public inbox for gcc-patches@gcc.gnu.org
 help / color / mirror / Atom feed
* Make tree-ssa-strlen.c handle partial unterminated strings
@ 2017-05-05 12:02 Richard Sandiford
  2017-05-05 15:55 ` Andi Kleen
                   ` (2 more replies)
  0 siblings, 3 replies; 14+ messages in thread
From: Richard Sandiford @ 2017-05-05 12:02 UTC (permalink / raw)
  To: gcc-patches

tree-ssa-strlen.c looks for cases in which a string is built up using
operations like:

    memcpy (a, "foo", 4);
    memcpy (a + 3, "bar", 4);
    int x = strlen (a);

As a side-effect, it optimises the non-final memcpys so that they don't
include the nul terminator.

However, after removing some "& ~0x1"s from tree-ssa-dse.c, the DSE pass
does this optimisation itself (because it can tell that later memcpys
overwrite the terminators).  The strlen pass wasn't able to handle these
pre-optimised calls in the same way as the unoptimised ones.

This patch adds support for tracking unterminated strings.

Tested on aarch64-linux-gnu and x86_64-linux-gnu.  OK to install?

Thanks,
Richard


[Based on commit branches/ARM/sve-branch@246236]

2017-05-05  Richard Sandiford  <richard.sandiford@linaro.org>

gcc/
	* tree-ssa-strlen.c (strinfo): Add a terminated field.
	(new_strinfo): Add a corresponding parameter and initialize the field.
	(get_string_length): Return null for unterminated strings.
	(unshare_strinfo): Update call to new_strinfo.
	(get_stridx_plus_constant): Likewise.
	(zero_length_string): Likewise.
	(handle_builtin_strchr): Likewise.
	(handle_builtin_strcat): Likewise.
	(handle_builtin_malloc): Likewise.
	(adjust_related_strinfos): Add a terminated parameter.
	(adjust_last_stmt): Update test for a zero-length terminated string.
	(handle_builtin_strlen): Assert that we can only know the length
	of terminated strings.  Update calls to new_strinfo.
	(handle_builtin_strcpy): Update calls to new_strinfo and set the
	terminated field when adjusting strinfos manually.
	(handle_builtin_memcpy): Handle unterminated strings.  Update calls
	to new_strinfo.
	(handle_builtin_memset): Initialize the terminated field.
	(handle_pointer_plus): Check for terminated strings.
	(handle_char_store): Handle unterminated strings.

gcc/testsuite/
	* gcc.dg/strlenopt-31.c: New testcase.

Index: gcc/tree-ssa-strlen.c
===================================================================
--- gcc/tree-ssa-strlen.c	2017-02-23 19:54:03.000000000 +0000
+++ gcc/tree-ssa-strlen.c	2017-05-05 12:53:08.764475923 +0100
@@ -99,6 +99,9 @@ struct strinfo
   /* A flag for the next maybe_invalidate that this strinfo shouldn't
      be invalidated.  Always cleared by maybe_invalidate.  */
   bool dont_invalidate;
+  /* True if the string is nul-terminated.  False is useful when
+     detecting strings that are built up via successive memcpys.  */
+  bool terminated;
 };
 
 /* Pool for allocating strinfo_struct entries.  */
@@ -400,7 +403,7 @@ new_addr_stridx (tree exp)
 /* Create a new strinfo.  */
 
 static strinfo *
-new_strinfo (tree ptr, int idx, tree length)
+new_strinfo (tree ptr, int idx, tree length, bool terminated)
 {
   strinfo *si = strinfo_pool.allocate ();
   si->length = length;
@@ -414,6 +417,7 @@ new_strinfo (tree ptr, int idx, tree len
   si->next = 0;
   si->writable = false;
   si->dont_invalidate = false;
+  si->terminated = terminated;
   return si;
 }
 
@@ -443,6 +447,9 @@ set_strinfo (int idx, strinfo *si)
 static tree
 get_string_length (strinfo *si)
 {
+  if (!si->terminated)
+    return NULL;
+
   if (si->length)
     return si->length;
 
@@ -595,7 +602,7 @@ unshare_strinfo (strinfo *si)
   if (si->refcount == 1 && !strinfo_shared ())
     return si;
 
-  nsi = new_strinfo (si->ptr, si->idx, si->length);
+  nsi = new_strinfo (si->ptr, si->idx, si->length, si->terminated);
   nsi->stmt = si->stmt;
   nsi->endptr = si->endptr;
   nsi->first = si->first;
@@ -694,7 +701,8 @@ get_stridx_plus_constant (strinfo *bases
   int idx = new_stridx (ptr);
   if (idx == 0)
     return 0;
-  si = new_strinfo (ptr, idx, build_int_cst (size_type_node, len));
+  si = new_strinfo (ptr, idx, build_int_cst (size_type_node, len),
+		    basesi->terminated);
   set_strinfo (idx, si);
   if (chainsi->next)
     {
@@ -778,7 +786,7 @@ zero_length_string (tree ptr, strinfo *c
   idx = new_stridx (ptr);
   if (idx == 0)
     return NULL;
-  si = new_strinfo (ptr, idx, build_int_cst (size_type_node, 0));
+  si = new_strinfo (ptr, idx, build_int_cst (size_type_node, 0), true);
   set_strinfo (idx, si);
   si->endptr = ptr;
   if (chainsi != NULL)
@@ -797,11 +805,12 @@ zero_length_string (tree ptr, strinfo *c
 }
 
 /* For strinfo ORIGSI whose length has been just updated
-   update also related strinfo lengths (add ADJ to each,
-   but don't adjust ORIGSI).  */
+   update also related strinfo lengths (add ADJ to each, and change
+   the terminated flag to TERMINATED, but don't adjust ORIGSI).  */
 
 static void
-adjust_related_strinfos (location_t loc, strinfo *origsi, tree adj)
+adjust_related_strinfos (location_t loc, strinfo *origsi, tree adj,
+			 bool terminated)
 {
   strinfo *si = verify_related_strinfos (origsi);
 
@@ -823,10 +832,11 @@ adjust_related_strinfos (location_t loc,
 	      si->length = fold_build2_loc (loc, PLUS_EXPR,
 					    TREE_TYPE (si->length), si->length,
 					    tem);
+	      si->terminated = terminated;
 	    }
 	  else if (si->stmt != NULL)
 	    /* Delayed length computation is unaffected.  */
-	    ;
+	    si->terminated = terminated;
 	  else
 	    gcc_unreachable ();
 
@@ -1009,7 +1019,9 @@ adjust_last_stmt (strinfo *si, gimple *s
 
   if (!is_strcat)
     {
-      if (si->length == NULL_TREE || !integer_zerop (si->length))
+      if (si->length == NULL_TREE
+	  || !integer_zerop (si->length)
+	  || !si->terminated)
 	return;
     }
 
@@ -1131,6 +1143,7 @@ handle_builtin_strlen (gimple_stmt_itera
 	    {
 	      si = unshare_strinfo (si);
 	      si->length = lhs;
+	      gcc_assert (si->terminated);
 	    }
 	  return;
 	}
@@ -1143,7 +1156,7 @@ handle_builtin_strlen (gimple_stmt_itera
     return;
   if (idx)
     {
-      strinfo *si = new_strinfo (src, idx, lhs);
+      strinfo *si = new_strinfo (src, idx, lhs, true);
       set_strinfo (idx, si);
       find_equal_ptrs (src, idx);
     }
@@ -1247,7 +1260,7 @@ handle_builtin_strchr (gimple_stmt_itera
 	  tree srcu = fold_convert_loc (loc, size_type_node, src);
 	  tree length = fold_build2_loc (loc, MINUS_EXPR,
 					 size_type_node, lhsu, srcu);
-	  strinfo *si = new_strinfo (src, idx, length);
+	  strinfo *si = new_strinfo (src, idx, length, true);
 	  si->endptr = lhs;
 	  set_strinfo (idx, si);
 	  find_equal_ptrs (src, idx);
@@ -1339,6 +1352,7 @@ handle_builtin_strcpy (enum built_in_fun
       oldlen = olddsi->length;
       dsi = unshare_strinfo (olddsi);
       dsi->length = srclen;
+      dsi->terminated = true;
       /* Break the chain, so adjust_related_strinfo on later pointers in
 	 the chain won't adjust this one anymore.  */
       dsi->next = 0;
@@ -1347,7 +1361,7 @@ handle_builtin_strcpy (enum built_in_fun
     }
   else
     {
-      dsi = new_strinfo (dst, didx, srclen);
+      dsi = new_strinfo (dst, didx, srclen, true);
       set_strinfo (didx, dsi);
       find_equal_ptrs (dst, didx);
     }
@@ -1376,6 +1390,7 @@ handle_builtin_strcpy (enum built_in_fun
 	      chainsi = unshare_strinfo (chainsi);
 	      chainsi->stmt = stmt;
 	      chainsi->length = NULL_TREE;
+	      chainsi->terminated = true;
 	      chainsi->endptr = NULL_TREE;
 	      chainsi->dont_invalidate = true;
 	    }
@@ -1398,7 +1413,7 @@ handle_builtin_strcpy (enum built_in_fun
 			       fold_convert_loc (loc, TREE_TYPE (srclen),
 						 oldlen));
       if (adj != NULL_TREE)
-	adjust_related_strinfos (loc, dsi, adj);
+	adjust_related_strinfos (loc, dsi, adj, true);
       else
 	dsi->prev = 0;
     }
@@ -1543,31 +1558,45 @@ handle_builtin_memcpy (enum built_in_fun
       && !integer_zerop (len))
     adjust_last_stmt (olddsi, stmt, false);
 
+  bool terminated;
   if (idx > 0)
     {
       gimple *def_stmt;
 
-      /* Handle memcpy (x, y, l) where l is strlen (y) + 1.  */
+      /* Handle memcpy (x, y, l) where l is strlen (y){, + 1}.  */
       si = get_strinfo (idx);
       if (si == NULL || si->length == NULL_TREE)
 	return;
-      if (TREE_CODE (len) != SSA_NAME)
-	return;
-      def_stmt = SSA_NAME_DEF_STMT (len);
-      if (!is_gimple_assign (def_stmt)
-	  || gimple_assign_rhs_code (def_stmt) != PLUS_EXPR
-	  || gimple_assign_rhs1 (def_stmt) != si->length
-	  || !integer_onep (gimple_assign_rhs2 (def_stmt)))
-	return;
+      if (len == si->length)
+	terminated = false;
+      else
+	{
+	  if (!si->terminated)
+	    return;
+	  if (TREE_CODE (len) != SSA_NAME)
+	    return;
+	  def_stmt = SSA_NAME_DEF_STMT (len);
+	  if (!is_gimple_assign (def_stmt)
+	      || gimple_assign_rhs_code (def_stmt) != PLUS_EXPR
+	      || gimple_assign_rhs1 (def_stmt) != si->length
+	      || !integer_onep (gimple_assign_rhs2 (def_stmt)))
+	    return;
+	  terminated = true;
+	}
     }
   else
     {
       si = NULL;
       /* Handle memcpy (x, "abcd", 5) or
 	 memcpy (x, "abc\0uvw", 7).  */
-      if (!tree_fits_uhwi_p (len)
-	  || tree_to_uhwi (len) <= (unsigned HOST_WIDE_INT) ~idx)
+      if (!tree_fits_uhwi_p (len))
+	return;
+
+      unsigned HOST_WIDE_INT clen = tree_to_uhwi (len);
+      if (clen < (unsigned HOST_WIDE_INT) ~idx)
 	return;
+
+      terminated = (clen > (unsigned HOST_WIDE_INT) ~idx);
     }
 
   if (olddsi != NULL && TREE_CODE (len) == SSA_NAME)
@@ -1589,6 +1618,7 @@ handle_builtin_memcpy (enum built_in_fun
       dsi = unshare_strinfo (olddsi);
       oldlen = olddsi->length;
       dsi->length = newlen;
+      dsi->terminated = terminated;
       /* Break the chain, so adjust_related_strinfo on later pointers in
 	 the chain won't adjust this one anymore.  */
       dsi->next = 0;
@@ -1597,7 +1627,7 @@ handle_builtin_memcpy (enum built_in_fun
     }
   else
     {
-      dsi = new_strinfo (dst, didx, newlen);
+      dsi = new_strinfo (dst, didx, newlen, terminated);
       set_strinfo (didx, dsi);
       find_equal_ptrs (dst, didx);
     }
@@ -1618,7 +1648,7 @@ handle_builtin_memcpy (enum built_in_fun
 			       fold_convert_loc (loc, TREE_TYPE (dsi->length),
 						 oldlen));
       if (adj != NULL_TREE)
-	adjust_related_strinfos (loc, dsi, adj);
+	adjust_related_strinfos (loc, dsi, adj, terminated);
       else
 	dsi->prev = 0;
     }
@@ -1627,27 +1657,30 @@ handle_builtin_memcpy (enum built_in_fun
   if (si != NULL)
     si->dont_invalidate = true;
 
-  lhs = gimple_call_lhs (stmt);
-  switch (bcode)
+  if (terminated)
     {
-    case BUILT_IN_MEMCPY:
-    case BUILT_IN_MEMCPY_CHK:
-    case BUILT_IN_MEMCPY_CHKP:
-    case BUILT_IN_MEMCPY_CHK_CHKP:
-      /* Allow adjust_last_stmt to decrease this memcpy's size.  */
-      laststmt.stmt = stmt;
-      laststmt.len = dsi->length;
-      laststmt.stridx = dsi->idx;
-      if (lhs)
-	ssa_ver_to_stridx[SSA_NAME_VERSION (lhs)] = didx;
-      break;
-    case BUILT_IN_MEMPCPY:
-    case BUILT_IN_MEMPCPY_CHK:
-    case BUILT_IN_MEMPCPY_CHKP:
-    case BUILT_IN_MEMPCPY_CHK_CHKP:
-      break;
-    default:
-      gcc_unreachable ();
+      lhs = gimple_call_lhs (stmt);
+      switch (bcode)
+	{
+	case BUILT_IN_MEMCPY:
+	case BUILT_IN_MEMCPY_CHK:
+	case BUILT_IN_MEMCPY_CHKP:
+	case BUILT_IN_MEMCPY_CHK_CHKP:
+	  /* Allow adjust_last_stmt to decrease this memcpy's size.  */
+	  laststmt.stmt = stmt;
+	  laststmt.len = dsi->length;
+	  laststmt.stridx = dsi->idx;
+	  if (lhs)
+	    ssa_ver_to_stridx[SSA_NAME_VERSION (lhs)] = didx;
+	  break;
+	case BUILT_IN_MEMPCPY:
+	case BUILT_IN_MEMPCPY_CHK:
+	case BUILT_IN_MEMPCPY_CHKP:
+	case BUILT_IN_MEMPCPY_CHK_CHKP:
+	  break;
+	default:
+	  gcc_unreachable ();
+	}
     }
 }
 
