[committed] analyzer: fix ICE merging models containing label pointers (PR 93546)

Message ID 20200203193929.10601-1-dmalcolm@redhat.com
State New

Commit Message

David Malcolm Feb. 3, 2020, 7:39 p.m.
PR analyzer/93546 reports an ICE within region_model::add_region_for_type
when merging two region_models each containing a label pointer.  The
two labels are stored as pointers to symbolic_regions, but these regions
were created with NULL type, leading to an assertion failure when a
merged copy is created.

The labels themselves have void (but not NULL) type.

This patch updates make_region_for_type to use the type of the decl when
creating such regions, rather than implicitly setting the region's type
to NULL, fixing the ICE.

Successfully bootstrapped & regrtested on x86_64-pc-linux-gnu.
Pushed to master as r10-6410-g5e10b9a28be9061b9b0c4aa3cfabe6d478e444e0.

gcc/analyzer/ChangeLog:
	PR analyzer/93546
	* region-model.cc (region_model::on_call_pre): Update for new
	param of symbolic_region ctor.
	(region_model::deref_rvalue): Likewise.
	(region_model::add_new_malloc_region): Likewise.
	(make_region_for_type): Likewise, preserving type.
	* region-model.h (symbolic_region::symbolic_region): Add "type"
	param and pass it to base class ctor.

gcc/testsuite/ChangeLog:
	PR analyzer/93546
	* gcc.dg/analyzer/pr93546.c: New test.
---
 gcc/analyzer/region-model.cc            |  8 ++++----
 gcc/analyzer/region-model.h             |  4 ++--
 gcc/testsuite/gcc.dg/analyzer/pr93546.c | 10 ++++++++++
 3 files changed, 16 insertions(+), 6 deletions(-)
 create mode 100644 gcc/testsuite/gcc.dg/analyzer/pr93546.c

-- 
2.21.0

Patch

diff --git a/gcc/analyzer/region-model.cc b/gcc/analyzer/region-model.cc
index 679479c8b5c..38cf3b93b28 100644
--- a/gcc/analyzer/region-model.cc
+++ b/gcc/analyzer/region-model.cc
@@ -4163,7 +4163,7 @@  region_model::on_call_pre (const gcall *call, region_model_context *ctxt)
 	{
 	  region_id frame_rid = get_current_frame_id ();
 	  region_id new_rid
-	    = add_region (new symbolic_region (frame_rid, false));
+	    = add_region (new symbolic_region (frame_rid, NULL_TREE, false));
 	  if (!lhs_rid.null_p ())
 	    {
 	      svalue_id ptr_sid
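Review bot: the symbolic region for the unknown call's result is still created with NULL_TREE here, while the commit message attributes the ICE to regions created with a NULL type being merged. Since the lhs is already known at this point (lhs_rid is checked on the very next line), consider passing the pointee type of the lhs instead of NULL_TREE, or add a short comment stating why a NULL type is acceptable for this region and that merging models containing it does not reach the assertion in add_region_for_type.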
@@ -5113,7 +5113,7 @@  region_model::deref_rvalue (svalue_id ptr_sid, region_model_context *ctxt)
 	   We don't know if it on the heap, stack, or a global,
 	   so use the root region as parent.  */
 	region_id new_rid
-	  = add_region (new symbolic_region (m_root_rid, false));
+	  = add_region (new symbolic_region (m_root_rid, NULL_TREE, false));
 
 	/* We need to write the region back into the pointer,
 	   or we'll get a new, different region each time.
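Review bot: this region is written back into the pointer (per the comment that follows), so it will be reachable from any later merge of the two models, yet it is created with NULL_TREE. The pointee type of ptr_sid is the natural candidate for the new "type" argument; if it is intentionally left unknown because the pointer may be a void *, the comment above the call should say so, since a reader of this hunk otherwise sees the same NULL-typed-region pattern the patch is fixing elsewhere.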
@@ -5455,7 +5455,7 @@  region_model::add_new_malloc_region ()
 {
   region_id heap_rid
     = get_root_region ()->ensure_heap_region (this);
-  return add_region (new symbolic_region (heap_rid, true));
+  return add_region (new symbolic_region (heap_rid, NULL_TREE, true));
 }
 
 /* Attempt to return a tree that represents SID, or return NULL_TREE.
@@ -6006,7 +6006,7 @@  make_region_for_type (region_id parent_rid, tree type)
 
   /* If we have a void *, make a new symbolic region.  */
   if (VOID_TYPE_P (type))
-    return new symbolic_region (parent_rid, false);
+    return new symbolic_region (parent_rid, type, false);
 
   gcc_unreachable ();
 }
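Review bot: the comment "If we have a void *, make a new symbolic region" no longer matches the condition: VOID_TYPE_P (type) tests whether TYPE itself is void, which is exactly the label case from the commit message (labels have void, not NULL, type). Suggest rewording to something like "If we have a void type (the target of a void *, or a label), make a new symbolic region of that type", so the fix for PR 93546 is documented at the point where it lives.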
diff --git a/gcc/analyzer/region-model.h b/gcc/analyzer/region-model.h
index 70e3eb4c716..7768e45134f 100644
--- a/gcc/analyzer/region-model.h
+++ b/gcc/analyzer/region-model.h
@@ -1606,8 +1606,8 @@  namespace ana {
 class symbolic_region : public region
 {
 public:
-  symbolic_region (region_id parent_rid, bool possibly_null)
-  : region (parent_rid, svalue_id::null (), NULL_TREE),
+  symbolic_region (region_id parent_rid, tree type, bool possibly_null)
+  : region (parent_rid, svalue_id::null (), type),
     m_possibly_null (possibly_null)
   {}
   symbolic_region (const symbolic_region &other);
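Review bot: the new "type" parameter is undocumented, and the three call sites in region-model.cc pass NULL_TREE while make_region_for_type passes a real type. A comment on the ctor stating that TYPE is the type of the region's contents and may be NULL_TREE when unknown would make the contract explicit; it would also be worth confirming that the copy ctor declared on the next line preserves the type through the base class, since the ICE was triggered when a merged copy is created.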
diff --git a/gcc/testsuite/gcc.dg/analyzer/pr93546.c b/gcc/testsuite/gcc.dg/analyzer/pr93546.c
new file mode 100644
index 00000000000..432a6433be5
--- /dev/null
+++ b/gcc/testsuite/gcc.dg/analyzer/pr93546.c
@@ -0,0 +1,10 @@ 
+/* { dg-do compile } */
+
+void
+ch (int x1)
+{
+  ({ bx: &&bx; });
+  while (x1 == 0)
+    {
+    }
+}
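Review bot: the test has no comment explaining what it reproduces. Since the interesting parts are the address-of-label inside a statement expression (`({ bx: &&bx; })`) and the `while (x1 == 0)` loop that forces two region_models containing that label pointer to be merged, a two-line comment after the dg-do line describing this (and naming PR analyzer/93546) would keep the reduced reproducer understandable if it is ever touched again.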