
[analyzer] loop unrolling crash #121201

Open
shenjunjiekoda opened this issue Dec 27, 2024 · 3 comments · May be fixed by #121203


@shenjunjiekoda
Contributor

Found a crash when running the analyzer on the libfmt project's file test/std-test.cc.

After reducing the test case:

// Stand-ins for the fmt types the reduced case needs.
// NOTE: this conditional_t ignores its bool argument and always yields T, so
// every use below resolves to its second argument.
template <bool, typename T, typename> using conditional_t = T;
// Declared only; conditional_t never selects it, so it is never completed.
class basic_format_arg;
// Primary template is declared only; the sole definition is the
// formatter<bitset<N>> partial specialization further down.
template <typename> struct formatter;

// Reduced stand-in for fmt's argument wrapper.
template <typename Context> struct value {
  // Converting constructor. The statement below only names the static member
  // template with explicit arguments and never calls it; that naming appears
  // to be what forces format_custom_arg<T, formatter<T>> to be instantiated
  // and thereby pulls formatter<T>::format into the translation unit.
  template <typename T> value(T) {
    using value_type = T;
    format_custom_arg<value_type,
                      typename Context::template formatter_type<value_type>>;
  }

  // In this reproducer Formatter is formatter<bitset<6>> and the `0` argument
  // reaches format() as a bitset<6> via bitset's converting bitset(long).
  template <typename, typename Formatter> static void format_custom_arg() {
    Context ctx;
    auto f = Formatter();
    f.format(0, ctx);
  }
};

// Minimal formatting context: maps a type to its formatter through the alias
// template that value<Context>'s constructor looks up.
struct context {
  template <typename T> using formatter_type = formatter<T>;
};

// Unscoped enumerator with value 0; it only serves as the (ignored) bool
// argument of conditional_t in arg_t below.
enum { max_packed_args };

// Because conditional_t always yields its second argument, arg_t is always
// value<Context>; basic_format_arg is never chosen. The unnamed `long`
// parameter is unused.
template <typename Context, long>
using arg_t = conditional_t<max_packed_args, value<Context>, basic_format_arg>;

// Holds the single wrapped argument; NUM_ARGS (an int) is passed on to the
// unused `long` parameter of arg_t.
template <int NUM_ARGS> struct format_arg_store {
  arg_t<context, NUM_ARGS> args;
};

// Builds the store; aggregate-initializing `args` from the bitset<6> argument
// goes through value<context>'s converting constructor template.
template <typename... T, long NUM_ARGS = sizeof...(T)>
auto make_format_args(T... args) -> format_arg_store<NUM_ARGS> {
  return {args...};
}

// Invokes the writer with an int, so writer::operator()<int> is the
// instantiation named in the "While analyzing stack" line of the crash
// message. The trailing `;` after the body is a harmless empty declaration.
template <typename F> void write_padded(context, F write) { write(0); };

// Entry used by TestBody(); its only purpose here is to instantiate
// make_format_args (and, through it, value<context>) for bitset<6>.
template <typename... T> void format(T... args) { make_format_args(args...); }

// Stand-in for std::bitset. The converting constructor from long is what lets
// the literal 0 in format_custom_arg become a bitset<N>; it is declared only,
// which is fine because the reproducer is never linked.
template <int> struct bitset {
  bitset(long);
};

// Partial specialization of formatter for bitset<N>. Note that N is declared
// as `long` here while bitset's own parameter is `int`; the stack trace shows
// clang selects this specialization for bitset<6>, and that width difference
// is what the loop below feeds into the analyzer.
template <long N> struct formatter<bitset<N>> {
  struct writer {
    bitset<N> bs;

    // The crashing loop (with -analyzer-config unroll-loops=true). `pos` is
    // deduced from N as `long`, while the bound `0` is an `int` literal, so on
    // this x86_64 Linux target the two have different bit widths.
    // NOTE(review): given the abort inside shouldCompletelyUnroll and the
    // zext() lines quoted below, this looks like the case where the init
    // value is wider than the bound, so zext() to the narrower width trips an
    // assertion - to be confirmed against the full LoopUnrolling.cpp.
    template <typename OutputIt> void operator()(OutputIt) {
      for (auto pos = N; pos > 0; --pos)
        ;
    }
  };

