[clang static analyzer] Crash in printReferrer(const clang::ento::MemRegion*): Assertion `false && "Unexpected referrer region type."' failed. #107852

tianxinghe · 2024-09-09T12:08:59Z

commit 3e47883 (HEAD -> main, origin/main, origin/HEAD)
Author: Giulio Eulisse [email protected]
Date: Thu Sep 5 10:16:51 2024 +0200

Recover performance loss after PagedVector introduction (#67972)

clang --analyze
code.zip

clang: /home/htx/Documents/llvm19/llvm-project/clang/lib/StaticAnalyzer/Checkers/StackAddrEscapeChecker.cpp:341: std::optional<std::__cxx11::basic_string<char> > printReferrer(const clang::ento::MemRegion*): Assertion `false && "Unexpected referrer region type."' failed.
PLEASE submit a bug report to https://github.com/llvm/llvm-project/issues/ and include the crash backtrace, preprocessed source, and associated run script.
Stack dump:
0.	Program arguments: /home/htx/Documents/llvm19/build-clang/bin/clang --analyze 4.c
1.	<eof> parser at end of file
2.	While analyzing stack: 
	#0 Calling func4 at line 1558
	#1 Calling main
 #0 0x000063c6f904aaef llvm::sys::PrintStackTrace(llvm::raw_ostream&, int) (.localalias) (/home/htx/Documents/llvm19/build-clang/bin/clang+0x486caef)
 #1 0x000063c6f9048b3c llvm::sys::CleanupOnSignal(unsigned long) (/home/htx/Documents/llvm19/build-clang/bin/clang+0x486ab3c)
 #2 0x000063c6f8f8f148 CrashRecoverySignalHandler(int) (/home/htx/Documents/llvm19/build-clang/bin/clang+0x47b1148)
 #3 0x0000728d79c42520 (/lib/x86_64-linux-gnu/libc.so.6+0x42520)
 #4 0x0000728d79c969fc pthread_kill (/lib/x86_64-linux-gnu/libc.so.6+0x969fc)
 #5 0x0000728d79c42476 raise (/lib/x86_64-linux-gnu/libc.so.6+0x42476)
 #6 0x0000728d79c287f3 abort (/lib/x86_64-linux-gnu/libc.so.6+0x287f3)
 #7 0x0000728d79c2871b (/lib/x86_64-linux-gnu/libc.so.6+0x2871b)
 #8 0x0000728d79c39e96 (/lib/x86_64-linux-gnu/libc.so.6+0x39e96)
 #9 0x000063c6fc7958ad printReferrer[abi:cxx11](clang::ento::MemRegion const*) (.localalias) /home/htx/Documents/llvm19/llvm-project/clang/lib/StaticAnalyzer/Checkers/StackAddrEscapeChecker.cpp:345:3
#10 0x000063c6fc79634f (anonymous namespace)::StackAddrEscapeChecker::checkEndFunction(clang::ReturnStmt const*, clang::ento::CheckerContext&) const /home/htx/Documents/llvm19/llvm-project/clang/lib/StaticAnalyzer/Checkers/StackAddrEscapeChecker.cpp:517:10
#11 0x000063c6fc796c18 void clang::ento::check::EndFunction::_checkEndFunction<(anonymous namespace)::StackAddrEscapeChecker>(void*, clang::ReturnStmt const*, clang::ento::CheckerContext&) /home/htx/Documents/llvm19/llvm-project/clang/include/clang/StaticAnalyzer/Core/Checker.h:258:3
#12 0x000063c6fcba5996 clang::ento::CheckerFn<void (clang::ReturnStmt const*, clang::ento::CheckerContext&)>::operator()(clang::ReturnStmt const*, clang::ento::CheckerContext&) const /home/htx/Documents/llvm19/llvm-project/clang/include/clang/StaticAnalyzer/Core/CheckerManager.h:72:29
#13 0x000063c6fcb9f69a clang::ento::CheckerManager::runCheckersForEndFunction(clang::ento::NodeBuilderContext&, clang::ento::ExplodedNodeSet&, clang::ento::ExplodedNode*, clang::ento::ExprEngine&, clang::ReturnStmt const*) /home/htx/Documents/llvm19/llvm-project/clang/lib/StaticAnalyzer/Core/CheckerManager.cpp:456:30
#14 0x000063c6fcbfd944 clang::ento::ExprEngine::processEndOfFunction(clang::ento::NodeBuilderContext&, clang::ento::ExplodedNode*, clang::ReturnStmt const*) /home/htx/Documents/llvm19/llvm-project/clang/lib/StaticAnalyzer/Core/ExprEngine.cpp:2986:30
