Labels: clang:static analyzer, crash, generated by fuzzer
Reproducer:
https://godbolt.org/z/16Ed5K6cf
void foo (int x)
{
  [[assume (x == 42 ? true : throw 1)]];
}
Backtrace:
clang++: /root/llvm-project/llvm/tools/clang/lib/StaticAnalyzer/Core/SValBuilder.cpp:159: clang::ento::DefinedOrUnknownSVal clang::ento::SValBuilder::conjureSymbolVal(const void*, clang::ConstCFGElementRef, const clang::LocationContext*, unsigned int): Assertion `Ex && "elem must be a CFGStmt containing an Expr"' failed.
PLEASE submit a bug report to https://github.com/llvm/llvm-project/issues/ and include the crash backtrace, preprocessed source, and associated run script.
Stack dump:
0. Program arguments: /opt/compiler-explorer/clang-assertions-trunk/bin/clang++ -gdwarf-4 -g -o /app/output.s -mllvm --x86-asm-syntax=intel -fno-verbose-asm -S --gcc-toolchain=/opt/compiler-explorer/gcc-snapshot -fcolor-diagnostics -fno-crash-diagnostics --analyze <source>
1. <eof> parser at end of file
2. While analyzing stack:
#0 Calling foo(int)
3. <source>:3:3: Error evaluating statement
4. <source>:3:3: Error evaluating statement
5. <source>:3:13: Error evaluating statement
#0 0x0000000003ff1df8 llvm::sys::PrintStackTrace(llvm::raw_ostream&, int) (/opt/compiler-explorer/clang-assertions-trunk/bin/clang+++0x3ff1df8)
#1 0x0000000003fef224 llvm::sys::CleanupOnSignal(unsigned long) (/opt/compiler-explorer/clang-assertions-trunk/bin/clang+++0x3fef224)
#2 0x0000000003f33b68 CrashRecoverySignalHandler(int) CrashRecoveryContext.cpp:0:0
#3 0x000070504e642520 (/lib/x86_64-linux-gnu/libc.so.6+0x42520)
#4 0x000070504e6969fc pthread_kill (/lib/x86_64-linux-gnu/libc.so.6+0x969fc)
#5 0x000070504e642476 gsignal (/lib/x86_64-linux-gnu/libc.so.6+0x42476)
#6 0x000070504e6287f3 abort (/lib/x86_64-linux-gnu/libc.so.6+0x287f3)
#7 0x000070504e62871b (/lib/x86_64-linux-gnu/libc.so.6+0x2871b)
#8 0x000070504e639e96 (/lib/x86_64-linux-gnu/libc.so.6+0x39e96)
#9 0x000000000663dc82 clang::ento::SValBuilder::conjureSymbolVal(void const*, clang::CFGBlock::ElementRefImpl<true>, clang::LocationContext const*, unsigned int) (/opt/compiler-explorer/clang-assertions-trunk/bin/clang+++0x663dc82)
#10 0x000000000657dd30 clang::ento::ExprEngine::VisitGuardedExpr(clang::Expr const*, clang::Expr const*, clang::Expr const*, clang::ento::ExplodedNode*, clang::ento::ExplodedNodeSet&) (/opt/compiler-explorer/clang-assertions-trunk/bin/clang+++0x657dd30)
#11 0x0000000006565d01 clang::ento::ExprEngine::Visit(clang::Stmt const*, clang::ento::ExplodedNode*, clang::ento::ExplodedNodeSet&) (/opt/compiler-explorer/clang-assertions-trunk/bin/clang+++0x6565d01)
#12 0x000000000658363f clang::ento::ExprEngine::VisitAttributedStmt(clang::AttributedStmt const*, clang::ento::ExplodedNode*, clang::ento::ExplodedNodeSet&) (/opt/compiler-explorer/clang-assertions-trunk/bin/clang+++0x658363f)
#13 0x0000000006565a6b clang::ento::ExprEngine::Visit(clang::Stmt const*, clang::ento::ExplodedNode*, clang::ento::ExplodedNodeSet&) (/opt/compiler-explorer/clang-assertions-trunk/bin/clang+++0x6565a6b)
#14 0x0000000006567bbd clang::ento::ExprEngine::ProcessStmt(clang::Stmt const*, clang::ento::ExplodedNode*) (/opt/compiler-explorer/clang-assertions-trunk/bin/clang+++0x6567bbd)
#15 0x000000000651cb0a clang::ento::CoreEngine::HandleBlockEntrance(clang::BlockEntrance const&, clang::ento::ExplodedNode*) (/opt/compiler-explorer/clang-assertions-trunk/bin/clang+++0x651cb0a)
#16 0x000000000651d082 clang::ento::CoreEngine::dispatchWorkItem(clang::ento::ExplodedNode*, clang::ProgramPoint, clang::ento::WorkListUnit const&) (/opt/compiler-explorer/clang-assertions-trunk/bin/clang+++0x651d082)
