https://gcc.gnu.org/bugzilla/show_bug.cgi?id=117609

            Bug ID: 117609
           Summary: [14/15 Regression] ICE: SIGSEGV in fold_convert_const
                    (fold-const.cc:2486) with -fanalyzer -frounding-math
                    and __builtin_memmove()
           Product: gcc
           Version: 15.0
            Status: UNCONFIRMED
          Keywords: ice-on-valid-code
          Severity: normal
          Priority: P3
         Component: analyzer
          Assignee: dmalcolm at gcc dot gnu.org
          Reporter: zsojka at seznam dot cz
  Target Milestone: ---
              Host: x86_64-pc-linux-gnu
            Target: x86_64-pc-linux-gnu

Created attachment 59603
  --> https://gcc.gnu.org/bugzilla/attachment.cgi?id=59603&action=edit
reduced testcase

Compiler output:
$ x86_64-pc-linux-gnu-gcc -fanalyzer -frounding-math testcase.c -wrapper valgrind,-q,--num-callers=100
==27149== Invalid read of size 2
==27149==    at 0x11A97BE: fold_convert_const(tree_code, tree_node*,
tree_node*) (fold-const.cc:2486)
==27149==    by 0x11BF592: fold_unary_loc(unsigned int, tree_code, tree_node*,
tree_node*) (fold-const.cc:9634)
==27149==    by 0x1A7B68B:
ana::region_model_manager::maybe_fold_unaryop(tree_node*, tree_code,
ana::svalue const*) (region-model-manager.cc:514)
==27149==    by 0x1A7BA4A:
ana::region_model_manager::get_or_create_unaryop(tree_node*, tree_code,
ana::svalue const*) (region-model-manager.cc:543)
==27149==    by 0x2C2D80E: ana::strip_types(ana::svalue const*,
ana::region_model_manager&) (bounds-checking.cc:1285)
==27149==    by 0x2C2DB5D: ana::region_model::check_symbolic_bounds(ana::region
const*, ana::svalue const*, ana::svalue const*, ana::svalue const*,
ana::access_direction, ana::svalue const*, ana::region_model_context*) const
(bounds-checking.cc:1411)
==27149==    by 0x2C2DE45: ana::region_model::check_region_bounds(ana::region
const*, ana::access_direction, ana::svalue const*, ana::region_model_context*)
const (bounds-checking.cc:1520)
==27149==    by 0x1A510F9: check_region_access (region-model.cc:3348)
==27149==    by 0x1A510F9: check_region_access (region-model.cc:3337)
==27149==    by 0x1A510F9: check_region_for_read (region-model.cc:3382)
==27149==    by 0x1A510F9: check_region_for_read (region-model.cc:3379)
==27149==    by 0x1A510F9: ana::region_model::get_store_value(ana::region
const*, ana::region_model_context*) const [clone .part.0]
(region-model.cc:2926)
==27149==    by 0x1A58102: get_store_value (region-model.cc:2922)
==27149==    by 0x1A58102: read_bytes (region-model.cc:4734)
==27149==    by 0x1A58102: ana::region_model::read_bytes(ana::region const*,
tree_node*, ana::svalue const*, ana::region_model_context*) const
(region-model.cc:4725)
==27149==    by 0x1A5B104: ana::region_model::copy_bytes(ana::region const*,
ana::region const*, tree_node*, ana::svalue const*, ana::region_model_context*)
(region-model.cc:4753)
==27149==    by 0x1A54DD7: ana::region_model::on_call_pre(gcall const*,
ana::region_model_context*) (region-model.cc:1954)
==27149==    by 0x1A58CEA: ana::region_model::on_stmt_pre(gimple const*, bool*,
ana::region_model_context*) (region-model.cc:1591)
==27149==    by 0x1A1E540: ana::exploded_node::on_stmt(ana::exploded_graph&,
ana::supernode const*, gimple const*, ana::program_state*, ana::uncertainty_t*,
bool*, ana::path_context*) (engine.cc:1538)
==27149==    by 0x1A212E1:
ana::exploded_graph::process_node(ana::exploded_node*) (engine.cc:4153)
==27149==    by 0x1A2225A: ana::exploded_graph::process_worklist()
(engine.cc:3542)
==27149==    by 0x1A24850: ana::impl_run_checkers(ana::logger*)
(engine.cc:6233)
==27149==    by 0x1A258B6: ana::run_checkers() (engine.cc:6331)
==27149==    by 0x1A141D8: (anonymous
namespace)::pass_analyzer::execute(function*) (analyzer-pass.cc:87)
==27149==    by 0x148C7AA: execute_one_pass(opt_pass*) (passes.cc:2660)
==27149==    by 0x148DB96: execute_ipa_pass_list(opt_pass*) (passes.cc:3114)
==27149==    by 0x10837F1: ipa_passes (cgraphunit.cc:2273)
==27149==    by 0x10837F1: symbol_table::compile() [clone .part.0]
(cgraphunit.cc:2338)
==27149==    by 0x1085F87: compile (cgraphunit.cc:2316)
==27149==    by 0x1085F87: symbol_table::finalize_compilation_unit()
(cgraphunit.cc:2590)
==27149==    by 0x15D5891: compile_file() (toplev.cc:480)
==27149==    by 0xE8BD7E: do_compile (toplev.cc:2211)
==27149==    by 0xE8BD7E: toplev::main(int, char**) (toplev.cc:2371)
==27149==    by 0xE8D5EA: main (main.cc:39)
==27149==  Address 0x0 is not stack'd, malloc'd or (recently) free'd
==27149== 
during IPA pass: analyzer
testcase.c: In function 'foo':
testcase.c:6:3: internal compiler error: Segmentation fault
    6 |   __builtin_memmove(p, q, (_Decimal64)37459296484904192);
      |   ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
...

$ x86_64-pc-linux-gnu-gcc -v
Using built-in specs.
COLLECT_GCC=/repo/gcc-trunk/binary-latest-amd64/bin/x86_64-pc-linux-gnu-gcc
COLLECT_LTO_WRAPPER=/repo/gcc-trunk/binary-trunk-r15-5311-20241115090525-ge5050819808-checking-yes-rtl-df-extra-nobootstrap-amd64/bin/../libexec/gcc/x86_64-pc-linux-gnu/15.0.0/lto-wrapper
Target: x86_64-pc-linux-gnu
Configured with: /repo/gcc-trunk//configure --enable-languages=c,c++
--enable-valgrind-annotations --disable-nls --enable-checking=yes,rtl,df,extra
--disable-bootstrap --with-cloog --with-ppl --with-isl
--build=x86_64-pc-linux-gnu --host=x86_64-pc-linux-gnu
--target=x86_64-pc-linux-gnu --with-ld=/usr/bin/x86_64-pc-linux-gnu-ld
--with-as=/usr/bin/x86_64-pc-linux-gnu-as --enable-libsanitizer
--disable-libstdcxx-pch
--prefix=/repo/gcc-trunk//binary-trunk-r15-5311-20241115090525-ge5050819808-checking-yes-rtl-df-extra-nobootstrap-amd64
Thread model: posix
Supported LTO compression algorithms: zlib zstd
gcc version 15.0.0 20241115 (experimental) (GCC)
