From 031a8778f8da3aaf862951458fa412c42ed3e12b Mon Sep 17 00:00:00 2001
From: David Malcolm
Date: Mon, 3 Jun 2019 14:18:27 +0100
Subject: [PATCH 22/28] FIXME: more on data-model-5.c
---
 gcc/testsuite/gcc.dg/analyzer/data-model-5.c | 40 ++++++++++++++++++++++++++--
 1 file changed, 38 insertions(+), 2 deletions(-)
diff --git a/gcc/testsuite/gcc.dg/analyzer/data-model-5.c b/gcc/testsuite/gcc.dg/analyzer/data-model-5.c
index ef3acfb..46881c9 100644
--- a/gcc/testsuite/gcc.dg/analyzer/data-model-5.c
+++ b/gcc/testsuite/gcc.dg/analyzer/data-model-5.c
@@ -57,16 +57,32 @@ type_obj str_type = { { &str_type, 1}, str_del };
-#if 0
+#if 1
+
+base_obj *alloc_obj (type_obj *ob_type, size_t sz)
+{
+  base_obj *obj = (base_obj *)malloc (sz);
+  if (!obj)
+    return NULL;
+  obj->ob_type = ob_type;
+  obj->ob_refcnt = 1;
+  return obj;
+}
+
 base_obj *new_string_obj (const char *str)
 {
   __analyzer_dump ();
   size_t len = strlen (str);
+#if 1
+  string_obj *str_obj
+    = (string_obj *)alloc_obj (&str_type, sizeof (string_obj) + len + 1);
+#else
   string_obj *str_obj = (string_obj *)malloc (sizeof (string_obj) + len + 1);
   if (!str_obj)
     return NULL;
   str_obj->str_base.ob_type = &str_type;
   str_obj->str_base.ob_refcnt = 1;
+#endif
   str_obj->str_len = len;
   memcpy (str_obj->str_buf, str, len);
   str_obj->str_buf[len] = '\0';
@@ -76,7 +92,10 @@ base_obj *new_string_obj (const char *str)
 void unref (base_obj *obj)
 {
   if (--obj->ob_refcnt == 0)
-    obj->ob_type->tp_dealloc (obj);
+    {
+      __analyzer_dump();
+      obj->ob_type->tp_dealloc (obj);
+    }
 }
 void test_1 (const char *str)
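Review bot: In new_string_obj, the new `#if 1` path drops the `if (!str_obj) return NULL;` guard that the old `#else` path still carries, so when alloc_obj returns NULL the following `str_obj->str_len = len;` dereferences a null pointer. Because this is an analyzer test and the FIXME later in the same file already says the analyzer "ought to complain about NULL deref for when the malloc fails", the omission looks intentional, but nothing in the hunk says so; a comment on the `#if 1` block such as `/* Deliberately unchecked: alloc_obj can return NULL; the analyzer should report the deref below.  */` would stop a later reader from "fixing" it, and a `dg-warning` directive on that line would pin the expected diagnostic once the analyzer emits it. The `#if 1`/`#else`/`#endif` toggles and the `__analyzer_dump ()` calls read as debugging scaffolding; if they are meant to survive into the committed test, a one-line note on what each toggle exercises would help. new_string_obj's body continues past the end of the hunk.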
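Review bot: The added `__analyzer_dump();` in unref is written without the space before the parenthesis that the rest of the file uses (`__analyzer_dump ();`, `tp_dealloc (obj)`), so it stands out against the GNU style of the surrounding code; `__analyzer_dump ();` would match. It is also a debugging probe rather than part of the scenario under test, so if it is meant to stay, a short comment saying what state the dump is meant to show at the dealloc point (presumably the refcount having just reached zero) would explain its presence to the next reader. unref lies fully within the hunk.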
@@ -89,4 +108,21 @@ void test_1 (const char *str) /* FIXME: - ought to complain about NULL deref for when the malloc fails -for some reason it's complaining about deref of uninit ptr in various places + - looks like something's going wrong with svalue reordering, and things start using the wrong IDs + e.g. the stack svalue stops being "sv0 uninit" and becomes something else + Seems to happen at: + entering: get_or_create_node + point: callstring: [(SN: 9 -> SN: 3 in test_1)] after (SN: 6 stmt: 0): _1 = obj_8(D)->ob_refcnt; + +where at EN: 320 + point: callstring: [(SN: 9 -> SN: 3 in test_1)] before (SN: 6 stmt: 0): _1 = obj_8(D)->ob_refcnt; +we have: + sv0: {poisoned: uninit} +but at: + +../../src/gcc/testsuite/gcc.dg/analyzer/data-model-5.c:94:12: warning: deref of uninitialized pointer + point: callstring: [(SN: 9 -> SN: 3 in test_1)] after (SN: 6 stmt: 0): _1 = obj_8(D)->ob_refcnt; +we have: + sv0: {type: ‘struct base_obj *’, &r18} +in "created EN: 321" (before pruning) */ -- 1.8.5.3