Crash in MallocChecker

Devin Coughlin via cfe-commits cfe-commits at lists.llvm.org
Wed Nov 30 17:54:53 PST 2016


+ Artem and Daniel,

Thanks for the patch! This fix seems reasonable to me, although it would be good to add the reproducer as a test case! (tests/Analysis/malloc.cpp would be a fine place for it).

Devin

Attachment: patch.txt <http://lists.llvm.org/pipermail/cfe-commits/attachments/20161130/c99f6501/attachment-0001.txt>


> On Nov 30, 2016, at 4:10 PM, Abramo Bagnara <abramo.bagnara at gmail.com> wrote:
> 
> Please consider to review and apply the attached patch.
> 
> This is how to reproduce the bug:
> 
> abramo at tester:~$ cat bug.cpp
> void f(int a, int b)
> {
>    new char[a * b];
> }
> abramo at tester:~$ ~/llvm-build/bin/clang -cc1 -analyze
> -analyzer-checker=cplusplus.NewDeleteLeaks bug.cpp
> clang:
> /home/abramo/llvm/tools/clang/include/clang/StaticAnalyzer/Core/PathSensitive/SVals.h:76:
> T clang::ento::SVal::castAs() const [with T = clang::ento::NonLoc]:
> Assertion `T::isKind(*this)' failed.
> #0 0x0000000003689a0f llvm::sys::PrintStackTrace(llvm::raw_ostream&)
> /home/abramo/llvm/lib/Support/Unix/Signals.inc:402:0
> #1 0x0000000003689d6a PrintStackTraceSignalHandler(void*)
> /home/abramo/llvm/lib/Support/Unix/Signals.inc:466:0
> #2 0x0000000003687f30 llvm::sys::RunSignalHandlers()
> /home/abramo/llvm/lib/Support/Signals.cpp:44:0
> #3 0x00000000036893a1 SignalHandler(int)
> /home/abramo/llvm/lib/Support/Unix/Signals.inc:256:0
> #4 0x00007f7833b31330 __restore_rt
> (/lib/x86_64-linux-gnu/libpthread.so.0+0x10330)
> #5 0x00007f783291dc37 gsignal
> /build/eglibc-oGUzwX/eglibc-2.19/signal/../nptl/sysdeps/unix/sysv/linux/raise.c:56:0
> #6 0x00007f7832921028 abort
> /build/eglibc-oGUzwX/eglibc-2.19/stdlib/abort.c:91:0
> #7 0x00007f7832916bf6 __assert_fail_base
> /build/eglibc-oGUzwX/eglibc-2.19/assert/assert.c:92:0
> #8 0x00007f7832916ca2 (/lib/x86_64-linux-gnu/libc.so.6+0x2fca2)
> #9 0x0000000005b1769d clang::ento::NonLoc
> clang::ento::SVal::castAs<clang::ento::NonLoc>() const
> /home/abramo/llvm/tools/clang/include/clang/StaticAnalyzer/Core/PathSensitive/SVals.h:77:0
> #10 0x0000000005bf5a20 (anonymous
> namespace)::MallocChecker::addExtentSize(clang::ento::CheckerContext&,
> clang::CXXNewExpr const*,
> llvm::IntrusiveRefCntPtr<clang::ento::ProgramState const>)
> /home/abramo/llvm/tools/clang/lib/StaticAnalyzer/Checkers/MallocChecker.cpp:1036:0
> #11 0x0000000005bf5601 (anonymous
> namespace)::MallocChecker::checkPostStmt(clang::CXXNewExpr const*,
> clang::ento::CheckerContext&) const
> /home/abramo/llvm/tools/clang/lib/StaticAnalyzer/Checkers/MallocChecker.cpp:991:0
> #12 0x0000000005c0aa29 void
> clang::ento::check::PostStmt<clang::CXXNewExpr>::_checkStmt<(anonymous
> namespace)::MallocChecker>(void*, clang::Stmt const*,
> clang::ento::CheckerContext&)
> /home/abramo/llvm/tools/clang/include/clang/StaticAnalyzer/Core/Checker.h:105:0
> #13 0x0000000005f0d9a8 clang::ento::CheckerFn<void (clang::Stmt const*,
