[clang] d462aa5 - [clang] Fix a nullptr dereference bug on invalid code

Adam Czachorowski via cfe-commits cfe-commits at lists.llvm.org
Mon Jan 25 06:02:39 PST 2021 

Author: Adam Czachorowski
Date: 2021-01-25T15:02:25+01:00
New Revision: d462aa5a619ab9fdf8b024e48c19bc8820fe8781

URL: https://github.com/llvm/llvm-project/commit/d462aa5a619ab9fdf8b024e48c19bc8820fe8781
DIFF: https://github.com/llvm/llvm-project/commit/d462aa5a619ab9fdf8b024e48c19bc8820fe8781.diff

LOG: [clang] Fix a nullptr dereference bug on invalid code

When working with invalid code, we would try to dereference a nullptr
while deducing template arguments in some dependend code operating on a
lambda with invalid return type.

Differential Revision: https://reviews.llvm.org/D95145

Added: 
    clang/test/SemaCXX/subst-func-type-invalid-ret-type.cpp

Modified: 
    clang/lib/Sema/SemaTemplateInstantiateDecl.cpp

Removed: 
    


################################################################################
diff  --git a/clang/lib/Sema/SemaTemplateInstantiateDecl.cpp b/clang/lib/Sema/SemaTemplateInstantiateDecl.cpp
index d3d6df5e0064..dc1e0ef60cac 100644
--- a/clang/lib/Sema/SemaTemplateInstantiateDecl.cpp
+++ b/clang/lib/Sema/SemaTemplateInstantiateDecl.cpp
@@ -4189,6 +4189,9 @@ TemplateDeclInstantiator::SubstFunctionType(FunctionDecl *D,
       for (unsigned OldIdx = 0, NumOldParams = OldProtoLoc.getNumParams();
            OldIdx != NumOldParams; ++OldIdx) {
         ParmVarDecl *OldParam = OldProtoLoc.getParam(OldIdx);
+        if (!OldParam)
+          return nullptr;
+
         LocalInstantiationScope *Scope = SemaRef.CurrentInstantiationScope;
 
         Optional<unsigned> NumArgumentsInExpansion;

diff  --git a/clang/test/SemaCXX/subst-func-type-invalid-ret-type.cpp b/clang/test/SemaCXX/subst-func-type-invalid-ret-type.cpp
new file mode 100644
index 000000000000..c78ffff3ff50
--- /dev/null
+++ b/clang/test/SemaCXX/subst-func-type-invalid-ret-type.cpp
@@ -0,0 +1,16 @@
+// RUN: %clang -fsyntax-only -std=c++17 %s -Xclang -verify
+
+// The important part is that we do not crash.
+
+template<typename T> T declval();
+
+template <typename T>
+auto Call(T x) -> decltype(declval<T>()(0)) {} // expected-note{{candidate template ignored}}
+
+class Status {};
+
+void fun() {
+  // The Status() (instead of Status) here used to cause a crash.
+  Call([](auto x) -> Status() {}); // expected-error{{function cannot return function type 'Status ()}}
+  // expected-error at -1{{no matching function for call to 'Call'}}
+}

More information about the cfe-commits mailing list