projects / platform / upstream / gcc.git / commit
? search:
summary | shortlog | log | commit | commitdiff | tree
(parent: 1203e8f) | patch
analyzer: ensure that we purge state when reusing a conjured_svalue [PR105087]
authorDavid Malcolm <dmalcolm@redhat.com>
Tue, 29 Mar 2022 00:41:23 +0000 (20:41 -0400)
committerDavid Malcolm <dmalcolm@redhat.com>
Tue, 29 Mar 2022 00:41:23 +0000 (20:41 -0400)
commit3734527dfa0d10a50aee2f088d37320000fd65bf
tree0885e7f4830b9064a520fd4583eb16f54c8660a0tree | snapshot
parent1203e8f7880c9751ece5f5302e413b20f4608a00commit | diff
analyzer: ensure that we purge state when reusing a conjured_svalue [PR105087]

PR analyzer/105087 describes a false positive from
-Wanalyzer-double-free in which the analyzer erroneously considers two
successive inlined vasprintf calls to have allocated the same pointer.

The root cause is that the result written back from vasprintf is a
conjured_svalue, and that we normally purge state when reusing a
conjured_svalue, but various places in the code were calling
region_model_manager::get_or_create_conjured_svalue but failing to
then call region_model::purge_state_involving on the result.

This patch fixes things by moving responsibility for calling
region_model::purge_state_involving into
region_model_manager::get_or_create_conjured_svalue, so that it is
always called when reusing a conjured_svalue, fixing the false positive.

gcc/analyzer/ChangeLog:
PR analyzer/105087
* analyzer.h (class conjured_purge): New forward decl.
* region-model-asm.cc (region_model::on_asm_stmt): Add
conjured_purge param to calls binding_cluster::on_asm and
region_model_manager::get_or_create_conjured_svalue.
* region-model-impl-calls.cc
(call_details::get_or_create_conjured_svalue): Likewise for call
to region_model_manager::get_or_create_conjured_svalue.
(region_model::impl_call_fgets): Remove call to
region_model::purge_state_involving, as this is now done
implicitly by call_details::get_or_create_conjured_svalue.
(region_model::impl_call_fread): Likewise.
(region_model::impl_call_strchr): Pass conjured_purge param to
call to region_model_manager::get_or_create_conjured_svalue.
* region-model-manager.cc (conjured_purge::purge): New.
(region_model_manager::get_or_create_conjured_svalue): Add
param "p".  Use it to purge state when reusing an existing
conjured_svalue.
* region-model.cc (region_model::on_call_pre): Replace call to
region_model::purge_state_involving with passing conjured_purge
to region_model_manager::get_or_create_conjured_svalue.
(region_model::handle_unrecognized_call): Pass conjured_purge to
store::on_unknown_fncall.
* region-model.h
(region_model_manager::get_or_create_conjured_svalue): Add param
"p".
* store.cc (binding_cluster::on_unknown_fncall): Likewise.  Pass
it on to region_model_manager::get_or_create_conjured_svalue.
(binding_cluster::on_asm): Likewise.
(store::on_unknown_fncall): Add param "p" and pass it on to
binding_cluster::on_unknown_fncall.
* store.h (binding_cluster::on_unknown_fncall): Add param p.
(binding_cluster::on_asm): Likewise.
(store::on_unknown_fncall): Likewise.
* svalue.h (class conjured_purge): New.

gcc/testsuite/ChangeLog:
* gcc.dg/analyzer/pr105087-1.c: New test.
* gcc.dg/analyzer/pr105087-2.c: New test.
* gcc.dg/analyzer/vasprintf-1.c: New test.

Signed-off-by: David Malcolm <dmalcolm@redhat.com>
12 files changed:
gcc/analyzer/analyzer.h diff | blob | history
gcc/analyzer/region-model-asm.cc diff | blob | history
gcc/analyzer/region-model-impl-calls.cc diff | blob | history
gcc/analyzer/region-model-manager.cc diff | blob | history
gcc/analyzer/region-model.cc diff | blob | history
gcc/analyzer/region-model.h diff | blob | history
gcc/analyzer/store.cc diff | blob | history
gcc/analyzer/store.h diff | blob | history
gcc/analyzer/svalue.h diff | blob | history
gcc/testsuite/gcc.dg/analyzer/pr105087-1.c [new file with mode: 0644] blob
gcc/testsuite/gcc.dg/analyzer/pr105087-2.c [new file with mode: 0644] blob
gcc/testsuite/gcc.dg/analyzer/vasprintf-1.c [new file with mode: 0644] blob
Domain: System / Toolchain;