https://gcc.gnu.org/bugzilla/show_bug.cgi?id=93438
--- Comment #2 from CVS Commits <cvs-commit at gcc dot gnu.org> --- The master branch has been updated by David Malcolm <dmalc...@gcc.gnu.org>: https://gcc.gnu.org/g:455f58ec50465aed9d92dc31d68708a05e499388 commit r10-6382-g455f58ec50465aed9d92dc31d68708a05e499388 Author: David Malcolm <dmalc...@redhat.com> Date: Fri Jan 31 09:20:38 2020 -0500 analyzer: fix ICE with pointers between stack frames (PR 93438) PR analyzer/93438 reports an ICE when merging two region_models in which an older stack frame has a local pointing to a local in a more recent stack frame. stack older frame int *: "ow" --+ | newer frame | int: "pk" <---+ The root cause is that the state-merging code assumes that all frame regions in the merged model have already been created. stack_region::can_merge_p iterates through the frames, creating and populating each merged frame in turn, so when it attempts to populate the older frame, it attempts to reference the newer frame in the merged model, which doesn't exist yet. This patch reworks stack_region::can_merge_p to use a two-pass approach in which all frames in the merged model are created first, and then are all populated, fixing the bug. gcc/analyzer/ChangeLog: PR analyzer/93438 * region-model.cc (stack_region::can_merge_p): Split into a two pass approach, creating all stack regions first, then populating them. (selftest::test_state_merging): Add test coverage for (a) the case of self-merging a model in which a local in an older stack frame points to a local in a more recent stack frame (which previously would ICE), and (b) the case of self-merging a model in which a local points to a global (which previously worked OK). gcc/testsuite/ChangeLog: PR analyzer/93438 * gcc.dg/analyzer/torture/pr93438.c: New test. * gcc.dg/analyzer/torture/pr93438-2.c: New test.
