https://gcc.gnu.org/bugzilla/show_bug.cgi?id=110907

            Bug ID: 110907
           Summary: ICE when using -fanalyzer-verbose-state-changes
           Product: gcc
           Version: 14.0
            Status: UNCONFIRMED
          Severity: normal
          Priority: P3
         Component: analyzer
          Assignee: dmalcolm at gcc dot gnu.org
          Reporter: vultkayn at gcc dot gnu.org
  Target Milestone: ---

Running the analyzer on testcase gcc.dg/analyzer/pr99193-1.c with line 54
commented out and the flag -fanalyzer-verbose-state-changes results in an ICE on
gcc 13.1 and later (13.1 included) as well as trunk; tested on target
x86_64-linux-gnu.

GCC 12.3 for x86_64 on godbolt does not reproduce the ICE.

Reproducer:

/* { dg-additional-options "-Wno-analyzer-too-complex" } */

/* Verify absence of false positive from -Wanalyzer-mismatching-deallocation
   on realloc(3).
   Based on
https://github.com/libguestfs/libguestfs/blob/f19fd566f6387ce7e4d82409528c9dde374d25e0/daemon/command.c#L115
   which is GPLv2 or later.  */

/* Hand-written stand-ins for the <stddef.h>/<stdarg.h>/<stdlib.h>/<stdio.h>
   declarations the reproducer needs, so that it compiles with no #include at
   all (the attributes presumably mirror the libc prototypes).  */
typedef __SIZE_TYPE__ size_t;
typedef __builtin_va_list va_list;

#define NULL ((void *)0)

extern void *malloc (size_t __size)
  __attribute__ ((__nothrow__ , __leaf__))
  __attribute__ ((__malloc__))
  __attribute__ ((__alloc_size__ (1)));
extern void perror (const char *__s);
extern void *realloc (void *__ptr, size_t __size)
  __attribute__ ((__nothrow__ , __leaf__))
  __attribute__ ((__warn_unused_result__))
  __attribute__ ((__alloc_size__ (2)));

/* libguestfs hooks, declared only: the scope-exit handler attached to ARGV in
   commandrf below, and the function that receives the finished argv
   (presumably it runs the command; its body is not part of this file).  */
extern void guestfs_int_cleanup_free (void *ptr);
extern int commandrvf (char **stdoutput, char **stderror, unsigned flags,
                       char const* const *argv);
/* Runs guestfs_int_cleanup_free on the variable's address when the variable
   goes out of scope, on every exit path including early returns.  */
#define CLEANUP_FREE __attribute__((cleanup(guestfs_int_cleanup_free))) 

/* Build a NULL-terminated argv from NAME followed by the variadic
   arguments (the caller terminates the list with a NULL pointer), then
   pass it to commandrvf and return its result.  Returns -1, after
   perror, when malloc or realloc fails.  ARGV carries CLEANUP_FREE, so
   guestfs_int_cleanup_free is invoked on it whenever the function
   returns -- including the early returns below -- so the error paths
   do not free it by hand.  */
int
commandrf (char **stdoutput, char **stderror, unsigned flags,
           const char *name, ...)
{
  va_list args;
  CLEANUP_FREE const char **argv = NULL;
  char *s;
  int i, r;   /* I is the slot count of ARGV, NULL terminator included.  */

  /* Collect the command line arguments into an array. */
  i = 2;
  argv = malloc (sizeof (char *) * i);

 if (argv == NULL) {
    perror ("malloc");
    return -1;
  }
  argv[0] = (char *) name;
  argv[1] = NULL;

  __builtin_va_start (args, name);

  while ((s = __builtin_va_arg (args, char *)) != NULL) {
    /* Grow by one slot per argument.  The result goes into P first so that
       ARGV (and its cleanup handler) still refer to the old block if realloc
       fails; the dg-bogus directive asserts the analyzer must not report a
       mismatching deallocation here.  */
    const char **p = realloc (argv, sizeof (char *) * (++i)); /* { dg-bogus
"'free'" } */
    if (p == NULL) {
      perror ("realloc");
      /* The va_end on this failure path is commented out on purpose: the
         report states the ICE appears with the testcase's va_end line
         commented out.  As written, this return therefore leaves ARGS
         without a matching va_end; the original testcase has it.  */
      // __builtin_va_end (args);
      return -1;
    }
    argv = p;
    argv[i-2] = s;   /* new argument goes before the terminator */
    argv[i-1] = NULL;
  }

  __builtin_va_end (args);

  r = commandrvf (stdoutput, stderror, flags, argv);

  return r;
}

-----

gcc -fanalyzer -fanalyzer-verbose-state-changes ./pr99193-1.leak.c
during IPA pass: analyzer
<source>:33:29: internal compiler error: Segmentation fault
   33 |   CLEANUP_FREE const char **argv = NULL;
      |                             ^~~~
0x216ac2e internal_error(char const*, ...)
        ???:0
0x218afec pp_format(pretty_printer*, text_info*)
        ???:0
0x1f7bfb6 make_label_text(bool, char const*, ...)
        ???:0
0x1f88b0d ana::state_change_event::get_desc(bool) const
        ???:0
0x1f86c0c ana::checker_event::prepare_for_emission(ana::checker_path*,
ana::pending_diagnostic*, diagnostic_event_id_t)
        ???:0
0x1fa79f5 ana::diagnostic_manager::emit_saved_diagnostic(ana::exploded_graph
const&, ana::saved_diagnostic const&)
        ???:0
0x1fa82a0 ana::diagnostic_manager::emit_saved_diagnostics(ana::exploded_graph
const&)
        ???:0
0x149fc31 ana::impl_run_checkers(ana::logger*)
        ???:0
0x14a0bdf ana::run_checkers()
        ???:0
Please submit a full bug report, with preprocessed source (by using
-freport-bug).
Please include the complete backtrace with any bug report.
See <https://gcc.gnu.org/bugs/> for instructions.
Compiler returned: 1
