[clang][analyzer] ExprEngineCXX Segfault while trying to analyze valid code. #78810

Closed
nyyakko opened this issue Jan 19, 2024 · 3 comments · Fixed by #83585
Labels
clang:static analyzer crash Prefer [crash-on-valid] or [crash-on-invalid]

Comments

@nyyakko
nyyakko commented Jan 19, 2024

Environment: WSL2 with Ubuntu 23.04 @ Windows 10 Pro 21H2

Clang++ Version:

nyyakko@DESKTOP-7N72PNH:/mnt/c/Users/nyako/Git/clangy$ clang++ --version
Ubuntu clang version 18.0.0 (++20240119042255+5f41cef58f72-1~exp1~20240119162419.571)
Target: x86_64-pc-linux-gnu
Thread model: posix
InstalledDir: /usr/bin

Clang-Tidy Version:

nyyakko@DESKTOP-7N72PNH:/mnt/c/Users/nyako/Git/clangy$ clang-tidy --version
Ubuntu LLVM version 18.0.0
  Optimized build.

Snippet to reproduce the crash:

struct S
{
    constexpr auto operator==(this auto, S)
    {
        return true;
    }
};

int main()
{
    return S {} == S {};
}

Backtrace:

PLEASE submit a bug report to https://github.com/llvm/llvm-project/issues/ and include the crash backtrace.
Stack dump:
0.      Program arguments: /usr/bin/clang-tidy --extra-arg=-Wno-unknown-warning-option --extra-arg=-Wno-ignored-optimization-argument --extra-arg=-Wno-unused-command-line-argument -warnings-as-errors=* --use-color --p --extra-arg-before=--driver-mode=g++ /mnt/c/Users/nyako/Git/clangy/clangy/source/main.cpp -- /usr/bin/c++ -I/mnt/c/Users/nyako/Git/clangy/clangy/include -I/mnt/c/Users/nyako/Git/clangy/clangy/include/clangy -g -std=gnu++23 -Werror -Wall -Wextra -Wshadow -Wnon-virtual-dtor -Wold-style-cast -Wcast-align -Wunused -Woverloaded-virtual -Wpedantic -Wconversion -Wsign-conversion -Wnull-dereference -Wdouble-promotion -Wimplicit-fallthrough -MD -MT clangy/CMakeFiles/clangy.dir/source/main.cpp.o -MF clangy/CMakeFiles/clangy.dir/source/main.cpp.o.d -o clangy/CMakeFiles/clangy.dir/source/main.cpp.o -c /mnt/c/Users/nyako/Git/clangy/clangy/source/main.cpp
1.      <eof> parser at end of file
2.      While analyzing stack: 
        #0 Calling main()
3.      /mnt/c/Users/nyako/Git/clangy/clangy/source/main.cpp:11:12: Error evaluating statement
4.      /mnt/c/Users/nyako/Git/clangy/clangy/source/main.cpp:11:12: Error evaluating statement
 #0 0x00007f12fc7bbc36 llvm::sys::PrintStackTrace(llvm::raw_ostream&, int) (/usr/lib/llvm-18/bin/../lib/libLLVM-18.so.1+0xd85c36)
 #1 0x00007f12fc7b9c60 llvm::sys::RunSignalHandlers() (/usr/lib/llvm-18/bin/../lib/libLLVM-18.so.1+0xd83c60)
 #2 0x00007f12fc7bc2fb (/usr/lib/llvm-18/bin/../lib/libLLVM-18.so.1+0xd862fb)
 #3 0x00007f12fb4e5460 (/lib/x86_64-linux-gnu/libc.so.6+0x3c460)
 #4 0x00007f1305c925ca clang::ento::ParamVarRegion::getDecl() const (/usr/lib/llvm-18/bin/../lib/libclang-cpp.so.18+0x2ca15ca)
 #5 0x00007f1305c92547 clang::ento::ParamVarRegion::getValueType() const (/usr/lib/llvm-18/bin/../lib/libclang-cpp.so.18+0x2ca1547)
 #6 0x00007f1305ccbb21 (/usr/lib/llvm-18/bin/../lib/libclang-cpp.so.18+0x2cdab21)
 #7 0x00007f1305cc6ea0 (/usr/lib/llvm-18/bin/../lib/libclang-cpp.so.18+0x2cd5ea0)
 #8 0x00007f1305ca2d97 clang::ento::ProgramState::getSVal(clang::ento::Loc, clang::QualType) const (/usr/lib/llvm-18/bin/../lib/libclang-cpp.so.18+0x2cb1d97)
 #9 0x00007f1305c7ce26 clang::ento::ExprEngine::bindReturnValue(clang::ento::CallEvent const&, clang::LocationContext const*, llvm::IntrusiveRefCntPtr<clang::ento::ProgramState const>) (/usr/lib/llvm-18/bin/../lib/libclang-cpp.so.18+0x2c8be26)
#10 0x00007f1305c73b58 clang::ento::ExprEngine::performTrivialCopy(clang::ento::NodeBuilder&, clang::ento::ExplodedNode*, clang::ento::CallEvent const&) (/usr/lib/llvm-18/bin/../lib/libclang-cpp.so.18+0x2c82b58)
#11 0x00007f1305c76312 clang::ento::ExprEngine::handleConstructor(clang::Expr const*, clang::ento::ExplodedNode*, clang::ento::ExplodedNodeSet&) (/usr/lib/llvm-18/bin/../lib/libclang-cpp.so.18+0x2c85312)
#12 0x00007f1305c5a2de clang::ento::ExprEngine::Visit(clang::Stmt const*, clang::ento::ExplodedNode*, clang::ento::ExplodedNodeSet&) (/usr/lib/llvm-18/bin/../lib/libclang-cpp.so.18+0x2c692de)
#13 0x00007f1305c57bb3 clang::ento::ExprEngine::ProcessStmt(clang::Stmt const*, clang::ento::ExplodedNode*) (/usr/lib/llvm-18/bin/../lib/libclang-cpp.so.18+0x2c66bb3)
#14 0x00007f1305c578df clang::ento::ExprEngine::processCFGElement(clang::CFGElement, clang::ento::ExplodedNode*, unsigned int, clang::ento::NodeBuilderContext*) (/usr/lib/llvm-18/bin/../lib/libclang-cpp.so.18+0x2c668df)
#15 0x00007f1305c3e9b7 clang::ento::CoreEngine::dispatchWorkItem(clang::ento::ExplodedNode*, clang::ProgramPoint, clang::ento::WorkListUnit const&) (/usr/lib/llvm-18/bin/../lib/libclang-cpp.so.18+0x2c4d9b7)
#16 0x00007f1305c3e521 clang::ento::CoreEngine::ExecuteWorkList(clang::LocationContext const*, unsigned int, llvm::IntrusiveRefCntPtr<clang::ento::ProgramState const>) (/usr/lib/llvm-18/bin/../lib/libclang-cpp.so.18+0x2c4d521)
#17 0x00007f130605f5c5 (/usr/lib/llvm-18/bin/../lib/libclang-cpp.so.18+0x306e5c5)
#18 0x00007f130603f634 (/usr/lib/llvm-18/bin/../lib/libclang-cpp.so.18+0x304e634)
#19 0x00007f13059d2bac clang::MultiplexConsumer::HandleTranslationUnit(clang::ASTContext&) (/usr/lib/llvm-18/bin/../lib/libclang-cpp.so.18+0x29e1bac)
#20 0x00007f1303b71496 clang::ParseAST(clang::Sema&, bool, bool) (/usr/lib/llvm-18/bin/../lib/libclang-cpp.so.18+0xb80496)
#21 0x00007f1305996b05 clang::FrontendAction::Execute() (/usr/lib/llvm-18/bin/../lib/libclang-cpp.so.18+0x29a5b05)
#22 0x00007f130590dc74 clang::CompilerInstance::ExecuteAction(clang::FrontendAction&) (/usr/lib/llvm-18/bin/../lib/libclang-cpp.so.18+0x291cc74)
#23 0x00007f1305b85aa1 clang::tooling::FrontendActionFactory::runInvocation(std::shared_ptr<clang::CompilerInvocation>, clang::FileManager*, std::shared_ptr<clang::PCHContainerOperations>, clang::DiagnosticConsumer*) (/usr/lib/llvm-18/bin/../lib/libclang-cpp.so.18+0x2b94aa1)
#24 0x0000556863258601 (/usr/bin/clang-tidy+0x1356601)
#25 0x00007f1305b8581f clang::tooling::ToolInvocation::runInvocation(char const*, clang::driver::Compilation*, std::shared_ptr<clang::CompilerInvocation>, std::shared_ptr<clang::PCHContainerOperations>) (/usr/lib/llvm-18/bin/../lib/libclang-cpp.so.18+0x2b9481f)
#26 0x00007f1305b846b4 clang::tooling::ToolInvocation::run() (/usr/lib/llvm-18/bin/../lib/libclang-cpp.so.18+0x2b936b4)
#27 0x00007f1305b876e5 clang::tooling::ClangTool::run(clang::tooling::ToolAction*) (/usr/lib/llvm-18/bin/../lib/libclang-cpp.so.18+0x2b966e5)
#28 0x0000556863254797 clang::tidy::runClangTidy(clang::tidy::ClangTidyContext&, clang::tooling::CompilationDatabase const&, llvm::ArrayRef<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char>>>, llvm::IntrusiveRefCntPtr<llvm::vfs::OverlayFileSystem>, bool, bool, llvm::StringRef) (/usr/bin/clang-tidy+0x1352797)
#29 0x00005568625fae3f clang::tidy::clangTidyMain(int, char const**) (/usr/bin/clang-tidy+0x6f8e3f)
#30 0x00007f12fb4cca90 (/lib/x86_64-linux-gnu/libc.so.6+0x23a90)
#31 0x00007f12fb4ccb49 __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x23b49)
#32 0x00005568625f6205 _start (/usr/bin/clang-tidy+0x6f4205)
Segmentation fault
@EugeneZelenko EugeneZelenko added clang:static analyzer crash Prefer [crash-on-valid] or [crash-on-invalid] and removed clang-tidy labels Jan 19, 2024
@llvmbot
Member

llvmbot commented Jan 19, 2024

@llvm/issue-subscribers-clang-static-analyzer

Author: nyako (nyyakko)

@mzyKi
Contributor

mzyKi commented Mar 1, 2024

I can't reproduce this crash. Could you give me more details about this? @nyyakko
EDIT: I have reproduced it in the latest version.

@Snape3058
Member

Snape3058 commented Mar 1, 2024

Reproduced in the latest version.

#0  0x00007fffed5bb00b in raise () from /lib/x86_64-linux-gnu/libc.so.6
#1  0x00007fffed59a859 in abort () from /lib/x86_64-linux-gnu/libc.so.6
#2  0x00007fffe2a01399 in std::__replacement_assert (__function=0x7fffe278f700 "_Tp &std::_Optional_base_impl<unsigned int, std::_Optional_base<unsigned int, true, true>>::_M_get() [_Tp = unsigned int, _Dp = std::_Optional_base<unsigned int, true, true>]", __condition=0x7fffe27a2397 "this->_M_is_engaged()")
#3  0x00007fffe2bf97d4 in std::_Optional_base_impl<unsigned int, std::_Optional_base<unsigned int, true, true> >::_M_get (this=0x7fffffff79c8)
#4  0x00007fffe2ccba25 in std::optional<unsigned int>::operator*() && (this=0x7fffffff79c8)
#5  0x00007fffe2cc3d8a in clang::ento::ExprEngine::computeObjectUnderConstruction(clang::Expr const*, llvm::IntrusiveRefCntPtr<clang::ento::ProgramState const>, clang::ento::NodeBuilderContext const*, clang::LocationContext const*, clang::ConstructionContext const*, clang::ento::EvalCallOptions&, unsigned int)::$_0::operator()(clang::ento::CallEventRef<clang::ento::CallEvent>) const (this=0x7fffffff7c38, Caller=...)
    at /path/to/llvm-project/clang/lib/StaticAnalyzer/Core/ExprEngineCXX.cpp:358
#6  0x00007fffe2cc38a9 in clang::ento::ExprEngine::computeObjectUnderConstruction (this=0x7fffffffa4e8, E=0x55555570aff8, State=..., BldrCtx=0x7fffffff9e88, LCtx=0x5555556da660, CC=0x55555570e740, CallOpts=..., 
    Idx=0) at /path/to/llvm-project/clang/lib/StaticAnalyzer/Core/ExprEngineCXX.cpp:368
#7  0x00007fffe2cc9f81 in clang::ento::ExprEngine::handleConstructionContext (this=0x7fffffffa4e8, E=0x55555570aff8, State=..., BldrCtx=0x7fffffff9e88, LCtx=0x5555556da660, CC=0x55555570e740, CallOpts=..., Idx=0)
    at /path/to/llvm-project/clang/include/clang/StaticAnalyzer/Core/PathSensitive/ExprEngine.h:751
#8  0x00007fffe2cc5445 in clang::ento::ExprEngine::handleConstructor (this=0x7fffffffa4e8, E=0x55555570aff8, Pred=0x555555716998, destNodes=...)
    at /path/to/llvm-project/clang/lib/StaticAnalyzer/Core/ExprEngineCXX.cpp:665
#9  0x00007fffe2cc67bd in clang::ento::ExprEngine::VisitCXXConstructExpr (this=0x7fffffffa4e8, CE=0x55555570aff8, Pred=0x555555716998, Dst=...)
    at /path/to/llvm-project/clang/lib/StaticAnalyzer/Core/ExprEngineCXX.cpp:847
#10 0x00007fffe2c79976 in clang::ento::ExprEngine::Visit (this=0x7fffffffa4e8, S=0x55555570aff8, Pred=0x555555716998, DstTop=...)
    at /path/to/llvm-project/clang/lib/StaticAnalyzer/Core/ExprEngine.cpp:2161
#11 0x00007fffe2c76499 in clang::ento::ExprEngine::ProcessStmt (this=0x7fffffffa4e8, currStmt=0x55555570aff8, Pred=0x555555716860)
    at /path/to/llvm-project/clang/lib/StaticAnalyzer/Core/ExprEngine.cpp:1131
#12 0x00007fffe2c761ad in clang::ento::ExprEngine::processCFGElement (this=0x7fffffffa4e8, E=..., Pred=0x555555716860, StmtIdx=6, Ctx=0x7fffffff9e88)
    at /path/to/llvm-project/clang/lib/StaticAnalyzer/Core/ExprEngine.cpp:976
#13 0x00007fffe2c3b47f in clang::ento::CoreEngine::HandlePostStmt (this=0x7fffffffa510, B=0x55555570e5a0, StmtIdx=6, Pred=0x555555716860)
    at /path/to/llvm-project/clang/lib/StaticAnalyzer/Core/CoreEngine.cpp:496
#14 0x00007fffe2c3ac40 in clang::ento::CoreEngine::dispatchWorkItem (this=0x7fffffffa510, Pred=0x555555716860, Loc=..., WU=...)
    at /path/to/llvm-project/clang/lib/StaticAnalyzer/Core/CoreEngine.cpp:220
#15 0x00007fffe2c3a8b7 in clang::ento::CoreEngine::ExecuteWorkList(clang::LocationContext const*, unsigned int, llvm::IntrusiveRefCntPtr<clang::ento::ProgramState const>)::$_0::operator()(unsigned int) const (
    this=0x7fffffffa2c0, MaxSteps=225000) at /path/to/llvm-project/clang/lib/StaticAnalyzer/Core/CoreEngine.cpp:159
#16 0x00007fffe2c3a5b4 in clang::ento::CoreEngine::ExecuteWorkList (this=0x7fffffffa510, L=0x5555556da660, MaxSteps=225000, InitState=...)
    at /path/to/llvm-project/clang/lib/StaticAnalyzer/Core/CoreEngine.cpp:163
#17 0x00007fffebd333fe in clang::ento::ExprEngine::ExecuteWorkList (this=0x7fffffffa4e8, L=0x5555556da660, Steps=225000)
    at /path/to/llvm-project/clang/include/clang/StaticAnalyzer/Core/PathSensitive/ExprEngine.h:190
#18 0x00007fffebcc0a43 in (anonymous namespace)::AnalysisConsumer::RunPathSensitiveChecks (this=0x55555564aaf0, D=0x5555556ea850, IMode=clang::ento::ExprEngine::Inline_Regular, VisitedCallees=0x7fffffffaa68)
    at /path/to/llvm-project/clang/lib/StaticAnalyzer/Frontend/AnalysisConsumer.cpp:727
#19 0x00007fffebcc058e in (anonymous namespace)::AnalysisConsumer::HandleCode (this=0x55555564aaf0, D=0x5555556ea850, Mode=2, IMode=clang::ento::ExprEngine::Inline_Regular, VisitedCallees=0x7fffffffaa68)
    at /path/to/llvm-project/clang/lib/StaticAnalyzer/Frontend/AnalysisConsumer.cpp:697
#20 0x00007fffebc43fe8 in (anonymous namespace)::AnalysisConsumer::HandleDeclsCallGraph (this=0x55555564aaf0, LocalTUDeclsSize=3)
    at /path/to/llvm-project/clang/lib/StaticAnalyzer/Frontend/AnalysisConsumer.cpp:486
#21 0x00007fffebc42ce3 in (anonymous namespace)::AnalysisConsumer::runAnalysisOnTranslationUnit (this=0x55555564aaf0, C=...)
    at /path/to/llvm-project/clang/lib/StaticAnalyzer/Frontend/AnalysisConsumer.cpp:557
#22 0x00007fffebc4277e in (anonymous namespace)::AnalysisConsumer::HandleTranslationUnit (this=0x55555564aaf0, C=...)
    at /path/to/llvm-project/clang/lib/StaticAnalyzer/Frontend/AnalysisConsumer.cpp:612

const TypedValueRegion *TVR = Caller->getParameterLocation(
    *Caller->getAdjustedParameterIndex(Idx), BldrCtx->blockCount());

Call to Caller->getAdjustedParameterIndex(Idx) returns an empty std::optional.
If assertions are enabled, the dereference operator call will trigger an assertion failure.

Otherwise, the dereference will return an invalid value and continue. The call to Caller->getParameterLocation then will return a parameter region with the invalid index. The execution will continue normally until the invalid value is used in performTrivialCopy->bindReturnValue later.

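The failure mode described in the comment above, an unconditional dereference of a `std::optional` that is empty for the explicit object argument of `operator==(this auto, S)`, is easy to reproduce in miniature. The following is an added illustration written for this page; it is not the analyzer's code and does not use its `CallEvent` API. `Callee`, `adjustedParameterIndex`, `parameterName` and `describeArguments` are constructed stand-ins that keep only the contract relevant here: an argument index maps to a declared-parameter index, or to `nullopt` when no parameter corresponds to it. The hardened lookup propagates the empty case instead of dereferencing it, which is the behaviour a reviewer would want wherever `getAdjustedParameterIndex` is consumed.

```cpp
#include <cassert>
#include <iostream>
#include <optional>
#include <string>
#include <vector>

// Constructed toy model (not the analyzer's CallEvent): a callee with its
// declared, non-object parameters and a flag saying whether argument slot 0
// is an explicit object parameter (`this auto`), as in the reproducer.
struct Callee {
    std::vector<std::string> params;      // declared parameters, object excluded
    bool hasExplicitObjectParam = false;  // argument 0 is `this auto`
};

// Same contract as getAdjustedParameterIndex in the report: map an argument
// index to a declared-parameter index, or nullopt when no declared parameter
// corresponds to it (the explicit object argument, or an out-of-range index).
std::optional<unsigned> adjustedParameterIndex(const Callee& c, unsigned argIdx) {
    if (c.hasExplicitObjectParam) {
        if (argIdx == 0)
            return std::nullopt;  // the object argument has no declared parameter
        --argIdx;
    }
    if (argIdx >= c.params.size())
        return std::nullopt;
    return argIdx;
}

// Hardened lookup. The reported code did the equivalent of
// `params[*adjustedParameterIndex(c, argIdx)]` unconditionally: with
// assertions on that aborts in operator*, with NDEBUG it reads an
// indeterminate index and the damage surfaces several frames later
// (performTrivialCopy -> bindReturnValue in the backtrace). Here the absent
// case is returned to the caller as nullopt instead.
std::optional<std::string> parameterName(const Callee& c, unsigned argIdx) {
    const std::optional<unsigned> idx = adjustedParameterIndex(c, argIdx);
    if (!idx)
        return std::nullopt;
    return c.params[*idx];
}

// Describe each of `argCount` arguments of a call, labelling the ones with no
// declared parameter rather than failing on them.
std::vector<std::string> describeArguments(const Callee& c, unsigned argCount) {
    std::vector<std::string> out;
    for (unsigned i = 0; i < argCount; ++i) {
        if (std::optional<std::string> name = parameterName(c, i))
            out.push_back("arg" + std::to_string(i) + " -> " + *name);
        else if (c.hasExplicitObjectParam && i == 0)
            out.push_back("arg0 -> <explicit object parameter>");
        else
            out.push_back("arg" + std::to_string(i) + " -> <no parameter>");
    }
    return out;
}

int main() {
    // The reproducer: `S{} == S{}` calls `operator==(this auto, S)` with two
    // arguments, and only the second one has a declared parameter.
    const Callee eq{{"rhs"}, true};
    assert(!adjustedParameterIndex(eq, 0).has_value());
    assert(adjustedParameterIndex(eq, 1) == 0u);
    for (const std::string& line : describeArguments(eq, 2))
        std::cout << line << '\n';
    return 0;
}
```

The point of returning `std::optional<std::string>` from `parameterName` rather than a reference is that the "no parameter" case stays visible in the type at every call site, so a caller cannot forget it the way a bare `*opt` lets you.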
@mzyKi mzyKi self-assigned this Mar 1, 2024
@mzyKi mzyKi removed their assignment Mar 1, 2024
@whisperity whisperity changed the title LLVM18/Clang-Tidy: Segfault while trying to analyze valid code. [clang][analyzer] ExprEngineCXX Segfault while trying to analyze valid code. Mar 1, 2024
steakhal pushed a commit that referenced this issue Mar 6, 2024
…edParameterIndex() (#83585)

Fixes #78810 
Thanks for Snape3058's comment

---------

Co-authored-by: miaozhiyuan <[email protected]>