From: David Malcolm
To: gcc-patches@gcc.gnu.org
Subject: [committed] analyzer: fix ICE on escaped unknown pointers [PR96611]
Date: Fri, 14 Aug 2020 16:59:33 -0400
Message-Id: <20200814205933.18278-1-dmalcolm@redhat.com>

PR analyzer/96611 reports an ICE within the handling for unknown functions, when passing a pointer to something accessed via a global pointer, after an unknown function has already been called.

The first unknown function leads to the store being flagged, so the access to the global pointer leads to (*unknown_svalue) for the base region of the argument to the 2nd function, and thus *unknown_svalue being reachable by the 2nd unknown function, triggering an assertion failure.

Handle this case by rejecting attempts to get a cluster for the unknown pointer, fixing the ICE.

Successfully bootstrapped & regrtested on x86_64-pc-linux-gnu.
Pushed to master as r11-2707-gee88b536069db8f870c444c441182a9c76ec5bba.

gcc/analyzer/ChangeLog:
	PR analyzer/96611
	* store.cc (store::mark_as_escaped): Reject attempts to get a
	cluster for an unknown pointer.

gcc/testsuite/ChangeLog:
	PR analyzer/96611
	* gcc.dg/analyzer/pr96611.c: New test.
--- gcc/analyzer/store.cc | 3 +++ gcc/testsuite/gcc.dg/analyzer/pr96611.c | 14 ++++++++++++++ 2 files changed, 17 insertions(+) create mode 100644 gcc/testsuite/gcc.dg/analyzer/pr96611.c diff --git a/gcc/analyzer/store.cc b/gcc/analyzer/store.cc index 5fef27c8bd2..950a7784542 100644 --- a/gcc/analyzer/store.cc +++ b/gcc/analyzer/store.cc @@ -1691,6 +1691,9 @@ store::mark_as_escaped (const region *base_reg) gcc_assert (base_reg); gcc_assert (base_reg->get_base_region () == base_reg); + if (base_reg->symbolic_for_unknown_ptr_p ()) + return; + binding_cluster *cluster = get_or_create_cluster (base_reg); cluster->mark_as_escaped (); } diff --git a/gcc/testsuite/gcc.dg/analyzer/pr96611.c b/gcc/testsuite/gcc.dg/analyzer/pr96611.c new file mode 100644 index 00000000000..4f7502361cb --- /dev/null +++ b/gcc/testsuite/gcc.dg/analyzer/pr96611.c @@ -0,0 +1,14 @@ +struct s { int a; } *ptr; +void unknown_int_ptr (int *); +void unknown_void (void); + +void test_1 () +{ + unknown_int_ptr (&ptr->a); +} + +void test_2 () +{ + unknown_void (); + unknown_int_ptr (&ptr->a); +} -- 2.26.2
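Review bot: the early return added to store::mark_as_escaped in the store.cc hunk carries no comment, so the reason a region that is symbolic for an unknown pointer must not get a cluster (the reachability assertion described in the commit message) lives only in the mail, not in the code. Suggest a short comment above the check, for example "/* An unknown pointer already stands for everything it could reach; creating a cluster for it trips the reachability assert (PR 96611).  */". It is also worth asking whether the guard belongs inside get_or_create_cluster, so that any other caller handing it such a region is covered by the same check rather than relying on each call site to test symbolic_for_unknown_ptr_p first.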
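Review bot: the new pr96611.c carries no comment saying what it checks, and test_1 and test_2 differ only by the preceding unknown_void () call, so a reader cannot tell from the file that test_2 is the case that ICEd (escape of &ptr->a after an earlier unknown call) and test_1 the control. Suggest a one-line comment at the top naming the PR and noting that the test only verifies the analyzer no longer ICEs, so the absence of any dg-warning or dg-bogus directives is intentional.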