#17 0x000000000651d411 clang::ento::CoreEngine::ExecuteWorkList(clang::LocationContext const*, unsigned int, llvm::IntrusiveRefCntPtr<clang::ento::ProgramState const>) (/opt/compiler-explorer/clang-assertions-trunk/bin/clang+++0x651d411)
#18 0x00000000060e5a27 (anonymous namespace)::AnalysisConsumer::HandleCode(clang::Decl*, unsigned int, clang::ento::ExprEngine::InliningModes, llvm::DenseSet<clang::Decl const*, llvm::DenseMapInfo<clang::Decl const*, void>>*) AnalysisConsumer.cpp:0:0
#19 0x00000000060e765e (anonymous namespace)::AnalysisConsumer::HandleDeclsCallGraph(unsigned int) AnalysisConsumer.cpp:0:0
#20 0x00000000060e9063 (anonymous namespace)::AnalysisConsumer::HandleTranslationUnit(clang::ASTContext&) AnalysisConsumer.cpp:0:0
#21 0x00000000066a27bc clang::ParseAST(clang::Sema&, bool, bool) (/opt/compiler-explorer/clang-assertions-trunk/bin/clang+++0x66a27bc)
#22 0x0000000004c8caf5 clang::FrontendAction::Execute() (/opt/compiler-explorer/clang-assertions-trunk/bin/clang+++0x4c8caf5)
#23 0x0000000004c08e2e clang::CompilerInstance::ExecuteAction(clang::FrontendAction&) (/opt/compiler-explorer/clang-assertions-trunk/bin/clang+++0x4c08e2e)
#24 0x0000000004d81611 clang::ExecuteCompilerInvocation(clang::CompilerInstance*) (/opt/compiler-explorer/clang-assertions-trunk/bin/clang+++0x4d81611)
#25 0x0000000000daeb8f cc1_main(llvm::ArrayRef<char const*>, char const*, void*) (/opt/compiler-explorer/clang-assertions-trunk/bin/clang+++0xdaeb8f)
#26 0x0000000000da583a ExecuteCC1Tool(llvm::SmallVectorImpl<char const*>&, llvm::ToolContext const&) driver.cpp:0:0
#27 0x00000000049ffff9 void llvm::function_ref<void ()>::callback_fn<clang::driver::CC1Command::Execute(llvm::ArrayRef<std::optional<llvm::StringRef>>, std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char>>*, bool*) const::'lambda'()>(long) Job.cpp:0:0
#28 0x0000000003f34004 llvm::CrashRecoveryContext::RunSafely(llvm::function_ref<void ()>) (/opt/compiler-explorer/clang-assertions-trunk/bin/clang+++0x3f34004)
#29 0x0000000004a0060f clang::driver::CC1Command::Execute(llvm::ArrayRef<std::optional<llvm::StringRef>>, std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char>>*, bool*) const (.part.0) Job.cpp:0:0
#30 0x00000000049c28ad clang::driver::Compilation::ExecuteCommand(clang::driver::Command const&, clang::driver::Command const*&, bool) const (/opt/compiler-explorer/clang-assertions-trunk/bin/clang+++0x49c28ad)
#31 0x00000000049c393e clang::driver::Compilation::ExecuteJobs(clang::driver::JobList const&, llvm::SmallVectorImpl<std::pair<int, clang::driver::Command const*>>&, bool) const (/opt/compiler-explorer/clang-assertions-trunk/bin/clang+++0x49c393e)
#32 0x00000000049cb385 clang::driver::Driver::ExecuteCompilation(clang::driver::Compilation&, llvm::SmallVectorImpl<std::pair<int, clang::driver::Command const*>>&) (/opt/compiler-explorer/clang-assertions-trunk/bin/clang+++0x49cb385)
#33 0x0000000000dab045 clang_main(int, char**, llvm::ToolContext const&) (/opt/compiler-explorer/clang-assertions-trunk/bin/clang+++0xdab045)
#34 0x0000000000c5f114 main (/opt/compiler-explorer/clang-assertions-trunk/bin/clang+++0xc5f114)
#35 0x000070504e629d90 (/lib/x86_64-linux-gnu/libc.so.6+0x29d90)
#36 0x000070504e629e40 __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x29e40)
#37 0x0000000000da52e5 _start (/opt/compiler-explorer/clang-assertions-trunk/bin/clang+++0xda52e5)
clang++: error: clang frontend command failed with exit code 134 (use -v to see invocation)
Compiler returned: 134