Quuxplusone / LLVMBugzillaTest


alpha.cplusplus.IteratorModeling checker hits assertion #43968

Open Quuxplusone opened 4 years ago

Quuxplusone commented 4 years ago
Bugzilla Link PR44998
Status NEW
Importance P normal
Reported by Nicolás Alvarez (nicolas.alvarez@gmail.com)
Reported on 2020-02-22 19:39:35 -0800
Last modified on 2020-02-26 06:44:17 -0800
Version trunk
Hardware PC Linux
CC dcoughlin@apple.com, llvm-bugs@lists.llvm.org, noqnoqneo@gmail.com
Fixed by commit(s)
Attachments
Blocks
Blocked by
See also
The alpha.cplusplus.IteratorModeling checker triggers an assertion in the
following code:

struct List {
  struct iterator {
    int c;
    bool operator!=(iterator);
  };

  iterator constEnd();
  void f() {
    iterator i;
    i != constEnd();
  }
};

$ clang++ -cc1 -analyze -analyzer-checker alpha.cplusplus.IteratorModeling viewmode.cpp

viewmode.cpp:10:7: warning: inequality comparison result unused
    i != constEnd();
    ~~^~~~~~~~~~~~~
viewmode.cpp:10:7: note: use '|=' to turn this inequality comparison into an or-assignment
    i != constEnd();
      ^~
      |=
clang++: ../llvm/tools/clang/lib/StaticAnalyzer/Checkers/IteratorModeling.cpp:565: clang::ento::ProgramStateRef (anonymous namespace)::relateSymbols(clang::ento::ProgramStateRef, clang::ento::SymbolRef, clang::ento::SymbolRef, bool): Assertion `isa<SymIntExpr>(CompSym) && "Symbol comparison must be a `SymIntExpr`"' failed.
Stack dump:
0.  Program arguments: /home/nicolas/src/llvm/build/llvm/bin/clang++ -cc1 -analyze -analyzer-checker alpha.cplusplus.IteratorModeling viewmode.cpp
1.  <eof> parser at end of file
2.  While analyzing stack:
    #0 Calling List::f
3.  viewmode.cpp:10:5: Error evaluating statement
4.  viewmode.cpp:10:5: Error evaluating statement
 #0 0x00007f6359388649 llvm::sys::PrintStackTrace(llvm::raw_ostream&) /home/nicolas/src/llvm/build/../llvm/lib/Support/Unix/Signals.inc:564:11
 #1 0x00007f63593887f9 PrintStackTraceSignalHandler(void*) /home/nicolas/src/llvm/build/../llvm/lib/Support/Unix/Signals.inc:625:1
 #2 0x00007f6359386f86 llvm::sys::RunSignalHandlers() /home/nicolas/src/llvm/build/../llvm/lib/Support/Signals.cpp:67:5
 #3 0x00007f6359388f9b SignalHandler(int) /home/nicolas/src/llvm/build/../llvm/lib/Support/Unix/Signals.inc:406:1
 #4 0x00007f635881a730 __restore_rt (/lib/x86_64-linux-gnu/libpthread.so.0+0x12730)
 #5 0x00007f6355ff37bb raise /build/glibc-vjB4T1/glibc-2.28/signal/../sysdeps/unix/sysv/linux/raise.c:51:1
 #6 0x00007f6355fde535 abort /build/glibc-vjB4T1/glibc-2.28/stdlib/abort.c:81:7
 #7 0x00007f6355fde40f _nl_load_domain /build/glibc-vjB4T1/glibc-2.28/intl/loadmsgcat.c:1177:9
 #8 0x00007f6355fec102 (/lib/x86_64-linux-gnu/libc.so.6+0x30102)
 #9 0x00007f635018088b (anonymous namespace)::relateSymbols(llvm::IntrusiveRefCntPtr<clang::ento::ProgramState const>, clang::ento::SymExpr const*, clang::ento::SymExpr const*, bool) /home/nicolas/src/llvm/build/../llvm/tools/clang/lib/StaticAnalyzer/Checkers/IteratorModeling.cpp:566:5
#10 0x00007f63501803a9 (anonymous namespace)::IteratorModeling::processComparison(clang::ento::CheckerContext&, llvm::IntrusiveRefCntPtr<clang::ento::ProgramState const>, clang::ento::SymExpr const*, clang::ento::SymExpr const*, clang::ento::SVal const&, clang::OverloadedOperatorKind) const /home/nicolas/src/llvm/build/../llvm/tools/clang/lib/StaticAnalyzer/Checkers/IteratorModeling.cpp:385:24
#11 0x00007f635017f419 (anonymous namespace)::IteratorModeling::handleComparison(clang::ento::CheckerContext&, clang::Expr const*, clang::ento::SVal, clang::ento::SVal const&, clang::ento::SVal const&, clang::OverloadedOperatorKind) const /home/nicolas/src/llvm/build/../llvm/tools/clang/lib/StaticAnalyzer/Checkers/IteratorModeling.cpp:363:3
#12 0x00007f635017e2fc (anonymous namespace)::IteratorModeling::checkPostCall(clang::ento::CallEvent const&, clang::ento::CheckerContext&) const /home/nicolas/src/llvm/build/../llvm/tools/clang/lib/StaticAnalyzer/Checkers/IteratorModeling.cpp:146:9
#13 0x00007f635017e180 void clang::ento::check::PostCall::_checkCall<(anonymous namespace)::IteratorModeling>(void*, clang::ento::CallEvent const&, clang::ento::CheckerContext&) /home/nicolas/src/llvm/build/../llvm/tools/clang/include/clang/StaticAnalyzer/Core/Checker.h:184:3
#14 0x00007f634f9a1712 clang::ento::CheckerFn<void (clang::ento::CallEvent const&, clang::ento::CheckerContext&)>::operator()(clang::ento::CallEvent const&, clang::ento::CheckerContext&) const /home/nicolas/src/llvm/build/../llvm/tools/clang/include/clang/StaticAnalyzer/Core/CheckerManager.h:69:5
#15 0x00007f634f993928 (anonymous namespace)::CheckCallContext::runChecker(clang::ento::CheckerFn<void (clang::ento::CallEvent const&, clang::ento::CheckerContext&)>, clang::ento::NodeBuilder&, clang::ento::ExplodedNode*) /home/nicolas/src/llvm/build/../llvm/tools/clang/lib/StaticAnalyzer/Core/CheckerManager.cpp:291:7
#16 0x00007f634f98fe05 void expandGraphWithCheckers<(anonymous namespace)::CheckCallContext>((anonymous namespace)::CheckCallContext, clang::ento::ExplodedNodeSet&, clang::ento::ExplodedNodeSet const&) /home/nicolas/src/llvm/build/../llvm/tools/clang/lib/StaticAnalyzer/Core/CheckerManager.cpp:138:25
#17 0x00007f634f98fb5b clang::ento::CheckerManager::runCheckersForCallEvent(bool, clang::ento::ExplodedNodeSet&, clang::ento::ExplodedNodeSet const&, clang::ento::CallEvent const&, clang::ento::ExprEngine&, bool) /home/nicolas/src/llvm/build/../llvm/tools/clang/lib/StaticAnalyzer/Core/CheckerManager.cpp:309:1
#18 0x00007f634fa1a1f8 clang::ento::CheckerManager::runCheckersForPostCall(clang::ento::ExplodedNodeSet&, clang::ento::ExplodedNodeSet const&, clang::ento::CallEvent const&, clang::ento::ExprEngine&, bool) /home/nicolas/src/llvm/build/../llvm/tools/clang/include/clang/StaticAnalyzer/Core/CheckerManager.h:283:3
#19 0x00007f634fa1df2c clang::ento::ExprEngine::evalCall(clang::ento::ExplodedNodeSet&, clang::ento::ExplodedNode*, clang::ento::CallEvent const&) /home/nicolas/src/llvm/build/../llvm/tools/clang/lib/StaticAnalyzer/Core/ExprEngineCallAndReturn.cpp:606:41
#20 0x00007f634fa1dd19 clang::ento::ExprEngine::VisitCallExpr(clang::CallExpr const*, clang::ento::ExplodedNode*, clang::ento::ExplodedNodeSet&) /home/nicolas/src/llvm/build/../llvm/tools/clang/lib/StaticAnalyzer/Core/ExprEngineCallAndReturn.cpp:513:16
#21 0x00007f634f9df934 clang::ento::ExprEngine::Visit(clang::Stmt const*, clang::ento::ExplodedNode*, clang::ento::ExplodedNodeSet&) /home/nicolas/src/llvm/build/../llvm/tools/clang/lib/StaticAnalyzer/Core/ExprEngine.cpp:1605:7
#22 0x00007f634f9dc4ac clang::ento::ExprEngine::ProcessStmt(clang::Stmt const*, clang::ento::ExplodedNode*) /home/nicolas/src/llvm/build/../llvm/tools/clang/lib/StaticAnalyzer/Core/ExprEngine.cpp:792:9
#23 0x00007f634f9dc199 clang::ento::ExprEngine::processCFGElement(clang::CFGElement, clang::ento::ExplodedNode*, unsigned int, clang::ento::NodeBuilderContext*) /home/nicolas/src/llvm/build/../llvm/tools/clang/lib/StaticAnalyzer/Core/ExprEngine.cpp:637:7
#24 0x00007f634f9afdaa clang::ento::CoreEngine::HandlePostStmt(clang::CFGBlock const*, unsigned int, clang::ento::ExplodedNode*) /home/nicolas/src/llvm/build/../llvm/tools/clang/lib/StaticAnalyzer/Core/CoreEngine.cpp:469:1
#25 0x00007f634f9af46c clang::ento::CoreEngine::dispatchWorkItem(clang::ento::ExplodedNode*, clang::ProgramPoint, clang::ento::WorkListUnit const&) /home/nicolas/src/llvm/build/../llvm/tools/clang/lib/StaticAnalyzer/Core/CoreEngine.cpp:195:1
#26 0x00007f634f9af01f clang::ento::CoreEngine::ExecuteWorkList(clang::LocationContext const*, unsigned int, llvm::IntrusiveRefCntPtr<clang::ento::ProgramState const>) /home/nicolas/src/llvm/build/../llvm/tools/clang/lib/StaticAnalyzer/Core/CoreEngine.cpp:129:3
#27 0x00007f6350d63564 clang::ento::ExprEngine::ExecuteWorkList(clang::LocationContext const*, unsigned int) /home/nicolas/src/llvm/build/../llvm/tools/clang/include/clang/StaticAnalyzer/Core/PathSensitive/ExprEngine.h:168:5
#28 0x00007f6350d0e186 (anonymous namespace)::AnalysisConsumer::RunPathSensitiveChecks(clang::Decl*, clang::ento::ExprEngine::InliningModes, llvm::DenseSet<clang::Decl const*, llvm::DenseMapInfo<clang::Decl const*> >*) /home/nicolas/src/llvm/build/../llvm/tools/clang/lib/StaticAnalyzer/Frontend/AnalysisConsumer.cpp:821:7
#29 0x00007f6350d0dd14 (anonymous namespace)::AnalysisConsumer::HandleCode(clang::Decl*, unsigned int, clang::ento::ExprEngine::InliningModes, llvm::DenseSet<clang::Decl const*, llvm::DenseMapInfo<clang::Decl const*> >*) /home/nicolas/src/llvm/build/../llvm/tools/clang/lib/StaticAnalyzer/Frontend/AnalysisConsumer.cpp:793:15
#30 0x00007f6350ca7d7e (anonymous namespace)::AnalysisConsumer::HandleDeclsCallGraph(unsigned int) /home/nicolas/src/llvm/build/../llvm/tools/clang/lib/StaticAnalyzer/Frontend/AnalysisConsumer.cpp:585:31
#31 0x00007f6350ca68e2 (anonymous namespace)::AnalysisConsumer::runAnalysisOnTranslationUnit(clang::ASTContext&) /home/nicolas/src/llvm/build/../llvm/tools/clang/lib/StaticAnalyzer/Frontend/AnalysisConsumer.cpp:635:3
#32 0x00007f6350ca56a2 (anonymous namespace)::AnalysisConsumer::HandleTranslationUnit(clang::ASTContext&) /home/nicolas/src/llvm/build/../llvm/tools/clang/lib/StaticAnalyzer/Frontend/AnalysisConsumer.cpp:0:5
#33 0x00007f635271830e clang::ParseAST(clang::Sema&, bool, bool) /home/nicolas/src/llvm/build/../llvm/tools/clang/lib/Parse/ParseAST.cpp:178:12
#34 0x00007f6356d80db2 clang::ASTFrontendAction::ExecuteAction() /home/nicolas/src/llvm/build/../llvm/tools/clang/lib/Frontend/FrontendAction.cpp:1049:1
#35 0x00007f6356d80761 clang::FrontendAction::Execute() /home/nicolas/src/llvm/build/../llvm/tools/clang/lib/Frontend/FrontendAction.cpp:944:7
#36 0x00007f6356cf515e clang::CompilerInstance::ExecuteAction(clang::FrontendAction&) /home/nicolas/src/llvm/build/../llvm/tools/clang/lib/Frontend/CompilerInstance.cpp:969:23
#37 0x00007f6356a7ab4f clang::ExecuteCompilerInvocation(clang::CompilerInstance*) /home/nicolas/src/llvm/build/../llvm/tools/clang/lib/FrontendTool/ExecuteCompilerInvocation.cpp:292:8
#38 0x0000000000428838 cc1_main(llvm::ArrayRef<char const*>, char const*, void*) /home/nicolas/src/llvm/build/../llvm/tools/clang/tools/driver/cc1_main.cpp:240:13
#39 0x000000000041c3c6 ExecuteCC1Tool(llvm::SmallVectorImpl<char const*>&) /home/nicolas/src/llvm/build/../llvm/tools/clang/tools/driver/driver.cpp:328:5
#40 0x000000000041b61f main /home/nicolas/src/llvm/build/../llvm/tools/clang/tools/driver/driver.cpp:402:5
#41 0x00007f6355fe009b __libc_start_main /build/glibc-vjB4T1/glibc-2.28/csu/../csu/libc-start.c:342:3
#42 0x000000000041adca _start (/home/nicolas/src/llvm/build/llvm/bin/clang+++0x41adca)
Quuxplusone commented 4 years ago

git-bisect in progress.

Quuxplusone commented 4 years ago

+Adam!

Also a regular reminder that alpha checkers are expected to be somewhat crashy and aren't supposed to be actually used until they're finished. Like, think of them as unmerged feature branches, but for historical reasons we use runtime flags for this purpose instead.

Quuxplusone commented 4 years ago
Bisection ended here:

[Analyzer] Split container modeling from iterator modeling
https://github.com/llvm/llvm-project/commit/9a08a3fab9993f9b93167de5c783dfed6dd7efc0
Quuxplusone commented 4 years ago

Hello,

Did you use -analyzer-config aggressive-binary-operation-simplification=true when invoking clang? Such crashes are typical if this option is not used. I will create a fix which warns and does not allow the checker to be enabled if this option is not used. All iterator-related checkers depend on this option. Anyway, I tried your code and I did not get the assertion with the option, but I got it without.

Quuxplusone commented 4 years ago

Fix to prevent usage of the checker without the appropriate option enabled: https://reviews.llvm.org/D75171

Quuxplusone commented 4 years ago

(In reply to Ádám Balogh from comment #4)

> Did you use -analyzer-config aggressive-binary-operation-simplification=true when invoking clang? Such crashes are typical if this option is not used. All iterator-related checkers depend on this option.

No, I didn't. Where is this documented? :)
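
The dependency described in comment #4, as an added example (not code from LLVM or from anyone in this thread): a POSIX shell check that reports whether a clang argument list enables an iterator checker without `-analyzer-config aggressive-binary-operation-simplification=true`. The function names are hypothetical, and matching iterator checkers by the name pattern `alpha.cplusplus.*Iterator*` (plus the enclosing `alpha` and `alpha.cplusplus` packages) is an assumption.

```shell
#!/bin/sh
# Added example, not LLVM code: lint analyzer invocations before they reach CI.
OPTION='aggressive-binary-operation-simplification'

# Assumption: iterator checkers are recognised by name, and enabling the
# package "alpha" or "alpha.cplusplus" switches them on as well.
enables_iterator_checker() {
  case "$1" in
    alpha|alpha.cplusplus|alpha.cplusplus.*Iterator*) return 0 ;;
  esac
  return 1
}

# Usage: check_analyzer_args <clang arguments...>
# Returns 0 when the invocation is consistent, 1 when an iterator checker is
# enabled but the option is missing or set to something other than "true".
# The body runs in a subshell, so IFS and "set -f" do not leak to the caller.
check_analyzer_args() (
  iter=0 simp=0
  IFS=,          # -analyzer-checker and -analyzer-config take comma lists
  set -f         # no pathname expansion while splitting those lists
  while [ $# -gt 0 ]; do
    kind='' list=''
    case "$1" in
      -analyzer-checker=*) kind=checker; list=${1#*=} ;;
      -analyzer-checker|-analyzer-config)
        kind=${1#-analyzer-}
        shift
        # driver spelling: -Xclang -analyzer-config -Xclang key=value
        case "${1-}" in -Xclang|-Xanalyzer) shift ;; esac
        list=${1-} ;;
    esac
    for item in $list; do
      case "$kind" in
        checker) if enables_iterator_checker "$item"; then iter=1; fi ;;
        config)  case "$item" in
                   "$OPTION=true") simp=1 ;;
                   "$OPTION="*)    simp=0 ;;   # a later value overrides
                 esac ;;
      esac
    done
    [ $# -eq 0 ] || shift
  done
  if [ "$iter" -eq 1 ] && [ "$simp" -eq 0 ]; then
    echo "iterator checker enabled without -analyzer-config $OPTION=true" >&2
    exit 1
  fi
)
```

Called with the arguments from the report (`-cc1 -analyze -analyzer-checker alpha.cplusplus.IteratorModeling viewmode.cpp`) it returns 1; adding the `-analyzer-config` pair makes it return 0.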