[Bug analyzer/113505] New: ICE: SIGSEGV in tree_class_check (tree.h:3766) with -O -fdump-analyzer -fanalyzer

[Bug analyzer/113505] New: ICE: SIGSEGV in tree_class_check (tree.h:3766) with -O -fdump-analyzer -fanalyzer

[zsojka at seznam dot cz]

https://gcc.gnu.org/bugzilla/show_bug.cgi?id=113505

            Bug ID: 113505
           Summary: ICE: SIGSEGV in tree_class_check (tree.h:3766) with -O
                    -fdump-analyzer -fanalyzer
           Product: gcc
           Version: 14.0
            Status: UNCONFIRMED
          Keywords: ice-on-valid-code
          Severity: normal
          Priority: P3
         Component: analyzer
          Assignee: dmalcolm at gcc dot gnu.org
          Reporter: zsojka at seznam dot cz
  Target Milestone: ---
              Host: x86_64-pc-linux-gnu
            Target: x86_64-pc-linux-gnu

Created attachment 57160
  --> https://gcc.gnu.org/bugzilla/attachment.cgi?id=57160&action=edit
auto-reduced testcase

Compiler output:
$ x86_64-pc-linux-gnu-gcc -O -fdump-analyzer -fanalyzer obj_dat.i -wrapper
valgrind,-q
==17749== Invalid read of size 2
==17749==    at 0x15EC8C4: tree_class_check (tree.h:3766)
==17749==    by 0x15EC8C4: dump_mem_ref(pretty_printer*, tree_node*, int,
dump_flag) (tree-pretty-print.cc:1870)
==17749==    by 0x15E17D4: dump_generic_node(pretty_printer*, tree_node*, int,
dump_flag, bool) (tree-pretty-print.cc:2255)
==17749==    by 0x15E12FC: dump_generic_node(pretty_printer*, tree_node*, int,
dump_flag, bool) (tree-pretty-print.cc:3263)
==17749==    by 0x15E6B3A: dump_generic_node(pretty_printer*, tree_node*, int,
dump_flag, bool) (tree-pretty-print.cc:3148)
==17749==    by 0x15E6B1E: dump_generic_node(pretty_printer*, tree_node*, int,
dump_flag, bool) (tree-pretty-print.cc:3163)
==17749==    by 0x19396C9: dump_tree (region-model.cc:95)
==17749==    by 0x19396C9: ana::dump_quoted_tree(pretty_printer*, tree_node*)
(region-model.cc:105)
==17749==    by 0x192AB36: ana::sm_state_map::print(ana::region_model const*,
bool, bool, pretty_printer*) const (program-state.cc:238)
==17749==    by 0x192B0CE: ana::program_state::dump_to_pp(ana::extrinsic_state
const&, bool, bool, pretty_printer*) const (program-state.cc:1000)
==17749==    by 0x192B640: ana::program_state::detect_leaks(ana::program_state
const&, ana::program_state const&, ana::svalue const*, ana::extrinsic_state
const&, ana::region_model_context*) (program-state.cc:1492)
==17749==    by 0x190DE15:
ana::exploded_graph::process_node(ana::exploded_node*) (engine.cc:4138)
==17749==    by 0x190ECBA: ana::exploded_graph::process_worklist()
(engine.cc:3515)
==17749==    by 0x1911415: ana::impl_run_checkers(ana::logger*)
(engine.cc:6209)
==17749==  Address 0x0 is not stack'd, malloc'd or (recently) free'd
==17749== 
during IPA pass: analyzer
obj_dat.i: In function 'OBJ_create_objects':
obj_dat.i:13:27: internal compiler error: Segmentation fault
   13 |     while (__ctype_b_loc()[*l])
      |            ~~~~~~~~~~~~~~~^~~~
0x150de9f crash_signal
        /repo/gcc-trunk/gcc/toplev.cc:317
0x15ec8c4 tree_class_check(tree_node*, tree_code_class, char const*, int, char
const*)
        /repo/gcc-trunk/gcc/tree.h:3766
0x15ec8c4 dump_mem_ref
        /repo/gcc-trunk/gcc/tree-pretty-print.cc:1870
0x15e17d4 dump_generic_node(pretty_printer*, tree_node*, int, dump_flag, bool)
        /repo/gcc-trunk/gcc/tree-pretty-print.cc:2255
0x15e12fc dump_generic_node(pretty_printer*, tree_node*, int, dump_flag, bool)
        /repo/gcc-trunk/gcc/tree-pretty-print.cc:3263
0x15e6b3a dump_generic_node(pretty_printer*, tree_node*, int, dump_flag, bool)
        /repo/gcc-trunk/gcc/tree-pretty-print.cc:3148
0x15e6b1e dump_generic_node(pretty_printer*, tree_node*, int, dump_flag, bool)
        /repo/gcc-trunk/gcc/tree-pretty-print.cc:3163
0x19396c9 ana::dump_tree(pretty_printer*, tree_node*)
        /repo/gcc-trunk/gcc/analyzer/region-model.cc:95
0x19396c9 ana::dump_quoted_tree(pretty_printer*, tree_node*)
        /repo/gcc-trunk/gcc/analyzer/region-model.cc:105
0x192ab36 ana::sm_state_map::print(ana::region_model const*, bool, bool,
pretty_printer*) const
        /repo/gcc-trunk/gcc/analyzer/program-state.cc:238
0x192b0ce ana::program_state::dump_to_pp(ana::extrinsic_state const&, bool,
bool, pretty_printer*) const
        /repo/gcc-trunk/gcc/analyzer/program-state.cc:1000
0x192b640 ana::program_state::detect_leaks(ana::program_state const&,
ana::program_state const&, ana::svalue const*, ana::extrinsic_state const&,
ana::region_model_context*)
        /repo/gcc-trunk/gcc/analyzer/program-state.cc:1492
0x190de15 ana::exploded_graph::process_node(ana::exploded_node*)
        /repo/gcc-trunk/gcc/analyzer/engine.cc:4138
0x190ecba ana::exploded_graph::process_worklist()
        /repo/gcc-trunk/gcc/analyzer/engine.cc:3515
0x1911415 ana::impl_run_checkers(ana::logger*)
        /repo/gcc-trunk/gcc/analyzer/engine.cc:6209
0x19122db ana::run_checkers()
        /repo/gcc-trunk/gcc/analyzer/engine.cc:6300
0x1900f98 execute
        /repo/gcc-trunk/gcc/analyzer/analyzer-pass.cc:87
Please submit a full bug report, with preprocessed source (by using
-freport-bug).
Please include the complete backtrace with any bug report.
See <https://gcc.gnu.org/bugs/> for instructions.

