/buildworker/marxinbox-gcc-clang-static-analyzer/build/gcc/analyzer/region-model.cc

Bug Summary

File:	build/gcc/analyzer/region-model.cc
Warning:	line 295, column 23 Use of memory after it is freed
Annotated Source Code

Press '?' to see keyboard shortcuts
Show analyzer invocation
clang -cc1 -cc1 -triple x86_64-suse-linux -analyze -disable-free -clear-ast-before-backend -disable-llvm-verifier -discard-value-names -main-file-name region-model.cc -analyzer-checker=core -analyzer-checker=apiModeling -analyzer-checker=unix -analyzer-checker=deadcode -analyzer-checker=cplusplus -analyzer-checker=security.insecureAPI.UncheckedReturn -analyzer-checker=security.insecureAPI.getpw -analyzer-checker=security.insecureAPI.gets -analyzer-checker=security.insecureAPI.mktemp -analyzer-checker=security.insecureAPI.mkstemp -analyzer-checker=security.insecureAPI.vfork -analyzer-checker=nullability.NullPassedToNonnull -analyzer-checker=nullability.NullReturnedFromNonnull -analyzer-output plist -w -setup-static-analyzer -analyzer-config-compatibility-mode=true -mrelocation-model static -mframe-pointer=none -fmath-errno -ffp-contract=on -fno-rounding-math -mconstructor-aliases -funwind-tables=2 -target-cpu x86-64 -tune-cpu generic -debugger-tuning=gdb -fcoverage-compilation-dir=/buildworker/marxinbox-gcc-clang-static-analyzer/objdir/gcc -resource-dir /usr/lib64/clang/15.0.7 -D IN_GCC -D HAVE_CONFIG_H -I . -I analyzer -I /buildworker/marxinbox-gcc-clang-static-analyzer/build/gcc -I /buildworker/marxinbox-gcc-clang-static-analyzer/build/gcc/analyzer -I /buildworker/marxinbox-gcc-clang-static-analyzer/build/gcc/../include -I /buildworker/marxinbox-gcc-clang-static-analyzer/build/gcc/../libcpp/include -I /buildworker/marxinbox-gcc-clang-static-analyzer/build/gcc/../libcody -I /buildworker/marxinbox-gcc-clang-static-analyzer/build/gcc/../libdecnumber -I /buildworker/marxinbox-gcc-clang-static-analyzer/build/gcc/../libdecnumber/bid -I ../libdecnumber -I /buildworker/marxinbox-gcc-clang-static-analyzer/build/gcc/../libbacktrace -internal-isystem /usr/bin/../lib64/gcc/x86_64-suse-linux/13/../../../../include/c++/13 -internal-isystem /usr/bin/../lib64/gcc/x86_64-suse-linux/13/../../../../include/c++/13/x86_64-suse-linux -internal-isystem /usr/bin/../lib64/gcc/x86_64-suse-linux/13/../../../../include/c++/13/backward -internal-isystem /usr/lib64/clang/15.0.7/include -internal-isystem /usr/local/include -internal-isystem /usr/bin/../lib64/gcc/x86_64-suse-linux/13/../../../../x86_64-suse-linux/include -internal-externc-isystem /include -internal-externc-isystem /usr/include -O2 -Wno-narrowing -Wwrite-strings -fdeprecated-macro -fdebug-compilation-dir=/buildworker/marxinbox-gcc-clang-static-analyzer/objdir/gcc -ferror-limit 19 -fno-rtti -fgnuc-version=4.2.1 -vectorize-loops -vectorize-slp -analyzer-output=plist-html -analyzer-config silence-checkers=core.NullDereference -faddrsig -D__GCC_HAVE_DWARF2_CFI_ASM=1 -o /buildworker/marxinbox-gcc-clang-static-analyzer/objdir/clang-static-analyzer/2023-03-27-141847-20772-1/report-zdRMAs.plist -x c++ /buildworker/marxinbox-gcc-clang-static-analyzer/build/gcc/analyzer/region-model.cc
1/* Classes for modeling the state of memory.
 Copyright (C) 2019-2023 Free Software Foundation, Inc.
 Contributed by David Malcolm <dmalcolm@redhat.com>.

5This file is part of GCC.

7GCC is free software; you can redistribute it and/or modify it
8under the terms of the GNU General Public License as published by
9the Free Software Foundation; either version 3, or (at your option)
10any later version.

12GCC is distributed in the hope that it will be useful, but
13WITHOUT ANY WARRANTY; without even the implied warranty of
14MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
15General Public License for more details.

17You should have received a copy of the GNU General Public License
18along with GCC; see the file COPYING3.  If not see
19<http://www.gnu.org/licenses/>.  */

21#include "config.h"
22#define INCLUDE_MEMORY
23#include "system.h"
24#include "coretypes.h"
25#include "make-unique.h"
26#include "tree.h"
27#include "function.h"
28#include "basic-block.h"
29#include "gimple.h"
30#include "gimple-iterator.h"
31#include "diagnostic-core.h"
32#include "graphviz.h"
33#include "options.h"
34#include "cgraph.h"
35#include "tree-dfa.h"
36#include "stringpool.h"
37#include "convert.h"
38#include "target.h"
39#include "fold-const.h"
40#include "tree-pretty-print.h"
41#include "diagnostic-color.h"
42#include "diagnostic-metadata.h"
43#include "bitmap.h"
44#include "selftest.h"
45#include "analyzer/analyzer.h"
46#include "analyzer/analyzer-logging.h"
47#include "ordered-hash-map.h"
48#include "options.h"
49#include "cgraph.h"
50#include "cfg.h"
51#include "analyzer/supergraph.h"
52#include "sbitmap.h"
53#include "analyzer/call-string.h"
54#include "analyzer/program-point.h"
55#include "analyzer/store.h"
56#include "analyzer/region-model.h"
57#include "analyzer/constraint-manager.h"
58#include "diagnostic-event-id.h"
59#include "analyzer/sm.h"
60#include "diagnostic-event-id.h"
61#include "analyzer/sm.h"
62#include "analyzer/pending-diagnostic.h"
63#include "analyzer/region-model-reachability.h"
64#include "analyzer/analyzer-selftests.h"
65#include "analyzer/program-state.h"
66#include "analyzer/call-summary.h"
67#include "stor-layout.h"
68#include "attribs.h"
69#include "tree-object-size.h"
70#include "gimple-ssa.h"
71#include "tree-phinodes.h"
72#include "tree-ssa-operands.h"
73#include "ssa-iterators.h"
74#include "calls.h"
75#include "is-a.h"
76#include "gcc-rich-location.h"
77#include "analyzer/checker-event.h"
78#include "analyzer/checker-path.h"
79#include "analyzer/feasible-graph.h"

81#if ENABLE_ANALYZER1

83namespace ana {

85/* Dump T to PP in language-independent form, for debugging/logging/dumping
 purposes.  */

88void
89dump_tree (pretty_printer *pp, tree t)
90{
dump_generic_node (pp, t, 0, TDF_SLIM, 0);
92}

94/* Dump T to PP in language-independent form in quotes, for
 debugging/logging/dumping purposes.  */

97void
98dump_quoted_tree (pretty_printer *pp, tree t)
99{
pp_begin_quote (pp, pp_show_color (pp)(pp)->show_color);
dump_tree (pp, t);
pp_end_quote (pp, pp_show_color (pp)(pp)->show_color);
103}

105/* Equivalent to pp_printf (pp, "%qT", t), to avoid nesting pp_printf
 calls within other pp_printf calls.

 default_tree_printer handles 'T' and some other codes by calling
   dump_generic_node (pp, t, 0, TDF_SLIM, 0);
 dump_generic_node calls pp_printf in various places, leading to
 garbled output.

 Ideally pp_printf could be made to be reentrant, but in the meantime
 this function provides a workaround.  */

116void
117print_quoted_type (pretty_printer *pp, tree t)
118{
pp_begin_quote (pp, pp_show_color (pp)(pp)->show_color);
dump_generic_node (pp, t, 0, TDF_SLIM, 0);
pp_end_quote (pp, pp_show_color (pp)(pp)->show_color);
122}

124/* class region_to_value_map.  */

126/* Assignment operator for region_to_value_map.  */

128region_to_value_map &
129region_to_value_map::operator= (const region_to_value_map &other)
130{
m_hash_map.empty ();
for (auto iter : other.m_hash_map)
  {
    const region *reg = iter.first;
    const svalue *sval = iter.second;
    m_hash_map.put (reg, sval);
  }
return *this;
139}

141/* Equality operator for region_to_value_map.  */

143bool
144region_to_value_map::operator== (const region_to_value_map &other) const
145{
if (m_hash_map.elements () != other.m_hash_map.elements ())
  return false;

for (auto iter : *this)
  {
    const region *reg = iter.first;
    const svalue *sval = iter.second;
    const svalue * const *other_slot = other.get (reg);
    if (other_slot == NULLnullptr)
return false;
    if (sval != *other_slot)
return false;
  }

return true;
161}

163/* Dump this object to PP.  */

165void
166region_to_value_map::dump_to_pp (pretty_printer *pp, bool simple,
		 bool multiline) const
168{
auto_vec<const region *> regs;
for (iterator iter = begin (); iter != end (); ++iter)
  regs.safe_push ((*iter).first);
regs.qsort (region::cmp_ptr_ptr)qsort (region::cmp_ptr_ptr);
if (multiline)
  pp_newline (pp);
else
  pp_string (pp, " {");
unsigned i;
const region *reg;
FOR_EACH_VEC_ELT (regs, i, reg)for (i = 0; (regs).iterate ((i), &(reg)); ++(i))
  {
    if (multiline)
pp_string (pp, "  ");
    else if (i > 0)
pp_string (pp, ", ");
    reg->dump_to_pp (pp, simple);
    pp_string (pp, ": ");
    const svalue *sval = *get (reg);
    sval->dump_to_pp (pp, true);
    if (multiline)
pp_newline (pp);
  }
if (!multiline)
  pp_string (pp, "}");
194}

196/* Dump this object to stderr.  */

198DEBUG_FUNCTION__attribute__ ((__used__)) void
199region_to_value_map::dump (bool simple) const
200{
pretty_printer pp;
pp_format_decoder (&pp)(&pp)->format_decoder = default_tree_printer;
pp_show_color (&pp)(&pp)->show_color = pp_show_color (global_dc->printer)(global_dc->printer)->show_color;
pp.buffer->stream = stderrstderr;
dump_to_pp (&pp, simple, true);
pp_newline (&pp);
pp_flush (&pp);
208}


211/* Attempt to merge THIS with OTHER, writing the result
 to OUT.

 For now, write (region, value) mappings that are in common between THIS
 and OTHER to OUT, effectively taking the intersection.

 Reject merger of different values.  */

219bool
220region_to_value_map::can_merge_with_p (const region_to_value_map &other,
		       region_to_value_map *out) const
222{
for (auto iter : *this)
  {
    const region *iter_reg = iter.first;
    const svalue *iter_sval = iter.second;
    const svalue * const * other_slot = other.get (iter_reg);
    if (other_slot)
{
 if (iter_sval == *other_slot)
   out->put (iter_reg, iter_sval);
 else
   return false;
}
  }
return true;
237}

239/* Purge any state involving SVAL.  */

241void
242region_to_value_map::purge_state_involving (const svalue *sval)
243{
auto_vec<const region *> to_purge;
for (auto iter : *this)
  {
    const region *iter_reg = iter.first;
    const svalue *iter_sval = iter.second;
    if (iter_reg->involves_p (sval) || iter_sval->involves_p (sval))
to_purge.safe_push (iter_reg);
  }
for (auto iter : to_purge)
  m_hash_map.remove (iter);
254}

256/* class region_model.  */

258/* Ctor for region_model: construct an "empty" model.  */

260region_model::region_model (region_model_manager *mgr)
m_mgr (mgr), m_store (), m_current_frame (NULLnullptr),
m_dynamic_extents ()
263{
m_constraints = new constraint_manager (mgr);
265}

267/* region_model's copy ctor.  */

269region_model::region_model (const region_model &other)
m_mgr (other.m_mgr), m_store (other.m_store),
m_constraints (new constraint_manager (*other.m_constraints)),
m_current_frame (other.m_current_frame),
m_dynamic_extents (other.m_dynamic_extents)
274{
275}

277/* region_model's dtor.  */

279region_model::~region_model ()
280{
delete m_constraints;
282}

284/* region_model's assignment operator.  */

286region_model &
1
Assuming other == *this→
287region_model::operator= (const region_model &other)
288{
/* m_mgr is const.  */
gcc_assert (m_mgr == other.m_mgr)((void)(!(m_mgr == other.m_mgr) ? fancy_abort ("/buildworker/marxinbox-gcc-clang-static-analyzer/build/gcc/analyzer/region-model.cc"
, 290, __FUNCTION__), 0 : 0));
2
←
'?' condition is false→

m_store = other.m_store;

delete m_constraints;
3
←
Memory is released→
m_constraints = new constraint_manager (*other.m_constraints);
4
←
Use of memory after it is freed

m_current_frame = other.m_current_frame;

m_dynamic_extents = other.m_dynamic_extents;

return *this;
302}

304/* Equality operator for region_model.

 Amongst other things this directly compares the stores and the constraint
 managers, so for this to be meaningful both this and OTHER should
 have been canonicalized.  */

310bool
311region_model::operator== (const region_model &other) const
312{
/* We can only compare instances that use the same manager.  */
gcc_assert (m_mgr == other.m_mgr)((void)(!(m_mgr == other.m_mgr) ? fancy_abort ("/buildworker/marxinbox-gcc-clang-static-analyzer/build/gcc/analyzer/region-model.cc"
, 314, __FUNCTION__), 0 : 0));

if (m_store != other.m_store)
  return false;

if (*m_constraints != *other.m_constraints)
  return false;

if (m_current_frame != other.m_current_frame)
  return false;

if (m_dynamic_extents != other.m_dynamic_extents)
  return false;

gcc_checking_assert (hash () == other.hash ())((void)(!(hash () == other.hash ()) ? fancy_abort ("/buildworker/marxinbox-gcc-clang-static-analyzer/build/gcc/analyzer/region-model.cc"
, 328, __FUNCTION__), 0 : 0));

return true;
331}

333/* Generate a hash value for this region_model.  */

335hashval_t
336region_model::hash () const
337{
hashval_t result = m_store.hash ();
result ^= m_constraints->hash ();
return result;
341}

343/* Dump a representation of this model to PP, showing the
 stack, the store, and any constraints.
 Use SIMPLE to control how svalues and regions are printed.  */

347void
348region_model::dump_to_pp (pretty_printer *pp, bool simple,
	  bool multiline) const
350{
/* Dump stack.  */
pp_printf (pp, "stack depth: %i", get_stack_depth ());
if (multiline)
  pp_newline (pp);
else
  pp_string (pp, " {");
for (const frame_region *iter_frame = m_current_frame; iter_frame;
     iter_frame = iter_frame->get_calling_frame ())
  {
    if (multiline)
pp_string (pp, "  ");
    else if (iter_frame != m_current_frame)
pp_string (pp, ", ");
    pp_printf (pp, "frame (index %i): ", iter_frame->get_index ());
    iter_frame->dump_to_pp (pp, simple);
    if (multiline)
pp_newline (pp);
  }
if (!multiline)
  pp_string (pp, "}");

/* Dump store.  */
if (!multiline)
  pp_string (pp, ", {");
m_store.dump_to_pp (pp, simple, multiline,
      m_mgr->get_store_manager ());
if (!multiline)
  pp_string (pp, "}");

/* Dump constraints.  */
pp_string (pp, "constraint_manager:");
if (multiline)
  pp_newline (pp);
else
  pp_string (pp, " {");
m_constraints->dump_to_pp (pp, multiline);
if (!multiline)
  pp_string (pp, "}");

/* Dump sizes of dynamic regions, if any are known.  */
if (!m_dynamic_extents.is_empty ())
  {
    pp_string (pp, "dynamic_extents:");
    m_dynamic_extents.dump_to_pp (pp, simple, multiline);
  }
396}

398/* Dump a representation of this model to FILE.  */

400void
401region_model::dump (FILE *fp, bool simple, bool multiline) const
402{
pretty_printer pp;
pp_format_decoder (&pp)(&pp)->format_decoder = default_tree_printer;
pp_show_color (&pp)(&pp)->show_color = pp_show_color (global_dc->printer)(global_dc->printer)->show_color;
pp.buffer->stream = fp;
dump_to_pp (&pp, simple, multiline);
pp_newline (&pp);
pp_flush (&pp);
410}

412/* Dump a multiline representation of this model to stderr.  */

414DEBUG_FUNCTION__attribute__ ((__used__)) void
415region_model::dump (bool simple) const
416{
dump (stderrstderr, simple, true);
418}

420/* Dump a multiline representation of this model to stderr.  */

422DEBUG_FUNCTION__attribute__ ((__used__)) void
423region_model::debug () const
424{
dump (true);
426}

428/* Assert that this object is valid.  */

430void
431region_model::validate () const
432{
m_store.validate ();
434}

436/* Canonicalize the store and constraints, to maximize the chance of
 equality between region_model instances.  */

439void
440region_model::canonicalize ()
441{
m_store.canonicalize (m_mgr->get_store_manager ());
m_constraints->canonicalize ();
444}

446/* Return true if this region_model is in canonical form.  */

448bool
449region_model::canonicalized_p () const
450{
region_model copy (*this);
copy.canonicalize ();
return *this == copy;
454}

456/* See the comment for store::loop_replay_fixup.  */

458void
459region_model::loop_replay_fixup (const region_model *dst_state)
460{
m_store.loop_replay_fixup (dst_state->get_store (), m_mgr);
462}

464/* A subclass of pending_diagnostic for complaining about uses of
 poisoned values.  */

467class poisoned_value_diagnostic
public pending_diagnostic_subclass<poisoned_value_diagnostic>
469{
470public:
poisoned_value_diagnostic (tree expr, enum poison_kind pkind,
	     const region *src_region,
	     tree check_expr)
: m_expr (expr), m_pkind (pkind),
  m_src_region (src_region),
  m_check_expr (check_expr)
{}

const char *get_kind () const final override { return "poisoned_value_diagnostic"; }

bool use_of_uninit_p () const final override
{
  return m_pkind == POISON_KIND_UNINIT;
}

bool operator== (const poisoned_value_diagnostic &other) const
{
  return (m_expr == other.m_expr
   && m_pkind == other.m_pkind
   && m_src_region == other.m_src_region);
}

int get_controlling_option () const final override
{
  switch (m_pkind)
    {
    default:
gcc_unreachable ()(fancy_abort ("/buildworker/marxinbox-gcc-clang-static-analyzer/build/gcc/analyzer/region-model.cc"
, 498, __FUNCTION__));
    case POISON_KIND_UNINIT:
return OPT_Wanalyzer_use_of_uninitialized_value;
    case POISON_KIND_FREED:
return OPT_Wanalyzer_use_after_free;
    case POISON_KIND_POPPED_STACK:
return OPT_Wanalyzer_use_of_pointer_in_stale_stack_frame;
    }
}

bool terminate_path_p () const final override { return true; }

bool emit (rich_location *rich_loc) final override
{
  switch (m_pkind)
    {
    default:
gcc_unreachable ()(fancy_abort ("/buildworker/marxinbox-gcc-clang-static-analyzer/build/gcc/analyzer/region-model.cc"
, 515, __FUNCTION__));
    case POISON_KIND_UNINIT:
{
 diagnostic_metadata m;
 m.add_cwe (457); /* "CWE-457: Use of Uninitialized Variable".  */
 return warning_meta (rich_loc, m, get_controlling_option (),
	       "use of uninitialized value %qE",
	       m_expr);
}
break;
    case POISON_KIND_FREED:
{
 diagnostic_metadata m;
 m.add_cwe (416); /* "CWE-416: Use After Free".  */
 return warning_meta (rich_loc, m, get_controlling_option (),
	       "use after %<free%> of %qE",
	       m_expr);
}
break;
    case POISON_KIND_POPPED_STACK:
{
 /* TODO: which CWE?  */
 return warning_at
   (rich_loc, get_controlling_option (),
    "dereferencing pointer %qE to within stale stack frame",
    m_expr);
}
break;
    }
}

label_text describe_final_event (const evdesc::final_event &ev) final override
{
  switch (m_pkind)
    {
    default:
gcc_unreachable ()(fancy_abort ("/buildworker/marxinbox-gcc-clang-static-analyzer/build/gcc/analyzer/region-model.cc"
, 551, __FUNCTION__));
    case POISON_KIND_UNINIT:
return ev.formatted_print ("use of uninitialized value %qE here",
		   m_expr);
    case POISON_KIND_FREED:
return ev.formatted_print ("use after %<free%> of %qE here",
		   m_expr);
    case POISON_KIND_POPPED_STACK:
return ev.formatted_print
 ("dereferencing pointer %qE to within stale stack frame",
  m_expr);
    }
}

void mark_interesting_stuff (interesting_t *interest) final override
{
  if (m_src_region)
    interest->add_region_creation (m_src_region);
}

/* Attempt to suppress false positives.
   Reject paths where the value of the underlying region isn't poisoned.
   This can happen due to state merging when exploring the exploded graph,
   where the more precise analysis during feasibility analysis finds that
   the region is in fact valid.
   To do this we need to get the value from the fgraph.  Unfortunately
   we can't simply query the state of m_src_region (from the enode),
   since it might be a different region in the fnode state (e.g. with
   heap-allocated regions, the numbering could be different).
   Hence we access m_check_expr, if available.  */

bool check_valid_fpath_p (const feasible_node &fnode,
	    const gimple *emission_stmt)
  const final override
{
  if (!m_check_expr)
    return true;

  /* We've reached the enode, but not necessarily the right function_point.
     Try to get the state at the correct stmt.  */
  region_model emission_model (fnode.get_model ().get_manager());
  if (!fnode.get_state_at_stmt (emission_stmt, &emission_model))
    /* Couldn't get state; accept this diagnostic.  */
    return true;

  const svalue *fsval = emission_model.get_rvalue (m_check_expr, NULLnullptr);
  /* Check to see if the expr is also poisoned in FNODE (and in the
     same way).  */
  const poisoned_svalue * fspval = fsval->dyn_cast_poisoned_svalue ();
  if (!fspval)
    return false;
  if (fspval->get_poison_kind () != m_pkind)
    return false;
  return true;
}

607private:
tree m_expr;
enum poison_kind m_pkind;
const region *m_src_region;
tree m_check_expr;
612};

614/* A subclass of pending_diagnostic for complaining about shifts
 by negative counts.  */

617class shift_count_negative_diagnostic
public pending_diagnostic_subclass<shift_count_negative_diagnostic>
619{
620public:
shift_count_negative_diagnostic (const gassign *assign, tree count_cst)
: m_assign (assign), m_count_cst (count_cst)
{}

const char *get_kind () const final override
{
  return "shift_count_negative_diagnostic";
}

bool operator== (const shift_count_negative_diagnostic &other) const
{
  return (m_assign == other.m_assign
   && same_tree_p (m_count_cst, other.m_count_cst));
}

int get_controlling_option () const final override
{
  return OPT_Wanalyzer_shift_count_negative;
}

bool emit (rich_location *rich_loc) final override
{
  return warning_at (rich_loc, get_controlling_option (),
       "shift by negative count (%qE)", m_count_cst);
}

label_text describe_final_event (const evdesc::final_event &ev) final override
{
  return ev.formatted_print ("shift by negative amount here (%qE)", m_count_cst);
}

652private:
const gassign *m_assign;
tree m_count_cst;
655};

657/* A subclass of pending_diagnostic for complaining about shifts
 by counts >= the width of the operand type.  */

660class shift_count_overflow_diagnostic
public pending_diagnostic_subclass<shift_count_overflow_diagnostic>
662{
663public:
shift_count_overflow_diagnostic (const gassign *assign,
		   int operand_precision,
		   tree count_cst)
: m_assign (assign), m_operand_precision (operand_precision),
  m_count_cst (count_cst)
{}

const char *get_kind () const final override
{
  return "shift_count_overflow_diagnostic";
}

bool operator== (const shift_count_overflow_diagnostic &other) const
{
  return (m_assign == other.m_assign
   && m_operand_precision == other.m_operand_precision
   && same_tree_p (m_count_cst, other.m_count_cst));
}

int get_controlling_option () const final override
{
  return OPT_Wanalyzer_shift_count_overflow;
}

bool emit (rich_location *rich_loc) final override
{
  return warning_at (rich_loc, get_controlling_option (),
       "shift by count (%qE) >= precision of type (%qi)",
       m_count_cst, m_operand_precision);
}

label_text describe_final_event (const evdesc::final_event &ev) final override
{
  return ev.formatted_print ("shift by count %qE here", m_count_cst);
}

700private:
const gassign *m_assign;
int m_operand_precision;
tree m_count_cst;
704};

706/* If ASSIGN is a stmt that can be modelled via
   set_value (lhs_reg, SVALUE, CTXT)
 for some SVALUE, get the SVALUE.
 Otherwise return NULL.  */

711const svalue *
712region_model::get_gassign_result (const gassign *assign,
		   region_model_context *ctxt)
714{
tree lhs = gimple_assign_lhs (assign);
tree rhs1 = gimple_assign_rhs1 (assign);
enum tree_code op = gimple_assign_rhs_code (assign);
switch (op)
  {
  default:
    return NULLnullptr;

  case POINTER_PLUS_EXPR:
    {
/* e.g. "_1 = a_10(D) + 12;" */
tree ptr = rhs1;
tree offset = gimple_assign_rhs2 (assign);

const svalue *ptr_sval = get_rvalue (ptr, ctxt);
const svalue *offset_sval = get_rvalue (offset, ctxt);
/* Quoting tree.def, "the second operand [of a POINTER_PLUS_EXPR]
  is an integer of type sizetype".  */
offset_sval = m_mgr->get_or_create_cast (size_type_nodeglobal_trees[TI_SIZE_TYPE], offset_sval);

const svalue *sval_binop
 = m_mgr->get_or_create_binop (TREE_TYPE (lhs)((contains_struct_check ((lhs), (TS_TYPED), "/buildworker/marxinbox-gcc-clang-static-analyzer/build/gcc/analyzer/region-model.cc"
, 736, __FUNCTION__))->typed.type), op,
			ptr_sval, offset_sval);
return sval_binop;
    }
    break;

  case POINTER_DIFF_EXPR:
    {
/* e.g. "_1 = p_2(D) - q_3(D);".  */
tree rhs2 = gimple_assign_rhs2 (assign);
const svalue *rhs1_sval = get_rvalue (rhs1, ctxt);
const svalue *rhs2_sval = get_rvalue (rhs2, ctxt);

// TODO: perhaps fold to zero if they're known to be equal?

const svalue *sval_binop
 = m_mgr->get_or_create_binop (TREE_TYPE (lhs)((contains_struct_check ((lhs), (TS_TYPED), "/buildworker/marxinbox-gcc-clang-static-analyzer/build/gcc/analyzer/region-model.cc"
, 752, __FUNCTION__))->typed.type), op,
			rhs1_sval, rhs2_sval);
return sval_binop;
    }
    break;

  /* Assignments of the form
set_value (lvalue (LHS), rvalue (EXPR))
     for various EXPR.
     We already have the lvalue for the LHS above, as "lhs_reg".  */
  case ADDR_EXPR: /* LHS = &RHS;  */
  case BIT_FIELD_REF:
  case COMPONENT_REF: /* LHS = op0.op1;  */
  case MEM_REF:
  case REAL_CST:
  case COMPLEX_CST:
  case VECTOR_CST:
  case INTEGER_CST:
  case ARRAY_REF:
  case SSA_NAME: /* LHS = VAR; */
  case VAR_DECL: /* LHS = VAR; */
  case PARM_DECL:/* LHS = VAR; */
  case REALPART_EXPR:
  case IMAGPART_EXPR:
    return get_rvalue (rhs1, ctxt);

  case ABS_EXPR:
  case ABSU_EXPR:
  case CONJ_EXPR:
  case BIT_NOT_EXPR:
  case FIX_TRUNC_EXPR:
  case FLOAT_EXPR:
  case NEGATE_EXPR:
  case NOP_EXPR:
  case VIEW_CONVERT_EXPR:
    {
/* Unary ops.  */
const svalue *rhs_sval = get_rvalue (rhs1, ctxt);
const svalue *sval_unaryop
 = m_mgr->get_or_create_unaryop (TREE_TYPE (lhs)((contains_struct_check ((lhs), (TS_TYPED), "/buildworker/marxinbox-gcc-clang-static-analyzer/build/gcc/analyzer/region-model.cc"
, 791, __FUNCTION__))->typed.type), op, rhs_sval);
return sval_unaryop;
    }

  case EQ_EXPR:
  case GE_EXPR:
  case LE_EXPR:
  case NE_EXPR:
  case GT_EXPR:
  case LT_EXPR:
  case UNORDERED_EXPR:
  case ORDERED_EXPR:
    {
tree rhs2 = gimple_assign_rhs2 (assign);

const svalue *rhs1_sval = get_rvalue (rhs1, ctxt);
const svalue *rhs2_sval = get_rvalue (rhs2, ctxt);

if (TREE_TYPE (lhs)((contains_struct_check ((lhs), (TS_TYPED), "/buildworker/marxinbox-gcc-clang-static-analyzer/build/gcc/analyzer/region-model.cc"
, 809, __FUNCTION__))->typed.type) == boolean_type_nodeglobal_trees[TI_BOOLEAN_TYPE])
 {
   /* Consider constraints between svalues.  */
   tristate t = eval_condition (rhs1_sval, op, rhs2_sval);
   if (t.is_known ())
     return m_mgr->get_or_create_constant_svalue
(t.is_true () ? boolean_true_nodeglobal_trees[TI_BOOLEAN_TRUE] : boolean_false_nodeglobal_trees[TI_BOOLEAN_FALSE]);
 }

/* Otherwise, generate a symbolic binary op.  */
const svalue *sval_binop
 = m_mgr->get_or_create_binop (TREE_TYPE (lhs)((contains_struct_check ((lhs), (TS_TYPED), "/buildworker/marxinbox-gcc-clang-static-analyzer/build/gcc/analyzer/region-model.cc"
, 820, __FUNCTION__))->typed.type), op,
			rhs1_sval, rhs2_sval);
return sval_binop;
    }
    break;

  case PLUS_EXPR:
  case MINUS_EXPR:
  case MULT_EXPR:
  case MULT_HIGHPART_EXPR:
  case TRUNC_DIV_EXPR:
  case CEIL_DIV_EXPR:
  case FLOOR_DIV_EXPR:
  case ROUND_DIV_EXPR:
  case TRUNC_MOD_EXPR:
  case CEIL_MOD_EXPR:
  case FLOOR_MOD_EXPR:
  case ROUND_MOD_EXPR:
  case RDIV_EXPR:
  case EXACT_DIV_EXPR:
  case LSHIFT_EXPR:
  case RSHIFT_EXPR:
  case LROTATE_EXPR:
  case RROTATE_EXPR:
  case BIT_IOR_EXPR:
  case BIT_XOR_EXPR:
  case BIT_AND_EXPR:
  case MIN_EXPR:
  case MAX_EXPR:
  case COMPLEX_EXPR:
    {
/* Binary ops.  */
tree rhs2 = gimple_assign_rhs2 (assign);

const svalue *rhs1_sval = get_rvalue (rhs1, ctxt);
const svalue *rhs2_sval = get_rvalue (rhs2, ctxt);

if (ctxt && (op == LSHIFT_EXPR || op == RSHIFT_EXPR))
 {
   /* "INT34-C. Do not shift an expression by a negative number of bits
      or by greater than or equal to the number of bits that exist in
      the operand."  */
   if (const tree rhs2_cst = rhs2_sval->maybe_get_constant ())
     if (TREE_CODE (rhs2_cst)((enum tree_code) (rhs2_cst)->base.code) == INTEGER_CST)
{
  if (tree_int_cst_sgn (rhs2_cst) < 0)
    ctxt->warn
      (make_unique<shift_count_negative_diagnostic>
	 (assign, rhs2_cst));
  else if (compare_tree_int (rhs2_cst,
			     TYPE_PRECISION (TREE_TYPE (rhs1))((tree_class_check ((((contains_struct_check ((rhs1), (TS_TYPED
), "/buildworker/marxinbox-gcc-clang-static-analyzer/build/gcc/analyzer/region-model.cc"
, 870, __FUNCTION__))->typed.type)), (tcc_type), "/buildworker/marxinbox-gcc-clang-static-analyzer/build/gcc/analyzer/region-model.cc"
, 870, __FUNCTION__))->type_common.precision))
	   >= 0)
    ctxt->warn
      (make_unique<shift_count_overflow_diagnostic>
	 (assign,
	  int (TYPE_PRECISION (TREE_TYPE (rhs1))((tree_class_check ((((contains_struct_check ((rhs1), (TS_TYPED
), "/buildworker/marxinbox-gcc-clang-static-analyzer/build/gcc/analyzer/region-model.cc"
, 875, __FUNCTION__))->typed.type)), (tcc_type), "/buildworker/marxinbox-gcc-clang-static-analyzer/build/gcc/analyzer/region-model.cc"
, 875, __FUNCTION__))->type_common.precision)),
	  rhs2_cst));
}
 }

const svalue *sval_binop
 = m_mgr->get_or_create_binop (TREE_TYPE (lhs)((contains_struct_check ((lhs), (TS_TYPED), "/buildworker/marxinbox-gcc-clang-static-analyzer/build/gcc/analyzer/region-model.cc"
, 881, __FUNCTION__))->typed.type), op,
			rhs1_sval, rhs2_sval);
return sval_binop;
    }

  /* Vector expressions.  In theory we could implement these elementwise,
     but for now, simply return unknown values.  */
  case VEC_DUPLICATE_EXPR:
  case VEC_SERIES_EXPR:
  case VEC_COND_EXPR:
  case VEC_PERM_EXPR:
  case VEC_WIDEN_MULT_HI_EXPR:
  case VEC_WIDEN_MULT_LO_EXPR:
  case VEC_WIDEN_MULT_EVEN_EXPR:
  case VEC_WIDEN_MULT_ODD_EXPR:
  case VEC_UNPACK_HI_EXPR:
  case VEC_UNPACK_LO_EXPR:
  case VEC_UNPACK_FLOAT_HI_EXPR:
  case VEC_UNPACK_FLOAT_LO_EXPR:
  case VEC_UNPACK_FIX_TRUNC_HI_EXPR:
  case VEC_UNPACK_FIX_TRUNC_LO_EXPR:
  case VEC_PACK_TRUNC_EXPR:
  case VEC_PACK_SAT_EXPR:
  case VEC_PACK_FIX_TRUNC_EXPR:
  case VEC_PACK_FLOAT_EXPR:
  case VEC_WIDEN_LSHIFT_HI_EXPR:
  case VEC_WIDEN_LSHIFT_LO_EXPR:
    return m_mgr->get_or_create_unknown_svalue (TREE_TYPE (lhs)((contains_struct_check ((lhs), (TS_TYPED), "/buildworker/marxinbox-gcc-clang-static-analyzer/build/gcc/analyzer/region-model.cc"
, 908, __FUNCTION__))->typed.type));
  }
910}

912/* Workaround for discarding certain false positives from
 -Wanalyzer-use-of-uninitialized-value
 of the form:
   ((A OR-IF B) OR-IF C)
 and:
   ((A AND-IF B) AND-IF C)
 where evaluating B is redundant, but could involve simple accesses of
 uninitialized locals.

