1 /* Detect paths through the CFG which can never be executed in a conforming
2 program and isolate them.
4 Copyright (C) 2013-2019 Free Software Foundation, Inc.
6 This file is part of GCC.
8 GCC is free software; you can redistribute it and/or modify
9 it under the terms of the GNU General Public License as published by
10 the Free Software Foundation; either version 3, or (at your option)
13 GCC is distributed in the hope that it will be useful,
14 but WITHOUT ANY WARRANTY; without even the implied warranty of
15 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
16 GNU General Public License for more details.
18 You should have received a copy of the GNU General Public License
19 along with GCC; see the file COPYING3. If not see
20 <http://www.gnu.org/licenses/>. */
24 #include "coretypes.h"
29 #include "tree-pass.h"
31 #include "diagnostic-core.h"
32 #include "fold-const.h"
33 #include "gimple-iterator.h"
34 #include "gimple-walk.h"
42 static bool cfg_altered;
44 /* Callback for walk_stmt_load_store_ops.
46 Return TRUE if OP will dereference the tree stored in DATA, FALSE
49 This routine only makes a superficial check for a dereference. Thus,
50 it must only be used if it is safe to return a false negative. */
52 check_loadstore (gimple *stmt, tree op, tree, void *data)
54 if ((TREE_CODE (op) == MEM_REF || TREE_CODE (op) == TARGET_MEM_REF)
55 && operand_equal_p (TREE_OPERAND (op, 0), (tree)data, 0))
57 TREE_THIS_VOLATILE (op) = 1;
58 TREE_SIDE_EFFECTS (op) = 1;
65 /* Insert a trap after SI and split the block after the trap. */
68 insert_trap (gimple_stmt_iterator *si_p, tree op)
70 /* We want the NULL pointer dereference to actually occur so that
71 code that wishes to catch the signal can do so.
73 If the dereference is a load, then there's nothing to do as the
74 LHS will be a throw-away SSA_NAME and the RHS is the NULL dereference.
76 If the dereference is a store and we can easily transform the RHS,
77 then simplify the RHS to enable more DCE. Note that we require the
78 statement to be a GIMPLE_ASSIGN which filters out calls on the RHS. */
79 gimple *stmt = gsi_stmt (*si_p);
80 if (walk_stmt_load_store_ops (stmt, (void *)op, NULL, check_loadstore)
81 && is_gimple_assign (stmt)
82 && INTEGRAL_TYPE_P (TREE_TYPE (gimple_assign_lhs (stmt))))
84 /* We just need to turn the RHS into zero converted to the proper
86 tree type = TREE_TYPE (gimple_assign_lhs (stmt));
87 gimple_assign_set_rhs_code (stmt, INTEGER_CST);
88 gimple_assign_set_rhs1 (stmt, fold_convert (type, integer_zero_node));
93 = gimple_build_call (builtin_decl_explicit (BUILT_IN_TRAP), 0);
94 gimple_seq seq = NULL;
95 gimple_seq_add_stmt (&seq, new_stmt);
97 /* If we had a NULL pointer dereference, then we want to insert the
98 __builtin_trap after the statement, for the other cases we want
99 to insert before the statement. */
100 if (walk_stmt_load_store_ops (stmt, (void *)op,
104 gsi_insert_after (si_p, seq, GSI_NEW_STMT);
105 if (stmt_ends_bb_p (stmt))
107 split_block (gimple_bb (stmt), stmt);
112 gsi_insert_before (si_p, seq, GSI_NEW_STMT);
114 split_block (gimple_bb (new_stmt), new_stmt);
115 *si_p = gsi_for_stmt (stmt);
118 /* BB when reached via incoming edge E will exhibit undefined behavior
119 at STMT. Isolate and optimize the path which exhibits undefined
122 Isolation is simple. Duplicate BB and redirect E to BB'.
124 Optimization is simple as well. Replace STMT in BB' with an
125 unconditional trap and remove all outgoing edges from BB'.
