[analyzer] Crash on using non-type template arguments

[steakhal]

clang 18.1.0 crashes on the following code snippet, while clang-17 does not.
https://godbolt.org/z/h3sME4Gdz

This is a nullpointer dereference.

constexpr char abc[] = "abc";
void use(const char *fmt);

template <const char* in>
void use_template_param() {
  const char *p = in;
}
void force_instantiate() {
  use_template_param<abc>();
}

Stack trace:

#0  clang::Stmt::getStmtClass (this=0x0) at clang/include/clang/AST/Stmt.h:1357
#1  ignoreTransparentExprs (E=0x0) at Core/Environment.cpp:41
#2  ignoreTransparentExprs (E=0x0) at Core/Environment.cpp:62
#3  ignoreTransparentExprs (E=0x7f2d5418c080) at Core/Environment.cpp:62
#4  ignoreTransparentExprs (E=0x7f2d5418c098) at Core/Environment.cpp:62
#5  ignoreTransparentExprs (S=0x7f2d5418c0f8) at Core/Environment.cpp:67
#6  clang::ento::EnvironmentEntry::EnvironmentEntry () at Core/Environment.cpp:73
#7  clang::ento::ProgramState::getSVal () at Core/PathSensitive/ProgramState.h:807
#8  0x00007f2d68e76926 in clang::ento::ExprEngine::VisitCast () at Core/ExprEngineC.cpp:337
#9  0x00007f2d68e38cdc in clang::ento::ExprEngine::Visit () at Core/ExprEngine.cpp:2280
#10 0x00007f2d68e35039 in clang::ento::ExprEngine::ProcessStmt () at Core/ExprEngine.cpp:1134
#11 0x00007f2d68e34ccd in clang::ento::ExprEngine::processCFGElement () at Core/ExprEngine.cpp:976
#12 0x00007f2d68dfb5ff in clang::ento::CoreEngine::HandlePostStmt () at Core/CoreEngine.cpp:499
#13 0x00007f2d68dfad62 in clang::ento::CoreEngine::dispatchWorkItem () at Core/CoreEngine.cpp:220

In the AST, we have this segment for the const char *p = in; variable declaration:

`-VarDecl <col:3, col:19> col:15 p 'const char *' cinit
  `-SubstNonTypeTemplateParmExpr <col:19> 'const char *'
    |-NonTypeTemplateParmDecl <line:4:11, col:23> col:23 referenced 'const char *' depth 0 index 0 in
    `-ConstantExpr <line:6:19> 'const char *'
      |-value: LValue <todo>
      `-OpaqueValueExpr <col:19> 'const char *'

That dump comes from the TextNodeDumper.cpp:

  case APValue::LValue:
    (void)Context;
    OS << "LValue <todo>";
    return;

So, some APValue must be of kind LValue.

Anyways, bisections blames 5518a9d ([c++20] P1907R1: Support for generalized non-type template arguments of scalar type. (#78041), 2024.01.21.) commit for introducing this crash.

This is a regression, as clang-17 did not crash on the same input.

Notes for myself: CPP-4927

[llvmbot]

@llvm/issue-subscribers-clang-static-analyzer

Author: Balazs Benics (steakhal)

clang 18.1.0 crashes on the following code snippet, while clang-17 does not. https://godbolt.org/z/h3sME4Gdz

This is a nullpointer dereference.

constexpr char abc[] = "abc";
void use(const char *fmt);

template <const char* in>
void use_template_param() {
  const char *p = in;
}
void force_instantiate() {
  use_template_param<abc>();
}

Stack trace:

#<!-- -->0  clang::Stmt::getStmtClass (this=0x0) at clang/include/clang/AST/Stmt.h:1357
#<!-- -->1  ignoreTransparentExprs (E=0x0) at Core/Environment.cpp:41
#<!-- -->2  ignoreTransparentExprs (E=0x0) at Core/Environment.cpp:62
#<!-- -->3  ignoreTransparentExprs (E=0x7f2d5418c080) at Core/Environment.cpp:62
#<!-- -->4  ignoreTransparentExprs (E=0x7f2d5418c098) at Core/Environment.cpp:62
#<!-- -->5  ignoreTransparentExprs (S=0x7f2d5418c0f8) at Core/Environment.cpp:67
#<!-- -->6  clang::ento::EnvironmentEntry::EnvironmentEntry () at Core/Environment.cpp:73
#<!-- -->7  clang::ento::ProgramState::getSVal () at Core/PathSensitive/ProgramState.h:807
#<!-- -->8  0x00007f2d68e76926 in clang::ento::ExprEngine::VisitCast () at Core/ExprEngineC.cpp:337
#<!-- -->9  0x00007f2d68e38cdc in clang::ento::ExprEngine::Visit () at Core/ExprEngine.cpp:2280
#<!-- -->10 0x00007f2d68e35039 in clang::ento::ExprEngine::ProcessStmt () at Core/ExprEngine.cpp:1134
#<!-- -->11 0x00007f2d68e34ccd in clang::ento::ExprEngine::processCFGElement () at Core/ExprEngine.cpp:976
#<!-- -->12 0x00007f2d68dfb5ff in clang::ento::CoreEngine::HandlePostStmt () at Core/CoreEngine.cpp:499
#<!-- -->13 0x00007f2d68dfad62 in clang::ento::CoreEngine::dispatchWorkItem () at Core/CoreEngine.cpp:220

In the AST, we have this segment for the const char *p = in; variable declaration:

`-VarDecl <col:3, col:19> col:15 p 'const char *' cinit
  `-SubstNonTypeTemplateParmExpr <col:19> 'const char *'
    |-NonTypeTemplateParmDecl <line:4:11, col:23> col:23 referenced 'const char *' depth 0 index 0 in
    `-ConstantExpr <line:6:19> 'const char *'
      |-value: LValue <todo>
      `-OpaqueValueExpr <col:19> 'const char *'

That dump comes from the TextNodeDumper.cpp:

  case APValue::LValue:
    (void)Context;
    OS << "LValue <todo>";
    return;

So, some APValue must be of kind LValue.

Anyways, bisections blames 5518a9d ([c++20] P1907R1: Support for generalized non-type template arguments of scalar type. (#<!-- -->78041), 2024.01.21.) commit for introducing this crash.

This is a regression, as clang-17 did not crash on the same input.

Notes for myself: CPP-4927