Quuxplusone / LLVMBugzillaTest


Crash in static analyzer #28041

Open Quuxplusone opened 8 years ago

Quuxplusone commented 8 years ago
Bugzilla Link PR28042
Status NEW
Importance P normal
Reported by andrew.melo@gmail.com
Reported on 2016-06-07 16:21:52 -0700
Last modified on 2018-02-26 08:33:29 -0800
Version 3.8
Hardware PC Linux
CC alexfh@google.com, llvm-bugs@lists.llvm.org
Fixed by commit(s)
Attachments clang_crash_lio_fuse_core.i (610329 bytes, application/octet-stream)
clang_crash_runner-unix.i (143785 bytes, text/plain)
file_28042.txt (1070 bytes, text/plain)
Blocks
Blocked by
See also
Created attachment 16487
lio_fuse_core.c preprocessed

Hello,

With "clang version 3.8.0-2ubuntu3 (tags/RELEASE_380/final)" on ubuntu xenial,
I get two different crashes with my codebase (though one of them appears
not to always occur).

I've posted the stacktrace and command line after this message. The
preprocessed input is attached as an attachment. The "runner-unix" crash
appears to always occur, while the "lio_fuse_core" crash seems to happen
inconsistently.

Thanks!
Andrew

The stacktrace for each file looks the same:

0  libLLVM-3.8.so.1 0x00007f273edecd38 llvm::sys::PrintStackTrace(llvm::raw_ostream&) + 56
1  libLLVM-3.8.so.1 0x00007f273edeafc6 llvm::sys::RunSignalHandlers() + 54
2  libLLVM-3.8.so.1 0x00007f273edeb129
3  libc.so.6        0x00007f273df284a0
4  clang            0x00000000014dc4c5 clang::Stmt::getLocStart() const + 21
5  clang            0x00000000012d5e15
6  clang            0x00000000012d8e49 clang::ento::PathDiagnosticLocation::createBegin(clang::Stmt const*, clang::SourceManager const&, llvm::PointerUnion<clang::LocationContext const*, clang::AnalysisDeclContext*>) + 25
7  clang            0x00000000011f7643
8  clang            0x00000000012705f5 clang::ento::CheckerManager::runCheckersForEndAnalysis(clang::ento::ExplodedGraph&, clang::ento::BugReporter&, clang::ento::ExprEngine&) + 101
9  clang            0x000000000127ba5a clang::ento::CoreEngine::ExecuteWorkList(clang::LocationContext const*, unsigned int, llvm::IntrusiveRefCntPtr<clang::ento::ProgramState const>) + 234
10 clang            0x0000000000b279af
11 clang            0x0000000000b282fb
12 clang            0x0000000000b321ce
13 clang            0x0000000000b3676a clang::ParseAST(clang::Sema&, bool, bool) + 938
14 clang            0x000000000099a1fe clang::FrontendAction::Execute() + 302
15 clang            0x000000000096fbf6 clang::CompilerInstance::ExecuteAction(clang::FrontendAction&) + 278
16 clang            0x0000000000a14aa3 clang::ExecuteCompilerInvocation(clang::CompilerInstance*) + 1987
17 clang            0x00000000006b2d18 cc1_main(llvm::ArrayRef<char const*>, char const*, void*) + 2264
18 clang            0x00000000006af7ac main + 6252
19 libc.so.6        0x00007f273df13830 __libc_start_main + 240
20 clang            0x00000000006b1159 _start + 41
Stack dump:

