Author: Vince Bridgers Date: 2022-06-07T13:34:06-04:00 New Revision: c7fa4e8a8bc41e52cc49a27e0495d67d730fa167
URL: https://github.com/llvm/llvm-project/commit/c7fa4e8a8bc41e52cc49a27e0495d67d730fa167 DIFF: https://github.com/llvm/llvm-project/commit/c7fa4e8a8bc41e52cc49a27e0495d67d730fa167.diff LOG: [analyzer] Fix null pointer deref in CastValueChecker A crash was seen in CastValueChecker due to a null pointer dereference. The fix uses QualType::getAsString to avoid the null dereference when a CXXRecordDecl cannot be obtained. A small reproducer is added, and cast value notes LITs are updated for the new debug messages. Reviewed By: steakhal Differential Revision: https://reviews.llvm.org/D127105 Added: Modified: clang/lib/StaticAnalyzer/Checkers/CastValueChecker.cpp clang/test/Analysis/cast-value-notes.cpp clang/test/Analysis/cast-value-state-dump.cpp Removed: ################################################################################ diff --git a/clang/lib/StaticAnalyzer/Checkers/CastValueChecker.cpp b/clang/lib/StaticAnalyzer/Checkers/CastValueChecker.cpp index e2b99fca7d148..45f9a82a9d0a4 100644 --- a/clang/lib/StaticAnalyzer/Checkers/CastValueChecker.cpp +++ b/clang/lib/StaticAnalyzer/Checkers/CastValueChecker.cpp @@ -108,7 +108,7 @@ static const NoteTag *getNoteTag(CheckerContext &C, bool CastSucceeds, bool IsKnownCast) { std::string CastToName = CastInfo ? CastInfo->to()->getAsCXXRecordDecl()->getNameAsString() - : CastToTy->getPointeeCXXRecordDecl()->getNameAsString(); + : CastToTy.getAsString(); Object = Object->IgnoreParenImpCasts(); return C.getNoteTag( @@ -163,9 +163,9 @@ static const NoteTag *getNoteTag(CheckerContext &C, bool First = true; for (QualType CastToTy: CastToTyVec) { std::string CastToName = - CastToTy->getAsCXXRecordDecl() ? - CastToTy->getAsCXXRecordDecl()->getNameAsString() : - CastToTy->getPointeeCXXRecordDecl()->getNameAsString(); + CastToTy->getAsCXXRecordDecl() + ? CastToTy->getAsCXXRecordDecl()->getNameAsString() + : CastToTy.getAsString(); Out << ' ' << ((CastToTyVec.size() == 1) ? "not" : (First ? "neither" : "nor")) << " a '" << CastToName << '\''; diff --git a/clang/test/Analysis/cast-value-notes.cpp b/clang/test/Analysis/cast-value-notes.cpp index ddfaf07b2a0af..b3d32552e6ec8 100644 --- a/clang/test/Analysis/cast-value-notes.cpp +++ b/clang/test/Analysis/cast-value-notes.cpp @@ -73,7 +73,7 @@ void clang_analyzer_printState(); #if defined(X86) void evalReferences(const Shape &S) { const auto &C = dyn_cast<Circle>(S); - // expected-note@-1 {{Assuming 'S' is not a 'Circle'}} + // expected-note@-1 {{Assuming 'S' is not a 'const class clang::Circle &'}} // expected-note@-2 {{Dereference of null pointer}} // expected-warning@-3 {{Dereference of null pointer}} clang_analyzer_printState(); @@ -93,7 +93,7 @@ void evalReferences_addrspace(const Shape &S) { #if defined(NOT_SUPPRESSED) void evalReferences_addrspace(const Shape &S) { const auto &C = dyn_cast<DEVICE Circle>(S); - // expected-note@-1 {{Assuming 'S' is not a 'Circle'}} + // expected-note@-1 {{Assuming 'S' is not a 'const __attribute__((address_space(3))) class clang::Circle &'}} // expected-note@-2 {{Dereference of null