blob: 726684e472aaab88fa42ffb1d61344c25949ec42 [file] [log] [blame] [edit]
/* Predicate aware uninitialized variable warning.
Copyright (C) 2001-2024 Free Software Foundation, Inc.
Contributed by Xinliang David Li <davidxl@google.com>
This file is part of GCC.
GCC is free software; you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
the Free Software Foundation; either version 3, or (at your option)
any later version.
GCC is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
GNU General Public License for more details.
You should have received a copy of the GNU General Public License
along with GCC; see the file COPYING3. If not see
<http://www.gnu.org/licenses/>. */
#define INCLUDE_STRING
#include "config.h"
#include "system.h"
#include "coretypes.h"
#include "backend.h"
#include "tree.h"
#include "gimple.h"
#include "tree-pass.h"
#include "ssa.h"
#include "gimple-pretty-print.h"
#include "diagnostic-core.h"
#include "fold-const.h"
#include "gimple-iterator.h"
#include "tree-ssa.h"
#include "tree-cfg.h"
#include "cfghooks.h"
#include "attribs.h"
#include "builtins.h"
#include "calls.h"
#include "gimple-range.h"
#include "gimple-predicate-analysis.h"
#include "domwalk.h"
#include "tree-ssa-sccvn.h"
#include "cfganal.h"
/* This implements the pass that does predicate aware warning on uses of
possibly uninitialized variables. The pass first collects the set of
possibly uninitialized SSA names. For each such name, it walks through
all its immediate uses. For each immediate use, it rebuilds the condition
expression (the predicate) that guards the use. The predicate is then
examined to see if the variable is always defined under that same condition.
This is done either by pruning the unrealizable paths that lead to the
default definitions or by checking if the predicate set that guards the
defining paths is a superset of the use predicate. */
/* Pointer set of potentially undefined ssa names, i.e.,
ssa names that are defined by phi with operands that
are not defined or potentially undefined. */
static hash_set<tree> *possibly_undefined_names;
static hash_map<gphi *, uninit_analysis::func_t::phi_arg_set_t> *defined_args;
/* Returns the first bit position (starting from LSB)
in mask that is non zero. Returns -1 if the mask is empty. */
static int
get_mask_first_set_bit (unsigned mask)
{
int pos = 0;
if (mask == 0)
return -1;
while ((mask & (1 << pos)) == 0)
pos++;
return pos;
}
#define MASK_FIRST_SET_BIT(mask) get_mask_first_set_bit (mask)
/* Return true if T, an SSA_NAME, has an undefined value. */
static bool
has_undefined_value_p (tree t)
{
return (ssa_undefined_value_p (t)
|| (possibly_undefined_names
&& possibly_undefined_names->contains (t)));
}
/* Return true if EXPR should suppress either uninitialized warning. */
static inline bool
get_no_uninit_warning (tree expr)
{
return warning_suppressed_p (expr, OPT_Wuninitialized);
}
/* Suppress both uninitialized warnings for EXPR. */
static inline void
set_no_uninit_warning (tree expr)
{
suppress_warning (expr, OPT_Wuninitialized);
}
/* Like has_undefined_value_p, but don't return true if the no-warning
bit is set on SSA_NAME_VAR for either uninit warning. */
static inline bool
uninit_undefined_value_p (tree t)
{
if (!has_undefined_value_p (t))
return false;
if (!SSA_NAME_VAR (t))
return true;
return !get_no_uninit_warning (SSA_NAME_VAR (t));
}
/* Emit warnings for uninitialized variables. This is done in two passes.
The first pass notices real uses of SSA names with undefined values.
Such uses are unconditionally uninitialized, and we can be certain that
such a use is a mistake. This pass is run before most optimizations,
so that we catch as many as we can.
The second pass follows PHI nodes to find uses that are potentially
uninitialized. In this case we can't necessarily prove that the use
is really uninitialized. This pass is run after most optimizations,
so that we thread as many jumps and possible, and delete as much dead
code as possible, in order to reduce false positives. We also look
again for plain uninitialized variables, since optimization may have
changed conditionally uninitialized to unconditionally uninitialized. */
/* Emit warning OPT for variable VAR at the point in the program where
the SSA_NAME T is being used uninitialized. The warning text is in
MSGID and STMT is the statement that does the uninitialized read.
PHI_ARG_LOC is the location of the PHI argument if T and VAR are one,
or UNKNOWN_LOCATION otherwise. */
static void
warn_uninit (opt_code opt, tree t, tree var, gimple *context,
location_t phi_arg_loc = UNKNOWN_LOCATION)
{
/* Bail if the value isn't provably uninitialized. */
if (!has_undefined_value_p (t))
return;
/* Ignore COMPLEX_EXPR as initializing only a part of a complex
turns in a COMPLEX_EXPR with the not initialized part being
set to its previous (undefined) value. */
if (is_gimple_assign (context)
&& gimple_assign_rhs_code (context) == COMPLEX_EXPR)
return;
/* Ignore REALPART_EXPR or IMAGPART_EXPR if its operand is a call to
.DEFERRED_INIT. This is for handling the following case correctly:
1 typedef _Complex float C;
2 C foo (int cond)
3 {
4 C f;
5 __imag__ f = 0;
6 if (cond)
7 {
8 __real__ f = 1;
9 return f;
10 }
11 return f;
12 }
with -ftrivial-auto-var-init, compiler will insert the following
artificial initialization at line 4:
f = .DEFERRED_INIT (f, 2);
_1 = REALPART_EXPR <f>;
without the following special handling, _1 = REALPART_EXPR <f> will
be treated as the uninitialized use point, which is incorrect. (the
real uninitialized use point is at line 11). */
if (is_gimple_assign (context)
&& (gimple_assign_rhs_code (context) == REALPART_EXPR
|| gimple_assign_rhs_code (context) == IMAGPART_EXPR))
{
tree v = gimple_assign_rhs1 (context);
if (TREE_CODE (TREE_OPERAND (v, 0)) == SSA_NAME
&& gimple_call_internal_p (SSA_NAME_DEF_STMT (TREE_OPERAND (v, 0)),
IFN_DEFERRED_INIT))
return;
}
/* Anonymous SSA_NAMEs shouldn't be uninitialized, but ssa_undefined_value_p
can return true if the def stmt of an anonymous SSA_NAME is
1. A COMPLEX_EXPR created for conversion from scalar to complex. Use the
underlying var of the COMPLEX_EXPRs real part in that case. See PR71581.
