SEGV in FormatASTNodeDiagnosticArgument()

[emaste]

Bugzilla Link	35555
Resolution	FIXED
Resolved on	Dec 12, 2017 05:27
Version	trunk
OS	All
Blocks	#34988
Attachments	reproducer
CC	@AaronBallman,@hyp,@DimitryAndric,@pepsiman,@zygoloid

Extended Description

Raw reproducer attached, will try reducing

(lldb) bt

• thread #​1, name = 'c++', stop reason = signal SIGSEGV
  • frame #​0: 0x000000000155c84a c++::FormatASTNodeDiagnosticArgument() at ASTDiagnostic.cpp:396 frame #​1: 0x0000000002516403 c++::FormatDiagnostic() [inlined] ConvertArgToString at Diagnostic.h:701
    frame #​2: 0x00000000025163a8 c++::FormatDiagnostic() at Diagnostic.cpp:895 frame #​3: 0x00000000024e49c2 c++::HandleDiagnostic() at TextDiagnosticPrinter.cpp:118
    frame #​4: 0x0000000001fac1bc c++::ProcessDiag() [inlined] EmitDiag at DiagnosticIDs.cpp:694 frame #​5: 0x0000000001fac19b c++::ProcessDiag() at DiagnosticIDs.cpp:686
    frame #​6: 0x0000000002515ed0 c++::EmitCurrentDiagnostic() [inlined] ProcessDiag at Diagnostic.h:879 frame #​7: 0x0000000002515ec5 c++::EmitCurrentDiagnostic() at Diagnostic.cpp:418
    frame #​8: 0x0000000001633b70 c++::EmitCurrentDiagnostic() at Sema.cpp:1142 frame #​9: 0x0000000001add31e c++::BuildLambdaExpr() at SemaLambda.cpp:1530
    frame #​10: 0x0000000001adcf87 c++::ActOnLambdaExpr() at SemaLambda.cpp:1424 frame #​11: 0x0000000001c536ba c++::ParseLambdaExpressionAfterIntroducer() at ParseExprCXX.cpp:1300
    frame #​12: 0x0000000001c51f36 c++::ParseLambdaExpression() at ParseExprCXX.cpp:685 frame #​13: 0x0000000001c60eaa c++::ParseCastExpression() at ParseExpr.cpp:1411
    frame #​14: 0x0000000001c59f35 c++::ParseAssignmentExpression() [inlined] ParseCastExpression at ParseExpr.cpp:521 frame #​15: 0x0000000001c59f23 c++::ParseAssignmentExpression() at ParseExpr.cpp:168
    frame #​16: 0x0000000001c3b34a c++::ParseDeclarationAfterDeclaratorAndAttributes() [inlined] ParseInitializer at Parser.h:1679 frame #​17: 0x0000000001c3b336 c++::ParseDeclarationAfterDeclaratorAndAttributes() at ParseDecl.cpp:2216
    frame #​18: 0x0000000001c397ca c++::ParseDeclGroup() at ParseDecl.cpp:2006 frame #​19: 0x0000000001c35663 c++::ParseSimpleDeclaration() at ParseDecl.cpp:1738
    frame #​20: 0x0000000001c35247 c++::ParseDeclaration() at Parser.h:0 frame #​21: 0x0000000001c7e6ef c++::ParseStatementOrDeclarationAfterAttributes() at ParseStmt.cpp:214
    frame #​22: 0x0000000001c7e34c c++::ParseStatementOrDeclaration() at ParseStmt.cpp:110 frame #​23: 0x0000000001c85239 c++::ParseCompoundStatementBody() at ParseStmt.cpp:1001
    frame #​24: 0x0000000001c85aff c++::ParseFunctionStatementBody() at ParseStmt.cpp:1967 frame #​25: 0x0000000001be50a4 c++::ParseFunctionDefinition() at Parser.cpp:1212
    frame #​26: 0x0000000001c396d4 c++::ParseDeclGroup() at ParseDecl.cpp:1953 frame #​27: 0x0000000001be4521 c++::ParseDeclOrFunctionDefInternal() at Parser.cpp:979
    frame #​28: 0x0000000001be3e7f c++::ParseDeclarationOrFunctionDefinition() at Parser.cpp:995 frame #​29: 0x0000000001be2eca c++::ParseExternalDeclaration() at Parser.cpp:845
    frame #​30: 0x0000000001c196f7 c++::ParseInnerNamespace() at ParseDeclCXX.cpp:220 frame #​31: 0x0000000001c18fa5 c++::ParseNamespace() at ParseDeclCXX.cpp:195
    frame #​32: 0x0000000001c35112 c++::ParseDeclaration() at ParseDecl.cpp:0 frame #​33: 0x0000000001be248d c++::ParseExternalDeclaration() [inlined] SourceLocation at SourceLocation.h:98
    frame #​34: 0x0000000001be2472 c++::ParseExternalDeclaration() at Parser.cpp:777 frame #​35: 0x0000000001be1c15 c++::ParseTopLevelDecl() at Parser.cpp:613
    frame #​36: 0x0000000001bdd9d5 c++::ParseAST() at ParseAST.cpp:147 frame #​37: 0x000000000162258c c++::Execute() at FrontendAction.cpp:902
    frame #​38: 0x000000000236be01 c++::ExecuteAction() at CompilerInstance.cpp:980 frame #​39: 0x000000000123673e c++::ExecuteCompilerInvocation() at ExecuteCompilerInvocation.cpp:251
    frame #​40: 0x000000000122b763 c++::cc1_main() at cc1_main.cpp:221 frame #​41: 0x0000000001233d68 c++main [inlined] ExecuteCC1Tool at driver.cpp:306
    frame #​42: 0x0000000001233d42 c++main at driver.cpp:387 frame #​43: 0x000000000122b17f c++_start(ap=, cleanup=) at crt1.c:72
    (lldb) frame sel 0
    frame #​0: 0x000000000155c84a c++`::FormatASTNodeDiagnosticArgument() at ASTDiagnostic.cpp:396
    393 Qualified = false;
    394 }
    395 const NamedDecl ND = reinterpret_cast<const NamedDecl>(Val);
    -> 396 ND->getNameForDiagnostic(OS, Context.getPrintingPolicy(), Qualified);
    397 break;
    398 }
    399 case DiagnosticsEngine::ak_nestednamespec: {

