[PATCH] analyzer: fix ICE on NULL change.m_expr [PR100244]

[PATCH] analyzer: fix ICE on NULL change.m_expr [PR100244]

[David Malcolm]

PR analyzer/100244 reports an ICE on a -Wanalyzer-free-of-non-heap
due to a case where free_of_non_heap::describe_state_change can be
passed a NULL change.m_expr for a suitably complicated symbolic value.

Bulletproof it by checking for change.m_expr being NULL before
dereferencing it.

Successfully bootstrapped & regrtested on x86_64-pc-linux-gnu.
Pushed to trunk for gcc 12 as
r12-108-g61bfff562e3b6091d5a0a412a7d496bd523868a8.

This ICE is technically a regression for gcc 11.
The fix is trivial and confined to the analyzer.

OK to push to gcc 11 branch?

gcc/analyzer/ChangeLog:
	PR analyzer/100244
	* sm-malloc.cc (free_of_non_heap::describe_state_change):
	Bulletproof against change.m_expr being NULL.

gcc/testsuite/ChangeLog:
	PR analyzer/100244
	* g++.dg/analyzer/pr100244.C: New test.
---
 gcc/analyzer/sm-malloc.cc                |  2 +-
 gcc/testsuite/g++.dg/analyzer/pr100244.C | 22 ++++++++++++++++++++++
 2 files changed, 23 insertions(+), 1 deletion(-)
 create mode 100644 gcc/testsuite/g++.dg/analyzer/pr100244.C

diff --git a/gcc/analyzer/sm-malloc.cc b/gcc/analyzer/sm-malloc.cc
index 1d5b8601b1f..f02b73ab90a 100644
--- a/gcc/analyzer/sm-malloc.cc
+++ b/gcc/analyzer/sm-malloc.cc
@@ -1303,7 +1303,7 @@ public:
   {
     /* Attempt to reconstruct what kind of pointer it is.
        (It seems neater for this to be a part of the state, though).  */
-    if (TREE_CODE (change.m_expr) == SSA_NAME)
+    if (change.m_expr && TREE_CODE (change.m_expr) == SSA_NAME)
       {
 	gimple *def_stmt = SSA_NAME_DEF_STMT (change.m_expr);
 	if (gcall *call = dyn_cast <gcall *> (def_stmt))
diff --git a/gcc/testsuite/g++.dg/analyzer/pr100244.C b/gcc/testsuite/g++.dg/analyzer/pr100244.C
new file mode 100644
index 00000000000..261b3cfff57
--- /dev/null
+++ b/gcc/testsuite/g++.dg/analyzer/pr100244.C
@@ -0,0 +1,22 @@
+// { dg-additional-options "-O1 -Wno-free-nonheap-object" }
+
+inline void *operator new (__SIZE_TYPE__, void *__p) { return __p; }
+
+struct __aligned_buffer {
+  int _M_storage;
+  int *_M_addr() { return &_M_storage; }
+};
+
+struct _Hashtable_alloc {
+  int _M_single_bucket;
+  int *_M_buckets;
+  _Hashtable_alloc () { _M_buckets = &_M_single_bucket; }
+  ~_Hashtable_alloc () { delete _M_buckets; } // { dg-warning "not on the heap" }
+};
+
+void
+test01 (__aligned_buffer buf)
+{
+  _Hashtable_alloc *tmp = new (buf._M_addr ()) _Hashtable_alloc;
+  tmp->~_Hashtable_alloc ();
+}
-- 
2.26.3

Re: [PATCH] analyzer: fix ICE on NULL change.m_expr [PR100244]

[Richard Biener]

On Sat, 24 Apr 2021, David Malcolm wrote:

> PR analyzer/100244 reports an ICE on a -Wanalyzer-free-of-non-heap
> due to a case where free_of_non_heap::describe_state_change can be
> passed a NULL change.m_expr for a suitably complicated symbolic value.
> 
> Bulletproof it by checking for change.m_expr being NULL before
> dereferencing it.
> 
> Successfully bootstrapped & regrtested on x86_64-pc-linux-gnu.
> Pushed to trunk for gcc 12 as
> r12-108-g61bfff562e3b6091d5a0a412a7d496bd523868a8.
> 
> This ICE is technically a regression for gcc 11.
> The fix is trivial and confined to the analyzer.
> 
> OK to push to gcc 11 branch?

OK after the 11.1 release.

Richard.

> gcc/analyzer/ChangeLog:
> 	PR analyzer/100244
> 	* sm-malloc.cc (free_of_non_heap::describe_state_change):
> 	Bulletproof against change.m_expr being NULL.
> 
> gcc/testsuite/ChangeLog:
> 	PR analyzer/100244
> 	* g++.dg/analyzer/pr100244.C: New test.
> ---
>  gcc/analyzer/sm-malloc.cc                |  2 +-
>  gcc/testsuite/g++.dg/analyzer/pr100244.C | 22 ++++++++++++++++++++++
>  2 files changed, 23 insertions(+), 1 deletion(-)
>  create mode 100644 gcc/testsuite/g++.dg/analyzer/pr100244.C
> 
> diff --git a/gcc/analyzer/sm-malloc.cc b/gcc/analyzer/sm-malloc.cc
> index 1d5b8601b1f..f02b73ab90a 100644
> --- a/gcc/analyzer/sm-malloc.cc
> +++ b/gcc/analyzer/sm-malloc.cc
> @@ -1303,7 +1303,7 @@ public:
>    {
>      /* Attempt to reconstruct what kind of pointer it is.
>         (It seems neater for this to be a part of the state, though).  */
> -    if (TREE_CODE (change.m_expr) == SSA_NAME)
> +    if (change.m_expr && TREE_CODE (change.m_expr) == SSA_NAME)
>        {
>  	gimple *def_stmt = SSA_NAME_DEF_STMT (change.m_expr);
>  	if (gcall *call = dyn_cast <gcall *> (def_stmt))
> diff --git a/gcc/testsuite/g++.dg/analyzer/pr100244.C b/gcc/testsuite/g++.dg/analyzer/pr100244.C
> new file mode 100644
> index 00000000000..261b3cfff57
> --- /dev/null
> +++ b/gcc/testsuite/g++.dg/analyzer/pr100244.C
> @@ -0,0 +1,22 @@
> +// { dg-additional-options "-O1 -Wno-free-nonheap-object" }
> +
> +inline void *operator new (__SIZE_TYPE__, void *__p) { return __p; }
> +
> +struct __aligned_buffer {
> +  int _M_storage;
> +  int *_M_addr() { return &_M_storage; }
> +};
> +
> +struct _Hashtable_alloc {
> +  int _M_single_bucket;
> +  int *_M_buckets;
> +  _Hashtable_alloc () { _M_buckets = &_M_single_bucket; }
> +  ~_Hashtable_alloc () { delete _M_buckets; } // { dg-warning "not on the heap" }
> +};
> +
> +void
> +test01 (__aligned_buffer buf)
> +{
> +  _Hashtable_alloc *tmp = new (buf._M_addr ()) _Hashtable_alloc;
> +  tmp->~_Hashtable_alloc ();
> +}
> 

-- 
Richard Biener <rguenther@suse.de>
SUSE Software Solutions Germany GmbH, Maxfeldstrasse 5, 90409 Nuernberg,
Germany; GF: Felix Imendörffer; HRB 36809 (AG Nuernberg)