public inbox for gcc-bugs@sourceware.org
* [Bug analyzer/106845] New: [13 Regression] ICE in exceeds_p, at analyzer/store.cc:464
From: asolokha at gmx dot com @ 2022-09-06 7:06 UTC (permalink / raw)
To: gcc-bugs
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=106845
Bug ID: 106845
Summary: [13 Regression] ICE in exceeds_p, at
analyzer/store.cc:464
Product: gcc
Version: 13.0
Status: UNCONFIRMED
Severity: normal
Priority: P3
Component: analyzer
Assignee: dmalcolm at gcc dot gnu.org
Reporter: asolokha at gmx dot com
CC: tlange at gcc dot gnu.org
Target Milestone: ---
gcc 13.0.0 20220904 snapshot (g:20d30e737ad79dc36817e59f1676aa8bc0c6b325) ICEs
when compiling the following testcase w/ -fanalyzer:
int buf_size;

int
main (void)
{
  char buf[buf_size];                        /* VLA; buf_size is still 0 here, so buf has 0 bytes */

  __builtin_memset (&buf[1], 0, buf_size);   /* 0-byte write at &buf[1]: this call triggers the ICE */
  return 0;
}
% gcc-13.0.0 -fanalyzer -c vuqxegnn.c
during IPA pass: analyzer
vuqxegnn.c: In function 'main':
vuqxegnn.c:8:3: internal compiler error: in exceeds_p, at analyzer/store.cc:464
    8 |   __builtin_memset (&buf[1], 0, buf_size);
      |   ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
0x7cd727 ana::byte_range::exceeds_p(ana::byte_range const&, ana::byte_range*)
const
/var/tmp/portage/sys-devel/gcc-13.0.0_p20220904/work/gcc-13-20220904/gcc/analyzer/store.cc:464
0x12d8d97 ana::region_model::check_region_bounds(ana::region const*,
ana::access_direction, ana::region_model_context*) const
/var/tmp/portage/sys-devel/gcc-13.0.0_p20220904/work/gcc-13-20220904/gcc/analyzer/region-model.cc:1658
0x12d9121 ana::region_model::check_region_access(ana::region const*,
ana::access_direction, ana::region_model_context*) const
/var/tmp/portage/sys-devel/gcc-13.0.0_p20220904/work/gcc-13-20220904/gcc/analyzer/region-model.cc:3234
0x12d9121 ana::region_model::check_region_for_write(ana::region const*,
ana::region_model_context*) const
/var/tmp/portage/sys-devel/gcc-13.0.0_p20220904/work/gcc-13-20220904/gcc/analyzer/region-model.cc:3255
0x12f03e8 ana::region_model::impl_call_memset(ana::call_details const&)
/var/tmp/portage/sys-devel/gcc-13.0.0_p20220904/work/gcc-13-20220904/gcc/analyzer/region-model-impl-calls.cc:548
0x12debc0 ana::region_model::on_call_pre(gcall const*,
ana::region_model_context*, bool*)
/var/tmp/portage/sys-devel/gcc-13.0.0_p20220904/work/gcc-13-20220904/gcc/analyzer/region-model.cc:1953
0x12e9a12 ana::region_model::on_stmt_pre(gimple const*, bool*, bool*,
ana::region_model_context*)
/var/tmp/portage/sys-devel/gcc-13.0.0_p20220904/work/gcc-13-20220904/gcc/analyzer/region-model.cc:1257
0x12b5878 ana::exploded_node::on_stmt(ana::exploded_graph&, ana::supernode
const*, gimple const*, ana::program_state*, ana::uncertainty_t*,
ana::path_context*)
/var/tmp/portage/sys-devel/gcc-13.0.0_p20220904/work/gcc-13-20220904/gcc/analyzer/engine.cc:1430
0x12b871f ana::exploded_graph::process_node(ana::exploded_node*)
/var/tmp/portage/sys-devel/gcc-13.0.0_p20220904/work/gcc-13-20220904/gcc/analyzer/engine.cc:3868
0x12b974a ana::exploded_graph::process_worklist()
/var/tmp/portage/sys-devel/gcc-13.0.0_p20220904/work/gcc-13-20220904/gcc/analyzer/engine.cc:3271
0x12bbe3c ana::impl_run_checkers(ana::logger*)
/var/tmp/portage/sys-devel/gcc-13.0.0_p20220904/work/gcc-13-20220904/gcc/analyzer/engine.cc:5912
0x12bce8e ana::run_checkers()
/var/tmp/portage/sys-devel/gcc-13.0.0_p20220904/work/gcc-13-20220904/gcc/analyzer/engine.cc:5986
0x12abdf8 execute
/var/tmp/portage/sys-devel/gcc-13.0.0_p20220904/work/gcc-13-20220904/gcc/analyzer/analyzer-pass.cc:87
^ permalink raw reply [flat|nested] 9+ messages in thread
* [Bug analyzer/106845] [13 Regression] ICE in exceeds_p, at analyzer/store.cc:464 since r13-2029-g7e3b45befdbbf1a1
From: marxin at gcc dot gnu.org @ 2022-09-06 9:00 UTC (permalink / raw)
To: gcc-bugs
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=106845
Martin Liška <marxin at gcc dot gnu.org> changed:
What |Removed |Added
----------------------------------------------------------------------------
Last reconfirmed| |2022-09-06
CC| |marxin at gcc dot gnu.org
Ever confirmed|0 |1
Status|UNCONFIRMED |NEW
Summary|[13 Regression] ICE in |[13 Regression] ICE in
|exceeds_p, at |exceeds_p, at
|analyzer/store.cc:464 |analyzer/store.cc:464 since
| |r13-2029-g7e3b45befdbbf1a1
--- Comment #1 from Martin Liška <marxin at gcc dot gnu.org> ---
Started with r13-2029-g7e3b45befdbbf1a1.
* [Bug analyzer/106845] [13 Regression] ICE in exceeds_p, at analyzer/store.cc:464 since r13-2029-g7e3b45befdbbf1a1
From: rguenth at gcc dot gnu.org @ 2022-09-06 9:24 UTC (permalink / raw)
To: gcc-bugs
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=106845
Richard Biener <rguenth at gcc dot gnu.org> changed:
What |Removed |Added
----------------------------------------------------------------------------
Target Milestone|--- |13.0
* [Bug analyzer/106845] [13 Regression] ICE in exceeds_p, at analyzer/store.cc:464 since r13-2029-g7e3b45befdbbf1a1
From: dmalcolm at gcc dot gnu.org @ 2022-09-06 13:36 UTC (permalink / raw)
To: gcc-bugs
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=106845
--- Comment #2 from David Malcolm <dmalcolm at gcc dot gnu.org> ---
Failing assertion here:
#1  0x00000000014df116 in ana::byte_range::exceeds_p (this=0x7fffffffbf80,
    other=..., out_overhanging_byte_range=0x7fffffffbfc0)
    at ../../src/gcc/analyzer/store.cc:464
464       gcc_assert (size > 0);
(gdb) list
459     {
460       /* THIS definitely exceeds OTHER. */
461       byte_offset_t start = MAX (get_start_byte_offset (),
462                                  other.get_next_byte_offset ());
463       byte_offset_t size = get_next_byte_offset () - start;
464       gcc_assert (size > 0);
465       out_overhanging_byte_range->m_start_byte_offset = start;
466       out_overhanging_byte_range->m_size_in_bytes = size;
467       return true;
468     }
where "this" and "other" are both empty, having 0 size:
(gdb) call this->dump()
bytes 1-0
(gdb) call other.dump()
bytes 0--1
because the cst_capacity_tree in the region_model::check_region_bounds caller is
zero.
* [Bug analyzer/106845] [13 Regression] ICE in exceeds_p, at analyzer/store.cc:464 since r13-2029-g7e3b45befdbbf1a1
From: tlange at gcc dot gnu.org @ 2022-09-06 15:18 UTC (permalink / raw)
To: gcc-bugs
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=106845
--- Comment #3 from Tim Lange <tlange at gcc dot gnu.org> ---
Thanks for the report!
(In reply to David Malcolm from comment #2)
> (gdb) call this->dump()
> bytes 1-0
This should be the read_bytes in region_model::check_region_bounds, with the
start being the offset and the last byte being the offset + num_bytes - 1. So
the number of accessed bytes seems to return 0.
I do use get_byte_size_sval () to retrieve the num_bytes. For the sized_region,
the m_byte_size_sval is returned, which is set to buf_size aka 0 inside
impl_call_memset. So the bug is that the caller proceeds to check for overflows
even if no bytes are accessed.
Solutions would be:
1. Bail out in the region_model::check_region_bounds if (tree_int_cst_equal
(num_bytes_tree, integer_zero_node)). Maybe also add an assertion to the
constructor of byte_range that m_size_in_bytes > 0.
2. Returning false if either THIS or OTHER has a size == 0 in
byte_range::exceeds_p and byte_range::falls_short_p.
It seems to me that the implementations of byte_range/bit_range
get_last_byte_offset () already assume that m_size_in_bytes should be greater
than zero. So I think the first one should be the preferred fix.
* [Bug analyzer/106845] [13 Regression] ICE in exceeds_p, at analyzer/store.cc:464 since r13-2029-g7e3b45befdbbf1a1
From: dmalcolm at gcc dot gnu.org @ 2022-09-06 15:23 UTC (permalink / raw)
To: gcc-bugs
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=106845
--- Comment #4 from David Malcolm <dmalcolm at gcc dot gnu.org> ---
(In reply to Tim Lange from comment #3)
> It seems to me that the implementations of byte_range/bit_range
> get_last_byte_offset () already assume that m_size_in_bytes should be
> greater than zero. So I think the first one should be the preferred fix.
Sounds right to me; do you want to assign yourself this one?
* [Bug analyzer/106845] [13 Regression] ICE in exceeds_p, at analyzer/store.cc:464 since r13-2029-g7e3b45befdbbf1a1
From: tlange at gcc dot gnu.org @ 2022-09-06 15:32 UTC (permalink / raw)
To: gcc-bugs
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=106845
Tim Lange <tlange at gcc dot gnu.org> changed:
What |Removed |Added
----------------------------------------------------------------------------
Assignee|dmalcolm at gcc dot gnu.org |tlange at gcc dot gnu.org
Status|NEW |ASSIGNED
* [Bug analyzer/106845] [13 Regression] ICE in exceeds_p, at analyzer/store.cc:464 since r13-2029-g7e3b45befdbbf1a1
From: cvs-commit at gcc dot gnu.org @ 2022-09-11 22:02 UTC (permalink / raw)
To: gcc-bugs
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=106845
--- Comment #5 from CVS Commits <cvs-commit at gcc dot gnu.org> ---
The master branch has been updated by Tim Lange <tlange@gcc.gnu.org>:
https://gcc.gnu.org/g:0ea5e3f4542832b8da016b152695e64a2a386309
commit r13-2582-g0ea5e3f4542832b8da016b152695e64a2a386309
Author: Tim Lange <mail@tim-lange.me>
Date: Sat Sep 10 23:53:48 2022 +0200
analyzer: consider empty ranges and zero byte accesses [PR106845]
This patch adds handling of empty ranges in bit_range and byte_range and
adds an assertion to member functions that assume a positive size.
Further, the patch fixes an ICE caused by an empty byte_range passed to
byte_range::exceeds_p.
Regression-tested on Linux x86_64.
2022-09-10 Tim Lange <mail@tim-lange.me>
gcc/analyzer/ChangeLog:
PR analyzer/106845
* region-model.cc (region_model::check_region_bounds):
Bail out if 0 bytes were accessed.
* store.cc (byte_range::dump_to_pp):
Add special case for empty ranges.
(byte_range::exceeds_p): Restrict to non-empty ranges.
(byte_range::falls_short_of_p): Restrict to non-empty ranges.
* store.h (bit_range::empty_p): New function.
(bit_range::get_last_byte_offset): Restrict to non-empty ranges.
(byte_range::empty_p): New function.
(byte_range::get_last_byte_offset): Restrict to non-empty ranges.
gcc/testsuite/ChangeLog:
PR analyzer/106845
* gcc.dg/analyzer/out-of-bounds-zero.c: New test.
* gcc.dg/analyzer/pr106845.c: New test.
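The following is an added, self-contained C++ model of the logic discussed in comment #3 and in the r13-2582 commit message above: a byte_range with an explicit empty_p (), exceeds_p / falls_short_of_p restricted to non-empty ranges, and a check_region_bounds stand-in that bails out on a zero-byte access before any range is built. It is not GCC's code and is not from anyone in this thread; the identifiers mirror the names on the page, but every body is a simplification written for illustration, and the treatment of a zero-capacity buffer (any non-empty access overflows) is this example's own choice, not taken from the analyzer.

```cpp
// Added example modelling the byte_range bounds check from comment #3 and the
// r13-2582 commit message.  Not GCC's code: the identifiers mirror the page,
// but every body is a simplified stand-in written for illustration.
#include <algorithm>
#include <cassert>
#include <cstdint>
#include <cstdio>

typedef int64_t byte_offset_t;

struct byte_range
{
  byte_offset_t m_start_byte_offset;
  byte_offset_t m_size_in_bytes;

  byte_range (byte_offset_t start, byte_offset_t size)
    : m_start_byte_offset (start), m_size_in_bytes (size)
  { assert (size >= 0); }                 /* an empty (size 0) range is legal */

  bool empty_p () const { return m_size_in_bytes == 0; }
  byte_offset_t get_start_byte_offset () const { return m_start_byte_offset; }
  byte_offset_t get_next_byte_offset () const
  { return m_start_byte_offset + m_size_in_bytes; }
  /* Only meaningful for a non-empty range: the unchecked pre-fix assumption.  */
  byte_offset_t get_last_byte_offset () const
  { assert (!empty_p ()); return get_next_byte_offset () - 1; }

  /* Does THIS run past the end of OTHER?  On success *OUT receives the
     overhanging part.  Both ranges must be non-empty.  */
  bool exceeds_p (const byte_range &other, byte_range *out) const
  {
    assert (!empty_p () && !other.empty_p ());
    if (get_last_byte_offset () <= other.get_last_byte_offset ())
      return false;
    byte_offset_t start = std::max (get_start_byte_offset (),
                                    other.get_next_byte_offset ());
    byte_offset_t size = get_next_byte_offset () - start;
    assert (size > 0);             /* the assertion that fired in PR106845 */
    *out = byte_range (start, size);
    return true;
  }

  /* Does THIS start before OTHER?  On success *OUT receives the part that
     lies before OTHER.  Both ranges must be non-empty.  */
  bool falls_short_of_p (const byte_range &other, byte_range *out) const
  {
    assert (!empty_p () && !other.empty_p ());
    if (get_start_byte_offset () >= other.get_start_byte_offset ())
      return false;
    byte_offset_t start = get_start_byte_offset ();
    byte_offset_t size = std::min (get_next_byte_offset (),
                                   other.get_start_byte_offset ()) - start;
    assert (size > 0);
    *out = byte_range (start, size);
    return true;
  }
};

enum bounds_result { BOUNDS_OK, BOUNDS_EMPTY_ACCESS, BOUNDS_OVERFLOW,
                     BOUNDS_UNDERFLOW };

/* Stand-in for region_model::check_region_bounds: does an access of NUM_BYTES
   at OFFSET stay inside a buffer of CAPACITY bytes?  On overflow/underflow
   *OUT_BAD (if given) receives the out-of-bounds byte range.  */
bounds_result
check_region_bounds (byte_offset_t capacity, byte_offset_t offset,
                     byte_offset_t num_bytes, byte_range *out_bad = nullptr)
{
  /* The fix: a zero-byte access (memset with length 0, the PR's testcase)
     touches nothing, so bail out before building any range.  Before
     r13-2582 this case reached exceeds_p with an empty THIS.  */
  if (num_bytes == 0)
    return BOUNDS_EMPTY_ACCESS;
  byte_range buffer (0, capacity), access (offset, num_bytes), bad (0, 0);
  /* Simplification for this example (not from the page): any non-empty
     access into a zero-byte buffer overflows, keeping OTHER non-empty.  */
  if (buffer.empty_p ())
    { if (out_bad) *out_bad = access; return BOUNDS_OVERFLOW; }
  if (access.falls_short_of_p (buffer, &bad))
    { if (out_bad) *out_bad = bad; return BOUNDS_UNDERFLOW; }
  if (access.exceeds_p (buffer, &bad))
    { if (out_bad) *out_bad = bad; return BOUNDS_OVERFLOW; }
  return BOUNDS_OK;
}

int
main (void)
{
  /* Comment #2's values: capacity 0 ("bytes 0--1"), 0 bytes at offset 1
     ("bytes 1-0"): now reported as an empty access instead of asserting.  */
  printf ("PR106845 case -> %d (BOUNDS_EMPTY_ACCESS = 1)\n",
          (int) check_region_bounds (0, 1, 0));
  byte_range bad (0, 0);
  if (check_region_bounds (8, 6, 4, &bad) == BOUNDS_OVERFLOW)
    printf ("4-byte write at offset 6 of char buf[8]: bytes %lld-%lld overflow\n",
            (long long) bad.get_start_byte_offset (),
            (long long) bad.get_last_byte_offset ());
  return 0;
}
```

Run stand-alone it reports the PR's case as an empty access and a 4-byte write at offset 6 of an 8-byte buffer as overhanging bytes 8-9; the underflow path (falls_short_of_p) is exercised by a negative offset.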
* [Bug analyzer/106845] [13 Regression] ICE in exceeds_p, at analyzer/store.cc:464 since r13-2029-g7e3b45befdbbf1a1
From: tlange at gcc dot gnu.org @ 2022-09-11 22:11 UTC (permalink / raw)
To: gcc-bugs
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=106845
Tim Lange <tlange at gcc dot gnu.org> changed:
What |Removed |Added
----------------------------------------------------------------------------
Resolution|--- |FIXED
Status|ASSIGNED |RESOLVED
--- Comment #6 from Tim Lange <tlange at gcc dot gnu.org> ---
(In reply to CVS Commits from comment #5)
> The master branch has been updated by Tim Lange <tlange@gcc.gnu.org>:
>
> https://gcc.gnu.org/g:0ea5e3f4542832b8da016b152695e64a2a386309
>
> commit r13-2582-g0ea5e3f4542832b8da016b152695e64a2a386309
Fixed the ICE with the commit above.
2022-09-06 7:06 [Bug analyzer/106845] New: [13 Regression] ICE in exceeds_p, at analyzer/store.cc:464 asolokha at gmx dot com
2022-09-06 9:00 ` [Bug analyzer/106845] [13 Regression] ICE in exceeds_p, at analyzer/store.cc:464 since r13-2029-g7e3b45befdbbf1a1 marxin at gcc dot gnu.org
2022-09-06 9:24 ` rguenth at gcc dot gnu.org
2022-09-06 13:36 ` dmalcolm at gcc dot gnu.org
2022-09-06 15:18 ` tlange at gcc dot gnu.org
2022-09-06 15:23 ` dmalcolm at gcc dot gnu.org
2022-09-06 15:32 ` tlange at gcc dot gnu.org
2022-09-11 22:02 ` cvs-commit at gcc dot gnu.org
2022-09-11 22:11 ` tlange at gcc dot gnu.org