[PATCH 1/2] analyzer: g++ testsuite support

[PATCH 1/2] analyzer: g++ testsuite support

[David Malcolm]

PR analyzer/93288 reports a C++-specific ICE with -fanalyzer.

This patch creates the beginnings of a C++ test suite for the analyzer,
so that there's a place to put test coverage for the fix.
It adds a regression test for PR analyzer/93212, an ICE fixed
in r10-5970-g32077b693df8e3ed0424031a322df23822bf2f7e.

Successfully regrtested on x86_64-pc-linux-gnu (in conjunction with
the second patch).

OK for master?

gcc/testsuite/ChangeLog:
	PR analyzer/93212
	* g++.dg/analyzer/analyzer.exp: New subdirectory and .exp suite.
	* g++.dg/analyzer/malloc.C: New test.
	* g++.dg/analyzer/pr93212.C: New test.
---
 gcc/testsuite/g++.dg/analyzer/analyzer.exp | 49 ++++++++++++++++++++++
 gcc/testsuite/g++.dg/analyzer/malloc.C     |  9 ++++
 gcc/testsuite/g++.dg/analyzer/pr93212.C    | 17 ++++++++
 3 files changed, 75 insertions(+)
 create mode 100644 gcc/testsuite/g++.dg/analyzer/analyzer.exp
 create mode 100644 gcc/testsuite/g++.dg/analyzer/malloc.C
 create mode 100644 gcc/testsuite/g++.dg/analyzer/pr93212.C

diff --git a/gcc/testsuite/g++.dg/analyzer/analyzer.exp b/gcc/testsuite/g++.dg/analyzer/analyzer.exp
new file mode 100644
index 00000000000..60262f678ee
--- /dev/null
+++ b/gcc/testsuite/g++.dg/analyzer/analyzer.exp
@@ -0,0 +1,49 @@
+#   Copyright (C) 2020 Free Software Foundation, Inc.
+
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation; either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with GCC; see the file COPYING3.  If not see
+# <http://www.gnu.org/licenses/>.
+
+# G++ testsuite that uses the `dg.exp' driver.
+
+# Load support procs.
+load_lib g++-dg.exp
+
+# If the analyzer has not been enabled, bail.
+if { ![check_effective_target_analyzer] } {
+    return
+}
+
+if [info exists DEFAULT_CXXFLAGS] then {
+  set save_default_cxxflags $DEFAULT_CXXFLAGS
+}
+
+# If a testcase doesn't have special options, use these.
+set DEFAULT_CXXFLAGS " -fanalyzer -fdiagnostics-path-format=separate-events -Wanalyzer-too-complex -fanalyzer-call-summaries"
+
+# Initialize `dg'.
+dg-init
+
+# Main loop.
+set tests [lsort [glob -nocomplain $srcdir/$subdir/*.C]]
+
+g++-dg-runtest $tests "" $DEFAULT_CXXFLAGS
+
+# All done.
+dg-finish
+
+if [info exists save_default_cxxflags] {
+  set DEFAULT_CXXFLAGS $save_default_cxxflags
+} else {
+  unset DEFAULT_CXXFLAGS
+}
diff --git a/gcc/testsuite/g++.dg/analyzer/malloc.C b/gcc/testsuite/g++.dg/analyzer/malloc.C
new file mode 100644
index 00000000000..0637295e1f2
--- /dev/null
+++ b/gcc/testsuite/g++.dg/analyzer/malloc.C
@@ -0,0 +1,9 @@
+// { dg-do compile }
+
+#include <stdlib.h>
+
+void test_1 (void *ptr)
+{
+  free (ptr);
+  free (ptr); /* { dg-warning "double-'free' of 'ptr'" } */
+}
diff --git a/gcc/testsuite/g++.dg/analyzer/pr93212.C b/gcc/testsuite/g++.dg/analyzer/pr93212.C
new file mode 100644
index 00000000000..cfbb42d2275
--- /dev/null
+++ b/gcc/testsuite/g++.dg/analyzer/pr93212.C
@@ -0,0 +1,17 @@
+// { dg-do compile { target c++11 } }
+
+#include <iostream>
+auto lol()
+{
+    int aha = 3;
+    return [&aha] {
+        return aha;
+    };
+}
+
+int main()
+{
+    auto lambda = lol();
+    std::cout << lambda() << std::endl;
+    return 0;
+}
-- 
2.21.0

