Bug 93451 - ICE: qsort checking failed (error: qsort comparator non-negative on sorted output: 0)
Status: RESOLVED FIXED
Alias: None
Product: gcc
Classification: Unclassified
Component: analyzer
Version: 10.0
Importance: P3 normal
Target Milestone: ---
Assignee: David Malcolm
URL:
Keywords: ice-on-valid-code
Depends on:
Blocks: qsort_chk
Reported: 2020-01-27 08:29 UTC by Arseny Solokha
Modified: 2020-01-28 02:03 UTC (History)

See Also:
Host:
Target:
Build:
Known to work:
Known to fail:
Last reconfirmed: 2020-01-27 00:00:00


Description Arseny Solokha 2020-01-27 08:29:38 UTC
gcc-10.0.0-alpha20200126 snapshot (g:787c79e559f5f011989b94298346d89542eb9052) ICEs when compiling the following testcase w/ -O1 -fanalyzer:

void
mt (double);

void
nm (void)
{
  double ao = 0.0;
  long int es = -1;

  mt (ao);
  ++ao;                  /* ao is now 1.0: a second double constant for the analyzer to track */
  mt (ao);
  mt (*(double *) &es);  /* the all-ones bit pattern of -1 reinterpreted as a double is a NaN */
}

% gcc-10.0.0 -O1 -fanalyzer -c gneu3e9x.c
gneu3e9x.c: In function 'nm':
gneu3e9x.c:10:3: error: qsort comparator non-negative on sorted output: 0
   10 |   mt (ao);
      |   ^~~~~~~
during IPA pass: analyzer
gneu3e9x.c:10:3: internal compiler error: qsort checking failed
0x790d0b qsort_chk_error
	/var/tmp/portage/sys-devel/gcc-10.0.0_alpha20200126/work/gcc-10-20200126/gcc/vec.c:214
0x790e2a qsort_chk(void*, unsigned long, unsigned long, int (*)(void const*, void const*, void*), void*)
	/var/tmp/portage/sys-devel/gcc-10.0.0_alpha20200126/work/gcc-10-20200126/gcc/vec.c:256
0x180d098 gcc_qsort(void*, unsigned long, unsigned long, int (*)(void const*, void const*))
	/var/tmp/portage/sys-devel/gcc-10.0.0_alpha20200126/work/gcc-10-20200126/gcc/sort.cc:270
0x11000c3 vec<ana::svalue_id, va_heap, vl_embed>::qsort(int (*)(void const*, void const*))
	/var/tmp/portage/sys-devel/gcc-10.0.0_alpha20200126/work/gcc-10-20200126/gcc/vec.h:1125
0x11000c3 vec<ana::svalue_id, va_heap, vl_ptr>::qsort(int (*)(void const*, void const*))
	/var/tmp/portage/sys-devel/gcc-10.0.0_alpha20200126/work/gcc-10-20200126/gcc/vec.h:1997
0x11000c3 ana::region_model::canonicalize(ana::region_model_context*)
	/var/tmp/portage/sys-devel/gcc-10.0.0_alpha20200126/work/gcc-10-20200126/gcc/analyzer/region-model.cc:3756
0x10f4e5a ana::program_state::prune_for_point(ana::exploded_graph&, ana::program_point const&, ana::state_change*) const
	/var/tmp/portage/sys-devel/gcc-10.0.0_alpha20200126/work/gcc-10-20200126/gcc/analyzer/program-state.cc:868
0x10e1be7 ana::exploded_graph::get_or_create_node(ana::program_point const&, ana::program_state const&, ana::state_change*)
	/var/tmp/portage/sys-devel/gcc-10.0.0_alpha20200126/work/gcc-10-20200126/gcc/analyzer/engine.cc:1845
0x10e4b79 ana::exploded_graph::process_node(ana::exploded_node*)
	/var/tmp/portage/sys-devel/gcc-10.0.0_alpha20200126/work/gcc-10-20200126/gcc/analyzer/engine.cc:2456
0x10e5342 ana::exploded_graph::process_worklist()
	/var/tmp/portage/sys-devel/gcc-10.0.0_alpha20200126/work/gcc-10-20200126/gcc/analyzer/engine.cc:2259
0x10e59c9 ana::impl_run_checkers(ana::logger*)
	/var/tmp/portage/sys-devel/gcc-10.0.0_alpha20200126/work/gcc-10-20200126/gcc/analyzer/engine.cc:3580
0x10e6463 ana::run_checkers()
	/var/tmp/portage/sys-devel/gcc-10.0.0_alpha20200126/work/gcc-10-20200126/gcc/analyzer/engine.cc:3634
0x10dbf08 execute
	/var/tmp/portage/sys-devel/gcc-10.0.0_alpha20200126/work/gcc-10-20200126/gcc/analyzer/analyzer-pass.cc:84
Comment 1 Martin Liška 2020-01-27 10:06:08 UTC
Confirmed, started with addition of -fanalyzer in r10-5950-g757bf1dff5e8cee3.
Comment 2 GCC Commits 2020-01-28 01:58:37 UTC
The master branch has been updated by David Malcolm <dmalcolm@gcc.gnu.org>:

https://gcc.gnu.org/g:8c08c983015e675f555d57a30e15d918abef2b93

commit r10-6271-g8c08c983015e675f555d57a30e15d918abef2b93
Author: David Malcolm <dmalcolm@redhat.com>
Date:   Mon Jan 27 16:23:43 2020 -0500

    analyzer: fix ICE when canonicalizing NaN (PR 93451)
    
    PR analyzer/93451 reports an ICE when canonicalizing the constants
    in a region_model, with a failed qsort_chk when attempting to sort
    the constants within the region_model.
    
    The svalues in the model were:
      sv0: {poisoned: uninit}
      sv1: {type: ‘double’, ‘0.0’}
      sv2: {type: ‘double’, ‘1.0e+0’}
      sv3: {type: ‘double’, ‘ Nan’}
    
    The qsort_chk of the 3 constants fails due to tree_cmp using the
    LT_EXPR ordering of the REAL_CSTs, which doesn't work for NaN.
    
    This patch adjusts tree_cmp to impose an arbitrary ordering during
    canonicalization for UNORDERED_EXPR cases w/o relying on the LT_EXPR
    ordering, fixing the ICE.
    
    gcc/analyzer/ChangeLog:
    	PR analyzer/93451
    	* region-model.cc (tree_cmp): For the REAL_CST case, impose an
    	arbitrary order on NaNs relative to other NaNs and to non-NaNs;
    	const-correctness tweak.
    	(ana::selftests::build_real_cst_from_string): New function.
    	(ana::selftests::append_interesting_constants): New function.
    	(ana::selftests::test_tree_cmp_on_constants): New test.
    	(ana::selftests::test_canonicalization_4): New test.
    	(ana::selftests::analyzer_region_model_cc_tests): Call the new
    	tests.
    
    gcc/testsuite/ChangeLog:
    	PR analyzer/93451
    	* gcc.dg/analyzer/torture/pr93451.c: New test.
Comment 3 David Malcolm 2020-01-28 02:03:20 UTC
Should be fixed by the above commit.
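An added example, not code from the bug report or from the fix commit, showing the comparator shape the commit message describes (ordering REAL_CSTs only through LT_EXPR), a total order of the kind the fix imposes, and a checker modelled on gcc's qsort_chk that reports the same failure class; cmp_lt_only, cmp_total and check_sorted are names assumed here, not gcc's tree_cmp, and the constants 0.0, 1.0 and NaN mirror sv1..sv3 from the commit message.

```c
#include <math.h>
#include <stdint.h>
#include <string.h>

typedef int (*cmp_fn)(const void *, const void *);

/* Comparator shaped like the broken one: only '<' (LT_EXPR) is consulted,
   which is false both ways for a NaN, so NaN compares "equal" to anything
   while 0.0 < 1.0 still orders; the result is not a total order. */
static int cmp_lt_only(const void *pa, const void *pb)
{
  double a = *(const double *)pa, b = *(const double *)pb;
  return a < b ? -1 : (b < a ? 1 : 0);
}

/* Total order of the kind the fix imposes: non-NaNs by value, every NaN
   after every non-NaN, NaNs among themselves by bit pattern (assumes 64-bit double). */
static int cmp_total(const void *pa, const void *pb)
{
  double a = *(const double *)pa, b = *(const double *)pb;
  int an = isnan(a) != 0, bn = isnan(b) != 0;
  if (an != bn) return an - bn;
  if (!an) return (a > b) - (a < b);
  uint64_t ua, ub;
  memcpy(&ua, &a, sizeof ua);
  memcpy(&ub, &b, sizeof ub);
  return (ua > ub) - (ua < ub);
}

/* Checker modelled on gcc's qsort_chk: each maximal run of mutually equal
   elements must be internally equal and compare strictly below all later
   elements.  Returns 0 if consistent, 1 for "non-negative on sorted output"
   (this bug's failure), 2 for a non-anti-symmetric pair, 3 for a
   non-transitive triple. */
static int check_sorted(const double *v, size_t n, cmp_fn cmp)
{
  for (size_t i1 = 0, i2; i1 < n; i1 = i2) {
    for (i2 = i1 + 1; i2 < n && cmp(&v[i1], &v[i2]) == 0; i2++)
      if (cmp(&v[i2], &v[i1]) != 0) return 2;
    for (size_t i = i1 + 1; i + 1 < i2; i++)
      for (size_t j = i + 1; j < i2; j++)
        if (cmp(&v[i], &v[j]) != 0) return 3;
    for (size_t i = i1; i < i2; i++)
      for (size_t j = i2; j < n; j++) {
        if (cmp(&v[i], &v[j]) >= 0) return 1;
        if (cmp(&v[j], &v[i]) <= 0) return 2;
      }
  }
  return 0;
}
```

Running check_sorted over {0.0, 1.0, NaN} with cmp_lt_only returns 1, the same "non-negative on sorted output: 0" class reported in the ICE, whereas cmp_total passes; with the NaN placed first the LT-only comparator instead trips the transitivity check, so no placement of NaN satisfies the checker.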