I've found a crash in clang 3.1's static code analyser.

I'm using clang 3.1 from the release tarball built by myself on Fedora 17
x86_64 with gcc-c++ 4.7.2.

The following minimized C source file can trigger it:

    #define NULL (void *)0

    typedef struct lua_State lua_State;
    typedef const char * (*lua_Reader) (lua_State *L, void *ud, int *sz);

    typedef struct {
        int a;
    } my_ctx_t;

    static const char *
    get(lua_State *L, void *ud, int *size)
    {
        return NULL;    /* reader callback body is irrelevant to the crash */
    }

    extern int lua_load(lua_State *L, lua_Reader reader, void *data,
                         const char *chunkname);

    int foo(void)
    {
        lua_State   *L;     /* deliberately uninitialized: this is what the analyzer reports */
        my_ctx_t     ctx;

        return lua_load(L, get, &ctx, NULL);
    }

And running clang like this:

    $ clang --analyze a.c

I'm getting the following output:

a.c:24:16: warning: Function call argument is an uninitialized value
        return lua_load(L, get, &ctx, NULL);
               ^        ~
clang::FileID clang::SourceManager::getFileIDLoaded(unsigned int) const:
Assertion `0 && "Invalid SLocOffset or bad function choice"' failed.
0  clang           0x0000000001d9960f
1  clang           0x0000000001d99af9
2  libpthread.so.0 0x0000003db6a0efe0
3  libc.so.6       0x0000003db6235925 gsignal + 53
4  libc.so.6       0x0000003db62370d8 abort + 328
5  libc.so.6       0x0000003db622e6a2
6  libc.so.6       0x0000003db622e752
7  clang           0x00000000011a9a20
clang::SourceManager::getFileIDSlow(unsigned int) const + 0
8  clang           0x00000000011a9a35
clang::SourceManager::getFileIDSlow(unsigned int) const + 21
9  clang           0x0000000000e4b76a
+ 2522
10 clang           0x0000000000deac6f
clang::ento::BugReporter::FlushReport(clang::ento::BugReportEquivClass&) + 4415
11 clang           0x0000000000df0018 clang::ento::BugReporter::FlushReports()
+ 696
12 clang           0x0000000000cd63e6
13 clang           0x0000000000ce05b7
14 clang           0x00000000009aa3ed clang::ParseAST(clang::Sema&, bool, bool)
+ 461
15 clang           0x0000000000730831
clang::CompilerInstance::ExecuteAction(clang::FrontendAction&) + 337
16 clang           0x0000000000717a1a
clang::ExecuteCompilerInvocation(clang::CompilerInstance*) + 1098
17 clang           0x0000000000710f4d cc1_main(char const**, char const**, char
const*, void*) + 8973
18 clang           0x0000000000701272 main + 7634
19 libc.so.6       0x0000003db6221735 __libc_start_main + 245
20 clang           0x000000000070e09d
Stack dump:
0.    Program arguments: /opt/llvm/bin/clang -cc1 -triple
x86_64-unknown-linux-gnu -analyze -disable-free -main-file-name a.c
-analyzer-store=region -analyzer-opt-analyze-nested-blocks
-analyzer-eagerly-assume -analyzer-ipa=inlining -analyzer-checker=core
-analyzer-checker=unix -analyzer-checker=deadcode
-analyzer-checker=security.insecureAPI.vfork -analyzer-output plist -w
-mrelocation-model static -mdisable-fp-elim -masm-verbose -mconstructor-aliases
-munwind-tables -target-cpu x86-64 -target-linker-version
-momit-leaf-frame-pointer -resource-dir /opt/llvm/bin/../lib/clang/3.1
-fmodule-cache-path /var/tmp/clang-module-cache -internal-isystem
/usr/local/include -internal-isystem /opt/llvm/bin/../lib/clang/3.1/include
-internal-externc-isystem /include -internal-externc-isystem /usr/include
-fdebug-compilation-dir /home/agentzh/work -ferror-limit 19 -fmessage-length
127 -mstackrealign -fgnu-runtime -fobjc-runtime-has-arc -fobjc-runtime-has-weak
-fobjc-fragile-abi -fdiagnostics-show-option -fcolor-diagnostics -o a.plist -x
c a.c 
1.    <eof> parser at end of file
clang: error: unable to execute command: Aborted (core dumped)
clang: error: clang frontend command failed due to signal (use -v to see
clang: note: diagnostic msg: Please submit a bug report to
http://llvm.org/bugs/ and include command line arguments and all diagnostic
clang: note: diagnostic msg: Preprocessed source(s) and associated run
script(s) are located at:
clang: note: diagnostic msg: /tmp/a-8PnUvT.i
clang: note: diagnostic msg: /tmp/a-8PnUvT.sh

Below is more information regarding my system:

$ clang -v
clang version 3.1 (branches/release_31)
Target: x86_64-unknown-linux-gnu
Thread model: posix

$ uname -a
Linux w530 3.5.4-1.fc17.x86_64 #1 SMP Mon Sep 17 15:03:59 UTC 2012 x86_64
x86_64 x86_64 GNU/Linux

$ g++ -v
Using built-in specs.
Target: x86_64-redhat-linux
Configured with: ../configure --prefix=/usr --mandir=/usr/share/man
--infodir=/usr/share/info --with-bugurl=http://bugzilla.redhat.com/bugzilla
--enable-bootstrap --enable-shared --enable-threads=posix
--enable-checking=release --disable-build-with-cxx
--disable-build-poststage1-with-cxx --with-system-zlib --enable-__cxa_atexit
--disable-libunwind-exceptions --enable-gnu-unique-object
--enable-linker-build-id --with-linker-hash-style=gnu
--enable-languages=c,c++,objc,obj-c++,java,fortran,ada,go,lto --enable-plugin
--enable-initfini-array --enable-java-awt=gtk --disable-dssi
--enable-libgcj-multifile --enable-java-maintainer-mode
--with-ecj-jar=/usr/share/java/eclipse-ecj.jar --disable-libjava-multilib
--with-ppl --with-cloog --with-tune=generic --with-arch_32=i686
Thread model: posix
gcc version 4.7.2 20120921 (Red Hat 4.7.2-2) (GCC)
