[clang] [clang][analyzer] Fix a nullptr dereference when `-ftime-trace` is used (PR #139820)

Tue May 13 17:47:56 PDT 2025

llvmbot wrote:



@llvm/pr-subscribers-clang-static-analyzer-1

@llvm/pr-subscribers-clang

Author: Fangyi Zhou (fangyi-zhou)

<details>
<summary>Changes</summary>

Fixes #139779.

The bug was introduced in #137355 in `SymbolConjured::getStmt`, when trying to obtain a statement for a CFG initializer without an initializer.  This commit adds a null check before access.

---
Full diff: https://github.com/llvm/llvm-project/pull/139820.diff


2 Files Affected:

- (modified) clang/include/clang/StaticAnalyzer/Core/PathSensitive/SymbolManager.h (+2) 
- (added) clang/test/Analysis/ftime-trace-no-init.cpp (+5) 


``````````diff

diff --git a/clang/include/clang/StaticAnalyzer/Core/PathSensitive/SymbolManager.h b/clang/include/clang/StaticAnalyzer/Core/PathSensitive/SymbolManager.h
index 9e7c98fdded17..00159971fd7b5 100644
--- a/clang/include/clang/StaticAnalyzer/Core/PathSensitive/SymbolManager.h
+++ b/clang/include/clang/StaticAnalyzer/Core/PathSensitive/SymbolManager.h
@@ -103,6 +103,8 @@ class SymbolConjured : public SymbolData {
   const Stmt *getStmt() const {
     switch (Elem->getKind()) {
     case CFGElement::Initializer:
+      if (Elem->castAs<CFGInitializer>().getInitializer() == nullptr)
+        return nullptr;
       return Elem->castAs<CFGInitializer>().getInitializer()->getInit();
     case CFGElement::ScopeBegin:
       return Elem->castAs<CFGScopeBegin>().getTriggerStmt();
diff --git a/clang/test/Analysis/ftime-trace-no-init.cpp b/clang/test/Analysis/ftime-trace-no-init.cpp
new file mode 100644
index 0000000000000..db62aa8a56ed7
--- /dev/null
+++ b/clang/test/Analysis/ftime-trace-no-init.cpp
@@ -0,0 +1,5 @@
+// RUN: %clang --analyze %s -ftime-trace -Xclang -verify
+// expected-no-diagnostics
+
+// GitHub issue 139779
+struct {} a; // no-crash

``````````

</details>


https://github.com/llvm/llvm-project/pull/139820
