[PATCH] D74735: [analyzer] Add support for CXXInheritedCtorInitExpr.

Balázs Benics via Phabricator via cfe-commits cfe-commits at lists.llvm.org
Fri Mar 6 01:08:01 PST 2020


steakhal added a comment.
Herald added a subscriber: danielkiss.

This patch introduced a crash while I was analyzing libpressio <https://github.com/robertu94/libpressio>.
I was using the `CodeChecker` to drive the analysis with the `--enable-all` flag.

The exact command was the following:

  /home/username/git/llvm-project/build/debug/bin/clang-11 --analyze -Qunused-arguments -Xclang -analyzer-opt-analyze-headers -Xclang -analyzer-output=plist-multi-file -o /home/username/git/libpressio/build/results/pressio_options.cc_clangsa_0316a939d2e5f7ba700a67a7cc467d92.plist -Xclang -analyzer-config -Xclang expand-macros=true -Xclang -analyzer-checker=apiModeling.StdCLibraryFunctions -Xclang -analyzer-checker=apiModeling.TrustNonnull -Xclang -analyzer-checker=apiModeling.google.GTest -Xclang -analyzer-checker=apiModeling.llvm.CastValue -Xclang -analyzer-checker=apiModeling.llvm.ReturnValue -Xclang -analyzer-checker=core.CallAndMessage -Xclang -analyzer-checker=core.DivideZero -Xclang -analyzer-checker=core.DynamicTypePropagation -Xclang -analyzer-checker=core.NonNullParamChecker -Xclang -analyzer-checker=core.NonnilStringConstants -Xclang -analyzer-checker=core.NullDereference -Xclang -analyzer-checker=core.StackAddrEscapeBase -Xclang -analyzer-checker=core.StackAddressEscape -Xclang -analyzer-checker=core.UndefinedBinaryOperatorResult -Xclang -analyzer-checker=core.VLASize -Xclang -analyzer-checker=core.builtin.BuiltinFunctions -Xclang -analyzer-checker=core.builtin.NoReturnFunctions -Xclang -analyzer-checker=core.uninitialized.ArraySubscript -Xclang -analyzer-checker=core.uninitialized.Assign -Xclang -analyzer-checker=core.uninitialized.Branch -Xclang -analyzer-checker=core.uninitialized.CapturedBlockVariable -Xclang -analyzer-checker=core.uninitialized.UndefReturn -Xclang -analyzer-checker=cplusplus.InnerPointer -Xclang -analyzer-checker=cplusplus.Move -Xclang -analyzer-checker=cplusplus.NewDelete -Xclang -analyzer-checker=cplusplus.NewDeleteLeaks -Xclang -analyzer-checker=cplusplus.PlacementNew -Xclang -analyzer-checker=cplusplus.PureVirtualCall -Xclang -analyzer-checker=cplusplus.SelfAssignment -Xclang -analyzer-checker=cplusplus.SmartPtr -Xclang -analyzer-checker=cplusplus.VirtualCallModeling -Xclang -analyzer-checker=deadcode.DeadStores -Xclang 
-analyzer-checker=fuchsia.HandleChecker -Xclang -analyzer-checker=nullability.NullPassedToNonnull -Xclang -analyzer-checker=nullability.NullReturnedFromNonnull -Xclang -analyzer-checker=nullability.NullabilityBase -Xclang -analyzer-checker=nullability.NullableDereferenced -Xclang -analyzer-checker=nullability.NullablePassedToNonnull -Xclang -analyzer-checker=nullability.NullableReturnedFromNonnull -Xclang -analyzer-checker=optin.cplusplus.UninitializedObject -Xclang -analyzer-checker=optin.cplusplus.VirtualCall -Xclang -analyzer-checker=optin.mpi.MPI-Checker -Xclang -analyzer-checker=optin.osx.OSObjectCStyleCast -Xclang -analyzer-checker=optin.osx.cocoa.localizability.EmptyLocalizationContextChecker -Xclang -analyzer-checker=optin.osx.cocoa.localizability.NonLocalizedStringChecker -Xclang -analyzer-checker=optin.performance.GCDAntipattern -Xclang -analyzer-checker=optin.performance.Padding -Xclang -analyzer-checker=optin.portability.UnixAPI -Xclang -analyzer-checker=security.FloatLoopCounter -Xclang -analyzer-checker=security.insecureAPI.DeprecatedOrUnsafeBufferHandling -Xclang -analyzer-checker=security.insecureAPI.SecuritySyntaxChecker -Xclang -analyzer-checker=security.insecureAPI.UncheckedReturn -Xclang -analyzer-checker=security.insecureAPI.bcmp -Xclang -analyzer-checker=security.insecureAPI.bcopy -Xclang -analyzer-checker=security.insecureAPI.bzero -Xclang -analyzer-checker=security.insecureAPI.decodeValueOfObjCType -Xclang -analyzer-checker=security.insecureAPI.getpw -Xclang -analyzer-checker=security.insecureAPI.gets -Xclang -analyzer-checker=security.insecureAPI.mkstemp -Xclang -analyzer-checker=security.insecureAPI.mktemp -Xclang -analyzer-checker=security.insecureAPI.rand -Xclang -analyzer-checker=security.insecureAPI.strcpy -Xclang -analyzer-checker=security.insecureAPI.vfork -Xclang -analyzer-checker=unix.API -Xclang -analyzer-checker=unix.DynamicMemoryModeling -Xclang -analyzer-checker=unix.Malloc -Xclang -analyzer-checker=unix.MallocSizeof -Xclang 
-analyzer-checker=unix.MismatchedDeallocator -Xclang -analyzer-checker=unix.Vfork -Xclang -analyzer-checker=unix.cstring.BadSizeArg -Xclang -analyzer-checker=unix.cstring.CStringModeling -Xclang -analyzer-checker=unix.cstring.NullArg -Xclang -analyzer-checker=valist.CopyToSelf -Xclang -analyzer-checker=valist.Uninitialized -Xclang -analyzer-checker=valist.Unterminated -Xclang -analyzer-checker=valist.ValistBase -Xclang -analyzer-config -Xclang aggressive-binary-operation-simplification=true -Xclang -analyzer-config -Xclang crosscheck-with-z3=true -x c++ --target=x86_64-linux-gnu -std=gnu++14 -Dlibpressio_EXPORTS -I/home/username/git/libpressio/include -I/home/username/git/libpressio/build/include -O3 -fPIC -std=gnu++17 -isystem /usr/include/c++/9 -isystem /usr/include/x86_64-linux-gnu/c++/9 -isystem /usr/include/c++/9/backward -isystem /usr/local/include -isystem /usr/include/x86_64-linux-gnu -isystem /usr/include /home/username/git/libpressio/src/pressio_options.cc

The top 25 frames of the call stack in GDB were:

  #0  __GI_raise (sig=sig at entry=6) at ../sysdeps/unix/sysv/linux/raise.c:51
  #1  0x00007fffeeb9e801 in __GI_abort () at abort.c:79
  #2  0x00007fffeeb8e39a in __assert_fail_base (fmt=0x7fffeed157d8 "%s%s%s:%u: %s%sAssertion `%s' failed.\n%n", assertion=assertion at entry=0x7fffe4662d48 "Val && \"isa<> used on a null pointer\"", 
      file=file at entry=0x7fffe465d910 "../../llvm/include/llvm/Support/Casting.h", line=line at entry=104, 
      function=function at entry=0x7fffe4663d90 "static bool llvm::isa_impl_cl<To, const From*>::doit(const From*) [with To = clang::CXXInheritedCtorInitExpr; From = clang::Stmt]") at assert.c:92
  #3  0x00007fffeeb8e412 in __GI___assert_fail (assertion=0x7fffe4662d48 "Val && \"isa<> used on a null pointer\"", file=0x7fffe465d910 "../../llvm/include/llvm/Support/Casting.h", line=104, 
      function=0x7fffe4663d90 "static bool llvm::isa_impl_cl<To, const From*>::doit(const From*) [with To = clang::CXXInheritedCtorInitExpr; From = clang::Stmt]") at assert.c:101
  #4  0x00007fffe493cc5b in llvm::isa_impl_cl<clang::CXXInheritedCtorInitExpr, clang::Stmt const*>::doit (Val=0x0) at ../../llvm/include/llvm/Support/Casting.h:104
  #5  0x00007fffe493b450 in llvm::isa_impl_wrap<clang::CXXInheritedCtorInitExpr, clang::Stmt const*, clang::Stmt const*>::doit (Val=@0x7fffffff7bd0: 0x0) at ../../llvm/include/llvm/Support/Casting.h:131
  #6  0x00007fffe4938d89 in llvm::isa_impl_wrap<clang::CXXInheritedCtorInitExpr, clang::Stmt const* const, clang::Stmt const*>::doit (Val=@0x7fffffff7c28: 0x0)
      at ../../llvm/include/llvm/Support/Casting.h:122
  #7  0x00007fffe4935e6a in llvm::isa<clang::CXXInheritedCtorInitExpr, clang::Stmt const*> (Val=@0x7fffffff7c28: 0x0) at ../../llvm/include/llvm/Support/Casting.h:142
  #8  0x00007fffe492c2f1 in clang::ento::CXXInheritedConstructorCall::getInheritingStackFrame (this=0x55555755dbe8) at ../../clang/lib/StaticAnalyzer/Core/CallEvent.cpp:924
  #9  0x00007fffe4932d70 in clang::ento::CXXInheritedConstructorCall::getInheritingConstructor (this=0x55555755dbe8) at ../../clang/include/clang/StaticAnalyzer/Core/PathSensitive/CallEvent.h:932
  #10 0x00007fffe4932d9a in clang::ento::CXXInheritedConstructorCall::getNumArgs (this=0x55555755dbe8) at ../../clang/include/clang/StaticAnalyzer/Core/PathSensitive/CallEvent.h:936
  #11 0x00007fffe52e06b8 in (anonymous namespace)::CallAndMessageChecker::checkPreCall (this=0x555555684e50, Call=..., C=...) at ../../clang/lib/StaticAnalyzer/Checkers/CallAndMessageChecker.cpp:404
  #12 0x00007fffe52e21c8 in clang::ento::check::PreCall::_checkCall<(anonymous namespace)::CallAndMessageChecker> (checker=0x555555684e50, msg=..., C=...)
      at ../../clang/include/clang/StaticAnalyzer/Core/Checker.h:168
  #13 0x00007fffe494f0da in clang::ento::CheckerFn<void (clang::ento::CallEvent const&, clang::ento::CheckerContext&)>::operator()(clang::ento::CallEvent const&, clang::ento::CheckerContext&) const (
      this=0x7fffffff8020, ps#0=..., ps#1=...) at ../../clang/include/clang/StaticAnalyzer/Core/CheckerManager.h:69
  #14 0x00007fffe4946b30 in (anonymous namespace)::CheckCallContext::runChecker (this=0x7fffffff8260, checkFn=..., Bldr=..., Pred=0x55555755db60)
      at ../../clang/lib/StaticAnalyzer/Core/CheckerManager.cpp:291
  #15 0x00007fffe494a0f9 in expandGraphWithCheckers<(anonymous namespace)::CheckCallContext> (checkCtx=..., Dst=..., Src=...) at ../../clang/lib/StaticAnalyzer/Core/CheckerManager.cpp:139
  #16 0x00007fffe4946c07 in clang::ento::CheckerManager::runCheckersForCallEvent (this=0x555555673eb0, isPreVisit=true, Dst=..., Src=..., Call=..., Eng=..., WasInlined=false)
      at ../../clang/lib/StaticAnalyzer/Core/CheckerManager.cpp:308
  #17 0x00007fffe49ccbcf in clang::ento::CheckerManager::runCheckersForPreCall (this=0x555555673eb0, Dst=..., Src=..., Call=..., Eng=...)
      at ../../clang/include/clang/StaticAnalyzer/Core/CheckerManager.h:274
  #18 0x00007fffe49c9a72 in clang::ento::ExprEngine::handleConstructor (this=0x7fffffff9240, E=0x7fffe187cbb8, Pred=0x55555755db60, destNodes=...)
      at ../../clang/lib/StaticAnalyzer/Core/ExprEngineCXX.cpp:551
  #19 0x00007fffe49ca076 in clang::ento::ExprEngine::VisitCXXInheritedCtorInitExpr (this=0x7fffffff9240, CE=0x7fffe187cbb8, Pred=0x55555755db60, Dst=...)
      at ../../clang/lib/StaticAnalyzer/Core/ExprEngineCXX.cpp:627
  #20 0x00007fffe4997c85 in clang::ento::ExprEngine::Visit (this=0x7fffffff9240, S=0x7fffe187cbb8, Pred=0x55555755db60, DstTop=...) at ../../clang/lib/StaticAnalyzer/Core/ExprEngine.cpp:1623
  #21 0x00007fffe499385c in clang::ento::ExprEngine::ProcessStmt (this=0x7fffffff9240, currStmt=0x7fffe187cbb8, Pred=0x55555755da88) at ../../clang/lib/StaticAnalyzer/Core/ExprEngine.cpp:791
  #22 0x00007fffe4992af2 in clang::ento::ExprEngine::processCFGElement (this=0x7fffffff9240, E=..., Pred=0x55555755da88, StmtIdx=0, Ctx=0x7fffffff8ea0)
      at ../../clang/lib/StaticAnalyzer/Core/ExprEngine.cpp:637
  #23 0x00007fffe496900e in clang::ento::CoreEngine::HandleBlockEntrance (this=0x7fffffff9260, L=..., Pred=0x55555755da88) at ../../clang/lib/StaticAnalyzer/Core/CoreEngine.cpp:290
  #24 0x00007fffe4968523 in clang::ento::CoreEngine::dispatchWorkItem (this=0x7fffffff9260, Pred=0x55555755da88, Loc=..., WU=...) at ../../clang/lib/StaticAnalyzer/Core/CoreEngine.cpp:163
  #25 0x00007fffe49683ed in clang::ento::CoreEngine::ExecuteWorkList (this=0x7fffffff9260, L=0x5555579d0320, Steps=224998, InitState=...) at ../../clang/lib/StaticAnalyzer/Core/CoreEngine.cpp:148

Which might be caused by a `dyn_cast`.

I'm using clang at commit hash `95a94df5a9c3d7d2aa92b6beb13e82d8d5832e2e`.
My GCC version is `gcc (Ubuntu 9.2.1-17ubuntu1~18.04.1) 9.2.1 20191102`.

Breaking on the `SIGABRT` signal in GDB and examining the source location of the place:

  (gdb) p Call.getSourceRange().dump(C.getSourceManager())
  </usr/include/c++/9/variant:580:20>

Where the code was something like this (the full source code is available in the GitHub gcc repo <https://github.com/gcc-mirror/gcc/blob/releases/gcc-9.2.0/libstdc++-v3/include/std/variant#L580>):

  template<bool, typename... _Types>
  struct _Copy_assign_base : _Move_ctor_alias<_Types...>
  {
    using _Base = _Move_ctor_alias<_Types...>;
    using _Base::_Base;
  //^^^^^^^^^^^^^^^^^^
  
    _Copy_assign_base&
    operator=(const _Copy_assign_base& __rhs) noexcept(_Traits<_Types...>::_S_nothrow_copy_assign)
    {
  [...]

Sorry if this is not the right place for the report. @NoQ


Repository:
  rG LLVM Github Monorepo

https://reviews.llvm.org/D74735
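A reduced stand-alone C++ input exhibiting the same construct, added here as an example and not part of the report or of libstdc++: an alias template used as a base class, with each layer re-exporting the base constructor through `using Base::Base;`, which is the pattern clang represents as `CXXInheritedCtorInitExpr` and the analyzer enters through `VisitCXXInheritedCtorInitExpr`. All names are hypothetical, and whether this particular reduction reaches the same assertion is an assumption rather than something confirmed here.

```cpp
// Constructed reduction of the inheriting-constructor chain in <variant>.
// Not from the report or libstdc++; names are hypothetical.
// Intended as an input for:  clang --analyze -Xclang -analyzer-checker=core.CallAndMessage repro.cpp
#include <utility>

template <typename T>
struct Storage {
    T value;
    explicit Storage(T v) : value(std::move(v)) {}
};

// Alias template as the base, mirroring _Move_ctor_alias<_Types...>.
template <typename T>
using MoveCtorAlias = Storage<T>;

// Mirrors _Copy_assign_base: the constructor is not written out, it is
// inherited from the alias base. Each such inheritance is lowered by clang
// to a CXXInheritedCtorInitExpr inside the synthesized constructor.
template <bool, typename T>
struct CopyAssignBase : MoveCtorAlias<T> {
    using Base = MoveCtorAlias<T>;
    using Base::Base;

    CopyAssignBase& operator=(const CopyAssignBase& rhs) noexcept {
        this->value = rhs.value;
        return *this;
    }
};

// A second layer, so the inherited constructor itself delegates to another
// inherited constructor before reaching Storage<T>(T).
template <typename T>
struct Wrapper : CopyAssignBase<true, T> {
    using Base = CopyAssignBase<true, T>;
    using Base::Base;
};

// Direct-initialisation resolves through two inherited constructors.
int build_and_read(int seed) {
    Wrapper<int> w(seed);
    return w.value;
}

// Exercises the copy-assignment path shown in the excerpt as well.
int assign_and_read(int first, int second) {
    Wrapper<int> a(first);
    Wrapper<int> b(second);
    a = b;
    return a.value;
}
```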
