[committed] analyzer: fix ICE due to sm-state origin being purged (PR 93382)

Message ID 20200123021015.11408-1-dmalcolm@redhat.com
State New
Series
  • [committed] analyzer: fix ICE due to sm-state origin being purged (PR 93382)

Commit Message

David Malcolm Jan. 23, 2020, 2:10 a.m.
The ICE in PR analyzer/93382 is a validation error.

The global variable "idx" acquires a "tainted" state from local array
n1[0].  When the frame is popped, the svalue for n1[0] is purged, but
the "taint" sm_state_map's entry for "idx" has a svalue_id referencing
the now-purged svalue.  This is caught by program_state::validate as an
assertion failure.

This patch fixes the issue by resetting the origin id within
sm_state_map entries for the case where the origin id has been purged.

Successfully bootstrapped & regrtested on x86_64-pc-linux-gnu;
pushed to master as r10-6164-g591b59ebfcd48319452ebbd954267c9a05ba4b78.

gcc/analyzer/ChangeLog:
	PR analyzer/93382
	* program-state.cc (sm_state_map::on_svalue_purge): If the
	entry survives, but the origin is being purged, then reset the
	origin to null.

gcc/testsuite/ChangeLog:
	PR analyzer/93382
	* gcc.dg/analyzer/pr93382.c: New test.
---
 gcc/analyzer/program-state.cc           |  5 +++++
 gcc/testsuite/gcc.dg/analyzer/pr93382.c | 25 +++++++++++++++++++++++++
 2 files changed, 30 insertions(+)
 create mode 100644 gcc/testsuite/gcc.dg/analyzer/pr93382.c

-- 
2.21.0

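To make the failure mode described in the commit message concrete, here is an added toy model in C++ (not GCC's own code; the `svalue_id`, `entry_t` and `sm_state_map` shapes and the svalue id numbering are assumed) that replays the PR 93382 scenario with and without the origin reset:

```cpp
// Added example, not GCC analyzer code: a stripped-down model of the taint
// sm_state_map purge, showing the dangling-origin validation failure and the fix.
#include <map>
#include <vector>

// Hypothetical mirror of the analyzer's svalue_id: -1 is the null id.
struct svalue_id {
  int idx;
  svalue_id(int i = -1) : idx(i) {}
  static svalue_id null() { return svalue_id(); }
  bool is_null() const { return idx < 0; }
  int as_int() const { return idx; }
  bool operator<(const svalue_id &o) const { return idx < o.idx; }
};

enum state_t { START, TAINTED };
struct entry_t { state_t m_state; svalue_id m_origin; };  // origin: where the state came from

struct sm_state_map {
  std::map<svalue_id, entry_t> m_map;

  // Purge every svalue whose id >= first_unused (the popped frame's locals).
  void on_svalue_purge(svalue_id first_unused, bool apply_fix) {
    std::vector<svalue_id> to_remove;
    for (auto &kv : m_map) {
      if (kv.first.as_int() >= first_unused.as_int())
        to_remove.push_back(kv.first);  // the entry itself dies with the frame
      else if (apply_fix && kv.second.m_origin.as_int() >= first_unused.as_int())
        kv.second.m_origin = svalue_id::null();  // the PR 93382 fix: drop dangling origin
    }
    for (svalue_id sid : to_remove) m_map.erase(sid);
  }

  // Mirrors program_state::validate: a non-null origin must be a live svalue.
  bool validate(int num_live_svalues) const {
    for (const auto &kv : m_map)
      if (!kv.second.m_origin.is_null()
          && kv.second.m_origin.as_int() >= num_live_svalues)
        return false;
    return true;
  }
};

// Replays PR 93382 with constructed ids: sid 0 is global "idx", sid 1 is local n1[0].
// Returns true if the taint map still validates after ql()'s frame is popped.
bool replay_pr93382(bool apply_fix) {
  sm_state_map taint;
  svalue_id idx(0), n1_0(1);
  taint.m_map[n1_0] = entry_t{TAINTED, svalue_id::null()};  // fread() taints n1[0]
  taint.m_map[idx] = entry_t{TAINTED, n1_0};                // idx = n1[0]
  taint.on_svalue_purge(svalue_id(1), apply_fix);  // frame pop: sids >= 1 are purged
  return taint.validate(/*num_live_svalues=*/1);
}
```

Without the fix `idx` survives with an origin pointing at the purged `n1[0]`, which is exactly what `validate` rejects; with the fix `idx` stays tainted but its origin is null.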
Patch

diff --git a/gcc/analyzer/program-state.cc b/gcc/analyzer/program-state.cc
index 72daee6428e..ba19ad1490e 100644
--- a/gcc/analyzer/program-state.cc
+++ b/gcc/analyzer/program-state.cc
@@ -453,6 +453,11 @@  sm_state_map::on_svalue_purge (const state_machine &sm,
 
 	  to_remove.safe_push (dst_sid);
 	}
+      else if ((*iter).second.m_origin.as_int () >= first_unused_sid.as_int ())
+	{
+	  /* If the origin svalue is being purged, then reset it to null.  */
+	  (*iter).second.m_origin = svalue_id::null ();
+	}
     }
 
   int i;
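Review bot: The new `else if` spells out the purge boundary as a raw int comparison, `(*iter).second.m_origin.as_int () >= first_unused_sid.as_int ()`, mirroring whatever test the branch above uses before it pushes `dst_sid` onto `to_remove`; two hand-written copies of the same "is this id being purged" rule can drift apart, so consider one small named predicate on `svalue_id` (taking `first_unused_sid`) and use it for both the key and `m_origin`. It is also worth extending the comment to say that a null origin (`svalue_id::null ()`) compares below `first_unused_sid` and is therefore left untouched here, since nothing in the hunk makes that visible.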
diff --git a/gcc/testsuite/gcc.dg/analyzer/pr93382.c b/gcc/testsuite/gcc.dg/analyzer/pr93382.c
new file mode 100644
index 00000000000..7d18d16e444
--- /dev/null
+++ b/gcc/testsuite/gcc.dg/analyzer/pr93382.c
@@ -0,0 +1,25 @@ 
+typedef __SIZE_TYPE__ size_t;
+
+int idx;
+void *fp;
+
+size_t
+fread (void *, size_t, size_t, void *);
+
+void
+ql (void)
+{
+  int n1[1];
+
+  fread (n1, sizeof (n1[0]), 1, fp); /* { dg-message "'n1' gets an unchecked value here" } */
+  idx = n1[0]; /* { dg-message "'idx' has an unchecked value here (from 'n1')" */
+}
+
+int arr[10];
+	
+int
+pl (void)
+{
+  ql ();
+  return arr[idx]; /* { dg-warning "use of tainted value 'idx' in array lookup without bounds checking" } */
+}
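Review bot: The `dg-message` directive on the `idx = n1[0];` line is missing its closing `}`, so DejaGnu will not recognise it and the "'idx' has an unchecked value here (from 'n1')" message is never actually checked; it should read `/* { dg-message "'idx' has an unchecked value here \\(from 'n1'\\)" } */` (dg patterns are Tcl regexps, so the parentheses are best escaped to match literally). There is also a stray tab on the otherwise blank line after `int arr[10];`.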