Or
2. A call to .DEFERRED_INIT internal function. Since the original variable
has been eliminated by optimziation, we need to get the variable name,
and variable declaration location from this call. We recorded variable
name into VAR_NAME_STR, and will get location info and record warning
suppressed info to VAR_DEF_STMT, which is the .DEFERRED_INIT call. */
const char *var_name_str = NULL;
gimple *var_def_stmt = NULL;
if (!var && !SSA_NAME_VAR (t))
{
var_def_stmt = SSA_NAME_DEF_STMT (t);
if (gassign *ass = dyn_cast <gassign *> (var_def_stmt))
{
switch (gimple_assign_rhs_code (var_def_stmt))
{
case COMPLEX_EXPR:
{
tree v = gimple_assign_rhs1 (ass);
if (TREE_CODE (v) == SSA_NAME
&& has_undefined_value_p (v)
&& zerop (gimple_assign_rhs2 (ass)))
var = SSA_NAME_VAR (v);
break;
}
case SSA_NAME:
{
tree v = gimple_assign_rhs1 (ass);
if (TREE_CODE (v) == SSA_NAME
&& SSA_NAME_VAR (v))
var = SSA_NAME_VAR (v);
break;
}
default:;
}
}
if (gimple_call_internal_p (var_def_stmt, IFN_DEFERRED_INIT))
{
/* Ignore the call to .DEFERRED_INIT that define the original
var itself as the following case:
temp = .DEFERRED_INIT (4, 2, “alt_reloc");
alt_reloc = temp;
In order to avoid generating warning for the fake usage
at alt_reloc = temp.
*/
tree lhs_var = NULL_TREE;
/* Get the variable name from the 3rd argument of call. */
tree var_name = gimple_call_arg (var_def_stmt, 2);
var_name = TREE_OPERAND (TREE_OPERAND (var_name, 0), 0);
var_name_str = TREE_STRING_POINTER (var_name);
if (is_gimple_assign (context))
{
if (VAR_P (gimple_assign_lhs (context)))
lhs_var = gimple_assign_lhs (context);
else if (TREE_CODE (gimple_assign_lhs (context)) == SSA_NAME)
lhs_var = SSA_NAME_VAR (gimple_assign_lhs (context));
}
if (lhs_var)
{
/* Get the name string for the LHS_VAR.
Refer to routine gimple_add_init_for_auto_var. */
if (DECL_NAME (lhs_var)
&& (strcmp (IDENTIFIER_POINTER (DECL_NAME (lhs_var)),
var_name_str) == 0))
return;
else if (!DECL_NAME (lhs_var))
{
char lhs_var_name_str_buf[3 + (HOST_BITS_PER_INT + 2) / 3];
sprintf (lhs_var_name_str_buf, "D.%u", DECL_UID (lhs_var));
if (strcmp (lhs_var_name_str_buf, var_name_str) == 0)
return;
}
}
gcc_assert (var_name_str && var_def_stmt);
}
}
if (var == NULL_TREE && var_name_str == NULL)
return;
/* Avoid warning if we've already done so or if the warning has been
suppressed. */
if (((warning_suppressed_p (context, OPT_Wuninitialized)
|| (gimple_assign_single_p (context)
&& get_no_uninit_warning (gimple_assign_rhs1 (context)))))
|| (var && get_no_uninit_warning (var))
|| (var_name_str
&& warning_suppressed_p (var_def_stmt, OPT_Wuninitialized)))
return;
/* Use either the location of the read statement or that of the PHI
argument, or that of the uninitialized variable, in that order,
whichever is valid. */
location_t location = UNKNOWN_LOCATION;
if (gimple_has_location (context))
location = gimple_location (context);
else if (phi_arg_loc != UNKNOWN_LOCATION)
location = phi_arg_loc;
else if (var)
location = DECL_SOURCE_LOCATION (var);
else if (var_name_str)
location = gimple_location (var_def_stmt);
auto_diagnostic_group d;
gcc_assert (opt == OPT_Wuninitialized || opt == OPT_Wmaybe_uninitialized);
if (var)
{
if ((opt == OPT_Wuninitialized
&& !warning_at (location, opt, "%qD is used uninitialized", var))
|| (opt == OPT_Wmaybe_uninitialized
&& !warning_at (location, opt, "%qD may be used uninitialized",
var)))
return;
}
else if (var_name_str)
{
if ((opt == OPT_Wuninitialized
&& !warning_at (location, opt, "%qs is used uninitialized",
var_name_str))
|| (opt == OPT_Wmaybe_uninitialized
&& !warning_at (location, opt, "%qs may be used uninitialized",
var_name_str)))
return;
}
/* Avoid subsequent warnings for reads of the same variable again. */
if (var)
suppress_warning (var, opt);
else if (var_name_str)
suppress_warning (var_def_stmt, opt);
/* Issue a note pointing to the read variable unless the warning
is at the same location. */
location_t var_loc = var ? DECL_SOURCE_LOCATION (var)
: gimple_location (var_def_stmt);
if (location == var_loc)
return;
if (var)
inform (var_loc, "%qD was declared here", var);
else if (var_name_str)
inform (var_loc, "%qs was declared here", var_name_str);
}
struct check_defs_data
{
/* If we found any may-defs besides must-def clobbers. */
bool found_may_defs;
};
/* Return true if STMT is a call to built-in function all of whose
by-reference arguments are const-qualified (i.e., the function can
be assumed not to modify them). */
static bool
builtin_call_nomodifying_p (gimple *stmt)
{
if (!gimple_call_builtin_p (stmt, BUILT_IN_NORMAL))
return false;
tree fndecl = gimple_call_fndecl (stmt);
if (!fndecl)
return false;
tree fntype = TREE_TYPE (fndecl);
if (!fntype)
return false;
/* Check the called function's signature for non-constc pointers.
