llvm / llvm-project


[analyzer] Crash on structured bindings decomposing multi dimensional user-defined array objects #94526

Open michaelghaben-presto opened 4 months ago

michaelghaben-presto commented 4 months ago

A segfault was encountered while running clang-tidy-18 to build libpqxx. The error requested that a bug report be submitted to this repo. The stack trace is as follows:

```
Error running 'clang-tidy-18': PLEASE submit a bug report to https://github.com/llvm/llvm-project/issues/ and include the crash backtrace.
Stack dump:
0.      Program arguments: clang-tidy-18 --extra-arg-before=--driver-mode=g++ /home/michael/workspace/presto2/build/_deps/libpqxx-src/test/unit/test_range.cxx -- /usr/bin/clang++-18 -I/usr/include/postgresql -I/home/michael/workspace/presto2/build/_deps/libpqxx-build/include -I/home/michael/workspace/presto2/build/_deps/libpqxx-src/include -std=c++20 -MD -MT _deps/libpqxx-build/test/CMakeFiles/runner.dir/unit/test_range.cxx.o -MF CMakeFiles/runner.dir/unit/test_range.cxx.o.d -o CMakeFiles/runner.dir/unit/test_range.cxx.o -c /home/michael/workspace/presto2/build/_deps/libpqxx-src/test/unit/test_range.cxx
1.      <eof> parser at end of file
2.      While analyzing stack: 
        #0 Calling (anonymous namespace)::test_range_intersection()
3.      /home/michael/workspace/presto2/build/_deps/libpqxx-src/test/unit/test_range.cxx:513:37: Error evaluating statement
4.      /home/michael/workspace/presto2/build/_deps/libpqxx-src/test/unit/test_range.cxx:513:37: Error evaluating statement
 #0 0x00007ff336b9f8b6 llvm::sys::PrintStackTrace(llvm::raw_ostream&, int) (/usr/lib/llvm-18/bin/../lib/libLLVM.so.18.1+0xd9f8b6)
 #1 0x00007ff336b9d8e0 llvm::sys::RunSignalHandlers() (/usr/lib/llvm-18/bin/../lib/libLLVM.so.18.1+0xd9d8e0)
 #2 0x00007ff336b9ff7b (/usr/lib/llvm-18/bin/../lib/libLLVM.so.18.1+0xd9ff7b)
 #3 0x00007ff335c5b050 (/lib/x86_64-linux-gnu/libc.so.6+0x3c050)
 #4 0x00007ff3402b3de2 clang::ento::MemRegionManager::getVarRegion(clang::VarDecl const*, clang::LocationContext const*) (/usr/lib/llvm-18/bin/../lib/libclang-cpp.so.18.1+0x2cb3de2)
 #5 0x00007ff3402e545a (/usr/lib/llvm-18/bin/../lib/libclang-cpp.so.18.1+0x2ce545a)
 #6 0x00007ff340294859 clang::ento::ExprEngine::handleConstructor(clang::Expr const*, clang::ento::ExplodedNode*, clang::ento::ExplodedNodeSet&) (/usr/lib/llvm-18/bin/../lib/libclang-cpp.so.18.1+0x2c94859)
 #7 0x00007ff340277f8e clang::ento::ExprEngine::Visit(clang::Stmt const*, clang::ento::ExplodedNode*, clang::ento::ExplodedNodeSet&) (/usr/lib/llvm-18/bin/../lib/libclang-cpp.so.18.1+0x2c77f8e)
 #8 0x00007ff340275863 clang::ento::ExprEngine::ProcessStmt(clang::Stmt const*, clang::ento::ExplodedNode*) (/usr/lib/llvm-18/bin/../lib/libclang-cpp.so.18.1+0x2c75863)
 #9 0x00007ff34027558f clang::ento::ExprEngine::processCFGElement(clang::CFGElement, clang::ento::ExplodedNode*, unsigned int, clang::ento::NodeBuilderContext*) (/usr/lib/llvm-18/bin/../lib/libclang-cpp.so.18.1+0x2c7558f)
#10 0x00007ff34025c617 clang::ento::CoreEngine::dispatchWorkItem(clang::ento::ExplodedNode*, clang::ProgramPoint, clang::ento::WorkListUnit const&) (/usr/lib/llvm-18/bin/../lib/libclang-cpp.so.18.1+0x2c5c617)
#11 0x00007ff34025c181 clang::ento::CoreEngine::ExecuteWorkList(clang::LocationContext const*, unsigned int, llvm::IntrusiveRefCntPtr<clang::ento::ProgramState const>) (/usr/lib/llvm-18/bin/../lib/libclang-cpp.so.18.1+0x2c5c181)
#12 0x00007ff34067e355 (/usr/lib/llvm-18/bin/../lib/libclang-cpp.so.18.1+0x307e355)
#13 0x00007ff34065e3b4 (/usr/lib/llvm-18/bin/../lib/libclang-cpp.so.18.1+0x305e3b4)
#14 0x00007ff33fff030c clang::MultiplexConsumer::HandleTranslationUnit(clang::ASTContext&) (/usr/lib/llvm-18/bin/../lib/libclang-cpp.so.18.1+0x29f030c)
#15 0x00007ff33e183636 clang::ParseAST(clang::Sema&, bool, bool) (/usr/lib/llvm-18/bin/../lib/libclang-cpp.so.18.1+0xb83636)
#16 0x00007ff33ffb42f5 clang::FrontendAction::Execute() (/usr/lib/llvm-18/bin/../lib/libclang-cpp.so.18.1+0x29b42f5)
#17 0x00007ff33ff2b044 clang::CompilerInstance::ExecuteAction(clang::FrontendAction&) (/usr/lib/llvm-18/bin/../lib/libclang-cpp.so.18.1+0x292b044)
#18 0x00007ff3401a3561 clang::tooling::FrontendActionFactory::runInvocation(std::shared_ptr<clang::CompilerInvocation>, clang::FileManager*, std::shared_ptr<clang::PCHContainerOperations>, clang::DiagnosticConsumer*) (/usr/lib/llvm-18/bin/../lib/libclang-cpp.so.18.1+0x2ba3561)
#19 0x0000556b1f820301 (/usr/lib/llvm-18/bin/clang-tidy+0x1363301)
#20 0x00007ff3401a32df clang::tooling::ToolInvocation::runInvocation(char const*, clang::driver::Compilation*, std::shared_ptr<clang::CompilerInvocation>, std::shared_ptr<clang::PCHContainerOperations>) (/usr/lib/llvm-18/bin/../lib/libclang-cpp.so.18.1+0x2ba32df)
#21 0x00007ff3401a2174 clang::tooling::ToolInvocation::run() (/usr/lib/llvm-18/bin/../lib/libclang-cpp.so.18.1+0x2ba2174)
#22 0x00007ff3401a51a5 clang::tooling::ClangTool::run(clang::tooling::ToolAction*) (/usr/lib/llvm-18/bin/../lib/libclang-cpp.so.18.1+0x2ba51a5)
#23 0x0000556b1f81c497 clang::tidy::runClangTidy(clang::tidy::ClangTidyContext&, clang::tooling::CompilationDatabase const&, llvm::ArrayRef<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char>>>, llvm::IntrusiveRefCntPtr<llvm::vfs::OverlayFileSystem>, bool, bool, llvm::StringRef) (/usr/lib/llvm-18/bin/clang-tidy+0x135f497)
#24 0x0000556b1ebb8eaf clang::tidy::clangTidyMain(int, char const**) (/usr/lib/llvm-18/bin/clang-tidy+0x6fbeaf)
#25 0x00007ff335c4624a __libc_start_call_main ./csu/../sysdeps/nptl/libc_start_call_main.h:74:3
#26 0x00007ff335c46305 call_init ./csu/../csu/libc-start.c:128:20
#27 0x00007ff335c46305 __libc_start_main ./csu/../csu/libc-start.c:347:5
#28 0x0000556b1ebb4271 _start (/usr/lib/llvm-18/bin/clang-tidy+0x6f7271)
Segmentation fault
```

llvmbot commented 4 months ago

@llvm/issue-subscribers-clang-static-analyzer

Author: None (michaelghaben-presto)

steakhal commented 3 months ago

Thanks for the report.

Reduces into this:

```cpp
class a {};
a obj[1][2];

void top() {
  for (auto [a, b] : obj) {
    // empty
  }
}
```

Crashes inside `ExprEngineCXX:bindRequiredArrayElementToEnvironment()`, by hitting the llvm unreachable with message: `ArrayInitLoopExpr contains unexpected source expression`.

We hit that because OVESrc is this:

```
UnaryOperator 'a[2]' lvalue prefix '*' cannot overflow
`-ImplicitCastExpr 'a (*)[2]' <LValueToRValue>
  `-DeclRefExpr 'a (*)[2]' lvalue Var '__begin1' 'a (*)[2]'
```

Which is neither a MemberExpr nor a DeclRefExpr.
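As an added illustration (not code from the issue or from LLVM), the three shapes the source expression of the array-copying `ArrayInitLoopExpr` takes when a structured binding decomposes an array: the two the analyzer handles (a `MemberExpr` and a `DeclRefExpr`) beside the range-for shape from the reduced test case, where the source is the dereference `*__begin1`. The `Elem`, `Holder` and `sum_*` names are constructed for the example; the code itself is plain C++17 and compiles and runs without the analyzer.

```cpp
// Added example, not from the issue or LLVM. Requires C++17 (structured
// bindings). Each function copies an array into a structured binding, which
// the frontend models as an ArrayInitLoopExpr; the comment on each line names
// the AST node that appears as that expression's source.
struct Elem { int v; };

struct Holder {
    Elem arr[2];
};

// Case 1: decomposing a member array. The source expression is the
// MemberExpr 'h.arr' (a shape the analyzer expects).
int sum_member(const Holder& h) {
    auto [x, y] = h.arr;          // ArrayInitLoopExpr, source: MemberExpr
    return x.v + y.v;
}

// Case 2: decomposing a named array variable. The source expression is the
// DeclRefExpr 'arr' (the other shape the analyzer expects).
int sum_declref(const Elem (&arr)[2]) {
    auto [x, y] = arr;            // ArrayInitLoopExpr, source: DeclRefExpr
    return x.v + y.v;
}

// Case 3: the shape from the report. Iterating a 2-D array in a range-for
// yields rows of type Elem[2]; the loop variable is rewritten by the compiler
// as 'auto [x, y] = *__begin1', so the source is a UnaryOperator (prefix '*')
// over the hidden iterator, which is neither a MemberExpr nor a DeclRefExpr.
int sum_rows(const Elem (&rows)[2][2]) {
    int total = 0;
    for (auto [x, y] : rows) {    // ArrayInitLoopExpr, source: UnaryOperator
        total += x.v + y.v;
    }
    return total;
}
```

The three shapes can be confirmed with `clang -fsyntax-only -Xclang -ast-dump` on this file; only the third triggers the unreachable described above when the file is run through the clang-18 static analyzer.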