analyzer: round-trip pointer-equality through intptr_t

When investigating how the analyzer handles malloc/free of Cray pointers in gfortran I noticed that that analyzer was losing information on pointers that were cast to an integer type, and then back to a pointer type again. The root cause is that region_model::maybe_cast_1 was only preserving the region_svalue-ness of the result if both types were pointers, instead returning an unknown_svalue for a pointer-to-int cast. This patch updates the above code so that it attempts to use a region_svalue if *either* type is a pointer Doing so allows the analyzer to recognize that the same underlying region is in use through various casts through integer types. gcc/analyzer/ChangeLog: * region-model.cc (region_model::maybe_cast_1): Attempt to provide a region_svalue if either type is a pointer, rather than if both types are pointers. gcc/testsuite/ChangeLog: * gcc.dg/analyzer/torture/intptr_t.c: New test.

analyzer: round-trip pointer-equality through intptr_t
When investigating how the analyzer handles malloc/free of Cray pointers in gfortran I noticed that that analyzer was losing information on pointers that were cast to an integer type, and then back to a pointer type again. The root cause is that region_model::maybe_cast_1 was only preserving the region_svalue-ness of the result if both types were pointers, instead returning an unknown_svalue for a pointer-to-int cast. This patch updates the above code so that it attempts to use a region_svalue if *either* type is a pointer Doing so allows the analyzer to recognize that the same underlying region is in use through various casts through integer types. gcc/analyzer/ChangeLog: * region-model.cc (region_model::maybe_cast_1): Attempt to provide a region_svalue if either type is a pointer, rather than if both types are pointers. gcc/testsuite/ChangeLog: * gcc.dg/analyzer/torture/intptr_t.c: New test.
cb273d81 · David Malcolm · 1ccdd460 · cb273d81 · cb273d81 · cb273d81
Commit cb273d81 authored Feb 05, 2020 by David Malcolm
Hide whitespace changes
Inline Side-by-side

Showing with 39 additions and 1 deletions

gcc/analyzer/ChangeLog
+6 -0

gcc/analyzer/region-model.cc
+1 -1

gcc/testsuite/ChangeLog
+4 -0

gcc/testsuite/gcc.dg/analyzer/torture/intptr_t.c
+28 -0

No files found.
--- a/gcc/analyzer/ChangeLog
+++ b/gcc/analyzer/ChangeLog
+2020-02-06  David Malcolm  <dmalcolm@redhat.com>
+	* region-model.cc (region_model::maybe_cast_1): Attempt to provide
+	a region_svalue if either type is a pointer, rather than if both
+	types are pointers.
 2020-02-05  David Malcolm  <dmalcolm@redhat.com>
 	* engine.cc (exploded_node::dump_dot): Show merger enodes.

--- a/gcc/analyzer/region-model.cc
+++ b/gcc/analyzer/region-model.cc
@@ -4977,7 +4977,7 @@ region_model::maybe_cast_1 (tree dst_type, svalue_id sid)
    return sid;
  if (POINTER_TYPE_P (dst_type)
-      && POINTER_TYPE_P (src_type))
+      || POINTER_TYPE_P (src_type))
    {
      /* Pointer to region.  */
      if (region_svalue *ptr_sval = sval->dyn_cast_region_svalue ())

--- a/gcc/testsuite/ChangeLog
+++ b/gcc/testsuite/ChangeLog
+2020-02-06  David Malcolm  <dmalcolm@redhat.com>
+	* gcc.dg/analyzer/torture/intptr_t.c: New test.
 2020-02-06  Segher Boessenkool  <segher@kernel.crashing.org>
 	* gcc.target/powerpc/pr93012.c: New.

--- a/gcc/testsuite/gcc.dg/analyzer/torture/intptr_t.c
+++ b/gcc/testsuite/gcc.dg/analyzer/torture/intptr_t.c
+/* { dg-skip-if "" { *-*-* } { "-fno-fat-lto-objects" } { "" } } */
+#include <stdlib.h>
+typedef __INTPTR_TYPE__ intptr_t;
+typedef __UINTPTR_TYPE__ uintptr_t;
+void test_1 (void)
+{
+  intptr_t ip;
+  void *p = malloc (1024);
+  ip = (intptr_t)p;
+  free ((void *)ip);
+} /* { dg-bogus "leak" } */
+void test_2 (void)
+{
+  uintptr_t uip;
+  void *p = malloc (1024);
+  uip = (uintptr_t)p;
+  free ((void *)uip);
+} /* { dg-bogus "leak" } */
+void test_3 (intptr_t ip)
+{
+  free ((void *)ip); /* { dg-message "first 'free'" } */
+  free ((void *)ip); /* { dg-warning "double-'free'" } */
+}