analyzer: fix ICE on NULL change.m_expr [PR100244]

Message ID	20210424235757.1364669-1-dmalcolm@redhat.com
State	New
Headers	show Return-Path: <gcc-patches-bounces@gcc.gnu.org> DMARC-Filter: OpenDMARC Filter v1.3.2 sourceware.org 08AA23857026 To: gcc-patches@gcc.gnu.org, jakub@redhat.com, Richard Biener <rguenther@suse.de> Subject: [PATCH] analyzer: fix ICE on NULL change.m_expr [PR100244] Date: Sat, 24 Apr 2021 19:57:57 -0400 Message-Id: <20210424235757.1364669-1-dmalcolm@redhat.com> MIME-Version: 1.0 Content-Transfer-Encoding: 8bit Content-Type: text/plain; charset="US-ASCII" Precedence: list From: David Malcolm via Gcc-patches <gcc-patches@gcc.gnu.org> Reply-To: David Malcolm <dmalcolm@redhat.com> Errors-To: gcc-patches-bounces@gcc.gnu.org Sender: "Gcc-patches" <gcc-patches-bounces@gcc.gnu.org>
Series	analyzer: fix ICE on NULL change.m_expr [PR100244] \| expand analyzer: fix ICE on NULL change.m_expr [PR100244]

Message ID

20210424235757.1364669-1-dmalcolm@redhat.com

State

New

Headers

DMARC-Filter: OpenDMARC Filter v1.3.2 sourceware.org 08AA23857026
To: gcc-patches@gcc.gnu.org, jakub@redhat.com,
 Richard Biener <rguenther@suse.de>
Subject: [PATCH] analyzer: fix ICE on NULL change.m_expr [PR100244]
Date: Sat, 24 Apr 2021 19:57:57 -0400
Message-Id: <20210424235757.1364669-1-dmalcolm@redhat.com>
MIME-Version: 1.0
Content-Transfer-Encoding: 8bit
Content-Type: text/plain; charset="US-ASCII"
Precedence: list
From: David Malcolm via Gcc-patches <gcc-patches@gcc.gnu.org>
Reply-To: David Malcolm <dmalcolm@redhat.com>
Errors-To: gcc-patches-bounces@gcc.gnu.org
Sender: "Gcc-patches" <gcc-patches-bounces@gcc.gnu.org>

Series

analyzer: fix ICE on NULL change.m_expr [PR100244] | expand

Commit Message

David Malcolm April 24, 2021, 11:57 p.m. UTC

PR analyzer/100244 reports an ICE on a -Wanalyzer-free-of-non-heap
due to a case where free_of_non_heap::describe_state_change can be
passed a NULL change.m_expr for a suitably complicated symbolic value.

Bulletproof it by checking for change.m_expr being NULL before
dereferencing it.

Successfully bootstrapped & regrtested on x86_64-pc-linux-gnu.
Pushed to trunk for gcc 12 as
r12-108-g61bfff562e3b6091d5a0a412a7d496bd523868a8.

This ICE is technically a regression for gcc 11.
The fix is trivial and confined to the analyzer.

OK to push to gcc 11 branch?

gcc/analyzer/ChangeLog:
	PR analyzer/100244
	* sm-malloc.cc (free_of_non_heap::describe_state_change):
	Bulletproof against change.m_expr being NULL.

gcc/testsuite/ChangeLog:
	PR analyzer/100244
	* g++.dg/analyzer/pr100244.C: New test.
---
 gcc/analyzer/sm-malloc.cc                |  2 +-
 gcc/testsuite/g++.dg/analyzer/pr100244.C | 22 ++++++++++++++++++++++
 2 files changed, 23 insertions(+), 1 deletion(-)
 create mode 100644 gcc/testsuite/g++.dg/analyzer/pr100244.C

Comments

Richard Biener April 26, 2021, 6:49 a.m. UTC | #1

On Sat, 24 Apr 2021, David Malcolm wrote:

> PR analyzer/100244 reports an ICE on a -Wanalyzer-free-of-non-heap
> due to a case where free_of_non_heap::describe_state_change can be
> passed a NULL change.m_expr for a suitably complicated symbolic value.
> 
> Bulletproof it by checking for change.m_expr being NULL before
> dereferencing it.
> 
> Successfully bootstrapped & regrtested on x86_64-pc-linux-gnu.
> Pushed to trunk for gcc 12 as
> r12-108-g61bfff562e3b6091d5a0a412a7d496bd523868a8.
> 
> This ICE is technically a regression for gcc 11.
> The fix is trivial and confined to the analyzer.
> 
> OK to push to gcc 11 branch?

OK after the 11.1 release.

Richard.

