<html>
<head>
<base href="https://llvm.org/bugs/" />
</head>
<body><table border="1" cellspacing="0" cellpadding="8">
<tr>
<th>Bug ID</th>
<td><a class="bz_bug_link
bz_status_NEW "
title="NEW --- - Assertion failed `!RegionType.isNull() && "DynamicTypeInfo should always be a pointer."'"
href="https://llvm.org/bugs/show_bug.cgi?id=25414">25414</a>
</td>
</tr>
<tr>
<th>Summary</th>
<td>Assertion failed `!RegionType.isNull() && "DynamicTypeInfo should always be a pointer."'
</td>
</tr>
<tr>
<th>Product</th>
<td>clang
</td>
</tr>
<tr>
<th>Version</th>
<td>trunk
</td>
</tr>
<tr>
<th>Hardware</th>
<td>PC
</td>
</tr>
<tr>
<th>OS</th>
<td>Linux
</td>
</tr>
<tr>
<th>Status</th>
<td>NEW
</td>
</tr>
<tr>
<th>Severity</th>
<td>normal
</td>
</tr>
<tr>
<th>Priority</th>
<td>P
</td>
</tr>
<tr>
<th>Component</th>
<td>Static Analyzer
</td>
</tr>
<tr>
<th>Assignee</th>
<td>kremenek@apple.com
</td>
</tr>
<tr>
<th>Reporter</th>
<td>alexfh@google.com
</td>
</tr>
<tr>
<th>CC</th>
<td>llvm-bugs@lists.llvm.org
</td>
</tr>
<tr>
<th>Classification</th>
<td>Unclassified
</td>
</tr></table>
<p>
<div>
<pre>Static analyzer crashes on a number of translation units in our code base.
Reduced test case:
$ cat sa3.cc
// Polymorphic class from the reduced test case. The non-virtual x1() calls
// the virtual x2() through the implicit `this`; x2() is declared here but
// has no definition anywhere in this listing.
// NOTE(review): the x2() call is presumably the virtual call whose runtime
// definition the analyzer was resolving when the assertion fired -- the
// report does not say which call expression was being evaluated.
struct x0 {
void x1() { x2(); }
virtual int x2();
};
// x3 only provides the nested class x4, a thin holder for a raw x0*.
class x3 {
public:
class x4 {
public:
// The first two constructor arguments are unnamed and ignored; only the
// x0* is kept, in x6.
x4(int *, int, x0 *x5) : x6(x5) {}
// Hands back the stored pointer as-is; there is no null check here.
x0 *x7() { return x6; }
x0 *x6;
};
};
// Call-forwarding layer of the reduced test case: x20 -> x9::x17::x18 ->
// x9::x11 -> x9::x12::x13 -> x16, plus the x21/x23/x24 templates that
// require a user-defined conversion to x21<int>.
namespace x8 {
namespace x9 {
// Forward declaration; the definition follows later in this namespace.
template <typename x10> void x11(const x10 &, int *);
template <typename x10> class x12 {
public:
// Unqualified call to x16, which is only declared later, at global scope.
// The argument x14 is type-dependent, so x16 is looked up when x13 is
// instantiated rather than where this template is defined.
static void x13(x10 x14, int *x15) { x16(x14, x15); }
};
class x17 {
public:
// Takes the x3::x4 by value and passes it on together with the address of
// the uninitialized local x19.
static void x18(x3::x4 x14) {
int x19;
x11(x14, &x19);
}
};
// Definition of the forwarder declared above: delegates to x12<x10>::x13.
template <typename x10> void x11(const x10 &x14, int *x15) {
x12<x10>::x13(x14, x15);
}
}
// Entry point into the forwarding chain; x29::x30::x31 calls it by its
// unqualified name, made visible by the later using-declaration.
void x20(x3::x4 x14) { x9::x17::x18(x14); }
// Empty class template; in this listing it is only used as a conversion
// target.
template <typename> class x21 {};
// Returning x14 as x21<int> requires a conversion from x22 to x21<int>.
// The first template parameter is unnamed and unused.
template <typename, typename x22> x21<int> x23(x22 x14) { return x14; }
namespace x9 {
template <typename x22> class x24 {
public:
// Ignores both call arguments; x10 only selects which x23 specialization
// is called with the stored x25.
template <typename x10> void operator()(char *, x10) { x23<x10>(x25); }
x22 x25;
};
// Declared but not defined in this listing.
template <typename x22> x24<x22> x26(x22);
}
}
using x8::x20;
// Class template whose conversion operator to x8::x21<x35> constructs an
// x30, which in turn calls x20 (found through `using x8::x20;`).
template <typename x27, typename x28> class x29 {
public:
class x30 {
public:
// The three constructor parameters are unnamed and never stored, so the
// members x32, x33 and x34 are only default-initialized (indeterminate for
// scalar types) by the time x31 reads them.
