|
111
|
1 /* Detect paths through the CFG which can never be executed in a conforming
|
|
|
2 program and isolate them.
|
|
|
3
|
|
|
4 Copyright (C) 2013-2017 Free Software Foundation, Inc.
|
|
|
5
|
|
|
6 This file is part of GCC.
|
|
|
7
|
|
|
8 GCC is free software; you can redistribute it and/or modify
|
|
|
9 it under the terms of the GNU General Public License as published by
|
|
|
10 the Free Software Foundation; either version 3, or (at your option)
|
|
|
11 any later version.
|
|
|
12
|
|
|
13 GCC is distributed in the hope that it will be useful,
|
|
|
14 but WITHOUT ANY WARRANTY; without even the implied warranty of
|
|
|
15 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
|
|
16 GNU General Public License for more details.
|
|
|
17
|
|
|
18 You should have received a copy of the GNU General Public License
|
|
|
19 along with GCC; see the file COPYING3. If not see
|
|
|
20 <http://www.gnu.org/licenses/>. */
|
|
|
21
|
|
|
22 #include "config.h"
|
|
|
23 #include "system.h"
|
|
|
24 #include "coretypes.h"
|
|
|
25 #include "backend.h"
|
|
|
26 #include "tree.h"
|
|
|
27 #include "gimple.h"
|
|
|
28 #include "cfghooks.h"
|
|
|
29 #include "tree-pass.h"
|
|
|
30 #include "ssa.h"
|
|
|
31 #include "diagnostic-core.h"
|
|
|
32 #include "fold-const.h"
|
|
|
33 #include "gimple-iterator.h"
|
|
|
34 #include "gimple-walk.h"
|
|
|
35 #include "tree-ssa.h"
|
|
|
36 #include "cfgloop.h"
|
|
|
37 #include "tree-cfg.h"
|
|
|
38 #include "cfganal.h"
|
|
|
39 #include "intl.h"
|
|
|
40
|
|
|
41
|
|
|
42 static bool cfg_altered;
|
|
|
43
|
|
|
44 /* Callback for walk_stmt_load_store_ops.
|
|
|
45
|
|
|
46 Return TRUE if OP will dereference the tree stored in DATA, FALSE
|
|
|
47 otherwise.
|
|
|
48
|
|
|
49 This routine only makes a superficial check for a dereference. Thus,
|
|
|
50 it must only be used if it is safe to return a false negative. */
|
|
|
51 static bool
|
|
|
52 check_loadstore (gimple *stmt, tree op, tree, void *data)
|
|
|
53 {
|
|
|
54 if ((TREE_CODE (op) == MEM_REF || TREE_CODE (op) == TARGET_MEM_REF)
|
|
|
55 && operand_equal_p (TREE_OPERAND (op, 0), (tree)data, 0))
|
|
|
56 {
|
|
|
57 TREE_THIS_VOLATILE (op) = 1;
|
|
|
58 TREE_SIDE_EFFECTS (op) = 1;
|
|
|
59 update_stmt (stmt);
|
|
|
60 return true;
|
|
|
61 }
|
|
|
62 return false;
|
|
|
63 }
|
|
|
64
|
|
|
65 /* Insert a trap after SI and split the block after the trap. */
|
|
|
66
|
|
|
67 static void
|
|
|
68 insert_trap (gimple_stmt_iterator *si_p, tree op)
|
|
|
69 {
|
|
|
70 /* We want the NULL pointer dereference to actually occur so that
|
|
|
71 code that wishes to catch the signal can do so.
