csmith-project / creduce

C-Reduce, a C and C++ program reducer

clang_delta: --transformation=empty-struct-to-int --counter=1 empty-struct6.c segfault #213

Open marxin opened 4 years ago

marxin commented 4 years ago

I see a segfault with LLVM9:

/home/marxin/Programming/cvise/objdir/clang_delta/clang_delta --transformation=empty-struct-to-int --counter=1 /home/marxin/Programming/cvise/clang_delta/tests/empty-struct-to-int/empty-struct6.c
Program received signal SIGSEGV, Segmentation fault.
0x00007ffff6d6667a in clang::RopePiece::size (this=<optimized out>) at ../tools/clang/include/clang/Rewrite/Core/RewriteRope.h:75
75      unsigned size() const { return EndOffs-StartOffs; }
Missing separate debuginfos, use: zypper install libLLVM9-debuginfo-9.0.1-10.1.x86_64 libedit0-debuginfo-3.1.snap20180525-2.5.x86_64 libgcc_s1-debuginfo-10.0.1+git175037-1.5.x86_64 libncurses6-debuginfo-6.2.20200404-2.1.x86_64 libstdc++6-debuginfo-10.0.1+git175037-1.5.x86_64
(gdb) bt
#0  0x00007ffff6d6667a in clang::RopePiece::size (this=<optimized out>) at ../tools/clang/include/clang/Rewrite/Core/RewriteRope.h:75
#1  (anonymous namespace)::RopePieceBTreeLeaf::erase (Offset=0, NumBytes=<optimized out>, this=<optimized out>) at ../tools/clang/lib/Rewrite/RewriteRope.cpp:350
#2  (anonymous namespace)::RopePieceBTreeNode::erase (this=0x1c0e390, Offset=0, NumBytes=<optimized out>) at ../tools/clang/lib/Rewrite/RewriteRope.cpp:659
#3  0x00007ffff6d67154 in clang::RopePieceBTree::erase (this=0x1bf0f70, Offset=0, NumBytes=4294967295) at ../tools/clang/lib/Rewrite/RewriteRope.cpp:763
#4  clang::RewriteRope::erase (this=0x1bf0f70, Offset=0, NumBytes=4294967295) at ../tools/clang/include/clang/Rewrite/Core/RewriteRope.h:205
#5  clang::RewriteBuffer::RemoveText (this=0x1bf0f68, OrigOffset=<optimized out>, Size=4294967295, removeLineIfEmpty=false) at ../tools/clang/lib/Rewrite/Rewriter.cpp:70
#6  0x00007ffff6d69071 in clang::Rewriter::RemoveText (this=0x1b7e630, Start=..., Length=4294967295, opts=...) at ../tools/clang/lib/Rewrite/Rewriter.cpp:302
#7  0x0000000000c459f8 in clang::RecursiveASTVisitor<EmptyStructToIntRewriteVisitor>::TraverseElaboratedTypeLoc(clang::ElaboratedTypeLoc) ()
#8  0x0000000000c4222d in clang::RecursiveASTVisitor<EmptyStructToIntRewriteVisitor>::TraverseTypeLoc(clang::TypeLoc) ()
#9  0x0000000000c4c53c in clang::RecursiveASTVisitor<EmptyStructToIntRewriteVisitor>::TraverseDeclaratorHelper(clang::DeclaratorDecl*) ()
#10 0x0000000000c4c842 in clang::RecursiveASTVisitor<EmptyStructToIntRewriteVisitor>::TraverseVarHelper(clang::VarDecl*) ()
#11 0x0000000000c37db8 in clang::RecursiveASTVisitor<EmptyStructToIntRewriteVisitor>::TraverseDecl(clang::Decl*) ()
#12 0x0000000000c38959 in clang::RecursiveASTVisitor<EmptyStructToIntRewriteVisitor>::TraverseDeclContextHelper(clang::DeclContext*) [clone .part.0] ()
#13 0x0000000000c37ff9 in clang::RecursiveASTVisitor<EmptyStructToIntRewriteVisitor>::TraverseDecl(clang::Decl*) ()
#14 0x0000000000c1f567 in EmptyStructToInt::HandleTranslationUnit(clang::ASTContext&) ()
#15 0x00007ffff5b8dc45 in clang::ParseAST (S=..., PrintStats=<optimized out>, SkipFunctionBodies=<optimized out>) at ../tools/clang/lib/Parse/ParseAST.cpp:171
#16 0x000000000171ef28 in TransformationManager::doTransformation(std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >&, int&) ()
#17 0x0000000000b17800 in main ()

As seen, the location Length is 4294967295, which is (int)-1. So an integer underflow.
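The wrapped length in the trace (NumBytes=4294967295 handed to RewriteRope::erase) is what an unsigned end-minus-begin computation produces when the end offset is smaller than the begin offset. The following is an added illustration, not clang_delta or clang code: a toy rewrite buffer with the unchecked length computation beside a checked variant that refuses reversed or out-of-buffer ranges before erasing. The sample text and the `RewriteBuf`, `rawLength`, `checkedLength` and `removeTextChecked` names are constructed for this example.

```cpp
#include <cstdint>
#include <string>

// Constructed model of a rewrite buffer: erase [begin, end) from text.
// Stand-in for the real Rewriter, not clang's implementation.
struct RewriteBuf {
    std::string text;
};

// Unchecked length as seen in the trace: if endOffs < beginOffs the
// unsigned subtraction wraps to 4294967295, i.e. (unsigned)-1.
inline uint32_t rawLength(uint32_t beginOffs, uint32_t endOffs) {
    return endOffs - beginOffs;
}

// Hardened variant: validate ordering and bounds, return false instead
// of producing a wrapped length that would read past the buffer.
inline bool checkedLength(uint32_t beginOffs, uint32_t endOffs,
                          size_t bufSize, uint32_t &lenOut) {
    if (endOffs < beginOffs) return false;   // would underflow
    if (endOffs > bufSize) return false;     // range runs past the text
    lenOut = endOffs - beginOffs;
    return true;
}

// Erases only when the range is valid; leaves the buffer untouched otherwise.
inline bool removeTextChecked(RewriteBuf &buf, uint32_t beginOffs, uint32_t endOffs) {
    uint32_t len = 0;
    if (!checkedLength(beginOffs, endOffs, buf.text.size(), len)) return false;
    buf.text.erase(beginOffs, len);
    return true;
}

// Worked case on constructed input: a well-ordered range is removed.
inline std::string applyValidRemoval() {
    RewriteBuf buf{"struct S a = 0;"};
    removeTextChecked(buf, 0, 9);   // drops "struct S "
    return buf.text;                // "a = 0;"
}

// Worked case: a reversed range (the underflow scenario) is refused.
inline bool reversedRangeRefused() {
    RewriteBuf buf{"struct S a = 0;"};
    bool removed = removeTextChecked(buf, 9, 0);
    return !removed && buf.text == "struct S a = 0;";
}
```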

chenyang78 commented 4 years ago

Hmm, I couldn't reproduce the segfault. The test worked for me:

$ ./clang_delta --transformation=empty-struct-to-int --counter=1 /home/marxin/Programming/cvise/clang_delta/tests/empty-struct-to-int/empty-struct6.c
// RUN: %clang_delta --transformation=empty-struct-to-int --counter=1 %s 2>&1 | %remove_lit_checks | FileCheck %s

// CHECK: int a = 0;
int  a = 0;

I am using LLVM 9.0.0 though. I will try 9.0.1 tomorrow. Thanks.

marxin commented 4 years ago

It's quite interesting that it does not happen in valgrind:

$ valgrind --expensive-definedness-checks=yes ./clang_delta/clang_delta --transformation=empty-struct-to-int --counter=1 /home/marxin/Programming/cvise/clang_delta/tests/empty-struct-to-int/empty-struct6.c
==12048== Memcheck, a memory error detector
==12048== Copyright (C) 2002-2017, and GNU GPL'd, by Julian Seward et al.
==12048== Using Valgrind-3.15.0 and LibVEX; rerun with -h for copyright info
==12048== Command: ./clang_delta/clang_delta --transformation=empty-struct-to-int --counter=1 /home/marxin/Programming/cvise/clang_delta/tests/empty-struct-to-int/empty-struct6.c
==12048== 
int  a = 0;
==12048== 
==12048== HEAP SUMMARY:
==12048==     in use at exit: 91,534 bytes in 1,532 blocks
==12048==   total heap usage: 2,825 allocs, 1,293 frees, 1,243,630 bytes allocated
==12048== 
==12048== LEAK SUMMARY:
==12048==    definitely lost: 0 bytes in 0 blocks
==12048==    indirectly lost: 0 bytes in 0 blocks
==12048==      possibly lost: 0 bytes in 0 blocks
==12048==    still reachable: 91,534 bytes in 1,532 blocks
==12048==         suppressed: 0 bytes in 0 blocks
==12048== Rerun with --leak-check=full to see details of leaked memory
==12048== 
==12048== For lists of detected and suppressed errors, rerun with: -s
==12048== ERROR SUMMARY: 0 errors from 0 contexts (suppressed: 0 from 0)

chenyang78 commented 4 years ago

Not sure what's going on. The test also passed with LLVM 9.0.1 on my Ubuntu 18.04.

marxin commented 4 years ago

I bet there's some location offset underflow, but hard to guess.