
[analyzer] Clang-19 crash: Assertion `isa<To>(Val) && "cast<Ty>() argument of incompatible type!"' failed. #89185

Closed
iamanonymouscs opened this issue Apr 18, 2024 · 1 comment · Fixed by #89265
Labels
clang:static analyzer crash Prefer [crash-on-valid] or [crash-on-invalid]

Comments

@iamanonymouscs

Clang-19 with --analyze -c crashes on the test case.

Compiler explorer (assertions trunk): https://godbolt.org/z/6158W6bqo

$cat mutant.c
void a() {
  char *b = &&c;
  *b = 0;
c:
}

$clang-19 --analyze -c mutant.c
PLEASE submit a bug report to https://github.com/llvm/llvm-project/issues/ and include the crash backtrace, preprocessed source, and associated run script.
Stack dump:
0.      Program arguments: clang-19 --analyze -c mutant.c
1.      <eof> parser at end of file
2.      While analyzing stack: 
        #0 Calling a
3.      mutant.c:3:3: Error evaluating statement
4.      mutant.c:3:3: Error evaluating statement
 #0 0x00007f071759c216 llvm::sys::PrintStackTrace(llvm::raw_ostream&, int) (/usr/lib/llvm-19/bin/../lib/libLLVM.so.19.0+0xdc1216)
 #1 0x00007f0717599ec0 llvm::sys::RunSignalHandlers() (/usr/lib/llvm-19/bin/../lib/libLLVM.so.19.0+0xdbeec0)
 #2 0x00007f071759b5f4 llvm::sys::CleanupOnSignal(unsigned long) (/usr/lib/llvm-19/bin/../lib/libLLVM.so.19.0+0xdc05f4)
 #3 0x00007f07174e9430 (/usr/lib/llvm-19/bin/../lib/libLLVM.so.19.0+0xd0e430)
 #4 0x00007f0721f8b980 __restore_rt (/lib/x86_64-linux-gnu/libpthread.so.0+0x12980)
 #5 0x00007f0720d006f0 clang::ento::MemRegion::getBaseRegion() const (/usr/lib/llvm-19/bin/../lib/libclang-cpp.so.19.0+0x2dcc6f0)
 #6 0x00007f0720d3bb18 (/usr/lib/llvm-19/bin/../lib/libclang-cpp.so.19.0+0x2e07b18)
 #7 0x00007f0720d3a0ed (/usr/lib/llvm-19/bin/../lib/libclang-cpp.so.19.0+0x2e060ed)
 #8 0x00007f0720d31d88 (/usr/lib/llvm-19/bin/../lib/libclang-cpp.so.19.0+0x2dfdd88)
 #9 0x00007f0720d0cf2f clang::ento::ProgramState::bindLoc(clang::ento::Loc, clang::ento::SVal, clang::LocationContext const*, bool) const (/usr/lib/llvm-19/bin/../lib/libclang-cpp.so.19.0+0x2dd8f2f)
#10 0x00007f0720cc72ac clang::ento::ExprEngine::evalBind(clang::ento::ExplodedNodeSet&, clang::Stmt const*, clang::ento::ExplodedNode*, clang::ento::SVal, clang::ento::SVal, bool, clang::ProgramPoint const*) (/usr/lib/llvm-19/bin/../lib/libclang-cpp.so.19.0+0x2d932ac)
#11 0x00007f0720ccf81f clang::ento::ExprEngine::evalStore(clang::ento::ExplodedNodeSet&, clang::Expr const*, clang::Expr const*, clang::ento::ExplodedNode*, llvm::IntrusiveRefCntPtr<clang::ento::ProgramState const>, clang::ento::SVal, clang::ento::SVal, clang::ProgramPointTag const*) (/usr/lib/llvm-19/bin/../lib/libclang-cpp.so.19.0+0x2d9b81f)
#12 0x00007f0720cd8f87 clang::ento::ExprEngine::VisitBinaryOperator(clang::BinaryOperator const*, clang::ento::ExplodedNode*, clang::ento::ExplodedNodeSet&) (/usr/lib/llvm-19/bin/../lib/libclang-cpp.so.19.0+0x2da4f87)
#13 0x00007f0720cc6c53 clang::ento::ExprEngine::Visit(clang::Stmt const*, clang::ento::ExplodedNode*, clang::ento::ExplodedNodeSet&) (/usr/lib/llvm-19/bin/../lib/libclang-cpp.so.19.0+0x2d92c53)
#14 0x00007f0720cc2e13 clang::ento::ExprEngine::ProcessStmt(clang::Stmt const*, clang::ento::ExplodedNode*) (/usr/lib/llvm-19/bin/../lib/libclang-cpp.so.19.0+0x2d8ee13)
#15 0x00007f0720cc2b3f clang::ento::ExprEngine::processCFGElement(clang::CFGElement, clang::ento::ExplodedNode*, unsigned int, clang::ento::NodeBuilderContext*) (/usr/lib/llvm-19/bin/../lib/libclang-cpp.so.19.0+0x2d8eb3f)
#16 0x00007f0720ca9b32 clang::ento::CoreEngine::dispatchWorkItem(clang::ento::ExplodedNode*, clang::ProgramPoint, clang::ento::WorkListUnit const&) (/usr/lib/llvm-19/bin/../lib/libclang-cpp.so.19.0+0x2d75b32)
#17 0x00007f0720ca96d1 clang::ento::CoreEngine::ExecuteWorkList(clang::LocationContext const*, unsigned int, llvm::IntrusiveRefCntPtr<clang::ento::ProgramState const>) (/usr/lib/llvm-19/bin/../lib/libclang-cpp.so.19.0+0x2d756d1)
#18 0x00007f07210ca595 (/usr/lib/llvm-19/bin/../lib/libclang-cpp.so.19.0+0x3196595)
#19 0x00007f07210aa35f (/usr/lib/llvm-19/bin/../lib/libclang-cpp.so.19.0+0x317635f)
#20 0x00007f071eae4076 clang::ParseAST(clang::Sema&, bool, bool) (/usr/lib/llvm-19/bin/../lib/libclang-cpp.so.19.0+0xbb0076)
#21 0x00007f07209e1825 clang::FrontendAction::Execute() (/usr/lib/llvm-19/bin/../lib/libclang-cpp.so.19.0+0x2aad825)
#22 0x00007f072095d0d4 clang::CompilerInstance::ExecuteAction(clang::FrontendAction&) (/usr/lib/llvm-19/bin/../lib/libclang-cpp.so.19.0+0x2a290d4)
#23 0x00007f0720a5af7e clang::ExecuteCompilerInvocation(clang::CompilerInstance*) (/usr/lib/llvm-19/bin/../lib/libclang-cpp.so.19.0+0x2b26f7e)
#24 0x000055be870befad cc1_main(llvm::ArrayRef<char const*>, char const*, void*) (/usr/lib/llvm-19/bin/clang+0x12fad)
#25 0x000055be870bc075 (/usr/lib/llvm-19/bin/clang+0x10075)
#26 0x00007f07205ed439 (/usr/lib/llvm-19/bin/../lib/libclang-cpp.so.19.0+0x26b9439)
#27 0x00007f07174e91dc llvm::CrashRecoveryContext::RunSafely(llvm::function_ref<void ()>) (/usr/lib/llvm-19/bin/../lib/libLLVM.so.19.0+0xd0e1dc)
#28 0x00007f07205ecdfe clang::driver::CC1Command::Execute(llvm::ArrayRef<std::optional<llvm::StringRef>>, std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char>>*, bool*) const (/usr/lib/llvm-19/bin/../lib/libclang-cpp.so.19.0+0x26b8dfe)
#29 0x00007f07205b4901 clang::driver::Compilation::ExecuteCommand(clang::driver::Command const&, clang::driver::Command const*&, bool) const (/usr/lib/llvm-19/bin/../lib/libclang-cpp.so.19.0+0x2680901)
#30 0x00007f07205b4b4e clang::driver::Compilation::ExecuteJobs(clang::driver::JobList const&, llvm::SmallVectorImpl<std::pair<int, clang::driver::Command const*>>&, bool) const (/usr/lib/llvm-19/bin/../lib/libclang-cpp.so.19.0+0x2680b4e)
#31 0x00007f07205d16cc clang::driver::Driver::ExecuteCompilation(clang::driver::Compilation&, llvm::SmallVectorImpl<std::pair<int, clang::driver::Command const*>>&) (/usr/lib/llvm-19/bin/../lib/libclang-cpp.so.19.0+0x269d6cc)
#32 0x000055be870bb9e5 clang_main(int, char**, llvm::ToolContext const&) (/usr/lib/llvm-19/bin/clang+0xf9e5)
#33 0x000055be870c9556 main (/usr/lib/llvm-19/bin/clang+0x1d556)
#34 0x00007f07159d5c87 __libc_start_main /build/glibc-CVJwZb/glibc-2.27/csu/../csu/libc-start.c:344:0
#35 0x000055be870b8bfa _start (/usr/lib/llvm-19/bin/clang+0xcbfa)
clang-19: error: clang frontend command failed with exit code 139 (use -v to see invocation)
Ubuntu clang version 19.0.0 (++20240301064251+dd426fa5f931-1~exp1~20240301184412.1845)
Target: x86_64-pc-linux-gnu
Thread model: posix
InstalledDir: /usr/lib/llvm-19/bin
clang-19: note: diagnostic msg: 
********************

PLEASE ATTACH THE FOLLOWING FILES TO THE BUG REPORT:
Preprocessed source(s) and associated run script(s) are located at:
clang-19: note: diagnostic msg: /tmp/mutant-9d37b7.c
clang-19: note: diagnostic msg: /tmp/mutant-9d37b7.sh
clang-19: note: diagnostic msg: 

********************
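The report above shows the two things a crash triage has to tell apart: the analyzer finishing (with or without warnings) and the analyzer itself dying (the "PLEASE submit a bug report" banner, "Stack dump:", exit code 139). The script below is an added example, not part of the issue or of the LLVM project: a small POSIX sh harness that runs C test cases through the clang static analyzer and classifies each run as crash, error, diagnosed or clean, so a corpus of fuzzer-generated mutants can be swept for analyzer crashes rather than inspected by hand. It assumes a `clang-19` binary on PATH (override with `CLANG=...`) and uses the driver's `--analyzer-output text` option so that results go to stderr instead of a plist file. The reproducer it writes is the `mutant.c` from the report.

```shell
#!/bin/sh
# Added example, not part of the issue or of the LLVM project: triage C test
# cases through the clang static analyzer and separate analyzer crashes from
# ordinary outcomes. Assumes a clang on PATH; the binary name comes from
# $CLANG (default clang-19, matching the report).

CLANG="${CLANG:-clang-19}"

# Write the reproducer from the report to the given path.
write_reproducer() {
    cat > "$1" <<'EOF'
void a() {
  char *b = &&c;
  *b = 0;
c:
}
EOF
}

# Classify one analyzer run from its exit status and captured output.
# Prints exactly one word:
#   crash     - the analyzer itself died (bug-report banner / "Stack dump:",
#               exit 139 in the report above)
#   error     - non-zero exit without a stack dump (e.g. a compile error)
#   diagnosed - exit 0 with at least one analyzer warning
#   clean     - exit 0 and no warnings
classify_run() {
    status="$1"
    output="$2"
    case "$output" in
        *"Stack dump:"*|*"PLEASE submit a bug report"*)
            echo crash
            return 0
            ;;
    esac
    if [ "$status" -ne 0 ]; then
        echo error
        return 0
    fi
    case "$output" in
        *" warning: "*) echo diagnosed ;;
        *)              echo clean ;;
    esac
}

# Run the analyzer on one file with text output (nothing written to disk),
# then classify the result.
analyze_one() {
    file="$1"
    output=$("$CLANG" --analyze -c --analyzer-output text "$file" 2>&1)
    status=$?
    classify_run "$status" "$output"
}

# Print "<class><TAB><file>" for every file given.
triage_files() {
    for f in "$@"; do
        printf '%s\t%s\n' "$(analyze_one "$f")" "$f"
    done
}

# Usage: ./triage.sh file1.c file2.c ...
# With no arguments the script only defines the functions above.
if [ "$#" -gt 0 ]; then
    triage_files "$@"
fi
```

To check a single build against this report, write the reproducer with `write_reproducer mutant.c` and run `./triage.sh mutant.c`: an affected clang-19 prints `crash`, a build carrying the fix referenced above prints `clean` or `diagnosed`. The classification looks for the banner text rather than relying on exit code 139 alone, because the signal number (and therefore the exit code) differs between platforms and crash-recovery settings.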
@EugeneZelenko EugeneZelenko added clang:static analyzer crash Prefer [crash-on-valid] or [crash-on-invalid] and removed new issue labels Apr 18, 2024
@llvmbot
Collaborator

llvmbot commented Apr 18, 2024

@llvm/issue-subscribers-clang-static-analyzer

Author: Anonymous (iamanonymouscs)


steakhal added a commit that referenced this issue Apr 19, 2024
Interestingly, this case crashed from the very beginning of the project,
at least starting by clang-3.

As a "fix" I just do the same thing as we do for concrete integers. It
might not be the best we could do, but arguably, it's still better than
crashing.

Fixes #89185
aniplcc pushed a commit to aniplcc/llvm-project that referenced this issue Apr 21, 2024