

Analyzer: Repeatable RegionStore.cpp assertion failure `!B.lookup(R, BindingKey::Direct)' #31202

Closed Quuxplusone closed 5 years ago

Quuxplusone commented 7 years ago
Bugzilla Link PR32229
Status RESOLVED FIXED
Importance P enhancement
Reported by Kevin Marshall (marshallk@google.com)
Reported on 2017-03-10 14:04:58 -0800
Last modified on 2019-04-17 13:55:55 -0700
Version unspecified
Hardware PC Linux
CC alexfh@google.com, llvm-bugs@lists.llvm.org
Fixed by commit(s)
Attachments trace_log-76f2bf.tar.bz2 (708916 bytes, application/x-bzip)
Blocks
Blocked by
See also
Created attachment 18077
Archive of generated trace log .cpp and .sh

I encountered this failure while analyzing base/trace_event/trace_log.cc in the
Chromium codebase. Link:
https://cs.chromium.org/chromium/src/base/trace_event/trace_log.cc?q=base/trace_event/trace_log.cc&dr

clang:
/b/build/slave/linux_upload_clang/build/src/third_party/llvm/tools/clang/lib/StaticAnalyzer/Core/RegionStore.cpp:413:
virtual clang::ento::StoreRef (anonymous
namespace)::RegionStoreManager::BindDefault(Store, const clang::ento::MemRegion
*, clang::ento::SVal): Assertion `!B.lookup(R, BindingKey::Direct)' failed.
#0 0x0000000001b8d584
(/usr/local/google/home/marshallk/chrome/src/third_party/llvm-build/Release+Asserts/bin/clang+0x1b8d584)
#1 0x0000000001b8d8c6
(/usr/local/google/home/marshallk/chrome/src/third_party/llvm-build/Release+Asserts/bin/clang+0x1b8d8c6)
#2 0x00007ff40f6a7330 __restore_rt (/lib/x86_64-linux-
gnu/libpthread.so.0+0x10330)
#3 0x00007ff40e29bc37 gsignal /build/eglibc-oGUzwX/eglibc-
2.19/signal/../nptl/sysdeps/unix/sysv/linux/raise.c:56:0
#4 0x00007ff40e29f028 abort /build/eglibc-oGUzwX/eglibc-2.19/stdlib/abort.c:91:0
#5 0x00007ff40e294bf6 __assert_fail_base /build/eglibc-oGUzwX/eglibc-
2.19/assert/assert.c:92:0
#6 0x00007ff40e294ca2 (/lib/x86_64-linux-gnu/libc.so.6+0x2fca2)
#7 0x00000000032e7348
(/usr/local/google/home/marshallk/chrome/src/third_party/llvm-build/Release+Asserts/bin/clang+0x32e7348)
#8 0x00000000032d862c clang::ento::ProgramState::bindDefault(clang::ento::SVal,
clang::ento::SVal, clang::LocationContext const*) const
(/usr/local/google/home/marshallk/chrome/src/third_party/llvm-build/Release+Asserts/bin/clang+0x32d862c)
#9 0x00000000032b5a3a
clang::ento::ExprEngine::VisitCXXConstructExpr(clang::CXXConstructExpr const*,
clang::ento::ExplodedNode*, clang::ento::ExplodedNodeSet&)
(/usr/local/google/home/marshallk/chrome/src/third_party/llvm-build/Release+Asserts/bin/clang+0x32b5a3a)
#10 0x000000000329a9e6 clang::ento::ExprEngine::Visit(clang::Stmt const*,
clang::ento::ExplodedNode*, clang::ento::ExplodedNodeSet&)
(/usr/local/google/home/marshallk/chrome/src/third_party/llvm-build/Release+Asserts/bin/clang+0x329a9e6)
#11 0x0000000003296d03 clang::ento::ExprEngine::ProcessStmt(clang::CFGStmt,
clang::ento::ExplodedNode*)
(/usr/local/google/home/marshallk/chrome/src/third_party/llvm-build/Release+Asserts/bin/clang+0x3296d03)
#12 0x00000000032969c7
clang::ento::ExprEngine::processCFGElement(clang::CFGElement,
clang::ento::ExplodedNode*, unsigned int, clang::ento::NodeBuilderContext*)
(/usr/local/google/home/marshallk/chrome/src/third_party/llvm-build/Release+Asserts/bin/clang+0x32969c7)
#13 0x000000000328cd6a
clang::ento::CoreEngine::HandleBlockEntrance(clang::BlockEntrance const&,
clang::ento::ExplodedNode*)
(/usr/local/google/home/marshallk/chrome/src/third_party/llvm-build/Release+Asserts/bin/clang+0x328cd6a)
#14 0x000000000328c7b7
clang::ento::CoreEngine::dispatchWorkItem(clang::ento::ExplodedNode*,
clang::ProgramPoint, clang::ento::WorkListUnit const&)
(/usr/local/google/home/marshallk/chrome/src/third_party/llvm-build/Release+Asserts/bin/clang+0x328c7b7)
#15 0x000000000328c03f
clang::ento::CoreEngine::ExecuteWorkList(clang::LocationContext const*,
unsigned int, llvm::IntrusiveRefCntPtr<clang::ento::ProgramState const>)
(/usr/local/google/home/marshallk/chrome/src/third_party/llvm-build/Release+Asserts/bin/clang+0x328c03f)
