Skip to content

[analyzer] Crash on using non-type template arguments #79575

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Closed
steakhal opened this issue Jan 26, 2024 · 1 comment · Fixed by #79764
Closed

[analyzer] Crash on using non-type template arguments #79575

steakhal opened this issue Jan 26, 2024 · 1 comment · Fixed by #79764
Labels
clang:static analyzer crash-on-valid
Milestone
LLVM 18.X Release

Comments

@steakhal
Copy link
Contributor

clang 18.1.0 crashes on the following code snippet, while clang-17 does not.
https://godbolt.org/z/h3sME4Gdz

This is a nullpointer dereference.

constexpr char abc[] = "abc";
void use(const char *fmt);

template <const char* in>
void use_template_param() {
  const char *p = in;
}
void force_instantiate() {
  use_template_param<abc>();
}

Stack trace:

#0  clang::Stmt::getStmtClass (this=0x0) at clang/include/clang/AST/Stmt.h:1357
#1  ignoreTransparentExprs (E=0x0) at Core/Environment.cpp:41
#2  ignoreTransparentExprs (E=0x0) at Core/Environment.cpp:62
#3  ignoreTransparentExprs (E=0x7f2d5418c080) at Core/Environment.cpp:62
#4  ignoreTransparentExprs (E=0x7f2d5418c098) at Core/Environment.cpp:62
#5  ignoreTransparentExprs (S=0x7f2d5418c0f8) at Core/Environment.cpp:67
#6  clang::ento::EnvironmentEntry::EnvironmentEntry () at Core/Environment.cpp:73
#7  clang::ento::ProgramState::getSVal () at Core/PathSensitive/ProgramState.h:807
#8  0x00007f2d68e76926 in clang::ento::ExprEngine::VisitCast () at Core/ExprEngineC.cpp:337
#9  0x00007f2d68e38cdc in clang::ento::ExprEngine::Visit () at Core/ExprEngine.cpp:2280
#10 0x00007f2d68e35039 in clang::ento::ExprEngine::ProcessStmt () at Core/ExprEngine.cpp:1134
#11 0x00007f2d68e34ccd in clang::ento::ExprEngine::processCFGElement () at Core/ExprEngine.cpp:976
#12 0x00007f2d68dfb5ff in clang::ento::CoreEngine::HandlePostStmt () at Core/CoreEngine.cpp:499
#13 0x00007f2d68dfad62 in clang::ento::CoreEngine::dispatchWorkItem () at Core/CoreEngine.cpp:220

In the AST, we have this segment for the const char *p = in; variable declaration:

`-VarDecl <col:3, col:19> col:15 p 'const char *' cinit
  `-SubstNonTypeTemplateParmExpr <col:19> 'const char *'
    |-NonTypeTemplateParmDecl <line:4:11, col:23> col:23 referenced 'const char *' depth 0 index 0 in
    `-ConstantExpr <line:6:19> 'const char *'
      |-value: LValue <todo>
      `-OpaqueValueExpr <col:19> 'const char *'

That dump comes from the TextNodeDumper.cpp:

  case APValue::LValue:
    (void)Context;
    OS << "LValue <todo>";
    return;

So, some APValue must be of kind LValue.

Anyways, bisections blames 5518a9d ([c++20] P1907R1: Support for generalized non-type template arguments of scalar type. (#78041), 2024.01.21.) commit for introducing this crash.

This is a regression, as clang-17 did not crash on the same input.

Notes for myself: CPP-4927
@steakhal steakhal added this to the LLVM 18.X Release milestone Jan 26, 2024
@github-project-automation github-project-automation bot moved this to Needs Triage in LLVM Release Status Jan 26, 2024
@llvmbot
Copy link
Member

llvmbot commented Jan 26, 2024

@llvm/issue-subscribers-clang-static-analyzer

Author: Balazs Benics (steakhal)

clang 18.1.0 crashes on the following code snippet, while clang-17 does not. https://godbolt.org/z/h3sME4Gdz

This is a nullpointer dereference.

constexpr char abc[] = "abc";
void use(const char *fmt);

template &lt;const char* in&gt;
void use_template_param() {
  const char *p = in;
}
void force_instantiate() {
  use_template_param&lt;abc&gt;();
}

Stack trace:

