LLVM Bugzilla is read-only and represents the historical archive of all LLVM issues filed before November 26, 2021. Use GitHub to submit LLVM bugs.

Bug 24951 - scan-build crash - preprocessor file
Status: RESOLVED FIXED
Alias: None
Product: clang
Classification: Unclassified
Component: Static Analyzer
Version: trunk
Hardware: PC OpenBSD
Importance: P normal
Assignee: Ted Kremenek
Reported: 2015-09-27 04:39 PDT by programmer
Modified: 2016-02-07 18:28 PST
Attachments
preprocessor file (100.05 KB, application/octet-stream)
2015-09-27 04:39 PDT, programmer

Description programmer 2015-09-27 04:39:44 PDT
Created attachment 14940
preprocessor file
Comment 1 Devin Coughlin 2015-11-29 10:47:08 PST
I get an assertion failure when running the attached with:

./build/clang-ninja/bin/clang -cc1 -analyze -analyzer-checker=core,unix ~/Downloads/clang_crash_UnNL1U.i

Assertion failed: (op == BO_Add), function evalBinOp, file /Volumes/Data/Clangs/OpenSourceGit/clang/lib/StaticAnalyzer/Core/SValBuilder.cpp, line 363.
0  clang                    0x000000010984a0bb llvm::sys::PrintStackTrace(llvm::raw_ostream&) + 43
1  clang                    0x0000000109849336 llvm::sys::RunSignalHandlers() + 70
2  clang                    0x000000010984a762 SignalHandler(int) + 322
3  libsystem_platform.dylib 0x00007fff9bf9852a _sigtramp + 26
4  clang                    0x000000010ce9f444 clang::Stmt::StatisticsEnabled + 62803
5  clang                    0x000000010984a576 abort + 22
6  clang                    0x000000010984a551 __assert_rtn + 81
7  clang                    0x000000010bfcf809 clang::ento::SValBuilder::evalBinOp(llvm::IntrusiveRefCntPtr<clang::ento::ProgramState const>, clang::BinaryOperatorKind, clang::ento::SVal, clang::ento::SVal, clang::QualType) + 985
8  clang                    0x000000010bfcfae4 clang::ento::SValBuilder::evalEQ(llvm::IntrusiveRefCntPtr<clang::ento::ProgramState const>, clang::ento::DefinedOrUnknownSVal, clang::ento::DefinedOrUnknownSVal) + 148
9  clang                    0x000000010bb358c7 (anonymous namespace)::CStringChecker::assumeZero(clang::ento::CheckerContext&, llvm::IntrusiveRefCntPtr<clang::ento::ProgramState const>, clang::ento::SVal, clang::QualType) + 455
10 clang                    0x000000010bb35ba0 (anonymous namespace)::CStringChecker::checkNonNull(clang::ento::CheckerContext&, llvm::IntrusiveRefCntPtr<clang::ento::ProgramState const>, clang::Expr const*, clang::ento::SVal) const + 608
11 clang                    0x000000010bb3b0a6 (anonymous namespace)::CStringChecker::evalStrcpyCommon(clang::ento::CheckerContext&, clang::CallExpr const*, bool, bool, bool) const + 662
12 clang                    0x000000010bb33a46 (anonymous namespace)::CStringChecker::evalStrncpy(clang::ento::CheckerContext&, clang::CallExpr const*) const + 86
13 clang                    0x000000010bb32566 (anonymous namespace)::CStringChecker::evalCall(clang::CallExpr const*, clang::ento::CheckerContext&) const + 1974
14 clang                    0x000000010bb31da0 bool clang::ento::eval::Call::_evalCall<(anonymous namespace)::CStringChecker>(void*, clang::CallExpr const*, clang::ento::CheckerContext&) + 48
15 clang                    0x000000010bece7b2 clang::ento::CheckerFn<bool (clang::CallExpr const*, clang::ento::CheckerContext&)>::operator()(clang::CallExpr const*, clang::ento::CheckerContext&) const + 66
16 clang                    0x000000010bec9d3f clang::ento::CheckerManager::runCheckersForEvalCall(clang::ento::ExplodedNodeSet&, clang::ento::ExplodedNodeSet const&, clang::ento::CallEvent const&, clang::ento::ExprEngine&) + 831
17 clang                    0x000000010bf48049 clang::ento::ExprEngine::evalCall(clang::ento::ExplodedNodeSet&, clang::ento::ExplodedNode*, clang::ento::CallEvent const&) + 185
