1	/* Pass to detect and issue warnings for violations of the restrict
2	qualifier.
3	Copyright (C) 2017-2024 Free Software Foundation, Inc.
4	Contributed by Martin Sebor <msebor@redhat.com>.
5
6	This file is part of GCC.
7
8	GCC is free software; you can redistribute it and/or modify it under
9	the terms of the GNU General Public License as published by the Free
10	Software Foundation; either version 3, or (at your option) any later
11	version.
12
13	GCC is distributed in the hope that it will be useful, but WITHOUT ANY
14	WARRANTY; without even the implied warranty of MERCHANTABILITY or
15	FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
16	for more details.
17
18	You should have received a copy of the GNU General Public License
19	along with GCC; see the file COPYING3. If not see
20	<http://www.gnu.org/licenses/>. */
21
22	#include "config.h"
23	#include "system.h"
24	#include "coretypes.h"
25	#include "backend.h"
26	#include "tree.h"
27	#include "gimple.h"
28	#include "tree-pass.h"
29	#include "pointer-query.h"
30	#include "ssa.h"
31	#include "gimple-pretty-print.h"
32	#include "gimple-ssa-warn-access.h"
33	#include "gimple-ssa-warn-restrict.h"
34	#include "diagnostic-core.h"
35	#include "fold-const.h"
36	#include "gimple-iterator.h"
37	#include "tree-dfa.h"
38	#include "tree-ssa.h"
39	#include "tree-cfg.h"
40	#include "tree-object-size.h"
41	#include "calls.h"
42	#include "cfgloop.h"
43	#include "intl.h"
44	#include "gimple-range.h"
45
46	namespace {
47
48	const pass_data pass_data_wrestrict = {
49	.type: GIMPLE_PASS,
50	.name: "wrestrict",
51	.optinfo_flags: OPTGROUP_NONE,
52	.tv_id: TV_NONE,
53	PROP_cfg, /* Properties_required. */
54	.properties_provided: 0, /* properties_provided. */
55	.properties_destroyed: 0, /* properties_destroyed. */
56	.todo_flags_start: 0, /* properties_start */
57	.todo_flags_finish: 0, /* properties_finish */
58	};
59
60	/* Pass to detect violations of strict aliasing requirements in calls
61	to built-in string and raw memory functions. */
62	class pass_wrestrict : public gimple_opt_pass
63	{
64	public:
65	pass_wrestrict (gcc::context *);
66
67	bool gate (function *) final override;
68	unsigned int execute (function *) final override;
69
70	void check_call (gimple *);
71
72	void check_block (basic_block);
73
74	/* A pointer_query object to store information about pointers and
75	their targets in. */
76	pointer_query m_ptr_qry;
77	};
78
79	pass_wrestrict::pass_wrestrict (gcc::context *ctxt)
80	: gimple_opt_pass (pass_data_wrestrict, ctxt),
81	m_ptr_qry ()
82	{ }
83
84	bool
85	pass_wrestrict::gate (function *fun ATTRIBUTE_UNUSED)
86	{
87	return warn_array_bounds || warn_restrict || warn_stringop_overflow;
88	}
89
90	void
91	pass_wrestrict::check_block (basic_block bb)
92	{
93	/* Iterate over statements, looking for function calls. */
94	for (auto si = gsi_start_bb (bb); !gsi_end_p (i: si); gsi_next (i: &si))
95	{
96	gimple *stmt = gsi_stmt (i: si);
97	if (!is_gimple_call (gs: stmt))
98	continue;
99
100	check_call (stmt);
101	}
102	}
103
104	unsigned
105	pass_wrestrict::execute (function *fun)
106	{
107	/* Create a new ranger instance and associate it with FUN. */
108	m_ptr_qry.rvals = enable_ranger (m: fun);
109
110	basic_block bb;
111	FOR_EACH_BB_FN (bb, fun)
112	check_block (bb);
113
114	m_ptr_qry.flush_cache ();
115
116	/* Release the ranger instance and replace it with a global ranger.
117	Also reset the pointer since calling disable_ranger() deletes it. */
118	disable_ranger (fun);
119	m_ptr_qry.rvals = NULL;
120
121	return 0;
122	}
123
124	/* Description of a memory reference by a built-in function. This
125	is similar to ao_ref but made especially suitable for -Wrestrict
126	and not for optimization. */
127	class builtin_memref
128	{
129	public:
130	/* The original pointer argument to the built-in function. */
131	tree ptr;
132	/* The referenced subobject or NULL if not available, and the base
133	object of the memory reference or NULL. */
134	tree ref;
135	tree base;
136
137	/* The size of the BASE object, PTRDIFF_MAX if indeterminate,
138	and negative until (possibly lazily) initialized. */
139	offset_int basesize;
140	/* Same for the subobject. */
141	offset_int refsize;
142
143	/* The non-negative offset of the referenced subobject. Used to avoid
144	warnings for (apparently) possibly but not definitively overlapping
145	accesses to member arrays. Negative when unknown/invalid. */
146	offset_int refoff;
147
148	/* The offset range relative to the base. */
149	offset_int offrange[2];
150	/* The size range of the access to this reference. */
151	offset_int sizrange[2];
152
153	/* Cached result of get_max_objsize(). */
154	const offset_int maxobjsize;
155
156	/* True for "bounded" string functions like strncat, and strncpy
157	and their variants that specify either an exact or upper bound
158	on the size of the accesses they perform. For strncat both
159	the source and destination references are bounded. For strncpy
160	only the destination reference is. */
161	bool strbounded_p;
162
163	builtin_memref (pointer_query &, gimple *, tree, tree);
164
165	tree offset_out_of_bounds (int, offset_int[3]) const;
166
167	private:
168	/* Call statement to the built-in. */
169	gimple *stmt;
170
171	pointer_query &m_ptr_qry;
172
173	/* Ctor helper to set or extend OFFRANGE based on argument. */
174	void extend_offset_range (tree);
175
176	/* Ctor helper to determine BASE and OFFRANGE from argument. */
177	void set_base_and_offset (tree);
178	};
179
180	/* Description of a memory access by a raw memory or string built-in
181	function involving a pair of builtin_memref's. */
182	class builtin_access
183	{
184	public:
185	/* Destination and source memory reference. */
186	builtin_memref* const dstref;
187	builtin_memref* const srcref;
188	/* The size range of the access. It's the greater of the accesses
189	to the two references. */
190	HOST_WIDE_INT sizrange[2];
191
192	/* The minimum and maximum offset of an overlap of the access
193	(if it does, in fact, overlap), and the size of the overlap. */
194	HOST_WIDE_INT ovloff[2];
195	HOST_WIDE_INT ovlsiz[2];
196
197	/* True to consider valid only accesses to the smallest subobject
198	and false for raw memory functions. */
199	bool strict () const
200	{
201	return (detect_overlap != &builtin_access::generic_overlap
202	&& detect_overlap != &builtin_access::no_overlap);
203	}
204
205	builtin_access (pointer_query &, gimple *,
206	builtin_memref &, builtin_memref &);
207
208	/* Entry point to determine overlap. */
209	bool overlap ();
210
211	offset_int write_off (tree) const;
212
213	void dump (FILE *) const;
214
215	private:
216	/* Implementation functions used to determine overlap. */
217	bool generic_overlap ();
218	bool strcat_overlap ();
219	bool strcpy_overlap ();
220
221	bool no_overlap ()
222	{
223	return false;
224	}
225
226	offset_int overlap_size (const offset_int [2], const offset_int[2],
227	offset_int [2]);
228
229	private:
230	/* Temporaries used to compute the final result. */
231	offset_int dstoff[2];
232	offset_int srcoff[2];
233	offset_int dstsiz[2];
234	offset_int srcsiz[2];
235
236	/* Pointer to a member function to call to determine overlap. */
237	bool (builtin_access::*detect_overlap) ();
238	};
239
240	/* Initialize a memory reference representation from a pointer EXPR and
241	a size SIZE in bytes. If SIZE is NULL_TREE then the size is assumed
242	to be unknown. STMT is the statement in which expr appears in. */
243
244	builtin_memref::builtin_memref (pointer_query &ptrqry, gimple *stmt, tree expr,
245	tree size)
246	: ptr (expr),
247	ref (),
248	base (),
249	basesize (-1),
250	refsize (-1),
251	refoff (HOST_WIDE_INT_MIN),
252	offrange (),
253	sizrange (),
254	maxobjsize (tree_to_shwi (max_object_size ())),
255	strbounded_p (),
256	stmt (stmt),
257	m_ptr_qry (ptrqry)
258	{
259	/* Unfortunately, wide_int default ctor is a no-op so array members
260	of the type must be set individually. */
261	offrange[0] = offrange[1] = 0;
262	sizrange[0] = sizrange[1] = 0;
263
264	if (!expr)
265	return;
266
267	/* Find the BASE object or pointer referenced by EXPR and set
268	the offset range OFFRANGE in the process. */
269	set_base_and_offset (expr);
270
271	if (size)
272	{
273	tree range[2];
274	/* Determine the size range, allowing for the result to be [0, 0]
275	for SIZE in the anti-range ~[0, N] where N >= PTRDIFF_MAX. */
276	get_size_range (m_ptr_qry.rvals, size, stmt, range, SR_ALLOW_ZERO);
277	sizrange[0] = wi::to_offset (t: range[0]);
278	sizrange[1] = wi::to_offset (t: range[1]);
279	/* get_size_range returns SIZE_MAX for the maximum size.
280	Constrain it to the real maximum of PTRDIFF_MAX. */
281	if (sizrange[0] <= maxobjsize && sizrange[1] > maxobjsize)
282	sizrange[1] = maxobjsize;
283	}
284	else
285	sizrange[1] = maxobjsize;
286
287	if (!DECL_P (base))
288	return;
289
290	/* If the offset could be in the range of the referenced object
291	constrain its bounds so neither exceeds those of the object. */
292	if (offrange[0] < 0 && offrange[1] > 0)
293	offrange[0] = 0;
294
295	offset_int maxoff = maxobjsize;
296	tree basetype = TREE_TYPE (base);
297	if (TREE_CODE (basetype) == ARRAY_TYPE)
298	{
299	if (ref && array_ref_flexible_size_p (ref))
300	; /* Use the maximum possible offset for an array that might
301	have flexible size. */
302	else if (tree basesize = TYPE_SIZE_UNIT (basetype))
303	if (TREE_CODE (basesize) == INTEGER_CST)
304	/* Size could be non-constant for a variable-length type such
305	as a struct with a VLA member (a GCC extension). */
306	maxoff = wi::to_offset (t: basesize);
307	}
308
309	if (offrange[0] >= 0)
310	{
311	if (offrange[1] < 0)
312	offrange[1] = offrange[0] <= maxoff ? maxoff : maxobjsize;
313	else if (offrange[0] <= maxoff && offrange[1] > maxoff)
314	offrange[1] = maxoff;
315	}
316	}
317
318	/* Based on the initial length of the destination STARTLEN, returns
319	the offset of the first write access from the beginning of
320	the destination. Nonzero only for strcat-type of calls. */
321
322	offset_int builtin_access::write_off (tree startlen) const
323	{
324	if (detect_overlap != &builtin_access::strcat_overlap
325	|| !startlen || TREE_CODE (startlen) != INTEGER_CST)
326	return 0;
327
328	return wi::to_offset (t: startlen);
329	}
330
331	/* Ctor helper to set or extend OFFRANGE based on the OFFSET argument.
