[clang] [analyzer] Fix crash when modelling 'getline' function in checkers (PR #145229)
Baranov Victor via cfe-commits
cfe-commits at lists.llvm.org
Tue Jun 24 10:50:28 PDT 2025
================
@@ -1518,14 +1518,19 @@ void MallocChecker::checkGetdelim(ProgramStateRef State, const CallEvent &Call,
if (!CE)
return;
- const auto LinePtr =
- getPointeeVal(Call.getArgSVal(0), State)->getAs<DefinedSVal>();
- const auto Size =
- getPointeeVal(Call.getArgSVal(1), State)->getAs<DefinedSVal>();
- if (!LinePtr || !Size || !LinePtr->getAsRegion())
+ const auto LinePtrOpt = getPointeeVal(Call.getArgSVal(0), State);
+ const auto SizeOpt = getPointeeVal(Call.getArgSVal(1), State);
+ if (!LinePtrOpt || !SizeOpt || LinePtrOpt->isUnknownOrUndef() ||
+ SizeOpt->isUnknownOrUndef())
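Review bot: the pre-patch condition also returned early when `LinePtr->getAsRegion()` was null, and that check is gone from the new `if` shown here; since the hunk is cut off right after the condition, confirm that the lines that follow still reject a line pointer with no region before anything calls `getAsRegion()` on it, or restore `!LinePtrOpt->getAsRegion()` in the condition. The optional-first ordering itself is correct: the old `getPointeeVal(...)->getAs<DefinedSVal>()` dereferenced the `std::optional<SVal>` before testing it, which is exactly the crash whenever `getPointeeVal` returned `std::nullopt`.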
----------------
vbvictor wrote:
Looking at `CallEvent::getArgSVal` we have `Call::getArgExpr()` that may return `nullptr` if there is no argument.
```cpp
SVal CallEvent::getArgSVal(unsigned Index) const {
  const Expr *ArgE = getArgExpr(Index);
  if (!ArgE)
    return UnknownVal();
  return getSVal(ArgE);
}
```
`getPointeeVal` would accept it and return `std::nullopt`:
```cpp
std::optional<SVal> getPointeeVal(SVal PtrSVal, ProgramStateRef State) {
  if (const auto *Ptr = PtrSVal.getAsRegion()) {
    return State->getSVal(Ptr);
  }
  return std::nullopt;
}
```
In outer code, we called `Call.getArgExpr()` directly and passed potential `nullptr`s into `EnsurePtrNotNull` and `EnsureGetdelimBufferAndSizeCorrect` methods that don't have handling of `nullptr`.
Another approach would be to remove `Call.getNumArgs() < 2` and add null handling in `Ensure-` method family.
https://github.com/llvm/llvm-project/pull/145229
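To make the failure path in the comment above concrete, here is an added example (not LLVM code, and not from the PR) that models the `getArgSVal` -> `getPointeeVal` chain with simplified stand-in types and applies the patched condition; `MemRegion`, `ProgramState`, `CallEvent` and `getdelimShouldBail` are assumptions that only mirror the analyzer's names.

```cpp
// Added example, not LLVM code; the types below are simplified stand-ins.
#include <optional>
#include <utility>
#include <vector>

struct MemRegion { int id; };

// Stand-in for SVal: unknown, undefined, or a defined value that may
// carry a pointee region.
struct SVal {
  enum Kind { Unknown, Undef, Defined } kind = Unknown;
  const MemRegion *region = nullptr;
  bool isUnknownOrUndef() const { return kind != Defined; }
  const MemRegion *getAsRegion() const { return region; }
};

// Stand-in for ProgramState: what each region is currently bound to.
struct ProgramState {
  std::vector<std::pair<const MemRegion *, SVal>> bindings;
  SVal getSVal(const MemRegion *R) const {
    for (const auto &B : bindings)
      if (B.first == R) return B.second;
    return SVal{SVal::Unknown}; // unbound region: unknown value
  }
};

// Same shape as the quoted getPointeeVal: no region -> std::nullopt.
std::optional<SVal> getPointeeVal(SVal PtrSVal, const ProgramState &State) {
  if (const MemRegion *Ptr = PtrSVal.getAsRegion())
    return State.getSVal(Ptr);
  return std::nullopt;
}

// Stand-in for CallEvent: a missing argument yields UnknownVal, as in
// the quoted CallEvent::getArgSVal.
struct CallEvent {
  std::vector<SVal> args;
  SVal getArgSVal(unsigned Index) const {
    return Index < args.size() ? args[Index] : SVal{SVal::Unknown};
  }
};

// The patched condition. Pre-patch code dereferenced the optional with
// getPointeeVal(...)->getAs<DefinedSVal>() before checking it, which is
// undefined behaviour when getPointeeVal returned std::nullopt.
bool getdelimShouldBail(const CallEvent &Call, const ProgramState &State) {
  const auto LinePtrOpt = getPointeeVal(Call.getArgSVal(0), State);
  const auto SizeOpt = getPointeeVal(Call.getArgSVal(1), State);
  return !LinePtrOpt || !SizeOpt || LinePtrOpt->isUnknownOrUndef() ||
         SizeOpt->isUnknownOrUndef();
}
```

A call with fewer than two arguments, an argument whose region is unbound in the state, or a pointee that is undefined all make `getdelimShouldBail` return true without ever dereferencing an empty optional.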