1 /* Strict aliasing checks.
2 Copyright (C) 2007 Free Software Foundation, Inc.
3 Contributed by Silvius Rus <rus@google.com>.
4
5 This file is part of GCC.
6
7 GCC is free software; you can redistribute it and/or modify
8 it under the terms of the GNU General Public License as published by
9 the Free Software Foundation; either version 2, or (at your option)
10 any later version.
11
12 GCC is distributed in the hope that it will be useful,
13 but WITHOUT ANY WARRANTY; without even the implied warranty of
14 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
15 GNU General Public License for more details.
16
17 You should have received a copy of the GNU General Public License
18 along with GCC; see the file COPYING. If not, write to
19 the Free Software Foundation, 51 Franklin Street, Fifth Floor,
20 Boston, MA 02110-1301, USA. */
21
22 #include "config.h"
23 #include "system.h"
24 #include "coretypes.h"
25 #include "tm.h"
26 #include "alloc-pool.h"
27 #include "tree.h"
28 #include "tree-dump.h"
29 #include "tree-flow.h"
30 #include "params.h"
31 #include "function.h"
32 #include "expr.h"
33 #include "toplev.h"
34 #include "diagnostic.h"
35 #include "tree-ssa-structalias.h"
36 #include "tree-ssa-propagate.h"
37 #include "langhooks.h"
38
39 /* Module to issue a warning when a program uses data through a type
40 different from the type through which the data were defined.
41 Implements -Wstrict-aliasing and -Wstrict-aliasing=n.
42 These checks only happen when -fstrict-aliasing is present.
43
44 The idea is to use the compiler to identify occurrences of nonstandard
45 aliasing, and report them to programmers. Programs free of such aliasing
46 are more portable, maintainable, and can usually be optimized better.
47
48 The current, as of April 2007, C and C++ language standards forbid
49 accessing data of type A through an lvalue of another type B,
50 with certain exceptions. See the C Standard ISO/IEC 9899:1999,
51 section 6.5, paragraph 7, and the C++ Standard ISO/IEC 14882:1998,
52 section 3.10, paragraph 15.
53
54 Example 1:*a is used as int but was defined as a float, *b.
55 int* a = ...;
56 float* b = reinterpret_cast<float*> (a);
57 *b = 2.0;
58 return *a
59
60 Unfortunately, the problem is in general undecidable if we take into
61 account arithmetic expressions such as array indices or pointer arithmetic.
62 (It is at least as hard as Peano arithmetic decidability.)
63 Even ignoring arithmetic, the problem is still NP-hard, because it is
64 at least as hard as flow-insensitive may-alias analysis, which was proved
65 NP-hard by Horwitz et al, TOPLAS 1997.
66
67 It is clear that we need to choose some heuristics.
68 Unfortunately, various users have different goals which correspond to
69 different time budgets so a common approach will not suit all.
70 We present the user with three effort/accuracy levels. By accuracy, we mean
71 a common-sense mix of low count of false positives with a
72 reasonably low number of false negatives. We are heavily biased
73 towards a low count of false positives.
74 The effort (compilation time) is likely to increase with the level.
75
76 -Wstrict-aliasing=1
77 ===================
78 Most aggressive, least accurate. Possibly useful when higher levels
79 do not warn but -fstrict-aliasing still breaks the code, as
80 it has very few false negatives.
81 Warn for all bad pointer conversions, even if never dereferenced.
82 Implemented in the front end (c-common.c).
83 Uses alias_sets_might_conflict to compare types.
84
85 -Wstrict-aliasing=2
86 ===================
87 Aggressive, not too precise.
88 May still have many false positives (not as many as level 1 though),
89 and few false negatives (but possibly more than level 1).
90 Runs only in the front end. Uses alias_sets_might_conflict to
91 compare types. Does not check for pointer dereferences.
92 Only warns when an address is taken. Warns about incomplete type punning.
93
94 -Wstrict-aliasing=3 (default)
95 ===================
96 Should have very few false positives and few false negatives.
97 Takes care of the common punn+dereference pattern in the front end:
98 *(int*)&some_float.
99 Takes care of multiple statement cases in the back end,
100 using flow-sensitive points-to information (-O required).
101 Uses alias_sets_conflict_p to compare types and only warns
102 when the converted pointer is dereferenced.
103 Does not warn about incomplete type punning.
104
105 Future improvements can be included by adding higher levels.
106
107 In summary, expression level analysis is performed in the front-end,
108 and multiple-statement analysis is performed in the backend.
109 The remainder of this discussion is only about the backend analysis.
110
111 This implementation uses flow-sensitive points-to information.
112 Flow-sensitivity refers to accesses to the pointer, and not the object
113 pointed. For instance, we do not warn about the following case.