332	Pointer offsets are represented as unsigned sizetype but must be
333	treated as signed. */
334
335	void
336	builtin_memref::extend_offset_range (tree offset)
337	{
338	if (TREE_CODE (offset) == INTEGER_CST)
339	{
340	offset_int off = int_cst_value (offset);
341	if (off != 0)
342	{
343	offrange[0] += off;
344	offrange[1] += off;
345	}
346	return;
347	}
348
349	if (TREE_CODE (offset) == SSA_NAME)
350	{
351	/* A pointer offset is represented as sizetype but treated
352	as signed. */
353	wide_int min, max;
354	value_range_kind rng = VR_VARYING;
355	value_range vr;
356	if (m_ptr_qry.rvals->range_of_expr (r&: vr, expr: offset, stmt))
357	{
358	tree vr_min, vr_max;
359	rng = get_legacy_range (vr, min&: vr_min, max&: vr_max);
360	if (!vr.undefined_p ())
361	{
362	min = wi::to_wide (t: vr_min);
363	max = wi::to_wide (t: vr_max);
364	}
365	}
366
367	if (rng == VR_ANTI_RANGE && wi::lts_p (x: max, y: min))
368	{
369	/* Convert an anti-range whose upper bound is less than
370	its lower bound to a signed range. */
371	offrange[0] += offset_int::from (x: max + 1, sgn: SIGNED);
372	offrange[1] += offset_int::from (x: min - 1, sgn: SIGNED);
373	return;
374	}
375
376	if (rng == VR_RANGE
377	&& (DECL_P (base) || wi::lts_p (x: min, y: max)))
378	{
379	/* Preserve the bounds of the range for an offset into
380	a known object (it may be adjusted later relative to
381	a constant offset from its beginning). Otherwise use
382	the bounds only when they are ascending when treated
383	as signed. */
384	offrange[0] += offset_int::from (x: min, sgn: SIGNED);
385	offrange[1] += offset_int::from (x: max, sgn: SIGNED);
386	return;
387	}
388
389	/* Handle an anti-range the same as no range at all. */
390	gimple *stmt = SSA_NAME_DEF_STMT (offset);
391	tree type;
392	if (is_gimple_assign (gs: stmt)
393	&& (type = TREE_TYPE (gimple_assign_rhs1 (stmt)))
394	&& INTEGRAL_TYPE_P (type)
395	&& TYPE_PRECISION (type) <= TYPE_PRECISION (TREE_TYPE (offset)))
396	{
397	tree_code code = gimple_assign_rhs_code (gs: stmt);
398	if (code == NOP_EXPR)
399	{
400	/* Use the bounds of the type of the NOP_EXPR operand
401	even if it's signed. The result doesn't trigger
402	warnings but makes their output more readable. */
403	offrange[0] += wi::to_offset (TYPE_MIN_VALUE (type));
404	offrange[1] += wi::to_offset (TYPE_MAX_VALUE (type));
405	return;
406	}
407	}
408	}
409
410	const offset_int maxoff = tree_to_shwi (max_object_size ()) >> 1;
411	const offset_int minoff = -maxoff - 1;
412
413	offrange[0] += minoff;
414	offrange[1] += maxoff;
415	}
416
417	/* Determines the base object or pointer of the reference EXPR
418	and the offset range from the beginning of the base. */
419
420	void
421	builtin_memref::set_base_and_offset (tree expr)
422	{
423	tree offset = NULL_TREE;
424
425	if (TREE_CODE (expr) == SSA_NAME)
426	{
427	/* Try to tease the offset out of the pointer. */
428	gimple *stmt = SSA_NAME_DEF_STMT (expr);
429	if (!base
430	&& gimple_assign_single_p (gs: stmt)
431	&& gimple_assign_rhs_code (gs: stmt) == ADDR_EXPR)
432	expr = gimple_assign_rhs1 (gs: stmt);
433	else if (is_gimple_assign (gs: stmt))
434	{
435	tree_code code = gimple_assign_rhs_code (gs: stmt);
436	if (CONVERT_EXPR_CODE_P (code))
437	{
438	tree rhs = gimple_assign_rhs1 (gs: stmt);
439	if (POINTER_TYPE_P (TREE_TYPE (rhs)))
440	expr = gimple_assign_rhs1 (gs: stmt);
441	else
442	{
443	base = expr;
444	return;
445	}
446	}
447	else if (code == POINTER_PLUS_EXPR)
448	{
449	expr = gimple_assign_rhs1 (gs: stmt);
450	offset = gimple_assign_rhs2 (gs: stmt);
451	}
452	else
453	{
454	base = expr;
455	return;
456	}
457	}
458	else
459	{
460	/* FIXME: Handle PHI nodes in case like:
461	_12 = &MEM[(void *)&a + 2B] + _10;
462
463	<bb> [local count: 1073741824]:
464	# prephitmp_13 = PHI <_12, &MEM[(void *)&a + 2B]>
465	memcpy (prephitmp_13, p_7(D), 6); */
466	base = expr;
467	return;
468	}
469	}
470
471	if (TREE_CODE (expr) == ADDR_EXPR)
472	expr = TREE_OPERAND (expr, 0);
473
474	/* Stash the reference for offset validation. */
475	ref = expr;
476
477	poly_int64 bitsize, bitpos;
478	tree var_off;
479	machine_mode mode;
480	int sign, reverse, vol;
481
482	/* Determine the base object or pointer of the reference and
483	the constant bit offset from the beginning of the base.
484	If the offset has a non-constant component, it will be in
485	VAR_OFF. MODE, SIGN, REVERSE, and VOL are write only and
486	unused here. */
487	base = get_inner_reference (expr, &bitsize, &bitpos, &var_off,
488	&mode, &sign, &reverse, &vol);
489
490	/* get_inner_reference is not expected to return null. */
491	gcc_assert (base != NULL);
492
493	if (offset)
494	extend_offset_range (offset);
495
496	poly_int64 bytepos = exact_div (a: bitpos, BITS_PER_UNIT);
497
498	/* Convert the poly_int64 offset to offset_int. The offset
499	should be constant but be prepared for it not to be just in
500	case. */
501	offset_int cstoff;
502	if (bytepos.is_constant (const_value: &cstoff))
503	{
504	offrange[0] += cstoff;
505	offrange[1] += cstoff;
506
507	/* Besides the reference saved above, also stash the offset
508	for validation. */
509	if (TREE_CODE (expr) == COMPONENT_REF)
510	refoff = cstoff;
511	}
512	else
513	offrange[1] += maxobjsize;
514
515	if (var_off)
516	{
517	if (TREE_CODE (var_off) == INTEGER_CST)
518	{
519	cstoff = wi::to_offset (t: var_off);
520	offrange[0] += cstoff;
521	offrange[1] += cstoff;
522	}
523	else
524	offrange[1] += maxobjsize;
525	}
526
527	if (TREE_CODE (base) == MEM_REF)
528	{
529	tree memrefoff = fold_convert (ptrdiff_type_node, TREE_OPERAND (base, 1));
530	extend_offset_range (offset: memrefoff);
531
532	if (refoff != HOST_WIDE_INT_MIN
533	&& TREE_CODE (expr) == COMPONENT_REF)
534	{
535	/* Bump up the offset of the referenced subobject to reflect
536	the offset to the enclosing object. For example, so that
537	in
538	struct S { char a, b[3]; } s[2];
539	strcpy (s[1].b, "1234");
540	REFOFF is set to s[1].b - (char*)s. */
541	offset_int off = tree_to_shwi (memrefoff);
542	refoff += off;
543
544	if (!integer_zerop (memrefoff)
545	&& !COMPLETE_TYPE_P (TREE_TYPE (expr))
546	&& multiple_of_p (sizetype, memrefoff,
547	TYPE_SIZE_UNIT (TREE_TYPE (base)), true))
548	/* A non-zero offset into an array of struct with flexible array
549	members implies that the array is empty because there is no
550	way to initialize such a member when it belongs to an array.
551	This must be some sort of a bug. */
552	refsize = 0;
553	}
554
555	base = TREE_OPERAND (base, 0);
556	}
557
558	if (TREE_CODE (ref) == COMPONENT_REF)
559	if (tree size = component_ref_size (ref))
560	if (TREE_CODE (size) == INTEGER_CST)
561	refsize = wi::to_offset (t: size);
562
563	if (TREE_CODE (base) == SSA_NAME)
564	set_base_and_offset (base);
565	}
566
567	/* Return error_mark_node if the signed offset exceeds the bounds
568	of the address space (PTRDIFF_MAX). Otherwise, return either BASE
569	or REF when the offset exceeds the bounds of the BASE or REF object,
570	and set OOBOFF to the past-the-end offset formed by the reference,
571	including its size. OOBOFF is initially setto the range of offsets,
572	and OOBOFF[2] to the offset of the first write access (nonzero for
573	the strcat family). When STRICT is nonzero use REF size, when
574	available, otherwise use BASE size. When STRICT is greater than 1,
575	use the size of the last array member as the bound, otherwise treat
576	such a member as a flexible array member. Return NULL when the offset
577	is in bounds. */
578
579	tree
580	builtin_memref::offset_out_of_bounds (int strict, offset_int ooboff[3]) const
581	{
582	if (!ptr)
583	return NULL_TREE;
584
585	/* The offset of the first write access or zero. */
586	offset_int wroff = ooboff[2];
587
588	/* A temporary, possibly adjusted, copy of the offset range. */
589	offset_int offrng[2] = { ooboff[0], ooboff[1] };
590
591	if (DECL_P (base) && TREE_CODE (TREE_TYPE (base)) == ARRAY_TYPE)
592	{
593	/* Check for offset in an anti-range with a negative lower bound.
