Bug 106551

Summary: [13 Regression] dup2 causes -fanalyzer ICE in valid_to_unchecked_state, at analyzer/sm-fd.cc:751
Product: gcc Reporter: Sergei Trofimovich <slyfox>
Component: analyzerAssignee: Immad Mir <mir>
Severity: normal CC: asolokha, dmalcolm, mir, tlange
Priority: P3    
Version: 13.0   
Target Milestone: 13.0   
Host: Target:
Build: Known to work:
Known to fail: Last reconfirmed:
Bug Depends on:    
Bug Blocks: 106003    

Description Sergei Trofimovich 2022-08-08 06:39:31 UTC
This week's gcc started ICEing on libpipeline-1.5.4 upstream package.

Minimal reproducer turned up by cvise:

    $ cat a.c.c
    extern int m;
    int dup2(int, int);
    void error(void);
    void max_active_pipelines_pdes(void) {
      if (dup2(m, 1))

$ gcc -g -O2 -Wall  -c a.c.c -fanalyzer
during IPA pass: analyzer
a.c.c: In function 'max_active_pipelines_pdes':
a.c.c:5:7: internal compiler error: in valid_to_unchecked_state, at analyzer/sm-fd.cc:751
    5 |   if (dup2(m, 1))
      |       ^~~~~~~~~~
0x1ef7d74 diagnostic_impl(rich_location*, diagnostic_metadata const*, int, char const*, __va_list_tag (*) [1], diagnostic_t)
0x1ef89c6 internal_error(char const*, ...)
0x9023d4 fancy_abort(char const*, int, char const*)
0x85baa7 ana::(anonymous namespace)::fd_state_machine::check_for_dup(ana::sm_context*, ana::supernode const*, gimple const*, gcall const*, tree_node*, ana::(anonymous namespace)::dup) const [clone .cold]
0x135181c ana::(anonymous namespace)::fd_state_machine::on_stmt(ana::sm_context*, ana::supernode const*, gimple const*) const
0x12fcd74 ana::exploded_node::on_stmt(ana::exploded_graph&, ana::supernode const*, gimple const*, ana::program_state*, ana::uncertainty_t*, ana::path_context*)
0x12ff7ab ana::exploded_graph::process_node(ana::exploded_node*)
0x130064a ana::exploded_graph::process_worklist()
0x1302999 ana::impl_run_checkers(ana::logger*)
0x130394e ana::run_checkers()
0x12f37e8 (anonymous namespace)::pass_analyzer::execute(function*)

$ gcc -v |& unnix
Using built-in specs.
Target: x86_64-unknown-linux-gnu
Configured with:
Thread model: posix
Supported LTO compression algorithms: zlib
gcc version 13.0.0 20220807 (experimental) (GCC)
Comment 1 David Malcolm 2022-08-08 14:02:14 UTC
Thanks for filing this; almost certainly related to 

Immad, do you want to take a look?
Comment 2 Immad Mir 2022-08-09 07:48:59 UTC
 Sergei Trofimovich: Thanks for bringing the issue to our attention.

Dave: I've sent a patch via gcc-patches.
Comment 3 GCC Commits 2022-08-11 16:21:53 UTC
The master branch has been updated by Immad Mir <mir@gcc.gnu.org>:


commit r13-2023-g837142257cbde3cc03ee0dacd1d7b2fb4fa48bae
Author: Immad Mir <mirimmad@outlook.com>
Date:   Thu Aug 11 21:45:54 2022 +0530

    analyzer: fix ICE casued by dup2 in sm-fd.cc[PR106551]
    This patch fixes the ICE caused by valid_to_unchecked_state,
    at analyzer/sm-fd.cc by handling the m_start state in
    Tested lightly on x86_64.
            PR analyzer/106551
            * sm-fd.cc (check_for_dup): handle the m_start
            state when transitioning the state of LHS
            of dup, dup2 and dup3 call.
            * gcc.dg/analyzer/fd-dup-1.c: New testcases.
            * gcc.dg/analyzer/fd-uninit-1.c: Remove bogus
    Signed-off-by: Immad Mir <mirimmad@outlook.com>
Comment 4 Tim Lange 2022-08-14 20:27:02 UTC
Hi Immad,

while testing my patch on coreutils [1], I encountered another ICE at the same line. I'm using the newest commit on the master at the time of writing this [2] (I've double-checked that I indeed have your fix included).

during IPA pass: analyzer
../lib/freopen.c: In function 'rpl_freopen':
../lib/freopen.c:82:19: internal compiler error: in valid_to_unchecked_state, at analyzer/sm-fd.cc:751
   82 |               if (dup2 (nullfd, fd) < 0)
      |                   ^~~~~~~~~~~~~~~~~
0x7bc106 valid_to_unchecked_state
0x7bc106 valid_to_unchecked_state
0x7bc106 check_for_dup
0x12a5e8c on_stmt
0x124f4e4 ana::exploded_node::on_stmt(ana::exploded_graph&, ana::supernode const*, gimple const*, ana::program_state*, ana::uncertainty_t*, ana::path_context*)
0x1251f1b ana::exploded_graph::process_node(ana::exploded_node*)
0x1252dba ana::exploded_graph::process_worklist()
0x125514d ana::impl_run_checkers(ana::logger*)
0x125614e ana::run_checkers()
0x1245ee8 execute

[1] compiling coreutils commit: https://git.savannah.gnu.org/gitweb/?p=coreutils.git;a=commit;h=9f71f478ec6929d323c17f0482db8791de87b4fd
[2] https://gcc.gnu.org/git/?p=gcc.git;a=commit;h=fe4dc4f553d8639b0ce3465e5e6dcf61c1ae9752
Comment 5 Immad Mir 2022-08-15 08:37:25 UTC
Thanks for reporting the ICE, Tim.

Dave: I have sent a patch via gcc-patches.
Comment 6 GCC Commits 2022-08-15 16:52:49 UTC
The master branch has been updated by Immad Mir <mir@gcc.gnu.org>:


commit r13-2051-ged7e7620188dc0e653815bdd40d8802bd5446638
Author: Immad Mir <mirimmad@outlook.com>
Date:   Mon Aug 15 22:21:27 2022 +0530

    analyzer: fix for ICE in sm-fd.cc [PR106551]
    This patch fixes the ICE caused by valid_to_unchecked_state
    in sm-fd.cc by exiting early if first argument of any "dup"
    functions is invalid.
            PR analyzer/106551
            * sm-fd.cc (check_for_dup): exit early if first
            argument is invalid for all dup functions.
            PR analyzer/106551
            * gcc.dg/analyzer/fd-dup-1.c: New testcase.
    Signed-off-by: Immad Mir <mirimmad@outlook.com>
Comment 7 Immad Mir 2022-08-15 16:55:01 UTC
(In reply to CVS Commits from comment #6)

The patch was lightly tested on x86_64 Linux.
Comment 8 David Malcolm 2022-08-17 21:58:21 UTC
Presumably fixed by the above commit; marking as resolved.