analyzer: fix ICE due to sm-state origin being purged (PR 93382)

The ICE in PR analyzer/93382 is a validation error. The global variable "idx" acquires a "tainted" state from local array n1[0]. When the frame is popped, the svalue for n1[0] is purged, but the "taint" sm_state_map's entry for "idx" has a svalue_id referencing the now-purged svalue. This is caught by program_state::validate as an assertion failure. This patch fixes the issue by resetting the origin id within sm_state_map entries for the case where the origin id has been purged. gcc/analyzer/ChangeLog: PR analyzer/93382 * program-state.cc (sm_state_map::on_svalue_purge): If the entry survives, but the origin is being purged, then reset the origin to null. gcc/testsuite/ChangeLog: PR analyzer/93382 * gcc.dg/analyzer/pr93382.c: New test.

analyzer: fix ICE due to sm-state origin being purged (PR 93382)
The ICE in PR analyzer/93382 is a validation error. The global variable "idx" acquires a "tainted" state from local array n1[0]. When the frame is popped, the svalue for n1[0] is purged, but the "taint" sm_state_map's entry for "idx" has a svalue_id referencing the now-purged svalue. This is caught by program_state::validate as an assertion failure. This patch fixes the issue by resetting the origin id within sm_state_map entries for the case where the origin id has been purged. gcc/analyzer/ChangeLog: PR analyzer/93382 * program-state.cc (sm_state_map::on_svalue_purge): If the entry survives, but the origin is being purged, then reset the origin to null. gcc/testsuite/ChangeLog: PR analyzer/93382 * gcc.dg/analyzer/pr93382.c: New test.
591b59eb · David Malcolm · c9c8aef4 · 591b59eb · 591b59eb · 591b59eb
Commit 591b59eb authored Jan 22, 2020 by David Malcolm
Hide whitespace changes
Inline Side-by-side

Showing with 42 additions and 0 deletions

gcc/analyzer/ChangeLog
+7 -0

gcc/analyzer/program-state.cc
+5 -0

gcc/testsuite/ChangeLog
+5 -0

gcc/testsuite/gcc.dg/analyzer/pr93382.c
+25 -0

No files found.
--- a/gcc/analyzer/ChangeLog
+++ b/gcc/analyzer/ChangeLog
 2020-01-22  David Malcolm  <dmalcolm@redhat.com>
+	PR analyzer/93382
+	* program-state.cc (sm_state_map::on_svalue_purge): If the
+	entry survives, but the origin is being purged, then reset the
+	origin to null.
+2020-01-22  David Malcolm  <dmalcolm@redhat.com>
 	* sm-signal.cc: Fix nesting of CHECKING_P and namespace ana.
 2020-01-22  David Malcolm  <dmalcolm@redhat.com>

--- a/gcc/analyzer/program-state.cc
+++ b/gcc/analyzer/program-state.cc
@@ -453,6 +453,11 @@ sm_state_map::on_svalue_purge (const state_machine &sm,
 	  to_remove.safe_push (dst_sid);
 	}
+      else if ((*iter).second.m_origin.as_int () >= first_unused_sid.as_int ())
+	{
+	  /* If the origin svalue is being purged, then reset it to null.  */
+	  (*iter).second.m_origin = svalue_id::null ();
+	}
    }
  int i;

--- a/gcc/testsuite/ChangeLog
+++ b/gcc/testsuite/ChangeLog
+2020-01-22  David Malcolm  <dmalcolm@redhat.com>
+	PR analyzer/93382
+	* gcc.dg/analyzer/pr93382.c: New test.
 2020-01-22  Andrew Pinski  <apinski@marvell.com>
 	* gcc.dg/tree-ssa/pr88497-1.c: Move to ...

--- a/gcc/testsuite/gcc.dg/analyzer/pr93382.c
+++ b/gcc/testsuite/gcc.dg/analyzer/pr93382.c
+typedef __SIZE_TYPE__ size_t;
+int idx;
+void *fp;
+size_t
+fread (void *, size_t, size_t, void *);
+void
+ql (void)
+{
+  int n1[1];
+  fread (n1, sizeof (n1[0]), 1, fp); /* { dg-message "'n1' gets an unchecked value here" } */
+  idx = n1[0]; /* { dg-message "'idx' has an unchecked value here (from 'n1')" */
+}
+int arr[10];
+int
+pl (void)
+{
+  ql ();
+  return arr[idx]; /* { dg-warning "use of tainted value 'idx' in array lookup without bounds checking" } */
+}