 When optimization is turned on the FE can immediately fold compound
 conditionals.  Specifically, c_parser_condition parses this condition:
   ((A OR-IF B) OR-IF C)
 and calls c_fully_fold on the condition.
 Within c_fully_fold, fold_truth_andor is called, which bails when
 optimization is off, but if any optimization is turned on can convert the
   ((A OR-IF B) OR-IF C)
 into:
   ((A OR B) OR_IF C)
 for sufficiently simple B
 i.e. the inner OR-IF becomes an OR.
 At gimplification time the inner OR becomes BIT_IOR_EXPR (in gimplify_expr),
 giving this for the inner condition:
    tmp = A | B;
    if (tmp)
 thus effectively synthesizing a redundant access of B when optimization
 is turned on, when compared to:
    if (A) goto L1; else goto L4;
L1: if (B) goto L2; else goto L4;
L2: if (C) goto L3; else goto L4;
 for the unoptimized case.

 Return true if CTXT appears to be  handling such a short-circuitable stmt,
 such as the def-stmt for B for the:
    tmp = A | B;
 case above, for the case where A is true and thus B would have been
 short-circuited without optimization, using MODEL for the value of A.  */

949static bool
950within_short_circuited_stmt_p (const region_model *model,
	       const gassign *assign_stmt)
952{
/* We must have an assignment to a temporary of _Bool type.  */
tree lhs = gimple_assign_lhs (assign_stmt);
if (TREE_TYPE (lhs)((contains_struct_check ((lhs), (TS_TYPED), "/buildworker/marxinbox-gcc-clang-static-analyzer/build/gcc/analyzer/region-model.cc"
, 955, __FUNCTION__))->typed.type) != boolean_type_nodeglobal_trees[TI_BOOLEAN_TYPE])
  return false;
if (TREE_CODE (lhs)((enum tree_code) (lhs)->base.code) != SSA_NAME)
  return false;
if (SSA_NAME_VAR (lhs)((tree_check ((lhs), "/buildworker/marxinbox-gcc-clang-static-analyzer/build/gcc/analyzer/region-model.cc"
, 959, __FUNCTION__, (SSA_NAME)))->ssa_name.var == (tree) nullptr
 || ((enum tree_code) ((lhs)->ssa_name.var)->base.code)
 == IDENTIFIER_NODE ? (tree) nullptr : (lhs)->ssa_name.var
) != NULL_TREE(tree) nullptr)
  return false;

/* The temporary bool must be used exactly once: as the second arg of
   a BIT_IOR_EXPR or BIT_AND_EXPR.  */
use_operand_p use_op;
gimple *use_stmt;
if (!single_imm_use (lhs, &use_op, &use_stmt))
  return false;
const gassign *use_assign = dyn_cast <const gassign *> (use_stmt);
if (!use_assign)
  return false;
enum tree_code op = gimple_assign_rhs_code (use_assign);
if (!(op == BIT_IOR_EXPR ||op == BIT_AND_EXPR))
  return false;
if (!(gimple_assign_rhs1 (use_assign) != lhs
&& gimple_assign_rhs2 (use_assign) == lhs))
  return false;

/* The first arg of the bitwise stmt must have a known value in MODEL
   that implies that the value of the second arg doesn't matter, i.e.
   1 for bitwise or, 0 for bitwise and.  */
tree other_arg = gimple_assign_rhs1 (use_assign);
/* Use a NULL ctxt here to avoid generating warnings.  */
const svalue *other_arg_sval = model->get_rvalue (other_arg, NULLnullptr);
tree other_arg_cst = other_arg_sval->maybe_get_constant ();
if (!other_arg_cst)
  return false;
switch (op)
  {
  default:
    gcc_unreachable ()(fancy_abort ("/buildworker/marxinbox-gcc-clang-static-analyzer/build/gcc/analyzer/region-model.cc"
, 990, __FUNCTION__));
  case BIT_IOR_EXPR:
    if (zerop (other_arg_cst))
return false;
    break;
  case BIT_AND_EXPR:
    if (!zerop (other_arg_cst))
return false;
    break;
  }

/* All tests passed.  We appear to be in a stmt that generates a boolean
   temporary with a value that won't matter.  */
return true;
1004}

1006/* Workaround for discarding certain false positives from
 -Wanalyzer-use-of-uninitialized-value
 seen with -ftrivial-auto-var-init=.

 -ftrivial-auto-var-init= will generate calls to IFN_DEFERRED_INIT.

 If the address of the var is taken, gimplification will give us
 something like:

   _1 = .DEFERRED_INIT (4, 2, &"len"[0]);
   len = _1;

 The result of DEFERRED_INIT will be an uninit value; we don't
 want to emit a false positive for "len = _1;"

 Return true if ASSIGN_STMT is such a stmt.  */

1023static bool
1024due_to_ifn_deferred_init_p (const gassign *assign_stmt)

1026{
/* We must have an assignment to a decl from an SSA name that's the
   result of a IFN_DEFERRED_INIT call.  */
if (gimple_assign_rhs_code (assign_stmt) != SSA_NAME)
  return false;
tree lhs = gimple_assign_lhs (assign_stmt);
if (TREE_CODE (lhs)((enum tree_code) (lhs)->base.code) != VAR_DECL)
  return false;
tree rhs = gimple_assign_rhs1 (assign_stmt);
if (TREE_CODE (rhs)((enum tree_code) (rhs)->base.code) != SSA_NAME)
  return false;
const gimple *def_stmt = SSA_NAME_DEF_STMT (rhs)(tree_check ((rhs), "/buildworker/marxinbox-gcc-clang-static-analyzer/build/gcc/analyzer/region-model.cc"
, 1037, __FUNCTION__, (SSA_NAME)))->ssa_name.def_stmt;
const gcall *call = dyn_cast <const gcall *> (def_stmt);
if (!call)
  return false;
if (gimple_call_internal_p (call)
    && gimple_call_internal_fn (call) == IFN_DEFERRED_INIT)
  return true;
return false;
1045}

1047/* Check for SVAL being poisoned, adding a warning to CTXT.
 Return SVAL, or, if a warning is added, another value, to avoid
 repeatedly complaining about the same poisoned value in followup code.
 SRC_REGION is a hint about where SVAL came from, and can be NULL.  */

1052const svalue *
1053region_model::check_for_poison (const svalue *sval,
		tree expr,
		const region *src_region,
		region_model_context *ctxt) const
1057{
if (!ctxt)
  return sval;

if (const poisoned_svalue *poisoned_sval = sval->dyn_cast_poisoned_svalue ())
  {
    enum poison_kind pkind = poisoned_sval->get_poison_kind ();

    /* Ignore uninitialized uses of empty types; there's nothing
to initialize.  */
    if (pkind == POISON_KIND_UNINIT
 && sval->get_type ()
 && is_empty_type (sval->get_type ()))
return sval;

    if (pkind == POISON_KIND_UNINIT)
if (const gimple *curr_stmt = ctxt->get_stmt ())
 if (const gassign *assign_stmt
= dyn_cast <const gassign *> (curr_stmt))
   {
     /* Special case to avoid certain false positives.  */
     if (within_short_circuited_stmt_p (this, assign_stmt))
return sval;

     /* Special case to avoid false positive on
 -ftrivial-auto-var-init=.  */
     if (due_to_ifn_deferred_init_p (assign_stmt))
return sval;
 }

    /* If we have an SSA name for a temporary, we don't want to print
'<unknown>'.
Poisoned values are shared by type, and so we can't reconstruct
the tree other than via the def stmts, using
fixup_tree_for_diagnostic.  */
    tree diag_arg = fixup_tree_for_diagnostic (expr);
    if (src_region == NULLnullptr && pkind == POISON_KIND_UNINIT)
src_region = get_region_for_poisoned_expr (expr);

    /* Can we reliably get the poisoned value from "expr"?
This is for use by poisoned_value_diagnostic::check_valid_fpath_p.
Unfortunately, we might not have a reliable value for EXPR.
Hence we only query its value now, and only use it if we get the
poisoned value back again.  */
    tree check_expr = expr;
    const svalue *foo_sval = get_rvalue (expr, NULLnullptr);
    if (foo_sval == sval)
check_expr = expr;
    else
check_expr = NULLnullptr;
    if (ctxt->warn (make_unique<poisoned_value_diagnostic> (diag_arg,
					      pkind,
					      src_region,
					      check_expr)))
{
 /* We only want to report use of a poisoned value at the first
    place it gets used; return an unknown value to avoid generating
    a chain of followup warnings.  */
 sval = m_mgr->get_or_create_unknown_svalue (sval->get_type ());
}

    return sval;
  }

return sval;
1122}

1124/* Attempt to get a region for describing EXPR, the source of region of
 a poisoned_svalue for use in a poisoned_value_diagnostic.
 Return NULL if there is no good region to use.  */

1128const region *
1129region_model::get_region_for_poisoned_expr (tree expr) const
1130{
if (TREE_CODE (expr)((enum tree_code) (expr)->base.code) == SSA_NAME)
  {
    tree decl = SSA_NAME_VAR (expr)((tree_check ((expr), "/buildworker/marxinbox-gcc-clang-static-analyzer/build/gcc/analyzer/region-model.cc"
, 1133, __FUNCTION__, (SSA_NAME)))->ssa_name.var == (tree)
 nullptr || ((enum tree_code) ((expr)->ssa_name.var)->base
.code) == IDENTIFIER_NODE ? (tree) nullptr : (expr)->ssa_name
.var);
    if (decl && DECL_P (decl)(tree_code_type_tmpl <0>::tree_code_type[(int) (((enum tree_code
) (decl)->base.code))] == tcc_declaration))
expr = decl;
    else
return NULLnullptr;
  }
return get_lvalue (expr, NULLnullptr);
1140}

1142/* Update this model for the ASSIGN stmt, using CTXT to report any
 diagnostics.  */

1145void
1146region_model::on_assignment (const gassign *assign, region_model_context *ctxt)
1147{
tree lhs = gimple_assign_lhs (assign);
tree rhs1 = gimple_assign_rhs1 (assign);

const region *lhs_reg = get_lvalue (lhs, ctxt);

/* Most assignments are handled by:
     set_value (lhs_reg, SVALUE, CTXT)
   for some SVALUE.  */
if (const svalue *sval = get_gassign_result (assign, ctxt))
  {
    tree expr = get_diagnostic_tree_for_gassign (assign);
    check_for_poison (sval, expr, NULLnullptr, ctxt);
    set_value (lhs_reg, sval, ctxt);
    return;
  }

enum tree_code op = gimple_assign_rhs_code (assign);
switch (op)
  {
  default:
    {
if (0)
 sorry_at (assign->location, "unhandled assignment op: %qs",
    get_tree_code_name (op));
const svalue *unknown_sval
 = m_mgr->get_or_create_unknown_svalue (TREE_TYPE (lhs)((contains_struct_check ((lhs), (TS_TYPED), "/buildworker/marxinbox-gcc-clang-static-analyzer/build/gcc/analyzer/region-model.cc"
, 1173, __FUNCTION__))->typed.type));
set_value (lhs_reg, unknown_sval, ctxt);
    }
    break;

  case CONSTRUCTOR:
    {
if (TREE_CLOBBER_P (rhs1)(((enum tree_code) (rhs1)->base.code) == CONSTRUCTOR &&
 ((rhs1)->base.volatile_flag)))
 {
   /* e.g. "x ={v} {CLOBBER};"  */
   clobber_region (lhs_reg);
 }
else
 {
   /* Any CONSTRUCTOR that survives to this point is either
      just a zero-init of everything, or a vector.  */
   if (!CONSTRUCTOR_NO_CLEARING (rhs1)((tree_check ((rhs1), "/buildworker/marxinbox-gcc-clang-static-analyzer/build/gcc/analyzer/region-model.cc"
, 1189, __FUNCTION__, (CONSTRUCTOR)))->base.public_flag))
     zero_fill_region (lhs_reg);
   unsigned ix;
   tree index;
   tree val;
   FOR_EACH_CONSTRUCTOR_ELT (CONSTRUCTOR_ELTS (rhs1), ix, index, val)for (ix = 0; (ix >= vec_safe_length (((tree_check ((rhs1),
 "/buildworker/marxinbox-gcc-clang-static-analyzer/build/gcc/analyzer/region-model.cc"
, 1194, __FUNCTION__, (CONSTRUCTOR)))->constructor.elts)))
 ? false : (((void) (val = (*((tree_check ((rhs1), "/buildworker/marxinbox-gcc-clang-static-analyzer/build/gcc/analyzer/region-model.cc"
, 1194, __FUNCTION__, (CONSTRUCTOR)))->constructor.elts))[
ix].value)), (index = (*((tree_check ((rhs1), "/buildworker/marxinbox-gcc-clang-static-analyzer/build/gcc/analyzer/region-model.cc"
, 1194, __FUNCTION__, (CONSTRUCTOR)))->constructor.elts))[
ix].index), true); (ix)++)
     {
gcc_assert (TREE_CODE (TREE_TYPE (rhs1)) == VECTOR_TYPE)((void)(!(((enum tree_code) (((contains_struct_check ((rhs1),
 (TS_TYPED), "/buildworker/marxinbox-gcc-clang-static-analyzer/build/gcc/analyzer/region-model.cc"
, 1196, __FUNCTION__))->typed.type))->base.code) == VECTOR_TYPE
) ? fancy_abort ("/buildworker/marxinbox-gcc-clang-static-analyzer/build/gcc/analyzer/region-model.cc"
, 1196, __FUNCTION__), 0 : 0));
if (!index)
  index = build_int_cst (integer_type_nodeinteger_types[itk_int], ix);
gcc_assert (TREE_CODE (index) == INTEGER_CST)((void)(!(((enum tree_code) (index)->base.code) == INTEGER_CST
) ? fancy_abort ("/buildworker/marxinbox-gcc-clang-static-analyzer/build/gcc/analyzer/region-model.cc"
, 1199, __FUNCTION__), 0 : 0));
const svalue *index_sval
  = m_mgr->get_or_create_constant_svalue (index);
gcc_assert (index_sval)((void)(!(index_sval) ? fancy_abort ("/buildworker/marxinbox-gcc-clang-static-analyzer/build/gcc/analyzer/region-model.cc"
, 1202, __FUNCTION__), 0 : 0));
const region *sub_reg
  = m_mgr->get_element_region (lhs_reg,
			       TREE_TYPE (val)((contains_struct_check ((val), (TS_TYPED), "/buildworker/marxinbox-gcc-clang-static-analyzer/build/gcc/analyzer/region-model.cc"
, 1205, __FUNCTION__))->typed.type),
			       index_sval);
const svalue *val_sval = get_rvalue (val, ctxt);
set_value (sub_reg, val_sval, ctxt);
     }
 }
    }
    break;

  case STRING_CST:
    {
/* e.g. "struct s2 x = {{'A', 'B', 'C', 'D'}};".  */
const svalue *rhs_sval = get_rvalue (rhs1, ctxt);
m_store.set_value (m_mgr->get_store_manager(), lhs_reg, rhs_sval,
	   ctxt ? ctxt->get_uncertainty () : NULLnullptr);
    }
    break;
  }
1223}

1225/* Handle the pre-sm-state part of STMT, modifying this object in-place.
 Write true to *OUT_UNKNOWN_SIDE_EFFECTS if the stmt has unknown
 side effects.  */

1229void
1230region_model::on_stmt_pre (const gimple *stmt,
	   bool *out_unknown_side_effects,
	   region_model_context *ctxt)
1233{
switch (gimple_code (stmt))
  {
  default:
    /* No-op for now.  */
    break;

  case GIMPLE_ASSIGN:
    {
const gassign *assign = as_a <const gassign *> (stmt);
on_assignment (assign, ctxt);
    }
    break;

  case GIMPLE_ASM:
    {
const gasm *asm_stmt = as_a <const gasm *> (stmt);
on_asm_stmt (asm_stmt, ctxt);
    }
    break;

  case GIMPLE_CALL:
    {
/* Track whether we have a gcall to a function that's not recognized by
  anything, for which we don't have a function body, or for which we
  don't know the fndecl.  */
const gcall *call = as_a <const gcall *> (stmt);
*out_unknown_side_effects = on_call_pre (call, ctxt);
    }
    break;

  case GIMPLE_RETURN:
    {
const greturn *return_ = as_a <const greturn *> (stmt);
on_return (return_, ctxt);
    }
    break;
  }
1271}

1273/* Ensure that all arguments at the call described by CD are checked
 for poisoned values, by calling get_rvalue on each argument.  */

1276void
1277region_model::check_call_args (const call_details &cd) const
1278{
for (unsigned arg_idx = 0; arg_idx < cd.num_args (); arg_idx++)
  cd.get_arg_svalue (arg_idx);
1281}

1283/* Return true if CD is known to be a call to a function with
 __attribute__((const)).  */

1286static bool
1287const_fn_p (const call_details &cd)
1288{
tree fndecl = cd.get_fndecl_for_call ();
if (!fndecl)
  return false;
gcc_assert (DECL_P (fndecl))((void)(!((tree_code_type_tmpl <0>::tree_code_type[(int
) (((enum tree_code) (fndecl)->base.code))] == tcc_declaration
)) ? fancy_abort ("/buildworker/marxinbox-gcc-clang-static-analyzer/build/gcc/analyzer/region-model.cc"
, 1292, __FUNCTION__), 0 : 0));
return TREE_READONLY (fndecl)((non_type_check ((fndecl), "/buildworker/marxinbox-gcc-clang-static-analyzer/build/gcc/analyzer/region-model.cc"
, 1293, __FUNCTION__))->base.readonly_flag);
1294}

1296/* If this CD is known to be a call to a function with
 __attribute__((const)), attempt to get a const_fn_result_svalue
 based on the arguments, or return NULL otherwise.  */

1300static const svalue *
1301maybe_get_const_fn_result (const call_details &cd)
1302{
if (!const_fn_p (cd))
  return NULLnullptr;

unsigned num_args = cd.num_args ();
if (num_args > const_fn_result_svalue::MAX_INPUTS)
  /* Too many arguments.  */
  return NULLnullptr;

auto_vec<const svalue *> inputs (num_args);
for (unsigned arg_idx = 0; arg_idx < num_args; arg_idx++)
  {
    const svalue *arg_sval = cd.get_arg_svalue (arg_idx);
    if (!arg_sval->can_have_associated_state_p ())
return NULLnullptr;
    inputs.quick_push (arg_sval);
  }

region_model_manager *mgr = cd.get_manager ();
const svalue *sval
  = mgr->get_or_create_const_fn_result_svalue (cd.get_lhs_type (),
				 cd.get_fndecl_for_call (),
				 inputs);
return sval;
1326}

1328/* Update this model for an outcome of a call that returns a specific
 integer constant.
 If UNMERGEABLE, then make the result unmergeable, e.g. to prevent
 the state-merger code from merging success and failure outcomes.  */

1333void
1334region_model::update_for_int_cst_return (const call_details &cd,
			 int retval,
			 bool unmergeable)
1337{
if (!cd.get_lhs_type ())
  return;
if (TREE_CODE (cd.get_lhs_type ())((enum tree_code) (cd.get_lhs_type ())->base.code) != INTEGER_TYPE)
  return;
const svalue *result
  = m_mgr->get_or_create_int_cst (cd.get_lhs_type (), retval);
if (unmergeable)
  result = m_mgr->get_or_create_unmergeable (result);
set_value (cd.get_lhs_region (), result, cd.get_ctxt ());
1347}

1349/* Update this model for an outcome of a call that returns zero.
 If UNMERGEABLE, then make the result unmergeable, e.g. to prevent
 the state-merger code from merging success and failure outcomes.  */

1353void
1354region_model::update_for_zero_return (const call_details &cd,
		      bool unmergeable)
1356{
update_for_int_cst_return (cd, 0, unmergeable);
1358}

1360/* Update this model for an outcome of a call that returns non-zero.  */

1362void
1363region_model::update_for_nonzero_return (const call_details &cd)
1364{
if (!cd.get_lhs_type ())
  return;
if (TREE_CODE (cd.get_lhs_type ())((enum tree_code) (cd.get_lhs_type ())->base.code) != INTEGER_TYPE)
  return;
const svalue *zero
  = m_mgr->get_or_create_int_cst (cd.get_lhs_type (), 0);
const svalue *result
  = get_store_value (cd.get_lhs_region (), cd.get_ctxt ());
add_constraint (result, NE_EXPR, zero, cd.get_ctxt ());
1374}

1376/* Subroutine of region_model::maybe_get_copy_bounds.
 The Linux kernel commonly uses
   min_t([unsigned] long, VAR, sizeof(T));
 to set an upper bound on the size of a copy_to_user.
 Attempt to simplify such sizes by trying to get the upper bound as a
 constant.
 Return the simplified svalue if possible, or NULL otherwise.  */

1384static const svalue *
1385maybe_simplify_upper_bound (const svalue *num_bytes_sval,
	    region_model_manager *mgr)
1387{
tree type = num_bytes_sval->get_type ();
while (const svalue *raw = num_bytes_sval->maybe_undo_cast ())
  num_bytes_sval = raw;
if (const binop_svalue *binop_sval = num_bytes_sval->dyn_cast_binop_svalue ())
  if (binop_sval->get_op () == MIN_EXPR)
    if (binop_sval->get_arg1 ()->get_kind () == SK_CONSTANT)
{
 return mgr->get_or_create_cast (type, binop_sval->get_arg1 ());
 /* TODO: we might want to also capture the constraint
    when recording the diagnostic, or note that we're using
    the upper bound.  */
}
return NULLnullptr;
1401}

1403/* Attempt to get an upper bound for the size of a copy when simulating a
 copy function.

 NUM_BYTES_SVAL is the symbolic value for the size of the copy.
 Use it if it's constant, otherwise try to simplify it.  Failing
 that, use the size of SRC_REG if constant.

 Return a symbolic value for an upper limit on the number of bytes
 copied, or NULL if no such value could be determined.  */

1413const svalue *
1414region_model::maybe_get_copy_bounds (const region *src_reg,
		     const svalue *num_bytes_sval)
1416{
if (num_bytes_sval->maybe_get_constant ())
  return num_bytes_sval;

if (const svalue *simplified
    = maybe_simplify_upper_bound (num_bytes_sval, m_mgr))
  num_bytes_sval = simplified;

if (num_bytes_sval->maybe_get_constant ())
  return num_bytes_sval;

/* For now, try just guessing the size as the capacity of the
   base region of the src.
   This is a hack; we might get too large a value.  */
const region *src_base_reg = src_reg->get_base_region ();
num_bytes_sval = get_capacity (src_base_reg);

if (num_bytes_sval->maybe_get_constant ())
  return num_bytes_sval;

/* Non-constant: give up. */
return NULLnullptr;
1438}

1440/* Get any known_function for FNDECL for call CD.

 The call must match all assumptions made by the known_function (such as
 e.g. "argument 1's type must be a pointer type").

 Return NULL if no known_function is found, or it does not match the
 assumption(s).  */

1448const known_function *
1449region_model::get_known_function (tree fndecl, const call_details &cd) const
1450{
known_function_manager *known_fn_mgr = m_mgr->get_known_function_manager ();
return known_fn_mgr->get_match (fndecl, cd);
1453}

1455/* Get any known_function for IFN, or NULL.  */

1457const known_function *
1458region_model::get_known_function (enum internal_fn ifn) const
1459{
known_function_manager *known_fn_mgr = m_mgr->get_known_function_manager ();
return known_fn_mgr->get_internal_fn (ifn);
1462}

1464/* Update this model for the CALL stmt, using CTXT to report any
 diagnostics - the first half.

 Updates to the region_model that should be made *before* sm-states
 are updated are done here; other updates to the region_model are done
 in region_model::on_call_post.

 Return true if the function call has unknown side effects (it wasn't
 recognized and we don't have a body for it, or are unable to tell which
 fndecl it is).  */

1475bool
1476region_model::on_call_pre (const gcall *call, region_model_context *ctxt)
1477{
call_details cd (call, this, ctxt);

/* Special-case for IFN_DEFERRED_INIT.
   We want to report uninitialized variables with -fanalyzer (treating
   -ftrivial-auto-var-init= as purely a mitigation feature).
   Handle IFN_DEFERRED_INIT by treating it as no-op: don't touch the
   lhs of the call, so that it is still uninitialized from the point of
   view of the analyzer.  */
if (gimple_call_internal_p (call)
    && gimple_call_internal_fn (call) == IFN_DEFERRED_INIT)
  return false; /* No side effects.  */

/* Get svalues for all of the arguments at the callsite, to ensure that we
   complain about any uninitialized arguments.  This might lead to
   duplicates if any of the handling below also looks up the svalues,
   but the deduplication code should deal with that.  */
if (ctxt)
  check_call_args (cd);

tree callee_fndecl = get_fndecl_for_call (call, ctxt);

/* Some of the cases below update the lhs of the call based on the
   return value, but not all.  Provide a default value, which may
   get overwritten below.  */
if (tree lhs = gimple_call_lhs (call))
  {
    const region *lhs_region = get_lvalue (lhs, ctxt);
    const svalue *sval = maybe_get_const_fn_result (cd);
    if (!sval)
{
 if (callee_fndecl
     && lookup_attribute ("malloc", DECL_ATTRIBUTES (callee_fndecl)((contains_struct_check ((callee_fndecl), (TS_DECL_COMMON), "/buildworker/marxinbox-gcc-clang-static-analyzer/build/gcc/analyzer/region-model.cc"
, 1509, __FUNCTION__))->decl_common.attributes)))
   {
     const region *new_reg
= get_or_create_region_for_heap_alloc (NULLnullptr, ctxt);
     mark_region_as_unknown (new_reg, NULLnullptr);
     sval = m_mgr->get_ptr_svalue (cd.get_lhs_type (), new_reg);
   }
 else
   /* For the common case of functions without __attribute__((const)),
      use a conjured value, and purge any prior state involving that
      value (in case this is in a loop).  */
   sval = m_mgr->get_or_create_conjured_svalue (TREE_TYPE (lhs)((contains_struct_check ((lhs), (TS_TYPED), "/buildworker/marxinbox-gcc-clang-static-analyzer/build/gcc/analyzer/region-model.cc"
, 1520, __FUNCTION__))->typed.type), call,
					 lhs_region,
					 conjured_purge (this,
							 ctxt));
}
    set_value (lhs_region, sval, ctxt);
  }

if (gimple_call_internal_p (call))
  if (const known_function *kf
 = get_known_function (gimple_call_internal_fn (call)))
    {
kf->impl_call_pre (cd);
return false; /* No further side effects.  */
    }

if (!callee_fndecl)
  return true; /* Unknown side effects.  */

if (const known_function *kf = get_known_function (callee_fndecl, cd))
  {
    kf->impl_call_pre (cd);
    return false; /* No further side effects.  */
  }

const int callee_fndecl_flags = flags_from_decl_or_type (callee_fndecl);
if (callee_fndecl_flags & (ECF_CONST(1 << 0) | ECF_PURE(1 << 1)))
  return false; /* No side effects.  */

if (fndecl_built_in_p (callee_fndecl))
  return true; /* Unknown side effects.  */

if (!fndecl_has_gimple_body_p (callee_fndecl))
  return true; /* Unknown side effects.  */

return false; /* No side effects.  */
1556}

1558/* Update this model for the CALL stmt, using CTXT to report any
 diagnostics - the second half.

 Updates to the region_model that should be made *after* sm-states
 are updated are done here; other updates to the region_model are done
 in region_model::on_call_pre.

 If UNKNOWN_SIDE_EFFECTS is true, also call handle_unrecognized_call
 to purge state.  */

1568void
1569region_model::on_call_post (const gcall *call,
	    bool unknown_side_effects,
	    region_model_context *ctxt)
1572{
if (tree callee_fndecl = get_fndecl_for_call (call, ctxt))
  {
    call_details cd (call, this, ctxt);
    if (const known_function *kf = get_known_function (callee_fndecl, cd))
{
 kf->impl_call_post (cd);
 return;
}
    /* Was this fndecl referenced by
__attribute__((malloc(FOO)))?  */
    if (lookup_attribute ("*dealloc", DECL_ATTRIBUTES (callee_fndecl)((contains_struct_check ((callee_fndecl), (TS_DECL_COMMON), "/buildworker/marxinbox-gcc-clang-static-analyzer/build/gcc/analyzer/region-model.cc"
, 1583, __FUNCTION__))->decl_common.attributes)))
{
 impl_deallocation_call (cd);
 return;
}
  }

if (unknown_side_effects)
  handle_unrecognized_call (call, ctxt);
1592}

1594/* Purge state involving SVAL from this region_model, using CTXT
 (if non-NULL) to purge other state in a program_state.

 For example, if we're at the def-stmt of an SSA name, then we need to
 purge any state for svalues that involve that SSA name.  This avoids
 false positives in loops, since a symbolic value referring to the
 SSA name will be referring to the previous value of that SSA name.

 For example, in:
   while ((e = hashmap_iter_next(&iter))) {
     struct oid2strbuf *e_strbuf = (struct oid2strbuf *)e;
     free (e_strbuf->value);
   }
 at the def-stmt of e_8:
   e_8 = hashmap_iter_next (&iter);
 we should purge the "freed" state of:
   INIT_VAL(CAST_REG(‘struct oid2strbuf’, (*INIT_VAL(e_8))).value)
 which is the "e_strbuf->value" value from the previous iteration,
 or we will erroneously report a double-free - the "e_8" within it
 refers to the previous value.  */

1615void
1616region_model::purge_state_involving (const svalue *sval,
		     region_model_context *ctxt)
1618{
if (!sval->can_have_associated_state_p ())
  return;
m_store.purge_state_involving (sval, m_mgr);
m_constraints->purge_state_involving (sval);
m_dynamic_extents.purge_state_involving (sval);
if (ctxt)
  ctxt->purge_state_involving (sval);
1626}

1628/* A pending_note subclass for adding a note about an
 __attribute__((access, ...)) to a diagnostic.  */

1631class reason_attr_access : public pending_note_subclass<reason_attr_access>
1632{
1633public:
reason_attr_access (tree callee_fndecl, const attr_access &access)
: m_callee_fndecl (callee_fndecl),
  m_ptr_argno (access.ptrarg),
  m_access_str (TREE_STRING_POINTER (access.to_external_string ())((const char *)((tree_check ((access.to_external_string ()), "/buildworker/marxinbox-gcc-clang-static-analyzer/build/gcc/analyzer/region-model.cc"
, 1637, __FUNCTION__, (STRING_CST)))->string.str)))
{
}

const char *get_kind () const final override { return "reason_attr_access"; }

void emit () const final override
{
  inform (DECL_SOURCE_LOCATION (m_callee_fndecl)((contains_struct_check ((m_callee_fndecl), (TS_DECL_MINIMAL)
, "/buildworker/marxinbox-gcc-clang-static-analyzer/build/gcc/analyzer/region-model.cc"
, 1645, __FUNCTION__))->decl_minimal.locus),
   "parameter %i of %qD marked with attribute %qs",
   m_ptr_argno + 1, m_callee_fndecl, m_access_str);
}

bool operator== (const reason_attr_access &other) const
{
  return (m_callee_fndecl == other.m_callee_fndecl
   && m_ptr_argno == other.m_ptr_argno
   && !strcmp (m_access_str, other.m_access_str));
}

1657private:
tree m_callee_fndecl;
unsigned m_ptr_argno;
const char *m_access_str;
1661};

1663/* Check CALL a call to external function CALLEE_FNDECL based on
 any __attribute__ ((access, ....) on the latter, complaining to
 CTXT about any issues.