594	For such a range, consider only the non-negative subrange. */
595	if (offrng[1] < offrng[0] && offrng[1] < 0)
596	offrng[1] = maxobjsize;
597	}
598
599	/* Conservative offset of the last byte of the referenced object. */
600	offset_int endoff;
601
602	/* The bounds need not be ordered. Set HIB to use as the index
603	of the larger of the bounds and LOB as the opposite. */
604	bool hib = wi::les_p (x: offrng[0], y: offrng[1]);
605	bool lob = !hib;
606
607	/* Set to the size remaining in the object after subtracting
608	REFOFF. It may become negative as a result of negative indices
609	into the enclosing object, such as in:
610	extern struct S { char a[4], b[3], c[1]; } *p;
611	strcpy (p[-3].b, "123"); */
612	offset_int size = basesize;
613	tree obj = base;
614
615	const bool decl_p = DECL_P (obj);
616
617	if (basesize < 0)
618	{
619	endoff = offrng[lob] + (sizrange[0] - wroff);
620
621	/* For a reference through a pointer to an object of unknown size
622	all initial offsets are considered valid, positive as well as
623	negative, since the pointer itself can point past the beginning
624	of the object. However, the sum of the lower bound of the offset
625	and that of the size must be less than or equal than PTRDIFF_MAX. */
626	if (endoff > maxobjsize)
627	return error_mark_node;
628
629	/* When the referenced subobject is known, the end offset must be
630	within its bounds. Otherwise there is nothing to do. */
631	if (strict
632	&& !decl_p
633	&& ref
634	&& refsize >= 0
635	&& TREE_CODE (ref) == COMPONENT_REF)
636	{
637	/* If REFOFF is negative, SIZE will become negative here. */
638	size = refoff + refsize;
639	obj = ref;
640	}
641	else
642	return NULL_TREE;
643	}
644
645	/* A reference to an object of known size must be within the bounds
646	of either the base object or the subobject (see above for when
647	a subobject can be used). */
648	if ((decl_p && offrng[hib] < 0) || offrng[lob] > size)
649	return obj;
650
651	/* The extent of the reference must also be within the bounds of
652	the base object (if known) or the subobject or the maximum object
653	size otherwise. */
654	endoff = offrng[lob] + sizrange[0];
655	if (endoff > maxobjsize)
656	return error_mark_node;
657
658	if (strict
659	&& decl_p
660	&& ref
661	&& refsize >= 0
662	&& TREE_CODE (ref) == COMPONENT_REF)
663	{
664	/* If the reference is to a member subobject of a declared object,
665	the offset must be within the bounds of the subobject. */
666	size = refoff + refsize;
667	obj = ref;
668	}
669
670	if (endoff <= size)
671	return NULL_TREE;
672
673	/* Set the out-of-bounds offset range to be one greater than
674	that delimited by the reference including its size. */
675	ooboff[lob] = size;
676
677	if (endoff > ooboff[lob])
678	ooboff[hib] = endoff - 1;
679	else
680	ooboff[hib] = offrng[lob] + sizrange[1];
681
682	return obj;
683	}
684
685	/* Create an association between the memory references DST and SRC
686	for access by a call EXPR to a memory or string built-in funtion. */
687
688	builtin_access::builtin_access (pointer_query &ptrqry, gimple *call,
689	builtin_memref &dst,
690	builtin_memref &src)
691	: dstref (&dst), srcref (&src), sizrange (), ovloff (), ovlsiz (),
692	dstoff (), srcoff (), dstsiz (), srcsiz ()
693	{
694	dstoff[0] = dst.offrange[0];
695	dstoff[1] = dst.offrange[1];
696
697	/* Zero out since the offset_int ctors invoked above are no-op. */
698	srcoff[0] = srcoff[1] = 0;
699	dstsiz[0] = dstsiz[1] = 0;
700	srcsiz[0] = srcsiz[1] = 0;
701
702	/* Object Size Type to use to determine the size of the destination
703	and source objects. Overridden below for raw memory functions. */
704	int ostype = 1;
705
706	/* True when the size of one reference depends on the offset of
707	itself or the other. */
708	bool depends_p = true;
709
710	/* True when the size of the destination reference DSTREF has been
711	determined from SRCREF and so needs to be adjusted by the latter's
712	offset. Only meaningful for bounded string functions like strncpy. */
713	bool dstadjust_p = false;
714
715	/* The size argument number (depends on the built-in). */
716	unsigned sizeargno = 2;
717
718	tree func = gimple_call_fndecl (gs: call);
719	switch (DECL_FUNCTION_CODE (decl: func))
720	{
721	case BUILT_IN_MEMCPY:
722	case BUILT_IN_MEMCPY_CHK:
723	case BUILT_IN_MEMPCPY:
724	case BUILT_IN_MEMPCPY_CHK:
725	ostype = 0;
726	depends_p = false;
727	detect_overlap = &builtin_access::generic_overlap;
728	break;
729
730	case BUILT_IN_MEMMOVE:
731	case BUILT_IN_MEMMOVE_CHK:
732	/* For memmove there is never any overlap to check for. */
733	ostype = 0;
734	depends_p = false;
735	detect_overlap = &builtin_access::no_overlap;
736	break;
737
738	case BUILT_IN_MEMSET:
739	case BUILT_IN_MEMSET_CHK:
740	/* For memset there is never any overlap to check for. */
741	ostype = 0;
742	depends_p = false;
743	detect_overlap = &builtin_access::no_overlap;
744	break;
745
746	case BUILT_IN_STPNCPY:
747	case BUILT_IN_STPNCPY_CHK:
748	case BUILT_IN_STRNCPY:
749	case BUILT_IN_STRNCPY_CHK:
750	dstref->strbounded_p = true;
751	detect_overlap = &builtin_access::strcpy_overlap;
752	break;
753
754	case BUILT_IN_STPCPY:
755	case BUILT_IN_STPCPY_CHK:
756	case BUILT_IN_STRCPY:
757	case BUILT_IN_STRCPY_CHK:
758	detect_overlap = &builtin_access::strcpy_overlap;
759	break;
760
761	case BUILT_IN_STRCAT:
762	case BUILT_IN_STRCAT_CHK:
763	detect_overlap = &builtin_access::strcat_overlap;
764	break;
765
766	case BUILT_IN_STRNCAT:
767	case BUILT_IN_STRNCAT_CHK:
768	dstref->strbounded_p = true;
769	srcref->strbounded_p = true;
770	detect_overlap = &builtin_access::strcat_overlap;
771	break;
772
773	default:
774	/* Handle other string functions here whose access may need
775	to be validated for in-bounds offsets and non-overlapping
776	copies. */
777	return;
778	}
779
780	/* Try to determine the size of the base object. compute_objsize
781	expects a pointer so create one if BASE is a non-pointer object. */
782	if (dst.basesize < 0)
783	{
784	access_ref aref;
785	if (ptrqry.get_ref (dst.base, call, &aref, ostype) && aref.base0)
786	dst.basesize = aref.sizrng[1];
787	else
788	dst.basesize = HOST_WIDE_INT_MIN;
789	}
790
791	if (src.base && src.basesize < 0)
792	{
793	access_ref aref;
794	if (ptrqry.get_ref (src.base, call, &aref, ostype) && aref.base0)
795	src.basesize = aref.sizrng[1];
796	else
797	src.basesize = HOST_WIDE_INT_MIN;
798	}
799
800	const offset_int maxobjsize = dst.maxobjsize;
801
802	/* Make adjustments for references to the same object by string
803	built-in functions to reflect the constraints imposed by
804	the function. */
805
806	/* For bounded string functions determine the range of the bound
807	on the access. For others, the range stays unbounded. */
808	offset_int bounds[2] = { maxobjsize, maxobjsize };
809	if (dstref->strbounded_p)
810	{
811	unsigned nargs = gimple_call_num_args (gs: call);
812	if (nargs <= sizeargno)
813	return;
814
815	tree size = gimple_call_arg (gs: call, index: sizeargno);
816	tree range[2];
817	if (get_size_range (ptrqry.rvals, size, call, range, true))
818	{
819	bounds[0] = wi::to_offset (t: range[0]);
820	bounds[1] = wi::to_offset (t: range[1]);
821	}
822
823	/* If both references' size ranges are indeterminate use the last
824	(size) argument from the function call as a substitute. This
825	may only be necessary for strncpy (but not for memcpy where
826	the size range would have been already determined this way). */
827	if (dstref->sizrange[0] == 0 && dstref->sizrange[1] == maxobjsize
828	&& srcref->sizrange[0] == 0 && srcref->sizrange[1] == maxobjsize)
829	{
830	dstref->sizrange[0] = bounds[0];
831	dstref->sizrange[1] = bounds[1];
832	}
833	}
834
835	bool dstsize_set = false;
836	/* The size range of one reference involving the same base object
837	can be determined from the size range of the other reference.
