Line data Source code
1 : /* Warn on problematic uses of alloca and variable length arrays.
2 : Copyright (C) 2016-2026 Free Software Foundation, Inc.
3 : Contributed by Aldy Hernandez <aldyh@redhat.com>.
4 :
5 : This file is part of GCC.
6 :
7 : GCC is free software; you can redistribute it and/or modify it under
8 : the terms of the GNU General Public License as published by the Free
9 : Software Foundation; either version 3, or (at your option) any later
10 : version.
11 :
12 : GCC is distributed in the hope that it will be useful, but WITHOUT ANY
13 : WARRANTY; without even the implied warranty of MERCHANTABILITY or
14 : FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
15 : for more details.
16 :
17 : You should have received a copy of the GNU General Public License
18 : along with GCC; see the file COPYING3. If not see
19 : <http://www.gnu.org/licenses/>. */
20 :
21 : #include "config.h"
22 : #include "system.h"
23 : #include "coretypes.h"
24 : #include "backend.h"
25 : #include "tree.h"
26 : #include "gimple.h"
27 : #include "tree-pass.h"
28 : #include "ssa.h"
29 : #include "gimple-pretty-print.h"
30 : #include "diagnostic-core.h"
31 : #include "fold-const.h"
32 : #include "gimple-iterator.h"
33 : #include "tree-ssa.h"
34 : #include "tree-cfg.h"
35 : #include "builtins.h"
36 : #include "calls.h"
37 : #include "cfgloop.h"
38 : #include "intl.h"
39 : #include "gimple-range.h"
40 :
41 : static unsigned HOST_WIDE_INT adjusted_warn_limit (bool);
42 :
43 : const pass_data pass_data_walloca = {
44 : GIMPLE_PASS,
45 : "walloca",
46 : OPTGROUP_NONE,
47 : TV_NONE,
48 : PROP_cfg, // properties_required
49 : 0, // properties_provided
50 : 0, // properties_destroyed
51 : 0, // properties_start
52 : 0, // properties_finish
53 : };
54 :
55 : class pass_walloca : public gimple_opt_pass
56 : {
57 : public:
58 571444 : pass_walloca (gcc::context *ctxt)
59 1142888 : : gimple_opt_pass(pass_data_walloca, ctxt), xlimit_certain_p (false)
60 : {}
61 285722 : opt_pass *clone () final override { return new pass_walloca (m_ctxt); }
62 571444 : void set_pass_param (unsigned int n, bool param) final override
63 : {
64 571444 : gcc_assert (n == 0);
65 : // Set to true to enable only warnings for alloca calls that
66 : // are certainly in excess of the limit. This includes calls
67 : // with constant arguments but excludes those in ranges (that
68 : // can only be determined by range analysis) as well as
69 : // the "may be too large" kind.
70 571444 : xlimit_certain_p = param;
71 571444 : }
72 : bool gate (function *) final override;
73 : unsigned int execute (function *) final override;
74 :
75 : private:
76 : // Set to TRUE the first time we run this pass on a function.
77 : bool xlimit_certain_p;
78 : };
79 :
80 : bool
81 3890148 : pass_walloca::gate (function *fun ATTRIBUTE_UNUSED)
82 : {
83 : // Warning is disabled when its size limit is greater than PTRDIFF_MAX
84 : // for the target maximum, which makes the limit negative since when
85 : // represented in signed HOST_WIDE_INT.
86 3890148 : unsigned HOST_WIDE_INT max = tree_to_uhwi (TYPE_MAX_VALUE (ptrdiff_type_node));
87 3890148 : return (adjusted_warn_limit (false) <= max
88 3890148 : || adjusted_warn_limit (true) <= max);
89 : }
90 :
91 : // Possible problematic uses of alloca.
92 : enum alloca_type {
93 : // Alloca argument is within known bounds that are appropriate.
94 : ALLOCA_OK,
95 :
96 : // Alloca argument is KNOWN to have a value that is too large.
97 : ALLOCA_BOUND_DEFINITELY_LARGE,
98 :
99 : // Alloca argument may be too large.
100 : ALLOCA_BOUND_MAYBE_LARGE,
101 :
102 : // Alloca appears in a loop.
103 : ALLOCA_IN_LOOP,
104 :
105 : // Alloca argument is 0.
