, *summary.m_constraints))
return false;
@@ -5807,6 +5866,9 @@ region_model::can_merge_with_p (const region_model &other_model,
*other_model.m_constraints,
out_model->m_constraints);
+ for (auto iter : m.m_svals_changing_meaning)
+ out_model->m_constraints->purge_state_involving (iter);
+
return true;
}
@@ -6658,6 +6720,14 @@ model_merger::mergeable_svalue_p (const svalue *sval) const
return true;
}
+/* Mark WIDENING_SVAL as changing meaning during the merge. */
+
+void
+model_merger::on_widening_reuse (const widening_svalue *widening_sval)
+{
+ m_svals_changing_meaning.add (widening_sval);
+}
+
} // namespace ana
/* Dump RMODEL fully to stderr (i.e. without summarization). */
@@ -8364,7 +8434,6 @@ test_iteration_1 ()
tree int_0 = build_int_cst (integer_type_node, 0);
tree int_1 = build_int_cst (integer_type_node, 1);
tree int_256 = build_int_cst (integer_type_node, 256);
- tree int_257 = build_int_cst (integer_type_node, 257);
tree i = build_global_decl ("i", integer_type_node);
test_region_model_context ctxt;
@@ -8426,8 +8495,6 @@ test_iteration_1 ()
ASSERT_TRUE (model5.can_merge_with_p (model2, point, &model6));
const svalue *merged_widening = model6.get_rvalue (i, &ctxt);
ASSERT_EQ (merged_widening->get_kind (), SK_WIDENING);
-
- ASSERT_CONDITION_TRUE (model6, i, LT_EXPR, int_257);
}
/* Verify that if we mark a pointer to a malloc-ed region as non-NULL,
diff --git a/gcc/analyzer/region-model.h b/gcc/analyzer/region-model.h
index 4d8480df141..e26d18713b1 100644
--- a/gcc/analyzer/region-model.h
+++ b/gcc/analyzer/region-model.h
@@ -328,6 +328,7 @@ class region_model
void handle_phi (const gphi *phi, tree lhs, tree rhs,
const region_model &old_state,
+ hash_set<const svalue *> &svals_changing_meaning,
region_model_context *ctxt);
bool maybe_update_for_edge (const superedge &edge,
@@ -804,6 +805,11 @@ class region_model_context
virtual const gimple *get_stmt () const = 0;
virtual const exploded_graph *get_eg () const = 0;
+
+ /* Hooks for detecting infinite loops. */
+ virtual void maybe_did_work () = 0;
+ virtual bool checking_for_infinite_loop_p () const = 0;
+ virtual void on_unusable_in_infinite_loop () = 0;
};
/* A "do nothing" subclass of region_model_context. */
@@ -861,6 +867,9 @@ public:
const gimple *get_stmt () const override { return NULL; }
const exploded_graph *get_eg () const override { return NULL; }
+ void maybe_did_work () override {}
+ bool checking_for_infinite_loop_p () const override { return false; }
+ void on_unusable_in_infinite_loop () override {}
};
/* A subclass of region_model_context for determining if operations fail
@@ -1036,6 +1045,24 @@ class region_model_context_decorator : public region_model_context
return nullptr;
}
+ void maybe_did_work () override
+ {
+ if (m_inner)
+ m_inner->maybe_did_work ();
+ }
+
+ bool checking_for_infinite_loop_p () const override
+ {
+ if (m_inner)
+ return m_inner->checking_for_infinite_loop_p ();
+ return false;
+ }
+ void on_unusable_in_infinite_loop () override
+ {
+ if (m_inner)
+ m_inner->on_unusable_in_infinite_loop ();
+ }
+
protected:
region_model_context_decorator (region_model_context *inner)
: m_inner (inner)
@@ -1108,6 +1135,8 @@ struct model_merger
return m_point.get_function_point ();
}
+ void on_widening_reuse (const widening_svalue *widening_sval);
+
const region_model *m_model_a;
const region_model *m_model_b;
const program_point &m_point;
@@ -1116,6 +1145,8 @@ struct model_merger
const extrinsic_state *m_ext_state;
const program_state *m_state_a;
const program_state *m_state_b;
+
+ hash_set<const svalue *> m_svals_changing_meaning;
};
/* A record that can (optionally) be written out when
diff --git a/gcc/analyzer/sm-signal.cc b/gcc/analyzer/sm-signal.cc
index e3f90921df9..9ebcbdbc8e0 100644
--- a/gcc/analyzer/sm-signal.cc
+++ b/gcc/analyzer/sm-signal.cc
@@ -279,6 +279,7 @@ public:
src_enode);
if (dst_enode)
eg->add_edge (src_enode, dst_enode, NULL, /*state_change (),*/
+ true, /* assume does work */
make_unique<signal_delivery_edge_info_t> ());
}
diff --git a/gcc/analyzer/supergraph.cc b/gcc/analyzer/supergraph.cc
index 31707e743a5..52cb8771de3 100644
--- a/gcc/analyzer/supergraph.cc
+++ b/gcc/analyzer/supergraph.cc
@@ -790,6 +790,13 @@ supernode::get_start_location () const
if (return_p ())
return m_fun->function_end_locus;
+ /* We have no locations for stmts. If we have a single out-edge that's
+ a CFG edge, the goto_locus of that edge is a better location for this
+ than UNKNOWN_LOCATION. */
+ if (m_succs.length () == 1)
+ if (const cfg_superedge *cfg_sedge = m_succs[0]->dyn_cast_cfg_superedge ())
+ return cfg_sedge->get_goto_locus ();
+
return UNKNOWN_LOCATION;
}
@@ -813,6 +820,12 @@ supernode::get_end_location () const
if (return_p ())
return m_fun->function_end_locus;
