From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: by sourceware.org (Postfix, from userid 48) id 662EE3881D38; Wed, 29 Mar 2023 18:19:18 +0000 (GMT) DKIM-Filter: OpenDKIM Filter v2.11.0 sourceware.org 662EE3881D38 DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gcc.gnu.org; s=default; t=1680113958; bh=lNLLnqexQwSAgAxwmOyOBZdoDLlH5+9txlhg3V5klZU=; h=From:To:Subject:Date:In-Reply-To:References:From; b=eRxZNI/BxORREFzWqGZjK2qvTrQrLe/lSZQP1rvIxv7Jqj0Sf4kxBrfemlcTj/eYT qPlZR03qH7/lqh891XQEvim5XXOgl9EOVGRzqqLjrgL3XWNPmizu1CesAsnwJ7E2xR ABixsDgShqmMlVJWejIsjT/XG3dVV3MC9ugHInhY= From: "cvs-commit at gcc dot gnu.org" To: gcc-bugs@gcc.gnu.org Subject: [Bug analyzer/109094] Uninit false positive from -fanalyzer when longjmp unwinds frames with return stmts Date: Wed, 29 Mar 2023 18:19:17 +0000 X-Bugzilla-Reason: CC X-Bugzilla-Type: changed X-Bugzilla-Watch-Reason: None X-Bugzilla-Product: gcc X-Bugzilla-Component: analyzer X-Bugzilla-Version: 13.0 X-Bugzilla-Keywords: X-Bugzilla-Severity: normal X-Bugzilla-Who: cvs-commit at gcc dot gnu.org X-Bugzilla-Status: ASSIGNED X-Bugzilla-Resolution: X-Bugzilla-Priority: P3 X-Bugzilla-Assigned-To: dmalcolm at gcc dot gnu.org X-Bugzilla-Target-Milestone: 12.3 X-Bugzilla-Flags: X-Bugzilla-Changed-Fields: Message-ID: In-Reply-To: References: Content-Type: text/plain; charset="UTF-8" Content-Transfer-Encoding: quoted-printable X-Bugzilla-URL: http://gcc.gnu.org/bugzilla/ Auto-Submitted: auto-generated MIME-Version: 1.0 List-Id: https://gcc.gnu.org/bugzilla/show_bug.cgi?id=3D109094 --- Comment #11 from CVS Commits --- The releases/gcc-12 branch has been updated by David Malcolm : https://gcc.gnu.org/g:7903e0bca003840751c109cfa41e5a1528ece12a commit r12-9367-g7903e0bca003840751c109cfa41e5a1528ece12a Author: David Malcolm Date: Wed Mar 29 14:16:49 2023 -0400 analyzer: fix ICE on certain longjmp calls [PR109094] PR analyzer/109094 reports an ICE in the analyzer seen on qemu's target/i386/tcg/translate.c The issue turned out to be that when handling a longjmp, the code to pop the frames was generating an svalue for the result_decl of any popped frame that had a non-void return type (and discarding it) leading to "uninit" poisoned_svalue_diagnostic instances being saved since the result_decl is only set by the greturn stmt. Later, when checking the feasibility of the path to these diagnostics, m_check_expr was evaluated in the context of the frame of the longjmp, leading to an attempt to evaluate the result_decl of each intervening frames whilst in the context of the topmost frame, leading to an assertion failure in frame_region::get_region_for_local here: 919 case RESULT_DECL: 920 gcc_assert (DECL_CONTEXT (expr) =3D=3D m_fun->decl); 921 break; This patch updates the analyzer's longjmp implementation so that it doesn't attempt to generate svalues for the result_decls when popping frames, fixing the assertion failure (and presumably fixing "uninit" false positives in a release build). Cherrypicked from r13-6749-g430d7d88c1a123. gcc/analyzer/ChangeLog: PR analyzer/109094 * region-model.cc (region_model::on_longjmp): Pass false for new "eval_return_svalue" param of pop_frame. (region_model::pop_frame): Add new "eval_return_svalue" param a= nd use it to suppress the call to get_rvalue on the result when needed by on_longjmp. * region-model.h (region_model::pop_frame): Add new "eval_return_svalue" param. gcc/testsuite/ChangeLog: PR analyzer/109094 * gcc.dg/analyzer/setjmp-pr109094.c: New test. Signed-off-by: David Malcolm =