 Currently we merely call check_region_for_write on any regions
 pointed to by arguments marked with a "write_only" or "read_write"
 attribute.  */

1671void
1672region_model::
1673check_external_function_for_access_attr (const gcall *call,
			 tree callee_fndecl,
			 region_model_context *ctxt) const
1676{
gcc_assert (call)((void)(!(call) ? fancy_abort ("/buildworker/marxinbox-gcc-clang-static-analyzer/build/gcc/analyzer/region-model.cc"
, 1677, __FUNCTION__), 0 : 0));
gcc_assert (callee_fndecl)((void)(!(callee_fndecl) ? fancy_abort ("/buildworker/marxinbox-gcc-clang-static-analyzer/build/gcc/analyzer/region-model.cc"
, 1678, __FUNCTION__), 0 : 0));
gcc_assert (ctxt)((void)(!(ctxt) ? fancy_abort ("/buildworker/marxinbox-gcc-clang-static-analyzer/build/gcc/analyzer/region-model.cc"
, 1679, __FUNCTION__), 0 : 0));

tree fntype = TREE_TYPE (callee_fndecl)((contains_struct_check ((callee_fndecl), (TS_TYPED), "/buildworker/marxinbox-gcc-clang-static-analyzer/build/gcc/analyzer/region-model.cc"
, 1681, __FUNCTION__))->typed.type);
if (!fntype)
  return;

if (!TYPE_ATTRIBUTES (fntype)((tree_class_check ((fntype), (tcc_type), "/buildworker/marxinbox-gcc-clang-static-analyzer/build/gcc/analyzer/region-model.cc"
, 1685, __FUNCTION__))->type_common.attributes))
  return;

/* Initialize a map of attribute access specifications for arguments
   to the function call.  */
rdwr_map rdwr_idx;
init_attr_rdwr_indices (&rdwr_idx, TYPE_ATTRIBUTES (fntype)((tree_class_check ((fntype), (tcc_type), "/buildworker/marxinbox-gcc-clang-static-analyzer/build/gcc/analyzer/region-model.cc"
, 1691, __FUNCTION__))->type_common.attributes));

unsigned argno = 0;

for (tree iter = TYPE_ARG_TYPES (fntype)((tree_check2 ((fntype), "/buildworker/marxinbox-gcc-clang-static-analyzer/build/gcc/analyzer/region-model.cc"
, 1695, __FUNCTION__, (FUNCTION_TYPE), (METHOD_TYPE)))->type_non_common
.values); iter;
     iter = TREE_CHAIN (iter)((contains_struct_check ((iter), (TS_COMMON), "/buildworker/marxinbox-gcc-clang-static-analyzer/build/gcc/analyzer/region-model.cc"
, 1696, __FUNCTION__))->common.chain), ++argno)
  {
    const attr_access* access = rdwr_idx.get (argno);
    if (!access)
continue;

    /* Ignore any duplicate entry in the map for the size argument.  */
    if (access->ptrarg != argno)
continue;

    if (access->mode == access_write_only
 || access->mode == access_read_write)
{
 /* Subclass of decorated_region_model_context that
    adds a note about the attr access to any saved diagnostics.  */
 class annotating_ctxt : public note_adding_context
 {
 public:
   annotating_ctxt (tree callee_fndecl,
	     const attr_access &access,
	     region_model_context *ctxt)
   : note_adding_context (ctxt),
     m_callee_fndecl (callee_fndecl),
     m_access (access)
   {
   }
   std::unique_ptr<pending_note> make_note () final override
   {
     return make_unique<reason_attr_access>
(m_callee_fndecl, m_access);
   }
 private:
   tree m_callee_fndecl;
   const attr_access &m_access;
 };

 /* Use this ctxt below so that any diagnostics get the
    note added to them.  */
 annotating_ctxt my_ctxt (callee_fndecl, *access, ctxt);

 tree ptr_tree = gimple_call_arg (call, access->ptrarg);
 const svalue *ptr_sval = get_rvalue (ptr_tree, &my_ctxt);
 const region *reg = deref_rvalue (ptr_sval, ptr_tree, &my_ctxt);
 check_region_for_write (reg, &my_ctxt);
 /* We don't use the size arg for now.  */
}
  }
1743}

1745/* Handle a call CALL to a function with unknown behavior.

 Traverse the regions in this model, determining what regions are
 reachable from pointer arguments to CALL and from global variables,
 recursively.

 Set all reachable regions to new unknown values and purge sm-state
 from their values, and from values that point to them.  */

1754void
1755region_model::handle_unrecognized_call (const gcall *call,
			region_model_context *ctxt)
1757{
tree fndecl = get_fndecl_for_call (call, ctxt);

if (fndecl && ctxt)
  check_external_function_for_access_attr (call, fndecl, ctxt);

reachable_regions reachable_regs (this);

/* Determine the reachable regions and their mutability.  */
{
  /* Add globals and regions that already escaped in previous
     unknown calls.  */
  m_store.for_each_cluster (reachable_regions::init_cluster_cb,
	      &reachable_regs);

  /* Params that are pointers.  */
  tree iter_param_types = NULL_TREE(tree) nullptr;
  if (fndecl)
    iter_param_types = TYPE_ARG_TYPES (TREE_TYPE (fndecl))((tree_check2 ((((contains_struct_check ((fndecl), (TS_TYPED)
, "/buildworker/marxinbox-gcc-clang-static-analyzer/build/gcc/analyzer/region-model.cc"
, 1775, __FUNCTION__))->typed.type)), "/buildworker/marxinbox-gcc-clang-static-analyzer/build/gcc/analyzer/region-model.cc"
, 1775, __FUNCTION__, (FUNCTION_TYPE), (METHOD_TYPE)))->type_non_common
.values);
  for (unsigned arg_idx = 0; arg_idx < gimple_call_num_args (call); arg_idx++)
    {
/* Track expected param type, where available.  */
tree param_type = NULL_TREE(tree) nullptr;
if (iter_param_types)
 {
   param_type = TREE_VALUE (iter_param_types)((tree_check ((iter_param_types), "/buildworker/marxinbox-gcc-clang-static-analyzer/build/gcc/analyzer/region-model.cc"
, 1782, __FUNCTION__, (TREE_LIST)))->list.value);
   gcc_assert (param_type)((void)(!(param_type) ? fancy_abort ("/buildworker/marxinbox-gcc-clang-static-analyzer/build/gcc/analyzer/region-model.cc"
, 1783, __FUNCTION__), 0 : 0));
   iter_param_types = TREE_CHAIN (iter_param_types)((contains_struct_check ((iter_param_types), (TS_COMMON), "/buildworker/marxinbox-gcc-clang-static-analyzer/build/gcc/analyzer/region-model.cc"
, 1784, __FUNCTION__))->common.chain);
 }

tree parm = gimple_call_arg (call, arg_idx);
const svalue *parm_sval = get_rvalue (parm, ctxt);
reachable_regs.handle_parm (parm_sval, param_type);
    }
}

uncertainty_t *uncertainty = ctxt ? ctxt->get_uncertainty () : NULLnullptr;

/* Purge sm-state for the svalues that were reachable,
   both in non-mutable and mutable form.  */
for (svalue_set::iterator iter
= reachable_regs.begin_reachable_svals ();
     iter != reachable_regs.end_reachable_svals (); ++iter)
  {
    const svalue *sval = (*iter);
    if (ctxt)
ctxt->on_unknown_change (sval, false);
  }
for (svalue_set::iterator iter
= reachable_regs.begin_mutable_svals ();
     iter != reachable_regs.end_mutable_svals (); ++iter)
  {
    const svalue *sval = (*iter);
    if (ctxt)
ctxt->on_unknown_change (sval, true);
    if (uncertainty)
uncertainty->on_mutable_sval_at_unknown_call (sval);
  }

/* Mark any clusters that have escaped.  */
reachable_regs.mark_escaped_clusters (ctxt);

/* Update bindings for all clusters that have escaped, whether above,
   or previously.  */
m_store.on_unknown_fncall (call, m_mgr->get_store_manager (),
	     conjured_purge (this, ctxt));

/* Purge dynamic extents from any regions that have escaped mutably:
   realloc could have been called on them.  */
for (hash_set<const region *>::iterator
iter = reachable_regs.begin_mutable_base_regs ();
     iter != reachable_regs.end_mutable_base_regs ();
     ++iter)
  {
    const region *base_reg = (*iter);
    unset_dynamic_extents (base_reg);
  }
1834}

1836/* Traverse the regions in this model, determining what regions are
 reachable from the store and populating *OUT.

 If EXTRA_SVAL is non-NULL, treat it as an additional "root"
 for reachability (for handling return values from functions when
 analyzing return of the only function on the stack).

 If UNCERTAINTY is non-NULL, treat any svalues that were recorded
 within it as being maybe-bound as additional "roots" for reachability.

 Find svalues that haven't leaked.    */

1848void
1849region_model::get_reachable_svalues (svalue_set *out,
		     const svalue *extra_sval,
		     const uncertainty_t *uncertainty)
1852{
reachable_regions reachable_regs (this);

/* Add globals and regions that already escaped in previous
   unknown calls.  */
m_store.for_each_cluster (reachable_regions::init_cluster_cb,
	    &reachable_regs);

if (extra_sval)
  reachable_regs.handle_sval (extra_sval);

if (uncertainty)
  for (uncertainty_t::iterator iter
  = uncertainty->begin_maybe_bound_svals ();
iter != uncertainty->end_maybe_bound_svals (); ++iter)
    reachable_regs.handle_sval (*iter);

/* Get regions for locals that have explicitly bound values.  */
for (store::cluster_map_t::iterator iter = m_store.begin ();
     iter != m_store.end (); ++iter)
  {
    const region *base_reg = (*iter).first;
    if (const region *parent = base_reg->get_parent_region ())
if (parent->get_kind () == RK_FRAME)
 reachable_regs.add (base_reg, false);
  }

/* Populate *OUT based on the values that were reachable.  */
for (svalue_set::iterator iter
= reachable_regs.begin_reachable_svals ();
     iter != reachable_regs.end_reachable_svals (); ++iter)
  out->add (*iter);
1884}

1886/* Update this model for the RETURN_STMT, using CTXT to report any
 diagnostics.  */

1889void
1890region_model::on_return (const greturn *return_stmt, region_model_context *ctxt)
1891{
tree callee = get_current_function ()->decl;
tree lhs = DECL_RESULT (callee)((tree_check ((callee), "/buildworker/marxinbox-gcc-clang-static-analyzer/build/gcc/analyzer/region-model.cc"
, 1893, __FUNCTION__, (FUNCTION_DECL)))->decl_non_common.result
);
tree rhs = gimple_return_retval (return_stmt);

if (lhs && rhs)
  {
    const svalue *sval = get_rvalue (rhs, ctxt);
    const region *ret_reg = get_lvalue (lhs, ctxt);
    set_value (ret_reg, sval, ctxt);
  }
1902}

1904/* Update this model for a call and return of setjmp/sigsetjmp at CALL within
 ENODE, using CTXT to report any diagnostics.

 This is for the initial direct invocation of setjmp/sigsetjmp (which returns
 0), as opposed to any second return due to longjmp/sigsetjmp.  */

1910void
1911region_model::on_setjmp (const gcall *call, const exploded_node *enode,
	 region_model_context *ctxt)
1913{
const svalue *buf_ptr = get_rvalue (gimple_call_arg (call, 0), ctxt);
const region *buf_reg = deref_rvalue (buf_ptr, gimple_call_arg (call, 0),
			 ctxt);

/* Create a setjmp_svalue for this call and store it in BUF_REG's
   region.  */
if (buf_reg)
  {
    setjmp_record r (enode, call);
    const svalue *sval
= m_mgr->get_or_create_setjmp_svalue (r, buf_reg->get_type ());
    set_value (buf_reg, sval, ctxt);
  }

/* Direct calls to setjmp return 0.  */
if (tree lhs = gimple_call_lhs (call))
  {
    const svalue *new_sval
= m_mgr->get_or_create_int_cst (TREE_TYPE (lhs)((contains_struct_check ((lhs), (TS_TYPED), "/buildworker/marxinbox-gcc-clang-static-analyzer/build/gcc/analyzer/region-model.cc"
, 1932, __FUNCTION__))->typed.type), 0);
    const region *lhs_reg = get_lvalue (lhs, ctxt);
    set_value (lhs_reg, new_sval, ctxt);
  }
1936}

1938/* Update this region_model for rewinding from a "longjmp" at LONGJMP_CALL
 to a "setjmp" at SETJMP_CALL where the final stack depth should be
 SETJMP_STACK_DEPTH.  Pop any stack frames.  Leak detection is *not*
 done, and should be done by the caller.  */

1943void
1944region_model::on_longjmp (const gcall *longjmp_call, const gcall *setjmp_call,
	   int setjmp_stack_depth, region_model_context *ctxt)
1946{
/* Evaluate the val, using the frame of the "longjmp".  */
tree fake_retval = gimple_call_arg (longjmp_call, 1);
const svalue *fake_retval_sval = get_rvalue (fake_retval, ctxt);

/* Pop any frames until we reach the stack depth of the function where
   setjmp was called.  */
gcc_assert (get_stack_depth () >= setjmp_stack_depth)((void)(!(get_stack_depth () >= setjmp_stack_depth) ? fancy_abort
 ("/buildworker/marxinbox-gcc-clang-static-analyzer/build/gcc/analyzer/region-model.cc"
, 1953, __FUNCTION__), 0 : 0));
while (get_stack_depth () > setjmp_stack_depth)
  pop_frame (NULLnullptr, NULLnullptr, ctxt, false);

gcc_assert (get_stack_depth () == setjmp_stack_depth)((void)(!(get_stack_depth () == setjmp_stack_depth) ? fancy_abort
 ("/buildworker/marxinbox-gcc-clang-static-analyzer/build/gcc/analyzer/region-model.cc"
, 1957, __FUNCTION__), 0 : 0));

/* Assign to LHS of "setjmp" in new_state.  */
if (tree lhs = gimple_call_lhs (setjmp_call))
  {
    /* Passing 0 as the val to longjmp leads to setjmp returning 1.  */
    const svalue *zero_sval
= m_mgr->get_or_create_int_cst (TREE_TYPE (fake_retval)((contains_struct_check ((fake_retval), (TS_TYPED), "/buildworker/marxinbox-gcc-clang-static-analyzer/build/gcc/analyzer/region-model.cc"
, 1964, __FUNCTION__))->typed.type), 0);
    tristate eq_zero = eval_condition (fake_retval_sval, EQ_EXPR, zero_sval);
    /* If we have 0, use 1.  */
    if (eq_zero.is_true ())
{
 const svalue *one_sval
   = m_mgr->get_or_create_int_cst (TREE_TYPE (fake_retval)((contains_struct_check ((fake_retval), (TS_TYPED), "/buildworker/marxinbox-gcc-clang-static-analyzer/build/gcc/analyzer/region-model.cc"
, 1970, __FUNCTION__))->typed.type), 1);
 fake_retval_sval = one_sval;
}
    else
{
 /* Otherwise note that the value is nonzero.  */
 m_constraints->add_constraint (fake_retval_sval, NE_EXPR, zero_sval);
}

    /* Decorate the return value from setjmp as being unmergeable,
so that we don't attempt to merge states with it as zero
with states in which it's nonzero, leading to a clean distinction
in the exploded_graph betweeen the first return and the second
return.  */
    fake_retval_sval = m_mgr->get_or_create_unmergeable (fake_retval_sval);

    const region *lhs_reg = get_lvalue (lhs, ctxt);
    set_value (lhs_reg, fake_retval_sval, ctxt);
  }
1989}

1991/* Update this region_model for a phi stmt of the form
   LHS = PHI <...RHS...>.
 where RHS is for the appropriate edge.
 Get state from OLD_STATE so that all of the phi stmts for a basic block
 are effectively handled simultaneously.  */

1997void
1998region_model::handle_phi (const gphi *phi,
	  tree lhs, tree rhs,
	  const region_model &old_state,
	  region_model_context *ctxt)
2002{
/* For now, don't bother tracking the .MEM SSA names.  */
if (tree var = SSA_NAME_VAR (lhs)((tree_check ((lhs), "/buildworker/marxinbox-gcc-clang-static-analyzer/build/gcc/analyzer/region-model.cc"
, 2004, __FUNCTION__, (SSA_NAME)))->ssa_name.var == (tree)
 nullptr || ((enum tree_code) ((lhs)->ssa_name.var)->base
.code) == IDENTIFIER_NODE ? (tree) nullptr : (lhs)->ssa_name
.var))
  if (TREE_CODE (var)((enum tree_code) (var)->base.code) == VAR_DECL)
    if (VAR_DECL_IS_VIRTUAL_OPERAND (var)((tree_check ((var), "/buildworker/marxinbox-gcc-clang-static-analyzer/build/gcc/analyzer/region-model.cc"
, 2006, __FUNCTION__, (VAR_DECL)))->base.u.bits.saturating_flag
))
return;

const svalue *src_sval = old_state.get_rvalue (rhs, ctxt);
const region *dst_reg = old_state.get_lvalue (lhs, ctxt);

set_value (dst_reg, src_sval, ctxt);

if (ctxt)
  ctxt->on_phi (phi, rhs);
2016}

2018/* Implementation of region_model::get_lvalue; the latter adds type-checking.

 Get the id of the region for PV within this region_model,
 emitting any diagnostics to CTXT.  */

2023const region *
2024region_model::get_lvalue_1 (path_var pv, region_model_context *ctxt) const
2025{
tree expr = pv.m_tree;

gcc_assert (expr)((void)(!(expr) ? fancy_abort ("/buildworker/marxinbox-gcc-clang-static-analyzer/build/gcc/analyzer/region-model.cc"
, 2028, __FUNCTION__), 0 : 0));

switch (TREE_CODE (expr)((enum tree_code) (expr)->base.code))
  {
  default:
    return m_mgr->get_region_for_unexpected_tree_code (ctxt, expr,
					 dump_location_t ());

  case ARRAY_REF:
    {
tree array = TREE_OPERAND (expr, 0)(*((const_cast<tree*> (tree_operand_check ((expr), (0),
 "/buildworker/marxinbox-gcc-clang-static-analyzer/build/gcc/analyzer/region-model.cc"
, 2038, __FUNCTION__)))));
tree index = TREE_OPERAND (expr, 1)(*((const_cast<tree*> (tree_operand_check ((expr), (1),
 "/buildworker/marxinbox-gcc-clang-static-analyzer/build/gcc/analyzer/region-model.cc"
, 2039, __FUNCTION__)))));

const region *array_reg = get_lvalue (array, ctxt);
const svalue *index_sval = get_rvalue (index, ctxt);
return m_mgr->get_element_region (array_reg,
			  TREE_TYPE (TREE_TYPE (array))((contains_struct_check ((((contains_struct_check ((array), (
TS_TYPED), "/buildworker/marxinbox-gcc-clang-static-analyzer/build/gcc/analyzer/region-model.cc"
, 2044, __FUNCTION__))->typed.type)), (TS_TYPED), "/buildworker/marxinbox-gcc-clang-static-analyzer/build/gcc/analyzer/region-model.cc"
, 2044, __FUNCTION__))->typed.type),
			  index_sval);
    }
    break;

  case BIT_FIELD_REF:
    {
tree inner_expr = TREE_OPERAND (expr, 0)(*((const_cast<tree*> (tree_operand_check ((expr), (0),
 "/buildworker/marxinbox-gcc-clang-static-analyzer/build/gcc/analyzer/region-model.cc"
, 2051, __FUNCTION__)))));
const region *inner_reg = get_lvalue (inner_expr, ctxt);
tree num_bits = TREE_OPERAND (expr, 1)(*((const_cast<tree*> (tree_operand_check ((expr), (1),
 "/buildworker/marxinbox-gcc-clang-static-analyzer/build/gcc/analyzer/region-model.cc"
, 2053, __FUNCTION__)))));
tree first_bit_offset = TREE_OPERAND (expr, 2)(*((const_cast<tree*> (tree_operand_check ((expr), (2),
 "/buildworker/marxinbox-gcc-clang-static-analyzer/build/gcc/analyzer/region-model.cc"
, 2054, __FUNCTION__)))));
gcc_assert (TREE_CODE (num_bits) == INTEGER_CST)((void)(!(((enum tree_code) (num_bits)->base.code) == INTEGER_CST
) ? fancy_abort ("/buildworker/marxinbox-gcc-clang-static-analyzer/build/gcc/analyzer/region-model.cc"
, 2055, __FUNCTION__), 0 : 0));
gcc_assert (TREE_CODE (first_bit_offset) == INTEGER_CST)((void)(!(((enum tree_code) (first_bit_offset)->base.code)
 == INTEGER_CST) ? fancy_abort ("/buildworker/marxinbox-gcc-clang-static-analyzer/build/gcc/analyzer/region-model.cc"
, 2056, __FUNCTION__), 0 : 0));
bit_range bits (TREE_INT_CST_LOW (first_bit_offset)((unsigned long) (*tree_int_cst_elt_check ((first_bit_offset)
, (0), "/buildworker/marxinbox-gcc-clang-static-analyzer/build/gcc/analyzer/region-model.cc"
, 2057, __FUNCTION__))),
	TREE_INT_CST_LOW (num_bits)((unsigned long) (*tree_int_cst_elt_check ((num_bits), (0), "/buildworker/marxinbox-gcc-clang-static-analyzer/build/gcc/analyzer/region-model.cc"
, 2058, __FUNCTION__))));
return m_mgr->get_bit_range (inner_reg, TREE_TYPE (expr)((contains_struct_check ((expr), (TS_TYPED), "/buildworker/marxinbox-gcc-clang-static-analyzer/build/gcc/analyzer/region-model.cc"
, 2059, __FUNCTION__))->typed.type), bits);
    }
    break;

  case MEM_REF:
    {
tree ptr = TREE_OPERAND (expr, 0)(*((const_cast<tree*> (tree_operand_check ((expr), (0),
 "/buildworker/marxinbox-gcc-clang-static-analyzer/build/gcc/analyzer/region-model.cc"
, 2065, __FUNCTION__)))));
tree offset = TREE_OPERAND (expr, 1)(*((const_cast<tree*> (tree_operand_check ((expr), (1),
 "/buildworker/marxinbox-gcc-clang-static-analyzer/build/gcc/analyzer/region-model.cc"
, 2066, __FUNCTION__)))));
const svalue *ptr_sval = get_rvalue (ptr, ctxt);
const svalue *offset_sval = get_rvalue (offset, ctxt);
const region *star_ptr = deref_rvalue (ptr_sval, ptr, ctxt);
return m_mgr->get_offset_region (star_ptr,
			 TREE_TYPE (expr)((contains_struct_check ((expr), (TS_TYPED), "/buildworker/marxinbox-gcc-clang-static-analyzer/build/gcc/analyzer/region-model.cc"
, 2071, __FUNCTION__))->typed.type),
			 offset_sval);
    }
    break;

  case FUNCTION_DECL:
    return m_mgr->get_region_for_fndecl (expr);

  case LABEL_DECL:
    return m_mgr->get_region_for_label (expr);

  case VAR_DECL:
    /* Handle globals.  */
    if (is_global_var (expr))
return m_mgr->get_region_for_global (expr);

    /* Fall through.  */

  case SSA_NAME:
  case PARM_DECL:
  case RESULT_DECL:
    {
gcc_assert (TREE_CODE (expr) == SSA_NAME((void)(!(((enum tree_code) (expr)->base.code) == SSA_NAME
 || ((enum tree_code) (expr)->base.code) == PARM_DECL || (
(enum tree_code) (expr)->base.code) == VAR_DECL || ((enum tree_code
) (expr)->base.code) == RESULT_DECL) ? fancy_abort ("/buildworker/marxinbox-gcc-clang-static-analyzer/build/gcc/analyzer/region-model.cc"
, 2096, __FUNCTION__), 0 : 0))
    || TREE_CODE (expr) == PARM_DECL((void)(!(((enum tree_code) (expr)->base.code) == SSA_NAME
 || ((enum tree_code) (expr)->base.code) == PARM_DECL || (
(enum tree_code) (expr)->base.code) == VAR_DECL || ((enum tree_code
) (expr)->base.code) == RESULT_DECL) ? fancy_abort ("/buildworker/marxinbox-gcc-clang-static-analyzer/build/gcc/analyzer/region-model.cc"
, 2096, __FUNCTION__), 0 : 0))
    || TREE_CODE (expr) == VAR_DECL((void)(!(((enum tree_code) (expr)->base.code) == SSA_NAME
 || ((enum tree_code) (expr)->base.code) == PARM_DECL || (
(enum tree_code) (expr)->base.code) == VAR_DECL || ((enum tree_code
) (expr)->base.code) == RESULT_DECL) ? fancy_abort ("/buildworker/marxinbox-gcc-clang-static-analyzer/build/gcc/analyzer/region-model.cc"
, 2096, __FUNCTION__), 0 : 0))
    || TREE_CODE (expr) == RESULT_DECL)((void)(!(((enum tree_code) (expr)->base.code) == SSA_NAME
 || ((enum tree_code) (expr)->base.code) == PARM_DECL || (
(enum tree_code) (expr)->base.code) == VAR_DECL || ((enum tree_code
) (expr)->base.code) == RESULT_DECL) ? fancy_abort ("/buildworker/marxinbox-gcc-clang-static-analyzer/build/gcc/analyzer/region-model.cc"
, 2096, __FUNCTION__), 0 : 0));

int stack_index = pv.m_stack_depth;
const frame_region *frame = get_frame_at_index (stack_index);
gcc_assert (frame)((void)(!(frame) ? fancy_abort ("/buildworker/marxinbox-gcc-clang-static-analyzer/build/gcc/analyzer/region-model.cc"
, 2100, __FUNCTION__), 0 : 0));
return frame->get_region_for_local (m_mgr, expr, ctxt);
    }

  case COMPONENT_REF:
    {
/* obj.field  */
tree obj = TREE_OPERAND (expr, 0)(*((const_cast<tree*> (tree_operand_check ((expr), (0),
 "/buildworker/marxinbox-gcc-clang-static-analyzer/build/gcc/analyzer/region-model.cc"
, 2107, __FUNCTION__)))));
tree field = TREE_OPERAND (expr, 1)(*((const_cast<tree*> (tree_operand_check ((expr), (1),
 "/buildworker/marxinbox-gcc-clang-static-analyzer/build/gcc/analyzer/region-model.cc"
, 2108, __FUNCTION__)))));
const region *obj_reg = get_lvalue (obj, ctxt);
return m_mgr->get_field_region (obj_reg, field);
    }
    break;

  case STRING_CST:
    return m_mgr->get_region_for_string (expr);
  }
2117}

2119/* Assert that SRC_TYPE can be converted to DST_TYPE as a no-op.  */

2121static void
2122assert_compat_types (tree src_type, tree dst_type)
2123{
if (src_type && dst_type && !VOID_TYPE_P (dst_type)(((enum tree_code) (dst_type)->base.code) == VOID_TYPE))
  {
2126#if CHECKING_P1
    if (!(useless_type_conversion_p (src_type, dst_type)))
internal_error ("incompatible types: %qT and %qT", src_type, dst_type);
2129#endif
  }
2131}

2133/* Return true if SRC_TYPE can be converted to DST_TYPE as a no-op.  */

2135bool
2136compat_types_p (tree src_type, tree dst_type)
2137{
if (src_type && dst_type && !VOID_TYPE_P (dst_type)(((enum tree_code) (dst_type)->base.code) == VOID_TYPE))
  if (!(useless_type_conversion_p (src_type, dst_type)))
    return false;
return true;
2142}

2144/* Get the region for PV within this region_model,
 emitting any diagnostics to CTXT.  */

2147const region *
2148region_model::get_lvalue (path_var pv, region_model_context *ctxt) const
2149{
if (pv.m_tree == NULL_TREE(tree) nullptr)
  return NULLnullptr;

const region *result_reg = get_lvalue_1 (pv, ctxt);
assert_compat_types (result_reg->get_type (), TREE_TYPE (pv.m_tree)((contains_struct_check ((pv.m_tree), (TS_TYPED), "/buildworker/marxinbox-gcc-clang-static-analyzer/build/gcc/analyzer/region-model.cc"
, 2154, __FUNCTION__))->typed.type));
return result_reg;
2156}

2158/* Get the region for EXPR within this region_model (assuming the most
 recent stack frame if it's a local).  */

2161const region *
2162region_model::get_lvalue (tree expr, region_model_context *ctxt) const
2163{
return get_lvalue (path_var (expr, get_stack_depth () - 1), ctxt);
2165}

2167/* Implementation of region_model::get_rvalue; the latter adds type-checking.

 Get the value of PV within this region_model,
 emitting any diagnostics to CTXT.  */

2172const svalue *
2173region_model::get_rvalue_1 (path_var pv, region_model_context *ctxt) const
2174{
gcc_assert (pv.m_tree)((void)(!(pv.m_tree) ? fancy_abort ("/buildworker/marxinbox-gcc-clang-static-analyzer/build/gcc/analyzer/region-model.cc"
, 2175, __FUNCTION__), 0 : 0));

switch (TREE_CODE (pv.m_tree)((enum tree_code) (pv.m_tree)->base.code))
  {
  default:
    return m_mgr->get_or_create_unknown_svalue (TREE_TYPE (pv.m_tree)((contains_struct_check ((pv.m_tree), (TS_TYPED), "/buildworker/marxinbox-gcc-clang-static-analyzer/build/gcc/analyzer/region-model.cc"
, 2180, __FUNCTION__))->typed.type));

  case ADDR_EXPR:
    {
/* "&EXPR".  */
tree expr = pv.m_tree;
tree op0 = TREE_OPERAND (expr, 0)(*((const_cast<tree*> (tree_operand_check ((expr), (0),
 "/buildworker/marxinbox-gcc-clang-static-analyzer/build/gcc/analyzer/region-model.cc"
, 2186, __FUNCTION__)))));
const region *expr_reg = get_lvalue (op0, ctxt);
return m_mgr->get_ptr_svalue (TREE_TYPE (expr)((contains_struct_check ((expr), (TS_TYPED), "/buildworker/marxinbox-gcc-clang-static-analyzer/build/gcc/analyzer/region-model.cc"
, 2188, __FUNCTION__))->typed.type), expr_reg);
    }
    break;

  case BIT_FIELD_REF:
    {
tree expr = pv.m_tree;
tree op0 = TREE_OPERAND (expr, 0)(*((const_cast<tree*> (tree_operand_check ((expr), (0),
 "/buildworker/marxinbox-gcc-clang-static-analyzer/build/gcc/analyzer/region-model.cc"
, 2195, __FUNCTION__)))));
const region *reg = get_lvalue (op0, ctxt);
tree num_bits = TREE_OPERAND (expr, 1)(*((const_cast<tree*> (tree_operand_check ((expr), (1),
 "/buildworker/marxinbox-gcc-clang-static-analyzer/build/gcc/analyzer/region-model.cc"
, 2197, __FUNCTION__)))));
tree first_bit_offset = TREE_OPERAND (expr, 2)(*((const_cast<tree*> (tree_operand_check ((expr), (2),
 "/buildworker/marxinbox-gcc-clang-static-analyzer/build/gcc/analyzer/region-model.cc"
, 2198, __FUNCTION__)))));
gcc_assert (TREE_CODE (num_bits) == INTEGER_CST)((void)(!(((enum tree_code) (num_bits)->base.code) == INTEGER_CST
) ? fancy_abort ("/buildworker/marxinbox-gcc-clang-static-analyzer/build/gcc/analyzer/region-model.cc"
, 2199, __FUNCTION__), 0 : 0));
gcc_assert (TREE_CODE (first_bit_offset) == INTEGER_CST)((void)(!(((enum tree_code) (first_bit_offset)->base.code)
 == INTEGER_CST) ? fancy_abort ("/buildworker/marxinbox-gcc-clang-static-analyzer/build/gcc/analyzer/region-model.cc"
, 2200, __FUNCTION__), 0 : 0));
bit_range bits (TREE_INT_CST_LOW (first_bit_offset)((unsigned long) (*tree_int_cst_elt_check ((first_bit_offset)
, (0), "/buildworker/marxinbox-gcc-clang-static-analyzer/build/gcc/analyzer/region-model.cc"
, 2201, __FUNCTION__))),
	TREE_INT_CST_LOW (num_bits)((unsigned long) (*tree_int_cst_elt_check ((num_bits), (0), "/buildworker/marxinbox-gcc-clang-static-analyzer/build/gcc/analyzer/region-model.cc"
, 2202, __FUNCTION__))));
return get_rvalue_for_bits (TREE_TYPE (expr)((contains_struct_check ((expr), (TS_TYPED), "/buildworker/marxinbox-gcc-clang-static-analyzer/build/gcc/analyzer/region-model.cc"
, 2203, __FUNCTION__))->typed.type), reg, bits, ctxt);
    }

  case VAR_DECL:
    if (DECL_HARD_REGISTER (pv.m_tree)((tree_check ((pv.m_tree), "/buildworker/marxinbox-gcc-clang-static-analyzer/build/gcc/analyzer/region-model.cc"
, 2207, __FUNCTION__, (VAR_DECL)))->decl_with_vis.hard_register
))
{
 /* If it has a hard register, it doesn't have a memory region
    and can't be referred to as an lvalue.  */
 return m_mgr->get_or_create_unknown_svalue (TREE_TYPE (pv.m_tree)((contains_struct_check ((pv.m_tree), (TS_TYPED), "/buildworker/marxinbox-gcc-clang-static-analyzer/build/gcc/analyzer/region-model.cc"
, 2211, __FUNCTION__))->typed.type));
}
    /* Fall through. */
  case PARM_DECL:
  case SSA_NAME:
  case RESULT_DECL:
  case ARRAY_REF:
    {
const region *reg = get_lvalue (pv, ctxt);
return get_store_value (reg, ctxt);
    }

  case REALPART_EXPR:
  case IMAGPART_EXPR:
  case VIEW_CONVERT_EXPR:
    {
tree expr = pv.m_tree;
tree arg = TREE_OPERAND (expr, 0)(*((const_cast<tree*> (tree_operand_check ((expr), (0),
 "/buildworker/marxinbox-gcc-clang-static-analyzer/build/gcc/analyzer/region-model.cc"
, 2228, __FUNCTION__)))));
const svalue *arg_sval = get_rvalue (arg, ctxt);
const svalue *sval_unaryop
 = m_mgr->get_or_create_unaryop (TREE_TYPE (expr)((contains_struct_check ((expr), (TS_TYPED), "/buildworker/marxinbox-gcc-clang-static-analyzer/build/gcc/analyzer/region-model.cc"
, 2231, __FUNCTION__))->typed.type), TREE_CODE (expr)((enum tree_code) (expr)->base.code),
			  arg_sval);
return sval_unaryop;
    };

  case INTEGER_CST:
  case REAL_CST:
  case COMPLEX_CST:
  case VECTOR_CST:
  case STRING_CST:
    return m_mgr->get_or_create_constant_svalue (pv.m_tree);

  case POINTER_PLUS_EXPR:
{
 tree expr = pv.m_tree;
 tree ptr = TREE_OPERAND (expr, 0)(*((const_cast<tree*> (tree_operand_check ((expr), (0),
 "/buildworker/marxinbox-gcc-clang-static-analyzer/build/gcc/analyzer/region-model.cc"
, 2246, __FUNCTION__)))));
 tree offset = TREE_OPERAND (expr, 1)(*((const_cast<tree*> (tree_operand_check ((expr), (1),
 "/buildworker/marxinbox-gcc-clang-static-analyzer/build/gcc/analyzer/region-model.cc"
, 2247, __FUNCTION__)))));
 const svalue *ptr_sval = get_rvalue (ptr, ctxt);
 const svalue *offset_sval = get_rvalue (offset, ctxt);
 const svalue *sval_binop
   = m_mgr->get_or_create_binop (TREE_TYPE (expr)((contains_struct_check ((expr), (TS_TYPED), "/buildworker/marxinbox-gcc-clang-static-analyzer/build/gcc/analyzer/region-model.cc"
, 2251, __FUNCTION__))->typed.type), POINTER_PLUS_EXPR,
			  ptr_sval, offset_sval);
 return sval_binop;
}