$ x86_64-pc-linux-gnu-gcc -v
Using built-in specs.
COLLECT_GCC=/repo/gcc-trunk/binary-latest-amd64/bin/x86_64-pc-linux-gnu-gcc
COLLECT_LTO_WRAPPER=/repo/gcc-trunk/binary-trunk-r14-8284-20240119180625-g54519030b05-checking-yes-rtl-df-extra-nobootstrap-amd64/bin/../libexec/gcc/x86_64-pc-linux-gnu/14.0.1/lto-wrapper
Target: x86_64-pc-linux-gnu
Configured with: /repo/gcc-trunk//configure --enable-languages=c,c++
--enable-valgrind-annotations --disable-nls --enable-checking=yes,rtl,df,extra
--disable-bootstrap --with-cloog --with-ppl --with-isl
--build=x86_64-pc-linux-gnu --host=x86_64-pc-linux-gnu
--target=x86_64-pc-linux-gnu --with-ld=/usr/bin/x86_64-pc-linux-gnu-ld
--with-as=/usr/bin/x86_64-pc-linux-gnu-as --disable-libstdcxx-pch
--prefix=/repo/gcc-trunk//binary-trunk-r14-8284-20240119180625-g54519030b05-checking-yes-rtl-df-extra-nobootstrap-amd64
Thread model: posix
Supported LTO compression algorithms: zlib zstd
gcc version 14.0.1 20240119 (experimental) (GCC)

[Bug analyzer/113505] [14 Regression] ICE: SIGSEGV in tree_class_check (tree.h:3766) with -O -fdump-analyzer -fanalyzer

