[Bug tree-optimization/98721] New: [11 Regression] ICE in c_tree_printer at /gcc/c/c-objc-common.c:314 since r11-5523-geafe8ee7af13c398

[Bug tree-optimization/98721] New: [11 Regression] ICE in c_tree_printer at /gcc/c/c-objc-common.c:314 since r11-5523-geafe8ee7af13c398

[marxin at gcc dot gnu.org]

https://gcc.gnu.org/bugzilla/show_bug.cgi?id=98721

            Bug ID: 98721
           Summary: [11 Regression] ICE in c_tree_printer at
                    /gcc/c/c-objc-common.c:314 since
                    r11-5523-geafe8ee7af13c398
           Product: gcc
           Version: 11.0
            Status: UNCONFIRMED
          Keywords: ice-on-valid-code
          Severity: normal
          Priority: P3
         Component: tree-optimization
          Assignee: unassigned at gcc dot gnu.org
          Reporter: marxin at gcc dot gnu.org
                CC: msebor at gcc dot gnu.org
  Target Milestone: ---

Since the revision, I see the following ICE:

$ cat strlen.i
long unsigned int strlen(const char *);

void test_char_vla_local(int n) {
  char vla[n];
  if (1 == strlen(vla)) {
    char vla[n];
  }
}

$ gcc strlen.i -c -fsanitize=undefined -fno-code-hoisting -O3
strlen.i: In function ‘test_char_vla_local’:
strlen.i:5:12: warning: ‘strlen’ reading 1 or more bytes from a region of size
0 [-Wstringop-overread]
    5 |   if (1 == strlen(vla)) {
      |            ^~~~~~~~~~~
‘
during RTL pass: expand
Segmentation fault
0xe6e37a crash_signal
        /home/marxin/Programming/gcc/gcc/toplev.c:327
0x8a9ee8 c_tree_printer
        /home/marxin/Programming/gcc/gcc/c/c-objc-common.c:314
0x8a9ee8 c_tree_printer
        /home/marxin/Programming/gcc/gcc/c/c-objc-common.c:254
0x1a43872 pp_format(pretty_printer*, text_info*)
        /home/marxin/Programming/gcc/gcc/pretty-print.c:1475
0x1a288a0 diagnostic_report_diagnostic(diagnostic_context*, diagnostic_info*)
        /home/marxin/Programming/gcc/gcc/diagnostic.c:1244
0x1a2bb87 diagnostic_impl
        /home/marxin/Programming/gcc/gcc/diagnostic.c:1406
0x1a2bb87 inform(unsigned int, char const*, ...)
        /home/marxin/Programming/gcc/gcc/diagnostic.c:1485
0x994e06 access_ref::inform_access(access_mode) const
        /home/marxin/Programming/gcc/gcc/builtins.c:4576
0x998aab check_access(tree_node*, tree_node*, tree_node*, tree_node*,
tree_node*, access_mode, access_data const*)
        /home/marxin/Programming/gcc/gcc/builtins.c:4889
0x9998c4 check_read_access
        /home/marxin/Programming/gcc/gcc/builtins.c:4909
0x9999c1 check_read_access
        /home/marxin/Programming/gcc/gcc/expr.h:282
0x9999c1 expand_builtin_strlen
        /home/marxin/Programming/gcc/gcc/builtins.c:3701
0x99ef2c expand_builtin(tree_node*, rtx_def*, rtx_def*, machine_mode, int)
        /home/marxin/Programming/gcc/gcc/builtins.c:9818
0xaf2c8d expand_expr_real_1(tree_node*, rtx_def*, machine_mode,
expand_modifier, rtx_def**, bool)
        /home/marxin/Programming/gcc/gcc/expr.c:11275
0xafe0b0 store_expr(tree_node*, rtx_def*, int, bool, bool)
        /home/marxin/Programming/gcc/gcc/expr.c:5885
0xaff8cf expand_assignment(tree_node*, tree_node*, bool)
        /home/marxin/Programming/gcc/gcc/expr.c:5621
0x9c9046 expand_call_stmt
        /home/marxin/Programming/gcc/gcc/cfgexpand.c:2837
0x9c9046 expand_gimple_stmt_1
        /home/marxin/Programming/gcc/gcc/cfgexpand.c:3843
0x9c9046 expand_gimple_stmt
        /home/marxin/Programming/gcc/gcc/cfgexpand.c:4007
0x9cef5a expand_gimple_basic_block
        /home/marxin/Programming/gcc/gcc/cfgexpand.c:6044
Please submit a full bug report,
with preprocessed source if appropriate.
Please include the complete backtrace with any bug report.
See <https://gcc.gnu.org/bugs/> for instructions.

