public inbox for gcc-patches@gcc.gnu.org
* [PATCH] analyzer: fix ICE on NULL change.m_expr [PR100244]
@ 2021-04-24 23:57 David Malcolm
  2021-04-26  6:49 ` Richard Biener
  0 siblings, 1 reply; 2+ messages in thread
From: David Malcolm @ 2021-04-24 23:57 UTC (permalink / raw)
  To: gcc-patches, jakub, Richard Biener

PR analyzer/100244 reports an ICE on a -Wanalyzer-free-of-non-heap
due to a case where free_of_non_heap::describe_state_change can be
passed a NULL change.m_expr for a suitably complicated symbolic value.

Bulletproof it by checking for change.m_expr being NULL before
dereferencing it.

Successfully bootstrapped & regrtested on x86_64-pc-linux-gnu.
Pushed to trunk for gcc 12 as
r12-108-g61bfff562e3b6091d5a0a412a7d496bd523868a8.

This ICE is technically a regression for gcc 11.
The fix is trivial and confined to the analyzer.

OK to push to gcc 11 branch?

gcc/analyzer/ChangeLog:
	PR analyzer/100244
	* sm-malloc.cc (free_of_non_heap::describe_state_change):
	Bulletproof against change.m_expr being NULL.

gcc/testsuite/ChangeLog:
	PR analyzer/100244
	* g++.dg/analyzer/pr100244.C: New test.
---
 gcc/analyzer/sm-malloc.cc                |  2 +-
 gcc/testsuite/g++.dg/analyzer/pr100244.C | 22 ++++++++++++++++++++++
 2 files changed, 23 insertions(+), 1 deletion(-)
 create mode 100644 gcc/testsuite/g++.dg/analyzer/pr100244.C

diff --git a/gcc/analyzer/sm-malloc.cc b/gcc/analyzer/sm-malloc.cc
index 1d5b8601b1f..f02b73ab90a 100644
--- a/gcc/analyzer/sm-malloc.cc
+++ b/gcc/analyzer/sm-malloc.cc
@@ -1303,7 +1303,7 @@ public:
   {
     /* Attempt to reconstruct what kind of pointer it is.
        (It seems neater for this to be a part of the state, though).  */
-    if (TREE_CODE (change.m_expr) == SSA_NAME)
+    if (change.m_expr && TREE_CODE (change.m_expr) == SSA_NAME)
       {
 	gimple *def_stmt = SSA_NAME_DEF_STMT (change.m_expr);
 	if (gcall *call = dyn_cast <gcall *> (def_stmt))
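Review bot: the guard added to the `if` is correct, but nothing in the hunk records when change.m_expr can be NULL, so the comment above it (`Attempt to reconstruct what kind of pointer it is.`) should say that m_expr is NULL when the state change is on a symbolic value with no tree to describe (the case the commit message gives), otherwise a later cleanup may drop the check as redundant. The same condition also protects the `SSA_NAME_DEF_STMT (change.m_expr)` use on the following line, which is why the whole block, not just the TREE_CODE test, has to sit under it.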
diff --git a/gcc/testsuite/g++.dg/analyzer/pr100244.C b/gcc/testsuite/g++.dg/analyzer/pr100244.C
new file mode 100644
index 00000000000..261b3cfff57
--- /dev/null
+++ b/gcc/testsuite/g++.dg/analyzer/pr100244.C
@@ -0,0 +1,22 @@
+// { dg-additional-options "-O1 -Wno-free-nonheap-object" }
+
+inline void *operator new (__SIZE_TYPE__, void *__p) { return __p; }
+
+struct __aligned_buffer {
+  int _M_storage;
+  int *_M_addr() { return &_M_storage; }
+};
+
+struct _Hashtable_alloc {
+  int _M_single_bucket;
+  int *_M_buckets;
+  _Hashtable_alloc () { _M_buckets = &_M_single_bucket; }
+  ~_Hashtable_alloc () { delete _M_buckets; } // { dg-warning "not on the heap" }
+};
+
+void
+test01 (__aligned_buffer buf)
+{
+  _Hashtable_alloc *tmp = new (buf._M_addr ()) _Hashtable_alloc;
+  tmp->~_Hashtable_alloc ();
+}
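Review bot: the test carries no header comment naming PR analyzer/100244 or explaining its options; a first line `// PR analyzer/100244` plus a note that `-Wno-free-nonheap-object` silences the middle-end's own -Wfree-nonheap-object diagnostic on the `delete _M_buckets;` line, so that line produces only the analyzer's "not on the heap" warning and no excess diagnostic, would help whoever bisects this later. It is also worth a comment that `test01` takes `__aligned_buffer buf` by value and placement-news `_Hashtable_alloc` into it, so the `_M_single_bucket` being deleted lives inside a by-value parameter: that is what makes the storage non-heap and what the dg-warning is checking.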
-- 
2.26.3
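
An added example, not code from the patch, from GCC or from any library: the diagnostic named in the commit message above, -Wanalyzer-free-of-non-heap, fires in the new test because the destructor hands `delete` a pointer into the object's own inline bucket. The sketch below shows the guard that a small-buffer design of that shape needs, releasing the bucket array only when it no longer points at the inline member. The type name, the `rehash`/`release_buckets` interface and the sizes are invented for illustration.

```cpp
#include <cstddef>

// Added example (not from the patch or from libstdc++): a bucket array with an
// inline "single bucket", the shape the reduced test case sketches.  While the
// table is small, `buckets` points at a member of the object itself, so passing
// it to delete[] would free non-heap memory, which is exactly what
// -Wanalyzer-free-of-non-heap reports for the test's `delete _M_buckets;`.
struct SingleBucketTable {
  int single_bucket = 0;
  int *buckets = &single_bucket;   // not heap-allocated while small
  std::size_t n_buckets = 1;

  SingleBucketTable() = default;
  // A shallow copy would leave `buckets` pointing into another object, and the
  // copy's destructor would then delete[] storage it does not own.
  SingleBucketTable(const SingleBucketTable &) = delete;
  SingleBucketTable &operator=(const SingleBucketTable &) = delete;
  ~SingleBucketTable() { release_buckets(); }

  bool uses_single_bucket() const { return buckets == &single_bucket; }

  // Grow the table onto the heap; any previous heap array is released first.
  void rehash(std::size_t n) {
    int *fresh = new int[n]();
    release_buckets();
    buckets = fresh;
    n_buckets = n;
  }

  // The check the destructor in the test case lacks: delete[] only what came
  // from new[]; the inline bucket is part of *this and must never be freed.
  void release_buckets() {
    if (!uses_single_bucket())
      delete[] buckets;
    buckets = &single_bucket;
    n_buckets = 1;
  }
};

// Drive the table through both states and report whether the invariants hold.
bool exercise_table() {
  SingleBucketTable t;
  if (!t.uses_single_bucket() || t.n_buckets != 1) return false;
  t.release_buckets();              // safe: nothing on the heap yet
  if (!t.uses_single_bucket()) return false;
  t.rehash(8);
  if (t.uses_single_bucket() || t.n_buckets != 8) return false;
  t.buckets[7] = 42;
  t.release_buckets();              // frees the heap array, falls back inline
  return t.uses_single_bucket() && t.n_buckets == 1;
}  // t's destructor runs release_buckets() once more; still nothing to free

int main() { return exercise_table() ? 0 : 1; }
```

Compiled with `g++ -fanalyzer`, the guarded `release_buckets` gives the analyzer a path on which the pointer handed to delete[] is always the heap array, which is the condition the unconditional `delete` in the test case fails to establish.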



* Re: [PATCH] analyzer: fix ICE on NULL change.m_expr [PR100244]
  2021-04-24 23:57 [PATCH] analyzer: fix ICE on NULL change.m_expr [PR100244] David Malcolm
@ 2021-04-26  6:49 ` Richard Biener
  0 siblings, 0 replies; 2+ messages in thread
From: Richard Biener @ 2021-04-26  6:49 UTC (permalink / raw)
  To: David Malcolm; +Cc: gcc-patches, jakub

On Sat, 24 Apr 2021, David Malcolm wrote:

> PR analyzer/100244 reports an ICE on a -Wanalyzer-free-of-non-heap
> due to a case where free_of_non_heap::describe_state_change can be
> passed a NULL change.m_expr for a suitably complicated symbolic value.
> 
> Bulletproof it by checking for change.m_expr being NULL before
> dereferencing it.
> 
> Successfully bootstrapped & regrtested on x86_64-pc-linux-gnu.
> Pushed to trunk for gcc 12 as
> r12-108-g61bfff562e3b6091d5a0a412a7d496bd523868a8.
> 
> This ICE is technically a regression for gcc 11.
> The fix is trivial and confined to the analyzer.
> 
> OK to push to gcc 11 branch?

OK after the 11.1 release.

Richard.

> gcc/analyzer/ChangeLog:
> 	PR analyzer/100244
> 	* sm-malloc.cc (free_of_non_heap::describe_state_change):
> 	Bulletproof against change.m_expr being NULL.
> 
> gcc/testsuite/ChangeLog:
> 	PR analyzer/100244
> 	* g++.dg/analyzer/pr100244.C: New test.
> ---
>  gcc/analyzer/sm-malloc.cc                |  2 +-
>  gcc/testsuite/g++.dg/analyzer/pr100244.C | 22 ++++++++++++++++++++++
>  2 files changed, 23 insertions(+), 1 deletion(-)
>  create mode 100644 gcc/testsuite/g++.dg/analyzer/pr100244.C
> 
> diff --git a/gcc/analyzer/sm-malloc.cc b/gcc/analyzer/sm-malloc.cc
> index 1d5b8601b1f..f02b73ab90a 100644
> --- a/gcc/analyzer/sm-malloc.cc
> +++ b/gcc/analyzer/sm-malloc.cc
> @@ -1303,7 +1303,7 @@ public:
>    {
>      /* Attempt to reconstruct what kind of pointer it is.
>         (It seems neater for this to be a part of the state, though).  */
> -    if (TREE_CODE (change.m_expr) == SSA_NAME)
> +    if (change.m_expr && TREE_CODE (change.m_expr) == SSA_NAME)
>        {
>  	gimple *def_stmt = SSA_NAME_DEF_STMT (change.m_expr);
>  	if (gcall *call = dyn_cast <gcall *> (def_stmt))
> diff --git a/gcc/testsuite/g++.dg/analyzer/pr100244.C b/gcc/testsuite/g++.dg/analyzer/pr100244.C
> new file mode 100644
> index 00000000000..261b3cfff57
> --- /dev/null
> +++ b/gcc/testsuite/g++.dg/analyzer/pr100244.C
> @@ -0,0 +1,22 @@
> +// { dg-additional-options "-O1 -Wno-free-nonheap-object" }
> +
> +inline void *operator new (__SIZE_TYPE__, void *__p) { return __p; }
> +
> +struct __aligned_buffer {
> +  int _M_storage;
> +  int *_M_addr() { return &_M_storage; }
> +};
> +
> +struct _Hashtable_alloc {
> +  int _M_single_bucket;
> +  int *_M_buckets;
> +  _Hashtable_alloc () { _M_buckets = &_M_single_bucket; }
> +  ~_Hashtable_alloc () { delete _M_buckets; } // { dg-warning "not on the heap" }
> +};
> +
> +void
> +test01 (__aligned_buffer buf)
> +{
> +  _Hashtable_alloc *tmp = new (buf._M_addr ()) _Hashtable_alloc;
> +  tmp->~_Hashtable_alloc ();
> +}
> 

-- 
Richard Biener <rguenther@suse.de>
SUSE Software Solutions Germany GmbH, Maxfeldstrasse 5, 90409 Nuernberg,
Germany; GF: Felix Imendörffer; HRB 36809 (AG Nuernberg)