@@ -1696,7 +1729,7 @@ handle_builtin_strcat (enum built_in_fun
 	    }
 	  if (dsi == NULL)
 	    {
-	      dsi = new_strinfo (dst, didx, NULL_TREE);
+	      dsi = new_strinfo (dst, didx, NULL_TREE, true);
 	      set_strinfo (didx, dsi);
 	      find_equal_ptrs (dst, didx);
 	    }
@@ -1704,6 +1737,7 @@ handle_builtin_strcat (enum built_in_fun
 	    {
 	      dsi = unshare_strinfo (dsi);
 	      dsi->length = NULL_TREE;
+	      dsi->terminated = true;
 	      dsi->next = 0;
 	      dsi->endptr = NULL_TREE;
 	    }
@@ -1739,7 +1773,7 @@ handle_builtin_strcat (enum built_in_fun
     {
       dsi->length = fold_build2_loc (loc, PLUS_EXPR, TREE_TYPE (dsi->length),
 				     dsi->length, srclen);
-      adjust_related_strinfos (loc, dsi, srclen);
+      adjust_related_strinfos (loc, dsi, srclen, true);
       dsi->dont_invalidate = true;
     }
   else
@@ -1877,7 +1911,7 @@ handle_builtin_malloc (enum built_in_fun
   tree length = NULL_TREE;
   if (bcode == BUILT_IN_CALLOC)
     length = build_int_cst (size_type_node, 0);
-  strinfo *si = new_strinfo (lhs, idx, length);
+  strinfo *si = new_strinfo (lhs, idx, length, bcode == BUILT_IN_CALLOC);
   if (bcode == BUILT_IN_CALLOC)
     si->endptr = lhs;
   set_strinfo (idx, si);
@@ -1920,6 +1954,7 @@ handle_builtin_memset (gimple_stmt_itera
       update_gimple_call (&gsi1, builtin_decl_implicit (BUILT_IN_CALLOC), 2,
 			  size, build_one_cst (size_type_node));
       si1->length = build_int_cst (size_type_node, 0);
+      si1->terminated = true;
       si1->stmt = gsi_stmt (gsi1);
     }
   else
@@ -2056,12 +2091,13 @@ handle_pointer_plus (gimple_stmt_iterato
 
   off = gimple_assign_rhs2 (stmt);
   zsi = NULL;
-  if (operand_equal_p (si->length, off, 0))
+  if (si->terminated && operand_equal_p (si->length, off, 0))
     zsi = zero_length_string (lhs, si);
   else if (TREE_CODE (off) == SSA_NAME)
     {
       gimple *def_stmt = SSA_NAME_DEF_STMT (off);
       if (gimple_assign_single_p (def_stmt)
+	  && si->terminated
 	  && operand_equal_p (si->length, gimple_assign_rhs1 (def_stmt), 0))
 	zsi = zero_length_string (lhs, si);
     }
@@ -2088,6 +2124,8 @@ handle_char_store (gimple_stmt_iterator
   strinfo *si = NULL;
   gimple *stmt = gsi_stmt (*gsi);
   tree ssaname = NULL_TREE, lhs = gimple_assign_lhs (stmt);
+  tree rhs = gimple_assign_rhs1 (stmt);
+  int terminated = -1;
 
   if (TREE_CODE (lhs) == MEM_REF
       && TREE_CODE (TREE_OPERAND (lhs, 0)) == SSA_NAME)
@@ -2101,12 +2139,18 @@ handle_char_store (gimple_stmt_iterator
   else
     idx = get_addr_stridx (lhs, NULL_TREE);
 
+  if (initializer_zerop (rhs))
+    terminated = 1;
+  else if (TREE_CODE (rhs) == INTEGER_CST && integer_nonzerop (rhs))
+    terminated = 0;
+
   if (idx > 0)
     {
       si = get_strinfo (idx);
       if (si != NULL && si->length != NULL_TREE && integer_zerop (si->length))
 	{
-	  if (initializer_zerop (gimple_assign_rhs1 (stmt)))
+	  /* We're writing to the end of a previous string.  */
+	  if (si->terminated && terminated == 1)
 	    {
 	      /* When storing '\0', the store can be removed
 		 if we know it has been stored in the current function.  */
@@ -2125,15 +2169,20 @@ handle_char_store (gimple_stmt_iterator
 		}
 	    }
 	  else
-	    /* Otherwise this statement overwrites the '\0' with
-	       something, if the previous stmt was a memcpy,
-	       its length may be decreased.  */
-	    adjust_last_stmt (si, stmt, false);
+	    {
+	      /* Otherwise leave the entry alone and allow it to be
+		 invalidated.  */
+	      if (si->terminated)
+		/* This statement overwrites the '\0' with something, if the
+		   previous stmt was a memcpy, its length may be decreased.  */
+		adjust_last_stmt (si, stmt, false);
+	    }
 	}
-      else if (si != NULL && integer_zerop (gimple_assign_rhs1 (stmt)))
+      else if (si != NULL && terminated == 1)
 	{
 	  si = unshare_strinfo (si);
 	  si->length = build_int_cst (size_type_node, 0);
+	  si->terminated = true;
 	  si->endptr = NULL;
 	  si->prev = 0;
 	  si->next = 0;
@@ -2164,35 +2213,31 @@ handle_char_store (gimple_stmt_iterator
 	   bar (len, len2, len3, len4);
         }
 	*/ 
-      else if (si != NULL && si->length != NULL_TREE
+      else if (si != NULL
+	       && si->length != NULL_TREE
 	       && TREE_CODE (si->length) == INTEGER_CST
-	       && integer_nonzerop (gimple_assign_rhs1 (stmt)))
+	       && terminated == 0)
 	{
 	  gsi_next (gsi);
 	  return false;
 	}
     }
-  else if (idx == 0 && initializer_zerop (gimple_assign_rhs1 (stmt)))
+  else if (idx == 0 && terminated >= 0)
     {
       if (ssaname)
-	{
-	  si = zero_length_string (ssaname, NULL);
-	  if (si != NULL)
-	    si->dont_invalidate = true;
-	}
+	idx = new_stridx (ssaname);
       else
+	idx = new_addr_stridx (lhs);
+      if (idx != 0)
 	{
-	  int idx = new_addr_stridx (lhs);
-	  if (idx != 0)
-	    {
-	      si = new_strinfo (build_fold_addr_expr (lhs), idx,
-				build_int_cst (size_type_node, 0));
-	      set_strinfo (idx, si);
-	      si->dont_invalidate = true;
-	    }
+	  tree ptr = (ssaname ? ssaname : build_fold_addr_expr (lhs));
+	  si = new_strinfo (ptr, idx, size_int (!terminated), terminated);
+	  set_strinfo (idx, si);
+	  if (ssaname && !SSA_NAME_OCCURS_IN_ABNORMAL_PHI (ssaname))
+	    si->endptr = ssaname;
+	  si->dont_invalidate = true;
+	  si->writable = true;
 	}
-      if (si != NULL)
-	si->writable = true;
     }
   else if (idx == 0
 	   && TREE_CODE (gimple_assign_rhs1 (stmt)) == STRING_CST
@@ -2207,14 +2252,14 @@ handle_char_store (gimple_stmt_iterator
 	  if (idx != 0)
 	    {
 	      si = new_strinfo (build_fold_addr_expr (lhs), idx,
-				build_int_cst (size_type_node, l));
+				build_int_cst (size_type_node, l), true);
 	      set_strinfo (idx, si);
 	      si->dont_invalidate = true;
 	    }
 	}
     }
 
-  if (si != NULL && initializer_zerop (gimple_assign_rhs1 (stmt)))
+  if (si != NULL && terminated == 1)
     {
       /* Allow adjust_last_stmt to remove it if the stored '\0'
 	 is immediately overwritten.  */
Index: gcc/testsuite/gcc.dg/strlenopt-31.c
===================================================================
--- /dev/null	2017-05-05 07:30:08.141451281 +0100
+++ gcc/testsuite/gcc.dg/strlenopt-31.c	2017-05-05 12:53:08.763475920 +0100
@@ -0,0 +1,57 @@
+/* { dg-do run } */
+/* { dg-options "-O2 -fdump-tree-strlen" } */
+
+#include "strlenopt.h"
+
+volatile int v;
+
+size_t
+f1 (void)
+{
+  char a[30];
+  v += 1;
+  memcpy (a, "1234567", 7);
+  memcpy (a + 7, "89abcdefg", 9);
+  memcpy (a + 16, "h", 2);
+  return strlen (a);	// This strlen should be optimized into 17.
+}
+
+size_t
+f2 (char *a)
+{
+  v += 2;
+  memcpy (a, "1234567", 7);
+  memcpy (a + 7, "89abcdefg", 9);
+  memcpy (a + 16, "h", 2);
+  return strlen (a);	// This strlen should be optimized into 17.
+}
+
+size_t
+f3 (void)
+{
+  char a[30];
+  v += 3;
+  a[0] = '1';
+  memcpy (a + 1, "2345678", 8);
+  return strlen (a);	// This strlen should be optimized into 8.
+}
+
+size_t
+f4 (char *a)
+{
+  v += 4;
+  a[0] = '1';
+  memcpy (a + 1, "2345678", 8);
+  return strlen (a);	// This strlen should be optimized into 8.
+}
+
+int
+main ()
+{
+  char a[30];
+  if (f1 () != 17 || f2 (a) != 17 || f3 () != 8 || f4 (a) != 8)
+    abort ();
+  return 0;
+}
+
+/* { dg-final { scan-tree-dump-times "strlen \\(" 0 "strlen" } } */

^ permalink raw reply	[flat|nested] 14+ messages in thread

* Re: Make tree-ssa-strlen.c handle partial unterminated strings
  2017-05-05 12:02 Make tree-ssa-strlen.c handle partial unterminated strings Richard Sandiford
@ 2017-05-05 15:55 ` Andi Kleen
  2017-05-05 15:57   ` Jakub Jelinek
  2017-05-05 16:02 ` Jakub Jelinek
  2017-05-05 16:10 ` Martin Sebor
  2 siblings, 1 reply; 14+ messages in thread
From: Andi Kleen @ 2017-05-05 15:55 UTC (permalink / raw)
  To: gcc-patches; +Cc: richard.sandiford

Richard Sandiford <richard.sandiford@linaro.org> writes:

> tree-ssa-strlen.c looks for cases in which a string is built up using
> operations like:
>
>     memcpy (a, "foo", 4);
>     memcpy (a + 3, "bar", 4);
>     int x = strlen (a);
>
> As a side-effect, it optimises the non-final memcpys so that they don't
> include the nul terminator.
>
> However, after removing some "& ~0x1"s from tree-ssa-dse.c, the DSE pass
> does this optimisation itself (because it can tell that later memcpys
> overwrite the terminators).  The strlen pass wasn't able to handle these
> pre-optimised calls in the same way as the unoptimised ones.
>
> This patch adds support for tracking unterminated strings.

Would that be useful as a warning too? If the pass can figure out
the final string can be not null terminated when passed somewhere else,
warn, because it's likely a bug in the program.

-Andi

^ permalink raw reply	[flat|nested] 14+ messages in thread

* Re: Make tree-ssa-strlen.c handle partial unterminated strings
  2017-05-05 15:55 ` Andi Kleen
@ 2017-05-05 15:57   ` Jakub Jelinek
  2017-05-05 16:29     ` Martin Sebor
  0 siblings, 1 reply; 14+ messages in thread
From: Jakub Jelinek @ 2017-05-05 15:57 UTC (permalink / raw)
  To: Andi Kleen; +Cc: gcc-patches, richard.sandiford

On Fri, May 05, 2017 at 08:50:04AM -0700, Andi Kleen wrote:
> Richard Sandiford <richard.sandiford@linaro.org> writes:
> 
> > tree-ssa-strlen.c looks for cases in which a string is built up using
> > operations like:
> >
> >     memcpy (a, "foo", 4);
> >     memcpy (a + 3, "bar", 4);
> >     int x = strlen (a);
> >
> > As a side-effect, it optimises the non-final memcpys so that they don't
> > include the nul terminator.
> >
> > However, after removing some "& ~0x1"s from tree-ssa-dse.c, the DSE pass
> > does this optimisation itself (because it can tell that later memcpys
> > overwrite the terminators).  The strlen pass wasn't able to handle these
> > pre-optimised calls in the same way as the unoptimised ones.
> >
> > This patch adds support for tracking unterminated strings.
> 
> Would that be useful as a warning too? If the pass can figure out
> the final string can be not null terminated when passed somewhere else,
> warn, because it's likely a bug in the program.

Why would it be a bug?  Not all sequences of chars are zero terminated
strings, it can be arbitrary memory and have size somewhere on the side.
Also, the fact that strlen pass sees a memcpy (a, "foo", 3); and a passed
somewhere else doesn't mean a isn't zero terminated, the pass records only
what it can prove, so even when you have:
memcpy (a, "abcdefgh", 9);
*p = 0; // unrelated pointer, but compiler can't prove that
memcpy (a, "foo", 3);
call (a);
there is really nothing wrong with it, the string is still zero terminated.
The pass had to flush the knowledge that it knew length of a on the wild
pointer store.

	Jakub

^ permalink raw reply	[flat|nested] 14+ messages in thread

* Re: Make tree-ssa-strlen.c handle partial unterminated strings
  2017-05-05 12:02 Make tree-ssa-strlen.c handle partial unterminated strings Richard Sandiford
  2017-05-05 15:55 ` Andi Kleen
@ 2017-05-05 16:02 ` Jakub Jelinek
  2017-05-07 10:18   ` Richard Sandiford
  2017-05-05 16:10 ` Martin Sebor
  2 siblings, 1 reply; 14+ messages in thread
From: Jakub Jelinek @ 2017-05-05 16:02 UTC (permalink / raw)
  To: gcc-patches, richard.sandiford

On Fri, May 05, 2017 at 01:01:08PM +0100, Richard Sandiford wrote:
> tree-ssa-strlen.c looks for cases in which a string is built up using
> operations like:
> 
>     memcpy (a, "foo", 4);
>     memcpy (a + 3, "bar", 4);
>     int x = strlen (a);
> 
> As a side-effect, it optimises the non-final memcpys so that they don't
> include the nul terminator.
> 
> However, after removing some "& ~0x1"s from tree-ssa-dse.c, the DSE pass
> does this optimisation itself (because it can tell that later memcpys
> overwrite the terminators).  The strlen pass wasn't able to handle these
> pre-optimised calls in the same way as the unoptimised ones.
> 
> This patch adds support for tracking unterminated strings.