+ /* If we have a single out-edge that's a CFG edge, use the goto_locus of
+ that edge. */
+ if (m_succs.length () == 1)
+ if (const cfg_superedge *cfg_sedge = m_succs[0]->dyn_cast_cfg_superedge ())
+ return cfg_sedge->get_goto_locus ();
+
return UNKNOWN_LOCATION;
}
@@ -1063,6 +1076,9 @@ cfg_superedge::dump_label_to_pp (pretty_printer *pp,
pp_string (pp, ")");
}
+ if (m_cfg_edge->goto_locus > BUILTINS_LOCATION)
+ pp_string (pp, " (has goto_locus)");
+
/* Otherwise, no label. */
}
diff --git a/gcc/analyzer/supergraph.h b/gcc/analyzer/supergraph.h
index 27ebd13feb2..0cafbb57234 100644
--- a/gcc/analyzer/supergraph.h
+++ b/gcc/analyzer/supergraph.h
@@ -532,6 +532,8 @@ class cfg_superedge : public superedge
size_t get_phi_arg_idx () const;
tree get_phi_arg (const gphi *phi) const;
+ location_t get_goto_locus () const { return m_cfg_edge->goto_locus; }
+
private:
const ::edge m_cfg_edge;
};
diff --git a/gcc/analyzer/svalue.cc b/gcc/analyzer/svalue.cc
index 35eb8307b20..e5811bd1395 100644
--- a/gcc/analyzer/svalue.cc
+++ b/gcc/analyzer/svalue.cc
@@ -251,6 +251,7 @@ svalue::can_merge_p (const svalue *other,
a descending chain of constraints. */
if (other == widen_arg0)
{
+ merger->on_widening_reuse (widen_arg0);
return widen_arg0;
}
@@ -606,6 +607,12 @@ public:
m_found = true;
}
+ void visit_widening_svalue (const widening_svalue *candidate) final override
+ {
+ if (candidate == m_needle)
+ m_found = true;
+ }
+
bool found_p () const { return m_found; }
private:
@@ -620,7 +627,8 @@ svalue::involves_p (const svalue *other) const
{
/* Currently only implemented for these kinds. */
gcc_assert (other->get_kind () == SK_INITIAL
- || other->get_kind () == SK_CONJURED);
+ || other->get_kind () == SK_CONJURED
+ || other->get_kind () == SK_WIDENING);
involvement_visitor v (other);
accept (&v);
diff --git a/gcc/doc/invoke.texi b/gcc/doc/invoke.texi
index 1748afdbfe0..c0b571327fb 100644
--- a/gcc/doc/invoke.texi
+++ b/gcc/doc/invoke.texi
@@ -448,6 +448,7 @@ Objective-C and Objective-C++ Dialects}.
-fdump-analyzer-exploded-nodes-3
-fdump-analyzer-exploded-paths
-fdump-analyzer-feasibility
+-fdump-analyzer-infinite-loop
-fdump-analyzer-json
-fdump-analyzer-state-purge
-fdump-analyzer-stderr
@@ -467,6 +468,7 @@ Objective-C and Objective-C++ Dialects}.
-Wno-analyzer-file-leak
-Wno-analyzer-free-of-non-heap
-Wno-analyzer-imprecise-fp-arithmetic
+-Wno-analyzer-infinite-loop
-Wno-analyzer-infinite-recursion
-Wno-analyzer-jump-through-null
-Wno-analyzer-malloc-leak
@@ -10401,6 +10403,7 @@ Enabling this option effectively enables the following warnings:
-Wanalyzer-file-leak
-Wanalyzer-free-of-non-heap
-Wanalyzer-imprecise-fp-arithmetic
+-Wanalyzer-infinite-loop
-Wanalyzer-infinite-recursion
-Wanalyzer-jump-through-null
-Wanalyzer-malloc-leak
@@ -10666,6 +10669,57 @@ arithmetic is used in locations where precise computation is needed. This
diagnostic only warns on use of floating-point operands inside the
calculation of an allocation size at the moment.
+@opindex Wanalyzer-infinite-loop
+@opindex Wno-analyzer-infinite-loop
+@item -Wno-analyzer-infinite-loop
+This warning requires @option{-fanalyzer}, which enables it; use
+@option{-Wno-analyzer-infinite-loop} to disable it.
+
+This diagnostics warns for paths through the code which appear to
+lead to an infinite loop.
+
+Specifically, the analyzer will issue this warning when it "sees" a loop
+in which:
+@itemize @bullet
+@item
+no externally-visible work could be being done within the loop
+@item
+there is no way to escape from the loop
+@item
+the analyzer is sufficiently confident about the program state
+throughout the loop to know that the above are true
+@end itemize
+
+One way for this warning to be emitted is when there is an execution
+path through a loop for which taking the path on one iteration implies
+that the same path will be taken on all subsequent iterations.
+
+For example, consider:
+
+@smallexample
+ while (1)
+ @{
+ char opcode = *cpu_state.pc;
+ switch (opcode)
+ @{
+ case OPCODE_FOO:
+ handle_opcode_foo (&cpu_state);
+ break;
+ case OPCODE_BAR:
+ handle_opcode_bar (&cpu_state);
+ break;
+ @}
+ @}
+@end smallexample
+
+The analyzer will complain for the above case because if @code{opcode}
+ever matches none of the cases, the @code{switch} will follow the
+implicit @code{default} case, making the body of the loop be a ``no-op''
+with @code{cpu_state.pc} unchanged, and thus using the same value of
+@code{opcode} on all subseqent iterations, leading to an infinite loop.
+
+See @uref{https://cwe.mitre.org/data/definitions/835.html, CWE-835: Loop with Unreachable Exit Condition ('Infinite Loop')}.
+
@opindex Wanalyzer-infinite-recursion
@opindex Wno-analyzer-infinite-recursion
@item -Wno-analyzer-infinite-recursion
@@ -10690,6 +10744,8 @@ this diagnostic.
