[clang] [Webkit Checkers] Introduce a Webkit checker for memory unsafe casts (PR #114606)
Ryosuke Niwa via cfe-commits
cfe-commits at lists.llvm.org
Thu Nov 7 10:27:20 PST 2024
rniwa wrote:
Hm... I'm still hitting a crash. In debug builds, we hit this assertion:
```
Assertion failed: (DD && "queried property of class with no definition"), function data, file DeclCXX.h, line 452.
PLEASE submit a bug report to https://github.com/llvm/llvm-project/issues/ and include the crash backtrace, preprocessed source, and associated run script.
Stack dump:
0. Program arguments: /Volumes/Data/llvm-project/build-debug/bin/clang-17 -x c++ -target x86_64-apple-macos14.0 -fmessage-length=0 -fdiagnostics-show-note-include-stack -fmacro-backtrace-limit=0 -std=c++2b -stdlib=libc++ -Wno-trigraphs -fno-exceptions -fno-rtti -fno-sanitize=vptr -fpascal-strings -O0 -fno-common -Werror -Wno-missing-field-initializers -Wno-missing-prototypes -Wno-non-virtual-dtor -Wno-overloaded-virtual -Wno-exit-time-destructors -Wno-missing-braces -Wparentheses -Wswitch -Wno-unused-function -Wno-unused-label -Wno-unused-parameter -Wunused-variable -Wunused-value -Wempty-body -Wuninitialized -Wno-unknown-pragmas -Wno-shadow -Wno-four-char-constants -Wno-conversion -Wconstant-conversion -Wint-conversion -Wbool-conversion -Wenum-conversion -Wno-float-conversion -Wnon-literal-null-conversion -Wobjc-literal-conversion -Wno-shorten-64-to-32 -Wnewline-eof -Wno-c++11-extensions -Wno-implicit-fallthrough -DCLANG_WEBKIT_BRANCH=1 -DOPENSSL_NO_ASM -DABSL_ALLOCATOR_NOTHROW -DWEBRTC_WEBKIT_BUILD -isysroot /Applications/Xcode.app/Contents/Developer/Platforms/MacOSX.platform/Developer/SDKs/MacOSX14.0.sdk -fasm-blocks -fstrict-aliasing -Wdeprecated-declarations -Winvalid-offsetof -g -fvisibility=hidden -fvisibility-inlines-hidden -Wno-sign-conversion -Winfinite-recursion -Wmove -Wno-comma -Wblock-capture-autoreleasing -Wstrict-prototypes -Wno-range-loop-analysis -Wno-semicolon-before-method-body -D__clang_analyzer__ -Xclang -analyzer-output=html -Xclang -analyzer-config -Xclang report-in-main-source-file=true -Xclang -analyzer-config -Xclang nullability:NoDiagnoseCallsToSystemHeaders=true -Xclang -analyzer-checker -Xclang optin.osx.cocoa.localizability.NonLocalizedStringChecker -Xclang -analyzer-checker -Xclang security.insecureAPI.UncheckedReturn -Xclang -analyzer-checker -Xclang security.insecureAPI.getpw -Xclang -analyzer-checker -Xclang security.insecureAPI.gets -Xclang -analyzer-checker -Xclang security.insecureAPI.mkstemp -Xclang -analyzer-checker -Xclang 
security.insecureAPI.mktemp -Xclang -analyzer-disable-checker -Xclang security.insecureAPI.rand -Xclang -analyzer-disable-checker -Xclang security.insecureAPI.strcpy -Xclang -analyzer-checker -Xclang security.insecureAPI.vfork -Xclang -analyzer-disable-checker -Xclang alpha,apiModeling,core,cplusplus,deadcode,debug,fuchsia,nullability,optin,osx,security,unix,webkit -Xclang -analyzer-checker -Xclang alpha.webkit.MemoryUnsafeCastChecker,alpha.webkit.NoUncheckedPtrMemberChecker,alpha.webkit.UncountedCallArgsChecker,alpha.webkit.UncountedLocalVarsChecker,webkit.NoUncountedMemberChecker,webkit.RefCntblBaseVirtualDtor -Xclang -analyzer-config -Xclang max-nodes=10000000 -Xclang -analyzer-config -Xclang verbose-report-filename=true -I/Volumes/Data/safari-4/OpenSource/WebKitBuild/Debug/include -ISource/third_party/boringssl/src/include -I/Volumes/Data/safari-4/OpenSource/WebKitBuild/libwebrtc.build/Debug/boringssl.build/DerivedSources-normal/x86_64 -I/Volumes/Data/safari-4/OpenSource/WebKitBuild/libwebrtc.build/Debug/boringssl.build/DerivedSources/x86_64 -I/Volumes/Data/safari-4/OpenSource/WebKitBuild/libwebrtc.build/Debug/boringssl.build/DerivedSources -Wall -Wc99-designator -Wconditional-uninitialized -Wextra -Wdeprecated-enum-enum-conversion -Wdeprecated-enum-float-conversion -Wenum-float-conversion -Wfinal-dtor-non-final-class -Wformat=2 -Wmisleading-indentation -Wreorder-init-list -Wundef -Wvla -Wno-elaborated-enum-base -Wthread-safety -Wno-conditional-uninitialized -Wno-missing-field-initializers -Wno-sign-compare -Wno-undef -Wno-unknown-warning-option -Wno-unused-but-set-parameter -Wno-unused-parameter -Wno-array-parameter -Wno-unused-but-set-variable -Wno-thread-safety-reference-return -Wno-vla -Wexit-time-destructors -Wglobal-constructors -F/Volumes/Data/safari-4/OpenSource/WebKitBuild/Debug -fvisibility=default -D_LIBCPP_ENABLE_ASSERTIONS=1 -isystem /Volumes/Data/safari-4/OpenSource/WebKitLibraries/SDKs/macosx14.0-additions.sdk/usr/local/include -MMD -MT 
dependencies -MF /Volumes/Data/safari-4/analyzer-output/StaticAnalyzer/libwebrtc/boringssl/normal/x86_64/tls_record.d --analyze /Volumes/Data/safari-4/OpenSource/Source/ThirdParty/libwebrtc/Source/third_party/boringssl/src/ssl/tls_record.cc -o /Volumes/Data/safari-4/analyzer-output/StaticAnalyzer/libwebrtc/boringssl/normal/x86_64/tls_record.plist
1. <eof> parser at end of file
Stack dump without symbol names (ensure you have llvm-symbolizer in your PATH or set the environment var `LLVM_SYMBOLIZER_PATH` to point to it):
0 clang-17 0x00000001139060dd llvm::sys::PrintStackTrace(llvm::raw_ostream&, int) + 61
1 clang-17 0x000000011390668b PrintStackTraceSignalHandler(void*) + 27
2 clang-17 0x0000000113904436 llvm::sys::RunSignalHandlers() + 134
3 clang-17 0x000000011390595e llvm::sys::CleanupOnSignal(unsigned long) + 110
4 clang-17 0x00000001137b7697 (anonymous namespace)::CrashRecoveryContextImpl::HandleCrash(int, unsigned long) + 183
5 clang-17 0x00000001137b7a3b CrashRecoverySignalHandler(int) + 187
6 libsystem_platform.dylib 0x00007ff802bc637d _sigtramp + 29
7 libsystem_platform.dylib 0x0000000000000021 _sigtramp + 18446603370535034049
8 libsystem_c.dylib 0x00007ff802ab7a4d abort + 126
9 libsystem_c.dylib 0x00007ff802ab6d60 err + 0
10 clang-17 0x0000000114b64b24 clang::CXXRecordDecl::data() const + 100
11 clang-17 0x0000000119e1b4b5 clang::CXXRecordDecl::bases_begin() const + 21
12 clang-17 0x0000000119d9ae29 clang::CXXRecordDecl::bases() const + 25
13 clang-17 0x000000011a18ceda clang::CXXBasePaths::lookupInBases(clang::ASTContext&, clang::CXXRecordDecl const*, llvm::function_ref<bool (clang::CXXBaseSpecifier const*, clang::CXXBasePath&)>, bool) + 106
14 clang-17 0x000000011a18c7b6 clang::CXXRecordDecl::lookupInBases(llvm::function_ref<bool (clang::CXXBaseSpecifier const*, clang::CXXBasePath&)>, clang::CXXBasePaths&, bool) const + 102
15 clang-17 0x000000011a18c735 clang::CXXRecordDecl::isDerivedFrom(clang::CXXRecordDecl const*, clang::CXXBasePaths&) const + 149
16 clang-17 0x000000011a18c651 clang::CXXRecordDecl::isDerivedFrom(clang::CXXRecordDecl const*) const + 97
17 clang-17 0x00000001177d165f (anonymous namespace)::WalkAST::VisitCastExpr(clang::CastExpr*) + 607
18 clang-17 0x00000001177d13ed clang::StmtVisitorBase<std::__1::add_pointer, (anonymous namespace)::WalkAST, void>::VisitExplicitCastExpr(clang::ExplicitCastExpr*) + 29
19 clang-17 0x00000001177d016d clang::StmtVisitorBase<std::__1::add_pointer, (anonymous namespace)::WalkAST, void>::VisitCStyleCastExpr(clang::CStyleCastExpr*) + 29
20 clang-17 0x00000001177cd20a clang::StmtVisitorBase<std::__1::add_pointer, (anonymous namespace)::WalkAST, void>::Visit(clang::Stmt*) + 3770
