[analyzer] InnerPointerChecker: Fix a segfault when checking symbolic strings.
authorArtem Dergachev <artem.dergachev@gmail.com>
Thu, 30 Aug 2018 18:45:05 +0000 (18:45 +0000)
committerArtem Dergachev <artem.dergachev@gmail.com>
Thu, 30 Aug 2018 18:45:05 +0000 (18:45 +0000)
Return value of dyn_cast_or_null should be checked before use.
Otherwise we may put a null pointer into the map as a key and eventually
crash in checkDeadSymbols.

Differential Revision: https://reviews.llvm.org/D51385

git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@341092 91177308-0d34-0410-b5e6-96231b3b80d8

lib/StaticAnalyzer/Checkers/InnerPointerChecker.cpp
test/Analysis/inner-pointer.cpp

index 91805e40a3dbdff051fc5f4dbe86ff4314c1380a..b3638d0b9cfcf91a4cd1c32a6dc3d0b661a6eb32 100644 (file)
@@ -211,8 +211,11 @@ void InnerPointerChecker::checkPostCall(const CallEvent &Call,
   ProgramStateRef State = C.getState();
 
   if (const auto *ICall = dyn_cast<CXXInstanceCall>(&Call)) {
+    // TODO: Do we need these to be typed?
     const auto *ObjRegion = dyn_cast_or_null<TypedValueRegion>(
         ICall->getCXXThisVal().getAsRegion());
+    if (!ObjRegion)
+      return;
 
     if (Call.isCalled(CStrFn) || Call.isCalled(DataFn)) {
       SVal RawPtr = Call.getReturnValue();
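Review bot: The added `if (!ObjRegion) return;` exits checkPostCall as a whole, not just the `if (const auto *ICall ...)` block, and checkPostCall starts before and continues past this hunk; if the code after that block handles calls independently of whether they are instance calls, that handling is now skipped for every instance call whose `this` region is not a TypedValueRegion, which is a wider behaviour change than the null-map-key fix the description names. If that fall-through is still wanted, the guard can be kept local to the users of ObjRegion instead, e.g. `if (ObjRegion && (Call.isCalled(CStrFn) || Call.isCalled(DataFn))) {` and the same prefix on the later use in the block. The new `// TODO: Do we need these to be typed?` is also easier to act on if it records what the alternative would be, e.g. `// TODO: could RawPtrMap be keyed by a plain MemRegion rather than a TypedValueRegion?`.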
index 950270b29629baa569f382dc883d68c58fe32a6b..f8f6c11baef7db76b8ef22a63fcb8b38d436f6a6 100644 (file)
@@ -424,3 +424,7 @@ void no_CXXRecordDecl() {
   *(void **)&b = c() + 1;
   *b = a; // no-crash
 }
+
+void checkReference(std::string &s) {
+  const char *c = s.c_str();
+}
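Review bot: The new regression test `checkReference` does not say what it is guarding against, unlike the preceding test, whose crash site is marked `// no-crash`; since this commit fixes a segfault, the same marker belongs on the call, `const char *c = s.c_str(); // no-crash`, so a reader does not take the otherwise unused `c` for a leftover. The RUN line and flags for this file are outside the hunk, so whether the unused variable draws a warning cannot be told from here.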