114
115 Example 2.
116 int* a = (int*)malloc (...);
117 float* b = reinterpret_cast<float*> (a);
118 *b = 2.0;
119 a = (int*)malloc (...);
120 return *a;
121
122 In SSA, it becomes clear that the INT value *A_2 referenced in the
123 return statement is not aliased to the FLOAT defined through *B_1.
124 int* a_1 = (int*)malloc (...);
125 float* b_1 = reinterpret_cast<float*> (a_1);
126 *b_1 = 2.0;
127 a_2 = (int*)malloc (...);
128 return *a_2;
129
130
131 Algorithm Outline
132 =================
133
134 ForEach (ptr, object) in the points-to table
135 If (incompatible_types (*ptr, object))
136 If (referenced (ptr, current function)
137 and referenced (object, current function))
138 Issue warning (ptr, object, reference locations)
139
140 The complexity is:
141 O (sizeof (points-to table)
142 + sizeof (function body) * lookup_time (points-to table))
143
144 Pointer dereference locations are looked up on demand. The search is
145 a single scan of the function body, in which all references to pointers
146 and objects in the points-to table are recorded. However, this dominant
147 time factor occurs rarely, only when cross-type aliasing was detected.
148
149
150 Limitations of the Proposed Implementation
151 ==========================================
152
153 1. We do not catch the following case, because -fstrict-aliasing will
154 associate different tags with MEM while building points-to information,
155 thus before we get to analyze it.
156 XXX: this could be solved by either running with -fno-strict-aliasing
157 or by recording the points-to information before splitting the orignal
158 tag based on type.
159
160 Example 3.
161 void* mem = malloc (...);
162 int* pi = reinterpret_cast<int*> (mem);
163 float* b = reinterpret_cast<float*> (mem);
164 *b = 2.0;
165 return *pi+1;
166
167 2. We do not check whether the two conflicting (de)references can
168 reach each other in the control flow sense. If we fixed limitation
169 1, we would wrongly issue a warning in the following case.
170
171 Example 4.
172 void* raw = malloc (...);
173 if (...) {
174 float* b = reinterpret_cast<float*> (raw);
175 *b = 2.0;
176 return (int)*b;
177 } else {
178 int* a = reinterpret_cast<int*> (raw);
179 *a = 1;
180 return *a;
181
182 3. Only simple types are compared, thus no structures, unions or classes
183 are analyzed. A first attempt to deal with structures introduced much
184 complication and has not showed much improvement in preliminary tests,
185 so it was left out.
186
187 4. All analysis is intraprocedural. */
188
189
190 /* Local declarations. */
191 static void find_references_in_function (void);
192
193
194
195 /* Get main type of tree TYPE, stripping array dimensions and qualifiers. */
196
197 static tree
get_main_type(tree type)198 get_main_type (tree type)
199 {
200 while (TREE_CODE (type) == ARRAY_TYPE)
201 type = TREE_TYPE (type);
202 return TYPE_MAIN_VARIANT (type);
203 }
204
205
206 /* Get the type of the given object. If IS_PTR is true, get the type of the
207 object pointed to or referenced by OBJECT instead.
208 For arrays, return the element type. Ignore all qualifiers. */
209
210 static tree
get_otype(tree object,bool is_ptr)211 get_otype (tree object, bool is_ptr)
212 {
213 tree otype = TREE_TYPE (object);
214
215 if (is_ptr)
216 {
217 gcc_assert (POINTER_TYPE_P (otype));
218 otype = TREE_TYPE (otype);
219 }
220 return get_main_type (otype);
221 }
222
223
224 /* Return true if tree TYPE is struct, class or union. */
225
226 static bool
struct_class_union_p(tree type)227 struct_class_union_p (tree type)
228 {
229 return (TREE_CODE (type) == RECORD_TYPE
230 || TREE_CODE (type) == UNION_TYPE
231 || TREE_CODE (type) == QUAL_UNION_TYPE);
232 }
233
234
235
236 /* Keep data during a search for an aliasing site.
237 RHS = object or pointer aliased. No LHS is specified because we are only
238 looking in the UseDef paths of a given variable, so LHS will always be
239 an SSA name of the same variable.
240 When IS_RHS_POINTER = true, we are looking for ... = RHS. Otherwise,
241 we are looking for ... = &RHS.