Compare with @option{-Winfinite-recursion}, which provides a similar
diagnostic, but is implemented in a different way.
+See @uref{https://cwe.mitre.org/data/definitions/674.html, CWE-674: Uncontrolled Recursion}.
+
@opindex Wanalyzer-jump-through-null
@opindex Wno-analyzer-jump-through-null
@item -Wno-analyzer-jump-through-null
@@ -11455,6 +11511,12 @@ The details are written in a form suitable for viewing with GraphViz
to filenames of the form @file{@var{file}.*.fg.dot},
@file{@var{file}.*.tg.dot}, and @file{@var{file}.*.fpath.txt}.
+@opindex dump-analyzer-infinite-loop
+@item -fdump-analyzer-infinite-loop
+Dump internal details about the analyzer's search for infinite loops.
+The details are written in a form suitable for viewing with GraphViz
+to filenames of the form @file{@var{file}.*.infinite-loop.dot}.
+
@opindex fdump-analyzer-json
@item -fdump-analyzer-json
Dump a compressed JSON representation of analyzer internals to
diff --git a/gcc/testsuite/c-c++-common/analyzer/gzio-2.c b/gcc/testsuite/c-c++-common/analyzer/gzio-2.c
index 855ecc8f73d..a0dd112b05d 100644
--- a/gcc/testsuite/c-c++-common/analyzer/gzio-2.c
+++ b/gcc/testsuite/c-c++-common/analyzer/gzio-2.c
@@ -6,6 +6,6 @@ void gzseek (long offset, int whence)
offset -= 1;
if (offset < 0)
return;
- while (offset > 0) {
+ while (offset > 0) { /* { dg-warning "infinite loop" "" { xfail *-*-* } } */
}
}
diff --git a/gcc/testsuite/c-c++-common/analyzer/infinite-loop-2.c b/gcc/testsuite/c-c++-common/analyzer/infinite-loop-2.c
new file mode 100644
index 00000000000..f2825d606fa
--- /dev/null
+++ b/gcc/testsuite/c-c++-common/analyzer/infinite-loop-2.c
@@ -0,0 +1,34 @@
+extern int do_stuff (void);
+
+/* Various misleading "while" loops that look like do-whiles due
+ to proximity to another clause, but are actually empty. */
+
+void not_a_do_while_1 (int flag)
+{
+ if (flag) {
+ do_stuff ();
+ flag = 0;
+ } while (flag); // TODO: should we complain here?
+}
+
+void not_a_do_while_2 (int flag)
+{
+ if (!flag) {
+ do_stuff ();
+ flag = 1;
+ } while (flag); // TODO: should we complain here?
+}
+
+void not_a_do_while_3 (int flag)
+{
+ while (!flag) {
+ flag = do_stuff ();
+ } while (flag); // TODO: should we complain here?
+}
+
+void not_a_do_while_4 (int flag)
+{
+ while (flag) {
+ flag = do_stuff ();
+ } while (flag); // TODO: should we complain here?
+}
diff --git a/gcc/testsuite/c-c++-common/analyzer/infinite-loop-4.c b/gcc/testsuite/c-c++-common/analyzer/infinite-loop-4.c
new file mode 100644
index 00000000000..032f7fd5860
--- /dev/null
+++ b/gcc/testsuite/c-c++-common/analyzer/infinite-loop-4.c
@@ -0,0 +1,71 @@
+/* Various tests for loops that aren't infinite, strictly speaking,
+ but look bogus. */
+
+// TODO: should we complain about these?
+
+extern int maybe_useful_work ();
+
+/* Loop iteration going the wrong way, with a signed iterator
+
+ Not infinite, as will eventually overflow and bail out, but probably
+ not what the user intended. */
+
+void test_wrong_way_signed_1 (int n)
+{
+ for (int i = 0; i < n; i--)
+ {
+ }
+}
+
+void test_wrong_way_signed_2 (int n)
+{
+ for (int i = 0; i < n; i--)
+ maybe_useful_work ();
+}
+
+int test_wrong_way_signed_3 (int *arr, int n)
+{
+ int sum = 0;
+ for (int i = 0; i < n; i--)
+ sum += arr[i];
+ return sum;
+}
+
+
+/* As above, but with an unsigned iterator.
