Debugging Clang Static Analyzer segfault (clang 3.2)

I have debugged the clang 3.2 static analyzer using the following steps; someone might know a better approach. These are the steps I have used for a C++ checker.

  1. built with CC=gcc & CXX=g++; it might work with CC=clang and CXX=clang++ also, I think

  2. used the following command from inside gdb; I remember getting these args using either the -v or the -### option

r "/home/camel/osa/bin/clang++" "-cc1" "-analyze" "-analyzer-checker" "Mychecker" "-internal-isystem" "/usr/lib/gcc/i686-linux-gnu/4.5/…/…/…/…/include/c++/4.5" "-internal-isystem" "/usr/lib/gcc/i686-linux-gnu/4.5/…/…/…/…/include/c++/4.5/i686-linux-gnu" "-internal-isystem" "/usr/lib/gcc/i686-linux-gnu/4.5/…/…/…/…/include/c++/4.5/backward" "-internal-isystem" "/usr/local/include" "-internal-isystem" "/usr/local/bin/…/lib/clang/3.1/include" "-internal-isystem" "/usr/lib/gcc/i686-linux-gnu/4.5/…/…/…/gcc/i686-linux-gnu/4.5/include" "-internal-isystem" "/usr/lib/gcc/i686-linux-gnu/4.5/…/…/…/gcc/i686-linux-gnu/4.5/include-fixed" "-internal-externc-isystem" "/include" "-internal-externc-isystem" "/usr/include" testfile.cpp

The backtrace in gdb always showed the segfault for me in case of checker segfaults.


Senthil Kumar

I wrote a custom checker based on SimpleStreamChecker for the Clang Static Analyzer. I’m using clang version 3.2.

Upon running /…/llvm-3.2/build/bin/clang++ testfile.cpp -std=c++11 -Xclang -analyze -Xclang -analyzer-checker=mychecker, I get the following:

0 clang-3.2 0x0000000001b8a52c
1 clang-3.2 0x0000000001b8a21c
2 0x00007f577ad715d0
3 clang-3.2 0x000000000291903c
4 clang-3.2 0x00000000029193f1
5 clang-3.2 0x000000000291ada1
6 clang-3.2 0x000000000298b9dc
7 clang-3.2 0x0000000002987223
8 clang-3.2 0x00000000029894b9
9 clang-3.2 0x00000000029872dd clang::ento::CheckerManager::runCheckersForCallEvent(bool, clang::ento::ExplodedNodeSet&, clang::ento::ExplodedNodeSet const&, clang::ento::CallEvent const&, clang::ento::ExprEngine&, bool) + 159
10 clang-3.2 0x00000000029c8736
11 clang-3.2 0x00000000029cb0db clang::ento::ExprEngine::evalCall(clang::ento::ExplodedNodeSet&, clang::ento::ExplodedNode*, clang::ento::CallEvent const&) + 127
12 clang-3.2 0x00000000029cafbd clang::ento::ExprEngine::VisitCallExpr(clang::CallExpr const*, clang::ento::ExplodedNode*, clang::ento::ExplodedNodeSet&) + 397
13 clang-3.2 0x00000000029b1163 clang::ento::ExprEngine::Visit(clang::Stmt const*, clang::ento::ExplodedNode*, clang::ento::ExplodedNodeSet&) + 3785
14 clang-3.2 0x00000000029af477 clang::ento::ExprEngine::ProcessStmt(clang::CFGStmt, clang::ento::ExplodedNode*) + 523
15 clang-3.2 0x00000000029ae9b7 clang::ento::ExprEngine::processCFGElement(clang::CFGElement, clang::ento::ExplodedNode*, unsigned int, clang::ento::NodeBuilderContext*) + 205
16 clang-3.2 0x000000000299d85c clang::ento::CoreEngine::HandlePostStmt(clang::CFGBlock const*, unsigned int, clang::ento::ExplodedNode*) + 282
17 clang-3.2 0x000000000299cb40 clang::ento::CoreEngine::dispatchWorkItem(clang::ento::ExplodedNode*, clang::ProgramPoint, clang::ento::WorkListUnit const&) + 630
18 clang-3.2 0x000000000299c838 clang::ento::CoreEngine::ExecuteWorkList(clang::LocationContext const*, unsigned int, llvm::IntrusiveRefCntPtr<clang::ento::ProgramState const>) + 918
19 clang-3.2 0x00000000027fa752
20 clang-3.2 0x00000000027d9bd1
21 clang-3.2 0x00000000027d9ce2
22 clang-3.2 0x00000000027d99c9
23 clang-3.2 0x00000000027d8f9a
24 clang-3.2 0x00000000027d92b7
25 clang-3.2 0x0000000001f08c21 clang::ParseAST(clang::Sema&, bool, bool) + 786
26 clang-3.2 0x0000000001e2427c clang::ASTFrontendAction::ExecuteAction() + 298
27 clang-3.2 0x0000000001e23e97 clang::FrontendAction::Execute() + 197
28 clang-3.2 0x0000000001e00bbb clang::CompilerInstance::ExecuteAction(clang::FrontendAction&) + 717
29 clang-3.2 0x0000000001b8f09d clang::ExecuteCompilerInvocation(clang::CompilerInstance*) + 1054
30 clang-3.2 0x0000000000d0138c cc1_main(char const**, char const**, char const*, void*) + 678
31 clang-3.2 0x0000000000cfb1d3 main + 508
32 0x00007f577a2a9bc6 __libc_start_main + 230
33 clang-3.2 0x0000000000cf9879
Stack dump:
0. Program arguments: /home/ekozgbo/work/dev/llvm-3.2/build/bin/clang-3.2 -cc1 -triple x86_64-unknown-linux-gnu -emit-obj -mrelax-all -disable-free -main-file-name t2.cpp -mrelocation-model static -mdisable-fp-elim -fmath-errno -masm-verbose -mconstructor-aliases -munwind-tables -target-cpu x86-64 -momit-leaf-frame-pointer -resource-dir /home/ekozgbo/work/dev/llvm-3.2/build/bin/…/lib/clang/3.2 -fmodule-cache-path /var/tmp/clang-module-cache -internal-isystem /usr/lib64/gcc/x86_64-suse-linux/4.3/…/…/…/…/include/c++/4.3 -internal-isystem /usr/lib64/gcc/x86_64-suse-linux/4.3/…/…/…/…/include/c++/4.3/x86_64-suse-linux -internal-isystem /usr/lib64/gcc/x86_64-suse-linux/4.3/…/…/…/…/include/c++/4.3/backward -internal-isystem /usr/local/include -internal-isystem /home/ekozgbo/work/dev/llvm-3.2/build/bin/…/lib/clang/3.2/include -internal-externc-isystem /include -internal-externc-isystem /usr/include -std=c++11 -fdeprecated-macro -fdebug-compilation-dir /home/ekozgbo/work/dev/test -ferror-limit 19 -fmessage-length 237 -mstackrealign -fobjc-runtime=gcc -fcxx-exceptions -fexceptions -fdiagnostics-show-option -fcolor-diagnostics -analyze -analyzer-checker=mychecker -o /tmp/t2-lNeYsr.o -x c++ testfile.cpp

  1. parser at end of file
  2. testfile.cpp:32:2: Error evaluating statement
  3. testfile.cpp:32:2: Error evaluating statement
    clang-3: error: unable to execute command: Segmentation fault
    clang-3: error: clang frontend command failed due to signal (use -v to see invocation)
    clang version 3.2 (tags/RELEASE_32/final 180012)
    Target: x86_64-unknown-linux-gnu
    Thread model: posix
    clang-3: note: diagnostic msg: PLEASE submit a bug report to and include the crash backtrace, preprocessed source, and associated run script.
    clang-3: error: unable to execute command: Segmentation fault
    clang-3: note: diagnostic msg: Error generating preprocessed source(s).

I’m fairly certain the issue is in my checker code, but I have no idea how to debug it. Clang seems to handle the segfault on its own, so I can’t really do much with gdb.
So how can I debug this issue? (Apart from the llvm::errs() or std::cout solution.)

The only changes I made to clang 3.2 are that I compile it with C++11 and, of course, that I added two custom checkers. Oh, and I’m also linking the static analyzer with libASTMatchers. So far I haven’t had any issues, although the previous checker was much simpler.

Any help would be greatly appreciated.



Hi, Gabor. Yes, Senthil has the right idea here—the trick is that the clang executable is divided into two parts: the “driver” and the compiler proper (sometimes known as “cc1”). The driver’s in charge of invoking all the separate steps involved in a compilation command (compile, assemble, compile, assemble, link), whereas “cc1” just does Clang’s own work for compiling a single file.

As Senthil said, you can get the driver to spit out a cc1 invocation line by appending -### to your usual run command. You can then use this output line (which will start with “path/to/clang” and then “-cc1”) to launch the cc1-clang in your debugger and catch the assertions.

It’s a good question. I’ll try to make sure this ends up in the Checker Developer Manual once Sam has finished revising it.
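
The driver/cc1 split that Senthil and Jordan describe, as an added example that is not part of this thread: a small POSIX shell helper that pulls the cc1 line out of -### output (or out of the "Program arguments:" line of a crash dump like the one above) and turns it into a gdb --args command, so the debugger attaches to the process that actually runs the checker. The install path, the checker name and both sample outputs are constructed for the example.

```shell
#!/bin/sh
# Added example (not from the thread): pull the cc1 invocation out of either
# `clang++ -### ...` output or the "Program arguments:" line of a clang crash
# dump, and wrap it in `gdb --args` so the compiler proper, not the driver,
# runs under the debugger.

# Read driver/crash-dump text on stdin and print the cc1 command on one line.
# -### prints every sub-process as a line of double-quoted arguments, so the
# compile step is the line whose second argument is "-cc1"; a crash dump
# prints the same invocation unquoted after "Program arguments:".
extract_cc1_cmd() {
    awk '
        /^[ \t]*"[^"]*" "-cc1"/ { sub(/^[ \t]+/, ""); print; exit }
        /Program arguments:/    { sub(/.*Program arguments:[ \t]*/, ""); print; exit }
    '
}

# Prefix the invocation with "gdb --args".  Quotes from the -### form are kept
# so the result can be passed to eval with paths containing spaces intact.
# Returns 1 (with a message on stderr) when no cc1 line is present.
gdb_command_for() {
    cc1=$(extract_cc1_cmd)
    if [ -z "$cc1" ]; then
        echo "no -cc1 invocation found in input" >&2
        return 1
    fi
    printf 'gdb --args %s\n' "$cc1"
}

# Constructed sample of what `clang++ -### testfile.cpp ...` writes to stderr
# (a real run lists many more -internal-isystem arguments).
SAMPLE_DRIVER_OUTPUT='clang version 3.2 (tags/RELEASE_32/final 180012)
Target: x86_64-unknown-linux-gnu
Thread model: posix
 "/opt/llvm-3.2/bin/clang-3.2" "-cc1" "-triple" "x86_64-unknown-linux-gnu" "-analyze" "-analyzer-checker=mychecker" "-std=c++11" "-x" "c++" "testfile.cpp"'

# Constructed sample of the stack-dump header printed when a checker crashes.
SAMPLE_CRASH_DUMP='Stack dump:
0.  Program arguments: /opt/llvm-3.2/bin/clang-3.2 -cc1 -triple x86_64-unknown-linux-gnu -analyze -analyzer-checker=mychecker -std=c++11 -x c++ testfile.cpp
1.  parser at end of file'

# Typical use against a real tree (clang++ and gdb assumed on PATH):
#   eval "$(clang++ testfile.cpp -std=c++11 -Xclang -analyze \
#            -Xclang -analyzer-checker=mychecker -### 2>&1 | gdb_command_for)"
# then `run` inside gdb; the SIGSEGV backtrace now shows the checker frames.
```

The helper deliberately does not run the driver under gdb: the driver forks cc1 as a child, which is why a plain gdb session on clang++ never stops at the checker's fault.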



Thank you both!

It works as expected now (i.e. it crashes with segfault but at least I can debug it).