https://gcc.gnu.org/bugzilla/show_bug.cgi?id=101522
Bug ID: 101522
Summary: ICE: Segmentation fault (in ana::binding_cluster::purge_state_involving)
Product: gcc
Version: 12.0
Status: UNCONFIRMED
Keywords: ice-on-valid-code
Severity: normal
Priority: P3
Component: analyzer
Assignee: dmalcolm at gcc dot gnu.org
Reporter: asolokha at gmx dot com
Target Milestone: ---

g++-12.0.0-alpha20210718 snapshot (g:6ae8aac19cdbdbd96d90f86e4d8505fe121bdf06) intermittently ICEs when compiling the following testcase, reduced from test/std/numerics/rand/rand.dis/rand.dist.norm/rand.dist.norm.f/max.pass.cpp from the libcxx 12.0.0 test suite, w/ -fanalyzer:

double sqrt ();

namespace std {

class gamma_distribution {
public:
  gamma_distribution () : _M_param () {}

private:
  struct param_type {
    param_type () : _M_beta () { _M_a2 = 1 / ::sqrt (); }
    double _M_beta, _M_a2;
  };

  param_type _M_param;
  int _M_saved_available, _M_saved = 0, _M_param0 = 0;
};

struct fisher_f_distribution {
  gamma_distribution _M_gd_x, _M_gd_y;
};
}

int main () {
  std::fisher_f_distribution d;
  return 0;
}

% MALLOC_PERTURB_=3 MALLOC_CHECK_=3 g++-12.0.0 -fanalyzer -c rxkecadv.cpp
during IPA pass: analyzer
rxkecadv.cpp: In constructor 'std::gamma_distribution::param_type::param_type()':
rxkecadv.cpp:11:55: internal compiler error: Segmentation fault
   11 |     param_type () : _M_beta () { _M_a2 = 1 / ::sqrt (); }
      |                                              ~~~~~~~^~
0x11077df crash_signal
	/var/tmp/portage/sys-devel/gcc-12.0.0_alpha20210718/work/gcc-12-20210718/gcc/toplev.c:328
0x150cefc ana::binding_cluster::purge_state_involving(ana::svalue const*, ana::region_model_manager*)
	/var/tmp/portage/sys-devel/gcc-12.0.0_alpha20210718/work/gcc-12-20210718/gcc/analyzer/store.cc:1330
0x150f75f ana::store::purge_state_involving(ana::svalue const*, ana::region_model_manager*)
	/var/tmp/portage/sys-devel/gcc-12.0.0_alpha20210718/work/gcc-12-20210718/gcc/analyzer/store.cc:2497
0x14e0a56 ana::region_model::purge_state_involving(ana::svalue const*, ana::region_model_context*)
	/var/tmp/portage/sys-devel/gcc-12.0.0_alpha20210718/work/gcc-12-20210718/gcc/analyzer/region-model.cc:1309
0x14e0a56 ana::region_model::purge_state_involving(ana::svalue const*, ana::region_model_context*)
	/var/tmp/portage/sys-devel/gcc-12.0.0_alpha20210718/work/gcc-12-20210718/gcc/analyzer/region-model.cc:1304
0x14e0c30 ana::region_model::on_call_pre(gcall const*, ana::region_model_context*, bool*)
	/var/tmp/portage/sys-devel/gcc-12.0.0_alpha20210718/work/gcc-12-20210718/gcc/analyzer/region-model.cc:1074
0x14e39c3 ana::region_model::on_stmt_pre(gimple const*, bool*, bool*, ana::region_model_context*)
	/var/tmp/portage/sys-devel/gcc-12.0.0_alpha20210718/work/gcc-12-20210718/gcc/analyzer/region-model.cc:1027
0x14b42ed ana::exploded_node::on_stmt(ana::exploded_graph&, ana::supernode const*, gimple const*, ana::program_state*, ana::uncertainty_t*)
	/var/tmp/portage/sys-devel/gcc-12.0.0_alpha20210718/work/gcc-12-20210718/gcc/analyzer/engine.cc:1223
0x14b6882 ana::exploded_graph::process_node(ana::exploded_node*)
	/var/tmp/portage/sys-devel/gcc-12.0.0_alpha20210718/work/gcc-12-20210718/gcc/analyzer/engine.cc:3098
0x14b73ea ana::exploded_graph::process_worklist()
	/var/tmp/portage/sys-devel/gcc-12.0.0_alpha20210718/work/gcc-12-20210718/gcc/analyzer/engine.cc:2684
0x14b9845 ana::impl_run_checkers(ana::logger*)
	/var/tmp/portage/sys-devel/gcc-12.0.0_alpha20210718/work/gcc-12-20210718/gcc/analyzer/engine.cc:4972
0x14ba6e0 ana::run_checkers()
	/var/tmp/portage/sys-devel/gcc-12.0.0_alpha20210718/work/gcc-12-20210718/gcc/analyzer/engine.cc:5043
0x14ab7a8 execute
	/var/tmp/portage/sys-devel/gcc-12.0.0_alpha20210718/work/gcc-12-20210718/gcc/analyzer/analyzer-pass.cc:87

This is a memory corruption failure, so only happens sporadically.
Maybe I've reduced the testcase too much, but I have to set glibc's MALLOC_PERTURB_=3 MALLOC_CHECK_=3 and also run compilation in a loop to reproduce it at least several times in a run:

% for i in {1..100}; do MALLOC_PERTURB_=3 MALLOC_CHECK_=3 g++-12.0.0 -fanalyzer -c rxkecadv.cpp; done

Valgrind gives the following when gcc ICEs:

% MALLOC_PERTURB_=3 MALLOC_CHECK_=3 g++-12.0.0 -fanalyzer -c rxkecadv.cpp -wrapper valgrind,-q
==924238== Invalid read of size 8
==924238==    at 0x150CF40: slide (hash-table.h:1115)
==924238==    by 0x150CF40: operator++ (hash-table.h:1130)
==924238==    by 0x150CF40: operator++ (hash-map.h:256)
==924238==    by 0x150CF40: ana::binding_cluster::purge_state_involving(ana::svalue const*, ana::region_model_manager*) (store.cc:1326)
==924238==    by 0x150F75F: ana::store::purge_state_involving(ana::svalue const*, ana::region_model_manager*) (store.cc:2497)
==924238==    by 0x14E0A56: purge_state_involving (region-model.cc:1309)
==924238==    by 0x14E0A56: ana::region_model::purge_state_involving(ana::svalue const*, ana::region_model_context*) (region-model.cc:1304)
==924238==    by 0x14E0C30: ana::region_model::on_call_pre(gcall const*, ana::region_model_context*, bool*) (region-model.cc:1074)
==924238==    by 0x14E39C3: ana::region_model::on_stmt_pre(gimple const*, bool*, bool*, ana::region_model_context*) (region-model.cc:1027)
==924238==    by 0x14B42ED: ana::exploded_node::on_stmt(ana::exploded_graph&, ana::supernode const*, gimple const*, ana::program_state*, ana::uncertainty_t*) (engine.cc:1223)
==924238==    by 0x14B6882: ana::exploded_graph::process_node(ana::exploded_node*) (engine.cc:3098)
==924238==    by 0x14B73EA: ana::exploded_graph::process_worklist() (engine.cc:2684)
==924238==    by 0x14B9845: ana::impl_run_checkers(ana::logger*) (engine.cc:4972)
==924238==    by 0x14BA6E0: ana::run_checkers() (engine.cc:5043)
==924238==    by 0x14AB7A8: (anonymous namespace)::pass_analyzer::execute(function*) (analyzer-pass.cc:87)
==924238==    by 0x102EC0C: execute_one_pass(opt_pass*) (passes.c:2567)
==924238==  Address 0x5aabf50 is 128 bytes inside a block of size 208 free'd
==924238==    at 0x4840DEB: free (in /usr/libexec/valgrind/vgpreload_memcheck-amd64-linux.so)
==924238==    by 0x151674E: hash_table<hash_map<ana::binding_key const*, ana::svalue const*, simple_hashmap_traits<default_hash_traits<ana::binding_key const*>, ana::svalue const*> >::hash_entry, false, xcallocator>::find_slot_with_hash(ana::binding_key const* const&, unsigned int, insert_option) (hash-table.h:964)
==924238==    by 0x150D01B: put (hash-map.h:170)
==924238==    by 0x150D01B: put (store.h:485)
==924238==    by 0x150D01B: ana::binding_cluster::purge_state_involving(ana::svalue const*, ana::region_model_manager*) (store.cc:1341)
==924238==    by 0x150F75F: ana::store::purge_state_involving(ana::svalue const*, ana::region_model_manager*) (store.cc:2497)
==924238==    by 0x14E0A56: purge_state_involving (region-model.cc:1309)
==924238==    by 0x14E0A56: ana::region_model::purge_state_involving(ana::svalue const*, ana::region_model_context*) (region-model.cc:1304)
==924238==    by 0x14E0C30: ana::region_model::on_call_pre(gcall const*, ana::region_model_context*, bool*) (region-model.cc:1074)
==924238==    by 0x14E39C3: ana::region_model::on_stmt_pre(gimple const*, bool*, bool*, ana::region_model_context*) (region-model.cc:1027)
==924238==    by 0x14B42ED: ana::exploded_node::on_stmt(ana::exploded_graph&, ana::supernode const*, gimple const*, ana::program_state*, ana::uncertainty_t*) (engine.cc:1223)
==924238==    by 0x14B6882: ana::exploded_graph::process_node(ana::exploded_node*) (engine.cc:3098)
==924238==    by 0x14B73EA: ana::exploded_graph::process_worklist() (engine.cc:2684)
==924238==    by 0x14B9845: ana::impl_run_checkers(ana::logger*) (engine.cc:4972)
==924238==    by 0x14BA6E0: ana::run_checkers() (engine.cc:5043)
==924238==  Block was alloc'd at
==924238==    at 0x4843310: calloc (in /usr/libexec/valgrind/vgpreload_memcheck-amd64-linux.so)
==924238==    by 0x1DF4624: xcalloc (xmalloc.c:162)
==924238==    by 0x1508E9B: data_alloc (hash-table.h:275)
==924238==    by 0x1508E9B: alloc_entries (hash-table.h:711)
==924238==    by 0x1508E9B: hash_table (hash-table.h:659)
==924238==    by 0x1508E9B: hash_map (hash-map.h:151)
==924238==    by 0x1508E9B: ana::binding_map::binding_map(ana::binding_map const&) (store.cc:491)
==924238==    by 0x150F107: binding_cluster (store.cc:1039)
==924238==    by 0x150F107: ana::store::store(ana::store const&) (store.cc:1951)
==924238==    by 0x14D1B4E: ana::region_model::region_model(ana::region_model const&) (region-model.cc:255)
==924238==    by 0x14C5FB4: ana::program_state::operator=(ana::program_state const&) (program-state.cc:749)
==924238==    by 0x14B69E8: ana::exploded_graph::process_node(ana::exploded_node*) (engine.cc:3123)
==924238==    by 0x14B73EA: ana::exploded_graph::process_worklist() (engine.cc:2684)
==924238==    by 0x14B9845: ana::impl_run_checkers(ana::logger*) (engine.cc:4972)
==924238==    by 0x14BA6E0: ana::run_checkers() (engine.cc:5043)
==924238==    by 0x14AB7A8: (anonymous namespace)::pass_analyzer::execute(function*) (analyzer-pass.cc:87)
==924238==    by 0x102EC0C: execute_one_pass(opt_pass*) (passes.c:2567)
==924238== 
==924238== Invalid read of size 8
==924238==    at 0x150CEF9: ana::binding_cluster::purge_state_involving(ana::svalue const*, ana::region_model_manager*) (store.cc:1328)
==924238==    by 0x150F75F: ana::store::purge_state_involving(ana::svalue const*, ana::region_model_manager*) (store.cc:2497)
==924238==    by 0x14E0A56: purge_state_involving (region-model.cc:1309)
==924238==    by 0x14E0A56: ana::region_model::purge_state_involving(ana::svalue const*, ana::region_model_context*) (region-model.cc:1304)
==924238==    by 0x14E0C30: ana::region_model::on_call_pre(gcall const*, ana::region_model_context*, bool*) (region-model.cc:1074)
==924238==    by 0x14E39C3: ana::region_model::on_stmt_pre(gimple const*, bool*, bool*, ana::region_model_context*) (region-model.cc:1027)
==924238==    by 0x14B42ED: ana::exploded_node::on_stmt(ana::exploded_graph&, ana::supernode const*, gimple const*, ana::program_state*, ana::uncertainty_t*) (engine.cc:1223)
==924238==    by 0x14B6882: ana::exploded_graph::process_node(ana::exploded_node*) (engine.cc:3098)
==924238==    by 0x14B73EA: ana::exploded_graph::process_worklist() (engine.cc:2684)
==924238==    by 0x14B9845: ana::impl_run_checkers(ana::logger*) (engine.cc:4972)
==924238==    by 0x14BA6E0: ana::run_checkers() (engine.cc:5043)
==924238==    by 0x14AB7A8: (anonymous namespace)::pass_analyzer::execute(function*) (analyzer-pass.cc:87)
==924238==    by 0x102EC0C: execute_one_pass(opt_pass*) (passes.c:2567)
==924238==  Address 0x5aabf50 is 128 bytes inside a block of size 208 free'd
==924238==    at 0x4840DEB: free (in /usr/libexec/valgrind/vgpreload_memcheck-amd64-linux.so)
==924238==    by 0x151674E: hash_table<hash_map<ana::binding_key const*, ana::svalue const*, simple_hashmap_traits<default_hash_traits<ana::binding_key const*>, ana::svalue const*> >::hash_entry, false, xcallocator>::find_slot_with_hash(ana::binding_key const* const&, unsigned int, insert_option) (hash-table.h:964)
==924238==    by 0x150D01B: put (hash-map.h:170)
==924238==    by 0x150D01B: put (store.h:485)
==924238==    by 0x150D01B: ana::binding_cluster::purge_state_involving(ana::svalue const*, ana::region_model_manager*) (store.cc:1341)
==924238==    by 0x150F75F: ana::store::purge_state_involving(ana::svalue const*, ana::region_model_manager*) (store.cc:2497)
==924238==    by 0x14E0A56: purge_state_involving (region-model.cc:1309)
==924238==    by 0x14E0A56: ana::region_model::purge_state_involving(ana::svalue const*, ana::region_model_context*) (region-model.cc:1304)
==924238==    by 0x14E0C30: ana::region_model::on_call_pre(gcall const*, ana::region_model_context*, bool*) (region-model.cc:1074)
==924238==    by 0x14E39C3: ana::region_model::on_stmt_pre(gimple const*, bool*, bool*, ana::region_model_context*) (region-model.cc:1027)
==924238==    by 0x14B42ED: ana::exploded_node::on_stmt(ana::exploded_graph&, ana::supernode const*, gimple const*, ana::program_state*, ana::uncertainty_t*) (engine.cc:1223)
==924238==    by 0x14B6882: ana::exploded_graph::process_node(ana::exploded_node*) (engine.cc:3098)
==924238==    by 0x14B73EA: ana::exploded_graph::process_worklist() (engine.cc:2684)
==924238==    by 0x14B9845: ana::impl_run_checkers(ana::logger*) (engine.cc:4972)
==924238==    by 0x14BA6E0: ana::run_checkers() (engine.cc:5043)
==924238==  Block was alloc'd at
==924238==    at 0x4843310: calloc (in /usr/libexec/valgrind/vgpreload_memcheck-amd64-linux.so)
==924238==    by 0x1DF4624: xcalloc (xmalloc.c:162)
==924238==    by 0x1508E9B: data_alloc (hash-table.h:275)
==924238==    by 0x1508E9B: alloc_entries (hash-table.h:711)
==924238==    by 0x1508E9B: hash_table (hash-table.h:659)
==924238==    by 0x1508E9B: hash_map (hash-map.h:151)
==924238==    by 0x1508E9B: ana::binding_map::binding_map(ana::binding_map const&) (store.cc:491)
==924238==    by 0x150F107: binding_cluster (store.cc:1039)
==924238==    by 0x150F107: ana::store::store(ana::store const&) (store.cc:1951)
==924238==    by 0x14D1B4E: ana::region_model::region_model(ana::region_model const&) (region-model.cc:255)
==924238==    by 0x14C5FB4: ana::program_state::operator=(ana::program_state const&) (program-state.cc:749)
==924238==    by 0x14B69E8: ana::exploded_graph::process_node(ana::exploded_node*) (engine.cc:3123)
==924238==    by 0x14B73EA: ana::exploded_graph::process_worklist() (engine.cc:2684)
==924238==    by 0x14B9845: ana::impl_run_checkers(ana::logger*) (engine.cc:4972)
==924238==    by 0x14BA6E0: ana::run_checkers() (engine.cc:5043)
==924238==    by 0x14AB7A8: (anonymous namespace)::pass_analyzer::execute(function*) (analyzer-pass.cc:87)
==924238==    by 0x102EC0C: execute_one_pass(opt_pass*) (passes.c:2567)
==924238== 
==924238== Invalid read of size 8
==924238==    at 0x150CF1F: ana::binding_cluster::purge_state_involving(ana::svalue const*, ana::region_model_manager*) (store.cc:1336)
==924238==    by 0x150F75F: ana::store::purge_state_involving(ana::svalue const*, ana::region_model_manager*) (store.cc:2497)
==924238==    by 0x14E0A56: purge_state_involving (region-model.cc:1309)
==924238==    by 0x14E0A56: ana::region_model::purge_state_involving(ana::svalue const*, ana::region_model_context*) (region-model.cc:1304)
==924238==    by 0x14E0C30: ana::region_model::on_call_pre(gcall const*, ana::region_model_context*, bool*) (region-model.cc:1074)
==924238==    by 0x14E39C3: ana::region_model::on_stmt_pre(gimple const*, bool*, bool*, ana::region_model_context*) (region-model.cc:1027)
==924238==    by 0x14B42ED: ana::exploded_node::on_stmt(ana::exploded_graph&, ana::supernode const*, gimple const*, ana::program_state*, ana::uncertainty_t*) (engine.cc:1223)
==924238==    by 0x14B6882: ana::exploded_graph::process_node(ana::exploded_node*) (engine.cc:3098)
==924238==    by 0x14B73EA: ana::exploded_graph::process_worklist() (engine.cc:2684)
==924238==    by 0x14B9845: ana::impl_run_checkers(ana::logger*) (engine.cc:4972)
==924238==    by 0x14BA6E0: ana::run_checkers() (engine.cc:5043)
==924238==    by 0x14AB7A8: (anonymous namespace)::pass_analyzer::execute(function*) (analyzer-pass.cc:87)
==924238==    by 0x102EC0C: execute_one_pass(opt_pass*) (passes.c:2567)
==924238==  Address 0x5aabf58 is 136 bytes inside a block of size 208 free'd
==924238==    at 0x4840DEB: free (in /usr/libexec/valgrind/vgpreload_memcheck-amd64-linux.so)
==924238==    by 0x151674E: hash_table<hash_map<ana::binding_key const*, ana::svalue const*, simple_hashmap_traits<default_hash_traits<ana::binding_key const*>, ana::svalue const*> >::hash_entry, false, xcallocator>::find_slot_with_hash(ana::binding_key const* const&, unsigned int, insert_option) (hash-table.h:964)
==924238==    by 0x150D01B: put (hash-map.h:170)
==924238==    by 0x150D01B: put (store.h:485)
==924238==    by 0x150D01B: ana::binding_cluster::purge_state_involving(ana::svalue const*, ana::region_model_manager*) (store.cc:1341)
==924238==    by 0x150F75F: ana::store::purge_state_involving(ana::svalue const*, ana::region_model_manager*) (store.cc:2497)
==924238==    by 0x14E0A56: purge_state_involving (region-model.cc:1309)
==924238==    by 0x14E0A56: ana::region_model::purge_state_involving(ana::svalue const*, ana::region_model_context*) (region-model.cc:1304)
==924238==    by 0x14E0C30: ana::region_model::on_call_pre(gcall const*, ana::region_model_context*, bool*) (region-model.cc:1074)
==924238==    by 0x14E39C3: ana::region_model::on_stmt_pre(gimple const*, bool*, bool*, ana::region_model_context*) (region-model.cc:1027)
==924238==    by 0x14B42ED: ana::exploded_node::on_stmt(ana::exploded_graph&, ana::supernode const*, gimple const*, ana::program_state*, ana::uncertainty_t*) (engine.cc:1223)
==924238==    by 0x14B6882: ana::exploded_graph::process_node(ana::exploded_node*) (engine.cc:3098)
==924238==    by 0x14B73EA: ana::exploded_graph::process_worklist() (engine.cc:2684)
==924238==    by 0x14B9845: ana::impl_run_checkers(ana::logger*) (engine.cc:4972)
==924238==    by 0x14BA6E0: ana::run_checkers() (engine.cc:5043)
==924238==  Block was alloc'd at
==924238==    at 0x4843310: calloc (in /usr/libexec/valgrind/vgpreload_memcheck-amd64-linux.so)
==924238==    by 0x1DF4624: xcalloc (xmalloc.c:162)
==924238==    by 0x1508E9B: data_alloc (hash-table.h:275)
==924238==    by 0x1508E9B: alloc_entries (hash-table.h:711)
==924238==    by 0x1508E9B: hash_table (hash-table.h:659)
==924238==    by 0x1508E9B: hash_map (hash-map.h:151)
==924238==    by 0x1508E9B: ana::binding_map::binding_map(ana::binding_map const&) (store.cc:491)
==924238==    by 0x150F107: binding_cluster (store.cc:1039)
==924238==    by 0x150F107: ana::store::store(ana::store const&) (store.cc:1951)
==924238==    by 0x14D1B4E: ana::region_model::region_model(ana::region_model const&) (region-model.cc:255)
==924238==    by 0x14C5FB4: ana::program_state::operator=(ana::program_state const&) (program-state.cc:749)
==924238==    by 0x14B69E8: ana::exploded_graph::process_node(ana::exploded_node*) (engine.cc:3123)
==924238==    by 0x14B73EA: ana::exploded_graph::process_worklist() (engine.cc:2684)
==924238==    by 0x14B9845: ana::impl_run_checkers(ana::logger*) (engine.cc:4972)
==924238==    by 0x14BA6E0: ana::run_checkers() (engine.cc:5043)
==924238==    by 0x14AB7A8: (anonymous namespace)::pass_analyzer::execute(function*) (analyzer-pass.cc:87)
==924238==    by 0x102EC0C: execute_one_pass(opt_pass*) (passes.c:2567)
==924238== 
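Editor's added illustration (not part of the report and not GCC's code) of the failure mode the valgrind output pins down. All three invalid reads sit in the hash_map walk inside ana::binding_cluster::purge_state_involving (store.cc:1326, 1328 and 1336), and the freed block is the map's entry array, released by find_slot_with_hash on behalf of the put at store.cc:1341 in the same function: the binding map is being modified while it is iterated, and the rehash that the insertion triggers frees the storage the iterator is still walking. The model below reproduces that shape with a constructed Table whose put() grows the slot array under a load-factor check made before the key lookup (an assumption about the trigger; what the trace establishes is only that put reached free). A generation counter takes the place of valgrind: the single-pass loop reports that the array moved under it, which is exactly the point at which an unchecked iterator reads freed memory, while the two-phase version collects the keys first and mutates afterwards. Region names, svalue ids and the table sizes are constructed sample data; the same hazard applies to any container whose insert can reallocate, std::unordered_map included.

```cpp
#include <cassert>
#include <cstddef>
#include <functional>
#include <string>
#include <vector>

// Constructed model of a binding map (region name -> svalue id).  put() may
// reallocate the slot array, and the capacity check runs before the lookup,
// so a put() on an already-present key can still free the array.  This is a
// simplified stand-in, not GCC's hash_table.
struct Table {
    struct Entry { std::string key; int val = 0; bool used = false; };
    std::vector<Entry> slots;
    std::size_t n_elements = 0;
    unsigned generation = 0;   // incremented on every reallocation

    explicit Table(std::size_t cap) : slots(cap) {}

    std::size_t find_index(const std::string& k) const {
        std::size_t i = std::hash<std::string>{}(k) % slots.size();
        while (slots[i].used && slots[i].key != k) i = (i + 1) % slots.size();
        return i;
    }

    // Double the slot array; every pointer or index into the old array is now stale.
    void expand() {
        std::vector<Entry> old = std::move(slots);
        slots.assign(old.size() * 2, Entry{});
        ++generation;
        for (const Entry& e : old)
            if (e.used) slots[find_index(e.key)] = e;
    }

    void put(const std::string& k, int v) {
        if (slots.size() * 3 <= n_elements * 4) expand();   // load >= 3/4: grow first
        std::size_t i = find_index(k);
        if (!slots[i].used) { slots[i].used = true; slots[i].key = k; ++n_elements; }
        slots[i].val = v;
    }
};

const int UNKNOWN = -1;   // stand-in for the "unknown" svalue a purge substitutes

// Constructed sample: three bindings in a four-slot table, two of them
// involving svalue 7.  The table sits exactly at the 3/4 threshold, so the
// next put(), whatever its key, reallocates.
Table make_sample() {
    Table t(4);
    t.put("d._M_gd_x._M_param._M_beta", 7);
    t.put("d._M_gd_x._M_param._M_a2", 7);
    t.put("d._M_gd_x._M_saved", 3);
    return t;
}

// Single pass: rewrite bindings while walking the slot array, the shape of the
// loop in the trace.  Returns true when the array was reallocated mid-walk,
// i.e. where an unchecked iterator would be reading freed memory.
bool purge_single_pass(Table& t, int sval) {
    const unsigned gen = t.generation;
    for (std::size_t i = 0; i < t.slots.size(); ++i) {
        if (t.generation != gen) return true;
        if (t.slots[i].used && t.slots[i].val == sval) {
            std::string key = t.slots[i].key;   // copy: the slot may move on put()
            t.put(key, UNKNOWN);
        }
    }
    return false;
}

// Two-phase version: decide while iterating, mutate afterwards.  The walk
// never observes a reallocation because none happens until it has finished.
// Returns the number of bindings rewritten.
std::size_t purge_two_pass(Table& t, int sval) {
    std::vector<std::string> stale_keys;
    for (const Table::Entry& e : t.slots)
        if (e.used && e.val == sval) stale_keys.push_back(e.key);
    for (const std::string& k : stale_keys) t.put(k, UNKNOWN);
    return stale_keys.size();
}

std::size_t count_val(const Table& t, int v) {
    std::size_t n = 0;
    for (const Table::Entry& e : t.slots) if (e.used && e.val == v) ++n;
    return n;
}

bool demo_single_pass_is_invalidated() { Table t = make_sample(); return purge_single_pass(t, 7); }
std::size_t demo_two_pass_rewrites()   { Table t = make_sample(); return purge_two_pass(t, 7); }
bool demo_two_pass_purges_all() {
    Table t = make_sample();
    purge_two_pass(t, 7);
    return count_val(t, 7) == 0 && count_val(t, UNKNOWN) == 2 && count_val(t, 3) == 1;
}

int main() {
    return (demo_single_pass_is_invalidated() && demo_two_pass_rewrites() == 2 &&
            demo_two_pass_purges_all()) ? 0 : 1;
}
```

The generation check is the detection side of the story: a debug-mode container that tracks reallocations turns a sporadic, MALLOC_PERTURB_-dependent crash into a deterministic failure on the first run, which is what made the report above so hard to reproduce without valgrind. The two-phase loop is the mitigation side: any loop that may insert into the container it walks should gather its changes first and apply them after the walk.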