If one is found, return false. */
unsigned argno = 0;
tree argtype;
function_args_iterator it;
FOREACH_FUNCTION_ARGS (fntype, argtype, it)
{
if (VOID_TYPE_P (argtype))
return true;
++argno;
if (!POINTER_TYPE_P (argtype))
continue;
if (TYPE_READONLY (TREE_TYPE (argtype)))
continue;
return false;
}
/* If the number of actual arguments to the call is less than or
equal to the number of parameters, return false. */
unsigned nargs = gimple_call_num_args (stmt);
if (nargs <= argno)
return false;
/* Check arguments passed through the ellipsis in calls to variadic
functions for pointers. If one is found that's a non-constant
pointer, return false. */
for (; argno < nargs; ++argno)
{
tree arg = gimple_call_arg (stmt, argno);
argtype = TREE_TYPE (arg);
if (!POINTER_TYPE_P (argtype))
continue;
if (TYPE_READONLY (TREE_TYPE (argtype)))
continue;
return false;
}
return true;
}
/* If ARG is a FNDECL parameter declared with attribute access none or
write_only issue a warning for its read access via PTR. */
static void
maybe_warn_read_write_only (tree fndecl, gimple *stmt, tree arg, tree ptr)
{
if (!fndecl)
return;
if (get_no_uninit_warning (arg))
return;
tree fntype = TREE_TYPE (fndecl);
if (!fntype)
return;
/* Initialize a map of attribute access specifications for arguments
to the function call. */
rdwr_map rdwr_idx;
init_attr_rdwr_indices (&rdwr_idx, TYPE_ATTRIBUTES (fntype));
unsigned argno = 0;
tree parms = DECL_ARGUMENTS (fndecl);
for (tree parm = parms; parm; parm = TREE_CHAIN (parm), ++argno)
{
if (parm != arg)
continue;
const attr_access* access = rdwr_idx.get (argno);
if (!access)
break;
if (access->mode != access_none
&& access->mode != access_write_only)
continue;
location_t stmtloc = gimple_location (stmt);
if (!warning_at (stmtloc, OPT_Wmaybe_uninitialized,
"%qE may be used uninitialized", ptr))
break;
suppress_warning (arg, OPT_Wmaybe_uninitialized);
const char* const access_str =
TREE_STRING_POINTER (access->to_external_string ());
location_t parmloc = DECL_SOURCE_LOCATION (parm);
inform (parmloc, "accessing argument %u of a function declared with "
"attribute %<%s%>",
argno + 1, access_str);
break;
}
}
/* Callback for walk_aliased_vdefs. */
static bool
check_defs (ao_ref *ref, tree vdef, void *data_)
{
check_defs_data *data = (check_defs_data *)data_;
gimple *def_stmt = SSA_NAME_DEF_STMT (vdef);
/* Ignore the vdef if the definition statement is a call
to .DEFERRED_INIT function. */
if (gimple_call_internal_p (def_stmt, IFN_DEFERRED_INIT))
return false;
/* For address taken variable, a temporary variable is added between
the variable and the call to .DEFERRED_INIT function as:
_1 = .DEFERRED_INIT (4, 2, &"i1"[0]);
i1 = _1;
Ignore this vdef as well. */
if (is_gimple_assign (def_stmt)
&& gimple_assign_rhs_code (def_stmt) == SSA_NAME)
{
tree tmp_var = gimple_assign_rhs1 (def_stmt);
if (gimple_call_internal_p (SSA_NAME_DEF_STMT (tmp_var),
IFN_DEFERRED_INIT))
return false;
}
/* The ASAN_MARK intrinsic doesn't modify the variable. */
if (is_gimple_call (def_stmt))
{
/* The ASAN_MARK intrinsic doesn't modify the variable. */
if (gimple_call_internal_p (def_stmt)
&& gimple_call_internal_fn (def_stmt) == IFN_ASAN_MARK)
return false;
if (tree fndecl = gimple_call_fndecl (def_stmt))
{
/* Some sanitizer calls pass integer arguments to built-ins
that expect pointets. Avoid using gimple_call_builtin_p()
which fails for such calls. */
if (DECL_BUILT_IN_CLASS (fndecl) == BUILT_IN_NORMAL)
{
built_in_function fncode = DECL_FUNCTION_CODE (fndecl);
if (fncode > BEGIN_SANITIZER_BUILTINS
&& fncode < END_SANITIZER_BUILTINS)
return false;
}
}
}
/* End of VLA scope is not a kill. */
if (gimple_call_builtin_p (def_stmt, BUILT_IN_STACK_RESTORE))
return false;
/* If this is a clobber then if it is not a kill walk past it. */
if (gimple_clobber_p (def_stmt))
{
if (stmt_kills_ref_p (def_stmt, ref))
return true;
return false;
}
if (builtin_call_nomodifying_p (def_stmt))
return false;
/* Found a may-def on this path. */
data->found_may_defs = true;
return true;
}
/* Counters and limits controlling the depth of analysis and
strictness of the warning. */
struct wlimits
{
/* Number of VDEFs encountered. */
unsigned int vdef_cnt;
/* Number of statements examined by walk_aliased_vdefs. */
unsigned int oracle_cnt;
/* Limit on the number of statements visited by walk_aliased_vdefs. */
unsigned limit;
/* Set when basic block with statement is executed unconditionally. */
bool always_executed;
/* Set to issue -Wmaybe-uninitialized. */
bool wmaybe_uninit;
};
