================ @@ -101,9 +101,17 @@ class SymbolConjured : public SymbolData { // It might return null. const Stmt *getStmt() const { + if (const auto *Parent = Elem.getParent()) { + // Sometimes the CFG element is invalid, avoid dereferencing it. + if (Elem.getIndexInBlock() >= Parent->size()) + return nullptr; ---------------- fangyi-zhou wrote:
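Review bot: the added bounds check in getStmt() turns an invalid CFGElementRef into a silent nullptr, which hides the underlying bug rather than surfacing it; the comment `// Sometimes the CFG element is invalid, avoid dereferencing it.` should state when that actually happens (per the discussion below, a freshly initialised ref at index 0 into a block that has no elements), and the early return deserves an assert in debug builds or at least a TODO naming the expression-engine origin so the guard is not mistaken for intended behaviour. It is also worth confirming that every caller of getStmt() already handles the null path that `// It might return null.` promises, since this adds a new way to reach it.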
> My argument is that the CFG element should be always valid

Unfortunately I don't think this is true. As I mentioned, the CFG contains no elements, therefore, when a value needs to be conjured, an invalid CFG element ref is passed on from the expression engine. I didn't have a way to track down which call is causing the problem, and I agree with you that I don't like this change --- it's a band-aid instead of a proper fix.

The invalid CFG ref likely comes from the fact that https://github.com/llvm/llvm-project/blob/4ba8f4e213c97733e3b61e5856b0e85e3d7d6a7f/clang/include/clang/StaticAnalyzer/Core/PathSensitive/ExprEngine.h#L229-L232 will use the current statement index. In a case at initialisation, the value is initialised at 0. Afaik, the errno checking will try to conjure a symbol, which uses the initial invalid CFG element. I can't immediately pinpoint where that happens or if there are better ways to fix. Let me know what you think.

https://github.com/llvm/llvm-project/pull/139980

_______________________________________________
cfe-commits mailing list
cfe-commits@lists.llvm.org
https://lists.llvm.org/cgi-bin/mailman/listinfo/cfe-commits
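The failure mode under discussion, an element reference whose index is 0 but whose parent block holds zero elements, is easy to see in a toy model. The following is an added illustration, not code from the pull request or from LLVM: `ToyBlock`, `ToyElementRef`, `getStmtUnchecked` and `getStmtChecked` are assumed stand-ins that only mirror the parent-plus-index shape of clang's CFGElementRef and the guard in the hunk, and `isValid` is an assumed predicate that makes the validity condition explicit.

```cpp
#include <cassert>
#include <cstddef>
#include <vector>

// Minimal stand-ins for clang's Stmt / CFGBlock (assumed names, not LLVM's).
struct Stmt { int id; };
struct ToyElement { const Stmt *S; };

struct ToyBlock {
  std::vector<ToyElement> Elems;
  std::size_t size() const { return Elems.size(); }
  const ToyElement &operator[](std::size_t I) const { return Elems[I]; }
};

// Mirrors the shape of an element reference: a parent block plus an index.
// A default-constructed ref starts at index 0, which is only meaningful if
// the parent actually has an element 0.
struct ToyElementRef {
  const ToyBlock *Parent = nullptr;
  std::size_t Index = 0;

  const ToyBlock *getParent() const { return Parent; }
  std::size_t getIndexInBlock() const { return Index; }
  // Explicit validity predicate: the index must lie inside the block.
  bool isValid() const { return Parent && Index < Parent->size(); }
};

// Pre-guard shape: dereferences whatever the ref points at, so an index past
// the end of the block is an out-of-range read. Shown for contrast only;
// never call it with a ref that fails isValid().
const Stmt *getStmtUnchecked(const ToyElementRef &Elem) {
  if (const auto *Parent = Elem.getParent())
    return (*Parent)[Elem.getIndexInBlock()].S;
  return nullptr;
}

// Guarded shape in the spirit of the hunk: refuse to dereference a ref whose
// index is at or past the end of its parent block and report "no statement".
const Stmt *getStmtChecked(const ToyElementRef &Elem) {
  if (const auto *Parent = Elem.getParent()) {
    if (Elem.getIndexInBlock() >= Parent->size())
      return nullptr;
    return (*Parent)[Elem.getIndexInBlock()].S;
  }
  return nullptr;
}

// Scenario from the thread: a block with no elements and a ref at index 0.
// 0 >= size() (== 0) holds, so the guard returns nullptr instead of reading.
bool emptyBlockRefIsRejected() {
  ToyBlock Empty;
  ToyElementRef Ref{&Empty, 0};
  return !Ref.isValid() && getStmtChecked(Ref) == nullptr;
}

// A ref that points inside its block resolves to the named statement.
int validRefResolves() {
  static const Stmt S1{1}, S2{2};
  ToyBlock B{{{&S1}, {&S2}}};
  ToyElementRef Ref{&B, 1};
  assert(Ref.isValid());
  return getStmtChecked(Ref)->id;  // 2
}
```

The point of `isValid` is that the condition the hunk tests inline is a property of the reference itself; making it a named predicate lets the producer of the reference assert it at construction time, which is where the thread suggests the real defect lives, rather than having every consumer guess whether a null return means "no statement" or "bad reference".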