21 clang-17 0x00000001177d1232 (anonymous namespace)::WalkAST::VisitChildren(clang::Stmt*) + 146
22 clang-17 0x00000001177d118d (anonymous namespace)::WalkAST::VisitStmt(clang::Stmt*) + 29
23 clang-17 0x00000001177cf80d clang::StmtVisitorBase<std::__1::add_pointer, (anonymous namespace)::WalkAST, void>::VisitReturnStmt(clang::ReturnStmt*) + 29
24 clang-17 0x00000001177cce86 clang::StmtVisitorBase<std::__1::add_pointer, (anonymous namespace)::WalkAST, void>::Visit(clang::Stmt*) + 2870
25 clang-17 0x00000001177d1232 (anonymous namespace)::WalkAST::VisitChildren(clang::Stmt*) + 146
26 clang-17 0x00000001177d118d (anonymous namespace)::WalkAST::VisitStmt(clang::Stmt*) + 29
27 clang-17 0x00000001177ce6fd clang::StmtVisitorBase<std::__1::add_pointer, (anonymous namespace)::WalkAST, void>::VisitCompoundStmt(clang::CompoundStmt*) + 29
28 clang-17 0x00000001177cc820 clang::StmtVisitorBase<std::__1::add_pointer, (anonymous namespace)::WalkAST, void>::Visit(clang::Stmt*) + 1232
29 clang-17 0x00000001177cc2ff (anonymous namespace)::MemoryUnsafeCastChecker::checkASTCodeBody(clang::Decl const*, clang::ento::AnalysisManager&, clang::ento::BugReporter&) const + 95
30 clang-17 0x00000001177cc28d void clang::ento::check::ASTCodeBody::_checkBody<(anonymous namespace)::MemoryUnsafeCastChecker>(void*, clang::Decl const*, clang::ento::AnalysisManager&, clang::ento::BugReporter&) + 45
31 clang-17 0x0000000117b8c8d1 clang::ento::CheckerFn<void (clang::Decl const*, clang::ento::AnalysisManager&, clang::ento::BugReporter&)>::operator()(clang::Decl const*, clang::ento::AnalysisManager&, clang::ento::BugReporter&) const + 49
32 clang-17 0x0000000117b8c9b7 clang::ento::CheckerManager::runCheckersOnASTBody(clang::Decl const*, clang::ento::AnalysisManager&, clang::ento::BugReporter&) + 215
33 clang-17 0x0000000116f9037c (anonymous namespace)::AnalysisConsumer::HandleCode(clang::Decl*, unsigned int, clang::ento::ExprEngine::InliningModes, llvm::DenseSet<clang::Decl const*, llvm::DenseMapInfo<clang::Decl const*, void>>*) + 540
34 clang-17 0x0000000116f96517 (anonymous namespace)::AnalysisConsumer::VisitFunctionDecl(clang::FunctionDecl*) + 311
35 clang-17 0x0000000116f95c6d clang::RecursiveASTVisitor<(anonymous namespace)::AnalysisConsumer>::WalkUpFromFunctionDecl(clang::FunctionDecl*) + 93
36 clang-17 0x0000000116f1c94f clang::RecursiveASTVisitor<(anonymous namespace)::AnalysisConsumer>::TraverseFunctionDecl(clang::FunctionDecl*) + 79
37 clang-17 0x0000000116f13766 clang::RecursiveASTVisitor<(anonymous namespace)::AnalysisConsumer>::TraverseDecl(clang::Decl*) + 2534
38 clang-17 0x0000000116f7aa98 clang::RecursiveASTVisitor<(anonymous namespace)::AnalysisConsumer>::TraverseDeclContextHelper(clang::DeclContext*) + 200
39 clang-17 0x0000000116f16415 clang::RecursiveASTVisitor<(anonymous namespace)::AnalysisConsumer>::TraverseLinkageSpecDecl(clang::LinkageSpecDecl*) + 165
40 clang-17 0x0000000116f13083 clang::RecursiveASTVisitor<(anonymous namespace)::AnalysisConsumer>::TraverseDecl(clang::Decl*) + 771
41 clang-17 0x0000000116f12b8b (anonymous namespace)::AnalysisConsumer::runAnalysisOnTranslationUnit(clang::ASTContext&) + 443
42 clang-17 0x0000000116f0d67e (anonymous namespace)::AnalysisConsumer::HandleTranslationUnit(clang::ASTContext&) + 446
43 clang-17 0x0000000117f7b706 clang::ParseAST(clang::Sema&, bool, bool) + 870
44 clang-17 0x00000001150b8831 clang::ASTFrontendAction::ExecuteAction() + 305
45 clang-17 0x00000001150b7f0c clang::FrontendAction::Execute() + 124
```
https://github.com/llvm/llvm-project/pull/114606