1/* Strict aliasing checks. 2 Copyright (C) 2007 Free Software Foundation, Inc. 3 Contributed by Silvius Rus <rus@google.com>. 4 5 This file is part of GCC. 6 7 GCC is free software; you can redistribute it and/or modify 8 it under the terms of the GNU General Public License as published by 9 the Free Software Foundation; either version 2, or (at your option) 10 any later version. 11 12 GCC is distributed in the hope that it will be useful, 13 but WITHOUT ANY WARRANTY; without even the implied warranty of 14 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the 15 GNU General Public License for more details. 16 17 You should have received a copy of the GNU General Public License 18 along with GCC; see the file COPYING. If not, write to 19 the Free Software Foundation, 51 Franklin Street, Fifth Floor, 20 Boston, MA 02110-1301, USA. */ 21 22#include "config.h" 23#include "system.h" 24#include "coretypes.h" 25#include "tm.h" 26#include "alloc-pool.h" 27#include "tree.h" 28#include "tree-dump.h" 29#include "tree-flow.h" 30#include "params.h" 31#include "function.h" 32#include "expr.h" 33#include "toplev.h" 34#include "diagnostic.h" 35#include "tree-ssa-structalias.h" 36#include "tree-ssa-propagate.h" 37#include "langhooks.h" 38 39/* Module to issue a warning when a program uses data through a type 40 different from the type through which the data were defined. 41 Implements -Wstrict-aliasing and -Wstrict-aliasing=n. 42 These checks only happen when -fstrict-aliasing is present. 43 44 The idea is to use the compiler to identify occurrences of nonstandard 45 aliasing, and report them to programmers. Programs free of such aliasing 46 are more portable, maintainable, and can usually be optimized better. 47 48 The current, as of April 2007, C and C++ language standards forbid 49 accessing data of type A through an lvalue of another type B, 50 with certain exceptions. See the C Standard ISO/IEC 9899:1999, 51 section 6.5, paragraph 7, and the C++ Standard ISO/IEC 14882:1998, 52 section 3.10, paragraph 15. 53 54 Example 1:*a is used as int but was defined as a float, *b. 55 int* a = ...; 56 float* b = reinterpret_cast<float*> (a); 57 *b = 2.0; 58 return *a 59 60 Unfortunately, the problem is in general undecidable if we take into 61 account arithmetic expressions such as array indices or pointer arithmetic. 62 (It is at least as hard as Peano arithmetic decidability.) 63 Even ignoring arithmetic, the problem is still NP-hard, because it is 64 at least as hard as flow-insensitive may-alias analysis, which was proved 65 NP-hard by Horwitz et al, TOPLAS 1997. 66 67 It is clear that we need to choose some heuristics. 68 Unfortunately, various users have different goals which correspond to 69 different time budgets so a common approach will not suit all. 70 We present the user with three effort/accuracy levels. By accuracy, we mean 71 a common-sense mix of low count of false positives with a 72 reasonably low number of false negatives. We are heavily biased 73 towards a low count of false positives. 74 The effort (compilation time) is likely to increase with the level. 75 76 -Wstrict-aliasing=1 77 =================== 78 Most aggressive, least accurate. Possibly useful when higher levels 79 do not warn but -fstrict-aliasing still breaks the code, as 80 it has very few false negatives. 81 Warn for all bad pointer conversions, even if never dereferenced. 82 Implemented in the front end (c-common.c). 83 Uses alias_sets_might_conflict to compare types. 84 85 -Wstrict-aliasing=2 86 =================== 87 Aggressive, not too precise. 88 May still have many false positives (not as many as level 1 though), 89 and few false negatives (but possibly more than level 1). 90 Runs only in the front end. Uses alias_sets_might_conflict to 91 compare types. Does not check for pointer dereferences. 