106 : ALLOCA_ARG_IS_ZERO,
107 :
108 : // Alloca call is unbounded. That is, there is no controlling
109 : // predicate for its argument.
110 : ALLOCA_UNBOUNDED
111 : };
112 :
113 : // Type of an alloca call with its corresponding limit, if applicable.
114 99494 : class alloca_type_and_limit {
115 : public:
116 : enum alloca_type type;
117 : // For ALLOCA_BOUND_MAYBE_LARGE and ALLOCA_BOUND_DEFINITELY_LARGE
118 : // types, this field indicates the assumed limit if known or
119 : // integer_zero_node if unknown. For any other alloca types, this
120 : // field is undefined.
121 : wide_int limit;
122 : alloca_type_and_limit ();
123 71 : alloca_type_and_limit (enum alloca_type type,
124 142 : wide_int i) : type(type), limit(i) { }
125 99425 : alloca_type_and_limit (enum alloca_type type) : type(type)
126 : {
127 99425 : limit = wi::to_wide (integer_zero_node);
128 99425 : }
129 : };
130 :
131 : /* Return TRUE if the user specified a limit for either VLAs or ALLOCAs. */
132 :
133 : static bool
134 46276 : warn_limit_specified_p (bool is_vla)
135 : {
136 46276 : unsigned HOST_WIDE_INT max = is_vla ? warn_vla_limit : warn_alloca_limit;
137 46276 : return max != HOST_WIDE_INT_MAX;
138 : }
139 :
140 : /* Return the value of the argument N to -Walloca-larger-than= or
141 : -Wvla-larger-than= adjusted for the target data model so that
142 : when N == HOST_WIDE_INT_MAX, the adjusted value is set to
143 : PTRDIFF_MAX on the target. This is done to prevent warnings
144 : for unknown/unbounded allocations in the "permissive mode"
145 : while still diagnosing excessive and necessarily invalid
146 : allocations. */
147 :
148 : static unsigned HOST_WIDE_INT
149 3996576 : adjusted_warn_limit (bool idx)
150 : {
151 3996576 : static HOST_WIDE_INT limits[2];
152 3996576 : if (limits[idx])
153 3776736 : return limits[idx];
154 :
155 219840 : limits[idx] = idx ? warn_vla_limit : warn_alloca_limit;
156 219840 : if (limits[idx] != HOST_WIDE_INT_MAX)
157 50 : return limits[idx];
158 :
159 219790 : limits[idx] = tree_to_shwi (TYPE_MAX_VALUE (ptrdiff_type_node));
160 219790 : return limits[idx];
161 : }
162 :
163 : // Analyze the alloca call in STMT and return the alloca type with its
164 : // corresponding limit (if applicable). IS_VLA is set if the alloca
165 : // call was created by the gimplifier for a VLA.
166 :
167 : static class alloca_type_and_limit
168 53214 : alloca_call_type (gimple *stmt, bool is_vla)
169 : {
170 53214 : gcc_assert (gimple_alloca_call_p (stmt));
171 53214 : tree len = gimple_call_arg (stmt, 0);
172 :
173 53214 : gcc_assert (!is_vla || warn_vla_limit >= 0);
174 47966 : gcc_assert (is_vla || warn_alloca_limit >= 0);
175 :
176 : // Adjust warn_alloca_max_size for VLAs, by taking the underlying
177 : // type into account.
178 53214 : unsigned HOST_WIDE_INT max_size = adjusted_warn_limit (is_vla);
179 :
180 : // Check for the obviously bounded case.
181 53214 : if (TREE_CODE (len) == INTEGER_CST)
182 : {
183 6934 : if (tree_to_uhwi (len) > max_size)
184 23 : return alloca_type_and_limit (ALLOCA_BOUND_DEFINITELY_LARGE,
185 23 : wi::to_wide (len));
186 6911 : if (integer_zerop (len))
187 : {
188 28 : const offset_int maxobjsize
189 28 : = wi::to_offset (max_object_size ());
190 28 : alloca_type result = (max_size < maxobjsize
191 28 : ? ALLOCA_ARG_IS_ZERO : ALLOCA_OK);
192 28 : return alloca_type_and_limit (result);
193 : }
194 :
195 6883 : return alloca_type_and_limit (ALLOCA_OK);
196 : }
197 :
198 46280 : struct alloca_type_and_limit ret = alloca_type_and_limit (ALLOCA_OK);
199 : // If we have a declared maximum size, we can take it into account.