#15 0x000063c6fcbbea30 clang::ento::CoreEngine::HandleBlockEdge(clang::BlockEdge const&, clang::ento::ExplodedNode*) (.localalias) /home/htx/Documents/llvm19/llvm-project/clang/lib/StaticAnalyzer/Core/CoreEngine.cpp:276:5
#16 0x000063c6fcbbe308 clang::ento::CoreEngine::dispatchWorkItem(clang::ento::ExplodedNode*, clang::ProgramPoint, clang::ento::WorkListUnit const&) (.localalias) /home/htx/Documents/llvm19/llvm-project/clang/lib/StaticAnalyzer/Core/CoreEngine.cpp:188:7
#17 0x000063c6fcbbdcf5 clang::ento::CoreEngine::ExecuteWorkList(clang::LocationContext const*, unsigned int, llvm::IntrusiveRefCntPtr<clang::ento::ProgramState const>)::'lambda'(unsigned int)::operator()(unsigned int) const /home/htx/Documents/llvm19/llvm-project/clang/lib/StaticAnalyzer/Core/CoreEngine.cpp:159:23
#18 0x000063c6fcbbe0f2 clang::ento::CoreEngine::ExecuteWorkList(clang::LocationContext const*, unsigned int, llvm::IntrusiveRefCntPtr<clang::ento::ProgramState const>) /home/htx/Documents/llvm19/llvm-project/clang/lib/StaticAnalyzer/Core/CoreEngine.cpp:163:41
#19 0x000063c6fc0daf7e clang::ento::ExprEngine::ExecuteWorkList(clang::LocationContext const*, unsigned int) /home/htx/Documents/llvm19/llvm-project/clang/include/clang/StaticAnalyzer/Core/PathSensitive/ExprEngine.h:192:34
#20 0x000063c6fc064fd1 (anonymous namespace)::AnalysisConsumer::RunPathSensitiveChecks(clang::Decl*, clang::ento::ExprEngine::InliningModes, llvm::DenseSet<clang::Decl const*, llvm::DenseMapInfo<clang::Decl const*, void> >*) /home/htx/Documents/llvm19/llvm-project/clang/lib/StaticAnalyzer/Frontend/AnalysisConsumer.cpp:731:22
#21 0x000063c6fc064d23 (anonymous namespace)::AnalysisConsumer::HandleCode(clang::Decl*, unsigned int, clang::ento::ExprEngine::InliningModes, llvm::DenseSet<clang::Decl const*, llvm::DenseMapInfo<clang::Decl const*, void> >*) /home/htx/Documents/llvm19/llvm-project/clang/lib/StaticAnalyzer/Frontend/AnalysisConsumer.cpp:700:5
#22 0x000063c6fc063d3c (anonymous namespace)::AnalysisConsumer::HandleDeclsCallGraph(unsigned int) /home/htx/Documents/llvm19/llvm-project/clang/lib/StaticAnalyzer/Frontend/AnalysisConsumer.cpp:490:31
#23 0x000063c6fc0642d8 (anonymous namespace)::AnalysisConsumer::runAnalysisOnTranslationUnit(clang::ASTContext&) /home/htx/Documents/llvm19/llvm-project/clang/lib/StaticAnalyzer/Frontend/AnalysisConsumer.cpp:561:48
#24 0x000063c6fc064648 (anonymous namespace)::AnalysisConsumer::HandleTranslationUnit(clang::ASTContext&) /home/htx/Documents/llvm19/llvm-project/clang/lib/StaticAnalyzer/Frontend/AnalysisConsumer.cpp:616:74
#25 0x000063c6fcdd28ad clang::ParseAST(clang::Sema&, bool, bool) (.localalias) /home/htx/Documents/llvm19/llvm-project/clang/lib/Parse/ParseAST.cpp:191:14
#26 0x000063c6fa2544e6 clang::ASTFrontendAction::ExecuteAction() (.localalias) /home/htx/Documents/llvm19/llvm-project/clang/lib/Frontend/FrontendAction.cpp:1192:11
#27 0x000063c6fa253da0 clang::FrontendAction::Execute() /home/htx/Documents/llvm19/llvm-project/clang/lib/Frontend/FrontendAction.cpp:1082:38
#28 0x000063c6fa159a90 clang::CompilerInstance::ExecuteAction(clang::FrontendAction&) (.localalias) /home/htx/Documents/llvm19/llvm-project/clang/lib/Frontend/CompilerInstance.cpp:1061:42
#29 0x000063c6fa416209 clang::ExecuteCompilerInvocation(clang::CompilerInstance*) /home/htx/Documents/llvm19/llvm-project/clang/lib/FrontendTool/ExecuteCompilerInvocation.cpp:280:38
