https://gcc.gnu.org/bugzilla/show_bug.cgi?id=104452

            Bug ID: 104452
           Summary: [12 Regression] ICE: in hashtab_chk_error, at hash-table.cc:137 with -O -fanalyzer
           Product: gcc
           Version: 12.0
            Status: UNCONFIRMED
          Keywords: ice-on-valid-code
          Severity: normal
          Priority: P3
         Component: analyzer
          Assignee: dmalcolm at gcc dot gnu.org
          Reporter: zsojka at seznam dot cz
  Target Milestone: ---
              Host: x86_64-pc-linux-gnu
            Target: x86_64-pc-linux-gnu

Created attachment 52381
  --> https://gcc.gnu.org/bugzilla/attachment.cgi?id=52381&action=edit
reduced testcase

Compiler output:
$ x86_64-pc-linux-gnu-gcc -O -fanalyzer testcase.c
hash table checking failed: equal operator returns true for a pair of values with a different hash value
during IPA pass: analyzer
testcase.c: In function 'foo':
testcase.c:6:10: internal compiler error: in hashtab_chk_error, at hash-table.cc:137
    6 |     if (x[i])
      |         ~^~~
0xcf15af hashtab_chk_error()
        /repo/gcc-trunk/gcc/hash-table.cc:137
0x176ba61 hash_table<hash_map<ana::bit_range_region::key_t, ana::bit_range_region*, simple_hashmap_traits<default_hash_traits<ana::bit_range_region::key_t>, ana::bit_range_region*> >::hash_entry, false, xcallocator>::verify(ana::bit_range_region::key_t const&, unsigned int)
        /repo/gcc-trunk/gcc/hash-table.h:1036
0x17637eb hash_table<hash_map<ana::bit_range_region::key_t, ana::bit_range_region*, simple_hashmap_traits<default_hash_traits<ana::bit_range_region::key_t>, ana::bit_range_region*> >::hash_entry, false, xcallocator>::find_with_hash(ana::bit_range_region::key_t const&, unsigned int)
        /repo/gcc-trunk/gcc/hash-table.h:921
0x17637eb hash_map<ana::bit_range_region::key_t, ana::bit_range_region*, simple_hashmap_traits<default_hash_traits<ana::bit_range_region::key_t>, ana::bit_range_region*> >::get(ana::bit_range_region::key_t const&)
        /repo/gcc-trunk/gcc/hash-map.h:189
0x17637eb consolidation_map<ana::bit_range_region>::get(ana::bit_range_region::key_t const&) const
        /repo/gcc-trunk/gcc/analyzer/analyzer.h:371
0x17637eb ana::region_model_manager::get_bit_range(ana::region const*, tree_node*, ana::bit_range const&)
        /repo/gcc-trunk/gcc/analyzer/region-model-manager.cc:1507
0x1740f54 ana::region_model::get_lvalue_1(ana::path_var, ana::region_model_context*) const
        /repo/gcc-trunk/gcc/analyzer/region-model.cc:1724
0x17410d9 ana::region_model::get_lvalue(ana::path_var, ana::region_model_context*) const
        /repo/gcc-trunk/gcc/analyzer/region-model.cc:1818
0x17410d9 ana::region_model::get_lvalue(tree_node*, ana::region_model_context*) const
        /repo/gcc-trunk/gcc/analyzer/region-model.cc:1829
0x17416e0 ana::region_model::get_region_for_poisoned_expr(tree_node*) const
        /repo/gcc-trunk/gcc/analyzer/region-model.cc:886
0x17416e0 ana::region_model::check_for_poison(ana::svalue const*, tree_node*, ana::region_model_context*) const
        /repo/gcc-trunk/gcc/analyzer/region-model.cc:855
0x172723b ana::impl_sm_context::is_zero_assignment(gimple const*)
        /repo/gcc-trunk/gcc/analyzer/engine.cc:485
0x177149c on_stmt
        /repo/gcc-trunk/gcc/analyzer/sm-malloc.cc:1700
0x171f5c6 ana::exploded_node::on_stmt(ana::exploded_graph&, ana::supernode const*, gimple const*, ana::program_state*, ana::uncertainty_t*, ana::path_context*)
        /repo/gcc-trunk/gcc/analyzer/engine.cc:1324
0x172269d ana::exploded_graph::process_node(ana::exploded_node*)
        /repo/gcc-trunk/gcc/analyzer/engine.cc:3694
0x1723682 ana::exploded_graph::process_worklist()
        /repo/gcc-trunk/gcc/analyzer/engine.cc:3137
0x1725b86 ana::impl_run_checkers(ana::logger*)
        /repo/gcc-trunk/gcc/analyzer/engine.cc:5716
0x17269fe ana::run_checkers()
        /repo/gcc-trunk/gcc/analyzer/engine.cc:5787
0x1715f98 execute
        /repo/gcc-trunk/gcc/analyzer/analyzer-pass.cc:87
Please submit a full bug report, with preprocessed source (by using -freport-bug).
Please include the complete backtrace with any bug report.
See <https://gcc.gnu.org/bugs/> for instructions.