838	This makes it possible to compute accurate offsets for warnings
839	involving functions like strcpy where the length of just one of
840	the two arguments is known (determined by tree-ssa-strlen). */
841	if (dstref->sizrange[0] == 0 && dstref->sizrange[1] == maxobjsize)
842	{
843	/* When the destination size is unknown set it to the size of
844	the source. */
845	dstref->sizrange[0] = srcref->sizrange[0];
846	dstref->sizrange[1] = srcref->sizrange[1];
847	dstsize_set = true;
848	}
849	else if (srcref->sizrange[0] == 0 && srcref->sizrange[1] == maxobjsize)
850	{
851	/* When the size of the source access is unknown set it to the size
852	of the destination first and adjust it later if necessary. */
853	srcref->sizrange[0] = dstref->sizrange[0];
854	srcref->sizrange[1] = dstref->sizrange[1];
855
856	if (depends_p)
857	{
858	if (dstref->strbounded_p)
859	{
860	/* Read access by strncpy is constrained by the third
861	argument but except for a zero bound is at least one. */
862	srcref->sizrange[0] = bounds[1] > 0 ? 1 : 0;
863	offset_int bound = wi::umin (x: srcref->basesize, y: bounds[1]);
864	if (bound < srcref->sizrange[1])
865	srcref->sizrange[1] = bound;
866	}
867	/* For string functions, adjust the size range of the source
868	reference by the inverse boundaries of the offset (because
869	the higher the offset into the string the shorter its
870	length). */
871	if (srcref->offrange[1] >= 0
872	&& srcref->offrange[1] < srcref->sizrange[0])
873	srcref->sizrange[0] -= srcref->offrange[1];
874	else
875	srcref->sizrange[0] = 1;
876
877	if (srcref->offrange[0] > 0)
878	{
879	if (srcref->offrange[0] < srcref->sizrange[1])
880	srcref->sizrange[1] -= srcref->offrange[0];
881	else
882	srcref->sizrange[1] = 0;
883	}
884
885	dstadjust_p = true;
886	}
887	}
888
889	if (detect_overlap == &builtin_access::generic_overlap)
890	{
891	if (dstref->strbounded_p)
892	{
893	dstref->sizrange[0] = bounds[0];
894	dstref->sizrange[1] = bounds[1];
895
896	if (dstref->sizrange[0] < srcref->sizrange[0])
897	srcref->sizrange[0] = dstref->sizrange[0];
898
899	if (dstref->sizrange[1] < srcref->sizrange[1])
900	srcref->sizrange[1] = dstref->sizrange[1];
901	}
902	}
903	else if (detect_overlap == &builtin_access::strcpy_overlap)
904	{
905	if (!dstref->strbounded_p)
906	{
907	/* For strcpy, adjust the destination size range to match that
908	of the source computed above. */
909	if (depends_p && dstadjust_p)
910	{
911	dstref->sizrange[0] = srcref->sizrange[0];
912	dstref->sizrange[1] = srcref->sizrange[1];
913	}
914	}
915	}
916	else if (!dstsize_set && detect_overlap == &builtin_access::strcat_overlap)
917	{
918	dstref->sizrange[0] += srcref->sizrange[0] - 1;
919	dstref->sizrange[1] += srcref->sizrange[1] - 1;
920	}
921
922	if (dstref->strbounded_p)
923	{
924	/* For strncpy, adjust the destination size range to match that
925	of the source computed above. */
926	dstref->sizrange[0] = bounds[0];
927	dstref->sizrange[1] = bounds[1];
928
929	if (bounds[0] < srcref->sizrange[0])
930	srcref->sizrange[0] = bounds[0];
931
932	if (bounds[1] < srcref->sizrange[1])
933	srcref->sizrange[1] = bounds[1];
934	}
935	}
936
937	offset_int
938	builtin_access::overlap_size (const offset_int a[2], const offset_int b[2],
939	offset_int *off)
940	{
941	const offset_int *p = a;
942	const offset_int *q = b;
943
944	/* Point P at the bigger of the two ranges and Q at the smaller. */
945	if (wi::lts_p (x: a[1] - a[0], y: b[1] - b[0]))
946	{
947	p = b;
948	q = a;
949	}
950
951	if (p[0] < q[0])
952	{
953	if (p[1] < q[0])
954	return 0;
955
956	*off = q[0];
957	return wi::smin (x: p[1], y: q[1]) - q[0];
958	}
959
960	if (q[1] < p[0])
961	return 0;
962
963	off[0] = p[0];
964	return q[1] - p[0];
965	}
966
967	/* Return true if the bounded mempry (memcpy amd similar) or string function
968	access (strncpy and similar) ACS overlaps. */
969
970	bool
971	builtin_access::generic_overlap ()
972	{
973	builtin_access &acs = *this;
974	const builtin_memref *dstref = acs.dstref;
975	const builtin_memref *srcref = acs.srcref;
976
977	gcc_assert (dstref->base == srcref->base);
978
979	const offset_int maxobjsize = acs.dstref->maxobjsize;
980
981	offset_int maxsize = dstref->basesize < 0 ? maxobjsize : dstref->basesize;
982
983	/* Adjust the larger bounds of the offsets (which may be the first
984	element if the lower bound is larger than the upper bound) to
985	make them valid for the smallest access (if possible) but no smaller
986	than the smaller bounds. */
987	gcc_assert (wi::les_p (acs.dstoff[0], acs.dstoff[1]));
988
989	if (maxsize < acs.dstoff[1] + acs.dstsiz[0])
990	acs.dstoff[1] = maxsize - acs.dstsiz[0];
991	if (acs.dstoff[1] < acs.dstoff[0])
992	acs.dstoff[1] = acs.dstoff[0];
993
994	gcc_assert (wi::les_p (acs.srcoff[0], acs.srcoff[1]));
995
996	if (maxsize < acs.srcoff[1] + acs.srcsiz[0])
997	acs.srcoff[1] = maxsize - acs.srcsiz[0];
998	if (acs.srcoff[1] < acs.srcoff[0])
999	acs.srcoff[1] = acs.srcoff[0];
1000
1001	/* Determine the minimum and maximum space for the access given
1002	the offsets. */
1003	offset_int space[2];
1004	space[0] = wi::abs (x: acs.dstoff[0] - acs.srcoff[0]);
1005	space[1] = space[0];
1006
1007	offset_int d = wi::abs (x: acs.dstoff[0] - acs.srcoff[1]);
1008	if (acs.srcsiz[0] > 0)
1009	{
1010	if (d < space[0])
1011	space[0] = d;
1012
1013	if (space[1] < d)
1014	space[1] = d;
1015	}
1016	else
1017	space[1] = acs.dstsiz[1];
1018
1019	d = wi::abs (x: acs.dstoff[1] - acs.srcoff[0]);
1020	if (d < space[0])
1021	space[0] = d;
1022
1023	if (space[1] < d)
1024	space[1] = d;
1025
1026	/* Treat raw memory functions both of whose references are bounded
1027	as special and permit uncertain overlaps to go undetected. For
1028	all kinds of constant offset and constant size accesses, if
1029	overlap isn't certain it is not possible. */
1030	bool overlap_possible = space[0] < acs.dstsiz[1];
1031	if (!overlap_possible)
1032	return false;
1033
1034	bool overlap_certain = space[1] < acs.dstsiz[0];
1035
1036	/* True when the size of one reference depends on the offset of
1037	the other. */
1038	bool depends_p = detect_overlap != &builtin_access::generic_overlap;
1039
1040	if (!overlap_certain)
1041	{
1042	if (!dstref->strbounded_p && !depends_p)
1043	/* Memcpy only considers certain overlap. */
1044	return false;
1045
1046	/* There's no way to distinguish an access to the same member
1047	of a structure from one to two distinct members of the same
1048	structure. Give up to avoid excessive false positives. */
1049	tree basetype = TREE_TYPE (dstref->base);
1050
1051	if (POINTER_TYPE_P (basetype))
1052	basetype = TREE_TYPE (basetype);
1053	else
1054	while (TREE_CODE (basetype) == ARRAY_TYPE)
1055	basetype = TREE_TYPE (basetype);
1056
1057	if (RECORD_OR_UNION_TYPE_P (basetype))
1058	return false;
1059	}
1060
1061	/* True for stpcpy and strcpy. */
1062	bool stxcpy_p = (!dstref->strbounded_p
1063	&& detect_overlap == &builtin_access::strcpy_overlap);
1064
1065	if (dstref->refoff >= 0
1066	&& srcref->refoff >= 0
1067	&& dstref->refoff != srcref->refoff
1068	&& (stxcpy_p || dstref->strbounded_p || srcref->strbounded_p))
1069	return false;
1070
1071	offset_int siz[2] = { maxobjsize + 1, 0 };
1072
1073	ovloff[0] = HOST_WIDE_INT_MAX;
1074	ovloff[1] = HOST_WIDE_INT_MIN;
1075
1076	if (stxcpy_p)
1077	{
1078	/* Iterate over the extreme locations (on the horizontal axis formed
1079	by their offsets) and sizes of two regions and find their smallest
1080	and largest overlap and the corresponding offsets. */
1081	for (unsigned i = 0; i != 2; ++i)
1082	{
1083	const offset_int a[2] = {
1084	acs.dstoff[i], acs.dstoff[i] + acs.dstsiz[!i]
1085	};
1086
1087	const offset_int b[2] = {
1088	acs.srcoff[i], acs.srcoff[i] + acs.srcsiz[!i]
1089	};
1090
1091	offset_int off;
1092	offset_int sz = overlap_size (a, b, off: &off);
1093	if (sz < siz[0])
1094	siz[0] = sz;
1095
1096	if (siz[1] <= sz)
1097	siz[1] = sz;
1098
1099	if (sz != 0)
1100	{
1101	if (wi::lts_p (x: off, y: ovloff[0]))
1102	ovloff[0] = off.to_shwi ();
1103	if (wi::lts_p (x: ovloff[1], y: off))
1104	ovloff[1] = off.to_shwi ();
1105	}
1106	}
1107	}
1108	else
1109	{
1110	/* Iterate over the extreme locations (on the horizontal axis
1111	formed by their offsets) and sizes of the two regions and
1112	find their smallest and largest overlap and the corresponding
1113	offsets. */
1114
1115	for (unsigned io = 0; io != 2; ++io)
1116	for (unsigned is = 0; is != 2; ++is)
1117	{
1118	const offset_int a[2] = {
1119	acs.dstoff[io], acs.dstoff[io] + acs.dstsiz[is]
1120	};
1121
1122	for (unsigned jo = 0; jo != 2; ++jo)
1123	for (unsigned js = 0; js != 2; ++js)
1124	{
1125	const offset_int b[2] = {
1126	acs.srcoff[jo], acs.srcoff[jo] + acs.srcsiz[js]
1127	};
1128
1129	offset_int off;
1130	offset_int sz = overlap_size (a, b, off: &off);
1131	if (sz < siz[0])
1132	siz[0] = sz;
1133
1134	if (siz[1] <= sz)
1135	siz[1] = sz;
1136
1137	if (sz != 0)
1138	{
1139	if (wi::lts_p (x: off, y: ovloff[0]))
1140	ovloff[0] = off.to_shwi ();
1141	if (wi::lts_p (x: ovloff[1], y: off))
1142	ovloff[1] = off.to_shwi ();
1143	}
1144	}
1145	}
1146	}
1147
1148	ovlsiz[0] = siz[0].to_shwi ();
1149	ovlsiz[1] = siz[1].to_shwi ();
1150
1151	/* Adjust the overlap offset range to reflect the overlap size range. */
1152	if (ovlsiz[0] == 0 && ovlsiz[1] > 1)
1153	ovloff[1] = ovloff[0] + ovlsiz[1] - 1;
1154
1155	return true;
1156	}
1157
1158	/* Return true if the strcat-like access overlaps. */
1159
1160	bool
1161	builtin_access::strcat_overlap ()
1162	{
1163	builtin_access &acs = *this;
1164	const builtin_memref *dstref = acs.dstref;
