71fc4655ab
Various false positives from -fanalyzer involve SSA names in loops,
where sm-state associated with an SSA name from one iteration is
erroneously reused in a subsequent iteration.
For example, PR analyzer/99716 describes a false
"double 'fclose' of FILE 'fp'"
on:
for (i = 0; i < 2; ++i) {
FILE *fp = fopen ("/tmp/test", "w");
fprintf (fp, "hello");
fclose (fp);
}
where the gimple of the loop body is:
fp_7 = fopen ("/tmp/test", "w");
__builtin_fwrite ("hello", 1, 5, fp_7);
fclose (fp_7);
i_10 = i_1 + 1;
where fp_7 transitions to "closed" at the fclose, but is not
reset at the subsequent fopen, leading to the false positive
when the fclose is re-reached.
The fix is to reset sm-state for svalues that involve an SSA name
at the SSA name's def-stmt, since the def-stmt effectively changes
the meaning of those related svalues.
gcc/analyzer/ChangeLog:
PR analyzer/93695
PR analyzer/99044
PR analyzer/99716
* engine.cc (exploded_node::on_stmt): Clear sm-state involving
an SSA name at the def-stmt of that SSA name.
* program-state.cc (sm_state_map::purge_state_involving): New.
* program-state.h (sm_state_map::purge_state_involving): New decl.
* region-model.cc (selftest::test_involves_p): New.
(selftest::analyzer_region_model_cc_tests): Call it.
* svalue.cc (class involvement_visitor): New class
(svalue::involves_p): New.
* svalue.h (svalue::involves_p): New decl.
gcc/testsuite/ChangeLog:
PR analyzer/93695
PR analyzer/99044
PR analyzer/99716
* gcc.dg/analyzer/attr-malloc-CVE-2019-19078-usb-leak.c: Remove
xfail.
* gcc.dg/analyzer/pr93695-1.c: New test.
* gcc.dg/analyzer/pr99044-1.c: New test.
* gcc.dg/analyzer/pr99044-2.c: New test.
* gcc.dg/analyzer/pr99716-1.c: New test.
* gcc.dg/analyzer/pr99716-2.c: New test.
* gcc.dg/analyzer/pr99716-3.c: New test.
|
||
|---|---|---|
| .. | ||
| analysis-plan.cc | ||
| analysis-plan.h | ||
| analyzer-logging.cc | ||
| analyzer-logging.h | ||
| analyzer-pass.cc | ||
| analyzer-selftests.cc | ||
| analyzer-selftests.h | ||
| analyzer.cc | ||
| analyzer.h | ||
| analyzer.opt | ||
| bar-chart.cc | ||
| bar-chart.h | ||
| call-string.cc | ||
| call-string.h | ||
| ChangeLog | ||
| checker-path.cc | ||
| checker-path.h | ||
| complexity.cc | ||
| complexity.h | ||
| constraint-manager.cc | ||
| constraint-manager.h | ||
| diagnostic-manager.cc | ||
| diagnostic-manager.h | ||
| engine.cc | ||
| engine.h | ||
| exploded-graph.h | ||
| feasible-graph.cc | ||
| feasible-graph.h | ||
| function-set.cc | ||
| function-set.h | ||
| pending-diagnostic.cc | ||
| pending-diagnostic.h | ||
| program-point.cc | ||
| program-point.h | ||
| program-state.cc | ||
| program-state.h | ||
| reachability.h | ||
| region-model-impl-calls.cc | ||
| region-model-manager.cc | ||
| region-model-reachability.cc | ||
| region-model-reachability.h | ||
| region-model.cc | ||
| region-model.h | ||
| region.cc | ||
| region.h | ||
| sm-file.cc | ||
| sm-malloc.cc | ||
| sm-malloc.dot | ||
| sm-pattern-test.cc | ||
| sm-sensitive.cc | ||
| sm-signal.cc | ||
| sm-taint.cc | ||
| sm.cc | ||
| sm.h | ||
| state-purge.cc | ||
| state-purge.h | ||
| store.cc | ||
| store.h | ||
| supergraph.cc | ||
| supergraph.h | ||
| svalue.cc | ||
| svalue.h | ||
| trimmed-graph.cc | ||
| trimmed-graph.h | ||