[llvm-bugs] [Bug 46128] New: VLASizeChecker assertion failure with VLA size 0

via llvm-bugs llvm-bugs at lists.llvm.org
Thu May 28 15:10:26 PDT 2020


https://bugs.llvm.org/show_bug.cgi?id=46128

            Bug ID: 46128
           Summary: VLASizeChecker assertion failure with VLA size 0
           Product: clang
           Version: unspecified
          Hardware: All
                OS: All
            Status: NEW
          Severity: normal
          Priority: P
         Component: Static Analyzer
          Assignee: dcoughlin at apple.com
          Reporter: chris.hamilton at ericsson.com
                CC: dcoughlin at apple.com, llvm-bugs at lists.llvm.org

Working in proprietary code, I've found a case that causes VLASizeChecker to
crash with an assertion failure.  I did some work to root-cause the assertion
failure.  This is not my area of expertise, but what I think is happening is
this: the assertion assumes that VLASizeChecker::checkVLAIndexSize() would
catch and warn for all possible cases where the VLA size could be 0 before
reaching the code in question; however, in this case, checkVLAIndexSize() does
not detect the 0-size condition.

A reduced reproducer is also attached and shown here for convenience:

  extern void foo(void);

  int a;
  void b() {
    int c = a + 1;        /* c is 0 when the global a is -1 */
    for (;;) {
      int d[c];           /* VLA whose size may be 0; this DeclStmt hits the assertion */
      for (; 0 < c;)
        foo();
    }
  }

Stacktrace from the assertion failure on this reproducer is:

#0  0x00007ffff6738377 in raise () from /lib64/libc.so.6
#1  0x00007ffff6739a68 in abort () from /lib64/libc.so.6
#2  0x00007ffff6731196 in __assert_fail_base () from /lib64/libc.so.6
#3  0x00007ffff6731242 in __assert_fail () from /lib64/libc.so.6
#4  0x00000000014601ba in (anonymous namespace)::VLASizeChecker::checkVLA
(this=0x7e7d730, C=..., State=..., VLA=0x0, ArraySize=...)
    at
/repo/eahcmrh/flextools-llvm/clang/lib/StaticAnalyzer/Checkers/VLASizeChecker.cpp:129
#5  0x0000000001460f45 in (anonymous namespace)::VLASizeChecker::checkPreStmt
(this=0x7e7d730, DS=0x7ec5530, C=...) at
/repo/eahcmrh/flextools-llvm/clang/lib/StaticAnalyzer/Checkers/VLASizeChecker.cpp:272
#6  0x0000000001461695 in
clang::ento::check::PreStmt<clang::DeclStmt>::_checkStmt<(anonymous
namespace)::VLASizeChecker> (checker=0x7e7d730, S=0x7ec5530, C=...)
    at
/repo/eahcmrh/flextools-llvm/clang/include/clang/StaticAnalyzer/Core/Checker.h:85
#7  0x000000000153bd9e in clang::ento::CheckerFn<void (clang::Stmt const*,
clang::ento::CheckerContext&)>::operator()(clang::Stmt const*,
clang::ento::CheckerContext&) const (this=0x7fffffff8f30, ps#0=0x7ec5530, 
    ps#1=...) at
/repo/eahcmrh/flextools-llvm/clang/include/clang/StaticAnalyzer/Core/CheckerManager.h:71
#8  0x0000000001536156 in (anonymous namespace)::CheckStmtContext::runChecker
(this=0x7fffffff9150, checkFn=..., Bldr=..., Pred=0x7eff3b0)
    at
/repo/eahcmrh/flextools-llvm/clang/lib/StaticAnalyzer/Core/CheckerManager.cpp:177
#9  0x0000000001538e5e in expandGraphWithCheckers<(anonymous
namespace)::CheckStmtContext> (checkCtx=..., Dst=..., Src=...) at
/repo/eahcmrh/flextools-llvm/clang/lib/StaticAnalyzer/Core/CheckerManager.cpp:139
#10 0x00000000015361f2 in clang::ento::CheckerManager::runCheckersForStmt
(this=0x7e72810, isPreVisit=true, Dst=..., Src=..., S=0x7ec5530, Eng=...,
WasInlined=false)
    at
/repo/eahcmrh/flextools-llvm/clang/lib/StaticAnalyzer/Core/CheckerManager.cpp:192
#11 0x0000000001589415 in clang::ento::CheckerManager::runCheckersForPreStmt
(this=0x7e72810, Dst=..., Src=..., S=0x7ec5530, Eng=...)
    at
/repo/eahcmrh/flextools-llvm/clang/include/clang/StaticAnalyzer/Core/CheckerManager.h:249
#12 0x000000000159b37a in clang::ento::ExprEngine::VisitDeclStmt
(this=0x7fffffffa550, DS=0x7ec5530, Pred=0x7eff3b0, Dst=...) at
/repo/eahcmrh/flextools-llvm/clang/lib/StaticAnalyzer/Core/ExprEngineC.cpp:615
#13 0x000000000157bc15 in clang::ento::ExprEngine::Visit (this=0x7fffffffa550,
S=0x7ec5530, Pred=0x7eff3b0, DstTop=...) at
/repo/eahcmrh/flextools-llvm/clang/lib/StaticAnalyzer/Core/ExprEngine.cpp:1709
#14 0x0000000001577498 in clang::ento::ExprEngine::ProcessStmt
(this=0x7fffffffa550, currStmt=0x7ec5530, Pred=0x7eff338) at
/repo/eahcmrh/flextools-llvm/clang/lib/StaticAnalyzer/Core/ExprEngine.cpp:791
#15 0x000000000157681a in clang::ento::ExprEngine::processCFGElement
(this=0x7fffffffa550, E=..., Pred=0x7eff338, StmtIdx=2, Ctx=0x7fffffffa130)
    at
/repo/eahcmrh/flextools-llvm/clang/lib/StaticAnalyzer/Core/ExprEngine.cpp:637
#16 0x000000000154df24 in clang::ento::CoreEngine::HandlePostStmt
(this=0x7fffffffa570, B=0x7eece38, StmtIdx=2, Pred=0x7eff338) at
/repo/eahcmrh/flextools-llvm/clang/lib/StaticAnalyzer/Core/CoreEngine.cpp:466
#17 0x000000000154cb6d in clang::ento::CoreEngine::dispatchWorkItem
(this=0x7fffffffa570, Pred=0x7eff338, Loc=..., WU=...) at
/repo/eahcmrh/flextools-llvm/clang/lib/StaticAnalyzer/Core/CoreEngine.cpp:191
#18 0x000000000154c807 in clang::ento::CoreEngine::ExecuteWorkList
(this=0x7fffffffa570, L=0x7ef4b50, Steps=224950, InitState=...) at
/repo/eahcmrh/flextools-llvm/clang/lib/StaticAnalyzer/Core/CoreEngine.cpp:147
#19 0x0000000000f2db3f in clang::ento::ExprEngine::ExecuteWorkList
(this=0x7fffffffa550, L=0x7ef4b50, Steps=225000)
    at
/repo/eahcmrh/flextools-llvm/clang/include/clang/StaticAnalyzer/Core/PathSensitive/ExprEngine.h:184
#20 0x0000000000ed0fd6 in (anonymous
namespace)::AnalysisConsumer::RunPathSensitiveChecks (this=0x7e71a00,
D=0x7ec5260, IMode=clang::ento::ExprEngine::Inline_Regular,
VisitedCallees=0x7fffffffa960)
    at
/repo/eahcmrh/flextools-llvm/clang/lib/StaticAnalyzer/Frontend/AnalysisConsumer.cpp:701
#21 0x0000000000ed0e00 in (anonymous namespace)::AnalysisConsumer::HandleCode
(this=0x7e71a00, D=0x7ec5260, Mode=2,
IMode=clang::ento::ExprEngine::Inline_Regular, VisitedCallees=0x7fffffffa960)
    at
/repo/eahcmrh/flextools-llvm/clang/lib/StaticAnalyzer/Frontend/AnalysisConsumer.cpp:674
#22 0x0000000000ecfda1 in (anonymous
namespace)::AnalysisConsumer::HandleDeclsCallGraph (this=0x7e71a00,
LocalTUDeclsSize=3)
    at
/repo/eahcmrh/flextools-llvm/clang/lib/StaticAnalyzer/Frontend/AnalysisConsumer.cpp:463
#23 0x0000000000ed019c in (anonymous
namespace)::AnalysisConsumer::runAnalysisOnTranslationUnit (this=0x7e71a00,
C=...) at
/repo/eahcmrh/flextools-llvm/clang/lib/StaticAnalyzer/Frontend/AnalysisConsumer.cpp:514
#24 0x0000000000ed0371 in (anonymous
namespace)::AnalysisConsumer::HandleTranslationUnit (this=0x7e71a00, C=...) at
/repo/eahcmrh/flextools-llvm/clang/lib/StaticAnalyzer/Frontend/AnalysisConsumer.cpp:544
#25 0x00000000017dcc87 in clang::MultiplexConsumer::HandleTranslationUnit
(this=0x7e727a0, Ctx=...) at
/repo/eahcmrh/flextools-llvm/clang/lib/Frontend/MultiplexConsumer.cpp:292
#26 0x0000000001a1afd4 in clang::ParseAST (S=..., PrintStats=false,
SkipFunctionBodies=false) at
/repo/eahcmrh/flextools-llvm/clang/lib/Parse/ParseAST.cpp:171
#27 0x00000000017a4ae3 in clang::ASTFrontendAction::ExecuteAction
(this=0x7e4ed70) at
/repo/eahcmrh/flextools-llvm/clang/lib/Frontend/FrontendAction.cpp:1061
#28 0x00000000017a444b in clang::FrontendAction::Execute (this=0x7e4ed70) at
/repo/eahcmrh/flextools-llvm/clang/lib/Frontend/FrontendAction.cpp:954
#29 0x000000000173fa4f in clang::CompilerInstance::ExecuteAction
(this=0x7fffffffafb0, Act=...) at
/repo/eahcmrh/flextools-llvm/clang/lib/Frontend/CompilerInstance.cpp:973
#30 0x0000000000eb5e6c in clang::tooling::FrontendActionFactory::runInvocation
(this=0x7fffffffbff0, Invocation=..., Files=0x7e47850, PCHContainerOps=...,
DiagConsumer=0x7fffffffc5b0)
    at /repo/eahcmrh/flextools-llvm/clang/lib/Tooling/Tooling.cpp:397
#31 0x0000000000e4c0c4 in clang::tidy::ActionFactory::runInvocation
(this=0x7fffffffbff0, Invocation=..., Files=0x7e47850, PCHContainerOps=...,
DiagConsumer=0x7fffffffc5b0)
    at
/repo/eahcmrh/flextools-llvm/clang-tools-extra/clang-tidy/ClangTidy.cpp:552
#32 0x0000000000eb5cd0 in clang::tooling::ToolInvocation::runInvocation
(this=0x7fffffffbb00, BinaryName=0x7e3e030
"/repo/eahcmrh/flextools-llvm/build-debug/bin/clang-tool",
Compilation=0x7e42e30, Invocation=..., 
    PCHContainerOps=...) at
/repo/eahcmrh/flextools-llvm/clang/lib/Tooling/Tooling.cpp:372
#33 0x0000000000eb5b0e in clang::tooling::ToolInvocation::run
(this=0x7fffffffbb00) at
/repo/eahcmrh/flextools-llvm/clang/lib/Tooling/Tooling.cpp:357
#34 0x0000000000eb71a5 in clang::tooling::ClangTool::run (this=0x7fffffffc620,
Action=0x7fffffffbff0) at
/repo/eahcmrh/flextools-llvm/clang/lib/Tooling/Tooling.cpp:550
#35 0x0000000000e4c44f in clang::tidy::runClangTidy (Context=...,
Compilations=..., InputFiles=..., BaseFS=..., FixResolutions=false,
EnableCheckProfile=false, StoreCheckProfile=...)
    at
/repo/eahcmrh/flextools-llvm/clang-tools-extra/clang-tidy/ClangTidy.cpp:573
#36 0x000000000041a4e4 in clang::tidy::clangTidyMain (argc=3,
argv=0x7fffffffd728) at
/repo/eahcmrh/flextools-llvm/clang-tools-extra/clang-tidy/tool/ClangTidyMain.cpp:449
#37 0x0000000000418e12 in main (argc=6, argv=0x7fffffffd728) at
/repo/eahcmrh/flextools-llvm/clang-tools-extra/clang-tidy/tool/ClangTidyToolMain.cpp:20

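The reproducer's `int d[c]` declares a VLA whose size c = a + 1 is 0 whenever the global a is -1, which is exactly the condition VLASizeChecker is meant to diagnose and here asserts on instead. As an added example that is not part of the bug report (the function sum_with_vla and the bound VLA_MAX_ELEMS are hypothetical names), the following shows the guard application code should apply before declaring such a VLA: compute the size in a wider type so a + 1 cannot overflow, then reject size 0, negative sizes and sizes above a fixed bound, since a zero or negative VLA size is undefined behaviour in C and an unbounded one is a stack exhaustion.

```c
#include <limits.h>
#include <stdio.h>

/* Added example, not code from the bug report or from clang.
 * sum_with_vla and VLA_MAX_ELEMS are hypothetical names. */

#define VLA_MAX_ELEMS 4096   /* assumed upper bound for stack-allocated arrays */

/* Mirrors the reproducer's `int d[c]` with c = a + 1, but validates c first.
 * Returns the sum 0 + 1 + ... + (c-1) computed through a VLA of c ints,
 * or -1 if c is not a usable VLA size (0, negative, or above the bound). */
long long sum_with_vla(int a)
{
    long long c = (long long)a + 1;   /* widen first: INT_MAX + 1 must not wrap */
    if (c <= 0 || c > VLA_MAX_ELEMS)  /* size 0 / negative is UB, oversized blows the stack */
        return -1;

    int d[c];                         /* now safe: 1 <= c <= VLA_MAX_ELEMS */
    long long total = 0;
    for (long long i = 0; i < c; i++) {
        d[i] = (int)i;
        total += d[i];
    }
    return total;
}

int main(void)
{
    /* a == -1 is the reproducer's size-0 case; it is rejected, not declared. */
    printf("a=-1      -> %lld\n", sum_with_vla(-1));
    printf("a=3       -> %lld\n", sum_with_vla(3));
    printf("a=INT_MAX -> %lld\n", sum_with_vla(INT_MAX));
    return 0;
}
```

The check belongs before the declaration, not after: once `int d[c]` has been evaluated with c == 0 the behaviour is already undefined, which is the same reason the analyzer wants to warn at the DeclStmt rather than at a later use.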