92 Only warns when an address is taken. Warns about incomplete type punning. 93 94 -Wstrict-aliasing=3 (default) 95 =================== 96 Should have very few false positives and few false negatives. 97 Takes care of the common punn+dereference pattern in the front end: 98 *(int*)&some_float. 99 Takes care of multiple statement cases in the back end, 100 using flow-sensitive points-to information (-O required). 101 Uses alias_sets_conflict_p to compare types and only warns 102 when the converted pointer is dereferenced. 103 Does not warn about incomplete type punning. 104 105 Future improvements can be included by adding higher levels. 106 107 In summary, expression level analysis is performed in the front-end, 108 and multiple-statement analysis is performed in the backend. 109 The remainder of this discussion is only about the backend analysis. 110 111 This implementation uses flow-sensitive points-to information. 112 Flow-sensitivity refers to accesses to the pointer, and not the object 113 pointed. For instance, we do not warn about the following case. 114 115 Example 2. 116 int* a = (int*)malloc (...); 117 float* b = reinterpret_cast<float*> (a); 118 *b = 2.0; 119 a = (int*)malloc (...); 120 return *a; 121 122 In SSA, it becomes clear that the INT value *A_2 referenced in the 123 return statement is not aliased to the FLOAT defined through *B_1. 124 int* a_1 = (int*)malloc (...); 125 float* b_1 = reinterpret_cast<float*> (a_1); 126 *b_1 = 2.0; 127 a_2 = (int*)malloc (...); 128 return *a_2; 129 130 131 Algorithm Outline 132 ================= 133 134 ForEach (ptr, object) in the points-to table 135 If (incompatible_types (*ptr, object)) 136 If (referenced (ptr, current function) 137 and referenced (object, current function)) 138 Issue warning (ptr, object, reference locations) 139 140 The complexity is: 141 O (sizeof (points-to table) 142 + sizeof (function body) * lookup_time (points-to table)) 143 144 Pointer dereference locations are looked up on demand. The search is 145 a single scan of the function body, in which all references to pointers 146 and objects in the points-to table are recorded. However, this dominant 147 time factor occurs rarely, only when cross-type aliasing was detected. 148 149 150 Limitations of the Proposed Implementation 151 ========================================== 152 153 1. We do not catch the following case, because -fstrict-aliasing will 154 associate different tags with MEM while building points-to information, 155 thus before we get to analyze it. 156 XXX: this could be solved by either running with -fno-strict-aliasing 157 or by recording the points-to information before splitting the orignal 158 tag based on type. 159 160 Example 3. 161 void* mem = malloc (...); 162 int* pi = reinterpret_cast<int*> (mem); 163 float* b = reinterpret_cast<float*> (mem); 164 *b = 2.0; 165 return *pi+1; 166 167 2. We do not check whether the two conflicting (de)references can 168 reach each other in the control flow sense. If we fixed limitation 169 1, we would wrongly issue a warning in the following case. 170 171 Example 4. 172 void* raw = malloc (...); 173 if (...) { 174 float* b = reinterpret_cast<float*> (raw); 175 *b = 2.0; 176 return (int)*b; 177 } else { 178 int* a = reinterpret_cast<int*> (raw); 179 *a = 1; 180 return *a; 181 182 3. Only simple types are compared, thus no structures, unions or classes 183 are analyzed. A first attempt to deal with structures introduced much 184 complication and has not showed much improvement in preliminary tests, 185 so it was left out. 186 187 4. All analysis is intraprocedural. */ 188 189 190/* Local declarations. */ 191static void find_references_in_function (void); 192 193 194 195/* Get main type of tree TYPE, stripping array dimensions and qualifiers. */ 196 197static tree 198get_main_type (tree type) 199{ 200 while (TREE_CODE (type) == ARRAY_TYPE) 201 type = TREE_TYPE (type); 202 return TYPE_MAIN_VARIANT (type); 203} 204 205 206/* Get the type of the given object. If IS_PTR is true, get the type of the 207 object pointed to or referenced by OBJECT instead. 