https://gcc.gnu.org/bugzilla/show_bug.cgi?id=110907
Bug ID: 110907 Summary: ICE when using -fanalyzer-verbose-state-changes Product: gcc Version: 14.0 Status: UNCONFIRMED Severity: normal Priority: P3 Component: analyzer Assignee: dmalcolm at gcc dot gnu.org Reporter: vultkayn at gcc dot gnu.org Target Milestone: --- Running the analyzer on testcase gcc.dg/analyzer/pr99193-1.c with line 54 commented out (the commented-out `__builtin_va_end (args);` on the realloc-failure path in the reproducer below, which leaves the va_list un-ended on that early return) and the flag -fanalyzer-verbose-state-changes results in an ICE on GCC 13.1 and later, including trunk, tested on target x86_64-linux-gnu. GCC 12.3 for x86_64 on godbolt does not reproduce the ICE. Per the backtrace, the crash is in the diagnostic machinery (ana::state_change_event::get_desc, reached from diagnostic_manager::emit_saved_diagnostic), i.e. while emitting a diagnostic the analyzer had already saved for the modified path; the verbose state-change description is what segfaults. Reproducer: /* { dg-additional-options "-Wno-analyzer-too-complex" } */ /* Verify absence of false positive from -Wanalyzer-mismatching-deallocation on realloc(3). Based on https://github.com/libguestfs/libguestfs/blob/f19fd566f6387ce7e4d82409528c9dde374d25e0/daemon/command.c#L115 which is GPLv2 or later. */ typedef __SIZE_TYPE__ size_t; typedef __builtin_va_list va_list; #define NULL ((void *)0) extern void *malloc (size_t __size) __attribute__ ((__nothrow__ , __leaf__)) __attribute__ ((__malloc__)) __attribute__ ((__alloc_size__ (1))); extern void perror (const char *__s); extern void *realloc (void *__ptr, size_t __size) __attribute__ ((__nothrow__ , __leaf__)) __attribute__ ((__warn_unused_result__)) __attribute__ ((__alloc_size__ (2))); extern void guestfs_int_cleanup_free (void *ptr); extern int commandrvf (char **stdoutput, char **stderror, unsigned flags, char const* const *argv); #define CLEANUP_FREE __attribute__((cleanup(guestfs_int_cleanup_free))) int commandrf (char **stdoutput, char **stderror, unsigned flags, const char *name, ...) { va_list args; CLEANUP_FREE const char **argv = NULL; char *s; int i, r; /* Collect the command line arguments into an array. 
*/ i = 2; argv = malloc (sizeof (char *) * i); if (argv == NULL) { perror ("malloc"); return -1; } argv[0] = (char *) name; argv[1] = NULL; __builtin_va_start (args, name); while ((s = __builtin_va_arg (args, char *)) != NULL) { const char **p = realloc (argv, sizeof (char *) * (++i)); /* { dg-bogus "'free'" } */ if (p == NULL) { perror ("realloc"); // __builtin_va_end (args); return -1; } argv = p; argv[i-2] = s; argv[i-1] = NULL; } __builtin_va_end (args); r = commandrvf (stdoutput, stderror, flags, argv); return r; } ----- gcc -fanalyzer -fanalyzer-verbose-state-changes ./pr99193-1.leak.c during IPA pass: analyzer <source>:33:29: internal compiler error: Segmentation fault 33 | CLEANUP_FREE const char **argv = NULL; | ^~~~ 0x216ac2e internal_error(char const*, ...) ???:0 0x218afec pp_format(pretty_printer*, text_info*) ???:0 0x1f7bfb6 make_label_text(bool, char const*, ...) ???:0 0x1f88b0d ana::state_change_event::get_desc(bool) const ???:0 0x1f86c0c ana::checker_event::prepare_for_emission(ana::checker_path*, ana::pending_diagnostic*, diagnostic_event_id_t) ???:0 0x1fa79f5 ana::diagnostic_manager::emit_saved_diagnostic(ana::exploded_graph const&, ana::saved_diagnostic const&) ???:0 0x1fa82a0 ana::diagnostic_manager::emit_saved_diagnostics(ana::exploded_graph const&) ???:0 0x149fc31 ana::impl_run_checkers(ana::logger*) ???:0 0x14a0bdf ana::run_checkers() ???:0 Please submit a full bug report, with preprocessed source (by using -freport-bug). Please include the complete backtrace with any bug report. See <https://gcc.gnu.org/bugs/> for instructions. Compiler returned: 1