Re: [PATCH] D66325: [analyzer] CastValueChecker: Store the dynamic types and casts

Nico Weber via cfe-commits Wed, 21 Aug 2019 20:09:54 -0700

No worries. If it takes a while to analyze, please revert while you you
investigate, to keep trunk green.


On Wed, Aug 21, 2019 at 10:29 PM Csaba Dabis via Phabricator via
cfe-commits <cfe-commits@lists.llvm.org> wrote:

> Charusso added a comment.
>
>      return C.getNoteTag(
>   -      [=] {
>   +      [=]() -> std::string {
>            SmallString<128> Msg;
>
> That was the fix by rL369609 <https://reviews.llvm.org/rL369609>. Somehow
> it converted to a temporary object therefore that was an issue:
>
>   [175/176] Running the Clang regression tests
>   llvm-lit:
> /b/sanitizer-x86_64-linux-fast/build/llvm/utils/lit/lit/llvm/config.py:340:
> note: using clang:
> /b/sanitizer-x86_64-linux-fast/build/llvm_build_asan/bin/clang
>   -- Testing: 15399 tests, 64 threads --
>   Testing: 0
>   FAIL: Clang :: Analysis/cast-value-notes.cpp (355 of 15399)
>   ******************** TEST 'Clang :: Analysis/cast-value-notes.cpp'
> FAILED ********************
>   Script:
>   --
>   : 'RUN: at line 1';
>  /b/sanitizer-x86_64-linux-fast/build/llvm_build_asan/bin/clang -cc1
> -internal-isystem
> /b/sanitizer-x86_64-linux-fast/build/llvm_build_asan/lib/clang/10.0.0/include
> -nostdsysteminc -analyze -analyzer-constraints=range
>  -analyzer-checker=core,apiModeling.llvm.CastValue   -analyzer-output=text
> -verify
> /b/sanitizer-x86_64-linux-fast/build/llvm/tools/clang/test/Analysis/cast-value-notes.cpp
>   --
>   Exit Code: 1
>
>   Command Output (stderr):
>   --
>   =================================================================
>   ==43337==ERROR: AddressSanitizer: stack-use-after-scope on address
> 0x7fa639ecfa30 at pc 0x000000c7ac85 bp 0x7fff83887490 sp 0x7fff83886c40
>   READ of size 19 at 0x7fa639ecfa30 thread T0
>       #0 0xc7ac84 in __asan_memcpy
> /b/sanitizer-x86_64-linux-fast/build/llvm/projects/compiler-rt/lib/asan/asan_interceptors_memintrinsics.cc:22
>       #1 0xa328415 in copy
> /b/sanitizer-x86_64-linux-fast/build/libcxx_build_asan/include/c++/v1/__string:225:50
>       #2 0xa328415 in __init
> /b/sanitizer-x86_64-linux-fast/build/libcxx_build_asan/include/c++/v1/string:1792
>       #3 0xa328415 in basic_string
> /b/sanitizer-x86_64-linux-fast/build/libcxx_build_asan/include/c++/v1/string:1813
>       #4 0xa328415 in str
> /b/sanitizer-x86_64-linux-fast/build/llvm/include/llvm/ADT/StringRef.h:220
>       #5 0xa328415 in operator basic_string
> /b/sanitizer-x86_64-linux-fast/build/llvm/include/llvm/ADT/StringRef.h:247
>       #6 0xa328415 in __call<(lambda at
> /b/sanitizer-x86_64-linux-fast/build/llvm/tools/clang/lib/StaticAnalyzer/Checkers/CastValueChecker.cpp:113:7)
> &>
> /b/sanitizer-x86_64-linux-fast/build/libcxx_build_asan/include/c++/v1/__functional_base:317
>       #7 0xa328415 in operator()
> /b/sanitizer-x86_64-linux-fast/build/libcxx_build_asan/include/c++/v1/functional:1540
>       #8 0xa328415 in
> std::__1::__function::__func<getNoteTag(clang::ento::CheckerContext&,
> clang::ento::DynamicCastInfo const*, clang::QualType, clang::Expr const*,
> bool, bool)::$_0,
> std::__1::allocator<getNoteTag(clang::ento::CheckerContext&,
> clang::ento::DynamicCastInfo const*, clang::QualType, clang::Expr const*,
> bool, bool)::$_0>, std::__1::basic_string<char,
