[PATCH] D51385: [analyzer] InnerPointerChecker: Fix a segfault.
Artem Dergachev via Phabricator via cfe-commits
cfe-commits at lists.llvm.org
Tue Aug 28 15:00:31 PDT 2018
NoQ created this revision.
NoQ added reviewers: dcoughlin, xazax.hun, a.sidorin, george.karpenkov, szepet, rnkovacs.
Herald added subscribers: cfe-commits, Szelethus, mikhail.ramalho, baloghadamsoftware.
Return value of `dyn_cast_or_null` should be checked before use. Otherwise we may put a null pointer into the map as a key and eventually crash in `checkDeadSymbols`.
Reka: Why did we restrict ourselves to `TypedValueRegion`s here? While we are mostly interested in local string variables and temporaries, which would of course be typed, I guess there's nothing that prevents us from checking that we don't `delete` or mutate a string in a `SymbolicRegion` somewhere between obtaining and using its inner pointer.
Repository:
rC Clang
https://reviews.llvm.org/D51385
Files:
lib/StaticAnalyzer/Checkers/InnerPointerChecker.cpp
test/Analysis/inner-pointer.cpp
Index: test/Analysis/inner-pointer.cpp
===================================================================
--- test/Analysis/inner-pointer.cpp
+++ test/Analysis/inner-pointer.cpp
@@ -424,3 +424,7 @@
*(void **)&b = c() + 1;
*b = a; // no-crash
}
+
+void checkReference(std::string &s) {
+ const char *c = s.c_str();
+}
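Review bot: `checkReference` carries no marker saying what it guards against, unlike the `// no-crash` comment on `*b = a;` in the test directly above it. Put `// no-crash` on the `s.c_str()` line so the purpose of the test survives later edits. The function also ends right after obtaining the pointer, so it only covers the crash; a follow-up case that modifies `s` and then uses `c` would document what the checker is expected to do for a string reached through a reference.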
Index: lib/StaticAnalyzer/Checkers/InnerPointerChecker.cpp
===================================================================
--- lib/StaticAnalyzer/Checkers/InnerPointerChecker.cpp
+++ lib/StaticAnalyzer/Checkers/InnerPointerChecker.cpp
@@ -213,6 +213,8 @@
if (const auto *ICall = dyn_cast<CXXInstanceCall>(&Call)) {
const auto *ObjRegion = dyn_cast_or_null<TypedValueRegion>(
ICall->getCXXThisVal().getAsRegion());
+ if (!ObjRegion)
+ return;
if (Call.isCalled(CStrFn) || Call.isCalled(DataFn)) {
SVal RawPtr = Call.getReturnValue();
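Review bot: The early `return` under `if (!ObjRegion)` exits for every `CXXInstanceCall` whose `this` region is not a `TypedValueRegion`, so nothing below it runs for those objects, and no comment says that this is intended. The revision description already asks whether `SymbolicRegion`s should be handled as well, so a short comment or FIXME above `if (!ObjRegion)` explaining why such regions are skipped would record that open question in the code.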
-------------- next part --------------
A non-text attachment was scrubbed...
Name: D51385.162963.patch
Type: text/x-patch
Size: 902 bytes
Desc: not available
URL: <http://lists.llvm.org/pipermail/cfe-commits/attachments/20180828/8530d70a/attachment.bin>