200 46280 : if (gimple_call_builtin_p (stmt, BUILT_IN_ALLOCA_WITH_ALIGN_AND_MAX))
201 : {
202 4 : tree arg = gimple_call_arg (stmt, 2);
203 4 : if (compare_tree_int (arg, max_size) <= 0)
204 2 : ret = alloca_type_and_limit (ALLOCA_OK);
205 : else
206 : {
207 2 : const offset_int maxobjsize
208 2 : = wi::to_offset (max_object_size ());
209 2 : alloca_type result = (max_size < maxobjsize
210 2 : ? ALLOCA_BOUND_MAYBE_LARGE : ALLOCA_OK);
211 2 : ret = alloca_type_and_limit (result, wi::to_wide (arg));
212 : }
213 4 : return ret;
214 : }
215 :
216 : // If the user specified a limit, use it.
217 46276 : int_range_max r;
218 46276 : if (warn_limit_specified_p (is_vla)
219 82 : && TREE_CODE (len) == SSA_NAME
220 82 : && types_compatible_p (TREE_TYPE (len), size_type_node)
221 164 : && get_range_query (cfun)->range_of_expr (r, len, stmt)
222 46358 : && !r.varying_p ())
223 : {
224 : // The invalid bits are anything outside of [0, MAX_SIZE].
225 70 : int_range<2> invalid_range (size_type_node,
226 140 : wi::shwi (0, TYPE_PRECISION (size_type_node)),
227 70 : wi::shwi (max_size, TYPE_PRECISION (size_type_node)),
228 70 : VR_ANTI_RANGE);
229 :
230 70 : r.intersect (invalid_range);
231 70 : if (r.undefined_p ())
232 24 : return alloca_type_and_limit (ALLOCA_OK);
233 :
234 46 : return alloca_type_and_limit (ALLOCA_BOUND_MAYBE_LARGE,
235 46 : wi::to_wide (integer_zero_node));
236 70 : }
237 :
238 46206 : const offset_int maxobjsize = tree_to_shwi (max_object_size ());
239 : /* When MAX_SIZE is greater than or equal to PTRDIFF_MAX treat
240 : allocations that aren't visibly constrained as OK, otherwise
241 : report them as (potentially) unbounded. */
242 46206 : alloca_type unbounded_result = (max_size < maxobjsize.to_uhwi ()
243 46206 : ? ALLOCA_UNBOUNDED : ALLOCA_OK);
244 46206 : return alloca_type_and_limit (unbounded_result);
245 92556 : }
246 :
247 : // Return TRUE if STMT is in a loop, otherwise return FALSE.
248 :
249 : static bool
250 47897 : in_loop_p (gimple *stmt)
251 : {
252 47897 : basic_block bb = gimple_bb (stmt);
253 47897 : return
254 47897 : bb->loop_father && bb->loop_father->header != ENTRY_BLOCK_PTR_FOR_FN (cfun);
255 : }
256 :
257 : unsigned int
258 3889942 : pass_walloca::execute (function *fun)
259 : {
260 3889942 : enable_ranger (fun);
261 3889942 : basic_block bb;
262 31570102 : FOR_EACH_BB_FN (bb, fun)
263 : {
264 205609428 : for (gimple_stmt_iterator si = gsi_start_bb (bb); !gsi_end_p (si);
265 150249108 : gsi_next (&si))
266 : {
267 150249108 : gimple *stmt = gsi_stmt (si);
268 150249108 : if (!gimple_alloca_call_p (stmt))
269 150195894 : continue;
270 :
271 53219 : location_t loc = gimple_nonartificial_location (stmt);
272 53219 : loc = expansion_point_location_if_in_system_header (loc);
273 :
274 53219 : const bool is_vla
275 53219 : = gimple_call_alloca_for_var_p (as_a <gcall *> (stmt));
276 :
277 : // Strict mode whining for VLAs is handled by the front-end,
278 : // so we can safely ignore this case. Also, ignore VLAs if
279 : // the user doesn't care about them.
