[Bug tree-optimization/92868] [10 Regression] ICE: tree check: expected integer_cst, have ssa_name in to_wide, at tree.h:5855
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=92868

Martin Sebor changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|ASSIGNED                    |RESOLVED
         Resolution|---                         |FIXED

--- Comment #7 from Martin Sebor ---
Fixed by r279392.
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=92868

--- Comment #6 from Martin Sebor ---
Author: msebor
Date: Sat Dec 14 00:52:46 2019
New Revision: 279392

URL: https://gcc.gnu.org/viewcvs?rev=279392&root=gcc&view=rev
Log:
PR middle-end/91582 - missing heap overflow detection for strcpy
PR middle-end/92868 - ICE: tree check: expected integer_cst, have ssa_name

gcc/ChangeLog:

        PR middle-end/91582
        PR middle-end/92868
        * builtins.c (addr_decl_size): New function.
        (gimple_call_alloc_size): Add arguments.
        (compute_objsize): Add an argument.  Set *PDECL even for allocated
        objects.
        Correct checking for negative wide_int.
        Correct handling of negative outer offsets into unknown regions
        or with unknown inner offsets.
        Extend offsets to at most sizetype precision.
        Only handle constant subobject sizes.
        * builtins.h (gimple_call_alloc_size): Add arguments.
        * tree.c (component_ref_size): Always return sizetype.
        * tree-ssa-strlen.c (strinfo::alloc): New member.
        (get_addr_stridx): Add argument.
        (get_stridx): Use ptrdiff_t.  Add argument.
        (new_strinfo): Set new member.
        (get_string_length): Handle alloca and VLA.
        (dump_strlen_info): Dump more state.
        (maybe_invalidate): Print more info.  Decrease indentation.
        (unshare_strinfo): Set new member.
        (valid_builtin_call): Handle alloca and VLA.
        (maybe_warn_overflow): Check and set no-warning bit.  Improve
        handling of offsets.  Print allocated objects.
        (handle_builtin_strlen): Handle strinfo records with null lengths.
        (handle_builtin_strcpy): Add argument.  Call maybe_warn_overflow.
        (is_strlen_related_p): Handle dynamically allocated objects.
        (get_range): Add argument.
        (handle_builtin_malloc): Rename...
        (handle_alloc): ...to this and handle all allocation functions.
        (handle_builtin_memset): Call maybe_warn_overflow.
        (count_nonzero_bytes): Handle more MEM_REF forms.
        (strlen_check_and_optimize_call): Call handle_alloc_call.  Pass
        arguments to more callees.
        (handle_integral_assign): Add argument.  Create strinfo entries
        for MEM_REF assignments.
        (check_and_optimize_stmt): Handle more MEM_REF forms.

gcc/testsuite/ChangeLog:

        PR middle-end/91582
        * c-c++-common/Wrestrict.c: Adjust expected warnings.
        * gcc/testsuite/c-c++-common/Wstringop-truncation-4.c: Enable more
        warnings.
        * gcc/testsuite/c-c++-common/Wstringop-truncation.c: Remove an xfail.
        * gcc.dg/Warray-bounds-46.c: Disable -Wstringop-overflow.
        * gcc.dg/Warray-bounds-47.c: Same.
        * gcc.dg/Warray-bounds-52.c: New test.
        * gcc.dg/Wstringop-overflow-27.c: New test.
        * gcc.dg/Wstringop-overflow-28.c: New test.
        * gcc.dg/Wstringop-overflow-29.c: New test.
        * gcc.dg/attr-alloc_size.c (test): Disable -Warray-bounds.
        * gcc.dg/attr-copy-2.c: Adjust expected warnings.
        * gcc.dg/builtin-stringop-chk-5.c: Adjust text of expected messages.
        * gcc.dg/strlenopt-86.c: Relax test.
        * gcc.target/i386/pr82002-1.c: Prune expected warnings.

Added:
    trunk/gcc/testsuite/gcc.dg/Warray-bounds-52.c
    trunk/gcc/testsuite/gcc.dg/Wstringop-overflow-27.c
    trunk/gcc/testsuite/gcc.dg/Wstringop-overflow-28.c
    trunk/gcc/testsuite/gcc.dg/Wstringop-overflow-29.c
Modified:
    trunk/gcc/ChangeLog
    trunk/gcc/builtins.c
    trunk/gcc/builtins.h
    trunk/gcc/testsuite/ChangeLog
    trunk/gcc/testsuite/c-c++-common/Wrestrict.c
    trunk/gcc/testsuite/c-c++-common/Wstringop-truncation-4.c
    trunk/gcc/testsuite/c-c++-common/Wstringop-truncation.c
    trunk/gcc/testsuite/g++.dg/warn/Wstringop-overflow-3.C
    trunk/gcc/testsuite/gcc.dg/Warray-bounds-46.c
    trunk/gcc/testsuite/gcc.dg/Warray-bounds-47.c
    trunk/gcc/testsuite/gcc.dg/attr-alloc_size.c
    trunk/gcc/testsuite/gcc.dg/attr-copy-2.c
    trunk/gcc/testsuite/gcc.dg/builtin-stringop-chk-5.c
    trunk/gcc/testsuite/gcc.dg/strlenopt-86.c
    trunk/gcc/testsuite/gcc.target/i386/pr82002-1.c
    trunk/gcc/tree-ssa-strlen.c
    trunk/gcc/tree-ssa-strlen.h
    trunk/gcc/tree.c
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=92868

--- Comment #5 from Jakub Jelinek ---
(In reply to Martin Sebor from comment #4)
> The problem is fixed by the patch for PR 91582:
> https://gcc.gnu.org/ml/gcc-patches/2019-12/msg00478.html

That patch doesn't even mention the compute_objsize changes that matter most for this in the ChangeLog entry. The sign_mask > 0 case which is never possible is still in there etc.
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=92868

Martin Sebor changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
           Keywords|                            |patch

--- Comment #4 from Martin Sebor ---
The problem is fixed by the patch for PR 91582:
https://gcc.gnu.org/ml/gcc-patches/2019-12/msg00478.html
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=92868

--- Comment #3 from Martin Sebor ---
Martin, thanks for CC'ing me on bugs I cause, but please leave assigning them to me or whoever might choose to come up with a fix before I get to it.
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=92868

Jakub Jelinek changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |jakub at gcc dot gnu.org

--- Comment #2 from Jakub Jelinek ---
That code has lots of issues. Some in patch form as I was going through them:

gimple_call_alloc_size: for the case when size is INTEGER_CST and it is the one argument alloc_size, I don't see a reason not to return size earlier, there is no need to wi::to_wide. I don't see a point in computing rng1[0] and rng2[0] when nothing really uses it (write-only element). Some formatting and typo in comment.

I don't understand why you are using wi::sign_mask, the normal test for negative wide_int when it is treated as signed integer of the corresponding precision is wi::neg_p, that is more readable and descriptive. If something is tested on the wide ints with extra precision and the ::from was UNSIGNED, that is of course not possible, but sign_mask will not work in that case either. And if it is ::from with SIGNED, neg_p should work fine too.

There is a weird:
  wide_int declsize = wi::to_wide (size);
  if (wi::sign_mask (dstoffrng[0]) > 0)
    declsize += dstoffrng[0];
that condition is never true, sign_mask will only ever return 0 or -1:
  return (HOST_WIDE_INT) (high) < 0 ? -1 : 0;

None of this fixes the ICE. How exactly to fix that depends on whether *poff can be something other than INTEGER_CST or not. If it can be only INTEGER_CST, then whatever code is setting *poff to non-INTEGER_CST should instead punt or set to some safe value, whatever, if it can be anything, then while it is fine to call functions like integer_zerop etc. on that, tree_int_cst_sgn requires the argument to be INTEGER_CST only, so there needs to be
  TREE_CODE (*poff) == INTEGER_CST && tree_int_cst_sgn (*poff) < 0
instead. Or perhaps you want !tree_expr_nonnegative_p (*poff) instead?

--- gcc/builtins.c.jj 2019-12-05 09:47:23.178710510 +0100 +++ gcc/builtins.c 2019-12-09 15:52:55.951404452 +0100 
@@ -3746,36 +3746,33 @@ gimple_call_alloc_size (gimple *stmt) } tree size = gimple_call_arg (stmt, argidx1); + if (argidx2 > nargs && TREE_CODE (size) == INTEGER_CST) +return size; wide_int rng1[2]; if (TREE_CODE (size) == INTEGER_CST) -rng1[0] = rng1[1] = wi::to_wide (size); +rng1[1] = wi::to_wide (size); else if (TREE_CODE (size) != SSA_NAME || get_range_info (size, rng1, rng1 + 1) != VR_RANGE) return NULL_TREE; - if (argidx2 > nargs && TREE_CODE (size) == INTEGER_CST) -return size; - /* To handle ranges do the math in wide_int and return the product of the upper bounds as a constant. Ignore anti-ranges. */ - tree n = argidx2 < nargs ? gimple_call_arg (stmt, argidx2) : integer_one_node; + tree n += argidx2 < nargs ? gimple_call_arg (stmt, argidx2) : integer_one_node; wide_int rng2[2]; if (TREE_CODE (n) == INTEGER_CST) -rng2[0] = rng2[1] = wi::to_wide (n); +rng2[1] = wi::to_wide (n); else if (TREE_CODE (n) != SSA_NAME || get_range_info (n, rng2, rng2 + 1) != VR_RANGE) return NULL_TREE; - /* Extend to the maximum precsion to avoid overflow. */ + /* Extend to the maximum precision to avoid overflow. */ const int prec = ADDR_MAX_PRECISION; - rng1[0] = wide_int::from (rng1[0], prec, UNSIGNED); rng1[1] = wide_int::from (rng1[1], prec, UNSIGNED); - rng2[0] = wide_int::from (rng2[0], prec, UNSIGNED); rng2[1] = wide_int::from (rng2[1], prec, UNSIGNED); /* Return the lesser of SIZE_MAX and the product of the upper bounds. */ - rng1[0] = rng1[0] * rng2[0]; rng1[1] = rng1[1] * rng2[1]; tree size_max = TYPE_MAX_VALUE (sizetype); if (wi::gtu_p (rng1[1], wi::to_wide (size_max, prec))) @@ -3853,7 +3850,7 @@ compute_objsize (tree dest, int ostype, /* Ignore negative offsets for now. For others, use the lower bound as the most optimistic estimate of the (remaining) size. */ - if (wi::sign_mask (wioff)) + if (wi::neg_p (wioff)) ; else if (wi::ltu_p (wioff, wisiz)) { 
@@ -3882,9 +3879,8 @@ compute_objsize (tree dest, int ostype, /* Ignore negative offsets for now. For others, use the lower bound as the most optimistic -estimate of the (remaining)size. */ - if (wi::sign_mask (min) - || wi::sign_mask (max)) +estimate of the (remaining) size. */ + if (wi::neg_p (min) || wi::neg_p (max)) ; else if (wi::ltu_p (min, wisiz)) { @@ -3912,8 +3908,7 @@ compute_objsize (tree dest, int ostype, if (!ostype) return
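Review bot: in the gimple_call_alloc_size hunk, the INTEGER_CST branches now assign only rng1[1] and rng2[1], while the arrays stay `wide_int rng1[2]` and `wide_int rng2[2]` and get_range_info (size, rng1, rng1 + 1) still fills both elements on the SSA_NAME path. Element 0 is therefore set on one path and not on the other; a one-line comment saying that only the upper bound [1] is read from here on would keep a later change from using rng1[0] or rng2[0] by mistake.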
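Review bot: in the first compute_objsize hunk (-3853), `if (wi::neg_p (wioff))` still has an empty statement as its body, with the reason given only by the comment above it ("Ignore negative offsets for now"). wi::neg_p tests the sign at wioff's own precision, and the lines shown do not say how wioff was extended, so that comment should state that wioff is sign-extended or kept at the offset's precision; after a zero-extension to a wider precision this branch cannot be taken.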
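Review bot: in the second compute_objsize hunk (-3882), `if (wi::neg_p (min) || wi::neg_p (max))` skips the range when either bound is negative, but the comment only speaks of negative offsets and of using the lower bound as the estimate. If the test on max is there to catch a range whose upper bound wrapped, the comment should say so; otherwise testing min alone would match what the comment describes.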
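The point made in comment #2 about wi::sign_mask, wi::neg_p and the signedness passed to ::from, as a small model added here for illustration; it is not GCC's wide_int code. The `wint` type and the helper bodies are hypothetical stand-ins, and the sample offset is constructed.

```cpp
// Simplified model of a fixed-precision integer, added for illustration.
// NOT GCC's wide_int: `wint`, `from`, `neg_p` and `sign_mask` here are
// hypothetical stand-ins that mimic the behaviour described in comment #2.
#include <cstdint>

enum signop { SIGNED, UNSIGNED };

struct wint {
  uint64_t bits;   // value; only the low `prec` bits are meaningful
  unsigned prec;   // precision in bits, 1..64
};

// All-ones mask covering the low PREC bits.
static uint64_t mask (unsigned prec)
{ return prec == 64 ? ~uint64_t (0) : (uint64_t (1) << prec) - 1; }

// True if the top bit at X's own precision is set.
static bool neg_p (wint x)
{ return (x.bits >> (x.prec - 1)) & 1; }

// Like the expression quoted in the comment, yields only 0 or -1.
static int sign_mask (wint x)
{ return neg_p (x) ? -1 : 0; }

// Extend X to PREC bits, zero- or sign-extending according to SGN.
static wint from (wint x, unsigned prec, signop sgn)
{
  uint64_t v = x.bits & mask (x.prec);
  if (sgn == SIGNED && neg_p (x))
    v |= ~mask (x.prec);            // replicate the sign bit upwards
  return wint { v & mask (prec), prec };
}

// The condition from the quoted snippet: `sign_mask (off) > 0`.
static bool dead_condition (wint off)
{ return sign_mask (off) > 0; }

int main ()
{
  wint off = { 0xfffffff8u, 32 };            // constructed sample: -8 as a 32-bit offset
  bool ok = neg_p (off)                      // negative at its own precision
    && !dead_condition (off)                 // but the `> 0` test never fires
    && !neg_p (from (off, 64, UNSIGNED))     // zero-extension loses the sign
    && neg_p (from (off, 64, SIGNED));       // sign-extension keeps it
  return ok ? 0 : 1;
}
```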
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=92868

Martin Liška changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|UNCONFIRMED                 |ASSIGNED
   Last reconfirmed|                            |2019-12-09
                 CC|                            |marxin at gcc dot gnu.org
      Known to work|                            |9.2.0
           Assignee|unassigned at gcc dot gnu.org |msebor at gcc dot gnu.org
     Ever confirmed|0                           |1
      Known to fail|                            |10.0

--- Comment #1 from Martin Liška ---
Confirmed, started with r278983.
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=92868

Richard Biener changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |msebor at gcc dot gnu.org
   Target Milestone|---                         |10.0