<html>
    <head>
      <base href="http://llvm.org/bugs/" />
    </head>
    <body><table border="1" cellspacing="0" cellpadding="8">
        <tr>
          <th>Bug ID</th>
          <td><a class="bz_bug_link 
          bz_status_NEW "
   title="NEW --- - clang --analyze segfault on correct code"
   href="http://llvm.org/bugs/show_bug.cgi?id=17249">17249</a>
          </td>
        </tr>

        <tr>
          <th>Summary</th>
          <td>clang --analyze segfault on correct code
          </td>
        </tr>

        <tr>
          <th>Product</th>
          <td>clang
          </td>
        </tr>

        <tr>
          <th>Version</th>
          <td>3.0
          </td>
        </tr>

        <tr>
          <th>Hardware</th>
          <td>PC
          </td>
        </tr>

        <tr>
          <th>OS</th>
          <td>Linux
          </td>
        </tr>

        <tr>
          <th>Status</th>
          <td>NEW
          </td>
        </tr>

        <tr>
          <th>Severity</th>
          <td>normal
          </td>
        </tr>

        <tr>
          <th>Priority</th>
          <td>P
          </td>
        </tr>

        <tr>
          <th>Component</th>
          <td>Static Analyzer
          </td>
        </tr>

        <tr>
          <th>Assignee</th>
          <td>kremenek@apple.com
          </td>
        </tr>

        <tr>
          <th>Reporter</th>
          <td>nicolas@limare.net
          </td>
        </tr>

        <tr>
          <th>CC</th>
          <td>llvmbugs@cs.uiuc.edu
          </td>
        </tr>

        <tr>
          <th>Classification</th>
          <td>Unclassified
          </td>
        </tr></table>
      <p>
        <div>
        <pre>clang --analyze crashes on this code:

#include <stdlib.h>

int main(int argc, char **argv)
{
    int a = atoi(argv[1]);
    if (a < 0)
        a = 0;

    float * b = (float *) malloc(a * sizeof(float));
    free(b);

    return 0;
}


The critical part seems to be the conditional if section. Crash output is:

$ clang --analyze -v crasher.c 
Debian clang version 3.0-6.2 (tags/RELEASE_30/final) (based on LLVM 3.0)
Target: x86_64-pc-linux-gnu
Thread model: posix
 "/usr/bin/clang" -cc1 -triple x86_64-pc-linux-gnu -analyze -disable-free
-disable-llvm-verifier -main-file-name crasher.c -analyzer-store=region
-analyzer-opt-analyze-nested-blocks -analyzer-eagerly-assume
-analyzer-checker=core -analyzer-checker=deadcode -analyzer-checker=security
-analyzer-checker=unix -analyzer-output plist -w -mrelocation-model static
-mdisable-fp-elim -masm-verbose -mconstructor-aliases -munwind-tables
-target-cpu x86-64 -target-linker-version 2.22 -momit-leaf-frame-pointer -v
-resource-dir /usr/bin/../lib/clang/3.0 -fmodule-cache-path
/var/tmp/clang-module-cache -internal-isystem /usr/local/include
-internal-isystem /usr/bin/../lib/clang/3.0/include -internal-externc-isystem
/usr/include/x86_64-linux-gnu -internal-externc-isystem /usr/include
-ferror-limit 19 -fmessage-length 238 -fgnu-runtime -fobjc-runtime-has-arc
-fobjc-runtime-has-weak -fobjc-fragile-abi -fdiagnostics-show-option
-fcolor-diagnostics -o crasher.plist -x c crasher.c
clang -cc1 version 3.0 based upon llvm 3.0 hosted on x86_64-pc-linux-gnu
ignoring nonexistent directory "/usr/bin/../lib/clang/3.0/include"
ignoring nonexistent directory "/usr/include/clang/3.0/include/"
ignoring nonexistent directory "/usr/bin/../lib/clang/3.0/include"
ignoring duplicate directory "/usr/local/include"
ignoring duplicate directory "/usr/include/x86_64-linux-gnu"
ignoring duplicate directory "/usr/include"
#include "..." search starts here:
#include <...> search starts here:
 /usr/local/include
 /usr/include/x86_64-linux-gnu
 /usr/include
 /usr/lib/gcc/x86_64-linux-gnu/4.6/include/
 /usr/lib/gcc/x86_64-linux-gnu/4.6/include-fixed/
End of search list.
0  libLLVM-3.0.so.1 0x00007f3d02dff94f
1  libLLVM-3.0.so.1 0x00007f3d02dffd99
2  libpthread.so.0  0x00007f3d01d7f210
3  clang            0x0000000000b50920
4  clang            0x0000000000b59db2
clang::ento::GRBugReporter::GeneratePathDiagnostic(clang::ento::PathDiagnostic&,
llvm::SmallVectorImpl<clang::ento::BugReport*>&) + 9106
5  clang            0x0000000000b535b2
clang::ento::BugReporter::FlushReport(clang::ento::BugReportEquivClass&) + 3122
6  clang            0x0000000000b5a3a8 clang::ento::BugReporter::FlushReports()
+ 1032
7  clang            0x0000000000aa46b0
8  clang            0x0000000000aa4fb8
9  clang            0x0000000000aa6211
10 clang            0x0000000000aa6aae
11 clang            0x0000000000aa6c4a
12 clang            0x00000000007e80ab clang::ParseAST(clang::Sema&, bool) +
395
13 clang            0x00000000005de983
clang::CompilerInstance::ExecuteAction(clang::FrontendAction&) + 307
14 clang            0x00000000005c9911
clang::ExecuteCompilerInvocation(clang::CompilerInstance*) + 1041
15 clang            0x00000000005c2fc4 cc1_main(char const**, char const**,
char const*, void*) + 804
16 clang            0x00000000005c1f75 main + 6965
17 libc.so.6        0x00007f3d00db8995 __libc_start_main + 245
18 clang            0x00000000005c2b01
Stack dump:
0.    Program arguments: /usr/bin/clang -cc1 -triple x86_64-pc-linux-gnu
-analyze -disable-free -disable-llvm-verifier -main-file-name crasher.c
-analyzer-store=region -analyzer-opt-analyze-nested-blocks
-analyzer-eagerly-assume -analyzer-checker=core -analyzer-checker=deadcode
-analyzer-checker=security -analyzer-checker=unix -analyzer-output plist -w
-mrelocation-model static -mdisable-fp-elim -masm-verbose -mconstructor-aliases
-munwind-tables -target-cpu x86-64 -target-linker-version 2.22
-momit-leaf-frame-pointer -v -resource-dir /usr/bin/../lib/clang/3.0
-fmodule-cache-path /var/tmp/clang-module-cache -internal-isystem
/usr/local/include -internal-isystem /usr/bin/../lib/clang/3.0/include
-internal-externc-isystem /usr/include/x86_64-linux-gnu
-internal-externc-isystem /usr/include -ferror-limit 19 -fmessage-length 238
-fgnu-runtime -fobjc-runtime-has-arc -fobjc-runtime-has-weak -fobjc-fragile-abi
-fdiagnostics-show-option -fcolor-diagnostics -o crasher.plist -x c crasher.c 
1.    <eof> parser at end of file
clang: error: unable to execute command: Segmentation fault
clang: error: clang frontend command failed due to signal 2 (use -v to see
invocation)
clang: note: diagnostic msg: Please submit a bug report to
<a href="http://llvm.org/bugs/">http://llvm.org/bugs/</a> and include command line arguments and all diagnostic
information.
clang: note: diagnostic msg: Preprocessed source(s) are located at:
clang: note: diagnostic msg: /tmp/crasher-SG0aml.i</pre>
        </div>
      </p>
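<p>The reproducer above is written as a minimal trigger for the analyzer crash, so it skips the input handling a reviewer would ask for in production code: it indexes argv[1] without checking argc, atoi() returns 0 for non-numeric input with no way to tell that from a real 0, and the byte count passed to malloc() is computed from user input without an overflow guard. The block below is an added example, not code from the bug report or from the clang project, that keeps the same program shape (parse a count, allocate that many floats, free) and adds those checks; the function names parse_count and alloc_floats are this example's own choices.</p>

```c
#include <errno.h>
#include <limits.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Parse a decimal element count from a command-line argument.
 * Returns 0 on success and stores the count in *out; returns -1 for a
 * NULL/empty argument, trailing garbage, a negative value, or a value
 * that does not fit in a long. Unlike atoi(), every failure is reported. */
int parse_count(const char *arg, size_t *out)
{
    char *end;
    long v;

    if (arg == NULL || *arg == '\0')
        return -1;
    errno = 0;
    v = strtol(arg, &end, 10);
    if (errno == ERANGE || end == arg || *end != '\0')
        return -1;
    if (v < 0)
        return -1;  /* the reproducer clamps negatives to 0; rejecting is safer */
    *out = (size_t)v;
    return 0;
}

/* Allocate n floats, refusing a count whose byte size would wrap size_t.
 * n == 0 is rounded up to one element so that NULL always means failure
 * (malloc(0) may legally return NULL or a unique pointer). */
float *alloc_floats(size_t n)
{
    if (n > SIZE_MAX / sizeof(float))
        return NULL;
    return malloc((n == 0 ? 1 : n) * sizeof(float));
}

int main(int argc, char **argv)
{
    size_t n;
    float *b;

    if (argc < 2) {
        fprintf(stderr, "usage: %s <count>\n", argv[0]);
        return 2;
    }
    if (parse_count(argv[1], &n) != 0) {
        fprintf(stderr, "invalid count: %s\n", argv[1]);
        return 2;
    }
    b = alloc_floats(n);
    if (b == NULL) {
        fprintf(stderr, "allocation of %zu floats failed\n", n);
        return 1;
    }
    free(b);
    return 0;
}
```

<p>The overflow guard compares against SIZE_MAX / sizeof(float) rather than checking the product after the fact, because an unsigned multiplication that wraps is well-defined and leaves no trace to test for afterwards.</p>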
    </body>
</html>