[llvm-bugs] [Bug 51109] New: Assertion `EquivalenceClass::isClassDataConsistent(State)' failed.
via llvm-bugs
llvm-bugs at lists.llvm.org
Thu Jul 15 12:15:10 PDT 2021
https://bugs.llvm.org/show_bug.cgi?id=51109
Bug ID: 51109
Summary: Assertion `EquivalenceClass::isClassDataConsistent(State)' failed.
Product: clang
Version: unspecified
Hardware: PC
OS: Linux
Status: NEW
Severity: normal
Priority: P
Component: Static Analyzer
Assignee: dcoughlin at apple.com
Reporter: vince.a.bridgers at gmail.com
CC: dcoughlin at apple.com, llvm-bugs at lists.llvm.org
Hitting a new assert from a case generated by a test fuzzer, reduced to the
case described. This appears to be an unexpected inconsistency in program state
detected by this or a related change:
commit b13d9878b8dcef4354ddfc86f382ca9b537e65aa
Author: Valeriy Savchenko <vsavchenko at apple.com>
Date: Wed Jun 24 12:50:56 2020 +0300
[analyzer][solver] Track symbol equivalence
(pointing at that, since git blame points to that change for the assert firing
at RangeConstraintManager.cpp:2232)
The reproducer ...
clang --analyze reduced.c
#include <stdint.h>
#define a(b, c) \
  ({ \
    d = b; \
    int32_t e = c; \
    e > 0 < e &&e < INT32_MAX / d ?: d *e; \
  })
#define f(b, c) \
  ({ \
    int32_t d = b; \
    int32_t e = c; \
    d == INT32_MIN &&e == -1 ?: d % e; \
  })
g = -1l, j;
*i, *k;
main() {
  for (;;) {
    j = g;
    g = f(a(*i, j), *k);
  }
}
The crash looks like this ...
clang: ../../clang/lib/StaticAnalyzer/Core/RangeConstraintManager.cpp:2232:
virtual clang::ento::ProgramStateRef (anonymous
namespace)::RangeConstraintManager::removeDeadBindings(clang::ento::ProgramStateRef,
clang::ento::SymbolReaper &): Assertion
`EquivalenceClass::isClassDataConsistent(State)' failed.
Program received signal SIGABRT, Aborted.
(gdb) bt
#0 0x00007ffff5301387 in raise () from /lib64/libc.so.6
#1 0x00007ffff5302a78 in abort () from /lib64/libc.so.6
#2 0x00007ffff52fa1a6 in __assert_fail_base () from /lib64/libc.so.6
#3 0x00007ffff52fa252 in __assert_fail () from /lib64/libc.so.6
#4 0x000000000846ef1d in (anonymous
namespace)::RangeConstraintManager::removeDeadBindings (this=0x10ad38b0,
State=..., SymReaper=...) at
../../clang/lib/StaticAnalyzer/Core/RangeConstraintManager.cpp:2232
#5 0x00000000083e2ec4 in clang::ento::ExprEngine::removeDead
(this=0x7fffffff7bc8, Pred=0x10e394b0, Out=..., ReferenceStmt=0x10ac2db8,
LC=0x10ab6360, DiagnosticStmt=0x10ac2db8,
K=clang::ProgramPoint::PreStmtPurgeDeadSymbolsKind) at
../../clang/lib/StaticAnalyzer/Core/ExprEngine.cpp:752
#6 0x00000000083e1618 in clang::ento::ExprEngine::ProcessStmt
(this=0x7fffffff7bc8, currStmt=0x10ac2db8, Pred=0x10e394b0) at
../../clang/lib/StaticAnalyzer/Core/ExprEngine.cpp:781
#7 0x00000000083e13a9 in clang::ento::ExprEngine::processCFGElement
(this=0x7fffffff7bc8, E=..., Pred=0x10e394b0, StmtIdx=0, Ctx=0x7fffffff7698) at
../../clang/lib/StaticAnalyzer/Core/ExprEngine.cpp:637
...
Just some simple debugging information.
isClassDataConsistent is returning false at line 1988 below from
RangeConstraintManager.cpp.
'Member' and 'State' are dumped just below this. The case described is the
simplest I can coerce creduce to produce (for now).
1978 bool EquivalenceClass::isClassDataConsistent(ProgramStateRef State) {
1979   ClassMembersTy Members = State->get<ClassMembers>();
1980
1981   for (std::pair<EquivalenceClass, SymbolSet> ClassMembersPair : Members) {
1982     for (SymbolRef Member : ClassMembersPair.second) {
1983       // Every member of the class should have a mapping back to the class.
1984       if (find(State, Member) == ClassMembersPair.first) {
1985         continue;
1986       }
1987
1988       return false;
1989     }
1990   }
(gdb) p Member->dump()
(((reg_$1<int Element{SymRegion{reg_$0<int * i>},0 S64b,int}>) * (((reg_$1<int
Element{SymRegion{reg_$0<int * i>},0 S64b,int}>) * -1) % (reg_$3<int
Element{SymRegion{reg_$2<int * k>},0 S64b,int}>))) % (reg_$3<int
Element{SymRegion{reg_$2<int * k>},0 S64b,int}>)) < (2147483647 / (reg_$1<int
Element{SymRegion{reg_$0<int * i>},0 S64b,int}>))
$2 = void
(gdb) p State->dump()
"program_state": {
"store": { "pointer": "0x10cc9dc2", "items": [
{ "cluster": "g", "pointer": "0x10ad4640", "items": [
{ "kind": "Direct", "offset": 0, "value": "((reg_$1<int
Element{SymRegion{reg_$0<int * i>},0 S64b,int}>) * (((reg_$1<int
Element{SymRegion{reg_$0<int * i>},0 S64b,int}>) * (((reg_$1<int
Element{SymRegion{reg_$0<int * i>},0 S64b,int}>) * -1) % (reg_$3<int
Element{SymRegion{reg_$2<int * k>},0 S64b,int}>))) % (reg_$3<int
Element{SymRegion{reg_$2<int * k>},0 S64b,int}>))) % (reg_$3<int
Element{SymRegion{reg_$2<int * k>},0 S64b,int}>)" }
]},
{ "cluster": "j", "pointer": "0x10ad4938", "items": [
{ "kind": "Direct", "offset": 0, "value": "((reg_$1<int
Element{SymRegion{reg_$0<int * i>},0 S64b,int}>) * (((reg_$1<int
Element{SymRegion{reg_$0<int * i>},0 S64b,int}>) * (((reg_$1<int
Element{SymRegion{reg_$0<int * i>},0 S64b,int}>) * -1) % (reg_$3<int
Element{SymRegion{reg_$2<int * k>},0 S64b,int}>))) % (reg_$3<int
Element{SymRegion{reg_$2<int * k>},0 S64b,int}>))) % (reg_$3<int
Element{SymRegion{reg_$2<int * k>},0 S64b,int}>)" }
]},
{ "cluster": "d", "pointer": "0x10ad9ce8", "items": [
{ "kind": "Direct", "offset": 0, "value": "reg_$1<int
Element{SymRegion{reg_$0<int * i>},0 S64b,int}>" }
]},
{ "cluster": "e", "pointer": "0x10ae0770", "items": [
{ "kind": "Direct", "offset": 0, "value": "reg_$3<int
Element{SymRegion{reg_$2<int * k>},0 S64b,int}>" }
]}
]},
"environment": { "pointer": "0x10ab6360", "items": [
{ "lctx_id": 1, "location_context": "#0 Call", "calling": "main",
"location": null, "items": [
{ "stmt_id": 1181, "pretty": "e < (2147483647) / d", "value": "0 S32b" },
{ "stmt_id": 1203, "pretty": "d * e", "value": "reg_$1<int
Element{SymRegion{reg_$0<int * i>},0 S64b,int}>" },
{ "stmt_id": 1287, "pretty": "d == (-2147483647 - 1)", "value": "1 S32b"
},
{ "stmt_id": 1291, "pretty": "e", "value": "&e" },
{ "stmt_id": 1299, "pretty": "-1", "value": "-1 S32b" },
{ "stmt_id": 1302, "pretty": "e", "value": "reg_$3<int
Element{SymRegion{reg_$2<int * k>},0 S64b,int}>" },
{ "stmt_id": 1305, "pretty": "e == -1", "value": "1 S32b" },
{ "stmt_id": 1327, "pretty": "d % e", "value": "((reg_$1<int
Element{SymRegion{reg_$0<int * i>},0 S64b,int}>) * (((reg_$1<int
Element{SymRegion{reg_$0<int * i>},0 S64b,int}>) * (((reg_$1<int
Element{SymRegion{reg_$0<int * i>},0 S64b,int}>) * -1) % (reg_$3<int
Element{SymRegion{reg_$2<int * k>},0 S64b,int}>))) % (reg_$3<int
Element{SymRegion{reg_$2<int * k>},0 S64b,int}>))) % (reg_$3<int
Element{SymRegion{reg_$2<int * k>},0 S64b,int}>)" }
]}
]},
"constraints": [
{ "symbol": "reg_$0<int * i>", "range": "{ [1, 18446744073709551615] }" },
{ "symbol": "reg_$1<int Element{SymRegion{reg_$0<int * i>},0 S64b,int}>",
"range": "{ [-2147483648, -2147483648] }" },
{ "symbol": "(reg_$1<int Element{SymRegion{reg_$0<int * i>},0 S64b,int}>) *
-1", "range": "{ [-2147483647, 2147483647] }" },
{ "symbol": "reg_$2<int * k>", "range": "{ [1, 18446744073709551615] }" },
{ "symbol": "reg_$3<int Element{SymRegion{reg_$2<int * k>},0 S64b,int}>",
"range": "{ [-1, -1] }" },
{ "symbol": "((reg_$1<int Element{SymRegion{reg_$0<int * i>},0 S64b,int}>)
* -1) % (reg_$3<int Element{SymRegion{reg_$2<int * k>},0 S64b,int}>)", "range":
"{ [2, 2147483646] }" },
{ "symbol": "-2147483648 % (reg_$3<int Element{SymRegion{reg_$2<int * k>},0
S64b,int}>)", "range": "{ [2, 2147483646] }" },
{ "symbol": "(((reg_$1<int Element{SymRegion{reg_$0<int * i>},0 S64b,int}>)
* -1) % (reg_$3<int Element{SymRegion{reg_$2<int * k>},0 S64b,int}>)) <
(2147483647 / (reg_$1<int Element{SymRegion{reg_$0<int * i>},0 S64b,int}>))",
"range": "{ [0, 0] }" },
{ "symbol": "(-2147483648 % (reg_$3<int Element{SymRegion{reg_$2<int *
k>},0 S64b,int}>)) < (2147483647 / (reg_$1<int Element{SymRegion{reg_$0<int *
i>},0 S64b,int}>))", "range": "{ [0, 0] }" },
{ "symbol": "(((reg_$1<int Element{SymRegion{reg_$0<int * i>},0 S64b,int}>)
* (((reg_$1<int Element{SymRegion{reg_$0<int * i>},0 S64b,int}>) * -1) %
(reg_$3<int Element{SymRegion{reg_$2<int * k>},0 S64b,int}>))) % (reg_$3<int
Element{SymRegion{reg_$2<int * k>},0 S64b,int}>)) < (2147483647 / (reg_$1<int
Element{SymRegion{reg_$0<int * i>},0 S64b,int}>))", "range": "{ [0, 0] }" },
{ "symbol": "(2147483647 / (reg_$1<int Element{SymRegion{reg_$0<int * i>},0
S64b,int}>)) > 0", "range": "{ [0, 0] }" },
{ "symbol": "(((-2147483648 % (reg_$3<int Element{SymRegion{reg_$2<int *
k>},0 S64b,int}>)) * -2147483648) % (reg_$3<int Element{SymRegion{reg_$2<int *
k>},0 S64b,int}>)) < (2147483647 / (reg_$1<int Element{SymRegion{reg_$0<int *
i>},0 S64b,int}>))", "range": "{ [0, 0] }" },
{ "symbol": "((reg_$1<int Element{SymRegion{reg_$0<int * i>},0 S64b,int}>)
* (((reg_$1<int Element{SymRegion{reg_$0<int * i>},0 S64b,int}>) * -1) %
(reg_$3<int Element{SymRegion{reg_$2<int * k>},0 S64b,int}>))) % (reg_$3<int
Element{SymRegion{reg_$2<int * k>},0 S64b,int}>)", "range": "{ [2, 2147483646]
}" },
{ "symbol": "((-2147483648 % (reg_$3<int Element{SymRegion{reg_$2<int *
k>},0 S64b,int}>)) * -2147483648) % (reg_$3<int Element{SymRegion{reg_$2<int *
k>},0 S64b,int}>)", "range": "{ [2, 2147483646] }" },
{ "symbol": "((-2147483648 % (reg_$3<int Element{SymRegion{reg_$2<int *
k>},0 S64b,int}>)) * -2147483648) % -1", "range": "{ [2, 2147483646] }" },
{ "symbol": "(reg_$1<int Element{SymRegion{reg_$0<int * i>},0 S64b,int}>) *
(((reg_$1<int Element{SymRegion{reg_$0<int * i>},0 S64b,int}>) * -1) %
(reg_$3<int Element{SymRegion{reg_$2<int * k>},0 S64b,int}>))", "range": "{
[-2147483647, 2147483647] }" },
{ "symbol": "(-2147483648 % (reg_$3<int Element{SymRegion{reg_$2<int *
k>},0 S64b,int}>)) * -2147483648", "range": "{ [-2147483647, 2147483647] }" },
{ "symbol": "(reg_$1<int Element{SymRegion{reg_$0<int * i>},0 S64b,int}>) *
(((reg_$1<int Element{SymRegion{reg_$0<int * i>},0 S64b,int}>) * (((reg_$1<int
Element{SymRegion{reg_$0<int * i>},0 S64b,int}>) * -1) % (reg_$3<int
Element{SymRegion{reg_$2<int * k>},0 S64b,int}>))) % (reg_$3<int
Element{SymRegion{reg_$2<int * k>},0 S64b,int}>))", "range": "{ [-2147483647,
2147483647] }" },
{ "symbol": "(((-2147483648 % (reg_$3<int Element{SymRegion{reg_$2<int *
k>},0 S64b,int}>)) * -2147483648) % (reg_$3<int Element{SymRegion{reg_$2<int *
k>},0 S64b,int}>)) * -2147483648", "range": "{ [-2147483647, 2147483647] }" },
{ "symbol": "(((-2147483648 % (reg_$3<int Element{SymRegion{reg_$2<int *
k>},0 S64b,int}>)) * -2147483648) % -1) * -2147483648", "range": "{
[-2147483647, 2147483647] }" },
{ "symbol": "((reg_$1<int Element{SymRegion{reg_$0<int * i>},0 S64b,int}>)
* (((reg_$1<int Element{SymRegion{reg_$0<int * i>},0 S64b,int}>) *
(((reg_$1<int Element{SymRegion{reg_$0<int * i>},0 S64b,int}>) * -1) %
(reg_$3<int Element{SymRegion{reg_$2<int * k>},0 S64b,int}>))) % (reg_$3<int
Element{SymRegion{reg_$2<int * k>},0 S64b,int}>))) % (reg_$3<int
Element{SymRegion{reg_$2<int * k>},0 S64b,int}>)", "range": "{ [1, 1] }" },
{ "symbol": "((((-2147483648 % (reg_$3<int Element{SymRegion{reg_$2<int *
k>},0 S64b,int}>)) * -2147483648) % (reg_$3<int Element{SymRegion{reg_$2<int *
k>},0 S64b,int}>)) * -2147483648) % (reg_$3<int Element{SymRegion{reg_$2<int *
k>},0 S64b,int}>)", "range": "{ [1, 1] }" },
{ "symbol": "((((-2147483648 % (reg_$3<int Element{SymRegion{reg_$2<int *
k>},0 S64b,int}>)) * -2147483648) % -1) * -2147483648) % -1", "range": "{ [1,
1] }" }
],
"dynamic_types": null,
"dynamic_casts": null,
"constructing_objects": null,
"checker_messages": null
}
$3 = void
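Added illustration, not part of the original report and not clang's code: a small C++ model of the invariant that the quoted isClassDataConsistent loop checks, with a cleanup step that updates only the symbol-to-class map. The cleanup is a constructed way to break the invariant, not a diagnosis of this bug, and every name in the block is hypothetical.

```cpp
// Added model: all names here are hypothetical, not clang's own API.
#include <map>
#include <set>
#include <string>

using Sym = std::string;
struct State {
  std::map<Sym, Sym> classMap;                // symbol -> class representative
  std::map<Sym, std::set<Sym>> classMembers;  // representative -> members
};

// Model assumption: a symbol with no entry forms a trivial class of its own.
Sym find(const State &S, const Sym &X) {
  auto It = S.classMap.find(X);
  return It == S.classMap.end() ? X : It->second;
}

// Same shape as the quoted check: each member must map back to its class.
bool isConsistent(const State &S) {
  for (const auto &KV : S.classMembers)
    for (const Sym &M : KV.second)
      if (find(S, M) != KV.first) return false;
  return true;
}

// Merge B's class into A's class, updating both directions of the mapping.
void merge(State &S, const Sym &A, const Sym &B) {
  Sym To = find(S, A), From = find(S, B);
  std::set<Sym> Moved{From, To};
  auto It = S.classMembers.find(From);
  if (It != S.classMembers.end()) {
    Moved.insert(It->second.begin(), It->second.end());
    S.classMembers.erase(It);
  }
  for (const Sym &M : Moved) {
    S.classMap[M] = To;
    S.classMembers[To].insert(M);
  }
}

// Drop dead symbol "y"; with UpdateMembers=false the reverse map goes stale.
bool consistentAfterCleanup(bool UpdateMembers) {
  State S;
  merge(S, "x", "y");
  merge(S, "x", "z");
  S.classMap.erase("y");
  if (UpdateMembers) S.classMembers["x"].erase("y");
  return isConsistent(S);
}
```

With the stale reverse map, "y" is still listed under class "x" but looks up as its own trivial class, which is the `return false` path at line 1988 of the quoted function.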