Quuxplusone / LLVMBugzillaTest


Crash for alpha.cplusplus.IteratorRange (regression) #37344

Open Quuxplusone opened 5 years ago

Quuxplusone commented 5 years ago
Bugzilla Link PR38371
Status NEW
Importance P normal
Reported by Abramo Bagnara (abramo.bagnara@bugseng.com)
Reported on 2018-07-30 08:52:44 -0700
Last modified on 2018-07-31 01:28:32 -0700
Version trunk
Hardware PC Linux
CC adam.balogh@ericsson.com, llvm-bugs@lists.llvm.org, noqnoqneo@gmail.com
Fixed by commit(s)
Attachments
Blocks
Blocked by
See also
Using svn 338230:

$ cat p.cc
class iterator {
  int current;
  void operator*();
  void operator++();
  void operator++(int);
};
bool operator!=(iterator, iterator);

struct s {
  iterator begin();
  iterator end();
};
void f(s l) {
  iterator i = l.begin();
  iterator e = l.end();
  for (; i != e;)
    ;
}
$ ~/llvm-build/bin/clang -cc1 -triple x86_64-pc-linux-gnu -analyze -analyzer-checker=alpha.cplusplus.IteratorRange p.cc
Stack dump:
0.  Program arguments: /home/abramo/llvm-build/bin/clang -cc1 -triple x86_64-pc-linux-gnu -analyze -analyzer-checker=alpha.cplusplus.IteratorRange p.cc
1.  <eof> parser at end of file
2.  While analyzing stack:
    #0 Calling f
3.  p.cc:16:10: Error evaluating branch
#0 0x000055655a94021a llvm::sys::PrintStackTrace(llvm::raw_ostream&) (/home/abramo/llvm-build/bin/clang+0x212c21a)
#1 0x000055655a93e794 llvm::sys::RunSignalHandlers() (/home/abramo/llvm-build/bin/clang+0x212a794)
#2 0x000055655a93e8d2 SignalHandler(int) (/home/abramo/llvm-build/bin/clang+0x212a8d2)
#3 0x00007fad004e1890 __restore_rt (/lib/x86_64-linux-gnu/libpthread.so.0+0x12890)
#4 0x000055655b92f8aa assumeNoOverflow(llvm::IntrusiveRefCntPtr<clang::ento::ProgramState const>, clang::ento::SymExpr const*, long) (/home/abramo/llvm-build/bin/clang+0x311b8aa)
#5 0x000055655b9366df (anonymous namespace)::processComparison(llvm::IntrusiveRefCntPtr<clang::ento::ProgramState const>, llvm::PointerUnion<clang::ento::MemRegion const*, clang::ento::SymExpr const*>, llvm::PointerUnion<clang::ento::MemRegion const*, clang::ento::SymExpr const*>, bool) (/home/abramo/llvm-build/bin/clang+0x31226df)
#6 0x000055655b936f22 llvm::IntrusiveRefCntPtr<clang::ento::ProgramState const> clang::ento::eval::Assume::_evalAssume<(anonymous namespace)::IteratorChecker>(void*, llvm::IntrusiveRefCntPtr<clang::ento::ProgramState const>, clang::ento::SVal const&, bool) (/home/abramo/llvm-build/bin/clang+0x3122f22)
#7 0x000055655bb9fa38 clang::ento::CheckerManager::runCheckersForEvalAssume(llvm::IntrusiveRefCntPtr<clang::ento::ProgramState const>, clang::ento::SVal, bool) (/home/abramo/llvm-build/bin/clang+0x338ba38)
#8 0x000055655bbd0b11 clang::ento::ExprEngine::processAssume(llvm::IntrusiveRefCntPtr<clang::ento::ProgramState const>, clang::ento::SVal, bool) (/home/abramo/llvm-build/bin/clang+0x33bcb11)
#9 0x000055655bc75e2b clang::ento::SimpleConstraintManager::assume(llvm::IntrusiveRefCntPtr<clang::ento::ProgramState const>, clang::ento::NonLoc, bool) (/home/abramo/llvm-build/bin/clang+0x3461e2b)
#10 0x000055655bc75ef6 clang::ento::SimpleConstraintManager::assume(llvm::IntrusiveRefCntPtr<clang::ento::ProgramState const>, clang::ento::DefinedSVal, bool) (/home/abramo/llvm-build/bin/clang+0x3461ef6)
#11 0x000055655bbd0ffa clang::ento::ProgramState::assume(clang::ento::DefinedOrUnknownSVal) const (.isra.310) (/home/abramo/llvm-build/bin/clang+0x33bcffa)
#12 0x000055655bbd953b clang::ento::ExprEngine::processBranch(clang::Stmt const*, clang::Stmt const*, clang::ento::NodeBuilderContext&, clang::ento::ExplodedNode*, clang::ento::ExplodedNodeSet&, clang::CFGBlock const*, clang::CFGBlock const*) (/home/abramo/llvm-build/bin/clang+0x33c553b)
#13 0x000055655bbb2341 clang::ento::CoreEngine::HandleBranch(clang::Stmt const*, clang::Stmt const*, clang::CFGBlock const*, clang::ento::ExplodedNode*) (/home/abramo/llvm-build/bin/clang+0x339e341)
#14 0x000055655bbb2dbd clang::ento::CoreEngine::HandleBlockExit(clang::CFGBlock const*, clang::ento::ExplodedNode*) (/home/abramo/llvm-build/bin/clang+0x339edbd)
#15 0x000055655bbb30f8 clang::ento::CoreEngine::HandlePostStmt(clang::CFGBlock const*, unsigned int, clang::ento::ExplodedNode*) (/home/abramo/llvm-build/bin/clang+0x339f0f8)
#16 0x000055655bbb6dec clang::ento::CoreEngine::dispatchWorkItem(clang::ento::ExplodedNode*, clang::ProgramPoint, clang::ento::WorkListUnit const&) (/home/abramo/llvm-build/bin/clang+0x33a2dec)
#17 0x000055655bbb6fdb clang::ento::CoreEngine::ExecuteWorkList(clang::LocationContext const*, unsigned int, llvm::IntrusiveRefCntPtr<clang::ento::ProgramState const>) (/home/abramo/llvm-build/bin/clang+0x33a2fdb)
#18 0x000055655b860ffc (anonymous namespace)::AnalysisConsumer::ActionExprEngine(clang::Decl*, bool, clang::ento::ExprEngine::InliningModes, llvm::DenseSet<clang::Decl const*, llvm::DenseMapInfo<clang::Decl const*> >*) (.part.3767) (/home/abramo/llvm-build/bin/clang+0x304cffc)
#19 0x000055655b861a8a (anonymous namespace)::AnalysisConsumer::HandleCode(clang::Decl*, unsigned int, clang::ento::ExprEngine::InliningModes, llvm::DenseSet<clang::Decl const*, llvm::DenseMapInfo<clang::Decl const*> >*) (/home/abramo/llvm-build/bin/clang+0x304da8a)
#20 0x000055655b87d090 (anonymous namespace)::AnalysisConsumer::runAnalysisOnTranslationUnit(clang::ASTContext&) (/home/abramo/llvm-build/bin/clang+0x3069090)
#21 0x000055655b87e3b3 (anonymous namespace)::AnalysisConsumer::HandleTranslationUnit(clang::ASTContext&) (/home/abramo/llvm-build/bin/clang+0x306a3b3)
#22 0x000055655bcbea59 clang::ParseAST(clang::Sema&, bool, bool) (/home/abramo/llvm-build/bin/clang+0x34aaa59)
#23 0x000055655afb10c6 clang::FrontendAction::Execute() (/home/abramo/llvm-build/bin/clang+0x279d0c6)
#24 0x000055655af76e2c clang::CompilerInstance::ExecuteAction(clang::FrontendAction&) (/home/abramo/llvm-build/bin/clang+0x2762e2c)
#25 0x000055655b06c3eb clang::ExecuteCompilerInvocation(clang::CompilerInstance*) (/home/abramo/llvm-build/bin/clang+0x28583eb)
#26 0x00005565591b8b48 cc1_main(llvm::ArrayRef<char const*>, char const*, void*) (/home/abramo/llvm-build/bin/clang+0x9a4b48)
#27 0x00005565591251b9 main (/home/abramo/llvm-build/bin/clang+0x9111b9)
#28 0x00007facff38db97 __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21b97)
#29 0x00005565591b5e3a _start (/home/abramo/llvm-build/bin/clang+0x9a1e3a)

With a different build I've obtained the following failed assertion:

tools/clang/lib/StaticAnalyzer/Checkers/IteratorChecker.cpp:1181: clang::ento::ProgramStateRef {anonymous}::relateIteratorPositions(clang::ento::ProgramStateRef, const {anonymous}::IteratorPosition&, const {anonymous}::IteratorPosition&, bool): Assertion failed: isa<SymIntExpr>(CompSym) && "Symbol comparison must be a `SymIntExpr`"
Quuxplusone commented 5 years ago

I've bisected the regression to this originating commit:

commit d7888b0fe44112d6620ef66f5d75d859cbace18d (HEAD)
Author: Adam Balogh <adam.balogh@ericsson.com>
Date:   Mon Jul 16 09:27:27 2018 +0000

[Analyzer] Mark `SymbolData` parts of iterator position as live in program state maps

Marking a symbolic expression as live is non-recursive. In our checkers we
either use conjured symbols or conjured symbols plus/minus integers to
represent abstract position of iterators, so in this latter case we also
must mark the `SymbolData` part of these symbolic expressions as live to
prevent them from getting reaped.

Differential Revision: https://reviews.llvm.org/D48764

git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@337151 91177308-0d34-0410-b5e6-96231b3b80d8

The violated assertion is:

clang: /home/abramo/llvm/tools/clang/lib/StaticAnalyzer/Checkers/IteratorChecker.cpp:1176: clang::ento::ProgramStateRef {anonymous}::relateIteratorPositions(clang::ento::ProgramStateRef, const {anonymous}::IteratorPosition&, const {anonymous}::IteratorPosition&, bool): Assertion `comparison.getAs<DefinedSVal>() && "Symbol comparison must be a `DefinedSVal`"' failed.

(the message changes in later commits)
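The commit message quoted in the bisection describes a liveness rule that is easy to get wrong: marking a symbolic expression live is non-recursive, so a checker that stores an iterator position as "conjured symbol plus/minus integer" and marks only that expression leaves the conjured `SymbolData` underneath it unmarked, and the reaper collects it. The following is an added toy model of that rule, not code from clang or from this bug's fix; the names `SymbolData`, `SymIntExpr` and `SymbolReaper` are borrowed from the analyzer's vocabulary but the types here are simplified stand-ins, the position `$begin + 1 + 1` is constructed sample input, and the model goes one step beyond the commit message by walking nested `SymIntExpr`s down to their root symbol.

```cpp
// Added example: toy model of non-recursive liveness marking. Not clang's
// code; the type and function names are simplified stand-ins for the
// analyzer's SymbolData / SymIntExpr / SymbolReaper.
#include <cstdio>
#include <set>
#include <string>
#include <utility>
#include <vector>

struct Symbol {
  virtual ~Symbol() = default;
  virtual std::string str() const = 0;
};

// A conjured symbol, e.g. the unknown value returned by begin() or end().
struct SymbolData : Symbol {
  std::string name;
  explicit SymbolData(std::string n) : name(std::move(n)) {}
  std::string str() const override { return name; }
};

// A symbolic expression "symbol +/- integer", e.g. the position after i++.
struct SymIntExpr : Symbol {
  const Symbol *lhs;
  char op;
  long rhs;
  SymIntExpr(const Symbol *l, char o, long r) : lhs(l), op(o), rhs(r) {}
  std::string str() const override {
    return "(" + lhs->str() + " " + op + " " + std::to_string(rhs) + ")";
  }
};

// Toy reaper: markLive is deliberately non-recursive, mirroring the commit
// message's point that marking an expression live does not mark its parts.
class SymbolReaper {
  std::set<const Symbol *> live;
public:
  void markLive(const Symbol *s) { live.insert(s); }
  bool isLive(const Symbol *s) const { return live.count(s) != 0; }
};

// Walk down a (possibly nested) SymIntExpr to the SymbolData at its root.
const SymbolData *rootSymbol(const Symbol *s) {
  while (const SymIntExpr *e = dynamic_cast<const SymIntExpr *>(s))
    s = e->lhs;
  return dynamic_cast<const SymbolData *>(s);
}

// What a checker's liveness callback does for the positions it tracks.
// markRoot=false models the behaviour before the commit (only the expression
// is marked); markRoot=true models the fix (the SymbolData part is marked too).
void markPositionsLive(SymbolReaper &SR,
                       const std::vector<const Symbol *> &positions,
                       bool markRoot) {
  for (const Symbol *pos : positions) {
    SR.markLive(pos);
    if (markRoot)
      if (const SymbolData *root = rootSymbol(pos))
        SR.markLive(root);
  }
}

// Builds the constructed position "$begin + 1 + 1", runs the liveness pass,
// and returns {position still live, root SymbolData still live}.
std::pair<bool, bool> survivors(bool markRoot) {
  SymbolData begin("$begin");        // conjured by the call to begin()
  SymIntExpr step1(&begin, '+', 1);  // after one increment
  SymIntExpr pos(&step1, '+', 1);    // after a second increment
  SymbolReaper SR;
  markPositionsLive(SR, {&pos}, markRoot);
  return std::make_pair(SR.isLive(&pos), SR.isLive(&begin));
}

int main() {
  for (bool fix : {false, true}) {
    std::pair<bool, bool> r = survivors(fix);
    std::printf("mark root = %d: position live = %d, root SymbolData live = %d\n",
                (int)fix, (int)r.first, (int)r.second);
  }
  return 0;
}
```

Without the root marking the position expression survives while its root symbol is reaped, which is exactly the state a later lookup or comparison of that position cannot reason about; with it, both survive. In the real checker the same walk would be done over the analyzer's own `SymExpr` hierarchy rather than this stand-in.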