|
|
|
72
|
|
|
73 If the dereference is a load, then there's nothing to do as the
|
|
|
74 LHS will be a throw-away SSA_NAME and the RHS is the NULL dereference.
|
|
|
75
|
|
|
76 If the dereference is a store and we can easily transform the RHS,
|
|
|
77 then simplify the RHS to enable more DCE. Note that we require the
|
|
|
78 statement to be a GIMPLE_ASSIGN which filters out calls on the RHS. */
|
|
|
79 gimple *stmt = gsi_stmt (*si_p);
|
|
|
80 if (walk_stmt_load_store_ops (stmt, (void *)op, NULL, check_loadstore)
|
|
|
81 && is_gimple_assign (stmt)
|
|
|
82 && INTEGRAL_TYPE_P (TREE_TYPE (gimple_assign_lhs (stmt))))
|
|
|
83 {
|
|
|
84 /* We just need to turn the RHS into zero converted to the proper
|
|
|
85 type. */
|
|
|
86 tree type = TREE_TYPE (gimple_assign_lhs (stmt));
|
|
|
87 gimple_assign_set_rhs_code (stmt, INTEGER_CST);
|
|
|
88 gimple_assign_set_rhs1 (stmt, fold_convert (type, integer_zero_node));
|
|
|
89 update_stmt (stmt);
|
|
|
90 }
|
|
|
91
|
|
|
92 gcall *new_stmt
|
|
|
93 = gimple_build_call (builtin_decl_explicit (BUILT_IN_TRAP), 0);
|
|
|
94 gimple_seq seq = NULL;
|
|
|
95 gimple_seq_add_stmt (&seq, new_stmt);
|
|
|
96
|
|
|
97 /* If we had a NULL pointer dereference, then we want to insert the
|
|
|
98 __builtin_trap after the statement, for the other cases we want
|
|
|
99 to insert before the statement. */
|
|
|
100 if (walk_stmt_load_store_ops (stmt, (void *)op,
|
|
|
101 check_loadstore,
|
|
|
102 check_loadstore))
|
|
|
103 {
|
|
|
104 gsi_insert_after (si_p, seq, GSI_NEW_STMT);
|
|
|
105 if (stmt_ends_bb_p (stmt))
|
|
|
106 {
|
|
|
107 split_block (gimple_bb (stmt), stmt);
|
|
|
108 return;
|
|
|
109 }
|
|
|
110 }
|
|
|
111 else
|
|
|
112 gsi_insert_before (si_p, seq, GSI_NEW_STMT);
|
|
|
113
|
|
|
114 split_block (gimple_bb (new_stmt), new_stmt);
|
|
|
115 *si_p = gsi_for_stmt (stmt);
|
|
|
116 }
|
|
|
117
|
|
|
118 /* BB when reached via incoming edge E will exhibit undefined behavior
|
|
|
119 at STMT. Isolate and optimize the path which exhibits undefined
|
|
|
120 behavior.
|
|
|
121
|
|
|
122 Isolation is simple. Duplicate BB and redirect E to BB'.
|
|
|
123
|
|
|
124 Optimization is simple as well. Replace STMT in BB' with an
|
|
|
125 unconditional trap and remove all outgoing edges from BB'.
|
|
|
126
|
|
|
127 If RET_ZERO, do not trap, only return NULL.
|
|
|
128
|
|
|
129 DUPLICATE is a pre-existing duplicate, use it as BB' if it exists.
|
|
|
130
|
|
|
131 Return BB'. */
|
|
|
132
|
|
|
133 basic_block
|
|
|
134 isolate_path (basic_block bb, basic_block duplicate,
|
|
|
135 edge e, gimple *stmt, tree op, bool ret_zero)
|
|
|
136 {
|
|
|
137 gimple_stmt_iterator si, si2;
|
|
|
138 edge_iterator ei;
|
|
|
139 edge e2;
|
|
|
140 bool impossible = true;
|
|
|
141
|
|
|
142 for (si = gsi_start_bb (bb); gsi_stmt (si) != stmt; gsi_next (&si))
|
|
|
143 if (stmt_can_terminate_bb_p (gsi_stmt (si)))
|
|
|
144 {
|
|
|
145 impossible = false;
|
|
|
146 break;
|
|
|
147 }
|
|
|
148 force_edge_cold (e, impossible);
|
|
|
149
|
|
|
150 /* First duplicate BB if we have not done so already and remove all
|
|
|
151 the duplicate's outgoing edges as duplicate is going to unconditionally
|
|
|
152 trap. Removing the outgoing edges is both an optimization and ensures
|
|
|
153 we don't need to do any PHI node updates. */
|
|
|
154 if (!duplicate)
|
|
|
155 {
|
|
|
156 duplicate = duplicate_block (bb, NULL, NULL);
|
|
|
157 bb->frequency = 0;
|
|
|
158 bb->count = profile_count::zero ();
|
|
|
159 if (!ret_zero)
|
|
|
160 for (ei = ei_start (duplicate->succs); (e2 = ei_safe_edge (ei)); )
|
|
|
161 remove_edge (e2);
|
|
|
162 }
|
|
|
163
|
|
|
164 /* Complete the isolation step by redirecting E to reach DUPLICATE. */
|
|
|
165 e2 = redirect_edge_and_branch (e, duplicate);
|
|
|
166 if (e2)
|
|
|
167 {
|
|
|
168 flush_pending_stmts (e2);
|
|
|
169
|
|
|
170 /* Update profile only when redirection is really processed. */
|
|
|
171 bb->frequency += EDGE_FREQUENCY (e);
