From patchwork Tue Feb 11 18:43:15 2020
X-Patchwork-Submitter: David Malcolm
X-Patchwork-Id: 1236432
From: David Malcolm
To: gcc-patches@gcc.gnu.org
Cc: David Malcolm
Subject: [committed] analyzer: fix ICE due to missing state_change purging (PR 93374)
Date: Tue, 11 Feb 2020 13:43:15 -0500
Message-Id: <20200211184315.5538-1-dmalcolm@redhat.com>

PR analyzer/93374 reports an ICE within state_change::validate due to an m_new_sid in a recorded state-change being out of range of the svalues of the region_model of the new state.

During get_or_create_node we attempt to merge the new state with the state of each of the existing enodes at the program point (in the absence of sm-state differences), simplifying the state at each attempt, and potentially reusing a node if we get a match. This state-merging invalidates any svalue_ids within any state_change object.

The root cause is that, although the code was purging any such svalue_ids for the case where no match was found during merging, it was failing to purge them for the case where a matching enode *was* found for the merged state, leading to an invalid state_change along the exploded_edge to the reused enode.

This patch moves the invalidation code to cover both cases, fixing the ICE. It also extends state_change validation so that states are also checked.

Successfully bootstrapped & regrtested on x86_64-pc-linux-gnu.
Pushed to master as r10-6582-ga60d98890bba58649c26c2fc0c6f28cd6073aaaf.

gcc/analyzer/ChangeLog:
	PR analyzer/93374
	* engine.cc (exploded_edge::exploded_edge): Add ext_state param
	and pass it to change.validate.
	(exploded_graph::get_or_create_node): Move purging of change
	svalues to also cover the case of reusing an existing enode.
	(exploded_graph::add_edge): Pass m_ext_state to exploded_edge's
	ctor.
	* exploded-graph.h (exploded_edge::exploded_edge): Add ext_state
	param.
	* program-state.cc (state_change::sm_change::validate): Likewise.
	Assert that m_sm_idx is sane.
Use ext_state to validate m_old_state and m_new_state. (state_change::validate): Add ext_state param and pass it to the sm_change validate calls. * program-state.h (state_change::sm_change::validate): Add ext_state param. (state_change::validate): Likewise. gcc/testsuite/ChangeLog: PR analyzer/93374 * gcc.dg/analyzer/torture/pr93374.c: New test. --- gcc/analyzer/engine.cc | 21 ++++++++++--------- gcc/analyzer/exploded-graph.h | 1 + gcc/analyzer/program-state.cc | 12 ++++++++--- gcc/analyzer/program-state.h | 6 ++++-- .../gcc.dg/analyzer/torture/pr93374.c | 2 ++ 5 files changed, 27 insertions(+), 15 deletions(-) create mode 100644 gcc/testsuite/gcc.dg/analyzer/torture/pr93374.c diff --git a/gcc/analyzer/engine.cc b/gcc/analyzer/engine.cc index 837f3feabfe..7860da0572a 100644 --- a/gcc/analyzer/engine.cc +++ b/gcc/analyzer/engine.cc @@ -1398,13 +1398,14 @@ rewind_info_t::add_events_to_path (checker_path *emission_path, /* exploded_edge's ctor. */ exploded_edge::exploded_edge (exploded_node *src, exploded_node *dest, + const extrinsic_state &ext_state, const superedge *sedge, const state_change &change, custom_info_t *custom_info) : dedge (src, dest), m_sedge (sedge), m_change (change), m_custom_info (custom_info) { - change.validate (dest->get_state ()); + change.validate (dest->get_state (), ext_state); } /* exploded_edge's dtor. */ @@ -1898,8 +1899,14 @@ exploded_graph::get_or_create_node (const program_point &point, logger->log ("merging new state with that of EN: %i", existing_enode->m_index); - /* Try again for a cache hit. */ + /* Try again for a cache hit. + Whether we get one or not, merged_state's value_ids have no + relationship to those of the input state, and thus to those + of CHANGE, so we must purge any svalue_ids from *CHANGE. */ ps.set_state (merged_state); + if (change) + change->on_svalue_purge (svalue_id::from_int (0)); + if (exploded_node **slot = m_point_and_state_to_node.get (&ps)) { /* An exploded_node for PS already exists. */ 
@@ -1910,13 +1917,6 @@ exploded_graph::get_or_create_node (const program_point &point, per_cs_stats->m_node_reuse_after_merge_count++; return *slot; } - - /* Otherwise, continue, using the merged state in "ps". - Given that merged_state's svalue_ids have no relationship - to those of the input state, and thus to those of CHANGE, - purge any svalue_ids from *CHANGE. */ - if (change) - change->on_svalue_purge (svalue_id::from_int (0)); } else if (logger) @@ -1986,7 +1986,8 @@ exploded_graph::add_edge (exploded_node *src, exploded_node *dest, const state_change &change, exploded_edge::custom_info_t *custom_info) { - exploded_edge *e = new exploded_edge (src, dest, sedge, change, custom_info); + exploded_edge *e = new exploded_edge (src, dest, m_ext_state, + sedge, change, custom_info); digraph::add_edge (e); return e; } diff --git a/gcc/analyzer/exploded-graph.h b/gcc/analyzer/exploded-graph.h index e47816a5b6e..5d69bffdddd 100644 --- a/gcc/analyzer/exploded-graph.h +++ b/gcc/analyzer/exploded-graph.h @@ -306,6 +306,7 @@ class exploded_edge : public dedge }; exploded_edge (exploded_node *src, exploded_node *dest, + const extrinsic_state &ext_state, const superedge *sedge, const state_change &change, custom_info_t *custom_info); diff --git a/gcc/analyzer/program-state.cc b/gcc/analyzer/program-state.cc index 4c0b9a8bfa0..82b921eb969 100644 --- a/gcc/analyzer/program-state.cc +++ b/gcc/analyzer/program-state.cc @@ -1083,8 +1083,13 @@ state_change::sm_change::on_svalue_purge (svalue_id first_unused_sid) /* Assert that this object is sane. */ void -state_change::sm_change::validate (const program_state &new_state) const +state_change::sm_change::validate (const program_state &new_state, + const extrinsic_state &ext_state) const { + gcc_assert ((unsigned)m_sm_idx < ext_state.get_num_checkers ()); + const state_machine &sm = ext_state.get_sm (m_sm_idx); + sm.validate (m_old_state); + sm.validate (m_new_state); m_new_sid.validate (*new_state.m_region_model); } 
@@ -1191,7 +1196,8 @@ state_change::on_svalue_purge (svalue_id first_unused_sid) /* Assert that this object is sane. */ void -state_change::validate (const program_state &new_state) const +state_change::validate (const program_state &new_state, + const extrinsic_state &ext_state) const { /* Skip this in a release build. */ #if !CHECKING_P @@ -1200,7 +1206,7 @@ state_change::validate (const program_state &new_state) const unsigned i; sm_change *change; FOR_EACH_VEC_ELT (m_sm_changes, i, change) - change->validate (new_state); + change->validate (new_state, ext_state); } #if CHECKING_P diff --git a/gcc/analyzer/program-state.h b/gcc/analyzer/program-state.h index d2badb1a2ed..a4608c7498d 100644 --- a/gcc/analyzer/program-state.h +++ b/gcc/analyzer/program-state.h @@ -343,7 +343,8 @@ class state_change void remap_svalue_ids (const svalue_id_map &map); int on_svalue_purge (svalue_id first_unused_sid); - void validate (const program_state &new_state) const; + void validate (const program_state &new_state, + const extrinsic_state &ext_state) const; int m_sm_idx; svalue_id m_new_sid; @@ -367,7 +368,8 @@ class state_change void remap_svalue_ids (const svalue_id_map &map); int on_svalue_purge (svalue_id first_unused_sid); - void validate (const program_state &new_state) const; + void validate (const program_state &new_state, + const extrinsic_state &ext_state) const; private: auto_vec m_sm_changes; diff --git a/gcc/testsuite/gcc.dg/analyzer/torture/pr93374.c b/gcc/testsuite/gcc.dg/analyzer/torture/pr93374.c new file mode 100644 index 00000000000..a7adecdc872 --- /dev/null +++ b/gcc/testsuite/gcc.dg/analyzer/torture/pr93374.c @@ -0,0 +1,2 @@ +#include +#include "../../../gcc.c-torture/execute/pr27073.c"
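Review bot: the rewritten comment in exploded_graph::get_or_create_node (engine.cc) says "merged_state's value_ids" where the comment it replaces said "svalue_ids"; keep the original term so it matches the svalue_id type and the on_svalue_purge call directly below. Also, program-state.h declares on_svalue_purge as returning int, and the result of `change->on_svalue_purge (svalue_id::from_int (0));` is dropped here. If that value is a count of what was purged, logging it next to the existing "merging new state with that of EN" message would show how much state-change information is discarded now that the purge also runs on the node-reuse path.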
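Review bot: in state_change::sm_change::validate (program-state.cc), `gcc_assert ((unsigned)m_sm_idx < ext_state.get_num_checkers ());` rejects a negative m_sm_idx only through wraparound of the cast, since program-state.h declares m_sm_idx as int. An explicit `m_sm_idx >= 0` check, or a short comment saying the cast is deliberate, would make the intent clear. GNU style also wants a space after the cast: `(unsigned) m_sm_idx`.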
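Review bot: the new ext_state parameter of exploded_edge's ctor (engine.cc, exploded-graph.h) is used only in `change.validate (dest->get_state (), ext_state);` and is not stored, and state_change::validate is skipped when CHECKING_P is off, so in a release build the argument has no effect. The "exploded_edge's ctor." comment should say that ext_state is for validation only, so that callers such as exploded_graph::add_edge do not assume the edge keeps a reference to it.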
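Review bot: the new test pr93374.c has no comment explaining why including pr27073.c reproduces the ICE, and the include path `../../../gcc.c-torture/execute/pr27073.c` ties it to the current testsuite directory layout. A one-line comment naming PR analyzer/93374 and the state_change::validate failure would help anyone who later moves or edits pr27073.c.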