<html>
    <head>
      <base href="https://bugs.llvm.org/">
    </head>
    <body><table border="1" cellspacing="0" cellpadding="8">
        <tr>
          <th>Bug ID</th>
          <td><a class="bz_bug_link 
          bz_status_NEW "
   title="NEW - UBSan failure (signed integer overflow) in clang::ento::ElementRegion::getAsArrayOffset()"
   href="https://bugs.llvm.org/show_bug.cgi?id=37142">37142</a>
          </td>
        </tr>

        <tr>
          <th>Summary</th>
          <td>UBSan failure (signed integer overflow) in clang::ento::ElementRegion::getAsArrayOffset()
          </td>
        </tr>

        <tr>
          <th>Product</th>
          <td>clang
          </td>
        </tr>

        <tr>
          <th>Version</th>
          <td>unspecified
          </td>
        </tr>

        <tr>
          <th>Hardware</th>
          <td>PC
          </td>
        </tr>

        <tr>
          <th>OS</th>
          <td>All
          </td>
        </tr>

        <tr>
          <th>Status</th>
          <td>NEW
          </td>
        </tr>

        <tr>
          <th>Severity</th>
          <td>enhancement
          </td>
        </tr>

        <tr>
          <th>Priority</th>
          <td>P
          </td>
        </tr>

        <tr>
          <th>Component</th>
          <td>Static Analyzer
          </td>
        </tr>

        <tr>
          <th>Assignee</th>
          <td>dcoughlin@apple.com
          </td>
        </tr>

        <tr>
          <th>Reporter</th>
          <td>alexfh@google.com
          </td>
        </tr>