+
+ Not infinite, as will immediately overflow and bail out, but probably
+ not what the user intended. */
+
+void test_wrong_way_unsigned_1 (unsigned n)
+{
+ for (unsigned i = 0; i < n; i--)
+ {
+ }
+}
+
+void test_wrong_way_unsigned_2 (unsigned n)
+{
+ for (unsigned i = 0; i < n; i--)
+ maybe_useful_work ();
+}
+
+int test_wrong_way_unsigned_3 (int *arr, unsigned n)
+{
+ int sum = 0;
+ for (unsigned i = 0; i < n; i--)
+ sum += arr[i];
+ return sum;
+}
+
+/* BUG: "n" never changes, so loop is never entered. */
+
+void test_1 (void)
+{
+ int n = 0;
+
+ /* [...snip...] */
+
+ for (int i = 0; i < n; i++)
+ maybe_useful_work ();
+}
diff --git a/gcc/testsuite/c-c++-common/analyzer/infinite-loop-crc32c.c b/gcc/testsuite/c-c++-common/analyzer/infinite-loop-crc32c.c
new file mode 100644
index 00000000000..01d4e4d91f9
--- /dev/null
+++ b/gcc/testsuite/c-c++-common/analyzer/infinite-loop-crc32c.c
@@ -0,0 +1,14 @@
+/* Based on qemu's util/crc32c.c, in turn based on the
+ Linux kernel cryptographic crc32c module. */
+
+#include <stdint.h>
+
+extern const uint32_t crc32c_table[256];
+
+uint32_t crc32c(uint32_t crc, const uint8_t *data, unsigned int length)
+{
+ while (length--) { /* { dg-bogus "infinite loop" } */
+ crc = crc32c_table[(crc ^ *data++) & 0xFFL] ^ (crc >> 8);
+ }
+ return crc^0xffffffff;
+}
diff --git a/gcc/testsuite/c-c++-common/analyzer/infinite-loop-doom-d_main-IdentifyVersion.c b/gcc/testsuite/c-c++-common/analyzer/infinite-loop-doom-d_main-IdentifyVersion.c
new file mode 100644
index 00000000000..166d6da11f9
--- /dev/null
+++ b/gcc/testsuite/c-c++-common/analyzer/infinite-loop-doom-d_main-IdentifyVersion.c
@@ -0,0 +1,26 @@
+/* Reduced from a -Wanalyzer-infinite-loop false positive seen in Doom's
+ d_main.c, which is under the GPLv2 or later. */
+
+extern char* wadfiles[20];
+
+void
+D_AddFile(const char* file)
+{
+ int numwadfiles;
+ char* newfile;
+
+ for (numwadfiles = 0; wadfiles[numwadfiles]; numwadfiles++) /* { dg-bogus "infinite loop" } */
+ ;
+
+ newfile = (char *)__builtin_malloc(__builtin_strlen(file) + 1);
+ __builtin_strcpy(newfile, file); /* { dg-warning "possibly-NULL" } */
+
+ wadfiles[numwadfiles] = newfile;
+}
+
+void
+IdentifyVersion(void)
+{
+ D_AddFile("doom1.wad");
+ D_AddFile("data_se/texture1.lmp");
+}
diff --git a/gcc/testsuite/c-c++-common/analyzer/infinite-loop-doom-v_video.c b/gcc/testsuite/c-c++-common/analyzer/infinite-loop-doom-v_video.c
new file mode 100644
index 00000000000..35f420655c4
--- /dev/null
+++ b/gcc/testsuite/c-c++-common/analyzer/infinite-loop-doom-v_video.c
@@ -0,0 +1,31 @@
+/* Reduced from a -Wanalyzer-infinite-loop false positive seen in Doom's
+ v_video.c, which is under the GPLv2 or later. */
+
+typedef unsigned char byte;
+
+byte* screens[5];
+
+#define SCREENWIDTH 320
+
+void
+V_DrawBlock
+( int x,
+ int y,
+ int scrn,
+ int width,
+ int height,
+ byte* src )
+{
+ byte* dest;
+
+ /* [...snip...] */
+
+ dest = screens[scrn] + y*SCREENWIDTH+x;
+
+ while (height--) /* { dg-bogus "infinite loop" } */
+ {
+ __builtin_memcpy (dest, src, width);
+ src += width;
+ dest += SCREENWIDTH;
+ }
+}
diff --git a/gcc/testsuite/c-c++-common/analyzer/infinite-loop-g_error.c b/gcc/testsuite/c-c++-common/analyzer/infinite-loop-g_error.c
new file mode 100644
index 00000000000..5a267be0770
--- /dev/null
+++ b/gcc/testsuite/c-c++-common/analyzer/infinite-loop-g_error.c
@@ -0,0 +1,19 @@
+/* Reduced from glib, which has a g_error macro with this infinite
+ loop in it:
+ for (;;) ;
+
+ Make sure we provide a readable warning for this case. */
+
+extern void g_log_structured_standard (const char *);
+
+#define g_error(MSG) \
+ do { \
+ g_log_structured_standard (MSG); \
+ for (;;) ; \
+ } while (0)
+/* { dg-message "5: infinite loop" "" { target *-*-* } .-2 } */
+
+void test_g_error (void)
+{
+ g_error ("something went wrong"); /* { dg-message "in expansion of macro 'g_error'" } */
+}
diff --git a/gcc/testsuite/c-c++-common/analyzer/infinite-loop-linked-list.c b/gcc/testsuite/c-c++-common/analyzer/infinite-loop-linked-list.c
new file mode 100644
index 00000000000..aaa387fd310
--- /dev/null
+++ b/gcc/testsuite/c-c++-common/analyzer/infinite-loop-linked-list.c
@@ -0,0 +1,131 @@
+/* Various correct and incorrect ways to walk a linked list, accumulating
+ a value. */
+
+/* { dg-additional-options "-O0" } */
+
+extern int maybe_useful_work ();
+
+struct node
+{
+ struct node *next;
+ int val;
+};
+
+/* Various "while" loops. */
+
+int correct_while_loop (struct node *n)
+{
+ int sum = 0;
+ while (n)
+ {
+ sum += n->val;
+ n = n->next;
+ }
+ return sum;
+}
+
+int while_loop_missing_next (struct node *n)
+{
+ int sum = 0;
+ while (n) /* { dg-line "while_loop_missing_next_WHILE_LINE" } */
+ {
+ sum += n->val; /* { dg-line "while_loop_missing_next_LOOP_BODY" } */
+ /* We're missing: "n = n->next;", so n does not change */
+ }
+ return sum;
+
+ /* { dg-warning "10: infinite loop" "" { target *-*-* } while_loop_missing_next_WHILE_LINE } */
+ /* { dg-message "10: \\(2\\) when 'n' is non-NULL: always following 'true' branch\.\.\." "" { target *-*-* } while_loop_missing_next_WHILE_LINE } */
+ /* { dg-message "\\(3\\) \.\.\.to here" "" { target *-*-* } while_loop_missing_next_LOOP_BODY } */
+ /* { dg-message "\\(4\\) looping back\.\.\." "" { target *-*-* } while_loop_missing_next_LOOP_BODY } */
+ /* { dg-message "\\(5\\) \.\.\.to here" "" { target *-*-* } while_loop_missing_next_WHILE_LINE } */
+}
+
+int while_loop_missing_next_with_work (struct node *n)
+{
+ int sum = 0;
+ while (n) /* { dg-bogus "infinite loop" } */
+ {
+ sum += n->val;
+ /* We're missing: "n = n->next;", so n does not change */
+ /* But here we do something that could be doing useful work. */
+ maybe_useful_work ();
+ }
+ return sum;
+}
+
+/* BUG: missing: "sum += ", so sum does not change. */
+
+int while_loop_missing_add (struct node *n)
+{
+ int sum = 0;
+ while (n) /* { dg-warning "infinite loop" } */
+ n->val;
+ return sum;
+}
+
+/* Various "for" loops. */
+
+int correct_for_loop (struct node *n)
+{
+ int sum = 0;
+ for (struct node *iter = n; iter; iter = iter->next)
+ sum += n->val;
+ return sum;
+}
+
+int for_loop_missing_condition (struct node *n)
+{
+ int sum = 0;
+ for (struct node *iter = n; ; iter = iter->next)
+ sum += n->val; /* { dg-warning "infinite loop" } */
+ return sum;
+}
+
+int for_loop_missing_next (struct node *n)
+{
+ int sum = 0;
+ for (struct node *iter = n; iter; ) /* { dg-warning "infinite loop" } */
+ sum += n->val;
+ return sum;
+}
+
+/* BUG: missing: "sum += ", so sum does not change.
