<table border="1" cellspacing="0" cellpadding="8">
<tr>
<th>Issue</th>
<td>
<a href=https://github.com/llvm/llvm-project/issues/61960>61960</a>
</td>
</tr>
<tr>
<th>Summary</th>
<td>
[ClangSA] APInt::getSExtValue() crash in SValBuilder::evalIntegralCast() with _BitInt of size > 128
</td>
</tr>
<tr>
<th>Labels</th>
<td>
clang:static analyzer,
crash
</td>
</tr>
<tr>
<th>Assignees</th>
<td>
</td>
</tr>
<tr>
<th>Reporter</th>
<td>
AdamMagierFOSS
</td>
</tr>
</table>
<pre>
Observed on most recent main branch as of earlier today, commit `9ef701318b45`
Minimal Reproducer (`test.c`):
```c
_BitInt(129) a;
_BitInt(128) b;
void c() { b = a; }
```
Command:
```bash
clang -cc1 -analyze -analyzer-checker=core up.c
```
Crash Output:
```console
clang: /llvm-project/llvm/include/llvm/ADT/APInt.h:1519: int64_t llvm::APInt::getSExtValue() const: Assertion `getSignificantBits() <= 64 && "Too many bits for int64_t"' failed.
PLEASE submit a bug report to https://github.com/llvm/llvm-project/issues/ and include the crash backtrace, preprocessed source, and associated run script.
Stack dump:
0. Program arguments: /llvm-project/build/bin/clang -cc1 -analyze -analyzer-checker=core test.c
1. <eof> parser at end of file
2. While analyzing stack:
#0 Calling c
3. test.c:3:16: Error evaluating statement
4. test.c:3:16: Error evaluating statement
#0 0x0000000004406f2e llvm::sys::PrintStackTrace(llvm::raw_ostream&, int) /llvm-project/llvm/lib/Support/Unix/Signals.inc:602:22
#1 0x0000000004407328 PrintStackTraceSignalHandler(void*) /llvm-project/llvm/lib/Support/Unix/Signals.inc:676:1
#2 0x0000000004404cfd llvm::sys::RunSignalHandlers() /llvm-project/llvm/lib/Support/Signals.cpp:104:20
#3 0x000000000440695d SignalHandler(int) /llvm-project/llvm/lib/Support/Unix/Signals.inc:413:1
#4 0x00007fbe9677b630 __restore_rt sigaction.c:0:0
#5 0x00007fbe95662387 raise (/lib64/libc.so.6+0x36387)
#6 0x00007fbe95663a78 abort (/lib64/libc.so.6+0x37a78)
#7 0x00007fbe9565b1a6 __assert_fail_base (/lib64/libc.so.6+0x2f1a6)
#8 0x00007fbe9565b252 (/lib64/libc.so.6+0x2f252)
#9 0x0000000000d9d235 llvm::APInt::getSExtValue() const /llvm-project/llvm/include/llvm/ADT/APInt.h:1520:22
#10 0x0000000007b201e6 clang::ento::SValBuilder::evalIntegralCast(llvm::IntrusiveRefCntPtr<clang::ento::ProgramState const>, clang::ento::SVal, clang::QualType, clang::QualType) /llvm-project/clang/lib/StaticAnalyzer/Core/SValBuilder.cpp:603:17
#11 0x0000000007a5535d clang::ento::ExprEngine::VisitCast(clang::CastExpr const*, clang::Expr const*, clang::ento::ExplodedNode*, clang::ento::ExplodedNodeSet&) /llvm-project/clang/lib/StaticAnalyzer/Core/ExprEngineC.cpp:423:43
#12 0x0000000007a24999 clang::ento::ExprEngine::Visit(clang::Stmt const*, clang::ento::ExplodedNode*, clang::ento::ExplodedNodeSet&) /llvm-project/clang/lib/StaticAnalyzer/Core/ExprEngine.cpp:2253:24
#13 0x0000000007a1ebef clang::ento::ExprEngine::ProcessStmt(clang::Stmt const*, clang::ento::ExplodedNode*) /llvm-project/clang/lib/StaticAnalyzer/Core/ExprEngine.cpp:1126:15
#14 0x0000000007a1df0c clang::ento::ExprEngine::processCFGElement(clang::CFGElement, clang::ento::ExplodedNode*, unsigned int, clang::ento::NodeBuilderContext*) /llvm-project/clang/lib/StaticAnalyzer/Core/ExprEngine.cpp:972:7
#15 0x00000000079ee9a6 clang::ento::CoreEngine::HandlePostStmt(clang::CFGBlock const*, unsigned int, clang::ento::ExplodedNode*) /llvm-project/clang/lib/StaticAnalyzer/Core/CoreEngine.cpp:498:1
