[llvm-bugs] [Bug 37622] New: Crash when using Z3 constraint manager

via llvm-bugs llvm-bugs at lists.llvm.org
Tue May 29 10:05:47 PDT 2018


https://bugs.llvm.org/show_bug.cgi?id=37622

            Bug ID: 37622
           Summary: Crash when using Z3 constraint manager
           Product: clang
           Version: trunk
          Hardware: PC
                OS: Linux
            Status: NEW
          Severity: enhancement
          Priority: P
         Component: Static Analyzer
          Assignee: dcoughlin at apple.com
          Reporter: vlad at tsyrklevich.net
                CC: llvm-bugs at lists.llvm.org

The following creduce'd program:
/* creduce-minimized reproducer from this report. Keep the tokens exactly as
 * written: a "cleaned up" version may no longer trigger the analyzer crash.
 * The function calls itself inside a GNU statement expression `({ ... })`,
 * applies `!` to that expression's value, discards the result, and then
 * falls off the end without a return statement. */
_Bool a() {
  !({ a(); }); /* logical-not of the statement expression's value (the recursive call's result) */
}

It crashes when analyzed against trunk with the following flags:
clang -cc1 -triple x86_64-unknown-linux-gnu -analyze -analyzer-eagerly-assume -analyzer-constraints=z3 -analyzer-checker core

The crash is due to the following assertion failure:
clang-7: llvm/tools/clang/include/clang/AST/Type.h:670: const
clang::ExtQualsTypeCommonBase* clang::QualType::getCommonPtr() const: Assertion
`!isNull() && "Cannot retrieve a NULL type pointer"' failed.

