[clang-tools-extra] [clang-tidy] fix nullptr dereference in bugprone-forwarding-reference (PR #106856)

Julian Schmidt via cfe-commits cfe-commits at lists.llvm.org
Mon Sep 16 14:22:48 PDT 2024


https://github.com/5chmidti updated https://github.com/llvm/llvm-project/pull/106856

>From f47b807598ed0e80d3e3bd2c05699f977a2395bf Mon Sep 17 00:00:00 2001
From: Julian Schmidt <git.julian.schmidt at gmail.com>
Date: Sat, 31 Aug 2024 16:56:54 +0200
Subject: [PATCH] [clang-tidy] fix nullptr dereference in
 bugprone-forwarding-reference

Previously, when checking if a `TemplateSpecializationType` is either
`enable_if` or `enable_if_t`, the AST matcher would call
`getTemplateName`, `getASTemplateDecl` and `getTemplatedDecl` in
succession to check the `NamedDecl` returned from `getTemplatedDecl` is
`std::enable_if[_t]`.
In the linked issue, the poitner returned by `getTemplatedDecl` is a
`nullptr` that is unconditionally accessed, resulting in a crash.
Instead, the checking is done on the `TemplateDecl` returned by
`getASTemplateDecl`.

Fixes #106333
---
 .../bugprone/ForwardingReferenceOverloadCheck.cpp | 15 +++++++--------
 clang-tools-extra/docs/ReleaseNotes.rst           |  5 ++++-
 .../bugprone/forwarding-reference-overload.cpp    |  6 ++++++
 3 files changed, 17 insertions(+), 9 deletions(-)

diff --git a/clang-tools-extra/clang-tidy/bugprone/ForwardingReferenceOverloadCheck.cpp b/clang-tools-extra/clang-tidy/bugprone/ForwardingReferenceOverloadCheck.cpp
index c87b3ea7e26163..00e8f7e514368b 100644
--- a/clang-tools-extra/clang-tidy/bugprone/ForwardingReferenceOverloadCheck.cpp
+++ b/clang-tools-extra/clang-tidy/bugprone/ForwardingReferenceOverloadCheck.cpp
@@ -9,7 +9,6 @@
 #include "ForwardingReferenceOverloadCheck.h"
 #include "clang/AST/ASTContext.h"
 #include "clang/ASTMatchers/ASTMatchFinder.h"
-#include <algorithm>
 
 using namespace clang::ast_matchers;
 
@@ -19,14 +18,14 @@ namespace {
 // Check if the given type is related to std::enable_if.
 AST_MATCHER(QualType, isEnableIf) {
   auto CheckTemplate = [](const TemplateSpecializationType *Spec) {
-    if (!Spec || !Spec->getTemplateName().getAsTemplateDecl()) {
+    if (!Spec)
       return false;
-    }
-    const NamedDecl *TypeDecl =
-        Spec->getTemplateName().getAsTemplateDecl()->getTemplatedDecl();
-    return TypeDecl->isInStdNamespace() &&
-           (TypeDecl->getName() == "enable_if" ||
-            TypeDecl->getName() == "enable_if_t");
+
+    const TemplateDecl *TDecl = Spec->getTemplateName().getAsTemplateDecl();
+
+    return TDecl && TDecl->isInStdNamespace() &&
+           (TDecl->getName() == "enable_if" ||
+            TDecl->getName() == "enable_if_t");
   };
   const Type *BaseType = Node.getTypePtr();
   // Case: pointer or reference to enable_if.
diff --git a/clang-tools-extra/docs/ReleaseNotes.rst b/clang-tools-extra/docs/ReleaseNotes.rst
index 8d0c093b312dd5..b71766710ff145 100644
--- a/clang-tools-extra/docs/ReleaseNotes.rst
+++ b/clang-tools-extra/docs/ReleaseNotes.rst
@@ -111,6 +111,10 @@ Changes in existing checks
   <clang-tidy/checks/bugprone/casting-through-void>` check to suggest replacing
   the offending code with ``reinterpret_cast``, to more clearly express intent.
 
+- Improved :doc:`bugprone-forwarding-reference-overload
+  <clang-tidy/checks/bugprone/forwarding-reference-overload>` check by fixing
+  a crash when determining if an ``enable_if[_t]`` was found.
+
 - Improved :doc:`cert-flp30-c<clang-tidy/checks/cert/flp30-c>` check to 
   fix false positive that floating point variable is only used in increment
   expression.
@@ -119,7 +123,6 @@ Changes in existing checks
   <clang-tidy/checks/cppcoreguidelines/prefer-member-initializer>` check to avoid
   false positive when member initialization depends on a structured binging
   variable.
-
 - Improved :doc:`modernize-use-std-format
   <clang-tidy/checks/modernize/use-std-format>` check to support replacing
   member function calls too.
diff --git a/clang-tools-extra/test/clang-tidy/checkers/bugprone/forwarding-reference-overload.cpp b/clang-tools-extra/test/clang-tidy/checkers/bugprone/forwarding-reference-overload.cpp
index 92dfb718bb51b7..27315199c7ebae 100644
--- a/clang-tools-extra/test/clang-tidy/checkers/bugprone/forwarding-reference-overload.cpp
+++ b/clang-tools-extra/test/clang-tidy/checkers/bugprone/forwarding-reference-overload.cpp
@@ -261,3 +261,9 @@ class Test11 {
   Test11(const Test11 &) = default;
   Test11(Test11 &&) = default;
 };
+
+template <template <class> typename T, typename U>
+struct gh106333
+{
+    gh106333(U && arg1, T<int> arg2) {}
+};



More information about the cfe-commits mailing list