2021-07-28 Release Manager * GCC 11.2.0 released. 2021-07-02 David Malcolm * store.cc (binding_cluster::get_any_binding): Make symbolic reads from a cluster with concrete bindings return unknown. 2021-07-02 David Malcolm * region-model-manager.cc (region_model_manager::get_or_create_int_cst): New. (region_model_manager::maybe_undo_optimize_bit_field_compare): Use it to simplify away a local tree. * region-model.cc (region_model::on_setjmp): Likewise. (region_model::on_longjmp): Likewise. * region-model.h (region_model_manager::get_or_create_int_cst): New decl. * store.cc (binding_cluster::zero_fill_region): Use it to simplify away a local tree. 2021-07-02 David Malcolm PR analyzer/99212 PR analyzer/101082 * engine.cc: Include "target.h". (impl_run_checkers): Log BITS_BIG_ENDIAN, BYTES_BIG_ENDIAN, and WORDS_BIG_ENDIAN. * region-model-manager.cc (region_model_manager::maybe_fold_binop): Move support for masking via ARG0 & CST into... (region_model_manager::maybe_undo_optimize_bit_field_compare): ...this new function. Flatten by converting from nested conditionals to a series of early return statements to reject failures. Reject if type is not unsigned_char_type_node. Handle BYTES_BIG_ENDIAN when determining which bits are bound in the binding_map. * region-model.h (region_model_manager::maybe_undo_optimize_bit_field_compare): New decl. * store.cc (bit_range::dump): New function. * store.h (bit_range::dump): New decl. 2021-07-02 David Malcolm * engine.cc (worklist::key_t::cmp): Move sort by call_string to before SCC. 2021-07-02 David Malcolm * region-model.cc (region_model::get_lvalue_1): Make const. (region_model::get_lvalue): Likewise. (region_model::get_rvalue_1): Likewise. (region_model::get_rvalue): Likewise. (region_model::deref_rvalue): Likewise. (region_model::get_rvalue_for_bits): Likewise. * region-model.h (region_model::get_lvalue): Likewise. (region_model::get_rvalue): Likewise. (region_model::deref_rvalue): Likewise. (region_model::get_rvalue_for_bits): Likewise. (region_model::get_lvalue_1): Likewise. (region_model::get_rvalue_1): Likewise. 2021-07-02 David Malcolm PR analyzer/99212 * region-model-manager.cc (region_model_manager::maybe_fold_binop): Add support for folding BIT_AND_EXPR of compound_svalue and a mask constant. * region-model.cc (region_model::get_rvalue_1): Implement BIT_FIELD_REF in terms of... (region_model::get_rvalue_for_bits): New function. * region-model.h (region_model::get_rvalue_for_bits): New decl. * store.cc (bit_range::from_mask): New function. (selftest::test_bit_range_intersects_p): New selftest. (selftest::assert_bit_range_from_mask_eq): New. (ASSERT_BIT_RANGE_FROM_MASK_EQ): New macro. (selftest::assert_no_bit_range_from_mask_eq): New. (ASSERT_NO_BIT_RANGE_FROM_MASK): New macro. (selftest::test_bit_range_from_mask): New selftest. (selftest::analyzer_store_cc_tests): Call the new selftests. * store.h (bit_range::intersects_p): New. (bit_range::from_mask): New decl. (concrete_binding::get_bit_range): New accessor. (store_manager::get_concrete_binding): New overload taking const bit_range &. 2021-07-02 David Malcolm * analyzer.h (int_size_in_bits): New decl. * region.cc (int_size_in_bits): New function. (region::get_bit_size): Reimplement in terms of the above. 2021-07-02 David Malcolm * store.cc (concrete_binding::dump_to_pp): Move bulk of implementation to... (bit_range::dump_to_pp): ...this new function. (bit_range::cmp): New. (concrete_binding::overlaps_p): Update for use of bit_range. (concrete_binding::cmp_ptr_ptr): Likewise. * store.h (struct bit_range): New. (class concrete_binding): Replace fields m_start_bit_offset and m_size_in_bits with new field m_bit_range. 2021-07-02 David Malcolm * svalue.h (conjured_svalue::iterator_t): Delete. 2021-07-02 David Malcolm * store.h (store::get_direct_binding): Remove unused decl. (store::get_default_binding): Likewise. 2021-07-02 David Malcolm * svalue.cc (poisoned_svalue::dump_to_pp): Dump type. (compound_svalue::dump_to_pp): Dump any type. 2021-07-02 David Malcolm PR analyzer/100615 * sm-malloc.cc: Include "analyzer/function-set.h". (malloc_state_machine::on_stmt): Call unaffected_by_call_p and bail on the functions it recognizes. (malloc_state_machine::unaffected_by_call_p): New. 2021-07-02 David Malcolm PR analyzer/100244 * sm-malloc.cc (free_of_non_heap::describe_state_change): Bulletproof against change.m_expr being NULL. 2021-04-27 Release Manager * GCC 11.1.0 released. 2021-04-13 David Malcolm PR analyzer/98599 * supergraph.cc (saved_uids::make_uid_unique): New. (saved_uids::restore_uids): New. (supergraph::supergraph): Replace assignments to stmt->uid with calls to m_stmt_uids.make_uid_unique. (supergraph::~supergraph): New. * supergraph.h (class saved_uids): New. (supergraph::~supergraph): New decl. (supergraph::m_stmt_uids): New field. 2021-04-10 David Malcolm PR analyzer/100011 * region-model.cc (region_model::on_assignment): Avoid NULL dereference if ctxt is NULL when assigning from a STRING_CST. 2021-04-08 David Malcolm PR analyzer/99042 PR analyzer/99774 * engine.cc (impl_region_model_context::impl_region_model_context): Add uncertainty param and use it to initialize m_uncertainty. (impl_region_model_context::get_uncertainty): New. (impl_sm_context::get_fndecl_for_call): Add NULL for new uncertainty param when constructing impl_region_model_context. (impl_sm_context::get_state): Likewise. (impl_sm_context::set_next_state): Likewise. (impl_sm_context::warn): Likewise. (exploded_node::on_stmt): Add uncertainty param and use it when constructing impl_region_model_context. (exploded_node::on_edge): Add uncertainty param and pass to on_edge call. (exploded_node::detect_leaks): Create uncertainty_t and pass to impl_region_model_context. (exploded_graph::get_or_create_node): Create uncertainty_t and pass to prune_for_point. (maybe_process_run_of_before_supernode_enodes): Create uncertainty_t and pass to impl_region_model_context. (exploded_graph::process_node): Create uncertainty_t instances and pass around as needed. * exploded-graph.h (impl_region_model_context::impl_region_model_context): Add uncertainty param. (impl_region_model_context::get_uncertainty): New decl. (impl_region_model_context::m_uncertainty): New field. (exploded_node::on_stmt): Add uncertainty param. (exploded_node::on_edge): Likewise. * program-state.cc (sm_state_map::on_liveness_change): Get uncertainty from context and use it to unset sm-state from svalues as appropriate. (program_state::on_edge): Add uncertainty param and use it when constructing impl_region_model_context. Fix indentation. (program_state::prune_for_point): Add uncertainty param and use it when constructing impl_region_model_context. (program_state::detect_leaks): Get any uncertainty from ctxt and use it to get maybe-live svalues for dest_state, rather than definitely-live ones; use this when determining which svalues have leaked. (selftest::test_program_state_merging): Create uncertainty_t and pass to impl_region_model_context. * program-state.h (program_state::on_edge): Add uncertainty param. (program_state::prune_for_point): Likewise. * region-model-impl-calls.cc (call_details::get_uncertainty): New. (region_model::impl_call_memcpy): Pass uncertainty to mark_region_as_unknown call. (region_model::impl_call_memset): Likewise. (region_model::impl_call_strcpy): Likewise. * region-model-reachability.cc (reachable_regions::handle_sval): Also add sval to m_mutable_svals. * region-model.cc (region_model::on_assignment): Pass any uncertainty from ctxt to the store::set_value call. (region_model::handle_unrecognized_call): Get any uncertainty from ctxt and use it to record mutable svalues at the unknown call. (region_model::get_reachable_svalues): Add uncertainty param and use it to mark any maybe-bound svalues as being reachable. (region_model::set_value): Pass any uncertainty from ctxt to the store::set_value call. (region_model::mark_region_as_unknown): Add uncertainty param and pass it on to the store::mark_region_as_unknown call. (region_model::update_for_call_summary): Add uncertainty param and pass it on to the region_model::mark_region_as_unknown call. * region-model.h (call_details::get_uncertainty): New decl. (region_model::get_reachable_svalues): Add uncertainty param. (region_model::mark_region_as_unknown): Add uncertainty param. (region_model_context::get_uncertainty): New vfunc. (noop_region_model_context::get_uncertainty): New vfunc implementation. * store.cc (dump_svalue_set): New. (uncertainty_t::dump_to_pp): New. (uncertainty_t::dump): New. (binding_cluster::clobber_region): Pass NULL for uncertainty to remove_overlapping_bindings. (binding_cluster::mark_region_as_unknown): Add uncertainty param and pass it to remove_overlapping_bindings. (binding_cluster::remove_overlapping_bindings): Add uncertainty param. Use it to record any svalues that were in clobbered bindings. (store::set_value): Add uncertainty param. Pass it to binding_cluster::mark_region_as_unknown when handling symbolic regions. (store::mark_region_as_unknown): Add uncertainty param and pass it to binding_cluster::mark_region_as_unknown. (store::remove_overlapping_bindings): Add uncertainty param and pass it to binding_cluster::remove_overlapping_bindings. * store.h (binding_cluster::mark_region_as_unknown): Add uncertainty param. (binding_cluster::remove_overlapping_bindings): Likewise. (store::set_value): Likewise. (store::mark_region_as_unknown): Likewise. 2021-04-05 David Malcolm PR analyzer/99906 * analyzer.cc (maybe_reconstruct_from_def_stmt): Fix NULL dereference on calls with zero arguments. * sm-malloc.cc (malloc_state_machine::on_stmt): When handling __attribute__((nonnull)), only call get_diagnostic_tree if the result will be used. 2021-04-05 David Malcolm PR analyzer/99886 * diagnostic-manager.cc (diagnostic_manager::prune_interproc_events): Use signed integers when subtracting one from path->num_events (). (diagnostic_manager::consolidate_conditions): Likewise. Convert next_idx to a signed int. 2021-04-01 David Malcolm * diagnostic-manager.cc (diagnostic_manager::add_diagnostic): Make enode param non-constant, and call add_diagnostic on it. Add enode index to log message. (diagnostic_manager::add_diagnostic): Make enode param non-constant. * diagnostic-manager.h (diagnostic_manager::add_diagnostic): Likewise for both decls. * engine.cc (impl_region_model_context::impl_region_model_context): Likewise for enode_for_diag. (impl_sm_context::impl_sm_context): Likewise. (impl_sm_context::m_enode_for_diag): Likewise. (exploded_node::dump_dot): Don't pass the diagnostic manager to dump_saved_diagnostics. (exploded_node::dump_saved_diagnostics): Drop param. Iterate directly through all saved diagnostics for the enode, rather than all saved diagnostics in the diagnostic_manager and filtering. (exploded_node::on_stmt): Make non-const. (exploded_node::on_edge): Likewise. (exploded_node::on_longjmp): Likewise. (exploded_node::detect_leaks): Likewise. (exploded_graph::get_or_create_node): Make enode_for_diag param non-const. (exploded_graph_annotator::print_enode): Iterate directly through all saved diagnostics for the enode, rather than all saved diagnostics in the diagnostic_manager and filtering. * exploded-graph.h (impl_region_model_context::impl_region_model_context): Make enode_for_diag param non-constant. (impl_region_model_context::m_enode_for_diag): Likewise. (exploded_node::dump_saved_diagnostics): Drop param. (exploded_node::on_stmt): Make non-const. (exploded_node::on_edge): Likewise. (exploded_node::on_longjmp): Likewise. (exploded_node::detect_leaks): Likewise. (exploded_node::add_diagnostic): New. (exploded_node::get_num_diagnostics): New. (exploded_node::get_saved_diagnostic): New. (exploded_node::m_saved_diagnostics): New. (exploded_graph::get_or_create_node): Make enode_for_diag param non-constant. * feasible-graph.cc (feasible_node::dump_dot): Drop diagnostic_manager from call to dump_saved_diagnostics. * program-state.cc (program_state::on_edge): Convert enode param to non-const pointer. (program_state::prune_for_point): Likewise for enode_for_diag param. * program-state.h (program_state::on_edge): Convert enode param to non-const pointer. (program_state::prune_for_point): Likewise for enode_for_diag param. 2021-03-31 David Malcolm PR analyzer/99771 * analyzer.cc (maybe_reconstruct_from_def_stmt): New. (fixup_tree_for_diagnostic_1): New. (fixup_tree_for_diagnostic): New. * analyzer.h (fixup_tree_for_diagnostic): New decl. * checker-path.cc (call_event::get_desc): Call fixup_tree_for_diagnostic and use it for the call_with_state call. (warning_event::get_desc): Likewise for the final_event and make_label_text calls. * engine.cc (impl_region_model_context::on_state_leak): Likewise for the on_leak and add_diagnostic calls. * region-model.cc (region_model::get_representative_tree): Likewise for the result. 2021-03-30 David Malcolm * region.h (region::dump_to_pp): Remove old decl. 2021-03-30 David Malcolm * sm-file.cc (fileptr_state_machine::on_stmt): Only call get_diagnostic_tree if the result will be used. * sm-malloc.cc (malloc_state_machine::on_stmt): Likewise. (malloc_state_machine::on_deallocator_call): Likewise. (malloc_state_machine::on_realloc_call): Likewise. (malloc_state_machine::on_realloc_call): Likewise. * sm-sensitive.cc (sensitive_state_machine::warn_for_any_exposure): Likewise. * sm-taint.cc (taint_state_machine::on_stmt): Likewise. 2021-03-25 David Malcolm PR analyzer/93695 PR analyzer/99044 PR analyzer/99716 * engine.cc (exploded_node::on_stmt): Clear sm-state involving an SSA name at the def-stmt of that SSA name. * program-state.cc (sm_state_map::purge_state_involving): New. * program-state.h (sm_state_map::purge_state_involving): New decl. * region-model.cc (selftest::test_involves_p): New. (selftest::analyzer_region_model_cc_tests): Call it. * svalue.cc (class involvement_visitor): New class (svalue::involves_p): New. * svalue.h (svalue::involves_p): New decl. 2021-03-19 David Malcolm PR analyzer/99614 * diagnostic-manager.cc (class epath_finder): Add DISABLE_COPY_AND_ASSIGN. 2021-03-15 Martin Liska * sm-file.cc (get_file_using_fns): Add missing comma in initializer. 2021-03-11 David Malcolm PR analyzer/96374 * analyzer.opt (-param=analyzer-max-infeasible-edges=): New param. (fdump-analyzer-feasibility): New flag. * diagnostic-manager.cc: Include "analyzer/trimmed-graph.h" and "analyzer/feasible-graph.h". (epath_finder::epath_finder): Convert m_sep to a pointer and only create it if !flag_analyzer_feasibility. (epath_finder::~epath_finder): New. (epath_finder::m_sep): Convert to a pointer. (epath_finder::get_best_epath): Add param "diag_idx" and use it when logging. Rather than finding the shortest path and then checking feasibility, instead use explore_feasible_paths unless !flag_analyzer_feasibility, in which case simply use the shortest path, and note if it is infeasible. Update for m_sep becoming a pointer. (class feasible_worklist): New. (epath_finder::explore_feasible_paths): New. (epath_finder::process_worklist_item): New. (class dump_eg_with_shortest_path): New. (epath_finder::dump_trimmed_graph): New. (epath_finder::dump_feasible_graph): New. (saved_diagnostic::saved_diagnostic): Add "idx" param, using it on new field m_idx. (saved_diagnostic::to_json): Dump m_idx. (saved_diagnostic::calc_best_epath): Pass m_idx to get_best_epath. Remove assertion that m_problem was set when m_best_epath is NULL. (diagnostic_manager::add_diagnostic): Pass an index when created saved_diagnostic instances. * diagnostic-manager.h (saved_diagnostic::saved_diagnostic): Add "idx" param. (saved_diagnostic::get_index): New accessor. (saved_diagnostic::m_idx): New field. * engine.cc (exploded_node::dump_dot): Call args.dump_extra_info. Move code to... (exploded_node::dump_processed_stmts): ...this new function and... (exploded_node::dump_saved_diagnostics): ...this new function. Add index of each diagnostic. (exploded_edge::dump_dot): Move bulk of code to... (exploded_edge::dump_dot_label): ...this new function. * exploded-graph.h (eg_traits::dump_args_t::dump_extra_info): New vfunc. (exploded_node::dump_processed_stmts): New decl. (exploded_node::dump_saved_diagnostics): New decl. (exploded_edge::dump_dot_label): New decl. * feasible-graph.cc: New file. * feasible-graph.h: New file. * trimmed-graph.cc: New file. * trimmed-graph.h: New file. 2021-03-11 David Malcolm * diagnostic-manager.cc (epath_finder::epath_finder): Update shortest_paths init for new param. 2021-03-10 David Malcolm PR analyzer/96374 * engine.cc (exploded_path::feasible_p): Move "snodes_visited" and "model" locals into a new class feasibility_state. Move heart of per-edge processing into feasibility_state::maybe_update_for_edge. (feasibility_state::feasibility_state): New. (feasibility_state::maybe_update_for_edge): New, based on loop body in exploded_path::feasible_p. * exploded-graph.h (class feasibility_state): New. 2021-03-10 David Malcolm * supergraph.h (callgraph_superedge::dyn_cast_callgraph_superedge): New. (call_superedge::dyn_cast_callgraph_superedge): Delete. (return_superedge::dyn_cast_callgraph_superedge): Delete. 2021-03-02 Martin Liska * diagnostic-manager.cc (diagnostic_manager::emit_saved_diagnostics): Do not pass engine. 2021-02-26 David Malcolm * engine.cc (exploded_path::exploded_path): New copy-ctor. * exploded-graph.h (exploded_path::operator=): Drop decl. 2021-02-26 David Malcolm PR analyzer/96374 * diagnostic-manager.cc (class epath_finder): New. (epath_finder::get_best_epath): New. (saved_diagnostic::saved_diagnostic): Update for replacement of m_state and m_epath_length with m_best_epath. (saved_diagnostic::~saved_diagnostic): Delete m_best_epath. (saved_diagnostic::to_json): Update "path_length" to be optional. (saved_diagnostic::calc_best_epath): New, based on dedupe_winners::add and parts of dedupe_key::dedupe_key. (saved_diagnostic::get_epath_length): New. (saved_diagnostic::add_duplicate): New. (dedupe_key::dedupe_key): Drop epath param. Move invocation of stmt_finder to saved_diagnostic::calc_best_epath. (class dedupe_candidate): Delete. (class dedupe_hash_map_traits): Update to use saved_diagnotic * rather than dedupe_candidate * as the value_type/compare_type. (dedupe_winners::~dedupe_winners): Don't delete the values. (dedupe_winners::add): Convert param from shortest_exploded_paths to epath_finder. Drop "eg" param. Drop dedupe_candidate, moving path generation and feasiblity checking to epath_finder::get_best_epath. Update winner-selection for move of epaths from dedupe_candidate to saved_diagnostic. (dedupe_winners::emit_best): Update for removal of class dedupe_candidate. (dedupe_winners::map_t): Update to use saved_diagnotic * rather than dedupe_candidate * as the value_type/compare_type. (diagnostic_manager::emit_saved_diagnostics): Move shortest_exploded_paths instance into epath_finder and pass that around instead. (diagnostic_manager::emit_saved_diagnostic): Drop epath, stmt and num_dupes params, instead getting these from the saved_diagnostic. Use correct location in inform_n call. * diagnostic-manager.h (class epath_finder): New forward decl. (saved_diagnostic::status): Drop enum. (saved_diagnostic::set_feasible): Drop. (saved_diagnostic::set_infeasible): Drop. (saved_diagnostic::get_status): Drop. (saved_diagnostic::calc_best_epath): New decl. (saved_diagnostic::get_best_epath): New decl. (saved_diagnostic::get_epath_length): New decl. (saved_diagnostic::set_epath_length): Drop. (saved_diagnostic::get_epath_length): Drop inline implementation. (saved_diagnostic::add_duplicate): New. (saved_diagnostic::get_num_dupes): New. (saved_diagnostic::m_d): Document ownership. (saved_diagnostic::m_trailing_eedge): Make const. (saved_diagnostic::m_status): Drop field. (saved_diagnostic::m_epath_length): Drop field. (saved_diagnostic::m_best_epath): New field. (saved_diagnostic::m_problem): Document ownership. (saved_diagnostic::m_duplicates): New field. (diagnostic_manager::emit_saved_diagnostic): Drop params epath, stmt, and num_dupes. * engine.cc (exploded_graph_annotator::print_saved_diagnostic): Update for changes to saved_diagnostic class. * exploded-graph.h (exploded_path::feasible_p): Drop unused overloaded decl. 2021-02-25 David Malcolm PR analyzer/99193 * region-model-impl-calls.cc (region_model::impl_call_realloc): New. * region-model.cc (region_model::on_call_pre): Call it. * region-model.h (region_model::impl_call_realloc): New decl. * sm-malloc.cc (enum wording): Add WORDING_REALLOCATED. (malloc_state_machine::m_realloc): New field. (use_after_free::describe_state_change): Add case for WORDING_REALLOCATED. (use_after_free::describe_final_event): Likewise. (malloc_state_machine::malloc_state_machine): Initialize m_realloc. (malloc_state_machine::on_stmt): Handle realloc by calling... (malloc_state_machine::on_realloc_call): New. 2021-02-22 David Malcolm PR analyzer/99196 * engine.cc (exploded_node::on_stmt): Provide terminate_path flag as a way for on_call_pre to terminate the current analysis path. * region-model-impl-calls.cc (call_details::num_args): New. (region_model::impl_call_error): New. * region-model.cc (region_model::on_call_pre): Add param "out_terminate_path". Handle "error" and "error_at_line". * region-model.h (call_details::num_args): New decl. (region_model::on_call_pre): Add param "out_terminate_path". (region_model::impl_call_error): New decl. 2021-02-17 David Malcolm PR analyzer/98969 * constraint-manager.cc (dead_svalue_purger::should_purge_p): Update for change to svalue::live_p. * program-state.cc (sm_state_map::on_liveness_change): Likewise. (program_state::detect_leaks): Likewise. * region-model-reachability.cc (reachable_regions::init_cluster): When dealing with a symbolic region, if the underlying pointer is implicitly live, add the region to the reachable regions. * region-model.cc (region_model::compare_initial_and_pointer): Move logic for detecting initial values of params to initial_svalue::initial_value_of_param_p. * svalue.cc (svalue::live_p): Convert "live_svalues" from a reference to a pointer; support it being NULL. (svalue::implicitly_live_p): Convert first param from a refererence to a pointer. (region_svalue::implicitly_live_p): Likewise. (constant_svalue::implicitly_live_p): Likewise. (initial_svalue::implicitly_live_p): Likewise. Treat the initial values of params for the top level frame as still live. (initial_svalue::initial_value_of_param_p): New function, taken from a test in region_model::compare_initial_and_pointer. (unaryop_svalue::implicitly_live_p): Convert first param from a refererence to a pointer. (binop_svalue::implicitly_live_p): Likewise. (sub_svalue::implicitly_live_p): Likewise. (unmergeable_svalue::implicitly_live_p): Likewise. * svalue.h (svalue::live_p): Likewise. (svalue::implicitly_live_p): Likewise. (region_svalue::implicitly_live_p): Likewise. (constant_svalue::implicitly_live_p): Likewise. (initial_svalue::implicitly_live_p): Likewise. (initial_svalue::initial_value_of_param_p): New decl. (unaryop_svalue::implicitly_live_p): Convert first param from a refererence to a pointer. (binop_svalue::implicitly_live_p): Likewise. (sub_svalue::implicitly_live_p): Likewise. (unmergeable_svalue::implicitly_live_p): Likewise. 