
Crash with --clang cppcheck 2.8 ubuntu linux focal fossa

2022-06-30
2022-07-07
  • Neil Matthews

    Neil Matthews - 2022-06-30
    #include <regex>
    #include <string>
    // Minimal reproducer: a single static initialiser that calls std::regex_replace.
    static std::string s = std::regex_replace("<dev>", std::regex("<dev>"), "<dev>");
    

    $ cppcheck --clang crash_cppcheck.cpp
    Checking crash_cppcheck.cpp...
    Segmentation fault (core dumped)

     
  • CHR

    CHR - 2022-07-01

    Would you be able to run this with a debugger attached?
    After fixing some other issue, I get

    Checking bar.cpp...
    clang.exe -fsyntax-only -Xclang -ast-dump -fno-color-diagnostics -x c++ bar.cpp
    bar.cpp:0:0: information: Bailing out from checking bar.cpp since there was an internal error: ClangImport: AstNodePtr::getChild(0) out of bounds. children.size=0 CXXThrowExpr 0x2318e3012d8 <C:\Program Files\Microsoft Visual Studio\2022\Professional\VC\Tools\MSVC\14.32.31326\include\yvals.h:487:19> 'void' [internalError]
    
    ^
    

    But I'm on Windows, so who knows.

     
  • Daniel Marjamäki

    I fail to reproduce.

    Could you please save the output from this command:

    clang -fsyntax-only -Xclang -ast-dump -fno-color-diagnostics -x c++ crash_cppcheck.cpp
    

    And attach it here.

     

    Last edit: Daniel Marjamäki 2022-07-05
  • Neil Matthews

    Neil Matthews - 2022-07-06

    Ok, so I tried on Ubuntu Focal Fossa.
    Looks like it might be a g++ compiler issue -- if I remove -O2 and use -g3 instead, I get a clean result. When I add -O2 (or -O1) back as well as -g3, I see the same crash as I reported originally.

    I've just compiled on Jammy Jellyfish and I get similar behavior with g++ on there.

    (gdb) bt
    #0  Token::tokAt (this=this@entry=0x0, index=index@entry=1) at lib/token.cpp:365
    #1  0x000055555579bbb5 in isUnknownType (start=0x0, end=end@entry=0x5555578a6960) at lib/symboldatabase.cpp:2808
    #2  0x000055555579f17b in Function::returnsReference (function=function@entry=0x5555578a6b60, unknown=unknown@entry=false) at lib/symboldatabase.cpp:2841
    #3  0x000055555587953b in valueFlowLifetimeFunction (tok=0x55555a0c7980, tokenlist=0x7fffffffc4f0, errorLogger=0x7fffffffcc80, settings=0x7fffffffcea0) at lib/valueflow.cpp:4058
    #4  0x00005555558840ce in valueFlowLifetime (tokenlist=<optimised out>, errorLogger=<optimised out>, settings=<optimised out>) at lib/valueflow.cpp:4582
    #5  0x0000555555884d77 in ValueFlow::setValues (tokenlist=0x7fffffffc4f0, symboldatabase=0x555555af1bc0, errorLogger=0x7fffffffcc80, settings=0x7fffffffcea0) at lib/valueflow.cpp:8481
    #6  0x00005555557150e9 in CppCheck::check (this=this@entry=0x7fffffffcc80, path="crash_cppcheck.cpp") at lib/tokenize.h:866
    #7  0x00005555558aca07 in CppCheckExecutor::check_internal (this=0x7fffffffdbe0, cppcheck=...) at cli/cppcheckexecutor.cpp:939
    #8  0x00005555558aec42 in CppCheckExecutor::check (this=this@entry=0x7fffffffdbe0, argc=argc@entry=3, argv=argv@entry=0x7fffffffdf98) at cli/cppcheckexecutor.cpp:251
    #9  0x0000555555601242 in main (argc=3, argv=0x7fffffffdf98) at cli/main.cpp:113
    (gdb) 
    

    Similarly, with sanitize=address:

    AddressSanitizer:DEADLYSIGNAL
    =================================================================
    ==13180==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000028 (pc 0x55a2ab76a827 bp 0x000000000000 sp 0x7fffdb1d08d0 T0)
    ==13180==The signal is caused by a READ memory access.
    ==13180==Hint: address points to the zero page.
        #0 0x55a2ab76a827 in Token::next() const lib/token.h:816
        #1 0x55a2ab76a827 in Token::tokAt(int) const lib/token.cpp:365
        #2 0x55a2ab65419c in isUnknownType lib/symboldatabase.cpp:2808
        #3 0x55a2ab65fbca in Function::returnsReference(Function const*, bool) lib/symboldatabase.cpp:2841
        #4 0x55a2ab98fced in valueFlowLifetimeFunction lib/valueflow.cpp:4058
        #5 0x55a2ab9bdd4c in valueFlowLifetime lib/valueflow.cpp:4582
        #6 0x55a2ab9c4aa3 in ValueFlow::setValues(TokenList*, SymbolDatabase*, ErrorLogger*, Settings const*) lib/valueflow.cpp:8481
        #7 0x55a2ab42da79 in CppCheck::check(std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&) lib/cppcheck.cpp:515
        #8 0x55a2aba6ec0b in CppCheckExecutor::check_internal(CppCheck&) cli/cppcheckexecutor.cpp:939
        #9 0x55a2aba7777b in CppCheckExecutor::check(int, char const* const*) cli/cppcheckexecutor.cpp:251
        #10 0x55a2aafe2953 in main cli/main.cpp:113
        #11 0x7f4901f89d8f in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58
        #12 0x7f4901f89e3f in __libc_start_main_impl ../csu/libc-start.c:392
        #13 0x55a2aafe3744 in _start (/home/ndm/cppcheck2_8_O2_g3_santize/bin/cppcheck+0x1fa744)
    
    AddressSanitizer can not provide additional info.
    SUMMARY: AddressSanitizer: SEGV lib/token.h:816 in Token::next() const
    ==13180==ABORTING
    
     

    Last edit: Neil Matthews 2022-07-06
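The backtraces above have the same shape in gdb and under AddressSanitizer: isUnknownType is entered with start=0x0, calls Token::tokAt(1) through that null pointer, and the first Token::next() reads the zero page. The following is an added example, not cppcheck's code and not from anyone in this thread: a hypothetical, deliberately small token list (the names Token, TokenList, isUnknownTypeUnguarded and isUnknownTypeGuarded are this example's own, and the "known type word" list is invented) that shows the unguarded walk beside the guard a fix would add. It is self-contained and compiles with an ordinary C++11 compiler.

```cpp
#include <cassert>
#include <cstddef>
#include <iostream>
#include <string>
#include <vector>

// Hypothetical minimal token list, not cppcheck's own Token class.
struct Token {
    std::string str;
    Token* mNext = nullptr;

    const Token* next() const { return mNext; }

    // Step `index` tokens forward, stopping early at the end of the list.
    // Invoked through a null `this` this is undefined behaviour: the first
    // next() reads mNext through the null pointer, which is the
    // "SEGV on unknown address ... address points to the zero page" shape
    // that ASan reports.
    const Token* tokAt(int index) const {
        const Token* tok = this;
        for (; index > 0 && tok; --index)
            tok = tok->next();
        return tok;
    }
};

// Owns a chain of tokens built from constructed words.
class TokenList {
public:
    explicit TokenList(const std::vector<std::string>& words) : storage_(words.size()) {
        for (std::size_t i = 0; i < words.size(); ++i) {
            storage_[i].str = words[i];
            if (i + 1 < words.size())
                storage_[i].mNext = &storage_[i + 1];
        }
    }
    // Copying would leave mNext pointing into the other object's storage.
    TokenList(const TokenList&) = delete;
    TokenList& operator=(const TokenList&) = delete;

    const Token* front() const { return storage_.empty() ? nullptr : &storage_.front(); }
    const Token* back() const { return storage_.empty() ? nullptr : &storage_.back(); }

private:
    std::vector<Token> storage_;
};

// Words this toy model treats as a "known" part of a return type (invented list).
static bool isKnownTypeWord(const std::string& s) {
    static const char* const known[] = {
        "const", "std", "::", "string", "int", "char", "bool", "void", "&", "*"};
    for (const char* k : known)
        if (s == k)
            return true;
    return false;
}

// `start` is the token just before the type, `end` the last type token.
// Unguarded: dereferences `start` unconditionally. With start == nullptr this
// is the crash shape from the backtrace (isUnknownType -> Token::tokAt(1) ->
// Token::next()).
bool isUnknownTypeUnguarded(const Token* start, const Token* end) {
    for (const Token* tok = start->tokAt(1); tok; tok = tok->next()) {
        if (!isKnownTypeWord(tok->str))
            return true;
        if (tok == end)
            break;
    }
    return false;
}

// Guarded: a missing start or end token means there is nothing to inspect,
// so answer "not unknown" instead of touching a null pointer. Which answer is
// the conservative one is the caller's decision; false is this example's choice.
bool isUnknownTypeGuarded(const Token* start, const Token* end) {
    if (!start || !end)
        return false;
    return isUnknownTypeUnguarded(start, end);
}

int main() {
    TokenList ref({"(", "const", "std", "::", "string", "&"});
    TokenList user({"(", "const", "MyType", "&"});
    std::cout << "std::string&: unknown=" << isUnknownTypeGuarded(ref.front(), ref.back()) << '\n';
    std::cout << "MyType&:      unknown=" << isUnknownTypeGuarded(user.front(), user.back()) << '\n';
    // The guarded entry point survives the input shape that crashed the analyser.
    std::cout << "start=null:   unknown=" << isUnknownTypeGuarded(nullptr, ref.back()) << '\n';
    return 0;
}
```

To see the sanitizer signature from the thread on this model, build it with `-fsanitize=address -g` and change the last call in main to isUnknownTypeUnguarded(nullptr, ref.back()): ASan reports a READ of a small address in the zero page (the offset of mNext inside Token) in Token::next, the same frame pair as in the report above. The point for a triage is that a null-`this` member call is undefined behaviour, so whether it crashes at all can legitimately change with -O0 versus -O2; the sanitizer build, not the optimisation level, is the reliable way to make it fail deterministically.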
  • Neil Matthews

    Neil Matthews - 2022-07-06

    I attach the output on Focal Fossa from clang -fsyntax-only -Xclang -ast-dump -fno-color-diagnostics -x c++ crash_cppcheck.cpp

     

    Last edit: Neil Matthews 2022-07-06
