[PATCH] D45564: [analyzer] Fix null deref in AnyFunctionCall::getRuntimeDefinition
Rafael Stahl via Phabricator via cfe-commits
cfe-commits at lists.llvm.org
Fri Apr 13 05:17:47 PDT 2018
r.stahl updated this revision to Diff 142381.
r.stahl edited the summary of this revision.
r.stahl added a comment.
addressed review comments.
I created a new test because certain checkers would cause early exits in the engine (because of undefined func ptr) and not cause the crash.
Since I don't have commit access, please commit for me.
https://reviews.llvm.org/D45564
Files:
lib/StaticAnalyzer/Core/CallEvent.cpp
test/Analysis/undef-call.c
Index: test/Analysis/undef-call.c
===================================================================
--- test/Analysis/undef-call.c
+++ test/Analysis/undef-call.c
@@ -0,0 +1,14 @@
+// RUN: %clang_cc1 -fsyntax-only -analyze -analyzer-checker=debug.ExprInspection -analyzer-config experimental-enable-naive-ctu-analysis=true -analyzer-config ctu-dir=%T/ctudir -verify %s
+// expected-no-diagnostics
+
+struct S {
+ void (*fp)();
+};
+
+int main() {
+ struct S s;
+ // This will cause the analyzer to look for a function definition that has
+ // no FunctionDecl. It used to cause a crash in AnyFunctionCall::getRuntimeDefinition.
+ // It would only occur when CTU analysis is enabled.
+ s.fp();
+}
Index: lib/StaticAnalyzer/Core/CallEvent.cpp
===================================================================
--- lib/StaticAnalyzer/Core/CallEvent.cpp
+++ lib/StaticAnalyzer/Core/CallEvent.cpp
@@ -387,31 +387,32 @@
RuntimeDefinition AnyFunctionCall::getRuntimeDefinition() const {
const FunctionDecl *FD = getDecl();
+ if (!FD)
+ return {};
+
// Note that the AnalysisDeclContext will have the FunctionDecl with
// the definition (if one exists).
- if (FD) {
- AnalysisDeclContext *AD =
- getLocationContext()->getAnalysisDeclContext()->
- getManager()->getContext(FD);
- bool IsAutosynthesized;
- Stmt* Body = AD->getBody(IsAutosynthesized);
- DEBUG({
- if (IsAutosynthesized)
- llvm::dbgs() << "Using autosynthesized body for " << FD->getName()
- << "\n";
- });
- if (Body) {
- const Decl* Decl = AD->getDecl();
- return RuntimeDefinition(Decl);
- }
+ AnalysisDeclContext *AD =
+ getLocationContext()->getAnalysisDeclContext()->
+ getManager()->getContext(FD);
+ bool IsAutosynthesized;
+ Stmt* Body = AD->getBody(IsAutosynthesized);
+ DEBUG({
+ if (IsAutosynthesized)
+ llvm::dbgs() << "Using autosynthesized body for " << FD->getName()
+ << "\n";
+ });
+ if (Body) {
+ const Decl* Decl = AD->getDecl();
+ return RuntimeDefinition(Decl);
}
SubEngine *Engine = getState()->getStateManager().getOwningEngine();
AnalyzerOptions &Opts = Engine->getAnalysisManager().options;
// Try to get CTU definition only if CTUDir is provided.
if (!Opts.naiveCTUEnabled())
- return RuntimeDefinition();
+ return {};
cross_tu::CrossTranslationUnitContext &CTUCtx =
*Engine->getCrossTranslationUnitContext();
-------------- next part --------------
A non-text attachment was scrubbed...
Name: D45564.142381.patch
Type: text/x-patch
Size: 2483 bytes
Desc: not available
URL: <http://lists.llvm.org/pipermail/cfe-commits/attachments/20180413/a95eb75f/attachment.bin>
More information about the cfe-commits
mailing list