> clang::ento::CheckerContext&)>::operator()(clang::Stmt const*,
> clang::ento::CheckerContext&) const
> /home/abramo/llvm/tools/clang/include/clang/StaticAnalyzer/Core/CheckerManager.h:60:0
> #14 0x0000000005f08002 (anonymous
> namespace)::CheckStmtContext::runChecker(clang::ento::CheckerFn<void
> (clang::Stmt const*, clang::ento::CheckerContext&)>,
> clang::ento::NodeBuilder&, clang::ento::ExplodedNode*)
> /home/abramo/llvm/tools/clang/lib/StaticAnalyzer/Core/CheckerManager.cpp:161:0
> #15 0x0000000005f0a761 void expandGraphWithCheckers<(anonymous
> namespace)::CheckStmtContext>((anonymous namespace)::CheckStmtContext,
> clang::ento::ExplodedNodeSet&, clang::ento::ExplodedNodeSet const&)
> /home/abramo/llvm/tools/clang/lib/StaticAnalyzer/Core/CheckerManager.cpp:121:0
> #16 0x0000000005f080b2
> clang::ento::CheckerManager::runCheckersForStmt(bool,
> clang::ento::ExplodedNodeSet&, clang::ento::ExplodedNodeSet const&,
> clang::Stmt const*, clang::ento::ExprEngine&, bool)
> /home/abramo/llvm/tools/clang/lib/StaticAnalyzer/Core/CheckerManager.cpp:175:0
> #17 0x0000000005f40184
> clang::ento::CheckerManager::runCheckersForPostStmt(clang::ento::ExplodedNodeSet&,
> clang::ento::ExplodedNodeSet const&, clang::Stmt const*,
> clang::ento::ExprEngine&, bool)
> /home/abramo/llvm/tools/clang/include/clang/StaticAnalyzer/Core/CheckerManager.h:206:0
> #18 0x0000000005f3770a clang::ento::ExprEngine::Visit(clang::Stmt
> const*, clang::ento::ExplodedNode*, clang::ento::ExplodedNodeSet&)
> /home/abramo/llvm/tools/clang/lib/StaticAnalyzer/Core/ExprEngine.cpp:1151:0
> #19 0x0000000005f341e4
> clang::ento::ExprEngine::ProcessStmt(clang::CFGStmt,
> clang::ento::ExplodedNode*)
> /home/abramo/llvm/tools/clang/lib/StaticAnalyzer/Core/ExprEngine.cpp:463:0
> #20 0x0000000005f334e4
> clang::ento::ExprEngine::processCFGElement(clang::CFGElement,
> clang::ento::ExplodedNode*, unsigned int,
> clang::ento::NodeBuilderContext*)
> /home/abramo/llvm/tools/clang/lib/StaticAnalyzer/Core/ExprEngine.cpp:311:0
> #21 0x0000000005f228db
> clang::ento::CoreEngine::HandlePostStmt(clang::CFGBlock const*, unsigned
> int, clang::ento::ExplodedNode*)
> /home/abramo/llvm/tools/clang/lib/StaticAnalyzer/Core/CoreEngine.cpp:532:0
> #22 0x0000000005f217ea
> clang::ento::CoreEngine::dispatchWorkItem(clang::ento::ExplodedNode*,
> clang::ProgramPoint, clang::ento::WorkListUnit const&)
> /home/abramo/llvm/tools/clang/lib/StaticAnalyzer/Core/CoreEngine.cpp:279:0
> #23 0x0000000005f213ca
> clang::ento::CoreEngine::ExecuteWorkList(clang::LocationContext const*,
> unsigned int, llvm::IntrusiveRefCntPtr<clang::ento::ProgramState const>)
> /home/abramo/llvm/tools/clang/lib/StaticAnalyzer/Core/CoreEngine.cpp:216:0
> #24 0x0000000004e7ee6a
> clang::ento::ExprEngine::ExecuteWorkList(clang::LocationContext const*,
> unsigned int)
> /home/abramo/llvm/tools/clang/include/clang/StaticAnalyzer/Core/PathSensitive/ExprEngine.h:109:0
> #25 0x0000000004e388be (anonymous
> namespace)::AnalysisConsumer::ActionExprEngine(clang::Decl*, bool,