|
|
|
172 }
|
|
|
173
|
|
|
174 /* There may be more than one statement in DUPLICATE which exhibits
|
|
|
175 undefined behavior. Ultimately we want the first such statement in
|
|
|
176 DUPLCIATE so that we're able to delete as much code as possible.
|
|
|
177
|
|
|
178 So each time we discover undefined behavior in DUPLICATE, search for
|
|
|
179 the statement which triggers undefined behavior. If found, then
|
|
|
180 transform the statement into a trap and delete everything after the
|
|
|
181 statement. If not found, then this particular instance was subsumed by
|
|
|
182 an earlier instance of undefined behavior and there's nothing to do.
|
|
|
183
|
|
|
184 This is made more complicated by the fact that we have STMT, which is in
|
|
|
185 BB rather than in DUPLICATE. So we set up two iterators, one for each
|
|
|
186 block and walk forward looking for STMT in BB, advancing each iterator at
|
|
|
187 each step.
|
|
|
188
|
|
|
189 When we find STMT the second iterator should point to STMT's equivalent in
|
|
|
190 duplicate. If DUPLICATE ends before STMT is found in BB, then there's
|
|
|
191 nothing to do.
|
|
|
192
|
|
|
193 Ignore labels and debug statements. */
|
|
|
194 si = gsi_start_nondebug_after_labels_bb (bb);
|
|
|
195 si2 = gsi_start_nondebug_after_labels_bb (duplicate);
|
|
|
196 while (!gsi_end_p (si) && !gsi_end_p (si2) && gsi_stmt (si) != stmt)
|
|
|
197 {
|
|
|
198 gsi_next_nondebug (&si);
|
|
|
199 gsi_next_nondebug (&si2);
|
|
|
200 }
|
|
|
201
|
|
|
202 /* This would be an indicator that we never found STMT in BB, which should
|
|
|
203 never happen. */
|
|
|
204 gcc_assert (!gsi_end_p (si));
|
|
|
205
|
|
|
206 /* If we did not run to the end of DUPLICATE, then SI points to STMT and
|
|
|
207 SI2 points to the duplicate of STMT in DUPLICATE. Insert a trap
|
|
|
208 before SI2 and remove SI2 and all trailing statements. */
|
|
|
209 if (!gsi_end_p (si2))
|
|
|
210 {
|
|
|
211 if (ret_zero)
|
|
|
212 {
|
|
|
213 greturn *ret = as_a <greturn *> (gsi_stmt (si2));
|
|
|
214 tree zero = build_zero_cst (TREE_TYPE (gimple_return_retval (ret)));
|
|
|
215 gimple_return_set_retval (ret, zero);
|
|
|
216 update_stmt (ret);
|
|
|
217 }
|
|
|
218 else
|
|
|
219 insert_trap (&si2, op);
|
|
|
220 }
|
|
|
221
|
|
|
222 return duplicate;
|
|
|
223 }
|
|
|
224
|
|
|
225 /* Return TRUE if STMT is a div/mod operation using DIVISOR as the divisor.