[PATCH 2/2] analyzer: use ultimate alias target at calls (PR 93288)

[David Malcolm]

PR analyzer/93288 reports an ICE in a C++ testcase when calling a
constructor.

The issue is that when building the supergraph, we encounter the
cgraph edge to "__ct_comp ", the DECL_COMPLETE_CONSTRUCTOR_P, and
this node's DECL_STRUCT_FUNCTION has a NULL CFG, which the analyzer
reads through, leading to the ICE.

This patch reworks function and fndecl lookup at calls throughout the
analyzer so that it looks for the ultimate_alias_target of the callee.
In the case above, this means using the "__ct_base " for the ctor,
which has a CFG, fixing the ICE.

Getting this right allows for some simple C++ cases involving ctors to
work, so the patch also adds some test coverage for that.

Successfully bootstrapped & regrtested on x86_64-pc-linux-gnu.

gcc/analyzer/ChangeLog:
	PR analyzer/93288
	* analysis-plan.cc (analysis_plan::use_summary_p): Look through
	the ultimate_alias_target when getting the called function.
	* engine.cc (exploded_node::on_stmt): Rename second "ctxt" to
	"sm_ctxt".  Use the region_model's get_fndecl_for_call rather than
	gimple_call_fndecl.
	* region-model.cc (region_model::get_fndecl_for_call): Use
	ultimate_alias_target on fndecl.
	* supergraph.cc (get_ultimate_function_for_cgraph_edge): New
	function.
	(supergraph_call_edge): Use it when rejecting edges without
	functions.
	(supergraph::supergraph): Use it to get the function for the
	cgraph_edge when building interprocedural superedges.
	(callgraph_superedge::get_callee_function):  Use it.
	* supergraph.h (supergraph::get_num_snodes): Make param const.
	(supergraph::function_to_num_snodes_t): Make first type param
	const.

gcc/testsuite/ChangeLog:
	PR analyzer/93288
	* g++.dg/analyzer/malloc.C: Add test coverage for a double-free
	called in a constructor.
	* g++.dg/analyzer/pr93288.C: New test.
---
 gcc/analyzer/analysis-plan.cc           |  6 +++++-
 gcc/analyzer/engine.cc                  | 12 +++++------
 gcc/analyzer/region-model.cc            |  5 ++++-
 gcc/analyzer/supergraph.cc              | 28 +++++++++++++++++++------
 gcc/analyzer/supergraph.h               |  4 ++--
 gcc/testsuite/g++.dg/analyzer/malloc.C  | 16 ++++++++++++++
 gcc/testsuite/g++.dg/analyzer/pr93288.C |  8 +++++++
 7 files changed, 63 insertions(+), 16 deletions(-)
 create mode 100644 gcc/testsuite/g++.dg/analyzer/pr93288.C

diff --git a/gcc/analyzer/analysis-plan.cc b/gcc/analyzer/analysis-plan.cc
index 8ad2fa2ebb4..3c8b10b3314 100644
--- a/gcc/analyzer/analysis-plan.cc
+++ b/gcc/analyzer/analysis-plan.cc
@@ -120,7 +120,11 @@ analysis_plan::use_summary_p (const cgraph_edge *edge) const
 