> clang::ento::ExprEngine::InliningModes, llvm::DenseSet<clang::Decl
> const*, llvm::DenseMapInfo<clang::Decl const*> >*)
> /home/abramo/llvm/tools/clang/lib/StaticAnalyzer/Frontend/AnalysisConsumer.cpp:724:0
> #26 0x0000000004e389d8 (anonymous
> namespace)::AnalysisConsumer::RunPathSensitiveChecks(clang::Decl*,
> clang::ento::ExprEngine::InliningModes, llvm::DenseSet<clang::Decl
> const*, llvm::DenseMapInfo<clang::Decl const*> >*)
> /home/abramo/llvm/tools/clang/lib/StaticAnalyzer/Frontend/AnalysisConsumer.cpp:741:0
> #27 0x0000000004e386a0 (anonymous
> namespace)::AnalysisConsumer::HandleCode(clang::Decl*, unsigned int,
> clang::ento::ExprEngine::InliningModes, llvm::DenseSet<clang::Decl
> const*, llvm::DenseMapInfo<clang::Decl const*> >*)
> /home/abramo/llvm/tools/clang/lib/StaticAnalyzer/Frontend/AnalysisConsumer.cpp:688:0
> #28 0x0000000004e3769d (anonymous
> namespace)::AnalysisConsumer::HandleDeclsCallGraph(unsigned int)
> /home/abramo/llvm/tools/clang/lib/StaticAnalyzer/Frontend/AnalysisConsumer.cpp:502:0
> #29 0x0000000004e37a5f (anonymous
> namespace)::AnalysisConsumer::HandleTranslationUnit(clang::ASTContext&)
> /home/abramo/llvm/tools/clang/lib/StaticAnalyzer/Frontend/AnalysisConsumer.cpp:553:0
> #30 0x0000000004ed2d07 clang::ParseAST(clang::Sema&, bool, bool)
> /home/abramo/llvm/tools/clang/lib/Parse/ParseAST.cpp:161:0
> #31 0x0000000003e9fd28 clang::ASTFrontendAction::ExecuteAction()
> /home/abramo/llvm/tools/clang/lib/Frontend/FrontendAction.cpp:559:0
> #32 0x0000000003e9f7ed clang::FrontendAction::Execute()
> /home/abramo/llvm/tools/clang/lib/Frontend/FrontendAction.cpp:462:0
> #33 0x0000000003e4cc53
> clang::CompilerInstance::ExecuteAction(clang::FrontendAction&)
> /home/abramo/llvm/tools/clang/lib/Frontend/CompilerInstance.cpp:886:0
> #34 0x0000000003fbf578
> clang::ExecuteCompilerInvocation(clang::CompilerInstance*)
> /home/abramo/llvm/tools/clang/lib/FrontendTool/ExecuteCompilerInvocation.cpp:249:0
> #35 0x0000000001c2a827 cc1_main(llvm::ArrayRef<char const*>, char
> const*, void*) /home/abramo/llvm/tools/clang/tools/driver/cc1_main.cpp:221:0
> #36 0x0000000001c20b3f ExecuteCC1Tool(llvm::ArrayRef<char const*>,
> llvm::StringRef) /home/abramo/llvm/tools/clang/tools/driver/driver.cpp:299:0
> #37 0x0000000001c2174b main
> /home/abramo/llvm/tools/clang/tools/driver/driver.cpp:380:0
> #38 0x00007f7832908f45 __libc_start_main
> /build/eglibc-oGUzwX/eglibc-2.19/csu/libc-start.c:321:0
> #39 0x0000000001c1e439 _start (/home/abramo/llvm-build/bin/clang+0x1c1e439)
> Stack dump:
> 0.	Program arguments: /home/abramo/llvm-build/bin/clang -cc1 -analyze
> -analyzer-checker=cplusplus.NewDeleteLeaks bug.cpp
> 1.	<eof> parser at end of file
> 2.	While analyzing stack:
> 	#0 void f(int a, int b)
> 3.	bug.cpp:3:5: Error evaluating statement
> 4.	bug.cpp:3:5: Error evaluating statement
> Aborted
> 
> 
> 
> 
> -- 
> Abramo Bagnara
> 
> BUGSENG srl - http://bugseng.com
> mailto:abramo.bagnara at bugseng.com
> <patch.txt>