#30 0x000063c6f652a124 cc1_main(llvm::ArrayRef<char const*>, char const*, void*) /home/htx/Documents/llvm19/llvm-project/clang/tools/driver/cc1_main.cpp:285:40
#31 0x000063c6f651c6d8 ExecuteCC1Tool(llvm::SmallVectorImpl<char const*>&, llvm::ToolContext const&) /home/htx/Documents/llvm19/llvm-project/clang/tools/driver/driver.cpp:215:20
#32 0x000063c6f651c8ee clang_main(int, char**, llvm::ToolContext const&)::'lambda'(llvm::SmallVectorImpl<char const*>&)::operator()(llvm::SmallVectorImpl<char const*>&) const /home/htx/Documents/llvm19/llvm-project/clang/tools/driver/driver.cpp:356:5
#33 0x000063c6f651df8b int llvm::function_ref<int (llvm::SmallVectorImpl<char const*>&)>::callback_fn<clang_main(int, char**, llvm::ToolContext const&)::'lambda'(llvm::SmallVectorImpl<char const*>&)>(long, llvm::SmallVectorImpl<char const*>&) /home/htx/Documents/llvm19/install/include/llvm/ADT/STLFunctionalExtras.h:47:3
#34 0x000063c6f9f951dd llvm::function_ref<int (llvm::SmallVectorImpl<char const*>&)>::operator()(llvm::SmallVectorImpl<char const*>&) const /home/htx/Documents/llvm19/install/include/llvm/ADT/STLFunctionalExtras.h:69:3
#35 0x000063c6f9f93ac0 clang::driver::CC1Command::Execute(llvm::ArrayRef<std::optional<llvm::StringRef> >, std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >*, bool*) const::'lambda'()::operator()() const /home/htx/Documents/llvm19/llvm-project/clang/lib/Driver/Job.cpp:440:32
#36 0x000063c6f9f93f7d void llvm::function_ref<void ()>::callback_fn<clang::driver::CC1Command::Execute(llvm::ArrayRef<std::optional<llvm::StringRef> >, std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >*, bool*) const::'lambda'()>(long) /home/htx/Documents/llvm19/install/include/llvm/ADT/STLFunctionalExtras.h:46:40
#37 0x000063c6f8f8f5c7 llvm::CrashRecoveryContext::RunSafely(llvm::function_ref<void ()>) (.localalias) (/home/htx/Documents/llvm19/build-clang/bin/clang+0x47b15c7)
#38 0x000063c6f9f93cdd clang::driver::CC1Command::Execute(llvm::ArrayRef<std::optional<llvm::StringRef> >, std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >*, bool*) const (.localalias) /home/htx/Documents/llvm19/llvm-project/clang/lib/Driver/Job.cpp:440:7
#39 0x000063c6f9f2657e clang::driver::Compilation::ExecuteCommand(clang::driver::Command const&, clang::driver::Command const*&, bool) const (.localalias) /home/htx/Documents/llvm19/llvm-project/clang/lib/Driver/Compilation.cpp:199:22
#40 0x000063c6f9f2690c clang::driver::Compilation::ExecuteJobs(clang::driver::JobList const&, llvm::SmallVectorImpl<std::pair<int, clang::driver::Command const*> >&, bool) const /home/htx/Documents/llvm19/llvm-project/clang/lib/Driver/Compilation.cpp:253:62
#41 0x000063c6f9f3a349 clang::driver::Driver::ExecuteCompilation(clang::driver::Compilation&, llvm::SmallVectorImpl<std::pair<int, clang::driver::Command const*> >&) /home/htx/Documents/llvm19/llvm-project/clang/lib/Driver/Driver.cpp:1946:28
#42 0x000063c6f651daca clang_main(int, char**, llvm::ToolContext const&) /home/htx/Documents/llvm19/llvm-project/clang/tools/driver/driver.cpp:391:39
#43 0x000063c6f6555a1a main /home/htx/Documents/llvm19/build-clang/tools/driver/clang-driver.cpp:17:20
#44 0x0000728d79c29d90 (/lib/x86_64-linux-gnu/libc.so.6+0x29d90)
#45 0x0000728d79c29e40 __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x29e40)
#46 0x000063c6f651ba95 _start (/home/htx/Documents/llvm19/build-clang/bin/clang+0x1d3da95)
clang: error: clang frontend command failed with exit code 134 (use -v to see invocation)