  // Reached from value<context>::format_custom_arg with bs = bitset<N>(0) and
  // ctx = context; the temporary writer is then invoked by write_padded.
  template <typename FormatContext>
  void format(bitset<N> bs, FormatContext ctx) {
    write_padded(ctx, writer{bs});
  }
};

// The argument under test; `(2)` is copy-initialized through bitset(long).
bitset<6> TestBody_bs = (2);

// Top-level function that pulls every instantiation above into the
// translation unit: format -> make_format_args -> value<context>(bitset<6>)
// -> format_custom_arg -> formatter<bitset<6>>::format -> writer::operator().
void TestBody() { format(TestBody_bs); }
$ clang-tidy "-checks=-*,clang-analyzer-core.*" "/path/to/file"  "--"  "-Xclang" "-analyzer-config" "-Xclang" "unroll-loops=true"

Crash message:

1.	<eof> parser at end of file
2.	While analyzing stack: 
	#0 Calling formatter<bitset<6>>::writer::operator()(int)
 #0 0x00007f58617c81d8 llvm::sys::PrintStackTrace(llvm::raw_ostream&, int) (/usr/local/bin/../lib/../lib/libLLVMSupport.so.16+0x1ce1d8)
 #1 0x00007f58617c5c2c SignalHandler(int) Signals.cpp:0:0
 #2 0x00007f586580edd0 (/lib/x86_64-linux-gnu/libc.so.6+0x38dd0)
 #3 0x00007f586580ed51 raise (/lib/x86_64-linux-gnu/libc.so.6+0x38d51)
 #4 0x00007f58657f8537 abort (/lib/x86_64-linux-gnu/libc.so.6+0x22537)
 #5 0x00007f58657f840f (/lib/x86_64-linux-gnu/libc.so.6+0x2240f)
 #6 0x00007f58658076d2 (/lib/x86_64-linux-gnu/libc.so.6+0x316d2)
 #7 0x00007f58616766b2 (/usr/local/bin/../lib/../lib/libLLVMSupport.so.16+0x7c6b2)
 #8 0x00007f585b12fa7a clang::ento::shouldCompletelyUnroll(clang::Stmt const*, clang::ASTContext&, clang::ento::ExplodedNode*, unsigned int&) (.part.0) LoopUnrolling.cpp:0:0
 #9 0x00007f585b130ff3 clang::ento::updateLoopStack(clang::Stmt const*, clang::ASTContext&, clang::ento::ExplodedNode*, unsigned int) (/usr/local/bin/../lib/../lib/../lib/../lib/libclangStaticAnalyzerCore.so.16+0x16aff3)
#10 0x00007f585b0dc770 clang::ento::ExprEngine::processCFGBlockEntrance(clang::BlockEdge const&, clang::ento::NodeBuilderWithSinks&, clang::ento::ExplodedNode*) (/usr/local/bin/../lib/../lib/../lib/../lib/libclangStaticAnalyzerCore.so.16+0x116770)
#11 0x00007f585b0abdc6 clang::ento::CoreEngine::HandleBlockEdge(clang::BlockEdge const&, clang::ento::ExplodedNode*) (/usr/local/bin/../lib/../lib/../lib/../lib/libclangStaticAnalyzerCore.so.16+0xe5dc6)
#12 0x00007f585b0ace5a clang::ento::CoreEngine::dispatchWorkItem(clang::ento::ExplodedNode*, clang::ProgramPoint, clang::ento::WorkListUnit const&) (/usr/local/bin/../lib/../lib/../lib/../lib/libclangStaticAnalyzerCore.so.16+0xe6e5a)
#13 0x00007f585b0ad0aa clang::ento::CoreEngine::ExecuteWorkList(clang::LocationContext const*, unsigned int, llvm::IntrusiveRefCntPtr<clang::ento::ProgramState const>) (/usr/local/bin/../lib/../lib/../lib/../lib/libclangStaticAnalyzerCore.so.16+0xe70aa)