2021-02-12 David Malcolm PR analyzer/98969 * engine.cc (readability): Add names for the various arbitrary values. Handle NOP_EXPR and INTEGER_CST. (readability_comparator): Combine the readability tests for tree and stack depth, rather than performing them sequentially. (impl_region_model_context::on_state_leak): Strip off top-level casts. * region-model.cc (region_model::get_representative_path_var): Add type-checking, moving the bulk of the implementation to... (region_model::get_representative_path_var_1): ...here. Respect types in casts by recursing and re-adding the cast, rather than merely stripping them off. Use the correct type when handling region_svalue. (region_model::get_representative_tree): Strip off any top-level cast. (region_model::get_representative_path_var): Add type-checking, moving the bulk of the implementation to... (region_model::get_representative_path_var_1): ...here. * region-model.h (region_model::get_representative_path_var_1): New decl (region_model::get_representative_path_var_1): New decl. * store.cc (append_pathvar_with_type): New. (binding_cluster::get_representative_path_vars): Cast path_vars to the correct type when adding them to *OUT_PVS. 2021-02-09 David Malcolm PR analyzer/98575 * sm-file.cc (is_file_using_fn_p): Support "_IO_"-prefixed variants. 2021-02-09 David Malcolm PR analyzer/98575 * store.cc (store::set_value): Treat a pointer written to *UNKNOWN as having escaped. 2021-02-02 David Malcolm PR analyzer/93355 PR analyzer/96374 * engine.cc (toplevel_function_p): Simplify so that we only reject functions with a "__analyzer_" prefix. (add_any_callbacks): Delete. (exploded_graph::build_initial_worklist): Update for dropped param of toplevel_function_p. (exploded_graph::build_initial_worklist): Don't bother looking for callbacks that are reachable from global initializers. 2021-02-01 David Malcolm PR analyzer/98918 * region-model-manager.cc (region_model_manager::get_or_create_initial_value): Fold the initial value of *UNKNOWN_PTR to an UNKNOWN value. (region_model_manager::get_field_region): Fold the value of UNKNOWN_PTR->FIELD to *UNKNOWN_PTR_OF_&FIELD_TYPE. 2021-01-29 David Malcolm * checker-path.cc (event_kind_to_string): Handle EK_START_CONSOLIDATED_CFG_EDGES and EK_END_CONSOLIDATED_CFG_EDGES. (start_consolidated_cfg_edges_event::get_desc): New. (checker_path::cfg_edge_pair_at_p): New. * checker-path.h (enum event_kind): Add EK_START_CONSOLIDATED_CFG_EDGES and EK_END_CONSOLIDATED_CFG_EDGES. (class start_consolidated_cfg_edges_event): New class. (class end_consolidated_cfg_edges_event): New class. (checker_path::delete_events): New. (checker_path::replace_event): New. (checker_path::cfg_edge_pair_at_p): New decl. * diagnostic-manager.cc (diagnostic_manager::prune_path): Call consolidate_conditions. (same_line_as_p): New. (diagnostic_manager::consolidate_conditions): New. * diagnostic-manager.h (diagnostic_manager::consolidate_conditions): New decl. 2021-01-18 David Malcolm * analyzer.h (is_std_named_call_p): New decl. * diagnostic-manager.cc (path_builder::get_sm): New. (state_change_event_creator::state_change_event_creator): Add "pb" param. (state_change_event_creator::on_global_state_change): Don't consider state changes affecting other state_machines. (state_change_event_creator::on_state_change): Likewise. (state_change_event_creator::m_pb): New field. (diagnostic_manager::add_events_for_eedge): Pass pb to visitor ctor. * region-model-impl-calls.cc (region_model::impl_deallocation_call): New. * region-model.cc: Include "attribs.h". (region_model::on_call_post): Handle fndecls referenced by __attribute__((deallocated_by(FOO))). * region-model.h (region_model::impl_deallocation_call): New decl. * sm-malloc.cc: Include "stringpool.h" and "attribs.h". Add leading comment. (class api): Delete. (enum resource_state): Update comment for change from api to deallocator and deallocator_set. (allocation_state::allocation_state): Drop api param. Add "deallocators" and "deallocator". (allocation_state::m_api): Drop field in favor of... (allocation_state::m_deallocators): New field. (allocation_state::m_deallocator): New field. (enum wording): Add WORDING_DEALLOCATED. (struct deallocator): New. (struct standard_deallocator): New. (struct custom_deallocator): New. (struct deallocator_set): New. (struct custom_deallocator_set): New. (struct standard_deallocator_set): New. (struct deallocator_set_map_traits): New. (malloc_state_machine::m_malloc): Drop field (malloc_state_machine::m_scalar_new): Likewise. (malloc_state_machine::m_vector_new): Likewise. (malloc_state_machine::m_free): New field (malloc_state_machine::m_scalar_delete): Likewise. (malloc_state_machine::m_vector_delete): Likewise. (malloc_state_machine::deallocator_map_t): New typedef. (malloc_state_machine::m_deallocator_map): New field. (malloc_state_machine::deallocator_set_cache_t): New typedef. (malloc_state_machine::m_custom_deallocator_set_cache): New field. (malloc_state_machine::custom_deallocator_set_map_t): New typedef. (malloc_state_machine::m_custom_deallocator_set_map): New field. (malloc_state_machine::m_dynamic_sets): New field. (malloc_state_machine::m_dynamic_deallocators): New field. (api::api): Delete. (deallocator::deallocator): New ctor. (deallocator::hash): New. (deallocator::dump_to_pp): New. (deallocator::cmp): New. (deallocator::cmp_ptr_ptr): New. (standard_deallocator::standard_deallocator): New ctor. (deallocator_set::deallocator_set): New ctor. (deallocator_set::dump): New. (custom_deallocator_set::custom_deallocator_set): New ctor. (custom_deallocator_set::contains_p): New. (custom_deallocator_set::maybe_get_single): New. (custom_deallocator_set::dump_to_pp): New. (standard_deallocator_set::standard_deallocator_set): New ctor. (standard_deallocator_set::contains_p): New. (standard_deallocator_set::maybe_get_single): New. (standard_deallocator_set::dump_to_pp): New. (start_p): New. (class mismatching_deallocation): Update for conversion from api to deallocator_set and deallocator. (double_free::emit): Use %qs. (class use_after_free): Update for conversion from api to deallocator_set and deallocator. (malloc_leak::describe_state_change): Only emit "allocated here" on a start->nonnull transition, rather than on other transitions to nonnull. (allocation_state::dump_to_pp): Update for conversion from api to deallocator_set. (allocation_state::get_nonnull): Likewise. (malloc_state_machine::malloc_state_machine): Likewise. (malloc_state_machine::~malloc_state_machine): New. (malloc_state_machine::add_state): Update for conversion from api to deallocator_set. (malloc_state_machine::get_or_create_custom_deallocator_set): New. (malloc_state_machine::maybe_create_custom_deallocator_set): New. (malloc_state_machine::get_or_create_deallocator): New. (malloc_state_machine::on_stmt): Update for conversion from api to deallocator_set. Handle "__attribute__((malloc(FOO)))", and the special attribute set on FOO. (malloc_state_machine::on_allocator_call): Update for conversion from api to deallocator_set. Add "returns_nonnull" param and use it to affect which state to transition to. (malloc_state_machine::on_deallocator_call): Update for conversion from api to deallocator_set. 2021-01-14 David Malcolm * engine.cc (strongly_connected_components::to_json): New. (worklist::to_json): New. (exploded_graph::to_json): JSON-ify the worklist. * exploded-graph.h (strongly_connected_components::to_json): New decl. (worklist::to_json): New decl. * store.cc (store::to_json): Fix comment. * supergraph.cc (supernode::to_json): Fix reference to "returning_call" in comment. Add optional "fun" to JSON. (edge_kind_to_string): New. (superedge::to_json): Add "kind" to JSON. 2021-01-14 David Malcolm PR analyzer/98679 * analyzer.h (region_offset::operator==): Make const. * pending-diagnostic.h (pending_diagnostic::equal_p): Likewise. * store.h (binding_cluster::for_each_value): Likewise. (binding_cluster::for_each_binding): Likewise. 2021-01-12 David Malcolm PR analyzer/98628 * store.cc (binding_cluster::make_unknown_relative_to): Don't mark dereferenced unknown pointers as having escaped. 2021-01-07 David Malcolm PR analyzer/98580 * region.cc (decl_region::get_svalue_for_initializer): Gracefully handle when LTO writes out DECL_INITIAL as error_mark_node. 2021-01-07 David Malcolm PR analyzer/97074 * store.cc (binding_cluster::can_merge_p): Add "out_store" param and pass to calls to binding_cluster::make_unknown_relative_to. (binding_cluster::make_unknown_relative_to): Add "out_store" param. Use it to mark base regions that are pointed to by pointers that become unknown as having escaped. (store::can_merge_p): Pass out_store to binding_cluster::can_merge_p. * store.h (binding_cluster::can_merge_p): Add "out_store" param. (binding_cluster::make_unknown_relative_to): Likewise. * svalue.cc (region_svalue::implicitly_live_p): New vfunc. * svalue.h (region_svalue::implicitly_live_p): New vfunc decl. 2021-01-07 David Malcolm PR analyzer/98564 * engine.cc (exploded_path::feasible_p): Add missing call to bitmap_clear. 2021-01-06 David Malcolm PR analyzer/97072 * region-model-reachability.cc (reachable_regions::init_cluster): Convert symbolic region handling to a switch statement. Add cases to handle SK_UNKNOWN and SK_CONJURED. 2021-01-05 David Malcolm PR analyzer/98293 * store.cc (binding_map::apply_ctor_to_region): When "index" is NULL, iterate through the fields for RECORD_TYPEs, rather than creating an INTEGER_CST index. 2020-11-30 David Malcolm * analyzer-pass.cc: Include "analyzer/analyzer.h" for the declaration of sorry_no_analyzer; include "tree.h" and "function.h" as these are needed by it. 2020-11-30 David Malcolm * analyzer-pass.cc (pass_analyzer::execute): Move sorry call to... (sorry_no_analyzer): New. * analyzer.h (class state_machine): New forward decl. (class logger): New forward decl. (class plugin_analyzer_init_iface): New. (sorry_no_analyzer): New decl. * checker-path.cc (checker_path::fixup_locations): New. * checker-path.h (checker_event::set_location): New. (checker_path::fixup_locations): New decl. * diagnostic-manager.cc (diagnostic_manager::emit_saved_diagnostic): Call checker_path::fixup_locations, and call fixup_location on the primary location. * engine.cc: Include "plugin.h". (class plugin_analyzer_init_impl): New. (impl_run_checkers): Invoke PLUGIN_ANALYZER_INIT callbacks. * pending-diagnostic.h (pending_diagnostic::fixup_location): New vfunc. 2020-11-18 David Malcolm PR analyzer/97893 * sm-malloc.cc (null_deref::emit): Use CWE-476 rather than CWE-690, as this isn't due to an unchecked return value. (null_arg::emit): Likewise. 2020-11-12 David Malcolm * checker-path.h (checker_event::get_id_ptr): New. * diagnostic-manager.cc (path_builder::path_builder): Add "sd" param and use it to initialize new field "m_sd". (path_builder::get_pending_diagnostic): New. (path_builder::m_sd): New field. (diagnostic_manager::emit_saved_diagnostic): Pass sd to path_builder ctor. (diagnostic_manager::add_events_for_superedge): Call new maybe_add_custom_events_for_superedge vfunc. * engine.cc (stale_jmp_buf::stale_jmp_buf): Add "setjmp_point" param and use it to initialize new field "m_setjmp_point". Initialize new field "m_stack_pop_event". (stale_jmp_buf::maybe_add_custom_events_for_superedge): New vfunc implementation. (stale_jmp_buf::describe_final_event): New vfunc implementation. (stale_jmp_buf::m_setjmp_point): New field. (stale_jmp_buf::m_stack_pop_event): New field. (exploded_node::on_longjmp): Pass setjmp_point to stale_jmp_buf ctor. * pending-diagnostic.h (pending_diagnostic::maybe_add_custom_events_for_superedge): New vfunc. 2020-11-12 David Malcolm PR tree-optimization/97424 * analyzer.opt (Wanalyzer-shift-count-negative): New. (Wanalyzer-shift-count-overflow): New. * region-model.cc (class shift_count_negative_diagnostic): New. (class shift_count_overflow_diagnostic): New. (region_model::get_gassign_result): Complain about shift counts that are negative or are >= the operand's type's width. 2020-11-10 Martin Liska * constraint-manager.cc (constraint_manager::merge): Remove unused code. * constraint-manager.h: Likewise. * program-state.cc (sm_state_map::sm_state_map): Likewise. (program_state::program_state): Likewise. (test_sm_state_map): Likewise. * program-state.h: Likewise. * region-model-reachability.cc (reachable_regions::reachable_regions): Likewise. * region-model-reachability.h: Likewise. * region-model.cc (region_model::handle_unrecognized_call): Likewise. (region_model::get_reachable_svalues): Likewise. (region_model::can_merge_with_p): Likewise. 2020-11-05 David Malcolm PR analyzer/97668 * svalue.cc (cmp_cst): Handle COMPLEX_CST. 2020-10-29 David Malcolm * program-state.cc (sm_state_map::on_liveness_change): Sort the leaking svalues before calling on_state_leak. (program_state::detect_leaks): Likewise when calling on_svalue_leak. * region-model-reachability.cc (reachable_regions::mark_escaped_clusters): Likewise when calling on_escaped_function. 2020-10-29 David Malcolm PR analyzer/97608 * region-model-reachability.cc (reachable_regions::handle_sval): Operands of reachable reversible operations are reachable. 2020-10-29 David Malcolm * analyzer.h (class state_machine): New forward decl. (class logger): Likewise. (class visitor): Likewise. * complexity.cc: New file, taken from svalue.cc. * complexity.h: New file, taken from region-model.h. * region-model.h: Include "analyzer/svalue.h" and "analyzer/region.h". Move struct complexity to complexity.h. Move svalue, its subclasses and supporting decls to svalue.h. Move region, its subclasses and supporting decls to region.h. * region.cc: Include "analyzer/region.h". (symbolic_region::symbolic_region): Move here from region-model.h. * region.h: New file, based on material from region-model.h. * svalue.cc: Include "analyzer/svalue.h". (complexity::complexity): Move to complexity.cc. (complexity::from_pair): Likewise. * svalue.h: New file, based on material from region-model.h. 2020-10-29 David Malcolm * program-state.cc (sm_state_map::print): Guard the printing of the origin pointer with !flag_dump_noaddr. * region.cc (string_region::dump_to_pp): Likewise for m_string_cst. 2020-10-27 David Malcolm PR analyzer/97568 * region-model.cc (region_model::get_initial_value_for_global): Move check that !DECL_EXTERNAL from here to... * region.cc (decl_region::get_svalue_for_initializer): ...here, using it to reject zero initialization. 2020-10-27 Markus Böck PR analyzer/96608 * store.h (hash): Cast to intptr_t instead of long 2020-10-27 David Malcolm * constraint-manager.cc (svalue_cmp_by_ptr): Delete. (equiv_class::canonicalize): Use svalue::cmp_ptr_ptr instead. (equiv_class_cmp): Eliminate pointer comparison. * diagnostic-manager.cc (dedupe_key::comparator): If they are at the same location, also compare epath ength and pending_diagnostic kind. * engine.cc (readability_comparator): If two path_vars have the same readability, then impose an arbitrary ordering on them. (worklist::key_t::cmp): If two points have the same plan ordering, continue the comparison. Call sm_state_map::cmp rather than comparing hash values. * program-state.cc (sm_state_map::entry_t::cmp): New. (sm_state_map::cmp): New. * program-state.h (sm_state_map::entry_t::cmp): New decl. (sm_state_map::elements): New. (sm_state_map::cmp): New. 2020-10-27 David Malcolm * engine.cc (setjmp_record::cmp): New. (supernode_cluster::dump_dot): Avoid embedding pointer in cluster name. (supernode_cluster::cmp_ptr_ptr): New. (function_call_string_cluster::dump_dot): Avoid embedding pointer in cluster name. Sort m_map when dumping child clusters. (function_call_string_cluster::cmp_ptr_ptr): New. (root_cluster::dump_dot): Sort m_map when dumping child clusters. * program-point.cc (function_point::cmp): New. (function_point::cmp_ptr): New. * program-point.h (function_point::cmp): New decl. (function_point::cmp_ptr): New decl. * program-state.cc (sm_state_map::print): Sort the values. Guard the printing of pointers with !flag_dump_noaddr. (program_state::prune_for_point): Sort the regions. (log_set_of_svalues): Sort the values. Guard the printing of pointers with !flag_dump_noaddr. * region-model-manager.cc (log_uniq_map): Sort the values. * region-model-reachability.cc (dump_set): New function template. (reachable_regions::dump_to_pp): Use it. * region-model.h (svalue::cmp_ptr): New decl. (svalue::cmp_ptr_ptr): New decl. (setjmp_record::cmp): New decl. (placeholder_svalue::get_name): New accessor. (widening_svalue::get_point): New accessor. (compound_svalue::get_map): New accessor. (conjured_svalue::get_stmt): New accessor. (conjured_svalue::get_id_region): New accessor. (region::cmp_ptrs): Rename to... (region::cmp_ptr_ptr): ...this. * region.cc (region::cmp_ptrs): Rename to... (region::cmp_ptr_ptr): ...this. * state-purge.cc (state_purge_per_ssa_name::state_purge_per_ssa_name): Sort m_points_needing_name when dumping. * store.cc (concrete_binding::cmp_ptr_ptr): New. (symbolic_binding::cmp_ptr_ptr): New. (binding_map::cmp): New. (get_sorted_parent_regions): Update for renaming of region::cmp_ptrs to region::cmp_ptr_ptr. (store::dump_to_pp): Likewise. (store::to_json): Likewise. (store::can_merge_p): Sort the base regions before considering them. * store.h (concrete_binding::cmp_ptr_ptr): New decl. (symbolic_binding::cmp_ptr_ptr): New decl. (binding_map::cmp): New decl. * supergraph.cc (supergraph::supergraph): Assign UIDs to the gimple stmts. * svalue.cc (cmp_cst): New. (svalue::cmp_ptr): New. (svalue::cmp_ptr_ptr): New. 2020-10-27 David Malcolm * engine.cc (exploded_graph::get_or_create_node): Fix off-by-one when imposing param_analyzer_max_enodes_per_program_point limit. 2020-10-27 David Malcolm * region-model.cc (region_model::get_representative_path_var): Implement case RK_LABEL. * region-model.h (label_region::get_label): New accessor. 2020-10-22 David Malcolm PR analyzer/97514 * engine.cc (exploded_graph::add_function_entry): Handle failure to create an enode, rather than asserting. 2020-10-22 David Malcolm PR analyzer/97489 * engine.cc (exploded_graph::add_function_entry): Assert that we have a function body. (exploded_graph::on_escaped_function): Reject fndecls that don't have a function body. 2020-10-14 David Malcolm PR analyzer/93388 * region-model.cc (region_model::get_initial_value_for_global): Fall back to returning an initial_svalue if decl_region::get_svalue_for_initializer fails. * region.cc (decl_region::get_svalue_for_initializer): Don't attempt to create a compound_svalue if the region has an unknown size. 2020-10-14 David Malcolm PR analyzer/93723 * store.cc (binding_map::apply_ctor_to_region): Remove redundant assertion. 2020-10-12 David Malcolm PR analyzer/97258 * engine.cc (impl_region_model_context::on_escaped_function): New vfunc. (exploded_graph::add_function_entry): Use m_functions_with_enodes to implement idempotency. (add_any_callbacks): New. (exploded_graph::build_initial_worklist): Use the above to find callbacks that are reachable from global initializers. (exploded_graph::on_escaped_function): New. * exploded-graph.h (impl_region_model_context::on_escaped_function): New decl. (exploded_graph::on_escaped_function): New decl. (exploded_graph::m_functions_with_enodes): New field. * region-model-reachability.cc (reachable_regions::reachable_regions): Replace "store" param with "model" param; use it to initialize m_model. (reachable_regions::add): When getting the svalue for the region, call get_store_value on the model rather than using an initial value. (reachable_regions::mark_escaped_clusters): Add ctxt param and use it to call on_escaped_function when a function_region escapes. * region-model-reachability.h (reachable_regions::reachable_regions): Replace "store" param with "model" param. (reachable_regions::mark_escaped_clusters): Add ctxt param. (reachable_regions::m_model): New field. * region-model.cc (region_model::handle_unrecognized_call): Update for change in reachable_regions ctor. (region_model::handle_unrecognized_call): Pass ctxt to mark_escaped_clusters. (region_model::get_reachable_svalues): Update for change in reachable_regions ctor. (region_model::get_initial_value_for_global): Read-only variables keep their initial values. * region-model.h (region_model_context::on_escaped_function): New vfunc. (noop_region_model_context::on_escaped_function): New. 2020-10-12 David Malcolm * analyzer.opt (Wanalyzer-write-to-const): New. (Wanalyzer-write-to-string-literal): New. * region-model-impl-calls.cc (region_model::impl_call_memcpy): Call check_for_writable_region. (region_model::impl_call_memset): Likewise. (region_model::impl_call_strcpy): Likewise. * region-model.cc (class write_to_const_diagnostic): New. (class write_to_string_literal_diagnostic): New. (region_model::check_for_writable_region): New. (region_model::set_value): Call check_for_writable_region. * region-model.h (region_model::check_for_writable_region): New decl. 2020-10-07 David Malcolm PR analyzer/97116 * sm-malloc.cc (method_p): New. (describe_argument_index): New. (inform_nonnull_attribute): Use describe_argument_index. (possible_null_arg::describe_final_event): Likewise. (null_arg::describe_final_event): Likewise. 2020-09-29 David Malcolm PR analyzer/95188 * engine.cc (stmt_requires_new_enode_p): Split enodes before "signal" calls. 2020-09-29 David Malcolm * constraint-manager.cc (constraint_manager::add_constraint_internal): Whitespace fixes. Silence -Wsign-compare warning. * engine.cc (maybe_process_run_of_before_supernode_enodes): Silence -Wsign-compare warning. 2020-09-28 David Malcolm * region-model.h (binop_svalue::dyn_cast_binop_svalue): Remove redundant "virtual". Add FINAL OVERRIDE. (widening_svalue::dyn_cast_widening_svalue): Add FINAL OVERRIDE. (compound_svalue::dyn_cast_compound_svalue): Likewise. (conjured_svalue::dyn_cast_conjured_svalue): Likewise. 2020-09-28 David Malcolm * diagnostic-manager.cc (null_assignment_sm_context::m_visitor): Remove unused field. 2020-09-28 David Malcolm PR analyzer/97233 * analyzer.cc (is_longjmp_call_p): Require the initial argument to be a pointer. * engine.cc (exploded_node::on_longjmp): Likewise. 2020-09-28 David Malcolm * program-state.cc (sm_state_map::print): Update check for m_global_state being the start state. 2020-09-26 David Malcolm PR analyzer/96646 PR analyzer/96841 * region-model.cc (region_model::get_representative_path_var): When handling offset_region, wrap the MEM_REF's first argument in an ADDR_EXPR of pointer type, rather than simply using the tree for the parent region. Require the MEM_REF's second argument to be an integer constant. 