Clang static analysis assert in SimpleSValBuilder::evalBinOpLN: op == BO_Add || op == BO_Sub

While working with a build of clang that has assertions enabled, I found a simple repro for an assertion failure with tip of tree clang:
https://github.com/llvm/llvm-project/blob/d49a893cdbea0dd6f8fde7dc9f321b2e0d169bba/clang/lib/StaticAnalyzer/Core/SimpleSValBuilder.cpp#L1159

Repro command-line:
```
clang -cc1 -analyze -analyzer-checker=core -x c++ repro.cpp
```

Contents of `repro.cpp`:
```
static void a() { __builtin_bit_cast(unsigned long long, &a) | 1; }
```

While this repro is very similar to #69922, the proposed fix for that bug (#70837) doesn't fix this bug.

Here's the full output of the crash trace:
```
repro.cpp:1:62: warning: expression result unused [-Wunused-value]
    1 | static void a() { __builtin_bit_cast(unsigned long long, &a) | 1; }
      |                   ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ ^ ~
clang: /home/andrew/llvm-project/clang/lib/StaticAnalyzer/Core/SimpleSValBuilder.cpp:1159: virtual clang::ento::SVal {anonymous}::SimpleSValBuilder::evalBinOpLN(clang::ento::ProgramStateRef, clang::BinaryOperator::Opcode, clang::ento::Loc, clang::ento::NonLoc, clang::QualType): Assertion `op == BO_Add || op == BO_Sub' failed.
PLEASE submit a bug report to https://github.com/llvm/llvm-project/issues/ and include the crash backtrace, preprocessed source, and associated run script.
Stack dump:
0.      Program arguments: /home/andrew/build/llvm/bin/clang -cc1 -analyze -analyzer-checker=core -x c++ repro.cpp
1.      <eof> parser at end of file
2.      While analyzing stack:
        #0 Calling a()
3.      repro.cpp:1:19: Error evaluating statement
4.      repro.cpp:1:19: Error evaluating statement
 #0 0x000055bd6390498f llvm::sys::PrintStackTrace(llvm::raw_ostream&, int) /home/andrew/llvm-project/llvm/lib/Support/Unix/Signals.inc:727:3
 #1 0x000055bd6390225f llvm::sys::RunSignalHandlers() /home/andrew/llvm-project/llvm/lib/Support/Signals.cpp:105:20
 #2 0x000055bd639025b6 SignalHandler(int) /home/andrew/llvm-project/llvm/lib/Support/Unix/Signals.inc:413:1
 #3 0x00007f04ccf88520 (/lib/x86_64-linux-gnu/libc.so.6+0x42520)
 #4 0x00007f04ccfdc9fc pthread_kill (/lib/x86_64-linux-gnu/libc.so.6+0x969fc)
 #5 0x00007f04ccf88476 gsignal (/lib/x86_64-linux-gnu/libc.so.6+0x42476)
 #6 0x00007f04ccf6e7f3 abort (/lib/x86_64-linux-gnu/libc.so.6+0x287f3)
 #7 0x00007f04ccf6e71b (/lib/x86_64-linux-gnu/libc.so.6+0x2871b)
 #8 0x00007f04ccf7fe96 (/lib/x86_64-linux-gnu/libc.so.6+0x39e96)
 #9 0x000055bd659f500c decltype(auto) llvm::cast<clang::ento::SubRegion, clang::ento::MemRegion const>(clang::ento::MemRegion const*) /home/andrew/llvm-project/clang/lib/StaticAnalyzer/Core/SimpleSValBuilder.cpp:1159:7
#10 0x000055bd659f500c (anonymous namespace)::SimpleSValBuilder::evalBinOpLN(llvm::IntrusiveRefCntPtr<clang::ento::ProgramState const>, clang::BinaryOperatorKind, clang::ento::Loc, clang::ento::NonLoc, clang::QualType) /home/andrew/llvm-project/clang/lib/StaticAnalyzer/Core/SimpleSValBuilder.cpp:1155:31
#11 0x000055bd65a017e2 llvm::IntrusiveRefCntPtr<clang::ento::ProgramState const>::release() /home/andrew/llvm-project/llvm/include/llvm/ADT/IntrusiveRefCntPtr.h:232:9
#12 0x000055bd65a017e2 llvm::IntrusiveRefCntPtr<clang::ento::ProgramState const>::~IntrusiveRefCntPtr() /home/andrew/llvm-project/llvm/include/llvm/ADT/IntrusiveRefCntPtr.h:196:34
#13 0x000055bd65a017e2 clang::ento::SValBuilder::evalBinOp(llvm::IntrusiveRefCntPtr<clang::ento::ProgramState const>, clang::BinaryOperatorKind, clang::ento::SVal, clang::ento::SVal, clang::QualType) /home/andrew/llvm-project/clang/lib/StaticAnalyzer/Core/SValBuilder.cpp:509:23
