https://gcc.gnu.org/bugzilla/show_bug.cgi?id=117491
Bug ID: 117491
Summary: [14/15 Regression] ICE: SIGSEGV in tree_class_check (tree.h:4085) with -fanalyzer
Product: gcc
Version: 15.0
Status: UNCONFIRMED
Keywords: ice-on-valid-code
Severity: normal
Priority: P3
Component: analyzer
Assignee: dmalcolm at gcc dot gnu.org
Reporter: zsojka at seznam dot cz
Target Milestone: ---
Host: x86_64-pc-linux-gnu
Target: x86_64-pc-linux-gnu

Created attachment 59561
--> https://gcc.gnu.org/bugzilla/attachment.cgi?id=59561&action=edit
reduced testcase

Compiler output:
$ x86_64-pc-linux-gnu-gcc -fanalyzer testcase.c -wrapper valgrind,-q,--num-callers=40
==24355== Invalid read of size 2
==24355==    at 0x1920CB1: tree_class_check (tree.h:4085)
==24355==    by 0x1920CB1: int_size_in_bytes(tree_node const*) [clone .part.0] (tree.cc:3629)
==24355==    by 0x1A798A8: ana::region_model_manager::maybe_fold_repeated_svalue(tree_node*, ana::svalue const*, ana::svalue const*) (region-model-manager.cc:1073)
==24355==    by 0x1A7B9DE: ana::region_model_manager::get_or_create_repeated_svalue(tree_node*, ana::svalue const*, ana::svalue const*) (region-model-manager.cc:1103)
==24355==    by 0x2BEB37D: ana::region_model::check_symbolic_bounds(ana::region const*, ana::svalue const*, ana::svalue const*, ana::svalue const*, ana::access_direction, ana::svalue const*, ana::region_model_context*) const (bounds-checking.cc:1411)
==24355==    by 0x2BEB665: ana::region_model::check_region_bounds(ana::region const*, ana::access_direction, ana::svalue const*, ana::region_model_context*) const (bounds-checking.cc:1520)
==24355==    by 0x1A4EDD9: check_region_access (region-model.cc:3348)
==24355==    by 0x1A4EDD9: check_region_access (region-model.cc:3337)
==24355==    by 0x1A4EDD9: check_region_for_read (region-model.cc:3382)
==24355==    by 0x1A4EDD9: check_region_for_read (region-model.cc:3379)
==24355==    by 0x1A4EDD9: ana::region_model::get_store_value(ana::region const*, ana::region_model_context*) const [clone .part.0] (region-model.cc:2926)
==24355==    by 0x1A55DE2: get_store_value (region-model.cc:2922)
==24355==    by 0x1A55DE2: read_bytes (region-model.cc:4734)
==24355==    by 0x1A55DE2: ana::region_model::read_bytes(ana::region const*, tree_node*, ana::svalue const*, ana::region_model_context*) const (region-model.cc:4725)
==24355==    by 0x1A58DE4: ana::region_model::copy_bytes(ana::region const*, ana::region const*, tree_node*, ana::svalue const*, ana::region_model_context*) (region-model.cc:4753)
==24355==    by 0x1A52AB7: ana::region_model::on_call_pre(gcall const*, ana::region_model_context*) (region-model.cc:1954)
==24355==    by 0x1A569CA: ana::region_model::on_stmt_pre(gimple const*, bool*, ana::region_model_context*) (region-model.cc:1591)
==24355==    by 0x1A1C220: ana::exploded_node::on_stmt(ana::exploded_graph&, ana::supernode const*, gimple const*, ana::program_state*, ana::uncertainty_t*, bool*, ana::path_context*) (engine.cc:1538)
==24355==    by 0x1A1EFC1: ana::exploded_graph::process_node(ana::exploded_node*) (engine.cc:4153)
==24355==    by 0x1A1FF3A: ana::exploded_graph::process_worklist() (engine.cc:3542)
==24355==    by 0x1A22530: ana::impl_run_checkers(ana::logger*) (engine.cc:6233)
==24355==    by 0x1A23596: ana::run_checkers() (engine.cc:6331)
==24355==    by 0x1A11EB8: (anonymous namespace)::pass_analyzer::execute(function*) (analyzer-pass.cc:87)
==24355==    by 0x148B0FA: execute_one_pass(opt_pass*) (passes.cc:2660)
==24355==    by 0x148C4E6: execute_ipa_pass_list(opt_pass*) (passes.cc:3114)
==24355==    by 0x10820A1: ipa_passes (cgraphunit.cc:2273)
==24355==    by 0x10820A1: symbol_table::compile() [clone .part.0] (cgraphunit.cc:2338)
==24355==    by 0x1084837: compile (cgraphunit.cc:2316)
==24355==    by 0x1084837: symbol_table::finalize_compilation_unit() (cgraphunit.cc:2590)
==24355==    by 0x15D42F1: compile_file() (toplev.cc:480)
==24355==    by 0xE8B23E: do_compile (toplev.cc:2211)
==24355==    by 0xE8B23E: toplev::main(int, char**) (toplev.cc:2371)
==24355==    by 0xE8CAAA: main (main.cc:39)
==24355==  Address 0x0 is not stack'd, malloc'd or (recently) free'd
==24355==
...

$ x86_64-pc-linux-gnu-gcc -v
Using built-in specs.
COLLECT_GCC=/repo/gcc-trunk/binary-latest-amd64/bin/x86_64-pc-linux-gnu-gcc
COLLECT_LTO_WRAPPER=/repo/gcc-trunk/binary-trunk-r15-5029-20241107203450f536d54b-checking-yes-rtl-df-extra-nobootstrap-amd64/bin/../libexec/gcc/x86_64-pc-linux-gnu/15.0.0/lto-wrapper
Target: x86_64-pc-linux-gnu
Configured with: /repo/gcc-trunk//configure --enable-languages=c,c++ --enable-valgrind-annotations --disable-nls --enable-checking=yes,rtl,df,extra --disable-bootstrap --with-cloog --with-ppl --with-isl --build=x86_64-pc-linux-gnu --host=x86_64-pc-linux-gnu --target=x86_64-pc-linux-gnu --with-ld=/usr/bin/x86_64-pc-linux-gnu-ld --with-as=/usr/bin/x86_64-pc-linux-gnu-as --enable-libsanitizer --disable-libstdcxx-pch --prefix=/repo/gcc-trunk//binary-trunk-r15-5029-20241107203450f536d54b-checking-yes-rtl-df-extra-nobootstrap-amd64
Thread model: posix
Supported LTO compression algorithms: zlib zstd
gcc version 15.0.0 20241107 (experimental) (GCC)