#16 0x00000000079ed615 clang::ento::CoreEngine::dispatchWorkItem(clang::ento::ExplodedNode*, clang::ProgramPoint, clang::ento::WorkListUnit const&) /llvm-project/clang/lib/StaticAnalyzer/Core/CoreEngine.cpp:221:7
#17 0x00000000079ecd8b clang::ento::CoreEngine::ExecuteWorkList(clang::LocationContext const*, unsigned int, llvm::IntrusiveRefCntPtr<clang::ento::ProgramState const>)::'lambda'(unsigned int)::operator()(unsigned int) const /llvm-project/clang/lib/StaticAnalyzer/Core/CoreEngine.cpp:159:23
#18 0x00000000079ed162 clang::ento::CoreEngine::ExecuteWorkList(clang::LocationContext const*, unsigned int, llvm::IntrusiveRefCntPtr<clang::ento::ProgramState const>) /llvm-project/clang/lib/StaticAnalyzer/Core/CoreEngine.cpp:163:41
#19 0x00000000070b18ab clang::ento::ExprEngine::ExecuteWorkList(clang::LocationContext const*, unsigned int) /llvm-project/clang/include/clang/StaticAnalyzer/Core/PathSensitive/ExprEngine.h:190:34
#20 0x0000000007047341 (anonymous namespace)::AnalysisConsumer::RunPathSensitiveChecks(clang::Decl*, clang::ento::ExprEngine::InliningModes, llvm::DenseSet<clang::Decl const*, llvm::DenseMapInfo<clang::Decl const*, void>>*) /llvm-project/clang/lib/StaticAnalyzer/Frontend/AnalysisConsumer.cpp:729:7
#21 0x00000000070470e9 (anonymous namespace)::AnalysisConsumer::HandleCode(clang::Decl*, unsigned int, clang::ento::ExprEngine::InliningModes, llvm::DenseSet<clang::Decl const*, llvm::DenseMapInfo<clang::Decl const*, void>>*) /llvm-project/clang/lib/StaticAnalyzer/Frontend/AnalysisConsumer.cpp:698:5
#22 0x00000000070461d3 (anonymous namespace)::AnalysisConsumer::HandleDeclsCallGraph(unsigned int) /llvm-project/clang/lib/StaticAnalyzer/Frontend/AnalysisConsumer.cpp:490:31
#23 0x00000000070466ec (anonymous namespace)::AnalysisConsumer::runAnalysisOnTranslationUnit(clang::ASTContext&) /llvm-project/clang/lib/StaticAnalyzer/Frontend/AnalysisConsumer.cpp:560:48
#24 0x0000000007046a9b (anonymous namespace)::AnalysisConsumer::HandleTranslationUnit(clang::ASTContext&) /llvm-project/clang/lib/StaticAnalyzer/Frontend/AnalysisConsumer.cpp:615:74
#25 0x0000000007bca2cb clang::ParseAST(clang::Sema&, bool, bool) /llvm-project/clang/lib/Parse/ParseAST.cpp:182:14
#26 0x000000000529dd23 clang::ASTFrontendAction::ExecuteAction() /llvm-project/clang/lib/Frontend/FrontendAction.cpp:1168:11
#27 0x000000000529d679 clang::FrontendAction::Execute() /llvm-project/clang/lib/Frontend/FrontendAction.cpp:1062:38
#28 0x00000000051d378c clang::CompilerInstance::ExecuteAction(clang::FrontendAction&) /llvm-project/clang/lib/Frontend/CompilerInstance.cpp:1048:42
#29 0x000000000542cb22 clang::ExecuteCompilerInvocation(clang::CompilerInstance*) /llvm-project/clang/lib/FrontendTool/ExecuteCompilerInvocation.cpp:264:38
#30 0x0000000000d409ab cc1_main(llvm::ArrayRef<char const*>, char const*, void*) /llvm-project/clang/tools/driver/cc1_main.cpp:251:40
#31 0x0000000000d2dcd7 ExecuteCC1Tool(llvm::SmallVectorImpl<char const*>&, llvm::ToolContext const&) /llvm-project/clang/tools/driver/driver.cpp:366:20
#32 0x0000000000d2e1eb clang_main(int, char**, llvm::ToolContext const&) /llvm-project/clang/tools/driver/driver.cpp:407:26
#33 0x0000000000d63468 main /llvm-project/build/tools/clang/tools/driver/clang-driver.cpp:15:58
#34 0x00007fbe9564e555 __libc_start_main (/lib64/libc.so.6+0x22555)
#35 0x0000000000d2c2a9 _start (/llvm-project/build/bin/clang+0xd2c2a9)
Aborted (core dumped)
```
The same crash occurs when using `unsigned _BitInt`, but the assert fires on getZExtValue() instead of getSExtValue().
