From 00d29afd074d84d9d903d4fb6a5db859f6b1f7a2 Mon Sep 17 00:00:00 2001
From: David Malcolm
Date: Thu, 2 Jul 2020 14:01:15 -0400
Subject: [PATCH 278/315] FIXME: return POISON_KIND_UNINIT for default SSA names for uninit vars

---
 gcc/analyzer/constraint-manager2.cc | 6 ++++--
 gcc/analyzer/region-model2.cc | 24 ++++++++++++++++++------
 2 files changed, 22 insertions(+), 8 deletions(-)

diff --git a/gcc/analyzer/constraint-manager2.cc b/gcc/analyzer/constraint-manager2.cc
index dbab8b74550..5c24ca007d0 100644
--- a/gcc/analyzer/constraint-manager2.cc
+++ b/gcc/analyzer/constraint-manager2.cc
@@ -1350,9 +1350,11 @@ constraint_manager2::eval_condition (const svalue2 *lhs,
 lhs = lhs->unwrap_any_unmergeable ();
 rhs = rhs->unwrap_any_unmergeable ();

- /* Nothing can be known about unknown values. */
+ /* Nothing can be known about unknown or poisoned values. */
 if (lhs->get_kind () == svalue2::SK_UNKNOWN
- || rhs->get_kind () == svalue2::SK_UNKNOWN)
+ || lhs->get_kind () == svalue2::SK_POISONED
+ || rhs->get_kind () == svalue2::SK_UNKNOWN
+ || rhs->get_kind () == svalue2::SK_POISONED)
 return tristate (tristate::TS_UNKNOWN);

 if (lhs == rhs
diff --git a/gcc/analyzer/region-model2.cc b/gcc/analyzer/region-model2.cc
index 101cac7db21..5fb071678f6 100644
--- a/gcc/analyzer/region-model2.cc
+++ b/gcc/analyzer/region-model2.cc
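Review bot: The widened guard in constraint_manager2::eval_condition treats SK_POISONED exactly like SK_UNKNOWN, but the comment `/* Nothing can be known about unknown or poisoned values. */` does not record that comparing a poisoned operand is itself the defect the analyzer is meant to catch. Returning TS_UNKNOWN here leaves both outcomes of the condition feasible, so whether a branch on an uninitialized value is ever reported depends on code outside this hunk. I would extend the comment along the lines of `/* ... For poisoned values this only avoids deriving constraints; it does not report the use. */` so that readers do not mistake this check for the diagnostic. The function begins and ends outside the hunk.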
@@ -3259,13 +3259,20 @@ region_model2_manager::get_or_create_initial_value (const region2 *reg)
 get_or_create_initial_value (original_reg));
 }

- /* We shouldn't create these for SSA names. */
- // TODO:
-#if 0
+ /* If we attempt to get the initial value of an SSA name that has
+ SSA_NAME_IS_DEFAULT_DEF and is not for a PARM_DECL, we have a
+ use of an uninitialized variable. Return a poisoned value instead. */
 if (const decl_region2 *decl_reg = reg->dyn_cast_decl_region2 ())
- return get_or_create_poisoned_svalue2 (POISON_KIND_UNINIT,
- reg->get_type ());
-#endif
+ if (TREE_CODE (decl_reg->get_decl ()) == SSA_NAME)
+ {
+ tree ssa_name = decl_reg->get_decl ();
+ if (SSA_NAME_IS_DEFAULT_DEF (ssa_name))
+ if (tree var = SSA_NAME_VAR (ssa_name))
+ if (TREE_CODE (var) == VAR_DECL)
+ return get_or_create_poisoned_svalue2 (POISON_KIND_UNINIT,
+ reg->get_type ());
+ }
+
 if (initial_svalue2 **slot = m_initial_values_map.get (reg))
 return *slot;
 initial_svalue2 *initial_sval = new initial_svalue2 (reg->get_type (), reg);
@@ -6204,6 +6211,11 @@ region_model2::eval_condition_without_cm (const svalue2 *lhs,
 /* If we have the same svalue2, then we have equality
 (apart from NaN-handling).
 TODO: should this definitely be the case for poisoned values? */
+ /* Poisoned and unknown values are "unknowable". */
+ if (lhs->get_kind () == svalue2::SK_POISONED
+ || lhs->get_kind () == svalue2::SK_UNKNOWN)
+ return tristate::TS_UNKNOWN;
+
 switch (op)
 {
 case EQ_EXPR:
-- 
2.26.2
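Review bot: The new comment in get_or_create_initial_value says the poisoned value is returned for a default-def SSA name that "is not for a PARM_DECL", but the code is narrower: it requires `SSA_NAME_VAR (ssa_name)` to be non-null and `TREE_CODE (var) == VAR_DECL`. Default definitions with no underlying variable, or with any other declaration kind, fall through to the ordinary initial_svalue2 path without being marked POISON_KIND_UNINIT, which matters when someone later triages a missed or spurious uninitialized-use report. The comment should state the actual predicate, e.g. `... an SSA name that has SSA_NAME_IS_DEFAULT_DEF and whose SSA_NAME_VAR is a VAR_DECL ...`, and say that every other case keeps its initial value. The function starts before and continues after the hunk.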
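Review bot: The retained TODO ("should this definitely be the case for poisoned values?") is now answered by the check added directly below it, so the two adjacent comments in eval_condition_without_cm contradict each other: the first still claims equality for identical svalues, the second returns TS_UNKNOWN for poisoned and unknown ones. I would merge them into one comment, e.g. `/* If we have the same svalue2, then we have equality (apart from NaN-handling), unless it is poisoned or unknown, in which case nothing can be known. */`. Only `lhs` is tested here, which is sufficient only if this code sits inside a `lhs == rhs` branch as the context comment suggests; that condition is outside the hunk, and it is worth stating in the comment because the matching guard in constraint_manager2::eval_condition tests both operands.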