x30(x27, int, x28) { x31(false); }
x27 x32;
int x33;
x28 x34;
// Builds an x3::x4 from this object's members and hands it to x20; the
// bool parameter is unused.
void x31(bool) { x20(x3::x4(x32, x33, x34)); }
};
// Constructs a temporary x30 from the outer object's members and then
// falls off the end without a return statement, although the operator's
// return type is x8::x21<x35>.
template <typename x35> operator x8::x21<x35>() { x30(x32, x33, x34); }
x27 x32;
int x33;
x28 x34;
};
// Declaration only; no definition appears in this listing. The second
// parameter's type (x36) is not part of the returned x29<x27, x28>.
template <typename x27, typename x36, typename x28>
x29<x27, x28> x37(x27, x36, x28);
// End of the forwarding chain (called from x8::x9::x12::x13): dereferences
// the pointer returned by x7() without a null check and calls x0::x1(),
// which in turn makes the virtual x2() call. The int* argument is unused.
void x16(x3::x4 x14, int *) { x14.x7()->x1(); }
// Top-level function that instantiates the whole chain. x40 is an
// uninitialized pointer; x37(x40, 1, nullptr) has type
// x29<int *, std::nullptr_t>.
// Call path as written in this listing: x24::operator() -> x23 -> x29's
// conversion operator -> x30 constructor -> x31 -> x20 -> x17::x18 -> x11 ->
// x12::x13 -> x16 -> x0::x1 -> virtual x0::x2.
// NOTE(review): x28 is deduced as std::nullptr_t here, so the x0* stored in
// x3::x4 comes from a nullptr_t-typed member; that may be the non-pointer
// type behind the failed "DynamicTypeInfo should always be a pointer"
// assertion -- not confirmed by the report.
void x38() {
x3 x39;
int *x40;
x8::x9::x26(x37(x40, 1, nullptr))("", x39);
}
$ clang-tidy -checks=-*,clang-analyzer*,-clang-analyzer-alpha* sa3.cc -- -std=c++11
clang-tidy: llvm/tools/clang/lib/StaticAnalyzer/Core/CallEvent.cpp:482: virtual
clang::ento::RuntimeDefinition
clang::ento::CXXInstanceCall::getRuntimeDefinition() const: Assertion
`!RegionType.isNull() && "DynamicTypeInfo should always be a pointer."' failed.
Aborted (core dumped)
Here's the stack trace:
PC: @ 0x13892e6 (unknown)
clang::ento::CXXInstanceCall::getRuntimeDefinition()
@ 0x19f930d 928 FailureSignalHandler()
@ 0x7f1136987390 1520 __restore_rt
@ 0x1389678 32
clang::ento::CXXMemberCall::getRuntimeDefinition()
@ 0x13b3374 144 clang::ento::ExprEngine::defaultEvalCall()
@ 0x13a4abd 352
clang::ento::CheckerManager::runCheckersForEvalCall()
@ 0x13b25aa 368 clang::ento::ExprEngine::evalCall()
@ 0x13b2297 384 clang::ento::ExprEngine::VisitCallExpr()
@ 0x1391138 1248 clang::ento::ExprEngine::Visit()
@ 0x138d877 400 clang::ento::ExprEngine::ProcessStmt()
@ 0x138d50c 96
clang::ento::ExprEngine::processCFGElement()
@ 0x139e89e 160
clang::ento::CoreEngine::dispatchWorkItem()
@ 0x139e49a 192 clang::ento::CoreEngine::ExecuteWorkList()
@ 0xb45452 1120 (anonymous
namespace)::AnalysisConsumer::ActionExprEngine()
@ 0xb44f61 288 (anonymous
namespace)::AnalysisConsumer::HandleCode()
@ 0xb38274 480 (anonymous
namespace)::AnalysisConsumer::HandleTranslationUnit()
@ 0xd3b24c 48
clang::MultiplexConsumer::HandleTranslationUnit()
@ 0xe43f82 144 clang::ParseAST()
@ 0xd3eeff 48 clang::FrontendAction::Execute()
@ 0xc7e282 96 clang::CompilerInstance::ExecuteAction()
@ 0xc36da5 352
clang::tooling::FrontendActionFactory::runInvocation()
@ 0xc36bee 64
clang::tooling::ToolInvocation::runInvocation()
@ 0xc366fa 1440 clang::tooling::ToolInvocation::run()
@ 0xc37c9a 1040 clang::tooling::ClangTool::run()
@ 0xa1a355 1952 clang::tidy::runClangTidy()
@ 0x435aa0 1344 main
@ 0x7f11363dace8 208 __libc_start_main
@ 0x434a69 (unknown) _start
Segmentation fault (core dumped)</pre>
</div>
</p>
</body>
</html>