#14 0x00007f585f7e13a2 (anonymous namespace)::AnalysisConsumer::RunPathSensitiveChecks(clang::Decl*, clang::ento::ExprEngine::InliningModes, llvm::DenseSet<clang::Decl const*, llvm::DenseMapInfo<clang::Decl const*, void>>*) AnalysisConsumer.cpp:0:0
#15 0x00007f585f7fcc3a (anonymous namespace)::AnalysisConsumer::HandleDeclsCallGraph(unsigned int) AnalysisConsumer.cpp:0:0
#16 0x00007f585f7fdd53 (anonymous namespace)::AnalysisConsumer::HandleTranslationUnit(clang::ASTContext&) AnalysisConsumer.cpp:0:0
#17 0x00007f585f5b6468 clang::MultiplexConsumer::HandleTranslationUnit(clang::ASTContext&) (/usr/local/bin/../lib/../lib/../lib/libclangFrontend.so.16+0x15a468)
#18 0x00007f585a3762c5 clang::ParseAST(clang::Sema&, bool, bool) (/usr/local/bin/../lib/../lib/../lib/../lib/libclangParse.so.16+0x352c5)
#19 0x00007f585f57fbb9 clang::FrontendAction::Execute() (/usr/local/bin/../lib/../lib/../lib/libclangFrontend.so.16+0x123bb9)
#20 0x00007f585f4f62c6 clang::CompilerInstance::ExecuteAction(clang::FrontendAction&) (/usr/local/bin/../lib/../lib/../lib/libclangFrontend.so.16+0x9a2c6)
#21 0x00007f586222de7d clang::tooling::FrontendActionFactory::runInvocation(std::shared_ptr<clang::CompilerInvocation>, clang::FileManager*, std::shared_ptr<clang::PCHContainerOperations>, clang::DiagnosticConsumer*) (/usr/local/bin/../lib/../lib/libclangTooling.so.16+0x6fe7d)
#22 0x00007f58622ee1ca clang::tidy::(anonymous namespace)::ActionFactory::runInvocation(std::shared_ptr<clang::CompilerInvocation>, clang::FileManager*, std::shared_ptr<clang::PCHContainerOperations>, clang::DiagnosticConsumer*) ClangTidyStandaloneRunner.cpp:0:0
#23 0x00007f58622248fc clang::tooling::ToolInvocation::runInvocation(char const*, clang::driver::Compilation*, std::shared_ptr<clang::CompilerInvocation>, std::shared_ptr<clang::PCHContainerOperations>) (/usr/local/bin/../lib/../lib/libclangTooling.so.16+0x668fc)
#24 0x00007f5862229de8 clang::tooling::ToolInvocation::run() (/usr/local/bin/../lib/../lib/libclangTooling.so.16+0x6bde8)
#25 0x00007f586222bc71 clang::tooling::ClangTool::runCompileCommands(clang::tooling::ToolAction*) (/usr/local/bin/../lib/../lib/libclangTooling.so.16+0x6dc71)
#26 0x00007f586222ccae clang::tooling::ClangTool::run(clang::tooling::ToolAction*) (/usr/local/bin/../lib/../lib/libclangTooling.so.16+0x6ecae)
#27 0x00007f58622ef2dd clang::tidy::runClangTidy(clang::tidy::ClangTidyContext&, clang::tooling::CompilationDatabase const&, llvm::ArrayRef<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char>>>, llvm::IntrusiveRefCntPtr<llvm::vfs::OverlayFileSystem>, bool, bool, llvm::StringRef) (/usr/local/bin/../lib/../lib/libclangTidy.so.16+0x9f2dd)
#28 0x00007f58659d850e clang::tidy::clangTidyMain(int, char const**) (/usr/local/bin/../lib/libclangTidyMain.so.16+0x1850e)
#29 0x00007f58657f9d7a __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x23d7a)
#30 0x000055f1e8a4e08a _start (/usr/local/bin/clang-tidy+0x108a)