The text was updated successfully, but these errors were encountered:

llvmbot · 2024-09-09T16:25:39Z

@llvm/issue-subscribers-clang-static-analyzer

Author: Tianxing He (tianxinghe)

commit 3e47883 (HEAD -> main, origin/main, origin/HEAD) Author: Giulio Eulisse <[email protected]> Date: Thu Sep 5 10:16:51 2024 +0200

Recover performance loss after PagedVector introduction (#<!-- -->67972)

clang --analyze
code.zip

clang: /home/htx/Documents/llvm19/llvm-project/clang/lib/StaticAnalyzer/Checkers/StackAddrEscapeChecker.cpp:341: std::optional<std::__cxx11::basic_string<char> > printReferrer(const clang::ento::MemRegion*): Assertion `false && "Unexpected referrer region type."' failed.
PLEASE submit a bug report to https://github.com/llvm/llvm-project/issues/ and include the crash backtrace, preprocessed source, and associated run script.
Stack dump:
0. Program arguments: /home/htx/Documents/llvm19/build-clang/bin/clang --analyze 4.c

<eof> parser at end of file
While analyzing stack:
#0 Calling func4 at line 1558
#1 Calling main
#0 0x000063c6f904aaef llvm::sys::PrintStackTrace(llvm::raw_ostream&, int) (.localalias) (/home/htx/Documents/llvm19/build-clang/bin/clang+0x486caef)
#1 0x000063c6f9048b3c llvm::sys::CleanupOnSignal(unsigned long) (/home/htx/Documents/llvm19/build-clang/bin/clang+0x486ab3c)
#2 0x000063c6f8f8f148 CrashRecoverySignalHandler(int) (/home/htx/Documents/llvm19/build-clang/bin/clang+0x47b1148)
#3 0x0000728d79c42520 (/lib/x86_64-linux-gnu/libc.so.6+0x42520)
#4 0x0000728d79c969fc pthread_kill (/lib/x86_64-linux-gnu/libc.so.6+0x969fc)
#5 0x0000728d79c42476 raise (/lib/x86_64-linux-gnu/libc.so.6+0x42476)
#6 0x0000728d79c287f3 abort (/lib/x86_64-linux-gnu/libc.so.6+0x287f3)
#7 0x0000728d79c2871b (/lib/x86_64-linux-gnu/libc.so.6+0x2871b)
#8 0x0000728d79c39e96 (/lib/x86_64-linux-gnu/libc.so.6+0x39e96)
#9 0x000063c6fc7958ad printReferrer[abi:cxx11](clang::ento::MemRegion const*) (.localalias) /home/htx/Documents/llvm19/llvm-project/clang/lib/StaticAnalyzer/Checkers/StackAddrEscapeChecker.cpp:345:3
#10 0x000063c6fc79634f (anonymous namespace)::StackAddrEscapeChecker::checkEndFunction(clang::ReturnStmt const*, clang::ento::CheckerContext&) const /home/htx/Documents/llvm19/llvm-project/clang/lib/StaticAnalyzer/Checkers/StackAddrEscapeChecker.cpp:517:10
#11 0x000063c6fc796c18 void clang::ento::check::EndFunction::_checkEndFunction<(anonymous namespace)::StackAddrEscapeChecker>(void*, clang::ReturnStmt const*, clang::ento::CheckerContext&) /home/htx/Documents/llvm19/llvm-project/clang/include/clang/StaticAnalyzer/Core/Checker.h:258:3
#12 0x000063c6fcba5996 clang::ento::CheckerFn<void (clang::ReturnStmt const*, clang::ento::CheckerContext&)>::operator()(clang::ReturnStmt const*, clang::ento::CheckerContext&) const /home/htx/Documents/llvm19/llvm-project/clang/include/clang/StaticAnalyzer/Core/CheckerManager.h:72:29
#13 0x000063c6fcb9f69a clang::ento::CheckerManager::runCheckersForEndFunction(clang::ento::NodeBuilderContext&, clang::ento::ExplodedNodeSet&, clang::ento::ExplodedNode*, clang::ento::ExprEngine&, clang::ReturnStmt const*) /home/htx/Documents/llvm19/llvm-project/clang/lib/StaticAnalyzer/Core/CheckerManager.cpp:456:30
#14 0x000063c6fcbfd944 clang::ento::ExprEngine::processEndOfFunction(clang::ento::NodeBuilderContext&, clang::ento::ExplodedNode*, clang::ReturnStmt const*) /home/htx/Documents/llvm19/llvm-project/clang/lib/StaticAnalyzer/Core/ExprEngine.cpp:2986:30
