From: George Karpenkov Date: Thu, 9 Nov 2017 21:49:38 +0000 (+0000) Subject: [analyzer] do not crash when trying to convert an APSInt to an unexpected type X-Git-Tag: llvmorg-6.0.0-rc1~3746 X-Git-Url: http://review.tizen.org/git/?a=commitdiff_plain;h=d860e7a6b842956b5fab2528d80775f991d26c7f;p=platform%2Fupstream%2Fllvm.git [analyzer] do not crash when trying to convert an APSInt to an unexpected type This is the issue breaking the postgresql bot, purely by chance exposed through taint checker, somehow appearing after https://reviews.llvm.org/D38358 got committed. The backstory is that the taint checker requests SVal for the value of the pointer, and analyzer has a "fast path" in the getter to return a constant when we know that the value is constant. Unfortunately, the getter requires a cast to get signedness correctly, and for the pointer `void *` the cast crashes. This is more of a band-aid patch, as I am not sure what could be done here "correctly", but it should be applied in any case to avoid the crash. Differential Revision: https://reviews.llvm.org/D39862 llvm-svn: 317839 --- diff --git a/clang/lib/StaticAnalyzer/Core/ProgramState.cpp b/clang/lib/StaticAnalyzer/Core/ProgramState.cpp index 3215c3c..5b6b733 100644 --- a/clang/lib/StaticAnalyzer/Core/ProgramState.cpp +++ b/clang/lib/StaticAnalyzer/Core/ProgramState.cpp @@ -260,7 +260,9 @@ SVal ProgramState::getSVal(Loc location, QualType T) const { // be a constant value, use that value instead to lessen the burden // on later analysis stages (so we have less symbolic values to reason // about). - if (!T.isNull()) { + // We only go into this branch if we can convert the APSInt value we have + // to the type of T, which is not always the case (e.g. for void). + if (!T.isNull() && (T->isIntegralOrEnumerationType() || Loc::isLocType(T))) { if (SymbolRef sym = V.getAsSymbol()) { if (const llvm::APSInt *Int = getStateManager() .getConstraintManager() 
diff --git a/clang/test/Analysis/taint-tester.c b/clang/test/Analysis/taint-tester.c index 1b59e7b..3a8cc18 100644 --- a/clang/test/Analysis/taint-tester.c +++ b/clang/test/Analysis/taint-tester.c @@ -189,3 +189,10 @@ void atoiTest() { } +char *pointer1; +void *pointer2; +void noCrashTest() { + if (!*pointer1) { + __builtin___memcpy_chk(pointer2, pointer1, 0, 0); // no-crash + } +}
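Review bot: the new guard in ProgramState::getSVal excludes more than the `void` case the added comment names: any `T` that is neither integral/enumeration nor a Loc type (a floating-point `T`, for instance) now also skips the constant fast path and falls through to the slower symbolic representation. Since the commit message itself calls this a band-aid, the comment on the `if` would be more useful if it stated that the excluded types are intentionally left symbolic, or carried a FIXME naming the proper fix, rather than only "e.g. for void".

Review bot: the regression test in taint-tester.c documents the expected behaviour only through the `// no-crash` marker, and nothing in the hunk says why this particular shape triggers the bug. A one-line comment above `noCrashTest` noting that `__builtin___memcpy_chk(pointer2, ...)` makes the taint checker request the SVal of a `void *` destination, which is the cast that used to crash, would tie the test back to the fix so it is not accidentally "simplified" away later.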