[clang] [clang][analyzer] fix crash when modelling 'getline' function in checkers (PR #145229)
Balazs Benics via cfe-commits
cfe-commits at lists.llvm.org
Tue Jun 24 07:10:00 PDT 2025
================
@@ -1518,14 +1518,18 @@ void MallocChecker::checkGetdelim(ProgramStateRef State, const CallEvent &Call,
if (!CE)
return;
- const auto LinePtr =
- getPointeeVal(Call.getArgSVal(0), State)->getAs<DefinedSVal>();
- const auto Size =
- getPointeeVal(Call.getArgSVal(1), State)->getAs<DefinedSVal>();
- if (!LinePtr || !Size || !LinePtr->getAsRegion())
+ const auto LinePtrOpt = getPointeeVal(Call.getArgSVal(0), State);
+ const auto SizeOpt = getPointeeVal(Call.getArgSVal(1), State);
+ if (!LinePtrOpt || !SizeOpt)
return;
- State = setDynamicExtent(State, LinePtr->getAsRegion(), *Size);
+ const auto LinePtr = LinePtrOpt->getAs<DefinedSVal>();
+ const auto Size = SizeOpt->getAs<DefinedSVal>();
+ const MemRegion *LinePtrReg = LinePtr->getAsRegion();
+ if (!LinePtr || !Size || !LinePtrReg)
+ return;
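Review bot: on the line `const MemRegion *LinePtrReg = LinePtr->getAsRegion();` the optional returned by `getAs<DefinedSVal>()` is dereferenced before the `if (!LinePtr || !Size || !LinePtrReg)` check runs, so the null-dereference this patch sets out to avoid is still possible whenever `LinePtrOpt` holds a value that is not a `DefinedSVal`; the earlier `if (!LinePtrOpt || !SizeOpt)` only establishes that `getPointeeVal` returned something, not that it is defined. Compute `LinePtrReg` only after `LinePtr` and `Size` have been checked, e.g. `if (!LinePtr || !Size) return; const MemRegion *LinePtrReg = LinePtr->getAsRegion(); if (!LinePtrReg) return;`, or check `isUnknownOrUndef()` on the raw `SVal`s up front so the later `getAs<DefinedSVal>()` is guaranteed to succeed.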
----------------
steakhal wrote:
`LinePtr->getAsRegion()` unconditionally dereferences `LinePtr` before it's checked.
BTW you could assume that these DefinedSVals are present if you had checked `isUnknownOrUndef()` in the previous `if`. An `SVal` is-a `DefinedSVal` if and only if the SVal is not `isUnknownOrUndef()`.
Alternatively, we can always just use a `dyn_cast_or_null<DefinedSVal>(getPointeeVal(...))`.
https://github.com/llvm/llvm-project/pull/145229