tomrittervg wrote: This sounds crazy, but I think I found a bug in this patchset. I applied it on top of the 17.0.2 tag, and then ran the whole analysis on mozilla-central. I got segfaults on about 4000 executions, all with the same stack trace:
```
1. <eof> parser at end of file
2. While analyzing stack:
 #0 Calling mozilla::FailureLatch::SetFailureFrom(const FailureLatch &) at line /home/tom/Documents/moz/static-analysis/mozilla-unified/objdir/dist/include/mozilla/BaseProfileJSONWriter.h:151:5
 #1 Calling mozilla::baseprofiler::ChunkedJSONWriteFunc::ChangeFailureLatchAndForwardState(FailureLatch &) at line /home/tom/Documents/moz/static-analysis/mozilla-unified/objdir/dist/include/mozilla/BaseProfileJSONWriter.h:465:12
 #2 Calling mozilla::baseprofiler::SpliceableChunkedJSONWriter::ChangeFailureLatchAndForwardState(FailureLatch &) at line /home/tom/Documents/moz/static-analysis/mozilla-unified/objdir/dist/include/mozilla/BaseProfileJSONWriter.h:570:5
 #3 Calling mozilla::baseprofiler::UniqueJSONStrings::ChangeFailureLatchAndForwardState(FailureLatch &)
3. /home/tom/Documents/moz/static-analysis/mozilla-unified/objdir/dist/include/mozilla/FailureLatch.h:65:36: Error evaluating statement
4. /home/tom/Documents/moz/static-analysis/mozilla-unified/objdir/dist/include/mozilla/FailureLatch.h:65:36: Error evaluating statement
 #0 0x00007f9378f09cb8 llvm::sys::PrintStackTrace(llvm::raw_ostream&, int) (/home/tom/Documents/moz/static-analysis/clang-17-2023-11-22-patches-from-tc/bin/../lib/libLLVM-17.so+0x2782cb8)
 #1 0x00007f9378f09813 llvm::sys::CleanupOnSignal(unsigned long) (/home/tom/Documents/moz/static-analysis/clang-17-2023-11-22-patches-from-tc/bin/../lib/libLLVM-17.so+0x2782813)
 #2 0x00007f9378ea11fe (anonymous namespace)::CrashRecoveryContextImpl::HandleCrash(int, unsigned long) CrashRecoveryContext.cpp:0:0
 #3 0x00007f9378ea13ae CrashRecoverySignalHandler(int) CrashRecoveryContext.cpp:0:0
 #4 0x00007f937626c520 (/lib/x86_64-linux-gnu/libc.so.6+0x42520)
 #5 0x00007f937da6ed08 clang::ento::CXXInstanceCall::getRuntimeDefinition() const (/home/tom/Documents/moz/static-analysis/clang-17-2023-11-22-patches-from-tc/bin/../lib/libclang-cpp.so.17+0x2f09d08)
 #6 0x00007f937da6f038 clang::ento::CXXMemberCall::getRuntimeDefinition() const (/home/tom/Documents/moz/static-analysis/clang-17-2023-11-22-patches-from-tc/bin/../lib/libclang-cpp.so.17+0x2f0a038)
 #7 0x00007f937daa9796 clang::ento::ExprEngine::defaultEvalCall(clang::ento::NodeBuilder&, clang::ento::ExplodedNode*, clang::ento::CallEvent const&, clang::ento::EvalCallOptions const&) (/home/tom/Documents/moz/static-analysis/clang-17-2023-11-22-patches-from-tc/bin/../lib/libclang-cpp.so.17+0x2f44796)
 #8 0x00007f937da776ea clang::ento::CheckerManager::runCheckersForEvalCall(clang::ento::ExplodedNodeSet&, clang::ento::ExplodedNodeSet const&, clang::ento::CallEvent const&, clang::ento::ExprEngine&, clang::ento::EvalCallOptions const&) (/home/tom/Documents/moz/static-analysis/clang-17-2023-11-22-patches-from-tc/bin/../lib/libclang-cpp.so.17+0x2f126ea)
 #9 0x00007f937daa7c64 clang::ento::ExprEngine::evalCall(clang::ento::ExplodedNodeSet&, clang::ento::ExplodedNode*, clang::ento::CallEvent const&) (/home/tom/Documents/moz/static-analysis/clang-17-2023-11-22-patches-from-tc/bin/../lib/libclang-cpp.so.17+0x2f42c64)
 #10 0x00007f937daa7a67 clang::ento::ExprEngine::VisitCallExpr(clang::CallExpr const*, clang::ento::ExplodedNode*, clang::ento::ExplodedNodeSet&) (/home/tom/Documents/moz/static-analysis/clang-17-2023-11-22-patches-from-tc/bin/../lib/libclang-cpp.so.17+0x2f42a67)
 #11 0x00007f937da8d503 clang::ento::ExprEngine::Visit(clang::Stmt const*, clang::ento::ExplodedNode*, clang::ento::ExplodedNodeSet&) (/home/tom/Documents/moz/static-analysis/clang-17-2023-11-22-patches-from-tc/bin/../lib/libclang-cpp.so.17+0x2f28503)
 #12 0x00007f937da8abec clang::ento::ExprEngine::ProcessStmt(clang::Stmt const*, clang::ento::ExplodedNode*) (/home/tom/Documents/moz/static-analysis/clang-17-2023-11-22-patches-from-tc/bin/../lib/libclang-cpp.so.17+0x2f25bec)
 #13 0x00007f937da8a9bd clang::ento::ExprEngine::processCFGElement(clang::CFGElement, clang::ento::ExplodedNode*, unsigned int, clang::ento::NodeBuilderContext*) (/home/tom/Documents/moz/static-analysis/clang-17-2023-11-22-patches-from-tc/bin/../lib/libclang-cpp.so.17+0x2f259bd)
