public inbox for gcc-bugs@sourceware.org
* [Bug c/98969] New: [11 Regression] ICE: Segmentation fault (in print_mem_ref)
@ 2021-02-04 17:06 asolokha at gmx dot com
  2021-02-04 20:34 ` [Bug c/98969] " msebor at gcc dot gnu.org
                   ` (12 more replies)
  0 siblings, 13 replies; 14+ messages in thread
From: asolokha at gmx dot com @ 2021-02-04 17:06 UTC (permalink / raw)
  To: gcc-bugs

https://gcc.gnu.org/bugzilla/show_bug.cgi?id=98969

            Bug ID: 98969
           Summary: [11 Regression] ICE: Segmentation fault (in
                    print_mem_ref)
           Product: gcc
           Version: 11.0
            Status: UNCONFIRMED
          Keywords: ice-on-invalid-code
          Severity: normal
          Priority: P3
         Component: c
          Assignee: unassigned at gcc dot gnu.org
          Reporter: asolokha at gmx dot com
  Target Milestone: ---

gcc-11.0.0-alpha20210131 snapshot (g:98342bdd2b7085c9e7e4c9fbb07c3917a0013515)
ICEs when compiling the following snippet by either C or C++ compiler w/
-fanalyzer:

struct TYPE_14__ {
  char *expr;
};

char *
strdup (const char *);

void
_round_2_cb (long int _round_2_cb_n_0)
{
  struct TYPE_14__ *bb = (struct TYPE_14__ *) _round_2_cb_n_0;

  bb->expr = strdup ((const char *) 0);
}

% gcc-11.0.0 -fanalyzer -c e6r6hdiy.c
during IPA pass: analyzer
e6r6hdiy.c:14:1: internal compiler error: Segmentation fault
   14 | }
      | ^
0xe0343f crash_signal
        /var/tmp/portage/sys-devel/gcc-11.0.0_alpha20210131/work/gcc-11-20210131/gcc/toplev.c:327
0x8dac60 print_mem_ref
        /var/tmp/portage/sys-devel/gcc-11.0.0_alpha20210131/work/gcc-11-20210131/gcc/c-family/c-pretty-print.c:2006
0x8d7ffc c_pretty_printer::postfix_expression(tree_node*)
        /var/tmp/portage/sys-devel/gcc-11.0.0_alpha20210131/work/gcc-11-20210131/gcc/c-family/c-pretty-print.c:1696
0x83b34d c_tree_printer
        /var/tmp/portage/sys-devel/gcc-11.0.0_alpha20210131/work/gcc-11-20210131/gcc/c/c-objc-common.c:317
0x83b34d c_tree_printer
        /var/tmp/portage/sys-devel/gcc-11.0.0_alpha20210131/work/gcc-11-20210131/gcc/c/c-objc-common.c:254
0x1a01945 pp_format(pretty_printer*, text_info*)
        /var/tmp/portage/sys-devel/gcc-11.0.0_alpha20210131/work/gcc-11-20210131/gcc/pretty-print.c:1475
0x11ab18b ana::evdesc::event_desc::formatted_print(char const*, ...) const
        /var/tmp/portage/sys-devel/gcc-11.0.0_alpha20210131/work/gcc-11-20210131/gcc/analyzer/pending-diagnostic.cc:64
0x1998e16 ana::warning_event::get_desc(bool) const
        /var/tmp/portage/sys-devel/gcc-11.0.0_alpha20210131/work/gcc-11-20210131/gcc/analyzer/checker-path.cc:885
0x1998692 ana::checker_event::prepare_for_emission(ana::checker_path*, ana::pending_diagnostic*, diagnostic_event_id_t)
        /var/tmp/portage/sys-devel/gcc-11.0.0_alpha20210131/work/gcc-11-20210131/gcc/analyzer/checker-path.cc:149
0x19a9159 ana::checker_path::prepare_for_emission(ana::pending_diagnostic*)
        /var/tmp/portage/sys-devel/gcc-11.0.0_alpha20210131/work/gcc-11-20210131/gcc/analyzer/checker-path.h:559
0x19a9159 ana::diagnostic_manager::emit_saved_diagnostic(ana::exploded_graph const&, ana::saved_diagnostic const&, ana::exploded_path const&, gimple const*, int)
        /var/tmp/portage/sys-devel/gcc-11.0.0_alpha20210131/work/gcc-11-20210131/gcc/analyzer/diagnostic-manager.cc:668
0x19ab831 ana::dedupe_winners::emit_best(ana::diagnostic_manager*, ana::exploded_graph const&)
        /var/tmp/portage/sys-devel/gcc-11.0.0_alpha20210131/work/gcc-11-20210131/gcc/analyzer/diagnostic-manager.cc:569
0x19a956a ana::diagnostic_manager::emit_saved_diagnostics(ana::exploded_graph const&)
        /var/tmp/portage/sys-devel/gcc-11.0.0_alpha20210131/work/gcc-11-20210131/gcc/analyzer/diagnostic-manager.cc:622
0x11a1602 ana::impl_run_checkers(ana::logger*)
        /var/tmp/portage/sys-devel/gcc-11.0.0_alpha20210131/work/gcc-11-20210131/gcc/analyzer/engine.cc:4780
0x11a2426 ana::run_checkers()
        /var/tmp/portage/sys-devel/gcc-11.0.0_alpha20210131/work/gcc-11-20210131/gcc/analyzer/engine.cc:4837
0x11940f8 execute
        /var/tmp/portage/sys-devel/gcc-11.0.0_alpha20210131/work/gcc-11-20210131/gcc/analyzer/analyzer-pass.cc:87

^ permalink raw reply	[flat|nested] 14+ messages in thread

* [Bug c/98969] [11 Regression] ICE: Segmentation fault (in print_mem_ref)
From: msebor at gcc dot gnu.org @ 2021-02-04 20:34 UTC (permalink / raw)
  To: gcc-bugs

https://gcc.gnu.org/bugzilla/show_bug.cgi?id=98969

Martin Sebor <msebor at gcc dot gnu.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|UNCONFIRMED                 |NEW
     Ever confirmed|0                           |1
                 CC|                            |msebor at gcc dot gnu.org
   Last reconfirmed|                            |2021-02-04

--- Comment #1 from Martin Sebor <msebor at gcc dot gnu.org> ---
Confirmed.  The ICE is in accessing arg_type in the snippet below when it's
null.

  tree arg_type = TREE_TYPE (TREE_TYPE (arg));
  ...
  /* True to include a cast to the accessed type.  */
  const bool access_cast
    = ((op && op != TREE_OPERAND (arg, 0))
       || VOID_TYPE_P (arg_type)
       || !lang_hooks.types_compatible_p (access_type, arg_type));
  const bool has_off = byte_off != 0 || (op && op != TREE_OPERAND (arg, 0));

arg is set to the integer but the arg_type initializer assumes it's a pointer:

 <ssa_name 0x7fffea802d38
    type <integer_type 0x7fffea810738 long int public DI
        size <integer_cst 0x7fffea7f7cd8 constant 64>
        unit-size <integer_cst 0x7fffea7f7cf0 constant 8>
        align:64 warn_if_not_align:0 symtab:0 alias-set -1 canonical-type
0x7fffea810738 precision:64 min <integer_cst 0x7fffea7f7f60
-9223372036854775808> max <integer_cst 0x7fffea7f7f78 9223372036854775807>
        pointer_to_this <pointer_type 0x7fffea820150>>
    visited var <parm_decl 0x7fffea950080 _round_2_cb_n_0>
    def_stmt GIMPLE_NOP
    version:2>


* [Bug c/98969] [11 Regression] ICE: Segmentation fault (in print_mem_ref)
From: msebor at gcc dot gnu.org @ 2021-02-04 20:50 UTC (permalink / raw)
  To: gcc-bugs

https://gcc.gnu.org/bugzilla/show_bug.cgi?id=98969

Martin Sebor <msebor at gcc dot gnu.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
           Assignee|unassigned at gcc dot gnu.org      |msebor at gcc dot gnu.org
   Target Milestone|---                         |11.0
             Status|NEW                         |ASSIGNED
           Keywords|ice-on-invalid-code         |ice-on-valid-code

--- Comment #2 from Martin Sebor <msebor at gcc dot gnu.org> ---
The following avoids the ICE:

diff --git a/gcc/c-family/c-pretty-print.c b/gcc/c-family/c-pretty-print.c
index 2095d4badf7..da4a8b5defd 100644
--- a/gcc/c-family/c-pretty-print.c
+++ b/gcc/c-family/c-pretty-print.c
@@ -1989,7 +1989,9 @@ print_mem_ref (c_pretty_printer *pp, tree e)
     }

   tree access_type = TREE_TYPE (e);
-  tree arg_type = TREE_TYPE (TREE_TYPE (arg));
+  tree arg_type = TREE_TYPE (arg);
+  if (POINTER_TYPE_P (arg))
+    arg_type = TREE_TYPE (arg_type);
   if (tree access_size = TYPE_SIZE_UNIT (access_type))
     if (byte_off != 0
        && TREE_CODE (access_size) == INTEGER_CST
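Review bot: the new guard tests the wrong node. `if (POINTER_TYPE_P (arg))` is applied to the expression `arg` (an SSA_NAME in this report), but POINTER_TYPE_P looks at the TREE_CODE of a type, so the condition is never true and `arg_type` stays as `TREE_TYPE (arg)` even for a well-formed MEM_REF whose base really is a pointer; that silently changes the `access_cast` / `types_compatible_p` decisions that follow, which compare against the pointed-to type. The check should be on the type, i.e. `if (POINTER_TYPE_P (arg_type))` (equivalently `POINTER_TYPE_P (TREE_TYPE (arg))`), which still avoids dereferencing the non-pointer base from this report. As written the hunk avoids the ICE only because the mistaken test skips the dereference in every case.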

and results in:

pr98969.c: In function ‘_round_2_cb’:
pr98969.c:14:14: warning: argument 1 null where non-null expected [-Wnonnull]
   14 |   bb->expr = strdup ((const char *) 0);
      |              ^~~~~~
pr98969.c:7:1: note: in a call to function ‘strdup’ declared ‘nonnull’
    7 | strdup (const char *);
      | ^~~~~~
pr98969.c:15:1: warning: leak of ‘*(struct TYPE_14__ *)_round_2_cb_n_0.expr’
[CWE-401] [-Wanalyzer-malloc-leak]
   15 | }
      | ^
  ‘_round_2_cb’: events 1-2
    |
    |   14 |   bb->expr = strdup ((const char *) 0);
    |      |              ^~~~~~~~~~~~~~~~~~~~~~~~~
    |      |              |
    |      |              (1) allocated here
    |   15 | }
    |      | ~             
    |      | |
    |      | (2) ‘*(struct TYPE_14__ *)_round_2_cb_n_0.expr’ leaks here; was
allocated at (1)
    |


The test case is undefined but syntactically valid, thus ice-on-valid-code.


* [Bug c/98969] [11 Regression] ICE: Segmentation fault (in print_mem_ref)
From: jakub at gcc dot gnu.org @ 2021-02-04 20:52 UTC (permalink / raw)
  To: gcc-bugs

https://gcc.gnu.org/bugzilla/show_bug.cgi?id=98969

Jakub Jelinek <jakub at gcc dot gnu.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |jakub at gcc dot gnu.org

--- Comment #3 from Jakub Jelinek <jakub at gcc dot gnu.org> ---
This programming style is always wrong, please stop doing that.


* [Bug analyzer/98969] [11 Regression] ICE: Segmentation fault (in print_mem_ref)
From: rguenth at gcc dot gnu.org @ 2021-02-05  8:15 UTC (permalink / raw)
  To: gcc-bugs

https://gcc.gnu.org/bugzilla/show_bug.cgi?id=98969

Richard Biener <rguenth at gcc dot gnu.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |dmalcolm at gcc dot gnu.org
          Component|c                           |analyzer

--- Comment #4 from Richard Biener <rguenth at gcc dot gnu.org> ---
The bug is in the analyzer which builds a MEM_REF with non-pointer argument
zero here:

#0  0x000000000194ce94 in build2 (code=MEM_REF, 
    tt=<record_type 0x7ffff669ed20 TYPE_14__>, 
    arg0=<ssa_name 0x7ffff6575d38 2>, arg1=<integer_cst 0x7ffff66b0138>)
    at /home/rguenther/src/gcc3/gcc/tree.c:4876
#1  0x0000000001ac2f7e in ana::region_model::get_representative_path_var (
    this=0x3b27a30, reg=0x3b237c0, visited=0x7fffffffc6c0)
    at /home/rguenther/src/gcc3/gcc/analyzer/region-model.cc:2319
#2  0x0000000001ac303d in ana::region_model::get_representative_path_var (
    this=0x3b27a30, reg=0x3b23800, visited=0x7fffffffc6c0)
    at /home/rguenther/src/gcc3/gcc/analyzer/region-model.cc:2334

(gdb) l
2314            const svalue *pointer = symbolic_reg->get_pointer ();
2315            path_var pointer_pv = get_representative_path_var (pointer,
visited);
2316            if (!pointer_pv)
2317              return path_var (NULL_TREE, 0);
2318            tree offset = build_int_cst (pointer->get_type (), 0);
2319            return path_var (build2 (MEM_REF,
2320                                     reg->get_type (),
2321                                     pointer_pv.m_tree,
2322                                     offset),
2323                             pointer_pv.m_stack_depth);


* [Bug analyzer/98969] [11 Regression] ICE: Segmentation fault (in print_mem_ref)
From: jakub at gcc dot gnu.org @ 2021-02-05 14:08 UTC (permalink / raw)
  To: gcc-bugs

https://gcc.gnu.org/bugzilla/show_bug.cgi?id=98969

--- Comment #5 from Jakub Jelinek <jakub at gcc dot gnu.org> ---
Yeah, seems the analyzer looked through the cast, so either it shouldn't, or it
needs to re-add the cast in there.

As for print_mem_ref, if we wanted to protect it from bogus MEM_REF creation
(not sure about if we want to), the right change IMHO would be to set
access_type to
NULL_TREE if TREE_TYPE (arg) doesn't have POINTER_TYPE_P, and in the spots that
use access_type treat access_type NULL as unknown access type, e.g. access_cast
should be true if access_type is NULL, and char_cast should be true too.


* [Bug analyzer/98969] [11 Regression] ICE: Segmentation fault (in print_mem_ref)
From: dmalcolm at gcc dot gnu.org @ 2021-02-05 14:18 UTC (permalink / raw)
  To: gcc-bugs

https://gcc.gnu.org/bugzilla/show_bug.cgi?id=98969

David Malcolm <dmalcolm at gcc dot gnu.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
           Assignee|msebor at gcc dot gnu.org          |dmalcolm at gcc dot gnu.org

--- Comment #6 from David Malcolm <dmalcolm at gcc dot gnu.org> ---
Mine; the analyzer shouldn't ICE by constructing malformed trees.

Also, the leak diagnostic is arguably a false positive in that
  (struct TYPE_14__ *) _round_2_cb_n_0
is still effectively reachable by the caller after the function returns.

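The reachability argument in comment #6 (the struct behind `(struct TYPE_14__ *) _round_2_cb_n_0` is still owned by the caller, so storing an allocation through it hands the memory off rather than leaking it) can be made observable at run time. The following is an added example, not code from the bug report or from GCC: the callback shape and the integer-encoded context pointer mirror the reduced test case, while the `foo` struct name, the allocation ledger (`live_allocs`, `tracked_strdup`, `tracked_free`), the driver `live_after_callback` and the string contents are constructed here. It pairs the reported pattern, which the analyzer flagged as a leak, with a variant that genuinely leaks, and counts outstanding allocations after the caller has reclaimed everything it can reach.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Added example, not from the bug report: struct name and ledger are
   assumptions made for illustration.  */
struct foo {
  char *expr;
};

/* Tiny allocation ledger so the leak / no-leak distinction is visible at
   run time instead of only in the analyzer's diagnostics.  */
static int live_allocs;

static char *
tracked_strdup (const char *s)
{
  size_t n = strlen (s) + 1;
  char *p = malloc (n);
  if (p)
    {
      memcpy (p, s, n);
      live_allocs++;
    }
  return p;
}

static void
tracked_free (char *p)
{
  if (p)
    live_allocs--;
  free (p);
}

/* The report's callback shape: the context pointer arrives encoded in an
   integer (a common callback-context idiom) and the allocation is stored
   through it.  Nothing is lost here: the caller still holds the integer the
   struct address is recovered from, so ((struct foo *) ctx)->expr remains
   reachable after we return.  */
static void
fill_expr_cb (intptr_t ctx)
{
  struct foo *f = (struct foo *) ctx;
  f->expr = tracked_strdup ("round-2");
}

/* A genuine leak for contrast: the first allocation is overwritten without
   being freed, and no caller can reach it afterwards.  */
static void
overwrite_expr_cb (intptr_t ctx)
{
  struct foo *f = (struct foo *) ctx;
  f->expr = tracked_strdup ("first");
  f->expr = tracked_strdup ("second");  /* "first" is now unreachable */
}

/* Runs CB against a fresh context the way real code would, reclaims what
   the caller can still see, and returns the number of allocations left
   live: 0 means every block was reachable and freed, anything else is a
   real leak.  Returns -1 if the context itself could not be allocated.  */
int
live_after_callback (void (*cb) (intptr_t))
{
  live_allocs = 0;
  struct foo *f = calloc (1, sizeof *f);
  if (!f)
    return -1;
  cb ((intptr_t) f);           /* same integer-encoded pointer as the report */
  tracked_free (f->expr);      /* reachable as ((struct foo *) ctx)->expr */
  free (f);
  return live_allocs;
}

int
fill_expr_leaks (void)
{
  return live_after_callback (fill_expr_cb);
}

int
overwrite_expr_leaks (void)
{
  return live_after_callback (overwrite_expr_cb);
}

int
main (void)
{
  printf ("fill_expr_cb leaves %d allocation(s) live\n", fill_expr_leaks ());
  printf ("overwrite_expr_cb leaves %d allocation(s) live\n",
          overwrite_expr_leaks ());
  return 0;
}
```

The distinction the analyzer has to draw is exactly the one the ledger reports: a value stored through a parameter that the outside-of-the-analysis caller still holds is live at function exit, whereas a value whose only reference was overwritten inside the callee is not. An analyzer that treats top-level parameters as dead at return reports both cases identically, which is the false positive comment #6 describes.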

* [Bug analyzer/98969] [11 Regression] ICE: Segmentation fault (in print_mem_ref)
From: msebor at gcc dot gnu.org @ 2021-02-06 16:16 UTC (permalink / raw)
  To: gcc-bugs

https://gcc.gnu.org/bugzilla/show_bug.cgi?id=98969

--- Comment #7 from Martin Sebor <msebor at gcc dot gnu.org> ---
I had already dealt with this problem in the pretty printer in r11-6621 (the
same way as in comment #2) but it regressed with Jakub's subsequent changes in
r11-6729.  It's also not the only regression that Jakub's change seems to have
caused.  Instrumenting GCC to print every MEM_REF it sees in
maybe_warn_operand() in tree-ssa-uninit.c causes the ICE below that I didn't
get when testing r11-6621.

I agree the pretty printer should as much as possible try to behave robustly
for bad MEM_REFs, if only to make debugging easier.

...
during GIMPLE pass: *early_warn_uninitialized
In function ‘void selftest::verify_clear_bit_region()’:
canonical types differ for identical types ‘unsigned char [3]’ and ‘unsigned
char [3]’
 5499 | } // namespace selftest
      | ^
0xe61a0a comptypes(tree_node*, tree_node*, int)
        /src/gcc/master/gcc/cp/typeck.c:1540
0xe61c07 same_type_ignoring_top_level_qualifiers_p(tree_node*, tree_node*)
        /src/gcc/master/gcc/cp/typeck.c:1576
0xaf4fe0 cxx_types_compatible_p(tree_node*, tree_node*)
        /src/gcc/master/gcc/cp/cp-objcp-common.c:123
0xf4f98e c_fold_indirect_ref_for_warn
        /src/gcc/master/gcc/c-family/c-pretty-print.c:1829
0xf50695 print_mem_ref
        /src/gcc/master/gcc/c-family/c-pretty-print.c:1953
0xf515bd c_pretty_printer::unary_expression(tree_node*)
        /src/gcc/master/gcc/c-family/c-pretty-print.c:2171
0xbad752 dump_expr
        /src/gcc/master/gcc/cp/error.c:2422
0xbb0ed8 expr_to_string(tree_node*)
        /src/gcc/master/gcc/cp/error.c:3188
0xbb4ffd cp_printer
        /src/gcc/master/gcc/cp/error.c:4356
0x2cba14f pp_format(pretty_printer*, text_info*)
        /src/gcc/master/gcc/pretty-print.c:1475
0x2c8ffd5 diagnostic_report_diagnostic(diagnostic_context*, diagnostic_info*)
        /src/gcc/master/gcc/diagnostic.c:1244
0x2c90675 diagnostic_impl
        /src/gcc/master/gcc/diagnostic.c:1406
0x2c90ad3 inform(unsigned int, char const*, ...)
        /src/gcc/master/gcc/diagnostic.c:1485
0x1c107c7 maybe_warn_operand
        /src/gcc/master/gcc/tree-ssa-uninit.c:255
0x1c11bf1 warn_uninitialized_vars
        /src/gcc/master/gcc/tree-ssa-uninit.c:660
0x1c17374 execute_early_warn_uninitialized
        /src/gcc/master/gcc/tree-ssa-uninit.c:3092
0x1c173f2 execute
        /src/gcc/master/gcc/tree-ssa-uninit.c:3127
...

The ICE is for this statement

  MEM <unsigned char[3]> [(char * {ref-all})&in] = MEM <unsigned char[3]>
[(char * {ref-all})&orig];

and the following value of e in print_mem_ref:

 <mem_ref 0x7fffe88d5a78
    type <array_type 0x7fffe74c9e70
        type <integer_type 0x7fffea815348 unsigned char sizes-gimplified public
unsigned type_6 QI
            size <integer_cst 0x7fffea7f7fa8 constant 8>
            unit-size <integer_cst 0x7fffea7f7fc0 constant 1>
            align:8 warn_if_not_align:0 symtab:0 alias-set -1 canonical-type
0x7fffea815348 precision:8 min <integer_cst 0x7fffea7f7fd8 0> max <integer_cst
0x7fffea7f7f78 255>
            pointer_to_this <pointer_type 0x7fffe902a690>>
        BLK
        size <integer_cst 0x7fffea818360 constant 24>
        unit-size <integer_cst 0x7fffe9198048 constant 3>
        align:8 warn_if_not_align:0 symtab:0 alias-set -1 canonical-type
0x7fffe74c9e70
        domain <integer_type 0x7fffe8f7ad20 type <integer_type 0x7fffea815000
sizetype>
            sizes-gimplified type_6 DI
            size <integer_cst 0x7fffea7f7eb8 constant 64>
            unit-size <integer_cst 0x7fffea7f7ed0 constant 8>
            align:64 warn_if_not_align:0 symtab:0 alias-set -1 canonical-type
0x7fffe8f7ad20 precision:64 min <integer_cst 0x7fffea7f7ee8 0> max <integer_cst
0x7fffea818090 2>>>

    arg:0 <addr_expr 0x7fffe6e09360
        type <pointer_type 0x7fffe6e01540 type <array_type 0x7fffe6e015e8>
            unsigned DI size <integer_cst 0x7fffea7f7eb8 64> unit-size
<integer_cst 0x7fffea7f7ed0 8>
            align:64 warn_if_not_align:0 symtab:0 alias-set -1 canonical-type
0x7fffe6e01540>

        arg:0 <var_decl 0x7fffe6e02510 orig type <array_type 0x7fffe6e015e8>
            used tree_1 tree_2 tree_6 read decl_5 BLK
/src/gcc/master/gcc/gimple-ssa-store-merging.c:5442:17 size <integer_cst
0x7fffea818360 24> unit-size <integer_cst 0x7fffe9198048 3>
            align:8 warn_if_not_align:0 context <function_decl 0x7fffe6e03700
verify_clear_bit_region> chain <var_decl 0x7fffe6e025a0 in>>
        /src/gcc/master/gcc/gimple-ssa-store-merging.c:5445:15 start:
/src/gcc/master/gcc/gimple-ssa-store-merging.c:5445:15 finish:
/src/gcc/master/gcc/gimple-ssa-store-merging.c:5445:18>
    arg:1 <integer_cst 0x7fffe7590cf0 type <pointer_type 0x7fffe74291f8>
constant 0>>


* [Bug analyzer/98969] [11 Regression] ICE: Segmentation fault (in print_mem_ref)
From: msebor at gcc dot gnu.org @ 2021-02-06 17:10 UTC (permalink / raw)
  To: gcc-bugs

https://gcc.gnu.org/bugzilla/show_bug.cgi?id=98969

--- Comment #8 from Martin Sebor <msebor at gcc dot gnu.org> ---
For reference, this is the change I used to test the MEM_REF formatting:

diff --git a/gcc/tree-ssa-uninit.c b/gcc/tree-ssa-uninit.c
index 0800f596ab1..0f47c0c286d 100644
--- a/gcc/tree-ssa-uninit.c
+++ b/gcc/tree-ssa-uninit.c
@@ -251,6 +251,9 @@ maybe_warn_operand (ao_ref &ref, gimple *stmt, tree lhs,
tree rhs,
   if (TREE_NO_WARNING (rhs))
     return NULL_TREE;

+  if (TREE_CODE (rhs) == MEM_REF)
+    inform (gimple_location (stmt), "MEM_REF = %qE", rhs);
+
   /* Do not warn if the base was marked so or this is a
      hard register var.  */
   tree base = ao_ref_base (&ref);
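Review bot: the inform () is unconditional, so as written it emits a note for every MEM_REF right-hand side in every translation unit, regardless of -w and of whether maybe_warn_operand would go on to warn at all; if this stays in a tree for longer than a one-off experiment it should be gated behind a dump flag or a debug counter. Also note that %qE on a MEM_REF is resolved by the front end's printer (cp_printer -> print_mem_ref in the backtrace that follows), which is precisely the code whose robustness is in question, so an ICE raised from this line is a printer failure rather than a tree-ssa-uninit one, and it fires on MEM_REFs that were never going to be reported.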

And the reduced test case (doesn't ICE with xgcc):

$ cat a.c && g++ -O2 -S -Wall a.c
void clear_bit_region (unsigned char*, unsigned, unsigned);

void verify_clear_bit_region (void)
{
  unsigned char orig[3] = { 1, 1, 1 }, in[3];
  __builtin_memcpy (in, orig, sizeof in);
  clear_bit_region (in, 0, 3 * (8));
}
during GIMPLE pass: *early_warn_uninitialized
In function ‘void verify_clear_bit_region()’:
canonical types differ for identical types ‘unsigned char [3]’ and ‘unsigned
char [3]’
    8 | }
      | ^
0xe61a0a comptypes(tree_node*, tree_node*, int)
        /src/gcc/master/gcc/cp/typeck.c:1540
0xe61c07 same_type_ignoring_top_level_qualifiers_p(tree_node*, tree_node*)
        /src/gcc/master/gcc/cp/typeck.c:1576
0xaf4fe0 cxx_types_compatible_p(tree_node*, tree_node*)
        /src/gcc/master/gcc/cp/cp-objcp-common.c:123
0xf4f98e c_fold_indirect_ref_for_warn
        /src/gcc/master/gcc/c-family/c-pretty-print.c:1829
0xf50695 print_mem_ref
        /src/gcc/master/gcc/c-family/c-pretty-print.c:1953
0xf515bd c_pretty_printer::unary_expression(tree_node*)
        /src/gcc/master/gcc/c-family/c-pretty-print.c:2171
0xbad752 dump_expr
        /src/gcc/master/gcc/cp/error.c:2422
0xbb0ed8 expr_to_string(tree_node*)
        /src/gcc/master/gcc/cp/error.c:3188
0xbb4ffd cp_printer
        /src/gcc/master/gcc/cp/error.c:4356
0x2cba14f pp_format(pretty_printer*, text_info*)
        /src/gcc/master/gcc/pretty-print.c:1475
0x2c8ffd5 diagnostic_report_diagnostic(diagnostic_context*, diagnostic_info*)
        /src/gcc/master/gcc/diagnostic.c:1244
0x2c90675 diagnostic_impl
        /src/gcc/master/gcc/diagnostic.c:1406
0x2c90ad3 inform(unsigned int, char const*, ...)
        /src/gcc/master/gcc/diagnostic.c:1485
0x1c107c7 maybe_warn_operand
        /src/gcc/master/gcc/tree-ssa-uninit.c:255
0x1c11bf1 warn_uninitialized_vars
        /src/gcc/master/gcc/tree-ssa-uninit.c:660
0x1c17374 execute_early_warn_uninitialized
        /src/gcc/master/gcc/tree-ssa-uninit.c:3092
0x1c173f2 execute
        /src/gcc/master/gcc/tree-ssa-uninit.c:3127
Please submit a full bug report,
with preprocessed source if appropriate.
Please include the complete backtrace with any bug report.
See <https://gcc.gnu.org/bugs/> for instructions.


* [Bug analyzer/98969] [11 Regression] ICE: Segmentation fault (in print_mem_ref)
From: dmalcolm at gcc dot gnu.org @ 2021-02-11  1:59 UTC (permalink / raw)
  To: gcc-bugs

https://gcc.gnu.org/bugzilla/show_bug.cgi?id=98969

--- Comment #9 from David Malcolm <dmalcolm at gcc dot gnu.org> ---
*** Bug 99064 has been marked as a duplicate of this bug. ***


* [Bug analyzer/98969] [11 Regression] ICE: Segmentation fault (in print_mem_ref)
From: cvs-commit at gcc dot gnu.org @ 2021-02-12  1:32 UTC (permalink / raw)
  To: gcc-bugs

https://gcc.gnu.org/bugzilla/show_bug.cgi?id=98969

--- Comment #10 from CVS Commits <cvs-commit at gcc dot gnu.org> ---
The master branch has been updated by David Malcolm <dmalcolm@gcc.gnu.org>:

https://gcc.gnu.org/g:467a48205279cab368dbeb02879bbbbe4b721516

commit r11-7202-g467a48205279cab368dbeb02879bbbbe4b721516
Author: David Malcolm <dmalcolm@redhat.com>
Date:   Thu Feb 11 20:31:28 2021 -0500

    analyzer: fix ICE in print_mem_ref [PR98969]

    PR analyzer/98969 and PR analyzer/99064 describes ICEs, in both cases
    within print_mem_ref, when falsely reporting memory leaks - though it
    is possible to generate the ICE on other diagnostics (which I added
    in one of the test cases).

    This patch fixes the ICE, leaving the fix for the leak false positives
    as followup work.

    The analyzer uses region_model::get_representative_path_var and
    region_model::get_representative_tree to map back from its svalue
    and region classes to the tree type used by the rest of the compiler,
    and, in particular, for diagnostics.

    The root cause of the ICE is sloppiness about types within those
    functions; specifically when casts were stripped off svalues.  To
    track these down I added wrapper functions that verify that the
    types of the results are correct, and in doing so found various
    other type-safety issues, which the patch also fixes.

    Doing so led to various changes in diagnostics messages due to
    more accurate types, but I felt that these changes weren't
    desirable.
    For example, the warning at CVE-2005-1689-minimal.c line 48
    which expects:
      double-'free' of 'inbuf.data'
    changed to
      double-'free' of '(char *)inbuf.data'

    So I added stripping of top-level casts where necessary to avoid
    cluttering diagnostics.

    Finally, the more accurate types led to worse results from
    readability_comparator, where e.g. the event message at line 50
    of sensitive-1.c regressed from the precise:
      passing sensitive value 'password' in call to 'called_by_test_5' from
'test_5'
    to the vaguer:
      calling 'called_by_test_5' from 'test_5'
    This was due to erroneously picking the initial value of "password"
    in the caller frame as the best value within the *callee* frame, due to
    "char *" vs "const char *", which confuses the logic for tracking values
    that pass along callgraph edges.  The patch fixes this by combining the
    readability tests for tree and stack depth, rather than performing
    them in sequence, so that it favors the value in the deepest frame.

    As noted above, the patch fixes the ICEs, but does not fix the
    leak false positives.

    gcc/analyzer/ChangeLog:
            PR analyzer/98969
            * engine.cc (readability): Add names for the various arbitrary
            values.  Handle NOP_EXPR and INTEGER_CST.
            (readability_comparator): Combine the readability tests for
            tree and stack depth, rather than performing them sequentially.
            (impl_region_model_context::on_state_leak): Strip off top-level
            casts.
            * region-model.cc (region_model::get_representative_path_var): Add
            type-checking, moving the bulk of the implementation to...
            (region_model::get_representative_path_var_1): ...here.  Respect
            types in casts by recursing and re-adding the cast, rather than
            merely stripping them off.  Use the correct type when handling
            region_svalue.
            (region_model::get_representative_tree): Strip off any top-level
            cast.
            (region_model::get_representative_path_var): Add type-checking,
            moving the bulk of the implementation to...
            (region_model::get_representative_path_var_1): ...here.
            * region-model.h (region_model::get_representative_path_var_1):
            New decl
            (region_model::get_representative_path_var_1): New decl.
            * store.cc (append_pathvar_with_type): New.
            (binding_cluster::get_representative_path_vars): Cast path_vars
            to the correct type when adding them to *OUT_PVS.

    gcc/testsuite/ChangeLog:
            PR analyzer/98969
            * g++.dg/analyzer/pr99064.C: New test.
            * gcc.dg/analyzer/pr98969.c: New test.


* [Bug analyzer/98969] [11 Regression] ICE: Segmentation fault (in print_mem_ref)
From: dmalcolm at gcc dot gnu.org @ 2021-02-12  1:36 UTC (permalink / raw)
  To: gcc-bugs

https://gcc.gnu.org/bugzilla/show_bug.cgi?id=98969

--- Comment #11 from David Malcolm <dmalcolm at gcc dot gnu.org> ---
As noted above, the ICE is fixed, but the leak false positive is not yet fixed.


* [Bug analyzer/98969] [11 Regression] ICE: Segmentation fault (in print_mem_ref)
From: cvs-commit at gcc dot gnu.org @ 2021-02-17 15:38 UTC (permalink / raw)
  To: gcc-bugs

https://gcc.gnu.org/bugzilla/show_bug.cgi?id=98969

--- Comment #12 from CVS Commits <cvs-commit at gcc dot gnu.org> ---
The master branch has been updated by David Malcolm <dmalcolm@gcc.gnu.org>:

https://gcc.gnu.org/g:e0139b2a912585496f23c352f0e2c56895f78fbf

commit r11-7270-ge0139b2a912585496f23c352f0e2c56895f78fbf
Author: David Malcolm <dmalcolm@redhat.com>
Date:   Wed Feb 17 10:37:16 2021 -0500

    analyzer: fix false leak involving params [PR98969]

    This patch updates the svalue liveness code so that the initial value
    of parameters at top-level functions to the analysis are treated as
    live (since the values are presumably still live within the
    outside-of-the-analysis calling code).

    This fixes the false leak in PR analyzer/98969 seen on:

    void
    test (long int i)
    {
      struct foo *f = (struct foo *)i;
      f->expr = __builtin_malloc (1024);
    }

    since the calling code can presumably still access the allocated
    buffer via:
      ((struct foo *)i)->expr

    The patch also removes the expected leak warnings from
    g++.dg/analyzer/pr99064.C and gcc.dg/analyzer/pr96841.c, which now
    appear to me to be false positives.

    gcc/analyzer/ChangeLog:
            PR analyzer/98969
            * constraint-manager.cc (dead_svalue_purger::should_purge_p):
            Update for change to svalue::live_p.
            * program-state.cc (sm_state_map::on_liveness_change): Likewise.
            (program_state::detect_leaks): Likewise.
            * region-model-reachability.cc (reachable_regions::init_cluster):
            When dealing with a symbolic region, if the underlying pointer is
            implicitly live, add the region to the reachable regions.
            * region-model.cc (region_model::compare_initial_and_pointer):
            Move logic for detecting initial values of params to
            initial_svalue::initial_value_of_param_p.
            * svalue.cc (svalue::live_p): Convert "live_svalues" from a
            reference to a pointer; support it being NULL.
            (svalue::implicitly_live_p): Convert first param from a
            reference to a pointer.
            (region_svalue::implicitly_live_p): Likewise.
            (constant_svalue::implicitly_live_p): Likewise.
            (initial_svalue::implicitly_live_p): Likewise.  Treat the initial
            values of params for the top level frame as still live.
            (initial_svalue::initial_value_of_param_p): New function, taken
            from a test in region_model::compare_initial_and_pointer.
            (unaryop_svalue::implicitly_live_p): Convert first param from a
            reference to a pointer.
            (binop_svalue::implicitly_live_p): Likewise.
            (sub_svalue::implicitly_live_p): Likewise.
            (unmergeable_svalue::implicitly_live_p): Likewise.
            * svalue.h (svalue::live_p): Likewise.
            (svalue::implicitly_live_p): Likewise.
            (region_svalue::implicitly_live_p): Likewise.
            (constant_svalue::implicitly_live_p): Likewise.
            (initial_svalue::implicitly_live_p): Likewise.
            (initial_svalue::initial_value_of_param_p): New decl.
            (unaryop_svalue::implicitly_live_p): Convert first param from a
            reference to a pointer.
            (binop_svalue::implicitly_live_p): Likewise.
            (sub_svalue::implicitly_live_p): Likewise.
            (unmergeable_svalue::implicitly_live_p): Likewise.

    gcc/testsuite/ChangeLog:
            PR analyzer/98969
            * g++.dg/analyzer/pr99064.C: Convert dg-bogus to dg-warning.
            * gcc.dg/analyzer/pr96841.c: Add -Wno-analyzer-too-complex to
            options.  Remove false leak directive.
            * gcc.dg/analyzer/pr98969.c (test_1): Remove xfail from leak
            false positive.
            (test_3): New.

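The caller/callee picture behind the false positive described in the commit message, as an added example that is not part of the GCC commit, the bug report or the GCC testsuite: `test()` is the reduced case from the commit message, `caller_roundtrip()` is a constructed caller showing why the buffer is still reachable through `((struct foo *)i)->expr`, and `leaky()` is a constructed contrast where the only path to the allocation really does die. It assumes an LP64 platform where a pointer fits in `long int`, as the testcase itself does.

```c
/* Added example, not code from the GCC commit or the bug report.  The
   callee only ever sees the pointer as a long, so a leak checker that
   treats the initial value of a top-level parameter as dead at function
   exit wrongly reports the malloc()ed buffer as leaked.  Assumes LP64
   (pointer fits in long int).  All names below are constructed.  */
#include <stdlib.h>
#include <string.h>

struct foo {
  char *expr;
};

/* Mirrors the reduced testcase from the commit message: the pointer
   arrives disguised as an integer and the allocation is stored through
   it.  Nothing is leaked: the caller still reaches the buffer through
   ((struct foo *)i)->expr, which is why the fix keeps the initial value
   of a top-level parameter live.  */
void
test (long int i)
{
  struct foo *f = (struct foo *) i;
  f->expr = malloc (1024);
}

/* Contrast: the struct is a local, so once the function returns the only
   path to the buffer is gone.  This is a genuine leak that a checker
   must still report; treating every value as live would hide it.  */
void
leaky (void)
{
  struct foo local;
  local.expr = malloc (1024);
}

/* Caller side: allocates through test(), uses the buffer it can reach via
   f.expr, frees it, and returns the number of bytes written so the round
   trip can be checked.  Returns 0 if the allocation failed.  */
size_t
caller_roundtrip (void)
{
  struct foo f = { NULL };
  test ((long int) &f);
  if (f.expr == NULL)
    return 0;
  strcpy (f.expr, "reachable via ((struct foo *)i)->expr");
  size_t n = strlen (f.expr);
  free (f.expr);   /* the caller, not test(), owns the buffer's lifetime */
  return n;
}
```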

* [Bug analyzer/98969] [11 Regression] ICE: Segmentation fault (in print_mem_ref)
From: dmalcolm at gcc dot gnu.org @ 2021-02-17 15:40 UTC (permalink / raw)
  To: gcc-bugs

https://gcc.gnu.org/bugzilla/show_bug.cgi?id=98969

David Malcolm <dmalcolm at gcc dot gnu.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
         Resolution|---                         |FIXED
             Status|ASSIGNED                    |RESOLVED

--- Comment #13 from David Malcolm <dmalcolm at gcc dot gnu.org> ---
The above commit fixes the remaining leak false positive.  Marking this as
resolved.



Thread overview: 14+ messages
2021-02-04 17:06 [Bug c/98969] New: [11 Regression] ICE: Segmentation fault (in print_mem_ref) asolokha at gmx dot com
2021-02-04 20:34 ` [Bug c/98969] " msebor at gcc dot gnu.org
2021-02-04 20:50 ` msebor at gcc dot gnu.org
2021-02-04 20:52 ` jakub at gcc dot gnu.org
2021-02-05  8:15 ` [Bug analyzer/98969] " rguenth at gcc dot gnu.org
2021-02-05 14:08 ` jakub at gcc dot gnu.org
2021-02-05 14:18 ` dmalcolm at gcc dot gnu.org
2021-02-06 16:16 ` msebor at gcc dot gnu.org
2021-02-06 17:10 ` msebor at gcc dot gnu.org
2021-02-11  1:59 ` dmalcolm at gcc dot gnu.org
2021-02-12  1:32 ` cvs-commit at gcc dot gnu.org
2021-02-12  1:36 ` dmalcolm at gcc dot gnu.org
2021-02-17 15:38 ` cvs-commit at gcc dot gnu.org
2021-02-17 15:40 ` dmalcolm at gcc dot gnu.org
