Modernization; no functional change intended.

gcc/analyzer/ChangeLog:
	* access-diagram.cc: Use nullptr rather than NULL where
	appropriate.
	* analyzer-language.cc: Likewise.
	* analyzer-language.h: Likewise.
	* analyzer-logging.h: Likewise.
	* analyzer-pass.cc: Likewise.
	* analyzer.cc: Likewise.
	* bounds-checking.cc: Likewise.
	* call-details.cc: Likewise.
	* call-string.cc: Likewise.
	* call-string.h: Likewise.
	* call-summary.cc: Likewise.
	* checker-event.cc: Likewise.
	* common.h: Likewise.
	* constraint-manager.cc: Likewise.
	* constraint-manager.h: Likewise.
	* diagnostic-manager.cc: Likewise.
	* engine.cc: Likewise.
	* exploded-graph.h: Likewise.
	* function-set.cc: Likewise
	* infinite-recursion.cc: Likewise
	* inlining-iterator.h: Likewise
	* kf.cc: Likewise
	* known-function-manager.cc: Likewise
	* pending-diagnostic.cc: Likewise
	* program-point.cc: Likewise
	* program-point.h: Likewise
	* program-state.cc: Likewise
	* program-state.h: Likewise
	* record-layout.cc: Likewise
	* region-model-asm.cc: Likewise
	* region-model-manager.cc: Likewise
	* region-model-manager.h: Likewise
	* region-model-reachability.cc: Likewise
	* region-model.cc: Likewise
	* region-model.h: Likewise
	* region.cc: Likewise
	* region.h: Likewise
	* sm-fd.cc: Likewise
	* sm-malloc.cc: Likewise
	* sm-pattern-test.cc: Likewise
	* sm-signal.cc: Likewise
	* sm-taint.cc: Likewise
	* sm.cc: Likewise
	* sm.h: Likewise
	* state-purge.cc: Likewise
	* state-purge.h: Likewise
	* store.cc: Likewise
	* store.h: Likewise
	* supergraph.cc: Likewise
	* supergraph.h: Likewise
	* svalue.cc: Likewise
	* svalue.h: Likewise
	* varargs.cc: Likewise

Signed-off-by: David Malcolm <dmalcolm@redhat.com>

No functional change intended.

gcc/analyzer/ChangeLog:
	* analyzer.cc: Include "make-unique.h".  Convert "to_json"
	functions to use std::unique_ptr.
	* call-string.cc: Likewise.
	* constraint-manager.cc: Likewise.
	* diagnostic-manager.cc: Likewise.
	* engine.cc: Likewise.
	* program-point.cc: Likewise.
	* program-state.cc: Likewise.
	* ranges.cc: Likewise.
	* region-model.cc: Likewise.
	* region.cc: Likewise.
	* svalue.cc: Likewise.
	* sm.cc: Likewise.
	* store.cc: Likewise.
	* supergraph.cc: Likewise.
	* analyzer.h: Convert "to_json" functions to return
	std::unique_ptr.
	* call-string.h: Likewise.
	* constraint-manager.h: Likewise.
	(bounded_range::set_json_attr): Pass "obj" by reference.
	* diagnostic-manager.h: Convert "to_json" functions to return
	std::unique_ptr.
	* exploded-graph.h: Likewise.
	* program-point.h: Likewise.
	* program-state.h: Likewise.
	* ranges.h: Likewise.
	* region-model.h: Likewise.
	* region.h: Likewise.
	* sm.h: Likewise.
	* store.h: Likewise.
	* supergraph.h: Likewise.
	* svalue.h: Likewise.

Signed-off-by: David Malcolm <dmalcolm@redhat.com>

PR analyzer/114159 reports an ICE inside playback of call summaries
for very low values of --param=analyzer-max-svalue-depth=VAL.

Root cause is that call_summary_edge_info's ctor tries to evaluate
the function ptr of a gimple call stmt and assumes it gets a function *,
but with low values of --param=analyzer-max-svalue-depth=VAL we get
back an UNKNOWN svalue, rather than a pointer to a specific function.

Fix by adding a new call_info ctor that passes a specific
const function & from the call_summary_edge_info, rather than trying
to compute the function.