|
|
|
226 FALSE otherwise. */
|
|
|
227
|
|
|
228 static bool
|
|
|
229 is_divmod_with_given_divisor (gimple *stmt, tree divisor)
|
|
|
230 {
|
|
|
231 /* Only assignments matter. */
|
|
|
232 if (!is_gimple_assign (stmt))
|
|
|
233 return false;
|
|
|
234
|
|
|
235 /* Check for every DIV/MOD expression. */
|
|
|
236 enum tree_code rhs_code = gimple_assign_rhs_code (stmt);
|
|
|
237 if (rhs_code == TRUNC_DIV_EXPR
|
|
|
238 || rhs_code == FLOOR_DIV_EXPR
|
|
|
239 || rhs_code == CEIL_DIV_EXPR
|
|
|
240 || rhs_code == EXACT_DIV_EXPR
|
|
|
241 || rhs_code == ROUND_DIV_EXPR
|
|
|
242 || rhs_code == TRUNC_MOD_EXPR
|
|
|
243 || rhs_code == FLOOR_MOD_EXPR
|
|
|
244 || rhs_code == CEIL_MOD_EXPR
|
|
|
245 || rhs_code == ROUND_MOD_EXPR)
|
|
|
246 {
|
|
|
247 /* Pointer equality is fine when DIVISOR is an SSA_NAME, but
|
|
|
248 not sufficient for constants which may have different types. */
|
|
|
249 if (operand_equal_p (gimple_assign_rhs2 (stmt), divisor, 0))
|
|
|
250 return true;
|
|
|
251 }
|
|
|
252 return false;
|
|
|
253 }
|
|
|
254
|
|
|
255 /* NAME is an SSA_NAME that we have already determined has the value 0 or NULL.
|
|
|
256
|
|
|
257 Return TRUE if USE_STMT uses NAME in a way where a 0 or NULL value results
|
|
|
258 in undefined behavior, FALSE otherwise
|
|
|
259
|
|
|
260 LOC is used for issuing diagnostics. This case represents potential
|
|
|
261 undefined behavior exposed by path splitting and that's reflected in
|
|
|
262 the diagnostic. */
|
|
|
263
|
|
|
264 bool
|
|
|
265 stmt_uses_name_in_undefined_way (gimple *use_stmt, tree name, location_t loc)
|
|
|
266 {
|
|
|
267 /* If we are working with a non pointer type, then see
|
|
|
268 if this use is a DIV/MOD operation using NAME as the
|
|
|
269 divisor. */
|
|
|
270 if (!POINTER_TYPE_P (TREE_TYPE (name)))
|
|
|
271 {
|
|
|
272 if (!flag_non_call_exceptions)
|
|
|
273 return is_divmod_with_given_divisor (use_stmt, name);
|
|
|
274 return false;
|
|
|
275 }
|
|
|
276
|
|
|
277 /* NAME is a pointer, so see if it's used in a context where it must
|
|
|
278 be non-NULL. */
|
|
|
279 bool by_dereference
|
|
|
280 = infer_nonnull_range_by_dereference (use_stmt, name);
|
|
|
281
|
|
|
282 if (by_dereference
|
|
|
283 || infer_nonnull_range_by_attribute (use_stmt, name))
|
|
|
284 {
|
|
|
285
|
|
|
286 if (by_dereference)
|
|
|
287 {
|
|
|
288 warning_at (loc, OPT_Wnull_dereference,
|
|
|
289 "potential null pointer dereference");
|
|
|
290 if (!flag_isolate_erroneous_paths_dereference)
|
|
|
291 return false;
|
|
|
292 }
|
|
|
293 else
|
|
|
294 {
|
|
|
295 if (!flag_isolate_erroneous_paths_attribute)
|
|
|
296 return false;
|
|
|
297 }
|
|
|
298 return true;
|
|
|
299 }
|
|
|
300 return false;
|
|
|
301 }
|
|
|
302
|
|
|
303 /* Return TRUE if USE_STMT uses 0 or NULL in a context which results in
|
|
|
304 undefined behavior, FALSE otherwise.
|
|
|
305
|
|
|
306 These cases are explicit in the IL. */
|
|
|
307
|
|
|
308 bool
|
|
|
309 stmt_uses_0_or_null_in_undefined_way (gimple *stmt)
|
|
|
310 {
|
|
|
311 if (!flag_non_call_exceptions
|
|
|
312 && is_divmod_with_given_divisor (stmt, integer_zero_node))
|
|
|
313 return true;
|
|
|
314
|
|
|
315 /* By passing null_pointer_node, we can use the
|
|
|
316 infer_nonnull_range functions to detect explicit NULL
|
|
|
317 pointer dereferences and other uses where a non-NULL
|
|
|
318 value is required. */
|
|
|
319
|
|
|
320 bool by_dereference
|
|
|
321 = infer_nonnull_range_by_dereference (stmt, null_pointer_node);
|
|
|
322 if (by_dereference
|
|
|
323 || infer_nonnull_range_by_attribute (stmt, null_pointer_node))
|
|
|
324 {
|
|
|
325 if (by_dereference)
|
|
|
326 {
|
|
|
327 location_t loc = gimple_location (stmt);
|
|
|
328 warning_at (loc, OPT_Wnull_dereference,
|
|
|
329 "null pointer dereference");
|
|
|
330 if (!flag_isolate_erroneous_paths_dereference)
|
|
|
331 return false;
|
|
|
332 }
|
|
|
333 else
|
|
|
334 {
|
|
|
335 if (!flag_isolate_erroneous_paths_attribute)
|
|
|
336 return false;
|
|
|
337 }
|
|
|
338 return true;
|
|
|
339 }
|
|
|
340 return false;
|
|
|
341 }
|
|
|
342
|
|
|
343 /* Look for PHI nodes which feed statements in the same block where
|
|
|
344 the value of the PHI node implies the statement is erroneous.