242 SITE is the output of a search, non-NULL if the search succeeded. */
243
244 struct alias_match
245 {
246 tree rhs;
247 bool is_rhs_pointer;
248 tree site;
249 };
250
251
252 /* Callback for find_alias_site. Return true if the right hand site
253 of STMT matches DATA. */
254
255 static bool
find_alias_site_helper(tree var ATTRIBUTE_UNUSED,tree stmt,void * data)256 find_alias_site_helper (tree var ATTRIBUTE_UNUSED, tree stmt, void *data)
257 {
258 struct alias_match *match = (struct alias_match *) data;
259 tree rhs_pointer = get_rhs (stmt);
260 tree to_match = NULL_TREE;
261
262 while (TREE_CODE (rhs_pointer) == NOP_EXPR
263 || TREE_CODE (rhs_pointer) == CONVERT_EXPR
264 || TREE_CODE (rhs_pointer) == VIEW_CONVERT_EXPR)
265 rhs_pointer = TREE_OPERAND (rhs_pointer, 0);
266
267 if (!rhs_pointer)
268 /* Not a type conversion. */
269 return false;
270
271 if (TREE_CODE (rhs_pointer) == ADDR_EXPR && !match->is_rhs_pointer)
272 to_match = TREE_OPERAND (rhs_pointer, 0);
273 else if (POINTER_TYPE_P (rhs_pointer) && match->is_rhs_pointer)
274 to_match = rhs_pointer;
275
276 if (to_match != match->rhs)
277 /* Type conversion, but not a name match. */
278 return false;
279
280 /* Found it. */
281 match->site = stmt;
282 return true;
283 }
284
285
286 /* Find the statement where OBJECT1 gets aliased to OBJECT2.
287 If IS_PTR2 is true, consider OBJECT2 to be the name of a pointer or
288 reference rather than the actual aliased object.
289 For now, just implement the case where OBJECT1 is an SSA name defined
290 by a PHI statement. */
291
292 static tree
find_alias_site(tree object1,bool is_ptr1 ATTRIBUTE_UNUSED,tree object2,bool is_ptr2)293 find_alias_site (tree object1, bool is_ptr1 ATTRIBUTE_UNUSED,
294 tree object2, bool is_ptr2)
295 {
296 struct alias_match match;
297
298 match.rhs = object2;
299 match.is_rhs_pointer = is_ptr2;
300 match.site = NULL_TREE;
301
302 if (TREE_CODE (object1) != SSA_NAME)
303 return NULL_TREE;
304
305 walk_use_def_chains (object1, find_alias_site_helper, &match, false);
306 return match.site;
307 }
308
309
310 /* Structure to store temporary results when trying to figure out whether
311 an object is referenced. Just its presence in the text is not enough,
312 as we may just be taking its address. */
313
314 struct match_info
315 {
316 tree object;
317 bool is_ptr;
318 /* The difference between the number of references to OBJECT
319 and the number of occurences of &OBJECT. */
320 int found;
321 };
322
323
324 /* Return the base if EXPR is an SSA name. Return EXPR otherwise. */
325
326 static tree
get_ssa_base(tree expr)327 get_ssa_base (tree expr)
328 {
329 if (TREE_CODE (expr) == SSA_NAME)
330 return SSA_NAME_VAR (expr);
331 else
332 return expr;
333 }
334
335
336 /* Record references to objects and pointer dereferences across some piece of
337 code. The number of references is recorded for each item.
338 References to an object just to take its address are not counted.
339 For instance, if PTR is a pointer and OBJ is an object:
340 1. Expression &obj + *ptr will have the following reference match structure:
341 ptrs: <ptr, 1>
342 objs: <ptr, 1>
343 OBJ does not appear as referenced because we just take its address.
344 2. Expression ptr + *ptr will have the following reference match structure:
345 ptrs: <ptr, 1>
346 objs: <ptr, 2>
347 PTR shows up twice as an object, but is dereferenced only once.
348
349 The elements of the hash tables are tree_map objects. */
350 struct reference_matches
351 {
352 htab_t ptrs;
353 htab_t objs;
354 };
355
356
357 /* Return the match, if any. Otherwise, return NULL_TREE. It will
358 return NULL_TREE even when a match was found, if the value associated
359 to KEY is NULL_TREE. */
360
361 static inline tree
match(htab_t ref_map,tree key)362 match (htab_t ref_map, tree key)
363 {
364 struct tree_map to_find;
365 struct tree_map *found;
366 void **slot = NULL;
367
368 to_find.from = key;
369 to_find.hash = htab_hash_pointer (key);
370 slot = htab_find_slot (ref_map, &to_find, NO_INSERT);
371
372 if (!slot)
373 return NULL_TREE;
374
375 found = (struct tree_map *) *slot;
376 return found->to;
377 }
378
379
380 /* Set the entry corresponding to KEY, but only if the entry
381 already exists and its value is NULL_TREE. Otherwise, do nothing. */
382
383 static inline void
maybe_add_match(htab_t ref_map,struct tree_map * key)384 maybe_add_match (htab_t ref_map, struct tree_map *key)
385 {
386 struct tree_map *found = htab_find (ref_map, key);
387
388 if (found && !found->to)
389 found->to = key->to;
390 }
391
392
393 /* Add an entry to HT, with key T and value NULL_TREE. */
394
395 static void
add_key(htab_t ht,tree t,alloc_pool references_pool)396 add_key (htab_t ht, tree t, alloc_pool references_pool)
397 {
398 void **slot;
399 struct tree_map *tp = pool_alloc (references_pool);
400
401 tp->from = t;
402 tp->to = NULL_TREE;
403 tp->hash = htab_hash_pointer(tp->from);
404
405 slot = htab_find_slot (ht, tp, INSERT);
406 *slot = (void *) tp;
407 }
408
409
410 /* Some memory to keep the objects in the reference table. */
411
412 static alloc_pool ref_table_alloc_pool = NULL;
413
414
415 /* Get some memory to keep the objects in the reference table. */
416
417 static inline alloc_pool
reference_table_alloc_pool(bool build)418 reference_table_alloc_pool (bool build)
419 {
420 if (ref_table_alloc_pool || !build)
421 return ref_table_alloc_pool;
422
423 ref_table_alloc_pool =
424 create_alloc_pool ("ref_table_alloc_pool", sizeof (struct tree_map), 20);
425
426 return ref_table_alloc_pool;
427 }
428
429
430 /* Initialize the reference table by adding all pointers in the points-to
431 table as keys, and NULL_TREE as associated values. */
432
433 static struct reference_matches *
build_reference_table(void)434 build_reference_table (void)
435 {
436 unsigned int i;
437 struct reference_matches *ref_table = NULL;
438 alloc_pool references_pool = reference_table_alloc_pool (true);
439
440 ref_table = XNEW (struct reference_matches);
441 ref_table->objs = htab_create (10, tree_map_hash, tree_map_eq, NULL);
442 ref_table->ptrs = htab_create (10, tree_map_hash, tree_map_eq, NULL);
443
444 for (i = 1; i < num_ssa_names; i++)
445 {
446 tree ptr = ssa_name (i);
447 struct ptr_info_def *pi;
448
449 if (ptr == NULL_TREE)
450 continue;
451
452 pi = SSA_NAME_PTR_INFO (ptr);
453
454 if (!SSA_NAME_IN_FREE_LIST (ptr) && pi && pi->name_mem_tag)
455 {
456 /* Add pointer to the interesting dereference list. */
457 add_key (ref_table->ptrs, ptr, references_pool);
458
459 /* Add all aliased names to the interesting reference list. */
460 if (pi->pt_vars)
461 {
462 unsigned ix;
463 bitmap_iterator bi;
464
465 EXECUTE_IF_SET_IN_BITMAP (pi->pt_vars, 0, ix, bi)
466 {
467 tree alias = referenced_var (ix);
468 add_key (ref_table->objs, alias, references_pool);
469 }
470 }
471 }
472 }
473
474 return ref_table;
475 }
476
477
478 /* Reference table. */
479
480 static struct reference_matches *ref_table = NULL;
481
482
483 /* Clean up the reference table if allocated. */
484
485 static void
maybe_free_reference_table(void)486 maybe_free_reference_table (void)
487 {
488 if (ref_table)
489 {
490 htab_delete (ref_table->ptrs);
491 htab_delete (ref_table->objs);
492 free (ref_table);
493 ref_table = NULL;
494 }
495
496 if (ref_table_alloc_pool)
497 {
498 free_alloc_pool (ref_table_alloc_pool);
499 ref_table_alloc_pool = NULL;
500 }
501 }
502
503
504 /* Get the reference table. Initialize it if needed. */
505
506 static inline struct reference_matches *
reference_table(bool build)507 reference_table (bool build)
508 {
509 if (ref_table || !build)
510 return ref_table;
511
512 ref_table = build_reference_table ();
513 find_references_in_function ();
514 return ref_table;
515 }
516
517
518 /* Callback for find_references_in_function.
519 Check whether *TP is an object reference or pointer dereference for the
520 variables given in ((struct match_info*)DATA)->OBJS or
521 ((struct match_info*)DATA)->PTRS. The total number of references
522 is stored in the same structures. */
523
524 static tree
find_references_in_tree_helper(tree * tp,int * walk_subtrees ATTRIBUTE_UNUSED,void * data)525 find_references_in_tree_helper (tree *tp,
526 int *walk_subtrees ATTRIBUTE_UNUSED,
527 void *data)
528 {
529 struct tree_map match;
530 static int parent_tree_code = ERROR_MARK;
531
532 /* Do not report references just for the purpose of taking an address.
