analyzer: fix ICE with -Wanalyzer-null-dereference [PR 93950]

PR analyzer/93950 reports an ICE when pruning the path of a
-Wanalyzer-null-dereference diagnostic.

The root cause is a bug in the state-tracking code, in which the
variable of interest is tracked from the callee to a "nullptr" param
at the caller, whereupon we have an INTEGER_CST "variable", and
the attempt to look up its lvalue fails.

This code could use a rewrite; in the meantime this patch extends
the bulletproofing from g:8525d1f5f57b11fe04a97674cc2fc2b7727621d0
for PR analyzer/93544 to all of the various places where var can
be updated, fixing the ICE.

gcc/analyzer/ChangeLog:
	PR analyzer/93950
	* diagnostic-manager.cc
	(diagnostic_manager::prune_for_sm_diagnostic): Assert that var is
	either NULL or not a constant.  When updating var, bulletproof
	against constant values.

gcc/testsuite/ChangeLog:
	PR analyzer/93950
	* g++.dg/analyzer/pr93950.C: New test.

diff --git a/gcc/analyzer/ChangeLog b/gcc/analyzer/ChangeLog
index 92377be49929263c728fb5e081193717560683c4..5fbaec389aa98bba4516788b945f1271ef4e9181 100644 (file)
--- a/gcc/analyzer/ChangeLog
+++ b/gcc/analyzer/ChangeLog
@@ -1,3 +1,11 @@
+2020-02-26  David Malcolm  <dmalcolm@redhat.com>
+
+       PR analyzer/93950
+       * diagnostic-manager.cc
+       (diagnostic_manager::prune_for_sm_diagnostic): Assert that var is
+       either NULL or not a constant.  When updating var, bulletproof
+       against constant values.
+
 2020-02-26  David Malcolm  <dmalcolm@redhat.com>
 
        PR analyzer/93947

diff --git a/gcc/analyzer/diagnostic-manager.cc b/gcc/analyzer/diagnostic-manager.cc
index 78c5890054f3b47fcff98e38d5290fe672c9f5e6..b8e5933437495b1bc050762609219962daf190ba 100644 (file)
--- a/gcc/analyzer/diagnostic-manager.cc
+++ b/gcc/analyzer/diagnostic-manager.cc
@@ -1105,6 +1105,7 @@ diagnostic_manager::prune_for_sm_diagnostic (checker_path *path,
          else
            log ("considering event %i", idx);
        }
+      gcc_assert (var == NULL || !CONSTANT_CLASS_P (var));
       switch (base_event->m_kind)
        {
        default:
@@ -1164,6 +1165,11 @@ diagnostic_manager::prune_for_sm_diagnostic (checker_path *path,
                    log ("event %i: switching var of interest from %qE to %qE",
                         idx, var, state_change->m_origin);
                    var = state_change->m_origin;
+                   if (var && CONSTANT_CLASS_P (var))
+                     {
+                       log ("new var is a constant; setting var to NULL");
+                       var = NULL_TREE;
+                     }
                  }
                log ("event %i: switching state of interest from %qs to %qs",
                     idx, sm->get_state_name (state_change->m_to),
@@ -1260,6 +1266,11 @@ diagnostic_manager::prune_for_sm_diagnostic (checker_path *path,
                var = caller_var;
                if (expr.param_p ())
                  event->record_critical_state (var, state);
+               if (var && CONSTANT_CLASS_P (var))
+                 {
+                   log ("new var is a constant; setting var to NULL");
+                   var = NULL_TREE;
+                 }
              }
          }
          break;
@@ -1285,6 +1296,11 @@ diagnostic_manager::prune_for_sm_diagnostic (checker_path *path,
                    var = callee_var;
                    if (expr.return_value_p ())
                      event->record_critical_state (var, state);
+                   if (var && CONSTANT_CLASS_P (var))
+                     {
+                       log ("new var is a constant; setting var to NULL");
+                       var = NULL_TREE;
+                     }
                  }
              }
          }

diff --git a/gcc/testsuite/ChangeLog b/gcc/testsuite/ChangeLog
index c6158b38ca07909b306f4c1ed3d15f9eeb6a5b8f..d8a403e5139dd236f05c017d859eecdf9a0ede1b 100644 (file)
--- a/gcc/testsuite/ChangeLog
+++ b/gcc/testsuite/ChangeLog
@@ -1,3 +1,8 @@
+2020-02-26  David Malcolm  <dmalcolm@redhat.com>
+
+       PR analyzer/93950
+       * g++.dg/analyzer/pr93950.C: New test.
+
 2020-02-26  David Malcolm  <dmalcolm@redhat.com>
 
        PR analyzer/93947

diff --git a/gcc/testsuite/g++.dg/analyzer/pr93950.C b/gcc/testsuite/g++.dg/analyzer/pr93950.C
new file mode 100644 (file)
index 0000000..e280817
--- /dev/null
+++ b/gcc/testsuite/g++.dg/analyzer/pr93950.C
@@ -0,0 +1,28 @@
+// { dg-do compile { target c++11 } }
+
+struct d
+{
+  struct e
+  {
+    int f;
+    int *g;
+  };
+  void h (e * i)
+  {
+    void *j = nullptr; // { dg-bogus "NULL" "" { xfail *-*-* } }
+    // TODO(xfail): we report "'i' is NULL" above, which is the wrong location
+    
+    i->f = *i->g; // { dg-warning "dereference of NULL 'i'" }
+  }
+  virtual void c (int, int)
+  {
+    int *j = nullptr;
+    h (nullptr);
+  }
+};
+
+void
+foo ()
+{
+  d ();
+}