|
|
|
345
|
|
|
346 For example, a NULL PHI arg value which then feeds a pointer
|
|
|
347 dereference.
|
|
|
348
|
|
|
349 When found isolate and optimize the path associated with the PHI
|
|
|
350 argument feeding the erroneous statement. */
|
|
|
351 static void
|
|
|
352 find_implicit_erroneous_behavior (void)
|
|
|
353 {
|
|
|
354 basic_block bb;
|
|
|
355
|
|
|
356 FOR_EACH_BB_FN (bb, cfun)
|
|
|
357 {
|
|
|
358 gphi_iterator si;
|
|
|
359
|
|
|
360 /* Out of an abundance of caution, do not isolate paths to a
|
|
|
361 block where the block has any abnormal outgoing edges.
|
|
|
362
|
|
|
363 We might be able to relax this in the future. We have to detect
|
|
|
364 when we have to split the block with the NULL dereference and
|
|
|
365 the trap we insert. We have to preserve abnormal edges out
|
|
|
366 of the isolated block which in turn means updating PHIs at
|
|
|
367 the targets of those abnormal outgoing edges. */
|
|
|
368 if (has_abnormal_or_eh_outgoing_edge_p (bb))
|
|
|
369 continue;
|
|
|
370
|
|
|
371
|
|
|
372 /* If BB has an edge to itself, then duplication of BB below
|
|
|
373 could result in reallocation of BB's PHI nodes. If that happens
|
|
|
374 then the loop below over the PHIs would use the old PHI and
|
|
|
375 thus invalid information. We don't have a good way to know
|
|
|
376 if a PHI has been reallocated, so just avoid isolation in
|
|
|
377 this case. */
|
|
|
378 if (find_edge (bb, bb))
|
|
|
379 continue;
|
|
|
380
|
|
|
381 /* First look for a PHI which sets a pointer to NULL and which
|
|
|
382 is then dereferenced within BB. This is somewhat overly
|
|
|
383 conservative, but probably catches most of the interesting
|
|
|
384 cases. */
|
|
|
385 for (si = gsi_start_phis (bb); !gsi_end_p (si); gsi_next (&si))
|
|
|
386 {
|
|
|
387 gphi *phi = si.phi ();
|
|
|
388 tree lhs = gimple_phi_result (phi);
|
|
|
389
|
|
|
390 /* PHI produces a pointer result. See if any of the PHI's
|
|
|
391 arguments are NULL.
