[Bug analyzer/96648] New: [11 Regression] ICE in get_field_at_bit_offset, at analyzer/region.cc:229

[Bug analyzer/96648] New: [11 Regression] ICE in get_field_at_bit_offset, at analyzer/region.cc:229

[asolokha at gmx dot com]

https://gcc.gnu.org/bugzilla/show_bug.cgi?id=96648

            Bug ID: 96648
           Summary: [11 Regression] ICE in get_field_at_bit_offset, at
                    analyzer/region.cc:229
           Product: gcc
           Version: 11.0
            Status: UNCONFIRMED
          Severity: normal
          Priority: P3
         Component: analyzer
          Assignee: dmalcolm at gcc dot gnu.org
          Reporter: asolokha at gmx dot com
  Target Milestone: ---

gcc-11.0.0-alpha20200816 snapshot (g:c99116aeeb9644ebddec653ee8b19de4d38b65bd)
ICEs when compiling the following testcase w/ -O1 -fanalyzer:

struct vd {
  struct vd *rs;
};

struct fh {
  struct vd cl;
};

struct i3 {
  struct fh *h4;
};

struct fh *
gm (void);

void
j7 (struct vd *);

inline void
mb (struct vd *e7)
{
  j7 (e7->rs);
}

void
po (struct i3 *d2)
{
  struct i3 *s2;

  d2->h4 = gm ();
  mb (&d2->h4->cl);
  s2 = ({ d2 - 1; });
  po (s2);
}

% gcc-11.0.0 -O1 -fanalyzer -c yepd00sw.c
during IPA pass: analyzer
yepd00sw.c: In function 'po':
yepd00sw.c:22:3: internal compiler error: in get_field_at_bit_offset, at
analyzer/region.cc:229
   22 |   j7 (e7->rs);
      |   ^~~~~~~~~~~
0x720bb1 ana::region::get_subregions_for_binding(ana::region_model_manager*,
generic_wide_int<fixed_wide_int_storage<128> >,
generic_wide_int<fixed_wide_int_storage<128> >, tree_node*,
auto_vec<ana::region const*, 0ul>*) const
       
/var/tmp/portage/sys-devel/gcc-11.0.0_alpha20200816/work/gcc-11-20200816/gcc/analyzer/region.cc:229
0x113822c ana::binding_cluster::get_representative_path_vars(ana::region_model
const*, hash_set<ana::svalue const*, false, default_hash_traits<ana::svalue
const*> >*, ana::region const*, ana::svalue const*, auto_vec<ana::path_var,
0ul>*) const
       
/var/tmp/portage/sys-devel/gcc-11.0.0_alpha20200816/work/gcc-11-20200816/gcc/analyzer/store.cc:1121
0x11392e7 ana::store::get_representative_path_vars(ana::region_model const*,
hash_set<ana::svalue const*, false, default_hash_traits<ana::svalue const*> >*,
ana::svalue const*, auto_vec<ana::path_var, 0ul>*) const
       
/var/tmp/portage/sys-devel/gcc-11.0.0_alpha20200816/work/gcc-11-20200816/gcc/analyzer/store.cc:1805
0x110dc5d ana::region_model::get_representative_path_var(ana::svalue const*,
hash_set<ana::svalue const*, false, default_hash_traits<ana::svalue const*> >*)
const
       
/var/tmp/portage/sys-devel/gcc-11.0.0_alpha20200816/work/gcc-11-20200816/gcc/analyzer/region-model.cc:1806
0x110e3a7 ana::region_model::get_representative_tree(ana::svalue const*) const
       
/var/tmp/portage/sys-devel/gcc-11.0.0_alpha20200816/work/gcc-11-20200816/gcc/analyzer/region-model.cc:1851
0x10f8474 ana::impl_sm_context::get_diagnostic_tree(tree_node*)
       
/var/tmp/portage/sys-devel/gcc-11.0.0_alpha20200816/work/gcc-11-20200816/gcc/analyzer/engine.cc:295
0x11320df on_stmt
       
/var/tmp/portage/sys-devel/gcc-11.0.0_alpha20200816/work/gcc-11-20200816/gcc/analyzer/sm-malloc.cc:805
0x10f318f ana::exploded_node::on_stmt(ana::exploded_graph&, ana::supernode
const*, gimple const*, ana::program_state*) const
       
/var/tmp/portage/sys-devel/gcc-11.0.0_alpha20200816/work/gcc-11-20200816/gcc/analyzer/engine.cc:1098
0x10f426d ana::exploded_graph::process_node(ana::exploded_node*)
       
/var/tmp/portage/sys-devel/gcc-11.0.0_alpha20200816/work/gcc-11-20200816/gcc/analyzer/engine.cc:2526
0x10f4d5a ana::exploded_graph::process_worklist()
       
/var/tmp/portage/sys-devel/gcc-11.0.0_alpha20200816/work/gcc-11-20200816/gcc/analyzer/engine.cc:2341
0x10f6e8f ana::impl_run_checkers(ana::logger*)
       
/var/tmp/portage/sys-devel/gcc-11.0.0_alpha20200816/work/gcc-11-20200816/gcc/analyzer/engine.cc:4107
0x10f7aac ana::run_checkers()
       
/var/tmp/portage/sys-devel/gcc-11.0.0_alpha20200816/work/gcc-11-20200816/gcc/analyzer/engine.cc:4175
0x10ec468 execute
       
/var/tmp/portage/sys-devel/gcc-11.0.0_alpha20200816/work/gcc-11-20200816/gcc/analyzer/analyzer-pass.cc:84

[Bug analyzer/96648] [11 Regression] ICE in get_field_at_bit_offset, at analyzer/region.cc:229

[cvs-commit at gcc dot gnu.org]

https://gcc.gnu.org/bugzilla/show_bug.cgi?id=96648

--- Comment #1 from CVS Commits <cvs-commit at gcc dot gnu.org> ---
The master branch has been updated by David Malcolm <dmalcolm@gcc.gnu.org>:

https://gcc.gnu.org/g:400abebf48a90d0797718ab7c3864de331e85b70

commit r11-2753-g400abebf48a90d0797718ab7c3864de331e85b70
Author: David Malcolm <dmalcolm@redhat.com>
Date:   Mon Aug 17 21:12:35 2020 -0400

    analyzer: fix ICE with negative bit offsets [PR96648]

    PR analyzer/96648 reports an ICE within get_field_at_bit_offset due
    to a negative bit offset, arising due to pointer arithmetic.

    This patch replaces an assertion with handling for this case, fixing the
    ICE.

    gcc/analyzer/ChangeLog:
            PR analyzer/96648
            * region.cc (get_field_at_bit_offset): Gracefully handle negative
            values for bit_offset.

    gcc/testsuite/ChangeLog:
            PR analyzer/96648
            * gcc.dg/analyzer/pr96648.c: New test.

[Bug analyzer/96648] [11 Regression] ICE in get_field_at_bit_offset, at analyzer/region.cc:229

[dmalcolm at gcc dot gnu.org]

https://gcc.gnu.org/bugzilla/show_bug.cgi?id=96648

David Malcolm <dmalcolm at gcc dot gnu.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|UNCONFIRMED                 |RESOLVED
         Resolution|---                         |FIXED

--- Comment #2 from David Malcolm <dmalcolm at gcc dot gnu.org> ---
Should be fixed by the above patch.