Quuxplusone / LLVMBugzillaTest

Assert in PthreadLockChecker.cpp `lockFail && lockSucc' #42744

Open Quuxplusone opened 4 years ago

Quuxplusone commented 4 years ago
| Field | Value |
| --- | --- |
| Bugzilla Link | PR43774 |
| Status | NEW |
| Importance | P enhancement |
| Reported by | Ryan Mansfield (rmansfield@gmail.com) |
| Reported on | 2019-10-23 07:28:39 -0700 |
| Last modified on | 2019-11-01 07:56:47 -0700 |
| Version | unspecified |
| Hardware | PC All |
| CC | dcoughlin@apple.com, kamleshbhalui@gmail.com, llvm-bugs@lists.llvm.org |
| Fixed by commit(s) | |
| Attachments | lock-64f111.c (113 bytes, text/plain), lock-64f111.sh (3213 bytes, text/plain) |
| Blocks | |
| Blocked by | |
| See also | |

Created attachment 22709
reduced test case

$ ./bin/clang --analyze -Xanalyzer -analyzer-checker=alpha.unix.PthreadLock ~/lock.c
clang-10: /home/ryan_mansfield/llvm/llvm-project/llvm/projects/clang/lib/StaticAnalyzer/Checkers/PthreadLockChecker.cpp:268: void {anonymous}::PthreadLockChecker::AcquireLock(clang::ento::CheckerContext&, const clang::CallExpr*, clang::ento::SVal, bool, {anonymous}::PthreadLockChecker::LockingSemantics) const: Assertion `lockFail && lockSucc' failed.
Stack dump:
0.  Program arguments: /home/ryan_mansfield/llvm/llvm-project/build/bin/clang-10 -cc1 -triple x86_64-unknown-linux-gnu -analyze -disable-free -main-file-name lock.c -analyzer-store=region -analyzer-opt-analyze-nested-blocks -analyzer-checker=core -analyzer-checker=apiModeling -analyzer-checker=unix -analyzer-checker=deadcode -analyzer-checker=security.insecureAPI.UncheckedReturn -analyzer-checker=security.insecureAPI.getpw -analyzer-checker=security.insecureAPI.gets -analyzer-checker=security.insecureAPI.mktemp -analyzer-checker=security.insecureAPI.mkstemp -analyzer-checker=security.insecureAPI.vfork -analyzer-checker=nullability.NullPassedToNonnull -analyzer-checker=nullability.NullReturnedFromNonnull -analyzer-output plist -w -analyzer-checker=alpha.unix.PthreadLock -setup-static-analyzer -mrelocation-model static -mthread-model posix -mframe-pointer=all -fmath-errno -masm-verbose -mconstructor-aliases -munwind-tables -fuse-init-array -target-cpu x86-64 -dwarf-column-info -debugger-tuning=gdb -resource-dir /home/ryan_mansfield/llvm/llvm-project/build/lib/clang/10.0.0 -internal-isystem /usr/local/include -internal-isystem /home/ryan_mansfield/llvm/llvm-project/build/lib/clang/10.0.0/include -internal-externc-isystem /usr/include/x86_64-linux-gnu -internal-externc-isystem /include -internal-externc-isystem /usr/include -fdebug-compilation-dir /home/ryan_mansfield/llvm/llvm-project/build -ferror-limit 19 -fmessage-length 0 -fgnuc-version=4.2.1 -fobjc-runtime=gcc -fdiagnostics-show-option -fcolor-diagnostics -faddrsig -o lock.plist -x c /home/ryan_mansfield/lock.c
1.  <eof> parser at end of file
2.  While analyzing stack:
    #0 Calling lck_mtx_try_lock at line 2
    #1 Calling a
 #0 0x000055bd04cc201f llvm::sys::PrintStackTrace(llvm::raw_ostream&) /home/ryan_mansfield/llvm/llvm-project/llvm/lib/Support/Unix/Signals.inc:544:0
 #1 0x000055bd04cc20b2 PrintStackTraceSignalHandler(void*) /home/ryan_mansfield/llvm/llvm-project/llvm/lib/Support/Unix/Signals.inc:605:0
 #2 0x000055bd04cbff15 llvm::sys::RunSignalHandlers() /home/ryan_mansfield/llvm/llvm-project/llvm/lib/Support/Signals.cpp:68:0
 #3 0x000055bd04cc19aa SignalHandler(int) /home/ryan_mansfield/llvm/llvm-project/llvm/lib/Support/Unix/Signals.inc:391:0
 #4 0x00007f8ef548f890 __restore_rt (/lib/x86_64-linux-gnu/libpthread.so.0+0x12890)
 #5 0x00007f8ef435de97 raise /build/glibc-OTsEL5/glibc-2.27/signal/../sysdeps/unix/sysv/linux/raise.c:51:0
 #6 0x00007f8ef435f801 abort /build/glibc-OTsEL5/glibc-2.27/stdlib/abort.c:81:0
 #7 0x00007f8ef434f39a __assert_fail_base /build/glibc-OTsEL5/glibc-2.27/assert/assert.c:89:0
 #8 0x00007f8ef434f412 (/lib/x86_64-linux-gnu/libc.so.6+0x30412)
 #9 0x000055bd074b4577 (anonymous namespace)::PthreadLockChecker::AcquireLock(clang::ento::CheckerContext&, clang::CallExpr const*, clang::ento::SVal, bool, (anonymous namespace)::PthreadLockChecker::LockingSemantics) const /home/ryan_mansfield/llvm/llvm-project/llvm/projects/clang/lib/StaticAnalyzer/Checkers/PthreadLockChecker.cpp:269:0
#10 0x000055bd074b35fb (anonymous namespace)::PthreadLockChecker::checkPostStmt(clang::CallExpr const*, clang::ento::CheckerContext&) const /home/ryan_mansfield/llvm/llvm-project/llvm/projects/clang/lib/StaticAnalyzer/Checkers/PthreadLockChecker.cpp:134:0
#11 0x000055bd074b7be0 void clang::ento::check::PostStmt<clang::CallExpr>::_checkStmt<(anonymous namespace)::PthreadLockChecker>(void*, clang::Stmt const*, clang::ento::CheckerContext&) /home/ryan_mansfield/llvm/llvm-project/llvm/projects/clang/include/clang/StaticAnalyzer/Core/Checker.h:105:0
#12 0x000055bd075b89aa clang::ento::CheckerFn<void (clang::Stmt const*, clang::ento::CheckerContext&)>::operator()(clang::Stmt const*, clang::ento::CheckerContext&) const /home/ryan_mansfield/llvm/llvm-project/llvm/projects/clang/include/clang/StaticAnalyzer/Core/CheckerManager.h:69:0
#13 0x000055bd075b162f (anonymous namespace)::CheckStmtContext::runChecker(clang::ento::CheckerFn<void (clang::Stmt const*, clang::ento::CheckerContext&)>, clang::ento::NodeBuilder&, clang::ento::ExplodedNode*) /home/ryan_mansfield/llvm/llvm-project/llvm/projects/clang/lib/StaticAnalyzer/Core/CheckerManager.cpp:178:0
#14 0x000055bd075b4c19 void expandGraphWithCheckers<(anonymous namespace)::CheckStmtContext>((anonymous namespace)::CheckStmtContext, clang::ento::ExplodedNodeSet&, clang::ento::ExplodedNodeSet const&) /home/ryan_mansfield/llvm/llvm-project/llvm/projects/clang/lib/StaticAnalyzer/Core/CheckerManager.cpp:138:0
#15 0x000055bd075b16ed clang::ento::CheckerManager::runCheckersForStmt(bool, clang::ento::ExplodedNodeSet&, clang::ento::ExplodedNodeSet const&, clang::Stmt const*, clang::ento::ExprEngine&, bool) /home/ryan_mansfield/llvm/llvm-project/llvm/projects/clang/lib/StaticAnalyzer/Core/CheckerManager.cpp:192:0
#16 0x000055bd076064e4 clang::ento::CheckerManager::runCheckersForPostStmt(clang::ento::ExplodedNodeSet&, clang::ento::ExplodedNodeSet const&, clang::Stmt const*, clang::ento::ExprEngine&, bool) /home/ryan_mansfield/llvm/llvm-project/llvm/projects/clang/include/clang/StaticAnalyzer/Core/CheckerManager.h:223:0
#17 0x000055bd07627149 clang::ento::ExprEngine::processCallExit(clang::ento::ExplodedNode*) /home/ryan_mansfield/llvm/llvm-project/llvm/projects/clang/lib/StaticAnalyzer/Core/ExprEngineCallAndReturn.cpp:352:0
#18 0x000055bd075cd21d clang::ento::CoreEngine::dispatchWorkItem(clang::ento::ExplodedNode*, clang::ProgramPoint, clang::ento::WorkListUnit const&) /home/ryan_mansfield/llvm/llvm-project/llvm/projects/clang/lib/StaticAnalyzer/Core/CoreEngine.cpp:176:0
#19 0x000055bd075cd062 clang::ento::CoreEngine::ExecuteWorkList(clang::LocationContext const*, unsigned int, llvm::IntrusiveRefCntPtr<clang::ento::ProgramState const>) /home/ryan_mansfield/llvm/llvm-project/llvm/projects/clang/lib/StaticAnalyzer/Core/CoreEngine.cpp:148:0
#20 0x000055bd070059d8 clang::ento::ExprEngine::ExecuteWorkList(clang::LocationContext const*, unsigned int) /home/ryan_mansfield/llvm/llvm-project/llvm/projects/clang/include/clang/StaticAnalyzer/Core/PathSensitive/ExprEngine.h:168:0
#21 0x000055bd06fab975 (anonymous namespace)::AnalysisConsumer::RunPathSensitiveChecks(clang::Decl*, clang::ento::ExprEngine::InliningModes, llvm::DenseSet<clang::Decl const*, llvm::DenseMapInfo<clang::Decl const*> >*) /home/ryan_mansfield/llvm/llvm-project/llvm/projects/clang/lib/StaticAnalyzer/Frontend/AnalysisConsumer.cpp:827:0
#22 0x000055bd06fab77c (anonymous namespace)::AnalysisConsumer::HandleCode(clang::Decl*, unsigned int, clang::ento::ExprEngine::InliningModes, llvm::DenseSet<clang::Decl const*, llvm::DenseMapInfo<clang::Decl const*> >*) /home/ryan_mansfield/llvm/llvm-project/llvm/projects/clang/lib/StaticAnalyzer/Frontend/AnalysisConsumer.cpp:799:0
#23 0x000055bd06faa458 (anonymous namespace)::AnalysisConsumer::HandleDeclsCallGraph(unsigned int) /home/ryan_mansfield/llvm/llvm-project/llvm/projects/clang/lib/StaticAnalyzer/Frontend/AnalysisConsumer.cpp:584:0
#24 0x000055bd06faa8c0 (anonymous namespace)::AnalysisConsumer::runAnalysisOnTranslationUnit(clang::ASTContext&) /home/ryan_mansfield/llvm/llvm-project/llvm/projects/clang/lib/StaticAnalyzer/Frontend/AnalysisConsumer.cpp:634:0
#25 0x000055bd06faaaba (anonymous namespace)::AnalysisConsumer::HandleTranslationUnit(clang::ASTContext&) /home/ryan_mansfield/llvm/llvm-project/llvm/projects/clang/lib/StaticAnalyzer/Frontend/AnalysisConsumer.cpp:665:0
#26 0x000055bd07784ee4 clang::ParseAST(clang::Sema&, bool, bool) /home/ryan_mansfield/llvm/llvm-project/llvm/projects/clang/lib/Parse/ParseAST.cpp:178:0
#27 0x000055bd0574c491 clang::ASTFrontendAction::ExecuteAction() /home/ryan_mansfield/llvm/llvm-project/llvm/projects/clang/lib/Frontend/FrontendAction.cpp:1042:0
#28 0x000055bd0574bdf2 clang::FrontendAction::Execute() /home/ryan_mansfield/llvm/llvm-project/llvm/projects/clang/lib/Frontend/FrontendAction.cpp:939:0
#29 0x000055bd056e1777 clang::CompilerInstance::ExecuteAction(clang::FrontendAction&) /home/ryan_mansfield/llvm/llvm-project/llvm/projects/clang/lib/Frontend/CompilerInstance.cpp:964:0
#30 0x000055bd058b4477 clang::ExecuteCompilerInvocation(clang::CompilerInstance*) /home/ryan_mansfield/llvm/llvm-project/llvm/projects/clang/lib/FrontendTool/ExecuteCompilerInvocation.cpp:290:0
#31 0x000055bd03092d6d cc1_main(llvm::ArrayRef<char const*>, char const*, void*) /home/ryan_mansfield/llvm/llvm-project/llvm/projects/clang/tools/driver/cc1_main.cpp:250:0
#32 0x000055bd03088343 ExecuteCC1Tool(llvm::ArrayRef<char const*>, llvm::StringRef) /home/ryan_mansfield/llvm/llvm-project/llvm/projects/clang/tools/driver/driver.cpp:309:0
#33 0x000055bd03088a39 main /home/ryan_mansfield/llvm/llvm-project/llvm/projects/clang/tools/driver/driver.cpp:382:0
#34 0x00007f8ef4340b97 __libc_start_main /build/glibc-OTsEL5/glibc-2.27/csu/../csu/libc-start.c:344:0
#35 0x000055bd03086b1a _start (/home/ryan_mansfield/llvm/llvm-project/build/bin/clang-10+0x24a3b1a)
clang-10: error: unable to execute command: Aborted (core dumped)
clang-10: error: clang frontend command failed due to signal (use -v to see invocation)
clang version 10.0.0 (https://github.com/llvm/llvm-project.git a9c3c176ad741b9c2b915abc59dd977d0299c53f)
Target: x86_64-unknown-linux-gnu
Thread model: posix
InstalledDir: /home/ryan_mansfield/llvm/llvm-project/build/./bin
clang-10: note: diagnostic msg: PLEASE submit a bug report to https://bugs.llvm.org/ and include the crash backtrace, preprocessed source, and associated run script.
clang-10: note: diagnostic msg:
********************

PLEASE ATTACH THE FOLLOWING FILES TO THE BUG REPORT:
Preprocessed source(s) and associated run script(s) are located at:
clang-10: note: diagnostic msg: /tmp/lock-64f111.c
clang-10: note: diagnostic msg: /tmp/lock-64f111.sh
clang-10: note: diagnostic msg:

********************
Quuxplusone commented 4 years ago

Attached lock-64f111.c (113 bytes, text/plain): reduced test case

Quuxplusone commented 4 years ago

Attached lock-64f111.sh (3213 bytes, text/plain): shell script

Quuxplusone commented 4 years ago
This fixes it.

diff --git a/clang/lib/StaticAnalyzer/Checkers/PthreadLockChecker.cpp
b/clang/lib/StaticAnalyzer/Checkers/PthreadLockChecker.cpp
index 8649b8b96dd..6fb92e0c77a 100644
--- a/clang/lib/StaticAnalyzer/Checkers/PthreadLockChecker.cpp
+++ b/clang/lib/StaticAnalyzer/Checkers/PthreadLockChecker.cpp
@@ -260,12 +260,12 @@ void PthreadLockChecker::AcquireLock(CheckerContext &C,
const CallExpr *CE,
       std::tie(lockFail, lockSucc) = state->assume(retVal);
       break;
     case XNUSemantics:
-      std::tie(lockSucc, lockFail) = state->assume(retVal);
+      std::tie(lockFail, lockSucc) = state->assume(retVal);
       break;
     default:
       llvm_unreachable("Unknown tryLock locking semantics");
     }
-    assert(lockFail && lockSucc);
+    assert(lockFail || lockSucc);
     C.addTransition(lockFail);

   } else if (semantics == PthreadSemantics) {
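Review bot: In the `XNUSemantics` case, the swapped line is now identical to the `std::tie(lockFail, lockSucc) = state->assume(retVal);` in the case directly above it, so the two semantics no longer interpret the return value differently and the separate case carries no meaning; if XNU try-lock functions report success with a non-zero return, this inverts success and failure for them, and the original order should stay. Relaxing the assert to `lockFail || lockSucc` also leaves `C.addTransition(lockFail);` on the next line running when `lockFail` is null, which is the situation when only the success state is feasible. Rather than weakening the assert, handle each state on its own: add the transition only when `lockFail` is non-null, continue with `lockSucc` only when it is non-null, and add the reduced test case from the report as a regression test.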
Quuxplusone commented 4 years ago

Please ignore the above comment.