+ Not an infinite loop though, as we do iterate to the
+ end of the list. */
+
+int for_loop_missing_add (struct node *n)
+{
+ int sum = 0;
+ for (struct node *iter = n; iter; iter = iter->next)
+ n->val; /* { dg-bogus "infinite loop" } */
+ return sum;
+}
+
+/* BUG: "iter->next" should be "iter = iter->next". */
+
+int for_loop_noop_next (struct node *n)
+{
+ int sum = 0;
+ for (struct node *iter = n; iter; iter->next) /* { dg-line for_loop_noop_next_FOR_LINE } */
+ sum += n->val; /* { dg-line for_loop_noop_next_LOOP_BODY } */
+ return sum;
+
+ /* { dg-warning "31: infinite loop" "" { target *-*-* } for_loop_noop_next_FOR_LINE } */
+ /* { dg-message "31: \\(2\\) when 'iter' is non-NULL: always following 'true' branch\.\.\." "" { target *-*-* } for_loop_noop_next_FOR_LINE } */
+ /* { dg-message "\\(3\\) \.\.\.to here" "" { target *-*-* } for_loop_noop_next_LOOP_BODY } */
+ /* { dg-message "\\(4\\) looping back\.\.\." "" { target *-*-* } for_loop_noop_next_LOOP_BODY } */
+ /* { dg-message "\\(5\\) \.\.\.to here" "" { target *-*-* } for_loop_noop_next_FOR_LINE } */
+}
+
+/* BUG: "iter = n->next" should be "iter = iter->next"
+ and so it becomes an infinite loop at the 2nd element. */
+
+int for_loop_wrong_next (struct node *n)
+{
+ int sum = 0;
+ for (struct node *iter = n; iter; iter = n->next) /* { dg-warning "infinite loop" "" { xfail *-*-* } } */
+ /* TODO: xfail. */
+ sum += n->val;
+ return sum;
+}
diff --git a/gcc/testsuite/c-c++-common/analyzer/infinite-recursion-inlining.c b/gcc/testsuite/c-c++-common/analyzer/infinite-recursion-inlining.c
index c885c922fe1..9dd5590acc0 100644
--- a/gcc/testsuite/c-c++-common/analyzer/infinite-recursion-inlining.c
+++ b/gcc/testsuite/c-c++-common/analyzer/infinite-recursion-inlining.c
@@ -11,13 +11,13 @@
void test_direct (void)
{
- test_direct (); /* Ideally would warn here, but it becomes an infinite loop. */
-}
+ test_direct ();
+} /* { dg-warning "infinite-loop" } */
void test_guarded (int flag)
{
- if (flag)
- test_guarded (flag); /* Ideally would warn here, but it becomes an infinite loop. */
+ if (flag) /* { dg-warning "infinite-loop" } */
+ test_guarded (flag);
}
void test_flipped_guard (int flag)
@@ -34,7 +34,7 @@ void test_param_variant (int depth)
void test_unguarded_param_variant (int depth)
{
- test_unguarded_param_variant (depth - 1); /* Ideally would warn here, but it becomes an infinite loop. */
+ test_unguarded_param_variant (depth - 1); /* { dg-warning "infinite-loop" } */
}
int g;
@@ -90,27 +90,23 @@ int test_do_while_postdecrement_param (int n)
/* Various cases of decrementing "n" as the recursion proceeds where
not every path recurses, but we're not actually checking "n", so
- if "flag" is true it's an infinite recursion. */
+ if "flag" is true it's an infinite recursion (which looks like an
+ infinite loop after inlining). */
void test_partially_guarded_postdecrement (int flag, int n)
{
- /* Ideally we'd catch this, but it becomes an infinite loop. */
- if (flag)
+ if (flag) /* { dg-warning "infinite loop" } */
test_partially_guarded_postdecrement (flag, n--);
}
void test_partially_guarded_predecrement (int flag, int n)
{
- /* We fail to report this; we see that "n" is changing,
- though it isn't relevant to whether we recurse. */
- if (flag)
- test_partially_guarded_predecrement (flag, --n); /* { dg-warning "infinite recursion" "TODO" { xfail *-*-* } } */
+ if (flag) /* { dg-warning "infinite loop" } */
+ test_partially_guarded_predecrement (flag, --n);
}
void test_partially_guarded_subtract (int flag, int n)
{
- /* We fail to report this; we see that "n" is changing,
- though it isn't relevant to whether we recurse. */
- if (flag)
- test_partially_guarded_subtract (flag, n - 1); /* { dg-warning "infinite recursion" "TODO" { xfail *-*-* } } */
+ if (flag) /* { dg-warning "infinite loop" } */
+ test_partially_guarded_subtract (flag, n - 1);
}
diff --git a/gcc/testsuite/c-c++-common/analyzer/inlining-4-multiline.c b/gcc/testsuite/c-c++-common/analyzer/inlining-4-multiline.c
index c870a9f654d..5c971c581ae 100644
--- a/gcc/testsuite/c-c++-common/analyzer/inlining-4-multiline.c
+++ b/gcc/testsuite/c-c++-common/analyzer/inlining-4-multiline.c
@@ -56,13 +56,20 @@ outer (int flag)
| |
| (4) following 'true' branch (when 'flag != 0')...