Sometimes the compilation succeeds:
$ x86_64-pc-linux-gnu-gcc -O -fanalyzer testcase.c
testcase.c: In function 'foo':
testcase.c:6:10: warning: use of uninitialized value '((int*)&x)[0]' [CWE-457] [-Wanalyzer-use-of-uninitialized-value]
    6 |     if (x[i])
      |         ~^~~
  'foo': event 1
    |
    |    6 |     if (x[i])
    |      |         ~^~~
    |      |          |
    |      |          (1) use of uninitialized value '((int*)&x)[0]' here
    |
testcase.c:6:10: warning: use of uninitialized value '((int*)&x)[0]' [CWE-457] [-Wanalyzer-use-of-uninitialized-value]
  'foo': event 1
    |
    |    6 |     if (x[i])
    |      |         ~^~~
    |      |          |
    |      |          (1) use of uninitialized value '((int*)&x)[0]' here
    |
/usr/bin/x86_64-pc-linux-gnu-ld: /usr/lib/../lib64/crt1.o: in function `_start':
(.text+0x20): undefined reference to `main'
collect2: error: ld returned 1 exit status

Valgrind reports several "uninitialised" uses:
$ x86_64-pc-linux-gnu-gcc -O -fanalyzer testcase.c -wrapper valgrind,-q,--track-origins=yes
==30624== Use of uninitialised value of size 8
==30624==    at 0x17634FE: is_empty<hash_map<ana::bit_range_region::key_t, ana::bit_range_region*, simple_hashmap_traits<default_hash_traits<ana::bit_range_region::key_t>, ana::bit_range_region*> >::hash_entry> (hash-map-traits.h:73)
==30624==    by 0x17634FE: is_empty (hash-map.h:71)
==30624==    by 0x17634FE: is_empty (hash-table.h:541)
==30624==    by 0x17634FE: find_with_hash (hash-table.h:925)
==30624==    by 0x17634FE: get (hash-map.h:189)
==30624==    by 0x17634FE: get (analyzer.h:371)
==30624==    by 0x17634FE: ana::region_model_manager::get_bit_range(ana::region const*, tree_node*, ana::bit_range const&) (region-model-manager.cc:1507)
==30624==    by 0x1740F54: ana::region_model::get_lvalue_1(ana::path_var, ana::region_model_context*) const (region-model.cc:1724)
==30624==    by 0x17410D9: get_lvalue (region-model.cc:1818)
==30624==    by 0x17410D9: ana::region_model::get_lvalue(tree_node*, ana::region_model_context*) const (region-model.cc:1829)
==30624==    by 0x17416E0: get_region_for_poisoned_expr (region-model.cc:886)
==30624==    by 0x17416E0: ana::region_model::check_for_poison(ana::svalue const*, tree_node*, ana::region_model_context*) const (region-model.cc:855)
==30624==    by 0x1746B5C: ana::region_model::on_assignment(gassign const*, ana::region_model_context*) (region-model.cc:903)
==30624==    by 0x171F498: ana::exploded_node::on_stmt(ana::exploded_graph&, ana::supernode const*, gimple const*, ana::program_state*, ana::uncertainty_t*, ana::path_context*) (engine.cc:1305)
==30624==    by 0x172269D: ana::exploded_graph::process_node(ana::exploded_node*) (engine.cc:3694)
==30624==    by 0x1723682: ana::exploded_graph::process_worklist() (engine.cc:3137)
==30624==    by 0x1725B86: ana::impl_run_checkers(ana::logger*) (engine.cc:5716)
==30624==    by 0x17269FE: ana::run_checkers() (engine.cc:5787)
==30624==    by 0x1715F98: (anonymous namespace)::pass_analyzer::execute(function*) (analyzer-pass.cc:87)
==30624==    by 0x127E0DA: execute_one_pass(opt_pass*) (passes.cc:2637)
==30624==  Uninitialised value was created by a stack allocation
==30624==    at 0x1740A89: ana::region_model::get_lvalue_1(ana::path_var, ana::region_model_context*) const (region-model.cc:1690)
==30624==
==30624== Use of uninitialised value of size 8
...

$ x86_64-pc-linux-gnu-gcc -v
Using built-in specs.
COLLECT_GCC=/repo/gcc-trunk/binary-latest-amd64/bin/x86_64-pc-linux-gnu-gcc
COLLECT_LTO_WRAPPER=/repo/gcc-trunk/binary-trunk-r12-7089-20220208123931-g0103c2e4082-checking-yes-rtl-df-extra-amd64/bin/../libexec/gcc/x86_64-pc-linux-gnu/12.0.1/lto-wrapper
Target: x86_64-pc-linux-gnu
Configured with: /repo/gcc-trunk//configure --enable-languages=c,c++ --enable-valgrind-annotations --disable-nls --enable-checking=yes,rtl,df,extra --with-cloog --with-ppl --with-isl --build=x86_64-pc-linux-gnu --host=x86_64-pc-linux-gnu --target=x86_64-pc-linux-gnu --with-ld=/usr/bin/x86_64-pc-linux-gnu-ld --with-as=/usr/bin/x86_64-pc-linux-gnu-as --disable-libstdcxx-pch --prefix=/repo/gcc-trunk//binary-trunk-r12-7089-20220208123931-g0103c2e4082-checking-yes-rtl-df-extra-amd64
Thread model: posix
Supported LTO compression algorithms: zlib zstd
gcc version 12.0.1 20220208 (experimental) (GCC)