OpenGrok

2025-05-23  Release Manager

	* GCC 14.3.0 released.

2024-11-20  David Malcolm  <dmalcolm (a] redhat.com>

	Backported from master:
	2024-07-04  David Malcolm  <dmalcolm (a] redhat.com>

	PR analyzer/115724
	* kf.cc (register_known_functions): Add __error_alias and
	__error_at_line_alias.

2024-11-20  David Malcolm  <dmalcolm (a] redhat.com>

	Backported from master:
	2024-05-03  David Malcolm  <dmalcolm (a] redhat.com>

	PR analyzer/111475
	* analyzer.cc (is_special_named_call_p): Add "look_in_std" param.
	(is_std_function_p): Make non-static.
	* analyzer.h (is_special_named_call_p): Add optional "look_in_std"
	param.
	(is_std_function_p): New decl.
	* engine.cc (stmt_requires_new_enode_p): Look for both "signal"
	and "std::signal".
	* kf.cc (register_known_functions): Add various "std::" copies
	of the known functions.
	* known-function-manager.cc
	(known_function_manager::~known_function_manager): Clean up
	m_std_ns_map_id_to_kf.
	(known_function_manager::add_std_ns): New.
	(known_function_manager::get_match): Also look for known "std::"
	functions.
	(known_function_manager::get_by_identifier_in_std_ns): New.
	* known-function-manager.h
	(known_function_manager::add_std_ns): New decl.
	(known_function_manager::get_by_identifier_in_std_ns): New decl.
	(known_function_manager::m_std_ns_map_id_to_kf): New field.
	* sm-file.cc (register_known_file_functions): Add various "std::"
	copies of the known functions.
	* sm-malloc.cc (malloc_state_machine::on_stmt): Handle
	"std::realloc".
	* sm-signal.cc (signal_unsafe_p): Consider "std::" copies of the
	functions as also being async-signal-unsafe.
	(signal_state_machine::on_stmt): Consider "std::signal".

2024-08-01  Release Manager

	* GCC 14.2.0 released.

2024-07-19  Daniel Bertalan  <dani (a] danielbertalan.dev>

	Backported from master:
	2024-07-12  Daniel Bertalan  <dani (a] danielbertalan.dev>

	* diagnostic-manager.cc (saved_diagnostic::saved_diagnostic):
	Change NULL to nullptr.
	(struct null_assignment_sm_context): Likewise.
	* infinite-loop.cc: Likewise.
	* infinite-recursion.cc: Likewise.
	* varargs.cc (va_list_state_machine::on_leak): Likewise.

2024-07-18  David Malcolm  <dmalcolm (a] redhat.com>

	Backported from master:
	2024-05-15  David Malcolm  <dmalcolm (a] redhat.com>

	PR analyzer/114899
	* access-diagram.cc
	(written_svalue_spatial_item::get_label_string): Bulletproof
	against SSA_NAME_VAR being null.

2024-05-07  Release Manager

	* GCC 14.1.0 released.

2024-04-12  Stefan Schulze Frielinghaus  <stefansf (a] linux.ibm.com>

	* region-model.cc (region_model::check_region_size): Bail out
	early on function pointers.

2024-04-10  David Malcolm  <dmalcolm (a] redhat.com>

	PR analyzer/114472
	* access-diagram.cc (bit_size_expr::maybe_get_formatted_str):
	Reject attempts to print sizes that are too large.
	* region.cc (region_offset::calc_symbolic_bit_offset): Use a
	typeless svalue for the bit offset.
	* store.cc (bit_range::intersects_p): Replace assertion with
	test.
	(bit_range::exceeds_p): Likewise.
	(bit_range::falls_short_of_p): Likewise.

2024-04-10  David Malcolm  <dmalcolm (a] redhat.com>

	* infinite-loop.cc: Include "diagnostic-format-sarif.h".
	(infinite_loop::to_json): New.
	(infinite_loop_diagnostic::maybe_add_sarif_properties): New.

2024-04-10  David Malcolm  <dmalcolm (a] redhat.com>

	* infinite-recursion.cc: Include "diagnostic-format-sarif.h".
	(infinite_recursion_diagnostic::maybe_add_sarif_properties): New.

2024-04-10  David Malcolm  <dmalcolm (a] redhat.com>

	* call-details.cc: Include "diagnostic-format-sarif.h".
	(overlapping_buffers::overlapping_buffers): Add params for new
	fields.
	(overlapping_buffers::maybe_add_sarif_properties): New.
	(overlapping_buffers::m_byte_range_a): New field.
	(overlapping_buffers::byte_range_b): New field.
	(overlapping_buffers::m_num_bytes_read_sval): New field.
	(call_details::complain_about_overlap): Pass new params to
	overlapping_buffers ctor.
	* ranges.cc (symbolic_byte_offset::to_json): New.
	(symbolic_byte_range::to_json): New.
	* ranges.h (symbolic_byte_offset::to_json): New decl.
	(symbolic_byte_range::to_json): New decl.

2024-04-10  David Malcolm  <dmalcolm (a] redhat.com>

	* sm-taint.cc (tainted_allocation_size::tainted_allocation_size):
	Add "size_in_bytes" param.
	(tainted_allocation_size::maybe_add_sarif_properties): New.
	(tainted_allocation_size::m_size_in_bytes): New field.
	(region_model::check_dynamic_size_for_taint): Pass size_in_bytes
	to tainted_allocation_size ctor.

2024-04-09  Jakub Jelinek  <jakub (a] redhat.com>

	* analyzer.opt (Wanalyzer-undefined-behavior-strtok): Fix duplicated
	words; in in -> in.
	* program-state.cc (sm_state_map::replay_call_summary): Fix duplicated
	words in comment; to to -> to.
	(program_state::replay_call_summary): Likewise.
	* region-model.cc (region_model::replay_call_summary): Likewise.

2024-04-05  David Malcolm  <dmalcolm (a] redhat.com>

	PR analyzer/114588
	* access-diagram.cc (access_diagram_impl::access_diagram_impl):
	Replace hardcoded colors for valid_style and invalid_style with
	calls to text_art::get_style_from_color_cap_name.

2024-04-02  David Malcolm  <dmalcolm (a] redhat.com>

	* region-model-manager.cc (maybe_undo_optimize_bit_field_compare):
	Guard against null types.
	* region-model.cc (apply_constraints_for_gswitch): Likewise.

2024-03-27  David Malcolm  <dmalcolm (a] redhat.com>

	PR analyzer/114473
	* call-summary.cc
	(call_summary_replay::convert_svalue_from_summary): Assert that
	the types match.
	(call_summary_replay::convert_region_from_summary): Likewise.
	(call_summary_replay::convert_region_from_summary_1): Add missing
	cast for the deref of RK_SYMBOLIC case.

2024-03-23  David Malcolm  <dmalcolm (a] redhat.com>

	PR analyzer/114408
	* engine.cc (impl_run_checkers): Free up any dominance info that
	we may have created.
	* kf.cc (class kf_ubsan_handler): New.
	(register_sanitizer_builtins): New.
	(register_known_functions): Call register_sanitizer_builtins.

2024-03-22  David Malcolm  <dmalcolm (a] redhat.com>

	PR analyzer/112974
	PR analyzer/112975
	* sm-taint.cc (taint_state_machine::on_condition): Strip away
	casts before considering LHS and RHS, to increase the chance of
	detecting places where sanitization of a value may have happened.

2024-03-22  David Malcolm  <dmalcolm (a] redhat.com>

	* sm-taint.cc: Include "diagnostic-format-sarif.h".
	(bounds_to_str): New.
	(taint_diagnostic::maybe_add_sarif_properties): New.
	(tainted_offset::tainted_offset): Add "offset" param.
	(tainted_offset::maybe_add_sarif_properties): New.
	(tainted_offset::m_offset): New.
	(region_model::check_region_for_taint): Pass offset to
	tainted_offset ctor.

2024-03-21  David Malcolm  <dmalcolm (a] redhat.com>

	PR analyzer/113619
	* region-model.cc (region_model::eval_condition): Fix
	cast-handling from r14-3632-ge7b267444045c5 so that if those give
	an unknown result, we continue trying the constraint manager.

2024-03-20  David Malcolm  <dmalcolm (a] redhat.com>

	PR analyzer/109251
	* sm-malloc.cc (deref_before_check::emit): Reject cases where the
	check is in a loop header within a macro expansion.
	(deref_before_check::loop_header_p): New.

2024-03-20  Jakub Jelinek  <jakub (a] redhat.com>

	* constraint-manager.cc (test_range, test_constraint_conditions,
	test_constant_comparisons, test_constraint_impl, test_purging,
	test_bits): Use integer_zero_node instead of
	build_zero_cst (integer_type_node) or
	build_int_cst (integer_type_node, 0) and integer_one_node instead of
	build_int_cst (integer_type_node, 1).
	* region-model.cc (region_model::get_store_value,
	append_interesting_constants, test_array_1,
	test_get_representative_tree, test_unique_constants, test_assignment,
	test_stack_frames, test_constraint_merging, test_widening_constraints,
	test_iteration_1, test_array_2): Likewise.

2024-03-19  Jakub Jelinek  <jakub (a] redhat.com>

	PR analyzer/113505
	* region-model.cc (get_tree_for_byte_offset,
	region_model::get_representative_path_var_1,
	test_mem_ref, test_POINTER_PLUS_EXPR_then_MEM_REF): Use
	char __attribute__((may_alias)) * as type of MEM_REF second argument.

2024-03-19  David Malcolm  <dmalcolm (a] redhat.com>

	PR analyzer/114286
	* kf.cc (class kf_atomic_exchange): Reimplement based on signature
	seen in gimple, rather than user-facing signature.
	(class kf_atomic_load): Likewise.
	(class kf_atomic_store): New.
	(register_atomic_builtins): Register kf_atomic_store.

2024-03-18  David Malcolm  <dmalcolm (a] redhat.com>

	PR analyzer/110902
	PR analyzer/110928
	PR analyzer/111305
	PR analyzer/111441
	* access-diagram.cc: Include "analyzer/analyzer-selftests.h".
	(get_access_size_str): Reimplement for conversion of
	implmementation of bit_size_expr from tree to const svalue &.  Use
	svalue::maybe_print_for_user rather than tree printing routines.
	(remove_ssa_names): Make non-static.
	(bit_size_expr::get_formatted_str): Rename to...
	(bit_size_expr::maybe_get_formatted_str): ...this, adding "model"
	param and converting return type to a unique_ptr.  Update for
	conversion of implementation of bit_size_expr from tree to
	const svalue &.  Use svalue::maybe_print_for_user rather than tree
	printing routines.
	(bit_size_expr::print): Rename to...
	(bit_size_expr::maybe_print_for_user): ...this, adding "model"
	param and converting return type to bool.  Update for
	conversion of implementation of bit_size_expr from tree to
	const svalue &.  Use svalue::maybe_print_for_user rather than tree
	printing routines.
	(bit_size_expr::maybe_get_as_bytes): Add "mgr" param and convert
	return type from tree to const svalue *; reimplement.
	(access_range::access_range): Call strip_types when on region_offset
	intializations.
	(access_range::get_size): Update for conversion of implementation
	of bit_size_expr from tree to const svalue &.
	(access_operation::get_valid_bits): Pass manager to access_range
	ctor.
	(access_operation::maybe_get_invalid_before_bits): Likewise.
	(access_operation::maybe_get_invalid_after_bits): Likewise.
	(boundaries::add): Likewise.
	(bit_to_table_map::populate): Add "mgr" param and pass it to
	access_range ctor.
	(access_diagram_impl::access_diagram_impl): Pass manager to
	bit_to_table_map::populate.
	(access_diagram_impl::maybe_add_gap): Use svalue rather than tree
	for symbolic bit offsets.  Port to new bit_size_expr
	representation.
	(access_diagram_impl::add_valid_vs_invalid_ruler): Port to new
	bit_size_expr representation.
	(selftest::assert_eq_typeless_integer): New.
	(ASSERT_EQ_TYPELESS_INTEGER): New.
	(selftest::test_bit_size_expr_to_bytes): New.
	(selftest::analyzer_access_diagram_cc_tests): New.
	* access-diagram.h (class bit_size_expr): Reimplement, converting
	implementation from tree to const svalue &.
	(access_range::access_range): Add "mgr" param.  Call strip_types
	on region_offset initializations.
	(access_range::get_size): Update decl for reimplementation.
	* analyzer-selftests.cc (selftest::run_analyzer_selftests): Call
	selftest::analyzer_access_diagram_cc_tests.
	* analyzer-selftests.h
	(selftest::analyzer_checker_script_cc_tests): Delete this stray
	typo.
	(selftest::analyzer_access_diagram_cc_tests): New decl.
	* analyzer.h (print_expr_for_user): New decl.
	(calc_symbolic_bit_offset): Update decl for reimplementation.
	(strip_types): New decls.
	(remove_ssa_names): New decl.
	* bounds-checking.cc (strip_types): New.
	(region_model::check_symbolic_bounds): Use typeless svalues.
	* region-model-manager.cc
	(region_model_manager::get_or_create_constant_svalue): Add "type"
	param.  Add overload with old signature.
	(region_model_manager::get_or_create_int_cst): Support type being
	NULL_TREE.
	(region_model_manager::maybe_fold_unaryop): Gracefully reject folding
	of casts to NULL_TREE type.
	(get_code_for_cast): Use NOP_EXPR for "casting" svalues to
	NULL_TREE type.
	(region_model_manager::get_or_create_cast): Support "casting"
	svalues to NULL_TREE type.
	(region_model_manager::maybe_fold_binop): Don't crash on inputs
	with NULL_TREE type.  Handle folding of binops on constants with
	NULL_TREE type.  Add missing cast from PR analyzer/110902.
	Support enough folding of other ops on NULL_TREE type to support
	bounds checking.
	(region_model_manager::get_or_create_const_fn_result_svalue):
	Remove assertion that type is nonnull.
	* region-model-manager.h
	(region_model_manager::get_or_create_constant_svalue): Add
	overloaded decl taking a type.
	(region_model_manager::maybe_fold_binop): Make public.
	(region_model_manager::constants_map_t): Use
	constant_svalue::key_t for the key, rather than just tree.
	* region-model.cc (print_expr_for_user): New.
	(selftest::test_array_2): Handle casts.
	* region.cc (region_offset::calc_symbolic_bit_offset): Return
	const svalue & rather than tree, and reimplement accordingly.
	(region::calc_offset): Use ptrdiff_type_node for types of byte
	offsets.
	(region::maybe_print_for_user): New.
	(element_region::get_relative_symbolic_offset): Use NULL_TREE for
	types of bit offsets.
	(offset_region::get_bit_offset): Likewise.
	(sized_region::get_bit_size_sval): Likewise for bit sizes.
	* region.h (region::maybe_print_for_user): New decl.
	* svalue.cc (class auto_add_parens): New.
	(svalue::maybe_print_for_user): New.
	(svalue::cmp_ptr): Support typeless constant svalues.
	(tristate_from_boolean_tree_node): New, taken from...
	(constant_svalue::eval_condition): ...here.  Handle comparison of
	typeless integer svalue constants.
	* svalue.h (svalue::maybe_print_for_user): New decl.
	(class constant_svalue): Support the type of the svalue being
	NULL_TREE.
	(struct default_hash_traits<constant_svalue::key_t>): New.

2024-03-18  David Malcolm  <dmalcolm (a] redhat.com>

	* access-diagram.cc (remove_ssa_names): Support operands being
	NULL_TREE, such as e.g. for COMPONENT_REF's operand 2.

2024-03-07  Jakub Jelinek  <jakub (a] redhat.com>

	* access-diagram.cc: Include diagnostic-core.h before including
	diagnostic.h or diagnostic-path.h.
	* sm-malloc.cc: Likewise.
	* diagnostic-manager.cc: Likewise.
	* call-summary.cc: Likewise.
	* record-layout.cc: Likewise.

2024-02-29  David Malcolm  <dmalcolm (a] redhat.com>

	PR analyzer/114159
	* analyzer.cc: Include "tree-dfa.h".
	(get_ssa_default_def): New decl.
	* analyzer.h (get_ssa_default_def): New.
	* call-info.cc (call_info::call_info): New ctor taking an explicit
	called_fn.
	* call-info.h (call_info::call_info): Likewise.
	* call-summary.cc (call_summary_replay::call_summary_replay):
	Convert param from function * to const function &.
	* call-summary.h (call_summary_replay::call_summary_replay):
	Likewise.
	* checker-event.h (state_change_event::get_dest_function):
	Constify return value.
	* engine.cc (point_and_state::validate): Update for conversion to
	const function &.
	(exploded_node::on_stmt): Likewise.
	(call_summary_edge_info::call_summary_edge_info): Likewise.
	Pass in called_fn to call_info ctor.
	(exploded_node::replay_call_summaries): Update for conversion to
	const function &.  Convert per_function_data from * to &.
	(exploded_node::replay_call_summary): Update for conversion to
	const function &.
	(exploded_graph::add_function_entry): Likewise.
	(toplevel_function_p): Likewise.
	(add_tainted_args_callback): Likewise.
	(exploded_graph::build_initial_worklist): Likewise.
	(exploded_graph::maybe_create_dynamic_call): Likewise.
	(maybe_update_for_edge): Likewise.
	(exploded_graph::on_escaped_function): Likewise.
	* exploded-graph.h (exploded_node::replay_call_summaries):
	Likewise.
	(exploded_node::replay_call_summary): Likewise.
	(exploded_graph::add_function_entry): Likewise.
	* program-point.cc (function_point::from_function_entry):
	Likewise.
	(program_point::from_function_entry): Likewise.
	* program-point.h (function_point::from_function_entry): Likewise.
	(program_point::from_function_entry): Likewise.
	* program-state.cc (program_state::push_frame): Likewise.
	(program_state::get_current_function): Constify return type.
	* program-state.h (program_state::push_frame): Update for
	conversion to const function &.
	(program_state::get_current_function): Likewise.
	* region-model-manager.cc
	(region_model_manager::get_frame_region): Likewise.
	* region-model-manager.h
	(region_model_manager::get_frame_region): Likewise.
	* region-model.cc (region_model::called_from_main_p): Likewise.
	(region_model::update_for_gcall): Likewise.
	(region_model::push_frame): Likewise.
	(region_model::get_current_function): Constify return type.
	(region_model::pop_frame): Update for conversion to
	const function &.
	(selftest::test_stack_frames): Likewise.
	(selftest::test_get_representative_path_var): Likewise.
	(selftest::test_state_merging): Likewise.
	(selftest::test_alloca): Likewise.
	* region-model.h (region_model::push_frame): Likewise.
	(region_model::get_current_function): Likewise.
	* region.cc (frame_region::dump_to_pp): Likewise.
	(frame_region::get_region_for_local): Likewise.
	* region.h (class frame_region): Likewise.
	* sm-signal.cc (signal_unsafe_call::describe_state_change):
	Likewise.
	(update_model_for_signal_handler): Likewise.
	(signal_delivery_edge_info_t::update_model): Likewise.
	(register_signal_handler::impl_transition): Likewise.
	* state-purge.cc (class gimple_op_visitor): Likewise.
	(state_purge_map::state_purge_map): Likewise.
	(state_purge_map::get_or_create_data_for_decl): Likewise.
	(state_purge_per_ssa_name::state_purge_per_ssa_name): Likewise.
	(state_purge_per_ssa_name::add_to_worklist): Likewise.
	(state_purge_per_ssa_name::process_point): Likewise.
	(state_purge_per_decl::add_to_worklist): Likewise.
	(state_purge_annotator::print_needed): Likewise.
	* state-purge.h
	(state_purge_map::get_or_create_data_for_decl): Likewise.
	(class state_purge_per_tree): Likewise.
	(class state_purge_per_ssa_name): Likewise.
	(class state_purge_per_decl): Likewise.
	* supergraph.cc (supergraph::dump_dot_to_pp): Likewise.
	* supergraph.h
	(supergraph::get_node_for_function_entry): Likewise.
	(supergraph::get_node_for_function_exit): Likewise.

2024-02-27  David Malcolm  <dmalcolm (a] redhat.com>

	PR analyzer/110483
	PR analyzer/111802
	* access-diagram.cc
	(string_literal_spatial_item::add_column_for_byte): Use %wu for
	printing unsigned HOST_WIDE_INT.

2024-02-27  David Malcolm  <dmalcolm (a] redhat.com>

	PR analyzer/111881
	* constraint-manager.cc (bound::ensure_closed): Assert that
	m_constant has integral type.
	(range::add_bound): Bail out on floating point constants.

2024-02-21  David Malcolm  <dmalcolm (a] redhat.com>

	PR analyzer/113999
	* analyzer.h (get_string_cst_size): New decl.
	* region-model-manager.cc (get_string_cst_size): New.
	(region_model_manager::maybe_get_char_from_string_cst): Treat
	single-byte accesses within string_cst but beyond
	TREE_STRING_LENGTH as being 0.
	* region-model.cc (string_cst_has_null_terminator): Likewise.

2024-02-21  David Malcolm  <dmalcolm (a] redhat.com>

	PR analyzer/113998
	* ranges.cc (symbolic_byte_range::intersection): Handle empty ranges.
	(selftest::test_intersects): Add test coverage for empty ranges.

2024-02-19  David Malcolm  <dmalcolm (a] redhat.com>

	PR analyzer/111289
	* varargs.cc (representable_in_integral_type_p): New.
	(va_arg_compatible_types_p): Add "arg_sval" param.  Handle integer
	types.
	(kf_va_arg::impl_call_pre): Pass arg_sval to
	va_arg_compatible_types_p.

2024-02-19  Andrew Pinski  <quic_apinski (a] quicinc.com>

	PR analyzer/113983
	* region-model-manager.cc (maybe_undo_optimize_bit_field_compare): Reject
	non integral types.

2024-02-15  David Malcolm  <dmalcolm (a] redhat.com>

	PR analyzer/111266
	* region.cc (offset_region::get_byte_size_sval): Delete.
	(offset_region::get_bit_size_sval): Delete.
	* region.h (region::get_byte_size): Add comment clarifying that
	this relates to the size of the access, rather than the size
	that's valid to access.
	(region::get_bit_size): Likewise.
	(region::get_byte_size_sval): Likewise.
	(region::get_bit_size_sval): Likewise.
	(offset_region::get_byte_size_sval): Delete.
	(offset_region::get_bit_size_sval): Delete.

2024-02-13  David Malcolm  <dmalcolm (a] redhat.com>

	* pending-diagnostic.cc (diagnostic_emission_context::warn):
	Update for renaming of emit_diagnostic_valist overload to
	emit_diagnostic_valist_meta.
	(diagnostic_emission_context::inform): Likewise.

2024-01-31  David Malcolm  <dmalcolm (a] redhat.com>

	PR analyzer/113253
	* region-model.cc (region_model::on_stmt_pre): Add gcc_unreachable
	for debug statements.
	* state-purge.cc
	(state_purge_per_ssa_name::state_purge_per_ssa_name): Skip any
	debug stmts in the FOR_EACH_IMM_USE_FAST list.
	* supergraph.cc (supergraph::supergraph): Don't add debug stmts
	to the supernodes.

2024-01-31  David Malcolm  <dmalcolm (a] redhat.com>

	PR analyzer/113509
	* checker-event.cc (state_change_event::get_desc): Don't assume
	"var" is non-NULL.

2024-01-30  David Malcolm  <dmalcolm (a] redhat.com>

	PR analyzer/113654
	* region-model.cc (is_round_up): New.
	(is_multiple_p): New.
	(is_dubious_capacity): New.
	(region_model::check_region_size): Move usage of size_visitor into
	is_dubious_capacity.

2024-01-30  David Malcolm  <dmalcolm (a] redhat.com>

	* region-model.cc
	(dubious_allocation_size::dubious_allocation_size): Add
	"capacity_sval" param.  Drop unused ctor.
	(dubious_allocation_size::maybe_add_sarif_properties): New.
	(dubious_allocation_size::m_capacity_sval): New field.
	(region_model::check_region_size): Pass capacity svalue to
	dubious_allocation_size ctor.

2024-01-25  David Malcolm  <dmalcolm (a] redhat.com>

	PR analyzer/112969
	* store.cc (binding_cluster::maybe_get_compound_binding): When
	populating default_map, express the bit-range of the default key
	for REG relative to REG, rather than to the base region.

2024-01-24  David Malcolm  <dmalcolm (a] redhat.com>

	PR analyzer/112977
	* engine.cc (impl_region_model_context::on_liveness_change): Pass
	m_ext_state to sm_state_map::on_liveness_change.
	* program-state.cc (sm_state_map::on_svalue_leak): Guard removal
	of map entry based on can_purge_p.
	(sm_state_map::on_liveness_change): Add ext_state param.  Add
	workaround for bad interaction between state purging and
	alt-inherited sm-state.
	* program-state.h (sm_state_map::on_liveness_change): Add
	ext_state param.
	* sm-taint.cc
	(taint_state_machine::has_alt_get_inherited_state_p): New.
	(taint_state_machine::can_purge_p): Return false for "has_lb" and
	"has_ub".
	* sm.h (state_machine::has_alt_get_inherited_state_p): New vfunc.

2024-01-18  David Malcolm  <dmalcolm (a] redhat.com>

	PR analyzer/111361
	* region-model.cc (svalue_byte_range_has_null_terminator_1): The
	initial byte of an all-zeroes SVAL is a zero byte.  Remove
	gcc_unreachable from SK_CONSTANT for constants that aren't
	STRING_CST or INTEGER_CST.

2024-01-18  David Malcolm  <dmalcolm (a] redhat.com>

	PR analyzer/112811
	* region-model.cc (fragment::dump_to_pp): New.
	(fragment::has_null_terminator): Convert to...
	(svalue_byte_range_has_null_terminator_1): ...this new function,
	updating to use a byte_range relative to the start of the svalue.
	(svalue_byte_range_has_null_terminator): New.
	(fragment::string_cst_has_null_terminator): Convert to...
	(string_cst_has_null_terminator): ...this, updating to use a
	byte_range relative to the start of the svalue.
	(iterable_cluster::dump_to_pp): New.
	(region_model::scan_for_null_terminator): Add logging, moving body
	to...
	(region_model::scan_for_null_terminator_1): ...this new function,
	adding more logging, and updating to use
	svalue_byte_range_has_null_terminator.
	* region-model.h (region_model::scan_for_null_terminator_1): New
	decl.

2024-01-16  David Malcolm  <dmalcolm (a] redhat.com>

	PR analyzer/106229
	* analyzer.h (compare_constants): New decl.
	* constraint-manager.cc (compare_constants): Make non-static.
	* sm-taint.cc: Add include "fold-const.h".
	(class concrete_range): New.
	(get_possible_range): New.
	(index_can_be_out_of_bounds_p): New.
	(region_model::check_region_for_taint): Reject
	-Wanalyzer-tainted-array-index if the type of the value makes it
	impossible for it to be out-of-bounds of the array.

2024-01-16  David Malcolm  <dmalcolm (a] redhat.com>

	PR analyzer/113333
	* region-model-manager.cc
	(region_model_manager::maybe_fold_unaryop): Casting all zeroes
	should give all zeroes.

2024-01-04  David Malcolm  <dmalcolm (a] redhat.com>

	* analyzer.opt.urls: New file, autogenerated by
	regenerate-opt-urls.py.

2024-01-04  David Malcolm  <dmalcolm (a] redhat.com>

	* checker-event.cc: Include "diagnostic-format-sarif.h" and
	"tree-logical-location.h".
	(checker_event::maybe_add_sarif_properties): New.
	(superedge_event::maybe_add_sarif_properties): New.
	(superedge_event::superedge_event): Add comment.
	* checker-event.h (checker_event::maybe_add_sarif_properties): New
	decl.
	(superedge_event::maybe_add_sarif_properties): New decl.

2024-01-04  David Malcolm  <dmalcolm (a] redhat.com>

	PR analyzer/112790
	* checker-event.cc (class inlining_info): Move to...
	* inlining-iterator.h (class inlining_info): ...here.
	* sm-malloc.cc: Include "analyzer/inlining-iterator.h".
	(maybe_complain_about_deref_before_check): Reject stmts that were
	inlined from another function.

2024-01-04  David Malcolm  <dmalcolm (a] redhat.com>

	PR analyzer/113222
	* access-diagram.cc (valid_region_spatial_item::add_boundaries):
	Handle TYPE_DOMAIN being null.
	(valid_region_spatial_item::add_array_elements_to_table):
	Likewise.

2023-12-16  David Malcolm  <dmalcolm (a] redhat.com>

	* analyzer.cc: Include "tree-pretty-print.h" and
	"diagnostic-event-id.h".
	(tree_to_json): New.
	(diagnostic_event_id_to_json): New.
	(bit_offset_to_json): New.
	(byte_offset_to_json): New.
	* analyzer.h (tree_to_json): New decl.
	(diagnostic_event_id_to_json): New decl.
	(bit_offset_to_json): New decl.
	(byte_offset_to_json): New decl.
	* bounds-checking.cc: Include "diagnostic-format-sarif.h".
	(out_of_bounds::maybe_add_sarif_properties): New.
	(concrete_out_of_bounds::maybe_add_sarif_properties): New.
	(concrete_past_the_end::maybe_add_sarif_properties): New.
	(symbolic_past_the_end::maybe_add_sarif_properties): New.
	* region-model.cc (region_to_value_map::to_json): New.
	(region_model::to_json): New.
	* region-model.h (region_to_value_map::to_json): New decl.
	(region_model::to_json): New decl.
	* store.cc (bit_range::to_json): New.
	(byte_range::to_json): New.
	* store.h (bit_range::to_json): New decl.
	(byte_range::to_json): New decl.

2023-12-16  David Malcolm  <dmalcolm (a] redhat.com>

	PR analyzer/112792
	* bounds-checking.cc
	(out_of_bounds::oob_region_creation_event_capacity): Rename
	"capacity" to "byte_capacity".  Layout fix.
	(out_of_bounds::::add_region_creation_events): Rename
	"capacity" to "byte_capacity".
	(class concrete_out_of_bounds): Rename m_out_of_bounds_range to
	m_out_of_bounds_bits and convert from a byte_range to a bit_range.
	(concrete_out_of_bounds::get_out_of_bounds_bytes): New.
	(concrete_past_the_end::concrete_past_the_end): Rename param
	"byte_bound" to "bit_bound".  Initialize m_byte_bound.
	(concrete_past_the_end::subclass_equal_p): Update for renaming
	of m_byte_bound to m_bit_bound.
	(concrete_past_the_end::m_bit_bound): New field.
	(concrete_buffer_overflow::concrete_buffer_overflow): Convert
	param "range" from byte_range to bit_range.  Rename param
	"byte_bound" to "bit_bound".
	(concrete_buffer_overflow::emit): Update for bits vs bytes.
	(concrete_buffer_overflow::describe_final_event): Split
	into...
	(concrete_buffer_overflow::describe_final_event_as_bytes): ...this
	(concrete_buffer_overflow::describe_final_event_as_bits): ...and
	this.
	(concrete_buffer_over_read::concrete_buffer_over_read): Convert
	param "range" from byte_range to bit_range.  Rename param
	"byte_bound" to "bit_bound".
	(concrete_buffer_over_read::emit): Update for bits vs bytes.
	(concrete_buffer_over_read::describe_final_event): Split into...
	(concrete_buffer_over_read::describe_final_event_as_bytes):
	...this
	(concrete_buffer_over_read::describe_final_event_as_bits): ...and
	this.
	(concrete_buffer_underwrite::concrete_buffer_underwrite): Convert
	param "range" from byte_range to bit_range.
	(concrete_buffer_underwrite::describe_final_event): Split into...
	(concrete_buffer_underwrite::describe_final_event_as_bytes):
	...this
	(concrete_buffer_underwrite::describe_final_event_as_bits): ...and
	this.
	(concrete_buffer_under_read::concrete_buffer_under_read): Convert
	param "range" from byte_range to bit_range.
	(concrete_buffer_under_read::describe_final_event): Split into...
	(concrete_buffer_under_read::describe_final_event_as_bytes):
	...this
	(concrete_buffer_under_read::describe_final_event_as_bits): ...and
	this.
	(region_model::check_region_bounds): Use bits for concrete values,
	and rename locals to indicate whether we're dealing with bits or
	bytes.  Specifically, replace "num_bytes_sval" with
	"num_bits_sval", and get it from reg's "get_bit_size_sval".
	Replace "num_bytes_tree" with "num_bits_tree".  Rename "capacity"
	to "byte_capacity".  Rename "cst_capacity_tree" to
	"cst_byte_capacity_tree".  Replace "offset" and
	"num_bytes_unsigned" with "bit_offset" and "num_bits_unsigned"
	respectively, converting from byte_offset_t to bit_offset_t.
	Replace "out" and "read_bytes" with "bits_outside" and "read_bits"
	respectively, converting from byte_range to bit_range.  Convert
	"buffer" from byte_range to bit_range.  Replace "byte_bound" with
	"bit_bound".
	* region.cc (region::get_bit_size_sval): New.
	(offset_region::get_bit_offset): New.
	(offset_region::get_bit_size_sval): New.
	(sized_region::get_bit_size_sval): New.
	(bit_range_region::get_bit_size_sval): New.
	* region.h (region::get_bit_size_sval): New vfunc.
	(offset_region::get_bit_offset): New decl.
	(offset_region::get_bit_size_sval): New decl.
	(sized_region::get_bit_size_sval): New decl.
	(bit_range_region::get_bit_size_sval): New decl.
	* store.cc (bit_range::intersects_p): New, based on
	byte_range::intersects_p.
	(bit_range::exceeds_p): New, based on byte_range::exceeds_p.
	(bit_range::falls_short_of_p): New, based on
	byte_range::falls_short_of_p.
	(byte_range::intersects_p): Delete.
	(byte_range::exceeds_p): Delete.
	(byte_range::falls_short_of_p): Delete.
	* store.h (bit_range::intersects_p): New overload.
	(bit_range::exceeds_p): New.
	(bit_range::falls_short_of_p): New.
	(byte_range::intersects_p): Delete.
	(byte_range::exceeds_p): Delete.
	(byte_range::falls_short_of_p): Delete.

2023-12-14  David Malcolm  <dmalcolm (a] redhat.com>

	PR analyzer/112655
	* infinite-loop.cc (infinite_loop::infinite_loop): Pass eedges
	via rvalue reference rather than by value.
	(starts_infinite_loop_p): Move eedges when constructing an
	infinite_loop instance.
	* sm-file.cc (fileptr_state_machine::fileptr_state_machine): Use
	initializer list for states.
	* sm-sensitive.cc
	(sensitive_state_machine::sensitive_state_machine): Likewise.
	* sm-signal.cc (signal_state_machine::signal_state_machine):
	Likewise.
	* sm-taint.cc (taint_state_machine::taint_state_machine):
	Likewise.
	* varargs.cc (va_list_state_machine::va_list_state_machine): Likewise.

2023-12-11  David Malcolm  <dmalcolm (a] redhat.com>

	PR analyzer/112955
	* engine.cc (feasibility_state::feasibility_state): Initialize
	m_snodes_visited.

2023-12-11  Andrew Pinski  <apinski (a] marvell.com>

	* region-model-manager.cc (maybe_undo_optimize_bit_field_compare): Remove
	the check for type being unsigned_char_type_node.

2023-12-08  David Malcolm  <dmalcolm (a] redhat.com>

	* sm-taint.cc (taint_state_machine::alt_get_inherited_state): Fix
	handling of TRUNC_MOD_EXPR.

2023-12-08  David Malcolm  <dmalcolm (a] redhat.com>

	* region-model.cc (contains_uninit_p): Only check for
	svalues that the infoleak warning can handle.

2023-12-08  David Malcolm  <dmalcolm (a] redhat.com>

	PR analyzer/112889
	* store.h (concrete_binding::concrete_binding): Strengthen
	assertion to require size to be be positive, rather than just
	non-zero.
	(concrete_binding::mark_deleted): Use size rather than start bit
	offset.
	(concrete_binding::mark_empty): Likewise.
	(concrete_binding::is_deleted): Likewise.
	(concrete_binding::is_empty): Likewise.

2023-12-07  Alexandre Oliva  <oliva (a] adacore.com>

	* region-model.cc (has_nondefault_case_for_value_p): Take
	enumerate type as a parameter.
	(region_model::apply_constraints_for_gswitch): Cope with
	integral promotion type casts.

2023-12-07  David Malcolm  <dmalcolm (a] redhat.com>

	PR analyzer/103546
	PR analyzer/112850
	* analyzer.opt (-param=analyzer-max-svalue-depth=): Increase from
	12 to 18.
	(Wanalyzer-symbol-too-complex): New.
	* diagnostic-manager.cc
	(null_assignment_sm_context::clear_all_per_svalue_state): New.
	* engine.cc (impl_sm_context::clear_all_per_svalue_state): New.
	* program-state.cc (sm_state_map::clear_all_per_svalue_state):
	New.
	* program-state.h (sm_state_map::clear_all_per_svalue_state): New
	decl.
	* region-model-manager.cc
	(region_model_manager::reject_if_too_complex): Add
	-Wanalyzer-symbol-too-complex.
	* sm-taint.cc (taint_state_machine::on_condition): Handle
	comparisons against UNKNOWN.
	* sm.h (sm_context::clear_all_per_svalue_state): New.

2023-12-06  David Malcolm  <dmalcolm (a] redhat.com>

	* engine.cc (dump_analyzer_json): Use
	flag_diagnostics_json_formatting.

2023-12-01  David Malcolm  <dmalcolm (a] redhat.com>

	* analyzer.h (class saved_diagnostic): New forward decl.
	* bounds-checking.cc: Update for changes to
	pending_diagnostic::emit.
	* call-details.cc: Likewise.
	* diagnostic-manager.cc: Include "diagnostic-format-sarif.h".
	(saved_diagnostic::maybe_add_sarif_properties): New.
	(class pending_diagnostic_metadata): New.
	(diagnostic_manager::emit_saved_diagnostic): Create a
	pending_diagnostic_metadata and a diagnostic_emission_context.
	Pass the latter to the pending_diagnostic::emit vfunc.
	* diagnostic-manager.h
	(saved_diagnostic::maybe_add_sarif_properties): New decl.
	* engine.cc: Update for changes to pending_diagnostic::emit.
	* infinite-loop.cc: Likewise.
	* infinite-recursion.cc: Likewise.
	* kf-analyzer.cc: Likewise.
	* kf.cc: Likewise.
	* pending-diagnostic.cc
	(diagnostic_emission_context::get_pending_diagnostic): New.
	(diagnostic_emission_context::warn): New.
	(diagnostic_emission_context::inform): New.
	* pending-diagnostic.h (class diagnostic_emission_context): New.
	(pending_diagnostic::emit): Update params.
	(pending_diagnostic::maybe_add_sarif_properties): New vfunc.
	* region.cc: Don't include "diagnostic-metadata.h".
	* region-model.cc: Include "diagnostic-format-sarif.h".  Update
	for changes to pending_diagnostic::emit.
	(exposure_through_uninit_copy::maybe_add_sarif_properties): New.
	* sm-fd.cc: Update for changes to pending_diagnostic::emit.
	* sm-file.cc: Likewise.
	* sm-malloc.cc: Likewise.
	* sm-pattern-test.cc: Likewise.
	* sm-sensitive.cc: Likewise.
	* sm-signal.cc: Likewise.
	* sm-taint.cc: Likewise.
	* store.cc: Don't include "diagnostic-metadata.h".
	* varargs.cc: Update for changes to pending_diagnostic::emit.

2023-11-19  David Malcolm  <dmalcolm (a] redhat.com>

	* analyzer.h: Include "rich-location.h".

2023-11-19  David Malcolm  <dmalcolm (a] redhat.com>

	PR analyzer/107573
	* analyzer.h (register_known_functions): Add region_model_manager
	param.
	* analyzer.opt (Wanalyzer-undefined-behavior-strtok): New.
	* call-summary.cc
	(call_summary_replay::convert_region_from_summary_1): Handle
	RK_PRIVATE.
	* engine.cc (impl_run_checkers): Pass model manager to
	register_known_functions.
	* kf.cc (class undefined_function_behavior): New.
	(class kf_strtok): New.
	(register_known_functions): Add region_model_manager param.
	Use it to register "strtok".
	* region-model-manager.cc
	(region_model_manager::get_or_create_conjured_svalue): Add "idx"
	param.
	* region-model-manager.h
	(region_model_manager::get_or_create_conjured_svalue): Add "idx"
	param.
	(region_model_manager::get_root_region): New accessor.
	* region-model.cc (region_model::scan_for_null_terminator): Handle
	"expr" being null.
	(region_model::get_representative_path_var_1): Handle RK_PRIVATE.
	* region-model.h (region_model::called_from_main_p): Make public.
	* region.cc (region::get_memory_space): Handle RK_PRIVATE.
	(region::can_have_initial_svalue_p): Handle MEMSPACE_PRIVATE.
	(private_region::dump_to_pp): New.
	* region.h (MEMSPACE_PRIVATE): New.
	(RK_PRIVATE): New.
	(class private_region): New.
	(is_a_helper <const private_region *>::test): New.
	* store.cc (store::replay_call_summary_cluster): Handle
	RK_PRIVATE.
	* svalue.h (struct conjured_svalue::key_t): Add "idx" param to
	ctor and "m_idx" field.
	(class conjured_svalue::conjured_svalue): Likewise.

2023-11-18  David Malcolm  <dmalcolm (a] redhat.com>

	PR analyzer/106147
	* analyzer.opt (Wanalyzer-infinite-loop): New option.
	(fdump-analyzer-infinite-loop): New option.
	* checker-event.h (start_cfg_edge_event::get_desc): Drop "final".
	(start_cfg_edge_event::maybe_describe_condition): Convert from
	private to protected.
	* checker-path.h (checker_path::get_logger): New.
	* diagnostic-manager.cc (process_worklist_item): Update for
	new context param of maybe_update_for_edge.
	* engine.cc
	(impl_region_model_context::impl_region_model_context): Add
	out_could_have_done_work param to both ctors and use it to
	initialize mm_out_could_have_done_work.
	(impl_region_model_context::maybe_did_work): New vfunc
	implementation.
	(exploded_node::on_stmt): Add out_could_have_done_work param and
	pass to ctxt ctor.
	(exploded_node::on_stmt_pre): Treat setjmp and longjmp as "doing
	work".
	(exploded_node::on_longjmp): Likewise.
	(exploded_edge::exploded_edge): Add "could_do_work" param and use
	it to initialize m_could_do_work_p.
	(exploded_edge::dump_dot_label): Add result of could_do_work_p.
	(exploded_graph::add_function_entry): Mark edge as doing no work.
	(exploded_graph::add_edge): Add "could_do_work" param and pass to
	exploded_edge ctor.
	(add_tainted_args_callback): Treat as doing no work.
	(exploded_graph::process_worklist): Likewise when merging nodes.
	(maybe_process_run_of_before_supernode_enodes::item): Likewise.
	(exploded_graph::maybe_create_dynamic_call): Likewise.
	(exploded_graph::process_node): Likewise for phi nodes.
	Pass in a "could_have_done_work" bool when handling stmts and use
	when creating edges.  Assume work is done at bifurcation.
	(exploded_path::feasible_p): Update for new context param of
	maybe_update_for_edge.
	(feasibility_state::feasibility_state): New ctor.
	(feasibility_state::operator=): New.
	(feasibility_state::maybe_update_for_edge): Add ctxt param and use
	it.  Fix missing newline when logging state.
	(impl_run_checkers): Call exploded_graph::detect_infinite_loops.
	* exploded-graph.h
	(impl_region_model_context::impl_region_model_context): Add
	out_could_have_done_work param to both ctors.
	(impl_region_model_context::maybe_did_work): New decl.
	(impl_region_model_context::checking_for_infinite_loop_p): New.
	(impl_region_model_context::on_unusable_in_infinite_loop): New.
	(impl_region_model_context::m_out_could_have_done_work): New
	field.
	(exploded_node::on_stmt): Add "out_could_have_done_work" param.
	(exploded_edge::exploded_edge): Add "could_do_work" param.
	(exploded_edge::could_do_work_p): New accessor.
	(exploded_edge::m_could_do_work_p): New field.
	(exploded_graph::add_edge): Add "could_do_work" param.
	(exploded_graph::detect_infinite_loops): New decl.
	(feasibility_state::feasibility_state): New ctor.
	(feasibility_state::operator=): New decl.
	(feasibility_state::maybe_update_for_edge): Add ctxt param.
	* infinite-loop.cc: New file.
	* program-state.cc (program_state::on_edge): Log the rejected
	constraint when region_model::maybe_update_for_edge fails.
	* region-model.cc (region_model::on_assignment): Treat any writes
	other than to the stack as "doing work".
	(region_model::on_stmt_pre): Treat all asm stmts as "doing work".
	(region_model::on_call_post): Likewise for all calls to functions
	with unknown side effects.
	(region_model::handle_phi): Add svals_changing_meaning param.
	Mark widening svalue in phi nodes as changing meaning.
	(unusable_in_infinite_loop_constraint_p): New.
	(region_model::add_constraint): If we're checking for an infinite
	loop, bail out on unusable svalues, or if we don't have a definite
	true/false for the constraint.
	(region_model::update_for_phis): Gather all svalues changing
	meaning in phi nodes, and purge constraints involving them.
	(region_model::replay_call_summary): Treat all call summaries as
	doing work.
	(region_model::can_merge_with_p): Purge constraints involving
	svalues that change meaning.
	(model_merger::on_widening_reuse): New.
	(test_iteration_1): Likewise.
	(selftest::test_iteration_1): Remove assertion that model6 "knows"
	that i < 157.
	* region-model.h (region_model::handle_phi): Add
	svals_changing_meaning param
	(region_model_context::maybe_did_work): New pure virtual func.
	(region_model_context::checking_for_infinite_loop_p): Likewise.
	(region_model_context::on_unusable_in_infinite_loop): Likewise.
	(noop_region_model_context::maybe_did_work): Implement.
	(noop_region_model_context::checking_for_infinite_loop_p):
	Likewise.
	(noop_region_model_context::on_unusable_in_infinite_loop):
	Likewise.
	(region_model_context_decorator::maybe_did_work): Implement.
	(region_model_context_decorator::checking_for_infinite_loop_p):
	Likewise.
	(region_model_context_decorator::on_unusable_in_infinite_loop):
	Likewise.
	(model_merger::on_widening_reuse): New decl.
	(model_merger::m_svals_changing_meaning): New field.
	* sm-signal.cc (register_signal_handler::impl_transition): Assume
	the edge "does work".
	* supergraph.cc (supernode::get_start_location): Use CFG edge's
	goto_locus if available.
	(supernode::get_end_location): Likewise.
	(cfg_superedge::dump_label_to_pp): Dump edges with a "goto_locus"
	* supergraph.h (cfg_superedge::get_goto_locus): New.
	* svalue.cc (svalue::can_merge_p): Call on_widening_reuse for
	widening values.
	(involvement_visitor::visit_widening_svalue): New.
	(svalue::involves_p): Update assertion to allow widening svalues.

2023-11-14  David Malcolm  <dmalcolm (a] redhat.com>

	PR analyzer/103533
	* sm-taint.cc: Remove "experimental" from comment.
	* sm.cc (make_checkers): Always add taint state machine.

2023-11-04  David Malcolm  <dmalcolm (a] redhat.com>

	* bounds-checking.cc: Update for changes to diagnostic_context.

2023-11-02  David Malcolm  <dmalcolm (a] redhat.com>

	PR analyzer/112317
	* access-diagram.cc (class x_aligned_x_ruler_widget): Eliminate
	unused field "m_col_widths".
	(access_diagram_impl::add_valid_vs_invalid_ruler): Update for
	above change.
	* region-model.cc
	(check_one_function_attr_null_terminated_string_arg): Remove
	unused variables "cd_unchecked", "strlen_sval", and
	"limited_sval".
	* region-model.h (region_model_context_decorator::warn): Add
	missing "override".

2023-10-31  David Malcolm  <dmalcolm (a] redhat.com>

	* record-layout.cc: New file, based on material in region-model.cc.
	* record-layout.h: Likewise.
	* region-model.cc: Include "analyzer/record-layout.h".
	(class record_layout): Move to record-layout.cc and .h

2023-10-26  David Malcolm  <dmalcolm (a] redhat.com>

	* region-model.cc
	(region_model::check_external_function_for_access_attr): Split
	out, replacing with...
	(region_model::check_function_attr_access): ...this new function
	and...
	(region_model::check_function_attrs): ...this new function.
	(region_model::check_one_function_attr_null_terminated_string_arg):
	New.
	(region_model::check_function_attr_null_terminated_string_arg):
	New.
	(region_model::handle_unrecognized_call): Update for renaming of
	check_external_function_for_access_attr to check_function_attrs.
	(region_model::check_for_null_terminated_string_arg): Add return
	value to one overload.  Make both overloads const.
	* region-model.h: Include "stringpool.h" and "attribs.h".
	(region_model::check_for_null_terminated_string_arg): Add return
	value to one overload.  Make both overloads const.
	(region_model::check_external_function_for_access_attr): Delete
	decl.
	(region_model::check_function_attr_access): New decl.
	(region_model::check_function_attr_null_terminated_string_arg):
	New decl.
	(region_model::check_one_function_attr_null_terminated_string_arg):
	New decl.
	(region_model::check_function_attrs): New decl.

2023-10-09  David Malcolm  <dmalcolm (a] redhat.com>

	* access-diagram.cc (boundaries::add): Explicitly state
	"boundaries::" scope for "kind" enum.

2023-10-08  David Malcolm  <dmalcolm (a] redhat.com>

	PR analyzer/111155
	* access-diagram.cc (boundaries::boundaries): Add logger param
	(boundaries::add): Add logging.
	(boundaries::get_hard_boundaries_in_range): New.
	(boundaries::m_logger): New field.
	(boundaries::get_table_x_for_offset): Make public.
	(class svalue_spatial_item): New.
	(class compound_svalue_spatial_item): New.
	(add_ellipsis_to_gaps): New.
	(valid_region_spatial_item::valid_region_spatial_item): Add theme
	param.  Initialize m_boundaries, m_existing_sval, and
	m_existing_sval_spatial_item.
	(valid_region_spatial_item::add_boundaries): Set m_boundaries.
	Add boundaries for any m_existing_sval_spatial_item.
	(valid_region_spatial_item::add_array_elements_to_table): Rewrite
	creation of min/max index in terms of
	maybe_add_array_index_to_table.  Rewrite ellipsis code using
	add_ellipsis_to_gaps. Add index values for any hard boundaries
	within the valid region.
	(valid_region_spatial_item::maybe_add_array_index_to_table): New,
	based on code formerly in add_array_elements_to_table.
	(valid_region_spatial_item::make_table): Make use of
	m_existing_sval_spatial_item, if any.
	(valid_region_spatial_item::m_boundaries): New field.
	(valid_region_spatial_item::m_existing_sval): New field.
	(valid_region_spatial_item::m_existing_sval_spatial_item): New
	field.
	(class svalue_spatial_item): Rename to...
	(class written_svalue_spatial_item): ...this.
	(class string_region_spatial_item): Rename to..
	(class string_literal_spatial_item): ...this.  Add "kind".
	(string_literal_spatial_item::add_boundaries): Use m_kind to
	determine kind of boundary.  Update for renaming of m_actual_bits
	to m_bits.
	(string_literal_spatial_item::make_table): Likewise.  Support not
	displaying a row for byte indexes, and not displaying a row for
	the type.
	(string_literal_spatial_item::add_column_for_byte): Make byte index
	row optional.
	(svalue_spatial_item::make): Convert to...
	(make_written_svalue_spatial_item): ...this.
	(make_existing_svalue_spatial_item): New.
	(access_diagram_impl::access_diagram_impl): Pass theme to
	m_valid_region_spatial_item ctor.  Update for renaming of
	m_svalue_spatial_item.
	(access_diagram_impl::find_boundaries): Pass logger to boundaries.
	Update for renaming of...
	(access_diagram_impl::m_svalue_spatial_item): Rename to...
	(access_diagram_impl::m_written_svalue_spatial_item): ...this.

2023-10-03  David Malcolm  <dmalcolm (a] redhat.com>

	* analyzer-logging.cc (logger::log_va_partial): Use text_info
	ctor.
	* analyzer.cc (make_label_text): Likewise.
	(make_label_text_n): Likewise.
	* pending-diagnostic.cc (evdesc::event_desc::formatted_print):
	Likewise.

2023-10-02  David Malcolm  <dmalcolm (a] redhat.com>

	* program-point.cc: Update for grouping of source printing fields
	within diagnostic_context.

2023-09-15  David Malcolm  <dmalcolm (a] redhat.com>

	* analyzer.cc (get_stmt_location): Handle null stmt.
	* diagnostic-manager.cc (saved_diagnostic::saved_diagnostic): Copy
	m_loc from ploc.
	(saved_diagnostic::operator==): Compare m_loc.
	(saved_diagnostic::calc_best_epath): Only use m_stmt_finder if
	m_loc is unknown.
	(dedupe_key::dedupe_key): Initialize m_loc.
	(dedupe_key::operator==): Compare m_loc.
	(dedupe_key::get_location): Use m_loc if it's known.
	(dedupe_key::m_loc): New field.
	(diagnostic_manager::emit_saved_diagnostic): Only call
	get_emission_location if m_loc is unknown, preferring to use m_loc
	if it's available.
	* diagnostic-manager.h (saved_diagnostic::m_loc): New field.
	(pending_location::pending_location): Initialize m_loc.  Add
	overload taking a location_t rather than a stmt/stmt_finder.
	(pending_location::m_loc): New field.

2023-09-15  David Malcolm  <dmalcolm (a] redhat.com>

	* analyzer.h (struct pending_location): New forward decl.
	* diagnostic-manager.cc (saved_diagnostic::saved_diagnostic):
	Replace params "enode", "snode", "stmt", and "stmt_finder" with
	"ploc".
	(diagnostic_manager::add_diagnostic): Likewise for both overloads.
	* diagnostic-manager.h (saved_diagnostic::saved_diagnostic):
	Likewise.
	(struct pending_location): New.
	(diagnostic_manager::add_diagnostic): Replace params "enode",
	"snode", "stmt", and "stmt_finder" with "ploc".
	* engine.cc (impl_region_model_context::warn): Update call to
	add_diagnostic for above change.
	(impl_sm_context::warn): Likewise.
	(impl_region_model_context::on_state_leak): Likewise.
	* infinite-recursion.cc
	(exploded_graph::detect_infinite_recursion): Likewise.

2023-09-15  David Malcolm  <dmalcolm (a] redhat.com>

	* region-model.cc (region_model::get_gassign_result): Handle
	volatile ops by using a conjured_svalue.

2023-09-14  David Malcolm  <dmalcolm (a] redhat.com>

	* checker-event.h (checker_event::get_thread_id): New.
	* checker-path.h (class checker_path): Implement thread-related
	vfuncs via a single simple_diagnostic_thread instance named
	"main".

2023-09-14  David Malcolm  <dmalcolm (a] redhat.com>

	* diagnostic-manager.cc (compatible_epath_p): Fix missing return.

2023-09-14  David Malcolm  <dmalcolm (a] redhat.com>

	* diagnostic-manager.cc (process_worklist_item): Use
	std::unique_ptr rather than plain rejected_constraint *.
	* engine.cc (exploded_path::feasible_p): Likewise.
	(feasibility_state::maybe_update_for_edge): Likewise.
	* exploded-graph.h (feasibility_problem::feasibility_problem):
	Likewise.
	(feasibility_problem::~feasibility_problem): Delete.
	(feasibility_problem::m_rc): Use std::unique_ptr.
	(feasibility_state::maybe_update_for_edge): Likewise.
	* feasible-graph.cc (feasible_graph::add_feasibility_problem):
	Likewise.
	* feasible-graph.h (class infeasible_node): Likewise.
	(feasible_graph::add_feasibility_problem): Likewise.
	* region-model.cc (region_model::add_constraint): Likewise.
	(region_model::maybe_update_for_edge): Likewise.
	(region_model::apply_constraints_for_gcond): Likewise.
	(region_model::apply_constraints_for_gswitch): Likewise.
	(region_model::apply_constraints_for_exception): Likewise.
	* region-model.h (class region_model): Likewise for decls.

2023-09-09  benjamin priour  <vultkayn (a] gcc.gnu.org>

	PR analyzer/96395
	* region-model.cc
	(region_model::add_constraints_from_binop): binop_svalues around
	LT_EXPR, LE_EXPR, GT_EXPR, GE_EXPR are now unwrapped.

2023-09-07  David Malcolm  <dmalcolm (a] redhat.com>

	PR analyzer/110529
	* program-point.cc (program_point::on_edge): Don't reject
	EDGE_ABNORMAL for computed gotos.
	* region-model.cc (region_model::maybe_update_for_edge): Handle
	computed goto statements.
	(region_model::apply_constraints_for_ggoto): New.
	* region-model.h (region_model::apply_constraints_for_ggoto): New decl.
	* supergraph.cc (supernode::get_label): New.
	* supergraph.h (supernode::get_label): New decl.

2023-09-07  benjamin priour  <vultkayn (a] gcc.gnu.org>
	    David Malcolm  <dmalcolm (a] redhat.com>

	PR analyzer/110830
	* diagnostic-manager.cc
	(compatible_epaths_p): New function.
	(saved_diagnostic::supercedes_p): Now calls the above
	to determine if the diagnostics do overlap and the superseding
	may proceed.

2023-09-07  David Malcolm  <dmalcolm (a] redhat.com>

	* region-model.h: fix -Wunused-parameter warnings

2023-09-06  David Malcolm  <dmalcolm (a] redhat.com>

	PR analyzer/105899
	* kf.cc (class kf_strstr): New.
	(kf_strstr::impl_call_post): New.
	(register_known_functions): Register it.

2023-09-06  David Malcolm  <dmalcolm (a] redhat.com>

	PR analyzer/105899
	* kf.cc (class kf_strncpy): New.
	(kf_strncpy::impl_call_post): New.
	(register_known_functions): Register it.
	* region-model.cc (region_model::read_bytes): Handle unknown
	number of bytes.

2023-09-06  David Malcolm  <dmalcolm (a] redhat.com>

	* kf.cc (kf_calloc::impl_call_pre): Pass ctxt to zero_fill_region.
	(kf_memset::impl_call_pre): Move responsibility for calling
	check_region_for_write to fill_region.
	* region-model.cc (region_model::on_assignment): Pass ctxt to
	zero_fill_region.
	(region_model::fill_region): Add "ctxt" param, using it to call
	check_region_for_write.
	(region_model::zero_fill_region): Likewise.
	* region-model.h (region_model::fill_region): Add "ctxt" param.
	(region_model::zero_fill_region): Likewise.

2023-09-01  benjamin priour  <priour.be (a] gmail.com>

	PR analyzer/105948
	PR analyzer/94355
	* analyzer.h (is_placement_new_p): New declaration.
	* call-details.cc
	(call_details::deref_ptr_arg): New function.
	Dereference the argument at given index if possible.
	* call-details.h: Declaration of the above function.
	* kf-lang-cp.cc (is_placement_new_p): Returns true if the gcall
	is recognized as a placement new.
	(kf_operator_delete::impl_call_post): Unbinding a region and its
	descendents now poisons with POISON_KIND_DELETED.
	(register_known_functions_lang_cp): Known function "operator
	delete" is now registered only once independently of its number of
	arguments.
	* region-model.cc (region_model::eval_condition): Now
	recursively calls itself if any of the operand is wrapped in a
	cast.
	* sm-malloc.cc (malloc_state_machine::on_stmt):
	Add placement new recognition.
	* svalue.cc (poison_kind_to_str): Wording for the new PK.
	* svalue.h (enum poison_kind): Add value POISON_KIND_DELETED.

2023-08-31  Francois-Xavier Coudert  <fxcoudert (a] gcc.gnu.org>

	* kf.cc: Change spelling to macOS.

2023-08-30  Eric Feng  <ef2648 (a] columbia.edu>

	PR analyzer/107646
	* engine.cc (impl_region_model_context::warn): New optional
	parameter.
	* exploded-graph.h (class impl_region_model_context): Likewise.
	* region-model.cc (region_model::pop_frame): New callback
	feature for region_model::pop_frame.
	* region-model.h (struct append_regions_cb_data): Likewise.
	(class region_model): Likewise.
	(class region_model_context): New optional parameter.
	(class region_model_context_decorator): Likewise.

2023-08-30  Francois-Xavier Coudert  <fxcoudert (a] gcc.gnu.org>

	* region-model.cc: Define INCLUDE_ALGORITHM.

2023-08-29  David Malcolm  <dmalcolm (a] redhat.com>

	PR analyzer/99860
	* analyzer-selftests.cc (selftest::run_analyzer_selftests): Call
	selftest::analyzer_ranges_cc_tests.
	* analyzer-selftests.h (selftest::run_analyzer_selftests): New
	decl.
	* analyzer.opt (Wanalyzer-overlapping-buffers): New option.
	* call-details.cc: Include "analyzer/ranges.h" and "make-unique.h".
	(class overlapping_buffers): New.
	(call_details::complain_about_overlap): New.
	* call-details.h (call_details::complain_about_overlap): New decl.
	* kf.cc (kf_memcpy_memmove::impl_call_pre): Call
	cd.complain_about_overlap for memcpy and memcpy_chk.
	(kf_strcat::impl_call_pre): Call cd.complain_about_overlap.
	(kf_strcpy::impl_call_pre): Likewise.
	* ranges.cc: New file.
	* ranges.h: New file.

2023-08-29  David Malcolm  <dmalcolm (a] redhat.com>

	PR analyzer/105899
	* kf.cc (kf_strdup::impl_call_pre): Set size of
	dynamically-allocated buffer.  Simulate copying the string from
	the source region to the new buffer.

2023-08-27  benjamin priour  <vultkayn (a] gcc.gnu.org>

	PR analyzer/96395
	* analyzer.h (class known_function): Add virtual casts
	to builtin_known_function.
	(class builtin_known_function): New subclass of known_function
	for builtins.
	* kf.cc (class kf_alloca): Now derived from
	builtin_known_function.
	(class kf_calloc): Likewise.
	(class kf_free): Likewise.
	(class kf_malloc): Likewise.
	(class kf_memcpy_memmove): Likewise.
	(class kf_memset): Likewise.
	(class kf_realloc): Likewise.
	(class kf_strchr): Likewise.
	(class kf_sprintf): Likewise.
	(class kf_strcat): Likewise.
	(class kf_strcpy): Likewise.
	(class kf_strdup): Likewise.
	(class kf_strlen): Likewise.
	(class kf_strndup): Likewise.
	(register_known_functions): Builtins are now registered as
	known_functions by name rather than by their BUILTIN_CODE.
	* known-function-manager.cc (get_normal_builtin): New overload.
	* known-function-manager.h: New overload declaration.
	* region-model.cc (region_model::get_builtin_kf): New function.
	* region-model.h (class region_model): Add declaration of
	get_builtin_kf.
	* sm-fd.cc: For called recognized as builtins, use the
	attributes of that builtin as defined in gcc/builtins.def
	rather than the user's.
	* sm-malloc.cc (malloc_state_machine::on_stmt): Likewise.

2023-08-25  David Malcolm  <dmalcolm (a] redhat.com>

	* access-diagram.cc (class string_region_spatial_item): Remove
	assumption that the string is written to the start of the cluster.

2023-08-24  David Malcolm  <dmalcolm (a] redhat.com>

	PR analyzer/105899
	* call-details.cc
	(call_details::check_for_null_terminated_string_arg): Split into
	overloads, one taking just an arg_idx, the other a new
	"include_terminator" param.
	* call-details.h: Likewise.
	* kf.cc (class kf_strcat): New.
	(kf_strcpy::impl_call_pre): Update for change to
	check_for_null_terminated_string_arg.
	(register_known_functions): Register kf_strcat.
	* region-model.cc
	(region_model::check_for_null_terminated_string_arg): Split into
	overloads, one taking just an arg_idx, the other a new
	"include_terminator" param.  When returning an svalue, handle
	"include_terminator" being false by subtracting one.
	* region-model.h
	(region_model::check_for_null_terminated_string_arg): Split into
	overloads, one taking just an arg_idx, the other a new
	"include_terminator" param.

2023-08-24  David Malcolm  <dmalcolm (a] redhat.com>

	PR analyzer/105899
	* region-model.cc (fragment::has_null_terminator): Handle
	SK_BITS_WITHIN.

2023-08-24  David Malcolm  <dmalcolm (a] redhat.com>

	PR analyzer/105899
	* region-model-manager.cc
	(region_model_manager::get_or_create_initial_value): Simplify
	INIT_VAL(ELEMENT_REG(STRING_REG), CONSTANT_SVAL) to
	CONSTANT_SVAL(STRING[N]).

2023-08-24  David Malcolm  <dmalcolm (a] redhat.com>

	PR analyzer/105899
	* region-model.cc (fragment::has_null_terminator): Move STRING_CST
	handling to fragment::string_cst_has_null_terminator; also use it to
	handle INIT_VAL(STRING_REG).
	(fragment::string_cst_has_null_terminator): New, from above.

2023-08-24  David Malcolm  <dmalcolm (a] redhat.com>

	* kf.cc (kf_memcpy_memmove::impl_call_pre): Reimplement using
	region_model::copy_bytes.
	* region-model.cc (region_model::read_bytes): New.
	(region_model::copy_bytes): New.
	* region-model.h (region_model::read_bytes): New decl.
	(region_model::copy_bytes): New decl.

2023-08-24  David Malcolm  <dmalcolm (a] redhat.com>

	PR analyzer/105899
	* region-model.cc (region_model::get_string_size): Delete both.
	* region-model.h (region_model::get_string_size): Delete both
	decls.

2023-08-24  David Malcolm  <dmalcolm (a] redhat.com>

	PR analyzer/105899
	* kf.cc (kf_strcpy::impl_call_pre): Reimplement using
	check_for_null_terminated_string_arg.
	* region-model.cc (region_model::get_store_bytes): Shortcut
	reading all of a string_region.
	(region_model::scan_for_null_terminator): Use get_store_value for
	the bytes rather than "unknown" when returning an unknown length.
	(region_model::write_bytes): New.
	* region-model.h (region_model::write_bytes): New decl.

2023-08-24  David Malcolm  <dmalcolm (a] redhat.com>

	PR analyzer/105899
	* region-model.cc (iterable_cluster::iterable_cluster): Add
	symbolic binding keys to m_symbolic_bindings.
	(iterable_cluster::has_symbolic_bindings_p): New.
	(iterable_cluster::m_symbolic_bindings): New field.
	(region_model::scan_for_null_terminator): Treat clusters with
	symbolic bindings as having unknown strlen.

2023-08-24  David Malcolm  <dmalcolm (a] redhat.com>

	* engine.cc (impl_path_context::impl_path_context): Add logger
	param.
	(impl_path_context::bifurcate): Add log message.
	(impl_path_context::terminate_path): Likewise.
	(impl_path_context::m_logger): New field.
	(exploded_graph::process_node): Pass logger to path_ctxt ctor.

2023-08-22  David Malcolm  <dmalcolm (a] redhat.com>

	PR analyzer/105899
	* kf-analyzer.cc (class kf_analyzer_get_strlen): Move to kf.cc.
	(register_known_analyzer_functions): Use make_kf_strlen.
	* kf.cc (class kf_strlen::impl_call_pre): Replace with
	implementation of kf_analyzer_get_strlen from kf-analyzer.cc.
	Handle "UNKNOWN" return from check_for_null_terminated_string_arg
	by falling back to a conjured svalue.
	(make_kf_strlen): New.
	(register_known_functions): Use make_kf_strlen.
	* known-function-manager.h (make_kf_strlen): New decl.

2023-08-22  David Malcolm  <dmalcolm (a] redhat.com>

	PR analyzer/105899
	* call-details.cc (call_details::call_details): New ctor.
	* call-details.h (call_details::call_details): New ctor decl.
	(struct call_arg_details): Move here from region-model.cc.
	* region-model.cc (region_model::check_call_format_attr): New.
	(region_model::check_call_args): Call it.
	(struct call_arg_details): Move it to call-details.h.
	* region-model.h (region_model::check_call_format_attr): New decl.

2023-08-22  David Malcolm  <dmalcolm (a] redhat.com>

	* kf.cc (class kf_fopen): New.
	(register_known_functions): Register it.

2023-08-22  David Malcolm  <dmalcolm (a] redhat.com>

	PR analyzer/105899
	* analyzer.opt (Wanalyzer-unterminated-string): Delete.
	* call-details.cc
	(call_details::check_for_null_terminated_string_arg): Convert
	return type from void to const svalue *.  Add param "out_sval".
	* call-details.h
	(call_details::check_for_null_terminated_string_arg): Likewise.
	* kf-analyzer.cc (kf_analyzer_get_strlen::impl_call_pre): Wire up
	to result of check_for_null_terminated_string_arg.
	* region-model.cc (get_strlen): Delete.
	(class unterminated_string_arg): Delete.
	(struct fragment): New.
	(class iterable_cluster): New.
	(region_model::get_store_bytes): New.
	(get_tree_for_byte_offset): New.
	(region_model::scan_for_null_terminator): New.
	(region_model::check_for_null_terminated_string_arg): Convert
	return type from void to const svalue *.  Add param "out_sval".
	Reimplement in terms of scan_for_null_terminator, dropping the
	special-case for -Wanalyzer-unterminated-string.
	* region-model.h (region_model::get_store_bytes): New decl.
	(region_model::scan_for_null_terminator): New decl.
	(region_model::check_for_null_terminated_string_arg): Convert
	return type from void to const svalue *.  Add param "out_sval".
	* store.cc (concrete_binding::get_byte_range): New.
	* store.h (concrete_binding::get_byte_range): New decl.
	(store_manager::get_concrete_binding): New overload.

2023-08-22  David Malcolm  <dmalcolm (a] redhat.com>

	* region-model.cc (region_model_context_decorator::add_event):
	Handle m_inner being NULL.
	* region-model.h (class region_model_context_decorator): Likewise.
	(annotating_context::warn): Likewise.