/* Determine if REF references an uninitialized operand and diagnose
it if so. STMS is the referencing statement. LHS is the result
of the access and may be null. RHS is the variable referenced by
the access; it may not be null. */
static tree
maybe_warn_operand (ao_ref &ref, gimple *stmt, tree lhs, tree rhs,
wlimits &wlims)
{
bool has_bit_insert = false;
use_operand_p luse_p;
imm_use_iterator liter;
if (get_no_uninit_warning (rhs))
return NULL_TREE;
/* Do not warn if the base was marked so or this is a
hard register var. */
tree base = ao_ref_base (&ref);
if ((VAR_P (base)
&& DECL_HARD_REGISTER (base))
|| get_no_uninit_warning (base))
return NULL_TREE;
/* Do not warn if the access is zero size or if it's fully outside
the object. */
poly_int64 decl_size;
if (known_size_p (ref.size)
&& known_eq (ref.max_size, ref.size)
&& (known_eq (ref.size, 0)
|| known_le (ref.offset + ref.size, 0)))
return NULL_TREE;
if (DECL_P (base)
&& known_ge (ref.offset, 0)
&& DECL_SIZE (base)
&& poly_int_tree_p (DECL_SIZE (base), &decl_size)
&& known_le (decl_size, ref.offset))
return NULL_TREE;
/* Do not warn if the result of the access is then used for
a BIT_INSERT_EXPR. */
if (lhs && TREE_CODE (lhs) == SSA_NAME)
FOR_EACH_IMM_USE_FAST (luse_p, liter, lhs)
{
gimple *use_stmt = USE_STMT (luse_p);
/* BIT_INSERT_EXPR first operand should not be considered
a use for the purpose of uninit warnings. */
if (gassign *ass = dyn_cast <gassign *> (use_stmt))
{
if (gimple_assign_rhs_code (ass) == BIT_INSERT_EXPR
&& luse_p->use == gimple_assign_rhs1_ptr (ass))
{
has_bit_insert = true;
break;
}
}
}
if (has_bit_insert)
return NULL_TREE;
/* Limit the walking to a constant number of stmts after
we overcommit quadratic behavior for small functions
and O(n) behavior. */
if (wlims.oracle_cnt > 128 * 128
&& wlims.oracle_cnt > wlims.vdef_cnt * 2)
wlims.limit = 32;
check_defs_data data;
bool fentry_reached = false;
data.found_may_defs = false;
tree use = gimple_vuse (stmt);
if (!use)
return NULL_TREE;
int res = walk_aliased_vdefs (&ref, use,
check_defs, &data, NULL,
&fentry_reached, wlims.limit);
if (res == -1)
{
wlims.oracle_cnt += wlims.limit;
return NULL_TREE;
}
wlims.oracle_cnt += res;
if (data.found_may_defs)
return NULL_TREE;
bool found_alloc = false;
if (fentry_reached)
{
if (TREE_CODE (base) == MEM_REF)
base = TREE_OPERAND (base, 0);
/* Follow the chain of SSA_NAME assignments looking for an alloca
call (or VLA) or malloc/realloc, or for decls. If any is found
(and in the latter case, the operand is a local variable) issue
a warning. */
while (TREE_CODE (base) == SSA_NAME)
{
gimple *def_stmt = SSA_NAME_DEF_STMT (base);
if (is_gimple_call (def_stmt)
&& gimple_call_builtin_p (def_stmt))
{
/* Detect uses of uninitialized alloca/VLAs. */
tree fndecl = gimple_call_fndecl (def_stmt);
const built_in_function fncode = DECL_FUNCTION_CODE (fndecl);
if (fncode == BUILT_IN_ALLOCA
|| fncode == BUILT_IN_ALLOCA_WITH_ALIGN
|| fncode == BUILT_IN_MALLOC)
found_alloc = true;
break;
}
if (!is_gimple_assign (def_stmt))
break;
tree_code code = gimple_assign_rhs_code (def_stmt);
if (code != ADDR_EXPR && code != POINTER_PLUS_EXPR)
break;
base = gimple_assign_rhs1 (def_stmt);
if (TREE_CODE (base) == ADDR_EXPR)
base = TREE_OPERAND (base, 0);
if (DECL_P (base)
|| TREE_CODE (base) == COMPONENT_REF)
rhs = base;
if (TREE_CODE (base) == MEM_REF)
base = TREE_OPERAND (base, 0);
if (tree ba = get_base_address (base))
base = ba;
}
/* Replace the RHS expression with BASE so that it
refers to it in the diagnostic (instead of to
'<unknown>'). */
if (DECL_P (base)
&& EXPR_P (rhs)
&& TREE_CODE (rhs) != COMPONENT_REF)
rhs = base;
}
/* Do not warn if it can be initialized outside this function.
If we did not reach function entry then we found killing
clobbers on all paths to entry. */
if (!found_alloc && fentry_reached)
{
if (TREE_CODE (base) == SSA_NAME)
{
tree var = SSA_NAME_VAR (base);
if (var && TREE_CODE (var) == PARM_DECL)
{
maybe_warn_read_write_only (cfun->decl, stmt, var, rhs);
return NULL_TREE;
}
}
if (!VAR_P (base)
|| is_global_var (base))
/* ??? We'd like to use ref_may_alias_global_p but that
excludes global readonly memory and thus we get bogus
warnings from p = cond ? "a" : "b" for example. */
return NULL_TREE;
}
/* Strip the address-of expression from arrays passed to functions. */
if (TREE_CODE (rhs) == ADDR_EXPR)
rhs = TREE_OPERAND (rhs, 0);
/* Check again since RHS may have changed above. */
if (get_no_uninit_warning (rhs))
return NULL_TREE;
/* Avoid warning about empty types such as structs with no members.
