Bug 93382

Summary: ICE in validate, at analyzer/program-state.cc:512
Product: gcc Reporter: Arseny Solokha <asolokha>
Component: analyzerAssignee: David Malcolm <dmalcolm>
Status: RESOLVED FIXED    
Severity: normal Keywords: ice-on-valid-code
Priority: P3    
Version: 10.0   
Target Milestone: 10.0   
Host: Target:
Build: Known to work:
Known to fail: Last reconfirmed: 2020-01-22 00:00:00

Description Arseny Solokha 2020-01-22 09:02:21 UTC 
gcc-10.0.0-alpha20200119 snapshot (g:3684bbb022cd75da55e1457673f269980aa12cdf) ICEs when compiling the following testcase w/ -fanalyzer:

typedef unsigned int size_t;

int ya;
void *lv;

size_t
fread (void *, size_t, size_t, void *);

void
ql (void)
{
  int n1[1];

  fread (n1, sizeof (n1[0]), 1, lv);
  ya = n1[0];
}

void
pl (void)
{
  ql ();
}

% gcc-10.0.0-alpha20200119 -fanalyzer -c gjg8xfgd.c
during IPA pass: analyzer
gjg8xfgd.c: In function 'pl':
gjg8xfgd.c:16:1: internal compiler error: in validate, at analyzer/program-state.cc:512
   16 | }
      | ^
0x7199ad sm_state_map::validate(state_machine const&, int) const
	/var/tmp/portage/sys-devel/gcc-10.0.0_alpha20200119/work/gcc-10-20200119/gcc/analyzer/program-state.cc:512
0x10ee461 program_state::validate(extrinsic_state const&) const
	/var/tmp/portage/sys-devel/gcc-10.0.0_alpha20200119/work/gcc-10-20200119/gcc/analyzer/program-state.cc:987
0x10df241 exploded_graph::get_or_create_node(program_point const&, program_state const&, state_change*)
	/var/tmp/portage/sys-devel/gcc-10.0.0_alpha20200119/work/gcc-10-20200119/gcc/analyzer/engine.cc:1833
0x10e2636 exploded_graph::process_node(exploded_node*)
	/var/tmp/portage/sys-devel/gcc-10.0.0_alpha20200119/work/gcc-10-20200119/gcc/analyzer/engine.cc:2508
0x10e29b2 exploded_graph::process_worklist()
	/var/tmp/portage/sys-devel/gcc-10.0.0_alpha20200119/work/gcc-10-20200119/gcc/analyzer/engine.cc:2253
0x10e3039 impl_run_checkers(logger*)
	/var/tmp/portage/sys-devel/gcc-10.0.0_alpha20200119/work/gcc-10-20200119/gcc/analyzer/engine.cc:3570
0x10e3ad3 run_checkers()
	/var/tmp/portage/sys-devel/gcc-10.0.0_alpha20200119/work/gcc-10-20200119/gcc/analyzer/engine.cc:3624
0x10d9558 execute
	/var/tmp/portage/sys-devel/gcc-10.0.0_alpha20200119/work/gcc-10-20200119/gcc/analyzer/analyzer-pass.cc:84
Comment 1 GCC Commits 2020-01-23 02:08:47 UTC 
The master branch has been updated by David Malcolm <dmalcolm@gcc.gnu.org>:

https://gcc.gnu.org/g:591b59ebfcd48319452ebbd954267c9a05ba4b78

commit r10-6164-g591b59ebfcd48319452ebbd954267c9a05ba4b78
Author: David Malcolm <dmalcolm@redhat.com>
Date:   Wed Jan 22 09:37:18 2020 -0500

    analyzer: fix ICE due to sm-state origin being purged (PR 93382)
    
    The ICE in PR analyzer/93382 is a validation error.
    
    The global variable "idx" acquires a "tainted" state from local array
    n1[0].  When the frame is popped, the svalue for n1[0] is purged, but
    the "taint" sm_state_map's entry for "idx" has a svalue_id referencing
    the now-purged svalue.  This is caught by program_state::validate as an
    assertion failure.
    
    This patch fixes the issue by resetting the origin id within
    sm_state_map entries for the case where the origin id has been purged.
    
    gcc/analyzer/ChangeLog:
    	PR analyzer/93382
    	* program-state.cc (sm_state_map::on_svalue_purge): If the
    	entry survives, but the origin is being purged, then reset the
    	origin to null.
    
    gcc/testsuite/ChangeLog:
    	PR analyzer/93382
    	* gcc.dg/analyzer/pr93382.c: New test.
Comment 2 David Malcolm 2020-01-23 02:11:59 UTC 
Thanks for filing this.  Should be fixed by the above commit.