        <tr>
          <th>CC</th>
          <td>llvm-bugs@lists.llvm.org
          </td>
        </tr></table>
      <p>
        <div>
        <pre>$ cat test-ElementRegion__getAsArrayOffset.cc
// Reduced reproducer from the report: it is input for the static analyzer,
// and the UBSan failure below occurs inside the analyzer, not in this code.
void c(long long *d) {
  long e, f;
  // Both variables take the value loaded from d[1]; nothing in this function
  // constrains that value.
  e = f = d[1];
  // d[e] is indexed by that unconstrained value, and e never changes in the loop.
  // `f-- > 0;` is an expression statement whose comparison result is discarded.
  // NOTE(review): the reported product 8 * -9223372036854775808 looks like
  // element size times index for a long long element; confirm against
  // ElementRegion::getAsArrayOffset().
  for (; d[e];) f-- > 0;
}
$ ./clang-tidy -checks=-*,clang-analyzer* test-ElementRegion__getAsArrayOffset.cc -- -std=c++11
include/clang/AST/CharUnits.h:143:35: runtime error: signed integer overflow: 8 * -9223372036854775808 cannot be represented in type 'long'
    #0 in operator* include/clang/AST/CharUnits.h:143:35
    #1 in operator* include/clang/AST/CharUnits.h:210
    #2 in clang::ento::ElementRegion::getAsArrayOffset() const
lib/StaticAnalyzer/Core/MemRegion.cpp:1253
    #3 in (anonymous
namespace)::RegionStoreManager::getBindingForElement((anonymous
namespace)::RegionBindingsRef const&, clang::ento::ElementRegion const*)
lib/StaticAnalyzer/Core/RegionStore.cpp:1644:33
    #4 in (anonymous namespace)::RegionStoreManager::getBinding((anonymous
namespace)::RegionBindingsRef const&, clang::ento::Loc, clang::QualType)
lib/StaticAnalyzer/Core/RegionStore.cpp:1457:29
    #5 in (anonymous namespace)::RegionStoreManager::getBinding(void const*,
clang::ento::Loc, clang::QualType)
lib/StaticAnalyzer/Core/RegionStore.cpp:509:12
    #6 in getRawSVal
include/clang/StaticAnalyzer/Core/PathSensitive/ProgramState.h:770:38
    #7 in clang::ento::ProgramState::getSVal(clang::ento::Loc, clang::QualType)
const lib/StaticAnalyzer/Core/ProgramState.cpp:258
    #8 in
clang::ento::ExprEngine::evalLoadCommon(clang::ento::ExplodedNodeSet&,
clang::Expr const*, clang::Expr const*, clang::ento::ExplodedNode*,
llvm::IntrusiveRefCntPtr<clang::ento::ProgramState const>,
clang::ento::SVal, clang::ProgramPointTag const*,
clang::QualType) lib/StaticAnalyzer/Core/ExprEngine.cpp:2967:18
    #9 in clang::ento::ExprEngine::evalLoad(clang::ento::ExplodedNodeSet&,
clang::Expr const*, clang::Expr const*, clang::ento::ExplodedNode*,
llvm::IntrusiveRefCntPtr<clang::ento::ProgramState const>,
clang::ento::SVal, clang::ProgramPointTag const*, clang::QualType)
lib/StaticAnalyzer/Core/ExprEngine.cpp:2935:3
    #10 in clang::ento::ExprEngine::VisitCast(clang::CastExpr const*,
clang::Expr const*, clang::ento::ExplodedNode*, clang::ento::ExplodedNodeSet&)
lib/StaticAnalyzer/Core/ExprEngineC.cpp:300:7
    #11 in clang::ento::ExprEngine::Visit(clang::Stmt const*,
clang::ento::ExplodedNode*, clang::ento::ExplodedNodeSet&)
lib/StaticAnalyzer/Core/ExprEngine.cpp:1756:7
    #12 in clang::ento::ExprEngine::ProcessStmt(clang::Stmt const*,
clang::ento::ExplodedNode*) lib/StaticAnalyzer/Core/ExprEngine.cpp:868:5
    #13 in clang::ento::ExprEngine::processCFGElement(clang::CFGElement,
clang::ento::ExplodedNode*, unsigned int, clang::ento::NodeBuilderContext*)
lib/StaticAnalyzer/Core/ExprEngine.cpp:698:7
    #14 in clang::ento::CoreEngine::HandlePostStmt(clang::CFGBlock const*,
unsigned int, clang::ento::ExplodedNode*)
lib/StaticAnalyzer/Core/CoreEngine.cpp:433:12
    #15 in
clang::ento::CoreEngine::dispatchWorkItem(clang::ento::ExplodedNode*,
clang::ProgramPoint, clang::ento::WorkListUnit const&)
lib/StaticAnalyzer/Core/CoreEngine.cpp:191:7
    #16 in clang::ento::CoreEngine::ExecuteWorkList(clang::LocationContext
const*, unsigned int, llvm::IntrusiveRefCntPtr<clang::ento::ProgramState
const>) lib/StaticAnalyzer/Core/CoreEngine.cpp:147:5
    #17 in ExecuteWorkList
include/clang/StaticAnalyzer/Core/PathSensitive/ExprEngine.h:168:19
    #18 in (anonymous
namespace)::AnalysisConsumer::ActionExprEngine(clang::Decl*, bool,
clang::ento::ExprEngine::InliningModes, llvm::DenseSet<clang::Decl const*,
llvm::DenseMapInfo<clang::Decl const*> >*)
lib/StaticAnalyzer/Frontend/AnalysisConsumer.cpp:748
    #19 in (anonymous namespace)::AnalysisConsumer::HandleCode(clang::Decl*,
unsigned int, clang::ento::ExprEngine::InliningModes,
llvm::DenseSet<clang::Decl const*, llvm::DenseMapInfo<clang::Decl const*> >*)
lib/StaticAnalyzer/Frontend/AnalysisConsumer.cpp
    #20 in HandleDeclsCallGraph
lib/StaticAnalyzer/Frontend/AnalysisConsumer.cpp:506:5
    #21 in runAnalysisOnTranslationUnit
lib/StaticAnalyzer/Frontend/AnalysisConsumer.cpp:553</pre>
        </div>
      </p>


    </body>
</html>