|
|
|
392
|
|
|
393 When we remove an edge, we want to reprocess the current
|
|
|
394 index, hence the ugly way we update I for each iteration. */
|
|
|
395 basic_block duplicate = NULL;
|
|
|
396 for (unsigned i = 0, next_i = 0;
|
|
|
397 i < gimple_phi_num_args (phi);
|
|
|
398 i = next_i)
|
|
|
399 {
|
|
|
400 tree op = gimple_phi_arg_def (phi, i);
|
|
|
401 edge e = gimple_phi_arg_edge (phi, i);
|
|
|
402 imm_use_iterator iter;
|
|
|
403 gimple *use_stmt;
|
|
|
404
|
|
|
405 next_i = i + 1;
|
|
|
406
|
|
|
407 if (TREE_CODE (op) == ADDR_EXPR)
|
|
|
408 {
|
|
|
409 tree valbase = get_base_address (TREE_OPERAND (op, 0));
|
|
|
410 if ((VAR_P (valbase) && !is_global_var (valbase))
|
|
|
411 || TREE_CODE (valbase) == PARM_DECL)
|
|
|
412 {
|
|
|
413 FOR_EACH_IMM_USE_STMT (use_stmt, iter, lhs)
|
|
|
414 {
|
|
|
415 greturn *return_stmt
|
|
|
416 = dyn_cast <greturn *> (use_stmt);
|
|
|
417 if (!return_stmt)
|
|
|
418 continue;
|
|
|
419
|
|
|
420 if (gimple_return_retval (return_stmt) != lhs)
|
|
|
421 continue;
|
|
|
422
|
|
|
423 if (warning_at (gimple_location (use_stmt),
|
|
|
424 OPT_Wreturn_local_addr,
|
|
|
425 "function may return address "
|
|
|
426 "of local variable"))
|
|
|
427 inform (DECL_SOURCE_LOCATION(valbase),
|
|
|
428 "declared here");
|
|
|
429
|
|
|
430 if (gimple_bb (use_stmt) == bb)
|
|
|
431 {
|
|
|
432 duplicate = isolate_path (bb, duplicate, e,
|
|
|
433 use_stmt, lhs, true);
|
|
|
434
|
|
|
435 /* When we remove an incoming edge, we need to
|
|
|
436 reprocess the Ith element. */
|
|
|
437 next_i = i;
|
|
|
438 cfg_altered = true;
|
|
|
439 }
|
|
|
440 }
|
|
|
441 }
|
|
|
442 }
|
|
|
443
|
|
|
444 if (!integer_zerop (op))
|
|
|
445 continue;
|
|
|
446
|
|
|
447 location_t phi_arg_loc = gimple_phi_arg_location (phi, i);
|
|
|
448
|
|
|
449 /* We've got a NULL PHI argument. Now see if the
|
|
|
450 PHI's result is dereferenced within BB. */
|
|
|
451 FOR_EACH_IMM_USE_STMT (use_stmt, iter, lhs)
|
|
|
452 {
|
|
|
453 /* We only care about uses in BB. Catching cases in
|
|
|
454 in other blocks would require more complex path
|
|
|
455 isolation code. */
|
|
|
456 if (gimple_bb (use_stmt) != bb)
|
|
|
457 continue;
|
|
|
458
|
|
|
459 location_t loc = gimple_location (use_stmt)
|
|
|
460 ? gimple_location (use_stmt)
|
|
|
461 : phi_arg_loc;
|
|
|
462
|
|
|
463 if (stmt_uses_name_in_undefined_way (use_stmt, lhs, loc))
|
|
|
464 {
|
|
|
465 duplicate = isolate_path (bb, duplicate, e,
|
|
|
466 use_stmt, lhs, false);
|
|
|
467
|
|
|
468 /* When we remove an incoming edge, we need to
|
|
|
469 reprocess the Ith element. */
|
|
|
470 next_i = i;
|
|
|
471 cfg_altered = true;
|
|
|
472 }
|
|
|
473 }
|
|
|
474 }
|
|
|
475 }
|
|
|
476 }
|
|
|
477 }
|
|
|
478
|
|
|
479 /* Look for statements which exhibit erroneous behavior. For example
|
|
|
480 a NULL pointer dereference.
|
|
|
481
|
|
|
482 When found, optimize the block containing the erroneous behavior. */
|
|
|
483 static void
|
|
|
484 find_explicit_erroneous_behavior (void)
|
|
|
485 {
|
|
|
486 basic_block bb;
|
|
|
487
|
|
|
488 FOR_EACH_BB_FN (bb, cfun)
|
|
|
489 {
|
|
|
490 gimple_stmt_iterator si;
|
|
|
491
|
|
|
492 /* Out of an abundance of caution, do not isolate paths to a
|
|
|
493 block where the block has any abnormal outgoing edges.