208 For arrays, return the element type. Ignore all qualifiers. */ 209 210static tree 211get_otype (tree object, bool is_ptr) 212{ 213 tree otype = TREE_TYPE (object); 214 215 if (is_ptr) 216 { 217 gcc_assert (POINTER_TYPE_P (otype)); 218 otype = TREE_TYPE (otype); 219 } 220 return get_main_type (otype); 221} 222 223 224/* Return true if tree TYPE is struct, class or union. */ 225 226static bool 227struct_class_union_p (tree type) 228{ 229 return (TREE_CODE (type) == RECORD_TYPE 230 || TREE_CODE (type) == UNION_TYPE 231 || TREE_CODE (type) == QUAL_UNION_TYPE); 232} 233 234 235 236/* Keep data during a search for an aliasing site. 237 RHS = object or pointer aliased. No LHS is specified because we are only 238 looking in the UseDef paths of a given variable, so LHS will always be 239 an SSA name of the same variable. 240 When IS_RHS_POINTER = true, we are looking for ... = RHS. Otherwise, 241 we are looking for ... = &RHS. 242 SITE is the output of a search, non-NULL if the search succeeded. */ 243 244struct alias_match 245{ 246 tree rhs; 247 bool is_rhs_pointer; 248 tree site; 249}; 250 251 252/* Callback for find_alias_site. Return true if the right hand site 253 of STMT matches DATA. */ 254 255static bool 256find_alias_site_helper (tree var ATTRIBUTE_UNUSED, tree stmt, void *data) 257{ 258 struct alias_match *match = (struct alias_match *) data; 259 tree rhs_pointer = get_rhs (stmt); 260 tree to_match = NULL_TREE; 261 262 while (TREE_CODE (rhs_pointer) == NOP_EXPR 263 || TREE_CODE (rhs_pointer) == CONVERT_EXPR 264 || TREE_CODE (rhs_pointer) == VIEW_CONVERT_EXPR) 265 rhs_pointer = TREE_OPERAND (rhs_pointer, 0); 266 267 if (!rhs_pointer) 268 /* Not a type conversion. */ 269 return false; 270 271 if (TREE_CODE (rhs_pointer) == ADDR_EXPR && !match->is_rhs_pointer) 272 to_match = TREE_OPERAND (rhs_pointer, 0); 273 else if (POINTER_TYPE_P (rhs_pointer) && match->is_rhs_pointer) 274 to_match = rhs_pointer; 275 276 if (to_match != match->rhs) 277 /* Type conversion, but not a name match. */ 278 return false; 279 280 /* Found it. */ 281 match->site = stmt; 282 return true; 283} 284 285 286/* Find the statement where OBJECT1 gets aliased to OBJECT2. 287 If IS_PTR2 is true, consider OBJECT2 to be the name of a pointer or 288 reference rather than the actual aliased object. 289 For now, just implement the case where OBJECT1 is an SSA name defined 290 by a PHI statement. */ 291 292static tree 293find_alias_site (tree object1, bool is_ptr1 ATTRIBUTE_UNUSED, 294 tree object2, bool is_ptr2) 295{ 296 struct alias_match match; 297 298 match.rhs = object2; 299 match.is_rhs_pointer = is_ptr2; 300 match.site = NULL_TREE; 301 302 if (TREE_CODE (object1) != SSA_NAME) 303 return NULL_TREE; 304 305 walk_use_def_chains (object1, find_alias_site_helper, &match, false); 306 return match.site; 307} 308 309 310/* Structure to store temporary results when trying to figure out whether 311 an object is referenced. Just its presence in the text is not enough, 312 as we may just be taking its address. */ 313 314struct match_info 315{ 316 tree object; 317 bool is_ptr; 318 /* The difference between the number of references to OBJECT 319 and the number of occurences of &OBJECT. */ 320 int found; 321}; 322 323 324/* Return the base if EXPR is an SSA name. Return EXPR otherwise. */ 325 326static tree 327get_ssa_base (tree expr) 328{ 329 if (TREE_CODE (expr) == SSA_NAME) 330 return SSA_NAME_VAR (expr); 331 else 332 return expr; 333} 334 335 336/* Record references to objects and pointer dereferences across some piece of 337 code. The number of references is recorded for each item. 338 References to an object just to take its address are not counted. 