[Bug tree-optimization/98721] [11 Regression] ICE in c_tree_printer at /gcc/c/c-objc-common.c:314 since r11-5523-geafe8ee7af13c398

[marxin at gcc dot gnu.org]

https://gcc.gnu.org/bugzilla/show_bug.cgi?id=98721

Martin Liška <marxin at gcc dot gnu.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|UNCONFIRMED                 |NEW
   Last reconfirmed|                            |2021-01-18
      Known to work|                            |10.2.0
     Ever confirmed|0                           |1
   Target Milestone|---                         |11.0
      Known to fail|                            |11.0

[Bug tree-optimization/98721] [11 Regression] ICE in c_tree_printer at /gcc/c/c-objc-common.c:314 since r11-5523-geafe8ee7af13c398

[marxin at gcc dot gnu.org]

https://gcc.gnu.org/bugzilla/show_bug.cgi?id=98721

--- Comment #1 from Martin Liška <marxin at gcc dot gnu.org> ---
Where both these 2 objects are null:

(gdb) p sizestr
$7 = "0", '\000' <repeats 15 times>,
"\060\316\377\377\377\177\000\000P\316\377\377\377\177\000\000\210#\000\000\000\000\000\000\230\373;\367\377\177\000\000\000wF\367\377\177\000\000\340-;\367\377\177\000\000\340\267<\367\377\177\000\000\361̖\000\000\000\000"
(gdb) p allocfn
$8 = <tree 0x0>

in access_ref::inform_access (access_mode mode) const function.

[Bug tree-optimization/98721] [11 Regression] ICE in c_tree_printer at /gcc/c/c-objc-common.c:314 since r11-5523-geafe8ee7af13c398

[rguenth at gcc dot gnu.org]

https://gcc.gnu.org/bugzilla/show_bug.cgi?id=98721

Richard Biener <rguenth at gcc dot gnu.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
           Priority|P3                          |P1

[Bug tree-optimization/98721] [11 Regression] ICE in c_tree_printer at /gcc/c/c-objc-common.c:314 since r11-5523-geafe8ee7af13c398

[jakub at gcc dot gnu.org]

https://gcc.gnu.org/bugzilla/show_bug.cgi?id=98721

Jakub Jelinek <jakub at gcc dot gnu.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
           Assignee|unassigned at gcc dot gnu.org      |jakub at gcc dot gnu.org
             Status|NEW                         |ASSIGNED
                 CC|                            |jakub at gcc dot gnu.org

--- Comment #2 from Jakub Jelinek <jakub at gcc dot gnu.org> ---
Created attachment 50001
  --> https://gcc.gnu.org/bugzilla/attachment.cgi?id=50001&action=edit
gcc11-pr98721.patch

Untested fix.  I'm hesistant to add the #c0 testcase, because we really
shouldn't be warning on this at all.  I think the right fix is not to do
jump-threading on the ubsan (and other sanitizer) checks.

[Bug tree-optimization/98721] [11 Regression] ICE in c_tree_printer at /gcc/c/c-objc-common.c:314 since r11-5523-geafe8ee7af13c398

[jakub at gcc dot gnu.org]

https://gcc.gnu.org/bugzilla/show_bug.cgi?id=98721

Jakub Jelinek <jakub at gcc dot gnu.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
  Attachment #50001|0                           |1
        is obsolete|                            |

--- Comment #3 from Jakub Jelinek <jakub at gcc dot gnu.org> ---
Created attachment 50002
  --> https://gcc.gnu.org/bugzilla/attachment.cgi?id=50002&action=edit
gcc11-pr98721.patch

But I can add a different test on which we ICEd the same and now warn and the
warning is desirable.

