Bug 110700 - [12 Regression] ICE with -fanalyzer --analyzer-checker=taint on division of tainted floating-point values
Summary: [12 Regression] ICE with -fanalyzer --analyzer-checker=taint on division of t...
Status: NEW
Alias: None
Product: gcc
Classification: Unclassified
Component: analyzer (show other bugs)
Version: 13.1.1
: P3 normal
Target Milestone: 12.5
Assignee: David Malcolm
URL:
Keywords: ice-on-valid-code
Depends on:
Blocks:
 
Reported: 2023-07-17 10:14 UTC by Geoffrey
Modified: 2024-06-20 09:13 UTC (History)
0 users

See Also:
Host:
Target:
Build:
Known to work:
Known to fail:
Last reconfirmed: 2023-07-19 00:00:00

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.
Description Geoffrey 2023-07-17 10:14:04 UTC 
when i try to use taint checher to handle the following case, i encouter an error.


```c
 __attribute__ ((tainted_args))
double divide(double x, double y){
return x/y;
}
```
cmd:
gcc -fanalyzer --analyzer-checker=taint cwe-369.c -c

error messages:
"
// Target: x86_64-pc-linux-gnu
// Configured with: ../gcc/configure -prefix=/usr/local/gcc-13-9533 --enable-checking=release --enable-languages=c,c++ --disable-multilib
// Thread model: posix
// Supported LTO compression algorithms: zlib
// gcc version 13.1.1 20230717 (GCC)
//
// during IPA pass: analyzer
// CWE/cwe-369.c: In function 'divide':
// CWE/cwe-369.c:3:9: internal compiler error: in wide_int_to_tree_1, at tree.cc:1755
//     3 | return x/y;
//       |        ~^~
// 0x712cea wide_int_to_tree_1
//      ../../gcc/gcc/tree.cc:1755
// 0xf4187b wide_int_to_tree(tree_node*, poly_int<1u, generic_wide_int<wide_int_ref_storage<false, true> > > const&)
//      ../../gcc/gcc/tree.cc:1867
// 0xf4187b build_int_cst(tree_node*, poly_int<1u, long>)
//      ../../gcc/gcc/tree.cc:1507
// 0x1007587 ana::region_model_manager::get_or_create_int_cst(tree_node*, poly_int<1u, long>)
//      ../../gcc/gcc/analyzer/region-model-manager.cc:236
// 0x1028059 check_for_tainted_divisor
//      ../../gcc/gcc/analyzer/sm-taint.cc:1355
// 0x1028059 on_stmt
//      ../../gcc/gcc/analyzer/sm-taint.cc:1015
// 0xfd5dbf ana::exploded_node::on_stmt(ana::exploded_graph&, ana::supernode const*, gimple const*, ana::program_state*, ana::uncertainty_t*, ana::path_context*)
//      ../../gcc/gcc/analyzer/engine.cc:1490
// 0xfd86bd ana::exploded_graph::process_node(ana::exploded_node*)
//      ../../gcc/gcc/analyzer/engine.cc:4063
// 0xfd94fa ana::exploded_graph::process_worklist()
//      ../../gcc/gcc/analyzer/engine.cc:3466
// 0xfdb7e7 ana::impl_run_checkers(ana::logger*)
//      ../../gcc/gcc/analyzer/engine.cc:6125
// 0xfdc7c6 ana::run_checkers()
//      ../../gcc/gcc/analyzer/engine.cc:6213
// 0xfccf68 execute
//      ../../gcc/gcc/analyzer/analyzer-pass.cc:87
// Please submit a full bug report, with preprocessed source.
// Please include the complete backtrace with any bug report.
// See <https://gcc.gnu.org/bugs/> for instructions.

// /usr/local/gcc-13-9533/libexec/gcc/x86_64-pc-linux-gnu/13.1.1/cc1 -quiet -imultiarch x86_64-linux-gnu CWE/cwe-369.c -quiet -dumpbase cwe-369.c -dumpbase-ext .c -mtune=generic -march=x86-64 -fanalyzer -fanalyzer-checker=taint -freport-bug -o - -frandom-seed=0 -fdump-noaddr

"
Comment 1 David Malcolm 2023-07-19 13:01:38 UTC 
Thanks for filing this bug.

Seems to affect GCC 12, 13, and trunk.

Here's the reproducer on Compiler Explorer:
  https://godbolt.org/z/GWM1G6b3s
Comment 2 GCC Commits 2023-07-19 21:56:22 UTC 
The master branch has been updated by David Malcolm <dmalcolm@gcc.gnu.org>:

https://gcc.gnu.org/g:b86c0fe327a5196a316bd698d12765b08de5dce7

commit r14-2658-gb86c0fe327a5196a316bd698d12765b08de5dce7
Author: David Malcolm <dmalcolm@redhat.com>
Date:   Wed Jul 19 17:55:09 2023 -0400

    analyzer: fix ICE on division of tainted floating-point values [PR110700]
    
    gcc/analyzer/ChangeLog:
            PR analyzer/110700
            * region-model-manager.cc
            (region_model_manager::get_or_create_int_cst): Assert that we have
            an integral or pointer type.
            * sm-taint.cc (taint_state_machine::check_for_tainted_divisor):
            Don't check non-integral types.
    
    gcc/testsuite/ChangeLog:
            PR analyzer/110700
            * gcc.dg/analyzer/taint-divisor-2.c: New test.
    
    Signed-off-by: David Malcolm <dmalcolm@redhat.com>
Comment 3 David Malcolm 2023-07-19 22:10:04 UTC 
Should be fixed on trunk by the above patch.  Keeping open to track backporting to branches for gcc 12 and gcc 13.
Comment 4 GCC Commits 2024-05-09 17:11:21 UTC 
The releases/gcc-13 branch has been updated by David Malcolm <dmalcolm@gcc.gnu.org>:

https://gcc.gnu.org/g:0df1ee083434ac00ecb19582b1e5b25e105981b2

commit r13-8746-g0df1ee083434ac00ecb19582b1e5b25e105981b2
Author: David Malcolm <dmalcolm@redhat.com>
Date:   Thu May 9 13:09:28 2024 -0400

    analyzer: fix ICE on division of tainted floating-point values [PR110700]
    
    gcc/analyzer/ChangeLog:
            PR analyzer/110700
            * region-model-manager.cc
            (region_model_manager::get_or_create_int_cst): Assert that we have
            an integral or pointer type.
            * sm-taint.cc (taint_state_machine::check_for_tainted_divisor):
            Don't check non-integral types.
    
    gcc/testsuite/ChangeLog:
            PR analyzer/110700
            * gcc.dg/analyzer/taint-divisor-2.c: New test.
    
    (cherry picked from commit r14-2658-gb86c0fe327a519)
    
    Signed-off-by: David Malcolm <dmalcolm@redhat.com>
Comment 5 David Malcolm 2024-05-09 17:53:16 UTC 
Should be fixed for GCC 13 (for the upcoming GCC 13.3) by the above patch.
       
Keeping open to track backporting to older branches.
Comment 6 Richard Biener 2024-06-20 09:13:28 UTC 
GCC 12.4 is being released, retargeting bugs to GCC 12.5.