339 For instance, if PTR is a pointer and OBJ is an object: 340 1. Expression &obj + *ptr will have the following reference match structure: 341 ptrs: <ptr, 1> 342 objs: <ptr, 1> 343 OBJ does not appear as referenced because we just take its address. 344 2. Expression ptr + *ptr will have the following reference match structure: 345 ptrs: <ptr, 1> 346 objs: <ptr, 2> 347 PTR shows up twice as an object, but is dereferenced only once. 348 349 The elements of the hash tables are tree_map objects. */ 350struct reference_matches 351{ 352 htab_t ptrs; 353 htab_t objs; 354}; 355 356 357/* Return the match, if any. Otherwise, return NULL_TREE. It will 358 return NULL_TREE even when a match was found, if the value associated 359 to KEY is NULL_TREE. */ 360 361static inline tree 362match (htab_t ref_map, tree key) 363{ 364 struct tree_map to_find; 365 struct tree_map *found; 366 void **slot = NULL; 367 368 to_find.from = key; 369 to_find.hash = htab_hash_pointer (key); 370 slot = htab_find_slot (ref_map, &to_find, NO_INSERT); 371 372 if (!slot) 373 return NULL_TREE; 374 375 found = (struct tree_map *) *slot; 376 return found->to; 377} 378 379 380/* Set the entry corresponding to KEY, but only if the entry 381 already exists and its value is NULL_TREE. Otherwise, do nothing. */ 382 383static inline void 384maybe_add_match (htab_t ref_map, struct tree_map *key) 385{ 386 struct tree_map *found = htab_find (ref_map, key); 387 388 if (found && !found->to) 389 found->to = key->to; 390} 391 392 393/* Add an entry to HT, with key T and value NULL_TREE. */ 394 395static void 396add_key (htab_t ht, tree t, alloc_pool references_pool) 397{ 398 void **slot; 399 struct tree_map *tp = pool_alloc (references_pool); 400 401 tp->from = t; 402 tp->to = NULL_TREE; 403 tp->hash = htab_hash_pointer(tp->from); 404 405 slot = htab_find_slot (ht, tp, INSERT); 406 *slot = (void *) tp; 407} 408 409 410/* Some memory to keep the objects in the reference table. */ 411 412static alloc_pool ref_table_alloc_pool = NULL; 413 414 415/* Get some memory to keep the objects in the reference table. */ 416 417static inline alloc_pool 418reference_table_alloc_pool (bool build) 419{ 420 if (ref_table_alloc_pool || !build) 421 return ref_table_alloc_pool; 422 423 ref_table_alloc_pool = 424 create_alloc_pool ("ref_table_alloc_pool", sizeof (struct tree_map), 20); 425 426 return ref_table_alloc_pool; 427} 428 429 430/* Initialize the reference table by adding all pointers in the points-to 431 table as keys, and NULL_TREE as associated values. */ 432 433static struct reference_matches * 434build_reference_table (void) 435{ 436 unsigned int i; 437 struct reference_matches *ref_table = NULL; 438 alloc_pool references_pool = reference_table_alloc_pool (true); 439 440 ref_table = XNEW (struct reference_matches); 441 ref_table->objs = htab_create (10, tree_map_hash, tree_map_eq, NULL); 442 ref_table->ptrs = htab_create (10, tree_map_hash, tree_map_eq, NULL); 443 444 for (i = 1; i < num_ssa_names; i++) 445 { 446 tree ptr = ssa_name (i); 447 struct ptr_info_def *pi; 448 449 if (ptr == NULL_TREE) 450 continue; 451 452 pi = SSA_NAME_PTR_INFO (ptr); 453 454 if (!SSA_NAME_IN_FREE_LIST (ptr) && pi && pi->name_mem_tag) 455 { 456 /* Add pointer to the interesting dereference list. */ 457 add_key (ref_table->ptrs, ptr, references_pool); 458 459 /* Add all aliased names to the interesting reference list. */ 460 if (pi->pt_vars) 461 { 462 unsigned ix; 463 bitmap_iterator bi; 464 465 EXECUTE_IF_SET_IN_BITMAP (pi->pt_vars, 0, ix, bi) 466 { 467 tree alias = referenced_var (ix); 468 add_key (ref_table->objs, alias, references_pool); 469 } 470 } 471 } 472 } 473 474 return ref_table; 475} 476 477 478/* Reference table. */ 479 480static struct reference_matches *ref_table = NULL; 481 482 483/* Clean up the reference table if allocated. */ 484 485static void 