https://gcc.gnu.org/bugzilla/show_bug.cgi?id=114899
Bug ID: 114899
Summary: Segmentation fault with -fsanitize=undefined and -fanalyzer since r14-2029-g0e466e978c7
Product: gcc
Version: 14.0
Status: UNCONFIRMED
Severity: normal
Priority: P3
Component: analyzer
Assignee: dmalcolm at gcc dot gnu.org
Reporter: iamanonymous.cs at gmail dot com
Target Milestone: ---

Compiler Explorer: https://godbolt.org/z/v8c4csjTE

Bisected to r14-2029-g0e466e978c7

*******************************************************************************
OS and Platform:
$ uname -a:
Linux ubuntu 4.15.0-213-generic #224-Ubuntu SMP Mon Jun 19 13:30:12 UTC 2023 x86_64 x86_64 x86_64 GNU/Linux
*******************************************************************************
gcc version:
$ gcc -v
Using built-in specs.
COLLECT_GCC=/root/gcc_set/202404101100/bin/gcc
COLLECT_LTO_WRAPPER=/root/gcc_set/202404101100/libexec/gcc/x86_64-pc-linux-gnu/14.0.1/lto-wrapper
Target: x86_64-pc-linux-gnu
Configured with: ../gcc/configure --prefix=/root/gcc_set/202404101100 --with-gmp=/root/build_essential --with-mpfr=/root/build_essential --with-mpc=/root/build_essential --enable-languages=c,c++ --disable-multilib --with-sanitizer=address,undefined,thread,leak
Thread model: posix
Supported LTO compression algorithms: zlib
gcc version 14.0.1 20240410 (experimental) (GCC)
git version: 0774240b4df9a9bc48ce33a9625788e402498f5a
*******************************************************************************
Program:
$ cat mutant.c
void a() {
  int *b = __builtin_malloc(0); int *c = b - 1;
  ++*c;
}
*******************************************************************************
Command Lines:
$ gcc -fsanitize=undefined -fanalyzer -c mutant.c
mutant.c: In function ‘a’:
mutant.c:3:3: warning: heap-based buffer underwrite [CWE-124] [-Wanalyzer-out-of-bounds]
    3 |   ++*c;
      |   ^~~~
  ‘a’: events 1-2
    |
    |    2 |   int *b = __builtin_malloc(0), *c = b - 1;
    |      |            ^~~~~~~~~~~~~~~~~~~
    |      |            |
    |      |            (1) capacity: 0 bytes
    |    3 |   ++*c;
    |      |   ~~~~
    |      |   |
    |      |   (2) out-of-bounds write from byte -4 till byte -1 but region starts at byte 0
    |
during IPA pass: analyzer
mutant.c:3:3: internal compiler error: Segmentation fault
    3 |   ++*c;
      |   ^~~~
0x1043a4f crash_signal
	../../gcc/gcc/toplev.cc:319
0x216f0e6 ana::written_svalue_spatial_item::get_label_string(text_art::style_manager&) const
	../../gcc/gcc/analyzer/access-diagram.cc:1632
0x216f290 ana::written_svalue_spatial_item::make_table(ana::bit_to_table_map const&, text_art::style_manager&) const
	../../gcc/gcc/analyzer/access-diagram.cc:1620
0x2170348 ana::access_diagram_impl::access_diagram_impl(ana::access_operation const&, diagnostic_event_id_t, text_art::style_manager&, text_art::theme const&, ana::logger*)
	../../gcc/gcc/analyzer/access-diagram.cc:2131
0x2165157 std::enable_if<!std::is_array<ana::access_diagram_impl>::value, std::unique_ptr<ana::access_diagram_impl, std::default_delete<ana::access_diagram_impl> > >::type make_unique<ana::access_diagram_impl, ana::access_operation const&, diagnostic_event_id_t&, text_art::style_manager&, text_art::theme const&, ana::logger*&>(ana::access_operation const&, diagnostic_event_id_t&, text_art::style_manager&, text_art::theme const&, ana::logger*&)
	../../gcc/gcc/make-unique.h:41
0x2165157 ana::access_diagram::access_diagram(ana::access_operation const&, diagnostic_event_id_t, text_art::style_manager&, text_art::theme const&, ana::logger*)
	../../gcc/gcc/analyzer/access-diagram.cc:2679
0x2176727 ana::out_of_bounds::make_access_diagram(ana::access_operation const&, text_art::style_manager&, text_art::theme const&, ana::logger*) const
	../../gcc/gcc/analyzer/bounds-checking.cc:208
0x2176727 ana::out_of_bounds::maybe_show_diagram(ana::logger*) const
	../../gcc/gcc/analyzer/bounds-checking.cc:187
0x2176c51 ana::concrete_buffer_underwrite::emit(ana::diagnostic_emission_context&)
	../../gcc/gcc/analyzer/bounds-checking.cc:694
0x219c5c1 ana::diagnostic_manager::emit_saved_diagnostic(ana::exploded_graph const&, ana::saved_diagnostic&)
	../../gcc/gcc/analyzer/diagnostic-manager.cc:1617
0x21a02ed ana::dedupe_winners::emit_best(ana::diagnostic_manager*, ana::exploded_graph const&)
	../../gcc/gcc/analyzer/diagnostic-manager.cc:1472
0x219cb35 ana::diagnostic_manager::emit_saved_diagnostics(ana::exploded_graph const&)
	../../gcc/gcc/analyzer/diagnostic-manager.cc:1524
0x1453c7b ana::impl_run_checkers(ana::logger*)
	../../gcc/gcc/analyzer/engine.cc:6227
0x1454bb6 ana::run_checkers()
	../../gcc/gcc/analyzer/engine.cc:6308
0x1443a98 execute
	../../gcc/gcc/analyzer/analyzer-pass.cc:87
Please submit a full bug report, with preprocessed source (by using -freport-bug).
Please include the complete backtrace with any bug report.
See <https://gcc.gnu.org/bugs/> for instructions.
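The analyzer's warning above reasons in byte ranges: a write of sizeof(int) bytes at element -1 of a 0-byte allocation covers bytes -4 through -1, while the region only starts at byte 0 (the ICE then happens while drawing the diagram for that range, not while computing it). The following is an added example, not code from the bug report or from GCC, that performs the same capacity-based range check at run time so a store is refused rather than written out of bounds. The function names `check_access` and `checked_store` and the `access_status` enum are assumptions of this example; the constants in `main` mirror the reproducer (capacity 0, element -1).

```c
/* Added example (not part of the bug report or of GCC): a byte-range bounds
   check that mirrors the analyzer's "from byte X till byte Y but region
   starts at byte 0" reasoning for the mutant.c reproducer. */
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>

/* Outcome of checking one access against an allocation's capacity. */
enum access_status {
    ACCESS_OK,
    ACCESS_UNDERWRITE,   /* starts before byte 0 (CWE-124 when it is a write) */
    ACCESS_OVERFLOW      /* ends past the last byte of the region */
};

/* Classify an access to element `idx` of `elem_size`-byte elements inside a
   region of `capacity` bytes. On return *first/*last hold the byte range the
   access would touch, in the same wording the analyzer prints. */
enum access_status check_access(size_t capacity, long idx, size_t elem_size,
                                long *first, long *last)
{
    long start = idx * (long)elem_size;          /* first byte touched */
    long end = start + (long)elem_size - 1;      /* last byte touched */
    *first = start;
    *last = end;
    if (start < 0)
        return ACCESS_UNDERWRITE;                /* e.g. bytes -4..-1 */
    if ((unsigned long)end >= capacity)          /* end >= 0 here, cast is safe */
        return ACCESS_OVERFLOW;                  /* capacity 0 rejects everything */
    return ACCESS_OK;
}

/* Store `value` at element `idx` of an int buffer only if the access is in
   bounds; returns 1 on success, 0 if the store was refused. */
int checked_store(int *buf, size_t capacity, long idx, int value)
{
    long first, last;
    if (check_access(capacity, idx, sizeof *buf, &first, &last) != ACCESS_OK)
        return 0;
    buf[idx] = value;
    return 1;
}

int main(void)
{
    /* Same shape as the reproducer: a 0-byte allocation and element -1.
       malloc(0) may legally return NULL or a unique pointer; either way no
       byte of it may be written, and the check below refuses the store. */
    size_t capacity = 0;
    int *b = malloc(capacity);
    long first, last;
    enum access_status st = check_access(capacity, -1, sizeof(int), &first, &last);
    printf("write from byte %ld till byte %ld but region has %zu bytes: %s\n",
           first, last, capacity,
           st == ACCESS_UNDERWRITE ? "underwrite"
           : st == ACCESS_OVERFLOW ? "overflow" : "ok");
    free(b);   /* free(NULL) is a no-op */
    return 0;
}
```

Compiling this example with `-fanalyzer` produces no out-of-bounds warning, because the only dereference is guarded by the same range comparison the analyzer performs symbolically; the reproducer differs precisely in dereferencing `b - 1` unconditionally.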