[clang] 440e510 - [clang][analyzer] Fix a nullptr dereference when `-ftime-trace` is used (#139820)

via cfe-commits cfe-commits at lists.llvm.org
Wed May 14 07:36:01 PDT 2025 

Author: Fangyi Zhou
Date: 2025-05-14T16:35:57+02:00
New Revision: 440e510b896be2ef4a4f0730b8201378beee55b3

URL: https://github.com/llvm/llvm-project/commit/440e510b896be2ef4a4f0730b8201378beee55b3
DIFF: https://github.com/llvm/llvm-project/commit/440e510b896be2ef4a4f0730b8201378beee55b3.diff

LOG: [clang][analyzer] Fix a nullptr dereference when `-ftime-trace` is used (#139820)

Fixes #139779.

The bug was introduced in #137355 in `SymbolConjured::getStmt`, when
trying to obtain a statement for a CFG initializer without an
initializer. This commit adds a null check before access.

Added: 
    clang/test/Analysis/ftime-trace-no-init.cpp

Modified: 
    clang/include/clang/StaticAnalyzer/Core/PathSensitive/SymbolManager.h

Removed: 
    


################################################################################
diff  --git a/clang/include/clang/StaticAnalyzer/Core/PathSensitive/SymbolManager.h b/clang/include/clang/StaticAnalyzer/Core/PathSensitive/SymbolManager.h
index 9e7c98fdded17..2e06e71f7be5f 100644
--- a/clang/include/clang/StaticAnalyzer/Core/PathSensitive/SymbolManager.h
+++ b/clang/include/clang/StaticAnalyzer/Core/PathSensitive/SymbolManager.h
@@ -103,7 +103,10 @@ class SymbolConjured : public SymbolData {
   const Stmt *getStmt() const {
     switch (Elem->getKind()) {
     case CFGElement::Initializer:
-      return Elem->castAs<CFGInitializer>().getInitializer()->getInit();
+      if (const auto *Init = Elem->castAs<CFGInitializer>().getInitializer()) {
+        return Init->getInit();
+      }
+      return nullptr;
     case CFGElement::ScopeBegin:
       return Elem->castAs<CFGScopeBegin>().getTriggerStmt();
     case CFGElement::ScopeEnd:

diff  --git a/clang/test/Analysis/ftime-trace-no-init.cpp b/clang/test/Analysis/ftime-trace-no-init.cpp
new file mode 100644
index 0000000000000..7fb289b19da78
--- /dev/null
+++ b/clang/test/Analysis/ftime-trace-no-init.cpp
@@ -0,0 +1,5 @@
+// RUN: %clang_analyze_cc1 -analyzer-checker=core,apiModeling %s -ftime-trace=%t.raw.json -verify
+// expected-no-diagnostics
+
+// GitHub issue 139779
+struct {} a; // no-crash

More information about the cfe-commits mailing list