public inbox for gcc-bugs@sourceware.org
* [Bug analyzer/107882] New: [13 Regression] ICE in get_last_bit_offset, at analyzer/store.h:255
From: asolokha at gmx dot com @ 2022-11-26 19:36 UTC (permalink / raw)
  To: gcc-bugs

https://gcc.gnu.org/bugzilla/show_bug.cgi?id=107882

            Bug ID: 107882
           Summary: [13 Regression] ICE in get_last_bit_offset, at
                    analyzer/store.h:255
           Product: gcc
           Version: 13.0
            Status: UNCONFIRMED
          Keywords: ice-on-valid-code
          Severity: normal
          Priority: P3
         Component: analyzer
          Assignee: dmalcolm at gcc dot gnu.org
          Reporter: asolokha at gmx dot com
  Target Milestone: ---

gcc 13.0.0 20221120 snapshot (g:a16a5460447eaaff0b4468064e4d7b1cc8fc42eb) ICEs
when compiling the following testcase w/ -fanalyzer:

void
foo (int *x, int y)
{
  int *a = x, *b = (int *) &a;

  __builtin_memcpy (b + 1, x, y);
  foo (a, 0);
}

% gcc-13 -fanalyzer -c umtf33bl.c
during IPA pass: analyzer
umtf33bl.c: In function 'foo':
umtf33bl.c:7:3: internal compiler error: in get_last_bit_offset, at analyzer/store.h:255
    7 |   foo (a, 0);
      |   ^~~~~~~~~~
0x7bf2d1 ana::bit_range::get_last_bit_offset() const
        /var/tmp/portage/sys-devel/gcc-13.0.0_p20221120/work/gcc-13-20221120/gcc/analyzer/store.h:255
0x7bf2d1 ana::bit_range::get_last_bit_offset() const
        /var/tmp/portage/sys-devel/gcc-13.0.0_p20221120/work/gcc-13-20221120/gcc/analyzer/store.h:253
0x7bf2d1 ana::bit_range::contains_p(ana::bit_range const&, ana::bit_range*) const
        /var/tmp/portage/sys-devel/gcc-13.0.0_p20221120/work/gcc-13-20221120/gcc/analyzer/store.cc:243
0x1326bff ana::binding_cluster::maybe_get_compound_binding(ana::store_manager*, ana::region const*) const
        /var/tmp/portage/sys-devel/gcc-13.0.0_p20221120/work/gcc-13-20221120/gcc/analyzer/store.cc:1716
0x12ca6c6 ana::region_model::get_store_value(ana::region const*, ana::region_model_context*) const
        /var/tmp/portage/sys-devel/gcc-13.0.0_p20221120/work/gcc-13-20221120/gcc/analyzer/region-model.cc:3158
0x12cae4c ana::region_model::get_rvalue(ana::path_var, ana::region_model_context*) const
        /var/tmp/portage/sys-devel/gcc-13.0.0_p20221120/work/gcc-13-20221120/gcc/analyzer/region-model.cc:3052
0x12d1e97 ana::region_model::on_assignment(gassign const*, ana::region_model_context*)
        /var/tmp/portage/sys-devel/gcc-13.0.0_p20221120/work/gcc-13-20221120/gcc/analyzer/region-model.cc:1093
0x12a34d4 ana::exploded_node::on_stmt(ana::exploded_graph&, ana::supernode const*, gimple const*, ana::program_state*, ana::uncertainty_t*, ana::path_context*)
        /var/tmp/portage/sys-devel/gcc-13.0.0_p20221120/work/gcc-13-20221120/gcc/analyzer/engine.cc:1466
0x12a65c5 ana::exploded_graph::process_node(ana::exploded_node*)
        /var/tmp/portage/sys-devel/gcc-13.0.0_p20221120/work/gcc-13-20221120/gcc/analyzer/engine.cc:4054
0x12a757a ana::exploded_graph::process_worklist()
        /var/tmp/portage/sys-devel/gcc-13.0.0_p20221120/work/gcc-13-20221120/gcc/analyzer/engine.cc:3457
0x12a9d34 ana::impl_run_checkers(ana::logger*)
        /var/tmp/portage/sys-devel/gcc-13.0.0_p20221120/work/gcc-13-20221120/gcc/analyzer/engine.cc:6110
0x12aad66 ana::run_checkers()
        /var/tmp/portage/sys-devel/gcc-13.0.0_p20221120/work/gcc-13-20221120/gcc/analyzer/engine.cc:6198
0x1299578 execute
        /var/tmp/portage/sys-devel/gcc-13.0.0_p20221120/work/gcc-13-20221120/gcc/analyzer/analyzer-pass.cc:87

^ permalink raw reply	[flat|nested] 7+ messages in thread

* [Bug analyzer/107882] [13 Regression] ICE in get_last_bit_offset, at analyzer/store.h:255
From: marxin at gcc dot gnu.org @ 2022-11-28  6:49 UTC (permalink / raw)
  To: gcc-bugs

https://gcc.gnu.org/bugzilla/show_bug.cgi?id=107882

Martin Liška <marxin at gcc dot gnu.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |marxin at gcc dot gnu.org,
                   |                            |tlange at gcc dot gnu.org
             Status|UNCONFIRMED                 |NEW
   Last reconfirmed|                            |2022-11-28
     Ever confirmed|0                           |1

--- Comment #1 from Martin Liška <marxin at gcc dot gnu.org> ---
Started with r13-2582-g0ea5e3f4542832b8.

^ permalink raw reply	[flat|nested] 7+ messages in thread

* [Bug analyzer/107882] [13 Regression] ICE in get_last_bit_offset, at analyzer/store.h:255 since 13-2582-g0ea5e3f4542832b8
From: rguenth at gcc dot gnu.org @ 2022-11-28  7:38 UTC (permalink / raw)
  To: gcc-bugs

https://gcc.gnu.org/bugzilla/show_bug.cgi?id=107882

Richard Biener <rguenth at gcc dot gnu.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
   Target Milestone|---                         |13.0

^ permalink raw reply	[flat|nested] 7+ messages in thread

* [Bug analyzer/107882] [13 Regression] ICE in get_last_bit_offset, at analyzer/store.h:255 since 13-2582-g0ea5e3f4542832b8
From: tlange at gcc dot gnu.org @ 2022-11-28 19:47 UTC (permalink / raw)
  To: gcc-bugs

https://gcc.gnu.org/bugzilla/show_bug.cgi?id=107882

--- Comment #2 from Tim Lange <tlange at gcc dot gnu.org> ---
Created attachment 53979
  --> https://gcc.gnu.org/bugzilla/attachment.cgi?id=53979&action=edit
patch for pr107882

I think the assertion here uncovered a bug. Currently, if the OTHER parameter
of bit_range::contains_p is empty (i.e. of size zero), contains_p calls
get_last_bit_offset, whose result is only defined for non-empty ranges. Before
r13-2582-g0ea5e3f4542832b8, the contains_p check was inconsistent, e.g. for
(offset 1, size 1) and (offset 1, size 0), but true for (offset 0, size 2) and
(offset 1, size 0).

Not sure what the "right" fix is, as empty ranges sorta feel unnatural.
Treating [i, 0] as a subset of (k, n) if k <= i <= k+n seems somewhat
reasonable.

^ permalink raw reply	[flat|nested] 7+ messages in thread

* [Bug analyzer/107882] [13 Regression] ICE in get_last_bit_offset, at analyzer/store.h:255 since 13-2582-g0ea5e3f4542832b8
From: dmalcolm at gcc dot gnu.org @ 2022-12-06 20:53 UTC (permalink / raw)
  To: gcc-bugs

https://gcc.gnu.org/bugzilla/show_bug.cgi?id=107882

David Malcolm <dmalcolm at gcc dot gnu.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |ASSIGNED

--- Comment #3 from David Malcolm <dmalcolm at gcc dot gnu.org> ---
I'm working on an alternate fix for this, which rejects creating bindings and
binding keys for empty bit ranges, as they're meaningless.  Testing it now.

^ permalink raw reply	[flat|nested] 7+ messages in thread

* [Bug analyzer/107882] [13 Regression] ICE in get_last_bit_offset, at analyzer/store.h:255 since 13-2582-g0ea5e3f4542832b8
From: cvs-commit at gcc dot gnu.org @ 2022-12-06 23:25 UTC (permalink / raw)
  To: gcc-bugs

https://gcc.gnu.org/bugzilla/show_bug.cgi?id=107882

--- Comment #4 from CVS Commits <cvs-commit at gcc dot gnu.org> ---
The master branch has been updated by David Malcolm <dmalcolm@gcc.gnu.org>:

https://gcc.gnu.org/g:dfe2ef7f2b6cac7017f32a0a04f74e1b6d9f1311

commit r13-4529-gdfe2ef7f2b6cac7017f32a0a04f74e1b6d9f1311
Author: David Malcolm <dmalcolm@redhat.com>
Date:   Tue Dec 6 18:24:16 2022 -0500

    analyzer: don't create bindings or binding keys for empty regions [PR107882]

    PR analyzer/107882 reports an ICE, due to trying to get a compound svalue
    for this binding:

      cluster for: a:
        key:   {bytes 0-3}
        value:  {UNKNOWN()}
        key:   {empty}
        value:  {UNKNOWN()}
        key:   {bytes 4-7}
        value:  {UNKNOWN()}

    where there's a binding to the unknown value of zero bits in size
    "somewhere" within "a" (perhaps between bits 3 and 4?)

    This makes no sense, so this patch adds an assertion that we never
    attempt to create a binding key for an empty region, and adds early
    rejection of attempts to get or set the values of such regions, fixing
    the ICE.

    gcc/analyzer/ChangeLog:
            PR analyzer/107882
            * region-model.cc (region_model::get_store_value): Return an
            unknown value for empty regions.
            (region_model::set_value): Bail on empty regions.
            * region.cc (region::empty_p): New.
            * region.h (region::empty_p): New decl.
            * state-purge.cc (same_binding_p): Bail if either region is empty.
            * store.cc (binding_key::make): Assert that a concrete binding's
            bit_size must be > 0.
            (binding_cluster::mark_region_as_unknown): Bail on empty regions.
            (binding_cluster::get_binding): Likewise.
            (binding_cluster::remove_overlapping_bindings): Likewise.
            (binding_cluster::on_unknown_fncall): Don't conjure values for
            empty regions.
            (store::fill_region): Bail on empty regions.
            * store.h (class concrete_binding): Update comment to reflect that
            the range of bits must be non-empty.
            (concrete_binding::concrete_binding): Assert that bit range is
            non-empty.

    gcc/testsuite/ChangeLog:
            PR analyzer/107882
            * gcc.dg/analyzer/memcpy-pr107882.c: New test.

    Signed-off-by: David Malcolm <dmalcolm@redhat.com>

^ permalink raw reply	[flat|nested] 7+ messages in thread
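
The two approaches discussed in Comment #2 and in the commit message above can be compared on a small model. This is an added example, not GCC source and not part of the thread: the struct, its member names and `make_concrete_key` are hypothetical, and the "unchecked" variant is an assumed reconstruction of the pre-assertion behaviour that Comment #2 describes.

```cpp
// Simplified model of the analyzer's bit ranges; added example, not GCC source.
#include <cstdint>
#include <stdexcept>

struct bit_range {
  int64_t start;  // offset of the first bit
  int64_t size;   // number of bits; 0 means the range is empty

  bool empty_p() const { return size == 0; }
  int64_t next_bit() const { return start + size; }
  bool contains_bit(int64_t off) const { return start <= off && off < next_bit(); }

  // Assumed pre-assertion shape: no emptiness check, so an empty range
  // reports a "last bit" that lies before its own start.
  int64_t last_bit_unchecked() const { return next_bit() - 1; }

  // Asserting shape: throws here where GCC's assertion produces the ICE.
  int64_t last_bit() const {
    if (empty_p()) throw std::logic_error("last bit of an empty range");
    return last_bit_unchecked();
  }

  bool contains_unchecked(const bit_range &o) const {
    return contains_bit(o.start) && contains_bit(o.last_bit_unchecked());
  }
  bool contains_asserting(const bit_range &o) const {
    return contains_bit(o.start) && contains_bit(o.last_bit());
  }
  // Comment #2's suggestion: empty [i, 0] is inside (k, n) iff k <= i <= k+n.
  bool contains_lenient(const bit_range &o) const {
    if (o.empty_p()) return start <= o.start && o.start <= next_bit();
    return contains_asserting(o);
  }
};

// The committed direction, modelled: never build a key for an empty range,
// so the containment code is never handed one.
bool make_concrete_key(int64_t start, int64_t size, bit_range *out) {
  if (size <= 0) return false;
  *out = bit_range{start, size};
  return true;
}

// True when the asserting check trips on this pair of ranges.
bool trips_assertion(const bit_range &outer, const bit_range &inner) {
  try { outer.contains_asserting(inner); return false; }
  catch (const std::logic_error &) { return true; }
}
```

With the unchecked variant, (offset 1, size 1) and (offset 0, size 2) disagree about the same empty range at offset 1; the lenient rule makes them agree, and rejecting the key up front removes the question entirely.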

* [Bug analyzer/107882] [13 Regression] ICE in get_last_bit_offset, at analyzer/store.h:255 since 13-2582-g0ea5e3f4542832b8
From: dmalcolm at gcc dot gnu.org @ 2022-12-06 23:33 UTC (permalink / raw)
  To: gcc-bugs

https://gcc.gnu.org/bugzilla/show_bug.cgi?id=107882

David Malcolm <dmalcolm at gcc dot gnu.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|ASSIGNED                    |RESOLVED
         Resolution|---                         |FIXED

--- Comment #5 from David Malcolm <dmalcolm at gcc dot gnu.org> ---
Should be fixed by the above patch.

^ permalink raw reply	[flat|nested] 7+ messages in thread
