analyzer: fix ICE on NULL change.m_expr [PR100244]

PR analyzer/100244 reports an ICE on a -Wanalyzer-free-of-non-heap due to a case where free_of_non_heap::describe_state_change can be passed a NULL change.m_expr for a suitably complicated symbolic value. Bulletproof it by checking for change.m_expr being NULL before dereferencing it. gcc/analyzer/ChangeLog: PR analyzer/100244 * sm-malloc.cc (free_of_non_heap::describe_state_change): Bulletproof against change.m_expr being NULL. gcc/testsuite/ChangeLog: PR analyzer/100244 * g++.dg/analyzer/pr100244.C: New test. Signed-off-by: David Malcolm <dmalcolm@redhat.com>
2021-07-02 15:19:43 -04:00 · 2021-07-02 15:19:43 -04:00 · 1187f297f7
commit 1187f297f7
parent 014e6aa467
2 changed files with 23 additions and 1 deletions
--- a/gcc/analyzer/sm-malloc.cc
+++ b/gcc/analyzer/sm-malloc.cc
@ -1303,7 +1303,7 @@ public:
  {
    /* Attempt to reconstruct what kind of pointer it is.
       (It seems neater for this to be a part of the state, though).  */
-    if (TREE_CODE (change.m_expr) == SSA_NAME)
+    if (change.m_expr && TREE_CODE (change.m_expr) == SSA_NAME)
      {
 	gimple *def_stmt = SSA_NAME_DEF_STMT (change.m_expr);
 	if (gcall *call = dyn_cast <gcall *> (def_stmt))
--- a/gcc/testsuite/g++.dg/analyzer/pr100244.C
+++ b/gcc/testsuite/g++.dg/analyzer/pr100244.C
@ -0,0 +1,22 @@
+// { dg-additional-options "-O1 -Wno-free-nonheap-object" }
+
+inline void *operator new (__SIZE_TYPE__, void *__p) { return __p; }
+
+struct __aligned_buffer {
+  int _M_storage;
+  int *_M_addr() { return &_M_storage; }
+};
+
+struct _Hashtable_alloc {
+  int _M_single_bucket;
+  int *_M_buckets;
+  _Hashtable_alloc () { _M_buckets = &_M_single_bucket; }
+  ~_Hashtable_alloc () { delete _M_buckets; } // { dg-warning "not on the heap" }
+};
+
+void
+test01 (__aligned_buffer buf)
+{
+  _Hashtable_alloc *tmp = new (buf._M_addr ()) _Hashtable_alloc;
+  tmp->~_Hashtable_alloc ();
+}