I think the cause may be in clang/lib/StaticAnalyzer/Core/LoopUnrolling.cpp:

static bool shouldCompletelyUnroll(const Stmt *LoopStmt, ASTContext &ASTCtx,
                                   ExplodedNode *Pred, unsigned &maxStep) {

  // ....
  if (InitNum.getBitWidth() != BoundNum.getBitWidth()) {
    InitNum = InitNum.zext(BoundNum.getBitWidth());
    BoundNum = BoundNum.zext(InitNum.getBitWidth());
  }
@llvmbot
Member

llvmbot commented Dec 27, 2024

@llvm/issue-subscribers-clang-tidy

Author: JOSTAR (shenjunjiekoda)

Found a crash when running the analyzer on the `libfmt` project's file `test/std-test.cc`.

After reducing the test case:

template <bool, typename T, typename> using conditional_t = T;
class basic_format_arg;
template <typename> struct formatter;

template <typename Context> struct value {
  template <typename T> value(T) {
    using value_type = T;
    format_custom_arg<value_type,
                      typename Context::template formatter_type<value_type>>;
  }

  template <typename, typename Formatter> static void format_custom_arg() {
    Context ctx;
    auto f = Formatter();
    f.format(0, ctx);
  }
};

struct context {
  template <typename T> using formatter_type = formatter<T>;
};

enum { max_packed_args };

template <typename Context, long>
using arg_t = conditional_t<max_packed_args, value<Context>, basic_format_arg>;

template <int NUM_ARGS> struct format_arg_store {
  arg_t<context, NUM_ARGS> args;
};

template <typename... T, long NUM_ARGS = sizeof...(T)>
auto make_format_args(T... args) -> format_arg_store<NUM_ARGS> {
  return {args...};
}

template <typename F> void write_padded(context, F write) { write(0); };

template <typename... T> void format(T... args) { make_format_args(args...); }

template <int> struct bitset {
  bitset(long);
};

template <long N> struct formatter<bitset<N>> {
  struct writer {
    bitset<N> bs;

    template <typename OutputIt> void operator()(OutputIt) {
      for (auto pos = N; pos > 0; --pos)
        ;
    }
  };

  template <typename FormatContext>
  void format(bitset<N> bs, FormatContext ctx) {
    write_padded(ctx, writer{bs});
  }
};

bitset<6> TestBody_bs = (2);

void TestBody() { format(TestBody_bs); }
$ clang-tidy "-checks=-*,clang-analyzer-core.*" "/path/to/file"  "--"  "-Xclang" "-analyzer-config" "-Xclang" "unroll-loops=true"

Crash message:

