NoQ created this revision.
NoQ added reviewers: dcoughlin, xazax.hun, a.sidorin, george.karpenkov, szepet, 
rnkovacs.
Herald added subscribers: cfe-commits, Szelethus, mikhail.ramalho, 
baloghadamsoftware.

Return value of `dyn_cast_or_null` should be checked before use. Otherwise we 
may put a null pointer into the map as a key and eventually crash in 
`checkDeadSymbols`.

Reka: Why did we restrict ourselves to `TypedValueRegion`s here? While we are 
mostly interested in local string variables and temporaries, which would of 
course be typed, I guess there's nothing that prevents us from checking that we 
don't `delete` or mutate a string in a `SymbolicRegion` somewhere between 
obtaining and using its inner pointer.


Repository:
  rC Clang

https://reviews.llvm.org/D51385

Files:
  lib/StaticAnalyzer/Checkers/InnerPointerChecker.cpp
  test/Analysis/inner-pointer.cpp


Index: test/Analysis/inner-pointer.cpp
===================================================================
--- test/Analysis/inner-pointer.cpp
+++ test/Analysis/inner-pointer.cpp
@@ -424,3 +424,7 @@
   *(void **)&b = c() + 1;
   *b = a; // no-crash
 }
+
+void checkReference(std::string &s) {
+  const char *c = s.c_str();
+}
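Review bot: the new `checkReference` test carries no annotation saying what it is meant to verify; the file's convention (see `*b = a; // no-crash` just above) is to mark crash regressions explicitly, so `const char *c = s.c_str(); // no-crash` would state the intent and keep the unused `c` from reading as an oversight. Since the guard in the checker hunk covers the `Call.isCalled(DataFn)` path as well, a sibling line calling `s.data()` on the same reference would exercise that branch of the same guard.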
Index: lib/StaticAnalyzer/Checkers/InnerPointerChecker.cpp
===================================================================
--- lib/StaticAnalyzer/Checkers/InnerPointerChecker.cpp
+++ lib/StaticAnalyzer/Checkers/InnerPointerChecker.cpp
@@ -213,6 +213,8 @@
   if (const auto *ICall = dyn_cast<CXXInstanceCall>(&Call)) {
     const auto *ObjRegion = dyn_cast_or_null<TypedValueRegion>(
         ICall->getCXXThisVal().getAsRegion());
+    if (!ObjRegion)
+      return;
 
     if (Call.isCalled(CStrFn) || Call.isCalled(DataFn)) {
       SVal RawPtr = Call.getReturnValue();
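Review bot: the early `return` leaves the whole `CXXInstanceCall` block, not only the `c_str`/`data` branch that actually dereferences `ObjRegion`, so any handling further down in this block that does not depend on the region is skipped too whenever `this` is not a `TypedValueRegion` (as for the reference parameter in the added test, whose pointee is a symbolic rather than a typed-value region). If there is such handling, move the null check to the point of first use inside the branch that needs it; either way, a one-line comment stating that such objects are deliberately left untracked would document the restriction that the summary itself questions.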


_______________________________________________
cfe-commits mailing list
cfe-commits@lists.llvm.org
http://lists.llvm.org/cgi-bin/mailman/listinfo/cfe-commits