2023-08-22  David Malcolm  <dmalcolm (a] redhat.com>

	* diagnostic-manager.cc (saved_diagnostic::add_event): New.
	(saved_diagnostic::add_any_saved_events): New.
	(diagnostic_manager::add_event): New.
	(dedupe_winners::emit_best): New.
	(diagnostic_manager::emit_saved_diagnostic): Make "sd" param
	non-const.  Call saved_diagnostic::add_any_saved_events.
	* diagnostic-manager.h (saved_diagnostic::add_event): New decl.
	(saved_diagnostic::add_any_saved_events): New decl.
	(saved_diagnostic::m_saved_events): New field.
	(diagnostic_manager::add_event): New decl.
	(diagnostic_manager::emit_saved_diagnostic): Make "sd" param
	non-const.
	* engine.cc (impl_region_model_context::add_event): New.
	* exploded-graph.h (impl_region_model_context::add_event): New decl.
	* region-model.cc
	(noop_region_model_context::add_event): New.
	(region_model_context_decorator::add_event): New.
	* region-model.h (region_model_context::add_event): New vfunc.
	(noop_region_model_context::add_event): New decl.
	(region_model_context_decorator::add_event): New decl.

2023-08-22  David Malcolm  <dmalcolm (a] redhat.com>

	* region-model.cc
	(class check_external_function_for_access_attr::annotating_ctxt):
	Convert to an annotating_context.
	* region-model.h (class note_adding_context): Rename to...
	(class annotating_context): ...this, updating the "warn" method.
	(note_adding_context::make_note): Replace with...
	(annotating_context::add_annotations): ...this.

2023-08-14  benjamin priour  <vultkayn (a] gcc.gnu.org>

	PR analyzer/110543
	* analyzer.opt: Add new option.
	* diagnostic-manager.cc
	(diagnostic_manager::prune_path): Call prune_system_headers.
	(prune_frame): New function that deletes all events in a frame.
	(diagnostic_manager::prune_system_headers): New function.
	* diagnostic-manager.h: Add prune_system_headers declaration.

2023-08-11  David Malcolm  <dmalcolm (a] redhat.com>

	PR analyzer/105899
	* analyzer.opt (Wanalyzer-unterminated-string): New.
	* call-details.cc
	(call_details::check_for_null_terminated_string_arg): New.
	* call-details.h
	(call_details::check_for_null_terminated_string_arg): New decl.
	* kf-analyzer.cc (class kf_analyzer_get_strlen): New.
	(register_known_analyzer_functions): Register it.
	* kf.cc (kf_error::impl_call_pre): Check that format arg is a
	valid null-terminated string.
	(kf_putenv::impl_call_pre): Likewise for the sole param.
	(kf_strchr::impl_call_pre): Likewise for the first param.
	(kf_strcpy::impl_call_pre): Likewise for the second param.
	(kf_strdup::impl_call_pre): Likewise for the sole param.
	* region-model.cc (get_strlen): New.
	(struct call_arg_details): New.
	(inform_about_expected_null_terminated_string_arg): New.
	(class unterminated_string_arg): New.
	(region_model::check_for_null_terminated_string_arg): New.
	* region-model.h
	(region_model::check_for_null_terminated_string_arg): New decl.

2023-08-11  Eric Feng  <ef2648 (a] columbia.edu>

	PR analyzer/107646
	* call-details.h: New function.
	* region-model.cc (region_model::get_or_create_region_for_heap_alloc):
	New optional parameters.
	* region-model.h (class region_model): New optional parameters.
	* sm-malloc.cc (on_realloc_with_move): New function.
	(region_model::transition_ptr_sval_non_null): New function.

2023-08-09  David Malcolm  <dmalcolm (a] redhat.com>

	* analyzer.h (class pure_known_function_with_default_return): New
	subclass.
	* call-details.cc (const_fn_p): Move here from region-model.cc.
	(maybe_get_const_fn_result): Likewise.
	(get_result_size_in_bytes): Likewise.
	(call_details::set_any_lhs_with_defaults): New function, based on
	code in region_model::on_call_pre.
	* call-details.h (call_details::set_any_lhs_with_defaults): New
	decl.
	* diagnostic-manager.cc
	(diagnostic_manager::emit_saved_diagnostic): Log the index of the
	saved_diagnostic.
	* kf.cc (pure_known_function_with_default_return::impl_call_pre):
	New.
	(kf_memset::impl_call_pre): Set the LHS to the first param.
	(kf_putenv::impl_call_pre): Call cd.set_any_lhs_with_defaults.
	(kf_sprintf::impl_call_pre): Call cd.set_any_lhs_with_defaults.
	(class kf_stack_restore): Derive from
	pure_known_function_with_default_return.
	(class kf_stack_save): Likewise.
	(kf_strlen::impl_call_pre): Call cd.set_any_lhs_with_defaults.
	* region-model-reachability.cc (reachable_regions::handle_sval):
	Remove logic for symbolic regions for pointers.
	* region-model.cc (region_model::canonicalize): Remove purging of
	dynamic extents workaround for surplus values from
	region_model::on_call_pre's default LHS code.
	(const_fn_p): Move to call-details.cc.
	(maybe_get_const_fn_result): Likewise.
	(get_result_size_in_bytes): Likewise.
	(region_model::update_for_nonzero_return): Call
	cd.set_any_lhs_with_defaults.
	(region_model::on_call_pre): Remove the assignment to the LHS of a
	default return value, instead requiring all known_function
	implementations to write to any LHS of the call.  Use
	cd.set_any_lhs_with_defaults on the non-kf paths.
	* sm-fd.cc (kf_socket::outcome_of_socket::update_model): Use
	cd.set_any_lhs_with_defaults when failing to get at fd state.
	(kf_bind::outcome_of_bind::update_model): Likewise.
	(kf_listen::outcome_of_listen::update_model): Likewise.
	(kf_accept::outcome_of_accept::update_model): Likewise.
	(kf_connect::outcome_of_connect::update_model): Likewise.
	(kf_read::impl_call_pre): Use cd.set_any_lhs_with_defaults.
	* sm-file.cc (class kf_stdio_output_fn): Derive from
	pure_known_function_with_default_return.
	(class kf_ferror): Likewise.
	(class kf_fileno): Likewise.
	(kf_fgets::impl_call_pre): Use cd.set_any_lhs_with_defaults.
	(kf_read::impl_call_pre): Likewise.
	(class kf_getc): Derive from
	pure_known_function_with_default_return.
	(class kf_getchar): Likewise.
	* varargs.cc (kf_va_arg::impl_call_pre): Use
	cd.set_any_lhs_with_defaults.

2023-08-04  David Malcolm  <dmalcolm (a] redhat.com>

	PR analyzer/110426
	* bounds-checking.cc (region_model::check_region_bounds): Handle
	symbolic base regions.
	* call-details.cc: Include "stringpool.h" and "attribs.h".
	(call_details::lookup_function_attribute): New function.
	* call-details.h (call_details::lookup_function_attribute): New
	function decl.
	* region-model-manager.cc
	(region_model_manager::maybe_fold_binop): Add reference to
	PR analyzer/110902.
	* region-model-reachability.cc (reachable_regions::handle_sval):
	Add symbolic regions for pointers that are conjured svalues for
	the LHS of a stmt.
	* region-model.cc (region_model::canonicalize): Purge dynamic
	extents for regions that aren't referenced.
	(get_result_size_in_bytes): New function.
	(region_model::on_call_pre): Use get_result_size_in_bytes and
	potentially set the dynamic extents of the region pointed to by
	the return value.
	(region_model::deref_rvalue): Add param "add_nonnull_constraint"
	and use it to conditionalize adding the constraint.
	(pending_diagnostic_subclass::dubious_allocation_size): Add "stmt"
	param to both ctors and use it to initialize new "m_stmt" field.
	(pending_diagnostic_subclass::operator==): Use m_stmt; don't use
	m_lhs or m_rhs.
	(pending_diagnostic_subclass::m_stmt): New field.
	(region_model::check_region_size): Generalize to any kind of
	pointer svalue by using deref_rvalue rather than checking for
	region_svalue.  Pass stmt to dubious_allocation_size ctor.
	* region-model.h (region_model::deref_rvalue): Add param
	"add_nonnull_constraint".
	* svalue.cc (conjured_svalue::lhs_value_p): New function.
	* svalue.h (conjured_svalue::lhs_value_p): New decl.

2023-08-04  David Malcolm  <dmalcolm (a] redhat.com>

	* svalue.cc (region_svalue::dump_to_pp): Support NULL type.
	(constant_svalue::dump_to_pp): Likewise.
	(initial_svalue::dump_to_pp): Likewise.
	(conjured_svalue::dump_to_pp): Likewise.  Fix missing print of the
	type.

2023-08-03  David Malcolm  <dmalcolm (a] redhat.com>

	PR analyzer/110882
	* region.cc (int_size_in_bits): Fail on zero-sized types.

2023-08-02  Eric Feng  <ef2648 (a] columbia.edu>

	PR analyzer/107646
	* analyzer-language.cc (run_callbacks): New function.
	(on_finish_translation_unit): New function.
	* analyzer-language.h (GCC_ANALYZER_LANGUAGE_H): New include.
	(class translation_unit): New vfuncs.

2023-07-26  David Malcolm  <dmalcolm (a] redhat.com>

	PR analyzer/104940
	* region-model-manager.cc
	(region_model_manager::region_model_manager): Update for
	generalizing region ids to also cover svalues.
	(region_model_manager::get_or_create_constant_svalue): Likewise.
	(region_model_manager::get_or_create_unknown_svalue): Likewise.
	(region_model_manager::create_unique_svalue): Likewise.
	(region_model_manager::get_or_create_initial_value): Likewise.
	(region_model_manager::get_or_create_setjmp_svalue): Likewise.
	(region_model_manager::get_or_create_poisoned_svalue): Likewise.
	(region_model_manager::get_ptr_svalue): Likewise.
	(region_model_manager::get_or_create_unaryop): Likewise.
	(region_model_manager::get_or_create_binop): Likewise.
	(region_model_manager::get_or_create_sub_svalue): Likewise.
	(region_model_manager::get_or_create_repeated_svalue): Likewise.
	(region_model_manager::get_or_create_bits_within): Likewise.
	(region_model_manager::get_or_create_unmergeable): Likewise.
	(region_model_manager::get_or_create_widening_svalue): Likewise.
	(region_model_manager::get_or_create_compound_svalue): Likewise.
	(region_model_manager::get_or_create_conjured_svalue): Likewise.
	(region_model_manager::get_or_create_asm_output_svalue): Likewise.
	(region_model_manager::get_or_create_const_fn_result_svalue):
	Likewise.
	(region_model_manager::get_region_for_fndecl): Likewise.
	(region_model_manager::get_region_for_label): Likewise.
	(region_model_manager::get_region_for_global): Likewise.
	(region_model_manager::get_field_region): Likewise.
	(region_model_manager::get_element_region): Likewise.
	(region_model_manager::get_offset_region): Likewise.
	(region_model_manager::get_sized_region): Likewise.
	(region_model_manager::get_cast_region): Likewise.
	(region_model_manager::get_frame_region): Likewise.
	(region_model_manager::get_symbolic_region): Likewise.
	(region_model_manager::get_region_for_string): Likewise.
	(region_model_manager::get_bit_range): Likewise.
	(region_model_manager::get_var_arg_region): Likewise.
	(region_model_manager::get_region_for_unexpected_tree_code):
	Likewise.
	(region_model_manager::get_or_create_region_for_heap_alloc):
	Likewise.
	(region_model_manager::create_region_for_alloca): Likewise.
	(region_model_manager::log_stats): Likewise.
	* region-model-manager.h (region_model_manager::get_num_regions):
	Replace with...
	(region_model_manager::get_num_symbols): ...this.
	(region_model_manager::alloc_region_id): Replace with...
	(region_model_manager::alloc_symbol_id): ...this.
	(region_model_manager::m_next_region_id): Replace with...
	(region_model_manager::m_next_symbol_id): ...this.
	* region-model.cc (selftest::test_get_representative_tree): Update
	for generalizing region ids to also cover svalues.
	(selftest::test_binop_svalue_folding): Likewise.
	(selftest::test_state_merging): Likewise.
	* region.cc (region::cmp_ids): Delete, in favor of
	symbol::cmp_ids.
	(region::region): Update for introduction of symbol base class.
	(frame_region::get_region_for_local): Likewise.
	(root_region::root_region): Likewise.
	(symbolic_region::symbolic_region): Likewise.
	* region.h: Replace include of "analyzer/complexity.h" with
	"analyzer/symbol.h".
	(class region): Make a subclass of symbol.
	(region::get_id): Delete in favor of symbol::get_id.
	(region::cmp_ids): Delete in favor of symbol::cmp_ids.
	(region::get_complexity): Delete in favor of
	symbol::get_complexity.
	(region::region): Use symbol::id_t for "id" param.
	(region::m_complexity): Move field to symbol base class.
	(region::m_id): Likewise.
	(space_region::space_region): Use symbol::id_t for "id" param.
	(frame_region::frame_region): Likewise.
	(globals_region::globals_region): Likewise.
	(code_region::code_region): Likewise.
	(function_region::function_region): Likewise.
	(label_region::label_region): Likewise.
	(stack_region::stack_region): Likewise.
	(heap_region::heap_region): Likewise.
	(thread_local_region::thread_local_region): Likewise.
	(root_region::root_region): Likewise.
	(symbolic_region::symbolic_region): Likewise.
	(decl_region::decl_region): Likewise.
	(field_region::field_region): Likewise.
	(element_region::element_region): Likewise.
	(offset_region::offset_region): Likewise.
	(sized_region::sized_region): Likewise.
	(cast_region::cast_region): Likewise.
	(heap_allocated_region::heap_allocated_region): Likewise.
	(alloca_region::alloca_region): Likewise.
	(string_region::string_region): Likewise.
	(bit_range_region::bit_range_region): Likewise.
	(var_arg_region::var_arg_region): Likewise.
	(errno_region::errno_region): Likewise.
	(unknown_region::unknown_region): Likewise.
	* svalue.cc (sub_svalue::sub_svalue): Add symbol::id_t param.
	(repeated_svalue::repeated_svalue): Likewise.
	(bits_within_svalue::bits_within_svalue): Likewise.
	(compound_svalue::compound_svalue): Likewise.
	* svalue.h: Replace include of "analyzer/complexity.h" with
	"analyzer/symbol.h".
	(class svalue): Make a subclass of symbol.
	(svalue::get_complexity): Delete in favor of
	symbol::get_complexity.
	(svalue::svalue): Add symbol::id_t param.  Update for new base
	class.
	(svalue::m_complexity): Delete in favor of
	symbol::m_complexity.
	(region_svalue::region_svalue): Add symbol::id_t param
	(constant_svalue::constant_svalue): Likewise.
	(unknown_svalue::unknown_svalue): Likewise.
	(poisoned_svalue::poisoned_svalue): Likewise.
	(setjmp_svalue::setjmp_svalue): Likewise.
	(initial_svalue::initial_svalue): Likewise.
	(unaryop_svalue::unaryop_svalue): Likewise.
	(binop_svalue::binop_svalue): Likewise.
	(sub_svalue::sub_svalue): Likewise.
	(repeated_svalue::repeated_svalue): Likewise.
	(bits_within_svalue::bits_within_svalue): Likewise.
	(unmergeable_svalue::unmergeable_svalue): Likewise.
	(placeholder_svalue::placeholder_svalue): Likewise.
	(widening_svalue::widening_svalue): Likewise.
	(compound_svalue::compound_svalue): Likewise.
	(conjured_svalue::conjured_svalue): Likewise.
	(asm_output_svalue::asm_output_svalue): Likewise.
	(const_fn_result_svalue::const_fn_result_svalue): Likewise.
	* symbol.cc: New file.
	* symbol.h: New file.

2023-07-21  David Malcolm  <dmalcolm (a] redhat.com>

	PR analyzer/110455
	* region-model.cc (region_model::get_gassign_result): Only check
	for bad shift counts when dealing with an integral type.

2023-07-21  David Malcolm  <dmalcolm (a] redhat.com>

	PR analyzer/110433
	PR middle-end/110612
	* access-diagram.cc (class spatial_item): Add virtual dtor.

2023-07-21  David Malcolm  <dmalcolm (a] redhat.com>

	PR analyzer/110387
	* region.h (struct cast_region::key_t): Support "m_type" being
	null by using "m_original_region" for empty/deleted slots.

2023-07-19  David Malcolm  <dmalcolm (a] redhat.com>

	PR analyzer/110700
	* region-model-manager.cc
	(region_model_manager::get_or_create_int_cst): Assert that we have
	an integral or pointer type.
	* sm-taint.cc (taint_state_machine::check_for_tainted_divisor):
	Don't check non-integral types.

2023-06-29  benjamin priour  <priour.be (a] gmail.com>

	PR analyzer/110198
	* region-model-manager.cc
	(region_model_manager::get_or_create_initial_value): Take an
	optional boolean value to bypass poisoning checks
	* region-model-manager.h: Update declaration of the above function.
	* region-model.cc (region_model::get_store_value): No longer returns
	on OOB, but rather gives a boolean to get_or_create_initial_value.
	(region_model::check_region_access): Update docstring.
	(region_model::check_region_for_write): Update docstring.

2023-06-24  David Malcolm  <dmalcolm (a] redhat.com>

	* access-diagram.cc: Add #define INCLUDE_VECTOR.
	* bounds-checking.cc: Likewise.

2023-06-22  David Malcolm  <dmalcolm (a] redhat.com>

	PR analyzer/106626
	* access-diagram.cc: New file.
	* access-diagram.h: New file.
	* analyzer.h (class region_offset): Add default ctor.
	(region_offset::make_byte_offset): New decl.
	(region_offset::concrete_p): New.
	(region_offset::get_concrete_byte_offset): New.
	(region_offset::calc_symbolic_bit_offset): New decl.
	(region_offset::calc_symbolic_byte_offset): New decl.
	(region_offset::dump_to_pp): New decl.
	(region_offset::dump): New decl.
	(operator<, operator<=, operator>, operator>=): New decls for
	region_offset.
	* analyzer.opt
	(-param=analyzer-text-art-string-ellipsis-threshold=): New.
	(-param=analyzer-text-art-string-ellipsis-head-len=): New.
	(-param=analyzer-text-art-string-ellipsis-tail-len=): New.
	(-param=analyzer-text-art-ideal-canvas-width=): New.
	(fanalyzer-debug-text-art): New.
	* bounds-checking.cc: Include "intl.h", "diagnostic-diagram.h",
	and "analyzer/access-diagram.h".
	(class out_of_bounds::oob_region_creation_event_capacity): New.
	(out_of_bounds::out_of_bounds): Add "model" and "sval_hint"
	params.
	(out_of_bounds::mark_interesting_stuff): Use the base region.
	(out_of_bounds::add_region_creation_events): Use
	oob_region_creation_event_capacity.
	(out_of_bounds::get_dir): New pure vfunc.
	(out_of_bounds::maybe_show_notes): New.
	(out_of_bounds::maybe_show_diagram): New.
	(out_of_bounds::make_access_diagram): New.
	(out_of_bounds::m_model): New field.
	(out_of_bounds::m_sval_hint): New field.
	(out_of_bounds::m_region_creation_event_id): New field.
	(concrete_out_of_bounds::concrete_out_of_bounds): Update for new
	fields.
	(concrete_past_the_end::concrete_past_the_end): Likewise.
	(concrete_past_the_end::add_region_creation_events): Use
	oob_region_creation_event_capacity.
	(concrete_buffer_overflow::concrete_buffer_overflow): Update for
	new fields.
	(concrete_buffer_overflow::emit): Replace call to
	maybe_describe_array_bounds with maybe_show_notes.
	(concrete_buffer_overflow::get_dir): New.
	(concrete_buffer_over_read::concrete_buffer_over_read): Update for
	new fields.
	(concrete_buffer_over_read::emit): Replace call to
	maybe_describe_array_bounds with maybe_show_notes.
	(concrete_buffer_overflow::get_dir): New.
	(concrete_buffer_underwrite::concrete_buffer_underwrite): Update
	for new fields.
	(concrete_buffer_underwrite::emit): Replace call to
	maybe_describe_array_bounds with maybe_show_notes.
	(concrete_buffer_underwrite::get_dir): New.
	(concrete_buffer_under_read::concrete_buffer_under_read): Update
	for new fields.
	(concrete_buffer_under_read::emit): Replace call to
	maybe_describe_array_bounds with maybe_show_notes.
	(concrete_buffer_under_read::get_dir): New.
	(symbolic_past_the_end::symbolic_past_the_end): Update for new
	fields.
	(symbolic_buffer_overflow::symbolic_buffer_overflow): Likewise.
	(symbolic_buffer_overflow::emit): Call maybe_show_notes.
	(symbolic_buffer_overflow::get_dir): New.
	(symbolic_buffer_over_read::symbolic_buffer_over_read): Update for
	new fields.
	(symbolic_buffer_over_read::emit): Call maybe_show_notes.
	(symbolic_buffer_over_read::get_dir): New.
	(region_model::check_symbolic_bounds): Add "sval_hint" param.  Pass
	it and sized_offset_reg to diagnostics.
	(region_model::check_region_bounds): Add "sval_hint" param, passing
	it to diagnostics.
	* diagnostic-manager.cc
	(diagnostic_manager::emit_saved_diagnostic): Pass logger to
	pending_diagnostic::emit.
	* engine.cc: Add logger param to pending_diagnostic::emit
	implementations.
	* infinite-recursion.cc: Likewise.
	* kf-analyzer.cc: Likewise.
	* kf.cc: Likewise.  Add nullptr for new param of
	check_region_for_write.
	* pending-diagnostic.h: Likewise in decl.
	* region-model-manager.cc
	(region_model_manager::get_or_create_int_cst): Convert param from
	poly_int64 to const poly_wide_int_ref &.
	(region_model_manager::maybe_fold_binop): Support type being NULL
	when checking for floating-point types.
	Check for (X + Y) - X => Y.  Be less strict about types when folding
	associative ops.  Check for (X + Y) * CST => (X * CST) + (Y * CST).
	* region-model-manager.h
	(region_model_manager::get_or_create_int_cst): Convert param from
	poly_int64 to const poly_wide_int_ref &.
	* region-model.cc: Add logger param to pending_diagnostic::emit
	implementations.
	(region_model::check_external_function_for_access_attr): Update
	for new param of check_region_for_write.
	(region_model::deref_rvalue): Use nullptr rather than NULL.
	(region_model::get_capacity): Handle RK_STRING.
	(region_model::check_region_access): Add "sval_hint" param; pass it to
	check_region_bounds.
	(region_model::check_region_for_write): Add "sval_hint" param;
	pass it to check_region_access.
	(region_model::check_region_for_read): Add NULL for new param to
	check_region_access.
	(region_model::set_value): Pass rhs_sval to
	check_region_for_write.
	(region_model::get_representative_path_var_1): Handle SK_CONSTANT
	in the check for infinite recursion.
	* region-model.h (region_model::check_region_for_write): Add
	"sval_hint" param.
	(region_model::check_region_access): Likewise.
	(region_model::check_symbolic_bounds): Likewise.
	(region_model::check_region_bounds): Likewise.
	* region.cc (region_offset::make_byte_offset): New.
	(region_offset::calc_symbolic_bit_offset): New.
	(region_offset::calc_symbolic_byte_offset): New.
	(region_offset::dump_to_pp): New.
	(region_offset::dump): New.
	(struct linear_op): New.
	(operator<, operator<=, operator>, operator>=): New, for
	region_offset.
	(region::get_next_offset): New.
	(region::get_relative_symbolic_offset): Use ptrdiff_type_node.
	(field_region::get_relative_symbolic_offset): Likewise.
	(element_region::get_relative_symbolic_offset): Likewise.
	(bit_range_region::get_relative_symbolic_offset): Likewise.
	* region.h (region::get_next_offset): New decl.
	* sm-fd.cc: Add logger param to pending_diagnostic::emit
	implementations.
	* sm-file.cc: Likewise.
	* sm-malloc.cc: Likewise.
	* sm-pattern-test.cc: Likewise.
	* sm-sensitive.cc: Likewise.
	* sm-signal.cc: Likewise.
	* sm-taint.cc: Likewise.
	* store.cc (bit_range::contains_p): Allow "out" to be null.
	* store.h (byte_range::get_start_bit_offset): New.
	(byte_range::get_next_bit_offset): New.
	* varargs.cc: Add logger param to pending_diagnostic::emit
	implementations.

2023-06-10  Tim Lange  <mail (a] tim-lange.me>

	PR analyzer/109577
	* constraint-manager.cc (class sval_finder): Visitor to find
	childs in svalue trees.
	(constraint_manager::sval_constrained_p): Add new function to
	check whether a sval might be part of an constraint.
	* constraint-manager.h: Add sval_constrained_p function.
	* region-model.cc (class size_visitor): Reverse behavior to not
	emit a warning on not explicitly considered cases.
	(region_model::check_region_size):
	Adapt to size_visitor changes.

2023-06-09  David Malcolm  <dmalcolm (a] redhat.com>

	PR analyzer/110112
	* region-model.cc (region_model::get_initial_value_for_global):
	Move code to region::calc_initial_value_at_main.
	* region.cc (region::get_initial_value_at_main): New function.
	(region::calc_initial_value_at_main): New function, based on code
	in region_model::get_initial_value_for_global.
	(region::region): Initialize m_cached_init_sval_at_main.
	(decl_region::get_svalue_for_constructor): Add a cache, splitting
	out body to...
	(decl_region::calc_svalue_for_constructor): ...this new function.
	* region.h (region::get_initial_value_at_main): New decl.
	(region::calc_initial_value_at_main): New decl.
	(region::m_cached_init_sval_at_main): New field.
	(decl_region::decl_region): Initialize m_ctor_svalue.
	(decl_region::calc_svalue_for_constructor): New decl.
	(decl_region::m_ctor_svalue): New field.

2023-06-08  Benjamin Priour  <vultkayn (a] gcc.gnu.org>

	* bounds-checking.cc (region_model::check_symbolic_bounds): Returns whether the BASE_REG
	region access was OOB.
	(region_model::check_region_bounds): Likewise.
	* region-model.cc (region_model::get_store_value): Creates an
	unknown svalue on OOB-read access to REG.
	(region_model::check_region_access): Returns whether an unknown svalue needs be created.
	(region_model::check_region_for_read): Passes check_region_access return value.
	* region-model.h: Update prior function definitions.

2023-06-02  David Malcolm  <dmalcolm (a] redhat.com>

	PR analyzer/109015
	* kf.cc (class kf_atomic_exchange): New.
	(class kf_atomic_exchange_n): New.
	(class kf_atomic_fetch_op): New.
	(class kf_atomic_op_fetch): New.
	(class kf_atomic_load): New.
	(class kf_atomic_load_n): New.
	(class kf_atomic_store_n): New.
	(register_atomic_builtins): New function.
	(register_known_functions): Call register_atomic_builtins.

2023-06-02  David Malcolm  <dmalcolm (a] redhat.com>

	* store.cc (store::eval_alias_1): Regions in different memory
	spaces can't alias.

2023-05-18  Bernhard Reutner-Fischer  <aldot (a] gcc.gnu.org>

	* region-model-manager.cc (get_code_for_cast): Use _P defines from
	tree.h.
	(region_model_manager::get_or_create_cast): Ditto.
	(region_model_manager::get_region_for_global): Ditto.
	* region-model.cc (region_model::get_lvalue_1): Ditto.
	* region.cc (decl_region::maybe_get_constant_value): Ditto.

2023-03-22  David Malcolm  <dmalcolm (a] redhat.com>

	PR analyzer/109239
	* program-point.cc: Include "analyzer/inlining-iterator.h".
	(program_point::effectively_intraprocedural_p): New function.
	* program-point.h (program_point::effectively_intraprocedural_p):
	New decl.
	* sm-malloc.cc (deref_before_check::emit): Use it when rejecting
	interprocedural cases, so that we reject interprocedural cases
	that have become intraprocedural due to inlining.

2023-03-18  David Malcolm  <dmalcolm (a] redhat.com>

	PR analyzer/109094
	* region-model.cc (region_model::on_longjmp): Pass false for
	new "eval_return_svalue" param of pop_frame.
	(region_model::pop_frame): Add new "eval_return_svalue" param and
	use it to suppress the call to get_rvalue on the result when
	needed by on_longjmp.
	* region-model.h (region_model::pop_frame): Add new
	"eval_return_svalue" param.

2023-03-10  David Malcolm  <dmalcolm (a] redhat.com>

	PR analyzer/109059
	* region-model.cc (region_model::mark_region_as_unknown): Gather a
	set of maybe-live svalues and call on_maybe_live_values with it.
	* store.cc (binding_map::remove_overlapping_bindings): Add new
	"maybe_live_values" param; add any removed svalues to it.
	(binding_cluster::clobber_region): Add NULL as new param of
	remove_overlapping_bindings.
	(binding_cluster::mark_region_as_unknown): Add "maybe_live_values"
	param and pass it to remove_overlapping_bindings.
	(binding_cluster::maybe_get_compound_binding): Add NULL for new
	param of binding_map::remove_overlapping_bindings.
	(binding_cluster::remove_overlapping_bindings): Add
	"maybe_live_values" param and pass to
	binding_map::remove_overlapping_bindings.
	(store::set_value): Capture a set of maybe-live svalues, and call
	on_maybe_live_values with it.
	(store::on_maybe_live_values): New.
	(store::mark_region_as_unknown): Add "maybe_live_values" param
	and pass it to binding_cluster::mark_region_as_unknown.
	(store::remove_overlapping_bindings): Pass NULL for new param of
	binding_cluster::remove_overlapping_bindings.
	* store.h (binding_map::remove_overlapping_bindings): Add
	"maybe_live_values" param.
	(binding_cluster::mark_region_as_unknown): Likewise.
	(binding_cluster::remove_overlapping_bindings): Likewise.
	(store::mark_region_as_unknown): Likewise.
	(store::on_maybe_live_values): New decl.

2023-03-10  David Malcolm  <dmalcolm (a] redhat.com>

	PR analyzer/108475
	PR analyzer/109060
	* sm-malloc.cc (deref_before_check::deref_before_check):
	Initialize new field m_deref_expr.  Assert that arg is non-NULL.
	(deref_before_check::emit): Reject cases where the spelling of the
	thing that was dereferenced differs from that of what is checked,
	or if the dereference expression was not found.  Remove code to
	handle NULL m_arg.
	(deref_before_check::describe_state_change): Remove code to handle
	NULL m_arg.
	(deref_before_check::describe_final_event): Likewise.
	(deref_before_check::sufficiently_similar_p): New.
	(deref_before_check::m_deref_expr): New field.
	(malloc_state_machine::maybe_complain_about_deref_before_check):
	Don't warn if the diag_ptr is NULL.

2023-03-03  David Malcolm  <dmalcolm (a] redhat.com>

	* kf.cc (class kf_sprintf): New.
	(register_known_functions): Register it.

2023-03-02  David Malcolm  <dmalcolm (a] redhat.com>

	PR analyzer/108968
	* region-model.cc (region_model::get_rvalue_1): Handle VAR_DECLs
	with a DECL_HARD_REGISTER by returning UNKNOWN.

2023-03-02  Hans-Peter Nilsson  <hp (a] axis.com>

	* kf.cc (register_known_functions): Add __errno function for newlib.

2023-03-01  David Malcolm  <dmalcolm (a] redhat.com>

	PR analyzer/107565
	* region-model.cc (region_model::on_call_pre): Flatten logic by
	returning early.  Consolidate logic for detecting const and pure
	functions.  When considering whether an unhandled built-in
	function has side-effects, consider all kinds of builtin, rather
	than just BUILT_IN_NORMAL, and don't require
	gimple_builtin_call_types_compatible_p.

2023-03-01  David Malcolm  <dmalcolm (a] redhat.com>

	PR analyzer/108935
	* infinite-recursion.cc (contains_unknown_p): New.
	(sufficiently_different_region_binding_p): New function, splitting
	out inner loop from...
	(sufficiently_different_p): ...here.  Extend detection of unknown
	svalues to also include svalues that contain unknown.  Treat
	changes in frames below the entry to the recursion as being
	sufficiently different to reject being an infinite recursion.

2023-02-21  David Malcolm  <dmalcolm (a] redhat.com>

	PR analyzer/108830
	* analyzer.opt (fanalyzer-suppress-followups): New option.
	* engine.cc (impl_region_model_context::warn): Terminate the path
	if the diagnostic's terminate_path_p vfunc returns true and
	-fanalyzer-suppress-followups is true (the default).
	(impl_sm_context::warn): Likewise, for both overloads.
	* pending-diagnostic.h (pending_diagnostic::terminate_path_p): New
	vfunc.
	* program-state.cc (program_state::on_edge): Terminate the path if
	the ctxt requests it during updating the edge.
	* region-model.cc (poisoned_value_diagnostic::terminate_path_p):
	New vfunc.
	* sm-malloc.cc (null_deref::terminate_path_p): New vfunc.
	(null_arg::terminate_path_p): New vfunc.

2023-02-16  David Malcolm  <dmalcolm (a] redhat.com>

	PR analyzer/108806
	* constraint-manager.cc (bounded_range::dump_to_pp): Use
	bounded_range::singleton_p.
	(constraint_manager::add_bounded_ranges): Handle singleton ranges
	by adding an EQ_EXPR constraint.
	(constraint_manager::impossible_derived_conditions_p): New.
	(constraint_manager::eval_condition): Reject EQ_EXPR when it would
	imply impossible derived conditions.
	(selftest::test_bits): New.
	(selftest::run_constraint_manager_tests): Run it.
	* constraint-manager.h (bounded_range::singleton_p): New.
	(constraint_manager::impossible_derived_conditions_p): New decl.
	* region-model.cc (region_model::get_rvalue_1): Handle
	BIT_AND_EXPR, BIT_IOR_EXPR, and BIT_XOR_EXPR.

2023-02-15  David Malcolm  <dmalcolm (a] redhat.com>

	PR analyzer/108664
	PR analyzer/108666
	PR analyzer/108725
	* diagnostic-manager.cc (epath_finder::get_best_epath): Add
	"target_stmt" param.
	(epath_finder::explore_feasible_paths): Likewise.
	(epath_finder::process_worklist_item): Likewise.
	(saved_diagnostic::calc_best_epath): Pass m_stmt to
	epath_finder::get_best_epath.
	* engine.cc (feasibility_state::maybe_update_for_edge): Move
	per-stmt logic to...
	(feasibility_state::update_for_stmt): ...this new function.
	* exploded-graph.h (feasibility_state::update_for_stmt): New decl.
	* feasible-graph.cc (feasible_node::get_state_at_stmt): New.
	* feasible-graph.h: Include "analyzer/exploded-graph.h".
	(feasible_node::get_state_at_stmt): New decl.
	* infinite-recursion.cc
	(infinite_recursion_diagnostic::check_valid_fpath_p): Update for
	vfunc signature change.
	* pending-diagnostic.h (pending_diagnostic::check_valid_fpath_p):
	Convert first param to a reference.  Add stmt param.
	* region-model.cc: Include "analyzer/feasible-graph.h".
	(poisoned_value_diagnostic::poisoned_value_diagnostic): Add
	"check_expr" param.
	(poisoned_value_diagnostic::check_valid_fpath_p): New.
	(poisoned_value_diagnostic::m_check_expr): New field.
	(region_model::check_for_poison): Attempt to supply a check_expr
	to the diagnostic
	(region_model::deref_rvalue): Add NULL for new check_expr param
	of poisoned_value_diagnostic.
	(region_model::get_or_create_region_for_heap_alloc): Don't reuse
	regions that are marked as TOUCHED.

2023-02-10  David Malcolm  <dmalcolm (a] redhat.com>

	PR analyzer/108745
	* sm-malloc.cc (deref_before_check::emit): Reject the warning if
	the check occurs within a macro defintion.

2023-02-09  David Malcolm  <dmalcolm (a] redhat.com>

	PR analyzer/108733
	* state-purge.cc (get_candidate_for_purging): Add ADDR_EXPR
	and MEM_REF.

2023-02-08  David Malcolm  <dmalcolm (a] redhat.com>

	PR analyzer/108704
	* state-purge.cc (state_purge_per_decl::process_point_backwards):
	Don't stop processing the decl if it's fully overwritten by
	this stmt if it's also used by this stmt.

2023-02-07  David Malcolm  <dmalcolm (a] redhat.com>

	PR analyzer/108661
	* sm-fd.cc (class kf_read): New.
	(register_known_fd_functions): Register "read".
	* sm-file.cc (class kf_fread): Update comment.

2023-02-02  David Malcolm  <dmalcolm (a] redhat.com>

	PR analyzer/108633
	* sm-fd.cc (fd_state_machine::check_for_fd_attrs): Add missing
	"continue".
	(fd_state_machine::on_listen): Don't issue phase-mismatch or
	type-mismatch warnings for the "invalid" state.

2023-02-01  David Malcolm  <dmalcolm (a] redhat.com>

	PR analyzer/108616
	* pending-diagnostic.cc (fixup_location_in_macro_p): Add "alloca"
	to macros that we shouldn't unwind inside.

2023-01-26  David Malcolm  <dmalcolm (a] redhat.com>

	PR analyzer/108524
	* analyzer.h (class feasible_node): New forward decl.
	* diagnostic-manager.cc (epath_finder::get_best_epath): Add "pd"
	param.
	(epath_finder::explore_feasible_paths): Likewise.
	(epath_finder::process_worklist_item): Likewise.  Use it to call
	pending_diagnostic::check_valid_fpath_p on the final fpath to
	give pending_diagnostic a way to add additional restrictions on
	feasibility.
	(saved_diagnostic::calc_best_epath): Pass pending_diagnostic to
	epath_finder::get_best_epath.
	* infinite-recursion.cc: Include "analyzer/feasible-graph.h".
	(infinite_recursion_diagnostic::check_valid_fpath_p): New.
	(infinite_recursion_diagnostic::fedge_uses_conjured_svalue_p): New.
	(infinite_recursion_diagnostic::expr_uses_conjured_svalue_p): New.
	* pending-diagnostic.h (pending_diagnostic::check_valid_fpath_p):
	New vfunc.

2023-01-19  David Malcolm  <dmalcolm (a] redhat.com>

	PR analyzer/108455
	* analyzer.h (class checker_event): New forward decl.
	(class state_change_event): Indent.
	(class warning_event): New forward decl.
	* checker-event.cc (state_change_event::state_change_event): Add
	"enode" param.
	(warning_event::get_desc): Update for new param of
	evdesc::final_event ctor.
	* checker-event.h (state_change_event::state_change_event): Add
	"enode" param.
	(state_change_event::get_exploded_node): New accessor.
	(state_change_event::m_enode): New field.
	(warning_event::warning_event): New "enode" param.
	(warning_event::get_exploded_node): New accessor.
	(warning_event::m_enode): New field.
	* diagnostic-manager.cc
	(state_change_event_creator::on_global_state_change): Pass
	src_node to state_change_event ctor.
	(state_change_event_creator::on_state_change): Likewise.
	(null_assignment_sm_context::set_next_state): Pass NULL for
	new param of state_change_event ctor.
	* infinite-recursion.cc
	(infinite_recursion_diagnostic::add_final_event): Update for new
	param of warning_event ctor.
	* pending-diagnostic.cc (pending_diagnostic::add_final_event):
	Pass enode to warning_event ctor.
	* pending-diagnostic.h (evdesc::final_event): Add reference to
	warning_event.
	* sm-malloc.cc: Include "analyzer/checker-event.h" and
	"analyzer/exploded-graph.h".
	(deref_before_check::deref_before_check): Initialize new fields.
	(deref_before_check::emit): Reject warnings in which we were
	unable to determine the enodes of the dereference and the check.
	Reject warnings interprocedural warnings. Reject warnings in which
	the dereference doesn't dominate the check.
	(deref_before_check::describe_state_change): Set m_deref_enode.
	(deref_before_check::describe_final_event): Set m_check_enode.
	(deref_before_check::m_deref_enode): New field.
	(deref_before_check::m_check_enode): New field.

2023-01-13  David Malcolm  <dmalcolm (a] redhat.com>

	PR analyzer/105273
	* region-model.cc (has_nondefault_case_for_value_p): New.
	(has_nondefault_cases_for_all_enum_values_p): New.
	(region_model::apply_constraints_for_gswitch): Skip
	implicitly-created "default" when switching on an enum
	and all enum values have non-default cases.
	(rejected_default_case::dump_to_pp): New.
	* region-model.h (region_model_context::possibly_tainted_p): New
	decl.
	(class rejected_default_case): New.
	* sm-taint.cc (region_model_context::possibly_tainted_p): New.
	* supergraph.cc (switch_cfg_superedge::dump_label_to_pp): Dump
	when implicitly_created_default_p.
	(switch_cfg_superedge::implicitly_created_default_p): New.
	* supergraph.h
	(switch_cfg_superedge::implicitly_created_default_p): New decl.

2023-01-11  David Malcolm  <dmalcolm (a] redhat.com>

	PR analyzer/108252
	* kf.cc (class kf_strdup): New.
	(class kf_strndup): New.
	(register_known_functions): Register them.
	* region-model.cc (region_model::on_call_pre): Use
	&HEAP_ALLOCATED_REGION for the default result of an external
	function with the "malloc" attribute, rather than CONJURED_SVALUE.
	(region_model::get_or_create_region_for_heap_alloc): Allow
	"size_in_bytes" to be NULL.
	* store.cc (store::set_value): When handling *UNKNOWN = VAL,
	mark VAL as "maybe bound".

2022-12-16  David Malcolm  <dmalcolm (a] redhat.com>

	PR analyzer/106479
	* kf.cc (kf_memcpy_memmove::impl_call_pre): Pass in source region
	to region_model::check_for_poison.
	* region-model-asm.cc (region_model::on_asm_stmt): Pass NULL
	region to region_model::check_for_poison.
	* region-model.cc (region_model::check_for_poison): Add
	"src_region" param, and pass it to poisoned_value_diagnostic.
	(region_model::on_assignment): Pass NULL region to
	region_model::check_for_poison.
	(region_model::get_rvalue): Likewise.
	* region-model.h (region_model::check_for_poison): Add
	"src_region" param.
	* sm-fd.cc (fd_state_machine::on_accept): Pass in source region
	to region_model::check_for_poison.
	* varargs.cc (kf_va_copy::impl_call_pre): Pass NULL region to
	region_model::check_for_poison.
	(kf_va_arg::impl_call_pre): Pass in source region to
	region_model::check_for_poison.

2022-12-14  David Malcolm  <dmalcolm (a] redhat.com>

	PR analyzer/108065
	* region.cc (decl_region::get_svalue_for_initializer): Bail out to
	avoid calling binding_key::make with an empty region.
	* store.cc (binding_map::apply_ctor_val_to_range): Likewise.
	(binding_map::apply_ctor_pair_to_child_region): Likewise.
	(binding_cluster::bind): Likewise.
	(binding_cluster::purge_region): Likewise.
	(binding_cluster::maybe_get_compound_binding): Likewise.
	(binding_cluster::maybe_get_simple_value): Likewise.

2022-12-09  David Malcolm  <dmalcolm (a] redhat.com>

	* analyzer.h (class known_function): Expand comment.
	* region-model-impl-calls.cc: Rename to...
	* kf.cc: ...this.
	* known-function-manager.h (class known_function_manager): Add
	leading comment.

2022-12-09  David Malcolm  <dmalcolm (a] redhat.com>

	PR analyzer/108003
	* call-summary.cc
	(call_summary_replay::convert_region_from_summary_1): Convert
	heap_regs_in_use from auto_sbitmap to auto_bitmap.
	* region-model-manager.cc
	(region_model_manager::get_or_create_region_for_heap_alloc):
	Convert from sbitmap to bitmap.
	* region-model-manager.h: Likewise.
	* region-model.cc
	(region_model::get_or_create_region_for_heap_alloc): Convert from
	auto_sbitmap to auto_bitmap.
	(region_model::get_referenced_base_regions): Likewise.
	* region-model.h: Include "bitmap.h" rather than "sbitmap.h".
	(region_model::get_referenced_base_regions): Convert from
	auto_sbitmap to auto_bitmap.

2022-12-09  David Malcolm  <dmalcolm (a] redhat.com>

	* region-model-impl-calls.cc (class kf_memcpy): Rename to...
	(class kf_memcpy_memmove): ...this.
	(kf_memcpy::impl_call_pre): Rename to...
	(kf_memcpy_memmove::impl_call_pre): ...this, and check the src for
	poison.
	(register_known_functions): Update for above renaming, and
	register BUILT_IN_MEMMOVE and BUILT_IN_MEMMOVE_CHK.

2022-12-06  David Malcolm  <dmalcolm (a] redhat.com>

	PR analyzer/107882
	* region-model.cc (region_model::get_store_value): Return an
	unknown value for empty regions.
	(region_model::set_value): Bail on empty regions.
	* region.cc (region::empty_p): New.
	* region.h (region::empty_p): New decl.
	* state-purge.cc (same_binding_p): Bail if either region is empty.
	* store.cc (binding_key::make): Assert that a concrete binding's
	bit_size must be > 0.
	(binding_cluster::mark_region_as_unknown): Bail on empty regions.
	(binding_cluster::get_binding): Likewise.
	(binding_cluster::remove_overlapping_bindings): Likewise.
	(binding_cluster::on_unknown_fncall): Don't conjure values for
	empty regions.
	(store::fill_region): Bail on empty regions.
	* store.h (class concrete_binding): Update comment to reflect that
	the range of bits must be non-empty.
	(concrete_binding::concrete_binding): Assert that bit range is
	non-empty.

2022-12-06  David Malcolm  <dmalcolm (a] redhat.com>

	PR analyzer/106325
	* region-model-manager.cc
	(region_model_manager::get_or_create_null_ptr): New.
	* region-model-manager.h
	(region_model_manager::get_or_create_null_ptr): New decl.
	* region-model.cc (region_model::on_top_level_param): Add
	"nonnull" param and make use of it.
	(region_model::push_frame): When handling a top-level entrypoint
	to the analysis, determine which params __attribute__((nonnull))
	applies to, and pass to on_top_level_param.
	* region-model.h (region_model::on_top_level_param): Add "nonnull"
	param.

2022-12-06  David Malcolm  <dmalcolm (a] redhat.com>

	* analyzer.h (register_known_analyzer_functions): New decl.
	(register_known_functions_lang_cp): New decl.
	* call-details.cc: New file, split out from
	region-model-impl-calls.cc.
	* call-details.h: New file, split out from region-model.h.
	* call-info.cc: Include "analyzer/call-details.h".
	* call-summary.h: Likewise.
	* kf-analyzer.cc: New file, split out from
	region-model-impl-calls.cc.
	* kf-lang-cp.cc: Likewise.
	* known-function-manager.cc: Include "analyzer/call-details.h".
	* region-model-impl-calls.cc: Move definitions of call_details's
	member functions to call-details.cc.  Move class kf_analyzer_* to
	kf-analyzer.cc.  Move kf_operator_new and kf_operator_delete to
	kf-lang-cp.cc.  Refresh #includes accordingly.
	(register_known_functions): Replace registration of __analyzer_*
	functions with a call to register_known_analyzer_functions.
	Replace registration of C++ support functions with a call to
	register_known_functions_lang_cp.
	* region-model.h (class call_details): Move to new call-details.h.
	* sm-fd.cc: Include "analyzer/call-details.h".
	* sm-file.cc: Likewise.
	* sm-malloc.cc: Likewise.
	* varargs.cc: Likewise.

2022-12-02  David Malcolm  <dmalcolm (a] redhat.com>

	* analyzer.h (struct event_loc_info): New forward decl.
	* bounds-checking.cc: Use event_loc_info throughout to bundle the
	loc, fndecl, depth triples.
	* call-info.cc: Likewise.
	* checker-event.cc: Likewise.
	* checker-event.h (struct event_loc_info): New decl.  Use it
	throughout to bundle the loc, fndecl, depth triples.
	* checker-path.cc: Likewise.
	* checker-path.h: Likewise.
	* diagnostic-manager.cc: Likewise.
	* engine.cc: Likewise.
	* infinite-recursion.cc: Likewise.
	* pending-diagnostic.cc: Likewise.
	* pending-diagnostic.h: Likewise.
	* region-model.cc: Likewise.
	* sm-signal.cc: Likewise.
	* varargs.cc: Likewise.

2022-12-02  David Malcolm  <dmalcolm (a] redhat.com>

	PR analyzer/107851
	* analyzer.cc (make_label_text_n): Convert param "n" from int to
	unsigned HOST_WIDE_INT.
	* analyzer.h (make_label_text_n): Likewise for decl.
	* bounds-checking.cc: Include "analyzer/checker-event.h" and
	"analyzer/checker-path.h".
	(out_of_bounds::add_region_creation_events): New.
	(concrete_past_the_end::describe_region_creation_event): Replace
	with...
	(concrete_past_the_end::add_region_creation_events): ...this.
	(symbolic_past_the_end::describe_region_creation_event): Delete.
	* checker-event.cc (region_creation_event::region_creation_event):
	Update for dropping all member data.
	(region_creation_event::get_desc): Delete, splitting out into
	region_creation_event_memory_space::get_desc,
	region_creation_event_capacity::get_desc, and
	region_creation_event_debug::get_desc.
	(region_creation_event_memory_space::get_desc): New.
	(region_creation_event_capacity::get_desc): New.
	(region_creation_event_allocation_size::get_desc): New.
	(region_creation_event_debug::get_desc): New.
	* checker-event.h: Include "analyzer/program-state.h".
	(enum rce_kind): Delete.
	(class region_creation_event): Drop all member data.
	(region_creation_event::region_creation_event): Make protected.
	(region_creation_event::get_desc): Delete.
	(class region_creation_event_memory_space): New.
	(class region_creation_event_capacity): New.
	(class region_creation_event_allocation_size): New.
	(class region_creation_event_debug): New.
	* checker-path.cc (checker_path::add_region_creation_events): Add
	"pd" param.  Call pending_diangnostic::add_region_creation_events.
	Update for conversion of RCE_DEBUG to region_creation_event_debug.
	* checker-path.h (checker_path::add_region_creation_events): Add
	"pd" param.
	* diagnostic-manager.cc (diagnostic_manager::build_emission_path):
	Pass pending_diagnostic to
	emission_path::add_region_creation_events.
	(diagnostic_manager::build_emission_path): Pass path_builder to
	add_event_on_final_node.
	(diagnostic_manager::add_event_on_final_node): Add "pb" param.
	Pass pending_diagnostic to
	emission_path::add_region_creation_events.
	(diagnostic_manager::add_events_for_eedge): Pass
	pending_diagnostic to emission_path::add_region_creation_events.
	* diagnostic-manager.h
	(diagnostic_manager::add_event_on_final_node): Add "pb" param.
	* pending-diagnostic.cc
	(pending_diagnostic::add_region_creation_events): New.
	* pending-diagnostic.h (struct region_creation): Delete.
	(pending_diagnostic::describe_region_creation_event): Delete.
	(pending_diagnostic::add_region_creation_events): New vfunc.
	* region-model.cc: Include "analyzer/checker-event.h" and
	"analyzer/checker-path.h".
	(dubious_allocation_size::dubious_allocation_size): Initialize
	m_has_allocation_event.
	(dubious_allocation_size::describe_region_creation_event): Delete.
	(dubious_allocation_size::describe_final_event): Update for
	replacement of m_allocation_event with m_has_allocation_event.
	(dubious_allocation_size::add_region_creation_events): New.
	(dubious_allocation_size::m_allocation_event): Replace with...
	(dubious_allocation_size::m_has_allocation_event): ...this.

2022-12-02  David Malcolm  <dmalcolm (a] redhat.com>

	PR analyzer/107948
	* region-model-manager.cc
	(region_model_manager::maybe_fold_binop): Fold (0 - VAL) to -VAL.
	* region-model.cc (region_model::eval_condition): Handle e.g.
	"-X <= 0" as equivalent to X >= 0".

2022-12-01  David Malcolm  <dmalcolm (a] redhat.com>

	PR analyzer/106626
	* bounds-checking.cc
	(symbolic_past_the_end::describe_final_event): Delete, moving to
	symbolic_buffer_overflow::describe_final_event and
	symbolic_buffer_over_read::describe_final_event, eliminating
	composition of text strings via "byte_str" and "m_dir_str".
	(symbolic_past_the_end::m_dir_str): Delete field.
	(symbolic_buffer_overflow::symbolic_buffer_overflow): Drop
	m_dir_str.
	(symbolic_buffer_overflow::describe_final_event): New, as noted
	above.
	(symbolic_buffer_over_read::symbolic_buffer_overflow): Drop
	m_dir_str.
	(symbolic_buffer_over_read::describe_final_event): New, as noted
	above.

2022-12-01  David Malcolm  <dmalcolm (a] redhat.com>

	* bounds-checking.cc (class out_of_bounds): Split out from...
	(class concrete_out_of_bounds): New abstract subclass.
	(class past_the_end): Rename to...
	(class concrete_past_the_end): ...this, and make a subclass of
	concrete_out_of_bounds.
	(class buffer_overflow): Rename to...
	(class concrete_buffer_overflow): ...this, and make a subclass of
	concrete_past_the_end.
	(class buffer_over_read): Rename to...
	(class concrete_buffer_over_read): ...this, and make a subclass of
	concrete_past_the_end.
	(class buffer_underwrite): Rename to...
	(class concrete_buffer_underwrite): ...this, and make a subclass
	of concrete_out_of_bounds.
	(class buffer_under_read): Rename to...
	(class concrete_buffer_under_read): ...this, and make a subclass
	of concrete_out_of_bounds.
	(class symbolic_past_the_end): Convert to a subclass of
	out_of_bounds.
	(symbolic_buffer_overflow::get_kind): New.
	(symbolic_buffer_over_read::get_kind): New.
	(region_model::check_region_bounds): Update for renamings.
	* engine.cc (impl_sm_context::set_next_state): Eliminate
	"new_ctxt", passing NULL to get_rvalue instead.
	(impl_sm_context::warn): Likewise.

2022-12-01  David Malcolm  <dmalcolm (a] redhat.com>

	PR analyzer/106626
	* bounds-checking.cc (out_of_bounds::get_memory_space): New.
	(buffer_overflow::emit): Use it.
	(class buffer_overread): Rename to...
	(class buffer_over_read): ...this.
	(buffer_over_read::emit): Specify which memory space the read is
	from, where known.  Change "overread" to "over-read".
	(class buffer_underflow): Rename to...
	(class buffer_underwrite): ...this.
	(buffer_underwrite::emit): Specify which memory space the write is
	to, where known.  Change "underflow" to "underwrite".
	(class buffer_underread): Rename to...
	(class buffer_under_read): Rename to...
	(buffer_under_read::emit): Specify which memory space the read is
	from, where known.  Change "underread" to "under-read".
	(symbolic_past_the_end::get_memory_space): New.
	(symbolic_buffer_overflow::emit): Use it.
	(class symbolic_buffer_overread): Rename to...
	(class symbolic_buffer_over_read): ...this.
	(symbolic_buffer_over_read::emit): Specify which memory space the
	read is from, where known.  Change "overread" to "over-read".
	(region_model::check_symbolic_bounds): Update for class renaming.
	(region_model::check_region_bounds): Likewise.

2022-12-01  David Malcolm  <dmalcolm (a] redhat.com>

	PR analyzer/106626
	* bounds-checking.cc (out_of_bounds::maybe_describe_array_bounds):
	New.
	(buffer_overflow::emit): Call maybe_describe_array_bounds.
	(buffer_overread::emit): Likewise.
	(buffer_underflow::emit): Likewise.
	(buffer_underread::emit): Likewise.

2022-12-01  David Malcolm  <dmalcolm (a] redhat.com>

	PR analyzer/106626
	* bounds-checking.cc (buffer_overflow::emit): Use inform_n.
	Update wording to clarify that we're talking about the size of
	the bad access, rather than its position.
	(buffer_overread::emit): Likewise.

2022-12-01  David Malcolm  <dmalcolm (a] redhat.com>

	* bounds-checking.cc: New file, taken from region-model.cc.
	* region-model.cc (class out_of_bounds): Move to
	bounds-checking.cc.
	(class past_the_end): Likewise.
	(class buffer_overflow): Likewise.
	(class buffer_overread): Likewise.
	(class buffer_underflow): Likewise.
	(class buffer_underread): Likewise.
	(class symbolic_past_the_end): Likewise.
	(class symbolic_buffer_overflow): Likewise.
	(class symbolic_buffer_overread): Likewise.
	(region_model::check_symbolic_bounds): Likewise.
	(maybe_get_integer_cst_tree): Likewise.
	(region_model::check_region_bounds): Likewise.
	* region-model.h: Add comment.

2022-12-01  David Malcolm  <dmalcolm (a] redhat.com>

	PR analyzer/107928
	* sm-fd.cc (fd_state_machine::on_bind): Handle m_constant_fd in
	the "success" outcome.
	(fd_state_machine::on_connect): Likewise.
	* sm-fd.dot: Add "constant_fd" state and its transitions.

2022-11-30  David Malcolm  <dmalcolm (a] redhat.com>

	* region-model-impl-calls.cc (class kf_fgets): Move to sm-file.cc.
	(kf_fgets::impl_call_pre): Likewise.
	(class kf_fread): Likewise.
	(kf_fread::impl_call_pre): Likewise.
	(class kf_getchar): Likewise.
	(class kf_stdio_output_fn): Likewise.
	(register_known_functions): Move registration of
	BUILT_IN_FPRINTF, BUILT_IN_FPRINTF_UNLOCKED, BUILT_IN_FPUTC,
	BUILT_IN_FPUTC_UNLOCKED, BUILT_IN_FPUTS, BUILT_IN_FPUTS_UNLOCKED,
	BUILT_IN_FWRITE, BUILT_IN_FWRITE_UNLOCKED, BUILT_IN_PRINTF,
	BUILT_IN_PRINTF_UNLOCKED, BUILT_IN_PUTC, BUILT_IN_PUTCHAR,
	BUILT_IN_PUTCHAR_UNLOCKED, BUILT_IN_PUTC_UNLOCKED, BUILT_IN_PUTS,
	BUILT_IN_PUTS_UNLOCKED, BUILT_IN_VFPRINTF, BUILT_IN_VPRINTF,
	"getchar", "fgets", "fgets_unlocked", and "fread" to
	register_known_file_functions.
	* sm-file.cc (class kf_stdio_output_fn): Move here from
	region-model-impl-calls.cc.
	(class kf_fgets): Likewise.
	(class kf_fread): Likewise.
	(class kf_getchar): Likewise.
	(register_known_file_functions): Move registration of
	BUILT_IN_FPRINTF, BUILT_IN_FPRINTF_UNLOCKED, BUILT_IN_FPUTC,
	BUILT_IN_FPUTC_UNLOCKED, BUILT_IN_FPUTS, BUILT_IN_FPUTS_UNLOCKED,
	BUILT_IN_FWRITE, BUILT_IN_FWRITE_UNLOCKED, BUILT_IN_PRINTF,
	BUILT_IN_PRINTF_UNLOCKED, BUILT_IN_PUTC, BUILT_IN_PUTCHAR,
	BUILT_IN_PUTCHAR_UNLOCKED, BUILT_IN_PUTC_UNLOCKED, BUILT_IN_PUTS,
	BUILT_IN_PUTS_UNLOCKED, BUILT_IN_VFPRINTF, BUILT_IN_VPRINTF,
	"fgets", "fgets_unlocked", "fread", and "getchar" to here from
	register_known_functions.

2022-11-30  David Malcolm  <dmalcolm (a] redhat.com>

	PR analyzer/103546
	* analyzer.h (register_known_file_functions): New decl.
	* program-state.cc (sm_state_map::replay_call_summary): Rejct
	attempts to store sm-state for caller_sval that can't have
	associated state.
	* region-model-impl-calls.cc (register_known_functions): Call
	register_known_file_functions.
	* sm-fd.cc (class kf_isatty): New.
	(register_known_fd_functions): Register it.
	* sm-file.cc (class kf_ferror): New.
	(class kf_fileno): New.
	(class kf_getc): New.
	(register_known_file_functions): New.

2022-11-30  David Malcolm  <dmalcolm (a] redhat.com>

	PR analyzer/105784
	* region-model-manager.cc
	(region_model_manager::maybe_fold_binop): For POINTER_PLUS_EXPR,
	PLUS_EXPR and MINUS_EXPR, eliminate requirement that the final
	type matches that of arg0 in favor of a cast.

2022-11-24  Martin Liska  <mliska (a] suse.cz>

	* varargs.cc: Fix Clang warnings.

2022-11-24  David Malcolm  <dmalcolm (a] redhat.com>

	PR analyzer/106473
	* call-summary.cc
	(call_summary_replay::convert_region_from_summary_1): Update for
	change to creation of heap-allocated regions.
	* program-state.cc (test_program_state_1): Likewise.
	(test_program_state_merging): Likewise.
	* region-model-impl-calls.cc (kf_calloc::impl_call_pre): Likewise.
	(kf_malloc::impl_call_pre): Likewise.
	(kf_operator_new::impl_call_pre): Likewise.
	(kf_realloc::impl_call_postsuccess_with_move::update_model): Likewise.
	* region-model-manager.cc
	(region_model_manager::create_region_for_heap_alloc): Convert
	to...
	(region_model_manager::get_or_create_region_for_heap_alloc):
	...this, reusing an existing region if it's unreferenced in the
	client state.
	* region-model-manager.h (region_model_manager::get_num_regions): New.
	 (region_model_manager::create_region_for_heap_alloc): Convert to...
	 (region_model_manager::get_or_create_region_for_heap_alloc): ...this.
	* region-model.cc (region_to_value_map::can_merge_with_p): Reject
	merger when the values are different.
	(region_model::create_region_for_heap_alloc): Convert to...
	(region_model::get_or_create_region_for_heap_alloc): ...this.
	(region_model::get_referenced_base_regions): New.
	(selftest::test_state_merging):  Update for change to creation of
	heap-allocated regions.
	(selftest::test_malloc_constraints): Likewise.
	(selftest::test_malloc): Likewise.
	* region-model.h: Include "sbitmap.h".
	(region_model::create_region_for_heap_alloc): Convert to...
	(region_model::get_or_create_region_for_heap_alloc): ...this.
	(region_model::get_referenced_base_regions): New decl.
	* store.cc (store::canonicalize): Don't purge a heap-allocated region
	that's been marked as escaping.

2022-11-24  David Malcolm  <dmalcolm (a] redhat.com>

	* checker-path.cc (checker_path::inject_any_inlined_call_events):
	Don't dump the address of the block when -fdump-noaddr.

2022-11-24  David Malcolm  <dmalcolm (a] redhat.com>

	* region-model.h (region_model::on_socket): Delete decl.
	(region_model::on_bind): Likewise.
	(region_model::on_listen): Likewise.
	(region_model::on_accept): Likewise.
	(region_model::on_connect): Likewise.
	* sm-fd.cc (kf_socket::outcome_of_socket::update_model): Move body
	of region_model::on_socket into here, ...
	(region_model::on_socket): ...eliminating this function.
	(kf_bind::outcome_of_bind::update_model): Likewise for on_bind...
	(region_model::on_bind): ...eliminating this function.
	(kf_listen::outcome_of_listen::update_model): Likewise fo
	on_listen...
	(region_model::on_listen): ...eliminating this function.
	(kf_accept::outcome_of_accept::update_model): Likewise fo
	on_accept...
	(region_model::on_accept): ...eliminating this function.
	(kf_connect::outcome_of_connect::update_model): Likewise fo
	on_connect...
	(region_model::on_connect): ...eliminating this function.

2022-11-24  David Malcolm  <dmalcolm (a] redhat.com>

	* analyzer.h (register_known_fd_functions): New decl.
	* region-model-impl-calls.cc (class kf_accept): Move to sm-fd.cc.
	(class kf_bind): Likewise.
	(class kf_connect): Likewise.
	(class kf_listen): Likewise.
	(class kf_pipe): Likewise.
	(class kf_socket): Likewise.
	(register_known_functions): Remove registration of the above
	functions, instead calling register_known_fd_functions.
	* sm-fd.cc: Include "analyzer/call-info.h".
	(class kf_socket): Move here from region-model-impl-calls.cc.
	(class kf_bind): Likewise.
	(class kf_listen): Likewise.
	(class kf_accept): Likewise.
	(class kf_connect): Likewise.
	(class kf_pipe): Likewise.
	(register_known_fd_functions): New.

2022-11-22  David Malcolm  <dmalcolm (a] redhat.com>

	PR analyzer/107788
	* known-function-manager.cc (known_function_manager::get_match):
	Don't look up fndecls by name when they're not in the root
	namespace.

2022-11-22  David Malcolm  <dmalcolm (a] redhat.com>

	PR analyzer/107783
	* sm-fd.cc (fd_state_machine::check_for_new_socket_fd): Don't
	complain when old state is "fd-constant".
	(fd_state_machine::on_listen): Likewise.
	(fd_state_machine::on_accept): Likewise.

2022-11-22  David Malcolm  <dmalcolm (a] redhat.com>

	PR analyzer/107807
	* region-model-impl-calls.cc (register_known_functions): Register
	"___errno" and "__error" as synonyms  for "__errno_location".

