[llvm-bugs] [Bug 42816] New: Crash in static analyzer when analyzing some code with destructors
via llvm-bugs
llvm-bugs at lists.llvm.org
Mon Jul 29 13:07:38 PDT 2019
https://bugs.llvm.org/show_bug.cgi?id=42816
Bug ID: 42816
Summary: Crash in static analyzer when analyzing some code with
destructors
Product: clang
Version: 8.0
Hardware: Macintosh
OS: MacOS X
Status: NEW
Severity: normal
Priority: P
Component: Static Analyzer
Assignee: dcoughlin at apple.com
Reporter: philip.chimento at gmail.com
CC: dcoughlin at apple.com, llvm-bugs at lists.llvm.org
Created attachment 22312
--> https://bugs.llvm.org/attachment.cgi?id=22312&action=edit
Program that reproduces the problem
I am trying to develop a static analyzer plugin and encountered a crash when
analyzing some particular code. A minimal program that reproduces the crash
(including as well a minimal version of the code being analyzed) is attached.
I am quite sure it's not a bug in my analyzer code since I can reproduce it
with a completely empty analyzer with no code at all.
In the code being analyzed, the crash seems to depend on all of these things
being present:
- A record (B) with a destructor;
- A record member (A) of B with a destructor;
- An explicit call to B's destructor in a path where it's known that the
pointer to B is non-null.
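The attachment itself is not reproduced on this page; the following is an added reconstruction of the analyzed-code shape from the three conditions listed above (not the reporter's attachment), built so it compiles and runs on its own. Whether it triggers the clang 8 analyzer crash has not been verified here; the names `A`, `B`, `destroy` and `run_once` are assumptions.

```cpp
// Reconstruction (added here, not the reporter's attachment) of the analyzed
// code shape named in the report: a record B with a destructor, a member A of
// B with a destructor, and an explicit call to B's destructor on a path where
// the pointer to B is known to be non-null.
// To run the static analyzer over this file:  clang++ --analyze repro.cpp
#include <new>

static int a_dtor_calls = 0;
static int b_dtor_calls = 0;

struct A {
    ~A() { ++a_dtor_calls; }
};

struct B {
    A a;   // member with a destructor: destroyed as an implicit member dtor
    ~B() { ++b_dtor_calls; }
};

// Explicit destructor call guarded by a null check. On the branch where `b`
// is known non-null the analyzer evaluates ~B(), which then processes the
// implicit destructor of the member `a` (ProcessMemberDtor in the reported
// stack trace).
void destroy(B *b) {
    if (b)
        b->~B();
}

// Constructs a B in raw storage with placement new so that the explicit
// destructor call is the only destruction that happens (no double destroy
// when the storage goes out of scope).
int run_once() {
    alignas(B) unsigned char storage[sizeof(B)];
    B *b = new (storage) B;
    destroy(b);
    destroy(nullptr);   // null path: nothing is destroyed
    return a_dtor_calls + b_dtor_calls;   // 2 after one full destruction
}
```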
The stack trace of the crash is below:
$ lldb -- ./bug
(lldb) target create "./bug"
Current executable set to './bug' (x86_64).
(lldb) r
Process 26969 launched: '/path/to/bug' (x86_64)
Process 26969 stopped
* thread #1, queue = 'com.apple.main-thread', stop reason = EXC_BAD_ACCESS
(code=1, address=0x50)
frame #0: 0x0000000100ba4f66 bug`(anonymous
namespace)::RegionStoreManager::invalidateRegions(void const*,
llvm::ArrayRef<clang::ento::SVal>, clang::Expr const*, unsigned int,
clang::LocationContext const*, clang::ento::CallEvent const*,
llvm::DenseSet<clang::ento::SymExpr const*,
llvm::DenseMapInfo<clang::ento::SymExpr const*> >&,
clang::ento::RegionAndSymbolInvalidationTraits&,
llvm::SmallVector<clang::ento::MemRegion const*, 8u>*,
llvm::SmallVector<clang::ento::MemRegion const*, 8u>*) + 3192
bug`(anonymous namespace)::RegionStoreManager::invalidateRegions:
-> 0x100ba4f66 <+3192>: callq *0x50(%rcx)
0x100ba4f69 <+3195>: testb %al, %al
0x100ba4f6b <+3197>: je 0x100ba4f94 ; <+3238>
0x100ba4f6d <+3199>: movq -0x1d8(%rbp), %rdi
Target 0: (bug) stopped.
(lldb) bt
* thread #1, queue = 'com.apple.main-thread', stop reason = EXC_BAD_ACCESS
(code=1, address=0x50)
* frame #0: 0x0000000100ba4f66 bug`(anonymous
namespace)::RegionStoreManager::invalidateRegions(void const*,
llvm::ArrayRef<clang::ento::SVal>, clang::Expr const*, unsigned int,
clang::LocationContext const*, clang::ento::CallEvent const*,
llvm::DenseSet<clang::ento::SymExpr const*,
llvm::DenseMapInfo<clang::ento::SymExpr const*> >&,
clang::ento::RegionAndSymbolInvalidationTraits&,
llvm::SmallVector<clang::ento::MemRegion const*, 8u>*,
llvm::SmallVector<clang::ento::MemRegion const*, 8u>*) + 3192
frame #1: 0x0000000100b92c74
bug`clang::ento::ProgramState::invalidateRegionsImpl(llvm::ArrayRef<clang::ento::SVal>,
clang::Expr const*, unsigned int, clang::LocationContext const*, bool,
llvm::DenseSet<clang::ento::SymExpr const*,
llvm::DenseMapInfo<clang::ento::SymExpr const*> >*,
clang::ento::RegionAndSymbolInvalidationTraits*, clang::ento::CallEvent const*)
const + 258
frame #2: 0x0000000100b92ecb
bug`clang::ento::ProgramState::invalidateRegions(llvm::ArrayRef<clang::ento::SVal>,
clang::Expr const*, unsigned int, clang::LocationContext const*, bool,
llvm::DenseSet<clang::ento::SymExpr const*,
llvm::DenseMapInfo<clang::ento::SymExpr const*> >*, clang::ento::CallEvent
const*, clang::ento::RegionAndSymbolInvalidationTraits*) const + 37
frame #3: 0x0000000100b35f97
bug`clang::ento::CallEvent::invalidateRegions(unsigned int,
llvm::IntrusiveRefCntPtr<clang::ento::ProgramState const>) const + 759
frame #4: 0x0000000100b67722
bug`clang::ento::ExprEngine::conservativeEvalCall(clang::ento::CallEvent
const&, clang::ento::NodeBuilder&, clang::ento::ExplodedNode*,
llvm::IntrusiveRefCntPtr<clang::ento::ProgramState const>) + 84
frame #5: 0x0000000100b68182
bug`clang::ento::ExprEngine::defaultEvalCall(clang::ento::NodeBuilder&,
clang::ento::ExplodedNode*, clang::ento::CallEvent const&,
clang::ento::ExprEngine::EvalCallOptions const&) + 466
frame #6: 0x0000000100b62b84
bug`clang::ento::ExprEngine::VisitCXXDestructor(clang::QualType,
clang::ento::MemRegion const*, clang::Stmt const*, bool,
clang::ento::ExplodedNode*, clang::ento::ExplodedNodeSet&,
clang::ento::ExprEngine::EvalCallOptions const&) + 706
frame #7: 0x0000000100b50350
bug`clang::ento::ExprEngine::ProcessMemberDtor(clang::CFGMemberDtor,
clang::ento::ExplodedNode*, clang::ento::ExplodedNodeSet&) + 262
frame #8: 0x0000000100b4c035
bug`clang::ento::ExprEngine::ProcessImplicitDtor(clang::CFGImplicitDtor,
clang::ento::ExplodedNode*) + 237
frame #9: 0x0000000100b4ae93
bug`clang::ento::ExprEngine::processCFGElement(clang::CFGElement,
clang::ento::ExplodedNode*, unsigned int, clang::ento::NodeBuilderContext*) +
155
frame #10: 0x0000000100b42fb3
bug`clang::ento::CoreEngine::HandleBlockEntrance(clang::BlockEntrance const&,
clang::ento::ExplodedNode*) + 155
frame #11: 0x0000000100b42b0b
bug`clang::ento::CoreEngine::dispatchWorkItem(clang::ento::ExplodedNode*,
clang::ProgramPoint, clang::ento::WorkListUnit const&) + 235
frame #12: 0x0000000100b42890
bug`clang::ento::CoreEngine::ExecuteWorkList(clang::LocationContext const*,
unsigned int, llvm::IntrusiveRefCntPtr<clang::ento::ProgramState const>) + 754
frame #13: 0x0000000100bd2130
bug`clang::ento::ExprEngine::ExecuteWorkList(clang::LocationContext const*,
unsigned int) + 26
frame #14: 0x0000000100bd1ff4 bug`(anonymous
namespace)::AnalysisConsumer::HandleCode(clang::Decl*, unsigned int,
clang::ento::ExprEngine::InliningModes, llvm::DenseSet<clang::Decl const*,
llvm::DenseMapInfo<clang::Decl const*> >*) + 1122
frame #15: 0x0000000100bcd404 bug`(anonymous
namespace)::AnalysisConsumer::HandleTranslationUnit(clang::ASTContext&) + 754
frame #16: 0x000000010045d1a6 bug`clang::ParseAST(clang::Sema&, bool, bool)
+ 457
frame #17: 0x00000001003c909d bug`clang::FrontendAction::Execute() + 71
frame #18: 0x0000000100394e90
bug`clang::CompilerInstance::ExecuteAction(clang::FrontendAction&) + 734
frame #19: 0x0000000100bf3061
bug`clang::tooling::FrontendActionFactory::runInvocation(std::__1::shared_ptr<clang::CompilerInvocation>,
clang::FileManager*, std::__1::shared_ptr<clang::PCHContainerOperations>,
clang::DiagnosticConsumer*) + 267
frame #20: 0x0000000100bf2de0
bug`clang::tooling::ToolInvocation::runInvocation(char const*,
clang::driver::Compilation*, std::__1::shared_ptr<clang::CompilerInvocation>,
std::__1::shared_ptr<clang::PCHContainerOperations>) + 186
frame #21: 0x0000000100bf210a bug`clang::tooling::ToolInvocation::run() +
1908
frame #22: 0x0000000100bf169e
bug`clang::tooling::runToolOnCodeWithArgs(clang::FrontendAction*, llvm::Twine
const&, llvm::IntrusiveRefCntPtr<llvm::vfs::FileSystem>,
std::__1::vector<std::__1::basic_string<char, std::__1::char_traits<char>,
std::__1::allocator<char> >, std::__1::allocator<std::__1::basic_string<char,
std::__1::char_traits<char>, std::__1::allocator<char> > > > const&,
llvm::Twine const&, llvm::Twine const&,
std::__1::shared_ptr<clang::PCHContainerOperations>) + 443
frame #23: 0x0000000100bf128e
bug`clang::tooling::runToolOnCodeWithArgs(clang::FrontendAction*, llvm::Twine
const&, std::__1::vector<std::__1::basic_string<char,
std::__1::char_traits<char>, std::__1::allocator<char> >,
std::__1::allocator<std::__1::basic_string<char, std::__1::char_traits<char>,
std::__1::allocator<char> > > > const&, llvm::Twine const&, llvm::Twine const&,
std::__1::shared_ptr<clang::PCHContainerOperations>,
std::__1::vector<std::__1::pair<std::__1::basic_string<char,
std::__1::char_traits<char>, std::__1::allocator<char> >,
std::__1::basic_string<char, std::__1::char_traits<char>,
std::__1::allocator<char> > >,
std::__1::allocator<std::__1::pair<std::__1::basic_string<char,
std::__1::char_traits<char>, std::__1::allocator<char> >,
std::__1::basic_string<char, std::__1::char_traits<char>,
std::__1::allocator<char> > > > > const&) + 744
frame #24: 0x0000000100bf0f14
bug`clang::tooling::runToolOnCode(clang::FrontendAction*, llvm::Twine const&,
llvm::Twine const&, std::__1::shared_ptr<clang::PCHContainerOperations>) + 83
frame #25: 0x00000001000026d8 bug`main + 136
frame #26: 0x00007fff7c07e3d5 libdyld.dylib`start + 1