From 02be515b6bbdad37dfdefa365c1b2e4ae1c5ddb0 Mon Sep 17 00:00:00 2001
From: David Malcolm
Date: Thu, 4 Jun 2020 17:48:40 -0400
Subject: [PATCH 199/315] FIXME: add POINTER_PLUS_EXPR tests
---
gcc/analyzer/region-model2.cc | 12 +++++++++---
gcc/testsuite/gcc.dg/analyzer/data-model-1.c | 4 ++++
gcc/testsuite/gcc.dg/analyzer/loop-3.c | 3 ---
3 files changed, 13 insertions(+), 6 deletions(-)
diff --git a/gcc/analyzer/region-model2.cc b/gcc/analyzer/region-model2.cc
index 3ca6d0bfeac..00e1cdad920 100644
--- a/gcc/analyzer/region-model2.cc
+++ b/gcc/analyzer/region-model2.cc
@@ -3103,17 +3103,20 @@ region_model2_manager::maybe_fold_binop (tree type, enum tree_code op, binop->get_arg1 (), arg1)); /* FIXME. pointer_plus_expr on pointer_plus_expr... - associative_tree_code is false for POINTER_PLUS_EXPR. */ + associative_tree_code is false for POINTER_PLUS_EXPR, but we + can fold: + "(PTR ptr+ CST_A) ptr+ CST_B)" to "PTR ptr+ (CST_A ptr+ CST_B)". */ /* e.g. in data-model-1.c: test_42c. */ if (cst1 && op == POINTER_PLUS_EXPR) if (const binop_svalue2 *binop = arg0->dyn_cast_binop_svalue2 ()) if (binop->get_op () == POINTER_PLUS_EXPR) if (tree cst01 = binop->get_arg1 ()->maybe_get_constant ()) - if (TREE_TYPE (cst01) == TREE_TYPE (cst1)) + { return get_or_create_binop (type, op, binop->get_arg0 (), - get_or_create_binop (type, op, + get_or_create_binop (size_type_node, op, binop->get_arg1 (), arg1)); + } // TODO
@@ -4096,6 +4099,9 @@ region_model2::on_gassign (const gassign *assign, const svalue2 *ptr_sval = get_rvalue (ptr, ctxt); const svalue2 *offset_sval = get_rvalue (offset, ctxt); + /* Quoting tree.def, "the second operand [of a POINTER_PLUS_EXPR] + is an integer of type sizetype". */ + offset_sval = m_mgr->get_or_create_cast (size_type_node, offset_sval); const svalue2 *sval_binop = m_mgr->get_or_create_binop (TREE_TYPE (lhs), op,
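Review bot: In `maybe_fold_binop`, dropping the `TREE_TYPE (cst01) == TREE_TYPE (cst1)` guard means the inner `get_or_create_binop (size_type_node, op, ...)` now combines the two constants as sizetype without checking that either one actually has that type. The only normalisation visible in this patch is the `get_or_create_cast` added in `on_gassign`, so a POINTER_PLUS_EXPR reaching the fold by any other path may be folded under a type it does not have, and a mis-folded offset is the sort of error that makes the analyzer miss or misplace a pointer diagnostic. I would keep the guard in a relaxed form, e.g. `if (types_compatible_p (TREE_TYPE (cst01), TREE_TYPE (cst1)))`, or at least state the sizetype invariant in the comment above the fold. The new comment's `"(PTR ptr+ CST_A) ptr+ CST_B)"` also has an unmatched `)`, and the added braces wrap a single `return`. The body of `maybe_fold_binop` continues outside the hunk.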
diff --git a/gcc/testsuite/gcc.dg/analyzer/data-model-1.c b/gcc/testsuite/gcc.dg/analyzer/data-model-1.c
index dccff41bbe2..c0dd2e0378b 100644
--- a/gcc/testsuite/gcc.dg/analyzer/data-model-1.c
+++ b/gcc/testsuite/gcc.dg/analyzer/data-model-1.c
@@ -629,6 +629,8 @@ void test_29a (struct coord p[]) __analyzer_eval (q[-2].y == 107025); /* { dg-warning "TRUE" } */ q -= 2; + __analyzer_eval (q == &p[7]); /* { dg-warning "UNKNOWN" } */ + // TODO: make this be TRUE __analyzer_eval (q->x == 107024); /* { dg-warning "TRUE" } */ __analyzer_eval (q->y == 107025); /* { dg-warning "TRUE" } */
@@ -677,6 +679,7 @@ void test_29b (void) __analyzer_eval (q[-2].y == 107025); /* { dg-warning "TRUE" } */ q -= 2; + __analyzer_eval (q == &p[7]); /* { dg-warning "TRUE" } */ __analyzer_eval (q->x == 107024); /* { dg-warning "TRUE" } */ __analyzer_eval (q->y == 107025); /* { dg-warning "TRUE" } */
@@ -725,6 +728,7 @@ void test_29c (int len) __analyzer_eval (q[-2].y == 107025); /* { dg-warning "TRUE" } */ q -= 2; + __analyzer_eval (q == &p[7]); /* { dg-warning "TRUE" } */ __analyzer_eval (q->x == 107024); /* { dg-warning "TRUE" } */ __analyzer_eval (q->y == 107025); /* { dg-warning "TRUE" } */
diff --git a/gcc/testsuite/gcc.dg/analyzer/loop-3.c b/gcc/testsuite/gcc.dg/analyzer/loop-3.c
index 191b4d8dc85..fb2c3796ada 100644
--- a/gcc/testsuite/gcc.dg/analyzer/loop-3.c
+++ b/gcc/testsuite/gcc.dg/analyzer/loop-3.c
@@ -8,9 +8,6 @@ void test(int c) for (i=0; i<255; i++) { buffer[i] = c; /* { dg-warning "use after 'free' of 'buffer'" "use after free" } */ /* { dg-warning "possibly-NULL 'buffer'" "deref of unchecked" { target *-*-* } .-1 } */ - /* TODO: fix up; keeping these lines to avoid fouling my result diffs - due to the pointer arithmetic not picking up on the - state */ free(buffer); /* { dg-warning "double-'free' of 'buffer'" } */ }
-- 2.26.2
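Review bot: In the test_29a hunk, the new `__analyzer_eval (q == &p[7])` check records the imprecise answer as the expected one (`dg-warning "UNKNOWN"` plus a `// TODO`), so the test will fail on the day the analyzer gets this right, and nothing in the results marks it as a known gap. An xfail form states the intent directly: `/* { dg-warning "TRUE" "desired" { xfail *-*-* } } */` on the eval line, with `/* { dg-warning "UNKNOWN" "status quo" { target *-*-* } .-1 } */` on the line after it. The test_29b and test_29c hunks already expect TRUE and need no change.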