llvm / llvm-project

The LLVM Project is a collection of modular and reusable compiler and toolchain technologies.
http://llvm.org

alpha.cplusplus.IteratorModeling checker hits assertion #44343

Open nicolas17 opened 4 years ago

nicolas17 commented 4 years ago
Bugzilla Link 44998
Version trunk
OS Linux
CC @devincoughlin,@haoNoQ

Extended Description

The alpha.cplusplus.IteratorModeling checker triggers an assertion in the following code:

    struct List {
      struct iterator {
        int c;
        bool operator!=(iterator);
      };

      iterator constEnd();
      void f() {
        iterator i;
        i != constEnd();
      }
    };

$ clang++ -cc1 -analyze -analyzer-checker alpha.cplusplus.IteratorModeling viewmode.cpp

    viewmode.cpp:10:7: warning: inequality comparison result unused
        i != constEnd();
          ^~~
    viewmode.cpp:10:7: note: use '|=' to turn this inequality comparison into an or-assignment
        i != constEnd();
          ^~
          |=
    clang++: ../llvm/tools/clang/lib/StaticAnalyzer/Checkers/IteratorModeling.cpp:565: clang::ento::ProgramStateRef (anonymous namespace)::relateSymbols(clang::ento::ProgramStateRef, clang::ento::SymbolRef, clang::ento::SymbolRef, bool): Assertion `isa<SymIntExpr>(CompSym) && "Symbol comparison must be a `SymIntExpr`"' failed.
    Stack dump:

  1. Program arguments: /home/nicolas/src/llvm/build/llvm/bin/clang++ -cc1 -analyze -analyzer-checker alpha.cplusplus.IteratorModeling viewmode.cpp
  2. parser at end of file
  3. While analyzing stack:

    0 Calling List::f

  4. viewmode.cpp:10:5: Error evaluating statement
  5. viewmode.cpp:10:5: Error evaluating statement

    ​0 0x00007f6359388649 llvm::sys::PrintStackTrace(llvm::raw_ostream&) /home/nicolas/src/llvm/build/../llvm/lib/Support/Unix/Signals.inc:564:11

    ​1 0x00007f63593887f9 PrintStackTraceSignalHandler(void*) /home/nicolas/src/llvm/build/../llvm/lib/Support/Unix/Signals.inc:625:1

    ​2 0x00007f6359386f86 llvm::sys::RunSignalHandlers() /home/nicolas/src/llvm/build/../llvm/lib/Support/Signals.cpp:67:5

    ​3 0x00007f6359388f9b SignalHandler(int) /home/nicolas/src/llvm/build/../llvm/lib/Support/Unix/Signals.inc:406:1

    ​4 0x00007f635881a730 __restore_rt (/lib/x86_64-linux-gnu/libpthread.so.0+0x12730)

    ​5 0x00007f6355ff37bb raise /build/glibc-vjB4T1/glibc-2.28/signal/../sysdeps/unix/sysv/linux/raise.c:51:1

    ​6 0x00007f6355fde535 abort /build/glibc-vjB4T1/glibc-2.28/stdlib/abort.c:81:7

    ​7 0x00007f6355fde40f _nl_load_domain /build/glibc-vjB4T1/glibc-2.28/intl/loadmsgcat.c:1177:9

    ​8 0x00007f6355fec102 (/lib/x86_64-linux-gnu/libc.so.6+0x30102)

    ​9 0x00007f635018088b (anonymous namespace)::relateSymbols(llvm::IntrusiveRefCntPtr, clang::ento::SymExpr const, clang::ento::SymExpr const, bool) /home/nicolas/src/llvm/build/../llvm/tools/clang/lib/StaticAnalyzer/Checkers/IteratorModeling.cpp:566:5

    ​10 0x00007f63501803a9 (anonymous namespace)::IteratorModeling::processComparison(clang::ento::CheckerContext&, llvm::IntrusiveRefCntPtr, clang::ento::SymExpr const, clang::ento::SymExpr const, clang::ento::SVal const&, clang::OverloadedOperatorKind) const /home/nicolas/src/llvm/build/../llvm/tools/clang/lib/StaticAnalyzer/Checkers/IteratorModeling.cpp:385:24

    ​11 0x00007f635017f419 (anonymous namespace)::IteratorModeling::handleComparison(clang::ento::CheckerContext&, clang::Expr const*, clang::ento::SVal, clang::ento::SVal const&, clang::ento::SVal const&, clang::OverloadedOperatorKind) const /home/nicolas/src/llvm/build/../llvm/tools/clang/lib/StaticAnalyzer/Checkers/IteratorModeling.cpp:363:3

    ​12 0x00007f635017e2fc (anonymous namespace)::IteratorModeling::checkPostCall(clang::ento::CallEvent const&, clang::ento::CheckerContext&) const /home/nicolas/src/llvm/build/../llvm/tools/clang/lib/StaticAnalyzer/Checkers/IteratorModeling.cpp:146:9

    ​13 0x00007f635017e180 void clang::ento::check::PostCall::_checkCall<(anonymous namespace)::IteratorModeling>(void*, clang::ento::CallEvent const&, clang::ento::CheckerContext&) /home/nicolas/src/llvm/build/../llvm/tools/clang/include/clang/StaticAnalyzer/Core/Checker.h:184:3

    ​14 0x00007f634f9a1712 clang::ento::CheckerFn<void (clang::ento::CallEvent const&, clang::ento::CheckerContext&)>::operator()(clang::ento::CallEvent const&, clang::ento::CheckerContext&) const /home/nicolas/src/llvm/build/../llvm/tools/clang/include/clang/StaticAnalyzer/Core/CheckerManager.h:69:5

    ​15 0x00007f634f993928 (anonymous namespace)::CheckCallContext::runChecker(clang::ento::CheckerFn<void (clang::ento::CallEvent const&, clang::ento::CheckerContext&)>, clang::ento::NodeBuilder&, clang::ento::ExplodedNode*) /home/nicolas/src/llvm/build/../llvm/tools/clang/lib/StaticAnalyzer/Core/CheckerManager.cpp:291:7

    ​16 0x00007f634f98fe05 void expandGraphWithCheckers<(anonymous namespace)::CheckCallContext>((anonymous namespace)::CheckCallContext, clang::ento::ExplodedNodeSet&, clang::ento::ExplodedNodeSet const&) /home/nicolas/src/llvm/build/../llvm/tools/clang/lib/StaticAnalyzer/Core/CheckerManager.cpp:138:25

    ​17 0x00007f634f98fb5b clang::ento::CheckerManager::runCheckersForCallEvent(bool, clang::ento::ExplodedNodeSet&, clang::ento::ExplodedNodeSet const&, clang::ento::CallEvent const&, clang::ento::ExprEngine&, bool) /home/nicolas/src/llvm/build/../llvm/tools/clang/lib/StaticAnalyzer/Core/CheckerManager.cpp:309:1

    ​18 0x00007f634fa1a1f8 clang::ento::CheckerManager::runCheckersForPostCall(clang::ento::ExplodedNodeSet&, clang::ento::ExplodedNodeSet const&, clang::ento::CallEvent const&, clang::ento::ExprEngine&, bool) /home/nicolas/src/llvm/build/../llvm/tools/clang/include/clang/StaticAnalyzer/Core/CheckerManager.h:283:3

    ​19 0x00007f634fa1df2c clang::ento::ExprEngine::evalCall(clang::ento::ExplodedNodeSet&, clang::ento::ExplodedNode*, clang::ento::CallEvent const&) /home/nicolas/src/llvm/build/../llvm/tools/clang/lib/StaticAnalyzer/Core/ExprEngineCallAndReturn.cpp:606:41

    ​20 0x00007f634fa1dd19 clang::ento::ExprEngine::VisitCallExpr(clang::CallExpr const, clang::ento::ExplodedNode, clang::ento::ExplodedNodeSet&) /home/nicolas/src/llvm/build/../llvm/tools/clang/lib/StaticAnalyzer/Core/ExprEngineCallAndReturn.cpp:513:16

    ​21 0x00007f634f9df934 clang::ento::ExprEngine::Visit(clang::Stmt const, clang::ento::ExplodedNode, clang::ento::ExplodedNodeSet&) /home/nicolas/src/llvm/build/../llvm/tools/clang/lib/StaticAnalyzer/Core/ExprEngine.cpp:1605:7

    ​22 0x00007f634f9dc4ac clang::ento::ExprEngine::ProcessStmt(clang::Stmt const, clang::ento::ExplodedNode) /home/nicolas/src/llvm/build/../llvm/tools/clang/lib/StaticAnalyzer/Core/ExprEngine.cpp:792:9

    ​23 0x00007f634f9dc199 clang::ento::ExprEngine::processCFGElement(clang::CFGElement, clang::ento::ExplodedNode, unsigned int, clang::ento::NodeBuilderContext) /home/nicolas/src/llvm/build/../llvm/tools/clang/lib/StaticAnalyzer/Core/ExprEngine.cpp:637:7

    ​24 0x00007f634f9afdaa clang::ento::CoreEngine::HandlePostStmt(clang::CFGBlock const, unsigned int, clang::ento::ExplodedNode) /home/nicolas/src/llvm/build/../llvm/tools/clang/lib/StaticAnalyzer/Core/CoreEngine.cpp:469:1

    ​25 0x00007f634f9af46c clang::ento::CoreEngine::dispatchWorkItem(clang::ento::ExplodedNode*, clang::ProgramPoint, clang::ento::WorkListUnit const&) /home/nicolas/src/llvm/build/../llvm/tools/clang/lib/StaticAnalyzer/Core/CoreEngine.cpp:195:1

    ​26 0x00007f634f9af01f clang::ento::CoreEngine::ExecuteWorkList(clang::LocationContext const*, unsigned int, llvm::IntrusiveRefCntPtr) /home/nicolas/src/llvm/build/../llvm/tools/clang/lib/StaticAnalyzer/Core/CoreEngine.cpp:129:3

    ​27 0x00007f6350d63564 clang::ento::ExprEngine::ExecuteWorkList(clang::LocationContext const*, unsigned int) /home/nicolas/src/llvm/build/../llvm/tools/clang/include/clang/StaticAnalyzer/Core/PathSensitive/ExprEngine.h:168:5

    ​28 0x00007f6350d0e186 (anonymous namespace)::AnalysisConsumer::RunPathSensitiveChecks(clang::Decl, clang::ento::ExprEngine::InliningModes, llvm::DenseSet<clang::Decl const, llvm::DenseMapInfo<clang::Decl const> >) /home/nicolas/src/llvm/build/../llvm/tools/clang/lib/StaticAnalyzer/Frontend/AnalysisConsumer.cpp:821:7

    ​29 0x00007f6350d0dd14 (anonymous namespace)::AnalysisConsumer::HandleCode(clang::Decl, unsigned int, clang::ento::ExprEngine::InliningModes, llvm::DenseSet<clang::Decl const, llvm::DenseMapInfo<clang::Decl const> >) /home/nicolas/src/llvm/build/../llvm/tools/clang/lib/StaticAnalyzer/Frontend/AnalysisConsumer.cpp:793:15

    ​30 0x00007f6350ca7d7e (anonymous namespace)::AnalysisConsumer::HandleDeclsCallGraph(unsigned int) /home/nicolas/src/llvm/build/../llvm/tools/clang/lib/StaticAnalyzer/Frontend/AnalysisConsumer.cpp:585:31

    ​31 0x00007f6350ca68e2 (anonymous namespace)::AnalysisConsumer::runAnalysisOnTranslationUnit(clang::ASTContext&) /home/nicolas/src/llvm/build/../llvm/tools/clang/lib/StaticAnalyzer/Frontend/AnalysisConsumer.cpp:635:3

    ​32 0x00007f6350ca56a2 (anonymous namespace)::AnalysisConsumer::HandleTranslationUnit(clang::ASTContext&) /home/nicolas/src/llvm/build/../llvm/tools/clang/lib/StaticAnalyzer/Frontend/AnalysisConsumer.cpp:0:5

    ​33 0x00007f635271830e clang::ParseAST(clang::Sema&, bool, bool) /home/nicolas/src/llvm/build/../llvm/tools/clang/lib/Parse/ParseAST.cpp:178:12

    ​34 0x00007f6356d80db2 clang::ASTFrontendAction::ExecuteAction() /home/nicolas/src/llvm/build/../llvm/tools/clang/lib/Frontend/FrontendAction.cpp:1049:1

    ​35 0x00007f6356d80761 clang::FrontendAction::Execute() /home/nicolas/src/llvm/build/../llvm/tools/clang/lib/Frontend/FrontendAction.cpp:944:7

    ​36 0x00007f6356cf515e clang::CompilerInstance::ExecuteAction(clang::FrontendAction&) /home/nicolas/src/llvm/build/../llvm/tools/clang/lib/Frontend/CompilerInstance.cpp:969:23

    ​37 0x00007f6356a7ab4f clang::ExecuteCompilerInvocation(clang::CompilerInstance*) /home/nicolas/src/llvm/build/../llvm/tools/clang/lib/FrontendTool/ExecuteCompilerInvocation.cpp:292:8

    ​38 0x0000000000428838 cc1_main(llvm::ArrayRef<char const>, char const, void*) /home/nicolas/src/llvm/build/../llvm/tools/clang/tools/driver/cc1_main.cpp:240:13

    ​39 0x000000000041c3c6 ExecuteCC1Tool(llvm::SmallVectorImpl<char const*>&) /home/nicolas/src/llvm/build/../llvm/tools/clang/tools/driver/driver.cpp:328:5

    ​40 0x000000000041b61f main /home/nicolas/src/llvm/build/../llvm/tools/clang/tools/driver/driver.cpp:402:5

    ​41 0x00007f6355fe009b __libc_start_main /build/glibc-vjB4T1/glibc-2.28/csu/../csu/libc-start.c:342:3

    ​42 0x000000000041adca _start (/home/nicolas/src/llvm/build/llvm/bin/clang+++0x41adca)

nicolas17 commented 4 years ago

> Did you use -analyzer-config aggressive-binary-operation-simplification=true when invoking clang? Such crashes are typical if this option is not used. All iterator-related checkers depend on this option.

No I didn't. Where is this documented? :)

llvmbot commented 4 years ago

Fix to prevent usage of the checker without the appropriate option enabled: https://reviews.llvm.org/D75171

llvmbot commented 4 years ago

Hello,

Did you use -analyzer-config aggressive-binary-operation-simplification=true when invoking clang? Such crashes are typical if this option is not used. I will create a fix which warns and does not allow the checker to be enabled if this option is not used. All iterator-related checkers depend on this option. Anyway, I tried your code and I did not get assertion with the option, but I got it without.
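The dependency described in this comment can also be enforced on the build side before clang is invoked. The following is an added example, not code from this thread or from the LLVM patch D75171: the function name `check_iterator_flags` is hypothetical, and treating any checker whose name contains `Iterator` as iterator-related is an assumption.

```shell
#!/bin/sh
# Added example: pre-flight check for a clang -cc1 analyzer command line.
# Returns 1 when an iterator-related checker is requested without
# -analyzer-config aggressive-binary-operation-simplification=true.
# Assumption: any checker name containing "Iterator" counts as iterator-related.
check_iterator_flags() {
    needs_opt=0   # an iterator-related checker was requested
    has_opt=0     # last seen value of the required option was "true"
    prev=""
    for arg in "$@"; do
        case "$prev" in
            -analyzer-checker)
                # Separate form; the value may be a comma-separated list.
                case "$arg" in *Iterator*) needs_opt=1 ;; esac ;;
            -analyzer-config)
                # The value is a comma-separated list of key=value pairs;
                # a later setting overrides an earlier one.
                old_ifs=$IFS; IFS=,
                for kv in $arg; do
                    case "$kv" in
                        aggressive-binary-operation-simplification=true)  has_opt=1 ;;
                        aggressive-binary-operation-simplification=false) has_opt=0 ;;
                    esac
                done
                IFS=$old_ifs ;;
        esac
        # Joined form: -analyzer-checker=alpha.cplusplus.IteratorModeling
        case "$arg" in
            -analyzer-checker=*Iterator*) needs_opt=1 ;;
        esac
        prev="$arg"
    done
    if [ "$needs_opt" -eq 1 ] && [ "$has_opt" -eq 0 ]; then
        echo "iterator checker requested without" \
             "aggressive-binary-operation-simplification=true" >&2
        return 1
    fi
    return 0
}

# Usage in a wrapper script (arguments as in the report above):
#   check_iterator_flags "$@" && exec clang++ "$@"
```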

nicolas17 commented 4 years ago

Bisection ended here:

[Analyzer] Split container modeling from iterator modeling https://github.com/llvm/llvm-project/commit/9a08a3fab9993f9b93167de5c783dfed6dd7efc0

haoNoQ commented 4 years ago

+Adam!

Also a regular reminder that alpha checkers are expected to be somewhat crashy and aren't supposed to be actually used until they're finished. Like, think of them as unmerged feature branches, but for historical reasons we use runtime flags for this purpose instead.

nicolas17 commented 4 years ago

git-bisect in progress.