> std::__1::char_traits<char>, std::__1::allocator<char> > ()>::operator()()
> /b/sanitizer-x86_64-linux-fast/build/libcxx_build_asan/include/c++/v1/functional:1714
>       #9 0xa32751d in operator()
> /b/sanitizer-x86_64-linux-fast/build/libcxx_build_asan/include/c++/v1/functional:1867:16
>       #10 0xa32751d in operator()
> /b/sanitizer-x86_64-linux-fast/build/libcxx_build_asan/include/c++/v1/functional:2473
>       #11 0xa32751d in operator()
> /b/sanitizer-x86_64-linux-fast/build/llvm/tools/clang/include/clang/StaticAnalyzer/Core/PathSensitive/CheckerContext.h:259
>       #12 0xa32751d in __invoke<(lambda at
> /b/sanitizer-x86_64-linux-fast/build/llvm/tools/clang/include/clang/StaticAnalyzer/Core/PathSensitive/CheckerContext.h:259:23)
> &, clang::ento::BugReporterContext &, clang::ento::BugReport &>
> /b/sanitizer-x86_64-linux-fast/build/libcxx_build_asan/include/c++/v1/type_traits:3501
>       #13 0xa32751d in __call<(lambda at
> /b/sanitizer-x86_64-linux-fast/build/llvm/tools/clang/include/clang/StaticAnalyzer/Core/PathSensitive/CheckerContext.h:259:23)
> &, clang::ento::BugReporterContext &, clang::ento::BugReport &>
> /b/sanitizer-x86_64-linux-fast/build/libcxx_build_asan/include/c++/v1/__functional_base:317
>       #14 0xa32751d in operator()
> /b/sanitizer-x86_64-linux-fast/build/libcxx_build_asan/include/c++/v1/functional:1540
>       #15 0xa32751d in
> std::__1::__function::__func<clang::ento::CheckerContext::getNoteTag(std::__1::function<std::__1::basic_string<char,
> std::__1::char_traits<char>, std::__1::allocator<char> > ()>&&,
> bool)::'lambda'(clang::ento::BugReporterContext&, clang::ento::BugReport&),
> std::__1::allocator<clang::ento::CheckerContext::getNoteTag(std::__1::function<std::__1::basic_string<char,
> std::__1::char_traits<char>, std::__1::allocator<char> > ()>&&,
> bool)::'lambda'(clang::ento::BugReporterContext&,
> clang::ento::BugReport&)>, std::__1::basic_string<char,
> std::__1::char_traits<char>, std::__1::allocator<char> >
> (clang::ento::BugReporterContext&,
> clang::ento::BugReport&)>::operator()(clang::ento::BugReporterContext&,
> clang::ento::BugReport&)
> /b/sanitizer-x86_64-linux-fast/build/libcxx_build_asan/include/c++/v1/functional:1714
>       #16 0xa990926 in operator()
> /b/sanitizer-x86_64-linux-fast/build/libcxx_build_asan/include/c++/v1/functional:1867:16
>       #17 0xa990926 in operator()
> /b/sanitizer-x86_64-linux-fast/build/libcxx_build_asan/include/c++/v1/functional:2473
>       #18 0xa990926 in generateMessage
> /b/sanitizer-x86_64-linux-fast/build/llvm/tools/clang/include/clang/StaticAnalyzer/Core/BugReporter/BugReporter.h:572
>       #19 0xa990926 in
> clang::ento::TagVisitor::VisitNode(clang::ento::ExplodedNode const*,
> clang::ento::BugReporterContext&, clang::ento::BugReport&)
> /b/sanitizer-x86_64-linux-fast/build/llvm/tools/clang/lib/StaticAnalyzer/Core/BugReporterVisitors.cpp:2879
>       #20 0xa94b59f in
> generateVisitorsDiagnostics(clang::ento::BugReport*,
> clang::ento::ExplodedNode const*, clang::ento::BugReporterContext&)
> /b/sanitizer-x86_64-linux-fast/build/llvm/tools/clang/lib/StaticAnalyzer/Core/BugReporter.cpp:2634:19
>       #21 0xa9417b3 in findValidReport
> /b/sanitizer-x86_64-linux-fast/build/llvm/tools/clang/lib/StaticAnalyzer/Core/BugReporter.cpp:2674:9
>       #22 0xa9417b3 in