|
+ 'inner': event 5 (depth 3)
+ |
+ |
+ | #define NULL ((void *)0)
+ | ^
+ | |
+ | (5) ...to here
+ { dg-end-multiline-output "" { target c } } */
+/* { dg-begin-multiline-output "" }
+ | return NULL;
+ | ^~~~
+ |
<-------------+
|
- 'outer': event 5 (depth 1)
- |
- |cc1:
- | (5): ...to here
- |
'outer': event 6 (depth 1)
|
| return *middle (flag);
@@ -100,13 +107,20 @@ outer (int flag)
| |
| (4) following 'true' branch (when 'flag != 0')...
|
+ 'const char* inner(int)': event 5 (depth 3)
+ |
+ |
+ | #define NULL
+ |
+ | |
+ | (5) ...to here
+ { dg-end-multiline-output "" { target c++ } } */
+/* { dg-begin-multiline-output "" }
+ | return NULL;
+ | ^~~~
+ |
<-------------+
|
- 'char outer(int)': event 5 (depth 1)
- |
- |cc1plus:
- | (5): ...to here
- |
'char outer(int)': event 6 (depth 1)
|
| return *middle (flag);
diff --git a/gcc/testsuite/gcc.dg/analyzer/boxed-malloc-1.c b/gcc/testsuite/gcc.dg/analyzer/boxed-malloc-1.c
index 435fb4f01c3..6b6bba338ae 100644
--- a/gcc/testsuite/gcc.dg/analyzer/boxed-malloc-1.c
+++ b/gcc/testsuite/gcc.dg/analyzer/boxed-malloc-1.c
@@ -141,7 +141,7 @@ void test_12 (void)
while (1)
{
- free (ptr.value);
+ free (ptr.value); /* { dg-warning "infinite loop" } */
free (ptr.value); /* { dg-warning "double-'free' of 'ptr.value'" } */
}
}
diff --git a/gcc/testsuite/gcc.dg/analyzer/data-model-20.c b/gcc/testsuite/gcc.dg/analyzer/data-model-20.c
index ff65883dac1..59f62853ad6 100644
--- a/gcc/testsuite/gcc.dg/analyzer/data-model-20.c
+++ b/gcc/testsuite/gcc.dg/analyzer/data-model-20.c
@@ -14,7 +14,11 @@ test (int n) {
for (i = 0; i < n; i++) {
if ((arr[i] = (struct foo *)malloc(sizeof(struct foo))) == NULL) {
- for (; i >= 0; i++) {
+ for (; i >= 0; i++) { /* { dg-warning "infinite loop" } */
+ /* This loop is in the wrong direction, so not technically an
+ infinite loop ("i" will eventually wrap around), but the
+ analyzer's condition handling treats the overflow as such.
+ In any case, the code is suspect and warrants a warning. */
free(arr[i]); /* { dg-bogus "double-'free'" } */
}
free(arr); /* { dg-warning "leak" } */
diff --git a/gcc/testsuite/gcc.dg/analyzer/data-model-20a.c b/gcc/testsuite/gcc.dg/analyzer/data-model-20a.c
new file mode 100644
index 00000000000..767b9912ed9
--- /dev/null
+++ b/gcc/testsuite/gcc.dg/analyzer/data-model-20a.c
@@ -0,0 +1,25 @@
+/* { dg-additional-options "-Wno-analyzer-too-complex" } */
+
+#include <stdlib.h>
+
+struct foo { int dummy; };
+
+struct foo **
+test (int n) {
+ struct foo **arr;
+ int i;
+
+ if ((arr = (struct foo **)malloc(n * sizeof(struct foo *))) == NULL)
+ return NULL;
+
+ for (i = 0; i < n; i++) {
+ if ((arr[i] = (struct foo *)malloc(sizeof(struct foo))) == NULL) {
+ for (; i >= 0; i--) {
+ free(arr[i]); /* { dg-bogus "double-'free'" } */
+ }
+ free(arr); /* { dg-bogus "leak" "" { xfail *-*-* } } */
+ return NULL;
+ }
+ }
+ return arr;
+}
diff --git a/gcc/testsuite/gcc.dg/analyzer/edges-1.c b/gcc/testsuite/gcc.dg/analyzer/edges-1.c
index f08a6143d59..644a2df8daf 100644
--- a/gcc/testsuite/gcc.dg/analyzer/edges-1.c
+++ b/gcc/testsuite/gcc.dg/analyzer/edges-1.c
@@ -15,6 +15,8 @@ void test_1 (const char *path, int flag)
if (!fp) /* { dg-message "when 'fp' is non-NULL" } */
return;
+ bar ();
+
/* We shouldn't report this control flow. */
while (foo ()) /* { dg-bogus "" } */
bar ();
diff --git a/gcc/testsuite/gcc.dg/analyzer/explode-2a.c b/gcc/testsuite/gcc.dg/analyzer/explode-2a.c
index 32c71ca44aa..d07ce5b270a 100644
--- a/gcc/testsuite/gcc.dg/analyzer/explode-2a.c
+++ b/gcc/testsuite/gcc.dg/analyzer/explode-2a.c
@@ -14,7 +14,7 @@ void test (void)
explode-2.c as this code. */
int a = get ();
int b = get ();
