analyzer: fix ICE due to sm-state origin being purged (PR 93382)

The ICE in PR analyzer/93382 is a validation error. The global variable "idx" acquires a "tainted" state from local array n1[0]. When the frame is popped, the svalue for n1[0] is purged, but the "taint" sm_state_map's entry for "idx" has a svalue_id referencing the now-purged svalue. This is caught by program_state::validate as an assertion failure. This patch fixes the issue by resetting the origin id within sm_state_map entries for the case where the origin id has been purged. gcc/analyzer/ChangeLog: PR analyzer/93382 * program-state.cc (sm_state_map::on_svalue_purge): If the entry survives, but the origin is being purged, then reset the origin to null. gcc/testsuite/ChangeLog: PR analyzer/93382 * gcc.dg/analyzer/pr93382.c: New test.
2020-01-22 09:37:18 -05:00 · 2020-01-22 09:37:18 -05:00 · 591b59ebfc
commit 591b59ebfc
parent c9c8aef474
4 changed files with 42 additions and 0 deletions
--- a/gcc/analyzer/ChangeLog
+++ b/gcc/analyzer/ChangeLog
@ -1,3 +1,10 @@
+2020-01-22  David Malcolm  <dmalcolm@redhat.com>
+
+	PR analyzer/93382
+	* program-state.cc (sm_state_map::on_svalue_purge): If the
+	entry survives, but the origin is being purged, then reset the
+	origin to null.
+
 2020-01-22  David Malcolm  <dmalcolm@redhat.com>

 	* sm-signal.cc: Fix nesting of CHECKING_P and namespace ana.
--- a/gcc/analyzer/program-state.cc
+++ b/gcc/analyzer/program-state.cc
@ -453,6 +453,11 @@ sm_state_map::on_svalue_purge (const state_machine &sm,

 	  to_remove.safe_push (dst_sid);
 	}
+      else if ((*iter).second.m_origin.as_int () >= first_unused_sid.as_int ())
+	{
+	  /* If the origin svalue is being purged, then reset it to null.  */
+	  (*iter).second.m_origin = svalue_id::null ();
+	}
    }

  int i;
--- a/gcc/testsuite/ChangeLog
+++ b/gcc/testsuite/ChangeLog
@ -1,3 +1,8 @@
+2020-01-22  David Malcolm  <dmalcolm@redhat.com>
+
+	PR analyzer/93382
+	* gcc.dg/analyzer/pr93382.c: New test.
+
 2020-01-22  Andrew Pinski  <apinski@marvell.com>

 	* gcc.dg/tree-ssa/pr88497-1.c: Move to ...
--- a/gcc/testsuite/gcc.dg/analyzer/pr93382.c
+++ b/gcc/testsuite/gcc.dg/analyzer/pr93382.c
@ -0,0 +1,25 @@
+typedef __SIZE_TYPE__ size_t;
+
+int idx;
+void *fp;
+
+size_t
+fread (void *, size_t, size_t, void *);
+
+void
+ql (void)
+{
+  int n1[1];
+
+  fread (n1, sizeof (n1[0]), 1, fp); /* { dg-message "'n1' gets an unchecked value here" } */
+  idx = n1[0]; /* { dg-message "'idx' has an unchecked value here (from 'n1')" */
+}
+
+int arr[10];
+	
+int
+pl (void)
+{
+  ql ();
+  return arr[idx]; /* { dg-warning "use of tainted value 'idx' in array lookup without bounds checking" } */
+}