[Bug analyzer/106845] [13 Regression] ICE in exceeds_p, at analyzer/store.cc:464 since r13-2029-g7e3b45befdbbf1a1

2022-09-11 Thread tlange at gcc dot gnu.org via Gcc-bugs
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=106845

Tim Lange  changed:

   What|Removed |Added

 Resolution|--- |FIXED
 Status|ASSIGNED|RESOLVED

--- Comment #6 from Tim Lange  ---
(In reply to CVS Commits from comment #5)
> The master branch has been updated by Tim Lange :
> 
> https://gcc.gnu.org/g:0ea5e3f4542832b8da016b152695e64a2a386309
> 
> commit r13-2582-g0ea5e3f4542832b8da016b152695e64a2a386309

Fixed the ICE with the commit above.

[Bug analyzer/106845] [13 Regression] ICE in exceeds_p, at analyzer/store.cc:464 since r13-2029-g7e3b45befdbbf1a1

2022-09-11 Thread cvs-commit at gcc dot gnu.org via Gcc-bugs
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=106845

--- Comment #5 from CVS Commits  ---
The master branch has been updated by Tim Lange :

https://gcc.gnu.org/g:0ea5e3f4542832b8da016b152695e64a2a386309

commit r13-2582-g0ea5e3f4542832b8da016b152695e64a2a386309
Author: Tim Lange 
Date:   Sat Sep 10 23:53:48 2022 +0200

analyzer: consider empty ranges and zero byte accesses [PR106845]

This patch adds handling of empty ranges in bit_range and byte_range and
adds an assertion to member functions that assume a positive size.
Further, the patch fixes an ICE caused by an empty byte_range passed to
byte_range::exceeds_p.

Regression-tested on Linux x86_64.

2022-09-10  Tim Lange  

gcc/analyzer/ChangeLog:

PR analyzer/106845
* region-model.cc (region_model::check_region_bounds):
Bail out if 0 bytes were accessed.
* store.cc (byte_range::dump_to_pp):
Add special case for empty ranges.
(byte_range::exceeds_p): Restrict to non-empty ranges.
(byte_range::falls_short_of_p): Restrict to non-empty ranges.
* store.h (bit_range::empty_p): New function.
(bit_range::get_last_byte_offset): Restrict to non-empty ranges.
(byte_range::empty_p): New function.
(byte_range::get_last_byte_offset): Restrict to non-empty ranges.

gcc/testsuite/ChangeLog:

PR analyzer/106845
* gcc.dg/analyzer/out-of-bounds-zero.c: New test.
* gcc.dg/analyzer/pr106845.c: New test.

[Bug analyzer/106845] [13 Regression] ICE in exceeds_p, at analyzer/store.cc:464 since r13-2029-g7e3b45befdbbf1a1

2022-09-06 Thread tlange at gcc dot gnu.org via Gcc-bugs
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=106845

Tim Lange  changed:

   What|Removed |Added

           Assignee|dmalcolm at gcc dot gnu.org |tlange at gcc dot gnu.org
             Status|NEW                         |ASSIGNED

[Bug analyzer/106845] [13 Regression] ICE in exceeds_p, at analyzer/store.cc:464 since r13-2029-g7e3b45befdbbf1a1

2022-09-06 Thread dmalcolm at gcc dot gnu.org via Gcc-bugs
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=106845

--- Comment #4 from David Malcolm  ---
(In reply to Tim Lange from comment #3)
> It seems to me that the implementations of byte_range/bit_range
> get_last_byte_offset () already assume that m_size_in_bytes should be
> greater than zero. So I think the first one should be the preferred fix.

Sounds right to me; do you want to assign yourself this one?

[Bug analyzer/106845] [13 Regression] ICE in exceeds_p, at analyzer/store.cc:464 since r13-2029-g7e3b45befdbbf1a1

2022-09-06 Thread tlange at gcc dot gnu.org via Gcc-bugs
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=106845

--- Comment #3 from Tim Lange  ---
Thanks for the report!

(In reply to David Malcolm from comment #2)
> (gdb) call this->dump()
> bytes 1-0

This should be the read_bytes in region_model::check_region_bounds, with the
start being the offset and the last byte being the offset + num_bytes - 1. So
the number of accessed bytes seems to return 0.
I do use get_byte_size_sval () to retrieve the num_bytes. For the sized_region,
the m_byte_size_sval is returned, which is set to buf_size aka 0 inside
impl_call_memset. So the bug is that the caller proceeds to check for overflows
even if no bytes are accessed.

Solutions would be:
1. Bail out in the region_model::check_region_bounds if (tree_int_cst_equal
(num_bytes_tree, integer_zero_node)). Maybe also add an assertion to the
constructor of byte_range that m_size_in_bytes > 0.
2. Returning false if either THIS or OTHER has a size == 0 in
byte_range::exceeds_p and byte_range::falls_short_p.

It seems to me that the implementations of byte_range/bit_range
get_last_byte_offset () already assume that m_size_in_bytes should be greater
than zero. So I think the first one should be the preferred fix.
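The failure mode analysed in this comment and the two-part fix landed in comment #5 (bail out of check_region_bounds when 0 bytes are accessed; restrict exceeds_p to non-empty ranges), as an added example that is not the analyzer's own code: a cut-down C++ model of byte_range and check_region_bounds. The class and member names, the "bytes 1-0" / "bytes 0--1" empty ranges and the shape of the exceeds_p condition follow the backtrace and ChangeLog on this page; the MODEL_ASSERT macro standing in for gcc_assert, the string verdicts, the check driver and the wording printed for an empty range are assumptions made for the illustration.

```cpp
// Added model (not GCC's code) of the analyzer's byte_range and of
// region_model::check_region_bounds, cut down to what PR106845 needs: it
// reproduces the ICE on a zero-byte access such as memset (buf, 0, 0) and
// applies the fix from comment #5 (bail out on 0 accessed bytes; have
// exceeds_p reject empty ranges).  Names follow the report; the code is ours.
#include <algorithm>
#include <cstdint>
#include <stdexcept>
#include <string>

typedef int64_t byte_offset_t;

// Stand-in for gcc_assert: the ICE is modelled as an exception so that the
// failure can be observed without aborting the process.
struct internal_error : std::logic_error
{
  using std::logic_error::logic_error;
};
#define MODEL_ASSERT(cond) \
  do { if (!(cond)) throw internal_error ("assertion failed: " #cond); } while (0)

struct byte_range
{
  byte_offset_t m_start_byte_offset;
  byte_offset_t m_size_in_bytes;
  byte_range (byte_offset_t start, byte_offset_t size)
    : m_start_byte_offset (start), m_size_in_bytes (size) {}
  bool empty_p () const { return m_size_in_bytes == 0; }
  byte_offset_t get_start_byte_offset () const { return m_start_byte_offset; }
  byte_offset_t get_next_byte_offset () const
  { return m_start_byte_offset + m_size_in_bytes; }
  // Only meaningful for a non-empty range: for "bytes 1-0" the last byte
  // would lie before the start, the point made in comment #3.
  byte_offset_t get_last_byte_offset () const
  {
    MODEL_ASSERT (!empty_p ());
    return get_next_byte_offset () - 1;
  }
  // Shape of store.cc:exceeds_p as listed in the backtrace.  FIXED selects
  // whether the empty-range guard from the patch is present.
  template <bool FIXED>
  bool exceeds_p (const byte_range &other, byte_range *out) const
  {
    if (FIXED)
      MODEL_ASSERT (!empty_p ());
    if (other.get_next_byte_offset () < get_next_byte_offset ())
      {
        /* THIS definitely exceeds OTHER.  */
        byte_offset_t start = std::max (get_start_byte_offset (),
                                        other.get_next_byte_offset ());
        byte_offset_t size = get_next_byte_offset () - start;
        MODEL_ASSERT (size > 0);  /* the store.cc:464 assertion */
        out->m_start_byte_offset = start;
        out->m_size_in_bytes = size;
        return true;
      }
    return false;
  }
  // dump_to_pp with the patch's special case for empty ranges (our wording);
  // before the patch an empty range at offset 1 printed as "bytes 1-0".
  std::string dump () const
  {
    if (empty_p ())
      return "empty range at byte " + std::to_string (m_start_byte_offset);
    return "bytes " + std::to_string (get_start_byte_offset ()) + "-"
           + std::to_string (get_last_byte_offset ());
  }
};

// Model of region_model::check_region_bounds for a constant-capacity buffer:
// READ_BYTES is [OFFSET, OFFSET + NUM_BYTES), VALID_BYTES is [0, CAPACITY).
// Returns "ok", "overflow: <overhanging bytes>" or "ICE: <failed assertion>".
template <bool FIXED>
std::string
check_region_bounds (byte_offset_t offset, byte_offset_t num_bytes,
                     byte_offset_t capacity)
{
  if (FIXED && num_bytes == 0)  /* "Bail out if 0 bytes were accessed." */
    return "ok";
  try
    {
      byte_range read_bytes (offset, num_bytes);
      byte_range valid_bytes (0, capacity);
      byte_range overhang (0, 0);
      if (read_bytes.exceeds_p<FIXED> (valid_bytes, &overhang))
        return "overflow: " + overhang.dump ();
      return "ok";
    }
  catch (const internal_error &e)
    {
      return std::string ("ICE: ") + e.what ();
    }
}

// Driver: run the pre-fix (fixed=false) or patched checker on one access.
std::string
check (bool fixed, byte_offset_t offset, byte_offset_t num_bytes,
       byte_offset_t capacity)
{
  return fixed ? check_region_bounds<true> (offset, num_bytes, capacity)
               : check_region_bounds<false> (offset, num_bytes, capacity);
}
```

check (false, 1, 0, 0) replays the report: read_bytes is the empty range at offset 1 ("bytes 1-0"), valid_bytes is the empty range at offset 0 ("bytes 0--1"), the exceeds condition holds because 0 < 1, and the computed overhang has size 0, so the assertion fires. Any zero-length access whose offset lies past the capacity, such as check (false, 8, 0, 4), fails the same way. With the patch the caller returns before a byte_range is built, and exceeds_p additionally refuses an empty THIS so that a future caller which forgets the guard fails on the precondition rather than on a nonsensical overhang. Real overflows are unaffected: check (true, 2, 4, 4) still reports bytes 4-5.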

[Bug analyzer/106845] [13 Regression] ICE in exceeds_p, at analyzer/store.cc:464 since r13-2029-g7e3b45befdbbf1a1

2022-09-06 Thread dmalcolm at gcc dot gnu.org via Gcc-bugs
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=106845

--- Comment #2 from David Malcolm  ---
Failing assertion here:

#1  0x014df116 in ana::byte_range::exceeds_p (this=0x7fffbf80,
other=..., out_overhanging_byte_range=0x7fffbfc0)
at ../../src/gcc/analyzer/store.cc:464
464   gcc_assert (size > 0);


(gdb) list
459 {
460   /* THIS definitely exceeds OTHER.  */
461   byte_offset_t start = MAX (get_start_byte_offset (),
462  other.get_next_byte_offset ());
463   byte_offset_t size = get_next_byte_offset () - start;
464   gcc_assert (size > 0);
465   out_overhanging_byte_range->m_start_byte_offset = start;
466   out_overhanging_byte_range->m_size_in_bytes = size;
467   return true;
468 }

where "this" and "other" are both empty, having 0 size:

(gdb) call this->dump()
bytes 1-0
(gdb) call other.dump()
bytes 0--1

because the cst_capacity_tree in the region_model::check_region_bounds caller is
zero.

[Bug analyzer/106845] [13 Regression] ICE in exceeds_p, at analyzer/store.cc:464 since r13-2029-g7e3b45befdbbf1a1

2022-09-06 Thread rguenth at gcc dot gnu.org via Gcc-bugs
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=106845

Richard Biener  changed:

   What|Removed |Added

   Target Milestone|--- |13.0

[Bug analyzer/106845] [13 Regression] ICE in exceeds_p, at analyzer/store.cc:464 since r13-2029-g7e3b45befdbbf1a1

2022-09-06 Thread marxin at gcc dot gnu.org via Gcc-bugs
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=106845

Martin Liška  changed:

   What|Removed |Added

   Last reconfirmed||2022-09-06
 CC||marxin at gcc dot gnu.org
 Ever confirmed|0   |1
 Status|UNCONFIRMED |NEW
Summary|[13 Regression] ICE in  |[13 Regression] ICE in
   |exceeds_p, at   |exceeds_p, at
   |analyzer/store.cc:464   |analyzer/store.cc:464 since
   ||r13-2029-g7e3b45befdbbf1a1

--- Comment #1 from Martin Liška  ---
Started with r13-2029-g7e3b45befdbbf1a1.