 #14 0x00007f937da7bb7c clang::ento::CoreEngine::HandlePostStmt(clang::CFGBlock const*, unsigned int, clang::ento::ExplodedNode*) (/home/tom/Documents/moz/static-analysis/clang-17-2023-11-22-patches-from-tc/bin/../lib/libclang-cpp.so.17+0x2f16b7c)
 #15 0x00007f937da7ae62 clang::ento::CoreEngine::ExecuteWorkList(clang::LocationContext const*, unsigned int, llvm::IntrusiveRefCntPtr<clang::ento::ProgramState const>) (/home/tom/Documents/moz/static-analysis/clang-17-2023-11-22-patches-from-tc/bin/../lib/libclang-cpp.so.17+0x2f15e62)
 #16 0x00007f937dcf3206 (anonymous namespace)::AnalysisConsumer::HandleCode(clang::Decl*, unsigned int, clang::ento::ExprEngine::InliningModes, llvm::DenseSet<clang::Decl const*, llvm::DenseMapInfo<clang::Decl const*, void>>*) AnalysisConsumer.cpp:0:0
 #17 0x00007f937dce8e5d (anonymous namespace)::AnalysisConsumer::HandleTranslationUnit(clang::ASTContext&) AnalysisConsumer.cpp:0:0
 #18 0x00007f937d8e19d1 clang::MultiplexConsumer::HandleTranslationUnit(clang::ASTContext&) (/home/tom/Documents/moz/static-analysis/clang-17-2023-11-22-patches-from-tc/bin/../lib/libclang-cpp.so.17+0x2d7c9d1)
 #19 0x00007f937c420920 clang::ParseAST(clang::Sema&, bool, bool) (/home/tom/Documents/moz/static-analysis/clang-17-2023-11-22-patches-from-tc/bin/../lib/libclang-cpp.so.17+0x18bb920)
 #20 0x00007f937c43431c clang::FrontendAction::Execute() (/home/tom/Documents/moz/static-analysis/clang-17-2023-11-22-patches-from-tc/bin/../lib/libclang-cpp.so.17+0x18cf31c)
 #21 0x00007f937c433e51 clang::CompilerInstance::ExecuteAction(clang::FrontendAction&) (/home/tom/Documents/moz/static-analysis/clang-17-2023-11-22-patches-from-tc/bin/../lib/libclang-cpp.so.17+0x18cee51)
 #22 0x00007f937d902e8d clang::ExecuteCompilerInvocation(clang::CompilerInstance*) (/home/tom/Documents/moz/static-analysis/clang-17-2023-11-22-patches-from-tc/bin/../lib/libclang-cpp.so.17+0x2d9de8d)
 #23 0x0000560e18adb1fe cc1_main(llvm::ArrayRef<char const*>, char const*, void*) (/home/tom/Documents/moz/static-analysis/clang-17-2023-11-22-patches-from-tc/bin/clang-17+0x121fe)
 #24 0x0000560e18ad418e ExecuteCC1Tool(llvm::SmallVectorImpl<char const*>&, llvm::ToolContext const&) driver.cpp:0:0
 #25 0x00007f937d542299 void llvm::function_ref<void ()>::callback_fn<clang::driver::CC1Command::Execute(llvm::ArrayRef<std::optional<llvm::StringRef>>, std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char>>*, bool*) const::$_0>(long) Job.cpp:0:0
 #26 0x00007f9378ea1197 llvm::CrashRecoveryContext::RunSafely(llvm::function_ref<void ()>) (/home/tom/Documents/moz/static-analysis/clang-17-2023-11-22-patches-from-tc/bin/../lib/libLLVM-17.so+0x271a197)
 #27 0x00007f937c42455e clang::driver::CC1Command::Execute(llvm::ArrayRef<std::optional<llvm::StringRef>>, std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char>>*, bool*) const (/home/tom/Documents/moz/static-analysis/clang-17-2023-11-22-patches-from-tc/bin/../lib/libclang-cpp.so.17+0x18bf55e)
 #28 0x00007f937c3edca4 clang::driver::Compilation::ExecuteCommand(clang::driver::Command const&, clang::driver::Command const*&, bool) const (/home/tom/Documents/moz/static-analysis/clang-17-2023-11-22-patches-from-tc/bin/../lib/libclang-cpp.so.17+0x1888ca4)
 #29 0x00007f937c3ed398 clang::driver::Driver::ExecuteCompilation(clang::driver::Compilation&, llvm::SmallVectorImpl<std::pair<int, clang::driver::Command const*>>&) (/home/tom/Documents/moz/static-analysis/clang-17-2023-11-22-patches-from-tc/bin/../lib/libclang-cpp.so.17+0x1888398)
 #30 0x0000560e18ad7da2 clang_main(int, char**, llvm::ToolContext const&) (/home/tom/Documents/moz/static-analysis/clang-17-2023-11-22-patches-from-tc/bin/clang-17+0xeda2)
 #31 0x0000560e18ad4d9e main (/home/tom/Documents/moz/static-analysis/clang-17-2023-11-22-patches-from-tc/bin/clang-17+0xbd9e)
 #32 0x00007f9376253d90 __libc_start_call_main ./csu/../sysdeps/nptl/libc_start_call_main.h:58:16
 #33 0x00007f9376253e40 call_init ./csu/../csu/libc-start.c:128:20
 #34 0x00007f9376253e40 __libc_start_main ./csu/../csu/libc-start.c:379:5
 #35 0x0000560e18ad95d3 _start (/home/tom/Documents/moz/static-analysis/clang-17-2023-11-22-patches-from-tc/bin/clang-17+0x105d3)
```

