https://gcc.gnu.org/bugzilla/show_bug.cgi?id=124055
Bug ID: 124055
Summary: [14/15/16 Regression] ICE: SIGSEGV in ana::region_model::scan_for_null_terminator (region-model.cc:4863) with -O -fanalyzer -fdump-analyzer -frounding-math
Product: gcc
Version: 16.0
Status: UNCONFIRMED
Keywords: ice-on-valid-code
Severity: normal
Priority: P3
Component: analyzer
Assignee: dmalcolm at gcc dot gnu.org
Reporter: zsojka at seznam dot cz
Target Milestone: ---
Host: x86_64-pc-linux-gnu
Target: x86_64-pc-linux-gnu
Created attachment 63639
--> https://gcc.gnu.org/bugzilla/attachment.cgi?id=63639&action=edit
reduced testcase
Compiler output:
$ x86_64-pc-linux-gnu-gcc -O -fanalyzer -fdump-analyzer -frounding-math testcase.c -wrapper valgrind,-q,--track-origins=yes,--num-callers=40
==22074== Conditional jump or move depends on uninitialised value(s)
==22074== at 0x1B1EFBE:
ana::region_model::scan_for_null_terminator(ana::region const*, tree_node*,
ana::svalue const**, ana::region_model_context*) const (region-model.cc:4862)
==22074== by 0x1B1F0E4:
ana::region_model::check_for_null_terminated_string_arg(ana::call_details
const&, unsigned int, bool, ana::svalue const**) const (region-model.cc:5026)
==22074== by 0x1AEFDD9: ana::kf_strcpy::impl_call_pre(ana::call_details
const&) const (kf.cc:1404)
==22074== by 0x1B1C5E1: ana::region_model::on_call_pre(gcall const&,
ana::region_model_context*) (region-model.cc:2352)
==22074== by 0x1B2040C: ana::region_model::on_stmt_pre(gimple const*, bool*,
ana::region_model_context*) (region-model.cc:1755)
==22074== by 0x1AFCB8E:
ana::gimple_stmt_op::execute_on_state(ana::operation_context&,
ana::program_state) const (ops.cc:378)
==22074== by 0x1AFD722:
ana::call_and_return_op::execute(ana::operation_context&) const (ops.cc:853)
==22074== by 0x1ADED6B:
ana::exploded_graph::process_node(ana::exploded_node*) (engine.cc:3780)
==22074== by 0x1ADF3FA: ana::exploded_graph::process_worklist()
(engine.cc:3409)
==22074== by 0x1AE1E7B: ana::impl_run_checkers(ana::logger*)
(engine.cc:5269)
==22074== by 0x1AE2C5E: ana::run_checkers() (engine.cc:5360)
==22074== by 0x1AD3618: (anonymous
namespace)::pass_analyzer::execute(function*) (analyzer-pass.cc:81)
==22074== by 0x14E0FAF: execute_one_pass(opt_pass*) (passes.cc:2656)
==22074== by 0x14E2496: execute_ipa_pass_list(opt_pass*) (passes.cc:3118)
==22074== by 0x105C474: ipa_passes (cgraphunit.cc:2302)
==22074== by 0x105C474: symbol_table::compile() [clone .part.0]
(cgraphunit.cc:2367)
==22074== by 0x105F9C2: compile (cgraphunit.cc:2345)
==22074== by 0x105F9C2: symbol_table::finalize_compilation_unit()
(cgraphunit.cc:2626)
==22074== by 0x1642922: compile_file() (toplev.cc:482)
==22074== by 0xE3481F: do_compile (toplev.cc:2225)
==22074== by 0xE3481F: toplev::main(int, char**) (toplev.cc:2389)
==22074== by 0xE360FA: main (main.cc:39)
==22074== Uninitialised value was created by a stack allocation
==22074== at 0x1AEFD70: ana::kf_strcpy::impl_call_pre(ana::call_details
const&) const (kf.cc:1392)
==22074==
...
==22074==
==22074== Invalid read of size 8
==22074== at 0x1B1EFCF:
ana::region_model::scan_for_null_terminator(ana::region const*, tree_node*,
ana::svalue const**, ana::region_model_context*) const (region-model.cc:4863)
==22074== by 0x1B1F0E4:
ana::region_model::check_for_null_terminated_string_arg(ana::call_details
const&, unsigned int, bool, ana::svalue const**) const (region-model.cc:5026)
==22074== by 0x1AEFDD9: ana::kf_strcpy::impl_call_pre(ana::call_details
const&) const (kf.cc:1404)
==22074== by 0x1B1C5E1: ana::region_model::on_call_pre(gcall const&,
ana::region_model_context*) (region-model.cc:2352)
==22074== by 0x1B2040C: ana::region_model::on_stmt_pre(gimple const*, bool*,
ana::region_model_context*) (region-model.cc:1755)
==22074== by 0x1AFCB8E:
ana::gimple_stmt_op::execute_on_state(ana::operation_context&,
ana::program_state) const (ops.cc:378)
==22074== by 0x1AFD722:
ana::call_and_return_op::execute(ana::operation_context&) const (ops.cc:853)
==22074== by 0x1ADED6B:
ana::exploded_graph::process_node(ana::exploded_node*) (engine.cc:3780)
==22074== by 0x1ADF3FA: ana::exploded_graph::process_worklist()
(engine.cc:3409)
==22074== by 0x1AE1E7B: ana::impl_run_checkers(ana::logger*)
(engine.cc:5269)
==22074== by 0x1AE2C5E: ana::run_checkers() (engine.cc:5360)
==22074== by 0x1AD3618: (anonymous
namespace)::pass_analyzer::execute(function*) (analyzer-pass.cc:81)
==22074== by 0x14E0FAF: execute_one_pass(opt_pass*) (passes.cc:2656)
==22074== by 0x14E2496: execute_ipa_pass_list(opt_pass*) (passes.cc:3118)
==22074== by 0x105C474: ipa_passes (cgraphunit.cc:2302)
==22074== by 0x105C474: symbol_table::compile() [clone .part.0]
(cgraphunit.cc:2367)
==22074== by 0x105F9C2: compile (cgraphunit.cc:2345)
==22074== by 0x105F9C2: symbol_table::finalize_compilation_unit()
(cgraphunit.cc:2626)
==22074== by 0x1642922: compile_file() (toplev.cc:482)
==22074== by 0xE3481F: do_compile (toplev.cc:2225)
==22074== by 0xE3481F: toplev::main(int, char**) (toplev.cc:2389)
==22074== by 0xE360FA: main (main.cc:39)
==22074== Address 0x19 is not stack'd, malloc'd or (recently) free'd
==22074==
during IPA pass: analyzer
In function 'bar',
inlined from 'foo' at testcase.c:12:3:
testcase.c:6:3: internal compiler error: Segmentation fault
6 | __builtin_strcpy(p, (void *)&f);
...
$ x86_64-pc-linux-gnu-gcc -v
Using built-in specs.
COLLECT_GCC=/repo/gcc-trunk/binary-latest-amd64/bin/x86_64-pc-linux-gnu-gcc
COLLECT_LTO_WRAPPER=/repo/gcc-trunk/binary-trunk-20260210051422-r16-7428-gc4c747adc8959d-checking-yes-rtl-df-extra-nobootstrap-amd64/bin/../libexec/gcc/x86_64-pc-linux-gnu/16.0.1/lto-wrapper
Target: x86_64-pc-linux-gnu
Configured with: /repo/gcc-trunk//configure --enable-languages=c,c++
--enable-valgrind-annotations --disable-nls --enable-checking=yes,rtl,df,extra
--disable-bootstrap --enable-libsanitizer --build=x86_64-pc-linux-gnu
--host=x86_64-pc-linux-gnu --target=x86_64-pc-linux-gnu
--with-ld=/usr/bin/x86_64-pc-linux-gnu-ld
--with-as=/usr/bin/x86_64-pc-linux-gnu-as --disable-libstdcxx-pch
--prefix=/repo/gcc-trunk//binary-trunk-20260210051422-r16-7428-gc4c747adc8959d-checking-yes-rtl-df-extra-nobootstrap-amd64
Thread model: posix
Supported LTO compression algorithms: zlib zstd
gcc version 16.0.1 20260210 (experimental) (GCC)
It might help to initialize "bytes_to_copy" to NULL in
kf_strcpy::impl_call_pre().
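The pattern the analyzer was examining when it crashed, __builtin_strcpy(p, (void *)&f), copies from an object that is not a string: strcpy keeps reading until it finds a NUL byte, and a 4-byte float may not contain one. The following is an added example, not code from the report, the attached testcase, or GCC itself; it shows the same bounded null-terminator check done at run time for a source object of known size. The names scan_for_nul, checked_strcpy and copy_from_float are hypothetical, and the 0x41414141 bit pattern is a constructed input chosen because none of its bytes is zero on any endianness.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Added example (not GCC code): bounded scan for a NUL terminator inside a
   source object whose byte size the caller knows.  Returns the index of the
   first NUL byte within src[0..len), or -1 if the object has none. */
long scan_for_nul(const void *src, size_t len)
{
    const unsigned char *p = memchr(src, 0, len);
    return p ? (long)(p - (const unsigned char *)src) : -1;
}

/* Copies src into dst only if src is NUL-terminated within src_len bytes and
   the terminated string fits in dst_len.  Returns 1 on success, 0 if the copy
   was refused because plain strcpy would read past the end of src or write
   past the end of dst. */
int checked_strcpy(char *dst, size_t dst_len, const void *src, size_t src_len)
{
    long n = scan_for_nul(src, src_len);
    if (n < 0)                      /* no terminator inside the object */
        return 0;
    if ((size_t)n + 1 > dst_len)    /* string plus NUL does not fit */
        return 0;
    memcpy(dst, src, (size_t)n + 1);
    return 1;
}

/* Mirrors the testcase's strcpy(p, (void *)&f): the source is a float, so the
   scan is bounded by sizeof f rather than by wherever a NUL happens to be. */
int copy_from_float(char *dst, size_t dst_len, float f)
{
    return checked_strcpy(dst, dst_len, &f, sizeof f);
}

/* 1.0f (0x3f800000) contains zero bytes on any endianness, so the copy is
   accepted; returns 1 when that holds. */
int demo_float_with_nul_is_accepted(void)
{
    char dst[16];
    return copy_from_float(dst, sizeof dst, 1.0f) == 1;
}

/* A float whose bit pattern is 0x41414141 (constructed input) has no zero
   byte, so strcpy would overread it; returns 1 when the copy is refused. */
int demo_float_without_nul_is_rejected(void)
{
    unsigned char bits[4] = {0x41, 0x41, 0x41, 0x41};
    float f;
    char dst[16];
    memcpy(&f, bits, sizeof f);
    return copy_from_float(dst, sizeof dst, f) == 0;
}

int main(void)
{
    printf("terminated float accepted: %d\n", demo_float_with_nul_is_accepted());
    printf("unterminated float rejected: %d\n", demo_float_without_nul_is_rejected());
    return 0;
}
```

The compile-time check in the analyzer has the same shape: it walks the bytes of the source region looking for a NUL and complains when the region ends first. That is why a float operand is an interesting input for it, and why the reporter's note that "bytes_to_copy" starts out uninitialised in kf_strcpy::impl_call_pre() matches the valgrind origin report above.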