[analyzer] Fix for the crash in #56873

In ExprEngine::bindReturnValue() we cast an SVal to DefinedOrUnknownSVal,
however this SVal can also be Undefined, which leads to an assertion failure.

Fixes: #56873

Differential Revision: https://reviews.llvm.org/D130974

diff --git a/clang/lib/StaticAnalyzer/Core/ExprEngineCallAndReturn.cpp b/clang/lib/StaticAnalyzer/Core/ExprEngineCallAndReturn.cpp
index 8fb2ce9..1e8006c 100644 (file)
--- a/clang/lib/StaticAnalyzer/Core/ExprEngineCallAndReturn.cpp
+++ b/clang/lib/StaticAnalyzer/Core/ExprEngineCallAndReturn.cpp
@@ -762,6 +762,11 @@ ProgramStateRef ExprEngine::bindReturnValue(const CallEvent &Call,
           svalBuilder.evalBinOp(State, BO_Mul, ElementCount, ElementSize,
                                 svalBuilder.getArrayIndexType());
 
+      // FIXME: This line is to prevent a crash. For more details please check
+      // issue #56264.
+      if (Size.isUndef())
+        Size = UnknownVal();
+
       State = setDynamicExtent(State, MR, Size.castAs<DefinedOrUnknownSVal>(),
                                svalBuilder);
     } else {

diff --git a/clang/test/Analysis/Issue56873.cpp b/clang/test/Analysis/Issue56873.cpp
new file mode 100644 (file)
index 0000000..36fe5ff
--- /dev/null
+++ b/clang/test/Analysis/Issue56873.cpp
@@ -0,0 +1,24 @@
+// RUN: %clang_analyze_cc1 -analyzer-checker=core,debug.ExprInspection -verify %s
+
+void clang_analyzer_warnIfReached();
+
+struct S {
+};
+
+void Issue56873_1() {
+    int n;
+
+    // This line used to crash
+    S *arr = new S[n];
+    
+    clang_analyzer_warnIfReached();  // expected-warning{{REACHABLE}}
+}
+
+void Issue56873_2() {
+    int n;
+
+    // This line used to crash
+    int *arr = new int[n];
+    
+    clang_analyzer_warnIfReached();  // expected-warning{{REACHABLE}}
+}