> clang::ento::PathSensitiveBugReporter::generatePathDiagnostics(llvm::ArrayRef<clang::ento::PathDiagnosticConsumer*>,
> llvm::ArrayRef<clang::ento::BugReport*>&)
> /b/sanitizer-x86_64-linux-fast/build/llvm/tools/clang/lib/StaticAnalyzer/Core/BugReporter.cpp:2708
>       #23 0xa948006 in
> clang::ento::BugReporter::generateDiagnosticForConsumerMap(clang::ento::BugReport*,
> llvm::ArrayRef<clang::ento::PathDiagnosticConsumer*>,
> llvm::ArrayRef<clang::ento::BugReport*>)
> /b/sanitizer-x86_64-linux-fast/build/llvm/tools/clang/lib/StaticAnalyzer/Core/BugReporter.cpp:3032:5
>       #24 0xa93c090 in
> clang::ento::BugReporter::FlushReport(clang::ento::BugReportEquivClass&)
> /b/sanitizer-x86_64-linux-fast/build/llvm/tools/clang/lib/StaticAnalyzer/Core/BugReporter.cpp:2893:7
>       #25 0xa93a72e in clang::ento::BugReporter::FlushReports()
> /b/sanitizer-x86_64-linux-fast/build/llvm/tools/clang/lib/StaticAnalyzer/Core/BugReporter.cpp:2308:5
>       #26 0xa23ec21 in RunPathSensitiveChecks
> /b/sanitizer-x86_64-linux-fast/build/llvm/tools/clang/lib/StaticAnalyzer/Frontend/AnalysisConsumer.cpp:816:24
>       #27 0xa23ec21 in (anonymous
> namespace)::AnalysisConsumer::HandleCode(clang::Decl*, unsigned int,
> clang::ento::ExprEngine::InliningModes, llvm::DenseSet<clang::Decl const*,
> llvm::DenseMapInfo<clang::Decl const*> >*)
> /b/sanitizer-x86_64-linux-fast/build/llvm/tools/clang/lib/StaticAnalyzer/Frontend/AnalysisConsumer.cpp:774
>       #28 0xa1f6203 in HandleDeclsCallGraph
> /b/sanitizer-x86_64-linux-fast/build/llvm/tools/clang/lib/StaticAnalyzer/Frontend/AnalysisConsumer.cpp:556:5
>       #29 0xa1f6203 in runAnalysisOnTranslationUnit
> /b/sanitizer-x86_64-linux-fast/build/llvm/tools/clang/lib/StaticAnalyzer/Frontend/AnalysisConsumer.cpp:607
>       #30 0xa1f6203 in (anonymous
> namespace)::AnalysisConsumer::HandleTranslationUnit(clang::ASTContext&)
> /b/sanitizer-x86_64-linux-fast/build/llvm/tools/clang/lib/StaticAnalyzer/Frontend/AnalysisConsumer.cpp:637
>       #31 0xad37ae0 in clang::ParseAST(clang::Sema&, bool, bool)
> /b/sanitizer-x86_64-linux-fast/build/llvm/tools/clang/lib/Parse/ParseAST.cpp:171:13
>       #32 0x7ad09b9 in clang::FrontendAction::Execute()
> /b/sanitizer-x86_64-linux-fast/build/llvm/tools/clang/lib/Frontend/FrontendAction.cpp:935:8
>       #33 0x79ae417 in
> clang::CompilerInstance::ExecuteAction(clang::FrontendAction&)
> /b/sanitizer-x86_64-linux-fast/build/llvm/tools/clang/lib/Frontend/CompilerInstance.cpp:946:33
>       #34 0x7d27c53 in
> clang::ExecuteCompilerInvocation(clang::CompilerInstance*)
> /b/sanitizer-x86_64-linux-fast/build/llvm/tools/clang/lib/FrontendTool/ExecuteCompilerInvocation.cpp:291:25
>       #35 0xcc5084 in cc1_main(llvm::ArrayRef<char const*>, char const*,
> void*)
> /b/sanitizer-x86_64-linux-fast/build/llvm/tools/clang/tools/driver/cc1_main.cpp:250:15
>       #36 0xcbcadc in ExecuteCC1Tool
> /b/sanitizer-x86_64-linux-fast/build/llvm/tools/clang/tools/driver/driver.cpp:309:12
>       #37 0xcbcadc in main
> /b/sanitizer-x86_64-linux-fast/build/llvm/tools/clang/tools/driver/driver.cpp:381
>       #38 0x7fa63d18f2e0 in __libc_start_main
> (/lib/x86_64-linux-gnu/libc.so.6+0x202e0)
>       #39 0xbed7c9 in _start
> (/b/sanitizer-x86_64-linux-fast/build/llvm_build_asan/bin/clang-10+0xbed7c9)
>
>   Address 0x7fa639ecfa30 is located in stack of thread T0 at offset 48 in
> frame
>       #0 0xa32780f in