[Bug tree-optimization/98721] [11 Regression] ICE in c_tree_printer at /gcc/c/c-objc-common.c:314 since r11-5523-geafe8ee7af13c398

[cvs-commit at gcc dot gnu.org]

https://gcc.gnu.org/bugzilla/show_bug.cgi?id=98721

--- Comment #4 from CVS Commits <cvs-commit at gcc dot gnu.org> ---
The master branch has been updated by Jakub Jelinek <jakub@gcc.gnu.org>:

https://gcc.gnu.org/g:4d2ecd960a0c0e7656043b9c162fcac6d7e5ac3f

commit r11-6812-g4d2ecd960a0c0e7656043b9c162fcac6d7e5ac3f
Author: Jakub Jelinek <jakub@redhat.com>
Date:   Wed Jan 20 09:49:24 2021 +0100

    builtins: Fix up two bugs in access_ref::inform_access [PR98721]

    The following patch fixes two bugs in the access_ref::inform_access
function
    (plus some formatting nits).

    The first problem is that ref can be various things, e.g. *_DECL, or
    SSA_NAME, or IDENTIFIER_NODE.  And allocfn is non-NULL only if ref is
    (at least originally) an SSA_NAME initialized to the result of some
    allocator function (but not e.g. __builtin_alloca_with_align which is
    handled differently).

    A few lines above the last hunk of this patch in builtins.c, the code uses
      if (mode == access_read_write || mode == access_write_only)
        {
          if (allocfn == NULL_TREE)
            {
              if (*offstr)
                inform (loc, "at offset %s into destination object %qE of size
%s",
                        offstr, ref, sizestr);
              else
                inform (loc, "destination object %qE of size %s", ref,
sizestr);
              return;
            }

          if (*offstr)
            inform (loc,
                    "at offset %s into destination object of size %s "
                    "allocated by %qE", offstr, sizestr, allocfn);
          else
            inform (loc, "destination object of size %s allocated by %qE",
                    sizestr, allocfn);
          return;
        }
    so if allocfn is NULL, it prints whatever ref is, if it is non-NULL,
    it prints instead the allocation function.  But strangely the hunk
    a few lines below wasn't consistent with that and instead printed the
    first form only if DECL_P (ref) and would ICE if ref wasn't a decl but
    still allocfn was NULL.  Fixed by making it consistent what the code does
    earlier.

    Another bug is that the code earlier contains an ugly hack for VLAs and was
    assuming that SSA_NAME_IDENTIFIER must be non-NULL on the lhs of
    __builtin_alloca_with_align.  While that is likely true for the cases where
    the compiler emits this builtin for VLAs (and it will also be true that
    the name of the VLA in that case can be taken from that identifier up to
the
    first .), the builtin is user accessible as the testcase shows, so one can
    have any other SSA_NAME in there.  I think it would be better to add some
    more reliable way how to identify VLA names corresponding to
    __builtin_alloca_with_align allocations, perhaps internal fn or whatever,
    but that is beyond the scope of this patch.

    2021-01-20  Jakub Jelinek  <jakub@redhat.com>

            PR tree-optimization/98721
            * builtins.c (access_ref::inform_access): Don't assume
            SSA_NAME_IDENTIFIER must be non-NULL.  Print messages about
            object whenever allocfn is NULL, rather than only when DECL_P
            is true.  Use %qE instead of %qD for that.  Formatting fixes.

            * gcc.dg/pr98721-1.c: New test.
            * gcc.dg/pr98721-2.c: New test.

[Bug tree-optimization/98721] [11 Regression] ICE in c_tree_printer at /gcc/c/c-objc-common.c:314 since r11-5523-geafe8ee7af13c398

[jakub at gcc dot gnu.org]

https://gcc.gnu.org/bugzilla/show_bug.cgi?id=98721

Jakub Jelinek <jakub at gcc dot gnu.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|ASSIGNED                    |RESOLVED
         Resolution|---                         |FIXED

--- Comment #5 from Jakub Jelinek <jakub at gcc dot gnu.org> ---
Fixed.