2020-09-24 David Malcolm * analyzer.h (struct rejected_constraint): New decl. * analyzer.opt (fanalyzer-feasibility): New option. * diagnostic-manager.cc (path_builder::path_builder): Add "problem" param and use it to initialize new field. (path_builder::get_feasibility_problem): New accessor. (path_builder::m_feasibility_problem): New field. (dedupe_winners::add): Remove inversion of logic in "if" clause, swapping if/else suites. In the !feasible_p suite, inspect flag_analyzer_feasibility and add code to handle when this is off, accepting the infeasible path, but recording the feasibility_problem. (diagnostic_manager::emit_saved_diagnostic): Pass the feasibility_problem to the path_builder. (diagnostic_manager::add_events_for_eedge): If we have a feasibility_problem at this edge, use it to add a custom event. * engine.cc (exploded_path::feasible_p): Pass a rejected_constraint ** to model.maybe_update_for_edge and transfer ownership of any created instance to any feasibility_problem. (feasibility_problem::dump_to_pp): New. * exploded-graph.h (feasibility_problem::feasibility_problem): Drop "model" param; add rejected_constraint * param. (feasibility_problem::~feasibility_problem): New. (feasibility_problem::dump_to_pp): New decl. (feasibility_problem::m_model): Drop field. (feasibility_problem::m_rc): New field. * program-point.cc (function_point::get_location): Handle PK_BEFORE_SUPERNODE and PK_AFTER_SUPERNODE. * program-state.cc (program_state::on_edge): Pass NULL to new param of region_model::maybe_update_for_edge. * region-model.cc (region_model::add_constraint): New overload adding a rejected_constraint ** param. (region_model::maybe_update_for_edge): Add rejected_constraint ** param and pass it to the various apply_constraints_for_ calls. (region_model::apply_constraints_for_gcond): Add rejected_constraint ** param and pass it to add_constraint calls. (region_model::apply_constraints_for_gswitch): Likewise. (region_model::apply_constraints_for_exception): Likewise. (rejected_constraint::dump_to_pp): New. * region-model.h (region_model::maybe_update_for_edge): Add rejected_constraint ** param. (region_model::add_constraint): New overload adding a rejected_constraint ** param. (region_model::apply_constraints_for_gcond): Add rejected_constraint ** param. (region_model::apply_constraints_for_gswitch): Likewise. (region_model::apply_constraints_for_exception): Likewise. (struct rejected_constraint): New. 2020-09-23 David Malcolm PR analyzer/97178 * engine.cc (impl_run_checkers): Update for change to ext_state ctor. * program-state.cc (selftest::test_sm_state_map): Pass an engine instance to ext_state ctor. (selftest::test_program_state_1): Likewise. (selftest::test_program_state_2): Likewise. (selftest::test_program_state_merging): Likewise. (selftest::test_program_state_merging_2): Likewise. * program-state.h (extrinsic_state::extrinsic_state): Remove NULL default value for "eng" param. 2020-09-23 Tobias Burnus * analyzer-logging.cc: Guard '#pragma ... ignored "-Wformat-diag"' by '#if __GNUC__ >= 10' * analyzer.h: Likewise. * call-string.cc: Likewise. 2020-09-23 David Malcolm * engine.cc (exploded_node::on_stmt): Replace sequence of dyn_cast with switch. 2020-09-22 David Malcolm * analysis-plan.cc: Include "json.h". * analyzer.opt (fdump-analyzer-json): New. * call-string.cc: Include "json.h". (call_string::to_json): New. * call-string.h (call_string::to_json): New decl. * checker-path.cc: Include "json.h". * constraint-manager.cc: Include "json.h". (equiv_class::to_json): New. (constraint::to_json): New. (constraint_manager::to_json): New. * constraint-manager.h (equiv_class::to_json): New decl. (constraint::to_json): New decl. (constraint_manager::to_json): New decl. * diagnostic-manager.cc: Include "json.h". (saved_diagnostic::to_json): New. (diagnostic_manager::to_json): New. * diagnostic-manager.h (saved_diagnostic::to_json): New decl. (diagnostic_manager::to_json): New decl. * engine.cc: Include "json.h", . (exploded_node::status_to_str): New. (exploded_node::to_json): New. (exploded_edge::to_json): New. (exploded_graph::to_json): New. (dump_analyzer_json): New. (impl_run_checkers): Call it. * exploded-graph.h (exploded_node::status_to_str): New decl. (exploded_node::to_json): New. (exploded_edge::to_json): New. (exploded_graph::to_json): New. * pending-diagnostic.cc: Include "json.h". * program-point.cc: Include "json.h". (program_point::to_json): New. * program-point.h (program_point::to_json): New decl. * program-state.cc: Include "json.h". (extrinsic_state::to_json): New. (sm_state_map::to_json): New. (program_state::to_json): New. * program-state.h (extrinsic_state::to_json): New decl. (sm_state_map::to_json): New decl. (program_state::to_json): New decl. * region-model-impl-calls.cc: Include "json.h". * region-model-manager.cc: Include "json.h". * region-model-reachability.cc: Include "json.h". * region-model.cc: Include "json.h". * region-model.h (svalue::to_json): New decl. (region::to_json): New decl. * region.cc: Include "json.h". (region::to_json: New. * sm-file.cc: Include "json.h". * sm-malloc.cc: Include "json.h". * sm-pattern-test.cc: Include "json.h". * sm-sensitive.cc: Include "json.h". * sm-signal.cc: Include "json.h". (signal_delivery_edge_info_t::to_json): New. * sm-taint.cc: Include "json.h". * sm.cc: Include "diagnostic.h", "tree-diagnostic.h", and "json.h". (state_machine::state::to_json): New. (state_machine::to_json): New. * sm.h (state_machine::state::to_json): New. (state_machine::to_json): New. * state-purge.cc: Include "json.h". * store.cc: Include "json.h". (binding_key::get_desc): New. (binding_map::to_json): New. (binding_cluster::to_json): New. (store::to_json): New. * store.h (binding_key::get_desc): New decl. (binding_map::to_json): New decl. (binding_cluster::to_json): New decl. (store::to_json): New decl. * supergraph.cc: Include "json.h". (supergraph::to_json): New. (supernode::to_json): New. (superedge::to_json): New. * supergraph.h (supergraph::to_json): New decl. (supernode::to_json): New decl. (superedge::to_json): New decl. * svalue.cc: Include "json.h". (svalue::to_json): New. 2020-09-21 David Malcolm PR analyzer/97130 * region-model-impl-calls.cc (call_details::get_arg_type): New. * region-model.cc (region_model::on_call_pre): Check that the initial arg is a pointer before calling impl_call_memset and impl_call_strlen. * region-model.h (call_details::get_arg_type): New decl. 2020-09-21 David Malcolm PR analyzer/93355 * sm-malloc.cc (malloc_state_machine::get_default_state): Look at the base region when considering pointers. Treat pointers to decls as being non-heap. 2020-09-18 David Malcolm * checker-path.cc (warning_event::get_desc): Handle global state changes. 2020-09-18 David Malcolm * sm-malloc.cc (malloc_state_machine::on_stmt): Handle strdup and strndup as being malloc-like allocators. 2020-09-16 David Malcolm * engine.cc (strongly_connected_components::strong_connect): Only consider intraprocedural edges when creating SCCs. (worklist::key_t::cmp): Add comment. Treat call_string differences as more important than differences of program_point within a supernode. 2020-09-16 David Malcolm * engine.cc (supernode_cluster::dump_dot): Show the SCC id in the per-supernode clusters in FILENAME.eg.dot output. (exploded_graph_annotator::add_node_annotations): Show the SCC of the supernode in FILENAME.supernode.eg.dot output. * exploded-graph.h (worklist::scc_id): New. (exploded_graph::get_scc_id): New. 2020-09-16 David Malcolm * engine.cc (exploded_node::dump_dot): Show STATUS_BULK_MERGED. (exploded_graph::process_worklist): Call maybe_process_run_of_before_supernode_enodes. (exploded_graph::maybe_process_run_of_before_supernode_enodes): New. (exploded_graph_annotator::print_enode): Show STATUS_BULK_MERGED. * exploded-graph.h (enum exploded_node::status): Add STATUS_BULK_MERGED. 2020-09-16 David Malcolm * engine.cc (exploded_graph::process_node) : Simplify by using program_point::get_next. * program-point.cc (program_point::get_next): New. * program-point.h (program_point::get_next): New decl. 2020-09-16 David Malcolm * engine.cc (exploded_graph::get_or_create_node): Show the program point when issuing -Wanalyzer-too-complex due to hitting the per-program-point limit. 2020-09-16 David Malcolm * region-model.cc (region_model::on_call_pre): Treat getchar as having no side-effects. 2020-09-15 David Malcolm PR analyzer/96650 * constraint-manager.cc (merger_fact_visitor::on_fact): Replace assertion that add_constraint succeeded with an assertion that if it fails, -fanalyzer-transitivity is off. 2020-09-14 David Malcolm * analyzer.opt (-param=analyzer-max-constraints=): New param. * constraint-manager.cc (constraint_manager::add_constraint_internal): Silently reject attempts to add constraints when the above limit is reached. 2020-09-14 David Malcolm PR analyzer/96653 * constraint-manager.cc (constraint_manager::get_or_add_equiv_class): Don't accumulate transitive closure of all constraints on constants. 2020-09-14 David Malcolm PR analyzer/97029 * analyzer.cc (is_setjmp_call_p): Require the initial arg to be a pointer. * region-model.cc (region_model::deref_rvalue): Assert that the svalue is of pointer type. 2020-09-11 David Malcolm PR analyzer/96798 * region-model-impl-calls.cc (region_model::impl_call_memcpy): New. (region_model::impl_call_strcpy): New. * region-model.cc (region_model::on_call_pre): Flag unhandled builtins that are non-pure as having unknown side-effects. Implement BUILT_IN_MEMCPY, BUILT_IN_MEMCPY_CHK, BUILT_IN_STRCPY, BUILT_IN_STRCPY_CHK, BUILT_IN_FPRINTF, BUILT_IN_FPRINTF_UNLOCKED, BUILT_IN_PUTC, BUILT_IN_PUTC_UNLOCKED, BUILT_IN_FPUTC, BUILT_IN_FPUTC_UNLOCKED, BUILT_IN_FPUTS, BUILT_IN_FPUTS_UNLOCKED, BUILT_IN_FWRITE, BUILT_IN_FWRITE_UNLOCKED, BUILT_IN_PRINTF, BUILT_IN_PRINTF_UNLOCKED, BUILT_IN_PUTCHAR, BUILT_IN_PUTCHAR_UNLOCKED, BUILT_IN_PUTS, BUILT_IN_PUTS_UNLOCKED, BUILT_IN_VFPRINTF, BUILT_IN_VPRINTF. * region-model.h (region_model::impl_call_memcpy): New decl. (region_model::impl_call_strcpy): New decl. 2020-09-09 David Malcolm PR analyzer/94355 * analyzer.opt (Wanalyzer-mismatching-deallocation): New warning. * region-model-impl-calls.cc (region_model::impl_call_operator_new): New. (region_model::impl_call_operator_delete): New. * region-model.cc (region_model::on_call_pre): Detect operator new and operator delete. (region_model::on_call_post): Likewise. (region_model::maybe_update_for_edge): Detect EH edges and call... (region_model::apply_constraints_for_exception): New function. * region-model.h (region_model::impl_call_operator_new): New decl. (region_model::impl_call_operator_delete): New decl. (region_model::apply_constraints_for_exception): New decl. * sm-malloc.cc (enum resource_state): New. (struct allocation_state): New state subclass. (enum wording): New. (struct api): New. (malloc_state_machine::custom_data_t): New typedef. (malloc_state_machine::add_state): New decl. (malloc_state_machine::m_unchecked) (malloc_state_machine::m_nonnull) (malloc_state_machine::m_freed): Delete these states in favor of... (malloc_state_machine::m_malloc) (malloc_state_machine::m_scalar_new) (malloc_state_machine::m_vector_new): ...this new api instances, which own their own versions of these states. (malloc_state_machine::on_allocator_call): New decl. (malloc_state_machine::on_deallocator_call): New decl. (api::api): New ctor. (dyn_cast_allocation_state): New. (as_a_allocation_state): New. (get_rs): New. (unchecked_p): New. (nonnull_p): New. (freed_p): New. (malloc_diagnostic::describe_state_change): Use unchecked_p and nonnull_p. (class mismatching_deallocation): New. (double_free::double_free): Add funcname param for initializing m_funcname. (double_free::emit): Use m_funcname in warning message rather than hardcoding "free". (double_free::describe_state_change): Likewise. Use freed_p. (double_free::describe_call_with_state): Use freed_p. (double_free::describe_final_event): Use m_funcname in message rather than hardcoding "free". (double_free::m_funcname): New field. (possible_null::describe_state_change): Use unchecked_p. (possible_null::describe_return_of_state): Likewise. (use_after_free::use_after_free): Add param for initializing m_api. (use_after_free::emit): Use m_api->m_dealloc_funcname in message rather than hardcoding "free". (use_after_free::describe_state_change): Use freed_p. Change the wording of the message based on the API. (use_after_free::describe_final_event): Use m_api->m_dealloc_funcname in message rather than hardcoding "free". Change the wording of the message based on the API. (use_after_free::m_api): New field. (malloc_leak::describe_state_change): Use unchecked_p. Update for renaming of m_malloc_event to m_alloc_event. (malloc_leak::describe_final_event): Update for renaming of m_malloc_event to m_alloc_event. (malloc_leak::m_malloc_event): Rename... (malloc_leak::m_alloc_event): ...to this. (free_of_non_heap::free_of_non_heap): Add param for initializing m_funcname. (free_of_non_heap::emit): Use m_funcname in message rather than hardcoding "free". (free_of_non_heap::describe_final_event): Likewise. (free_of_non_heap::m_funcname): New field. (allocation_state::dump_to_pp): New. (allocation_state::get_nonnull): New. (malloc_state_machine::malloc_state_machine): Update for changes to state fields and new api fields. (malloc_state_machine::add_state): New. (malloc_state_machine::on_stmt): Move malloc/calloc handling to on_allocator_call and call it, passing in the API pointer. Likewise for free, moving it to on_deallocator_call. Handle calls to operator new and delete in an analogous way. Use unchecked_p when testing for possibly-null-arg and possibly-null-deref, and transition to the non-null for the correct API. Remove redundant node param from call to on_zero_assignment. Use freed_p for use-after-free check, and pass in API. (malloc_state_machine::on_allocator_call): New, based on code in on_stmt. (malloc_state_machine::on_deallocator_call): Likewise. (malloc_state_machine::on_phi): Mark node param with ATTRIBUTE_UNUSED; don't pass it to on_zero_assignment. (malloc_state_machine::on_condition): Mark node param with ATTRIBUTE_UNUSED. Replace on_transition calls with get_state and set_next_state pairs, transitioning to the non-null state for the appropriate API. (malloc_state_machine::can_purge_p): Port to new state approach. (malloc_state_machine::on_zero_assignment): Replace on_transition calls with get_state and set_next_state pairs. Drop redundant node param. * sm.h (state_machine::add_custom_state): New. 2020-09-09 David Malcolm * diagnostic-manager.cc (null_assignment_sm_context::warn_for_state): Replace with... (null_assignment_sm_context::warn): ...this. * engine.cc (impl_sm_context::warn_for_state): Replace with... (impl_sm_context::warn): ...this. * sm-file.cc (fileptr_state_machine::on_stmt): Replace warn_for_state and on_transition calls with a get_state test guarding warn and set_next_state calls. * sm-malloc.cc (malloc_state_machine::on_stmt): Likewise. * sm-pattern-test.cc (pattern_test_state_machine::on_condition): Replace warn_for_state call with warn call. * sm-sensitive.cc (sensitive_state_machine::warn_for_any_exposure): Replace warn_for_state call with a get_state test guarding a warn call. * sm-signal.cc (signal_state_machine::on_stmt): Likewise. * sm-taint.cc (taint_state_machine::on_stmt): Replace warn_for_state and on_transition calls with a get_state test guarding warn and set_next_state calls. * sm.h (sm_context::warn_for_state): Replace with... (sm_context::warn): ...this. 2020-09-09 David Malcolm * diagnostic-manager.cc (null_assignment_sm_context::null_assignment_sm_context): Add old_state and ext_state params, initializing m_old_state and m_ext_state. (null_assignment_sm_context::on_transition): Split into... (null_assignment_sm_context::get_state): ...this new vfunc implementation and... (null_assignment_sm_context::set_next_state): ...this new vfunc implementation. (null_assignment_sm_context::m_old_state): New field. (null_assignment_sm_context::m_ext_state): New field. (diagnostic_manager::add_events_for_eedge): Pass in old state and ext_state when creating sm_ctxt. * engine.cc (impl_sm_context::on_transition): Split into... (impl_sm_context::get_state): ...this new vfunc implementation and... (impl_sm_context::set_next_state): ...this new vfunc implementation. * sm.h (sm_context::get_state): New pure virtual function. (sm_context::set_next_state): Likewise. (sm_context::on_transition): Convert from a pure virtual function to a regular function implemented in terms of get_state and set_next_state. 2020-09-09 David Malcolm * checker-path.cc (state_change_event::get_desc): Update state_machine::get_state_name calls to state::get_name. (warning_event::get_desc): Likewise. * diagnostic-manager.cc (null_assignment_sm_context::on_transition): Update comparison against 0 with comparison with m_sm.get_start_state. (diagnostic_manager::prune_for_sm_diagnostic): Update state_machine::get_state_name calls to state::get_name. * engine.cc (impl_sm_context::on_transition): Likewise. (exploded_node::get_dot_fillcolor): Use get_id when summing the sm states. * program-state.cc (sm_state_map::sm_state_map): Don't hardcode 0 as the start state when initializing m_global_state. (sm_state_map::print): Use dump_to_pp rather than get_state_name when dumping states. (sm_state_map::is_empty_p): Don't hardcode 0 as the start state when examining m_global_state. (sm_state_map::hash): Use get_id when hashing states. (selftest::test_sm_state_map): Use state objects rather than arbitrary hardcoded integers. (selftest::test_program_state_merging): Likewise. (selftest::test_program_state_merging_2): Likewise. * sm-file.cc (fileptr_state_machine::m_start): Move to base class. (file_diagnostic::describe_state_change): Use get_start_state. (fileptr_state_machine::fileptr_state_machine): Drop m_start initialization. * sm-malloc.cc (malloc_state_machine::m_start): Move to base class. (malloc_diagnostic::describe_state_change): Use get_start_state. (possible_null::describe_state_change): Likewise. (malloc_state_machine::malloc_state_machine): Drop m_start initialization. * sm-pattern-test.cc (pattern_test_state_machine::m_start): Move to base class. (pattern_test_state_machine::pattern_test_state_machine): Drop m_start initialization. * sm-sensitive.cc (sensitive_state_machine::m_start): Move to base class. (sensitive_state_machine::sensitive_state_machine): Drop m_start initialization. * sm-signal.cc (signal_state_machine::m_start): Move to base class. (signal_state_machine::signal_state_machine): Drop m_start initialization. * sm-taint.cc (taint_state_machine::m_start): Move to base class. (taint_state_machine::taint_state_machine): Drop m_start initialization. * sm.cc (state_machine::state::dump_to_pp): New. (state_machine::state_machine): Move here from sm.h. Initialize m_next_state_id and m_start. (state_machine::add_state): Reimplement in terms of state objects. (state_machine::get_state_name): Delete. (state_machine::get_state_by_name): Reimplement in terms of state objects. Make const. (state_machine::validate): Delete. (state_machine::dump_to_pp): Reimplement in terms of state objects. * sm.h (state_machine::state): New class. (state_machine::state_t): Convert typedef from "unsigned" to "const state_machine::state *". (state_machine::state_machine): Move to sm.cc. (state_machine::get_default_state): Use m_start rather than hardcoding 0. (state_machine::get_state_name): Delete. (state_machine::get_state_by_name): Make const. (state_machine::get_start_state): New accessor. (state_machine::alloc_state_id): New. (state_machine::m_state_names): Drop in favor of... (state_machine::m_states): New field (state_machine::m_start): New field (start_start_p): Delete. 2020-09-08 David Malcolm PR analyzer/96949 * store.cc (binding_map::apply_ctor_val_to_range): Add error-handling for the cases where we have symbolic offsets. 2020-09-08 David Malcolm PR analyzer/96950 * store.cc (binding_map::apply_ctor_to_region): Handle RANGE_EXPR where min_index == max_index. (binding_map::apply_ctor_val_to_range): Replace assertion that we don't have a CONSTRUCTOR value with error-handling. 2020-09-08 David Malcolm PR analyzer/96962 * region-model.cc (region_model::on_call_pre): Fix guard on switch on built-ins to only consider BUILT_IN_NORMAL, rather than other kinds of build-ins. 2020-09-01 David Malcolm PR analyzer/96792 * region-model.cc (region_model::deref_rvalue): Add the constraint that PTR_SVAL is non-NULL. 2020-08-31 David Malcolm PR analyzer/96798 * region-model.cc (region_model::on_call_pre): Handle BUILT_IN_MEMSET_CHK. 2020-08-31 David Malcolm * region-model.cc (region_model::on_call_pre): Gather handling of builtins and of internal fns into switch statements. Handle "alloca" and BUILT_IN_ALLOCA_WITH_ALIGN. 2020-08-31 David Malcolm PR analyzer/96860 * region.cc (decl_region::get_svalue_for_constructor): Support apply_ctor_to_region failing. * store.cc (binding_map::apply_ctor_to_region): Add failure handling. (binding_map::apply_ctor_val_to_range): Likewise. (binding_map::apply_ctor_pair_to_child_region): Likewise. Replace assertion that child_base_offset is not symbolic with error handling. * store.h (binding_map::apply_ctor_to_region): Convert return type from void to bool. (binding_map::apply_ctor_val_to_range): Likewise. (binding_map::apply_ctor_pair_to_child_region): Likewise. 2020-08-31 David Malcolm PR analyzer/96763 * store.cc (binding_map::apply_ctor_to_region): Handle RANGE_EXPR by calling a new binding_map::apply_ctor_val_to_range subroutine. Split out the existing non-CONSTRUCTOR-handling code to a new apply_ctor_pair_to_child_region subroutine. (binding_map::apply_ctor_val_to_range): New. (binding_map::apply_ctor_pair_to_child_region): New, split out from binding_map::apply_ctor_to_region as noted above. * store.h (binding_map::apply_ctor_val_to_range): New decl. (binding_map::apply_ctor_pair_to_child_region): New decl. 2020-08-31 David Malcolm PR analyzer/96764 * region-model-manager.cc (region_model_manager::maybe_fold_unaryop): Handle VIEW_CONVERT_EXPR. (region_model_manager::get_or_create_cast): Move logic for real->integer casting to... (get_code_for_cast): ...this new function, and add logic for real->non-integer casts. (region_model_manager::maybe_fold_sub_svalue): Handle VIEW_CONVERT_EXPR. * region-model.cc (region_model::add_any_constraints_from_gassign): Likewise. * svalue.cc (svalue::maybe_undo_cast): Likewise. (unaryop_svalue::dump_to_pp): Likewise. 2020-08-26 David Malcolm PR analyzer/94858 * region-model-manager.cc (region_model_manager::get_or_create_widening_svalue): Assert that neither of the inputs are themselves widenings. * store.cc (store::eval_alias_1): The initial value of a pointer can't point to a region that was allocated on the heap after the beginning of the path. A widened pointer value can't alias anything that the initial pointer value can't alias. * svalue.cc (svalue::can_merge_p): Merge BINOP (X, OP, CST) with X to a widening svalue. Merge BINOP(WIDENING(BASE, BINOP(BASE, X)), X) and BINOP(BASE, X) to to the LHS of the first BINOP. 