public inbox for gcc-patches@gcc.gnu.org
* [committed] analyzer: rewrite of region and value-handling
@ 2020-08-13 20:58 David Malcolm
  2020-08-14  7:22 ` Martin Liška
  2020-08-14  8:49 ` Christophe Lyon
  0 siblings, 2 replies; 9+ messages in thread
From: David Malcolm @ 2020-08-13 20:58 UTC
  To: gcc-patches


This large patch reimplements how the analyzer tracks regions and
values.

Elimination of region_id and svalue_id
**************************************

The patch eliminates region_id and svalue_id in favor of simply
using pointers.  I'd hoped that the ID classes would make it easier
to compare states, avoiding having to compare long hexadecimal addresses
in favor of small integers.  Unfortunately it added lots of complexity,
with the need to remap IDs when comparing or purging states, and the
need to "canonicalize" when comparing states.

Various "state explosion" bugs in the old implementation were due to
failures in canonicalization, where two states that ought to be equal
were non-equal due to differences in ID ordering.  I spent a lot of
time trying to fix canonicalization bugs, and there always seemed to
be one more bug.  By eliminating IDs in this new implementation, lots
of tricky canonicalization goes away and no ID remapping should be
needed; almost all of the old validation code becomes redundant.
There's still some canonicalization in the new implementation, mostly
in constraint_manager, but much less than before.

Ownership of regions and svalues
********************************

In the old implementation, each region_model had its own copies of
regions and svalues, so there was heap bloat and churn as lots of
little objects were cloned when copying program_state instances.  In the
new implementation the regions and svalues are immutable and are shared
throughout the analysis, rather than being per region_model.  They are
owned by a manager class, and are effectively singletons.  Region and
svalue instances can now be compared by pointer rather than by comparing
their fields (the manager class takes care of uniqueness).

This is a huge simplification, and (I hope) will avoid lots
of heap churn as states are copied; all mutable state from regions and
svalues is now stored in a "store" class in the region_model.

Changes to the meaning of a "region"
************************************

Region subclasses no longer represent internal structure, but instead
represent how the regions are reached.  So e.g. a global "struct coord
c;" is now a decl_region, rather than a struct_region.

In the old implementation, the values for each region were stored in the
region instances, but in the new implementation the regions are immutable.
Memory is now modeled in a new "store" class: a mapping from keys to
svalues, where the keys are both concrete bit-offsets from the start of
a "base region", and "symbolic" keys (thus hopefully making unions,
casts, aliasing etc easier to deal with).  So e.g. for assignments to
the fields of a struct, it records the mapping from bit-offsets of e.g.
field to the values; if that memory is cast to another type and written
to, the appropriate clobbering of the bound values can happen.

The concept of "what the current stack is" moves from the regions to
being a field within the region_model ("m_current_frame").

Bugs fixed by this patch
************************

PR analyzer/93032 (missing leak diagnostic for zlib/contrib/minizip/mztools.c)
PR analyzer/93938 (ICE in analyzer)
PR analyzer/94011 (ICE in analyzer)
PR analyzer/94099 (ICE in analyzer)
PR analyzer/94399 (leak false positive with __attribute__((cleanup())))
PR analyzer/94458 (leak false positive)
PR analyzer/94503 (ICE on C++ return-value-optimization)
PR analyzer/94640 (leak false positive)
PR analyzer/94688 (ICE in analyzer)
PR analyzer/94689 ("arrays of functions are not meaningful" error)
PR analyzer/94839 (leak false positive)
PR analyzer/95026 (leak false positive)
PR analyzer/95042 (ICE merging const and non-const C++ object instances)
PR analyzer/95240 (leak false positive)

Successfully bootstrapped & regrtested on x86_64-pc-linux-gnu.
Pushed to master as 808f4dfeb3a95f50f15e71148e5c1067f90a126d.

At 1.1MB the patch exceeds the mailing list limit, so I'm attaching a
gzipped copy.
It can also be seen via:
https://gcc.gnu.org/git/?p=gcc.git;a=commitdiff;h=808f4dfeb3a95f50f15e71148e5c1067f90a126d

gcc/ChangeLog:
	* Makefile.in (ANALYZER_OBJS): Add analyzer/region.o,
	analyzer/region-model-impl-calls.o,
	analyzer/region-model-manager.o,
	analyzer/region-model-reachability.o, analyzer/store.o, and
	analyzer/svalue.o.
	* doc/analyzer.texi: Update for changes to analyzer
	implementation.
	* tristate.h (tristate::get_value): New accessor.

gcc/analyzer/ChangeLog:
	* analyzer-logging.cc: Ignore "-Wformat-diag".
	(logger::enter_scope): Use inc_indent in both overloads.
	(logger::exit_scope): Use dec_indent.
	* analyzer-logging.h (logger::inc_indent): New.
	(logger::dec_indent): New.
	* analyzer-selftests.cc (run_analyzer_selftests): Call
	analyzer_store_cc_tests.
	* analyzer-selftests.h (analyzer_store_cc_tests): New decl.
	* analyzer.cc (get_stmt_location): New function.
	* analyzer.h (class initial_svalue): New forward decl.
	(class unaryop_svalue): New forward decl.
	(class binop_svalue): New forward decl.
	(class sub_svalue): New forward decl.
	(class unmergeable_svalue): New forward decl.
	(class placeholder_svalue): New forward decl.
	(class widening_svalue): New forward decl.
	(class compound_svalue): New forward decl.
	(class conjured_svalue): New forward decl.
	(svalue_set): New typedef.
	(class map_region): Delete.
	(class array_region): Delete.
	(class frame_region): New forward decl.
	(class function_region): New forward decl.
	(class label_region): New forward decl.
	(class decl_region): New forward decl.
	(class element_region): New forward decl.
	(class offset_region): New forward decl.
	(class cast_region): New forward decl.
	(class field_region): New forward decl.
	(class string_region): New forward decl.
	(class region_model_manager): New forward decl.
	(class store_manager): New forward decl.
	(class store): New forward decl.
	(class call_details): New forward decl.
	(struct svalue_id_merger_mapping): Delete.
	(struct canonicalization): Delete.
	(class function_point): New forward decl.
	(class engine): New forward decl.
	(dump_tree): New function decl.
	(print_quoted_type): New function decl.
	(readability_comparator): New function decl.
	(tree_cmp): New function decl.
	(class path_var): Move here from region-model.h.
	(bit_offset_t, bit_size_t, byte_size_t): New typedefs.
	(class region_offset): New class.
	(get_stmt_location): New decl.
	(struct member_function_hash_traits): New struct.
	(class consolidation_map): New class.
	Ignore "-Wformat-diag".
	* analyzer.opt (-param=analyzer-max-svalue-depth=): New param.
	(-param=analyzer-max-enodes-for-full-dump=): New param.
	* call-string.cc: Ignore -Wformat-diag.
	* checker-path.cc: Move includes of "analyzer/call-string.h" and
	"analyzer/program-point.h" to before "analyzer/region-model.h",
	and also include "analyzer/store.h" before it.
	(state_change_event::state_change_event): Replace "tree var" param
	with "const svalue *sval".  Convert "origin" param from tree to
	"const svalue *".
	(state_change_event::get_desc): Call get_representative_tree to
	convert the var and origin from const svalue * to tree.  Use
	svalue::get_desc rather than %qE when describing state changes.
	(checker_path::add_final_event): Use get_stmt_location.
	* checker-path.h (state_change_event::state_change_event): Port
	from tree to const svalue *.
	(state_change_event::get_lvalue): Delete.
	(state_change_event::get_dest_function): New.
	(state_change_event::m_var): Replace with...
	(state_change_event::m_sval): ...this.
	(state_change_event::m_origin): Convert from tree to
	const svalue *.
	* constraint-manager.cc: Include "analyzer/call-string.h",
	"analyzer/program-point.h", and "analyzer/store.h" before
	"analyzer/region-model.h".
	(struct bound, struct range): Move to constraint-manager.h.
	(compare_constants): New function.
	(range::dump): Rename to...
	(range::dump_to_pp): ...this.  Support NULL constants.
	(range::dump): Reintroduce for dumping to stderr.
	(range::constrained_to_single_element): Return result, rather than
	writing to *OUT.
	(range::eval_condition): New.
	(range::below_lower_bound): New.
	(range::above_upper_bound): New.
	(equiv_class::equiv_class): Port from svalue_id to const svalue *.
	(equiv_class::print): Likewise.
	(equiv_class::hash): Likewise.
	(equiv_class::operator==): Port from svalue_id to const svalue *.
	(equiv_class::add): Port from svalue_id to const svalue *. Drop
	"cm" param.
	(equiv_class::del): Port from svalue_id to const svalue *.
	(equiv_class::get_representative): Likewise.
	(equiv_class::remap_svalue_ids): Delete.
	(svalue_id_cmp_by_id): Rename to...
	(svalue_cmp_by_ptr): ...this, porting from svalue_id to
	const svalue *.
	(equiv_class::canonicalize): Update qsort comparator.
	(constraint::implied_by): New.
	(constraint_manager::constraint_manager): Copy m_mgr in copy ctor.
	(constraint_manager::dump_to_pp): Add "multiline" param.
	(constraint_manager::dump): Pass "true" for "multiline".
	(constraint_manager::add_constraint): Port from svalue_id to
	const svalue *.  Split out second part into...
	(constraint_manager::add_unknown_constraint): ...this new
	function.  Remove self-constraints when merging equivalence
	classes.
	(constraint_manager::add_constraint_internal): Remove constraints
	that would be implied by the new constraint.  Port from svalue_id
	to const svalue *.
	(constraint_manager::get_equiv_class_by_sid): Rename to...
	(constraint_manager::get_equiv_class_by_svalue): ...this, porting
	from svalue_id to const svalue *.
	(constraint_manager::get_or_add_equiv_class): Port from svalue_id
	to const svalue *.
	(constraint_manager::eval_condition): Make const.  Call
	compare_constants and return early if it provides a known result.
	(constraint_manager::get_ec_bounds): New.
	(constraint_manager::eval_condition): New overloads.  Make
	existing one const, and use compare_constants.
	(constraint_manager::purge): Convert "p" param to a template
	rather than an abstract base class.  Port from svalue_id to
	const svalue *.
	(class dead_svalue_purger): New class.
	(constraint_manager::remap_svalue_ids): Delete.
	(constraint_manager::on_liveness_change): New.
	(equiv_class_cmp): Port from svalue_id to const svalue *.
	(constraint_manager::canonicalize): Likewise.  Combine with
	purging of redundant equivalence classes and constraints.
	(class cleaned_constraint_manager): Delete.
	(class merger_fact_visitor): Make "m_cm_b" const.  Add "m_merger"
	field.
	(merger_fact_visitor::fact): Port from svalue_id to const svalue *.
	Add special case for widening.
	(constraint_manager::merge): Port from svalue_id to const svalue *.
	(constraint_manager::clean_merger_input): Delete.
	(constraint_manager::for_each_fact): Port from svalue_id to
	const svalue *.
	(constraint_manager::validate): Likewise.
	(selftest::test_constraint_conditions): Provide a
	region_model_manager when creating region_model instances.
	Add test for self-equality not creating equivalence classes.
	(selftest::test_transitivity): Provide a region_model_manager when
	creating region_model instances.  Verify that EC-merging happens
	when constraints are implied.
	(selftest::test_constant_comparisons):  Provide a
	region_model_manager when creating region_model instances.
	(selftest::test_constraint_impl): Likewise.  Remove over-specified
	assertions.
	(selftest::test_equality): Provide a region_model_manager when
	creating region_model instances.
	(selftest::test_many_constants): Likewise.  Provide a
	program_point when testing merging.
	(selftest::run_constraint_manager_tests): Move call to
	test_constant_comparisons to outside the transitivity guard.
	* constraint-manager.h (struct bound): Move here from
	constraint-manager.cc.
	(struct range): Likewise.
	(struct::eval_condition): New decl.
	(struct::below_lower_bound): New decl.
	(struct::above_upper_bound): New decl.
	(equiv_class::add): Port from svalue_id to const svalue *.
	(equiv_class::del): Likewise.
	(equiv_class::get_representative): Likewise.
	(equiv_class::remap_svalue_ids): Drop.
	(equiv_class::m_cst_sid): Convert to...
	(equiv_class::m_cst_sval): ...this.
	(equiv_class::m_vars): Port from svalue_id to const svalue *.
	(constraint::bool implied_by): New decl.
	(fact_visitor::on_fact): Port from svalue_id to const svalue *.
	(constraint_manager::constraint_manager): Add mgr param.
	(constraint_manager::clone): Delete.
	(constraint_manager::maybe_get_constant): Delete.
	(constraint_manager::get_sid_for_constant): Delete.
	(constraint_manager::get_num_svalues): Delete.
	(constraint_manager::dump_to_pp): Add "multiline" param.
	(constraint_manager::get_equiv_class): Port from svalue_id to
	const svalue *.
	(constraint_manager::add_constraint):  Likewise.
	(constraint_manager::get_equiv_class_by_sid): Rename to...
	(constraint_manager::get_equiv_class_by_svalue): ...this, porting
	from svalue_id to const svalue *.
	(constraint_manager::add_unknown_constraint): New decl.
	(constraint_manager::get_or_add_equiv_class): Port from svalue_id
	to const svalue *.
	(constraint_manager::eval_condition): Likewise.  Add overloads.
	(constraint_manager::get_ec_bounds): New decl.
	(constraint_manager::purge): Convert to template.
	(constraint_manager::remap_svalue_ids): Delete.
	(constraint_manager::on_liveness_change): New decl.
	(constraint_manager::canonicalize): Drop param.
	(constraint_manager::clean_merger_input): Delete.
	(constraint_manager::m_mgr): New field.
	* diagnostic-manager.cc: Move includes of
	"analyzer/call-string.h" and "analyzer/program-point.h" to before
	"analyzer/region-model.h", and also include "analyzer/store.h"
	before it.
	(saved_diagnostic::saved_diagnostic): Add "sval" param.
	(diagnostic_manager::diagnostic_manager): Add engine param.
	(diagnostic_manager::add_diagnostic): Add "sval" param, passing it
	to saved_diagnostic ctor.  Update overload to pass NULL for it.
	(dedupe_winners::dedupe_winners): Add engine param.
	(dedupe_winners::add): Add "eg" param.  Pass m_engine to
	feasible_p.
	(dedupe_winner::m_engine): New field.
	(diagnostic_manager::emit_saved_diagnostics): Pass engine to
	dedupe_winners.  Pass &eg when adding candidates.  Pass svalue
	rather than tree to prune_path.  Use get_stmt_location to get
	primary location of diagnostic.
	(diagnostic_manager::emit_saved_diagnostic): Likewise.
	(get_any_origin): Drop.
	(state_change_event_creator::on_global_state_change): Pass NULL
	const svalue * rather than NULL_TREE trees to state_change_event
	ctor.
	(state_change_event_creator::on_state_change): Port from tree and
	svalue_id to const svalue *.
	(for_each_state_change): Port from svalue_id to const svalue *.
	(struct null_assignment_sm_context): New.
	(diagnostic_manager::add_events_for_eedge):  Add state change
	events for assignment to NULL.
	(diagnostic_manager::prune_path): Update param from tree to
	const svalue *.
	(diagnostic_manager::prune_for_sm_diagnostic): Port from tracking
	by tree to by const svalue *.
	* diagnostic-manager.h (saved_diagnostic::saved_diagnostic): Add sval
	param.
	(saved_diagnostic::m_sval): New field.
	(diagnostic_manager::diagnostic_manager): Add engine param.
	(diagnostic_manager::get_engine): New.
	(diagnostic_manager::add_diagnostic): Add "sval" param.
	(diagnostic_manager::prune_path): Likewise.
	(diagnostic_manager::prune_for_sm_diagnostic): New overload.
	(diagnostic_manager::m_eng): New field.
	* engine.cc: Move includes of "analyzer/call-string.h" and
	"analyzer/program-point.h" to before "analyzer/region-model.h",
	and also include "analyzer/store.h" before it.
	(impl_region_model_context::impl_region_model_context): Update for
	removal of m_change field.
	(impl_region_model_context::remap_svalue_ids): Delete.
	(impl_region_model_context::on_svalue_leak): New.
	(impl_region_model_context::on_svalue_purge): Delete.
	(impl_region_model_context::on_liveness_change): New.
	(impl_region_model_context::on_unknown_change): Update param
	from svalue_id to const svalue *.  Add is_mutable param.
	(setjmp_svalue::compare_fields): Delete.
	(setjmp_svalue::accept): New.
	(setjmp_svalue::add_to_hash): Delete.
	(setjmp_svalue::dump_to_pp): New.
	(setjmp_svalue::print_details): Delete.
	(impl_sm_context::impl_sm_context): Drop "change" param.
	(impl_sm_context::get_fndecl_for_call): Drop "m_change".
	(impl_sm_context::on_transition): Drop ATTRIBUTE_UNUSED from
	"stmt" param.  Drop m_change.  Port from svalue_id to
	const svalue *.
	(impl_sm_context::warn_for_state): Drop m_change.  Port from
	svalue_id to const svalue *.
	(impl_sm_context::get_readable_tree): Rename to...
	(impl_sm_context::get_diagnostic_tree): ...this.  Port from
	svalue_id to const svalue *.
	(impl_sm_context::is_zero_assignment): New.
	(impl_sm_context::m_change): Delete field.
	(leak_stmt_finder::find_stmt): Handle m_var being NULL.
	(readability):  Increase penalty for MEM_REF.  For SSA_NAMEs,
	slightly favor the underlying var over the SSA name.  Heavily
	penalize temporaries.  Handle RESULT_DECL.
	(readability_comparator): Make non-static.  Consider stack depths.
	(impl_region_model_context::on_state_leak): Convert from svalue_id
	to const svalue *, updating for region_model changes.  Use
	id_equal.
	(impl_region_model_context::on_inherited_svalue): Delete.
	(impl_region_model_context::on_cast): Delete.
	(impl_region_model_context::on_condition):  Drop m_change.
	(impl_region_model_context::on_phi): Likewise.
	(impl_region_model_context::on_unexpected_tree_code): Handle t
	being NULL.
	(point_and_state::validate): Update stack checking for
	region_model changes.
	(eg_traits::dump_args_t::show_enode_details_p): New.
	(exploded_node::exploded_node): Initialize m_num_processed_stmts.
	(exploded_node::get_processed_stmt): New function.
	(exploded_node::get_dot_fillcolor): Add more colors.
	(exploded_node::dump_dot): Guard the printing of the point and
	state with show_enode_details_p.  Print the processed stmts for
	this enode after the initial state.
	(exploded_node::dump_to_pp): Pass true for new multiline param
	of program_state::dump_to_pp.
	(exploded_node::on_stmt): Drop "change" param.  Log the stmt.
	Set input_location.  Implement __analyzer_describe.  Update
	implementation of __analyzer_dump and __analyzer_eval.
	Remove purging of sm-state for unknown fncalls from here.
	(exploded_node::on_edge): Drop "change" param.
	(exploded_node::on_longjmp): Port from region_id/svalue_id to
	const region */const svalue *.  Call program_state::detect_leaks.
	Drop state_change.
	(exploded_node::detect_leaks): Update for changes to region_model.
	Call program_state::detect_leaks.
	(exploded_edge::exploded_edge): Drop ext_state and change params.
	(exploded_edge::dump_dot): "args" is no longer used.  Drop dumping
	of m_change.
	(exploded_graph::exploded_graph): Pass engine to
	m_diagnostic_manager ctor.  Use program_point::origin.
	(exploded_graph::add_function_entry):  Drop ctxt.  Use
	program_state::push_frame.  Drop state_change.
	(exploded_graph::get_or_create_node): Drop "change" param.  Add
	"enode_for_diag" param.  Update dumping calls for API changes.
	Pass point to can_merge_with_p.  Show enode indices
	within -Wanalyzer-too-complex diagnostic for hitting the per-point
	limit.
	(exploded_graph::add_edge): Drop "change" param.  Log which nodes
	are being connected.  Update for changes to exploded_edge ctor.
	(exploded_graph::get_per_program_point_data): New.
	(exploded_graph::process_worklist): Pass point to
	can_merge_with_p.  Drop state_change.  Update dumping call for API
	change.
	(exploded_graph::process_node):  Drop state_change.  Split the
	node in-place if an sm-state-change occurs.  Update
	m_num_processed_stmts.  Update dumping calls for API change.
	(exploded_graph::log_stats): Call engine::log_stats.
	(exploded_graph::dump_states_for_supernode): Update dumping
	call.
	(exploded_path::feasible_p): Add "eng" and "eg" params.
	Rename "i" to "end_idx".  Pass the manager to the region_model
	ctor.  Update for every processed stmt in the enode, not just the
	first.  Keep track of which snodes have been visited, and call
	loop_replay_fixup when revisiting one.
	(enode_label::get_text): Update dump call for new param.
	(exploded_graph::dump_exploded_nodes): Likewise.
	(exploded_graph::get_node_by_index): New.
	(impl_run_checkers): Create engine instance and pass its address
	to extrinsic_state ctor.
	* exploded-graph.h
	(impl_region_model_context::impl_region_model_context): Drop
	"change" params.
	(impl_region_model_context::void remap_svalue_ids): Delete.
	(impl_region_model_context::on_svalue_purge): Delete.
	(impl_region_model_context::on_svalue_leak): New.
	(impl_region_model_context::on_liveness_change): New.
	(impl_region_model_context::on_state_leak): Update signature.
	(impl_region_model_context::on_inherited_svalue): Delete.
	(impl_region_model_context::on_cast): Delete.
	(impl_region_model_context::on_unknown_change): Update signature.
	(impl_region_model_context::m_change): Delete.
	(eg_traits::dump_args_t::show_enode_details_p): New.
	(exploded_node::on_stmt): Drop "change" param.
	(exploded_node::on_edge): Likewise.
	(exploded_node::get_processed_stmt): New decl.
	(exploded_node::m_num_processed_stmts): New field.
	(exploded_edge::exploded_edge): Drop ext_state and change params.
	(exploded_edge::m_change): Delete.
	(exploded_graph::get_engine): New accessor.
	(exploded_graph::get_or_create_node): Drop "change" param.  Add
	"enode_for_diag" param.
	(exploded_graph::add_edge): Drop "change" param.
	(exploded_graph::get_per_program_point_data): New decl.
	(exploded_graph::get_node_by_index): New decl.
	(exploded_path::feasible_p): Add "eng" and "eg" params.
	* program-point.cc: Include "analyzer/store.h" before including
	"analyzer/region-model.h".
	(function_point::function_point): Move here from
	program-point.h.
	(function_point::get_function): Likewise.
	(function_point::from_function_entry): Likewise.
	(function_point::before_supernode): Likewise.
	(function_point::next_stmt): New function.
	* program-point.h (function_point::function_point): Move
	implementation from here to program-point.cc.
	(function_point::get_function): Likewise.
	(function_point::from_function_entry): Likewise.
	(function_point::before_supernode): Likewise.
	(function_point::next_stmt): New decl.
	(program_point::operator!=): New.
	(program_point::origin): New.
	(program_point::next_stmt): New.
	(program_point::m_function_point): Make non-const.
	* program-state.cc: Move includes of "analyzer/call-string.h" and
	"analyzer/program-point.h" to before "analyzer/region-model.h",
	and also include "analyzer/store.h" before it.
	(extrinsic_state::get_model_manager): New.
	(sm_state_map::sm_state_map): Pass in sm and sm_idx to ctor,
	rather than pass them around.
	(sm_state_map::clone_with_remapping): Delete.
	(sm_state_map::print): Remove "sm" param in favor of "m_sm".  Add
	"simple" and "multiline" params and support multiline vs single
	line dumping.
	(sm_state_map::dump): Remove "sm" param in favor of "m_sm".  Add
	"simple" param.
	(sm_state_map::hash): Port from svalue_id to const svalue *.
	(sm_state_map::operator==): Likewise.
	(sm_state_map::get_state): Likewise.  Call canonicalize_svalue on
	input.  Handle inheritance of sm-state.  Call get_default_state.
	(sm_state_map::get_origin): Port from svalue_id to const svalue *.
	(sm_state_map::set_state): Likewise.  Pass in ext_state.  Reject
	attempts to set state on UNKNOWN.
	(sm_state_map::impl_set_state): Port from svalue_id to
	const svalue *.  Pass in ext_state.  Call canonicalize_svalue on
	input.
	(sm_state_map::purge_for_unknown_fncall): Delete.
	(sm_state_map::on_svalue_leak): New.
	(sm_state_map::remap_svalue_ids): Delete.
	(sm_state_map::on_liveness_change): New.
	(sm_state_map::on_unknown_change): Reimplement.
	(sm_state_map::on_svalue_purge): Delete.
	(sm_state_map::on_inherited_svalue): Delete.
	(sm_state_map::on_cast): Delete.
	(sm_state_map::validate): Delete.
	(sm_state_map::canonicalize_svalue): New.
	(program_state::program_state): Update to pass manager to
	region_model's ctor.  Constify num_states and pass state machine
	and index to sm_state_map ctor.
	(program_state::print): Update for changes to dump API.
	(program_state::dump_to_pp): Ignore the summarize param.  Add
	"multiline" param.
	(program_state::dump_to_file): Add "multiline" param.
	(program_state::dump): Pass "true" for new "multiline" param.
	(program_state::push_frame): New.
	(program_state::on_edge): Drop "change" param.  Call
	program_state::detect_leaks.
	(program_state::prune_for_point): Add enode_for_diag param.
	Reimplement based on store class.  Call detect_leaks.
	(program_state::remap_svalue_ids): Delete.
	(program_state::get_representative_tree): Port from svalue_id to
	const svalue *.
	(program_state::can_merge_with_p): Add "point" param.  Add early
	reject for sm-differences.  Drop id remapping.
	(program_state::validate): Drop region model and sm_state_map
	validation.
	(state_change::sm_change::dump): Delete.
	(state_change::sm_change::remap_svalue_ids): Delete.
	(state_change::sm_change::on_svalue_purge): Delete.
	(log_set_of_svalues): New.
	(state_change::sm_change::validate): Delete.
	(state_change::state_change): Delete.
	(state_change::add_sm_change): Delete.
	(state_change::affects_p): Delete.
	(state_change::dump): Delete.
	(state_change::remap_svalue_ids): Delete.
	(state_change::on_svalue_purge): Delete.
	(state_change::validate): Delete.
	(selftest::assert_dump_eq): Delete.
	(ASSERT_DUMP_EQ): Delete.
	(selftest::test_sm_state_map): Update for changes to region_model
	and sm_state_map, porting from svalue_id to const svalue *.
	(selftest::test_program_state_dumping): Likewise.  Drop test of
	dumping, renaming to...
	(selftest::test_program_state_1): ...this.
	(selftest::test_program_state_dumping_2): Likewise, renaming to...
	(selftest::test_program_state_2): ...this.
	(selftest::test_program_state_merging): Update for changes to
	region_model.
	(selftest::test_program_state_merging_2): Likewise.
	(selftest::analyzer_program_state_cc_tests): Update for renamed
	tests.
	* program-state.h (extrinsic_state::extrinsic_state): Add logger
	and engine params.
	(extrinsic_state::get_logger): New accessor.
	(extrinsic_state::get_engine): New accessor.
	(extrinsic_state::get_model_manager): New accessor.
	(extrinsic_state::m_logger): New field.
	(extrinsic_state::m_engine): New field.
	(struct default_hash_traits<svalue_id>): Delete.
	(pod_hash_traits<svalue_id>::hash): Delete.
	(pod_hash_traits<svalue_id>::equal): Delete.
	(pod_hash_traits<svalue_id>::mark_deleted): Delete.
	(pod_hash_traits<svalue_id>::mark_empty): Delete.
	(pod_hash_traits<svalue_id>::is_deleted): Delete.
	(pod_hash_traits<svalue_id>::is_empty): Delete.
	(sm_state_map::entry_t::entry_t): Port from svalue_id to
	const svalue *.
	(sm_state_map::entry_t::m_origin): Likewise.
	(sm_state_map::map_t): Likewise.
	(sm_state_map::sm_state_map): Add state_machine and index params.
	(sm_state_map::clone_with_remapping): Delete.
	(sm_state_map::print):  Drop sm param; add simple and multiline
	params.
	(sm_state_map::dump): Drop sm param; add simple param.
	(sm_state_map::get_state): Port from svalue_id to const svalue *.
	Add ext_state param.
	(sm_state_map::get_origin): Likewise.
	(sm_state_map::set_state): Likewise.
	(sm_state_map::impl_set_state): Likewise.
	(sm_state_map::purge_for_unknown_fncall): Delete.
	(sm_state_map::remap_svalue_ids): Delete.
	(sm_state_map::on_svalue_purge): Delete.
	(sm_state_map::on_svalue_leak): New.
	(sm_state_map::on_liveness_change): New.
	(sm_state_map::on_inherited_svalue): Delete.
	(sm_state_map::on_cast): Delete.
	(sm_state_map::validate): Delete.
	(sm_state_map::on_unknown_change): Port from svalue_id to
	const svalue *.  Add is_mutable and ext_state params.
	(sm_state_map::canonicalize_svalue): New.
	(sm_state_map::m_sm): New field.
	(sm_state_map::m_sm_idx): New field.
	(program_state::operator=): Delete.
	(program_state::dump_to_pp): Drop "summarize" param, adding
	"simple" and "multiline".
	(program_state::dump_to_file): Likewise.
	(program_state::dump): Rename "summarize" to "simple".
	(program_state::push_frame): New.
	(program_state::get_current_function): New.
	(program_state::on_edge): Drop "change" param.
	(program_state::prune_for_point): Likewise.  Add enode_for_diag
	param.
	(program_state::remap_svalue_ids): Delete.
	(program_state::get_representative_tree): Port from svalue_id to
	const svalue *.
	(program_state::can_purge_p): Likewise.  Pass ext_state to get_state.
	(program_state::can_merge_with_p): Add point param.
	(program_state::detect_leaks): New.
	(state_change_visitor::on_state_change): Port from tree and
	svalue_id to a pair of const svalue *.
	(class state_change): Delete.
	* region.cc: New file.
	* region-model-impl-calls.cc: New file.
	* region-model-manager.cc: New file.
	* region-model-reachability.cc: New file.
	* region-model-reachability.h: New file.
	* region-model.cc: Include "analyzer/call-string.h",
	"analyzer/program-point.h", and "analyzer/store.h" before
	"analyzer/region-model.h".  Include
	"analyzer/region-model-reachability.h".
	(dump_tree): Make non-static.
	(dump_quoted_tree): Make non-static.
	(print_quoted_type): Make non-static.
	(path_var::dump): Delete.
	(dump_separator): Delete.
	(class impl_constraint_manager): Delete.
	(svalue_id::print): Delete.
	(svalue_id::dump_node_name_to_pp): Delete.
	(svalue_id::validate): Delete.
	(region_id::print): Delete.
	(region_id::dump_node_name_to_pp): Delete.
	(region_id::validate): Delete.
	(region_id_set::region_id_set): Delete.
	(svalue_id_set::svalue_id_set): Delete.
	(svalue::operator==): Delete.
	(svalue::hash): Delete.
	(svalue::print): Delete.
	(svalue::dump_dot_to_pp): Delete.
	(svalue::remap_region_ids): Delete.
	(svalue::walk_for_canonicalization): Delete.
	(svalue::get_child_sid): Delete.
	(svalue::maybe_get_constant): Delete.
	(region_svalue::compare_fields): Delete.
	(region_svalue::add_to_hash): Delete.
	(region_svalue::print_details): Delete.
	(region_svalue::dump_dot_to_pp): Delete.
	(region_svalue::remap_region_ids): Delete.
	(region_svalue::merge_values): Delete.
	(region_svalue::walk_for_canonicalization): Delete.
	(region_svalue::eval_condition): Delete.
	(constant_svalue::compare_fields): Delete.
	(constant_svalue::add_to_hash): Delete.
	(constant_svalue::merge_values): Delete.
	(constant_svalue::eval_condition): Move to svalue.cc.
	(constant_svalue::print_details): Delete.
	(constant_svalue::get_child_sid): Delete.
	(unknown_svalue::compare_fields): Delete.
	(unknown_svalue::add_to_hash): Delete.
	(unknown_svalue::print_details): Delete.
	(poison_kind_to_str): Move to svalue.cc.
	(poisoned_svalue::compare_fields): Delete.
	(poisoned_svalue::add_to_hash): Delete.
	(poisoned_svalue::print_details): Delete.
	(region_kind_to_str): Move to region.cc and reimplement.
	(region::operator==): Delete.
	(region::get_parent_region): Delete.
	(region::set_value): Delete.
	(region::become_active_view): Delete.
	(region::deactivate_any_active_view): Delete.
	(region::deactivate_view): Delete.
	(region::get_value): Delete.
	(region::get_inherited_child_sid): Delete.
	(region_model::copy_region): Delete.
	(region_model::copy_struct_region): Delete.
	(region_model::copy_union_region): Delete.
	(region_model::copy_array_region): Delete.
	(region::hash): Delete.
	(region::print): Delete.
	(region::dump_dot_to_pp): Delete.
	(region::dump_to_pp): Delete.
	(region::dump_child_label): Delete.
	(region::validate): Delete.
	(region::remap_svalue_ids): Delete.
	(region::remap_region_ids): Delete.
	(region::add_view): Delete.
	(region::get_view): Delete.
	(region::region): Move to region.cc.
	(region::add_to_hash): Delete.
	(region::print_fields): Delete.
	(region::non_null_p): Delete.
	(primitive_region::clone): Delete.
	(primitive_region::walk_for_canonicalization): Delete.
	(map_region::map_region): Delete.
	(map_region::compare_fields): Delete.
	(map_region::print_fields): Delete.
	(map_region::validate): Delete.
	(map_region::dump_dot_to_pp): Delete.
	(map_region::dump_child_label): Delete.
	(map_region::get_or_create): Delete.
	(map_region::get): Delete.
	(map_region::add_to_hash): Delete.
	(map_region::remap_region_ids): Delete.
	(map_region::unbind): Delete.
	(map_region::get_tree_for_child_region): Delete.
	(map_region::get_tree_for_child_region): Delete.
	(tree_cmp): Move to region.cc.
	(map_region::can_merge_p): Delete.
	(map_region::walk_for_canonicalization): Delete.
	(map_region::get_value_by_name): Delete.
	(struct_or_union_region::valid_key_p): Delete.
	(struct_or_union_region::compare_fields): Delete.
	(struct_region::clone): Delete.
	(struct_region::compare_fields): Delete.
	(union_region::clone): Delete.
	(union_region::compare_fields): Delete.
	(frame_region::compare_fields): Delete.
	(frame_region::clone): Delete.
	(frame_region::valid_key_p): Delete.
	(frame_region::print_fields): Delete.
	(frame_region::add_to_hash): Delete.
	(globals_region::compare_fields): Delete.
	(globals_region::clone): Delete.
	(globals_region::valid_key_p): Delete.
	(code_region::compare_fields): Delete.
	(code_region::clone): Delete.
	(code_region::valid_key_p): Delete.
	(array_region::array_region): Delete.
	(array_region::get_element): Delete.
	(array_region::clone): Delete.
	(array_region::compare_fields): Delete.
	(array_region::print_fields): Delete.
	(array_region::validate): Delete.
	(array_region::dump_dot_to_pp): Delete.
	(array_region::dump_child_label): Delete.
	(array_region::get_or_create): Delete.
	(array_region::get): Delete.
	(array_region::add_to_hash): Delete.
	(array_region::remap_region_ids): Delete.
	(array_region::get_key_for_child_region): Delete.
	(array_region::key_cmp): Delete.
	(array_region::walk_for_canonicalization): Delete.
	(array_region::key_from_constant): Delete.
	(array_region::constant_from_key): Delete.
	(function_region::compare_fields): Delete.
	(function_region::clone): Delete.
	(function_region::valid_key_p): Delete.
	(stack_region::stack_region): Delete.
	(stack_region::compare_fields): Delete.
	(stack_region::clone): Delete.
	(stack_region::print_fields): Delete.
	(stack_region::dump_child_label): Delete.
	(stack_region::validate): Delete.
	(stack_region::push_frame): Delete.
	(stack_region::get_current_frame_id): Delete.
	(stack_region::pop_frame): Delete.
	(stack_region::add_to_hash): Delete.
	(stack_region::remap_region_ids): Delete.
	(stack_region::can_merge_p): Delete.
	(stack_region::walk_for_canonicalization): Delete.
	(stack_region::get_value_by_name): Delete.
	(heap_region::heap_region): Delete.
	(heap_region::compare_fields): Delete.
	(heap_region::clone): Delete.
	(heap_region::walk_for_canonicalization): Delete.
	(root_region::root_region): Delete.
	(root_region::compare_fields): Delete.
	(root_region::clone): Delete.
	(root_region::print_fields): Delete.
	(root_region::validate): Delete.
	(root_region::dump_child_label): Delete.
	(root_region::push_frame): Delete.
	(root_region::get_current_frame_id): Delete.
	(root_region::pop_frame): Delete.
	(root_region::ensure_stack_region): Delete.
	(root_region::get_stack_region): Delete.
	(root_region::ensure_globals_region): Delete.
	(root_region::get_code_region): Delete.
	(root_region::ensure_code_region): Delete.
	(root_region::get_globals_region): Delete.
	(root_region::ensure_heap_region): Delete.
	(root_region::get_heap_region): Delete.
	(root_region::remap_region_ids): Delete.
	(root_region::can_merge_p): Delete.
	(root_region::add_to_hash): Delete.
	(root_region::walk_for_canonicalization): Delete.
	(root_region::get_value_by_name): Delete.
	(symbolic_region::symbolic_region): Delete.
	(symbolic_region::compare_fields): Delete.
	(symbolic_region::clone): Delete.
	(symbolic_region::walk_for_canonicalization): Delete.
	(symbolic_region::print_fields): Delete.
	(region_model::region_model): Add region_model_manager * param.
	Reimplement in terms of store, dropping impl_constraint_manager
	subclass.
	(region_model::operator=): Reimplement in terms of store.
	(region_model::operator==): Likewise.
	(region_model::hash): Likewise.
	(region_model::print): Delete.
	(region_model::print_svalue): Delete.
	(region_model::dump_dot_to_pp): Delete.
	(region_model::dump_dot_to_file): Delete.
	(region_model::dump_dot): Delete.
	(region_model::dump_to_pp): Replace "summarize" param with
	"simple" and "multiline".  Port to store-based implementation.
	(region_model::dump): Replace "summarize" param with "simple" and
	"multiline".
	(dump_vec_of_tree): Delete.
	(region_model::dump_summary_of_rep_path_vars): Delete.
	(region_model::validate): Delete.
	(svalue_id_cmp_by_constant_svalue_model): Delete.
	(svalue_id_cmp_by_constant_svalue): Delete.
	(region_model::canonicalize): Drop "ctxt" param.  Reimplement in
	terms of store and constraints.
	(region_model::canonicalized_p): Remove NULL arg to canonicalize.
	(region_model::loop_replay_fixup): New.
	(poisoned_value_diagnostic::emit): Tweak wording of warnings.
	(region_model::check_for_poison): Delete.
	(region_model::get_gassign_result): New.
	(region_model::on_assignment): Port to store-based implementation.
	(region_model::on_call_pre): Delete calls to check_for_poison.
	Move implementations to region-model-impl-calls.c and port to
	store-based implementation.
	(region_model::on_call_post): Likewise.
	(class reachable_regions): Move to region-model-reachability.h/cc
	and port to store-based implementation.
	(region_model::handle_unrecognized_call): Port to store-based
	implementation.
	(region_model::get_reachable_svalues): New.
	(region_model::on_setjmp): Port to store-based implementation.
	(region_model::on_longjmp): Likewise.
	(region_model::handle_phi): Drop is_back_edge param and the logic
	using it.
	(region_model::get_lvalue_1): Port from region_id to const region *.
	(region_model::make_region_for_unexpected_tree_code): Delete.
	(assert_compat_types): If the check fails, use internal_error to
	show the types.
	(region_model::get_lvalue): Port from region_id to const region *.
	(region_model::get_rvalue_1): Port from svalue_id to const svalue *.
	(region_model::get_rvalue): Likewise.
	(region_model::get_or_create_ptr_svalue): Delete.
	(region_model::get_or_create_constant_svalue): Delete.
	(region_model::get_svalue_for_fndecl): Delete.
	(region_model::get_region_for_fndecl): Delete.
	(region_model::get_svalue_for_label): Delete.
	(region_model::get_region_for_label): Delete.
	(build_cast): Delete.
	(region_model::maybe_cast_1): Delete.
	(region_model::maybe_cast): Delete.
	(region_model::get_field_region): Delete.
	(region_model::get_store_value): New.
	(region_model::region_exists_p): New.
	(region_model::deref_rvalue): Port from svalue_id to const svalue *.
	(region_model::set_value): Likewise.
	(region_model::clobber_region): New.
	(region_model::purge_region): New.
	(region_model::zero_fill_region): New.
	(region_model::mark_region_as_unknown): New.
	(region_model::eval_condition): Port from svalue_id to
	const svalue *.
	(region_model::eval_condition_without_cm): Likewise.
	(region_model::compare_initial_and_pointer): New.
	(region_model::add_constraint): Port from svalue_id to
	const svalue *.
	(region_model::maybe_get_constant): Delete.
	(region_model::get_representative_path_var): New.
	(region_model::add_new_malloc_region): Delete.
	(region_model::get_representative_tree): Port to const svalue *.
	(region_model::get_representative_path_var): Port to
	const region *.
	(region_model::get_path_vars_for_svalue): Delete.
	(region_model::set_to_new_unknown_value): Delete.
	(region_model::update_for_phis): Don't pass is_back_edge to handle_phi.
	(region_model::update_for_call_superedge): Port from svalue_id to
	const svalue *.
	(region_model::update_for_return_superedge): Port to store-based
	implementation.
	(region_model::update_for_call_summary): Replace
	set_to_new_unknown_value with mark_region_as_unknown.
	(region_model::get_root_region): Delete.
	(region_model::get_stack_region_id): Delete.
	(region_model::push_frame): Delete.
	(region_model::get_current_frame_id): Delete.
	(region_model::get_current_function): Delete.
	(region_model::pop_frame): Delete.
	(region_model::on_top_level_param): New.
	(region_model::get_stack_depth): Delete.
	(region_model::get_function_at_depth): Delete.
	(region_model::get_globals_region_id): Delete.
	(region_model::add_svalue): Delete.
	(region_model::replace_svalue): Delete.
	(region_model::add_region): Delete.
	(region_model::get_svalue): Delete.
	(region_model::get_region): Delete.
	(make_region_for_type): Delete.
	(region_model::add_region_for_type): Delete.
	(region_model::on_top_level_param): New.
	(class restrict_to_used_svalues): Delete.
	(region_model::purge_unused_svalues): Delete.
	(region_model::push_frame): New.
	(region_model::remap_svalue_ids): Delete.
	(region_model::remap_region_ids): Delete.
	(region_model::purge_regions): Delete.
	(region_model::get_descendents): Delete.
	(region_model::delete_region_and_descendents): Delete.
	(region_model::poison_any_pointers_to_bad_regions): Delete.
	(region_model::can_merge_with_p): Delete.
	(region_model::get_current_function): New.
	(region_model::get_value_by_name): Delete.
	(region_model::convert_byte_offset_to_array_index): Delete.
	(region_model::pop_frame): New.
	(region_model::get_or_create_mem_ref): Delete.
	(region_model::get_stack_depth): New.
	(region_model::get_frame_at_index): New.
	(region_model::unbind_region_and_descendents): New.
	(struct bad_pointer_finder): New.
	(region_model::get_or_create_pointer_plus_expr): Delete.
	(region_model::poison_any_pointers_to_descendents): New.
	(region_model::get_or_create_view): Delete.
	(region_model::can_merge_with_p): New.
	(region_model::get_fndecl_for_call): Port from svalue_id to
	const svalue *.
	(struct append_ssa_names_cb_data): New.
	(get_ssa_name_regions_for_current_frame): New.
	(region_model::append_ssa_names_cb): New.
	(model_merger::dump_to_pp): Add "simple" param.  Drop dumping of
	remappings.
	(model_merger::dump): Add "simple" param to both overloads.
	(model_merger::can_merge_values_p): Delete.
	(model_merger::record_regions): Delete.
	(model_merger::record_svalues): Delete.
	(svalue_id_merger_mapping::svalue_id_merger_mapping): Delete.
	(svalue_id_merger_mapping::dump_to_pp): Delete.
	(svalue_id_merger_mapping::dump): Delete.
	(region_model::create_region_for_heap_alloc): New.
	(region_model::create_region_for_alloca): New.
	(region_model::record_dynamic_extents): New.
	(canonicalization::canonicalization): Delete.
	(canonicalization::walk_rid): Delete.
	(canonicalization::walk_sid): Delete.
	(canonicalization::dump_to_pp): Delete.
	(canonicalization::dump): Delete.
	(inchash::add): Delete overloads for svalue_id and region_id.
	(engine::log_stats): New.
	(assert_condition): Add overload comparing svalues.
	(assert_dump_eq): Pass "true" for multiline.
	(selftest::test_dump): Update for rewrite of region_model.
	(selftest::test_dump_2): Rename to...
	(selftest::test_struct): ...this.  Provide a region_model_manager
	when creating region_model instance.  Remove dump test.  Add
	checks for get_offset.
	(selftest::test_dump_3): Rename to...
	(selftest::test_array_1): ...this.  Provide a region_model_manager
	when creating region_model instance.  Remove dump test.
	(selftest::test_get_representative_tree): Port from svalue_id to
	new API.  Add test coverage for various expressions.
	(selftest::test_unique_constants): Provide a region_model_manager
	for the region_model.  Add test coverage for comparing const vs
	non-const.
	(selftest::test_svalue_equality): Delete.
	(selftest::test_region_equality): Delete.
	(selftest::test_unique_unknowns): New.
	(class purge_all_svalue_ids): Delete.
	(class purge_one_svalue_id): Delete.
	(selftest::test_purging_by_criteria): Delete.
	(selftest::test_initial_svalue_folding): New.
	(selftest::test_unaryop_svalue_folding): New.
	(selftest::test_binop_svalue_folding): New.
	(selftest::test_sub_svalue_folding): New.
	(selftest::test_purge_unused_svalues): Delete.
	(selftest::test_descendent_of_p): New.
	(selftest::test_assignment): Provide a region_model_manager for
	the region_model.  Drop the dump test.
	(selftest::test_compound_assignment): Likewise.
	(selftest::test_stack_frames): Port to new implementation.
	(selftest::test_get_representative_path_var): Likewise.
	(selftest::test_canonicalization_1): Rename to...
	(selftest::test_equality_1): ...this.  Port to new API, and add
	(selftest::test_canonicalization_2): Provide a
	region_model_manager when creating region_model instances.
	Remove redundant canonicalization.
	(selftest::test_canonicalization_3): Provide a
	region_model_manager when creating region_model instances.
	Remove param from calls to region_model::canonicalize.
	(selftest::test_canonicalization_4): Likewise.
	(selftest::assert_region_models_merge): Constify
	out_merged_svalue.  Port to new API.
	(selftest::test_state_merging): Provide a
	region_model_manager when creating region_model instances.
	Provide a program_point point when merging them.  Replace
	set_to_new_unknown_value with usage of placeholder_svalues.
	Drop get_value_by_name.  Port from svalue_id to const svalue *.
	Add test of heap allocation.
	(selftest::test_constraint_merging): Provide a
	region_model_manager when creating region_model instances.
	Provide a program_point point when merging them.  Eliminate use
	of set_to_new_unknown_value.
	(selftest::test_widening_constraints): New.
	(selftest::test_iteration_1): New.
	(selftest::test_malloc_constraints): Port to store-based
	implementation.
	(selftest::test_var): New test.
	(selftest::test_array_2): New test.
	(selftest::test_mem_ref): New test.
	(selftest::test_POINTER_PLUS_EXPR_then_MEM_REF): New.
	(selftest::test_malloc): New.
	(selftest::test_alloca): New.
	(selftest::analyzer_region_model_cc_tests): Update for renamings.
	Call new functions.
	* region-model.h (class path_var): Move to analyzer.h.
	(class svalue_id): Delete.
	(class region_id): Delete.
	(class id_map): Delete.
	(svalue_id_map): Delete.
	(region_id_map): Delete.
	(id_map<T>::id_map): Delete.
	(id_map<T>::put): Delete.
	(id_map<T>::get_dst_for_src): Delete.
	(id_map<T>::get_src_for_dst): Delete.
	(id_map<T>::dump_to_pp): Delete.
	(id_map<T>::dump): Delete.
	(id_map<T>::update): Delete.
	(one_way_svalue_id_map): Delete.
	(one_way_region_id_map): Delete.
	(class region_id_set): Delete.
	(class svalue_id_set): Delete.
	(struct complexity): New.
	(class visitor): New.
	(enum svalue_kind): Add SK_SETJMP, SK_INITIAL, SK_UNARYOP,
	SK_BINOP, SK_SUB, SK_UNMERGEABLE, SK_PLACEHOLDER, SK_WIDENING,
	SK_COMPOUND, and SK_CONJURED.
	(svalue::operator==): Delete.
	(svalue::operator!=): Delete.
	(svalue::clone): Delete.
	(svalue::hash): Delete.
	(svalue::dump_dot_to_pp): Delete.
	(svalue::dump_to_pp): New.
	(svalue::dump): New.
	(svalue::get_desc): New.
	(svalue::dyn_cast_initial_svalue): New.
	(svalue::dyn_cast_unaryop_svalue): New.
	(svalue::dyn_cast_binop_svalue): New.
	(svalue::dyn_cast_sub_svalue): New.
	(svalue::dyn_cast_unmergeable_svalue): New.
	(svalue::dyn_cast_widening_svalue): New.
	(svalue::dyn_cast_compound_svalue): New.
	(svalue::dyn_cast_conjured_svalue): New.
	(svalue::maybe_undo_cast): New.
	(svalue::unwrap_any_unmergeable): New.
	(svalue::remap_region_ids): Delete.
	(svalue::can_merge_p): New.
	(svalue::walk_for_canonicalization): Delete.
	(svalue::get_complexity): New.
	(svalue::get_child_sid): Delete.
	(svalue::accept): New.
	(svalue::live_p): New.
	(svalue::implicitly_live_p): New.
	(svalue::svalue): Add complexity param.
	(svalue::add_to_hash): Delete.
	(svalue::print_details): Delete.
	(svalue::m_complexity): New field.
	(region_svalue::key_t): New struct.
	(region_svalue::region_svalue): Port from region_id to
	const region_id *.  Add complexity.
	(region_svalue::compare_fields): Delete.
	(region_svalue::clone): Delete.
	(region_svalue::dump_dot_to_pp): Delete.
	(region_svalue::get_pointee): Port from region_id to
	const region_id *.
	(region_svalue::remap_region_ids): Delete.
	(region_svalue::merge_values): Delete.
	(region_svalue::dump_to_pp): New.
	(region_svalue::accept): New.
	(region_svalue::walk_for_canonicalization): Delete.
	(region_svalue::eval_condition): Make params const.
	(region_svalue::add_to_hash): Delete.
	(region_svalue::print_details): Delete.
	(region_svalue::m_rid): Replace with...
	(region_svalue::m_reg): ...this.
	(is_a_helper <region_svalue *>::test): Convert to...
	(is_a_helper <const region_svalue *>::test): ...this.
	(template <> struct default_hash_traits<region_svalue::key_t>):
	New.
	(constant_svalue::constant_svalue): Add complexity.
	(constant_svalue::compare_fields): Delete.
	(constant_svalue::clone): Delete.
	(constant_svalue::add_to_hash): Delete.
	(constant_svalue::dump_to_pp): New.
	(constant_svalue::accept): New.
	(constant_svalue::implicitly_live_p): New.
	(constant_svalue::merge_values): Delete.
	(constant_svalue::eval_condition): Make params const.
	(constant_svalue::get_child_sid): Delete.
	(constant_svalue::print_details): Delete.
	(is_a_helper <constant_svalue *>::test): Convert to...
	(is_a_helper <const constant_svalue *>::test): ...this.
	(class unknown_svalue): Update leading comment.
	(unknown_svalue::unknown_svalue): Add complexity.
	(unknown_svalue::compare_fields): Delete.
	(unknown_svalue::add_to_hash): Delete.
	(unknown_svalue::dyn_cast_unknown_svalue): Delete.
	(unknown_svalue::print_details): Delete.
	(unknown_svalue::dump_to_pp): New.
	(unknown_svalue::accept): New.
	(poisoned_svalue::key_t): New struct.
	(poisoned_svalue::poisoned_svalue): Add complexity.
	(poisoned_svalue::compare_fields): Delete.
	(poisoned_svalue::clone): Delete.
	(poisoned_svalue::add_to_hash): Delete.
	(poisoned_svalue::dump_to_pp): New.
	(poisoned_svalue::accept): New.
	(poisoned_svalue::print_details): Delete.
	(is_a_helper <poisoned_svalue *>::test): Convert to...
	(is_a_helper <const poisoned_svalue *>::test): ...this.
	(template <> struct default_hash_traits<poisoned_svalue::key_t>):
	New.
	(setjmp_record::add_to_hash): New.
	(setjmp_svalue::key_t): New struct.
	(setjmp_svalue::compare_fields): Delete.
	(setjmp_svalue::clone): Delete.
	(setjmp_svalue::add_to_hash): Delete.
	(setjmp_svalue::setjmp_svalue): Add complexity.
	(setjmp_svalue::dump_to_pp): New.
	(setjmp_svalue::accept): New.
	(setjmp_svalue::void print_details): Delete.
	(is_a_helper <const setjmp_svalue *>::test): New.
	(template <> struct default_hash_traits<setjmp_svalue::key_t>): New.
	(class initial_svalue : public svalue): New.
	(is_a_helper <const initial_svalue *>::test): New.
	(class unaryop_svalue): New.
	(is_a_helper <const unaryop_svalue *>::test): New.
	(template <> struct default_hash_traits<unaryop_svalue::key_t>): New.
	(class binop_svalue): New.
	(is_a_helper <const binop_svalue *>::test): New.
	(template <> struct default_hash_traits<binop_svalue::key_t>): New.
	(class sub_svalue): New.
	(is_a_helper <const sub_svalue *>::test): New.
	(template <> struct default_hash_traits<sub_svalue::key_t>): New.
	(class unmergeable_svalue): New.
	(is_a_helper <const unmergeable_svalue *>::test): New.
	(class placeholder_svalue): New.
	(is_a_helper <placeholder_svalue *>::test): New.
	(class widening_svalue): New.
	(is_a_helper <widening_svalue *>::test): New.
	(template <> struct default_hash_traits<widening_svalue::key_t>): New.
	(class compound_svalue): New.
	(is_a_helper <compound_svalue *>::test): New.
	(template <> struct default_hash_traits<compound_svalue::key_t>): New.
	(class conjured_svalue): New.
	(is_a_helper <conjured_svalue *>::test): New.
	(template <> struct default_hash_traits<conjured_svalue::key_t>): New.
	(enum region_kind): Delete RK_PRIMITIVE, RK_STRUCT, RK_UNION, and
	RK_ARRAY.  Add RK_LABEL, RK_DECL, RK_FIELD, RK_ELEMENT, RK_OFFSET,
	RK_CAST, RK_HEAP_ALLOCATED, RK_ALLOCA, RK_STRING, and RK_UNKNOWN.
	(region_kind_to_str): Delete.
	(region::~region): Move implementation to region.cc.
	(region::operator==): Delete.
	(region::operator!=): Delete.
	(region::clone): Delete.
	(region::get_id): New.
	(region::cmp_ids): New.
	(region::dyn_cast_map_region): Delete.
	(region::dyn_cast_array_region): Delete.
	(region::region_id get_parent): Delete.
	(region::get_parent_region): Convert to a simple accessor.
	(region::void set_value): Delete.
	(region::svalue_id get_value): Delete.
	(region::svalue_id get_value_direct): Delete.
	(region::svalue_id get_inherited_child_sid): Delete.
	(region::dyn_cast_frame_region): New.
	(region::dyn_cast_function_region): New.
	(region::dyn_cast_decl_region): New.
	(region::dyn_cast_field_region): New.
	(region::dyn_cast_element_region): New.
	(region::dyn_cast_offset_region): New.
	(region::dyn_cast_cast_region): New.
	(region::dyn_cast_string_region): New.
	(region::accept): New.
	(region::get_base_region): New.
	(region::base_region_p): New.
	(region::descendent_of_p): New.
	(region::maybe_get_frame_region): New.
	(region::maybe_get_decl): New.
	(region::hash): Delete.
	(region::rint): Delete.
	(region::dump_dot_to_pp): Delete.
	(region::get_desc): New.
	(region::dump_to_pp): Convert to vfunc, changing signature.
	(region::dump_child_label): Delete.
	(region::remap_svalue_ids): Delete.
	(region::remap_region_ids): Delete.
	(region::dump): New.
	(region::walk_for_canonicalization): Delete.
	(region::non_null_p): Drop region_model param.
	(region::add_view): Delete.
	(region::get_view): Delete.
	(region::get_active_view): Delete.
	(region::is_view_p): Delete.
	(region::cmp_ptrs): New.
	(region::validate): Delete.
	(region::get_offset): New.
	(region::get_byte_size): New.
	(region::get_bit_size): New.
	(region::get_subregions_for_binding): New.
	(region::region): Add complexity param.  Convert parent from
	region_id to const region *.  Drop svalue_id.  Drop copy ctor.
	(region::symbolic_for_unknown_ptr_p): New.
	(region::add_to_hash): Delete.
	(region::print_fields): Delete.
	(region::get_complexity): New accessor.
	(region::become_active_view): Delete.
	(region::deactivate_any_active_view): Delete.
	(region::deactivate_view): Delete.
	(region::calc_offset): New.
	(region::m_parent_rid): Delete.
	(region::m_sval_id): Delete.
	(region::m_complexity): New.
	(region::m_id): New.
	(region::m_parent): New.
	(region::m_view_rids): Delete.
	(region::m_is_view): Delete.
	(region::m_active_view_rid): Delete.
	(region::m_cached_offset): New.
	(is_a_helper <region *>::test): Convert to...
	(is_a_helper <const region *>::test): ... this.
	(class primitive_region): Delete.
	(class space_region): New.
	(class map_region): Delete.
	(is_a_helper <map_region *>::test): Delete.
	(class frame_region): Reimplement.
	(template <> struct default_hash_traits<frame_region::key_t>):
	New.
	(class globals_region): Reimplement.
	(is_a_helper <globals_region *>::test): Convert to...
	(is_a_helper <const globals_region *>::test): ...this.
	(class struct_or_union_region): Delete.
	(is_a_helper <struct_or_union_region *>::test): Delete.
	(class code_region): Reimplement.
	(is_a_helper <const code_region *>::test): New.
	(class struct_region): Delete.
	(is_a_helper <struct_region *>::test): Delete.
	(class function_region): Reimplement.
	(is_a_helper <function_region *>::test): Convert to...
	(is_a_helper <const function_region *>::test): ...this.
	(class union_region): Delete.
	(is_a_helper <union_region *>::test): Delete.
	(class label_region): New.
	(is_a_helper <const label_region *>::test): New.
	(class scope_region): Delete.
	(class stack_region): Reimplement.
	(is_a_helper <stack_region *>::test): Convert to...
	(is_a_helper <const stack_region *>::test): ...this.
	(class heap_region): Reimplement.
	(is_a_helper <heap_region *>::test): Convert to...
	(is_a_helper <const heap_region *>::test): ...this.
	(class root_region): Reimplement.
	(is_a_helper <root_region *>::test): Convert to...
	(is_a_helper <const root_region *>::test): ...this.
	(class symbolic_region): Reimplement.
	(is_a_helper <const symbolic_region *>::test): New.
	(template <> struct default_hash_traits<symbolic_region::key_t>):
	New.
	(class decl_region): New.
	(is_a_helper <const decl_region *>::test): New.
	(class field_region): New.
	(template <> struct default_hash_traits<field_region::key_t>): New.
	(class array_region): Delete.
	(class element_region): New.
	(is_a_helper <array_region *>::test): Delete.
	(is_a_helper <const element_region *>::test): New.
	(template <> struct default_hash_traits<element_region::key_t>):
	New.
	(class offset_region): New.
	(is_a_helper <const offset_region *>::test): New.
	(template <> struct default_hash_traits<offset_region::key_t>):
	New.
	(class cast_region): New.
	(is_a_helper <const cast_region *>::test): New.
	(template <> struct default_hash_traits<cast_region::key_t>): New.
	(class heap_allocated_region): New.
	(class alloca_region): New.
	(class string_region): New.
	(is_a_helper <const string_region *>::test): New.
	(class unknown_region): New.
	(class region_model_manager): New.
	(struct append_ssa_names_cb_data): New.
	(class call_details): New.
	(region_model::region_model): Add region_model_manager param.
	(region_model::print_svalue): Delete.
	(region_model::dump_dot_to_pp): Delete.
	(region_model::dump_dot_to_file): Delete.
	(region_model::dump_dot): Delete.
	(region_model::dump_to_pp): Drop summarize param in favor of
	simple and multiline.
	(region_model::dump): Likewise.
	(region_model::summarize_to_pp): Delete.
	(region_model::summarize): Delete.
	(region_model::void canonicalize): Drop ctxt param.
	(region_model::void check_for_poison): Delete.
	(region_model::get_gassign_result): New.
	(region_model::impl_call_alloca): New.
	(region_model::impl_call_analyzer_describe): New.
	(region_model::impl_call_analyzer_eval): New.
	(region_model::impl_call_builtin_expect): New.
	(region_model::impl_call_calloc): New.
	(region_model::impl_call_free): New.
	(region_model::impl_call_malloc): New.
	(region_model::impl_call_memset): New.
	(region_model::impl_call_strlen): New.
	(region_model::get_reachable_svalues): New.
	(region_model::handle_phi): Drop is_back_edge param.
	(region_model::region_id get_root_rid): Delete.
	(region_model::root_region *get_root_region): Delete.
	(region_model::region_id get_stack_region_id): Delete.
	(region_model::push_frame): Convert from region_id and svalue_id
	to const region * and const svalue *.
	(region_model::get_current_frame_id): Replace with...
	(region_model::get_current_frame): ...this.
	(region_model::pop_frame): Convert from region_id to
	const region *.  Drop purge and stats param.  Add out_result.
	(region_model::function *get_function_at_depth): Delete.
	(region_model::get_globals_region_id): Delete.
	(region_model::add_svalue): Delete.
	(region_model::replace_svalue): Delete.
	(region_model::add_region): Delete.
	(region_model::add_region_for_type): Delete.
	(region_model::get_svalue): Delete.
	(region_model::get_region): Delete.
	(region_model::get_lvalue): Convert from region_id to
	const region *.
	(region_model::get_rvalue): Convert from svalue_id to
	const svalue *.
	(region_model::get_or_create_ptr_svalue): Delete.
	(region_model::get_or_create_constant_svalue): Delete.
	(region_model::get_svalue_for_fndecl): Delete.
	(region_model::get_svalue_for_label): Delete.
	(region_model::get_region_for_fndecl): Delete.
	(region_model::get_region_for_label): Delete.
	(region_model::get_frame_at_index (int index) const;): New.
	(region_model::maybe_cast): Delete.
	(region_model::maybe_cast_1): Delete.
	(region_model::get_field_region): Delete.
	(region_model::id deref_rvalue): Convert from region_id and
	svalue_id to const region * and const svalue *.  Drop overload,
	passing in both a tree and an svalue.
	(region_model::set_value): Convert from region_id and svalue_id to
	const region * and const svalue *.
	(region_model::set_to_new_unknown_value): Delete.
	(region_model::clobber_region (const region *reg);): New.
	(region_model::purge_region (const region *reg);): New.
	(region_model::zero_fill_region (const region *reg);): New.
	(region_model::mark_region_as_unknown (const region *reg);): New.
	(region_model::copy_region): Convert from region_id to
	const region *.
	(region_model::eval_condition): Convert from svalue_id to
	const svalue *.
	(region_model::eval_condition_without_cm): Likewise.
	(region_model::compare_initial_and_pointer): New.
	(region_model::maybe_get_constant): Delete.
	(region_model::add_new_malloc_region): Delete.
	(region_model::get_representative_tree): Convert from svalue_id to
	const svalue *.
	(region_model::get_representative_path_var): Delete decl taking a
	region_id in favor of two decls, for svalue vs region, with an
	svalue_set to ensure termination.
	(region_model::get_path_vars_for_svalue): Delete.
	(region_model::create_region_for_heap_alloc): New.
	(region_model::create_region_for_alloca): New.
	(region_model::purge_unused_svalues): Delete.
	(region_model::remap_svalue_ids): Delete.
	(region_model::remap_region_ids): Delete.
	(region_model::purge_regions): Delete.
	(region_model::get_num_svalues): Delete.
	(region_model::get_num_regions): Delete.
	(region_model::get_descendents): Delete.
	(region_model::get_store): New.
	(region_model::delete_region_and_descendents): Delete.
	(region_model::get_manager): New.
	(region_model::unbind_region_and_descendents): New.
	(region_model::can_merge_with_p): Add point param.  Drop
	svalue_id_merger_mapping.
	(region_model::get_value_by_name): Delete.
	(region_model::convert_byte_offset_to_array_index): Delete.
	(region_model::get_or_create_mem_ref): Delete.
	(region_model::get_or_create_pointer_plus_expr): Delete.
	(region_model::get_or_create_view): Delete.
	(region_model::get_lvalue_1): Convert from region_id to
	const region *.
	(region_model::get_rvalue_1): Convert from svalue_id to
	const svalue *.
	(region_model::get_ssa_name_regions_for_current_frame): New.
	(region_model::append_ssa_names_cb): New.
	(region_model::get_store_value): New.
	(region_model::copy_struct_region): Delete.
	(region_model::copy_union_region): Delete.
	(region_model::copy_array_region): Delete.
	(region_model::region_exists_p): New.
	(region_model::make_region_for_unexpected_tree_code): Delete.
	(region_model::loop_replay_fixup): New.
	(region_model::poison_any_pointers_to_bad_regions): Delete.
	(region_model::poison_any_pointers_to_descendents): New.
	(region_model::dump_summary_of_rep_path_vars): Delete.
	(region_model::on_top_level_param): New.
	(region_model::record_dynamic_extents): New.
	(region_model::m_mgr;): New.
	(region_model::m_store;): New.
	(region_model::m_svalues;): Delete.
	(region_model::m_regions;): Delete.
	(region_model::m_root_rid;): Delete.
	(region_model::m_current_frame;): New.
	(region_model_context::remap_svalue_ids): Delete.
	(region_model_context::can_purge_p): Delete.
	(region_model_context::on_svalue_leak): New.
	(region_model_context::on_svalue_purge): Delete.
	(region_model_context::on_liveness_change): New.
	(region_model_context::on_inherited_svalue): Delete.
	(region_model_context::on_cast): Delete.
	(region_model_context::on_unknown_change): Convert from svalue_id to
	const svalue * and add is_mutable.
	(class noop_region_model_context): Update for region_model_context
	changes.
	(model_merger::model_merger): Add program_point.  Drop
	svalue_id_merger_mapping.
	(model_merger::dump_to_pp): Add "simple" param.
	(model_merger::dump): Likewise.
	(model_merger::get_region_a): Delete.
	(model_merger::get_region_b): Delete.
	(model_merger::can_merge_values_p): Delete.
	(model_merger::record_regions): Delete.
	(model_merger::record_svalues): Delete.
	(model_merger::m_point): New field.
	(model_merger::m_map_regions_from_a_to_m): Delete.
	(model_merger::m_map_regions_from_b_to_m): Delete.
	(model_merger::m_sid_mapping): Delete.
	(struct svalue_id_merger_mapping): Delete.
	(class engine): New.
	(struct canonicalization): Delete.
	(inchash::add): Delete decls for hashing svalue_id and region_id.
	(test_region_model_context::on_unexpected_tree_code): Require t to
	be non-NULL.
	(selftest::assert_condition): Add overload comparing a pair of
	const svalue *.
	* sm-file.cc: Include "tristate.h", "selftest.h",
	"analyzer/call-string.h", "analyzer/program-point.h",
	"analyzer/store.h", and "analyzer/region-model.h".
	(fileptr_state_machine::get_default_state): New.
	(fileptr_state_machine::on_stmt): Remove calls to
	get_readable_tree in favor of get_diagnostic_tree.
	* sm-malloc.cc: Include "tristate.h", "selftest.h",
	"analyzer/call-string.h", "analyzer/program-point.h",
	"analyzer/store.h", and "analyzer/region-model.h".
	(malloc_state_machine::get_default_state): New.
	(malloc_state_machine::reset_when_passed_to_unknown_fn_p): New.
	(malloc_diagnostic::describe_state_change): Handle change.m_expr
	being NULL.
	(null_arg::emit): Avoid printing "NULL '0'".
	(null_arg::describe_final_event): Avoid printing "(0) NULL".
	(malloc_leak::emit): Handle m_arg being NULL.
	(malloc_leak::describe_final_event): Handle ev.m_expr being NULL.
	(malloc_state_machine::on_stmt): Don't call get_readable_tree.
	Call get_diagnostic_tree when creating pending diagnostics.
	Update for is_zero_assignment becoming a member function of
	sm_ctxt.
	Don't transition to m_non_heap for ADDR_EXPR(MEM_REF()).
	(malloc_state_machine::reset_when_passed_to_unknown_fn_p): New
	vfunc implementation.
	* sm-sensitive.cc (sensitive_state_machine::warn_for_any_exposure): Call
	get_diagnostic_tree and pass the result to warn_for_state.
	* sm-signal.cc: Move includes of "analyzer/call-string.h" and
	"analyzer/program-point.h" to before "analyzer/region-model.h",
	and also include "analyzer/store.h" before it.
	(signal_unsafe_call::describe_state_change): Use
	get_dest_function to get handler.
	(update_model_for_signal_handler): Pass manager to region_model
	ctor.
	(register_signal_handler::impl_transition): Update for changes to
	get_or_create_node and add_edge.
	* sm-taint.cc (taint_state_machine::on_stmt): Remove calls to
	get_readable_tree, replacing them when calling warn_for_state with
	calls to get_diagnostic_tree.
	* sm.cc (is_zero_assignment): Delete.
	(any_pointer_p): Move to within namespace ana.
	* sm.h (is_zero_assignment): Remove decl.
	(any_pointer_p): Move decl to within namespace ana.
	(state_machine::get_default_state): New vfunc.
	(state_machine::reset_when_passed_to_unknown_fn_p): New vfunc.
	(sm_context::get_readable_tree): Rename to...
	(sm_context::get_diagnostic_tree): ...this.
	(sm_context::is_zero_assignment): New vfunc.
	* store.cc: New file.
	* store.h: New file.
	* svalue.cc: New file.

gcc/testsuite/ChangeLog:
	PR analyzer/93032
	PR analyzer/93938
	PR analyzer/94011
	PR analyzer/94099
	PR analyzer/94399
	PR analyzer/94458
	PR analyzer/94503
	PR analyzer/94640
	PR analyzer/94688
	PR analyzer/94689
	PR analyzer/94839
	PR analyzer/95026
	PR analyzer/95042
	PR analyzer/95240
	* g++.dg/analyzer/pr93212.C: Add dg-warning for dangling
	reference.
	* g++.dg/analyzer/pr93950.C: Remove xfail.
	* g++.dg/analyzer/pr94011.C: New test.
	* g++.dg/analyzer/pr94028.C: Remove leak false positives; mark as
	failing on C++98.
	* g++.dg/analyzer/pr94503.C: New test.
	* g++.dg/analyzer/pr95042.C: New test.
	* gcc.dg/analyzer/CVE-2005-1689-dedupe-issue-2.c: New test.
	* gcc.dg/analyzer/CVE-2005-1689-dedupe-issue.c: Add xfail.
	* gcc.dg/analyzer/CVE-2005-1689-minimal.c:
	Include "analyzer-decls.h".
	(test_4, test_5, test_6, test_7, test_8): New tests.
	* gcc.dg/analyzer/abs-1.c: New test.
	* gcc.dg/analyzer/aliasing-1.c: New test.
	* gcc.dg/analyzer/aliasing-2.c: New test.
	* gcc.dg/analyzer/analyzer-decls.h (__analyzer_describe): New
	decl.
	(__analyzer_dump_num_heap_regions): Remove.
	* gcc.dg/analyzer/attribute-nonnull.c: Add dg-warnings for cases
	where NULL is directly used as an argument.
	* gcc.dg/analyzer/bzero-1.c: New test.
	* gcc.dg/analyzer/casts-1.c: New test.
	* gcc.dg/analyzer/casts-2.c: New test.
	* gcc.dg/analyzer/compound-assignment-1.c
	(test_4): Remove xfail from leak false positive.
	(called_by_test_5a): Add "allocated here" expected message.
	(called_by_test_5b): Make expected leak message more precise.
	* gcc.dg/analyzer/compound-assignment-3.c: Update expected leak
	message.
	* gcc.dg/analyzer/compound-assignment-4.c: New test.
	* gcc.dg/analyzer/compound-assignment-5.c: New test.
	* gcc.dg/analyzer/conditionals-notrans.c: Remove xfails.
	* gcc.dg/analyzer/data-model-1.c (test_12d): Update expected
	results.
	(test_13): Remove xfail.
	(test_14): Remove xfail.
	(test_15): Remove xfail.
	(test_16): Remove xfails.  Add out-of-bounds access.
	(test_16_alt): Remove xfails.
	(test_23): Remove xfail.
	(test_24): Remove xfail.
	(test_25): Remove xfail.
	(test_26): Update expected result.  Remove xfail.  Add xfail.
	(test_27): Remove xfails.
	(test_29): Add __analyzer_eval pointer comparisons.
	(test_41): Generalize expected output for u.ptr comparison with
	NULL for targets where this could be known to be false.
	(test_42): Remove xfail.
	(test_51): Remove xfails.
	* gcc.dg/analyzer/data-model-13.c: Update for improvements to
	source location and wording of leak message.
	* gcc.dg/analyzer/data-model-14.c: Remove -fanalyzer-fine-grained.
	(test_1): Update for improvement to expected message.
	(test_2): Remove xfail.
	* gcc.dg/analyzer/data-model-18.c: Remove xfail.
	* gcc.dg/analyzer/data-model-20.c: New test.
	* gcc.dg/analyzer/data-model-5.c: Add dg-warning for deref of
	NULL.  Add xfailing false leak.
	* gcc.dg/analyzer/data-model-5b.c: Add xfailing false leak.
	* gcc.dg/analyzer/data-model-5c.c: Update xfailing false leak.
	* gcc.dg/analyzer/data-model-5d.c: Reimplement.
	* gcc.dg/analyzer/data-model-6.c: Delete test.
	* gcc.dg/analyzer/data-model-8.c: Remove xfail.
	* gcc.dg/analyzer/describe-1.c: New test.
	* gcc.dg/analyzer/dot-output.c: Remove xfail.
	* gcc.dg/analyzer/explode-1.c: Add expected leak warning.
	* gcc.dg/analyzer/explode-2.c: Add expected leak warnings.  Mark
	double-free warnings as xfail for now.
	* gcc.dg/analyzer/feasibility-1.c: New test.
	* gcc.dg/analyzer/first-field-1.c: New test.
	* gcc.dg/analyzer/first-field-2.c: New test.
	* gcc.dg/analyzer/init.c: New test.
	* gcc.dg/analyzer/leak-2.c: New test.
	* gcc.dg/analyzer/loop-0-up-to-n-by-1-with-iter-obj.c: New test.
	* gcc.dg/analyzer/loop-0-up-to-n-by-1.c: New test.
	* gcc.dg/analyzer/loop-2a.c: Update expected behavior.
	* gcc.dg/analyzer/loop-3.c: Mark use-after-free as xfail.  Add
	expected warning about deref of unchecked pointer.
	* gcc.dg/analyzer/loop-4.c: Remove -fno-analyzer-state-purge.
	Update expected behavior.
	* gcc.dg/analyzer/loop-n-down-to-1-by-1.c: New test.
	* gcc.dg/analyzer/loop-start-down-to-end-by-1.c: New test.
	* gcc.dg/analyzer/loop-start-down-to-end-by-step.c: New test.
	* gcc.dg/analyzer/loop-start-to-end-by-step.c: New test.
	* gcc.dg/analyzer/loop-start-up-to-end-by-1.c: New test.
	* gcc.dg/analyzer/loop.c: Remove -fno-analyzer-state-purge.
	Update expected behavior.
	* gcc.dg/analyzer/malloc-1.c: Remove xfails from leak false
	positives.  Update expected wording of global_link.m_ptr leak.
	(test_49): New test.
	* gcc.dg/analyzer/malloc-4.c: Remove leak false positive.  Update
	expected wording of leak warning.
	* gcc.dg/analyzer/malloc-in-loop.c: New test.
	* gcc.dg/analyzer/malloc-ipa-8-double-free.c: Update expected path
	to show call to wrapped_malloc.
	* gcc.dg/analyzer/malloc-ipa-8-unchecked.c: Remove
	-fanalyzer-verbose-state-changes.
	* gcc.dg/analyzer/malloc-paths-9.c: Remove comment about duplicate
	warnings.  Remove duplicate use-after-free paths.
	* gcc.dg/analyzer/malloc-vs-local-1a.c: Add dg-warning for deref
	of unchecked pointer.  Update expected number of enodes.
	* gcc.dg/analyzer/malloc-vs-local-2.c: Likewise.
	* gcc.dg/analyzer/malloc-vs-local-3.c: Add dg-warning for deref of
	unchecked pointer.  Update expected number of enodes.  Avoid
	overspecifying the leak message.
	* gcc.dg/analyzer/memset-1.c: New test.
	* gcc.dg/analyzer/paths-3.c: Update expected number of enodes.
	* gcc.dg/analyzer/paths-4.c: Likewise.
	* gcc.dg/analyzer/paths-6.c: Likewise.
	* gcc.dg/analyzer/paths-7.c: Likewise.
	* gcc.dg/analyzer/pr93032-mztools-simplified.c: New test.
	* gcc.dg/analyzer/pr93032-mztools.c: New test.
	* gcc.dg/analyzer/pr93382.c: Mark taint tests as failing.
	* gcc.dg/analyzer/pr93938.c: New test.
	* gcc.dg/analyzer/pr94099.c: Replace uninit dg-warning with
	dg-warning for NULL dereference.
	* gcc.dg/analyzer/pr94399.c: New test.
	* gcc.dg/analyzer/pr94447.c: Add dg-warning for NULL dereference.
	* gcc.dg/analyzer/pr94458.c: New test.
	* gcc.dg/analyzer/pr94640.c: New test.
	* gcc.dg/analyzer/pr94688.c: New test.
	* gcc.dg/analyzer/pr94689.c: New test.
	* gcc.dg/analyzer/pr94839.c: New test.
	* gcc.dg/analyzer/pr95026.c: New test.
	* gcc.dg/analyzer/pr95240.c: New test.
	* gcc.dg/analyzer/refcounting-1.c: New test.
	* gcc.dg/analyzer/single-field.c: New test.
	* gcc.dg/analyzer/stale-frame-1.c: New test.
	* gcc.dg/analyzer/symbolic-1.c: New test.
	* gcc.dg/analyzer/symbolic-2.c: New test.
	* gcc.dg/analyzer/symbolic-3.c: New test.
	* gcc.dg/analyzer/symbolic-4.c: New test.
	* gcc.dg/analyzer/symbolic-5.c: New test.
	* gcc.dg/analyzer/symbolic-6.c: New test.
	* gcc.dg/analyzer/taint-1.c: Mark the "gets unchecked value"
	events as failing for now.  Update dg-message directives to avoid
	relying on numbering.
	* gcc.dg/analyzer/torture/loop-inc-ptr-1.c: New test.
	* gcc.dg/analyzer/torture/loop-inc-ptr-2.c: New test.
	* gcc.dg/analyzer/torture/loop-inc-ptr-3.c: New test.
	* gcc.dg/analyzer/unknown-fns-2.c: New test.
	* gcc.dg/analyzer/unknown-fns-3.c: New test.
	* gcc.dg/analyzer/unknown-fns-4.c: New test.
	* gcc.dg/analyzer/unknown-fns.c: Update dg-warning to reflect fixed
	source location for leak diagnostic.
	* gcc.dg/analyzer/use-after-free.c: New test.
	* gcc.dg/analyzer/vla-1.c: New test.
	* gcc.dg/analyzer/zlib-4.c: Rewrite to avoid "exit" calls.  Add
	expected leak warnings.
	* gfortran.dg/analyzer/pr93993.f90: Remove leak of tm warning,
	which seems to have been a false positive.
---
 gcc/Makefile.in                               |    8 +-
 gcc/analyzer/analyzer-logging.cc              |    8 +-
 gcc/analyzer/analyzer-logging.h               |    2 +
 gcc/analyzer/analyzer-selftests.cc            |    1 +
 gcc/analyzer/analyzer-selftests.h             |    1 +
 gcc/analyzer/analyzer.cc                      |   30 +
 gcc/analyzer/analyzer.h                       |  192 +-
 gcc/analyzer/analyzer.opt                     |    8 +
 gcc/analyzer/call-string.cc                   |    2 +
 gcc/analyzer/checker-path.cc                  |   52 +-
 gcc/analyzer/checker-path.h                   |   12 +-
 gcc/analyzer/constraint-manager.cc            | 1226 ++-
 gcc/analyzer/constraint-manager.h             |  113 +-
 gcc/analyzer/diagnostic-manager.cc            |  451 +-
 gcc/analyzer/diagnostic-manager.h             |   20 +-
 gcc/analyzer/engine.cc                        |  790 +-
 gcc/analyzer/exploded-graph.h                 |   55 +-
 gcc/analyzer/program-point.cc                 |   61 +
 gcc/analyzer/program-point.h                  |   52 +-
 gcc/analyzer/program-state.cc                 | 1271 +--
 gcc/analyzer/program-state.h                  |  240 +-
 gcc/analyzer/region-model-impl-calls.cc       |  352 +
 gcc/analyzer/region-model-manager.cc          | 1088 ++
 gcc/analyzer/region-model-reachability.cc     |  280 +
 gcc/analyzer/region-model-reachability.h      |  117 +
 gcc/analyzer/region-model.cc                  | 8931 +++++------------
 gcc/analyzer/region-model.h                   | 3140 +++---
 gcc/analyzer/region.cc                        | 1064 ++
 gcc/analyzer/sm-file.cc                       |   26 +-
 gcc/analyzer/sm-malloc.cc                     |  164 +-
 gcc/analyzer/sm-sensitive.cc                  |    3 +-
 gcc/analyzer/sm-signal.cc                     |   15 +-
 gcc/analyzer/sm-taint.cc                      |    9 +-
 gcc/analyzer/sm.cc                            |   21 +-
 gcc/analyzer/sm.h                             |   35 +-
 gcc/analyzer/store.cc                         | 2008 ++++
 gcc/analyzer/store.h                          |  613 ++
 gcc/analyzer/svalue.cc                        | 1004 ++
 gcc/doc/analyzer.texi                         |  110 +-
 gcc/testsuite/g++.dg/analyzer/pr93212.C       |    5 +-
 gcc/testsuite/g++.dg/analyzer/pr93950.C       |    4 +-
 gcc/testsuite/g++.dg/analyzer/pr94011.C       |   16 +
 gcc/testsuite/g++.dg/analyzer/pr94028.C       |    4 +-
 gcc/testsuite/g++.dg/analyzer/pr94503.C       |   25 +
 gcc/testsuite/g++.dg/analyzer/pr95042.C       |   28 +
 .../analyzer/CVE-2005-1689-dedupe-issue-2.c   |   30 +
 .../analyzer/CVE-2005-1689-dedupe-issue.c     |    2 +-
 .../gcc.dg/analyzer/CVE-2005-1689-minimal.c   |   61 +
 gcc/testsuite/gcc.dg/analyzer/abs-1.c         |   22 +
 gcc/testsuite/gcc.dg/analyzer/aliasing-1.c    |   25 +
 gcc/testsuite/gcc.dg/analyzer/aliasing-2.c    |   32 +
 .../gcc.dg/analyzer/analyzer-decls.h          |    7 +-
 .../gcc.dg/analyzer/attribute-nonnull.c       |   12 +-
 gcc/testsuite/gcc.dg/analyzer/bzero-1.c       |   11 +
 gcc/testsuite/gcc.dg/analyzer/casts-1.c       |   49 +
 gcc/testsuite/gcc.dg/analyzer/casts-2.c       |   15 +
 .../gcc.dg/analyzer/compound-assignment-1.c   |    9 +-
 .../gcc.dg/analyzer/compound-assignment-3.c   |    2 +-
 .../gcc.dg/analyzer/compound-assignment-4.c   |   28 +
 .../gcc.dg/analyzer/compound-assignment-5.c   |  142 +
 .../gcc.dg/analyzer/conditionals-notrans.c    |   33 +-
 gcc/testsuite/gcc.dg/analyzer/data-model-1.c  |   96 +-
 gcc/testsuite/gcc.dg/analyzer/data-model-13.c |    7 +-
 gcc/testsuite/gcc.dg/analyzer/data-model-14.c |    9 +-
 gcc/testsuite/gcc.dg/analyzer/data-model-18.c |    4 +-
 gcc/testsuite/gcc.dg/analyzer/data-model-20.c |   25 +
 gcc/testsuite/gcc.dg/analyzer/data-model-5.c  |   13 +-
 gcc/testsuite/gcc.dg/analyzer/data-model-5b.c |   12 +-
 gcc/testsuite/gcc.dg/analyzer/data-model-5c.c |   13 +-
 gcc/testsuite/gcc.dg/analyzer/data-model-5d.c |   61 +-
 gcc/testsuite/gcc.dg/analyzer/data-model-6.c  |   14 -
 gcc/testsuite/gcc.dg/analyzer/data-model-8.c  |    3 +-
 gcc/testsuite/gcc.dg/analyzer/describe-1.c    |   11 +
 gcc/testsuite/gcc.dg/analyzer/dot-output.c    |    3 +-
 gcc/testsuite/gcc.dg/analyzer/explode-1.c     |    2 +-
 gcc/testsuite/gcc.dg/analyzer/explode-2.c     |   16 +-
 gcc/testsuite/gcc.dg/analyzer/feasibility-1.c |   62 +
 gcc/testsuite/gcc.dg/analyzer/first-field-1.c |   24 +
 gcc/testsuite/gcc.dg/analyzer/first-field-2.c |   33 +
 gcc/testsuite/gcc.dg/analyzer/init.c          |  136 +
 gcc/testsuite/gcc.dg/analyzer/leak-2.c        |    9 +
 .../loop-0-up-to-n-by-1-with-iter-obj.c       |   73 +
 .../gcc.dg/analyzer/loop-0-up-to-n-by-1.c     |   31 +
 gcc/testsuite/gcc.dg/analyzer/loop-2a.c       |   10 +-
 gcc/testsuite/gcc.dg/analyzer/loop-3.c        |    7 +-
 gcc/testsuite/gcc.dg/analyzer/loop-4.c        |   13 +-
 .../gcc.dg/analyzer/loop-n-down-to-1-by-1.c   |   35 +
 .../analyzer/loop-start-down-to-end-by-1.c    |   35 +
 .../analyzer/loop-start-down-to-end-by-step.c |   30 +
 .../analyzer/loop-start-to-end-by-step.c      |   36 +
 .../analyzer/loop-start-up-to-end-by-1.c      |   34 +
 gcc/testsuite/gcc.dg/analyzer/loop.c          |    9 +-
 gcc/testsuite/gcc.dg/analyzer/malloc-1.c      |   26 +-
 gcc/testsuite/gcc.dg/analyzer/malloc-4.c      |    4 +-
 .../gcc.dg/analyzer/malloc-in-loop.c          |   19 +
 .../analyzer/malloc-ipa-8-double-free.c       |   82 +-
 .../gcc.dg/analyzer/malloc-ipa-8-unchecked.c  |    6 +-
 .../gcc.dg/analyzer/malloc-paths-9.c          |   59 +-
 .../gcc.dg/analyzer/malloc-vs-local-1a.c      |   22 +-
 .../gcc.dg/analyzer/malloc-vs-local-2.c       |   16 +-
 .../gcc.dg/analyzer/malloc-vs-local-3.c       |    7 +-
 gcc/testsuite/gcc.dg/analyzer/memset-1.c      |  100 +
 gcc/testsuite/gcc.dg/analyzer/paths-3.c       |    4 +-
 gcc/testsuite/gcc.dg/analyzer/paths-4.c       |   10 +-
 gcc/testsuite/gcc.dg/analyzer/paths-6.c       |    4 +-
 gcc/testsuite/gcc.dg/analyzer/paths-7.c       |    3 +-
 .../analyzer/pr93032-mztools-simplified.c     |   22 +
 .../gcc.dg/analyzer/pr93032-mztools.c         |  331 +
 gcc/testsuite/gcc.dg/analyzer/pr93382.c       |    6 +-
 gcc/testsuite/gcc.dg/analyzer/pr93938.c       |   13 +
 gcc/testsuite/gcc.dg/analyzer/pr94099.c       |    3 +-
 gcc/testsuite/gcc.dg/analyzer/pr94399.c       |   13 +
 gcc/testsuite/gcc.dg/analyzer/pr94447.c       |    2 +-
 gcc/testsuite/gcc.dg/analyzer/pr94458.c       |   23 +
 gcc/testsuite/gcc.dg/analyzer/pr94640.c       |   17 +
 gcc/testsuite/gcc.dg/analyzer/pr94688.c       |    6 +
 gcc/testsuite/gcc.dg/analyzer/pr94689.c       |    8 +
 gcc/testsuite/gcc.dg/analyzer/pr94839.c       |   20 +
 gcc/testsuite/gcc.dg/analyzer/pr95026.c       |   17 +
 gcc/testsuite/gcc.dg/analyzer/pr95240.c       |   27 +
 gcc/testsuite/gcc.dg/analyzer/refcounting-1.c |   31 +
 gcc/testsuite/gcc.dg/analyzer/single-field.c  |   37 +
 gcc/testsuite/gcc.dg/analyzer/stale-frame-1.c |   15 +
 gcc/testsuite/gcc.dg/analyzer/symbolic-1.c    |   43 +
 gcc/testsuite/gcc.dg/analyzer/symbolic-2.c    |   32 +
 gcc/testsuite/gcc.dg/analyzer/symbolic-3.c    |   12 +
 gcc/testsuite/gcc.dg/analyzer/symbolic-4.c    |   20 +
 gcc/testsuite/gcc.dg/analyzer/symbolic-5.c    |   29 +
 gcc/testsuite/gcc.dg/analyzer/symbolic-6.c    |   24 +
 gcc/testsuite/gcc.dg/analyzer/taint-1.c       |   22 +-
 .../gcc.dg/analyzer/torture/loop-inc-ptr-1.c  |   15 +
 .../gcc.dg/analyzer/torture/loop-inc-ptr-2.c  |   17 +
 .../gcc.dg/analyzer/torture/loop-inc-ptr-3.c  |   18 +
 gcc/testsuite/gcc.dg/analyzer/unknown-fns-2.c |  238 +
 gcc/testsuite/gcc.dg/analyzer/unknown-fns-3.c |   67 +
 gcc/testsuite/gcc.dg/analyzer/unknown-fns-4.c |   15 +
 gcc/testsuite/gcc.dg/analyzer/unknown-fns.c   |    8 +-
 .../gcc.dg/analyzer/use-after-free.c          |   12 +
 gcc/testsuite/gcc.dg/analyzer/vla-1.c         |   13 +
 gcc/testsuite/gcc.dg/analyzer/zlib-4.c        |   10 +-
 .../gfortran.dg/analyzer/pr93993.f90          |    2 +-
 gcc/tristate.h                                |    2 +
 142 files changed, 16153 insertions(+), 10402 deletions(-)
 create mode 100644 gcc/analyzer/region-model-impl-calls.cc
 create mode 100644 gcc/analyzer/region-model-manager.cc
 create mode 100644 gcc/analyzer/region-model-reachability.cc
 create mode 100644 gcc/analyzer/region-model-reachability.h
 create mode 100644 gcc/analyzer/region.cc
 create mode 100644 gcc/analyzer/store.cc
 create mode 100644 gcc/analyzer/store.h
 create mode 100644 gcc/analyzer/svalue.cc
 create mode 100644 gcc/testsuite/g++.dg/analyzer/pr94011.C
 create mode 100644 gcc/testsuite/g++.dg/analyzer/pr94503.C
 create mode 100644 gcc/testsuite/g++.dg/analyzer/pr95042.C
 create mode 100644 gcc/testsuite/gcc.dg/analyzer/CVE-2005-1689-dedupe-issue-2.c
 create mode 100644 gcc/testsuite/gcc.dg/analyzer/abs-1.c
 create mode 100644 gcc/testsuite/gcc.dg/analyzer/aliasing-1.c
 create mode 100644 gcc/testsuite/gcc.dg/analyzer/aliasing-2.c
 create mode 100644 gcc/testsuite/gcc.dg/analyzer/bzero-1.c
 create mode 100644 gcc/testsuite/gcc.dg/analyzer/casts-1.c
 create mode 100644 gcc/testsuite/gcc.dg/analyzer/casts-2.c
 create mode 100644 gcc/testsuite/gcc.dg/analyzer/compound-assignment-4.c
 create mode 100644 gcc/testsuite/gcc.dg/analyzer/compound-assignment-5.c
 create mode 100644 gcc/testsuite/gcc.dg/analyzer/data-model-20.c
 delete mode 100644 gcc/testsuite/gcc.dg/analyzer/data-model-6.c
 create mode 100644 gcc/testsuite/gcc.dg/analyzer/describe-1.c
 create mode 100644 gcc/testsuite/gcc.dg/analyzer/feasibility-1.c
 create mode 100644 gcc/testsuite/gcc.dg/analyzer/first-field-1.c
 create mode 100644 gcc/testsuite/gcc.dg/analyzer/first-field-2.c
 create mode 100644 gcc/testsuite/gcc.dg/analyzer/init.c
 create mode 100644 gcc/testsuite/gcc.dg/analyzer/leak-2.c
 create mode 100644 gcc/testsuite/gcc.dg/analyzer/loop-0-up-to-n-by-1-with-iter-obj.c
 create mode 100644 gcc/testsuite/gcc.dg/analyzer/loop-0-up-to-n-by-1.c
 create mode 100644 gcc/testsuite/gcc.dg/analyzer/loop-n-down-to-1-by-1.c
 create mode 100644 gcc/testsuite/gcc.dg/analyzer/loop-start-down-to-end-by-1.c
 create mode 100644 gcc/testsuite/gcc.dg/analyzer/loop-start-down-to-end-by-step.c
 create mode 100644 gcc/testsuite/gcc.dg/analyzer/loop-start-to-end-by-step.c
 create mode 100644 gcc/testsuite/gcc.dg/analyzer/loop-start-up-to-end-by-1.c
 create mode 100644 gcc/testsuite/gcc.dg/analyzer/malloc-in-loop.c
 create mode 100644 gcc/testsuite/gcc.dg/analyzer/memset-1.c
 create mode 100644 gcc/testsuite/gcc.dg/analyzer/pr93032-mztools-simplified.c
 create mode 100644 gcc/testsuite/gcc.dg/analyzer/pr93032-mztools.c
 create mode 100644 gcc/testsuite/gcc.dg/analyzer/pr93938.c
 create mode 100644 gcc/testsuite/gcc.dg/analyzer/pr94399.c
 create mode 100644 gcc/testsuite/gcc.dg/analyzer/pr94458.c
 create mode 100644 gcc/testsuite/gcc.dg/analyzer/pr94640.c
 create mode 100644 gcc/testsuite/gcc.dg/analyzer/pr94688.c
 create mode 100644 gcc/testsuite/gcc.dg/analyzer/pr94689.c
 create mode 100644 gcc/testsuite/gcc.dg/analyzer/pr94839.c
 create mode 100644 gcc/testsuite/gcc.dg/analyzer/pr95026.c
 create mode 100644 gcc/testsuite/gcc.dg/analyzer/pr95240.c
 create mode 100644 gcc/testsuite/gcc.dg/analyzer/refcounting-1.c
 create mode 100644 gcc/testsuite/gcc.dg/analyzer/single-field.c
 create mode 100644 gcc/testsuite/gcc.dg/analyzer/stale-frame-1.c
 create mode 100644 gcc/testsuite/gcc.dg/analyzer/symbolic-1.c
 create mode 100644 gcc/testsuite/gcc.dg/analyzer/symbolic-2.c
 create mode 100644 gcc/testsuite/gcc.dg/analyzer/symbolic-3.c
 create mode 100644 gcc/testsuite/gcc.dg/analyzer/symbolic-4.c
 create mode 100644 gcc/testsuite/gcc.dg/analyzer/symbolic-5.c
 create mode 100644 gcc/testsuite/gcc.dg/analyzer/symbolic-6.c
 create mode 100644 gcc/testsuite/gcc.dg/analyzer/torture/loop-inc-ptr-1.c
 create mode 100644 gcc/testsuite/gcc.dg/analyzer/torture/loop-inc-ptr-2.c
 create mode 100644 gcc/testsuite/gcc.dg/analyzer/torture/loop-inc-ptr-3.c
 create mode 100644 gcc/testsuite/gcc.dg/analyzer/unknown-fns-2.c
 create mode 100644 gcc/testsuite/gcc.dg/analyzer/unknown-fns-3.c
 create mode 100644 gcc/testsuite/gcc.dg/analyzer/unknown-fns-4.c
 create mode 100644 gcc/testsuite/gcc.dg/analyzer/use-after-free.c
 create mode 100644 gcc/testsuite/gcc.dg/analyzer/vla-1.c


[-- Attachment #2: 0001-analyzer-rewrite-of-region-and-value-handling.patch.gz --]
[-- Type: application/gzip, Size: 239148 bytes --]

^ permalink raw reply	[flat|nested] 9+ messages in thread

* Re: [committed] analyzer: rewrite of region and value-handling
  2020-08-13 20:58 [committed] analyzer: rewrite of region and value-handling David Malcolm
@ 2020-08-14  7:22 ` Martin Liška
  2020-08-14  7:26   ` Martin Liška
  2020-08-14 13:08   ` David Malcolm
  2020-08-14  8:49 ` Christophe Lyon
  1 sibling, 2 replies; 9+ messages in thread
From: Martin Liška @ 2020-08-14  7:22 UTC (permalink / raw)
  To: David Malcolm, gcc-patches

On 8/13/20 10:58 PM, David Malcolm via Gcc-patches wrote:
> PR analyzer/93032 (missing leak diagnostic for zlib/contrib/minizip/mztools.c)
> PR analyzer/93938 (ICE in analyzer)
> PR analyzer/94011 (ICE in analyzer)
> PR analyzer/94099 (ICE in analyzer)
> PR analyzer/94399 (leak false positive with __attribute__((cleanup())))
> PR analyzer/94458 (leak false positive)
> PR analyzer/94503 (ICE on C++ return-value-optimization)
> PR analyzer/94640 (leak false positive)
> PR analyzer/94688 (ICE in analyzer)
> PR analyzer/94689 ("arrays of functions are not meaningful" error)
> PR analyzer/94839 (leak false positive)
> PR analyzer/95026 (leak false positive)
> PR analyzer/95042 (ICE merging const and non-const C++ object instances)
> PR analyzer/95240 (leak false positive)

Hello David.

Unfortunately, this format is not recognized by the gcc-changelog script and
so the corresponding PR entries were not added to the generated ChangeLog
entries. The currently supported regex is:

pr_regex = re.compile(r'\tPR (?P<component>[a-z+-]+\/)?([0-9]+)$')

which prevents parsing entries that are not standalone.
Anyway, I updated gcc/analyzer/ChangeLog manually.

Thanks,
Martin

^ permalink raw reply	[flat|nested] 9+ messages in thread
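
The pattern quoted in the message above, run over lines in the two shapes that appear in this thread, as an added example that is not part of the original message or of the gcc-changelog script. It assumes the pattern is applied to each line with `match`; `loose_pr`, `why` and `classify` are hypothetical helpers, and the sample text is constructed.

```python
import re

# The pattern quoted in the message above, copied verbatim.
pr_regex = re.compile(r'\tPR (?P<component>[a-z+-]+\/)?([0-9]+)$')

# Hypothetical helper pattern (not from gcc-changelog): matches anything that
# looks like a PR reference, so lines the strict pattern rejects can be reported.
loose_pr = re.compile(r'\bPR\s+(?:[a-z+-]+/)?[0-9]+')

# Constructed sample using the line shapes seen in this thread: free-text
# "PR ... (description)" lines and tab-indented standalone ChangeLog lines.
SAMPLE = (
    "Bugs fixed by this patch\n"
    "PR analyzer/93032 (missing leak diagnostic for zlib/contrib/minizip/mztools.c)\n"
    "\tPR analyzer/93938 (ICE in analyzer)\n"
    "\n"
    "gcc/testsuite/ChangeLog:\n"
    "\tPR analyzer/93032\n"
    "\tPR analyzer/93938\n"
    "\t* gcc.dg/analyzer/pr93938.c: New test.\n"
)


def why(line):
    """Explain why a line that mentions a PR fails the strict pattern."""
    reasons = []
    if not line.startswith('\tPR '):
        reasons.append('no leading tab before "PR"')
    loose = loose_pr.search(line)
    # The strict pattern ends with '$' right after the digits, so anything
    # following the bug number (even a trailing space) defeats it.
    if loose and line[loose.end():] != '':
        reasons.append('text after the bug number')
    return reasons or ['does not fit the pattern']


def classify(message):
    """Split a commit message into recognized PR entries and near misses."""
    recognized, missed = [], []
    for lineno, line in enumerate(message.splitlines(), 1):
        strict = pr_regex.match(line)
        if strict:
            recognized.append((strict.group('component') or '') + strict.group(2))
        elif loose_pr.search(line):
            missed.append((lineno, why(line)))
    return recognized, missed


if __name__ == '__main__':
    recognized, missed = classify(SAMPLE)
    print('recognized:', recognized)
    for lineno, reasons in missed:
        print('line %d not recognized: %s' % (lineno, '; '.join(reasons)))
```

Running a check like this over a commit message before pushing shows which PR lines would be skipped and why.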

* Re: [committed] analyzer: rewrite of region and value-handling
  2020-08-14  7:22 ` Martin Liška
@ 2020-08-14  7:26   ` Martin Liška
  2020-08-14 13:28     ` David Malcolm
  2020-08-14 13:08   ` David Malcolm
  1 sibling, 1 reply; 9+ messages in thread
From: Martin Liška @ 2020-08-14  7:26 UTC (permalink / raw)
  To: David Malcolm, gcc-patches

On 8/14/20 9:22 AM, Martin Liška wrote:
> On 8/13/20 10:58 PM, David Malcolm via Gcc-patches wrote:
>> PR analyzer/93032 (missing leak diagnostic for zlib/contrib/minizip/mztools.c)
>> PR analyzer/93938 (ICE in analyzer)
>> PR analyzer/94011 (ICE in analyzer)
>> PR analyzer/94099 (ICE in analyzer)
>> PR analyzer/94399 (leak false positive with __attribute__((cleanup())))
>> PR analyzer/94458 (leak false positive)
>> PR analyzer/94503 (ICE on C++ return-value-optimization)
>> PR analyzer/94640 (leak false positive)
>> PR analyzer/94688 (ICE in analyzer)
>> PR analyzer/94689 ("arrays of functions are not meaningful" error)
>> PR analyzer/94839 (leak false positive)
>> PR analyzer/95026 (leak false positive)
>> PR analyzer/95042 (ICE merging const and non-const C++ object instances)
>> PR analyzer/95240 (leak false positive)
> 
> Hello David.
> 
> Unfortunately, this format is not recognized by the gcc-changelog script and
> so the corresponding PR entries were not added to the generated ChangeLog
> entries. The currently supported regex is:
> 
> pr_regex = re.compile(r'\tPR (?P<component>[a-z+-]+\/)?([0-9]+)$')
> 
> which prevents parsing entries that are not standalone.
> Anyway, I updated gcc/analyzer/ChangeLog manually.
> 
> Thanks,
> Martin

... and I bet for similar reasons gcc-bugs emails were not sent to various PRs
mentioned in the commit.

Martin

^ permalink raw reply	[flat|nested] 9+ messages in thread

* Re: [committed] analyzer: rewrite of region and value-handling
  2020-08-13 20:58 [committed] analyzer: rewrite of region and value-handling David Malcolm
  2020-08-14  7:22 ` Martin Liška
@ 2020-08-14  8:49 ` Christophe Lyon
  2020-08-14 20:20   ` David Malcolm
  1 sibling, 1 reply; 9+ messages in thread
From: Christophe Lyon @ 2020-08-14  8:49 UTC (permalink / raw)
  To: David Malcolm; +Cc: gcc-patches

Hi David,


On Thu, 13 Aug 2020 at 22:58, David Malcolm via Gcc-patches
<gcc-patches@gcc.gnu.org> wrote:
>
> This large patch reimplements how the analyzer tracks regions and
> values.
>
> Elimination of region_id and svalue_id
> **************************************
>
> The patch eliminates region_id and svalue_id in favor of simply
> using pointers.  I'd hoped that the ID classes would make it easier
> to compare states, avoiding having to compare long hexadecimal addresses
> in favor of small integers.  Unfortunately it added lots of complexity,
> with the need to remap IDs when comparing or purging states, and the
> need to "canonicalize" when comparing states.
>
> Various "state explosion" bugs in the old implementation were due to
> failures in canonicalization, where two states that ought to be equal
> were non-equal due to differences in ID ordering.  I spent a lot of
> time trying to fix canonicalization bugs, and there always seemed to
> be one more bug.  By eliminating IDs in this new implementation, lots
> of tricky canonicalization goes away and no ID remapping should be
> needed; almost all of the old validation code becomes redundant.
> There's still some canonicalization in the new implementation, mostly
> in constraint_manager, but much less than before.
>
> Ownership of regions and svalues
> ********************************
>
> In the old implementation, each region_model had its own copies of
> regions and svalues, so there was heap bloat and churn as lots of
> little objects were cloned when copying program_state instances.  In the
> new implementation the regions and svalues are immutable and are shared
> throughout the analysis, rather than being per region_model.  They are
> owned by a manager class, and are effectively singletons.  Region and
> svalue instances can now be compared by pointer rather than by comparing
> their fields (the manager class takes care of uniqueness).
>
> This is a huge simplification, and (I hope) will avoid lots
> of heap churn as states are copied; all mutable state from regions and
> svalues is now stored in a "store" class in the region_model.
>
> Changes to the meaning of a "region"
> ************************************
>
> Region subclasses no longer represent internal structure, but instead
> represent how the regions are reached.  So e.g. a global "struct coord
> c;" is now a decl_region, rather than a struct_region.
>
> In the old implementation, the values for each region were stored in the
> region instances, but in the new implementation the regions are immutable.
> Memory is now modeled in a new "store" class: a mapping from keys to
> svalues, where the keys are both concrete bit-offsets from the start of
> a "base region", and "symbolic" keys (thus hopefully making unions,
> casts, aliasing etc easier to deal with).  So e.g. for assignments to
> the fields of a struct, it records the mapping from bit-offsets of e.g.
> field to the values; if that memory is cast to another type and written
> to, the appropriate clobbering of the bound values can happen.
>
> The concept of "what the current stack is" moves from the regions to
> being a field within the region_model ("m_current_frame").
>
> Bugs fixed by this patch
> ************************
>
> PR analyzer/93032 (missing leak diagnostic for zlib/contrib/minizip/mztools.c)
> PR analyzer/93938 (ICE in analyzer)
> PR analyzer/94011 (ICE in analyzer)
> PR analyzer/94099 (ICE in analyzer)
> PR analyzer/94399 (leak false positive with __attribute__((cleanup())))
> PR analyzer/94458 (leak false positive)
> PR analyzer/94503 (ICE on C++ return-value-optimization)
> PR analyzer/94640 (leak false positive)
> PR analyzer/94688 (ICE in analyzer)
> PR analyzer/94689 ("arrays of functions are not meaningful" error)
> PR analyzer/94839 (leak false positive)
> PR analyzer/95026 (leak false positive)
> PR analyzer/95042 (ICE merging const and non-const C++ object instances)
> PR analyzer/95240 (leak false positive)
>
> Successfully bootstrapped & regrtested on x86_64-pc-linux-gnu.
> Pushed to master as 808f4dfeb3a95f50f15e71148e5c1067f90a126d.
>

Some of the new tests fail on arm and aarch64.

On arm:
    gcc.dg/analyzer/casts-1.c  (test for warnings, line 19)
    gcc.dg/analyzer/casts-1.c  (test for warnings, line 20)
    gcc.dg/analyzer/casts-1.c  (test for warnings, line 21)
    gcc.dg/analyzer/casts-1.c  (test for warnings, line 22)
    gcc.dg/analyzer/casts-1.c  (test for warnings, line 23)
    gcc.dg/analyzer/casts-1.c  (test for warnings, line 24)
    gcc.dg/analyzer/casts-1.c  (test for warnings, line 25)
    gcc.dg/analyzer/casts-1.c  (test for warnings, line 26)
    gcc.dg/analyzer/casts-1.c  (test for warnings, line 36)
    gcc.dg/analyzer/casts-1.c  (test for warnings, line 37)
    gcc.dg/analyzer/casts-1.c  (test for warnings, line 38)
    gcc.dg/analyzer/casts-1.c  (test for warnings, line 39)
    gcc.dg/analyzer/casts-1.c (test for excess errors)
    gcc.dg/analyzer/init.c  (test for warnings, line 100)
    gcc.dg/analyzer/init.c  (test for warnings, line 101)
    gcc.dg/analyzer/init.c  (test for warnings, line 102)
    gcc.dg/analyzer/init.c  (test for warnings, line 124)
    gcc.dg/analyzer/init.c  (test for warnings, line 125)
    gcc.dg/analyzer/init.c  (test for warnings, line 126)
    gcc.dg/analyzer/init.c  (test for warnings, line 127)
    gcc.dg/analyzer/init.c  (test for warnings, line 128)
    gcc.dg/analyzer/init.c  (test for warnings, line 129)
    gcc.dg/analyzer/init.c  (test for warnings, line 30)
    gcc.dg/analyzer/init.c  (test for warnings, line 31)
    gcc.dg/analyzer/init.c  (test for warnings, line 51)
    gcc.dg/analyzer/init.c  (test for warnings, line 52)
    gcc.dg/analyzer/init.c  (test for warnings, line 72)
    gcc.dg/analyzer/init.c  (test for warnings, line 73)
    gcc.dg/analyzer/init.c  (test for warnings, line 74)
    gcc.dg/analyzer/init.c  (test for warnings, line 75)
    gcc.dg/analyzer/init.c  (test for warnings, line 99)
    gcc.dg/analyzer/init.c (test for excess errors)
    gcc.dg/analyzer/pr93032-mztools.c (test for excess errors)

In my logs I can see:
/gcc/testsuite/gcc.dg/analyzer/casts-1.c: In function 'test_1':
/gcc/testsuite/gcc.dg/analyzer/casts-1.c:19:3: warning: UNKNOWN
/gcc/testsuite/gcc.dg/analyzer/casts-1.c:20:3: warning: UNKNOWN
/gcc/testsuite/gcc.dg/analyzer/casts-1.c:21:3: warning: UNKNOWN
/gcc/testsuite/gcc.dg/analyzer/casts-1.c:22:3: warning: UNKNOWN
/gcc/testsuite/gcc.dg/analyzer/casts-1.c:23:3: warning: UNKNOWN
/gcc/testsuite/gcc.dg/analyzer/casts-1.c:24:3: warning: UNKNOWN
/gcc/testsuite/gcc.dg/analyzer/casts-1.c:25:3: warning: UNKNOWN
/gcc/testsuite/gcc.dg/analyzer/casts-1.c:26:3: warning: UNKNOWN
/gcc/testsuite/gcc.dg/analyzer/casts-1.c:29:3: warning: TRUE
/gcc/testsuite/gcc.dg/analyzer/casts-1.c:30:3: warning: TRUE
/gcc/testsuite/gcc.dg/analyzer/casts-1.c: In function 'test_2':
/gcc/testsuite/gcc.dg/analyzer/casts-1.c:36:3: warning: UNKNOWN
/gcc/testsuite/gcc.dg/analyzer/casts-1.c:37:3: warning: UNKNOWN
/gcc/testsuite/gcc.dg/analyzer/casts-1.c:38:3: warning: UNKNOWN
/gcc/testsuite/gcc.dg/analyzer/casts-1.c:39:3: warning: UNKNOWN
/gcc/testsuite/gcc.dg/analyzer/casts-1.c:41:3: warning: UNKNOWN
/gcc/testsuite/gcc.dg/analyzer/casts-1.c:43:3: warning: UNKNOWN
/gcc/testsuite/gcc.dg/analyzer/casts-1.c:45:3: warning: UNKNOWN
/gcc/testsuite/gcc.dg/analyzer/casts-1.c:47:3: warning: UNKNOWN

/gcc/testsuite/gcc.dg/analyzer/init.c:30:3: warning: UNKNOWN
/gcc/testsuite/gcc.dg/analyzer/init.c:31:3: warning: UNKNOWN
/gcc/testsuite/gcc.dg/analyzer/init.c:51:3: warning: UNKNOWN
/gcc/testsuite/gcc.dg/analyzer/init.c:52:3: warning: UNKNOWN
/gcc/testsuite/gcc.dg/analyzer/init.c:72:3: warning: UNKNOWN
/gcc/testsuite/gcc.dg/analyzer/init.c:73:3: warning: UNKNOWN
/gcc/testsuite/gcc.dg/analyzer/init.c:74:3: warning: UNKNOWN
/gcc/testsuite/gcc.dg/analyzer/init.c:75:3: warning: UNKNOWN
/gcc/testsuite/gcc.dg/analyzer/init.c:99:3: warning: UNKNOWN
/gcc/testsuite/gcc.dg/analyzer/init.c:100:3: warning: UNKNOWN
/gcc/testsuite/gcc.dg/analyzer/init.c:101:3: warning: UNKNOWN
/gcc/testsuite/gcc.dg/analyzer/init.c:102:3: warning: UNKNOWN
/gcc/testsuite/gcc.dg/analyzer/init.c:124:3: warning: UNKNOWN
/gcc/testsuite/gcc.dg/analyzer/init.c:125:3: warning: UNKNOWN
/gcc/testsuite/gcc.dg/analyzer/init.c:126:3: warning: UNKNOWN
/gcc/testsuite/gcc.dg/analyzer/init.c:127:3: warning: UNKNOWN
/gcc/testsuite/gcc.dg/analyzer/init.c:128:3: warning: UNKNOWN
/gcc/testsuite/gcc.dg/analyzer/init.c:129:3: warning: UNKNOWN

FAIL: gcc.dg/analyzer/pr93032-mztools.c (test for excess errors)
Excess errors:
/gcc/testsuite/gcc.dg/analyzer/pr93032-mztools.c:174:15: warning:
terminating analysis for this program point: EN: 213-217, EN: 475-477,
EN: 632 [-Wanalyzer-too-complex]
/gcc/testsuite/gcc.dg/analyzer/pr93032-mztools.c:174:15: warning:
terminating analysis for this program point: EN: 213-217, EN: 475-477,
EN: 632 [-Wanalyzer-too-complex]
/gcc/testsuite/gcc.dg/analyzer/pr93032-mztools.c:174:15: warning:
terminating analysis for this program point: EN: 213-217, EN: 475-477,
EN: 632 [-Wanalyzer-too-complex]
/gcc/testsuite/gcc.dg/analyzer/pr93032-mztools.c:261:11: warning:
terminating analysis for this program point: EN: 831-839
[-Wanalyzer-too-complex]
/gcc/testsuite/gcc.dg/analyzer/pr93032-mztools.c:261:11: warning:
terminating analysis for this program point: EN: 831-839
[-Wanalyzer-too-complex]
/gcc/testsuite/gcc.dg/analyzer/pr93032-mztools.c:261:11: warning:
terminating analysis for this program point: EN: 831-839
[-Wanalyzer-too-complex]
/gcc/testsuite/gcc.dg/analyzer/pr93032-mztools.c:261:11: warning:
terminating analysis for this program point: EN: 831-839
[-Wanalyzer-too-complex]
/gcc/testsuite/gcc.dg/analyzer/pr93032-mztools.c:261:11: warning:
terminating analysis for this program point: EN: 831-839
[-Wanalyzer-too-complex]
/gcc/testsuite/gcc.dg/analyzer/pr93032-mztools.c:261:11: warning:
terminating analysis for this program point: EN: 831-839
[-Wanalyzer-too-complex]
/gcc/testsuite/gcc.dg/analyzer/pr93032-mztools.c:261:11: warning:
terminating analysis for this program point: EN: 831-839
[-Wanalyzer-too-complex]
/gcc/testsuite/gcc.dg/analyzer/pr93032-mztools.c:261:11: warning:
terminating analysis for this program point: EN: 831-839
[-Wanalyzer-too-complex]
/gcc/testsuite/gcc.dg/analyzer/pr93032-mztools.c:261:11: warning:
terminating analysis for this program point: EN: 831-839
[-Wanalyzer-too-complex]
/gcc/testsuite/gcc.dg/analyzer/pr93032-mztools.c:261:11: warning:
terminating analysis for this program point: EN: 831-839
[-Wanalyzer-too-complex]
/gcc/testsuite/gcc.dg/analyzer/pr93032-mztools.c:261:11: warning:
terminating analysis for this program point: EN: 831-839
[-Wanalyzer-too-complex]
/gcc/testsuite/gcc.dg/analyzer/pr93032-mztools.c:261:11: warning:
terminating analysis for this program point: EN: 831-839
[-Wanalyzer-too-complex]
/gcc/testsuite/gcc.dg/analyzer/pr93032-mztools.c:261:11: warning:
terminating analysis for this program point: EN: 831-839
[-Wanalyzer-too-complex]
/gcc/testsuite/gcc.dg/analyzer/pr93032-mztools.c:261:11: warning:
terminating analysis for this program point: EN: 831-839
[-Wanalyzer-too-complex]
/gcc/testsuite/gcc.dg/analyzer/pr93032-mztools.c:261:11: warning:
terminating analysis for this program point: EN: 831-839
[-Wanalyzer-too-complex]
/gcc/testsuite/gcc.dg/analyzer/pr93032-mztools.c:261:11: warning:
terminating analysis for this program point: EN: 831-839
[-Wanalyzer-too-complex]
/gcc/testsuite/gcc.dg/analyzer/pr93032-mztools.c:261:11: warning:
terminating analysis for this program point: EN: 831-839
[-Wanalyzer-too-complex]
/gcc/testsuite/gcc.dg/analyzer/pr93032-mztools.c:261:11: warning:
terminating analysis for this program point: EN: 831-839
[-Wanalyzer-too-complex]


On aarch64:
    gcc.dg/analyzer/init.c  (test for warnings, line 124)
    gcc.dg/analyzer/init.c  (test for warnings, line 125)
    gcc.dg/analyzer/init.c  (test for warnings, line 126)
    gcc.dg/analyzer/init.c  (test for warnings, line 127)
    gcc.dg/analyzer/init.c  (test for warnings, line 128)
    gcc.dg/analyzer/init.c  (test for warnings, line 129)
    gcc.dg/analyzer/init.c (test for excess errors)
    gcc.dg/analyzer/pr93032-mztools.c (test for excess errors)

because:
/gcc/testsuite/gcc.dg/analyzer/init.c:124:3: warning: UNKNOWN
/gcc/testsuite/gcc.dg/analyzer/init.c:125:3: warning: UNKNOWN
/gcc/testsuite/gcc.dg/analyzer/init.c:126:3: warning: UNKNOWN
/gcc/testsuite/gcc.dg/analyzer/init.c:127:3: warning: UNKNOWN
/gcc/testsuite/gcc.dg/analyzer/init.c:128:3: warning: UNKNOWN
/gcc/testsuite/gcc.dg/analyzer/init.c:129:3: warning: UNKNOWN

FAIL: gcc.dg/analyzer/pr93032-mztools.c (test for excess errors)
Excess errors:
/gcc/testsuite/gcc.dg/analyzer/pr93032-mztools.c:261:11: warning:
terminating analysis for this program point: EN: 810-818
[-Wanalyzer-too-complex]
/gcc/testsuite/gcc.dg/analyzer/pr93032-mztools.c:261:11: warning:
terminating analysis for this program point: EN: 810-818
[-Wanalyzer-too-complex]
/gcc/testsuite/gcc.dg/analyzer/pr93032-mztools.c:261:11: warning:
terminating analysis for this program point: EN: 810-818
[-Wanalyzer-too-complex]
/gcc/testsuite/gcc.dg/analyzer/pr93032-mztools.c:261:11: warning:
terminating analysis for this program point: EN: 810-818
[-Wanalyzer-too-complex]
/gcc/testsuite/gcc.dg/analyzer/pr93032-mztools.c:261:11: warning:
terminating analysis for this program point: EN: 810-818
[-Wanalyzer-too-complex]
/gcc/testsuite/gcc.dg/analyzer/pr93032-mztools.c:261:11: warning:
terminating analysis for this program point: EN: 810-818
[-Wanalyzer-too-complex]
/gcc/testsuite/gcc.dg/analyzer/pr93032-mztools.c:261:11: warning:
terminating analysis for this program point: EN: 810-818
[-Wanalyzer-too-complex]
/gcc/testsuite/gcc.dg/analyzer/pr93032-mztools.c:261:11: warning:
terminating analysis for this program point: EN: 810-818
[-Wanalyzer-too-complex]
/gcc/testsuite/gcc.dg/analyzer/pr93032-mztools.c:261:11: warning:
terminating analysis for this program point: EN: 810-818
[-Wanalyzer-too-complex]
/gcc/testsuite/gcc.dg/analyzer/pr93032-mztools.c:261:11: warning:
terminating analysis for this program point: EN: 810-818
[-Wanalyzer-too-complex]
/gcc/testsuite/gcc.dg/analyzer/pr93032-mztools.c:261:11: warning:
terminating analysis for this program point: EN: 810-818
[-Wanalyzer-too-complex]
/gcc/testsuite/gcc.dg/analyzer/pr93032-mztools.c:261:11: warning:
terminating analysis for this program point: EN: 810-818
[-Wanalyzer-too-complex]
/gcc/testsuite/gcc.dg/analyzer/pr93032-mztools.c:261:11: warning:
terminating analysis for this program point: EN: 810-818
[-Wanalyzer-too-complex]
/gcc/testsuite/gcc.dg/analyzer/pr93032-mztools.c:261:11: warning:
terminating analysis for this program point: EN: 810-818
[-Wanalyzer-too-complex]
/gcc/testsuite/gcc.dg/analyzer/pr93032-mztools.c:261:11: warning:
terminating analysis for this program point: EN: 810-818
[-Wanalyzer-too-complex]
/gcc/testsuite/gcc.dg/analyzer/pr93032-mztools.c:261:11: warning:
terminating analysis for this program point: EN: 810-818
[-Wanalyzer-too-complex]
/gcc/testsuite/gcc.dg/analyzer/pr93032-mztools.c:261:11: warning:
terminating analysis for this program point: EN: 810-818
[-Wanalyzer-too-complex]
/gcc/testsuite/gcc.dg/analyzer/pr93032-mztools.c:261:11: warning:
terminating analysis for this program point: EN: 810-818
[-Wanalyzer-too-complex]
/gcc/testsuite/gcc.dg/analyzer/pr93032-mztools.c:261:11: warning:
terminating analysis for this program point: EN: 810-818
[-Wanalyzer-too-complex]


HTH

Christophe

> At 1.1MB the patch exceeds the mailing list limit, so I'm attaching a
> gzipped copy.
> It can also be seen via:
> https://gcc.gnu.org/git/?p=gcc.git;a=commitdiff;h=808f4dfeb3a95f50f15e71148e5c1067f90a126d
>
> gcc/ChangeLog:
>         * Makefile.in (ANALYZER_OBJS): Add analyzer/region.o,
>         analyzer/region-model-impl-calls.o,
>         analyzer/region-model-manager.o,
>         analyzer/region-model-reachability.o, analyzer/store.o, and
>         analyzer/svalue.o.
>         * doc/analyzer.texi: Update for changes to analyzer
>         implementation.
>         * tristate.h (tristate::get_value): New accessor.
>
> gcc/analyzer/ChangeLog:
>         * analyzer-logging.cc: Ignore "-Wformat-diag".
>         (logger::enter_scope): Use inc_indent in both overloads.
>         (logger::exit_scope): Use dec_indent.
>         * analyzer-logging.h (logger::inc_indent): New.
>         (logger::dec_indent): New.
>         * analyzer-selftests.cc (run_analyzer_selftests): Call
>         analyzer_store_cc_tests.
>         * analyzer-selftests.h (analyzer_store_cc_tests): New decl.
>         * analyzer.cc (get_stmt_location): New function.
>         * analyzer.h (class initial_svalue): New forward decl.
>         (class unaryop_svalue): New forward decl.
>         (class binop_svalue): New forward decl.
>         (class sub_svalue): New forward decl.
>         (class unmergeable_svalue): New forward decl.
>         (class placeholder_svalue): New forward decl.
>         (class widening_svalue): New forward decl.
>         (class compound_svalue): New forward decl.
>         (class conjured_svalue): New forward decl.
>         (svalue_set): New typedef.
>         (class map_region): Delete.
>         (class array_region): Delete.
>         (class frame_region): New forward decl.
>         (class function_region): New forward decl.
>         (class label_region): New forward decl.
>         (class decl_region): New forward decl.
>         (class element_region): New forward decl.
>         (class offset_region): New forward decl.
>         (class cast_region): New forward decl.
>         (class field_region): New forward decl.
>         (class string_region): New forward decl.
>         (class region_model_manager): New forward decl.
>         (class store_manager): New forward decl.
>         (class store): New forward decl.
>         (class call_details): New forward decl.
>         (struct svalue_id_merger_mapping): Delete.
>         (struct canonicalization): Delete.
>         (class function_point): New forward decl.
>         (class engine): New forward decl.
>         (dump_tree): New function decl.
>         (print_quoted_type): New function decl.
>         (readability_comparator): New function decl.
>         (tree_cmp): New function decl.
>         (class path_var): Move here from region-model.h
>         (bit_offset_t, bit_size_t, byte_size_t): New typedefs.
>         (class region_offset): New class.
>         (get_stmt_location): New decl.
>         (struct member_function_hash_traits): New struct.
>         (class consolidation_map): New class.
>         Ignore "-Wformat-diag".
>         * analyzer.opt (-param=analyzer-max-svalue-depth=): New param.
>         (-param=analyzer-max-enodes-for-full-dump=): New param.
>         * call-string.cc: Ignore -Wformat-diag.
>         * checker-path.cc: Move includes of "analyzer/call-string.h" and
>         "analyzer/program-point.h" to before "analyzer/region-model.h",
>         and also include "analyzer/store.h" before it.
>         (state_change_event::state_change_event): Replace "tree var" param
>         with "const svalue *sval".  Convert "origin" param from tree to
>         "const svalue *".
>         (state_change_event::get_desc): Call get_representative_tree to
>         convert the var and origin from const svalue * to tree.  Use
>         svalue::get_desc rather than %qE when describing state changes.
>         (checker_path::add_final_event): Use get_stmt_location.
>         * checker-path.h (state_change_event::state_change_event): Port
>         from tree to const svalue *.
>         (state_change_event::get_lvalue): Delete.
>         (state_change_event::get_dest_function): New.
>         (state_change_event::m_var): Replace with...
>         (state_change_event::m_sval): ...this.
>         (state_change_event::m_origin): Convert from tree to
>         const svalue *.
>         * constraint-manager.cc: Include "analyzer/call-string.h",
>         "analyzer/program-point.h", and "analyzer/store.h" before
>         "analyzer/region-model.h".
>         (struct bound, struct range): Move to constraint-manager.h.
>         (compare_constants): New function.
>         (range::dump): Rename to...
>         (range::dump_to_pp): ...this.  Support NULL constants.
>         (range::dump): Reintroduce for dumping to stderr.
>         (range::constrained_to_single_element): Return result, rather than
>         writing to *OUT.
>         (range::eval_condition): New.
>         (range::below_lower_bound): New.
>         (range::above_upper_bound): New.
>         (equiv_class::equiv_class): Port from svalue_id to const svalue *.
>         (equiv_class::print): Likewise.
>         (equiv_class::hash): Likewise.
>         (equiv_class::operator==): Port from svalue_id to const svalue *.
>         (equiv_class::add): Port from svalue_id to const svalue *. Drop
>         "cm" param.
>         (equiv_class::del): Port from svalue_id to const svalue *.
>         (equiv_class::get_representative): Likewise.
>         (equiv_class::remap_svalue_ids): Delete.
>         (svalue_id_cmp_by_id): Rename to...
>         (svalue_cmp_by_ptr): ...this, porting from svalue_id to
>         const svalue *.
>         (equiv_class::canonicalize): Update qsort comparator.
>         (constraint::implied_by): New.
>         (constraint_manager::constraint_manager): Copy m_mgr in copy ctor.
>         (constraint_manager::dump_to_pp): Add "multiline" param
>         (constraint_manager::dump): Pass "true" for "multiline".
>         (constraint_manager::add_constraint): Port from svalue_id to
>         const svalue *.  Split out second part into...
>         (constraint_manager::add_unknown_constraint): ...this new
>         function.  Remove self-constraints when merging equivalence
>         classes.
>         (constraint_manager::add_constraint_internal): Remove constraints
>         that would be implied by the new constraint.  Port from svalue_id
>         to const svalue *.
>         (constraint_manager::get_equiv_class_by_sid): Rename to...
>         (constraint_manager::get_equiv_class_by_svalue): ...this, porting
>         from svalue_id to const svalue *.
>         (constraint_manager::get_or_add_equiv_class): Port from svalue_id
>         to const svalue *.
>         (constraint_manager::eval_condition): Make const.  Call
>         compare_constants and return early if it provides a known result.
>         (constraint_manager::get_ec_bounds): New.
>         (constraint_manager::eval_condition): New overloads.  Make
>         existing one const, and use compare_constants.
>         (constraint_manager::purge): Convert "p" param to a template
>         rather than an abstract base class.  Port from svalue_id to
>         const svalue *.
>         (class dead_svalue_purger): New class.
>         (constraint_manager::remap_svalue_ids): Delete.
>         (constraint_manager::on_liveness_change): New.
>         (equiv_class_cmp): Port from svalue_id to const svalue *.
>         (constraint_manager::canonicalize): Likewise.  Combine with
>         purging of redundant equivalence classes and constraints.
>         (class cleaned_constraint_manager): Delete.
>         (class merger_fact_visitor): Make "m_cm_b" const.  Add "m_merger"
>         field.
>         (merger_fact_visitor::fact): Port from svalue_id to const svalue *.
>         Add special case for widening.
>         (constraint_manager::merge): Port from svalue_id to const svalue *.
>         (constraint_manager::clean_merger_input): Delete.
>         (constraint_manager::for_each_fact): Port from svalue_id to
>         const svalue *.
>         (constraint_manager::validate): Likewise.
>         (selftest::test_constraint_conditions): Provide a
>         region_model_manager when creating region_model instances.
>         Add test for self-equality not creating equivalence classes.
>         (selftest::test_transitivity): Provide a region_model_manager when
>         creating region_model instances.  Verify that EC-merging happens
>         when constraints are implied.
>         (selftest::test_constant_comparisons):  Provide a
>         region_model_manager when creating region_model instances.
>         (selftest::test_constraint_impl): Likewise.  Remove over-specified
>         assertions.
>         (selftest::test_equality): Provide a region_model_manager when
>         creating region_model instances.
>         (selftest::test_many_constants): Likewise.  Provide a
>         program_point when testing merging.
>         (selftest::run_constraint_manager_tests): Move call to
>         test_constant_comparisons to outside the transitivity guard.
>         * constraint-manager.h (struct bound): Move here from
>         constraint-manager.cc.
>         (struct range): Likewise.
>         (struct::eval_condition): New decl.
>         (struct::below_lower_bound): New decl.
>         (struct::above_upper_bound): New decl.
>         (equiv_class::add): Port from svalue_id to const svalue *.
>         (equiv_class::del): Likewise.
>         (equiv_class::get_representative): Likewise.
>         (equiv_class::remap_svalue_ids): Drop.
>         (equiv_class::m_cst_sid): Convert to...
>         (equiv_class::m_cst_sval): ...this.
>         (equiv_class::m_vars): Port from svalue_id to const svalue *.
>         (constraint::bool implied_by): New decl.
>         (fact_visitor::on_fact): Port from svalue_id to const svalue *.
>         (constraint_manager::constraint_manager): Add mgr param.
>         (constraint_manager::clone): Delete.
>         (constraint_manager::maybe_get_constant): Delete.
>         (constraint_manager::get_sid_for_constant): Delete.
>         (constraint_manager::get_num_svalues): Delete.
>         (constraint_manager::dump_to_pp): Add "multiline" param.
>         (constraint_manager::get_equiv_class): Port from svalue_id to
>         const svalue *.
>         (constraint_manager::add_constraint):  Likewise.
>         (constraint_manager::get_equiv_class_by_sid): Rename to...
>         (constraint_manager::get_equiv_class_by_svalue): ...this, porting
>         from svalue_id to const svalue *.
>         (constraint_manager::add_unknown_constraint): New decl.
>         (constraint_manager::get_or_add_equiv_class): Port from svalue_id
>         to const svalue *.
>         (constraint_manager::eval_condition): Likewise.  Add overloads.
>         (constraint_manager::get_ec_bounds): New decl.
>         (constraint_manager::purge): Convert to template.
>         (constraint_manager::remap_svalue_ids): Delete.
>         (constraint_manager::on_liveness_change): New decl.
>         (constraint_manager::canonicalize): Drop param.
>         (constraint_manager::clean_merger_input): Delete.
>         (constraint_manager::m_mgr): New field.
>         * diagnostic-manager.cc: Move includes of
>         "analyzer/call-string.h" and "analyzer/program-point.h" to before
>         "analyzer/region-model.h", and also include "analyzer/store.h"
>         before it.
>         (saved_diagnostic::saved_diagnostic): Add "sval" param.
>         (diagnostic_manager::diagnostic_manager): Add engine param.
>         (diagnostic_manager::add_diagnostic): Add "sval" param, passing it
>         to saved_diagnostic ctor.  Update overload to pass NULL for it.
>         (dedupe_winners::dedupe_winners): Add engine param.
>         (dedupe_winners::add): Add "eg" param.  Pass m_engine to
>         feasible_p.
>         (dedupe_winner::m_engine): New field.
>         (diagnostic_manager::emit_saved_diagnostics): Pass engine to
>         dedupe_winners.  Pass &eg when adding candidates.  Pass svalue
>         rather than tree to prune_path.  Use get_stmt_location to get
>         primary location of diagnostic.
>         (diagnostic_manager::emit_saved_diagnostic): Likewise.
>         (get_any_origin): Drop.
>         (state_change_event_creator::on_global_state_change): Pass NULL
>         const svalue * rather than NULL_TREE trees to state_change_event
>         ctor.
>         (state_change_event_creator::on_state_change): Port from tree and
>         svalue_id to const svalue *.
>         (for_each_state_change): Port from svalue_id to const svalue *.
>         (struct null_assignment_sm_context): New.
>         (diagnostic_manager::add_events_for_eedge):  Add state change
>         events for assignment to NULL.
>         (diagnostic_manager::prune_path): Update param from tree to
>         const svalue *.
>         (diagnostic_manager::prune_for_sm_diagnostic): Port from tracking
>         by tree to by const svalue *.
>         * diagnostic-manager.h (saved_diagnostic::saved_diagnostic): Add sval
>         param.
>         (saved_diagnostic::m_sval): New field.
>         (diagnostic_manager::diagnostic_manager): Add engine param.
>         (diagnostic_manager::get_engine): New.
>         (diagnostic_manager::add_diagnostic): Add "sval" param.
>         (diagnostic_manager::prune_path): Likewise.
>         (diagnostic_manager::prune_for_sm_diagnostic): New overload.
>         (diagnostic_manager::m_eng): New field.
>         * engine.cc: Move includes of "analyzer/call-string.h" and
>         "analyzer/program-point.h" to before "analyzer/region-model.h",
>         and also include "analyzer/store.h" before it.
>         (impl_region_model_context::impl_region_model_context): Update for
>         removal of m_change field.
>         (impl_region_model_context::remap_svalue_ids): Delete.
>         (impl_region_model_context::on_svalue_leak): New.
>         (impl_region_model_context::on_svalue_purge): Delete.
>         (impl_region_model_context::on_liveness_change): New.
>         (impl_region_model_context::on_unknown_change): Update param
>         from svalue_id to const svalue *.  Add is_mutable param.
>         (setjmp_svalue::compare_fields): Delete.
>         (setjmp_svalue::accept): New.
>         (setjmp_svalue::add_to_hash): Delete.
>         (setjmp_svalue::dump_to_pp): New.
>         (setjmp_svalue::print_details): Delete.
>         (impl_sm_context::impl_sm_context): Drop "change" param.
>         (impl_sm_context::get_fndecl_for_call): Drop "m_change".
>         (impl_sm_context::on_transition): Drop ATTRIBUTE_UNUSED from
>         "stmt" param.  Drop m_change.  Port from svalue_id to
>         const svalue *.
>         (impl_sm_context::warn_for_state): Drop m_change.  Port from
>         svalue_id to const svalue *.
>         (impl_sm_context::get_readable_tree): Rename to...
>         (impl_sm_context::get_diagnostic_tree): ...this.  Port from
>         svalue_id to const svalue *.
>         (impl_sm_context::is_zero_assignment): New.
>         (impl_sm_context::m_change): Delete field.
>         (leak_stmt_finder::find_stmt): Handle m_var being NULL.
>         (readability):  Increase penalty for MEM_REF.  For SSA_NAMEs,
>         slightly favor the underlying var over the SSA name.  Heavily
>         penalize temporaries.  Handle RESULT_DECL.
>         (readability_comparator): Make non-static.  Consider stack depths.
>         (impl_region_model_context::on_state_leak): Convert from svalue_id
>         to const svalue *, updating for region_model changes.  Use
>         id_equal.
>         (impl_region_model_context::on_inherited_svalue): Delete.
>         (impl_region_model_context::on_cast): Delete.
>         (impl_region_model_context::on_condition):  Drop m_change.
>         (impl_region_model_context::on_phi): Likewise.
>         (impl_region_model_context::on_unexpected_tree_code): Handle t
>         being NULL.
>         (point_and_state::validate): Update stack checking for
>         region_model changes.
>         (eg_traits::dump_args_t::show_enode_details_p): New.
>         (exploded_node::exploded_node): Initialize m_num_processed_stmts.
>         (exploded_node::get_processed_stmt): New function.
>         (exploded_node::get_dot_fillcolor): Add more colors.
>         (exploded_node::dump_dot): Guard the printing of the point and
>         state with show_enode_details_p.  Print the processed stmts for
>         this enode after the initial state.
>         (exploded_node::dump_to_pp): Pass true for new multiline param
>         of program_state::dump_to_pp.
>         (exploded_node::on_stmt): Drop "change" param.  Log the stmt.
>         Set input_location.  Implement __analyzer_describe.  Update
>         implementation of __analyzer_dump and __analyzer_eval.
>         Remove purging of sm-state for unknown fncalls from here.
>         (exploded_node::on_edge): Drop "change" param.
>         (exploded_node::on_longjmp): Port from region_id/svalue_id to
>         const region */const svalue *.  Call program_state::detect_leaks.
>         Drop state_change.
>         (exploded_node::detect_leaks): Update for changes to region_model.
>         Call program_state::detect_leaks.
>         (exploded_edge::exploded_edge): Drop ext_state and change params.
>         (exploded_edge::dump_dot): "args" is no longer used.  Drop dumping
>         of m_change.
>         (exploded_graph::exploded_graph): Pass engine to
>         m_diagnostic_manager ctor.  Use program_point::origin.
>         (exploded_graph::add_function_entry):  Drop ctxt.  Use
>         program_state::push_frame.  Drop state_change.
>         (exploded_graph::get_or_create_node): Drop "change" param.  Add
>         "enode_for_diag" param.  Update dumping calls for API changes.
>         Pass point to can_merge_with_p.  Show enode indices
>         within -Wanalyzer-too-complex diagnostic for hitting the per-point
>         limit.
>         (exploded_graph::add_edge): Drop "change" param.  Log which nodes
>         are being connected.  Update for changes to exploded_edge ctor.
>         (exploded_graph::get_per_program_point_data): New.
>         (exploded_graph::process_worklist): Pass point to
>         can_merge_with_p.  Drop state_change.  Update dumping call for API
>         change.
>         (exploded_graph::process_node):  Drop state_change.  Split the
>         node in-place if an sm-state-change occurs.  Update
>         m_num_processed_stmts.  Update dumping calls for API change.
>         (exploded_graph::log_stats): Call engine::log_stats.
>         (exploded_graph::dump_states_for_supernode): Update dumping
>         call.
>         (exploded_path::feasible_p): Add "eng" and "eg" params.
>         Rename "i" to "end_idx".  Pass the manager to the region_model
>         ctor.  Update for every processed stmt in the enode, not just the
>         first.  Keep track of which snodes have been visited, and call
>         loop_replay_fixup when revisiting one.
>         (enode_label::get_text): Update dump call for new param.
>         (exploded_graph::dump_exploded_nodes): Likewise.
>         (exploded_graph::get_node_by_index): New.
>         (impl_run_checkers): Create engine instance and pass its address
>         to extrinsic_state ctor.
>         * exploded-graph.h
>         (impl_region_model_context::impl_region_model_context): Drop
>         "change" params.
>         (impl_region_model_context::void remap_svalue_ids): Delete.
>         (impl_region_model_context::on_svalue_purge): Delete.
>         (impl_region_model_context::on_svalue_leak): New.
>         (impl_region_model_context::on_liveness_change): New.
>         (impl_region_model_context::on_state_leak): Update signature.
>         (impl_region_model_context::on_inherited_svalue): Delete.
>         (impl_region_model_context::on_cast): Delete.
>         (impl_region_model_context::on_unknown_change): Update signature.
>         (impl_region_model_context::m_change): Delete.
>         (eg_traits::dump_args_t::show_enode_details_p): New.
>         (exploded_node::on_stmt): Drop "change" param.
>         (exploded_node::on_edge): Likewise.
>         (exploded_node::get_processed_stmt): New decl.
>         (exploded_node::m_num_processed_stmts): New field.
>         (exploded_edge::exploded_edge): Drop ext_state and change params.
>         (exploded_edge::m_change): Delete.
>         (exploded_graph::get_engine): New accessor.
>         (exploded_graph::get_or_create_node): Drop "change" param.  Add
>         "enode_for_diag" param.
>         (exploded_graph::add_edge): Drop "change" param.
>         (exploded_graph::get_per_program_point_data): New decl.
>         (exploded_graph::get_node_by_index): New decl.
>         (exploded_path::feasible_p): Add "eng" and "eg" params.
>         * program-point.cc: Include "analyzer/store.h" before including
>         "analyzer/region-model.h".
>         (function_point::function_point): Move here from
>         program-point.h.
>         (function_point::get_function): Likewise.
>         (function_point::from_function_entry): Likewise.
>         (function_point::before_supernode): Likewise.
>         (function_point::next_stmt): New function.
>         * program-point.h (function_point::function_point): Move
>         implementation from here to program-point.cc.
>         (function_point::get_function): Likewise.
>         (function_point::from_function_entry): Likewise.
>         (function_point::before_supernode): Likewise.
>         (function_point::next_stmt): New decl.
>         (program_point::operator!=): New.
>         (program_point::origin): New.
>         (program_point::next_stmt): New.
>         (program_point::m_function_point): Make non-const.
>         * program-state.cc: Move includes of "analyzer/call-string.h" and
>         "analyzer/program-point.h" to before "analyzer/region-model.h",
>         and also include "analyzer/store.h" before it.
>         (extrinsic_state::get_model_manager): New.
>         (sm_state_map::sm_state_map): Pass in sm and sm_idx to ctor,
>         rather than pass them around.
>         (sm_state_map::clone_with_remapping): Delete.
>         (sm_state_map::print): Remove "sm" param in favor of "m_sm".  Add
>         "simple" and "multiline" params and support multiline vs single
>         line dumping.
>         (sm_state_map::dump): Remove "sm" param in favor of "m_sm".  Add
>         "simple" param.
>         (sm_state_map::hash): Port from svalue_id to const svalue *.
>         (sm_state_map::operator==): Likewise.
>         (sm_state_map::get_state): Likewise.  Call canonicalize_svalue on
>         input.  Handle inheritance of sm-state.  Call get_default_state.
>         (sm_state_map::get_origin): Port from svalue_id to const svalue *.
>         (sm_state_map::set_state): Likewise.  Pass in ext_state.  Reject
>         attempts to set state on UNKNOWN.
>         (sm_state_map::impl_set_state): Port from svalue_id to
>         const svalue *.  Pass in ext_state.  Call canonicalize_svalue on
>         input.
>         (sm_state_map::purge_for_unknown_fncall): Delete.
>         (sm_state_map::on_svalue_leak): New.
>         (sm_state_map::remap_svalue_ids): Delete.
>         (sm_state_map::on_liveness_change): New.
>         (sm_state_map::on_unknown_change): Reimplement.
>         (sm_state_map::on_svalue_purge): Delete.
>         (sm_state_map::on_inherited_svalue): Delete.
>         (sm_state_map::on_cast): Delete.
>         (sm_state_map::validate): Delete.
>         (sm_state_map::canonicalize_svalue): New.
>         (program_state::program_state): Update to pass manager to
>         region_model's ctor.  Constify num_states and pass state machine
>         and index to sm_state_map ctor.
>         (program_state::print): Update for changes to dump API.
>         (program_state::dump_to_pp): Ignore the summarize param.  Add
>         "multiline" param.
>         (program_state::dump_to_file): Add "multiline" param.
>         (program_state::dump): Pass "true" for new "multiline" param.
>         (program_state::push_frame): New.
>         (program_state::on_edge): Drop "change" param.  Call
>         program_state::detect_leaks.
>         (program_state::prune_for_point): Add enode_for_diag param.
>         Reimplement based on store class.  Call detect_leaks.
>         (program_state::remap_svalue_ids): Delete.
>         (program_state::get_representative_tree): Port from svalue_id to
>         const svalue *.
>         (program_state::can_merge_with_p): Add "point" param.  Add early
>         reject for sm-differences.  Drop id remapping.
>         (program_state::validate): Drop region model and sm_state_map
>         validation.
>         (state_change::sm_change::dump): Delete.
>         (state_change::sm_change::remap_svalue_ids): Delete.
>         (state_change::sm_change::on_svalue_purge): Delete.
>         (log_set_of_svalues): New.
>         (state_change::sm_change::validate): Delete.
>         (state_change::state_change): Delete.
>         (state_change::add_sm_change): Delete.
>         (state_change::affects_p): Delete.
>         (state_change::dump): Delete.
>         (state_change::remap_svalue_ids): Delete.
>         (state_change::on_svalue_purge): Delete.
>         (state_change::validate): Delete.
>         (selftest::assert_dump_eq): Delete.
>         (ASSERT_DUMP_EQ): Delete.
>         (selftest::test_sm_state_map): Update for changes to region_model
>         and sm_state_map, porting from svalue_id to const svalue *.
>         (selftest::test_program_state_dumping): Likewise.  Drop test of
>         dumping, renaming to...
>         (selftest::test_program_state_1): ...this.
>         (selftest::test_program_state_dumping_2): Likewise, renaming to...
>         (selftest::test_program_state_2): ...this.
>         (selftest::test_program_state_merging): Update for changes to
>         region_model.
>         (selftest::test_program_state_merging_2): Likewise.
>         (selftest::analyzer_program_state_cc_tests): Update for renamed
>         tests.
>         * program-state.h (extrinsic_state::extrinsic_state): Add logger
>         and engine params.
>         (extrinsic_state::get_logger): New accessor.
>         (extrinsic_state::get_engine): New accessor.
>         (extrinsic_state::get_model_manager): New accessor.
>         (extrinsic_state::m_logger): New field.
>         (extrinsic_state::m_engine): New field.
>         (struct default_hash_traits<svalue_id>): Delete.
>         (pod_hash_traits<svalue_id>::hash): Delete.
>         (pod_hash_traits<svalue_id>::equal): Delete.
>         (pod_hash_traits<svalue_id>::mark_deleted): Delete.
>         (pod_hash_traits<svalue_id>::mark_empty): Delete.
>         (pod_hash_traits<svalue_id>::is_deleted): Delete.
>         (pod_hash_traits<svalue_id>::is_empty): Delete.
>         (sm_state_map::entry_t::entry_t): Port from svalue_id to
>         const svalue *.
>         (sm_state_map::entry_t::m_origin): Likewise.
>         (sm_state_map::map_t): Likewise.
>         (sm_state_map::sm_state_map): Add state_machine and index params.
>         (sm_state_map::clone_with_remapping): Delete.
>         (sm_state_map::print):  Drop sm param; add simple and multiline
>         params.
>         (sm_state_map::dump): Drop sm param; add simple param.
>         (sm_state_map::get_state): Port from svalue_id to const svalue *.
>         Add ext_state param.
>         (sm_state_map::get_origin): Likewise.
>         (sm_state_map::set_state): Likewise.
>         (sm_state_map::impl_set_state): Likewise.
>         (sm_state_map::purge_for_unknown_fncall): Delete.
>         (sm_state_map::remap_svalue_ids): Delete.
>         (sm_state_map::on_svalue_purge): Delete.
>         (sm_state_map::on_svalue_leak): New.
>         (sm_state_map::on_liveness_change): New.
>         (sm_state_map::on_inherited_svalue): Delete.
>         (sm_state_map::on_cast): Delete.
>         (sm_state_map::validate): Delete.
>         (sm_state_map::on_unknown_change): Port from svalue_id to
>         const svalue *.  Add is_mutable and ext_state params.
>         (sm_state_map::canonicalize_svalue): New.
>         (sm_state_map::m_sm): New field.
>         (sm_state_map::m_sm_idx): New field.
>         (program_state::operator=): Delete.
>         (program_state::dump_to_pp): Drop "summarize" param, adding
>         "simple" and "multiline".
>         (program_state::dump_to_file): Likewise.
>         (program_state::dump): Rename "summarize" to "simple".
>         (program_state::push_frame): New.
>         (program_state::get_current_function): New.
>         (program_state::on_edge): Drop "change" param.
>         (program_state::prune_for_point): Likewise.  Add enode_for_diag
>         param.
>         (program_state::remap_svalue_ids): Delete.
>         (program_state::get_representative_tree): Port from svalue_id to
>         const svalue *.
>         (program_state::can_purge_p): Likewise.  Pass ext_state to get_state.
>         (program_state::can_merge_with_p): Add point param.
>         (program_state::detect_leaks): New.
>         (state_change_visitor::on_state_change): Port from tree and
>         svalue_id to a pair of const svalue *.
>         (class state_change): Delete.
>         * region.cc: New file.
>         * region-model-impl-calls.cc: New file.
>         * region-model-manager.cc: New file.
>         * region-model-reachability.cc: New file.
>         * region-model-reachability.h: New file.
>         * region-model.cc: Include "analyzer/call-string.h",
>         "analyzer/program-point.h", and "analyzer/store.h" before
>         "analyzer/region-model.h".  Include
>         "analyzer/region-model-reachability.h".
>         (dump_tree): Make non-static.
>         (dump_quoted_tree): Make non-static.
>         (print_quoted_type): Make non-static.
>         (path_var::dump): Delete.
>         (dump_separator): Delete.
>         (class impl_constraint_manager): Delete.
>         (svalue_id::print): Delete.
>         (svalue_id::dump_node_name_to_pp): Delete.
>         (svalue_id::validate): Delete.
>         (region_id::print): Delete.
>         (region_id::dump_node_name_to_pp): Delete.
>         (region_id::validate): Delete.
>         (region_id_set::region_id_set): Delete.
>         (svalue_id_set::svalue_id_set): Delete.
>         (svalue::operator==): Delete.
>         (svalue::hash): Delete.
>         (svalue::print): Delete.
>         (svalue::dump_dot_to_pp): Delete.
>         (svalue::remap_region_ids): Delete.
>         (svalue::walk_for_canonicalization): Delete.
>         (svalue::get_child_sid): Delete.
>         (svalue::maybe_get_constant): Delete.
>         (region_svalue::compare_fields): Delete.
>         (region_svalue::add_to_hash): Delete.
>         (region_svalue::print_details): Delete.
>         (region_svalue::dump_dot_to_pp): Delete.
>         (region_svalue::remap_region_ids): Delete.
>         (region_svalue::merge_values): Delete.
>         (region_svalue::walk_for_canonicalization): Delete.
>         (region_svalue::eval_condition): Delete.
>         (constant_svalue::compare_fields): Delete.
>         (constant_svalue::add_to_hash): Delete.
>         (constant_svalue::merge_values): Delete.
>         (constant_svalue::eval_condition): Move to svalue.cc.
>         (constant_svalue::print_details): Delete.
>         (constant_svalue::get_child_sid): Delete.
>         (unknown_svalue::compare_fields): Delete.
>         (unknown_svalue::add_to_hash): Delete.
>         (unknown_svalue::print_details): Delete.
>         (poison_kind_to_str): Move to svalue.cc.
>         (poisoned_svalue::compare_fields): Delete.
>         (poisoned_svalue::add_to_hash): Delete.
>         (poisoned_svalue::print_details): Delete.
>         (region_kind_to_str): Move to region.cc and reimplement.
>         (region::operator==): Delete.
>         (region::get_parent_region): Delete.
>         (region::set_value): Delete.
>         (region::become_active_view): Delete.
>         (region::deactivate_any_active_view): Delete.
>         (region::deactivate_view): Delete.
>         (region::get_value): Delete.
>         (region::get_inherited_child_sid): Delete.
>         (region_model::copy_region): Delete.
>         (region_model::copy_struct_region): Delete.
>         (region_model::copy_union_region): Delete.
>         (region_model::copy_array_region): Delete.
>         (region::hash): Delete.
>         (region::print): Delete.
>         (region::dump_dot_to_pp): Delete.
>         (region::dump_to_pp): Delete.
>         (region::dump_child_label): Delete.
>         (region::validate): Delete.
>         (region::remap_svalue_ids): Delete.
>         (region::remap_region_ids): Delete.
>         (region::add_view): Delete.
>         (region::get_view): Delete.
>         (region::region): Move to region.cc.
>         (region::add_to_hash): Delete.
>         (region::print_fields): Delete.
>         (region::non_null_p): Delete.
>         (primitive_region::clone): Delete.
>         (primitive_region::walk_for_canonicalization): Delete.
>         (map_region::map_region): Delete.
>         (map_region::compare_fields): Delete.
>         (map_region::print_fields): Delete.
>         (map_region::validate): Delete.
>         (map_region::dump_dot_to_pp): Delete.
>         (map_region::dump_child_label): Delete.
>         (map_region::get_or_create): Delete.
>         (map_region::get): Delete.
>         (map_region::add_to_hash): Delete.
>         (map_region::remap_region_ids): Delete.
>         (map_region::unbind): Delete.
>         (map_region::get_tree_for_child_region): Delete.
>         (map_region::get_tree_for_child_region): Delete.
>         (tree_cmp): Move to region.cc.
>         (map_region::can_merge_p): Delete.
>         (map_region::walk_for_canonicalization): Delete.
>         (map_region::get_value_by_name): Delete.
>         (struct_or_union_region::valid_key_p): Delete.
>         (struct_or_union_region::compare_fields): Delete.
>         (struct_region::clone): Delete.
>         (struct_region::compare_fields): Delete.
>         (union_region::clone): Delete.
>         (union_region::compare_fields): Delete.
>         (frame_region::compare_fields): Delete.
>         (frame_region::clone): Delete.
>         (frame_region::valid_key_p): Delete.
>         (frame_region::print_fields): Delete.
>         (frame_region::add_to_hash): Delete.
>         (globals_region::compare_fields): Delete.
>         (globals_region::clone): Delete.
>         (globals_region::valid_key_p): Delete.
>         (code_region::compare_fields): Delete.
>         (code_region::clone): Delete.
>         (code_region::valid_key_p): Delete.
>         (array_region::array_region): Delete.
>         (array_region::get_element): Delete.
>         (array_region::clone): Delete.
>         (array_region::compare_fields): Delete.
>         (array_region::print_fields): Delete.
>         (array_region::validate): Delete.
>         (array_region::dump_dot_to_pp): Delete.
>         (array_region::dump_child_label): Delete.
>         (array_region::get_or_create): Delete.
>         (array_region::get): Delete.
>         (array_region::add_to_hash): Delete.
>         (array_region::remap_region_ids): Delete.
>         (array_region::get_key_for_child_region): Delete.
>         (array_region::key_cmp): Delete.
>         (array_region::walk_for_canonicalization): Delete.
>         (array_region::key_from_constant): Delete.
>         (array_region::constant_from_key): Delete.
>         (function_region::compare_fields): Delete.
>         (function_region::clone): Delete.
>         (function_region::valid_key_p): Delete.
>         (stack_region::stack_region): Delete.
>         (stack_region::compare_fields): Delete.
>         (stack_region::clone): Delete.
>         (stack_region::print_fields): Delete.
>         (stack_region::dump_child_label): Delete.
>         (stack_region::validate): Delete.
>         (stack_region::push_frame): Delete.
>         (stack_region::get_current_frame_id): Delete.
>         (stack_region::pop_frame): Delete.
>         (stack_region::add_to_hash): Delete.
>         (stack_region::remap_region_ids): Delete.
>         (stack_region::can_merge_p): Delete.
>         (stack_region::walk_for_canonicalization): Delete.
>         (stack_region::get_value_by_name): Delete.
>         (heap_region::heap_region): Delete.
>         (heap_region::compare_fields): Delete.
>         (heap_region::clone): Delete.
>         (heap_region::walk_for_canonicalization): Delete.
>         (root_region::root_region): Delete.
>         (root_region::compare_fields): Delete.
>         (root_region::clone): Delete.
>         (root_region::print_fields): Delete.
>         (root_region::validate): Delete.
>         (root_region::dump_child_label): Delete.
>         (root_region::push_frame): Delete.
>         (root_region::get_current_frame_id): Delete.
>         (root_region::pop_frame): Delete.
>         (root_region::ensure_stack_region): Delete.
>         (root_region::get_stack_region): Delete.
>         (root_region::ensure_globals_region): Delete.
>         (root_region::get_code_region): Delete.
>         (root_region::ensure_code_region): Delete.
>         (root_region::get_globals_region): Delete.
>         (root_region::ensure_heap_region): Delete.
>         (root_region::get_heap_region): Delete.
>         (root_region::remap_region_ids): Delete.
>         (root_region::can_merge_p): Delete.
>         (root_region::add_to_hash): Delete.
>         (root_region::walk_for_canonicalization): Delete.
>         (root_region::get_value_by_name): Delete.
>         (symbolic_region::symbolic_region): Delete.
>         (symbolic_region::compare_fields): Delete.
>         (symbolic_region::clone): Delete.
>         (symbolic_region::walk_for_canonicalization): Delete.
>         (symbolic_region::print_fields): Delete.
>         (region_model::region_model): Add region_model_manager * param.
>         Reimplement in terms of store, dropping impl_constraint_manager
>         subclass.
>         (region_model::operator=): Reimplement in terms of store.
>         (region_model::operator==): Likewise.
>         (region_model::hash): Likewise.
>         (region_model::print): Delete.
>         (region_model::print_svalue): Delete.
>         (region_model::dump_dot_to_pp): Delete.
>         (region_model::dump_dot_to_file): Delete.
>         (region_model::dump_dot): Delete.
>         (region_model::dump_to_pp): Replace "summarize" param with
>         "simple" and "multiline".  Port to store-based implementation.
>         (region_model::dump): Replace "summarize" param with "simple" and
>         "multiline".
>         (dump_vec_of_tree): Delete.
>         (region_model::dump_summary_of_rep_path_vars): Delete.
>         (region_model::validate): Delete.
>         (svalue_id_cmp_by_constant_svalue_model): Delete.
>         (svalue_id_cmp_by_constant_svalue): Delete.
>         (region_model::canonicalize): Drop "ctxt" param.  Reimplement in
>         terms of store and constraints.
>         (region_model::canonicalized_p): Remove NULL arg to canonicalize.
>         (region_model::loop_replay_fixup): New.
>         (poisoned_value_diagnostic::emit): Tweak wording of warnings.
>         (region_model::check_for_poison): Delete.
>         (region_model::get_gassign_result): New.
>         (region_model::on_assignment): Port to store-based implementation.
>         (region_model::on_call_pre): Delete calls to check_for_poison.
>         Move implementations to region-model-impl-calls.c and port to
>         store-based implementation.
>         (region_model::on_call_post): Likewise.
>         (class reachable_regions): Move to region-model-reachability.h/cc
>         and port to store-based implementation.
>         (region_model::handle_unrecognized_call): Port to store-based
>         implementation.
>         (region_model::get_reachable_svalues): New.
>         (region_model::on_setjmp): Port to store-based implementation.
>         (region_model::on_longjmp): Likewise.
>         (region_model::handle_phi): Drop is_back_edge param and the logic
>         using it.
>         (region_model::get_lvalue_1): Port from region_id to const region *.
>         (region_model::make_region_for_unexpected_tree_code): Delete.
>         (assert_compat_types): If the check fails, use internal_error to
>         show the types.
>         (region_model::get_lvalue): Port from region_id to const region *.
>         (region_model::get_rvalue_1): Port from svalue_id to const svalue *.
>         (region_model::get_rvalue): Likewise.
>         (region_model::get_or_create_ptr_svalue): Delete.
>         (region_model::get_or_create_constant_svalue): Delete.
>         (region_model::get_svalue_for_fndecl): Delete.
>         (region_model::get_region_for_fndecl): Delete.
>         (region_model::get_svalue_for_label): Delete.
>         (region_model::get_region_for_label): Delete.
>         (build_cast): Delete.
>         (region_model::maybe_cast_1): Delete.
>         (region_model::maybe_cast): Delete.
>         (region_model::get_field_region): Delete.
>         (region_model::get_store_value): New.
>         (region_model::region_exists_p): New.
>         (region_model::deref_rvalue): Port from svalue_id to const svalue *.
>         (region_model::set_value): Likewise.
>         (region_model::clobber_region): New.
>         (region_model::purge_region): New.
>         (region_model::zero_fill_region): New.
>         (region_model::mark_region_as_unknown): New.
>         (region_model::eval_condition): Port from svalue_id to
>         const svalue *.
>         (region_model::eval_condition_without_cm): Likewise.
>         (region_model::compare_initial_and_pointer): New.
>         (region_model::add_constraint): Port from svalue_id to
>         const svalue *.
>         (region_model::maybe_get_constant): Delete.
>         (region_model::get_representative_path_var): New.
>         (region_model::add_new_malloc_region): Delete.
>         (region_model::get_representative_tree): Port to const svalue *.
>         (region_model::get_representative_path_var): Port to
>         const region *.
>         (region_model::get_path_vars_for_svalue): Delete.
>         (region_model::set_to_new_unknown_value): Delete.
>         (region_model::update_for_phis): Don't pass is_back_edge to handle_phi.
>         (region_model::update_for_call_superedge): Port from svalue_id to
>         const svalue *.
>         (region_model::update_for_return_superedge): Port to store-based
>         implementation.
>         (region_model::update_for_call_summary): Replace
>         set_to_new_unknown_value with mark_region_as_unknown.
>         (region_model::get_root_region): Delete.
>         (region_model::get_stack_region_id): Delete.
>         (region_model::push_frame): Delete.
>         (region_model::get_current_frame_id): Delete.
>         (region_model::get_current_function): Delete.
>         (region_model::pop_frame): Delete.
>         (region_model::on_top_level_param): New.
>         (region_model::get_stack_depth): Delete.
>         (region_model::get_function_at_depth): Delete.
>         (region_model::get_globals_region_id): Delete.
>         (region_model::add_svalue): Delete.
>         (region_model::replace_svalue): Delete.
>         (region_model::add_region): Delete.
>         (region_model::get_svalue): Delete.
>         (region_model::get_region): Delete.
>         (make_region_for_type): Delete.
>         (region_model::add_region_for_type): Delete.
>         (region_model::on_top_level_param): New.
>         (class restrict_to_used_svalues): Delete.
>         (region_model::purge_unused_svalues): Delete.
>         (region_model::push_frame): New.
>         (region_model::remap_svalue_ids): Delete.
>         (region_model::remap_region_ids): Delete.
>         (region_model::purge_regions): Delete.
>         (region_model::get_descendents): Delete.
>         (region_model::delete_region_and_descendents): Delete.
>         (region_model::poison_any_pointers_to_bad_regions): Delete.
>         (region_model::can_merge_with_p): Delete.
>         (region_model::get_current_function): New.
>         (region_model::get_value_by_name): Delete.
>         (region_model::convert_byte_offset_to_array_index): Delete.
>         (region_model::pop_frame): New.
>         (region_model::get_or_create_mem_ref): Delete.
>         (region_model::get_stack_depth): New.
>         (region_model::get_frame_at_index): New.
>         (region_model::unbind_region_and_descendents): New.
>         (struct bad_pointer_finder): New.
>         (region_model::get_or_create_pointer_plus_expr): Delete.
>         (region_model::poison_any_pointers_to_descendents): New.
>         (region_model::get_or_create_view): Delete.
>         (region_model::can_merge_with_p): New.
>         (region_model::get_fndecl_for_call):  Port from svalue_id to
>         const svalue *.
>         (struct append_ssa_names_cb_data): New.
>         (get_ssa_name_regions_for_current_frame): New.
>         (region_model::append_ssa_names_cb): New.
>         (model_merger::dump_to_pp): Add "simple" param.  Drop dumping of
>         remappings.
>         (model_merger::dump): Add "simple" param to both overloads.
>         (model_merger::can_merge_values_p): Delete.
>         (model_merger::record_regions): Delete.
>         (model_merger::record_svalues): Delete.
>         (svalue_id_merger_mapping::svalue_id_merger_mapping): Delete.
>         (svalue_id_merger_mapping::dump_to_pp): Delete.
>         (svalue_id_merger_mapping::dump): Delete.
>         (region_model::create_region_for_heap_alloc): New.
>         (region_model::create_region_for_alloca): New.
>         (region_model::record_dynamic_extents): New.
>         (canonicalization::canonicalization): Delete.
>         (canonicalization::walk_rid): Delete.
>         (canonicalization::walk_sid): Delete.
>         (canonicalization::dump_to_pp): Delete.
>         (canonicalization::dump): Delete.
>         (inchash::add): Delete overloads for svalue_id and region_id.
>         (engine::log_stats): New.
>         (assert_condition): Add overload comparing svalues.
>         (assert_dump_eq): Pass "true" for multiline.
>         (selftest::test_dump): Update for rewrite of region_model.
>         (selftest::test_dump_2): Rename to...
>         (selftest::test_struct): ...this.  Provide a region_model_manager
>         when creating region_model instance.  Remove dump test.  Add
>         checks for get_offset.
>         (selftest::test_dump_3): Rename to...
>         (selftest::test_array_1): ...this.  Provide a region_model_manager
>         when creating region_model instance.  Remove dump test.
>         (selftest::test_get_representative_tree): Port from svalue_id to
>         new API.  Add test coverage for various expressions.
>         (selftest::test_unique_constants): Provide a region_model_manager
>         for the region_model.  Add test coverage for comparing const vs
>         non-const.
>         (selftest::test_svalue_equality): Delete.
>         (selftest::test_region_equality): Delete.
>         (selftest::test_unique_unknowns): New.
>         (class purge_all_svalue_ids): Delete.
>         (class purge_one_svalue_id): Delete.
>         (selftest::test_purging_by_criteria): Delete.
>         (selftest::test_initial_svalue_folding): New.
>         (selftest::test_unaryop_svalue_folding): New.
>         (selftest::test_binop_svalue_folding): New.
>         (selftest::test_sub_svalue_folding): New.
>         (selftest::test_purge_unused_svalues): Delete.
>         (selftest::test_descendent_of_p): New.
>         (selftest::test_assignment): Provide a region_model_manager for
>         the region_model.  Drop the dump test.
>         (selftest::test_compound_assignment): Likewise.
>         (selftest::test_stack_frames): Port to new implementation.
>         (selftest::test_get_representative_path_var): Likewise.
>         (selftest::test_canonicalization_1): Rename to...
>         (selftest::test_equality_1): ...this.  Port to new API, and add
>         (selftest::test_canonicalization_2): Provide a
>         region_model_manager when creating region_model instances.
>         Remove redundant canonicalization.
>         (selftest::test_canonicalization_3): Provide a
>         region_model_manager when creating region_model instances.
>         Remove param from calls to region_model::canonicalize.
>         (selftest::test_canonicalization_4): Likewise.
>         (selftest::assert_region_models_merge): Constify
>         out_merged_svalue.  Port to new API.
>         (selftest::test_state_merging): Provide a
>         region_model_manager when creating region_model instances.
>         Provide a program_point point when merging them.  Replace
>         set_to_new_unknown_value with usage of placeholder_svalues.
>         Drop get_value_by_name.  Port from svalue_id to const svalue *.
>         Add test of heap allocation.
>         (selftest::test_constraint_merging):  Provide a
>         region_model_manager when creating region_model instances.
>         Provide a program_point point when merging them.  Eliminate use
>         of set_to_new_unknown_value.
>         (selftest::test_widening_constraints): New.
>         (selftest::test_iteration_1): New.
>         (selftest::test_malloc_constraints): Port to store-based
>         implementation.
>         (selftest::test_var): New test.
>         (selftest::test_array_2): New test.
>         (selftest::test_mem_ref): New test.
>         (selftest::test_POINTER_PLUS_EXPR_then_MEM_REF): New.
>         (selftest::test_malloc): New.
>         (selftest::test_alloca): New.
>         (selftest::analyzer_region_model_cc_tests): Update for renamings.
>         Call new functions.
>         * region-model.h (class path_var): Move to analyzer.h.
>         (class svalue_id): Delete.
>         (class region_id): Delete.
>         (class id_map): Delete.
>         (svalue_id_map): Delete.
>         (region_id_map): Delete.
>         (id_map<T>::id_map): Delete.
>         (id_map<T>::put): Delete.
>         (id_map<T>::get_dst_for_src): Delete.
>         (id_map<T>::get_src_for_dst): Delete.
>         (id_map<T>::dump_to_pp): Delete.
>         (id_map<T>::dump): Delete.
>         (id_map<T>::update): Delete.
>         (one_way_svalue_id_map): Delete.
>         (one_way_region_id_map): Delete.
>         (class region_id_set): Delete.
>         (class svalue_id_set): Delete.
>         (struct complexity): New.
>         (class visitor): New.
>         (enum svalue_kind): Add SK_SETJMP, SK_INITIAL, SK_UNARYOP,
>         SK_BINOP, SK_SUB, SK_UNMERGEABLE, SK_PLACEHOLDER, SK_WIDENING,
>         SK_COMPOUND, and SK_CONJURED.
>         (svalue::operator==): Delete.
>         (svalue::operator!=): Delete.
>         (svalue::clone): Delete.
>         (svalue::hash): Delete.
>         (svalue::dump_dot_to_pp): Delete.
>         (svalue::dump_to_pp): New.
>         (svalue::dump): New.
>         (svalue::get_desc): New.
>         (svalue::dyn_cast_initial_svalue): New.
>         (svalue::dyn_cast_unaryop_svalue): New.
>         (svalue::dyn_cast_binop_svalue): New.
>         (svalue::dyn_cast_sub_svalue): New.
>         (svalue::dyn_cast_unmergeable_svalue): New.
>         (svalue::dyn_cast_widening_svalue): New.
>         (svalue::dyn_cast_compound_svalue): New.
>         (svalue::dyn_cast_conjured_svalue): New.
>         (svalue::maybe_undo_cast): New.
>         (svalue::unwrap_any_unmergeable): New.
>         (svalue::remap_region_ids): Delete.
>         (svalue::can_merge_p): New.
>         (svalue::walk_for_canonicalization): Delete.
>         (svalue::get_complexity): New.
>         (svalue::get_child_sid): Delete.
>         (svalue::accept): New.
>         (svalue::live_p): New.
>         (svalue::implicitly_live_p): New.
>         (svalue::svalue): Add complexity param.
>         (svalue::add_to_hash): Delete.
>         (svalue::print_details): Delete.
>         (svalue::m_complexity): New field.
>         (region_svalue::key_t): New struct.
>         (region_svalue::region_svalue): Port from region_id to
>         const region_id *.  Add complexity.
>         (region_svalue::compare_fields): Delete.
>         (region_svalue::clone): Delete.
>         (region_svalue::dump_dot_to_pp): Delete.
>         (region_svalue::get_pointee): Port from region_id to
>         const region_id *.
>         (region_svalue::remap_region_ids): Delete.
>         (region_svalue::merge_values): Delete.
>         (region_svalue::dump_to_pp): New.
>         (region_svalue::accept): New.
>         (region_svalue::walk_for_canonicalization): Delete.
>         (region_svalue::eval_condition): Make params const.
>         (region_svalue::add_to_hash): Delete.
>         (region_svalue::print_details): Delete.
>         (region_svalue::m_rid): Replace with...
>         (region_svalue::m_reg): ...this.
>         (is_a_helper <region_svalue *>::test): Convert to...
>         (is_a_helper <const region_svalue *>::test): ...this.
>         (template <> struct default_hash_traits<region_svalue::key_t>):
>         New.
>         (constant_svalue::constant_svalue): Add complexity.
>         (constant_svalue::compare_fields): Delete.
>         (constant_svalue::clone): Delete.
>         (constant_svalue::add_to_hash): Delete.
>         (constant_svalue::dump_to_pp): New.
>         (constant_svalue::accept): New.
>         (constant_svalue::implicitly_live_p): New.
>         (constant_svalue::merge_values): Delete.
>         (constant_svalue::eval_condition): Make params const.
>         (constant_svalue::get_child_sid): Delete.
>         (constant_svalue::print_details): Delete.
>         (is_a_helper <constant_svalue *>::test): Convert to...
>         (is_a_helper <const constant_svalue *>::test): ...this.
>         (class unknown_svalue): Update leading comment.
>         (unknown_svalue::unknown_svalue): Add complexity.
>         (unknown_svalue::compare_fields): Delete.
>         (unknown_svalue::add_to_hash): Delete.
>         (unknown_svalue::dyn_cast_unknown_svalue): Delete.
>         (unknown_svalue::print_details): Delete.
>         (unknown_svalue::dump_to_pp): New.
>         (unknown_svalue::accept): New.
>         (poisoned_svalue::key_t): New struct.
>         (poisoned_svalue::poisoned_svalue): Add complexity.
>         (poisoned_svalue::compare_fields): Delete.
>         (poisoned_svalue::clone): Delete.
>         (poisoned_svalue::add_to_hash): Delete.
>         (poisoned_svalue::dump_to_pp): New.
>         (poisoned_svalue::accept): New.
>         (poisoned_svalue::print_details): Delete.
>         (is_a_helper <poisoned_svalue *>::test): Convert to...
>         (is_a_helper <const poisoned_svalue *>::test): ...this.
>         (template <> struct default_hash_traits<poisoned_svalue::key_t>):
>         New.
>         (setjmp_record::add_to_hash): New.
>         (setjmp_svalue::key_t): New struct.
>         (setjmp_svalue::compare_fields): Delete.
>         (setjmp_svalue::clone): Delete.
>         (setjmp_svalue::add_to_hash): Delete.
>         (setjmp_svalue::setjmp_svalue): Add complexity.
>         (setjmp_svalue::dump_to_pp): New.
>         (setjmp_svalue::accept): New.
>         (setjmp_svalue::void print_details): Delete.
>         (is_a_helper <const setjmp_svalue *>::test): New.
>         (template <> struct default_hash_traits<setjmp_svalue::key_t>): New.
>         (class initial_svalue : public svalue): New.
>         (is_a_helper <const initial_svalue *>::test): New.
>         (class unaryop_svalue): New.
>         (is_a_helper <const unaryop_svalue *>::test): New.
>         (template <> struct default_hash_traits<unaryop_svalue::key_t>): New.
>         (class binop_svalue): New.
>         (is_a_helper <const binop_svalue *>::test): New.
>         (template <> struct default_hash_traits<binop_svalue::key_t>): New.
>         (class sub_svalue): New.
>         (is_a_helper <const sub_svalue *>::test): New.
>         (template <> struct default_hash_traits<sub_svalue::key_t>): New.
>         (class unmergeable_svalue): New.
>         (is_a_helper <const unmergeable_svalue *>::test): New.
>         (class placeholder_svalue): New.
>         (is_a_helper <placeholder_svalue *>::test): New.
>         (class widening_svalue): New.
>         (is_a_helper <widening_svalue *>::test): New.
>         (template <> struct default_hash_traits<widening_svalue::key_t>): New.
>         (class compound_svalue): New.
>         (is_a_helper <compound_svalue *>::test): New.
>         (template <> struct default_hash_traits<compound_svalue::key_t>): New.
>         (class conjured_svalue): New.
>         (is_a_helper <conjured_svalue *>::test): New.
>         (template <> struct default_hash_traits<conjured_svalue::key_t>): New.
>         (enum region_kind): Delete RK_PRIMITIVE, RK_STRUCT, RK_UNION, and
>         RK_ARRAY.  Add RK_LABEL, RK_DECL, RK_FIELD, RK_ELEMENT, RK_OFFSET,
>         RK_CAST, RK_HEAP_ALLOCATED, RK_ALLOCA, RK_STRING, and RK_UNKNOWN.
>         (region_kind_to_str): Delete.
>         (region::~region): Move implementation to region.cc.
>         (region::operator==): Delete.
>         (region::operator!=): Delete.
>         (region::clone): Delete.
>         (region::get_id): New.
>         (region::cmp_ids): New.
>         (region::dyn_cast_map_region): Delete.
>         (region::dyn_cast_array_region): Delete.
>         (region::region_id get_parent): Delete.
>         (region::get_parent_region): Convert to a simple accessor.
>         (region::void set_value): Delete.
>         (region::svalue_id get_value): Delete.
>         (region::svalue_id get_value_direct): Delete.
>         (region::svalue_id get_inherited_child_sid): Delete.
>         (region::dyn_cast_frame_region): New.
>         (region::dyn_cast_function_region): New.
>         (region::dyn_cast_decl_region): New.
>         (region::dyn_cast_field_region): New.
>         (region::dyn_cast_element_region): New.
>         (region::dyn_cast_offset_region): New.
>         (region::dyn_cast_cast_region): New.
>         (region::dyn_cast_string_region): New.
>         (region::accept): New.
>         (region::get_base_region): New.
>         (region::base_region_p): New.
>         (region::descendent_of_p): New.
>         (region::maybe_get_frame_region): New.
>         (region::maybe_get_decl): New.
>         (region::hash): Delete.
>         (region::rint): Delete.
>         (region::dump_dot_to_pp): Delete.
>         (region::get_desc): New.
>         (region::dump_to_pp): Convert to vfunc, changing signature.
>         (region::dump_child_label): Delete.
>         (region::remap_svalue_ids): Delete.
>         (region::remap_region_ids): Delete.
>         (region::dump): New.
>         (region::walk_for_canonicalization): Delete.
>         (region::non_null_p): Drop region_model param.
>         (region::add_view): Delete.
>         (region::get_view): Delete.
>         (region::get_active_view): Delete.
>         (region::is_view_p): Delete.
>         (region::cmp_ptrs): New.
>         (region::validate): Delete.
>         (region::get_offset): New.
>         (region::get_byte_size): New.
>         (region::get_bit_size): New.
>         (region::get_subregions_for_binding): New.
>         (region::region): Add complexity param.  Convert parent from
>         region_id to const region *.  Drop svalue_id.  Drop copy ctor.
>         (region::symbolic_for_unknown_ptr_p): New.
>         (region::add_to_hash): Delete.
>         (region::print_fields): Delete.
>         (region::get_complexity): New accessor.
>         (region::become_active_view): Delete.
>         (region::deactivate_any_active_view): Delete.
>         (region::deactivate_view): Delete.
>         (region::calc_offset): New.
>         (region::m_parent_rid): Delete.
>         (region::m_sval_id): Delete.
>         (region::m_complexity): New.
>         (region::m_id): New.
>         (region::m_parent): New.
>         (region::m_view_rids): Delete.
>         (region::m_is_view): Delete.
>         (region::m_active_view_rid): Delete.
>         (region::m_cached_offset): New.
>         (is_a_helper <region *>::test): Convert to...
>         (is_a_helper <const region *>::test): ... this.
>         (class primitive_region): Delete.
>         (class space_region): New.
>         (class map_region): Delete.
>         (is_a_helper <map_region *>::test): Delete.
>         (class frame_region): Reimplement.
>         (template <> struct default_hash_traits<frame_region::key_t>):
>         New.
>         (class globals_region): Reimplement.
>         (is_a_helper <globals_region *>::test): Convert to...
>         (is_a_helper <const globals_region *>::test): ...this.
>         (class struct_or_union_region): Delete.
>         (is_a_helper <struct_or_union_region *>::test): Delete.
>         (class code_region): Reimplement.
>         (is_a_helper <const code_region *>::test): New.
>         (class struct_region): Delete.
>         (is_a_helper <struct_region *>::test): Delete.
>         (class function_region): Reimplement.
>         (is_a_helper <function_region *>::test): Convert to...
>         (is_a_helper <const function_region *>::test): ...this.
>         (class union_region): Delete.
>         (is_a_helper <union_region *>::test): Delete.
>         (class label_region): New.
>         (is_a_helper <const label_region *>::test): New.
>         (class scope_region): Delete.
>         (class stack_region): Reimplement.
>         (is_a_helper <stack_region *>::test): Convert to...
>         (is_a_helper <const stack_region *>::test): ...this.
>         (class heap_region): Reimplement.
>         (is_a_helper <heap_region *>::test): Convert to...
>         (is_a_helper <const heap_region *>::test): ...this.
>         (class root_region): Reimplement.
>         (is_a_helper <root_region *>::test): Convert to...
>         (is_a_helper <const root_region *>::test): ...this.
>         (class symbolic_region): Reimplement.
>         (is_a_helper <const symbolic_region *>::test): New.
>         (template <> struct default_hash_traits<symbolic_region::key_t>):
>         New.
>         (class decl_region): New.
>         (is_a_helper <const decl_region *>::test): New.
>         (class field_region): New.
>         (template <> struct default_hash_traits<field_region::key_t>): New.
>         (class array_region): Delete.
>         (class element_region): New.
>         (is_a_helper <array_region *>::test): Delete.
>         (is_a_helper <const element_region *>::test): New.
>         (template <> struct default_hash_traits<element_region::key_t>):
>         New.
>         (class offset_region): New.
>         (is_a_helper <const offset_region *>::test): New.
>         (template <> struct default_hash_traits<offset_region::key_t>):
>         New.
>         (class cast_region): New.
>         (is_a_helper <const cast_region *>::test): New.
>         (template <> struct default_hash_traits<cast_region::key_t>): New.
>         (class heap_allocated_region): New.
>         (class alloca_region): New.
>         (class string_region): New.
>         (is_a_helper <const string_region *>::test): New.
>         (class unknown_region): New.
>         (class region_model_manager): New.
>         (struct append_ssa_names_cb_data): New.
>         (class call_details): New.
>         (region_model::region_model): Add region_model_manager param.
>         (region_model::print_svalue): Delete.
>         (region_model::dump_dot_to_pp): Delete.
>         (region_model::dump_dot_to_file): Delete.
>         (region_model::dump_dot): Delete.
>         (region_model::dump_to_pp): Drop summarize param in favor of
>         simple and multiline.
>         (region_model::dump): Likewise.
>         (region_model::summarize_to_pp): Delete.
>         (region_model::summarize): Delete.
>         (region_model::void canonicalize): Drop ctxt param.
>         (region_model::void check_for_poison): Delete.
>         (region_model::get_gassign_result): New.
>         (region_model::impl_call_alloca): New.
>         (region_model::impl_call_analyzer_describe): New.
>         (region_model::impl_call_analyzer_eval): New.
>         (region_model::impl_call_builtin_expect): New.
>         (region_model::impl_call_calloc): New.
>         (region_model::impl_call_free): New.
>         (region_model::impl_call_malloc): New.
>         (region_model::impl_call_memset): New.
>         (region_model::impl_call_strlen): New.
>         (region_model::get_reachable_svalues): New.
>         (region_model::handle_phi): Drop is_back_edge param.
>         (region_model::region_id get_root_rid): Delete.
>         (region_model::root_region *get_root_region): Delete.
>         (region_model::region_id get_stack_region_id): Delete.
>         (region_model::push_frame): Convert from region_id and svalue_id
>         to const region * and const svalue *.
>         (region_model::get_current_frame_id): Replace with...
>         (region_model::get_current_frame): ...this.
>         (region_model::pop_frame): Convert from region_id to
>         const region *.  Drop purge and stats param.  Add out_result.
>         (region_model::function *get_function_at_depth): Delete.
>         (region_model::get_globals_region_id): Delete.
>         (region_model::add_svalue): Delete.
>         (region_model::replace_svalue): Delete.
>         (region_model::add_region): Delete.
>         (region_model::add_region_for_type): Delete.
>         (region_model::get_svalue): Delete.
>         (region_model::get_region): Delete.
>         (region_model::get_lvalue): Convert from region_id to
>         const region *.
>         (region_model::get_rvalue): Convert from svalue_id to
>         const svalue *.
>         (region_model::get_or_create_ptr_svalue): Delete.
>         (region_model::get_or_create_constant_svalue): Delete.
>         (region_model::get_svalue_for_fndecl): Delete.
>         (region_model::get_svalue_for_label): Delete.
>         (region_model::get_region_for_fndecl): Delete.
>         (region_model::get_region_for_label): Delete.
>         (region_model::get_frame_at_index (int index) const;): New.
>         (region_model::maybe_cast): Delete.
>         (region_model::maybe_cast_1): Delete.
>         (region_model::get_field_region): Delete.
>         (region_model::id deref_rvalue): Convert from region_id and
>         svalue_id to const region * and const svalue *.  Drop overload,
>         passing in both a tree and an svalue.
>         (region_model::set_value): Convert from region_id and svalue_id to
>         const region * and const svalue *.
>         (region_model::set_to_new_unknown_value): Delete.
>         (region_model::clobber_region (const region *reg);): New.
>         (region_model::purge_region (const region *reg);): New.
>         (region_model::zero_fill_region (const region *reg);): New.
>         (region_model::mark_region_as_unknown (const region *reg);): New.
>         (region_model::copy_region): Convert from region_id to
>         const region *.
>         (region_model::eval_condition): Convert from svalue_id to
>         const svalue *.
>         (region_model::eval_condition_without_cm): Likewise.
>         (region_model::compare_initial_and_pointer): New.
>         (region_model:maybe_get_constant): Delete.
>         (region_model::add_new_malloc_region): Delete.
>         (region_model::get_representative_tree): Convert from svalue_id to
>         const svalue *.
>         (region_model::get_representative_path_var): Delete decl taking a
>         region_id in favor of two decls, for svalue vs region, with an
>         svalue_set to ensure termination.
>         (region_model::get_path_vars_for_svalue): Delete.
>         (region_model::create_region_for_heap_alloc): New.
>         (region_model::create_region_for_alloca): New.
>         (region_model::purge_unused_svalues): Delete.
>         (region_model::remap_svalue_ids): Delete.
>         (region_model::remap_region_ids): Delete.
>         (region_model::purge_regions): Delete.
>         (region_model::get_num_svalues): Delete.
>         (region_model::get_num_regions): Delete.
>         (region_model::get_descendents): Delete.
>         (region_model::get_store): New.
>         (region_model::delete_region_and_descendents): Delete.
>         (region_model::get_manager): New.
>         (region_model::unbind_region_and_descendents): New.
>         (region_model::can_merge_with_p): Add point param.  Drop
>         svalue_id_merger_mapping.
>         (region_model::get_value_by_name): Delete.
>         (region_model::convert_byte_offset_to_array_index): Delete.
>         (region_model::get_or_create_mem_ref): Delete.
>         (region_model::get_or_create_pointer_plus_expr): Delete.
>         (region_model::get_or_create_view): Delete.
>         (region_model::get_lvalue_1): Convert from region_id to
>         const region *.
>         (region_model::get_rvalue_1): Convert from svalue_id to
>         const svalue *.
>         (region_model::get_ssa_name_regions_for_current_frame): New.
>         (region_model::append_ssa_names_cb): New.
>         (region_model::get_store_value): New.
>         (region_model::copy_struct_region): Delete.
>         (region_model::copy_union_region): Delete.
>         (region_model::copy_array_region): Delete.
>         (region_model::region_exists_p): New.
>         (region_model::make_region_for_unexpected_tree_code): Delete.
>         (region_model::loop_replay_fixup): New.
>         (region_model::poison_any_pointers_to_bad_regions): Delete.
>         (region_model::poison_any_pointers_to_descendents): New.
>         (region_model::dump_summary_of_rep_path_vars): Delete.
>         (region_model::on_top_level_param): New.
>         (region_model::record_dynamic_extents): New.
>         (region_model::m_mgr;): New.
>         (region_model::m_store;): New.
>         (region_model::m_svalues;): Delete.
>         (region_model::m_regions;): Delete.
>         (region_model::m_root_rid;): Delete.
>         (region_model::m_current_frame;): New.
>         (region_model_context::remap_svalue_ids): Delete.
>         (region_model_context::can_purge_p): Delete.
>         (region_model_context::on_svalue_leak): New.
>         (region_model_context::on_svalue_purge): Delete.
>         (region_model_context::on_liveness_change): New.
>         (region_model_context::on_inherited_svalue): Delete.
>         (region_model_context::on_cast): Delete.
>         (region_model_context::on_unknown_change): Convert from svalue_id to
>         const svalue * and add is_mutable.
>         (class noop_region_model_context): Update for region_model_context
>         changes.
>         (model_merger::model_merger): Add program_point.  Drop
>         svalue_id_merger_mapping.
>         (model_merger::dump_to_pp): Add "simple" param.
>         (model_merger::dump): Likewise.
>         (model_merger::get_region_a): Delete.
>         (model_merger::get_region_b): Delete.
>         (model_merger::can_merge_values_p): Delete.
>         (model_merger::record_regions): Delete.
>         (model_merger::record_svalues): Delete.
>         (model_merger::m_point): New field.
>         (model_merger::m_map_regions_from_a_to_m): Delete.
>         (model_merger::m_map_regions_from_b_to_m): Delete.
>         (model_merger::m_sid_mapping): Delete.
>         (struct svalue_id_merger_mapping): Delete.
>         (class engine): New.
>         (struct canonicalization): Delete.
>         (inchash::add): Delete decls for hashing svalue_id and region_id.
>         (test_region_model_context::on_unexpected_tree_code): Require t to
>         be non-NULL.
>         (selftest::assert_condition): Add overload comparing a pair of
>         const svalue *.
>         * sm-file.cc: Include "tristate.h", "selftest.h",
>         "analyzer/call-string.h", "analyzer/program-point.h",
>         "analyzer/store.h", and "analyzer/region-model.h".
>         (fileptr_state_machine::get_default_state): New.
>         (fileptr_state_machine::on_stmt): Remove calls to
>         get_readable_tree in favor of get_diagnostic_tree.
>         * sm-malloc.cc: Include "tristate.h", "selftest.h",
>         "analyzer/call-string.h", "analyzer/program-point.h",
>         "analyzer/store.h", and "analyzer/region-model.h".
>         (malloc_state_machine::get_default_state): New.
>         (malloc_state_machine::reset_when_passed_to_unknown_fn_p): New.
>         (malloc_diagnostic::describe_state_change): Handle change.m_expr
>         being NULL.
>         (null_arg::emit): Avoid printing "NULL '0'".
>         (null_arg::describe_final_event): Avoid printing "(0) NULL".
>         (malloc_leak::emit): Handle m_arg being NULL.
>         (malloc_leak::describe_final_event): Handle ev.m_expr being NULL.
>         (malloc_state_machine::on_stmt): Don't call get_readable_tree.
>         Call get_diagnostic_tree when creating pending diagnostics.
>         Update for is_zero_assignment becoming a member function of
>         sm_ctxt.
>         Don't transition to m_non_heap for ADDR_EXPR(MEM_REF()).
>         (malloc_state_machine::reset_when_passed_to_unknown_fn_p): New
>         vfunc implementation.
>         * sm-sensitive.cc (sensitive_state_machine::warn_for_any_exposure): Call
>         get_diagnostic_tree and pass the result to warn_for_state.
>         * sm-signal.cc: Move includes of "analyzer/call-string.h" and
>         "analyzer/program-point.h" to before "analyzer/region-model.h",
>         and also include "analyzer/store.h" before it.
>         (signal_unsafe_call::describe_state_change): Use
>         get_dest_function to get handler.
>         (update_model_for_signal_handler): Pass manager to region_model
>         ctor.
>         (register_signal_handler::impl_transition): Update for changes to
>         get_or_create_node and add_edge.
>         * sm-taint.cc (taint_state_machine::on_stmt): Remove calls to
>         get_readable_tree, replacing them when calling warn_for_state with
>         calls to get_diagnostic_tree.
>         * sm.cc (is_zero_assignment): Delete.
>         (any_pointer_p): Move to within namespace ana.
>         * sm.h (is_zero_assignment): Remove decl.
>         (any_pointer_p): Move decl to within namespace ana.
>         (state_machine::get_default_state): New vfunc.
>         (state_machine::reset_when_passed_to_unknown_fn_p): New vfunc.
>         (sm_context::get_readable_tree): Rename to...
>         (sm_context::get_diagnostic_tree): ...this.
>         (sm_context::is_zero_assignment): New vfunc.
>         * store.cc: New file.
>         * store.h: New file.
>         * svalue.cc: New file.
>
> gcc/testsuite/ChangeLog:
>         PR analyzer/93032
>         PR analyzer/93938
>         PR analyzer/94011
>         PR analyzer/94099
>         PR analyzer/94399
>         PR analyzer/94458
>         PR analyzer/94503
>         PR analyzer/94640
>         PR analyzer/94688
>         PR analyzer/94689
>         PR analyzer/94839
>         PR analyzer/95026
>         PR analyzer/95042
>         PR analyzer/95240
>         * g++.dg/analyzer/pr93212.C: Add dg-warning for dangling
>         reference.
>         * g++.dg/analyzer/pr93950.C: Remove xfail.
>         * g++.dg/analyzer/pr94011.C: New test.
>         * g++.dg/analyzer/pr94028.C: Remove leak false positives; mark as
>         failing on C++98.
>         * g++.dg/analyzer/pr94503.C: New test.
>         * g++.dg/analyzer/pr95042.C: New test.
>         * gcc.dg/analyzer/CVE-2005-1689-dedupe-issue-2.c: New test.
>         * gcc.dg/analyzer/CVE-2005-1689-dedupe-issue.c: Add xfail.
>         * gcc.dg/analyzer/CVE-2005-1689-minimal.c:
>         Include "analyzer-decls.h".
>         (test_4, test_5, test_6, test_7, test_8): New tests.
>         * gcc.dg/analyzer/abs-1.c: New test.
>         * gcc.dg/analyzer/aliasing-1.c: New test.
>         * gcc.dg/analyzer/aliasing-2.c: New test.
>         * gcc.dg/analyzer/analyzer-decls.h (__analyzer_describe): New
>         decl.
>         (__analyzer_dump_num_heap_regions): Remove.
>         * gcc.dg/analyzer/attribute-nonnull.c: Add dg-warnings for cases
>         where NULL is directly used as an argument.
>         * gcc.dg/analyzer/bzero-1.c: New test.
>         * gcc.dg/analyzer/casts-1.c: New test.
>         * gcc.dg/analyzer/casts-2.c: New test.
>         * gcc.dg/analyzer/compound-assignment-1.c
>         (test_4): Remove xfail from leak false positive.
>         (called_by_test_5a): Add "allocated here" expected message.
>         (called_by_test_5b): Make expected leak message more precise.
>         * gcc.dg/analyzer/compound-assignment-3.c: Update expected leak
>         message.
>         * gcc.dg/analyzer/compound-assignment-4.c: New test.
>         * gcc.dg/analyzer/compound-assignment-5.c: New test.
>         * gcc.dg/analyzer/conditionals-notrans.c: Remove xfails.
>         * gcc.dg/analyzer/data-model-1.c (test_12d): Update expected
>         results.
>         (test_13): Remove xfail.
>         (test_14): Remove xfail.
>         (test_15): Remove xfail.
>         (test_16): Remove xfails.  Add out-of-bounds access.
>         (test_16_alt): Remove xfails.
>         (test_23): Remove xfail.
>         (test_24): Remove xfail.
>         (test_25): Remove xfail.
>         (test_26): Update expected result.  Remove xfail.  Add xfail.
>         (test_27): Remove xfails.
>         (test_29): Add __analyzer_eval pointer comparisons.
>         (test_41): Generalize expected output for u.ptr comparison with
>         NULL for targets where this could be known to be false.
>         (test_42): Remove xfail.
>         (test_51): Remove xfails.
>         * gcc.dg/analyzer/data-model-13.c: Update for improvements to
>         source location and wording of leak message.
>         * gcc.dg/analyzer/data-model-14.c: Remove -fanalyzer-fine-grained.
>         (test_1): Update for improvement to expected message.
>         (test_2): Remove xfail.
>         * gcc.dg/analyzer/data-model-18.c: Remove xfail.
>         * gcc.dg/analyzer/data-model-20.c: New test.
>         * gcc.dg/analyzer/data-model-5.c: Add dg-warning for deref of
>         NULL.  Add xfailing false leak.
>         * gcc.dg/analyzer/data-model-5b.c: Add xfailing false leak.
>         * gcc.dg/analyzer/data-model-5c.c: Update xfailing false leak.
>         * gcc.dg/analyzer/data-model-5d.c: Reimplement.
>         * gcc.dg/analyzer/data-model-6.c: Delete test.
>         * gcc.dg/analyzer/data-model-8.c: Remove xfail.
>         * gcc.dg/analyzer/describe-1.c: New test.
>         * gcc.dg/analyzer/dot-output.c: Remove xfail.
>         * gcc.dg/analyzer/explode-1.c: Add expected leak warning.
>         * gcc.dg/analyzer/explode-2.c: Add expected leak warnings.  Mark
>         double-free warnings as xfail for now.
>         * gcc.dg/analyzer/feasibility-1.c: New test.
>         * gcc.dg/analyzer/first-field-1.c: New test.
>         * gcc.dg/analyzer/first-field-2.c: New test.
>         * gcc.dg/analyzer/init.c: New test.
>         * gcc.dg/analyzer/leak-2.c: New test.
>         * gcc.dg/analyzer/loop-0-up-to-n-by-1-with-iter-obj.c: New test.
>         * gcc.dg/analyzer/loop-0-up-to-n-by-1.c: New test.
>         * gcc.dg/analyzer/loop-2a.c: Update expected behavior.
>         * gcc.dg/analyzer/loop-3.c: Mark use-after-free as xfail.  Add
>         expected warning about deref of unchecked pointer.
>         * gcc.dg/analyzer/loop-4.c: Remove -fno-analyzer-state-purge.
>         Update expected behavior.
>         * gcc.dg/analyzer/loop-n-down-to-1-by-1.c: New test.
>         * gcc.dg/analyzer/loop-start-down-to-end-by-1.c: New test.
>         * gcc.dg/analyzer/loop-start-down-to-end-by-step.c: New test.
>         * gcc.dg/analyzer/loop-start-to-end-by-step.c: New test.
>         * gcc.dg/analyzer/loop-start-up-to-end-by-1.c: New test.
>         * gcc.dg/analyzer/loop.c: Remove -fno-analyzer-state-purge.
>         Update expected behavior.
>         * gcc.dg/analyzer/malloc-1.c: Remove xfails from leak false
>         positives.  Update expected wording of global_link.m_ptr leak.
>         (test_49): New test.
>         * gcc.dg/analyzer/malloc-4.c: Remove leak false positive.  Update
>         expected wording of leak warning.
>         * gcc.dg/analyzer/malloc-in-loop.c: New test.
>         * gcc.dg/analyzer/malloc-ipa-8-double-free.c: Update expected path
>         to show call to wrapped_malloc.
>         * gcc.dg/analyzer/malloc-ipa-8-unchecked.c: Remove
>         -fanalyzer-verbose-state-changes.
>         * gcc.dg/analyzer/malloc-paths-9.c: Remove comment about duplicate
>         warnings.  Remove duplicate use-after-free paths.
>         * gcc.dg/analyzer/malloc-vs-local-1a.c: Add dg-warning for deref
>         of unchecked pointer.  Update expected number of enodes.
>         * gcc.dg/analyzer/malloc-vs-local-2.c: Likewise.
>         * gcc.dg/analyzer/malloc-vs-local-3.c: Add dg-warning for deref of
>         unchecked pointer.  Update expected number of enodes.  Avoid
>         overspecifying the leak message.
>         * gcc.dg/analyzer/memset-1.c: New test.
>         * gcc.dg/analyzer/paths-3.c: Update expected number of enodes.
>         * gcc.dg/analyzer/paths-4.c: Likewise.
>         * gcc.dg/analyzer/paths-6.c: Likewise.
>         * gcc.dg/analyzer/paths-7.c: Likewise.
>         * gcc.dg/analyzer/pr93032-mztools-simplified.c: New test.
>         * gcc.dg/analyzer/pr93032-mztools.c: New test.
>         * gcc.dg/analyzer/pr93382.c: Mark taint tests as failing.
>         * gcc.dg/analyzer/pr93938.c: New test.
>         * gcc.dg/analyzer/pr94099.c: Replace uninit dg-warning with
>         dg-warning for NULL dereference.
>         * gcc.dg/analyzer/pr94399.c: New test.
>         * gcc.dg/analyzer/pr94447.c: Add dg-warning for NULL dereference.
>         * gcc.dg/analyzer/pr94458.c: New test.
>         * gcc.dg/analyzer/pr94640.c: New test.
>         * gcc.dg/analyzer/pr94688.c: New test.
>         * gcc.dg/analyzer/pr94689.c: New test.
>         * gcc.dg/analyzer/pr94839.c: New test.
>         * gcc.dg/analyzer/pr95026.c: New test.
>         * gcc.dg/analyzer/pr95240.c: New test.
>         * gcc.dg/analyzer/refcounting-1.c: New test.
>         * gcc.dg/analyzer/single-field.c: New test.
>         * gcc.dg/analyzer/stale-frame-1.c: New test.
>         * gcc.dg/analyzer/symbolic-1.c: New test.
>         * gcc.dg/analyzer/symbolic-2.c: New test.
>         * gcc.dg/analyzer/symbolic-3.c: New test.
>         * gcc.dg/analyzer/symbolic-4.c: New test.
>         * gcc.dg/analyzer/symbolic-5.c: New test.
>         * gcc.dg/analyzer/symbolic-6.c: New test.
>         * gcc.dg/analyzer/taint-1.c: Mark the "gets unchecked value"
>         events as failing for now.  Update dg-message directives to avoid
>         relying on numbering.
>         * gcc.dg/analyzer/torture/loop-inc-ptr-1.c: New test.
>         * gcc.dg/analyzer/torture/loop-inc-ptr-2.c: New test.
>         * gcc.dg/analyzer/torture/loop-inc-ptr-3.c: New test.
>         * gcc.dg/analyzer/unknown-fns-2.c: New test.
>         * gcc.dg/analyzer/unknown-fns-3.c: New test.
>         * gcc.dg/analyzer/unknown-fns-4.c: New test.
>         * gcc.dg/analyzer/unknown-fns.c: Update dg-warning to reflect fixed
>         source location for leak diagnostic.
>         * gcc.dg/analyzer/use-after-free.c: New test.
>         * gcc.dg/analyzer/vla-1.c: New test.
>         * gcc.dg/analyzer/zlib-4.c: Rewrite to avoid "exit" calls.  Add
>         expected leak warnings.
>         * gfortran.dg/analyzer/pr93993.f90: Remove leak of tm warning,
>         which seems to have been a false positive.
> ---
>  gcc/Makefile.in                               |    8 +-
>  gcc/analyzer/analyzer-logging.cc              |    8 +-
>  gcc/analyzer/analyzer-logging.h               |    2 +
>  gcc/analyzer/analyzer-selftests.cc            |    1 +
>  gcc/analyzer/analyzer-selftests.h             |    1 +
>  gcc/analyzer/analyzer.cc                      |   30 +
>  gcc/analyzer/analyzer.h                       |  192 +-
>  gcc/analyzer/analyzer.opt                     |    8 +
>  gcc/analyzer/call-string.cc                   |    2 +
>  gcc/analyzer/checker-path.cc                  |   52 +-
>  gcc/analyzer/checker-path.h                   |   12 +-
>  gcc/analyzer/constraint-manager.cc            | 1226 ++-
>  gcc/analyzer/constraint-manager.h             |  113 +-
>  gcc/analyzer/diagnostic-manager.cc            |  451 +-
>  gcc/analyzer/diagnostic-manager.h             |   20 +-
>  gcc/analyzer/engine.cc                        |  790 +-
>  gcc/analyzer/exploded-graph.h                 |   55 +-
>  gcc/analyzer/program-point.cc                 |   61 +
>  gcc/analyzer/program-point.h                  |   52 +-
>  gcc/analyzer/program-state.cc                 | 1271 +--
>  gcc/analyzer/program-state.h                  |  240 +-
>  gcc/analyzer/region-model-impl-calls.cc       |  352 +
>  gcc/analyzer/region-model-manager.cc          | 1088 ++
>  gcc/analyzer/region-model-reachability.cc     |  280 +
>  gcc/analyzer/region-model-reachability.h      |  117 +
>  gcc/analyzer/region-model.cc                  | 8931 +++++------------
>  gcc/analyzer/region-model.h                   | 3140 +++---
>  gcc/analyzer/region.cc                        | 1064 ++
>  gcc/analyzer/sm-file.cc                       |   26 +-
>  gcc/analyzer/sm-malloc.cc                     |  164 +-
>  gcc/analyzer/sm-sensitive.cc                  |    3 +-
>  gcc/analyzer/sm-signal.cc                     |   15 +-
>  gcc/analyzer/sm-taint.cc                      |    9 +-
>  gcc/analyzer/sm.cc                            |   21 +-
>  gcc/analyzer/sm.h                             |   35 +-
>  gcc/analyzer/store.cc                         | 2008 ++++
>  gcc/analyzer/store.h                          |  613 ++
>  gcc/analyzer/svalue.cc                        | 1004 ++
>  gcc/doc/analyzer.texi                         |  110 +-
>  gcc/testsuite/g++.dg/analyzer/pr93212.C       |    5 +-
>  gcc/testsuite/g++.dg/analyzer/pr93950.C       |    4 +-
>  gcc/testsuite/g++.dg/analyzer/pr94011.C       |   16 +
>  gcc/testsuite/g++.dg/analyzer/pr94028.C       |    4 +-
>  gcc/testsuite/g++.dg/analyzer/pr94503.C       |   25 +
>  gcc/testsuite/g++.dg/analyzer/pr95042.C       |   28 +
>  .../analyzer/CVE-2005-1689-dedupe-issue-2.c   |   30 +
>  .../analyzer/CVE-2005-1689-dedupe-issue.c     |    2 +-
>  .../gcc.dg/analyzer/CVE-2005-1689-minimal.c   |   61 +
>  gcc/testsuite/gcc.dg/analyzer/abs-1.c         |   22 +
>  gcc/testsuite/gcc.dg/analyzer/aliasing-1.c    |   25 +
>  gcc/testsuite/gcc.dg/analyzer/aliasing-2.c    |   32 +
>  .../gcc.dg/analyzer/analyzer-decls.h          |    7 +-
>  .../gcc.dg/analyzer/attribute-nonnull.c       |   12 +-
>  gcc/testsuite/gcc.dg/analyzer/bzero-1.c       |   11 +
>  gcc/testsuite/gcc.dg/analyzer/casts-1.c       |   49 +
>  gcc/testsuite/gcc.dg/analyzer/casts-2.c       |   15 +
>  .../gcc.dg/analyzer/compound-assignment-1.c   |    9 +-
>  .../gcc.dg/analyzer/compound-assignment-3.c   |    2 +-
>  .../gcc.dg/analyzer/compound-assignment-4.c   |   28 +
>  .../gcc.dg/analyzer/compound-assignment-5.c   |  142 +
>  .../gcc.dg/analyzer/conditionals-notrans.c    |   33 +-
>  gcc/testsuite/gcc.dg/analyzer/data-model-1.c  |   96 +-
>  gcc/testsuite/gcc.dg/analyzer/data-model-13.c |    7 +-
>  gcc/testsuite/gcc.dg/analyzer/data-model-14.c |    9 +-
>  gcc/testsuite/gcc.dg/analyzer/data-model-18.c |    4 +-
>  gcc/testsuite/gcc.dg/analyzer/data-model-20.c |   25 +
>  gcc/testsuite/gcc.dg/analyzer/data-model-5.c  |   13 +-
>  gcc/testsuite/gcc.dg/analyzer/data-model-5b.c |   12 +-
>  gcc/testsuite/gcc.dg/analyzer/data-model-5c.c |   13 +-
>  gcc/testsuite/gcc.dg/analyzer/data-model-5d.c |   61 +-
>  gcc/testsuite/gcc.dg/analyzer/data-model-6.c  |   14 -
>  gcc/testsuite/gcc.dg/analyzer/data-model-8.c  |    3 +-
>  gcc/testsuite/gcc.dg/analyzer/describe-1.c    |   11 +
>  gcc/testsuite/gcc.dg/analyzer/dot-output.c    |    3 +-
>  gcc/testsuite/gcc.dg/analyzer/explode-1.c     |    2 +-
>  gcc/testsuite/gcc.dg/analyzer/explode-2.c     |   16 +-
>  gcc/testsuite/gcc.dg/analyzer/feasibility-1.c |   62 +
>  gcc/testsuite/gcc.dg/analyzer/first-field-1.c |   24 +
>  gcc/testsuite/gcc.dg/analyzer/first-field-2.c |   33 +
>  gcc/testsuite/gcc.dg/analyzer/init.c          |  136 +
>  gcc/testsuite/gcc.dg/analyzer/leak-2.c        |    9 +
>  .../loop-0-up-to-n-by-1-with-iter-obj.c       |   73 +
>  .../gcc.dg/analyzer/loop-0-up-to-n-by-1.c     |   31 +
>  gcc/testsuite/gcc.dg/analyzer/loop-2a.c       |   10 +-
>  gcc/testsuite/gcc.dg/analyzer/loop-3.c        |    7 +-
>  gcc/testsuite/gcc.dg/analyzer/loop-4.c        |   13 +-
>  .../gcc.dg/analyzer/loop-n-down-to-1-by-1.c   |   35 +
>  .../analyzer/loop-start-down-to-end-by-1.c    |   35 +
>  .../analyzer/loop-start-down-to-end-by-step.c |   30 +
>  .../analyzer/loop-start-to-end-by-step.c      |   36 +
>  .../analyzer/loop-start-up-to-end-by-1.c      |   34 +
>  gcc/testsuite/gcc.dg/analyzer/loop.c          |    9 +-
>  gcc/testsuite/gcc.dg/analyzer/malloc-1.c      |   26 +-
>  gcc/testsuite/gcc.dg/analyzer/malloc-4.c      |    4 +-
>  .../gcc.dg/analyzer/malloc-in-loop.c          |   19 +
>  .../analyzer/malloc-ipa-8-double-free.c       |   82 +-
>  .../gcc.dg/analyzer/malloc-ipa-8-unchecked.c  |    6 +-
>  .../gcc.dg/analyzer/malloc-paths-9.c          |   59 +-
>  .../gcc.dg/analyzer/malloc-vs-local-1a.c      |   22 +-
>  .../gcc.dg/analyzer/malloc-vs-local-2.c       |   16 +-
>  .../gcc.dg/analyzer/malloc-vs-local-3.c       |    7 +-
>  gcc/testsuite/gcc.dg/analyzer/memset-1.c      |  100 +
>  gcc/testsuite/gcc.dg/analyzer/paths-3.c       |    4 +-
>  gcc/testsuite/gcc.dg/analyzer/paths-4.c       |   10 +-
>  gcc/testsuite/gcc.dg/analyzer/paths-6.c       |    4 +-
>  gcc/testsuite/gcc.dg/analyzer/paths-7.c       |    3 +-
>  .../analyzer/pr93032-mztools-simplified.c     |   22 +
>  .../gcc.dg/analyzer/pr93032-mztools.c         |  331 +
>  gcc/testsuite/gcc.dg/analyzer/pr93382.c       |    6 +-
>  gcc/testsuite/gcc.dg/analyzer/pr93938.c       |   13 +
>  gcc/testsuite/gcc.dg/analyzer/pr94099.c       |    3 +-
>  gcc/testsuite/gcc.dg/analyzer/pr94399.c       |   13 +
>  gcc/testsuite/gcc.dg/analyzer/pr94447.c       |    2 +-
>  gcc/testsuite/gcc.dg/analyzer/pr94458.c       |   23 +
>  gcc/testsuite/gcc.dg/analyzer/pr94640.c       |   17 +
>  gcc/testsuite/gcc.dg/analyzer/pr94688.c       |    6 +
>  gcc/testsuite/gcc.dg/analyzer/pr94689.c       |    8 +
>  gcc/testsuite/gcc.dg/analyzer/pr94839.c       |   20 +
>  gcc/testsuite/gcc.dg/analyzer/pr95026.c       |   17 +
>  gcc/testsuite/gcc.dg/analyzer/pr95240.c       |   27 +
>  gcc/testsuite/gcc.dg/analyzer/refcounting-1.c |   31 +
>  gcc/testsuite/gcc.dg/analyzer/single-field.c  |   37 +
>  gcc/testsuite/gcc.dg/analyzer/stale-frame-1.c |   15 +
>  gcc/testsuite/gcc.dg/analyzer/symbolic-1.c    |   43 +
>  gcc/testsuite/gcc.dg/analyzer/symbolic-2.c    |   32 +
>  gcc/testsuite/gcc.dg/analyzer/symbolic-3.c    |   12 +
>  gcc/testsuite/gcc.dg/analyzer/symbolic-4.c    |   20 +
>  gcc/testsuite/gcc.dg/analyzer/symbolic-5.c    |   29 +
>  gcc/testsuite/gcc.dg/analyzer/symbolic-6.c    |   24 +
>  gcc/testsuite/gcc.dg/analyzer/taint-1.c       |   22 +-
>  .../gcc.dg/analyzer/torture/loop-inc-ptr-1.c  |   15 +
>  .../gcc.dg/analyzer/torture/loop-inc-ptr-2.c  |   17 +
>  .../gcc.dg/analyzer/torture/loop-inc-ptr-3.c  |   18 +
>  gcc/testsuite/gcc.dg/analyzer/unknown-fns-2.c |  238 +
>  gcc/testsuite/gcc.dg/analyzer/unknown-fns-3.c |   67 +
>  gcc/testsuite/gcc.dg/analyzer/unknown-fns-4.c |   15 +
>  gcc/testsuite/gcc.dg/analyzer/unknown-fns.c   |    8 +-
>  .../gcc.dg/analyzer/use-after-free.c          |   12 +
>  gcc/testsuite/gcc.dg/analyzer/vla-1.c         |   13 +
>  gcc/testsuite/gcc.dg/analyzer/zlib-4.c        |   10 +-
>  .../gfortran.dg/analyzer/pr93993.f90          |    2 +-
>  gcc/tristate.h                                |    2 +
>  142 files changed, 16153 insertions(+), 10402 deletions(-)
>  create mode 100644 gcc/analyzer/region-model-impl-calls.cc
>  create mode 100644 gcc/analyzer/region-model-manager.cc
>  create mode 100644 gcc/analyzer/region-model-reachability.cc
>  create mode 100644 gcc/analyzer/region-model-reachability.h
>  create mode 100644 gcc/analyzer/region.cc
>  create mode 100644 gcc/analyzer/store.cc
>  create mode 100644 gcc/analyzer/store.h
>  create mode 100644 gcc/analyzer/svalue.cc
>  create mode 100644 gcc/testsuite/g++.dg/analyzer/pr94011.C
>  create mode 100644 gcc/testsuite/g++.dg/analyzer/pr94503.C
>  create mode 100644 gcc/testsuite/g++.dg/analyzer/pr95042.C
>  create mode 100644 gcc/testsuite/gcc.dg/analyzer/CVE-2005-1689-dedupe-issue-2.c
>  create mode 100644 gcc/testsuite/gcc.dg/analyzer/abs-1.c
>  create mode 100644 gcc/testsuite/gcc.dg/analyzer/aliasing-1.c
>  create mode 100644 gcc/testsuite/gcc.dg/analyzer/aliasing-2.c
>  create mode 100644 gcc/testsuite/gcc.dg/analyzer/bzero-1.c
>  create mode 100644 gcc/testsuite/gcc.dg/analyzer/casts-1.c
>  create mode 100644 gcc/testsuite/gcc.dg/analyzer/casts-2.c
>  create mode 100644 gcc/testsuite/gcc.dg/analyzer/compound-assignment-4.c
>  create mode 100644 gcc/testsuite/gcc.dg/analyzer/compound-assignment-5.c
>  create mode 100644 gcc/testsuite/gcc.dg/analyzer/data-model-20.c
>  delete mode 100644 gcc/testsuite/gcc.dg/analyzer/data-model-6.c
>  create mode 100644 gcc/testsuite/gcc.dg/analyzer/describe-1.c
>  create mode 100644 gcc/testsuite/gcc.dg/analyzer/feasibility-1.c
>  create mode 100644 gcc/testsuite/gcc.dg/analyzer/first-field-1.c
>  create mode 100644 gcc/testsuite/gcc.dg/analyzer/first-field-2.c
>  create mode 100644 gcc/testsuite/gcc.dg/analyzer/init.c
>  create mode 100644 gcc/testsuite/gcc.dg/analyzer/leak-2.c
>  create mode 100644 gcc/testsuite/gcc.dg/analyzer/loop-0-up-to-n-by-1-with-iter-obj.c
>  create mode 100644 gcc/testsuite/gcc.dg/analyzer/loop-0-up-to-n-by-1.c
>  create mode 100644 gcc/testsuite/gcc.dg/analyzer/loop-n-down-to-1-by-1.c
>  create mode 100644 gcc/testsuite/gcc.dg/analyzer/loop-start-down-to-end-by-1.c
>  create mode 100644 gcc/testsuite/gcc.dg/analyzer/loop-start-down-to-end-by-step.c
>  create mode 100644 gcc/testsuite/gcc.dg/analyzer/loop-start-to-end-by-step.c
>  create mode 100644 gcc/testsuite/gcc.dg/analyzer/loop-start-up-to-end-by-1.c
>  create mode 100644 gcc/testsuite/gcc.dg/analyzer/malloc-in-loop.c
>  create mode 100644 gcc/testsuite/gcc.dg/analyzer/memset-1.c
>  create mode 100644 gcc/testsuite/gcc.dg/analyzer/pr93032-mztools-simplified.c
>  create mode 100644 gcc/testsuite/gcc.dg/analyzer/pr93032-mztools.c
>  create mode 100644 gcc/testsuite/gcc.dg/analyzer/pr93938.c
>  create mode 100644 gcc/testsuite/gcc.dg/analyzer/pr94399.c
>  create mode 100644 gcc/testsuite/gcc.dg/analyzer/pr94458.c
>  create mode 100644 gcc/testsuite/gcc.dg/analyzer/pr94640.c
>  create mode 100644 gcc/testsuite/gcc.dg/analyzer/pr94688.c
>  create mode 100644 gcc/testsuite/gcc.dg/analyzer/pr94689.c
>  create mode 100644 gcc/testsuite/gcc.dg/analyzer/pr94839.c
>  create mode 100644 gcc/testsuite/gcc.dg/analyzer/pr95026.c
>  create mode 100644 gcc/testsuite/gcc.dg/analyzer/pr95240.c
>  create mode 100644 gcc/testsuite/gcc.dg/analyzer/refcounting-1.c
>  create mode 100644 gcc/testsuite/gcc.dg/analyzer/single-field.c
>  create mode 100644 gcc/testsuite/gcc.dg/analyzer/stale-frame-1.c
>  create mode 100644 gcc/testsuite/gcc.dg/analyzer/symbolic-1.c
>  create mode 100644 gcc/testsuite/gcc.dg/analyzer/symbolic-2.c
>  create mode 100644 gcc/testsuite/gcc.dg/analyzer/symbolic-3.c
>  create mode 100644 gcc/testsuite/gcc.dg/analyzer/symbolic-4.c
>  create mode 100644 gcc/testsuite/gcc.dg/analyzer/symbolic-5.c
>  create mode 100644 gcc/testsuite/gcc.dg/analyzer/symbolic-6.c
>  create mode 100644 gcc/testsuite/gcc.dg/analyzer/torture/loop-inc-ptr-1.c
>  create mode 100644 gcc/testsuite/gcc.dg/analyzer/torture/loop-inc-ptr-2.c
>  create mode 100644 gcc/testsuite/gcc.dg/analyzer/torture/loop-inc-ptr-3.c
>  create mode 100644 gcc/testsuite/gcc.dg/analyzer/unknown-fns-2.c
>  create mode 100644 gcc/testsuite/gcc.dg/analyzer/unknown-fns-3.c
>  create mode 100644 gcc/testsuite/gcc.dg/analyzer/unknown-fns-4.c
>  create mode 100644 gcc/testsuite/gcc.dg/analyzer/use-after-free.c
>  create mode 100644 gcc/testsuite/gcc.dg/analyzer/vla-1.c
>


* Re: [committed] analyzer: rewrite of region and value-handling
  2020-08-14  7:22 ` Martin Liška
  2020-08-14  7:26   ` Martin Liška
@ 2020-08-14 13:08   ` David Malcolm
  1 sibling, 0 replies; 9+ messages in thread
From: David Malcolm @ 2020-08-14 13:08 UTC (permalink / raw)
  To: Martin Liška, gcc-patches

On Fri, 2020-08-14 at 09:22 +0200, Martin Liška wrote:
> On 8/13/20 10:58 PM, David Malcolm via Gcc-patches wrote:
> > PR analyzer/93032 (missing leak diagnostic for
> > zlib/contrib/minizip/mztools.c)
> > PR analyzer/93938 (ICE in analyzer)
> > PR analyzer/94011 (ICE in analyzer)
> > PR analyzer/94099 (ICE in analyzer)
> > PR analyzer/94399 (leak false positive with
> > __attribute__((cleanup())))
> > PR analyzer/94458 (leak false positive)
> > PR analyzer/94503 (ICE on C++ return-value-optimization)
> > PR analyzer/94640 (leak false positive)
> > PR analyzer/94688 (ICE in analyzer)
> > PR analyzer/94689 ("arrays of functions are not meaningful" error)
> > PR analyzer/94839 (leak false positive)
> > PR analyzer/95026 (leak false positive)
> > PR analyzer/95042 (ICE merging const and non-const C++ object
> > instances)
> > PR analyzer/95240 (leak false positive)
> 
> Hello David.
> 
> Unfortunately, this format is not recognized by gcc-changelog script
> and
> so the corresponding PR entries were not added to the generated
> ChangeLog
> entries. The currently supported regex is:
> 
> pr_regex = re.compile(r'\tPR (?P<component>[a-z+-]+\/)?([0-9]+)$')
> 
> which prevents parsing entries not being standalone.
> Anyway, I updated gcc/analyzer/ChangeLog manually.

Thanks



* Re: [committed] analyzer: rewrite of region and value-handling
  2020-08-14  7:26   ` Martin Liška
@ 2020-08-14 13:28     ` David Malcolm
  0 siblings, 0 replies; 9+ messages in thread
From: David Malcolm @ 2020-08-14 13:28 UTC (permalink / raw)
  To: Martin Liška, gcc-patches

On Fri, 2020-08-14 at 09:26 +0200, Martin Liška wrote:
> On 8/14/20 9:22 AM, Martin Liška wrote:
> > On 8/13/20 10:58 PM, David Malcolm via Gcc-patches wrote:
> > > PR analyzer/93032 (missing leak diagnostic for
> > > zlib/contrib/minizip/mztools.c)
> > > PR analyzer/93938 (ICE in analyzer)
> > > PR analyzer/94011 (ICE in analyzer)
> > > PR analyzer/94099 (ICE in analyzer)
> > > PR analyzer/94399 (leak false positive with
> > > __attribute__((cleanup())))
> > > PR analyzer/94458 (leak false positive)
> > > PR analyzer/94503 (ICE on C++ return-value-optimization)
> > > PR analyzer/94640 (leak false positive)
> > > PR analyzer/94688 (ICE in analyzer)
> > > PR analyzer/94689 ("arrays of functions are not meaningful"
> > > error)
> > > PR analyzer/94839 (leak false positive)
> > > PR analyzer/95026 (leak false positive)
> > > PR analyzer/95042 (ICE merging const and non-const C++ object
> > > instances)
> > > PR analyzer/95240 (leak false positive)
> > 
> > Hello David.
> > 
> > Unfortunately, this format is not recognized by gcc-changelog
> > script and
> > so the corresponding PR entries were not added to the generated
> > ChangeLog
> > entries. The currently supported regex is:
> > 
> > pr_regex = re.compile(r'\tPR (?P<component>[a-z+-]+\/)?([0-9]+)$')
> > 
> > which prevents parsing entries not being standalone.
> > Anyway, I updated gcc/analyzer/ChangeLog manually.
> > 
> > Thanks,
> > Martin

BTW, the entries you quoted above (with their per-bug descriptions) are
in the leading text of the commit message, without indentation, and
they are also in the section labeled "gcc/analyzer/ChangeLog" with TAB
indentation, and without descriptions.

In my initial attempts to push the patch, the latter had the same text
as the former, each line indented with a tab, and it caused the commit
to fail the push hook.

I removed the trailing descriptive text from each
    (TAB)PR analyzer/NNNNN
line in the ChangeLog part of the message, and the hook passed and let
me push the patch.

(I wanted to quote the logs here, but I don't seem to have them
anymore, sadly)

> ... and I bet for similar reasons gcc-bugs emails were not sent to
> various PRs
> mentioned in the commit.

I wondered about that too.  Given that the hook rejected it, and then
accepted the revised version, my theory is that the commit exceeded
some size limit for the bugzilla integration (the "git show --no-patch" 
blurb and ChangeLog from the commit is 1652 lines long and approaching
100k [1])

Looking at the "Daily bump." commit
b3cb56060bcdc1cf4d38aa30b5017b802822f8c0 I see that the ChangeLog
entries did make it into the various ChangeLog files.

Dave

[1] writing the ChangeLog took about 3 days, which part of me resents
as tedious busywork, but I did find and fix several bugs whilst doing
it, including one serious one-liner mistake that significantly
slowed down the code, so there is some merit in poring over a
candidate change line-by-line, I guess.
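
The check discussed in this message, as an added Python example (not the gcc-changelog script itself): it applies the pr_regex quoted in the thread to each line of a constructed commit message and reports which PR lines it recognizes. The function name, the looser pr_like pattern, the sample message and the use of match() on each line are assumptions of this example.

```python
import re

# Pattern quoted in the thread from the gcc-changelog script.
pr_regex = re.compile(r'\tPR (?P<component>[a-z+-]+\/)?([0-9]+)$')

# Same pattern without the end-of-line anchor: used to tell "right prefix,
# extra text afterwards" apart from "wrong prefix" (assumption of this example).
pr_prefix = re.compile(pr_regex.pattern.rstrip('$'))

# Looser pattern (assumption of this example) that finds anything which
# looks like a PR reference, indented or not.
pr_like = re.compile(r'\s*PR\s+(?:[a-z+-]+/)?[0-9]+')


def classify_pr_lines(message):
    """Split the PR-looking lines of MESSAGE into recognized and unrecognized.

    Returns (accepted, unrecognized):
      accepted      -- list of (line number, component or None, bug number)
      unrecognized  -- list of (line number, reason)
    """
    accepted, unrecognized = [], []
    for lineno, line in enumerate(message.splitlines(), 1):
        if not pr_like.match(line):
            continue  # not a PR reference at all
        m = pr_regex.match(line)
        if m:
            component = m.group('component')
            accepted.append(
                (lineno, component.rstrip('/') if component else None,
                 m.group(2)))
        elif pr_prefix.match(line):
            # TAB + "PR component/NNNNN" is there, but '$' fails to match.
            unrecognized.append((lineno, 'trailing text'))
        else:
            unrecognized.append((lineno, 'bad prefix'))
    return accepted, unrecognized


# Constructed sample: un-indented PR lines with descriptions in the leading
# text, then a ChangeLog section with one bare and one annotated PR line.
SAMPLE = (
    "analyzer: rewrite of region and value-handling\n"
    "\n"
    "PR analyzer/93032 (missing leak diagnostic)\n"
    "PR analyzer/94458 (leak false positive)\n"
    "\n"
    "gcc/analyzer/ChangeLog:\n"
    "\tPR analyzer/93032\n"
    "\tPR analyzer/94458 (leak false positive)\n"
    "\t* store.cc: New file.\n"
)

if __name__ == '__main__':
    ok, bad = classify_pr_lines(SAMPLE)
    for lineno, component, number in ok:
        print(f"line {lineno}: recognized PR {component}/{number}")
    for lineno, reason in bad:
        print(f"line {lineno}: not recognized ({reason})")
```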



* Re: [committed] analyzer: rewrite of region and value-handling
  2020-08-14  8:49 ` Christophe Lyon
@ 2020-08-14 20:20   ` David Malcolm
  2020-08-14 22:51     ` [committed] analyzer: fix initialization from constant pool [PR96609, PR96616] David Malcolm
  0 siblings, 1 reply; 9+ messages in thread
From: David Malcolm @ 2020-08-14 20:20 UTC (permalink / raw)
  To: Christophe Lyon; +Cc: gcc-patches

On Fri, 2020-08-14 at 10:49 +0200, Christophe Lyon wrote:
> Hi David,
> 
> 
> On Thu, 13 Aug 2020 at 22:58, David Malcolm via Gcc-patches
> <gcc-patches@gcc.gnu.org> wrote:
> > This large patch reimplements how the analyzer tracks regions and
> > values.

[...]

> > Pushed to master as 808f4dfeb3a95f50f15e71148e5c1067f90a126d.
> > 
> 
> Some of the new tests fail on arm and aarch64.

Sorry about the failures.

The failures were additionally reported as failing on powerpc64 to
bugzilla as PR testsuite/96609 and PR analyzer/96616; those reports
both mentioned the init.c and the pr93032-mztools.c failures.

The init.c failures and the casts-1.c failures on arm seem to be due
to the analyzer not knowing about constant pools.  I'm testing a fix
for that now.

I'll look at the pr93032-mztools.c next.

> 
> HTH
> 
> Christophe

Thanks for the report; sorry for the breakage
Dave



* [committed] analyzer: fix initialization from constant pool [PR96609, PR96616]
  2020-08-14 20:20   ` David Malcolm
@ 2020-08-14 22:51     ` David Malcolm
  2020-08-15 14:16       ` Christophe Lyon
  0 siblings, 1 reply; 9+ messages in thread
From: David Malcolm @ 2020-08-14 22:51 UTC (permalink / raw)
  To: gcc-patches

PR testsuite/96609 and PR analyzer/96616 report various testsuite
failures seen on powerpc64, aarch64, and arm in new tests added by
r11-2694-g808f4dfeb3a95f50f15e71148e5c1067f90a126d.

Some of these failures (in gcc.dg/analyzer/init.c, and on arm
in gcc.dg/analyzer/casts-1.c) relate to initializations from var_decls
in the constant pool.  I wrote the tests assuming that the gimplified
stmts would initialize the locals via a gassign of code CONSTRUCTOR,
whereas on these targets some of the initializations are gassign from
a VAR_DECL e.g.:
  c = *.LC0;
where "*.LC0" is a var_decl with DECL_IN_CONSTANT_POOL set.

For example, in test_7:
   struct coord c[2] = {{3, 4}, {5, 6}};
   __analyzer_eval (c[0].x == 3); /* { dg-warning "TRUE" } */
after the initialization, the store was simply recording:
   cluster for: c: INIT_VAL(*.LC0)
when I was expecting the cluster for c to have:
  cluster for: c
    key:   {kind: direct, start: 0, size: 32, next: 32}
    value: 'int' {(int)3}
    key:   {kind: direct, start: 32, size: 32, next: 64}
    value: 'int' {(int)4}
    key:   {kind: direct, start: 64, size: 32, next: 96}
    value: 'int' {(int)5}
    key:   {kind: direct, start: 96, size: 32, next: 128}
    value: 'int' {(int)6}
The test for c[0].x == 3 would then generate:
  cluster for: _2: (SUB(SUB(INIT_VAL(*.LC0), c[(int)0]), c[(int)0].x)==(int)3)
which is UNKNOWN, leading to the test failing.

This patch fixes the init.c and casts-1.c failures by special-casing
reads from a var_decl with DECL_IN_CONSTANT_POOL set, so that they build
a compound_svalue containing the bindings implied by the CONSTRUCTOR
node for DECL_INITIAL.

Successfully bootstrapped & regrtested on x86_64-pc-linux-gnu.
Manually verified the fixes to init.c and casts-1.c on
aarch64-unknown-linux-gnu, arm-unknown-eabi, and powerpc64-linux-gnu
(-m32 and -m64).

Pushed to master as r11-2708-g2867118ddda9b56d991c16022f7d3d634ed08313.

This doesn't address the bogus -Wanalyzer-too-complex messages
for pr93032-mztools.c reported in the bugs, which seem to be a
separate issue that I'm now investigating.

gcc/analyzer/ChangeLog:
	PR testsuite/96609
	PR analyzer/96616
	* region-model.cc (region_model::get_store_value): Call
	maybe_get_constant_value on decl_regions first.
	* region-model.h (decl_region::maybe_get_constant_value): New decl.
	* region.cc (decl_region::get_stack_depth): Likewise.
	(decl_region::maybe_get_constant_value): New.
	* store.cc (get_subregion_within_ctor): New.
	(binding_map::apply_ctor_to_region): New.
	* store.h (binding_map::apply_ctor_to_region): New decl.
---
 gcc/analyzer/region-model.cc |  5 +++
 gcc/analyzer/region-model.h  |  2 ++
 gcc/analyzer/region.cc       | 27 +++++++++++++++++
 gcc/analyzer/store.cc        | 59 ++++++++++++++++++++++++++++++++++++
 gcc/analyzer/store.h         |  3 ++
 5 files changed, 96 insertions(+)

diff --git a/gcc/analyzer/region-model.cc b/gcc/analyzer/region-model.cc
index 649e20438e4..3c7ea40e8d8 100644
--- a/gcc/analyzer/region-model.cc
+++ b/gcc/analyzer/region-model.cc
@@ -1192,6 +1192,11 @@ region_model::get_rvalue (tree expr, region_model_context *ctxt)
 const svalue *
 region_model::get_store_value (const region *reg) const
 {
+  /* Special-case: handle var_decls in the constant pool.  */
+  if (const decl_region *decl_reg = reg->dyn_cast_decl_region ())
+    if (const svalue *sval = decl_reg->maybe_get_constant_value (m_mgr))
+      return sval;
+
   const svalue *sval
     = m_store.get_any_binding (m_mgr->get_store_manager (), reg);
   if (sval)
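Review bot: in region_model::get_store_value the constant-pool check now runs ahead of m_store.get_any_binding, so for a qualifying decl_region a binding already present in the store is never consulted, and the comment does not say why that ordering is safe. Either extend the comment to state the invariant being relied on (for example that nothing ever binds a value to a DECL_IN_CONSTANT_POOL decl), or do the store lookup first and fall back to maybe_get_constant_value only when it finds nothing.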
diff --git a/gcc/analyzer/region-model.h b/gcc/analyzer/region-model.h
index 33aa3461611..3d044bf8d6c 100644
--- a/gcc/analyzer/region-model.h
+++ b/gcc/analyzer/region-model.h
@@ -1869,6 +1869,8 @@ public:
   tree get_decl () const { return m_decl; }
   int get_stack_depth () const;
 
+  const svalue *maybe_get_constant_value (region_model_manager *mgr) const;
+
 private:
   tree m_decl;
 };
diff --git a/gcc/analyzer/region.cc b/gcc/analyzer/region.cc
index f3f577c43de..afe416b001b 100644
--- a/gcc/analyzer/region.cc
+++ b/gcc/analyzer/region.cc
@@ -874,6 +874,33 @@ decl_region::get_stack_depth () const
   return 0;
 }
 
+/* If the underlying decl is in the global constant pool,
+   return an svalue representing the constant value.
+   Otherwise return NULL.  */
+
+const svalue *
+decl_region::maybe_get_constant_value (region_model_manager *mgr) const
+{
+  if (TREE_CODE (m_decl) == VAR_DECL
+      && DECL_IN_CONSTANT_POOL (m_decl)
+      && DECL_INITIAL (m_decl)
+      && TREE_CODE (DECL_INITIAL (m_decl)) == CONSTRUCTOR)
+    {
+      tree ctor = DECL_INITIAL (m_decl);
+      gcc_assert (!TREE_CLOBBER_P (ctor));
+
+      /* Create a binding map, applying ctor to it, using this
+	 decl_region as the base region when building child regions
+	 for offset calculations.  */
+      binding_map map;
+      map.apply_ctor_to_region (this, ctor, mgr);
+
+      /* Return a compound svalue for the map we built.  */
+      return mgr->get_or_create_compound_svalue (get_type (), map);
+    }
+  return NULL;
+}
+
 /* class field_region : public region.  */
 
 /* Implementation of region::dump_to_pp vfunc for field_region.  */
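Review bot: gcc_assert (!TREE_CLOBBER_P (ctor)) in decl_region::maybe_get_constant_value turns an input the function could decline into an internal compiler error, although its leading comment promises NULL for anything it does not handle. Move the test into the if condition, next to the TREE_CODE (DECL_INITIAL (m_decl)) == CONSTRUCTOR check, so that a clobber falls through to return NULL.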
diff --git a/gcc/analyzer/store.cc b/gcc/analyzer/store.cc
index 950a7784542..232920019e0 100644
--- a/gcc/analyzer/store.cc
+++ b/gcc/analyzer/store.cc
@@ -366,6 +366,65 @@ binding_map::dump (bool simple) const
   pp_flush (&pp);
 }
 
+/* Get the child region of PARENT_REG based upon INDEX within a
+   CONSTRUCTOR.   */
+
+static const region *
+get_subregion_within_ctor (const region *parent_reg, tree index,
+			   region_model_manager *mgr)
+{
+  switch (TREE_CODE (index))
+    {
+    default:
+      gcc_unreachable ();
+    case INTEGER_CST:
+      {
+	const svalue *index_sval
+	  = mgr->get_or_create_constant_svalue (index);
+	return mgr->get_element_region (parent_reg,
+					TREE_TYPE (parent_reg->get_type ()),
+					index_sval);
+      }
+      break;
+    case FIELD_DECL:
+      return mgr->get_field_region (parent_reg, index);
+    }
+}
+
+/* Bind values from CONSTRUCTOR to this map, relative to
+   PARENT_REG's relationship to its base region.  */
+
+void
+binding_map::apply_ctor_to_region (const region *parent_reg, tree ctor,
+				   region_model_manager *mgr)
+{
+  gcc_assert (parent_reg);
+  gcc_assert (TREE_CODE (ctor) == CONSTRUCTOR);
+  gcc_assert (!CONSTRUCTOR_NO_CLEARING (ctor));
+
+  unsigned ix;
+  tree index;
+  tree val;
+  FOR_EACH_CONSTRUCTOR_ELT (CONSTRUCTOR_ELTS (ctor), ix, index, val)
+    {
+      if (!index)
+	index = build_int_cst (integer_type_node, ix);
+      const region *child_reg
+	= get_subregion_within_ctor (parent_reg, index, mgr);
+      if (TREE_CODE (val) == CONSTRUCTOR)
+	apply_ctor_to_region (child_reg, val, mgr);
+      else
+	{
+	  gcc_assert (CONSTANT_CLASS_P (val));
+	  const svalue *cst_sval = mgr->get_or_create_constant_svalue (val);
+	  const binding_key *k
+	    = binding_key::make (mgr->get_store_manager (), child_reg,
+				 BK_direct);
+	  put (k, cst_sval);
+	}
+    }
+}
+
 /* class binding_cluster.  */
 
 /* binding_cluster's copy ctor.  */
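Review bot: get_subregion_within_ctor and binding_map::apply_ctor_to_region assert on the constructor's shape instead of reporting failure: any index that is not an INTEGER_CST or FIELD_DECL (a RANGE_EXPR, for instance) reaches gcc_unreachable (), and any leaf value that is not CONSTANT_CLASS_P (an ADDR_EXPR, for instance) trips the gcc_assert. Because the caller is a maybe_ function that is allowed to return NULL, have apply_ctor_to_region return bool, return false in those cases, and let maybe_get_constant_value return NULL when it does. The break after the return in the INTEGER_CST case is dead code and can go.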
diff --git a/gcc/analyzer/store.h b/gcc/analyzer/store.h
index 4f251d6420f..16bad030b36 100644
--- a/gcc/analyzer/store.h
+++ b/gcc/analyzer/store.h
@@ -340,6 +340,9 @@ public:
   void dump_to_pp (pretty_printer *pp, bool simple, bool multiline) const;
   void dump (bool simple) const;
 
+  void apply_ctor_to_region (const region *parent_reg, tree ctor,
+			     region_model_manager *mgr);
+
 private:
   map_t m_map;
 };
-- 
2.26.2
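
The binding layout expected in the commit message above, as an added toy model in Python (not the analyzer's C++ code): it flattens the nested initializer for struct coord c[2] into bit-offset bindings and shows why a store that holds only an opaque initial value evaluates c[0].x == 3 as UNKNOWN. The class and function names, the 32-bit int and the padding-free struct layout are assumptions of this example.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Int:
    bits: int = 32          # assumption: 32-bit int, as in the quoted dump


@dataclass(frozen=True)
class Struct:
    fields: tuple           # ((name, type), ...), no padding (assumption)


@dataclass(frozen=True)
class Array:
    elem: object
    count: int


def size_bits(t):
    """Size of type T in bits."""
    if isinstance(t, Int):
        return t.bits
    if isinstance(t, Struct):
        return sum(size_bits(ft) for _, ft in t.fields)
    return size_bits(t.elem) * t.count


def subregion(t, index):
    """Return (bit offset within T, child type) for an element or field.

    An int index selects an array element, a str index selects a field;
    any other combination is rejected.
    """
    if isinstance(t, Array) and isinstance(index, int):
        if not 0 <= index < t.count:
            raise IndexError(index)
        return index * size_bits(t.elem), t.elem
    if isinstance(t, Struct) and isinstance(index, str):
        off = 0
        for name, ft in t.fields:
            if name == index:
                return off, ft
            off += size_bits(ft)
    raise TypeError(f"unsupported index {index!r} for {t!r}")


def apply_ctor(t, ctor, base=0, bindings=None):
    """Flatten a nested initializer into {start bit: (size, value)}.

    CTOR is a list of (index, value) pairs; an index of None means "use the
    position in the list", and a value is an int or a nested list.
    """
    if bindings is None:
        bindings = {}
    for pos, (index, val) in enumerate(ctor):
        if index is None:
            index = pos
        off, child_t = subregion(t, index)
        if isinstance(val, list):
            apply_ctor(child_t, val, base + off, bindings)   # nested ctor
        else:
            bindings[base + off] = (size_bits(child_t), val)  # leaf constant
    return bindings


def dump(bindings):
    """Bindings as sorted (start, size, next, value) tuples."""
    return [(s, n, s + n, v) for s, (n, v) in sorted(bindings.items())]


def eval_eq(t, bindings, path, expected):
    """Evaluate '<path> == expected' against BINDINGS: TRUE/FALSE/UNKNOWN."""
    off = 0
    for index in path:
        step, t = subregion(t, index)
        off += step
    hit = bindings.get(off)
    if hit is None or hit[0] != size_bits(t):
        return "UNKNOWN"      # nothing bound at that offset and size
    return "TRUE" if hit[1] == expected else "FALSE"


COORD = Struct((("x", Int()), ("y", Int())))
C_TYPE = Array(COORD, 2)
# struct coord c[2] = {{3, 4}, {5, 6}};
C_INIT = [(None, [("x", 3), ("y", 4)]), (None, [("x", 5), ("y", 6)])]

if __name__ == '__main__':
    flattened = apply_ctor(C_TYPE, C_INIT)
    for row in dump(flattened):
        print("start=%d size=%d next=%d value=%d" % row)
    print("opaque store:   ", eval_eq(C_TYPE, {}, [0, "x"], 3))
    print("flattened store:", eval_eq(C_TYPE, flattened, [0, "x"], 3))
```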



* Re: [committed] analyzer: fix initialization from constant pool [PR96609, PR96616]
  2020-08-14 22:51     ` [committed] analyzer: fix initialization from constant pool [PR96609, PR96616] David Malcolm
@ 2020-08-15 14:16       ` Christophe Lyon
  0 siblings, 0 replies; 9+ messages in thread
From: Christophe Lyon @ 2020-08-15 14:16 UTC (permalink / raw)
  To: David Malcolm; +Cc: gcc Patches

On Sat, 15 Aug 2020 at 00:52, David Malcolm <dmalcolm@redhat.com> wrote:
>
> PR testsuite/96609 and PR analyzer/96616 report various testsuite
> failures seen on powerpc64, aarch64, and arm in new tests added by
> r11-2694-g808f4dfeb3a95f50f15e71148e5c1067f90a126d.
>
> Some of these failures (in gcc.dg/analyzer/init.c, and on arm
> in gcc.dg/analyzer/casts-1.c) relate to initializations from var_decls
> in the constant pool.  I wrote the tests assuming that the gimplified
> stmts would initialize the locals via a gassign of code CONSTRUCTOR,
> whereas on these targets some of the initializations are gassign from
> a VAR_DECL e.g.:
>   c = *.LC0;
> where "*.LC0" is a var_decl with DECL_IN_CONSTANT_POOL set.
>
> For example, in test_7:
>    struct coord c[2] = {{3, 4}, {5, 6}};
>    __analyzer_eval (c[0].x == 3); /* { dg-warning "TRUE" } */
> after the initialization, the store was simply recording:
>    cluster for: c: INIT_VAL(*.LC0)
> when I was expecting the cluster for c to have:
>   cluster for: c
>     key:   {kind: direct, start: 0, size: 32, next: 32}
>     value: 'int' {(int)3}
>     key:   {kind: direct, start: 32, size: 32, next: 64}
>     value: 'int' {(int)4}
>     key:   {kind: direct, start: 64, size: 32, next: 96}
>     value: 'int' {(int)5}
>     key:   {kind: direct, start: 96, size: 32, next: 128}
>     value: 'int' {(int)6}
> The test for c[0].x == 3 would then generate:
>   cluster for: _2: (SUB(SUB(INIT_VAL(*.LC0), c[(int)0]), c[(int)0].x)==(int)3)
> which is UNKNOWN, leading to the test failing.
>
> This patch fixes the init.c and casts-1.c failures by special-casing
> reads from a var_decl with DECL_IN_CONSTANT_POOL set, so that they build
> a compound_svalue containing the bindings implied by the CONSTRUCTOR
> node for DECL_INITIAL.
>
> Successfully bootstrapped & regrtested on x86_64-pc-linux-gnu.
> Manually verified the fixes to init.c and casts-1.c on
> aarch64-unknown-linux-gnu, arm-unknown-eabi, and powerpc64-linux-gnu
> (-m32 and -m64).
>
> Pushed to master as r11-2708-g2867118ddda9b56d991c16022f7d3d634ed08313.
>

Hi David,

Thanks for fixing this.

However, this patch is causing 2 ICEs on arm:
    gcc.dg/analyzer/data-model-1.c (internal compiler error)
    gcc.dg/analyzer/pr94639.c (internal compiler error)

Christophe

> This doesn't address the bogus -Wanalyzer-too-complex messages
> for pr93032-mztools.c reported in the bugs, which seem to be a
> separate issue that I'm now investigating.
>
> gcc/analyzer/ChangeLog:
>         PR testsuite/96609
>         PR analyzer/96616
>         * region-model.cc (region_model::get_store_value): Call
>         maybe_get_constant_value on decl_regions first.
>         * region-model.h (decl_region::maybe_get_constant_value): New decl.
>         * region.cc (decl_region::get_stack_depth): Likewise.
>         (decl_region::maybe_get_constant_value): New.
>         * store.cc (get_subregion_within_ctor): New.
>         (binding_map::apply_ctor_to_region): New.
>         * store.h (binding_map::apply_ctor_to_region): New decl.
> ---
>  gcc/analyzer/region-model.cc |  5 +++
>  gcc/analyzer/region-model.h  |  2 ++
>  gcc/analyzer/region.cc       | 27 +++++++++++++++++
>  gcc/analyzer/store.cc        | 59 ++++++++++++++++++++++++++++++++++++
>  gcc/analyzer/store.h         |  3 ++
>  5 files changed, 96 insertions(+)
>
> diff --git a/gcc/analyzer/region-model.cc b/gcc/analyzer/region-model.cc
> index 649e20438e4..3c7ea40e8d8 100644
> --- a/gcc/analyzer/region-model.cc
> +++ b/gcc/analyzer/region-model.cc
> @@ -1192,6 +1192,11 @@ region_model::get_rvalue (tree expr, region_model_context *ctxt)
>  const svalue *
>  region_model::get_store_value (const region *reg) const
>  {
> +  /* Special-case: handle var_decls in the constant pool.  */
> +  if (const decl_region *decl_reg = reg->dyn_cast_decl_region ())
> +    if (const svalue *sval = decl_reg->maybe_get_constant_value (m_mgr))
> +      return sval;
> +
>    const svalue *sval
>      = m_store.get_any_binding (m_mgr->get_store_manager (), reg);
>    if (sval)
> diff --git a/gcc/analyzer/region-model.h b/gcc/analyzer/region-model.h
> index 33aa3461611..3d044bf8d6c 100644
> --- a/gcc/analyzer/region-model.h
> +++ b/gcc/analyzer/region-model.h
> @@ -1869,6 +1869,8 @@ public:
>    tree get_decl () const { return m_decl; }
>    int get_stack_depth () const;
>
> +  const svalue *maybe_get_constant_value (region_model_manager *mgr) const;
> +
>  private:
>    tree m_decl;
>  };
> diff --git a/gcc/analyzer/region.cc b/gcc/analyzer/region.cc
> index f3f577c43de..afe416b001b 100644
> --- a/gcc/analyzer/region.cc
> +++ b/gcc/analyzer/region.cc
> @@ -874,6 +874,33 @@ decl_region::get_stack_depth () const
>    return 0;
>  }
>
> +/* If the underlying decl is in the global constant pool,
> +   return an svalue representing the constant value.
> +   Otherwise return NULL.  */
> +
> +const svalue *
> +decl_region::maybe_get_constant_value (region_model_manager *mgr) const
> +{
> +  if (TREE_CODE (m_decl) == VAR_DECL
> +      && DECL_IN_CONSTANT_POOL (m_decl)
> +      && DECL_INITIAL (m_decl)
> +      && TREE_CODE (DECL_INITIAL (m_decl)) == CONSTRUCTOR)
> +    {
> +      tree ctor = DECL_INITIAL (m_decl);
> +      gcc_assert (!TREE_CLOBBER_P (ctor));
> +
> +      /* Create a binding map, applying ctor to it, using this
> +        decl_region as the base region when building child regions
> +        for offset calculations.  */
> +      binding_map map;
> +      map.apply_ctor_to_region (this, ctor, mgr);
> +
> +      /* Return a compound svalue for the map we built.  */
> +      return mgr->get_or_create_compound_svalue (get_type (), map);
> +    }
> +  return NULL;
> +}
> +
>  /* class field_region : public region.  */
>
>  /* Implementation of region::dump_to_pp vfunc for field_region.  */
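Review bot: maybe_get_constant_value builds a new binding_map and walks the whole of DECL_INITIAL on every call, and the get_store_value hunk calls it for each read of a decl_region. For a constant-pool decl that is read repeatedly the constructor is flattened again each time; consider caching the compound svalue per decl (in the region_model_manager, say) so that the walk happens once.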
> diff --git a/gcc/analyzer/store.cc b/gcc/analyzer/store.cc
> index 950a7784542..232920019e0 100644
> --- a/gcc/analyzer/store.cc
> +++ b/gcc/analyzer/store.cc
> @@ -366,6 +366,65 @@ binding_map::dump (bool simple) const
>    pp_flush (&pp);
>  }
>
> +/* Get the child region of PARENT_REG based upon INDEX within a
> +   CONSTRUCTOR.   */
> +
> +static const region *
> +get_subregion_within_ctor (const region *parent_reg, tree index,
> +                          region_model_manager *mgr)
> +{
> +  switch (TREE_CODE (index))
> +    {
> +    default:
> +      gcc_unreachable ();
> +    case INTEGER_CST:
> +      {
> +       const svalue *index_sval
> +         = mgr->get_or_create_constant_svalue (index);
> +       return mgr->get_element_region (parent_reg,
> +                                       TREE_TYPE (parent_reg->get_type ()),
> +                                       index_sval);
> +      }
> +      break;
> +    case FIELD_DECL:
> +      return mgr->get_field_region (parent_reg, index);
> +    }
> +}
> +
> +/* Bind values from CONSTRUCTOR to this map, relative to
> +   PARENT_REG's relationship to its base region.  */
> +
> +void
> +binding_map::apply_ctor_to_region (const region *parent_reg, tree ctor,
> +                                  region_model_manager *mgr)
> +{
> +  gcc_assert (parent_reg);
> +  gcc_assert (TREE_CODE (ctor) == CONSTRUCTOR);
> +  gcc_assert (!CONSTRUCTOR_NO_CLEARING (ctor));
> +
> +  unsigned ix;
> +  tree index;
> +  tree val;
> +  FOR_EACH_CONSTRUCTOR_ELT (CONSTRUCTOR_ELTS (ctor), ix, index, val)
> +    {
> +      if (!index)
> +       index = build_int_cst (integer_type_node, ix);
> +      const region *child_reg
> +       = get_subregion_within_ctor (parent_reg, index, mgr);
> +      if (TREE_CODE (val) == CONSTRUCTOR)
> +       apply_ctor_to_region (child_reg, val, mgr);
> +      else
> +       {
> +         gcc_assert (CONSTANT_CLASS_P (val));
> +         const svalue *cst_sval = mgr->get_or_create_constant_svalue (val);
> +         const binding_key *k
> +           = binding_key::make (mgr->get_store_manager (), child_reg,
> +                                BK_direct);
> +         put (k, cst_sval);
> +       }
> +    }
> +}
> +
>  /* class binding_cluster.  */
>
>  /* binding_cluster's copy ctor.  */
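Review bot: get_subregion_within_ctor sends every index kind other than INTEGER_CST and FIELD_DECL to `gcc_unreachable ()`, and apply_ctor_to_region asserts `CONSTANT_CLASS_P (val)` for every element that is not a nested CONSTRUCTOR, so any initializer shape outside those cases turns into an ICE in the analyzer instead of a loss of precision. A CONSTRUCTOR index can also be a RANGE_EXPR, and an element value such as an ADDR_EXPR is not CONSTANT_CLASS_P. I would suggest having both functions report failure (for example a NULL region and a bool return) and letting decl_region::maybe_get_constant_value fall back to returning NULL when the ctor cannot be fully applied. Minor: the `break;` after the `return` in the INTEGER_CST case is dead code.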
> diff --git a/gcc/analyzer/store.h b/gcc/analyzer/store.h
> index 4f251d6420f..16bad030b36 100644
> --- a/gcc/analyzer/store.h
> +++ b/gcc/analyzer/store.h
> @@ -340,6 +340,9 @@ public:
>    void dump_to_pp (pretty_printer *pp, bool simple, bool multiline) const;
>    void dump (bool simple) const;
>
> +  void apply_ctor_to_region (const region *parent_reg, tree ctor,
> +                            region_model_manager *mgr);
> +
>  private:
>    map_t m_map;
>  };
> --
> 2.26.2
>


Thread overview: 9+ messages
2020-08-13 20:58 [committed] analyzer: rewrite of region and value-handling David Malcolm
2020-08-14  7:22 ` Martin Liška
2020-08-14  7:26   ` Martin Liška
2020-08-14 13:28     ` David Malcolm
2020-08-14 13:08   ` David Malcolm
2020-08-14  8:49 ` Christophe Lyon
2020-08-14 20:20   ` David Malcolm
2020-08-14 22:51     ` [committed] analyzer: fix initialization from constant pool [PR96609, PR96616] David Malcolm
2020-08-15 14:16       ` Christophe Lyon
