[clang] [clang][analyzer] Fix a nullptr dereference when -ftime-trace is used (Reland) (PR #139980)
Fangyi Zhou via cfe-commits
cfe-commits at lists.llvm.org
Thu May 15 02:24:09 PDT 2025
================
@@ -101,9 +101,17 @@ class SymbolConjured : public SymbolData {
// It might return null.
const Stmt *getStmt() const {
+ if (const auto *Parent = Elem.getParent()) {
+ // Sometimes the CFG element is invalid, avoid dereferencing it.
+ if (Elem.getIndexInBlock() >= Parent->size())
+ return nullptr;
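Review bot: the bounds check `if (Elem.getIndexInBlock() >= Parent->size()) return nullptr;` converts an invalid CFGElementRef into a silent null result, which hides the construction path that produced the out-of-range index; the comment `// Sometimes the CFG element is invalid` should name the known trigger (the thread below points at the statement index still being at its initial value of 0 when the CFG has no elements) so that a later change can replace this guard with a fix at the source, and callers of getStmt() should be checked to confirm they all already handle the documented "might return null" case.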
----------------
fangyi-zhou wrote:
> My argument is that the CFG element should be always valid
Unfortunately I don't think this is true. As I mentioned, the CFG contains no elements; therefore, when a value needs to be conjured, an invalid CFG element ref is passed on from the expression engine. I didn't have a way to track down which call is causing the problem, and I agree with you that I don't like this change: it's a band-aid instead of a proper fix.
The invalid CFG ref likely comes from the fact that https://github.com/llvm/llvm-project/blob/4ba8f4e213c97733e3b61e5856b0e85e3d7d6a7f/clang/include/clang/StaticAnalyzer/Core/PathSensitive/ExprEngine.h#L229-L232 will use the current statement index. In a case at initialisation, the value is initialised at 0.
Afaik, the errno checking will try to conjure a symbol, which uses the initial invalid CFG element. I can't immediately pinpoint where that happens or if there are better ways to fix. Let me know what you think.
https://github.com/llvm/llvm-project/pull/139980