ormris created this revision.
ormris added reviewers: dcoughlin, NoQ, xazax.hun, george.karpenkov.
Herald added a subscriber: rnkovacs.

Loop widening can invalidate an object reference. If the analyzer attempts to
visit the destructor of a non-existent object, it will crash. This patch ensures
that type information is available before attempting to visit the object.


Repository:
  rC Clang

https://reviews.llvm.org/D47044

Files:
  lib/StaticAnalyzer/Core/ExprEngine.cpp
  test/Analysis/loop-widening-invalid-type.cpp


Index: test/Analysis/loop-widening-invalid-type.cpp
===================================================================
--- /dev/null
+++ test/Analysis/loop-widening-invalid-type.cpp
@@ -0,0 +1,11 @@
+// RUN: %clang_cc1 -analyze 
-analyzer-checker=core,unix.Malloc,debug.ExprInspection -analyzer-max-loop 4 
-analyzer-config widen-loops=true -verify %s
+
+struct A {
+  ~A() {}
+};
+struct B : public A {};
+
+void invalid_type_region_access() { // expected-no-diagnostics
+  const A &x = B();
+  for(int i = 0; i < 10; ++i) {}
+}
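Review bot: The RUN line enables `unix.Malloc` and `debug.ExprInspection`, but nothing in the test body allocates or calls an inspection helper, so the extra checkers only obscure what the test is guarding; `-analyzer-checker=core` would exercise the same path with the same `-analyzer-config widen-loops=true`. A one-line comment above the function would also make the intent durable, e.g. `// Binding a temporary to a const reference and then widening a loop used to crash when the destructor was visited (see patch description).` In this copy of the patch the RUN line is wrapped across three physical lines by the mail client; the second copy below shows it intact. The same test hunk is repeated in that second copy.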
Index: lib/StaticAnalyzer/Core/ExprEngine.cpp
===================================================================
--- lib/StaticAnalyzer/Core/ExprEngine.cpp
+++ lib/StaticAnalyzer/Core/ExprEngine.cpp
@@ -1044,6 +1044,10 @@
       return;
     }
     Region = ValueRegion->getBaseRegion();
+    if (!isa<TypedValueRegion>(Region))
+      // Loop widening will sometimes invalidate typed regions.
+      return;
+ 
     varType = cast<TypedValueRegion>(Region)->getValueType();
   }
 
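Review bot: The added guard returns before the destructor is modelled whenever the base region carries no type, so a widened loop can quietly drop an object's destructor from the analysis with no record of why; the comment should state that trade-off and sit above the `if` rather than between `if` and `return`, e.g. `// Loop widening can invalidate the region backing a reference, leaving a base region without type information; skip the destructor rather than crash on the cast below.` The isa-then-cast pair can collapse into a single checked cast, `const auto *TVR = dyn_cast<TypedValueRegion>(Region); if (!TVR) return; varType = TVR->getValueType();`. The added blank line (the `+ ` line) carries trailing whitespace. The enclosing function starts and ends outside the hunk, and this hunk is repeated in the second copy of the patch below.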


Index: test/Analysis/loop-widening-invalid-type.cpp
===================================================================
--- /dev/null
+++ test/Analysis/loop-widening-invalid-type.cpp
@@ -0,0 +1,11 @@
+// RUN: %clang_cc1 -analyze -analyzer-checker=core,unix.Malloc,debug.ExprInspection -analyzer-max-loop 4 -analyzer-config widen-loops=true -verify %s
+
+struct A {
+  ~A() {}
+};
+struct B : public A {};
+
+void invalid_type_region_access() { // expected-no-diagnostics
+  const A &x = B();
+  for(int i = 0; i < 10; ++i) {}
+}
Index: lib/StaticAnalyzer/Core/ExprEngine.cpp
===================================================================
--- lib/StaticAnalyzer/Core/ExprEngine.cpp
+++ lib/StaticAnalyzer/Core/ExprEngine.cpp
@@ -1044,6 +1044,10 @@
       return;
     }
     Region = ValueRegion->getBaseRegion();
+    if (!isa<TypedValueRegion>(Region))
+      // Loop widening will sometimes invalidate typed regions.
+      return;
+ 
     varType = cast<TypedValueRegion>(Region)->getValueType();
   }
 