[Bug analyzer/93374] ICE in validate, at analyzer/region-model.cc:182

cvs-commit at gcc dot gnu.org gcc-bugzilla@gcc.gnu.org
Tue Feb 11 18:38:00 GMT 2020


https://gcc.gnu.org/bugzilla/show_bug.cgi?id=93374

--- Comment #1 from CVS Commits <cvs-commit at gcc dot gnu.org> ---
The master branch has been updated by David Malcolm <dmalcolm@gcc.gnu.org>:

https://gcc.gnu.org/g:a60d98890bba58649c26c2fc0c6f28cd6073aaaf

commit r10-6582-ga60d98890bba58649c26c2fc0c6f28cd6073aaaf
Author: David Malcolm <dmalcolm@redhat.com>
Date:   Tue Feb 11 10:52:40 2020 -0500

    analyzer: fix ICE due to missing state_change purging (PR 93374)

    PR analyzer/93374 reports an ICE within state_change::validate due to an
    m_new_sid in a recorded state-change being out of range of the svalues
    of the region_model of the new state.

    During get_or_create_node we attempt to merge the new state with the
    state of each of the existing enodes at the program point (in the
    absence of sm-state differences), simplifying the state at each
    attempt, and potentially reusing a node if we get a match.

    This state-merging invalidates any svalue_ids within any state_change
    object.

    The root cause is that, although the code was purging any such
    svalue_ids for the case where no match was found during merging, it was
    failing to purge them for the case where a matching enode *was* found
    for the merged state, leading to an invalid state_change along the
    exploded_edge to the reused enode.

    This patch moves the invalidation code to cover both cases, fixing the
    ICE.  It also extends state_change validation so that states are also
    checked.

    gcc/analyzer/ChangeLog:
        PR analyzer/93374
        * engine.cc (exploded_edge::exploded_edge): Add ext_state param
        and pass it to change.validate.
        (exploded_graph::get_or_create_node): Move purging of change
        svalues to also cover the case of reusing an existing enode.
        (exploded_graph::add_edge): Pass m_ext_state to exploded_edge's
        ctor.
        * exploded-graph.h (exploded_edge::exploded_edge): Add ext_state
        param.
        * program-state.cc (state_change::sm_change::validate): Likewise.
        Assert that m_sm_idx is sane.  Use ext_state to validate
        m_old_state and m_new_state.
        (state_change::validate): Add ext_state param and pass it to
        the sm_change validate calls.
        * program-state.h (state_change::sm_change::validate): Add
        ext_state param.
        (state_change::validate): Likewise.

    gcc/testsuite/ChangeLog:
        PR analyzer/93374
        * gcc.dg/analyzer/torture/pr93374.c: New test.
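
The failure mode described in the commit message above, as an added toy model that is not GCC's code: ids recorded against a state go stale when merging simplifies it, so they must be purged on the node-reuse path as well as the node-creation path. `State`, `Change`, `Graph`, `simplify` and `edge_is_valid` are hypothetical names, and the duplicate-dropping simplification is an assumption standing in for the analyzer's real state merging.

```cpp
// Toy model of the bug class, added for illustration; this is not GCC's code.
#include <cstddef>
#include <vector>

struct State {                 // stands in for a program state's value table
    std::vector<int> svalues;  // an "svalue id" is an index into this table
    bool operator==(const State &o) const { return svalues == o.svalues; }
};

struct Change {                // stands in for a recorded state change
    int new_sid;               // index into the new state's table; -1 == purged
    bool valid_for(const State &s) const {
        return new_sid < static_cast<int>(s.svalues.size());
    }
};

// Simplification during merging: drop duplicates, which renumbers the table.
State simplify(const State &s) {
    State out;
    for (int v : s.svalues) {
        bool seen = false;
        for (int w : out.svalues) seen = seen || (w == v);
        if (!seen) out.svalues.push_back(v);
    }
    return out;
}

struct Graph {
    std::vector<State> nodes;
    // purge_on_reuse == false has the shape of the bug; true, of the fix.
    std::size_t get_or_create(const State &s, Change &c, bool purge_on_reuse) {
        State merged = simplify(s);      // ids recorded against `s` are now stale
        for (std::size_t i = 0; i < nodes.size(); ++i)
            if (nodes[i] == merged) {    // match found: reuse the existing node
                if (purge_on_reuse) c.new_sid = -1;
                return i;
            }
        c.new_sid = -1;                  // no match: this path always purged
        nodes.push_back(merged);
        return nodes.size() - 1;
    }
};

// True if the change recorded on the edge to the reused node validates.
bool edge_is_valid(bool purge_on_reuse) {
    Graph g;
    Change first{2}, second{2};          // id 2 is valid in {7, 7, 9}
    g.get_or_create(State{{7, 7, 9}}, first, purge_on_reuse);  // node 0: {7, 9}
    std::size_t n = g.get_or_create(State{{7, 7, 9}}, second, purge_on_reuse);
    return second.valid_for(g.nodes[n]); // {7, 9} only has ids 0 and 1
}
```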

