[ClangSA] APInt::getSExtValue() crash in SValBuilder::evalIntegralCast() with _BitInt of size > 128

[AdamMagierFOSS]

Observed on most recent main branch as of earlier today, commit 9ef7013.

Minimal Reproducer (test.c):

_BitInt(129) a;
_BitInt(128) b;
void c() { b = a; }

Command:

clang -cc1 -analyze -analyzer-checker=core test.c

Crash Output:

clang: /llvm-project/llvm/include/llvm/ADT/APInt.h:1519: int64_t llvm::APInt::getSExtValue() const: Assertion `getSignificantBits() <= 64 && "Too many bits for int64_t"' failed.
PLEASE submit a bug report to https://github.com/llvm/llvm-project/issues/ and include the crash backtrace, preprocessed source, and associated run script.
Stack dump:
0.	Program arguments: /llvm-project/build/bin/clang -cc1 -analyze -analyzer-checker=core test.c
1.	<eof> parser at end of file
2.	While analyzing stack: 
	#0 Calling c
3.	test.c:3:16: Error evaluating statement
4.	test.c:3:16: Error evaluating statement
 #0 0x0000000004406f2e llvm::sys::PrintStackTrace(llvm::raw_ostream&, int) /llvm-project/llvm/lib/Support/Unix/Signals.inc:602:22
 #1 0x0000000004407328 PrintStackTraceSignalHandler(void*) /llvm-project/llvm/lib/Support/Unix/Signals.inc:676:1
 #2 0x0000000004404cfd llvm::sys::RunSignalHandlers() /llvm-project/llvm/lib/Support/Signals.cpp:104:20
 #3 0x000000000440695d SignalHandler(int) /llvm-project/llvm/lib/Support/Unix/Signals.inc:413:1
 #4 0x00007fbe9677b630 __restore_rt sigaction.c:0:0
 #5 0x00007fbe95662387 raise (/lib64/libc.so.6+0x36387)
 #6 0x00007fbe95663a78 abort (/lib64/libc.so.6+0x37a78)
 #7 0x00007fbe9565b1a6 __assert_fail_base (/lib64/libc.so.6+0x2f1a6)
 #8 0x00007fbe9565b252 (/lib64/libc.so.6+0x2f252)
 #9 0x0000000000d9d235 llvm::APInt::getSExtValue() const /llvm-project/llvm/include/llvm/ADT/APInt.h:1520:22
#10 0x0000000007b201e6 clang::ento::SValBuilder::evalIntegralCast(llvm::IntrusiveRefCntPtr<clang::ento::ProgramState const>, clang::ento::SVal, clang::QualType, clang::QualType) /llvm-project/clang/lib/StaticAnalyzer/Core/SValBuilder.cpp:603:17
#11 0x0000000007a5535d clang::ento::ExprEngine::VisitCast(clang::CastExpr const*, clang::Expr const*, clang::ento::ExplodedNode*, clang::ento::ExplodedNodeSet&) /llvm-project/clang/lib/StaticAnalyzer/Core/ExprEngineC.cpp:423:43
#12 0x0000000007a24999 clang::ento::ExprEngine::Visit(clang::Stmt const*, clang::ento::ExplodedNode*, clang::ento::ExplodedNodeSet&) /llvm-project/clang/lib/StaticAnalyzer/Core/ExprEngine.cpp:2253:24
#13 0x0000000007a1ebef clang::ento::ExprEngine::ProcessStmt(clang::Stmt const*, clang::ento::ExplodedNode*) /llvm-project/clang/lib/StaticAnalyzer/Core/ExprEngine.cpp:1126:15
#14 0x0000000007a1df0c clang::ento::ExprEngine::processCFGElement(clang::CFGElement, clang::ento::ExplodedNode*, unsigned int, clang::ento::NodeBuilderContext*) /llvm-project/clang/lib/StaticAnalyzer/Core/ExprEngine.cpp:972:7
#15 0x00000000079ee9a6 clang::ento::CoreEngine::HandlePostStmt(clang::CFGBlock const*, unsigned int, clang::ento::ExplodedNode*) /llvm-project/clang/lib/StaticAnalyzer/Core/CoreEngine.cpp:498:1
#16 0x00000000079ed615 clang::ento::CoreEngine::dispatchWorkItem(clang::ento::ExplodedNode*, clang::ProgramPoint, clang::ento::WorkListUnit const&) /llvm-project/clang/lib/StaticAnalyzer/Core/CoreEngine.cpp:221:7
#17 0x00000000079ecd8b clang::ento::CoreEngine::ExecuteWorkList(clang::LocationContext const*, unsigned int, llvm::IntrusiveRefCntPtr<clang::ento::ProgramState const>)::'lambda'(unsigned int)::operator()(unsigned int) const /llvm-project/clang/lib/StaticAnalyzer/Core/CoreEngine.cpp:159:23
#18 0x00000000079ed162 clang::ento::CoreEngine::ExecuteWorkList(clang::LocationContext const*, unsigned int, llvm::IntrusiveRefCntPtr<clang::ento::ProgramState const>) /llvm-project/clang/lib/StaticAnalyzer/Core/CoreEngine.cpp:163:41