#15 0x000063c6fcbbea30 clang::ento::CoreEngine::HandleBlockEdge(clang::BlockEdge const&, clang::ento::ExplodedNode*) (.localalias) /home/htx/Documents/llvm19/llvm-project/clang/lib/StaticAnalyzer/Core/CoreEngine.cpp:276:5
#16 0x000063c6fcbbe308 clang::ento::CoreEngine::dispatchWorkItem(clang::ento::ExplodedNode*, clang::ProgramPoint, clang::ento::WorkListUnit const&) (.localalias) /home/htx/Documents/llvm19/llvm-project/clang/lib/StaticAnalyzer/Core/CoreEngine.cpp:188:7
#17 0x000063c6fcbbdcf5 clang::ento::CoreEngine::ExecuteWorkList(clang::LocationContext const*, unsigned int, llvm::IntrusiveRefCntPtr<clang::ento::ProgramState const>)::'lambda'(unsigned int)::operator()(unsigned int) const /home/htx/Documents/llvm19/llvm-project/clang/lib/StaticAnalyzer/Core/CoreEngine.cpp:159:23
#18 0x000063c6fcbbe0f2 clang::ento::CoreEngine::ExecuteWorkList(clang::LocationContext const*, unsigned int, llvm::IntrusiveRefCntPtr<clang::ento::ProgramState const>) /home/htx/Documents/llvm19/llvm-project/clang/lib/StaticAnalyzer/Core/CoreEngine.cpp:163:41
#19 0x000063c6fc0daf7e clang::ento::ExprEngine::ExecuteWorkList(clang::LocationContext const*, unsigned int) /home/htx/Documents/llvm19/llvm-project/clang/include/clang/StaticAnalyzer/Core/PathSensitive/ExprEngine.h:192:34
#20 0x000063c6fc064fd1 (anonymous namespace)::AnalysisConsumer::RunPathSensitiveChecks(clang::Decl*, clang::ento::ExprEngine::InliningModes, llvm::DenseSet<clang::Decl const*, llvm::DenseMapInfo<clang::Decl const*, void> >) /home/htx/Documents/llvm19/llvm-project/clang/lib/StaticAnalyzer/Frontend/AnalysisConsumer.cpp:731:22
#21 0x000063c6fc064d23 (anonymous namespace)::AnalysisConsumer::HandleCode(clang::Decl, unsigned int, clang::ento::ExprEngine::InliningModes, llvm::DenseSet<clang::Decl const*, llvm::DenseMapInfo<clang::Decl const*, void> >) /home/htx/Documents/llvm19/llvm-project/clang/lib/StaticAnalyzer/Frontend/AnalysisConsumer.cpp:700:5
#22 0x000063c6fc063d3c (anonymous namespace)::AnalysisConsumer::HandleDeclsCallGraph(unsigned int) /home/htx/Documents/llvm19/llvm-project/clang/lib/StaticAnalyzer/Frontend/AnalysisConsumer.cpp:490:31
#23 0x000063c6fc0642d8 (anonymous namespace)::AnalysisConsumer::runAnalysisOnTranslationUnit(clang::ASTContext&) /home/htx/Documents/llvm19/llvm-project/clang/lib/StaticAnalyzer/Frontend/AnalysisConsumer.cpp:561:48
#24 0x000063c6fc064648 (anonymous namespace)::AnalysisConsumer::HandleTranslationUnit(clang::ASTContext&) /home/htx/Documents/llvm19/llvm-project/clang/lib/StaticAnalyzer/Frontend/AnalysisConsumer.cpp:616:74
#25 0x000063c6fcdd28ad clang::ParseAST(clang::Sema&, bool, bool) (.localalias) /home/htx/Documents/llvm19/llvm-project/clang/lib/Parse/ParseAST.cpp:191:14
#26 0x000063c6fa2544e6 clang::ASTFrontendAction::ExecuteAction() (.localalias) /home/htx/Documents/llvm19/llvm-project/clang/lib/Frontend/FrontendAction.cpp:1192:11
#27 0x000063c6fa253da0 clang::FrontendAction::Execute() /home/htx/Documents/llvm19/llvm-project/clang/lib/Frontend/FrontendAction.cpp:1082:38
#28 0x000063c6fa159a90 clang::CompilerInstance::ExecuteAction(clang::FrontendAction&) (.localalias) /home/htx/Documents/llvm19/llvm-project/clang/lib/Frontend/CompilerInstance.cpp:1061:42
#29 0x000063c6fa416209 clang::ExecuteCompilerInvocation(clang::CompilerInstance) /home/htx/Documents/llvm19/llvm-project/clang/lib/FrontendTool/ExecuteCompilerInvocation.cpp:280:38