pointer}} // expected-warning@-3 {{Dereference of null pointer}} clang_analyzer_printState(); @@ -105,7 +105,7 @@ void evalReferences_addrspace(const Shape &S) { #elif defined(MIPS) void evalReferences(const Shape &S) { const auto &C = dyn_cast<Circle>(S); - // expected-note@-1 {{Assuming 'S' is not a 'Circle'}} + // expected-note@-1 {{Assuming 'S' is not a 'const class clang::Circle &'}} // expected-note@-2 {{Dereference of null pointer}} // expected-warning@-3 {{Dereference of null pointer}} } @@ -122,25 +122,25 @@ void evalNonNullParamNonNullReturnReference(const Shape &S) { // expected-note@-1 {{'C' initialized here}} if (!dyn_cast_or_null<Circle>(C)) { - // expected-note@-1 {{'C' is a 'Circle'}} + // expected-note@-1 {{Assuming 'C' is a 'const class clang::Circle *'}} // expected-note@-2 {{Taking false branch}} return; } if (dyn_cast_or_null<Triangle>(C)) { - // expected-note@-1 {{Assuming 'C' is not a 'Triangle'}} + // expected-note@-1 {{Assuming 'C' is not a 'const class clang::Triangle *'}} // expected-note@-2 {{Taking false branch}} return; } if (dyn_cast_or_null<Rectangle>(C)) { - // expected-note@-1 {{Assuming 'C' is not a 'Rectangle'}} + // expected-note@-1 {{Assuming 'C' is not a 'const class clang::Rectangle *'}} // expected-note@-2 {{Taking false branch}} return; } if (dyn_cast_or_null<Hexagon>(C)) { - // expected-note@-1 {{Assuming 'C' is not a 'Hexagon'}} + // expected-note@-1 {{Assuming 'C' is not a 'const class clang::Hexagon *'}} // expected-note@-2 {{Taking false branch}} return; } @@ -176,29 +176,29 @@ void evalNonNullParamNonNullReturnReference(const Shape &S) { void evalNonNullParamNonNullReturn(const Shape *S) { const auto *C = cast<Circle>(S); - // expected-note@-1 {{'S' is a 'Circle'}} + // expected-note@-1 {{'S' is a 'const class clang::Circle *'}} // expected-note@-2 {{'C' initialized here}} if (!dyn_cast_or_null<Circle>(C)) { - // expected-note@-1 {{'C' is a 'Circle'}} + // expected-note@-1 {{Assuming 'C' is a 'const class clang::Circle *'}} // expected-note@-2 {{Taking false branch}} return; } if (dyn_cast_or_null<Triangle>(C)) { - // expected-note@-1 {{Assuming 'C' is not a 'Triangle'}} + // expected-note@-1 {{Assuming 'C' is not a 'const class clang::Triangle *'}} // expected-note@-2 {{Taking false branch}} return; } if (dyn_cast_or_null<Rectangle>(C)) { - // expected-note@-1 {{Assuming 'C' is not a 'Rectangle'}} + // expected-note@-1 {{Assuming 'C' is not a 'const class clang::Rectangle *'}} // expected-note@-2 {{Taking false branch}} return; } if (dyn_cast_or_null<Hexagon>(C)) { - // expected-note@-1 {{Assuming 'C' is not a 'Hexagon'}} + // expected-note@-1 {{Assuming 'C' is not a 'const class clang::Hexagon *'}} // expected-note@-2 {{Taking false branch}} return; } @@ -234,10 +234,10 @@ void evalNonNullParamNonNullReturn(const Shape *S) { void evalNonNullParamNullReturn(const Shape *S) { const auto *C = dyn_cast_or_null<Circle>(S); - // expected-note@-1 {{Assuming 'S' is not a 'Circle'}} + // expected-note@-1 {{Assuming 'S' is not a 'const class clang::Circle *'}} if (const auto *T = dyn_cast_or_null<Triangle>(S)) { - // expected-note@-1 {{Assuming 'S' is a 'Triangle'}} + // expected-note@-1 {{Assuming 'S' is