In doing so, I noticed that the analyzer was using "function *" despite
not modifying functions, and was sloppy about can-be-null versus
must-be-non-null function pointers, so I "constified" the function, and
converted the many places where the function must be non-null to be
"const function &".

gcc/analyzer/ChangeLog:
	PR analyzer/114159
	* analyzer.cc: Include "tree-dfa.h".
	(get_ssa_default_def): New decl.
	* analyzer.h (get_ssa_default_def): New.
	* call-info.cc (call_info::call_info): New ctor taking an explicit
	called_fn.
	* call-info.h (call_info::call_info): Likewise.
	* call-summary.cc (call_summary_replay::call_summary_replay):
	Convert param from function * to const function &.
	* call-summary.h (call_summary_replay::call_summary_replay):
	Likewise.
	* checker-event.h (state_change_event::get_dest_function):
	Constify return value.
	* engine.cc (point_and_state::validate): Update for conversion to
	const function &.
	(exploded_node::on_stmt): Likewise.
	(call_summary_edge_info::call_summary_edge_info): Likewise.
	Pass in called_fn to call_info ctor.
	(exploded_node::replay_call_summaries): Update for conversion to
	const function &.  Convert per_function_data from * to &.
	(exploded_node::replay_call_summary): Update for conversion to
	const function &.
	(exploded_graph::add_function_entry): Likewise.
	(toplevel_function_p): Likewise.
	(add_tainted_args_callback): Likewise.
	(exploded_graph::build_initial_worklist): Likewise.
	(exploded_graph::maybe_create_dynamic_call): Likewise.
	(maybe_update_for_edge): Likewise.
	(exploded_graph::on_escaped_function): Likewise.
	* exploded-graph.h (exploded_node::replay_call_summaries):
	Likewise.
	(exploded_node::replay_call_summary): Likewise.
	(exploded_graph::add_function_entry): Likewise.
	* program-point.cc (function_point::from_function_entry):
	Likewise.
	(program_point::from_function_entry): Likewise.
	* program-point.h (function_point::from_function_entry): Likewise.
	(program_point::from_function_entry): Likewise.
	* program-state.cc (program_state::push_frame): Likewise.
	(program_state::get_current_function): Constify return type.
	* program-state.h (program_state::push_frame): Update for
	conversion to const function &.
	(program_state::get_current_function): Likewise.
	* region-model-manager.cc
	(region_model_manager::get_frame_region): Likewise.
	* region-model-manager.h
	(region_model_manager::get_frame_region): Likewise.
	* region-model.cc (region_model::called_from_main_p): Likewise.
	(region_model::update_for_gcall): Likewise.
	(region_model::push_frame): Likewise.
	(region_model::get_current_function): Constify return type.
	(region_model::pop_frame): Update for conversion to
	const function &.
	(selftest::test_stack_frames): Likewise.
	(selftest::test_get_representative_path_var): Likewise.
	(selftest::test_state_merging): Likewise.
	(selftest::test_alloca): Likewise.
	* region-model.h (region_model::push_frame): Likewise.
	(region_model::get_current_function): Likewise.
	* region.cc (frame_region::dump_to_pp): Likewise.
	(frame_region::get_region_for_local): Likewise.
	* region.h (class frame_region): Likewise.
	* sm-signal.cc (signal_unsafe_call::describe_state_change):
	Likewise.
	(update_model_for_signal_handler): Likewise.
	(signal_delivery_edge_info_t::update_model): Likewise.
	(register_signal_handler::impl_transition): Likewise.
	* state-purge.cc (class gimple_op_visitor): Likewise.
	(state_purge_map::state_purge_map): Likewise.
	(state_purge_map::get_or_create_data_for_decl): Likewise.
	(state_purge_per_ssa_name::state_purge_per_ssa_name): Likewise.
	(state_purge_per_ssa_name::add_to_worklist): Likewise.
	(state_purge_per_ssa_name::process_point): Likewise.
	(state_purge_per_decl::add_to_worklist): Likewise.
	(state_purge_annotator::print_needed): Likewise.
	* state-purge.h
	(state_purge_map::get_or_create_data_for_decl): Likewise.
	(class state_purge_per_tree): Likewise.
	(class state_purge_per_ssa_name): Likewise.
	(class state_purge_per_decl): Likewise.
	* supergraph.cc (supergraph::dump_dot_to_pp): Likewise.
	* supergraph.h
	(supergraph::get_node_for_function_entry): Likewise.
	(supergraph::get_node_for_function_exit): Likewise.

gcc/ChangeLog:
	PR analyzer/114159
	* function.cc (function_name): Make param const.
	* function.h (function_name): Likewise.

gcc/testsuite/ChangeLog:
	PR analyzer/114159
	* c-c++-common/analyzer/call-summaries-pr114159.c: New test.