127 If RET_ZERO, do not trap, only return NULL.
129 DUPLICATE is a pre-existing duplicate, use it as BB' if it exists.
134 isolate_path (basic_block bb, basic_block duplicate,
135 edge e, gimple *stmt, tree op, bool ret_zero)
137 gimple_stmt_iterator si, si2;
140 bool impossible = true;
141 profile_count count = e->count ();
143 for (si = gsi_start_bb (bb); gsi_stmt (si) != stmt; gsi_next (&si))
144 if (stmt_can_terminate_bb_p (gsi_stmt (si)))
149 force_edge_cold (e, impossible);
151 /* First duplicate BB if we have not done so already and remove all
152 the duplicate's outgoing edges as duplicate is going to unconditionally
153 trap. Removing the outgoing edges is both an optimization and ensures
154 we don't need to do any PHI node updates. */
157 duplicate = duplicate_block (bb, NULL, NULL);
158 duplicate->count = profile_count::zero ();
160 for (ei = ei_start (duplicate->succs); (e2 = ei_safe_edge (ei)); )
165 /* Complete the isolation step by redirecting E to reach DUPLICATE. */
166 e2 = redirect_edge_and_branch (e, duplicate);
169 flush_pending_stmts (e2);
171 /* Update profile only when redirection is really processed. */
172 bb->count += e->count ();
175 /* There may be more than one statement in DUPLICATE which exhibits
176 undefined behavior. Ultimately we want the first such statement in
177 DUPLCIATE so that we're able to delete as much code as possible.
179 So each time we discover undefined behavior in DUPLICATE, search for
180 the statement which triggers undefined behavior. If found, then
181 transform the statement into a trap and delete everything after the
182 statement. If not found, then this particular instance was subsumed by
183 an earlier instance of undefined behavior and there's nothing to do.
185 This is made more complicated by the fact that we have STMT, which is in
186 BB rather than in DUPLICATE. So we set up two iterators, one for each
187 block and walk forward looking for STMT in BB, advancing each iterator at
190 When we find STMT the second iterator should point to STMT's equivalent in
191 duplicate. If DUPLICATE ends before STMT is found in BB, then there's
194 Ignore labels and debug statements. */
195 si = gsi_start_nondebug_after_labels_bb (bb);
196 si2 = gsi_start_nondebug_after_labels_bb (duplicate);
197 while (!gsi_end_p (si) && !gsi_end_p (si2) && gsi_stmt (si) != stmt)
199 gsi_next_nondebug (&si);
200 gsi_next_nondebug (&si2);
203 /* This would be an indicator that we never found STMT in BB, which should
205 gcc_assert (!gsi_end_p (si));
207 /* If we did not run to the end of DUPLICATE, then SI points to STMT and
208 SI2 points to the duplicate of STMT in DUPLICATE. Insert a trap
209 before SI2 and remove SI2 and all trailing statements. */
210 if (!gsi_end_p (si2))
214 greturn *ret = as_a <greturn *> (gsi_stmt (si2));
215 tree zero = build_zero_cst (TREE_TYPE (gimple_return_retval (ret)));
216 gimple_return_set_retval (ret, zero);
220 insert_trap (&si2, op);
226 /* Return TRUE if STMT is a div/mod operation using DIVISOR as the divisor.
230 is_divmod_with_given_divisor (gimple *stmt, tree divisor)
232 /* Only assignments matter. */
233 if (!is_gimple_assign (stmt))
236 /* Check for every DIV/MOD expression. */
237 enum tree_code rhs_code = gimple_assign_rhs_code (stmt);
238 if (rhs_code == TRUNC_DIV_EXPR
239 || rhs_code == FLOOR_DIV_EXPR
240 || rhs_code == CEIL_DIV_EXPR
241 || rhs_code == EXACT_DIV_EXPR
242 || rhs_code == ROUND_DIV_EXPR
243 || rhs_code == TRUNC_MOD_EXPR
244 || rhs_code == FLOOR_MOD_EXPR
245 || rhs_code == CEIL_MOD_EXPR
246 || rhs_code == ROUND_MOD_EXPR)
248 /* Pointer equality is fine when DIVISOR is an SSA_NAME, but
249 not sufficient for constants which may have different types. */
250 if (operand_equal_p (gimple_assign_rhs2 (stmt), divisor, 0))
256 /* NAME is an SSA_NAME that we have already determined has the value 0 or NULL.
