Message ID | 20210424235757.1364669-1-dmalcolm@redhat.com |
State | New |
Series | analyzer: fix ICE on NULL change.m_expr [PR100244] | expand |
On Sat, 24 Apr 2021, David Malcolm wrote:
> PR analyzer/100244 reports an ICE on a -Wanalyzer-free-of-non-heap
> due to a case where free_of_non_heap::describe_state_change can be
> passed a NULL change.m_expr for a suitably complicated symbolic value.
>
> Bulletproof it by checking for change.m_expr being NULL before
> dereferencing it.
>
> Successfully bootstrapped & regrtested on x86_64-pc-linux-gnu.
> Pushed to trunk for gcc 12 as
> r12-108-g61bfff562e3b6091d5a0a412a7d496bd523868a8.
>
> This ICE is technically a regression for gcc 11.
> The fix is trivial and confined to the analyzer.
>
> OK to push to gcc 11 branch?

OK after the 11.1 release.

Richard.

> gcc/analyzer/ChangeLog:
> PR analyzer/100244
> * sm-malloc.cc (free_of_non_heap::describe_state_change):
> Bulletproof against change.m_expr being NULL.
>
> gcc/testsuite/ChangeLog:
> PR analyzer/100244
> * g++.dg/analyzer/pr100244.C: New test.
> ---
> gcc/analyzer/sm-malloc.cc | 2 +-
> gcc/testsuite/g++.dg/analyzer/pr100244.C | 22 ++++++++++++++++++++++
> 2 files changed, 23 insertions(+), 1 deletion(-)
> create mode 100644 gcc/testsuite/g++.dg/analyzer/pr100244.C
>
> diff --git a/gcc/analyzer/sm-malloc.cc b/gcc/analyzer/sm-malloc.cc
> index 1d5b8601b1f..f02b73ab90a 100644
> --- a/gcc/analyzer/sm-malloc.cc
> +++ b/gcc/analyzer/sm-malloc.cc
> @@ -1303,7 +1303,7 @@ public:
> {
> /* Attempt to reconstruct what kind of pointer it is.
> (It seems neater for this to be a part of the state, though). */
> - if (TREE_CODE (change.m_expr) == SSA_NAME)
> + if (change.m_expr && TREE_CODE (change.m_expr) == SSA_NAME)
> {
> gimple *def_stmt = SSA_NAME_DEF_STMT (change.m_expr);
> if (gcall *call = dyn_cast <gcall *> (def_stmt))
> diff --git a/gcc/testsuite/g++.dg/analyzer/pr100244.C b/gcc/testsuite/g++.dg/analyzer/pr100244.C
> new file mode 100644
> index 00000000000..261b3cfff57
> --- /dev/null
> +++ b/gcc/testsuite/g++.dg/analyzer/pr100244.C 
> @@ -0,0 +1,22 @@
> +// { dg-additional-options "-O1 -Wno-free-nonheap-object" }
> +
> +inline void *operator new (__SIZE_TYPE__, void *__p) { return __p; }
> +
> +struct __aligned_buffer {
> + int _M_storage;
> + int *_M_addr() { return &_M_storage; }
> +};
> +
> +struct _Hashtable_alloc {
> + int _M_single_bucket;
> + int *_M_buckets;
> + _Hashtable_alloc () { _M_buckets = &_M_single_bucket; }
> + ~_Hashtable_alloc () { delete _M_buckets; } // { dg-warning "not on the heap" }
> +};
> +
> +void
> +test01 (__aligned_buffer buf)
> +{
> + _Hashtable_alloc *tmp = new (buf._M_addr ()) _Hashtable_alloc;
> + tmp->~_Hashtable_alloc ();
> +}
>
diff --git a/gcc/analyzer/sm-malloc.cc b/gcc/analyzer/sm-malloc.cc
index 1d5b8601b1f..f02b73ab90a 100644
--- a/gcc/analyzer/sm-malloc.cc
+++ b/gcc/analyzer/sm-malloc.cc
@@ -1303,7 +1303,7 @@ public:
 {
 /* Attempt to reconstruct what kind of pointer it is.
 (It seems neater for this to be a part of the state, though). */
- if (TREE_CODE (change.m_expr) == SSA_NAME)
+ if (change.m_expr && TREE_CODE (change.m_expr) == SSA_NAME)
 {
 gimple *def_stmt = SSA_NAME_DEF_STMT (change.m_expr);
 if (gcall *call = dyn_cast <gcall *> (def_stmt))
diff --git a/gcc/testsuite/g++.dg/analyzer/pr100244.C b/gcc/testsuite/g++.dg/analyzer/pr100244.C
new file mode 100644
index 00000000000..261b3cfff57
--- /dev/null
+++ b/gcc/testsuite/g++.dg/analyzer/pr100244.C
@@ -0,0 +1,22 @@
+// { dg-additional-options "-O1 -Wno-free-nonheap-object" }
+
+inline void *operator new (__SIZE_TYPE__, void *__p) { return __p; }
+
+struct __aligned_buffer {
+ int _M_storage;
+ int *_M_addr() { return &_M_storage; }
+};
+
+struct _Hashtable_alloc {
+ int _M_single_bucket;
+ int *_M_buckets;
+ _Hashtable_alloc () { _M_buckets = &_M_single_bucket; }
+ ~_Hashtable_alloc () { delete _M_buckets; } // { dg-warning "not on the heap" }
+};
+
+void
+test01 (__aligned_buffer buf)
+{
+ _Hashtable_alloc *tmp = new (buf._M_addr ()) _Hashtable_alloc;
+ tmp->~_Hashtable_alloc ();
+}
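Review bot: The added `change.m_expr &&` guard stops the crash but records nowhere why a NULL m_expr is legitimate here, so the next reader of free_of_non_heap::describe_state_change is likely to see it as a redundant check and drop it; the condition deserves a one-line comment such as `/* m_expr can be NULL for a sufficiently complex symbolic value (PR analyzer/100244); fall back to the generic description.  */`. When the guard fires, the pointer-kind reconstruction is skipped and control falls through to whatever the method returns after this hunk, which is outside the visible lines, so the diagnostic presumably loses the "kind of pointer" detail for exactly the PR100244 case rather than describing it; that is acceptable for an ICE fix but worth stating in the comment. Any sibling describe_state_change or describe_final_event override in this file that also dereferences change.m_expr would have the same latent NULL dereference; none is visible in the hunk, so this is a grep to do rather than a known defect. The enclosing method starts before and continues past the hunk.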
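Review bot: The new test only matches the final `"not on the heap"` warning on the `delete _M_buckets` line, so it proves the ICE is gone but never checks the text that describe_state_change now produces on the NULL-m_expr path this patch changes; a `// { dg-message }` on the `_M_buckets = &_M_single_bucket;` constructor line would catch an empty or bogus state-change description that still compiles cleanly. Whether the analyzer emits a path event at that line once the pointer-kind reconstruction is skipped is not visible from the hunk, so treat this as something to try rather than a blocker. The `-Wno-free-nonheap-object` option is presumably there to keep the non-analyzer warning from also firing on the same `delete`, but without a comment it reads as if it disables the diagnostic under test; `// Suppress the middle-end -Wfree-nonheap-object so only the analyzer warning is matched.` above the dg-additional-options line would remove that ambiguity.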