Author: Arseniy Zaostrovnykh Date: 2024-08-29T21:59:03+02:00 New Revision: 0141a3cde4d8f2c8ff9e957f981f37e65a69a325
URL: https://github.com/llvm/llvm-project/commit/0141a3cde4d8f2c8ff9e957f981f37e65a69a325 DIFF: https://github.com/llvm/llvm-project/commit/0141a3cde4d8f2c8ff9e957f981f37e65a69a325.diff LOG: [analyzer] Fix nullptr dereference for symbols from pointer invalidation (#106568) As reported in https://github.com/llvm/llvm-project/pull/105648#issuecomment-2317144635 commit 08ad8dc7154bf3ab79f750e6d5fb7df597c7601a introduced a nullptr dereference in the case when store contains a binding to a symbol that has no origin region associated with it, such as the symbol generated when a pointer is passed to an opaque function. Added: Modified: clang/lib/StaticAnalyzer/Checkers/StackAddrEscapeChecker.cpp clang/test/Analysis/stack-addr-ps.c Removed: ################################################################################
diff --git a/clang/lib/StaticAnalyzer/Checkers/StackAddrEscapeChecker.cpp b/clang/lib/StaticAnalyzer/Checkers/StackAddrEscapeChecker.cpp
index 20232405d572d2..ec577c36188e6c 100644
--- a/clang/lib/StaticAnalyzer/Checkers/StackAddrEscapeChecker.cpp
+++ b/clang/lib/StaticAnalyzer/Checkers/StackAddrEscapeChecker.cpp
@@ -308,7 +308,10 @@ static const MemSpaceRegion *getStackOrGlobalSpaceRegion(const MemRegion *R) {
 const MemRegion *getOriginBaseRegion(const MemRegion *Reg) {
   Reg = Reg->getBaseRegion();
   while (const auto *SymReg = dyn_cast<SymbolicRegion>(Reg)) {
-    Reg = SymReg->getSymbol()->getOriginRegion()->getBaseRegion();
+    const auto *OriginReg = SymReg->getSymbol()->getOriginRegion();
+    if (!OriginReg)
+      break;
+    Reg = OriginReg->getBaseRegion();
   }
   return Reg;
 }
diff --git a/clang/test/Analysis/stack-addr-ps.c b/clang/test/Analysis/stack-addr-ps.c
index 138b8c16b02bde..7d7294455f1dbe 100644
--- a/clang/test/Analysis/stack-addr-ps.c
+++ b/clang/test/Analysis/stack-addr-ps.c
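Review bot: With the new `break`, getOriginBaseRegion can now return a SymbolicRegion unchanged whenever its symbol has no origin region, but nothing at the definition states this, so a caller that assumes the result is always a concrete region with a known memory space can misread it. Add a header comment stating the contract, e.g. `/// Follow SymbolicRegions back to the base region of their symbol's origin. Stops at, and returns, a SymbolicRegion whose symbol has no origin region (e.g. one conjured when a pointer escapes into an opaque call), so the result is not guaranteed to be a stack or global region.` On style, `const auto *OriginReg` hides a return type that is not obvious at the call site; per LLVM's guidance on `auto`, `const MemRegion *OriginReg = SymReg->getSymbol()->getOriginRegion();` reads better. The callers of getOriginBaseRegion lie outside this hunk, so whether each of them tolerates a symbolic result cannot be confirmed here.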
@@ -126,3 +126,21 @@ void caller_for_nested_leaking() {
   int *ptr = 0;
   caller_mid_for_nested_leaking(&ptr);
 }
+
+// This used to crash StackAddrEscapeChecker because
+// it features a symbol conj_$1{struct c *, LC1, S763, #1}
+// that has no origin region.
+struct a {
+  int member;
+};
+
+struct c {
+  struct a *nested_ptr;
+};
+void opaque(struct c*);
+struct c* get_c(void);
+void no_crash_for_symbol_without_origin_region(void) {
+  struct c *ptr = get_c();
+  opaque(ptr);
+  ptr->nested_ptr->member++;
+} // No crash at the end of the function
_______________________________________________ cfe-commits mailing list cfe-commits@lists.llvm.org https://lists.llvm.org/cgi-bin/mailman/listinfo/cfe-commits
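Review bot: The comment above `struct a` pins the exact symbol dump `conj_$1{struct c *, LC1, S763, #1}`, whose statement and counter numbers are analyzer-internal and will drift as soon as the file or the engine changes, leaving a comment that no longer matches what the analyzer produces. State the property the test depends on instead, e.g. `// The pointer returned by get_c() and passed to opaque() is represented by a symbol with no origin region; this used to crash StackAddrEscapeChecker.` The two new prototypes bind the star to the type (`struct c*`, `struct c* get_c`) while the rest of the hunk binds it to the name (`struct c *ptr`, `struct a *nested_ptr`); `void opaque(struct c *);` and `struct c *get_c(void);` keep the file consistent. The new function and both struct definitions are complete within the hunk.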