The stack trace is:
#0 0x0000560410ed40da llvm::sys::PrintStackTrace(llvm::raw_ostream&)
llvm/lib/Support/Unix/Signals.inc:492:0
#1 0x0000560410ed2794 llvm::sys::RunSignalHandlers()
llvm/lib/Support/Signals.cpp:67:0
#2 0x0000560410ed28c2 SignalHandler(int)
llvm/lib/Support/Unix/Signals.inc:351:0
#3 0x00007f0fc84390c0 __restore_rt
(/lib/x86_64-linux-gnu/libpthread.so.0+0x110c0)
#4 0x00005604120fd290 clang::QualType::getCommonPtr() const
llvm/tools/clang/include/clang/AST/Type.h:671:0
#5 0x00005604120fd290 clang::QualType::getTypePtr() const
llvm/tools/clang/include/clang/AST/Type.h:5805:0
#6 0x00005604120fd290
llvm::simplify_type<clang::QualType>::getSimplifiedValue(clang::QualType)
llvm/tools/clang/include/clang/AST/Type.h:1253:0
#7 0x00005604120fd290 llvm::simplify_type<clang::QualType
const>::getSimplifiedValue(clang::QualType const&)
llvm/include/llvm/Support/Casting.h:49:0
#8 0x00005604120fd290 llvm::isa_impl_wrap<clang::BuiltinType, clang::QualType
const, clang::Type const*>::doit(clang::QualType const&)
llvm/include/llvm/Support/Casting.h:125:0
#9 0x00005604120fd290 bool llvm::isa<clang::BuiltinType,
clang::QualType>(clang::QualType const&)
llvm/include/llvm/Support/Casting.h:144:0
#10 0x00005604120fd290
std::enable_if<!(llvm::is_simple_type<clang::QualType>::value),
llvm::cast_retty<clang::BuiltinType, llvm::cast_retty const>::ret_type>::type
llvm::dyn_cast<clang::BuiltinType,
clang::QualType>(llvm::cast_retty<clang::BuiltinType, llvm::cast_retty
const>::ret_type&) llvm/include/llvm/Support/Casting.h:324:0
#11 0x00005604120fd290 clang::Type::isIntegralOrEnumerationType() const
llvm/tools/clang/include/clang/AST/Type.h:6312:0
#12 0x00005604120fd290 doTypeConversion
llvm/tools/clang/lib/StaticAnalyzer/Core/Z3ConstraintManager.cpp:1411:0
#13 0x00005604120fd290 (anonymous
namespace)::Z3ConstraintManager::getZ3BinExpr((anonymous namespace)::Z3Expr
const&, clang::QualType, clang::BinaryOperatorKind, (anonymous
namespace)::Z3Expr const&, clang::QualType, clang::QualType*) const
llvm/tools/clang/lib/StaticAnalyzer/Core/Z3ConstraintManager.cpp:1369:0
#14 0x00005604120fda63 ~Z3Expr
llvm/tools/clang/lib/StaticAnalyzer/Core/Z3ConstraintManager.cpp:233:0
#15 0x00005604120fda63 getZ3SymBinExpr
llvm/tools/clang/lib/StaticAnalyzer/Core/Z3ConstraintManager.cpp:1356:0
#16 0x00005604120fda63 (anonymous
namespace)::Z3ConstraintManager::getZ3SymExpr(clang::ento::SymExpr const*,
clang::QualType*, bool*) const
llvm/tools/clang/lib/StaticAnalyzer/Core/Z3ConstraintManager.cpp:1314:0
#17 0x00005604121031d5 (anonymous
namespace)::Z3ConstraintManager::assumeSym(llvm::IntrusiveRefCntPtr<clang::ento::ProgramState
const>, clang::ento::SymExpr const*, bool)
llvm/tools/clang/lib/StaticAnalyzer/Core/Z3ConstraintManager.cpp:1028:0
#18 0x00005604120e7c84 llvm::IntrusiveRefCntPtr<clang::ento::ProgramState
const>::release() llvm/include/llvm/ADT/IntrusiveRefCntPtr.h:189:0
#19 0x00005604120e7c84
_ZN4llvm18IntrusiveRefCntPtrIKN5clang4ento12ProgramStateEED4Ev
llvm/include/llvm/ADT/IntrusiveRefCntPtr.h:157:0
#20 0x00005604120e7c84
clang::ento::SimpleConstraintManager::assumeAux(llvm::IntrusiveRefCntPtr<clang::ento::ProgramState
const>, clang::ento::NonLoc, bool)
llvm/tools/clang/lib/StaticAnalyzer/Core/SimpleConstraintManager.cpp:74:0
#21 0x00005604120e8d87 llvm::IntrusiveRefCntPtr<clang::ento::ProgramState
const>::swap(llvm::IntrusiveRefCntPtr<clang::ento::ProgramState const>&)
llvm/include/llvm/ADT/IntrusiveRefCntPtr.h:171:0
#22 0x00005604120e8d87 llvm::IntrusiveRefCntPtr<clang::ento::ProgramState
