[clang] [analyzer] CStringChecker: fix crash in `CheckOverlap` when arguments are not pointers (PR #160511)
via cfe-commits
cfe-commits at lists.llvm.org
Wed Sep 24 05:09:59 PDT 2025
llvmbot wrote:
<!--LLVM PR SUMMARY COMMENT-->
@llvm/pr-subscribers-clang
Author: None (guillem-bartrina-sonarsource)
<details>
<summary>Changes</summary>
https://github.com/llvm/llvm-project/blob/main/clang/lib/StaticAnalyzer/Checkers/CStringChecker.cpp#L675-L678 mistakenly assumes that target expressions are of pointer type. `CheckOverlap` has multiple call sites, most of which do not verify this assumption. Therefore, the simplest solution is to verify it just before that point.
---
Full diff: https://github.com/llvm/llvm-project/pull/160511.diff
2 Files Affected:
- (modified) clang/lib/StaticAnalyzer/Checkers/CStringChecker.cpp (+4)
- (modified) clang/test/Analysis/buffer-overlap.c (+16)
``````````diff
diff --git a/clang/lib/StaticAnalyzer/Checkers/CStringChecker.cpp b/clang/lib/StaticAnalyzer/Checkers/CStringChecker.cpp
index 36f316df0c3ff..0ae784c000f60 100644
--- a/clang/lib/StaticAnalyzer/Checkers/CStringChecker.cpp
+++ b/clang/lib/StaticAnalyzer/Checkers/CStringChecker.cpp
@@ -672,6 +672,10 @@ ProgramStateRef CStringChecker::CheckOverlap(CheckerContext &C,
ProgramStateRef stateTrue, stateFalse;
+ if (!First.Expression->getType()->isAnyPointerType() ||
+ !Second.Expression->getType()->isAnyPointerType())
+ return state;
+
// Assume different address spaces cannot overlap.
if (First.Expression->getType()->getPointeeType().getAddressSpace() !=
Second.Expression->getType()->getPointeeType().getAddressSpace())
diff --git a/clang/test/Analysis/buffer-overlap.c b/clang/test/Analysis/buffer-overlap.c
index 8414a764541e2..f3bd49b8b9ca0 100644
--- a/clang/test/Analysis/buffer-overlap.c
+++ b/clang/test/Analysis/buffer-overlap.c
@@ -96,3 +96,19 @@ void test_snprintf6() {
char b[4] = {0};
snprintf(a, sizeof(a), "%s", b); // no-warning
}
+
+
+void memcpy(int dst, int src, size_t size); // expected-warning{{incompatible redeclaration of library function 'memcpy'}} expected-note{{'memcpy' is a builtin with type 'void *(void *, const void *, __size_t)' (aka 'void *(void *, const void *, unsigned long)')}}
+void test_memcpy_proxy() {
+ memcpy(42, 42, 42);
+}
+
+void strcpy(int dst, char *src); // expected-warning{{incompatible redeclaration of library function 'strcpy'}} expected-note{{'strcpy' is a builtin with type 'char *(char *, const char *)'}}
+void test_strcpy_proxy() {
+ strcpy(42, (char *)42);
+}
+
+void strxfrm(int dst, char *src, size_t size); // expected-warning{{incompatible redeclaration of library function 'strxfrm'}} expected-note{{'strxfrm' is a builtin with type '__size_t (char *, const char *, __size_t)' (aka 'unsigned long (char *, const char *, unsigned long)')}}
+void test_strxfrm_proxy() {
+ strxfrm(42, (char *)42, 42);
+}
``````````
</details>
https://github.com/llvm/llvm-project/pull/160511
More information about the cfe-commits
mailing list