1165	const builtin_memref *srcref = acs.srcref;
1166
1167	gcc_assert (dstref->base == srcref->base);
1168
1169	const offset_int maxobjsize = acs.dstref->maxobjsize;
1170
1171	gcc_assert (dstref->base && dstref->base == srcref->base);
1172
1173	/* Adjust for strcat-like accesses. */
1174
1175	/* As a special case for strcat, set the DSTREF offsets to the length
1176	of the destination string since the function starts writing over
1177	its terminating nul, and set the destination size to 1 for the length
1178	of the nul. */
1179	acs.dstoff[0] += dstsiz[0] - srcref->sizrange[0];
1180	acs.dstoff[1] += dstsiz[1] - srcref->sizrange[1];
1181
1182	bool strfunc_unknown_args = acs.dstsiz[0] == 0 && acs.dstsiz[1] != 0;
1183
1184	/* The lower bound is zero when the size is unknown because then
1185	overlap is not certain. */
1186	acs.dstsiz[0] = strfunc_unknown_args ? 0 : 1;
1187	acs.dstsiz[1] = 1;
1188
1189	offset_int maxsize = dstref->basesize < 0 ? maxobjsize : dstref->basesize;
1190
1191	/* For references to the same base object, determine if there's a pair
1192	of valid offsets into the two references such that access between
1193	them doesn't overlap. Adjust both upper bounds to be valid for
1194	the smaller size (i.e., at most MAXSIZE - SIZE). */
1195
1196	if (maxsize < acs.dstoff[1] + acs.dstsiz[0])
1197	acs.dstoff[1] = maxsize - acs.dstsiz[0];
1198
1199	if (maxsize < acs.srcoff[1] + acs.srcsiz[0])
1200	acs.srcoff[1] = maxsize - acs.srcsiz[0];
1201
1202	/* Check to see if there's enough space for both accesses without
1203	overlap. Determine the optimistic (maximum) amount of available
1204	space. */
1205	offset_int space;
1206	if (acs.dstoff[0] <= acs.srcoff[0])
1207	{
1208	if (acs.dstoff[1] < acs.srcoff[1])
1209	space = acs.srcoff[1] + acs.srcsiz[0] - acs.dstoff[0];
1210	else
1211	space = acs.dstoff[1] + acs.dstsiz[0] - acs.srcoff[0];
1212	}
1213	else
1214	space = acs.dstoff[1] + acs.dstsiz[0] - acs.srcoff[0];
1215
1216	/* Overlap is certain if the distance between the farthest offsets
1217	of the opposite accesses is less than the sum of the lower bounds
1218	of the sizes of the two accesses. */
1219	bool overlap_certain = space < acs.dstsiz[0] + acs.srcsiz[0];
1220
1221	/* For a constant-offset, constant size access, consider the largest
1222	distance between the offset bounds and the lower bound of the access
1223	size. If the overlap isn't certain return success. */
1224	if (!overlap_certain
1225	&& acs.dstoff[0] == acs.dstoff[1]
1226	&& acs.srcoff[0] == acs.srcoff[1]
1227	&& acs.dstsiz[0] == acs.dstsiz[1]
1228	&& acs.srcsiz[0] == acs.srcsiz[1])
1229	return false;
1230
1231	/* Overlap is not certain but may be possible. */
1232
1233	offset_int access_min = acs.dstsiz[0] + acs.srcsiz[0];
1234
1235	/* Determine the conservative (minimum) amount of space. */
1236	space = wi::abs (x: acs.dstoff[0] - acs.srcoff[0]);
1237	offset_int d = wi::abs (x: acs.dstoff[0] - acs.srcoff[1]);
1238	if (d < space)
1239	space = d;
1240	d = wi::abs (x: acs.dstoff[1] - acs.srcoff[0]);
1241	if (d < space)
1242	space = d;
1243
1244	/* For a strict test (used for strcpy and similar with unknown or
1245	variable bounds or sizes), consider the smallest distance between
1246	the offset bounds and either the upper bound of the access size
1247	if known, or the lower bound otherwise. */
1248	if (access_min <= space && (access_min != 0 || !strfunc_unknown_args))
1249	return false;
1250
1251	/* When strcat overlap is certain it is always a single byte:
1252	the terminating NUL, regardless of offsets and sizes. When
1253	overlap is only possible its range is [0, 1]. */
1254	acs.ovlsiz[0] = dstref->sizrange[0] == dstref->sizrange[1] ? 1 : 0;
1255	acs.ovlsiz[1] = 1;
1256
1257	offset_int endoff
1258	= dstref->offrange[0] + (dstref->sizrange[0] - srcref->sizrange[0]);
1259	if (endoff <= srcref->offrange[0])
1260	acs.ovloff[0] = wi::smin (x: maxobjsize, y: srcref->offrange[0]).to_shwi ();
1261	else
1262	acs.ovloff[0] = wi::smin (x: maxobjsize, y: endoff).to_shwi ();
1263
1264	acs.sizrange[0] = wi::smax (x: wi::abs (x: endoff - srcref->offrange[0]) + 1,
1265	y: srcref->sizrange[0]).to_shwi ();
1266	if (dstref->offrange[0] == dstref->offrange[1])
1267	{
1268	if (srcref->offrange[0] == srcref->offrange[1])
1269	acs.ovloff[1] = acs.ovloff[0];
1270	else
1271	acs.ovloff[1]
1272	= wi::smin (x: maxobjsize,
1273	y: srcref->offrange[1] + srcref->sizrange[1]).to_shwi ();
1274	}
1275	else
1276	acs.ovloff[1]
1277	= wi::smin (x: maxobjsize,
1278	y: dstref->offrange[1] + dstref->sizrange[1]).to_shwi ();
1279
1280	if (acs.sizrange[0] == 0)
1281	acs.sizrange[0] = 1;
1282	acs.sizrange[1] = wi::smax (x: acs.dstsiz[1], y: srcref->sizrange[1]).to_shwi ();
1283	return true;
1284	}
1285
1286	/* Return true if the strcpy-like access overlaps. */
1287
1288	bool
1289	builtin_access::strcpy_overlap ()
1290	{
1291	return generic_overlap ();
1292	}
1293
1294	/* For a BASE of array type, clamp REFOFF to at most [0, BASE_SIZE]
1295	if known, or [0, MAXOBJSIZE] otherwise. */
1296
1297	static void
1298	clamp_offset (tree base, offset_int refoff[2], offset_int maxobjsize)
1299	{
1300	if (!base || TREE_CODE (TREE_TYPE (base)) != ARRAY_TYPE)
1301	return;
1302
1303	if (refoff[0] < 0 && refoff[1] >= 0)
1304	refoff[0] = 0;
1305
1306	if (refoff[1] < refoff[0])
1307	{
1308	offset_int maxsize = maxobjsize;
1309	if (tree size = TYPE_SIZE_UNIT (TREE_TYPE (base)))
1310	maxsize = wi::to_offset (t: size);
1311
1312	refoff[1] = wi::umin (x: refoff[1], y: maxsize);
1313	}
1314	}
1315
1316	/* Return true if DSTREF and SRCREF describe accesses that either overlap
1317	one another or that, in order not to overlap, would imply that the size
1318	of the referenced object(s) exceeds the maximum size of an object. Set
1319	Otherwise, if DSTREF and SRCREF do not definitely overlap (even though
1320	they may overlap in a way that's not apparent from the available data),
1321	return false. */
1322
1323	bool
1324	builtin_access::overlap ()
1325	{
1326	builtin_access &acs = *this;
1327
1328	const offset_int maxobjsize = dstref->maxobjsize;
1329
1330	acs.sizrange[0] = wi::smax (x: dstref->sizrange[0],
1331	y: srcref->sizrange[0]).to_shwi ();
1332	acs.sizrange[1] = wi::smax (x: dstref->sizrange[1],
1333	y: srcref->sizrange[1]).to_shwi ();
1334
1335	/* Check to see if the two references refer to regions that are
1336	too large not to overlap in the address space (whose maximum
1337	size is PTRDIFF_MAX). */
1338	offset_int size = dstref->sizrange[0] + srcref->sizrange[0];
1339	if (maxobjsize < size)
1340	{
1341	acs.ovloff[0] = (maxobjsize - dstref->sizrange[0]).to_shwi ();
1342	acs.ovlsiz[0] = (size - maxobjsize).to_shwi ();
1343	return true;
1344	}
1345
1346	/* If both base objects aren't known return the maximum possible
1347	offset that would make them not overlap. */
1348	if (!dstref->base || !srcref->base)
1349	return false;
1350
1351	/* If the base object is an array adjust the bounds of the offset
1352	to be non-negative and within the bounds of the array if possible. */
1353	clamp_offset (base: dstref->base, refoff: acs.dstoff, maxobjsize);
1354
1355	acs.srcoff[0] = srcref->offrange[0];
1356	acs.srcoff[1] = srcref->offrange[1];
1357
1358	clamp_offset (base: srcref->base, refoff: acs.srcoff, maxobjsize);
1359
1360	/* When the upper bound of the offset is less than the lower bound
1361	the former is the result of a negative offset being represented
1362	as a large positive value or vice versa. The resulting range is
1363	a union of two subranges: [MIN, UB] and [LB, MAX]. Since such
1364	a union is not representable using the current data structure
1365	replace it with the full range of offsets. */
1366	if (acs.dstoff[1] < acs.dstoff[0])
1367	{
1368	acs.dstoff[0] = -maxobjsize - 1;
1369	acs.dstoff[1] = maxobjsize;
1370	}
1371
1372	/* Validate the offset and size of each reference on its own first.
1373	This is independent of whether or not the base objects are the
1374	same. Normally, this would have already been detected and
1375	diagnosed by -Warray-bounds, unless it has been disabled. */
1376	offset_int maxoff = acs.dstoff[0] + dstref->sizrange[0];
1377	if (maxobjsize < maxoff)
1378	{
1379	acs.ovlsiz[0] = (maxoff - maxobjsize).to_shwi ();
1380	acs.ovloff[0] = acs.dstoff[0].to_shwi () - acs.ovlsiz[0];
1381	return true;
1382	}
1383
1384	/* Repeat the same as above but for the source offsets. */
1385	if (acs.srcoff[1] < acs.srcoff[0])
1386	{
1387	acs.srcoff[0] = -maxobjsize - 1;
1388	acs.srcoff[1] = maxobjsize;
1389	}
1390
1391	maxoff = acs.srcoff[0] + srcref->sizrange[0];
1392	if (maxobjsize < maxoff)
1393	{
1394	acs.ovlsiz[0] = (maxoff - maxobjsize).to_shwi ();
1395	acs.ovlsiz[1] = (acs.srcoff[0] + srcref->sizrange[1]
1396	- maxobjsize).to_shwi ();
1397	acs.ovloff[0] = acs.srcoff[0].to_shwi () - acs.ovlsiz[0];
1398	return true;
1399	}
1400
1401	if (dstref->base != srcref->base)
1402	return false;
1403
1404	acs.dstsiz[0] = dstref->sizrange[0];
1405	acs.dstsiz[1] = dstref->sizrange[1];
1406
1407	acs.srcsiz[0] = srcref->sizrange[0];
1408	acs.srcsiz[1] = srcref->sizrange[1];
1409
1410	/* Call the appropriate function to determine the overlap. */
1411	if ((this->*detect_overlap) ())
1412	{
1413	if (!sizrange[1])
1414	{
1415	/* Unless the access size range has already been set, do so here. */
1416	sizrange[0] = wi::smax (x: acs.dstsiz[0], y: srcref->sizrange[0]).to_shwi ();
1417	sizrange[1] = wi::smax (x: acs.dstsiz[1], y: srcref->sizrange[1]).to_shwi ();
1418	}
1419	return true;
1420	}
1421
1422	return false;