1.	<eof> parser at end of file
2.	While analyzing stack: 
	#0 Calling formatter<bitset<6>>::writer::operator()(int)
 #0 0x00007f58617c81d8 llvm::sys::PrintStackTrace(llvm::raw_ostream&, int) (/usr/local/bin/../lib/../lib/libLLVMSupport.so.16+0x1ce1d8)
 #1 0x00007f58617c5c2c SignalHandler(int) Signals.cpp:0:0
 #2 0x00007f586580edd0 (/lib/x86_64-linux-gnu/libc.so.6+0x38dd0)
 #3 0x00007f586580ed51 raise (/lib/x86_64-linux-gnu/libc.so.6+0x38d51)
 #4 0x00007f58657f8537 abort (/lib/x86_64-linux-gnu/libc.so.6+0x22537)
 #5 0x00007f58657f840f (/lib/x86_64-linux-gnu/libc.so.6+0x2240f)
 #6 0x00007f58658076d2 (/lib/x86_64-linux-gnu/libc.so.6+0x316d2)
 #7 0x00007f58616766b2 (/usr/local/bin/../lib/../lib/libLLVMSupport.so.16+0x7c6b2)
 #8 0x00007f585b12fa7a clang::ento::shouldCompletelyUnroll(clang::Stmt const*, clang::ASTContext&, clang::ento::ExplodedNode*, unsigned int&) (.part.0) LoopUnrolling.cpp:0:0
 #9 0x00007f585b130ff3 clang::ento::updateLoopStack(clang::Stmt const*, clang::ASTContext&, clang::ento::ExplodedNode*, unsigned int) (/usr/local/bin/../lib/../lib/../lib/../lib/libclangStaticAnalyzerCore.so.16+0x16aff3)
#10 0x00007f585b0dc770 clang::ento::ExprEngine::processCFGBlockEntrance(clang::BlockEdge const&, clang::ento::NodeBuilderWithSinks&, clang::ento::ExplodedNode*) (/usr/local/bin/../lib/../lib/../lib/../lib/libclangStaticAnalyzerCore.so.16+0x116770)
#11 0x00007f585b0abdc6 clang::ento::CoreEngine::HandleBlockEdge(clang::BlockEdge const&, clang::ento::ExplodedNode*) (/usr/local/bin/../lib/../lib/../lib/../lib/libclangStaticAnalyzerCore.so.16+0xe5dc6)
#12 0x00007f585b0ace5a clang::ento::CoreEngine::dispatchWorkItem(clang::ento::ExplodedNode*, clang::ProgramPoint, clang::ento::WorkListUnit const&) (/usr/local/bin/../lib/../lib/../lib/../lib/libclangStaticAnalyzerCore.so.16+0xe6e5a)
#13 0x00007f585b0ad0aa clang::ento::CoreEngine::ExecuteWorkList(clang::LocationContext const*, unsigned int, llvm::IntrusiveRefCntPtr<clang::ento::ProgramState const>) (/usr/local/bin/../lib/../lib/../lib/../lib/libclangStaticAnalyzerCore.so.16+0xe70aa)
#14 0x00007f585f7e13a2 (anonymous namespace)::AnalysisConsumer::RunPathSensitiveChecks(clang::Decl*, clang::ento::ExprEngine::InliningModes, llvm::DenseSet<clang::Decl const*, llvm::DenseMapInfo<clang::Decl const*, void>>*) AnalysisConsumer.cpp:0:0
#15 0x00007f585f7fcc3a (anonymous namespace)::AnalysisConsumer::HandleDeclsCallGraph(unsigned int) AnalysisConsumer.cpp:0:0
#16 0x00007f585f7fdd53 (anonymous namespace)::AnalysisConsumer::HandleTranslationUnit(clang::ASTContext&) AnalysisConsumer.cpp:0:0
#17 0x00007f585f5b6468 clang::MultiplexConsumer::HandleTranslationUnit(clang::ASTContext&) (/usr/local/bin/../lib/../lib/../lib/libclangFrontend.so.16+0x15a468)
#18 0x00007f585a3762c5 clang::ParseAST(clang::Sema&, bool, bool) (/usr/local/bin/../lib/../lib/../lib/../lib/libclangParse.so.16+0x352c5)
#19 0x00007f585f57fbb9 clang::FrontendAction::Execute() (/usr/local/bin/../lib/../lib/../lib/libclangFrontend.so.16+0x123bb9)
#20 0x00007f585f4f62c6 clang::CompilerInstance::ExecuteAction(clang::FrontendAction&) (/usr/local/bin/../lib/../lib/../lib/libclangFrontend.so.16+0x9a2c6)
#21 0x00007f586222de7d clang::tooling::FrontendActionFactory::runInvocation(std::shared_ptr<clang::CompilerInvocation>, clang::FileManager*, std::shared_ptr<clang::PCHContainerOperations>, clang::DiagnosticConsumer*) (/usr/local/bin/../lib/../lib/libclangTooling.so.16+0x6fe7d)
#22 0x00007f58622ee1ca clang::tidy::(anonymous namespace)::ActionFactory::runInvocation(std::shared_ptr<clang::CompilerInvocation>, clang::FileManager*, std::shared_ptr<clang::PCHContainerOperations>, clang::DiagnosticConsumer*) ClangTidyStandaloneRunner.cpp:0:0
#23 0x00007f58622248fc clang::tooling::ToolInvocation::runInvocation(char const*, clang::driver::Compilation*, std::shared_ptr<clang::CompilerInvocation>, std::shared_ptr<clang::PCHContainerOperations>) (/usr/local/bin/../lib/../lib/libclangTooling.so.16+0x668fc)
#24 0x00007f5862229de8 clang::tooling::ToolInvocation::run() (/usr/local/bin/../lib/../lib/libclangTooling.so.16+0x6bde8)
#25 0x00007f586222bc71 clang::tooling::ClangTool::runCompileCommands(clang::tooling::ToolAction*) (/usr/local/bin/../lib/../lib/libclangTooling.so.16+0x6dc71)
#26 0x00007f586222ccae clang::tooling::ClangTool::run(clang::tooling::ToolAction*) (/usr/local/bin/../lib/../lib/libclangTooling.so.16+0x6ecae)
#27 0x00007f58622ef2dd clang::tidy::runClangTidy(clang::tidy::ClangTidyContext&, clang::tooling::CompilationDatabase const&, llvm::ArrayRef<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char>>>, llvm::IntrusiveRefCntPtr<llvm::vfs::OverlayFileSystem>, bool, bool, llvm::StringRef) (/usr/local/bin/../lib/../lib/libclangTidy.so.16+0x9f2dd)
#28 0x00007f58659d850e clang::tidy::clangTidyMain(int, char const**) (/usr/local/bin/../lib/libclangTidyMain.so.16+0x1850e)
#29 0x00007f58657f9d7a __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x23d7a)
#30 0x000055f1e8a4e08a _start (/usr/local/bin/clang-tidy+0x108a)

