[clang] [clang][analyzer] fix crash when modelling 'getline' function in checkers (PR #145229)

Balazs Benics via cfe-commits Tue, 24 Jun 2025 07:27:36 -0700

================
@@ -1518,14 +1518,18 @@ void MallocChecker::checkGetdelim(ProgramStateRef 
State, const CallEvent &Call,
   if (!CE)
     return;
 
-  const auto LinePtr =
-      getPointeeVal(Call.getArgSVal(0), State)->getAs<DefinedSVal>();
-  const auto Size =
-      getPointeeVal(Call.getArgSVal(1), State)->getAs<DefinedSVal>();
-  if (!LinePtr || !Size || !LinePtr->getAsRegion())
+  const auto LinePtrOpt = getPointeeVal(Call.getArgSVal(0), State);
+  const auto SizeOpt = getPointeeVal(Call.getArgSVal(1), State);
+  if (!LinePtrOpt || !SizeOpt)
     return;
 
-  State = setDynamicExtent(State, LinePtr->getAsRegion(), *Size);
+  const auto LinePtr = LinePtrOpt->getAs<DefinedSVal>();
+  const auto Size = SizeOpt->getAs<DefinedSVal>();
+  const MemRegion *LinePtrReg = LinePtr->getAsRegion();
+  if (!LinePtr || !Size || !LinePtrReg)
+    return;
----------------
steakhal wrote:


`LinePtr->getAsRegion()` unconditionally dereferences `LinePtr` before it's 
checked.

BTW you could assume that these DefinedSVals are present if you  had checked 
`isUnknownOrUndef()` in the previous `if`. An `SVal` is-a `DefinedSVal` if and 
only if the SVal is not `isUnknownOrUndef()`.


Alternatively, we can always just use a 
`dyn_cast_or_null<DefinedSVal>(getPointeeVal(...))`.

https://github.com/llvm/llvm-project/pull/145229
_______________________________________________
cfe-commits mailing list
cfe-commits@lists.llvm.org
https://lists.llvm.org/cgi-bin/mailman/listinfo/cfe-commits

[clang] [clang][analyzer] fix crash when modelling 'getline' function in checkers (PR #145229)

Reply via email to