a 'const class clang::Triangle *'}} // expected-note@-2 {{'T' initialized here}} // expected-note@-3 {{'T' is non-null}} // expected-note@-4 {{Taking true branch}} @@ -261,7 +261,7 @@ void evalNullParamNullReturn(const Shape *S) { void evalZeroParamNonNullReturnPointer(const Shape *S) { const auto *C = S->castAs<Circle>(); - // expected-note@-1 {{'S' is a 'Circle'}} + // expected-note@-1 {{'S' is a 'const class clang::Circle *'}} // expected-note@-2 {{'C' initialized here}} (void)(1 / !C); @@ -282,12 +282,12 @@ void evalZeroParamNonNullReturn(const Shape &S) { void evalZeroParamNullReturn(const Shape *S) { const auto &C = S->getAs<Circle>(); - // expected-note@-1 {{Assuming 'S' is not a 'Circle'}} + // expected-note@-1 {{Assuming 'S' is not a 'const class clang::Circle *'}} // expected-note@-2 {{Storing null pointer value}} // expected-note@-3 {{'C' initialized here}} if (!dyn_cast_or_null<Triangle>(S)) { - // expected-note@-1 {{Assuming 'S' is a 'Triangle'}} + // expected-note@-1 {{Assuming 'S' is a 'const class clang::Triangle *'}} // expected-note@-2 {{Taking false branch}} return; } @@ -302,3 +302,32 @@ void evalZeroParamNullReturn(const Shape *S) { // expected-note@-1 {{Division by zero}} // expected-warning@-2 {{Division by zero}} } + +// don't crash +// CastValueChecker was using QualType()->getPointeeCXXRecordDecl(), in +// getNoteTag which evaluated to nullptr, then crashed when attempting to +// deref an invocation to getNameAsString(). The fix is to use +// QualType().getAsString(). +// +// Example: +// std::string CastToName = +// CastInfo ? CastInfo->to()->getAsCXXRecordDecl()->getNameAsString() +// : CastToTy->getPointeeCXXRecordDecl()->getNameAsString(); +// Changed to: +// std::string CastToName = +// CastInfo ? CastInfo->to()->getAsCXXRecordDecl()->getNameAsString() +// : CastToTy.getAsString(); +namespace llvm { +template <typename, typename a> void isa(a &); +template <typename> class PointerUnion { +public: + template <typename T> T *getAs() { + (void)isa<int>(*this); + return nullptr; + } +}; +class LLVMContext { + PointerUnion<LLVMContext> c; + void d() { c.getAs<int>(); } +}; +} // namespace llvm diff --git a/clang/test/Analysis/cast-value-state-dump.cpp b/clang/test/Analysis/cast-value-state-dump.cpp index 3e6a40cf1319b..c9d85f0b4460f 100644 --- a/clang/test/Analysis/cast-value-state-dump.cpp +++ b/clang/test/Analysis/cast-value-state-dump.cpp @@ -18,12 +18,12 @@ using namespace clang; void evalNonNullParamNonNullReturn(const Shape *S) { const auto *C = dyn_cast_or_null<Circle>(S); - // expected-note@-1 {{Assuming 'S' is a 'Circle'}} + // expected-note@-1 {{Assuming 'S' is a 'const class clang::Circle *'}} // expected-note@-2 {{'C' initialized here}} // FIXME: We assumed that 'S' is a 'Circle' therefore it is not a 'Square'. if (dyn_cast_or_null<Square>(S)) { - // expected-note@-1 {{Assuming 'S' is not a 'Square'}} + // expected-note@-1 {{Assuming 'S' is not a 'const class clang::Square *'}} // expected-note@-2 {{Taking false branch}} return; } _______________________________________________ cfe-commits mailing list cfe-commits@lists.llvm.org https://lists.llvm.org/cgi-bin/mailman/listinfo/cfe-commits