1423	}
1424
1425	/* Attempt to detect and diagnose an overlapping copy in a call expression
1426	EXPR involving an access ACS to a built-in memory or string function.
1427	Return true when one has been detected, false otherwise. */
1428
1429	static bool
1430	maybe_diag_overlap (location_t loc, gimple *call, builtin_access &acs)
1431	{
1432	if (!acs.overlap ())
1433	return false;
1434
1435	if (warning_suppressed_p (call, OPT_Wrestrict))
1436	return true;
1437
1438	/* For convenience. */
1439	const builtin_memref &dstref = *acs.dstref;
1440	const builtin_memref &srcref = *acs.srcref;
1441
1442	/* Determine the range of offsets and sizes of the overlap if it
1443	exists and issue diagnostics. */
1444	HOST_WIDE_INT *ovloff = acs.ovloff;
1445	HOST_WIDE_INT *ovlsiz = acs.ovlsiz;
1446	HOST_WIDE_INT *sizrange = acs.sizrange;
1447
1448	tree func = gimple_call_fndecl (gs: call);
1449
1450	/* To avoid a combinatorial explosion of diagnostics format the offsets
1451	or their ranges as strings and use them in the warning calls below. */
1452	char offstr[3][64];
1453
1454	if (dstref.offrange[0] == dstref.offrange[1]
1455	|| dstref.offrange[1] > HOST_WIDE_INT_MAX)
1456	sprintf (s: offstr[0], HOST_WIDE_INT_PRINT_DEC,
1457	dstref.offrange[0].to_shwi ());
1458	else
1459	sprintf (s: offstr[0],
1460	format: "[" HOST_WIDE_INT_PRINT_DEC ", " HOST_WIDE_INT_PRINT_DEC "]",
1461	dstref.offrange[0].to_shwi (),
1462	dstref.offrange[1].to_shwi ());
1463
1464	if (srcref.offrange[0] == srcref.offrange[1]
1465	|| srcref.offrange[1] > HOST_WIDE_INT_MAX)
1466	sprintf (s: offstr[1],
1467	HOST_WIDE_INT_PRINT_DEC,
1468	srcref.offrange[0].to_shwi ());
1469	else
1470	sprintf (s: offstr[1],
1471	format: "[" HOST_WIDE_INT_PRINT_DEC ", " HOST_WIDE_INT_PRINT_DEC "]",
1472	srcref.offrange[0].to_shwi (),
1473	srcref.offrange[1].to_shwi ());
1474
1475	if (ovloff[0] == ovloff[1] || !ovloff[1])
1476	sprintf (s: offstr[2], HOST_WIDE_INT_PRINT_DEC, ovloff[0]);
1477	else
1478	sprintf (s: offstr[2],
1479	format: "[" HOST_WIDE_INT_PRINT_DEC ", " HOST_WIDE_INT_PRINT_DEC "]",
1480	ovloff[0], ovloff[1]);
1481
1482	const offset_int maxobjsize = dstref.maxobjsize;
1483	bool must_overlap = ovlsiz[0] > 0;
1484
1485	if (ovlsiz[1] == 0)
1486	ovlsiz[1] = ovlsiz[0];
1487
1488	if (must_overlap)
1489	{
1490	/* Issue definitive "overlaps" diagnostic in this block. */
1491
1492	if (sizrange[0] == sizrange[1])
1493	{
1494	if (ovlsiz[0] == ovlsiz[1])
1495	warning_at (loc, OPT_Wrestrict,
1496	sizrange[0] == 1
1497	? (ovlsiz[0] == 1
1498	? G_("%qD accessing %wu byte at offsets %s "
1499	"and %s overlaps %wu byte at offset %s")
1500	: G_("%qD accessing %wu byte at offsets %s "
1501	"and %s overlaps %wu bytes at offset "
1502	"%s"))
1503	: (ovlsiz[0] == 1
1504	? G_("%qD accessing %wu bytes at offsets %s "
1505	"and %s overlaps %wu byte at offset %s")
1506	: G_("%qD accessing %wu bytes at offsets %s "
1507	"and %s overlaps %wu bytes at offset "
1508	"%s")),
1509	func, sizrange[0],
1510	offstr[0], offstr[1], ovlsiz[0], offstr[2]);
1511	else if (ovlsiz[1] >= 0 && ovlsiz[1] < maxobjsize.to_shwi ())
1512	warning_n (loc, OPT_Wrestrict, sizrange[0],
1513	"%qD accessing %wu byte at offsets %s "
1514	"and %s overlaps between %wu and %wu bytes "
1515	"at offset %s",
1516	"%qD accessing %wu bytes at offsets %s "
1517	"and %s overlaps between %wu and %wu bytes "
1518	"at offset %s",
1519	func, sizrange[0], offstr[0], offstr[1],
1520	ovlsiz[0], ovlsiz[1], offstr[2]);
1521	else
1522	warning_n (loc, OPT_Wrestrict, sizrange[0],
1523	"%qD accessing %wu byte at offsets %s and "
1524	"%s overlaps %wu or more bytes at offset %s",
1525	"%qD accessing %wu bytes at offsets %s and "
1526	"%s overlaps %wu or more bytes at offset %s",
1527	func, sizrange[0],
1528	offstr[0], offstr[1], ovlsiz[0], offstr[2]);
1529	return true;
1530	}
1531
1532	if (sizrange[1] >= 0 && sizrange[1] < maxobjsize.to_shwi ())
1533	{
1534	if (ovlsiz[0] == ovlsiz[1])
1535	warning_n (loc, OPT_Wrestrict, ovlsiz[0],
1536	"%qD accessing between %wu and %wu bytes "
1537	"at offsets %s and %s overlaps %wu byte at "
1538	"offset %s",
1539	"%qD accessing between %wu and %wu bytes "
1540	"at offsets %s and %s overlaps %wu bytes "
1541	"at offset %s",
1542	func, sizrange[0], sizrange[1],
1543	offstr[0], offstr[1], ovlsiz[0], offstr[2]);
1544	else if (ovlsiz[1] >= 0 && ovlsiz[1] < maxobjsize.to_shwi ())
1545	warning_at (loc, OPT_Wrestrict,
1546	"%qD accessing between %wu and %wu bytes at "
1547	"offsets %s and %s overlaps between %wu and %wu "
1548	"bytes at offset %s",
1549	func, sizrange[0], sizrange[1],
1550	offstr[0], offstr[1], ovlsiz[0], ovlsiz[1],
1551	offstr[2]);
1552	else
1553	warning_at (loc, OPT_Wrestrict,
1554	"%qD accessing between %wu and %wu bytes at "
1555	"offsets %s and %s overlaps %wu or more bytes "
1556	"at offset %s",
1557	func, sizrange[0], sizrange[1],
1558	offstr[0], offstr[1], ovlsiz[0], offstr[2]);
1559	return true;
1560	}
1561
1562	if (ovlsiz[0] != ovlsiz[1])
1563	ovlsiz[1] = maxobjsize.to_shwi ();
1564
1565	if (ovlsiz[0] == ovlsiz[1])
1566	warning_n (loc, OPT_Wrestrict, ovlsiz[0],
1567	"%qD accessing %wu or more bytes at offsets "
1568	"%s and %s overlaps %wu byte at offset %s",
1569	"%qD accessing %wu or more bytes at offsets "
1570	"%s and %s overlaps %wu bytes at offset %s",
1571	func, sizrange[0], offstr[0], offstr[1],
1572	ovlsiz[0], offstr[2]);
1573	else if (ovlsiz[1] >= 0 && ovlsiz[1] < maxobjsize.to_shwi ())
1574	warning_at (loc, OPT_Wrestrict,
1575	"%qD accessing %wu or more bytes at offsets %s "
1576	"and %s overlaps between %wu and %wu bytes "
1577	"at offset %s",
1578	func, sizrange[0], offstr[0], offstr[1],
1579	ovlsiz[0], ovlsiz[1], offstr[2]);
1580	else
1581	warning_at (loc, OPT_Wrestrict,
1582	"%qD accessing %wu or more bytes at offsets %s "
1583	"and %s overlaps %wu or more bytes at offset %s",
1584	func, sizrange[0], offstr[0], offstr[1],
1585	ovlsiz[0], offstr[2]);
1586	return true;
1587	}
1588
1589	/* Use more concise wording when one of the offsets is unbounded
1590	to avoid confusing the user with large and mostly meaningless
1591	numbers. */
1592	bool open_range;
1593	if (DECL_P (dstref.base) && TREE_CODE (TREE_TYPE (dstref.base)) == ARRAY_TYPE)
1594	open_range = ((dstref.offrange[0] == 0
1595	&& dstref.offrange[1] == maxobjsize)
1596	|| (srcref.offrange[0] == 0
1597	&& srcref.offrange[1] == maxobjsize));
1598	else
1599	open_range = ((dstref.offrange[0] == -maxobjsize - 1
1600	&& dstref.offrange[1] == maxobjsize)
1601	|| (srcref.offrange[0] == -maxobjsize - 1
1602	&& srcref.offrange[1] == maxobjsize));
1603
1604	if (sizrange[0] == sizrange[1] || sizrange[1] == 1)
1605	{
1606	if (ovlsiz[1] == 1)
1607	{
1608	if (open_range)
1609	warning_n (loc, OPT_Wrestrict, sizrange[1],
1610	"%qD accessing %wu byte may overlap "
1611	"%wu byte",
1612	"%qD accessing %wu bytes may overlap "
1613	"%wu byte",
1614	func, sizrange[1], ovlsiz[1]);
1615	else
1616	warning_n (loc, OPT_Wrestrict, sizrange[1],
1617	"%qD accessing %wu byte at offsets %s "
1618	"and %s may overlap %wu byte at offset %s",
1619	"%qD accessing %wu bytes at offsets %s "
1620	"and %s may overlap %wu byte at offset %s",
1621	func, sizrange[1], offstr[0], offstr[1],
1622	ovlsiz[1], offstr[2]);
1623	return true;
1624	}
1625
1626	if (open_range)
1627	warning_n (loc, OPT_Wrestrict, sizrange[1],
1628	"%qD accessing %wu byte may overlap "
1629	"up to %wu bytes",
1630	"%qD accessing %wu bytes may overlap "
1631	"up to %wu bytes",
1632	func, sizrange[1], ovlsiz[1]);
1633	else
1634	warning_n (loc, OPT_Wrestrict, sizrange[1],
1635	"%qD accessing %wu byte at offsets %s and "
1636	"%s may overlap up to %wu bytes at offset %s",
1637	"%qD accessing %wu bytes at offsets %s and "
1638	"%s may overlap up to %wu bytes at offset %s",
1639	func, sizrange[1], offstr[0], offstr[1],
1640	ovlsiz[1], offstr[2]);
1641	return true;
1642	}
1643
1644	if (sizrange[1] >= 0 && sizrange[1] < maxobjsize.to_shwi ())
1645	{
1646	if (open_range)
1647	warning_n (loc, OPT_Wrestrict, ovlsiz[1],
1648	"%qD accessing between %wu and %wu bytes "
1649	"may overlap %wu byte",
1650	"%qD accessing between %wu and %wu bytes "
1651	"may overlap up to %wu bytes",
1652	func, sizrange[0], sizrange[1], ovlsiz[1]);
1653	else
1654	warning_n (loc, OPT_Wrestrict, ovlsiz[1],
1655	"%qD accessing between %wu and %wu bytes "
1656	"at offsets %s and %s may overlap %wu byte "
1657	"at offset %s",
1658	"%qD accessing between %wu and %wu bytes "
1659	"at offsets %s and %s may overlap up to %wu "
1660	"bytes at offset %s",
1661	func, sizrange[0], sizrange[1],
1662	offstr[0], offstr[1], ovlsiz[1], offstr[2]);
1663	return true;
1664	}
1665
1666	warning_n (loc, OPT_Wrestrict, ovlsiz[1],
1667	"%qD accessing %wu or more bytes at offsets %s "
1668	"and %s may overlap %wu byte at offset %s",
1669	"%qD accessing %wu or more bytes at offsets %s "
1670	"and %s may overlap up to %wu bytes at offset %s",
1671	func, sizrange[0], offstr[0], offstr[1],
1672	ovlsiz[1], offstr[2]);
1673
1674	return true;
1675	}
1676
1677	/* Validate REF size and offsets in an expression passed as an argument
1678	to a CALL to a built-in function FUNC to make sure they are within
1679	the bounds of the referenced object if its size is known, or
1680	PTRDIFF_MAX otherwise. DO_WARN is true when a diagnostic should
1681	be issued, false otherwise.