18 clang                    0x000000010bf47f0b clang::ento::ExprEngine::VisitCallExpr(clang::CallExpr const*, clang::ento::ExplodedNode*, clang::ento::ExplodedNodeSet&) + 427
19 clang                    0x000000010bf11f81 clang::ento::ExprEngine::Visit(clang::Stmt const*, clang::ento::ExplodedNode*, clang::ento::ExplodedNodeSet&) + 5665
20 clang                    0x000000010bf0efa4 clang::ento::ExprEngine::ProcessStmt(clang::CFGStmt, clang::ento::ExplodedNode*) + 532
21 clang                    0x000000010bf0ec6a clang::ento::ExprEngine::processCFGElement(clang::CFGElement, clang::ento::ExplodedNode*, unsigned int, clang::ento::NodeBuilderContext*) + 218
22 clang                    0x000000010bef068e clang::ento::CoreEngine::HandlePostStmt(clang::CFGBlock const*, unsigned int, clang::ento::ExplodedNode*) + 302
23 clang                    0x000000010bef0010 clang::ento::CoreEngine::dispatchWorkItem(clang::ento::ExplodedNode*, clang::ProgramPoint, clang::ento::WorkListUnit const&) + 1264
24 clang                    0x000000010beef968 clang::ento::CoreEngine::ExecuteWorkList(clang::LocationContext const*, unsigned int, llvm::IntrusiveRefCntPtr<clang::ento::ProgramState const>) + 1240
25 clang                    0x000000010ae4ff28 clang::ento::ExprEngine::ExecuteWorkList(clang::LocationContext const*, unsigned int) + 88
26 clang                    0x000000010ae107ad (anonymous namespace)::AnalysisConsumer::ActionExprEngine(clang::Decl*, bool, clang::ento::ExprEngine::InliningModes, llvm::DenseSet<clang::Decl const*, llvm::DenseMapInfo<clang::Decl const*> >*) + 1501
27 clang                    0x000000010ae10169 (anonymous namespace)::AnalysisConsumer::RunPathSensitiveChecks(clang::Decl*, clang::ento::ExprEngine::InliningModes, llvm::DenseSet<clang::Decl const*, llvm::DenseMapInfo<clang::Decl const*> >*) + 153
28 clang                    0x000000010ae0fc78 (anonymous namespace)::AnalysisConsumer::HandleCode(clang::Decl*, unsigned int, clang::ento::ExprEngine::InliningModes, llvm::DenseSet<clang::Decl const*, llvm::DenseMapInfo<clang::Decl const*> >*) + 696
29 clang                    0x000000010ae073e8 (anonymous namespace)::AnalysisConsumer::HandleDeclsCallGraph(unsigned int) + 920
30 clang                    0x000000010ae0503a (anonymous namespace)::AnalysisConsumer::HandleTranslationUnit(clang::ASTContext&) + 842
31 clang                    0x000000010ae7d41f clang::ParseAST(clang::Sema&, bool, bool) + 1295
32 clang                    0x000000010a293a8f clang::ASTFrontendAction::ExecuteAction() + 511
33 clang                    0x000000010a292ff0 clang::FrontendAction::Execute() + 112
34 clang                    0x000000010a1de8c1 clang::CompilerInstance::ExecuteAction(clang::FrontendAction&) + 1873
35 clang                    0x000000010a3258ba clang::ExecuteCompilerInvocation(clang::CompilerInstance*) + 4410
36 clang                    0x0000000108b9486e cc1_main(llvm::ArrayRef<char const*>, char const*, void*) + 4926
37 clang                    0x0000000108b8445f ExecuteCC1Tool(llvm::ArrayRef<char const*>, llvm::StringRef) + 479
38 clang                    0x0000000108b81fbd main + 3245
39 libdyld.dylib            0x00007fff96c975ad start + 1
40 libdyld.dylib            0x0000000000000005 start + 1765182041
Comment 2 Devin Coughlin 2015-11-29 11:22:25 PST
rdar://problem/23682244
Comment 3 Devin Coughlin 2016-02-07 12:11:36 PST
Here is a reduced reproducer:

int strcmp(const char *s1, const char *s2);

void bar(char **a) {
  strcmp("Hi", *a);
}

union argument {
   char *f;
};

void foo(union argument a) {
  void (*fPtr)(union argument *) = (void (*)(union argument *))bar;

  fPtr(&a);
}
Comment 4 Devin Coughlin 2016-02-07 18:28:55 PST
Fix in r260066.