486maybe_free_reference_table (void) 487{ 488 if (ref_table) 489 { 490 htab_delete (ref_table->ptrs); 491 htab_delete (ref_table->objs); 492 free (ref_table); 493 ref_table = NULL; 494 } 495 496 if (ref_table_alloc_pool) 497 { 498 free_alloc_pool (ref_table_alloc_pool); 499 ref_table_alloc_pool = NULL; 500 } 501} 502 503 504/* Get the reference table. Initialize it if needed. */ 505 506static inline struct reference_matches * 507reference_table (bool build) 508{ 509 if (ref_table || !build) 510 return ref_table; 511 512 ref_table = build_reference_table (); 513 find_references_in_function (); 514 return ref_table; 515} 516 517 518/* Callback for find_references_in_function. 519 Check whether *TP is an object reference or pointer dereference for the 520 variables given in ((struct match_info*)DATA)->OBJS or 521 ((struct match_info*)DATA)->PTRS. The total number of references 522 is stored in the same structures. */ 523 524static tree 525find_references_in_tree_helper (tree *tp, 526 int *walk_subtrees ATTRIBUTE_UNUSED, 527 void *data) 528{ 529 struct tree_map match; 530 static int parent_tree_code = ERROR_MARK; 531 532 /* Do not report references just for the purpose of taking an address. 533 XXX: we rely on the fact that the tree walk is in preorder 534 and that ADDR_EXPR is not a leaf, thus cannot be carried over across 535 walks. */ 536 if (parent_tree_code == ADDR_EXPR) 537 goto finish; 538 539 match.to = (tree) data; 540 541 if (TREE_CODE (*tp) == INDIRECT_REF) 542 { 543 match.from = TREE_OPERAND (*tp, 0); 544 match.hash = htab_hash_pointer (match.from); 545 maybe_add_match (reference_table (true)->ptrs, &match); 546 } 547 else 548 { 549 match.from = *tp; 550 match.hash = htab_hash_pointer (match.from); 551 maybe_add_match (reference_table (true)->objs, &match); 552 } 553 554finish: 555 parent_tree_code = TREE_CODE (*tp); 556 return NULL_TREE; 557} 558 559 560/* Find all the references to aliased variables in the current function. */ 561 562static void 563find_references_in_function (void) 564{ 565 basic_block bb; 566 block_stmt_iterator i; 567 568 FOR_EACH_BB (bb) 569 for (i = bsi_start (bb); !bsi_end_p (i); bsi_next (&i)) 570 walk_tree (bsi_stmt_ptr (i), find_references_in_tree_helper, 571 (void *) *bsi_stmt_ptr (i), NULL); 572} 573 574 575/* Find the reference site for OBJECT. 576 If IS_PTR is true, look for derferences of OBJECT instead. 577 XXX: only the first site is returned in the current 578 implementation. If there are no matching sites, return NULL_TREE. */ 579 580static tree 581reference_site (tree object, bool is_ptr) 582{ 583 if (is_ptr) 584 return match (reference_table (true)->ptrs, object); 585 else 586 return match (reference_table (true)->objs, object); 587} 588 589 590/* Try to get more location info when something is missing. 591 OBJECT1 and OBJECT2 are aliased names. If IS_PTR1 or IS_PTR2, the alias 592 is on the memory referenced or pointed to by OBJECT1 and OBJECT2. 593 ALIAS_SITE, DEREF_SITE1 and DEREF_SITE2 are the statements where the 594 alias takes place (some pointer assignment usually) and where the 595 alias is referenced through OBJECT1 and OBJECT2 respectively. 596 REF_TYPE1 and REF_TYPE2 will return the type of the reference at the 597 respective sites. Only the first matching reference is returned for 598 each name. If no statement is found, the function header is returned. */ 599 600static void 601maybe_find_missing_stmts (tree object1, bool is_ptr1, 602 tree object2, bool is_ptr2, 603 tree *alias_site, 604 tree *deref_site1, 605 tree *deref_site2) 606{ 607 if (object1 && object2) 608 { 609 if (!*alias_site || !EXPR_HAS_LOCATION (*alias_site)) 610 *alias_site = find_alias_site (object1, is_ptr1, object2, is_ptr2); 611 612 if (!*deref_site1 || !EXPR_HAS_LOCATION (*deref_site1)) 613 *deref_site1 = reference_site (object1, is_ptr1); 614 615 if (!