2022-11-22  David Malcolm  <dmalcolm (a] redhat.com>

	* analyzer.h (class internal_known_function): New.
	(register_varargs_builtins): New decl.
	* engine.cc (exploded_node::on_stmt_pre): Remove
	"out_terminate_path" param from call to region_model::on_stmt_pre.
	(feasibility_state::maybe_update_for_edge): Likewise.
	* known-function-manager.cc: Include "basic-block.h", "gimple.h",
	and "analyzer/region-model.h".
	(known_function_manager::known_function_manager): Initialize
	m_combined_fns_arr.
	(known_function_manager::~known_function_manager): Clean up
	m_combined_fns_arr.
	(known_function_manager::get_by_identifier): Make const.
	(known_function_manager::add): New overloaded definitions for
	enum built_in_function and enum internal_fn.
	(known_function_manager::get_by_fndecl): Delete.
	(known_function_manager::get_match): New.
	(known_function_manager::get_internal_fn): New.
	(known_function_manager::get_normal_builtin): New.
	* known-function-manager.h
	(known_function_manager::get_by_identifier): Make private and
	add const qualifier.
	(known_function_manager::get_by_fndecl): Delete.
	(known_function_manager::add): Add overloaded decls for
	enum built_in_function name and enum internal_fn.
	(known_function_manager::get_match): New decl.
	(known_function_manager::get_internal_fn): New decl.
	(known_function_manager::get_normal_builtin): New decl.
	(known_function_manager::m_combined_fns_arr): New field.
	* region-model-impl-calls.cc (call_details::arg_is_size_p): New.
	(class kf_alloca): New.
	(region_model::impl_call_alloca): Convert to...
	(kf_alloca::impl_call_pre): ...this.
	(kf_analyzer_dump_capacity::matches_call_types_p): Rewrite check
	to use call_details::arg_is_pointer_p.
	(region_model::impl_call_builtin_expect): Convert to...
	(class kf_expect): ...this.
	(class kf_calloc): New, adding check that both arguments are
	size_t.
	(region_model::impl_call_calloc): Convert to...
	(kf_calloc::impl_call_pre): ...this.
	(kf_connect::matches_call_types_p): Rewrite check to use
	call_details::arg_is_pointer_p.
	(region_model::impl_call_error): Convert to...
	(class kf_error): ...this, and...
	(kf_error::impl_call_pre): ...this.
	(class kf_fgets): New, adding checks that args 0 and 2 are
	pointers.
	(region_model::impl_call_fgets): Convert to...
	(kf_fgets::impl_call_pre): ...this.
	(class kf_fread): New, adding checks on the argument types.
	(region_model::impl_call_fread): Convert to...
	(kf_fread::impl_call_pre): ...this.
	(class kf_free): New, adding check that the argument is a pointer.
	(region_model::impl_call_free): Convert to...
	(kf_free::impl_call_post): ...this.
	(class kf_getchar): New.
	(class kf_malloc): New, adding check that the argument is a
	size_t.
	(region_model::impl_call_malloc): Convert to...
	(kf_malloc::impl_call_pre): ...this.
	(class kf_memcpy): New, adding checks on arguments.
	(region_model::impl_call_memcpy): Convert to...
	(kf_memcpy::impl_call_pre): ...this.
	(class kf_memset): New.
	(region_model::impl_call_memset): Convert to...
	(kf_memset::impl_call_pre): ...this.
	(kf_pipe::matches_call_types_p): Rewrite check to use
	call_details::arg_is_pointer_p.
	(kf_putenv::matches_call_types_p): Likewise.
	(class kf_realloc): New, adding checks on the argument types.
	(region_model::impl_call_realloc): Convert to...
	(kf_realloc::impl_call_post): ...this.
	(class kf_strchr): New.
	(region_model::impl_call_strchr): Convert to...
	(kf_strchr::impl_call_post): ...this.
	(class kf_stack_restore): New.
	(class kf_stack_save): New.
	(class kf_stdio_output_fn): New.
	(class kf_strcpy): New,
	(region_model::impl_call_strcpy): Convert to...
	(kf_strcpy::impl_call_pre): ...this.
	(class kf_strlen): New.
	(region_model::impl_call_strlen): Convert to...
	(kf_strlen::impl_call_pre): ...this.
	(class kf_ubsan_bounds): New.
	(region_model::impl_deallocation_call): Reimplement to avoid call
	to impl_call_free.
	(register_known_functions): Add handlers for IFN_BUILTIN_EXPECT
	and IFN_UBSAN_BOUNDS.  Add handlers for BUILT_IN_ALLOCA,
	BUILT_IN_ALLOCA_WITH_ALIGN, BUILT_IN_CALLOC, BUILT_IN_EXPECT,
	BUILT_IN_EXPECT_WITH_PROBABILITY, BUILT_IN_FPRINTF,
	BUILT_IN_FPRINTF_UNLOCKED, BUILT_IN_FPUTC,
	BUILT_IN_FPUTC_UNLOCKED, BUILT_IN_FPUTS, BUILT_IN_FPUTS_UNLOCKED,
	BUILT_IN_FREE, BUILT_IN_FWRITE, BUILT_IN_FWRITE_UNLOCKED,
	BUILT_IN_MALLOC, BUILT_IN_MEMCPY, BUILT_IN_MEMCPY_CHK,
	BUILT_IN_MEMSET, BUILT_IN_MEMSET_CHK, BUILT_IN_PRINTF,
	BUILT_IN_PRINTF_UNLOCKED, BUILT_IN_PUTC, BUILT_IN_PUTCHAR,
	BUILT_IN_PUTCHAR_UNLOCKED, BUILT_IN_PUTC_UNLOCKED, BUILT_IN_PUTS,
	BUILT_IN_PUTS_UNLOCKED, BUILT_IN_REALLOC, BUILT_IN_STACK_RESTORE,
	BUILT_IN_STACK_SAVE, BUILT_IN_STRCHR, BUILT_IN_STRCPY,
	BUILT_IN_STRCPY_CHK, BUILT_IN_STRLEN, BUILT_IN_VFPRINTF, and
	BUILT_IN_VPRINTF. Call register_varargs_builtins.  Add handlers
	for "getchar", "memset", "fgets", "fgets_unlocked", "fread",
	"error", and "error_at_line".
	* region-model.cc (region_model::on_stmt_pre): Drop
	"out_terminate_path" param.
	(region_model::get_known_function): Reimplement by calling
	known_function_manager::get_match, passing new "cd" param.
	Add overload taking enum internal_fn.
	(region_model::on_call_pre): Drop "out_terminate_path" param.
	Remove special-case handling of internal fns IFN_BUILTIN_EXPECT,
	IFN_UBSAN_BOUNDS, and IFN_VA_ARG, of built-in fns BUILT_IN_ALLOCA,
	BUILT_IN_ALLOCA_WITH_ALIGN, BUILT_IN_CALLOC, BUILT_IN_EXPECT,
	BUILT_IN_EXPECT_WITH_PROBABILITY, BUILT_IN_FREE, BUILT_IN_MALLOC,
	BUILT_IN_MEMCPY, BUILT_IN_MEMCPY_CHK, BUILT_IN_MEMSET,
	BUILT_IN_MEMSET_CHK, BUILT_IN_REALLOC, BUILT_IN_STRCHR,
	BUILT_IN_STRCPY, BUILT_IN_STRCPY_CHK, BUILT_IN_STRLEN,
	BUILT_IN_STACK_SAVE, BUILT_IN_STACK_RESTORE, BUILT_IN_FPRINTF,
	BUILT_IN_FPRINTF_UNLOCKED, BUILT_IN_PUTC, BUILT_IN_PUTC_UNLOCKED,
	BUILT_IN_FPUTC, BUILT_IN_FPUTC_UNLOCKED, BUILT_IN_FPUTS,
	BUILT_IN_FPUTS_UNLOCKED, BUILT_IN_FWRITE,
	BUILT_IN_FWRITE_UNLOCKED, BUILT_IN_PRINTF,
	BUILT_IN_PRINTF_UNLOCKED, BUILT_IN_PUTCHAR,
	BUILT_IN_PUTCHAR_UNLOCKED, BUILT_IN_PUTS, BUILT_IN_PUTS_UNLOCKED,
	BUILT_IN_VFPRINTF, BUILT_IN_VPRINTF, BUILT_IN_VA_START, and
	BUILT_IN_VA_COPY, and of named functions "malloc", "calloc",
	"alloca", "realloc", "error", "error_at_line", "fgets",
	"fgets_unlocked", "fread", "getchar", "memset", "strchr", and
	"strlen".  Replace all this special-casing with calls to
	get_known_function for internal fns and for fn decls.
	(region_model::on_call_post): Remove special-casing handling for
	"free" and "strchr", and for BUILT_IN_REALLOC, BUILT_IN_STRCHR,
	and BUILT_IN_VA_END.  Replace by consolidating on usage of
	get_known_function.
	* region-model.h (call_details::arg_is_size_p): New.
	(region_model::on_stmt_pre): Drop "out_terminate_path" param.
	(region_model::on_call_pre): Likewise.
	(region_model::impl_call_alloca): Delete.
	(region_model::impl_call_builtin_expect): Delete.
	(region_model::impl_call_calloc): Delete.
	(region_model::impl_call_error): Delete.
	(region_model::impl_call_fgets): Delete.
	(region_model::impl_call_fread): Delete.
	(region_model::impl_call_free): Delete.
	(region_model::impl_call_malloc): Delete.
	(region_model::impl_call_memcpy): Delete.
	(region_model::impl_call_memset): Delete.
	(region_model::impl_call_realloc): Delete.
	(region_model::impl_call_strchr): Delete.
	(region_model::impl_call_strcpy): Delete.
	(region_model::impl_call_strlen): Delete.
	(region_model::impl_call_va_start): Delete.
	(region_model::impl_call_va_copy): Delete.
	(region_model::impl_call_va_arg): Delete.
	(region_model::impl_call_va_end): Delete.
	(region_model::check_region_for_write): Public.
	(region_model::get_known_function): Add "cd" param.  Add
	overloaded decl taking enum internal_fn.
	* sm-malloc.cc: Update comments.
	* varargs.cc (class kf_va_start): New.
	(region_model::impl_call_va_start): Convert to...
	(kf_va_start::impl_call_pre): ...this.
	(class kf_va_copy): New.
	(region_model::impl_call_va_copy): Convert to...
	(kf_va_copy::impl_call_pre): ...this.
	(class kf_va_arg): New.
	(region_model::impl_call_va_arg): Convert to...
	(kf_va_arg::impl_call_pre): ...this.
	(class kf_va_end): New.
	(region_model::impl_call_va_end): Delete.
	(register_varargs_builtins): New.

2022-11-22  David Malcolm  <dmalcolm (a] redhat.com>

	PR analyzer/107788
	* region-model.cc (region_model::update_for_int_cst_return):
	Require that the return type be an integer type.
	(region_model::update_for_nonzero_return): Likewise.

2022-11-22  David Malcolm  <dmalcolm (a] redhat.com>

	PR analyzer/107783
	* region-model-impl-calls.cc (kf_accept::matches_call_types_p):
	Require that args 1 and 2 be pointers.
	(kf_bind::matches_call_types_p): Require that arg 1 be a pointer.
	* region-model.h (call_details::arg_is_pointer_p): New

2022-11-22  David Malcolm  <dmalcolm (a] redhat.com>

	PR analyzer/107777
	* call-summary.cc
	(call_summary_replay::convert_region_from_summary_1): Handle
	RK_THREAD_LOCAL and RK_ERRNO in switch.
	* region-model.cc (region_model::get_representative_path_var_1):
	Likewise.

2022-11-19  David Malcolm  <dmalcolm (a] redhat.com>

	PR analyzer/107582
	* engine.cc (dynamic_call_info_t::update_model): Update the model
	by pushing or pop a frame, rather than by clobbering it with the
	model from the exploded_node's state.

2022-11-18  David Malcolm  <dmalcolm (a] redhat.com>

	* analyzer.cc (is_pipe_call_p): Delete.
	* analyzer.h (is_pipe_call_p): Delete.
	* region-model-impl-calls.cc (call_details::get_location): New.
	(class kf_analyzer_break): New, adapted from
	region_model::on_stmt_pre.
	(region_model::impl_call_analyzer_describe): Convert to...
	(class kf_analyzer_describe): ...this.
	(region_model::impl_call_analyzer_dump_capacity): Convert to...
	(class kf_analyzer_dump_capacity): ...this.
	(region_model::impl_call_analyzer_dump_escaped): Convert to...
	(class kf_analyzer_dump_escaped): ...this.
	(class kf_analyzer_dump_exploded_nodes): New.
	(region_model::impl_call_analyzer_dump_named_constant): Convert
	to...
	(class kf_analyzer_dump_named_constant): ...this.
	(class dump_path_diagnostic): Move here from region-model.cc.
	(class kf_analyzer_dump_path) New, adapted from
	region_model::on_stmt_pre.
	(class kf_analyzer_dump_region_model): Likewise.
	(region_model::impl_call_analyzer_eval): Convert to...
	(class kf_analyzer_eval): ...this.
	(region_model::impl_call_analyzer_get_unknown_ptr): Convert to...
	(class kf_analyzer_get_unknown_ptr): ...this.
	(class known_function_accept): Rename to...
	(class kf_accept): ...this.
	(class known_function_bind): Rename to...
	(class kf_bind): ...this.
	(class known_function_connect): Rename to...
	(class kf_connect): ...this.
	(region_model::impl_call_errno_location): Convert to...
	(class kf_errno_location): ...this.
	(class known_function_listen): Rename to...
	(class kf_listen): ...this.
	(region_model::impl_call_pipe): Convert to...
	(class kf_pipe): ...this.
	(region_model::impl_call_putenv): Convert to...
	(class kf_putenv): ...this.
	(region_model::impl_call_operator_new): Convert to...
	(class kf_operator_new): ...this.
	(region_model::impl_call_operator_delete): Convert to...
	(class kf_operator_delete): ...this.
	(class known_function_socket): Rename to...
	(class kf_socket): ...this.
	(register_known_functions): Rename param to KFM.  Break out
	existing known functions into a "POSIX" section, and add "pipe",
	"pipe2", and "putenv".  Add debugging functions
	"__analyzer_break", "__analyzer_describe",
	"__analyzer_dump_capacity", "__analyzer_dump_escaped",
	"__analyzer_dump_exploded_nodes",
	"__analyzer_dump_named_constant", "__analyzer_dump_path",
	"__analyzer_dump_region_model", "__analyzer_eval",
	"__analyzer_get_unknown_ptr".  Add C++ support functions
	"operator new", "operator new []", "operator delete", and
	"operator delete []".
	* region-model.cc (class dump_path_diagnostic): Move to
	region-model-impl-calls.cc.
	(region_model::on_stmt_pre): Eliminate special-casing of
	"__analyzer_describe", "__analyzer_dump_capacity",
	"__analyzer_dump_escaped", "__analyzer_dump_named_constant",
	"__analyzer_dump_path", "__analyzer_dump_region_model",
	"__analyzer_eval", "__analyzer_break",
	"__analyzer_dump_exploded_nodes", "__analyzer_get_unknown_ptr",
	"__errno_location", "pipe", "pipe2", "putenv", "operator new",
	"operator new []", "operator delete", "operator delete []"
	"pipe" and "pipe2", handling them instead via the known_functions
	mechanism.
	* region-model.h (call_details::get_location): New decl.
	(region_model::impl_call_analyzer_describe): Delete decl.
	(region_model::impl_call_analyzer_dump_capacity): Delete decl.
	(region_model::impl_call_analyzer_dump_escaped): Delete decl.
	(region_model::impl_call_analyzer_dump_named_constant): Delete decl.
	(region_model::impl_call_analyzer_eval): Delete decl.
	(region_model::impl_call_analyzer_get_unknown_ptr): Delete decl.
	(region_model::impl_call_errno_location): Delete decl.
	(region_model::impl_call_pipe): Delete decl.
	(region_model::impl_call_putenv): Delete decl.
	(region_model::impl_call_operator_new): Delete decl.
	(region_model::impl_call_operator_delete): Delete decl.
	* sm-fd.cc: Update comments.

2022-11-16  David Malcolm  <dmalcolm (a] redhat.com>

	PR analyzer/107711
	* analyzer-language.cc: Include "diagnostic.h".
	(maybe_stash_named_constant): Add logger param and use it to log
	the name being looked up, and the result.
	(stash_named_constants): New, splitting out from...
	(on_finish_translation_unit): ...this function.  Call
	get_or_create_logfile and use the result to create a logger
	instance, passing it to stash_named_constants.
	* analyzer.h (get_or_create_any_logfile): New decl.
	* engine.cc (dump_fout, owns_dump_fout): New globals, split out
	from run_checkers.
	(get_or_create_any_logfile): New function, split out from...
	(run_checkers): ...here, so that the logfile can be opened by
	on_finish_translation_unit.  Clear the globals when closing the
	dump file.

2022-11-16  David Malcolm  <dmalcolm (a] redhat.com>

	* analyzer.h (known_function::matches_call_types_p): New vfunc.
	(known_function::impl_call_pre): Provide base implementation.
	(known_function::impl_call_post): New vfunc.
	(register_known_functions): New.
	* engine.cc (impl_run_checkers): Call register_known_functions.
	* region-model-impl-calls.cc (region_model::impl_call_accept):
	Convert to...
	(class known_function_accept): ...this.
	(region_model::impl_call_bind): Convert to...
	(class known_function_bind): ...this.
	(region_model::impl_call_connect): Convert to...
	(class known_function_connect): ...this.
	(region_model::impl_call_listen): Convert to...
	(class known_function_listen): ...this.
	(region_model::impl_call_socket): Convert to...
	(class known_function_socket): ...this.
	(register_known_functions): New.
	* region-model.cc (region_model::on_call_pre): Remove special
	case for "bind" in favor of the known_function-handling dispatch.
	Add call to known_function::matches_call_types_p to latter.
	(region_model::on_call_post): Remove special cases for "accept",
	"bind", "connect", "listen", and "socket" in favor of dispatch
	to known_function::impl_call_post.
	* region-model.h (region_model::impl_call_accept): Delete decl.
	(region_model::impl_call_bind): Delete decl.
	(region_model::impl_call_connect): Delete decl.
	(region_model::impl_call_listen): Delete decl.
	(region_model::impl_call_socket): Delete decl.
	* sm-fd.cc: Update comments.

2022-11-16  David Malcolm  <dmalcolm (a] redhat.com>

	* checker-event.cc: New file, split out from...
	* checker-path.cc: ...this file.

2022-11-15  David Malcolm  <dmalcolm (a] redhat.com>

	PR analyzer/106140
	* analyzer-language.cc (on_finish_translation_unit): Stash named
	constants "SOCK_STREAM" and "SOCK_DGRAM".
	* analyzer.opt (Wanalyzer-fd-phase-mismatch): New.
	(Wanalyzer-fd-type-mismatch): New.
	* engine.cc (impl_region_model_context::get_state_map_by_name):
	Add "out_sm_context" param.  Allow out_sm_idx to be NULL.
	* exploded-graph.h
	(impl_region_model_context::get_state_map_by_name):
	Add "out_sm_context" param.
	* region-model-impl-calls.cc (region_model::impl_call_accept): New.
	(region_model::impl_call_bind): New.
	(region_model::impl_call_connect): New.
	(region_model::impl_call_listen): New.
	(region_model::impl_call_socket): New.
	* region-model.cc (region_model::on_call_pre): Special-case
	"bind".
	(region_model::on_call_post): Special-case "accept", "bind",
	"connect", "listen", and "socket".
	* region-model.h (region_model::impl_call_accept): New decl.
	(region_model::impl_call_bind): New decl.
	(region_model::impl_call_connect): New decl.
	(region_model::impl_call_listen): New decl.
	(region_model::impl_call_socket): New decl.
	(region_model::on_socket): New decl.
	(region_model::on_bind): New decl.
	(region_model::on_listen): New decl.
	(region_model::on_accept): New decl.
	(region_model::on_connect): New decl.
	(region_model::add_constraint): Make public.
	(region_model::check_for_poison): Make public.
	(region_model_context::get_state_map_by_name): Add out_sm_context param.
	(region_model_context::get_fd_map): Likewise.
	(region_model_context::get_malloc_map): Likewise.
	(region_model_context::get_taint_map): Likewise.
	(noop_region_model_context::get_state_map_by_name): Likewise.
	(region_model_context_decorator::get_state_map_by_name): Likewise.
	* sm-fd.cc: Include "analyzer/supergraph.h" and
	"analyzer/analyzer-language.h".
	(enum expected_phase): New enum.
	(fd_state_machine::m_new_datagram_socket): New.
	(fd_state_machine::m_new_stream_socket): New.
	(fd_state_machine::m_new_unknown_socket): New.
	(fd_state_machine::m_bound_datagram_socket): New.
	(fd_state_machine::m_bound_stream_socket): New.
	(fd_state_machine::m_bound_unknown_socket): New.
	(fd_state_machine::m_listening_stream_socket): New.
	(fd_state_machine::m_m_connected_stream_socket): New.
	(fd_state_machine::m_SOCK_STREAM): New.
	(fd_state_machine::m_SOCK_DGRAM): New.
	(fd_diagnostic::describe_state_change): Handle socket states.
	(fd_diagnostic::get_meaning_for_state_change): Likewise.
	(class fd_phase_mismatch): New.
	(enum expected_type): New enum.
	(class fd_type_mismatch): New.
	(fd_state_machine::fd_state_machine): Initialize new states and
	stashed named constants.
	(fd_state_machine::is_socket_fd_p): New.
	(fd_state_machine::is_datagram_socket_fd_p): New.
	(fd_state_machine::is_stream_socket_fd_p): New.
	(fd_state_machine::on_close): Handle the socket states.
	(fd_state_machine::check_for_open_fd): Complain about fncalls on
	sockets in the wrong phase.  Support socket FDs.
	(add_constraint_ge_zero): New.
	(fd_state_machine::get_state_for_socket_type): New.
	(fd_state_machine::on_socket): New.
	(fd_state_machine::check_for_socket_fd): New.
	(fd_state_machine::check_for_new_socket_fd): New.
	(fd_state_machine::on_bind): New.
	(fd_state_machine::on_listen): New.
	(fd_state_machine::on_accept): New.
	(fd_state_machine::on_connect): New.
	(fd_state_machine::can_purge_p): Don't purge socket values.
	(get_fd_state): New.
	(region_model::mark_as_valid_fd): Use get_fd_state.
	(region_model::on_socket): New.
	(region_model::on_bind): New.
	(region_model::on_listen): New.
	(region_model::on_accept): New.
	(region_model::on_connect): New.
	* sm-fd.dot: Update to reflect sm-fd.cc changes.

2022-11-15  David Malcolm  <dmalcolm (a] redhat.com>

	PR analyzer/106302
	* analyzer-language.cc: New file.
	* analyzer-language.h: New file.
	* analyzer.h (get_stashed_constant_by_name): New decl.
	(log_stashed_constants): New decl.
	* engine.cc (impl_run_checkers): Call log_stashed_constants.
	* region-model-impl-calls.cc
	(region_model::impl_call_analyzer_dump_named_constant): New.
	* region-model.cc (region_model::on_stmt_pre): Handle
	__analyzer_dump_named_constant.
	* region-model.h
	(region_model::impl_call_analyzer_dump_named_constant): New decl.
	* sm-fd.cc (fd_state_machine::m_O_ACCMODE): New.
	(fd_state_machine::m_O_RDONLY): New.
	(fd_state_machine::m_O_WRONLY): New.
	(fd_state_machine::fd_state_machine): Initialize the new fields.
	(fd_state_machine::get_access_mode_from_flag): Use the new fields,
	rather than using the host values.

2022-11-13  David Malcolm  <dmalcolm (a] redhat.com>

	PR analyzer/106235
	* analyzer.opt (Wanalyzer-tainted-assertion): New.
	* checker-path.cc (checker_path::fixup_locations): Pass false to
	pending_diagnostic::fixup_location.
	* diagnostic-manager.cc (get_emission_location): Pass true to
	pending_diagnostic::fixup_location.
	* pending-diagnostic.cc (pending_diagnostic::fixup_location): Add
	bool param.
	* pending-diagnostic.h (pending_diagnostic::fixup_location): Add
	bool param to decl.
	* sm-taint.cc (taint_state_machine::m_tainted_control_flow): New.
	(taint_diagnostic::describe_state_change): Drop "final".
	(class tainted_assertion): New.
	(taint_state_machine::taint_state_machine): Initialize
	m_tainted_control_flow.
	(taint_state_machine::alt_get_inherited_state): Support
	comparisons being tainted, based on their arguments.
	(is_assertion_failure_handler_p): New.
	(taint_state_machine::on_stmt): Complain about calls to assertion
	failure handlers guarded by an attacker-controller conditional.
	Detect attacker-controlled gcond conditionals and gswitch index
	values.
	(taint_state_machine::check_control_flow_arg_for_taint): New.

2022-11-11  David Malcolm  <dmalcolm (a] redhat.com>

	* sm-fd.dot: Fix typo in comment.
	* sm-file.dot: New file.
	* varargs.cc: Fix typo in comment.
	* varargs.dot: New file.

2022-11-11  David Malcolm  <dmalcolm (a] redhat.com>

	* checker-path.h: Split out checker_event and its subclasses to...
	* checker-event.h: ...this new header.

2022-11-11  David Malcolm  <dmalcolm (a] redhat.com>

	PR analyzer/106147
	* analyzer.opt (Wanalyzer-infinite-recursion): New.
	* call-string.cc (call_string::count_occurrences_of_function):
	New.
	* call-string.h (call_string::count_occurrences_of_function): New
	decl.
	* checker-path.cc (function_entry_event::function_entry_event):
	New ctor.
	(checker_path::add_final_event): Delete.
	* checker-path.h (function_entry_event::function_entry_event): New
	ctor.
	(function_entry_event::get_desc): Drop "final".
	(checker_path::add_final_event): Delete.
	* diagnostic-manager.cc
	(diagnostic_manager::emit_saved_diagnostic): Create the final
	event via a new pending_diagnostic::add_final_event vfunc, rather
	than checker_path::add_final_event.
	(diagnostic_manager::add_events_for_eedge): Create function entry
	events via a new pending_diagnostic::add_function_entry_event
	vfunc.
	* engine.cc (exploded_graph::process_node): When creating a new
	PK_BEFORE_SUPERNODE node, call
	exploded_graph::detect_infinite_recursion on it after adding the
	in-edge.
	* exploded-graph.h (exploded_graph::detect_infinite_recursion):
	New decl.
	(exploded_graph::find_previous_entry_to): New decl.
	* infinite-recursion.cc: New file.
	* pending-diagnostic.cc
	(pending_diagnostic::add_function_entry_event): New.
	(pending_diagnostic::add_final_event): New.
	* pending-diagnostic.h
	(pending_diagnostic::add_function_entry_event): New vfunc.
	(pending_diagnostic::add_final_event): New vfunc.

2022-11-10  David Malcolm  <dmalcolm (a] redhat.com>

	PR analyzer/99671
	* analyzer.opt (Wanalyzer-deref-before-check): New warning.
	* diagnostic-manager.cc
	(null_assignment_sm_context::set_next_state): Only add state
	change events for transition to "null" state.
	(null_assignment_sm_context::is_transition_to_null): New.
	* engine.cc (impl_region_model_context::on_pop_frame): New.
	* exploded-graph.h (impl_region_model_context::on_pop_frame): New
	decl.
	* program-state.cc (sm_state_map::clear_any_state): New.
	(sm_state_map::can_merge_with_p): New.
	(program_state::can_merge_with_p): Replace requirement that
	sm-states be equal in favor of an attempt to merge them.
	* program-state.h (sm_state_map::clear_any_state): New decl.
	(sm_state_map::can_merge_with_p): New decl.
	* region-model.cc (region_model::eval_condition): Make const.
	(region_model::pop_frame): Call ctxt->on_pop_frame.
	* region-model.h (region_model::eval_condition): Make const.
	(region_model_context::on_pop_frame): New vfunc.
	(noop_region_model_context::on_pop_frame): New.
	(region_model_context_decorator::on_pop_frame): New.
	* sm-malloc.cc (enum resource_state): Add RS_ASSUMED_NON_NULL.
	(allocation_state::dump_to_pp): Drop "final".
	(struct assumed_non_null_state): New subclass.
	(malloc_state_machine::m_assumed_non_null): New.
	(assumed_non_null_p): New.
	(class deref_before_check): New.
	(assumed_non_null_state::dump_to_pp): New.
	(malloc_state_machine::get_or_create_assumed_non_null_state_for_frame):
	New.
	(malloc_state_machine::maybe_assume_non_null): New.
	(malloc_state_machine::on_stmt): Transition from start state to
	"assumed-non-null" state for pointers passed to
	__attribute__((nonnull)) arguments, and for pointers explicitly
	dereferenced.  Call maybe_complain_about_deref_before_check for
	pointers explicitly compared against NULL.
	(malloc_state_machine::maybe_complain_about_deref_before_check):
	New.
	(malloc_state_machine::on_deallocator_call): Also transition
	"assumed-non-null" states to "freed".
	(malloc_state_machine::on_pop_frame): New.
	(malloc_state_machine::maybe_get_merged_states_nonequal): New.
	* sm-malloc.dot: Update for changes to sm-malloc.cc.
	* sm.h (state_machine::on_pop_frame): New.
	(state_machine::maybe_get_merged_state): New.
	(state_machine::maybe_get_merged_states_nonequal): New.

2022-11-09  David Malcolm  <dmalcolm (a] redhat.com>

	* checker-path.cc (checker_event::debug): New.
	(checker_path::add_event): Move here from checker-path.h.  Add
	logging.
	* checker-path.h (checker_event::debug): New decl.
	(checker_path::checker_path): Add logger param.
	(checker_path::add_event): Move definition from here to
	checker-path.cc.
	(checker_path::m_logger): New field.
	* diagnostic-manager.cc
	(diagnostic_manager::emit_saved_diagnostic): Pass logger to
	checker_path ctor.
	(diagnostic_manager::add_events_for_eedge): Log scope when
	processing a run of stmts.

2022-11-08  David Malcolm  <dmalcolm (a] redhat.com>

	PR analyzer/101962
	* region-model-impl-calls.cc: Update comment.
	* region-model.cc (region_model::check_symbolic_bounds): Fix
	layout of "void" return.  Replace usage of
	eval_condition_without_cm with eval_condition.
	(region_model::eval_condition): Take over body of...
	(region_model::eval_condition_without_cm): ...this subroutine,
	dropping the latter.  Eliminating this distinction avoids issues
	where constraints were not considered when recursing.
	(region_model::compare_initial_and_pointer): Update comment.
	(region_model::symbolic_greater_than): Replace usage of
	eval_condition_without_cm with eval_condition.
	* region-model.h
	(region_model::eval_condition_without_cm): Delete decl.

2022-11-08  David Malcolm  <dmalcolm (a] redhat.com>

	* region-model-impl-calls.cc
	(region_model::impl_call_errno_location): New.
	* region-model-manager.cc
	(region_model_manager::region_model_manager): Initialize
	m_thread_local_region and m_errno_region.
	* region-model-manager.h (region_model_manager::get_errno_region):
	New accessor.
	(region_model_manager::m_thread_local_region): New.
	(region_model_manager::m_errno_region): New.
	* region-model.cc (region_model::on_call_pre): Special-case
	"__errno_location".
	(region_model::set_errno): New.
	* region-model.h (impl_call_errno_location): New decl.
	(region_model::set_errno): New decl.
	* region.cc (thread_local_region::dump_to_pp): New.
	(errno_region::dump_to_pp): New.
	* region.h (enum memory_space): Add MEMSPACE_THREAD_LOCAL.
	(enum region_kind): Add RK_THREAD_LOCAL and RK_ERRNO.
	(class thread_local_region): New.
	(is_a_helper <const thread_local_region *>::test): New.
	(class errno_region): New.
	(is_a_helper <const errno_region *>::test): New.
	* store.cc (binding_cluster::escaped_p): New.
	(store::escaped_p): Treat errno as always having escaped.
	(store::replay_call_summary_cluster): Handle RK_THREAD_LOCAL and
	RK_ERRNO.
	* store.h (binding_cluster::escaped_p): Remove definition.

2022-11-08  David Malcolm  <dmalcolm (a] redhat.com>

	* call-info.cc (success_call_info::get_desc): Delete.
	(failed_call_info::get_desc): Likewise.
	(succeed_or_fail_call_info::get_desc): New.
	* call-info.h (class succeed_or_fail_call_info): New.
	(class success_call_info): Convert to a subclass of
	succeed_or_fail_call_info.
	(class failed_call_info): Likewise.

2022-11-08  David Malcolm  <dmalcolm (a] redhat.com>

	* region-model-impl-calls.cc (region_model::impl_call_strchr):
	Move to on_call_post.  Handle both outcomes using bifurcation,
	rather than just the "not found" case.
	* region-model.cc (region_model::on_call_pre): Move
	BUILT_IN_STRCHR and "strchr" to...
	(region_model::on_call_post): ...here.

2022-11-03  David Malcolm  <dmalcolm (a] redhat.com>

	* analyzer.h: Use std::unique_ptr for state machines from plugins.
	* engine.cc: Likewise.

2022-11-03  David Malcolm  <dmalcolm (a] redhat.com>

	* analyzer.h: Use std::unique_ptr for known functions.
	* engine.cc: Likewise.
	* known-function-manager.cc: Likewise.
	* known-function-manager.h: Likewise.

2022-11-03  David Malcolm  <dmalcolm (a] redhat.com>

	* analysis-plan.cc: Define INCLUDE_MEMORY before including
	system.h.
	* analyzer-pass.cc: Likewise.
	* analyzer-selftests.cc: Likewise.
	* analyzer.cc: Likewise.
	* analyzer.h: Use std::unique_ptr in bifurcation code.
	* call-string.cc: Define INCLUDE_MEMORY before including system.h.
	* complexity.cc: Likewise.
	* engine.cc: Use std::unique_ptr in bifurcation code.
	* exploded-graph.h: Likewise.
	* known-function-manager.cc: Define INCLUDE_MEMORY before
	including system.h.
	* region-model-impl-calls.cc: Use std::unique_ptr in bifurcation
	code.
	* region-model.cc: Likewise.
	* region-model.h: Likewise.
	* supergraph.cc: Define INCLUDE_MEMORY before including system.h.

2022-11-03  David Malcolm  <dmalcolm (a] redhat.com>

	* call-info.cc: Use std::unique_ptr for checker_event.
	* checker-path.cc: Likewise.
	* checker-path.h: Likewise.
	* diagnostic-manager.cc: Likewise.
	* engine.cc: Likewise.
	* pending-diagnostic.cc: Likewise.
	* sm-signal.cc: Likewise.
	* varargs.cc: Likewise.

2022-11-03  David Malcolm  <dmalcolm (a] redhat.com>

	* diagnostic-manager.cc: Include "make-unique.h".
	Use std::unique_ptr for feasibility_problems and exploded_path.
	Delete explicit saved_diagnostic dtor.
	* diagnostic-manager.h: Likewise.
	* engine.cc: Likewise.
	* exploded-graph.h: Likewise.
	* feasible-graph.cc: Likewise.
	* feasible-graph.h: Likewise.

2022-11-03  David Malcolm  <dmalcolm (a] redhat.com>

	* checker-path.cc (rewind_event::rewind_event): Update for usage of
	std::unique_ptr on custom_edge_info.
	* engine.cc (exploded_node::on_longjmp): Likewise.
	(exploded_edge::exploded_edge): Likewise.
	(exploded_edge::~exploded_edge): Delete.
	(exploded_graph::add_function_entry): Update for usage of
	std::unique_ptr on custom_edge_info.
	(exploded_graph::add_edge): Likewise.
	(add_tainted_args_callback): Likewise.
	(exploded_graph::maybe_create_dynamic_call): Likewise.
	(exploded_graph::process_node): Likewise.
	* exploded-graph.h (exploded_edge::~exploded_edge): Delete.
	(exploded_edge::m_custom_info): Use std::unique_ptr.
	(exploded_edge::add_edge): Likewise.
	* sm-signal.cc (register_signal_handler::impl_transition): Use
	make_unique.

2022-11-03  David Malcolm  <dmalcolm (a] redhat.com>

	* diagnostic-manager.cc (saved_diagnostic::saved_diagnostic): Make
	stmt_finder const.
	(saved_diagnostic::~saved_diagnostic): Remove explicit delete of
	m_stmt_finder.
	(diagnostic_manager::add_diagnostic): Make stmt_finder const.
	* diagnostic-manager.h (saved_diagnostic::saved_diagnostic):
	Likewise.
	(saved_diagnostic::m_stmt_finder): Convert to std::unique_ptr.
	(diagnostic_manager::add_diagnostic): Make stmt_finder const.
	* engine.cc (impl_sm_context::impl_sm_context): Likewise.
	(impl_sm_context::m_stmt_finder): Likewise.
	(leak_stmt_finder::clone): Convert return type to std::unique_ptr.
	* exploded-graph.h (stmt_finder::clone): Likewise.

2022-11-03  David Malcolm  <dmalcolm (a] redhat.com>

	* call-info.cc: Add define of INCLUDE_MEMORY.
	* call-summary.cc: Likewise.
	* checker-path.cc: Likewise.
	* constraint-manager.cc: Likewise.
	* diagnostic-manager.cc: Likewise.
	(saved_diagnostic::saved_diagnostic): Use std::unique_ptr for
	param d and field m_d.
	(saved_diagnostic::~saved_diagnostic): Remove explicit delete of m_d.
	(saved_diagnostic::add_note): Use std::unique_ptr for
	param pn.
	(saved_diagnostic::get_pending_diagnostic): Update for conversion
	of m_sd.m_d to unique_ptr.
	(diagnostic_manager::add_diagnostic): Use std::unique_ptr for
	param d.  Remove explicit deletion.
	(diagnostic_manager::add_note): Use std::unique_ptr for param pn.
	(diagnostic_manager::emit_saved_diagnostic): Update for conversion
	of m_sd.m_d to unique_ptr.
	(null_assignment_sm_context::warn): Use std::unique_ptr for
	param d.  Remove explicit deletion.
	* diagnostic-manager.h (saved_diagnostic::saved_diagnostic): Use
	std::unique_ptr for param d.
	(saved_diagnostic::add_note): Likewise for param pn.
	(saved_diagnostic::m_d): Likewise.
	(diagnostic_manager::add_diagnostic): Use std::unique_ptr for
	param d.
	(diagnostic_manager::add_note): Use std::unique_ptr for param pn.
	* engine.cc: Include "make-unique.h".
	(impl_region_model_context::warn): Update to use std::unique_ptr
	for param, removing explicit deletion.
	(impl_region_model_context::add_note): Likewise.
	(impl_sm_context::warn): Update to use std::unique_ptr
	for param.
	(impl_region_model_context::on_state_leak): Likewise for result of
	on_leak.
	(exploded_node::on_longjmp): Use make_unique when creating
	pending_diagnostic.
	(exploded_graph::process_node): Likewise.
	* exploded-graph.h (impl_region_model_context::warn): Update to
	use std::unique_ptr for param.
	(impl_region_model_context::add_note): Likewise.
	* feasible-graph.cc: Add define of INCLUDE_MEMORY.
	* pending-diagnostic.cc: Likewise.
	* pending-diagnostic.h: Include analyzer.sm.h"
	* program-point.cc: Add define of INCLUDE_MEMORY.
	* program-state.cc: Likewise.
	* region-model-asm.cc: Likewise.
	* region-model-impl-calls.cc: Likewise.  Include "make-unique.h".
	(region_model::impl_call_putenv): Use make_unique when creating
	pending_diagnostic.
	* region-model-manager.cc: Add define of INCLUDE_MEMORY.
	* region-model-reachability.cc: Likewise.
	* region-model.cc: Likewise.  Include "make-unique.h".
	(region_model::get_gassign_result): Use make_unique when creating
	pending_diagnostic.
	(region_model::check_for_poison): Likewise.
	(region_model::on_stmt_pre): Likewise.
	(region_model::check_symbolic_bounds): Likewise.
	(region_model::check_region_bounds): Likewise.
	(annotating_ctxt: make_note): Use std::unique_ptr for result.
	(region_model::deref_rvalue): Use make_unique when creating
	pending_diagnostic.
	(region_model::check_for_writable_region): Likewise.
	(region_model::check_region_size): Likewise.
	(region_model::check_dynamic_size_for_floats): Likewise.
	(region_model::maybe_complain_about_infoleak): Likewise.
	(noop_region_model_context::add_note): Use std::unique_ptr for
	param.  Remove explicit deletion.
	* region-model.h: Include "analyzer/pending-diagnostic.h".
	(region_model_context::warn): Convert param to std::unique_ptr.
	(region_model_context::add_note): Likewise.
	(noop_region_model_context::warn): Likewise.
	(noop_region_model_context::add_note): Likewise.
	(region_model_context_decorator::warn): Likewise.
	(region_model_context_decorator::add_note): Likewise.
	(note_adding_context::warn): Likewise.
	(note_adding_context::make_note): Likewise for return type.
	(test_region_model_context::warn): Convert param to
	std::unique_ptr.
	* region.cc: Add define of INCLUDE_MEMORY.
	* sm-fd.cc: Likewise.  Include "make-unique.h".
	(fd_state_machine::check_for_fd_attrs): Use make_unique when
	creating pending_diagnostics.
	(fd_state_machine::on_open): Likewise.
	(fd_state_machine::on_creat): Likewise.
	(fd_state_machine::check_for_dup): Likewise.
	(fd_state_machine::on_close): Likewise.
	(fd_state_machine::check_for_open_fd): Likewise.
	(fd_state_machine::on_leak): Likewise, converting return type to
	std::unique_ptr.
	* sm-file.cc: Add define of INCLUDE_MEMORY.  Include
	"make-unique.h".
	(fileptr_state_machine::on_stmt): Use make_unique when creating
	pending_diagnostic.
	(fileptr_state_machine::on_leak): Likewise, converting return type
	to std::unique_ptr.
	* sm-malloc.cc: Add define of INCLUDE_MEMORY.  Include
	"make-unique.h".
	(malloc_state_machine::on_stmt): Use make_unique when creating
	pending_diagnostic.
	(malloc_state_machine::handle_free_of_non_heap): Likewise.
	(malloc_state_machine::on_deallocator_call): Likewise.
	(malloc_state_machine::on_realloc_call): Likewise.
	(malloc_state_machine::on_leak): Likewise, converting return type
	to std::unique_ptr.
	* sm-pattern-test.cc: Add define of INCLUDE_MEMORY.  Include
	"make-unique.h".
	(pattern_test_state_machine::on_condition): Use make_unique when
	creating pending_diagnostic.
	* sm-sensitive.cc: Add define of INCLUDE_MEMORY.  Include
	"make-unique.h".
	(sensitive_state_machine::warn_for_any_exposure): Use make_unique
	when creating pending_diagnostic.
	* sm-signal.cc: Add define of INCLUDE_MEMORY.  Include
	"make-unique.h".
	(signal_state_machine::on_stmt): Use make_unique when creating
	pending_diagnostic.
	* sm-taint.cc: Add define of INCLUDE_MEMORY.  Include
	"make-unique.h".
	(taint_state_machine::check_for_tainted_size_arg): Use make_unique
	when creating pending_diagnostic.
	(taint_state_machine::check_for_tainted_divisor): Likewise.
	(region_model::check_region_for_taint): Likewise.
	(region_model::check_dynamic_size_for_taint): Likewise.
	* sm.cc: Add define of INCLUDE_MEMORY.  Include
	"analyzer/pending-diagnostic.h".
	(state_machine::on_leak): Move here from sm.h, changing return
	type to std::unique_ptr.
	* sm.h (state_machine::on_leak): Change return type to
	std::unique_ptr.  Move defn of base impl to sm.cc
	(sm_context::warn): Convert param d to std_unique_ptr.
	* state-purge.cc: Add define of INCLUDE_MEMORY.
	* store.cc: Likewise.
	* svalue.cc: Likewise.
	* trimmed-graph.cc: Likewise.
	* varargs.cc: Likewise.  Include "make-unique.h".
	(va_list_state_machine::check_for_ended_va_list): Use make_unique
	when creating pending_diagnostic.
	(va_list_state_machine::on_leak): Likewise, converting return type
	to std::unique_ptr.
	(region_model::impl_call_va_arg): Use make_unique when creating
	pending_diagnostic.

2022-11-03  David Malcolm  <dmalcolm (a] redhat.com>

	PR analyzer/107486
	* analyzer.cc (is_pipe_call_p): New.
	* analyzer.h (is_pipe_call_p): New decl.
	* region-model.cc (region_model::on_call_pre): Use it.
	(region_model::on_call_post): Likewise.

2022-10-26  David Malcolm  <dmalcolm (a] redhat.com>

	* sm-fd.cc (fd_state_machine::on_open): Transition to "unchecked"
	when the mode is symbolic, rather than just on integer constants.
	(fd_state_machine::check_for_open_fd): Don't complain about
	unchecked values in the start state.

2022-10-26  David Malcolm  <dmalcolm (a] redhat.com>

	* sm-fd.dot: New file.

2022-10-24  David Malcolm  <dmalcolm (a] redhat.com>

	PR analyzer/107349
	* varargs.cc (get_va_copy_arg): Fix the non-pointer case.

2022-10-24  David Malcolm  <dmalcolm (a] redhat.com>

	PR analyzer/107345
	* region-model.cc (region_model::eval_condition_without_cm):
	Ensure that constants are on the right-hand side before checking
	for them.

2022-10-24  David Malcolm  <dmalcolm (a] redhat.com>

	* engine.cc (impl_region_model_context::get_malloc_map): Replace
	with...
	(impl_region_model_context::get_state_map_by_name): ...this.
	(impl_region_model_context::get_fd_map): Delete.
	(impl_region_model_context::get_taint_map): Delete.
	* exploded-graph.h (impl_region_model_context::get_fd_map):
	Delete.
	(impl_region_model_context::get_malloc_map): Delete.
	(impl_region_model_context::get_taint_map): Delete.
	(impl_region_model_context::get_state_map_by_name): New.
	* region-model.h (region_model_context::get_state_map_by_name):
	New vfunc.
	(region_model_context::get_fd_map): Convert from vfunc to
	function.
	(region_model_context::get_malloc_map): Likewise.
	(region_model_context::get_taint_map): Likewise.
	(noop_region_model_context::get_state_map_by_name): New.
	(noop_region_model_context::get_fd_map): Delete.
	(noop_region_model_context::get_malloc_map): Delete.
	(noop_region_model_context::get_taint_map): Delete.
	(region_model_context_decorator::get_state_map_by_name): New.
	(region_model_context_decorator::get_fd_map): Delete.
	(region_model_context_decorator::get_malloc_map): Delete.
	(region_model_context_decorator::get_taint_map): Delete.

2022-10-24  David Malcolm  <dmalcolm (a] redhat.com>

	PR analyzer/106300
	* engine.cc (impl_region_model_context::get_fd_map): New.
	* exploded-graph.h (impl_region_model_context::get_fd_map): New
	decl.
	* region-model-impl-calls.cc (region_model::impl_call_pipe): New.
	* region-model.cc (region_model::update_for_int_cst_return): New,
	based on...
	(region_model::update_for_zero_return): ...this.  Reimplement in
	terms of the former.
	(region_model::on_call_pre): Handle "pipe" and "pipe2".
	(region_model::on_call_post): Likewise.
	* region-model.h (region_model::impl_call_pipe): New decl.
	(region_model::update_for_int_cst_return): New decl.
	(region_model::mark_as_valid_fd): New decl.
	(region_model_context::get_fd_map): New pure virtual fn.
	(noop_region_model_context::get_fd_map): New.
	(region_model_context_decorator::get_fd_map): New.
	* sm-fd.cc: Include "analyzer/program-state.h".
	(fd_state_machine::describe_state_change): Handle transitions from
	start state to valid states.
	(fd_state_machine::mark_as_valid_fd): New.
	(fd_state_machine::on_stmt): Add missing return for "creat".
	(region_model::mark_as_valid_fd): New.

2022-10-19  David Malcolm  <dmalcolm (a] redhat.com>

	PR analyzer/105765
	* varargs.cc (get_BT_VALIST_ARG): Rename to...
	(get_va_copy_arg): ...this, and update logic for determining level
	of indirection of va_copy's argument to use type of argument,
	rather than looking at va_list_type_node, to correctly handle
	__builtin_ms_va_copy.
	(get_stateful_BT_VALIST_ARG): Rename to...
	(get_stateful_va_copy_arg): ...this.
	(va_list_state_machine::on_va_copy): Update for renaming.
	(region_model::impl_call_va_copy): Likewise.

2022-10-13  David Malcolm  <dmalcolm (a] redhat.com>

	PR analyzer/107210
	* svalue.cc (constant_svalue::maybe_fold_bits_within): Only
	attempt to extract individual bits when tree_fits_uhwi_p.

2022-10-07  David Malcolm  <dmalcolm (a] redhat.com>

	PR analyzer/105783
	* region-model.cc (selftest::get_bit): New function.
	(selftest::test_bits_within_svalue_folding): New.
	(selfftest::analyzer_region_model_cc_tests): Call it.
	* svalue.cc (constant_svalue::maybe_fold_bits_within): Handle the
	case of extracting a single bit.

2022-10-06  David Malcolm  <dmalcolm (a] redhat.com>

	PR analyzer/107158
	* store.cc (store::replay_call_summary_cluster): Eliminate
	special-casing of RK_HEAP_ALLOCATED in favor of sharing code with
	RK_DECL, avoiding an ICE due to attempting to bind a
	compound_svalue into a binding_cluster when an svalue in the
	summary cluster converts to a compound_svalue in the caller.

2022-10-06  David Malcolm  <dmalcolm (a] redhat.com>

	* call-summary.cc (call_summary_replay::dump_to_pp): Bulletproof
	against NULL caller regions/svalues.

2022-10-05  David Malcolm  <dmalcolm (a] redhat.com>

	* analysis-plan.cc: Simplify includes.
	* analyzer-pass.cc: Likewise.
	* analyzer-selftests.cc: Likewise.
	* analyzer.cc: Likewise.
	* analyzer.h: Add includes of "json.h" and "tristate.h".
	* call-info.cc: Simplify includes.
	* call-string.cc: Likewise.
	* call-summary.cc: Likewise.
	* checker-path.cc: Likewise.
	* complexity.cc: Likewise.
	* constraint-manager.cc: Likewise.
	* diagnostic-manager.cc: Likewise.
	* engine.cc: Likewise.
	* feasible-graph.cc: Likewise.
	* known-function-manager.cc: Likewise.
	* pending-diagnostic.cc: Likewise.
	* program-point.cc: Likewise.
	* program-state.cc: Likewise.
	* region-model-asm.cc: Likewise.
	* region-model-impl-calls.cc: Likewise.
	* region-model-manager.cc: Likewise.
	* region-model-reachability.cc: Likewise.
	* region-model.cc: Likewise.
	* region-model.h: Include "selftest.h".
	* region.cc: Simplify includes.
	* sm-fd.cc: Likewise.
	* sm-file.cc: Likewise.
	* sm-malloc.cc: Likewise.
	* sm-pattern-test.cc: Likewise.
	* sm-sensitive.cc: Likewise.
	* sm-signal.cc: Likewise.
	* sm-taint.cc: Likewise.
	* sm.cc: Likewise.
	* state-purge.cc: Likewise.
	* store.cc: Likewise.
	* store.h: Likewise.
	* supergraph.cc: Likewise.
	* svalue.cc: Likewise.
	* svalue.h: Likewise.
	* trimmed-graph.cc: Likewise.
	* varargs.cc: Likewise.

2022-10-05  David Malcolm  <dmalcolm (a] redhat.com>

	PR analyzer/107060
	* call-summary.cc
	(call_summary_replay::convert_svalue_from_summary_1): Handle NULL
	results from convert_svalue_from_summary in SK_UNARY_OP and
	SK_BIN_OP.
	* engine.cc (impl_region_model_context::on_unknown_change): Bail
	out on svalues that can't have associated state.
	* region-model-impl-calls.cc
	(region_model::impl_call_analyzer_get_unknown_ptr): New.
	* region-model.cc (region_model::on_stmt_pre): Handle
	"__analyzer_get_unknown_ptr".
	* region-model.h
	(region_model::impl_call_analyzer_get_unknown_ptr): New decl.
	* store.cc (store::replay_call_summary_cluster): Avoid trying to
	create binding clusters for base regions that shouldn't have them.

2022-10-05  Martin Liska  <mliska (a] suse.cz>

	* call-summary.cc (call_summary_replay::call_summary_replay):
	Remove unused variable and arguments.
	* call-summary.h: Likewise.
	* engine.cc (exploded_node::on_stmt): Likewise.
	(exploded_node::replay_call_summaries): Likewise.
	(exploded_node::replay_call_summary): Likewise.
	* exploded-graph.h (class exploded_node): Likewise.

2022-10-05  David Malcolm  <dmalcolm (a] redhat.com>

	PR analyzer/107072
	* analyzer-logging.h: Include "diagnostic-core.h".
	* analyzer.h: Include "function.h".
	(class call_summary): New forward decl.
	(class call_summary_replay): New forward decl.
	(struct per_function_data): New forward decl.
	(struct interesting_t): New forward decl.
	(custom_edge_info::update_state): New vfunc.
	* call-info.cc (custom_edge_info::update_state): New.
	* call-summary.cc: New file.
	* call-summary.h: New file.
	* constraint-manager.cc: Include "analyzer/call-summary.h".
	(class replay_fact_visitor): New.
	(constraint_manager::replay_call_summary): New.
	* constraint-manager.h (constraint_manager::replay_call_summary):
	New.
	* engine.cc: Include "analyzer/call-summary.h".
	(exploded_node::on_stmt): Handle call summaries.
	(class call_summary_edge_info): New.
	(exploded_node::replay_call_summaries): New.
	(exploded_node::replay_call_summary): New.
	(per_function_data::~per_function_data): New.
	(per_function_data::add_call_summary): Move here from header and
	reimplement.
	(exploded_graph::process_node): Call update_state rather than
	update_model when handling bifurcation
	(viz_callgraph_node::dump_dot): Use a regular label rather
	than an HTML table; add summaries to dump.
	* exploded-graph.h: Include "alloc-pool.h", "fibonacci_heap.h",
	"supergraph.h", "sbitmap.h", "shortest-paths.h", "analyzer/sm.h",
	"analyzer/program-state.h", and "analyzer/diagnostic-manager.h".
	(exploded_node::replay_call_summaries): New decl.
	(exploded_node::replay_call_summary): New decl.
	(per_function_data::~per_function_data): New decl.
	(per_function_data::add_call_summary): Move implemention from
	header.
	(per_function_data::m_summaries): Update type of element.
	* known-function-manager.h: Include "analyzer/analyzer-logging.h".
	* program-point.h: Include "pretty-print.h" and
	"analyzer/call-string.h".
	* program-state.cc: Include "analyzer/call-summary.h".
	(sm_state_map::replay_call_summary): New.
	(program_state::replay_call_summary): New.
	* program-state.h (sm_state_map::replay_call_summary): New decl.
	(program_state::replay_call_summary): New decl.
	* region-model-manager.cc
	(region_model_manager::get_or_create_asm_output_svalue): New
	overload.
	* region-model-manager.h
	(region_model_manager::get_or_create_asm_output_svalue): New
	overload decl.
	* region-model.cc: Include "analyzer/call-summary.h".
	(region_model::maybe_update_for_edge): Remove call to
	region_model::update_for_call_summary on
	SUPEREDGE_INTRAPROCEDURAL_CALL.
	(region_model::update_for_call_summary): Delete.
	(region_model::replay_call_summary): New.
	* region-model.h (region_model::replay_call_summary): New decl.
	(region_model::update_for_call_summary): Delete decl.
	* store.cc: Include "analyzer/call-summary.h".
	(store::replay_call_summary): New.
	(store::replay_call_summary_cluster): New.
	* store.h: Include "tristate.h".
	(is_a_helper <const ana::concrete_binding *>::test): New.
	(store::replay_call_summary): New decl.
	(store::replay_call_summary_cluster): New decl.
	* supergraph.cc (get_ultimate_function_for_cgraph_edge): Remove
	"static" from decl.
	(supergraph_call_edge): Make stmt param const.
	* supergraph.h: Include "ordered-hash-map.h", "cfg.h",
	"basic-block.h", "gimple.h", "gimple-iterator.h", and "digraph.h".
	(supergraph_call_edge): Make stmt param const.
	(get_ultimate_function_for_cgraph_edge): New decl.
	* svalue.cc (compound_svalue::compound_svalue): Assert that we're
	not nesting compound_svalues.
	* svalue.h: Include "json.h", "analyzer/store.h", and
	"analyzer/program-point.h".
	(asm_output_svalue::get_num_outputs): New accessor.

2022-10-05  David Malcolm  <dmalcolm (a] redhat.com>

	* region-model.h: Include "analyzer/region-model-manager.h"
	(class region_model_manager): Move decl to...
	* region-model-manager.h: ...this new file.

2022-10-05  David Malcolm  <dmalcolm (a] redhat.com>

	* region-model-manager.cc
	(region_model_manager::maybe_fold_unaryop): Fold -(-(VAL)) to VAL.

2022-10-05  David Malcolm  <dmalcolm (a] redhat.com>

	* region-model-manager.cc
	(region_model_manager::get_or_create_widening_svalue): Use a
	function_point rather than a program_point.
	* region-model.cc (selftest::test_widening_constraints): Likewise.
	* region-model.h
	(region_model_manager::get_or_create_widening_svalue): Likewise.
	(model_merger::get_function_point): New.
	* svalue.cc (svalue::can_merge_p): Use a function_point rather
	than a program_point.
	(svalue::can_merge_p): Likewise.
	* svalue.h (widening_svalue::key_t): Likewise.
	(widening_svalue::widening_svalue): Likewise.

2022-09-12  Martin Liska  <mliska (a] suse.cz>

	* region-model.cc (region_model::maybe_complain_about_infoleak):
	Remove unused fields.

2022-09-11  Tim Lange  <mail (a] tim-lange.me>

	PR analyzer/106845
	* region-model.cc (region_model::check_region_bounds):
	Bail out if 0 bytes were accessed.
	* store.cc (byte_range::dump_to_pp):
	Add special case for empty ranges.
	(byte_range::exceeds_p): Restrict to non-empty ranges.
	(byte_range::falls_short_of_p): Restrict to non-empty ranges.
	* store.h (bit_range::empty_p): New function.
	(bit_range::get_last_byte_offset): Restrict to non-empty ranges.
	(byte_range::empty_p): New function.
	(byte_range::get_last_byte_offset): Restrict to non-empty ranges.

2022-09-09  David Malcolm  <dmalcolm (a] redhat.com>

	* analyzer.opt (Wanalyzer-exposure-through-uninit-copy): New.
	* checker-path.cc (region_creation_event::region_creation_event):
	Add "capacity" and "kind" params.
	(region_creation_event::get_desc): Generalize to different kinds
	of event.
	(checker_path::add_region_creation_event): Convert to...
	(checker_path::add_region_creation_events): ...this.
	* checker-path.h (enum rce_kind): New.
	(region_creation_event::region_creation_event): Add "capacity" and
	"kind" params.
	(region_creation_event::m_capacity): New field.
	(region_creation_event::m_rce_kind): New field.
	(checker_path::add_region_creation_event): Convert to...
	(checker_path::add_region_creation_events): ...this.
	* diagnostic-manager.cc (diagnostic_manager::build_emission_path):
	Update for multiple region creation events.
	(diagnostic_manager::add_event_on_final_node): Likewise.
	(diagnostic_manager::add_events_for_eedge): Likewise.
	* region-model-impl-calls.cc (call_details::get_logger): New.
	* region-model.cc: Define INCLUDE_MEMORY before including
	"system.h".  Include "gcc-rich-location.h".
	(class record_layout): New.
	(class exposure_through_uninit_copy): New.
	(contains_uninit_p): New.
	(region_model::maybe_complain_about_infoleak): New.
	* region-model.h (call_details::get_logger): New decl.
	(region_model::maybe_complain_about_infoleak): New decl.
	(region_model::mark_as_tainted): New decl.
	* sm-taint.cc (region_model::mark_as_tainted): New.

2022-09-09  David Malcolm  <dmalcolm (a] redhat.com>

	* analyzer.h (class known_function_manager): New forward decl.
	(class known_function): New.
	(plugin_analyzer_init_iface::register_known_function): New.
	* engine.cc: Include "analyzer/known-function-manager.h".
	(plugin_analyzer_init_impl::plugin_analyzer_init_impl): Add
	known_fn_mgr param.
	(plugin_analyzer_init_impl::register_state_machine): Add
	LOC_SCOPE.
	(plugin_analyzer_init_impl::register_known_function): New.
	(plugin_analyzer_init_impl::m_known_fn_mgr): New.
	(impl_run_checkers): Update plugin callback invocation to use
	eng's known_function_manager.
	* known-function-manager.cc: New file.
	* known-function-manager.h: New file.
	* region-model-manager.cc
	(region_model_manager::region_model_manager): Pass logger to
	m_known_fn_mgr's ctor.
	* region-model.cc (region_model::update_for_zero_return): New.
	(region_model::update_for_nonzero_return): New.
	(maybe_simplify_upper_bound): New.
	(region_model::maybe_get_copy_bounds): New.
	(region_model::get_known_function): New.
	(region_model::on_call_pre): Handle plugin-supplied known
	functions.
	* region-model.h: Include "analyzer/known-function-manager.h".
	(region_model_manager::get_known_function_manager): New.
	(region_model_manager::m_known_fn_mgr): New.
	(call_details::get_model): New accessor.
	(region_model::maybe_get_copy_bounds): New decl.
	(region_model::update_for_zero_return): New decl.
	(region_model::update_for_nonzero_return): New decl.
	(region_model::get_known_function): New decl.
	(region_model::get_known_function_manager): New.

2022-09-08  Tim Lange  <mail (a] tim-lange.me>

	PR analyzer/106625
	* analyzer.h (region_offset): Eliminate m_is_symbolic member.
	* region-model-impl-calls.cc (region_model::impl_call_realloc):
	Refine implementation to be more precise.
	* region-model.cc (class symbolic_past_the_end):
	Abstract diagnostic class to complain about accesses past the end
	with symbolic values.
	(class symbolic_buffer_overflow):
	Concrete diagnostic class to complain about buffer overflows with
	symbolic values.
	(class symbolic_buffer_overread):
	Concrete diagnostic class to complain about buffer overreads with
	symbolic values.
	(region_model::check_symbolic_bounds): New function.
	(maybe_get_integer_cst_tree): New helper function.
	(region_model::check_region_bounds):
	Add call to check_symbolic_bounds if offset is not concrete.
	(region_model::eval_condition_without_cm):
	Add support for EQ_EXPR and GT_EXPR with binaryop_svalues.
	(is_positive_svalue): New hleper function.
	(region_model::symbolic_greater_than):
	New function to handle GT_EXPR comparisons with symbolic values.
	(region_model::structural_equality): New function to compare
	whether two svalues are structured the same, i.e. evaluate to
	the same value.
	(test_struct): Reflect changes to region::calc_offset.
	(test_var): Likewise.
	(test_array_2): Likewise and add selftest with symbolic i.
	* region-model.h (class region_model): Add check_symbolic_bounds,
	symbolic_greater_than and structural_equality.
	* region.cc (region::get_offset):
	Reflect changes to region::calc_offset.
	(region::calc_offset):
	Compute the symbolic offset if the offset is not concrete.
	(region::get_relative_symbolic_offset): New function to return the
	symbolic offset in bytes relative to its parent.
	(field_region::get_relative_symbolic_offset): Likewise.
	(element_region::get_relative_symbolic_offset): Likewise.
	(offset_region::get_relative_symbolic_offset): Likewise.
	(bit_range_region::get_relative_symbolic_offset): Likewise.
	* region.h: Add get_relative_symbolic_offset.
	* store.cc (binding_key::make):
	Reflect changes to region::calc_offset.
	(binding_map::apply_ctor_val_to_range): Likewise.
	(binding_map::apply_ctor_pair_to_child_region): Likewise.
	(binding_cluster::bind_compound_sval): Likewise.
	(binding_cluster::get_any_binding): Likewise.
	(binding_cluster::maybe_get_compound_binding): Likewise.

2022-09-05  Tim Lange  <mail (a] tim-lange.me>

	* region-model-impl-calls.cc (region_model::impl_call_strcpy):
	Handle the constant string case.
	* region-model.cc (region_model::get_string_size):
	New function to get the string size from a region or svalue.
	* region-model.h (class region_model): Add get_string_size.

2022-09-05  Tim Lange  <mail (a] tim-lange.me>

	* region.cc (cast_region::get_relative_concrete_offset):
	New overloaded method.
	* region.h: Add cast_region::get_relative_concrete_offset.

2022-08-22  Martin Liska  <mliska (a] suse.cz>

	* region-model.cc: Add missing final keyword.

2022-08-18  Tim Lange  <mail (a] tim-lange.me>

	PR analyzer/106181
	* analyzer.opt: Add Wanalyzer-imprecise-floating-point-arithmetic.
	* region-model.cc (is_any_cast_p): Formatting.
	(region_model::check_region_size): Ensure precondition.
	(class imprecise_floating_point_arithmetic): New abstract
	diagnostic class for all floating-point related warnings.
	(class float_as_size_arg): Concrete diagnostic class to complain
	about floating-point operands inside the size argument.
	(class contains_floating_point_visitor):
	New visitor to find floating-point operands inside svalues.
	(region_model::check_dynamic_size_for_floats): New function.
	(region_model::set_dynamic_extents):
	Call to check_dynamic_size_for_floats.
	* region-model.h (class region_model):
	Add region_model::check_dynamic_size_for_floats.

2022-08-16  Martin Liska  <mliska (a] suse.cz>

	* region-model.cc: Fix -Winconsistent-missing-override clang
	warning.
	* region.h: Likewise.

2022-08-15  David Malcolm  <dmalcolm (a] redhat.com>

	PR analyzer/106626
	* region-model.cc (buffer_overread::emit): Fix copy&paste error in
	direction of the access in the note.

2022-08-15  David Malcolm  <dmalcolm (a] redhat.com>

	PR analyzer/106573
	* region-model.cc (region_model::on_call_pre): Use check_call_args
	when ensuring that we call get_arg_svalue on all args.  Remove
	redundant call from handling for stdio builtins.

2022-08-15  Immad Mir  <mirimmad (a] outlook.com>

	PR analyzer/106551
	* sm-fd.cc (check_for_dup): exit early if first
	argument is invalid for all dup functions.

2022-08-12  Tim Lange  <mail (a] tim-lange.me>

	PR analyzer/106000
	* analyzer.opt: Add Wanalyzer-out-of-bounds.
	* region-model.cc (class out_of_bounds): Diagnostics base class
	for all out-of-bounds diagnostics.
	(class past_the_end): Base class derived from out_of_bounds for
	the buffer_overflow and buffer_overread diagnostics.
	(class buffer_overflow): Buffer overflow diagnostics.
	(class buffer_overread): Buffer overread diagnostics.
	(class buffer_underflow): Buffer underflow diagnostics.
	(class buffer_underread): Buffer overread diagnostics.
	(region_model::check_region_bounds): New function to check region
	bounds for out-of-bounds accesses.
	(region_model::check_region_access):
	Add call to check_region_bounds.
	(region_model::get_representative_tree): New function that accepts
	a region instead of an svalue.
	* region-model.h (class region_model):
	Add region_model::check_region_bounds.
	* region.cc (region::symbolic_p): New predicate.
	(offset_region::get_byte_size_sval): Only return the remaining
	byte size on offset_regions.
	* region.h: Add region::symbolic_p.
	* store.cc (byte_range::intersects_p):
	Add new function equivalent to bit_range::intersects_p.
	(byte_range::exceeds_p): New function.
	(byte_range::falls_short_of_p): New function.
	* store.h (struct byte_range): Add byte_range::intersects_p,
	byte_range::exceeds_p and byte_range::falls_short_of_p.

2022-08-12  Tim Lange  <mail (a] tim-lange.me>

	PR analyzer/106539
	* region-model-impl-calls.cc (region_model::impl_call_realloc):
	Use the result of get_copied_size as the size for the
	sized_regions in realloc.
	(success_with_move::get_copied_size): New function.

2022-08-11  Immad Mir  <mirimmad (a] outlook.com>

	PR analyzer/106551
	* sm-fd.cc (check_for_dup): handle the m_start
	state when transitioning the state of LHS
	of dup, dup2 and dup3 call.

2022-08-09  David Malcolm  <dmalcolm (a] redhat.com>

	PR analyzer/106573
	* region-model.cc (region_model::on_call_pre): Ensure that we call
	get_arg_svalue on all arguments.

2022-08-05  David Malcolm  <dmalcolm (a] redhat.com>

	PR analyzer/105947
	* analyzer.opt (Wanalyzer-jump-through-null): New option.
	* engine.cc (class jump_through_null): New.
	(exploded_graph::process_node): Complain about jumps through NULL
	function pointers.

2022-08-02  Immad Mir  <mirimmad (a] outlook.com>

	PR analyzer/106298
	* sm-fd.cc (fd_state_machine::on_open): Add
	creat, dup, dup2 and dup3 functions.
	(enum dup): New.
	(fd_state_machine::valid_to_unchecked_state): New.
	(fd_state_machine::on_creat): New.
	(fd_state_machine::on_dup): New.

2022-07-28  David Malcolm  <dmalcolm (a] redhat.com>

	PR analyzer/105893
	* analyzer.opt (Wanalyzer-putenv-of-auto-var): New.
	* region-model-impl-calls.cc (class putenv_of_auto_var): New.
	(region_model::impl_call_putenv): New.
	* region-model.cc (region_model::on_call_pre): Handle putenv.
	* region-model.h (region_model::impl_call_putenv): New decl.

2022-07-28  David Malcolm  <dmalcolm (a] redhat.com>

	* sm-malloc.cc (free_of_non_heap::emit): Add comment about CWE.
	* sm-taint.cc (tainted_size::emit): Likewise.

2022-07-28  David Malcolm  <dmalcolm (a] redhat.com>

	* region.h: Add notes to the comment describing the region
	class hierarchy.

2022-07-27  Immad Mir  <mirimmad (a] outlook.com>

	PR analyzer/106286
	* sm-fd.cc:
	(fd_diagnostic::get_meaning_for_state_change): New.

2022-07-26  David Malcolm  <dmalcolm (a] redhat.com>

	PR analyzer/106319
	* store.cc (store::set_value): Don't strip away casts if the
	region has NULL type.

2022-07-26  David Malcolm  <dmalcolm (a] redhat.com>

	* region.h (code_region::get_element): Remove stray decl.
	(function_region::get_element): Likewise.

2022-07-25  Martin Liska  <mliska (a] suse.cz>

	* sm-fd.cc: Run dos2unix and fix coding style issues.

2022-07-23  Immad Mir  <mirimmad (a] outlook.com>

	* sm-fd.cc (fd_param_diagnostic): New diagnostic class.
	(fd_access_mode_mismatch): Change inheritance from fd_diagnostic
	to fd_param_diagnostic. Add new overloaded constructor.
	(fd_use_after_close): Likewise.
	(unchecked_use_of_fd): Likewise and also change name to fd_use_without_check.
	(double_close): Change name to fd_double_close.
	(enum access_directions): New.
	(fd_state_machine::on_stmt): Handle calls to function with the
	new three function attributes.
	(fd_state_machine::check_for_fd_attrs): New.
	(fd_state_machine::on_open): Use the new overloaded constructors
	of diagnostic classes.

2022-07-22  David Malcolm  <dmalcolm (a] redhat.com>

	PR analyzer/106413
	* varargs.cc (region_model::impl_call_va_start): Avoid iterating
	through non-existant variadic arguments by initializing the
	impl_region to "UNKNOWN" if the va_start occurs in the top-level
	function to the analysis.

2022-07-22  David Malcolm  <dmalcolm (a] redhat.com>

	PR analyzer/106401
	* store.cc (binding_cluster::binding_cluster): Remove overzealous
	assertion; we're checking for tracked_p in
	store::get_or_create_cluster.

2022-07-22  Tim Lange  <mail (a] tim-lange.me>

	PR analyzer/106394
	* region-model.cc (capacity_compatible_with_type): Always return true
	if alloc_size is zero.

2022-07-21  David Malcolm  <dmalcolm (a] redhat.com>

	PR analyzer/106383
	* varargs.cc (region_model::impl_call_va_arg): When determining if
	we're doing interprocedural analysis, use the stack depth of the
	frame in which va_start was called, rather than the current stack
	depth.

2022-07-21  David Malcolm  <dmalcolm (a] redhat.com>

	* sm-taint.cc (tainted_array_index::emit): Bulletproof against
	NULL m_arg.
	(tainted_array_index::describe_final_event): Likewise.
	(tainted_size::emit): Likewise.
	(tainted_size::describe_final_event): Likewise.

2022-07-21  David Malcolm  <dmalcolm (a] redhat.com>

	PR analyzer/106374
	* region.cc (decl_region::get_svalue_for_initializer): Bail out on
	untracked regions.

2022-07-20  David Malcolm  <dmalcolm (a] redhat.com>

	PR analyzer/106373
	* sm-taint.cc (taint_state_machine::on_condition): Potentially
	update the state of the RHS as well as the LHS.

2022-07-20  David Malcolm  <dmalcolm (a] redhat.com>

	PR analyzer/106359
	* region.h (string_region::tracked_p): New.
	* store.cc (binding_cluster::binding_cluster): Move here from
	store.h.  Add assertion that base_region is tracked_p.
	* store.h (binding_cluster::binding_cluster): Move to store.cc.

2022-07-19  David Malcolm  <dmalcolm (a] redhat.com>

	PR analyzer/106321
	* constraint-manager.h (bounded_ranges::get_count): New.
	(bounded_ranges::get_range): New.
	* engine.cc (impl_region_model_context::on_bounded_ranges): New.
	* exploded-graph.h (impl_region_model_context::on_bounded_ranges):
	New decl.
	* region-model.cc (region_model::apply_constraints_for_gswitch):
	Potentially call ctxt->on_bounded_ranges.
	* region-model.h (region_model_context::on_bounded_ranges): New
	vfunc.
	(noop_region_model_context::on_bounded_ranges): New.
	(region_model_context_decorator::on_bounded_ranges): New.
	* sm-taint.cc: Include "analyzer/constraint-manager.h".
	(taint_state_machine::on_bounded_ranges): New.
	* sm.h (state_machine::on_bounded_ranges): New.

2022-07-19  David Malcolm  <dmalcolm (a] redhat.com>

	* engine.cc (exploded_graph::process_node): Show any description
	of the out-edge when logging it for consideration.

