[clang] 0141a3c - [analyzer] Fix nullptr dereference for symbols from pointer invalidation (#106568)

via cfe-commits cfe-commits at lists.llvm.org
Thu Aug 29 12:59:09 PDT 2024


Author: Arseniy Zaostrovnykh
Date: 2024-08-29T21:59:03+02:00
New Revision: 0141a3cde4d8f2c8ff9e957f981f37e65a69a325

URL: https://github.com/llvm/llvm-project/commit/0141a3cde4d8f2c8ff9e957f981f37e65a69a325
DIFF: https://github.com/llvm/llvm-project/commit/0141a3cde4d8f2c8ff9e957f981f37e65a69a325.diff

LOG: [analyzer] Fix nullptr dereference for symbols from pointer invalidation (#106568)

As reported in
https://github.com/llvm/llvm-project/pull/105648#issuecomment-2317144635
commit 08ad8dc7154bf3ab79f750e6d5fb7df597c7601a
introduced a nullptr dereference in the case when the store contains a
binding to a symbol that has no origin region associated with it, such
as the symbol generated when a pointer is passed to an opaque function.

Added: 
    

Modified: 
    clang/lib/StaticAnalyzer/Checkers/StackAddrEscapeChecker.cpp
    clang/test/Analysis/stack-addr-ps.c

Removed: 
    


################################################################################
diff  --git a/clang/lib/StaticAnalyzer/Checkers/StackAddrEscapeChecker.cpp b/clang/lib/StaticAnalyzer/Checkers/StackAddrEscapeChecker.cpp
index 20232405d572d2..ec577c36188e6c 100644
--- a/clang/lib/StaticAnalyzer/Checkers/StackAddrEscapeChecker.cpp
+++ b/clang/lib/StaticAnalyzer/Checkers/StackAddrEscapeChecker.cpp
@@ -308,7 +308,10 @@ static const MemSpaceRegion *getStackOrGlobalSpaceRegion(const MemRegion *R) {
 const MemRegion *getOriginBaseRegion(const MemRegion *Reg) {
   Reg = Reg->getBaseRegion();
   while (const auto *SymReg = dyn_cast<SymbolicRegion>(Reg)) {
-    Reg = SymReg->getSymbol()->getOriginRegion()->getBaseRegion();
+    const auto *OriginReg = SymReg->getSymbol()->getOriginRegion();
+    if (!OriginReg)
+      break;
+    Reg = OriginReg->getBaseRegion();
   }
   return Reg;
 }
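Review bot: the new early `break` changes the function's contract without documenting it: when a symbol has no origin region, `getOriginBaseRegion` now returns the `SymbolicRegion` itself (the last value of `Reg`) instead of a non-symbolic base region, so every caller that inspects the result (for example via `getStackOrGlobalSpaceRegion`) must be prepared for a symbolic region whose memory space is unknown. Add a comment above the loop stating that fallback, e.g. `// Conjured symbols (pointer invalidation by an opaque call) have no origin region; in that case the symbolic region itself is the best base we can return.`, and consider whether the callers would rather receive `nullptr` there so that an unknown origin is not silently treated as a concrete base region.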

diff  --git a/clang/test/Analysis/stack-addr-ps.c b/clang/test/Analysis/stack-addr-ps.c
index 138b8c16b02bde..7d7294455f1dbe 100644
--- a/clang/test/Analysis/stack-addr-ps.c
+++ b/clang/test/Analysis/stack-addr-ps.c
@@ -126,3 +126,21 @@ void caller_for_nested_leaking() {
   int *ptr = 0;
   caller_mid_for_nested_leaking(&ptr);
 }
+
+// This used to crash StackAddrEscapeChecker because
+// it features a symbol conj_$1{struct c *, LC1, S763, #1}
+// that has no origin region.
+struct a {
+  int member;
+};
+
+struct c {
+  struct a *nested_ptr;
+};
+void opaque(struct c*);
+struct c* get_c(void);
+void no_crash_for_symbol_without_origin_region(void) {
+  struct c *ptr = get_c();
+  opaque(ptr);
+  ptr->nested_ptr->member++;
+} // No crash at the end of the function
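Review bot: the test only guards against the crash; the trailing `// No crash at the end of the function` comment does not say whether a diagnostic is expected on `ptr->nested_ptr->member++`, so with a `-verify` run line a regression that starts (or stops) emitting a stack-address-escape warning here would be caught only by accident. State the expectation explicitly next to the dereference (a `// no-warning` style comment matching the file's other cases), and note that the symbol name quoted in the comment, `conj_$1{struct c *, LC1, S763, #1}`, embeds internal counters that drift between builds, so it is better phrased as "a conjured symbol with no origin region" than as a literal identifier a future reader may try to match.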