*deref_site2 || !EXPR_HAS_LOCATION (*deref_site2)) 616 *deref_site2 = reference_site (object2, is_ptr2); 617 } 618 619 /* If we could not find the alias site, set it to one of the dereference 620 sites, if available. */ 621 if (!*alias_site) 622 { 623 if (*deref_site1) 624 *alias_site = *deref_site1; 625 else if (*deref_site2) 626 *alias_site = *deref_site2; 627 } 628 629 /* If we could not find the dereference sites, set them to the alias site, 630 if known. */ 631 if (!*deref_site1 && *alias_site) 632 *deref_site1 = *alias_site; 633 if (!*deref_site2 && *alias_site) 634 *deref_site2 = *alias_site; 635} 636 637 638/* Callback for find_first_artificial_name. 639 Find out if there are no artificial names at tree node *T. */ 640 641static tree 642ffan_walker (tree *t, 643 int *go_below ATTRIBUTE_UNUSED, 644 void *data ATTRIBUTE_UNUSED) 645{ 646 if (TREE_CODE (*t) == VAR_DECL || TREE_CODE (*t) == PARM_DECL) 647 if (DECL_ARTIFICIAL (*t)) 648 return *t; 649 650 return NULL_TREE; 651} 652 653/* Return the first artificial name within EXPR, or NULL_TREE if 654 none exists. */ 655 656static tree 657find_first_artificial_name (tree expr) 658{ 659 return walk_tree_without_duplicates (&expr, ffan_walker, NULL); 660} 661 662 663/* Get a name from the original program for VAR. */ 664 665static const char * 666get_var_name (tree var) 667{ 668 if (TREE_CODE (var) == SSA_NAME) 669 return get_var_name (get_ssa_base (var)); 670 671 if (find_first_artificial_name (var)) 672 return "{unknown}"; 673 674 if (TREE_CODE (var) == VAR_DECL || TREE_CODE (var) == PARM_DECL) 675 if (DECL_NAME (var)) 676 return IDENTIFIER_POINTER (DECL_NAME (var)); 677 678 return "{unknown}"; 679} 680 681 682/* Return true if VAR contains an artificial name. */ 683 684static bool 685contains_artificial_name_p (tree var) 686{ 687 if (TREE_CODE (var) == SSA_NAME) 688 return contains_artificial_name_p (get_ssa_base (var)); 689 690 return find_first_artificial_name (var) != NULL_TREE; 691} 692 693 694/* Return "*" if OBJECT is not the actual alias but a pointer to it, or 695 "" otherwise. 696 IS_PTR is true when OBJECT is not the actual alias. 697 In addition to checking IS_PTR, we also make sure that OBJECT is a pointer 698 since IS_PTR would also be true for C++ references, but we should only 699 print a * before a pointer and not before a reference. */ 700 701static const char * 702get_maybe_star_prefix (tree object, bool is_ptr) 703{ 704 gcc_assert (object); 705 return (is_ptr 706 && TREE_CODE (TREE_TYPE (object)) == POINTER_TYPE) ? "*" : ""; 707} 708 709 710/* Callback for contains_node_type_p. 711 Returns true if *T has tree code *(int*)DATA. */ 712 713static tree 714contains_node_type_p_callback (tree *t, 715 int *go_below ATTRIBUTE_UNUSED, 716 void *data) 717{ 718 return ((int) TREE_CODE (*t) == *((int *) data)) ? *t : NULL_TREE; 719} 720 721 722/* Return true if T contains a node with tree code TYPE. */ 723 724static bool 725contains_node_type_p (tree t, int type) 726{ 727 return (walk_tree_without_duplicates (&t, contains_node_type_p_callback, 728 (void *) &type) 729 != NULL_TREE); 730} 731 732 733/* Return true if a warning was issued in the front end at STMT. */ 734 735static bool 736already_warned_in_frontend_p (tree stmt) 737{ 738 tree rhs_pointer; 739 740 if (stmt == NULL_TREE) 741 return false; 742 743 rhs_pointer = get_rhs (stmt); 744 745 if ((TREE_CODE (rhs_pointer) == NOP_EXPR 746 || TREE_CODE (rhs_pointer) == CONVERT_EXPR 747 || TREE_CODE (rhs_pointer) == VIEW_CONVERT_EXPR) 748 && TREE_NO_WARNING (rhs_pointer)) 749 return true; 750 else 751 return false; 752} 753 754 755/* Return true if and only if TYPE is a function or method pointer type, 756 or pointer to a pointer to ... to a function or method. */ 757 758static bool 759is_method_pointer (tree type) 760{ 761 while (TREE_CODE (type) == POINTER_TYPE) 762 type = TREE_TYPE (type); 763 return TREE_CODE (type) == METHOD_TYPE || TREE_CODE (type) == FUNCTION_TYPE; 764} 765 766 767/* Issue a -Wstrict-aliasing warning. 