#19 0x00000000070b18ab clang::ento::ExprEngine::ExecuteWorkList(clang::LocationContext const*, unsigned int) /llvm-project/clang/include/clang/StaticAnalyzer/Core/PathSensitive/ExprEngine.h:190:34
#20 0x0000000007047341 (anonymous namespace)::AnalysisConsumer::RunPathSensitiveChecks(clang::Decl*, clang::ento::ExprEngine::InliningModes, llvm::DenseSet<clang::Decl const*, llvm::DenseMapInfo<clang::Decl const*, void>>*) /llvm-project/clang/lib/StaticAnalyzer/Frontend/AnalysisConsumer.cpp:729:7
#21 0x00000000070470e9 (anonymous namespace)::AnalysisConsumer::HandleCode(clang::Decl*, unsigned int, clang::ento::ExprEngine::InliningModes, llvm::DenseSet<clang::Decl const*, llvm::DenseMapInfo<clang::Decl const*, void>>*) /llvm-project/clang/lib/StaticAnalyzer/Frontend/AnalysisConsumer.cpp:698:5
#22 0x00000000070461d3 (anonymous namespace)::AnalysisConsumer::HandleDeclsCallGraph(unsigned int) /llvm-project/clang/lib/StaticAnalyzer/Frontend/AnalysisConsumer.cpp:490:31
#23 0x00000000070466ec (anonymous namespace)::AnalysisConsumer::runAnalysisOnTranslationUnit(clang::ASTContext&) /llvm-project/clang/lib/StaticAnalyzer/Frontend/AnalysisConsumer.cpp:560:48
#24 0x0000000007046a9b (anonymous namespace)::AnalysisConsumer::HandleTranslationUnit(clang::ASTContext&) /llvm-project/clang/lib/StaticAnalyzer/Frontend/AnalysisConsumer.cpp:615:74
#25 0x0000000007bca2cb clang::ParseAST(clang::Sema&, bool, bool) /llvm-project/clang/lib/Parse/ParseAST.cpp:182:14
#26 0x000000000529dd23 clang::ASTFrontendAction::ExecuteAction() /llvm-project/clang/lib/Frontend/FrontendAction.cpp:1168:11
#27 0x000000000529d679 clang::FrontendAction::Execute() /llvm-project/clang/lib/Frontend/FrontendAction.cpp:1062:38
#28 0x00000000051d378c clang::CompilerInstance::ExecuteAction(clang::FrontendAction&) /llvm-project/clang/lib/Frontend/CompilerInstance.cpp:1048:42
#29 0x000000000542cb22 clang::ExecuteCompilerInvocation(clang::CompilerInstance*) /llvm-project/clang/lib/FrontendTool/ExecuteCompilerInvocation.cpp:264:38
#30 0x0000000000d409ab cc1_main(llvm::ArrayRef<char const*>, char const*, void*) /llvm-project/clang/tools/driver/cc1_main.cpp:251:40
#31 0x0000000000d2dcd7 ExecuteCC1Tool(llvm::SmallVectorImpl<char const*>&, llvm::ToolContext const&) /llvm-project/clang/tools/driver/driver.cpp:366:20
#32 0x0000000000d2e1eb clang_main(int, char**, llvm::ToolContext const&) /llvm-project/clang/tools/driver/driver.cpp:407:26
#33 0x0000000000d63468 main /llvm-project/build/tools/clang/tools/driver/clang-driver.cpp:15:58
#34 0x00007fbe9564e555 __libc_start_main (/lib64/libc.so.6+0x22555)
#35 0x0000000000d2c2a9 _start (/llvm-project/build/bin/clang+0xd2c2a9)
Aborted (core dumped)

The same crash occurs when using unsigned _BitInt, but the assert fires on getZExtValue() instead of getSExtValue().

[llvmbot]

@llvm/issue-subscribers-clang-static-analyzer

[steakhal]

@vabridgers Could you please link the PR here?
I'm still quite new to GH workflow and I couldn't see the review.
I might need to work on how I subscribe to such notifications.

[steakhal]

Ah, now I see. It wasn't even on llvm/llvm-project; It was on your fork.
It's soo annoying to see that a commit/PR to a fork can auto-close an issue in the parent repo.
WDYT?

[vabridgers]

Hi @steakhal! I agree, my first time using this new workflow. I'm probably making mistakes, but only way to learn :) haha!

Here are links to three pull requests I created related to _BitInt impact on tidy and csa.

#65887 - for this github issue created by @AdamMagierFOSS

#65888 - a tidy issue, for now, just proposing we skip the in magic numbers for _BitInt()

#65889 - a tidy issue - BitIntType has no getKind() issue, so this exposed a crash in VisitIntegerLiteral. The "fix" is to detect a _BitInt() and use an ID derived from the _BitInt() value.