<html>
    <head>
      <base href="https://bugs.llvm.org/">
    </head>
    <body><table border="1" cellspacing="0" cellpadding="8">
        <tr>
          <th>Bug ID</th>
          <td><a class="bz_bug_link 
          bz_status_NEW "
   title="NEW - UBSan failure (signed integer overflow) in NonnullGlobalConstantsChecker"
   href="https://bugs.llvm.org/show_bug.cgi?id=36206">36206</a>
          </td>
        </tr>

        <tr>
          <th>Summary</th>
          <td>UBSan failure (signed integer overflow) in NonnullGlobalConstantsChecker
          </td>
        </tr>

        <tr>
          <th>Product</th>
          <td>clang
          </td>
        </tr>

        <tr>
          <th>Version</th>
          <td>unspecified
          </td>
        </tr>

        <tr>
          <th>Hardware</th>
          <td>PC
          </td>
        </tr>

        <tr>
          <th>OS</th>
          <td>All
          </td>
        </tr>

        <tr>
          <th>Status</th>
          <td>NEW
          </td>
        </tr>

        <tr>
          <th>Severity</th>
          <td>enhancement
          </td>
        </tr>

        <tr>
          <th>Priority</th>
          <td>P
          </td>
        </tr>

        <tr>
          <th>Component</th>
          <td>Static Analyzer
          </td>
        </tr>

        <tr>
          <th>Assignee</th>
          <td>dcoughlin@apple.com
          </td>
        </tr>

        <tr>
          <th>Reporter</th>
          <td>alexfh@google.com
          </td>
        </tr>

        <tr>
          <th>CC</th>
          <td>ekarpenkov@apple.com, llvm-bugs@lists.llvm.org
          </td>
        </tr></table>
      <p>
        <div>
        <pre>Test case:
// Reduced reproducer helper: evaluates the comparison d >= e and discards the
// result. The unnamed char* parameter is never used.
// NOTE(review): this looks like automatically reduced code; keep it
// byte-for-byte when re-running the analyzer, since a cleanup may stop it
// from reproducing the report.
template <typename a, typename b>
void c(a d, b e, char *) {
  d >= e;
}
// Class template with a two-index call operator (declared here, defined
// out of line) and a public pointer-to-pointer member h.
template <typename f>
class g {
 public:
  const f &operator()(long, long) const;
  f **h;  // never assigned anywhere in this test case
};
// Out-of-line definition of the call operator. It passes d and a literal 0
// to c(), then evaluates h[d][e] and discards the value. There is no return
// statement although the return type is const f&; that is part of the
// reproducer as posted.
// NOTE(review): the factor 8 in the UBSan message would match a pointer-sized
// element, so the h[d] load is presumably the access whose offset
// (index times element size) overflows in ElementRegion::getAsArrayOffset.
// Confirm against the analyzer.
template <class f>
const f &g<f>::operator()(long d, long e) const {
  c(d, 0, "");
  h[d][e];
}
// Globals used by k(): i is g instantiated with int; j is a long that is
// never assigned in this test case.
g<int> i;
long j;
// Driver: a loop with no termination condition that calls i(j - l, 0) with l
// incremented on every iteration, so the first index handed to the call
// operator is j minus a growing counter.
void k() {
  for (int l = 0;; ++l) i(j - l, 0);
}


UBSan report:
llvm/tools/clang/include/clang/AST/CharUnits.h:143:35: runtime error: signed integer overflow: 8 * 9223372036854775806 cannot be represented in type 'long'
    #0 0x558a63f54525 in operator* llvm/tools/clang/include/clang/AST/CharUnits.h:143:35
    #1 0x558a63f54525 in operator* llvm/tools/clang/include/clang/AST/CharUnits.h:210
    #2 0x558a63f54525 in clang::ento::ElementRegion::getAsArrayOffset() const llvm/tools/clang/lib/StaticAnalyzer/Core/MemRegion.cpp:1179
    #3 0x558a63e4cb89 in (anonymous namespace)::RegionStoreManager::getBindingForElement((anonymous namespace)::RegionBindingsRef const&, clang::ento::ElementRegion const*) llvm/tools/clang/lib/StaticAnalyzer/Core/RegionStore.cpp:1644:33
    #4 0x558a63e4a001 in (anonymous namespace)::RegionStoreManager::getBinding((anonymous namespace)::RegionBindingsRef const&, clang::ento::Loc, clang::QualType) llvm/tools/clang/lib/StaticAnalyzer/Core/RegionStore.cpp:1457:29
    #5 0x558a63e3e8f1 in (anonymous namespace)::RegionStoreManager::getBinding(void const*, clang::ento::Loc, clang::QualType) llvm/tools/clang/lib/StaticAnalyzer/Core/RegionStore.cpp:509:12
    #6 0x558a63ef19cb in clang::ento::ProgramState::getSVal(clang::ento::Loc, clang::QualType) const llvm/tools/clang/lib/StaticAnalyzer/Core/ProgramState.cpp:257:12
    #7 0x558a621e73e0 in checkLocation llvm/tools/clang/lib/StaticAnalyzer/Checkers/NonnullGlobalConstantsChecker.cpp:76:19
    #8 0x558a621e73e0 in void clang::ento::check::Location::_checkLocation<(anonymous namespace)::NonnullGlobalConstantsChecker>(void*, clang::ento::SVal const&, bool, clang::Stmt const*, clang::ento::CheckerContext&) llvm/tools/clang/include/clang/StaticAnalyzer/Core/Checker.h:199
    #9 0x558a63fbc64f in runChecker llvm/tools/clang/lib/StaticAnalyzer/Core/CheckerManager.cpp:317:7
    #10 0x558a63fbc64f in void expandGraphWithCheckers<(anonymous namespace)::CheckLocationContext>((anonymous namespace)::CheckLocationContext, clang::ento::ExplodedNodeSet&, clang::ento::ExplodedNodeSet const&) llvm/tools/clang/lib/StaticAnalyzer/Core/CheckerManager.cpp:123
...

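(happens with just the core.* checkers enabled).

Note: per the trace, the overflowing multiplication is in the CharUnits operator* (frame #0), reached from ElementRegion::getAsArrayOffset (frame #2); NonnullGlobalConstantsChecker's checkLocation (frame #7) is the caller that requested the value through ProgramState::getSVal.</pre>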
        </div>
      </p>


    </body>
</html>