#30 0x000063c6f652a124 cc1_main(llvm::ArrayRef<char const*>, char const*, void*) /home/htx/Documents/llvm19/llvm-project/clang/tools/driver/cc1_main.cpp:285:40
#31 0x000063c6f651c6d8 ExecuteCC1Tool(llvm::SmallVectorImpl<char const*>&, llvm::ToolContext const&) /home/htx/Documents/llvm19/llvm-project/clang/tools/driver/driver.cpp:215:20
#32 0x000063c6f651c8ee clang_main(int, char**, llvm::ToolContext const&)::'lambda'(llvm::SmallVectorImpl<char const*>&)::operator()(llvm::SmallVectorImpl<char const*>&) const /home/htx/Documents/llvm19/llvm-project/clang/tools/driver/driver.cpp:356:5
#33 0x000063c6f651df8b int llvm::function_ref<int (llvm::SmallVectorImpl<char const*>&)>::callback_fn<clang_main(int, char**, llvm::ToolContext const&)::'lambda'(llvm::SmallVectorImpl<char const*>&)>(long, llvm::SmallVectorImpl<char const*>&) /home/htx/Documents/llvm19/install/include/llvm/ADT/STLFunctionalExtras.h:47:3
#34 0x000063c6f9f951dd llvm::function_ref<int (llvm::SmallVectorImpl<char const*>&)>::operator()(llvm::SmallVectorImpl<char const*>&) const /home/htx/Documents/llvm19/install/include/llvm/ADT/STLFunctionalExtras.h:69:3
#35 0x000063c6f9f93ac0 clang::driver::CC1Command::Execute(llvm::ArrayRef<std::optional<llvm::StringRef> >, std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >, bool) const::'lambda'()::operator()() const /home/htx/Documents/llvm19/llvm-project/clang/lib/Driver/Job.cpp:440:32
#36 0x000063c6f9f93f7d void llvm::function_ref<void ()>::callback_fn<clang::driver::CC1Command::Execute(llvm::ArrayRef<std::optional<llvm::StringRef> >, std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >, bool) const::'lambda'()>(long) /home/htx/Documents/llvm19/install/include/llvm/ADT/STLFunctionalExtras.h:46:40
#37 0x000063c6f8f8f5c7 llvm::CrashRecoveryContext::RunSafely(llvm::function_ref<void ()>) (.localalias) (/home/htx/Documents/llvm19/build-clang/bin/clang+0x47b15c7)
#38 0x000063c6f9f93cdd clang::driver::CC1Command::Execute(llvm::ArrayRef<std::optional<llvm::StringRef> >, std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >, bool) const (.localalias) /home/htx/Documents/llvm19/llvm-project/clang/lib/Driver/Job.cpp:440:7
#39 0x000063c6f9f2657e clang::driver::Compilation::ExecuteCommand(clang::driver::Command const&, clang::driver::Command const*&, bool) const (.localalias) /home/htx/Documents/llvm19/llvm-project/clang/lib/Driver/Compilation.cpp:199:22
#40 0x000063c6f9f2690c clang::driver::Compilation::ExecuteJobs(clang::driver::JobList const&, llvm::SmallVectorImpl<std::pair<int, clang::driver::Command const*> >&, bool) const /home/htx/Documents/llvm19/llvm-project/clang/lib/Driver/Compilation.cpp:253:62
#41 0x000063c6f9f3a349 clang::driver::Driver::ExecuteCompilation(clang::driver::Compilation&, llvm::SmallVectorImpl<std::pair<int, clang::driver::Command const*> >&) /home/htx/Documents/llvm19/llvm-project/clang/lib/Driver/Driver.cpp:1946:28
#42 0x000063c6f651daca clang_main(int, char**, llvm::ToolContext const&) /home/htx/Documents/llvm19/llvm-project/clang/tools/driver/driver.cpp:391:39
#43 0x000063c6f6555a1a main /home/htx/Documents/llvm19/build-clang/tools/driver/clang-driver.cpp:17:20
#44 0x0000728d79c29d90 (/lib/x86_64-linux-gnu/libc.so.6+0x29d90)
#45 0x0000728d79c29e40 __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x29e40)
#46 0x000063c6f651ba95 _start (/home/htx/Documents/llvm19/build-clang/bin/clang+0x1d3da95)
clang: error: clang frontend command failed with exit code 134 (use -v to see invocation)