const>::operator=(llvm::IntrusiveRefCntPtr<clang::ento::ProgramState const>)
llvm/include/llvm/ADT/IntrusiveRefCntPtr.h:160:0
#23 0x00005604120e8d87
clang::ento::SimpleConstraintManager::assume(llvm::IntrusiveRefCntPtr<clang::ento::ProgramState
const>, clang::ento::NonLoc, bool)
llvm/tools/clang/lib/StaticAnalyzer/Core/SimpleConstraintManager.cpp:47:0
#24 0x00005604120e8ea6 llvm::IntrusiveRefCntPtr<clang::ento::ProgramState
const>::release() llvm/include/llvm/ADT/IntrusiveRefCntPtr.h:189:0
#25 0x00005604120e8ea6
_ZN4llvm18IntrusiveRefCntPtrIKN5clang4ento12ProgramStateEED4Ev
llvm/include/llvm/ADT/IntrusiveRefCntPtr.h:157:0
#26 0x00005604120e8ea6
clang::ento::SimpleConstraintManager::assume(llvm::IntrusiveRefCntPtr<clang::ento::ProgramState
const>, clang::ento::DefinedSVal, bool)
llvm/tools/clang/lib/StaticAnalyzer/Core/SimpleConstraintManager.cpp:42:0
#27 0x000056041204d9f3 llvm::IntrusiveRefCntPtr<clang::ento::ProgramState
const>::release() llvm/include/llvm/ADT/IntrusiveRefCntPtr.h:189:0
#28 0x000056041204d9f3
clang::ento::ConstraintManager::assumeDual(llvm::IntrusiveRefCntPtr<clang::ento::ProgramState
const>, clang::ento::DefinedSVal)
llvm/include/llvm/ADT/IntrusiveRefCntPtr.h:157:0
#29 0x000056041204d9f3
clang::ento::ProgramState::assume(clang::ento::DefinedOrUnknownSVal) const
(.isra.333)
llvm/tools/clang/include/clang/StaticAnalyzer/Core/PathSensitive/ProgramState.h:693:0
#30 0x00005604120546fc
_ZN4llvm18IntrusiveRefCntPtrIKN5clang4ento12ProgramStateEEC4EOS5_
llvm/include/llvm/ADT/IntrusiveRefCntPtr.h:145:0
#31 0x00005604120546fc
std::tuple<llvm::IntrusiveRefCntPtr<clang::ento::ProgramState const>&,
llvm::IntrusiveRefCntPtr<clang::ento::ProgramState const>&>&
std::tuple<llvm::IntrusiveRefCntPtr<clang::ento::ProgramState const>&,
llvm::IntrusiveRefCntPtr<clang::ento::ProgramState
const>&>::operator=<llvm::IntrusiveRefCntPtr<clang::ento::ProgramState const>,
llvm::IntrusiveRefCntPtr<clang::ento::ProgramState const>
>(std::pair<llvm::IntrusiveRefCntPtr<clang::ento::ProgramState const>,
llvm::IntrusiveRefCntPtr<clang::ento::ProgramState const> >&&)
/usr/include/c++/7/tuple:1252:0
#32 0x00005604120546fc
clang::ento::ExprEngine::evalEagerlyAssumeBinOpBifurcation(clang::ento::ExplodedNodeSet&,
clang::ento::ExplodedNodeSet&, clang::Expr const*)
llvm/tools/clang/lib/StaticAnalyzer/Core/ExprEngine.cpp:2998:0
#33 0x000056041206014a
_ZN4llvm14SmallSetVectorIPN5clang4ento12ExplodedNodeELj4EED4Ev
llvm/include/llvm/ADT/SetVector.h:298:0
#34 0x000056041206014a _ZN5clang4ento15ExplodedNodeSetD4Ev
llvm/tools/clang/include/clang/StaticAnalyzer/Core/PathSensitive/ExplodedGraph.h:421:0
#35 0x000056041206014a clang::ento::ExprEngine::Visit(clang::Stmt const*,
clang::ento::ExplodedNode*, clang::ento::ExplodedNodeSet&)
llvm/tools/clang/lib/StaticAnalyzer/Core/ExprEngine.cpp:1871:0
#36 0x000056041206328b clang::ento::ExprEngine::ProcessStmt(clang::Stmt const*,
clang::ento::ExplodedNode*)
llvm/tools/clang/lib/StaticAnalyzer/Core/ExprEngine.cpp:871:0
#37 0x0000560412063412
clang::ento::ExprEngine::processCFGElement(clang::CFGElement,
clang::ento::ExplodedNode*, unsigned int, clang::ento::NodeBuilderContext*)
llvm/tools/clang/lib/StaticAnalyzer/Core/ExprEngine.cpp:700:0
#38 0x000056041202fcde clang::ento::CoreEngine::HandlePostStmt(clang::CFGBlock
const*, unsigned int, clang::ento::ExplodedNode*)
llvm/tools/clang/lib/StaticAnalyzer/Core/CoreEngine.cpp:435:0
#39 0x000056041203352c
clang::ento::CoreEngine::dispatchWorkItem(clang::ento::ExplodedNode*,
clang::ProgramPoint, clang::ento::WorkListUnit const&)
llvm/tools/clang/lib/StaticAnalyzer/Core/CoreEngine.cpp:194:0
