
Bug 24184 - BugReporter.cpp:2869: {anonymous}::TrimmedGraph::TrimmedGraph(const clang::ento::ExplodedGraph*, llvm::ArrayRef<const clang::ento::ExplodedNode*>): Assertion `!RemainingNodes.empty() && "No error node found in the trimmed graph"' failed.
Summary: BugReporter.cpp:2869: {anonymous}::TrimmedGraph::TrimmedGraph(const clang::en...
Status: RESOLVED FIXED
Alias: None
Product: clang
Classification: Unclassified
Component: Static Analyzer (show other bugs)
Version: trunk
Hardware: PC Linux
Importance: P normal
Assignee: Ted Kremenek
Reported: 2015-07-19 16:05 PDT by Dmitry G. Dyachenko
Modified: 2015-09-01 05:15 PDT (History)
Description Dmitry G. Dyachenko 2015-07-19 16:05:28 PDT
$ /usr/local/llvm/bin/clang++ --version
clang version 3.8.0 (trunk 242641)
Target: x86_64-unknown-linux-gnu
Thread model: posix


$ /usr/local/llvm/bin/clang++ -cc1 -analyze -analyzer-eagerly-assume -fcxx-exceptions -analyzer-checker=core -analyzer-checker=alpha.core.PointerArithm -analyzer-max-loop 64 x.ii
[...skip warnings...]
clang++: /home/dimhen/src/llvm/tools/clang/lib/StaticAnalyzer/Core/BugReporter.cpp:2869: {anonymous}::TrimmedGraph::TrimmedGraph(const clang::ento::ExplodedGraph*, llvm::ArrayRef<const clang::ento::ExplodedNode*>): Assertion `!RemainingNodes.empty() && "No error node found in the trimmed graph"' failed.
0  clang++         0x0000000002398915 llvm::sys::PrintStackTrace(llvm::raw_ostream&) + 37
1  clang++         0x0000000002397481
2  libpthread.so.0 0x0000003469010430
3  libc.so.6       0x0000003468c349c8 gsignal + 56
4  libc.so.6       0x0000003468c3665a abort + 362
5  libc.so.6       0x0000003468c2d187
6  libc.so.6       0x0000003468c2d232
7  clang++         0x0000000001193153
8  clang++         0x0000000001199ee1 clang::ento::GRBugReporter::generatePathDiagnostic(clang::ento::PathDiagnostic&, clang::ento::PathDiagnosticConsumer&, llvm::ArrayRef<clang::ento::BugReport*>&) + 545
9  clang++         0x000000000119cf35 clang::ento::BugReporter::FlushReport(clang::ento::BugReport*, clang::ento::PathDiagnosticConsumer&, llvm::ArrayRef<clang::ento::BugReport*>) + 1445
10 clang++         0x000000000119d275 clang::ento::BugReporter::FlushReport(clang::ento::BugReportEquivClass&) + 277
11 clang++         0x000000000119eea7 clang::ento::BugReporter::FlushReports() + 3943
12 clang++         0x0000000001037011
13 clang++         0x00000000010377fe
14 clang++         0x000000000103e671
15 clang++         0x0000000000b704a2 clang::ParseAST(clang::Sema&, bool, bool) + 754
16 clang++         0x00000000007cbad6 clang::FrontendAction::Execute() + 486
17 clang++         0x00000000007a47c1 clang::CompilerInstance::ExecuteAction(clang::FrontendAction&) + 353
18 clang++         0x000000000078a25b clang::ExecuteCompilerInvocation(clang::CompilerInstance*) + 2107
19 clang++         0x00000000007817c8 cc1_main(llvm::ArrayRef<char const*>, char const*, void*) + 2104
20 clang++         0x000000000075f339 main + 1321
21 libc.so.6       0x0000003468c20700 __libc_start_main + 240
22 clang++         0x0000000000780749 _start + 41
Stack dump:
0.	Program arguments: /usr/local/llvm/bin/clang++ -cc1 -analyze -analyzer-eagerly-assume -fcxx-exceptions -analyzer-checker=core -analyzer-checker=alpha.core.PointerArithm -analyzer-max-loop 64 x.ii 
1.	<eof> parser at end of file


$ cat x.ii
// Test case from the bug report (x.ii). The identifiers look like leftovers
// of a larger translation unit; nothing in this listing depends on their
// names. NOTE(review): appears machine-reduced, so keep the code unchanged
// when re-running the reproducer.
typedef struct {
  int cbData;
  unsigned pbData;
} CRYPT_DATA_BLOB;
typedef enum { DT_NONCE_FIXED } DATA_TYPE;
// Incremented by fn1's loop and read in its pointer expression.
int a;
// A function type (not a pointer-to-function type); used below to declare fn2.
typedef int *vcreate_t(int *, DATA_TYPE, int, int);
// Both parameters are unnamed and unused.
void fn1(unsigned, unsigned) {
  char b = 0;
  // The loop condition is the constant 1, so the loop has no exit of its own;
  // on the reported command line the exploration is bounded by
  // -analyzer-max-loop 64.
  // The increment forms `&b + a * 0`, i.e. pointer arithmetic on the address
  // of a single char rather than on an array element. Presumably this is the
  // expression the alpha.core.PointerArithm checker reports on -- confirm
  // against the skipped warnings.
  for (; 1; a++, &b + a * 0)
    ;
}

