[Bug analyzer/113923] Segfault in gcc/gcc/tree-diagnostic.cc:265
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=113923

--- Comment #9 from Antoni ---
Created attachment 57810
  --> https://gcc.gnu.org/bugzilla/attachment.cgi?id=57810&action=edit
Patch to fix the issue

I was unable to create a reproducer in C for the tests. It seems the problem was actually in libgccjit because it was not setting BLOCK_SUPERCONTEXT.

I'm not sure how best to test it, though. The only idea I have would be to attempt to create a libgccjit test that adds -fanalyzer to its arguments. Do you have a better idea?
--- Comment #8 from Antoni ---
(In reply to David Malcolm from comment #2)
> inlined_call_event's ctor should probably assert that params
>   tree apparent_callee_fndecl,
>   tree apparent_caller_fndecl,
> are both non-NULL, which might catch the issue slightly early.

I added an assert and here's the stacktrace:

during IPA pass: analyzer
libgccjit.so: internal compiler error: : in inlined_call_event, at analyzer/checker-event.h:578
0x73d4eafbf076 ana::inlined_call_event::inlined_call_event(unsigned int, tree_node*, tree_node*, int, int)
        ../../../gcc/gcc/analyzer/checker-event.h:578
0x73d4eafbe7dd ana::checker_path::inject_any_inlined_call_events(ana::logger*)
        ../../../gcc/gcc/analyzer/checker-path.cc:319
0x73d4eafd415f ana::diagnostic_manager::emit_saved_diagnostic(ana::exploded_graph const&, ana::saved_diagnostic&)
        ../../../gcc/gcc/analyzer/diagnostic-manager.cc:1599
0x73d4eafd981d ana::dedupe_winners::emit_best(ana::diagnostic_manager*, ana::exploded_graph const&)
        ../../../gcc/gcc/analyzer/diagnostic-manager.cc:1472
0x73d4eafd3dcb ana::diagnostic_manager::emit_saved_diagnostics(ana::exploded_graph const&)
        ../../../gcc/gcc/analyzer/diagnostic-manager.cc:1524
0x73d4e9a0327a ana::impl_run_checkers(ana::logger*)
        ../../../gcc/gcc/analyzer/engine.cc:6226
0x73d4e9a03613 ana::run_checkers()
        ../../../gcc/gcc/analyzer/engine.cc:6300
0x73d4e99f484c execute
        ../../../gcc/gcc/analyzer/analyzer-pass.cc:87

I can also confirm that this is related to always_inline as there are no segfaults when removing the #[inline(always)] in the following example (see comment):

    #![no_std]
    #![allow(internal_features)]
    #![feature(core_intrinsics, lang_items, start)]
    #![feature(transparent_unions)]

    use core::mem::ManuallyDrop;

    #[panic_handler]
    fn panic_handler(_: &core::panic::PanicInfo<'_>) -> ! {
        core::intrinsics::abort();
    }

    #[lang = "eh_personality"]
    fn eh_personality() {}

    // Generic parameter written as <T>; the type parameters were lost in
    // the extracted copy of this comment (MaybeUninit::<&i32> below needs them).
    #[derive(Clone, Copy)]
    #[repr(transparent)]
    pub union MaybeUninit<T> {
        uninit: (),
        value: ManuallyDrop<T>,
    }

    impl<T> MaybeUninit<T> {
        // NOTE: there are no segfaults when removing the next line.
        #[inline(always)]
        pub const fn uninit() -> MaybeUninit<T> {
            MaybeUninit { uninit: () }
        }
    }

    #[start]
    fn main(_argc: isize, _argv: *const *const u8) -> isize {
        let mut x = MaybeUninit::<&i32>::uninit();
        0
    }
--- Comment #7 from Antoni ---
I don't know if this helps, but I added a small Rust reproducer that can trigger the segfault when compiled with rustc_codegen_gcc, and the corresponding GIMPLE for this Rust reproducer.
--- Comment #6 from Antoni ---
Created attachment 57439
  --> https://gcc.gnu.org/bugzilla/attachment.cgi?id=57439&action=edit
Rust reproducer
--- Comment #5 from Antoni ---
Created attachment 57438
  --> https://gcc.gnu.org/bugzilla/attachment.cgi?id=57438&action=edit
GIMPLE for the Rust reproducer
--- Comment #4 from Antoni ---
I might be able to create a reproducer soon, but for now I can say it might be related to __attribute__ ((always_inline)).
--- Comment #3 from David Malcolm ---
(In reply to David Malcolm from comment #2)
> are both non-NULL, which might catch the issue slightly early.
                                                          ^
                                                          earlier
--- Comment #2 from David Malcolm ---
inlined_call_event's ctor should probably assert that params
  tree apparent_callee_fndecl,
  tree apparent_caller_fndecl,
are both non-NULL, which might catch the issue slightly early.
--- Comment #1 from David Malcolm ---
Reproducing that is going to be a challenge.

FWIW you can probably work around it via -fno-analyzer-undo-inlining.

For an inlined_call_event's m_apparent_caller_fndecl to be NULL, then when it was created in checker_path::inject_any_inlined_call_events, cd.m_fndecl would have to be NULL here:

310      const chain_element &ce = elements[element_idx];
311      int stack_depth_adjustment
312        = (blocks_in_curr_event.elements () - element_idx) - 1;
313      if (location_t callsite = BLOCK_SOURCE_LOCATION (ce.m_block))
314        updated_events.safe_push
315          (new inlined_call_event (callsite,
316                                   elements[element_idx - 1].m_fndecl,
317                                   ce.m_fndecl,
318                                   orig_stack_depth,
319                                   stack_depth_adjustment));

which comes from iter.get_fndecl () earlier in that function:

292  for (inlining_iterator iter (curr_loc); !iter.done_p (); iter.next ())
293    {
294      chain_element ce;
295      ce.m_block = iter.get_block ();
296      ce.m_fndecl = iter.get_fndecl ();
297
298      if (!blocks_in_prev_event.contains (ce.m_block))
299        elements.safe_push (ce);
300      blocks_in_curr_event.add (ce.m_block);
301    }

inlining-iterator.h looks at FUNCTION_DECL, so maybe if you're using a different code that could confuse it. But this is from libgccjit, so I'm not sure.