  /* Binary ops.  */
  case PLUS_EXPR:
  case MULT_EXPR:
  case BIT_AND_EXPR:
  case BIT_IOR_EXPR:
  case BIT_XOR_EXPR:
{
 tree expr = pv.m_tree;
 tree arg0 = TREE_OPERAND (expr, 0)(*((const_cast<tree*> (tree_operand_check ((expr), (0),
 "/buildworker/marxinbox-gcc-clang-static-analyzer/build/gcc/analyzer/region-model.cc"
, 2264, __FUNCTION__)))));
 tree arg1 = TREE_OPERAND (expr, 1)(*((const_cast<tree*> (tree_operand_check ((expr), (1),
 "/buildworker/marxinbox-gcc-clang-static-analyzer/build/gcc/analyzer/region-model.cc"
, 2265, __FUNCTION__)))));
 const svalue *arg0_sval = get_rvalue (arg0, ctxt);
 const svalue *arg1_sval = get_rvalue (arg1, ctxt);
 const svalue *sval_binop
   = m_mgr->get_or_create_binop (TREE_TYPE (expr)((contains_struct_check ((expr), (TS_TYPED), "/buildworker/marxinbox-gcc-clang-static-analyzer/build/gcc/analyzer/region-model.cc"
, 2269, __FUNCTION__))->typed.type), TREE_CODE (expr)((enum tree_code) (expr)->base.code),
			  arg0_sval, arg1_sval);
 return sval_binop;
}

  case COMPONENT_REF:
  case MEM_REF:
    {
const region *ref_reg = get_lvalue (pv, ctxt);
return get_store_value (ref_reg, ctxt);
    }
  case OBJ_TYPE_REF:
    {
      tree expr = OBJ_TYPE_REF_EXPR (pv.m_tree)(*((const_cast<tree*> (tree_operand_check (((tree_check
 ((pv.m_tree), "/buildworker/marxinbox-gcc-clang-static-analyzer/build/gcc/analyzer/region-model.cc"
, 2282, __FUNCTION__, (OBJ_TYPE_REF)))), (0), "/buildworker/marxinbox-gcc-clang-static-analyzer/build/gcc/analyzer/region-model.cc"
, 2282, __FUNCTION__)))));
      return get_rvalue (expr, ctxt);
    }
  }
2286}

2288/* Get the value of PV within this region_model,
 emitting any diagnostics to CTXT.  */

2291const svalue *
2292region_model::get_rvalue (path_var pv, region_model_context *ctxt) const
2293{
if (pv.m_tree == NULL_TREE(tree) nullptr)
  return NULLnullptr;

const svalue *result_sval = get_rvalue_1 (pv, ctxt);

assert_compat_types (result_sval->get_type (), TREE_TYPE (pv.m_tree)((contains_struct_check ((pv.m_tree), (TS_TYPED), "/buildworker/marxinbox-gcc-clang-static-analyzer/build/gcc/analyzer/region-model.cc"
, 2299, __FUNCTION__))->typed.type));

result_sval = check_for_poison (result_sval, pv.m_tree, NULLnullptr, ctxt);

return result_sval;
2304}

2306/* Get the value of EXPR within this region_model (assuming the most
 recent stack frame if it's a local).  */

2309const svalue *
2310region_model::get_rvalue (tree expr, region_model_context *ctxt) const
2311{
return get_rvalue (path_var (expr, get_stack_depth () - 1), ctxt);
2313}

2315/* Return true if this model is on a path with "main" as the entrypoint
 (as opposed to one in which we're merely analyzing a subset of the
 path through the code).  */

2319bool
2320region_model::called_from_main_p () const
2321{
if (!m_current_frame)
  return false;
/* Determine if the oldest stack frame in this model is for "main".  */
const frame_region *frame0 = get_frame_at_index (0);
gcc_assert (frame0)((void)(!(frame0) ? fancy_abort ("/buildworker/marxinbox-gcc-clang-static-analyzer/build/gcc/analyzer/region-model.cc"
, 2326, __FUNCTION__), 0 : 0));
return id_equal (DECL_NAME (frame0->get_function ()->decl)((contains_struct_check ((frame0->get_function ()->decl
), (TS_DECL_MINIMAL), "/buildworker/marxinbox-gcc-clang-static-analyzer/build/gcc/analyzer/region-model.cc"
, 2327, __FUNCTION__))->decl_minimal.name), "main");
2328}

2330/* Subroutine of region_model::get_store_value for when REG is (or is within)
 a global variable that hasn't been touched since the start of this path
 (or was implicitly touched due to a call to an unknown function).  */

2334const svalue *
2335region_model::get_initial_value_for_global (const region *reg) const
2336{
/* Get the decl that REG is for (or is within).  */
const decl_region *base_reg
  = reg->get_base_region ()->dyn_cast_decl_region ();
gcc_assert (base_reg)((void)(!(base_reg) ? fancy_abort ("/buildworker/marxinbox-gcc-clang-static-analyzer/build/gcc/analyzer/region-model.cc"
, 2340, __FUNCTION__), 0 : 0));
tree decl = base_reg->get_decl ();

/* Special-case: to avoid having to explicitly update all previously
   untracked globals when calling an unknown fn, they implicitly have
   an unknown value if an unknown call has occurred, unless this is
   static to-this-TU and hasn't escaped.  Globals that have escaped
   are explicitly tracked, so we shouldn't hit this case for them.  */
if (m_store.called_unknown_fn_p ()
    && TREE_PUBLIC (decl)((decl)->base.public_flag)
    && !TREE_READONLY (decl)((non_type_check ((decl), "/buildworker/marxinbox-gcc-clang-static-analyzer/build/gcc/analyzer/region-model.cc"
, 2350, __FUNCTION__))->base.readonly_flag))
  return m_mgr->get_or_create_unknown_svalue (reg->get_type ());

/* If we are on a path from the entrypoint from "main" and we have a
   global decl defined in this TU that hasn't been touched yet, then
   the initial value of REG can be taken from the initialization value
   of the decl.  */
if (called_from_main_p () || TREE_READONLY (decl)((non_type_check ((decl), "/buildworker/marxinbox-gcc-clang-static-analyzer/build/gcc/analyzer/region-model.cc"
, 2357, __FUNCTION__))->base.readonly_flag))
  {
    /* Attempt to get the initializer value for base_reg.  */
    if (const svalue *base_reg_init
   = base_reg->get_svalue_for_initializer (m_mgr))
{
 if (reg == base_reg)
   return base_reg_init;
 else
   {
     /* Get the value for REG within base_reg_init.  */
     binding_cluster c (base_reg);
     c.bind (m_mgr->get_store_manager (), base_reg, base_reg_init);
     const svalue *sval
= c.get_any_binding (m_mgr->get_store_manager (), reg);
     if (sval)
{
  if (reg->get_type ())
    sval = m_mgr->get_or_create_cast (reg->get_type (),
				      sval);
  return sval;
}
   }
}
  }

/* Otherwise, return INIT_VAL(REG).  */
return m_mgr->get_or_create_initial_value (reg);
2385}

2387/* Get a value for REG, looking it up in the store, or otherwise falling
 back to "initial" or "unknown" values.
 Use CTXT to report any warnings associated with reading from REG. */

2391const svalue *
2392region_model::get_store_value (const region *reg,
	       region_model_context *ctxt) const
2394{
/* Getting the value of an empty region gives an unknown_svalue.  */
if (reg->empty_p ())
  return m_mgr->get_or_create_unknown_svalue (reg->get_type ());

check_region_for_read (reg, ctxt);

/* Special-case: handle var_decls in the constant pool.  */
if (const decl_region *decl_reg = reg->dyn_cast_decl_region ())
  if (const svalue *sval = decl_reg->maybe_get_constant_value (m_mgr))
    return sval;

const svalue *sval
  = m_store.get_any_binding (m_mgr->get_store_manager (), reg);
if (sval)
  {
    if (reg->get_type ())
sval = m_mgr->get_or_create_cast (reg->get_type (), sval);
    return sval;
  }

/* Special-case: read at a constant index within a STRING_CST.  */
if (const offset_region *offset_reg = reg->dyn_cast_offset_region ())
  if (tree byte_offset_cst
 = offset_reg->get_byte_offset ()->maybe_get_constant ())
    if (const string_region *str_reg
 = reg->get_parent_region ()->dyn_cast_string_region ())
{
 tree string_cst = str_reg->get_string_cst ();
 if (const svalue *char_sval
= m_mgr->maybe_get_char_from_string_cst (string_cst,
					 byte_offset_cst))
   return m_mgr->get_or_create_cast (reg->get_type (), char_sval);
}

/* Special-case: read the initial char of a STRING_CST.  */
if (const cast_region *cast_reg = reg->dyn_cast_cast_region ())
  if (const string_region *str_reg
= cast_reg->get_original_region ()->dyn_cast_string_region ())
    {
tree string_cst = str_reg->get_string_cst ();
tree byte_offset_cst = build_int_cst (integer_type_nodeinteger_types[itk_int], 0);
if (const svalue *char_sval
   = m_mgr->maybe_get_char_from_string_cst (string_cst,
				     byte_offset_cst))
 return m_mgr->get_or_create_cast (reg->get_type (), char_sval);
    }

/* Otherwise we implicitly have the initial value of the region
   (if the cluster had been touched, binding_cluster::get_any_binding,
   would have returned UNKNOWN, and we would already have returned
   that above).  */

/* Handle globals.  */
if (reg->get_base_region ()->get_parent_region ()->get_kind ()
    == RK_GLOBALS)
  return get_initial_value_for_global (reg);

return m_mgr->get_or_create_initial_value (reg);
2453}

2455/* Return false if REG does not exist, true if it may do.
 This is for detecting regions within the stack that don't exist anymore
 after frames are popped.  */

2459bool
2460region_model::region_exists_p (const region *reg) const
2461{
/* If within a stack frame, check that the stack frame is live.  */
if (const frame_region *enclosing_frame = reg->maybe_get_frame_region ())
  {
    /* Check that the current frame is the enclosing frame, or is called
by it.  */
    for (const frame_region *iter_frame = get_current_frame (); iter_frame;
  iter_frame = iter_frame->get_calling_frame ())
if (iter_frame == enclosing_frame)
 return true;
    return false;
  }

return true;
2475}

2477/* Get a region for referencing PTR_SVAL, creating a region if need be, and
 potentially generating warnings via CTXT.
 PTR_SVAL must be of pointer type.
 PTR_TREE if non-NULL can be used when emitting diagnostics.  */

2482const region *
2483region_model::deref_rvalue (const svalue *ptr_sval, tree ptr_tree,
	    region_model_context *ctxt) const
2485{
gcc_assert (ptr_sval)((void)(!(ptr_sval) ? fancy_abort ("/buildworker/marxinbox-gcc-clang-static-analyzer/build/gcc/analyzer/region-model.cc"
, 2486, __FUNCTION__), 0 : 0));
gcc_assert (POINTER_TYPE_P (ptr_sval->get_type ()))((void)(!((((enum tree_code) (ptr_sval->get_type ())->base
.code) == POINTER_TYPE || ((enum tree_code) (ptr_sval->get_type
 ())->base.code) == REFERENCE_TYPE)) ? fancy_abort ("/buildworker/marxinbox-gcc-clang-static-analyzer/build/gcc/analyzer/region-model.cc"
, 2487, __FUNCTION__), 0 : 0));

/* If we're dereferencing PTR_SVAL, assume that it is non-NULL; add this
   as a constraint.  This suppresses false positives from
   -Wanalyzer-null-dereference for the case where we later have an
   if (PTR_SVAL) that would occur if we considered the false branch
   and transitioned the malloc state machine from start->null.  */
tree null_ptr_cst = build_int_cst (ptr_sval->get_type (), 0);
const svalue *null_ptr = m_mgr->get_or_create_constant_svalue (null_ptr_cst);
m_constraints->add_constraint (ptr_sval, NE_EXPR, null_ptr);

switch (ptr_sval->get_kind ())
  {
  default:
    break;

  case SK_REGION:
    {
const region_svalue *region_sval
 = as_a <const region_svalue *> (ptr_sval);
return region_sval->get_pointee ();
    }

  case SK_BINOP:
    {
const binop_svalue *binop_sval
 = as_a <const binop_svalue *> (ptr_sval);
switch (binop_sval->get_op ())
 {
 case POINTER_PLUS_EXPR:
   {
     /* If we have a symbolic value expressing pointer arithmentic,
 try to convert it to a suitable region.  */
     const region *parent_region
= deref_rvalue (binop_sval->get_arg0 (), NULL_TREE(tree) nullptr, ctxt);
     const svalue *offset = binop_sval->get_arg1 ();
     tree type= TREE_TYPE (ptr_sval->get_type ())((contains_struct_check ((ptr_sval->get_type ()), (TS_TYPED
), "/buildworker/marxinbox-gcc-clang-static-analyzer/build/gcc/analyzer/region-model.cc"
, 2523, __FUNCTION__))->typed.type);
     return m_mgr->get_offset_region (parent_region, type, offset);
   }
 default:
   break;
 }
    }
    break;

  case SK_POISONED:
    {
if (ctxt)
 {
   tree ptr = get_representative_tree (ptr_sval);
   /* If we can't get a representative tree for PTR_SVAL
      (e.g. if it hasn't been bound into the store), then
      fall back on PTR_TREE, if non-NULL.  */
   if (!ptr)
     ptr = ptr_tree;
   if (ptr)
     {
const poisoned_svalue *poisoned_sval
  = as_a <const poisoned_svalue *> (ptr_sval);
enum poison_kind pkind = poisoned_sval->get_poison_kind ();
ctxt->warn (make_unique<poisoned_value_diagnostic>
	      (ptr, pkind, NULLnullptr, NULLnullptr));
     }
 }
    }
    break;
  }

return m_mgr->get_symbolic_region (ptr_sval);
2556}

2558/* Attempt to get BITS within any value of REG, as TYPE.
 In particular, extract values from compound_svalues for the case
 where there's a concrete binding at BITS.
 Return an unknown svalue if we can't handle the given case.
 Use CTXT to report any warnings associated with reading from REG.  */

2564const svalue *
2565region_model::get_rvalue_for_bits (tree type,
		   const region *reg,
		   const bit_range &bits,
		   region_model_context *ctxt) const
2569{
const svalue *sval = get_store_value (reg, ctxt);
return m_mgr->get_or_create_bits_within (type, bits, sval);
2572}

2574/* A subclass of pending_diagnostic for complaining about writes to
 constant regions of memory.  */

2577class write_to_const_diagnostic
public pending_diagnostic_subclass<write_to_const_diagnostic>
2579{
2580public:
write_to_const_diagnostic (const region *reg, tree decl)
: m_reg (reg), m_decl (decl)
{}

const char *get_kind () const final override
{
  return "write_to_const_diagnostic";
}

bool operator== (const write_to_const_diagnostic &other) const
{
  return (m_reg == other.m_reg
   && m_decl == other.m_decl);
}

int get_controlling_option () const final override
{
  return OPT_Wanalyzer_write_to_const;
}

bool emit (rich_location *rich_loc) final override
{
  auto_diagnostic_group d;
  bool warned;
  switch (m_reg->get_kind ())
    {
    default:
warned = warning_at (rich_loc, get_controlling_option (),
	     "write to %<const%> object %qE", m_decl);
break;
    case RK_FUNCTION:
warned = warning_at (rich_loc, get_controlling_option (),
	     "write to function %qE", m_decl);
break;
    case RK_LABEL:
warned = warning_at (rich_loc, get_controlling_option (),
	     "write to label %qE", m_decl);
break;
    }
  if (warned)
    inform (DECL_SOURCE_LOCATION (m_decl)((contains_struct_check ((m_decl), (TS_DECL_MINIMAL), "/buildworker/marxinbox-gcc-clang-static-analyzer/build/gcc/analyzer/region-model.cc"
, 2621, __FUNCTION__))->decl_minimal.locus), "declared here");
  return warned;
}

label_text describe_final_event (const evdesc::final_event &ev) final override
{
  switch (m_reg->get_kind ())
    {
    default:
return ev.formatted_print ("write to %<const%> object %qE here", m_decl);
    case RK_FUNCTION:
return ev.formatted_print ("write to function %qE here", m_decl);
    case RK_LABEL:
return ev.formatted_print ("write to label %qE here", m_decl);
    }
}

2638private:
const region *m_reg;
tree m_decl;
2641};

2643/* A subclass of pending_diagnostic for complaining about writes to
 string literals.  */

2646class write_to_string_literal_diagnostic
public pending_diagnostic_subclass<write_to_string_literal_diagnostic>
2648{
2649public:
write_to_string_literal_diagnostic (const region *reg)
: m_reg (reg)
{}

const char *get_kind () const final override
{
  return "write_to_string_literal_diagnostic";
}

bool operator== (const write_to_string_literal_diagnostic &other) const
{
  return m_reg == other.m_reg;
}

int get_controlling_option () const final override
{
  return OPT_Wanalyzer_write_to_string_literal;
}

bool emit (rich_location *rich_loc) final override
{
  return warning_at (rich_loc, get_controlling_option (),
       "write to string literal");
  /* Ideally we would show the location of the STRING_CST as well,
     but it is not available at this point.  */
}

label_text describe_final_event (const evdesc::final_event &ev) final override
{
  return ev.formatted_print ("write to string literal here");
}

2682private:
const region *m_reg;
2684};

2686/* Use CTXT to warn If DEST_REG is a region that shouldn't be written to.  */

2688void
2689region_model::check_for_writable_region (const region* dest_reg,
			 region_model_context *ctxt) const
2691{
/* Fail gracefully if CTXT is NULL.  */
if (!ctxt)
  return;

const region *base_reg = dest_reg->get_base_region ();
switch (base_reg->get_kind ())
  {
  default:
    break;
  case RK_FUNCTION:
    {
const function_region *func_reg = as_a <const function_region *> (base_reg);
tree fndecl = func_reg->get_fndecl ();
ctxt->warn (make_unique<write_to_const_diagnostic>
      (func_reg, fndecl));
    }
    break;
  case RK_LABEL:
    {
const label_region *label_reg = as_a <const label_region *> (base_reg);
tree label = label_reg->get_label ();
ctxt->warn (make_unique<write_to_const_diagnostic>
      (label_reg, label));
    }
    break;
  case RK_DECL:
    {
const decl_region *decl_reg = as_a <const decl_region *> (base_reg);
tree decl = decl_reg->get_decl ();
/* Warn about writes to const globals.
  Don't warn for writes to const locals, and params in particular,
  since we would warn in push_frame when setting them up (e.g the
  "this" param is "T* const").  */
if (TREE_READONLY (decl)((non_type_check ((decl), "/buildworker/marxinbox-gcc-clang-static-analyzer/build/gcc/analyzer/region-model.cc"
, 2725, __FUNCTION__))->base.readonly_flag)
   && is_global_var (decl))
 ctxt->warn (make_unique<write_to_const_diagnostic> (dest_reg, decl));
    }
    break;
  case RK_STRING:
    ctxt->warn (make_unique<write_to_string_literal_diagnostic> (dest_reg));
    break;
  }
2734}

2736/* Get the capacity of REG in bytes.  */

2738const svalue *
2739region_model::get_capacity (const region *reg) const
2740{
switch (reg->get_kind ())
  {
  default:
    break;
  case RK_DECL:
    {
const decl_region *decl_reg = as_a <const decl_region *> (reg);
tree decl = decl_reg->get_decl ();
if (TREE_CODE (decl)((enum tree_code) (decl)->base.code) == SSA_NAME)
 {
   tree type = TREE_TYPE (decl)((contains_struct_check ((decl), (TS_TYPED), "/buildworker/marxinbox-gcc-clang-static-analyzer/build/gcc/analyzer/region-model.cc"
, 2751, __FUNCTION__))->typed.type);
   tree size = TYPE_SIZE (type)((tree_class_check ((type), (tcc_type), "/buildworker/marxinbox-gcc-clang-static-analyzer/build/gcc/analyzer/region-model.cc"
, 2752, __FUNCTION__))->type_common.size);
   return get_rvalue (size, NULLnullptr);
 }
else
 {
   tree size = decl_init_size (decl, false);
   if (size)
     return get_rvalue (size, NULLnullptr);
 }
    }
    break;
  case RK_SIZED:
    /* Look through sized regions to get at the capacity
of the underlying regions.  */
    return get_capacity (reg->get_parent_region ());
  }

if (const svalue *recorded = get_dynamic_extents (reg))
  return recorded;

return m_mgr->get_or_create_unknown_svalue (sizetypesizetype_tab[(int) stk_sizetype]);
2773}

2775/* Return the string size, including the 0-terminator, if SVAL is a
 constant_svalue holding a string.  Otherwise, return an unknown_svalue.  */

2778const svalue *
2779region_model::get_string_size (const svalue *sval) const
2780{
tree cst = sval->maybe_get_constant ();
if (!cst || TREE_CODE (cst)((enum tree_code) (cst)->base.code) != STRING_CST)
  return m_mgr->get_or_create_unknown_svalue (size_type_nodeglobal_trees[TI_SIZE_TYPE]);

tree out = build_int_cst (size_type_nodeglobal_trees[TI_SIZE_TYPE], TREE_STRING_LENGTH (cst)((tree_check ((cst), "/buildworker/marxinbox-gcc-clang-static-analyzer/build/gcc/analyzer/region-model.cc"
, 2785, __FUNCTION__, (STRING_CST)))->string.length));
return m_mgr->get_or_create_constant_svalue (out);
2787}

2789/* Return the string size, including the 0-terminator, if REG is a
 string_region.  Otherwise, return an unknown_svalue.  */

2792const svalue *
2793region_model::get_string_size (const region *reg) const
2794{
const string_region *str_reg = dyn_cast <const string_region *> (reg);
if (!str_reg)
  return m_mgr->get_or_create_unknown_svalue (size_type_nodeglobal_trees[TI_SIZE_TYPE]);

tree cst = str_reg->get_string_cst ();
tree out = build_int_cst (size_type_nodeglobal_trees[TI_SIZE_TYPE], TREE_STRING_LENGTH (cst)((tree_check ((cst), "/buildworker/marxinbox-gcc-clang-static-analyzer/build/gcc/analyzer/region-model.cc"
, 2800, __FUNCTION__, (STRING_CST)))->string.length));
return m_mgr->get_or_create_constant_svalue (out);
2802}

2804/* If CTXT is non-NULL, use it to warn about any problems accessing REG,
 using DIR to determine if this access is a read or write.  */

2807void
2808region_model::check_region_access (const region *reg,
		   enum access_direction dir,
		   region_model_context *ctxt) const
2811{
/* Fail gracefully if CTXT is NULL.  */
if (!ctxt)
  return;

check_region_for_taint (reg, dir, ctxt);
check_region_bounds (reg, dir, ctxt);

switch (dir)
  {
  default:
    gcc_unreachable ()(fancy_abort ("/buildworker/marxinbox-gcc-clang-static-analyzer/build/gcc/analyzer/region-model.cc"
, 2822, __FUNCTION__));
  case DIR_READ:
    /* Currently a no-op.  */
    break;
  case DIR_WRITE:
    check_for_writable_region (reg, ctxt);
    break;
  }
2830}

2832/* If CTXT is non-NULL, use it to warn about any problems writing to REG.  */

2834void
2835region_model::check_region_for_write (const region *dest_reg,
		      region_model_context *ctxt) const
2837{
check_region_access (dest_reg, DIR_WRITE, ctxt);
2839}

2841/* If CTXT is non-NULL, use it to warn about any problems reading from REG.  */

2843void
2844region_model::check_region_for_read (const region *src_reg,
		     region_model_context *ctxt) const
2846{
check_region_access (src_reg, DIR_READ, ctxt);
2848}

2850/* Concrete subclass for casts of pointers that lead to trailing bytes.  */

2852class dubious_allocation_size
public pending_diagnostic_subclass<dubious_allocation_size>
2854{
2855public:
dubious_allocation_size (const region *lhs, const region *rhs)
: m_lhs (lhs), m_rhs (rhs), m_expr (NULL_TREE(tree) nullptr),
  m_has_allocation_event (false)
{}

dubious_allocation_size (const region *lhs, const region *rhs,
	   tree expr)
: m_lhs (lhs), m_rhs (rhs), m_expr (expr),
  m_has_allocation_event (false)
{}

const char *get_kind () const final override
{
  return "dubious_allocation_size";
}

bool operator== (const dubious_allocation_size &other) const
{
  return m_lhs == other.m_lhs && m_rhs == other.m_rhs
  && pending_diagnostic::same_tree_p (m_expr, other.m_expr);
}

int get_controlling_option () const final override
{
  return OPT_Wanalyzer_allocation_size;
}

bool emit (rich_location *rich_loc) final override
{
  diagnostic_metadata m;
  m.add_cwe (131);

  return warning_meta (rich_loc, m, get_controlling_option (),
	 "allocated buffer size is not a multiple"
	 " of the pointee's size");
}

label_text describe_final_event (const evdesc::final_event &ev) final
override
{
  tree pointee_type = TREE_TYPE (m_lhs->get_type ())((contains_struct_check ((m_lhs->get_type ()), (TS_TYPED),
 "/buildworker/marxinbox-gcc-clang-static-analyzer/build/gcc/analyzer/region-model.cc"
, 2896, __FUNCTION__))->typed.type);
  if (m_has_allocation_event)
    return ev.formatted_print ("assigned to %qT here;"
		 " %<sizeof (%T)%> is %qE",
		 m_lhs->get_type (), pointee_type,
		 size_in_bytes (pointee_type));
  /* Fallback: Typically, we should always see an allocation_event
     before.  */
  if (m_expr)
    {
if (TREE_CODE (m_expr)((enum tree_code) (m_expr)->base.code) == INTEGER_CST)
 return ev.formatted_print ("allocated %E bytes and assigned to"
		    " %qT here; %<sizeof (%T)%> is %qE",
		    m_expr, m_lhs->get_type (), pointee_type,
		    size_in_bytes (pointee_type));
else
 return ev.formatted_print ("allocated %qE bytes and assigned to"
		    " %qT here; %<sizeof (%T)%> is %qE",
		    m_expr, m_lhs->get_type (), pointee_type,
		    size_in_bytes (pointee_type));
    }

  return ev.formatted_print ("allocated and assigned to %qT here;"
	       " %<sizeof (%T)%> is %qE",
	       m_lhs->get_type (), pointee_type,
	       size_in_bytes (pointee_type));
}

void
add_region_creation_events (const region *,
	      tree capacity,
	      const event_loc_info &loc_info,
	      checker_path &emission_path) final override
{
  emission_path.add_event
    (make_unique<region_creation_event_allocation_size> (capacity, loc_info));

  m_has_allocation_event = true;
}

void mark_interesting_stuff (interesting_t *interest) final override
{
  interest->add_region_creation (m_rhs);
}

2941private:
const region *m_lhs;
const region *m_rhs;
const tree m_expr;
bool m_has_allocation_event;
2946};

2948/* Return true on dubious allocation sizes for constant sizes.  */

2950static bool
2951capacity_compatible_with_type (tree cst, tree pointee_size_tree,
	       bool is_struct)
2953{
gcc_assert (TREE_CODE (cst) == INTEGER_CST)((void)(!(((enum tree_code) (cst)->base.code) == INTEGER_CST
) ? fancy_abort ("/buildworker/marxinbox-gcc-clang-static-analyzer/build/gcc/analyzer/region-model.cc"
, 2954, __FUNCTION__), 0 : 0));
gcc_assert (TREE_CODE (pointee_size_tree) == INTEGER_CST)((void)(!(((enum tree_code) (pointee_size_tree)->base.code
) == INTEGER_CST) ? fancy_abort ("/buildworker/marxinbox-gcc-clang-static-analyzer/build/gcc/analyzer/region-model.cc"
, 2955, __FUNCTION__), 0 : 0));

unsigned HOST_WIDE_INTlong pointee_size = TREE_INT_CST_LOW (pointee_size_tree)((unsigned long) (*tree_int_cst_elt_check ((pointee_size_tree
), (0), "/buildworker/marxinbox-gcc-clang-static-analyzer/build/gcc/analyzer/region-model.cc"
, 2957, __FUNCTION__)));
unsigned HOST_WIDE_INTlong alloc_size = TREE_INT_CST_LOW (cst)((unsigned long) (*tree_int_cst_elt_check ((cst), (0), "/buildworker/marxinbox-gcc-clang-static-analyzer/build/gcc/analyzer/region-model.cc"
, 2958, __FUNCTION__)));

if (is_struct)
  return alloc_size == 0 || alloc_size >= pointee_size;
return alloc_size % pointee_size == 0;
2963}

2965static bool
2966capacity_compatible_with_type (tree cst, tree pointee_size_tree)
2967{
return capacity_compatible_with_type (cst, pointee_size_tree, false);
2969}

2971/* Checks whether SVAL could be a multiple of SIZE_CST.