#16 0x00000000028082ad
(/usr/local/google/home/marshallk/chrome/src/third_party/llvm-build/Release+Asserts/bin/clang+0x28082ad)
#17 0x0000000002807e5e
(/usr/local/google/home/marshallk/chrome/src/third_party/llvm-build/Release+Asserts/bin/clang+0x2807e5e)
#18 0x00000000028013ea
(/usr/local/google/home/marshallk/chrome/src/third_party/llvm-build/Release+Asserts/bin/clang+0x28013ea)
#19 0x00000000020e739c
clang::MultiplexConsumer::HandleTranslationUnit(clang::ASTContext&)
(/usr/local/google/home/marshallk/chrome/src/third_party/llvm-build/Release+Asserts/bin/clang+0x20e739c)
#20 0x0000000002834d56 clang::ParseAST(clang::Sema&, bool, bool)
(/usr/local/google/home/marshallk/chrome/src/third_party/llvm-build/Release+Asserts/bin/clang+0x2834d56)
#21 0x00000000020c1ea8 clang::FrontendAction::Execute()
(/usr/local/google/home/marshallk/chrome/src/third_party/llvm-build/Release+Asserts/bin/clang+0x20c1ea8)
#22 0x0000000002088e31
clang::CompilerInstance::ExecuteAction(clang::FrontendAction&)
(/usr/local/google/home/marshallk/chrome/src/third_party/llvm-build/Release+Asserts/bin/clang+0x2088e31)
#23 0x0000000002146dc5
clang::ExecuteCompilerInvocation(clang::CompilerInstance*)
(/usr/local/google/home/marshallk/chrome/src/third_party/llvm-build/Release+Asserts/bin/clang+0x2146dc5)
#24 0x00000000008272f8 cc1_main(llvm::ArrayRef<char const*>, char const*,
void*) (/usr/local/google/home/marshallk/chrome/src/third_party/llvm-
build/Release+Asserts/bin/clang+0x8272f8)
#25 0x0000000000825226 main
(/usr/local/google/home/marshallk/chrome/src/third_party/llvm-build/Release+Asserts/bin/clang+0x825226)
#26 0x00007ff40e286f45 __libc_start_main /build/eglibc-oGUzwX/eglibc-
2.19/csu/libc-start.c:321:0
#27 0x00000000008223da _start
(/usr/local/google/home/marshallk/chrome/src/third_party/llvm-build/Release+Asserts/bin/clang+0x8223da)
Stack dump:
0.  Program arguments:
/usr/local/google/home/marshallk/chrome/src/third_party/llvm-
build/Release+Asserts/bin/clang -cc1 -triple x86_64-unknown-linux-gnu -analyze -
disable-free -main-file-name trace_log.cc -analyzer-store=region -analyzer-opt-
analyze-nested-blocks -analyzer-eagerly-assume -analyzer-checker=core -analyzer-
checker=apiModeling -analyzer-checker=unix -analyzer-checker=deadcode -analyzer-
checker=cplusplus -analyzer-checker=security.insecureAPI.UncheckedReturn -
analyzer-checker=security.insecureAPI.getpw -analyzer-
checker=security.insecureAPI.gets -analyzer-checker=security.insecureAPI.mktemp
-analyzer-checker=security.insecureAPI.mkstemp -analyzer-
checker=security.insecureAPI.vfork -analyzer-
checker=nullability.NullPassedToNonnull -analyzer-
checker=nullability.NullReturnedFromNonnull -analyzer-output plist -w -analyzer-
checker=cplusplus -analyzer-opt-analyze-nested-blocks -analyzer-eagerly-assume -
analyzer-output=text -analyzer-config suppress-c++-stdlib=true -analyzer-
checker=core -analyzer-checker=unix -analyzer-checker=deadcode -mrelocation-
model pic -pic-level 2 -mthread-model posix -mdisable-fp-elim -relaxed-aliasing
-fmath-errno -masm-verbose -mconstructor-aliases -munwind-tables -target-cpu
x86-64 -dwarf-column-info -backend-option -split-dwarf=Enable -debug-info-
kind=limited -debugger-tuning=gdb -coverage-notes-file
/usr/local/google/home/marshallk/chrome/src/out/ClangLint/obj/base/base/trace_log.gcno
-resource-dir /usr/local/google/home/marshallk/chrome/src/third_party/llvm-
build/Release+Asserts/lib/clang/5.0.0 -dependency-file
obj/base/base/trace_log.o.d -MT obj/base/base/trace_log.o -D USE_SYMBOLIZE -D
V8_DEPRECATION_WARNINGS -D USE_UDEV -D UI_COMPOSITOR_IMAGE_TRANSPORT -D
USE_AURA=1 -D USE_PANGO=1 -D USE_CAIRO=1 -D USE_GLIB=1 -D USE_NSS_CERTS=1 -D
USE_X11=1 -D FULL_SAFE_BROWSING -D SAFE_BROWSING_CSD -D SAFE_BROWSING_DB_LOCAL -
D CHROMIUM_BUILD -D ENABLE_MEDIA_ROUTER=1 -D FIELDTRIAL_TESTING_ENABLED -D
CR_CLANG_REVISION="296321-1" -D _FILE_OFFSET_BITS=64 -D _LARGEFILE_SOURCE -D
_LARGEFILE64_SOURCE -D __STDC_CONSTANT_MACROS -D __STDC_FORMAT_MACROS -D
