[clang] [analyzer] StdVariantChecker: fix crash when argument to `std::get` is `UnknownVal` (PR #167341)
via cfe-commits
cfe-commits at lists.llvm.org
Mon Nov 10 08:54:46 PST 2025
llvmbot wrote:
<!--LLVM PR SUMMARY COMMENT-->
@llvm/pr-subscribers-clang
Author: None (guillem-bartrina-sonarsource)
<details>
<summary>Changes</summary>
Although very unusual, the SVal of the argument is not checked for UnknownVal, so we may get a null pointer dereference.
---
Full diff: https://github.com/llvm/llvm-project/pull/167341.diff
2 Files Affected:
- (modified) clang/lib/StaticAnalyzer/Checkers/StdVariantChecker.cpp (+6-4)
- (modified) clang/test/Analysis/std-variant-checker.cpp (+12-1)
``````````diff
diff --git a/clang/lib/StaticAnalyzer/Checkers/StdVariantChecker.cpp b/clang/lib/StaticAnalyzer/Checkers/StdVariantChecker.cpp
index db8bbee8761d5..805f64f4804cf 100644
--- a/clang/lib/StaticAnalyzer/Checkers/StdVariantChecker.cpp
+++ b/clang/lib/StaticAnalyzer/Checkers/StdVariantChecker.cpp
@@ -219,10 +219,12 @@ class StdVariantChecker : public Checker<eval::Call, check::RegionChanges> {
bool handleStdGetCall(const CallEvent &Call, CheckerContext &C) const {
ProgramStateRef State = C.getState();
- const auto &ArgType = Call.getArgSVal(0)
- .getType(C.getASTContext())
- ->getPointeeType()
- .getTypePtr();
+ SVal ArgSVal = Call.getArgSVal(0);
+ if (ArgSVal.isUnknown())
+ return false;
+
+ const auto &ArgType =
+ ArgSVal.getType(C.getASTContext())->getPointeeType().getTypePtr();
// We have to make sure that the argument is an std::variant.
// There is another std::get with std::pair argument
if (!isStdVariant(ArgType))
diff --git a/clang/test/Analysis/std-variant-checker.cpp b/clang/test/Analysis/std-variant-checker.cpp
index 7f136c06b19cc..fbb69327e1de5 100644
--- a/clang/test/Analysis/std-variant-checker.cpp
+++ b/clang/test/Analysis/std-variant-checker.cpp
@@ -355,4 +355,15 @@ void nonInlineFunctionCallPtr() {
char c = std::get<char> (v); // no-warning
(void)a;
(void)c;
-}
\ No newline at end of file
+}
+
+// ----------------------------------------------------------------------------//
+// Misc
+// ----------------------------------------------------------------------------//
+
+using uintptr_t = unsigned long long;
+
+void unknownVal() {
+ // force the argument to be UnknownVal
+ (void)std::get<int>(*(std::variant<int, float>*)(uintptr_t)3.14f); // no crash
+}
``````````
</details>
https://github.com/llvm/llvm-project/pull/167341
More information about the cfe-commits
mailing list