[clang] [analyzer] Fix crash on dereference invalid return value of getAdjustedParameterIndex() (PR #83585)

via cfe-commits cfe-commits at lists.llvm.org
Mon Mar 4 00:27:21 PST 2024


tomasz-kaminski-sonarsource wrote:

Thank you for creating the ticket, and fixing the issue. I am a bit concerned that the fix is hiding the symptoms and not the actual bug. After a bit of checking, I think the issue is caused by the fact that for explicit object functions, we are creating a `CXXMemberOperatorCall` event, which performs parameter adjustment.
The corresponding code can be [found here](https://github.com/llvm/llvm-project/blob/c7fdd8c11e54585dc9d15d63de9742067e0506b9/clang/lib/StaticAnalyzer/Core/CallEvent.cpp#L1412):
```c++
if (const auto *OpCE = dyn_cast<CXXOperatorCallExpr>(CE)) {
  const FunctionDecl *DirectCallee = OpCE->getDirectCallee();
  if (const auto *MD = dyn_cast<CXXMethodDecl>(DirectCallee))
    if (MD->isInstance())  // <-- The root of the issue
      return create<CXXMemberOperatorCall>(OpCE, State, LCtx, ElemRef);
}
```
I think it would be fixed by replacing `MD->isInstance()` with `isImplicitObjectMemberFunction()`. This will make us fall back to `SimpleFunctionCall`.

That would make the behavior consistent with the behavior for other explicit object functions (deducing this).
To illustrate, for the following code the AST and the produced call event are different:
```c++
struct Foo {
  void foo();
  void bar(this Foo&);
};

void test(Foo f) {
  f.foo(); // represented as `CXXMemberCallExpr`, and creates a `CXXMemberCall` event
  f.bar(); // represented as `CallExpr`, and creates a `SimpleFunctionCall` event
}
```
Live link here: https://godbolt.org/z/sjEbb6rMe.

Would you be willing to adjust the PR to implement the suggested change?

https://github.com/llvm/llvm-project/pull/83585
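The following is an added, constructed model of the classification and index-adjustment logic discussed above; it is not clang code. `MethodInfo`, `classifyBefore`, `classifyAfter` and `parameterForArgument` are hypothetical stand-ins, and the argument-to-parameter mapping is assumed to follow the real `CXXMemberOperatorCall` (AST argument 0 is the object and has no parameter, later arguments shift down by one, a `SimpleFunctionCall` maps 1:1). It shows why routing an explicit-object operator through the adjusting event yields an empty result for argument 0, which is exactly the value a caller must not dereference, and why the `isImplicitObjectMemberFunction()` check avoids that.

```cpp
#include <optional>

// Which call event the analyzer would construct for an operator call.
enum class CallKind { SimpleFunctionCall, CXXMemberOperatorCall };

// Constructed stand-in for the two CXXMethodDecl queries compared above.
struct MethodInfo {
  bool isInstance;              // non-static member function
  bool hasExplicitObjectParam;  // declared with `this T&` (deducing this)
  bool isImplicitObjectMemberFunction() const {
    return isInstance && !hasExplicitObjectParam;
  }
};

// Classification as in the quoted snippet: any instance method adjusts.
CallKind classifyBefore(const MethodInfo &MD) {
  return MD.isInstance ? CallKind::CXXMemberOperatorCall
                       : CallKind::SimpleFunctionCall;
}

// Suggested classification: only implicit-object members adjust.
CallKind classifyAfter(const MethodInfo &MD) {
  return MD.isImplicitObjectMemberFunction() ? CallKind::CXXMemberOperatorCall
                                             : CallKind::SimpleFunctionCall;
}

// Assumed model of the AST-argument -> parameter mapping (see lead-in).
// For the adjusting event, argument 0 is the implicit object and has no
// parameter; an explicit object parameter, however, *is* parameter 0.
std::optional<unsigned> adjustedParameterIndex(CallKind K, unsigned ASTArgIndex) {
  if (K == CallKind::SimpleFunctionCall)
    return ASTArgIndex;
  if (ASTArgIndex == 0)
    return std::nullopt;
  return ASTArgIndex - 1;
}

// Safe lookup: reports failure instead of dereferencing an empty optional.
bool parameterForArgument(CallKind K, unsigned ASTArgIndex, unsigned &ParamIdx) {
  std::optional<unsigned> Adj = adjustedParameterIndex(K, ASTArgIndex);
  if (!Adj)
    return false;
  ParamIdx = *Adj;
  return true;
}
```

With the old check an explicit-object `operator()` is classified as `CXXMemberOperatorCall`, so `parameterForArgument(..., 0, ...)` fails for its object argument; with the suggested check it becomes a `SimpleFunctionCall` and argument 0 maps to parameter 0.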