Whilst debugging the remaining state explosion in PR analyzer/93355
I noticed that half of the states at an exploding program point had:
  'malloc': {'&buf': 'non-heap'}
whereas the other half didn't, presumably depending on whether the path
to each enode had used this local buffer:
  char buf[400];

This patch tweaks malloc_state_machine::get_default_state to be smarter
about this, so that we can implicitly treat pointers to decls as
non-heap, preventing pointless differences between sm_state_map
instances.  With that, all of the states in question have equal (empty)
malloc sm-state - though the state explosion continues for other reasons.

Successfully bootstrapped & regrtested on x86_64-pc-linux-gnu.
Pushed to master as 15e7b93ba4256884c90198c678ed7eded4e73464.

gcc/analyzer/ChangeLog:
        PR analyzer/93355
        * sm-malloc.cc (malloc_state_machine::get_default_state): Look at
        the base region when considering pointers.  Treat pointers to
        decls as being non-heap.
---
 gcc/analyzer/sm-malloc.cc | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/gcc/analyzer/sm-malloc.cc b/gcc/analyzer/sm-malloc.cc
index 90d1da14586..12b2383e4a7 100644
--- a/gcc/analyzer/sm-malloc.cc
+++ b/gcc/analyzer/sm-malloc.cc
@@ -183,7 +183,9 @@ public:
     if (const region_svalue *ptr = sval->dyn_cast_region_svalue ())
       {
        const region *reg = ptr->get_pointee ();
-       if (reg->get_kind () == RK_STRING)
+       const region *base_reg = reg->get_base_region ();
+       if (base_reg->get_kind () == RK_DECL
+           || base_reg->get_kind () == RK_STRING)
          return m_non_heap;
       }
     return m_start;
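Review bot: The switch from checking the pointee's kind to checking its base region deserves a one-line comment in the hunk, since the reason (a pointer into a field, element or offset of a local such as `buf` should be classified the same as a pointer to the decl itself) is only stated in the cover text, not in the code; something like `/* Look at the base region so that pointers into a decl are also non-heap.  */` above `const region *base_reg = reg->get_base_region ();` would make it self-explanatory. Note also that this widens the existing RK_STRING case: it now matches pointers into the middle of a string literal rather than only pointers to the literal itself, which looks intended but is not mentioned in the ChangeLog entry.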
-- 
2.26.2