Signed-off-by: David Malcolm <dmalcolm@redhat.com>

The patch has this effect on my integration tests of -fanalyzer:

  Comparison:
    GOOD: 129        (17.70% -> 17.92%)
     BAD: 600 -> 591 (-9)

which is purely due to improvements to -Wanalyzer-deref-before-check
on the Linux kernel:

  -Wanalyzer-deref-before-check:
    GOOD: 1        (4.55% -> 7.69%)
     BAD: 21 -> 12 (-9)
     Known false positives: 16 -> 10 (-6)
       linux-5.10.162: 7 -> 1 (-6)
     Suspected false positives: 3 -> 0 (-3)
       linux-5.10.162: 3 -> 0 (-3)

gcc/analyzer/ChangeLog:
	PR analyzer/109239
	* program-point.cc: Include "analyzer/inlining-iterator.h".
	(program_point::effectively_intraprocedural_p): New function.
	* program-point.h (program_point::effectively_intraprocedural_p):
	New decl.
	* sm-malloc.cc (deref_before_check::emit): Use it when rejecting
	interprocedural cases, so that we reject interprocedural cases
	that have become intraprocedural due to inlining.

gcc/testsuite/ChangeLog:
	PR analyzer/109239
	* gcc.dg/analyzer/deref-before-check-pr109239-linux-bus.c: New test.

Signed-off-by: David Malcolm <dmalcolm@redhat.com>

With -fanalyzer-call-summaries the analyzer canl attempt to summarize
the effects of some function calls at their call site, rather than
simulate the call directly, which can avoid big slowdowns during
analysis.

Previously, this summarization was extremely simplistic: no attempt
was made to update sm-state, and region_model::update_for_call_summary
would simply set the return value of the function to UNKNOWN, and assume
the function had no side effects.

This patch implements less simplistic summarizations: it tracks each
possible return enode from the called function, and attempts to generate
a successor enode from the callsite for each that have compatible
conditions, mapping state changes in the summary to state changes
at the callsite.  It also implements the beginnings of heuristics for
generating user-facing descriptions of a summary e.g.
  "when 'foo' returns NULL"
versus:
  "when 'foo' returns a heap-allocated buffer"

This still has some bugs, but much more accurately tracks the effects
of a call, and so is an improvement; it should only have an effect
when -fanalyzer-call-summaries is enabled.

As before, -fanalyzer-call-summaries is disabled by default in
analyzer.opt (but enabled by default in the test suite).

gcc/ChangeLog:
	PR analyzer/107072
	* Makefile.in (ANALYZER_OBJS): Add analyzer/call-summary.o.

gcc/analyzer/ChangeLog:
	PR analyzer/107072
	* analyzer-logging.h: Include "diagnostic-core.h".
	* analyzer.h: Include "function.h".
	(class call_summary): New forward decl.
	(class call_summary_replay): New forward decl.
	(struct per_function_data): New forward decl.
	(struct interesting_t): New forward decl.
	(custom_edge_info::update_state): New vfunc.
	* call-info.cc (custom_edge_info::update_state): New.
	* call-summary.cc: New file.
	* call-summary.h: New file.
	* constraint-manager.cc: Include "analyzer/call-summary.h".
	(class replay_fact_visitor): New.
	(constraint_manager::replay_call_summary): New.
	* constraint-manager.h (constraint_manager::replay_call_summary):
	New.
	* engine.cc: Include "analyzer/call-summary.h".
	(exploded_node::on_stmt): Handle call summaries.
	(class call_summary_edge_info): New.
	(exploded_node::replay_call_summaries): New.
	(exploded_node::replay_call_summary): New.
	(per_function_data::~per_function_data): New.
	(per_function_data::add_call_summary): Move here from header and
	reimplement.
	(exploded_graph::process_node): Call update_state rather than
	update_model when handling bifurcation
	(viz_callgraph_node::dump_dot): Use a regular label rather
	than an HTML table; add summaries to dump.
	* exploded-graph.h: Include "alloc-pool.h", "fibonacci_heap.h",
	"supergraph.h", "sbitmap.h", "shortest-paths.h", "analyzer/sm.h",
	"analyzer/program-state.h", and "analyzer/diagnostic-manager.h".
	(exploded_node::replay_call_summaries): New decl.
	(exploded_node::replay_call_summary): New decl.
	(per_function_data::~per_function_data): New decl.
	(per_function_data::add_call_summary): Move implemention from
	header.
	(per_function_data::m_summaries): Update type of element.
	* known-function-manager.h: Include "analyzer/analyzer-logging.h".
	* program-point.h: Include "pretty-print.h" and
	"analyzer/call-string.h".
	* program-state.cc: Include "analyzer/call-summary.h".
	(sm_state_map::replay_call_summary): New.
	(program_state::replay_call_summary): New.
	* program-state.h (sm_state_map::replay_call_summary): New decl.
	(program_state::replay_call_summary): New decl.
	* region-model-manager.cc
	(region_model_manager::get_or_create_asm_output_svalue): New
	overload.
	* region-model-manager.h
	(region_model_manager::get_or_create_asm_output_svalue): New
	overload decl.
	* region-model.cc: Include "analyzer/call-summary.h".
	(region_model::maybe_update_for_edge): Remove call to
	region_model::update_for_call_summary on
	SUPEREDGE_INTRAPROCEDURAL_CALL.
	(region_model::update_for_call_summary): Delete.
	(region_model::replay_call_summary): New.
	* region-model.h (region_model::replay_call_summary): New decl.
	(region_model::update_for_call_summary): Delete decl.
	* store.cc: Include "analyzer/call-summary.h".
	(store::replay_call_summary): New.
	(store::replay_call_summary_cluster): New.
	* store.h: Include "tristate.h".
	(is_a_helper <const ana::concrete_binding *>::test): New.
	(store::replay_call_summary): New decl.
	(store::replay_call_summary_cluster): New decl.
	* supergraph.cc (get_ultimate_function_for_cgraph_edge): Remove
	"static" from decl.
	(supergraph_call_edge): Make stmt param const.
	* supergraph.h: Include "ordered-hash-map.h", "cfg.h",
	"basic-block.h", "gimple.h", "gimple-iterator.h", and "digraph.h".
	(supergraph_call_edge): Make stmt param const.
	(get_ultimate_function_for_cgraph_edge): New decl.
	* svalue.cc (compound_svalue::compound_svalue): Assert that we're
	not nesting compound_svalues.
	* svalue.h: Include "json.h", "analyzer/store.h", and
	"analyzer/program-point.h".
	(asm_output_svalue::get_num_outputs): New accessor.

