public inbox for gcc-bugs@sourceware.org
* [Bug analyzer/99906] New: [11 Regression] ICE: SIGSEGV in maybe_reconstruct_from_def_stmt with -fanalyzer
@ 2021-04-04  8:40 zsojka at seznam dot cz
From: zsojka at seznam dot cz @ 2021-04-04  8:40 UTC (permalink / raw)
  To: gcc-bugs

https://gcc.gnu.org/bugzilla/show_bug.cgi?id=99906

            Bug ID: 99906
           Summary: [11 Regression] ICE: SIGSEGV in
                    maybe_reconstruct_from_def_stmt with -fanalyzer
           Product: gcc
           Version: 11.0
            Status: UNCONFIRMED
          Keywords: ice-on-valid-code
          Severity: normal
          Priority: P3
         Component: analyzer
          Assignee: dmalcolm at gcc dot gnu.org
          Reporter: zsojka at seznam dot cz
  Target Milestone: ---
              Host: x86_64-pc-linux-gnu

Created attachment 50505
  --> https://gcc.gnu.org/bugzilla/attachment.cgi?id=50505&action=edit
reduced testcase

Compiler output:
$ x86_64-pc-linux-gnu-gcc -fanalyzer testcase.c -wrapper valgrind,-q         
==16921== Invalid read of size 4
==16921==    at 0xA0DEF7: operator[] (vec.h:890)
==16921==    by 0xA0DEF7: operator[] (vec.h:1461)
==16921==    by 0xA0DEF7: maybe_reconstruct_from_def_stmt (analyzer.cc:151)
==16921==    by 0xA0DEF7: ana::fixup_tree_for_diagnostic_1(tree_node*,
hash_set<tree_node*, false, default_hash_traits<tree_node*> >*) [clone .part.0]
[clone .cold] (analyzer.cc:168)
==16921==    by 0x1CBE732: fixup_tree_for_diagnostic_1 (analyzer.cc:189)
==16921==    by 0x1CBE732: ana::fixup_tree_for_diagnostic(tree_node*)
(analyzer.cc:188)
==16921==    by 0x140E497:
ana::region_model::get_representative_tree(ana::svalue const*) const
(region-model.cc:2330)
==16921==    by 0x13F7A54:
ana::impl_sm_context::get_diagnostic_tree(tree_node*) (engine.cc:314)
==16921==    by 0x1435056: ana::(anonymous
namespace)::malloc_state_machine::on_stmt(ana::sm_context*, ana::supernode
const*, gimple const*) const (sm-malloc.cc:1603)
==16921==    by 0x13F1448: ana::exploded_node::on_stmt(ana::exploded_graph&,
ana::supernode const*, gimple const*, ana::program_state*) (engine.cc:1271)
==16921==    by 0x13F3729:
ana::exploded_graph::process_node(ana::exploded_node*) (engine.cc:3016)
==16921==    by 0x13F40EA: ana::exploded_graph::process_worklist()
(engine.cc:2641)
==16921==    by 0x13F6225: ana::impl_run_checkers(ana::logger*)
(engine.cc:4851)
==16921==    by 0x13F70B3: ana::run_checkers() (engine.cc:4922)
==16921==    by 0x13E8CA8: (anonymous
namespace)::pass_analyzer::execute(function*) (analyzer-pass.cc:87)
==16921==    by 0xF62CAC: execute_one_pass(opt_pass*) (passes.c:2567)
==16921==  Address 0x4 is not stack'd, malloc'd or (recently) free'd
==16921== 
during IPA pass: analyzer
testcase.c: In function 'foo':
testcase.c:3:18: internal compiler error: Segmentation fault
    3 | void foo(void) { bar(baz()); }
      |                  ^~~~~~~~~~
0x105dd0f crash_signal
        /repo/gcc-trunk/gcc/toplev.c:327
0xa0def7 vec<tree_node*, va_heap, vl_embed>::operator[](unsigned int)
        /repo/gcc-trunk/gcc/vec.h:890
0xa0def7 vec<tree_node*, va_heap, vl_ptr>::operator[](unsigned int)
        /repo/gcc-trunk/gcc/vec.h:1461
0xa0def7 maybe_reconstruct_from_def_stmt
        /repo/gcc-trunk/gcc/analyzer/analyzer.cc:151
0xa0def7 fixup_tree_for_diagnostic_1
        /repo/gcc-trunk/gcc/analyzer/analyzer.cc:168
0x1cbe732 fixup_tree_for_diagnostic_1
        /repo/gcc-trunk/gcc/analyzer/analyzer.cc:189
0x1cbe732 ana::fixup_tree_for_diagnostic(tree_node*)
        /repo/gcc-trunk/gcc/analyzer/analyzer.cc:188
0x140e497 ana::region_model::get_representative_tree(ana::svalue const*) const
        /repo/gcc-trunk/gcc/analyzer/region-model.cc:2330
0x13f7a54 ana::impl_sm_context::get_diagnostic_tree(tree_node*)
        /repo/gcc-trunk/gcc/analyzer/engine.cc:314
0x1435056 on_stmt
        /repo/gcc-trunk/gcc/analyzer/sm-malloc.cc:1603
0x13f1448 ana::exploded_node::on_stmt(ana::exploded_graph&, ana::supernode
const*, gimple const*, ana::program_state*)
        /repo/gcc-trunk/gcc/analyzer/engine.cc:1271
0x13f3729 ana::exploded_graph::process_node(ana::exploded_node*)
        /repo/gcc-trunk/gcc/analyzer/engine.cc:3016
0x13f40ea ana::exploded_graph::process_worklist()
        /repo/gcc-trunk/gcc/analyzer/engine.cc:2641
0x13f6225 ana::impl_run_checkers(ana::logger*)
        /repo/gcc-trunk/gcc/analyzer/engine.cc:4851
0x13f70b3 ana::run_checkers()
        /repo/gcc-trunk/gcc/analyzer/engine.cc:4922
0x13e8ca8 execute
        /repo/gcc-trunk/gcc/analyzer/analyzer-pass.cc:87
Please submit a full bug report,
with preprocessed source if appropriate.
Please include the complete backtrace with any bug report.
See <https://gcc.gnu.org/bugs/> for instructions.

$ x86_64-pc-linux-gnu-gcc -v
Using built-in specs.
COLLECT_GCC=/repo/gcc-trunk/binary-latest/bin/x86_64-pc-linux-gnu-gcc
COLLECT_LTO_WRAPPER=/repo/gcc-trunk/binary-trunk-r11-7980-20210403205900-gc3d3bb0f03d-checking-yes-rtl-df-extra-amd64/bin/../libexec/gcc/x86_64-pc-linux-gnu/11.0.1/lto-wrapper
Target: x86_64-pc-linux-gnu
Configured with: /repo/gcc-trunk//configure --enable-languages=c,c++
--enable-valgrind-annotations --disable-nls --enable-checking=yes,rtl,df,extra
--with-cloog --with-ppl --with-isl --build=x86_64-pc-linux-gnu
--host=x86_64-pc-linux-gnu --target=x86_64-pc-linux-gnu
--with-ld=/usr/bin/x86_64-pc-linux-gnu-ld
--with-as=/usr/bin/x86_64-pc-linux-gnu-as --disable-libstdcxx-pch
--prefix=/repo/gcc-trunk//binary-trunk-r11-7980-20210403205900-gc3d3bb0f03d-checking-yes-rtl-df-extra-amd64
Thread model: posix
Supported LTO compression algorithms: zlib zstd
gcc version 11.0.1 20210404 (experimental) (GCC)


* [Bug analyzer/99906] [11 Regression] ICE: SIGSEGV in maybe_reconstruct_from_def_stmt with -fanalyzer
@ 2021-04-04 15:21 ` dmalcolm at gcc dot gnu.org
From: dmalcolm at gcc dot gnu.org @ 2021-04-04 15:21 UTC (permalink / raw)
  To: gcc-bugs

https://gcc.gnu.org/bugzilla/show_bug.cgi?id=99906

David Malcolm <dmalcolm at gcc dot gnu.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|UNCONFIRMED                 |ASSIGNED
     Ever confirmed|0                           |1
   Last reconfirmed|                            |2021-04-04

--- Comment #1 from David Malcolm <dmalcolm at gcc dot gnu.org> ---
Thanks for filing this.

Confirmed.  Looks like I didn't consider the case of a function call with no
arguments.


* [Bug analyzer/99906] [11 Regression] ICE: SIGSEGV in maybe_reconstruct_from_def_stmt with -fanalyzer
@ 2021-04-04 16:44 ` dmalcolm at gcc dot gnu.org
From: dmalcolm at gcc dot gnu.org @ 2021-04-04 16:44 UTC (permalink / raw)
  To: gcc-bugs

https://gcc.gnu.org/bugzilla/show_bug.cgi?id=99906

--- Comment #2 from David Malcolm <dmalcolm at gcc dot gnu.org> ---
Testing a fix.


* [Bug analyzer/99906] [11 Regression] ICE: SIGSEGV in maybe_reconstruct_from_def_stmt with -fanalyzer
@ 2021-04-05 14:52 ` cvs-commit at gcc dot gnu.org
From: cvs-commit at gcc dot gnu.org @ 2021-04-05 14:52 UTC (permalink / raw)
  To: gcc-bugs

https://gcc.gnu.org/bugzilla/show_bug.cgi?id=99906

--- Comment #3 from CVS Commits <cvs-commit at gcc dot gnu.org> ---
The master branch has been updated by David Malcolm <dmalcolm@gcc.gnu.org>:

https://gcc.gnu.org/g:7d8f4240c94e2e7643ac13cda1fdd0bb6ca3a3fb

commit r11-7988-g7d8f4240c94e2e7643ac13cda1fdd0bb6ca3a3fb
Author: David Malcolm <dmalcolm@redhat.com>
Date:   Mon Apr 5 10:51:46 2021 -0400

    analyzer: fix ICE on zero-arg calls passed to __attribute__((nonnull)) [PR 99906]

    gcc/analyzer/ChangeLog:
            PR analyzer/99906
            * analyzer.cc (maybe_reconstruct_from_def_stmt): Fix NULL
            dereference on calls with zero arguments.
            * sm-malloc.cc (malloc_state_machine::on_stmt): When handling
            __attribute__((nonnull)), only call get_diagnostic_tree if the
            result will be used.

    gcc/testsuite/ChangeLog:
            PR analyzer/99906
            * gcc.dg/analyzer/pr99906.c: New test.

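An added illustration of the crash class the commit message names (a constructed model in C, not GCC's vec or analyzer code): a length-prefixed heap vector is a NULL handle while it is empty, so taking the address of element 0 through a checked index reads the length field at offset 4 of NULL, matching the "Address 0x4" valgrind reported above, whereas the safe accessor hands a zero-argument call an empty array that the consumer never touches.

```c
/* Constructed model of the failure behind PR 99906; not GCC's own code.
   A length-prefixed heap vector is a NULL handle while empty, so a
   bounds check that reads the length field through that handle faults
   at address 0 + 4: the "Address 0x4" in the valgrind report above. */
#include <assert.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
struct tree_vec {
    unsigned alloc;       /* offset 0 */
    unsigned num;         /* offset 4: read by the checked index operator */
    const char *data[];   /* argument "trees", modelled here as strings */
};

/* Room for n elements, or NULL when n == 0, like a vector reserved for a
   zero-argument call that never receives a push. */
static struct tree_vec *vec_reserve(unsigned n) {
    if (n == 0) return NULL;
    struct tree_vec *v = malloc(sizeof *v + n * sizeof *v->data);
    if (!v) abort();
    v->alloc = n; v->num = 0;
    return v;
}

static void vec_push(struct tree_vec *v, const char *elt) {
    assert(v && v->num < v->alloc);
    v->data[v->num++] = elt;
}

/* Buggy way to obtain the argument array, "&args[0]": the bounds check
   reads v->num, a NULL dereference when the vector is empty. */
static const char **args_via_index0(struct tree_vec *v) {
    assert(0 < v->num);
    return &v->data[0];
}

/* Safe way: an empty vector yields a NULL array, which a consumer that
   loops over nargs never touches when nargs == 0. */
static const char **args_address(struct tree_vec *v) {
    return v ? v->data : NULL;
}

/* Rebuild "fn(a, b)" for a diagnostic; returns the number of characters. */
static int reconstruct_call(char *out, size_t cap, const char *fn,
                            unsigned nargs, const char **args) {
    int len = snprintf(out, cap, "%s(", fn);
    for (unsigned i = 0; i < nargs; i++)
        len += snprintf(out + len, cap - len, "%s%s", i ? ", " : "", args[i]);
    return len + snprintf(out + len, cap - len, ")");
}
```

Calling args_via_index0 on the NULL handle returned for a zero-argument call is the modelled crash; args_address is the form that survives it.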

* [Bug analyzer/99906] [11 Regression] ICE: SIGSEGV in maybe_reconstruct_from_def_stmt with -fanalyzer
@ 2021-04-05 14:53 ` dmalcolm at gcc dot gnu.org
From: dmalcolm at gcc dot gnu.org @ 2021-04-05 14:53 UTC (permalink / raw)
  To: gcc-bugs

https://gcc.gnu.org/bugzilla/show_bug.cgi?id=99906

David Malcolm <dmalcolm at gcc dot gnu.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|ASSIGNED                    |RESOLVED
         Resolution|---                         |FIXED

--- Comment #4 from David Malcolm <dmalcolm at gcc dot gnu.org> ---
Should be fixed by the above patch.

