[Bug analyzer/96616] New: Many new analyzer failures

[Bug analyzer/96616] New: Many new analyzer failures

[segher at gcc dot gnu.org]

https://gcc.gnu.org/bugzilla/show_bug.cgi?id=96616

            Bug ID: 96616
           Summary: Many new analyzer failures
           Product: gcc
           Version: unknown
            Status: UNCONFIRMED
          Severity: normal
          Priority: P3
         Component: analyzer
          Assignee: dmalcolm at gcc dot gnu.org
          Reporter: segher at gcc dot gnu.org
  Target Milestone: ---

On powerpc64-linux.

For -m32:

+FAIL: gcc.dg/analyzer/init.c  (test for warnings, line 100)
+FAIL: gcc.dg/analyzer/init.c  (test for warnings, line 101)
+FAIL: gcc.dg/analyzer/init.c  (test for warnings, line 102)
+FAIL: gcc.dg/analyzer/init.c  (test for warnings, line 124)
+FAIL: gcc.dg/analyzer/init.c  (test for warnings, line 125)
+FAIL: gcc.dg/analyzer/init.c  (test for warnings, line 126)
+FAIL: gcc.dg/analyzer/init.c  (test for warnings, line 127)
+FAIL: gcc.dg/analyzer/init.c  (test for warnings, line 128)
+FAIL: gcc.dg/analyzer/init.c  (test for warnings, line 129)
+FAIL: gcc.dg/analyzer/init.c  (test for warnings, line 30)
+FAIL: gcc.dg/analyzer/init.c  (test for warnings, line 31)
+FAIL: gcc.dg/analyzer/init.c  (test for warnings, line 51)
+FAIL: gcc.dg/analyzer/init.c  (test for warnings, line 52)
+FAIL: gcc.dg/analyzer/init.c  (test for warnings, line 72)
+FAIL: gcc.dg/analyzer/init.c  (test for warnings, line 73)
+FAIL: gcc.dg/analyzer/init.c  (test for warnings, line 74)
+FAIL: gcc.dg/analyzer/init.c  (test for warnings, line 75)
+FAIL: gcc.dg/analyzer/init.c  (test for warnings, line 99)
+FAIL: gcc.dg/analyzer/init.c (test for excess errors)
+FAIL: gcc.dg/analyzer/pr93032-mztools.c (test for excess errors)

For -m64:

+FAIL: gcc.dg/analyzer/init.c  (test for warnings, line 100)
+FAIL: gcc.dg/analyzer/init.c  (test for warnings, line 101)
+FAIL: gcc.dg/analyzer/init.c  (test for warnings, line 102)
+FAIL: gcc.dg/analyzer/init.c  (test for warnings, line 124)
+FAIL: gcc.dg/analyzer/init.c  (test for warnings, line 125)
+FAIL: gcc.dg/analyzer/init.c  (test for warnings, line 126)
+FAIL: gcc.dg/analyzer/init.c  (test for warnings, line 127)
+FAIL: gcc.dg/analyzer/init.c  (test for warnings, line 128)
+FAIL: gcc.dg/analyzer/init.c  (test for warnings, line 129)
+FAIL: gcc.dg/analyzer/init.c  (test for warnings, line 72)
+FAIL: gcc.dg/analyzer/init.c  (test for warnings, line 73)
+FAIL: gcc.dg/analyzer/init.c  (test for warnings, line 74)
+FAIL: gcc.dg/analyzer/init.c  (test for warnings, line 75)
+FAIL: gcc.dg/analyzer/init.c  (test for warnings, line 99)
+FAIL: gcc.dg/analyzer/init.c (test for excess errors)
+FAIL: gcc.dg/analyzer/pr93032-mztools.c (test for excess errors)

(That latter one is over a screenful of
/home/segher/src/gcc/gcc/testsuite/gcc.dg/analyzer/pr93032-mztools.c:261:11:
war
ning: terminating analysis for this program point: EN: 810-818
[-Wanalyzer-too-c
omplex]
and all the rest are variations on
/home/segher/src/gcc/gcc/testsuite/gcc.dg/analyzer/init.c:72:3: warning:
UNKNOWN
).

[Bug analyzer/96616] Many new analyzer failures

[dmalcolm at gcc dot gnu.org]

https://gcc.gnu.org/bugzilla/show_bug.cgi?id=96616

David Malcolm <dmalcolm at gcc dot gnu.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|UNCONFIRMED                 |ASSIGNED
     Ever confirmed|0                           |1
   Last reconfirmed|                            |2020-08-14

--- Comment #1 from David Malcolm <dmalcolm at gcc dot gnu.org> ---
Thanks; sorry about this.  Seems to be the same set of failures as PR 96609; am
investigating.