2022-07-15  David Malcolm  <dmalcolm (a] redhat.com>

	PR analyzer/106284
	* sm-taint.cc (taint_state_machine::on_condition): Handle range
	checks optimized by build_range_check.

2022-07-15  Jonathan Wakely  <jwakely (a] redhat.com>

	* call-info.cc (call_info::print): Adjust to new label_text API.
	* checker-path.cc (checker_event::dump): Likewise.
	(region_creation_event::get_desc): Likewise.
	(state_change_event::get_desc): Likewise.
	(superedge_event::should_filter_p): Likewise.
	(start_cfg_edge_event::get_desc): Likewise.
	(call_event::get_desc): Likewise.
	(return_event::get_desc): Likewise.
	(warning_event::get_desc): Likewise.
	(checker_path::dump): Likewise.
	(checker_path::debug): Likewise.
	* diagnostic-manager.cc (diagnostic_manager::prune_for_sm_diagnostic):
	Likewise.
	(diagnostic_manager::prune_interproc_events): Likewise.
	* engine.cc (feasibility_state::maybe_update_for_edge):
	Likewise.
	* program-state.cc (sm_state_map::to_json): Likewise.
	* region-model-impl-calls.cc (region_model::impl_call_analyzer_describe): Likewise.
	(region_model::impl_call_analyzer_dump_capacity): Likewise.
	* region.cc (region::to_json): Likewise.
	* sm-malloc.cc (inform_nonnull_attribute): Likewise.
	* store.cc (binding_map::to_json): Likewise.
	(store::to_json): Likewise.
	* supergraph.cc (superedge::dump): Likewise.
	* svalue.cc (svalue::to_json): Likewise.

2022-07-07  David Malcolm  <dmalcolm (a] redhat.com>

	* checker-path.cc (start_cfg_edge_event::get_desc): Update for
	superedge::get_description returning a label_text.
	* engine.cc (feasibility_state::maybe_update_for_edge): Likewise.
	* supergraph.cc (superedge::dump): Likewise.
	(superedge::get_description): Convert return type from char * to
	label_text.
	* supergraph.h (superedge::get_description): Likewise.

2022-07-07  David Malcolm  <dmalcolm (a] redhat.com>

	* call-info.cc (call_info::print): Update for removal of
	label_text::maybe_free in favor of automatic memory management.
	* checker-path.cc (checker_event::dump): Likewise.
	(checker_event::prepare_for_emission): Likewise.
	(state_change_event::get_desc): Likewise.
	(superedge_event::should_filter_p): Likewise.
	(start_cfg_edge_event::get_desc): Likewise.
	(warning_event::get_desc): Likewise.
	(checker_path::dump): Likewise.
	(checker_path::debug): Likewise.
	* diagnostic-manager.cc
	(diagnostic_manager::prune_for_sm_diagnostic): Likewise.
	(diagnostic_manager::prune_interproc_events): Likewise.
	* program-state.cc (sm_state_map::to_json): Likewise.
	* region.cc (region::to_json): Likewise.
	* sm-malloc.cc (inform_nonnull_attribute): Likewise.
	* store.cc (binding_map::to_json): Likewise.
	(store::to_json): Likewise.
	* svalue.cc (svalue::to_json): Likewise.

2022-07-07  David Malcolm  <dmalcolm (a] redhat.com>

	PR analyzer/106225
	* sm-taint.cc (taint_state_machine::on_stmt): Move handling of
	assignments from division to...
	(taint_state_machine::check_for_tainted_divisor): ...this new
	function.  Reject warning when the divisor is known to be non-zero.
	* sm.cc: Include "analyzer/program-state.h".
	(sm_context::get_old_region_model): New.
	* sm.h (sm_context::get_old_region_model): New decl.

2022-07-06  Immad Mir  <mirimmad (a] outlook.com>

	PR analyzer/106184
	* sm-fd.cc (fd_state_machine): Change ordering of initialization
	of state m_invalid so that the order of initializers is same as
	the ordering of the fields in the class decl.

2022-07-06  Immad Mir  <mirimmad (a] outlook.com>

	* sm-fd.cc (use_after_close): save the "close" event and
	show it where possible.

2022-07-06  David Malcolm  <dmalcolm (a] redhat.com>

	PR analyzer/106204
	* region-model.cc (within_short_circuited_stmt_p): Move extraction
	of assign_stmt to caller.
	(due_to_ifn_deferred_init_p): New.
	(region_model::check_for_poison): Move extraction of assign_stmt
	from within_short_circuited_stmt_p to here.  Share logic with
	call to due_to_ifn_deferred_init_p.

2022-07-02  Tim Lange  <mail (a] tim-lange.me>

	PR analyzer/105900
	* analyzer.opt: Added Wanalyzer-allocation-size.
	* checker-path.cc (region_creation_event::get_desc): Added call to new
	virtual function pending_diagnostic::describe_region_creation_event.
	* checker-path.h: Added region_creation_event::get_desc.
	* diagnostic-manager.cc (diagnostic_manager::add_event_on_final_node):
	New function.
	* diagnostic-manager.h:
	Added diagnostic_manager::add_event_on_final_node.
	* pending-diagnostic.h (struct region_creation): New event_desc struct.
	(pending_diagnostic::describe_region_creation_event): Added virtual
	function to overwrite description of a region creation.
	* region-model.cc (class dubious_allocation_size): New class.
	(capacity_compatible_with_type): New helper function.
	(class size_visitor): New class.
	(struct_or_union_with_inheritance_p): New helper function.
	(is_any_cast_p): New helper function.
	(region_model::check_region_size): New function.
	(region_model::set_value): Added call to
	region_model::check_region_size.
	* region-model.h (class region_model): New function check_region_size.
	* svalue.cc (region_svalue::accept): Changed to post-order traversal.
	(initial_svalue::accept): Likewise.
	(unaryop_svalue::accept): Likewise.
	(binop_svalue::accept): Likewise.
	(sub_svalue::accept): Likewise.
	(repeated_svalue::accept): Likewise.
	(bits_within_svalue::accept): Likewise.
	(widening_svalue::accept): Likewise.
	(unmergeable_svalue::accept): Likewise.
	(compound_svalue::accept): Likewise.
	(conjured_svalue::accept): Likewise.
	(asm_output_svalue::accept): Likewise.
	(const_fn_result_svalue::accept): Likewise.

2022-07-02  Immad Mir  <mirimmad17 (a] gmail.com>

	PR analyzer/106003
	* analyzer.opt (Wanalyzer-fd-leak): New option.
	(Wanalyzer-fd-access-mode-mismatch): New option.
	(Wanalyzer-fd-use-without-check): New option.
	(Wanalyzer-fd-double-close): New option.
	(Wanalyzer-fd-use-after-close): New option.
	* sm.h (make_fd_state_machine): New decl.
	* sm.cc (make_checkers): Call make_fd_state_machine.
	* sm-fd.cc: New file.

2022-06-24  David Malcolm  <dmalcolm (a] redhat.com>

	* call-string.cc: Add includes of "analyzer/analyzer.h"
	and "analyzer/analyzer-logging.h".
	(call_string::call_string): Delete copy ctor.
	(call_string::operator=): Delete.
	(call_string::operator==): Delete.
	(call_string::hash): Delete.
	(call_string::push_call): Make const, returning the resulting
	call_string.
	(call_string::pop): Delete.
	(call_string::cmp_ptr_ptr): New.
	(call_string::validate): Assert that m_parent is non-NULL, or
	m_elements is empty.
	(call_string::call_string): Move default ctor here from
	call-string.h and reimplement.  Add ctor taking a parent
	and an element.
	(call_string::~call_string): New.
	(call_string::recursive_log): New.
	* call-string.h (call_string::call_string): Move default ctor's
	defn to call-string.cc.  Delete copy ctor.  Add ctor taking a
	parent and an element.
	(call_string::operator=): Delete.
	(call_string::operator==): Delete.
	(call_string::hash): Delete.
	(call_string::push_call): Make const, returning the resulting
	call_string.
	(call_string::pop): Delete decl.
	(call_string::get_parent): New.
	(call_string::cmp_ptr_ptr): New decl.
	(call_string::get_top_of_stack): New.
	(struct call_string::hashmap_traits_t): New.
	(class call_string): Add friend class region_model_manager.  Add
	DISABLE_COPY_AND_ASSIGN.
	(call_string::~call_string): New decl.
	(call_string::recursive_log): New decl.
	(call_string::m_parent): New field.
	(call_string::m_children): New field.
	* constraint-manager.cc (selftest::test_many_constants): Pass
	model manager to program_point::origin.
	* engine.cc (exploded_graph::exploded_graph): Likewise.
	(exploded_graph::add_function_entry): Likewise for
	program_point::from_function_entry.
	(add_tainted_args_callback): Likewise.
	(exploded_graph::maybe_process_run_of_before_supernode_enodes):
	Update for change to program_point.get_call_string.
	(exploded_graph::process_node): Likewise.
	(class function_call_string_cluster): Convert m_cs from a
	call_string to a const call_string &.
	(struct function_call_string): Likewise.
	(pod_hash_traits<function_call_string>::hash): Use pointer_hash
	for m_cs.
	(pod_hash_traits<function_call_string>::equal): Update for change
	to m_cs.
	(root_cluster::add_node): Update for change to
	function_call_string.
	(viz_callgraph_node::dump_dot): Update for change to call_string.
	* exploded-graph.h (per_call_string_data::m_key): Convert to a
	reference.
	(struct eg_call_string_hash_map_traits): Delete.
	(exploded_graph::call_string_data_map_t): Remove traits class.
	* program-point.cc: Move include of "analyzer/call-string.h" to
	after "analyzer/analyzer-logging.h".
	(program_point::print): Update for conversion of m_call_string to
	a pointer.
	(program_point::to_json): Likewise.
	(program_point::push_to_call_stack): Update for immutability of
	call strings.
	(program_point::pop_from_call_stack): Likewise.
	(program_point::hash): Use pointer hashing for m_call_string.
	(program_point::get_function_at_depth): Update for change to
	m_call_string.
	(program_point::validate): Update for changes to call_string.
	(program_point::on_edge): Likewise.
	(program_point::origin): Move here from call-string.h.  Add
	region_model_manager param and use it to get empty call string.
	(program_point::from_function_entry): Likewise.
	(selftest::test_function_point_ordering): Likewise.
	(selftest::test_function_point_ordering): Likewise.
	* program-point.h (program_point::program_point): Update for
	change to m_call_string.
	(program_point::get_call_string): Likewise.
	(program_point::get_stack_depth): Likewise.
	(program_point::origin): Add region_model_manager param, and move
	defn to call-string.cc.
	(program_point::from_function_entry): Likewise.
	(program_point::empty): Drop call_string.
	(program_point::deleted): Likewise.
	(program_point::program_point): New private ctor.
	(program_point::m_call_string): Convert from call_string to const
	call_string *.
	* program-state.cc (selftest::test_program_state_merging): Update
	for call_string changes.
	(selftest::test_program_state_merging_2): Likewise.
	* region-model-manager.cc
	(region_model_manager::region_model_manager): Construct
	m_empty_call_string.
	(region_model_manager::log_stats): Log the call strings.
	* region-model.cc (assert_region_models_merge): Pass the
	region_model_manager when creating program_point instances.
	(selftest::test_state_merging): Likewise.
	(selftest::test_constraint_merging): Likewise.
	(selftest::test_widening_constraints): Likewise.
	(selftest::test_iteration_1): Likewise.
	* region-model.h (region_model_manager::get_empty_call_string):
	New.
	(region_model_manager::m_empty_call_string): New.
	* sm-signal.cc (register_signal_handler::impl_transition): Update
	for changes to call_string.

2022-06-24  David Malcolm  <dmalcolm (a] redhat.com>

	* call-string.cc (call_string::calc_recursion_depth): Whitespace
	cleanups.
	(call_string::cmp): Likewise.
	(call_string::get_caller_node): Likewise.
	(call_string::validate): Likewise.
	* engine.cc (dynamic_call_info_t::add_events_to_path): Likewise.
	(exploded_graph::get_per_function_data): Likewise.
	(exploded_graph::maybe_create_dynamic_call): Likewise.
	(exploded_graph::maybe_create_dynamic_call): Likewise.
	(exploded_graph::process_node): Likewise.

2022-06-16  David Malcolm  <dmalcolm (a] redhat.com>

	* varargs.cc (va_arg_type_mismatch::emit): Associate the warning
	with CWE-686 ("Function Call With Incorrect Argument Type").

2022-06-16  David Malcolm  <dmalcolm (a] redhat.com>

	* varargs.cc: Include "diagnostic-metadata.h".
	(va_list_exhausted::emit): Associate the warning with
	CWE-685 ("Function Call With Incorrect Number of Arguments").

2022-06-16  David Malcolm  <dmalcolm (a] redhat.com>

	* sm-file.cc (double_fclose::emit): Associate the warning with
	CWE-1341 ("Multiple Releases of Same Resource or Handle").

2022-06-15  David Malcolm  <dmalcolm (a] redhat.com>

	PR analyzer/105962
	* analyzer.opt (fanalyzer-undo-inlining): New option.
	* checker-path.cc: Include "diagnostic-core.h" and
	"inlining-iterator.h".
	(event_kind_to_string): Handle EK_INLINED_CALL.
	(class inlining_info): New class.
	(checker_event::checker_event): Move here from checker-path.h.
	Store original fndecl and depth, and calculate effective fndecl
	and depth based on inlining information.
	(checker_event::dump): Emit original depth as well as effective
	depth when they differ; likewise for fndecl.
	(region_creation_event::get_desc): Use m_effective_fndecl.
	(inlined_call_event::get_desc): New.
	(inlined_call_event::get_meaning): New.
	(checker_path::inject_any_inlined_call_events): New.
	* checker-path.h (enum event_kind): Add EK_INLINED_CALL.
	(checker_event::checker_event): Make protected, and move
	definition to checker-path.cc.
	(checker_event::get_fndecl): Use effective fndecl.
	(checker_event::get_stack_depth): Use effective stack depth.
	(checker_event::get_logical_location): Use effective stack depth.
	(checker_event::get_original_stack_depth): New.
	(checker_event::m_fndecl): Rename to...
	(checker_event::m_original_fndecl): ...this.
	(checker_event::m_depth): Rename to...
	(checker_event::m_original_depth): ...this.
	(checker_event::m_effective_fndecl): New field.
	(checker_event::m_effective_depth): New field.
	(class inlined_call_event): New checker_event subclass.
	(checker_path::inject_any_inlined_call_events): New decl.
	* diagnostic-manager.cc: Include "inlining-iterator.h".
	(diagnostic_manager::emit_saved_diagnostic): Call
	checker_path::inject_any_inlined_call_events.
	(diagnostic_manager::prune_for_sm_diagnostic): Handle
	EK_INLINED_CALL.
	* engine.cc (tainted_args_function_custom_event::get_desc): Use
	effective fndecl.
	* inlining-iterator.h: New file.

2022-06-15  David Malcolm  <dmalcolm (a] redhat.com>

	* diagnostic-manager.cc (saved_diagnostic::dump_dot_id): New.
	(saved_diagnostic::dump_as_dot_node): New.
	* diagnostic-manager.h (saved_diagnostic::dump_dot_id): New decl.
	(saved_diagnostic::dump_as_dot_node): New decl.
	* engine.cc (exploded_node::dump_dot): Add nodes for saved
	diagnostics.

2022-06-02  David Malcolm  <dmalcolm (a] redhat.com>

	* checker-path.cc (checker_event::get_meaning): New.
	(function_entry_event::get_meaning): New.
	(state_change_event::get_desc): Add dump of meaning of the event
	to the -fanalyzer-verbose-state-changes output.
	(state_change_event::get_meaning): New.
	(cfg_edge_event::get_meaning): New.
	(call_event::get_meaning): New.
	(return_event::get_meaning): New.
	(start_consolidated_cfg_edges_event::get_meaning): New.
	(warning_event::get_meaning): New.
	* checker-path.h: Include "tree-logical-location.h".
	(checker_event::checker_event): Construct m_logical_loc.
	(checker_event::get_logical_location): New.
	(checker_event::get_meaning): New decl.
	(checker_event::m_logical_loc): New.
	(function_entry_event::get_meaning): New decl.
	(state_change_event::get_meaning): New decl.
	(cfg_edge_event::get_meaning): New decl.
	(call_event::get_meaning): New decl.
	(return_event::get_meaning): New decl.
	(start_consolidated_cfg_edges_event::get_meaning): New.
	(warning_event::get_meaning): New decl.
	* pending-diagnostic.h: Include "diagnostic-path.h".
	(pending_diagnostic::get_meaning_for_state_change): New vfunc.
	* sm-file.cc (file_diagnostic::get_meaning_for_state_change): New
	vfunc impl.
	* sm-malloc.cc (malloc_diagnostic::get_meaning_for_state_change):
	Likewise.
	* sm-sensitive.cc
	(exposure_through_output_file::get_meaning_for_state_change):
	Likewise.
	* sm-taint.cc (taint_diagnostic::get_meaning_for_state_change):
	Likewise.
	* varargs.cc
	(va_list_sm_diagnostic::get_meaning_for_state_change): Likewise.

2022-05-23  David Malcolm  <dmalcolm (a] redhat.com>

	* call-info.cc: Add "final" and "override" to all vfunc
	implementations that were missing them, as appropriate.
	* engine.cc: Likewise.
	* region-model.cc: Likewise.
	* sm-malloc.cc: Likewise.
	* supergraph.h: Likewise.
	* svalue.cc: Likewise.
	* varargs.cc: Likewise.

2022-05-20  David Malcolm  <dmalcolm (a] redhat.com>

	* analyzer-pass.cc: Replace uses of "FINAL" and "OVERRIDE" with
	"final" and "override".
	* call-info.h: Likewise.
	* checker-path.h: Likewise.
	* constraint-manager.cc: Likewise.
	* diagnostic-manager.cc: Likewise.
	* engine.cc: Likewise.
	* exploded-graph.h: Likewise.
	* feasible-graph.h: Likewise.
	* pending-diagnostic.h: Likewise.
	* region-model-impl-calls.cc: Likewise.
	* region-model.cc: Likewise.
	* region-model.h: Likewise.
	* region.h: Likewise.
	* sm-file.cc: Likewise.
	* sm-malloc.cc: Likewise.
	* sm-pattern-test.cc: Likewise.
	* sm-sensitive.cc: Likewise.
	* sm-signal.cc: Likewise.
	* sm-taint.cc: Likewise.
	* state-purge.h: Likewise.
	* store.cc: Likewise.
	* store.h: Likewise.
	* supergraph.h: Likewise.
	* svalue.h: Likewise.
	* trimmed-graph.h: Likewise.
	* varargs.cc: Likewise.

2022-05-16  David Malcolm  <dmalcolm (a] redhat.com>

	PR analyzer/105103
	* analyzer.cc (make_label_text_n): New.
	* analyzer.h (class var_arg_region): New forward decl.
	(make_label_text_n): New decl.
	* analyzer.opt (Wanalyzer-va-arg-type-mismatch): New option.
	(Wanalyzer-va-list-exhausted): New option.
	(Wanalyzer-va-list-leak): New option.
	(Wanalyzer-va-list-use-after-va-end): New option.
	* checker-path.cc (call_event::get_desc): Split out decl access
	into..
	(call_event::get_caller_fndecl): ...this new function and...
	(call_event::get_callee_fndecl): ...this new function.
	* checker-path.h (call_event::get_desc): Drop "FINAL".
	(call_event::get_caller_fndecl): New decl.
	(call_event::get_callee_fndecl): New decl.
	(class call_event): Make fields protected.
	* diagnostic-manager.cc (null_assignment_sm_context::warn): New
	overload.
	(null_assignment_sm_context::get_new_program_state): New.
	(diagnostic_manager::add_events_for_superedge): Move case
	SUPEREDGE_CALL to a new pending_diagnostic::add_call_event vfunc.
	* engine.cc (impl_sm_context::warn): Implement new override.
	(impl_sm_context::get_new_program_state): New.
	* pending-diagnostic.cc: Include "analyzer/diagnostic-manager.h",
	"cpplib.h", "digraph.h", "ordered-hash-map.h", "cfg.h",
	"basic-block.h", "gimple.h", "gimple-iterator.h", "cgraph.h"
	"analyzer/supergraph.h", "analyzer/program-state.h",
	"alloc-pool.h", "fibonacci_heap.h", "shortest-paths.h",
	"sbitmap.h", "analyzer/exploded-graph.h", "diagnostic-path.h",
	and "analyzer/checker-path.h".
	(ht_ident_eq): New.
	(fixup_location_in_macro_p): New.
	(pending_diagnostic::fixup_location): New.
	(pending_diagnostic::add_call_event): New.
	* pending-diagnostic.h (pending_diagnostic::fixup_location): Drop
	no-op inline implementation in favor of the more complex
	implementation above.
	(pending_diagnostic::add_call_event): New vfunc.
	* region-model-impl-calls.cc: Include "analyzer/sm.h",
	"diagnostic-path.h", and "analyzer/pending-diagnostic.h".
	* region-model-manager.cc
	(region_model_manager::get_var_arg_region): New.
	(region_model_manager::log_stats): Log m_var_arg_regions.
	* region-model.cc (region_model::on_call_pre): Handle IFN_VA_ARG,
	BUILT_IN_VA_START, and BUILT_IN_VA_COPY.
	(region_model::on_call_post): Handle BUILT_IN_VA_END.
	(region_model::get_representative_path_var_1): Handle RK_VAR_ARG.
	(region_model::push_frame): Push variadic arguments.
	* region-model.h (region_model_manager::get_var_arg_region): New
	decl.
	(region_model_manager::m_var_arg_regions): New field.
	(region_model::impl_call_va_start): New decl.
	(region_model::impl_call_va_copy): New decl.
	(region_model::impl_call_va_arg): New decl.
	(region_model::impl_call_va_end): New decl.
	* region.cc (alloca_region::dump_to_pp): Dump the id.
	(var_arg_region::dump_to_pp): New.
	(var_arg_region::get_frame_region): New.
	* region.h (enum region_kind): Add RK_VAR_ARG.
	(region::dyn_cast_var_arg_region): New.
	(class var_arg_region): New.
	(is_a_helper <const var_arg_region *>::test): New.
	(struct default_hash_traits<var_arg_region::key_t>): New.
	* sm.cc (make_checkers): Call make_va_list_state_machine.
	* sm.h (sm_context::warn): New vfunc.
	(sm_context::get_old_svalue): Drop unused decl.
	(sm_context::get_new_program_state): New vfunc.
	(make_va_list_state_machine): New decl.
	* varargs.cc: New file.

2022-05-16  Martin Liska  <mliska (a] suse.cz>

	* engine.cc (exploded_node::get_dot_fillcolor): Use ARRAY_SIZE.
	* function-set.cc (test_stdio_example): Likewise.
	* sm-file.cc (get_file_using_fns): Likewise.
	* sm-malloc.cc (malloc_state_machine::unaffected_by_call_p): Likewise.
	* sm-signal.cc (get_async_signal_unsafe_fns): Likewise.

2022-05-13  Richard Biener  <rguenther (a] suse.de>

	* supergraph.cc: Re-order gimple-fold.h include.

2022-05-11  David Malcolm  <dmalcolm (a] redhat.com>

	* checker-path.cc (state_change_event::get_desc): Call maybe_free
	on label_text temporaries.
	* diagnostic-manager.cc
	(diagnostic_manager::prune_for_sm_diagnostic): Likewise.
	* engine.cc (exploded_graph::~exploded_graph): Fix leak of
	m_per_point_data and m_per_call_string_data values.  Simplify
	cleanup of m_per_function_stats and m_per_point_data values.
	(feasibility_state::maybe_update_for_edge): Fix leak of result of
	superedge::get_description.
	* region-model-manager.cc
	(region_model_manager::~region_model_manager): Move cleanup of
	m_setjmp_values to match the ordering of the fields within
	region_model_manager.  Fix leak of values within
	m_repeated_values_map, m_bits_within_values_map,
	m_asm_output_values_map, and m_const_fn_result_values_map.

2022-04-28  David Malcolm  <dmalcolm (a] redhat.com>

	PR analyzer/105285
	* store.cc (binding_cluster::get_any_binding): Handle accessing
	sub_svalues of clusters where the base region has a symbolic
	binding.

2022-04-28  David Malcolm  <dmalcolm (a] redhat.com>

	* diagnostic-manager.cc (epath_finder::process_worklist_item):
	Call dump_feasible_path when a path that reaches the the target
	enode is found.
	(epath_finder::dump_feasible_path): New.
	* engine.cc (feasibility_state::dump_to_pp): New.
	* exploded-graph.h (feasibility_state::dump_to_pp): New decl.
	* feasible-graph.cc (feasible_graph::dump_feasible_path): New.
	* feasible-graph.h (feasible_graph::dump_feasible_path): New
	decls.
	* program-point.cc (function_point::print): Fix missing trailing
	newlines.
	* program-point.h (program_point::print_source_line): Remove
	unimplemented decl.

2022-04-25  David Malcolm  <dmalcolm (a] redhat.com>

	PR analyzer/105365
	PR analyzer/105366
	* svalue.cc
	(cmp_cst): Rename to...
	(cmp_csts_same_type): ...this.  Convert all recursive calls to
	calls to...
	(cmp_csts_and_types): ....this new function.
	(svalue::cmp_ptr): Update for renaming of cmp_cst

2022-04-14  David Malcolm  <dmalcolm (a] redhat.com>

	PR analyzer/105264
	* region-model-reachability.cc (reachable_regions::handle_parm):
	Use maybe_get_deref_base_region rather than just region_svalue, to
	handle pointer arithmetic also.
	* svalue.cc (svalue::maybe_get_deref_base_region): New.
	* svalue.h (svalue::maybe_get_deref_base_region): New decl.

2022-04-14  David Malcolm  <dmalcolm (a] redhat.com>

	PR analyzer/105252
	* svalue.cc (cmp_cst): When comparing VECTOR_CSTs, compare the
	types of the encoded elements before calling cmp_cst on them.

2022-04-09  David Malcolm  <dmalcolm (a] redhat.com>

	PR analyzer/103892
	* region-model-manager.cc
	(region_model_manager::get_unknown_symbolic_region): New,
	extracted from...
	(region_model_manager::get_field_region): ...here.
	(region_model_manager::get_element_region): Use it here.
	(region_model_manager::get_offset_region): Likewise.
	(region_model_manager::get_sized_region): Likewise.
	(region_model_manager::get_cast_region): Likewise.
	(region_model_manager::get_bit_range): Likewise.
	* region-model.h
	(region_model_manager::get_unknown_symbolic_region): New decl.
	* region.cc (symbolic_region::symbolic_region): Handle sval_ptr
	having NULL type.
	(symbolic_region::dump_to_pp): Handle having NULL type.

2022-04-07  David Malcolm  <dmalcolm (a] redhat.com>

	PR analyzer/102208
	* store.cc (binding_map::remove_overlapping_bindings): Add
	"always_overlap" param, using it to generalize to the case where
	we want to remove all bindings.  Update "uncertainty" logic to
	only record maybe-bound values for cases where there is a symbolic
	write involved.
	(binding_cluster::mark_region_as_unknown): Split param "reg" into
	"reg_to_bind" and "reg_for_overlap".
	(binding_cluster::maybe_get_compound_binding): Pass "false" to
	binding_map::remove_overlapping_bindings new "always_overlap" param.
	(binding_cluster::remove_overlapping_bindings): Determine
	"always_overlap" and pass it to
	binding_map::remove_overlapping_bindings.
	(store::set_value): Pass uncertainty to remove_overlapping_bindings
	call.  Update for new param of
	binding_cluster::mark_region_as_unknown, passing both the base
	region of the iter_cluster, and the lhs_reg.
	(store::mark_region_as_unknown): Update for new param of
	binding_cluster::mark_region_as_unknown, passing "reg" for both.
	(store::remove_overlapping_bindings): Add param "uncertainty", and
	pass it on to call to
	binding_cluster::remove_overlapping_bindings.
	* store.h (binding_map::remove_overlapping_bindings): Add
	"always_overlap" param.
	(binding_cluster::mark_region_as_unknown): Split param "reg" into
	"reg_to_bind" and "reg_for_overlap".
	(store::remove_overlapping_bindings): Add param "uncertainty".

2022-03-29  David Malcolm  <dmalcolm (a] redhat.com>

	PR testsuite/105085
	* region-model-manager.cc (dump_untracked_region): Skip decls in
	the constant pool.

2022-03-29  David Malcolm  <dmalcolm (a] redhat.com>

	PR analyzer/105087
	* analyzer.h (class conjured_purge): New forward decl.
	* region-model-asm.cc (region_model::on_asm_stmt): Add
	conjured_purge param to calls binding_cluster::on_asm and
	region_model_manager::get_or_create_conjured_svalue.
	* region-model-impl-calls.cc
	(call_details::get_or_create_conjured_svalue): Likewise for call
	to region_model_manager::get_or_create_conjured_svalue.
	(region_model::impl_call_fgets): Remove call to
	region_model::purge_state_involving, as this is now done
	implicitly by call_details::get_or_create_conjured_svalue.
	(region_model::impl_call_fread): Likewise.
	(region_model::impl_call_strchr): Pass conjured_purge param to
	call to region_model_manager::get_or_create_conjured_svalue.
	* region-model-manager.cc (conjured_purge::purge): New.
	(region_model_manager::get_or_create_conjured_svalue): Add
	param "p".  Use it to purge state when reusing an existing
	conjured_svalue.
	* region-model.cc (region_model::on_call_pre): Replace call to
	region_model::purge_state_involving with passing conjured_purge
	to region_model_manager::get_or_create_conjured_svalue.
	(region_model::handle_unrecognized_call): Pass conjured_purge to
	store::on_unknown_fncall.
	* region-model.h
	(region_model_manager::get_or_create_conjured_svalue): Add param
	"p".
	* store.cc (binding_cluster::on_unknown_fncall): Likewise.  Pass
	it on to region_model_manager::get_or_create_conjured_svalue.
	(binding_cluster::on_asm): Likewise.
	(store::on_unknown_fncall): Add param "p" and pass it on to
	binding_cluster::on_unknown_fncall.
	* store.h (binding_cluster::on_unknown_fncall): Add param p.
	(binding_cluster::on_asm): Likewise.
	(store::on_unknown_fncall): Likewise.
	* svalue.h (class conjured_purge): New.

2022-03-29  David Malcolm  <dmalcolm (a] redhat.com>

	PR analyzer/105074
	* region.cc (ipa_ref_requires_tracking): Drop "context_fndecl",
	instead using the ref->referring to get the cgraph node of the
	caller.
	(symnode_requires_tracking_p): Likewise.

2022-03-26  David Malcolm  <dmalcolm (a] redhat.com>

	PR analyzer/105057
	* store.cc (binding_cluster::make_unknown_relative_to): Reject
	attempts to create a cluster for untracked base regions.
	(store::set_value): Likewise.
	(store::fill_region): Likewise.
	(store::mark_region_as_unknown): Likewise.

2022-03-25  David Malcolm  <dmalcolm (a] redhat.com>

	PR analyzer/104954
	* analyzer.opt (-fdump-analyzer-untracked): New option.
	* engine.cc (impl_run_checkers): Handle it.
	* region-model-asm.cc (region_model::on_asm_stmt): Don't attempt
	to clobber regions with !tracked_p ().
	* region-model-manager.cc (dump_untracked_region): New.
	(region_model_manager::dump_untracked_regions): New.
	(frame_region::dump_untracked_regions): New.
	* region-model.h (region_model_manager::dump_untracked_regions):
	New decl.
	* region.cc (ipa_ref_requires_tracking): New.
	(symnode_requires_tracking_p): New.
	(decl_region::calc_tracked_p): New.
	* region.h (region::tracked_p): New vfunc.
	(frame_region::dump_untracked_regions): New decl.
	(class decl_region): Note that this is also used fo SSA names.
	(decl_region::decl_region): Initialize m_tracked.
	(decl_region::tracked_p): New.
	(decl_region::calc_tracked_p): New decl.
	(decl_region::m_tracked): New.
	* store.cc (store::get_or_create_cluster): Assert that we
	don't try to create clusters for base regions that aren't
	trackable.
	(store::mark_as_escaped): Don't mark base regions that we're not
	tracking.

2022-03-23  David Malcolm  <dmalcolm (a] redhat.com>

	PR analyzer/104979
	* engine.cc (impl_run_checkers): Create the engine after the
	supergraph, and pass the supergraph to the engine.
	* region-model.cc (region_model::get_lvalue_1): Pass ctxt to
	frame_region::get_region_for_local.
	(region_model::update_for_return_gcall): Pass the lvalue for the
	result to pop_frame as a tree, rather than as a region.
	(region_model::pop_frame): Update for above change, determining
	the destination region after the frame is popped and thus with
	respect to the caller frame rather than the called frame.
	Likewise, set the value of the region to the return value after
	the frame is popped.
	(engine::engine): Add supergraph pointer.
	(selftest::test_stack_frames): Set the DECL_CONTECT of PARM_DECLs.
	(selftest::test_get_representative_path_var): Likewise.
	(selftest::test_state_merging): Likewise.
	* region-model.h (region_model::pop_frame): Convert first param
	from a const region * to a tree.
	(engine::engine): Add param "sg".
	(engine::m_sg): New field.
	* region.cc: Include "analyzer/sm.h" and
	"analyzer/program-state.h".
	(frame_region::get_region_for_local): Add "ctxt" param.
	Add assertions that VAR_DECLs are locals, and that expr is for the
	correct function.
	* region.h (frame_region::get_region_for_local): Add "ctxt" param.

2022-03-23  David Malcolm  <dmalcolm (a] redhat.com>

	PR analyzer/105017
	* sm-taint.cc (taint_diagnostic::subclass_equal_p): Check
	m_has_bounds as well as m_arg.
	(tainted_allocation_size::subclass_equal_p): Chain up to base
	class implementation.  Also check m_mem_space.
	(tainted_allocation_size::emit): Add note showing stack-based vs
	heap-based allocations.

2022-03-23  David Malcolm  <dmalcolm (a] redhat.com>

	PR analyzer/104997
	* diagnostic-manager.cc (diagnostic_manager::add_diagnostic):
	Convert return type from "void" to "bool", reporting success vs
	failure to caller, for both overloads.
	* diagnostic-manager.h (diagnostic_manager::add_diagnostic):
	Likewise.
	* engine.cc (impl_region_model_context::warn): Propagate return
	value from diagnostic_manager::add_diagnostic.

2022-03-18  David Malcolm  <dmalcolm (a] redhat.com>

	PR analyzer/104943
	PR analyzer/104954
	PR analyzer/103533
	* analyzer.h (class state_purge_per_decl): New forward decl.
	* engine.cc (impl_run_checkers): Pass region_model_manager to
	state_purge_map ctor.
	* program-point.cc (function_point::final_stmt_p): New.
	(function_point::get_next): New.
	* program-point.h (function_point::final_stmt_p): New decl.
	(function_point::get_next): New decl.
	* program-state.cc (program_state::prune_for_point): Generalize to
	purge local decls as well as SSA names.
	(program_state::can_purge_base_region_p): New.
	* program-state.h (program_state::can_purge_base_region_p): New
	decl.
	* region-model.cc (struct append_ssa_names_cb_data): Rename to...
	(struct append_regions_cb_data): ...this.
	(region_model::get_ssa_name_regions_for_current_frame): Rename
	to...
	(region_model::get_regions_for_current_frame): ...this, updating
	for other renamings.
	(region_model::append_ssa_names_cb): Rename to...
	(region_model::append_regions_cb): ...this, and drop the requirement
	that the subregion be a SSA name.
	* region-model.h (struct append_ssa_names_cb_data): Rename decl
	to...
	(struct append_regions_cb_data): ...this.
	(region_model::get_ssa_name_regions_for_current_frame): Rename
	decl to...
	(region_model::get_regions_for_current_frame): ...this.
	(region_model::append_ssa_names_cb): Rename decl to...
	(region_model::append_regions_cb): ...this.
	* state-purge.cc: Include "tristate.h", "selftest.h",
	"analyzer/store.h", "analyzer/region-model.h", and
	"gimple-walk.h".
	(get_candidate_for_purging): New.
	(class gimple_op_visitor): New.
	(my_load_cb): New.
	(my_store_cb): New.
	(my_addr_cb): New.
	(state_purge_map::state_purge_map): Add "mgr" param.  Update for
	renamings.  Find uses of local variables.
	(state_purge_map::~state_purge_map): Update for renaming of m_map
	to m_ssa_map.  Clean up m_decl_map.
	(state_purge_map::get_or_create_data_for_decl): New.
	(state_purge_per_ssa_name::state_purge_per_ssa_name): Update for
	inheriting from state_purge_per_tree.
	(state_purge_per_ssa_name::add_to_worklist): Likewise.
	(state_purge_per_decl::state_purge_per_decl): New.
	(state_purge_per_decl::add_needed_at): New.
	(state_purge_per_decl::add_pointed_to_at): New.
	(state_purge_per_decl::process_worklists): New.
	(state_purge_per_decl::add_to_worklist): New.
	(same_binding_p): New.
	(fully_overwrites_p): New.
	(state_purge_per_decl::process_point_backwards): New.
	(state_purge_per_decl::process_point_forwards): New.
	(state_purge_per_decl::needed_at_point_p): New.
	(state_purge_annotator::print_needed): Generalize to print local
	decls as well as SSA names.
	* state-purge.h (class state_purge_map): Update leading comment.
	(state_purge_map::map_t): Rename to...
	(state_purge_map::ssa_map_t): ...this.
	(state_purge_map::iterator): Rename to...
	(state_purge_map::ssa_iterator): ...this.
	(state_purge_map::decl_map_t): New typedef.
	(state_purge_map::decl_iterator): New typedef.
	(state_purge_map::state_purge_map): Add "mgr" param.
	(state_purge_map::get_data_for_ssa_name): Update for renaming.
	(state_purge_map::get_any_data_for_decl): New.
	(state_purge_map::get_or_create_data_for_decl): New decl.
	(state_purge_map::begin): Rename to...
	(state_purge_map::begin_ssas): ...this.
	(state_purge_map::end): Rename to...
	(state_purge_map::end_ssa): ...this.
	(state_purge_map::begin_decls): New.
	(state_purge_map::end_decls): New.
	(state_purge_map::m_map): Rename to...
	(state_purge_map::m_ssa_map): ...this.
	(state_purge_map::m_decl_map): New field.
	(class state_purge_per_tree): New class.
	(class state_purge_per_ssa_name): Inherit from state_purge_per_tree.
	(state_purge_per_ssa_name::get_function): Move to base class.
	(state_purge_per_ssa_name::point_set_t): Likewise.
	(state_purge_per_ssa_name::m_fun): Likewise.
	(class state_purge_per_decl): New.

2022-03-17  David Malcolm  <dmalcolm (a] redhat.com>

	* state-purge.cc (state_purge_annotator::add_node_annotations):
	Avoid duplicate before-supernode annotations when returning from
	an interprocedural call.  Show after-supernode annotations.

2022-03-17  David Malcolm  <dmalcolm (a] redhat.com>

	* program-point.cc (program_point::get_next): Fix missing
	increment of index.

2022-03-16  David Malcolm  <dmalcolm (a] redhat.com>

	PR analyzer/104955
	* diagnostic-manager.cc (get_emission_location): New.
	(diagnostic_manager::diagnostic_manager): Initialize
	m_num_disabled_diagnostics.
	(diagnostic_manager::add_diagnostic): Reject diagnostics that
	will eventually be rejected due to being disabled.
	(diagnostic_manager::emit_saved_diagnostics): Log the number
	of disabled diagnostics.
	(diagnostic_manager::emit_saved_diagnostic): Split out logic for
	determining emission location to get_emission_location.
	* diagnostic-manager.h
	(diagnostic_manager::m_num_disabled_diagnostics): New field.
	* engine.cc (stale_jmp_buf::get_controlling_option): New.
	(stale_jmp_buf::emit): Use it.
	* pending-diagnostic.h
	(pending_diagnostic::get_controlling_option): New vfunc.
	* region-model.cc
	(poisoned_value_diagnostic::get_controlling_option): New.
	(poisoned_value_diagnostic::emit): Use it.
	(shift_count_negative_diagnostic::get_controlling_option): New.
	(shift_count_negative_diagnostic::emit): Use it.
	(shift_count_overflow_diagnostic::get_controlling_option): New.
	(shift_count_overflow_diagnostic::emit): Use it.
	(dump_path_diagnostic::get_controlling_option): New.
	(dump_path_diagnostic::emit): Use it.
	(write_to_const_diagnostic::get_controlling_option): New.
	(write_to_const_diagnostic::emit): Use it.
	(write_to_string_literal_diagnostic::get_controlling_option): New.
	(write_to_string_literal_diagnostic::emit): Use it.
	* sm-file.cc (double_fclose::get_controlling_option): New.
	(double_fclose::emit): Use it.
	(file_leak::get_controlling_option): New.
	(file_leak::emit): Use it.
	* sm-malloc.cc (mismatching_deallocation::get_controlling_option):
	New.
	(mismatching_deallocation::emit): Use it.
	(double_free::get_controlling_option): New.
	(double_free::emit): Use it.
	(possible_null_deref::get_controlling_option): New.
	(possible_null_deref::emit): Use it.
	(possible_null_arg::get_controlling_option): New.
	(possible_null_arg::emit): Use it.
	(null_deref::get_controlling_option): New.
	(null_deref::emit): Use it.
	(null_arg::get_controlling_option): New.
	(null_arg::emit): Use it.
	(use_after_free::get_controlling_option): New.
	(use_after_free::emit): Use it.
	(malloc_leak::get_controlling_option): New.
	(malloc_leak::emit): Use it.
	(free_of_non_heap::get_controlling_option): New.
	(free_of_non_heap::emit): Use it.
	* sm-pattern-test.cc (pattern_match::get_controlling_option): New.
	(pattern_match::emit): Use it.
	* sm-sensitive.cc
	(exposure_through_output_file::get_controlling_option): New.
	(exposure_through_output_file::emit): Use it.
	* sm-signal.cc (signal_unsafe_call::get_controlling_option): New.
	(signal_unsafe_call::emit): Use it.
	* sm-taint.cc (tainted_array_index::get_controlling_option): New.
	(tainted_array_index::emit): Use it.
	(tainted_offset::get_controlling_option): New.
	(tainted_offset::emit): Use it.
	(tainted_size::get_controlling_option): New.
	(tainted_size::emit): Use it.
	(tainted_divisor::get_controlling_option): New.
	(tainted_divisor::emit): Use it.
	(tainted_allocation_size::get_controlling_option): New.
	(tainted_allocation_size::emit): Use it.

2022-03-15  David Malcolm  <dmalcolm (a] redhat.com>

	* store.cc (store::store): Presize m_cluster_map.

2022-03-10  David Malcolm  <dmalcolm (a] redhat.com>

	PR analyzer/104863
	* constraint-manager.cc (constraint_manager::add_constraint):
	Refresh the EC IDs when adding constraints implied by offsets.

2022-03-10  David Malcolm  <dmalcolm (a] redhat.com>

	PR analyzer/104793
	* analyzer.h (class pending_note): New forward decl.
	* diagnostic-manager.cc (saved_diagnostic::saved_diagnostic):
	Initialize m_notes.
	(saved_diagnostic::operator==): Compare m_notes.
	(saved_diagnostic::add_note): New.
	(saved_diagnostic::emit_any_notes): New.
	(diagnostic_manager::add_note): New.
	(diagnostic_manager::emit_saved_diagnostic): Call emit_any_notes
	after emitting the warning.
	* diagnostic-manager.h (saved_diagnostic::add_note): New decl.
	(saved_diagnostic::emit_any_notes): New decl.
	(saved_diagnostic::m_notes): New field.
	(diagnostic_manager::add_note): New decl.
	* engine.cc (impl_region_model_context::add_note): New.
	* exploded-graph.h (impl_region_model_context::add_note): New
	decl.
	* pending-diagnostic.h (class pending_note): New.
	(class pending_note_subclass): New template.
	* region-model.cc (class reason_attr_access): New.
	(check_external_function_for_access_attr): Add class
	annotating_ctxt and use it when checking region.
	(noop_region_model_context::add_note): New.
	* region-model.h (region_model_context::add_note): New vfunc.
	(noop_region_model_context::add_note): New decl.
	(class region_model_context_decorator): New.
	(class note_adding_context): New.

2022-03-10  David Malcolm  <dmalcolm (a] redhat.com>

	PR analyzer/104793
	* region-model.cc
	(region_model::check_external_function_for_access_attr): New.
	(region_model::handle_unrecognized_call): Call it.
	* region-model.h
	(region_model::check_external_function_for_access_attr): New decl.
	(region_model::handle_unrecognized_call): New decl.

2022-03-10  David Malcolm  <dmalcolm (a] redhat.com>

	* sm-taint.cc (taint_state_machine::check_for_tainted_size_arg):
	Avoid generating duplicate saved_diagnostics by only handling the
	rdwr_map entry for the ptrarg, not the duplicate entry for the
	sizarg.

2022-03-07  David Malcolm  <dmalcolm (a] redhat.com>

	PR analyzer/101983
	* engine.cc (returning_from_function_p): New.
	(impl_region_model_context::on_state_leak): Use it when rejecting
	leaks at the return from "main".

2022-03-07  Jakub Jelinek  <jakub (a] redhat.com>

	* store.cc: Fix up duplicated word issue in a comment.
	* analyzer.cc: Likewise.
	* engine.cc: Likewise.
	* sm-taint.cc: Likewise.

2022-03-04  David Malcolm  <dmalcolm (a] redhat.com>

	PR analyzer/103521
	* analyzer.opt (-param=analyzer-max-svalue-depth=): Reduce from 13
	to 12.

2022-02-23  David Malcolm  <dmalcolm (a] redhat.com>

	PR analyzer/104434
	* analyzer.h (class const_fn_result_svalue): New decl.
	* region-model-impl-calls.cc (call_details::get_manager): New.
	* region-model-manager.cc
	(region_model_manager::get_or_create_const_fn_result_svalue): New.
	(region_model_manager::log_stats): Log
	m_const_fn_result_values_map.
	* region-model.cc (const_fn_p): New.
	(maybe_get_const_fn_result): New.
	(region_model::on_call_pre): Handle fndecls with
	__attribute__((const)) by calling the above rather than making
	a conjured_svalue.
	* region-model.h (visitor::visit_const_fn_result_svalue): New.
	(region_model_manager::get_or_create_const_fn_result_svalue): New
	decl.
	(region_model_manager::const_fn_result_values_map_t): New typedef.
	(region_model_manager::m_const_fn_result_values_map): New field.
	(call_details::get_manager): New decl.
	* svalue.cc (svalue::cmp_ptr): Handle SK_CONST_FN_RESULT.
	(const_fn_result_svalue::dump_to_pp): New.
	(const_fn_result_svalue::dump_input): New.
	(const_fn_result_svalue::accept): New.
	* svalue.h (enum svalue_kind): Add SK_CONST_FN_RESULT.
	(svalue::dyn_cast_const_fn_result_svalue): New.
	(class const_fn_result_svalue): New.
	(is_a_helper <const const_fn_result_svalue *>::test): New.
	(template <> struct default_hash_traits<const_fn_result_svalue::key_t>):
	New.

2022-02-17  David Malcolm  <dmalcolm (a] redhat.com>

	PR analyzer/104576
	* region-model.cc: Include "calls.h".
	(region_model::on_call_pre): Use flags_from_decl_or_type to
	generalize check for DECL_PURE_P to also check for ECF_CONST.

2022-02-16  David Malcolm  <dmalcolm (a] redhat.com>

	PR analyzer/104560
	* diagnostic-manager.cc (diagnostic_manager::build_emission_path):
	Add region creation events for globals of interest.
	(null_assignment_sm_context::get_old_program_state): New.
	(diagnostic_manager::add_events_for_eedge): Move check for
	changing dynamic extents from PK_BEFORE_STMT case to after the
	switch on the dst_point's kind so that we can emit them for the
	final stmt in a basic block.
	* engine.cc (impl_sm_context::get_old_program_state): New.
	* sm-malloc.cc (malloc_state_machine::get_default_state): Rewrite
	detection of m_non_heap to use get_memory_space.
	(free_of_non_heap::free_of_non_heap): Add freed_reg param.
	(free_of_non_heap::subclass_equal_p): Update for changes to
	fields.
	(free_of_non_heap::emit): Drop m_kind in favor of
	get_memory_space.
	(free_of_non_heap::describe_state_change): Remove logic for
	detecting alloca.
	(free_of_non_heap::mark_interesting_stuff): Add region-creation of
	m_freed_reg.
	(free_of_non_heap::get_memory_space): New.
	(free_of_non_heap::kind): Drop enum.
	(free_of_non_heap::m_freed_reg): New field.
	(free_of_non_heap::m_kind): Drop field.
	(malloc_state_machine::on_stmt): Drop transition to m_non_heap.
	(malloc_state_machine::handle_free_of_non_heap): New function,
	split out from on_deallocator_call and on_realloc_call, adding
	detection of the freed region.
	(malloc_state_machine::on_deallocator_call): Use it.
	(malloc_state_machine::on_realloc_call): Likewise.
	* sm.h (sm_context::get_old_program_state): New vfunc.

2022-02-15  David Malcolm  <dmalcolm (a] redhat.com>

	PR analyzer/104524
	* region-model-manager.cc
	(region_model_manager::maybe_fold_sub_svalue): Only call
	get_or_create_cast if type is non-NULL.

2022-02-15  David Malcolm  <dmalcolm (a] redhat.com>

	PR analyzer/102692
	* exploded-graph.h (impl_region_model_context::get_stmt): New.
	* region-model.cc: Include "gimple-ssa.h", "tree-phinodes.h",
	"tree-ssa-operands.h", and "ssa-iterators.h".
	(within_short_circuited_stmt_p): New.
	(region_model::check_for_poison): Don't warn about uninit values
	if within_short_circuited_stmt_p.
	* region-model.h (region_model_context::get_stmt): New vfunc.
	(noop_region_model_context::get_stmt): New.

2022-02-11  David Malcolm  <dmalcolm (a] redhat.com>

	PR analyzer/104274
	* region-model.cc (region_model::check_for_poison): Ignore
	uninitialized uses of empty types.

2022-02-10  David Malcolm  <dmalcolm (a] redhat.com>

	PR analyzer/98797
	* region-model-manager.cc
	(region_model_manager::maybe_fold_sub_svalue): Generalize getting
	individual chars of a STRING_CST from element_region to any
	subregion which is a concrete access of a single byte from its
	parent region.
	* region.cc (region::get_relative_concrete_byte_range): New.
	* region.h (region::get_relative_concrete_byte_range): New decl.

2022-02-09  David Malcolm  <dmalcolm (a] redhat.com>

	PR analyzer/104452
	* region-model.cc (selftest::test_bit_range_regions): New.
	(selftest::analyzer_region_model_cc_tests): Call it.
	* region.h (bit_range_region::key_t::hash): Fix hashing of m_bits
	to avoid using uninitialized data.

2022-02-07  David Malcolm  <dmalcolm (a] redhat.com>

	PR analyzer/104417
	* sm-taint.cc (tainted_allocation_size::tainted_allocation_size):
	Remove overzealous assertion.
	(tainted_allocation_size::emit): Likewise.
	(region_model::check_dynamic_size_for_taint): Likewise.

2022-02-07  David Malcolm  <dmalcolm (a] redhat.com>

	PR analyzer/103872
	* region-model-impl-calls.cc (region_model::impl_call_memcpy):
	Reimplement in terms of a get_store_value followed by a set_value.

2022-02-03  David Malcolm  <dmalcolm (a] redhat.com>

	PR analyzer/104369
	* engine.cc (exploded_graph::process_node): Use the node for any
	diagnostics, avoiding ICE if a bifurcation update adds a
	saved_diagnostic, such as for a tainted realloc size.
	* region-model-impl-calls.cc
	(region_model::impl_call_realloc::success_no_move::update_model):
	Require the old pointer to be non-NULL to be able successfully
	grow in place.  Use model->deref_rvalue rather than maybe_get_region
	to support the old pointer being symbolic.
	(region_model::impl_call_realloc::success_with_move::update_model):
	Likewise.  Add a constraint that the new pointer != the old pointer.
	Use a sized_region when setting the value of the new region.
	Handle the case where we don't know the dynamic size of the old
	region by marking the new region as unknown.
	* sm-taint.cc (tainted_allocation_size::tainted_allocation_size):
	Update assertion to also allow for MEMSPACE_UNKNOWN.
	(tainted_allocation_size::emit): Likewise.
	(region_model::check_dynamic_size_for_taint): Likewise.

2022-02-03  David Malcolm  <dmalcolm (a] redhat.com>

	* region-model-impl-calls.cc (region_model::impl_call_calloc): Use
	a sized_region when calling zero_fill_region.

2022-02-02  David Malcolm  <dmalcolm (a] redhat.com>

	* region-model.cc (region_model::on_return): Replace usage of
	copy_region with get_rvalue/set_value pair.
	(region_model::pop_frame): Likewise.
	(selftest::test_compound_assignment): Likewise.
	* region-model.h (region_model::copy_region): Delete decl.
	* region.cc (region_model::copy_region): Delete.

2022-02-02  David Malcolm  <dmalcolm (a] redhat.com>

	* region.cc (region::calc_offset): Consolidate effectively
	identical cases.

2022-02-02  David Malcolm  <dmalcolm (a] redhat.com>

	* analyzer.h (class bit_range_region): New forward decl.
	* region-model-manager.cc (region_model_manager::get_bit_range):
	New.
	(region_model_manager::log_stats): Handle m_bit_range_regions.
	* region-model.cc (region_model::get_lvalue_1): Handle
	BIT_FIELD_REF.
	* region-model.h (region_model_manager::get_bit_range): New decl.
	(region_model_manager::m_bit_range_regions): New field.
	* region.cc (region::get_base_region): Handle RK_BIT_RANGE.
	(region::base_region_p): Likewise.
	(region::calc_offset): Likewise.
	(bit_range_region::dump_to_pp): New.
	(bit_range_region::get_byte_size): New.
	(bit_range_region::get_bit_size): New.
	(bit_range_region::get_byte_size_sval): New.
	(bit_range_region::get_relative_concrete_offset): New.
	* region.h (enum region_kind): Add RK_BIT_RANGE.
	(region::dyn_cast_bit_range_region): New vfunc.
	(class bit_range_region): New.
	(is_a_helper <const bit_range_region *>::test): New.
	(default_hash_traits<bit_range_region::key_t>): New.

2022-02-02  David Malcolm  <dmalcolm (a] redhat.com>

	PR analyzer/104270
	* region-model.cc (region_model::on_call_pre): Handle
	IFN_DEFERRED_INIT.

2022-01-27  David Malcolm  <dmalcolm (a] redhat.com>

	* checker-path.cc (event_kind_to_string): Handle
	EK_REGION_CREATION.
	(region_creation_event::region_creation_event): New.
	(region_creation_event::get_desc): New.
	(checker_path::add_region_creation_event): New.
	* checker-path.h (enum event_kind): Add EK_REGION_CREATION.
	(class region_creation_event): New subclass.
	(checker_path::add_region_creation_event): New decl.
	* diagnostic-manager.cc
	(diagnostic_manager::emit_saved_diagnostic): Pass NULL for new
	param to add_events_for_eedge when handling trailing eedge.
	(diagnostic_manager::build_emission_path): Create an interesting_t
	instance, allow the pending diagnostic to populate it, and pass it
	to the calls to add_events_for_eedge.
	(diagnostic_manager::add_events_for_eedge): Add "interest" param.
	Use it to add region_creation_events for on-stack regions created
	within at function entry, and when pertinent dynamically-sized
	regions are created.
	(diagnostic_manager::prune_for_sm_diagnostic): Add case for
	EK_REGION_CREATION.
	* diagnostic-manager.h (diagnostic_manager::add_events_for_eedge):
	Add "interest" param.
	* pending-diagnostic.cc: Include "selftest.h", "tristate.h",
	"analyzer/call-string.h", "analyzer/program-point.h",
	"analyzer/store.h", and "analyzer/region-model.h".
	(interesting_t::add_region_creation): New.
	(interesting_t::dump_to_pp): New.
	* pending-diagnostic.h (struct interesting_t): New.
	(pending_diagnostic::mark_interesting_stuff): New vfunc.
	* region-model.cc
	(poisoned_value_diagnostic::poisoned_value_diagnostic): Add
	(poisoned_value_diagnostic::operator==): Compare m_pkind and
	m_src_region fields.
	(poisoned_value_diagnostic::mark_interesting_stuff): New.
	(poisoned_value_diagnostic::m_src_region): New.
	(region_model::check_for_poison): Call
	get_region_for_poisoned_expr for uninit values and pass the resul
	to the diagnostic.
	(region_model::get_region_for_poisoned_expr): New.
	(region_model::deref_rvalue): Pass NULL for
	poisoned_value_diagnostic's src_region.
	* region-model.h (region_model::get_region_for_poisoned_expr): New
	decl.
	* region.h (frame_region::get_fndecl): New.

2022-01-27  Martin Liska  <mliska (a] suse.cz>

	PR analyzer/104247
	* constraint-manager.cc (bounded_ranges_manager::log_stats):
	Cast to long for format purpose.
	* region-model-manager.cc (log_uniq_map): Likewise.

2022-01-26  David Malcolm  <dmalcolm (a] redhat.com>

	PR analyzer/104224
	* region-model.cc (region_model::check_call_args): New.
	(region_model::on_call_pre): Call it when ignoring stdio builtins.
	* region-model.h (region_model::check_call_args): New decl

2022-01-26  David Malcolm  <dmalcolm (a] redhat.com>

	PR analyzer/94362
	* constraint-manager.cc (range::add_bound): Fix tests for
	discarding redundant constraints.  Perform test for rejecting
	unsatisfiable constraints earlier so that they don't update
	the object on failure.
	(selftest::test_range): New.
	(selftest::test_constant_comparisons): Add test coverage for
	existing constraints becoming narrower until they are
	unsatisfiable.
	(selftest::run_constraint_manager_tests): Call test_range.

2022-01-22  David Malcolm  <dmalcolm (a] redhat.com>

	PR analyzer/104159
	* region-model-manager.cc
	(region_model_manager::get_or_create_cast): Bail out if the types
	are the same.  Don't attempt to handle casts involving vector
	types.

2022-01-20  David Malcolm  <dmalcolm (a] redhat.com>

	PR analyzer/94362
	* constraint-manager.cc (bound::ensure_closed): Convert param to
	enum bound_kind.
	(range::constrained_to_single_element): Likewise.
	(range::add_bound): New.
	(constraint_manager::add_constraint): Handle SVAL + OFFSET
	compared to a constant.
	(constraint_manager::get_ec_bounds): Rewrite in terms of
	range::add_bound.
	(constraint_manager::eval_condition): Reject if range::add_bound
	fails.
	(selftest::test_constant_comparisons): Add test coverage for
	various impossible combinations of integer comparisons.
	* constraint-manager.h (enum bound_kind): New.
	(struct bound): Likewise.
	(bound::ensure_closed): Convert to param to enum bound_kind.
	(struct range): Convert to...
	(class range): ...this, making fields private.
	(range::add_bound): New decls.
	* region-model.cc (region_model::add_constraint): Fail if
	constraint_manager::add_constraint fails.

2022-01-18  David Malcolm  <dmalcolm (a] redhat.com>

	PR analyzer/104089
	* region-model-manager.cc
	(region_model_manager::get_or_create_constant_svalue): Assert that
	we have a CONSTANT_CLASS_P.
	(region_model_manager::maybe_fold_unaryop): Only fold a constant
	when fold_unary's result is a constant or a cast of a constant.

2022-01-18  David Malcolm  <dmalcolm (a] redhat.com>

	PR analyzer/104062
	* region-model-manager.cc
	(region_model_manager::maybe_fold_sub_svalue): Avoid casting to
	NULL type when folding access to repeated svalue.

2022-01-17  Martin Liska  <mliska (a] suse.cz>

	* analyzer.cc (is_special_named_call_p): Rename .c names to .cc.
	(is_named_call_p): Likewise.
	* region-model-asm.cc (deterministic_p): Likewise.
	* region.cc (field_region::get_relative_concrete_offset): Likewise.
	* sm-malloc.cc (method_p): Likewise.
	* supergraph.cc (superedge::dump_dot): Likewise.

2022-01-14  David Malcolm  <dmalcolm (a] redhat.com>

	* sm-taint.cc (taint_state_machine::combine_states): Handle combination
	of has_ub and has_lb.

2022-01-14  David Malcolm  <dmalcolm (a] redhat.com>

	PR analyzer/104029
	* sm-taint.cc (taint_state_machine::alt_get_inherited_state):
	Remove gcc_unreachable from default case for unary ops.

2022-01-14  David Malcolm  <dmalcolm (a] redhat.com>

	* engine.cc: Include "stringpool.h", "attribs.h", and
	"tree-dfa.h".
	(mark_params_as_tainted): New.
	(class tainted_args_function_custom_event): New.
	(class tainted_args_function_info): New.
	(exploded_graph::add_function_entry): Handle functions with
	"tainted_args" attribute.
	(class tainted_args_field_custom_event): New.
	(class tainted_args_callback_custom_event): New.
	(class tainted_args_call_info): New.
	(add_tainted_args_callback): New.
	(add_any_callbacks): New.
	(exploded_graph::build_initial_worklist): Likewise.
	(exploded_graph::build_initial_worklist): Find callbacks that are
	reachable from global initializers, calling add_any_callbacks on
	them.

2022-01-12  David Malcolm  <dmalcolm (a] redhat.com>

	PR analyzer/103940
	* engine.cc (impl_sm_context::impl_sm_context): Add
	"unknown_side_effects" param and use it to initialize
	new m_unknown_side_effects field.
	(impl_sm_context::unknown_side_effects_p): New.
	(impl_sm_context::m_unknown_side_effects): New.
	(exploded_node::on_stmt): Pass unknown_side_effects to sm_ctxt
	ctor.
	* sm-taint.cc: Include "stringpool.h" and "attribs.h".
	(tainted_size::tainted_size): Drop "dir" param.
	(tainted_size::get_kind): Drop "FINAL".
	(tainted_size::emit): Likewise.
	(tainted_size::m_dir): Drop unused field.
	(class tainted_access_attrib_size): New subclass.
	(taint_state_machine::on_stmt): Call check_for_tainted_size_arg on
	external functions with unknown side effects.
	(taint_state_machine::check_for_tainted_size_arg): New.
	(region_model::check_region_for_taint): Drop "dir" param from
	tainted_size ctor.
	* sm.h (sm_context::unknown_side_effects_p): New.

2022-01-11  David Malcolm  <dmalcolm (a] redhat.com>

	PR analyzer/102692
	* diagnostic-manager.cc
	(class auto_disable_complexity_checks): Rename to...
	(class auto_checking_feasibility): ...this, updating
	the calls accordingly.
	(epath_finder::explore_feasible_paths): Update for renaming.
	* region-model-manager.cc
	(region_model_manager::region_model_manager): Update for change from
	m_check_complexity to m_checking_feasibility.
	(region_model_manager::reject_if_too_complex): Likewise.
	(region_model_manager::get_or_create_unknown_svalue): Handle
	m_checking_feasibility.
	(region_model_manager::create_unique_svalue): New.
	(region_model_manager::maybe_fold_binop): Handle BIT_AND_EXPR and
	BIT_IOR_EXPRs on booleans where we know the result.
	* region-model.cc (test_binop_svalue_folding): Add test coverage
	for the above.
	* region-model.h (region_model_manager::create_unique_svalue): New
	decl.
	(region_model_manager::enable_complexity_check): Replace with...
	(region_model_manager::begin_checking_feasibility): ...this.
	(region_model_manager::disable_complexity_check): Replace with...
	(region_model_manager::end_checking_feasibility): ...this.
	(region_model_manager::m_check_complexity): Replace with...
	(region_model_manager::m_checking_feasibility): ...this.
	(region_model_manager::m_managed_dynamic_svalues): New field.

2022-01-08  David Malcolm  <dmalcolm (a] redhat.com>

	* engine.cc (impl_run_checkers): Pass logger to engine ctor.
	* region-model-manager.cc
	(region_model_manager::region_model_manager): Add logger param and
	use it to initialize m_logger.
	* region-model.cc (engine::engine): New.
	* region-model.h (region_model_manager::region_model_manager):
	Add logger param.
	(region_model_manager::get_logger): New.
	(region_model_manager::m_logger): New field.
	(engine::engine): New.
	* store.cc (store_manager::get_logger): New.
	(store::set_value): Log scope.  Log when marking a cluster as
	unknown due to possible aliasing.
	* store.h (store_manager::get_logger): New decl.

2022-01-08  David Malcolm  <dmalcolm (a] redhat.com>

	* region-model-impl-calls.cc (cmp_decls): New.
	(cmp_decls_ptr_ptr): New.
	(region_model::impl_call_analyzer_dump_escaped): New.
	* region-model.cc (region_model::on_stmt_pre): Handle
	__analyzer_dump_escaped.
	* region-model.h (region_model::impl_call_analyzer_dump_escaped):
	New decl.
	* store.h (binding_cluster::get_base_region): New accessor.

2022-01-08  David Malcolm  <dmalcolm (a] redhat.com>

	* region.cc (region::is_named_decl_p): New.
	* region.h (region::is_named_decl_p): New decl.

2022-01-06  David Malcolm  <dmalcolm (a] redhat.com>

	PR analyzer/103546
	* store.cc (store::eval_alias_1): Refactor handling of decl
	regions, adding a test for may_be_aliased, rejecting those for
	which it returns false.

2021-12-12  Jonathan Wakely  <jwakely (a] redhat.com>

	* engine.cc: Define INCLUDE_MEMORY instead of INCLUDE_UNIQUE_PTR.

2021-12-06  David Malcolm  <dmalcolm (a] redhat.com>

	PR analyzer/103533
	* constraint-manager.cc (equiv_class::contains_non_constant_p):
	New.
	(constraint_manager::canonicalize): Call it when determining
	redundant ECs.
	(selftest::test_purging): New selftest.
	(selftest::run_constraint_manager_tests): Likewise.
	* constraint-manager.h (equiv_class::contains_non_constant_p):
	New decl.

2021-12-01  David Malcolm  <dmalcolm (a] redhat.com>

	PR analyzer/102471
	* region-model-reachability.cc (reachable_regions::handle_parm):
	Treat all svalues within a compound parm has reachable, and those
	wrapped in a cast.

2021-11-29  David Malcolm  <dmalcolm (a] redhat.com>

	PR analyzer/103217
	* store.cc (binding_cluster::can_merge_p): For the "key is bound"
	vs "key is not bound" merger case, check that the bound svalue
	is mergeable before merging it to "unknown", rejecting the merger
	otherwise.

2021-11-19  David Malcolm  <dmalcolm (a] redhat.com>

	PR analyzer/103217
	* engine.cc (exploded_graph::get_or_create_node): Pass in
	m_ext_state to program_state::can_merge_with_p.
	(exploded_graph::process_worklist): Likewise.
	(exploded_graph::maybe_process_run_of_before_supernode_enodes):
	Likewise.
	(exploded_graph::process_node): Add missing call to detect_leaks
	when handling phi nodes.
	* program-state.cc (program_state::can_merge_with_p): Add
	"ext_state" param.  Pass it and state ptrs to
	region_model::can_merge_with_p.
	(selftest::test_program_state_merging): Update for new ext_state
	param of program_state::can_merge_with_p.
	(selftest::test_program_state_merging_2): Likewise.
	* program-state.h (program_state::can_purge_p): Make const.
	(program_state::can_merge_with_p): Add "ext_state" param.
	* region-model.cc: Include "analyzer/program-state.h".
	(region_model::can_merge_with_p): Add params "ext_state",
	"state_a", and "state_b", use them when creating model_merger
	object.
	(model_merger::mergeable_svalue_p): New.
	* region-model.h (region_model::can_merge_with_p): Add params
	"ext_state", "state_a", and "state_b".
	(model_merger::model_merger) Likewise, initializing new fields.
	(model_merger::mergeable_svalue_p): New decl.
	(model_merger::m_ext_state): New field.
	(model_merger::m_state_a): New field.
	(model_merger::m_state_b): New field.
	* svalue.cc (svalue::can_merge_p): Call
	model_merger::mergeable_svalue_p on both states and reject the
	merger accordingly.

2021-11-17  David Malcolm  <dmalcolm (a] redhat.com>

	PR analyzer/102695
	* region-model-impl-calls.cc (region_model::impl_call_strchr): New.
	* region-model-manager.cc
	(region_model_manager::maybe_fold_unaryop): Simplify cast to
	pointer type of an existing pointer to a region.
	* region-model.cc (region_model::on_call_pre): Handle
	BUILT_IN_STRCHR and "strchr".
	(write_to_const_diagnostic::emit): Add auto_diagnostic_group.  Add
	alternate wordings for functions and labels.
	(write_to_const_diagnostic::describe_final_event): Add alternate
	wordings for functions and labels.
	(region_model::check_for_writable_region): Handle RK_FUNCTION and
	RK_LABEL.
	* region-model.h (region_model::impl_call_strchr): New decl.

2021-11-16  David Malcolm  <dmalcolm (a] redhat.com>

	PR analyzer/102662
	* constraint-manager.cc (bounded_range::operator==): Require the
	types to be the same for equality.