2020-08-26 David Malcolm PR analyzer/96777 * region-model.h (class compound_svalue): Document that all keys must be concrete. (compound_svalue::compound_svalue): Move definition to svalue.cc. * store.cc (binding_map::apply_ctor_to_region): Handle initializers for trailing arrays with incomplete size. * svalue.cc (compound_svalue::compound_svalue): Move definition here from region-model.h. Add assertion that all keys are concrete. 2020-08-22 David Malcolm PR analyzer/94851 * region-model-manager.cc (region_model_manager::maybe_fold_binop): Fold bitwise "& 0" to 0. 2020-08-22 David Malcolm * store.cc (store::eval_alias): Make const. Split out 2nd half into store::eval_alias_1 and call it twice for symmetry, avoiding test duplication. (store::eval_alias_1): New function, split out from the above. * store.h (store::eval_alias): Make const. (store::eval_alias_1): New decl. 2020-08-22 David Malcolm * region-model.cc (region_model::push_frame): Bind the default SSA name for each parm if it exists, falling back to the parm itself otherwise, rather than doing both. 2020-08-20 David Malcolm PR analyzer/96723 * region-model-manager.cc (region_model_manager::get_field_region): Assert that field is a FIELD_DECL. * region.cc (region::get_subregions_for_binding): In union-handling, filter the TYPE_FIELDS traversal to just FIELD_DECLs. 2020-08-20 David Malcolm PR analyzer/96713 * region-model.cc (region_model::get_gassign_result): For comparisons, only use eval_condition when the lhs has boolean type, and use get_or_create_constant_svalue on the boolean constants directly rather than via get_rvalue. 2020-08-19 David Malcolm PR analyzer/96643 * region-model.cc (region_model::deref_rvalue): Rather than attempting to handle all svalue kinds in the switch, only cover the special cases, and move symbolic-region handling to after the switch, thus implicitly handling the missing case SK_COMPOUND. 2020-08-19 David Malcolm PR analyzer/96705 * region-model-manager.cc (region_model_manager::maybe_fold_binop): Check that we have an integral type before calling build_int_cst. 2020-08-19 David Malcolm PR analyzer/96699 * region-model-manager.cc (region_model_manager::get_or_create_cast): Use FIX_TRUNC_EXPR for casting from REAL_TYPE to INTEGER_TYPE. 2020-08-19 David Malcolm PR analyzer/96651 * region-model.cc (region_model::called_from_main_p): New. (region_model::get_store_value): Move handling for globals into... (region_model::get_initial_value_for_global): ...this new function, and add logic for extracting values from decl initializers. * region-model.h (decl_region::get_svalue_for_constructor): New decl. (decl_region::get_svalue_for_initializer): New decl. (region_model::called_from_main_p): New decl. (region_model::get_initial_value_for_global): New. * region.cc (decl_region::maybe_get_constant_value): Move logic for getting an svalue from a CONSTRUCTOR node to... (decl_region::get_svalue_for_constructor): ...this new function. (decl_region::get_svalue_for_initializer): New. * store.cc (get_svalue_for_ctor_val): Rewrite in terms of region_model::get_rvalue. * store.h (binding_cluster::get_map): New accessor. 2020-08-19 David Malcolm PR analyzer/96648 * region.cc (get_field_at_bit_offset): Gracefully handle negative values for bit_offset. 2020-08-18 David Malcolm * region-model.cc (region_model::get_rvalue_1): Fix name of local. 2020-08-18 David Malcolm PR analyzer/96641 * region-model.cc (region_model::get_rvalue_1): Handle unrecognized tree codes by returning "UNKNOWN. 2020-08-18 David Malcolm PR analyzer/96640 * region-model.cc (region_model::get_gassign_result): Handle various VEC_* tree codes by returning UNKNOWN. (region_model::on_assignment): Handle unrecognized tree codes by setting lhs to an unknown value, rather than issuing a "sorry" and asserting. 2020-08-17 David Malcolm PR analyzer/96644 * region-model-manager.cc (get_region_for_unexpected_tree_code): Handle ctxt being NULL. 2020-08-17 David Malcolm PR analyzer/96639 * region.cc (region::get_subregions_for_binding): Check for "type" being NULL. 2020-08-17 David Malcolm PR analyzer/96642 * store.cc (get_svalue_for_ctor_val): New. (binding_map::apply_ctor_to_region): Call it. 2020-08-14 David Malcolm PR testsuite/96609 PR analyzer/96616 * region-model.cc (region_model::get_store_value): Call maybe_get_constant_value on decl_regions first. * region-model.h (decl_region::maybe_get_constant_value): New decl. * region.cc (decl_region::get_stack_depth): Likewise. (decl_region::maybe_get_constant_value): New. * store.cc (get_subregion_within_ctor): New. (binding_map::apply_ctor_to_region): New. * store.h (binding_map::apply_ctor_to_region): New decl. 2020-08-14 David Malcolm PR analyzer/96611 * store.cc (store::mark_as_escaped): Reject attempts to get a cluster for an unknown pointer. 2020-08-13 David Malcolm PR analyzer/93032 PR analyzer/93938 PR analyzer/94011 PR analyzer/94099 PR analyzer/94399 PR analyzer/94458 PR analyzer/94503 PR analyzer/94640 PR analyzer/94688 PR analyzer/94689 PR analyzer/94839 PR analyzer/95026 PR analyzer/95042 PR analyzer/95240 * analyzer-logging.cc: Ignore "-Wformat-diag". (logger::enter_scope): Use inc_indent in both overloads. (logger::exit_scope): Use dec_indent. * analyzer-logging.h (logger::inc_indent): New. (logger::dec_indent): New. * analyzer-selftests.cc (run_analyzer_selftests): Call analyzer_store_cc_tests. * analyzer-selftests.h (analyzer_store_cc_tests): New decl. * analyzer.cc (get_stmt_location): New function. * analyzer.h (class initial_svalue): New forward decl. (class unaryop_svalue): New forward decl. (class binop_svalue): New forward decl. (class sub_svalue): New forward decl. (class unmergeable_svalue): New forward decl. (class placeholder_svalue): New forward decl. (class widening_svalue): New forward decl. (class compound_svalue): New forward decl. (class conjured_svalue): New forward decl. (svalue_set): New typedef. (class map_region): Delete. (class array_region): Delete. (class frame_region): New forward decl. (class function_region): New forward decl. (class label_region): New forward decl. (class decl_region): New forward decl. (class element_region): New forward decl. (class offset_region): New forward decl. (class cast_region): New forward decl. (class field_region): New forward decl. (class string_region): New forward decl. (class region_model_manager): New forward decl. (class store_manager): New forward decl. (class store): New forward decl. (class call_details): New forward decl. (struct svalue_id_merger_mapping): Delete. (struct canonicalization): Delete. (class function_point): New forward decl. (class engine): New forward decl. (dump_tree): New function decl. (print_quoted_type): New function decl. (readability_comparator): New function decl. (tree_cmp): New function decl. (class path_var): Move here from region-model.h (bit_offset_t, bit_size_t, byte_size_t): New typedefs. (class region_offset): New class. (get_stmt_location): New decl. (struct member_function_hash_traits): New struct. (class consolidation_map): New class. Ignore "-Wformat-diag". * analyzer.opt (-param=analyzer-max-svalue-depth=): New param. (-param=analyzer-max-enodes-for-full-dump=): New param. * call-string.cc: Ignore -Wformat-diag. * checker-path.cc: Move includes of "analyzer/call-string.h" and "analyzer/program-point.h" to before "analyzer/region-model.h", and also include "analyzer/store.h" before it. (state_change_event::state_change_event): Replace "tree var" param with "const svalue *sval". Convert "origin" param from tree to "const svalue *". (state_change_event::get_desc): Call get_representative_tree to convert the var and origin from const svalue * to tree. Use svalue::get_desc rather than %qE when describing state changes. (checker_path::add_final_event): Use get_stmt_location. * checker-path.h (state_change_event::state_change_event): Port from tree to const svalue *. (state_change_event::get_lvalue): Delete. (state_change_event::get_dest_function): New. (state_change_event::m_var): Replace with... (state_change_event::m_sval): ...this. (state_change_event::m_origin): Convert from tree to const svalue *. * constraint-manager.cc: Include "analyzer/call-string.h", "analyzer/program-point.h", and "analyzer/store.h" before "analyzer/region-model.h". (struct bound, struct range): Move to constraint-manager.h. (compare_constants): New function. (range::dump): Rename to... (range::dump_to_pp): ...this. Support NULL constants. (range::dump): Reintroduce for dumping to stderr. (range::constrained_to_single_element): Return result, rather than writing to *OUT. (range::eval_condition): New. (range::below_lower_bound): New. (range::above_upper_bound): New. (equiv_class::equiv_class): Port from svalue_id to const svalue *. (equiv_class::print): Likewise. (equiv_class::hash): Likewise. (equiv_class::operator==): Port from svalue_id to const svalue *. (equiv_class::add): Port from svalue_id to const svalue *. Drop "cm" param. (equiv_class::del): Port from svalue_id to const svalue *. (equiv_class::get_representative): Likewise. (equiv_class::remap_svalue_ids): Delete. (svalue_id_cmp_by_id): Rename to... (svalue_cmp_by_ptr): ...this, porting from svalue_id to const svalue *. (equiv_class::canonicalize): Update qsort comparator. (constraint::implied_by): New. (constraint_manager::constraint_manager): Copy m_mgr in copy ctor. (constraint_manager::dump_to_pp): Add "multiline" param (constraint_manager::dump): Pass "true" for "multiline". (constraint_manager::add_constraint): Port from svalue_id to const svalue *. Split out second part into... (constraint_manager::add_unknown_constraint): ...this new function. Remove self-constraints when merging equivalence classes. (constraint_manager::add_constraint_internal): Remove constraints that would be implied by the new constraint. Port from svalue_id to const svalue *. (constraint_manager::get_equiv_class_by_sid): Rename to... (constraint_manager::get_equiv_class_by_svalue): ...this, porting from svalue_id to const svalue *. (constraint_manager::get_or_add_equiv_class): Port from svalue_id to const svalue *. (constraint_manager::eval_condition): Make const. Call compare_constants and return early if it provides a known result. (constraint_manager::get_ec_bounds): New. (constraint_manager::eval_condition): New overloads. Make existing one const, and use compare_constants. (constraint_manager::purge): Convert "p" param to a template rather that an abstract base class. Port from svalue_id to const svalue *. (class dead_svalue_purger): New class. (constraint_manager::remap_svalue_ids): Delete. (constraint_manager::on_liveness_change): New. (equiv_class_cmp): Port from svalue_id to const svalue *. (constraint_manager::canonicalize): Likewise. Combine with purging of redundant equivalence classes and constraints. (class cleaned_constraint_manager): Delete. (class merger_fact_visitor): Make "m_cm_b" const. Add "m_merger" field. (merger_fact_visitor::fact): Port from svalue_id to const svalue *. Add special case for widening. (constraint_manager::merge): Port from svalue_id to const svalue *. (constraint_manager::clean_merger_input): Delete. (constraint_manager::for_each_fact): Port from svalue_id to const svalue *. (constraint_manager::validate): Likewise. (selftest::test_constraint_conditions): Provide a region_model_manager when creating region_model instances. Add test for self-equality not creating equivalence classes. (selftest::test_transitivity): Provide a region_model_manager when creating region_model instances. Verify that EC-merging happens when constraints are implied. (selftest::test_constant_comparisons): Provide a region_model_manager when creating region_model instances. (selftest::test_constraint_impl): Likewise. Remove over-specified assertions. (selftest::test_equality): Provide a region_model_manager when creating region_model instances. (selftest::test_many_constants): Likewise. Provide a program_point when testing merging. (selftest::run_constraint_manager_tests): Move call to test_constant_comparisons to outside the transitivity guard. * constraint-manager.h (struct bound): Move here from constraint-manager.cc. (struct range): Likewise. (struct::eval_condition): New decl. (struct::below_lower_bound): New decl. (struct::above_upper_bound): New decl. (equiv_class::add): Port from svalue_id to const svalue *. (equiv_class::del): Likewise. (equiv_class::get_representative): Likewise. (equiv_class::remap_svalue_ids): Drop. (equiv_class::m_cst_sid): Convert to.. (equiv_class::m_cst_sval): ...this. (equiv_class::m_vars): Port from svalue_id to const svalue *. (constraint::bool implied_by): New decl. (fact_visitor::on_fact): Port from svalue_id to const svalue *. (constraint_manager::constraint_manager): Add mgr param. (constraint_manager::clone): Delete. (constraint_manager::maybe_get_constant): Delete. (constraint_manager::get_sid_for_constant): Delete. (constraint_manager::get_num_svalues): Delete. (constraint_manager::dump_to_pp): Add "multiline" param. (constraint_manager::get_equiv_class): Port from svalue_id to const svalue *. (constraint_manager::add_constraint): Likewise. (constraint_manager::get_equiv_class_by_sid): Rename to... (constraint_manager::get_equiv_class_by_svalue): ...this, porting from svalue_id to const svalue *. (constraint_manager::add_unknown_constraint): New decl. (constraint_manager::get_or_add_equiv_class): Port from svalue_id to const svalue *. (constraint_manager::eval_condition): Likewise. Add overloads. (constraint_manager::get_ec_bounds): New decl. (constraint_manager::purge): Convert to template. (constraint_manager::remap_svalue_ids): Delete. (constraint_manager::on_liveness_change): New decl. (constraint_manager::canonicalize): Drop param. (constraint_manager::clean_merger_input): Delete. (constraint_manager::m_mgr): New field. * diagnostic-manager.cc: Move includes of "analyzer/call-string.h" and "analyzer/program-point.h" to before "analyzer/region-model.h", and also include "analyzer/store.h" before it. (saved_diagnostic::saved_diagnostic): Add "sval" param. (diagnostic_manager::diagnostic_manager): Add engine param. (diagnostic_manager::add_diagnostic): Add "sval" param, passing it to saved_diagnostic ctor. Update overload to pass NULL for it. (dedupe_winners::dedupe_winners): Add engine param. (dedupe_winners::add): Add "eg" param. Pass m_engine to feasible_p. (dedupe_winner::m_engine): New field. (diagnostic_manager::emit_saved_diagnostics): Pass engine to dedupe_winners. Pass &eg when adding candidates. Pass svalue rather than tree to prune_path. Use get_stmt_location to get primary location of diagnostic. (diagnostic_manager::emit_saved_diagnostic): Likewise. (get_any_origin): Drop. (state_change_event_creator::on_global_state_change): Pass NULL const svalue * rather than NULL_TREE trees to state_change_event ctor. (state_change_event_creator::on_state_change): Port from tree and svalue_id to const svalue *. (for_each_state_change): Port from svalue_id to const svalue *. (struct null_assignment_sm_context): New. (diagnostic_manager::add_events_for_eedge): Add state change events for assignment to NULL. (diagnostic_manager::prune_path): Update param from tree to const svalue *. (diagnostic_manager::prune_for_sm_diagnostic): Port from tracking by tree to by const svalue *. * diagnostic-manager.h (saved_diagnostic::saved_diagnostic): Add sval param. (saved_diagnostic::m_sval): New field. (diagnostic_manager::diagnostic_manager): Add engine param. (diagnostic_manager::get_engine): New. (diagnostic_manager::add_diagnostic): Add "sval" param. (diagnostic_manager::prune_path): Likewise. (diagnostic_manager::prune_for_sm_diagnostic): New overload. (diagnostic_manager::m_eng): New field. * engine.cc: Move includes of "analyzer/call-string.h" and "analyzer/program-point.h" to before "analyzer/region-model.h", and also include "analyzer/store.h" before it. (impl_region_model_context::impl_region_model_context): Update for removal of m_change field. (impl_region_model_context::remap_svalue_ids): Delete. (impl_region_model_context::on_svalue_leak): New. (impl_region_model_context::on_svalue_purge): Delete. (impl_region_model_context::on_liveness_change): New. (impl_region_model_context::on_unknown_change): Update param from svalue_id to const svalue *. Add is_mutable param. (setjmp_svalue::compare_fields): Delete. (setjmp_svalue::accept): New. (setjmp_svalue::add_to_hash): Delete. (setjmp_svalue::dump_to_pp): New. (setjmp_svalue::print_details): Delete. (impl_sm_context::impl_sm_context): Drop "change" param. (impl_sm_context::get_fndecl_for_call): Drop "m_change". (impl_sm_context::on_transition): Drop ATTRIBUTE_UNUSED from "stmt" param. Drop m_change. Port from svalue_id to const svalue *. (impl_sm_context::warn_for_state): Drop m_change. Port from svalue_id to const svalue *. (impl_sm_context::get_readable_tree): Rename to... (impl_sm_context::get_diagnostic_tree): ...this. Port from svalue_id to const svalue *. (impl_sm_context::is_zero_assignment): New. (impl_sm_context::m_change): Delete field. (leak_stmt_finder::find_stmt): Handle m_var being NULL. (readability): Increase penalty for MEM_REF. For SSA_NAMEs, slightly favor the underlying var over the SSA name. Heavily penalize temporaries. Handle RESULT_DECL. (readability_comparator): Make non-static. Consider stack depths. (impl_region_model_context::on_state_leak): Convert from svalue_id to const svalue *, updating for region_model changes. Use id_equal. (impl_region_model_context::on_inherited_svalue): Delete. (impl_region_model_context::on_cast): Delete. (impl_region_model_context::on_condition): Drop m_change. (impl_region_model_context::on_phi): Likewise. (impl_region_model_context::on_unexpected_tree_code): Handle t being NULL. (point_and_state::validate): Update stack checking for region_model changes. (eg_traits::dump_args_t::show_enode_details_p): New. (exploded_node::exploded_node): Initialize m_num_processed_stmts. (exploded_node::get_processed_stmt): New function. (exploded_node::get_dot_fillcolor): Add more colors. (exploded_node::dump_dot): Guard the printing of the point and state with show_enode_details_p. Print the processed stmts for this enode after the initial state. (exploded_node::dump_to_pp): Pass true for new multiline param of program_state::dump_to_pp. (exploded_node::on_stmt): Drop "change" param. Log the stmt. Set input_location. Implement __analyzer_describe. Update implementation of __analyzer_dump and __analyzer_eval. Remove purging of sm-state for unknown fncalls from here. (exploded_node::on_edge): Drop "change" param. (exploded_node::on_longjmp): Port from region_id/svalue_id to const region */const svalue *. Call program_state::detect_leaks. Drop state_change. (exploded_node::detect_leaks): Update for changes to region_model. Call program_state::detect_leaks. (exploded_edge::exploded_edge): Drop ext_state and change params. (exploded_edge::dump_dot): "args" is no longer used. Drop dumping of m_change. (exploded_graph::exploded_graph): Pass engine to m_diagnostic_manager ctor. Use program_point::origin. (exploded_graph::add_function_entry): Drop ctxt. Use program_state::push_frame. Drop state_change. (exploded_graph::get_or_create_node): Drop "change" param. Add "enode_for_diag" param. Update dumping calls for API changes. Pass point to can_merge_with_p. Show enode indices within -Wanalyzer-too-complex diagnostic for hitting the per-point limit. (exploded_graph::add_edge): Drop "change" param. Log which nodes are being connected. Update for changes to exploded_edge ctor. (exploded_graph::get_per_program_point_data): New. (exploded_graph::process_worklist): Pass point to can_merge_with_p. Drop state_change. Update dumping call for API change. (exploded_graph::process_node): Drop state_change. Split the node in-place if an sm-state-change occurs. Update m_num_processed_stmts. Update dumping calls for API change. (exploded_graph::log_stats): Call engine::log_stats. (exploded_graph::dump_states_for_supernode): Update dumping call. (exploded_path::feasible_p): Add "eng" and "eg" params. Rename "i" to "end_idx". Pass the manager to the region_model ctor. Update for every processed stmt in the enode, not just the first. Keep track of which snodes have been visited, and call loop_replay_fixup when revisiting one. (enode_label::get_text): Update dump call for new param. (exploded_graph::dump_exploded_nodes): Likewise. (exploded_graph::get_node_by_index): New. (impl_run_checkers): Create engine instance and pass its address to extrinsic_state ctor. * exploded-graph.h (impl_region_model_context::impl_region_model_context): Drop "change" params. (impl_region_model_context::void remap_svalue_ids): Delete. (impl_region_model_context::on_svalue_purge): Delete. (impl_region_model_context::on_svalue_leak): New. (impl_region_model_context::on_liveness_change): New. (impl_region_model_context::on_state_leak): Update signature. (impl_region_model_context::on_inherited_svalue): Delete. (impl_region_model_context::on_cast): Delete. (impl_region_model_context::on_unknown_change): Update signature. (impl_region_model_context::m_change): Delete. (eg_traits::dump_args_t::show_enode_details_p): New. (exploded_node::on_stmt): Drop "change" param. (exploded_node::on_edge): Likewise. (exploded_node::get_processed_stmt): New decl. (exploded_node::m_num_processed_stmts): New field. (exploded_edge::exploded_edge): Drop ext_state and change params. (exploded_edge::m_change): Delete. (exploded_graph::get_engine): New accessor. (exploded_graph::get_or_create_node): Drop "change" param. Add "enode_for_diag" param. (exploded_graph::add_edge): Drop "change" param. (exploded_graph::get_per_program_point_data): New decl. (exploded_graph::get_node_by_index): New decl. (exploded_path::feasible_p): Add "eng" and "eg" params. * program-point.cc: Include "analyzer/store.h" before including "analyzer/region-model.h". (function_point::function_point): Move here from program-point.h. (function_point::get_function): Likewise. (function_point::from_function_entry): Likewise. (function_point::before_supernode): Likewise. (function_point::next_stmt): New function. * program-point.h (function_point::function_point): Move implementation from here to program-point.cc. (function_point::get_function): Likewise. (function_point::from_function_entry): Likewise. (function_point::before_supernode): Likewise. (function_point::next_stmt): New decl. (program_point::operator!