280 53219 : if (is_vla)
281 : {
282 5251 : if (warn_vla > 0 || warn_vla_limit < 0)
283 3 : continue;
284 : }
285 47968 : else if (warn_alloca)
286 : {
287 2 : warning_at (loc, OPT_Walloca, "use of %<alloca%>");
288 2 : continue;
289 : }
290 47966 : else if (warn_alloca_limit < 0)
291 0 : continue;
292 :
293 53214 : class alloca_type_and_limit t
294 53214 : = alloca_call_type (stmt, is_vla);
295 :
296 53214 : unsigned HOST_WIDE_INT adjusted_alloca_limit
297 53214 : = adjusted_warn_limit (false);
298 : // Even if we think the alloca call is OK, make sure it's not in a
299 : // loop, except for a VLA, since VLAs are guaranteed to be cleaned
300 : // up when they go out of scope, including in a loop.
301 53214 : if (t.type == ALLOCA_OK && !is_vla && in_loop_p (stmt))
302 : {
303 : /* As in other instances, only diagnose this when the limit
304 : is less than the maximum valid object size. */
305 44 : const offset_int maxobjsize
306 44 : = wi::to_offset (max_object_size ());
307 44 : if (adjusted_alloca_limit < maxobjsize.to_uhwi ())
308 2 : t = alloca_type_and_limit (ALLOCA_IN_LOOP);
309 : }
310 :
311 47966 : enum opt_code wcode
312 53214 : = is_vla ? OPT_Wvla_larger_than_ : OPT_Walloca_larger_than_;
313 53214 : char buff[WIDE_INT_MAX_INL_PRECISION / 4 + 4];
314 53214 : switch (t.type)
315 : {
316 : case ALLOCA_OK:
317 : break;
318 48 : case ALLOCA_BOUND_MAYBE_LARGE:
319 48 : {
320 48 : if (xlimit_certain_p)
321 : break;
322 :
323 22 : auto_diagnostic_group d;
324 41 : if (warning_at (loc, wcode,
325 : (is_vla
326 : ? G_("argument to variable-length "
327 : "array may be too large")
328 : : G_("argument to %<alloca%> may be too "
329 : "large")))
330 22 : && t.limit != 0)
331 : {
332 1 : gcc_assert (t.limit.get_len () < WIDE_INT_MAX_INL_ELTS);
333 1 : print_decu (t.limit, buff);
334 1 : inform (loc, "limit is %wu bytes, but argument "
335 : "may be as large as %s",
336 0 : is_vla ? warn_vla_limit : adjusted_alloca_limit,
337 : buff);
338 : }
339 22 : }
340 22 : break;
341 23 : case ALLOCA_BOUND_DEFINITELY_LARGE:
342 23 : {
343 23 : auto_diagnostic_group d;
344 42 : if (warning_at (loc, wcode,
345 : (is_vla
346 : ? G_("argument to variable-length"
347 : " array is too large")
348 : : G_("argument to %<alloca%> is too large")))
349 23 : && t.limit != 0)
350 : {
351 23 : gcc_assert (t.limit.get_len () < WIDE_INT_MAX_INL_ELTS);
352 23 : print_decu (t.limit, buff);
353 27 : inform (loc, "limit is %wu bytes, but argument is %s",
354 4 : is_vla ? warn_vla_limit : adjusted_alloca_limit,
355 : buff);
356 : }
357 23 : }
358 23 : break;
359 12 : case ALLOCA_UNBOUNDED:
360 12 : if (xlimit_certain_p)
361 : break;
362 :
363 5 : warning_at (loc, wcode,
364 : (is_vla
365 : ? G_("unbounded use of variable-length array")
366 : : G_("unbounded use of %<alloca%>")));
367 3 : break;
368 2 : case ALLOCA_IN_LOOP:
369 2 : gcc_assert (!is_vla);
370 2 : warning_at (loc, wcode,
371 : "use of %<alloca%> within a loop");
372 2 : break;
373 3 : case ALLOCA_ARG_IS_ZERO:
374 6 : warning_at (loc, wcode,
375 : (is_vla
376 : ? G_("argument to variable-length array "
377 : "is zero")
378 : : G_("argument to %<alloca%> is zero")));
379 3 : break;
380 0 : default:
381 0 : gcc_unreachable ();
382 : }
383 53214 : }
384 : }
385 3889942 : disable_ranger (fun);
386 3889942 : return 0;
387 : }
388 :
389 : gimple_opt_pass *
390 285722 : make_pass_walloca (gcc::context *ctxt)
391 : {
392 285722 : return new pass_walloca (ctxt);
393 : }
|