2021-11-13  David Malcolm  <dmalcolm (a] redhat.com>

	* analyzer.opt (Wanalyzer-tainted-allocation-size): New.
	(Wanalyzer-tainted-divisor): New.
	(Wanalyzer-tainted-offset): New.
	(Wanalyzer-tainted-size): New.
	* engine.cc (impl_region_model_context::get_taint_map): New.
	* exploded-graph.h (impl_region_model_context::get_taint_map):
	New decl.
	* program-state.cc (sm_state_map::get_state): Call
	alt_get_inherited_state.
	(sm_state_map::impl_set_state): Modify states within
	compound svalues.
	(program_state::impl_call_analyzer_dump_state): Undo casts.
	(selftest::test_program_state_1): Update for new context param of
	create_region_for_heap_alloc.
	(selftest::test_program_state_merging): Likewise.
	* region-model-impl-calls.cc (region_model::impl_call_alloca):
	Likewise.
	(region_model::impl_call_calloc): Likewise.
	(region_model::impl_call_malloc): Likewise.
	(region_model::impl_call_operator_new): Likewise.
	(region_model::impl_call_realloc): Likewise.
	* region-model.cc (region_model::check_region_access): Call
	check_region_for_taint.
	(region_model::get_representative_path_var_1): Handle binops.
	(region_model::create_region_for_heap_alloc): Add "ctxt" param and
	pass it to set_dynamic_extents.
	(region_model::create_region_for_alloca): Likewise.
	(region_model::set_dynamic_extents): Add "ctxt" param and use it
	to call check_dynamic_size_for_taint.
	(selftest::test_state_merging): Update for new context param of
	create_region_for_heap_alloc.
	(selftest::test_malloc_constraints): Likewise.
	(selftest::test_malloc): Likewise.
	(selftest::test_alloca): Likewise for create_region_for_alloca.
	* region-model.h (region_model::create_region_for_heap_alloc): Add
	"ctxt" param.
	(region_model::create_region_for_alloca): Likewise.
	(region_model::set_dynamic_extents): Likewise.
	(region_model::check_dynamic_size_for_taint): New decl.
	(region_model::check_region_for_taint): New decl.
	(region_model_context::get_taint_map): New vfunc.
	(noop_region_model_context::get_taint_map): New.
	* sm-taint.cc: Remove include of "diagnostic-event-id.h"; add
	includes of "gimple-iterator.h", "tristate.h", "selftest.h",
	"ordered-hash-map.h", "cgraph.h", "cfg.h", "digraph.h",
	"analyzer/supergraph.h", "analyzer/call-string.h",
	"analyzer/program-point.h", "analyzer/store.h",
	"analyzer/region-model.h", and "analyzer/program-state.h".
	(enum bounds): Move to top of file.
	(class taint_diagnostic): New.
	(class tainted_array_index): Convert to subclass of taint_diagnostic.
	(tainted_array_index::emit): Add CWE-129.  Reword warning to use
	"attacker-controlled" rather than "tainted".
	(tainted_array_index::describe_state_change): Move to
	taint_diagnostic::describe_state_change.
	(tainted_array_index::describe_final_event): Reword to use
	"attacker-controlled" rather than "tainted".
	(class tainted_offset): New.
	(class tainted_size): New.
	(class tainted_divisor): New.
	(class tainted_allocation_size): New.
	(taint_state_machine::alt_get_inherited_state): New.
	(taint_state_machine::on_stmt): In assignment handling, remove
	ARRAY_REF handling in favor of check_region_for_taint.  Add
	detection of tainted divisors.
	(taint_state_machine::get_taint): New.
	(taint_state_machine::combine_states): New.
	(region_model::check_region_for_taint): New.
	(region_model::check_dynamic_size_for_taint): New.
	* sm.h (state_machine::alt_get_inherited_state): New.

2021-11-12  David Malcolm  <dmalcolm (a] redhat.com>

	* engine.cc (exploded_node::on_stmt_pre): Return when handling
	"__analyzer_dump_state".

2021-11-11  Richard Biener  <rguenther (a] suse.de>

	* supergraph.cc: Include bitmap.h.

2021-11-04  David Malcolm  <dmalcolm (a] redhat.com>

	* program-state.cc (sm_state_map::dump): Use default_tree_printer
	as format decoder.

2021-09-16  Maxim Blinov  <maxim.blinov (a] embecosm.com>

	PR bootstrap/102242
	* engine.cc (INCLUDE_UNIQUE_PTR): Define.

2021-09-08  David Malcolm  <dmalcolm (a] redhat.com>

	PR analyzer/102225
	* analyzer.h (compat_types_p): New decl.
	* constraint-manager.cc
	(constraint_manager::get_or_add_equiv_class): Guard against NULL
	type when checking for pointer types.
	* region-model-impl-calls.cc (region_model::impl_call_realloc):
	Guard against NULL lhs type/region.  Guard against the size value
	not being of a compatible type for dynamic extents.
	* region-model.cc (compat_types_p): Make non-static.

2021-08-30  David Malcolm  <dmalcolm (a] redhat.com>

	PR analyzer/99260
	* analyzer.h (class custom_edge_info): New class, adapted from
	exploded_edge::custom_info_t.  Make member functions const.
	Make update_model return bool, converting edge param from
	reference to a pointer, and adding a ctxt param.
	(class path_context): New class.
	* call-info.cc: New file.
	* call-info.h: New file.
	* engine.cc: Include "analyzer/call-info.h" and <memory>.
	(impl_region_model_context::impl_region_model_context): Update for
	new m_path_ctxt field.
	(impl_region_model_context::bifurcate): New.
	(impl_region_model_context::terminate_path): New.
	(impl_region_model_context::get_malloc_map): New.
	(impl_sm_context::impl_sm_context): Update for new m_path_ctxt
	field.
	(impl_sm_context::get_fndecl_for_call): Likewise.
	(impl_sm_context::set_next_state): Likewise.
	(impl_sm_context::warn): Likewise.
	(impl_sm_context::is_zero_assignment): Likewise.
	(impl_sm_context::get_path_context): New.
	(impl_sm_context::m_path_ctxt): New.
	(impl_region_model_context::on_condition): Update for new
	path_ctxt param.  Handle m_enode_for_diag being NULL.
	(impl_region_model_context::on_phi): Update for new path_ctxt
	param.
	(exploded_node::on_stmt): Add path_ctxt param, updating ctor calls
	to use it as necessary.  Use it to bail out after sm-handling,
	if needed.
	(exploded_node::detect_leaks): Update for new path_ctxt param.
	(dynamic_call_info_t::update_model): Update for conversion of
	exploded_edge::custom_info_t to custom_edge_info.
	(dynamic_call_info_t::add_events_to_path): Likewise.
	(rewind_info_t::update_model): Likewise.
	(rewind_info_t::add_events_to_path): Likewise.
	(exploded_edge::exploded_edge): Likewise.
	(exploded_graph::add_edge): Likewise.
	(exploded_graph::maybe_process_run_of_before_supernode_enodes):
	Update for new path_ctxt param.
	(class impl_path_context): New.
	(exploded_graph::process_node): Update for new path_ctxt param.
	Create an impl_path_context and pass it to exploded_node::on_stmt.
	Use it to terminate iterating stmts if terminate_path is called
	on it.  After processing a run of stmts, query path_ctxt to
	potentially terminate the analysis path, and/or to "bifurcate" the
	analysis into multiple additional paths.
	(feasibility_state::maybe_update_for_edge): Update for new
	update_model ctxt param.
	* exploded-graph.h
	(impl_region_model_context::impl_region_model_context): Add
	path_ctxt param.
	(impl_region_model_context::bifurcate): New.
	(impl_region_model_context::terminate_path): New
	(impl_region_model_context::get_ext_state): New.
	(impl_region_model_context::get_malloc_map): New.
	(impl_region_model_context::m_path_ctxt): New field.
	(exploded_node::on_stmt): Add path_ctxt param.
	(class exploded_edge::custom_info_t): Move to analyzer.h, renaming
	to custom_edge_info, and making the changes as noted in analyzer.h
	above.
	(exploded_edge::exploded_edge): Update for these changes to
	exploded_edge::custom_info_t.
	(exploded_edge::m_custom_info): Likewise.
	(class dynamic_call_info_t): Likewise.
	(class rewind_info_t): Likewise.
	(exploded_graph::add_edge): Likewise.
	* program-state.cc (program_state::on_edge): Update for new
	path_ctxt param.
	(program_state::push_call): Likewise.
	(program_state::returning_call): Likewise.
	(program_state::prune_for_point): Likewise.
	* region-model-impl-calls.cc: Include "analyzer/call-info.h".
	(call_details::get_fndecl_for_call): New.
	(region_model::impl_call_realloc): Reimplement.
	* region-model.cc (region_model::on_call_pre): Move call to
	impl_call_realloc to...
	(region_model::on_call_post): ...here.  Consolidate creation
	of call_details instance.
	(noop_region_model_context::bifurcate): New.
	(noop_region_model_context::terminate_path): New.
	* region-model.h (call_details::get_call_stmt): New.
	(call_details::get_fndecl_for_call): New.
	(region_model::on_realloc_with_move): New.
	(region_model_context::bifurcate): New.
	(region_model_context::terminate_path): New.
	(region_model_context::get_ext_state): New.
	(region_model_context::get_malloc_map): New.
	(noop_region_model_context::bifurcate): New.
	(noop_region_model_context::terminate_path): New.
	(noop_region_model_context::get_ext_state): New.
	(noop_region_model_context::get_malloc_map): New.
	* sm-malloc.cc: Include "analyzer/program-state.h".
	(malloc_state_machine::on_realloc_call): Reimplement.
	(malloc_state_machine::on_realloc_with_move): New.
	(region_model::on_realloc_with_move): New.
	* sm-signal.cc (class signal_delivery_edge_info_t): Update for
	conversion from exploded_edge::custom_info_t to custom_edge_info.
	* sm.h (sm_context::get_path_context): New.
	* svalue.cc (svalue::maybe_get_constant): Call
	unwrap_any_unmergeable.

2021-08-25  Ankur Saini  <arsenic (a] sourceware.org>

	PR analyzer/101980
	* engine.cc (exploded_graph::maybe_create_dynamic_call): Don't create
	calls if max recursion limit is reached.

2021-08-23  David Malcolm  <dmalcolm (a] redhat.com>

	* analyzer.h (struct rejected_constraint): Convert to...
	(class rejected_constraint): ...this.
	(class bounded_ranges): New forward decl.
	(class bounded_ranges_manager): New forward decl.
	* constraint-manager.cc: Include "analyzer/analyzer-logging.h" and
	"tree-pretty-print.h".
	(can_plus_one_p): New.
	(plus_one): New.
	(can_minus_one_p): New.
	(minus_one): New.
	(bounded_range::bounded_range): New.
	(dump_cst): New.
	(bounded_range::dump_to_pp): New.
	(bounded_range::dump): New.
	(bounded_range::to_json): New.
	(bounded_range::set_json_attr): New.
	(bounded_range::contains_p): New.
	(bounded_range::intersects_p): New.
	(bounded_range::operator==): New.
	(bounded_range::cmp): New.
	(bounded_ranges::bounded_ranges): New.
	(bounded_ranges::bounded_ranges): New.
	(bounded_ranges::bounded_ranges): New.
	(bounded_ranges::canonicalize): New.
	(bounded_ranges::validate): New.
	(bounded_ranges::operator==): New.
	(bounded_ranges::dump_to_pp): New.
	(bounded_ranges::dump): New.
	(bounded_ranges::to_json): New.
	(bounded_ranges::eval_condition): New.
	(bounded_ranges::contain_p): New.
	(bounded_ranges::cmp): New.
	(bounded_ranges_manager::~bounded_ranges_manager): New.
	(bounded_ranges_manager::get_or_create_empty): New.
	(bounded_ranges_manager::get_or_create_point): New.
	(bounded_ranges_manager::get_or_create_range): New.
	(bounded_ranges_manager::get_or_create_union): New.
	(bounded_ranges_manager::get_or_create_intersection): New.
	(bounded_ranges_manager::get_or_create_inverse): New.
	(bounded_ranges_manager::consolidate): New.
	(bounded_ranges_manager::get_or_create_ranges_for_switch): New.
	(bounded_ranges_manager::create_ranges_for_switch): New.
	(bounded_ranges_manager::make_case_label_ranges): New.
	(bounded_ranges_manager::log_stats): New.
	(bounded_ranges_constraint::print): New.
	(bounded_ranges_constraint::to_json): New.
	(bounded_ranges_constraint::operator==): New.
	(bounded_ranges_constraint::add_to_hash): New.
	(constraint_manager::constraint_manager): Update for new field
	m_bounded_ranges_constraints.
	(constraint_manager::operator=): Likewise.
	(constraint_manager::hash): Likewise.
	(constraint_manager::operator==): Likewise.
	(constraint_manager::print): Likewise.
	(constraint_manager::dump_to_pp): Likewise.
	(constraint_manager::to_json): Likewise.
	(constraint_manager::add_unknown_constraint): Update the lhs_ec_id
	if necessary in existing constraints when combining equivalence
	classes.  Add similar code for handling
	m_bounded_ranges_constraints.
	(constraint_manager::add_constraint_internal): Add comment.
	(constraint_manager::add_bounded_ranges): New.
	(constraint_manager::eval_condition): Use new field
	m_bounded_ranges_constraints.
	(constraint_manager::purge): Update bounded_ranges_constraint
	instances.
	(constraint_manager::canonicalize): Update for new field.
	(merger_fact_visitor::on_ranges): New.
	(constraint_manager::for_each_fact): Use new field
	m_bounded_ranges_constraints.
	(constraint_manager::validate):  Fix off-by-one error needed due
	to bug fixed above in add_unknown_constraint.  Validate the EC IDs
	in m_bounded_ranges_constraints.
	(constraint_manager::get_range_manager): New.
	(selftest::assert_dump_bounded_range_eq): New.
	(ASSERT_DUMP_BOUNDED_RANGE_EQ): New.
	(selftest::test_bounded_range): New.
	(selftest::assert_dump_bounded_ranges_eq): New.
	(ASSERT_DUMP_BOUNDED_RANGES_EQ): New.
	(selftest::test_bounded_ranges): New.
	(selftest::run_constraint_manager_tests): Call the new selftests.
	* constraint-manager.h (struct bounded_range): New.
	(struct bounded_ranges): New.
	(template <> struct default_hash_traits<bounded_ranges::key_t>): New.
	(class bounded_ranges_manager): New.
	(fact_visitor::on_ranges): New pure virtual function.
	(class bounded_ranges_constraint): New.
	(constraint_manager::add_bounded_ranges): New decl.
	(constraint_manager::get_range_manager): New decl.
	(constraint_manager::m_bounded_ranges_constraints): New field.
	* diagnostic-manager.cc (epath_finder::process_worklist_item):
	Transfer ownership of rc to add_feasibility_problem.
	* engine.cc (feasibility_problem::dump_to_pp): Use get_model.
	* feasible-graph.cc (infeasible_node::dump_dot): Update for
	conversion of m_rc to a pointer.
	(feasible_graph::add_feasibility_problem): Pass RC by pointer and
	take ownership.
	* feasible-graph.h (infeasible_node::infeasible_node): Pass RC by
	pointer and take ownership.
	(infeasible_node::~infeasible_node): New.
	(infeasible_node::m_rc): Convert to a pointer.
	(feasible_graph::add_feasibility_problem): Pass RC by pointer and
	take ownership.
	* region-model-manager.cc: Include
	"analyzer/constraint-manager.h".
	(region_model_manager::region_model_manager): Initializer new
	field m_range_mgr.
	(region_model_manager::~region_model_manager): Delete it.
	(region_model_manager::log_stats): Call log_stats on it.
	* region-model.cc (region_model::add_constraint): Use new subclass
	rejected_op_constraint.
	(region_model::apply_constraints_for_gswitch): Reimplement using
	bounded_ranges_manager.
	(rejected_constraint::dump_to_pp): Convert to...
	(rejected_op_constraint::dump_to_pp): ...this.
	(rejected_ranges_constraint::dump_to_pp): New.
	* region-model.h (struct purge_stats): Add field
	m_num_bounded_ranges_constraints.
	(region_model_manager::get_range_manager): New.
	(region_model_manager::m_range_mgr): New.
	(region_model::get_range_manager): New.
	(struct rejected_constraint): Split into...
	(class rejected_constraint):...this new abstract base class,
	and...
	(class rejected_op_constraint): ...this new concrete subclass.
	(class rejected_ranges_constraint): New.
	* supergraph.cc: Include "tree-cfg.h".
	(supergraph::supergraph): Drop idx param from add_cfg_edge.
	(supergraph::add_cfg_edge): Drop idx param.
	(switch_cfg_superedge::switch_cfg_superedge): Move here from
	header.  Populate m_case_labels with all cases which go to DST.
	(switch_cfg_superedge::dump_label_to_pp): Reimplement to use
	m_case_labels.
	(switch_cfg_superedge::get_case_label): Delete.
	* supergraph.h (supergraphadd_cfg_edge): Drop "idx" param.
	(switch_cfg_superedge::switch_cfg_superedge): Drop idx param and
	move implementation to supergraph.cc.
	(switch_cfg_superedge::get_case_label): Delete.
	(switch_cfg_superedge::get_case_labels): New.
	(switch_cfg_superedge::m_idx): Delete.
	(switch_cfg_superedge::m_case_labels): New field.

2021-08-23  David Malcolm  <dmalcolm (a] redhat.com>

	PR analyzer/101875
	* sm-file.cc (file_diagnostic::describe_state_change): Handle
	change.m_expr being NULL.

2021-08-23  David Malcolm  <dmalcolm (a] redhat.com>

	PR analyzer/101837
	* analyzer.cc (maybe_reconstruct_from_def_stmt): Bail if fn is
	NULL, and assert that it's non-NULL before passing it to
	build_call_array_loc.

2021-08-23  David Malcolm  <dmalcolm (a] redhat.com>

	PR analyzer/101962
	* region-model.cc (region_model::eval_condition_without_cm):
	Refactor comparison against zero, adding a check for
	POINTER_PLUS_EXPR of non-NULL.

2021-08-23  David Malcolm  <dmalcolm (a] redhat.com>

	* store.cc (bit_range::intersects_p): New overload.
	(bit_range::operator-): New.
	(binding_cluster::maybe_get_compound_binding): Handle the partial
	overlap case.
	(selftest::test_bit_range_intersects_p): Add test coverage for
	new overload of bit_range::intersects_p.
	* store.h (bit_range::intersects_p): New overload.
	(bit_range::operator-): New.

2021-08-23  Ankur Saini  <arsenic (a] sourceware.org>

	PR analyzer/102020
	* diagnostic-manager.cc
	(diagnostic_manager::prune_for_sm_diagnostic)<case EK_CALL_EDGE>: Fix typo.

2021-08-21  Ankur Saini  <arsenic (a] sourceware.org>

	PR analyzer/101980
	* diagnostic-manager.cc
	(diagnostic_manager::prune_for_sm_diagnostic)<case EK_CALL_EDGE>: Use
	caller_model only when the supergraph_edge doesn't exixt.
	(diagnostic_manager::prune_for_sm_diagnostic)<case EK_RETURN_EDGE>:
	Likewise.
	* engine.cc (exploded_graph::create_dynamic_call): Rename to...
	(exploded_graph::maybe_create_dynamic_call): ...this, return call
	creation status.
	(exploded_graph::process_node): Handle calls which were not dynamically
	discovered.
	* exploded-graph.h (exploded_graph::create_dynamic_call): Rename to...
	(exploded_graph::maybe_create_dynamic_call): ...this.
	* region-model.cc (region_model::update_for_gcall): New param, use it
	to push call to frame.
	(region_model::update_for_call_superedge): Pass callee function to
	update_for_gcall.
	* region-model.h (region_model::update_for_gcall): New param.

2021-08-18  Ankur Saini  <arsenic (a] sourceware.org>

	PR analyzer/97114
	* region-model.cc (region_model::get_rvalue_1): Add case for
	OBJ_TYPE_REF.

2021-08-18  Ankur Saini  <arsenic (a] sourceware.org>

	PR analyzer/100546
	* analysis-plan.cc (analysis_plan::use_summary_p): Don't use call
	summaries if there is no callgraph edge
	* checker-path.cc (call_event::call_event): Handle calls events that
	are not represented by a supergraph call edge
	(return_event::return_event): Likewise.
	(call_event::get_desc): Work with new call_event structure.
	(return_event::get_desc): Likeise.
	* checker-path.h (call_event::m_src_snode): New field.
	(call_event::m_dest_snode): New field.
	(return_event::m_src_snode): New field.
	(return_event::m_dest_snode): New field.
	* diagnostic-manager.cc
	(diagnostic_manager::prune_for_sm_diagnostic)<case EK_CALL_EDGE>:
	Refactor to work with edges without callgraph edge.
	(diagnostic_manager::prune_for_sm_diagnostic)<case EK_RETURN_EDGE>:
	Likewise.
	* engine.cc (dynamic_call_info_t::update_model): New function.
	(dynamic_call_info_t::add_events_to_path): New function.
	(exploded_graph::create_dynamic_call): New function.
	(exploded_graph::process_node): Work with dynamically discovered calls.
	* exploded-graph.h (class dynamic_call_info_t): New class.
	(exploded_graph::create_dynamic_call): New decl.
	* program-point.cc (program_point::push_to_call_stack): New function.
	(program_point::pop_from_call_stack): New function.
	* program-point.h (program_point::push_to_call_stack): New decl.
	(program_point::pop_from_call_stack): New decl.
	* program-state.cc (program_state::push_call): New function.
	(program_state::returning_call): New function.
	* program-state.h (program_state::push_call): New decl.
	(program_state::returning_call): New decl.
	* region-model.cc (region_model::update_for_gcall) New function.
	(region_model::update_for_return_gcall): New function.
	(egion_model::update_for_call_superedge): Get the underlying gcall and
	update for gcall.
	(region_model::update_for_return_superedge): Likewise.
	* region-model.h (region_model::update_for_gcall): New decl.
	(region_model::update_for_return_gcall): New decl.
	* state-purge.cc (state_purge_per_ssa_name::process_point): Update to
	work with calls without underlying cgraph edge.
	* supergraph.cc (supergraph::supergraph) Split snodes at every callsite.
	* supergraph.h (supernode::get_returning_call) New accessor.

2021-08-04  David Malcolm  <dmalcolm (a] redhat.com>

	PR analyzer/101570
	* analyzer.cc (maybe_reconstruct_from_def_stmt): Add GIMPLE_ASM
	case.
	* analyzer.h (class asm_output_svalue): New forward decl.
	(class reachable_regions): New forward decl.
	* complexity.cc (complexity::from_vec_svalue): New.
	* complexity.h (complexity::from_vec_svalue): New decl.
	* engine.cc (feasibility_state::maybe_update_for_edge): Handle
	asm stmts by calling on_asm_stmt.
	* region-model-asm.cc: New file.
	* region-model-manager.cc
	(region_model_manager::maybe_fold_asm_output_svalue): New.
	(region_model_manager::get_or_create_asm_output_svalue): New.
	(region_model_manager::log_stats): Log m_asm_output_values_map.
	* region-model.cc (region_model::on_stmt_pre): Handle GIMPLE_ASM.
	* region-model.h (visitor::visit_asm_output_svalue): New.
	(region_model_manager::get_or_create_asm_output_svalue): New decl.
	(region_model_manager::maybe_fold_asm_output_svalue): New decl.
	(region_model_manager::asm_output_values_map_t): New typedef.
	(region_model_manager::m_asm_output_values_map): New field.
	(region_model::on_asm_stmt): New.
	* store.cc (binding_cluster::on_asm): New.
	* store.h (binding_cluster::on_asm): New decl.
	* svalue.cc (svalue::cmp_ptr): Handle SK_ASM_OUTPUT.
	(asm_output_svalue::dump_to_pp): New.
	(asm_output_svalue::dump_input): New.
	(asm_output_svalue::input_idx_to_asm_idx): New.
	(asm_output_svalue::accept): New.
	* svalue.h (enum svalue_kind): Add SK_ASM_OUTPUT.
	(svalue::dyn_cast_asm_output_svalue): New.
	(class asm_output_svalue): New.
	(is_a_helper <const asm_output_svalue *>::test): New.
	(struct default_hash_traits<asm_output_svalue::key_t>): New.

2021-08-03  Jakub Jelinek  <jakub (a] redhat.com>

	PR analyzer/101721
	* sm-malloc.cc (known_allocator_p): Only check DECL_FUNCTION_CODE on
	BUILT_IN_NORMAL builtins.

2021-07-29  Ankur Saini  <arsenic (a] sourceware.org>

	* call-string.cc (call_string::element_t::operator==): New operator.
	(call_String::element_t::operator!=): New operator.
	(call_string::element_t::get_caller_function): New function.
	(call_string::element_t::get_callee_function): New function.
	(call_string::call_string): Refactor to Initialise m_elements.
	(call_string::operator=): Refactor to work with m_elements.
	(call_string::operator==): Likewise.
	(call_string::to_json): Likewise.
	(call_string::hash): Refactor to hash e.m_caller.
	(call_string::push_call): Refactor to work with m_elements.
	(call_string::push_call): New overload to push call via supernodes.
	(call_string::pop): Refactor to work with m_elements.
	(call_string::calc_recursion_depth): Likewise.
	(call_string::cmp): Likewise.
	(call_string::validate): Likewise.
	(call_string::operator[]): Likewise.
	* call-string.h (class supernode): New forward decl.
	(struct call_string::element_t): New struct.
	(call_string::call_string): Refactor to initialise m_elements.
	(call_string::bool empty_p): Refactor to work with m_elements.
	(call_string::get_callee_node): New decl.
	(call_string::get_caller_node): New decl.
	(m_elements): Replaces m_return_edges.
	* program-point.cc (program_point::get_function_at_depth): Refactor to
	work with new call-string format.
	(program_point::validate): Likewise.
	(program_point::on_edge): Likewise.

2021-07-28  David Malcolm  <dmalcolm (a] redhat.com>

	* region-model.cc (region_model::on_call_pre): Treat
	IFN_UBSAN_BOUNDS, BUILT_IN_STACK_SAVE, and BUILT_IN_STACK_RESTORE
	as no-ops, rather than handling them as unknown functions.

2021-07-28  David Malcolm  <dmalcolm (a] redhat.com>

	* region-model-impl-calls.cc (region_model::impl_call_alloca):
	Drop redundant return value.
	(region_model::impl_call_builtin_expect): Likewise.
	(region_model::impl_call_calloc): Likewise.
	(region_model::impl_call_malloc): Likewise.
	(region_model::impl_call_memset): Likewise.
	(region_model::impl_call_operator_new): Likewise.
	(region_model::impl_call_operator_delete): Likewise.
	(region_model::impl_call_strlen): Likewise.
	* region-model.cc (region_model::on_call_pre): Fix return value of
	known functions that don't have unknown side-effects.
	* region-model.h (region_model::impl_call_alloca): Drop redundant
	return value.
	(region_model::impl_call_builtin_expect): Likewise.
	(region_model::impl_call_calloc): Likewise.
	(region_model::impl_call_malloc): Likewise.
	(region_model::impl_call_memset): Likewise.
	(region_model::impl_call_strlen): Likewise.
	(region_model::impl_call_operator_new): Likewise.
	(region_model::impl_call_operator_delete): Likewise.

2021-07-28  Siddhesh Poyarekar  <siddhesh (a] gotplt.org>

	* analyzer.cc (is_named_call_p, is_std_named_call_p): Make
	first argument a const_tree.
	* analyzer.h (is_named_call_p, -s_std_named_call_p): Likewise.
	* sm-malloc.cc (known_allocator_p): New function.
	(malloc_state_machine::on_stmt): Use it.

2021-07-28  Siddhesh Poyarekar  <siddhesh (a] gotplt.org>

	* sm-malloc.cc
	(malloc_state_machine::get_or_create_deallocator): Recognize
	__builtin_free.

2021-07-26  David Malcolm  <dmalcolm (a] redhat.com>

	* region-model.cc (region_model::on_call_pre): Always set conjured
	LHS, not just for SSA names.

2021-07-23  David Malcolm  <dmalcolm (a] redhat.com>

	* diagnostic-manager.cc
	(class auto_disable_complexity_checks): New.
	(epath_finder::explore_feasible_paths): Use it to disable
	complexity checks whilst processing the worklist.
	* region-model-manager.cc
	(region_model_manager::region_model_manager): Initialize
	m_check_complexity.
	(region_model_manager::reject_if_too_complex): Bail if
	m_check_complexity is false.
	* region-model.h
	(region_model_manager::enable_complexity_check): New.
	(region_model_manager::disable_complexity_check): New.
	(region_model_manager::m_check_complexity): New.

2021-07-21  David Malcolm  <dmalcolm (a] redhat.com>

	PR analyzer/101547
	* sm-file.cc (file_leak::emit): Handle m_arg being NULL.
	(file_leak::describe_final_event): Handle ev.m_expr being NULL.

2021-07-21  David Malcolm  <dmalcolm (a] redhat.com>

	PR analyzer/101522
	* store.cc (binding_cluster::purge_state_involving): Don't change
	m_map whilst iterating through it.

2021-07-21  David Malcolm  <dmalcolm (a] redhat.com>

	* region-model.cc (region_model::handle_phi): Add "old_state"
	param and use it.
	(region_model::update_for_phis): Update so that all of the phi
	stmts are effectively handled simultaneously, rather than in
	order.
	* region-model.h (region_model::handle_phi): Add "old_state"
	param.
	* state-purge.cc (self_referential_phi_p): Replace with...
	(name_used_by_phis_p): ...this new function.
	(state_purge_per_ssa_name::process_point): Update to use the
	above, so that all phi stmts at a basic block are effectively
	considered simultaneously, and only consider the phi arguments for
	the pertinent in-edge.
	* supergraph.cc (cfg_superedge::get_phi_arg_idx): New.
	(cfg_superedge::get_phi_arg): Use the above.
	* supergraph.h (cfg_superedge::get_phi_arg_idx): New decl.

2021-07-21  David Malcolm  <dmalcolm (a] redhat.com>

	* state-purge.cc (state_purge_annotator::add_node_annotations):
	Rather than erroneously always using the NULL in-edge, determine
	each relevant in-edge, and print the appropriate data for each
	in-edge.  Use print_needed to print the data as comma-separated
	lists of SSA names.
	(print_vec_of_names): Add "within_table" param and use it.
	(state_purge_annotator::add_stmt_annotations): Factor out
	collation and printing code into...
	(state_purge_annotator::print_needed): ...this new function.
	* state-purge.h (state_purge_annotator::print_needed): New decl.

2021-07-21  David Malcolm  <dmalcolm (a] redhat.com>

	* program-point.cc (function_point::print): Show src BB index at
	BEFORE_SUPERNODE.

2021-07-21  David Malcolm  <dmalcolm (a] redhat.com>

	* svalue.cc (infix_p): New.
	(binop_svalue::dump_to_pp): Use it to print MIN_EXPR and MAX_EXPR
	in prefix form, rather than infix.

2021-07-19  David Malcolm  <dmalcolm (a] redhat.com>

	PR analyzer/101503
	* constraint-manager.cc (constraint_manager::add_constraint): Use
	can_have_associated_state_p rather than testing for unknown.
	(constraint_manager::get_or_add_equiv_class): Likewise.
	* program-state.cc (sm_state_map::set_state): Likewise.
	(sm_state_map::impl_set_state): Add assertion.
	* region-model-manager.cc
	(region_model_manager::maybe_fold_unaryop): Handle poisoned
	values.
	(region_model_manager::maybe_fold_binop): Move handling of unknown
	values...
	(region_model_manager::get_or_create_binop): ...to here, and
	generalize to use can_have_associated_state_p.
	(region_model_manager::maybe_fold_sub_svalue): Use
	can_have_associated_state_p rather than testing for unknown.
	(region_model_manager::maybe_fold_repeated_svalue): Use unknown
	when the size or repeated value is "unknown"/"poisoned".
	* region-model.cc (region_model::purge_state_involving): Reject
	attempts to purge unknown/poisoned svalues, as these svalues
	should not have state associated with them.
	* svalue.cc (sub_svalue::sub_svalue): Assert that we're building
	on top of an svalue with can_have_associated_state_p.
	(repeated_svalue::repeated_svalue): Likewise.
	(bits_within_svalue::bits_within_svalue): Likewise.
	* svalue.h (svalue::can_have_associated_state_p): New.
	(unknown_svalue::can_have_associated_state_p): New.
	(poisoned_svalue::can_have_associated_state_p): New.
	(unaryop_svalue::unaryop_svalue): Assert that we're building on
	top of an svalue with can_have_associated_state_p.
	(binop_svalue::binop_svalue): Likewise.
	(widening_svalue::widening_svalue): Likewise.

2021-07-16  David Malcolm  <dmalcolm (a] redhat.com>

	* analyzer.h (enum access_direction): New.
	* engine.cc (exploded_node::on_longjmp): Update for new param of
	get_store_value.
	* program-state.cc (program_state::prune_for_point): Likewise.
	* region-model-impl-calls.cc (region_model::impl_call_memcpy):
	Replace call to check_for_writable_region with call to
	check_region_for_write.
	(region_model::impl_call_memset): Likewise.
	(region_model::impl_call_strcpy): Likewise.
	* region-model-reachability.cc (reachable_regions::add): Update
	for new param of get_store_value.
	* region-model.cc (region_model::get_rvalue_1): Likewise, also for
	get_rvalue_for_bits.
	(region_model::get_store_value): Add ctxt param and use it to call
	check_region_for_read.
	(region_model::get_rvalue_for_bits): Add ctxt param and use it to
	call get_store_value.
	(region_model::check_region_access): New.
	(region_model::check_region_for_write): New.
	(region_model::check_region_for_read): New.
	(region_model::set_value): Update comment.  Replace call to
	check_for_writable_region with call to check_region_for_write.
	* region-model.h (region_model::get_rvalue_for_bits): Add ctxt
	param.
	(region_model::get_store_value): Add ctxt param.
	(region_model::check_region_access): New decl.
	(region_model::check_region_for_write): New decl.
	(region_model::check_region_for_read): New decl.
	* region.cc (region_model::copy_region): Update call to
	get_store_value.
	* svalue.cc (initial_svalue::implicitly_live_p): Likewise.

2021-07-16  David Malcolm  <dmalcolm (a] redhat.com>

	* engine.cc (exploded_node::on_stmt_pre): Handle
	__analyzer_dump_state.
	* program-state.cc (extrinsic_state::get_sm_idx_by_name): New.
	(program_state::impl_call_analyzer_dump_state): New.
	* program-state.h (extrinsic_state::get_sm_idx_by_name): New decl.
	(program_state::impl_call_analyzer_dump_state): New decl.
	* region-model-impl-calls.cc
	(call_details::get_arg_string_literal): New.
	* region-model.h (call_details::get_arg_string_literal): New decl.

2021-07-16  David Malcolm  <dmalcolm (a] redhat.com>

	* program-state.cc (program_state::detect_leaks): Simplify using
	svalue::maybe_get_region.
	* region-model-impl-calls.cc (region_model::impl_call_fgets): Likewise.
	(region_model::impl_call_fread): Likewise.
	(region_model::impl_call_free): Likewise.
	(region_model::impl_call_operator_delete): Likewise.
	* region-model.cc (selftest::test_stack_frames): Likewise.
	(selftest::test_state_merging): Likewise.
	* svalue.cc (svalue::maybe_get_region): New.
	* svalue.h (svalue::maybe_get_region): New decl.

2021-07-15  David Malcolm  <dmalcolm (a] redhat.com>

	* svalue.h (is_a_helper <placeholder_svalue *>::test): Make
	param and template param const.
	(is_a_helper <widening_svalue *>::test): Likewise.
	(is_a_helper <compound_svalue *>::test): Likewise.
	(is_a_helper <conjured_svalue *>::test): Likewise.

2021-07-15  David Malcolm  <dmalcolm (a] redhat.com>

	PR analyzer/95006
	PR analyzer/94713
	PR analyzer/94714
	* analyzer.cc (maybe_reconstruct_from_def_stmt): Split out
	GIMPLE_ASSIGN case into...
	(get_diagnostic_tree_for_gassign_1): New.
	(get_diagnostic_tree_for_gassign): New.
	* analyzer.h (get_diagnostic_tree_for_gassign): New decl.
	* analyzer.opt (Wanalyzer-write-to-string-literal): New.
	* constraint-manager.cc (class svalue_purger): New.
	(constraint_manager::purge_state_involving): New.
	* constraint-manager.h
	(constraint_manager::purge_state_involving): New.
	* diagnostic-manager.cc (saved_diagnostic::supercedes_p): New.
	(dedupe_winners::handle_interactions): New.
	(diagnostic_manager::emit_saved_diagnostics): Call it.
	* diagnostic-manager.h (saved_diagnostic::supercedes_p): New decl.
	* engine.cc (impl_region_model_context::warn): Convert return type
	to bool.  Return false if the diagnostic isn't saved.
	(impl_region_model_context::purge_state_involving): New.
	(impl_sm_context::get_state): Use NULL ctxt when querying old
	rvalue.
	(impl_sm_context::set_next_state): Use new sval when querying old
	state.
	(class dump_path_diagnostic): Move to region-model.cc
	(exploded_node::on_stmt): Move to on_stmt_pre and on_stmt_post.
	Remove call to purge_state_involving.
	(exploded_node::on_stmt_pre): New, based on the above.  Move most
	of it to region_model::on_stmt_pre.
	(exploded_node::on_stmt_post): Likewise, moving to
	region_model::on_stmt_post.
	(class stale_jmp_buf): Fix parent class to use curiously recurring
	template pattern.
	(feasibility_state::maybe_update_for_edge): Call on_call_pre and
	on_call_post on gcalls.
	* exploded-graph.h (impl_region_model_context::warn): Return bool.
	(impl_region_model_context::purge_state_involving): New decl.
	(exploded_node::on_stmt_pre): New decl.
	(exploded_node::on_stmt_post): New decl.
	* pending-diagnostic.h (pending_diagnostic::use_of_uninit_p): New.
	(pending_diagnostic::supercedes_p): New.
	* program-state.cc (sm_state_map::get_state): Inherit state for
	conjured_svalue as well as initial_svalue.
	(sm_state_map::purge_state_involving): Also support SK_CONJURED.
	* region-model-impl-calls.cc (call_details::get_uncertainty):
	Handle m_ctxt being NULL.
	(call_details::get_or_create_conjured_svalue): New.
	(region_model::impl_call_fgets): New.
	(region_model::impl_call_fread): New.
	* region-model-manager.cc
	(region_model_manager::get_or_create_initial_value): Return an
	uninitialized poisoned value for regions that can't have initial
	values.
	* region-model-reachability.cc
	(reachable_regions::mark_escaped_clusters): Handle ctxt being
	NULL.
	* region-model.cc (region_to_value_map::purge_state_involving): New.
	(poisoned_value_diagnostic::use_of_uninit_p): New.
	(poisoned_value_diagnostic::emit): Handle POISON_KIND_UNINIT.
	(poisoned_value_diagnostic::describe_final_event): Likewise.
	(region_model::check_for_poison): New.
	(region_model::on_assignment): Call it.
	(class dump_path_diagnostic): Move here from engine.cc.
	(region_model::on_stmt_pre): New, based on exploded_node::on_stmt.
	(region_model::on_call_pre): Move the setting of the LHS to a
	conjured svalue to before the checks for specific functions.
	Handle "fgets", "fgets_unlocked", and "fread".
	(region_model::purge_state_involving): New.
	(region_model::handle_unrecognized_call): Handle ctxt being NULL.
	(region_model::get_rvalue): Call check_for_poison.
	(selftest::test_stack_frames): Use NULL for context when getting
	uninitialized rvalue.
	(selftest::test_alloca): Likewise.
	* region-model.h (region_to_value_map::purge_state_involving): New
	decl.
	(call_details::get_or_create_conjured_svalue): New decl.
	(region_model::on_stmt_pre): New decl.
	(region_model::purge_state_involving): New decl.
	(region_model::impl_call_fgets): New decl.
	(region_model::impl_call_fread): New decl.
	(region_model::check_for_poison): New decl.
	(region_model_context::warn): Return bool.
	(region_model_context::purge_state_involving): New.
	(noop_region_model_context::warn): Return bool.
	(noop_region_model_context::purge_state_involving): New.
	(test_region_model_context:: warn): Return bool.
	* region.cc (region::get_memory_space): New.
	(region::can_have_initial_svalue_p): New.
	(region::involves_p): New.
	* region.h (enum memory_space): New.
	(region::get_memory_space): New decl.
	(region::can_have_initial_svalue_p): New decl.
	(region::involves_p): New decl.
	* sm-malloc.cc (use_after_free::supercedes_p): New.
	* store.cc (binding_cluster::purge_state_involving): New.
	(store::purge_state_involving): New.
	* store.h (class symbolic_binding): New forward decl.
	(binding_key::dyn_cast_symbolic_binding): New.
	(symbolic_binding::dyn_cast_symbolic_binding): New.
	(binding_cluster::purge_state_involving): New.
	(store::purge_state_involving): New.
	* svalue.cc (svalue::can_merge_p): Reject attempts to merge
	poisoned svalues with other svalues, so that we identify
	paths in which a variable is conditionally uninitialized.
	(involvement_visitor::visit_conjured_svalue): New.
	(svalue::involves_p): Also handle SK_CONJURED.
	(poison_kind_to_str): Handle POISON_KIND_UNINIT.
	(poisoned_svalue::maybe_fold_bits_within): New.
	* svalue.h (enum poison_kind): Add POISON_KIND_UNINIT.
	(poisoned_svalue::maybe_fold_bits_within): New decl.

2021-07-15  David Malcolm  <dmalcolm (a] redhat.com>

	* analyzer.opt (fdump-analyzer-exploded-paths): New.
	* diagnostic-manager.cc
	(diagnostic_manager::emit_saved_diagnostic): Implement it.
	* engine.cc (exploded_path::dump_to_pp): Add ext_state param and
	use it to dump states if non-NULL.
	(exploded_path::dump): Likewise.
	(exploded_path::dump_to_file): New.
	* exploded-graph.h (exploded_path::dump_to_pp): Add ext_state
	param.
	(exploded_path::dump): Likewise.
	(exploded_path::dump): Likewise.
	(exploded_path::dump_to_file): New.

2021-07-15  David Malcolm  <dmalcolm (a] redhat.com>

	* analyzer.cc (fixup_tree_for_diagnostic_1): Use DECL_DEBUG_EXPR
	if it's available.
	* engine.cc (readability): Likewise.

2021-07-15  David Malcolm  <dmalcolm (a] redhat.com>

	* state-purge.cc (self_referential_phi_p): New.
	(state_purge_per_ssa_name::process_point): Don't purge an SSA name
	at its def-stmt if the def-stmt is self-referential.

2021-07-07  David Malcolm  <dmalcolm (a] redhat.com>

	* diagnostic-manager.cc (null_assignment_sm_context::get_state):
	New overload.
	(null_assignment_sm_context::set_next_state): New overload.
	(null_assignment_sm_context::get_diagnostic_tree): New.
	* engine.cc (impl_sm_context::get_state): New overload.
	(impl_sm_context::set_next_state): New overload.
	(impl_sm_context::get_diagnostic_tree): New overload.
	(impl_region_model_context::on_condition): Convert params from
	tree to const svalue *.
	* exploded-graph.h (impl_region_model_context::on_condition):
	Likewise.
	* region-model.cc (region_model::on_call_pre): Move handling of
	internal calls to before checking for get_fndecl_for_call.
	(region_model::add_constraints_from_binop): New.
	(region_model::add_constraint): Split out into a new overload
	working on const svalue * rather than tree.  Call
	add_constraints_from_binop.  Drop call to
	add_any_constraints_from_ssa_def_stmt.
	(region_model::add_any_constraints_from_ssa_def_stmt): Delete.
	(region_model::add_any_constraints_from_gassign): Delete.
	(region_model::add_any_constraints_from_gcall): Delete.
	* region-model.h
	(region_model::add_any_constraints_from_ssa_def_stmt): Delete.
	(region_model::add_any_constraints_from_gassign): Delete.
	(region_model::add_any_constraints_from_gcall): Delete.
	(region_model::add_constraint): Add overload decl.
	(region_model::add_constraints_from_binop): New decl.
	(region_model_context::on_condition): Convert params from tree to
	const svalue *.
	(noop_region_model_context::on_condition): Likewise.
	* sm-file.cc (fileptr_state_machine::condition): Likewise.
	* sm-malloc.cc (malloc_state_machine::on_condition): Likewise.
	* sm-pattern-test.cc: Include tristate.h, selftest.h,
	analyzer/call-string.h, analyzer/program-point.h,
	analyzer/store.h, and analyzer/region-model.h.
	(pattern_test_state_machine::on_condition): Convert params from tree to
	const svalue *.
	* sm-sensitive.cc (sensitive_state_machine::on_condition): Delete.
	* sm-signal.cc (signal_state_machine::on_condition): Delete.
	* sm-taint.cc (taint_state_machine::on_condition): Convert params
	from tree to const svalue *.
	* sm.cc: Include tristate.h, selftest.h, analyzer/call-string.h,
	analyzer/program-point.h, analyzer/store.h, and
	analyzer/region-model.h.
	(any_pointer_p): Add overload taking const svalue *sval.
	* sm.h (any_pointer_p): Add overload taking const svalue *sval.
	(state_machine::on_condition): Convert params from tree to
	const svalue *.  Provide no-op default implementation.
	(sm_context::get_state): Add overload taking const svalue *sval.
	(sm_context::set_next_state): Likewise.
	(sm_context::on_transition): Likewise.
	(sm_context::get_diagnostic_tree): Likewise.
	* svalue.cc (svalue::all_zeroes_p): New.
	(constant_svalue::all_zeroes_p): New.
	(repeated_svalue::all_zeroes_p): Convert to vfunc.
	* svalue.h (svalue::all_zeroes_p): New decl.
	(constant_svalue::all_zeroes_p): New decl.
	(repeated_svalue::all_zeroes_p): Convert decl to vfunc.

2021-06-30  David Malcolm  <dmalcolm (a] redhat.com>

	PR analyzer/95006
	* analyzer.h (class repeated_svalue): New forward decl.
	(class bits_within_svalue): New forward decl.
	(class sized_region): New forward decl.
	(get_field_at_bit_offset): New forward decl.
	* engine.cc (exploded_graph::get_or_create_node): Validate the
	merged state.
	(exploded_graph::maybe_process_run_of_before_supernode_enodes):
	Validate the states at each stage.
	* program-state.cc (program_state::validate): Validate
	m_region_model.
	* region-model-impl-calls.cc (region_model::impl_call_memset):
	Replace special-case logic for handling constant sizes with
	a call to fill_region of a sized_region with the given fill value.
	* region-model-manager.cc (maybe_undo_optimize_bit_field_compare):
	Drop DK_direct.
	(region_model_manager::maybe_fold_sub_svalue):  Fold element-based
	subregions of an initial value into initial values of an element.
	Fold subvalues of repeated svalues.
	(region_model_manager::maybe_fold_repeated_svalue): New.
	(region_model_manager::get_or_create_repeated_svalue): New.
	(get_bit_range_for_field): New.
	(get_byte_range_for_field): New.
	(get_field_at_byte_range): New.
	(region_model_manager::maybe_fold_bits_within_svalue): New.
	(region_model_manager::get_or_create_bits_within): New.
	(region_model_manager::get_sized_region): New.
	(region_model_manager::log_stats): Update for addition of
	m_repeated_values_map, m_bits_within_values_map, and
	m_sized_regions.
	* region-model.cc (region_model::validate): New.
	(region_model::on_assignment): Drop enum binding_kind.
	(region_model::get_initial_value_for_global): Likewise.
	(region_model::get_rvalue_for_bits): Replace body with call to
	get_or_create_bits_within.
	(region_model::get_capacity): Handle RK_SIZED.
	(region_model::set_value): Drop enum binding_kind.
	(region_model::fill_region): New.
	(region_model::get_representative_path_var_1): Handle RK_SIZED.
	* region-model.h (visitor::visit_repeated_svalue): New.
	(visitor::visit_bits_within_svalue): New.
	(region_model_manager::get_or_create_repeated_svalue): New decl.
	(region_model_manager::get_or_create_bits_within): New decl.
	(region_model_manager::get_sized_region): New decl.
	(region_model_manager::maybe_fold_repeated_svalue): New decl.
	(region_model_manager::maybe_fold_bits_within_svalue): New decl.
	(region_model_manager::repeated_values_map_t): New typedef.
	(region_model_manager::m_repeated_values_map): New field.
	(region_model_manager::bits_within_values_map_t): New typedef.
	(region_model_manager::m_bits_within_values_map): New field.
	(region_model_manager::m_sized_regions): New field.
	(region_model::fill_region): New decl.
	* region.cc (region::get_base_region): Handle RK_SIZED.
	(region::base_region_p): Likewise.
	(region::get_byte_size_sval): New.
	(get_field_at_bit_offset): Make non-static.
	(region::calc_offset): Move implementation of cases to
	get_relative_concrete_offset vfunc implementations.  Handle
	RK_SIZED.
	(region::get_relative_concrete_offset): New.
	(decl_region::get_svalue_for_initializer): Drop enum binding_kind.
	(field_region::get_relative_concrete_offset): New, from
	region::calc_offset.
	(element_region::get_relative_concrete_offset): Likewise.
	(offset_region::get_relative_concrete_offset): Likewise.
	(sized_region::accept): New.
	(sized_region::dump_to_pp): New.
	(sized_region::get_byte_size): New.
	(sized_region::get_bit_size): New.
	* region.h (enum region_kind): Add RK_SIZED.
	(region::dyn_cast_sized_region): New.
	(region::get_byte_size): Make virtual.
	(region::get_bit_size): Likewise.
	(region::get_byte_size_sval): New decl.
	(region::get_relative_concrete_offset): New decl.
	(field_region::get_relative_concrete_offset): New decl.
	(element_region::get_relative_concrete_offset): Likewise.
	(offset_region::get_relative_concrete_offset): Likewise.
	(class sized_region): New.
	* store.cc (binding_kind_to_string): Delete.
	(binding_key::make): Drop enum binding_kind.
	(binding_key::dump_to_pp): Delete.
	(binding_key::cmp_ptrs): Drop enum binding_kind.
	(bit_range::contains_p): New.
	(byte_range::dump): New.
	(byte_range::contains_p): New.
	(byte_range::cmp): New.
	(concrete_binding::dump_to_pp): Drop enum binding_kind.
	(concrete_binding::cmp_ptr_ptr): Likewise.
	(symbolic_binding::dump_to_pp): Likewise.
	(symbolic_binding::cmp_ptr_ptr): Likewise.
	(binding_map::apply_ctor_val_to_range): Likewise.
	(binding_map::apply_ctor_pair_to_child_region): Likewise.
	(binding_map::get_overlapping_bindings): New.
	(binding_map::remove_overlapping_bindings): New.
	(binding_cluster::validate): New.
	(binding_cluster::bind): Drop enum binding_kind.
	(binding_cluster::bind_compound_sval): Likewise.
	(binding_cluster::purge_region): Likewise.
	(binding_cluster::zero_fill_region): Reimplement in terms of...
	(binding_cluster::fill_region): New.
	(binding_cluster::mark_region_as_unknown): Drop enum binding_kind.
	(binding_cluster::get_binding): Likewise.
	(binding_cluster::get_binding_recursive): Likewise.
	(binding_cluster::get_any_binding): Likewise.
	(binding_cluster::maybe_get_compound_binding): Reimplement.
	(binding_cluster::get_overlapping_bindings): Delete.
	(binding_cluster::remove_overlapping_bindings): Reimplement in
	terms of binding_map::remove_overlapping_bindings.
	(binding_cluster::can_merge_p): Update for removal of
	enum binding_kind.
	(binding_cluster::on_unknown_fncall): Drop enum binding_kind.
	(binding_cluster::maybe_get_simple_value): Likewise.
	(store_manager::get_concrete_binding): Likewise.
	(store_manager::get_symbolic_binding): Likewise.
	(store::validate): New.
	(store::set_value): Drop enum binding_kind.
	(store::zero_fill_region): Reimplement in terms of...
	(store::fill_region): New.
	(selftest::test_binding_key_overlap): Drop enum binding_kind.
	* store.h (enum binding_kind): Delete.
	(binding_kind_to_string): Delete decl.
	(binding_key::make): Drop enum binding_kind.
	(binding_key::dump_to_pp): Make pure virtual.
	(binding_key::get_kind): Delete.
	(binding_key::mark_deleted): Delete.
	(binding_key::mark_empty): Delete.
	(binding_key::is_deleted): Delete.
	(binding_key::is_empty): Delete.
	(binding_key::binding_key): Delete.
	(binding_key::impl_hash): Delete.
	(binding_key::impl_eq): Delete.
	(binding_key::m_kind): Delete.
	(bit_range::get_last_bit_offset): New.
	(bit_range::contains_p): New.
	(byte_range::contains_p): New.
	(byte_range::operator==): New.
	(byte_range::get_start_byte_offset): New.
	(byte_range::get_next_byte_offset): New.
	(byte_range::get_last_byte_offset): New.
	(byte_range::as_bit_range): New.
	(byte_range::cmp): New.
	(concrete_binding::concrete_binding): Drop enum binding_kind.
	(concrete_binding::hash): Likewise.
	(concrete_binding::operator==): Likewise.
	(concrete_binding::mark_deleted): New.
	(concrete_binding::mark_empty): New.
	(concrete_binding::is_deleted): New.
	(concrete_binding::is_empty): New.
	(default_hash_traits<ana::concrete_binding>::empty_zero_p): Make false.
	(symbolic_binding::symbolic_binding): Drop enum binding_kind.
	(symbolic_binding::hash): Likewise.
	(symbolic_binding::operator==): Likewise.
	(symbolic_binding::mark_deleted): New.
	(symbolic_binding::mark_empty): New.
	(symbolic_binding::is_deleted): New.
	(symbolic_binding::is_empty): New.
	(binding_map::remove_overlapping_bindings): New decl.
	(binding_map::get_overlapping_bindings): New decl.
	(binding_cluster::validate): New decl.
	(binding_cluster::bind): Drop enum binding_kind.
	(binding_cluster::fill_region): New decl.
	(binding_cluster::get_binding): Drop enum binding_kind.
	(binding_cluster::get_binding_recursive): Likewise.
	(binding_cluster::get_overlapping_bindings): Delete.
	(store::validate): New decl.
	(store::set_value): Drop enum binding_kind.
	(store::fill_region): New decl.
	(store_manager::get_concrete_binding): Drop enum binding_kind.
	(store_manager::get_symbolic_binding): Likewise.
	* svalue.cc (svalue::cmp_ptr): Handle SK_REPEATED and
	SK_BITS_WITHIN.
	(svalue::extract_bit_range): New.
	(svalue::maybe_fold_bits_within): New.
	(constant_svalue::maybe_fold_bits_within): New.
	(unknown_svalue::maybe_fold_bits_within): New.
	(unaryop_svalue::maybe_fold_bits_within): New.
	(repeated_svalue::repeated_svalue): New.
	(repeated_svalue::dump_to_pp): New.
	(repeated_svalue::accept): New.
	(repeated_svalue::all_zeroes_p): New.
	(repeated_svalue::maybe_fold_bits_within): New.
	(bits_within_svalue::bits_within_svalue): New.
	(bits_within_svalue::dump_to_pp): New.
	(bits_within_svalue::maybe_fold_bits_within): New.
	(bits_within_svalue::accept): New.
	(bits_within_svalue::implicitly_live_p): New.
	(compound_svalue::maybe_fold_bits_within): New.
	* svalue.h (enum svalue_kind): Add SK_REPEATED and SK_BITS_WITHIN.
	(svalue::dyn_cast_repeated_svalue): New.
	(svalue::dyn_cast_bits_within_svalue): New.
	(svalue::extract_bit_range): New decl.
	(svalue::maybe_fold_bits_within): New vfunc decl.
	(region_svalue::key_t::mark_empty): Use 2 rather than NULL_TREE.
	(region_svalue::key_t::is_empty): Likewise.
	(default_hash_traits<region_svalue::key_t>::empty_zero_p): Make false.
	(constant_svalue::maybe_fold_bits_within): New.
	(unknown_svalue::maybe_fold_bits_within): New.
	(poisoned_svalue::key_t::mark_empty): Use 2 rather than NULL_TREE.
	(poisoned_svalue::key_t::is_empty): Likewise.
	(default_hash_traits<poisoned_svalue::key_t>::empty_zero_p): Make
	false.
	(setjmp_svalue::key_t::mark_empty): Use 2 rather than NULL_TREE.
	(setjmp_svalue::key_t::is_empty): Likewise.
	(default_hash_traits<setjmp_svalue::key_t>::empty_zero_p): Make
	false.
	(unaryop_svalue::key_t::mark_empty): Use 2 rather than NULL_TREE.
	(unaryop_svalue::key_t::is_empty): Likewise.
	(unaryop_svalue::maybe_fold_bits_within): New.
	(default_hash_traits<unaryop_svalue::key_t>::empty_zero_p): Make
	false.
	(binop_svalue::key_t::mark_empty): Use 2 rather than NULL_TREE.
	(binop_svalue::key_t::is_empty): Likewise.
	(default_hash_traits<binop_svalue::key_t>::empty_zero_p): Make
	false.
	(sub_svalue::key_t::mark_empty): Use 2 rather than NULL_TREE.
	(sub_svalue::key_t::is_empty): Likewise.
	(default_hash_traits<sub_svalue::key_t>::empty_zero_p): Make
	false.
	(class repeated_svalue): New.
	(is_a_helper <const repeated_svalue *>::test): New.
	(struct default_hash_traits<repeated_svalue::key_t>): New.
	(class bits_within_svalue): New.
	(is_a_helper <const bits_within_svalue *>::test): New.
	(struct default_hash_traits<bits_within_svalue::key_t>): New.
	(widening_svalue::key_t::mark_empty): Use 2 rather than NULL_TREE.
	(widening_svalue::key_t::is_empty): Likewise.
	(default_hash_traits<widening_svalue::key_t>::empty_zero_p): Make
	false.
	(compound_svalue::key_t::mark_empty): Use 2 rather than NULL_TREE.
	(compound_svalue::key_t::is_empty): Likewise.
	(compound_svalue::maybe_fold_bits_within): New.
	(default_hash_traits<compound_svalue::key_t>::empty_zero_p): Make
	false.

2021-06-28  David Malcolm  <dmalcolm (a] redhat.com>

	* analyzer.h (byte_offset_t): New typedef.
	* store.cc (bit_range::dump_to_pp): Dump as a byte range if
	possible.
	(bit_range::as_byte_range): New.
	(byte_range::dump_to_pp): New.
	* store.h (class byte_range): New forward decl.
	(struct bit_range): Add comment.
	(bit_range::as_byte_range): New decl.
	(struct byte_range): New.

2021-06-22  David Malcolm  <dmalcolm (a] redhat.com>

	PR analyzer/101143
	* region-model.cc (compat_types_p): New function.
	(region_model::create_region_for_heap_alloc): Convert assertion to
	an error check.
	(region_model::create_region_for_alloca): Likewise.

2021-06-18  David Malcolm  <dmalcolm (a] redhat.com>

	* store.cc (binding_cluster::get_any_binding): Make symbolic reads
	from a cluster with concrete bindings return unknown.

2021-06-18  David Malcolm  <dmalcolm (a] redhat.com>

	* region-model-manager.cc
	(region_model_manager::get_or_create_int_cst): New.
	(region_model_manager::maybe_undo_optimize_bit_field_compare): Use
	it to simplify away a local tree.
	* region-model.cc (region_model::on_setjmp): Likewise.
	(region_model::on_longjmp): Likewise.
	* region-model.h (region_model_manager::get_or_create_int_cst):
	New decl.
	* store.cc (binding_cluster::zero_fill_region): Use it to simplify
	away a local tree.

2021-06-18  David Malcolm  <dmalcolm (a] redhat.com>

	* checker-path.cc (class custom_event): Make abstract to allow for
	custom vfuncs, splitting existing implementation into...
	(class precanned_custom_event): New subclass.
	(custom_event::get_desc): Move to...
	(precanned_custom_event::get_desc): ...subclass.
	* checker-path.h (class custom_event): Make abstract to allow for
	custom vfuncs, splitting existing implementation into...
	(class precanned_custom_event): New subclass.
	* diagnostic-manager.cc (diagnostic_manager::add_events_for_eedge):
	Use precanned_custom_event.
	* engine.cc
	(stale_jmp_buf::maybe_add_custom_events_for_superedge): Likewise.
	* sm-signal.cc (signal_delivery_edge_info_t::add_events_to_path):
	Likewise.

2021-06-15  David Malcolm  <dmalcolm (a] redhat.com>

	PR analyzer/99212
	PR analyzer/101082
	* engine.cc: Include "target.h".
	(impl_run_checkers): Log BITS_BIG_ENDIAN, BYTES_BIG_ENDIAN, and
	WORDS_BIG_ENDIAN.
	* region-model-manager.cc
	(region_model_manager::maybe_fold_binop): Move support for masking
	via ARG0 & CST into...
	(region_model_manager::maybe_undo_optimize_bit_field_compare):
	...this new function.  Flatten by converting from nested
	conditionals to a series of early return statements to reject
	failures.  Reject if type is not unsigned_char_type_node.
	Handle BYTES_BIG_ENDIAN when determining which bits are bound
	in the binding_map.
	* region-model.h
	(region_model_manager::maybe_undo_optimize_bit_field_compare):
	New decl.
	* store.cc (bit_range::dump): New function.
	* store.h (bit_range::dump): New decl.

2021-06-15  David Malcolm  <dmalcolm (a] redhat.com>

	* engine.cc (exploded_node::on_stmt): Handle __analyzer_dump_capacity.
	(exploded_node::on_stmt): Drop m_sm_changes from on_stmt_flags.
	(state_change_requires_new_enode_p): New function...
	(exploded_graph::process_node): Call it, rather than querying
	flags.m_sm_changes, so that dynamic-extent differences can also
	trigger the splitting of nodes.
	* exploded-graph.h (struct on_stmt_flags): Drop field m_sm_changes.
	* program-state.cc (program_state::detect_leaks): Purge dead
	heap-allocated regions from dynamic extents.
	(selftest::test_program_state_1): Fix type of "size_in_bytes".
	(selftest::test_program_state_merging): Likewise.
	* region-model-impl-calls.cc
	(region_model::impl_call_analyzer_dump_capacity): New.
	(region_model::impl_call_free): Remove dynamic extents from the
	freed region.
	* region-model-reachability.h
	(reachable_regions::begin_mutable_base_regs): New.
	(reachable_regions::end_mutable_base_regs): New.
	* region-model.cc: Include "tree-object-size.h".
	(region_model::region_model): Support new field m_dynamic_extents.
	(region_model::operator=): Likewise.
	(region_model::operator==): Likewise.
	(region_model::dump_to_pp): Dump sizes of dynamic regions.
	(region_model::handle_unrecognized_call): Purge dynamic extents
	from any regions that have escaped mutably:.
	(region_model::get_capacity): New function.
	(region_model::add_constraint): Unset dynamic extents when a
	heap-allocated region's address is NULL.
	(region_model::unbind_region_and_descendents): Purge dynamic
	extents of unbound regions.
	(region_model::can_merge_with_p): Call
	m_dynamic_extents.can_merge_with_p.
	(region_model::create_region_for_heap_alloc): Assert that
	size_in_bytes's type is compatible with size_type_node.  Update
	for renaming of record_dynamic_extents to set_dynamic_extents.
	(region_model::create_region_for_alloca): Likewise.
	(region_model::record_dynamic_extents): Rename to...
	(region_model::set_dynamic_extents): ...this.  Assert that
	size_in_bytes's type is compatible with size_type_node.  Add it
	to the m_dynamic_extents map.
	(region_model::get_dynamic_extents): New.
	(region_model::unset_dynamic_extents): New.
	(selftest::test_state_merging): Fix type of "size".
	(selftest::test_malloc_constraints): Likewise.
	(selftest::test_malloc): Verify dynamic extents.
	(selftest::test_alloca): Likewise.
	* region-model.h (region_to_value_map::is_empty): New.
	(region_model::dynamic_extents_t): New typedef.
	(region_model::impl_call_analyzer_dump_capacity): New decl.
	(region_model::get_dynamic_extents): New function.
	(region_model::get_dynamic_extents): New decl.
	(region_model::set_dynamic_extents): New decl.
	(region_model::unset_dynamic_extents): New decl.
	(region_model::get_capacity): New decl.
	(region_model::record_dynamic_extents): Rename to set_dynamic_extents.
	(region_model::m_dynamic_extents): New field.

2021-06-15  David Malcolm  <dmalcolm (a] redhat.com>

	* region-model.cc (region_to_value_map::operator=): New.
	(region_to_value_map::operator==): New.
	(region_to_value_map::dump_to_pp): New.
	(region_to_value_map::dump): New.
	(region_to_value_map::can_merge_with_p): New.
	* region-model.h (class region_to_value_map): New class.

2021-06-13  Trevor Saunders  <tbsaunde (a] tbsaunde.org>

	* call-string.cc (call_string::call_string): Use range based for
	to iterate over vec<>.
	(call_string::to_json): Likewise.
	(call_string::hash): Likewise.
	(call_string::calc_recursion_depth): Likewise.
	* checker-path.cc (checker_path::fixup_locations): Likewise.
	* constraint-manager.cc (equiv_class::equiv_class): Likewise.
	(equiv_class::to_json): Likewise.
	(equiv_class::hash): Likewise.
	(constraint_manager::to_json): Likewise.
	* engine.cc (impl_region_model_context::on_svalue_leak):
	Likewise.
	(on_liveness_change): Likewise.
	(impl_region_model_context::on_unknown_change): Likewise.
	* program-state.cc (sm_state_map::set_state): Likewise.
	* region-model.cc (test_canonicalization_4): Likewise.

2021-06-11  David Malcolm  <dmalcolm (a] redhat.com>

	* engine.cc (worklist::key_t::cmp): Move sort by call_string to
	before SCC.

2021-06-09  David Malcolm  <dmalcolm (a] redhat.com>

	* region-model.cc (region_model::get_lvalue_1): Make const.
	(region_model::get_lvalue): Likewise.
	(region_model::get_rvalue_1): Likewise.
	(region_model::get_rvalue): Likewise.
	(region_model::deref_rvalue): Likewise.
	(region_model::get_rvalue_for_bits): Likewise.
	* region-model.h (region_model::get_lvalue): Likewise.
	(region_model::get_rvalue): Likewise.
	(region_model::deref_rvalue): Likewise.
	(region_model::get_rvalue_for_bits): Likewise.
	(region_model::get_lvalue_1): Likewise.
	(region_model::get_rvalue_1): Likewise.

2021-06-08  David Malcolm  <dmalcolm (a] redhat.com>

	PR analyzer/99212
	* region-model-manager.cc
	(region_model_manager::maybe_fold_binop): Add support for folding
	BIT_AND_EXPR of compound_svalue and a mask constant.
	* region-model.cc (region_model::get_rvalue_1): Implement
	BIT_FIELD_REF in terms of...
	(region_model::get_rvalue_for_bits): New function.
	* region-model.h (region_model::get_rvalue_for_bits): New decl.
	* store.cc (bit_range::from_mask): New function.
	(selftest::test_bit_range_intersects_p): New selftest.
	(selftest::assert_bit_range_from_mask_eq): New.
	(ASSERT_BIT_RANGE_FROM_MASK_EQ): New macro.
	(selftest::assert_no_bit_range_from_mask_eq): New.
	(ASSERT_NO_BIT_RANGE_FROM_MASK): New macro.
	(selftest::test_bit_range_from_mask): New selftest.
	(selftest::analyzer_store_cc_tests): Call the new selftests.
	* store.h (bit_range::intersects_p): New.
	(bit_range::from_mask): New decl.
	(concrete_binding::get_bit_range): New accessor.
	(store_manager::get_concrete_binding): New overload taking
	const bit_range &.

2021-06-08  David Malcolm  <dmalcolm (a] redhat.com>

	* analyzer.h (int_size_in_bits): New decl.
	* region.cc (int_size_in_bits): New function.
	(region::get_bit_size): Reimplement in terms of the above.

2021-06-08  David Malcolm  <dmalcolm (a] redhat.com>

	* store.cc (concrete_binding::dump_to_pp): Move bulk of
	implementation to...
	(bit_range::dump_to_pp): ...this new function.
	(bit_range::cmp): New.
	(concrete_binding::overlaps_p): Update for use of bit_range.
	(concrete_binding::cmp_ptr_ptr): Likewise.
	* store.h (struct bit_range): New.
	(class concrete_binding): Replace fields m_start_bit_offset and
	m_size_in_bits with new field m_bit_range.

2021-06-08  David Malcolm  <dmalcolm (a] redhat.com>

	* svalue.h (conjured_svalue::iterator_t): Delete.

2021-06-03  David Malcolm  <dmalcolm (a] redhat.com>

	* store.h (store::get_direct_binding): Remove unused decl.
	(store::get_default_binding): Likewise.

2021-06-03  David Malcolm  <dmalcolm (a] redhat.com>

	* svalue.cc (poisoned_svalue::dump_to_pp): Dump type.
	(compound_svalue::dump_to_pp): Dump any type.

2021-05-18  David Malcolm  <dmalcolm (a] redhat.com>

	PR analyzer/100615
	* sm-malloc.cc: Include "analyzer/function-set.h".
	(malloc_state_machine::on_stmt): Call unaffected_by_call_p and
	bail on the functions it recognizes.
	(malloc_state_machine::unaffected_by_call_p): New.

2021-05-10  Martin Liska  <mliska (a] suse.cz>

	* sm-file.cc (is_file_using_fn_p): Use startswith
	function instead of strncmp.

2021-05-10  Martin Liska  <mliska (a] suse.cz>

	* program-state.cc (program_state::operator=): Remove
	__cplusplus >= 201103.
	(program_state::program_state): Likewise.
	* program-state.h: Likewise.
	* region-model.h (class region_model): Remove dead code.

2021-04-24  David Malcolm  <dmalcolm (a] redhat.com>

	PR analyzer/100244
	* sm-malloc.cc (free_of_non_heap::describe_state_change):
	Bulletproof against change.m_expr being NULL.

2021-04-13  David Malcolm  <dmalcolm (a] redhat.com>

	PR analyzer/98599
	* supergraph.cc (saved_uids::make_uid_unique): New.
	(saved_uids::restore_uids): New.
	(supergraph::supergraph): Replace assignments to stmt->uid with
	calls to m_stmt_uids.make_uid_unique.
	(supergraph::~supergraph): New.
	* supergraph.h (class saved_uids): New.
	(supergraph::~supergraph): New decl.
	(supergraph::m_stmt_uids): New field.

