r341092 - [analyzer] InnerPointerChecker: Fix a segfault when checking symbolic strings.
Artem Dergachev via cfe-commits
cfe-commits at lists.llvm.org
Thu Aug 30 11:45:05 PDT 2018
Author: dergachev
Date: Thu Aug 30 11:45:05 2018
New Revision: 341092
URL: http://llvm.org/viewvc/llvm-project?rev=341092&view=rev
Log:
[analyzer] InnerPointerChecker: Fix a segfault when checking symbolic strings.
Return value of dyn_cast_or_null should be checked before use.
Otherwise we may put a null pointer into the map as a key and eventually
crash in checkDeadSymbols.
Differential Revision: https://reviews.llvm.org/D51385
Modified:
cfe/trunk/lib/StaticAnalyzer/Checkers/InnerPointerChecker.cpp
cfe/trunk/test/Analysis/inner-pointer.cpp
Modified: cfe/trunk/lib/StaticAnalyzer/Checkers/InnerPointerChecker.cpp
URL: http://llvm.org/viewvc/llvm-project/cfe/trunk/lib/StaticAnalyzer/Checkers/InnerPointerChecker.cpp?rev=341092&r1=341091&r2=341092&view=diff
==============================================================================
--- cfe/trunk/lib/StaticAnalyzer/Checkers/InnerPointerChecker.cpp (original)
+++ cfe/trunk/lib/StaticAnalyzer/Checkers/InnerPointerChecker.cpp Thu Aug 30 11:45:05 2018
@@ -211,8 +211,11 @@ void InnerPointerChecker::checkPostCall(
ProgramStateRef State = C.getState();
if (const auto *ICall = dyn_cast<CXXInstanceCall>(&Call)) {
+ // TODO: Do we need these to be typed?
const auto *ObjRegion = dyn_cast_or_null<TypedValueRegion>(
ICall->getCXXThisVal().getAsRegion());
+ if (!ObjRegion)
+ return;
if (Call.isCalled(CStrFn) || Call.isCalled(DataFn)) {
SVal RawPtr = Call.getReturnValue();
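Review bot: the new `if (!ObjRegion) return;` exits checkPostCall for every CXXInstanceCall whose `this` region is not a TypedValueRegion, not only for the c_str()/data() branch that follows it; if the remainder of the function (outside this hunk) handles other member calls on the same object, confirm that skipping them for a symbolic `this` (for example a reference parameter, as the new test exercises) is intended, or move the guard into the branch that actually uses ObjRegion as a map key. The added `// TODO: Do we need these to be typed?` also leaves the question open; a one-line note on why TypedValueRegion (rather than MemRegion) is required here would make the guard self-explanatory.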
Modified: cfe/trunk/test/Analysis/inner-pointer.cpp
URL: http://llvm.org/viewvc/llvm-project/cfe/trunk/test/Analysis/inner-pointer.cpp?rev=341092&r1=341091&r2=341092&view=diff
==============================================================================
--- cfe/trunk/test/Analysis/inner-pointer.cpp (original)
+++ cfe/trunk/test/Analysis/inner-pointer.cpp Thu Aug 30 11:45:05 2018
@@ -424,3 +424,7 @@ void no_CXXRecordDecl() {
*(void **)&b = c() + 1;
*b = a; // no-crash
}
+
+void checkReference(std::string &s) {
+ const char *c = s.c_str();
+}
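Review bot: the new test `checkReference` carries no annotation stating what it checks, whereas the neighbouring `no_CXXRecordDecl` test marks its crash-prone line with `// no-crash`; adding the same marker to `const char *c = s.c_str(); // no-crash` would document that the case exists to cover the null-ObjRegion path from D51385 and keep the test from being mistaken for an incomplete expected-warning test.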