* [Bug analyzer/99064] New: [11 regression] ICE analyzer::print_mem_ref
From: dimhen at gmail dot com @ 2021-02-10 17:48 UTC (permalink / raw)
  To: gcc-bugs

https://gcc.gnu.org/bugzilla/show_bug.cgi?id=99064

            Bug ID: 99064
           Summary: [11 regression] ICE analyzer::print_mem_ref
           Product: gcc
           Version: 11.0
            Status: UNCONFIRMED
          Severity: normal
          Priority: P3
         Component: analyzer
          Assignee: dmalcolm at gcc dot gnu.org
          Reporter: dimhen at gmail dot com
  Target Milestone: ---

gcc version 11.0.0 20210104 (experimental) [master revision
7f2b7317566:9da1da01aec:39bd65faee3bafe2dc067e5fedb5079896551a8a] (GCC) 
r11-6442 PASS

gcc version 11.0.0 20210108 (experimental) [master revision
bdcde150450:e18dcf9fcae:b407f233d7c18534fbfe8f74af7f0232498fb0c4] (GCC)
r11-6550 FAIL

gcc version 11.0.0 20210210 (experimental) [master revision
bd0e37f68a3:deed5164277:72932511053596091ad291539022b51d9f2ba418] (GCC)
r11-7168 FAIL

$ cat x.ii
template <typename> struct iterator_traits;  // primary template is only declared; this reproducer defines just the pointer specialization below
template <typename _Tp> struct iterator_traits<_Tp *> {  // partial specialization for raw-pointer iterators
  typedef _Tp &reference;  // dereferencing a _Tp* yields a _Tp&
};
template <typename _Iterator> struct __normal_iterator {  // minimal iterator wrapper around a raw iterator (reduced from the library type of the same name)
  _Iterator _M_current;  // the wrapped iterator; a TPkcs11Token* for the instantiation used below
  __normal_iterator(_Iterator &__i) : _M_current(__i) {}  // wraps an existing iterator, taken by non-const reference
  typename iterator_traits<_Iterator>::reference operator*() {  // result type is supplied by iterator_traits<_Iterator>
    return *_M_current;
  }
};
template <typename> struct allocator;  // declared only; used purely as a type tag inside allocator_traits<allocator<_Tp>>
template <typename> struct allocator_traits;  // primary template, declared only
template <typename _Tp> struct allocator_traits<allocator<_Tp>> {  // partial specialization; `pointer` is the only member the reproducer needs
  using pointer = _Tp *;  // element pointer type (TPkcs11Token* once reached via __alloc_traits below)
};
struct TPkcs11Token;  // forward declaration; the struct is completed further down, after the container types that only need a pointer to it
struct __alloc_traits : allocator_traits<allocator<TPkcs11Token>> {};  // inherits `pointer` = TPkcs11Token*
struct _Vector_base {  // reduced vector storage: only the start pointer survives the reduction
  typedef __alloc_traits::pointer pointer;  // TPkcs11Token*
  struct {
    pointer _M_start;  // first element; the only field the reproducer reads
  } _M_impl;  // member of an anonymous struct type
};
struct : _Vector_base {  // unnamed struct type; its only instance is the global declared with it
  __normal_iterator<pointer> begin() { return _M_impl._M_start; }  // wraps _M_start via __normal_iterator's _Iterator& constructor
} list_tokens_token_list;  // static-storage global with no initializer, so _M_start is zero-initialized (null)
struct TPkcs11Token {  // completes the forward declaration above
  int *add_info;  // written by list_tokens(); never read anywhere in this reproducer
};
void list_tokens() {  // the function -fanalyzer was checking when it crashed (backtrace reports x.ii:34, the store below)
  for (__normal_iterator base = list_tokens_token_list.begin();;) {  // CTAD yields __normal_iterator<TPkcs11Token*>; no condition and no increment, so base never advances
    int *add_info = new int;  // fresh allocation on every iteration
    (*base).add_info = add_info;  // x.ii:34: overwrites the same element's pointer each time; this is the expression print_mem_ref was formatting when it segfaulted
  }
}
// cvise'd from private codebase