|
|
|
494
|
|
|
495 We might be able to relax this in the future. We have to detect
|
|
|
496 when we have to split the block with the NULL dereference and
|
|
|
497 the trap we insert. We have to preserve abnormal edges out
|
|
|
498 of the isolated block which in turn means updating PHIs at
|
|
|
499 the targets of those abnormal outgoing edges. */
|
|
|
500 if (has_abnormal_or_eh_outgoing_edge_p (bb))
|
|
|
501 continue;
|
|
|
502
|
|
|
503 /* Now look at the statements in the block and see if any of
|
|
|
504 them explicitly dereference a NULL pointer. This happens
|
|
|
505 because of jump threading and constant propagation. */
|
|
|
506 for (si = gsi_start_bb (bb); !gsi_end_p (si); gsi_next (&si))
|
|
|
507 {
|
|
|
508 gimple *stmt = gsi_stmt (si);
|
|
|
509
|
|
|
510 if (stmt_uses_0_or_null_in_undefined_way (stmt))
|
|
|
511 {
|
|
|
512 insert_trap (&si, null_pointer_node);
|
|
|
513 bb = gimple_bb (gsi_stmt (si));
|
|
|
514
|
|
|
515 /* Ignore any more operands on this statement and
|
|
|
516 continue the statement iterator (which should
|
|
|
517 terminate its loop immediately. */
|
|
|
518 cfg_altered = true;
|
|
|
519 break;
|
|
|
520 }
|
|
|
521
|
|
|
522 /* Detect returning the address of a local variable. This only
|
|
|
523 becomes undefined behavior if the result is used, so we do not
|
|
|
524 insert a trap and only return NULL instead. */
|
|
|
525 if (greturn *return_stmt = dyn_cast <greturn *> (stmt))
|
|
|
526 {
|
|
|
527 tree val = gimple_return_retval (return_stmt);
|
|
|
528 if (val && TREE_CODE (val) == ADDR_EXPR)
|
|
|
529 {
|
|
|
530 tree valbase = get_base_address (TREE_OPERAND (val, 0));
|
|
|
531 if ((VAR_P (valbase) && !is_global_var (valbase))
|
|
|
532 || TREE_CODE (valbase) == PARM_DECL)
|
|
|
533 {
|
|
|
534 /* We only need it for this particular case. */
|
|
|
535 calculate_dominance_info (CDI_POST_DOMINATORS);
|
|
|
536 const char* msg;
|
|
|
537 bool always_executed = dominated_by_p
|
|
|
538 (CDI_POST_DOMINATORS,
|
|
|
539 single_succ (ENTRY_BLOCK_PTR_FOR_FN (cfun)), bb);
|
|
|
540 if (always_executed)
|
|
|
541 msg = N_("function returns address of local variable");
|
|
|
542 else
|
|
|
543 msg = N_("function may return address of "
|
|
|
544 "local variable");
|
|
|
545
|
|
|
546 if (warning_at (gimple_location (stmt),
|
|
|
547 OPT_Wreturn_local_addr, msg))
|
|
|
548 inform (DECL_SOURCE_LOCATION(valbase), "declared here");
|
|
|
549 tree zero = build_zero_cst (TREE_TYPE (val));
|
|
|
550 gimple_return_set_retval (return_stmt, zero);
|
|
|
551 update_stmt (stmt);
|
|
|
552 }
|
|
|
553 }
|
|
|
554 }
|
|
|
555 }
|
|
|
556 }
|
|
|
557 }
|
|
|
558
|
|
|
559 /* Search the function for statements which, if executed, would cause
|
|
|
560 the program to fault such as a dereference of a NULL pointer.
|
|
|
561
|
|
|
562 Such a program can't be valid if such a statement was to execute
|
|
|
563 according to ISO standards.
|
|
|
564
|
|
|
565 We detect explicit NULL pointer dereferences as well as those implied
|
|
|
566 by a PHI argument having a NULL value which unconditionally flows into
|
|
|
567 a dereference in the same block as the PHI.
|
|
|
568
|
|
|
569 In the former case we replace the offending statement with an
|
|
|
570 unconditional trap and eliminate the outgoing edges from the statement's
|
|
|
571 basic block. This may expose secondary optimization opportunities.
|
|
|
572
|
|
|
573 In the latter case, we isolate the path(s) with the NULL PHI
|
|
|
574 feeding the dereference. We can then replace the offending statement
|
|
|
575 and eliminate the outgoing edges in the duplicate. Again, this may
|
|
|
576 expose secondary optimization opportunities.
