[Bug analyzer/99771] Analyzer diagnostics should not say ""
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=99771

--- Comment #5 from CVS Commits ---
The master branch has been updated by David Malcolm:

https://gcc.gnu.org/g:b7175f36812b32d3de242f15c065b9cb68e957a9

commit r12-7541-gb7175f36812b32d3de242f15c065b9cb68e957a9
Author: David Malcolm
Date:   Tue Mar 8 14:16:48 2022 -0500

    analyzer: more test coverage of leak detection [PR99771]

    gcc/testsuite/ChangeLog:
        PR analyzer/99771
        * gcc.dg/analyzer/leak-4.c: New test.

    Signed-off-by: David Malcolm
--- Comment #4 from CVS Commits ---
The master branch has been updated by David Malcolm:

https://gcc.gnu.org/g:0af37ad4422052be4b7f779737e14c80e57d0ad9

commit r12-7525-g0af37ad4422052be4b7f779737e14c80e57d0ad9
Author: David Malcolm
Date:   Mon Mar 7 14:19:30 2022 -0500

    analyzer: fix leak suppression at end of 'main' [PR101983]

    PR analyzer/101983 reports what I thought were false positives from
    -Wanalyzer-malloc-leak, but on closer inspection, the analyzer is
    correctly reporting heap-allocated buffers that are no longer reachable.

    However, these "leaks" occur at the end of "main".

    The analyzer already has some logic to avoid reporting leaks at the end
    of main, where the leak is detected at the end of the EXIT basic block.
    However, in this case, the leak is detected at the clobber in BB 2 here:

       :
      func ();
      res ={v} {CLOBBER(eol)};
      _4 = 0;

       :
      :
      return _4;

    where we have a chain BB 2 -> BB 3 -> EXIT BB.

    This patch generalizes the "are we at the end of 'main'" detection to
    handle such cases, silencing -Wanalyzer-malloc-leak on them.

    There's a remaining issue where the analyzer unhelpfully describes one
    of the leaking values as '', rather than 'res.a', but I'm leaving that
    for a followup (covered by PR analyzer/99771).

    gcc/analyzer/ChangeLog:
        PR analyzer/101983
        * engine.cc (returning_from_function_p): New.
        (impl_region_model_context::on_state_leak): Use it when rejecting
        leaks at the return from "main".

    gcc/testsuite/ChangeLog:
        PR analyzer/101983
        * gcc.dg/analyzer/pr101983-main.c: New test.
        * gcc.dg/analyzer/pr101983-not-main.c: New test.

    Signed-off-by: David Malcolm
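An added example (not one of the GCC test cases, and not code from the commit above) of the pattern that commit discusses: a local struct holding a heap pointer that is clobbered on return, once in a helper, where -Wanalyzer-malloc-leak is expected to report the lost buffer, and once at the end of main, where the commit's suppression applies. The names `struct res`, field `a`, and the helper functions are constructed for illustration; compile with `gcc -fanalyzer -c` to see the analyzer's verdict on each.

```c
/* Added example, not from the GCC test suite: the end-of-'main' leak
   pattern the commit above describes, in a form you can feed to
   `gcc -fanalyzer -c`.  `struct res`, its field `a` and the helper
   names are constructed for illustration. */
#include <stdlib.h>

struct res {
    char *a;   /* heap buffer: the `res.a` the commit message refers to */
};

/* Constructed helper: hands back a struct whose only member owns heap memory. */
static struct res make_res(size_t n)
{
    struct res r;
    r.a = malloc(n);
    return r;
}

/* Same pattern outside 'main': `res` is clobbered on return and its buffer
   becomes unreachable, so -Wanalyzer-malloc-leak is expected to report it
   (the commit's suppression applies only to returning from 'main'). */
int leak_in_helper(void)
{
    struct res res = make_res(16);
    if (res.a == NULL)
        return 1;
    return 0;   /* res.a is lost here */
}

/* Corrected form: release the buffer before the local goes out of scope. */
int no_leak_in_helper(void)
{
    struct res res = make_res(16);
    if (res.a == NULL)
        return 1;
    free(res.a);
    return 0;
}

/* The case the commit silences: the local is clobbered at the end of 'main'
   (GIMPLE: res ={v} {CLOBBER(eol)}; _4 = 0; return _4;), and the process
   is exiting anyway, so the analyzer no longer reports res.a as a leak. */
int main(void)
{
    struct res res = make_res(16);
    if (res.a == NULL)
        return 1;
    return 0;
}
```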
--- Comment #3 from David Malcolm ---
The above patch fixes some of the occurrences of the bug (due to (b)), but not those due to (a), so keeping this bug open.
--- Comment #2 from CVS Commits ---
The master branch has been updated by David Malcolm:

https://gcc.gnu.org/g:e4bb1bd60a9fd1bed36092a990aa5fed5d45bfa6

commit r11-7941-ge4bb1bd60a9fd1bed36092a990aa5fed5d45bfa6
Author: David Malcolm
Date:   Mon Mar 29 16:13:32 2021 -0400

    analyzer: avoid printing '' for SSA names [PR99771]

    We don't want to print '' in our diagnostics, but PR analyzer/99771
    lists various cases where -fanalyzer does, due to using the SSA_NAME
    for a temporary when determining the best tree to use.

    This can happen in two ways:

    (a) ...when a better expression than the SSA_NAME could be built, but
    finding it requires traversing the relationships in the region_model
    in a graph-like way, rather than by considering individual svalues
    and regions.

    (b) ...when the only remaining user of the underlying svalue is the
    SSA_NAME, typically due to the diagnostic referring to a temporary.

    I've been experimenting with fixing (a), but don't have a good fix yet.

    In the meantime, this patch addresses (b) by detecting if we have the
    SSA_NAME for a temporary, and, for the cases where it's possible,
    reconstructing a tree by walking the def-stmts.

    This fixes various cases of (b) and ameliorates some cases of (a).

    gcc/analyzer/ChangeLog:
        PR analyzer/99771
        * analyzer.cc (maybe_reconstruct_from_def_stmt): New.
        (fixup_tree_for_diagnostic_1): New.
        (fixup_tree_for_diagnostic): New.
        * analyzer.h (fixup_tree_for_diagnostic): New decl.
        * checker-path.cc (call_event::get_desc): Call
        fixup_tree_for_diagnostic and use it for the call_with_state call.
        (warning_event::get_desc): Likewise for the final_event and
        make_label_text calls.
        * engine.cc (impl_region_model_context::on_state_leak): Likewise
        for the on_leak and add_diagnostic calls.
        * region-model.cc (region_model::get_representative_tree):
        Likewise for the result.

    gcc/testsuite/ChangeLog:
        PR analyzer/99771
        * gcc.dg/analyzer/data-model-10.c: Update expected output.
        * gcc.dg/analyzer/malloc-ipa-13.c: Likewise.
        * gcc.dg/analyzer/malloc-ipa-13a.c: New test.
        * gcc.dg/analyzer/pr99771-1.c: New test.
--- Comment #1 from CVS Commits ---
The master branch has been updated by David Malcolm:

https://gcc.gnu.org/g:0f9aa35c79a0fe195d5076375b5794246cf44819

commit r11-7917-g0f9aa35c79a0fe195d5076375b5794246cf44819
Author: David Malcolm
Date:   Fri Mar 26 13:26:15 2021 -0400

    analyzer: only call get_diagnostic_tree when it's needed

    impl_sm_context::get_diagnostic_tree could be expensive, and I find
    myself needing to put a breakpoint on it to debug PR analyzer/99771,
    so only call it if we're about to use the result.

    gcc/analyzer/ChangeLog:
        * sm-file.cc (fileptr_state_machine::on_stmt): Only call
        get_diagnostic_tree if the result will be used.
        * sm-malloc.cc (malloc_state_machine::on_stmt): Likewise.
        (malloc_state_machine::on_deallocator_call): Likewise.
        (malloc_state_machine::on_realloc_call): Likewise.
        (malloc_state_machine::on_realloc_call): Likewise.
        * sm-sensitive.cc (sensitive_state_machine::warn_for_any_exposure):
        Likewise.
        * sm-taint.cc (taint_state_machine::on_stmt): Likewise.
David Malcolm changed:

             What    |Removed     |Added
  -------------------+------------+-----------
    Ever confirmed   |0           |1
    Last reconfirmed |            |2021-03-25
    Status           |UNCONFIRMED |ASSIGNED