   /* Require the callee to be sufficiently complex to be worth
      summarizing.  */
-  if ((int)m_sg.get_num_snodes (callee->get_fun ())
+  const function *fun
+    = const_cast <cgraph_node *> (callee)->ultimate_alias_target ()->get_fun ();
+  /* TODO(stage1): can ultimate_alias_target be made const?  */
+
+  if ((int)m_sg.get_num_snodes (fun)
       < param_analyzer_min_snodes_for_call_summary)
     return false;
 
diff --git a/gcc/analyzer/engine.cc b/gcc/analyzer/engine.cc
index 63579da953a..c4d7088d3e9 100644
--- a/gcc/analyzer/engine.cc
+++ b/gcc/analyzer/engine.cc
@@ -1044,19 +1044,19 @@ exploded_node::on_stmt (exploded_graph &eg,
       const sm_state_map *old_smap
 	= old_state.m_checker_states[sm_idx];
       sm_state_map *new_smap = state->m_checker_states[sm_idx];
-      impl_sm_context ctxt (eg, sm_idx, sm, this, &old_state, state,
-			    change,
-			    old_smap, new_smap);
+      impl_sm_context sm_ctxt (eg, sm_idx, sm, this, &old_state, state,
+			       change,
+			       old_smap, new_smap);
       /* Allow the state_machine to handle the stmt.  */
-      if (sm.on_stmt (&ctxt, snode, stmt))
+      if (sm.on_stmt (&sm_ctxt, snode, stmt))
 	unknown_side_effects = false;
       else
 	{
 	  /* For those stmts that were not handled by the state machine.  */
 	  if (const gcall *call = dyn_cast <const gcall *> (stmt))
 	    {
-	      tree callee_fndecl = gimple_call_fndecl (call);
-	      // TODO: maybe we can be smarter about handling function pointers?
+	      tree callee_fndecl
+		= state->m_region_model->get_fndecl_for_call (call, &ctxt);
 
 	      if (!fndecl_has_gimple_body_p (callee_fndecl))
 		new_smap->purge_for_unknown_fncall (eg, sm, call, callee_fndecl,
diff --git a/gcc/analyzer/region-model.cc b/gcc/analyzer/region-model.cc
index 61390aa4cd1..0ae7536a032 100644
--- a/gcc/analyzer/region-model.cc
+++ b/gcc/analyzer/region-model.cc
@@ -6665,7 +6665,10 @@ region_model::get_fndecl_for_call (const gcall *call,
       if (code)
 	{
 	  tree fn_decl = code->get_tree_for_child_region (fn_rid);
-	  return fn_decl;
+	  const cgraph_node *ultimate_node
+	    = cgraph_node::get (fn_decl)->ultimate_alias_target ();
+	  if (ultimate_node)
+	    return ultimate_node->decl;
 	}
     }
 
diff --git a/gcc/analyzer/supergraph.cc b/gcc/analyzer/supergraph.cc
index b20daa081d2..fb4dbdfd8b9 100644
--- a/gcc/analyzer/supergraph.cc
+++ b/gcc/analyzer/supergraph.cc
@@ -56,6 +56,18 @@ along with GCC; see the file COPYING3.  If not see
 
 namespace ana {
 
+/* Get the function of the ultimate alias target being called at EDGE,
+   if any.  */
+
+static function *
+get_ultimate_function_for_cgraph_edge (cgraph_edge *edge)
+{
+  cgraph_node *ultimate_node = edge->callee->ultimate_alias_target ();
+  if (!ultimate_node)
+    return NULL;
+  return ultimate_node->get_fun ();
+}
+
 /* Get the cgraph_edge, but only if there's an underlying function body.  */
 
