Bug#675056: clang --analyze crashes

Tim Ruehsen tim.ruehsen at openmediasystem.de
Tue May 29 15:23:00 UTC 2012


Package: clang
Version: 3.1-3
Severity: important

Dear Maintainer,

clang --analyze crashes reproducibly on several files.

I tried to reduce a C file to the smallest size where the crash still happens:
########## x.c #############
#include <stdlib.h>

#define xfree(a) do { if (a) { free(a); a=NULL; } } while (0);

typedef struct {
        char
                *password,
                *host,
                *port,
                *path,
                *query,
                *fragment;
} IRI;

void iri_free(IRI *iri)
{
        if (iri) {
                xfree(iri->password);
                xfree(iri->host);
                xfree(iri->port);
                xfree(iri->path);
                xfree(iri->query);
                xfree(iri->fragment);
        }
}
##############

Small changes make clang work correctly, e.g. 'if (iri!=NULL)' or removing 'xfree(iri->password)'.

Here is clang's output:

$ clang --analyze x.c
0  libLLVM-3.1.so.1 0x00007f60f73ff8bf
1  libLLVM-3.1.so.1 0x00007f60f73ffd09
2  libpthread.so.0  0x00000039b800f030
3  clang            0x0000000000c456e2 clang::ento::ExplodedGraph::shouldCollect(clang::ento::ExplodedNode const*) + 242
4  clang            0x0000000000c457f7 clang::ento::ExplodedGraph::reclaimRecentlyAllocatedNodes() + 71
5  clang            0x0000000000c4edc1 clang::ento::ExprEngine::ProcessStmt(clang::CFGStmt, clang::ento::ExplodedNode*) + 49
6  clang            0x0000000000c4fd9c clang::ento::ExprEngine::processCFGElement(clang::CFGElement, clang::ento::ExplodedNode*, unsigned int, clang::ento::NodeBuilderContext*) + 172
7  clang            0x0000000000c35bca clang::ento::CoreEngine::HandlePostStmt(clang::CFGBlock const*, unsigned int, clang::ento::ExplodedNode*) + 74
8  clang            0x0000000000c35d2b clang::ento::CoreEngine::dispatchWorkItem(clang::ento::ExplodedNode*, clang::ProgramPoint, clang::ento::WorkListUnit const&) + 91
9  clang            0x0000000000c35f72 clang::ento::CoreEngine::ExecuteWorkList(clang::LocationContext const*, unsigned int, llvm::IntrusiveRefCntPtr<clang::ento::ProgramState const>) + 194
10 clang            0x0000000000b16886
11 clang            0x0000000000b17282
12 clang            0x0000000000b1e2b9
13 clang            0x000000000081809d clang::ParseAST(clang::Sema&, bool, bool) + 461
14 clang            0x00000000005c8156 clang::CompilerInstance::ExecuteAction(clang::FrontendAction&) + 262
15 clang            0x00000000005b14a2 clang::ExecuteCompilerInvocation(clang::CompilerInstance*) + 1042
16 clang            0x00000000005aabb5 cc1_main(char const**, char const**, char const*, void*) + 9093
17 clang            0x00000000005a7ca6 main + 7014
18 libc.so.6        0x00000039b741eead __libc_start_main + 253
19 clang            0x00000000005a86b1
Stack dump:
0.      Program arguments: /usr/bin/clang -cc1 -triple x86_64-pc-linux-gnu -analyze -disable-free -disable-llvm-verifier -main-file-name x.c -analyzer-store=region -analyzer-opt-analyze-nested-blocks -analyzer-eagerly-assume -analyzer-ipa=inlining -analyzer-checker=core -analyzer-checker=unix -analyzer-checker=deadcode -analyzer-checker=security.insecureAPI.UncheckedReturn -analyzer-checker=security.insecureAPI.getpw -analyzer-checker=security.insecureAPI.gets -analyzer-checker=security.insecureAPI.mktemp -analyzer-checker=security.insecureAPI.mkstemp -analyzer-checker=security.insecureAPI.vfork -analyzer-output plist -w -mrelocation-model static -mdisable-fp-elim -masm-verbose -mconstructor-aliases -munwind-tables -target-cpu x86-64 -target-linker-version 2.22 -momit-leaf-frame-pointer -resource-dir /usr/bin/../lib/clang/3.1 -fmodule-cache-path /var/tmp/clang-module-cache -internal-isystem /usr/local/include -internal-isystem /usr/bin/../lib/clang/3.1/include -internal-isystem /usr/include/clang/3.1/include/ -internal-externc-isystem  -internal-externc-isystem /usr/include/x86_64-linux-gnu -internal-externc-isystem /usr/include/x86_64-linux-gnu -internal-externc-isystem /usr/include -fdebug-compilation-dir /usr/oms/src/mget -ferror-limit 19 -fmessage-length 111 -mstackrealign -fgnu-runtime -fobjc-runtime-has-arc -fobjc-runtime-has-weak -fobjc-fragile-abi -fdiagnostics-show-option -fcolor-diagnostics -o x.plist -x c x.c
1.      <eof> parser at end of file
clang: error: unable to execute command: Segmentation fault
clang: error: clang frontend command failed due to signal (use -v to see invocation)
clang: note: diagnostic msg: Please submit a bug report to http://llvm.org/bugs/ and include command line arguments and all diagnostic information.
clang: note: diagnostic msg: Preprocessed source(s) and associated run script(s) are located at:
clang: note: diagnostic msg: /tmp/x-iE9dac.i
clang: note: diagnostic msg: /tmp/x-iE9dac.sh

Regards, Tim 

-- System Information:
Debian Release: wheezy/sid
  APT prefers unstable
  APT policy: (500, 'unstable'), (1, 'experimental')
Architecture: amd64 (x86_64)

Kernel: Linux 3.2.0-2-amd64 (SMP w/4 CPU cores)
Locale: LANG=C, LC_CTYPE=C (charmap=ANSI_X3.4-1968)
Shell: /bin/sh linked to /bin/dash

Versions of packages clang depends on:
ii  libc6                2.13-32
ii  libclang-common-dev  3.1-3
ii  libffi5              3.0.10-3
ii  libgcc1              1:4.7.0-10
ii  libllvm3.1           3.1-1
ii  libstdc++6           4.7.0-10
ii  libstdc++6-4.6-dev   4.6.3-7

Versions of packages clang recommends:
ii  llvm-3.1-dev  3.1-1
ii  python        2.7.2-10

clang suggests no packages.

-- no debconf information
