Quuxplusone / LLVMBugzillaTest

optin.mpi.MPI-Checker crashes on MPI_Wait in loop #47644

Open Quuxplusone opened 3 years ago

Quuxplusone commented 3 years ago
Bugzilla Link PR48675
Status NEW
Importance P normal
Reported by Peter Hill (peter.hill@york.ac.uk)
Reported on 2021-01-06 01:58:35 -0800
Last modified on 2021-01-06 03:36:54 -0800
Version unspecified
Hardware PC Linux
CC alexfh@google.com, dcoughlin@apple.com, djasper@google.com, klimek@google.com, llvm-bugs@lists.llvm.org, N.James93@hotmail.co.uk
Fixed by commit(s)
Attachments checkUnmatchedWaits_mvce.cpp (453 bytes, text/x-c++src)
Blocks
Blocked by
See also
Created attachment 24355
Minimal crashing example

clang-tidy crashes when using the optin.mpi.MPI-Checker check on the attached
source code.

$ clang-tidy -checks=-*,clang-analyzer-optin.mpi* ./checkUnmatchedWaits_mvce.cpp
PLEASE submit a bug report to https://bugs.llvm.org/ and include the crash backtrace.
Stack dump:
0.      Program arguments: clang-tidy -checks=-*,clang-analyzer-optin.mpi* ./checkUnmatchedWaits_mvce.cpp
1.      <eof> parser at end of file
2.      While analyzing stack:
        #0 Calling foo
3.      /home/peter/Learning/clang-tidy-crash/checkUnmatchedWaits_mvce.cpp:20:7: Error evaluating statement
4.      /home/peter/Learning/clang-tidy-crash/checkUnmatchedWaits_mvce.cpp:20:7: Error evaluating statement
 #0 0x00007fa6e923a76d llvm::sys::PrintStackTrace(llvm::raw_ostream&) (/usr/bin/../lib64/libLLVM.so.11+0xa5076d)
 #1 0x00007fa6e92380e0 llvm::sys::RunSignalHandlers() (/usr/bin/../lib64/libLLVM.so.11+0xa4e0e0)
 #2 0x00007fa6e923ad22 (/usr/bin/../lib64/libLLVM.so.11+0xa50d22)
 #3 0x00007fa6f135f1d0 __restore_rt (/lib64/libpthread.so.0+0x141d0)
 #4 0x00007fa6f098a879 clang::ento::mpi::MPIChecker::checkUnmatchedWaits(clang::ento::CallEvent const&, clang::ento::CheckerContext&) const (/usr/bin/../lib64/libclang-cpp.so.11+0x2ce1879)
 #5 0x00007fa6f098cef4 (/usr/bin/../lib64/libclang-cpp.so.11+0x2ce3ef4)
 #6 0x00007fa6f070dffa clang::ento::CheckerManager::runCheckersForCallEvent(bool, clang::ento::ExplodedNodeSet&, clang::ento::ExplodedNodeSet const&, clang::ento::CallEvent const&, clang::ento::ExprEngine&, bool) (/usr/bin/../lib64/libclang-cpp.so.11+0x2a64ffa)
 #7 0x00007fa6f074f0d6 clang::ento::ExprEngine::evalCall(clang::ento::ExplodedNodeSet&, clang::ento::ExplodedNode*, clang::ento::CallEvent const&) (/usr/bin/../lib64/libclang-cpp.so.11+0x2aa60d6)
 #8 0x00007fa6f074eea4 clang::ento::ExprEngine::VisitCallExpr(clang::CallExpr const*, clang::ento::ExplodedNode*, clang::ento::ExplodedNodeSet&) (/usr/bin/../lib64/libclang-cpp.so.11+0x2aa5ea4)
 #9 0x00007fa6f07324d2 clang::ento::ExprEngine::Visit(clang::Stmt const*, clang::ento::ExplodedNode*, clang::ento::ExplodedNodeSet&) (/usr/bin/../lib64/libclang-cpp.so.11+0x2a894d2)
#10 0x00007fa6f072d8f2 clang::ento::ExprEngine::ProcessStmt(clang::Stmt const*, clang::ento::ExplodedNode*) (/usr/bin/../lib64/libclang-cpp.so.11+0x2a848f2)
#11 0x00007fa6f072d5ca clang::ento::ExprEngine::processCFGElement(clang::CFGElement, clang::ento::ExplodedNode*, unsigned int, clang::ento::NodeBuilderContext*) (/usr/bin/../lib64/libclang-cpp.so.11+0x2a845ca)
#12 0x00007fa6f07176d4 clang::ento::CoreEngine::dispatchWorkItem(clang::ento::ExplodedNode*, clang::ProgramPoint, clang::ento::WorkListUnit const&) (/usr/bin/../lib64/libclang-cpp.so.11+0x2a6e6d4)
#13 0x00007fa6f07172e7 clang::ento::CoreEngine::ExecuteWorkList(clang::LocationContext const*, unsigned int, llvm::IntrusiveRefCntPtr<clang::ento::ProgramState const>) (/usr/bin/../lib64/libclang-cpp.so.11+0x2a6e2e7)
#14 0x00007fa6f0b3fb43 (/usr/bin/../lib64/libclang-cpp.so.11+0x2e96b43)
#15 0x00007fa6f0b12afa (/usr/bin/../lib64/libclang-cpp.so.11+0x2e69afa)
#16 0x00007fa6f048a3dc clang::MultiplexConsumer::HandleTranslationUnit(clang::ASTContext&) (/usr/bin/../lib64/libclang-cpp.so.11+0x27e13dc)
#17 0x00007fa6ee5ee8a5 clang::ParseAST(clang::Sema&, bool, bool) (/usr/bin/../lib64/libclang-cpp.so.11+0x9458a5)
#18 0x00007fa6f04541a4 clang::FrontendAction::Execute() (/usr/bin/../lib64/libclang-cpp.so.11+0x27ab1a4)
#19 0x00007fa6f0407fed clang::CompilerInstance::ExecuteAction(clang::FrontendAction&) (/usr/bin/../lib64/libclang-cpp.so.11+0x275efed)
#20 0x00007fa6f067d753 clang::tooling::FrontendActionFactory::runInvocation(std::shared_ptr<clang::CompilerInvocation>, clang::FileManager*, std::shared_ptr<clang::PCHContainerOperations>, clang::DiagnosticConsumer*) (/usr/bin/../lib64/libclang-cpp.so.11+0x29d4753)
#21 0x00000000008f9771 (/usr/bin/clang-tidy-11.0.0+0x8f9771)
#22 0x00007fa6f067d425 clang::tooling::ToolInvocation::runInvocation(char const*, clang::driver::Compilation*, std::shared_ptr<clang::CompilerInvocation>, std::shared_ptr<clang::PCHContainerOperations>) (/usr/bin/../lib64/libclang-cpp.so.11+0x29d4425)
#23 0x00007fa6f067c75f clang::tooling::ToolInvocation::run() (/usr/bin/../lib64/libclang-cpp.so.11+0x29d375f)
#24 0x00007fa6f067ebb0 clang::tooling::ClangTool::run(clang::tooling::ToolAction*) (/usr/bin/../lib64/libclang-cpp.so.11+0x29d5bb0)
#25 0x00000000008f4fad (/usr/bin/clang-tidy-11.0.0+0x8f4fad)
#26 0x00000000004391dc (/usr/bin/clang-tidy-11.0.0+0x4391dc)
#27 0x00007fa6e8320152 __libc_start_main /usr/src/debug/glibc-2.32-4.1.x86_64/csu/../csu/libc-start.c:314:16
#28 0x0000000000436e3e (/usr/bin/clang-tidy-11.0.0+0x436e3e)
Segmentation fault (core dumped)

I've reduced the failing code down to a single function:

#include <mpi.h>

extern bool condition();

void foo(int loop, int proc_in, int proc_out) {
  for (int i = 0; i < loop; i++) {
    MPI_Request req;
    double in;
    double out;

    if (condition()) {
      MPI_Irecv(&in, 1, MPI_DOUBLE, proc_in, 0, MPI_COMM_WORLD, &req);
    }

    if (condition()) {
      MPI_Send(&out, 1, MPI_DOUBLE, proc_out, 0, MPI_COMM_WORLD);
    }

    if (condition()) {
      MPI_Wait(&req, MPI_STATUS_IGNORE);  // Line 20, crash
    }
  }
}

The conditionals and loop are both needed to cause the crash. A
compile_commands.json with the MPI include path is needed too.

Quuxplusone commented 3 years ago

Attached checkUnmatchedWaits_mvce.cpp (453 bytes, text/x-c++src): Minimal crashing example

Quuxplusone commented 3 years ago

This appears to be a static analyser bug rather than clang-tidy.
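
Added example, not part of the original report or of LLVM's code: a small Python triage script that rejoins the line-wrapped frames of the backtrace in the report, picks the first symbolized frame below the signal trampoline, and attributes it to a component by namespace. The function names and the namespace-to-component mapping are assumptions of this example.

```python
import re

# Excerpt of the backtrace quoted in the report (frames #2-#4 and the
# line-wrapped #22), kept with the wrapping the page shows.
SAMPLE = """\
 #2 0x00007fa6e923ad22 (/usr/bin/../lib64/libLLVM.so.11+0xa50d22)
 #3 0x00007fa6f135f1d0 __restore_rt (/lib64/libpthread.so.0+0x141d0)
 #4 0x00007fa6f098a879 clang::ento::mpi::MPIChecker::checkUnmatchedWaits(clang::ento::CallEvent const&, clang::ento::CheckerContext&) const (/usr/bin/../lib64/libclang-cpp.so.11+0x2ce1879)
#22 0x00007fa6f067d425 clang::tooling::ToolInvocation::runInvocation(char
const*, clang::driver::Compilation*,
std::shared_ptr<clang::CompilerInvocation>,
std::shared_ptr<clang::PCHContainerOperations>) (/usr/bin/../lib64/libclang-
cpp.so.11+0x29d4425)
Segmentation fault (core dumped)
"""

FRAME = re.compile(r"^\s*#(\d+) (0x[0-9a-f]+)\s*(.*)$")
MODULE = re.compile(r"\s*\((/[^()\s]+)\+0x[0-9a-f]+\)$")
# Assumed namespace-to-component mapping (a triage heuristic, not an LLVM API).
COMPONENTS = [("clang::ento::", "static analyzer"), ("clang::tidy::", "clang-tidy")]

def parse_frames(dump):
    """Rejoin wrapped frames, then split each into index, symbol and module."""
    joined = []
    for line in (l.strip() for l in dump.splitlines()):
        if FRAME.match(line):
            joined.append(line)
        elif line and joined and not MODULE.search(joined[-1]):
            # Continuation of a wrapped frame; a hyphen wrap gets no space.
            joined[-1] += ("" if joined[-1].endswith("-") else " ") + line
    frames = []
    for text in joined:
        index, _addr, rest = FRAME.match(text).groups()
        mod = MODULE.search(rest)
        symbol = rest[:mod.start()] if mod else rest
        frames.append({"index": int(index), "symbol": symbol.strip(),
                       "module": mod.group(1) if mod else None})
    return frames

def faulting_frame(frames):
    """First symbolized frame below the signal trampoline (__restore_rt)."""
    start = max((i + 1 for i, f in enumerate(frames)
                 if f["symbol"] == "__restore_rt"), default=0)
    return next((f for f in frames[start:] if f["symbol"]), None)

def component(frame):
    """Attribute a frame to a component by its C++ namespace prefix."""
    return next((name for prefix, name in COMPONENTS
                 if frame["symbol"].startswith(prefix)), "unknown")
```

Frames above `__restore_rt` belong to LLVM's crash handler, so they are skipped when picking the frame to bucket the crash on.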