I think the cause may be in clang/lib/StaticAnalyzer/Core/LoopUnrolling.cpp:

static bool shouldCompletelyUnroll(const Stmt *LoopStmt, ASTContext &ASTCtx,
                                   ExplodedNode *Pred, unsigned &maxStep) {

  // ....
  if (InitNum.getBitWidth() != BoundNum.getBitWidth()) {
    InitNum = InitNum.zext(BoundNum.getBitWidth());
    BoundNum = BoundNum.zext(InitNum.getBitWidth());
  }

@llvmbot
Member

llvmbot commented Dec 27, 2024

@llvm/issue-subscribers-clang-static-analyzer

Author: JOSTAR (shenjunjiekoda)

Found a crash when running the analyzer on the `libfmt` project's file `test/std-test.cc`.

After reducing the test case:

template <bool, typename T, typename> using conditional_t = T;
class basic_format_arg;
template <typename> struct formatter;

template <typename Context> struct value {
  template <typename T> value(T) {
    using value_type = T;
    format_custom_arg<value_type,
                      typename Context::template formatter_type<value_type>>;
  }

  template <typename, typename Formatter> static void format_custom_arg() {
    Context ctx;
    auto f = Formatter();
    f.format(0, ctx);
  }
};

struct context {
  template <typename T> using formatter_type = formatter<T>;
};

enum { max_packed_args };

template <typename Context, long>
using arg_t = conditional_t<max_packed_args, value<Context>, basic_format_arg>;

template <int NUM_ARGS> struct format_arg_store {
  arg_t<context, NUM_ARGS> args;
};

template <typename... T, long NUM_ARGS = sizeof...(T)>
auto make_format_args(T... args) -> format_arg_store<NUM_ARGS> {
  return {args...};
}

template <typename F> void write_padded(context, F write) { write(0); };

template <typename... T> void format(T... args) { make_format_args(args...); }

template <int> struct bitset {
  bitset(long);
};

template <long N> struct formatter<bitset<N>> {
  struct writer {
    bitset<N> bs;

    template <typename OutputIt> void operator()(OutputIt) {
      for (auto pos = N; pos > 0; --pos)
        ;
    }
  };

  template <typename FormatContext>
  void format(bitset<N> bs, FormatContext ctx) {
    write_padded(ctx, writer{bs});
  }
};

bitset<6> TestBody_bs = (2);

void TestBody() { format(TestBody_bs); }
$ clang-tidy "-checks=-*,clang-analyzer-core.*" "/path/to/file"  "--"  "-Xclang" "-analyzer-config" "-Xclang" "unroll-loops=true"