 cgraph_edge *
@@ -69,7 +81,7 @@ supergraph_call_edge (function *fun, gimple *stmt)
     return NULL;
   if (!edge->callee)
     return NULL; /* e.g. for a function pointer.  */
-  if (!edge->callee->get_fun ())
+  if (!get_ultimate_function_for_cgraph_edge (edge))
     return NULL;
   return edge;
 }
@@ -178,8 +190,10 @@ supergraph::supergraph (logger *logger)
 	{
 	  cgraph_edge *edge = (*iter).first;
 	  supernode *caller_prev_supernode = (*iter).second;
-	  basic_block callee_cfg_block
-	    = ENTRY_BLOCK_PTR_FOR_FN (edge->callee->get_fun ());
+	  function* callee_fn = get_ultimate_function_for_cgraph_edge (edge);
+	  if (!callee_fn || !callee_fn->cfg)
+	    continue;
+	  basic_block callee_cfg_block = ENTRY_BLOCK_PTR_FOR_FN (callee_fn);
 	  supernode *callee_supernode
 	    = *m_bb_to_initial_node.get (callee_cfg_block);
 	  call_superedge *sedge
@@ -199,8 +213,10 @@ supergraph::supergraph (logger *logger)
 	{
 	  cgraph_edge *edge = (*iter).first;
 	  supernode *caller_next_supernode = (*iter).second;
-	  basic_block callee_cfg_block
-	    = EXIT_BLOCK_PTR_FOR_FN (edge->callee->get_fun ());
+	  function* callee_fn = get_ultimate_function_for_cgraph_edge (edge);
+	  if (!callee_fn || !callee_fn->cfg)
+	    continue;
+	  basic_block callee_cfg_block = EXIT_BLOCK_PTR_FOR_FN (callee_fn);
 	  supernode *callee_supernode
 	    = *m_bb_to_initial_node.get (callee_cfg_block);
 	  return_superedge *sedge
@@ -840,7 +856,7 @@ callgraph_superedge::dump_label_to_pp (pretty_printer *pp,
 function *
 callgraph_superedge::get_callee_function () const
 {
-  return m_cedge->callee->get_fun ();
+  return get_ultimate_function_for_cgraph_edge (m_cedge);
 }
 
 /* Get the calling function at this interprocedural call/return edge.  */
diff --git a/gcc/analyzer/supergraph.h b/gcc/analyzer/supergraph.h
index 0eac0b8bfc9..2c94f0544ce 100644
--- a/gcc/analyzer/supergraph.h
+++ b/gcc/analyzer/supergraph.h
@@ -156,7 +156,7 @@ public:
     return m_nodes[idx];
   }
 
-  unsigned get_num_snodes (function *fun) const
+  unsigned get_num_snodes (const function *fun) const
   {
     function_to_num_snodes_t &map
       = const_cast <function_to_num_snodes_t &>(m_function_to_num_snodes);
@@ -201,7 +201,7 @@ private:
   typedef ordered_hash_map<gimple *, supernode *> stmt_to_node_t;
   stmt_to_node_t m_stmt_to_node_t;
 
-  typedef hash_map<function *, unsigned> function_to_num_snodes_t;
+  typedef hash_map<const function *, unsigned> function_to_num_snodes_t;
   function_to_num_snodes_t m_function_to_num_snodes;
 };
 
diff --git a/gcc/testsuite/g++.dg/analyzer/malloc.C b/gcc/testsuite/g++.dg/analyzer/malloc.C
index 0637295e1f2..76baab98222 100644
--- a/gcc/testsuite/g++.dg/analyzer/malloc.C
+++ b/gcc/testsuite/g++.dg/analyzer/malloc.C
@@ -7,3 +7,19 @@ void test_1 (void *ptr)
   free (ptr);
   free (ptr); /* { dg-warning "double-'free' of 'ptr'" } */
 }
+
+/* Test of double-free in ctor.  */
+
+struct s2
+{
+  s2 (void *v)
+  {
+    free (v); // { dg-warning "double-'free' of 'v'" }
+  }
+};
+
+void test_2 (void *ptr)
+{
+  free (ptr); // { dg-message "first 'free' here" }
+  s2 a (ptr); // { dg-message "passing freed pointer 'ptr' in call to 's2::s2' from 'test_2'" }
+}
diff --git a/gcc/testsuite/g++.dg/analyzer/pr93288.C b/gcc/testsuite/g++.dg/analyzer/pr93288.C
new file mode 100644
index 00000000000..1798fed805f
--- /dev/null
+++ b/gcc/testsuite/g++.dg/analyzer/pr93288.C
@@ -0,0 +1,8 @@
+// { dg-do compile }
+
+struct a {
+  a();
+};
+class foo {
+  a b;
+} c;
-- 
2.21.0