[dmalcolm at gcc dot gnu.org]

https://gcc.gnu.org/bugzilla/show_bug.cgi?id=113505

David Malcolm <dmalcolm at gcc dot gnu.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|UNCONFIRMED                 |NEW
     Ever confirmed|0                           |1
   Last reconfirmed|                            |2024-02-15
            Summary|ICE: SIGSEGV in             |[14 Regression] ICE:
                   |tree_class_check            |SIGSEGV in tree_class_check
                   |(tree.h:3766) with -O       |(tree.h:3766) with -O
                   |-fdump-analyzer -fanalyzer  |-fdump-analyzer -fanalyzer

--- Comment #1 from David Malcolm <dmalcolm at gcc dot gnu.org> ---
Confirmed:
  Trunk: https://godbolt.org/z/hMM5GK9s9

Doesn't affect GCC 13.2

[Bug analyzer/113505] [14 Regression] ICE: SIGSEGV in tree_class_check (tree.h:3766) with -O -fdump-analyzer -fanalyzer

[rguenth at gcc dot gnu.org]

https://gcc.gnu.org/bugzilla/show_bug.cgi?id=113505

Richard Biener <rguenth at gcc dot gnu.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
   Target Milestone|---                         |14.0

[Bug analyzer/113505] [14 Regression] ICE: SIGSEGV in tree_class_check (tree.h:3766) with -O -fdump-analyzer -fanalyzer

[law at gcc dot gnu.org]

https://gcc.gnu.org/bugzilla/show_bug.cgi?id=113505

Jeffrey A. Law <law at gcc dot gnu.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |law at gcc dot gnu.org
           Priority|P3                          |P1

[Bug analyzer/113505] [14 Regression] ICE: SIGSEGV in tree_class_check (tree.h:3766) with -O -fdump-analyzer -fanalyzer since r14-6239

[jakub at gcc dot gnu.org]

https://gcc.gnu.org/bugzilla/show_bug.cgi?id=113505

Jakub Jelinek <jakub at gcc dot gnu.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
            Summary|[14 Regression] ICE:        |[14 Regression] ICE:
                   |SIGSEGV in tree_class_check |SIGSEGV in tree_class_check
                   |(tree.h:3766) with -O       |(tree.h:3766) with -O
                   |-fdump-analyzer -fanalyzer  |-fdump-analyzer -fanalyzer
                   |                            |since r14-6239
                 CC|                            |jakub at gcc dot gnu.org

--- Comment #2 from Jakub Jelinek <jakub at gcc dot gnu.org> ---
Started with r14-6239-g08b7462d3ad8e5acd941b7c777c5b26b4064d686

[Bug analyzer/113505] [14 Regression] ICE: SIGSEGV in tree_class_check (tree.h:3766) with -O -fdump-analyzer -fanalyzer since r14-6239

[jakub at gcc dot gnu.org]

https://gcc.gnu.org/bugzilla/show_bug.cgi?id=113505

--- Comment #3 from Jakub Jelinek <jakub at gcc dot gnu.org> ---
Seems this is because the analyzer creates invalid IL.
MEM_REF second argument should be always INTEGER_CST, with value which is the
offset from the base and pointer type used for TBAA purposes:
/* Memory addressing.  Operands are a pointer and a tree constant integer
   byte offset of the pointer type that when dereferenced yields the
   type of the base object the pointer points into and which is used for
   TBAA purposes.
   The type of the MEM_REF is the type the bytes at the memory location
   are interpreted as.
   MEM_REF <p, c> is equivalent to ((typeof(c))p)->x... where x... is a
   chain of component references offsetting p by c.  */
DEFTREECODE (MEM_REF, "mem_ref", tcc_reference, 2)

