<html>

    <head>

      <base href="https://bugs.llvm.org/">

    </head>

    <body><table border="1" cellspacing="0" cellpadding="8">

        <tr>

          <th>Bug ID</th>

          <td><a class="bz_bug_link 

          bz_status_NEW "

   title="NEW - Crash in CStringChecker"

   href="https://bugs.llvm.org/show_bug.cgi?id=41812">41812</a>

          </td>

        </tr>

        <tr>

          <th>Summary</th>

          <td>Crash in CStringChecker

          </td>

        </tr>

        <tr>

          <th>Product</th>

          <td>clang

          </td>

        </tr>

        <tr>

          <th>Version</th>

          <td>trunk

          </td>

        </tr>

        <tr>

          <th>Hardware</th>

          <td>All

          </td>

        </tr>

        <tr>

          <th>OS</th>

          <td>All

          </td>

        </tr>

        <tr>

          <th>Status</th>

          <td>NEW

          </td>

        </tr>

        <tr>

          <th>Severity</th>

          <td>release blocker

          </td>

        </tr>

        <tr>

          <th>Priority</th>

          <td>P

          </td>

        </tr>

        <tr>

          <th>Component</th>

          <td>Static Analyzer

          </td>

        </tr>

        <tr>

          <th>Assignee</th>

          <td>dcoughlin@apple.com

          </td>

        </tr>

        <tr>

          <th>Reporter</th>

          <td>adam.balogh@ericsson.com

          </td>

        </tr>

        <tr>

          <th>CC</th>

          <td>dcoughlin@apple.com, llvm-bugs@lists.llvm.org

          </td>

        </tr></table>

      <p>

        <div>

        <pre>Given the following faulty C code (the programmer forgot that taking address of

an array is the same as the array itself which is handled as an address):

```

char dest[255], **dest_p = &dest;

char src[255];

memcmp((const void*) *dest_p, (const void *) src, sizeof(dest));

```

Analyzing this code with any C-String checker enabled results in an assertion

failure:

```

clang:

llvm/tools/clang/include/clang/StaticAnalyzer/Core/PathSensitive/SVals.h:104: T

clang::ento::SVal::castAs() const [with T = clang::ento::DefinedOrUnknownSVal]:

Assertion `T::isKind(*this)' failed.

#0 0x00007fa514b947dd llvm::sys::PrintStackTrace(llvm::raw_ostream&)

llvm/lib/Support/Unix/Signals.inc:494:0

 #1 0x00007fa514b94870 PrintStackTraceSignalHandler(void*)

llvm/lib/Support/Unix/Signals.inc:558:0

 #2 0x00007fa514b92870 llvm::sys::RunSignalHandlers()

llvm/lib/Support/Signals.cpp:68:0

 #3 0x00007fa514b94230 SignalHandler(int)

llvm/lib/Support/Unix/Signals.inc:357:0

 #4 0x00007fa510428f20 (/lib/x86_64-linux-gnu/libc.so.6+0x3ef20)

 #5 0x00007fa510428e97 raise

/build/glibc-OTsEL5/glibc-2.27/signal/../sysdeps/unix/sysv/linux/raise.c:51:0

 #6 0x00007fa51042a801 abort /build/glibc-OTsEL5/glibc-2.27/stdlib/abort.c:81:0

 #7 0x00007fa51041a39a __assert_fail_base

/build/glibc-OTsEL5/glibc-2.27/assert/assert.c:89:0

 #8 0x00007fa51041a412 (/lib/x86_64-linux-gnu/libc.so.6+0x30412)

 #9 0x00007fa503f28a6f clang::ento::DefinedOrUnknownSVal

clang::ento::SVal::castAs<clang::ento::DefinedOrUnknownSVal>() const

llvm/tools/clang/include/clang/StaticAnalyzer/Core/PathSensitive/SVals.h:105:0

#10 0x00007fa503f58630 (anonymous

namespace)::CStringChecker::evalMemcmp(clang::ento::CheckerContext&,

clang::CallExpr const*) const

llvm/tools/clang/lib/StaticAnalyzer/Checkers/CStringChecker.cpp:1286:0

#11 0x00007fa503f5e5cc (anonymous

namespace)::CStringChecker::evalCall(clang::CallExpr const*,

clang::ento::CheckerContext&) const

llvm/tools/clang/lib/StaticAnalyzer/Checkers/CStringChecker.cpp:2354:0

```</pre>

        </div>

      </p>

      <hr>

      <span>You are receiving this mail because:</span>

      <ul>

          <li>You are on the CC list for the bug.</li>

      </ul>

    </body>

</html>