I'm not sure I like the terminology (terminated vs. !terminated), I wonder
if it wouldn't be better to add next to length field minimum_length field,
length would be what it is now, tree representing the string length,
while minimum_length would be just a guarantee that strlen (ptr) >=
minimum_length, i.e. that in the first minimum_length bytes (best would be
to guarantee that it is just a constant if non-NULL) are non-zero.
It shouldn't be handled just by non-zero terminated memcpy, but e.g. even if
you e.g. construct it byte by byte, etc.
  a[0] = 'a';
  a[1] = 'b';
  a[2] = 'c';
  a[3] = 'd';
  a[4] = '\0';
  x = strlen (a);
etc., or
  strcpy (a, "abcdefg");
  strcpy (a + 8, "hijk");
  a[7] = 'q';
  x = strlen (a);
or say by storing 4 non-zero bytes at a time...

	Jakub

^ permalink raw reply	[flat|nested] 14+ messages in thread

* Re: Make tree-ssa-strlen.c handle partial unterminated strings
  2017-05-05 12:02 Make tree-ssa-strlen.c handle partial unterminated strings Richard Sandiford
  2017-05-05 15:55 ` Andi Kleen
  2017-05-05 16:02 ` Jakub Jelinek
@ 2017-05-05 16:10 ` Martin Sebor
  2 siblings, 0 replies; 14+ messages in thread
From: Martin Sebor @ 2017-05-05 16:10 UTC (permalink / raw)
  To: gcc-patches, richard.sandiford

On 05/05/2017 06:01 AM, Richard Sandiford wrote:
> tree-ssa-strlen.c looks for cases in which a string is built up using
> operations like:
>
>     memcpy (a, "foo", 4);
>     memcpy (a + 3, "bar", 4);
>     int x = strlen (a);
>
> As a side-effect, it optimises the non-final memcpys so that they don't
> include the nul terminator.
>
> However, after removing some "& ~0x1"s from tree-ssa-dse.c, the DSE pass
> does this optimisation itself (because it can tell that later memcpys
> overwrite the terminators).  The strlen pass wasn't able to handle these
> pre-optimised calls in the same way as the unoptimised ones.
>
> This patch adds support for tracking unterminated strings.

Oooh, very nice! :)  I spent some time on something like this
last summer (under bug 71304) but didn't finish it.  My patch
also handled NULs inserted by simple assignment.  I see your
patch handles them when they are inserted by a call to one of
the functions but not otherwise, as in the test case below.
Is that something that could be easily handled in your
approach?

   char a[30];

   int f1 (void)
   {
     __builtin_memcpy (a, "1234567", 7);
     __builtin_memcpy (a + 7, "", 1);
      return __builtin_strlen (a);   // is optimized to 7
   }

   int f2 (void)
   {
     __builtin_memcpy (a, "1234567", 7);
     a[7] = '\0';
      return __builtin_strlen (a);   // could be optimized to 7
   }

Martin

^ permalink raw reply	[flat|nested] 14+ messages in thread

* Re: Make tree-ssa-strlen.c handle partial unterminated strings
  2017-05-05 15:57   ` Jakub Jelinek
@ 2017-05-05 16:29     ` Martin Sebor
  2017-05-05 16:38       ` Jakub Jelinek
  2017-05-05 16:43       ` Jeff Law
  0 siblings, 2 replies; 14+ messages in thread
From: Martin Sebor @ 2017-05-05 16:29 UTC (permalink / raw)
  To: Jakub Jelinek, Andi Kleen; +Cc: gcc-patches, richard.sandiford

On 05/05/2017 09:55 AM, Jakub Jelinek wrote:
> On Fri, May 05, 2017 at 08:50:04AM -0700, Andi Kleen wrote:
>> Richard Sandiford <richard.sandiford@linaro.org> writes:
>>
>>> tree-ssa-strlen.c looks for cases in which a string is built up using
>>> operations like:
>>>
>>>     memcpy (a, "foo", 4);
>>>     memcpy (a + 3, "bar", 4);
>>>     int x = strlen (a);
>>>
>>> As a side-effect, it optimises the non-final memcpys so that they don't
>>> include the nul terminator.
>>>
>>> However, after removing some "& ~0x1"s from tree-ssa-dse.c, the DSE pass
>>> does this optimisation itself (because it can tell that later memcpys
>>> overwrite the terminators).  The strlen pass wasn't able to handle these
>>> pre-optimised calls in the same way as the unoptimised ones.
>>>
>>> This patch adds support for tracking unterminated strings.
>>
>> Would that be useful as a warning too? If the pass can figure out
>> the final string can be not null terminated when passed somewhere else,
>> warn, because it's likely a bug in the program.
>
> Why would it be a bug?  Not all sequences of chars are zero terminated
> strings, it can be arbitrary memory and have size somewhere on the side.
> Also, the fact that strlen pass sees a memcpy (a, "foo", 3); and a passed
> somewhere else doesn't mean a isn't zero terminated, the pass records only
> what it can prove, so even when you have:
> memcpy (a, "abcdefgh", 9);
> *p = 0; // unrelated pointer, but compiler can't prove that
> memcpy (a, "foo", 3);
> call (a);

There have been requests for a warning to diagnose invalid uses
of character arrays that are not nul-terminated, such as arguments
to functions that expect a (nul-terminated) string.  For example:

     char *p = (char*)malloc (20);
     memcpy (p, "/tmp/", 5);
     strcat (p, "file.text");   // << warn here

It would be helpful to diagnose such cases (while avoiding false
positives on the indeterminate cases you mention, of course).

Martin

^ permalink raw reply	[flat|nested] 14+ messages in thread

* Re: Make tree-ssa-strlen.c handle partial unterminated strings
  2017-05-05 16:29     ` Martin Sebor
@ 2017-05-05 16:38       ` Jakub Jelinek
  2017-05-05 16:49         ` Martin Sebor
  2017-05-05 16:43       ` Jeff Law
  1 sibling, 1 reply; 14+ messages in thread
From: Jakub Jelinek @ 2017-05-05 16:38 UTC (permalink / raw)
  To: Martin Sebor; +Cc: Andi Kleen, gcc-patches, richard.sandiford

On Fri, May 05, 2017 at 10:28:45AM -0600, Martin Sebor wrote:
> There have been requests for a warning to diagnose invalid uses
> of character arrays that are not nul-terminated, such as arguments
> to functions that expect a (nul-terminated) string.  For example:
> 
>     char *p = (char*)malloc (20);
>     memcpy (p, "/tmp/", 5);
>     strcat (p, "file.text");   // << warn here
> 
> It would be helpful to diagnose such cases (while avoiding false
> positives on the indeterminate cases you mention, of course).

One thing here is that there is a function known to require a null
terminated function, not arbitrary other function that may or might not
need it.
And another thing is that in the tree-ssa-strlen.c framework known
records can be invalidated at any time and you then don't know,
it is an optimization, not a warning framework.
So, for the warning you'd need to track whether there have been any
invalidation and just punt in that case.

	Jakub

^ permalink raw reply	[flat|nested] 14+ messages in thread

* Re: Make tree-ssa-strlen.c handle partial unterminated strings
  2017-05-05 16:29     ` Martin Sebor
  2017-05-05 16:38       ` Jakub Jelinek
@ 2017-05-05 16:43       ` Jeff Law
  1 sibling, 0 replies; 14+ messages in thread
From: Jeff Law @ 2017-05-05 16:43 UTC (permalink / raw)
  To: Martin Sebor, Jakub Jelinek, Andi Kleen; +Cc: gcc-patches, richard.sandiford

On 05/05/2017 10:28 AM, Martin Sebor wrote:
> On 05/05/2017 09:55 AM, Jakub Jelinek wrote:
>> On Fri, May 05, 2017 at 08:50:04AM -0700, Andi Kleen wrote:
>>> Richard Sandiford <richard.sandiford@linaro.org> writes:
>>>
>>>> tree-ssa-strlen.c looks for cases in which a string is built up using
>>>> operations like:
>>>>
>>>>     memcpy (a, "foo", 4);
>>>>     memcpy (a + 3, "bar", 4);
>>>>     int x = strlen (a);
>>>>
>>>> As a side-effect, it optimises the non-final memcpys so that they don't
>>>> include the nul terminator.
>>>>
>>>> However, after removing some "& ~0x1"s from tree-ssa-dse.c, the DSE 
>>>> pass
>>>> does this optimisation itself (because it can tell that later memcpys
>>>> overwrite the terminators).  The strlen pass wasn't able to handle 
>>>> these
>>>> pre-optimised calls in the same way as the unoptimised ones.
>>>>
>>>> This patch adds support for tracking unterminated strings.
>>>
>>> Would that be useful as a warning too? If the pass can figure out
>>> the final string can be not null terminated when passed somewhere else,
>>> warn, because it's likely a bug in the program.
>>
>> Why would it be a bug?  Not all sequences of chars are zero terminated
>> strings, it can be arbitrary memory and have size somewhere on the side.
>> Also, the fact that strlen pass sees a memcpy (a, "foo", 3); and a passed
>> somewhere else doesn't mean a isn't zero terminated, the pass records 
>> only
>> what it can prove, so even when you have:
>> memcpy (a, "abcdefgh", 9);
>> *p = 0; // unrelated pointer, but compiler can't prove that
>> memcpy (a, "foo", 3);
>> call (a);
> 
> There have been requests for a warning to diagnose invalid uses
> of character arrays that are not nul-terminated, such as arguments
> to functions that expect a (nul-terminated) string.  For example:
> 
>      char *p = (char*)malloc (20);
>      memcpy (p, "/tmp/", 5);
>      strcat (p, "file.text");   // << warn here
> 
> It would be helpful to diagnose such cases (while avoiding false
> positives on the indeterminate cases you mention, of course).
Can't we just start at point where the string must be terminated (strcat 
call in this case) and walk the VUSE/VDEF chain back to determine if 
object's NUL termination status is:

1. Terminated
2. Not terminated
3. Indeterminate

You'd probably want to have some kind of propagation step so that you 
don't just give up when you see a PHI node.  Instead you recurse on the 
PHI args before determining the state at the PHI itself.

Jeff

^ permalink raw reply	[flat|nested] 14+ messages in thread

* Re: Make tree-ssa-strlen.c handle partial unterminated strings
  2017-05-05 16:38       ` Jakub Jelinek
@ 2017-05-05 16:49         ` Martin Sebor
  0 siblings, 0 replies; 14+ messages in thread
From: Martin Sebor @ 2017-05-05 16:49 UTC (permalink / raw)
  To: Jakub Jelinek; +Cc: Andi Kleen, gcc-patches, richard.sandiford

On 05/05/2017 10:32 AM, Jakub Jelinek wrote:
> On Fri, May 05, 2017 at 10:28:45AM -0600, Martin Sebor wrote:
>> There have been requests for a warning to diagnose invalid uses
>> of character arrays that are not nul-terminated, such as arguments
>> to functions that expect a (nul-terminated) string.  For example:
>>
>>     char *p = (char*)malloc (20);
>>     memcpy (p, "/tmp/", 5);
>>     strcat (p, "file.text");   // << warn here
>>
>> It would be helpful to diagnose such cases (while avoiding false
>> positives on the indeterminate cases you mention, of course).
>
> One thing here is that there is a function known to require a null
> terminated function, not arbitrary other function that may or might not
> need it.

Understood.  GCC knows about a subset of those functions but there
is no mechanism to let it know about user-defined functions that
have the same constraint.  With the warning implemented, adding
an attribute would make it possible for GCC to diagnose this
problem in general.  For instance, say the attribute is called
string, libc could annotate fopen like so:

   FILE* __attribute__ ((string (1), string (2)))
   fopen (const char *restrict, const char *restrict);

> And another thing is that in the tree-ssa-strlen.c framework known
> records can be invalidated at any time and you then don't know,
> it is an optimization, not a warning framework.
> So, for the warning you'd need to track whether there have been any
> invalidation and just punt in that case.

Sure.

Martin

^ permalink raw reply	[flat|nested] 14+ messages in thread

* Re: Make tree-ssa-strlen.c handle partial unterminated strings
  2017-05-05 16:02 ` Jakub Jelinek
@ 2017-05-07 10:18   ` Richard Sandiford
  2017-05-10 14:18     ` Jakub Jelinek
  0 siblings, 1 reply; 14+ messages in thread
From: Richard Sandiford @ 2017-05-07 10:18 UTC (permalink / raw)
  To: Jakub Jelinek; +Cc: gcc-patches

Jakub Jelinek <jakub@redhat.com> writes:
> On Fri, May 05, 2017 at 01:01:08PM +0100, Richard Sandiford wrote:
>> tree-ssa-strlen.c looks for cases in which a string is built up using
>> operations like:
>> 
>>     memcpy (a, "foo", 4);
>>     memcpy (a + 3, "bar", 4);
>>     int x = strlen (a);
>> 
>> As a side-effect, it optimises the non-final memcpys so that they don't
>> include the nul terminator.
>> 
>> However, after removing some "& ~0x1"s from tree-ssa-dse.c, the DSE pass
>> does this optimisation itself (because it can tell that later memcpys
>> overwrite the terminators).  The strlen pass wasn't able to handle these
>> pre-optimised calls in the same way as the unoptimised ones.
>> 
>> This patch adds support for tracking unterminated strings.
>
> I'm not sure I like the terminology (terminated vs. !terminated), I wonder
> if it wouldn't be better to add next to length field minimum_length field,
> length would be what it is now, tree representing the string length,
> while minimum_length would be just a guarantee that strlen (ptr) >=
> minimum_length, i.e. that in the first minimum_length bytes (best would be
> to guarantee that it is just a constant if non-NULL) are non-zero.
> It shouldn't be handled just by non-zero terminated memcpy, but e.g. even if
> you e.g. construct it byte by byte, etc.
>   a[0] = 'a';
>   a[1] = 'b';
>   a[2] = 'c';
>   a[3] = 'd';
>   a[4] = '\0';
>   x = strlen (a);
> etc., or
>   strcpy (a, "abcdefg");
>   strcpy (a + 8, "hijk");
>   a[7] = 'q';
>   x = strlen (a);
> or say by storing 4 non-zero bytes at a time...

