analyzer: fix ICE on escaped unknown pointers [PR96611]

PR analyzer/96611 reports an ICE within the handling for unknown functions, when passing a pointer to something accessed via a global pointer, after an unknown function has already been called. The first unknown function leads to the store being flagged, so the access to the global pointer leads to (*unknown_svalue) for the base region of the argument to the 2nd function, and thus *unknown_svalue being reachable by the 2nd unknown function, triggering an assertion failure. Handle this case by rejecting attempts to get a cluster for the unknown pointer, fixing the ICE. gcc/analyzer/ChangeLog: PR analyzer/96611 * store.cc (store::mark_as_escaped): Reject attempts to get a cluster for an unknown pointer. gcc/testsuite/ChangeLog: PR analyzer/96611 * gcc.dg/analyzer/pr96611.c: New test.
2020-08-14 10:48:30 -04:00 · 2020-08-14 10:48:30 -04:00 · ee88b53606
commit ee88b53606
parent 7e62503862
2 changed files with 17 additions and 0 deletions
--- a/gcc/analyzer/store.cc
+++ b/gcc/analyzer/store.cc
@ -1691,6 +1691,9 @@ store::mark_as_escaped (const region *base_reg)
  gcc_assert (base_reg);
  gcc_assert (base_reg->get_base_region () == base_reg);

+  if (base_reg->symbolic_for_unknown_ptr_p ())
+    return;
+
  binding_cluster *cluster = get_or_create_cluster (base_reg);
  cluster->mark_as_escaped ();
 }
--- a/gcc/testsuite/gcc.dg/analyzer/pr96611.c
+++ b/gcc/testsuite/gcc.dg/analyzer/pr96611.c
@ -0,0 +1,14 @@
+struct s { int a; } *ptr;
+void unknown_int_ptr (int *);
+void unknown_void (void);
+
+void test_1 ()
+{
+  unknown_int_ptr (&ptr->a);
+}
+
+void test_2 ()
+{
+  unknown_void ();
+  unknown_int_ptr (&ptr->a);
+}