r330009 - [analyzer] Fix null deref in AnyFunctionCall::getRuntimeDefinition
Gabor Horvath via cfe-commits
cfe-commits at lists.llvm.org
Fri Apr 13 05:36:08 PDT 2018
Author: xazax
Date: Fri Apr 13 05:36:08 2018
New Revision: 330009
URL: http://llvm.org/viewvc/llvm-project?rev=330009&view=rev
Log:
[analyzer] Fix null deref in AnyFunctionCall::getRuntimeDefinition
Patch by: Rafael Stahl!
Differential Revision: https://reviews.llvm.org/D45564
Added:
cfe/trunk/test/Analysis/undef-call.c
Modified:
cfe/trunk/lib/StaticAnalyzer/Core/CallEvent.cpp
Modified: cfe/trunk/lib/StaticAnalyzer/Core/CallEvent.cpp
URL: http://llvm.org/viewvc/llvm-project/cfe/trunk/lib/StaticAnalyzer/Core/CallEvent.cpp?rev=330009&r1=330008&r2=330009&view=diff
==============================================================================
--- cfe/trunk/lib/StaticAnalyzer/Core/CallEvent.cpp (original)
+++ cfe/trunk/lib/StaticAnalyzer/Core/CallEvent.cpp Fri Apr 13 05:36:08 2018
@@ -389,23 +389,24 @@ ArrayRef<ParmVarDecl*> AnyFunctionCall::
RuntimeDefinition AnyFunctionCall::getRuntimeDefinition() const {
const FunctionDecl *FD = getDecl();
+ if (!FD)
+ return {};
+
// Note that the AnalysisDeclContext will have the FunctionDecl with
// the definition (if one exists).
- if (FD) {
- AnalysisDeclContext *AD =
- getLocationContext()->getAnalysisDeclContext()->
- getManager()->getContext(FD);
- bool IsAutosynthesized;
- Stmt* Body = AD->getBody(IsAutosynthesized);
- DEBUG({
- if (IsAutosynthesized)
- llvm::dbgs() << "Using autosynthesized body for " << FD->getName()
- << "\n";
- });
- if (Body) {
- const Decl* Decl = AD->getDecl();
- return RuntimeDefinition(Decl);
- }
+ AnalysisDeclContext *AD =
+ getLocationContext()->getAnalysisDeclContext()->
+ getManager()->getContext(FD);
+ bool IsAutosynthesized;
+ Stmt* Body = AD->getBody(IsAutosynthesized);
+ DEBUG({
+ if (IsAutosynthesized)
+ llvm::dbgs() << "Using autosynthesized body for " << FD->getName()
+ << "\n";
+ });
+ if (Body) {
+ const Decl* Decl = AD->getDecl();
+ return RuntimeDefinition(Decl);
}
SubEngine *Engine = getState()->getStateManager().getOwningEngine();
@@ -413,7 +414,7 @@ RuntimeDefinition AnyFunctionCall::getRu
// Try to get CTU definition only if CTUDir is provided.
if (!Opts.naiveCTUEnabled())
- return RuntimeDefinition();
+ return {};
cross_tu::CrossTranslationUnitContext &CTUCtx =
*Engine->getCrossTranslationUnitContext();
Added: cfe/trunk/test/Analysis/undef-call.c
URL: http://llvm.org/viewvc/llvm-project/cfe/trunk/test/Analysis/undef-call.c?rev=330009&view=auto
==============================================================================
--- cfe/trunk/test/Analysis/undef-call.c (added)
+++ cfe/trunk/test/Analysis/undef-call.c Fri Apr 13 05:36:08 2018
@@ -0,0 +1,14 @@
+// RUN: %clang_cc1 -fsyntax-only -analyze -analyzer-checker=debug.ExprInspection -analyzer-config experimental-enable-naive-ctu-analysis=true -analyzer-config ctu-dir=%T/ctudir -verify %s
+// expected-no-diagnostics
+
+struct S {
+ void (*fp)();
+};
+
+int main() {
+ struct S s;
+ // This will cause the analyzer to look for a function definition that has
+ // no FunctionDecl. It used to cause a crash in AnyFunctionCall::getRuntimeDefinition.
+ // It would only occur when CTU analysis is enabled.
+ s.fp();
+}
More information about the cfe-commits
mailing list