Great work with the analyzer! :)

I am running it on WebKit and I find a few issues. At the moment they all seem to point to supergraph.cc:180. Here's a reduced example with today's (16.01.2020) GCC:

$ /home/pmatos/installs/gcc-20200116/bin/g++ -v
Using built-in specs.
COLLECT_GCC=/home/pmatos/installs/gcc-20200116/bin/g++
COLLECT_LTO_WRAPPER=/home/pmatos/installs/gcc-20200116/libexec/gcc/x86_64-pc-linux-gnu/10.0.1/lto-wrapper
Target: x86_64-pc-linux-gnu
Configured with: ../gcc/configure --prefix=/home/pmatos/installs/gcc-20200116 --enable-languages=c,c++,lto --disable-docs --disable-multilib --disable-nls --disable-bootstrap
Thread model: posix
Supported LTO compression algorithms: zlib zstd
gcc version 10.0.1 20200116 (experimental) (GCC)

Test case:

struct a {
  a();
};
class {
  a b;
} c;

$ /home/pmatos/installs/gcc-20200116/bin/g++ -std=gnu++17 -fanalyzer -c AllIsoHeaps.ii
during IPA pass: analyzer
AllIsoHeaps.ii:6:4: internal compiler error: Segmentation fault
    6 | } c;
      |    ^
0x105fbdf crash_signal
	../../gcc/gcc/toplev.c:328
0x140d341 supergraph::supergraph(logger*)
	../../gcc/gcc/analyzer/supergraph.cc:180
0x13d768f impl_run_checkers(logger*)
	../../gcc/gcc/analyzer/engine.cc:3520
0x13d8d73 run_checkers()
	../../gcc/gcc/analyzer/engine.cc:3624
0x13cdb28 execute
	../../gcc/gcc/analyzer/analyzer-pass.cc:84
Please submit a full bug report,
with preprocessed source if appropriate.
Please include the complete backtrace with any bug report.
See <https://gcc.gnu.org/bugs/> for instructions.
Note that C++ is out-of-scope for the analyzer for GCC 10.

Program received signal SIGSEGV, Segmentation fault.
0x0000000001cb37ed in supergraph::supergraph (this=0x7fffffffcda0, logger=0x0)
    at ../../src/gcc/analyzer/supergraph.cc:180
180	      = ENTRY_BLOCK_PTR_FOR_FN (edge->callee->get_fun ());
Missing separate debuginfos, use: dnf debuginfo-install gmp-6.1.2-10.fc30.x86_64 libmpc-1.1.0-3.fc30.x86_64 libzstd-1.4.2-1.fc30.x86_64 mpfr-3.1.6-4.fc30.x86_64

(gdb) p edge->callee
$1 = <cgraph_node * 0x7fffeaaaa2d0 "__ct_comp "/2>

(gdb) p edge->callee->get_fun()->cfg
$4 = (control_flow_graph *) 0x0

So it's a segfault reading through a NULL cfg pointer.
(In reply to David Malcolm from comment #1)
> Note that C++ is out-of-scope for the analyzer for GCC 10.
> 
> Program received signal SIGSEGV, Segmentation fault.
> 0x0000000001cb37ed in supergraph::supergraph (this=0x7fffffffcda0,
> logger=0x0)
>     at ../../src/gcc/analyzer/supergraph.cc:180
> 180	      = ENTRY_BLOCK_PTR_FOR_FN (edge->callee->get_fun ());
> Missing separate debuginfos, use: dnf debuginfo-install
> gmp-6.1.2-10.fc30.x86_64 libmpc-1.1.0-3.fc30.x86_64
> libzstd-1.4.2-1.fc30.x86_64 mpfr-3.1.6-4.fc30.x86_64
> 
> (gdb) p edge->callee
> $1 = <cgraph_node * 0x7fffeaaaa2d0 "__ct_comp "/2>
> 
> (gdb) p edge->callee->get_fun()->cfg
> $4 = (control_flow_graph *) 0x0
> 
> So it's a segfault reading through a NULL cfg pointer.

Ah - sorry. I was not aware of that. :) I will test it on C only for now then. Thanks. Feel free to close this if you wish.
Marking status as SUSPENDED for now and setting Target Milestone to 11 (in the hope of adding c++ support to the analyzer in gcc 11).
(In reply to David Malcolm from comment #3)
> Marking status as SUSPENDED for now and setting Target Milestone to 11 (in
> the hope of adding c++ support to the analyzer in gcc 11).

Can't we call a sorry function in C++ situation so that we don't ICE?
(In reply to Martin Liška from comment #4)
> (In reply to David Malcolm from comment #3)
> > Marking status as SUSPENDED for now and setting Target Milestone to 11 (in
> > the hope of adding c++ support to the analyzer in gcc 11).
> 
> Can't we call a sorry function in C++ situation so that we don't ICE?

Agreed; filed as PR 93392.
Jakub convinced me that we shouldn't "sorry" on C++: https://gcc.gnu.org/ml/gcc-patches/2020-02/msg00273.html
Candidate patch: https://gcc.gnu.org/ml/gcc-patches/2020-02/msg00398.html
The master branch has been updated by David Malcolm <dmalcolm@gcc.gnu.org>:

https://gcc.gnu.org/g:35e24106fc1b782e70f8339e0a1321a2bc7a7f15

commit r10-6588-g35e24106fc1b782e70f8339e0a1321a2bc7a7f15
Author: David Malcolm <dmalcolm@redhat.com>
Date:   Thu Nov 21 12:30:45 2019 -0500

    analyzer: g++ testsuite support

    PR analyzer/93288 reports a C++-specific ICE with -fanalyzer.

    This patch creates the beginnings of a C++ test suite for the analyzer,
    so that there's a place to put test coverage for the fix.

    It adds a regression test for PR analyzer/93212, an ICE fixed in
    r10-5970-g32077b693df8e3ed0424031a322df23822bf2f7e.

    gcc/testsuite/ChangeLog:
    	PR analyzer/93212
    	* g++.dg/analyzer/analyzer.exp: New subdirectory and .exp suite.
    	* g++.dg/analyzer/malloc.C: New test.
    	* g++.dg/analyzer/pr93212.C: New test.
The master branch has been updated by David Malcolm <dmalcolm@gcc.gnu.org>:

https://gcc.gnu.org/g:91f993b7e31ce85676148dca180bc0d827d4245e

commit r10-6590-g91f993b7e31ce85676148dca180bc0d827d4245e
Author: David Malcolm <dmalcolm@redhat.com>
Date:   Wed Feb 5 21:29:04 2020 -0500

    analyzer: use ultimate alias target at calls (PR 93288)

    PR analyzer/93288 reports an ICE in a C++ testcase when calling a
    constructor.

    The issue is that when building the supergraph, we encounter the cgraph
    edge to "__ct_comp ", the DECL_COMPLETE_CONSTRUCTOR_P, and this node's
    DECL_STRUCT_FUNCTION has a NULL CFG, which the analyzer reads through,
    leading to the ICE.

    This patch reworks function and fndecl lookup at calls throughout the
    analyzer so that it looks for the ultimate_alias_target of the callee.
    In the case above, this means using the "__ct_base " for the ctor, which
    has a CFG, fixing the ICE.

    Getting this right allows for some simple C++ cases involving ctors to
    work, so the patch also adds some test coverage for that.

    gcc/analyzer/ChangeLog:
    	PR analyzer/93288
    	* analysis-plan.cc (analysis_plan::use_summary_p): Look through
    	the ultimate_alias_target when getting the called function.
    	* engine.cc (exploded_node::on_stmt): Rename second "ctxt" to
    	"sm_ctxt".  Use the region_model's get_fndecl_for_call rather than
    	gimple_call_fndecl.
    	* region-model.cc (region_model::get_fndecl_for_call): Use
    	ultimate_alias_target on fndecl.
    	* supergraph.cc (get_ultimate_function_for_cgraph_edge): New
    	function.
    	(supergraph_call_edge): Use it when rejecting edges without
    	functions.
    	(supergraph::supergraph): Use it to get the function for the
    	cgraph_edge when building interprocedural superedges.
    	(callgraph_superedge::get_callee_function):  Use it.
    	* supergraph.h (supergraph::get_num_snodes): Make param const.
    	(supergraph::function_to_num_snodes_t): Make first type param
    	const.

    gcc/testsuite/ChangeLog:
    	PR analyzer/93288
    	* g++.dg/analyzer/malloc.C: Add test coverage for a double-free
    	called in a constructor.
    	* g++.dg/analyzer/pr93288.C: New test.
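A constructed C++ example of the code shape the commit's new test coverage targets, a double free on one path through a constructor. It is added here and is neither the report's reduced test case nor GCC's own g++.dg/analyzer/malloc.C; the struct, its size limit and the helper functions are this example's own. On a GCC that contains the fix, `g++ -fanalyzer -c` is expected to report -Wanalyzer-double-free on the oversized-request path, while the GCC 10 snapshot in the report would be expected to hit the same ICE at the constructor call, since that call goes through the "__ct_comp " alias.

```cpp
#include <stdlib.h>
#include <stddef.h>

// Added example, not from the bug report or from GCC's g++.dg/analyzer tests.
// The limit and the names are this example's own (assumed, not from the page).
static const size_t kMaxSize = 4096;

struct buffer {
    void *data;
    size_t size;

    // Two cleanup branches that can both run for one request: when n > kMaxSize
    // the first branch frees `data` and zeroes `size`, and the second branch
    // then frees the same pointer again. -fanalyzer reasons about this path
    // statically; it does not need to be executed to be reported.
    explicit buffer(size_t n) : data(malloc(n)), size(n) {
        if (n > kMaxSize) {
            free(data);        // reject oversized requests and release ...
            size = 0;
        }
        if (size == 0) {
            free(data);        // ... then release "empty" buffers: double free when n > kMaxSize
            data = nullptr;
        }
    }

    ~buffer() { free(data); }  // free(nullptr) is a no-op
};

// Helpers that exercise only in-range requests (n <= kMaxSize), so the example
// can be run without reaching the undefined behaviour on the buggy path.
size_t accepted_size(size_t n) {
    buffer b(n);
    return b.size;
}

bool released_when_empty() {
    buffer b(0);
    return b.data == nullptr;
}
```

To see the diagnostic, compile the block with `g++ -fanalyzer -c` on a GCC that includes r10-6590; the runtime helpers above deliberately never pass a size above kMaxSize.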
Should be fixed by the above commit.
(In reply to David Malcolm from comment #10)
> Should be fixed by the above commit.

David, does this mean the analyzer has C++ support now or just that this specific bug is fixed in-tree?
(In reply to pmatos from comment #11)
> (In reply to David Malcolm from comment #10)
> > Should be fixed by the above commit.
> 
> David, does this mean the analyzer has C++ support now or just that this
> specific bug is fixed in-tree?

The latter. I don't expect the analyzer to be useful with C++ in this release (I'm just fixing the ICE in a way that will help with supporting C++ in the future).