https://github.com/guillem-bartrina-sonarsource created https://github.com/llvm/llvm-project/pull/167341
Although very unusual, the SVal of the argument is not checked for UnknownVal, so we may get a null pointer dereference. >From e6a800f0aa4d040d9618da1ca98cc7a53a951520 Mon Sep 17 00:00:00 2001 From: guillem-bartrina-sonarsource <[email protected]> Date: Mon, 10 Nov 2025 17:35:54 +0100 Subject: [PATCH] StdVariantChecker: fix crash when argument to std::get is UnknownVal --- .../StaticAnalyzer/Checkers/StdVariantChecker.cpp | 10 ++++++---- clang/test/Analysis/std-variant-checker.cpp | 13 ++++++++++++- 2 files changed, 18 insertions(+), 5 deletions(-) diff --git a/clang/lib/StaticAnalyzer/Checkers/StdVariantChecker.cpp b/clang/lib/StaticAnalyzer/Checkers/StdVariantChecker.cpp index db8bbee8761d5..805f64f4804cf 100644 --- a/clang/lib/StaticAnalyzer/Checkers/StdVariantChecker.cpp +++ b/clang/lib/StaticAnalyzer/Checkers/StdVariantChecker.cpp @@ -219,10 +219,12 @@ class StdVariantChecker : public Checker<eval::Call, check::RegionChanges> { bool handleStdGetCall(const CallEvent &Call, CheckerContext &C) const { ProgramStateRef State = C.getState(); - const auto &ArgType = Call.getArgSVal(0) - .getType(C.getASTContext()) - ->getPointeeType() - .getTypePtr(); + SVal ArgSVal = Call.getArgSVal(0); + if (ArgSVal.isUnknown()) + return false; + + const auto &ArgType = + ArgSVal.getType(C.getASTContext())->getPointeeType().getTypePtr(); // We have to make sure that the argument is an std::variant. // There is another std::get with std::pair argument if (!isStdVariant(ArgType)) diff --git a/clang/test/Analysis/std-variant-checker.cpp b/clang/test/Analysis/std-variant-checker.cpp index 7f136c06b19cc..fbb69327e1de5 100644 --- a/clang/test/Analysis/std-variant-checker.cpp +++ b/clang/test/Analysis/std-variant-checker.cpp @@ -355,4 +355,15 @@ void nonInlineFunctionCallPtr() { char c = std::get<char> (v); // no-warning (void)a; (void)c; -} \ No newline at end of file +} + +// ----------------------------------------------------------------------------// +// Misc +// ----------------------------------------------------------------------------// + +using uintptr_t = unsigned long long; + +void unknownVal() { + // force the argument to be UnknownVal + (void)std::get<int>(*(std::variant<int, float>*)(uintptr_t)3.14f); // no crash +} _______________________________________________ cfe-commits mailing list [email protected] https://lists.llvm.org/cgi-bin/mailman/listinfo/cfe-commits
