From mboxrd@z Thu Jan  1 00:00:00 1970
Return-Path: <gcc-bugzilla@gcc.gnu.org>
Received: by sourceware.org (Postfix, from userid 48)
	id D299B385783F; Wed, 10 May 2023 18:07:55 +0000 (GMT)
DKIM-Filter: OpenDKIM Filter v2.11.0 sourceware.org D299B385783F
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gcc.gnu.org;
	s=default; t=1683742075;
	bh=tSgfMaq+F+zhB/tC7JDjWftrWPzbVEh0tWSdBbCdb4o=;
	h=From:To:Subject:Date:In-Reply-To:References:From;
	b=hBUVjVXuxRZt7xmT5yBM+LMxZ3pzi21wLPKukzrO+ks6ZZfz/f4VLCRBTLBc36Yv0
	 IZ3gwGnOuGisOwsZX/TqgSgv8lBdym5B6j4ztdWERZrcZqp5LgD4BZL7sfrULAJomL
	 XlXD64dO0aq/RhP/uwKpRlY9z/xj5uDzGTNkhOeE=
From: "colomar.6.4.3 at gmail dot com" <gcc-bugzilla@gcc.gnu.org>
To: gcc-bugs@gcc.gnu.org
Subject: [Bug analyzer/109802] [regression] during IPA pass: analyzer:
 internal compiler error (using dubious flexible arrays in unions)
Date: Wed, 10 May 2023 18:07:55 +0000
X-Bugzilla-Reason: CC
X-Bugzilla-Type: changed
X-Bugzilla-Watch-Reason: None
X-Bugzilla-Product: gcc
X-Bugzilla-Component: analyzer
X-Bugzilla-Version: 13.1.0
X-Bugzilla-Keywords: 
X-Bugzilla-Severity: normal
X-Bugzilla-Who: colomar.6.4.3 at gmail dot com
X-Bugzilla-Status: UNCONFIRMED
X-Bugzilla-Resolution: 
X-Bugzilla-Priority: P3
X-Bugzilla-Assigned-To: dmalcolm at gcc dot gnu.org
X-Bugzilla-Target-Milestone: ---
X-Bugzilla-Flags: 
X-Bugzilla-Changed-Fields: 
Message-ID: <bug-109802-4-IMnGr1t1n1@http.gcc.gnu.org/bugzilla/>
In-Reply-To: <bug-109802-4@http.gcc.gnu.org/bugzilla/>
References: <bug-109802-4@http.gcc.gnu.org/bugzilla/>
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable
X-Bugzilla-URL: http://gcc.gnu.org/bugzilla/
Auto-Submitted: auto-generated
MIME-Version: 1.0
List-Id: <gcc-bugs.sourceware.org>

https://gcc.gnu.org/bugzilla/show_bug.cgi?id=3D109802

--- Comment #2 from Alejandro Colomar <colomar.6.4.3 at gmail dot com> ---
Here's a simplified version that will cause the same internal compiler erro=
r.
This one will probably cause less brain damage to readers,
as it has significantly less magic.


$ cat flexi2.c=20
#include <stddef.h>
#include <stdlib.h>
#include <stdio.h>
#include <string.h>

struct s {
        int x;
        ptrdiff_t off[0];
};

int
main(void)
{
        char      *p;
        struct s  *s;

        s =3D malloc(sizeof(struct s) +
                   sizeof(ptrdiff_t) * 2 +
                   sizeof("foo") + sizeof("bar"));

        p =3D (void *) s + sizeof(struct s) + sizeof(ptrdiff_t) * 2;

        s->off[0] =3D p - (char *) s;
        p =3D stpcpy(p, "foo") + 1;
        s->off[1] =3D p - (char *) s;
        p =3D stpcpy(p, "bar") + 1;

        puts((char *) s + s->off[0]);
        puts((char *) s + s->off[1]);
}


$ gcc-12 -Wall -Wextra -Werror -fanalyzer -O3 flexi2.c=20
$ ./a.out=20
foo
bar
$ gcc-13 -Wall -Wextra -Werror -O3 flexi2.c=20
$ ./a.out=20
foo
bar
$ gcc-13 -Wall -Wextra -Werror -fanalyzer -O3 flexi2.c=20
during IPA pass: analyzer
flexi2.c: In function =E2=80=98main=E2=80=99:
flexi2.c:29:33: internal compiler error: in make, at analyzer/store.cc:132
   29 |         puts((char *) s + s->off[1]);
      |                           ~~~~~~^~~
0xcec8a5 ana::binding_key::make(ana::store_manager*, ana::region const*)
        ../../src/gcc/analyzer/store.cc:132
0xcf9533 ana::binding_cluster::get_binding(ana::store_manager*, ana::region
const*) const
        ../../src/gcc/analyzer/store.cc:1567
0xcf95eb ana::binding_cluster::get_binding_recursive(ana::store_manager*,
ana::region const*) const
        ../../src/gcc/analyzer/store.cc:1604
0xd05e49 ana::binding_cluster::get_any_binding(ana::store_manager*, ana::re=
gion
const*) const
        ../../src/gcc/analyzer/store.cc:1627
0xcd45f7 ana::region_model::get_store_value(ana::region const*,
ana::region_model_context*) const
        ../../src/gcc/analyzer/region-model.cc:2407
0xcd4e72 ana::region_model::get_rvalue(ana::path_var,
ana::region_model_context*) const
        ../../src/gcc/analyzer/region-model.cc:2297
0xcd6a5c ana::region_model::on_assignment(gassign const*,
ana::region_model_context*)
        ../../src/gcc/analyzer/region-model.cc:1156
0xcdc2da ana::exploded_node::on_stmt(ana::exploded_graph&, ana::supernode
const*, gimple const*, ana::program_state*, ana::uncertainty_t*,
ana::path_context*)
        ../../src/gcc/analyzer/engine.cc:1471
0xcdc877 ana::exploded_graph::process_node(ana::exploded_node*)
        ../../src/gcc/analyzer/engine.cc:4063
0xcdd8b9 ana::exploded_graph::process_worklist()
        ../../src/gcc/analyzer/engine.cc:3466
0xcddc57 ana::impl_run_checkers(ana::logger*)
        ../../src/gcc/analyzer/engine.cc:6125
0xcde4ff ana::run_checkers()
        ../../src/gcc/analyzer/engine.cc:6213
0xcde54b execute
        ../../src/gcc/analyzer/analyzer-pass.cc:87
Please submit a full bug report, with preprocessed source (by using
-freport-bug).
Please include the complete backtrace with any bug report.
See <file:///usr/share/doc/gcc-13/README.Bugs> for instructions.


I didn't attach the preprocessed source of this simplified example, since I
guess it would be repetitive with the previous one.=