gcc/testsuite/ChangeLog:
	PR analyzer/107072
	* gcc.dg/analyzer/call-summaries-2.c: New test.
	* gcc.dg/analyzer/call-summaries-3.c: New test.
	* gcc.dg/analyzer/call-summaries-asm-x86.c: New test.
	* gcc.dg/analyzer/call-summaries-malloc.c: New test.
	* gcc.dg/analyzer/call-summaries-pr107072.c: New test.

Signed-off-by: David Malcolm <dmalcolm@redhat.com>

ana::call_string is a wrapper around an auto_vec of callsites, leading
to non-trivial copying when copying around call_string instances, e.g.
in ana::program_point.

This patch consolidates call_string instances within the
region_model_manager: it now owns the root/empty call_string, and
each call_string instance tracks its children, lazily creating them on
demand, so that the call_string instances form a tree-like hierarchy in
memory.  Doing this requires passing the region_model_manager to the
various program_point factory methods, so that they can get at the root
call_string.

Instances of call_string become immutable (apart from their internal
cache for looking up their children); operations that previously
modified them now return the call_string for the result of the
operation.

I wasn't able to observe any performance impact of this, but it
simplifies call_string and program_point management, and thus I hope
will make it easier to improve call summarization.  In particular,
region_model_manager::log_stats will now print a hierarchical dump of
all the call_string instances used in the analysis (in -fdump-analyzer
and -fdump-analyzer-stderr).

