[llvm-bugs] [Bug 28042] New: Crash in static analyzer

via llvm-bugs llvm-bugs at lists.llvm.org
Tue Jun 7 14:21:52 PDT 2016


https://llvm.org/bugs/show_bug.cgi?id=28042

            Bug ID: 28042
           Summary: Crash in static analyzer
           Product: clang
           Version: 3.8
          Hardware: PC
                OS: Linux
            Status: NEW
          Severity: normal
          Priority: P
         Component: Static Analyzer
          Assignee: kremenek at apple.com
          Reporter: andrew.melo at gmail.com
                CC: llvm-bugs at lists.llvm.org
    Classification: Unclassified

Created attachment 16487
  --> https://llvm.org/bugs/attachment.cgi?id=16487&action=edit
lio_fuse_core.c preprocessed

Hello,

With "clang version 3.8.0-2ubuntu3 (tags/RELEASE_380/final)" on ubuntu xenial,
I get two different crashes with my codebase (though one of them appears to
not always occur).

I've posted the stacktrace and command line after this message. The
preprocessed input is attached as an attachment. The "runner-unix" crash
appears to always occur, while the "lio_fuse_core" crash seems to happen
inconsistently.

Thanks!
Andrew

The stacktrace for each file looks the same:

0  libLLVM-3.8.so.1 0x00007f273edecd38
llvm::sys::PrintStackTrace(llvm::raw_ostream&) + 56
1  libLLVM-3.8.so.1 0x00007f273edeafc6 llvm::sys::RunSignalHandlers() + 54
2  libLLVM-3.8.so.1 0x00007f273edeb129
3  libc.so.6        0x00007f273df284a0
4  clang            0x00000000014dc4c5 clang::Stmt::getLocStart() const + 21
5  clang            0x00000000012d5e15
6  clang            0x00000000012d8e49
clang::ento::PathDiagnosticLocation::createBegin(clang::Stmt const*,
clang::SourceManager const&, llvm::PointerUnion<clang::LocationContext const*,
clang::AnalysisDeclContext*>) + 25
7  clang            0x00000000011f7643
8  clang            0x00000000012705f5
clang::ento::CheckerManager::runCheckersForEndAnalysis(clang::ento::ExplodedGraph&,
clang::ento::BugReporter&, clang::ento::ExprEngine&) + 101
9  clang            0x000000000127ba5a
clang::ento::CoreEngine::ExecuteWorkList(clang::LocationContext const*,
unsigned int, llvm::IntrusiveRefCntPtr<clang::ento::ProgramState const>) + 234
10 clang            0x0000000000b279af
11 clang            0x0000000000b282fb
12 clang            0x0000000000b321ce
13 clang            0x0000000000b3676a clang::ParseAST(clang::Sema&, bool,
bool) + 938
14 clang            0x000000000099a1fe clang::FrontendAction::Execute() + 302
15 clang            0x000000000096fbf6
clang::CompilerInstance::ExecuteAction(clang::FrontendAction&) + 278
16 clang            0x0000000000a14aa3
clang::ExecuteCompilerInvocation(clang::CompilerInstance*) + 1987
17 clang            0x00000000006b2d18 cc1_main(llvm::ArrayRef<char const*>,
char const*, void*) + 2264
18 clang            0x00000000006af7ac main + 6252
19 libc.so.6        0x00007f273df13830 __libc_start_main + 240
20 clang            0x00000000006b1159 _start + 41
Stack dump:

And the following is the command line for lio_fuse_core.c

/usr/bin/clang -cc1 -triple x86_64-pc-linux-gnu -analyze -disable-free
-disable-llvm-verifier -main-file-name lio_fuse_core.c -analyzer-store=region
-analyzer-opt-analyze-nested-blocks -analyzer-eagerly-assume
-analyzer-checker=core -analyzer-checker=unix -analyzer-checker=deadcode
-analyzer-checker=security.insecureAPI.UncheckedReturn
-analyzer-checker=security.insecureAPI.getpw
-analyzer-checker=security.insecureAPI.gets
-analyzer-checker=security.insecureAPI.mktemp
-analyzer-checker=security.insecureAPI.mkstemp
-analyzer-checker=security.insecureAPI.vfork
-analyzer-checker=nullability.NullPassedToNonnull
-analyzer-checker=nullability.NullReturnedFromNonnull -analyzer-output plist -w
-mrelocation-model pic -pic-level 2 -mthread-model posix -mdisable-fp-elim
-fmath-errno -masm-verbose -mconstructor-aliases -munwind-tables
-fuse-init-array -target-cpu x86-64 -dwarf-column-info -debugger-tuning=gdb
-resource-dir /usr/lib/llvm-3.8/bin/../lib/clang/3.8.0 -isystem
/tmp/workspace/LStore-Branches/PR-94/build/include -isystem
/tmp/workspace/LStore-Branches/PR-94/build/include/apr-ACCRE-1 -isystem
/tmp/workspace/LStore-Branches/PR-94/build/include/apr-util-ACCRE-1 -D
lio_EXPORTS -I /tmp/workspace/LStore-Branches/PR-94/src/toolbox -I
/tmp/workspace/LStore-Branches/PR-94/src/gop -I
/tmp/workspace/LStore-Branches/PR-94/src/ibp -D _REENTRANT -D _GNU_SOURCE -D
_LARGEFILE64_SOURCE -D _FILE_OFFSET_BITS=64 -D _FILE_OFFSET_BITS=64 -D
LSTORE_HACK_EXPORT -internal-isystem /usr/local/include -internal-isystem
/usr/lib/llvm-3.8/bin/../lib/clang/3.8.0/include -internal-externc-isystem
/usr/include/x86_64-linux-gnu -internal-externc-isystem /include
-internal-externc-isystem /usr/include -Wno-unused-parameter
-Wno-deprecated-declarations -std=c99 -fdebug-compilation-dir
/tmp/workspace/LStore-Branches/PR-94/build/src/lio -ferror-limit 19
-fmessage-length 0 -fvisibility hidden -fobjc-runtime=gcc
-fdiagnostics-show-option -analyzer-display-progress -analyzer-checker
alpha.core.BoolAssignment -analyzer-checker
alpha.core.CallAndMessageUnInitRefArg -analyzer-checker alpha.core.CastSize
-analyzer-checker alpha.core.CastToStruct -analyzer-checker
alpha.core.DynamicTypeChecker -analyzer-checker alpha.core.FixedAddr
-analyzer-checker alpha.core.IdenticalExpr -analyzer-checker
alpha.core.PointerArithm -analyzer-checker alpha.core.PointerSub
-analyzer-checker alpha.core.SizeofPtr -analyzer-checker
alpha.core.TestAfterDivZero -analyzer-checker alpha.cplusplus.VirtualCall
-analyzer-checker alpha.deadcode.UnreachableCode -analyzer-checker
alpha.security.ArrayBound -analyzer-checker alpha.security.ArrayBoundV2
-analyzer-checker alpha.security.MallocOverflow -analyzer-checker
alpha.security.ReturnPtrRange -analyzer-checker
alpha.security.taint.TaintPropagation -analyzer-checker alpha.unix.Chroot
-analyzer-checker alpha.unix.PthreadLock -analyzer-checker
alpha.unix.SimpleStream -analyzer-checker alpha.unix.Stream -analyzer-checker
alpha.unix.cstring.BufferOverlap -analyzer-checker
alpha.unix.cstring.NotNullTerminated -analyzer-checker
alpha.unix.cstring.OutOfBounds -analyzer-checker=debug.Stats -analyzer-max-loop
10 -analyzer-output=html -o
/tmp/workspace/LStore-Branches/PR-94/build/clang-static-analyzer/2016-06-07-064307-13352-1
-x c /tmp/workspace/LStore-Branches/PR-94/src/lio/lio_fuse_core.c

