https://gcc.gnu.org/g:a1cb188cb2ca2ad3f4e837dba2967f323669d36e
commit r13-8750-ga1cb188cb2ca2ad3f4e837dba2967f323669d36e Author: David Malcolm <dmalc...@redhat.com> Date: Thu May 9 13:09:29 2024 -0400 analyzer: fix ICE for 2 bits before the start of base region [PR112889] Cncrete bindings were using -1 and -2 in the offset field to signify deleted and empty hash slots, but these are valid values, leading to assertion failures inside hash_map::put on a debug build, and probable bugs in a release build. (gdb) call k.dump(true) start: -2, size: 1, next: -1 (gdb) p k.is_empty() $6 = true Fix by using the size field rather than the offset. Backported from commit r14-6297-g775aeabcb870b7 (moving the testcase from c-c++-common to gcc.dg). gcc/analyzer/ChangeLog: PR analyzer/112889 * store.h (concrete_binding::concrete_binding): Strengthen assertion to require size to be be positive, rather than just non-zero. (concrete_binding::mark_deleted): Use size rather than start bit offset. (concrete_binding::mark_empty): Likewise. (concrete_binding::is_deleted): Likewise. (concrete_binding::is_empty): Likewise. gcc/testsuite/ChangeLog: PR analyzer/112889 * gcc.dg/analyzer/ice-pr112889.c: New test. Signed-off-by: David Malcolm <dmalc...@redhat.com> Diff: --- gcc/analyzer/store.h | 10 +++++----- gcc/testsuite/gcc.dg/analyzer/ice-pr112889.c | 17 +++++++++++++++++ 2 files changed, 22 insertions(+), 5 deletions(-) diff --git a/gcc/analyzer/store.h b/gcc/analyzer/store.h index 7ded650b6088..6b06be29d8f6 100644 --- a/gcc/analyzer/store.h +++ b/gcc/analyzer/store.h @@ -368,7 +368,7 @@ public: concrete_binding (bit_offset_t start_bit_offset, bit_size_t size_in_bits) : m_bit_range (start_bit_offset, size_in_bits) { - gcc_assert (!m_bit_range.empty_p ()); + gcc_assert (m_bit_range.m_size_in_bits > 0); } bool concrete_p () const final override { return true; } @@ -409,10 +409,10 @@ public: static int cmp_ptr_ptr (const void *, const void *); - void mark_deleted () { m_bit_range.m_start_bit_offset = -1; } - void mark_empty () { m_bit_range.m_start_bit_offset = -2; } - bool is_deleted () const { return m_bit_range.m_start_bit_offset == -1; } - bool is_empty () const { return m_bit_range.m_start_bit_offset == -2; } + void mark_deleted () { m_bit_range.m_size_in_bits = -1; } + void mark_empty () { m_bit_range.m_size_in_bits = -2; } + bool is_deleted () const { return m_bit_range.m_size_in_bits == -1; } + bool is_empty () const { return m_bit_range.m_size_in_bits == -2; } private: bit_range m_bit_range; diff --git a/gcc/testsuite/gcc.dg/analyzer/ice-pr112889.c b/gcc/testsuite/gcc.dg/analyzer/ice-pr112889.c new file mode 100644 index 000000000000..e90a53e79baf --- /dev/null +++ b/gcc/testsuite/gcc.dg/analyzer/ice-pr112889.c @@ -0,0 +1,17 @@ +typedef unsigned char __u8; +struct sk_buff +{ + unsigned char *data; +}; +struct cpl_pass_accept_req +{ + __u8 : 6; + __u8 sack : 1; +}; +void build_cpl_pass_accept_req(struct sk_buff* skb) +{ + struct cpl_pass_accept_req* req; + skb->data -= sizeof(*req); + req = (struct cpl_pass_accept_req *)skb->data; + req->sack = 1; +}