1682	Both initial values of the offsets and their final value computed
1683	by the function by incrementing the initial value by the size are
1684	validated. Return the warning number if the offsets are not valid
1685	and a diagnostic has been issued, or would have been issued if
1686	DO_WARN had been true, otherwise an invalid warning number. */
1687
1688	static opt_code
1689	maybe_diag_access_bounds (gimple *call, tree func, int strict,
1690	const builtin_memref &ref, offset_int wroff,
1691	bool do_warn)
1692	{
1693	location_t loc = gimple_location (g: call);
1694	const offset_int maxobjsize = ref.maxobjsize;
1695
1696	/* Check for excessive size first and regardless of warning options
1697	since the result is used to make codegen decisions. */
1698	if (ref.sizrange[0] > maxobjsize)
1699	{
1700	const opt_code opt = OPT_Wstringop_overflow_;
1701	/* Return true without issuing a warning. */
1702	if (!do_warn)
1703	return opt;
1704
1705	if (ref.ref && warning_suppressed_p (ref.ref, OPT_Wstringop_overflow_))
1706	return no_warning;
1707
1708	bool warned = false;
1709	if (warn_stringop_overflow)
1710	{
1711	if (ref.sizrange[0] == ref.sizrange[1])
1712	warned = warning_at (loc, opt,
1713	"%qD specified bound %wu "
1714	"exceeds maximum object size %wu",
1715	func, ref.sizrange[0].to_uhwi (),
1716	maxobjsize.to_uhwi ());
1717	else
1718	warned = warning_at (loc, opt,
1719	"%qD specified bound between %wu and %wu "
1720	"exceeds maximum object size %wu",
1721	func, ref.sizrange[0].to_uhwi (),
1722	ref.sizrange[1].to_uhwi (),
1723	maxobjsize.to_uhwi ());
1724	return warned ? opt : no_warning;
1725	}
1726	}
1727
1728	/* Check for out-bounds pointers regardless of warning options since
1729	the result is used to make codegen decisions. An excessive WROFF
1730	can only come up as a result of an invalid strncat bound and is
1731	diagnosed separately using a more meaningful warning. */
1732	if (maxobjsize < wroff)
1733	wroff = 0;
1734	offset_int ooboff[] = { ref.offrange[0], ref.offrange[1], wroff };
1735	tree oobref = ref.offset_out_of_bounds (strict, ooboff);
1736	if (!oobref)
1737	return no_warning;
1738
1739	const opt_code opt = OPT_Warray_bounds_;
1740	/* Return true without issuing a warning. */
1741	if (!do_warn)
1742	return opt;
1743
1744	if (!warn_array_bounds)
1745	return no_warning;
1746
1747	if (warning_suppressed_p (ref.ptr, opt)
1748	|| (ref.ref && warning_suppressed_p (ref.ref, opt)))
1749	return no_warning;
1750
1751	char rangestr[2][64];
1752	if (ooboff[0] == ooboff[1]
1753	|| (ooboff[0] != ref.offrange[0]
1754	&& ooboff[0].to_shwi () >= ooboff[1].to_shwi ()))
1755	sprintf (s: rangestr[0], format: "%lli", (long long) ooboff[0].to_shwi ());
1756	else
1757	sprintf (s: rangestr[0], format: "[%lli, %lli]",
1758	(long long) ooboff[0].to_shwi (),
1759	(long long) ooboff[1].to_shwi ());
1760
1761	bool warned = false;
1762
1763	if (oobref == error_mark_node)
1764	{
1765	if (ref.sizrange[0] == ref.sizrange[1])
1766	sprintf (s: rangestr[1], format: "%llu",
1767	(unsigned long long) ref.sizrange[0].to_shwi ());
1768	else
1769	sprintf (s: rangestr[1], format: "[%lli, %lli]",
1770	(unsigned long long) ref.sizrange[0].to_uhwi (),
1771	(unsigned long long) ref.sizrange[1].to_uhwi ());
1772
1773	tree type;
1774
1775	if (DECL_P (ref.base)
1776	&& TREE_CODE (type = TREE_TYPE (ref.base)) == ARRAY_TYPE)
1777	{
1778	auto_diagnostic_group d;
1779	if (warning_at (loc, opt,
1780	"%qD pointer overflow between offset %s "
1781	"and size %s accessing array %qD with type %qT",
1782	func, rangestr[0], rangestr[1], ref.base, type))
1783	{
1784	inform (DECL_SOURCE_LOCATION (ref.base),
1785	"array %qD declared here", ref.base);
1786	warned = true;
1787	}
1788	else
1789	warned = warning_at (loc, opt,
1790	"%qD pointer overflow between offset %s "
1791	"and size %s",
1792	func, rangestr[0], rangestr[1]);
1793	}
1794	else
1795	warned = warning_at (loc, opt,
1796	"%qD pointer overflow between offset %s "
1797	"and size %s",
1798	func, rangestr[0], rangestr[1]);
1799	}
1800	else if (oobref == ref.base)
1801	{
1802	/* True when the offset formed by an access to the reference
1803	is out of bounds, rather than the initial offset wich is
1804	in bounds. This implies access past the end. */
1805	bool form = ooboff[0] != ref.offrange[0];
1806
1807	if (DECL_P (ref.base))
1808	{
1809	auto_diagnostic_group d;
1810	if ((ref.basesize < maxobjsize
1811	&& warning_at (loc, opt,
1812	form
1813	? G_("%qD forming offset %s is out of "
1814	"the bounds [0, %wu] of object %qD with "
1815	"type %qT")
1816	: G_("%qD offset %s is out of the bounds "
1817	"[0, %wu] of object %qD with type %qT"),
1818	func, rangestr[0], ref.basesize.to_uhwi (),
1819	ref.base, TREE_TYPE (ref.base)))
1820	|| warning_at (loc, opt,
1821	form
1822	? G_("%qD forming offset %s is out of "
1823	"the bounds of object %qD with type %qT")
1824	: G_("%qD offset %s is out of the bounds "
1825	"of object %qD with type %qT"),
1826	func, rangestr[0],
1827	ref.base, TREE_TYPE (ref.base)))
1828	{
1829	inform (DECL_SOURCE_LOCATION (ref.base),
1830	"%qD declared here", ref.base);
1831	warned = true;
1832	}
1833	}
1834	else if (ref.basesize < maxobjsize)
1835	warned = warning_at (loc, opt,
1836	form
1837	? G_("%qD forming offset %s is out "
1838	"of the bounds [0, %wu]")
1839	: G_("%qD offset %s is out "
1840	"of the bounds [0, %wu]"),
1841	func, rangestr[0], ref.basesize.to_uhwi ());
1842	else
1843	warned = warning_at (loc, opt,
1844	form
1845	? G_("%qD forming offset %s is out of bounds")
1846	: G_("%qD offset %s is out of bounds"),
1847	func, rangestr[0]);
1848	}
1849	else if (TREE_CODE (ref.ref) == MEM_REF)
1850	{
1851	tree refop = TREE_OPERAND (ref.ref, 0);
1852	tree type = TREE_TYPE (refop);
1853	if (POINTER_TYPE_P (type))
1854	type = TREE_TYPE (type);
1855	type = TYPE_MAIN_VARIANT (type);
1856
1857	if (warning_at (loc, opt,
1858	"%qD offset %s from the object at %qE is out "
1859	"of the bounds of %qT",
1860	func, rangestr[0], ref.base, type))
1861	{
1862	if (TREE_CODE (ref.ref) == COMPONENT_REF)
1863	refop = TREE_OPERAND (ref.ref, 1);
1864	if (DECL_P (refop))
1865	inform (DECL_SOURCE_LOCATION (refop),
1866	"subobject %qD declared here", refop);
1867	warned = true;
1868	}
1869	}
1870	else
1871	{
1872	tree refop = TREE_OPERAND (ref.ref, 0);
1873	tree type = TYPE_MAIN_VARIANT (TREE_TYPE (ref.ref));
1874
1875	if (warning_at (loc, opt,
1876	"%qD offset %s from the object at %qE is out "
1877	"of the bounds of referenced subobject %qD with "
1878	"type %qT at offset %wi",
1879	func, rangestr[0], ref.base,
1880	TREE_OPERAND (ref.ref, 1), type,
1881	ref.refoff.to_shwi ()))
1882	{
1883	if (TREE_CODE (ref.ref) == COMPONENT_REF)
1884	refop = TREE_OPERAND (ref.ref, 1);
1885	if (DECL_P (refop))
1886	inform (DECL_SOURCE_LOCATION (refop),
1887	"subobject %qD declared here", refop);
1888	warned = true;
1889	}
1890	}
1891
1892	return warned ? opt : no_warning;
1893	}
1894
1895	/* Check a CALL statement for restrict-violations and issue warnings
1896	if/when appropriate. */
1897
1898	void
1899	pass_wrestrict::check_call (gimple *call)
1900	{
1901	/* Avoid checking the call if it has already been diagnosed for
1902	some reason. */
1903	if (warning_suppressed_p (call, OPT_Wrestrict))
1904	return;
1905
1906	tree func = gimple_call_fndecl (gs: call);
1907	if (!func || !fndecl_built_in_p (node: func, klass: BUILT_IN_NORMAL))
1908	return;
1909
1910	/* Argument number to extract from the call (depends on the built-in
1911	and its kind). */
1912	unsigned dst_idx = -1;
1913	unsigned src_idx = -1;
1914	unsigned bnd_idx = -1;
1915
1916	/* Is this CALL to a string function (as opposed to one to a raw
1917	memory function). */
1918	bool strfun = true;
1919
1920	switch (DECL_FUNCTION_CODE (decl: func))
1921	{
1922	case BUILT_IN_MEMCPY:
1923	case BUILT_IN_MEMCPY_CHK:
1924	case BUILT_IN_MEMPCPY:
1925	case BUILT_IN_MEMPCPY_CHK:
1926	case BUILT_IN_MEMMOVE:
1927	case BUILT_IN_MEMMOVE_CHK:
1928	strfun = false;
1929	/* Fall through. */
1930
1931	case BUILT_IN_STPNCPY:
1932	case BUILT_IN_STPNCPY_CHK:
