Bug 93382 - ICE in validate, at analyzer/program-state.cc:512
Summary: ICE in validate, at analyzer/program-state.cc:512
Status: RESOLVED FIXED
Alias: None
Product: gcc
Classification: Unclassified
Component: analyzer (show other bugs)
Version: 10.0
Importance: P3 normal
Target Milestone: 10.0
Assignee: David Malcolm
URL:
Keywords: ice-on-valid-code
Depends on:
Blocks:
 
Reported: 2020-01-22 09:02 UTC by Arseny Solokha
Modified: 2020-01-23 02:11 UTC (History)

See Also:
Host:
Target:
Build:
Known to work:
Known to fail:
Last reconfirmed: 2020-01-22 00:00:00


Description Arseny Solokha 2020-01-22 09:02:21 UTC
gcc-10.0.0-alpha20200119 snapshot (g:3684bbb022cd75da55e1457673f269980aa12cdf) ICEs when compiling the following testcase w/ -fanalyzer:

typedef unsigned int size_t;

int ya;
void *lv;

size_t
fread (void *, size_t, size_t, void *);

void
ql (void)
{
  int n1[1];

  fread (n1, sizeof (n1[0]), 1, lv);
  ya = n1[0];
}

void
pl (void)
{
  ql ();
}

% gcc-10.0.0-alpha20200119 -fanalyzer -c gjg8xfgd.c
during IPA pass: analyzer
gjg8xfgd.c: In function 'pl':
gjg8xfgd.c:16:1: internal compiler error: in validate, at analyzer/program-state.cc:512
   16 | }
      | ^
0x7199ad sm_state_map::validate(state_machine const&, int) const
	/var/tmp/portage/sys-devel/gcc-10.0.0_alpha20200119/work/gcc-10-20200119/gcc/analyzer/program-state.cc:512
0x10ee461 program_state::validate(extrinsic_state const&) const
	/var/tmp/portage/sys-devel/gcc-10.0.0_alpha20200119/work/gcc-10-20200119/gcc/analyzer/program-state.cc:987
0x10df241 exploded_graph::get_or_create_node(program_point const&, program_state const&, state_change*)
	/var/tmp/portage/sys-devel/gcc-10.0.0_alpha20200119/work/gcc-10-20200119/gcc/analyzer/engine.cc:1833
0x10e2636 exploded_graph::process_node(exploded_node*)
	/var/tmp/portage/sys-devel/gcc-10.0.0_alpha20200119/work/gcc-10-20200119/gcc/analyzer/engine.cc:2508
0x10e29b2 exploded_graph::process_worklist()
	/var/tmp/portage/sys-devel/gcc-10.0.0_alpha20200119/work/gcc-10-20200119/gcc/analyzer/engine.cc:2253
0x10e3039 impl_run_checkers(logger*)
	/var/tmp/portage/sys-devel/gcc-10.0.0_alpha20200119/work/gcc-10-20200119/gcc/analyzer/engine.cc:3570
0x10e3ad3 run_checkers()
	/var/tmp/portage/sys-devel/gcc-10.0.0_alpha20200119/work/gcc-10-20200119/gcc/analyzer/engine.cc:3624
0x10d9558 execute
	/var/tmp/portage/sys-devel/gcc-10.0.0_alpha20200119/work/gcc-10-20200119/gcc/analyzer/analyzer-pass.cc:84
Comment 1 GCC Commits 2020-01-23 02:08:47 UTC
The master branch has been updated by David Malcolm <dmalcolm@gcc.gnu.org>:

https://gcc.gnu.org/g:591b59ebfcd48319452ebbd954267c9a05ba4b78

commit r10-6164-g591b59ebfcd48319452ebbd954267c9a05ba4b78
Author: David Malcolm <dmalcolm@redhat.com>
Date:   Wed Jan 22 09:37:18 2020 -0500

    analyzer: fix ICE due to sm-state origin being purged (PR 93382)
    
    The ICE in PR analyzer/93382 is a validation error.
    
    The global variable "idx" acquires a "tainted" state from local array
    n1[0].  When the frame is popped, the svalue for n1[0] is purged, but
    the "taint" sm_state_map's entry for "idx" has a svalue_id referencing
    the now-purged svalue.  This is caught by program_state::validate as an
    assertion failure.
    
    This patch fixes the issue by resetting the origin id within
    sm_state_map entries for the case where the origin id has been purged.
    
    gcc/analyzer/ChangeLog:
    	PR analyzer/93382
    	* program-state.cc (sm_state_map::on_svalue_purge): If the
    	entry survives, but the origin is being purged, then reset the
    	origin to null.
    
    gcc/testsuite/ChangeLog:
    	PR analyzer/93382
    	* gcc.dg/analyzer/pr93382.c: New test.
Comment 2 David Malcolm 2020-01-23 02:11:59 UTC
Thanks for filing this.  Should be fixed by the above commit.
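The commit message above describes an invariant violation rather than a crash in the taint logic itself: the "taint" sm_state_map keeps, per svalue, both a state and an origin svalue_id recording where that state came from, and after ql's frame is popped the entry for the global still points at the purged local. The following is an added, deliberately simplified model written for this page; it is not GCC's analyzer code, and every name in it (svalue_id, sm_state_map, on_svalue_purge, validate, replay_frame_pop and the hard-coded ids for n1[0] and ya) is a hypothetical stand-in chosen to mirror the commit message, not the real gcc/analyzer API. It replays the PR's scenario both with the pre-r10-6164 purge behaviour and with the fix (resetting a surviving entry's origin to null when the origin is purged), and shows that the fix keeps the global tainted while making validate() pass again.

```cpp
#include <cassert>
#include <cstdio>
#include <map>
#include <set>

// Hypothetical, simplified model of the analyzer's per-state-machine map.
typedef int svalue_id;                      // index into a program state's svalue table
static const svalue_id null_svalue_id = -1; // "no origin"

enum taint_state { START = 0, TAINTED = 1 };

struct entry_t {
  taint_state state;  // the sm-state attached to this svalue
  svalue_id origin;   // svalue this state was inherited from (diagnostic provenance only)
};

struct sm_state_map {
  std::map<svalue_id, entry_t> entries;

  void set_state(svalue_id sid, taint_state st, svalue_id origin) {
    entries[sid] = entry_t{st, origin};
  }

  // Drop entries whose svalue is purged.  With reset_origins == false this
  // mirrors the behaviour before the fix: a surviving entry may keep an
  // origin id that now refers to a purged svalue.  With reset_origins == true
  // the origin of such an entry is reset to null, as the commit does.
  void on_svalue_purge(const std::set<svalue_id> &purged, bool reset_origins) {
    for (std::map<svalue_id, entry_t>::iterator it = entries.begin();
         it != entries.end();) {
      if (purged.count(it->first)) {
        it = entries.erase(it);
        continue;
      }
      if (reset_origins && it->second.origin != null_svalue_id &&
          purged.count(it->second.origin))
        it->second.origin = null_svalue_id;
      ++it;
    }
  }

  // The invariant program_state::validate enforces in the PR: every key and
  // every non-null origin must reference a live svalue.
  bool validate(const std::set<svalue_id> &live) const {
    for (std::map<svalue_id, entry_t>::const_iterator it = entries.begin();
         it != entries.end(); ++it) {
      if (!live.count(it->first))
        return false;
      if (it->second.origin != null_svalue_id && !live.count(it->second.origin))
        return false;
    }
    return true;
  }
};

struct replay_result {
  bool valid;          // does validate() pass after the frame pop?
  bool ya_tainted;     // is the global still tracked as tainted?
  bool ya_origin_null; // was its origin reset?
};

// Replay the testcase: fread() taints n1[0] in ql's frame, `ya = n1[0]`
// propagates the taint to the global, then ql's frame is popped and n1[0]
// is purged.  The ids are constructed for this example.
replay_result replay_frame_pop(bool with_fix) {
  const svalue_id sv_n1_0 = 1; // local array element n1[0]
  const svalue_id sv_ya = 2;   // global ya
  std::set<svalue_id> live;
  live.insert(sv_n1_0);
  live.insert(sv_ya);

  sm_state_map taint;
  taint.set_state(sv_n1_0, TAINTED, null_svalue_id); // written by fread
  taint.set_state(sv_ya, TAINTED, sv_n1_0);          // ya = n1[0]
  assert(taint.validate(live));                      // consistent before the pop

  std::set<svalue_id> purged;
  purged.insert(sv_n1_0);
  live.erase(sv_n1_0);
  taint.on_svalue_purge(purged, with_fix);

  replay_result r;
  r.valid = taint.validate(live);
  std::map<svalue_id, entry_t>::const_iterator ya = taint.entries.find(sv_ya);
  r.ya_tainted = ya != taint.entries.end() && ya->second.state == TAINTED;
  r.ya_origin_null = ya != taint.entries.end() && ya->second.origin == null_svalue_id;
  return r;
}

int main() {
  replay_result before = replay_frame_pop(false);
  replay_result after = replay_frame_pop(true);
  std::printf("before fix: valid=%d  after fix: valid=%d ya_tainted=%d\n",
              before.valid, after.valid, after.ya_tainted);
  return 0;
}
```

The point worth noting for anyone extending the analyzer's state machines: the origin is bookkeeping used to explain a diagnostic, so it can be dropped when its svalue dies, whereas the state itself must survive the frame pop, otherwise taint that escaped into a global would be silently lost at every return.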