 It works by visiting all svalues inside SVAL until it reaches
 atomic nodes.  From those, it goes back up again and adds each
 node that might be a multiple of SIZE_CST to the RESULT_SET.  */

2977class size_visitor : public visitor
2978{
2979public:
size_visitor (tree size_cst, const svalue *root_sval, constraint_manager *cm)
: m_size_cst (size_cst), m_root_sval (root_sval), m_cm (cm)
{
  m_root_sval->accept (this);
}

bool get_result ()
{
  return result_set.contains (m_root_sval);
}

void visit_constant_svalue (const constant_svalue *sval) final override
{
  check_constant (sval->get_constant (), sval);
}

void visit_unknown_svalue (const unknown_svalue *sval ATTRIBUTE_UNUSED__attribute__ ((__unused__)))
  final override
{
  result_set.add (sval);
}

void visit_poisoned_svalue (const poisoned_svalue *sval ATTRIBUTE_UNUSED__attribute__ ((__unused__)))
  final override
{
  result_set.add (sval);
}

void visit_unaryop_svalue (const unaryop_svalue *sval) final override
{
  const svalue *arg = sval->get_arg ();
  if (result_set.contains (arg))
    result_set.add (sval);
}

void visit_binop_svalue (const binop_svalue *sval) final override
{
  const svalue *arg0 = sval->get_arg0 ();
  const svalue *arg1 = sval->get_arg1 ();

  if (sval->get_op () == MULT_EXPR)
    {
if (result_set.contains (arg0) || result_set.contains (arg1))
 result_set.add (sval);
    }
  else
    {
if (result_set.contains (arg0) && result_set.contains (arg1))
 result_set.add (sval);
    }
}

void visit_repeated_svalue (const repeated_svalue *sval) final override
{
  sval->get_inner_svalue ()->accept (this);
  if (result_set.contains (sval->get_inner_svalue ()))
    result_set.add (sval);
}

void visit_unmergeable_svalue (const unmergeable_svalue *sval) final override
{
  sval->get_arg ()->accept (this);
  if (result_set.contains (sval->get_arg ()))
    result_set.add (sval);
}

void visit_widening_svalue (const widening_svalue *sval) final override
{
  const svalue *base = sval->get_base_svalue ();
  const svalue *iter = sval->get_iter_svalue ();

  if (result_set.contains (base) && result_set.contains (iter))
    result_set.add (sval);
}

void visit_conjured_svalue (const conjured_svalue *sval ATTRIBUTE_UNUSED__attribute__ ((__unused__)))
  final override
{
  equiv_class_id id (-1);
  if (m_cm->get_equiv_class_by_svalue (sval, &id))
    {
if (tree cst = id.get_obj (*m_cm).get_any_constant ())
 check_constant (cst, sval);
else
 result_set.add (sval);
    }
}

void visit_asm_output_svalue (const asm_output_svalue *sval ATTRIBUTE_UNUSED__attribute__ ((__unused__)))
  final override
{
  result_set.add (sval);
}

void visit_const_fn_result_svalue (const const_fn_result_svalue
		      *sval ATTRIBUTE_UNUSED__attribute__ ((__unused__))) final override
{
  result_set.add (sval);
}

3080private:
void check_constant (tree cst, const svalue *sval)
{
  switch (TREE_CODE (cst)((enum tree_code) (cst)->base.code))
    {
    default:
/* Assume all unhandled operands are compatible.  */
result_set.add (sval);
break;
    case INTEGER_CST:
if (capacity_compatible_with_type (cst, m_size_cst))
 result_set.add (sval);
break;
    }
}

tree m_size_cst;
const svalue *m_root_sval;
constraint_manager *m_cm;
svalue_set result_set; /* Used as a mapping of svalue*->bool.  */
3100};

3102/* Return true if a struct or union either uses the inheritance pattern,
 where the first field is a base struct, or the flexible array member
 pattern, where the last field is an array without a specified size.  */

3106static bool
3107struct_or_union_with_inheritance_p (tree struc)
3108{
tree iter = TYPE_FIELDS (struc)((tree_check3 ((struc), "/buildworker/marxinbox-gcc-clang-static-analyzer/build/gcc/analyzer/region-model.cc"
, 3109, __FUNCTION__, (RECORD_TYPE), (UNION_TYPE), (QUAL_UNION_TYPE
)))->type_non_common.values);
if (iter == NULL_TREE(tree) nullptr)
 return false;
if (RECORD_OR_UNION_TYPE_P (TREE_TYPE (iter))(((enum tree_code) (((contains_struct_check ((iter), (TS_TYPED
), "/buildworker/marxinbox-gcc-clang-static-analyzer/build/gcc/analyzer/region-model.cc"
, 3112, __FUNCTION__))->typed.type))->base.code) == RECORD_TYPE
 || ((enum tree_code) (((contains_struct_check ((iter), (TS_TYPED
), "/buildworker/marxinbox-gcc-clang-static-analyzer/build/gcc/analyzer/region-model.cc"
, 3112, __FUNCTION__))->typed.type))->base.code) == UNION_TYPE
 || ((enum tree_code) (((contains_struct_check ((iter), (TS_TYPED
), "/buildworker/marxinbox-gcc-clang-static-analyzer/build/gcc/analyzer/region-model.cc"
, 3112, __FUNCTION__))->typed.type))->base.code) == QUAL_UNION_TYPE
))
 return true;

tree last_field;
while (iter != NULL_TREE(tree) nullptr)
  {
    last_field = iter;
    iter = DECL_CHAIN (iter)(((contains_struct_check (((contains_struct_check ((iter), (TS_DECL_MINIMAL
), "/buildworker/marxinbox-gcc-clang-static-analyzer/build/gcc/analyzer/region-model.cc"
, 3119, __FUNCTION__))), (TS_COMMON), "/buildworker/marxinbox-gcc-clang-static-analyzer/build/gcc/analyzer/region-model.cc"
, 3119, __FUNCTION__))->common.chain));
  }

if (last_field != NULL_TREE(tree) nullptr
    && TREE_CODE (TREE_TYPE (last_field))((enum tree_code) (((contains_struct_check ((last_field), (TS_TYPED
), "/buildworker/marxinbox-gcc-clang-static-analyzer/build/gcc/analyzer/region-model.cc"
, 3123, __FUNCTION__))->typed.type))->base.code) == ARRAY_TYPE)
 return true;

return false;
3127}

3129/* Return true if the lhs and rhs of an assignment have different types.  */

3131static bool
3132is_any_cast_p (const gimple *stmt)
3133{
if (const gassign *assign = dyn_cast <const gassign *> (stmt))
  return gimple_assign_cast_p (assign)
  || !pending_diagnostic::same_tree_p (
  TREE_TYPE (gimple_assign_lhs (assign))((contains_struct_check ((gimple_assign_lhs (assign)), (TS_TYPED
), "/buildworker/marxinbox-gcc-clang-static-analyzer/build/gcc/analyzer/region-model.cc"
, 3137, __FUNCTION__))->typed.type),
  TREE_TYPE (gimple_assign_rhs1 (assign))((contains_struct_check ((gimple_assign_rhs1 (assign)), (TS_TYPED
), "/buildworker/marxinbox-gcc-clang-static-analyzer/build/gcc/analyzer/region-model.cc"
, 3138, __FUNCTION__))->typed.type));
else if (const gcall *call = dyn_cast <const gcall *> (stmt))
  {
    tree lhs = gimple_call_lhs (call);
    return lhs != NULL_TREE(tree) nullptr && !pending_diagnostic::same_tree_p (
		    TREE_TYPE (gimple_call_lhs (call))((contains_struct_check ((gimple_call_lhs (call)), (TS_TYPED)
, "/buildworker/marxinbox-gcc-clang-static-analyzer/build/gcc/analyzer/region-model.cc"
, 3143, __FUNCTION__))->typed.type),
		    gimple_call_return_type (call));
  }

return false;
3148}

3150/* On pointer assignments, check whether the buffer size of
 RHS_SVAL is compatible with the type of the LHS_REG.
 Use a non-null CTXT to report allocation size warnings.  */

3154void
3155region_model::check_region_size (const region *lhs_reg, const svalue *rhs_sval,
		 region_model_context *ctxt) const
3157{
if (!ctxt || ctxt->get_stmt () == NULLnullptr)
  return;
/* Only report warnings on assignments that actually change the type.  */
if (!is_any_cast_p (ctxt->get_stmt ()))
  return;

const region_svalue *reg_sval = dyn_cast <const region_svalue *> (rhs_sval);
if (!reg_sval)
  return;

tree pointer_type = lhs_reg->get_type ();
if (pointer_type == NULL_TREE(tree) nullptr || !POINTER_TYPE_P (pointer_type)(((enum tree_code) (pointer_type)->base.code) == POINTER_TYPE
 || ((enum tree_code) (pointer_type)->base.code) == REFERENCE_TYPE
))
  return;

tree pointee_type = TREE_TYPE (pointer_type)((contains_struct_check ((pointer_type), (TS_TYPED), "/buildworker/marxinbox-gcc-clang-static-analyzer/build/gcc/analyzer/region-model.cc"
, 3172, __FUNCTION__))->typed.type);
/* Make sure that the type on the left-hand size actually has a size.  */
if (pointee_type == NULL_TREE(tree) nullptr || VOID_TYPE_P (pointee_type)(((enum tree_code) (pointee_type)->base.code) == VOID_TYPE
)
    || TYPE_SIZE_UNIT (pointee_type)((tree_class_check ((pointee_type), (tcc_type), "/buildworker/marxinbox-gcc-clang-static-analyzer/build/gcc/analyzer/region-model.cc"
, 3175, __FUNCTION__))->type_common.size_unit) == NULL_TREE(tree) nullptr)
  return;

/* Bail out early on pointers to structs where we can
   not deduce whether the buffer size is compatible.  */
bool is_struct = RECORD_OR_UNION_TYPE_P (pointee_type)(((enum tree_code) (pointee_type)->base.code) == RECORD_TYPE
 || ((enum tree_code) (pointee_type)->base.code) == UNION_TYPE
 || ((enum tree_code) (pointee_type)->base.code) == QUAL_UNION_TYPE
);
if (is_struct && struct_or_union_with_inheritance_p (pointee_type))
  return;

tree pointee_size_tree = size_in_bytes (pointee_type);
/* We give up if the type size is not known at compile-time or the
   type size is always compatible regardless of the buffer size.  */
if (TREE_CODE (pointee_size_tree)((enum tree_code) (pointee_size_tree)->base.code) != INTEGER_CST
    || integer_zerop (pointee_size_tree)
    || integer_onep (pointee_size_tree))
  return;

const region *rhs_reg = reg_sval->get_pointee ();
const svalue *capacity = get_capacity (rhs_reg);
switch (capacity->get_kind ())
  {
  case svalue_kind::SK_CONSTANT:
    {
const constant_svalue *cst_cap_sval
 = as_a <const constant_svalue *> (capacity);
tree cst_cap = cst_cap_sval->get_constant ();
if (TREE_CODE (cst_cap)((enum tree_code) (cst_cap)->base.code) == INTEGER_CST
   && !capacity_compatible_with_type (cst_cap, pointee_size_tree,
			       is_struct))
 ctxt->warn (make_unique <dubious_allocation_size> (lhs_reg, rhs_reg,
					     cst_cap));
    }
    break;
  default:
    {
if (!is_struct)
 {
   size_visitor v (pointee_size_tree, capacity, m_constraints);
   if (!v.get_result ())
     {
tree expr = get_representative_tree (capacity);
ctxt->warn (make_unique <dubious_allocation_size> (lhs_reg,
						   rhs_reg,
						   expr));
     }
 }
    break;
    }
  }
3224}

3226/* Set the value of the region given by LHS_REG to the value given
 by RHS_SVAL.
 Use CTXT to report any warnings associated with writing to LHS_REG.  */

3230void
3231region_model::set_value (const region *lhs_reg, const svalue *rhs_sval,
	 region_model_context *ctxt)
3233{
gcc_assert (lhs_reg)((void)(!(lhs_reg) ? fancy_abort ("/buildworker/marxinbox-gcc-clang-static-analyzer/build/gcc/analyzer/region-model.cc"
, 3234, __FUNCTION__), 0 : 0));
gcc_assert (rhs_sval)((void)(!(rhs_sval) ? fancy_abort ("/buildworker/marxinbox-gcc-clang-static-analyzer/build/gcc/analyzer/region-model.cc"
, 3235, __FUNCTION__), 0 : 0));

/* Setting the value of an empty region is a no-op.  */
if (lhs_reg->empty_p ())
  return;

check_region_size (lhs_reg, rhs_sval, ctxt);

check_region_for_write (lhs_reg, ctxt);

m_store.set_value (m_mgr->get_store_manager(), lhs_reg, rhs_sval,
     ctxt ? ctxt->get_uncertainty () : NULLnullptr);
3247}

3249/* Set the value of the region given by LHS to the value given by RHS.  */

3251void
3252region_model::set_value (tree lhs, tree rhs, region_model_context *ctxt)
3253{
const region *lhs_reg = get_lvalue (lhs, ctxt);
const svalue *rhs_sval = get_rvalue (rhs, ctxt);
gcc_assert (lhs_reg)((void)(!(lhs_reg) ? fancy_abort ("/buildworker/marxinbox-gcc-clang-static-analyzer/build/gcc/analyzer/region-model.cc"
, 3256, __FUNCTION__), 0 : 0));
gcc_assert (rhs_sval)((void)(!(rhs_sval) ? fancy_abort ("/buildworker/marxinbox-gcc-clang-static-analyzer/build/gcc/analyzer/region-model.cc"
, 3257, __FUNCTION__), 0 : 0));
set_value (lhs_reg, rhs_sval, ctxt);
3259}

3261/* Remove all bindings overlapping REG within the store.  */

3263void
3264region_model::clobber_region (const region *reg)
3265{
m_store.clobber_region (m_mgr->get_store_manager(), reg);
3267}

3269/* Remove any bindings for REG within the store.  */

3271void
3272region_model::purge_region (const region *reg)
3273{
m_store.purge_region (m_mgr->get_store_manager(), reg);
3275}

3277/* Fill REG with SVAL.  */

3279void
3280region_model::fill_region (const region *reg, const svalue *sval)
3281{
m_store.fill_region (m_mgr->get_store_manager(), reg, sval);
3283}

3285/* Zero-fill REG.  */

3287void
3288region_model::zero_fill_region (const region *reg)
3289{
m_store.zero_fill_region (m_mgr->get_store_manager(), reg);
3291}

3293/* Mark REG as having unknown content.  */

3295void
3296region_model::mark_region_as_unknown (const region *reg,
		      uncertainty_t *uncertainty)
3298{
svalue_set maybe_live_values;
m_store.mark_region_as_unknown (m_mgr->get_store_manager(), reg,
		  uncertainty, &maybe_live_values);
m_store.on_maybe_live_values (maybe_live_values);
3303}

3305/* Determine what is known about the condition "LHS_SVAL OP RHS_SVAL" within
 this model.  */

3308tristate
3309region_model::eval_condition (const svalue *lhs,
	       enum tree_code op,
	       const svalue *rhs) const
3312{
gcc_assert (lhs)((void)(!(lhs) ? fancy_abort ("/buildworker/marxinbox-gcc-clang-static-analyzer/build/gcc/analyzer/region-model.cc"
, 3313, __FUNCTION__), 0 : 0));
gcc_assert (rhs)((void)(!(rhs) ? fancy_abort ("/buildworker/marxinbox-gcc-clang-static-analyzer/build/gcc/analyzer/region-model.cc"
, 3314, __FUNCTION__), 0 : 0));

/* For now, make no attempt to capture constraints on floating-point
   values.  */
if ((lhs->get_type () && FLOAT_TYPE_P (lhs->get_type ())((((enum tree_code) (lhs->get_type ())->base.code) == REAL_TYPE
) || ((((enum tree_code) (lhs->get_type ())->base.code)
 == COMPLEX_TYPE || (((enum tree_code) (lhs->get_type ())->
base.code) == VECTOR_TYPE)) && (((enum tree_code) (((
contains_struct_check ((lhs->get_type ()), (TS_TYPED), "/buildworker/marxinbox-gcc-clang-static-analyzer/build/gcc/analyzer/region-model.cc"
, 3318, __FUNCTION__))->typed.type))->base.code) == REAL_TYPE
))))
    || (rhs->get_type () && FLOAT_TYPE_P (rhs->get_type ())((((enum tree_code) (rhs->get_type ())->base.code) == REAL_TYPE
) || ((((enum tree_code) (rhs->get_type ())->base.code)
 == COMPLEX_TYPE || (((enum tree_code) (rhs->get_type ())->
base.code) == VECTOR_TYPE)) && (((enum tree_code) (((
contains_struct_check ((rhs->get_type ()), (TS_TYPED), "/buildworker/marxinbox-gcc-clang-static-analyzer/build/gcc/analyzer/region-model.cc"
, 3319, __FUNCTION__))->typed.type))->base.code) == REAL_TYPE
)))))
  return tristate::unknown ();

/* See what we know based on the values.  */

/* Unwrap any unmergeable values.  */
lhs = lhs->unwrap_any_unmergeable ();
rhs = rhs->unwrap_any_unmergeable ();

if (lhs == rhs)
  {
    /* If we have the same svalue, then we have equality
(apart from NaN-handling).
TODO: should this definitely be the case for poisoned values?  */
    /* Poisoned and unknown values are "unknowable".  */
    if (lhs->get_kind () == SK_POISONED
 || lhs->get_kind () == SK_UNKNOWN)
return tristate::TS_UNKNOWN;

    switch (op)
{
case EQ_EXPR:
case GE_EXPR:
case LE_EXPR:
 return tristate::TS_TRUE;

case NE_EXPR:
case GT_EXPR:
case LT_EXPR:
 return tristate::TS_FALSE;

default:
 /* For other ops, use the logic below.  */
 break;
}
  }

/* If we have a pair of region_svalues, compare them.  */
if (const region_svalue *lhs_ptr = lhs->dyn_cast_region_svalue ())
  if (const region_svalue *rhs_ptr = rhs->dyn_cast_region_svalue ())
    {
tristate res = region_svalue::eval_condition (lhs_ptr, op, rhs_ptr);
if (res.is_known ())
 return res;
/* Otherwise, only known through constraints.  */
    }

if (const constant_svalue *cst_lhs = lhs->dyn_cast_constant_svalue ())
  {
    /* If we have a pair of constants, compare them.  */
    if (const constant_svalue *cst_rhs = rhs->dyn_cast_constant_svalue ())
return constant_svalue::eval_condition (cst_lhs, op, cst_rhs);
    else
{
 /* When we have one constant, put it on the RHS.  */
 std::swap (lhs, rhs);
 op = swap_tree_comparison (op);
}
  }
gcc_assert (lhs->get_kind () != SK_CONSTANT)((void)(!(lhs->get_kind () != SK_CONSTANT) ? fancy_abort (
"/buildworker/marxinbox-gcc-clang-static-analyzer/build/gcc/analyzer/region-model.cc"
, 3378, __FUNCTION__), 0 : 0));

/* Handle comparison against zero.  */
if (const constant_svalue *cst_rhs = rhs->dyn_cast_constant_svalue ())
  if (zerop (cst_rhs->get_constant ()))
    {
if (const region_svalue *ptr = lhs->dyn_cast_region_svalue ())
 {
   /* A region_svalue is a non-NULL pointer, except in certain
      special cases (see the comment for region::non_null_p).  */
   const region *pointee = ptr->get_pointee ();
   if (pointee->non_null_p ())
     {
switch (op)
  {
  default:
    gcc_unreachable ()(fancy_abort ("/buildworker/marxinbox-gcc-clang-static-analyzer/build/gcc/analyzer/region-model.cc"
, 3394, __FUNCTION__));

  case EQ_EXPR:
  case GE_EXPR:
  case LE_EXPR:
    return tristate::TS_FALSE;

  case NE_EXPR:
  case GT_EXPR:
  case LT_EXPR:
    return tristate::TS_TRUE;
  }
     }
 }
else if (const binop_svalue *binop = lhs->dyn_cast_binop_svalue ())
 {
   /* Treat offsets from a non-NULL pointer as being non-NULL.  This
      isn't strictly true, in that eventually ptr++ will wrap
      around and be NULL, but it won't occur in practise and thus
      can be used to suppress effectively false positives that we
      shouldn't warn for.  */
   if (binop->get_op () == POINTER_PLUS_EXPR)
     {
tristate lhs_ts = eval_condition (binop->get_arg0 (), op, rhs);
if (lhs_ts.is_known ())
  return lhs_ts;
     }
 }
else if (const unaryop_svalue *unaryop
   = lhs->dyn_cast_unaryop_svalue ())
 {
   if (unaryop->get_op () == NEGATE_EXPR)
     {
/* e.g. "-X <= 0" is equivalent to X >= 0".  */
tristate lhs_ts = eval_condition (unaryop->get_arg (),
				  swap_tree_comparison (op),
				  rhs);
if (lhs_ts.is_known ())
  return lhs_ts;
     }
 }
    }

/* Handle rejection of equality for comparisons of the initial values of
   "external" values (such as params) with the address of locals.  */
if (const initial_svalue *init_lhs = lhs->dyn_cast_initial_svalue ())
  if (const region_svalue *rhs_ptr = rhs->dyn_cast_region_svalue ())
    {
tristate res = compare_initial_and_pointer (init_lhs, rhs_ptr);
if (res.is_known ())
 return res;
    }
if (const initial_svalue *init_rhs = rhs->dyn_cast_initial_svalue ())
  if (const region_svalue *lhs_ptr = lhs->dyn_cast_region_svalue ())
    {
tristate res = compare_initial_and_pointer (init_rhs, lhs_ptr);
if (res.is_known ())
 return res;
    }

if (const widening_svalue *widen_lhs = lhs->dyn_cast_widening_svalue ())
  if (tree rhs_cst = rhs->maybe_get_constant ())
    {
tristate res = widen_lhs->eval_condition_without_cm (op, rhs_cst);
if (res.is_known ())
 return res;
    }

/* Handle comparisons between two svalues with more than one operand.  */
if (const binop_svalue *binop = lhs->dyn_cast_binop_svalue ())
  {
    switch (op)
{
default:
 break;
case EQ_EXPR:
 {
   /* TODO: binops can be equal even if they are not structurally
     equal in case of commutative operators.  */
   tristate res = structural_equality (lhs, rhs);
   if (res.is_true ())
     return res;
 }
 break;
case LE_EXPR:
 {
   tristate res = structural_equality (lhs, rhs);
   if (res.is_true ())
     return res;
 }
 break;
case GE_EXPR:
 {
   tristate res = structural_equality (lhs, rhs);
   if (res.is_true ())
     return res;
   res = symbolic_greater_than (binop, rhs);
   if (res.is_true ())
     return res;
 }
 break;
case GT_EXPR:
 {
   tristate res = symbolic_greater_than (binop, rhs);
   if (res.is_true ())
     return res;
 }
 break;
}
  }

/* Otherwise, try constraints.
   Cast to const to ensure we don't change the constraint_manager as we
   do this (e.g. by creating equivalence classes).  */
const constraint_manager *constraints = m_constraints;
return constraints->eval_condition (lhs, op, rhs);
3510}

3512/* Subroutine of region_model::eval_condition, for rejecting
 equality of INIT_VAL(PARM) with &LOCAL.  */

3515tristate
3516region_model::compare_initial_and_pointer (const initial_svalue *init,
			    const region_svalue *ptr) const
3518{
const region *pointee = ptr->get_pointee ();

/* If we have a pointer to something within a stack frame, it can't be the
   initial value of a param.  */
if (pointee->maybe_get_frame_region ())
  if (init->initial_value_of_param_p ())
    return tristate::TS_FALSE;

return tristate::TS_UNKNOWN;
3528}

3530/* Return true if SVAL is definitely positive.  */

3532static bool
3533is_positive_svalue (const svalue *sval)
3534{
if (tree cst = sval->maybe_get_constant ())
  return !zerop (cst) && get_range_pos_neg (cst) == 1;
tree type = sval->get_type ();
if (!type)
  return false;
/* Consider a binary operation size_t + int.  The analyzer wraps the int in
   an unaryop_svalue, converting it to a size_t, but in the dynamic execution
   the result is smaller than the first operand.  Thus, we have to look if
   the argument of the unaryop_svalue is also positive.  */
if (const unaryop_svalue *un_op = dyn_cast <const unaryop_svalue *> (sval))
  return CONVERT_EXPR_CODE_P (un_op->get_op ())((un_op->get_op ()) == NOP_EXPR || (un_op->get_op ()) ==
 CONVERT_EXPR) && TYPE_UNSIGNED (type)((tree_class_check ((type), (tcc_type), "/buildworker/marxinbox-gcc-clang-static-analyzer/build/gcc/analyzer/region-model.cc"
, 3545, __FUNCTION__))->base.u.bits.unsigned_flag)
  && is_positive_svalue (un_op->get_arg ());
return TYPE_UNSIGNED (type)((tree_class_check ((type), (tcc_type), "/buildworker/marxinbox-gcc-clang-static-analyzer/build/gcc/analyzer/region-model.cc"
, 3547, __FUNCTION__))->base.u.bits.unsigned_flag);
3548}

3550/* Return true if A is definitely larger than B.

 Limitation: does not account for integer overflows and does not try to
      return false, so it can not be used negated.  */

3555tristate
3556region_model::symbolic_greater_than (const binop_svalue *bin_a,
		     const svalue *b) const
3558{
if (bin_a->get_op () == PLUS_EXPR || bin_a->get_op () == MULT_EXPR)
  {
    /* Eliminate the right-hand side of both svalues.  */
    if (const binop_svalue *bin_b = dyn_cast <const binop_svalue *> (b))
if (bin_a->get_op () == bin_b->get_op ()
   && eval_condition (bin_a->get_arg1 (),
	       GT_EXPR,
	       bin_b->get_arg1 ()).is_true ()
   && eval_condition (bin_a->get_arg0 (),
	       GE_EXPR,
	       bin_b->get_arg0 ()).is_true ())
 return tristate (tristate::TS_TRUE);

    /* Otherwise, try to remove a positive offset or factor from BIN_A.  */
    if (is_positive_svalue (bin_a->get_arg1 ())
 && eval_condition (bin_a->get_arg0 (),
	     GE_EXPR, b).is_true ())
 return tristate (tristate::TS_TRUE);
  }
return tristate::unknown ();
3579}

3581/* Return true if A and B are equal structurally.

 Structural equality means that A and B are equal if the svalues A and B have
 the same nodes at the same positions in the tree and the leafs are equal.
 Equality for conjured_svalues and initial_svalues is determined by comparing
 the pointers while constants are compared by value.  That behavior is useful
 to check for binaryop_svlaues that evaluate to the same concrete value but
 might use one operand with a different type but the same constant value.

 For example,
   binop_svalue (mult_expr,
     initial_svalue (‘size_t’, decl_region (..., 'some_var')),
     constant_svalue (‘size_t’, 4))
 and
   binop_svalue (mult_expr,
     initial_svalue (‘size_t’, decl_region (..., 'some_var'),
     constant_svalue (‘sizetype’, 4))
 are structurally equal.  A concrete C code example, where this occurs, can
 be found in test7 of out-of-bounds-5.c.  */

3601tristate
3602region_model::structural_equality (const svalue *a, const svalue *b) const
3603{
/* If A and B are referentially equal, they are also structurally equal.  */
if (a == b)
  return tristate (tristate::TS_TRUE);

switch (a->get_kind ())
  {
  default:
    return tristate::unknown ();
  /* SK_CONJURED and SK_INITIAL are already handled
     by the referential equality above.  */
  case SK_CONSTANT:
    {
tree a_cst = a->maybe_get_constant ();
tree b_cst = b->maybe_get_constant ();
if (a_cst && b_cst)
 return tristate (tree_int_cst_equal (a_cst, b_cst));
    }
    return tristate (tristate::TS_FALSE);
  case SK_UNARYOP:
    {
const unaryop_svalue *un_a = as_a <const unaryop_svalue *> (a);
if (const unaryop_svalue *un_b = dyn_cast <const unaryop_svalue *> (b))
 return tristate (pending_diagnostic::same_tree_p (un_a->get_type (),
					    un_b->get_type ())
	   && un_a->get_op () == un_b->get_op ()
	   && structural_equality (un_a->get_arg (),
				   un_b->get_arg ()));
    }
    return tristate (tristate::TS_FALSE);
  case SK_BINOP:
    {
const binop_svalue *bin_a = as_a <const binop_svalue *> (a);
if (const binop_svalue *bin_b = dyn_cast <const binop_svalue *> (b))
 return tristate (bin_a->get_op () == bin_b->get_op ()
	   && structural_equality (bin_a->get_arg0 (),
				   bin_b->get_arg0 ())
	   && structural_equality (bin_a->get_arg1 (),
				   bin_b->get_arg1 ()));
    }
    return tristate (tristate::TS_FALSE);
  }
3645}

3647/* Handle various constraints of the form:
   LHS: ((bool)INNER_LHS INNER_OP INNER_RHS))
   OP : == or !=
   RHS: zero
 and (with a cast):
   LHS: CAST([long]int, ((bool)INNER_LHS INNER_OP INNER_RHS))
   OP : == or !=
   RHS: zero
 by adding constraints for INNER_LHS INNEROP INNER_RHS.

 Return true if this function can fully handle the constraint; if
 so, add the implied constraint(s) and write true to *OUT if they
 are consistent with existing constraints, or write false to *OUT
 if they contradicts existing constraints.

 Return false for cases that this function doeesn't know how to handle.

 For example, if we're checking a stored conditional, we'll have
 something like:
   LHS: CAST(long int, (&HEAP_ALLOCATED_REGION(8)!=(int *)0B))
   OP : NE_EXPR
   RHS: zero
 which this function can turn into an add_constraint of:
   (&HEAP_ALLOCATED_REGION(8) != (int *)0B)

 Similarly, optimized && and || conditionals lead to e.g.
   if (p && q)
 becoming gimple like this:
   _1 = p_6 == 0B;
   _2 = q_8 == 0B
   _3 = _1 | _2
 On the "_3 is false" branch we can have constraints of the form:
   ((&HEAP_ALLOCATED_REGION(8)!=(int *)0B)
    | (&HEAP_ALLOCATED_REGION(10)!=(int *)0B))
   == 0
 which implies that both _1 and _2 are false,
 which this function can turn into a pair of add_constraints of
   (&HEAP_ALLOCATED_REGION(8)!=(int *)0B)
 and:
   (&HEAP_ALLOCATED_REGION(10)!=(int *)0B).  */

3688bool
3689region_model::add_constraints_from_binop (const svalue *outer_lhs,
			  enum tree_code outer_op,
			  const svalue *outer_rhs,
			  bool *out,
			  region_model_context *ctxt)
3694{
while (const svalue *cast = outer_lhs->maybe_undo_cast ())
  outer_lhs = cast;
const binop_svalue *binop_sval = outer_lhs->dyn_cast_binop_svalue ();
if (!binop_sval)
  return false;
if (!outer_rhs->all_zeroes_p ())
  return false;

const svalue *inner_lhs = binop_sval->get_arg0 ();
enum tree_code inner_op = binop_sval->get_op ();
const svalue *inner_rhs = binop_sval->get_arg1 ();

if (outer_op != NE_EXPR && outer_op != EQ_EXPR)
  return false;

/* We have either
   - "OUTER_LHS != false" (i.e. OUTER is true), or
   - "OUTER_LHS == false" (i.e. OUTER is false).  */
bool is_true = outer_op == NE_EXPR;

switch (inner_op)
  {
  default:
    return false;

  case EQ_EXPR:
  case NE_EXPR:
    {
/* ...and "(inner_lhs OP inner_rhs) == 0"
  then (inner_lhs OP inner_rhs) must have the same
  logical value as LHS.  */
if (!is_true)
 inner_op = invert_tree_comparison (inner_op, false /* honor_nans */);
*out = add_constraint (inner_lhs, inner_op, inner_rhs, ctxt);
return true;
    }
    break;

  case BIT_AND_EXPR:
    if (is_true)
{
 /* ...and "(inner_lhs & inner_rhs) != 0"
    then both inner_lhs and inner_rhs must be true.  */
 const svalue *false_sval
   = m_mgr->get_or_create_constant_svalue (boolean_false_nodeglobal_trees[TI_BOOLEAN_FALSE]);
 bool sat1 = add_constraint (inner_lhs, NE_EXPR, false_sval, ctxt);
 bool sat2 = add_constraint (inner_rhs, NE_EXPR, false_sval, ctxt);
 *out = sat1 && sat2;
 return true;
}
    return false;

  case BIT_IOR_EXPR:
    if (!is_true)
{
 /* ...and "(inner_lhs | inner_rhs) == 0"
    i.e. "(inner_lhs | inner_rhs)" is false
    then both inner_lhs and inner_rhs must be false.  */
 const svalue *false_sval
   = m_mgr->get_or_create_constant_svalue (boolean_false_nodeglobal_trees[TI_BOOLEAN_FALSE]);
 bool sat1 = add_constraint (inner_lhs, EQ_EXPR, false_sval, ctxt);
 bool sat2 = add_constraint (inner_rhs, EQ_EXPR, false_sval, ctxt);
 *out = sat1 && sat2;
 return true;
}
    return false;
  }
3762}

3764/* Attempt to add the constraint "LHS OP RHS" to this region_model.
 If it is consistent with existing constraints, add it, and return true.
 Return false if it contradicts existing constraints.
 Use CTXT for reporting any diagnostics associated with the accesses.  */

3769bool
3770region_model::add_constraint (tree lhs, enum tree_code op, tree rhs,
	      region_model_context *ctxt)
3772{
/* For now, make no attempt to capture constraints on floating-point
   values.  */
if (FLOAT_TYPE_P (TREE_TYPE (lhs))((((enum tree_code) (((contains_struct_check ((lhs), (TS_TYPED
), "/buildworker/marxinbox-gcc-clang-static-analyzer/build/gcc/analyzer/region-model.cc"
, 3775, __FUNCTION__))->typed.type))->base.code) == REAL_TYPE
) || ((((enum tree_code) (((contains_struct_check ((lhs), (TS_TYPED
), "/buildworker/marxinbox-gcc-clang-static-analyzer/build/gcc/analyzer/region-model.cc"
, 3775, __FUNCTION__))->typed.type))->base.code) == COMPLEX_TYPE
 || (((enum tree_code) (((contains_struct_check ((lhs), (TS_TYPED
), "/buildworker/marxinbox-gcc-clang-static-analyzer/build/gcc/analyzer/region-model.cc"
, 3775, __FUNCTION__))->typed.type))->base.code) == VECTOR_TYPE
)) && (((enum tree_code) (((contains_struct_check (((
(contains_struct_check ((lhs), (TS_TYPED), "/buildworker/marxinbox-gcc-clang-static-analyzer/build/gcc/analyzer/region-model.cc"
, 3775, __FUNCTION__))->typed.type)), (TS_TYPED), "/buildworker/marxinbox-gcc-clang-static-analyzer/build/gcc/analyzer/region-model.cc"
, 3775, __FUNCTION__))->typed.type))->base.code) == REAL_TYPE
))) || FLOAT_TYPE_P (TREE_TYPE (rhs))((((enum tree_code) (((contains_struct_check ((rhs), (TS_TYPED
), "/buildworker/marxinbox-gcc-clang-static-analyzer/build/gcc/analyzer/region-model.cc"
, 3775, __FUNCTION__))->typed.type))->base.code) == REAL_TYPE
) || ((((enum tree_code) (((contains_struct_check ((rhs), (TS_TYPED
), "/buildworker/marxinbox-gcc-clang-static-analyzer/build/gcc/analyzer/region-model.cc"
, 3775, __FUNCTION__))->typed.type))->base.code) == COMPLEX_TYPE
 || (((enum tree_code) (((contains_struct_check ((rhs), (TS_TYPED
), "/buildworker/marxinbox-gcc-clang-static-analyzer/build/gcc/analyzer/region-model.cc"
, 3775, __FUNCTION__))->typed.type))->base.code) == VECTOR_TYPE
)) && (((enum tree_code) (((contains_struct_check (((
(contains_struct_check ((rhs), (TS_TYPED), "/buildworker/marxinbox-gcc-clang-static-analyzer/build/gcc/analyzer/region-model.cc"
, 3775, __FUNCTION__))->typed.type)), (TS_TYPED), "/buildworker/marxinbox-gcc-clang-static-analyzer/build/gcc/analyzer/region-model.cc"
, 3775, __FUNCTION__))->typed.type))->base.code) == REAL_TYPE
))))
  return true;

const svalue *lhs_sval = get_rvalue (lhs, ctxt);
const svalue *rhs_sval = get_rvalue (rhs, ctxt);

return add_constraint (lhs_sval, op, rhs_sval, ctxt);
3782}

3784/* Attempt to add the constraint "LHS OP RHS" to this region_model.
 If it is consistent with existing constraints, add it, and return true.
 Return false if it contradicts existing constraints.
 Use CTXT for reporting any diagnostics associated with the accesses.  */

3789bool
3790region_model::add_constraint (const svalue *lhs,
	      enum tree_code op,
	      const svalue *rhs,
	      region_model_context *ctxt)
3794{
tristate t_cond = eval_condition (lhs, op, rhs);

/* If we already have the condition, do nothing.  */
if (t_cond.is_true ())
  return true;

/* Reject a constraint that would contradict existing knowledge, as
   unsatisfiable.  */
if (t_cond.is_false ())
  return false;

bool out;
if (add_constraints_from_binop (lhs, op, rhs, &out, ctxt))
  return out;

/* Attempt to store the constraint.  */
if (!m_constraints->add_constraint (lhs, op, rhs))
  return false;

/* Notify the context, if any.  This exists so that the state machines
   in a program_state can be notified about the condition, and so can
   set sm-state for e.g. unchecked->checked, both for cfg-edges, and
   when synthesizing constraints as above.  */
if (ctxt)
  ctxt->on_condition (lhs, op, rhs);

