Bug 110198 - [14 regression] g++.dg/analyzer/pr100244.C fails after r14-1632-g9589a46ddadc8b
Summary: [14 regression] g++.dg/analyzer/pr100244.C fails after r14-1632-g9589a46ddadc8b
Status: RESOLVED FIXED
Alias: None
Product: gcc
Classification: Unclassified
Component: analyzer
Version: 14.0
Importance: P3 normal
Target Milestone: 14.0
Assignee: David Malcolm
URL:
Keywords: testsuite-fail
Depends on:
Blocks:
 
Reported: 2023-06-09 19:13 UTC by seurer
Modified: 2023-06-29 23:39 UTC

See Also:
Host:
Target: powerpc64le-linux-gnu x86_64-linux-gnu cris-elf
Build:
Known to work:
Known to fail:
Last reconfirmed: 2023-06-09 00:00:00


Description seurer 2023-06-09 19:13:00 UTC
g:9589a46ddadc8b93c224c3f84fa94746c04596bf, r14-1632-g9589a46ddadc8b
make  -k check-gcc RUNTESTFLAGS="analyzer.exp=g++.dg/analyzer/pr100244.C"
FAIL: g++.dg/analyzer/pr100244.C  -std=c++14  (test for warnings, line 17)
FAIL: g++.dg/analyzer/pr100244.C  -std=c++17  (test for warnings, line 17)
FAIL: g++.dg/analyzer/pr100244.C  -std=c++20  (test for warnings, line 17)
# of expected passes		5
# of unexpected failures	3

I did not see any warnings in the log files from this, but line 17 is:

  ~_Hashtable_alloc () { delete _M_buckets; } // { dg-warning "on the stack" }

so it may be a missing warning.


Also this one:

make  -k check-gcc RUNTESTFLAGS="analyzer.exp=gcc.dg/analyzer/pr101962.c"
FAIL: gcc.dg/analyzer/pr101962.c  (test for warnings, line 19)
# of expected passes		9
# of unexpected failures	1


line 19 is:

  int stack; /* { dg-message "region created on stack here" } */


It generated a bunch of warnings:

/home/seurer/gcc/git/gcc-test/gcc/testsuite/gcc.dg/analyzer/pr101962.c: In function 'test_1':
/home/seurer/gcc/git/gcc-test/gcc/testsuite/gcc.dg/analyzer/pr101962.c:23:3: warning: FALSE
/home/seurer/gcc/git/gcc-test/gcc/testsuite/gcc.dg/analyzer/pr101962.c:24:3: warning: TRUE
/home/seurer/gcc/git/gcc-test/gcc/testsuite/gcc.dg/analyzer/pr101962.c: In function 'test_s':
/home/seurer/gcc/git/gcc-test/gcc/testsuite/gcc.dg/analyzer/pr101962.c:43:3: warning: TRUE
/home/seurer/gcc/git/gcc-test/gcc/testsuite/gcc.dg/analyzer/pr101962.c:45:3: warning: TRUE
/home/seurer/gcc/git/gcc-test/gcc/testsuite/gcc.dg/analyzer/pr101962.c:47:3: warning: TRUE
/home/seurer/gcc/git/gcc-test/gcc/testsuite/gcc.dg/analyzer/pr101962.c:49:3: warning: TRUE
/home/seurer/gcc/git/gcc-test/gcc/testsuite/gcc.dg/analyzer/pr101962.c:51:3: warning: TRUE
/home/seurer/gcc/git/gcc-test/gcc/testsuite/gcc.dg/analyzer/pr101962.c: In function 'test_1':
/home/seurer/gcc/git/gcc-test/gcc/testsuite/gcc.dg/analyzer/pr101962.c:25:10: warning: stack-based buffer over-read [CWE-126] [-Wanalyzer-out-of-bounds]
/home/seurer/gcc/git/gcc-test/gcc/testsuite/gcc.dg/analyzer/pr101962.c:17:1: note: (1) entry to 'test_1'
/home/seurer/gcc/git/gcc-test/gcc/testsuite/gcc.dg/analyzer/pr101962.c:19:7: note: (2) capacity: 4 bytes
/home/seurer/gcc/git/gcc-test/gcc/testsuite/gcc.dg/analyzer/pr101962.c:21:7: note: (3) calling 'maybe_inc_int_ptr' from 'test_1'
/home/seurer/gcc/git/gcc-test/gcc/testsuite/gcc.dg/analyzer/pr101962.c:9:1: note: (4) entry to 'maybe_inc_int_ptr'
/home/seurer/gcc/git/gcc-test/gcc/testsuite/gcc.dg/analyzer/pr101962.c:11:6: note: (5) following 'false' branch (when 'ptr' is non-NULL)...
/home/seurer/gcc/git/gcc-test/gcc/testsuite/gcc.dg/analyzer/pr101962.c:13:10: note: (6) ...to here
/home/seurer/gcc/git/gcc-test/gcc/testsuite/gcc.dg/analyzer/pr101962.c:21:7: note: (7) returning to 'test_1' from 'maybe_inc_int_ptr'
/home/seurer/gcc/git/gcc-test/gcc/testsuite/gcc.dg/analyzer/pr101962.c:22:7: note: (8) calling 'maybe_inc_int_ptr' from 'test_1'
/home/seurer/gcc/git/gcc-test/gcc/testsuite/gcc.dg/analyzer/pr101962.c:9:1: note: (9) entry to 'maybe_inc_int_ptr'
/home/seurer/gcc/git/gcc-test/gcc/testsuite/gcc.dg/analyzer/pr101962.c:11:6: note: (10) following 'false' branch (when 'ptr' is non-NULL)...
/home/seurer/gcc/git/gcc-test/gcc/testsuite/gcc.dg/analyzer/pr101962.c:13:10: note: (11) ...to here
/home/seurer/gcc/git/gcc-test/gcc/testsuite/gcc.dg/analyzer/pr101962.c:22:7: note: (12) returning to 'test_1' from 'maybe_inc_int_ptr'
/home/seurer/gcc/git/gcc-test/gcc/testsuite/gcc.dg/analyzer/pr101962.c:25:10: note: (13) out-of-bounds read from byte 8 till byte 11 but 'stack' ends at byte 4
/home/seurer/gcc/git/gcc-test/gcc/testsuite/gcc.dg/analyzer/pr101962.c:25:10: note: read of 4 bytes from after the end of 'stack'