I've got most of the way through a version that uses min_length instead.
But one thing that the terminated flag allows that a constant min_length
doesn't is:

  size_t
  f1 (char *a1)
  {
    size_t x = strlen (a1);
    char *a3 = a1 + x;
    a3[0] = '1';  // a1 length x + 1, unterminated  (min length x + 1)
    a3[1] = '2';  // a1 length x + 2, unterminated  (min length x + 2)
    a3[2] = '3';  // a1 length x + 3, unterminated  (min length x + 3)
    a3[3] = 0;    // a1 length x + 3, terminated
    return strlen (a1);
  }

For the a3[3] = 0, we know a3's min_length is 3 and so it's obvious
that we can convert its min_length to a length.  But even if we allow
a1's min_length to be nonconstant, it seems a bit risky to assume that
we can convert its min_length to a length as well.  It would only work
if the min_lengths in related strinfos are kept in sync, whereas it
ought to be safe to say that the minimum length of something is 0.

Having two separate fields could allow us to say that a1's length is x
and its minimum length is 3 in:

  a1[0] = '1';
  a1[1] = '2';
  a1[2] = '3';
  size_t x = strlen (a1);

which in turn would allow the final length of a1 in:

  a1[0] = '1';
  a1[1] = '2';
  a1[2] = '3';
  size_t x = strlen (a1);
  a1[3] = '4';   // drop a1's length here
  a1[4] = 0;

to be optimised to 4.  But we'd then have to drop the constant minimum for:

  a1[0] = '1';
  a1[1] = '2';
  a1[2] = '3';
  size_t x = strlen (a1);
  char *a3 = a1 + x;
  a3[0] = '4';  // a1's min_length is x + 1, not 4

in order to support:

  a3[1] = 0;    // a1's length is x + 1

even though the minimum of 4 would be correct.  So there will be very
few cases in which length is not null and not equal to min_length.

Maybe we could keep both pieces of information around if we had both a
terminated flag and a constant mininum length.

So I think that gives four possiblities:

  (1) Keep the terminated flag, but extend the original patch to handle
      strings built up a character at a time.  This would handle f1 above.

  (2) Replace the terminated flag with a constant minimum length, don't
      handle f1 above.

  (3) Replace the terminated flag with an arbitrary minimum length and
      ensure that it's always valid to copy the minimum length to the
      length when we do so for the final strinfo in a chain.

  (4) Keep the terminated flag and also add a constant minimum length.
      This would handle all the cases above.

Thanks,
Richard

^ permalink raw reply	[flat|nested] 14+ messages in thread

* Re: Make tree-ssa-strlen.c handle partial unterminated strings
  2017-05-07 10:18   ` Richard Sandiford
@ 2017-05-10 14:18     ` Jakub Jelinek
  2017-05-10 19:57       ` Richard Sandiford
  0 siblings, 1 reply; 14+ messages in thread
From: Jakub Jelinek @ 2017-05-10 14:18 UTC (permalink / raw)
  To: gcc-patches, rdsandiford

Hi!

Note the intent of the pass is to handle the most common cases, it is fine
if some cases that aren't common aren't handled, it is all about the extra
complexity vs. how much it helps on real-world code.

On Sun, May 07, 2017 at 10:10:48AM +0100, Richard Sandiford wrote:
> I've got most of the way through a version that uses min_length instead.
> But one thing that the terminated flag allows that a constant min_length
> doesn't is:
> 
>   size_t
>   f1 (char *a1)
>   {
>     size_t x = strlen (a1);
>     char *a3 = a1 + x;
>     a3[0] = '1';  // a1 length x + 1, unterminated  (min length x + 1)
>     a3[1] = '2';  // a1 length x + 2, unterminated  (min length x + 2)
>     a3[2] = '3';  // a1 length x + 3, unterminated  (min length x + 3)
>     a3[3] = 0;    // a1 length x + 3, terminated
>     return strlen (a1);
>   }
> 
> For the a3[3] = 0, we know a3's min_length is 3 and so it's obvious
> that we can convert its min_length to a length.  But even if we allow
> a1's min_length to be nonconstant, it seems a bit risky to assume that
> we can convert its min_length to a length as well.  It would only work
> if the min_lengths in related strinfos are kept in sync, whereas it
> ought to be safe to say that the minimum length of something is 0.

And we have code for that.  If verify_related_strinfos returns non-NULL,
we can adjust all the related strinfos that need adjusting.
See e.g. zero_length_string on how it uses that.  It is just that we should
decide what is the acceptable complexity of the length/min_length
expressions (whether INTEGER_CST or SSA_NAME is enough, then the above
would not work, but is that really that important), or if we e.g. allow
SSA_NAME + INTEGER_CST in addition to that, or sum of 2 SSA_NAMEs, etc.).
I don't see how terminated vs. unterminated (which is misnamed anyway, it
means that it isn't known to be terminated, it might be terminated or not)
would help with that.

> So I think that gives four possiblities:
> 
>   (1) Keep the terminated flag, but extend the original patch to handle
>       strings built up a character at a time.  This would handle f1 above.

Only if you allow complex expressions like SSA_NAME + INTEGER_CST in length.

>   (2) Replace the terminated flag with a constant minimum length, don't
>       handle f1 above.

Sure, if you only allow constants, it will be limited to constants.

>   (3) Replace the terminated flag with an arbitrary minimum length and
>       ensure that it's always valid to copy the minimum length to the
>       length when we do so for the final strinfo in a chain.

Even length doesn't allow arbitrary expressions, the more complex it is,
the more expensive will it be to compute it when you e.g. replace
strlen with that.

I'd introduce min_length, start with INTEGER_CST, once it is handled
everywhere in the pass properly, see if there is enough code in the wild
that would justify allowing more than that.

min_length is a simple guarantee that there are no zero bytes among the
first min_length bytes, length is the same plus that there is a zero byte
right after that, so it is easy to argue about what happens if you store
non-zero somewhere into it, or store zero, etc.

	Jakub

^ permalink raw reply	[flat|nested] 14+ messages in thread

* Re: Make tree-ssa-strlen.c handle partial unterminated strings
  2017-05-10 14:18     ` Jakub Jelinek
@ 2017-05-10 19:57       ` Richard Sandiford
  2017-05-17  7:21         ` Richard Sandiford
  0 siblings, 1 reply; 14+ messages in thread
From: Richard Sandiford @ 2017-05-10 19:57 UTC (permalink / raw)
  To: Jakub Jelinek; +Cc: gcc-patches

Jakub Jelinek <jakub@redhat.com> writes:
> Hi!
>
> Note the intent of the pass is to handle the most common cases, it is fine
> if some cases that aren't common aren't handled, it is all about the extra
> complexity vs. how much it helps on real-world code.

OK.

> On Sun, May 07, 2017 at 10:10:48AM +0100, Richard Sandiford wrote:
>> I've got most of the way through a version that uses min_length instead.
>> But one thing that the terminated flag allows that a constant min_length
>> doesn't is:
>> 
>>   size_t
>>   f1 (char *a1)
>>   {
>>     size_t x = strlen (a1);
>>     char *a3 = a1 + x;
>>     a3[0] = '1';  // a1 length x + 1, unterminated  (min length x + 1)
>>     a3[1] = '2';  // a1 length x + 2, unterminated  (min length x + 2)
>>     a3[2] = '3';  // a1 length x + 3, unterminated  (min length x + 3)
>>     a3[3] = 0;    // a1 length x + 3, terminated
>>     return strlen (a1);
>>   }
>> 
>> For the a3[3] = 0, we know a3's min_length is 3 and so it's obvious
>> that we can convert its min_length to a length.  But even if we allow
>> a1's min_length to be nonconstant, it seems a bit risky to assume that
>> we can convert its min_length to a length as well.  It would only work
>> if the min_lengths in related strinfos are kept in sync, whereas it
>> ought to be safe to say that the minimum length of something is 0.
>
> And we have code for that.  If verify_related_strinfos returns non-NULL,
> we can adjust all the related strinfos that need adjusting.
> See e.g. zero_length_string on how it uses that.  It is just that we should
> decide what is the acceptable complexity of the length/min_length
> expressions (whether INTEGER_CST or SSA_NAME is enough, then the above
> would not work, but is that really that important), or if we e.g. allow
> SSA_NAME + INTEGER_CST in addition to that, or sum of 2 SSA_NAMEs, etc.).
> I don't see how terminated vs. unterminated (which is misnamed anyway, it
> means that it isn't known to be terminated, it might be terminated or not)
> would help with that.

The example above works with the flag because we already allow
SSA_NAME + INTEGER_CST for the length field, thanks to:

      tree adj = NULL_TREE;
      if (oldlen == NULL_TREE)
	;
      else if (integer_zerop (oldlen))
	adj = srclen;
      else if (TREE_CODE (oldlen) == INTEGER_CST
	       || TREE_CODE (srclen) == INTEGER_CST)
	adj = fold_build2_loc (loc, MINUS_EXPR,
			       TREE_TYPE (srclen), srclen,
			       fold_convert_loc (loc, TREE_TYPE (srclen),
						 oldlen));
      if (adj != NULL_TREE)
	adjust_related_strinfos (loc, dsi, adj);

etc.  So with a constant min_length we lose out (compared to the flag)
by making min_length more restrictive.

Like you say later, min_length is the number of characters that are
known to be nonzero, and length is the number of characters that are
known to be nonzero and followed by a zero, so even if we do relax the
rules for min_length to match length, I think in almost all useful cases
the length will be equal to the min_length or will be null (i.e. it'll
act almost like a de facto flag).

If the name's a problem, how about "known_terminated_p" instead of
"terminated_p"?

>> So I think that gives four possiblities:
>> 
>>   (1) Keep the terminated flag, but extend the original patch to handle
>>       strings built up a character at a time.  This would handle f1 above.
>
> Only if you allow complex expressions like SSA_NAME + INTEGER_CST in length.
>
>>   (2) Replace the terminated flag with a constant minimum length, don't
>>       handle f1 above.
>
> Sure, if you only allow constants, it will be limited to constants.
>
>>   (3) Replace the terminated flag with an arbitrary minimum length and
>>       ensure that it's always valid to copy the minimum length to the
>>       length when we do so for the final strinfo in a chain.
>
> Even length doesn't allow arbitrary expressions, the more complex it is,
> the more expensive will it be to compute it when you e.g. replace
> strlen with that.
>
> I'd introduce min_length, start with INTEGER_CST, once it is handled
> everywhere in the pass properly, see if there is enough code in the wild
> that would justify allowing more than that.
>
> min_length is a simple guarantee that there are no zero bytes among the
> first min_length bytes, length is the same plus that there is a zero byte
> right after that, so it is easy to argue about what happens if you store
> non-zero somewhere into it, or store zero, etc.

I think that's true of the flag version too though.  If you store a zero
into X <= length, you set the length to X and set known_terminated_p.
If you store a nonzero into X < length, nothing changes.  If you store
an unknown value into X < length, you set the length to X and clear
the known_terminated_p flag.

Thanks,
Richard

^ permalink raw reply	[flat|nested] 14+ messages in thread

* Re: Make tree-ssa-strlen.c handle partial unterminated strings
  2017-05-10 19:57       ` Richard Sandiford
@ 2017-05-17  7:21         ` Richard Sandiford
  2017-05-23 10:17           ` Jakub Jelinek
  0 siblings, 1 reply; 14+ messages in thread
From: Richard Sandiford @ 2017-05-17  7:21 UTC (permalink / raw)
  To: Jakub Jelinek; +Cc: gcc-patches

Richard Sandiford <richard.sandiford@linaro.org> writes:
> Jakub Jelinek <jakub@redhat.com> writes:
>> Hi!
>>
>> Note the intent of the pass is to handle the most common cases, it is fine
>> if some cases that aren't common aren't handled, it is all about the extra
>> complexity vs. how much it helps on real-world code.
>
> OK.
>
>> On Sun, May 07, 2017 at 10:10:48AM +0100, Richard Sandiford wrote:
>>> I've got most of the way through a version that uses min_length instead.
>>> But one thing that the terminated flag allows that a constant min_length
>>> doesn't is:
>>> 
>>>   size_t
>>>   f1 (char *a1)
>>>   {
>>>     size_t x = strlen (a1);
>>>     char *a3 = a1 + x;
>>>     a3[0] = '1';  // a1 length x + 1, unterminated  (min length x + 1)
>>>     a3[1] = '2';  // a1 length x + 2, unterminated  (min length x + 2)
>>>     a3[2] = '3';  // a1 length x + 3, unterminated  (min length x + 3)
>>>     a3[3] = 0;    // a1 length x + 3, terminated
>>>     return strlen (a1);
>>>   }
>>> 
>>> For the a3[3] = 0, we know a3's min_length is 3 and so it's obvious
>>> that we can convert its min_length to a length.  But even if we allow
>>> a1's min_length to be nonconstant, it seems a bit risky to assume that
>>> we can convert its min_length to a length as well.  It would only work
>>> if the min_lengths in related strinfos are kept in sync, whereas it
>>> ought to be safe to say that the minimum length of something is 0.
>>
>> And we have code for that.  If verify_related_strinfos returns non-NULL,
>> we can adjust all the related strinfos that need adjusting.
>> See e.g. zero_length_string on how it uses that.  It is just that we should
>> decide what is the acceptable complexity of the length/min_length
>> expressions (whether INTEGER_CST or SSA_NAME is enough, then the above
>> would not work, but is that really that important), or if we e.g. allow
>> SSA_NAME + INTEGER_CST in addition to that, or sum of 2 SSA_NAMEs, etc.).
>> I don't see how terminated vs. unterminated (which is misnamed anyway, it
>> means that it isn't known to be terminated, it might be terminated or not)
>> would help with that.
>
> The example above works with the flag because we already allow
> SSA_NAME + INTEGER_CST for the length field, thanks to:
>
>       tree adj = NULL_TREE;
>       if (oldlen == NULL_TREE)
> 	;
>       else if (integer_zerop (oldlen))
> 	adj = srclen;
>       else if (TREE_CODE (oldlen) == INTEGER_CST
> 	       || TREE_CODE (srclen) == INTEGER_CST)
> 	adj = fold_build2_loc (loc, MINUS_EXPR,
> 			       TREE_TYPE (srclen), srclen,
> 			       fold_convert_loc (loc, TREE_TYPE (srclen),
> 						 oldlen));
>       if (adj != NULL_TREE)
> 	adjust_related_strinfos (loc, dsi, adj);
>
> etc.  So with a constant min_length we lose out (compared to the flag)
> by making min_length more restrictive.
>
> Like you say later, min_length is the number of characters that are
> known to be nonzero, and length is the number of characters that are
> known to be nonzero and followed by a zero, so even if we do relax the
> rules for min_length to match length, I think in almost all useful cases
> the length will be equal to the min_length or will be null (i.e. it'll
> act almost like a de facto flag).