</pre>
<img width="1px" height="1px" alt="" src="http://email.email.llvm.org/o/eJzkWl9z4ygS_zTkhRqXhCQkPeTBcey9VM3c5MbZ2ap7cSGEbS4SuABlkv30VyDJEkqceDLZuru6rZ3E5k_3r3803Q2EaM13grFLkFyB5PqCNGYv1eW8JPUXsuNMrb6u1xeFLJ8uvxaaqQdWQilgLbWBilEmDKwJF7BQRNA9JBrKLWREVZwpaGRJngBaQCrrmhsIcJCzbRqEUZgVcQJwAIJrEMzbn1-44DWp4Dd2ULJsKFMQoAzgwDBtZtSORjmI5uM5ttH9T9vvmytuboQBKAtRDlAOCYiunndltqs4dj1IXkIK2maQXsECgujazYUgvZ6oGutfyLomojyFqiB63zbRiogd_ERpCD8RQaqnP9nxg_pE94zeMwWiayoVg81hRl9Tqojew6-NOTRm0HxkQgotKzZSC6I5BGhVVQ_1p4OS_2LUdF8BWnFBq6ZkQ8P8-s7-vL0RZrYH0TxMQss65MLgeGOgGxbNQTR3Y9qPO2bWy0fznVQN63i0OGwvnGvNlOFS2PW3A_lO8C2nRJgrbnRPe7SwnOMYAoQBwhAgdCclrIl4ggU3Gm6l6kEAhABK4ZbwipWz1tTbz8v5egl1U1hXI7BodlCxg1QGGgn3xhy0xYpWAK123OybYkZlPdg9oYdr3TAN0AoSUcKOJWj2DFJHf0HovVGEMuvfB2V9ljKtWQm1bFTbbGcSrSXlxLASqkZATRU_mA7y2hB6D8umPhyXMZiBIL9VcqdIDYnaNTUTRr-8gkXDq9L-5gKg1U95WLelnMrQqgTRgsktiJbwQJRmChIDmSjtbt7y3puQHfnHnlcMtoK52EFtjXAAOxfNAYoCuCBVZbs7JZGd2mmN5pH1K2wnLZWSCrIHUjXEdOIMs0a38-J3zoMORPAY9P_FcYC3iI3cVz_p9sOt4sK4tbhrFzQbBinyYyO1UYzUzi8X1gWdv57aUBUvAFqtm4N1PYBWvwv-aBv4TpBKz7iwhuAAgWiO0AA2nIBNI5TBCbJWxt-IKCumAMps3AJo_gFwUktqOKBBEzQx3ZYvUfetER6o424-F06Pgx7sHgiD2NISDECi6RrmSQmnPHzIksRh5HMQd6rTbcFynKYFjgK42SimjVRsowzUfEeojWzOOQP37zg9GU9PMEZRlkJFuGYurTlUOG5_05mWMwzQVfAY4ShLbaI7CsITQRFJM0gKG9heFZSSNPMEpb6gpAgJhpsNcfF5Y4PppiBvwEPbkGBPajaVihL0hgiUIE9EPl7koMxLy95P5Zlfym8oGO1FuxW9wJEWKAgZhn0qBdGcCSPbT-vvpLqyYdiGVtf1QKobYdhOkWpBtPGCyY0wqtH8gX1j24Uwt0aBaPGi3C4DrG1Q6zPp0lVSp1BMOv_RkOru6cBONr-0XdqBx_1iiOF03mUQgFYLqSyPI5u7bYsDt3XSgUEvmqUkSaKkfBn78vGglmLHBWu_f-eam4650QTbYod2ZNig5xn2Wp-nrJIlK_8urUecN27NjIv87ydsMHHRERYjS1gcDYQhnzAU53n-E4T5ZK1Nbf77yei4QCixZKB4ICPyyQhZwbbnkXHbVmGWgA-h5APtDEPkkmwy2BlP7Cy3AT3Pzq7aXKx-W1Zt1ePvllH7-avfCHcWLNsS58Q8O77b_QspDHs0H01UntraaBRMEo-mnLGcnAjHVuSYprZEuJXaPPeIxeq3q0rSe88rzqLgA71kANxHhjwbqhBrPJ4YX-IwOc_4kusDMXT_h1T3N4bVvvnnxoEuE93K1xixKj5zbX4X_LjLfilKPOMFodB3inTCCy2z4jxelo-MNob1mH1aPktKbEXX-farzvGBiT1vewFKK1IXJQEoBSjzFXZj5IEpYqRqy5_no04WRO9kPkysYjTKVdnUJUOM_oep_0CqsEvro93rVbZpUIQZOeGl0wj_QVS9Zt1QGvctpyy9JWa_ZkJzwx8mMduV0LmtoKMhgyO_gg7iNIpDeyggQoqnWjYaClIzfXDH7c6xnVrN9UIK3dR9Qf2tEZ72xZ7Re-3Tcc1o9UZa97i9ERUXXOy-yJJp352umdCuyvGcyCrwSJ5M-EION2Ir35jkjuvR0nnd-7LGStkFF6U9wEzY6lwwdWwOcRKF05UIWP6-lWiT6cJliRPsn5s-_19WA7tsPlR8CE1WA4dl9CurYa3SC1JVvyly2L-QDP4Co-J2tw9RDkVTqzCj77NKNaLv-CruFBG6coHOFha-183Xd8f6832lxtuWJthaGmeDpfHUUpIXv7J-_3ETcZjYeDEK3X61XVCCqJeybonSbL6-m5yvWE26C9JCymr4_TZqJ7D_PV_f9ck0s8eAcITMK4UTlJcliqDPV2_w3F3LeZm0azp1P-ljGhHnizwe5rCr00ebIJ2iw6l3gn8F2keBCrClLBr5q1eqJWEZpZl3wlzI-sArpm6ENkRQ9jJjp604zy9HwKcKh4vfzN2LDNC90imJES0Q8m98HMhB4ENXFE2OeVMLzwv2PeQ758Srk8r64wmOfeb9x4egjIPcVn403NSEC-9WcK4UefrGtjZf7cnoFqu78fPa-sT1lhVGykoDtCoVf3ChoFfdA07seSoOBsChDxiVtExhb_cibIkYwV7XpKq-M2qkuqkP1YvosZ-drYxJyfqG_zwzo_3QGRFhPHousEagiREsZF3w6nnvK5M9UY7E-V8LMQ5S5x4DxMiHiKMYZ-0b-ukXvl7H6dW1HZ88zS6wJyOPjP2L-pglSQI3m4oXdKMNUWbToXjl6h4lSXK8urdCkwnhFJEctuJ6SW8-WjrR7dSj7HkhlWGlleEeLMumPrByUP3Su_jdnkFN6v6FVlLaKA1_7JmAjeZiBwEOjvVR_-cAOHC5qjHubbd9C4FbrpiGUsAdM_-cvDdwoQ0j7mX0-WvE7KK8jMo8yskFuwxxFqQoC5LwYn-JiyLfMhzjiCUkwyRISIDYNszCMkMhQhf8EgUoCuIgQUESh-EsjfMijsuiZFm2xUkA4oDVhFczy-hMqt2Fe6O-xGGOg4uKFKzS7s84EOrjn3YFASTHigABtLD9liD7Lbm-UJduhYpmp0EcVFwbPWgw3FTub0MWVuJ6DpJr-MZzjOOeC3jO04id8IObfb8allTN_2QQREsYouyiUdXl-5_uHTP_DgAA__-Hmq47">