533 XXX: we rely on the fact that the tree walk is in preorder
534 and that ADDR_EXPR is not a leaf, thus cannot be carried over across
535 walks. */
536 if (parent_tree_code == ADDR_EXPR)
537 goto finish;
538
539 match.to = (tree) data;
540
541 if (TREE_CODE (*tp) == INDIRECT_REF)
542 {
543 match.from = TREE_OPERAND (*tp, 0);
544 match.hash = htab_hash_pointer (match.from);
545 maybe_add_match (reference_table (true)->ptrs, &match);
546 }
547 else
548 {
549 match.from = *tp;
550 match.hash = htab_hash_pointer (match.from);
551 maybe_add_match (reference_table (true)->objs, &match);
552 }
553
554 finish:
555 parent_tree_code = TREE_CODE (*tp);
556 return NULL_TREE;
557 }
558
559
560 /* Find all the references to aliased variables in the current function. */
561
562 static void
find_references_in_function(void)563 find_references_in_function (void)
564 {
565 basic_block bb;
566 block_stmt_iterator i;
567
568 FOR_EACH_BB (bb)
569 for (i = bsi_start (bb); !bsi_end_p (i); bsi_next (&i))
570 walk_tree (bsi_stmt_ptr (i), find_references_in_tree_helper,
571 (void *) *bsi_stmt_ptr (i), NULL);
572 }
573
574
575 /* Find the reference site for OBJECT.
576 If IS_PTR is true, look for derferences of OBJECT instead.
577 XXX: only the first site is returned in the current
578 implementation. If there are no matching sites, return NULL_TREE. */
579
580 static tree
reference_site(tree object,bool is_ptr)581 reference_site (tree object, bool is_ptr)
582 {
583 if (is_ptr)
584 return match (reference_table (true)->ptrs, object);
585 else
586 return match (reference_table (true)->objs, object);
587 }
588
589
590 /* Try to get more location info when something is missing.
591 OBJECT1 and OBJECT2 are aliased names. If IS_PTR1 or IS_PTR2, the alias
592 is on the memory referenced or pointed to by OBJECT1 and OBJECT2.
593 ALIAS_SITE, DEREF_SITE1 and DEREF_SITE2 are the statements where the
594 alias takes place (some pointer assignment usually) and where the
595 alias is referenced through OBJECT1 and OBJECT2 respectively.
596 REF_TYPE1 and REF_TYPE2 will return the type of the reference at the
597 respective sites. Only the first matching reference is returned for
598 each name. If no statement is found, the function header is returned. */
599
600 static void
maybe_find_missing_stmts(tree object1,bool is_ptr1,tree object2,bool is_ptr2,tree * alias_site,tree * deref_site1,tree * deref_site2)601 maybe_find_missing_stmts (tree object1, bool is_ptr1,
602 tree object2, bool is_ptr2,
603 tree *alias_site,
604 tree *deref_site1,
605 tree *deref_site2)
606 {
607 if (object1 && object2)
608 {
609 if (!*alias_site || !EXPR_HAS_LOCATION (*alias_site))
610 *alias_site = find_alias_site (object1, is_ptr1, object2, is_ptr2);
611
612 if (!*deref_site1 || !EXPR_HAS_LOCATION (*deref_site1))
613 *deref_site1 = reference_site (object1, is_ptr1);
614
615 if (!*deref_site2 || !EXPR_HAS_LOCATION (*deref_site2))
616 *deref_site2 = reference_site (object2, is_ptr2);
617 }
618
619 /* If we could not find the alias site, set it to one of the dereference
620 sites, if available. */
621 if (!*alias_site)
622 {
623 if (*deref_site1)
624 *alias_site = *deref_site1;
625 else if (*deref_site2)
626 *alias_site = *deref_site2;
627 }
628
629 /* If we could not find the dereference sites, set them to the alias site,
630 if known. */
631 if (!*deref_site1 && *alias_site)
632 *deref_site1 = *alias_site;
633 if (!*deref_site2 && *alias_site)
634 *deref_site2 = *alias_site;
635 }
636
637
638 /* Callback for find_first_artificial_name.