2021-04-10  David Malcolm  <dmalcolm (a] redhat.com>

	PR analyzer/100011
	* region-model.cc (region_model::on_assignment): Avoid NULL
	dereference if ctxt is NULL when assigning from a STRING_CST.

2021-04-08  David Malcolm  <dmalcolm (a] redhat.com>

	PR analyzer/99042
	PR analyzer/99774
	* engine.cc
	(impl_region_model_context::impl_region_model_context): Add
	uncertainty param and use it to initialize m_uncertainty.
	(impl_region_model_context::get_uncertainty): New.
	(impl_sm_context::get_fndecl_for_call): Add NULL for new
	uncertainty param when constructing impl_region_model_context.
	(impl_sm_context::get_state): Likewise.
	(impl_sm_context::set_next_state): Likewise.
	(impl_sm_context::warn): Likewise.
	(exploded_node::on_stmt): Add uncertainty param
	and use it when constructing impl_region_model_context.
	(exploded_node::on_edge): Add uncertainty param and pass
	to on_edge call.
	(exploded_node::detect_leaks): Create uncertainty_t and pass to
	impl_region_model_context.
	(exploded_graph::get_or_create_node): Create uncertainty_t and
	pass to prune_for_point.
	(maybe_process_run_of_before_supernode_enodes): Create
	uncertainty_t and pass to impl_region_model_context.
	(exploded_graph::process_node): Create uncertainty_t instances and
	pass around as needed.
	* exploded-graph.h
	(impl_region_model_context::impl_region_model_context): Add
	uncertainty param.
	(impl_region_model_context::get_uncertainty): New decl.
	(impl_region_model_context::m_uncertainty): New field.
	(exploded_node::on_stmt): Add uncertainty param.
	(exploded_node::on_edge): Likewise.
	* program-state.cc (sm_state_map::on_liveness_change): Get
	uncertainty from context and use it to unset sm-state from
	svalues as appropriate.
	(program_state::on_edge): Add uncertainty param and use it when
	constructing impl_region_model_context.  Fix indentation.
	(program_state::prune_for_point): Add uncertainty param and use it
	when constructing impl_region_model_context.
	(program_state::detect_leaks): Get any uncertainty from ctxt and
	use it to get maybe-live svalues for dest_state, rather than
	definitely-live ones; use this when determining which svalues
	have leaked.
	(selftest::test_program_state_merging): Create uncertainty_t and
	pass to impl_region_model_context.
	* program-state.h (program_state::on_edge): Add uncertainty param.
	(program_state::prune_for_point): Likewise.
	* region-model-impl-calls.cc (call_details::get_uncertainty): New.
	(region_model::impl_call_memcpy): Pass uncertainty to
	mark_region_as_unknown call.
	(region_model::impl_call_memset): Likewise.
	(region_model::impl_call_strcpy): Likewise.
	* region-model-reachability.cc (reachable_regions::handle_sval):
	Also add sval to m_mutable_svals.
	* region-model.cc (region_model::on_assignment): Pass any
	uncertainty from ctxt to the store::set_value call.
	(region_model::handle_unrecognized_call): Get any uncertainty from
	ctxt and use it to record mutable svalues at the unknown call.
	(region_model::get_reachable_svalues): Add uncertainty param and
	use it to mark any maybe-bound svalues as being reachable.
	(region_model::set_value): Pass any uncertainty from ctxt to the
	store::set_value call.
	(region_model::mark_region_as_unknown): Add uncertainty param and
	pass it on to the store::mark_region_as_unknown call.
	(region_model::update_for_call_summary): Add uncertainty param and
	pass it on to the region_model::mark_region_as_unknown call.
	* region-model.h (call_details::get_uncertainty): New decl.
	(region_model::get_reachable_svalues): Add uncertainty param.
	(region_model::mark_region_as_unknown): Add uncertainty param.
	(region_model_context::get_uncertainty): New vfunc.
	(noop_region_model_context::get_uncertainty): New vfunc
	implementation.
	* store.cc (dump_svalue_set): New.
	(uncertainty_t::dump_to_pp): New.
	(uncertainty_t::dump): New.
	(binding_cluster::clobber_region): Pass NULL for uncertainty to
	remove_overlapping_bindings.
	(binding_cluster::mark_region_as_unknown): Add uncertainty param
	and pass it to remove_overlapping_bindings.
	(binding_cluster::remove_overlapping_bindings): Add uncertainty param.
	Use it to record any svalues that were in clobbered bindings.
	(store::set_value): Add uncertainty param.  Pass it to
	binding_cluster::mark_region_as_unknown when handling symbolic
	regions.
	(store::mark_region_as_unknown): Add uncertainty param and pass it
	to binding_cluster::mark_region_as_unknown.
	(store::remove_overlapping_bindings): Add uncertainty param and
	pass it to binding_cluster::remove_overlapping_bindings.
	* store.h (binding_cluster::mark_region_as_unknown): Add
	uncertainty param.
	(binding_cluster::remove_overlapping_bindings): Likewise.
	(store::set_value): Likewise.
	(store::mark_region_as_unknown): Likewise.

2021-04-05  David Malcolm  <dmalcolm (a] redhat.com>

	PR analyzer/99906
	* analyzer.cc (maybe_reconstruct_from_def_stmt): Fix NULL
	dereference on calls with zero arguments.
	* sm-malloc.cc (malloc_state_machine::on_stmt): When handling
	__attribute__((nonnull)), only call get_diagnostic_tree if the
	result will be used.

2021-04-05  David Malcolm  <dmalcolm (a] redhat.com>

	PR analyzer/99886
	* diagnostic-manager.cc
	(diagnostic_manager::prune_interproc_events): Use signed integers
	when subtracting one from path->num_events ().
	(diagnostic_manager::consolidate_conditions): Likewise.  Convert
	next_idx to a signed int.

2021-04-01  David Malcolm  <dmalcolm (a] redhat.com>

	* diagnostic-manager.cc (diagnostic_manager::add_diagnostic): Make
	enode param non-constant, and call add_diagnostic on it.  Add
	enode index to log message.
	(diagnostic_manager::add_diagnostic): Make enode param
	non-constant.
	* diagnostic-manager.h (diagnostic_manager::add_diagnostic):
	Likewise for both decls.
	* engine.cc
	(impl_region_model_context::impl_region_model_context): Likewise
	for enode_for_diag.
	(impl_sm_context::impl_sm_context): Likewise.
	(impl_sm_context::m_enode_for_diag): Likewise.
	(exploded_node::dump_dot): Don't pass the diagnostic manager
	to dump_saved_diagnostics.
	(exploded_node::dump_saved_diagnostics): Drop param.  Iterate
	directly through all saved diagnostics for the enode, rather
	than all saved diagnostics in the diagnostic_manager and
	filtering.
	(exploded_node::on_stmt): Make non-const.
	(exploded_node::on_edge): Likewise.
	(exploded_node::on_longjmp): Likewise.
	(exploded_node::detect_leaks): Likewise.
	(exploded_graph::get_or_create_node): Make enode_for_diag param
	non-const.
	(exploded_graph_annotator::print_enode): Iterate
	directly through all saved diagnostics for the enode, rather
	than all saved diagnostics in the diagnostic_manager and
	filtering.
	* exploded-graph.h
	(impl_region_model_context::impl_region_model_context): Make
	enode_for_diag param non-constant.
	(impl_region_model_context::m_enode_for_diag): Likewise.
	(exploded_node::dump_saved_diagnostics): Drop param.
	(exploded_node::on_stmt): Make non-const.
	(exploded_node::on_edge): Likewise.
	(exploded_node::on_longjmp): Likewise.
	(exploded_node::detect_leaks): Likewise.
	(exploded_node::add_diagnostic): New.
	(exploded_node::get_num_diagnostics): New.
	(exploded_node::get_saved_diagnostic): New.
	(exploded_node::m_saved_diagnostics): New.
	(exploded_graph::get_or_create_node): Make enode_for_diag param
	non-constant.
	* feasible-graph.cc (feasible_node::dump_dot): Drop
	diagnostic_manager from call to dump_saved_diagnostics.
	* program-state.cc (program_state::on_edge): Convert enode param
	to non-const pointer.
	(program_state::prune_for_point): Likewise for enode_for_diag
	param.
	* program-state.h (program_state::on_edge): Convert enode param
	to non-const pointer.
	(program_state::prune_for_point): Likewise for enode_for_diag
	param.

2021-03-31  David Malcolm  <dmalcolm (a] redhat.com>

	PR analyzer/99771
	* analyzer.cc (maybe_reconstruct_from_def_stmt): New.
	(fixup_tree_for_diagnostic_1): New.
	(fixup_tree_for_diagnostic): New.
	* analyzer.h (fixup_tree_for_diagnostic): New decl.
	* checker-path.cc (call_event::get_desc): Call
	fixup_tree_for_diagnostic and use it for the call_with_state call.
	(warning_event::get_desc): Likewise for the final_event and
	make_label_text calls.
	* engine.cc (impl_region_model_context::on_state_leak): Likewise
	for the on_leak and add_diagnostic calls.
	* region-model.cc (region_model::get_representative_tree):
	Likewise for the result.

2021-03-30  David Malcolm  <dmalcolm (a] redhat.com>

	* region.h (region::dump_to_pp): Remove old decl.

2021-03-30  David Malcolm  <dmalcolm (a] redhat.com>

	* sm-file.cc (fileptr_state_machine::on_stmt): Only call
	get_diagnostic_tree if the result will be used.
	* sm-malloc.cc (malloc_state_machine::on_stmt): Likewise.
	(malloc_state_machine::on_deallocator_call): Likewise.
	(malloc_state_machine::on_realloc_call): Likewise.
	(malloc_state_machine::on_realloc_call): Likewise.
	* sm-sensitive.cc
	(sensitive_state_machine::warn_for_any_exposure): Likewise.
	* sm-taint.cc (taint_state_machine::on_stmt): Likewise.

2021-03-25  David Malcolm  <dmalcolm (a] redhat.com>

	PR analyzer/93695
	PR analyzer/99044
	PR analyzer/99716
	* engine.cc (exploded_node::on_stmt): Clear sm-state involving
	an SSA name at the def-stmt of that SSA name.
	* program-state.cc (sm_state_map::purge_state_involving): New.
	* program-state.h (sm_state_map::purge_state_involving): New decl.
	* region-model.cc (selftest::test_involves_p): New.
	(selftest::analyzer_region_model_cc_tests): Call it.
	* svalue.cc (class involvement_visitor): New class
	(svalue::involves_p): New.
	* svalue.h (svalue::involves_p): New decl.

2021-03-19  David Malcolm  <dmalcolm (a] redhat.com>

	PR analyzer/99614
	* diagnostic-manager.cc (class epath_finder): Add
	DISABLE_COPY_AND_ASSIGN.

2021-03-15  Martin Liska  <mliska (a] suse.cz>

	* sm-file.cc (get_file_using_fns): Add missing comma in initializer.

2021-03-11  David Malcolm  <dmalcolm (a] redhat.com>

	PR analyzer/96374
	* analyzer.opt (-param=analyzer-max-infeasible-edges=): New param.
	(fdump-analyzer-feasibility): New flag.
	* diagnostic-manager.cc: Include "analyzer/trimmed-graph.h" and
	"analyzer/feasible-graph.h".
	(epath_finder::epath_finder): Convert m_sep to a pointer and
	only create it if !flag_analyzer_feasibility.
	(epath_finder::~epath_finder): New.
	(epath_finder::m_sep): Convert to a pointer.
	(epath_finder::get_best_epath): Add param "diag_idx" and use it
	when logging.  Rather than finding the shortest path and then
	checking feasibility, instead use explore_feasible_paths unless
	!flag_analyzer_feasibility, in which case simply use the shortest
	path, and note if it is infeasible.  Update for m_sep becoming a
	pointer.
	(class feasible_worklist): New.
	(epath_finder::explore_feasible_paths): New.
	(epath_finder::process_worklist_item): New.
	(class dump_eg_with_shortest_path): New.
	(epath_finder::dump_trimmed_graph): New.
	(epath_finder::dump_feasible_graph): New.
	(saved_diagnostic::saved_diagnostic): Add "idx" param, using it
	on new field m_idx.
	(saved_diagnostic::to_json): Dump m_idx.
	(saved_diagnostic::calc_best_epath): Pass m_idx to get_best_epath.
	Remove assertion that m_problem was set when m_best_epath is NULL.
	(diagnostic_manager::add_diagnostic): Pass an index when created
	saved_diagnostic instances.
	* diagnostic-manager.h (saved_diagnostic::saved_diagnostic): Add
	"idx" param.
	(saved_diagnostic::get_index): New accessor.
	(saved_diagnostic::m_idx): New field.
	* engine.cc (exploded_node::dump_dot): Call args.dump_extra_info.
	Move code to...
	(exploded_node::dump_processed_stmts): ...this new function and...
	(exploded_node::dump_saved_diagnostics): ...this new function.
	Add index of each diagnostic.
	(exploded_edge::dump_dot):  Move bulk of code to...
	(exploded_edge::dump_dot_label): ...this new function.
	* exploded-graph.h (eg_traits::dump_args_t::dump_extra_info): New
	vfunc.
	(exploded_node::dump_processed_stmts): New decl.
	(exploded_node::dump_saved_diagnostics): New decl.
	(exploded_edge::dump_dot_label): New decl.
	* feasible-graph.cc: New file.
	* feasible-graph.h: New file.
	* trimmed-graph.cc: New file.
	* trimmed-graph.h: New file.

2021-03-11  David Malcolm  <dmalcolm (a] redhat.com>

	* diagnostic-manager.cc (epath_finder::epath_finder):
	Update shortest_paths init for new param.

2021-03-10  David Malcolm  <dmalcolm (a] redhat.com>

	PR analyzer/96374
	* engine.cc (exploded_path::feasible_p): Move "snodes_visited" and
	"model" locals into a new class feasibility_state.  Move heart
	of per-edge processing into
	feasibility_state::maybe_update_for_edge.
	(feasibility_state::feasibility_state): New.
	(feasibility_state::maybe_update_for_edge): New, based on loop
	body in exploded_path::feasible_p.
	* exploded-graph.h (class feasibility_state): New.

2021-03-10  David Malcolm  <dmalcolm (a] redhat.com>

	* supergraph.h
	(callgraph_superedge::dyn_cast_callgraph_superedge): New.
	(call_superedge::dyn_cast_callgraph_superedge): Delete.
	(return_superedge::dyn_cast_callgraph_superedge): Delete.

2021-03-02  Martin Liska  <mliska (a] suse.cz>

	* diagnostic-manager.cc (diagnostic_manager::emit_saved_diagnostics):
	Do not pass engine.

2021-02-26  David Malcolm  <dmalcolm (a] redhat.com>

	* engine.cc (exploded_path::exploded_path): New copy-ctor.
	* exploded-graph.h (exploded_path::operator=): Drop decl.

2021-02-26  David Malcolm  <dmalcolm (a] redhat.com>

	PR analyzer/96374
	* diagnostic-manager.cc (class epath_finder): New.
	(epath_finder::get_best_epath): New.
	(saved_diagnostic::saved_diagnostic): Update for replacement of
	m_state and m_epath_length with m_best_epath.
	(saved_diagnostic::~saved_diagnostic): Delete m_best_epath.
	(saved_diagnostic::to_json): Update "path_length" to be optional.
	(saved_diagnostic::calc_best_epath): New, based on
	dedupe_winners::add and parts of dedupe_key::dedupe_key.
	(saved_diagnostic::get_epath_length): New.
	(saved_diagnostic::add_duplicate): New.
	(dedupe_key::dedupe_key): Drop epath param.  Move invocation of
	stmt_finder to saved_diagnostic::calc_best_epath.
	(class dedupe_candidate): Delete.
	(class dedupe_hash_map_traits): Update to use saved_diagnotic *
	rather than dedupe_candidate * as the value_type/compare_type.
	(dedupe_winners::~dedupe_winners): Don't delete the values.
	(dedupe_winners::add): Convert param from shortest_exploded_paths to
	epath_finder.  Drop "eg" param.  Drop dedupe_candidate, moving
	path generation and feasiblity checking to
	epath_finder::get_best_epath.  Update winner-selection for move
	of epaths from dedupe_candidate to saved_diagnostic.
	(dedupe_winners::emit_best):  Update for removal of class
	dedupe_candidate.
	(dedupe_winners::map_t): Update to use saved_diagnotic * rather
	than dedupe_candidate * as the value_type/compare_type.
	(diagnostic_manager::emit_saved_diagnostics): Move
	shortest_exploded_paths instance into epath_finder and pass that
	around instead.
	(diagnostic_manager::emit_saved_diagnostic): Drop epath, stmt
	and num_dupes params, instead getting these from the
	saved_diagnostic.  Use correct location in inform_n call.
	* diagnostic-manager.h (class epath_finder): New forward decl.
	(saved_diagnostic::status): Drop enum.
	(saved_diagnostic::set_feasible): Drop.
	(saved_diagnostic::set_infeasible): Drop.
	(saved_diagnostic::get_status): Drop.
	(saved_diagnostic::calc_best_epath): New decl.
	(saved_diagnostic::get_best_epath): New decl.
	(saved_diagnostic::get_epath_length): New decl.
	(saved_diagnostic::set_epath_length): Drop.
	(saved_diagnostic::get_epath_length): Drop inline implementation.
	(saved_diagnostic::add_duplicate): New.
	(saved_diagnostic::get_num_dupes): New.
	(saved_diagnostic::m_d): Document ownership.
	(saved_diagnostic::m_trailing_eedge): Make const.
	(saved_diagnostic::m_status): Drop field.
	(saved_diagnostic::m_epath_length): Drop field.
	(saved_diagnostic::m_best_epath): New field.
	(saved_diagnostic::m_problem): Document ownership.
	(saved_diagnostic::m_duplicates): New field.
	(diagnostic_manager::emit_saved_diagnostic): Drop params epath,
	stmt, and num_dupes.
	* engine.cc (exploded_graph_annotator::print_saved_diagnostic):
	Update for changes to saved_diagnostic class.
	* exploded-graph.h (exploded_path::feasible_p): Drop unused
	overloaded decl.

2021-02-25  David Malcolm  <dmalcolm (a] redhat.com>

	PR analyzer/99193
	* region-model-impl-calls.cc (region_model::impl_call_realloc): New.
	* region-model.cc (region_model::on_call_pre): Call it.
	* region-model.h (region_model::impl_call_realloc): New decl.
	* sm-malloc.cc (enum wording): Add WORDING_REALLOCATED.
	(malloc_state_machine::m_realloc): New field.
	(use_after_free::describe_state_change): Add case for
	WORDING_REALLOCATED.
	(use_after_free::describe_final_event): Likewise.
	(malloc_state_machine::malloc_state_machine): Initialize
	m_realloc.
	(malloc_state_machine::on_stmt): Handle realloc by calling...
	(malloc_state_machine::on_realloc_call): New.

2021-02-22  David Malcolm  <dmalcolm (a] redhat.com>

	PR analyzer/99196
	* engine.cc (exploded_node::on_stmt): Provide terminate_path
	flag as a way for on_call_pre to terminate the current analysis
	path.
	* region-model-impl-calls.cc (call_details::num_args): New.
	(region_model::impl_call_error): New.
	* region-model.cc (region_model::on_call_pre): Add param
	"out_terminate_path".  Handle "error" and "error_at_line".
	* region-model.h (call_details::num_args): New decl.
	(region_model::on_call_pre): Add param "out_terminate_path".
	(region_model::impl_call_error): New decl.

2021-02-17  David Malcolm  <dmalcolm (a] redhat.com>

	PR analyzer/98969
	* constraint-manager.cc (dead_svalue_purger::should_purge_p):
	Update for change to svalue::live_p.
	* program-state.cc (sm_state_map::on_liveness_change): Likewise.
	(program_state::detect_leaks): Likewise.
	* region-model-reachability.cc (reachable_regions::init_cluster):
	When dealing with a symbolic region, if the underlying pointer is
	implicitly live, add the region to the reachable regions.
	* region-model.cc (region_model::compare_initial_and_pointer):
	Move logic for detecting initial values of params to
	initial_svalue::initial_value_of_param_p.
	* svalue.cc (svalue::live_p): Convert "live_svalues" from a
	reference to a pointer; support it being NULL.
	(svalue::implicitly_live_p): Convert first param from a
	refererence to a pointer.
	(region_svalue::implicitly_live_p): Likewise.
	(constant_svalue::implicitly_live_p): Likewise.
	(initial_svalue::implicitly_live_p): Likewise.  Treat the initial
	values of params for the top level frame as still live.
	(initial_svalue::initial_value_of_param_p): New function, taken
	from a test in region_model::compare_initial_and_pointer.
	(unaryop_svalue::implicitly_live_p): Convert first param from a
	refererence to a pointer.
	(binop_svalue::implicitly_live_p): Likewise.
	(sub_svalue::implicitly_live_p): Likewise.
	(unmergeable_svalue::implicitly_live_p): Likewise.
	* svalue.h (svalue::live_p): Likewise.
	(svalue::implicitly_live_p): Likewise.
	(region_svalue::implicitly_live_p): Likewise.
	(constant_svalue::implicitly_live_p): Likewise.
	(initial_svalue::implicitly_live_p): Likewise.
	(initial_svalue::initial_value_of_param_p): New decl.
	(unaryop_svalue::implicitly_live_p): Convert first param from a
	refererence to a pointer.
	(binop_svalue::implicitly_live_p): Likewise.
	(sub_svalue::implicitly_live_p): Likewise.
	(unmergeable_svalue::implicitly_live_p): Likewise.

2021-02-12  David Malcolm  <dmalcolm (a] redhat.com>

	PR analyzer/98969
	* engine.cc (readability): Add names for the various arbitrary
	values.  Handle NOP_EXPR and INTEGER_CST.
	(readability_comparator): Combine the readability tests for
	tree and stack depth, rather than performing them sequentially.
	(impl_region_model_context::on_state_leak): Strip off top-level
	casts.
	* region-model.cc (region_model::get_representative_path_var): Add
	type-checking, moving the bulk of the implementation to...
	(region_model::get_representative_path_var_1): ...here.  Respect
	types in casts by recursing and re-adding the cast, rather than
	merely stripping them off.  Use the correct type when handling
	region_svalue.
	(region_model::get_representative_tree): Strip off any top-level
	cast.
	(region_model::get_representative_path_var): Add type-checking,
	moving the bulk of the implementation to...
	(region_model::get_representative_path_var_1): ...here.
	* region-model.h (region_model::get_representative_path_var_1):
	New decl
	(region_model::get_representative_path_var_1): New decl.
	* store.cc (append_pathvar_with_type): New.
	(binding_cluster::get_representative_path_vars): Cast path_vars
	to the correct type when adding them to *OUT_PVS.

2021-02-09  David Malcolm  <dmalcolm (a] redhat.com>

	PR analyzer/98575
	* sm-file.cc (is_file_using_fn_p): Support "_IO_"-prefixed
	variants.

2021-02-09  David Malcolm  <dmalcolm (a] redhat.com>

	PR analyzer/98575
	* store.cc (store::set_value): Treat a pointer written to *UNKNOWN
	as having escaped.

2021-02-02  David Malcolm  <dmalcolm (a] redhat.com>

	PR analyzer/93355
	PR analyzer/96374
	* engine.cc (toplevel_function_p): Simplify so that
	we only reject functions with a "__analyzer_" prefix.
	(add_any_callbacks): Delete.
	(exploded_graph::build_initial_worklist): Update for
	dropped param of toplevel_function_p.
	(exploded_graph::build_initial_worklist): Don't bother
	looking for callbacks that are reachable from global
	initializers.

2021-02-01  David Malcolm  <dmalcolm (a] redhat.com>

	PR analyzer/98918
	* region-model-manager.cc
	(region_model_manager::get_or_create_initial_value):
	Fold the initial value of *UNKNOWN_PTR to an UNKNOWN value.
	(region_model_manager::get_field_region): Fold the value
	of UNKNOWN_PTR->FIELD to *UNKNOWN_PTR_OF_&FIELD_TYPE.

2021-01-29  David Malcolm  <dmalcolm (a] redhat.com>

	* checker-path.cc (event_kind_to_string): Handle
	EK_START_CONSOLIDATED_CFG_EDGES and
	EK_END_CONSOLIDATED_CFG_EDGES.
	(start_consolidated_cfg_edges_event::get_desc): New.
	(checker_path::cfg_edge_pair_at_p): New.
	* checker-path.h (enum event_kind): Add
	EK_START_CONSOLIDATED_CFG_EDGES and
	EK_END_CONSOLIDATED_CFG_EDGES.
	(class start_consolidated_cfg_edges_event): New class.
	(class end_consolidated_cfg_edges_event): New class.
	(checker_path::delete_events): New.
	(checker_path::replace_event): New.
	(checker_path::cfg_edge_pair_at_p): New decl.
	* diagnostic-manager.cc (diagnostic_manager::prune_path): Call
	consolidate_conditions.
	(same_line_as_p): New.
	(diagnostic_manager::consolidate_conditions): New.
	* diagnostic-manager.h
	(diagnostic_manager::consolidate_conditions): New decl.

2021-01-18  David Malcolm  <dmalcolm (a] redhat.com>

	* analyzer.h (is_std_named_call_p): New decl.
	* diagnostic-manager.cc (path_builder::get_sm): New.
	(state_change_event_creator::state_change_event_creator): Add "pb"
	param.
	(state_change_event_creator::on_global_state_change): Don't consider
	state changes affecting other state_machines.
	(state_change_event_creator::on_state_change): Likewise.
	(state_change_event_creator::m_pb): New field.
	(diagnostic_manager::add_events_for_eedge): Pass pb to visitor
	ctor.
	* region-model-impl-calls.cc
	(region_model::impl_deallocation_call): New.
	* region-model.cc: Include "attribs.h".
	(region_model::on_call_post): Handle fndecls referenced by
	__attribute__((deallocated_by(FOO))).
	* region-model.h (region_model::impl_deallocation_call): New decl.
	* sm-malloc.cc: Include "stringpool.h" and "attribs.h".  Add
	leading comment.
	(class api): Delete.
	(enum resource_state): Update comment for change from api to
	deallocator and deallocator_set.
	(allocation_state::allocation_state): Drop api param.  Add
	"deallocators" and "deallocator".
	(allocation_state::m_api): Drop field in favor of...
	(allocation_state::m_deallocators): New field.
	(allocation_state::m_deallocator): New field.
	(enum wording): Add WORDING_DEALLOCATED.
	(struct deallocator): New.
	(struct standard_deallocator): New.
	(struct custom_deallocator): New.
	(struct deallocator_set): New.
	(struct custom_deallocator_set): New.
	(struct standard_deallocator_set): New.
	(struct deallocator_set_map_traits): New.
	(malloc_state_machine::m_malloc): Drop field
	(malloc_state_machine::m_scalar_new): Likewise.
	(malloc_state_machine::m_vector_new): Likewise.
	(malloc_state_machine::m_free): New field
	(malloc_state_machine::m_scalar_delete): Likewise.
	(malloc_state_machine::m_vector_delete): Likewise.
	(malloc_state_machine::deallocator_map_t): New typedef.
	(malloc_state_machine::m_deallocator_map): New field.
	(malloc_state_machine::deallocator_set_cache_t): New typedef.
	(malloc_state_machine::m_custom_deallocator_set_cache): New field.
	(malloc_state_machine::custom_deallocator_set_map_t): New typedef.
	(malloc_state_machine::m_custom_deallocator_set_map): New field.
	(malloc_state_machine::m_dynamic_sets): New field.
	(malloc_state_machine::m_dynamic_deallocators): New field.
	(api::api): Delete.
	(deallocator::deallocator): New ctor.
	(deallocator::hash): New.
	(deallocator::dump_to_pp): New.
	(deallocator::cmp): New.
	(deallocator::cmp_ptr_ptr): New.
	(standard_deallocator::standard_deallocator): New ctor.
	(deallocator_set::deallocator_set): New ctor.
	(deallocator_set::dump): New.
	(custom_deallocator_set::custom_deallocator_set): New ctor.
	(custom_deallocator_set::contains_p): New.
	(custom_deallocator_set::maybe_get_single): New.
	(custom_deallocator_set::dump_to_pp): New.
	(standard_deallocator_set::standard_deallocator_set): New ctor.
	(standard_deallocator_set::contains_p): New.
	(standard_deallocator_set::maybe_get_single): New.
	(standard_deallocator_set::dump_to_pp): New.
	(start_p): New.
	(class mismatching_deallocation): Update for conversion from api
	to deallocator_set and deallocator.
	(double_free::emit): Use %qs.
	(class use_after_free): Update for conversion from api to
	deallocator_set and deallocator.
	(malloc_leak::describe_state_change): Only emit "allocated here" on
	a start->nonnull transition, rather than on other transitions to
	nonnull.
	(allocation_state::dump_to_pp): Update for conversion from api to
	deallocator_set.
	(allocation_state::get_nonnull): Likewise.
	(malloc_state_machine::malloc_state_machine): Likewise.
	(malloc_state_machine::~malloc_state_machine): New.
	(malloc_state_machine::add_state): Update for conversion from api
	to deallocator_set.
	(malloc_state_machine::get_or_create_custom_deallocator_set): New.
	(malloc_state_machine::maybe_create_custom_deallocator_set): New.
	(malloc_state_machine::get_or_create_deallocator): New.
	(malloc_state_machine::on_stmt): Update for conversion from api
	to deallocator_set.  Handle "__attribute__((malloc(FOO)))", and
	the special attribute set on FOO.
	(malloc_state_machine::on_allocator_call): Update for conversion
	from api to deallocator_set.  Add "returns_nonnull" param and use
	it to affect which state to transition to.
	(malloc_state_machine::on_deallocator_call): Update for conversion
	from api to deallocator_set.

2021-01-14  David Malcolm  <dmalcolm (a] redhat.com>

	* engine.cc (strongly_connected_components::to_json): New.
	(worklist::to_json): New.
	(exploded_graph::to_json): JSON-ify the worklist.
	* exploded-graph.h (strongly_connected_components::to_json): New
	decl.
	(worklist::to_json): New decl.
	* store.cc (store::to_json): Fix comment.
	* supergraph.cc (supernode::to_json): Fix reference to
	"returning_call" in comment.  Add optional "fun" to JSON.
	(edge_kind_to_string): New.
	(superedge::to_json): Add "kind" to JSON.

2021-01-14  David Malcolm  <dmalcolm (a] redhat.com>

	PR analyzer/98679
	* analyzer.h (region_offset::operator==): Make const.
	* pending-diagnostic.h (pending_diagnostic::equal_p): Likewise.
	* store.h (binding_cluster::for_each_value): Likewise.
	(binding_cluster::for_each_binding): Likewise.

2021-01-12  David Malcolm  <dmalcolm (a] redhat.com>

	PR analyzer/98628
	* store.cc (binding_cluster::make_unknown_relative_to): Don't mark
	dereferenced unknown pointers as having escaped.

2021-01-07  David Malcolm  <dmalcolm (a] redhat.com>

	PR analyzer/98580
	* region.cc (decl_region::get_svalue_for_initializer): Gracefully
	handle when LTO writes out DECL_INITIAL as error_mark_node.

2021-01-07  David Malcolm  <dmalcolm (a] redhat.com>

	PR analyzer/97074
	* store.cc (binding_cluster::can_merge_p): Add "out_store" param
	and pass to calls to binding_cluster::make_unknown_relative_to.
	(binding_cluster::make_unknown_relative_to): Add "out_store"
	param.  Use it to mark base regions that are pointed to by
	pointers that become unknown as having escaped.
	(store::can_merge_p): Pass out_store to
	binding_cluster::can_merge_p.
	* store.h (binding_cluster::can_merge_p): Add "out_store" param.
	(binding_cluster::make_unknown_relative_to): Likewise.
	* svalue.cc (region_svalue::implicitly_live_p): New vfunc.
	* svalue.h (region_svalue::implicitly_live_p): New vfunc decl.

2021-01-07  David Malcolm  <dmalcolm (a] redhat.com>

	PR analyzer/98564
	* engine.cc (exploded_path::feasible_p): Add missing call to
	bitmap_clear.

2021-01-06  David Malcolm  <dmalcolm (a] redhat.com>

	PR analyzer/97072
	* region-model-reachability.cc (reachable_regions::init_cluster):
	Convert symbolic region handling to a switch statement.  Add cases
	to handle SK_UNKNOWN and SK_CONJURED.

2021-01-05  David Malcolm  <dmalcolm (a] redhat.com>

	PR analyzer/98293
	* store.cc (binding_map::apply_ctor_to_region): When "index" is
	NULL, iterate through the fields for RECORD_TYPEs, rather than
	creating an INTEGER_CST index.

2020-11-30  David Malcolm  <dmalcolm (a] redhat.com>

	* analyzer-pass.cc: Include "analyzer/analyzer.h" for the
	declaration of sorry_no_analyzer; include "tree.h" and
	"function.h" as these are needed by it.

2020-11-30  David Malcolm  <dmalcolm (a] redhat.com>

	* analyzer-pass.cc (pass_analyzer::execute): Move sorry call to...
	(sorry_no_analyzer): New.
	* analyzer.h (class state_machine): New forward decl.
	(class logger): New forward decl.
	(class plugin_analyzer_init_iface): New.
	(sorry_no_analyzer): New decl.
	* checker-path.cc (checker_path::fixup_locations): New.
	* checker-path.h (checker_event::set_location): New.
	(checker_path::fixup_locations): New decl.
	* diagnostic-manager.cc
	(diagnostic_manager::emit_saved_diagnostic): Call
	checker_path::fixup_locations, and call fixup_location
	on the primary location.
	* engine.cc: Include "plugin.h".
	(class plugin_analyzer_init_impl): New.
	(impl_run_checkers): Invoke PLUGIN_ANALYZER_INIT callbacks.
	* pending-diagnostic.h (pending_diagnostic::fixup_location): New
	vfunc.

2020-11-18  David Malcolm  <dmalcolm (a] redhat.com>

	PR analyzer/97893
	* sm-malloc.cc (null_deref::emit): Use CWE-476 rather than
	CWE-690, as this isn't due to an unchecked return value.
	(null_arg::emit): Likewise.

2020-11-12  David Malcolm  <dmalcolm (a] redhat.com>

	* checker-path.h (checker_event::get_id_ptr): New.
	* diagnostic-manager.cc (path_builder::path_builder): Add "sd"
	param and use it to initialize new field "m_sd".
	(path_builder::get_pending_diagnostic): New.
	(path_builder::m_sd): New field.
	(diagnostic_manager::emit_saved_diagnostic): Pass sd to
	path_builder ctor.
	(diagnostic_manager::add_events_for_superedge): Call new
	maybe_add_custom_events_for_superedge vfunc.
	* engine.cc (stale_jmp_buf::stale_jmp_buf): Add "setjmp_point"
	param and use it to initialize new field "m_setjmp_point".
	Initialize new field "m_stack_pop_event".
	(stale_jmp_buf::maybe_add_custom_events_for_superedge): New vfunc
	implementation.
	(stale_jmp_buf::describe_final_event): New vfunc implementation.
	(stale_jmp_buf::m_setjmp_point): New field.
	(stale_jmp_buf::m_stack_pop_event): New field.
	(exploded_node::on_longjmp): Pass setjmp_point to stale_jmp_buf
	ctor.
	* pending-diagnostic.h
	(pending_diagnostic::maybe_add_custom_events_for_superedge): New
	vfunc.

2020-11-12  David Malcolm  <dmalcolm (a] redhat.com>

	PR tree-optimization/97424
	* analyzer.opt (Wanalyzer-shift-count-negative): New.
	(Wanalyzer-shift-count-overflow): New.
	* region-model.cc (class shift_count_negative_diagnostic): New.
	(class shift_count_overflow_diagnostic): New.
	(region_model::get_gassign_result): Complain about shift counts that
	are negative or are >= the operand's type's width.

2020-11-10  Martin Liska  <mliska (a] suse.cz>

	* constraint-manager.cc (constraint_manager::merge): Remove
	unused code.
	* constraint-manager.h: Likewise.
	* program-state.cc (sm_state_map::sm_state_map): Likewise.
	(program_state::program_state): Likewise.
	(test_sm_state_map): Likewise.
	* program-state.h: Likewise.
	* region-model-reachability.cc (reachable_regions::reachable_regions): Likewise.
	* region-model-reachability.h: Likewise.
	* region-model.cc (region_model::handle_unrecognized_call): Likewise.
	(region_model::get_reachable_svalues): Likewise.
	(region_model::can_merge_with_p): Likewise.

2020-11-05  David Malcolm  <dmalcolm (a] redhat.com>

	PR analyzer/97668
	* svalue.cc (cmp_cst): Handle COMPLEX_CST.

2020-10-29  David Malcolm  <dmalcolm (a] redhat.com>

	* program-state.cc (sm_state_map::on_liveness_change): Sort the
	leaking svalues before calling on_state_leak.
	(program_state::detect_leaks): Likewise when calling
	on_svalue_leak.
	* region-model-reachability.cc
	(reachable_regions::mark_escaped_clusters): Likewise when
	calling on_escaped_function.

2020-10-29  David Malcolm  <dmalcolm (a] redhat.com>

	PR analyzer/97608
	* region-model-reachability.cc (reachable_regions::handle_sval):
	Operands of reachable reversible operations are reachable.

2020-10-29  David Malcolm  <dmalcolm (a] redhat.com>

	* analyzer.h (class state_machine): New forward decl.
	(class logger): Likewise.
	(class visitor): Likewise.
	* complexity.cc: New file, taken from svalue.cc.
	* complexity.h: New file, taken from region-model.h.
	* region-model.h: Include "analyzer/svalue.h" and
	"analyzer/region.h".  Move struct complexity to complexity.h.
	Move svalue, its subclasses and supporting decls to svalue.h.
	Move region, its subclasses and supporting decls to region.h.
	* region.cc: Include "analyzer/region.h".
	(symbolic_region::symbolic_region): Move here from region-model.h.
	* region.h: New file, based on material from region-model.h.
	* svalue.cc: Include "analyzer/svalue.h".
	(complexity::complexity): Move to complexity.cc.
	(complexity::from_pair): Likewise.
	* svalue.h: New file, based on material from region-model.h.

2020-10-29  David Malcolm  <dmalcolm (a] redhat.com>

	* program-state.cc (sm_state_map::print): Guard the printing of
	the origin pointer with !flag_dump_noaddr.
	* region.cc (string_region::dump_to_pp): Likewise for
	m_string_cst.

2020-10-27  David Malcolm  <dmalcolm (a] redhat.com>

	PR analyzer/97568
	* region-model.cc (region_model::get_initial_value_for_global):
	Move check that !DECL_EXTERNAL from here to...
	* region.cc (decl_region::get_svalue_for_initializer): ...here,
	using it to reject zero initialization.

2020-10-27  Markus Bck  <markus.boeck02 (a] gmail.com>

	PR analyzer/96608
	* store.h (hash): Cast to intptr_t instead of long

2020-10-27  David Malcolm  <dmalcolm (a] redhat.com>

	* constraint-manager.cc (svalue_cmp_by_ptr): Delete.
	(equiv_class::canonicalize): Use svalue::cmp_ptr_ptr instead.
	(equiv_class_cmp): Eliminate pointer comparison.
	* diagnostic-manager.cc (dedupe_key::comparator): If they are at
	the same location, also compare epath ength and pending_diagnostic
	kind.
	* engine.cc (readability_comparator): If two path_vars have the
	same readability, then impose an arbitrary ordering on them.
	(worklist::key_t::cmp): If two points have the same plan ordering,
	continue the comparison.  Call sm_state_map::cmp rather than
	comparing hash values.
	* program-state.cc (sm_state_map::entry_t::cmp): New.
	(sm_state_map::cmp): New.
	* program-state.h (sm_state_map::entry_t::cmp): New decl.
	(sm_state_map::elements): New.
	(sm_state_map::cmp): New.

2020-10-27  David Malcolm  <dmalcolm (a] redhat.com>

	* engine.cc (setjmp_record::cmp): New.
	(supernode_cluster::dump_dot): Avoid embedding pointer in cluster
	name.
	(supernode_cluster::cmp_ptr_ptr): New.
	(function_call_string_cluster::dump_dot): Avoid embedding pointer
	in cluster name.  Sort m_map when dumping child clusters.
	(function_call_string_cluster::cmp_ptr_ptr): New.
	(root_cluster::dump_dot): Sort m_map when dumping child clusters.
	* program-point.cc (function_point::cmp): New.
	(function_point::cmp_ptr): New.
	* program-point.h (function_point::cmp): New decl.
	(function_point::cmp_ptr): New decl.
	* program-state.cc (sm_state_map::print): Sort the values.  Guard
	the printing of pointers with !flag_dump_noaddr.
	(program_state::prune_for_point): Sort the regions.
	(log_set_of_svalues): Sort the values.  Guard the printing of
	pointers with !flag_dump_noaddr.
	* region-model-manager.cc (log_uniq_map): Sort the values.
	* region-model-reachability.cc (dump_set): New function template.
	(reachable_regions::dump_to_pp): Use it.
	* region-model.h (svalue::cmp_ptr): New decl.
	(svalue::cmp_ptr_ptr): New decl.
	(setjmp_record::cmp): New decl.
	(placeholder_svalue::get_name): New accessor.
	(widening_svalue::get_point): New accessor.
	(compound_svalue::get_map): New accessor.
	(conjured_svalue::get_stmt): New accessor.
	(conjured_svalue::get_id_region): New accessor.
	(region::cmp_ptrs): Rename to...
	(region::cmp_ptr_ptr): ...this.
	* region.cc (region::cmp_ptrs): Rename to...
	(region::cmp_ptr_ptr): ...this.
	* state-purge.cc
	(state_purge_per_ssa_name::state_purge_per_ssa_name): Sort
	m_points_needing_name when dumping.
	* store.cc (concrete_binding::cmp_ptr_ptr): New.
	(symbolic_binding::cmp_ptr_ptr): New.
	(binding_map::cmp): New.
	(get_sorted_parent_regions): Update for renaming of
	region::cmp_ptrs to region::cmp_ptr_ptr.
	(store::dump_to_pp): Likewise.
	(store::to_json): Likewise.
	(store::can_merge_p): Sort the base regions before considering
	them.
	* store.h (concrete_binding::cmp_ptr_ptr): New decl.
	(symbolic_binding::cmp_ptr_ptr): New decl.
	(binding_map::cmp): New decl.
	* supergraph.cc (supergraph::supergraph): Assign UIDs to the
	gimple stmts.
	* svalue.cc (cmp_cst): New.
	(svalue::cmp_ptr): New.
	(svalue::cmp_ptr_ptr): New.

2020-10-27  David Malcolm  <dmalcolm (a] redhat.com>

	* engine.cc (exploded_graph::get_or_create_node): Fix off-by-one
	when imposing param_analyzer_max_enodes_per_program_point limit.

2020-10-27  David Malcolm  <dmalcolm (a] redhat.com>

	* region-model.cc (region_model::get_representative_path_var):
	Implement case RK_LABEL.
	* region-model.h (label_region::get_label): New accessor.

2020-10-22  David Malcolm  <dmalcolm (a] redhat.com>

	PR analyzer/97514
	* engine.cc (exploded_graph::add_function_entry): Handle failure
	to create an enode, rather than asserting.

2020-10-22  David Malcolm  <dmalcolm (a] redhat.com>

	PR analyzer/97489
	* engine.cc (exploded_graph::add_function_entry): Assert that we
	have a function body.
	(exploded_graph::on_escaped_function): Reject fndecls that don't
	have a function body.

2020-10-14  David Malcolm  <dmalcolm (a] redhat.com>

	PR analyzer/93388
	* region-model.cc (region_model::get_initial_value_for_global):
	Fall back to returning an initial_svalue if
	decl_region::get_svalue_for_initializer fails.
	* region.cc (decl_region::get_svalue_for_initializer): Don't
	attempt to create a compound_svalue if the region has an unknown
	size.

2020-10-14  David Malcolm  <dmalcolm (a] redhat.com>

	PR analyzer/93723
	* store.cc (binding_map::apply_ctor_to_region): Remove redundant
	assertion.

2020-10-12  David Malcolm  <dmalcolm (a] redhat.com>

	PR analyzer/97258
	* engine.cc (impl_region_model_context::on_escaped_function): New
	vfunc.
	(exploded_graph::add_function_entry): Use m_functions_with_enodes
	to implement idempotency.
	(add_any_callbacks): New.
	(exploded_graph::build_initial_worklist): Use the above to find
	callbacks that are reachable from global initializers.
	(exploded_graph::on_escaped_function): New.
	* exploded-graph.h
	(impl_region_model_context::on_escaped_function): New decl.
	(exploded_graph::on_escaped_function): New decl.
	(exploded_graph::m_functions_with_enodes): New field.
	* region-model-reachability.cc
	(reachable_regions::reachable_regions): Replace "store" param with
	"model" param; use it to initialize m_model.
	(reachable_regions::add): When getting the svalue for the region,
	call get_store_value on the model rather than using an initial
	value.
	(reachable_regions::mark_escaped_clusters): Add ctxt param and
	use it to call on_escaped_function when a function_region escapes.
	* region-model-reachability.h
	(reachable_regions::reachable_regions): Replace "store" param with
	"model" param.
	(reachable_regions::mark_escaped_clusters): Add ctxt param.
	(reachable_regions::m_model): New field.
	* region-model.cc (region_model::handle_unrecognized_call): Update
	for change in reachable_regions ctor.
	(region_model::handle_unrecognized_call): Pass ctxt to
	mark_escaped_clusters.
	(region_model::get_reachable_svalues): Update for change in
	reachable_regions ctor.
	(region_model::get_initial_value_for_global): Read-only variables
	keep their initial values.
	* region-model.h (region_model_context::on_escaped_function): New
	vfunc.
	(noop_region_model_context::on_escaped_function): New.

2020-10-12  David Malcolm  <dmalcolm (a] redhat.com>

	* analyzer.opt (Wanalyzer-write-to-const): New.
	(Wanalyzer-write-to-string-literal): New.
	* region-model-impl-calls.cc (region_model::impl_call_memcpy):
	Call check_for_writable_region.
	(region_model::impl_call_memset): Likewise.
	(region_model::impl_call_strcpy): Likewise.
	* region-model.cc (class write_to_const_diagnostic): New.
	(class write_to_string_literal_diagnostic): New.
	(region_model::check_for_writable_region): New.
	(region_model::set_value): Call check_for_writable_region.
	* region-model.h (region_model::check_for_writable_region): New
	decl.

2020-10-07  David Malcolm  <dmalcolm (a] redhat.com>

	PR analyzer/97116
	* sm-malloc.cc (method_p): New.
	(describe_argument_index): New.
	(inform_nonnull_attribute): Use describe_argument_index.
	(possible_null_arg::describe_final_event): Likewise.
	(null_arg::describe_final_event): Likewise.

2020-09-29  David Malcolm  <dmalcolm (a] redhat.com>

	PR analyzer/95188
	* engine.cc (stmt_requires_new_enode_p): Split enodes before
	"signal" calls.

2020-09-29  David Malcolm  <dmalcolm (a] redhat.com>

	* constraint-manager.cc
	(constraint_manager::add_constraint_internal): Whitespace fixes.
	Silence -Wsign-compare warning.
	* engine.cc (maybe_process_run_of_before_supernode_enodes):
	Silence -Wsign-compare warning.

2020-09-28  David Malcolm  <dmalcolm (a] redhat.com>

	* region-model.h (binop_svalue::dyn_cast_binop_svalue): Remove
	redundant "virtual".  Add FINAL OVERRIDE.
	(widening_svalue::dyn_cast_widening_svalue): Add FINAL OVERRIDE.
	(compound_svalue::dyn_cast_compound_svalue): Likewise.
	(conjured_svalue::dyn_cast_conjured_svalue): Likewise.

2020-09-28  David Malcolm  <dmalcolm (a] redhat.com>

	* diagnostic-manager.cc (null_assignment_sm_context::m_visitor):
	Remove unused field.

2020-09-28  David Malcolm  <dmalcolm (a] redhat.com>

	PR analyzer/97233
	* analyzer.cc (is_longjmp_call_p): Require the initial argument
	to be a pointer.
	* engine.cc (exploded_node::on_longjmp): Likewise.

2020-09-28  David Malcolm  <dmalcolm (a] redhat.com>

	* program-state.cc (sm_state_map::print): Update check
	for m_global_state being the start state.

2020-09-26  David Malcolm  <dmalcolm (a] redhat.com>

	PR analyzer/96646
	PR analyzer/96841
	* region-model.cc (region_model::get_representative_path_var):
	When handling offset_region, wrap the MEM_REF's first argument in
	an ADDR_EXPR of pointer type, rather than simply using the tree
	for the parent region.  Require the MEM_REF's second argument to
	be an integer constant.

2020-09-24  David Malcolm  <dmalcolm (a] redhat.com>

	* analyzer.h (struct rejected_constraint): New decl.
	* analyzer.opt (fanalyzer-feasibility): New option.
	* diagnostic-manager.cc (path_builder::path_builder): Add
	"problem" param and use it to initialize new field.
	(path_builder::get_feasibility_problem): New accessor.
	(path_builder::m_feasibility_problem): New field.
	(dedupe_winners::add): Remove inversion of logic in "if" clause,
	swapping if/else suites.  In the !feasible_p suite, inspect
	flag_analyzer_feasibility and add code to handle when this
	is off, accepting the infeasible path, but recording the
	feasibility_problem.
	(diagnostic_manager::emit_saved_diagnostic): Pass the
	feasibility_problem to the path_builder.
	(diagnostic_manager::add_events_for_eedge): If we have
	a feasibility_problem at this edge, use it to add a custom event.
	* engine.cc (exploded_path::feasible_p): Pass a
	rejected_constraint ** to model.maybe_update_for_edge and transfer
	ownership of any created instance to any feasibility_problem.
	(feasibility_problem::dump_to_pp): New.
	* exploded-graph.h (feasibility_problem::feasibility_problem):
	Drop "model" param; add rejected_constraint * param.
	(feasibility_problem::~feasibility_problem): New.
	(feasibility_problem::dump_to_pp): New decl.
	(feasibility_problem::m_model): Drop field.
	(feasibility_problem::m_rc): New field.
	* program-point.cc (function_point::get_location): Handle
	PK_BEFORE_SUPERNODE and PK_AFTER_SUPERNODE.
	* program-state.cc (program_state::on_edge): Pass NULL to new
	param of region_model::maybe_update_for_edge.
	* region-model.cc (region_model::add_constraint): New overload
	adding a rejected_constraint ** param.
	(region_model::maybe_update_for_edge): Add rejected_constraint **
	param and pass it to the various apply_constraints_for_ calls.
	(region_model::apply_constraints_for_gcond): Add
	rejected_constraint ** param and pass it to add_constraint calls.
	(region_model::apply_constraints_for_gswitch): Likewise.
	(region_model::apply_constraints_for_exception): Likewise.
	(rejected_constraint::dump_to_pp): New.
	* region-model.h (region_model::maybe_update_for_edge):
	Add rejected_constraint ** param.
	(region_model::add_constraint): New overload adding a
	rejected_constraint ** param.
	(region_model::apply_constraints_for_gcond): Add
	rejected_constraint ** param.
	(region_model::apply_constraints_for_gswitch): Likewise.
	(region_model::apply_constraints_for_exception): Likewise.
	(struct rejected_constraint): New.

2020-09-23  David Malcolm  <dmalcolm (a] redhat.com>

	PR analyzer/97178
	* engine.cc (impl_run_checkers): Update for change to ext_state
	ctor.
	* program-state.cc (selftest::test_sm_state_map): Pass an engine
	instance to ext_state ctor.
	(selftest::test_program_state_1): Likewise.
	(selftest::test_program_state_2): Likewise.
	(selftest::test_program_state_merging): Likewise.
	(selftest::test_program_state_merging_2): Likewise.
	* program-state.h (extrinsic_state::extrinsic_state): Remove NULL
	default value for "eng" param.

2020-09-23  Tobias Burnus  <tobias (a] codesourcery.com>

	* analyzer-logging.cc: Guard '#pragma ... ignored "-Wformat-diag"'
	by '#if __GNUC__ >= 10'
	* analyzer.h: Likewise.
	* call-string.cc: Likewise.

2020-09-23  David Malcolm  <dmalcolm (a] redhat.com>

	* engine.cc (exploded_node::on_stmt): Replace sequence of dyn_cast
	with switch.

2020-09-22  David Malcolm  <dmalcolm (a] redhat.com>

	* analysis-plan.cc: Include "json.h".
	* analyzer.opt (fdump-analyzer-json): New.
	* call-string.cc: Include "json.h".
	(call_string::to_json): New.
	* call-string.h (call_string::to_json): New decl.
	* checker-path.cc: Include "json.h".
	* constraint-manager.cc: Include "json.h".
	(equiv_class::to_json): New.
	(constraint::to_json): New.
	(constraint_manager::to_json): New.
	* constraint-manager.h (equiv_class::to_json): New decl.
	(constraint::to_json): New decl.
	(constraint_manager::to_json): New decl.
	* diagnostic-manager.cc: Include "json.h".
	(saved_diagnostic::to_json): New.
	(diagnostic_manager::to_json): New.
	* diagnostic-manager.h (saved_diagnostic::to_json): New decl.
	(diagnostic_manager::to_json): New decl.
	* engine.cc: Include "json.h", <zlib.h>.
	(exploded_node::status_to_str): New.
	(exploded_node::to_json): New.
	(exploded_edge::to_json): New.
	(exploded_graph::to_json): New.
	(dump_analyzer_json): New.
	(impl_run_checkers): Call it.
	* exploded-graph.h (exploded_node::status_to_str): New decl.
	(exploded_node::to_json): New.
	(exploded_edge::to_json): New.
	(exploded_graph::to_json): New.
	* pending-diagnostic.cc: Include "json.h".
	* program-point.cc: Include "json.h".
	(program_point::to_json): New.
	* program-point.h (program_point::to_json): New decl.
	* program-state.cc: Include "json.h".
	(extrinsic_state::to_json): New.
	(sm_state_map::to_json): New.
	(program_state::to_json): New.
	* program-state.h (extrinsic_state::to_json): New decl.
	(sm_state_map::to_json): New decl.
	(program_state::to_json): New decl.
	* region-model-impl-calls.cc: Include "json.h".
	* region-model-manager.cc: Include "json.h".
	* region-model-reachability.cc: Include "json.h".
	* region-model.cc: Include "json.h".
	* region-model.h (svalue::to_json): New decl.
	(region::to_json): New decl.
	* region.cc: Include "json.h".
	(region::to_json: New.
	* sm-file.cc: Include "json.h".
	* sm-malloc.cc: Include "json.h".
	* sm-pattern-test.cc: Include "json.h".
	* sm-sensitive.cc: Include "json.h".
	* sm-signal.cc: Include "json.h".
	(signal_delivery_edge_info_t::to_json): New.
	* sm-taint.cc: Include "json.h".
	* sm.cc: Include "diagnostic.h", "tree-diagnostic.h", and
	"json.h".
	(state_machine::state::to_json): New.
	(state_machine::to_json): New.
	* sm.h (state_machine::state::to_json): New.
	(state_machine::to_json): New.
	* state-purge.cc: Include "json.h".
	* store.cc: Include "json.h".
	(binding_key::get_desc): New.
	(binding_map::to_json): New.
	(binding_cluster::to_json): New.
	(store::to_json): New.
	* store.h (binding_key::get_desc): New decl.
	(binding_map::to_json): New decl.
	(binding_cluster::to_json): New decl.
	(store::to_json): New decl.
	* supergraph.cc: Include "json.h".
	(supergraph::to_json): New.
	(supernode::to_json): New.
	(superedge::to_json): New.
	* supergraph.h (supergraph::to_json): New decl.
	(supernode::to_json): New decl.
	(superedge::to_json): New decl.
	* svalue.cc: Include "json.h".
	(svalue::to_json): New.

2020-09-21  David Malcolm  <dmalcolm (a] redhat.com>

	PR analyzer/97130
	* region-model-impl-calls.cc (call_details::get_arg_type): New.
	* region-model.cc (region_model::on_call_pre): Check that the
	initial arg is a pointer before calling impl_call_memset and
	impl_call_strlen.
	* region-model.h (call_details::get_arg_type): New decl.

2020-09-21  David Malcolm  <dmalcolm (a] redhat.com>

	PR analyzer/93355
	* sm-malloc.cc (malloc_state_machine::get_default_state): Look at
	the base region when considering pointers.  Treat pointers to
	decls as being non-heap.

2020-09-18  David Malcolm  <dmalcolm (a] redhat.com>

	* checker-path.cc (warning_event::get_desc): Handle global state
	changes.

2020-09-18  David Malcolm  <dmalcolm (a] redhat.com>

	* sm-malloc.cc (malloc_state_machine::on_stmt): Handle strdup and
	strndup as being malloc-like allocators.

2020-09-16  David Malcolm  <dmalcolm (a] redhat.com>

	* engine.cc (strongly_connected_components::strong_connect): Only
	consider intraprocedural edges when creating SCCs.
	(worklist::key_t::cmp): Add comment.  Treat call_string
	differences as more important than differences of program_point
	within a supernode.

2020-09-16  David Malcolm  <dmalcolm (a] redhat.com>

	* engine.cc (supernode_cluster::dump_dot): Show the SCC id
	in the per-supernode clusters in FILENAME.eg.dot output.
	(exploded_graph_annotator::add_node_annotations):
	Show the SCC of the supernode in FILENAME.supernode.eg.dot output.
	* exploded-graph.h (worklist::scc_id): New.
	(exploded_graph::get_scc_id): New.

2020-09-16  David Malcolm  <dmalcolm (a] redhat.com>

	* engine.cc (exploded_node::dump_dot): Show STATUS_BULK_MERGED.
	(exploded_graph::process_worklist): Call
	maybe_process_run_of_before_supernode_enodes.
	(exploded_graph::maybe_process_run_of_before_supernode_enodes):
	New.
	(exploded_graph_annotator::print_enode): Show STATUS_BULK_MERGED.
	* exploded-graph.h (enum exploded_node::status): Add
	STATUS_BULK_MERGED.

2020-09-16  David Malcolm  <dmalcolm (a] redhat.com>

	* engine.cc
	(exploded_graph::process_node) <case PK_BEFORE_SUPERNODE>:
	Simplify by using program_point::get_next.
	* program-point.cc (program_point::get_next): New.
	* program-point.h (program_point::get_next): New decl.

2020-09-16  David Malcolm  <dmalcolm (a] redhat.com>

	* engine.cc (exploded_graph::get_or_create_node): Show the
	program point when issuing -Wanalyzer-too-complex due to hitting
	the per-program-point limit.

2020-09-16  David Malcolm  <dmalcolm (a] redhat.com>

	* region-model.cc (region_model::on_call_pre): Treat getchar as
	having no side-effects.

2020-09-15  David Malcolm  <dmalcolm (a] redhat.com>

	PR analyzer/96650
	* constraint-manager.cc (merger_fact_visitor::on_fact): Replace
	assertion that add_constraint succeeded with an assertion that
	if it fails, -fanalyzer-transitivity is off.

2020-09-14  David Malcolm  <dmalcolm (a] redhat.com>

	* analyzer.opt (-param=analyzer-max-constraints=): New param.
	* constraint-manager.cc
	(constraint_manager::add_constraint_internal): Silently reject
	attempts to add constraints when the above limit is reached.

2020-09-14  David Malcolm  <dmalcolm (a] redhat.com>

	PR analyzer/96653
	* constraint-manager.cc
	(constraint_manager::get_or_add_equiv_class): Don't accumulate
	transitive closure of all constraints on constants.

2020-09-14  David Malcolm  <dmalcolm (a] redhat.com>

	PR analyzer/97029
	* analyzer.cc (is_setjmp_call_p): Require the initial arg to be a
	pointer.
	* region-model.cc (region_model::deref_rvalue): Assert that the
	svalue is of pointer type.

2020-09-11  David Malcolm  <dmalcolm (a] redhat.com>

	PR analyzer/96798
	* region-model-impl-calls.cc (region_model::impl_call_memcpy):
	New.
	(region_model::impl_call_strcpy): New.
	* region-model.cc (region_model::on_call_pre): Flag unhandled
	builtins that are non-pure as having unknown side-effects.
	Implement BUILT_IN_MEMCPY, BUILT_IN_MEMCPY_CHK, BUILT_IN_STRCPY,
	BUILT_IN_STRCPY_CHK, BUILT_IN_FPRINTF, BUILT_IN_FPRINTF_UNLOCKED,
	BUILT_IN_PUTC, BUILT_IN_PUTC_UNLOCKED, BUILT_IN_FPUTC,
	BUILT_IN_FPUTC_UNLOCKED, BUILT_IN_FPUTS, BUILT_IN_FPUTS_UNLOCKED,
	BUILT_IN_FWRITE, BUILT_IN_FWRITE_UNLOCKED, BUILT_IN_PRINTF,
	BUILT_IN_PRINTF_UNLOCKED, BUILT_IN_PUTCHAR,
	BUILT_IN_PUTCHAR_UNLOCKED, BUILT_IN_PUTS, BUILT_IN_PUTS_UNLOCKED,
	BUILT_IN_VFPRINTF, BUILT_IN_VPRINTF.
	* region-model.h (region_model::impl_call_memcpy): New decl.
	(region_model::impl_call_strcpy): New decl.

2020-09-09  David Malcolm  <dmalcolm (a] redhat.com>

	PR analyzer/94355
	* analyzer.opt (Wanalyzer-mismatching-deallocation): New warning.
	* region-model-impl-calls.cc
	(region_model::impl_call_operator_new): New.
	(region_model::impl_call_operator_delete): New.
	* region-model.cc (region_model::on_call_pre): Detect operator new
	and operator delete.
	(region_model::on_call_post): Likewise.
	(region_model::maybe_update_for_edge): Detect EH edges and call...
	(region_model::apply_constraints_for_exception): New function.
	* region-model.h (region_model::impl_call_operator_new): New decl.
	(region_model::impl_call_operator_delete): New decl.
	(region_model::apply_constraints_for_exception): New decl.
	* sm-malloc.cc (enum resource_state): New.
	(struct allocation_state): New state subclass.
	(enum wording): New.
	(struct api): New.
	(malloc_state_machine::custom_data_t): New typedef.
	(malloc_state_machine::add_state): New decl.
	(malloc_state_machine::m_unchecked)
	(malloc_state_machine::m_nonnull)
	(malloc_state_machine::m_freed): Delete these states in favor
	of...
	(malloc_state_machine::m_malloc)
	(malloc_state_machine::m_scalar_new)
	(malloc_state_machine::m_vector_new): ...this new api instances,
	which own their own versions of these states.
	(malloc_state_machine::on_allocator_call): New decl.
	(malloc_state_machine::on_deallocator_call): New decl.
	(api::api): New ctor.
	(dyn_cast_allocation_state): New.
	(as_a_allocation_state): New.
	(get_rs): New.
	(unchecked_p): New.
	(nonnull_p): New.
	(freed_p): New.
	(malloc_diagnostic::describe_state_change): Use unchecked_p and
	nonnull_p.
	(class mismatching_deallocation): New.
	(double_free::double_free): Add funcname param for initializing
	m_funcname.
	(double_free::emit): Use m_funcname in warning message rather
	than hardcoding "free".
	(double_free::describe_state_change): Likewise.  Use freed_p.
	(double_free::describe_call_with_state): Use freed_p.
	(double_free::describe_final_event): Use m_funcname in message
	rather than hardcoding "free".
	(double_free::m_funcname): New field.
	(possible_null::describe_state_change): Use unchecked_p.
	(possible_null::describe_return_of_state): Likewise.
	(use_after_free::use_after_free): Add param for initializing m_api.
	(use_after_free::emit): Use m_api->m_dealloc_funcname in message
	rather than hardcoding "free".
	(use_after_free::describe_state_change): Use freed_p.  Change the
	wording of the message based on the API.
	(use_after_free::describe_final_event): Use
	m_api->m_dealloc_funcname in message rather than hardcoding
	"free".  Change the wording of the message based on the API.
	(use_after_free::m_api): New field.
	(malloc_leak::describe_state_change): Use unchecked_p.  Update
	for renaming of m_malloc_event to m_alloc_event.
	(malloc_leak::describe_final_event): Update for renaming of
	m_malloc_event to m_alloc_event.
	(malloc_leak::m_malloc_event): Rename...
	(malloc_leak::m_alloc_event): ...to this.
	(free_of_non_heap::free_of_non_heap): Add param for initializing
	m_funcname.
	(free_of_non_heap::emit): Use m_funcname in message rather than
	hardcoding "free".
	(free_of_non_heap::describe_final_event): Likewise.
	(free_of_non_heap::m_funcname): New field.
	(allocation_state::dump_to_pp): New.
	(allocation_state::get_nonnull): New.
	(malloc_state_machine::malloc_state_machine): Update for changes
	to state fields and new api fields.
	(malloc_state_machine::add_state): New.
	(malloc_state_machine::on_stmt): Move malloc/calloc handling to
	on_allocator_call and call it, passing in the API pointer.
	Likewise for free, moving it to on_deallocator_call.  Handle calls
	to operator new and delete in an analogous way.  Use unchecked_p
	when testing for possibly-null-arg and possibly-null-deref, and
	transition to the non-null for the correct API.  Remove redundant
	node param from call to on_zero_assignment.  Use freed_p for
	use-after-free check, and pass in API.
	(malloc_state_machine::on_allocator_call): New, based on code in
	on_stmt.
	(malloc_state_machine::on_deallocator_call): Likewise.
	(malloc_state_machine::on_phi): Mark node param with
	ATTRIBUTE_UNUSED; don't pass it to on_zero_assignment.
	(malloc_state_machine::on_condition): Mark node param with
	ATTRIBUTE_UNUSED.  Replace on_transition calls with get_state and
	set_next_state pairs, transitioning to the non-null state for the
	appropriate API.
	(malloc_state_machine::can_purge_p): Port to new state approach.
	(malloc_state_machine::on_zero_assignment): Replace on_transition
	calls with get_state and set_next_state pairs.  Drop redundant
	node param.
	* sm.h (state_machine::add_custom_state): New.

2020-09-09  David Malcolm  <dmalcolm (a] redhat.com>

	* diagnostic-manager.cc
	(null_assignment_sm_context::warn_for_state): Replace with...
	(null_assignment_sm_context::warn): ...this.
	* engine.cc (impl_sm_context::warn_for_state): Replace with...
	(impl_sm_context::warn): ...this.
	* sm-file.cc (fileptr_state_machine::on_stmt): Replace
	warn_for_state and on_transition calls with a get_state
	test guarding warn and set_next_state calls.
	* sm-malloc.cc (malloc_state_machine::on_stmt): Likewise.
	* sm-pattern-test.cc (pattern_test_state_machine::on_condition):
	Replace warn_for_state call with warn call.
	* sm-sensitive.cc
	(sensitive_state_machine::warn_for_any_exposure): Replace
	warn_for_state call with a get_state test guarding a warn call.
	* sm-signal.cc (signal_state_machine::on_stmt): Likewise.
	* sm-taint.cc (taint_state_machine::on_stmt):  Replace
	warn_for_state and on_transition calls with a get_state
	test guarding warn and set_next_state calls.
	* sm.h (sm_context::warn_for_state): Replace with...
	(sm_context::warn): ...this.

2020-09-09  David Malcolm  <dmalcolm (a] redhat.com>

	* diagnostic-manager.cc
	(null_assignment_sm_context::null_assignment_sm_context): Add old_state
	and ext_state params, initializing m_old_state and m_ext_state.
	(null_assignment_sm_context::on_transition): Split into...
	(null_assignment_sm_context::get_state): ...this new vfunc
	implementation and...
	(null_assignment_sm_context::set_next_state): ...this new vfunc
	implementation.
	(null_assignment_sm_context::m_old_state): New field.
	(null_assignment_sm_context::m_ext_state): New field.
	(diagnostic_manager::add_events_for_eedge): Pass in old state and
	ext_state when creating sm_ctxt.
	* engine.cc (impl_sm_context::on_transition): Split into...
	(impl_sm_context::get_state): ...this new vfunc
	implementation and...
	(impl_sm_context::set_next_state): ...this new vfunc
	implementation.
	* sm.h (sm_context::get_state): New pure virtual function.
	(sm_context::set_next_state): Likewise.
	(sm_context::on_transition): Convert from a pure virtual function
	to a regular function implemented in terms of get_state and
	set_next_state.