How about the patch below?  It renames "length" to "nonzero_chars"
and adds a "full_string_p" flag to indicate that the nonzero characters
are known to be followed by a zero.  It keeps the current decisions
about which kinds of length/nonzero_chars expression are valid and
worth tracking.  It also handles strings built up a character at
a time (unlike the original).

Tested on aarch64-linux-gnu and x86_64-linux-gnu.

Thanks,
Richard


2017-05-17  Richard Sandiford  <richard.sandiford@linaro.org>

gcc/
	* tree-ssa-strlen.c (strinfo): Rename the length field to
	nonzero_chars.  Add a full_string_p field.
	(compare_nonzero_chars, zero_length_string_p): New functions.
	(get_addr_stridx): Add an offset_out parameter.
	Use compare_nonzero_chars.
	(get_stridx): Update accordingly.  Use compare_nonzero_chars.
	(new_strinfo): Update after above changes to strinfo.
	(set_endptr_and_length): Set full_string_p.
	(get_string_length): Update after above changes to strinfo.
	(unshare_strinfo): Update call to new_strinfo.
	(maybe_invalidate): Likewise.
	(get_stridx_plus_constant): Change off to unsigned HOST_WIDE_INT.
	Use compare_nonzero_chars and zero_string_p.  Treat nonzero_chars
	as a uhwi instead of an shwi.  Update after above changes to
	strinfo and new_strinfo.
	(zero_length_string): Assert that chainsi contains full strings.
	Use zero_length_string_p.  Update call to new_strinfo.
	(adjust_related_strinfos): Update after above changes to strinfo.
	Copy full_string_p from origsi.
	(adjust_last_stmt): Use zero_length_string_p.
	(handle_builtin_strlen): Update after above changes to strinfo and
	new_strinfo.  Install the lhs as the string length if the previous
	entry didn't describe a full string.
	(handle_builtin_strchr): Update after above changes to strinfo
	and new_strinfo.
	(handle_builtin_strcpy): Likewise.
	(handle_builtin_strcat): Likewise.
	(handle_builtin_malloc): Likewise.
	(handle_pointer_plus): Likewise.
	(handle_builtin_memcpy): Likewise.  Track nonzero characters
	that aren't necessarily followed by a nul terminator.
	(handle_char_store): Likewise.

gcc/testsuite/
	* gcc.dg/strlenopt-32.c: New testcase.
	* gcc.dg/strlenopt-33.c: Likewise.
	* gcc.dg/strlenopt-33g.c: Likewise.
	* gcc.dg/strlenopt-34.c: Likewise.
	* gcc.dg/strlenopt-35.c: Likewise.

Index: gcc/tree-ssa-strlen.c
===================================================================
--- gcc/tree-ssa-strlen.c	2017-05-17 07:33:01.091940890 +0100
+++ gcc/tree-ssa-strlen.c	2017-05-17 07:33:03.918870380 +0100
@@ -57,8 +57,13 @@ the Free Software Foundation; either ver
 /* String information record.  */
 struct strinfo
 {
-  /* String length of this string.  */
-  tree length;
+  /* Number of leading characters that are known to be nonzero.  This is
+     also the length of the string if FULL_STRING_P.
+
+     The values in a list of related string pointers must be consistent;
+     that is, if strinfo B comes X bytes after strinfo A, it must be
+     the case that A->nonzero_chars == X + B->nonzero_chars.  */
+  tree nonzero_chars;
   /* Any of the corresponding pointers for querying alias oracle.  */
   tree ptr;
   /* This is used for two things:
@@ -105,6 +110,10 @@ struct strinfo
   /* A flag for the next maybe_invalidate that this strinfo shouldn't
      be invalidated.  Always cleared by maybe_invalidate.  */
   bool dont_invalidate;
+  /* True if the string is known to be nul-terminated after NONZERO_CHARS
+     characters.  False is useful when detecting strings that are built
+     up via successive memcpys.  */
+  bool full_string_p;
 };
 
 /* Pool for allocating strinfo_struct entries.  */
@@ -150,7 +159,34 @@ struct laststmt_struct
   int stridx;
 } laststmt;
 
-static int get_stridx_plus_constant (strinfo *, HOST_WIDE_INT, tree);
+static int get_stridx_plus_constant (strinfo *, unsigned HOST_WIDE_INT, tree);
+
+/* Return:
+
+   - 1 if SI is known to start with more than OFF nonzero characters.
+
+   - 0 if SI is known to start with OFF nonzero characters,
+     but is not known to start with more.
+
+   - -1 if SI might not start with OFF nonzero characters.  */
+
+static inline int
+compare_nonzero_chars (strinfo *si, unsigned HOST_WIDE_INT off)
+{
+  if (si->nonzero_chars
+      && TREE_CODE (si->nonzero_chars) == INTEGER_CST)
+    return compare_tree_int (si->nonzero_chars, off);
+  else
+    return -1;
+}
+
+/* Return true if SI is known to be a zero-length string.  */
+
+static inline bool
+zero_length_string_p (strinfo *si)
+{
+  return si->full_string_p && integer_zerop (si->nonzero_chars);
+}
 
 /* Return strinfo vector entry IDX.  */
 
@@ -175,10 +211,13 @@ get_next_strinfo (strinfo *si)
   return nextsi;
 }
 
-/* Helper function for get_stridx.  */
+/* Helper function for get_stridx.  Return the strinfo index of the address
+   of EXP, which is available in PTR if nonnull.  If OFFSET_OUT, it is
+   OK to return the index for some X <= &EXP and store &EXP - X in
+   *OFFSET_OUT.  */
 
 static int
-get_addr_stridx (tree exp, tree ptr)
+get_addr_stridx (tree exp, tree ptr, unsigned HOST_WIDE_INT *offset_out)
 {
   HOST_WIDE_INT off;
   struct stridxlist *list, *last = NULL;
@@ -198,7 +237,11 @@ get_addr_stridx (tree exp, tree ptr)
   do
     {
       if (list->offset == off)
-	return list->idx;
+	{
+	  if (offset_out)
+	    *offset_out = 0;
+	  return list->idx;
+	}
       if (list->offset > off)
 	return 0;
       last = list;
@@ -206,14 +249,21 @@ get_addr_stridx (tree exp, tree ptr)
     }
   while (list);
 
-  if (ptr && last && last->idx > 0)
+  if ((offset_out || ptr) && last && last->idx > 0)
     {
+      unsigned HOST_WIDE_INT rel_off
+	= (unsigned HOST_WIDE_INT) off - last->offset;
       strinfo *si = get_strinfo (last->idx);
-      if (si
-	  && si->length
-	  && TREE_CODE (si->length) == INTEGER_CST
-	  && compare_tree_int (si->length, off - last->offset) != -1)
-	return get_stridx_plus_constant (si, off - last->offset, ptr);
+      if (si && compare_nonzero_chars (si, rel_off) >= 0)
+	{
+	  if (offset_out)
+	    {
+	      *offset_out = rel_off;
+	      return last->idx;
+	    }
+	  else
+	    return get_stridx_plus_constant (si, rel_off, ptr);
+	}
     }
   return 0;
 }
@@ -253,10 +303,7 @@ get_stridx (tree exp)
 	    {
 	      strinfo *si
 		= get_strinfo (ssa_ver_to_stridx[SSA_NAME_VERSION (rhs1)]);
-	      if (si
-		  && si->length
-		  && TREE_CODE (si->length) == INTEGER_CST
-		  && compare_tree_int (si->length, off) != -1)
+	      if (si && compare_nonzero_chars (si, off) >= 0)
 		return get_stridx_plus_constant (si, off, exp);
 	    }
 	  e = rhs1;
@@ -266,7 +313,7 @@ get_stridx (tree exp)
 
   if (TREE_CODE (exp) == ADDR_EXPR)
     {
-      int idx = get_addr_stridx (TREE_OPERAND (exp, 0), exp);
+      int idx = get_addr_stridx (TREE_OPERAND (exp, 0), exp, NULL);
       if (idx != 0)
 	return idx;
     }
@@ -419,10 +466,10 @@ new_addr_stridx (tree exp)
 /* Create a new strinfo.  */
 
 static strinfo *
-new_strinfo (tree ptr, int idx, tree length)
+new_strinfo (tree ptr, int idx, tree nonzero_chars, bool full_string_p)
 {
   strinfo *si = strinfo_pool.allocate ();
-  si->length = length;
+  si->nonzero_chars = nonzero_chars;
   si->ptr = ptr;
   si->stmt = NULL;
   si->endptr = NULL_TREE;
@@ -433,6 +480,7 @@ new_strinfo (tree ptr, int idx, tree len
   si->next = 0;
   si->writable = false;
   si->dont_invalidate = false;
+  si->full_string_p = full_string_p;
   return si;
 }
 
@@ -492,8 +540,9 @@ set_endptr_and_length (location_t loc, s
   si->stmt = NULL;
   tree start_as_size = fold_convert_loc (loc, size_type_node, si->ptr);
   tree end_as_size = fold_convert_loc (loc, size_type_node, endptr);
-  si->length = fold_build2_loc (loc, MINUS_EXPR, size_type_node,
-				end_as_size, start_as_size);
+  si->nonzero_chars = fold_build2_loc (loc, MINUS_EXPR, size_type_node,
+				       end_as_size, start_as_size);
+  si->full_string_p = true;
 }
 
 /* Return string length, or NULL if it can't be computed.  */
@@ -501,8 +550,8 @@ set_endptr_and_length (location_t loc, s
 static tree
 get_string_length (strinfo *si)
 {
-  if (si->length)
-    return si->length;
+  if (si->nonzero_chars)
+    return si->full_string_p ? si->nonzero_chars : NULL;
 
   if (si->stmt)
     {
@@ -595,19 +644,19 @@ get_string_length (strinfo *si)
 	  for (strinfo *chainsi = verify_related_strinfos (si);
 	       chainsi != NULL;
 	       chainsi = get_next_strinfo (chainsi))
-	    if (chainsi->length == NULL)
+	    if (chainsi->nonzero_chars == NULL)
 	      set_endptr_and_length (loc, chainsi, lhs);
 	  break;
 	case BUILT_IN_MALLOC:
 	  break;
-	/* BUILT_IN_CALLOC always has si->length set.  */
+	/* BUILT_IN_CALLOC always has si->nonzero_chars set.  */
 	default:
 	  gcc_unreachable ();
 	  break;
 	}
     }
 
-  return si->length;
+  return si->nonzero_chars;
 }
 
 /* Invalidate string length information for strings whose length
@@ -626,7 +675,7 @@ maybe_invalidate (gimple *stmt)
 	if (!si->dont_invalidate)
 	  {
 	    ao_ref r;
-	    /* Do not use si->length.  */
+	    /* Do not use si->nonzero_chars.  */
 	    ao_ref_init_from_ptr_and_size (&r, si->ptr, NULL_TREE);
 	    if (stmt_may_clobber_ref_p_1 (stmt, &r))
 	      {
@@ -653,7 +702,7 @@ unshare_strinfo (strinfo *si)
   if (si->refcount == 1 && !strinfo_shared ())
     return si;
 
-  nsi = new_strinfo (si->ptr, si->idx, si->length);
+  nsi = new_strinfo (si->ptr, si->idx, si->nonzero_chars, si->full_string_p);
   nsi->stmt = si->stmt;
   nsi->endptr = si->endptr;
   nsi->first = si->first;
@@ -670,39 +719,39 @@ unshare_strinfo (strinfo *si)
    been created.  */
 
 static int
-get_stridx_plus_constant (strinfo *basesi, HOST_WIDE_INT off, tree ptr)
+get_stridx_plus_constant (strinfo *basesi, unsigned HOST_WIDE_INT off,
+			  tree ptr)
 {
   if (TREE_CODE (ptr) == SSA_NAME && SSA_NAME_OCCURS_IN_ABNORMAL_PHI (ptr))
     return 0;
 
-  if (basesi->length == NULL_TREE
-      || TREE_CODE (basesi->length) != INTEGER_CST
-      || compare_tree_int (basesi->length, off) == -1
-      || !tree_fits_shwi_p (basesi->length))
+  if (compare_nonzero_chars (basesi, off) < 0
+      || !tree_fits_uhwi_p (basesi->nonzero_chars))
     return 0;
 
-  HOST_WIDE_INT len = tree_to_shwi (basesi->length) - off;
+  unsigned HOST_WIDE_INT nonzero_chars
+    = tree_to_uhwi (basesi->nonzero_chars) - off;
   strinfo *si = basesi, *chainsi;
   if (si->first || si->prev || si->next)
     si = verify_related_strinfos (basesi);
   if (si == NULL
-      || si->length == NULL_TREE
-      || TREE_CODE (si->length) != INTEGER_CST)
+      || si->nonzero_chars == NULL_TREE
+      || TREE_CODE (si->nonzero_chars) != INTEGER_CST)
     return 0;
 
   if (TREE_CODE (ptr) == SSA_NAME
       && ssa_ver_to_stridx.length () <= SSA_NAME_VERSION (ptr))
     ssa_ver_to_stridx.safe_grow_cleared (num_ssa_names);
 
