analyzer: avoid ICE with missing arguments (PR 93375)

PR analyzer/93375 reports an ICE under certain circumstances involving a call where the number of arguments at the callsite is less than the parameter count of the callee, Specifically, the ICE occurs when pruning a checker_path for a diagnostic, when attempting to maintain which expression is of interest through such a call. The root cause is an assumption that there were enough arguments at the callsite, within callgraph_superedge's methods for mapping expressions between callee and caller. This patch adds checks for this to the relevant methods, fixing the ICE. gcc/analyzer/ChangeLog: PR analyzer/93375 * supergraph.cc (callgraph_superedge::get_arg_for_parm): Fail gracefully is the number of parameters at the callee exceeds the number of arguments at the call stmt. (callgraph_superedge::get_parm_for_arg): Likewise. gcc/testsuite/ChangeLog: PR analyzer/93375 * gcc.dg/analyzer/pr93375.c: New test.
2025-03-23 04:10:26 +08:00 · 2020-01-22 16:26:38 -05:00 · 2020-01-22 16:26:38 -05:00 · 648796dab4
commit 648796dab4
parent 6d00f052ef
4 changed files with 38 additions and 4 deletions
--- a/gcc/analyzer/ChangeLog
+++ b/gcc/analyzer/ChangeLog
@ -1,3 +1,11 @@
+2020-01-23  David Malcolm  <dmalcolm@redhat.com>
+
+	PR analyzer/93375
+	* supergraph.cc (callgraph_superedge::get_arg_for_parm): Fail
+	gracefully is the number of parameters at the callee exceeds the
+	number of arguments at the call stmt.
+	(callgraph_superedge::get_parm_for_arg): Likewise.
+
 2020-01-22  David Malcolm  <dmalcolm@redhat.com>

 	PR analyzer/93382
--- a/gcc/analyzer/supergraph.cc
+++ b/gcc/analyzer/supergraph.cc
@ -879,16 +879,19 @@ callgraph_superedge::get_arg_for_parm (tree parm_to_find,
  gcc_assert  (TREE_CODE (parm_to_find) == PARM_DECL);

  tree callee = get_callee_decl ();
+  const gcall *call_stmt = get_call_stmt ();

-  int i = 0;
+  unsigned i = 0;
  for (tree iter_parm = DECL_ARGUMENTS (callee); iter_parm;
       iter_parm = DECL_CHAIN (iter_parm), ++i)
    {
+      if (i >= gimple_call_num_args (call_stmt))
+	return NULL_TREE;
      if (iter_parm == parm_to_find)
 	{
 	  if (out)
 	    *out = callsite_expr::from_zero_based_param (i);
-	  return gimple_call_arg (get_call_stmt (), i);
+	  return gimple_call_arg (call_stmt, i);
 	}
    }

@ -906,12 +909,15 @@ callgraph_superedge::get_parm_for_arg (tree arg_to_find,
 				       callsite_expr *out) const
 {
  tree callee = get_callee_decl ();
+  const gcall *call_stmt = get_call_stmt ();

-  int i = 0;
+  unsigned i = 0;
  for (tree iter_parm = DECL_ARGUMENTS (callee); iter_parm;
       iter_parm = DECL_CHAIN (iter_parm), ++i)
    {
-      tree param = gimple_call_arg (get_call_stmt (), i);
+      if (i >= gimple_call_num_args (call_stmt))
+	return NULL_TREE;
+      tree param = gimple_call_arg (call_stmt, i);
      if (arg_to_find == param)
 	{
 	  if (out)
--- a/gcc/testsuite/ChangeLog
+++ b/gcc/testsuite/ChangeLog
@ -1,3 +1,8 @@
+2020-01-23  David Malcolm  <dmalcolm@redhat.com>
+
+	PR analyzer/93375
+	* gcc.dg/analyzer/pr93375.c: New test.
+
 2020-01-23  Jason Merrill  <jason@redhat.com>

 	* lib/target-supports.exp (check_effective_target_unsigned_char):
--- a/gcc/testsuite/gcc.dg/analyzer/pr93375.c
+++ b/gcc/testsuite/gcc.dg/analyzer/pr93375.c
@ -0,0 +1,15 @@
+/* { dg-additional-options "-Wno-implicit-int" } */
+
+void
+en (jm)
+{
+}
+
+void
+p2 ()
+{
+  char *rl = 0;
+
+  en ();
+  __builtin_memcpy (rl, 0, sizeof (0)); /* { dg-warning "dereference of NULL" } */
+}