Author: george.karpenkov Date: Thu Nov 9 13:49:38 2017 New Revision: 317839
URL: http://llvm.org/viewvc/llvm-project?rev=317839&view=rev Log: [analyzer] do not crash when trying to convert an APSInt to an unexpected type This is the issue breaking the postgresql bot, purely by chance exposed through taint checker, somehow appearing after https://reviews.llvm.org/D38358 got committed. The backstory is that the taint checker requests SVal for the value of the pointer, and analyzer has a "fast path" in the getter to return a constant when we know that the value is constant. Unfortunately, the getter requires a cast to get signedness correctly, and for the pointer `void *` the cast crashes. This is more of a band-aid patch, as I am not sure what could be done here "correctly", but it should be applied in any case to avoid the crash. Differential Revision: https://reviews.llvm.org/D39862 Modified: cfe/trunk/lib/StaticAnalyzer/Core/ProgramState.cpp cfe/trunk/test/Analysis/taint-tester.c Modified: cfe/trunk/lib/StaticAnalyzer/Core/ProgramState.cpp URL: http://llvm.org/viewvc/llvm-project/cfe/trunk/lib/StaticAnalyzer/Core/ProgramState.cpp?rev=317839&r1=317838&r2=317839&view=diff ============================================================================== --- cfe/trunk/lib/StaticAnalyzer/Core/ProgramState.cpp (original) +++ cfe/trunk/lib/StaticAnalyzer/Core/ProgramState.cpp Thu Nov 9 13:49:38 2017 
@@ -260,7 +260,9 @@ SVal ProgramState::getSVal(Loc location, // be a constant value, use that value instead to lessen the burden // on later analysis stages (so we have less symbolic values to reason // about). - if (!T.isNull()) { + // We only go into this branch if we can convert the APSInt value we have + // to the type of T, which is not always the case (e.g. for void). + if (!T.isNull() && (T->isIntegralOrEnumerationType() || Loc::isLocType(T))) { if (SymbolRef sym = V.getAsSymbol()) { if (const llvm::APSInt *Int = getStateManager() .getConstraintManager() Modified: cfe/trunk/test/Analysis/taint-tester.c URL: http://llvm.org/viewvc/llvm-project/cfe/trunk/test/Analysis/taint-tester.c?rev=317839&r1=317838&r2=317839&view=diff ============================================================================== --- cfe/trunk/test/Analysis/taint-tester.c (original) +++ cfe/trunk/test/Analysis/taint-tester.c Thu Nov 9 13:49:38 2017 @@ -189,3 +189,10 @@ void atoiTest() { } +char *pointer1; +void *pointer2; +void noCrashTest() { + if (!*pointer1) { + __builtin___memcpy_chk(pointer2, pointer1, 0, 0); // no-crash + } +} _______________________________________________ cfe-commits mailing list cfe-commits@lists.llvm.org http://lists.llvm.org/cgi-bin/mailman/listinfo/cfe-commits
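Review bot: In the ProgramState.cpp hunk, the new comment says the branch is skipped when the APSInt cannot be converted to T, "e.g. for void", but the guard `T->isIntegralOrEnumerationType() || Loc::isLocType(T)` also drops the constant fast path for every other non-integral type (floating point, records, vectors), so the comment should state the actual rule rather than one instance of it, and since the log itself calls this a band-aid, a FIXME naming the real defect (the signedness/bitwidth conversion below that cannot handle non-integral types) would help whoever revisits this. A test exercising a non-void, non-integral pointee would also confirm the guard does not silently regress constant folding for those types.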
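Review bot: In the taint-tester.c hunk, `noCrashTest` carries only a `// no-crash` marker and no `expected-*` directive, so it documents neither why `if (!*pointer1)` is needed (it is the constraint that makes `*pointer1` perfectly constrained and sends `getSVal` down the constant fast path) nor why the destination must be `void *pointer2` (that is the type whose conversion crashed); a two-line comment above the function stating both would keep the test meaningful if either declaration is later "cleaned up". It would also be worth noting that the `0, 0` size arguments to `__builtin___memcpy_chk` are deliberate, so the call is not rewritten into a real copy.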