-  gcc_checking_assert (compare_tree_int (si->length, off) != -1);
+  gcc_checking_assert (compare_tree_int (si->nonzero_chars, off) != -1);
   for (chainsi = si; chainsi->next; chainsi = si)
     {
       si = get_next_strinfo (chainsi);
       if (si == NULL
-	  || si->length == NULL_TREE
-	  || TREE_CODE (si->length) != INTEGER_CST)
+	  || si->nonzero_chars == NULL_TREE
+	  || TREE_CODE (si->nonzero_chars) != INTEGER_CST)
 	break;
-      int r = compare_tree_int (si->length, len);
+      int r = compare_tree_int (si->nonzero_chars, nonzero_chars);
       if (r != 1)
 	{
 	  if (r == 0)
@@ -724,7 +773,8 @@ get_stridx_plus_constant (strinfo *bases
   int idx = new_stridx (ptr);
   if (idx == 0)
     return 0;
-  si = new_strinfo (ptr, idx, build_int_cst (size_type_node, len));
+  si = new_strinfo (ptr, idx, build_int_cst (size_type_node, nonzero_chars),
+		    basesi->full_string_p);
   set_strinfo (idx, si);
   if (chainsi->next)
     {
@@ -736,7 +786,7 @@ get_stridx_plus_constant (strinfo *bases
   if (chainsi->first == 0)
     chainsi->first = chainsi->idx;
   chainsi->next = idx;
-  if (chainsi->endptr == NULL_TREE && len == 0)
+  if (chainsi->endptr == NULL_TREE && zero_length_string_p (si))
     chainsi->endptr = ptr;
   si->endptr = chainsi->endptr;
   si->prev = chainsi->idx;
@@ -769,7 +819,7 @@ zero_length_string (tree ptr, strinfo *c
 	  do
 	    {
 	      /* We shouldn't mix delayed and non-delayed lengths.  */
-	      gcc_assert (si->length);
+	      gcc_assert (si->full_string_p);
 	      if (si->endptr == NULL_TREE)
 		{
 		  si = unshare_strinfo (si);
@@ -779,7 +829,7 @@ zero_length_string (tree ptr, strinfo *c
 	      si = get_next_strinfo (si);
 	    }
 	  while (si != NULL);
-	  if (chainsi->length && integer_zerop (chainsi->length))
+	  if (zero_length_string_p (chainsi))
 	    {
 	      if (chainsi->next)
 		{
@@ -793,7 +843,7 @@ zero_length_string (tree ptr, strinfo *c
       else
 	{
 	  /* We shouldn't mix delayed and non-delayed lengths.  */
-	  gcc_assert (chainsi->length);
+	  gcc_assert (chainsi->full_string_p);
 	  if (chainsi->first || chainsi->prev || chainsi->next)
 	    {
 	      chainsi = unshare_strinfo (chainsi);
@@ -806,7 +856,7 @@ zero_length_string (tree ptr, strinfo *c
   idx = new_stridx (ptr);
   if (idx == 0)
     return NULL;
-  si = new_strinfo (ptr, idx, build_int_cst (size_type_node, 0));
+  si = new_strinfo (ptr, idx, build_int_cst (size_type_node, 0), true);
   set_strinfo (idx, si);
   si->endptr = ptr;
   if (chainsi != NULL)
@@ -824,9 +874,11 @@ zero_length_string (tree ptr, strinfo *c
   return si;
 }
 
-/* For strinfo ORIGSI whose length has been just updated
-   update also related strinfo lengths (add ADJ to each,
-   but don't adjust ORIGSI).  */
+/* For strinfo ORIGSI whose length has been just updated, adjust other
+   related strinfos so that they match the new ORIGSI.  This involves:
+
+   - adding ADJ to the nonzero_chars fields
+   - copying full_string_p from the new ORIGSI.  */
 
 static void
 adjust_related_strinfos (location_t loc, strinfo *origsi, tree adj)
@@ -848,10 +900,12 @@ adjust_related_strinfos (location_t loc,
 	  /* We shouldn't see delayed lengths here; the caller must have
 	     calculated the old length in order to calculate the
 	     adjustment.  */
-	  gcc_assert (si->length);
-	  tem = fold_convert_loc (loc, TREE_TYPE (si->length), adj);
-	  si->length = fold_build2_loc (loc, PLUS_EXPR, TREE_TYPE (si->length),
-					si->length, tem);
+	  gcc_assert (si->nonzero_chars);
+	  tem = fold_convert_loc (loc, TREE_TYPE (si->nonzero_chars), adj);
+	  si->nonzero_chars = fold_build2_loc (loc, PLUS_EXPR,
+					       TREE_TYPE (si->nonzero_chars),
+					       si->nonzero_chars, tem);
+	  si->full_string_p = origsi->full_string_p;
 
 	  si->endptr = NULL_TREE;
 	  si->dont_invalidate = true;
@@ -1020,11 +1074,8 @@ adjust_last_stmt (strinfo *si, gimple *s
 	}
     }
 
-  if (!is_strcat)
-    {
-      if (si->length == NULL_TREE || !integer_zerop (si->length))
-	return;
-    }
+  if (!is_strcat && !zero_length_string_p (si))
+    return;
 
   if (is_gimple_assign (last.stmt))
     {
@@ -1138,12 +1189,13 @@ handle_builtin_strlen (gimple_stmt_itera
 	      print_gimple_stmt (dump_file, stmt, 0, TDF_SLIM);
 	    }
 	  if (si != NULL
-	      && TREE_CODE (si->length) != SSA_NAME
-	      && TREE_CODE (si->length) != INTEGER_CST
+	      && TREE_CODE (si->nonzero_chars) != SSA_NAME
+	      && TREE_CODE (si->nonzero_chars) != INTEGER_CST
 	      && !SSA_NAME_OCCURS_IN_ABNORMAL_PHI (lhs))
 	    {
 	      si = unshare_strinfo (si);
-	      si->length = lhs;
+	      si->nonzero_chars = lhs;
+	      gcc_assert (si->full_string_p);
 	    }
 	  return;
 	}
@@ -1152,11 +1204,25 @@ handle_builtin_strlen (gimple_stmt_itera
     return;
   if (idx == 0)
     idx = new_stridx (src);
-  else if (get_strinfo (idx) != NULL)
-    return;
+  else
+    {
+      strinfo *si = get_strinfo (idx);
+      if (si != NULL)
+	{
+	  if (!si->full_string_p && !si->stmt)
+	    {
+	      /* Until now we only had a lower bound on the string length.
+		 Install LHS as the actual length.  */
+	      si = unshare_strinfo (si);
+	      si->nonzero_chars = lhs;
+	      si->full_string_p = true;
+	    }
+	  return;
+	}
+    }
   if (idx)
     {
-      strinfo *si = new_strinfo (src, idx, lhs);
+      strinfo *si = new_strinfo (src, idx, lhs, true);
       set_strinfo (idx, si);
       find_equal_ptrs (src, idx);
     }
@@ -1260,7 +1326,7 @@ handle_builtin_strchr (gimple_stmt_itera
 	  tree srcu = fold_convert_loc (loc, size_type_node, src);
 	  tree length = fold_build2_loc (loc, MINUS_EXPR,
 					 size_type_node, lhsu, srcu);
-	  strinfo *si = new_strinfo (src, idx, length);
+	  strinfo *si = new_strinfo (src, idx, length, true);
 	  si->endptr = lhs;
 	  set_strinfo (idx, si);
 	  find_equal_ptrs (src, idx);
@@ -1349,9 +1415,10 @@ handle_builtin_strcpy (enum built_in_fun
     }
   if (olddsi != NULL)
     {
-      oldlen = olddsi->length;
+      oldlen = olddsi->nonzero_chars;
       dsi = unshare_strinfo (olddsi);
-      dsi->length = srclen;
+      dsi->nonzero_chars = srclen;
+      dsi->full_string_p = (srclen != NULL_TREE);
       /* Break the chain, so adjust_related_strinfo on later pointers in
 	 the chain won't adjust this one anymore.  */
       dsi->next = 0;
@@ -1360,14 +1427,14 @@ handle_builtin_strcpy (enum built_in_fun
     }
   else
     {
-      dsi = new_strinfo (dst, didx, srclen);
+      dsi = new_strinfo (dst, didx, srclen, srclen != NULL_TREE);
       set_strinfo (didx, dsi);
       find_equal_ptrs (dst, didx);
     }
   dsi->writable = true;
   dsi->dont_invalidate = true;
 
-  if (dsi->length == NULL_TREE)
+  if (dsi->nonzero_chars == NULL_TREE)
     {
       strinfo *chainsi;
 
@@ -1388,7 +1455,8 @@ handle_builtin_strcpy (enum built_in_fun
 		 invalidated.  */
 	      chainsi = unshare_strinfo (chainsi);
 	      chainsi->stmt = stmt;
-	      chainsi->length = NULL_TREE;
+	      chainsi->nonzero_chars = NULL_TREE;
+	      chainsi->full_string_p = false;
 	      chainsi->endptr = NULL_TREE;
 	      chainsi->dont_invalidate = true;
 	    }
@@ -1556,31 +1624,61 @@ handle_builtin_memcpy (enum built_in_fun
       && !integer_zerop (len))
     adjust_last_stmt (olddsi, stmt, false);
 
+  bool full_string_p;
   if (idx > 0)
     {
       gimple *def_stmt;
 
-      /* Handle memcpy (x, y, l) where l is strlen (y) + 1.  */
+      /* Handle memcpy (x, y, l) where l's relationship with strlen (y)
+	 is known.  */
       si = get_strinfo (idx);
-      if (si == NULL || si->length == NULL_TREE)
-	return;
-      if (TREE_CODE (len) != SSA_NAME)
-	return;
-      def_stmt = SSA_NAME_DEF_STMT (len);
-      if (!is_gimple_assign (def_stmt)
-	  || gimple_assign_rhs_code (def_stmt) != PLUS_EXPR
-	  || gimple_assign_rhs1 (def_stmt) != si->length
-	  || !integer_onep (gimple_assign_rhs2 (def_stmt)))
+      if (si == NULL || si->nonzero_chars == NULL_TREE)
 	return;
+      if (TREE_CODE (len) == INTEGER_CST
+	  && TREE_CODE (si->nonzero_chars) == INTEGER_CST)
+	{
+	  if (tree_int_cst_le (len, si->nonzero_chars))
+	    {
+	      /* Copying LEN nonzero characters, where LEN is constant.  */
+	      newlen = len;
+	      full_string_p = false;
+	    }
+	  else
+	    {
+	      /* Copying the whole of the analyzed part of SI.  */
+	      newlen = si->nonzero_chars;
+	      full_string_p = si->full_string_p;
+	    }
+	}
+      else
+	{
+	  if (!si->full_string_p)
+	    return;
+	  if (TREE_CODE (len) != SSA_NAME)
+	    return;
+	  def_stmt = SSA_NAME_DEF_STMT (len);
+	  if (!is_gimple_assign (def_stmt)
+	      || gimple_assign_rhs_code (def_stmt) != PLUS_EXPR
+	      || gimple_assign_rhs1 (def_stmt) != si->nonzero_chars
+	      || !integer_onep (gimple_assign_rhs2 (def_stmt)))
+	    return;
+	  /* Copying variable-length string SI (and no more).  */
+	  newlen = si->nonzero_chars;
+	  full_string_p = true;
+	}
     }
   else
     {
       si = NULL;
       /* Handle memcpy (x, "abcd", 5) or
 	 memcpy (x, "abc\0uvw", 7).  */
-      if (!tree_fits_uhwi_p (len)
-	  || tree_to_uhwi (len) <= (unsigned HOST_WIDE_INT) ~idx)
+      if (!tree_fits_uhwi_p (len))
 	return;
+
+      unsigned HOST_WIDE_INT clen = tree_to_uhwi (len);
+      unsigned HOST_WIDE_INT nonzero_chars = ~idx;
+      newlen = build_int_cst (size_type_node, MIN (nonzero_chars, clen));
+      full_string_p = clen > nonzero_chars;
     }
 
   if (olddsi != NULL && TREE_CODE (len) == SSA_NAME)
@@ -1592,16 +1690,13 @@ handle_builtin_memcpy (enum built_in_fun
       if (didx == 0)
 	return;
     }
-  if (si != NULL)
-    newlen = si->length;
-  else
-    newlen = build_int_cst (size_type_node, ~idx);
   oldlen = NULL_TREE;
   if (olddsi != NULL)
     {
       dsi = unshare_strinfo (olddsi);
-      oldlen = olddsi->length;
-      dsi->length = newlen;
+      oldlen = olddsi->nonzero_chars;
+      dsi->nonzero_chars = newlen;
+      dsi->full_string_p = full_string_p;
       /* Break the chain, so adjust_related_strinfo on later pointers in
 	 the chain won't adjust this one anymore.  */
       dsi->next = 0;
@@ -1610,7 +1705,7 @@ handle_builtin_memcpy (enum built_in_fun
     }
   else
     {
-      dsi = new_strinfo (dst, didx, newlen);
+      dsi = new_strinfo (dst, didx, newlen, full_string_p);
       set_strinfo (didx, dsi);
       find_equal_ptrs (dst, didx);
     }
@@ -1623,12 +1718,11 @@ handle_builtin_memcpy (enum built_in_fun
       if (oldlen == NULL_TREE)
 	;
       else if (integer_zerop (oldlen))
-	adj = dsi->length;
+	adj = newlen;
       else if (TREE_CODE (oldlen) == INTEGER_CST
-	       || TREE_CODE (dsi->length) == INTEGER_CST)
-	adj = fold_build2_loc (loc, MINUS_EXPR,
-			       TREE_TYPE (dsi->length), dsi->length,
-			       fold_convert_loc (loc, TREE_TYPE (dsi->length),
+	       || TREE_CODE (newlen) == INTEGER_CST)
+	adj = fold_build2_loc (loc, MINUS_EXPR, TREE_TYPE (newlen), newlen,
+			       fold_convert_loc (loc, TREE_TYPE (newlen),
 						 oldlen));
       if (adj != NULL_TREE)
 	adjust_related_strinfos (loc, dsi, adj);
@@ -1640,27 +1734,30 @@ handle_builtin_memcpy (enum built_in_fun
   if (si != NULL)
     si->dont_invalidate = true;
 
-  lhs = gimple_call_lhs (stmt);
-  switch (bcode)
+  if (full_string_p)
     {
-    case BUILT_IN_MEMCPY:
-    case BUILT_IN_MEMCPY_CHK:
-    case BUILT_IN_MEMCPY_CHKP:
-    case BUILT_IN_MEMCPY_CHK_CHKP:
-      /* Allow adjust_last_stmt to decrease this memcpy's size.  */
-      laststmt.stmt = stmt;
-      laststmt.len = dsi->length;
-      laststmt.stridx = dsi->idx;
-      if (lhs)
-	ssa_ver_to_stridx[SSA_NAME_VERSION (lhs)] = didx;
-      break;
-    case BUILT_IN_MEMPCPY:
-    case BUILT_IN_MEMPCPY_CHK:
-    case BUILT_IN_MEMPCPY_CHKP:
-    case BUILT_IN_MEMPCPY_CHK_CHKP:
-      break;
-    default:
-      gcc_unreachable ();
+      lhs = gimple_call_lhs (stmt);
+      switch (bcode)
+	{
+	case BUILT_IN_MEMCPY:
+	case BUILT_IN_MEMCPY_CHK:
+	case BUILT_IN_MEMCPY_CHKP:
+	case BUILT_IN_MEMCPY_CHK_CHKP:
+	  /* Allow adjust_last_stmt to decrease this memcpy's size.  */
+	  laststmt.stmt = stmt;
+	  laststmt.len = dsi->nonzero_chars;
+	  laststmt.stridx = dsi->idx;
+	  if (lhs)
+	    ssa_ver_to_stridx[SSA_NAME_VERSION (lhs)] = didx;
+	  break;
+	case BUILT_IN_MEMPCPY:
+	case BUILT_IN_MEMPCPY_CHK:
+	case BUILT_IN_MEMPCPY_CHKP:
+	case BUILT_IN_MEMPCPY_CHK_CHKP:
+	  break;
+	default:
+	  gcc_unreachable ();
+	}
     }
 }
 
