https://gcc.gnu.org/bugzilla/show_bug.cgi?id=99906
Bug ID: 99906
Summary: [11 Regression] ICE: SIGSEGV in maybe_reconstruct_from_def_stmt with -fanalyzer
Product: gcc
Version: 11.0
Status: UNCONFIRMED
Keywords: ice-on-valid-code
Severity: normal
Priority: P3
Component: analyzer
Assignee: dmalcolm at gcc dot gnu.org
Reporter: zsojka at seznam dot cz
Target Milestone: ---
Host: x86_64-pc-linux-gnu

Created attachment 50505
--> https://gcc.gnu.org/bugzilla/attachment.cgi?id=50505&action=edit
reduced testcase

Compiler output:
$ x86_64-pc-linux-gnu-gcc -fanalyzer testcase.c -wrapper valgrind,-q
==16921== Invalid read of size 4
==16921==    at 0xA0DEF7: operator[] (vec.h:890)
==16921==    by 0xA0DEF7: operator[] (vec.h:1461)
==16921==    by 0xA0DEF7: maybe_reconstruct_from_def_stmt (analyzer.cc:151)
==16921==    by 0xA0DEF7: ana::fixup_tree_for_diagnostic_1(tree_node*, hash_set<tree_node*, false, default_hash_traits<tree_node*> >*) [clone .part.0] [clone .cold] (analyzer.cc:168)
==16921==    by 0x1CBE732: fixup_tree_for_diagnostic_1 (analyzer.cc:189)
==16921==    by 0x1CBE732: ana::fixup_tree_for_diagnostic(tree_node*) (analyzer.cc:188)
==16921==    by 0x140E497: ana::region_model::get_representative_tree(ana::svalue const*) const (region-model.cc:2330)
==16921==    by 0x13F7A54: ana::impl_sm_context::get_diagnostic_tree(tree_node*) (engine.cc:314)
==16921==    by 0x1435056: ana::(anonymous namespace)::malloc_state_machine::on_stmt(ana::sm_context*, ana::supernode const*, gimple const*) const (sm-malloc.cc:1603)
==16921==    by 0x13F1448: ana::exploded_node::on_stmt(ana::exploded_graph&, ana::supernode const*, gimple const*, ana::program_state*) (engine.cc:1271)
==16921==    by 0x13F3729: ana::exploded_graph::process_node(ana::exploded_node*) (engine.cc:3016)
==16921==    by 0x13F40EA: ana::exploded_graph::process_worklist() (engine.cc:2641)
==16921==    by 0x13F6225: ana::impl_run_checkers(ana::logger*) (engine.cc:4851)
==16921==    by 0x13F70B3: ana::run_checkers() (engine.cc:4922)
==16921==    by 0x13E8CA8: (anonymous namespace)::pass_analyzer::execute(function*) (analyzer-pass.cc:87)
==16921==    by 0xF62CAC: execute_one_pass(opt_pass*) (passes.c:2567)
==16921==  Address 0x4 is not stack'd, malloc'd or (recently) free'd
==16921==
during IPA pass: analyzer
testcase.c: In function 'foo':
testcase.c:3:18: internal compiler error: Segmentation fault
    3 | void foo(void) { bar(baz()); }
      |                  ^~~~~~~~~~
0x105dd0f crash_signal
	/repo/gcc-trunk/gcc/toplev.c:327
0xa0def7 vec<tree_node*, va_heap, vl_embed>::operator[](unsigned int)
	/repo/gcc-trunk/gcc/vec.h:890
0xa0def7 vec<tree_node*, va_heap, vl_ptr>::operator[](unsigned int)
	/repo/gcc-trunk/gcc/vec.h:1461
0xa0def7 maybe_reconstruct_from_def_stmt
	/repo/gcc-trunk/gcc/analyzer/analyzer.cc:151
0xa0def7 fixup_tree_for_diagnostic_1
	/repo/gcc-trunk/gcc/analyzer/analyzer.cc:168
0x1cbe732 fixup_tree_for_diagnostic_1
	/repo/gcc-trunk/gcc/analyzer/analyzer.cc:189
0x1cbe732 ana::fixup_tree_for_diagnostic(tree_node*)
	/repo/gcc-trunk/gcc/analyzer/analyzer.cc:188
0x140e497 ana::region_model::get_representative_tree(ana::svalue const*) const
	/repo/gcc-trunk/gcc/analyzer/region-model.cc:2330
0x13f7a54 ana::impl_sm_context::get_diagnostic_tree(tree_node*)
	/repo/gcc-trunk/gcc/analyzer/engine.cc:314
0x1435056 on_stmt
	/repo/gcc-trunk/gcc/analyzer/sm-malloc.cc:1603
0x13f1448 ana::exploded_node::on_stmt(ana::exploded_graph&, ana::supernode const*, gimple const*, ana::program_state*)
	/repo/gcc-trunk/gcc/analyzer/engine.cc:1271
0x13f3729 ana::exploded_graph::process_node(ana::exploded_node*)
	/repo/gcc-trunk/gcc/analyzer/engine.cc:3016
0x13f40ea ana::exploded_graph::process_worklist()
	/repo/gcc-trunk/gcc/analyzer/engine.cc:2641
0x13f6225 ana::impl_run_checkers(ana::logger*)
	/repo/gcc-trunk/gcc/analyzer/engine.cc:4851
0x13f70b3 ana::run_checkers()
	/repo/gcc-trunk/gcc/analyzer/engine.cc:4922
0x13e8ca8 execute
	/repo/gcc-trunk/gcc/analyzer/analyzer-pass.cc:87
Please submit a full bug report,
with preprocessed source if appropriate.
Please include the complete backtrace with any bug report.
See <https://gcc.gnu.org/bugs/> for instructions.

$ x86_64-pc-linux-gnu-gcc -v
Using built-in specs.
COLLECT_GCC=/repo/gcc-trunk/binary-latest/bin/x86_64-pc-linux-gnu-gcc
COLLECT_LTO_WRAPPER=/repo/gcc-trunk/binary-trunk-r11-7980-20210403205900-gc3d3bb0f03d-checking-yes-rtl-df-extra-amd64/bin/../libexec/gcc/x86_64-pc-linux-gnu/11.0.1/lto-wrapper
Target: x86_64-pc-linux-gnu
Configured with: /repo/gcc-trunk//configure --enable-languages=c,c++ --enable-valgrind-annotations --disable-nls --enable-checking=yes,rtl,df,extra --with-cloog --with-ppl --with-isl --build=x86_64-pc-linux-gnu --host=x86_64-pc-linux-gnu --target=x86_64-pc-linux-gnu --with-ld=/usr/bin/x86_64-pc-linux-gnu-ld --with-as=/usr/bin/x86_64-pc-linux-gnu-as --disable-libstdcxx-pch --prefix=/repo/gcc-trunk//binary-trunk-r11-7980-20210403205900-gc3d3bb0f03d-checking-yes-rtl-df-extra-amd64
Thread model: posix
Supported LTO compression algorithms: zlib zstd
gcc version 11.0.1 20210404 (experimental) (GCC)