COMPONENT_BUILD -D _DEBUG -D DYNAMIC_ANNOTATIONS_ENABLED=1 -D
WTF_USE_DYNAMIC_ANNOTATIONS=1 -D _GLIBCXX_DEBUG=1 -D BASE_IMPLEMENTATION -D
GLIB_VERSION_MAX_ALLOWED=GLIB_VERSION_2_32 -D
GLIB_VERSION_MIN_REQUIRED=GLIB_VERSION_2_26 -I ../.. -I gen -I
../../build/linux/debian_wheezy_amd64-sysroot/usr/include/glib-2.0 -I
../../build/linux/debian_wheezy_amd64-sysroot/usr/lib/x86_64-linux-gnu/glib-
2.0/include -D __DATE__= -D __TIME__= -D __TIMESTAMP__= -isysroot
../../build/linux/debian_wheezy_amd64-sysroot -internal-isystem
../../build/linux/debian_wheezy_amd64-sysroot/usr/lib/gcc/x86_64-linux-
gnu/4.6/../../../../include/c++/4.6 -internal-isystem
../../build/linux/debian_wheezy_amd64-sysroot/usr/lib/gcc/x86_64-linux-
gnu/4.6/../../../../include/c++/4.6/x86_64-linux-gnu -internal-isystem
../../build/linux/debian_wheezy_amd64-sysroot/usr/lib/gcc/x86_64-linux-
gnu/4.6/../../../../include/c++/4.6/backward -internal-isystem
../../build/linux/debian_wheezy_amd64-sysroot/usr/local/include -internal-
isystem /usr/local/google/home/marshallk/chrome/src/third_party/llvm-
build/Release+Asserts/lib/clang/5.0.0/include -internal-externc-isystem
../../build/linux/debian_wheezy_amd64-sysroot/usr/include/x86_64-linux-gnu -
internal-externc-isystem ../../build/linux/debian_wheezy_amd64-sysroot/include -
internal-externc-isystem ../../build/linux/debian_wheezy_amd64-
sysroot/usr/include -O0 -Wno-builtin-macro-redefined -Wall -Werror -Wextra -Wno-
missing-field-initializers -Wno-unused-parameter -Wno-c++11-narrowing -Wno-
covered-switch-default -Wno-deprecated-register -Wno-unneeded-internal-
declaration -Wno-inconsistent-missing-override -Wno-shift-negative-value -Wno-
undefined-var-template -Wno-nonportable-include-path -Wno-address-of-packed-
member -Wno-unused-lambda-capture -Wno-user-defined-warnings -Wheader-hygiene -
Wstring-conversion -Wtautological-overlap-compare -Wno-char-subscripts -Wexit-
time-destructors -Wexit-time-destructors -Wno-undefined-bool-conversion -Wno-
tautological-undefined-compare -std=gnu++11 -fdeprecated-macro -fdebug-
compilation-dir /usr/local/google/home/marshallk/chrome/src/out/ClangLint -
ferror-limit 19 -fmessage-length 0 -fvisibility hidden -fvisibility-inlines-
hidden -pthread -stack-protector 1 -stack-protector-buffer-size 4 -fno-rtti -
fobjc-runtime=gcc -fdiagnostics-show-option -fcolor-diagnostics -load
../../third_party/llvm-build/Release+Asserts/lib/libFindBadConstructs.so -add-
plugin find-bad-constructs -plugin-arg-find-bad-constructs check-auto-raw-
pointer -plugin-arg-find-bad-constructs check-ipc -o obj/base/base/trace_log.o -
x c++ ../../base/trace_event/trace_log.cc
1.  <eof> parser at end of file
2.  While analyzing stack:
    #0 constexpr _Tuple_impl() : _Inherited(), _Base() {}
    #1 constexpr _Tuple_impl() : _Inherited(), _Base() {}
    #2 constexpr tuple() : _Inherited() {}
    #3 constexpr unique_ptr() : _M_t() {}
    #4 void CreateFiltersForTraceConfig()
    #5 void UpdateCategoryRegistry()
    #6 void SetEnabled(const base::trace_event::TraceConfig &trace_config, uint8_t
modes_to_enable)
3.  ../../build/linux/debian_wheezy_amd64-sysroot/usr/lib/gcc/x86_64-linux-
gnu/4.6/../../../../include/c++/4.6/tuple:158:9: Error evaluating statement
4.  ../../build/linux/debian_wheezy_amd64-sysroot/usr/lib/gcc/x86_64-linux-
gnu/4.6/../../../../include/c++/4.6/tuple:158:9: Error evaluating statement
clang: error: unable to execute command: Aborted (core dumped)
clang: error: clang frontend command failed due to signal (use -v to see
invocation)
clang version 5.0.0 (trunk 296321)
Target: x86_64-unknown-linux-gnu
Thread model: posix
InstalledDir:
/usr/local/google/home/marshallk/chrome/src/out/ClangLint/../../third_party/llvm-build/Release+Asserts/bin
clang: note: diagnostic msg: PLEASE submit a bug report to
http://llvm.org/bugs/ and include the crash backtrace, preprocessed source, and
associated run script.
clang: note: diagnostic msg:
********************