The first_field() test is important for C++ where the predicate
alone isn't always sufficient. */
tree rhstype = TREE_TYPE (rhs);
if (POINTER_TYPE_P (rhstype))
rhstype = TREE_TYPE (rhstype);
if (is_empty_type (rhstype))
return NULL_TREE;
bool warned = false;
/* We didn't find any may-defs so on all paths either
reached function entry or a killing clobber. */
location_t location = gimple_location (stmt);
if (wlims.always_executed)
{
if (warning_at (location, OPT_Wuninitialized,
"%qE is used uninitialized", rhs))
{
/* ??? This is only effective for decls as in
gcc.dg/uninit-B-O0.c. Avoid doing this for maybe-uninit
uses or accesses by functions as it may hide important
locations. */
if (lhs)
set_no_uninit_warning (rhs);
warned = true;
}
}
else if (wlims.wmaybe_uninit)
warned = warning_at (location, OPT_Wmaybe_uninitialized,
"%qE may be used uninitialized", rhs);
return warned ? base : NULL_TREE;
}
/* Diagnose passing addresses of uninitialized objects to either const
pointer arguments to functions, or to functions declared with attribute
access implying read access to those objects. */
static void
maybe_warn_pass_by_reference (gcall *stmt, wlimits &wlims)
{
if (!wlims.wmaybe_uninit)
return;
unsigned nargs = gimple_call_num_args (stmt);
if (!nargs)
return;
tree fndecl = gimple_call_fndecl (stmt);
tree fntype = gimple_call_fntype (stmt);
if (!fntype)
return;
/* Const function do not read their arguments. */
if (gimple_call_flags (stmt) & ECF_CONST)
return;
const built_in_function fncode
= (fndecl && gimple_call_builtin_p (stmt, BUILT_IN_NORMAL)
? DECL_FUNCTION_CODE (fndecl) : (built_in_function)BUILT_IN_LAST);
if (fncode == BUILT_IN_MEMCPY || fncode == BUILT_IN_MEMMOVE)
/* Avoid diagnosing calls to raw memory functions (this is overly
permissive; consider tightening it up). */
return;
/* Save the current warning setting and replace it either a "maybe"
when passing addresses of uninitialized variables to const-qualified
pointers or arguments declared with attribute read_write, or with
a "certain" when passing them to arguments declared with attribute
read_only. */
const bool save_always_executed = wlims.always_executed;
/* Initialize a map of attribute access specifications for arguments
to the function call. */
rdwr_map rdwr_idx;
init_attr_rdwr_indices (&rdwr_idx, TYPE_ATTRIBUTES (fntype));
tree argtype;
unsigned argno = 0;
function_args_iterator it;
FOREACH_FUNCTION_ARGS (fntype, argtype, it)
{
++argno;
if (argno > nargs)
break;
if (!POINTER_TYPE_P (argtype))
continue;
tree access_size = NULL_TREE;
const attr_access* access = rdwr_idx.get (argno - 1);
if (access)
{
if (access->mode == access_none
|| access->mode == access_write_only)
continue;
if (access->mode == access_deferred
&& !TYPE_READONLY (TREE_TYPE (argtype)))
continue;
if (save_always_executed && access->mode == access_read_only)
/* Attribute read_only arguments imply read access. */
wlims.always_executed = true;
else
/* Attribute read_write arguments are documented as requiring
initialized objects but it's expected that aggregates may
be only partially initialized regardless. */
wlims.always_executed = false;
if (access->sizarg < nargs)
access_size = gimple_call_arg (stmt, access->sizarg);
}
else if (!TYPE_READONLY (TREE_TYPE (argtype)))
continue;
else if (save_always_executed && fncode != BUILT_IN_LAST)
/* Const-qualified arguments to built-ins imply read access. */
wlims.always_executed = true;
else
/* Const-qualified arguments to ordinary functions imply a likely
(but not definitive) read access. */
wlims.always_executed = false;
/* Ignore args we are not going to read from. */
if (gimple_call_arg_flags (stmt, argno - 1)
& (EAF_UNUSED | EAF_NO_DIRECT_READ))
continue;
tree arg = gimple_call_arg (stmt, argno - 1);
if (!POINTER_TYPE_P (TREE_TYPE (arg)))
/* Avoid actual arguments with invalid types. */
continue;
ao_ref ref;
ao_ref_init_from_ptr_and_size (&ref, arg, access_size);
tree argbase = maybe_warn_operand (ref, stmt, NULL_TREE, arg, wlims);
if (!argbase)
continue;
if (access && access->mode != access_deferred)
{
const char* const access_str =
TREE_STRING_POINTER (access->to_external_string ());
if (fndecl)
{
location_t loc = DECL_SOURCE_LOCATION (fndecl);
inform (loc, "in a call to %qD declared with "
"attribute %<%s%> here", fndecl, access_str);
}
else
{
/* Handle calls through function pointers. */
location_t loc = gimple_location (stmt);
inform (loc, "in a call to %qT declared with "
"attribute %<%s%>", fntype, access_str);
}
}
else
{
/* For a declaration with no relevant attribute access create
a dummy object and use the formatting function to avoid
having to complicate things here. */
attr_access ptr_access = { };
if (!access)
access = &ptr_access;
const std::string argtypestr = access->array_as_string (argtype);
if (fndecl)
{
location_t loc (DECL_SOURCE_LOCATION (fndecl));
inform (loc, "by argument %u of type %s to %qD "
"declared here",
argno, argtypestr.c_str (), fndecl);
}
else
{
/* Handle calls through function pointers. */
location_t loc (gimple_location (stmt));
inform (loc, "by argument %u of type %s to %qT",
argno, argtypestr.c_str (), fntype);
}
}
if (DECL_P (argbase))
{
location_t loc = DECL_SOURCE_LOCATION (argbase);
inform (loc, "%qD declared here", argbase);
}
}
wlims.always_executed = save_always_executed;
}
/* Warn about an uninitialized PHI argument on the fallthru path to
an always executed block BB. */
static void