#<!-- -->0  clang::Stmt::getStmtClass (this=0x0) at clang/include/clang/AST/Stmt.h:1357
#<!-- -->1  ignoreTransparentExprs (E=0x0) at Core/Environment.cpp:41
#<!-- -->2  ignoreTransparentExprs (E=0x0) at Core/Environment.cpp:62
#<!-- -->3  ignoreTransparentExprs (E=0x7f2d5418c080) at Core/Environment.cpp:62
#<!-- -->4  ignoreTransparentExprs (E=0x7f2d5418c098) at Core/Environment.cpp:62
#<!-- -->5  ignoreTransparentExprs (S=0x7f2d5418c0f8) at Core/Environment.cpp:67
#<!-- -->6  clang::ento::EnvironmentEntry::EnvironmentEntry () at Core/Environment.cpp:73
#<!-- -->7  clang::ento::ProgramState::getSVal () at Core/PathSensitive/ProgramState.h:807
#<!-- -->8  0x00007f2d68e76926 in clang::ento::ExprEngine::VisitCast () at Core/ExprEngineC.cpp:337
#<!-- -->9  0x00007f2d68e38cdc in clang::ento::ExprEngine::Visit () at Core/ExprEngine.cpp:2280
#<!-- -->10 0x00007f2d68e35039 in clang::ento::ExprEngine::ProcessStmt () at Core/ExprEngine.cpp:1134
#<!-- -->11 0x00007f2d68e34ccd in clang::ento::ExprEngine::processCFGElement () at Core/ExprEngine.cpp:976
#<!-- -->12 0x00007f2d68dfb5ff in clang::ento::CoreEngine::HandlePostStmt () at Core/CoreEngine.cpp:499
#<!-- -->13 0x00007f2d68dfad62 in clang::ento::CoreEngine::dispatchWorkItem () at Core/CoreEngine.cpp:220

In the AST, we have this segment for the const char *p = in; variable declaration:

`-VarDecl &lt;col:3, col:19&gt; col:15 p 'const char *' cinit
  `-SubstNonTypeTemplateParmExpr &lt;col:19&gt; 'const char *'
    |-NonTypeTemplateParmDecl &lt;line:4:11, col:23&gt; col:23 referenced 'const char *' depth 0 index 0 in
    `-ConstantExpr &lt;line:6:19&gt; 'const char *'
      |-value: LValue &lt;todo&gt;
      `-OpaqueValueExpr &lt;col:19&gt; 'const char *'

That dump comes from the TextNodeDumper.cpp:

  case APValue::LValue:
    (void)Context;
    OS &lt;&lt; "LValue &lt;todo&gt;";
    return;

So, some APValue must be of kind LValue.

Anyways, bisections blames 5518a9d ([c++20] P1907R1: Support for generalized non-type template arguments of scalar type. (#<!-- -->78041), 2024.01.21.) commit for introducing this crash.

This is a regression, as clang-17 did not crash on the same input.

Notes for myself: CPP-4927

@steakhal steakhal mentioned this issue Jan 26, 2024
Merged
@nikic nikic moved this from Needs Triage to Needs Fix in LLVM Release Status Jan 26, 2024
@bolshakov-a bolshakov-a mentioned this issue Jan 28, 2024
Merged
bolshakov-a added a commit to bolshakov-a/llvm-project that referenced this issue Jan 29, 2024
@bolshakov-a
Fix crashes on 'StructuralValue'
474f866 
`OpaqueValueExpr` doesn't necessarily contain a source expression.
Particularly, after llvm#78041, it is used to carry the type and the value
kind of a non-type template argument of floating-point type or referring
to a subobject (those are so called `StructuralValue` arguments).

This fixes llvm#79575.
llvm-git-migration pushed a commit to llvm-git-migration/llvm-project that referenced this issue Jan 29, 2024
@bolshakov-a
Fix analyzer crash on 'StructuralValue'
2a0a46f 
`OpaqueValueExpr` doesn't necessarily contain a source expression.
Particularly, after llvm#78041, it is used to carry the type and the value
kind of a non-type template argument of floating-point type or referring
to a subobject (those are so called `StructuralValue` arguments).

This fixes llvm#79575.
bolshakov-a added a commit to bolshakov-a/llvm-project that referenced this issue Jan 29, 2024
@bolshakov-a
Fix crashes on 'StructuralValue'
b3debeb 
`OpaqueValueExpr` doesn't necessarily contain a source expression.
Particularly, after llvm#78041, it is used to carry the type and the value
kind of a non-type template argument of floating-point type or referring
to a subobject (those are so called `StructuralValue` arguments).