PLEASE ATTACH THE FOLLOWING FILES TO THE BUG REPORT:
Preprocessed source(s) and associated run script(s) are located at:
clang: note: diagnostic msg: /tmp/trace_log-76f2bf.cpp
clang: note: diagnostic msg: /tmp/trace_log-76f2bf.sh
clang: note: diagnostic msg:

********************
Quuxplusone commented 7 years ago

Attached trace_log-76f2bf.tar.bz2 (708916 bytes, application/x-bzip): Archive of generated trace log .cpp and .sh

Quuxplusone commented 7 years ago
LLVM version: clang version 5.0.0 (trunk 296321)
Platform: Linux; target: Linux
Quuxplusone commented 5 years ago
This no longer crashes. It may have been fixed as part of
https://bugs.llvm.org/show_bug.cgi?id=18953.

$ ./trace_log-76f2bf.sh
../../base/trace_event/trace_log.cc:815:29: warning: Dereference of null smart
pointer 'thread_shared_chunk_' of type 'std::unique_ptr'
  TraceEvent* trace_event = thread_shared_chunk_->AddTraceEvent(&event_index);
                            ^
../../base/trace_event/trace_log.cc:1115:10: note: Calling
'TraceLog::AddTraceEventWithThreadIdAndTimestamp'
  return AddTraceEventWithThreadIdAndTimestamp(
         ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
../../base/trace_event/trace_log.cc:1181:7: note: Assuming the condition is
false
  if (!*category_group_enabled)
      ^~~~~~~~~~~~~~~~~~~~~~~~
../../base/trace_event/trace_log.cc:1181:3: note: Taking false branch
  if (!*category_group_enabled)
  ^
../../base/trace_event/trace_log.cc:1187:3: note: Taking false branch
  if (thread_is_in_trace_event_.Get())
  ^
../../base/trace_event/trace_log.cc:1192:3: note: Assuming 'name' is non-null
  DCHECK(name);
  ^~~~~~~~~~~~
../../base/logging.h:814:36: note: expanded from macro 'DCHECK'
  LAZY_STREAM(LOG_STREAM(DCHECK), !ANALYZER_ASSUME_TRUE(condition)) \
  ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
../../base/logging.h:312:67: note: expanded from macro 'ANALYZER_ASSUME_TRUE'
#define ANALYZER_ASSUME_TRUE(val) (::logging::AnalysisAssumeTrue(!!(val)))
                                                                  ^
../../base/logging.h:402:5: note: expanded from macro 'LAZY_STREAM'
  !(condition) ? (void) 0 : ::logging::LogMessageVoidify() & (stream)
    ^~~~~~~~~
../../base/trace_event/trace_log.cc:1192:3: note: '?' condition is true
../../base/logging.h:814:3: note: expanded from macro 'DCHECK'
  LAZY_STREAM(LOG_STREAM(DCHECK), !ANALYZER_ASSUME_TRUE(condition)) \
  ^
../../base/logging.h:402:3: note: expanded from macro 'LAZY_STREAM'
  !(condition) ? (void) 0 : ::logging::LogMessageVoidify() & (stream)
  ^
../../base/trace_event/trace_log.cc:1193:3: note: '?' condition is true
  DCHECK(!timestamp.is_null());
  ^
../../base/logging.h:814:3: note: expanded from macro 'DCHECK'
  LAZY_STREAM(LOG_STREAM(DCHECK), !ANALYZER_ASSUME_TRUE(condition)) \
  ^
../../base/logging.h:402:3: note: expanded from macro 'LAZY_STREAM'
  !(condition) ? (void) 0 : ::logging::LogMessageVoidify() & (stream)
  ^
../../base/trace_event/trace_log.cc:1195:7: note: Assuming the condition is
false
  if (flags & TRACE_EVENT_FLAG_MANGLE_ID) {
      ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
../../base/trace_event/trace_log.cc:1195:3: note: Taking false branch
  if (flags & TRACE_EVENT_FLAG_MANGLE_ID) {
  ^
../../base/trace_event/trace_log.cc:1206:7: note: Assuming the condition is true
  if (*category_group_enabled & RECORDING_MODE) {
      ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
../../base/trace_event/trace_log.cc:1206:3: note: Taking true branch
  if (*category_group_enabled & RECORDING_MODE) {
  ^
../../base/trace_event/trace_log.cc:1215:7: note: Assuming the condition is
false
  if (thread_id == static_cast<int>(PlatformThread::CurrentId())) {
      ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
../../base/trace_event/trace_log.cc:1215:3: note: Taking false branch
  if (thread_id == static_cast<int>(PlatformThread::CurrentId())) {
  ^
../../base/trace_event/trace_log.cc:1262:7: note: Assuming the condition is
false
  if (*category_group_enabled & TraceCategory::ENABLED_FOR_FILTERING) {
      ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
../../base/trace_event/trace_log.cc:1262:3: note: Taking false branch
  if (*category_group_enabled & TraceCategory::ENABLED_FOR_FILTERING) {
  ^
../../base/trace_event/trace_log.cc:1282:7: note: Left side of '&&' is true
  if ((*category_group_enabled & TraceCategory::ENABLED_FOR_RECORDING) &&
      ^
../../base/trace_event/trace_log.cc:1282:3: note: Taking true branch
  if ((*category_group_enabled & TraceCategory::ENABLED_FOR_RECORDING) &&
  ^
../../base/trace_event/trace_log.cc:1287:9: note: Assuming
'thread_local_event_buffer' is null
    if (thread_local_event_buffer) {
        ^~~~~~~~~~~~~~~~~~~~~~~~~
../../base/trace_event/trace_log.cc:1287:5: note: Taking false branch
    if (thread_local_event_buffer) {
    ^
../../base/trace_event/trace_log.cc:1291:21: note: Calling
'TraceLog::AddEventToThreadSharedChunkWhileLocked'
      trace_event = AddEventToThreadSharedChunkWhileLocked(&handle, true);
                    ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
../../base/trace_event/trace_log.cc:800:7: note: Left side of '&&' is true
  if (thread_shared_chunk_ && thread_shared_chunk_->IsFull()) {
      ^
../../base/trace_event/trace_log.cc:800:3: note: Taking true branch
  if (thread_shared_chunk_ && thread_shared_chunk_->IsFull()) {
  ^
../../base/trace_event/trace_log.cc:802:33: note: Smart pointer
'thread_shared_chunk_' of type 'std::unique_ptr' is reset to null when moved
from
                                std::move(thread_shared_chunk_));
                                ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
../../base/trace_event/trace_log.cc:805:3: note: Taking false branch
  if (!thread_shared_chunk_) {
  ^
../../base/trace_event/trace_log.cc:811:3: note: Taking false branch
  if (!thread_shared_chunk_)
  ^
../../base/trace_event/trace_log.cc:815:29: note: Dereference of null smart
pointer 'thread_shared_chunk_' of type 'std::unique_ptr'
  TraceEvent* trace_event = thread_shared_chunk_->AddTraceEvent(&event_index);
                            ^~~~~~~~~~~~~~~~~~~~
1 warning generated.