PR analyzer/93352 reports a qsort failure
"comparator not anti-symmetric: -2147483648, -2147483648)"
within the analyzer on code involving an array access of [0x7fffffff + 1].
The issue is that array_region (which uses int for keys into known
values in the array) uses subtraction to implement int_cmp for sorting
the keys, which isn't going to work for boundary values.
Potentially a wider type should be used, but for now this patch fixes
the ICE by using explicit comparisons rather than subtraction to
implement the qsort callback.
Successfully bootstrapped & regrtested on x86_64-pc-linux-gnu;
pushed to master as r10-6127-g4f01e5778689977c9569477947b8062d8d866667.
gcc/analyzer/ChangeLog:
PR analyzer/93352
* region-model.cc (int_cmp): Rename to...
(array_region::key_cmp): ...this, using key_t rather than int.
Rewrite in terms of comparisons rather than subtraction to
ensure qsort is anti-symmetric when handling extreme values.
(array_region::walk_for_canonicalization): Update for above
renaming.
* region-model.h (array_region::key_cmp): New decl.
gcc/testsuite/ChangeLog:
PR analyzer/93352
* gcc.dg/analyzer/pr93352.c: New test.
---
gcc/analyzer/region-model.cc | 19 ++++++++++++-------
gcc/analyzer/region-model.h | 2 ++
gcc/testsuite/gcc.dg/analyzer/pr93352.c | 12 ++++++++++++
3 files changed, 26 insertions(+), 7 deletions(-)
create mode 100644 gcc/testsuite/gcc.dg/analyzer/pr93352.c
diff --git a/gcc/analyzer/region-model.cc b/gcc/analyzer/region-model.cc
index 7e995701dce..0bca5c0fd71 100644
--- a/gcc/analyzer/region-model.cc
+++ b/gcc/analyzer/region-model.cc
@@ -2389,15 +2389,20 @@ array_region::get_key_for_child_region (region_id
child_rid, key_t *out) const
return false;
}
-/* qsort comparator for int. */
+/* qsort comparator for array_region's keys. */
-static int
-int_cmp (const void *p1, const void *p2)
+int
+array_region::key_cmp (const void *p1, const void *p2)
{
- int i1 = *(const int *)p1;
- int i2 = *(const int *)p2;
+ key_t i1 = *(const key_t *)p1;
+ key_t i2 = *(const key_t *)p2;
- return i1 - i2;
+ if (i1 > i2)
+ return 1;
+ else if (i1 < i2)
+ return -1;
+ else
+ return 0;
}
/* Implementation of region::walk_for_canonicalization vfunc for
@@ -2414,7 +2419,7 @@ array_region::walk_for_canonicalization (canonicalization
*c) const
int key_a = (*iter).first;
keys.quick_push (key_a);
}
- keys.qsort (int_cmp);
+ keys.qsort (key_cmp);
unsigned i;
int key;
diff --git a/gcc/analyzer/region-model.h b/gcc/analyzer/region-model.h
index 6a63a9336b8..1090b96bfaa 100644
--- a/gcc/analyzer/region-model.h
+++ b/gcc/analyzer/region-model.h
@@ -1375,6 +1375,8 @@ public:
static key_t key_from_constant (tree cst);
private:
+ static int key_cmp (const void *, const void *);
+
/* Mapping from tree to child region. */
map_t m_map;
};
diff --git a/gcc/testsuite/gcc.dg/analyzer/pr93352.c
b/gcc/testsuite/gcc.dg/analyzer/pr93352.c
new file mode 100644
index 00000000000..ccb96d0eaed
--- /dev/null
+++ b/gcc/testsuite/gcc.dg/analyzer/pr93352.c
@@ -0,0 +1,12 @@
+/* { dg-additional-options "-Wno-overflow" } */
+
+struct yc {
+ int c0;
+ char di[];
+};
+
+void
+qt (struct yc *ab)
+{
+ ab->di[0x7fffffff + 1] = ab->di[0];
+}
--
2.21.0