> std::__1::__function::__func<getNoteTag(clang::ento::CheckerContext&,
> clang::ento::DynamicCastInfo const*, clang::QualType, clang::Expr const*,
> bool, bool)::$_0,
> std::__1::allocator<getNoteTag(clang::ento::CheckerContext&,
> clang::ento::DynamicCastInfo const*, clang::QualType, clang::Expr const*,
> bool, bool)::$_0>, std::__1::basic_string<char,
> std::__1::char_traits<char>, std::__1::allocator<char> > ()>::operator()()
> /b/sanitizer-x86_64-linux-fast/build/libcxx_build_asan/include/c++/v1/functional:1713
>
>     This frame has 4 object(s):
>       [32, 176) 'Msg.i.i.i.i' <== Memory access at offset 48 is inside
> this variable
>       [240, 288) 'Out.i.i.i.i'
>       [320, 344) 'ref.tmp.i.i.i.i'
>       [384, 408) 'ref.tmp14.i.i.i.i'
>   HINT: this may be a false positive if your program uses some custom
> stack unwind mechanism, swapcontext or vfork
>         (longjmp and C++ exceptions *are* supported)
>   SUMMARY: AddressSanitizer: stack-use-after-scope
> /b/sanitizer-x86_64-linux-fast/build/llvm/projects/compiler-rt/lib/asan/asan_interceptors_memintrinsics.cc:22
> in __asan_memcpy
>   Shadow bytes around the buggy address:
>     0x0ff5473d1ef0: f5 f5 f5 f5 f5 f5 f5 f5 f5 f5 f5 f5 f5 f5 f5 f5
>     0x0ff5473d1f00: f1 f1 f1 f1 00 00 00 f2 f2 f2 f2 f2 00 00 00 00
>     0x0ff5473d1f10: f2 f2 f2 f2 00 00 00 00 f2 f2 f2 f2 f8 f8 f8 f8
>     0x0ff5473d1f20: f8 f8 f8 f8 f3 f3 f3 f3 00 00 00 00 00 00 00 00
>     0x0ff5473d1f30: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
>   =>0x0ff5473d1f40: f1 f1 f1 f1 f8 f8[f8]f8 f8 f8 f8 f8 f8 f8 f8 f8
>     0x0ff5473d1f50: f8 f8 f8 f8 f8 f8 f2 f2 f2 f2 f2 f2 f2 f2 f8 f8
>     0x0ff5473d1f60: f8 f8 f8 f8 f2 f2 f2 f2 f8 f8 f8 f2 f2 f2 f2 f2
>     0x0ff5473d1f70: f8 f8 f8 f3 f3 f3 f3 f3 00 00 00 00 00 00 00 00
>     0x0ff5473d1f80: f5 f5 f5 f5 f5 f5 f5 f5 f5 f5 f5 f5 f5 f5 f5 f5
>     0x0ff5473d1f90: f5 f5 f5 f5 f5 f5 f5 f5 f5 f5 f5 f5 f5 f5 f5 f5
>   Shadow byte legend (one shadow byte represents 8 application bytes):
>     Addressable:           00
>     Partially addressable: 01 02 03 04 05 06 07
>     Heap left redzone:       fa
>     Freed heap region:       fd
>     Stack left redzone:      f1
>     Stack mid redzone:       f2
>     Stack right redzone:     f3
>     Stack after return:      f5
>     Stack use after scope:   f8
>     Global redzone:          f9
>     Global init order:       f6
>     Poisoned by user:        f7
>     Container overflow:      fc
>     Array cookie:            ac
>     Intra object redzone:    bb
>     ASan internal:           fe
>     Left alloca redzone:     ca
>     Right alloca redzone:    cb
>     Shadow gap:              cc
>   ==43337==ABORTING
>
>   --
>
> Thanks for your notes! Also @xazax.hun may you are interested in this
> lifetime issue.
>
>
> Repository:
>   rL LLVM
>
> CHANGES SINCE LAST ACTION
>   https://reviews.llvm.org/D66325/new/
>
> https://reviews.llvm.org/D66325
>
>
>
> _______________________________________________
> cfe-commits mailing list
> cfe-commits@lists.llvm.org
> https://lists.llvm.org/cgi-bin/mailman/listinfo/cfe-commits
>

_______________________________________________
cfe-commits mailing list
cfe-commits@lists.llvm.org
https://lists.llvm.org/cgi-bin/mailman/listinfo/cfe-commits

Re: [PATCH] D66325: [analyzer] CastValueChecker: Store the dynamic types and casts

Reply via email to