// Declares the function fn2 through the vcreate_t function typedef; this
// listing contains no definition for it.
vcreate_t fn2;
// Wrapper around one CRYPT_DATA_BLOB; m_fn1 is the path into fn1's loop.
struct A {
  CRYPT_DATA_BLOB value;
  // Declared to return int but contains no return statement, while the
  // caller in C::m_fn2 uses the result. That would be undefined behaviour if
  // executed; here the file is only fed to the analyzer.
  int m_fn1() {
    // c is never used.
    int c;
    // The comparison result is discarded.
    value.pbData == 0;
    // Enters fn1, whose loop condition is constant-true.
    fn1(0, 0);
  }
};
// Aggregate of three A members; C::m_fn2 reaches each of them through a B*.
struct B {
  A IkeHashAlg;
  A IkeGType;
  A NoncePhase1_r;
};
// Both members are private (class default access). Only m_fn2 is defined in
// this listing; m_fn3 is declared and called but has no definition here.
class C {
  int m_fn2(B *);
  void m_fn3(B *, int, int, int);
};
// Calls A::m_fn1 on two different members of *p1 (each call reaches fn1's
// loop), then calls fn2 and m_fn3, neither of which is defined in this
// listing. Declared to return int but has no return statement.
int C::m_fn2(B *p1) {
  int *d;
  // First call into A::m_fn1, and through it fn1.
  int e = p1->IkeHashAlg.m_fn1();
  // Second call into A::m_fn1 on a different member; h is declared
  // uninitialised on the same line and assigned further down.
  unsigned f = p1->IkeGType.m_fn1(), h;
  // g is never used.
  int g;
  // Passes a null pointer constant, the only enumerator, a char zero and the
  // cbData field of a third A member.
  d = fn2(0, DT_NONCE_FIXED, (char)0, p1->NoncePhase1_r.value.cbData);
  h = 0 | 0;
  m_fn3(p1, 0, 0, 0);
}
Comment 1 Dmitry G. Dyachenko 2015-08-11 05:12:55 PDT
One more similar testcase
-analyzer-max-loop 62 PASS
-analyzer-max-loop 63 FAIL
-analyzer-max-loop 64 PASS

clang++ -cc1 -analyze -analyzer-checker=core -analyzer-checker=cplusplus -fcxx-exceptions -analyzer-checker alpha.core.PointerArithm -analyzer-max-loop {62,63,64} x.ii

$ cat x.ii 
// Second test case from the report (also named x.ii). Here pbData is a
// pointer to unsigned char, whereas the first test case declares it as an
// unsigned integer.
typedef struct {
  int cbData;
  unsigned char *pbData;
} CRYPT_DATA_BLOB;
// Local stand-in for the fixed-width type; no standard header is included.
typedef unsigned uint32_t;
// Compares the two pointers and discards the result; no other effect.
void fn1(void *p1, const void *p2) { p1 != p2; }

// Runs p3 iterations, forming `p1 + i` and `p2 + i * 0` on each one.
// The only caller in this listing passes the address of a single local
// uint32_t as p1, so `p1 + i` is pointer arithmetic on a non-array object,
// and it goes beyond one-past-the-end once i exceeds 1.
// p3 comes from value.cbData, which has no known value in this listing, so
// the number of iterations explored is presumably bounded by
// -analyzer-max-loop; the report states 62 and 64 pass while 63 fails.
void fn2(uint32_t *p1, unsigned char *p2, uint32_t p3) {
  unsigned i = 0;
  // The init clause `0` is an expression statement with no effect.
  for (0; i < p3; i++)
    // `i * 0` is always 0, so the second argument is always p2.
    fn1(p1 + i, p2 + i * 0);
}

// Wrapper around one CRYPT_DATA_BLOB; m_fn1 is the path into fn2's loop.
struct A {
  CRYPT_DATA_BLOB value;
  // Always returns 0. When value.pbData is non-null it calls fn2 with the
  // address of the uninitialised local `a` and with the int cbData converted
  // to uint32_t as the loop bound.
  uint32_t m_fn1() {
    uint32_t a;
    if (value.pbData)
      fn2(&a, value.pbData, value.cbData);
    return 0;
  }
};
// Unnamed struct type holding one A; b is a namespace-scope pointer to it
// with no initializer and no assignment anywhere in this listing.
struct {
  A HashAlgId;
} *b;
// Dereferences b to call A::m_fn1, which leads into fn2's loop when
// pbData is non-null. The remaining statements compute values that are
// discarded.
void fn3() {
  uint32_t c, d;
  d = b->HashAlgId.m_fn1();
  // Expression result is unused.
  d << 0 | 0 | 0;
  c = 0;
  // Expression result is unused; b is read only as a truth value.
  0 | 1 << 0 | 0 && b;
}



$ /usr/local/llvm/bin/clang++ -v
clang version 3.8.0 (trunk 244577)
Target: x86_64-unknown-linux-gnu
Thread model: posix
InstalledDir: /usr/local/llvm/bin
Found candidate GCC installation: /usr/lib/gcc/x86_64-redhat-linux/5.1.1
Selected GCC installation: /usr/lib/gcc/x86_64-redhat-linux/5.1.1
Candidate multilib: .;@m64
Candidate multilib: 32;@m32
Selected multilib: .;@m64
Comment 2 Ying Yi 2015-08-19 13:15:36 PDT
Thanks Dmitry for reporting the issue, a patch is currently under review at http://reviews.llvm.org/D12163.

Regards,
Ying Yi
Comment 3 Ying Yi 2015-09-01 03:14:23 PDT
The patch passed the code review
http://reviews.llvm.org/D12163.

Committed in http://reviews.llvm.org/rL246188
Comment 4 Dmitry G. Dyachenko 2015-09-01 05:15:48 PDT
PASS for me.

Thanks!