2020-09-09  David Malcolm  <dmalcolm (a] redhat.com>

	* checker-path.cc (state_change_event::get_desc): Update
	state_machine::get_state_name calls to state::get_name.
	(warning_event::get_desc): Likewise.
	* diagnostic-manager.cc
	(null_assignment_sm_context::on_transition): Update comparison
	against 0 with comparison with m_sm.get_start_state.
	(diagnostic_manager::prune_for_sm_diagnostic): Update
	state_machine::get_state_name calls to state::get_name.
	* engine.cc (impl_sm_context::on_transition): Likewise.
	(exploded_node::get_dot_fillcolor): Use get_id when summing
	the sm states.
	* program-state.cc (sm_state_map::sm_state_map): Don't hardcode
	0 as the start state when initializing m_global_state.
	(sm_state_map::print): Use dump_to_pp rather than get_state_name
	when dumping states.
	(sm_state_map::is_empty_p): Don't hardcode 0 as the start state
	when examining m_global_state.
	(sm_state_map::hash): Use get_id when hashing states.
	(selftest::test_sm_state_map): Use state objects rather than
	arbitrary hardcoded integers.
	(selftest::test_program_state_merging): Likewise.
	(selftest::test_program_state_merging_2): Likewise.
	* sm-file.cc (fileptr_state_machine::m_start): Move to base class.
	(file_diagnostic::describe_state_change): Use get_start_state.
	(fileptr_state_machine::fileptr_state_machine): Drop m_start
	initialization.
	* sm-malloc.cc (malloc_state_machine::m_start): Move to base
	class.
	(malloc_diagnostic::describe_state_change): Use get_start_state.
	(possible_null::describe_state_change): Likewise.
	(malloc_state_machine::malloc_state_machine): Drop m_start
	initialization.
	* sm-pattern-test.cc (pattern_test_state_machine::m_start): Move
	to base class.
	(pattern_test_state_machine::pattern_test_state_machine): Drop
	m_start initialization.
	* sm-sensitive.cc (sensitive_state_machine::m_start): Move to base
	class.
	(sensitive_state_machine::sensitive_state_machine): Drop m_start
	initialization.
	* sm-signal.cc (signal_state_machine::m_start): Move to base
	class.
	(signal_state_machine::signal_state_machine): Drop m_start
	initialization.
	* sm-taint.cc (taint_state_machine::m_start): Move to base class.
	(taint_state_machine::taint_state_machine): Drop m_start
	initialization.
	* sm.cc (state_machine::state::dump_to_pp): New.
	(state_machine::state_machine): Move here from sm.h.  Initialize
	m_next_state_id and m_start.
	(state_machine::add_state): Reimplement in terms of state objects.
	(state_machine::get_state_name): Delete.
	(state_machine::get_state_by_name): Reimplement in terms of state
	objects.  Make const.
	(state_machine::validate): Delete.
	(state_machine::dump_to_pp): Reimplement in terms of state
	objects.
	* sm.h (state_machine::state): New class.
	(state_machine::state_t): Convert typedef from "unsigned" to
	"const state_machine::state *".
	(state_machine::state_machine): Move to sm.cc.
	(state_machine::get_default_state): Use m_start rather than
	hardcoding 0.
	(state_machine::get_state_name): Delete.
	(state_machine::get_state_by_name): Make const.
	(state_machine::get_start_state): New accessor.
	(state_machine::alloc_state_id): New.
	(state_machine::m_state_names): Drop in favor of...
	(state_machine::m_states): New field
	(state_machine::m_start): New field
	(start_start_p): Delete.

2020-09-08  David Malcolm  <dmalcolm (a] redhat.com>

	PR analyzer/96949
	* store.cc (binding_map::apply_ctor_val_to_range): Add
	error-handling for the cases where we have symbolic offsets.

2020-09-08  David Malcolm  <dmalcolm (a] redhat.com>

	PR analyzer/96950
	* store.cc (binding_map::apply_ctor_to_region): Handle RANGE_EXPR
	where min_index == max_index.
	(binding_map::apply_ctor_val_to_range): Replace assertion that we
	don't have a CONSTRUCTOR value with error-handling.

2020-09-08  David Malcolm  <dmalcolm (a] redhat.com>

	PR analyzer/96962
	* region-model.cc (region_model::on_call_pre): Fix guard on switch
	on built-ins to only consider BUILT_IN_NORMAL, rather than other
	kinds of build-ins.

2020-09-01  David Malcolm  <dmalcolm (a] redhat.com>

	PR analyzer/96792
	* region-model.cc (region_model::deref_rvalue): Add the constraint
	that PTR_SVAL is non-NULL.

2020-08-31  David Malcolm  <dmalcolm (a] redhat.com>

	PR analyzer/96798
	* region-model.cc (region_model::on_call_pre): Handle
	BUILT_IN_MEMSET_CHK.

2020-08-31  David Malcolm  <dmalcolm (a] redhat.com>

	* region-model.cc (region_model::on_call_pre): Gather handling of
	builtins and of internal fns into switch statements.  Handle
	"alloca" and BUILT_IN_ALLOCA_WITH_ALIGN.

2020-08-31  David Malcolm  <dmalcolm (a] redhat.com>

	PR analyzer/96860
	* region.cc (decl_region::get_svalue_for_constructor): Support
	apply_ctor_to_region failing.
	* store.cc (binding_map::apply_ctor_to_region): Add failure
	handling.
	(binding_map::apply_ctor_val_to_range): Likewise.
	(binding_map::apply_ctor_pair_to_child_region): Likewise.  Replace
	assertion that child_base_offset is not symbolic with error
	handling.
	* store.h (binding_map::apply_ctor_to_region): Convert return type
	from void to bool.
	(binding_map::apply_ctor_val_to_range): Likewise.
	(binding_map::apply_ctor_pair_to_child_region): Likewise.

2020-08-31  David Malcolm  <dmalcolm (a] redhat.com>

	PR analyzer/96763
	* store.cc (binding_map::apply_ctor_to_region): Handle RANGE_EXPR
	by calling a new binding_map::apply_ctor_val_to_range subroutine.
	Split out the existing non-CONSTRUCTOR-handling code to a new
	apply_ctor_pair_to_child_region subroutine.
	(binding_map::apply_ctor_val_to_range): New.
	(binding_map::apply_ctor_pair_to_child_region): New, split out
	from binding_map::apply_ctor_to_region as noted above.
	* store.h (binding_map::apply_ctor_val_to_range): New decl.
	(binding_map::apply_ctor_pair_to_child_region): New decl.

2020-08-31  David Malcolm  <dmalcolm (a] redhat.com>

	PR analyzer/96764
	* region-model-manager.cc
	(region_model_manager::maybe_fold_unaryop): Handle VIEW_CONVERT_EXPR.
	(region_model_manager::get_or_create_cast): Move logic for
	real->integer casting to...
	(get_code_for_cast): ...this new function, and add logic for
	real->non-integer casts.
	(region_model_manager::maybe_fold_sub_svalue): Handle
	VIEW_CONVERT_EXPR.
	* region-model.cc
	(region_model::add_any_constraints_from_gassign): Likewise.
	* svalue.cc (svalue::maybe_undo_cast): Likewise.
	(unaryop_svalue::dump_to_pp): Likewise.

2020-08-26  David Malcolm  <dmalcolm (a] redhat.com>

	PR analyzer/94858
	* region-model-manager.cc
	(region_model_manager::get_or_create_widening_svalue): Assert that
	neither of the inputs are themselves widenings.
	* store.cc (store::eval_alias_1): The initial value of a pointer
	can't point to a region that was allocated on the heap after the
	beginning of the path.  A widened pointer value can't alias anything
	that the initial pointer value can't alias.
	* svalue.cc (svalue::can_merge_p): Merge BINOP (X, OP, CST) with X
	to a widening svalue.  Merge
	BINOP(WIDENING(BASE, BINOP(BASE, X)), X) and BINOP(BASE, X) to
	to the LHS of the first BINOP.

2020-08-26  David Malcolm  <dmalcolm (a] redhat.com>

	PR analyzer/96777
	* region-model.h (class compound_svalue): Document that all keys
	must be concrete.
	(compound_svalue::compound_svalue): Move definition to svalue.cc.
	* store.cc (binding_map::apply_ctor_to_region): Handle
	initializers for trailing arrays with incomplete size.
	* svalue.cc (compound_svalue::compound_svalue): Move definition
	here from region-model.h.  Add assertion that all keys are
	concrete.

2020-08-22  David Malcolm  <dmalcolm (a] redhat.com>

	PR analyzer/94851
	* region-model-manager.cc
	(region_model_manager::maybe_fold_binop): Fold bitwise "& 0" to 0.

2020-08-22  David Malcolm  <dmalcolm (a] redhat.com>

	* store.cc (store::eval_alias): Make const.  Split out 2nd half
	into store::eval_alias_1 and call it twice for symmetry, avoiding
	test duplication.
	(store::eval_alias_1): New function, split out from the above.
	* store.h (store::eval_alias): Make const.
	(store::eval_alias_1): New decl.

2020-08-22  David Malcolm  <dmalcolm (a] redhat.com>

	* region-model.cc (region_model::push_frame): Bind the default
	SSA name for each parm if it exists, falling back to the parm
	itself otherwise, rather than doing both.

2020-08-20  David Malcolm  <dmalcolm (a] redhat.com>

	PR analyzer/96723
	* region-model-manager.cc
	(region_model_manager::get_field_region): Assert that field is a
	FIELD_DECL.
	* region.cc (region::get_subregions_for_binding): In
	union-handling, filter the TYPE_FIELDS traversal to just FIELD_DECLs.

2020-08-20  David Malcolm  <dmalcolm (a] redhat.com>

	PR analyzer/96713
	* region-model.cc (region_model::get_gassign_result): For
	comparisons, only use eval_condition when the lhs has boolean
	type, and use get_or_create_constant_svalue on the boolean
	constants directly rather than via get_rvalue.

2020-08-19  David Malcolm  <dmalcolm (a] redhat.com>

	PR analyzer/96643
	* region-model.cc (region_model::deref_rvalue): Rather than
	attempting to handle all svalue kinds in the switch, only cover
	the special cases, and move symbolic-region handling to after
	the switch, thus implicitly handling the missing case SK_COMPOUND.

2020-08-19  David Malcolm  <dmalcolm (a] redhat.com>

	PR analyzer/96705
	* region-model-manager.cc
	(region_model_manager::maybe_fold_binop): Check that we have an
	integral type before calling build_int_cst.

2020-08-19  David Malcolm  <dmalcolm (a] redhat.com>

	PR analyzer/96699
	* region-model-manager.cc
	(region_model_manager::get_or_create_cast): Use FIX_TRUNC_EXPR for
	casting from REAL_TYPE to INTEGER_TYPE.

2020-08-19  David Malcolm  <dmalcolm (a] redhat.com>

	PR analyzer/96651
	* region-model.cc (region_model::called_from_main_p): New.
	(region_model::get_store_value): Move handling for globals into...
	(region_model::get_initial_value_for_global): ...this new
	function, and add logic for extracting values from decl
	initializers.
	* region-model.h (decl_region::get_svalue_for_constructor): New
	decl.
	(decl_region::get_svalue_for_initializer): New decl.
	(region_model::called_from_main_p): New decl.
	(region_model::get_initial_value_for_global): New.
	* region.cc (decl_region::maybe_get_constant_value): Move logic
	for getting an svalue from a CONSTRUCTOR node to...
	(decl_region::get_svalue_for_constructor): ...this new function.
	(decl_region::get_svalue_for_initializer): New.
	* store.cc (get_svalue_for_ctor_val): Rewrite in terms of
	region_model::get_rvalue.
	* store.h (binding_cluster::get_map): New accessor.

2020-08-19  David Malcolm  <dmalcolm (a] redhat.com>

	PR analyzer/96648
	* region.cc (get_field_at_bit_offset): Gracefully handle negative
	values for bit_offset.

2020-08-18  David Malcolm  <dmalcolm (a] redhat.com>

	* region-model.cc (region_model::get_rvalue_1): Fix name of local.

2020-08-18  David Malcolm  <dmalcolm (a] redhat.com>

	PR analyzer/96641
	* region-model.cc (region_model::get_rvalue_1): Handle
	unrecognized tree codes by returning "UNKNOWN.

2020-08-18  David Malcolm  <dmalcolm (a] redhat.com>

	PR analyzer/96640
	* region-model.cc (region_model::get_gassign_result): Handle various
	VEC_* tree codes by returning UNKNOWN.
	(region_model::on_assignment): Handle unrecognized tree codes by
	setting lhs to an unknown value, rather than issuing a "sorry" and
	asserting.

2020-08-17  David Malcolm  <dmalcolm (a] redhat.com>

	PR analyzer/96644
	* region-model-manager.cc (get_region_for_unexpected_tree_code):
	Handle ctxt being NULL.

2020-08-17  David Malcolm  <dmalcolm (a] redhat.com>

	PR analyzer/96639
	* region.cc (region::get_subregions_for_binding): Check for "type"
	being NULL.

2020-08-17  David Malcolm  <dmalcolm (a] redhat.com>

	PR analyzer/96642
	* store.cc (get_svalue_for_ctor_val): New.
	(binding_map::apply_ctor_to_region): Call it.

2020-08-14  David Malcolm  <dmalcolm (a] redhat.com>

	PR testsuite/96609
	PR analyzer/96616
	* region-model.cc (region_model::get_store_value): Call
	maybe_get_constant_value on decl_regions first.
	* region-model.h (decl_region::maybe_get_constant_value): New decl.
	* region.cc (decl_region::get_stack_depth): Likewise.
	(decl_region::maybe_get_constant_value): New.
	* store.cc (get_subregion_within_ctor): New.
	(binding_map::apply_ctor_to_region): New.
	* store.h (binding_map::apply_ctor_to_region): New decl.

2020-08-14  David Malcolm  <dmalcolm (a] redhat.com>

	PR analyzer/96611
	* store.cc (store::mark_as_escaped): Reject attempts to
	get a cluster for an unknown pointer.

2020-08-13  David Malcolm  <dmalcolm (a] redhat.com>

	PR analyzer/93032
	PR analyzer/93938
	PR analyzer/94011
	PR analyzer/94099
	PR analyzer/94399
	PR analyzer/94458
	PR analyzer/94503
	PR analyzer/94640
	PR analyzer/94688
	PR analyzer/94689
	PR analyzer/94839
	PR analyzer/95026
	PR analyzer/95042
	PR analyzer/95240
	* analyzer-logging.cc: Ignore "-Wformat-diag".
	(logger::enter_scope): Use inc_indent in both overloads.
	(logger::exit_scope): Use dec_indent.
	* analyzer-logging.h (logger::inc_indent): New.
	(logger::dec_indent): New.
	* analyzer-selftests.cc (run_analyzer_selftests): Call
	analyzer_store_cc_tests.
	* analyzer-selftests.h (analyzer_store_cc_tests): New decl.
	* analyzer.cc (get_stmt_location): New function.
	* analyzer.h (class initial_svalue): New forward decl.
	(class unaryop_svalue): New forward decl.
	(class binop_svalue): New forward decl.
	(class sub_svalue): New forward decl.
	(class unmergeable_svalue): New forward decl.
	(class placeholder_svalue): New forward decl.
	(class widening_svalue): New forward decl.
	(class compound_svalue): New forward decl.
	(class conjured_svalue): New forward decl.
	(svalue_set): New typedef.
	(class map_region): Delete.
	(class array_region): Delete.
	(class frame_region): New forward decl.
	(class function_region): New forward decl.
	(class label_region): New forward decl.
	(class decl_region): New forward decl.
	(class element_region): New forward decl.
	(class offset_region): New forward decl.
	(class cast_region): New forward decl.
	(class field_region): New forward decl.
	(class string_region): New forward decl.
	(class region_model_manager): New forward decl.
	(class store_manager): New forward decl.
	(class store): New forward decl.
	(class call_details): New forward decl.
	(struct svalue_id_merger_mapping): Delete.
	(struct canonicalization): Delete.
	(class function_point): New forward decl.
	(class engine): New forward decl.
	(dump_tree): New function decl.
	(print_quoted_type): New function decl.
	(readability_comparator): New function decl.
	(tree_cmp): New function decl.
	(class path_var): Move here from region-model.h
	(bit_offset_t, bit_size_t, byte_size_t): New typedefs.
	(class region_offset): New class.
	(get_stmt_location): New decl.
	(struct member_function_hash_traits): New struct.
	(class consolidation_map): New class.
	Ignore "-Wformat-diag".
	* analyzer.opt (-param=analyzer-max-svalue-depth=): New param.
	(-param=analyzer-max-enodes-for-full-dump=): New param.
	* call-string.cc: Ignore -Wformat-diag.
	* checker-path.cc: Move includes of "analyzer/call-string.h" and
	"analyzer/program-point.h" to before "analyzer/region-model.h",
	and also include "analyzer/store.h" before it.
	(state_change_event::state_change_event): Replace "tree var" param
	with "const svalue *sval".  Convert "origin" param from tree to
	"const svalue *".
	(state_change_event::get_desc): Call get_representative_tree to
	convert the var and origin from const svalue * to tree.  Use
	svalue::get_desc rather than %qE when describing state changes.
	(checker_path::add_final_event): Use get_stmt_location.
	* checker-path.h (state_change_event::state_change_event): Port
	from tree to const svalue *.
	(state_change_event::get_lvalue): Delete.
	(state_change_event::get_dest_function): New.
	(state_change_event::m_var): Replace with...
	(state_change_event::m_sval): ...this.
	(state_change_event::m_origin): Convert from tree to
	const svalue *.
	* constraint-manager.cc: Include "analyzer/call-string.h",
	"analyzer/program-point.h", and "analyzer/store.h" before
	"analyzer/region-model.h".
	(struct bound, struct range): Move to constraint-manager.h.
	(compare_constants): New function.
	(range::dump): Rename to...
	(range::dump_to_pp): ...this.  Support NULL constants.
	(range::dump): Reintroduce for dumping to stderr.
	(range::constrained_to_single_element): Return result, rather than
	writing to *OUT.
	(range::eval_condition): New.
	(range::below_lower_bound): New.
	(range::above_upper_bound): New.
	(equiv_class::equiv_class): Port from svalue_id to const svalue *.
	(equiv_class::print): Likewise.
	(equiv_class::hash): Likewise.
	(equiv_class::operator==): Port from svalue_id to const svalue *.
	(equiv_class::add): Port from svalue_id to const svalue *. Drop
	"cm" param.
	(equiv_class::del): Port from svalue_id to const svalue *.
	(equiv_class::get_representative): Likewise.
	(equiv_class::remap_svalue_ids): Delete.
	(svalue_id_cmp_by_id): Rename to...
	(svalue_cmp_by_ptr): ...this, porting from svalue_id to
	const svalue *.
	(equiv_class::canonicalize): Update qsort comparator.
	(constraint::implied_by): New.
	(constraint_manager::constraint_manager): Copy m_mgr in copy ctor.
	(constraint_manager::dump_to_pp): Add "multiline" param
	(constraint_manager::dump): Pass "true" for "multiline".
	(constraint_manager::add_constraint): Port from svalue_id to
	const svalue *.  Split out second part into...
	(constraint_manager::add_unknown_constraint): ...this new
	function.  Remove self-constraints when merging equivalence
	classes.
	(constraint_manager::add_constraint_internal): Remove constraints
	that would be implied by the new constraint.  Port from svalue_id
	to const svalue *.
	(constraint_manager::get_equiv_class_by_sid): Rename to...
	(constraint_manager::get_equiv_class_by_svalue): ...this, porting
	from svalue_id to const svalue *.
	(constraint_manager::get_or_add_equiv_class): Port from svalue_id
	to const svalue *.
	(constraint_manager::eval_condition): Make const.  Call
	compare_constants and return early if it provides a known result.
	(constraint_manager::get_ec_bounds): New.
	(constraint_manager::eval_condition): New overloads.  Make
	existing one const, and use compare_constants.
	(constraint_manager::purge): Convert "p" param to a template
	rather that an abstract base class.  Port from svalue_id to
	const svalue *.
	(class dead_svalue_purger): New class.
	(constraint_manager::remap_svalue_ids): Delete.
	(constraint_manager::on_liveness_change): New.
	(equiv_class_cmp): Port from svalue_id to const svalue *.
	(constraint_manager::canonicalize): Likewise.  Combine with
	purging of redundant equivalence classes and constraints.
	(class cleaned_constraint_manager): Delete.
	(class merger_fact_visitor): Make "m_cm_b" const.  Add "m_merger"
	field.
	(merger_fact_visitor::fact): Port from svalue_id to const svalue *.
	Add special case for widening.
	(constraint_manager::merge): Port from svalue_id to const svalue *.
	(constraint_manager::clean_merger_input): Delete.
	(constraint_manager::for_each_fact): Port from svalue_id to
	const svalue *.
	(constraint_manager::validate): Likewise.
	(selftest::test_constraint_conditions): Provide a
	region_model_manager when creating region_model instances.
	Add test for self-equality not creating equivalence classes.
	(selftest::test_transitivity): Provide a region_model_manager when
	creating region_model instances.  Verify that EC-merging happens
	when constraints are implied.
	(selftest::test_constant_comparisons):  Provide a
	region_model_manager when creating region_model instances.
	(selftest::test_constraint_impl): Likewise.  Remove over-specified
	assertions.
	(selftest::test_equality): Provide a region_model_manager when
	creating region_model instances.
	(selftest::test_many_constants): Likewise.  Provide a
	program_point when testing merging.
	(selftest::run_constraint_manager_tests): Move call to
	test_constant_comparisons to outside the transitivity guard.
	* constraint-manager.h (struct bound): Move here from
	constraint-manager.cc.
	(struct range): Likewise.
	(struct::eval_condition): New decl.
	(struct::below_lower_bound): New decl.
	(struct::above_upper_bound): New decl.
	(equiv_class::add): Port from svalue_id to const svalue *.
	(equiv_class::del): Likewise.
	(equiv_class::get_representative): Likewise.
	(equiv_class::remap_svalue_ids): Drop.
	(equiv_class::m_cst_sid): Convert to..
	(equiv_class::m_cst_sval): ...this.
	(equiv_class::m_vars): Port from svalue_id to const svalue *.
	(constraint::bool implied_by): New decl.
	(fact_visitor::on_fact): Port from svalue_id to const svalue *.
	(constraint_manager::constraint_manager): Add mgr param.
	(constraint_manager::clone): Delete.
	(constraint_manager::maybe_get_constant): Delete.
	(constraint_manager::get_sid_for_constant): Delete.
	(constraint_manager::get_num_svalues): Delete.
	(constraint_manager::dump_to_pp): Add "multiline" param.
	(constraint_manager::get_equiv_class): Port from svalue_id to
	const svalue *.
	(constraint_manager::add_constraint):  Likewise.
	(constraint_manager::get_equiv_class_by_sid): Rename to...
	(constraint_manager::get_equiv_class_by_svalue): ...this, porting
	from svalue_id to const svalue *.
	(constraint_manager::add_unknown_constraint): New decl.
	(constraint_manager::get_or_add_equiv_class): Port from svalue_id
	to const svalue *.
	(constraint_manager::eval_condition): Likewise.  Add overloads.
	(constraint_manager::get_ec_bounds): New decl.
	(constraint_manager::purge): Convert to template.
	(constraint_manager::remap_svalue_ids): Delete.
	(constraint_manager::on_liveness_change): New decl.
	(constraint_manager::canonicalize): Drop param.
	(constraint_manager::clean_merger_input): Delete.
	(constraint_manager::m_mgr): New field.
	* diagnostic-manager.cc: Move includes of
	"analyzer/call-string.h" and "analyzer/program-point.h" to before
	"analyzer/region-model.h", and also include "analyzer/store.h"
	before it.
	(saved_diagnostic::saved_diagnostic): Add "sval" param.
	(diagnostic_manager::diagnostic_manager): Add engine param.
	(diagnostic_manager::add_diagnostic): Add "sval" param, passing it
	to saved_diagnostic ctor.  Update overload to pass NULL for it.
	(dedupe_winners::dedupe_winners): Add engine param.
	(dedupe_winners::add): Add "eg" param.  Pass m_engine to
	feasible_p.
	(dedupe_winner::m_engine): New field.
	(diagnostic_manager::emit_saved_diagnostics): Pass engine to
	dedupe_winners.  Pass &eg when adding candidates.  Pass svalue
	rather than tree to prune_path.  Use get_stmt_location to get
	primary location of diagnostic.
	(diagnostic_manager::emit_saved_diagnostic): Likewise.
	(get_any_origin): Drop.
	(state_change_event_creator::on_global_state_change): Pass NULL
	const svalue * rather than NULL_TREE trees to state_change_event
	ctor.
	(state_change_event_creator::on_state_change): Port from tree and
	svalue_id to const svalue *.
	(for_each_state_change): Port from svalue_id to const svalue *.
	(struct null_assignment_sm_context): New.
	(diagnostic_manager::add_events_for_eedge):  Add state change
	events for assignment to NULL.
	(diagnostic_manager::prune_path): Update param from tree to
	const svalue *.
	(diagnostic_manager::prune_for_sm_diagnostic): Port from tracking
	by tree to by const svalue *.
	* diagnostic-manager.h (saved_diagnostic::saved_diagnostic): Add sval
	param.
	(saved_diagnostic::m_sval): New field.
	(diagnostic_manager::diagnostic_manager): Add engine param.
	(diagnostic_manager::get_engine): New.
	(diagnostic_manager::add_diagnostic): Add "sval" param.
	(diagnostic_manager::prune_path): Likewise.
	(diagnostic_manager::prune_for_sm_diagnostic): New overload.
	(diagnostic_manager::m_eng): New field.
	* engine.cc: Move includes of "analyzer/call-string.h" and
	"analyzer/program-point.h" to before "analyzer/region-model.h",
	and also include "analyzer/store.h" before it.
	(impl_region_model_context::impl_region_model_context): Update for
	removal of m_change field.
	(impl_region_model_context::remap_svalue_ids): Delete.
	(impl_region_model_context::on_svalue_leak): New.
	(impl_region_model_context::on_svalue_purge): Delete.
	(impl_region_model_context::on_liveness_change): New.
	(impl_region_model_context::on_unknown_change): Update param
	from svalue_id to const svalue *.  Add is_mutable param.
	(setjmp_svalue::compare_fields): Delete.
	(setjmp_svalue::accept): New.
	(setjmp_svalue::add_to_hash): Delete.
	(setjmp_svalue::dump_to_pp): New.
	(setjmp_svalue::print_details): Delete.
	(impl_sm_context::impl_sm_context): Drop "change" param.
	(impl_sm_context::get_fndecl_for_call): Drop "m_change".
	(impl_sm_context::on_transition): Drop ATTRIBUTE_UNUSED from
	"stmt" param.  Drop m_change.  Port from svalue_id to
	const svalue *.
	(impl_sm_context::warn_for_state): Drop m_change.  Port from
	svalue_id to const svalue *.
	(impl_sm_context::get_readable_tree): Rename to...
	(impl_sm_context::get_diagnostic_tree): ...this.  Port from
	svalue_id to const svalue *.
	(impl_sm_context::is_zero_assignment): New.
	(impl_sm_context::m_change): Delete field.
	(leak_stmt_finder::find_stmt): Handle m_var being NULL.
	(readability):  Increase penalty for MEM_REF.  For SSA_NAMEs,
	slightly favor the underlying var over the SSA name.  Heavily
	penalize temporaries.  Handle RESULT_DECL.
	(readability_comparator): Make non-static.  Consider stack depths.
	(impl_region_model_context::on_state_leak): Convert from svalue_id
	to const svalue *, updating for region_model changes.  Use
	id_equal.
	(impl_region_model_context::on_inherited_svalue): Delete.
	(impl_region_model_context::on_cast): Delete.
	(impl_region_model_context::on_condition):  Drop m_change.
	(impl_region_model_context::on_phi): Likewise.
	(impl_region_model_context::on_unexpected_tree_code): Handle t
	being NULL.
	(point_and_state::validate): Update stack checking for
	region_model changes.
	(eg_traits::dump_args_t::show_enode_details_p): New.
	(exploded_node::exploded_node): Initialize m_num_processed_stmts.
	(exploded_node::get_processed_stmt): New function.
	(exploded_node::get_dot_fillcolor): Add more colors.
	(exploded_node::dump_dot): Guard the printing of the point and
	state with show_enode_details_p.  Print the processed stmts for
	this enode after the initial state.
	(exploded_node::dump_to_pp): Pass true for new multiline param
	of program_state::dump_to_pp.
	(exploded_node::on_stmt): Drop "change" param.  Log the stmt.
	Set input_location.  Implement __analyzer_describe.  Update
	implementation of __analyzer_dump and __analyzer_eval.
	Remove purging of sm-state for unknown fncalls from here.
	(exploded_node::on_edge): Drop "change" param.
	(exploded_node::on_longjmp): Port from region_id/svalue_id to
	const region */const svalue *.  Call program_state::detect_leaks.
	Drop state_change.
	(exploded_node::detect_leaks): Update for changes to region_model.
	Call program_state::detect_leaks.
	(exploded_edge::exploded_edge): Drop ext_state and change params.
	(exploded_edge::dump_dot): "args" is no longer used.  Drop dumping
	of m_change.
	(exploded_graph::exploded_graph): Pass engine to
	m_diagnostic_manager ctor.  Use program_point::origin.
	(exploded_graph::add_function_entry):  Drop ctxt.  Use
	program_state::push_frame.  Drop state_change.
	(exploded_graph::get_or_create_node): Drop "change" param.  Add
	"enode_for_diag" param.  Update dumping calls for API changes.
	Pass point to can_merge_with_p.  Show enode indices
	within -Wanalyzer-too-complex diagnostic for hitting the per-point
	limit.
	(exploded_graph::add_edge): Drop "change" param.  Log which nodes
	are being connected.  Update for changes to exploded_edge ctor.
	(exploded_graph::get_per_program_point_data): New.
	(exploded_graph::process_worklist): Pass point to
	can_merge_with_p.  Drop state_change.  Update dumping call for API
	change.
	(exploded_graph::process_node):  Drop state_change.  Split the
	node in-place if an sm-state-change occurs.  Update
	m_num_processed_stmts.  Update dumping calls for API change.
	(exploded_graph::log_stats): Call engine::log_stats.
	(exploded_graph::dump_states_for_supernode): Update dumping
	call.
	(exploded_path::feasible_p): Add "eng" and "eg" params.
	Rename "i" to "end_idx".  Pass the manager to the region_model
	ctor.  Update for every processed stmt in the enode, not just the
	first.  Keep track of which snodes have been visited, and call
	loop_replay_fixup when revisiting one.
	(enode_label::get_text): Update dump call for new param.
	(exploded_graph::dump_exploded_nodes): Likewise.
	(exploded_graph::get_node_by_index): New.
	(impl_run_checkers): Create engine instance and pass its address
	to extrinsic_state ctor.
	* exploded-graph.h
	(impl_region_model_context::impl_region_model_context): Drop
	"change" params.
	(impl_region_model_context::void remap_svalue_ids): Delete.
	(impl_region_model_context::on_svalue_purge): Delete.
	(impl_region_model_context::on_svalue_leak): New.
	(impl_region_model_context::on_liveness_change): New.
	(impl_region_model_context::on_state_leak): Update signature.
	(impl_region_model_context::on_inherited_svalue): Delete.
	(impl_region_model_context::on_cast): Delete.
	(impl_region_model_context::on_unknown_change): Update signature.
	(impl_region_model_context::m_change): Delete.
	(eg_traits::dump_args_t::show_enode_details_p): New.
	(exploded_node::on_stmt): Drop "change" param.
	(exploded_node::on_edge): Likewise.
	(exploded_node::get_processed_stmt): New decl.
	(exploded_node::m_num_processed_stmts): New field.
	(exploded_edge::exploded_edge): Drop ext_state and change params.
	(exploded_edge::m_change): Delete.
	(exploded_graph::get_engine): New accessor.
	(exploded_graph::get_or_create_node): Drop "change" param.  Add
	"enode_for_diag" param.
	(exploded_graph::add_edge): Drop "change" param.
	(exploded_graph::get_per_program_point_data): New decl.
	(exploded_graph::get_node_by_index): New decl.
	(exploded_path::feasible_p): Add "eng" and "eg" params.
	* program-point.cc: Include "analyzer/store.h" before including
	"analyzer/region-model.h".
	(function_point::function_point): Move here from
	program-point.h.
	(function_point::get_function): Likewise.
	(function_point::from_function_entry): Likewise.
	(function_point::before_supernode): Likewise.
	(function_point::next_stmt): New function.
	* program-point.h (function_point::function_point): Move
	implementation from here to program-point.cc.
	(function_point::get_function): Likewise.
	(function_point::from_function_entry): Likewise.
	(function_point::before_supernode): Likewise.
	(function_point::next_stmt): New decl.
	(program_point::operator!=): New.
	(program_point::origin): New.
	(program_point::next_stmt): New.
	(program_point::m_function_point): Make non-const.
	* program-state.cc: Move includes of "analyzer/call-string.h" and
	"analyzer/program-point.h" to before "analyzer/region-model.h",
	and also include "analyzer/store.h" before it.
	(extrinsic_state::get_model_manager): New.
	(sm_state_map::sm_state_map): Pass in sm and sm_idx to ctor,
	rather than pass the around.
	(sm_state_map::clone_with_remapping): Delete.
	(sm_state_map::print): Remove "sm" param in favor of "m_sm".  Add
	"simple" and "multiline" params and support multiline vs single
	line dumping.
	(sm_state_map::dump): Remove "sm" param in favor of "m_sm".  Add
	"simple" param.
	(sm_state_map::hash): Port from svalue_id to const svalue *.
	(sm_state_map::operator==): Likewise.
	(sm_state_map::get_state): Likewise.  Call canonicalize_svalue on
	input.  Handle inheritance of sm-state.  Call get_default_state.
	(sm_state_map::get_origin): Port from svalue_id to const svalue *.
	(sm_state_map::set_state): Likewise.  Pass in ext_state.  Reject
	attempts to set state on UNKNOWN.
	(sm_state_map::impl_set_state): Port from svalue_id to
	const svalue *.  Pass in ext_state.  Call canonicalize_svalue on
	input.
	(sm_state_map::purge_for_unknown_fncall): Delete.
	(sm_state_map::on_svalue_leak): New.
	(sm_state_map::remap_svalue_ids): Delete.
	(sm_state_map::on_liveness_change): New.
	(sm_state_map::on_unknown_change): Reimplement.
	(sm_state_map::on_svalue_purge): Delete.
	(sm_state_map::on_inherited_svalue): Delete.
	(sm_state_map::on_cast): Delete.
	(sm_state_map::validate): Delete.
	(sm_state_map::canonicalize_svalue): New.
	(program_state::program_state): Update to pass manager to
	region_model's ctor.  Constify num_states and pass state machine
	and index to sm_state_map ctor.
	(program_state::print): Update for changes to dump API.
	(program_state::dump_to_pp): Ignore the summarize param.  Add
	"multiline" param.
	(program_state::dump_to_file): Add "multiline" param.
	(program_state::dump): Pass "true" for new "multiline" param.
	(program_state::push_frame): New.
	(program_state::on_edge): Drop "change" param.  Call
	program_state::detect_leaks.
	(program_state::prune_for_point): Add enode_for_diag param.
	Reimplement based on store class.  Call detect_leaks
	(program_state::remap_svalue_ids): Delete.
	(program_state::get_representative_tree): Port from svalue_id to
	const svalue *.
	(program_state::can_merge_with_p): Add "point" param.  Add early
	reject for sm-differences.  Drop id remapping.
	(program_state::validate): Drop region model and sm_state_map
	validation.
	(state_change::sm_change::dump): Delete.
	(state_change::sm_change::remap_svalue_ids): Delete.
	(state_change::sm_change::on_svalue_purge): Delete.
	(log_set_of_svalues): New.
	(state_change::sm_change::validate): Delete.
	(state_change::state_change): Delete.
	(state_change::add_sm_change): Delete.
	(state_change::affects_p): Delete.
	(state_change::dump): Delete.
	(state_change::remap_svalue_ids): Delete.
	(state_change::on_svalue_purge): Delete.
	(state_change::validate): Delete.
	(selftest::assert_dump_eq): Delete.
	(ASSERT_DUMP_EQ): Delete.
	(selftest::test_sm_state_map): Update for changes to region_model
	and sm_state_map, porting from svalue_id to const svalue *.
	(selftest::test_program_state_dumping): Likewise.  Drop test of
	dumping, renaming to...
	(selftest::test_program_state_1): ...this.
	(selftest::test_program_state_dumping_2): Likewise, renaming to...
	(selftest::test_program_state_2): ...this.
	(selftest::test_program_state_merging): Update for changes to
	region_model.
	(selftest::test_program_state_merging_2): Likewise.
	(selftest::analyzer_program_state_cc_tests): Update for renamed
	tests.
	* program-state.h (extrinsic_state::extrinsic_state): Add logger
	and engine params.
	(extrinsic_state::get_logger): New accessor.
	(extrinsic_state::get_engine): New accessor.
	(extrinsic_state::get_model_manager): New accessor.
	(extrinsic_state::m_logger): New field.
	(extrinsic_state::m_engine): New field.
	(struct default_hash_traits<svalue_id>): Delete.
	(pod_hash_traits<svalue_id>::hash): Delete.
	(pod_hash_traits<svalue_id>::equal): Delete.
	(pod_hash_traits<svalue_id>::mark_deleted): Delete.
	(pod_hash_traits<svalue_id>::mark_empty): Delete.
	(pod_hash_traits<svalue_id>::is_deleted): Delete.
	(pod_hash_traits<svalue_id>::is_empty): Delete.
	(sm_state_map::entry_t::entry_t): Port from svalue_id to
	const svalue *.
	(sm_state_map::entry_t::m_origin): Likewise.
	(sm_state_map::map_t): Likewise.
	(sm_state_map::sm_state_map): Add state_machine and index params.
	(sm_state_map::clone_with_remapping): Delete.
	(sm_state_map::print):  Drop sm param; add simple and multiline
	params.
	(sm_state_map::dump): Drop sm param; add simple param.
	(sm_state_map::get_state): Port from svalue_id to const svalue *.
	Add ext_state param.
	(sm_state_map::get_origin): Likewise.
	(sm_state_map::set_state): Likewise.
	(sm_state_map::impl_set_state): Likewise.
	(sm_state_map::purge_for_unknown_fncall): Delete.
	(sm_state_map::remap_svalue_ids): Delete.
	(sm_state_map::on_svalue_purge): Delete.
	(sm_state_map::on_svalue_leak): New.
	(sm_state_map::on_liveness_change): New.
	(sm_state_map::on_inherited_svalue): Delete.
	(sm_state_map::on_cast): Delete.
	(sm_state_map::validate): Delete.
	(sm_state_map::on_unknown_change): Port from svalue_id to
	const svalue *.  Add is_mutable and ext_state params.
	(sm_state_map::canonicalize_svalue): New.
	(sm_state_map::m_sm): New field.
	(sm_state_map::m_sm_idx): New field.
	(program_state::operator=): Delete.
	(program_state::dump_to_pp): Drop "summarize" param, adding
	"simple" and "multiline".
	(program_state::dump_to_file): Likewise.
	(program_state::dump): Rename "summarize" to "simple".
	(program_state::push_frame): New.
	(program_state::get_current_function): New.
	(program_state::on_edge): Drop "change" param.
	(program_state::prune_for_point): Likewise.  Add enode_for_diag
	param.
	(program_state::remap_svalue_ids): Delete.
	(program_state::get_representative_tree): Port from svalue_id to
	const svalue *.
	(program_state::can_purge_p): Likewise.  Pass ext_state to get_state.
	(program_state::can_merge_with_p): Add point param.
	(program_state::detect_leaks): New.
	(state_change_visitor::on_state_change): Port from tree and
	svalue_id to a pair of const svalue *.
	(class state_change): Delete.
	* region.cc: New file.
	* region-model-impl-calls.cc: New file.
	* region-model-manager.cc: New file.
	* region-model-reachability.cc: New file.
	* region-model-reachability.h: New file.
	* region-model.cc: Include "analyzer/call-string.h",
	"analyzer/program-point.h", and "analyzer/store.h" before
	"analyzer/region-model.h".  Include
	"analyzer/region-model-reachability.h".
	(dump_tree): Make non-static.
	(dump_quoted_tree): Make non-static.
	(print_quoted_type): Make non-static.
	(path_var::dump): Delete.
	(dump_separator): Delete.
	(class impl_constraint_manager): Delete.
	(svalue_id::print): Delete.
	(svalue_id::dump_node_name_to_pp): Delete.
	(svalue_id::validate): Delete.
	(region_id::print): Delete.
	(region_id::dump_node_name_to_pp): Delete.
	(region_id::validate): Delete.
	(region_id_set::region_id_set): Delete.
	(svalue_id_set::svalue_id_set): Delete.
	(svalue::operator==): Delete.
	(svalue::hash): Delete.
	(svalue::print): Delete.
	(svalue::dump_dot_to_pp): Delete.
	(svalue::remap_region_ids): Delete.
	(svalue::walk_for_canonicalization): Delete.
	(svalue::get_child_sid): Delete.
	(svalue::maybe_get_constant): Delete.
	(region_svalue::compare_fields): Delete.
	(region_svalue::add_to_hash): Delete.
	(region_svalue::print_details): Delete.
	(region_svalue::dump_dot_to_pp): Delete.
	(region_svalue::remap_region_ids): Delete.
	(region_svalue::merge_values): Delete.
	(region_svalue::walk_for_canonicalization): Delete.
	(region_svalue::eval_condition): Delete.
	(constant_svalue::compare_fields): Delete.
	(constant_svalue::add_to_hash): Delete.
	(constant_svalue::merge_values): Delete.
	(constant_svalue::eval_condition): Move to svalue.cc.
	(constant_svalue::print_details): Delete.
	(constant_svalue::get_child_sid): Delete.
	(unknown_svalue::compare_fields): Delete.
	(unknown_svalue::add_to_hash): Delete.
	(unknown_svalue::print_details): Delete.
	(poison_kind_to_str): Move to svalue.cc.
	(poisoned_svalue::compare_fields): Delete.
	(poisoned_svalue::add_to_hash): Delete.
	(poisoned_svalue::print_details): Delete.
	(region_kind_to_str): Move to region.cc and reimplement.
	(region::operator==): Delete.
	(region::get_parent_region): Delete.
	(region::set_value): Delete.
	(region::become_active_view): Delete.
	(region::deactivate_any_active_view): Delete.
	(region::deactivate_view): Delete.
	(region::get_value): Delete.
	(region::get_inherited_child_sid): Delete.
	(region_model::copy_region): Delete.
	(region_model::copy_struct_region): Delete.
	(region_model::copy_union_region): Delete.
	(region_model::copy_array_region): Delete.
	(region::hash): Delete.
	(region::print): Delete.
	(region::dump_dot_to_pp): Delete.
	(region::dump_to_pp): Delete.
	(region::dump_child_label): Delete.
	(region::validate): Delete.
	(region::remap_svalue_ids): Delete.
	(region::remap_region_ids): Delete.
	(region::add_view): Delete.
	(region::get_view): Delete.
	(region::region): Move to region.cc.
	(region::add_to_hash): Delete.
	(region::print_fields): Delete.
	(region::non_null_p): Delete.
	(primitive_region::clone): Delete.
	(primitive_region::walk_for_canonicalization): Delete.
	(map_region::map_region): Delete.
	(map_region::compare_fields): Delete.
	(map_region::print_fields): Delete.
	(map_region::validate): Delete.
	(map_region::dump_dot_to_pp): Delete.
	(map_region::dump_child_label): Delete.
	(map_region::get_or_create): Delete.
	(map_region::get): Delete.
	(map_region::add_to_hash): Delete.
	(map_region::remap_region_ids): Delete.
	(map_region::unbind): Delete.
	(map_region::get_tree_for_child_region): Delete.
	(map_region::get_tree_for_child_region): Delete.
	(tree_cmp): Move to region.cc.
	(map_region::can_merge_p): Delete.
	(map_region::walk_for_canonicalization): Delete.
	(map_region::get_value_by_name): Delete.
	(struct_or_union_region::valid_key_p): Delete.
	(struct_or_union_region::compare_fields): Delete.
	(struct_region::clone): Delete.
	(struct_region::compare_fields): Delete.
	(union_region::clone): Delete.
	(union_region::compare_fields): Delete.
	(frame_region::compare_fields): Delete.
	(frame_region::clone): Delete.
	(frame_region::valid_key_p): Delete.
	(frame_region::print_fields): Delete.
	(frame_region::add_to_hash): Delete.
	(globals_region::compare_fields): Delete.
	(globals_region::clone): Delete.
	(globals_region::valid_key_p): Delete.
	(code_region::compare_fields): Delete.
	(code_region::clone): Delete.
	(code_region::valid_key_p): Delete.
	(array_region::array_region): Delete.
	(array_region::get_element): Delete.
	(array_region::clone): Delete.
	(array_region::compare_fields): Delete.
	(array_region::print_fields): Delete.
	(array_region::validate): Delete.
	(array_region::dump_dot_to_pp): Delete.
	(array_region::dump_child_label): Delete.
	(array_region::get_or_create): Delete.
	(array_region::get): Delete.
	(array_region::add_to_hash): Delete.
	(array_region::remap_region_ids): Delete.
	(array_region::get_key_for_child_region): Delete.
	(array_region::key_cmp): Delete.
	(array_region::walk_for_canonicalization): Delete.
	(array_region::key_from_constant): Delete.
	(array_region::constant_from_key): Delete.
	(function_region::compare_fields): Delete.
	(function_region::clone): Delete.
	(function_region::valid_key_p): Delete.
	(stack_region::stack_region): Delete.
	(stack_region::compare_fields): Delete.
	(stack_region::clone): Delete.
	(stack_region::print_fields): Delete.
	(stack_region::dump_child_label): Delete.
	(stack_region::validate): Delete.
	(stack_region::push_frame): Delete.
	(stack_region::get_current_frame_id): Delete.
	(stack_region::pop_frame): Delete.
	(stack_region::add_to_hash): Delete.
	(stack_region::remap_region_ids): Delete.
	(stack_region::can_merge_p): Delete.
	(stack_region::walk_for_canonicalization): Delete.
	(stack_region::get_value_by_name): Delete.
	(heap_region::heap_region): Delete.
	(heap_region::compare_fields): Delete.
	(heap_region::clone): Delete.
	(heap_region::walk_for_canonicalization): Delete.
	(root_region::root_region): Delete.
	(root_region::compare_fields): Delete.
	(root_region::clone): Delete.
	(root_region::print_fields): Delete.
	(root_region::validate): Delete.
	(root_region::dump_child_label): Delete.
	(root_region::push_frame): Delete.
	(root_region::get_current_frame_id): Delete.
	(root_region::pop_frame): Delete.
	(root_region::ensure_stack_region): Delete.
	(root_region::get_stack_region): Delete.
	(root_region::ensure_globals_region): Delete.
	(root_region::get_code_region): Delete.
	(root_region::ensure_code_region): Delete.
	(root_region::get_globals_region): Delete.
	(root_region::ensure_heap_region): Delete.
	(root_region::get_heap_region): Delete.
	(root_region::remap_region_ids): Delete.
	(root_region::can_merge_p): Delete.
	(root_region::add_to_hash): Delete.
	(root_region::walk_for_canonicalization): Delete.
	(root_region::get_value_by_name): Delete.
	(symbolic_region::symbolic_region): Delete.
	(symbolic_region::compare_fields): Delete.
	(symbolic_region::clone): Delete.
	(symbolic_region::walk_for_canonicalization): Delete.
	(symbolic_region::print_fields): Delete.
	(region_model::region_model): Add region_model_manager * param.
	Reimplement in terms of store, dropping impl_constraint_manager
	subclass.
	(region_model::operator=): Reimplement in terms of store
	(region_model::operator==): Likewise.
	(region_model::hash): Likewise.
	(region_model::print): Delete.
	(region_model::print_svalue): Delete.
	(region_model::dump_dot_to_pp): Delete.
	(region_model::dump_dot_to_file): Delete.
	(region_model::dump_dot): Delete.
	(region_model::dump_to_pp): Replace "summarize" param with
	"simple" and "multiline".  Port to store-based implementation.
	(region_model::dump): Replace "summarize" param with "simple" and
	"multiline".
	(dump_vec_of_tree): Delete.
	(region_model::dump_summary_of_rep_path_vars): Delete.
	(region_model::validate): Delete.
	(svalue_id_cmp_by_constant_svalue_model): Delete.
	(svalue_id_cmp_by_constant_svalue): Delete.
	(region_model::canonicalize): Drop "ctxt" param.  Reimplement in
	terms of store and constraints.
	(region_model::canonicalized_p): Remove NULL arg to canonicalize.
	(region_model::loop_replay_fixup): New.
	(poisoned_value_diagnostic::emit): Tweak wording of warnings.
	(region_model::check_for_poison): Delete.
	(region_model::get_gassign_result): New.
	(region_model::on_assignment): Port to store-based implementation.
	(region_model::on_call_pre): Delete calls to check_for_poison.
	Move implementations to region-model-impl-calls.c and port to
	store-based implementation.
	(region_model::on_call_post): Likewise.
	(class reachable_regions): Move to region-model-reachability.h/cc
	and port to store-based implementation.
	(region_model::handle_unrecognized_call): Port to store-based
	implementation.
	(region_model::get_reachable_svalues): New.
	(region_model::on_setjmp): Port to store-based implementation.
	(region_model::on_longjmp): Likewise.
	(region_model::handle_phi): Drop is_back_edge param and the logic
	using it.
	(region_model::get_lvalue_1): Port from region_id to const region *.
	(region_model::make_region_for_unexpected_tree_code): Delete.
	(assert_compat_types): If the check fails, use internal_error to
	show the types.
	(region_model::get_lvalue): Port from region_id to const region *.
	(region_model::get_rvalue_1): Port from svalue_id to const svalue *.
	(region_model::get_rvalue): Likewise.
	(region_model::get_or_create_ptr_svalue): Delete.
	(region_model::get_or_create_constant_svalue): Delete.
	(region_model::get_svalue_for_fndecl): Delete.
	(region_model::get_region_for_fndecl): Delete.
	(region_model::get_svalue_for_label): Delete.
	(region_model::get_region_for_label): Delete.
	(build_cast): Delete.
	(region_model::maybe_cast_1): Delete.
	(region_model::maybe_cast): Delete.
	(region_model::get_field_region): Delete.
	(region_model::get_store_value): New.
	(region_model::region_exists_p): New.
	(region_model::deref_rvalue): Port from svalue_id to const svalue *.
	(region_model::set_value): Likewise.
	(region_model::clobber_region): New.
	(region_model::purge_region): New.
	(region_model::zero_fill_region): New.
	(region_model::mark_region_as_unknown): New.
	(region_model::eval_condition): Port from svalue_id to
	const svalue *.
	(region_model::eval_condition_without_cm): Likewise.
	(region_model::compare_initial_and_pointer): New.
	(region_model::add_constraint): Port from svalue_id to
	const svalue *.
	(region_model::maybe_get_constant): Delete.
	(region_model::get_representative_path_var): New.
	(region_model::add_new_malloc_region): Delete.
	(region_model::get_representative_tree): Port to const svalue *.
	(region_model::get_representative_path_var): Port to
	const region *.
	(region_model::get_path_vars_for_svalue): Delete.
	(region_model::set_to_new_unknown_value): Delete.
	(region_model::update_for_phis): Don't pass is_back_edge to handle_phi.
	(region_model::update_for_call_superedge): Port from svalue_id to
	const svalue *.
	(region_model::update_for_return_superedge): Port to store-based
	implementation.
	(region_model::update_for_call_summary): Replace
	set_to_new_unknown_value with mark_region_as_unknown.
	(region_model::get_root_region): Delete.
	(region_model::get_stack_region_id): Delete.
	(region_model::push_frame): Delete.
	(region_model::get_current_frame_id): Delete.
	(region_model::get_current_function): Delete.
	(region_model::pop_frame): Delete.
	(region_model::on_top_level_param): New.
	(region_model::get_stack_depth): Delete.
	(region_model::get_function_at_depth): Delete.
	(region_model::get_globals_region_id): Delete.
	(region_model::add_svalue): Delete.
	(region_model::replace_svalue): Delete.
	(region_model::add_region): Delete.
	(region_model::get_svalue): Delete.
	(region_model::get_region): Delete.
	(make_region_for_type): Delete.
	(region_model::add_region_for_type): Delete.
	(region_model::on_top_level_param): New.
	(class restrict_to_used_svalues): Delete.
	(region_model::purge_unused_svalues): Delete.
	(region_model::push_frame): New.
	(region_model::remap_svalue_ids): Delete.
	(region_model::remap_region_ids): Delete.
	(region_model::purge_regions): Delete.
	(region_model::get_descendents): Delete.
	(region_model::delete_region_and_descendents): Delete.
	(region_model::poison_any_pointers_to_bad_regions): Delete.
	(region_model::can_merge_with_p): Delete.
	(region_model::get_current_function): New.
	(region_model::get_value_by_name): Delete.
	(region_model::convert_byte_offset_to_array_index): Delete.
	(region_model::pop_frame): New.
	(region_model::get_or_create_mem_ref): Delete.
	(region_model::get_stack_depth): New.
	(region_model::get_frame_at_index): New.
	(region_model::unbind_region_and_descendents): New.
	(struct bad_pointer_finder): New.
	(region_model::get_or_create_pointer_plus_expr): Delete.
	(region_model::poison_any_pointers_to_descendents): New.
	(region_model::get_or_create_view): Delete.
	(region_model::can_merge_with_p): New.
	(region_model::get_fndecl_for_call):  Port from svalue_id to
	const svalue *.
	(struct append_ssa_names_cb_data): New.
	(get_ssa_name_regions_for_current_frame): New.
	(region_model::append_ssa_names_cb): New.
	(model_merger::dump_to_pp): Add "simple" param.  Drop dumping of
	remappings.
	(model_merger::dump): Add "simple" param to both overloads.
	(model_merger::can_merge_values_p): Delete.
	(model_merger::record_regions): Delete.
	(model_merger::record_svalues): Delete.
	(svalue_id_merger_mapping::svalue_id_merger_mapping): Delete.
	(svalue_id_merger_mapping::dump_to_pp): Delete.
	(svalue_id_merger_mapping::dump): Delete.
	(region_model::create_region_for_heap_alloc): New.
	(region_model::create_region_for_alloca): New.
	(region_model::record_dynamic_extents): New.
	(canonicalization::canonicalization): Delete.
	(canonicalization::walk_rid): Delete.
	(canonicalization::walk_sid): Delete.
	(canonicalization::dump_to_pp): Delete.
	(canonicalization::dump): Delete.
	(inchash::add): Delete overloads for svalue_id and region_id.
	(engine::log_stats): New.
	(assert_condition): Add overload comparing svalues.
	(assert_dump_eq): Pass "true" for multiline.
	(selftest::test_dump): Update for rewrite of region_model.
	(selftest::test_dump_2): Rename to...
	(selftest::test_struct): ...this.  Provide a region_model_manager
	when creating region_model instance.  Remove dump test.  Add
	checks for get_offset.
	(selftest::test_dump_3): Rename to...
	(selftest::test_array_1): ...this.  Provide a region_model_manager
	when creating region_model instance.  Remove dump test.
	(selftest::test_get_representative_tree): Port from svalue_id to
	new API.  Add test coverage for various expressions.
	(selftest::test_unique_constants): Provide a region_model_manager
	for the region_model.  Add test coverage for comparing const vs
	non-const.
	(selftest::test_svalue_equality): Delete.
	(selftest::test_region_equality): Delete.
	(selftest::test_unique_unknowns): New.
	(class purge_all_svalue_ids): Delete.
	(class purge_one_svalue_id): Delete.
	(selftest::test_purging_by_criteria): Delete.
	(selftest::test_initial_svalue_folding): New.
	(selftest::test_unaryop_svalue_folding): New.
	(selftest::test_binop_svalue_folding): New.
	(selftest::test_sub_svalue_folding): New.
	(selftest::test_purge_unused_svalues): Delete.
	(selftest::test_descendent_of_p): New.
	(selftest::test_assignment): Provide a region_model_manager for
	the region_model.  Drop the dump test.
	(selftest::test_compound_assignment): Likewise.
	(selftest::test_stack_frames): Port to new implementation.
	(selftest::test_get_representative_path_var): Likewise.
	(selftest::test_canonicalization_1): Rename to...
	(selftest::test_equality_1): ...this.  Port to new API, and add
	(selftest::test_canonicalization_2): Provide a
	region_model_manager when creating region_model instances.
	Remove redundant canicalization.
	(selftest::test_canonicalization_3): Provide a
	region_model_manager when creating region_model instances.
	Remove param from calls to region_model::canonicalize.
	(selftest::test_canonicalization_4): Likewise.
	(selftest::assert_region_models_merge): Constify
	out_merged_svalue.  Port to new API.
	(selftest::test_state_merging): Provide a
	region_model_manager when creating region_model instances.
	Provide a program_point point when merging them.  Replace
	set_to_new_unknown_value with usage of placeholder_svalues.
	Drop get_value_by_name.  Port from svalue_id to const svalue *.
	Add test of heap allocation.
	(selftest::test_constraint_merging):  Provide a
	region_model_manager when creating region_model instances.
	Provide a program_point point when merging them.  Eliminate use
	of set_to_new_unknown_value.
	(selftest::test_widening_constraints): New.
	(selftest::test_iteration_1): New.
	(selftest::test_malloc_constraints): Port to store-based
	implementation.
	(selftest::test_var): New test.
	(selftest::test_array_2): New test.
	(selftest::test_mem_ref): New test.
	(selftest::test_POINTER_PLUS_EXPR_then_MEM_REF): New.
	(selftest::test_malloc): New.
	(selftest::test_alloca): New.
	(selftest::analyzer_region_model_cc_tests): Update for renamings.
	Call new functions.
	* region-model.h (class path_var): Move to analyzer.h.
	(class svalue_id): Delete.
	(class region_id): Delete.
	(class id_map): Delete.
	(svalue_id_map): Delete.
	(region_id_map): Delete.
	(id_map<T>::id_map): Delete.
	(id_map<T>::put): Delete.
	(id_map<T>::get_dst_for_src): Delete.
	(id_map<T>::get_src_for_dst): Delete.
	(id_map<T>::dump_to_pp): Delete.
	(id_map<T>::dump): Delete.
	(id_map<T>::update): Delete.
	(one_way_svalue_id_map): Delete.
	(one_way_region_id_map): Delete.
	(class region_id_set): Delete.
	(class svalue_id_set): Delete.
	(struct complexity): New.
	(class visitor): New.
	(enum svalue_kind): Add SK_SETJMP, SK_INITIAL, SK_UNARYOP,
	SK_BINOP, SK_SUB,SK_UNMERGEABLE, SK_PLACEHOLDER, SK_WIDENING,
	SK_COMPOUND, and SK_CONJURED.
	(svalue::operator==): Delete.
	(svalue::operator!=): Delete.
	(svalue::clone): Delete.
	(svalue::hash): Delete.
	(svalue::dump_dot_to_pp): Delete.
	(svalue::dump_to_pp): New.
	(svalue::dump): New.
	(svalue::get_desc): New.
	(svalue::dyn_cast_initial_svalue): New.
	(svalue::dyn_cast_unaryop_svalue): New.
	(svalue::dyn_cast_binop_svalue): New.
	(svalue::dyn_cast_sub_svalue): New.
	(svalue::dyn_cast_unmergeable_svalue): New.
	(svalue::dyn_cast_widening_svalue): New.
	(svalue::dyn_cast_compound_svalue): New.
	(svalue::dyn_cast_conjured_svalue): New.
	(svalue::maybe_undo_cast): New.
	(svalue::unwrap_any_unmergeable): New.
	(svalue::remap_region_ids): Delete
	(svalue::can_merge_p): New.
	(svalue::walk_for_canonicalization): Delete
	(svalue::get_complexity): New.
	(svalue::get_child_sid): Delete
	(svalue::accept): New.
	(svalue::live_p): New.
	(svalue::implicitly_live_p): New.
	(svalue::svalue): Add complexity param.
	(svalue::add_to_hash): Delete
	(svalue::print_details): Delete
	(svalue::m_complexity): New field.
	(region_svalue::key_t): New struct.
	(region_svalue::region_svalue): Port from region_id to
	const region_id *.  Add complexity.
	(region_svalue::compare_fields): Delete.
	(region_svalue::clone): Delete.
	(region_svalue::dump_dot_to_pp): Delete.
	(region_svalue::get_pointee): Port from region_id to
	const region_id *.
	(region_svalue::remap_region_ids): Delete.
	(region_svalue::merge_values): Delete.
	(region_svalue::dump_to_pp): New.
	(region_svalue::accept): New.
	(region_svalue::walk_for_canonicalization): Delete.
	(region_svalue::eval_condition): Make params const.
	(region_svalue::add_to_hash): Delete.
	(region_svalue::print_details): Delete.
	(region_svalue::m_rid): Replace with...
	(region_svalue::m_reg): ...this.
	(is_a_helper <region_svalue *>::test): Convert to...
	(is_a_helper <const region_svalue *>::test): ...this.
	(template <> struct default_hash_traits<region_svalue::key_t>):
	New.
	(constant_svalue::constant_svalue): Add complexity.
	(constant_svalue::compare_fields): Delete.
	(constant_svalue::clone): Delete.
	(constant_svalue::add_to_hash): Delete.
	(constant_svalue::dump_to_pp): New.
	(constant_svalue::accept): New.
	(constant_svalue::implicitly_live_p): New.
	(constant_svalue::merge_values): Delete.
	(constant_svalue::eval_condition): Make params const.
	(constant_svalue::get_child_sid): Delete.
	(constant_svalue::print_details): Delete.
	(is_a_helper <constant_svalue *>::test): Convert to...
	(is_a_helper <const constant_svalue *>::test): ...this.
	(class unknown_svalue): Update leading comment.
	(unknown_svalue::unknown_svalue): Add complexity.
	(unknown_svalue::compare_fields): Delete.
	(unknown_svalue::add_to_hash): Delete.
	(unknown_svalue::dyn_cast_unknown_svalue): Delete.
	(unknown_svalue::print_details): Delete.
	(unknown_svalue::dump_to_pp): New.
	(unknown_svalue::accept): New.
	(poisoned_svalue::key_t): New struct.
	(poisoned_svalue::poisoned_svalue): Add complexity.
	(poisoned_svalue::compare_fields): Delete.
	(poisoned_svalue::clone): Delete.
	(poisoned_svalue::add_to_hash): Delete.
	(poisoned_svalue::dump_to_pp): New.
	(poisoned_svalue::accept): New.
	(poisoned_svalue::print_details): Delete.
	(is_a_helper <poisoned_svalue *>::test): Convert to...
	(is_a_helper <const poisoned_svalue *>::test): ...this.
	(template <> struct default_hash_traits<poisoned_svalue::key_t>):
	New.
	(setjmp_record::add_to_hash): New.
	(setjmp_svalue::key_t): New struct.
	(setjmp_svalue::compare_fields): Delete.
	(setjmp_svalue::clone): Delete.
	(setjmp_svalue::add_to_hash): Delete.
	(setjmp_svalue::setjmp_svalue): Add complexity.
	(setjmp_svalue::dump_to_pp): New.
	(setjmp_svalue::accept): New.
	(setjmp_svalue::void print_details): Delete.
	(is_a_helper <const setjmp_svalue *>::test): New.
	(template <> struct default_hash_traits<setjmp_svalue::key_t>): New.
	(class initial_svalue : public svalue): New.
	(is_a_helper <const initial_svalue *>::test): New.
	(class unaryop_svalue): New.
	(is_a_helper <const unaryop_svalue *>::test): New.
	(template <> struct default_hash_traits<unaryop_svalue::key_t>): New.
	(class binop_svalue): New.
	(is_a_helper <const binop_svalue *>::test): New.
	(template <> struct default_hash_traits<binop_svalue::key_t>): New.
	(class sub_svalue): New.
	(is_a_helper <const sub_svalue *>::test): New.
	(template <> struct default_hash_traits<sub_svalue::key_t>): New.
	(class unmergeable_svalue): New.
	(is_a_helper <const unmergeable_svalue *>::test): New.
	(class placeholder_svalue): New.
	(is_a_helper <placeholder_svalue *>::test): New.
	(class widening_svalue): New.
	(is_a_helper <widening_svalue *>::test): New.
	(template <> struct default_hash_traits<widening_svalue::key_t>): New.
	(class compound_svalue): New.
	(is_a_helper <compound_svalue *>::test): New.
	(template <> struct default_hash_traits<compound_svalue::key_t>): New.
	(class conjured_svalue): New.
	(is_a_helper <conjured_svalue *>::test): New.
	(template <> struct default_hash_traits<conjured_svalue::key_t>): New.
	(enum region_kind): Delete RK_PRIMITIVE, RK_STRUCT, RK_UNION, and
	RK_ARRAY.  Add RK_LABEL, RK_DECL, RK_FIELD, RK_ELEMENT, RK_OFFSET,
	RK_CAST, RK_HEAP_ALLOCATED, RK_ALLOCA, RK_STRING, and RK_UNKNOWN.
	(region_kind_to_str): Delete.
	(region::~region): Move implementation to region.cc.
	(region::operator==): Delete.
	(region::operator!=): Delete.
	(region::clone): Delete.
	(region::get_id): New.
	(region::cmp_ids): New.
	(region::dyn_cast_map_region): Delete.
	(region::dyn_cast_array_region): Delete.
	(region::region_id get_parent): Delete.
	(region::get_parent_region): Convert to a simple accessor.
	(region::void set_value): Delete.
	(region::svalue_id get_value): Delete.
	(region::svalue_id get_value_direct): Delete.
	(region::svalue_id get_inherited_child_sid): Delete.
	(region::dyn_cast_frame_region): New.
	(region::dyn_cast_function_region): New.
	(region::dyn_cast_decl_region): New.
	(region::dyn_cast_field_region): New.
	(region::dyn_cast_element_region): New.
	(region::dyn_cast_offset_region): New.
	(region::dyn_cast_cast_region): New.
	(region::dyn_cast_string_region): New.
	(region::accept): New.
	(region::get_base_region): New.
	(region::base_region_p): New.
	(region::descendent_of_p): New.
	(region::maybe_get_frame_region): New.
	(region::maybe_get_decl): New.
	(region::hash): Delete.
	(region::rint): Delete.
	(region::dump_dot_to_pp): Delete.
	(region::get_desc): New.
	(region::dump_to_pp): Convert to vfunc, changing signature.
	(region::dump_child_label): Delete.
	(region::remap_svalue_ids): Delete.
	(region::remap_region_ids): Delete.
	(region::dump): New.
	(region::walk_for_canonicalization): Delete.
	(region::non_null_p): Drop region_model param.
	(region::add_view): Delete.
	(region::get_view): Delete.
	(region::get_active_view): Delete.
	(region::is_view_p): Delete.
	(region::cmp_ptrs): New.
	(region::validate): Delete.
	(region::get_offset): New.
	(region::get_byte_size): New.
	(region::get_bit_size): New.
	(region::get_subregions_for_binding): New.
	(region::region): Add complexity param.  Convert parent from
	region_id to const region *.  Drop svalue_id.  Drop copy ctor.
	(region::symbolic_for_unknown_ptr_p): New.
	(region::add_to_hash): Delete.
	(region::print_fields): Delete.
	(region::get_complexity): New accessor.
	(region::become_active_view): Delete.
	(region::deactivate_any_active_view): Delete.
	(region::deactivate_view): Delete.
	(region::calc_offset): New.
	(region::m_parent_rid): Delete.
	(region::m_sval_id): Delete.
	(region::m_complexity): New.
	(region::m_id): New.
	(region::m_parent): New.
	(region::m_view_rids): Delete.
	(region::m_is_view): Delete.
	(region::m_active_view_rid): Delete.
	(region::m_cached_offset): New.
	(is_a_helper <region *>::test): Convert to...
	(is_a_helper <const region *>::test): ... this.
	(class primitive_region): Delete.
	(class space_region): New.
	(class map_region): Delete.
	(is_a_helper <map_region *>::test): Delete.
	(class frame_region): Reimplement.
	(template <> struct default_hash_traits<frame_region::key_t>):
	New.
	(class globals_region): Reimplement.
	(is_a_helper <globals_region *>::test): Convert to...
	(is_a_helper <const globals_region *>::test): ...this.
	(class struct_or_union_region): Delete.
	(is_a_helper <struct_or_union_region *>::test): Delete.
	(class code_region): Reimplement.
	(is_a_helper <const code_region *>::test): New.
	(class struct_region): Delete.
	(is_a_helper <struct_region *>::test): Delete.
	(class function_region): Reimplement.
	(is_a_helper <function_region *>::test): Convert to...
	(is_a_helper <const function_region *>::test): ...this.
	(class union_region): Delete.
	(is_a_helper <union_region *>::test): Delete.
	(class label_region): New.
	(is_a_helper <const label_region *>::test): New.
	(class scope_region): Delete.
	(class stack_region): Reimplement.
	(is_a_helper <stack_region *>::test): Convert to...
	(is_a_helper <const stack_region *>::test): ...this.
	(class heap_region): Reimplement.
	(is_a_helper <heap_region *>::test): Convert to...
	(is_a_helper <const heap_region *>::test): ...this.
	(class root_region): Reimplement.
	(is_a_helper <root_region *>::test): Convert to...
	(is_a_helper <const root_region *>::test): ...this.
	(class symbolic_region): Reimplement.
	(is_a_helper <const symbolic_region *>::test): New.
	(template <> struct default_hash_traits<symbolic_region::key_t>):
	New.
	(class decl_region): New.
	(is_a_helper <const decl_region *>::test): New.
	(class field_region): New.
	(template <> struct default_hash_traits<field_region::key_t>): New.
	(class array_region): Delete.
	(class element_region): New.
	(is_a_helper <array_region *>::test): Delete.
	(is_a_helper <const element_region *>::test): New.
	(template <> struct default_hash_traits<element_region::key_t>):
	New.
	(class offset_region): New.
	(is_a_helper <const offset_region *>::test): New.
	(template <> struct default_hash_traits<offset_region::key_t>):
	New.
	(class cast_region): New.
	(is_a_helper <const cast_region *>::test): New.
	(template <> struct default_hash_traits<cast_region::key_t>): New.
	(class heap_allocated_region): New.
	(class alloca_region): New.
	(class string_region): New.
	(is_a_helper <const string_region *>::test): New.
	(class unknown_region): New.
	(class region_model_manager): New.
	(struct append_ssa_names_cb_data): New.
	(class call_details): New.
	(region_model::region_model): Add region_model_manager param.
	(region_model::print_svalue): Delete.
	(region_model::dump_dot_to_pp): Delete.
	(region_model::dump_dot_to_file): Delete.
	(region_model::dump_dot): Delete.
	(region_model::dump_to_pp): Drop summarize param in favor of
	simple and multiline.
	(region_model::dump): Likewise.
	(region_model::summarize_to_pp): Delete.
	(region_model::summarize): Delete.
	(region_model::void canonicalize): Drop ctxt param.
	(region_model::void check_for_poison): Delete.
	(region_model::get_gassign_result): New.
	(region_model::impl_call_alloca): New.
	(region_model::impl_call_analyzer_describe): New.
	(region_model::impl_call_analyzer_eval): New.
	(region_model::impl_call_builtin_expect): New.
	(region_model::impl_call_calloc): New.
	(region_model::impl_call_free): New.
	(region_model::impl_call_malloc): New.
	(region_model::impl_call_memset): New.
	(region_model::impl_call_strlen): New.
	(region_model::get_reachable_svalues): New.
	(region_model::handle_phi): Drop is_back_edge param.
	(region_model::region_id get_root_rid): Delete.
	(region_model::root_region *get_root_region): Delete.
	(region_model::region_id get_stack_region_id): Delete.
	(region_model::push_frame): Convert from region_id and svalue_id
	to const region * and const svalue *.
	(region_model::get_current_frame_id): Replace with...
	(region_model::get_current_frame): ...this.
	(region_model::pop_frame): Convert from region_id to
	const region *.  Drop purge and stats param.  Add out_result.
	(region_model::function *get_function_at_depth): Delete.
	(region_model::get_globals_region_id): Delete.
	(region_model::add_svalue): Delete.
	(region_model::replace_svalue): Delete.
	(region_model::add_region): Delete.
	(region_model::add_region_for_type): Delete.
	(region_model::get_svalue): Delete.
	(region_model::get_region): Delete.
	(region_model::get_lvalue): Convert from region_id to
	const region *.
	(region_model::get_rvalue): Convert from svalue_id to
	const svalue *.
	(region_model::get_or_create_ptr_svalue): Delete.
	(region_model::get_or_create_constant_svalue): Delete.
	(region_model::get_svalue_for_fndecl): Delete.
	(region_model::get_svalue_for_label): Delete.
	(region_model::get_region_for_fndecl): Delete.
	(region_model::get_region_for_label): Delete.
	(region_model::get_frame_at_index (int index) const;): New.
	(region_model::maybe_cast): Delete.
	(region_model::maybe_cast_1): Delete.
	(region_model::get_field_region): Delete.
	(region_model::id deref_rvalue): Convert from region_id and
	svalue_id to const region * and const svalue *.  Drop overload,
	passing in both a tree and an svalue.
	(region_model::set_value): Convert from region_id and svalue_id to
	const region * and const svalue *.
	(region_model::set_to_new_unknown_value): Delete.
	(region_model::clobber_region (const region *reg);): New.
	(region_model::purge_region (const region *reg);): New.
	(region_model::zero_fill_region (const region *reg);): New.
	(region_model::mark_region_as_unknown (const region *reg);): New.
	(region_model::copy_region): Convert from region_id to
	const region *.
	(region_model::eval_condition): Convert from svalue_id to
	const svalue *.
	(region_model::eval_condition_without_cm): Likewise.
	(region_model::compare_initial_and_pointer): New.
	(region_model:maybe_get_constant): Delete.
	(region_model::add_new_malloc_region): Delete.
	(region_model::get_representative_tree): Convert from svalue_id to
	const svalue *.
	(region_model::get_representative_path_var): Delete decl taking a
	region_id in favor of two decls, for svalue vs region, with an
	svalue_set to ensure termination.
	(region_model::get_path_vars_for_svalue): Delete.
	(region_model::create_region_for_heap_alloc): New.
	(region_model::create_region_for_alloca): New.
	(region_model::purge_unused_svalues): Delete.
	(region_model::remap_svalue_ids): Delete.
	(region_model::remap_region_ids): Delete.
	(region_model::purge_regions): Delete.
	(region_model::get_num_svalues): Delete.
	(region_model::get_num_regions): Delete.
	(region_model::get_descendents): Delete.
	(region_model::get_store): New.
	(region_model::delete_region_and_descendents): Delete.
	(region_model::get_manager): New.
	(region_model::unbind_region_and_descendents): New.
	(region_model::can_merge_with_p): Add point param.  Drop
	svalue_id_merger_mapping.
	(region_model::get_value_by_name): Delete.
	(region_model::convert_byte_offset_to_array_index): Delete.
	(region_model::get_or_create_mem_ref): Delete.
	(region_model::get_or_create_pointer_plus_expr): Delete.
	(region_model::get_or_create_view): Delete.
	(region_model::get_lvalue_1): Convert from region_id to
	const region *.
	(region_model::get_rvalue_1): Convert from svalue_id to
	const svalue *.
	(region_model::get_ssa_name_regions_for_current_frame): New.
	(region_model::append_ssa_names_cb): New.
	(region_model::get_store_value): New.
	(region_model::copy_struct_region): Delete.
	(region_model::copy_union_region): Delete.
	(region_model::copy_array_region): Delete.
	(region_model::region_exists_p): New.
	(region_model::make_region_for_unexpected_tree_code): Delete.
	(region_model::loop_replay_fixup): New.
	(region_model::poison_any_pointers_to_bad_regions): Delete.
	(region_model::poison_any_pointers_to_descendents): New.
	(region_model::dump_summary_of_rep_path_vars): Delete.
	(region_model::on_top_level_param): New.
	(region_model::record_dynamic_extents): New.
	(region_model::m_mgr;): New.
	(region_model::m_store;): New.
	(region_model::m_svalues;): Delete.
	(region_model::m_regions;): Delete.
	(region_model::m_root_rid;): Delete.
	(region_model::m_current_frame;): New.
	(region_model_context::remap_svalue_ids): Delete.
	(region_model_context::can_purge_p): Delete.
	(region_model_context::on_svalue_leak): New.
	(region_model_context::on_svalue_purge): Delete.
	(region_model_context::on_liveness_change): New.
	(region_model_context::on_inherited_svalue): Delete.
	(region_model_context::on_cast): Delete.
	(region_model_context::on_unknown_change): Convert from svalue_id to
	const svalue * and add is_mutable.
	(class noop_region_model_context): Update for region_model_context
	changes.
	(model_merger::model_merger): Add program_point.  Drop
	svalue_id_merger_mapping.
	(model_merger::dump_to_pp): Add "simple" param.
	(model_merger::dump): Likewise.
	(model_merger::get_region_a): Delete.
	(model_merger::get_region_b): Delete.
	(model_merger::can_merge_values_p): Delete.
	(model_merger::record_regions): Delete.
	(model_merger::record_svalues): Delete.
	(model_merger::m_point): New field.
	(model_merger::m_map_regions_from_a_to_m): Delete.
	(model_merger::m_map_regions_from_b_to_m): Delete.
	(model_merger::m_sid_mapping): Delete.
	(struct svalue_id_merger_mapping): Delete.
	(class engine): New.
	(struct canonicalization): Delete.
	(inchash::add): Delete decls for hashing svalue_id and region_id.
	(test_region_model_context::on_unexpected_tree_code): Require t to
	be non-NULL.
	(selftest::assert_condition): Add overload comparing a pair of
	const svalue *.
	* sm-file.cc: Include "tristate.h", "selftest.h",
	"analyzer/call-string.h", "analyzer/program-point.h",
	"analyzer/store.h", and "analyzer/region-model.h".
	(fileptr_state_machine::get_default_state): New.
	(fileptr_state_machine::on_stmt): Remove calls to
	get_readable_tree in favor of get_diagnostic_tree.
	* sm-malloc.cc: Include "tristate.h", "selftest.h",
	"analyzer/call-string.h", "analyzer/program-point.h",
	"analyzer/store.h", and "analyzer/region-model.h".
	(malloc_state_machine::get_default_state): New.
	(malloc_state_machine::reset_when_passed_to_unknown_fn_p): New.
	(malloc_diagnostic::describe_state_change): Handle change.m_expr
	being NULL.
	(null_arg::emit): Avoid printing "NULL '0'".
	(null_arg::describe_final_event): Avoid printing "(0) NULL".
	(malloc_leak::emit): Handle m_arg being NULL.
	(malloc_leak::describe_final_event): Handle ev.m_expr being NULL.
	(malloc_state_machine::on_stmt): Don't call get_readable_tree.
	Call get_diagnostic_tree when creating pending diagnostics.
	Update for is_zero_assignment becoming a member function of
	sm_ctxt.
	Don't transition to m_non_heap for ADDR_EXPR(MEM_REF()).
	(malloc_state_machine::reset_when_passed_to_unknown_fn_p): New
	vfunc implementation.
	* sm-sensitive.cc (sensitive_state_machine::warn_for_any_exposure): Call
	get_diagnostic_tree and pass the result to warn_for_state.
	* sm-signal.cc: Move includes of "analyzer/call-string.h" and
	"analyzer/program-point.h" to before "analyzer/region-model.h",
	and also include "analyzer/store.h" before it.
	(signal_unsafe_call::describe_state_change): Use
	get_dest_function to get handler.
	(update_model_for_signal_handler): Pass manager to region_model
	ctor.
	(register_signal_handler::impl_transition): Update for changes to
	get_or_create_node and add_edge.
	* sm-taint.cc (taint_state_machine::on_stmt): Remove calls to
	get_readable_tree, replacing them when calling warn_for_state with
	calls to get_diagnostic_tree.
	* sm.cc (is_zero_assignment): Delete.
	(any_pointer_p): Move to within namespace ana.
	* sm.h (is_zero_assignment): Remove decl.
	(any_pointer_p): Move decl to within namespace ana.
	(state_machine::get_default_state): New vfunc.
	(state_machine::reset_when_passed_to_unknown_fn_p): New vfunc.
	(sm_context::get_readable_tree): Rename to...
	(sm_context::get_diagnostic_tree): ...this.
	(sm_context::is_zero_assignment): New vfunc.
	* store.cc: New file.
	* store.h: New file.
	* svalue.cc: New file.