/* If we have &REGION == NULL, then drop dynamic extents for REGION (for
   the case where REGION is heap-allocated and thus could be NULL).  */
if (tree rhs_cst = rhs->maybe_get_constant ())
  if (op == EQ_EXPR && zerop (rhs_cst))
    if (const region_svalue *region_sval = lhs->dyn_cast_region_svalue ())
unset_dynamic_extents (region_sval->get_pointee ());

return true;
3829}

3831/* As above, but when returning false, if OUT is non-NULL, write a
 new rejected_constraint to *OUT.  */

3834bool
3835region_model::add_constraint (tree lhs, enum tree_code op, tree rhs,
	      region_model_context *ctxt,
	      rejected_constraint **out)
3838{
bool sat = add_constraint (lhs, op, rhs, ctxt);
if (!sat && out)
  *out = new rejected_op_constraint (*this, lhs, op, rhs);
return sat;
3843}

3845/* Determine what is known about the condition "LHS OP RHS" within
 this model.
 Use CTXT for reporting any diagnostics associated with the accesses.  */

3849tristate
3850region_model::eval_condition (tree lhs,
	      enum tree_code op,
	      tree rhs,
	      region_model_context *ctxt) const
3854{
/* For now, make no attempt to model constraints on floating-point
   values.  */
if (FLOAT_TYPE_P (TREE_TYPE (lhs))((((enum tree_code) (((contains_struct_check ((lhs), (TS_TYPED
), "/buildworker/marxinbox-gcc-clang-static-analyzer/build/gcc/analyzer/region-model.cc"
, 3857, __FUNCTION__))->typed.type))->base.code) == REAL_TYPE
) || ((((enum tree_code) (((contains_struct_check ((lhs), (TS_TYPED
), "/buildworker/marxinbox-gcc-clang-static-analyzer/build/gcc/analyzer/region-model.cc"
, 3857, __FUNCTION__))->typed.type))->base.code) == COMPLEX_TYPE
 || (((enum tree_code) (((contains_struct_check ((lhs), (TS_TYPED
), "/buildworker/marxinbox-gcc-clang-static-analyzer/build/gcc/analyzer/region-model.cc"
, 3857, __FUNCTION__))->typed.type))->base.code) == VECTOR_TYPE
)) && (((enum tree_code) (((contains_struct_check (((
(contains_struct_check ((lhs), (TS_TYPED), "/buildworker/marxinbox-gcc-clang-static-analyzer/build/gcc/analyzer/region-model.cc"
, 3857, __FUNCTION__))->typed.type)), (TS_TYPED), "/buildworker/marxinbox-gcc-clang-static-analyzer/build/gcc/analyzer/region-model.cc"
, 3857, __FUNCTION__))->typed.type))->base.code) == REAL_TYPE
))) || FLOAT_TYPE_P (TREE_TYPE (rhs))((((enum tree_code) (((contains_struct_check ((rhs), (TS_TYPED
), "/buildworker/marxinbox-gcc-clang-static-analyzer/build/gcc/analyzer/region-model.cc"
, 3857, __FUNCTION__))->typed.type))->base.code) == REAL_TYPE
) || ((((enum tree_code) (((contains_struct_check ((rhs), (TS_TYPED
), "/buildworker/marxinbox-gcc-clang-static-analyzer/build/gcc/analyzer/region-model.cc"
, 3857, __FUNCTION__))->typed.type))->base.code) == COMPLEX_TYPE
 || (((enum tree_code) (((contains_struct_check ((rhs), (TS_TYPED
), "/buildworker/marxinbox-gcc-clang-static-analyzer/build/gcc/analyzer/region-model.cc"
, 3857, __FUNCTION__))->typed.type))->base.code) == VECTOR_TYPE
)) && (((enum tree_code) (((contains_struct_check (((
(contains_struct_check ((rhs), (TS_TYPED), "/buildworker/marxinbox-gcc-clang-static-analyzer/build/gcc/analyzer/region-model.cc"
, 3857, __FUNCTION__))->typed.type)), (TS_TYPED), "/buildworker/marxinbox-gcc-clang-static-analyzer/build/gcc/analyzer/region-model.cc"
, 3857, __FUNCTION__))->typed.type))->base.code) == REAL_TYPE
))))
  return tristate::unknown ();

return eval_condition (get_rvalue (lhs, ctxt), op, get_rvalue (rhs, ctxt));
3861}

3863/* Implementation of region_model::get_representative_path_var.
 Attempt to return a path_var that represents SVAL, or return NULL_TREE.
 Use VISITED to prevent infinite mutual recursion with the overload for
 regions.  */

3868path_var
3869region_model::get_representative_path_var_1 (const svalue *sval,
			     svalue_set *visited) const
3871{
gcc_assert (sval)((void)(!(sval) ? fancy_abort ("/buildworker/marxinbox-gcc-clang-static-analyzer/build/gcc/analyzer/region-model.cc"
, 3872, __FUNCTION__), 0 : 0));

/* Prevent infinite recursion.  */
if (visited->contains (sval))
  return path_var (NULL_TREE(tree) nullptr, 0);
visited->add (sval);

/* Handle casts by recursion into get_representative_path_var.  */
if (const svalue *cast_sval = sval->maybe_undo_cast ())
  {
    path_var result = get_representative_path_var (cast_sval, visited);
    tree orig_type = sval->get_type ();
    /* If necessary, wrap the result in a cast.  */
    if (result.m_tree && orig_type)
result.m_tree = build1 (NOP_EXPR, orig_type, result.m_tree);
    return result;
  }

auto_vec<path_var> pvs;
m_store.get_representative_path_vars (this, visited, sval, &pvs);

if (tree cst = sval->maybe_get_constant ())
  pvs.safe_push (path_var (cst, 0));

/* Handle string literals and various other pointers.  */
if (const region_svalue *ptr_sval = sval->dyn_cast_region_svalue ())
  {
    const region *reg = ptr_sval->get_pointee ();
    if (path_var pv = get_representative_path_var (reg, visited))
return path_var (build1 (ADDR_EXPR,
		 sval->get_type (),
		 pv.m_tree),
	 pv.m_stack_depth);
  }

/* If we have a sub_svalue, look for ways to represent the parent.  */
if (const sub_svalue *sub_sval = sval->dyn_cast_sub_svalue ())
  {
    const svalue *parent_sval = sub_sval->get_parent ();
    const region *subreg = sub_sval->get_subregion ();
    if (path_var parent_pv
   = get_representative_path_var (parent_sval, visited))
if (const field_region *field_reg = subreg->dyn_cast_field_region ())
 return path_var (build3 (COMPONENT_REF,
		   sval->get_type (),
		   parent_pv.m_tree,
		   field_reg->get_field (),
		   NULL_TREE(tree) nullptr),
	   parent_pv.m_stack_depth);
  }

/* Handle binops.  */
if (const binop_svalue *binop_sval = sval->dyn_cast_binop_svalue ())
  if (path_var lhs_pv
= get_representative_path_var (binop_sval->get_arg0 (), visited))
    if (path_var rhs_pv
 = get_representative_path_var (binop_sval->get_arg1 (), visited))
return path_var (build2 (binop_sval->get_op (),
		 sval->get_type (),
		 lhs_pv.m_tree, rhs_pv.m_tree),
	 lhs_pv.m_stack_depth);

if (pvs.length () < 1)
  return path_var (NULL_TREE(tree) nullptr, 0);

pvs.qsort (readability_comparator)qsort (readability_comparator);
return pvs[0];
3939}

3941/* Attempt to return a path_var that represents SVAL, or return NULL_TREE.
 Use VISITED to prevent infinite mutual recursion with the overload for
 regions

 This function defers to get_representative_path_var_1 to do the work;
 it adds verification that get_representative_path_var_1 returned a tree
 of the correct type.  */

3949path_var
3950region_model::get_representative_path_var (const svalue *sval,
			   svalue_set *visited) const
3952{
if (sval == NULLnullptr)
  return path_var (NULL_TREE(tree) nullptr, 0);

tree orig_type = sval->get_type ();

path_var result = get_representative_path_var_1 (sval, visited);

/* Verify that the result has the same type as SVAL, if any.  */
if (result.m_tree && orig_type)
  gcc_assert (TREE_TYPE (result.m_tree) == orig_type)((void)(!(((contains_struct_check ((result.m_tree), (TS_TYPED
), "/buildworker/marxinbox-gcc-clang-static-analyzer/build/gcc/analyzer/region-model.cc"
, 3962, __FUNCTION__))->typed.type) == orig_type) ? fancy_abort
 ("/buildworker/marxinbox-gcc-clang-static-analyzer/build/gcc/analyzer/region-model.cc"
, 3962, __FUNCTION__), 0 : 0));

return result;
3965}

3967/* Attempt to return a tree that represents SVAL, or return NULL_TREE.

 Strip off any top-level cast, to avoid messages like
   double-free of '(void *)ptr'
 from analyzer diagnostics.  */

3973tree
3974region_model::get_representative_tree (const svalue *sval) const
3975{
svalue_set visited;
tree expr = get_representative_path_var (sval, &visited).m_tree;

/* Strip off any top-level cast.  */
if (expr && TREE_CODE (expr)((enum tree_code) (expr)->base.code) == NOP_EXPR)
  expr = TREE_OPERAND (expr, 0)(*((const_cast<tree*> (tree_operand_check ((expr), (0),
 "/buildworker/marxinbox-gcc-clang-static-analyzer/build/gcc/analyzer/region-model.cc"
, 3981, __FUNCTION__)))));

return fixup_tree_for_diagnostic (expr);
3984}

3986tree
3987region_model::get_representative_tree (const region *reg) const
3988{
svalue_set visited;
tree expr = get_representative_path_var (reg, &visited).m_tree;

/* Strip off any top-level cast.  */
if (expr && TREE_CODE (expr)((enum tree_code) (expr)->base.code) == NOP_EXPR)
  expr = TREE_OPERAND (expr, 0)(*((const_cast<tree*> (tree_operand_check ((expr), (0),
 "/buildworker/marxinbox-gcc-clang-static-analyzer/build/gcc/analyzer/region-model.cc"
, 3994, __FUNCTION__)))));

return fixup_tree_for_diagnostic (expr);
3997}

3999/* Implementation of region_model::get_representative_path_var.

 Attempt to return a path_var that represents REG, or return
 the NULL path_var.
 For example, a region for a field of a local would be a path_var
 wrapping a COMPONENT_REF.
 Use VISITED to prevent infinite mutual recursion with the overload for
 svalues.  */

4008path_var
4009region_model::get_representative_path_var_1 (const region *reg,
			     svalue_set *visited) const
4011{
switch (reg->get_kind ())
  {
  default:
    gcc_unreachable ()(fancy_abort ("/buildworker/marxinbox-gcc-clang-static-analyzer/build/gcc/analyzer/region-model.cc"
, 4015, __FUNCTION__));

  case RK_FRAME:
  case RK_GLOBALS:
  case RK_CODE:
  case RK_HEAP:
  case RK_STACK:
  case RK_THREAD_LOCAL:
  case RK_ROOT:
     /* Regions that represent memory spaces are not expressible as trees.  */
    return path_var (NULL_TREE(tree) nullptr, 0);

  case RK_FUNCTION:
    {
const function_region *function_reg
 = as_a <const function_region *> (reg);
return path_var (function_reg->get_fndecl (), 0);
    }
  case RK_LABEL:
    {
const label_region *label_reg = as_a <const label_region *> (reg);
return path_var (label_reg->get_label (), 0);
    }

  case RK_SYMBOLIC:
    {
const symbolic_region *symbolic_reg
 = as_a <const symbolic_region *> (reg);
const svalue *pointer = symbolic_reg->get_pointer ();
path_var pointer_pv = get_representative_path_var (pointer, visited);
if (!pointer_pv)
 return path_var (NULL_TREE(tree) nullptr, 0);
tree offset = build_int_cst (pointer->get_type (), 0);
return path_var (build2 (MEM_REF,
		 reg->get_type (),
		 pointer_pv.m_tree,
		 offset),
	 pointer_pv.m_stack_depth);
    }
  case RK_DECL:
    {
const decl_region *decl_reg = as_a <const decl_region *> (reg);
return path_var (decl_reg->get_decl (), decl_reg->get_stack_depth ());
    }
  case RK_FIELD:
    {
const field_region *field_reg = as_a <const field_region *> (reg);
path_var parent_pv
 = get_representative_path_var (reg->get_parent_region (), visited);
if (!parent_pv)
 return path_var (NULL_TREE(tree) nullptr, 0);
return path_var (build3 (COMPONENT_REF,
		 reg->get_type (),
		 parent_pv.m_tree,
		 field_reg->get_field (),
		 NULL_TREE(tree) nullptr),
	 parent_pv.m_stack_depth);
    }

  case RK_ELEMENT:
    {
const element_region *element_reg
 = as_a <const element_region *> (reg);
path_var parent_pv
 = get_representative_path_var (reg->get_parent_region (), visited);
if (!parent_pv)
 return path_var (NULL_TREE(tree) nullptr, 0);
path_var index_pv
 = get_representative_path_var (element_reg->get_index (), visited);
if (!index_pv)
 return path_var (NULL_TREE(tree) nullptr, 0);
return path_var (build4 (ARRAY_REF,
		 reg->get_type (),
		 parent_pv.m_tree, index_pv.m_tree,
		 NULL_TREE(tree) nullptr, NULL_TREE(tree) nullptr),
	 parent_pv.m_stack_depth);
    }

  case RK_OFFSET:
    {
const offset_region *offset_reg
 = as_a <const offset_region *> (reg);
path_var parent_pv
 = get_representative_path_var (reg->get_parent_region (), visited);
if (!parent_pv)
 return path_var (NULL_TREE(tree) nullptr, 0);
path_var offset_pv
 = get_representative_path_var (offset_reg->get_byte_offset (),
			 visited);
if (!offset_pv || TREE_CODE (offset_pv.m_tree)((enum tree_code) (offset_pv.m_tree)->base.code) != INTEGER_CST)
 return path_var (NULL_TREE(tree) nullptr, 0);
tree addr_parent = build1 (ADDR_EXPR,
		   build_pointer_type (reg->get_type ()),
		   parent_pv.m_tree);
return path_var (build2 (MEM_REF,
		 reg->get_type (),
		 addr_parent, offset_pv.m_tree),
	 parent_pv.m_stack_depth);
    }

  case RK_SIZED:
    return path_var (NULL_TREE(tree) nullptr, 0);

  case RK_CAST:
    {
path_var parent_pv
 = get_representative_path_var (reg->get_parent_region (), visited);
if (!parent_pv)
 return path_var (NULL_TREE(tree) nullptr, 0);
return path_var (build1 (NOP_EXPR,
		 reg->get_type (),
		 parent_pv.m_tree),
	 parent_pv.m_stack_depth);
    }

  case RK_HEAP_ALLOCATED:
  case RK_ALLOCA:
    /* No good way to express heap-allocated/alloca regions as trees.  */
    return path_var (NULL_TREE(tree) nullptr, 0);

  case RK_STRING:
    {
const string_region *string_reg = as_a <const string_region *> (reg);
return path_var (string_reg->get_string_cst (), 0);
    }

  case RK_VAR_ARG:
  case RK_ERRNO:
  case RK_UNKNOWN:
    return path_var (NULL_TREE(tree) nullptr, 0);
  }
4146}

4148/* Attempt to return a path_var that represents REG, or return
 the NULL path_var.
 For example, a region for a field of a local would be a path_var
 wrapping a COMPONENT_REF.
 Use VISITED to prevent infinite mutual recursion with the overload for
 svalues.

 This function defers to get_representative_path_var_1 to do the work;
 it adds verification that get_representative_path_var_1 returned a tree
 of the correct type.  */

4159path_var
4160region_model::get_representative_path_var (const region *reg,
			   svalue_set *visited) const
4162{
path_var result = get_representative_path_var_1 (reg, visited);

/* Verify that the result has the same type as REG, if any.  */
if (result.m_tree && reg->get_type ())
  gcc_assert (TREE_TYPE (result.m_tree) == reg->get_type ())((void)(!(((contains_struct_check ((result.m_tree), (TS_TYPED
), "/buildworker/marxinbox-gcc-clang-static-analyzer/build/gcc/analyzer/region-model.cc"
, 4167, __FUNCTION__))->typed.type) == reg->get_type ()
) ? fancy_abort ("/buildworker/marxinbox-gcc-clang-static-analyzer/build/gcc/analyzer/region-model.cc"
, 4167, __FUNCTION__), 0 : 0));

return result;
4170}

4172/* Update this model for any phis in SNODE, assuming we came from
 LAST_CFG_SUPEREDGE.  */

4175void
4176region_model::update_for_phis (const supernode *snode,
	       const cfg_superedge *last_cfg_superedge,
	       region_model_context *ctxt)
4179{
gcc_assert (last_cfg_superedge)((void)(!(last_cfg_superedge) ? fancy_abort ("/buildworker/marxinbox-gcc-clang-static-analyzer/build/gcc/analyzer/region-model.cc"
, 4180, __FUNCTION__), 0 : 0));

/* Copy this state and pass it to handle_phi so that all of the phi stmts
   are effectively handled simultaneously.  */
const region_model old_state (*this);

for (gphi_iterator gpi = const_cast<supernode *>(snode)->start_phis ();
     !gsi_end_p (gpi); gsi_next (&gpi))
  {
    gphi *phi = gpi.phi ();

    tree src = last_cfg_superedge->get_phi_arg (phi);
    tree lhs = gimple_phi_result (phi);

    /* Update next_state based on phi and old_state.  */
    handle_phi (phi, lhs, src, old_state, ctxt);
  }
4197}

4199/* Attempt to update this model for taking EDGE (where the last statement
 was LAST_STMT), returning true if the edge can be taken, false
 otherwise.
 When returning false, if OUT is non-NULL, write a new rejected_constraint
 to it.

 For CFG superedges where LAST_STMT is a conditional or a switch
 statement, attempt to add the relevant conditions for EDGE to this
 model, returning true if they are feasible, or false if they are
 impossible.

 For call superedges, push frame information and store arguments
 into parameters.

 For return superedges, pop frame information and store return
 values into any lhs.

 Rejection of call/return superedges happens elsewhere, in
 program_point::on_edge (i.e. based on program point, rather
 than program state).  */

4220bool
4221region_model::maybe_update_for_edge (const superedge &edge,
		     const gimple *last_stmt,
		     region_model_context *ctxt,
		     rejected_constraint **out)
4225{
/* Handle frame updates for interprocedural edges.  */
switch (edge.m_kind)
  {
  default:
    break;

  case SUPEREDGE_CALL:
    {
const call_superedge *call_edge = as_a <const call_superedge *> (&edge);
update_for_call_superedge (*call_edge, ctxt);
    }
    break;

  case SUPEREDGE_RETURN:
    {
const return_superedge *return_edge
 = as_a <const return_superedge *> (&edge);
update_for_return_superedge (*return_edge, ctxt);
    }
    break;

  case SUPEREDGE_INTRAPROCEDURAL_CALL:
    /* This is a no-op for call summaries; we should already
have handled the effect of the call summary at the call stmt.  */
    break;
  }

if (last_stmt == NULLnullptr)
  return true;

/* Apply any constraints for conditionals/switch statements.  */

if (const gcond *cond_stmt = dyn_cast <const gcond *> (last_stmt))
  {
    const cfg_superedge *cfg_sedge = as_a <const cfg_superedge *> (&edge);
    return apply_constraints_for_gcond (*cfg_sedge, cond_stmt, ctxt, out);
  }

if (const gswitch *switch_stmt = dyn_cast <const gswitch *> (last_stmt))
  {
    const switch_cfg_superedge *switch_sedge
= as_a <const switch_cfg_superedge *> (&edge);
    return apply_constraints_for_gswitch (*switch_sedge, switch_stmt,
			    ctxt, out);
  }

/* Apply any constraints due to an exception being thrown.  */
if (const cfg_superedge *cfg_sedge = dyn_cast <const cfg_superedge *> (&edge))
  if (cfg_sedge->get_flags () & EDGE_EH)
    return apply_constraints_for_exception (last_stmt, ctxt, out);

return true;
4278}

4280/* Push a new frame_region on to the stack region.
 Populate the frame_region with child regions for the function call's
 parameters, using values from the arguments at the callsite in the
 caller's frame.  */

4285void
4286region_model::update_for_gcall (const gcall *call_stmt,
		region_model_context *ctxt,
		function *callee)
4289{
/* Build a vec of argument svalues, using the current top
   frame for resolving tree expressions.  */
auto_vec<const svalue *> arg_svals (gimple_call_num_args (call_stmt));

for (unsigned i = 0; i < gimple_call_num_args (call_stmt); i++)
  {
    tree arg = gimple_call_arg (call_stmt, i);
    arg_svals.quick_push (get_rvalue (arg, ctxt));
  }

if(!callee)
{
  /* Get the function * from the gcall.  */
  tree fn_decl = get_fndecl_for_call (call_stmt,ctxt);
  callee = DECL_STRUCT_FUNCTION (fn_decl)((tree_check ((fn_decl), "/buildworker/marxinbox-gcc-clang-static-analyzer/build/gcc/analyzer/region-model.cc"
, 4304, __FUNCTION__, (FUNCTION_DECL)))->function_decl.f);
}

push_frame (callee, &arg_svals, ctxt);
4308}

4310/* Pop the top-most frame_region from the stack, and copy the return
 region's values (if any) into the region for the lvalue of the LHS of
 the call (if any).  */

4314void
4315region_model::update_for_return_gcall (const gcall *call_stmt,
		       region_model_context *ctxt)
4317{
/* Get the lvalue for the result of the call, passing it to pop_frame,
   so that pop_frame can determine the region with respect to the
   *caller* frame.  */
tree lhs = gimple_call_lhs (call_stmt);
pop_frame (lhs, NULLnullptr, ctxt);
4323}

4325/* Extract calling information from the superedge and update the model for the 
 call  */

4328void
4329region_model::update_for_call_superedge (const call_superedge &call_edge,
			 region_model_context *ctxt)
4331{
const gcall *call_stmt = call_edge.get_call_stmt ();
update_for_gcall (call_stmt, ctxt, call_edge.get_callee_function ());
4334}

4336/* Extract calling information from the return superedge and update the model 
 for the returning call */

4339void
4340region_model::update_for_return_superedge (const return_superedge &return_edge,
			   region_model_context *ctxt)
4342{
const gcall *call_stmt = return_edge.get_call_stmt ();
update_for_return_gcall (call_stmt, ctxt);
4345}

4347/* Attempt to to use R to replay SUMMARY into this object.
 Return true if it is possible.  */

4350bool
4351region_model::replay_call_summary (call_summary_replay &r,
		   const region_model &summary)
4353{
gcc_assert (summary.get_stack_depth () == 1)((void)(!(summary.get_stack_depth () == 1) ? fancy_abort ("/buildworker/marxinbox-gcc-clang-static-analyzer/build/gcc/analyzer/region-model.cc"
, 4354, __FUNCTION__), 0 : 0));

m_store.replay_call_summary (r, summary.m_store);

if (!m_constraints->replay_call_summary (r, *summary.m_constraints))
  return false;

for (auto kv : summary.m_dynamic_extents)
  {
    const region *summary_reg = kv.first;
    const region *caller_reg = r.convert_region_from_summary (summary_reg);
    if (!caller_reg)
continue;
    const svalue *summary_sval = kv.second;
    const svalue *caller_sval = r.convert_svalue_from_summary (summary_sval);
    if (!caller_sval)
continue;
    m_dynamic_extents.put (caller_reg, caller_sval);
  }

return true;
4375}

4377/* Given a true or false edge guarded by conditional statement COND_STMT,
 determine appropriate constraints for the edge to be taken.

 If they are feasible, add the constraints and return true.

 Return false if the constraints contradict existing knowledge
 (and so the edge should not be taken).
 When returning false, if OUT is non-NULL, write a new rejected_constraint
 to it.  */

4387bool
4388region_model::apply_constraints_for_gcond (const cfg_superedge &sedge,
			   const gcond *cond_stmt,
			   region_model_context *ctxt,
			   rejected_constraint **out)
4392{
::edge cfg_edge = sedge.get_cfg_edge ();
gcc_assert (cfg_edge != NULL)((void)(!(cfg_edge != nullptr) ? fancy_abort ("/buildworker/marxinbox-gcc-clang-static-analyzer/build/gcc/analyzer/region-model.cc"
, 4394, __FUNCTION__), 0 : 0));
gcc_assert (cfg_edge->flags & (EDGE_TRUE_VALUE | EDGE_FALSE_VALUE))((void)(!(cfg_edge->flags & (EDGE_TRUE_VALUE | EDGE_FALSE_VALUE
)) ? fancy_abort ("/buildworker/marxinbox-gcc-clang-static-analyzer/build/gcc/analyzer/region-model.cc"
, 4395, __FUNCTION__), 0 : 0));

enum tree_code op = gimple_cond_code (cond_stmt);
tree lhs = gimple_cond_lhs (cond_stmt);
tree rhs = gimple_cond_rhs (cond_stmt);
if (cfg_edge->flags & EDGE_FALSE_VALUE)
  op = invert_tree_comparison (op, false /* honor_nans */);
return add_constraint (lhs, op, rhs, ctxt, out);
4403}

4405/* Return true iff SWITCH_STMT has a non-default label that contains
 INT_CST.  */

4408static bool
4409has_nondefault_case_for_value_p (const gswitch *switch_stmt, tree int_cst)
4410{
/* We expect the initial label to be the default; skip it.  */
gcc_assert (CASE_LOW (gimple_switch_label (switch_stmt, 0)) == NULL)((void)(!((*((const_cast<tree*> (tree_operand_check (((
tree_check ((gimple_switch_label (switch_stmt, 0)), "/buildworker/marxinbox-gcc-clang-static-analyzer/build/gcc/analyzer/region-model.cc"
, 4412, __FUNCTION__, (CASE_LABEL_EXPR)))), (0), "/buildworker/marxinbox-gcc-clang-static-analyzer/build/gcc/analyzer/region-model.cc"
, 4412, __FUNCTION__))))) == nullptr) ? fancy_abort ("/buildworker/marxinbox-gcc-clang-static-analyzer/build/gcc/analyzer/region-model.cc"
, 4412, __FUNCTION__), 0 : 0));
unsigned min_idx = 1;
unsigned max_idx = gimple_switch_num_labels (switch_stmt) - 1;

/* Binary search: try to find the label containing INT_CST.
   This requires the cases to be sorted by CASE_LOW (done by the
   gimplifier).  */
while (max_idx >= min_idx)
  {
    unsigned case_idx = (min_idx + max_idx) / 2;
    tree label =  gimple_switch_label (switch_stmt, case_idx);
    tree low = CASE_LOW (label)(*((const_cast<tree*> (tree_operand_check (((tree_check
 ((label), "/buildworker/marxinbox-gcc-clang-static-analyzer/build/gcc/analyzer/region-model.cc"
, 4423, __FUNCTION__, (CASE_LABEL_EXPR)))), (0), "/buildworker/marxinbox-gcc-clang-static-analyzer/build/gcc/analyzer/region-model.cc"
, 4423, __FUNCTION__)))));
    gcc_assert (low)((void)(!(low) ? fancy_abort ("/buildworker/marxinbox-gcc-clang-static-analyzer/build/gcc/analyzer/region-model.cc"
, 4424, __FUNCTION__), 0 : 0));
    tree high = CASE_HIGH (label)(*((const_cast<tree*> (tree_operand_check (((tree_check
 ((label), "/buildworker/marxinbox-gcc-clang-static-analyzer/build/gcc/analyzer/region-model.cc"
, 4425, __FUNCTION__, (CASE_LABEL_EXPR)))), (1), "/buildworker/marxinbox-gcc-clang-static-analyzer/build/gcc/analyzer/region-model.cc"
, 4425, __FUNCTION__)))));
    if (!high)
high = low;
    if (tree_int_cst_compare (int_cst, low) < 0)
{
 /* INT_CST is below the range of this label.  */
 gcc_assert (case_idx > 0)((void)(!(case_idx > 0) ? fancy_abort ("/buildworker/marxinbox-gcc-clang-static-analyzer/build/gcc/analyzer/region-model.cc"
, 4431, __FUNCTION__), 0 : 0));
 max_idx = case_idx - 1;
}
    else if (tree_int_cst_compare (int_cst, high) > 0)
{
 /* INT_CST is above the range of this case.  */
 min_idx = case_idx + 1;
}
    else
/* This case contains INT_CST.  */
return true;
  }
/* Not found.  */
return false;
4445}

4447/* Return true iff SWITCH_STMT (which must be on an enum value)
 has nondefault cases handling all values in the enum.  */

4450static bool
4451has_nondefault_cases_for_all_enum_values_p (const gswitch *switch_stmt)
4452{
gcc_assert (switch_stmt)((void)(!(switch_stmt) ? fancy_abort ("/buildworker/marxinbox-gcc-clang-static-analyzer/build/gcc/analyzer/region-model.cc"
, 4453, __FUNCTION__), 0 : 0));
tree type = TREE_TYPE (gimple_switch_index (switch_stmt))((contains_struct_check ((gimple_switch_index (switch_stmt)),
 (TS_TYPED), "/buildworker/marxinbox-gcc-clang-static-analyzer/build/gcc/analyzer/region-model.cc"
, 4454, __FUNCTION__))->typed.type);
gcc_assert (TREE_CODE (type) == ENUMERAL_TYPE)((void)(!(((enum tree_code) (type)->base.code) == ENUMERAL_TYPE
) ? fancy_abort ("/buildworker/marxinbox-gcc-clang-static-analyzer/build/gcc/analyzer/region-model.cc"
, 4455, __FUNCTION__), 0 : 0));

for (tree enum_val_iter = TYPE_VALUES (type)((tree_check ((type), "/buildworker/marxinbox-gcc-clang-static-analyzer/build/gcc/analyzer/region-model.cc"
, 4457, __FUNCTION__, (ENUMERAL_TYPE)))->type_non_common.values
);
     enum_val_iter;
     enum_val_iter = TREE_CHAIN (enum_val_iter)((contains_struct_check ((enum_val_iter), (TS_COMMON), "/buildworker/marxinbox-gcc-clang-static-analyzer/build/gcc/analyzer/region-model.cc"
, 4459, __FUNCTION__))->common.chain))
  {
    tree enum_val = TREE_VALUE (enum_val_iter)((tree_check ((enum_val_iter), "/buildworker/marxinbox-gcc-clang-static-analyzer/build/gcc/analyzer/region-model.cc"
, 4461, __FUNCTION__, (TREE_LIST)))->list.value);
    gcc_assert (TREE_CODE (enum_val) == CONST_DECL)((void)(!(((enum tree_code) (enum_val)->base.code) == CONST_DECL
) ? fancy_abort ("/buildworker/marxinbox-gcc-clang-static-analyzer/build/gcc/analyzer/region-model.cc"
, 4462, __FUNCTION__), 0 : 0));
    gcc_assert (TREE_CODE (DECL_INITIAL (enum_val)) == INTEGER_CST)((void)(!(((enum tree_code) (((contains_struct_check ((enum_val
), (TS_DECL_COMMON), "/buildworker/marxinbox-gcc-clang-static-analyzer/build/gcc/analyzer/region-model.cc"
, 4463, __FUNCTION__))->decl_common.initial))->base.code
) == INTEGER_CST) ? fancy_abort ("/buildworker/marxinbox-gcc-clang-static-analyzer/build/gcc/analyzer/region-model.cc"
, 4463, __FUNCTION__), 0 : 0));
    if (!has_nondefault_case_for_value_p (switch_stmt,
			    DECL_INITIAL (enum_val)((contains_struct_check ((enum_val), (TS_DECL_COMMON), "/buildworker/marxinbox-gcc-clang-static-analyzer/build/gcc/analyzer/region-model.cc"
, 4465, __FUNCTION__))->decl_common.initial)))
return false;
  }
return true;
4469}

4471/* Given an EDGE guarded by SWITCH_STMT, determine appropriate constraints
 for the edge to be taken.

 If they are feasible, add the constraints and return true.

 Return false if the constraints contradict existing knowledge
 (and so the edge should not be taken).
 When returning false, if OUT is non-NULL, write a new rejected_constraint
 to it.  */

4481bool
4482region_model::apply_constraints_for_gswitch (const switch_cfg_superedge &edge,
			     const gswitch *switch_stmt,
			     region_model_context *ctxt,
			     rejected_constraint **out)
4486{
tree index  = gimple_switch_index (switch_stmt);
const svalue *index_sval = get_rvalue (index, ctxt);

/* If we're switching based on an enum type, assume that the user is only
   working with values from the enum.  Hence if this is an
   implicitly-created "default", assume it doesn't get followed.
   This fixes numerous "uninitialized" false positives where we otherwise
   consider jumping past the initialization cases.  */

if (/* Don't check during feasibility-checking (when ctxt is NULL).  */
    ctxt
    /* Must be an enum value.  */
    && index_sval->get_type ()
    && TREE_CODE (TREE_TYPE (index))((enum tree_code) (((contains_struct_check ((index), (TS_TYPED
), "/buildworker/marxinbox-gcc-clang-static-analyzer/build/gcc/analyzer/region-model.cc"
, 4500, __FUNCTION__))->typed.type))->base.code) == ENUMERAL_TYPE
    && TREE_CODE (index_sval->get_type ())((enum tree_code) (index_sval->get_type ())->base.code) == ENUMERAL_TYPE
    /* If we have a constant, then we can check it directly.  */
    && index_sval->get_kind () != SK_CONSTANT
    && edge.implicitly_created_default_p ()
    && has_nondefault_cases_for_all_enum_values_p (switch_stmt)
    /* Don't do this if there's a chance that the index is
attacker-controlled.  */
    && !ctxt->possibly_tainted_p (index_sval))
  {
    if (out)
*out = new rejected_default_case (*this);
    return false;
  }

bounded_ranges_manager *ranges_mgr = get_range_manager ();
const bounded_ranges *all_cases_ranges
  = ranges_mgr->get_or_create_ranges_for_switch (&edge, switch_stmt);
bool sat = m_constraints->add_bounded_ranges (index_sval, all_cases_ranges);
if (!sat && out)
  *out = new rejected_ranges_constraint (*this, index, all_cases_ranges);
if (sat && ctxt && !all_cases_ranges->empty_p ())
  ctxt->on_bounded_ranges (*index_sval, *all_cases_ranges);
return sat;
4524}

4526/* Apply any constraints due to an exception being thrown at LAST_STMT.