And the following is the command line for lio_fuse_core.c

/usr/bin/clang -cc1 -triple x86_64-pc-linux-gnu -analyze -disable-free -disable-llvm-verifier -main-file-name lio_fuse_core.c -analyzer-store=region -analyzer-opt-analyze-nested-blocks -analyzer-eagerly-assume -analyzer-checker=core -analyzer-checker=unix -analyzer-checker=deadcode -analyzer-checker=security.insecureAPI.UncheckedReturn -analyzer-checker=security.insecureAPI.getpw -analyzer-checker=security.insecureAPI.gets -analyzer-checker=security.insecureAPI.mktemp -analyzer-checker=security.insecureAPI.mkstemp -analyzer-checker=security.insecureAPI.vfork -analyzer-checker=nullability.NullPassedToNonnull -analyzer-checker=nullability.NullReturnedFromNonnull -analyzer-output plist -w -mrelocation-model pic -pic-level 2 -mthread-model posix -mdisable-fp-elim -fmath-errno -masm-verbose -mconstructor-aliases -munwind-tables -fuse-init-array -target-cpu x86-64 -dwarf-column-info -debugger-tuning=gdb -resource-dir /usr/lib/llvm-3.8/bin/../lib/clang/3.8.0 -isystem /tmp/workspace/LStore-Branches/PR-94/build/include -isystem /tmp/workspace/LStore-Branches/PR-94/build/include/apr-ACCRE-1 -isystem /tmp/workspace/LStore-Branches/PR-94/build/include/apr-util-ACCRE-1 -D lio_EXPORTS -I /tmp/workspace/LStore-Branches/PR-94/src/toolbox -I /tmp/workspace/LStore-Branches/PR-94/src/gop -I /tmp/workspace/LStore-Branches/PR-94/src/ibp -D _REENTRANT -D _GNU_SOURCE -D _LARGEFILE64_SOURCE -D _FILE_OFFSET_BITS=64 -D _FILE_OFFSET_BITS=64 -D LSTORE_HACK_EXPORT -internal-isystem /usr/local/include -internal-isystem /usr/lib/llvm-3.8/bin/../lib/clang/3.8.0/include -internal-externc-isystem /usr/include/x86_64-linux-gnu -internal-externc-isystem /include -internal-externc-isystem /usr/include -Wno-unused-parameter -Wno-deprecated-declarations -std=c99 -fdebug-compilation-dir /tmp/workspace/LStore-Branches/PR-94/build/src/lio -ferror-limit 19 -fmessage-length 0 -fvisibility hidden -fobjc-runtime=gcc -fdiagnostics-show-option -analyzer-display-progress -analyzer-checker alpha.core.BoolAssignment -analyzer-checker alpha.core.CallAndMessageUnInitRefArg -analyzer-checker alpha.core.CastSize -analyzer-checker alpha.core.CastToStruct -analyzer-checker alpha.core.DynamicTypeChecker -analyzer-checker alpha.core.FixedAddr -analyzer-checker alpha.core.IdenticalExpr -analyzer-checker alpha.core.PointerArithm -analyzer-checker alpha.core.PointerSub -analyzer-checker alpha.core.SizeofPtr -analyzer-checker alpha.core.TestAfterDivZero -analyzer-checker alpha.cplusplus.VirtualCall -analyzer-checker alpha.deadcode.UnreachableCode -analyzer-checker alpha.security.ArrayBound -analyzer-checker alpha.security.ArrayBoundV2 -analyzer-checker alpha.security.MallocOverflow -analyzer-checker alpha.security.ReturnPtrRange -analyzer-checker alpha.security.taint.TaintPropagation -analyzer-checker alpha.unix.Chroot -analyzer-checker alpha.unix.PthreadLock -analyzer-checker alpha.unix.SimpleStream -analyzer-checker alpha.unix.Stream -analyzer-checker alpha.unix.cstring.BufferOverlap -analyzer-checker alpha.unix.cstring.NotNullTerminated -analyzer-checker alpha.unix.cstring.OutOfBounds -analyzer-checker=debug.Stats -analyzer-max-loop 10 -analyzer-output=html -o /tmp/workspace/LStore-Branches/PR-94/build/clang-static-analyzer/2016-06-07-064307-13352-1 -x c /tmp/workspace/LStore-Branches/PR-94/src/lio/lio_fuse_core.c

