<table border="1" cellspacing="0" cellpadding="8">
<tr>
<th>Issue</th>
<td>
<a href=https://github.com/llvm/llvm-project/issues/121201>121201</a>
</td>
</tr>
<tr>
<th>Summary</th>
<td>
[analyzer] loop unrolling crash
</td>
</tr>
<tr>
<th>Labels</th>
<td>
new issue
</td>
</tr>
<tr>
<th>Assignees</th>
<td>
</td>
</tr>
<tr>
<th>Reporter</th>
<td>
shenjunjiekoda
</td>
</tr>
</table>
<pre>
Found a crash when running the analyzer on the file `test/std-test.cc` from the `libfmt` project.
After reducing the case:
```cpp
// Alias that always yields T; the bool and the third type argument are ignored.
template <bool, typename T, typename> using conditional_t = T;
// Only forward-declared; used below as the discarded third argument of
// conditional_t, so no definition is needed.
class basic_format_arg;
// Primary template is declared but not defined; the only definition in this
// reproducer is the bitset specialization further down.
template <typename> struct formatter;
// Argument wrapper parameterised on a formatting context type.
template <typename Context> struct value {
// Converting constructor: accepts any T by value.
template <typename T> value(T) {
using value_type = T;
// Names the format_custom_arg specialization for T and the context's
// formatter for T, but does not call it (no argument list follows).
// NOTE(review): presumably this reference is what makes the compiler
// instantiate the formatter code the analyzer later visits -- confirm.
format_custom_arg<value_type,
typename Context::template formatter_type<value_type>>;
}
// Default-constructs a Context and a Formatter, then calls
// Formatter::format(0, ctx).
template <typename, typename Formatter> static void format_custom_arg() {
Context ctx;
auto f = Formatter();
f.format(0, ctx);
}
};
// Context type used by the reproducer; maps each T to formatter<T>.
struct context {
template <typename T> using formatter_type = formatter<T>;
};
// Unnamed enum; its single enumerator has the value 0.
enum { max_packed_args };
// Always value<Context>: conditional_t yields its second argument, so neither
// the enumerator nor basic_format_arg affects the result. The long parameter
// is unnamed and unused.
template <typename Context, long>
using arg_t = conditional_t<max_packed_args, value<Context>, basic_format_arg>;
// Aggregate with a single member; arg_t<context, NUM_ARGS> resolves to
// value<context> regardless of NUM_ARGS.
template <int NUM_ARGS> struct format_arg_store {
arg_t<context, NUM_ARGS> args;
};
// Builds a format_arg_store from the argument pack; NUM_ARGS defaults to the
// pack size. The braced return initialises the store's `args` member from the
// pack, which goes through value's converting constructor for the single
// argument this reproducer passes.
template <typename... T, long NUM_ARGS = sizeof...(T)>
auto make_format_args(T... args) -> format_arg_store<NUM_ARGS> {
return {args...};
}
// Invokes the callable with the int literal 0; the context parameter is
// unnamed and unused. The `;` after the body is an empty declaration.
template <typename F> void write_padded(context, F write) { write(0); };
// Start of the reduced formatting chain: passes the pack to make_format_args
// and discards the returned store.
template <typename... T> void format(T... args) { make_format_args(args...); }
// Minimal bitset stand-in: the size parameter is an int, and the only member
// is a converting constructor from long that is declared but not defined here.
template <int> struct bitset {
bitset(long);
};
// Specialization of formatter for bitset<N>. N is declared as long here,
// although bitset's own size parameter is an int.
template <long N> struct formatter<bitset<N>> {
// Callable handed to write_padded; its operator() is the function named in
// the "While analyzing stack" entry of the crash output.
struct writer {
bitset<N> bs;
template <typename OutputIt> void operator()(OutputIt) {
// `auto pos = N` gives the counter the type long, while the bound `0` is an
// int literal. NOTE(review): this width difference between the initial value
// and the bound looks like what reaches the bit-width handling in
// shouldCompletelyUnroll when unroll-loops=true -- confirm against the
// analyzer source.
for (auto pos = N; pos > 0; --pos)
;
}
};
// Wraps bs in a writer and hands it, together with the context, to
// write_padded.
template <typename FormatContext>
void format(bitset<N> bs, FormatContext ctx) {
write_padded(ctx, writer{bs});
}
};
// Global bitset<6> initialised from the int 2 through the bitset(long)
// constructor.
bitset<6> TestBody_bs = (2);
// Calls format with the global, which instantiates the templates above for
// bitset<6>.
void TestBody() { format(TestBody_bs); }
```
```shell
# Disable all checks, enable only clang-analyzer-core.*, and pass the analyzer
# option unroll-loops=true through -Xclang -analyzer-config.
$ clang-tidy "-checks=-*,clang-analyzer-core.*" "/path/to/file" "--" "-Xclang" "-analyzer-config" "-Xclang" "unroll-loops=true"
```
Crash message:
```
1. <eof> parser at end of file
2. While analyzing stack:
#0 Calling formatter<bitset<6>>::writer::operator()(int)
#0 0x00007f58617c81d8 llvm::sys::PrintStackTrace(llvm::raw_ostream&, int) (/usr/local/bin/../lib/../lib/libLLVMSupport.so.16+0x1ce1d8)
#1 0x00007f58617c5c2c SignalHandler(int) Signals.cpp:0:0
#2 0x00007f586580edd0 (/lib/x86_64-linux-gnu/libc.so.6+0x38dd0)
#3 0x00007f586580ed51 raise (/lib/x86_64-linux-gnu/libc.so.6+0x38d51)
#4 0x00007f58657f8537 abort (/lib/x86_64-linux-gnu/libc.so.6+0x22537)
#5 0x00007f58657f840f (/lib/x86_64-linux-gnu/libc.so.6+0x2240f)
#6 0x00007f58658076d2 (/lib/x86_64-linux-gnu/libc.so.6+0x316d2)
#7 0x00007f58616766b2 (/usr/local/bin/../lib/../lib/libLLVMSupport.so.16+0x7c6b2)
#8 0x00007f585b12fa7a clang::ento::shouldCompletelyUnroll(clang::Stmt const*, clang::ASTContext&, clang::ento::ExplodedNode*, unsigned int&) (.part.0) LoopUnrolling.cpp:0:0
#9 0x00007f585b130ff3 clang::ento::updateLoopStack(clang::Stmt const*, clang::ASTContext&, clang::ento::ExplodedNode*, unsigned int) (/usr/local/bin/../lib/../lib/../lib/../lib/libclangStaticAnalyzerCore.so.16+0x16aff3)
#10 0x00007f585b0dc770 clang::ento::ExprEngine::processCFGBlockEntrance(clang::BlockEdge const&, clang::ento::NodeBuilderWithSinks&, clang::ento::ExplodedNode*) (/usr/local/bin/../lib/../lib/../lib/../lib/libclangStaticAnalyzerCore.so.16+0x116770)
#11 0x00007f585b0abdc6 clang::ento::CoreEngine::HandleBlockEdge(clang::BlockEdge const&, clang::ento::ExplodedNode*) (/usr/local/bin/../lib/../lib/../lib/../lib/libclangStaticAnalyzerCore.so.16+0xe5dc6)
#12 0x00007f585b0ace5a clang::ento::CoreEngine::dispatchWorkItem(clang::ento::ExplodedNode*, clang::ProgramPoint, clang::ento::WorkListUnit const&) (/usr/local/bin/../lib/../lib/../lib/../lib/libclangStaticAnalyzerCore.so.16+0xe6e5a)
#13 0x00007f585b0ad0aa clang::ento::CoreEngine::ExecuteWorkList(clang::LocationContext const*, unsigned int, llvm::IntrusiveRefCntPtr<clang::ento::ProgramState const>) (/usr/local/bin/../lib/../lib/../lib/../lib/libclangStaticAnalyzerCore.so.16+0xe70aa)
#14 0x00007f585f7e13a2 (anonymous namespace)::AnalysisConsumer::RunPathSensitiveChecks(clang::Decl*, clang::ento::ExprEngine::InliningModes, llvm::DenseSet<clang::Decl const*, llvm::DenseMapInfo<clang::Decl const*, void>>*) AnalysisConsumer.cpp:0:0
#15 0x00007f585f7fcc3a (anonymous namespace)::AnalysisConsumer::HandleDeclsCallGraph(unsigned int) AnalysisConsumer.cpp:0:0
#16 0x00007f585f7fdd53 (anonymous namespace)::AnalysisConsumer::HandleTranslationUnit(clang::ASTContext&) AnalysisConsumer.cpp:0:0
#17 0x00007f585f5b6468 clang::MultiplexConsumer::HandleTranslationUnit(clang::ASTContext&) (/usr/local/bin/../lib/../lib/../lib/libclangFrontend.so.16+0x15a468)
#18 0x00007f585a3762c5 clang::ParseAST(clang::Sema&, bool, bool) (/usr/local/bin/../lib/../lib/../lib/../lib/libclangParse.so.16+0x352c5)
#19 0x00007f585f57fbb9 clang::FrontendAction::Execute() (/usr/local/bin/../lib/../lib/../lib/libclangFrontend.so.16+0x123bb9)
#20 0x00007f585f4f62c6 clang::CompilerInstance::ExecuteAction(clang::FrontendAction&) (/usr/local/bin/../lib/../lib/../lib/libclangFrontend.so.16+0x9a2c6)
#21 0x00007f586222de7d clang::tooling::FrontendActionFactory::runInvocation(std::shared_ptr<clang::CompilerInvocation>, clang::FileManager*, std::shared_ptr<clang::PCHContainerOperations>, clang::DiagnosticConsumer*) (/usr/local/bin/../lib/../lib/libclangTooling.so.16+0x6fe7d)
#22 0x00007f58622ee1ca clang::tidy::(anonymous namespace)::ActionFactory::runInvocation(std::shared_ptr<clang::CompilerInvocation>, clang::FileManager*, std::shared_ptr<clang::PCHContainerOperations>, clang::DiagnosticConsumer*) ClangTidyStandaloneRunner.cpp:0:0
#23 0x00007f58622248fc clang::tooling::ToolInvocation::runInvocation(char const*, clang::driver::Compilation*, std::shared_ptr<clang::CompilerInvocation>, std::shared_ptr<clang::PCHContainerOperations>) (/usr/local/bin/../lib/../lib/libclangTooling.so.16+0x668fc)
#24 0x00007f5862229de8 clang::tooling::ToolInvocation::run() (/usr/local/bin/../lib/../lib/libclangTooling.so.16+0x6bde8)
#25 0x00007f586222bc71 clang::tooling::ClangTool::runCompileCommands(clang::tooling::ToolAction*) (/usr/local/bin/../lib/../lib/libclangTooling.so.16+0x6dc71)
#26 0x00007f586222ccae clang::tooling::ClangTool::run(clang::tooling::ToolAction*) (/usr/local/bin/../lib/../lib/libclangTooling.so.16+0x6ecae)
#27 0x00007f58622ef2dd clang::tidy::runClangTidy(clang::tidy::ClangTidyContext&, clang::tooling::CompilationDatabase const&, llvm::ArrayRef<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char>>>, llvm::IntrusiveRefCntPtr<llvm::vfs::OverlayFileSystem>, bool, bool, llvm::StringRef) (/usr/local/bin/../lib/../lib/libclangTidy.so.16+0x9f2dd)
#28 0x00007f58659d850e clang::tidy::clangTidyMain(int, char const**) (/usr/local/bin/../lib/libclangTidyMain.so.16+0x1850e)
#29 0x00007f58657f9d7a __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x23d7a)
#30 0x000055f1e8a4e08a _start (/usr/local/bin/clang-tidy+0x108a)
```
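I think the cause may be in `clang/lib/StaticAnalyzer/Core/LoopUnrolling.cpp`. In the excerpt below, the first `zext` always targets `BoundNum`'s width, so when `InitNum` is the wider of the two (here `pos` is initialised from the `long` `N` and compared with the `int` literal `0`) it is asked to zero-extend to a smaller width, which `APInt::zext` does not allow; the second `zext` then has nothing left to widen. Extending both values to the larger of the two widths would presumably avoid the abort.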
```cpp
static bool shouldCompletelyUnroll(const Stmt *LoopStmt, ASTContext &ASTCtx,
ExplodedNode *Pred, unsigned &maxStep) {
// ....
if (InitNum.getBitWidth() != BoundNum.getBitWidth()) {
InitNum = InitNum.zext(BoundNum.getBitWidth());
BoundNum = BoundNum.zext(InitNum.getBitWidth());
}
```
</pre>