authorDavid Malcolm <dmalcolm@redhat.com>2020-02-26 16:32:16 -0500
committerDavid Malcolm <dmalcolm@redhat.com>2020-02-26 21:05:43 -0500
commit71b633aaea3aac2d983da7b1b99da8c9a8c80d1a (patch)
treee484d6136446da15527183412fc23ab35b0b8e03 /gcc
parent0ba70d1b5ae8df6406a880b2d23e4710b393e8c9 (diff)
analyzer: fix ICE with -Wanalyzer-null-dereference [PR 93950]
PR analyzer/93950 reports an ICE when pruning the path of a -Wanalyzer-null-dereference diagnostic. The root cause is a bug in the state-tracking code, in which the variable of interest is tracked from the callee to a "nullptr" param at the caller, whereupon we have an INTEGER_CST "variable", and the attempt to look up its lvalue fails. This code could use a rewrite; in the meantime this patch extends the bulletproofing from g:8525d1f5f57b11fe04a97674cc2fc2b7727621d0 for PR analyzer/93544 to all of the various places where var can be updated, fixing the ICE. gcc/analyzer/ChangeLog: PR analyzer/93950 * diagnostic-manager.cc (diagnostic_manager::prune_for_sm_diagnostic): Assert that var is either NULL or not a constant. When updating var, bulletproof against constant values. gcc/testsuite/ChangeLog: PR analyzer/93950 * g++.dg/analyzer/pr93950.C: New test.
Diffstat (limited to 'gcc')
-rw-r--r--gcc/analyzer/ChangeLog8
-rw-r--r--gcc/analyzer/diagnostic-manager.cc16
-rw-r--r--gcc/testsuite/ChangeLog5
-rw-r--r--gcc/testsuite/g++.dg/analyzer/pr93950.C28
4 files changed, 57 insertions, 0 deletions
diff --git a/gcc/analyzer/ChangeLog b/gcc/analyzer/ChangeLog
index 92377be..5fbaec3 100644
--- a/gcc/analyzer/ChangeLog
+++ b/gcc/analyzer/ChangeLog
@@ -1,5 +1,13 @@
2020-02-26 David Malcolm <dmalcolm@redhat.com>
+ PR analyzer/93950
+ * diagnostic-manager.cc
+ (diagnostic_manager::prune_for_sm_diagnostic): Assert that var is
+ either NULL or not a constant. When updating var, bulletproof
+ against constant values.
+
+2020-02-26 David Malcolm <dmalcolm@redhat.com>
+
PR analyzer/93947
* region-model.cc (region_model::get_fndecl_for_call): Gracefully
fail for fn_decls that don't have a cgraph_node.
diff --git a/gcc/analyzer/diagnostic-manager.cc b/gcc/analyzer/diagnostic-manager.cc
index 78c5890..b8e5933 100644
--- a/gcc/analyzer/diagnostic-manager.cc
+++ b/gcc/analyzer/diagnostic-manager.cc
@@ -1105,6 +1105,7 @@ diagnostic_manager::prune_for_sm_diagnostic (checker_path *path,
else
log ("considering event %i", idx);
}
+ gcc_assert (var == NULL || !CONSTANT_CLASS_P (var));
switch (base_event->m_kind)
{
default:
@@ -1164,6 +1165,11 @@ diagnostic_manager::prune_for_sm_diagnostic (checker_path *path,
log ("event %i: switching var of interest from %qE to %qE",
idx, var, state_change->m_origin);
var = state_change->m_origin;
+ if (var && CONSTANT_CLASS_P (var))
+ {
+ log ("new var is a constant; setting var to NULL");
+ var = NULL_TREE;
+ }
}
log ("event %i: switching state of interest from %qs to %qs",
idx, sm->get_state_name (state_change->m_to),
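Review bot: The guard added after `var = state_change->m_origin;` is repeated verbatim at the two other places this function reassigns var (the caller_var and callee_var assignments in the following two hunks), including the same "new var is a constant; setting var to NULL" log string and the NULL_TREE reset. Three hand-copied copies of a check that exists to keep a later lvalue lookup from ICEing will drift apart the next time another update site is added. A small helper that takes the tree and the logger and returns either the tree or NULL_TREE would keep the rule in one place; since `log` here appears to be the log_user member, a private member function of diagnostic_manager looks like the natural home, but that needs the header and I cannot see it from this hunk. The enclosing function prune_for_sm_diagnostic begins before and ends after this hunk.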
@@ -1260,6 +1266,11 @@ diagnostic_manager::prune_for_sm_diagnostic (checker_path *path,
var = caller_var;
if (expr.param_p ())
event->record_critical_state (var, state);
+ if (var && CONSTANT_CLASS_P (var))
+ {
+ log ("new var is a constant; setting var to NULL");
+ var = NULL_TREE;
+ }
}
}
break;
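Review bot: The new constant guard runs after `event->record_critical_state (var, state);`, so when caller_var is a constant the event has already recorded that constant as its critical state before var is reset to NULL_TREE; the callee_var hunk below has the same ordering. Whether that matters depends on what record_critical_state does with a constant tree, which is outside this hunk, but it leaves the recorded state and the tracked var disagreeing for that event. If the recorded value is meant to match the tracked var, placing the guard directly after `var = caller_var;` and before the `if (expr.param_p ())` line keeps them consistent, with a comment on the guard stating why a constant is dropped (the later lvalue lookup cannot handle it). The enclosing switch and function continue outside this hunk.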
@@ -1285,6 +1296,11 @@ diagnostic_manager::prune_for_sm_diagnostic (checker_path *path,
var = callee_var;
if (expr.return_value_p ())
event->record_critical_state (var, state);
+ if (var && CONSTANT_CLASS_P (var))
+ {
+ log ("new var is a constant; setting var to NULL");
+ var = NULL_TREE;
+ }
}
}
}
diff --git a/gcc/testsuite/ChangeLog b/gcc/testsuite/ChangeLog
index c6158b3..d8a403e 100644
--- a/gcc/testsuite/ChangeLog
+++ b/gcc/testsuite/ChangeLog
@@ -1,5 +1,10 @@
2020-02-26 David Malcolm <dmalcolm@redhat.com>
+ PR analyzer/93950
+ * g++.dg/analyzer/pr93950.C: New test.
+
+2020-02-26 David Malcolm <dmalcolm@redhat.com>
+
PR analyzer/93947
* gcc.dg/analyzer/torture/pr93947.c: New test.
diff --git a/gcc/testsuite/g++.dg/analyzer/pr93950.C b/gcc/testsuite/g++.dg/analyzer/pr93950.C
new file mode 100644
index 0000000..e280817
--- /dev/null
+++ b/gcc/testsuite/g++.dg/analyzer/pr93950.C
@@ -0,0 +1,28 @@
+// { dg-do compile { target c++11 } }
+
+struct d
+{
+ struct e
+ {
+ int f;
+ int *g;
+ };
+ void h (e * i)
+ {
+ void *j = nullptr; // { dg-bogus "NULL" "" { xfail *-*-* } }
+ // TODO(xfail): we report "'i' is NULL" above, which is the wrong location
+
+ i->f = *i->g; // { dg-warning "dereference of NULL 'i'" }
+ }
+ virtual void c (int, int)
+ {
+ int *j = nullptr;
+ h (nullptr);
+ }
+};
+
+void
+foo ()
+{
+ d ();
+}