And this is the preprocessed runner-unix.c
0.  Program arguments: /usr/bin/clang -cc1 -triple x86_64-pc-linux-gnu -analyze -disable-free -disable-llvm-verifier -main-file-name runner-unix.c -analyzer-store=region -analyzer-opt-analyze-nested-blocks -analyzer-eagerly-assume -analyzer-checker=core -analyzer-checker=unix -analyzer-checker=deadcode -analyzer-checker=security.insecureAPI.UncheckedReturn -analyzer-checker=security.insecureAPI.getpw -analyzer-checker=security.insecureAPI.gets -analyzer-checker=security.insecureAPI.mktemp -analyzer-checker=security.insecureAPI.mkstemp -analyzer-checker=security.insecureAPI.vfork -analyzer-checker=nullability.NullPassedToNonnull -analyzer-checker=nullability.NullReturnedFromNonnull -analyzer-output plist -w -mrelocation-model pic -pic-level 2 -mthread-model posix -mdisable-fp-elim -fmath-errno -masm-verbose -mconstructor-aliases -munwind-tables -fuse-init-array -target-cpu x86-64 -dwarf-column-info -debugger-tuning=gdb -resource-dir /usr/lib/llvm-3.8/bin/../lib/clang/3.8.0 -isystem /tmp/workspace/LStore-Branches/PR-94/build/include/apr-ACCRE-1 -I /tmp/workspace/LStore-Branches/PR-94/build/include -I /tmp/workspace/LStore-Branches/PR-94/src/toolbox -I /tmp/workspace/LStore-Branches/PR-94/src/gop -I /tmp/workspace/LStore-Branches/PR-94/src/ibp -D _REENTRANT -D _GNU_SOURCE -D _LARGEFILE64_SOURCE -D _FILE_OFFSET_BITS=64 -D LSTORE_HACK_EXPORT -internal-isystem /usr/local/include -internal-isystem /usr/lib/llvm-3.8/bin/../lib/clang/3.8.0/include -internal-externc-isystem /usr/include/x86_64-linux-gnu -internal-externc-isystem /include -internal-externc-isystem /usr/include -Wno-unused-parameter -Wno-deprecated-declarations -std=c99 -fdebug-compilation-dir /tmp/workspace/LStore-Branches/PR-94/build -ferror-limit 19 -fmessage-length 0 -fvisibility hidden -fobjc-runtime=gcc -fdiagnostics-show-option -analyzer-display-progress -analyzer-checker alpha.core.BoolAssignment -analyzer-checker alpha.core.CallAndMessageUnInitRefArg -analyzer-checker alpha.core.CastSize -analyzer-checker alpha.core.CastToStruct -analyzer-checker alpha.core.DynamicTypeChecker -analyzer-checker alpha.core.FixedAddr -analyzer-checker alpha.core.IdenticalExpr -analyzer-checker alpha.core.PointerArithm -analyzer-checker alpha.core.PointerSub -analyzer-checker alpha.core.SizeofPtr -analyzer-checker alpha.core.TestAfterDivZero -analyzer-checker alpha.cplusplus.VirtualCall -analyzer-checker alpha.deadcode.UnreachableCode -analyzer-checker alpha.security.ArrayBound -analyzer-checker alpha.security.ArrayBoundV2 -analyzer-checker alpha.security.MallocOverflow -analyzer-checker alpha.security.ReturnPtrRange -analyzer-checker alpha.security.taint.TaintPropagation -analyzer-checker alpha.unix.Chroot -analyzer-checker alpha.unix.PthreadLock -analyzer-checker alpha.unix.SimpleStream -analyzer-checker alpha.unix.Stream -analyzer-checker alpha.unix.cstring.BufferOverlap -analyzer-checker alpha.unix.cstring.NotNullTerminated -analyzer-checker alpha.unix.cstring.OutOfBounds -analyzer-checker=debug.Stats -analyzer-max-loop 10 -analyzer-output=html -o /tmp/workspace/LStore-Branches/PR-94/build/clang-static-analyzer/2016-06-07-064307-13352-1 -x c /tmp/workspace/LStore-Branches/PR-94/test/runner-unix.c
1.  <eof> parser at end of file
Quuxplusone commented 8 years ago

Attached clang_crash_lio_fuse_core.i (610329 bytes, application/octet-stream): lio_fuse_core.c preprocessed

Quuxplusone commented 8 years ago

Attached clang_crash_runner-unix.i (143785 bytes, text/plain): runner-unix.c preprocessed

Quuxplusone commented 8 years ago

Attached file_28042.txt (1070 bytes, text/plain): Dockerfile for slave

Quuxplusone commented 6 years ago

Is the issue still reproducible? Can you try to reduce the test case? See https://bugs.llvm.org/show_bug.cgi?id=32820#c5 for a couple of hints on using creduce.