[clang] [clang][dataflow] Fix crash on base-to-derived cast of unmodeled pointer value. (PR #179060)

Artem Dergachev via cfe-commits Sat, 31 Jan 2026 10:40:31 -0800

https://github.com/haoNoQ created 
https://github.com/llvm/llvm-project/pull/179060


Some values aren't modeled yet and that's ok.

Conjure a value in case we need it later.

>From 8c03581691e90eef4d9879a3b168bda891c2e1af Mon Sep 17 00:00:00 2001
From: Artem Dergachev <[email protected]>
Date: Sat, 31 Jan 2026 13:14:18 -0500
Subject: [PATCH] [clang][dataflow] Fix crash on base-to-derived cast of
 unmodeled pointer value.

Some values aren't modeled yet and that's ok.

Conjure a value in case we need it later.
---
 clang/lib/Analysis/FlowSensitive/Transfer.cpp |  4 +--
 .../Analysis/FlowSensitive/TransferTest.cpp   | 27 +++++++++++++++++++
 2 files changed, 29 insertions(+), 2 deletions(-)

diff --git a/clang/lib/Analysis/FlowSensitive/Transfer.cpp 
b/clang/lib/Analysis/FlowSensitive/Transfer.cpp
index 51cc1f9bc26ab..29b07848841ad 100644
--- a/clang/lib/Analysis/FlowSensitive/Transfer.cpp
+++ b/clang/lib/Analysis/FlowSensitive/Transfer.cpp
@@ -328,9 +328,9 @@ class TransferVisitor : public 
ConstStmtVisitor<TransferVisitor> {
       RecordStorageLocation *Loc = nullptr;
       if (S->getType()->isPointerType()) {
         auto *PV = Env.get<PointerValue>(*SubExpr);
-        assert(PV != nullptr);
         if (PV == nullptr)
-          break;
+          PV = cast<PointerValue>(Env.createValue(S->getType()));
+
         Loc = cast<RecordStorageLocation>(&PV->getPointeeLoc());
       } else {
         assert(S->getType()->isRecordType());
diff --git a/clang/unittests/Analysis/FlowSensitive/TransferTest.cpp 
b/clang/unittests/Analysis/FlowSensitive/TransferTest.cpp
index e528ca2221ad1..142beb2f150ba 100644
--- a/clang/unittests/Analysis/FlowSensitive/TransferTest.cpp
+++ b/clang/unittests/Analysis/FlowSensitive/TransferTest.cpp
@@ -3786,6 +3786,33 @@ TEST(TransferTest, StaticCastBaseToDerived) {
       });
 }
 
+TEST(TransferTest, StaticCastBaseToDerivedUnknown) {
+  std::string Code = R"(
+    struct Base {};
+    struct Derived: Base {};
+
+    Base *unknown();
+    void target() {
+      Derived *DPtr = static_cast<Derived *>(unknown());
+      // [[p]]
+    }
+  )";
+  runDataflow(
+      Code,
+      [](const llvm::StringMap<DataflowAnalysisState<NoopLattice>> &Results,
+         ASTContext &ASTCtx) {
+        ASSERT_THAT(Results.keys(), UnorderedElementsAre("p"));
+        const Environment &Env = getEnvironmentAtAnnotation(Results, "p");
+
+        const ValueDecl *DPtrDecl = findValueDecl(ASTCtx, "DPtr");
+        ASSERT_THAT(DPtrDecl, NotNull());
+
+        const auto *DPtrVal =
+            dyn_cast_or_null<PointerValue>(Env.getValue(*DPtrDecl));
+        EXPECT_THAT(DPtrVal, NotNull());
+      });
+}
+
 TEST(TransferTest, MultipleConstructionsFromStaticCastsBaseToDerived) {
   std::string Code = R"cc(
  struct Base {};

_______________________________________________
cfe-commits mailing list
[email protected]
https://lists.llvm.org/cgi-bin/mailman/listinfo/cfe-commits

[clang] [clang][dataflow] Fix crash on base-to-derived cast of unmodeled pointer value. (PR #179060)

Reply via email to