1933	case BUILT_IN_STRNCAT:
1934	case BUILT_IN_STRNCAT_CHK:
1935	case BUILT_IN_STRNCPY:
1936	case BUILT_IN_STRNCPY_CHK:
1937	dst_idx = 0;
1938	src_idx = 1;
1939	bnd_idx = 2;
1940	break;
1941
1942	case BUILT_IN_MEMSET:
1943	case BUILT_IN_MEMSET_CHK:
1944	dst_idx = 0;
1945	bnd_idx = 2;
1946	break;
1947
1948	case BUILT_IN_STPCPY:
1949	case BUILT_IN_STPCPY_CHK:
1950	case BUILT_IN_STRCPY:
1951	case BUILT_IN_STRCPY_CHK:
1952	case BUILT_IN_STRCAT:
1953	case BUILT_IN_STRCAT_CHK:
1954	dst_idx = 0;
1955	src_idx = 1;
1956	break;
1957
1958	default:
1959	/* Handle other string functions here whose access may need
1960	to be validated for in-bounds offsets and non-overlapping
1961	copies. */
1962	return;
1963	}
1964
1965	unsigned nargs = gimple_call_num_args (gs: call);
1966
1967	tree dst = dst_idx < nargs ? gimple_call_arg (gs: call, index: dst_idx) : NULL_TREE;
1968	tree src = src_idx < nargs ? gimple_call_arg (gs: call, index: src_idx) : NULL_TREE;
1969	tree dstwr = bnd_idx < nargs ? gimple_call_arg (gs: call, index: bnd_idx) : NULL_TREE;
1970
1971	/* For string functions with an unspecified or unknown bound,
1972	assume the size of the access is one. */
1973	if (!dstwr && strfun)
1974	dstwr = size_one_node;
1975
1976	/* DST and SRC can be null for a call with an insufficient number
1977	of arguments to a built-in function declared without a protype. */
1978	if (!dst || (src_idx < nargs && !src))
1979	return;
1980
1981	/* DST, SRC, or DSTWR can also have the wrong type in a call to
1982	a function declared without a prototype. Avoid checking such
1983	invalid calls. */
1984	if (TREE_CODE (TREE_TYPE (dst)) != POINTER_TYPE
1985	|| (src && TREE_CODE (TREE_TYPE (src)) != POINTER_TYPE)
1986	|| (dstwr && !INTEGRAL_TYPE_P (TREE_TYPE (dstwr))))
1987	return;
1988
1989	opt_code opt = check_bounds_or_overlap (m_ptr_qry, call, dst, src, dstwr,
1990	NULL_TREE);
1991	/* Avoid diagnosing the call again. */
1992	suppress_warning (call, opt);
1993	}
1994
1995	} /* anonymous namespace */
1996
1997	/* Attempt to detect and diagnose invalid offset bounds and (except for
1998	memmove) overlapping copy in a call expression EXPR from SRC to DST
1999	and DSTSIZE and SRCSIZE bytes, respectively. Both DSTSIZE and
2000	SRCSIZE may be NULL. DO_WARN is false to detect either problem
2001	without issue a warning. Return the OPT_Wxxx constant corresponding
2002	to the warning if one has been detected and zero otherwise. */
2003
2004	opt_code
2005	check_bounds_or_overlap (gimple *call, tree dst, tree src, tree dstsize,
2006	tree srcsize, bool bounds_only /* = false */,
2007	bool do_warn /* = true */)
2008	{
2009	pointer_query ptrqry (get_range_query (cfun));
2010	return check_bounds_or_overlap (ptrqry,
2011	call, dst, src, dstsize, srcsize,
2012	bounds_only, do_warn);
2013	}
2014
2015	opt_code
2016	check_bounds_or_overlap (pointer_query &ptrqry,
2017	gimple *call, tree dst, tree src, tree dstsize,
2018	tree srcsize, bool bounds_only /* = false */,
2019	bool do_warn /* = true */)
2020	{
2021	tree func = gimple_call_fndecl (gs: call);
2022
2023	builtin_memref dstref (ptrqry, call, dst, dstsize);
2024	builtin_memref srcref (ptrqry, call, src, srcsize);
2025
2026	/* Create a descriptor of the access. This may adjust both DSTREF
2027	and SRCREF based on one another and the kind of the access. */
2028	builtin_access acs (ptrqry, call, dstref, srcref);
2029
2030	/* Set STRICT to the value of the -Warray-bounds=N argument for
2031	string functions or when N > 1. */
2032	int strict = (acs.strict () || warn_array_bounds > 1 ? warn_array_bounds : 0);
2033
2034	/* The starting offset of the destination write access. Nonzero only
2035	for the strcat family of functions. */
2036	offset_int wroff = acs.write_off (startlen: dstsize);
2037
2038	/* Validate offsets to each reference before the access first to make
2039	sure they are within the bounds of the destination object if its
2040	size is known, or PTRDIFF_MAX otherwise. */
2041	opt_code opt
2042	= maybe_diag_access_bounds (call, func, strict, ref: dstref, wroff, do_warn);
2043	if (opt == no_warning)
2044	opt = maybe_diag_access_bounds (call, func, strict, ref: srcref, wroff: 0, do_warn);
2045
2046	if (opt != no_warning)
2047	{
2048	if (do_warn)
2049	suppress_warning (call, opt);
2050	return opt;
2051	}
2052
2053	if (!warn_restrict || bounds_only || !src)
2054	return no_warning;
2055
2056	if (!bounds_only)
2057	{
2058	switch (DECL_FUNCTION_CODE (decl: func))
2059	{
2060	case BUILT_IN_MEMMOVE:
2061	case BUILT_IN_MEMMOVE_CHK:
2062	case BUILT_IN_MEMSET:
2063	case BUILT_IN_MEMSET_CHK:
2064	return no_warning;
2065	default:
2066	break;
2067	}
2068	}
2069
2070	location_t loc = gimple_location (g: call);
2071	if (operand_equal_p (dst, src, flags: 0))
2072	{
2073	/* Issue -Wrestrict unless the pointers are null (those do
2074	not point to objects and so do not indicate an overlap;
2075	such calls could be the result of sanitization and jump
2076	threading). */
2077	if (!integer_zerop (dst) && !warning_suppressed_p (call, OPT_Wrestrict))
2078	{
2079	warning_at (loc, OPT_Wrestrict,
2080	"%qD source argument is the same as destination",
2081	func);
2082	suppress_warning (call, OPT_Wrestrict);
2083	return OPT_Wrestrict;
2084	}
2085
2086	return no_warning;
2087	}
2088
2089	/* Return false when overlap has been detected. */
2090	if (maybe_diag_overlap (loc, call, acs))
2091	{
2092	suppress_warning (call, OPT_Wrestrict);
2093	return OPT_Wrestrict;
2094	}
2095
2096	return no_warning;
2097	}
2098
2099	gimple_opt_pass *
2100	make_pass_warn_restrict (gcc::context *ctxt)
2101	{
2102	return new pass_wrestrict (ctxt);
2103	}
2104
2105	DEBUG_FUNCTION void
2106	dump_builtin_memref (FILE *fp, const builtin_memref &ref)
2107	{
2108	fprintf (stream: fp, format: "\n ptr = ");
2109	print_generic_expr (fp, ref.ptr, TDF_LINENO);
2110	fprintf (stream: fp, format: "\n ref = ");
2111	if (ref.ref)
2112	print_generic_expr (fp, ref.ref, TDF_LINENO);
2113	else
2114	fputs (s: "null", stream: fp);
2115	fprintf (stream: fp, format: "\n base = ");
2116	print_generic_expr (fp, ref.base, TDF_LINENO);
2117	fprintf (stream: fp,
2118	format: "\n basesize = %lli"
2119	"\n refsize = %lli"
2120	"\n refoff = %lli"
2121	"\n offrange = [%lli, %lli]"
2122	"\n sizrange = [%lli, %lli]"
2123	"\n strbounded_p = %s\n",
2124	(long long)ref.basesize.to_shwi (),
2125	(long long)ref.refsize.to_shwi (),
2126	(long long)ref.refoff.to_shwi (),
2127	(long long)ref.offrange[0].to_shwi (),
2128	(long long)ref.offrange[1].to_shwi (),
2129	(long long)ref.sizrange[0].to_shwi (),
2130	(long long)ref.sizrange[1].to_shwi (),
2131	ref.strbounded_p ? "true" : "false");
2132	}
2133
2134	void
2135	builtin_access::dump (FILE *fp) const
2136	{
2137	fprintf (stream: fp, format: " dstref:");
2138	dump_builtin_memref (fp, ref: *dstref);
2139	fprintf (stream: fp, format: "\n srcref:");
2140	dump_builtin_memref (fp, ref: *srcref);
2141
2142	fprintf (stream: fp,
2143	format: " sizrange = [%lli, %lli]\n"
2144	" ovloff = [%lli, %lli]\n"
2145	" ovlsiz = [%lli, %lli]\n"
2146	" dstoff = [%lli, %lli]\n"
2147	" dstsiz = [%lli, %lli]\n"
2148	" srcoff = [%lli, %lli]\n"
2149	" srcsiz = [%lli, %lli]\n",
2150	(long long)sizrange[0], (long long)sizrange[1],
2151	(long long)ovloff[0], (long long)ovloff[1],
2152	(long long)ovlsiz[0], (long long)ovlsiz[1],
2153	(long long)dstoff[0].to_shwi (), (long long)dstoff[1].to_shwi (),
2154	(long long)dstsiz[0].to_shwi (), (long long)dstsiz[1].to_shwi (),
2155	(long long)srcoff[0].to_shwi (), (long long)srcoff[1].to_shwi (),
2156	(long long)srcsiz[0].to_shwi (), (long long)srcsiz[1].to_shwi ());
2157	}
2158
2159	DEBUG_FUNCTION void
2160	dump_builtin_access (FILE *fp, gimple *stmt, const builtin_access &acs)
2161	{
2162	if (stmt)
2163	{
2164	fprintf (stream: fp, format: "\nDumping builtin_access for ");
2165	print_gimple_expr (fp, stmt, TDF_LINENO);
2166	fputs (s: ":\n", stream: fp);
2167	}
2168
2169	acs.dump (fp);
2170	}
2171
2172	DEBUG_FUNCTION void
2173	debug (gimple *stmt, const builtin_access &acs)
2174	{
2175	dump_builtin_access (stdout, stmt, acs);
2176	}
2177