Bug 107783 - [13 Regression] ICE in deref_rvalue, at analyzer/region-model.cc:3238 since r13-4074-g86a90006864840c2
Status: RESOLVED FIXED
Alias: None
Product: gcc
Classification: Unclassified
Component: analyzer
Version: 13.0
Importance: P4 normal
Target Milestone: 13.0
Assignee: David Malcolm
Reported: 2022-11-21 07:42 UTC by Arseny Solokha
Modified: 2022-11-22 22:44 UTC

Last reconfirmed: 2022-11-21 00:00:00

Description Arseny Solokha 2022-11-21 07:42:52 UTC
gcc 13.0.0 20221120 snapshot (g:a16a5460447eaaff0b4468064e4d7b1cc8fc42eb) ICEs when compiling the following testcase w/ -fanalyzer:

int
foo (void)
{
  return bind (0, 0, 0);
}

% gcc-13 -fanalyzer -w -c oerlsfmf.c
during IPA pass: analyzer
oerlsfmf.c: In function 'foo':
oerlsfmf.c:4:10: internal compiler error: in deref_rvalue, at analyzer/region-model.cc:3238
    4 |   return bind (0, 0, 0);
      |          ^~~~~~~~~~~~~~
0x7bd370 ana::region_model::deref_rvalue(ana::svalue const*, tree_node*, ana::region_model_context*) const
	/var/tmp/portage/sys-devel/gcc-13.0.0_p20221120/work/gcc-13-20221120/gcc/analyzer/region-model.cc:3238
0x13091e4 check_for_new_socket_fd
	/var/tmp/portage/sys-devel/gcc-13.0.0_p20221120/work/gcc-13-20221120/gcc/analyzer/sm-fd.cc:1785
0x130b16d on_bind
	/var/tmp/portage/sys-devel/gcc-13.0.0_p20221120/work/gcc-13-20221120/gcc/analyzer/sm-fd.cc:1848
0x130b16d ana::region_model::on_bind(ana::call_details const&, bool)
	/var/tmp/portage/sys-devel/gcc-13.0.0_p20221120/work/gcc-13-20221120/gcc/analyzer/sm-fd.cc:2284
0x12e7646 ana::kf_bind::outcome_of_bind::update_model(ana::region_model*, ana::exploded_edge const*, ana::region_model_context*) const
	/var/tmp/portage/sys-devel/gcc-13.0.0_p20221120/work/gcc-13-20221120/gcc/analyzer/region-model-impl-calls.cc:630
0x12a8cee ana::exploded_graph::process_node(ana::exploded_node*)
	/var/tmp/portage/sys-devel/gcc-13.0.0_p20221120/work/gcc-13-20221120/gcc/analyzer/engine.cc:4170
0x12a984a ana::exploded_graph::process_worklist()
	/var/tmp/portage/sys-devel/gcc-13.0.0_p20221120/work/gcc-13-20221120/gcc/analyzer/engine.cc:3457
0x12abfd4 ana::impl_run_checkers(ana::logger*)
	/var/tmp/portage/sys-devel/gcc-13.0.0_p20221120/work/gcc-13-20221120/gcc/analyzer/engine.cc:6110
0x12acfd6 ana::run_checkers()
	/var/tmp/portage/sys-devel/gcc-13.0.0_p20221120/work/gcc-13-20221120/gcc/analyzer/engine.cc:6198
0x129b8d8 execute
	/var/tmp/portage/sys-devel/gcc-13.0.0_p20221120/work/gcc-13-20221120/gcc/analyzer/analyzer-pass.cc:87
Comment 1 Martin Liška 2022-11-21 08:25:40 UTC
Started with r13-4074-g86a90006864840c2.
Comment 2 Sergei Trofimovich 2022-11-21 16:30:47 UTC
Got the same ICE today on gnutls-3.7.8 package:

during IPA pass: analyzer
serv.c: In function 'listen_socket':
serv.c:1011:21: internal compiler error: in deref_rvalue, at analyzer/region-model.cc:3238
 1011 |                 if (bind(s, ptr->ai_addr, ptr->ai_addrlen) < 0) {
      |                     ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Comment 3 GCC Commits 2022-11-22 00:10:15 UTC
The master branch has been updated by David Malcolm <dmalcolm@gcc.gnu.org>:

https://gcc.gnu.org/g:12a4785c9120beeef42f1bded52cc2674e206f57

commit r13-4220-g12a4785c9120beeef42f1bded52cc2674e206f57
Author: David Malcolm <dmalcolm@redhat.com>
Date:   Mon Nov 21 19:08:17 2022 -0500

    analyzer: fix ICE on 'bind' with non-pointer arg [P107783]
    
    gcc/analyzer/ChangeLog:
            PR analyzer/107783
            * region-model-impl-calls.cc (kf_accept::matches_call_types_p):
            Require that args 1 and 2 be pointers.
            (kf_bind::matches_call_types_p): Require that arg 1 be a pointer.
            * region-model.h (call_details::arg_is_pointer_p): New
    
    gcc/testsuite/ChangeLog:
            PR analyzer/107783
            * gcc.dg/analyzer/fd-bind-pr107783.c: New test.
    
    Signed-off-by: David Malcolm <dmalcolm@redhat.com>
Comment 4 David Malcolm 2022-11-22 00:23:20 UTC
Thanks for filing this bug.  The ICE in comment #0 should be fixed by the above commit.

Sergei: does the above commit also fix the issue you describe in comment #2?  Thanks.
Comment 5 GCC Commits 2022-11-22 22:32:52 UTC
The master branch has been updated by David Malcolm <dmalcolm@gcc.gnu.org>:

https://gcc.gnu.org/g:64fb291c5839e1a82afb62743172b4eab1267399

commit r13-4248-g64fb291c5839e1a82afb62743172b4eab1267399
Author: David Malcolm <dmalcolm@redhat.com>
Date:   Tue Nov 22 17:29:21 2022 -0500

    analyzer: fix ICE on 'bind(INT_CST, ...)' [PR107783]
    
    This was crashing inside fd_phase_mismatch's ctor with assertion
    failure when the state was "fd-constant".
    
    Fix the ICE by not complaining about constants passed to these APIs.
    
    gcc/analyzer/ChangeLog:
            PR analyzer/107783
            * sm-fd.cc (fd_state_machine::check_for_new_socket_fd): Don't
            complain when old state is "fd-constant".
            (fd_state_machine::on_listen): Likewise.
            (fd_state_machine::on_accept): Likewise.
    
    gcc/testsuite/ChangeLog:
            PR analyzer/107783
            * gcc.dg/analyzer/fd-accept.c (test_accept_on_constant): New.
            * gcc.dg/analyzer/fd-bind.c (test_bind_on_constant): New.
            * gcc.dg/analyzer/fd-connect.c (test_connect_on_constant): New.
            * gcc.dg/analyzer/fd-listen.c (test_listen_on_connected_socket):
            Fix typo.
            (test_listen_on_constant): New.
    
    Signed-off-by: David Malcolm <dmalcolm@redhat.com>
Comment 6 David Malcolm 2022-11-22 22:44:03 UTC
I found another ICE with the new "bind"-handling code, which I fixed in the above commit.

Marking this as resolved.

If you're still running into issues with the "bind"-handling code, please open separate bugs for them.  Thanks!