llvm / llvm-project


Analyzer: Repeatable RegionStore.cpp assertion failure "!B.lookup(R, BindingKey::Direct)' #31577

Closed llvmbot closed 2 years ago

llvmbot commented 7 years ago
Bugzilla Link: 32229
Resolution: FIXED
Resolved on: Apr 17, 2019 13:55
Version: unspecified
OS: Linux
Attachments: Archive of generated trace log .cpp and .sh
Reporter: LLVM Bugzilla Contributor

Extended Description

Encountered this failure while analyzing base/trace_event/trace_log.cc in the Chromium codebase. Link: https://cs.chromium.org/chromium/src/base/trace_event/trace_log.cc?q=base/trace_event/trace_log.cc&dr

clang: /b/build/slave/linux_upload_clang/build/src/third_party/llvm/tools/clang/lib/StaticAnalyzer/Core/RegionStore.cpp:413: virtual clang::ento::StoreRef (anonymous namespace)::RegionStoreManager::BindDefault(Store, const clang::ento::MemRegion *, clang::ento::SVal): Assertion `!B.lookup(R, BindingKey::Direct)' failed.
#0 0x0000000001b8d584 (/usr/local/google/home/marshallk/chrome/src/third_party/llvm-build/Release+Asserts/bin/clang+0x1b8d584)
#1 0x0000000001b8d8c6 (/usr/local/google/home/marshallk/chrome/src/third_party/llvm-build/Release+Asserts/bin/clang+0x1b8d8c6)
#2 0x00007ff40f6a7330 __restore_rt (/lib/x86_64-linux-gnu/libpthread.so.0+0x10330)
#3 0x00007ff40e29bc37 gsignal /build/eglibc-oGUzwX/eglibc-2.19/signal/../nptl/sysdeps/unix/sysv/linux/raise.c:56:0
#4 0x00007ff40e29f028 abort /build/eglibc-oGUzwX/eglibc-2.19/stdlib/abort.c:91:0
#5 0x00007ff40e294bf6 __assert_fail_base /build/eglibc-oGUzwX/eglibc-2.19/assert/assert.c:92:0
#6 0x00007ff40e294ca2 (/lib/x86_64-linux-gnu/libc.so.6+0x2fca2)
#7 0x00000000032e7348 (/usr/local/google/home/marshallk/chrome/src/third_party/llvm-build/Release+Asserts/bin/clang+0x32e7348)
#8 0x00000000032d862c clang::ento::ProgramState::bindDefault(clang::ento::SVal, clang::ento::SVal, clang::LocationContext const*) const (/usr/local/google/home/marshallk/chrome/src/third_party/llvm-build/Release+Asserts/bin/clang+0x32d862c)
#9 0x00000000032b5a3a clang::ento::ExprEngine::VisitCXXConstructExpr(clang::CXXConstructExpr const*, clang::ento::ExplodedNode*, clang::ento::ExplodedNodeSet&) (/usr/local/google/home/marshallk/chrome/src/third_party/llvm-build/Release+Asserts/bin/clang+0x32b5a3a)
#10 0x000000000329a9e6 clang::ento::ExprEngine::Visit(clang::Stmt const*, clang::ento::ExplodedNode*, clang::ento::ExplodedNodeSet&) (/usr/local/google/home/marshallk/chrome/src/third_party/llvm-build/Release+Asserts/bin/clang+0x329a9e6)
#11 0x0000000003296d03 clang::ento::ExprEngine::ProcessStmt(clang::CFGStmt, clang::ento::ExplodedNode*) (/usr/local/google/home/marshallk/chrome/src/third_party/llvm-build/Release+Asserts/bin/clang+0x3296d03)
#12 0x00000000032969c7 clang::ento::ExprEngine::processCFGElement(clang::CFGElement, clang::ento::ExplodedNode*, unsigned int, clang::ento::NodeBuilderContext*) (/usr/local/google/home/marshallk/chrome/src/third_party/llvm-build/Release+Asserts/bin/clang+0x32969c7)
#13 0x000000000328cd6a clang::ento::CoreEngine::HandleBlockEntrance(clang::BlockEntrance const&, clang::ento::ExplodedNode*) (/usr/local/google/home/marshallk/chrome/src/third_party/llvm-build/Release+Asserts/bin/clang+0x328cd6a)
#14 0x000000000328c7b7 clang::ento::CoreEngine::dispatchWorkItem(clang::ento::ExplodedNode*, clang::ProgramPoint, clang::ento::WorkListUnit const&) (/usr/local/google/home/marshallk/chrome/src/third_party/llvm-build/Release+Asserts/bin/clang+0x328c7b7)
#15 0x000000000328c03f clang::ento::CoreEngine::ExecuteWorkList(clang::LocationContext const*, unsigned int, llvm::IntrusiveRefCntPtr<clang::ento::ProgramState const>) (/usr/local/google/home/marshallk/chrome/src/third_party/llvm-build/Release+Asserts/bin/clang+0x328c03f)
#16 0x00000000028082ad (/usr/local/google/home/marshallk/chrome/src/third_party/llvm-build/Release+Asserts/bin/clang+0x28082ad)
#17 0x0000000002807e5e (/usr/local/google/home/marshallk/chrome/src/third_party/llvm-build/Release+Asserts/bin/clang+0x2807e5e)
#18 0x00000000028013ea (/usr/local/google/home/marshallk/chrome/src/third_party/llvm-build/Release+Asserts/bin/clang+0x28013ea)
#19 0x00000000020e739c clang::MultiplexConsumer::HandleTranslationUnit(clang::ASTContext&) (/usr/local/google/home/marshallk/chrome/src/third_party/llvm-build/Release+Asserts/bin/clang+0x20e739c)
#20 0x0000000002834d56 clang::ParseAST(clang::Sema&, bool, bool) (/usr/local/google/home/marshallk/chrome/src/third_party/llvm-build/Release+Asserts/bin/clang+0x2834d56)
#21 0x00000000020c1ea8 clang::FrontendAction::Execute() (/usr/local/google/home/marshallk/chrome/src/third_party/llvm-build/Release+Asserts/bin/clang+0x20c1ea8)
#22 0x0000000002088e31 clang::CompilerInstance::ExecuteAction(clang::FrontendAction&) (/usr/local/google/home/marshallk/chrome/src/third_party/llvm-build/Release+Asserts/bin/clang+0x2088e31)
#23 0x0000000002146dc5 clang::ExecuteCompilerInvocation(clang::CompilerInstance*) (/usr/local/google/home/marshallk/chrome/src/third_party/llvm-build/Release+Asserts/bin/clang+0x2146dc5)
#24 0x00000000008272f8 cc1_main(llvm::ArrayRef<char const*>, char const*, void*) (/usr/local/google/home/marshallk/chrome/src/third_party/llvm-build/Release+Asserts/bin/clang+0x8272f8)
#25 0x0000000000825226 main (/usr/local/google/home/marshallk/chrome/src/third_party/llvm-build/Release+Asserts/bin/clang+0x825226)
#26 0x00007ff40e286f45 __libc_start_main /build/eglibc-oGUzwX/eglibc-2.19/csu/libc-start.c:321:0
#27 0x00000000008223da _start (/usr/local/google/home/marshallk/chrome/src/third_party/llvm-build/Release+Asserts/bin/clang+0x8223da)
Stack dump:
0.  Program arguments: /usr/local/google/home/marshallk/chrome/src/third_party/llvm-build/Release+Asserts/bin/clang -cc1 -triple x86_64-unknown-linux-gnu -analyze -disable-free -main-file-name trace_log.cc -analyzer-store=region -analyzer-opt-analyze-nested-blocks -analyzer-eagerly-assume -analyzer-checker=core -analyzer-checker=apiModeling -analyzer-checker=unix -analyzer-checker=deadcode -analyzer-checker=cplusplus -analyzer-checker=security.insecureAPI.UncheckedReturn -analyzer-checker=security.insecureAPI.getpw -analyzer-checker=security.insecureAPI.gets -analyzer-checker=security.insecureAPI.mktemp -analyzer-checker=security.insecureAPI.mkstemp -analyzer-checker=security.insecureAPI.vfork -analyzer-checker=nullability.NullPassedToNonnull -analyzer-checker=nullability.NullReturnedFromNonnull -analyzer-output plist -w -analyzer-checker=cplusplus -analyzer-opt-analyze-nested-blocks -analyzer-eagerly-assume -analyzer-output=text -analyzer-config suppress-c++-stdlib=true -analyzer-checker=core -analyzer-checker=unix -analyzer-checker=deadcode -mrelocation-model pic -pic-level 2 -mthread-model posix -mdisable-fp-elim -relaxed-aliasing -fmath-errno -masm-verbose -mconstructor-aliases -munwind-tables -target-cpu x86-64 -dwarf-column-info -backend-option -split-dwarf=Enable -debug-info-kind=limited -debugger-tuning=gdb -coverage-notes-file /usr/local/google/home/marshallk/chrome/src/out/ClangLint/obj/base/base/trace_log.gcno -resource-dir /usr/local/google/home/marshallk/chrome/src/third_party/llvm-build/Release+Asserts/lib/clang/5.0.0 -dependency-file obj/base/base/trace_log.o.d -MT obj/base/base/trace_log.o -D USE_SYMBOLIZE -D V8_DEPRECATION_WARNINGS -D USE_UDEV -D UI_COMPOSITOR_IMAGE_TRANSPORT -D USE_AURA=1 -D USE_PANGO=1 -D USE_CAIRO=1 -D USE_GLIB=1 -D USE_NSS_CERTS=1 -D USE_X11=1 -D FULL_SAFE_BROWSING -D SAFE_BROWSING_CSD -D SAFE_BROWSING_DB_LOCAL -D CHROMIUM_BUILD -D ENABLE_MEDIA_ROUTER=1 -D FIELDTRIAL_TESTING_ENABLED -D CR_CLANG_REVISION="296321-1" -D _FILE_OFFSET_BITS=64 -D _LARGEFILE_SOURCE -D _LARGEFILE64_SOURCE -D __STDC_CONSTANT_MACROS -D __STDC_FORMAT_MACROS -D COMPONENT_BUILD -D _DEBUG -D DYNAMIC_ANNOTATIONS_ENABLED=1 -D WTF_USE_DYNAMIC_ANNOTATIONS=1 -D _GLIBCXX_DEBUG=1 -D BASE_IMPLEMENTATION -D GLIB_VERSION_MAX_ALLOWED=GLIB_VERSION_2_32 -D GLIB_VERSION_MIN_REQUIRED=GLIB_VERSION_2_26 -I ../.. -I gen -I ../../build/linux/debian_wheezy_amd64-sysroot/usr/include/glib-2.0 -I ../../build/linux/debian_wheezy_amd64-sysroot/usr/lib/x86_64-linux-gnu/glib-2.0/include -D __DATE__= -D __TIME__= -D __TIMESTAMP__= -isysroot ../../build/linux/debian_wheezy_amd64-sysroot -internal-isystem ../../build/linux/debian_wheezy_amd64-sysroot/usr/lib/gcc/x86_64-linux-gnu/4.6/../../../../include/c++/4.6 -internal-isystem ../../build/linux/debian_wheezy_amd64-sysroot/usr/lib/gcc/x86_64-linux-gnu/4.6/../../../../include/c++/4.6/x86_64-linux-gnu -internal-isystem ../../build/linux/debian_wheezy_amd64-sysroot/usr/lib/gcc/x86_64-linux-gnu/4.6/../../../../include/c++/4.6/backward -internal-isystem ../../build/linux/debian_wheezy_amd64-sysroot/usr/local/include -internal-isystem /usr/local/google/home/marshallk/chrome/src/third_party/llvm-build/Release+Asserts/lib/clang/5.0.0/include -internal-externc-isystem ../../build/linux/debian_wheezy_amd64-sysroot/usr/include/x86_64-linux-gnu -internal-externc-isystem ../../build/linux/debian_wheezy_amd64-sysroot/include -internal-externc-isystem ../../build/linux/debian_wheezy_amd64-sysroot/usr/include -O0 -Wno-builtin-macro-redefined -Wall -Werror -Wextra -Wno-missing-field-initializers -Wno-unused-parameter -Wno-c++11-narrowing -Wno-covered-switch-default -Wno-deprecated-register -Wno-unneeded-internal-declaration -Wno-inconsistent-missing-override -Wno-shift-negative-value -Wno-undefined-var-template -Wno-nonportable-include-path -Wno-address-of-packed-member -Wno-unused-lambda-capture -Wno-user-defined-warnings -Wheader-hygiene -Wstring-conversion -Wtautological-overlap-compare -Wno-char-subscripts -Wexit-time-destructors -Wexit-time-destructors -Wno-undefined-bool-conversion -Wno-tautological-undefined-compare -std=gnu++11 -fdeprecated-macro -fdebug-compilation-dir /usr/local/google/home/marshallk/chrome/src/out/ClangLint -ferror-limit 19 -fmessage-length 0 -fvisibility hidden -fvisibility-inlines-hidden -pthread -stack-protector 1 -stack-protector-buffer-size 4 -fno-rtti -fobjc-runtime=gcc -fdiagnostics-show-option -fcolor-diagnostics -load ../../third_party/llvm-build/Release+Asserts/lib/libFindBadConstructs.so -add-plugin find-bad-constructs -plugin-arg-find-bad-constructs check-auto-raw-pointer -plugin-arg-find-bad-constructs check-ipc -o obj/base/base/trace_log.o -x c++ ../../base/trace_event/trace_log.cc
1.  <eof> parser at end of file
2.  While analyzing stack: 
    #0 constexpr _Tuple_impl() : _Inherited(), _Base() {}
    #1 constexpr _Tuple_impl() : _Inherited(), _Base() {}
    #2 constexpr tuple() : _Inherited() {}
    #3 constexpr unique_ptr() : _M_t() {}
    #4 void CreateFiltersForTraceConfig()
    #5 void UpdateCategoryRegistry()
    #6 void SetEnabled(const base::trace_event::TraceConfig &trace_config, uint8_t modes_to_enable)
3.  ../../build/linux/debian_wheezy_amd64-sysroot/usr/lib/gcc/x86_64-linux-gnu/4.6/../../../../include/c++/4.6/tuple:158:9: Error evaluating statement
4.  ../../build/linux/debian_wheezy_amd64-sysroot/usr/lib/gcc/x86_64-linux-gnu/4.6/../../../../include/c++/4.6/tuple:158:9: Error evaluating statement
clang: error: unable to execute command: Aborted (core dumped)
clang: error: clang frontend command failed due to signal (use -v to see invocation)
clang version 5.0.0 (trunk 296321)
Target: x86_64-unknown-linux-gnu
Thread model: posix
InstalledDir: /usr/local/google/home/marshallk/chrome/src/out/ClangLint/../../third_party/llvm-build/Release+Asserts/bin
clang: note: diagnostic msg: PLEASE submit a bug report to http://llvm.org/bugs/ and include the crash backtrace, preprocessed source, and associated run script.
clang: note: diagnostic msg: 
********************

PLEASE ATTACH THE FOLLOWING FILES TO THE BUG REPORT:
Preprocessed source(s) and associated run script(s) are located at:
clang: note: diagnostic msg: /tmp/trace_log-76f2bf.cpp
clang: note: diagnostic msg: /tmp/trace_log-76f2bf.sh
clang: note: diagnostic msg: 

********************
llvmbot commented 5 years ago

This doesn't crash any more. May have been fixed as a part of llvm/llvm-project#19327.

$ ./trace_log-76f2bf.sh
../../base/trace_event/trace_log.cc:815:29: warning: Dereference of null smart pointer 'thread_shared_chunk_' of type 'std::unique_ptr'
  TraceEvent* trace_event = thread_shared_chunk_->AddTraceEvent(&event_index);
                            ^
../../base/trace_event/trace_log.cc:1115:10: note: Calling 'TraceLog::AddTraceEventWithThreadIdAndTimestamp'
  return AddTraceEventWithThreadIdAndTimestamp(
         ^~~~~~~~~~
../../base/trace_event/trace_log.cc:1181:7: note: Assuming the condition is false
  if (!*category_group_enabled)
      ^~~~~~~~
../../base/trace_event/trace_log.cc:1181:3: note: Taking false branch
  if (!*category_group_enabled)
  ^
../../base/trace_event/trace_log.cc:1187:3: note: Taking false branch
  if (thread_is_in_trace_event_.Get())
  ^
../../base/trace_event/trace_log.cc:1192:3: note: Assuming 'name' is non-null
  DCHECK(name);
  ^~~~
../../base/logging.h:814:36: note: expanded from macro 'DCHECK'
  LAZY_STREAM(LOG_STREAM(DCHECK), !ANALYZER_ASSUME_TRUE(condition)) \
../../base/logging.h:312:67: note: expanded from macro 'ANALYZER_ASSUME_TRUE'
#define ANALYZER_ASSUME_TRUE(val) (::logging::AnalysisAssumeTrue(!!(val)))
                                                                  ^
../../base/logging.h:402:5: note: expanded from macro 'LAZY_STREAM'
  !(condition) ? (void) 0 : ::logging::LogMessageVoidify() & (stream)
    ^~~~~~~~~
../../base/trace_event/trace_log.cc:1192:3: note: '?' condition is true
../../base/logging.h:814:3: note: expanded from macro 'DCHECK'
  LAZY_STREAM(LOG_STREAM(DCHECK), !ANALYZER_ASSUME_TRUE(condition)) \
  ^
../../base/logging.h:402:3: note: expanded from macro 'LAZY_STREAM'
  !(condition) ? (void) 0 : ::logging::LogMessageVoidify() & (stream)
  ^
../../base/trace_event/trace_log.cc:1193:3: note: '?' condition is true
  DCHECK(!timestamp.is_null());
  ^
../../base/logging.h:814:3: note: expanded from macro 'DCHECK'
  LAZY_STREAM(LOG_STREAM(DCHECK), !ANALYZER_ASSUME_TRUE(condition)) \
  ^
../../base/logging.h:402:3: note: expanded from macro 'LAZY_STREAM'
  !(condition) ? (void) 0 : ::logging::LogMessageVoidify() & (stream)
  ^
../../base/trace_event/trace_log.cc:1195:7: note: Assuming the condition is false
  if (flags & TRACE_EVENT_FLAG_MANGLE_ID) {
      ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
../../base/trace_event/trace_log.cc:1195:3: note: Taking false branch
  if (flags & TRACE_EVENT_FLAG_MANGLE_ID) {
  ^
../../base/trace_event/trace_log.cc:1206:7: note: Assuming the condition is true
  if (*category_group_enabled & RECORDING_MODE) {
      ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
../../base/trace_event/trace_log.cc:1206:3: note: Taking true branch
  if (*category_group_enabled & RECORDING_MODE) {
  ^
../../base/trace_event/trace_log.cc:1215:7: note: Assuming the condition is false
  if (thread_id == static_cast<int>(PlatformThread::CurrentId())) {
      ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
../../base/trace_event/trace_log.cc:1215:3: note: Taking false branch
  if (thread_id == static_cast<int>(PlatformThread::CurrentId())) {
  ^
../../base/trace_event/trace_log.cc:1262:7: note: Assuming the condition is false
  if (*category_group_enabled & TraceCategory::ENABLED_FOR_FILTERING) {
      ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
../../base/trace_event/trace_log.cc:1262:3: note: Taking false branch
  if (*category_group_enabled & TraceCategory::ENABLED_FOR_FILTERING) {
  ^
../../base/trace_event/trace_log.cc:1282:7: note: Left side of '&&' is true
  if ((*category_group_enabled & TraceCategory::ENABLED_FOR_RECORDING) &&
      ^
../../base/trace_event/trace_log.cc:1282:3: note: Taking true branch
  if ((*category_group_enabled & TraceCategory::ENABLED_FOR_RECORDING) &&
  ^
../../base/trace_event/trace_log.cc:1287:9: note: Assuming 'thread_local_event_buffer' is null
    if (thread_local_event_buffer) {
        ^~~~~~~~~~~~~~~~~~~~~~~~~
../../base/trace_event/trace_log.cc:1287:5: note: Taking false branch
    if (thread_local_event_buffer) {
    ^
../../base/trace_event/trace_log.cc:1291:21: note: Calling 'TraceLog::AddEventToThreadSharedChunkWhileLocked'
      trace_event = AddEventToThreadSharedChunkWhileLocked(&handle, true);
                    ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
../../base/trace_event/trace_log.cc:800:7: note: Left side of '&&' is true
  if (thread_shared_chunk_ && thread_shared_chunk_->IsFull()) {
      ^
../../base/trace_event/trace_log.cc:800:3: note: Taking true branch
  if (thread_shared_chunk_ && thread_shared_chunk_->IsFull()) {
  ^
../../base/trace_event/trace_log.cc:802:33: note: Smart pointer 'thread_shared_chunk_' of type 'std::unique_ptr' is reset to null when moved from
                                std::move(thread_shared_chunk_));
                                ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
../../base/trace_event/trace_log.cc:805:3: note: Taking false branch
  if (!thread_shared_chunk_) {
  ^
../../base/trace_event/trace_log.cc:811:3: note: Taking false branch
  if (!thread_shared_chunk_)
  ^
../../base/trace_event/trace_log.cc:815:29: note: Dereference of null smart pointer 'thread_shared_chunk_' of type 'std::unique_ptr'
  TraceEvent* trace_event = thread_shared_chunk_->AddTraceEvent(&event_index);
                            ^~~~~~~~~~~~~~~~~~~~
1 warning generated.
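The path notes above state that thread_shared_chunk_ is "reset to null when moved from" and then report taking the false branch at `if (!thread_shared_chunk_)`; if the member really is empty after the move, as the note says, that check takes the true branch and the printed path cannot execute, which is worth keeping in mind when triaging this warning. As an added example that is not code from the LLVM issue or from Chromium, the stand-in below keeps the same three-step control flow (hypothetical names Chunk, ChunkPool, Log) so the moved-from state and the guard can be exercised directly.

```cpp
// Added example, not code from the LLVM issue or from Chromium: a minimal
// stand-in for the AddEventToThreadSharedChunkWhileLocked shape in the path
// notes above. Chunk, ChunkPool and Log are hypothetical names.
#include <memory>
#include <utility>
#include <vector>

struct Chunk {
    unsigned used = 0;
    unsigned capacity;
    explicit Chunk(unsigned cap) : capacity(cap) {}
    bool IsFull() const { return used >= capacity; }
    int AddEvent() { return IsFull() ? -1 : static_cast<int>(used++); }
};

// GetChunk() returns null when nothing is left; that is the case the real
// code guards against with its second null check.
struct ChunkPool {
    std::vector<std::unique_ptr<Chunk>> free_chunks;
    int returned = 0;
    std::unique_ptr<Chunk> GetChunk() {
        if (free_chunks.empty()) return nullptr;
        std::unique_ptr<Chunk> c = std::move(free_chunks.back());
        free_chunks.pop_back();
        return c;
    }
    void ReturnChunk(std::unique_ptr<Chunk> c) { ++returned; c.reset(); }
};

struct Log {
    ChunkPool pool;
    std::unique_ptr<Chunk> thread_shared_chunk_;
    // Same three-step shape as the reported function. std::move leaves the
    // unique_ptr member null (the "reset to null when moved from" note), so
    // the check before the dereference is what makes it safe. Returns -1
    // when no chunk is available, otherwise the event slot.
    int AddEvent() {
        if (thread_shared_chunk_ && thread_shared_chunk_->IsFull())
            pool.ReturnChunk(std::move(thread_shared_chunk_));  // member is now null
        if (!thread_shared_chunk_)
            thread_shared_chunk_ = pool.GetChunk();             // may still be null
        if (!thread_shared_chunk_)
            return -1;                                          // guards the deref
        return thread_shared_chunk_->AddEvent();
    }
};

// Drives the path from the notes: a capacity-1 chunk fills on the first call,
// is moved back to the pool on the second, and no replacement exists.
bool run_scenario() {
    Log log;
    log.pool.free_chunks.push_back(std::make_unique<Chunk>(1));
    int first = log.AddEvent();   // 0: slot in the fresh chunk
    int second = log.AddEvent();  // -1: full chunk returned, pool empty
    return first == 0 && second == -1 && !log.thread_shared_chunk_ && log.pool.returned == 1;
}
```

Running `clang --analyze` on this file exercises the same moved-from check without needing the Chromium tree.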
llvmbot commented 7 years ago

LLVM version: clang version 5.0.0 (trunk 296321)
Platform: Linux; target: Linux

llvmbot commented 7 years ago

assigned to @tkremenek