[cfe-dev] SIGSEGV in call to Sema::PerformPendingInstantiations() in Clang 3.2

Richard Smith richard at metafoo.co.uk
Mon May 6 14:38:28 PDT 2013 

On Mon, May 6, 2013 at 2:07 PM, Tom Honermann <thonermann at coverity.com>wrote:

> This email describes a SIGSEGV I'm experiencing with Clang 3.2 when
> calling Sema::**PerformPendingInstantiations()**.  A patch against latest
> SVN is attached which resolves the SIGSEGV.  However, it appears that the
> call to Sema::**PerformPendingInstantiations() is resulting in a call to
> Sema::getCurScope() which, according to its comments, should never be
> called during template instantiation.  The purpose of this email is to:
>
> 1) Request that the attached patch be applied to SVN.  The patch is
> trivial - it just adds missing initialization of the Sema::CurScope pointer
> within the Sema constructor.
>

Thanks, patch committed as r181251. If you have any way of testing this
without building an additional binary, I'd appreciate it!


> 2) Clarify whether the eventual call into Sema::getCurScope() from within
> Sema::**PerformPendingInstantiations() represents an additional bug which
> should be addressed.
>

Generally, yes, but getScopeForContext is always allowed to call
getCurScope.


> I experienced the SIGSEGV in code that calls ASTUnit::LoadFromASTFile() to
> load an AST file produced with the 'clang -emit-ast' driver option.
> ASTUnit::LoadFromASTFile() creates an instance of the Sema class, but a
> corresponding Parser instance is not created.  AST files may contain
> pending template instantiations.  I have a call to Sema::**PerformPendingInstantiations()
> to complete them.  The SIGSEGV occurs when the Sema::CurScope pointer is
> dereferenced.  I debugged the problem and discovered that the Sema
> constructor (there is only one) is failing to initialize the CurScope
> member.  The comments for CurScope indicate that the Parser maintains this
> pointer.  In my case, there is no Parser instance, hence no initialization
> occurs resulting in a spurious SIGSEGV.  Initializing CurScope to NULL in
> the Sema constructor avoids the SIGSEGV.  CurScope is referenced by
> Sema::getCurScope() which has the following comment:
>
> include/clang/Sema/Sema.h:
> 7547   /// \brief Retrieve the parser's current scope.
> 7548   ///
> 7549   /// This routine must only be used when it is certain that semantic
> analysis
> 7550   /// and the parser are in precisely the same context, which is not
> the case
> 7551   /// when, e.g., we are performing any kind of template
> instantiation.
> 7552   /// Therefore, the only safe places to use this scope are in the
> parser
> 7553   /// itself and in routines directly invoked from the parser and
> *never* from
> 7554   /// template substitution or instantiation.
> 7555   Scope *getCurScope() const { return CurScope; }
>
> The following stack trace demonstrates that calls to Sema::**PerformPendingInstantiations()
> eventually call into Sema::getCurScope().  The stack trace corresponds to
> the occurrence of the SIGSEGV.  The call to Sema::getCurScope() occurs in
> Sema::getScopeForContext().  Note that the 'this' pointer provided for the
> call to Scope::getFlags() is invalid.
>
> #0  0x000000000118ffaa in clang::Scope::getFlags (this=0x2f) at
> .../llvm-3.2/tools/clang/**include/clang/Sema/Scope.h:170
> #1  0x000000000120c411 in clang::Sema::**getScopeForContext
> (this=0x2af0cb0, Ctx=0x2b2b1c0) at .../llvm-3.2/tools/clang/lib/**
> Sema/Sema.cpp:955
> #2  0x0000000001310891 in clang::Sema::**DeclareImplicitCopyConstructor
> (this=0x2af0cb0, ClassDecl=0x2b2b188) at .../llvm-3.2/tools/clang/lib/**
> Sema/SemaDeclCXX.cpp:8836
> #3  0x0000000001456552 in clang::Sema::**LookupConstructors
> (this=0x2af0cb0, Class=0x2b2b188) at .../llvm-3.2/tools/clang/lib/**
> Sema/SemaLookup.cpp:2458
> #4  0x000000000143b557 in TryConstructorInitialization (S=..., Entity=...,
> Kind=..., Args=0x2b2b120, NumArgs=2, DestType=..., Sequence=...,
> InitListSyntax=false)
>     at .../llvm-3.2/tools/clang/lib/**Sema/SemaInit.cpp:2846
> #5  0x000000000143f4a4 in clang::InitializationSequence:**:InitializationSequence
> (this=0x7fffffff9b20, S=..., Entity=..., Kind=..., Args=0x2b2b120,
> NumArgs=2)
>     at .../llvm-3.2/tools/clang/lib/**Sema/SemaInit.cpp:4138
> #6  0x00000000012f5e1a in clang::Sema::**BuildMemberInitializer
> (this=0x2af0cb0, Member=0x2b2b138, Init=0x2b2b0f8, IdLoc=...)
>     at .../llvm-3.2/tools/clang/lib/**Sema/SemaDeclCXX.cpp:2345
> #7  0x00000000015ad440 in clang::Sema::**InstantiateMemInitializers
> (this=0x2af0cb0, New=0x2ad5af0, Tmpl=0x2af5fc8, TemplateArgs=...)
>     at .../llvm-3.2/tools/clang/lib/**Sema/**SemaTemplateInstantiateDecl.*
> *cpp:3116
> #8  0x00000000015ac3a7 in clang::Sema::**InstantiateFunctionDefinition
> (this=0x2af0cb0, PointOfInstantiation=..., Function=0x2ad5af0,
> Recursive=true, DefinitionRequired=false)
>     at .../llvm-3.2/tools/clang/lib/**Sema/**SemaTemplateInstantiateDecl.*
> *cpp:2823
> #9  0x00000000015aee72 in clang::Sema::**PerformPendingInstantiations
> (this=0x2af0cb0, LocalOnly=false)
>     at .../llvm-3.2/tools/clang/lib/**Sema/**SemaTemplateInstantiateDecl.*
> *cpp:3630
> ...
>
> Here is a simple test case that seems to reliably reproduce a SIGSEGV for
> me.  This is what was used to produce the above back trace.
>   #include <string>
>   void f() {
>     std::string s;
>   }
>
> So, anyone know if this call chain does represent an additional bug?  Or
> are the comments provided for Sema::getCurScope() perhaps a little too
> strong?
>
> Tom.
>
> _______________________________________________
> cfe-dev mailing list
> cfe-dev at cs.uiuc.edu
> http://lists.cs.uiuc.edu/mailman/listinfo/cfe-dev
>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.llvm.org/pipermail/cfe-dev/attachments/20130506/f5df287f/attachment.html>

More information about the cfe-dev mailing list