- while (a)
+ while (a) /* { dg-warning "infinite loop" } */
{
switch (b)
{
diff --git a/gcc/testsuite/gcc.dg/analyzer/infinite-loop-1.c b/gcc/testsuite/gcc.dg/analyzer/infinite-loop-1.c
new file mode 100644
index 00000000000..c3515bb140a
--- /dev/null
+++ b/gcc/testsuite/gcc.dg/analyzer/infinite-loop-1.c
@@ -0,0 +1,235 @@
+/* { dg-additional-options "-O0" } */
+
+extern int maybe_useful_work ();
+
+int global_var;
+volatile int volatile_global_var;
+
+struct st
+{
+ int x;
+ int y;
+};
+
+static void __attribute__((noinline))
+do_nothing (void)
+{
+}
+
+void test_empty_while_true ()
+{
+ while (1) {} /* { dg-warning "infinite loop" } */
+ /* { dg-message "looping back\.\.\." "" { target *-*-* } .-1 } */
+ /* { dg-message "\.\.\.to here" "" { target *-*-* } .-2 } */
+}
+
+void test_empty_do_while ()
+{
+ do {} while (1); /* { dg-warning "infinite loop" } */
+ /* { dg-message "looping back\.\.\." "" { target *-*-* } .-1 } */
+ /* { dg-message "\.\.\.to here" "" { target *-*-* } .-2 } */
+}
+
+void test_empty_for ()
+{
+ for (;;) {} /* { dg-warning "infinite loop" } */
+ /* { dg-message "looping back\.\.\." "" { target *-*-* } .-1 } */
+ /* { dg-message "\.\.\.to here" "" { target *-*-* } .-2 } */
+}
+
+void test_while_true_maybe_useful_work ()
+{
+ while (1)
+ maybe_useful_work ();
+}
+
+void test_while_true_interproc_empty ()
+{
+ /* Depending on optimization level, location is sometimes
+ on "while", sometimes on "do_nothing", and sometimes the
+ unknown location. */
+ while (1)
+ do_nothing (); /* { dg-warning "infinite loop" } */
+}
+
+void test_while_true_increment_local ()
+{
+ int i = 0;
+ while (1)
+ i++; /* { dg-warning "infinite loop" } */
+}
+
+void test_while_true_increment_global ()
+{
+ while (1)
+ global_var++;
+}
+
+void test_guarded_while_true_increment_local (int flag)
+{
+ if (flag)
+ {
+ int i = 0;
+ while (1)
+ i++; /* { dg-warning "infinite loop" } */
+ }
+}
+
+void test_while_local_flag_increment_local (int flag)
+{
+ int i = 0;
+ while (flag) /* { dg-warning "infinite loop" } */
+ i++;
+}
+
+extern int check_flag (void);
+
+void test_while_calling_fn (void)
+{
+ while (check_flag ())
+ do_nothing ();
+}
+
+void test_missing_parens_on_call (void)
+{
+ while (check_flag)
+ do_nothing (); /* { dg-warning "infinite loop" } */
+}
+
+void test_iteration_copy_and_paste_error (int m, int n)
+{
+ /* Wrong variable is incremented in inner "for" loop, thus
+ effectively an infinite loop. */
+ float arr[m][n];
+ for (int i = 0; i < m; i++)
+ for (int j = 0; j < n; i++) /* { dg-warning "infinite loop" } */
+ arr[i][j] = 0.f;
+}
+
+void test_missing_comparison_in_for_condition_1 (int n)
+{
+ /* Should have been "i < n", rather than just "n". */
+ for (int i = 0; n; i++) /* { dg-warning "infinite loop" } */
+ {
+ }
+}
+
+int test_missing_comparison_in_for_condition_2 (int val, int *arr, int n)
+{
+ /* Should have been "i < n", rather than just "n". */
+ int acc = 0;
+ for (int i = 0; n; i++) /* { dg-warning "infinite loop" } */
+ acc += arr[i];
+ return acc;
+}
+
+void test_non_volatile_local_1 (void)
+{
+ int flag = 0;
+ while (!flag) /* { dg-warning "infinite loop" } */
+ {
+ }
+}
+
+void test_non_volatile_local_2a (void)
+{
+ int flag = 0;
+
+ /* Perhaps should complain about this.
+ Although the infinite loop might be doing useful work,
+ "while (!flag)" is a misleading way to spell "infinite loop". */
+ while (!flag)
+ maybe_useful_work ();
+}
+
+void test_non_volatile_local_2b (void)
+{
+ int flag = 0;
+
+ while (!flag)
+ flag = maybe_useful_work ();
+}
+
+void test_non_volatile_local_3a (int n)
+{
+ int i = 0;
+
+ /* Perhaps should complain about this.
