================ @@ -1518,14 +1518,19 @@ void MallocChecker::checkGetdelim(ProgramStateRef State, const CallEvent &Call, if (!CE) return; - const auto LinePtr = - getPointeeVal(Call.getArgSVal(0), State)->getAs<DefinedSVal>(); - const auto Size = - getPointeeVal(Call.getArgSVal(1), State)->getAs<DefinedSVal>(); - if (!LinePtr || !Size || !LinePtr->getAsRegion()) + const auto LinePtrOpt = getPointeeVal(Call.getArgSVal(0), State); + const auto SizeOpt = getPointeeVal(Call.getArgSVal(1), State); + if (!LinePtrOpt || !SizeOpt || LinePtrOpt->isUnknownOrUndef() || + SizeOpt->isUnknownOrUndef()) ---------------- vbvictor wrote:
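Review bot: In the new guard in `checkGetdelim`, the old condition's `!LinePtr->getAsRegion()` test has no visible replacement. `isUnknownOrUndef()` rejects unknown and undefined values, but a defined value with no backing region (for example a null `*lineptr`) still passes it. The hunk is cut off after the condition, so if the lines that follow do not re-check the region after converting with `getAs<DefinedSVal>()`, keep that test in this condition. A short comment that `getPointeeVal` returns `std::nullopt` when the argument value has no region would also explain why the optionals are tested before they are dereferenced.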
Looking at `CallEvent::getArgSVal` we have `Call::getArgExpr()` that may return `nullptr` if there is no argument.

```cpp
SVal CallEvent::getArgSVal(unsigned Index) const {
  const Expr *ArgE = getArgExpr(Index);
  if (!ArgE)
    return UnknownVal();
  return getSVal(ArgE);
}
```

`getPointee` would accept it and return `std::nullopt`:

```cpp
std::optional<SVal> getPointeeVal(SVal PtrSVal, ProgramStateRef State) {
  if (const auto *Ptr = PtrSVal.getAsRegion()) {
    return State->getSVal(Ptr);
  }
  return std::nullopt;
}
```

In outer code, we called `Call.getArgExpr()` directly and passed potential `nullptr`'s into `EnsurePtrNotNull` and `EnsureGetdelimBufferAndSizeCorrect` methods that don't have handling of `nullptr`.

Another approach would be to remove `Call.getNumArgs() < 2` and add null handling in `Ensure-` method family.

https://github.com/llvm/llvm-project/pull/145229
_______________________________________________
cfe-commits mailing list
cfe-commits@lists.llvm.org
https://lists.llvm.org/cgi-bin/mailman/listinfo/cfe-commits