From: Ted Kremenek Date: Wed, 7 Apr 2010 00:46:49 +0000 (+0000) Subject: Fix crash in StoreManager::CastRegion() when the base region is a type with 0 size. X-Git-Url: https://granicus.if.org/sourcecode?a=commitdiff_plain;h=974d97b251aaf5a735af83367cd3a930f3eb4333;p=clang Fix crash in StoreManager::CastRegion() when the base region is a type with 0 size. git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@100594 91177308-0d34-0410-b5e6-96231b3b80d8
---
diff --git a/lib/Checker/Store.cpp b/lib/Checker/Store.cpp
index e524cb3d7c..80b6586b8b 100644
--- a/lib/Checker/Store.cpp
+++ b/lib/Checker/Store.cpp
@@ -170,13 +170,14 @@ const MemRegion *StoreManager::CastRegion(const MemRegion *R, QualType CastToTy)
     if (IsCompleteType(Ctx, PointeeTy)) {
       // Compute the size in **bytes**.
       CharUnits pointeeTySize = Ctx.getTypeSizeInChars(PointeeTy);
-
-      // Is the offset a multiple of the size? If so, we can layer the
-      // ElementRegion (with elementType == PointeeTy) directly on top of
-      // the base region.
-      if (off % pointeeTySize == 0) {
-        newIndex = off / pointeeTySize;
-        newSuperR = baseR;
+      if (!pointeeTySize.isZero()) {
+        // Is the offset a multiple of the size? If so, we can layer the
+        // ElementRegion (with elementType == PointeeTy) directly on top of
+        // the base region.
+        if (off % pointeeTySize == 0) {
+          newIndex = off / pointeeTySize;
+          newSuperR = baseR;
+        }
       }
     }
diff --git a/test/Analysis/misc-ps-region-store.m b/test/Analysis/misc-ps-region-store.m
index 0e305bf1df..3f64a085c8 100644
--- a/test/Analysis/misc-ps-region-store.m
+++ b/test/Analysis/misc-ps-region-store.m
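Review bot: The new `isZero()` guard says nothing about why a type that already passed `IsCompleteType` can still have size 0, so a later cleanup could fold it away and reintroduce the division by zero in `off % pointeeTySize`; I'd put a comment above it: `// A complete type can still be zero-sized (e.g. the GNU zero-length array 'T[0]' from PR6036); skip the layering rather than divide by zero in the modulo below.` Since the guard exists only to protect that modulo, it can also be merged into the existing condition, `if (!pointeeTySize.isZero() && off % pointeeTySize == 0) {`, which keeps the original comment where it was and avoids the extra nesting level. What CastRegion does when `newSuperR` is left unset on this path is outside the hunk, so the fall-back behaviour for zero-sized pointees cannot be confirmed from here; the function starts before and continues after the hunk.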
@@ -976,3 +976,11 @@ void rdar7817800_qux(void*);
 }
 @end
+// PR 6036 - This test case triggered a crash inside StoreManager::CastRegion because the size
+// of 'unsigned long (*)[0]' is 0.
+struct pr6036_a { int pr6036_b; };
+struct pr6036_c;
+void u132monitk (struct pr6036_c *pr6036_d) {
+  (void) ((struct pr6036_a *) (unsigned long (*)[0]) ((char *) pr6036_d - 1))->pr6036_b; // expected-warning{{Casting a non-structure type to a structure type and accessing a field can lead to memory access errors or data corruption}}
+}
+
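Review bot: The comment on the new test misattributes the zero size: a pointer type such as `unsigned long (*)[0]` has the ordinary pointer size, and it is the pointee array type `unsigned long [0]` whose size is 0, which is the value the Store.cpp hunk computes with `getTypeSizeInChars(PointeeTy)`. I'd make the second comment line read `// of the pointee type 'unsigned long [0]' (a GNU zero-length array) is 0, so CastRegion must not divide by it.` The test also relies on the zero-length-array extension being accepted; the RUN line and its flags are outside this hunk, so whether the file is compiled in a mode that diagnoses `[0]` cannot be checked here. The function `u132monitk` lies entirely within the hunk.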