|
|
|
577
|
|
|
578 A warning for both cases may be advisable as well.
|
|
|
579
|
|
|
580 Other statically detectable violations of the ISO standard could be
|
|
|
581 handled in a similar way, such as out-of-bounds array indexing. */
|
|
|
582
|
|
|
583 static unsigned int
|
|
|
584 gimple_ssa_isolate_erroneous_paths (void)
|
|
|
585 {
|
|
|
586 initialize_original_copy_tables ();
|
|
|
587
|
|
|
588 /* Search all the blocks for edges which, if traversed, will
|
|
|
589 result in undefined behavior. */
|
|
|
590 cfg_altered = false;
|
|
|
591
|
|
|
592 /* First handle cases where traversal of a particular edge
|
|
|
593 triggers undefined behavior. These cases require creating
|
|
|
594 duplicate blocks and thus new SSA_NAMEs.
|
|
|
595
|
|
|
596 We want that process complete prior to the phase where we start
|
|
|
597 removing edges from the CFG. Edge removal may ultimately result in
|
|
|
598 removal of PHI nodes and thus releasing SSA_NAMEs back to the
|
|
|
599 name manager.
|
|
|
600
|
|
|
601 If the two processes run in parallel we could release an SSA_NAME
|
|
|
602 back to the manager but we could still have dangling references
|
|
|
603 to the released SSA_NAME in unreachable blocks.
|
|
|
604 that any released names not have dangling references in the IL. */
|
|
|
605 find_implicit_erroneous_behavior ();
|
|
|
606 find_explicit_erroneous_behavior ();
|
|
|
607
|
|
|
608 free_original_copy_tables ();
|
|
|
609
|
|
|
610 /* We scramble the CFG and loop structures a bit, clean up
|
|
|
611 appropriately. We really should incrementally update the
|
|
|
612 loop structures, in theory it shouldn't be that hard. */
|
|
|
613 free_dominance_info (CDI_POST_DOMINATORS);
|
|
|
614 if (cfg_altered)
|
|
|
615 {
|
|
|
616 free_dominance_info (CDI_DOMINATORS);
|
|
|
617 loops_state_set (LOOPS_NEED_FIXUP);
|
|
|
618 return TODO_cleanup_cfg | TODO_update_ssa;
|
|
|
619 }
|
|
|
620 return 0;
|
|
|
621 }
|
|
|
622
|
|
|
623 namespace {
|
|
|
624 const pass_data pass_data_isolate_erroneous_paths =
|
|
|
625 {
|
|
|
626 GIMPLE_PASS, /* type */
|
|
|
627 "isolate-paths", /* name */
|
|
|
628 OPTGROUP_NONE, /* optinfo_flags */
|
|
|
629 TV_ISOLATE_ERRONEOUS_PATHS, /* tv_id */
|
|
|
630 ( PROP_cfg | PROP_ssa ), /* properties_required */
|
|
|
631 0, /* properties_provided */
|
|
|
632 0, /* properties_destroyed */
|
|
|
633 0, /* todo_flags_start */
|
|
|
634 0, /* todo_flags_finish */
|
|
|
635 };
|
|
|
636
|
|
|
637 class pass_isolate_erroneous_paths : public gimple_opt_pass
|
|
|
638 {
|
|
|
639 public:
|
|
|
640 pass_isolate_erroneous_paths (gcc::context *ctxt)
|
|
|
641 : gimple_opt_pass (pass_data_isolate_erroneous_paths, ctxt)
|
|
|
642 {}
|
|
|
643
|
|
|
644 /* opt_pass methods: */
|
|
|
645 opt_pass * clone () { return new pass_isolate_erroneous_paths (m_ctxt); }
|
|
|
646 virtual bool gate (function *)
|
|
|
647 {
|
|
|
648 /* If we do not have a suitable builtin function for the trap statement,
|
|
|
649 then do not perform the optimization. */
|
|
|
650 return (flag_isolate_erroneous_paths_dereference != 0
|
|
|
651 || flag_isolate_erroneous_paths_attribute != 0
|
|
|
652 || warn_null_dereference);
|
|
|
653 }
|
|
|
654
|
|
|
655 virtual unsigned int execute (function *)
|
|
|
656 {
|
|
|
657 return gimple_ssa_isolate_erroneous_paths ();
|
|
|
658 }
|
|
|
659
|
|
|
660 }; // class pass_isolate_erroneous_paths
|
|
|
661 }
|
|
|
662
|
|
|
663 gimple_opt_pass *
|
|
|
664 make_pass_isolate_erroneous_paths (gcc::context *ctxt)
|
|
|
665 {
|
|
|
666 return new pass_isolate_erroneous_paths (ctxt);
|
|
|
667 }
|