[Bug analyzer/96616] Many new analyzer failures

[cvs-commit at gcc dot gnu.org]

https://gcc.gnu.org/bugzilla/show_bug.cgi?id=96616

--- Comment #2 from CVS Commits <cvs-commit at gcc dot gnu.org> ---
The master branch has been updated by David Malcolm <dmalcolm@gcc.gnu.org>:

https://gcc.gnu.org/g:2867118ddda9b56d991c16022f7d3d634ed08313

commit r11-2708-g2867118ddda9b56d991c16022f7d3d634ed08313
Author: David Malcolm <dmalcolm@redhat.com>
Date:   Fri Aug 14 15:49:52 2020 -0400

    analyzer: fix initialization from constant pool [PR96609,PR96616]

    PR testsuite/96609 and PR analyzer/96616 report various testsuite
    failures seen on powerpc64, aarch64, and arm in new tests added by
    r11-2694-g808f4dfeb3a95f50f15e71148e5c1067f90a126d.

    Some of these failures (in gcc.dg/analyzer/init.c, and on arm
    in gcc.dg/analyzer/casts-1.c) relate to initializations from var_decls
    in the constant pool.  I wrote the tests assuming that the gimplified
    stmts would initialize the locals via a gassign of code CONSTRUCTOR,
    whereas on these targets some of the initializations are gassign from
    a VAR_DECL e.g.:
      c = *.LC0;
    where "*.LC0" is a var_decl with DECL_IN_CONSTANT_POOL set.

    For example, in test_7:
       struct coord c[2] = {{3, 4}, {5, 6}};
       __analyzer_eval (c[0].x == 3); /* { dg-warning "TRUE" } */
    after the initialization, the store was simply recording:
       cluster for: c: INIT_VAL(*.LC0)
    when I was expecting the cluster for c to have:
      cluster for: c
        key:   {kind: direct, start: 0, size: 32, next: 32}
        value: 'int' {(int)3}
        key:   {kind: direct, start: 32, size: 32, next: 64}
        value: 'int' {(int)4}
        key:   {kind: direct, start: 64, size: 32, next: 96}
        value: 'int' {(int)5}
        key:   {kind: direct, start: 96, size: 32, next: 128}
        value: 'int' {(int)6}
    The test for c[0].x == 3 would then generate:
      cluster for: _2: (SUB(SUB(INIT_VAL(*.LC0), c[(int)0]),
c[(int)0].x)==(int)3)
    which is UNKNOWN, leading to the test failing.

    This patch fixes the init.c and casts-1.c failures by special-casing
    reads from a var_decl with DECL_IN_CONSTANT_POOL set, so that they build
    a compound_svalue containing the bindings implied by the CONSTRUCTOR
    node for DECL_INITIAL.

    gcc/analyzer/ChangeLog:
            PR testsuite/96609
            PR analyzer/96616
            * region-model.cc (region_model::get_store_value): Call
            maybe_get_constant_value on decl_regions first.
            * region-model.h (decl_region::maybe_get_constant_value): New decl.
            * region.cc (decl_region::get_stack_depth): Likewise.
            (decl_region::maybe_get_constant_value): New.
            * store.cc (get_subregion_within_ctor): New.
            (binding_map::apply_ctor_to_region): New.
            * store.h (binding_map::apply_ctor_to_region): New decl.

[Bug analyzer/96616] Many new analyzer failures

[dmalcolm at gcc dot gnu.org]

https://gcc.gnu.org/bugzilla/show_bug.cgi?id=96616

David Malcolm <dmalcolm at gcc dot gnu.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |seurer at gcc dot gnu.org

--- Comment #3 from David Malcolm <dmalcolm at gcc dot gnu.org> ---
*** Bug 96609 has been marked as a duplicate of this bug. ***

[Bug analyzer/96616] Many new analyzer failures

[dmalcolm at gcc dot gnu.org]

https://gcc.gnu.org/bugzilla/show_bug.cgi?id=96616

--- Comment #4 from David Malcolm <dmalcolm at gcc dot gnu.org> ---
The init.c issue should be fixed by commit
r11-2708-g2867118ddda9b56d991c16022f7d3d634ed08313

I'm still investigating the pr93032-mztools.c -Wanalyzer-too-complex warnings
(affects at least arm and aarch64 also).

[Bug analyzer/96616] pr93032-mztools.c -Wanalyzer-too-complex warnings on some targets

[dmalcolm at gcc dot gnu.org]

https://gcc.gnu.org/bugzilla/show_bug.cgi?id=96616

David Malcolm <dmalcolm at gcc dot gnu.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
            Summary|Many new analyzer failures  |pr93032-mztools.c
                   |                            |-Wanalyzer-too-complex
                   |                            |warnings on some targets

--- Comment #5 from David Malcolm <dmalcolm at gcc dot gnu.org> ---
Updating title to reflect that the remaining work is fixing the
-Wanalyzer-too-complex warnings that are showing up on some targets (at least
arm, aarch64, and powerpc64, but not x86_64 as far as I can tell).