768 OBJECT1 and OBJECT2 are aliased names. 769 If IS_PTR1 and/or IS_PTR2 is true, then the corresponding name 770 OBJECT1/OBJECT2 is a pointer or reference to the aliased memory, 771 rather than actual storage. 772 ALIAS_SITE is a statement where the alias took place. In the most common 773 case, that is where a pointer was assigned to the address of an object. */ 774 775static bool 776strict_aliasing_warn (tree alias_site, 777 tree object1, bool is_ptr1, 778 tree object2, bool is_ptr2, 779 bool filter_artificials) 780{ 781 tree ref_site1 = NULL_TREE; 782 tree ref_site2 = NULL_TREE; 783 const char *name1; 784 const char *name2; 785 location_t alias_loc; 786 location_t ref1_loc; 787 location_t ref2_loc; 788 gcc_assert (object1); 789 gcc_assert (object2); 790 791 if (contains_artificial_name_p (object1) 792 || contains_artificial_name_p (object2)) 793 return false; 794 795 name1 = get_var_name (object1); 796 name2 = get_var_name (object2); 797 798 if (is_method_pointer (get_main_type (TREE_TYPE (object2)))) 799 return false; 800 801 maybe_find_missing_stmts (object1, is_ptr1, object2, is_ptr2, &alias_site, 802 &ref_site1, &ref_site2); 803 804 if (!alias_site) 805 return false; 806 807 if (EXPR_HAS_LOCATION (alias_site)) 808 alias_loc = EXPR_LOCATION (alias_site); 809 else 810 return false; 811 812 if (EXPR_HAS_LOCATION (ref_site1)) 813 ref1_loc = EXPR_LOCATION (ref_site1); 814 else 815 ref1_loc = alias_loc; 816 817 if (EXPR_HAS_LOCATION (ref_site2)) 818 ref2_loc = EXPR_LOCATION (ref_site2); 819 else 820 ref2_loc = alias_loc; 821 822 if (already_warned_in_frontend_p (alias_site)) 823 return false; 824 825 /* If they are not SSA names, but contain SSA names, drop the warning 826 because it cannot be displayed well. 827 Also drop it if they both contain artificials. 828 XXX: this is a hack, must figure out a better way to display them. */ 829 if (filter_artificials) 830 if ((find_first_artificial_name (get_ssa_base (object1)) 831 && find_first_artificial_name (get_ssa_base (object2))) 832 || (TREE_CODE (object1) != SSA_NAME 833 && contains_node_type_p (object1, SSA_NAME)) 834 || (TREE_CODE (object2) != SSA_NAME 835 && contains_node_type_p (object2, SSA_NAME))) 836 return false; 837 838 /* XXX: In the following format string, %s:%d should be replaced by %H. 839 However, in my tests only the first %H printed ok, while the 840 second and third were printed as blanks. */ 841 warning (OPT_Wstrict_aliasing, 842 "%Hlikely type-punning may break strict-aliasing rules: " 843 "object %<%s%s%> of main type %qT is referenced at or around " 844 "%s:%d and may be " 845 "aliased to object %<%s%s%> of main type %qT which is referenced " 846 "at or around %s:%d.", 847 &alias_loc, 848 get_maybe_star_prefix (object1, is_ptr1), 849 name1, get_otype (object1, is_ptr1), 850 LOCATION_FILE (ref1_loc), LOCATION_LINE (ref1_loc), 851 get_maybe_star_prefix (object2, is_ptr2), 852 name2, get_otype (object2, is_ptr2), 853 LOCATION_FILE (ref2_loc), LOCATION_LINE (ref2_loc)); 854 855 return true; 856} 857 858 859 860/* Return true when any objects of TYPE1 and TYPE2 respectively 861 may not be aliased according to the language standard. */ 862 863static bool 864nonstandard_alias_types_p (tree type1, tree type2) 865{ 866 HOST_WIDE_INT set1; 867 HOST_WIDE_INT set2; 868 869 if (VOID_TYPE_P (type1) || VOID_TYPE_P (type2)) 870 return false; 871 872 set1 = get_alias_set (type1); 873 set2 = get_alias_set (type2); 874 return !alias_sets_conflict_p (set1, set2); 875} 876 877 878 879/* Returns true if the given name is a struct field tag (SFT). */ 880 881static bool 882struct_field_tag_p (tree var) 883{ 884 return TREE_CODE (var) == STRUCT_FIELD_TAG; 885} 886 887 888/* Returns true when *PTR may not be aliased to ALIAS. 