#40 0x0000560412033637
clang::ento::CoreEngine::ExecuteWorkList(clang::LocationContext const*,
unsigned int, llvm::IntrusiveRefCntPtr<clang::ento::ProgramState const>)
llvm/tools/clang/lib/StaticAnalyzer/Core/CoreEngine.cpp:128:0
#41 0x0000560411d1be84 llvm::IntrusiveRefCntPtr<clang::ento::ProgramState
const>::release() llvm/include/llvm/ADT/IntrusiveRefCntPtr.h:189:0
#42 0x0000560411d1be84
_ZN4llvm18IntrusiveRefCntPtrIKN5clang4ento12ProgramStateEED4Ev
llvm/include/llvm/ADT/IntrusiveRefCntPtr.h:157:0
#43 0x0000560411d1be84
clang::ento::ExprEngine::ExecuteWorkList(clang::LocationContext const*,
unsigned int)
llvm/tools/clang/include/clang/StaticAnalyzer/Core/PathSensitive/ExprEngine.h:173:0
#44 0x0000560411d1be84 (anonymous
namespace)::AnalysisConsumer::ActionExprEngine(clang::Decl*, bool,
clang::ento::ExprEngine::InliningModes, llvm::DenseSet<clang::Decl const*,
llvm::DenseMapInfo<clang::Decl const*> >*) (.part.3717)
llvm/tools/clang/lib/StaticAnalyzer/Frontend/AnalysisConsumer.cpp:748:0
#45 0x0000560411d1c81d RunPathSensitiveChecks
llvm/tools/clang/lib/StaticAnalyzer/Frontend/AnalysisConsumer.cpp:769:0
#46 0x0000560411d1c81d (anonymous
namespace)::AnalysisConsumer::HandleCode(clang::Decl*, unsigned int,
clang::ento::ExprEngine::InliningModes, llvm::DenseSet<clang::Decl const*,
llvm::DenseMapInfo<clang::Decl const*> >*)
llvm/tools/clang/lib/StaticAnalyzer/Frontend/AnalysisConsumer.cpp:715:0
#47 0x0000560411d328cd llvm::DenseMapBase<llvm::DenseMap<clang::Decl const*,
llvm::detail::DenseSetEmpty, llvm::DenseMapInfo<clang::Decl const*>,
llvm::detail::DenseSetPair<clang::Decl const*> >, clang::Decl const*,
llvm::detail::DenseSetEmpty, llvm::DenseMapInfo<clang::Decl const*>,
llvm::detail::DenseSetPair<clang::Decl const*> >::begin()
llvm/include/llvm/ADT/DenseMap.h:73:0
#48 0x0000560411d328cd llvm::detail::DenseSetImpl<clang::Decl const*,
llvm::DenseMap<clang::Decl const*, llvm::detail::DenseSetEmpty,
llvm::DenseMapInfo<clang::Decl const*>, llvm::detail::DenseSetPair<clang::Decl
const*> >, llvm::DenseMapInfo<clang::Decl const*> >::begin()
llvm/include/llvm/ADT/DenseSet.h:159:0
#49 0x0000560411d328cd HandleDeclsCallGraph
llvm/tools/clang/lib/StaticAnalyzer/Frontend/AnalysisConsumer.cpp:510:0
#50 0x0000560411d328cd (anonymous
namespace)::AnalysisConsumer::runAnalysisOnTranslationUnit(clang::ASTContext&)
llvm/tools/clang/lib/StaticAnalyzer/Frontend/AnalysisConsumer.cpp:553:0
#51 0x0000560411d33b93 (anonymous
namespace)::AnalysisConsumer::HandleTranslationUnit(clang::ASTContext&)
llvm/tools/clang/lib/StaticAnalyzer/Frontend/AnalysisConsumer.cpp:584:0
#52 0x00005604121292f9 clang::ParseAST(clang::Sema&, bool, bool)
llvm/tools/clang/lib/Parse/ParseAST.cpp:164:0
#53 0x00005604114b3bd6 clang::FrontendAction::Execute()
llvm/tools/clang/lib/Frontend/FrontendAction.cpp:910:0
#54 0x000056041147e4bc
clang::CompilerInstance::ExecuteAction(clang::FrontendAction&)
llvm/tools/clang/lib/Frontend/CompilerInstance.cpp:990:0
#55 0x000056041155c82b
clang::ExecuteCompilerInvocation(clang::CompilerInstance*)
llvm/tools/clang/lib/FrontendTool/ExecuteCompilerInvocation.cpp:256:0
#56 0x00005604100123a0 cc1_main(llvm::ArrayRef<char const*>, char const*,
void*) llvm/tools/clang/tools/driver/cc1_main.cpp:222:0
#57 0x000056040ffad882 ExecuteCC1Tool
llvm/tools/clang/tools/driver/driver.cpp:310:0
#58 0x000056040ffad882 main llvm/tools/clang/tools/driver/driver.cpp:382:0
#59 0x00007f0fc5a762b1 __libc_start_main
(/lib/x86_64-linux-gnu/libc.so.6+0x202b1)
#60 0x000056041000ff4a _start (build-debug/bin/clang-7+0x765f4a)
