[clang] [clang][analyzer] Fix a nullptr dereference when -ftime-trace is used (Reland) (PR #139980)
Balazs Benics via cfe-commits
cfe-commits at lists.llvm.org
Thu May 15 05:12:51 PDT 2025
================
@@ -101,9 +101,17 @@ class SymbolConjured : public SymbolData {
// It might return null.
const Stmt *getStmt() const {
+ if (const auto *Parent = Elem.getParent()) {
+ // Sometimes the CFG element is invalid, avoid dereferencing it.
+ if (Elem.getIndexInBlock() >= Parent->size())
+ return nullptr;
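Review bot: The comment "Sometimes the CFG element is invalid" does not say what makes it invalid; per the discussion below the index comes from a stale `currStmtIdx` captured before any CFG element has been processed, so the comment should state that (e.g. "The index may be stale when a symbol is conjured before the first CFG element is processed, so bounds-check it against the parent block"). Since this is a reland of a nullptr-dereference fix, the hunk should also be accompanied by a regression test that runs the analyzer with `-ftime-trace` on a function that conjures a symbol at function entry, so the crash cannot silently return.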
----------------
steakhal wrote:
It's `ErrnoModeling::checkBeginFunction()` that conjures for the value of errno at the very beginning of the analysis, when we enter the top-level function. That calls `ExprEngine::getCFGElementRef`, and that is where we get a nullptr block ptr and also the place where we take the now _stale_ `currStmtIdx` value.
Now that I grepped for it, it seems like we set `currStmtIdx` only at a single place: `ExprEngine::processCFGElement`. This also makes sense.
It seems like `processCFGElement` is called from `CoreEngine::HandleBlockEntrance` from `CoreEngine::dispatchWorkItem`.
The hunk you linked with the definition of `getCFGElementRef` makes me think that the invalid CFGElement is denoted by the NULL blockPtr. Consequently, what we should do in our dump function is to first check if this CFG element is valid by checking the blockPtr against null, and not look at the `getIndexInBlock`.
https://github.com/llvm/llvm-project/pull/139980