<html>
    <head>
      <base href="https://bugs.llvm.org/">
    </head>
    <body><table border="1" cellspacing="0" cellpadding="8">
        <tr>
          <th>Bug ID</th>
          <td><a class="bz_bug_link 
          bz_status_NEW "
   title="NEW - [analyzer] macro expansion causes crash for certain macro expressions"
   href="https://bugs.llvm.org/show_bug.cgi?id=48588">48588</a>
          </td>
        </tr>

        <tr>
          <th>Summary</th>
          <td>[analyzer] macro expansion causes crash for certain macro expressions
          </td>
        </tr>

        <tr>
          <th>Product</th>
          <td>clang
          </td>
        </tr>

        <tr>
          <th>Version</th>
          <td>trunk
          </td>
        </tr>

        <tr>
          <th>Hardware</th>
          <td>PC
          </td>
        </tr>

        <tr>
          <th>OS</th>
          <td>All
          </td>
        </tr>

        <tr>
          <th>Status</th>
          <td>NEW
          </td>
        </tr>

        <tr>
          <th>Severity</th>
          <td>release blocker
          </td>
        </tr>

        <tr>
          <th>Priority</th>
          <td>P
          </td>
        </tr>

        <tr>
          <th>Component</th>
          <td>Static Analyzer
          </td>
        </tr>

        <tr>
          <th>Assignee</th>
          <td>dcoughlin@apple.com
          </td>
        </tr>

        <tr>
          <th>Reporter</th>
          <td>vince.a.bridgers@gmail.com
          </td>
        </tr>

        <tr>
          <th>CC</th>
          <td>dcoughlin@apple.com, llvm-bugs@lists.llvm.org
          </td>
        </tr></table>
      <p>
        <div>
        <pre>We came across another macro expansion issue lately, and I think I have this
debugged. 

The simple reproducer is below. The crash it causes is edited for brevity, and
pasted in below. I believe this was introduced by the refactoring change
be0d79f32930fe780dc89ba96dac0ba163f7ec50.

In summary, I think the
"TStream.injectRange(PrevParamMap.at(VariadicParamII));" needs to be guarded by
at least a check for the key present in the map PrevParamMap. I prototyped a
change, LITS pass and the crash is avoided. 

Could someone check my analysis? I'll cross post a Phabricator review for this
issue soon. 


clang -cc1 -std=c++14 -analyzer-checker=core macro-crash.cpp -analyzer-config expand-macros=true

const char *traceid(const char *);
int trace(int, const char *, int, ...);
#define TRACE_CALL(tracelevel, ...)  { __VA_ARGS__; }

#define TRACE(tracelevel, str, ...) \
  TRACE_CALL((tracelevel), trace((0), traceid("formatstr " str), 0, tracelevel, __VA_ARGS__))

#define TRACE_WRAPPER TRACE

void funcXXX(
    void* Context_p)
{
  int localvar;
  TRACE_WRAPPER(
          localvar,
          "localvar=%u ",
          0);
}

The crash ... 
    terminate called after throwing an instance of 'std::out_of_range'
      what():  map::at

      #0 llvm::sys::PrintStackTrace(llvm::raw_ostream&, int)
          <base>/llvm/lib/Support/Unix/Signals.inc:563:22
     ...

     #11 std::__throw_out_of_range(char const*)
          <base>/libstdc++-v3/src/c++11/functexcept.cc:82:5
     #12 std::map<clang::IdentifierInfo const*,
            llvm::SmallVector<clang::Token, 2u>,
std::less<clang::IdentifierInfo
            const*>, std::allocator<std::pair<clang::IdentifierInfo const*
const,
            llvm::SmallVector<clang::Token, 2u> > > >::at(clang::IdentifierInfo
            const* const&) const
          <base>/gcc/9.3.0/include/c++/9.3.0/bits/stl_map.h:549:10
     #13 getMacroExpansionInfo((anonymous namespace)::MacroParamMap const&,
            clang::SourceLocation, clang::Preprocessor const&)
          <base>/clang/lib/StaticAnalyzer/Core/PlistDiagnostics.cpp:1242:66
     ...</pre>
        </div>
      </p>
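      <p>An added example, not part of the original report and not Clang's code: a simplified model of the guard the report proposes around the PrevParamMap lookup. Tokens are plain strings, and ParamMap, injectUnguarded, injectGuarded and unguardedThrows are hypothetical names; leaving the token unexpanded when the key is missing is an assumed fallback.</p>

```cpp
#include <map>
#include <stdexcept>
#include <string>
#include <vector>

// Simplified stand-ins (assumptions): tokens are strings, parameters keyed by name.
using Tokens = std::vector<std::string>;
using ParamMap = std::map<std::string, Tokens>;
static const std::string VariadicParam = "__VA_ARGS__";

// Unguarded: same failure mode as the report. at() throws std::out_of_range
// when the previous expansion level has no __VA_ARGS__ entry.
Tokens injectUnguarded(const Tokens &Arg, const ParamMap &Prev) {
  Tokens Out;
  for (const std::string &T : Arg) {
    if (T == VariadicParam) {
      const Tokens &Va = Prev.at(VariadicParam);
      Out.insert(Out.end(), Va.begin(), Va.end());
    } else {
      Out.push_back(T);
    }
  }
  return Out;
}

// Guarded: look the key up first; if it is absent, keep the token unexpanded
// (assumed fallback) instead of throwing.
Tokens injectGuarded(const Tokens &Arg, const ParamMap &Prev) {
  Tokens Out;
  for (const std::string &T : Arg) {
    auto It = (T == VariadicParam) ? Prev.find(VariadicParam) : Prev.end();
    if (It != Prev.end())
      Out.insert(Out.end(), It->second.begin(), It->second.end());
    else
      Out.push_back(T);
  }
  return Out;
}

// True when the unguarded path throws for the given inputs.
bool unguardedThrows(const Tokens &Arg, const ParamMap &Prev) {
  try { injectUnguarded(Arg, Prev); } catch (const std::out_of_range &) { return true; }
  return false;
}

int main() {
  Tokens Arg = {"tracelevel", ",", VariadicParam}; // constructed sample input
  return (unguardedThrows(Arg, {}) && injectGuarded(Arg, {}) == Arg) ? 0 : 1;
}
```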


    </body>
</html>