=): New. (program_point::origin): New. (program_point::next_stmt): New. (program_point::m_function_point): Make non-const. * program-state.cc: Move includes of "analyzer/call-string.h" and "analyzer/program-point.h" to before "analyzer/region-model.h", and also include "analyzer/store.h" before it. (extrinsic_state::get_model_manager): New. (sm_state_map::sm_state_map): Pass in sm and sm_idx to ctor, rather than pass the around. (sm_state_map::clone_with_remapping): Delete. (sm_state_map::print): Remove "sm" param in favor of "m_sm". Add "simple" and "multiline" params and support multiline vs single line dumping. (sm_state_map::dump): Remove "sm" param in favor of "m_sm". Add "simple" param. (sm_state_map::hash): Port from svalue_id to const svalue *. (sm_state_map::operator==): Likewise. (sm_state_map::get_state): Likewise. Call canonicalize_svalue on input. Handle inheritance of sm-state. Call get_default_state. (sm_state_map::get_origin): Port from svalue_id to const svalue *. (sm_state_map::set_state): Likewise. Pass in ext_state. Reject attempts to set state on UNKNOWN. (sm_state_map::impl_set_state): Port from svalue_id to const svalue *. Pass in ext_state. Call canonicalize_svalue on input. (sm_state_map::purge_for_unknown_fncall): Delete. (sm_state_map::on_svalue_leak): New. (sm_state_map::remap_svalue_ids): Delete. (sm_state_map::on_liveness_change): New. (sm_state_map::on_unknown_change): Reimplement. (sm_state_map::on_svalue_purge): Delete. (sm_state_map::on_inherited_svalue): Delete. (sm_state_map::on_cast): Delete. (sm_state_map::validate): Delete. (sm_state_map::canonicalize_svalue): New. (program_state::program_state): Update to pass manager to region_model's ctor. Constify num_states and pass state machine and index to sm_state_map ctor. (program_state::print): Update for changes to dump API. (program_state::dump_to_pp): Ignore the summarize param. Add "multiline" param. (program_state::dump_to_file): Add "multiline" param. (program_state::dump): Pass "true" for new "multiline" param. (program_state::push_frame): New. (program_state::on_edge): Drop "change" param. Call program_state::detect_leaks. (program_state::prune_for_point): Add enode_for_diag param. Reimplement based on store class. Call detect_leaks (program_state::remap_svalue_ids): Delete. (program_state::get_representative_tree): Port from svalue_id to const svalue *. (program_state::can_merge_with_p): Add "point" param. Add early reject for sm-differences. Drop id remapping. (program_state::validate): Drop region model and sm_state_map validation. (state_change::sm_change::dump): Delete. (state_change::sm_change::remap_svalue_ids): Delete. (state_change::sm_change::on_svalue_purge): Delete. (log_set_of_svalues): New. (state_change::sm_change::validate): Delete. (state_change::state_change): Delete. (state_change::add_sm_change): Delete. (state_change::affects_p): Delete. (state_change::dump): Delete. (state_change::remap_svalue_ids): Delete. (state_change::on_svalue_purge): Delete. (state_change::validate): Delete. (selftest::assert_dump_eq): Delete. (ASSERT_DUMP_EQ): Delete. (selftest::test_sm_state_map): Update for changes to region_model and sm_state_map, porting from svalue_id to const svalue *. (selftest::test_program_state_dumping): Likewise. Drop test of dumping, renaming to... (selftest::test_program_state_1): ...this. (selftest::test_program_state_dumping_2): Likewise, renaming to... (selftest::test_program_state_2): ...this. (selftest::test_program_state_merging): Update for changes to region_model. (selftest::test_program_state_merging_2): Likewise. (selftest::analyzer_program_state_cc_tests): Update for renamed tests. * program-state.h (extrinsic_state::extrinsic_state): Add logger and engine params. (extrinsic_state::get_logger): New accessor. (extrinsic_state::get_engine): New accessor. (extrinsic_state::get_model_manager): New accessor. (extrinsic_state::m_logger): New field. (extrinsic_state::m_engine): New field. (struct default_hash_traits): Delete. (pod_hash_traits::hash): Delete. (pod_hash_traits::equal): Delete. (pod_hash_traits::mark_deleted): Delete. (pod_hash_traits::mark_empty): Delete. (pod_hash_traits::is_deleted): Delete. (pod_hash_traits::is_empty): Delete. (sm_state_map::entry_t::entry_t): Port from svalue_id to const svalue *. (sm_state_map::entry_t::m_origin): Likewise. (sm_state_map::map_t): Likewise. (sm_state_map::sm_state_map): Add state_machine and index params. (sm_state_map::clone_with_remapping): Delete. (sm_state_map::print): Drop sm param; add simple and multiline params. (sm_state_map::dump): Drop sm param; add simple param. (sm_state_map::get_state): Port from svalue_id to const svalue *. Add ext_state param. (sm_state_map::get_origin): Likewise. (sm_state_map::set_state): Likewise. (sm_state_map::impl_set_state): Likewise. (sm_state_map::purge_for_unknown_fncall): Delete. (sm_state_map::remap_svalue_ids): Delete. (sm_state_map::on_svalue_purge): Delete. (sm_state_map::on_svalue_leak): New. (sm_state_map::on_liveness_change): New. (sm_state_map::on_inherited_svalue): Delete. (sm_state_map::on_cast): Delete. (sm_state_map::validate): Delete. (sm_state_map::on_unknown_change): Port from svalue_id to const svalue *. Add is_mutable and ext_state params. (sm_state_map::canonicalize_svalue): New. (sm_state_map::m_sm): New field. (sm_state_map::m_sm_idx): New field. (program_state::operator=): Delete. (program_state::dump_to_pp): Drop "summarize" param, adding "simple" and "multiline". (program_state::dump_to_file): Likewise. (program_state::dump): Rename "summarize" to "simple". (program_state::push_frame): New. (program_state::get_current_function): New. (program_state::on_edge): Drop "change" param. (program_state::prune_for_point): Likewise. Add enode_for_diag param. (program_state::remap_svalue_ids): Delete. (program_state::get_representative_tree): Port from svalue_id to const svalue *. (program_state::can_purge_p): Likewise. Pass ext_state to get_state. (program_state::can_merge_with_p): Add point param. (program_state::detect_leaks): New. (state_change_visitor::on_state_change): Port from tree and svalue_id to a pair of const svalue *. (class state_change): Delete. * region.cc: New file. * region-model-impl-calls.cc: New file. * region-model-manager.cc: New file. * region-model-reachability.cc: New file. * region-model-reachability.h: New file. * region-model.cc: Include "analyzer/call-string.h", "analyzer/program-point.h", and "analyzer/store.h" before "analyzer/region-model.h". Include "analyzer/region-model-reachability.h". (dump_tree): Make non-static. (dump_quoted_tree): Make non-static. (print_quoted_type): Make non-static. (path_var::dump): Delete. (dump_separator): Delete. (class impl_constraint_manager): Delete. (svalue_id::print): Delete. (svalue_id::dump_node_name_to_pp): Delete. (svalue_id::validate): Delete. (region_id::print): Delete. (region_id::dump_node_name_to_pp): Delete. (region_id::validate): Delete. (region_id_set::region_id_set): Delete. (svalue_id_set::svalue_id_set): Delete. (svalue::operator==): Delete. (svalue::hash): Delete. (svalue::print): Delete. (svalue::dump_dot_to_pp): Delete. (svalue::remap_region_ids): Delete. (svalue::walk_for_canonicalization): Delete. (svalue::get_child_sid): Delete. (svalue::maybe_get_constant): Delete. (region_svalue::compare_fields): Delete. (region_svalue::add_to_hash): Delete. (region_svalue::print_details): Delete. (region_svalue::dump_dot_to_pp): Delete. (region_svalue::remap_region_ids): Delete. (region_svalue::merge_values): Delete. (region_svalue::walk_for_canonicalization): Delete. (region_svalue::eval_condition): Delete. (constant_svalue::compare_fields): Delete. (constant_svalue::add_to_hash): Delete. (constant_svalue::merge_values): Delete. (constant_svalue::eval_condition): Move to svalue.cc. (constant_svalue::print_details): Delete. (constant_svalue::get_child_sid): Delete. (unknown_svalue::compare_fields): Delete. (unknown_svalue::add_to_hash): Delete. (unknown_svalue::print_details): Delete. (poison_kind_to_str): Move to svalue.cc. (poisoned_svalue::compare_fields): Delete. (poisoned_svalue::add_to_hash): Delete. (poisoned_svalue::print_details): Delete. (region_kind_to_str): Move to region.cc and reimplement. (region::operator==): Delete. (region::get_parent_region): Delete. (region::set_value): Delete. (region::become_active_view): Delete. (region::deactivate_any_active_view): Delete. (region::deactivate_view): Delete. (region::get_value): Delete. (region::get_inherited_child_sid): Delete. (region_model::copy_region): Delete. (region_model::copy_struct_region): Delete. (region_model::copy_union_region): Delete. (region_model::copy_array_region): Delete. (region::hash): Delete. (region::print): Delete. (region::dump_dot_to_pp): Delete. (region::dump_to_pp): Delete. (region::dump_child_label): Delete. (region::validate): Delete. (region::remap_svalue_ids): Delete. (region::remap_region_ids): Delete. (region::add_view): Delete. (region::get_view): Delete. (region::region): Move to region.cc. (region::add_to_hash): Delete. (region::print_fields): Delete. (region::non_null_p): Delete. (primitive_region::clone): Delete. (primitive_region::walk_for_canonicalization): Delete. (map_region::map_region): Delete. (map_region::compare_fields): Delete. (map_region::print_fields): Delete. (map_region::validate): Delete. (map_region::dump_dot_to_pp): Delete. (map_region::dump_child_label): Delete. (map_region::get_or_create): Delete. (map_region::get): Delete. (map_region::add_to_hash): Delete. (map_region::remap_region_ids): Delete. (map_region::unbind): Delete. (map_region::get_tree_for_child_region): Delete. (map_region::get_tree_for_child_region): Delete. (tree_cmp): Move to region.cc. (map_region::can_merge_p): Delete. (map_region::walk_for_canonicalization): Delete. (map_region::get_value_by_name): Delete. (struct_or_union_region::valid_key_p): Delete. (struct_or_union_region::compare_fields): Delete. (struct_region::clone): Delete. (struct_region::compare_fields): Delete. (union_region::clone): Delete. (union_region::compare_fields): Delete. (frame_region::compare_fields): Delete. (frame_region::clone): Delete. (frame_region::valid_key_p): Delete. (frame_region::print_fields): Delete. (frame_region::add_to_hash): Delete. (globals_region::compare_fields): Delete. (globals_region::clone): Delete. (globals_region::valid_key_p): Delete. (code_region::compare_fields): Delete. (code_region::clone): Delete. (code_region::valid_key_p): Delete. (array_region::array_region): Delete. (array_region::get_element): Delete. (array_region::clone): Delete. (array_region::compare_fields): Delete. (array_region::print_fields): Delete. (array_region::validate): Delete. (array_region::dump_dot_to_pp): Delete. (array_region::dump_child_label): Delete. (array_region::get_or_create): Delete. (array_region::get): Delete. (array_region::add_to_hash): Delete. (array_region::remap_region_ids): Delete. (array_region::get_key_for_child_region): Delete. (array_region::key_cmp): Delete. (array_region::walk_for_canonicalization): Delete. (array_region::key_from_constant): Delete. (array_region::constant_from_key): Delete. (function_region::compare_fields): Delete. (function_region::clone): Delete. (function_region::valid_key_p): Delete. (stack_region::stack_region): Delete. (stack_region::compare_fields): Delete. (stack_region::clone): Delete. (stack_region::print_fields): Delete. (stack_region::dump_child_label): Delete. (stack_region::validate): Delete. (stack_region::push_frame): Delete. (stack_region::get_current_frame_id): Delete. (stack_region::pop_frame): Delete. (stack_region::add_to_hash): Delete. (stack_region::remap_region_ids): Delete. (stack_region::can_merge_p): Delete. (stack_region::walk_for_canonicalization): Delete. (stack_region::get_value_by_name): Delete. (heap_region::heap_region): Delete. (heap_region::compare_fields): Delete. (heap_region::clone): Delete. (heap_region::walk_for_canonicalization): Delete. (root_region::root_region): Delete. (root_region::compare_fields): Delete. (root_region::clone): Delete. (root_region::print_fields): Delete. (root_region::validate): Delete. (root_region::dump_child_label): Delete. (root_region::push_frame): Delete. (root_region::get_current_frame_id): Delete. (root_region::pop_frame): Delete. (root_region::ensure_stack_region): Delete. (root_region::get_stack_region): Delete. (root_region::ensure_globals_region): Delete. (root_region::get_code_region): Delete. (root_region::ensure_code_region): Delete. (root_region::get_globals_region): Delete. (root_region::ensure_heap_region): Delete. (root_region::get_heap_region): Delete. (root_region::remap_region_ids): Delete. (root_region::can_merge_p): Delete. (root_region::add_to_hash): Delete. (root_region::walk_for_canonicalization): Delete. (root_region::get_value_by_name): Delete. (symbolic_region::symbolic_region): Delete. (symbolic_region::compare_fields): Delete. (symbolic_region::clone): Delete. (symbolic_region::walk_for_canonicalization): Delete. (symbolic_region::print_fields): Delete. (region_model::region_model): Add region_model_manager * param. Reimplement in terms of store, dropping impl_constraint_manager subclass. (region_model::operator=): Reimplement in terms of store (region_model::operator==): Likewise. (region_model::hash): Likewise. (region_model::print): Delete. (region_model::print_svalue): Delete. (region_model::dump_dot_to_pp): Delete. (region_model::dump_dot_to_file): Delete. (region_model::dump_dot): Delete. (region_model::dump_to_pp): Replace "summarize" param with "simple" and "multiline". Port to store-based implementation. (region_model::dump): Replace "summarize" param with "simple" and "multiline". (dump_vec_of_tree): Delete. (region_model::dump_summary_of_rep_path_vars): Delete. (region_model::validate): Delete. (svalue_id_cmp_by_constant_svalue_model): Delete. (svalue_id_cmp_by_constant_svalue): Delete. (region_model::canonicalize): Drop "ctxt" param. Reimplement in terms of store and constraints. (region_model::canonicalized_p): Remove NULL arg to canonicalize. (region_model::loop_replay_fixup): New. (poisoned_value_diagnostic::emit): Tweak wording of warnings. (region_model::check_for_poison): Delete. (region_model::get_gassign_result): New. (region_model::on_assignment): Port to store-based implementation. (region_model::on_call_pre): Delete calls to check_for_poison. Move implementations to region-model-impl-calls.c and port to store-based implementation. (region_model::on_call_post): Likewise. (class reachable_regions): Move to region-model-reachability.h/cc and port to store-based implementation. (region_model::handle_unrecognized_call): Port to store-based implementation. (region_model::get_reachable_svalues): New. (region_model::on_setjmp): Port to store-based implementation. (region_model::on_longjmp): Likewise. (region_model::handle_phi): Drop is_back_edge param and the logic using it. (region_model::get_lvalue_1): Port from region_id to const region *. (region_model::make_region_for_unexpected_tree_code): Delete. (assert_compat_types): If the check fails, use internal_error to show the types. (region_model::get_lvalue): Port from region_id to const region *. (region_model::get_rvalue_1): Port from svalue_id to const svalue *. (region_model::get_rvalue): Likewise. (region_model::get_or_create_ptr_svalue): Delete. (region_model::get_or_create_constant_svalue): Delete. (region_model::get_svalue_for_fndecl): Delete. (region_model::get_region_for_fndecl): Delete. (region_model::get_svalue_for_label): Delete. (region_model::get_region_for_label): Delete. (build_cast): Delete. (region_model::maybe_cast_1): Delete. (region_model::maybe_cast): Delete. (region_model::get_field_region): Delete. (region_model::get_store_value): New. (region_model::region_exists_p): New. (region_model::deref_rvalue): Port from svalue_id to const svalue *. (region_model::set_value): Likewise. (region_model::clobber_region): New. (region_model::purge_region): New. (region_model::zero_fill_region): New. (region_model::mark_region_as_unknown): New. (region_model::eval_condition): Port from svalue_id to const svalue *. (region_model::eval_condition_without_cm): Likewise. (region_model::compare_initial_and_pointer): New. (region_model::add_constraint): Port from svalue_id to const svalue *. (region_model::maybe_get_constant): Delete. (region_model::get_representative_path_var): New. (region_model::add_new_malloc_region): Delete. (region_model::get_representative_tree): Port to const svalue *. (region_model::get_representative_path_var): Port to const region *. (region_model::get_path_vars_for_svalue): Delete. (region_model::set_to_new_unknown_value): Delete. (region_model::update_for_phis): Don't pass is_back_edge to handle_phi. (region_model::update_for_call_superedge): Port from svalue_id to const svalue *. (region_model::update_for_return_superedge): Port to store-based implementation. (region_model::update_for_call_summary): Replace set_to_new_unknown_value with mark_region_as_unknown. (region_model::get_root_region): Delete. (region_model::get_stack_region_id): Delete. (region_model::push_frame): Delete. (region_model::get_current_frame_id): Delete. (region_model::get_current_function): Delete. (region_model::pop_frame): Delete. (region_model::on_top_level_param): New. (region_model::get_stack_depth): Delete. (region_model::get_function_at_depth): Delete. (region_model::get_globals_region_id): Delete. (region_model::add_svalue): Delete. (region_model::replace_svalue): Delete. (region_model::add_region): Delete. (region_model::get_svalue): Delete. (region_model::get_region): Delete. (make_region_for_type): Delete. (region_model::add_region_for_type): Delete. (region_model::on_top_level_param): New. (class restrict_to_used_svalues): Delete. (region_model::purge_unused_svalues): Delete. (region_model::push_frame): New. (region_model::remap_svalue_ids): Delete. (region_model::remap_region_ids): Delete. (region_model::purge_regions): Delete. (region_model::get_descendents): Delete. (region_model::delete_region_and_descendents): Delete. (region_model::poison_any_pointers_to_bad_regions): Delete. (region_model::can_merge_with_p): Delete. (region_model::get_current_function): New. (region_model::get_value_by_name): Delete. (region_model::convert_byte_offset_to_array_index): Delete. (region_model::pop_frame): New. (region_model::get_or_create_mem_ref): Delete. (region_model::get_stack_depth): New. (region_model::get_frame_at_index): New. (region_model::unbind_region_and_descendents): New. (struct bad_pointer_finder): New. (region_model::get_or_create_pointer_plus_expr): Delete. (region_model::poison_any_pointers_to_descendents): New. (region_model::get_or_create_view): Delete. (region_model::can_merge_with_p): New. (region_model::get_fndecl_for_call): Port from svalue_id to const svalue *. (struct append_ssa_names_cb_data): New. (get_ssa_name_regions_for_current_frame): New. (region_model::append_ssa_names_cb): New. (model_merger::dump_to_pp): Add "simple" param. Drop dumping of remappings. (model_merger::dump): Add "simple" param to both overloads. (model_merger::can_merge_values_p): Delete. (model_merger::record_regions): Delete. (model_merger::record_svalues): Delete. (svalue_id_merger_mapping::svalue_id_merger_mapping): Delete. (svalue_id_merger_mapping::dump_to_pp): Delete. (svalue_id_merger_mapping::dump): Delete. (region_model::create_region_for_heap_alloc): New. (region_model::create_region_for_alloca): New. (region_model::record_dynamic_extents): New. (canonicalization::canonicalization): Delete. (canonicalization::walk_rid): Delete. (canonicalization::walk_sid): Delete. (canonicalization::dump_to_pp): Delete. (canonicalization::dump): Delete. (inchash::add): Delete overloads for svalue_id and region_id. (engine::log_stats): New. (assert_condition): Add overload comparing svalues. (assert_dump_eq): Pass "true" for multiline. (selftest::test_dump): Update for rewrite of region_model. (selftest::test_dump_2): Rename to... (selftest::test_struct): ...this. Provide a region_model_manager when creating region_model instance. Remove dump test. Add checks for get_offset. (selftest::test_dump_3): Rename to... (selftest::test_array_1): ...this. Provide a region_model_manager when creating region_model instance. Remove dump test. (selftest::test_get_representative_tree): Port from svalue_id to new API. Add test coverage for various expressions. (selftest::test_unique_constants): Provide a region_model_manager for the region_model. Add test coverage for comparing const vs non-const. (selftest::test_svalue_equality): Delete. (selftest::test_region_equality): Delete. (selftest::test_unique_unknowns): New. (class purge_all_svalue_ids): Delete. (class purge_one_svalue_id): Delete. (selftest::test_purging_by_criteria): Delete. (selftest::test_initial_svalue_folding): New. (selftest::test_unaryop_svalue_folding): New. (selftest::test_binop_svalue_folding): New. (selftest::test_sub_svalue_folding): New. (selftest::test_purge_unused_svalues): Delete. (selftest::test_descendent_of_p): New. (selftest::test_assignment): Provide a region_model_manager for the region_model. Drop the dump test. (selftest::test_compound_assignment): Likewise. (selftest::test_stack_frames): Port to new implementation. (selftest::test_get_representative_path_var): Likewise. (selftest::test_canonicalization_1): Rename to... (selftest::test_equality_1): ...this. Port to new API, and add (selftest::test_canonicalization_2): Provide a region_model_manager when creating region_model instances. Remove redundant canicalization. (selftest::test_canonicalization_3): Provide a region_model_manager when creating region_model instances. Remove param from calls to region_model::canonicalize. (selftest::test_canonicalization_4): Likewise. (selftest::assert_region_models_merge): Constify out_merged_svalue. Port to new API. (selftest::test_state_merging): Provide a region_model_manager when creating region_model instances. Provide a program_point point when merging them. Replace set_to_new_unknown_value with usage of placeholder_svalues. Drop get_value_by_name. Port from svalue_id to const svalue *. Add test of heap allocation. (selftest::test_constraint_merging): Provide a region_model_manager when creating region_model instances. Provide a program_point point when merging them. Eliminate use of set_to_new_unknown_value. (selftest::test_widening_constraints): New. (selftest::test_iteration_1): New. (selftest::test_malloc_constraints): Port to store-based implementation. (selftest::test_var): New test. (selftest::test_array_2): New test. (selftest::test_mem_ref): New test. (selftest::test_POINTER_PLUS_EXPR_then_MEM_REF): New. (selftest::test_malloc): New. (selftest::test_alloca): New. (selftest::analyzer_region_model_cc_tests): Update for renamings. Call new functions. * region-model.h (class path_var): Move to analyzer.h. (class svalue_id): Delete. (class region_id): Delete. (class id_map): Delete. (svalue_id_map): Delete. (region_id_map): Delete. (id_map::id_map): Delete. (id_map::put): Delete. (id_map::get_dst_for_src): Delete. (id_map::get_src_for_dst): Delete. (id_map::dump_to_pp): Delete. (id_map::dump): Delete. (id_map::update): Delete. (one_way_svalue_id_map): Delete. (one_way_region_id_map): Delete. (class region_id_set): Delete. (class svalue_id_set): Delete. (struct complexity): New. (class visitor): New. (enum svalue_kind): Add SK_SETJMP, SK_INITIAL, SK_UNARYOP, SK_BINOP, SK_SUB,SK_UNMERGEABLE, SK_PLACEHOLDER, SK_WIDENING, SK_COMPOUND, and SK_CONJURED. (svalue::operator==): Delete. (svalue::operator!