Re: [PATCH 1/2] analyzer: g++ testsuite support

[Mike Stump]

On Feb 6, 2020, at 12:27 PM, David Malcolm <dmalcolm@redhat.com> wrote:
> 
> PR analyzer/93288 reports a C++-specific ICE with -fanalyzer.
> 
> This patch creates the beginnings of a C++ test suite for the analyzer,
> so that there's a place to put test coverage for the fix.
> It adds a regression test for PR analyzer/93212, an ICE fixed
> in r10-5970-g32077b693df8e3ed0424031a322df23822bf2f7e.
> 
> Successfully regrtested on x86_64-pc-linux-gnu (in conjunction with
> the second patch).
> 
> OK for master?

Ok.  You can self approve all the usual and customary things...

testsuite: Fix g++.dg/analyzer/pr93212.C with check-c++-all

[Jakub Jelinek]

On Thu, Feb 06, 2020 at 03:27:29PM -0500, David Malcolm wrote:
> gcc/testsuite/ChangeLog:
> 	PR analyzer/93212
> 	* g++.dg/analyzer/analyzer.exp: New subdirectory and .exp suite.
> 	* g++.dg/analyzer/malloc.C: New test.
> 	* g++.dg/analyzer/pr93212.C: New test.

The test FAILs with c++11:
.../gcc/testsuite/g++.dg/analyzer/pr93212.C:4:1: error: 'lol' function uses 'auto' type specifier without trailing return type
.../gcc/testsuite/g++.dg/analyzer/pr93212.C:4:1: note: deduced return type only available with '-std=c++14' or '-std=gnu++14'

Fixed thusly, regtested on x86_64-linux, committed to trunk as obvious.

2020-02-13  Jakub Jelinek  <jakub@redhat.com>

	* g++.dg/analyzer/pr93212.C: Require c++14 rather than c++11.

--- gcc/testsuite/g++.dg/analyzer/pr93212.C
+++ gcc/testsuite/g++.dg/analyzer/pr93212.C
@@ -1,4 +1,4 @@
-// { dg-do compile { target c++11 } }
+// { dg-do compile { target c++14 } }
 
 #include <iostream>
 auto lol()

	Jakub

Re: testsuite: Fix g++.dg/analyzer/pr93212.C with check-c++-all

[David Malcolm]

On Thu, 2020-02-13 at 08:11 +0100, Jakub Jelinek wrote:
> On Thu, Feb 06, 2020 at 03:27:29PM -0500, David Malcolm wrote:
> > gcc/testsuite/ChangeLog:
> > 	PR analyzer/93212
> > 	* g++.dg/analyzer/analyzer.exp: New subdirectory and .exp
> > suite.
> > 	* g++.dg/analyzer/malloc.C: New test.
> > 	* g++.dg/analyzer/pr93212.C: New test.
> 
> The test FAILs with c++11:
> .../gcc/testsuite/g++.dg/analyzer/pr93212.C:4:1: error: 'lol'
> function uses 'auto' type specifier without trailing return type
> .../gcc/testsuite/g++.dg/analyzer/pr93212.C:4:1: note: deduced return
> type only available with '-std=c++14' or '-std=gnu++14'
> 
> Fixed thusly, regtested on x86_64-linux, committed to trunk as
> obvious.

Thanks Jakub, and sorry for the failure.

I did some digging into why this got through my testing.

My standard patch testing involves a bootstrap build with these three
Makefile targets in sequence:

  make all
  make install
  make check

each teed to a logfile, and with a suitable -j

I hadn't noticed the check-c++-all in cp/Make-lang.in.

I've been using "--target_board=unix\{-m32,-m64\}" in my RUNTESTFLAGS
during development of a patch, but I notice now that I didn't have it
in my bootstrap testing.  I've fixed that, and added check-c++-all.

Are there any other Makefile targets I should be testing with?


Thanks
Dave