 If they are feasible, add the constraints and return true.

 Return false if the constraints contradict existing knowledge
 (and so the edge should not be taken).
 When returning false, if OUT is non-NULL, write a new rejected_constraint
 to it.  */

4535bool
4536region_model::apply_constraints_for_exception (const gimple *last_stmt,
			       region_model_context *ctxt,
			       rejected_constraint **out)
4539{
gcc_assert (last_stmt)((void)(!(last_stmt) ? fancy_abort ("/buildworker/marxinbox-gcc-clang-static-analyzer/build/gcc/analyzer/region-model.cc"
, 4540, __FUNCTION__), 0 : 0));
if (const gcall *call = dyn_cast <const gcall *> (last_stmt))
  if (tree callee_fndecl = get_fndecl_for_call (call, ctxt))
    if (is_named_call_p (callee_fndecl, "operator new", call, 1)
 || is_named_call_p (callee_fndecl, "operator new []", call, 1))
{
 /* We have an exception thrown from operator new.
    Add a constraint that the result was NULL, to avoid a false
    leak report due to the result being lost when following
    the EH edge.  */
 if (tree lhs = gimple_call_lhs (call))
   return add_constraint (lhs, EQ_EXPR, null_pointer_nodeglobal_trees[TI_NULL_POINTER], ctxt, out);
 return true;
}
return true;
4555}

4557/* For use with push_frame when handling a top-level call within the analysis.
 PARAM has a defined but unknown initial value.
 Anything it points to has escaped, since the calling context "knows"
 the pointer, and thus calls to unknown functions could read/write into
 the region.
 If NONNULL is true, then assume that PARAM must be non-NULL.  */

4564void
4565region_model::on_top_level_param (tree param,
		  bool nonnull,
		  region_model_context *ctxt)
4568{
if (POINTER_TYPE_P (TREE_TYPE (param))(((enum tree_code) (((contains_struct_check ((param), (TS_TYPED
), "/buildworker/marxinbox-gcc-clang-static-analyzer/build/gcc/analyzer/region-model.cc"
, 4569, __FUNCTION__))->typed.type))->base.code) == POINTER_TYPE
 || ((enum tree_code) (((contains_struct_check ((param), (TS_TYPED
), "/buildworker/marxinbox-gcc-clang-static-analyzer/build/gcc/analyzer/region-model.cc"
, 4569, __FUNCTION__))->typed.type))->base.code) == REFERENCE_TYPE
))
  {
    const region *param_reg = get_lvalue (param, ctxt);
    const svalue *init_ptr_sval
= m_mgr->get_or_create_initial_value (param_reg);
    const region *pointee_reg = m_mgr->get_symbolic_region (init_ptr_sval);
    m_store.mark_as_escaped (pointee_reg);
    if (nonnull)
{
 const svalue *null_ptr_sval
   = m_mgr->get_or_create_null_ptr (TREE_TYPE (param)((contains_struct_check ((param), (TS_TYPED), "/buildworker/marxinbox-gcc-clang-static-analyzer/build/gcc/analyzer/region-model.cc"
, 4579, __FUNCTION__))->typed.type));
 add_constraint (init_ptr_sval, NE_EXPR, null_ptr_sval, ctxt);
}
  }
4583}

4585/* Update this region_model to reflect pushing a frame onto the stack
 for a call to FUN.

 If ARG_SVALS is non-NULL, use it to populate the parameters
 in the new frame.
 Otherwise, the params have their initial_svalues.

 Return the frame_region for the new frame.  */

4594const region *
4595region_model::push_frame (function *fun, const vec<const svalue *> *arg_svals,
	  region_model_context *ctxt)
4597{
m_current_frame = m_mgr->get_frame_region (m_current_frame, fun);
if (arg_svals)
  {
    /* Arguments supplied from a caller frame.  */
    tree fndecl = fun->decl;
    unsigned idx = 0;
    for (tree iter_parm = DECL_ARGUMENTS (fndecl)((tree_check ((fndecl), "/buildworker/marxinbox-gcc-clang-static-analyzer/build/gcc/analyzer/region-model.cc"
, 4604, __FUNCTION__, (FUNCTION_DECL)))->function_decl.arguments
); iter_parm;
  iter_parm = DECL_CHAIN (iter_parm)(((contains_struct_check (((contains_struct_check ((iter_parm
), (TS_DECL_MINIMAL), "/buildworker/marxinbox-gcc-clang-static-analyzer/build/gcc/analyzer/region-model.cc"
, 4605, __FUNCTION__))), (TS_COMMON), "/buildworker/marxinbox-gcc-clang-static-analyzer/build/gcc/analyzer/region-model.cc"
, 4605, __FUNCTION__))->common.chain)), ++idx)
{
 /* If there's a mismatching declaration, the call stmt might
    not have enough args.  Handle this case by leaving the
    rest of the params as uninitialized.  */
 if (idx >= arg_svals->length ())
   break;
 tree parm_lval = iter_parm;
 if (tree parm_default_ssa = ssa_default_def (fun, iter_parm))
   parm_lval = parm_default_ssa;
 const region *parm_reg = get_lvalue (parm_lval, ctxt);
 const svalue *arg_sval = (*arg_svals)[idx];
 set_value (parm_reg, arg_sval, ctxt);
}

    /* Handle any variadic args.  */
    unsigned va_arg_idx = 0;
    for (; idx < arg_svals->length (); idx++, va_arg_idx++)
{
 const svalue *arg_sval = (*arg_svals)[idx];
 const region *var_arg_reg
   = m_mgr->get_var_arg_region (m_current_frame,
			 va_arg_idx);
 set_value (var_arg_reg, arg_sval, ctxt);
}
  }
else
  {
    /* Otherwise we have a top-level call within the analysis.  The params
have defined but unknown initial values.
Anything they point to has escaped.  */
    tree fndecl = fun->decl;

    /* Handle "__attribute__((nonnull))".   */
    tree fntype = TREE_TYPE (fndecl)((contains_struct_check ((fndecl), (TS_TYPED), "/buildworker/marxinbox-gcc-clang-static-analyzer/build/gcc/analyzer/region-model.cc"
, 4639, __FUNCTION__))->typed.type);
    bitmap nonnull_args = get_nonnull_args (fntype);

    unsigned parm_idx = 0;
    for (tree iter_parm = DECL_ARGUMENTS (fndecl)((tree_check ((fndecl), "/buildworker/marxinbox-gcc-clang-static-analyzer/build/gcc/analyzer/region-model.cc"
, 4643, __FUNCTION__, (FUNCTION_DECL)))->function_decl.arguments
); iter_parm;
  iter_parm = DECL_CHAIN (iter_parm)(((contains_struct_check (((contains_struct_check ((iter_parm
), (TS_DECL_MINIMAL), "/buildworker/marxinbox-gcc-clang-static-analyzer/build/gcc/analyzer/region-model.cc"
, 4644, __FUNCTION__))), (TS_COMMON), "/buildworker/marxinbox-gcc-clang-static-analyzer/build/gcc/analyzer/region-model.cc"
, 4644, __FUNCTION__))->common.chain)))
{
 bool non_null = (nonnull_args
	   ? (bitmap_empty_p (nonnull_args)
	      || bitmap_bit_p (nonnull_args, parm_idx))
	   : false);
 if (tree parm_default_ssa = ssa_default_def (fun, iter_parm))
   on_top_level_param (parm_default_ssa, non_null, ctxt);
 else
   on_top_level_param (iter_parm, non_null, ctxt);
 parm_idx++;
}

    BITMAP_FREE (nonnull_args)((void) (bitmap_obstack_free ((bitmap) nonnull_args), (nonnull_args
) = (bitmap) nullptr));
  }

return m_current_frame;
4661}

4663/* Get the function of the top-most frame in this region_model's stack.
 There must be such a frame.  */

4666function *
4667region_model::get_current_function () const
4668{
const frame_region *frame = get_current_frame ();
gcc_assert (frame)((void)(!(frame) ? fancy_abort ("/buildworker/marxinbox-gcc-clang-static-analyzer/build/gcc/analyzer/region-model.cc"
, 4670, __FUNCTION__), 0 : 0));
return frame->get_function ();
4672}

4674/* Pop the topmost frame_region from this region_model's stack;

 If RESULT_LVALUE is non-null, copy any return value from the frame
 into the corresponding region (evaluated with respect to the *caller*
 frame, rather than the called frame).
 If OUT_RESULT is non-null, copy any return value from the frame
 into *OUT_RESULT.

 If EVAL_RETURN_SVALUE is false, then don't evaluate the return value.
 This is for use when unwinding frames e.g. due to longjmp, to suppress
 erroneously reporting uninitialized return values.

 Purge the frame region and all its descendent regions.
 Convert any pointers that point into such regions into
 POISON_KIND_POPPED_STACK svalues.  */

4690void
4691region_model::pop_frame (tree result_lvalue,
	 const svalue **out_result,
	 region_model_context *ctxt,
	 bool eval_return_svalue)
4695{
gcc_assert (m_current_frame)((void)(!(m_current_frame) ? fancy_abort ("/buildworker/marxinbox-gcc-clang-static-analyzer/build/gcc/analyzer/region-model.cc"
, 4696, __FUNCTION__), 0 : 0));

const frame_region *frame_reg = m_current_frame;

/* Notify state machines.  */
if (ctxt)
  ctxt->on_pop_frame (frame_reg);

/* Evaluate the result, within the callee frame.  */
tree fndecl = m_current_frame->get_function ()->decl;
tree result = DECL_RESULT (fndecl)((tree_check ((fndecl), "/buildworker/marxinbox-gcc-clang-static-analyzer/build/gcc/analyzer/region-model.cc"
, 4706, __FUNCTION__, (FUNCTION_DECL)))->decl_non_common.result
);
const svalue *retval = NULLnullptr;
if (result
    && TREE_TYPE (result)((contains_struct_check ((result), (TS_TYPED), "/buildworker/marxinbox-gcc-clang-static-analyzer/build/gcc/analyzer/region-model.cc"
, 4709, __FUNCTION__))->typed.type) != void_type_nodeglobal_trees[TI_VOID_TYPE]
    && eval_return_svalue)
  {
    retval = get_rvalue (result, ctxt);
    if (out_result)
*out_result = retval;
  }

/* Pop the frame.  */
m_current_frame = m_current_frame->get_calling_frame ();

if (result_lvalue && retval)
  {
    gcc_assert (eval_return_svalue)((void)(!(eval_return_svalue) ? fancy_abort ("/buildworker/marxinbox-gcc-clang-static-analyzer/build/gcc/analyzer/region-model.cc"
, 4722, __FUNCTION__), 0 : 0));

    /* Compute result_dst_reg using RESULT_LVALUE *after* popping
the frame, but before poisoning pointers into the old frame.  */
    const region *result_dst_reg = get_lvalue (result_lvalue, ctxt);
    set_value (result_dst_reg, retval, ctxt);
  }

unbind_region_and_descendents (frame_reg,POISON_KIND_POPPED_STACK);
4731}

4733/* Get the number of frames in this region_model's stack.  */

4735int
4736region_model::get_stack_depth () const
4737{
const frame_region *frame = get_current_frame ();
if (frame)
  return frame->get_stack_depth ();
else
  return 0;
4743}

4745/* Get the frame_region with the given index within the stack.
 The frame_region must exist.  */

4748const frame_region *
4749region_model::get_frame_at_index (int index) const
4750{
const frame_region *frame = get_current_frame ();
gcc_assert (frame)((void)(!(frame) ? fancy_abort ("/buildworker/marxinbox-gcc-clang-static-analyzer/build/gcc/analyzer/region-model.cc"
, 4752, __FUNCTION__), 0 : 0));
gcc_assert (index >= 0)((void)(!(index >= 0) ? fancy_abort ("/buildworker/marxinbox-gcc-clang-static-analyzer/build/gcc/analyzer/region-model.cc"
, 4753, __FUNCTION__), 0 : 0));
gcc_assert (index <= frame->get_index ())((void)(!(index <= frame->get_index ()) ? fancy_abort (
"/buildworker/marxinbox-gcc-clang-static-analyzer/build/gcc/analyzer/region-model.cc"
, 4754, __FUNCTION__), 0 : 0));
while (index != frame->get_index ())
  {
    frame = frame->get_calling_frame ();
    gcc_assert (frame)((void)(!(frame) ? fancy_abort ("/buildworker/marxinbox-gcc-clang-static-analyzer/build/gcc/analyzer/region-model.cc"
, 4758, __FUNCTION__), 0 : 0));
  }
return frame;
4761}

4763/* Unbind svalues for any regions in REG and below.
 Find any pointers to such regions; convert them to
 poisoned values of kind PKIND.
 Also purge any dynamic extents.  */

4768void
4769region_model::unbind_region_and_descendents (const region *reg,
			     enum poison_kind pkind)
4771{
/* Gather a set of base regions to be unbound.  */
hash_set<const region *> base_regs;
for (store::cluster_map_t::iterator iter = m_store.begin ();
     iter != m_store.end (); ++iter)
  {
    const region *iter_base_reg = (*iter).first;
    if (iter_base_reg->descendent_of_p (reg))
base_regs.add (iter_base_reg);
  }
for (hash_set<const region *>::iterator iter = base_regs.begin ();
     iter != base_regs.end (); ++iter)
  m_store.purge_cluster (*iter);

/* Find any pointers to REG or its descendents; convert to poisoned.  */
poison_any_pointers_to_descendents (reg, pkind);

/* Purge dynamic extents of any base regions in REG and below
   (e.g. VLAs and alloca stack regions).  */
for (auto iter : m_dynamic_extents)
  {
    const region *iter_reg = iter.first;
    if (iter_reg->descendent_of_p (reg))
unset_dynamic_extents (iter_reg);
  }
4796}

4798/* Implementation of BindingVisitor.
 Update the bound svalues for regions below REG to use poisoned
 values instead.  */

4802struct bad_pointer_finder
4803{
bad_pointer_finder (const region *reg, enum poison_kind pkind,
      region_model_manager *mgr)
: m_reg (reg), m_pkind (pkind), m_mgr (mgr), m_count (0)
{}

void on_binding (const binding_key *, const svalue *&sval)
{
  if (const region_svalue *ptr_sval = sval->dyn_cast_region_svalue ())
    {
const region *ptr_dst = ptr_sval->get_pointee ();
/* Poison ptrs to descendents of REG, but not to REG itself,
  otherwise double-free detection doesn't work (since sm-state
  for "free" is stored on the original ptr svalue).  */
if (ptr_dst->descendent_of_p (m_reg)
   && ptr_dst != m_reg)
 {
   sval = m_mgr->get_or_create_poisoned_svalue (m_pkind,
					 sval->get_type ());
   ++m_count;
 }
    }
}

const region *m_reg;
enum poison_kind m_pkind;
region_model_manager *const m_mgr;
int m_count;
4831};

4833/* Find any pointers to REG or its descendents; convert them to
 poisoned values of kind PKIND.
 Return the number of pointers that were poisoned.  */

4837int
4838region_model::poison_any_pointers_to_descendents (const region *reg,
				   enum poison_kind pkind)
4840{
bad_pointer_finder bv (reg, pkind, m_mgr);
m_store.for_each_binding (bv);
return bv.m_count;
4844}

4846/* Attempt to merge THIS with OTHER_MODEL, writing the result
 to OUT_MODEL.  Use POINT to distinguish values created as a
 result of merging.  */

4850bool
4851region_model::can_merge_with_p (const region_model &other_model,
		const program_point &point,
		region_model *out_model,
		const extrinsic_state *ext_state,
		const program_state *state_a,
		const program_state *state_b) const
4857{
gcc_assert (out_model)((void)(!(out_model) ? fancy_abort ("/buildworker/marxinbox-gcc-clang-static-analyzer/build/gcc/analyzer/region-model.cc"
, 4858, __FUNCTION__), 0 : 0));
gcc_assert (m_mgr == other_model.m_mgr)((void)(!(m_mgr == other_model.m_mgr) ? fancy_abort ("/buildworker/marxinbox-gcc-clang-static-analyzer/build/gcc/analyzer/region-model.cc"
, 4859, __FUNCTION__), 0 : 0));
gcc_assert (m_mgr == out_model->m_mgr)((void)(!(m_mgr == out_model->m_mgr) ? fancy_abort ("/buildworker/marxinbox-gcc-clang-static-analyzer/build/gcc/analyzer/region-model.cc"
, 4860, __FUNCTION__), 0 : 0));

if (m_current_frame != other_model.m_current_frame)
  return false;
out_model->m_current_frame = m_current_frame;

model_merger m (this, &other_model, point, out_model,
  ext_state, state_a, state_b);

if (!store::can_merge_p (&m_store, &other_model.m_store,
	   &out_model->m_store, m_mgr->get_store_manager (),
	   &m))
  return false;

if (!m_dynamic_extents.can_merge_with_p (other_model.m_dynamic_extents,
			   &out_model->m_dynamic_extents))
  return false;

/* Merge constraints.  */
constraint_manager::merge (*m_constraints,
	      *other_model.m_constraints,
	      out_model->m_constraints);

return true;
4884}

4886/* Attempt to get the fndecl used at CALL, if known, or NULL_TREE
 otherwise.  */

4889tree
4890region_model::get_fndecl_for_call (const gcall *call,
		   region_model_context *ctxt)
4892{
tree fn_ptr = gimple_call_fn (call);
if (fn_ptr == NULL_TREE(tree) nullptr)
  return NULL_TREE(tree) nullptr;
const svalue *fn_ptr_sval = get_rvalue (fn_ptr, ctxt);
if (const region_svalue *fn_ptr_ptr
= fn_ptr_sval->dyn_cast_region_svalue ())
  {
    const region *reg = fn_ptr_ptr->get_pointee ();
    if (const function_region *fn_reg = reg->dyn_cast_function_region ())
{
 tree fn_decl = fn_reg->get_fndecl ();
 cgraph_node *node = cgraph_node::get (fn_decl);
 if (!node)
   return NULL_TREE(tree) nullptr;
 const cgraph_node *ultimate_node = node->ultimate_alias_target ();
 if (ultimate_node)
   return ultimate_node->decl;
}
  }

return NULL_TREE(tree) nullptr;
4914}

4916/* Would be much simpler to use a lambda here, if it were supported.  */

4918struct append_regions_cb_data
4919{
const region_model *model;
auto_vec<const decl_region *> *out;
4922};

4924/* Populate *OUT with all decl_regions in the current
 frame that have clusters within the store.  */

4927void
4928region_model::
4929get_regions_for_current_frame (auto_vec<const decl_region *> *out) const
4930{
append_regions_cb_data data;
data.model = this;
data.out = out;
m_store.for_each_cluster (append_regions_cb, &data);
4935}

4937/* Implementation detail of get_regions_for_current_frame.  */

4939void
4940region_model::append_regions_cb (const region *base_reg,
		 append_regions_cb_data *cb_data)
4942{
if (base_reg->get_parent_region () != cb_data->model->m_current_frame)
  return;
if (const decl_region *decl_reg = base_reg->dyn_cast_decl_region ())
  cb_data->out->safe_push (decl_reg);
4947}


4950/* Abstract class for diagnostics related to the use of
 floating-point arithmetic where precision is needed.  */

4953class imprecise_floating_point_arithmetic : public pending_diagnostic
4954{
4955public:
int get_controlling_option () const final override
{
  return OPT_Wanalyzer_imprecise_fp_arithmetic;
}
4960};

4962/* Concrete diagnostic to complain about uses of floating-point arithmetic
 in the size argument of malloc etc.  */

4965class float_as_size_arg : public imprecise_floating_point_arithmetic
4966{
4967public:
float_as_size_arg (tree arg) : m_arg (arg)
{}

const char *get_kind () const final override
{
  return "float_as_size_arg_diagnostic";
}

bool subclass_equal_p (const pending_diagnostic &other) const final override
{
  return same_tree_p (m_arg, ((const float_as_size_arg &) other).m_arg);
}

bool emit (rich_location *rich_loc) final override
{
  diagnostic_metadata m;
  bool warned = warning_meta (rich_loc, m, get_controlling_option (),
		"use of floating-point arithmetic here might"
		" yield unexpected results");
  if (warned)
    inform (rich_loc->get_loc (), "only use operands of an integer type"
		    " inside the size argument");
  return warned;
}

label_text describe_final_event (const evdesc::final_event &ev) final
override
{
  if (m_arg)
    return ev.formatted_print ("operand %qE is of type %qT",
		 m_arg, TREE_TYPE (m_arg)((contains_struct_check ((m_arg), (TS_TYPED), "/buildworker/marxinbox-gcc-clang-static-analyzer/build/gcc/analyzer/region-model.cc"
, 4998, __FUNCTION__))->typed.type));
  return ev.formatted_print ("at least one operand of the size argument is"
	       " of a floating-point type");
}

5003private:
tree m_arg;
5005};

5007/* Visitor to find uses of floating-point variables/constants in an svalue.  */

5009class contains_floating_point_visitor : public visitor
5010{
5011public:
contains_floating_point_visitor (const svalue *root_sval) : m_result (NULLnullptr)
{
  root_sval->accept (this);
}

const svalue *get_svalue_to_report ()
{
  return m_result;
}

void visit_constant_svalue (const constant_svalue *sval) final override
{
  /* At the point the analyzer runs, constant integer operands in a floating
     point expression are already implictly converted to floating-points.
     Thus, we do prefer to report non-constants such that the diagnostic
     always reports a floating-point operand.  */
  tree type = sval->get_type ();
  if (type && FLOAT_TYPE_P (type)((((enum tree_code) (type)->base.code) == REAL_TYPE) || ((
((enum tree_code) (type)->base.code) == COMPLEX_TYPE || ((
(enum tree_code) (type)->base.code) == VECTOR_TYPE)) &&
 (((enum tree_code) (((contains_struct_check ((type), (TS_TYPED
), "/buildworker/marxinbox-gcc-clang-static-analyzer/build/gcc/analyzer/region-model.cc"
, 5029, __FUNCTION__))->typed.type))->base.code) == REAL_TYPE
))) && !m_result)
    m_result = sval;
}

void visit_conjured_svalue (const conjured_svalue *sval) final override
{
  tree type = sval->get_type ();
  if (type && FLOAT_TYPE_P (type)((((enum tree_code) (type)->base.code) == REAL_TYPE) || ((
((enum tree_code) (type)->base.code) == COMPLEX_TYPE || ((
(enum tree_code) (type)->base.code) == VECTOR_TYPE)) &&
 (((enum tree_code) (((contains_struct_check ((type), (TS_TYPED
), "/buildworker/marxinbox-gcc-clang-static-analyzer/build/gcc/analyzer/region-model.cc"
, 5036, __FUNCTION__))->typed.type))->base.code) == REAL_TYPE
))))
    m_result = sval;
}

void visit_initial_svalue (const initial_svalue *sval) final override
{
  tree type = sval->get_type ();
  if (type && FLOAT_TYPE_P (type)((((enum tree_code) (type)->base.code) == REAL_TYPE) || ((
((enum tree_code) (type)->base.code) == COMPLEX_TYPE || ((
(enum tree_code) (type)->base.code) == VECTOR_TYPE)) &&
 (((enum tree_code) (((contains_struct_check ((type), (TS_TYPED
), "/buildworker/marxinbox-gcc-clang-static-analyzer/build/gcc/analyzer/region-model.cc"
, 5043, __FUNCTION__))->typed.type))->base.code) == REAL_TYPE
))))
    m_result = sval;
}

5047private:
/* Non-null if at least one floating-point operand was found.  */
const svalue *m_result;
5050};

5052/* May complain about uses of floating-point operands in SIZE_IN_BYTES.  */

5054void
5055region_model::check_dynamic_size_for_floats (const svalue *size_in_bytes,
			     region_model_context *ctxt) const
5057{
gcc_assert (ctxt)((void)(!(ctxt) ? fancy_abort ("/buildworker/marxinbox-gcc-clang-static-analyzer/build/gcc/analyzer/region-model.cc"
, 5058, __FUNCTION__), 0 : 0));

contains_floating_point_visitor v (size_in_bytes);
if (const svalue *float_sval = v.get_svalue_to_report ())
{
 tree diag_arg = get_representative_tree (float_sval);
 ctxt->warn (make_unique<float_as_size_arg> (diag_arg));
}
5066}

5068/* Return a region describing a heap-allocated block of memory.
 Use CTXT to complain about tainted sizes.

 Reuse an existing heap_allocated_region if it's not being referenced by
 this region_model; otherwise create a new one.  */

5074const region *
5075region_model::get_or_create_region_for_heap_alloc (const svalue *size_in_bytes,
				   region_model_context *ctxt)
5077{
/* Determine which regions are referenced in this region_model, so that
   we can reuse an existing heap_allocated_region if it's not in use on
   this path.  */
auto_bitmap base_regs_in_use;
get_referenced_base_regions (base_regs_in_use);

/* Don't reuse regions that are marked as TOUCHED.  */
for (store::cluster_map_t::iterator iter = m_store.begin ();
     iter != m_store.end (); ++iter)
  if ((*iter).second->touched_p ())
    {
const region *base_reg = (*iter).first;
bitmap_set_bit (base_regs_in_use, base_reg->get_id ());
    }

const region *reg
  = m_mgr->get_or_create_region_for_heap_alloc (base_regs_in_use);
if (size_in_bytes)
  if (compat_types_p (size_in_bytes->get_type (), size_type_nodeglobal_trees[TI_SIZE_TYPE]))
    set_dynamic_extents (reg, size_in_bytes, ctxt);
return reg;
5099}

5101/* Populate OUT_IDS with the set of IDs of those base regions which are
 reachable in this region_model.  */

5104void
5105region_model::get_referenced_base_regions (auto_bitmap &out_ids) const
5106{
reachable_regions reachable_regs (const_cast<region_model *> (this));
m_store.for_each_cluster (reachable_regions::init_cluster_cb,
	    &reachable_regs);
/* Get regions for locals that have explicitly bound values.  */
for (store::cluster_map_t::iterator iter = m_store.begin ();
     iter != m_store.end (); ++iter)
  {
    const region *base_reg = (*iter).first;
    if (const region *parent = base_reg->get_parent_region ())
if (parent->get_kind () == RK_FRAME)
 reachable_regs.add (base_reg, false);
  }

bitmap_clear (out_ids);
for (auto iter_reg : reachable_regs)
  bitmap_set_bit (out_ids, iter_reg->get_id ());
5123}

5125/* Return a new region describing a block of memory allocated within the
 current frame.
 Use CTXT to complain about tainted sizes.  */

5129const region *
5130region_model::create_region_for_alloca (const svalue *size_in_bytes,
			region_model_context *ctxt)
5132{
const region *reg = m_mgr->create_region_for_alloca (m_current_frame);
if (compat_types_p (size_in_bytes->get_type (), size_type_nodeglobal_trees[TI_SIZE_TYPE]))
  set_dynamic_extents (reg, size_in_bytes, ctxt);
return reg;
5137}

5139/* Record that the size of REG is SIZE_IN_BYTES.
 Use CTXT to complain about tainted sizes.  */

5142void
5143region_model::set_dynamic_extents (const region *reg,
		   const svalue *size_in_bytes,
		   region_model_context *ctxt)
5146{
assert_compat_types (size_in_bytes->get_type (), size_type_nodeglobal_trees[TI_SIZE_TYPE]);
if (ctxt)
  {
    check_dynamic_size_for_taint (reg->get_memory_space (), size_in_bytes,
		    ctxt);
    check_dynamic_size_for_floats (size_in_bytes, ctxt);
  }
m_dynamic_extents.put (reg, size_in_bytes);
5155}

5157/* Get the recording of REG in bytes, or NULL if no dynamic size was
 recorded.  */

5160const svalue *
5161region_model::get_dynamic_extents (const region *reg) const
5162{
if (const svalue * const *slot = m_dynamic_extents.get (reg))
  return *slot;
return NULLnullptr;
5166}

5168/* Unset any recorded dynamic size of REG.  */

5170void
5171region_model::unset_dynamic_extents (const region *reg)
5172{
m_dynamic_extents.remove (reg);
5174}

5176/* Information of the layout of a RECORD_TYPE, capturing it as a vector
 of items, where each item is either a field or padding.  */

5179class record_layout
5180{
5181public:
/* An item within a record; either a field, or padding after a field.  */
struct item
{
public:
  item (const bit_range &br,
 tree field,
 bool is_padding)
  : m_bit_range (br),
    m_field (field),
    m_is_padding (is_padding)
  {
  }

  bit_offset_t get_start_bit_offset () const
  {
    return m_bit_range.get_start_bit_offset ();
  }
  bit_offset_t get_next_bit_offset () const
  {
    return m_bit_range.get_next_bit_offset ();
  }

  bool contains_p (bit_offset_t offset) const
  {
    return m_bit_range.contains_p (offset);
  }

  void dump_to_pp (pretty_printer *pp) const
  {
    if (m_is_padding)
pp_printf (pp, "padding after %qD", m_field);
    else
pp_printf (pp, "%qD", m_field);
    pp_string (pp, ", ");
    m_bit_range.dump_to_pp (pp);
  }

  bit_range m_bit_range;
  tree m_field;
  bool m_is_padding;
};

record_layout (tree record_type)
{
  gcc_assert (TREE_CODE (record_type) == RECORD_TYPE)((void)(!(((enum tree_code) (record_type)->base.code) == RECORD_TYPE
) ? fancy_abort ("/buildworker/marxinbox-gcc-clang-static-analyzer/build/gcc/analyzer/region-model.cc"
, 5226, __FUNCTION__), 0 : 0));

  for (tree iter = TYPE_FIELDS (record_type)((tree_check3 ((record_type), "/buildworker/marxinbox-gcc-clang-static-analyzer/build/gcc/analyzer/region-model.cc"
, 5228, __FUNCTION__, (RECORD_TYPE), (UNION_TYPE), (QUAL_UNION_TYPE
)))->type_non_common.values); iter != NULL_TREE(tree) nullptr;
iter = DECL_CHAIN (iter)(((contains_struct_check (((contains_struct_check ((iter), (TS_DECL_MINIMAL
), "/buildworker/marxinbox-gcc-clang-static-analyzer/build/gcc/analyzer/region-model.cc"
, 5229, __FUNCTION__))), (TS_COMMON), "/buildworker/marxinbox-gcc-clang-static-analyzer/build/gcc/analyzer/region-model.cc"
, 5229, __FUNCTION__))->common.chain)))
    {
if (TREE_CODE (iter)((enum tree_code) (iter)->base.code) == FIELD_DECL)
 {
   int iter_field_offset = int_bit_position (iter);
   bit_size_t size_in_bits;
   if (!int_size_in_bits (TREE_TYPE (iter)((contains_struct_check ((iter), (TS_TYPED), "/buildworker/marxinbox-gcc-clang-static-analyzer/build/gcc/analyzer/region-model.cc"
, 5235, __FUNCTION__))->typed.type), &size_in_bits))
     size_in_bits = 0;

   maybe_pad_to (iter_field_offset);

   /* Add field.  */
   m_items.safe_push (item (bit_range (iter_field_offset,
				size_in_bits),
		     iter, false));
 }
    }

  /* Add any trailing padding.  */
  bit_size_t size_in_bits;
  if (int_size_in_bits (record_type, &size_in_bits))
    maybe_pad_to (size_in_bits);
}

void dump_to_pp (pretty_printer *pp) const
{
  unsigned i;
  item *it;
  FOR_EACH_VEC_ELT (m_items, i, it)for (i = 0; (m_items).iterate ((i), &(it)); ++(i))
    {
it->dump_to_pp (pp);
pp_newline (pp);
    }
}

DEBUG_FUNCTION__attribute__ ((__used__)) void dump () const
{
  pretty_printer pp;
  pp_format_decoder (&pp)(&pp)->format_decoder = default_tree_printer;
  pp.buffer->stream = stderrstderr;
  dump_to_pp (&pp);
  pp_flush (&pp);
}

const record_layout::item *get_item_at (bit_offset_t offset) const
{
  unsigned i;
  item *it;
  FOR_EACH_VEC_ELT (m_items, i, it)for (i = 0; (m_items).iterate ((i), &(it)); ++(i))
    if (it->contains_p (offset))
return it;
  return NULLnullptr;
}

5283private:
/* Subroutine of ctor.  Add padding item to NEXT_OFFSET if necessary.  */

void maybe_pad_to (bit_offset_t next_offset)
{
  if (m_items.length () > 0)
    {
const item &last_item = m_items[m_items.length () - 1];
bit_offset_t offset_after_last_item
 = last_item.get_next_bit_offset ();
if (next_offset > offset_after_last_item)
 {
   bit_size_t padding_size
     = next_offset - offset_after_last_item;
   m_items.safe_push (item (bit_range (offset_after_last_item,
				padding_size),
		     last_item.m_field, true));
 }
    }
}

auto_vec<item> m_items;
5305};

5307/* A subclass of pending_diagnostic for complaining about uninitialized data
 being copied across a trust boundary to an untrusted output
 (e.g. copy_to_user infoleaks in the Linux kernel).  */