639 Find out if there are no artificial names at tree node *T. */
640
641 static tree
ffan_walker(tree * t,int * go_below ATTRIBUTE_UNUSED,void * data ATTRIBUTE_UNUSED)642 ffan_walker (tree *t,
643 int *go_below ATTRIBUTE_UNUSED,
644 void *data ATTRIBUTE_UNUSED)
645 {
646 if (TREE_CODE (*t) == VAR_DECL || TREE_CODE (*t) == PARM_DECL)
647 if (DECL_ARTIFICIAL (*t))
648 return *t;
649
650 return NULL_TREE;
651 }
652
653 /* Return the first artificial name within EXPR, or NULL_TREE if
654 none exists. */
655
656 static tree
find_first_artificial_name(tree expr)657 find_first_artificial_name (tree expr)
658 {
659 return walk_tree_without_duplicates (&expr, ffan_walker, NULL);
660 }
661
662
663 /* Get a name from the original program for VAR. */
664
665 static const char *
get_var_name(tree var)666 get_var_name (tree var)
667 {
668 if (TREE_CODE (var) == SSA_NAME)
669 return get_var_name (get_ssa_base (var));
670
671 if (find_first_artificial_name (var))
672 return "{unknown}";
673
674 if (TREE_CODE (var) == VAR_DECL || TREE_CODE (var) == PARM_DECL)
675 if (DECL_NAME (var))
676 return IDENTIFIER_POINTER (DECL_NAME (var));
677
678 return "{unknown}";
679 }
680
681
682 /* Return true if VAR contains an artificial name. */
683
684 static bool
contains_artificial_name_p(tree var)685 contains_artificial_name_p (tree var)
686 {
687 if (TREE_CODE (var) == SSA_NAME)
688 return contains_artificial_name_p (get_ssa_base (var));
689
690 return find_first_artificial_name (var) != NULL_TREE;
691 }
692
693
694 /* Return "*" if OBJECT is not the actual alias but a pointer to it, or
695 "" otherwise.
696 IS_PTR is true when OBJECT is not the actual alias.
697 In addition to checking IS_PTR, we also make sure that OBJECT is a pointer
698 since IS_PTR would also be true for C++ references, but we should only
699 print a * before a pointer and not before a reference. */
700
701 static const char *
get_maybe_star_prefix(tree object,bool is_ptr)702 get_maybe_star_prefix (tree object, bool is_ptr)
703 {
704 gcc_assert (object);
705 return (is_ptr
706 && TREE_CODE (TREE_TYPE (object)) == POINTER_TYPE) ? "*" : "";
707 }
708
709
710 /* Callback for contains_node_type_p.
711 Returns true if *T has tree code *(int*)DATA. */
712
713 static tree
contains_node_type_p_callback(tree * t,int * go_below ATTRIBUTE_UNUSED,void * data)714 contains_node_type_p_callback (tree *t,
715 int *go_below ATTRIBUTE_UNUSED,
716 void *data)
717 {
718 return ((int) TREE_CODE (*t) == *((int *) data)) ? *t : NULL_TREE;
719 }
720
721
722 /* Return true if T contains a node with tree code TYPE. */
723
724 static bool
contains_node_type_p(tree t,int type)725 contains_node_type_p (tree t, int type)
726 {
727 return (walk_tree_without_duplicates (&t, contains_node_type_p_callback,
728 (void *) &type)
729 != NULL_TREE);
730 }
731
732
733 /* Return true if a warning was issued in the front end at STMT. */
734
735 static bool
already_warned_in_frontend_p(tree stmt)736 already_warned_in_frontend_p (tree stmt)
737 {
738 tree rhs_pointer;
739
740 if (stmt == NULL_TREE)
741 return false;
742
743 rhs_pointer = get_rhs (stmt);
744
745 if ((TREE_CODE (rhs_pointer) == NOP_EXPR
746 || TREE_CODE (rhs_pointer) == CONVERT_EXPR
747 || TREE_CODE (rhs_pointer) == VIEW_CONVERT_EXPR)
748 && TREE_NO_WARNING (rhs_pointer))
749 return true;
750 else
751 return false;
752 }
753
754
755 /* Return true if and only if TYPE is a function or method pointer type,
756 or pointer to a pointer to ... to a function or method. */
757
758 static bool
is_method_pointer(tree type)759 is_method_pointer (tree type)
760 {
761 while (TREE_CODE (type) == POINTER_TYPE)
762 type = TREE_TYPE (type);
763 return TREE_CODE (type) == METHOD_TYPE || TREE_CODE (type) == FUNCTION_TYPE;
764 }
765
766
767 /* Issue a -Wstrict-aliasing warning.
768 OBJECT1 and OBJECT2 are aliased names.
769 If IS_PTR1 and/or IS_PTR2 is true, then the corresponding name
770 OBJECT1/OBJECT2 is a pointer or reference to the aliased memory,
771 rather than actual storage.