steakhal · 2024-09-09T16:56:22Z

I'll have a look tomorrow.

tianxinghe · 2024-09-09T17:43:13Z

I am trying to minimize it and will put it up tomorrow. （may be 12 hours later）

…

---Original---  From: "Balazs ***@***.***> Date: Tue, Sep 10, 2024 00:56 AM To: ***@***.***>; Cc: "Tianxing ***@***.******@***.***>; Subject: Re: [llvm/llvm-project] [clang static analyzer] Crash inprintReferrer(const clang::ento::MemRegion*): Assertion `false && "Unexpectedreferrer region type."' failed. (Issue #107852) I'll have a look tomorrow. — Reply to this email directly, view it on GitHub, or unsubscribe. You are receiving this because you authored the thread.Message ID: ***@***.***>

tianxinghe · 2024-09-10T06:38:58Z

I'll have a look tomorrow.

command : clang --analyze
What confuses me is that the checker did not crash when executing the following command :
clang --analyze --analyzer-no-default-checks -Xanalyzer -analyzer-checker=core.NullDereference -Xanalyzer -analyzer-config -Xanalyzer -mode=deep -Xanalyzer -analyzer-output=text

Meanwhile, in version 18.1.0, when executing -- analyze, the null pointer dereference bug can be correctly detected:
https://godbolt.org/z/MaEvnjaKe

But when performing the dereference check alone, the bug cannot be detected normally
https://godbolt.org/z/c7Gc1dbds

minimal version:

#include <alloca.h>

void func(int**);

int main(int argc, char ** argv) {
  int** v1;
  int*** v2;
  int** v3;

  v1 = (int**) alloca(sizeof(int*));
  v2 = (int***) alloca(sizeof(int**));
  *v2 = v1;
  v3 = *v2;
  func(v3);
  return 0;
}

void func(int** a1) {
  int* v1;
  int v2; 
  int* v3;

  v1 = (&v2);
  v3 = v1;
  *v3 = 1;
  *a1 = v3;
  return;
}

tianxinghe · 2024-09-12T09:38:11Z

I'll have a look tomorrow.

I would like to inquire about a few things:

Will the analyzer stop checking if there are too many variables related to input values?
Is the analyzer currently capable of solving constraints related to floating-point values?
Does the analyzer now support checking union and VectorType?

necto · 2024-09-23T09:26:59Z

Hi @tianxinghe

I confirm that I could reproduce the crash you reported. I'll look into it be cause it crashes on the as I introduced the failing assertion.

Will the analyzer stop checking if there are too many variables related to input values?

Could you, please, reformulate your question? I did not understand what "too many variables related to input values" means.

Is the analyzer currently capable of solving constraints related to floating-point values?

Clang Static Analyzer currently ignores floating-point values.

Does the analyzer now support checking union and VectorType?

AFAIK, the analyzer can work with a union as long as you access the same field. Once you access a different field, it forgets all it knows about the union.
What do you mean by VectorType?

Fixes llvm#107852 Make it explicit that the checker skips alloca regions to avoid the risc of producing false positives for code that has advnaced memory management. StackAddrEscapeChecker already used this strategy when it comes to malloc'ed regions, so this change relaxes the assertion and explicitly silents the issues related to memory regions generated with alloca.

tianxinghe · 2024-09-24T03:05:09Z

Hi @tianxinghe

I confirm that I could reproduce the crash you reported. I'll look into it be cause it crashes on the as I introduced the failing assertion.

Will the analyzer stop checking if there are too many variables related to input values?

Could you, please, reformulate your question? I did not understand what "too many variables related to input values" means.

Is the analyzer currently capable of solving constraints related to floating-point values?

Clang Static Analyzer currently ignores floating-point values.

Does the analyzer now support checking union and VectorType?

AFAIK, the analyzer can work with a union as long as you access the same field. Once you access a different field, it forgets all it knows about the union. What do you mean by VectorType?

Hi! @necto
too many variables related to input values
For this test case, it seems that removing some dead code related to the input value will allow the checker to run normally, but not vice versa.
#108520

VectorType is
https://llvm.org/doxygen/classllvm_1_1VectorType.html

I would like to know if there is code like this in the source code:

typedef int vec1 __attribute__((__vector_size__(16)));
vec1 v1 = (vec1){1, 2, 3, 4};
v1[1];

Will the checker stop checking?

Thank you very much for your help and answers!

necto · 2024-09-24T15:01:30Z

Hi! @necto too many variables related to input values For this test case, it seems that removing some dead code related to the input value will allow the checker to run normally, but not vice versa. #108520

I did not understand the part about "not vice versa". In any case, I think this discussion belongs to #108520

VectorType is https://llvm.org/doxygen/classllvm_1_1VectorType.html

I would like to know if there is code like this in the source code:
typedef int vec1 __attribute__((__vector_size__(16)));
vec1 v1 = (vec1){1, 2, 3, 4};
v1[1];
Will the checker stop checking?

