segmentation fault while building dominator tree in clang

Hello,

This is my first post in this list. I am building an analysis tool in ClangTool. I am getting a segmentation fault while building a dominator tree in clang. The sample code that I am using to build the dominator tree is the following:

```cpp
const Decl *D = static_cast<Decl *>(f); // FunctionDecl *f

AnalysisDeclContextManager *analDeclCtxMgr = new AnalysisDeclContextManager(context);

if (AnalysisDeclContext *analDeclCtx = analDeclCtxMgr->getContext(D)) {
  DominatorTree domTree;
  domTree.buildDominatorTree(*analDeclCtx);
}
```

The input function for my tool is the following code from perlbench (CPU 2017):

```c
static bool
S_adjust_index(pTHX_ AV *av, const MAGIC *mg, SSize_t *keyp)
{
    bool adjust_index = 1;
    if (mg) {
        /* Handle negative array indices 20020222 MJD */
        SV * const ref = SvTIED_obj(MUTABLE_SV(av), mg);
        SvGETMAGIC(ref);
        if (SvROK(ref) && SvOBJECT(SvRV(ref))) {
            SV * const * const negative_indices_glob =
                hv_fetchs(SvSTASH(SvRV(ref)), NEGATIVE_INDICES_VAR, 0);
            if (negative_indices_glob && isGV(*negative_indices_glob)
             && SvTRUE(GvSV(*negative_indices_glob)))
                adjust_index = 0;
        }
    }
    if (adjust_index) {
        *keyp += AvFILL(av) + 1;
        if (*keyp < 0)
            return FALSE;
    }
    return TRUE;
}
```

Would you please let me know where the problem is?

Thanks,

Masud

Hi!

I recently fiddled around with this part of the code as well when trying to implement an improvement for my checker in the StaticAnalyzer. For the following invocation:

clang -cc1 -analyze -analyzer-checker=debug.DumpDominators (clang repository)test/Analysis/cxx-uninitialized-object-unguarded-access.cpp

I received a segfault. I eventually figured out that Clang’s CFG contains null pointers, and the following patch to LLVM fixed the issue:

diff --git a/include/llvm/Support/GenericDomTreeConstruction.h b/include/llvm/Support/GenericDomTreeConstruction.h
index ccceba88171…a4a238c310b 100644
— a/include/llvm/Support/GenericDomTreeConstruction.h
+++ b/include/llvm/Support/GenericDomTreeConstruction.h
@@ -235,6 +235,9 @@ struct SemiNCAInfo {
constexpr bool Direction = IsReverse != IsPostDom; // XOR.
for (const NodePtr Succ :
ChildrenGetter::Get(BB, BatchUpdates)) {

  • if (!Succ)
  • continue;
    const auto SIT = NodeToInfo.find(Succ);
    // Don’t visit nodes more than once but remember to collect
    // ReverseChildren.
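Review bot: the `if (!Succ) continue;` added inside the loop over `ChildrenGetter::Get(BB, BatchUpdates)` silently drops the edge instead of reporting a violated precondition; the generic construction expects the children getter to return valid nodes, so a null here means the graph adapter on the Clang side is feeding bad edges, and a dominator tree built with those edges skipped may be wrong without anyone noticing. Prefer filtering the nullable successors where the Clang CFG is adapted for DomTree, and keep something like `assert(Succ && "null successor from ChildrenGetter");` in this loop so debug builds still surface the bad CFG rather than segfaulting or quietly continuing.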

However, I’m not sure whether the CFG is supposed to have null pointers – logically, maybe this isn’t where we should fix this issue. An assert wouldn’t hurt though.

Good luck!
Kristóf

> However, I’m not sure whether the CFG is supposed to have null pointers – logically, maybe this isn’t where we should fix this issue

DomTree requires llvm::children and llvm::inverse_children to return valid node pointers.

A proper fix would be not to return nulls from llvm::children. I’m not familiar with the Clang CFG – why do nullptrs appear there in the first place?

Best,
Kuba

> > However, I’m not sure whether the CFG is supposed to have null pointers – logically, maybe this isn’t where we should fix this issue
>
> DomTree requires llvm::children and llvm::inverse_children to return valid node pointers.
>
> A proper fix would be not to return nulls from llvm::children. I’m not familiar with the Clang CFG – why do nullptrs appear there in the first place?

Maybe I’m just wrong, I didn’t investigate that much :)
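The invariant Kuba states above, that the dominator builder's child getter must never yield a null node, as an added example that is not part of this thread and uses no Clang or LLVM code: a stand-alone mock CFG (`Block` and the sample graph are constructed here) run through the Cooper/Harvey/Kennedy iterative dominator algorithm, where a null successor is rejected explicitly up front rather than skipped the way the patch above does.

```cpp
#include <algorithm>
#include <functional>
#include <map>
#include <stdexcept>
#include <string>
#include <vector>
// Mock CFG block: a successor may be nullptr, as the thread reports for Clang's CFG.
struct Block { std::string name; std::vector<Block*> succs; };
// Cooper/Harvey/Kennedy iterative dominators: block name -> immediate dominator name
// (entry maps to itself, unreachable blocks are absent). Valid child pointers, the
// precondition the generic DomTree builder relies on, are checked instead of skipped.
std::map<std::string, std::string> idoms(const std::vector<Block*>& cfg, Block* entry) {
  std::vector<Block*> order;                      // reverse post-order
  std::map<Block*, int> rpo; std::map<Block*, bool> seen;
  std::function<void(Block*)> dfs = [&](Block* b) {
    if (seen[b]) return;
    seen[b] = true;
    for (Block* s : b->succs) {                   // the successor walk the hunk patches
      if (!s) throw std::invalid_argument("null successor in block " + b->name);
      dfs(s);
    }
    order.push_back(b);
  };
  dfs(entry);
  std::reverse(order.begin(), order.end());
  for (size_t i = 0; i < order.size(); ++i) rpo[order[i]] = int(i);
  std::map<Block*, Block*> idom{{entry, entry}};
  auto intersect = [&](Block* a, Block* b) {      // climb to the common dominator
    while (a != b) { while (rpo[a] > rpo[b]) a = idom[a]; while (rpo[b] > rpo[a]) b = idom[b]; }
    return a;
  };
  for (bool changed = true; changed;) {
    changed = false;
    for (Block* b : order) { if (b == entry) continue;
      Block* nd = nullptr;                        // meet over predecessors that have an idom
      for (Block* p : cfg)
        if (idom.count(p) && std::count(p->succs.begin(), p->succs.end(), b))
          nd = nd ? intersect(p, nd) : p;
      if (nd && idom[b] != nd) { idom[b] = nd; changed = true; }
    }
  }
  std::map<std::string, std::string> out;
  for (auto& kv : idom) out[kv.first->name] = kv.second->name;
  return out;
}
// Constructed sample: A -> B, C; B -> D; C -> D; D -> E, B (loop). Expect B, C, D -> A and E -> D.
std::map<std::string, std::string> sampleIdoms() {
  static Block A{"A", {}}, B{"B", {}}, C{"C", {}}, D{"D", {}}, E{"E", {}};
  A.succs = {&B, &C}; B.succs = {&D}; C.succs = {&D}; D.succs = {&E, &B};
  return idoms({&A, &B, &C, &D, &E}, &A);
}
```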