Bug 93352 - ICE: qsort checking failed (error: qsort comparator not anti-symmetric: -2147483648, -2147483648)
Status: RESOLVED FIXED
Alias: None
Product: gcc
Classification: Unclassified
Component: analyzer
Version: 10.0
Importance: P3 normal
Target Milestone: ---
Assignee: David Malcolm
URL:
Keywords: ice-on-invalid-code
Depends on:
Blocks: qsort_chk
Reported: 2020-01-21 12:57 UTC by Arseny Solokha
Modified: 2020-01-22 00:01 UTC (History)

See Also:
Host:
Target:
Build:
Known to work:
Known to fail:
Last reconfirmed: 2020-01-21 00:00:00


Description Arseny Solokha 2020-01-21 12:57:59 UTC
gcc-10.0.0-alpha20200119 snapshot (g:3684bbb022cd75da55e1457673f269980aa12cdf) ICEs when compiling the following testcase, reduced from gcc/testsuite/c-c++-common/Warray-bounds.c, w/ -fanalyzer:

struct yc {
  int c0;
  char di[];
};

void
qt (struct yc *ab)
{
  ab->di[0x7fffffff + 1] = ab->di[0];
}

% gcc-10.0.0-alpha20200119 -fanalyzer -w -c xperohg3.c
xperohg3.c: In function 'qt':
xperohg3.c:9:34: error: qsort comparator not anti-symmetric: -2147483648, -2147483648
    9 |   ab->di[0x7fffffff + 1] = ab->di[0];
      |                            ~~~~~~^~~
during IPA pass: analyzer
xperohg3.c:9:34: internal compiler error: qsort checking failed
0x78eb47 qsort_chk_error
	/var/tmp/portage/sys-devel/gcc-10.0.0_alpha20200119/work/gcc-10-20200119/gcc/vec.c:214
0x78ec50 qsort_chk(void*, unsigned long, unsigned long, int (*)(void const*, void const*, void*), void*)
	/var/tmp/portage/sys-devel/gcc-10.0.0_alpha20200119/work/gcc-10-20200119/gcc/vec.c:258
0x1809d38 gcc_qsort(void*, unsigned long, unsigned long, int (*)(void const*, void const*))
	/var/tmp/portage/sys-devel/gcc-10.0.0_alpha20200119/work/gcc-10-20200119/gcc/sort.cc:270
0x10febc0 vec<int, va_heap, vl_embed>::qsort(int (*)(void const*, void const*))
	/var/tmp/portage/sys-devel/gcc-10.0.0_alpha20200119/work/gcc-10-20200119/gcc/vec.h:1125
0x10febc0 vec<int, va_heap, vl_ptr>::qsort(int (*)(void const*, void const*))
	/var/tmp/portage/sys-devel/gcc-10.0.0_alpha20200119/work/gcc-10-20200119/gcc/vec.h:1997
0x10febc0 array_region::walk_for_canonicalization(canonicalization*) const
	/var/tmp/portage/sys-devel/gcc-10.0.0_alpha20200119/work/gcc-10-20200119/gcc/analyzer/region-model.cc:2415
0x10fb2f1 map_region::walk_for_canonicalization(canonicalization*) const
	/var/tmp/portage/sys-devel/gcc-10.0.0_alpha20200119/work/gcc-10-20200119/gcc/analyzer/region-model.cc:1960
0x10fd62f region_model::canonicalize(region_model_context*)
	/var/tmp/portage/sys-devel/gcc-10.0.0_alpha20200119/work/gcc-10-20200119/gcc/analyzer/region-model.cc:3767
0x10f24aa program_state::prune_for_point(exploded_graph&, program_point const&, state_change*) const
	/var/tmp/portage/sys-devel/gcc-10.0.0_alpha20200119/work/gcc-10-20200119/gcc/analyzer/program-state.cc:861
0x10df257 exploded_graph::get_or_create_node(program_point const&, program_state const&, state_change*)
	/var/tmp/portage/sys-devel/gcc-10.0.0_alpha20200119/work/gcc-10-20200119/gcc/analyzer/engine.cc:1839
0x10e21e9 exploded_graph::process_node(exploded_node*)
	/var/tmp/portage/sys-devel/gcc-10.0.0_alpha20200119/work/gcc-10-20200119/gcc/analyzer/engine.cc:2450
0x10e29b2 exploded_graph::process_worklist()
	/var/tmp/portage/sys-devel/gcc-10.0.0_alpha20200119/work/gcc-10-20200119/gcc/analyzer/engine.cc:2253
0x10e3039 impl_run_checkers(logger*)
	/var/tmp/portage/sys-devel/gcc-10.0.0_alpha20200119/work/gcc-10-20200119/gcc/analyzer/engine.cc:3570
0x10e3ad3 run_checkers()
	/var/tmp/portage/sys-devel/gcc-10.0.0_alpha20200119/work/gcc-10-20200119/gcc/analyzer/engine.cc:3624
0x10d9558 execute
	/var/tmp/portage/sys-devel/gcc-10.0.0_alpha20200119/work/gcc-10-20200119/gcc/analyzer/analyzer-pass.cc:84
Comment 1 GCC Commits 2020-01-22 00:00:28 UTC
The master branch has been updated by David Malcolm <dmalcolm@gcc.gnu.org>:

https://gcc.gnu.org/g:4f01e5778689977c9569477947b8062d8d866667

commit r10-6127-g4f01e5778689977c9569477947b8062d8d866667
Author: David Malcolm <dmalcolm@redhat.com>
Date:   Tue Jan 21 12:42:36 2020 -0500

    analyzer: fix qsort issue with array_region keys (PR 93352)
    
    PR analyzer/93352 reports a qsort failure
      "comparator not anti-symmetric: -2147483648, -2147483648)"
    within the analyzer on code involving an array access of [0x7fffffff + 1].
    
    The issue is that array_region (which uses int for keys into known
    values in the array) uses subtraction to implement int_cmp for sorting
    the keys, which isn't going to work for boundary values.
    
    Potentially a wider type should be used, but for now this patch fixes
    the ICE by using explicit comparisons rather than subtraction to
    implement the qsort callback.
    
    gcc/analyzer/ChangeLog:
    	PR analyzer/93352
    	* region-model.cc (int_cmp): Rename to...
    	(array_region::key_cmp): ...this, using key_t rather than int.
    	Rewrite in terms of comparisons rather than subtraction to
    	ensure qsort is anti-symmetric when handling extreme values.
    	(array_region::walk_for_canonicalization): Update for above
    	renaming.
    	* region-model.h (array_region::key_cmp): New decl.
    
    gcc/testsuite/ChangeLog:
    	PR analyzer/93352
    	* gcc.dg/analyzer/pr93352.c: New test.
Comment 2 David Malcolm 2020-01-22 00:01:16 UTC
Should be fixed by above commit.