I took the smallest file, minimized it, and came up with this reproduction, which, admittedly, seems crazy to me. (What does `ObjCGenerics` have to do with anything - and yet, it seems to be one of a certain combination that causes the crash...)

```cpp
# 5 "/home/tom/Documents/moz/staticanalysis/mozillaunified/objdir/dist/include/mozilla/FailureLatch.h"
class a {
public:
  virtual char b();
};
class c {};
class C {
protected:
  c &d();
};
class e : public c, a {
public:
  void f() { b(); }
};
class g : C {
  void h() { i().f(); }
  e &i() { return static_cast<e &>(d()); }
};
```

And the command:

```sh
#!/bin/sh
"/home/tom/Documents/moz/static-analysis/clang-17-2023-11-22-patches-from-tc/bin/clang-17" \
  "-cc1" \
  "-triple" \
  "x86_64-unknown-linux-gnu" \
  "-analyze" \
  "-w" \
  "-analyzer-checker=osx.cocoa.ObjCGenerics" \
  "-x" \
  "c++" \
  "ProfileJSONWriter-991aed.cpp"
# Several other checker tests did not cause the error, but osx.cocoa.ObjCGenerics did.
# Although on the unminified command, removing that one check did not resolve the issue.
# So maybe it's more like certain checks cause a traversal in a way that causes the
# crash, and this is one of them...?
```

Again, this is these 4 patches, put atop 17.0.2 (6009708b4367171ccdbf4b5905cb6a803753fe18). You can even download the compiler [here](https://treeherder.mozilla.org/jobs?repo=try&revision=da8a9bbfe932fb7f0ed0744728b9bf7b342f4f97&selectedTaskRun=b5i9WgpvTNiEuhIYdqN3eQ.0) (in the Artifacts tab of the clang-17 job).
[This shows the patch additions](https://hg.mozilla.org/try/rev/ecb5169d852befe0954ef7c45dc39177515a9155). If I run it using 17.0.2 without the patches, it does not fail.

https://github.com/llvm/llvm-project/pull/69057

_______________________________________________
cfe-commits mailing list
cfe-commits@lists.llvm.org
https://lists.llvm.org/cgi-bin/mailman/listinfo/cfe-commits