[Bug analyzer/96616] pr93032-mztools.c -Wanalyzer-too-complex warnings on some targets

[dmalcolm at gcc dot gnu.org]

https://gcc.gnu.org/bugzilla/show_bug.cgi?id=96616

--- Comment #6 from David Malcolm <dmalcolm at gcc dot gnu.org> ---
*** Bug 96785 has been marked as a duplicate of this bug. ***

[Bug analyzer/96616] pr93032-mztools.c -Wanalyzer-too-complex warnings on some targets

[cvs-commit at gcc dot gnu.org]

https://gcc.gnu.org/bugzilla/show_bug.cgi?id=96616

--- Comment #7 from CVS Commits <cvs-commit at gcc dot gnu.org> ---
The master branch has been updated by David Malcolm <dmalcolm@gcc.gnu.org>:

https://gcc.gnu.org/g:b28491dc2d79763ecbff4f0b9f1f3e48a443be1d

commit r11-3245-gb28491dc2d79763ecbff4f0b9f1f3e48a443be1d
Author: David Malcolm <dmalcolm@redhat.com>
Date:   Tue Aug 18 18:52:17 2020 -0400

    analyzer: bulk merger/processing of runs of nodes at CFG join points

    Prior to this patch the analyzer worklist considered only one node or
    two nodes at a time, processing and/or merging state individually or
    pairwise.

    This could lead to explosions of merger nodes at CFG join points,
    especially after switch statements, which could have large numbers
    of in-edges, and thus large numbers of merger exploded_nodes could
    be created, exceeding the per-point limit and thus stopping analysis
    with -Wanalyzer-too-complex.

    This patch special-cases the handling for runs of consecutive
    nodes in the worklist at a CFG join point, processing and merging
    them all together.

    The patch fixes a state explosion seen in bzip2.c seen when attempting
    to reproduce PR analyzer/95188, in a switch statement in a loop for
    argument parsing.  With this patch, the analyzer successfully
    consolidates the state after the argument parsing to a single exploded
    node.

    In gcc.dg/analyzer/pr96653.c there is a switch statement with over 300
    cases which leads to hitting the per-point limit.  With this patch
    the consolidation code doesn't manage to merge all of them due to other
    worklist-ordering bugs, and it still hits the per-point limits, but it
    does manage some very long consolidations:
      merged 2 in-enodes into 2 out-enode(s) at SN: 403
      merged 2 in-enodes into 2 out-enode(s) at SN: 403
      merged 2 in-enodes into 1 out-enode(s) at SN: 11
      merged 29 in-enodes into 1 out-enode(s) at SN: 35
      merged 6 in-enodes into 1 out-enode(s) at SN: 41
      merged 31 in-enodes into 1 out-enode(s) at SN: 35
    and with a followup patch to fix an SCC issue it manages:
      merged 358 in-enodes into 2 out-enode(s) at SN: 402

    The patch appears to fix the failure on non-x86_64 of:
      gcc.dg/analyzer/pr93032-mztools.c (test for excess errors)
    which is PR analyzer/96616.

    Unfortunately, the patch introduces a memory leak false positive in
    gcc.dg/analyzer/pr94851-1.c, but this appears to be a pre-existing bug
    that was hidden by state-merging failures.

    gcc/analyzer/ChangeLog:
            * engine.cc (exploded_node::dump_dot): Show STATUS_BULK_MERGED.
            (exploded_graph::process_worklist): Call
            maybe_process_run_of_before_supernode_enodes.
            (exploded_graph::maybe_process_run_of_before_supernode_enodes):
            New.
            (exploded_graph_annotator::print_enode): Show STATUS_BULK_MERGED.
            * exploded-graph.h (enum exploded_node::status): Add
            STATUS_BULK_MERGED.

    gcc/testsuite/ChangeLog:
            * gcc.dg/analyzer/bzip2-arg-parse-1.c: New test.
            * gcc.dg/analyzer/loop-n-down-to-1-by-1.c: Remove xfail.
            * gcc.dg/analyzer/pr94851-1.c: Add xfail.

[Bug analyzer/96616] pr93032-mztools.c -Wanalyzer-too-complex warnings on some targets

[dmalcolm at gcc dot gnu.org]

https://gcc.gnu.org/bugzilla/show_bug.cgi?id=96616

David Malcolm <dmalcolm at gcc dot gnu.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|ASSIGNED                    |RESOLVED
         Resolution|---                         |FIXED

--- Comment #8 from David Malcolm <dmalcolm at gcc dot gnu.org> ---
(In reply to David Malcolm from comment #5)
> Updating title to reflect that the remaining work is fixing the
> -Wanalyzer-too-complex warnings that are showing up on some targets (at
> least arm, aarch64, and powerpc64, but not x86_64 as far as I can tell).

I believe that this was fixed by
r11-3245-gb28491dc2d79763ecbff4f0b9f1f3e48a443be1d
(aka "analyzer: bulk merger/processing of runs of nodes at CFG join points").

Marking this one as resolved.