@@ -1709,14 +1806,15 @@ handle_builtin_strcat (enum built_in_fun
 	    }
 	  if (dsi == NULL)
 	    {
-	      dsi = new_strinfo (dst, didx, NULL_TREE);
+	      dsi = new_strinfo (dst, didx, NULL_TREE, false);
 	      set_strinfo (didx, dsi);
 	      find_equal_ptrs (dst, didx);
 	    }
 	  else
 	    {
 	      dsi = unshare_strinfo (dsi);
-	      dsi->length = NULL_TREE;
+	      dsi->nonzero_chars = NULL_TREE;
+	      dsi->full_string_p = false;
 	      dsi->next = 0;
 	      dsi->endptr = NULL_TREE;
 	    }
@@ -1740,7 +1838,7 @@ handle_builtin_strcat (enum built_in_fun
     }
 
   loc = gimple_location (stmt);
-  dstlen = dsi->length;
+  dstlen = dsi->nonzero_chars;
   endptr = dsi->endptr;
 
   dsi = unshare_strinfo (dsi);
@@ -1750,14 +1848,17 @@ handle_builtin_strcat (enum built_in_fun
 
   if (srclen != NULL_TREE)
     {
-      dsi->length = fold_build2_loc (loc, PLUS_EXPR, TREE_TYPE (dsi->length),
-				     dsi->length, srclen);
+      dsi->nonzero_chars = fold_build2_loc (loc, PLUS_EXPR,
+					    TREE_TYPE (dsi->nonzero_chars),
+					    dsi->nonzero_chars, srclen);
+      gcc_assert (dsi->full_string_p);
       adjust_related_strinfos (loc, dsi, srclen);
       dsi->dont_invalidate = true;
     }
   else
     {
-      dsi->length = NULL;
+      dsi->nonzero_chars = NULL;
+      dsi->full_string_p = false;
       if (lhs == NULL_TREE && builtin_decl_implicit_p (BUILT_IN_STPCPY))
 	dsi->dont_invalidate = true;
     }
@@ -1890,7 +1991,7 @@ handle_builtin_malloc (enum built_in_fun
   tree length = NULL_TREE;
   if (bcode == BUILT_IN_CALLOC)
     length = build_int_cst (size_type_node, 0);
-  strinfo *si = new_strinfo (lhs, idx, length);
+  strinfo *si = new_strinfo (lhs, idx, length, length != NULL_TREE);
   if (bcode == BUILT_IN_CALLOC)
     si->endptr = lhs;
   set_strinfo (idx, si);
@@ -1932,7 +2033,8 @@ handle_builtin_memset (gimple_stmt_itera
       gimple_stmt_iterator gsi1 = gsi_for_stmt (stmt1);
       update_gimple_call (&gsi1, builtin_decl_implicit (BUILT_IN_CALLOC), 2,
 			  size, build_one_cst (size_type_node));
-      si1->length = build_int_cst (size_type_node, 0);
+      si1->nonzero_chars = build_int_cst (size_type_node, 0);
+      si1->full_string_p = true;
       si1->stmt = gsi_stmt (gsi1);
     }
   else
@@ -2064,18 +2166,20 @@ handle_pointer_plus (gimple_stmt_iterato
     }
 
   si = get_strinfo (idx);
-  if (si == NULL || si->length == NULL_TREE)
+  if (si == NULL || si->nonzero_chars == NULL_TREE)
     return;
 
   off = gimple_assign_rhs2 (stmt);
   zsi = NULL;
-  if (operand_equal_p (si->length, off, 0))
+  if (si->full_string_p && operand_equal_p (si->nonzero_chars, off, 0))
     zsi = zero_length_string (lhs, si);
   else if (TREE_CODE (off) == SSA_NAME)
     {
       gimple *def_stmt = SSA_NAME_DEF_STMT (off);
       if (gimple_assign_single_p (def_stmt)
-	  && operand_equal_p (si->length, gimple_assign_rhs1 (def_stmt), 0))
+	  && si->full_string_p
+	  && operand_equal_p (si->nonzero_chars,
+			      gimple_assign_rhs1 (def_stmt), 0))
 	zsi = zero_length_string (lhs, si);
     }
   if (zsi != NULL
@@ -2101,63 +2205,63 @@ handle_char_store (gimple_stmt_iterator
   strinfo *si = NULL;
   gimple *stmt = gsi_stmt (*gsi);
   tree ssaname = NULL_TREE, lhs = gimple_assign_lhs (stmt);
+  tree rhs = gimple_assign_rhs1 (stmt);
+  unsigned HOST_WIDE_INT offset = 0;
 
   if (TREE_CODE (lhs) == MEM_REF
       && TREE_CODE (TREE_OPERAND (lhs, 0)) == SSA_NAME)
     {
-      if (integer_zerop (TREE_OPERAND (lhs, 1)))
+      tree mem_offset = TREE_OPERAND (lhs, 1);
+      if (tree_fits_uhwi_p (mem_offset))
 	{
-	  ssaname = TREE_OPERAND (lhs, 0);
-	  idx = get_stridx (ssaname);
+	  /* Get the strinfo for the base, and use it if it starts with at
+	     least OFFSET nonzero characters.  This is trivially true if
+	     OFFSET is zero.  */
+	  offset = tree_to_uhwi (mem_offset);
+	  idx = get_stridx (TREE_OPERAND (lhs, 0));
+	  if (idx > 0)
+	    si = get_strinfo (idx);
+	  if (offset == 0)
+	    ssaname = TREE_OPERAND (lhs, 0);
+	  else if (si == NULL || compare_nonzero_chars (si, offset) < 0)
+	    return true;
 	}
     }
   else
-    idx = get_addr_stridx (lhs, NULL_TREE);
+    {
+      idx = get_addr_stridx (lhs, NULL_TREE, &offset);
+      if (idx > 0)
+	si = get_strinfo (idx);
+    }
 
-  if (idx > 0)
+  bool storing_zero_p = initializer_zerop (rhs);
+  bool storing_nonzero_p = (!storing_zero_p
+			    && TREE_CODE (rhs) == INTEGER_CST
+			    && integer_nonzerop (rhs));
+
+  if (si != NULL)
     {
-      si = get_strinfo (idx);
-      if (si != NULL && si->length != NULL_TREE && integer_zerop (si->length))
-	{
-	  if (initializer_zerop (gimple_assign_rhs1 (stmt)))
-	    {
-	      /* When storing '\0', the store can be removed
-		 if we know it has been stored in the current function.  */
-	      if (!stmt_could_throw_p (stmt) && si->writable)
-		{
-		  unlink_stmt_vdef (stmt);
-		  release_defs (stmt);
-		  gsi_remove (gsi, true);
-		  return false;
-		}
-	      else
-		{
-		  si->writable = true;
-		  gsi_next (gsi);
-		  return false;
-		}
+      int cmp = compare_nonzero_chars (si, offset);
+      gcc_assert (offset == 0 || cmp >= 0);
+      if (storing_zero_p && cmp == 0 && si->full_string_p)
+	{
+	  /* When overwriting a '\0' with a '\0', the store can be removed
+	     if we know it has been stored in the current function.  */
+	  if (!stmt_could_throw_p (stmt) && si->writable)
+	    {
+	      unlink_stmt_vdef (stmt);
+	      release_defs (stmt);
+	      gsi_remove (gsi, true);
+	      return false;
 	    }
 	  else
-	    /* Otherwise this statement overwrites the '\0' with
-	       something, if the previous stmt was a memcpy,
-	       its length may be decreased.  */
-	    adjust_last_stmt (si, stmt, false);
-	}
-      else if (si != NULL && integer_zerop (gimple_assign_rhs1 (stmt)))
-	{
-	  si = unshare_strinfo (si);
-	  si->length = build_int_cst (size_type_node, 0);
-	  si->endptr = NULL;
-	  si->prev = 0;
-	  si->next = 0;
-	  si->stmt = NULL;
-	  si->first = 0;
-	  si->writable = true;
-	  if (ssaname && !SSA_NAME_OCCURS_IN_ABNORMAL_PHI (ssaname))
-	    si->endptr = ssaname;
-	  si->dont_invalidate = true;
+	    {
+	      si->writable = true;
+	      gsi_next (gsi);
+	      return false;
+	    }
 	}
-      /* If si->length is non-zero constant, we aren't overwriting '\0',
+      /* If si->nonzero_chars > OFFSET, we aren't overwriting '\0',
 	 and if we aren't storing '\0', we know that the length of the
 	 string and any other zero terminated string in memory remains
 	 the same.  In that case we move to the next gimple statement and
@@ -2177,35 +2281,74 @@ handle_char_store (gimple_stmt_iterator
 	   bar (len, len2, len3, len4);
         }
 	*/ 
-      else if (si != NULL && si->length != NULL_TREE
-	       && TREE_CODE (si->length) == INTEGER_CST
-	       && integer_nonzerop (gimple_assign_rhs1 (stmt)))
+      else if (storing_nonzero_p && cmp > 0)
 	{
 	  gsi_next (gsi);
 	  return false;
 	}
+      else if (storing_zero_p || storing_nonzero_p || (offset != 0 && cmp > 0))
+	{
+	  /* When storing_nonzero_p, we know that the string now starts
+	     with OFFSET + 1 nonzero characters, but don't know whether
+	     there's a following nul terminator.
+
+	     When storing_zero_p, we know that the string is now OFFSET
+	     characters long.
+
+	     Otherwise, we're storing an unknown value at offset OFFSET,
+	     so need to clip the nonzero_chars to OFFSET.  */
+	  location_t loc = gimple_location (stmt);
+	  tree oldlen = si->nonzero_chars;
+	  if (cmp == 0 && si->full_string_p)
+	    /* We're overwriting the nul terminator with a nonzero or
+	       unknown character.  If the previous stmt was a memcpy,
+	       its length may be decreased.  */
+	    adjust_last_stmt (si, stmt, false);
+	  si = unshare_strinfo (si);
+	  if (storing_nonzero_p)
+	    si->nonzero_chars = build_int_cst (size_type_node, offset + 1);
+	  else
+	    si->nonzero_chars = build_int_cst (size_type_node, offset);
+	  si->full_string_p = storing_zero_p;
+	  if (storing_zero_p
+	      && ssaname
+	      && !SSA_NAME_OCCURS_IN_ABNORMAL_PHI (ssaname))
+	    si->endptr = ssaname;
+	  else
+	    si->endptr = NULL;
+	  si->next = 0;
+	  si->stmt = NULL;
+	  si->writable = true;
+	  si->dont_invalidate = true;
+	  if (oldlen)
+	    {
+	      tree adj = fold_build2_loc (loc, MINUS_EXPR, size_type_node,
+					  si->nonzero_chars, oldlen);
+	      adjust_related_strinfos (loc, si, adj);
+	    }
+	  else
+	    si->prev = 0;
+	}
     }
-  else if (idx == 0 && initializer_zerop (gimple_assign_rhs1 (stmt)))
+  else if (idx == 0 && (storing_zero_p || storing_nonzero_p))
     {
       if (ssaname)
-	{
-	  si = zero_length_string (ssaname, NULL);
-	  if (si != NULL)
-	    si->dont_invalidate = true;
-	}
+	idx = new_stridx (ssaname);
       else
+	idx = new_addr_stridx (lhs);
+      if (idx != 0)
 	{
-	  int idx = new_addr_stridx (lhs);
-	  if (idx != 0)
-	    {
-	      si = new_strinfo (build_fold_addr_expr (lhs), idx,
-				build_int_cst (size_type_node, 0));
-	      set_strinfo (idx, si);
-	      si->dont_invalidate = true;
-	    }
+	  tree ptr = (ssaname ? ssaname : build_fold_addr_expr (lhs));
+	  tree len = storing_nonzero_p ? size_one_node : size_zero_node;
+	  si = new_strinfo (ptr, idx, len, storing_zero_p);
+	  set_strinfo (idx, si);
+	  if (storing_zero_p
+	      && ssaname
+	      && !SSA_NAME_OCCURS_IN_ABNORMAL_PHI (ssaname))
+	    si->endptr = ssaname;
+	  si->dont_invalidate = true;
+	  si->writable = true;
 	}
-      if (si != NULL)
-	si->writable = true;
     }
   else if (idx == 0
 	   && TREE_CODE (gimple_assign_rhs1 (stmt)) == STRING_CST
@@ -2220,14 +2363,14 @@ handle_char_store (gimple_stmt_iterator
 	  if (idx != 0)
 	    {
 	      si = new_strinfo (build_fold_addr_expr (lhs), idx,
-				build_int_cst (size_type_node, l));
+				build_int_cst (size_type_node, l), true);
 	      set_strinfo (idx, si);
 	      si->dont_invalidate = true;
 	    }
 	}
     }
 