#14 0x000055bd6595405e llvm::IntrusiveRefCntPtr<clang::ento::ProgramState const>::release() /home/andrew/llvm-project/llvm/include/llvm/ADT/IntrusiveRefCntPtr.h:232:9
#15 0x000055bd6595405e llvm::IntrusiveRefCntPtr<clang::ento::ProgramState const>::~IntrusiveRefCntPtr() /home/andrew/llvm-project/llvm/include/llvm/ADT/IntrusiveRefCntPtr.h:196:34
#16 0x000055bd6595405e clang::ento::ExprEngine::evalBinOp(llvm::IntrusiveRefCntPtr<clang::ento::ProgramState const>, clang::BinaryOperatorKind, clang::ento::SVal, clang::ento::SVal, clang::QualType) /home/andrew/llvm-project/clang/include/clang/StaticAnalyzer/Core/PathSensitive/ExprEngine.h:611:33
#17 0x000055bd6595405e clang::ento::ExprEngine::VisitBinaryOperator(clang::BinaryOperator const*, clang::ento::ExplodedNode*, clang::ento::ExplodedNodeSet&) /home/andrew/llvm-project/clang/lib/StaticAnalyzer/Core/ExprEngineC.cpp:100:30
#18 0x000055bd6594204e clang::ento::NodeBuilder::addNodes(clang::ento::ExplodedNodeSet const&) /home/andrew/llvm-project/clang/include/clang/StaticAnalyzer/Core/PathSensitive/CoreEngine.h:339:45
#19 0x000055bd6594204e clang::ento::ExprEngine::Visit(clang::Stmt const*, clang::ento::ExplodedNode*, clang::ento::ExplodedNodeSet&) /home/andrew/llvm-project/clang/lib/StaticAnalyzer/Core/ExprEngine.cpp:2106:20
#20 0x000055bd65942aba clang::ento::ExprEngine::ProcessStmt(clang::Stmt const*, clang::ento::ExplodedNode*) /home/andrew/llvm-project/clang/lib/StaticAnalyzer/Core/ExprEngine.cpp:1132:15
#21 0x000055bd6594ab3f clang::ento::ExprEngine::processCFGElement(clang::CFGElement, clang::ento::ExplodedNode*, unsigned int, clang::ento::NodeBuilderContext*) /home/andrew/llvm-project/clang/lib/StaticAnalyzer/Core/ExprEngine.cpp:977:7
#22 0x000055bd6590b34d clang::ento::CoreEngine::HandlePostStmt(clang::CFGBlock const*, unsigned int, clang::ento::ExplodedNode*) /home/andrew/llvm-project/clang/lib/StaticAnalyzer/Core/CoreEngine.cpp:498:1
#23 0x000055bd6590b8c4 clang::ento::CoreEngine::ExecuteWorkList(clang::LocationContext const*, unsigned int, llvm::IntrusiveRefCntPtr<clang::ento::ProgramState const>)::'lambda'(unsigned int)::operator()(unsigned int) const /home/andrew/llvm-project/clang/lib/StaticAnalyzer/Core/CoreEngine.cpp:159:23
#24 0x000055bd6590b9a4 clang::ento::CoreEngine::ExecuteWorkList(clang::LocationContext const*, unsigned int, llvm::IntrusiveRefCntPtr<clang::ento::ProgramState const>) /home/andrew/llvm-project/clang/lib/StaticAnalyzer/Core/CoreEngine.cpp:163:41
#25 0x000055bd6546ee2e llvm::IntrusiveRefCntPtr<clang::ento::ProgramState const>::release() /home/andrew/llvm-project/llvm/include/llvm/ADT/IntrusiveRefCntPtr.h:232:9
#26 0x000055bd6546ee2e llvm::IntrusiveRefCntPtr<clang::ento::ProgramState const>::~IntrusiveRefCntPtr() /home/andrew/llvm-project/llvm/include/llvm/ADT/IntrusiveRefCntPtr.h:196:34
#27 0x000055bd6546ee2e clang::ento::ExprEngine::ExecuteWorkList(clang::LocationContext const*, unsigned int) /home/andrew/llvm-project/clang/include/clang/StaticAnalyzer/Core/PathSensitive/ExprEngine.h:190:34
#28 0x000055bd6546ee2e RunPathSensitiveChecks /home/andrew/llvm-project/clang/lib/StaticAnalyzer/Frontend/AnalysisConsumer.cpp:727:22
#29 0x000055bd6546ee2e (anonymous namespace)::AnalysisConsumer::HandleCode(clang::Decl*, unsigned int, clang::ento::ExprEngine::InliningModes, llvm::DenseSet<clang::Decl const*, llvm::DenseMapInfo<clang::Decl const*, void>>*) /home/andrew/llvm-project/clang/lib/StaticAnalyzer/Frontend/AnalysisConsumer.cpp:697:27
#30 0x000055bd6548311f llvm::DenseMapBase<llvm::DenseMap<clang::Decl const*, llvm::detail::DenseSetEmpty, llvm::DenseMapInfo<clang::Decl const*, void>, llvm::detail::DenseSetPair<clang::Decl const*>>, clang::Decl const*, llvm::detail::DenseSetEmpty, llvm::DenseMapInfo<clang::Decl const*, void>, llvm::detail::DenseSetPair<clang::Decl const*>>::begin() /home/andrew/llvm-project/llvm/include/llvm/ADT/DenseMap.h:78:5