gcc/analyzer/ChangeLog:
	* call-string.cc: Add includes of "analyzer/analyzer.h"
	and "analyzer/analyzer-logging.h".
	(call_string::call_string): Delete copy ctor.
	(call_string::operator=): Delete.
	(call_string::operator==): Delete.
	(call_string::hash): Delete.
	(call_string::push_call): Make const, returning the resulting
	call_string.
	(call_string::pop): Delete.
	(call_string::cmp_ptr_ptr): New.
	(call_string::validate): Assert that m_parent is non-NULL, or
	m_elements is empty.
	(call_string::call_string): Move default ctor here from
	call-string.h and reimplement.  Add ctor taking a parent
	and an element.
	(call_string::~call_string): New.
	(call_string::recursive_log): New.
	* call-string.h (call_string::call_string): Move default ctor's
	defn to call-string.cc.  Delete copy ctor.  Add ctor taking a
	parent and an element.
	(call_string::operator=): Delete.
	(call_string::operator==): Delete.
	(call_string::hash): Delete.
	(call_string::push_call): Make const, returning the resulting
	call_string.
	(call_string::pop): Delete decl.
	(call_string::get_parent): New.
	(call_string::cmp_ptr_ptr): New decl.
	(call_string::get_top_of_stack): New.
	(struct call_string::hashmap_traits_t): New.
	(class call_string): Add friend class region_model_manager.  Add
	DISABLE_COPY_AND_ASSIGN.
	(call_string::~call_string): New decl.
	(call_string::recursive_log): New decl.
	(call_string::m_parent): New field.
	(call_string::m_children): New field.
	* constraint-manager.cc (selftest::test_many_constants): Pass
	model manager to program_point::origin.
	* engine.cc (exploded_graph::exploded_graph): Likewise.
	(exploded_graph::add_function_entry): Likewise for
	program_point::from_function_entry.
	(add_tainted_args_callback): Likewise.
	(exploded_graph::maybe_process_run_of_before_supernode_enodes):
	Update for change to program_point.get_call_string.
	(exploded_graph::process_node): Likewise.
	(class function_call_string_cluster): Convert m_cs from a
	call_string to a const call_string &.
	(struct function_call_string): Likewise.
	(pod_hash_traits<function_call_string>::hash): Use pointer_hash
	for m_cs.
	(pod_hash_traits<function_call_string>::equal): Update for change
	to m_cs.
	(root_cluster::add_node): Update for change to
	function_call_string.
	(viz_callgraph_node::dump_dot): Update for change to call_string.
	* exploded-graph.h (per_call_string_data::m_key): Convert to a
	reference.
	(struct eg_call_string_hash_map_traits): Delete.
	(exploded_graph::call_string_data_map_t): Remove traits class.
	* program-point.cc: Move include of "analyzer/call-string.h" to
	after "analyzer/analyzer-logging.h".
	(program_point::print): Update for conversion of m_call_string to
	a pointer.
	(program_point::to_json): Likewise.
	(program_point::push_to_call_stack): Update for immutability of
	call strings.
	(program_point::pop_from_call_stack): Likewise.
	(program_point::hash): Use pointer hashing for m_call_string.
	(program_point::get_function_at_depth): Update for change to
	m_call_string.
	(program_point::validate): Update for changes to call_string.
	(program_point::on_edge): Likewise.
	(program_point::origin): Move here from call-string.h.  Add
	region_model_manager param and use it to get empty call string.
	(program_point::from_function_entry): Likewise.
	(selftest::test_function_point_ordering): Likewise.
	(selftest::test_function_point_ordering): Likewise.
	* program-point.h (program_point::program_point): Update for
	change to m_call_string.
	(program_point::get_call_string): Likewise.
	(program_point::get_stack_depth): Likewise.
	(program_point::origin): Add region_model_manager param, and move
	defn to call-string.cc.
	(program_point::from_function_entry): Likewise.
	(program_point::empty): Drop call_string.
	(program_point::deleted): Likewise.
	(program_point::program_point): New private ctor.
	(program_point::m_call_string): Convert from call_string to const
	call_string *.
	* program-state.cc (selftest::test_program_state_merging): Update
	for call_string changes.
	(selftest::test_program_state_merging_2): Likewise.
	* region-model-manager.cc
	(region_model_manager::region_model_manager): Construct
	m_empty_call_string.
	(region_model_manager::log_stats): Log the call strings.
	* region-model.cc (assert_region_models_merge): Pass the
	region_model_manager when creating program_point instances.
	(selftest::test_state_merging): Likewise.
	(selftest::test_constraint_merging): Likewise.
	(selftest::test_widening_constraints): Likewise.
	(selftest::test_iteration_1): Likewise.
	* region-model.h (region_model_manager::get_empty_call_string):
	New.
	(region_model_manager::m_empty_call_string): New.
	* sm-signal.cc (register_signal_handler::impl_transition): Update
	for changes to call_string.

Signed-off-by: David Malcolm <dmalcolm@redhat.com>

I found this extension to -fdump-analyzer-feasibility very helpful when
debugging PR analyzer/105285.

gcc/analyzer/ChangeLog:
	* diagnostic-manager.cc (epath_finder::process_worklist_item):
	Call dump_feasible_path when a path that reaches the the target
	enode is found.
	(epath_finder::dump_feasible_path): New.
	* engine.cc (feasibility_state::dump_to_pp): New.
	* exploded-graph.h (feasibility_state::dump_to_pp): New decl.
	* feasible-graph.cc (feasible_graph::dump_feasible_path): New.
	* feasible-graph.h (feasible_graph::dump_feasible_path): New
	decls.
	* program-point.cc (function_point::print): Fix missing trailing
	newlines.
	* program-point.h (program_point::print_source_line): Remove
	unimplemented decl.

gcc/ChangeLog:
	* doc/invoke.texi (-fdump-analyzer-feasibility): Mention the
	fpath.txt output.

Signed-off-by: David Malcolm <dmalcolm@redhat.com>