=): Delete. (svalue::clone): Delete. (svalue::hash): Delete. (svalue::dump_dot_to_pp): Delete. (svalue::dump_to_pp): New. (svalue::dump): New. (svalue::get_desc): New. (svalue::dyn_cast_initial_svalue): New. (svalue::dyn_cast_unaryop_svalue): New. (svalue::dyn_cast_binop_svalue): New. (svalue::dyn_cast_sub_svalue): New. (svalue::dyn_cast_unmergeable_svalue): New. (svalue::dyn_cast_widening_svalue): New. (svalue::dyn_cast_compound_svalue): New. (svalue::dyn_cast_conjured_svalue): New. (svalue::maybe_undo_cast): New. (svalue::unwrap_any_unmergeable): New. (svalue::remap_region_ids): Delete (svalue::can_merge_p): New. (svalue::walk_for_canonicalization): Delete (svalue::get_complexity): New. (svalue::get_child_sid): Delete (svalue::accept): New. (svalue::live_p): New. (svalue::implicitly_live_p): New. (svalue::svalue): Add complexity param. (svalue::add_to_hash): Delete (svalue::print_details): Delete (svalue::m_complexity): New field. (region_svalue::key_t): New struct. (region_svalue::region_svalue): Port from region_id to const region_id *. Add complexity. (region_svalue::compare_fields): Delete. (region_svalue::clone): Delete. (region_svalue::dump_dot_to_pp): Delete. (region_svalue::get_pointee): Port from region_id to const region_id *. (region_svalue::remap_region_ids): Delete. (region_svalue::merge_values): Delete. (region_svalue::dump_to_pp): New. (region_svalue::accept): New. (region_svalue::walk_for_canonicalization): Delete. (region_svalue::eval_condition): Make params const. (region_svalue::add_to_hash): Delete. (region_svalue::print_details): Delete. (region_svalue::m_rid): Replace with... (region_svalue::m_reg): ...this. (is_a_helper ::test): Convert to... (is_a_helper ::test): ...this. (template <> struct default_hash_traits): New. (constant_svalue::constant_svalue): Add complexity. (constant_svalue::compare_fields): Delete. (constant_svalue::clone): Delete. (constant_svalue::add_to_hash): Delete. (constant_svalue::dump_to_pp): New. (constant_svalue::accept): New. (constant_svalue::implicitly_live_p): New. (constant_svalue::merge_values): Delete. (constant_svalue::eval_condition): Make params const. (constant_svalue::get_child_sid): Delete. (constant_svalue::print_details): Delete. (is_a_helper ::test): Convert to... (is_a_helper ::test): ...this. (class unknown_svalue): Update leading comment. (unknown_svalue::unknown_svalue): Add complexity. (unknown_svalue::compare_fields): Delete. (unknown_svalue::add_to_hash): Delete. (unknown_svalue::dyn_cast_unknown_svalue): Delete. (unknown_svalue::print_details): Delete. (unknown_svalue::dump_to_pp): New. (unknown_svalue::accept): New. (poisoned_svalue::key_t): New struct. (poisoned_svalue::poisoned_svalue): Add complexity. (poisoned_svalue::compare_fields): Delete. (poisoned_svalue::clone): Delete. (poisoned_svalue::add_to_hash): Delete. (poisoned_svalue::dump_to_pp): New. (poisoned_svalue::accept): New. (poisoned_svalue::print_details): Delete. (is_a_helper ::test): Convert to... (is_a_helper ::test): ...this. (template <> struct default_hash_traits): New. (setjmp_record::add_to_hash): New. (setjmp_svalue::key_t): New struct. (setjmp_svalue::compare_fields): Delete. (setjmp_svalue::clone): Delete. (setjmp_svalue::add_to_hash): Delete. (setjmp_svalue::setjmp_svalue): Add complexity. (setjmp_svalue::dump_to_pp): New. (setjmp_svalue::accept): New. (setjmp_svalue::void print_details): Delete. (is_a_helper ::test): New. (template <> struct default_hash_traits): New. (class initial_svalue : public svalue): New. (is_a_helper ::test): New. (class unaryop_svalue): New. (is_a_helper ::test): New. (template <> struct default_hash_traits): New. (class binop_svalue): New. (is_a_helper ::test): New. (template <> struct default_hash_traits): New. (class sub_svalue): New. (is_a_helper ::test): New. (template <> struct default_hash_traits): New. (class unmergeable_svalue): New. (is_a_helper ::test): New. (class placeholder_svalue): New. (is_a_helper ::test): New. (class widening_svalue): New. (is_a_helper ::test): New. (template <> struct default_hash_traits): New. (class compound_svalue): New. (is_a_helper ::test): New. (template <> struct default_hash_traits): New. (class conjured_svalue): New. (is_a_helper ::test): New. (template <> struct default_hash_traits): New. (enum region_kind): Delete RK_PRIMITIVE, RK_STRUCT, RK_UNION, and RK_ARRAY. Add RK_LABEL, RK_DECL, RK_FIELD, RK_ELEMENT, RK_OFFSET, RK_CAST, RK_HEAP_ALLOCATED, RK_ALLOCA, RK_STRING, and RK_UNKNOWN. (region_kind_to_str): Delete. (region::~region): Move implementation to region.cc. (region::operator==): Delete. (region::operator!=): Delete. (region::clone): Delete. (region::get_id): New. (region::cmp_ids): New. (region::dyn_cast_map_region): Delete. (region::dyn_cast_array_region): Delete. (region::region_id get_parent): Delete. (region::get_parent_region): Convert to a simple accessor. (region::void set_value): Delete. (region::svalue_id get_value): Delete. (region::svalue_id get_value_direct): Delete. (region::svalue_id get_inherited_child_sid): Delete. (region::dyn_cast_frame_region): New. (region::dyn_cast_function_region): New. (region::dyn_cast_decl_region): New. (region::dyn_cast_field_region): New. (region::dyn_cast_element_region): New. (region::dyn_cast_offset_region): New. (region::dyn_cast_cast_region): New. (region::dyn_cast_string_region): New. (region::accept): New. (region::get_base_region): New. (region::base_region_p): New. (region::descendent_of_p): New. (region::maybe_get_frame_region): New. (region::maybe_get_decl): New. (region::hash): Delete. (region::rint): Delete. (region::dump_dot_to_pp): Delete. (region::get_desc): New. (region::dump_to_pp): Convert to vfunc, changing signature. (region::dump_child_label): Delete. (region::remap_svalue_ids): Delete. (region::remap_region_ids): Delete. (region::dump): New. (region::walk_for_canonicalization): Delete. (region::non_null_p): Drop region_model param. (region::add_view): Delete. (region::get_view): Delete. (region::get_active_view): Delete. (region::is_view_p): Delete. (region::cmp_ptrs): New. (region::validate): Delete. (region::get_offset): New. (region::get_byte_size): New. (region::get_bit_size): New. (region::get_subregions_for_binding): New. (region::region): Add complexity param. Convert parent from region_id to const region *. Drop svalue_id. Drop copy ctor. (region::symbolic_for_unknown_ptr_p): New. (region::add_to_hash): Delete. (region::print_fields): Delete. (region::get_complexity): New accessor. (region::become_active_view): Delete. (region::deactivate_any_active_view): Delete. (region::deactivate_view): Delete. (region::calc_offset): New. (region::m_parent_rid): Delete. (region::m_sval_id): Delete. (region::m_complexity): New. (region::m_id): New. (region::m_parent): New. (region::m_view_rids): Delete. (region::m_is_view): Delete. (region::m_active_view_rid): Delete. (region::m_cached_offset): New. (is_a_helper ::test): Convert to... (is_a_helper ::test): ... this. (class primitive_region): Delete. (class space_region): New. (class map_region): Delete. (is_a_helper ::test): Delete. (class frame_region): Reimplement. (template <> struct default_hash_traits): New. (class globals_region): Reimplement. (is_a_helper ::test): Convert to... (is_a_helper ::test): ...this. (class struct_or_union_region): Delete. (is_a_helper ::test): Delete. (class code_region): Reimplement. (is_a_helper ::test): New. (class struct_region): Delete. (is_a_helper ::test): Delete. (class function_region): Reimplement. (is_a_helper ::test): Convert to... (is_a_helper ::test): ...this. (class union_region): Delete. (is_a_helper ::test): Delete. (class label_region): New. (is_a_helper ::test): New. (class scope_region): Delete. (class stack_region): Reimplement. (is_a_helper ::test): Convert to... (is_a_helper ::test): ...this. (class heap_region): Reimplement. (is_a_helper ::test): Convert to... (is_a_helper ::test): ...this. (class root_region): Reimplement. (is_a_helper ::test): Convert to... (is_a_helper ::test): ...this. (class symbolic_region): Reimplement. (is_a_helper ::test): New. (template <> struct default_hash_traits): New. (class decl_region): New. (is_a_helper ::test): New. (class field_region): New. (template <> struct default_hash_traits): New. (class array_region): Delete. (class element_region): New. (is_a_helper ::test): Delete. (is_a_helper ::test): New. (template <> struct default_hash_traits): New. (class offset_region): New. (is_a_helper ::test): New. (template <> struct default_hash_traits): New. (class cast_region): New. (is_a_helper ::test): New. (template <> struct default_hash_traits): New. (class heap_allocated_region): New. (class alloca_region): New. (class string_region): New. (is_a_helper ::test): New. (class unknown_region): New. (class region_model_manager): New. (struct append_ssa_names_cb_data): New. (class call_details): New. (region_model::region_model): Add region_model_manager param. (region_model::print_svalue): Delete. (region_model::dump_dot_to_pp): Delete. (region_model::dump_dot_to_file): Delete. (region_model::dump_dot): Delete. (region_model::dump_to_pp): Drop summarize param in favor of simple and multiline. (region_model::dump): Likewise. (region_model::summarize_to_pp): Delete. (region_model::summarize): Delete. (region_model::void canonicalize): Drop ctxt param. (region_model::void check_for_poison): Delete. (region_model::get_gassign_result): New. (region_model::impl_call_alloca): New. (region_model::impl_call_analyzer_describe): New. (region_model::impl_call_analyzer_eval): New. (region_model::impl_call_builtin_expect): New. (region_model::impl_call_calloc): New. (region_model::impl_call_free): New. (region_model::impl_call_malloc): New. (region_model::impl_call_memset): New. (region_model::impl_call_strlen): New. (region_model::get_reachable_svalues): New. (region_model::handle_phi): Drop is_back_edge param. (region_model::region_id get_root_rid): Delete. (region_model::root_region *get_root_region): Delete. (region_model::region_id get_stack_region_id): Delete. (region_model::push_frame): Convert from region_id and svalue_id to const region * and const svalue *. (region_model::get_current_frame_id): Replace with... (region_model::get_current_frame): ...this. (region_model::pop_frame): Convert from region_id to const region *. Drop purge and stats param. Add out_result. (region_model::function *get_function_at_depth): Delete. (region_model::get_globals_region_id): Delete. (region_model::add_svalue): Delete. (region_model::replace_svalue): Delete. (region_model::add_region): Delete. (region_model::add_region_for_type): Delete. (region_model::get_svalue): Delete. (region_model::get_region): Delete. (region_model::get_lvalue): Convert from region_id to const region *. (region_model::get_rvalue): Convert from svalue_id to const svalue *. (region_model::get_or_create_ptr_svalue): Delete. (region_model::get_or_create_constant_svalue): Delete. (region_model::get_svalue_for_fndecl): Delete. (region_model::get_svalue_for_label): Delete. (region_model::get_region_for_fndecl): Delete. (region_model::get_region_for_label): Delete. (region_model::get_frame_at_index (int index) const;): New. (region_model::maybe_cast): Delete. (region_model::maybe_cast_1): Delete. (region_model::get_field_region): Delete. (region_model::id deref_rvalue): Convert from region_id and svalue_id to const region * and const svalue *. Drop overload, passing in both a tree and an svalue. (region_model::set_value): Convert from region_id and svalue_id to const region * and const svalue *. (region_model::set_to_new_unknown_value): Delete. (region_model::clobber_region (const region *reg);): New. (region_model::purge_region (const region *reg);): New. (region_model::zero_fill_region (const region *reg);): New. (region_model::mark_region_as_unknown (const region *reg);): New. (region_model::copy_region): Convert from region_id to const region *. (region_model::eval_condition): Convert from svalue_id to const svalue *. (region_model::eval_condition_without_cm): Likewise. (region_model::compare_initial_and_pointer): New. (region_model:maybe_get_constant): Delete. (region_model::add_new_malloc_region): Delete. (region_model::get_representative_tree): Convert from svalue_id to const svalue *. (region_model::get_representative_path_var): Delete decl taking a region_id in favor of two decls, for svalue vs region, with an svalue_set to ensure termination. (region_model::get_path_vars_for_svalue): Delete. (region_model::create_region_for_heap_alloc): New. (region_model::create_region_for_alloca): New. (region_model::purge_unused_svalues): Delete. (region_model::remap_svalue_ids): Delete. (region_model::remap_region_ids): Delete. (region_model::purge_regions): Delete. (region_model::get_num_svalues): Delete. (region_model::get_num_regions): Delete. (region_model::get_descendents): Delete. (region_model::get_store): New. (region_model::delete_region_and_descendents): Delete. (region_model::get_manager): New. (region_model::unbind_region_and_descendents): New. (region_model::can_merge_with_p): Add point param. Drop svalue_id_merger_mapping. (region_model::get_value_by_name): Delete. (region_model::convert_byte_offset_to_array_index): Delete. (region_model::get_or_create_mem_ref): Delete. (region_model::get_or_create_pointer_plus_expr): Delete. (region_model::get_or_create_view): Delete. (region_model::get_lvalue_1): Convert from region_id to const region *. (region_model::get_rvalue_1): Convert from svalue_id to const svalue *. (region_model::get_ssa_name_regions_for_current_frame): New. (region_model::append_ssa_names_cb): New. (region_model::get_store_value): New. (region_model::copy_struct_region): Delete. (region_model::copy_union_region): Delete. (region_model::copy_array_region): Delete. (region_model::region_exists_p): New. (region_model::make_region_for_unexpected_tree_code): Delete. (region_model::loop_replay_fixup): New. (region_model::poison_any_pointers_to_bad_regions): Delete. (region_model::poison_any_pointers_to_descendents): New. (region_model::dump_summary_of_rep_path_vars): Delete. (region_model::on_top_level_param): New. (region_model::record_dynamic_extents): New. (region_model::m_mgr;): New. (region_model::m_store;): New. (region_model::m_svalues;): Delete. (region_model::m_regions;): Delete. (region_model::m_root_rid;): Delete. (region_model::m_current_frame;): New. (region_model_context::remap_svalue_ids): Delete. (region_model_context::can_purge_p): Delete. (region_model_context::on_svalue_leak): New. (region_model_context::on_svalue_purge): Delete. (region_model_context::on_liveness_change): New. (region_model_context::on_inherited_svalue): Delete. (region_model_context::on_cast): Delete. (region_model_context::on_unknown_change): Convert from svalue_id to const svalue * and add is_mutable. (class noop_region_model_context): Update for region_model_context changes. (model_merger::model_merger): Add program_point. Drop svalue_id_merger_mapping. (model_merger::dump_to_pp): Add "simple" param. (model_merger::dump): Likewise. (model_merger::get_region_a): Delete. (model_merger::get_region_b): Delete. (model_merger::can_merge_values_p): Delete. (model_merger::record_regions): Delete. (model_merger::record_svalues): Delete. (model_merger::m_point): New field. (model_merger::m_map_regions_from_a_to_m): Delete. (model_merger::m_map_regions_from_b_to_m): Delete. (model_merger::m_sid_mapping): Delete. (struct svalue_id_merger_mapping): Delete. (class engine): New. (struct canonicalization): Delete. (inchash::add): Delete decls for hashing svalue_id and region_id. (test_region_model_context::on_unexpected_tree_code): Require t to be non-NULL. (selftest::assert_condition): Add overload comparing a pair of const svalue *. * sm-file.cc: Include "tristate.h", "selftest.h", "analyzer/call-string.h", "analyzer/program-point.h", "analyzer/store.h", and "analyzer/region-model.h". (fileptr_state_machine::get_default_state): New. (fileptr_state_machine::on_stmt): Remove calls to get_readable_tree in favor of get_diagnostic_tree. * sm-malloc.cc: Include "tristate.h", "selftest.h", "analyzer/call-string.h", "analyzer/program-point.h", "analyzer/store.h", and "analyzer/region-model.h". (malloc_state_machine::get_default_state): New. (malloc_state_machine::reset_when_passed_to_unknown_fn_p): New. (malloc_diagnostic::describe_state_change): Handle change.m_expr being NULL. (null_arg::emit): Avoid printing "NULL '0'". (null_arg::describe_final_event): Avoid printing "(0) NULL". (malloc_leak::emit): Handle m_arg being NULL. (malloc_leak::describe_final_event): Handle ev.m_expr being NULL. (malloc_state_machine::on_stmt): Don't call get_readable_tree. Call get_diagnostic_tree when creating pending diagnostics. Update for is_zero_assignment becoming a member function of sm_ctxt. Don't transition to m_non_heap for ADDR_EXPR(MEM_REF()). (malloc_state_machine::reset_when_passed_to_unknown_fn_p): New vfunc implementation. * sm-sensitive.cc (sensitive_state_machine::warn_for_any_exposure): Call get_diagnostic_tree and pass the result to warn_for_state. * sm-signal.cc: Move includes of "analyzer/call-string.h" and "analyzer/program-point.h" to before "analyzer/region-model.h", and also include "analyzer/store.h" before it. (signal_unsafe_call::describe_state_change): Use get_dest_function to get handler. (update_model_for_signal_handler): Pass manager to region_model ctor. (register_signal_handler::impl_transition): Update for changes to get_or_create_node and add_edge. * sm-taint.cc (taint_state_machine::on_stmt): Remove calls to get_readable_tree, replacing them when calling warn_for_state with calls to get_diagnostic_tree. * sm.cc (is_zero_assignment): Delete. (any_pointer_p): Move to within namespace ana. * sm.h (is_zero_assignment): Remove decl. (any_pointer_p): Move decl to within namespace ana. (state_machine::get_default_state): New vfunc. (state_machine::reset_when_passed_to_unknown_fn_p): New vfunc. (sm_context::get_readable_tree): Rename to... (sm_context::get_diagnostic_tree): ...this. (sm_context::is_zero_assignment): New vfunc. * store.cc: New file. * store.h: New file. * svalue.cc: New file. 2020-05-22 Mark Wielaard * sm-signal.cc(signal_unsafe_call::emit): Possibly add gcc_rich_location note for replacement. (signal_unsafe_call::get_replacement_fn): New private function. (get_async_signal_unsafe_fns): Add "exit". 2020-04-28 David Malcolm PR analyzer/94816 * engine.cc (impl_region_model_context::on_unexpected_tree_code): Handle NULL tree. * region-model.cc (region_model::add_region_for_type): Handle NULL type. * region-model.h (test_region_model_context::on_unexpected_tree_code): Handle NULL tree. 2020-04-28 David Malcolm PR analyzer/94447 PR analyzer/94639 PR analyzer/94732 PR analyzer/94754 * analyzer.opt (Wanalyzer-use-of-uninitialized-value): Delete. * program-state.cc (selftest::test_program_state_dumping): Update expected dump result for removal of "uninit". * region-model.cc (poison_kind_to_str): Delete POISON_KIND_UNINIT case. (root_region::ensure_stack_region): Initialize stack with null svalue_id rather than with a typeless POISON_KIND_UNINIT value. (root_region::ensure_heap_region): Likewise for the heap. (region_model::dump_summary_of_rep_path_vars): Remove summarization of uninit values. (region_model::validate): Remove check that the stack has a POISON_KIND_UNINIT value. (poisoned_value_diagnostic::emit): Remove POISON_KIND_UNINIT case. (poisoned_value_diagnostic::describe_final_event): Likewise. (selftest::test_dump): Update expected dump result for removal of "uninit". (selftest::test_svalue_equality): Remove "uninit" and "freed". * region-model.h (enum poison_kind): Remove POISON_KIND_UNINIT. 2020-04-01 David Malcolm PR analyzer/94378 * checker-path.cc: Include "bitmap.h". * constraint-manager.cc: Likewise. * diagnostic-manager.cc: Likewise. * engine.cc: Likewise. (exploded_node::detect_leaks): Pass null region_id to pop_frame. * program-point.cc: Include "bitmap.h". * program-state.cc: Likewise. * region-model.cc (id_set::id_set): Convert to... (region_id_set::region_id_set): ...this. (svalue_id_set::svalue_id_set): New ctor. (region_model::copy_region): New function. (region_model::copy_struct_region): New function. (region_model::copy_union_region): New function. (region_model::copy_array_region): New function. (stack_region::pop_frame): Drop return value. Add "result_dst_rid" param; if it is non-null, use copy_region to copy the result to it. Rather than capture and pass a single "known used" return value to be used by purge_unused_values, instead gather and pass a set of known used return values. (root_region::pop_frame): Drop return value. Add "result_dst_rid" param. (region_model::on_assignment): Use copy_region. (region_model::on_return): Likewise for the result. (region_model::on_longjmp): Pass null for pop_frame's result_dst_rid. (region_model::update_for_return_superedge): Pass the region for the return value of the call, if any, to pop_frame, rather than setting the lvalue for the lhs of the result. (region_model::pop_frame): Drop return value. Add "result_dst_rid" param. (region_model::purge_unused_svalues): Convert third param from an svalue_id * to an svalue_id_set *, updating the initial populating of the "used" bitmap accordingly. Don't remap it when done. (struct selftest::coord_test): New selftest fixture, extracted from... (selftest::test_dump_2): ...here. (selftest::test_compound_assignment): New selftest. (selftest::test_stack_frames): Pass null to new param of pop_frame. (selftest::analyzer_region_model_cc_tests): Call the new selftest. * region-model.h (class id_set): Delete template. (class region_id_set): Reimplement, using old id_set implementation. (class svalue_id_set): Likewise. Convert from auto_sbitmap to auto_bitmap. (region::get_active_view): New accessor. (stack_region::pop_frame): Drop return value. Add "result_dst_rid" param. (root_region::pop_frame): Likewise. (region_model::pop_frame): Likewise. (region_model::copy_region): New decl. (region_model::purge_unused_svalues): Convert third param from an svalue_id * to an svalue_id_set *. (region_model::copy_struct_region): New decl. (region_model::copy_union_region): New decl. (region_model::copy_array_region): New decl. 2020-03-27 David Malcolm * program-state.cc (selftest::test_program_state_dumping): Update expected dump to include symbolic_region's possibly_null field. * region-model.cc (symbolic_region::print_fields): New vfunc implementation. (region_model::add_constraint): Clear m_possibly_null from symbolic_regions now known to be non-NULL. (selftest::test_malloc_constraints): New selftest. (selftest::analyzer_region_model_cc_tests): Call it. * region-model.h (region::dyn_cast_symbolic_region): Add non-const overload. (symbolic_region::dyn_cast_symbolic_region): Implement it. (symbolic_region::print_fields): New vfunc override decl. 2020-03-27 David Malcolm * analyzer.h (class feasibility_problem): New forward decl. * diagnostic-manager.cc (saved_diagnostic::saved_diagnostic): Initialize new fields m_status, m_epath_length, and m_problem. (saved_diagnostic::~saved_diagnostic): Delete m_problem. (dedupe_candidate::dedupe_candidate): Convert "sd" param from a const ref to a mutable ptr. (dedupe_winners::add): Convert "sd" param from a const ref to a mutable ptr. Record the length of the exploded_path. Record the feasibility/infeasibility of sd into sd, capturing a feasibility_problem when feasible_p fails, and storing it in sd. (diagnostic_manager::emit_saved_diagnostics): Update for pass by ptr rather than by const ref. * diagnostic-manager.h (class saved_diagnostic): Add new enum status. Add fields m_status, m_epath_length and m_problem. (saved_diagnostic::set_feasible): New member function. (saved_diagnostic::set_infeasible): New member function. (saved_diagnostic::get_feasibility_problem): New accessor. (saved_diagnostic::get_status): New accessor. (saved_diagnostic::set_epath_length): New member function. (saved_diagnostic::get_epath_length): New accessor. * engine.cc: Include "gimple-pretty-print.h". (exploded_path::feasible_p): Add OUT param and, if non-NULL, write a new feasibility_problem to it on failure. (viz_callgraph_node::dump_dot): Convert begin_tr calls to begin_trtd. Convert end_tr calls to end_tdtr. (class exploded_graph_annotator): New subclass of dot_annotator. (impl_run_checkers): Add a second -fdump-analyzer-supergraph dump after the analysis runs, using exploded_graph_annotator. dumping to DUMP_BASE_NAME.supergraph-eg.dot. * exploded-graph.h (exploded_node::get_dot_fillcolor): Make public. (exploded_path::feasible_p): Add OUT param. (class feasibility_problem): New class. * state-purge.cc (state_purge_annotator::add_node_annotations): Return a bool, add a "within_table" param. (print_vec_of_names): Convert begin_tr calls to begin_trtd. Convert end_tr calls to end_tdtr. (state_purge_annotator::add_stmt_annotations): Add "within_row" param. * state-purge.h ((state_purge_annotator::add_node_annotations): Return a bool, add a "within_table" param. (state_purge_annotator::add_stmt_annotations): Add "within_row" param. * supergraph.cc (supernode::dump_dot): Call add_node_annotations twice: as before, passing false for "within_table", then again with true when within the TABLE element. Convert some begin_tr calls to begin_trtd, and some end_tr calls to end_tdtr. Repeat each add_stmt_annotations call, distinguishing between calls that add TRs and those that add TDs to an existing TR. Add a call to add_after_node_annotations. * supergraph.h (dot_annotator::add_node_annotations): Add a "within_table" param. (dot_annotator::add_stmt_annotations): Add a "within_row" param. (dot_annotator::add_after_node_annotations): New vfunc. 