[cfe-commits] r113282 - in /cfe/trunk: lib/Checker/StreamChecker.cpp test/Analysis/stream.c
Ted Kremenek
kremenek at apple.com
Tue Sep 7 13:45:26 PDT 2010
Author: kremenek
Date: Tue Sep 7 15:45:26 2010
New Revision: 113282
URL: http://llvm.org/viewvc/llvm-project?rev=113282&view=rev
Log:
Fix null pointer dereference in StreamChecker::Fseek (reported in PR 8081) and simplify surrounding checking logic.
Modified:
cfe/trunk/lib/Checker/StreamChecker.cpp
cfe/trunk/test/Analysis/stream.c
Modified: cfe/trunk/lib/Checker/StreamChecker.cpp
URL: http://llvm.org/viewvc/llvm-project/cfe/trunk/lib/Checker/StreamChecker.cpp?rev=113282&r1=113281&r2=113282&view=diff
==============================================================================
--- cfe/trunk/lib/Checker/StreamChecker.cpp (original)
+++ cfe/trunk/lib/Checker/StreamChecker.cpp Tue Sep 7 15:45:26 2010
@@ -271,29 +271,24 @@
return;
// Check the legality of the 'whence' argument of 'fseek'.
SVal Whence = state->getSVal(CE->getArg(2));
- bool WhenceIsLegal = true;
const nonloc::ConcreteInt *CI = dyn_cast<nonloc::ConcreteInt>(&Whence);
+
if (!CI)
- WhenceIsLegal = false;
+ return;
int64_t x = CI->getValue().getSExtValue();
- if (!(x == 0 || x == 1 || x == 2))
- WhenceIsLegal = false;
-
- if (!WhenceIsLegal) {
- if (ExplodedNode *N = C.GenerateSink(state)) {
- if (!BT_illegalwhence)
- BT_illegalwhence = new BuiltinBug("Illegal whence argument",
- "The whence argument to fseek() should be "
- "SEEK_SET, SEEK_END, or SEEK_CUR.");
- BugReport *R = new BugReport(*BT_illegalwhence,
- BT_illegalwhence->getDescription(), N);
- C.EmitReport(R);
- }
+ if (x >= 0 && x <= 2)
return;
- }
- C.addTransition(state);
+ if (ExplodedNode *N = C.GenerateNode(state)) {
+ if (!BT_illegalwhence)
+ BT_illegalwhence = new BuiltinBug("Illegal whence argument",
+ "The whence argument to fseek() should be "
+ "SEEK_SET, SEEK_END, or SEEK_CUR.");
+ BugReport *R = new BugReport(*BT_illegalwhence,
+ BT_illegalwhence->getDescription(), N);
+ C.EmitReport(R);
+ }
}
void StreamChecker::Ftell(CheckerContext &C, const CallExpr *CE) {
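Review bot: The new range check `if (x >= 0 && x <= 2)` replaces the explicit `x == 0 || x == 1 || x == 2` with bare magic numbers, and nothing in the hunk says what they stand for; the only hint is the bug-report text three lines later. Add a comment on the check such as `// 0, 1 and 2 are SEEK_SET, SEEK_CUR and SEEK_END (the values every libc the checker currently models uses)` so a later maintainer does not widen the range without realising it is an enumeration, not an interval. The report is also now emitted from `C.GenerateNode(state)` instead of `C.GenerateSink(state)`, so analysis of the path continues after an illegal-whence report; the log message only calls this a simplification, so a one-line comment there (`// Not a sink: an illegal whence is a bug, not an abort of the path`) would record that the change is intentional. The enclosing function, StreamChecker::Fseek, starts before this hunk, so the early `return;` on a non-constant whence relies on the caller-side transition behaviour set up above it, which I cannot see from here.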
Modified: cfe/trunk/test/Analysis/stream.c
URL: http://llvm.org/viewvc/llvm-project/cfe/trunk/test/Analysis/stream.c?rev=113282&r1=113281&r2=113282&view=diff
==============================================================================
--- cfe/trunk/test/Analysis/stream.c (original)
+++ cfe/trunk/test/Analysis/stream.c Tue Sep 7 15:45:26 2010
@@ -77,3 +77,9 @@
void pr7831(FILE *fp) {
fclose(fp); // no-warning
}
+
+// PR 8081 - null pointer crash when 'whence' is not an integer constant
+void pr8081(FILE *stream, long offset, int whence) {
+ fseek(stream, offset, whence);
+}
+
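Review bot: The new `pr8081` case only proves the analyzer no longer crashes on a symbolic `whence`; unlike `pr7831` just above it, the `fseek` call carries no `// no-warning` annotation, so a later regression that starts reporting on non-constant whence values would pass this test unnoticed. Change the call to `fseek(stream, offset, whence); // no-warning` to pin the intended outcome. If the file does not already have a case that exercises the illegal-constant branch (for example a call with whence `3` and an `expected-warning`), the other half of this commit's change is untested too; I cannot tell from this hunk whether such a case exists earlier in the file.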