Now, analyzer in some cases creates MEM_REFs right:
      tree len_ptr = cd.get_arg_tree (2);
      tree star_len_ptr = build2 (MEM_REF, TREE_TYPE (TREE_TYPE (len_ptr)),
                                  len_ptr,
                                  build_int_cst (TREE_TYPE (len_ptr), 0));
in sm-fd.cc most likely has POINTER_TYPE, but
static tree
get_tree_for_byte_offset (tree ptr_expr, byte_offset_t byte_offset)
{
  gcc_assert (ptr_expr);
  return fold_build2 (MEM_REF,
                      char_type_node,
                      ptr_expr, wide_int_to_tree (size_type_node,
byte_offset));
}
and
  tree offset_0 = build_int_cst (integer_type_node, 0);
  tree star_p = build2 (MEM_REF, integer_type_node, p, offset_0);
and
  tree offset_0 = build_int_cst (integer_type_node, 0);
  tree mem_ref = build2 (MEM_REF, integer_type_node,
                         pointer_plus_expr, offset_0);
are definitely wrong, the two other spots in region-model.cc which create
MEM_REFs not really sure about.
Now, if such MEM_REFs will be around only during the pass and not actually
emitted
into the IL nor TBAA analyzed if they can or can't be aliased with some other
reference, I'd suggest just to use something that can alias anything, so:
build_pointer_type_for_mode (char_type_node, ptr_mode, true)

[Bug analyzer/113505] [14 Regression] ICE: SIGSEGV in tree_class_check (tree.h:3766) with -O -fdump-analyzer -fanalyzer since r14-6239

[jakub at gcc dot gnu.org]

https://gcc.gnu.org/bugzilla/show_bug.cgi?id=113505

--- Comment #4 from Jakub Jelinek <jakub at gcc dot gnu.org> ---
Created attachment 57737
  --> https://gcc.gnu.org/bugzilla/attachment.cgi?id=57737&action=edit
gcc14-pr113505.patch

Untested patch to do that.  Fixes the ICE.

[Bug analyzer/113505] [14 Regression] ICE: SIGSEGV in tree_class_check (tree.h:3766) with -O -fdump-analyzer -fanalyzer since r14-6239

[dmalcolm at gcc dot gnu.org]

https://gcc.gnu.org/bugzilla/show_bug.cgi?id=113505

--- Comment #5 from David Malcolm <dmalcolm at gcc dot gnu.org> ---
Thanks, am testing your patch now.

[Bug analyzer/113505] [14 Regression] ICE: SIGSEGV in tree_class_check (tree.h:3766) with -O -fdump-analyzer -fanalyzer since r14-6239

[cvs-commit at gcc dot gnu.org]

https://gcc.gnu.org/bugzilla/show_bug.cgi?id=113505

--- Comment #6 from GCC Commits <cvs-commit at gcc dot gnu.org> ---
The master branch has been updated by David Malcolm <dmalcolm@gcc.gnu.org>:

https://gcc.gnu.org/g:c87f1f3d660f4103c91c72a4d3e1d19ff2858671

commit r14-9555-gc87f1f3d660f4103c91c72a4d3e1d19ff2858671
Author: Jakub Jelinek <jakub@redhat.com>
Date:   Tue Mar 19 16:06:13 2024 -0400

    analyzer: fix ICE due to corrupt MEM_REFs [PR113505]

    gcc/analyzer/ChangeLog
            PR analyzer/113505
            * region-model.cc (get_tree_for_byte_offset,
            region_model::get_representative_path_var_1,
            test_mem_ref, test_POINTER_PLUS_EXPR_then_MEM_REF): Use
            char __attribute__((may_alias)) * as type of MEM_REF second
argument.

    gcc/testsuite/ChangeLog
            PR analyzer/113505
            * gcc.dg/analyzer/pr113505.c: New test.

    Signed-off-by: David Malcolm <dmalcolm@redhat.com>

[Bug analyzer/113505] [14 Regression] ICE: SIGSEGV in tree_class_check (tree.h:3766) with -O -fdump-analyzer -fanalyzer since r14-6239

[dmalcolm at gcc dot gnu.org]

https://gcc.gnu.org/bugzilla/show_bug.cgi?id=113505

David Malcolm <dmalcolm at gcc dot gnu.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
         Resolution|---                         |FIXED
             Status|NEW                         |RESOLVED

--- Comment #7 from David Malcolm <dmalcolm at gcc dot gnu.org> ---
Patch looked good to me and it passed bootstrap, regrtesting, and integration
testing (all on x86_64-pc-linux-gnu), so I went ahead and pushed it to trunk.

Marking as resolved.

Thanks again for the patch