#31 0x000055bd6548311f llvm::detail::DenseSetImpl<clang::Decl const*, llvm::DenseMap<clang::Decl const*, llvm::detail::DenseSetEmpty, llvm::DenseMapInfo<clang::Decl const*, void>, llvm::detail::DenseSetPair<clang::Decl const*>>, llvm::DenseMapInfo<clang::Decl const*, void>>::begin() /home/andrew/llvm-project/llvm/include/llvm/ADT/DenseSet.h:173:50
#32 0x000055bd6548311f HandleDeclsCallGraph /home/andrew/llvm-project/clang/lib/StaticAnalyzer/Frontend/AnalysisConsumer.cpp:490:31
#33 0x000055bd6548311f runAnalysisOnTranslationUnit /home/andrew/llvm-project/clang/lib/StaticAnalyzer/Frontend/AnalysisConsumer.cpp:557:25
#34 0x000055bd6548311f (anonymous namespace)::AnalysisConsumer::HandleTranslationUnit(clang::ASTContext&) /home/andrew/llvm-project/clang/lib/StaticAnalyzer/Frontend/AnalysisConsumer.cpp:612:31
#35 0x000055bd65a49289 clang::ParseAST(clang::Sema&, bool, bool) /home/andrew/llvm-project/clang/lib/Parse/ParseAST.cpp:176:34
#36 0x000055bd6430a3a9 clang::FrontendAction::Execute() /home/andrew/llvm-project/clang/lib/Frontend/FrontendAction.cpp:1070:21
#37 0x000055bd64299815 llvm::Error::setChecked(bool) /home/andrew/llvm-project/llvm/include/llvm/Support/Error.h:307:22
#38 0x000055bd64299815 llvm::Error::operator bool() /home/andrew/llvm-project/llvm/include/llvm/Support/Error.h:239:15
#39 0x000055bd64299815 clang::CompilerInstance::ExecuteAction(clang::FrontendAction&) /home/andrew/llvm-project/clang/lib/Frontend/CompilerInstance.cpp:1045:42
#40 0x000055bd643cc3f5 std::__shared_ptr<clang::FrontendOptions, (__gnu_cxx::_Lock_policy)2>::get() const /usr/include/c++/11/bits/shared_ptr_base.h:1296:16
#41 0x000055bd643cc3f5 std::__shared_ptr_access<clang::FrontendOptions, (__gnu_cxx::_Lock_policy)2, false, false>::_M_get() const /usr/include/c++/11/bits/shared_ptr_base.h:993:69
#42 0x000055bd643cc3f5 std::__shared_ptr_access<clang::FrontendOptions, (__gnu_cxx::_Lock_policy)2, false, false>::operator*() const /usr/include/c++/11/bits/shared_ptr_base.h:979:2
#43 0x000055bd643cc3f5 clang::CompilerInvocation::getFrontendOpts() /home/andrew/llvm-project/clang/include/clang/Frontend/CompilerInvocation.h:247:48
#44 0x000055bd643cc3f5 clang::CompilerInstance::getFrontendOpts() /home/andrew/llvm-project/clang/include/clang/Frontend/CompilerInstance.h:291:39
#45 0x000055bd643cc3f5 clang::ExecuteCompilerInvocation(clang::CompilerInstance*) /home/andrew/llvm-project/clang/lib/FrontendTool/ExecuteCompilerInvocation.cpp:273:29
#46 0x000055bd626d00f9 cc1_main(llvm::ArrayRef<char const*>, char const*, void*) /home/andrew/llvm-project/clang/tools/driver/cc1_main.cpp:294:40
#47 0x000055bd626c8213 ExecuteCC1Tool(llvm::SmallVectorImpl<char const*>&, llvm::ToolContext const&) /home/andrew/llvm-project/clang/tools/driver/driver.cpp:366:20
#48 0x000055bd626cc617 clang_main(int, char**, llvm::ToolContext const&) /home/andrew/llvm-project/clang/tools/driver/driver.cpp:407:26
#49 0x000055bd62619f13 main /home/andrew/build/llvm/tools/clang/tools/driver/clang-driver.cpp:16:1
#50 0x00007f04ccf6fd90 (/lib/x86_64-linux-gnu/libc.so.6+0x29d90)
#51 0x00007f04ccf6fe40 __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x29e40)
#52 0x000055bd626c6ad5 _start (/home/andrew/build/llvm/bin/clang+0xcd7ad5)
```

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

Clang static analysis assert in SimpleSValBuilder::evalBinOpLN: op == BO_Add || op == BO_Sub #71174

Metadata

Assignees

Labels

Type

Projects

Milestone

Relationships

Development

Clang static analysis assert in SimpleSValBuilder::evalBinOpLN: op == BO_Add || op == BO_Sub #71174

Description

Metadata

Metadata

Assignees

Labels

Type

Projects

Milestone

Relationships

Development

Issue actions