-  if (si != NULL && initializer_zerop (gimple_assign_rhs1 (stmt)))
+  if (si != NULL && offset == 0 && storing_zero_p)
     {
       /* Allow adjust_last_stmt to remove it if the stored '\0'
 	 is immediately overwritten.  */
Index: gcc/testsuite/gcc.dg/strlenopt-32.c
===================================================================
--- /dev/null	2017-05-16 16:51:34.993412001 +0100
+++ gcc/testsuite/gcc.dg/strlenopt-32.c	2017-05-17 07:33:03.919877480 +0100
@@ -0,0 +1,193 @@
+/* { dg-do run } */
+/* { dg-options "-O2 -fdump-tree-strlen" } */
+
+#include "strlenopt.h"
+
+char temp[30];
+volatile int v;
+
+size_t __attribute__ ((noinline, noclone))
+f1 (void)
+{
+  char a[30];
+  v += 1;
+  memcpy (a, "1234567", 7);
+  memcpy (a + 7, "89abcdefg", 9);
+  memcpy (a + 16, "h", 2);
+  return strlen (a);	// This strlen should be optimized into 17.
+}
+
+size_t __attribute__ ((noinline, noclone))
+f2 (char *a)
+{
+  v += 2;
+  memcpy (a, "1234567", 7);
+  memcpy (a + 7, "89abcdefg", 9);
+  memcpy (a + 16, "h", 2);
+  return strlen (a);	// This strlen should be optimized into 17.
+}
+
+size_t __attribute__ ((noinline, noclone))
+f3 (void)
+{
+  char a[30];
+  v += 3;
+  a[0] = '1';
+  memcpy (a + 1, "2345678", 8);
+  return strlen (a);	// This strlen should be optimized into 8.
+}
+
+size_t __attribute__ ((noinline, noclone))
+f4 (char *a)
+{
+  v += 4;
+  a[0] = '1';
+  memcpy (a + 1, "2345678", 8);
+  return strlen (a);	// This strlen should be optimized into 8.
+}
+
+size_t __attribute__ ((noinline, noclone))
+f5 (void)
+{
+  char a[30];
+  v += 5;
+  a[0] = '1';
+  a[1] = '2';
+  a[2] = '3';
+  memcpy (a + 3, "456", 3);
+  a[6] = '7';
+  a[7] = 0;
+  return strlen (a);	// This strlen should be optimized into 7.
+}
+
+size_t __attribute__ ((noinline, noclone))
+f6 (char *a)
+{
+  v += 6;
+  a[0] = '1';
+  a[1] = '2';
+  a[2] = '3';
+  memcpy (a + 3, "456", 3);
+  a[6] = '7';
+  a[7] = 0;
+  return strlen (a);	// This strlen should be optimized into 7.
+}
+
+size_t __attribute__ ((noinline, noclone))
+f7 (void)
+{
+  char a[30];
+  v += 7;
+  strcpy (a, "abcde");
+  int len1 = strlen (a);
+  a[2] = '_';
+  int len2 = strlen (a);
+  return len1 + len2;	// This should be optimized into 10.
+}
+
+size_t __attribute__ ((noinline, noclone))
+f8 (char *a)
+{
+  v += 8;
+  strcpy (a, "abcde");
+  int len1 = strlen (a);
+  a[2] = '_';
+  int len2 = strlen (a);
+  return len1 + len2;	// This should be optimized into 10.
+}
+
+size_t __attribute__ ((noinline, noclone))
+f9 (char b)
+{
+  char a[30];
+  v += 9;
+  strcpy (a, "foo.bar");
+  a[4] = b;
+  a[3] = 0;
+  return strlen (a);	// This should be optimized into 3.
+}
+
+size_t __attribute__ ((noinline, noclone))
+f10 (char *a, char b)
+{
+  v += 10;
+  strcpy (a, "foo.bar");
+  a[4] = b;
+  a[3] = 0;
+  return strlen (a);	// This should be optimized into 3.
+}
+
+size_t __attribute__ ((noinline, noclone))
+f11 (void)
+{
+  char a[30];
+  v += 11;
+  strcpy (temp, "123456");
+  memcpy (a, temp, 7);
+  return strlen (a);	// This should be optimized into 6.
+}
+
+size_t __attribute__ ((noinline, noclone))
+f12 (char *a)
+{
+  v += 12;
+  strcpy (temp, "123456");
+  memcpy (a, temp, 7);
+  return strlen (a);	// This should be optimized into 6.
+}
+
+size_t __attribute__ ((noinline, noclone))
+f13 (void)
+{
+  char a[30];
+  v += 13;
+  strcpy (temp, "1234567");
+  memcpy (a, temp, 7);
+  a[7] = 0;
+  return strlen (a);	// This should be optimized into 7.
+}
+
+size_t __attribute__ ((noinline, noclone))
+f14 (char *a)
+{
+  v += 14;
+  strcpy (temp, "1234567");
+  memcpy (a, temp, 7);
+  a[7] = 0;
+  return strlen (a);	// This should be optimized into 7.
+}
+
+size_t __attribute__ ((noinline, noclone))
+f15 (void)
+{
+  char a[30];
+  v += 15;
+  strcpy (temp, "12345679");
+  memcpy (a, temp, 7);
+  a[7] = 0;
+  return strlen (a);	// This should be optimized into 7.
+}
+
+size_t __attribute__ ((noinline, noclone))
+f16 (char *a)
+{
+  v += 16;
+  strcpy (temp, "123456789");
+  memcpy (a, temp, 7);
+  a[7] = 0;
+  return strlen (a);	// This should be optimized into 7.
+}
+
+int
+main ()
+{
+  char a[30];
+  if (f1 () != 17 || f2 (a) != 17 || f3 () != 8 || f4 (a) != 8
+      || f5 () != 7 || f6 (a) != 7 || f7 () != 10 || f8 (a) != 10
+      || f9 ('_') != 3 || f10 (a, '_') != 3 || f11 () != 6 || f12 (a) != 6
+      || f13 () != 7 || f14 (a) != 7 || f15 () != 7 || f16 (a) != 7)
+    abort ();
+  return 0;
+}
+
+/* { dg-final { scan-tree-dump-times "strlen \\(" 0 "strlen" } } */
Index: gcc/testsuite/gcc.dg/strlenopt-33.c
===================================================================
--- /dev/null	2017-05-16 16:51:34.993412001 +0100
+++ gcc/testsuite/gcc.dg/strlenopt-33.c	2017-05-17 07:33:03.919877480 +0100
@@ -0,0 +1,42 @@
+/* { dg-do run } */
+/* { dg-options "-O2 -fdump-tree-strlen" } */
+
+#include "strlenopt.h"
+
+volatile int v;
+
+size_t __attribute__ ((noinline, noclone))
+f1 (char *b)
+{
+  char a[30];
+  v += 1;
+  strcpy (a, b);
+  // This needs to stay.
+  int len1 = strlen (a);
+  a[0] = '_';
+  a[1] = 0;
+  return len1 + strlen (a);
+}
+
+size_t __attribute__ ((noinline, noclone))
+f2 (char *a, char *b)
+{
+  v += 2;
+  strcpy (a, b);
+  // This needs to stay.
+  int len1 = strlen (a);
+  a[0] = '_';
+  a[1] = 0;
+  return len1 + strlen (a);
+}
+
+int
+main ()
+{
+  char a[30];
+  if (f1 ("foo") != 4 || f2 (a, "foobar") != 7)
+    abort ();
+  return 0;
+}
+
+/* { dg-final { scan-tree-dump-times "strlen \\(" 2 "strlen" } } */
Index: gcc/testsuite/gcc.dg/strlenopt-33g.c
===================================================================
--- /dev/null	2017-05-16 16:51:34.993412001 +0100
+++ gcc/testsuite/gcc.dg/strlenopt-33g.c	2017-05-17 07:33:03.919877480 +0100
@@ -0,0 +1,45 @@
+/* { dg-do run { target *-*-linux* *-*-gnu* } } */
+/* { dg-do run } */
+/* { dg-options "-O2 -fdump-tree-strlen" } */
+
+#define USE_GNU
+#include "strlenopt.h"
+
+volatile int v;
+
+size_t __attribute__ ((noinline, noclone))
+f1 (char *b)
+{
+  char a[30];
+  v += 1;
+  // Should be converted to stpcpy.
+  strcpy (a, b);
+  int len1 = strlen (a);
+  a[0] = '_';
+  a[1] = 0;
+  return len1 + strlen (a);
+}
+
+size_t __attribute__ ((noinline, noclone))
+f2 (char *a, char *b)
+{
+  v += 2;
+  // Should be converted to stpcpy.
+  strcpy (a, b);
+  int len1 = strlen (a);
+  a[0] = '_';
+  a[1] = 0;
+  return len1 + strlen (a);
+}
+
+int
+main ()
+{
+  char a[30];
+  if (f1 ("foo") != 4 || f2 (a, "foobar") != 7)
+    abort ();
+  return 0;
+}
+
+/* { dg-final { scan-tree-dump-times "strlen \\(" 0 "strlen" } } */
+/* { dg-final { scan-tree-dump-times "stpcpy \\(" 2 "strlen" } } */
Index: gcc/testsuite/gcc.dg/strlenopt-34.c
===================================================================
--- /dev/null	2017-05-16 16:51:34.993412001 +0100
+++ gcc/testsuite/gcc.dg/strlenopt-34.c	2017-05-17 07:33:14.155034020 +0100
@@ -0,0 +1,38 @@
+/* { dg-do run } */
+/* { dg-options "-O2 -fdump-tree-strlen" } */
+
+#include "strlenopt.h"
+
+volatile int v;
+
+size_t __attribute__ ((noinline, noclone))
+f1 (char b)
+{
+  char a[30];
+  v += 1;
+  strcpy (a, "foo.bar");
+  a[3] = b;
+  a[4] = 0;
+  return strlen (a);
+}
+
+size_t __attribute__ ((noinline, noclone))
+f2 (char *a, char b)
+{
+  v += 2;
+  strcpy (a, "foo.bar");
+  a[3] = b;
+  a[4] = 0;
+  return strlen (a);
+}
+
+int
+main ()
+{
+  char a[30];
+  if (f1 ('_') != 4 || f1 (0) != 3 || f2 (a, '_') != 4 || f2 (a, 0) != 3)
+    abort ();
+  return 0;
+}
+
+/* { dg-final { scan-tree-dump-times "strlen \\(" 2 "strlen" } } */
Index: gcc/testsuite/gcc.dg/strlenopt-35.c
===================================================================
--- /dev/null	2017-05-16 16:51:34.993412001 +0100
+++ gcc/testsuite/gcc.dg/strlenopt-35.c	2017-05-17 07:33:03.919877480 +0100
@@ -0,0 +1,31 @@
+/* { dg-do run } */
+/* { dg-options "-O2 -fdump-tree-strlen" } */
+
+#include "strlenopt.h"
+
+volatile int v;
+
+size_t
+f1 (char *a1)
+{
+  v += 1;
+  size_t x = strlen (a1);
+  char *a2 = a1 + x;
+  a2[0] = '1';
+  a2[1] = '2';
+  a2[2] = '3';
+  a2[3] = 0;
+  return strlen (a1);
+}
+
+int
+main ()
+{
+  char a[30];
+  strcpy (a, "abcd");
+  if (f1 (a) != 7)
+    abort ();
+  return 0;
+}
+
+/* { dg-final { scan-tree-dump-times "strlen \\(" 1 "strlen" } } */

^ permalink raw reply	[flat|nested] 14+ messages in thread

* Re: Make tree-ssa-strlen.c handle partial unterminated strings
  2017-05-17  7:21         ` Richard Sandiford
@ 2017-05-23 10:17           ` Jakub Jelinek
  0 siblings, 0 replies; 14+ messages in thread
From: Jakub Jelinek @ 2017-05-23 10:17 UTC (permalink / raw)
  To: gcc-patches, richard.sandiford

On Wed, May 17, 2017 at 07:52:38AM +0100, Richard Sandiford wrote:
> 2017-05-17  Richard Sandiford  <richard.sandiford@linaro.org>
> 
> gcc/
> 	* tree-ssa-strlen.c (strinfo): Rename the length field to
> 	nonzero_chars.  Add a full_string_p field.
> 	(compare_nonzero_chars, zero_length_string_p): New functions.
> 	(get_addr_stridx): Add an offset_out parameter.
> 	Use compare_nonzero_chars.
> 	(get_stridx): Update accordingly.  Use compare_nonzero_chars.
> 	(new_strinfo): Update after above changes to strinfo.
> 	(set_endptr_and_length): Set full_string_p.
> 	(get_string_length): Update after above changes to strinfo.
> 	(unshare_strinfo): Update call to new_strinfo.
> 	(maybe_invalidate): Likewise.
> 	(get_stridx_plus_constant): Change off to unsigned HOST_WIDE_INT.
> 	Use compare_nonzero_chars and zero_string_p.  Treat nonzero_chars
> 	as a uhwi instead of an shwi.  Update after above changes to
> 	strinfo and new_strinfo.
> 	(zero_length_string): Assert that chainsi contains full strings.
> 	Use zero_length_string_p.  Update call to new_strinfo.
> 	(adjust_related_strinfos): Update after above changes to strinfo.
> 	Copy full_string_p from origsi.
> 	(adjust_last_stmt): Use zero_length_string_p.
> 	(handle_builtin_strlen): Update after above changes to strinfo and
> 	new_strinfo.  Install the lhs as the string length if the previous
> 	entry didn't describe a full string.
> 	(handle_builtin_strchr): Update after above changes to strinfo
> 	and new_strinfo.
> 	(handle_builtin_strcpy): Likewise.
> 	(handle_builtin_strcat): Likewise.
> 	(handle_builtin_malloc): Likewise.
> 	(handle_pointer_plus): Likewise.
> 	(handle_builtin_memcpy): Likewise.  Track nonzero characters
> 	that aren't necessarily followed by a nul terminator.
> 	(handle_char_store): Likewise.
> 
> gcc/testsuite/
> 	* gcc.dg/strlenopt-32.c: New testcase.
> 	* gcc.dg/strlenopt-33.c: Likewise.
> 	* gcc.dg/strlenopt-33g.c: Likewise.
> 	* gcc.dg/strlenopt-34.c: Likewise.
> 	* gcc.dg/strlenopt-35.c: Likewise.

Ok, with a small nit.

> @@ -501,8 +550,8 @@ set_endptr_and_length (location_t loc, s
>  static tree
>  get_string_length (strinfo *si)
>  {
> -  if (si->length)
> -    return si->length;
> +  if (si->nonzero_chars)
> +    return si->full_string_p ? si->nonzero_chars : NULL;

This should be NULL_TREE.
>  
>    if (si->stmt)
>      {
> @@ -595,19 +644,19 @@ get_string_length (strinfo *si)
>  	  for (strinfo *chainsi = verify_related_strinfos (si);
>  	       chainsi != NULL;
>  	       chainsi = get_next_strinfo (chainsi))
> -	    if (chainsi->length == NULL)
> +	    if (chainsi->nonzero_chars == NULL)

and this actually too (though it is preexisting).

For future work, it would be nice if we could handle not just
memcpy and single character stores, but also cases where a memcpy
is folded into a store of couple of adjacent bytes, say
MEM_REF[ptr, 0] = 0x12345678;
is storing 4 non-zero bytes, while = 0x345678; would be zero nonzero_chars +
full_string_p for big endian and 3 non-zero bytes plus zero byte on little
endian.  One could use native_encode_expr on the rhs and then determine the
nonzero count at the start and optional presence of a zero char afterwards.

	Jakub

^ permalink raw reply	[flat|nested] 14+ messages in thread

end of thread, other threads:[~2017-05-23 10:10 UTC | newest]

Thread overview: 14+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2017-05-05 12:02 Make tree-ssa-strlen.c handle partial unterminated strings Richard Sandiford
2017-05-05 15:55 ` Andi Kleen
2017-05-05 15:57   ` Jakub Jelinek
2017-05-05 16:29     ` Martin Sebor
2017-05-05 16:38       ` Jakub Jelinek
2017-05-05 16:49         ` Martin Sebor
2017-05-05 16:43       ` Jeff Law
2017-05-05 16:02 ` Jakub Jelinek
2017-05-07 10:18   ` Richard Sandiford
2017-05-10 14:18     ` Jakub Jelinek
2017-05-10 19:57       ` Richard Sandiford
2017-05-17  7:21         ` Richard Sandiford
2017-05-23 10:17           ` Jakub Jelinek
2017-05-05 16:10 ` Martin Sebor

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).