The ICE in PR analyzer/93382 is a validation error.
The global variable "idx" acquires a "tainted" state from local array
n1[0]. When the frame is popped, the svalue for n1[0] is purged, but
the "taint" sm_state_map's entry for "idx" has a svalue_id referencing
the now-purged svalue. This is caught by program_state::validate as an
assertion failure.
This patch fixes the issue by resetting the origin id within
sm_state_map entries for the case where the origin id has been purged.
gcc/analyzer/ChangeLog:
PR analyzer/93382
* program-state.cc (sm_state_map::on_svalue_purge): If the
entry survives, but the origin is being purged, then reset the
origin to null.
gcc/testsuite/ChangeLog:
PR analyzer/93382
* gcc.dg/analyzer/pr93382.c: New test.
+2020-01-22 David Malcolm <dmalcolm@redhat.com>
+
+ PR analyzer/93382
+ * program-state.cc (sm_state_map::on_svalue_purge): If the
+ entry survives, but the origin is being purged, then reset the
+ origin to null.
+
2020-01-22 David Malcolm <dmalcolm@redhat.com>
* sm-signal.cc: Fix nesting of CHECKING_P and namespace ana.
to_remove.safe_push (dst_sid);
}
+ else if ((*iter).second.m_origin.as_int () >= first_unused_sid.as_int ())
+ {
+ /* If the origin svalue is being purged, then reset it to null. */
+ (*iter).second.m_origin = svalue_id::null ();
+ }
}
int i;
+2020-01-22 David Malcolm <dmalcolm@redhat.com>
+
+ PR analyzer/93382
+ * gcc.dg/analyzer/pr93382.c: New test.
+
2020-01-22 Andrew Pinski <apinski@marvell.com>
* gcc.dg/tree-ssa/pr88497-1.c: Move to ...
--- /dev/null
+typedef __SIZE_TYPE__ size_t;
+
+int idx;
+void *fp;
+
+size_t
+fread (void *, size_t, size_t, void *);
+
+void
+ql (void)
+{
+ int n1[1];
+
+ fread (n1, sizeof (n1[0]), 1, fp); /* { dg-message "'n1' gets an unchecked value here" } */
+ idx = n1[0]; /* { dg-message "'idx' has an unchecked value here (from 'n1')" */
+}
+
+int arr[10];
+
+int
+pl (void)
+{
+ ql ();
+ return arr[idx]; /* { dg-warning "use of tainted value 'idx' in array lookup without bounds checking" } */
+}
projects / gcc.git / commitdiff