[emaste]

assigned to @pepsiman

[emaste]

-Wall is sufficient to trigger the crash - e.g.,
c++ -std=c++11 -Wall -c PADnoteParameters-b670fe.cpp

[DimitryAndric]

Reduced test case:

// clang -cc1 -triple x86_64-- -S -Wall -std=c++11 pr35555-reduced.cpp
int a;
void b() {
int c[a];
[&c] {};
}

I have not yet determined which specific warning is causing this, or when it was introduced.

[DimitryAndric]

Bisection shows this segfault has been introduced with https://reviews.llvm.org/rL291905, which added a warning for unused lambda captures. I have added the committer and reviewers of the original review, https://reviews.llvm.org/D28467.

[DimitryAndric]

What happens in this case is that DiagnoseUnusedLambdaCapture(), on line 1488, gets nullptr as a result from From.getVariable:

1480 void Sema::DiagnoseUnusedLambdaCapture(const LambdaScopeInfo::Capture &From) {
1481 if (CaptureHasSideEffects(From))
1482 return;
1483
1484 auto diag = Diag(From.getLocation(), diag::warn_unused_lambda_capture);
1485 if (From.isThisCapture())
1486 diag << "'this'";
1487 else
1488 diag << From.getVariable();
1489 diag << From.isNonODRUsed();
1490 }

If I add a check for getVariable() returning nullptr, and then output a string "(nullptr)", like this:

void Sema::DiagnoseUnusedLambdaCapture(const LambdaScopeInfo::Capture &From) {
if (CaptureHasSideEffects(From))
return;

auto diag = Diag(From.getLocation(), diag::warn_unused_lambda_capture);
if (From.isThisCapture())
diag << "'this'";
else {
VarDecl *Var = From.getVariable();
if (Var == nullptr)
diag << "(nullptr)";
else
diag << Var;
}
diag << From.isNonODRUsed();
}

the resulting stdout becomes:

pr35555-reduced.cpp:4:9: warning: lambda capture (nullptr) is not used
int c[a];
^
pr35555-reduced.cpp:5:5: warning: lambda capture 'c' is not used
[&c] {};
^
pr35555-reduced.cpp:5:3: warning: expression result unused
[&c] {};
^~~~~~~
3 warnings generated.

So apparently it gets confused by either the VLA or the external 'a', maybe this requires some special cases for printing diagnostics?

[pepsiman]

pr35555-reduced.cpp:4:9: warning: lambda capture (nullptr) is not used
int c[a];
^

This doesn't look useful, let's suppress it:

void Sema::DiagnoseUnusedLambdaCapture(const LambdaScopeInfo::Capture &From) {
if (CaptureHasSideEffects(From))
return;

if (From.isVLATypeCapture))
return;
...

[pepsiman]

void Sema::DiagnoseUnusedLambdaCapture(const LambdaScopeInfo::Capture &From)
{
if (CaptureHasSideEffects(From))
return;

if (From.isVLATypeCapture())

return;

...

[emaste]

if (From.isVLATypeCapture())

return;

Confirmed that this fixes the crash (and I've successfully built the project that demonstrated this).

[DimitryAndric]

*** Bug llvm/llvm-bugzilla-archive#35620 has been marked as a duplicate of this bug. ***

[pepsiman]

Fixed in r320396.

How do I get this merged into 5.0.1?

[AaronBallman]

Fixed in r320396.

How do I get this merged into 5.0.1?

Reply to the commit thread asking for it to be merged to 5.0.1 and CC Tom Stellard (tstellar@redhat.com).

[DimitryAndric]

mentioned in issue llvm/llvm-bugzilla-archive#35620

[pepsiman]

mentioned in issue #34988