258 Return TRUE if USE_STMT uses NAME in a way where a 0 or NULL value results
259 in undefined behavior, FALSE otherwise
261 LOC is used for issuing diagnostics. This case represents potential
262 undefined behavior exposed by path splitting and that's reflected in
266 stmt_uses_name_in_undefined_way (gimple *use_stmt, tree name, location_t loc)
268 /* If we are working with a non pointer type, then see
269 if this use is a DIV/MOD operation using NAME as the
271 if (!POINTER_TYPE_P (TREE_TYPE (name)))
273 if (!cfun->can_throw_non_call_exceptions)
274 return is_divmod_with_given_divisor (use_stmt, name);
278 /* NAME is a pointer, so see if it's used in a context where it must
281 = infer_nonnull_range_by_dereference (use_stmt, name);
284 || infer_nonnull_range_by_attribute (use_stmt, name))
289 warning_at (loc, OPT_Wnull_dereference,
290 "potential null pointer dereference");
291 if (!flag_isolate_erroneous_paths_dereference)
296 if (!flag_isolate_erroneous_paths_attribute)
304 /* Return TRUE if USE_STMT uses 0 or NULL in a context which results in
305 undefined behavior, FALSE otherwise.
307 These cases are explicit in the IL. */
310 stmt_uses_0_or_null_in_undefined_way (gimple *stmt)
312 if (!cfun->can_throw_non_call_exceptions
313 && is_divmod_with_given_divisor (stmt, integer_zero_node))
316 /* By passing null_pointer_node, we can use the
317 infer_nonnull_range functions to detect explicit NULL
318 pointer dereferences and other uses where a non-NULL
319 value is required. */
322 = infer_nonnull_range_by_dereference (stmt, null_pointer_node);
324 || infer_nonnull_range_by_attribute (stmt, null_pointer_node))
328 location_t loc = gimple_location (stmt);
329 warning_at (loc, OPT_Wnull_dereference,
330 "null pointer dereference");
331 if (!flag_isolate_erroneous_paths_dereference)
336 if (!flag_isolate_erroneous_paths_attribute)
344 /* Look for PHI nodes which feed statements in the same block where
345 the value of the PHI node implies the statement is erroneous.
347 For example, a NULL PHI arg value which then feeds a pointer
350 When found isolate and optimize the path associated with the PHI
351 argument feeding the erroneous statement. */
353 find_implicit_erroneous_behavior (void)
357 FOR_EACH_BB_FN (bb, cfun)
361 /* Out of an abundance of caution, do not isolate paths to a
362 block where the block has any abnormal outgoing edges.
364 We might be able to relax this in the future. We have to detect
365 when we have to split the block with the NULL dereference and
366 the trap we insert. We have to preserve abnormal edges out
367 of the isolated block which in turn means updating PHIs at
368 the targets of those abnormal outgoing edges. */
369 if (has_abnormal_or_eh_outgoing_edge_p (bb))
373 /* If BB has an edge to itself, then duplication of BB below
374 could result in reallocation of BB's PHI nodes. If that happens
375 then the loop below over the PHIs would use the old PHI and
376 thus invalid information. We don't have a good way to know
377 if a PHI has been reallocated, so just avoid isolation in
379 if (find_edge (bb, bb))
382 /* First look for a PHI which sets a pointer to NULL and which
383 is then dereferenced within BB. This is somewhat overly
384 conservative, but probably catches most of the interesting
386 for (si = gsi_start_phis (bb); !gsi_end_p (si); gsi_next (&si))
388 gphi *phi = si.phi ();
389 tree lhs = gimple_phi_result (phi);
391 /* PHI produces a pointer result. See if any of the PHI's
394 When we remove an edge, we want to reprocess the current
395 index, hence the ugly way we update I for each iteration. */
396 basic_block duplicate = NULL;
397 for (unsigned i = 0, next_i = 0;
398 i < gimple_phi_num_args (phi);
401 tree op = gimple_phi_arg_def (phi, i);
402 edge e = gimple_phi_arg_edge (phi, i);
403 imm_use_iterator iter;
408 if (TREE_CODE (op) == ADDR_EXPR)
410 tree valbase = get_base_address (TREE_OPERAND (op, 0));
411 if ((VAR_P (valbase) && !is_global_var (valbase))
412 || TREE_CODE (valbase) == PARM_DECL)
