
[creduce-bugs] Two C-reduce segfaults with recent git version



Hi,

I'm using commit 2597f8ee1d0a19383bbf193b2c37b45d78528e27 with
clang-5.0 from Ubuntu.

I've encountered a couple of crashes; the files seem small enough that
I can just include them verbatim:

$ cat current-8330.c
union {
} f() {
}

$ ~/creduce/clang_delta/clang_delta --transformation=union-to-struct --counter=1 current-8330.c
Segmentation fault

Second one:

$ cat current-19262.c
void g(int a) {
  return f(a, a);
}

void y();
void x();

struct {
  int x;
  int y;
} xxxxxxxxxxxxxxxxxxxxx = {
  .y = y,
  .x = x,
};

$ ~/creduce/clang_delta/clang_delta --transformation=remove-unused-field --counter=2 current-19262.c
Segmentation fault

Valgrind has a bit more info, attaching logs for both.

I minimised both examples by hand and ensured the valgrind errors
stayed the same; hope that is okay (otherwise I can resend with the
true originals).


Vegard
==3957== Memcheck, a memory error detector
==3957== Copyright (C) 2002-2015, and GNU GPL'd, by Julian Seward et al.
==3957== Using Valgrind-3.11.0 and LibVEX; rerun with -h for copyright info
==3957== Command: /home/vegard/gcc/creduce/clang_delta/clang_delta --transformation=union-to-struct --counter=1 current-8330.c
==3957== 
==3957== Invalid read of size 8
==3957==    at 0xCA8D1C: UnionToStruct::addOneDeclarator(clang::DeclaratorDecl const*, clang::Type const*) (UnionToStruct.cpp:415)
==3957==    by 0xCA8EA5: UnionToStructCollectionVisitor::VisitFunctionDecl(clang::FunctionDecl*) (UnionToStruct.cpp:70)
==3957==    by 0xCA9A4F: WalkUpFromFunctionDecl (DeclNodes.inc:389)
==3957==    by 0xCA9A4F: TraverseFunctionDecl (RecursiveASTVisitor.h:1961)
==3957==    by 0xCA9A4F: clang::RecursiveASTVisitor<UnionToStructCollectionVisitor>::TraverseDecl(clang::Decl*) (DeclNodes.inc:389)
==3957==    by 0xCA9CC6: UnionToStruct::HandleTopLevelDecl(clang::DeclGroupRef) (UnionToStruct.cpp:118)
==3957==    by 0xF50B05: clang::ParseAST(clang::Sema&, bool, bool) (in /home/vegard/gcc/creduce/clang_delta/clang_delta)
==3957==    by 0xCA3C62: TransformationManager::doTransformation(std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >&, int&) (TransformationManager.cpp:260)
==3957==    by 0x4E72B6: main (ClangDelta.cpp:228)
==3957==  Address 0x0 is not stack'd, malloc'd or (recently) free'd
==3957== 
==3957== 
==3957== Process terminating with default action of signal 11 (SIGSEGV)
==3957==  Access not within mapped region at address 0x0
==3957==    at 0xCA8D1C: UnionToStruct::addOneDeclarator(clang::DeclaratorDecl const*, clang::Type const*) (UnionToStruct.cpp:415)
==3957==    by 0xCA8EA5: UnionToStructCollectionVisitor::VisitFunctionDecl(clang::FunctionDecl*) (UnionToStruct.cpp:70)
==3957==    by 0xCA9A4F: WalkUpFromFunctionDecl (DeclNodes.inc:389)
==3957==    by 0xCA9A4F: TraverseFunctionDecl (RecursiveASTVisitor.h:1961)
==3957==    by 0xCA9A4F: clang::RecursiveASTVisitor<UnionToStructCollectionVisitor>::TraverseDecl(clang::Decl*) (DeclNodes.inc:389)
==3957==    by 0xCA9CC6: UnionToStruct::HandleTopLevelDecl(clang::DeclGroupRef) (UnionToStruct.cpp:118)
==3957==    by 0xF50B05: clang::ParseAST(clang::Sema&, bool, bool) (in /home/vegard/gcc/creduce/clang_delta/clang_delta)
==3957==    by 0xCA3C62: TransformationManager::doTransformation(std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >&, int&) (TransformationManager.cpp:260)
==3957==    by 0x4E72B6: main (ClangDelta.cpp:228)
==3957==  If you believe this happened as a result of a stack
==3957==  overflow in your program's main thread (unlikely but
==3957==  possible), you can try to increase the size of the
==3957==  main thread stack using the --main-stacksize= flag.
==3957==  The main thread stack size used in this run was 8388608.
==3957== 
==3957== HEAP SUMMARY:
==3957==     in use at exit: 916,219 bytes in 1,929 blocks
==3957==   total heap usage: 2,028 allocs, 99 frees, 1,183,977 bytes allocated
==3957== 
==3957== LEAK SUMMARY:
==3957==    definitely lost: 0 bytes in 0 blocks
==3957==    indirectly lost: 0 bytes in 0 blocks
==3957==      possibly lost: 0 bytes in 0 blocks
==3957==    still reachable: 916,219 bytes in 1,929 blocks
==3957==         suppressed: 0 bytes in 0 blocks
==3957== Rerun with --leak-check=full to see details of leaked memory
==3957== 
==3957== For counts of detected and suppressed errors, rerun with: -v
==3957== ERROR SUMMARY: 1 errors from 1 contexts (suppressed: 0 from 0)
==11760== Memcheck, a memory error detector
==11760== Copyright (C) 2002-2015, and GNU GPL'd, by Julian Seward et al.
==11760== Using Valgrind-3.11.0 and LibVEX; rerun with -h for copyright info
==11760== Command: /home/vegard/gcc/creduce/clang_delta/clang_delta --transformation=remove-unused-field --counter=2 current-19262.c
==11760== 
==11760== Invalid read of size 4
==11760==    at 0x14F5CDB: (anonymous namespace)::RopePieceBTreeNode::split(unsigned int) (in /home/vegard/gcc/creduce/clang_delta/clang_delta)
==11760==    by 0x14F61D8: clang::RopePieceBTree::erase(unsigned int, unsigned int) (in /home/vegard/gcc/creduce/clang_delta/clang_delta)
==11760==    by 0x14F6574: clang::RewriteBuffer::RemoveText(unsigned int, unsigned int, bool) (in /home/vegard/gcc/creduce/clang_delta/clang_delta)
==11760==    by 0x14F8273: clang::Rewriter::RemoveText(clang::SourceLocation, unsigned int, clang::Rewriter::RewriteOptions) (in /home/vegard/gcc/creduce/clang_delta/clang_delta)
==11760==    by 0xB09986: RemoveText (Rewriter.h:131)
==11760==    by 0xB09986: RewriteUtils::removeFieldDecl(clang::FieldDecl const*) (RewriteUtils.cpp:1498)
==11760==    by 0x903896: RemoveUnusedStructField::HandleTranslationUnit(clang::ASTContext&) (RemoveUnusedStructField.cpp:144)
==11760==    by 0xF50C77: clang::ParseAST(clang::Sema&, bool, bool) (in /home/vegard/gcc/creduce/clang_delta/clang_delta)
==11760==    by 0xCA3C62: TransformationManager::doTransformation(std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >&, int&) (TransformationManager.cpp:260)
==11760==    by 0x4E72B6: main (ClangDelta.cpp:228)
==11760==  Address 0xa069930 is 8 bytes after a block of size 280 alloc'd
==11760==    at 0x4C2E0EF: operator new(unsigned long) (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==11760==    by 0x14F5F9D: clang::RopePieceBTree::RopePieceBTree(clang::RopePieceBTree const&) (in /home/vegard/gcc/creduce/clang_delta/clang_delta)
==11760==    by 0x14F7BAB: clang::Rewriter::getEditBuffer(clang::FileID) (in /home/vegard/gcc/creduce/clang_delta/clang_delta)
==11760==    by 0x14F8263: clang::Rewriter::RemoveText(clang::SourceLocation, unsigned int, clang::Rewriter::RewriteOptions) (in /home/vegard/gcc/creduce/clang_delta/clang_delta)
==11760==    by 0x8E3553: RemoveText (Rewriter.h:131)
==11760==    by 0x8E3553: RemoveUnusedStructField::removeOneInitExpr(clang::Expr const*) (RemoveUnusedStructField.cpp:329)
==11760==    by 0x8E3D1F: RemoveUnusedStructField::handleOneVarDecl(clang::VarDecl const*) (RemoveUnusedStructField.cpp:213)
==11760==    by 0x8E3E63: RemoveUnusedStructFieldRewriteVisitor::VisitVarDecl(clang::VarDecl*) (RemoveUnusedStructField.cpp:115)
==11760==    by 0x8F4A08: WalkUpFromVarDecl (DeclNodes.inc:441)
==11760==    by 0x8F4A08: WalkUpFromOMPCapturedExprDecl (DeclNodes.inc:457)
==11760==    by 0x8F4A08: TraverseOMPCapturedExprDecl (RecursiveASTVisitor.h:1564)
==11760==    by 0x8F4A08: clang::RecursiveASTVisitor<RemoveUnusedStructFieldRewriteVisitor>::TraverseDecl(clang::Decl*) (DeclNodes.inc:457)
==11760==    by 0x8F5069: clang::RecursiveASTVisitor<RemoveUnusedStructFieldRewriteVisitor>::TraverseDeclContextHelper(clang::DeclContext*) (RecursiveASTVisitor.h:1350)
==11760==    by 0x8F4920: TraverseTranslationUnitDecl (RecursiveASTVisitor.h:1442)
==11760==    by 0x8F4920: clang::RecursiveASTVisitor<RemoveUnusedStructFieldRewriteVisitor>::TraverseDecl(clang::Decl*) (DeclNodes.inc:553)
==11760==    by 0x90388E: RemoveUnusedStructField::HandleTranslationUnit(clang::ASTContext&) (RemoveUnusedStructField.cpp:143)
==11760==    by 0xF50C77: clang::ParseAST(clang::Sema&, bool, bool) (in /home/vegard/gcc/creduce/clang_delta/clang_delta)
==11760== 
==11760== Invalid read of size 4
==11760==    at 0x14F5CDE: (anonymous namespace)::RopePieceBTreeNode::split(unsigned int) (in /home/vegard/gcc/creduce/clang_delta/clang_delta)
==11760==    by 0x14F61D8: clang::RopePieceBTree::erase(unsigned int, unsigned int) (in /home/vegard/gcc/creduce/clang_delta/clang_delta)
==11760==    by 0x14F6574: clang::RewriteBuffer::RemoveText(unsigned int, unsigned int, bool) (in /home/vegard/gcc/creduce/clang_delta/clang_delta)
==11760==    by 0x14F8273: clang::Rewriter::RemoveText(clang::SourceLocation, unsigned int, clang::Rewriter::RewriteOptions) (in /home/vegard/gcc/creduce/clang_delta/clang_delta)
==11760==    by 0xB09986: RemoveText (Rewriter.h:131)
==11760==    by 0xB09986: RewriteUtils::removeFieldDecl(clang::FieldDecl const*) (RewriteUtils.cpp:1498)
==11760==    by 0x903896: RemoveUnusedStructField::HandleTranslationUnit(clang::ASTContext&) (RemoveUnusedStructField.cpp:144)
==11760==    by 0xF50C77: clang::ParseAST(clang::Sema&, bool, bool) (in /home/vegard/gcc/creduce/clang_delta/clang_delta)
==11760==    by 0xCA3C62: TransformationManager::doTransformation(std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >&, int&) (TransformationManager.cpp:260)
==11760==    by 0x4E72B6: main (ClangDelta.cpp:228)
==11760==  Address 0xa069934 is 12 bytes after a block of size 280 alloc'd
==11760==    at 0x4C2E0EF: operator new(unsigned long) (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==11760==    by 0x14F5F9D: clang::RopePieceBTree::RopePieceBTree(clang::RopePieceBTree const&) (in /home/vegard/gcc/creduce/clang_delta/clang_delta)
==11760==    by 0x14F7BAB: clang::Rewriter::getEditBuffer(clang::FileID) (in /home/vegard/gcc/creduce/clang_delta/clang_delta)
==11760==    by 0x14F8263: clang::Rewriter::RemoveText(clang::SourceLocation, unsigned int, clang::Rewriter::RewriteOptions) (in /home/vegard/gcc/creduce/clang_delta/clang_delta)
==11760==    by 0x8E3553: RemoveText (Rewriter.h:131)
==11760==    by 0x8E3553: RemoveUnusedStructField::removeOneInitExpr(clang::Expr const*) (RemoveUnusedStructField.cpp:329)
==11760==    by 0x8E3D1F: RemoveUnusedStructField::handleOneVarDecl(clang::VarDecl const*) (RemoveUnusedStructField.cpp:213)
==11760==    by 0x8E3E63: RemoveUnusedStructFieldRewriteVisitor::VisitVarDecl(clang::VarDecl*) (RemoveUnusedStructField.cpp:115)
==11760==    by 0x8F4A08: WalkUpFromVarDecl (DeclNodes.inc:441)
==11760==    by 0x8F4A08: WalkUpFromOMPCapturedExprDecl (DeclNodes.inc:457)
==11760==    by 0x8F4A08: TraverseOMPCapturedExprDecl (RecursiveASTVisitor.h:1564)
==11760==    by 0x8F4A08: clang::RecursiveASTVisitor<RemoveUnusedStructFieldRewriteVisitor>::TraverseDecl(clang::Decl*) (DeclNodes.inc:457)
==11760==    by 0x8F5069: clang::RecursiveASTVisitor<RemoveUnusedStructFieldRewriteVisitor>::TraverseDeclContextHelper(clang::DeclContext*) (RecursiveASTVisitor.h:1350)
==11760==    by 0x8F4920: TraverseTranslationUnitDecl (RecursiveASTVisitor.h:1442)
==11760==    by 0x8F4920: clang::RecursiveASTVisitor<RemoveUnusedStructFieldRewriteVisitor>::TraverseDecl(clang::Decl*) (DeclNodes.inc:553)
==11760==    by 0x90388E: RemoveUnusedStructField::HandleTranslationUnit(clang::ASTContext&) (RemoveUnusedStructField.cpp:143)
==11760==    by 0xF50C77: clang::ParseAST(clang::Sema&, bool, bool) (in /home/vegard/gcc/creduce/clang_delta/clang_delta)
==11760== 
==11760== Conditional jump or move depends on uninitialised value(s)
==11760==    at 0x14F5CE3: (anonymous namespace)::RopePieceBTreeNode::split(unsigned int) (in /home/vegard/gcc/creduce/clang_delta/clang_delta)
==11760==    by 0x14F61D8: clang::RopePieceBTree::erase(unsigned int, unsigned int) (in /home/vegard/gcc/creduce/clang_delta/clang_delta)
==11760==    by 0x14F6574: clang::RewriteBuffer::RemoveText(unsigned int, unsigned int, bool) (in /home/vegard/gcc/creduce/clang_delta/clang_delta)
==11760==    by 0x14F8273: clang::Rewriter::RemoveText(clang::SourceLocation, unsigned int, clang::Rewriter::RewriteOptions) (in /home/vegard/gcc/creduce/clang_delta/clang_delta)
==11760==    by 0xB09986: RemoveText (Rewriter.h:131)
==11760==    by 0xB09986: RewriteUtils::removeFieldDecl(clang::FieldDecl const*) (RewriteUtils.cpp:1498)
==11760==    by 0x903896: RemoveUnusedStructField::HandleTranslationUnit(clang::ASTContext&) (RemoveUnusedStructField.cpp:144)
==11760==    by 0xF50C77: clang::ParseAST(clang::Sema&, bool, bool) (in /home/vegard/gcc/creduce/clang_delta/clang_delta)
==11760==    by 0xCA3C62: TransformationManager::doTransformation(std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >&, int&) (TransformationManager.cpp:260)
==11760==    by 0x4E72B6: main (ClangDelta.cpp:228)
==11760== 
==11760== 
==11760== Process terminating with default action of signal 11 (SIGSEGV)
==11760==  Access not within mapped region at address 0xA31F000
==11760==    at 0x14F5CDB: (anonymous namespace)::RopePieceBTreeNode::split(unsigned int) (in /home/vegard/gcc/creduce/clang_delta/clang_delta)
==11760==    by 0x14F61D8: clang::RopePieceBTree::erase(unsigned int, unsigned int) (in /home/vegard/gcc/creduce/clang_delta/clang_delta)
==11760==    by 0x14F6574: clang::RewriteBuffer::RemoveText(unsigned int, unsigned int, bool) (in /home/vegard/gcc/creduce/clang_delta/clang_delta)
==11760==    by 0x14F8273: clang::Rewriter::RemoveText(clang::SourceLocation, unsigned int, clang::Rewriter::RewriteOptions) (in /home/vegard/gcc/creduce/clang_delta/clang_delta)
==11760==    by 0xB09986: RemoveText (Rewriter.h:131)
==11760==    by 0xB09986: RewriteUtils::removeFieldDecl(clang::FieldDecl const*) (RewriteUtils.cpp:1498)
==11760==    by 0x903896: RemoveUnusedStructField::HandleTranslationUnit(clang::ASTContext&) (RemoveUnusedStructField.cpp:144)
==11760==    by 0xF50C77: clang::ParseAST(clang::Sema&, bool, bool) (in /home/vegard/gcc/creduce/clang_delta/clang_delta)
==11760==    by 0xCA3C62: TransformationManager::doTransformation(std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >&, int&) (TransformationManager.cpp:260)
==11760==    by 0x4E72B6: main (ClangDelta.cpp:228)
==11760==  If you believe this happened as a result of a stack
==11760==  overflow in your program's main thread (unlikely but
==11760==  possible), you can try to increase the size of the
==11760==  main thread stack using the --main-stacksize= flag.
==11760==  The main thread stack size used in this run was 8388608.
==11760== 
==11760== HEAP SUMMARY:
==11760==     in use at exit: 942,581 bytes in 1,938 blocks
==11760==   total heap usage: 2,051 allocs, 113 frees, 1,212,593 bytes allocated
==11760== 
==11760== LEAK SUMMARY:
==11760==    definitely lost: 0 bytes in 0 blocks
==11760==    indirectly lost: 0 bytes in 0 blocks
==11760==      possibly lost: 0 bytes in 0 blocks
==11760==    still reachable: 942,581 bytes in 1,938 blocks
==11760==         suppressed: 0 bytes in 0 blocks
==11760== Rerun with --leak-check=full to see details of leaked memory
==11760== 
==11760== For counts of detected and suppressed errors, rerun with: -v
==11760== Use --track-origins=yes to see where uninitialised values come from
==11760== ERROR SUMMARY: 532028 errors from 3 contexts (suppressed: 0 from 0)
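As an added example (not part of this report or of C-Reduce itself), a small Python triage parser for Memcheck output like the two logs above: it splits the log into error blocks, keeps only the faulting stack (not the allocation-site frames that follow an "Address ..." line), and classifies the first report as a null pointer dereference at UnionToStruct.cpp:415 and the second as a heap out-of-bounds read in RopePieceBTreeNode::split. The sample log is a constructed abbreviation of the attached logs; the class, regexes and category names are my own.

```python
import re
from dataclasses import dataclass, field
# Constructed sample: abbreviated lines from the two Memcheck logs attached above.
SAMPLE_LOG = """\
==3957== Invalid read of size 8
==3957==    at 0xCA8D1C: UnionToStruct::addOneDeclarator(clang::DeclaratorDecl const*, clang::Type const*) (UnionToStruct.cpp:415)
==3957==  Address 0x0 is not stack'd, malloc'd or (recently) free'd
==3957==
==11760== Invalid read of size 4
==11760==    at 0x14F5CDB: (anonymous namespace)::RopePieceBTreeNode::split(unsigned int) (in /home/vegard/gcc/creduce/clang_delta/clang_delta)
==11760==  Address 0xa069930 is 8 bytes after a block of size 280 alloc'd
==11760==    at 0x4C2E0EF: operator new(unsigned long) (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==11760==
==11760== Conditional jump or move depends on uninitialised value(s)
==11760==    at 0x14F5CE3: (anonymous namespace)::RopePieceBTreeNode::split(unsigned int) (in /home/vegard/gcc/creduce/clang_delta/clang_delta)
"""
PREFIX = re.compile(r"^==\d+==\s?")                                   # the "==pid== " column
FRAME = re.compile(r"^\s+(?:at|by) 0x[0-9A-Fa-f]+: (.+?) \((.+)\)$")  # "at 0x...: func (file:line)"
ADDR = re.compile(r"^\s+Address (0x[0-9A-Fa-f]+) is (.*)$")
HEADERS = ("Invalid read", "Invalid write", "Invalid free", "Conditional jump", "Use of uninitialised")
@dataclass
class MemcheckError:
    kind: str                                   # header line, e.g. "Invalid read of size 8"
    frames: list = field(default_factory=list)  # (function, location) of the faulting stack only
    address: int = -1                           # -1: Memcheck printed no "Address ..." line
    addr_desc: str = ""                         # Memcheck's description of that address

    def classify(self) -> str:
        if "uninitialised" in self.kind:
            return "uninitialised value"
        if 0 <= self.address < 0x1000:          # "Address 0x0 is not stack'd, malloc'd ..."
            return "null pointer dereference"
        if re.search(r"bytes (after|before) a block of size \d+ alloc'd", self.addr_desc):
            return "heap out-of-bounds access"  # "8 bytes after a block of size 280 alloc'd"
        return "unclassified: " + self.kind

def parse_memcheck(text: str) -> list:
    errors, cur, in_alloc = [], None, False
    for raw in text.splitlines() + [""]:        # trailing "" flushes the last block
        line = PREFIX.sub("", raw)
        if not line.strip():                    # a blank line ends the current error block
            if cur: errors.append(cur)
            cur, in_alloc = None, False
        elif cur is None:                       # banner, summaries, signal report: skip
            if line.startswith(HEADERS): cur = MemcheckError(kind=line)
        elif (m := ADDR.match(line)):           # frames after this line are the allocation site
            cur.address, cur.addr_desc, in_alloc = int(m.group(1), 16), m.group(2), True
        elif (m := FRAME.match(line)) and not in_alloc:
            cur.frames.append((m.group(1), m.group(2)))
    return errors
```

Run `parse_memcheck` over a full `--log-file=` output to get one classified record per error block, with the top frame ready for a bug tracker entry.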