This fixes llvm#79575.
steakhal pushed a commit that referenced this issue Jan 30, 2024
@bolshakov-a
Fix analyzer crash on 'StructuralValue' (#79764)
ef67f63 
`OpaqueValueExpr` doesn't necessarily contain a source expression.
Particularly, after #78041, it is used to carry the type and the value
kind of a non-type template argument of floating-point type or referring
to a subobject (those are so called `StructuralValue` arguments).

This fixes #79575.
@steakhal steakhal mentioned this issue Jan 30, 2024
Closed
llvmbot pushed a commit to llvmbot/llvm-project that referenced this issue Jan 30, 2024
@bolshakov-a @llvmbot
Fix analyzer crash on 'StructuralValue' (llvm#79764)
2437bc0 
`OpaqueValueExpr` doesn't necessarily contain a source expression.
Particularly, after llvm#78041, it is used to carry the type and the value
kind of a non-type template argument of floating-point type or referring
to a subobject (those are so called `StructuralValue` arguments).

This fixes llvm#79575.

(cherry picked from commit ef67f63)
@nikic nikic moved this from Needs Fix to Done in LLVM Release Status Feb 1, 2024
llvmbot pushed a commit to llvmbot/llvm-project that referenced this issue Feb 1, 2024
@bolshakov-a @tstellar
Fix analyzer crash on 'StructuralValue' (llvm#79764)
0eb163c 
`OpaqueValueExpr` doesn't necessarily contain a source expression.
Particularly, after llvm#78041, it is used to carry the type and the value
kind of a non-type template argument of floating-point type or referring
to a subobject (those are so called `StructuralValue` arguments).

This fixes llvm#79575.

(cherry picked from commit ef67f63)
tstellar pushed a commit to tstellar/llvm-project that referenced this issue Feb 14, 2024
@bolshakov-a @tstellar
Fix analyzer crash on 'StructuralValue' (llvm#79764)
df8a3df 
`OpaqueValueExpr` doesn't necessarily contain a source expression.
Particularly, after llvm#78041, it is used to carry the type and the value
kind of a non-type template argument of floating-point type or referring
to a subobject (those are so called `StructuralValue` arguments).

This fixes llvm#79575.

(cherry picked from commit ef67f63)
tstellar pushed a commit to tstellar/llvm-project that referenced this issue Feb 14, 2024
@bolshakov-a @tstellar
Fix analyzer crash on 'StructuralValue' (llvm#79764)
1a42d4c 
`OpaqueValueExpr` doesn't necessarily contain a source expression.
Particularly, after llvm#78041, it is used to carry the type and the value
kind of a non-type template argument of floating-point type or referring
to a subobject (those are so called `StructuralValue` arguments).

This fixes llvm#79575.

(cherry picked from commit ef67f63)
tstellar pushed a commit to tstellar/llvm-project that referenced this issue Feb 14, 2024
@bolshakov-a @tstellar
Fix analyzer crash on 'StructuralValue' (llvm#79764)
9df8378 
`OpaqueValueExpr` doesn't necessarily contain a source expression.
Particularly, after llvm#78041, it is used to carry the type and the value
kind of a non-type template argument of floating-point type or referring
to a subobject (those are so called `StructuralValue` arguments).

This fixes llvm#79575.

(cherry picked from commit ef67f63)
tstellar pushed a commit to tstellar/llvm-project that referenced this issue Feb 14, 2024
@bolshakov-a @tstellar
Fix analyzer crash on 'StructuralValue' (llvm#79764)
8996dcf 
`OpaqueValueExpr` doesn't necessarily contain a source expression.
Particularly, after llvm#78041, it is used to carry the type and the value
kind of a non-type template argument of floating-point type or referring
to a subobject (those are so called `StructuralValue` arguments).

This fixes llvm#79575.

(cherry picked from commit ef67f63)
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
clang:static analyzer crash-on-valid
Projects
LLVM Release Status
Status: Done
Milestone
LLVM 18.X Release
Development

Successfully merging a pull request may close this issue.

Fix analyzer crash on 'StructuralValue' bolshakov-a/llvm-project
2 participants
@steakhal @llvmbot