2020-05-22  Mark Wielaard  <mark (a] klomp.org>

	* sm-signal.cc(signal_unsafe_call::emit): Possibly add
	gcc_rich_location note for replacement.
	(signal_unsafe_call::get_replacement_fn): New private function.
	(get_async_signal_unsafe_fns): Add "exit".

2020-04-28  David Malcolm  <dmalcolm (a] redhat.com>

	PR analyzer/94816
	* engine.cc (impl_region_model_context::on_unexpected_tree_code):
	Handle NULL tree.
	* region-model.cc (region_model::add_region_for_type): Handle
	NULL type.
	* region-model.h
	(test_region_model_context::on_unexpected_tree_code): Handle NULL
	tree.

2020-04-28  David Malcolm  <dmalcolm (a] redhat.com>

	PR analyzer/94447
	PR analyzer/94639
	PR analyzer/94732
	PR analyzer/94754
	* analyzer.opt (Wanalyzer-use-of-uninitialized-value): Delete.
	* program-state.cc (selftest::test_program_state_dumping): Update
	expected dump result for removal of "uninit".
	* region-model.cc (poison_kind_to_str): Delete POISON_KIND_UNINIT
	case.
	(root_region::ensure_stack_region): Initialize stack with null
	svalue_id rather than with a typeless POISON_KIND_UNINIT value.
	(root_region::ensure_heap_region): Likewise for the heap.
	(region_model::dump_summary_of_rep_path_vars): Remove
	summarization of uninit values.
	(region_model::validate): Remove check that the stack has a
	POISON_KIND_UNINIT value.
	(poisoned_value_diagnostic::emit): Remove POISON_KIND_UNINIT
	case.
	(poisoned_value_diagnostic::describe_final_event): Likewise.
	(selftest::test_dump): Update expected dump result for removal of
	"uninit".
	(selftest::test_svalue_equality): Remove "uninit" and "freed".
	* region-model.h (enum poison_kind): Remove POISON_KIND_UNINIT.

2020-04-01  David Malcolm  <dmalcolm (a] redhat.com>

	PR analyzer/94378
	* checker-path.cc: Include "bitmap.h".
	* constraint-manager.cc: Likewise.
	* diagnostic-manager.cc: Likewise.
	* engine.cc: Likewise.
	(exploded_node::detect_leaks): Pass null region_id to pop_frame.
	* program-point.cc: Include "bitmap.h".
	* program-state.cc: Likewise.
	* region-model.cc (id_set<region_id>::id_set): Convert to...
	(region_id_set::region_id_set): ...this.
	(svalue_id_set::svalue_id_set): New ctor.
	(region_model::copy_region): New function.
	(region_model::copy_struct_region): New function.
	(region_model::copy_union_region): New function.
	(region_model::copy_array_region): New function.
	(stack_region::pop_frame): Drop return value.  Add
	"result_dst_rid" param; if it is non-null, use copy_region to copy
	the result to it.  Rather than capture and pass a single "known
	used" return value to be used by purge_unused_values, instead
	gather and pass a set of known used return values.
	(root_region::pop_frame): Drop return value.  Add "result_dst_rid"
	param.
	(region_model::on_assignment): Use copy_region.
	(region_model::on_return): Likewise for the result.
	(region_model::on_longjmp): Pass null for pop_frame's
	result_dst_rid.
	(region_model::update_for_return_superedge): Pass the region for the
	return value of the call, if any, to pop_frame, rather than setting
	the lvalue for the lhs of the result.
	(region_model::pop_frame): Drop return value.  Add
	"result_dst_rid" param.
	(region_model::purge_unused_svalues): Convert third param from an
	svalue_id * to an svalue_id_set *, updating the initial populating
	of the "used" bitmap accordingly.  Don't remap it when done.
	(struct selftest::coord_test): New selftest fixture, extracted from...
	(selftest::test_dump_2): ...here.
	(selftest::test_compound_assignment): New selftest.
	(selftest::test_stack_frames): Pass null to new param of pop_frame.
	(selftest::analyzer_region_model_cc_tests): Call the new selftest.
	* region-model.h (class id_set): Delete template.
	(class region_id_set): Reimplement, using old id_set implementation.
	(class svalue_id_set): Likewise.  Convert from auto_sbitmap to
	auto_bitmap.
	(region::get_active_view): New accessor.
	(stack_region::pop_frame): Drop return value.  Add
	"result_dst_rid" param.
	(root_region::pop_frame): Likewise.
	(region_model::pop_frame): Likewise.
	(region_model::copy_region): New decl.
	(region_model::purge_unused_svalues): Convert third param from an
	svalue_id * to an svalue_id_set *.
	(region_model::copy_struct_region): New decl.
	(region_model::copy_union_region): New decl.
	(region_model::copy_array_region): New decl.

2020-03-27  David Malcolm  <dmalcolm (a] redhat.com>

	* program-state.cc (selftest::test_program_state_dumping): Update
	expected dump to include symbolic_region's possibly_null field.
	* region-model.cc (symbolic_region::print_fields): New vfunc
	implementation.
	(region_model::add_constraint): Clear m_possibly_null from
	symbolic_regions now known to be non-NULL.
	(selftest::test_malloc_constraints): New selftest.
	(selftest::analyzer_region_model_cc_tests): Call it.
	* region-model.h (region::dyn_cast_symbolic_region): Add non-const
	overload.
	(symbolic_region::dyn_cast_symbolic_region): Implement it.
	(symbolic_region::print_fields): New vfunc override decl.

2020-03-27  David Malcolm  <dmalcolm (a] redhat.com>

	* analyzer.h (class feasibility_problem): New forward decl.
	* diagnostic-manager.cc (saved_diagnostic::saved_diagnostic):
	Initialize new fields m_status, m_epath_length, and m_problem.
	(saved_diagnostic::~saved_diagnostic): Delete m_problem.
	(dedupe_candidate::dedupe_candidate): Convert "sd" param from a
	const ref to a mutable ptr.
	(dedupe_winners::add): Convert "sd" param from a const ref to a
	mutable ptr.  Record the length of the exploded_path.  Record the
	feasibility/infeasibility of sd into sd, capturing a
	feasibility_problem when feasible_p fails, and storing it in sd.
	(diagnostic_manager::emit_saved_diagnostics): Update for pass by
	ptr rather than by const ref.
	* diagnostic-manager.h (class saved_diagnostic): Add new enum
	status.  Add fields m_status, m_epath_length and m_problem.
	(saved_diagnostic::set_feasible): New member function.
	(saved_diagnostic::set_infeasible): New member function.
	(saved_diagnostic::get_feasibility_problem): New accessor.
	(saved_diagnostic::get_status): New accessor.
	(saved_diagnostic::set_epath_length): New member function.
	(saved_diagnostic::get_epath_length): New accessor.
	* engine.cc: Include "gimple-pretty-print.h".
	(exploded_path::feasible_p): Add OUT param and, if non-NULL, write
	a new feasibility_problem to it on failure.
	(viz_callgraph_node::dump_dot): Convert begin_tr calls to
	begin_trtd.  Convert end_tr calls to end_tdtr.
	(class exploded_graph_annotator): New subclass of dot_annotator.
	(impl_run_checkers): Add a second -fdump-analyzer-supergraph dump
	after the analysis runs, using exploded_graph_annotator. dumping
	to DUMP_BASE_NAME.supergraph-eg.dot.
	* exploded-graph.h (exploded_node::get_dot_fillcolor): Make
	public.
	(exploded_path::feasible_p): Add OUT param.
	(class feasibility_problem): New class.
	* state-purge.cc (state_purge_annotator::add_node_annotations):
	Return a bool, add a "within_table" param.
	(print_vec_of_names): Convert begin_tr calls to begin_trtd.
	Convert end_tr calls to end_tdtr.
	(state_purge_annotator::add_stmt_annotations): Add "within_row"
	param.
	* state-purge.h ((state_purge_annotator::add_node_annotations):
	Return a bool, add a "within_table" param.
	(state_purge_annotator::add_stmt_annotations): Add "within_row"
	param.
	* supergraph.cc (supernode::dump_dot): Call add_node_annotations
	twice: as before, passing false for "within_table", then again
	with true when within the TABLE element.  Convert some begin_tr
	calls to begin_trtd, and some end_tr calls to end_tdtr.
	Repeat each add_stmt_annotations call, distinguishing between
	calls that add TRs and those that add TDs to an existing TR.
	Add a call to add_after_node_annotations.
	* supergraph.h (dot_annotator::add_node_annotations): Add a
	"within_table" param.
	(dot_annotator::add_stmt_annotations): Add a "within_row" param.
	(dot_annotator::add_after_node_annotations): New vfunc.

2020-03-27  David Malcolm  <dmalcolm (a] redhat.com>

	* diagnostic-manager.cc (dedupe_winners::add): Show the
	exploded_node index in the log messages.
	(diagnostic_manager::emit_saved_diagnostics): Log a summary of
	m_saved_diagnostics at entry.

2020-03-27  David Malcolm  <dmalcolm (a] redhat.com>

	* supergraph.cc (superedge::dump): Add space before description;
	move newline to non-pretty_printer overload.

2020-03-18  David Malcolm  <dmalcolm (a] redhat.com>

	* region-model.cc: Include "stor-layout.h".
	(region_model::dump_to_pp): Rather than calling
	dump_summary_of_map on each of the current frame and the globals,
	instead get a vec of representative path_vars for all regions,
	and then dump a summary of all of them.
	(region_model::dump_summary_of_map): Delete, rewriting into...
	(region_model::dump_summary_of_rep_path_vars): ...this new
	function, working on a vec of path_vars.
	(region_model::set_value): New overload.
	(region_model::get_representative_path_var): Rename
	"parent_region" local to "parent_reg" and consolidate with other
	local.  Guard test for grandparent being stack on parent_reg being
	non-NULL.  Move handling for parent being an array_region to
	within guard for parent_reg being non-NULL.
	(selftest::make_test_compound_type): New function.
	(selftest::test_dump_2): New selftest.
	(selftest::test_dump_3): New selftest.
	(selftest::test_stack_frames): Update expected output from
	simplified dump to show "a" and "b" from parent frame and "y" in
	child frame.
	(selftest::analyzer_region_model_cc_tests): Call test_dump_2 and
	test_dump_3.
	* region-model.h (region_model::set_value): New overload decl.
	(region_model::dump_summary_of_map): Delete.
	(region_model::dump_summary_of_rep_path_vars): New.

2020-03-18  David Malcolm  <dmalcolm (a] redhat.com>

	* region-model.h (class noop_region_model_context): New subclass
	of region_model_context.
	(class tentative_region_model_context): Inherit from
	noop_region_model_context rather than from region_model_context;
	drop redundant vfunc implementations.
	(class test_region_model_context): Likewise.

2020-03-18  David Malcolm  <dmalcolm (a] redhat.com>

	* engine.cc (exploded_node::exploded_node): Move implementation
	here from header; accept point_and_state by const reference rather
	than by value.
	* exploded-graph.h (exploded_node::exploded_node): Pass
	point_and_state by const reference rather than by value.  Move
	body to engine.cc.

2020-03-18  Jakub Jelinek  <jakub (a] redhat.com>

	* sm-malloc.cc (malloc_state_machine::on_stmt): Fix up duplicated word
	issue in a comment.
	* region-model.cc (region_model::make_region_for_unexpected_tree_code,
	region_model::delete_region_and_descendents): Likewise.
	* engine.cc (class exploded_cluster): Likewise.
	* diagnostic-manager.cc (class path_builder): Likewise.

2020-03-13  David Malcolm  <dmalcolm (a] redhat.com>

	PR analyzer/94099
	PR analyzer/94105
	* diagnostic-manager.cc (for_each_state_change): Bulletproof
	against errors in get_rvalue by passing a
	tentative_region_model_context and rejecting if there's an error.
	* region-model.cc (region_model::get_lvalue_1): When handling
	ARRAY_REF, handle results of error-handling.  Handle NOP_EXPR.

2020-03-06  David Malcolm  <dmalcolm (a] redhat.com>

	* analyzer.h (class array_region): New forward decl.
	* program-state.cc (selftest::test_program_state_dumping_2): New.
	(selftest::analyzer_program_state_cc_tests): Call it.
	* region-model.cc (array_region::constant_from_key): New.
	(region_model::get_representative_tree): Handle region_svalue by
	generating an ADDR_EXPR.
	(region_model::get_representative_path_var): In view handling,
	remove erroneous TREE_TYPE when determining the type of the tree.
	Handle array regions and STRING_CST.
	(selftest::assert_dump_tree_eq): New.
	(ASSERT_DUMP_TREE_EQ): New macro.
	(selftest::test_get_representative_tree): New selftest.
	(selftest::analyzer_region_model_cc_tests): Call it.
	* region-model.h (region::dyn_cast_array_region): New vfunc.
	(array_region::dyn_cast_array_region): New vfunc implementation.
	(array_region::constant_from_key): New decl.

2020-03-06  David Malcolm  <dmalcolm (a] redhat.com>

	* analyzer.h (dump_quoted_tree): New decl.
	* engine.cc (exploded_node::dump_dot): Pass region model to
	sm_state_map::print.
	* program-state.cc: Include diagnostic-core.h.
	(sm_state_map::print): Add "model" param and use it to print
	representative trees.  Only print origin information if non-null.
	(sm_state_map::dump): Pass NULL for model to print call.
	(program_state::print): Pass region model to sm_state_map::print.
	(program_state::dump_to_pp): Use spaces rather than newlines when
	summarizing.  Pass region_model to sm_state_map::print.
	(ana::selftest::assert_dump_eq): New function.
	(ASSERT_DUMP_EQ): New macro.
	(ana::selftest::test_program_state_dumping): New function.
	(ana::selftest::analyzer_program_state_cc_tests): Call it.
	* program-state.h (program_state::print): Add model param.
	* region-model.cc (dump_quoted_tree): New function.
	(map_region::print_fields): Use dump_quoted_tree rather than
	%qE to avoid lang-dependent output.
	(map_region::dump_child_label): Likewise.
	(region_model::dump_summary_of_map): For SK_REGION, when
	get_representative_path_var fails, print the region id rather than
	erroneously printing NULL.
	* sm.cc (state_machine::get_state_by_name): New function.
	* sm.h (state_machine::get_state_by_name): New decl.

2020-03-04  David Malcolm  <dmalcolm (a] redhat.com>

	* region-model.cc (region::validate): Convert model param from ptr
	to reference.  Update comment to reflect that it's now a vfunc.
	(map_region::validate): New vfunc implementation.
	(array_region::validate): New vfunc implementation.
	(stack_region::validate): New vfunc implementation.
	(root_region::validate): New vfunc implementation.
	(region_model::validate): Pass a reference rather than a pointer
	to the region::validate vfunc.
	* region-model.h (region::validate): Make virtual.  Convert model
	param from ptr to reference.
	(map_region::validate): New vfunc decl.
	(array_region::validate): New vfunc decl.
	(stack_region::validate): New vfunc decl.
	(root_region::validate): New vfunc decl.

2020-03-04  David Malcolm  <dmalcolm (a] redhat.com>

	PR analyzer/93993
	* region-model.cc (region_model::on_call_pre): Handle
	BUILT_IN_EXPECT and its variants.
	(region_model::add_any_constraints_from_ssa_def_stmt): Split out
	gassign handling into add_any_constraints_from_gassign; add gcall
	handling.
	(region_model::add_any_constraints_from_gassign): New function,
	based on the above.  Add handling for NOP_EXPR.
	(region_model::add_any_constraints_from_gcall): New function.
	(region_model::get_representative_path_var): Handle views.
	* region-model.h
	(region_model::add_any_constraints_from_ssa_def_stmt): New decl.
	(region_model::add_any_constraints_from_gassign): New decl.

2020-03-04  David Malcolm  <dmalcolm (a] redhat.com>

	PR analyzer/93993
	* checker-path.h (state_change_event::get_lvalue): Add ctxt param
	and pass it to region_model::get_value call.
	* diagnostic-manager.cc (get_any_origin): Pass a
	tentative_region_model_context to the calls to get_lvalue and reject
	the comparison if errors occur.
	(can_be_expr_of_interest_p): New function.
	(diagnostic_manager::prune_for_sm_diagnostic): Replace checks for
	CONSTANT_CLASS_P with calls to update_for_unsuitable_sm_exprs.
	Pass a tentative_region_model_context to the calls to
	state_change_event::get_lvalue and reject the comparison if errors
	occur.
	(diagnostic_manager::update_for_unsuitable_sm_exprs): New.
	* diagnostic-manager.h
	(diagnostic_manager::update_for_unsuitable_sm_exprs): New decl.
	* region-model.h (class tentative_region_model_context): New class.

2020-03-04  David Malcolm  <dmalcolm (a] redhat.com>

	* engine.cc (worklist::worklist): Remove unused field m_eg.
	(class viz_callgraph_edge): Remove unused field m_call_sedge.
	(class viz_callgraph): Remove unused field m_sg.
	* exploded-graph.h (worklist::::m_eg): Remove unused field.

2020-03-02  David Malcolm  <dmalcolm (a] redhat.com>

	* analyzer.opt (fanalyzer-show-duplicate-count): New option.
	* diagnostic-manager.cc
	(diagnostic_manager::emit_saved_diagnostic): Use the above to
	guard the printing of the duplicate count.

2020-03-02  David Malcolm  <dmalcolm (a] redhat.com>

	PR analyzer/93959
	* analyzer.cc (is_std_function_p): New function.
	(is_std_named_call_p): New functions.
	* analyzer.h (is_std_named_call_p): New decl.
	* sm-malloc.cc (malloc_state_machine::on_stmt): Check for "std::"
	variants when checking for malloc, calloc and free.

2020-02-26  David Malcolm  <dmalcolm (a] redhat.com>

	PR analyzer/93950
	* diagnostic-manager.cc
	(diagnostic_manager::prune_for_sm_diagnostic): Assert that var is
	either NULL or not a constant.  When updating var, bulletproof
	against constant values.

2020-02-26  David Malcolm  <dmalcolm (a] redhat.com>

	PR analyzer/93947
	* region-model.cc (region_model::get_fndecl_for_call): Gracefully
	fail for fn_decls that don't have a cgraph_node.

2020-02-26  David Malcolm  <dmalcolm (a] redhat.com>

	* bar-chart.cc: New file.
	* bar-chart.h: New file.
	* engine.cc: Include "analyzer/bar-chart.h".
	(stats::log): Only log the m_num_nodes kinds that are non-zero.
	(stats::dump): Likewise when dumping.
	(stats::get_total_enodes): New.
	(exploded_graph::get_or_create_node): Increment the per-point-data
	m_excess_enodes when hitting the per-program-point limit on
	enodes.
	(exploded_graph::print_bar_charts): New.
	(exploded_graph::log_stats): Log the number of unprocessed enodes
	in the worklist.  Call print_bar_charts.
	(exploded_graph::dump_stats): Print the number of unprocessed
	enodes in the worklist.
	* exploded-graph.h (stats::get_total_enodes): New decl.
	(struct per_program_point_data): Add field m_excess_enodes.
	(exploded_graph::print_bar_charts): New decl.
	* supergraph.cc (superedge::dump): New.
	(superedge::dump): New.
	* supergraph.h (supernode::get_function): New.
	(superedge::dump): New decl.
	(superedge::dump): New decl.

2020-02-24  David Malcolm  <dmalcolm (a] redhat.com>

	* engine.cc (exploded_graph::get_or_create_node): Dump the
	program_state to the pp, rather than to stderr.

2020-02-24  David Malcolm  <dmalcolm (a] redhat.com>

	PR analyzer/93032
	* sm.cc (make_checkers): Require the "taint" checker to be
	explicitly enabled.

2020-02-24  David Malcolm  <dmalcolm (a] redhat.com>

	PR analyzer/93899
	* engine.cc
	(impl_region_model_context::impl_region_model_context): Add logger
	param.
	* engine.cc (exploded_graph::add_function_entry): Create an
	impl_region_model_context and pass it to the push_frame call.
	Bail if the resulting state is invalid.
	(exploded_graph::build_initial_worklist): Likewise.
	(exploded_graph::build_initial_worklist): Handle the case where
	add_function_entry fails.
	* exploded-graph.h
	(impl_region_model_context::impl_region_model_context): Add logger
	param.
	* region-model.cc (map_region::get_or_create): Add ctxt param and
	pass it to add_region_for_type.
	(map_region::can_merge_p): Pass NULL as a ctxt to call to
	get_or_create.
	(array_region::get_element): Pass ctxt to call to get_or_create.
	(array_region::get_or_create): Add ctxt param and pass it to
	add_region_for_type.
	(root_region::push_frame): Pass ctxt to get_or_create calls.
	(region_model::get_lvalue_1): Likewise.
	(region_model::make_region_for_unexpected_tree_code): Assert that
	ctxt is non-NULL.
	(region_model::get_rvalue_1): Pass ctxt to get_svalue_for_fndecl
	and get_svalue_for_label calls.
	(region_model::get_svalue_for_fndecl): Add ctxt param and pass it
	to get_region_for_fndecl.
	(region_model::get_region_for_fndecl): Add ctxt param and pass it
	to get_or_create.
	(region_model::get_svalue_for_label): Add ctxt param and pass it
	to get_region_for_label.
	(region_model::get_region_for_label): Add ctxt param and pass it
	to get_region_for_fndecl and get_or_create.
	(region_model::get_field_region): Add ctxt param and pass it to
	get_or_create_view and get_or_create.
	(make_region_for_type): Replace gcc_unreachable with return NULL.
	(region_model::add_region_for_type): Add ctxt param.  Handle a
	return of NULL from make_region_for_type by calling
	make_region_for_unexpected_tree_code.
	(region_model::get_or_create_mem_ref): Pass ctxt to calls to
	get_or_create_view.
	(region_model::get_or_create_view): Add ctxt param and pass it to
	add_region_for_type.
	(selftest::test_state_merging): Pass ctxt to get_or_create_view.
	* region-model.h (region_model::get_or_create): Add ctxt param.
	(region_model::add_region_for_type): Likewise.
	(region_model::get_svalue_for_fndecl): Likewise.
	(region_model::get_svalue_for_label): Likewise.
	(region_model::get_region_for_fndecl): Likewise.
	(region_model::get_region_for_label): Likewise.
	(region_model::get_field_region): Likewise.
	(region_model::get_or_create_view): Likewise.

2020-02-24  David Malcolm  <dmalcolm (a] redhat.com>

	* checker-path.cc (superedge_event::should_filter_p): Update
	filter for empty descriptions to cover verbosity level 3 as well
	as 2.
	* diagnostic-manager.cc: Include "analyzer/reachability.h".
	(class path_builder): New class.
	(diagnostic_manager::emit_saved_diagnostic): Create a path_builder
	and pass it to build_emission_path, rather passing eg; similarly
	for add_events_for_eedge and ext_state.
	(diagnostic_manager::build_emission_path): Replace "eg" param
	with a path_builder, pass it to add_events_for_eedge.
	(diagnostic_manager::add_events_for_eedge): Replace ext_state
	param with path_builder; pass it to add_events_for_superedge.
	(diagnostic_manager::significant_edge_p): New.
	(diagnostic_manager::add_events_for_superedge): Add path_builder
	param.  Reject insignificant edges at verbosity levels below 3.
	(diagnostic_manager::prune_for_sm_diagnostic): Update highest
	verbosity level to 4.
	* diagnostic-manager.h (class path_builder): New forward decl.
	(diagnostic_manager::build_emission_path): Replace "eg" param
	with a path_builder.
	(diagnostic_manager::add_events_for_eedge): Replace ext_state
	param with path_builder.
	(diagnostic_manager::significant_edge_p): New.
	(diagnostic_manager::add_events_for_superedge): Add path_builder
	param.
	* reachability.h: New file.

2020-02-18  David Malcolm  <dmalcolm (a] redhat.com>

	PR analyzer/93692
	* analyzer.opt (fdump-analyzer-callgraph): Rewrite description.

2020-02-18  David Malcolm  <dmalcolm (a] redhat.com>

	PR analyzer/93777
	* region-model.cc (region_model::maybe_cast_1): Replace assertion
	that build_cast returns non-NULL with a conditional, falling
	through to the logic which returns a new unknown value of the
	desired type if it fails.

2020-02-18  David Malcolm  <dmalcolm (a] redhat.com>

	PR analyzer/93778
	* engine.cc (impl_region_model_context::on_unknown_tree_code):
	Rename to...
	(impl_region_model_context::on_unexpected_tree_code): ...this and
	convert first argument from path_var to tree.
	(exploded_node::on_stmt): Pass ctxt to purge_for_unknown_fncall.
	* exploded-graph.h (region_model_context::on_unknown_tree_code):
	Rename to...
	(region_model_context::on_unexpected_tree_code): ...this and
	convert first argument from path_var to tree.
	* program-state.cc (sm_state_map::purge_for_unknown_fncall): Add
	ctxt param and pass on to calls to get_rvalue.
	* program-state.h (sm_state_map::purge_for_unknown_fncall): Add
	ctxt param.
	* region-model.cc (region_model::handle_unrecognized_call): Pass
	ctxt on to call to get_rvalue.
	(region_model::get_lvalue_1): Move body of default case to
	region_model::make_region_for_unexpected_tree_code and call it.
	Within COMPONENT_REF case, reject attempts to handle types other
	than RECORD_TYPE and UNION_TYPE.
	(region_model::make_region_for_unexpected_tree_code): New
	function, based on default case of region_model::get_lvalue_1.
	* region-model.h
	(region_model::make_region_for_unexpected_tree_code): New decl.
	(region_model::on_unknown_tree_code): Rename to...
	(region_model::on_unexpected_tree_code): ...this and convert first
	argument from path_var to tree.
	(class test_region_model_context): Update vfunc implementation for
	above change.

2020-02-18  David Malcolm  <dmalcolm (a] redhat.com>

	PR analyzer/93774
	* region-model.cc
	(region_model::convert_byte_offset_to_array_index): Use
	int_size_in_bytes before calling size_in_bytes, to gracefully fail
	on incomplete types.

2020-02-17  David Malcolm  <dmalcolm (a] redhat.com>

	PR analyzer/93775
	* region-model.cc (region_model::get_fndecl_for_call): Handle the
	case where the code_region's get_tree_for_child_region returns
	NULL.

2020-02-17  David Malcolm  <dmalcolm (a] redhat.com>

	PR analyzer/93388
	* engine.cc (impl_region_model_context::on_unknown_tree_code):
	New.
	(exploded_graph::get_or_create_node): Reject invalid states.
	* exploded-graph.h
	(impl_region_model_context::on_unknown_tree_code): New decl.
	(point_and_state::point_and_state): Assert that the state is
	valid.
	* program-state.cc (program_state::program_state): Initialize
	m_valid to true.
	(program_state::operator=): Copy m_valid.
	(program_state::program_state): Likewise for move constructor.
	(program_state::print): Print m_valid.
	(program_state::dump_to_pp): Likewise.
	* program-state.h (program_state::m_valid): New field.
	* region-model.cc (region_model::get_lvalue_1): Implement the
	default case by returning a new symbolic region and calling
	the context's on_unknown_tree_code, rather than issuing an
	internal_error.  Implement VIEW_CONVERT_EXPR.
	* region-model.h (region_model_context::on_unknown_tree_code): New
	vfunc.
	(test_region_model_context::on_unknown_tree_code): New.

2020-02-17  David Malcolm  <dmalcolm (a] redhat.com>

	* sm-malloc.cc (malloc_diagnostic::describe_state_change): For
	transition to the "null" state, only say "assuming" when
	transitioning from the "unchecked" state.

2020-02-17  David Malcolm  <dmalcolm (a] redhat.com>

	* diagnostic-manager.h (diagnostic_manager::get_saved_diagnostic):
	Add const overload.
	* engine.cc (exploded_node::dump_dot): Dump saved_diagnostics.
	* exploded-graph.h (exploded_graph::get_diagnostic_manager): Add
	const overload.

2020-02-11  David Malcolm  <dmalcolm (a] redhat.com>

	PR analyzer/93288
	* analysis-plan.cc (analysis_plan::use_summary_p): Look through
	the ultimate_alias_target when getting the called function.
	* engine.cc (exploded_node::on_stmt): Rename second "ctxt" to
	"sm_ctxt".  Use the region_model's get_fndecl_for_call rather than
	gimple_call_fndecl.
	* region-model.cc (region_model::get_fndecl_for_call): Use
	ultimate_alias_target on fndecl.
	* supergraph.cc (get_ultimate_function_for_cgraph_edge): New
	function.
	(supergraph_call_edge): Use it when rejecting edges without
	functions.
	(supergraph::supergraph): Use it to get the function for the
	cgraph_edge when building interprocedural superedges.
	(callgraph_superedge::get_callee_function):  Use it.
	* supergraph.h (supergraph::get_num_snodes): Make param const.
	(supergraph::function_to_num_snodes_t): Make first type param
	const.

2020-02-11  David Malcolm  <dmalcolm (a] redhat.com>

	PR analyzer/93374
	* engine.cc (exploded_edge::exploded_edge): Add ext_state param
	and pass it to change.validate.
	(exploded_graph::get_or_create_node): Move purging of change
	svalues to also cover the case of reusing an existing enode.
	(exploded_graph::add_edge): Pass m_ext_state to exploded_edge's
	ctor.
	* exploded-graph.h (exploded_edge::exploded_edge): Add ext_state
	param.
	* program-state.cc (state_change::sm_change::validate): Likewise.
	Assert that m_sm_idx is sane.  Use ext_state to validate
	m_old_state and m_new_state.
	(state_change::validate): Add ext_state param and pass it to
	the sm_change validate calls.
	* program-state.h (state_change::sm_change::validate): Add
	ext_state param.
	(state_change::validate): Likewise.

2020-02-11  David Malcolm  <dmalcolm (a] redhat.com>

	PR analyzer/93669
	* engine.cc (exploded_graph::dump_exploded_nodes): Handle missing
	case of STATUS_WORKLIST in implementation of
	"__analyzer_dump_exploded_nodes".

2020-02-11  David Malcolm  <dmalcolm (a] redhat.com>

	PR analyzer/93649
	* constraint-manager.cc (constraint_manager::add_constraint): When
	merging equivalence classes and updating m_constant, also update
	m_cst_sid.
	(constraint_manager::validate): If m_constant is non-NULL assert
	that m_cst_sid is non-null and is valid.

2020-02-11  David Malcolm  <dmalcolm (a] redhat.com>

	PR analyzer/93657
	* analyzer.opt (fdump-analyzer): Reword description.
	(fdump-analyzer-stderr): Likewise.

2020-02-11  David Malcolm  <dmalcolm (a] redhat.com>

	* region-model.cc (print_quoted_type): New function.
	(svalue::print): Use it to replace %qT.
	(region::dump_to_pp): Likewise.
	(region::dump_child_label): Likewise.
	(region::print_fields): Likewise.

2020-02-10  David Malcolm  <dmalcolm (a] redhat.com>

	PR analyzer/93659
	* analyzer.opt (-param=analyzer-max-recursion-depth=): Fix "tha"
	-> "that" typo.
	(Wanalyzer-use-of-uninitialized-value): Fix "initialized" ->
	"uninitialized" typo.

2020-02-10  David Malcolm  <dmalcolm (a] redhat.com>

	PR analyzer/93350
	* region-model.cc (region_model::get_lvalue_1):
	Handle BIT_FIELD_REF.
	(make_region_for_type): Handle VECTOR_TYPE.

2020-02-10  David Malcolm  <dmalcolm (a] redhat.com>

	PR analyzer/93647
	* diagnostic-manager.cc
	(diagnostic_manager::prune_for_sm_diagnostic): Bulletproof against
	VAR being constant.
	* region-model.cc (region_model::get_lvalue_1): Provide a better
	error message when encountering an unhandled tree code.

2020-02-10  David Malcolm  <dmalcolm (a] redhat.com>

	PR analyzer/93405
	* region-model.cc (region_model::get_lvalue_1): Implement
	CONST_DECL.

2020-02-06  David Malcolm  <dmalcolm (a] redhat.com>

	* region-model.cc (region_model::maybe_cast_1): Attempt to provide
	a region_svalue if either type is a pointer, rather than if both
	types are pointers.

2020-02-05  David Malcolm  <dmalcolm (a] redhat.com>

	* engine.cc (exploded_node::dump_dot): Show merger enodes.
	(worklist::add_node): Assert that the node's m_status is
	STATUS_WORKLIST.
	(exploded_graph::process_worklist): Likewise for nodes from the
	worklist.  Set status of merged nodes to STATUS_MERGER.
	(exploded_graph::process_node): Set status of node to
	STATUS_PROCESSED.
	(exploded_graph::dump_exploded_nodes): Rework handling of
	"__analyzer_dump_exploded_nodes", splitting enodes by status into
	"processed" and "merger", showing the count of just the processed
	enodes at the call, rather than the count of all enodes.
	* exploded-graph.h (exploded_node::status): New enum.
	(exploded_node::exploded_node): Initialize m_status to
	STATUS_WORKLIST.
	(exploded_node::get_status): New getter.
	(exploded_node::set_status): New setter.

2020-02-04  David Malcolm  <dmalcolm (a] redhat.com>

	PR analyzer/93543
	* engine.cc (pod_hash_traits<function_call_string>::mark_empty):
	Eliminate reinterpret_cast.
	(pod_hash_traits<function_call_string>::is_empty): Likewise.

2020-02-03  David Malcolm  <dmalcolm (a] redhat.com>

	* constraint-manager.cc (range::constrained_to_single_element):
	Replace fold_build2 with fold_binary.  Remove unnecessary newline.
	(constraint_manager::get_or_add_equiv_class): Replace fold_build2
	with fold_binary in two places, and remove out-of-date comment.
	(constraint_manager::eval_condition): Replace fold_build2 with
	fold_binary.
	* region-model.cc (constant_svalue::eval_condition): Likewise.
	(region_model::on_assignment): Likewise.

2020-02-03  David Malcolm  <dmalcolm (a] redhat.com>

	PR analyzer/93544
	* diagnostic-manager.cc
	(diagnostic_manager::prune_for_sm_diagnostic): Bulletproof
	against bad choices due to bad paths.
	* engine.cc (impl_region_model_context::on_phi): New.
	* exploded-graph.h (impl_region_model_context::on_phi): New decl.
	* region-model.cc (region_model::on_longjmp): Likewise.
	(region_model::handle_phi): Add phi param.  Call the ctxt's on_phi
	vfunc.
	(region_model::update_for_phis): Pass phi to handle_phi.
	* region-model.h (region_model::handle_phi): Add phi param.
	(region_model_context::on_phi): New vfunc.
	(test_region_model_context::on_phi): New.
	* sm-malloc.cc (malloc_state_machine::on_phi): New.
	(malloc_state_machine::on_zero_assignment): New.
	* sm.h (state_machine::on_phi): New vfunc.

2020-02-03  David Malcolm  <dmalcolm (a] redhat.com>

	* engine.cc (supernode_cluster::dump_dot): Show BB index as
	well as SN index.
	* supergraph.cc (supernode::dump_dot): Likewise.

2020-02-03  David Malcolm  <dmalcolm (a] redhat.com>

	PR analyzer/93546
	* region-model.cc (region_model::on_call_pre): Update for new
	param of symbolic_region ctor.
	(region_model::deref_rvalue): Likewise.
	(region_model::add_new_malloc_region): Likewise.
	(make_region_for_type): Likewise, preserving type.
	* region-model.h (symbolic_region::symbolic_region): Add "type"
	param and pass it to base class ctor.

2020-02-03  David Malcolm  <dmalcolm (a] redhat.com>

	PR analyzer/93547
	* constraint-manager.cc
	(constraint_manager::get_or_add_equiv_class): Ensure types are
	compatible before comparing constants.

2020-01-31  David Malcolm  <dmalcolm (a] redhat.com>

	PR analyzer/93457
	* region-model.cc (make_region_for_type): Use VOID_TYPE_P rather
	than checking against void_type_node.

2020-01-31  David Malcolm  <dmalcolm (a] redhat.com>

	PR analyzer/93373
	* region-model.cc (ASSERT_COMPAT_TYPES): Convert to...
	(assert_compat_types): ...this, and bail when either type is NULL,
	or when VOID_TYPE_P (dst_type).
	(region_model::get_lvalue): Update for above conversion.
	(region_model::get_rvalue): Likewise.

2020-01-31  David Malcolm  <dmalcolm (a] redhat.com>

	PR analyzer/93379
	* region-model.cc (region_model::update_for_return_superedge):
	Move check for null result so that it also guards setting the
	lhs.

2020-01-31  David Malcolm  <dmalcolm (a] redhat.com>

	PR analyzer/93438
	* region-model.cc (stack_region::can_merge_p): Split into a two
	pass approach, creating all stack regions first, then populating
	them.
	(selftest::test_state_merging): Add test coverage for (a) the case
	of self-merging a model in which a local in an older stack frame
	points to a local in a more recent stack frame (which previously
	would ICE), and (b) the case of self-merging a model in which a
	local points to a global (which previously worked OK).

2020-01-31  David Malcolm  <dmalcolm (a] redhat.com>

	* analyzer.cc (is_named_call_p): Replace tests for fndecl being
	extern at file scope and having a non-NULL DECL_NAME with a call
	to maybe_special_function_p.
	* function-set.cc (function_set::contains_decl_p): Add call to
	maybe_special_function_p.

2020-01-31  David Malcolm  <dmalcolm (a] redhat.com>

	PR analyzer/93450
	* constraint-manager.cc
	(constraint_manager::get_or_add_equiv_class): Only compare constants
	if their types are compatible.
	* region-model.cc (constant_svalue::eval_condition): Replace check
	for identical types with call to types_compatible_p.

2020-01-30  David Malcolm  <dmalcolm (a] redhat.com>

	* program-state.cc (extrinsic_state::dump_to_pp): New.
	(extrinsic_state::dump_to_file): New.
	(extrinsic_state::dump): New.
	* program-state.h (extrinsic_state::dump_to_pp): New decl.
	(extrinsic_state::dump_to_file): New decl.
	(extrinsic_state::dump): New decl.
	* sm.cc: Include "pretty-print.h".
	(state_machine::dump_to_pp): New.
	* sm.h (state_machine::dump_to_pp): New decl.

2020-01-30  David Malcolm  <dmalcolm (a] redhat.com>

	* diagnostic-manager.cc (for_each_state_change): Use
	extrinsic_state::get_num_checkers rather than accessing m_checkers
	directly.
	* program-state.cc (program_state::program_state): Likewise.
	* program-state.h (extrinsic_state::m_checkers): Make private.

2020-01-30  David Malcolm  <dmalcolm (a] redhat.com>

	PR analyzer/93356
	* region-model.cc (region_model::eval_condition): In both
	overloads, bail out immediately on floating-point types.
	(region_model::eval_condition_without_cm): Likewise.
	(region_model::add_constraint): Likewise.

2020-01-30  David Malcolm  <dmalcolm (a] redhat.com>

	PR analyzer/93450
	* program-state.cc (sm_state_map::set_state): For the overload
	taking an svalue_id, bail out if the set_state on the ec does
	nothing.  Convert the latter's return type from void to bool,
	returning true if anything changed.
	(sm_state_map::impl_set_state): Convert the return type from void
	to bool, returning true if the state changed.
	* program-state.h (sm_state_map::set_state): Convert return type
	from void to bool.
	(sm_state_map::impl_set_state): Likewise.
	* region-model.cc (constant_svalue::eval_condition): Only call
	fold_build2 if the types are the same.

2020-01-29  Jakub Jelinek  <jakub (a] redhat.com>

	* analyzer.h (PUSH_IGNORE_WFORMAT, POP_IGNORE_WFORMAT): Remove.
	* constraint-manager.cc: Include diagnostic-core.h before graphviz.h.
	(range::dump, equiv_class::print): Don't use PUSH_IGNORE_WFORMAT or
	POP_IGNORE_WFORMAT.
	* state-purge.cc: Include diagnostic-core.h before
	gimple-pretty-print.h.
	(state_purge_annotator::add_node_annotations, print_vec_of_names):
	Don't use PUSH_IGNORE_WFORMAT or POP_IGNORE_WFORMAT.
	* region-model.cc: Move diagnostic-core.h include before graphviz.h.
	(path_var::dump, svalue::print, constant_svalue::print_details,
	region::dump_to_pp, region::dump_child_label, region::print_fields,
	map_region::print_fields, map_region::dump_dot_to_pp,
	map_region::dump_child_label, array_region::print_fields,
	array_region::dump_dot_to_pp): Don't use PUSH_IGNORE_WFORMAT or
	POP_IGNORE_WFORMAT.

2020-01-28  David Malcolm  <dmalcolm (a] redhat.com>

	PR analyzer/93316
	* engine.cc (rewind_info_t::update_model): Get the longjmp call
	stmt via get_longjmp_call () rather than assuming it is the last
	stmt in the longjmp's supernode.
	(rewind_info_t::add_events_to_path): Get the location_t for the
	rewind_from_longjmp_event via get_longjmp_call () rather than from
	the supernode's get_end_location ().

2020-01-28  David Malcolm  <dmalcolm (a] redhat.com>

	* region-model.cc (poisoned_value_diagnostic::emit): Update for
	renaming of warning_at overload to warning_meta.
	* sm-file.cc (file_leak::emit): Likewise.
	* sm-malloc.cc (double_free::emit): Likewise.
	(possible_null_deref::emit): Likewise.
	(possible_null_arg::emit): Likewise.
	(null_deref::emit): Likewise.
	(null_arg::emit): Likewise.
	(use_after_free::emit): Likewise.
	(malloc_leak::emit): Likewise.
	(free_of_non_heap::emit): Likewise.
	* sm-sensitive.cc (exposure_through_output_file::emit): Likewise.
	* sm-signal.cc (signal_unsafe_call::emit): Likewise.
	* sm-taint.cc (tainted_array_index::emit): Likewise.

2020-01-27  David Malcolm  <dmalcolm (a] redhat.com>

	PR analyzer/93451
	* region-model.cc (tree_cmp): For the REAL_CST case, impose an
	arbitrary order on NaNs relative to other NaNs and to non-NaNs;
	const-correctness tweak.
	(ana::selftests::build_real_cst_from_string): New function.
	(ana::selftests::append_interesting_constants): New function.
	(ana::selftests::test_tree_cmp_on_constants): New test.
	(ana::selftests::test_canonicalization_4): New test.
	(ana::selftests::analyzer_region_model_cc_tests): Call the new
	tests.

2020-01-27  David Malcolm  <dmalcolm (a] redhat.com>

	PR analyzer/93349
	* engine.cc (run_checkers): Save and restore input_location.

2020-01-27  David Malcolm  <dmalcolm (a] redhat.com>

	* call-string.cc (call_string::cmp_1): Delete, moving body to...
	(call_string::cmp): ...here.
	* call-string.h (call_string::cmp_1): Delete decl.
	* engine.cc (worklist::key_t::cmp_1): Delete, moving body to...
	(worklist::key_t::cmp): ...here.  Implement hash comparisons
	via comparison rather than subtraction to avoid overflow issues.
	* exploded-graph.h (worklist::key_t::cmp_1): Delete decl.
	* region-model.cc (tree_cmp): Eliminate buggy checking for
	symmetry.

2020-01-27  David Malcolm  <dmalcolm (a] redhat.com>

	* analyzer.cc  (is_named_call_p): Check that fndecl is "extern"
	and at file scope.  Potentially disregard prefix _ or __ in
	fndecl's name.  Bail if the identifier is NULL.
	(is_setjmp_call_p): Expect a gcall rather than plain gimple.
	Remove special-case check for leading prefix, and also check for
	sigsetjmp.
	(is_longjmp_call_p): Also check for siglongjmp.
	(get_user_facing_name): New function.
	* analyzer.h (is_setjmp_call_p): Expect a gcall rather than plain
	gimple.
	(get_user_facing_name): New decl.
	* checker-path.cc (setjmp_event::get_desc): Use
	get_user_facing_name to avoid hardcoding the function name.
	(rewind_event::rewind_event): Add rewind_info param, using it to
	initialize new m_rewind_info field, and strengthen the assertion.
	(rewind_from_longjmp_event::get_desc): Use get_user_facing_name to
	avoid hardcoding the function name.
	(rewind_to_setjmp_event::get_desc): Likewise.
	* checker-path.h (setjmp_event::setjmp_event): Add setjmp_call
	param and use it to initialize...
	(setjmp_event::m_setjmp_call): New field.
	(rewind_event::rewind_event): Add rewind_info param.
	(rewind_event::m_rewind_info): New protected field.
	(rewind_from_longjmp_event::rewind_from_longjmp_event): Add
	rewind_info param.
	(class rewind_to_setjmp_event): Move rewind_info field to parent
	class.
	* diagnostic-manager.cc (diagnostic_manager::add_events_for_eedge):
	Update setjmp-handling for is_setjmp_call_p requiring a gcall;
	pass the call to the new setjmp_event.
	* engine.cc (exploded_node::on_stmt): Update for is_setjmp_call_p
	requiring a gcall.
	(stale_jmp_buf::emit): Use get_user_facing_name to avoid
	hardcoding the function names.
	(exploded_node::on_longjmp): Pass the longjmp_call when
	constructing rewind_info.
	(rewind_info_t::add_events_to_path): Pass the rewind_info_t to the
	rewind_from_longjmp_event's ctor.
	* exploded-graph.h (rewind_info_t::rewind_info_t): Add
	longjmp_call param.
	(rewind_info_t::get_longjmp_call): New.
	(rewind_info_t::m_longjmp_call): New.
	* region-model.cc (region_model::on_setjmp): Update comment to
	indicate this is also for sigsetjmp.
	* region-model.h (struct setjmp_record): Likewise.
	(class setjmp_svalue): Likewise.

2020-01-27  David Malcolm  <dmalcolm (a] redhat.com>

	PR analyzer/93276
	* analyzer.h (PUSH_IGNORE_WFORMAT, POP_IGNORE_WFORMAT): Guard these
	macros with GCC_VERSION >= 4006, making them no-op otherwise.
	* engine.cc (exploded_edge::exploded_edge): Specify template for
	base class initializer.
	(exploded_graph::add_edge): Specify template when chaining up to
	base class add_edge implementation.
	(viz_callgraph_node::dump_dot): Drop redundant "typename".
	(viz_callgraph_edge::viz_callgraph_edge): Specify template for
	base class initializer.
	* program-state.cc (sm_state_map::clone_with_remapping): Drop
	redundant "typename".
	(sm_state_map::print): Likewise.
	(sm_state_map::hash): Likewise.
	(sm_state_map::operator==): Likewise.
	(sm_state_map::remap_svalue_ids): Likewise.
	(sm_state_map::on_svalue_purge): Likewise.
	(sm_state_map::validate): Likewise.
	* program-state.h (sm_state_map::iterator_t): Likewise.
	* supergraph.h (superedge::superedge): Specify template for base
	class initializer.

2020-01-23  David Malcolm  <dmalcolm (a] redhat.com>

	PR analyzer/93375
	* supergraph.cc (callgraph_superedge::get_arg_for_parm): Fail
	gracefully is the number of parameters at the callee exceeds the
	number of arguments at the call stmt.
	(callgraph_superedge::get_parm_for_arg): Likewise.

2020-01-22  David Malcolm  <dmalcolm (a] redhat.com>

	PR analyzer/93382
	* program-state.cc (sm_state_map::on_svalue_purge): If the
	entry survives, but the origin is being purged, then reset the
	origin to null.

2020-01-22  David Malcolm  <dmalcolm (a] redhat.com>

	* sm-signal.cc: Fix nesting of CHECKING_P and namespace ana.

2020-01-22  David Malcolm  <dmalcolm (a] redhat.com>

	PR analyzer/93378
	* engine.cc (setjmp_svalue::compare_fields): Update for
	replacement of m_enode with m_setjmp_record.
	(setjmp_svalue::add_to_hash): Likewise.
	(setjmp_svalue::get_index): Rename...
	(setjmp_svalue::get_enode_index): ...to this.
	(setjmp_svalue::print_details): Update for replacement of m_enode
	with m_setjmp_record.
	(exploded_node::on_longjmp): Likewise.
	* exploded-graph.h (rewind_info_t::m_enode_origin): Replace...
	(rewind_info_t::m_setjmp_record): ...with this.
	(rewind_info_t::rewind_info_t): Update for replacement of m_enode
	with m_setjmp_record.
	(rewind_info_t::get_setjmp_point): Likewise.
	(rewind_info_t::get_setjmp_call): Likewise.
	* region-model.cc (region_model::dump_summary_of_map): Likewise.
	(region_model::on_setjmp): Likewise.
	* region-model.h (struct setjmp_record): New struct.
	(setjmp_svalue::m_enode): Replace...
	(setjmp_svalue::m_setjmp_record): ...with this.
	(setjmp_svalue::setjmp_svalue): Update for replacement of m_enode
	with m_setjmp_record.
	(setjmp_svalue::clone): Likewise.
	(setjmp_svalue::get_index): Rename...
	(setjmp_svalue::get_enode_index): ...to this.
	(setjmp_svalue::get_exploded_node): Replace...
	(setjmp_svalue::get_setjmp_record): ...with this.

2020-01-22  David Malcolm  <dmalcolm (a] redhat.com>

	PR analyzer/93316
	* analyzer.cc (is_setjmp_call_p): Check for "setjmp" as well as
	"_setjmp".

2020-01-22  David Malcolm  <dmalcolm (a] redhat.com>

	PR analyzer/93307
	* analysis-plan.h: Wrap everything namespace "ana".
	* analyzer-logging.cc: Likewise.
	* analyzer-logging.h: Likewise.
	* analyzer-pass.cc (pass_analyzer::execute): Update for "ana"
	namespace.
	* analyzer-selftests.cc: Wrap everything namespace "ana".
	* analyzer-selftests.h: Likewise.
	* analyzer.h: Likewise for forward decls of types.
	* call-string.h: Likewise.
	* checker-path.cc: Likewise.
	* checker-path.h: Likewise.
	* constraint-manager.cc: Likewise.
	* constraint-manager.h: Likewise.
	* diagnostic-manager.cc: Likewise.
	* diagnostic-manager.h: Likewise.
	* engine.cc: Likewise.
	* engine.h: Likewise.
	* exploded-graph.h: Likewise.
	* function-set.cc: Likewise.
	* function-set.h: Likewise.
	* pending-diagnostic.cc: Likewise.
	* pending-diagnostic.h: Likewise.
	* program-point.cc: Likewise.
	* program-point.h: Likewise.
	* program-state.cc: Likewise.
	* program-state.h: Likewise.
	* region-model.cc: Likewise.
	* region-model.h: Likewise.
	* sm-file.cc: Likewise.
	* sm-malloc.cc: Likewise.
	* sm-pattern-test.cc: Likewise.
	* sm-sensitive.cc: Likewise.
	* sm-signal.cc: Likewise.
	* sm-taint.cc: Likewise.
	* sm.cc: Likewise.
	* sm.h: Likewise.
	* state-purge.h: Likewise.
	* supergraph.cc: Likewise.
	* supergraph.h: Likewise.

2020-01-21  David Malcolm  <dmalcolm (a] redhat.com>

	PR analyzer/93352
	* region-model.cc (int_cmp): Rename to...
	(array_region::key_cmp): ...this, using key_t rather than int.
	Rewrite in terms of comparisons rather than subtraction to
	ensure qsort is anti-symmetric when handling extreme values.
	(array_region::walk_for_canonicalization): Update for above
	renaming.
	* region-model.h (array_region::key_cmp): New decl.

2020-01-17  David Malcolm  <dmalcolm (a] redhat.com>

	PR analyzer/93290
	* region-model.cc (region_model::eval_condition_without_cm): Avoid
	gcc_unreachable for unexpected operations for the case where
	we're comparing an svalue against itself.

2020-01-17  David Malcolm  <dmalcolm (a] redhat.com>

	PR analyzer/93281
	* region-model.cc
	(region_model::convert_byte_offset_to_array_index): Convert to
	ssizetype before dividing by byte_size.  Use fold_binary rather
	than fold_build2 to avoid needlessly constructing a tree for the
	non-const case.

2020-01-15  David Malcolm  <dmalcolm (a] redhat.com>

	* engine.cc (class impl_region_model_context): Fix comment.

2020-01-14  David Malcolm  <dmalcolm (a] redhat.com>

	PR analyzer/93212
	* region-model.cc (make_region_for_type): Use
	FUNC_OR_METHOD_TYPE_P rather than comparing against FUNCTION_TYPE.
	* region-model.h (function_region::function_region): Likewise.

2020-01-14  David Malcolm  <dmalcolm (a] redhat.com>

	* program-state.cc (sm_state_map::clone_with_remapping): Copy
	m_global_state.
	(selftest::test_program_state_merging_2): New selftest.
	(selftest::analyzer_program_state_cc_tests): Call it.

2020-01-14  David Malcolm  <dmalcolm (a] redhat.com>

	* checker-path.h (checker_path::get_checker_event): New function.
	(checker_path): Add DISABLE_COPY_AND_ASSIGN; make fields private.
	* diagnostic-manager.cc
	(diagnostic_manager::prune_for_sm_diagnostic): Replace direct
	access to checker_path::m_events with accessor functions.  Fix
	overlong line.
	(diagnostic_manager::prune_interproc_events): Replace direct
	access to checker_path::m_events with accessor functions.
	(diagnostic_manager::finish_pruning): Likewise.

2020-01-14  David Malcolm  <dmalcolm (a] redhat.com>

	* checker-path.h (checker_event::clone): Delete vfunc decl.
	(debug_event::clone): Delete vfunc impl.
	(custom_event::clone): Delete vfunc impl.
	(statement_event::clone): Delete vfunc impl.
	(function_entry_event::clone): Delete vfunc impl.
	(state_change_event::clone): Delete vfunc impl.
	(start_cfg_edge_event::clone): Delete vfunc impl.
	(end_cfg_edge_event::clone): Delete vfunc impl.
	(call_event::clone): Delete vfunc impl.
	(return_event::clone): Delete vfunc impl.
	(setjmp_event::clone): Delete vfunc impl.
	(rewind_from_longjmp_event::clone): Delete vfunc impl.
	(rewind_to_setjmp_event::clone): Delete vfunc impl.
	(warning_event::clone): Delete vfunc impl.

2020-01-14  David Malcolm  <dmalcolm (a] redhat.com>

	* supergraph.cc (supernode::dump_dot): Ensure that the TABLE
	element has at least one TR.

2020-01-14  David Malcolm  <dmalcolm (a] redhat.com>

	PR analyzer/58237
	* engine.cc (leak_stmt_finder::find_stmt): Use get_pure_location
	when comparing against UNKNOWN_LOCATION.
	(stmt_requires_new_enode_p): Likewise.
	(exploded_graph::dump_exploded_nodes): Likewise.
	* supergraph.cc (supernode::get_start_location): Likewise.
	(supernode::get_end_location): Likewise.

2020-01-14  David Malcolm  <dmalcolm (a] redhat.com>

	PR analyzer/58237
	* analyzer-selftests.cc (selftest::run_analyzer_selftests): Call
	selftest::analyzer_sm_file_cc_tests.
	* analyzer-selftests.h (selftest::analyzer_sm_file_cc_tests): New
	decl.
	* sm-file.cc: Include "analyzer/function-set.h" and
	"analyzer/analyzer-selftests.h".
	(get_file_using_fns): New function.
	(is_file_using_fn_p): New function.
	(fileptr_state_machine::on_stmt): Return true for known functions.
	(selftest::analyzer_sm_file_cc_tests): New function.

2020-01-14  David Malcolm  <dmalcolm (a] redhat.com>

	* analyzer-selftests.cc (selftest::run_analyzer_selftests): Call
	selftest::analyzer_sm_signal_cc_tests.
	* analyzer-selftests.h (selftest::analyzer_sm_signal_cc_tests):
	New decl.
	* sm-signal.cc: Include "analyzer/function-set.h" and
	"analyzer/analyzer-selftests.h".
	(get_async_signal_unsafe_fns): New function.
	(signal_unsafe_p): Reimplement in terms of the above.
	(selftest::analyzer_sm_signal_cc_tests): New function.

2020-01-14  David Malcolm  <dmalcolm (a] redhat.com>

	* analyzer-selftests.cc (selftest::run_analyzer_selftests): Call
	selftest::analyzer_function_set_cc_tests.
	* analyzer-selftests.h (selftest::analyzer_function_set_cc_tests):
	New decl.
	* function-set.cc: New file.
	* function-set.h: New file.

2020-01-14  David Malcolm  <dmalcolm (a] redhat.com>

	* analyzer.h (fndecl_has_gimple_body_p): New decl.
	* engine.cc (impl_region_model_context::on_unknown_change): New
	function.
	(fndecl_has_gimple_body_p): Make non-static.
	(exploded_node::on_stmt): Treat __analyzer_dump_exploded_nodes as
	known.  Track whether we have a call with unknown side-effects and
	pass it to on_call_post.
	* exploded-graph.h (impl_region_model_context::on_unknown_change):
	New decl.
	* program-state.cc (sm_state_map::on_unknown_change): New function.
	* program-state.h (sm_state_map::on_unknown_change): New decl.
	* region-model.cc: Include "bitmap.h".
	(region_model::on_call_pre): Return a bool, capturing whether the
	call has unknown side effects.
	(region_model::on_call_post): Add arg "bool unknown_side_effects"
	and if true, call handle_unrecognized_call.
	(class reachable_regions): New class.
	(region_model::handle_unrecognized_call): New function.
	* region-model.h (region_model::on_call_pre): Return a bool.
	(region_model::on_call_post): Add arg "bool unknown_side_effects".
	(region_model::handle_unrecognized_call): New decl.
	(region_model_context::on_unknown_change): New vfunc.
	(test_region_model_context::on_unknown_change): New function.

2020-01-14  David Malcolm  <dmalcolm (a] redhat.com>

	* diagnostic-manager.cc (saved_diagnostic::operator==): Move here
	from header.  Replace pointer equality test on m_var with call to
	pending_diagnostic::same_tree_p.
	* diagnostic-manager.h (saved_diagnostic::operator==): Move to
	diagnostic-manager.cc.
	* pending-diagnostic.cc (pending_diagnostic::same_tree_p): New.
	* pending-diagnostic.h (pending_diagnostic::same_tree_p): New.
	* sm-file.cc (file_diagnostic::subclass_equal_p): Replace pointer
	equality on m_arg with call to pending_diagnostic::same_tree_p.
	* sm-malloc.cc (malloc_diagnostic::subclass_equal_p): Likewise.
	(possible_null_arg::subclass_equal_p): Likewise.
	(null_arg::subclass_equal_p): Likewise.
	(free_of_non_heap::subclass_equal_p): Likewise.
	* sm-pattern-test.cc (pattern_match::operator==): Likewise.
	* sm-sensitive.cc (exposure_through_output_file::operator==):
	Likewise.
	* sm-taint.cc (tainted_array_index::operator==): Likewise.

2020-01-14  David Malcolm  <dmalcolm (a] redhat.com>

	* diagnostic-manager.cc (dedupe_winners::add): Add logging
	of deduplication decisions made.

2020-01-14  David Malcolm  <dmalcolm (a] redhat.com>

	* ChangeLog: New file.
	* analyzer-selftests.cc: New file.
	* analyzer-selftests.h: New file.
	* analyzer.opt: New file.
	* analysis-plan.cc: New file.
	* analysis-plan.h: New file.
	* analyzer-logging.cc: New file.
	* analyzer-logging.h: New file.
	* analyzer-pass.cc: New file.
	* analyzer.cc: New file.
	* analyzer.h: New file.
	* call-string.cc: New file.
	* call-string.h: New file.
	* checker-path.cc: New file.
	* checker-path.h: New file.
	* constraint-manager.cc: New file.
	* constraint-manager.h: New file.
	* diagnostic-manager.cc: New file.
	* diagnostic-manager.h: New file.
	* engine.cc: New file.
	* engine.h: New file.
	* exploded-graph.h: New file.
	* pending-diagnostic.cc: New file.
	* pending-diagnostic.h: New file.
	* program-point.cc: New file.
	* program-point.h: New file.
	* program-state.cc: New file.
	* program-state.h: New file.
	* region-model.cc: New file.
	* region-model.h: New file.
	* sm-file.cc: New file.
	* sm-malloc.cc: New file.
	* sm-malloc.dot: New file.
	* sm-pattern-test.cc: New file.
	* sm-sensitive.cc: New file.
	* sm-signal.cc: New file.
	* sm-taint.cc: New file.
	* sm.cc: New file.
	* sm.h: New file.
	* state-purge.cc: New file.
	* state-purge.h: New file.
	* supergraph.cc: New file.
	* supergraph.h: New file.

2019-12-13  David Malcolm  <dmalcolm (a] redhat.com>

	* Initial creation


Copyright (C) 2019-2024 Free Software Foundation, Inc.

Copying and distribution of this file, with or without modification,
are permitted in any medium without royalty provided the copyright
notice and this notice are preserved.