[llvm] Reland "[Support] Assert that DomTree nodes share parent" (PR #102782)
Alexis Engelke via llvm-commits
llvm-commits at lists.llvm.org
Thu Aug 15 05:07:00 PDT 2024
aengelke wrote:
That looks like a use-after-free of `ExplodedNode`s, which get reallocated while a visitor still holds a reference. When replacing the free list and allocator with standard new/delete, Valgrind complains:
```
==197546== Invalid read of size 8
==197546== at 0x8BFCA75: getLocation (llvm-project/clang/include/clang/StaticAnalyzer/Core/PathSensitive/ExplodedGraph.h:145)
==197546== by 0x8BFCA75: getStackFrame (llvm-project/clang/include/clang/StaticAnalyzer/Core/PathSensitive/ExplodedGraph.h:152)
==197546== by 0x8BFCA75: (anonymous namespace)::TrackControlDependencyCondBRVisitor::VisitNode(clang::ento::ExplodedNode const*, clang::ento::BugReporterContext&, clang::ento::PathSensitiveBugReport&) (llvm-project/clang/lib/StaticAnalyzer/Core/BugReporterVisitors.cpp:2081)
==197546== by 0x8BE90E2: generateVisitorsDiagnostics(clang::ento::PathSensitiveBugReport*, clang::ento::ExplodedNode const*, clang::ento::BugReporterContext&) (llvm-project/clang/lib/StaticAnalyzer/Core/BugReporter.cpp:2829)
==197546== by 0x8BE529B: findValidReport (llvm-project/clang/lib/StaticAnalyzer/Core/BugReporter.cpp:2870)
==197546== by 0x8BE529B: clang::ento::PathSensitiveBugReporter::generatePathDiagnostics(llvm::ArrayRef<clang::ento::PathDiagnosticConsumer*>, llvm::ArrayRef<clang::ento::PathSensitiveBugReport*>&) (llvm-project/clang/lib/StaticAnalyzer/Core/BugReporter.cpp:2918)
==197546== by 0x8BE7AE3: clang::ento::PathSensitiveBugReporter::generateDiagnosticForConsumerMap(clang::ento::BugReport*, llvm::ArrayRef<clang::ento::PathDiagnosticConsumer*>, llvm::ArrayRef<clang::ento::BugReport*>) (llvm-project/clang/lib/StaticAnalyzer/Core/BugReporter.cpp:3344)
==197546== by 0x8BE3878: clang::ento::BugReporter::FlushReport(clang::ento::BugReportEquivClass&) (llvm-project/clang/lib/StaticAnalyzer/Core/BugReporter.cpp:3116)
==197546== by 0x8BE36BA: clang::ento::BugReporter::FlushReports() (llvm-project/clang/lib/StaticAnalyzer/Core/BugReporter.cpp:2501)
==197546== by 0x90E3034: RunPathSensitiveChecks (llvm-project/clang/lib/StaticAnalyzer/Frontend/AnalysisConsumer.cpp:748)
==197546== by 0x90E3034: (anonymous namespace)::AnalysisConsumer::HandleCode(clang::Decl*, unsigned int, clang::ento::ExprEngine::InliningModes, llvm::DenseSet<clang::Decl const*, llvm::DenseMapInfo<clang::Decl const*, void> >*) (llvm-project/clang/lib/StaticAnalyzer/Frontend/AnalysisConsumer.cpp:699)
==197546== by 0x90BECB6: HandleDeclsCallGraph (llvm-project/clang/lib/StaticAnalyzer/Frontend/AnalysisConsumer.cpp:486)
==197546== by 0x90BECB6: runAnalysisOnTranslationUnit (llvm-project/clang/lib/StaticAnalyzer/Frontend/AnalysisConsumer.cpp:558)
==197546== by 0x90BECB6: (anonymous namespace)::AnalysisConsumer::HandleTranslationUnit(clang::ASTContext&) (llvm-project/clang/lib/StaticAnalyzer/Frontend/AnalysisConsumer.cpp:613)
==197546== by 0x6358CB8: clang::ParseAST(clang::Sema&, bool, bool) (llvm-project/clang/lib/Parse/ParseAST.cpp:184)
==197546== by 0x8903A93: clang::FrontendAction::Execute() (llvm-project/clang/lib/Frontend/FrontendAction.cpp:1078)
==197546== by 0x8878A4C: clang::CompilerInstance::ExecuteAction(clang::FrontendAction&) (llvm-project/clang/lib/Frontend/CompilerInstance.cpp:1061)
==197546== by 0x898E5D1: clang::ExecuteCompilerInvocation(clang::CompilerInstance*) (llvm-project/clang/lib/FrontendTool/ExecuteCompilerInvocation.cpp:280)
==197546== Address 0x150a4698 is 24 bytes inside a block of size 88 free'd
==197546== at 0x484A164: operator delete(void*) (in /usr/libexec/valgrind/vgpreload_memcheck-amd64-linux.so)
==197546== by 0x8C5DA12: clang::ento::ExplodedGraph::reclaimRecentlyAllocatedNodes() (llvm-project/clang/lib/StaticAnalyzer/Core/ExplodedGraph.cpp:184)
==197546== by 0x8C672E8: clang::ento::ExprEngine::ProcessStmt(clang::Stmt const*, clang::ento::ExplodedNode*) (llvm-project/clang/lib/StaticAnalyzer/Core/ExprEngine.cpp:1111)
==197546== by 0x8C6724B: clang::ento::ExprEngine::processCFGElement(clang::CFGElement, clang::ento::ExplodedNode*, unsigned int, clang::ento::NodeBuilderContext*) (llvm-project/clang/lib/StaticAnalyzer/Core/ExprEngine.cpp:976)
==197546== by 0x8C4B122: clang::ento::CoreEngine::HandlePostStmt(clang::CFGBlock const*, unsigned int, clang::ento::ExplodedNode*) (llvm-project/clang/lib/StaticAnalyzer/Core/CoreEngine.cpp:484)
==197546== by 0x8C4A0FB: operator() (llvm-project/clang/lib/StaticAnalyzer/Core/CoreEngine.cpp:159)
==197546== by 0x8C4A0FB: clang::ento::CoreEngine::ExecuteWorkList(clang::LocationContext const*, unsigned int, llvm::IntrusiveRefCntPtr<clang::ento::ProgramState const>) (llvm-project/clang/lib/StaticAnalyzer/Core/CoreEngine.cpp:163)
==197546== by 0x90E2F21: ExecuteWorkList (llvm-project/clang/include/clang/StaticAnalyzer/Core/PathSensitive/ExprEngine.h:192)
==197546== by 0x90E2F21: RunPathSensitiveChecks (llvm-project/clang/lib/StaticAnalyzer/Frontend/AnalysisConsumer.cpp:729)
==197546== by 0x90E2F21: (anonymous namespace)::AnalysisConsumer::HandleCode(clang::Decl*, unsigned int, clang::ento::ExprEngine::InliningModes, llvm::DenseSet<clang::Decl const*, llvm::DenseMapInfo<clang::Decl const*, void> >*) (llvm-project/clang/lib/StaticAnalyzer/Frontend/AnalysisConsumer.cpp:699)
==197546== by 0x90BECB6: HandleDeclsCallGraph (llvm-project/clang/lib/StaticAnalyzer/Frontend/AnalysisConsumer.cpp:486)
==197546== by 0x90BECB6: runAnalysisOnTranslationUnit (llvm-project/clang/lib/StaticAnalyzer/Frontend/AnalysisConsumer.cpp:558)
==197546== by 0x90BECB6: (anonymous namespace)::AnalysisConsumer::HandleTranslationUnit(clang::ASTContext&) (llvm-project/clang/lib/StaticAnalyzer/Frontend/AnalysisConsumer.cpp:613)
==197546== by 0x6358CB8: clang::ParseAST(clang::Sema&, bool, bool) (llvm-project/clang/lib/Parse/ParseAST.cpp:184)
==197546== by 0x8903A93: clang::FrontendAction::Execute() (llvm-project/clang/lib/Frontend/FrontendAction.cpp:1078)
==197546== by 0x8878A4C: clang::CompilerInstance::ExecuteAction(clang::FrontendAction&) (llvm-project/clang/lib/Frontend/CompilerInstance.cpp:1061)
==197546== by 0x898E5D1: clang::ExecuteCompilerInvocation(clang::CompilerInstance*) (llvm-project/clang/lib/FrontendTool/ExecuteCompilerInvocation.cpp:280)
```
I have absolutely no idea when nodes should be freed (or what the code does). Tagging some people who show up in git blame -- @cheshire @tkremenek, how to fix?
https://github.com/llvm/llvm-project/pull/102782
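As an added illustration (not LLVM's code, and not part of the thread), the pattern the Valgrind trace describes: a pool that recycles nodes through a free list lets a visitor's stale pointer silently read whatever node now occupies the slot, which is why the use-after-free only surfaced once the allocator was swapped for new/delete. Tagging handles with a generation counter is one way to make such a stale access detectable at the point of use; `NodePool`, `Handle` and the numbers are invented.

```cpp
#include <cstdint>
#include <vector>

// Constructed stand-in for a graph node (ExplodedNode in the trace).
struct Node { int location; };

// A handle remembers the generation of the slot it was issued for.
struct Handle { uint32_t slot; uint32_t generation; };

class NodePool {
    struct Slot { Node node{}; uint32_t generation = 0; bool live = false; };
    std::vector<Slot> slots_;
    std::vector<uint32_t> freeList_;   // reclaimed slots, reused first
public:
    Handle allocate(int location) {
        uint32_t idx;
        if (!freeList_.empty()) { idx = freeList_.back(); freeList_.pop_back(); }
        else { idx = static_cast<uint32_t>(slots_.size()); slots_.emplace_back(); }
        Slot &s = slots_[idx];
        s.node.location = location;
        s.live = true;
        return Handle{idx, s.generation};
    }
    // Reclaiming bumps the generation, so every outstanding handle goes stale.
    void reclaim(Handle h) {
        Slot &s = slots_[h.slot];
        if (!s.live || s.generation != h.generation) return;  // double reclaim
        s.live = false;
        ++s.generation;
        freeList_.push_back(h.slot);
    }
    // nullptr for a handle whose slot was reclaimed (even if already reused).
    const Node *get(Handle h) const {
        const Slot &s = slots_[h.slot];
        if (!s.live || s.generation != h.generation) return nullptr;
        return &s.node;
    }
};

// Scenario from the trace: a visitor keeps a reference across a reclaim that
// recycles the slot for a new node. With raw pointers this read succeeds and
// returns the wrong node; with generation checks it is rejected.
bool staleVisitorReferenceIsRejected() {
    NodePool pool;
    Handle held = pool.allocate(145);   // cached by the visitor
    pool.reclaim(held);                 // reclaimRecentlyAllocatedNodes analogue
    Handle fresh = pool.allocate(999);  // same slot comes back from the free list
    return held.slot == fresh.slot && pool.get(held) == nullptr &&
           pool.get(fresh) != nullptr && pool.get(fresh)->location == 999;
}
```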