public inbox for gcc-bugs@sourceware.org
help / color / mirror / Atom feed
From: "geoffreydgr at icloud dot com" <gcc-bugzilla@gcc.gnu.org>
To: gcc-bugs@gcc.gnu.org
Subject: [Bug analyzer/110928] New: ICE with -fanalyzer on -Wanalyzer-out-of-bounds checker
Date: Mon, 07 Aug 2023 03:24:13 +0000	[thread overview]
Message-ID: <bug-110928-4@http.gcc.gnu.org/bugzilla/> (raw)

https://gcc.gnu.org/bugzilla/show_bug.cgi?id=110928

            Bug ID: 110928
           Summary: ICE with -fanalyzer on -Wanalyzer-out-of-bounds
                    checker
           Product: gcc
           Version: 14.0
            Status: UNCONFIRMED
          Severity: normal
          Priority: P3
         Component: analyzer
          Assignee: dmalcolm at gcc dot gnu.org
          Reporter: geoffreydgr at icloud dot com
  Target Milestone: ---

ICE bug when analyzing the folowing program. And there also is a FP report of
out-of-bounds. 

cmd: gcc -O0 -fanalyzer
gcc version: x86-64 gcc (trunk)
compiler explore: https://godbolt.org/z/Gsx5WTqKj

```c
#include "stdio.h"
#include "stdint.h"


uint64_t d(int32_t h) {
  uint64_t j[2][6];
  int32_t k;
  for (k = 1;;) {
    printf("FLAG\n");
    if (h < 106 || j[k][h])
      return 0;
  }
}
int16_t e() {
  int32_t f[5];
  for (f[2] = 3; f[2]; --f[2])
    d(0);
}

int main() { e(); }

```

output:
```
<source>: In function 'd':
<source>:10:24: warning: stack-based buffer over-read [CWE-121]
[-Wanalyzer-out-of-bounds]
   10 |     if (h < 106 || j[k][h])
      |                    ~~~~^~~
  'd': events 1-4
    |
    |    6 |   uint64_t j[2][6];
    |      |            ^
    |      |            |
    |      |            (1) capacity: 96 bytes
    |......
    |   10 |     if (h < 106 || j[k][h])
    |      |        ~           ~~~~~~~
    |      |        |               |
    |      |        |               (3) ...to here
    |      |        |               (4) read of 8 bytes at offset 'h * 8 + 48'
exceeds 'j'
    |      |        (2) following 'false' branch (when 'h > 105')...
    |
<source>:10:24: note: valid subscripts for 'j' are '[0]' to '[1]'
   10 |     if (h < 106 || j[k][h])
      |                    ~~~~^~~
during IPA pass: analyzer
<source>:10:8: internal compiler error: in fold_binary_loc, at
fold-const.cc:11320
   10 |     if (h < 106 || j[k][h])
      |        ^
0x216b2ae internal_error(char const*, ...)
        ???:0
0x9d1202 fancy_abort(char const*, int, char const*)
        ???:0
0xcdba8d fold_build2_loc(unsigned int, tree_code, tree_node*, tree_node*,
tree_node*)
        ???:0
0x172fc13 generic_simplify_MULT_EXPR(unsigned int, tree_code, tree_node*,
tree_node*, tree_node*)
        ???:0
0xcd40c5 fold_binary_loc(unsigned int, tree_code, tree_node*, tree_node*,
tree_node*)
        ???:0
0xcdba8d fold_build2_loc(unsigned int, tree_code, tree_node*, tree_node*,
tree_node*)
        ???:0
0x14beb7f ana::region_offset::calc_symbolic_bit_offset(ana::region_model
const&) const
        ???:0
0x213be3b ana::access_range::get_size(ana::region_model const&,
ana::bit_size_expr*) const
        ???:0
0x2148663 ana::access_diagram_impl::access_diagram_impl(ana::access_operation
const&, diagnostic_event_id_t, text_art::style_manager&, text_art::theme
const&, ana::logger*)
        ???:0
0x213ce0b ana::access_diagram::access_diagram(ana::access_operation const&,
diagnostic_event_id_t, text_art::style_manager&, text_art::theme const&,
ana::logger*)
        ???:0
0x1fbf5d3 ana::symbolic_buffer_over_read::emit(rich_location*, ana::logger*)
        ???:0
0x1fe653e ana::diagnostic_manager::emit_saved_diagnostic(ana::exploded_graph
const&, ana::saved_diagnostic const&)
        ???:0
0x1fe6d40 ana::diagnostic_manager::emit_saved_diagnostics(ana::exploded_graph
const&)
        ???:0
0x149e891 ana::impl_run_checkers(ana::logger*)
        ???:0
0x149f83f ana::run_checkers()
        ???:0
Please submit a full bug report, with preprocessed source (by using
-freport-bug).
Please include the complete backtrace with any bug report.
See <https://gcc.gnu.org/bugs/> for instructions.
Compiler returned: 1
```

             reply	other threads:[~2023-08-07  3:24 UTC|newest]

Thread overview: 6+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2023-08-07  3:24 geoffreydgr at icloud dot com [this message]
2024-02-15 19:56 ` [Bug analyzer/110928] [14 Regression] " dmalcolm at gcc dot gnu.org
2024-03-04 13:01 ` rguenth at gcc dot gnu.org
2024-03-07 23:26 ` law at gcc dot gnu.org
2024-03-18 22:47 ` cvs-commit at gcc dot gnu.org
2024-03-18 22:54 ` dmalcolm at gcc dot gnu.org

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=bug-110928-4@http.gcc.gnu.org/bugzilla/ \
    --to=gcc-bugzilla@gcc.gnu.org \
    --cc=gcc-bugs@gcc.gnu.org \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body. 
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).