889 See C standard 6.5p7 and C++ standard 3.10p15. 890 If PTR_PTR is true, ALIAS represents a pointer or reference to the 891 aliased storage rather than its actual name. */ 892 893static bool 894nonstandard_alias_p (tree ptr, tree alias, bool ptr_ptr) 895{ 896 /* Find the types to compare. */ 897 tree ptr_type = get_otype (ptr, true); 898 tree alias_type = get_otype (alias, ptr_ptr); 899 900 /* XXX: for now, say it's OK if the alias escapes. 901 Not sure this is needed in general, but otherwise GCC will not 902 bootstrap. */ 903 if (var_ann (get_ssa_base (alias))->escape_mask != NO_ESCAPE) 904 return false; 905 906 /* XXX: don't get into structures for now. It brings much complication 907 and little benefit. */ 908 if (struct_class_union_p (ptr_type) || struct_class_union_p (alias_type)) 909 return false; 910 911 /* XXX: In 4.2.1, field resolution in alias is not as good as in pre-4.3 912 This fixes problems found during the backport, where a pointer to the 913 first field of a struct appears to be aliased to the whole struct. */ 914 if (struct_field_tag_p (alias)) 915 return false; 916 917 /* If they are both SSA names of artificials, let it go, the warning 918 is too confusing. */ 919 if (find_first_artificial_name (ptr) && find_first_artificial_name (alias)) 920 return false; 921 922 /* Compare the types. */ 923 return nonstandard_alias_types_p (ptr_type, alias_type); 924} 925 926 927/* Return true when we should skip analysis for pointer PTR based on the 928 fact that their alias information *PI is not considered relevant. */ 929 930static bool 931skip_this_pointer (tree ptr ATTRIBUTE_UNUSED, struct ptr_info_def *pi) 932{ 933 /* If it is not dereferenced, it is not a problem (locally). */ 934 if (!pi->is_dereferenced) 935 return true; 936 937 /* This would probably cause too many false positives. */ 938 if (pi->value_escapes_p || pi->pt_anything) 939 return true; 940 941 return false; 942} 943 944 945/* Find aliasing to named objects for pointer PTR. */ 946 947static void 948dsa_named_for (tree ptr) 949{ 950 struct ptr_info_def *pi = SSA_NAME_PTR_INFO (ptr); 951 952 if (pi) 953 { 954 if (skip_this_pointer (ptr, pi)) 955 return; 956 957 /* For all the variables it could be aliased to. */ 958 if (pi->pt_vars) 959 { 960 unsigned ix; 961 bitmap_iterator bi; 962 963 EXECUTE_IF_SET_IN_BITMAP (pi->pt_vars, 0, ix, bi) 964 { 965 tree alias = referenced_var (ix); 966 967 if (is_global_var (alias)) 968 continue; 969 970 if (nonstandard_alias_p (ptr, alias, false)) 971 strict_aliasing_warn (SSA_NAME_DEF_STMT (ptr), 972 ptr, true, alias, false, true); 973 } 974 } 975 } 976} 977 978 979/* Detect and report strict aliasing violation of named objects. */ 980 981static void 982detect_strict_aliasing_named (void) 983{ 984 unsigned int i; 985 986 for (i = 1; i < num_ssa_names; i++) 987 { 988 tree ptr = ssa_name (i); 989 struct ptr_info_def *pi; 990 991 if (ptr == NULL_TREE) 992 continue; 993 994 pi = SSA_NAME_PTR_INFO (ptr); 995 996 if (!SSA_NAME_IN_FREE_LIST (ptr) && pi && pi->name_mem_tag) 997 dsa_named_for (ptr); 998 } 999} 1000 1001 1002/* Return false only the first time I see each instance of FUNC. */ 1003 1004static bool 1005processed_func_p (tree func) 1006{ 1007 static htab_t seen = NULL; 1008 void **slot; 1009 1010 if (!seen) 1011 seen = htab_create (100, htab_hash_pointer, htab_eq_pointer, NULL); 1012 1013 slot = htab_find_slot (seen, func, INSERT); 1014 gcc_assert (slot); 1015 1016 if (*slot) 1017 return true; 1018 1019 *slot = func; 1020 return false; 1021} 1022 1023 1024/* Detect and warn about type-punning using points-to information. */ 1025 1026void 1027strict_aliasing_warning_backend (void) 1028{ 1029 if (!(flag_strict_aliasing 1030 && warn_strict_aliasing == 3 1031 && !processed_func_p (current_function_decl))) 1032 return; 1033 1034 detect_strict_aliasing_named (); 1035 maybe_free_reference_table (); 1036} 1037