$ gcc_current/bin/g++ -fpreprocessed -O2 -fanalyzer -c x.ii
during IPA pass: analyzer
x.ii:34:22: internal compiler error: Segmentation fault
   34 |     (*base).add_info = add_info;
      |     ~~~~~~~~~~~~~~~~~^~~~~~~~~~
0x12baa3f crash_signal
        /home/dimhen/src/gcc_current/gcc/toplev.c:327
0xd7f150 print_mem_ref
        /home/dimhen/src/gcc_current/gcc/c-family/c-pretty-print.c:2006
0xb7b035 dump_expr
        /home/dimhen/src/gcc_current/gcc/cp/error.c:2367
0xb80640 expr_to_string(tree_node*)
        /home/dimhen/src/gcc_current/gcc/cp/error.c:3188
0xb80d7c cp_printer
        /home/dimhen/src/gcc_current/gcc/cp/error.c:4356
0x1f28c86 pp_format(pretty_printer*, text_info*)
        /home/dimhen/src/gcc_current/gcc/pretty-print.c:1475
0x16533cc ana::evdesc::event_desc::formatted_print(char const*, ...) const
        /home/dimhen/src/gcc_current/gcc/analyzer/pending-diagnostic.cc:64
0x1eb67a6 ana::warning_event::get_desc(bool) const
        /home/dimhen/src/gcc_current/gcc/analyzer/checker-path.cc:885
0x1eb60f2 ana::checker_event::prepare_for_emission(ana::checker_path*,
ana::pending_diagnostic*, diagnostic_event_id_t)
        /home/dimhen/src/gcc_current/gcc/analyzer/checker-path.cc:149
0x1ec64f3 ana::checker_path::prepare_for_emission(ana::pending_diagnostic*)
        /home/dimhen/src/gcc_current/gcc/analyzer/checker-path.h:559
0x1ec64f3 ana::diagnostic_manager::emit_saved_diagnostic(ana::exploded_graph
const&, ana::saved_diagnostic const&, ana::exploded_path const&, gimple const*,
int)
        /home/dimhen/src/gcc_current/gcc/analyzer/diagnostic-manager.cc:668
0x1ec8a80 ana::dedupe_winners::emit_best(ana::diagnostic_manager*,
ana::exploded_graph const&)
        /home/dimhen/src/gcc_current/gcc/analyzer/diagnostic-manager.cc:569
0x1ec68c8 ana::diagnostic_manager::emit_saved_diagnostics(ana::exploded_graph
const&)
        /home/dimhen/src/gcc_current/gcc/analyzer/diagnostic-manager.cc:622
0x1649d32 ana::impl_run_checkers(ana::logger*)
        /home/dimhen/src/gcc_current/gcc/analyzer/engine.cc:4744
0x164aafe ana::run_checkers()
        /home/dimhen/src/gcc_current/gcc/analyzer/engine.cc:4801
0x163d568 execute
        /home/dimhen/src/gcc_current/gcc/analyzer/analyzer-pass.cc:87
Please submit a full bug report,
with preprocessed source if appropriate.
Please include the complete backtrace with any bug report.
See <https://gcc.gnu.org/bugs/> for instructions.

$ gcc_current/bin/g++ -v                                   
Using built-in specs.
COLLECT_GCC=/home/dimhen/arch-gcc/gcc_current/bin/g++
COLLECT_LTO_WRAPPER=/home/dimhen/arch-gcc/gcc_current/libexec/gcc/x86_64-pc-linux-gnu/11.0.0/lto-wrapper
OFFLOAD_TARGET_NAMES=nvptx-none
Target: x86_64-pc-linux-gnu
Configured with: /home/dimhen/src/gcc_current/configure
--prefix=/home/dimhen/arch-gcc/gcc_current
--enable-checking=yes,df,fold,rtl,extra --enable-languages=c,c++,lto
--disable-multilib --enable-shared --enable-threads=posix --enable-__cxa_atexit
--enable-gnu-unique-object --enable-linker-build-id
--with-linker-hash-style=gnu --enable-plugin --enable-initfini-array --with-isl
--enable-offload-targets=nvptx-none --without-cuda-driver
--enable-gnu-indirect-function --enable-cet --with-tune=native
Thread model: posix
Supported LTO compression algorithms: zlib zstd
gcc version 11.0.0 20210210 (experimental) [master revision
bd0e37f68a3:deed5164277:72932511053596091ad291539022b51d9f2ba418] (GCC)


* [Bug analyzer/99064] [11 regression] ICE analyzer::print_mem_ref
From: dmalcolm at gcc dot gnu.org @ 2021-02-10 18:30 UTC (permalink / raw)
  To: gcc-bugs

https://gcc.gnu.org/bugzilla/show_bug.cgi?id=99064

David Malcolm <dmalcolm at gcc dot gnu.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
     Ever confirmed|0                           |1
             Status|UNCONFIRMED                 |ASSIGNED
   Last reconfirmed|                            |2021-02-10

--- Comment #1 from David Malcolm <dmalcolm at gcc dot gnu.org> ---
Thanks for filing this.

Confirmed.  Seems similar to PR analyzer/98969; not sure if a dup yet.


