From: isuckatcs <65320245+isuckatcs@users.noreply.github.com>
Date: Tue, 2 Aug 2022 09:28:15 +0000 (+0200)
Subject: [analyzer] Fix for the crash in #56873
X-Git-Url: http://review.tizen.org/git/?a=commitdiff_plain;h=10a7ee0bac211810376f29a879a9f73ed2ab15fc;p=platform%2Fupstream%2Fllvm.git

[analyzer] Fix for the crash in #56873

In ExprEngine::bindReturnValue() we cast an SVal to DefinedOrUnknownSVal, however this SVal can also be Undefined, which leads to an assertion failure.

Fixes: #56873

Differential Revision: https://reviews.llvm.org/D130974
---

diff --git a/clang/lib/StaticAnalyzer/Core/ExprEngineCallAndReturn.cpp b/clang/lib/StaticAnalyzer/Core/ExprEngineCallAndReturn.cpp
index 8fb2ce9..1e8006c 100644
--- a/clang/lib/StaticAnalyzer/Core/ExprEngineCallAndReturn.cpp
+++ b/clang/lib/StaticAnalyzer/Core/ExprEngineCallAndReturn.cpp
@@ -762,6 +762,11 @@ ProgramStateRef ExprEngine::bindReturnValue(const CallEvent &Call,
           svalBuilder.evalBinOp(State, BO_Mul, ElementCount, ElementSize,
                                 svalBuilder.getArrayIndexType());
 
+      // FIXME: This line is to prevent a crash. For more details please check
+      // issue #56264.
+      if (Size.isUndef())
+        Size = UnknownVal();
+
       State = setDynamicExtent(State, MR, Size.castAs(),
                                svalBuilder);
     } else {
diff --git a/clang/test/Analysis/Issue56873.cpp b/clang/test/Analysis/Issue56873.cpp
new file mode 100644
index 0000000..36fe5ff
--- /dev/null
+++ b/clang/test/Analysis/Issue56873.cpp
@@ -0,0 +1,24 @@
+// RUN: %clang_analyze_cc1 -analyzer-checker=core,debug.ExprInspection -verify %s
+
+void clang_analyzer_warnIfReached();
+
+struct S {
+};
+
+void Issue56873_1() {
+  int n;
+
+  // This line used to crash
+  S *arr = new S[n];
+
+  clang_analyzer_warnIfReached(); // expected-warning{{REACHABLE}}
+}
+
+void Issue56873_2() {
+  int n;
+
+  // This line used to crash
+  int *arr = new int[n];
+
+  clang_analyzer_warnIfReached(); // expected-warning{{REACHABLE}}
+}
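Review bot: Rewriting an Undefined `Size` to `UnknownVal()` stops the assertion in the added guard, but it also discards the fact that the array bound of the new-expression came from an uninitialized variable, so analysis continues silently from that point (the new test only asserts REACHABLE). The FIXME should state the intended resolution rather than only point at an issue number, e.g. `// FIXME: An undefined Size means the new-expression's array bound is uninitialized; that should be reported before we get here instead of being degraded to Unknown (issue #56264).` Note also that `Size.castAs()` appears here without a template argument; the commit description says the cast is to DefinedOrUnknownSVal, so this is presumably a rendering loss rather than the committed text, but worth confirming. bindReturnValue's body begins and ends outside this hunk.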
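Review bot: Both new cases exercise only the uninitialized-`n` path and assert just REACHABLE, so the test would still pass if the new Undefined-to-Unknown fallback also fired for well-defined sizes. A sibling case with an initialized bound, e.g. `int n = 3; int *arr = new int[n];` followed by a debug.ExprInspection check of the allocated extent with its expected-warning, would pin that the extent is still tracked when the size is defined. Whether that check is expressible with the ExprInspection helpers available in this tree should be confirmed against the checker's current function list.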