5311class exposure_through_uninit_copy
: public pending_diagnostic_subclass<exposure_through_uninit_copy>
5313{
5314public:
exposure_through_uninit_copy (const region *src_region,
		const region *dest_region,
		const svalue *copied_sval)
: m_src_region (src_region),
  m_dest_region (dest_region),
  m_copied_sval (copied_sval)
{
  gcc_assert (m_copied_sval->get_kind () == SK_POISONED((void)(!(m_copied_sval->get_kind () == SK_POISONED || m_copied_sval
->get_kind () == SK_COMPOUND) ? fancy_abort ("/buildworker/marxinbox-gcc-clang-static-analyzer/build/gcc/analyzer/region-model.cc"
, 5323, __FUNCTION__), 0 : 0))
|| m_copied_sval->get_kind () == SK_COMPOUND)((void)(!(m_copied_sval->get_kind () == SK_POISONED || m_copied_sval
->get_kind () == SK_COMPOUND) ? fancy_abort ("/buildworker/marxinbox-gcc-clang-static-analyzer/build/gcc/analyzer/region-model.cc"
, 5323, __FUNCTION__), 0 : 0));
}

const char *get_kind () const final override
{
  return "exposure_through_uninit_copy";
}

bool operator== (const exposure_through_uninit_copy &other) const
{
  return (m_src_region == other.m_src_region
   && m_dest_region == other.m_dest_region
   && m_copied_sval == other.m_copied_sval);
}

int get_controlling_option () const final override
{
  return OPT_Wanalyzer_exposure_through_uninit_copy;
}

bool emit (rich_location *rich_loc) final override
{
  diagnostic_metadata m;
  /* CWE-200: Exposure of Sensitive Information to an Unauthorized Actor.  */
  m.add_cwe (200);
  enum memory_space mem_space = get_src_memory_space ();
  bool warned;
  switch (mem_space)
    {
    default:
warned = warning_meta
 (rich_loc, m, get_controlling_option (),
  "potential exposure of sensitive information"
  " by copying uninitialized data across trust boundary");
break;
    case MEMSPACE_STACK:
warned = warning_meta
 (rich_loc, m, get_controlling_option (),
  "potential exposure of sensitive information"
  " by copying uninitialized data from stack across trust boundary");
break;
    case MEMSPACE_HEAP:
warned = warning_meta
 (rich_loc, m, get_controlling_option (),
  "potential exposure of sensitive information"
  " by copying uninitialized data from heap across trust boundary");
break;
    }
  if (warned)
    {
location_t loc = rich_loc->get_loc ();
inform_number_of_uninit_bits (loc);
complain_about_uninit_ranges (loc);

if (mem_space == MEMSPACE_STACK)
 maybe_emit_fixit_hint ();
    }
  return warned;
}

label_text describe_final_event (const evdesc::final_event &) final override
{
  enum memory_space mem_space = get_src_memory_space ();
  switch (mem_space)
    {
    default:
return label_text::borrow ("uninitialized data copied here");

    case MEMSPACE_STACK:
return label_text::borrow ("uninitialized data copied from stack here");

    case MEMSPACE_HEAP:
return label_text::borrow ("uninitialized data copied from heap here");
    }
}

void mark_interesting_stuff (interesting_t *interest) final override
{
  if (m_src_region)
    interest->add_region_creation (m_src_region);
}

5405private:
enum memory_space get_src_memory_space () const
{
  return m_src_region ? m_src_region->get_memory_space () : MEMSPACE_UNKNOWN;
}

bit_size_t calc_num_uninit_bits () const
{
  switch (m_copied_sval->get_kind ())
    {
    default:
gcc_unreachable ()(fancy_abort ("/buildworker/marxinbox-gcc-clang-static-analyzer/build/gcc/analyzer/region-model.cc"
, 5416, __FUNCTION__));
break;
    case SK_POISONED:
{
 const poisoned_svalue *poisoned_sval
   = as_a <const poisoned_svalue *> (m_copied_sval);
 gcc_assert (poisoned_sval->get_poison_kind () == POISON_KIND_UNINIT)((void)(!(poisoned_sval->get_poison_kind () == POISON_KIND_UNINIT
) ? fancy_abort ("/buildworker/marxinbox-gcc-clang-static-analyzer/build/gcc/analyzer/region-model.cc"
, 5422, __FUNCTION__), 0 : 0));

 /* Give up if don't have type information.  */
 if (m_copied_sval->get_type () == NULL_TREE(tree) nullptr)
   return 0;

 bit_size_t size_in_bits;
 if (int_size_in_bits (m_copied_sval->get_type (), &size_in_bits))
   return size_in_bits;

 /* Give up if we can't get the size of the type.  */
 return 0;
}
break;
    case SK_COMPOUND:
{
 const compound_svalue *compound_sval
   = as_a <const compound_svalue *> (m_copied_sval);
 bit_size_t result = 0;
 /* Find keys for uninit svals.  */
 for (auto iter : *compound_sval)
   {
     const svalue *sval = iter.second;
     if (const poisoned_svalue *psval
  = sval->dyn_cast_poisoned_svalue ())
if (psval->get_poison_kind () == POISON_KIND_UNINIT)
  {
    const binding_key *key = iter.first;
    const concrete_binding *ckey
      = key->dyn_cast_concrete_binding ();
    gcc_assert (ckey)((void)(!(ckey) ? fancy_abort ("/buildworker/marxinbox-gcc-clang-static-analyzer/build/gcc/analyzer/region-model.cc"
, 5452, __FUNCTION__), 0 : 0));
    result += ckey->get_size_in_bits ();
  }
   }
 return result;
}
    }
}

void inform_number_of_uninit_bits (location_t loc) const
{
  bit_size_t num_uninit_bits = calc_num_uninit_bits ();
  if (num_uninit_bits <= 0)
    return;
  if (num_uninit_bits % BITS_PER_UNIT(8) == 0)
    {
/* Express in bytes.  */
byte_size_t num_uninit_bytes = num_uninit_bits / BITS_PER_UNIT(8);
if (num_uninit_bytes == 1)
 inform (loc, "1 byte is uninitialized");
else
 inform (loc,
  "%wu bytes are uninitialized", num_uninit_bytes.to_uhwi ());
    }
  else
    {
/* Express in bits.  */
if (num_uninit_bits == 1)
 inform (loc, "1 bit is uninitialized");
else
 inform (loc,
  "%wu bits are uninitialized", num_uninit_bits.to_uhwi ());
    }
}

void complain_about_uninit_ranges (location_t loc) const
{
  if (const compound_svalue *compound_sval
= m_copied_sval->dyn_cast_compound_svalue ())
    {
/* Find keys for uninit svals.  */
auto_vec<const concrete_binding *> uninit_keys;
for (auto iter : *compound_sval)
 {
   const svalue *sval = iter.second;
   if (const poisoned_svalue *psval
= sval->dyn_cast_poisoned_svalue ())
     if (psval->get_poison_kind () == POISON_KIND_UNINIT)
{
  const binding_key *key = iter.first;
  const concrete_binding *ckey
    = key->dyn_cast_concrete_binding ();
  gcc_assert (ckey)((void)(!(ckey) ? fancy_abort ("/buildworker/marxinbox-gcc-clang-static-analyzer/build/gcc/analyzer/region-model.cc"
, 5504, __FUNCTION__), 0 : 0));
  uninit_keys.safe_push (ckey);
}
 }
/* Complain about them in sorted order.  */
uninit_keys.qsort (concrete_binding::cmp_ptr_ptr)qsort (concrete_binding::cmp_ptr_ptr);

std::unique_ptr<record_layout> layout;

tree type = m_copied_sval->get_type ();
if (type && TREE_CODE (type)((enum tree_code) (type)->base.code) == RECORD_TYPE)
 {
   // (std::make_unique is C++14)
   layout = std::unique_ptr<record_layout> (new record_layout (type));

   if (0)
     layout->dump ();
 }

unsigned i;
const concrete_binding *ckey;
FOR_EACH_VEC_ELT (uninit_keys, i, ckey)for (i = 0; (uninit_keys).iterate ((i), &(ckey)); ++(i))
 {
   bit_offset_t start_bit = ckey->get_start_bit_offset ();
   bit_offset_t next_bit = ckey->get_next_bit_offset ();
   complain_about_uninit_range (loc, start_bit, next_bit,
			 layout.get ());
 }
    }
}

void complain_about_uninit_range (location_t loc,
		    bit_offset_t start_bit,
		    bit_offset_t next_bit,
		    const record_layout *layout) const
{
  if (layout)
    {
while (start_bit < next_bit)
 {
   if (const record_layout::item *item
  = layout->get_item_at (start_bit))
     {
gcc_assert (start_bit >= item->get_start_bit_offset ())((void)(!(start_bit >= item->get_start_bit_offset ()) ?
 fancy_abort ("/buildworker/marxinbox-gcc-clang-static-analyzer/build/gcc/analyzer/region-model.cc"
, 5547, __FUNCTION__), 0 : 0));
gcc_assert (start_bit < item->get_next_bit_offset ())((void)(!(start_bit < item->get_next_bit_offset ()) ? fancy_abort
 ("/buildworker/marxinbox-gcc-clang-static-analyzer/build/gcc/analyzer/region-model.cc"
, 5548, __FUNCTION__), 0 : 0));
if (item->get_start_bit_offset () == start_bit
    && item->get_next_bit_offset () <= next_bit)
  complain_about_fully_uninit_item (*item);
else
  complain_about_partially_uninit_item (*item);
start_bit = item->get_next_bit_offset ();
continue;
     }
   else
     break;
 }
    }

  if (start_bit >= next_bit)
    return;

  if (start_bit % 8 == 0 && next_bit % 8 == 0)
    {
/* Express in bytes.  */
byte_offset_t start_byte = start_bit / 8;
byte_offset_t last_byte = (next_bit / 8) - 1;
if (last_byte == start_byte)
 inform (loc,
  "byte %wu is uninitialized",
  start_byte.to_uhwi ());
else
 inform (loc,
  "bytes %wu - %wu are uninitialized",
  start_byte.to_uhwi (),
  last_byte.to_uhwi ());
    }
  else
    {
/* Express in bits.  */
bit_offset_t last_bit = next_bit - 1;
if (last_bit == start_bit)
 inform (loc,
  "bit %wu is uninitialized",
  start_bit.to_uhwi ());
else
 inform (loc,
  "bits %wu - %wu are uninitialized",
  start_bit.to_uhwi (),
  last_bit.to_uhwi ());
    }
}

static void
complain_about_fully_uninit_item (const record_layout::item &item)
{
  tree field = item.m_field;
  bit_size_t num_bits = item.m_bit_range.m_size_in_bits;
  if (item.m_is_padding)
    {
if (num_bits % 8 == 0)
 {
   /* Express in bytes.  */
   byte_size_t num_bytes = num_bits / BITS_PER_UNIT(8);
   if (num_bytes == 1)
     inform (DECL_SOURCE_LOCATION (field)((contains_struct_check ((field), (TS_DECL_MINIMAL), "/buildworker/marxinbox-gcc-clang-static-analyzer/build/gcc/analyzer/region-model.cc"
, 5608, __FUNCTION__))->decl_minimal.locus),
      "padding after field %qD is uninitialized (1 byte)",
      field);
   else
     inform (DECL_SOURCE_LOCATION (field)((contains_struct_check ((field), (TS_DECL_MINIMAL), "/buildworker/marxinbox-gcc-clang-static-analyzer/build/gcc/analyzer/region-model.cc"
, 5612, __FUNCTION__))->decl_minimal.locus),
      "padding after field %qD is uninitialized (%wu bytes)",
      field, num_bytes.to_uhwi ());
 }
else
 {
   /* Express in bits.  */
   if (num_bits == 1)
     inform (DECL_SOURCE_LOCATION (field)((contains_struct_check ((field), (TS_DECL_MINIMAL), "/buildworker/marxinbox-gcc-clang-static-analyzer/build/gcc/analyzer/region-model.cc"
, 5620, __FUNCTION__))->decl_minimal.locus),
      "padding after field %qD is uninitialized (1 bit)",
      field);
   else
     inform (DECL_SOURCE_LOCATION (field)((contains_struct_check ((field), (TS_DECL_MINIMAL), "/buildworker/marxinbox-gcc-clang-static-analyzer/build/gcc/analyzer/region-model.cc"
, 5624, __FUNCTION__))->decl_minimal.locus),
      "padding after field %qD is uninitialized (%wu bits)",
      field, num_bits.to_uhwi ());
 }
    }
  else
    {
if (num_bits % 8 == 0)
 {
   /* Express in bytes.  */
   byte_size_t num_bytes = num_bits / BITS_PER_UNIT(8);
   if (num_bytes == 1)
     inform (DECL_SOURCE_LOCATION (field)((contains_struct_check ((field), (TS_DECL_MINIMAL), "/buildworker/marxinbox-gcc-clang-static-analyzer/build/gcc/analyzer/region-model.cc"
, 5636, __FUNCTION__))->decl_minimal.locus),
      "field %qD is uninitialized (1 byte)", field);
   else
     inform (DECL_SOURCE_LOCATION (field)((contains_struct_check ((field), (TS_DECL_MINIMAL), "/buildworker/marxinbox-gcc-clang-static-analyzer/build/gcc/analyzer/region-model.cc"
, 5639, __FUNCTION__))->decl_minimal.locus),
      "field %qD is uninitialized (%wu bytes)",
      field, num_bytes.to_uhwi ());
 }
else
 {
   /* Express in bits.  */
   if (num_bits == 1)
     inform (DECL_SOURCE_LOCATION (field)((contains_struct_check ((field), (TS_DECL_MINIMAL), "/buildworker/marxinbox-gcc-clang-static-analyzer/build/gcc/analyzer/region-model.cc"
, 5647, __FUNCTION__))->decl_minimal.locus),
      "field %qD is uninitialized (1 bit)", field);
   else
     inform (DECL_SOURCE_LOCATION (field)((contains_struct_check ((field), (TS_DECL_MINIMAL), "/buildworker/marxinbox-gcc-clang-static-analyzer/build/gcc/analyzer/region-model.cc"
, 5650, __FUNCTION__))->decl_minimal.locus),
      "field %qD is uninitialized (%wu bits)",
      field, num_bits.to_uhwi ());
 }
    }
}

static void
complain_about_partially_uninit_item (const record_layout::item &item)
{
  tree field = item.m_field;
  if (item.m_is_padding)
    inform (DECL_SOURCE_LOCATION (field)((contains_struct_check ((field), (TS_DECL_MINIMAL), "/buildworker/marxinbox-gcc-clang-static-analyzer/build/gcc/analyzer/region-model.cc"
, 5662, __FUNCTION__))->decl_minimal.locus),
     "padding after field %qD is partially uninitialized",
     field);
  else
    inform (DECL_SOURCE_LOCATION (field)((contains_struct_check ((field), (TS_DECL_MINIMAL), "/buildworker/marxinbox-gcc-clang-static-analyzer/build/gcc/analyzer/region-model.cc"
, 5666, __FUNCTION__))->decl_minimal.locus),
     "field %qD is partially uninitialized",
     field);
  /* TODO: ideally we'd describe what parts are uninitialized.  */
}

void maybe_emit_fixit_hint () const
{
  if (tree decl = m_src_region->maybe_get_decl ())
    {
gcc_rich_location hint_richloc (DECL_SOURCE_LOCATION (decl)((contains_struct_check ((decl), (TS_DECL_MINIMAL), "/buildworker/marxinbox-gcc-clang-static-analyzer/build/gcc/analyzer/region-model.cc"
, 5676, __FUNCTION__))->decl_minimal.locus));
hint_richloc.add_fixit_insert_after (" = {0}");
inform (&hint_richloc,
"suggest forcing zero-initialization by"
" providing a %<{0}%> initializer");
    }
}

5684private:
const region *m_src_region;
const region *m_dest_region;
const svalue *m_copied_sval;
5688};

5690/* Return true if any part of SVAL is uninitialized.  */

5692static bool
5693contains_uninit_p (const svalue *sval)
5694{
struct uninit_finder : public visitor
{
public:
  uninit_finder () : m_found_uninit (false) {}
  void visit_poisoned_svalue (const poisoned_svalue *sval)
  {
    if (sval->get_poison_kind () == POISON_KIND_UNINIT)
m_found_uninit = true;
  }
  bool m_found_uninit;
};

uninit_finder v;
sval->accept (&v);

return v.m_found_uninit;
5711}

5713/* Function for use by plugins when simulating writing data through a
 pointer to an "untrusted" region DST_REG (and thus crossing a security
 boundary), such as copying data to user space in an OS kernel.

 Check that COPIED_SVAL is fully initialized.  If not, complain about
 an infoleak to CTXT.

 SRC_REG can be NULL; if non-NULL it is used as a hint in the diagnostic
 as to where COPIED_SVAL came from.  */

5723void
5724region_model::maybe_complain_about_infoleak (const region *dst_reg,
			     const svalue *copied_sval,
			     const region *src_reg,
			     region_model_context *ctxt)
5728{
/* Check for exposure.  */
if (contains_uninit_p (copied_sval))
  ctxt->warn (make_unique<exposure_through_uninit_copy> (src_reg,
					   dst_reg,
					   copied_sval));
5734}

5736/* Set errno to a positive symbolic int, as if some error has occurred.  */

5738void
5739region_model::set_errno (const call_details &cd)
5740{
const region *errno_reg = m_mgr->get_errno_region ();
conjured_purge p (this, cd.get_ctxt ());
const svalue *new_errno_sval
  = m_mgr->get_or_create_conjured_svalue (integer_type_nodeinteger_types[itk_int],
			    cd.get_call_stmt (),
			    errno_reg, p);
const svalue *zero
  = m_mgr->get_or_create_int_cst (integer_type_nodeinteger_types[itk_int], 0);
add_constraint (new_errno_sval, GT_EXPR, zero, cd.get_ctxt ());
set_value (errno_reg, new_errno_sval, cd.get_ctxt ());
5751}

5753/* class noop_region_model_context : public region_model_context.  */

5755void
5756noop_region_model_context::add_note (std::unique_ptr<pending_note>)
5757{
5758}

5760void
5761noop_region_model_context::bifurcate (std::unique_ptr<custom_edge_info>)
5762{
5763}

5765void
5766noop_region_model_context::terminate_path ()
5767{
5768}

5770/* struct model_merger.  */

5772/* Dump a multiline representation of this merger to PP.  */

5774void
5775model_merger::dump_to_pp (pretty_printer *pp, bool simple) const
5776{
pp_string (pp, "model A:");
pp_newline (pp);
m_model_a->dump_to_pp (pp, simple, true);
pp_newline (pp);

pp_string (pp, "model B:");
pp_newline (pp);
m_model_b->dump_to_pp (pp, simple, true);
pp_newline (pp);

pp_string (pp, "merged model:");
pp_newline (pp);
m_merged_model->dump_to_pp (pp, simple, true);
pp_newline (pp);
5791}

5793/* Dump a multiline representation of this merger to FILE.  */

5795void
5796model_merger::dump (FILE *fp, bool simple) const
5797{
pretty_printer pp;
pp_format_decoder (&pp)(&pp)->format_decoder = default_tree_printer;
pp_show_color (&pp)(&pp)->show_color = pp_show_color (global_dc->printer)(global_dc->printer)->show_color;
pp.buffer->stream = fp;
dump_to_pp (&pp, simple);
pp_flush (&pp);
5804}

5806/* Dump a multiline representation of this merger to stderr.  */

5808DEBUG_FUNCTION__attribute__ ((__used__)) void
5809model_merger::dump (bool simple) const
5810{
dump (stderrstderr, simple);
5812}

5814/* Return true if it's OK to merge SVAL with other svalues.  */

5816bool
5817model_merger::mergeable_svalue_p (const svalue *sval) const
5818{
if (m_ext_state)
  {
    /* Reject merging svalues that have non-purgable sm-state,
to avoid falsely reporting memory leaks by merging them
with something else.  For example, given a local var "p",
reject the merger of a:
  store_a mapping "p" to a malloc-ed ptr
with:
  store_b mapping "p" to a NULL ptr.  */
    if (m_state_a)
if (!m_state_a->can_purge_p (*m_ext_state, sval))
 return false;
    if (m_state_b)
if (!m_state_b->can_purge_p (*m_ext_state, sval))
 return false;
  }
return true;
5836}

5838} // namespace ana

5840/* Dump RMODEL fully to stderr (i.e. without summarization).  */

5842DEBUG_FUNCTION__attribute__ ((__used__)) void
5843debug (const region_model &rmodel)
5844{
rmodel.dump (false);
5846}

5848/* class rejected_op_constraint : public rejected_constraint.  */

5850void
5851rejected_op_constraint::dump_to_pp (pretty_printer *pp) const
5852{
region_model m (m_model);
const svalue *lhs_sval = m.get_rvalue (m_lhs, NULLnullptr);
const svalue *rhs_sval = m.get_rvalue (m_rhs, NULLnullptr);
lhs_sval->dump_to_pp (pp, true);
pp_printf (pp, " %s ", op_symbol_code (m_op));
rhs_sval->dump_to_pp (pp, true);
5859}

5861/* class rejected_default_case : public rejected_constraint.  */

5863void
5864rejected_default_case::dump_to_pp (pretty_printer *pp) const
5865{
pp_string (pp, "implicit default for enum");
5867}

5869/* class rejected_ranges_constraint : public rejected_constraint.  */

5871void
5872rejected_ranges_constraint::dump_to_pp (pretty_printer *pp) const
5873{
region_model m (m_model);
const svalue *sval = m.get_rvalue (m_expr, NULLnullptr);
sval->dump_to_pp (pp, true);
pp_string (pp, " in ");
m_ranges->dump_to_pp (pp, true);
5879}

5881/* class engine.  */

5883/* engine's ctor.  */

5885engine::engine (const supergraph *sg, logger *logger)
m_sg (sg), m_mgr (logger)
5887{
5888}

5890/* Dump the managed objects by class to LOGGER, and the per-class totals.  */

5892void
5893engine::log_stats (logger *logger) const
5894{
m_mgr.log_stats (logger, true);
5896}

5898namespace ana {

5900#if CHECKING_P1

5902namespace selftest {

5904/* Build a constant tree of the given type from STR.  */

5906static tree
5907build_real_cst_from_string (tree type, const char *str)
5908{
REAL_VALUE_TYPEstruct real_value real;
real_from_string (&real, str);
return build_real (type, real);
5912}

5914/* Append various "interesting" constants to OUT (e.g. NaN).  */

5916static void
5917append_interesting_constants (auto_vec<tree> *out)
5918{
out->safe_push (build_int_cst (integer_type_nodeinteger_types[itk_int], 0));
out->safe_push (build_int_cst (integer_type_nodeinteger_types[itk_int], 42));
out->safe_push (build_int_cst (unsigned_type_nodeinteger_types[itk_unsigned_int], 0));
out->safe_push (build_int_cst (unsigned_type_nodeinteger_types[itk_unsigned_int], 42));
out->safe_push (build_real_cst_from_string (float_type_nodeglobal_trees[TI_FLOAT_TYPE], "QNaN"));
out->safe_push (build_real_cst_from_string (float_type_nodeglobal_trees[TI_FLOAT_TYPE], "-QNaN"));
out->safe_push (build_real_cst_from_string (float_type_nodeglobal_trees[TI_FLOAT_TYPE], "SNaN"));
out->safe_push (build_real_cst_from_string (float_type_nodeglobal_trees[TI_FLOAT_TYPE], "-SNaN"));
out->safe_push (build_real_cst_from_string (float_type_nodeglobal_trees[TI_FLOAT_TYPE], "0.0"));
out->safe_push (build_real_cst_from_string (float_type_nodeglobal_trees[TI_FLOAT_TYPE], "-0.0"));
out->safe_push (build_real_cst_from_string (float_type_nodeglobal_trees[TI_FLOAT_TYPE], "Inf"));
out->safe_push (build_real_cst_from_string (float_type_nodeglobal_trees[TI_FLOAT_TYPE], "-Inf"));
5931}

5933/* Verify that tree_cmp is a well-behaved comparator for qsort, even
 if the underlying constants aren't comparable.  */

5936static void
5937test_tree_cmp_on_constants ()
5938{
auto_vec<tree> csts;
append_interesting_constants (&csts);

/* Try sorting every triple. */
const unsigned num = csts.length ();
for (unsigned i = 0; i < num; i++)
  for (unsigned j = 0; j < num; j++)
    for (unsigned k = 0; k < num; k++)
{
 auto_vec<tree> v (3);
 v.quick_push (csts[i]);
 v.quick_push (csts[j]);
 v.quick_push (csts[k]);
 v.qsort (tree_cmp)qsort (tree_cmp);
}
5954}

5956/* Implementation detail of the ASSERT_CONDITION_* macros.  */

5958void
5959assert_condition (const location &loc,
  region_model &model,
  const svalue *lhs, tree_code op, const svalue *rhs,
  tristate expected)
5963{
tristate actual = model.eval_condition (lhs, op, rhs);
ASSERT_EQ_AT (loc, actual, expected)do { const char *desc_ = "ASSERT_EQ (" "actual" ", " "expected"
 ")"; if ((actual) == (expected)) ::selftest::pass ((loc), desc_
); else ::selftest::fail ((loc), desc_); } while (0);
5966}

5968/* Implementation detail of the ASSERT_CONDITION_* macros.  */

5970void
5971assert_condition (const location &loc,
  region_model &model,
  tree lhs, tree_code op, tree rhs,
  tristate expected)
5975{
tristate actual = model.eval_condition (lhs, op, rhs, NULLnullptr);
ASSERT_EQ_AT (loc, actual, expected)do { const char *desc_ = "ASSERT_EQ (" "actual" ", " "expected"
 ")"; if ((actual) == (expected)) ::selftest::pass ((loc), desc_
); else ::selftest::fail ((loc), desc_); } while (0);
5978}

5980/* Implementation detail of ASSERT_DUMP_TREE_EQ.  */

5982static void
5983assert_dump_tree_eq (const location &loc, tree t, const char *expected)
5984{
auto_fix_quotes sentinel;
pretty_printer pp;
pp_format_decoder (&pp)(&pp)->format_decoder = default_tree_printer;
dump_tree (&pp, t);
ASSERT_STREQ_AT (loc, pp_formatted_text (&pp), expected)do { ::selftest::assert_streq ((loc), "pp_formatted_text (&pp)"
, "expected", (pp_formatted_text (&pp)), (expected)); } while
 (0);
5990}

5992/* Assert that dump_tree (T) is EXPECTED.  */

5994#define ASSERT_DUMP_TREE_EQ(T, EXPECTED)do { assert_dump_tree_eq (((::selftest::location ("/buildworker/marxinbox-gcc-clang-static-analyzer/build/gcc/analyzer/region-model.cc"
, 5994, __FUNCTION__))), (T), (EXPECTED)); } while (0) \
SELFTEST_BEGIN_STMTdo {							\
assert_dump_tree_eq ((SELFTEST_LOCATION(::selftest::location ("/buildworker/marxinbox-gcc-clang-static-analyzer/build/gcc/analyzer/region-model.cc"
, 5996, __FUNCTION__))), (T), (EXPECTED)); \
SELFTEST_END_STMT} while (0)

5999/* Implementation detail of ASSERT_DUMP_EQ.  */

6001static void
6002assert_dump_eq (const location &loc,
const region_model &model,
bool summarize,
const char *expected)
6006{
auto_fix_quotes sentinel;
pretty_printer pp;
pp_format_decoder (&pp)(&pp)->format_decoder = default_tree_printer;

model.dump_to_pp (&pp, summarize, true);
ASSERT_STREQ_AT (loc, pp_formatted_text (&pp), expected)do { ::selftest::assert_streq ((loc), "pp_formatted_text (&pp)"
, "expected", (pp_formatted_text (&pp)), (expected)); } while
 (0);
6013}

6015/* Assert that MODEL.dump_to_pp (SUMMARIZE) is EXPECTED.  */

6017#define ASSERT_DUMP_EQ(MODEL, SUMMARIZE, EXPECTED)do { assert_dump_eq (((::selftest::location ("/buildworker/marxinbox-gcc-clang-static-analyzer/build/gcc/analyzer/region-model.cc"
, 6017, __FUNCTION__))), (MODEL), (SUMMARIZE), (EXPECTED)); }
 while (0) \
SELFTEST_BEGIN_STMTdo {							\
assert_dump_eq ((SELFTEST_LOCATION(::selftest::location ("/buildworker/marxinbox-gcc-clang-static-analyzer/build/gcc/analyzer/region-model.cc"
, 6019, __FUNCTION__))), (MODEL), (SUMMARIZE), (EXPECTED)); \
SELFTEST_END_STMT} while (0)

6022/* Smoketest for region_model::dump_to_pp.  */

6024static void
6025test_dump ()
6026{
region_model_manager mgr;
region_model model (&mgr);

ASSERT_DUMP_EQ (model, false,do { assert_dump_eq (((::selftest::location ("/buildworker/marxinbox-gcc-clang-static-analyzer/build/gcc/analyzer/region-model.cc"
, 6035, __FUNCTION__))), (model), (false), ("stack depth: 0\n"
 "m_called_unknown_fn: FALSE\n" "constraint_manager:\n" "  equiv classes:\n"
 "  constraints:\n")); } while (0)
  "stack depth: 0\n"do { assert_dump_eq (((::selftest::location ("/buildworker/marxinbox-gcc-clang-static-analyzer/build/gcc/analyzer/region-model.cc"
, 6035, __FUNCTION__))), (model), (false), ("stack depth: 0\n"
 "m_called_unknown_fn: FALSE\n" "constraint_manager:\n" "  equiv classes:\n"
 "  constraints:\n")); } while (0)
  "m_called_unknown_fn: FALSE\n"do { assert_dump_eq (((::selftest::location ("/buildworker/marxinbox-gcc-clang-static-analyzer/build/gcc/analyzer/region-model.cc"
, 6035, __FUNCTION__))), (model), (false), ("stack depth: 0\n"
 "m_called_unknown_fn: FALSE\n" "constraint_manager:\n" "  equiv classes:\n"
 "  constraints:\n")); } while (0)
  "constraint_manager:\n"do { assert_dump_eq (((::selftest::location ("/buildworker/marxinbox-gcc-clang-static-analyzer/build/gcc/analyzer/region-model.cc"
, 6035, __FUNCTION__))), (model), (false), ("stack depth: 0\n"
 "m_called_unknown_fn: FALSE\n" "constraint_manager:\n" "  equiv classes:\n"
 "  constraints:\n")); } while (0)
  "  equiv classes:\n"do { assert_dump_eq (((::selftest::location ("/buildworker/marxinbox-gcc-clang-static-analyzer/build/gcc/analyzer/region-model.cc"
, 6035, __FUNCTION__))), (model), (false), ("stack depth: 0\n"
 "m_called_unknown_fn: FALSE\n" "constraint_manager:\n" "  equiv classes:\n"
 "  constraints:\n")); } while (0)
  "  constraints:\n")do { assert_dump_eq (((::selftest::location ("/buildworker/marxinbox-gcc-clang-static-analyzer/build/gcc/analyzer/region-model.cc"
, 6035, __FUNCTION__))), (model), (false), ("stack depth: 0\n"
 "m_called_unknown_fn: FALSE\n" "constraint_manager:\n" "  equiv classes:\n"
 "  constraints:\n")); } while (0);
ASSERT_DUMP_EQ (model, true,do { assert_dump_eq (((::selftest::location ("/buildworker/marxinbox-gcc-clang-static-analyzer/build/gcc/analyzer/region-model.cc"
, 6041, __FUNCTION__))), (model), (true), ("stack depth: 0\n"
 "m_called_unknown_fn: FALSE\n" "constraint_manager:\n" "  equiv classes:\n"
 "  constraints:\n")); } while (0)
  "stack depth: 0\n"do { assert_dump_eq (((::selftest::location ("/buildworker/marxinbox-gcc-clang-static-analyzer/build/gcc/analyzer/region-model.cc"
, 6041, __FUNCTION__))), (model), (true), ("stack depth: 0\n"
 "m_called_unknown_fn: FALSE\n" "constraint_manager:\n" "  equiv classes:\n"
 "  constraints:\n")); } while (0)
  "m_called_unknown_fn: FALSE\n"do { assert_dump_eq (((::selftest::location ("/buildworker/marxinbox-gcc-clang-static-analyzer/build/gcc/analyzer/region-model.cc"
, 6041, __FUNCTION__))), (model), (true), ("stack depth: 0\n"
 "m_called_unknown_fn: FALSE\n" "constraint_manager:\n" "  equiv classes:\n"
 "  constraints:\n")); } while (0)
  "constraint_manager:\n"do { assert_dump_eq (((::selftest::location ("/buildworker/marxinbox-gcc-clang-static-analyzer/build/gcc/analyzer/region-model.cc"
, 6041, __FUNCTION__))), (model), (true), ("stack depth: 0\n"
 "m_called_unknown_fn: FALSE\n" "constraint_manager:\n" "  equiv classes:\n"
 "  constraints:\n")); } while (0)
  "  equiv classes:\n"do { assert_dump_eq (((::selftest::location ("/buildworker/marxinbox-gcc-clang-static-analyzer/build/gcc/analyzer/region-model.cc"
, 6041, __FUNCTION__))), (model), (true), ("stack depth: 0\n"
 "m_called_unknown_fn: FALSE\n" "constraint_manager:\n" "  equiv classes:\n"
 "  constraints:\n")); } while (0)
  "  constraints:\n")do { assert_dump_eq (((::selftest::location ("/buildworker/marxinbox-gcc-clang-static-analyzer/build/gcc/analyzer/region-model.cc"
, 6041, __FUNCTION__))), (model), (true), ("stack depth: 0\n"
 "m_called_unknown_fn: FALSE\n" "constraint_manager:\n" "  equiv classes:\n"
 "  constraints:\n")); } while (0);
6042}

6044/* Helper function for selftests.  Create a struct or union type named NAME,
 with the fields given by the FIELD_DECLS in FIELDS.
 If IS_STRUCT is true create a RECORD_TYPE (aka a struct), otherwise
 create a UNION_TYPE.  */

6049static tree
6050make_test_compound_type (const char *name, bool is_struct,
	 const auto_vec<tree> *fields)
6052{
tree t = make_node (is_struct ? RECORD_TYPE : UNION_TYPE);
TYPE_NAME (t)((tree_class_check ((t), (tcc_type), "/buildworker/marxinbox-gcc-clang-static-analyzer/build/gcc/analyzer/region-model.cc"
, 6054, __FUNCTION__))->type_common.name) = get_identifier (name)(__builtin_constant_p (name) ? get_identifier_with_length ((name
), strlen (name)) : get_identifier (name));
TYPE_SIZE (t)((tree_class_che