================
@@ -101,9 +101,17 @@ class SymbolConjured : public SymbolData {
// It might return null.
const Stmt *getStmt() const {
+ if (const auto *Parent = Elem.getParent()) {
+ // Sometimes the CFG element is invalid, avoid dereferencing it.
+ if (Elem.getIndexInBlock() >= Parent->size())
+ return nullptr;
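Review bot: the guard `if (Elem.getIndexInBlock() >= Parent->size()) return nullptr;` only catches an index that is out of range, but the discussion below says the invalid element handed out by `ExprEngine::getCFGElementRef` is denoted by a null block pointer together with a stale `currStmtIdx`; a stale index that happens to still be in range for a non-null parent would pass this check and `getStmt()` would return the wrong statement rather than null. Consider making the null `Parent` case the explicit validity check (document that the outer `if` is the intended "invalid element" path, not an incidental fall-through) and extend the comment "Sometimes the CFG element is invalid" to say where such an element comes from (a symbol conjured in `checkBeginFunction` before any CFG element has been processed), so a later reader knows why the index cannot be trusted here.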
----------------
steakhal wrote:
It's `ErrnoModeling::checkBeginFunction()` that conjures for the value of errno
at the very beginning of the analysis, when we enter the top level function.
That calls ExprEngine::getCFGElementRef, and that is where we get a nullptr
block ptr and also the place where we take the now _stale_ `currStmtIdx` value.
Now that I grepped for it, it seems like we set `currStmtIdx` only at a single
place: `ExprEngine::processCFGElement`. This also makes sense.
It seems like `processCFGElement` is called from
`CoreEngine::HandleBlockEntrance` from `CoreEngine::dispatchWorkItem`.
The hunk you linked with the definition of `getCFGElementRef` makes me think
that the invalid CFGElement is denoted by the NULL blockPtr. Consequently, what
we should do in our dump function is to first check if this CFG element is valid
by checking the blockPtr against null - and not looking at the
`getIndexInBlock`.
https://github.com/llvm/llvm-project/pull/139980
_______________________________________________
cfe-commits mailing list
[email protected]
https://lists.llvm.org/cgi-bin/mailman/listinfo/cfe-commits