author | David Malcolm <dmalcolm@redhat.com> | 2020-01-22 09:37:18 -0500 |
---|---|---|
committer | David Malcolm <dmalcolm@redhat.com> | 2020-01-22 21:06:45 -0500 |
commit | 591b59ebfcd48319452ebbd954267c9a05ba4b78 (patch) | |
tree | d88634f931c2c79ee54704f59c8f9e86e6ef82f1 | |
parent | c9c8aef474f4030e9d11d7fb81ad77de2eb5bf3b (diff) | |
analyzer: fix ICE due to sm-state origin being purged (PR 93382)
The ICE in PR analyzer/93382 is a validation error.
The global variable "idx" acquires a "tainted" state from local array
n1[0]. When the frame is popped, the svalue for n1[0] is purged, but
the "taint" sm_state_map's entry for "idx" has a svalue_id referencing
the now-purged svalue. This is caught by program_state::validate as an
assertion failure.
This patch fixes the issue by resetting the origin id within
sm_state_map entries for the case where the origin id has been purged.
gcc/analyzer/ChangeLog:
PR analyzer/93382
* program-state.cc (sm_state_map::on_svalue_purge): If the
entry survives, but the origin is being purged, then reset the
origin to null.
gcc/testsuite/ChangeLog:
PR analyzer/93382
* gcc.dg/analyzer/pr93382.c: New test.
-rw-r--r-- | gcc/analyzer/ChangeLog | 7 | ||||
-rw-r--r-- | gcc/analyzer/program-state.cc | 5 | ||||
-rw-r--r-- | gcc/testsuite/ChangeLog | 5 | ||||
-rw-r--r-- | gcc/testsuite/gcc.dg/analyzer/pr93382.c | 25 |
4 files changed, 42 insertions, 0 deletions
diff --git a/gcc/analyzer/ChangeLog b/gcc/analyzer/ChangeLog
index 52d959d2..16613e4 100644
--- a/gcc/analyzer/ChangeLog
+++ b/gcc/analyzer/ChangeLog
@@ -1,5 +1,12 @@
 2020-01-22 David Malcolm <dmalcolm@redhat.com>
+ PR analyzer/93382
+ * program-state.cc (sm_state_map::on_svalue_purge): If the
+ entry survives, but the origin is being purged, then reset the
+ origin to null.
+
+2020-01-22 David Malcolm <dmalcolm@redhat.com>
+
 * sm-signal.cc: Fix nesting of CHECKING_P and namespace ana.
 2020-01-22 David Malcolm <dmalcolm@redhat.com>
diff --git a/gcc/analyzer/program-state.cc b/gcc/analyzer/program-state.cc
index 72daee6..ba19ad1 100644
--- a/gcc/analyzer/program-state.cc
+++ b/gcc/analyzer/program-state.cc
@@ -453,6 +453,11 @@ sm_state_map::on_svalue_purge (const state_machine &sm,
 to_remove.safe_push (dst_sid);
 }
+ else if ((*iter).second.m_origin.as_int () >= first_unused_sid.as_int ())
+ {
+ /* If the origin svalue is being purged, then reset it to null. */
+ (*iter).second.m_origin = svalue_id::null ();
+ }
 }
 int i;
diff --git a/gcc/testsuite/ChangeLog b/gcc/testsuite/ChangeLog
index 5160e86..eeeb120 100644
--- a/gcc/testsuite/ChangeLog
+++ b/gcc/testsuite/ChangeLog
@@ -1,3 +1,8 @@
+2020-01-22 David Malcolm <dmalcolm@redhat.com>
+
+ PR analyzer/93382
+ * gcc.dg/analyzer/pr93382.c: New test.
+
 2020-01-22 Andrew Pinski <apinski@marvell.com>
 * gcc.dg/tree-ssa/pr88497-1.c: Move to ...
diff --git a/gcc/testsuite/gcc.dg/analyzer/pr93382.c b/gcc/testsuite/gcc.dg/analyzer/pr93382.c
new file mode 100644
index 0000000..7d18d16
--- /dev/null
+++ b/gcc/testsuite/gcc.dg/analyzer/pr93382.c
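Review bot: The new `else if` branch in program-state.cc silently discards the taint origin rather than remapping or recording that it was lost, so a diagnostic emitted after the frame is popped can no longer attribute the tainted value to its source; that is a reasonable trade-off for fixing the validation failure, but the comment should say so, e.g. `/* If the origin svalue is being purged, reset it to null; diagnostics for this entry will then lack their "from X" provenance.  */`. The branch also repeats the `as_int () >= first_unused_sid.as_int ()` test used for `dst_sid` two lines above, so a small `is_purged (svalue_id)` predicate shared by both checks would keep the purge boundary defined in one place. The enclosing `sm_state_map::on_svalue_purge` starts and ends outside the hunk.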
@@ -0,0 +1,25 @@
+typedef __SIZE_TYPE__ size_t;
+
+int idx;
+void *fp;
+
+size_t
+fread (void *, size_t, size_t, void *);
+
+void
+ql (void)
+{
+ int n1[1];
+
+ fread (n1, sizeof (n1[0]), 1, fp); /* { dg-message "'n1' gets an unchecked value here" } */
+ idx = n1[0]; /* { dg-message "'idx' has an unchecked value here (from 'n1')" */
+}
+
+int arr[10];
+
+int
+pl (void)
+{
+ ql ();
+ return arr[idx]; /* { dg-warning "use of tainted value 'idx' in array lookup without bounds checking" } */
+} |
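Review bot: The `dg-message` directive on the `idx = n1[0];` line is missing its closing `}` before `*/`, unlike the other two directives in the file, so the DejaGnu harness most likely never matches that message and the test passes without checking the very provenance text ("from 'n1'") that this fix affects. The corrected line would be `idx = n1[0]; /* { dg-message "'idx' has an unchecked value here (from 'n1')" } */`; enabling it would also show whether the message still names 'n1' once the origin has been reset to null on frame pop, which the commit message does not say.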