warn_uninit_phi_uses (basic_block bb)
{
edge_iterator ei;
edge e, found = NULL, found_back = NULL;
/* Look for a fallthru and possibly a single backedge. */
FOR_EACH_EDGE (e, ei, bb->preds)
{
/* Ignore backedges. */
if (dominated_by_p (CDI_DOMINATORS, e->src, bb))
{
if (found_back)
{
found = NULL;
break;
}
found_back = e;
continue;
}
if (found)
{
found = NULL;
break;
}
found = e;
}
if (!found)
return;
basic_block succ = single_succ (ENTRY_BLOCK_PTR_FOR_FN (cfun));
for (gphi_iterator si = gsi_start_phis (bb); !gsi_end_p (si);
gsi_next (&si))
{
gphi *phi = si.phi ();
tree def = PHI_ARG_DEF_FROM_EDGE (phi, found);
if (TREE_CODE (def) != SSA_NAME
|| !SSA_NAME_IS_DEFAULT_DEF (def)
|| virtual_operand_p (def))
continue;
/* If there's a default def on the fallthru edge PHI
value and there's a use that post-dominates entry
then that use is uninitialized and we can warn. */
imm_use_iterator iter;
use_operand_p use_p;
gimple *use_stmt = NULL;
FOR_EACH_IMM_USE_FAST (use_p, iter, gimple_phi_result (phi))
{
use_stmt = USE_STMT (use_p);
if (gimple_location (use_stmt) != UNKNOWN_LOCATION
&& dominated_by_p (CDI_POST_DOMINATORS, succ,
gimple_bb (use_stmt))
/* If we found a non-fallthru edge make sure the
use is inside the loop, otherwise the backedge
can serve as initialization. */
&& (!found_back
|| dominated_by_p (CDI_DOMINATORS, found_back->src,
gimple_bb (use_stmt))))
break;
use_stmt = NULL;
}
if (use_stmt)
warn_uninit (OPT_Wuninitialized, def,
SSA_NAME_VAR (def), use_stmt);
}
}
/* Issue warnings about reads of uninitialized variables. WMAYBE_UNINIT
is true to issue -Wmaybe-uninitialized, otherwise -Wuninitialized. */
static void
warn_uninitialized_vars (bool wmaybe_uninit)
{
/* Counters and limits controlling the depth of the warning. */
wlimits wlims = { };
wlims.wmaybe_uninit = wmaybe_uninit;
auto_bb_flag ft_reachable (cfun);
/* Mark blocks that are always executed when we ignore provably
not executed and EH and abnormal edges. */
basic_block bb = single_succ (ENTRY_BLOCK_PTR_FOR_FN (cfun));
while (!(bb->flags & ft_reachable))
{
bb->flags |= ft_reachable;
edge e = find_fallthru_edge (bb->succs);
if (e && e->flags & EDGE_EXECUTABLE)
{
bb = e->dest;
continue;
}
/* Find a single executable edge. */
edge_iterator ei;
edge ee = NULL;
FOR_EACH_EDGE (e, ei, bb->succs)
if (e->flags & EDGE_EXECUTABLE)
{
if (!ee)
ee = e;
else
{
ee = NULL;
break;
}
}
if (ee)
bb = ee->dest;
else
bb = get_immediate_dominator (CDI_POST_DOMINATORS, bb);
if (!bb || bb->index == EXIT_BLOCK)
break;
}
FOR_EACH_BB_FN (bb, cfun)
{
wlims.always_executed = (bb->flags & ft_reachable);
bb->flags &= ~ft_reachable;
edge_iterator ei;
edge e;
FOR_EACH_EDGE (e, ei, bb->preds)
if (e->flags & EDGE_EXECUTABLE)
break;
/* Skip unreachable blocks. For early analysis we use VN to
determine edge executability when wmaybe_uninit. */
if (!e)
continue;
if (wlims.always_executed)
warn_uninit_phi_uses (bb);
gimple_stmt_iterator gsi;
for (gsi = gsi_start_bb (bb); !gsi_end_p (gsi); gsi_next (&gsi))
{
gimple *stmt = gsi_stmt (gsi);
/* The call is an artificial use, will not provide meaningful
error message. If the result of the call is used somewhere
else, we warn there instead. */
if (gimple_call_internal_p (stmt, IFN_DEFERRED_INIT))
continue;
if (is_gimple_debug (stmt))
continue;
/* We only do data flow with SSA_NAMEs, so that's all we
can warn about. */
use_operand_p use_p;
ssa_op_iter op_iter;
FOR_EACH_SSA_USE_OPERAND (use_p, stmt, op_iter, SSA_OP_USE)
{
/* BIT_INSERT_EXPR first operand should not be considered
a use for the purpose of uninit warnings. */
if (gassign *ass = dyn_cast <gassign *> (stmt))
{
if (gimple_assign_rhs_code (ass) == BIT_INSERT_EXPR
&& use_p->use == gimple_assign_rhs1_ptr (ass))
continue;
}
tree use = USE_FROM_PTR (use_p);
if (wlims.always_executed)
warn_uninit (OPT_Wuninitialized, use,
SSA_NAME_VAR (use), stmt);
else if (wlims.wmaybe_uninit)
warn_uninit (OPT_Wmaybe_uninitialized, use,
SSA_NAME_VAR (use), stmt);
}
/* For limiting the alias walk below we count all
vdefs in the function. */
if (gimple_vdef (stmt))
wlims.vdef_cnt++;
if (gcall *call = dyn_cast <gcall *> (stmt))
maybe_warn_pass_by_reference (call, wlims);
else if (gimple_assign_load_p (stmt)
&& gimple_has_location (stmt))
{
tree rhs = gimple_assign_rhs1 (stmt);
tree lhs = gimple_assign_lhs (stmt);
ao_ref ref;
ao_ref_init (&ref, rhs);
tree var = maybe_warn_operand (ref, stmt, lhs, rhs, wlims);
if (!var)
continue;
if (DECL_P (var))
{
location_t loc = DECL_SOURCE_LOCATION (var);
inform (loc, "%qD declared here", var);
}
}
}
}
}
/* Checks if the operand OPND of PHI is defined by
another phi with one operand defined by this PHI,
but the rest operands are all defined. If yes,
returns true to skip this operand as being
redundant. Can be enhanced to be more general. */
static bool
can_skip_redundant_opnd (tree opnd, gimple *phi)
{
tree phi_def = gimple_phi_result (phi);
gimple *op_def = SSA_NAME_DEF_STMT (opnd);
if (gimple_code (op_def) != GIMPLE_PHI)
return false;
unsigned n = gimple_phi_num_args (op_def);
for (unsigned i = 0; i < n; ++i)
{
tree op = gimple_phi_arg_def (op_def, i);
if (TREE_CODE (op) != SSA_NAME)
continue;
if (op != phi_def && uninit_undefined_value_p (op))
return false;
}
return true;
}
/* Return a bitset holding the positions of arguments in PHI with empty
(or possibly empty) definitions. */
static unsigned
compute_uninit_opnds_pos (gphi *phi)
{
unsigned uninit_opnds = 0;
