Crash in MallocChecker

Abramo Bagnara via cfe-commits cfe-commits at lists.llvm.org
Wed Nov 30 16:10:40 PST 2016


Please consider reviewing and applying the attached patch.

This is how to reproduce the bug:

abramo at tester:~$ cat bug.cpp
void f(int a, int b)
{
    new char[a * b];
}
abramo at tester:~$ ~/llvm-build/bin/clang -cc1 -analyze
-analyzer-checker=cplusplus.NewDeleteLeaks bug.cpp
clang:
/home/abramo/llvm/tools/clang/include/clang/StaticAnalyzer/Core/PathSensitive/SVals.h:76:
T clang::ento::SVal::castAs() const [with T = clang::ento::NonLoc]:
Assertion `T::isKind(*this)' failed.
#0 0x0000000003689a0f llvm::sys::PrintStackTrace(llvm::raw_ostream&)
/home/abramo/llvm/lib/Support/Unix/Signals.inc:402:0
#1 0x0000000003689d6a PrintStackTraceSignalHandler(void*)
/home/abramo/llvm/lib/Support/Unix/Signals.inc:466:0
#2 0x0000000003687f30 llvm::sys::RunSignalHandlers()
/home/abramo/llvm/lib/Support/Signals.cpp:44:0
#3 0x00000000036893a1 SignalHandler(int)
/home/abramo/llvm/lib/Support/Unix/Signals.inc:256:0
#4 0x00007f7833b31330 __restore_rt
(/lib/x86_64-linux-gnu/libpthread.so.0+0x10330)
#5 0x00007f783291dc37 gsignal
/build/eglibc-oGUzwX/eglibc-2.19/signal/../nptl/sysdeps/unix/sysv/linux/raise.c:56:0
#6 0x00007f7832921028 abort
/build/eglibc-oGUzwX/eglibc-2.19/stdlib/abort.c:91:0
#7 0x00007f7832916bf6 __assert_fail_base
/build/eglibc-oGUzwX/eglibc-2.19/assert/assert.c:92:0
#8 0x00007f7832916ca2 (/lib/x86_64-linux-gnu/libc.so.6+0x2fca2)
#9 0x0000000005b1769d clang::ento::NonLoc
clang::ento::SVal::castAs<clang::ento::NonLoc>() const
/home/abramo/llvm/tools/clang/include/clang/StaticAnalyzer/Core/PathSensitive/SVals.h:77:0
#10 0x0000000005bf5a20 (anonymous
namespace)::MallocChecker::addExtentSize(clang::ento::CheckerContext&,
clang::CXXNewExpr const*,
llvm::IntrusiveRefCntPtr<clang::ento::ProgramState const>)
/home/abramo/llvm/tools/clang/lib/StaticAnalyzer/Checkers/MallocChecker.cpp:1036:0
#11 0x0000000005bf5601 (anonymous
namespace)::MallocChecker::checkPostStmt(clang::CXXNewExpr const*,
clang::ento::CheckerContext&) const
/home/abramo/llvm/tools/clang/lib/StaticAnalyzer/Checkers/MallocChecker.cpp:991:0
#12 0x0000000005c0aa29 void
clang::ento::check::PostStmt<clang::CXXNewExpr>::_checkStmt<(anonymous
namespace)::MallocChecker>(void*, clang::Stmt const*,
clang::ento::CheckerContext&)
/home/abramo/llvm/tools/clang/include/clang/StaticAnalyzer/Core/Checker.h:105:0
#13 0x0000000005f0d9a8 clang::ento::CheckerFn<void (clang::Stmt const*,
clang::ento::CheckerContext&)>::operator()(clang::Stmt const*,
clang::ento::CheckerContext&) const
/home/abramo/llvm/tools/clang/include/clang/StaticAnalyzer/Core/CheckerManager.h:60:0
#14 0x0000000005f08002 (anonymous
namespace)::CheckStmtContext::runChecker(clang::ento::CheckerFn<void
(clang::Stmt const*, clang::ento::CheckerContext&)>,
clang::ento::NodeBuilder&, clang::ento::ExplodedNode*)
/home/abramo/llvm/tools/clang/lib/StaticAnalyzer/Core/CheckerManager.cpp:161:0
#15 0x0000000005f0a761 void expandGraphWithCheckers<(anonymous
namespace)::CheckStmtContext>((anonymous namespace)::CheckStmtContext,
clang::ento::ExplodedNodeSet&, clang::ento::ExplodedNodeSet const&)
/home/abramo/llvm/tools/clang/lib/StaticAnalyzer/Core/CheckerManager.cpp:121:0
#16 0x0000000005f080b2
clang::ento::CheckerManager::runCheckersForStmt(bool,
clang::ento::ExplodedNodeSet&, clang::ento::ExplodedNodeSet const&,
clang::Stmt const*, clang::ento::ExprEngine&, bool)
/home/abramo/llvm/tools/clang/lib/StaticAnalyzer/Core/CheckerManager.cpp:175:0
#17 0x0000000005f40184
clang::ento::CheckerManager::runCheckersForPostStmt(clang::ento::ExplodedNodeSet&,
clang::ento::ExplodedNodeSet const&, clang::Stmt const*,
clang::ento::ExprEngine&, bool)
/home/abramo/llvm/tools/clang/include/clang/StaticAnalyzer/Core/CheckerManager.h:206:0
#18 0x0000000005f3770a clang::ento::ExprEngine::Visit(clang::Stmt
const*, clang::ento::ExplodedNode*, clang::ento::ExplodedNodeSet&)
/home/abramo/llvm/tools/clang/lib/StaticAnalyzer/Core/ExprEngine.cpp:1151:0
#19 0x0000000005f341e4
clang::ento::ExprEngine::ProcessStmt(clang::CFGStmt,
clang::ento::ExplodedNode*)
/home/abramo/llvm/tools/clang/lib/StaticAnalyzer/Core/ExprEngine.cpp:463:0
#20 0x0000000005f334e4
clang::ento::ExprEngine::processCFGElement(clang::CFGElement,
clang::ento::ExplodedNode*, unsigned int,
clang::ento::NodeBuilderContext*)
/home/abramo/llvm/tools/clang/lib/StaticAnalyzer/Core/ExprEngine.cpp:311:0
#21 0x0000000005f228db
clang::ento::CoreEngine::HandlePostStmt(clang::CFGBlock const*, unsigned
int, clang::ento::ExplodedNode*)
/home/abramo/llvm/tools/clang/lib/StaticAnalyzer/Core/CoreEngine.cpp:532:0
#22 0x0000000005f217ea
clang::ento::CoreEngine::dispatchWorkItem(clang::ento::ExplodedNode*,
clang::ProgramPoint, clang::ento::WorkListUnit const&)
/home/abramo/llvm/tools/clang/lib/StaticAnalyzer/Core/CoreEngine.cpp:279:0
#23 0x0000000005f213ca
clang::ento::CoreEngine::ExecuteWorkList(clang::LocationContext const*,
unsigned int, llvm::IntrusiveRefCntPtr<clang::ento::ProgramState const>)
/home/abramo/llvm/tools/clang/lib/StaticAnalyzer/Core/CoreEngine.cpp:216:0
#24 0x0000000004e7ee6a
clang::ento::ExprEngine::ExecuteWorkList(clang::LocationContext const*,
unsigned int)
/home/abramo/llvm/tools/clang/include/clang/StaticAnalyzer/Core/PathSensitive/ExprEngine.h:109:0
#25 0x0000000004e388be (anonymous
namespace)::AnalysisConsumer::ActionExprEngine(clang::Decl*, bool,
clang::ento::ExprEngine::InliningModes, llvm::DenseSet<clang::Decl
const*, llvm::DenseMapInfo<clang::Decl const*> >*)
/home/abramo/llvm/tools/clang/lib/StaticAnalyzer/Frontend/AnalysisConsumer.cpp:724:0
#26 0x0000000004e389d8 (anonymous
namespace)::AnalysisConsumer::RunPathSensitiveChecks(clang::Decl*,
clang::ento::ExprEngine::InliningModes, llvm::DenseSet<clang::Decl
const*, llvm::DenseMapInfo<clang::Decl const*> >*)
/home/abramo/llvm/tools/clang/lib/StaticAnalyzer/Frontend/AnalysisConsumer.cpp:741:0
#27 0x0000000004e386a0 (anonymous
namespace)::AnalysisConsumer::HandleCode(clang::Decl*, unsigned int,
clang::ento::ExprEngine::InliningModes, llvm::DenseSet<clang::Decl
const*, llvm::DenseMapInfo<clang::Decl const*> >*)
/home/abramo/llvm/tools/clang/lib/StaticAnalyzer/Frontend/AnalysisConsumer.cpp:688:0
#28 0x0000000004e3769d (anonymous
namespace)::AnalysisConsumer::HandleDeclsCallGraph(unsigned int)
/home/abramo/llvm/tools/clang/lib/StaticAnalyzer/Frontend/AnalysisConsumer.cpp:502:0
#29 0x0000000004e37a5f (anonymous
namespace)::AnalysisConsumer::HandleTranslationUnit(clang::ASTContext&)
/home/abramo/llvm/tools/clang/lib/StaticAnalyzer/Frontend/AnalysisConsumer.cpp:553:0
#30 0x0000000004ed2d07 clang::ParseAST(clang::Sema&, bool, bool)
/home/abramo/llvm/tools/clang/lib/Parse/ParseAST.cpp:161:0
#31 0x0000000003e9fd28 clang::ASTFrontendAction::ExecuteAction()
/home/abramo/llvm/tools/clang/lib/Frontend/FrontendAction.cpp:559:0
#32 0x0000000003e9f7ed clang::FrontendAction::Execute()
/home/abramo/llvm/tools/clang/lib/Frontend/FrontendAction.cpp:462:0
#33 0x0000000003e4cc53
clang::CompilerInstance::ExecuteAction(clang::FrontendAction&)
/home/abramo/llvm/tools/clang/lib/Frontend/CompilerInstance.cpp:886:0
#34 0x0000000003fbf578
clang::ExecuteCompilerInvocation(clang::CompilerInstance*)
/home/abramo/llvm/tools/clang/lib/FrontendTool/ExecuteCompilerInvocation.cpp:249:0
#35 0x0000000001c2a827 cc1_main(llvm::ArrayRef<char const*>, char
const*, void*) /home/abramo/llvm/tools/clang/tools/driver/cc1_main.cpp:221:0
#36 0x0000000001c20b3f ExecuteCC1Tool(llvm::ArrayRef<char const*>,
llvm::StringRef) /home/abramo/llvm/tools/clang/tools/driver/driver.cpp:299:0
#37 0x0000000001c2174b main
/home/abramo/llvm/tools/clang/tools/driver/driver.cpp:380:0
#38 0x00007f7832908f45 __libc_start_main
/build/eglibc-oGUzwX/eglibc-2.19/csu/libc-start.c:321:0
#39 0x0000000001c1e439 _start (/home/abramo/llvm-build/bin/clang+0x1c1e439)
Stack dump:
0.	Program arguments: /home/abramo/llvm-build/bin/clang -cc1 -analyze
-analyzer-checker=cplusplus.NewDeleteLeaks bug.cpp
1.	<eof> parser at end of file
2.	While analyzing stack:
	#0 void f(int a, int b)
3.	bug.cpp:3:5: Error evaluating statement
4.	bug.cpp:3:5: Error evaluating statement
Aborted




-- 
Abramo Bagnara

BUGSENG srl - http://bugseng.com
mailto:abramo.bagnara at bugseng.com
-------------- next part --------------
Index: lib/StaticAnalyzer/Checkers/MallocChecker.cpp
===================================================================
--- lib/StaticAnalyzer/Checkers/MallocChecker.cpp	(revisione 285953)
+++ lib/StaticAnalyzer/Checkers/MallocChecker.cpp	(copia locale)
@@ -1026,8 +1026,7 @@
   ASTContext &AstContext = C.getASTContext();
   CharUnits TypeSize = AstContext.getTypeSizeInChars(ElementType);
 
-  if (Optional<DefinedOrUnknownSVal> DefinedSize =
-          ElementCount.getAs<DefinedOrUnknownSVal>()) {
+  if (ElementCount.getAs<NonLoc>()) {
     DefinedOrUnknownSVal Extent = Region->getExtent(svalBuilder);
     // size in Bytes = ElementCount*TypeSize
     SVal SizeInBytes = svalBuilder.evalBinOpNN(
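Review bot: The new condition on the `+` line discards the value it tests, so the body still has to re-derive the NonLoc from ElementCount with a second cast that must agree with the check; the backtrace places that `castAs<NonLoc>()` at MallocChecker.cpp:1036, past the end of this hunk (presumably inside the evalBinOpNN argument list that opens on the hunk's last line), and it is the cast whose assertion fired. Binding the result instead, `if (Optional<NonLoc> Count = ElementCount.getAs<NonLoc>()) {`, and passing `*Count` to evalBinOpNN lets the type carry the guarantee rather than relying on the two sites staying in sync. The patch also carries no regression test; the two-line reproducer from the message (`new char[a * b]` with two symbolic operands, which yields an UnknownVal the old DefinedOrUnknownSVal check let through) belongs in the analyzer's test/Analysis suite so the assertion cannot come back unnoticed. addExtentSize begins and ends outside the hunk.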

