[llvm-branch-commits] [clang] Backport "Fix crash when copying uninitialized data in function named "swap"" (PR #179445)
via llvm-branch-commits
llvm-branch-commits at lists.llvm.org
Tue Feb 3 04:08:17 PST 2026
llvmbot wrote:
@llvm/pr-subscribers-clang
Author: Balázs Benics (steakhal)
<details>
<summary>Changes</summary>
Requested the backport in https://github.com/llvm/llvm-project/pull/178923#issuecomment-3837025990
---
Full diff: https://github.com/llvm/llvm-project/pull/179445.diff
3 Files Affected:
- (modified) clang/docs/ReleaseNotes.rst (+2)
- (modified) clang/lib/StaticAnalyzer/Core/RegionStore.cpp (+1-4)
- (modified) clang/test/Analysis/uninit-vals.cpp (+18)
``````````diff
diff --git a/clang/docs/ReleaseNotes.rst b/clang/docs/ReleaseNotes.rst
index a01339cfb7b57..edefb001cc3b1 100644
--- a/clang/docs/ReleaseNotes.rst
+++ b/clang/docs/ReleaseNotes.rst
@@ -903,6 +903,8 @@ Crash and bug fixes
- The ``core.builtin.BuiltinFunctions`` checker crashed when passing
``_BitInt(N)`` or ``__int128_t`` to ``__builtin_add_overflow`` or similar
checked arithmetic builtin functions. (#GH173795)
+- Fixed a crash introduced in clang-20 when analyzing some "swap" functions.
+ (#GH178797)
Improvements
^^^^^^^^^^^^
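Review bot: the new release-note entry names only the symptom ("analyzing some "swap" functions"); since it sits in the same "Crash and bug fixes" list as a checker-specific entry, consider stating that it is the static analyzer's RegionStore that crashed when binding an undefined value, so readers do not mistake it for a frontend crash. Wording such as "Fixed a static analyzer crash introduced in clang-20 when a "swap" function copies uninitialized data." would also match the PR title.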
diff --git a/clang/lib/StaticAnalyzer/Core/RegionStore.cpp b/clang/lib/StaticAnalyzer/Core/RegionStore.cpp
index 4f4824a3616ce..3bb6247e20612 100644
--- a/clang/lib/StaticAnalyzer/Core/RegionStore.cpp
+++ b/clang/lib/StaticAnalyzer/Core/RegionStore.cpp
@@ -2659,12 +2659,9 @@ RegionStoreManager::bindArray(LimitedRegionBindingsConstRef B,
return bindAggregate(B, R, Init);
}
- if (isa<nonloc::SymbolVal>(Init))
+ if (isa<nonloc::SymbolVal, UnknownVal, UndefinedVal>(Init))
return bindAggregate(B, R, Init);
- if (Init.isUnknown())
- return bindAggregate(B, R, UnknownVal());
-
// Remaining case: explicit compound values.
const nonloc::CompoundVal& CV = Init.castAs<nonloc::CompoundVal>();
nonloc::CompoundVal::iterator VI = CV.begin(), VE = CV.end();
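Review bot: the merged `isa<nonloc::SymbolVal, UnknownVal, UndefinedVal>(Init)` check now passes an `UndefinedVal` straight through to `bindAggregate`, where the old code fell through to `Init.castAs<nonloc::CompoundVal>()` and asserted; that fall-through still exists for every other non-compound kind, so a short comment above the check (or an assertion before the `castAs`) documenting that only compound values are expected past this point would make the remaining invariant explicit. Note also the small behavioural change for the unknown case: `bindAggregate(B, R, UnknownVal())` is replaced by binding `Init` itself, which is equivalent only because `Init` is an `UnknownVal` on that path.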
diff --git a/clang/test/Analysis/uninit-vals.cpp b/clang/test/Analysis/uninit-vals.cpp
index 6ba56f0c4e78b..7775e6a2125d3 100644
--- a/clang/test/Analysis/uninit-vals.cpp
+++ b/clang/test/Analysis/uninit-vals.cpp
@@ -33,3 +33,21 @@ void foo() {
}
}
+namespace gh_178797 {
+struct SpecialBuffer {
+ SpecialBuffer() : src(defaultBuffer), dst(defaultBuffer) {}
+ int* src;
+ int* dst;
+ int defaultBuffer[2];
+};
+// Not really a swap, but we need an assignment assigning UndefinedVal
+// within a "swap" function to trigger this behavior.
+void swap(int& lhs, int& rhs) {
+ lhs = rhs; // no-crash
+ // Not reporting copying uninitialized data because that is explicitly suppressed in the checker.
+}
+void entry_point() {
+ SpecialBuffer special;
+ swap(*special.dst, *++special.src);
+}
+} // namespace gh_178797
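Review bot: the `// no-crash` marker in `swap` only documents that the analyzer must not assert here; nothing in this hunk checks the analyzer's actual result, so it would help to say which `-verify` setting or RUN line in `uninit-vals.cpp` covers this namespace (e.g. whether the file expects no diagnostics), and to spell out in the comment that the write targets `*special.dst`, i.e. `defaultBuffer[0]`, with an uninitialized `defaultBuffer[1]` as the source, which is the combination that reaches the fixed code path. The comment that the function name "swap" is load-bearing for the checker's suppression is useful; keep it, since renaming the function would silently stop exercising the crash.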
``````````
</details>
https://github.com/llvm/llvm-project/pull/179445