llvm / llvm-project

The LLVM Project is a collection of modular and reusable compiler and toolchain technologies.
http://llvm.org

LLVM fails when analysing vector #59154

Closed VenoVeno closed 1 year ago

VenoVeno commented 1 year ago

LLVM fails when analysing vector.

0.  Program arguments: ${LLVM_INSTALLED_DIRECTORY}/build/bin/clang --analyze -Qunused-arguments -Xclang -analyzer-opt-analyze-headers -Xclang -analyzer-output=plist-multi-file -o ${TEST_DIRECTORY}/CWE789_Uncontrolled_Mem_Alloc__malloc_char_fgets_72a.cpp_clangsa_eeb399e2229c17947660f5af5e0b6a2a.plist -Xclang -analyzer-config -Xclang expand-macros=true -Xclang -analyzer-config -Xclang alpha.security.taint.TaintPropagation:Config=${TEST_DIRECTORY}/Custom-Taint-Config.yaml -Xclang -analyzer-config -Xclang cfg-conditional-static-initializers=true -Xclang -analyzer-config -Xclang cfg-loopexit=true -Xclang -analyzer-config -Xclang expand-macros=true -Xclang -analyzer-config -Xclang unroll-loops=true -Xclang -analyzer-config -Xclang widen-loops=true -Xclang -analyzer-config -Xclang nullability:NoDiagnoseCallsToSystemHeaders=true -Xclang -analyzer-checker=alpha.security.cert.env.InvalidPtr,alpha.security.cert.pos.34c,alpha.security.taint.TaintPropagation,core.CallAndMessage,core.DivideZero,core.NonNullParamChecker,core.NullDereference,core.StackAddressEscape,core.UndefinedBinaryOperatorResult,core.VLASize,core.uninitialized.ArraySubscript,core.uninitialized.Assign,core.uninitialized.Branch,core.uninitialized.CapturedBlockVariable,core.uninitialized.UndefReturn,cplusplus.InnerPointer,cplusplus.Move,cplusplus.NewDelete,cplusplus.NewDeleteLeaks,cplusplus.PlacementNew,cplusplus.PureVirtualCall,cplusplus.StringChecker,deadcode.DeadStores,nullability.NullPassedToNonnull,nullability.NullReturnedFromNonnull,optin.cplusplus.UninitializedObject,optin.cplusplus.VirtualCall,optin.portability.UnixAPI,security.FloatLoopCounter,security.insecureAPI.UncheckedReturn,security.insecureAPI.getpw,security.insecureAPI.gets,security.insecureAPI.mkstemp,security.insecureAPI.mktemp,security.insecureAPI.rand,security.insecureAPI.vfork,unix.API,unix.Malloc,unix.MallocSizeof,unix.MismatchedDeallocator,unix.Vfork,unix.cstring.BadSizeArg,unix.cstring.NullArg,valist.CopyToSelf,valist.Uninitialized,valist.Unterminated -Xclang -analyzer-config -Xclang aggressive-binary-operation-simplification=true -Xclang -analyzer-constraints=z3 -Xclang -analyzer-config -Xclang experimental-enable-naive-ctu-analysis=true -Xclang -analyzer-config -Xclang ctu-dir=${TEST_DIRECTORY}/ctu-dir/x86_64 -Xclang -analyzer-config -Xclang display-ctu-progress=true -x c++ --target=x86_64-linux-gnu -std=gnu++14 -I ${TEST_DIRECTORY}/testcasesupport -isystem /usr/include/c++/9 -isystem /usr/include/x86_64-linux-gnu/c++/9 -isystem /usr/include/c++/9/backward -isystem /usr/local/include -isystem /usr/include/x86_64-linux-gnu -isystem /usr/include ${TEST_DIRECTORY}/CWE789_Uncontrolled_Mem_Alloc__malloc_char_fgets_72a.cpp
1.  <eof> parser at end of file
2.  While analyzing stack: 
    #0 Calling std::__fill_bvector(_Bit_type *, unsigned int, unsigned int, _Bool) at line /usr/include/c++/9/bits/stl_bvector.h:426:7
    #1 Calling std::fill(_Bit_iterator, _Bit_iterator, const _Bool &)
3.  /usr/include/c++/9/bits/stl_bvector.h:407:7: Error evaluating statement
4.  /usr/include/c++/9/bits/stl_bvector.h:407:7: Error evaluating statement
 #0 0x0000563872986514 PrintStackTraceSignalHandler(void*) Signals.cpp:0:0
 #1 0x000056387298435c llvm::sys::CleanupOnSignal(unsigned long) (${LLVM_INSTALLED_DIRECTORY}/build/bin/clang+0x3a3835c)
 #2 0x00005638728c5f58 CrashRecoverySignalHandler(int) CrashRecoveryContext.cpp:0:0
 #3 0x00007fc7dd319420 __restore_rt (/lib/x86_64-linux-gnu/libpthread.so.0+0x14420)
 #4 0x0000563874a18acc clang::ento::SMTConstraintManager::getSymVal(llvm::IntrusiveRefCntPtr<clang::ento::ProgramState const>, clang::ento::SymExpr const*) const (${LLVM_INSTALLED_DIRECTORY}/build/bin/clang+0x5accacc)
 #5 0x0000563874a19188 clang::ento::SMTConstraintManager::getSymVal(llvm::IntrusiveRefCntPtr<clang::ento::ProgramState const>, clang::ento::SymExpr const*) const (${LLVM_INSTALLED_DIRECTORY}/build/bin/clang+0x5acd188)
 #6 0x0000563874a19188 clang::ento::SMTConstraintManager::getSymVal(llvm::IntrusiveRefCntPtr<clang::ento::ProgramState const>, clang::ento::SymExpr const*) const (${LLVM_INSTALLED_DIRECTORY}/build/bin/clang+0x5acd188)
 #7 0x0000563874a19188 clang::ento::SMTConstraintManager::getSymVal(llvm::IntrusiveRefCntPtr<clang::ento::ProgramState const>, clang::ento::SymExpr const*) const (${LLVM_INSTALLED_DIRECTORY}/build/bin/clang+0x5acd188)
 #8 0x0000563874a0db2d (anonymous namespace)::SimpleSValBuilder::getConstValue(llvm::IntrusiveRefCntPtr<clang::ento::ProgramState const>, clang::ento::SVal) (.isra.0) SimpleSValBuilder.cpp:0:0
 #9 0x0000563874a153d1 (anonymous namespace)::SimpleSValBuilder::evalBinOpNN(llvm::IntrusiveRefCntPtr<clang::ento::ProgramState const>, clang::BinaryOperatorKind, clang::ento::NonLoc, clang::ento::NonLoc, clang::QualType) SimpleSValBuilder.cpp:0:0
#10 0x0000563874a29685 clang::ento::SValBuilder::evalBinOp(llvm::IntrusiveRefCntPtr<clang::ento::ProgramState const>, clang::BinaryOperatorKind, clang::ento::SVal, clang::ento::SVal, clang::QualType) (${LLVM_INSTALLED_DIRECTORY}/build/bin/clang+0x5add685)
#11 0x0000563874958c7d clang::ento::ExprEngine::VisitBinaryOperator(clang::BinaryOperator const*, clang::ento::ExplodedNode*, clang::ento::ExplodedNodeSet&) (${LLVM_INSTALLED_DIRECTORY}/build/bin/clang+0x5a0cc7d)
#12 0x00005638749399fb clang::ento::ExprEngine::Visit(clang::Stmt const*, clang::ento::ExplodedNode*, clang::ento::ExplodedNodeSet&) (${LLVM_INSTALLED_DIRECTORY}/build/bin/clang+0x59ed9fb)
#13 0x000056387493b23e clang::ento::ExprEngine::ProcessStmt(clang::Stmt const*, clang::ento::ExplodedNode*) (${LLVM_INSTALLED_DIRECTORY}/build/bin/clang+0x59ef23e)
#14 0x0000563874949222 clang::ento::ExprEngine::processCFGElement(clang::CFGElement, clang::ento::ExplodedNode*, unsigned int, clang::ento::NodeBuilderContext*) (${LLVM_INSTALLED_DIRECTORY}/build/bin/clang+0x59fd222)
#15 0x00005638748f2627 clang::ento::CoreEngine::dispatchWorkItem(clang::ento::ExplodedNode*, clang::ProgramPoint, clang::ento::WorkListUnit const&) (${LLVM_INSTALLED_DIRECTORY}/build/bin/clang+0x59a6627)
#16 0x00005638748f2825 clang::ento::CoreEngine::ExecuteWorkList(clang::LocationContext const*, unsigned int, llvm::IntrusiveRefCntPtr<clang::ento::ProgramState const>) (${LLVM_INSTALLED_DIRECTORY}/build/bin/clang+0x59a6825)
#17 0x000056387436095a (anonymous namespace)::AnalysisConsumer::HandleCode(clang::Decl*, unsigned int, clang::ento::ExprEngine::InliningModes, llvm::DenseSet<clang::Decl const*, llvm::DenseMapInfo<clang::Decl const*, void>>*) AnalysisConsumer.cpp:0:0
#18 0x000056387438693c (anonymous namespace)::AnalysisConsumer::HandleTranslationUnit(clang::ASTContext&) AnalysisConsumer.cpp:0:0
#19 0x0000563874a78e15 clang::ParseAST(clang::Sema&, bool, bool) (${LLVM_INSTALLED_DIRECTORY}/build/bin/clang+0x5b2ce15)
#20 0x000056387350f1d1 clang::FrontendAction::Execute() (${LLVM_INSTALLED_DIRECTORY}/build/bin/clang+0x45c31d1)
#21 0x00005638734940a3 clang::CompilerInstance::ExecuteAction(clang::FrontendAction&) (${LLVM_INSTALLED_DIRECTORY}/build/bin/clang+0x45480a3)
#22 0x00005638735f2abb clang::ExecuteCompilerInvocation(clang::CompilerInstance*) (${LLVM_INSTALLED_DIRECTORY}/build/bin/clang+0x46a6abb)
#23 0x000056387019d54c cc1_main(llvm::ArrayRef<char const*>, char const*, void*) (${LLVM_INSTALLED_DIRECTORY}/build/bin/clang+0x125154c)
#24 0x000056387019890c ExecuteCC1Tool(llvm::SmallVectorImpl<char const*>&) driver.cpp:0:0
#25 0x00005638732fbe19 void llvm::function_ref<void ()>::callback_fn<clang::driver::CC1Command::Execute(llvm::ArrayRef<llvm::Optional<llvm::StringRef>>, std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char>>*, bool*) const::'lambda'()>(long) Job.cpp:0:0
#26 0x00005638728c66c7 llvm::CrashRecoveryContext::RunSafely(llvm::function_ref<void ()>) (${LLVM_INSTALLED_DIRECTORY}/build/bin/clang+0x397a6c7)
#27 0x00005638732fc04c clang::driver::CC1Command::Execute(llvm::ArrayRef<llvm::Optional<llvm::StringRef>>, std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char>>*, bool*) const (.part.0) Job.cpp:0:0
#28 0x00005638732c6569 clang::driver::Compilation::ExecuteCommand(clang::driver::Command const&, clang::driver::Command const*&, bool) const (${LLVM_INSTALLED_DIRECTORY}/build/bin/clang+0x437a569)
#29 0x00005638732c6f5d clang::driver::Compilation::ExecuteJobs(clang::driver::JobList const&, llvm::SmallVectorImpl<std::pair<int, clang::driver::Command const*>>&, bool) const (${LLVM_INSTALLED_DIRECTORY}/build/bin/clang+0x437af5d)
#30 0x00005638732d14dc clang::driver::Driver::ExecuteCompilation(clang::driver::Compilation&, llvm::SmallVectorImpl<std::pair<int, clang::driver::Command const*>>&) (${LLVM_INSTALLED_DIRECTORY}/build/bin/clang+0x43854dc)
#31 0x000056387019b3af clang_main(int, char**) (${LLVM_INSTALLED_DIRECTORY}/build/bin/clang+0x124f3af)
#32 0x00007fc7db380083 __libc_start_main /build/glibc-SzIz7B/glibc-2.31/csu/../csu/libc-start.c:342:3
#33 0x000056387019558e _start (${LLVM_INSTALLED_DIRECTORY}/build/bin/clang+0x124958e)
clang-16: error: clang frontend command failed with exit code 139 (use -v to see invocation)
clang version 16.0.0 (https://github.com/llvm/llvm-project.git 4db687155bc12f31b5ed122ba1086c5f04838a24)
Target: x86_64-unknown-linux-gnu
Thread model: posix
InstalledDir: ${LLVM_INSTALLED_DIRECTORY}/build/bin
clang-16: note: diagnostic msg:

Clang version: 16.0.0
Ubuntu version: 20.04.5 LTS
CWE789_Uncontrolled_Mem_Alloc__malloc_char_fgets_72a-df9157.cpp.pdf
CWE789_Uncontrolled_Mem_Alloc__malloc_char_fgets_72a-df9157.sh.pdf

llvmbot commented 1 year ago

@llvm/issue-subscribers-clang-static-analyzer

steakhal commented 1 year ago

Please upload the cpp file as a text file. Basically, I want to pass it to clang, so it should accept it. The arguments show that it's for a CTU analysis, so it could refer to other translation units, which are not dumped here. There is also a custom taint yaml, which is also not included. The issue most likely could be reproduced without the custom taint config and CTU, so I'd recommend you try that.

That being said, you also use the z3 solver, which is an experimental flag, hence not advertised. We likely won't prioritize fixing this.
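
The reduction suggested above (drop the CTU, custom taint-config and z3 options and re-run) can be mechanised. The POSIX sh function below is an added example, not code from the issue or from the LLVM project: it takes a full `clang --analyze` argument list like the one in the crash report and prints it with the `-Xclang -analyzer-constraints=z3` pair and the `-Xclang -analyzer-config -Xclang key=value` groups for `ctu-dir`, `experimental-enable-naive-ctu-analysis`, `display-ctu-progress` and `alpha.security.taint.TaintPropagation:Config` removed, one argument per line. The sample invocation at the bottom is constructed for illustration; the file name `t.cpp` and the `ctu-dir` path are placeholders.

```shell
#!/bin/sh
# Added example: strip the experimental / cross-TU / custom-taint options from a
# clang --analyze command line so a crash can be bisected against the plain
# analyzer first. Arguments are read from the positional parameters and echoed
# one per line so that values containing spaces survive.

reduce_analyzer_args() {
    while [ $# -gt 0 ]; do
        case "$1" in
            -Xclang)
                case "$2" in
                    # "-Xclang -analyzer-constraints=z3": the solver backend is
                    # experimental; drop the pair.
                    -analyzer-constraints=z3)
                        shift 2
                        continue
                        ;;
                    # "-Xclang -analyzer-config -Xclang key=value": drop the
                    # whole group when the key belongs to CTU or the taint config.
                    -analyzer-config)
                        case "$4" in
                            ctu-dir=*|experimental-enable-naive-ctu-analysis=*|display-ctu-progress=*|alpha.security.taint.TaintPropagation:Config=*)
                                shift 4
                                continue
                                ;;
                        esac
                        ;;
                esac
                ;;
        esac
        # Anything else is kept verbatim.
        printf '%s\n' "$1"
        shift
    done
}

# Constructed sample invocation (placeholders, not the reporter's real paths):
# prints the reduced argument list, which can be fed back to clang with xargs.
reduce_analyzer_args clang --analyze \
    -Xclang -analyzer-constraints=z3 \
    -Xclang -analyzer-config -Xclang ctu-dir=/tmp/ctu-dir/x86_64 \
    -Xclang -analyzer-config -Xclang cfg-loopexit=true \
    -x c++ t.cpp
```

The output is one argument per line; on a system with GNU xargs it can be replayed with `reduce_analyzer_args ... | xargs -d '\n' env` so that the analyzer runs without the experimental options. If the crash disappears at that point, the z3 or CTU path is implicated, which is what the reporter confirmed.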

VenoVeno commented 1 year ago

Thanks, removing the z3 solver clears the issue.