[Bug analyzer/104452] New: [12 Regression] ICE: in hashtab_chk_error, at hash-table.cc:137 with -O -fanalyzer

zsojka at seznam dot cz gcc-bugzilla@gcc.gnu.org
Tue Feb 8 21:04:26 GMT 2022


https://gcc.gnu.org/bugzilla/show_bug.cgi?id=104452

            Bug ID: 104452
           Summary: [12 Regression] ICE: in hashtab_chk_error, at
                    hash-table.cc:137 with -O -fanalyzer
           Product: gcc
           Version: 12.0
            Status: UNCONFIRMED
          Keywords: ice-on-valid-code
          Severity: normal
          Priority: P3
         Component: analyzer
          Assignee: dmalcolm at gcc dot gnu.org
          Reporter: zsojka at seznam dot cz
  Target Milestone: ---
              Host: x86_64-pc-linux-gnu
            Target: x86_64-pc-linux-gnu

Created attachment 52381
  --> https://gcc.gnu.org/bugzilla/attachment.cgi?id=52381&action=edit
reduced testcase

Compiler output:
$ x86_64-pc-linux-gnu-gcc -O -fanalyzer testcase.c 
hash table checking failed: equal operator returns true for a pair of values
with a different hash value
during IPA pass: analyzer
testcase.c: In function 'foo':
testcase.c:6:10: internal compiler error: in hashtab_chk_error, at
hash-table.cc:137
    6 |     if (x[i])
      |         ~^~~
0xcf15af hashtab_chk_error()
        /repo/gcc-trunk/gcc/hash-table.cc:137
0x176ba61 hash_table<hash_map<ana::bit_range_region::key_t,
ana::bit_range_region*,
simple_hashmap_traits<default_hash_traits<ana::bit_range_region::key_t>,
ana::bit_range_region*> >::hash_entry, false,
xcallocator>::verify(ana::bit_range_region::key_t const&, unsigned int)
        /repo/gcc-trunk/gcc/hash-table.h:1036
0x17637eb hash_table<hash_map<ana::bit_range_region::key_t,
ana::bit_range_region*,
simple_hashmap_traits<default_hash_traits<ana::bit_range_region::key_t>,
ana::bit_range_region*> >::hash_entry, false,
xcallocator>::find_with_hash(ana::bit_range_region::key_t const&, unsigned int)
        /repo/gcc-trunk/gcc/hash-table.h:921
0x17637eb hash_map<ana::bit_range_region::key_t, ana::bit_range_region*,
simple_hashmap_traits<default_hash_traits<ana::bit_range_region::key_t>,
ana::bit_range_region*> >::get(ana::bit_range_region::key_t const&)
        /repo/gcc-trunk/gcc/hash-map.h:189
0x17637eb
consolidation_map<ana::bit_range_region>::get(ana::bit_range_region::key_t
const&) const
        /repo/gcc-trunk/gcc/analyzer/analyzer.h:371
0x17637eb ana::region_model_manager::get_bit_range(ana::region const*,
tree_node*, ana::bit_range const&)
        /repo/gcc-trunk/gcc/analyzer/region-model-manager.cc:1507
0x1740f54 ana::region_model::get_lvalue_1(ana::path_var,
ana::region_model_context*) const
        /repo/gcc-trunk/gcc/analyzer/region-model.cc:1724
0x17410d9 ana::region_model::get_lvalue(ana::path_var,
ana::region_model_context*) const
        /repo/gcc-trunk/gcc/analyzer/region-model.cc:1818
0x17410d9 ana::region_model::get_lvalue(tree_node*, ana::region_model_context*)
const
        /repo/gcc-trunk/gcc/analyzer/region-model.cc:1829
0x17416e0 ana::region_model::get_region_for_poisoned_expr(tree_node*) const
        /repo/gcc-trunk/gcc/analyzer/region-model.cc:886
0x17416e0 ana::region_model::check_for_poison(ana::svalue const*, tree_node*,
ana::region_model_context*) const
        /repo/gcc-trunk/gcc/analyzer/region-model.cc:855
0x172723b ana::impl_sm_context::is_zero_assignment(gimple const*)
        /repo/gcc-trunk/gcc/analyzer/engine.cc:485
0x177149c on_stmt
        /repo/gcc-trunk/gcc/analyzer/sm-malloc.cc:1700
0x171f5c6 ana::exploded_node::on_stmt(ana::exploded_graph&, ana::supernode
const*, gimple const*, ana::program_state*, ana::uncertainty_t*,
ana::path_context*)
        /repo/gcc-trunk/gcc/analyzer/engine.cc:1324
0x172269d ana::exploded_graph::process_node(ana::exploded_node*)
        /repo/gcc-trunk/gcc/analyzer/engine.cc:3694
0x1723682 ana::exploded_graph::process_worklist()
        /repo/gcc-trunk/gcc/analyzer/engine.cc:3137
0x1725b86 ana::impl_run_checkers(ana::logger*)
        /repo/gcc-trunk/gcc/analyzer/engine.cc:5716
0x17269fe ana::run_checkers()
        /repo/gcc-trunk/gcc/analyzer/engine.cc:5787
0x1715f98 execute
        /repo/gcc-trunk/gcc/analyzer/analyzer-pass.cc:87
Please submit a full bug report, with preprocessed source (by using
-freport-bug).
Please include the complete backtrace with any bug report.
See <https://gcc.gnu.org/bugs/> for instructions.


Sometimes the compilation succeeds:
$ x86_64-pc-linux-gnu-gcc -O -fanalyzer testcase.c 
testcase.c: In function 'foo':
testcase.c:6:10: warning: use of uninitialized value '((int*)&x)[0]' [CWE-457]
[-Wanalyzer-use-of-uninitialized-value]
    6 |     if (x[i])
      |         ~^~~
  'foo': event 1
    |
    |    6 |     if (x[i])
    |      |         ~^~~
    |      |          |
    |      |          (1) use of uninitialized value '((int*)&x)[0]' here
    |
testcase.c:6:10: warning: use of uninitialized value '((int*)&x)[0]' [CWE-457]
[-Wanalyzer-use-of-uninitialized-value]
  'foo': event 1
    |
    |    6 |     if (x[i])
    |      |         ~^~~
    |      |          |
    |      |          (1) use of uninitialized value '((int*)&x)[0]' here
    |
/usr/bin/x86_64-pc-linux-gnu-ld: /usr/lib/../lib64/crt1.o: in function
`_start':
(.text+0x20): undefined reference to `main'
collect2: error: ld returned 1 exit status


Valgrind reports several "uninitialised" uses:
$ x86_64-pc-linux-gnu-gcc -O -fanalyzer testcase.c -wrapper
valgrind,-q,--track-origins=yes
==30624== Use of uninitialised value of size 8
==30624==    at 0x17634FE: is_empty<hash_map<ana::bit_range_region::key_t,
ana::bit_range_region*,
simple_hashmap_traits<default_hash_traits<ana::bit_range_region::key_t>,
ana::bit_range_region*> >::hash_entry> (hash-map-traits.h:73)
==30624==    by 0x17634FE: is_empty (hash-map.h:71)
==30624==    by 0x17634FE: is_empty (hash-table.h:541)
==30624==    by 0x17634FE: find_with_hash (hash-table.h:925)
==30624==    by 0x17634FE: get (hash-map.h:189)
==30624==    by 0x17634FE: get (analyzer.h:371)
==30624==    by 0x17634FE: ana::region_model_manager::get_bit_range(ana::region
const*, tree_node*, ana::bit_range const&) (region-model-manager.cc:1507)
==30624==    by 0x1740F54: ana::region_model::get_lvalue_1(ana::path_var,
ana::region_model_context*) const (region-model.cc:1724)
==30624==    by 0x17410D9: get_lvalue (region-model.cc:1818)
==30624==    by 0x17410D9: ana::region_model::get_lvalue(tree_node*,
ana::region_model_context*) const (region-model.cc:1829)
==30624==    by 0x17416E0: get_region_for_poisoned_expr (region-model.cc:886)
==30624==    by 0x17416E0: ana::region_model::check_for_poison(ana::svalue
const*, tree_node*, ana::region_model_context*) const (region-model.cc:855)
==30624==    by 0x1746B5C: ana::region_model::on_assignment(gassign const*,
ana::region_model_context*) (region-model.cc:903)
==30624==    by 0x171F498: ana::exploded_node::on_stmt(ana::exploded_graph&,
ana::supernode const*, gimple const*, ana::program_state*, ana::uncertainty_t*,
ana::path_context*) (engine.cc:1305)
==30624==    by 0x172269D:
ana::exploded_graph::process_node(ana::exploded_node*) (engine.cc:3694)
==30624==    by 0x1723682: ana::exploded_graph::process_worklist()
(engine.cc:3137)
==30624==    by 0x1725B86: ana::impl_run_checkers(ana::logger*)
(engine.cc:5716)
==30624==    by 0x17269FE: ana::run_checkers() (engine.cc:5787)
==30624==    by 0x1715F98: (anonymous
namespace)::pass_analyzer::execute(function*) (analyzer-pass.cc:87)
==30624==    by 0x127E0DA: execute_one_pass(opt_pass*) (passes.cc:2637)
==30624==  Uninitialised value was created by a stack allocation
==30624==    at 0x1740A89: ana::region_model::get_lvalue_1(ana::path_var,
ana::region_model_context*) const (region-model.cc:1690)
==30624== 
==30624== Use of uninitialised value of size 8
...


$ x86_64-pc-linux-gnu-gcc -v
Using built-in specs.
COLLECT_GCC=/repo/gcc-trunk/binary-latest-amd64/bin/x86_64-pc-linux-gnu-gcc
COLLECT_LTO_WRAPPER=/repo/gcc-trunk/binary-trunk-r12-7089-20220208123931-g0103c2e4082-checking-yes-rtl-df-extra-amd64/bin/../libexec/gcc/x86_64-pc-linux-gnu/12.0.1/lto-wrapper
Target: x86_64-pc-linux-gnu
Configured with: /repo/gcc-trunk//configure --enable-languages=c,c++
--enable-valgrind-annotations --disable-nls --enable-checking=yes,rtl,df,extra
--with-cloog --with-ppl --with-isl --build=x86_64-pc-linux-gnu
--host=x86_64-pc-linux-gnu --target=x86_64-pc-linux-gnu
--with-ld=/usr/bin/x86_64-pc-linux-gnu-ld
--with-as=/usr/bin/x86_64-pc-linux-gnu-as --disable-libstdcxx-pch
--prefix=/repo/gcc-trunk//binary-trunk-r12-7089-20220208123931-g0103c2e4082-checking-yes-rtl-df-extra-amd64
Thread model: posix
Supported LTO compression algorithms: zlib zstd
gcc version 12.0.1 20220208 (experimental) (GCC)
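
The consistency rule named in the ICE message ("equal operator returns true for a pair of values with a different hash value") can be shown in miniature. This is an added example, not GCC's code and not a diagnosis of this bug. The `Key` type, its `slack` bytes and every function name are hypothetical, and the sample keys are constructed.

```cpp
#include <cstdint>
#include <cstdio>
#include <cstring>
#include <vector>

// Hypothetical key: two logical fields plus bytes that equality never reads.
struct Key {
    std::uint32_t start, size;
    unsigned char slack[8];   // stands in for padding or a member left unset
};

// Equality compares only the logical fields.
static bool key_equal(const Key &a, const Key &b) {
    return a.start == b.start && a.size == b.size;
}

// FNV-1a over a byte range.
static std::uint32_t fnv1a(const void *p, std::size_t n) {
    const unsigned char *b = static_cast<const unsigned char *>(p);
    std::uint32_t h = 2166136261u;
    for (std::size_t i = 0; i < n; ++i) { h ^= b[i]; h *= 16777619u; }
    return h;
}

// Inconsistent hash: covers the whole object, slack bytes included.
static std::uint32_t hash_raw(const Key &k) { return fnv1a(&k, sizeof k); }

// Consistent hash: covers exactly what key_equal compares.
static std::uint32_t hash_fields(const Key &k) {
    std::uint32_t f[2] = { k.start, k.size };
    return fnv1a(f, sizeof f);
}

// Count stored entries that compare equal to the probe but hash differently.
// A non-zero count means a lookup can miss an entry that is present.
template <typename Hash>
static int count_violations(const std::vector<Key> &t, const Key &probe, Hash hash) {
    int bad = 0;
    for (const Key &e : t)
        if (hash(e) != hash(probe) && key_equal(e, probe)) ++bad;
    return bad;
}

// Constructed sample key; `stale` models one leftover byte in the slack area.
static Key make_key(std::uint32_t start, std::uint32_t size, unsigned char stale) {
    Key k; std::memset(&k, 0, sizeof k);
    k.start = start; k.size = size; k.slack[0] = stale;
    return k;
}

int main() {
    std::vector<Key> table = { make_key(0, 32, 0x00) };
    Key probe = make_key(0, 32, 0xAA);
    std::printf("raw: %d  fields: %d\n", count_violations(table, probe, hash_raw),
                count_violations(table, probe, hash_fields));
}
```

When the bytes feeding the hash are not under the program's control, the mismatch appears only on some runs, so a check like this is worth keeping enabled in test builds.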