* [Bug analyzer/99064] [11 regression] ICE analyzer::print_mem_ref
From: dmalcolm at gcc dot gnu.org @ 2021-02-11  1:59 UTC (permalink / raw)
  To: gcc-bugs

https://gcc.gnu.org/bugzilla/show_bug.cgi?id=99064

David Malcolm <dmalcolm at gcc dot gnu.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
         Resolution|---                         |DUPLICATE
             Status|ASSIGNED                    |RESOLVED

--- Comment #2 from David Malcolm <dmalcolm at gcc dot gnu.org> ---
It is indeed a dup of bug 98969; am working on a fix for both.

*** This bug has been marked as a duplicate of bug 98969 ***


* [Bug analyzer/99064] [11 regression] ICE analyzer::print_mem_ref
From: cvs-commit at gcc dot gnu.org @ 2021-02-12  1:32 UTC (permalink / raw)
  To: gcc-bugs

https://gcc.gnu.org/bugzilla/show_bug.cgi?id=99064

--- Comment #3 from CVS Commits <cvs-commit at gcc dot gnu.org> ---
The master branch has been updated by David Malcolm <dmalcolm@gcc.gnu.org>:

https://gcc.gnu.org/g:467a48205279cab368dbeb02879bbbbe4b721516

commit r11-7202-g467a48205279cab368dbeb02879bbbbe4b721516
Author: David Malcolm <dmalcolm@redhat.com>
Date:   Thu Feb 11 20:31:28 2021 -0500

    analyzer: fix ICE in print_mem_ref [PR98969]

    PR analyzer/98969 and PR analyzer/99064 describes ICEs, in both cases
    within print_mem_ref, when falsely reporting memory leaks - though it
    is possible to generate the ICE on other diagnostics (which I added
    in one of the test cases).

    This patch fixes the ICE, leaving the fix for the leak false positives
    as followup work.

    The analyzer uses region_model::get_representative_path_var and
    region_model::get_representative_tree to map back from its svalue
    and region classes to the tree type used by the rest of the compiler,
    and, in particular, for diagnostics.

    The root cause of the ICE is sloppiness about types within those
    functions; specifically when casts were stripped off svalues.  To
    track these down I added wrapper functions that verify that the
    types of the results are correct, and in doing so found various
    other type-safety issues, which the patch also fixes.

    Doing so led to various changes in diagnostics messages due to
    more accurate types, but I felt that these changes weren't
    desirable.
    For example, the warning at CVE-2005-1689-minimal.c line 48
    which expects:
      double-'free' of 'inbuf.data'
    changed to
      double-'free' of '(char *)inbuf.data'

    So I added stripping of top-level casts where necessary to avoid
    cluttering diagnostics.

    Finally, the more accurate types led to worse results from
    readability_comparator, where e.g. the event message at line 50
    of sensitive-1.c regressed from the precise:
      passing sensitive value 'password' in call to 'called_by_test_5' from
'test_5'
    to the vaguer:
      calling 'called_by_test_5' from 'test_5'
    This was due to erroneously picking the initial value of "password"
    in the caller frame as the best value within the *callee* frame, due to
    "char *" vs "const char *", which confuses the logic for tracking values
    that pass along callgraph edges.  The patch fixes this by combining the
    readability tests for tree and stack depth, rather than performing
    them in sequence, so that it favors the value in the deepest frame.

    As noted above, the patch fixes the ICEs, but does not fix the
    leak false positives.

    gcc/analyzer/ChangeLog:
            PR analyzer/98969
            * engine.cc (readability): Add names for the various arbitrary
            values.  Handle NOP_EXPR and INTEGER_CST.
            (readability_comparator): Combine the readability tests for
            tree and stack depth, rather than performing them sequentially.
            (impl_region_model_context::on_state_leak): Strip off top-level
            casts.
            * region-model.cc (region_model::get_representative_path_var): Add
            type-checking, moving the bulk of the implementation to...
            (region_model::get_representative_path_var_1): ...here.  Respect
            types in casts by recursing and re-adding the cast, rather than
            merely stripping them off.  Use the correct type when handling
            region_svalue.
            (region_model::get_representative_tree): Strip off any top-level
            cast.
            (region_model::get_representative_path_var): Add type-checking,
            moving the bulk of the implementation to...
            (region_model::get_representative_path_var_1): ...here.
            * region-model.h (region_model::get_representative_path_var_1):
            New decl
            (region_model::get_representative_path_var_1): New decl.
            * store.cc (append_pathvar_with_type): New.
            (binding_cluster::get_representative_path_vars): Cast path_vars
            to the correct type when adding them to *OUT_PVS.

    gcc/testsuite/ChangeLog:
            PR analyzer/98969
            * g++.dg/analyzer/pr99064.C: New test.
            * gcc.dg/analyzer/pr98969.c: New test.