Crash message:

1.	<eof> parser at end of file
2.	While analyzing stack: 
	#0 Calling formatter<bitset<6>>::writer::operator()(int)
 #0 0x00007f58617c81d8 llvm::sys::PrintStackTrace(llvm::raw_ostream&, int) (/usr/local/bin/../lib/../lib/libLLVMSupport.so.16+0x1ce1d8)
 #1 0x00007f58617c5c2c SignalHandler(int) Signals.cpp:0:0
 #2 0x00007f586580edd0 (/lib/x86_64-linux-gnu/libc.so.6+0x38dd0)
 #3 0x00007f586580ed51 raise (/lib/x86_64-linux-gnu/libc.so.6+0x38d51)
 #4 0x00007f58657f8537 abort (/lib/x86_64-linux-gnu/libc.so.6+0x22537)
 #5 0x00007f58657f840f (/lib/x86_64-linux-gnu/libc.so.6+0x2240f)
 #6 0x00007f58658076d2 (/lib/x86_64-linux-gnu/libc.so.6+0x316d2)
 #7 0x00007f58616766b2 (/usr/local/bin/../lib/../lib/libLLVMSupport.so.16+0x7c6b2)
 #8 0x00007f585b12fa7a clang::ento::shouldCompletelyUnroll(clang::Stmt const*, clang::ASTContext&, clang::ento::ExplodedNode*, unsigned int&) (.part.0) LoopUnrolling.cpp:0:0
 #9 0x00007f585b130ff3 clang::ento::updateLoopStack(clang::Stmt const*, clang::ASTContext&, clang::ento::ExplodedNode*, unsigned int) (/usr/local/bin/../lib/../lib/../lib/../lib/libclangStaticAnalyzerCore.so.16+0x16aff3)
#10 0x00007f585b0dc770 clang::ento::ExprEngine::processCFGBlockEntrance(clang::BlockEdge const&, clang::ento::NodeBuilderWithSinks&, clang::ento::ExplodedNode*) (/usr/local/bin/../lib/../lib/../lib/../lib/libclangStaticAnalyzerCore.so.16+0x116770)
#11 0x00007f585b0abdc6 clang::ento::CoreEngine::HandleBlockEdge(clang::BlockEdge const&, clang::ento::ExplodedNode*) (/usr/local/bin/../lib/../lib/../lib/../lib/libclangStaticAnalyzerCore.so.16+0xe5dc6)
#12 0x00007f585b0ace5a clang::ento::CoreEngine::dispatchWorkItem(clang::ento::ExplodedNode*, clang::ProgramPoint, clang::ento::WorkListUnit const&) (/usr/local/bin/../lib/../lib/../lib/../lib/libclangStaticAnalyzerCore.so.16+0xe6e5a)
#13 0x00007f585b0ad0aa clang::ento::CoreEngine::ExecuteWorkList(clang::LocationContext const*, unsigned int, llvm::IntrusiveRefCntPtr<clang::ento::ProgramState const>) (/usr/local/bin/../lib/../lib/../lib/../lib/libclangStaticAnalyzerCore.so.16+0xe70aa)
#14 0x00007f585f7e13a2 (anonymous namespace)::AnalysisConsumer::RunPathSensitiveChecks(clang::Decl*, clang::ento::ExprEngine::InliningModes, llvm::DenseSet<clang::Decl const*, llvm::DenseMapInfo<clang::Decl const*, void>>*) AnalysisConsumer.cpp:0:0
#15 0x00007f585f7fcc3a (anonymous namespace)::AnalysisConsumer::HandleDeclsCallGraph(unsigned int) AnalysisConsumer.cpp:0:0
#16 0x00007f585f7fdd53 (anonymous namespace)::AnalysisConsumer::HandleTranslationUnit(clang::ASTContext&) AnalysisConsumer.cpp:0:0
#17 0x00007f585f5b6468 clang::MultiplexConsumer::HandleTranslationUnit(clang::ASTContext&) (/usr/local/bin/../lib/../lib/../lib/libclangFrontend.so.16+0x15a468)
