path: root/gcc/analyzer/program-state.cc
author: David Malcolm <dmalcolm@redhat.com> 2020-02-11 10:52:40 -0500
committer: David Malcolm <dmalcolm@redhat.com> 2020-02-11 13:37:09 -0500
commit: a60d98890bba58649c26c2fc0c6f28cd6073aaaf
tree: 4190ab686737a81d48cae59ee72740f5d0abcffa /gcc/analyzer/program-state.cc
parent: a0e4929b0461226722d6d08b1fdc2852b9100b75
analyzer: fix ICE due to missing state_change purging (PR 93374)

PR analyzer/93374 reports an ICE within state_change::validate due to an m_new_sid in a recorded state-change being out of range of the svalues of the region_model of the new state.

During get_or_create_node we attempt to merge the new state with the state of each of the existing enodes at the program point (in the absence of sm-state differences), simplifying the state at each attempt, and potentially reusing a node if we get a match.

This state-merging invalidates any svalue_ids within any state_change object.

The root cause is that, although the code was purging any such svalue_ids for the case where no match was found during merging, it was failing to purge them for the case where a matching enode *was* found for the merged state, leading to an invalid state_change along the exploded_edge to the reused enode.

This patch moves the invalidation code to cover both cases, fixing the ICE. It also extends state_change validation so that states are also checked.

gcc/analyzer/ChangeLog:
  PR analyzer/93374
  * engine.cc (exploded_edge::exploded_edge): Add ext_state param and pass it to change.validate.
  (exploded_graph::get_or_create_node): Move purging of change svalues to also cover the case of reusing an existing enode.
  (exploded_graph::add_edge): Pass m_ext_state to exploded_edge's ctor.
  * exploded-graph.h (exploded_edge::exploded_edge): Add ext_state param.
  * program-state.cc (state_change::sm_change::validate): Likewise. Assert that m_sm_idx is sane. Use ext_state to validate m_old_state and m_new_state.
  (state_change::validate): Add ext_state param and pass it to the sm_change validate calls.
  * program-state.h (state_change::sm_change::validate): Add ext_state param.
  (state_change::validate): Likewise.

gcc/testsuite/ChangeLog:
  PR analyzer/93374
  * gcc.dg/analyzer/torture/pr93374.c: New test.

Diffstat (limited to 'gcc/analyzer/program-state.cc')
-rw-r--r-- gcc/analyzer/program-state.cc 12
1 files changed, 9 insertions, 3 deletions
diff --git a/gcc/analyzer/program-state.cc b/gcc/analyzer/program-state.cc
index 4c0b9a8..82b921e 100644
--- a/gcc/analyzer/program-state.cc
+++ b/gcc/analyzer/program-state.cc
@@ -1083,8 +1083,13 @@ state_change::sm_change::on_svalue_purge (svalue_id first_unused_sid)
/* Assert that this object is sane. */
void
-state_change::sm_change::validate (const program_state &new_state) const
+state_change::sm_change::validate (const program_state &new_state,
+ const extrinsic_state &ext_state) const
{
+ gcc_assert ((unsigned)m_sm_idx < ext_state.get_num_checkers ());
+ const state_machine &sm = ext_state.get_sm (m_sm_idx);
+ sm.validate (m_old_state);
+ sm.validate (m_new_state);
m_new_sid.validate (*new_state.m_region_model);
}
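Review bot: In the new gcc_assert in state_change::sm_change::validate, the bounds check leans on the `(unsigned)m_sm_idx` cast without saying why. If m_sm_idx is a signed type, the cast is what makes a negative index fail the `<` comparison against get_num_checkers (), and that intent is easy to lose in a later cleanup. A one-line comment, or an explicit non-negative check alongside the upper bound, would make it clear. GNU style also puts a space after a cast, i.e. `(unsigned) m_sm_idx`. Doing the assert before the ext_state.get_sm (m_sm_idx) lookup is the right order and should stay that way.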
@@ -1191,7 +1196,8 @@ state_change::on_svalue_purge (svalue_id first_unused_sid)
/* Assert that this object is sane. */
void
-state_change::validate (const program_state &new_state) const
+state_change::validate (const program_state &new_state,
+ const extrinsic_state &ext_state) const
{
/* Skip this in a release build. */
#if !CHECKING_P
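Review bot: The comment above state_change::validate is still just "Assert that this object is sane." although the signature now takes ext_state. Please say what the new parameter is for: per the following hunk it is forwarded to each sm_change so that the state-machine index and the old and new states can be checked, and the comment on sm_change::validate in the first hunk would benefit from the same sentence.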
@@ -1200,7 +1206,7 @@ state_change::validate (const program_state &new_state) const
unsigned i;
sm_change *change;
FOR_EACH_VEC_ELT (m_sm_changes, i, change)
- change->validate (new_state);
+ change->validate (new_state, ext_state);
}
#if CHECKING_P