Whilst debugging the remaining state explosion in PR analyzer/93355
I noticed that half of the states at an exploding program point had:
'malloc': {'&buf': 'non-heap'}
whereas the other half didn't, presumably depending on whether the path
to each enode had used this local buffer:
char buf[400];
This patch tweaks malloc_state_machine::get_default_state to be smarter
about this, so that we can implicitly treat pointers to decls as
non-heap, preventing pointless differences between sm_state_map
instances. With that, all of the states in question have equal (empty)
malloc sm-state - though the state explosion continues for other reasons.
gcc/analyzer/ChangeLog:
PR analyzer/93355
* sm-malloc.cc (malloc_state_machine::get_default_state): Look at
the base region when considering pointers. Treat pointers to
decls as being non-heap.
if (const region_svalue *ptr = sval->dyn_cast_region_svalue ())
{
const region *reg = ptr->get_pointee ();
- if (reg->get_kind () == RK_STRING)
+ const region *base_reg = reg->get_base_region ();
+ if (base_reg->get_kind () == RK_DECL
+ || base_reg->get_kind () == RK_STRING)
return m_non_heap;
}
return m_start;
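Review bot: the new base-region test widens the RK_STRING case as well as adding RK_DECL, but the ChangeLog and the description only mention decls. Before this hunk, `reg->get_kind () == RK_STRING` matched only a pointer to the string literal itself; after it, a pointer into an element or offset region whose base is an RK_STRING region (e.g. a pointer to the middle of a string literal) also yields m_non_heap. That is the right answer for a malloc state machine, but it is a behaviour change worth stating explicitly, e.g. amend the ChangeLog line to "Look at the base region when considering pointers, so that pointers into decls and string literals are treated as non-heap." Also note that, as written, RK_DECL covers both local and global decls, so a pointer to a global or static variable is classified non-heap too; if that is intended (it avoids the same sm_state_map divergence for globals), a one-line comment above the `if (base_reg->get_kind () == RK_DECL` test saying so would save the next reader from wondering whether only locals were meant.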