unsigned n = gimple_phi_num_args (phi);
/* Bail out for phi with too many args. */
if (n > uninit_analysis::func_t::max_phi_args)
return 0;
for (unsigned i = 0; i < n; ++i)
{
tree op = gimple_phi_arg_def (phi, i);
if (TREE_CODE (op) == SSA_NAME
&& uninit_undefined_value_p (op)
&& !can_skip_redundant_opnd (op, phi))
{
if (cfun->has_nonlocal_label || cfun->calls_setjmp)
{
/* Ignore SSA_NAMEs that appear on abnormal edges
somewhere. */
if (SSA_NAME_OCCURS_IN_ABNORMAL_PHI (op))
continue;
}
MASK_SET_BIT (uninit_opnds, i);
}
}
/* If we have recorded guarded uses of may-uninit values mask those. */
if (auto *def_mask = defined_args->get (phi))
uninit_opnds &= ~*def_mask;
return uninit_opnds;
}
/* Function object type used to determine whether an expression
is of interest to the predicate analyzer. */
struct uninit_undef_val_t: public uninit_analysis::func_t
{
virtual unsigned phi_arg_set (gphi *) override;
};
/* Return a bitset of PHI arguments of interest. */
unsigned
uninit_undef_val_t::phi_arg_set (gphi *phi)
{
return compute_uninit_opnds_pos (phi);
}
/* sort helper for find_uninit_use. */
static int
cand_cmp (const void *a, const void *b, void *data)
{
int *bb_to_rpo = (int *)data;
const gimple *sa = *(const gimple * const *)a;
const gimple *sb = *(const gimple * const *)b;
if (bb_to_rpo[gimple_bb (sa)->index] < bb_to_rpo[gimple_bb (sb)->index])
return -1;
else if (bb_to_rpo[gimple_bb (sa)->index] > bb_to_rpo[gimple_bb (sb)->index])
return 1;
return 0;
}
/* Searches through all uses of a potentially
uninitialized variable defined by PHI and returns a use
statement if the use is not properly guarded. It returns
NULL if all uses are guarded. UNINIT_OPNDS is a bitvector
holding the position(s) of uninit PHI operands. */
static gimple *
find_uninit_use (gphi *phi, unsigned uninit_opnds, int *bb_to_rpo)
{
/* The Boolean predicate guarding the PHI definition. Initialized
lazily from PHI in the first call to is_use_guarded() and cached
for subsequent iterations. */
uninit_undef_val_t eval;
uninit_analysis def_preds (eval);
/* First process PHIs and record other candidates. */
auto_vec<gimple *, 64> cands;
use_operand_p use_p;
imm_use_iterator iter;
tree phi_result = gimple_phi_result (phi);
FOR_EACH_IMM_USE_FAST (use_p, iter, phi_result)
{
gimple *use_stmt = USE_STMT (use_p);
if (is_gimple_debug (use_stmt))
continue;
/* Look through a single level of SSA name copies. This is
important for copies involving abnormals which we can't always
proapgate out but which result in spurious unguarded uses. */
use_operand_p use2_p;
gimple *use2_stmt;
if (gimple_assign_ssa_name_copy_p (use_stmt)
&& single_imm_use (gimple_assign_lhs (use_stmt), &use2_p, &use2_stmt))
{
use_p = use2_p;
use_stmt = use2_stmt;
}
if (gphi *use_phi = dyn_cast<gphi *> (use_stmt))
{
unsigned idx = PHI_ARG_INDEX_FROM_USE (use_p);
edge e = gimple_phi_arg_edge (use_phi, idx);
/* Do not look for uses in the next iteration of a loop, predicate
analysis will not use the appropriate predicates to prove
reachability. */
if (e->flags & EDGE_DFS_BACK)
continue;
basic_block use_bb = e->src;
if (def_preds.is_use_guarded (use_stmt, use_bb, phi, uninit_opnds))
{
/* For a guarded use in a PHI record the PHI argument as
initialized. */
if (idx < uninit_analysis::func_t::max_phi_args)
{
bool existed_p;
auto &def_mask
= defined_args->get_or_insert (use_phi, &existed_p);
if (!existed_p)
def_mask = 0;
MASK_SET_BIT (def_mask, idx);
}
continue;
}
if (dump_file && (dump_flags & TDF_DETAILS))
{
fprintf (dump_file, "Found unguarded use on edge %u -> %u: ",
e->src->index, e->dest->index);
print_gimple_stmt (dump_file, use_stmt, 0);
}
/* Found a phi use that is not guarded, mark the use as
possibly undefined. */
possibly_undefined_names->add (USE_FROM_PTR (use_p));
}
else
cands.safe_push (use_stmt);
}
/* Sort candidates after RPO. */
cands.stablesort (cand_cmp, bb_to_rpo);
basic_block use_bb = NULL;
for (gimple *use_stmt : cands)
{
/* We only have to try diagnosing the first use in each block. */
if (gimple_bb (use_stmt) == use_bb)
continue;
use_bb = gimple_bb (use_stmt);
if (def_preds.is_use_guarded (use_stmt, use_bb, phi, uninit_opnds))
continue;
if (dump_file && (dump_flags & TDF_DETAILS))
{
fprintf (dump_file, "Found unguarded use in bb %u: ",
use_bb->index);
print_gimple_stmt (dump_file, use_stmt, 0);
}
return use_stmt;
}
return NULL;
}
/* Look for inputs to PHI that are SSA_NAMEs that have empty definitions
and gives warning if there exists a runtime path from the entry to a
use of the PHI def that does not contain a definition. In other words,
the warning is on the real use. The more dead paths that can be pruned
by the compiler, the fewer false positives the warning is. */
static void
warn_uninitialized_phi (gphi *phi, unsigned uninit_opnds, int *bb_to_rpo)
{
if (dump_file && (dump_flags & TDF_DETAILS))
{
fprintf (dump_file, "Examining phi: ");
print_gimple_stmt (dump_file, phi, 0);
}
gimple *uninit_use_stmt = find_uninit_use (phi, uninit_opnds, bb_to_rpo);
/* All uses are properly guarded. */
if (!uninit_use_stmt)
return;
unsigned phiarg_index = MASK_FIRST_SET_BIT (uninit_opnds);
tree uninit_op = gimple_phi_arg_def (phi, phiarg_index);
location_t loc = UNKNOWN_LOCATION;
if (gimple_phi_arg_has_location (phi, phiarg_index))
loc = gimple_phi_arg_location (phi, phiarg_index);
else
{
tree arg_def = gimple_phi_arg_def (phi, phiarg_index);
if (TREE_CODE (arg_def) == SSA_NAME)
{