414 FOR_EACH_IMM_USE_STMT (use_stmt, iter, lhs)
417 = dyn_cast <greturn *> (use_stmt);
421 if (gimple_return_retval (return_stmt) != lhs)
425 auto_diagnostic_group d;
426 if (warning_at (gimple_location (use_stmt),
427 OPT_Wreturn_local_addr,
428 "function may return address "
429 "of local variable"))
430 inform (DECL_SOURCE_LOCATION(valbase),
434 if ((flag_isolate_erroneous_paths_dereference
435 || flag_isolate_erroneous_paths_attribute)
436 && gimple_bb (use_stmt) == bb)
438 duplicate = isolate_path (bb, duplicate, e,
439 use_stmt, lhs, true);
441 /* When we remove an incoming edge, we need to
442 reprocess the Ith element. */
450 if (!integer_zerop (op))
453 location_t phi_arg_loc = gimple_phi_arg_location (phi, i);
455 /* We've got a NULL PHI argument. Now see if the
456 PHI's result is dereferenced within BB. */
457 FOR_EACH_IMM_USE_STMT (use_stmt, iter, lhs)
459 /* We only care about uses in BB. Catching cases in
460 in other blocks would require more complex path
462 if (gimple_bb (use_stmt) != bb)
465 location_t loc = gimple_location (use_stmt)
466 ? gimple_location (use_stmt)
469 if (stmt_uses_name_in_undefined_way (use_stmt, lhs, loc))
471 duplicate = isolate_path (bb, duplicate, e,
472 use_stmt, lhs, false);
474 /* When we remove an incoming edge, we need to
475 reprocess the Ith element. */
485 /* Look for statements which exhibit erroneous behavior. For example
486 a NULL pointer dereference.
488 When found, optimize the block containing the erroneous behavior. */
490 find_explicit_erroneous_behavior (void)
494 FOR_EACH_BB_FN (bb, cfun)
496 gimple_stmt_iterator si;
498 /* Out of an abundance of caution, do not isolate paths to a
499 block where the block has any abnormal outgoing edges.
501 We might be able to relax this in the future. We have to detect
502 when we have to split the block with the NULL dereference and
503 the trap we insert. We have to preserve abnormal edges out
504 of the isolated block which in turn means updating PHIs at
505 the targets of those abnormal outgoing edges. */
506 if (has_abnormal_or_eh_outgoing_edge_p (bb))
509 /* Now look at the statements in the block and see if any of
510 them explicitly dereference a NULL pointer. This happens
511 because of jump threading and constant propagation. */
512 for (si = gsi_start_bb (bb); !gsi_end_p (si); gsi_next (&si))
514 gimple *stmt = gsi_stmt (si);
516 if (stmt_uses_0_or_null_in_undefined_way (stmt))
518 insert_trap (&si, null_pointer_node);
519 bb = gimple_bb (gsi_stmt (si));
521 /* Ignore any more operands on this statement and
522 continue the statement iterator (which should
523 terminate its loop immediately. */
528 /* Detect returning the address of a local variable. This only
529 becomes undefined behavior if the result is used, so we do not
530 insert a trap and only return NULL instead. */
531 if (greturn *return_stmt = dyn_cast <greturn *> (stmt))
533 tree val = gimple_return_retval (return_stmt);
534 if (val && TREE_CODE (val) == ADDR_EXPR)
536 tree valbase = get_base_address (TREE_OPERAND (val, 0));
537 if ((VAR_P (valbase) && !is_global_var (valbase))
538 || TREE_CODE (valbase) == PARM_DECL)
540 /* We only need it for this particular case. */
541 calculate_dominance_info (CDI_POST_DOMINATORS);
543 bool always_executed = dominated_by_p
544 (CDI_POST_DOMINATORS,
545 single_succ (ENTRY_BLOCK_PTR_FOR_FN (cfun)), bb);
547 msg = N_("function returns address of local variable");
549 msg = N_("function may return address of "
552 auto_diagnostic_group d;
553 if (warning_at (gimple_location (stmt),
554 OPT_Wreturn_local_addr, msg))
555 inform (DECL_SOURCE_LOCATION(valbase),
559 /* Do not modify code if the user only asked for
561 if (flag_isolate_erroneous_paths_dereference
562 || flag_isolate_erroneous_paths_attribute)
564 tree zero = build_zero_cst (TREE_TYPE (val));
565 gimple_return_set_retval (return_stmt, zero);
575 /* Search the function for statements which, if executed, would cause
576 the program to fault such as a dereference of a NULL pointer.