772 ALIAS_SITE is a statement where the alias took place. In the most common
773 case, that is where a pointer was assigned to the address of an object. */
774
775 static bool
strict_aliasing_warn(tree alias_site,tree object1,bool is_ptr1,tree object2,bool is_ptr2,bool filter_artificials)776 strict_aliasing_warn (tree alias_site,
777 tree object1, bool is_ptr1,
778 tree object2, bool is_ptr2,
779 bool filter_artificials)
780 {
781 tree ref_site1 = NULL_TREE;
782 tree ref_site2 = NULL_TREE;
783 const char *name1;
784 const char *name2;
785 location_t alias_loc;
786 location_t ref1_loc;
787 location_t ref2_loc;
788 gcc_assert (object1);
789 gcc_assert (object2);
790
791 if (contains_artificial_name_p (object1)
792 || contains_artificial_name_p (object2))
793 return false;
794
795 name1 = get_var_name (object1);
796 name2 = get_var_name (object2);
797
798 if (is_method_pointer (get_main_type (TREE_TYPE (object2))))
799 return false;
800
801 maybe_find_missing_stmts (object1, is_ptr1, object2, is_ptr2, &alias_site,
802 &ref_site1, &ref_site2);
803
804 if (!alias_site)
805 return false;
806
807 if (EXPR_HAS_LOCATION (alias_site))
808 alias_loc = EXPR_LOCATION (alias_site);
809 else
810 return false;
811
812 if (EXPR_HAS_LOCATION (ref_site1))
813 ref1_loc = EXPR_LOCATION (ref_site1);
814 else
815 ref1_loc = alias_loc;
816
817 if (EXPR_HAS_LOCATION (ref_site2))
818 ref2_loc = EXPR_LOCATION (ref_site2);
819 else
820 ref2_loc = alias_loc;
821
822 if (already_warned_in_frontend_p (alias_site))
823 return false;
824
825 /* If they are not SSA names, but contain SSA names, drop the warning
826 because it cannot be displayed well.
827 Also drop it if they both contain artificials.
828 XXX: this is a hack, must figure out a better way to display them. */
829 if (filter_artificials)
830 if ((find_first_artificial_name (get_ssa_base (object1))
831 && find_first_artificial_name (get_ssa_base (object2)))
832 || (TREE_CODE (object1) != SSA_NAME
833 && contains_node_type_p (object1, SSA_NAME))
834 || (TREE_CODE (object2) != SSA_NAME
835 && contains_node_type_p (object2, SSA_NAME)))
836 return false;
837
838 /* XXX: In the following format string, %s:%d should be replaced by %H.
839 However, in my tests only the first %H printed ok, while the
840 second and third were printed as blanks. */
841 warning (OPT_Wstrict_aliasing,
842 "%Hlikely type-punning may break strict-aliasing rules: "
843 "object %<%s%s%> of main type %qT is referenced at or around "
844 "%s:%d and may be "
845 "aliased to object %<%s%s%> of main type %qT which is referenced "
846 "at or around %s:%d.",
847 &alias_loc,
848 get_maybe_star_prefix (object1, is_ptr1),
849 name1, get_otype (object1, is_ptr1),
850 LOCATION_FILE (ref1_loc), LOCATION_LINE (ref1_loc),
851 get_maybe_star_prefix (object2, is_ptr2),
852 name2, get_otype (object2, is_ptr2),
853 LOCATION_FILE (ref2_loc), LOCATION_LINE (ref2_loc));
854
855 return true;
856 }
857
858
859
860 /* Return true when any objects of TYPE1 and TYPE2 respectively
861 may not be aliased according to the language standard. */
862
863 static bool
nonstandard_alias_types_p(tree type1,tree type2)864 nonstandard_alias_types_p (tree type1, tree type2)
865 {
866 HOST_WIDE_INT set1;
867 HOST_WIDE_INT set2;
868
869 if (VOID_TYPE_P (type1) || VOID_TYPE_P (type2))
870 return false;
871
872 set1 = get_alias_set (type1);
873 set2 = get_alias_set (type2);
874 return !alias_sets_conflict_p (set1, set2);
875 }
876
877
878
879 /* Returns true if the given name is a struct field tag (SFT). */
880
881 static bool
struct_field_tag_p(tree var)882 struct_field_tag_p (tree var)
883 {
884 return TREE_CODE (var) == STRUCT_FIELD_TAG;
885 }
886
887
888 /* Returns true when *PTR may not be aliased to ALIAS.