And this is the preprocessed runner-unix.c
0.    Program arguments: /usr/bin/clang -cc1 -triple x86_64-pc-linux-gnu
-analyze -disable-free -disable-llvm-verifier -main-file-name runner-unix.c
-analyzer-store=region -analyzer-opt-analyze-nested-blocks
-analyzer-eagerly-assume -analyzer-checker=core -analyzer-checker=unix
-analyzer-checker=deadcode
-analyzer-checker=security.insecureAPI.UncheckedReturn
-analyzer-checker=security.insecureAPI.getpw
-analyzer-checker=security.insecureAPI.gets
-analyzer-checker=security.insecureAPI.mktemp
-analyzer-checker=security.insecureAPI.mkstemp
-analyzer-checker=security.insecureAPI.vfork
-analyzer-checker=nullability.NullPassedToNonnull
-analyzer-checker=nullability.NullReturnedFromNonnull -analyzer-output plist -w
-mrelocation-model pic -pic-level 2 -mthread-model posix -mdisable-fp-elim
-fmath-errno -masm-verbose -mconstructor-aliases -munwind-tables
-fuse-init-array -target-cpu x86-64 -dwarf-column-info -debugger-tuning=gdb
-resource-dir /usr/lib/llvm-3.8/bin/../lib/clang/3.8.0 -isystem
/tmp/workspace/LStore-Branches/PR-94/build/include/apr-ACCRE-1 -I
/tmp/workspace/LStore-Branches/PR-94/build/include -I
/tmp/workspace/LStore-Branches/PR-94/src/toolbox -I
/tmp/workspace/LStore-Branches/PR-94/src/gop -I
/tmp/workspace/LStore-Branches/PR-94/src/ibp -D _REENTRANT -D _GNU_SOURCE -D
_LARGEFILE64_SOURCE -D _FILE_OFFSET_BITS=64 -D LSTORE_HACK_EXPORT
-internal-isystem /usr/local/include -internal-isystem
/usr/lib/llvm-3.8/bin/../lib/clang/3.8.0/include -internal-externc-isystem
/usr/include/x86_64-linux-gnu -internal-externc-isystem /include
-internal-externc-isystem /usr/include -Wno-unused-parameter
-Wno-deprecated-declarations -std=c99 -fdebug-compilation-dir
/tmp/workspace/LStore-Branches/PR-94/build -ferror-limit 19 -fmessage-length 0
-fvisibility hidden -fobjc-runtime=gcc -fdiagnostics-show-option
-analyzer-display-progress -analyzer-checker alpha.core.BoolAssignment
-analyzer-checker alpha.core.CallAndMessageUnInitRefArg -analyzer-checker
alpha.core.CastSize -analyzer-checker alpha.core.CastToStruct -analyzer-checker
alpha.core.DynamicTypeChecker -analyzer-checker alpha.core.FixedAddr
-analyzer-checker alpha.core.IdenticalExpr -analyzer-checker
alpha.core.PointerArithm -analyzer-checker alpha.core.PointerSub
-analyzer-checker alpha.core.SizeofPtr -analyzer-checker
alpha.core.TestAfterDivZero -analyzer-checker alpha.cplusplus.VirtualCall
-analyzer-checker alpha.deadcode.UnreachableCode -analyzer-checker
alpha.security.ArrayBound -analyzer-checker alpha.security.ArrayBoundV2
-analyzer-checker alpha.security.MallocOverflow -analyzer-checker
alpha.security.ReturnPtrRange -analyzer-checker
alpha.security.taint.TaintPropagation -analyzer-checker alpha.unix.Chroot
-analyzer-checker alpha.unix.PthreadLock -analyzer-checker
alpha.unix.SimpleStream -analyzer-checker alpha.unix.Stream -analyzer-checker
alpha.unix.cstring.BufferOverlap -analyzer-checker
alpha.unix.cstring.NotNullTerminated -analyzer-checker
alpha.unix.cstring.OutOfBounds -analyzer-checker=debug.Stats -analyzer-max-loop
10 -analyzer-output=html -o
/tmp/workspace/LStore-Branches/PR-94/build/clang-static-analyzer/2016-06-07-064307-13352-1
-x c /tmp/workspace/LStore-Branches/PR-94/test/runner-unix.c 
1.    <eof> parser at end of file