commit r14-1632-g9589a46ddadc8b93c224c3f84fa94746c04596bf
Author: Benjamin Priour <vultkayn@gcc.gnu.org>
Date:   Thu Jun 8 11:38:08 2023 +0200

    analyzer: Standalone OOB-warning [PR109437, PR109439]
Comment 1 Andrew Pinski 2023-06-09 22:12:18 UTC
Confirmed. I noticed the failure too even on x86_64-linux-gnu .
Comment 2 Benjamin Priour 2023-06-09 22:30:56 UTC
Yes, sorry for the regression. I confirmed it myself too on x86_64-linux-gnu.
I wrote a fix immediately yesterday, and I am currently regtesting it.

It is promising as I quickly ran the test only for the analyzer test cases, all of them now are back to their expected behavior.

I'm sending the patch as soon as the regtesting finishes, so probably tomorrow evening, as my keys on the compiler farm are not yet synced.

For pr101962.c, it was indeed just a now obsolete message that had to be removed.

For pr100244.C it required changing the way OOBs are handled by the uninitialized-value checker.
Comment 3 Hans-Peter Nilsson 2023-06-20 14:37:07 UTC
(In reply to Benjamin Priour from comment #2)
> Yes sorry for the regression. I confirmed it myself too on x86_64-linux-gnu.
> I wrote a fix immediately yesterday, and I am currently regtesting it.
> 
> It is promising as I quickly ran the test only for the analyzer test cases,
> all of them now are back to their expected behavior.
> 
> I'm sending the patch as soon as the regtesting finishes, so probably
> tomorrow evening, as my keys on the compiler farm are not yet synced.

Any news on this?  I don't see anything posted to gcc-patches@ later than 2023-06-09.

If you have trouble testing the patch that you mention, please send it anyway with a message mentioning your troubles.
Comment 4 Benjamin Priour 2023-06-20 14:45:41 UTC
Yes, it has been fixed and regtested a week ago. However, I was on vacation
last week.
I will submit it shortly, though I would prefer to perform another
regtesting on a freshly pulled trunk first.

Benjamin.

Comment 5 Hans-Peter Nilsson 2023-06-22 14:33:03 UTC
(In reply to Benjamin Priour from comment #4)
> Yes, has been fixed and regtested a week ago. However I was in vacation
> last week.
> I will submit it shortly. though I would prefer to perform another
> regtesting on a freshly pulled trunk first.

You may need to rebase your changes again: after one of the changes in ce47d3c2cf59..0e466e978c72, gcc.dg/analyzer/pr101962.c appears to be fixed and there's just g++.dg/analyzer/pr100244.C left (for cris-elf).

But please send your patches soon and let others test them, if your bootstrap cycle is longer than a day!
Comment 6 GCC Commits 2023-06-29 23:35:21 UTC
The trunk branch has been updated by Benjamin Priour <vultkayn@gcc.gnu.org>:

https://gcc.gnu.org/g:1eb90f46c16453f72dc119ba20b07053a15b452d

commit r14-2203-g1eb90f46c16453f72dc119ba20b07053a15b452d
Author: benjamin priour <priour.be@gmail.com>
Date:   Thu Jun 22 21:39:05 2023 +0200

    analyzer: Fix regression bug after r14-1632-g9589a46ddadc8b [PR110198]
    
    g++.dg/analyzer/PR100244.C was failing after a patch of PR109439.
    The reason was a spurious preemptive return of get_store_value upon
    out-of-bounds read that was preventing further checks. Now instead,
    a boolean value check_poisoned goes to false when an OOB is detected,
    and is later on given to get_or_create_initial_value.
    
    gcc/analyzer/ChangeLog:
            PR analyzer/110198
            * region-model-manager.cc
            (region_model_manager::get_or_create_initial_value): Take an
            optional boolean value to bypass poisoning checks.
            * region-model-manager.h: Update declaration of the above function.
            * region-model.cc (region_model::get_store_value): No longer returns
            on OOB, but rather gives a boolean to get_or_create_initial_value.
            (region_model::check_region_access): Update docstring.
            (region_model::check_region_for_write): Update docstring.
    
    Signed-off-by: benjamin priour <priour.be@gmail.com>
Comment 7 Benjamin Priour 2023-06-29 23:39:07 UTC
Finally fixed as patch
https://gcc.gnu.org/git/?p=gcc.git;a=commit;h=1eb90f46c16453f72dc119ba20b07053a15b452d