2020-03-27 David Malcolm * diagnostic-manager.cc (dedupe_winners::add): Show the exploded_node index in the log messages. (diagnostic_manager::emit_saved_diagnostics): Log a summary of m_saved_diagnostics at entry. 2020-03-27 David Malcolm * supergraph.cc (superedge::dump): Add space before description; move newline to non-pretty_printer overload. 2020-03-18 David Malcolm * region-model.cc: Include "stor-layout.h". (region_model::dump_to_pp): Rather than calling dump_summary_of_map on each of the current frame and the globals, instead get a vec of representative path_vars for all regions, and then dump a summary of all of them. (region_model::dump_summary_of_map): Delete, rewriting into... (region_model::dump_summary_of_rep_path_vars): ...this new function, working on a vec of path_vars. (region_model::set_value): New overload. (region_model::get_representative_path_var): Rename "parent_region" local to "parent_reg" and consolidate with other local. Guard test for grandparent being stack on parent_reg being non-NULL. Move handling for parent being an array_region to within guard for parent_reg being non-NULL. (selftest::make_test_compound_type): New function. (selftest::test_dump_2): New selftest. (selftest::test_dump_3): New selftest. (selftest::test_stack_frames): Update expected output from simplified dump to show "a" and "b" from parent frame and "y" in child frame. (selftest::analyzer_region_model_cc_tests): Call test_dump_2 and test_dump_3. * region-model.h (region_model::set_value): New overload decl. (region_model::dump_summary_of_map): Delete. (region_model::dump_summary_of_rep_path_vars): New. 2020-03-18 David Malcolm * region-model.h (class noop_region_model_context): New subclass of region_model_context. (class tentative_region_model_context): Inherit from noop_region_model_context rather than from region_model_context; drop redundant vfunc implementations. (class test_region_model_context): Likewise. 2020-03-18 David Malcolm * engine.cc (exploded_node::exploded_node): Move implementation here from header; accept point_and_state by const reference rather than by value. * exploded-graph.h (exploded_node::exploded_node): Pass point_and_state by const reference rather than by value. Move body to engine.cc. 2020-03-18 Jakub Jelinek * sm-malloc.cc (malloc_state_machine::on_stmt): Fix up duplicated word issue in a comment. * region-model.cc (region_model::make_region_for_unexpected_tree_code, region_model::delete_region_and_descendents): Likewise. * engine.cc (class exploded_cluster): Likewise. * diagnostic-manager.cc (class path_builder): Likewise. 2020-03-13 David Malcolm PR analyzer/94099 PR analyzer/94105 * diagnostic-manager.cc (for_each_state_change): Bulletproof against errors in get_rvalue by passing a tentative_region_model_context and rejecting if there's an error. * region-model.cc (region_model::get_lvalue_1): When handling ARRAY_REF, handle results of error-handling. Handle NOP_EXPR. 2020-03-06 David Malcolm * analyzer.h (class array_region): New forward decl. * program-state.cc (selftest::test_program_state_dumping_2): New. (selftest::analyzer_program_state_cc_tests): Call it. * region-model.cc (array_region::constant_from_key): New. (region_model::get_representative_tree): Handle region_svalue by generating an ADDR_EXPR. (region_model::get_representative_path_var): In view handling, remove erroneous TREE_TYPE when determining the type of the tree. Handle array regions and STRING_CST. (selftest::assert_dump_tree_eq): New. (ASSERT_DUMP_TREE_EQ): New macro. (selftest::test_get_representative_tree): New selftest. (selftest::analyzer_region_model_cc_tests): Call it. * region-model.h (region::dyn_cast_array_region): New vfunc. (array_region::dyn_cast_array_region): New vfunc implementation. (array_region::constant_from_key): New decl. 2020-03-06 David Malcolm * analyzer.h (dump_quoted_tree): New decl. * engine.cc (exploded_node::dump_dot): Pass region model to sm_state_map::print. * program-state.cc: Include diagnostic-core.h. (sm_state_map::print): Add "model" param and use it to print representative trees. Only print origin information if non-null. (sm_state_map::dump): Pass NULL for model to print call. (program_state::print): Pass region model to sm_state_map::print. (program_state::dump_to_pp): Use spaces rather than newlines when summarizing. Pass region_model to sm_state_map::print. (ana::selftest::assert_dump_eq): New function. (ASSERT_DUMP_EQ): New macro. (ana::selftest::test_program_state_dumping): New function. (ana::selftest::analyzer_program_state_cc_tests): Call it. * program-state.h (program_state::print): Add model param. * region-model.cc (dump_quoted_tree): New function. (map_region::print_fields): Use dump_quoted_tree rather than %qE to avoid lang-dependent output. (map_region::dump_child_label): Likewise. (region_model::dump_summary_of_map): For SK_REGION, when get_representative_path_var fails, print the region id rather than erroneously printing NULL. * sm.cc (state_machine::get_state_by_name): New function. * sm.h (state_machine::get_state_by_name): New decl. 2020-03-04 David Malcolm * region-model.cc (region::validate): Convert model param from ptr to reference. Update comment to reflect that it's now a vfunc. (map_region::validate): New vfunc implementation. (array_region::validate): New vfunc implementation. (stack_region::validate): New vfunc implementation. (root_region::validate): New vfunc implementation. (region_model::validate): Pass a reference rather than a pointer to the region::validate vfunc. * region-model.h (region::validate): Make virtual. Convert model param from ptr to reference. (map_region::validate): New vfunc decl. (array_region::validate): New vfunc decl. (stack_region::validate): New vfunc decl. (root_region::validate): New vfunc decl. 2020-03-04 David Malcolm PR analyzer/93993 * region-model.cc (region_model::on_call_pre): Handle BUILT_IN_EXPECT and its variants. (region_model::add_any_constraints_from_ssa_def_stmt): Split out gassign handling into add_any_constraints_from_gassign; add gcall handling. (region_model::add_any_constraints_from_gassign): New function, based on the above. Add handling for NOP_EXPR. (region_model::add_any_constraints_from_gcall): New function. (region_model::get_representative_path_var): Handle views. * region-model.h (region_model::add_any_constraints_from_ssa_def_stmt): New decl. (region_model::add_any_constraints_from_gassign): New decl. 2020-03-04 David Malcolm PR analyzer/93993 * checker-path.h (state_change_event::get_lvalue): Add ctxt param and pass it to region_model::get_value call. * diagnostic-manager.cc (get_any_origin): Pass a tentative_region_model_context to the calls to get_lvalue and reject the comparison if errors occur. (can_be_expr_of_interest_p): New function. (diagnostic_manager::prune_for_sm_diagnostic): Replace checks for CONSTANT_CLASS_P with calls to update_for_unsuitable_sm_exprs. Pass a tentative_region_model_context to the calls to state_change_event::get_lvalue and reject the comparison if errors occur. (diagnostic_manager::update_for_unsuitable_sm_exprs): New. * diagnostic-manager.h (diagnostic_manager::update_for_unsuitable_sm_exprs): New decl. * region-model.h (class tentative_region_model_context): New class. 2020-03-04 David Malcolm * engine.cc (worklist::worklist): Remove unused field m_eg. (class viz_callgraph_edge): Remove unused field m_call_sedge. (class viz_callgraph): Remove unused field m_sg. * exploded-graph.h (worklist::::m_eg): Remove unused field. 2020-03-02 David Malcolm * analyzer.opt (fanalyzer-show-duplicate-count): New option. * diagnostic-manager.cc (diagnostic_manager::emit_saved_diagnostic): Use the above to guard the printing of the duplicate count. 2020-03-02 David Malcolm PR analyzer/93959 * analyzer.cc (is_std_function_p): New function. (is_std_named_call_p): New functions. * analyzer.h (is_std_named_call_p): New decl. * sm-malloc.cc (malloc_state_machine::on_stmt): Check for "std::" variants when checking for malloc, calloc and free. 2020-02-26 David Malcolm PR analyzer/93950 * diagnostic-manager.cc (diagnostic_manager::prune_for_sm_diagnostic): Assert that var is either NULL or not a constant. When updating var, bulletproof against constant values. 2020-02-26 David Malcolm PR analyzer/93947 * region-model.cc (region_model::get_fndecl_for_call): Gracefully fail for fn_decls that don't have a cgraph_node. 2020-02-26 David Malcolm * bar-chart.cc: New file. * bar-chart.h: New file. * engine.cc: Include "analyzer/bar-chart.h". (stats::log): Only log the m_num_nodes kinds that are non-zero. (stats::dump): Likewise when dumping. (stats::get_total_enodes): New. (exploded_graph::get_or_create_node): Increment the per-point-data m_excess_enodes when hitting the per-program-point limit on enodes. (exploded_graph::print_bar_charts): New. (exploded_graph::log_stats): Log the number of unprocessed enodes in the worklist. Call print_bar_charts. (exploded_graph::dump_stats): Print the number of unprocessed enodes in the worklist. * exploded-graph.h (stats::get_total_enodes): New decl. (struct per_program_point_data): Add field m_excess_enodes. (exploded_graph::print_bar_charts): New decl. * supergraph.cc (superedge::dump): New. (superedge::dump): New. * supergraph.h (supernode::get_function): New. (superedge::dump): New decl. (superedge::dump): New decl. 2020-02-24 David Malcolm * engine.cc (exploded_graph::get_or_create_node): Dump the program_state to the pp, rather than to stderr. 2020-02-24 David Malcolm PR analyzer/93032 * sm.cc (make_checkers): Require the "taint" checker to be explicitly enabled. 2020-02-24 David Malcolm PR analyzer/93899 * engine.cc (impl_region_model_context::impl_region_model_context): Add logger param. * engine.cc (exploded_graph::add_function_entry): Create an impl_region_model_context and pass it to the push_frame call. Bail if the resulting state is invalid. (exploded_graph::build_initial_worklist): Likewise. (exploded_graph::build_initial_worklist): Handle the case where add_function_entry fails. * exploded-graph.h (impl_region_model_context::impl_region_model_context): Add logger param. * region-model.cc (map_region::get_or_create): Add ctxt param and pass it to add_region_for_type. (map_region::can_merge_p): Pass NULL as a ctxt to call to get_or_create. (array_region::get_element): Pass ctxt to call to get_or_create. (array_region::get_or_create): Add ctxt param and pass it to add_region_for_type. (root_region::push_frame): Pass ctxt to get_or_create calls. (region_model::get_lvalue_1): Likewise. (region_model::make_region_for_unexpected_tree_code): Assert that ctxt is non-NULL. (region_model::get_rvalue_1): Pass ctxt to get_svalue_for_fndecl and get_svalue_for_label calls. (region_model::get_svalue_for_fndecl): Add ctxt param and pass it to get_region_for_fndecl. (region_model::get_region_for_fndecl): Add ctxt param and pass it to get_or_create. (region_model::get_svalue_for_label): Add ctxt param and pass it to get_region_for_label. (region_model::get_region_for_label): Add ctxt param and pass it to get_region_for_fndecl and get_or_create. (region_model::get_field_region): Add ctxt param and pass it to get_or_create_view and get_or_create. (make_region_for_type): Replace gcc_unreachable with return NULL. (region_model::add_region_for_type): Add ctxt param. Handle a return of NULL from make_region_for_type by calling make_region_for_unexpected_tree_code. (region_model::get_or_create_mem_ref): Pass ctxt to calls to get_or_create_view. (region_model::get_or_create_view): Add ctxt param and pass it to add_region_for_type. (selftest::test_state_merging): Pass ctxt to get_or_create_view. * region-model.h (region_model::get_or_create): Add ctxt param. (region_model::add_region_for_type): Likewise. (region_model::get_svalue_for_fndecl): Likewise. (region_model::get_svalue_for_label): Likewise. (region_model::get_region_for_fndecl): Likewise. (region_model::get_region_for_label): Likewise. (region_model::get_field_region): Likewise. (region_model::get_or_create_view): Likewise. 2020-02-24 David Malcolm * checker-path.cc (superedge_event::should_filter_p): Update filter for empty descriptions to cover verbosity level 3 as well as 2. * diagnostic-manager.cc: Include "analyzer/reachability.h". (class path_builder): New class. (diagnostic_manager::emit_saved_diagnostic): Create a path_builder and pass it to build_emission_path, rather passing eg; similarly for add_events_for_eedge and ext_state. (diagnostic_manager::build_emission_path): Replace "eg" param with a path_builder, pass it to add_events_for_eedge. (diagnostic_manager::add_events_for_eedge): Replace ext_state param with path_builder; pass it to add_events_for_superedge. (diagnostic_manager::significant_edge_p): New. (diagnostic_manager::add_events_for_superedge): Add path_builder param. Reject insignificant edges at verbosity levels below 3. (diagnostic_manager::prune_for_sm_diagnostic): Update highest verbosity level to 4. * diagnostic-manager.h (class path_builder): New forward decl. (diagnostic_manager::build_emission_path): Replace "eg" param with a path_builder. (diagnostic_manager::add_events_for_eedge): Replace ext_state param with path_builder. (diagnostic_manager::significant_edge_p): New. (diagnostic_manager::add_events_for_superedge): Add path_builder param. * reachability.h: New file. 2020-02-18 David Malcolm PR analyzer/93692 * analyzer.opt (fdump-analyzer-callgraph): Rewrite description. 2020-02-18 David Malcolm PR analyzer/93777 * region-model.cc (region_model::maybe_cast_1): Replace assertion that build_cast returns non-NULL with a conditional, falling through to the logic which returns a new unknown value of the desired type if it fails. 2020-02-18 David Malcolm PR analyzer/93778 * engine.cc (impl_region_model_context::on_unknown_tree_code): Rename to... (impl_region_model_context::on_unexpected_tree_code): ...this and convert first argument from path_var to tree. (exploded_node::on_stmt): Pass ctxt to purge_for_unknown_fncall. * exploded-graph.h (region_model_context::on_unknown_tree_code): Rename to... (region_model_context::on_unexpected_tree_code): ...this and convert first argument from path_var to tree. * program-state.cc (sm_state_map::purge_for_unknown_fncall): Add ctxt param and pass on to calls to get_rvalue. * program-state.h (sm_state_map::purge_for_unknown_fncall): Add ctxt param. * region-model.cc (region_model::handle_unrecognized_call): Pass ctxt on to call to get_rvalue. (region_model::get_lvalue_1): Move body of default case to region_model::make_region_for_unexpected_tree_code and call it. Within COMPONENT_REF case, reject attempts to handle types other than RECORD_TYPE and UNION_TYPE. (region_model::make_region_for_unexpected_tree_code): New function, based on default case of region_model::get_lvalue_1. * region-model.h (region_model::make_region_for_unexpected_tree_code): New decl. (region_model::on_unknown_tree_code): Rename to... (region_model::on_unexpected_tree_code): ...this and convert first argument from path_var to tree. (class test_region_model_context): Update vfunc implementation for above change. 2020-02-18 David Malcolm PR analyzer/93774 * region-model.cc (region_model::convert_byte_offset_to_array_index): Use int_size_in_bytes before calling size_in_bytes, to gracefully fail on incomplete types. 2020-02-17 David Malcolm PR analyzer/93775 * region-model.cc (region_model::get_fndecl_for_call): Handle the case where the code_region's get_tree_for_child_region returns NULL. 2020-02-17 David Malcolm PR analyzer/93388 * engine.cc (impl_region_model_context::on_unknown_tree_code): New. (exploded_graph::get_or_create_node): Reject invalid states. * exploded-graph.h (impl_region_model_context::on_unknown_tree_code): New decl. (point_and_state::point_and_state): Assert that the state is valid. * program-state.cc (program_state::program_state): Initialize m_valid to true. (program_state::operator=): Copy m_valid. (program_state::program_state): Likewise for move constructor. (program_state::print): Print m_valid. (program_state::dump_to_pp): Likewise. * program-state.h (program_state::m_valid): New field. * region-model.cc (region_model::get_lvalue_1): Implement the default case by returning a new symbolic region and calling the context's on_unknown_tree_code, rather than issuing an internal_error. Implement VIEW_CONVERT_EXPR. * region-model.h (region_model_context::on_unknown_tree_code): New vfunc. (test_region_model_context::on_unknown_tree_code): New. 2020-02-17 David Malcolm * sm-malloc.cc (malloc_diagnostic::describe_state_change): For transition to the "null" state, only say "assuming" when transitioning from the "unchecked" state. 2020-02-17 David Malcolm * diagnostic-manager.h (diagnostic_manager::get_saved_diagnostic): Add const overload. * engine.cc (exploded_node::dump_dot): Dump saved_diagnostics. * exploded-graph.h (exploded_graph::get_diagnostic_manager): Add const overload. 2020-02-11 David Malcolm PR analyzer/93288 * analysis-plan.cc (analysis_plan::use_summary_p): Look through the ultimate_alias_target when getting the called function. * engine.cc (exploded_node::on_stmt): Rename second "ctxt" to "sm_ctxt". Use the region_model's get_fndecl_for_call rather than gimple_call_fndecl. * region-model.cc (region_model::get_fndecl_for_call): Use ultimate_alias_target on fndecl. * supergraph.cc (get_ultimate_function_for_cgraph_edge): New function. (supergraph_call_edge): Use it when rejecting edges without functions. (supergraph::supergraph): Use it to get the function for the cgraph_edge when building interprocedural superedges. (callgraph_superedge::get_callee_function): Use it. * supergraph.h (supergraph::get_num_snodes): Make param const. (supergraph::function_to_num_snodes_t): Make first type param const. 2020-02-11 David Malcolm PR analyzer/93374 * engine.cc (exploded_edge::exploded_edge): Add ext_state param and pass it to change.validate. (exploded_graph::get_or_create_node): Move purging of change svalues to also cover the case of reusing an existing enode. (exploded_graph::add_edge): Pass m_ext_state to exploded_edge's ctor. * exploded-graph.h (exploded_edge::exploded_edge): Add ext_state param. * program-state.cc (state_change::sm_change::validate): Likewise. Assert that m_sm_idx is sane. Use ext_state to validate m_old_state and m_new_state. (state_change::validate): Add ext_state param and pass it to the sm_change validate calls. * program-state.h (state_change::sm_change::validate): Add ext_state param. (state_change::validate): Likewise. 2020-02-11 David Malcolm PR analyzer/93669 * engine.cc (exploded_graph::dump_exploded_nodes): Handle missing case of STATUS_WORKLIST in implementation of "__analyzer_dump_exploded_nodes". 2020-02-11 David Malcolm PR analyzer/93649 * constraint-manager.cc (constraint_manager::add_constraint): When merging equivalence classes and updating m_constant, also update m_cst_sid. (constraint_manager::validate): If m_constant is non-NULL assert that m_cst_sid is non-null and is valid. 2020-02-11 David Malcolm PR analyzer/93657 * analyzer.opt (fdump-analyzer): Reword description. (fdump-analyzer-stderr): Likewise. 2020-02-11 David Malcolm * region-model.cc (print_quoted_type): New function. (svalue::print): Use it to replace %qT. (region::dump_to_pp): Likewise. (region::dump_child_label): Likewise. (region::print_fields): Likewise. 2020-02-10 David Malcolm PR analyzer/93659 * analyzer.opt (-param=analyzer-max-recursion-depth=): Fix "tha" -> "that" typo. (Wanalyzer-use-of-uninitialized-value): Fix "initialized" -> "uninitialized" typo. 2020-02-10 David Malcolm PR analyzer/93350 * region-model.cc (region_model::get_lvalue_1): Handle BIT_FIELD_REF. (make_region_for_type): Handle VECTOR_TYPE. 2020-02-10 David Malcolm PR analyzer/93647 * diagnostic-manager.cc (diagnostic_manager::prune_for_sm_diagnostic): Bulletproof against VAR being constant. * region-model.cc (region_model::get_lvalue_1): Provide a better error message when encountering an unhandled tree code. 2020-02-10 David Malcolm PR analyzer/93405 * region-model.cc (region_model::get_lvalue_1): Implement CONST_DECL. 2020-02-06 David Malcolm * region-model.cc (region_model::maybe_cast_1): Attempt to provide a region_svalue if either type is a pointer, rather than if both types are pointers. 