[analyzer] Fix for the crash in #56873

isuckatcs · isuckatcs · commit 10a7ee0bac21 · 2022-08-03T19:25:02.000+02:00
In ExprEngine::bindReturnValue() we cast an SVal to DefinedOrUnknownSVal, however this SVal can also be Undefined, which leads to an assertion failure. Fixes: #56873 Differential Revision: https://reviews.llvm.org/D130974
diff --git a/clang/lib/StaticAnalyzer/Core/ExprEngineCallAndReturn.cpp b/clang/lib/StaticAnalyzer/Core/ExprEngineCallAndReturn.cpp
@@ -762,6 +762,11 @@ ProgramStateRef ExprEngine::bindReturnValue(const CallEvent &Call,
           svalBuilder.evalBinOp(State, BO_Mul, ElementCount, ElementSize,
                                 svalBuilder.getArrayIndexType());
 
+      // FIXME: This line is to prevent a crash. For more details please check
+      // issue #56264.
+      if (Size.isUndef())
+        Size = UnknownVal();
+
       State = setDynamicExtent(State, MR, Size.castAs<DefinedOrUnknownSVal>(),
                                svalBuilder);
     } else {
diff --git a/clang/test/Analysis/Issue56873.cpp b/clang/test/Analysis/Issue56873.cpp
@@ -0,0 +1,24 @@
+// RUN: %clang_analyze_cc1 -analyzer-checker=core,debug.ExprInspection -verify %s
+
+void clang_analyzer_warnIfReached();
+
+struct S {
+};
+
+void Issue56873_1() {
+    int n;
+
+    // This line used to crash
+    S *arr = new S[n];
+    
+    clang_analyzer_warnIfReached();  // expected-warning{{REACHABLE}}
+}
+
+void Issue56873_2() {
+    int n;
+
+    // This line used to crash
+    int *arr = new int[n];
+    
+    clang_analyzer_warnIfReached();  // expected-warning{{REACHABLE}}
+}