> gcc/analyzer/ChangeLog:
> 	PR analyzer/100244
> 	* sm-malloc.cc (free_of_non_heap::describe_state_change):
> 	Bulletproof against change.m_expr being NULL.
> 
> gcc/testsuite/ChangeLog:
> 	PR analyzer/100244
> 	* g++.dg/analyzer/pr100244.C: New test.
> ---
>  gcc/analyzer/sm-malloc.cc                |  2 +-
>  gcc/testsuite/g++.dg/analyzer/pr100244.C | 22 ++++++++++++++++++++++
>  2 files changed, 23 insertions(+), 1 deletion(-)
>  create mode 100644 gcc/testsuite/g++.dg/analyzer/pr100244.C
> 
> diff --git a/gcc/analyzer/sm-malloc.cc b/gcc/analyzer/sm-malloc.cc
> index 1d5b8601b1f..f02b73ab90a 100644
> --- a/gcc/analyzer/sm-malloc.cc
> +++ b/gcc/analyzer/sm-malloc.cc
> @@ -1303,7 +1303,7 @@ public:
>    {
>      /* Attempt to reconstruct what kind of pointer it is.
>         (It seems neater for this to be a part of the state, though).  */
> -    if (TREE_CODE (change.m_expr) == SSA_NAME)
> +    if (change.m_expr && TREE_CODE (change.m_expr) == SSA_NAME)
>        {
>  	gimple *def_stmt = SSA_NAME_DEF_STMT (change.m_expr);
>  	if (gcall *call = dyn_cast <gcall *> (def_stmt))
> diff --git a/gcc/testsuite/g++.dg/analyzer/pr100244.C b/gcc/testsuite/g++.dg/analyzer/pr100244.C
> new file mode 100644
> index 00000000000..261b3cfff57
> --- /dev/null
> +++ b/gcc/testsuite/g++.dg/analyzer/pr100244.C
> @@ -0,0 +1,22 @@
> +// { dg-additional-options "-O1 -Wno-free-nonheap-object" }
> +
> +inline void *operator new (__SIZE_TYPE__, void *__p) { return __p; }
> +
> +struct __aligned_buffer {
> +  int _M_storage;
> +  int *_M_addr() { return &_M_storage; }
> +};
> +
> +struct _Hashtable_alloc {
> +  int _M_single_bucket;
> +  int *_M_buckets;
> +  _Hashtable_alloc () { _M_buckets = &_M_single_bucket; }
> +  ~_Hashtable_alloc () { delete _M_buckets; } // { dg-warning "not on the heap" }
> +};
> +
> +void
> +test01 (__aligned_buffer buf)
> +{
> +  _Hashtable_alloc *tmp = new (buf._M_addr ()) _Hashtable_alloc;
> +  tmp->~_Hashtable_alloc ();
> +}
>

diff --git a/gcc/analyzer/sm-malloc.cc b/gcc/analyzer/sm-malloc.cc
index 1d5b8601b1f..f02b73ab90a 100644
--- a/gcc/analyzer/sm-malloc.cc
+++ b/gcc/analyzer/sm-malloc.cc
@@ -1303,7 +1303,7 @@  public:
   {
     /* Attempt to reconstruct what kind of pointer it is.
        (It seems neater for this to be a part of the state, though).  */
-    if (TREE_CODE (change.m_expr) == SSA_NAME)
+    if (change.m_expr && TREE_CODE (change.m_expr) == SSA_NAME)
       {
 	gimple *def_stmt = SSA_NAME_DEF_STMT (change.m_expr);
 	if (gcall *call = dyn_cast <gcall *> (def_stmt))
diff --git a/gcc/testsuite/g++.dg/analyzer/pr100244.C b/gcc/testsuite/g++.dg/analyzer/pr100244.C
new file mode 100644
index 00000000000..261b3cfff57
--- /dev/null
+++ b/gcc/testsuite/g++.dg/analyzer/pr100244.C
@@ -0,0 +1,22 @@ 
+// { dg-additional-options "-O1 -Wno-free-nonheap-object" }
+
+inline void *operator new (__SIZE_TYPE__, void *__p) { return __p; }
+
+struct __aligned_buffer {
+  int _M_storage;
+  int *_M_addr() { return &_M_storage; }
+};
+
+struct _Hashtable_alloc {
+  int _M_single_bucket;
+  int *_M_buckets;
+  _Hashtable_alloc () { _M_buckets = &_M_single_bucket; }
+  ~_Hashtable_alloc () { delete _M_buckets; } // { dg-warning "not on the heap" }
+};
+
+void
+test01 (__aligned_buffer buf)
+{
+  _Hashtable_alloc *tmp = new (buf._M_addr ()) _Hashtable_alloc;
+  tmp->~_Hashtable_alloc ();
+}

analyzer: fix ICE on NULL change.m_expr [PR100244]

Commit Message

Comments

Patch