This is an archive of the discontinued LLVM Phabricator instance.

[analyzer] Fix crash exposed by D140059
Closed, Public

Authored by vabridgers on Jan 26 2023, 6:36 AM.

Details

Summary

Change https://reviews.llvm.org/D140059 exposed the following crash in
Z3Solver, where bit widths were not checked consistently with that
change. This change makes the check consistent, and fixes the crash.

clang: <root>/llvm/include/llvm/ADT/APSInt.h:99:
  int64_t llvm::APSInt::getExtValue() const: Assertion
  `isRepresentableByInt64() && "Too many bits for int64_t"' failed.
...
Stack dump:
0. Program arguments: clang -cc1 -internal-isystem <root>/lib/clang/16/include
  -nostdsysteminc -analyze -analyzer-checker=core,unix.Malloc,debug.ExprInspection
  -analyzer-config crosscheck-with-z3=true -verify reproducer.c

 #0 0x00000000045b3476 llvm::sys::PrintStackTrace(llvm::raw_ostream&, int)
  <root>/llvm/lib/Support/Unix/Signals.inc:567:22
 #1 0x00000000045b3862 PrintStackTraceSignalHandler(void*)
  <root>/llvm/lib/Support/Unix/Signals.inc:641:1
 #2 0x00000000045b14a5 llvm::sys::RunSignalHandlers()
  <root>/llvm/lib/Support/Signals.cpp:104:20
 #3 0x00000000045b2eb4 SignalHandler(int)
  <root>/llvm/lib/Support/Unix/Signals.inc:412:1
 ...
 #9 0x0000000004be2eb3 llvm::APSInt::getExtValue() const
  <root>/llvm/include/llvm/ADT/APSInt.h:99:5
  <root>/llvm/lib/Support/Z3Solver.cpp:740:53
  clang::ASTContext&, clang::ento::SymExpr const*, llvm::APSInt const&, llvm::APSInt const&, bool)
  <root>/clang/include/clang/StaticAnalyzer/Core/PathSensitive/SMTConv.h:552:61
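
The kind of mismatch the summary describes, as an added example that is not code from this revision or from LLVM. `Val` and every function here are hypothetical stand-ins. The example assumes the inconsistent check was a width-only guard (64 bits or fewer) placed in front of a conversion whose precondition, per the assertion text above, is that the value is representable in `int64_t`.

```cpp
#include <cstdint>
#include <cstdio>

// Hypothetical stand-in for an integer of up to 64 bits (not llvm::APSInt):
// raw bit pattern, bit width (1..64), and signedness.
struct Val {
    uint64_t bits;
    unsigned width;
    bool is_unsigned;
};

// The condition named in the assertion message: the value, interpreted with
// its own signedness, fits in int64_t.
bool representable_by_int64(const Val &v) {
    if (!v.is_unsigned || v.width < 64) return true;
    return (v.bits >> 63) == 0;  // unsigned 64-bit: top bit must be clear
}

// Assumed shape of a width-only guard: looks only at the type, not the value.
bool width_guard(const Val &v) { return v.width <= 64; }

// True when the width-only guard admits a value the conversion cannot hold.
bool guard_mismatch(const Val &v) {
    return width_guard(v) && !representable_by_int64(v);
}

// Conversion that reports failure instead of asserting, so a caller can fall
// back to a wide-integer path.
bool to_int64_checked(const Val &v, int64_t &out) {
    if (!representable_by_int64(v)) return false;
    if (v.is_unsigned || v.width == 64) {
        out = static_cast<int64_t>(v.bits);
    } else {
        uint64_t sign = 1ULL << (v.width - 1);  // sign-extend from v.width
        out = static_cast<int64_t>((v.bits ^ sign) - sign);
    }
    return true;
}

int main() {
    Val big = {0x8000000000000000ULL, 64, true};  // constructed sample: 2^63
    int64_t out = 0;
    std::printf("width guard: %d, representable: %d, converted: %d\n",
                width_guard(big), representable_by_int64(big),
                to_int64_checked(big, out));
    return 0;
}
```
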

Event Timeline

vabridgers created this revision. Jan 26 2023, 6:36 AM
Herald added a project: Restricted Project. Jan 26 2023, 6:36 AM
vabridgers requested review of this revision. Jan 26 2023, 6:36 AM
Herald added projects: Restricted Project, Restricted Project. Jan 26 2023, 6:36 AM
vabridgers edited the summary of this revision.
vabridgers added a subscriber: uabelho.
steakhal accepted this revision. Jan 26 2023, 7:41 AM

I would not mind less artificial-looking test code, but I'll let you decide if you want to take action on it.

Have you thought about the rest of the callsites of getBitWidth()? Are they also vulnerable to similar bugs?

This revision is now accepted and ready to land. Jan 26 2023, 7:41 AM
This revision was landed with ongoing or failed builds. Jan 26 2023, 10:56 AM
This revision was automatically updated to reflect the committed changes.