2020-02-05 David Malcolm * engine.cc (exploded_node::dump_dot): Show merger enodes. (worklist::add_node): Assert that the node's m_status is STATUS_WORKLIST. (exploded_graph::process_worklist): Likewise for nodes from the worklist. Set status of merged nodes to STATUS_MERGER. (exploded_graph::process_node): Set status of node to STATUS_PROCESSED. (exploded_graph::dump_exploded_nodes): Rework handling of "__analyzer_dump_exploded_nodes", splitting enodes by status into "processed" and "merger", showing the count of just the processed enodes at the call, rather than the count of all enodes. * exploded-graph.h (exploded_node::status): New enum. (exploded_node::exploded_node): Initialize m_status to STATUS_WORKLIST. (exploded_node::get_status): New getter. (exploded_node::set_status): New setter. 2020-02-04 David Malcolm PR analyzer/93543 * engine.cc (pod_hash_traits::mark_empty): Eliminate reinterpret_cast. (pod_hash_traits::is_empty): Likewise. 2020-02-03 David Malcolm * constraint-manager.cc (range::constrained_to_single_element): Replace fold_build2 with fold_binary. Remove unnecessary newline. (constraint_manager::get_or_add_equiv_class): Replace fold_build2 with fold_binary in two places, and remove out-of-date comment. (constraint_manager::eval_condition): Replace fold_build2 with fold_binary. * region-model.cc (constant_svalue::eval_condition): Likewise. (region_model::on_assignment): Likewise. 2020-02-03 David Malcolm PR analyzer/93544 * diagnostic-manager.cc (diagnostic_manager::prune_for_sm_diagnostic): Bulletproof against bad choices due to bad paths. * engine.cc (impl_region_model_context::on_phi): New. * exploded-graph.h (impl_region_model_context::on_phi): New decl. * region-model.cc (region_model::on_longjmp): Likewise. (region_model::handle_phi): Add phi param. Call the ctxt's on_phi vfunc. (region_model::update_for_phis): Pass phi to handle_phi. * region-model.h (region_model::handle_phi): Add phi param. (region_model_context::on_phi): New vfunc. (test_region_model_context::on_phi): New. * sm-malloc.cc (malloc_state_machine::on_phi): New. (malloc_state_machine::on_zero_assignment): New. * sm.h (state_machine::on_phi): New vfunc. 2020-02-03 David Malcolm * engine.cc (supernode_cluster::dump_dot): Show BB index as well as SN index. * supergraph.cc (supernode::dump_dot): Likewise. 2020-02-03 David Malcolm PR analyzer/93546 * region-model.cc (region_model::on_call_pre): Update for new param of symbolic_region ctor. (region_model::deref_rvalue): Likewise. (region_model::add_new_malloc_region): Likewise. (make_region_for_type): Likewise, preserving type. * region-model.h (symbolic_region::symbolic_region): Add "type" param and pass it to base class ctor. 2020-02-03 David Malcolm PR analyzer/93547 * constraint-manager.cc (constraint_manager::get_or_add_equiv_class): Ensure types are compatible before comparing constants. 2020-01-31 David Malcolm PR analyzer/93457 * region-model.cc (make_region_for_type): Use VOID_TYPE_P rather than checking against void_type_node. 2020-01-31 David Malcolm PR analyzer/93373 * region-model.cc (ASSERT_COMPAT_TYPES): Convert to... (assert_compat_types): ...this, and bail when either type is NULL, or when VOID_TYPE_P (dst_type). (region_model::get_lvalue): Update for above conversion. (region_model::get_rvalue): Likewise. 2020-01-31 David Malcolm PR analyzer/93379 * region-model.cc (region_model::update_for_return_superedge): Move check for null result so that it also guards setting the lhs. 2020-01-31 David Malcolm PR analyzer/93438 * region-model.cc (stack_region::can_merge_p): Split into a two pass approach, creating all stack regions first, then populating them. (selftest::test_state_merging): Add test coverage for (a) the case of self-merging a model in which a local in an older stack frame points to a local in a more recent stack frame (which previously would ICE), and (b) the case of self-merging a model in which a local points to a global (which previously worked OK). 2020-01-31 David Malcolm * analyzer.cc (is_named_call_p): Replace tests for fndecl being extern at file scope and having a non-NULL DECL_NAME with a call to maybe_special_function_p. * function-set.cc (function_set::contains_decl_p): Add call to maybe_special_function_p. 2020-01-31 David Malcolm PR analyzer/93450 * constraint-manager.cc (constraint_manager::get_or_add_equiv_class): Only compare constants if their types are compatible. * region-model.cc (constant_svalue::eval_condition): Replace check for identical types with call to types_compatible_p. 2020-01-30 David Malcolm * program-state.cc (extrinsic_state::dump_to_pp): New. (extrinsic_state::dump_to_file): New. (extrinsic_state::dump): New. * program-state.h (extrinsic_state::dump_to_pp): New decl. (extrinsic_state::dump_to_file): New decl. (extrinsic_state::dump): New decl. * sm.cc: Include "pretty-print.h". (state_machine::dump_to_pp): New. * sm.h (state_machine::dump_to_pp): New decl. 2020-01-30 David Malcolm * diagnostic-manager.cc (for_each_state_change): Use extrinsic_state::get_num_checkers rather than accessing m_checkers directly. * program-state.cc (program_state::program_state): Likewise. * program-state.h (extrinsic_state::m_checkers): Make private. 2020-01-30 David Malcolm PR analyzer/93356 * region-model.cc (region_model::eval_condition): In both overloads, bail out immediately on floating-point types. (region_model::eval_condition_without_cm): Likewise. (region_model::add_constraint): Likewise. 2020-01-30 David Malcolm PR analyzer/93450 * program-state.cc (sm_state_map::set_state): For the overload taking an svalue_id, bail out if the set_state on the ec does nothing. Convert the latter's return type from void to bool, returning true if anything changed. (sm_state_map::impl_set_state): Convert the return type from void to bool, returning true if the state changed. * program-state.h (sm_state_map::set_state): Convert return type from void to bool. (sm_state_map::impl_set_state): Likewise. * region-model.cc (constant_svalue::eval_condition): Only call fold_build2 if the types are the same. 2020-01-29 Jakub Jelinek * analyzer.h (PUSH_IGNORE_WFORMAT, POP_IGNORE_WFORMAT): Remove. * constraint-manager.cc: Include diagnostic-core.h before graphviz.h. (range::dump, equiv_class::print): Don't use PUSH_IGNORE_WFORMAT or POP_IGNORE_WFORMAT. * state-purge.cc: Include diagnostic-core.h before gimple-pretty-print.h. (state_purge_annotator::add_node_annotations, print_vec_of_names): Don't use PUSH_IGNORE_WFORMAT or POP_IGNORE_WFORMAT. * region-model.cc: Move diagnostic-core.h include before graphviz.h. (path_var::dump, svalue::print, constant_svalue::print_details, region::dump_to_pp, region::dump_child_label, region::print_fields, map_region::print_fields, map_region::dump_dot_to_pp, map_region::dump_child_label, array_region::print_fields, array_region::dump_dot_to_pp): Don't use PUSH_IGNORE_WFORMAT or POP_IGNORE_WFORMAT. 2020-01-28 David Malcolm PR analyzer/93316 * engine.cc (rewind_info_t::update_model): Get the longjmp call stmt via get_longjmp_call () rather than assuming it is the last stmt in the longjmp's supernode. (rewind_info_t::add_events_to_path): Get the location_t for the rewind_from_longjmp_event via get_longjmp_call () rather than from the supernode's get_end_location (). 2020-01-28 David Malcolm * region-model.cc (poisoned_value_diagnostic::emit): Update for renaming of warning_at overload to warning_meta. * sm-file.cc (file_leak::emit): Likewise. * sm-malloc.cc (double_free::emit): Likewise. (possible_null_deref::emit): Likewise. (possible_null_arg::emit): Likewise. (null_deref::emit): Likewise. (null_arg::emit): Likewise. (use_after_free::emit): Likewise. (malloc_leak::emit): Likewise. (free_of_non_heap::emit): Likewise. * sm-sensitive.cc (exposure_through_output_file::emit): Likewise. * sm-signal.cc (signal_unsafe_call::emit): Likewise. * sm-taint.cc (tainted_array_index::emit): Likewise. 2020-01-27 David Malcolm PR analyzer/93451 * region-model.cc (tree_cmp): For the REAL_CST case, impose an arbitrary order on NaNs relative to other NaNs and to non-NaNs; const-correctness tweak. (ana::selftests::build_real_cst_from_string): New function. (ana::selftests::append_interesting_constants): New function. (ana::selftests::test_tree_cmp_on_constants): New test. (ana::selftests::test_canonicalization_4): New test. (ana::selftests::analyzer_region_model_cc_tests): Call the new tests. 2020-01-27 David Malcolm PR analyzer/93349 * engine.cc (run_checkers): Save and restore input_location. 2020-01-27 David Malcolm * call-string.cc (call_string::cmp_1): Delete, moving body to... (call_string::cmp): ...here. * call-string.h (call_string::cmp_1): Delete decl. * engine.cc (worklist::key_t::cmp_1): Delete, moving body to... (worklist::key_t::cmp): ...here. Implement hash comparisons via comparison rather than subtraction to avoid overflow issues. * exploded-graph.h (worklist::key_t::cmp_1): Delete decl. * region-model.cc (tree_cmp): Eliminate buggy checking for symmetry. 2020-01-27 David Malcolm * analyzer.cc (is_named_call_p): Check that fndecl is "extern" and at file scope. Potentially disregard prefix _ or __ in fndecl's name. Bail if the identifier is NULL. (is_setjmp_call_p): Expect a gcall rather than plain gimple. Remove special-case check for leading prefix, and also check for sigsetjmp. (is_longjmp_call_p): Also check for siglongjmp. (get_user_facing_name): New function. * analyzer.h (is_setjmp_call_p): Expect a gcall rather than plain gimple. (get_user_facing_name): New decl. * checker-path.cc (setjmp_event::get_desc): Use get_user_facing_name to avoid hardcoding the function name. (rewind_event::rewind_event): Add rewind_info param, using it to initialize new m_rewind_info field, and strengthen the assertion. (rewind_from_longjmp_event::get_desc): Use get_user_facing_name to avoid hardcoding the function name. (rewind_to_setjmp_event::get_desc): Likewise. * checker-path.h (setjmp_event::setjmp_event): Add setjmp_call param and use it to initialize... (setjmp_event::m_setjmp_call): New field. (rewind_event::rewind_event): Add rewind_info param. (rewind_event::m_rewind_info): New protected field. (rewind_from_longjmp_event::rewind_from_longjmp_event): Add rewind_info param. (class rewind_to_setjmp_event): Move rewind_info field to parent class. * diagnostic-manager.cc (diagnostic_manager::add_events_for_eedge): Update setjmp-handling for is_setjmp_call_p requiring a gcall; pass the call to the new setjmp_event. * engine.cc (exploded_node::on_stmt): Update for is_setjmp_call_p requiring a gcall. (stale_jmp_buf::emit): Use get_user_facing_name to avoid hardcoding the function names. (exploded_node::on_longjmp): Pass the longjmp_call when constructing rewind_info. (rewind_info_t::add_events_to_path): Pass the rewind_info_t to the rewind_from_longjmp_event's ctor. * exploded-graph.h (rewind_info_t::rewind_info_t): Add longjmp_call param. (rewind_info_t::get_longjmp_call): New. (rewind_info_t::m_longjmp_call): New. * region-model.cc (region_model::on_setjmp): Update comment to indicate this is also for sigsetjmp. * region-model.h (struct setjmp_record): Likewise. (class setjmp_svalue): Likewise. 2020-01-27 David Malcolm PR analyzer/93276 * analyzer.h (PUSH_IGNORE_WFORMAT, POP_IGNORE_WFORMAT): Guard these macros with GCC_VERSION >= 4006, making them no-op otherwise. * engine.cc (exploded_edge::exploded_edge): Specify template for base class initializer. (exploded_graph::add_edge): Specify template when chaining up to base class add_edge implementation. (viz_callgraph_node::dump_dot): Drop redundant "typename". (viz_callgraph_edge::viz_callgraph_edge): Specify template for base class initializer. * program-state.cc (sm_state_map::clone_with_remapping): Drop redundant "typename". (sm_state_map::print): Likewise. (sm_state_map::hash): Likewise. (sm_state_map::operator==): Likewise. (sm_state_map::remap_svalue_ids): Likewise. (sm_state_map::on_svalue_purge): Likewise. (sm_state_map::validate): Likewise. * program-state.h (sm_state_map::iterator_t): Likewise. * supergraph.h (superedge::superedge): Specify template for base class initializer. 2020-01-23 David Malcolm PR analyzer/93375 * supergraph.cc (callgraph_superedge::get_arg_for_parm): Fail gracefully is the number of parameters at the callee exceeds the number of arguments at the call stmt. (callgraph_superedge::get_parm_for_arg): Likewise. 2020-01-22 David Malcolm PR analyzer/93382 * program-state.cc (sm_state_map::on_svalue_purge): If the entry survives, but the origin is being purged, then reset the origin to null. 2020-01-22 David Malcolm * sm-signal.cc: Fix nesting of CHECKING_P and namespace ana. 2020-01-22 David Malcolm PR analyzer/93378 * engine.cc (setjmp_svalue::compare_fields): Update for replacement of m_enode with m_setjmp_record. (setjmp_svalue::add_to_hash): Likewise. (setjmp_svalue::get_index): Rename... (setjmp_svalue::get_enode_index): ...to this. (setjmp_svalue::print_details): Update for replacement of m_enode with m_setjmp_record. (exploded_node::on_longjmp): Likewise. * exploded-graph.h (rewind_info_t::m_enode_origin): Replace... (rewind_info_t::m_setjmp_record): ...with this. (rewind_info_t::rewind_info_t): Update for replacement of m_enode with m_setjmp_record. (rewind_info_t::get_setjmp_point): Likewise. (rewind_info_t::get_setjmp_call): Likewise. * region-model.cc (region_model::dump_summary_of_map): Likewise. (region_model::on_setjmp): Likewise. * region-model.h (struct setjmp_record): New struct. (setjmp_svalue::m_enode): Replace... (setjmp_svalue::m_setjmp_record): ...with this. (setjmp_svalue::setjmp_svalue): Update for replacement of m_enode with m_setjmp_record. (setjmp_svalue::clone): Likewise. (setjmp_svalue::get_index): Rename... (setjmp_svalue::get_enode_index): ...to this. (setjmp_svalue::get_exploded_node): Replace... (setjmp_svalue::get_setjmp_record): ...with this. 2020-01-22 David Malcolm PR analyzer/93316 * analyzer.cc (is_setjmp_call_p): Check for "setjmp" as well as "_setjmp". 2020-01-22 David Malcolm PR analyzer/93307 * analysis-plan.h: Wrap everything namespace "ana". * analyzer-logging.cc: Likewise. * analyzer-logging.h: Likewise. * analyzer-pass.cc (pass_analyzer::execute): Update for "ana" namespace. * analyzer-selftests.cc: Wrap everything namespace "ana". * analyzer-selftests.h: Likewise. * analyzer.h: Likewise for forward decls of types. * call-string.h: Likewise. * checker-path.cc: Likewise. * checker-path.h: Likewise. * constraint-manager.cc: Likewise. * constraint-manager.h: Likewise. * diagnostic-manager.cc: Likewise. * diagnostic-manager.h: Likewise. * engine.cc: Likewise. * engine.h: Likewise. * exploded-graph.h: Likewise. * function-set.cc: Likewise. * function-set.h: Likewise. * pending-diagnostic.cc: Likewise. * pending-diagnostic.h: Likewise. * program-point.cc: Likewise. * program-point.h: Likewise. * program-state.cc: Likewise. * program-state.h: Likewise. * region-model.cc: Likewise. * region-model.h: Likewise. * sm-file.cc: Likewise. * sm-malloc.cc: Likewise. * sm-pattern-test.cc: Likewise. * sm-sensitive.cc: Likewise. * sm-signal.cc: Likewise. * sm-taint.cc: Likewise. * sm.cc: Likewise. * sm.h: Likewise. * state-purge.h: Likewise. * supergraph.cc: Likewise. * supergraph.h: Likewise. 2020-01-21 David Malcolm PR analyzer/93352 * region-model.cc (int_cmp): Rename to... (array_region::key_cmp): ...this, using key_t rather than int. Rewrite in terms of comparisons rather than subtraction to ensure qsort is anti-symmetric when handling extreme values. (array_region::walk_for_canonicalization): Update for above renaming. * region-model.h (array_region::key_cmp): New decl. 2020-01-17 David Malcolm PR analyzer/93290 * region-model.cc (region_model::eval_condition_without_cm): Avoid gcc_unreachable for unexpected operations for the case where we're comparing an svalue against itself. 2020-01-17 David Malcolm PR analyzer/93281 * region-model.cc (region_model::convert_byte_offset_to_array_index): Convert to ssizetype before dividing by byte_size. Use fold_binary rather than fold_build2 to avoid needlessly constructing a tree for the non-const case. 2020-01-15 David Malcolm * engine.cc (class impl_region_model_context): Fix comment. 2020-01-14 David Malcolm PR analyzer/93212 * region-model.cc (make_region_for_type): Use FUNC_OR_METHOD_TYPE_P rather than comparing against FUNCTION_TYPE. * region-model.h (function_region::function_region): Likewise. 2020-01-14 David Malcolm * program-state.cc (sm_state_map::clone_with_remapping): Copy m_global_state. (selftest::test_program_state_merging_2): New selftest. (selftest::analyzer_program_state_cc_tests): Call it. 2020-01-14 David Malcolm * checker-path.h (checker_path::get_checker_event): New function. (checker_path): Add DISABLE_COPY_AND_ASSIGN; make fields private. * diagnostic-manager.cc (diagnostic_manager::prune_for_sm_diagnostic): Replace direct access to checker_path::m_events with accessor functions. Fix overlong line. (diagnostic_manager::prune_interproc_events): Replace direct access to checker_path::m_events with accessor functions. (diagnostic_manager::finish_pruning): Likewise. 2020-01-14 David Malcolm * checker-path.h (checker_event::clone): Delete vfunc decl. (debug_event::clone): Delete vfunc impl. (custom_event::clone): Delete vfunc impl. (statement_event::clone): Delete vfunc impl. (function_entry_event::clone): Delete vfunc impl. (state_change_event::clone): Delete vfunc impl. (start_cfg_edge_event::clone): Delete vfunc impl. (end_cfg_edge_event::clone): Delete vfunc impl. (call_event::clone): Delete vfunc impl. (return_event::clone): Delete vfunc impl. (setjmp_event::clone): Delete vfunc impl. (rewind_from_longjmp_event::clone): Delete vfunc impl. (rewind_to_setjmp_event::clone): Delete vfunc impl. (warning_event::clone): Delete vfunc impl. 2020-01-14 David Malcolm * supergraph.cc (supernode::dump_dot): Ensure that the TABLE element has at least one TR. 2020-01-14 David Malcolm PR analyzer/58237 * engine.cc (leak_stmt_finder::find_stmt): Use get_pure_location when comparing against UNKNOWN_LOCATION. (stmt_requires_new_enode_p): Likewise. (exploded_graph::dump_exploded_nodes): Likewise. * supergraph.cc (supernode::get_start_location): Likewise. (supernode::get_end_location): Likewise. 2020-01-14 David Malcolm PR analyzer/58237 * analyzer-selftests.cc (selftest::run_analyzer_selftests): Call selftest::analyzer_sm_file_cc_tests. * analyzer-selftests.h (selftest::analyzer_sm_file_cc_tests): New decl. * sm-file.cc: Include "analyzer/function-set.h" and "analyzer/analyzer-selftests.h". (get_file_using_fns): New function. (is_file_using_fn_p): New function. (fileptr_state_machine::on_stmt): Return true for known functions. (selftest::analyzer_sm_file_cc_tests): New function. 2020-01-14 David Malcolm * analyzer-selftests.cc (selftest::run_analyzer_selftests): Call selftest::analyzer_sm_signal_cc_tests. * analyzer-selftests.h (selftest::analyzer_sm_signal_cc_tests): New decl. * sm-signal.cc: Include "analyzer/function-set.h" and "analyzer/analyzer-selftests.h". (get_async_signal_unsafe_fns): New function. (signal_unsafe_p): Reimplement in terms of the above. (selftest::analyzer_sm_signal_cc_tests): New function. 2020-01-14 David Malcolm * analyzer-selftests.cc (selftest::run_analyzer_selftests): Call selftest::analyzer_function_set_cc_tests. * analyzer-selftests.h (selftest::analyzer_function_set_cc_tests): New decl. * function-set.cc: New file. * function-set.h: New file. 2020-01-14 David Malcolm * analyzer.h (fndecl_has_gimple_body_p): New decl. * engine.cc (impl_region_model_context::on_unknown_change): New function. (fndecl_has_gimple_body_p): Make non-static. (exploded_node::on_stmt): Treat __analyzer_dump_exploded_nodes as known. Track whether we have a call with unknown side-effects and pass it to on_call_post. * exploded-graph.h (impl_region_model_context::on_unknown_change): New decl. * program-state.cc (sm_state_map::on_unknown_change): New function. * program-state.h (sm_state_map::on_unknown_change): New decl. * region-model.cc: Include "bitmap.h". (region_model::on_call_pre): Return a bool, capturing whether the call has unknown side effects. (region_model::on_call_post): Add arg "bool unknown_side_effects" and if true, call handle_unrecognized_call. (class reachable_regions): New class. (region_model::handle_unrecognized_call): New function. * region-model.h (region_model::on_call_pre): Return a bool. (region_model::on_call_post): Add arg "bool unknown_side_effects". (region_model::handle_unrecognized_call): New decl. (region_model_context::on_unknown_change): New vfunc. (test_region_model_context::on_unknown_change): New function. 2020-01-14 David Malcolm * diagnostic-manager.cc (saved_diagnostic::operator==): Move here from header. Replace pointer equality test on m_var with call to pending_diagnostic::same_tree_p. * diagnostic-manager.h (saved_diagnostic::operator==): Move to diagnostic-manager.cc. * pending-diagnostic.cc (pending_diagnostic::same_tree_p): New. * pending-diagnostic.h (pending_diagnostic::same_tree_p): New. * sm-file.cc (file_diagnostic::subclass_equal_p): Replace pointer equality on m_arg with call to pending_diagnostic::same_tree_p. * sm-malloc.cc (malloc_diagnostic::subclass_equal_p): Likewise. (possible_null_arg::subclass_equal_p): Likewise. (null_arg::subclass_equal_p): Likewise. (free_of_non_heap::subclass_equal_p): Likewise. * sm-pattern-test.cc (pattern_match::operator==): Likewise. * sm-sensitive.cc (exposure_through_output_file::operator==): Likewise. * sm-taint.cc (tainted_array_index::operator==): Likewise. 2020-01-14 David Malcolm * diagnostic-manager.cc (dedupe_winners::add): Add logging of deduplication decisions made. 2020-01-14 David Malcolm * ChangeLog: New file. * analyzer-selftests.cc: New file. * analyzer-selftests.h: New file. * analyzer.opt: New file. * analysis-plan.cc: New file. * analysis-plan.h: New file. * analyzer-logging.cc: New file. * analyzer-logging.h: New file. * analyzer-pass.cc: New file. * analyzer.cc: New file. * analyzer.h: New file. * call-string.cc: New file. * call-string.h: New file. * checker-path.cc: New file. * checker-path.h: New file. * constraint-manager.cc: New file. * constraint-manager.h: New file. * diagnostic-manager.cc: New file. * diagnostic-manager.h: New file. * engine.cc: New file. * engine.h: New file. * exploded-graph.h: New file. * pending-diagnostic.cc: New file. * pending-diagnostic.h: New file. * program-point.cc: New file. * program-point.h: New file. * program-state.cc: New file. * program-state.h: New file. * region-model.cc: New file. * region-model.h: New file. * sm-file.cc: New file. * sm-malloc.cc: New file. * sm-malloc.dot: New file. * sm-pattern-test.cc: New file. * sm-sensitive.cc: New file. * sm-signal.cc: New file. * sm-taint.cc: New file. * sm.cc: New file. * sm.h: New file. * state-purge.cc: New file. * state-purge.h: New file. * supergraph.cc: New file. * supergraph.h: New file. 2019-12-13 David Malcolm * Initial creation Copyright (C) 2019-2021 Free Software Foundation, Inc. Copying and distribution of this file, with or without modification, are permitted in any medium without royalty provided the copyright notice and this notice are preserved.