Quuxplusone / LLVMBugzillaTest


Segmentation fault on running clang-analyze checks #33994

Open Quuxplusone opened 7 years ago

Quuxplusone commented 7 years ago
Bugzilla Link PR35021
Status NEW
Importance P release blocker
Reported by Dhanjit Das (dhanjitdas1@gmail.com)
Reported on 2017-10-21 00:38:30 -0700
Last modified on 2017-10-23 01:58:07 -0700
Version unspecified
Hardware PC Linux
CC alexfh@google.com, dhanjitdas1@gmail.com, djasper@google.com, klimek@google.com, llvm-bugs@lists.llvm.org
Fixed by commit(s)
Attachments compile_commands.json (2071 bytes, application/json)
Blocks
Blocked by
See also

All checks with clang-tidy work fine except when I run anything regarding analyze. Any check from clang-analyze-* breaks with a segfault.

Version: 5.0

The stacktrace:

#0  0x000000000046a247 in clang::ASTContext::getPointerType(clang::QualType) const ()
#1  0x00000000004bea31 in clang::CXXMethodDecl::getThisType(clang::ASTContext&) const ()
#2  0x00000000014644f8 in clang::ento::SValBuilder::getCXXThis(clang::CXXMethodDecl const*, clang::StackFrameContext const*) ()
#3  0x00000000014174db in clang::ento::ExprEngine::VisitCXXConstructExpr(clang::CXXConstructExpr const*, clang::ento::ExplodedNode*, clang::ento::ExplodedNodeSet&) ()
#4  0x0000000001409e64 in clang::ento::ExprEngine::Visit(clang::Stmt const*, clang::ento::ExplodedNode*, clang::ento::ExplodedNodeSet&) ()
#5  0x000000000140a3ed in clang::ento::ExprEngine::ProcessStmt(clang::CFGStmt, clang::ento::ExplodedNode*) ()
#6  0x000000000140a5b4 in clang::ento::ExprEngine::processCFGElement(clang::CFGElement, clang::ento::ExplodedNode*, unsigned int, clang::ento::NodeBuilderContext*) ()
#7  0x00000000013e5fde in clang::ento::CoreEngine::HandlePostStmt(clang::CFGBlock const*, unsigned int, clang::ento::ExplodedNode*) ()
#8  0x00000000013e7707 in clang::ento::CoreEngine::dispatchWorkItem(clang::ento::ExplodedNode*, clang::ProgramPoint, clang::ento::WorkListUnit const&) ()
#9  0x00000000013e77f3 in clang::ento::CoreEngine::ExecuteWorkList(clang::LocationContext const*, unsigned int, llvm::IntrusiveRefCntPtr<clang::ento::ProgramState const>) ()
#10 0x000000000094f38e in (anonymous namespace)::AnalysisConsumer::ActionExprEngine(clang::Decl*, bool, clang::ento::ExprEngine::InliningModes, llvm::DenseSet<clang::Decl const*, llvm::DenseMapInfo<clang::Decl const*> >*) [clone .part.3631] ()
#11 0x000000000094fa59 in (anonymous namespace)::AnalysisConsumer::HandleCode(clang::Decl*, unsigned int, clang::ento::ExprEngine::InliningModes, llvm::DenseSet<clang::Decl const*, llvm::DenseMapInfo<clang::Decl const*> >*) ()
#12 0x0000000000964635 in (anonymous namespace)::AnalysisConsumer::HandleTranslationUnit(clang::ASTContext&) [clone .part.3694] ()
#13 0x00000000009bf638 in clang::MultiplexConsumer::HandleTranslationUnit(clang::ASTContext&) ()
#14 0x0000000000ab81c2 in clang::ParseAST(clang::Sema&, bool, bool) ()
#15 0x00000000009a231e in clang::FrontendAction::Execute() ()
#16 0x0000000000977fbd in clang::CompilerInstance::ExecuteAction(clang::FrontendAction&) ()
#17 0x00000000008d39fc in clang::tooling::FrontendActionFactory::runInvocation(std::shared_ptr<clang::CompilerInvocation>, clang::FileManager*, std::shared_ptr<clang::PCHContainerOperations>, clang::DiagnosticConsumer*) ()
#18 0x00000000008cfe5c in clang::tooling::ToolInvocation::runInvocation(char const*, clang::driver::Compilation*, std::shared_ptr<clang::CompilerInvocation>, std::shared_ptr<clang::PCHContainerOperations>) ()
#19 0x00000000008d21de in clang::tooling::ToolInvocation::run() ()
#20 0x00000000008d2dd5 in clang::tooling::ClangTool::run(clang::tooling::ToolAction*) ()
#21 0x0000000000665219 in clang::tidy::runClangTidy(clang::tidy::ClangTidyContext&, clang::tooling::CompilationDatabase const&, llvm::ArrayRef<std::string>, clang::tidy::ProfileData*) ()
#22 0x0000000000416c3b in clang::tidy::clangTidyMain(int, char const**) ()
#23 0x00007ffff67b4b35 in __libc_start_main () from /lib64/libc.so.6
#24 0x000000000040b8c7 in _start ()
Quuxplusone commented 7 years ago

Attached compile_commands.json (2071 bytes, application/json): CMAKE compile commands

Quuxplusone commented 7 years ago
Changed the compiler to clang++ and it does work.
Also I am using C++17.
Quuxplusone commented 7 years ago
(In reply to Dhanjit Das from comment #2)
> Changed the compiler to clang++ and it does work.
By work I meant it compiles fine with clang++ (as well as with gcc 7.1, which I use).

Also, I do not have a debug release of clang because of the insanely high memory requirement at link time of the LLVM source.
Quuxplusone commented 7 years ago
I did clang++ --analyze -Xanalyzer and it also breaks.

The function it breaks on:

#include <utility>  // std::forward

// Perfect-forwarding factory: brace-initialises a heap-allocated T from args.
template <typename T, typename... Args>
static inline T* Allocate(Args&&... args) {
    return new T{std::forward<Args>(args)...};
}

The call is:

auto new_symbol_ptr = static_cast<Strategy *>(this)->template Allocate<Symbol>();

If I change the above line to:

auto new_symbol_ptr = new Symbol();

it works. Both clang-tidy and clang++ --analyze work with the above command.
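The thread asks for a self-contained test case. The following is an added example, not the reporter's code: a constructed minimal program with the same shape as the snippet above (a CRTP base calling a static member function template through `static_cast<Strategy *>(this)->template Allocate<Symbol>()`, next to the plain `new Symbol()` variant the reporter said analyzes cleanly). `Symbol`, `StrategyBase`, `ManualStrategy` and the two `Run*` helpers are placeholder names, and whether this input triggers the clang 5.0 analyzer crash is not verified here.

```cpp
// Added example: constructed candidate test case mirroring the bug report's
// pattern (not the reporter's code). Names are placeholders; whether it
// reproduces the clang 5.0 analyzer crash is not verified here.
#include <cassert>
#include <memory>
#include <utility>

struct Symbol {
    int id = 42;
};

// CRTP base: the derived class supplies the allocator, and the base reaches
// it through `static_cast<Strategy *>(this)->template Allocate<T>()`, the
// call shape the reporter found to crash the analyzer.
template <typename Strategy>
struct StrategyBase {
    Symbol* InitSymbol() {
        return static_cast<Strategy*>(this)->template Allocate<Symbol>();
    }
};

struct ManualStrategy : StrategyBase<ManualStrategy> {
    // Static member function template, as in the report. Note that although
    // it is called through an object expression, a static member has no
    // `this`; the crashing frames (getCXXThis -> getThisType) sit exactly there.
    template <typename T, typename... Args>
    static inline T* Allocate(Args&&... args) {
        return new T{std::forward<Args>(args)...};
    }
};

// Allocates a Symbol through the CRTP call and returns its id (42).
int RunViaCrtp() {
    ManualStrategy strat;
    std::unique_ptr<Symbol> sym(strat.InitSymbol());
    return sym->id;
}

// The replacement the reporter said works: a direct `new Symbol()`.
int RunDirect() {
    std::unique_ptr<Symbol> sym(new Symbol());
    return sym->id;
}

int main() {
    assert(RunViaCrtp() == 42);
    assert(RunDirect() == 42);
    return 0;
}
```

Compile it normally to confirm it is valid C++, then run it through `clang++ --analyze -std=c++1z` with the analyzer build under test; if that build crashes, this file is the kind of reduced input the thread asks for.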
Quuxplusone commented 7 years ago
Adding the invocation of clang++ --analyze:

/opt/llvm-5.0/bin/clang++ --analyze -Xanalyzer   -DTemplateStrategyVersion=1.2.234-g5e75a8d.M -DVERSION_STRING=\\\"\\\" -D_ASYNC_LOGGER_ -D_GLIBCXX_USE_CXX11_ABI=0 -D_LOGGER_SETUP_MQSC_ -D_LOGGER_SETUP_MULTIPLE_RECV_ -D_QLOG_DEBUG_ -D_QLOG_INFO_ -D_TSTRAT_QLOG_DEBUG_ -D_TSTRAT_QLOG_INFO_ -Dcommon_helpersVersion=1.2.20-gfc60ded -DqlogVersion=1.6.18-ga680501 -I/home/dhanjit.d/.conan/data/LighteningCore/3.20.4775/demo/test/package/d64ae9998eeee5d76152fe56443d56b946727a60/include -I/usr/local/include -I/usr/local/include/boost -I/home/dhanjit.d/.conan/data/TemplateStrategy/1.2.234-g5e75a8d.M/demo/test/package/b35b9d43d8e97c0dd660ffa2913f93ea7c2e9db6/include -I/home/dhanjit.d/.conan/data/qlog/1.6.18-ga680501/demo/test/package/717a4e06061e7169676769dfaaddb08875640a10/include -I/home/dhanjit.d/.conan/data/PracticalSocket/1.2.1-g924db98/demo/test/package/f810e0df2d6f7ebf38bdc8f5679f5ff1359ffbd1/include -I/home/dhanjit.d/.conan/data/common_helpers/1.2.20-gfc60ded/demo/test/package/5ab84d6acfe1f23c4fae0ab88f26e3a396351ac9/include -I/home/dhanjit.d/.conan/data/irz_helper/1.4.2-g2575615/demo/test/package/5ab84d6acfe1f23c4fae0ab88f26e3a396351ac9/include -I/home/dhanjit.d/.conan/data/toolchain/1.0.2-g02d7317/demo/test/package/f19202bf2b58180a472055778cb88b221a0b4198/include -I/home/dhanjit.d/dev/templatestrategy/test_package/include -I/home/dhanjit.d/dev/templatestrategy/test_package/build/66192a54597e70578d14620f6814750bb76e1df3 -ftemplate-backtrace-limit=0 -std=c++1z -L/usr/gcc-7.1/lib64/ -static-libstdc++ -static-libgcc -std=c++11 -O3 -g  -std=c++1z -g -Wall -Wextra -Wno-unused-parameter -Wno-unused-variable -L/usr/gcc-7.1/lib64/ -D__FILENAME__='\"$(subst /home/dhanjit.d/dev/templatestrategy/test_package/,,$(abspath $<))\"' -O0 -g   -o CMakeFiles/templatestrategy_build_default.dir/src/main.cpp.o -c /home/dhanjit.d/dev/templatestrategy/test_package/src/main.cpp
clang-5.0: warning: argument unused during compilation: '-L/usr/gcc-7.1/lib64/' [-Wunused-command-line-argument]
clang-5.0: warning: argument unused during compilation: '-static-libstdc++' [-Wunused-command-line-argument]
clang-5.0: warning: argument unused during compilation: '-static-libgcc' [-Wunused-command-line-argument]
clang-5.0: warning: argument unused during compilation: '-L/usr/gcc-7.1/lib64/' [-Wunused-command-line-argument]
#0 0x0000000001b4fa7a llvm::sys::PrintStackTrace(llvm::raw_ostream&) (/opt/llvm-5.0/bin/clang-5.0+0x1b4fa7a)
#1 0x0000000001b4dd5e llvm::sys::RunSignalHandlers() (/opt/llvm-5.0/bin/clang-5.0+0x1b4dd5e)
#2 0x0000000001b4de9a SignalHandler(int) (/opt/llvm-5.0/bin/clang-5.0+0x1b4de9a)
#3 0x00007f895e554370 __restore_rt (/lib64/libpthread.so.0+0xf370)
#4 0x000000000319a887 clang::ASTContext::getPointerType(clang::QualType) const (/opt/llvm-5.0/bin/clang-5.0+0x319a887)
#5 0x0000000003255e81 clang::CXXMethodDecl::getThisType(clang::ASTContext&) const (/opt/llvm-5.0/bin/clang-5.0+0x3255e81)
#6 0x00000000031170d8 clang::ento::SValBuilder::getCXXThis(clang::CXXMethodDecl const*, clang::StackFrameContext const*) (/opt/llvm-5.0/bin/clang-5.0+0x31170d8)
#7 0x00000000030c923b clang::ento::ExprEngine::VisitCXXConstructExpr(clang::CXXConstructExpr const*, clang::ento::ExplodedNode*, clang::ento::ExplodedNodeSet&) (/opt/llvm-5.0/bin/clang-5.0+0x30c923b)
#8 0x00000000030bbbc4 clang::ento::ExprEngine::Visit(clang::Stmt const*, clang::ento::ExplodedNode*, clang::ento::ExplodedNodeSet&) (/opt/llvm-5.0/bin/clang-5.0+0x30bbbc4)
#9 0x00000000030bc14d clang::ento::ExprEngine::ProcessStmt(clang::CFGStmt, clang::ento::ExplodedNode*) (/opt/llvm-5.0/bin/clang-5.0+0x30bc14d)
#10 0x00000000030bc314 clang::ento::ExprEngine::processCFGElement(clang::CFGElement, clang::ento::ExplodedNode*, unsigned int, clang::ento::NodeBuilderContext*) (/opt/llvm-5.0/bin/clang-5.0+0x30bc314)
#11 0x000000000309788e clang::ento::CoreEngine::HandlePostStmt(clang::CFGBlock const*, unsigned int, clang::ento::ExplodedNode*) (/opt/llvm-5.0/bin/clang-5.0+0x309788e)
#12 0x00000000030992c7 clang::ento::CoreEngine::dispatchWorkItem(clang::ento::ExplodedNode*, clang::ProgramPoint, clang::ento::WorkListUnit const&) (/opt/llvm-5.0/bin/clang-5.0+0x30992c7)
#13 0x00000000030993b3 clang::ento::CoreEngine::ExecuteWorkList(clang::LocationContext const*, unsigned int, llvm::IntrusiveRefCntPtr<clang::ento::ProgramState const>) (/opt/llvm-5.0/bin/clang-5.0+0x30993b3)
#14 0x0000000002715e2e (anonymous namespace)::AnalysisConsumer::ActionExprEngine(clang::Decl*, bool, clang::ento::ExprEngine::InliningModes, llvm::DenseSet<clang::Decl const*, llvm::DenseMapInfo<clang::Decl const*> >*) [clone .part.3631] (/opt/llvm-5.0/bin/clang-5.0+0x2715e2e)
#15 0x00000000027164f9 (anonymous namespace)::AnalysisConsumer::HandleCode(clang::Decl*, unsigned int, clang::ento::ExprEngine::InliningModes, llvm::DenseSet<clang::Decl const*, llvm::DenseMapInfo<clang::Decl const*> >*) (/opt/llvm-5.0/bin/clang-5.0+0x27164f9)
#16 0x000000000272b0d5 (anonymous namespace)::AnalysisConsumer::HandleTranslationUnit(clang::ASTContext&) [clone .part.3694] (/opt/llvm-5.0/bin/clang-5.0+0x272b0d5)
#17 0x000000000274e6f2 clang::ParseAST(clang::Sema&, bool, bool) (/opt/llvm-5.0/bin/clang-5.0+0x274e6f2)
#18 0x0000000002033a3e clang::FrontendAction::Execute() (/opt/llvm-5.0/bin/clang-5.0+0x2033a3e)
#19 0x000000000200dc9d clang::CompilerInstance::ExecuteAction(clang::FrontendAction&) (/opt/llvm-5.0/bin/clang-5.0+0x200dc9d)
#20 0x00000000020c76a4 clang::ExecuteCompilerInvocation(clang::CompilerInstance*) (/opt/llvm-5.0/bin/clang-5.0+0x20c76a4)
#21 0x0000000000891eb8 cc1_main(llvm::ArrayRef<char const*>, char const*, void*) (/opt/llvm-5.0/bin/clang-5.0+0x891eb8)
#22 0x0000000000816ec6 main (/opt/llvm-5.0/bin/clang-5.0+0x816ec6)
#23 0x00007f895d138b35 __libc_start_main (/lib64/libc.so.6+0x21b35)
#24 0x000000000088d909 _start (/opt/llvm-5.0/bin/clang-5.0+0x88d909)
Stack dump:
0.  Program arguments: /opt/llvm-5.0/bin/clang-5.0 -cc1 -triple x86_64-unknown-linux-gnu -analyze -disable-free -disable-llvm-verifier -discard-value-names -main-file-name main.cpp -analyzer-store=region -analyzer-opt-analyze-nested-blocks -analyzer-eagerly-assume -analyzer-checker=core -analyzer-checker=apiModeling -analyzer-checker=unix -analyzer-checker=deadcode -analyzer-checker=cplusplus -analyzer-checker=security.insecureAPI.UncheckedReturn -analyzer-checker=security.insecureAPI.getpw -analyzer-checker=security.insecureAPI.gets -analyzer-checker=security.insecureAPI.mktemp -analyzer-checker=security.insecureAPI.mkstemp -analyzer-checker=security.insecureAPI.vfork -analyzer-checker=nullability.NullPassedToNonnull -analyzer-checker=nullability.NullReturnedFromNonnull -analyzer-output plist -w -DTemplateStrategyVersion=1.2.234-g5e75a8d.M -mrelocation-model static -mthread-model posix -mdisable-fp-elim -fmath-errno -masm-verbose -mconstructor-aliases -munwind-tables -fuse-init-array -target-cpu x86-64 -dwarf-column-info -debug-info-kind=limited -dwarf-version=4 -debugger-tuning=gdb -coverage-notes-file /home/dhanjit.d/dev/templatestrategy/CMakeFiles/templatestrategy_build_default.dir/src/main.cpp.gcno -resource-dir /opt/llvm-5.0/lib/clang/5.0.0 -D VERSION_STRING=\"\" -D _ASYNC_LOGGER_ -D _GLIBCXX_USE_CXX11_ABI=0 -D _LOGGER_SETUP_MQSC_ -D _LOGGER_SETUP_MULTIPLE_RECV_ -D _QLOG_DEBUG_ -D _QLOG_INFO_ -D _TSTRAT_QLOG_DEBUG_ -D _TSTRAT_QLOG_INFO_ -D common_helpersVersion=1.2.20-gfc60ded -D qlogVersion=1.6.18-ga680501 -I /home/dhanjit.d/.conan/data/LighteningCore/3.20.4775/demo/test/package/d64ae9998eeee5d76152fe56443d56b946727a60/include -I /usr/local/include -I /usr/local/include/boost -I /home/dhanjit.d/.conan/data/TemplateStrategy/1.2.234-g5e75a8d.M/demo/test/package/b35b9d43d8e97c0dd660ffa2913f93ea7c2e9db6/include -I /home/dhanjit.d/.conan/data/qlog/1.6.18-ga680501/demo/test/package/717a4e06061e7169676769dfaaddb08875640a10/include -I /home/dhanjit.d/.conan/data/PracticalSocket/1.2.1-g924db98/demo/test/package/f810e0df2d6f7ebf38bdc8f5679f5ff1359ffbd1/include -I /home/dhanjit.d/.conan/data/common_helpers/1.2.20-gfc60ded/demo/test/package/5ab84d6acfe1f23c4fae0ab88f26e3a396351ac9/include -I /home/dhanjit.d/.conan/data/irz_helper/1.4.2-g2575615/demo/test/package/5ab84d6acfe1f23c4fae0ab88f26e3a396351ac9/include -I /home/dhanjit.d/.conan/data/toolchain/1.0.2-g02d7317/demo/test/package/f19202bf2b58180a472055778cb88b221a0b4198/include -I /home/dhanjit.d/dev/templatestrategy/test_package/include -I /home/dhanjit.d/dev/templatestrategy/test_package/build/66192a54597e70578d14620f6814750bb76e1df3 -D __FILENAME__=\"$(subst /home/dhanjit.d/dev/templatestrategy/test_package/,,$(abspath $<))\" -internal-isystem /usr/lib/gcc/x86_64-redhat-linux/4.8.5/../../../../include/c++/4.8.5 -internal-isystem /usr/lib/gcc/x86_64-redhat-linux/4.8.5/../../../../include/c++/4.8.5/x86_64-redhat-linux -internal-isystem /usr/lib/gcc/x86_64-redhat-linux/4.8.5/../../../../include/c++/4.8.5/backward -internal-isystem /usr/local/include -internal-isystem /opt/llvm-5.0/lib/clang/5.0.0/include -internal-externc-isystem /include -internal-externc-isystem /usr/include -O0 -Wall -Wextra -Wno-unused-parameter -Wno-unused-variable -std=c++1z -fdeprecated-macro -fdebug-compilation-dir /home/dhanjit.d/dev/templatestrategy -ferror-limit 19 -ftemplate-backtrace-limit 0 -fmessage-length 141 -fobjc-runtime=gcc -fcxx-exceptions -fexceptions -fdiagnostics-show-option -fcolor-diagnostics -o CMakeFiles/templatestrategy_build_default.dir/src/main.cpp.o -x c++ /home/dhanjit.d/dev/templatestrategy/test_package/src/main.cpp
1.  <eof> parser at end of file
2.  While analyzing stack:
    #0 template<> static inline irage::strategy::AnyDestSymbol *Allocate<irage::strategy::AnyDestSymbol, <>>()
    #1 template<> irage::strategy::AnyDestSymbol *Allocate<irage::strategy::AnyDestSymbol, <>>()
    #2 template<> bool InitSymbol<irage::strategy::AnyDestSymbol>(Void<irage::strategy::AnyDestSymbol>, irage::strategy::TemplateStrategy::SymbolTypeId symbol_type_id, const irage::strategy::TemplateStrategy::PresetManager &preset, irage::common::types::SymbolId id, irage::common::types::Index leg, const irage::strategy::TemplateStrategy::SymbolInfo &symbol_info)
    #3 template<> typename std::enable_if<IsValidSymbol<AnyDestSymbol>(), bool>::type ForEachSymbolType_InitSymbol<irage::strategy::AnyDestSymbol, <const unsigned long, const common::container::MapReader<std::map<int, std::basic_string<char>, std::less<int>, std::allocator<std::pair<const int, std::basic_string<char> > > > >, int, unsigned long, const common::container::MapReader<std::unordered_map<std::basic_string<char>, std::basic_string<char>, std::hash<std::string>, std::equal_to<std::basic_string<char> >, std::allocator<std::pair<const std::basic_string<char>, std::basic_string<char> > > > >>>(const unsigned long &args, const common::container::MapReader<std::map<int, std::basic_string<char>, std::less<int>, std::allocator<std::pair<const int, std::basic_string<char> > > > > &args, int &args, unsigned long &args, const common::container::MapReader<std::unordered_map<std::basic_string<char>, std::basic_string<char>, std::hash<std::string>, std::equal_to<std::basic_string<char> >, std::allocator<std::pair<const std::basic_string<char>, std::basic_string<char> > > > > &args) __attribute__((always_inline))
    #4 void InitSymbols(const irage::strategy::TemplateStrategy::PresetManager &preset, irage::common::types::Index number_of_symbols)
    #5 void Init(const irage::strategy::TemplateStrategy::PresetManager &preset)
    #6 template<> static irage::strategy::ManualDummy *MakeStrategy<irage::strategy::ManualDummy>(const std::string strat_name, const std::map<int, std::string> &preset_map)
    #7 template<> static inline typename std::enable_if<sizeof...(S) == 0, std::unique_ptr< ::irage::StrategyBase> >::type RegisterStrategyToLightening<irage::strategy::ManualDummy, <>>(std::map<int, std::string> &configMap, std::set<int> &symList)
    #8 std::unique_ptr<StrategyBase> registerStrategy(std::map<int, string> &configMap, std::set<int> &symList)
3.  /home/dhanjit.d/.conan/data/TemplateStrategy/1.2.234-g5e75a8d.M/demo/test/package/b35b9d43d8e97c0dd660ffa2913f93ea7c2e9db6/include/common/allocator.hpp:9:45: Error evaluating statement
4.  /home/dhanjit.d/.conan/data/TemplateStrategy/1.2.234-g5e75a8d.M/demo/test/package/b35b9d43d8e97c0dd660ffa2913f93ea7c2e9db6/include/common/allocator.hpp:9:45: Error evaluating statement
clang-5.0: error: unable to execute command: Segmentation fault (core dumped)
clang-5.0: error: clang frontend command failed due to signal (use -v to see invocation)

Cannot add the preprocessed source due to proprietary limitations.
Quuxplusone commented 7 years ago

It's quite difficult to isolate the

Quuxplusone commented 7 years ago

It's hard to isolate the issue without a self-contained test case. Try constructing a test case manually or using https://embed.cs.utah.edu/creduce/ to reduce your existing test case. Otherwise, I'm afraid, there's little chance this bug gets fixed in a reasonable time.

Quuxplusone commented 7 years ago
(In reply to Alexander Kornienko from comment #7)
> It's hard to isolate the issue without a self-contained test case. Try
> constructing a test case manually or using
> https://embed.cs.utah.edu/creduce/ to reduce your existing test case.
> Otherwise, I'm afraid, there's little chance this bug gets fixed in a
> reasonable time.

I will try to isolate this and revert.