+ Although the infinite loop might be doing useful work,
+ "while (i < n)" is a misleading way to spell "infinite loop". */
+ while (i < n)
+ maybe_useful_work ();
+}
+
+void test_non_volatile_local_3b (int n)
+{
+ int i = 0;
+
+ while (i < n)
+ {
+ maybe_useful_work ();
+ i++;
+ }
+}
+
+void test_volatile_local (void)
+{
+ volatile int flag = 0;
+ while (!flag) /* { dg-bogus "infinite loop" } */
+ {
+ }
+}
+
+void test_non_volatile_global (void)
+{
+ /* Not sure if we should warn here. */
+ while (!global_var) /* { dg-warning "infinite loop" } */
+ {
+ }
+}
+
+void test_volatile_global (void)
+{
+ while (!volatile_global_var) /* { dg-bogus "infinite loop" } */
+ {
+ }
+}
+
+void test_field_1 (struct st *p)
+{
+ /* Not sure if we should warn here. */
+ while (!p->x) /* { dg-warning "infinite loop" } */
+ {
+ }
+}
+
+void test_field_2 (struct st *p)
+{
+ while (!p->x) /* { dg-bogus "infinite loop" } */
+ maybe_useful_work ();
+}
+
+
+int missing_init_of_i (int *arr, unsigned n)
+{
+ int sum = 0;
+ for (int i; i < n; i--) /* { dg-warning "use of uninitialized value 'i'" } */
+ sum += arr[i];
+ return sum;
+}
+
+void test_switch (char *pc)
+{
+ while (1)
+ {
+ char opcode = *pc; /* { dg-warning "infinite loop" } */
+ switch (opcode) /* { dg-message "if it ever follows 'default:' branch, it will always do so\.\.\." } */
+ {
+ case 'A':
+ pc++;
+ break;
+ case 'B':
+ return;
+ }
+ }
+}
diff --git a/gcc/testsuite/gcc.dg/analyzer/malloc-1.c b/gcc/testsuite/gcc.dg/analyzer/malloc-1.c
index 6b5590a433a..2a42a05fb9e 100644
--- a/gcc/testsuite/gcc.dg/analyzer/malloc-1.c
+++ b/gcc/testsuite/gcc.dg/analyzer/malloc-1.c
@@ -124,7 +124,7 @@ void test_12 (void)
while (1)
{
- free (ptr);
+ free (ptr); /* { dg-warning "infinite loop" } */
free (ptr); /* { dg-warning "double-'free' of 'ptr'" } */
}
}
diff --git a/gcc/testsuite/gcc.dg/analyzer/out-of-bounds-coreutils.c b/gcc/testsuite/gcc.dg/analyzer/out-of-bounds-coreutils.c
index cd0f4b7f7b2..7af4c3794aa 100644
--- a/gcc/testsuite/gcc.dg/analyzer/out-of-bounds-coreutils.c
+++ b/gcc/testsuite/gcc.dg/analyzer/out-of-bounds-coreutils.c
@@ -3,7 +3,7 @@
void add_zero_terminator (char *buf)
{
char *end = buf;
- while (end++);
+ while (end++); /* TODO: arguably we should report this. */
if (buf < end)
end[-1] = '\0';
}
diff --git a/gcc/testsuite/gcc.dg/analyzer/paths-4.c b/gcc/testsuite/gcc.dg/analyzer/paths-4.c
index b72e658739e..60b3a0cfd2a 100644
--- a/gcc/testsuite/gcc.dg/analyzer/paths-4.c
+++ b/gcc/testsuite/gcc.dg/analyzer/paths-4.c
@@ -26,9 +26,10 @@ int test_2 (struct state *s)
while (1)
{
__analyzer_dump_exploded_nodes (0); /* { dg-warning "2 processed enode" } */
+ /* { dg-warning "infinite loop" "" { target *-*-* } .-1 } */
__analyzer_dump_exploded_nodes (0); /* { dg-warning "2 processed enode" } */
/* TODO: why does the above need an extra stmt to merge state? */
- switch (s->mode)
+ switch (s->mode) /* { dg-message "if it ever follows 'default:' branch, it will always do so\.\.\." } */
{
case 0:
__analyzer_dump_exploded_nodes (0); /* { dg-warning "2 processed enode" } */
diff --git a/gcc/testsuite/gcc.dg/analyzer/pr103892.c b/gcc/testsuite/gcc.dg/analyzer/pr103892.c
index 95d4b17d18b..d16cd83c472 100644
--- a/gcc/testsuite/gcc.dg/analyzer/pr103892.c
+++ b/gcc/testsuite/gcc.dg/analyzer/pr103892.c
@@ -38,7 +38,7 @@ typedef struct pipecmd_sequence pipecmd_sequence_t;
static char *argstr_get_word (const char **argstr)
{
- while (**argstr) {
+ while (**argstr) { /* { dg-warning "infinite loop" } */
switch (**argstr) {
case ' ':
case '\t':
diff --git a/gcc/testsuite/gcc.dg/analyzer/pr93546.c b/gcc/testsuite/gcc.dg/analyzer/pr93546.c
index 66f6805b07a..07898e9bde5 100644
--- a/gcc/testsuite/gcc.dg/analyzer/pr93546.c
+++ b/gcc/testsuite/gcc.dg/analyzer/pr93546.c
@@ -5,7 +5,7 @@ void
ch (int x1)
{
({ bx: &&bx; });
- while (x1 == 0)
+ while (x1 == 0) /* { dg-warning "infinite loop" } */
{
}
}
diff --git a/gcc/timevar.def b/gcc/timevar.def
index d21b08c030d..9628223a436 100644
--- a/gcc/timevar.def
+++ b/gcc/timevar.def
@@ -342,6 +342,7 @@ DEFTIMEVAR (TV_ANALYZER_STATE_PURGE , "analyzer: state purge")
DEFTIMEVAR (TV_ANALYZER_PLAN , "analyzer: planning")
DEFTIMEVAR (TV_ANALYZER_SCC , "analyzer: scc")
DEFTIMEVAR (TV_ANALYZER_WORKLIST , "analyzer: processing worklist")
+DEFTIMEVAR (TV_ANALYZER_INFINITE_LOOPS, "analyzer: finding infinite loops")
DEFTIMEVAR (TV_ANALYZER_DUMP , "analyzer: dump")
DEFTIMEVAR (TV_ANALYZER_DIAGNOSTICS , "analyzer: emitting diagnostics")
DEFTIMEVAR (TV_ANALYZER_SHORTEST_PATHS, "analyzer: shortest paths")
^ permalink raw reply [flat|nested] only message in thread
only message in thread, other threads:[~2023-11-18 0:59 UTC | newest]
Thread overview: (only message) (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2023-11-18 0:59 [gcc r14-5566] analyzer: new warning: -Wanalyzer-infinite-loop [PR106147] David Malcolm
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).