From 73b38668ce738f182a441d8e77be20be9ba7898a Mon Sep 17 00:00:00 2001
From: Artem Dergachev
Date: Thu, 30 Aug 2018 18:45:05 +0000
Subject: [PATCH] [analyzer] InnerPointerChecker: Fix a segfault when checking symbolic strings.

Return value of dyn_cast_or_null should be checked before use. Otherwise we may put a null pointer into the map as a key and eventually crash in checkDeadSymbols.

Differential Revision: https://reviews.llvm.org/D51385

llvm-svn: 341092
---
 clang/lib/StaticAnalyzer/Checkers/InnerPointerChecker.cpp | 3 +++
 clang/test/Analysis/inner-pointer.cpp | 4 ++++
 2 files changed, 7 insertions(+)

diff --git a/clang/lib/StaticAnalyzer/Checkers/InnerPointerChecker.cpp b/clang/lib/StaticAnalyzer/Checkers/InnerPointerChecker.cpp
index 91805e4..b3638d0 100644
--- a/clang/lib/StaticAnalyzer/Checkers/InnerPointerChecker.cpp
+++ b/clang/lib/StaticAnalyzer/Checkers/InnerPointerChecker.cpp
@@ -211,8 +211,11 @@ void InnerPointerChecker::checkPostCall(const CallEvent &Call,
   ProgramStateRef State = C.getState();
   if (const auto *ICall = dyn_cast(&Call)) {
+    // TODO: Do we need these to be typed?
     const auto *ObjRegion = dyn_cast_or_null(
         ICall->getCXXThisVal().getAsRegion());
+    if (!ObjRegion)
+      return;
     if (Call.isCalled(CStrFn) || Call.isCalled(DataFn)) {
       SVal RawPtr = Call.getReturnValue();
diff --git a/clang/test/Analysis/inner-pointer.cpp b/clang/test/Analysis/inner-pointer.cpp
index 950270b..f8f6c11 100644
--- a/clang/test/Analysis/inner-pointer.cpp
+++ b/clang/test/Analysis/inner-pointer.cpp
@@ -424,3 +424,7 @@ void no_CXXRecordDecl() {
   *(void **)&b = c() + 1;
   *b = a; // no-crash
 }
+
+void checkReference(std::string &s) {
+  const char *c = s.c_str();
+}
-- 
2.7.4
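Review bot: The new `if (!ObjRegion) return;` leaves checkPostCall entirely for every instance call whose `this` region is not a typed value region, not only the c_str()/data() tracking that needed the null guard; if the function continues after the `ICall` block with work that does not depend on `ObjRegion` (checkPostCall's body runs past the end of this hunk), that work is now skipped for calls on symbolic strings, turning the former crash into a silent false negative. Keeping the guard local, e.g. wrapping the remainder of the `ICall` block in `if (ObjRegion) { ... }` so control still reaches whatever follows, would avoid that. Either way the TODO added on the line above asks whether the region must be typed but does not record what happens when it is not; a comment such as `// Untyped (e.g. symbolic) 'this' regions are not tracked; bail out rather than key the map on null.` would make the dropped case explicit.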
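Review bot: The new `checkReference` test leaves `c` unused and carries no expectation marker, unlike the sibling `no_CXXRecordDecl` case just above it, so the file does not say what the test guards against; mark it the way the neighbouring test does, `const char *c = s.c_str(); // no-crash`. A one-line comment naming the scenario (a string reached through a reference parameter, whose `this` is a symbolic region rather than a typed one) would make the regression self-describing.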