projects / platform / upstream / gcc.git / commit
? search:
summary | shortlog | log | commit | commitdiff | tree
(parent: c381327) | patch
analyzer: respect some conditions from bit masks [PR108806]
authorDavid Malcolm <dmalcolm@redhat.com>
Thu, 16 Feb 2023 23:12:55 +0000 (18:12 -0500)
committerDavid Malcolm <dmalcolm@redhat.com>
Thu, 16 Feb 2023 23:12:55 +0000 (18:12 -0500)
commit4d3b7be281e73ecdaa233598db1a8390422b7770
treeeb03567b1a6b8f1e3bb42304615b6f043dd97ed1tree | snapshot
parentc381327dd6c2d9996702b2a341b91cf48942a8aecommit | diff
analyzer: respect some conditions from bit masks [PR108806]

PR analyzer/108806 reports false +ves seen from -fanalyzer on code like this
in qemu-7.2.0's hw/intc/omap_intc.c:

  [...snip...]
  struct omap_intr_handler_bank_s* bank = NULL;
  if ((offset & 0xf80) == 0x80) {
    [...set "bank" to non-NULL...]
  }
  switch (offset) {
    [...snip various cases that don't deref "bank"...]
    case 0x80:
      return bank->inputs;
    case 0x84:
      return bank->mask;
    [...etc...]
   }

where the analyzer falsely complains about execution paths in which
"(offset & 0xf80) == 0x80" was false (leaving "bank" as NULL), but then
in which "switch (offset)" goes to a case for which
"(offset & 0xf80) == 0x80" is true and dereferences NULL "bank", i.e.
paths in which "(offset & 0xf80) == 0x80" is both true *and* false.

This patch adds enough logic to constraint_manager for -fanalyzer to
reject such execution paths as impossible, fixing the false +ves.

Integration testing shows this eliminates 20 probable false positives:

Comparison: 9.08% -> 9.34% GOOD: 66 BAD: 661 -> 641 (-20)

where the affected warnings/projects are:

  -Wanalyzer-null-dereference: 0.00% GOOD: 0 BAD: 279 -> 269 (-10)
        qemu-7.2.0: 175 -> 165 (-10)

  -Wanalyzer-use-of-uninitialized-value: 0.00% GOOD: 0 BAD: 153 -> 143 (-10)
     coreutils-9.1:  18 ->  14 (-4)
        qemu-7.2.0:  54 ->  48 (-6)

gcc/analyzer/ChangeLog:
PR analyzer/108806
* constraint-manager.cc (bounded_range::dump_to_pp): Use
bounded_range::singleton_p.
(constraint_manager::add_bounded_ranges): Handle singleton ranges
by adding an EQ_EXPR constraint.
(constraint_manager::impossible_derived_conditions_p): New.
(constraint_manager::eval_condition): Reject EQ_EXPR when it would
imply impossible derived conditions.
(selftest::test_bits): New.
(selftest::run_constraint_manager_tests): Run it.
* constraint-manager.h (bounded_range::singleton_p): New.
(constraint_manager::impossible_derived_conditions_p): New decl.
* region-model.cc (region_model::get_rvalue_1): Handle
BIT_AND_EXPR, BIT_IOR_EXPR, and BIT_XOR_EXPR.

gcc/testsuite/ChangeLog:
PR analyzer/108806
* gcc.dg/analyzer/null-deref-pr108806-qemu.c: New test.
* gcc.dg/analyzer/pr103217.c: Add -Wno-analyzer-too-complex.
* gcc.dg/analyzer/switch.c (test_bitmask_1): New.
(test_bitmask_2): New.
* gcc.dg/analyzer/uninit-pr108806-qemu.c: New test.

Signed-off-by: David Malcolm <dmalcolm@redhat.com>
gcc/analyzer/constraint-manager.cc diff | blob | history
gcc/analyzer/constraint-manager.h diff | blob | history
gcc/analyzer/region-model.cc diff | blob | history
gcc/testsuite/gcc.dg/analyzer/null-deref-pr108806-qemu.c [new file with mode: 0644] blob
gcc/testsuite/gcc.dg/analyzer/pr103217.c diff | blob | history
gcc/testsuite/gcc.dg/analyzer/switch.c diff | blob | history
gcc/testsuite/gcc.dg/analyzer/uninit-pr108806-qemu.c [new file with mode: 0644] blob
Domain: System / Toolchain;