analyzer: fix ICE on bogus decl of memset [PR97130]

Verify that arguments are pointers before calling handling code that calls deref_rvalue on them. gcc/analyzer/ChangeLog: PR analyzer/97130 * region-model-impl-calls.cc (call_details::get_arg_type): New. * region-model.cc (region_model::on_call_pre): Check that the initial arg is a pointer before calling impl_call_memset and impl_call_strlen. * region-model.h (call_details::get_arg_type): New decl. gcc/testsuite/ChangeLog: PR analyzer/97130 * gcc.dg/analyzer/pr97130.c: New test.
2020-09-21 11:59:26 -04:00 · 2020-09-21 11:59:26 -04:00 · 1e19ecd79b
commit 1e19ecd79b
parent 15e7b93ba4
4 changed files with 23 additions and 2 deletions
--- a/gcc/analyzer/region-model-impl-calls.cc
+++ b/gcc/analyzer/region-model-impl-calls.cc
@ -103,6 +103,14 @@ call_details::get_arg_tree (unsigned idx) const
  return gimple_call_arg (m_call, idx);
 }

+/* Get the type of argument IDX.  */
+
+tree
+call_details::get_arg_type (unsigned idx) const
+{
+  return TREE_TYPE (gimple_call_arg (m_call, idx));
+}
+
 /* Get argument IDX at the callsite as an svalue.  */

 const svalue *
--- a/gcc/analyzer/region-model.cc
+++ b/gcc/analyzer/region-model.cc
@ -737,12 +737,14 @@ region_model::on_call_pre (const gcall *call, region_model_context *ctxt)
 	  /* No side-effects (tracking stream state is out-of-scope
 	     for the analyzer).  */
 	}
-      else if (is_named_call_p (callee_fndecl, "memset", call, 3))
+      else if (is_named_call_p (callee_fndecl, "memset", call, 3)
+	       && POINTER_TYPE_P (cd.get_arg_type (0)))
 	{
 	  impl_call_memset (cd);
 	  return false;
 	}
-      else if (is_named_call_p (callee_fndecl, "strlen", call, 1))
+      else if (is_named_call_p (callee_fndecl, "strlen", call, 1)
+	       && POINTER_TYPE_P (cd.get_arg_type (0)))
 	{
 	  if (impl_call_strlen (cd))
 	    return false;
--- a/gcc/analyzer/region-model.h
+++ b/gcc/analyzer/region-model.h
@ -2482,6 +2482,7 @@ public:
  bool maybe_set_lhs (const svalue *result) const;

  tree get_arg_tree (unsigned idx) const;
+  tree get_arg_type (unsigned idx) const;
  const svalue *get_arg_svalue (unsigned idx) const;

  void dump_to_pp (pretty_printer *pp, bool simple) const;
--- a/gcc/testsuite/gcc.dg/analyzer/pr97130.c
+++ b/gcc/testsuite/gcc.dg/analyzer/pr97130.c
@ -0,0 +1,10 @@
+/* { dg-additional-options "-Wno-builtin-declaration-mismatch" } */
+
+void *
+memset (int, int, __SIZE_TYPE__);
+
+void
+mp (int xl)
+{
+  memset (xl, 0, sizeof xl);
+}