From 89f1cd7debd15475b8a9da26aafbca1c5fdbf07e Mon Sep 17 00:00:00 2001
From: Fangyi Zhou
Date: Wed, 14 May 2025 01:28:48 +0100
Subject: [PATCH 1/3] [clang][analyzer] Fix a nullptr dereference when `-ftime-trace` is used

Fixes #139779. The bug was introduced in #137355 in `SymbolConjured::getStmt`, when trying to obtain a statement for a CFG initializer without an initializer. This commit adds a null check before access.
---
 .../clang/StaticAnalyzer/Core/PathSensitive/SymbolManager.h | 2 ++
 clang/test/Analysis/ftime-trace-no-init.cpp | 5 +++++
 2 files changed, 7 insertions(+)
 create mode 100644 clang/test/Analysis/ftime-trace-no-init.cpp

diff --git a/clang/include/clang/StaticAnalyzer/Core/PathSensitive/SymbolManager.h b/clang/include/clang/StaticAnalyzer/Core/PathSensitive/SymbolManager.h
index 9e7c98fdded17..00159971fd7b5 100644
--- a/clang/include/clang/StaticAnalyzer/Core/PathSensitive/SymbolManager.h
+++ b/clang/include/clang/StaticAnalyzer/Core/PathSensitive/SymbolManager.h
@@ -103,6 +103,8 @@ class SymbolConjured : public SymbolData {
 const Stmt *getStmt() const {
 switch (Elem->getKind()) {
 case CFGElement::Initializer:
+ if (Elem->castAs().getInitializer() == nullptr)
+ return nullptr;
 return Elem->castAs().getInitializer()->getInit();
 case CFGElement::ScopeBegin:
 return Elem->castAs().getTriggerStmt();
diff --git a/clang/test/Analysis/ftime-trace-no-init.cpp b/clang/test/Analysis/ftime-trace-no-init.cpp
new file mode 100644
index 0000000000000..db62aa8a56ed7
--- /dev/null
+++ b/clang/test/Analysis/ftime-trace-no-init.cpp
@@ -0,0 +1,5 @@
+// RUN: %clang --analyze %s -ftime-trace -Xclang -verify
+// expected-no-diagnostics
+
+// GitHub issue 139779
+struct {} a; // no-crash

From f872c3c725b17e7c116cf1a218a10831cdb73ed3 Mon Sep 17 00:00:00 2001
From: Fangyi Zhou
Date: Wed, 14 May 2025 15:14:44 +0100
Subject: [PATCH 2/3] minor style fix

---
 .../StaticAnalyzer/Core/PathSensitive/SymbolManager.h | 7 ++++---
 1 file changed, 4 insertions(+), 3 deletions(-)
diff --git a/clang/include/clang/StaticAnalyzer/Core/PathSensitive/SymbolManager.h b/clang/include/clang/StaticAnalyzer/Core/PathSensitive/SymbolManager.h
index 00159971fd7b5..2e06e71f7be5f 100644
--- a/clang/include/clang/StaticAnalyzer/Core/PathSensitive/SymbolManager.h
+++ b/clang/include/clang/StaticAnalyzer/Core/PathSensitive/SymbolManager.h
@@ -103,9 +103,10 @@ class SymbolConjured : public SymbolData {
 const Stmt *getStmt() const {
 switch (Elem->getKind()) {
 case CFGElement::Initializer:
- if (Elem->castAs().getInitializer() == nullptr)
- return nullptr;
- return Elem->castAs().getInitializer()->getInit();
+ if (const auto *Init = Elem->castAs().getInitializer()) {
+ return Init->getInit();
+ }
+ return nullptr;
 case CFGElement::ScopeBegin:
 return Elem->castAs().getTriggerStmt();
 case CFGElement::ScopeEnd:

From 8b02b3d33861cb1bcae8459d5340a5d0aede8240 Mon Sep 17 00:00:00 2001
From: Fangyi Zhou
Date: Wed, 14 May 2025 15:15:13 +0100
Subject: [PATCH 3/3] use clang_analyze_cc1 in test

---
 clang/test/Analysis/ftime-trace-no-init.cpp | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/clang/test/Analysis/ftime-trace-no-init.cpp b/clang/test/Analysis/ftime-trace-no-init.cpp
index db62aa8a56ed7..7fb289b19da78 100644
--- a/clang/test/Analysis/ftime-trace-no-init.cpp
+++ b/clang/test/Analysis/ftime-trace-no-init.cpp
@@ -1,4 +1,4 @@
-// RUN: %clang --analyze %s -ftime-trace -Xclang -verify
+// RUN: %clang_analyze_cc1 -analyzer-checker=core,apiModeling %s -ftime-trace=%t.raw.json -verify
 // expected-no-diagnostics
 
 // GitHub issue 139779
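Review bot: The new `case CFGElement::Initializer:` branch maps an initializer-less CFGInitializer to a nullptr return without recording why such an element can exist, so the next reader cannot tell whether the null is an expected CFG shape or a latent bug; a one-line comment would anchor it, e.g. `// A CFGInitializer may carry no CXXCtorInitializer (see #139779); report "no statement" rather than dereference it.` The same comment belongs on the earlier form of this branch in PATCH 1/3, which this hunk rewrites. Because getStmt() now has one more path that yields null, the `-ftime-trace` caller that hit #139779 must tolerate a null Stmt or the crash moves rather than disappears; that caller is outside this patch, so it is worth confirming. The body of getStmt() continues past the last hunk line, so whether the remaining cases already return nullptr cannot be seen here.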