578 Such a program can't be valid if such a statement was to execute
579 according to ISO standards.
581 We detect explicit NULL pointer dereferences as well as those implied
582 by a PHI argument having a NULL value which unconditionally flows into
583 a dereference in the same block as the PHI.
585 In the former case we replace the offending statement with an
586 unconditional trap and eliminate the outgoing edges from the statement's
587 basic block. This may expose secondary optimization opportunities.
589 In the latter case, we isolate the path(s) with the NULL PHI
590 feeding the dereference. We can then replace the offending statement
591 and eliminate the outgoing edges in the duplicate. Again, this may
592 expose secondary optimization opportunities.
594 A warning for both cases may be advisable as well.
596 Other statically detectable violations of the ISO standard could be
597 handled in a similar way, such as out-of-bounds array indexing. */
600 gimple_ssa_isolate_erroneous_paths (void)
602 initialize_original_copy_tables ();
604 /* Search all the blocks for edges which, if traversed, will
605 result in undefined behavior. */
608 /* First handle cases where traversal of a particular edge
609 triggers undefined behavior. These cases require creating
610 duplicate blocks and thus new SSA_NAMEs.
612 We want that process complete prior to the phase where we start
613 removing edges from the CFG. Edge removal may ultimately result in
614 removal of PHI nodes and thus releasing SSA_NAMEs back to the
617 If the two processes run in parallel we could release an SSA_NAME
618 back to the manager but we could still have dangling references
619 to the released SSA_NAME in unreachable blocks.
620 that any released names not have dangling references in the IL. */
621 find_implicit_erroneous_behavior ();
622 find_explicit_erroneous_behavior ();
624 free_original_copy_tables ();
626 /* We scramble the CFG and loop structures a bit, clean up
627 appropriately. We really should incrementally update the
628 loop structures, in theory it shouldn't be that hard. */
629 free_dominance_info (CDI_POST_DOMINATORS);
632 free_dominance_info (CDI_DOMINATORS);
633 loops_state_set (LOOPS_NEED_FIXUP);
634 return TODO_cleanup_cfg | TODO_update_ssa;
640 const pass_data pass_data_isolate_erroneous_paths =
642 GIMPLE_PASS, /* type */
643 "isolate-paths", /* name */
644 OPTGROUP_NONE, /* optinfo_flags */
645 TV_ISOLATE_ERRONEOUS_PATHS, /* tv_id */
646 ( PROP_cfg | PROP_ssa ), /* properties_required */
647 0, /* properties_provided */
648 0, /* properties_destroyed */
649 0, /* todo_flags_start */
650 0, /* todo_flags_finish */
653 class pass_isolate_erroneous_paths : public gimple_opt_pass
656 pass_isolate_erroneous_paths (gcc::context *ctxt)
657 : gimple_opt_pass (pass_data_isolate_erroneous_paths, ctxt)
660 /* opt_pass methods: */
661 opt_pass * clone () { return new pass_isolate_erroneous_paths (m_ctxt); }
662 virtual bool gate (function *)
664 /* If we do not have a suitable builtin function for the trap statement,
665 then do not perform the optimization. */
666 return (flag_isolate_erroneous_paths_dereference != 0
667 || flag_isolate_erroneous_paths_attribute != 0
668 || warn_null_dereference);
671 virtual unsigned int execute (function *)
673 return gimple_ssa_isolate_erroneous_paths ();
676 }; // class pass_isolate_erroneous_paths
680 make_pass_isolate_erroneous_paths (gcc::context *ctxt)
682 return new pass_isolate_erroneous_paths (ctxt);
projects / platform / upstream / gcc.git / blob