Bug 107783 - [13 Regression] ICE in deref_rvalue, at analyzer/region-model.cc:3238 since r13-4074-g86a90006864840c2
Alias: None
Product: gcc
Classification: Unclassified
Component: analyzer
Version: 13.0
Importance: P4 normal
Target Milestone: 13.0
Assignee: David Malcolm
Depends on:
Reported: 2022-11-21 07:42 UTC by Arseny Solokha
Modified: 2022-11-22 22:44 UTC
CC: 2 users

See Also:
Known to work:
Known to fail:
Last reconfirmed: 2022-11-21 00:00:00


Description Arseny Solokha 2022-11-21 07:42:52 UTC
gcc 13.0.0 20221120 snapshot (g:a16a5460447eaaff0b4468064e4d7b1cc8fc42eb) ICEs when compiling the following testcase w/ -fanalyzer:

int
foo (void)
{
  return bind (0, 0, 0);
}
/* bind is deliberately left undeclared; -w silences the implicit-declaration warning. */

% gcc-13 -fanalyzer -w -c oerlsfmf.c
during IPA pass: analyzer
oerlsfmf.c: In function 'foo':
oerlsfmf.c:4:10: internal compiler error: in deref_rvalue, at analyzer/region-model.cc:3238
    4 |   return bind (0, 0, 0);
      |          ^~~~~~~~~~~~~~
0x7bd370 ana::region_model::deref_rvalue(ana::svalue const*, tree_node*, ana::region_model_context*) const
0x13091e4 check_for_new_socket_fd
0x130b16d on_bind
0x130b16d ana::region_model::on_bind(ana::call_details const&, bool)
0x12e7646 ana::kf_bind::outcome_of_bind::update_model(ana::region_model*, ana::exploded_edge const*, ana::region_model_context*) const
0x12a8cee ana::exploded_graph::process_node(ana::exploded_node*)
0x12a984a ana::exploded_graph::process_worklist()
0x12abfd4 ana::impl_run_checkers(ana::logger*)
0x12acfd6 ana::run_checkers()
0x129b8d8 execute
Comment 1 Martin Liška 2022-11-21 08:25:40 UTC
Started with r13-4074-g86a90006864840c2.
Comment 2 Sergei Trofimovich 2022-11-21 16:30:47 UTC
Got the same ICE today on gnutls-3.7.8 package:

during IPA pass: analyzer
serv.c: In function 'listen_socket':
serv.c:1011:21: internal compiler error: in deref_rvalue, at analyzer/region-model.cc:3238
 1011 |                 if (bind(s, ptr->ai_addr, ptr->ai_addrlen) < 0) {
      |                     ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Comment 3 GCC Commits 2022-11-22 00:10:15 UTC
The master branch has been updated by David Malcolm <dmalcolm@gcc.gnu.org>:


commit r13-4220-g12a4785c9120beeef42f1bded52cc2674e206f57
Author: David Malcolm <dmalcolm@redhat.com>
Date:   Mon Nov 21 19:08:17 2022 -0500

    analyzer: fix ICE on 'bind' with non-pointer arg [PR107783]
            PR analyzer/107783
            * region-model-impl-calls.cc (kf_accept::matches_call_types_p):
            Require that args 1 and 2 be pointers.
            (kf_bind::matches_call_types_p): Require that arg 1 be a pointer.
            * region-model.h (call_details::arg_is_pointer_p): New
            PR analyzer/107783
            * gcc.dg/analyzer/fd-bind-pr107783.c: New test.
    Signed-off-by: David Malcolm <dmalcolm@redhat.com>
Comment 4 David Malcolm 2022-11-22 00:23:20 UTC
Thanks for filing this bug.  The ICE in comment #0 should be fixed by the above commit.

Sergei: does the above commit also fix the issue you describe in comment #2?  Thanks.
Comment 5 GCC Commits 2022-11-22 22:32:52 UTC
The master branch has been updated by David Malcolm <dmalcolm@gcc.gnu.org>:


commit r13-4248-g64fb291c5839e1a82afb62743172b4eab1267399
Author: David Malcolm <dmalcolm@redhat.com>
Date:   Tue Nov 22 17:29:21 2022 -0500

    analyzer: fix ICE on 'bind(INT_CST, ...)' [PR107783]
    This was crashing inside fd_phase_mismatch's ctor with assertion
    failure when the state was "fd-constant".
    Fix the ICE by not complaining about constants passed to these APIs.
            PR analyzer/107783
            * sm-fd.cc (fd_state_machine::check_for_new_socket_fd): Don't
            complain when old state is "fd-constant".
            (fd_state_machine::on_listen): Likewise.
            (fd_state_machine::on_accept): Likewise.
            PR analyzer/107783
            * gcc.dg/analyzer/fd-accept.c (test_accept_on_constant): New.
            * gcc.dg/analyzer/fd-bind.c (test_bind_on_constant): New.
            * gcc.dg/analyzer/fd-connect.c (test_connect_on_constant): New.
            * gcc.dg/analyzer/fd-listen.c (test_listen_on_connected_socket):
            Fix typo.
            (test_listen_on_constant): New.
    Signed-off-by: David Malcolm <dmalcolm@redhat.com>
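An added example (not code from the bug report or from GCC's own testsuite): the socket lifecycle in the phase order the analyzer's fd state machine tracks, beside a bind() on the integer constant 0 that has the shape of the reduced reproducer. It assumes Linux (abstract-namespace AF_UNIX address, so no file is created); the helper names are mine.

```c
#include <stddef.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/un.h>
#include <unistd.h>

/* Fill a Linux abstract-namespace AF_UNIX address (sun_path[0] == '\0'),
   so binding creates no filesystem entry. Returns the address length. */
static socklen_t abstract_addr(struct sockaddr_un *addr, const char *name)
{
  memset(addr, 0, sizeof *addr);
  addr->sun_family = AF_UNIX;
  size_t n = strlen(name);
  if (n > sizeof addr->sun_path - 1)
    n = sizeof addr->sun_path - 1;
  memcpy(addr->sun_path + 1, name, n);
  return (socklen_t)(offsetof(struct sockaddr_un, sun_path) + 1 + n);
}

/* The phase order -fanalyzer's fd state machine tracks: the fd passed to
   bind() and listen() came from socket(), listen() runs on a bound (not
   connected) socket, and the fd is closed on every error path. Returns
   the listening fd, or -1 on failure. */
int make_listener(const char *name)
{
  int s = socket(AF_UNIX, SOCK_STREAM, 0);
  if (s < 0)
    return -1;
  struct sockaddr_un addr;
  socklen_t len = abstract_addr(&addr, name);
  if (bind(s, (struct sockaddr *)&addr, len) < 0 || listen(s, 1) < 0) {
    close(s);   /* don't leak the descriptor on the error path */
    return -1;
  }
  return s;
}

/* The shape of the reduced reproducer: bind() on the integer constant 0
   instead of a socket() result. Before r13-4248 the analyzer's state for
   this argument ("fd-constant") tripped the assertion in fd_phase_mismatch's
   ctor; it now compiles silently under -fanalyzer. At runtime fd 0 is stdin,
   not a socket, so bind() fails with ENOTSOCK (or EBADF if fd 0 is closed). */
int bind_on_constant_fd(void)
{
  struct sockaddr_un addr;
  socklen_t len = abstract_addr(&addr, "pr107783-constant");
  return bind(0, (struct sockaddr *)&addr, len);
}
```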
Comment 6 David Malcolm 2022-11-22 22:44:03 UTC
I found another ICE with the new "bind"-handling code, which I fixed in the above commit.

Marking this as resolved.

If you're still running into issues with the "bind"-handling code, please open separate bugs for them.  Thanks!