gimple *def_stmt = SSA_NAME_DEF_STMT (arg_def);
if (gphi *arg_phi = dyn_cast<gphi *> (def_stmt))
{
unsigned uop = compute_uninit_opnds_pos (arg_phi);
unsigned idx = MASK_FIRST_SET_BIT (uop);
if (idx < gimple_phi_num_args (arg_phi)
&& gimple_phi_arg_has_location (arg_phi, idx))
loc = gimple_phi_arg_location (arg_phi, idx);
}
}
}
warn_uninit (OPT_Wmaybe_uninitialized, uninit_op,
SSA_NAME_VAR (uninit_op),
uninit_use_stmt, loc);
}
static bool
gate_warn_uninitialized (void)
{
return warn_uninitialized || warn_maybe_uninitialized;
}
namespace {
const pass_data pass_data_late_warn_uninitialized =
{
GIMPLE_PASS, /* type */
"uninit", /* name */
OPTGROUP_NONE, /* optinfo_flags */
TV_NONE, /* tv_id */
PROP_ssa, /* properties_required */
0, /* properties_provided */
0, /* properties_destroyed */
0, /* todo_flags_start */
0, /* todo_flags_finish */
};
class pass_late_warn_uninitialized : public gimple_opt_pass
{
public:
pass_late_warn_uninitialized (gcc::context *ctxt)
: gimple_opt_pass (pass_data_late_warn_uninitialized, ctxt)
{}
/* opt_pass methods: */
opt_pass *clone () final override
{
return new pass_late_warn_uninitialized (m_ctxt);
}
bool gate (function *) final override { return gate_warn_uninitialized (); }
unsigned int execute (function *) final override;
}; // class pass_late_warn_uninitialized
static void
execute_late_warn_uninitialized (function *fun)
{
calculate_dominance_info (CDI_DOMINATORS);
calculate_dominance_info (CDI_POST_DOMINATORS);
/* Mark all edges executable, warn_uninitialized_vars will skip
unreachable blocks. */
set_all_edges_as_executable (fun);
mark_dfs_back_edges (fun);
int *rpo = XNEWVEC (int, n_basic_blocks_for_fn (fun));
int n = pre_and_rev_post_order_compute_fn (fun, NULL, rpo, false);
int *bb_to_rpo = XNEWVEC (int, last_basic_block_for_fn (fun));
for (int i = 0; i < n; ++i)
bb_to_rpo[rpo[i]] = i;
/* Re-do the plain uninitialized variable check, as optimization may have
straightened control flow. Do this first so that we don't accidentally
get a "may be" warning when we'd have seen an "is" warning later. */
warn_uninitialized_vars (/*warn_maybe_uninitialized=*/1);
timevar_push (TV_TREE_UNINIT);
/* Avoid quadratic beahvior when looking up case labels for edges. */
start_recording_case_labels ();
possibly_undefined_names = new hash_set<tree>;
defined_args = new hash_map<gphi *, uninit_analysis::func_t::phi_arg_set_t>;
/* Walk the CFG in RPO order so we visit PHIs with defs that are
possibly uninitialized from other PHIs after those. The uninit
predicate analysis will then expand the PHIs predicate with
the predicates of the edges from such PHI defs. */
for (int i = 0; i < n; ++i)
for (auto gsi = gsi_start_phis (BASIC_BLOCK_FOR_FN (fun, rpo[i]));
!gsi_end_p (gsi); gsi_next (&gsi))
{
gphi *phi = gsi.phi ();
/* Don't look at virtual operands. */
if (virtual_operand_p (gimple_phi_result (phi)))
continue;
unsigned uninit_opnds = compute_uninit_opnds_pos (phi);
if (MASK_EMPTY (uninit_opnds))
continue;
warn_uninitialized_phi (phi, uninit_opnds, bb_to_rpo);
}
free (rpo);
free (bb_to_rpo);
delete possibly_undefined_names;
possibly_undefined_names = NULL;
delete defined_args;
defined_args = NULL;
end_recording_case_labels ();
free_dominance_info (CDI_POST_DOMINATORS);
timevar_pop (TV_TREE_UNINIT);
}
unsigned int
pass_late_warn_uninitialized::execute (function *fun)
{
execute_late_warn_uninitialized (fun);
return 0;
}
} // anon namespace
gimple_opt_pass *
make_pass_late_warn_uninitialized (gcc::context *ctxt)
{
return new pass_late_warn_uninitialized (ctxt);
}
static unsigned int
execute_early_warn_uninitialized (struct function *fun)
{
/* Currently, this pass runs always but
execute_late_warn_uninitialized only runs with optimization. With
optimization we want to warn about possible uninitialized as late
as possible, thus don't do it here. However, without
optimization we need to warn here about "may be uninitialized". */
calculate_dominance_info (CDI_DOMINATORS);
calculate_dominance_info (CDI_POST_DOMINATORS);
/* Use VN in its cheapest incarnation and without doing any
elimination to compute edge reachability. Don't bother when
we only warn for unconditionally executed code though. */
if (!optimize)
do_rpo_vn (fun, NULL, NULL, false, false, false, VN_NOWALK);
else
set_all_edges_as_executable (fun);
warn_uninitialized_vars (/*warn_maybe_uninitialized=*/!optimize);
/* Post-dominator information cannot be reliably updated. Free it
after the use. */
free_dominance_info (CDI_POST_DOMINATORS);
return 0;
}
namespace {
const pass_data pass_data_early_warn_uninitialized =
{
GIMPLE_PASS, /* type */
"early_uninit", /* name */
OPTGROUP_NONE, /* optinfo_flags */
TV_TREE_UNINIT, /* tv_id */
PROP_ssa, /* properties_required */
0, /* properties_provided */
0, /* properties_destroyed */
0, /* todo_flags_start */
0, /* todo_flags_finish */
};
class pass_early_warn_uninitialized : public gimple_opt_pass
{
public:
pass_early_warn_uninitialized (gcc::context *ctxt)
: gimple_opt_pass (pass_data_early_warn_uninitialized, ctxt)
{}
/* opt_pass methods: */
bool gate (function *) final override { return gate_warn_uninitialized (); }
unsigned int execute (function *fun) final override
{
return execute_early_warn_uninitialized (fun);
}
}; // class pass_early_warn_uninitialized
} // anon namespace
gimple_opt_pass *
make_pass_early_warn_uninitialized (gcc::context *ctxt)
{
return new pass_early_warn_uninitialized (ctxt);
}