889 See C standard 6.5p7 and C++ standard 3.10p15.
890 If PTR_PTR is true, ALIAS represents a pointer or reference to the
891 aliased storage rather than its actual name. */
892
893 static bool
nonstandard_alias_p(tree ptr,tree alias,bool ptr_ptr)894 nonstandard_alias_p (tree ptr, tree alias, bool ptr_ptr)
895 {
896 /* Find the types to compare. */
897 tree ptr_type = get_otype (ptr, true);
898 tree alias_type = get_otype (alias, ptr_ptr);
899
900 /* XXX: for now, say it's OK if the alias escapes.
901 Not sure this is needed in general, but otherwise GCC will not
902 bootstrap. */
903 if (var_ann (get_ssa_base (alias))->escape_mask != NO_ESCAPE)
904 return false;
905
906 /* XXX: don't get into structures for now. It brings much complication
907 and little benefit. */
908 if (struct_class_union_p (ptr_type) || struct_class_union_p (alias_type))
909 return false;
910
911 /* XXX: In 4.2.1, field resolution in alias is not as good as in pre-4.3
912 This fixes problems found during the backport, where a pointer to the
913 first field of a struct appears to be aliased to the whole struct. */
914 if (struct_field_tag_p (alias))
915 return false;
916
917 /* If they are both SSA names of artificials, let it go, the warning
918 is too confusing. */
919 if (find_first_artificial_name (ptr) && find_first_artificial_name (alias))
920 return false;
921
922 /* Compare the types. */
923 return nonstandard_alias_types_p (ptr_type, alias_type);
924 }
925
926
927 /* Return true when we should skip analysis for pointer PTR based on the
928 fact that their alias information *PI is not considered relevant. */
929
930 static bool
skip_this_pointer(tree ptr ATTRIBUTE_UNUSED,struct ptr_info_def * pi)931 skip_this_pointer (tree ptr ATTRIBUTE_UNUSED, struct ptr_info_def *pi)
932 {
933 /* If it is not dereferenced, it is not a problem (locally). */
934 if (!pi->is_dereferenced)
935 return true;
936
937 /* This would probably cause too many false positives. */
938 if (pi->value_escapes_p || pi->pt_anything)
939 return true;
940
941 return false;
942 }
943
944
945 /* Find aliasing to named objects for pointer PTR. */
946
947 static void
dsa_named_for(tree ptr)948 dsa_named_for (tree ptr)
949 {
950 struct ptr_info_def *pi = SSA_NAME_PTR_INFO (ptr);
951
952 if (pi)
953 {
954 if (skip_this_pointer (ptr, pi))
955 return;
956
957 /* For all the variables it could be aliased to. */
958 if (pi->pt_vars)
959 {
960 unsigned ix;
961 bitmap_iterator bi;
962
963 EXECUTE_IF_SET_IN_BITMAP (pi->pt_vars, 0, ix, bi)
964 {
965 tree alias = referenced_var (ix);
966
967 if (is_global_var (alias))
968 continue;
969
970 if (nonstandard_alias_p (ptr, alias, false))
971 strict_aliasing_warn (SSA_NAME_DEF_STMT (ptr),
972 ptr, true, alias, false, true);
973 }
974 }
975 }
976 }
977
978
979 /* Detect and report strict aliasing violation of named objects. */
980
981 static void
detect_strict_aliasing_named(void)982 detect_strict_aliasing_named (void)
983 {
984 unsigned int i;
985
986 for (i = 1; i < num_ssa_names; i++)
987 {
988 tree ptr = ssa_name (i);
989 struct ptr_info_def *pi;
990
991 if (ptr == NULL_TREE)
992 continue;
993
994 pi = SSA_NAME_PTR_INFO (ptr);
995
996 if (!SSA_NAME_IN_FREE_LIST (ptr) && pi && pi->name_mem_tag)
997 dsa_named_for (ptr);
998 }
999 }
1000
1001
1002 /* Return false only the first time I see each instance of FUNC. */
1003
1004 static bool
processed_func_p(tree func)1005 processed_func_p (tree func)
1006 {
1007 static htab_t seen = NULL;
1008 void **slot;
1009
1010 if (!seen)
1011 seen = htab_create (100, htab_hash_pointer, htab_eq_pointer, NULL);
1012
1013 slot = htab_find_slot (seen, func, INSERT);
1014 gcc_assert (slot);
1015
1016 if (*slot)
1017 return true;
1018
1019 *slot = func;
1020 return false;
1021 }
1022
1023
1024 /* Detect and warn about type-punning using points-to information. */
1025
1026 void
strict_aliasing_warning_backend(void)1027 strict_aliasing_warning_backend (void)
1028 {
1029 if (!(flag_strict_aliasing
1030 && warn_strict_aliasing == 3
1031 && !processed_func_p (current_function_decl)))
1032 return;
1033
1034 detect_strict_aliasing_named ();
1035 maybe_free_reference_table ();
1036 }
1037