No, it will not stop checking, but it does not model SIMD vectors appropriately leading to both false negatives and false positives.
compiler-explorer

typedef int vec1 __attribute__((__vector_size__(8)));
template<class T>
void clang_analyzer_dump(T);
void top() {
    vec1 v1 = (vec1){1, 2};
    clang_analyzer_dump(v1[0]); // 1 (correct)
    clang_analyzer_dump(v1[1]); // 1 (incorrect)
    v1[0] = 8;
    clang_analyzer_dump(v1[0]); // 8 (correct)
    clang_analyzer_dump(v1[1]); // 1 (incorrect)
}

int false_negative() {
    vec1 v1 = (vec1){1, 0};
    return 1 / v1[1]; // FN
}

int false_positive() {
    vec1 v1 = (vec1){0, 1};
    return 1 / v1[1]; // FP
}

tianxinghe · 2024-09-24T16:50:11Z

Hi! @necto too many variables related to input values For this test case, it seems that removing some dead code related to the input value will allow the checker to run normally, but not vice versa. #108520

I did not understand the part about "not vice versa". In any case, I think this discussion belongs to #108520
VectorType is https://llvm.org/doxygen/classllvm_1_1VectorType.html
I would like to know if there is code like this in the source code:
typedef int vec1 __attribute__((__vector_size__(16)));
vec1 v1 = (vec1){1, 2, 3, 4};
v1[1];
Will the checker stop checking?
No, it will not stop checking, but it does not model SIMD vectors appropriately leading to both false negatives and false positives. compiler-explorer
typedef int vec1 __attribute__((__vector_size__(8)));
template<class T>
void clang_analyzer_dump(T);
void top() {
    vec1 v1 = (vec1){1, 2};
    clang_analyzer_dump(v1[0]); // 1 (correct)
    clang_analyzer_dump(v1[1]); // 1 (incorrect)
    v1[0] = 8;
    clang_analyzer_dump(v1[0]); // 8 (correct)
    clang_analyzer_dump(v1[1]); // 1 (incorrect)
}

int false_negative() {
    vec1 v1 = (vec1){1, 0};
    return 1 / v1[1]; // FN
}

int false_positive() {
    vec1 v1 = (vec1){0, 1};
    return 1 / v1[1]; // FP
}

I totally understand. Very good example. thx！

…ons (llvm#109655) Fixes llvm#107852 Make it explicit that the checker skips `alloca` regions to avoid the risk of producing false positives for code with advanced memory management. StackAddrEscapeChecker already used this strategy when it comes to malloc'ed regions, so this change relaxes the assertion and explicitly silents the issues related to memory regions generated with `alloca`.

github-actions bot added the clang Clang issues not falling into any other category label Sep 9, 2024

shafik added needs-reduction Large reproducer that should be reduced into a simpler form and removed needs-reduction Large reproducer that should be reduced into a simpler form labels Sep 9, 2024

EugeneZelenko added clang:static analyzer crash Prefer [crash-on-valid] or [crash-on-invalid] and removed clang Clang issues not falling into any other category labels Sep 9, 2024

necto mentioned this issue Sep 23, 2024

[analyzer][StackAddrEscapeChecker] Fix assert failure for alloca regions #109655

Merged

steakhal closed this as completed in #109655 Sep 23, 2024

steakhal closed this as completed in be0b114 Sep 23, 2024

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

[clang static analyzer] Crash in printReferrer(const clang::ento::MemRegion*): Assertion `false && "Unexpected referrer region type."' failed. #107852

[clang static analyzer] Crash in printReferrer(const clang::ento::MemRegion*): Assertion `false && "Unexpected referrer region type."' failed. #107852

tianxinghe commented Sep 9, 2024 •

edited by steakhal

Loading

llvmbot commented Sep 9, 2024

steakhal commented Sep 9, 2024

tianxinghe commented Sep 9, 2024 via email

tianxinghe commented Sep 10, 2024 •

edited

Loading

tianxinghe commented Sep 12, 2024

necto commented Sep 23, 2024 •

edited

Loading

tianxinghe commented Sep 24, 2024

necto commented Sep 24, 2024

tianxinghe commented Sep 24, 2024

[clang static analyzer] Crash in printReferrer(const clang::ento::MemRegion*): Assertion `false && "Unexpected referrer region type."' failed. #107852

[clang static analyzer] Crash in printReferrer(const clang::ento::MemRegion*): Assertion `false && "Unexpected referrer region type."' failed. #107852

Comments

tianxinghe commented Sep 9, 2024 • edited by steakhal Loading

llvmbot commented Sep 9, 2024

steakhal commented Sep 9, 2024

tianxinghe commented Sep 9, 2024 via email

tianxinghe commented Sep 10, 2024 • edited Loading

tianxinghe commented Sep 12, 2024

necto commented Sep 23, 2024 • edited Loading

tianxinghe commented Sep 24, 2024

necto commented Sep 24, 2024

tianxinghe commented Sep 24, 2024

tianxinghe commented Sep 9, 2024 •

edited by steakhal

Loading

tianxinghe commented Sep 10, 2024 •

edited

Loading

necto commented Sep 23, 2024 •

edited

Loading