#18 0x00007f585a3762c5 clang::ParseAST(clang::Sema&, bool, bool) (/usr/local/bin/../lib/../lib/../lib/../lib/libclangParse.so.16+0x352c5)
#19 0x00007f585f57fbb9 clang::FrontendAction::Execute() (/usr/local/bin/../lib/../lib/../lib/libclangFrontend.so.16+0x123bb9)
#20 0x00007f585f4f62c6 clang::CompilerInstance::ExecuteAction(clang::FrontendAction&) (/usr/local/bin/../lib/../lib/../lib/libclangFrontend.so.16+0x9a2c6)
#21 0x00007f586222de7d clang::tooling::FrontendActionFactory::runInvocation(std::shared_ptr<clang::CompilerInvocation>, clang::FileManager*, std::shared_ptr<clang::PCHContainerOperations>, clang::DiagnosticConsumer*) (/usr/local/bin/../lib/../lib/libclangTooling.so.16+0x6fe7d)
#22 0x00007f58622ee1ca clang::tidy::(anonymous namespace)::ActionFactory::runInvocation(std::shared_ptr<clang::CompilerInvocation>, clang::FileManager*, std::shared_ptr<clang::PCHContainerOperations>, clang::DiagnosticConsumer*) ClangTidyStandaloneRunner.cpp:0:0
#23 0x00007f58622248fc clang::tooling::ToolInvocation::runInvocation(char const*, clang::driver::Compilation*, std::shared_ptr<clang::CompilerInvocation>, std::shared_ptr<clang::PCHContainerOperations>) (/usr/local/bin/../lib/../lib/libclangTooling.so.16+0x668fc)
#24 0x00007f5862229de8 clang::tooling::ToolInvocation::run() (/usr/local/bin/../lib/../lib/libclangTooling.so.16+0x6bde8)
#25 0x00007f586222bc71 clang::tooling::ClangTool::runCompileCommands(clang::tooling::ToolAction*) (/usr/local/bin/../lib/../lib/libclangTooling.so.16+0x6dc71)
#26 0x00007f586222ccae clang::tooling::ClangTool::run(clang::tooling::ToolAction*) (/usr/local/bin/../lib/../lib/libclangTooling.so.16+0x6ecae)
#27 0x00007f58622ef2dd clang::tidy::runClangTidy(clang::tidy::ClangTidyContext&, clang::tooling::CompilationDatabase const&, llvm::ArrayRef<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char>>>, llvm::IntrusiveRefCntPtr<llvm::vfs::OverlayFileSystem>, bool, bool, llvm::StringRef) (/usr/local/bin/../lib/../lib/libclangTidy.so.16+0x9f2dd)
#28 0x00007f58659d850e clang::tidy::clangTidyMain(int, char const**) (/usr/local/bin/../lib/libclangTidyMain.so.16+0x1850e)
#29 0x00007f58657f9d7a __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x23d7a)
#30 0x000055f1e8a4e08a _start (/usr/local/bin/clang-tidy+0x108a)

I think the cause may be in clang/lib/StaticAnalyzer/Core/LoopUnrolling.cpp:

static bool shouldCompletelyUnroll(const Stmt *LoopStmt, ASTContext &ASTCtx,
                                   ExplodedNode *Pred, unsigned &maxStep) {

  // ....
  if (InitNum.getBitWidth() != BoundNum.getBitWidth()) {
    InitNum = InitNum.zext(BoundNum.getBitWidth());
    BoundNum = BoundNum.zext(InitNum.getBitWidth());
  }

@steakhal
Contributor

Confirmed that it crashes currently on main: https://godbolt.org/z/sdnea1qv6

@steakhal steakhal added the confirmed Verified by a second party label Dec 27, 2024