[clang] 10a7ee0 - [analyzer] Fix for the crash in #56873

via cfe-commits cfe-commits at lists.llvm.org
Wed Aug 3 10:25:26 PDT 2022


Author: isuckatcs
Date: 2022-08-03T19:25:02+02:00
New Revision: 10a7ee0bac211810376f29a879a9f73ed2ab15fc

URL: https://github.com/llvm/llvm-project/commit/10a7ee0bac211810376f29a879a9f73ed2ab15fc
DIFF: https://github.com/llvm/llvm-project/commit/10a7ee0bac211810376f29a879a9f73ed2ab15fc.diff

LOG: [analyzer] Fix for the crash in #56873

In ExprEngine::bindReturnValue() we cast an SVal to DefinedOrUnknownSVal,
however this SVal can also be Undefined, which leads to an assertion failure.

Fixes: #56873

Differential Revision: https://reviews.llvm.org/D130974

Added: 
    clang/test/Analysis/Issue56873.cpp

Modified: 
    clang/lib/StaticAnalyzer/Core/ExprEngineCallAndReturn.cpp

Removed: 
    


################################################################################
diff  --git a/clang/lib/StaticAnalyzer/Core/ExprEngineCallAndReturn.cpp b/clang/lib/StaticAnalyzer/Core/ExprEngineCallAndReturn.cpp
index 8fb2ce9cd18f3..1e8006cb9d59b 100644
--- a/clang/lib/StaticAnalyzer/Core/ExprEngineCallAndReturn.cpp
+++ b/clang/lib/StaticAnalyzer/Core/ExprEngineCallAndReturn.cpp
@@ -762,6 +762,11 @@ ProgramStateRef ExprEngine::bindReturnValue(const CallEvent &Call,
           svalBuilder.evalBinOp(State, BO_Mul, ElementCount, ElementSize,
                                 svalBuilder.getArrayIndexType());
 
+      // FIXME: This line is to prevent a crash. For more details please check
+      // issue #56264.
+      if (Size.isUndef())
+        Size = UnknownVal();
+
       State = setDynamicExtent(State, MR, Size.castAs<DefinedOrUnknownSVal>(),
                                svalBuilder);
     } else {
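Review bot: the FIXME added in this hunk cites issue #56264, while the commit log and the new test file cite #56873; either the comment should say that #56264 is the underlying root cause being tracked separately, or the number should be corrected so the FIXME and the fix tracker agree. More substantively, rewriting an Undefined `Size` as `UnknownVal()` right before `setDynamicExtent()` avoids the `castAs<DefinedOrUnknownSVal>()` assertion, but it also discards the information that the element count that fed `evalBinOp(State, BO_Mul, ElementCount, ElementSize, ...)` was never initialized (`n` in `new S[n]` in the test). The cleaner fix is to handle the undefined `ElementCount` before the multiplication, either by skipping the extent binding or by letting the core uninitialized-value checking report it, so that an extent is never recorded for a region whose size came from garbage; if the Unknown downgrade is kept as a stopgap, the comment should say that a real diagnostic is still missing rather than only "to prevent a crash".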

diff  --git a/clang/test/Analysis/Issue56873.cpp b/clang/test/Analysis/Issue56873.cpp
new file mode 100644
index 0000000000000..36fe5ff3fc9d7
--- /dev/null
+++ b/clang/test/Analysis/Issue56873.cpp
@@ -0,0 +1,24 @@
+// RUN: %clang_analyze_cc1 -analyzer-checker=core,debug.ExprInspection -verify %s
+
+void clang_analyzer_warnIfReached();
+
+struct S {
+};
+
+void Issue56873_1() {
+    int n;
+
+    // This line used to crash
+    S *arr = new S[n];
+    
+    clang_analyzer_warnIfReached();  // expected-warning{{REACHABLE}}
+}
+
+void Issue56873_2() {
+    int n;
+
+    // This line used to crash
+    int *arr = new int[n];
+    
+    clang_analyzer_warnIfReached();  // expected-warning{{REACHABLE}}
+}
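Review bot: the blank lines following `S *arr = new S[n];` and `int *arr = new int[n];` carry trailing whitespace, and both function bodies use 4-space indentation where the rest of clang/test/Analysis uses 2 spaces; run clang-format on the new file. The two functions also only check reachability after the `new` expression. Because the RUN line enables `core` under `-verify`, passing this test also pins down that no uninitialized-value diagnostic is emitted for the array size `n`, which is presumably not the behaviour the test intends to lock in. Either add an `expected-warning` for the uninitialized size if the checkers are expected to report it, or add a comment stating that the missing diagnostic is a known gap tied to the FIXME in ExprEngineCallAndReturn.cpp, so a future change that starts reporting it does not look like a regression here.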


        

