From: Artem Dergachev
Date: Mon, 12 Jun 2017 17:59:50 +0000 (+0000)
Subject: [analyzer] Fix a crash when an ObjC object is constructed in AllocaRegion.
X-Git-Url: https://granicus.if.org/sourcecode?a=commitdiff_plain;h=2b3c4c91a113a8658285c8fd68c296e22df255f0;p=clang

[analyzer] Fix a crash when an ObjC object is constructed in AllocaRegion.

Memory region allocated by alloca() carries no implicit type information. Don't crash when resolving the init message for an Objective-C object that is being constructed in such region.

rdar://problem/32517077

Differential Revision: https://reviews.llvm.org/D33828

git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@305211 91177308-0d34-0410-b5e6-96231b3b80d8
---
diff --git a/lib/StaticAnalyzer/Core/CallEvent.cpp b/lib/StaticAnalyzer/Core/CallEvent.cpp
index ee761689f4..1858bfd896 100644
--- a/lib/StaticAnalyzer/Core/CallEvent.cpp
+++ b/lib/StaticAnalyzer/Core/CallEvent.cpp
@@ -957,6 +957,12 @@ RuntimeDefinition ObjCMethodCall::getRuntimeDefinition() const {
 return RuntimeDefinition();
 DynamicTypeInfo DTI = getDynamicTypeInfo(getState(), Receiver);
+ if (!DTI.isValid()) {
+ assert(isa(Receiver) &&
+ "Unhandled untyped region class!");
+ return RuntimeDefinition();
+ }
+
 QualType DynType = DTI.getType();
 CanBeSubClassed = DTI.canBeASubClass();
 ReceiverT = dyn_cast(DynType.getCanonicalType());
diff --git a/test/Analysis/DynamicTypePropagation.m b/test/Analysis/DynamicTypePropagation.m
index 25a0ae35fd..63904b8425 100644
--- a/test/Analysis/DynamicTypePropagation.m
+++ b/test/Analysis/DynamicTypePropagation.m
@@ -4,6 +4,9 @@
 # error Compiler does not support Objective-C generics?
 #endif
+typedef __typeof(sizeof(int)) size_t;
+void *memset(void *, int, size_t);
+
 #define nil 0
 typedef unsigned long NSUInteger;
 typedef int BOOL;
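Review bot: The new `assert(isa(Receiver) && "Unhandled untyped region class!")` (the template argument appears stripped on this page; the commit title suggests it names the alloca region class) is compiled out under NDEBUG, so in release builds any receiver whose `getDynamicTypeInfo` result is invalid silently takes the same `return RuntimeDefinition();` path regardless of region class. That is the conservative outcome and looks intended, but the block says nothing about why an empty definition is the right answer here; a short comment would keep a later maintainer from "improving" it into a crash on a new untyped region kind: `// No dynamic type information for the receiver (e.g. memory from alloca() carries no type): treat the method as unresolvable rather than guessing a class.` The enclosing `ObjCMethodCall::getRuntimeDefinition` starts and ends outside this hunk, so whether earlier checks already exclude other untyped receivers cannot be confirmed from here.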
@@ -21,6 +24,7 @@ __attribute__((objc_root_class))
 @end
 @interface NSArray : NSObject
+- (void) init;
 - (BOOL)contains:(ObjectType)obj;
 - (ObjectType)getObjAtIndex:(NSUInteger)idx;
 - (ObjectType)objectAtIndexedSubscript:(NSUInteger)idx;
@@ -55,3 +59,11 @@ void testArgument(NSArray *arr, id element) {
 // MyType!
 [element myFunction:0 myParam:0 ];
 }
+
+// Do not try this at home! The analyzer shouldn't crash though when it
+// tries to figure out the dynamic type behind the alloca's return value.
+void testAlloca(size_t NSArrayClassSizeWeKnowSomehow) {
+ NSArray *arr = __builtin_alloca(NSArrayClassSizeWeKnowSomehow);
+ memset(arr, 0, NSArrayClassSizeWeKnowSomehow);
+ [arr init]; // no-crash
+}
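Review bot: The added declaration `- (void) init;` is spaced differently from the sibling declarations in the same interface (`- (BOOL)contains:`, `- (ObjectType)getObjAtIndex:`), which all put no space between the return type and the selector; write it as `- (void)init;` to match. Since this stub exists only so that `[arr init]` in the new test resolves to a declared selector, a trailing comment saying so would help, e.g. `- (void)init; // stub for testAlloca; return type is irrelevant to the test`.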
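Review bot: The comment above `testAlloca` warns the reader off but does not say what the test pins down, so a later cleanup could defeat it by giving `arr` a typed allocation. State the mechanism explicitly, for example replace the two comment lines with: `// Regression test: the receiver of [arr init] lives in a region returned by __builtin_alloca, which carries no dynamic type information. The analyzer must treat the receiver as untyped instead of crashing. This file is only analyzed, never executed.` The `// no-crash` marker on `[arr init]` then stays meaningful without the reader having to recover the intent from the commit message.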