PR analyzer/93374 reports an ICE within state_change::validate due to an
m_new_sid in a recorded state-change being out of range of the svalues
of the region_model of the new state.
During get_or_create_node we attempt to merge the new state with the
state of each of the existing enodes at the program point (in the
absence of sm-state differences), simplifying the state at each
attempt, and potentially reusing a node if we get a match.
This state-merging invalidates any svalue_ids within any state_change
object.
The root cause is that, although the code was purging any such
svalue_ids for the case where no match was found during merging, it was
failing to purge them for the case where a matching enode *was* found
for the merged state, leading to an invalid state_change along the
exploded_edge to the reused enode.
This patch moves the invalidation code to cover both cases, fixing the
ICE. It also extends state_change validation so that states are also
checked.
gcc/analyzer/ChangeLog:
PR analyzer/93374
* engine.cc (exploded_edge::exploded_edge): Add ext_state param
and pass it to change.validate.
(exploded_graph::get_or_create_node): Move purging of change
svalues to also cover the case of reusing an existing enode.
(exploded_graph::add_edge): Pass m_ext_state to exploded_edge's
ctor.
* exploded-graph.h (exploded_edge::exploded_edge): Add ext_state
param.
* program-state.cc (state_change::sm_change::validate): Likewise.
Assert that m_sm_idx is sane. Use ext_state to validate
m_old_state and m_new_state.
(state_change::validate): Add ext_state param and pass it to
the sm_change validate calls.
* program-state.h (state_change::sm_change::validate): Add
ext_state param.
(state_change::validate): Likewise.
gcc/testsuite/ChangeLog:
PR analyzer/93374
* gcc.dg/analyzer/torture/pr93374.c: New test.
