steakhal added a comment.
Herald added a subscriber: danielkiss.

This patch introduced a crash while I was analyzing libpressio 
<https://github.com/robertu94/libpressio>.
I was using the `CodeChecker` to drive the analysis with the `--enable-all` 
flag.

The exact command was the following:

  /home/username/git/llvm-project/build/debug/bin/clang-11 --analyze 
-Qunused-arguments -Xclang -analyzer-opt-analyze-headers -Xclang 
-analyzer-output=plist-multi-file -o 
/home/username/git/libpressio/build/results/pressio_options.cc_clangsa_0316a939d2e5f7ba700a67a7cc467d92.plist
 -Xclang -analyzer-config -Xclang expand-macros=true -Xclang 
-analyzer-checker=apiModeling.StdCLibraryFunctions -Xclang 
-analyzer-checker=apiModeling.TrustNonnull -Xclang 
-analyzer-checker=apiModeling.google.GTest -Xclang 
-analyzer-checker=apiModeling.llvm.CastValue -Xclang 
-analyzer-checker=apiModeling.llvm.ReturnValue -Xclang 
-analyzer-checker=core.CallAndMessage -Xclang -analyzer-checker=core.DivideZero 
-Xclang -analyzer-checker=core.DynamicTypePropagation -Xclang 
-analyzer-checker=core.NonNullParamChecker -Xclang 
-analyzer-checker=core.NonnilStringConstants -Xclang 
-analyzer-checker=core.NullDereference -Xclang 
-analyzer-checker=core.StackAddrEscapeBase -Xclang 
-analyzer-checker=core.StackAddressEscape -Xclang 
-analyzer-checker=core.UndefinedBinaryOperatorResult -Xclang 
-analyzer-checker=core.VLASize -Xclang 
-analyzer-checker=core.builtin.BuiltinFunctions -Xclang 
-analyzer-checker=core.builtin.NoReturnFunctions -Xclang 
-analyzer-checker=core.uninitialized.ArraySubscript -Xclang 
-analyzer-checker=core.uninitialized.Assign -Xclang 
-analyzer-checker=core.uninitialized.Branch -Xclang 
-analyzer-checker=core.uninitialized.CapturedBlockVariable -Xclang 
-analyzer-checker=core.uninitialized.UndefReturn -Xclang 
-analyzer-checker=cplusplus.InnerPointer -Xclang 
-analyzer-checker=cplusplus.Move -Xclang -analyzer-checker=cplusplus.NewDelete 
-Xclang -analyzer-checker=cplusplus.NewDeleteLeaks -Xclang 
-analyzer-checker=cplusplus.PlacementNew -Xclang 
-analyzer-checker=cplusplus.PureVirtualCall -Xclang 
-analyzer-checker=cplusplus.SelfAssignment -Xclang 
-analyzer-checker=cplusplus.SmartPtr -Xclang 
-analyzer-checker=cplusplus.VirtualCallModeling -Xclang 
-analyzer-checker=deadcode.DeadStores -Xclang 
-analyzer-checker=fuchsia.HandleChecker -Xclang 
-analyzer-checker=nullability.NullPassedToNonnull -Xclang 
-analyzer-checker=nullability.NullReturnedFromNonnull -Xclang 
-analyzer-checker=nullability.NullabilityBase -Xclang 
-analyzer-checker=nullability.NullableDereferenced -Xclang 
-analyzer-checker=nullability.NullablePassedToNonnull -Xclang 
-analyzer-checker=nullability.NullableReturnedFromNonnull -Xclang 
-analyzer-checker=optin.cplusplus.UninitializedObject -Xclang 
-analyzer-checker=optin.cplusplus.VirtualCall -Xclang 
-analyzer-checker=optin.mpi.MPI-Checker -Xclang 
-analyzer-checker=optin.osx.OSObjectCStyleCast -Xclang 
-analyzer-checker=optin.osx.cocoa.localizability.EmptyLocalizationContextChecker
 -Xclang 
-analyzer-checker=optin.osx.cocoa.localizability.NonLocalizedStringChecker 
-Xclang -analyzer-checker=optin.performance.GCDAntipattern -Xclang 
-analyzer-checker=optin.performance.Padding -Xclang 
-analyzer-checker=optin.portability.UnixAPI -Xclang 
-analyzer-checker=security.FloatLoopCounter -Xclang 
-analyzer-checker=security.insecureAPI.DeprecatedOrUnsafeBufferHandling -Xclang 
-analyzer-checker=security.insecureAPI.SecuritySyntaxChecker -Xclang 
-analyzer-checker=security.insecureAPI.UncheckedReturn -Xclang 
-analyzer-checker=security.insecureAPI.bcmp -Xclang 
-analyzer-checker=security.insecureAPI.bcopy -Xclang 
-analyzer-checker=security.insecureAPI.bzero -Xclang 
-analyzer-checker=security.insecureAPI.decodeValueOfObjCType -Xclang 
-analyzer-checker=security.insecureAPI.getpw -Xclang 
-analyzer-checker=security.insecureAPI.gets -Xclang 
-analyzer-checker=security.insecureAPI.mkstemp -Xclang 
-analyzer-checker=security.insecureAPI.mktemp -Xclang 
-analyzer-checker=security.insecureAPI.rand -Xclang 
-analyzer-checker=security.insecureAPI.strcpy -Xclang 
-analyzer-checker=security.insecureAPI.vfork -Xclang -analyzer-checker=unix.API 
-Xclang -analyzer-checker=unix.DynamicMemoryModeling -Xclang 
-analyzer-checker=unix.Malloc -Xclang -analyzer-checker=unix.MallocSizeof 
-Xclang -analyzer-checker=unix.MismatchedDeallocator -Xclang 
-analyzer-checker=unix.Vfork -Xclang -analyzer-checker=unix.cstring.BadSizeArg 
-Xclang -analyzer-checker=unix.cstring.CStringModeling -Xclang 
-analyzer-checker=unix.cstring.NullArg -Xclang 
-analyzer-checker=valist.CopyToSelf -Xclang 
-analyzer-checker=valist.Uninitialized -Xclang 
-analyzer-checker=valist.Unterminated -Xclang 
-analyzer-checker=valist.ValistBase -Xclang -analyzer-config -Xclang 
aggressive-binary-operation-simplification=true -Xclang -analyzer-config 
-Xclang crosscheck-with-z3=true -x c++ --target=x86_64-linux-gnu -std=gnu++14 
-Dlibpressio_EXPORTS -I/home/username/git/libpressio/include 
-I/home/username/git/libpressio/build/include -O3 -fPIC -std=gnu++17 -isystem 
/usr/include/c++/9 -isystem /usr/include/x86_64-linux-gnu/c++/9 -isystem 
/usr/include/c++/9/backward -isystem /usr/local/include -isystem 
/usr/include/x86_64-linux-gnu -isystem /usr/include 
/home/username/git/libpressio/src/pressio_options.cc

The top 25 frames of the call stack in GDB were:

  #0  __GI_raise (sig=sig@entry=6) at ../sysdeps/unix/sysv/linux/raise.c:51
  #1  0x00007fffeeb9e801 in __GI_abort () at abort.c:79
  #2  0x00007fffeeb8e39a in __assert_fail_base (fmt=0x7fffeed157d8 "%s%s%s:%u: 
%s%sAssertion `%s' failed.\n%n", assertion=assertion@entry=0x7fffe4662d48 "Val 
&& \"isa<> used on a null pointer\"", 
      file=file@entry=0x7fffe465d910 
"../../llvm/include/llvm/Support/Casting.h", line=line@entry=104, 
      function=function@entry=0x7fffe4663d90 "static bool llvm::isa_impl_cl<To, 
const From*>::doit(const From*) [with To = clang::CXXInheritedCtorInitExpr; 
From = clang::Stmt]") at assert.c:92
  #3  0x00007fffeeb8e412 in __GI___assert_fail (assertion=0x7fffe4662d48 "Val 
&& \"isa<> used on a null pointer\"", file=0x7fffe465d910 
"../../llvm/include/llvm/Support/Casting.h", line=104, 
      function=0x7fffe4663d90 "static bool llvm::isa_impl_cl<To, const 
From*>::doit(const From*) [with To = clang::CXXInheritedCtorInitExpr; From = 
clang::Stmt]") at assert.c:101
  #4  0x00007fffe493cc5b in llvm::isa_impl_cl<clang::CXXInheritedCtorInitExpr, 
clang::Stmt const*>::doit (Val=0x0) at 
../../llvm/include/llvm/Support/Casting.h:104
  #5  0x00007fffe493b450 in 
llvm::isa_impl_wrap<clang::CXXInheritedCtorInitExpr, clang::Stmt const*, 
clang::Stmt const*>::doit (Val=@0x7fffffff7bd0: 0x0) at 
../../llvm/include/llvm/Support/Casting.h:131
  #6  0x00007fffe4938d89 in 
llvm::isa_impl_wrap<clang::CXXInheritedCtorInitExpr, clang::Stmt const* const, 
clang::Stmt const*>::doit (Val=@0x7fffffff7c28: 0x0)
      at ../../llvm/include/llvm/Support/Casting.h:122
  #7  0x00007fffe4935e6a in llvm::isa<clang::CXXInheritedCtorInitExpr, 
clang::Stmt const*> (Val=@0x7fffffff7c28: 0x0) at 
../../llvm/include/llvm/Support/Casting.h:142
  #8  0x00007fffe492c2f1 in 
clang::ento::CXXInheritedConstructorCall::getInheritingStackFrame 
(this=0x55555755dbe8) at ../../clang/lib/StaticAnalyzer/Core/CallEvent.cpp:924
  #9  0x00007fffe4932d70 in 
clang::ento::CXXInheritedConstructorCall::getInheritingConstructor 
(this=0x55555755dbe8) at 
../../clang/include/clang/StaticAnalyzer/Core/PathSensitive/CallEvent.h:932
  #10 0x00007fffe4932d9a in 
clang::ento::CXXInheritedConstructorCall::getNumArgs (this=0x55555755dbe8) at 
../../clang/include/clang/StaticAnalyzer/Core/PathSensitive/CallEvent.h:936
  #11 0x00007fffe52e06b8 in (anonymous 
namespace)::CallAndMessageChecker::checkPreCall (this=0x555555684e50, Call=..., 
C=...) at ../../clang/lib/StaticAnalyzer/Checkers/CallAndMessageChecker.cpp:404
  #12 0x00007fffe52e21c8 in clang::ento::check::PreCall::_checkCall<(anonymous 
namespace)::CallAndMessageChecker> (checker=0x555555684e50, msg=..., C=...)
      at ../../clang/include/clang/StaticAnalyzer/Core/Checker.h:168
  #13 0x00007fffe494f0da in clang::ento::CheckerFn<void (clang::ento::CallEvent 
const&, clang::ento::CheckerContext&)>::operator()(clang::ento::CallEvent 
const&, clang::ento::CheckerContext&) const (
      this=0x7fffffff8020, ps#0=..., ps#1=...) at 
../../clang/include/clang/StaticAnalyzer/Core/CheckerManager.h:69
  #14 0x00007fffe4946b30 in (anonymous namespace)::CheckCallContext::runChecker 
(this=0x7fffffff8260, checkFn=..., Bldr=..., Pred=0x55555755db60)
      at ../../clang/lib/StaticAnalyzer/Core/CheckerManager.cpp:291
  #15 0x00007fffe494a0f9 in expandGraphWithCheckers<(anonymous 
namespace)::CheckCallContext> (checkCtx=..., Dst=..., Src=...) at 
../../clang/lib/StaticAnalyzer/Core/CheckerManager.cpp:139
  #16 0x00007fffe4946c07 in 
clang::ento::CheckerManager::runCheckersForCallEvent (this=0x555555673eb0, 
isPreVisit=true, Dst=..., Src=..., Call=..., Eng=..., WasInlined=false)
      at ../../clang/lib/StaticAnalyzer/Core/CheckerManager.cpp:308
  #17 0x00007fffe49ccbcf in clang::ento::CheckerManager::runCheckersForPreCall 
(this=0x555555673eb0, Dst=..., Src=..., Call=..., Eng=...)
      at ../../clang/include/clang/StaticAnalyzer/Core/CheckerManager.h:274
  #18 0x00007fffe49c9a72 in clang::ento::ExprEngine::handleConstructor 
(this=0x7fffffff9240, E=0x7fffe187cbb8, Pred=0x55555755db60, destNodes=...)
      at ../../clang/lib/StaticAnalyzer/Core/ExprEngineCXX.cpp:551
  #19 0x00007fffe49ca076 in 
clang::ento::ExprEngine::VisitCXXInheritedCtorInitExpr (this=0x7fffffff9240, 
CE=0x7fffe187cbb8, Pred=0x55555755db60, Dst=...)
      at ../../clang/lib/StaticAnalyzer/Core/ExprEngineCXX.cpp:627
  #20 0x00007fffe4997c85 in clang::ento::ExprEngine::Visit 
(this=0x7fffffff9240, S=0x7fffe187cbb8, Pred=0x55555755db60, DstTop=...) at 
../../clang/lib/StaticAnalyzer/Core/ExprEngine.cpp:1623
  #21 0x00007fffe499385c in clang::ento::ExprEngine::ProcessStmt 
(this=0x7fffffff9240, currStmt=0x7fffe187cbb8, Pred=0x55555755da88) at 
../../clang/lib/StaticAnalyzer/Core/ExprEngine.cpp:791
  #22 0x00007fffe4992af2 in clang::ento::ExprEngine::processCFGElement 
(this=0x7fffffff9240, E=..., Pred=0x55555755da88, StmtIdx=0, Ctx=0x7fffffff8ea0)
      at ../../clang/lib/StaticAnalyzer/Core/ExprEngine.cpp:637
  #23 0x00007fffe496900e in clang::ento::CoreEngine::HandleBlockEntrance 
(this=0x7fffffff9260, L=..., Pred=0x55555755da88) at 
../../clang/lib/StaticAnalyzer/Core/CoreEngine.cpp:290
  #24 0x00007fffe4968523 in clang::ento::CoreEngine::dispatchWorkItem 
(this=0x7fffffff9260, Pred=0x55555755da88, Loc=..., WU=...) at 
../../clang/lib/StaticAnalyzer/Core/CoreEngine.cpp:163
  #25 0x00007fffe49683ed in clang::ento::CoreEngine::ExecuteWorkList 
(this=0x7fffffff9260, L=0x5555579d0320, Steps=224998, InitState=...) at 
../../clang/lib/StaticAnalyzer/Core/CoreEngine.cpp:148

Which might be caused by a `dyn_cast`.

I'm using clang at commit hash `95a94df5a9c3d7d2aa92b6beb13e82d8d5832e2e`.
My GCC version is `gcc (Ubuntu 9.2.1-17ubuntu1~18.04.1) 9.2.1 20191102`

Breaking on the `SIGABRT` signal in GDB and examining the source location of 
the place:

  (gdb) p Call.getSourceRange().dump(C.getSourceManager())
  </usr/include/c++/9/variant:580:20>

Where the code was something like this (the full source is available in the 
GitHub gcc repo 
<https://github.com/gcc-mirror/gcc/blob/releases/gcc-9.2.0/libstdc++-v3/include/std/variant#L580>):

  template<bool, typename... _Types>
  struct _Copy_assign_base : _Move_ctor_alias<_Types...>
  {
    using _Base = _Move_ctor_alias<_Types...>;
    using _Base::_Base;
  //^^^^^^^^^^^^^^^^^^
  
    _Copy_assign_base&
    operator=(const _Copy_assign_base& __rhs) 
noexcept(_Traits<_Types...>::_S_nothrow_copy_assign)
    {
  [...]

Sorry if this is not the right place for the report. @NoQ


Repository:
  rG LLVM Github Monorepo

CHANGES SINCE LAST ACTION
  https://reviews.llvm.org/D74735/new/

https://reviews.llvm.org/D74735



_______________________________________________
cfe-commits mailing list
cfe-commits@lists.llvm.org
https://lists.llvm.org/cgi-bin/mailman/listinfo/cfe-commits
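The backtrace above reaches the assertion through `VisitCXXInheritedCtorInitExpr` and `CallAndMessageChecker::checkPreCall`, i.e. the analyzer is modelling an inheriting constructor (`using _Base::_Base;`) pulled in from libstdc++'s `std::variant`. The following translation unit is an added, constructed reproducer that is not part of the report, of libpressio, or of libstdc++: it mirrors the shape of `_Copy_assign_base` (a variadic base, an inherited constructor, and a user-written copy assignment) in a few dozen lines so that the same `CXXInheritedCtorInitExpr` node is exercised without pulling in `<variant>`. The type and function names are invented for the example, and whether it triggers the assertion on the exact commit named above is an assumption that has to be checked by running it against that build.

```cpp
// Constructed reproducer for the analyzer path in the report above.
// Not from libpressio or libstdc++; names are invented for illustration.
//
// Confirm the AST node of interest is present:
//   clang -fsyntax-only -std=c++17 -Xclang -ast-dump repro.cpp | grep CXXInheritedCtorInitExpr
// Run the checker that appears at frame #11 of the backtrace:
//   clang --analyze -std=c++17 -Xclang -analyzer-checker=core.CallAndMessage repro.cpp
#include <cstddef>
#include <utility>

// Stand-in for _Move_ctor_alias<_Types...>: a variadic base with a
// non-trivial constructor that the derived class will inherit.
template <typename... Ts>
struct MoveCtorBase {
  std::size_t index;
  int payload;

  // Constructor that the derived class inherits via `using Base::Base;`.
  MoveCtorBase(std::size_t idx, int value) noexcept
      : index(idx), payload(value) {}

  // Returns the arity of the pack so the instantiation is observable.
  static constexpr std::size_t alternatives() noexcept { return sizeof...(Ts); }
};

// Stand-in for _Copy_assign_base<bool, _Types...>: inherits the base
// constructor (this is what produces a CXXInheritedCtorInitExpr when it is
// called) and adds a user-written copy assignment, like libstdc++ does.
template <bool Trivial, typename... Ts>
struct CopyAssignBase : MoveCtorBase<Ts...> {
  using Base = MoveCtorBase<Ts...>;
  using Base::Base;  // inheriting constructor, as in <variant> line 580

  CopyAssignBase& operator=(const CopyAssignBase& rhs) noexcept {
    if (this != &rhs) {
      this->index = rhs.index;
      this->payload = rhs.payload;
    }
    return *this;
  }
};

// Calls the inherited constructor and then the user-written assignment, so
// the analyzer has to build a CXXInheritedConstructorCall for `src`.
int roundtrip(std::size_t idx, int value) {
  CopyAssignBase<false, int, double, char> src(idx, value);  // inherited ctor
  CopyAssignBase<false, int, double, char> dst(0, 0);        // inherited ctor
  dst = src;                                                 // copy assignment
  return dst.payload;
}

// Exposes the pack arity so callers can check the instantiation was reached.
std::size_t alternatives_seen() {
  return CopyAssignBase<false, int, double, char>::alternatives();
}

int main() {
  return roundtrip(1, 42) == 42 && alternatives_seen() == 3 ? 0 : 1;
}
```

Compile it normally first (it is a plain C++17 program that returns 0), then feed the same file to `clang --analyze` from the commit under test; if the assertion is specific to inheriting constructors, the failure will show up here without CodeChecker, `--enable-all`, or libpressio in the loop.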
