From a0e4929b0461226722d6d08b1fdc2852b9100b75 Mon Sep 17 00:00:00 2001
From: David Malcolm <dmalcolm@redhat.com>
Date: Tue, 11 Feb 2020 09:45:48 -0500
Subject: [PATCH] analyzer: fix ICE in "__analyzer_dump_exploded_nodes" on
 non-empty worklist (PR 93669)

gcc/analyzer/ChangeLog:
	PR analyzer/93669
	* engine.cc (exploded_graph::dump_exploded_nodes): Handle missing
	case of STATUS_WORKLIST in implementation of
	"__analyzer_dump_exploded_nodes".

gcc/testsuite/ChangeLog:
	PR analyzer/93669
	* gcc.dg/analyzer/pr93669.c: New test.
---
 gcc/analyzer/ChangeLog                  |  7 +++++++
 gcc/analyzer/engine.cc                  | 17 +++++++++++++----
 gcc/testsuite/ChangeLog                 |  5 +++++
 gcc/testsuite/gcc.dg/analyzer/pr93669.c | 25 +++++++++++++++++++++++++
 4 files changed, 50 insertions(+), 4 deletions(-)
 create mode 100644 gcc/testsuite/gcc.dg/analyzer/pr93669.c

diff --git a/gcc/analyzer/ChangeLog b/gcc/analyzer/ChangeLog
index 38afa69da64..0734716a8a8 100644
--- a/gcc/analyzer/ChangeLog
+++ b/gcc/analyzer/ChangeLog
@@ -1,3 +1,10 @@
+2020-02-11  David Malcolm  <dmalcolm@redhat.com>
+
+	PR analyzer/93669
+	* engine.cc (exploded_graph::dump_exploded_nodes): Handle missing
+	case of STATUS_WORKLIST in implementation of
+	"__analyzer_dump_exploded_nodes".
+
 2020-02-11  David Malcolm  <dmalcolm@redhat.com>
 
 	PR analyzer/93649
diff --git a/gcc/analyzer/engine.cc b/gcc/analyzer/engine.cc
index 63579da953a..8d5f9c69724 100644
--- a/gcc/analyzer/engine.cc
+++ b/gcc/analyzer/engine.cc
@@ -3197,15 +3197,15 @@ exploded_graph::dump_exploded_nodes () const
 
   /* Emit a warning at any call to "__analyzer_dump_exploded_nodes",
      giving the number of processed exploded nodes for "before-stmt",
-     and the IDs of processed and merger enodes.
+     and the IDs of processed, merger, and worklist enodes.
 
      We highlight the count of *processed* enodes since this is of most
      interest in DejaGnu tests for ensuring that state merger has
      happened.
 
-     We don't show the count of merger enodes, as this is more of an
-     implementation detail of the merging that we don't want to bake
-     into our expected DejaGnu messages.  */
+     We don't show the count of merger and worklist enodes, as this is
+     more of an implementation detail of the merging/worklist that we
+     don't want to bake into our expected DejaGnu messages.  */
 
   unsigned i;
   exploded_node *enode;
@@ -3225,6 +3225,7 @@ exploded_graph::dump_exploded_nodes () const
 
 	      auto_vec<exploded_node *> processed_enodes;
 	      auto_vec<exploded_node *> merger_enodes;
+	      auto_vec<exploded_node *> worklist_enodes;
 	      /* This is O(N^2).  */
 	      unsigned j;
 	      exploded_node *other_enode;
@@ -3237,6 +3238,9 @@ exploded_graph::dump_exploded_nodes () const
 		      {
 		      default:
 			gcc_unreachable ();
+		      case exploded_node::STATUS_WORKLIST:
+			worklist_enodes.safe_push (other_enode);
+			break;
 		      case exploded_node::STATUS_PROCESSED:
 			processed_enodes.safe_push (other_enode);
 			break;
@@ -3254,6 +3258,11 @@ exploded_graph::dump_exploded_nodes () const
 		  pp_string (&pp, "] merger(s): [");
 		  print_enode_indices (&pp, merger_enodes);
 		}
+	      if (worklist_enodes.length () > 0)
+		{
+		  pp_string (&pp, "] worklist: [");
+		  print_enode_indices (&pp, worklist_enodes);
+		}
 	      pp_character (&pp, ']');
 
 	      warning_n (stmt->location, 0, processed_enodes.length (),
diff --git a/gcc/testsuite/ChangeLog b/gcc/testsuite/ChangeLog
index 2ca519c51c4..f75a6781d6b 100644
--- a/gcc/testsuite/ChangeLog
+++ b/gcc/testsuite/ChangeLog
@@ -1,3 +1,8 @@
+2020-02-11  David Malcolm  <dmalcolm@redhat.com>
+
+	PR analyzer/93669
+	* gcc.dg/analyzer/pr93669.c: New test.
+
 2020-02-11  David Malcolm  <dmalcolm@redhat.com>
 
 	PR analyzer/93649
diff --git a/gcc/testsuite/gcc.dg/analyzer/pr93669.c b/gcc/testsuite/gcc.dg/analyzer/pr93669.c
new file mode 100644
index 00000000000..01e266dd3f2
--- /dev/null
+++ b/gcc/testsuite/gcc.dg/analyzer/pr93669.c
@@ -0,0 +1,25 @@
+/* { dg-additional-options "--param analyzer-max-enodes-per-program-point=2 -Wno-analyzer-too-complex" }  */
+
+#include "analyzer-decls.h"
+
+int test (int a)
+{
+  if (a != 42 && a != 113) {
+    return (-2);
+  }
+
+  __analyzer_dump_exploded_nodes (0); /* { dg-warning "1 processed enode" } */
+
+  return 0;
+}
+
+int test_2 (int a)
+{
+  if (a != 42 && a != 113 && a != 666) {
+    return (-2);
+  }
+
+  __analyzer_dump_exploded_nodes (0); /* { dg-warning "1 processed enode" } */
+
+  return 0;
+}
-- 
2.30.2