Fix a crash in clang::isGetterOfRefCounted by checking nullptr in tryToFindPtrOrigin (llvm#80768)

rniwa · web-flow · commit 93a2a8cb7f6a · 2024-02-06T08:28:15.000-08:00
diff --git a/clang/lib/StaticAnalyzer/Checkers/WebKit/ASTUtils.cpp b/clang/lib/StaticAnalyzer/Checkers/WebKit/ASTUtils.cpp
@@ -34,13 +34,16 @@ tryToFindPtrOrigin(const Expr *E, bool StopAtFirstRefCountedObj) {
     }
     if (auto *call = dyn_cast<CallExpr>(E)) {
       if (auto *memberCall = dyn_cast<CXXMemberCallExpr>(call)) {
-        std::optional<bool> IsGetterOfRefCt = isGetterOfRefCounted(memberCall->getMethodDecl());
-        if (IsGetterOfRefCt && *IsGetterOfRefCt) {
-          E = memberCall->getImplicitObjectArgument();
-          if (StopAtFirstRefCountedObj) {
-            return {E, true};
+        if (auto *decl = memberCall->getMethodDecl()) {
+          std::optional<bool> IsGetterOfRefCt =
+              isGetterOfRefCounted(memberCall->getMethodDecl());
+          if (IsGetterOfRefCt && *IsGetterOfRefCt) {
+            E = memberCall->getImplicitObjectArgument();
+            if (StopAtFirstRefCountedObj) {
+              return {E, true};
+            }
+            continue;
           }
-          continue;
         }
       }
 
diff --git a/clang/test/Analysis/Checkers/WebKit/member-function-pointer-crash.cpp b/clang/test/Analysis/Checkers/WebKit/member-function-pointer-crash.cpp
@@ -0,0 +1,26 @@
+// RUN: %clang_analyze_cc1 -analyzer-checker=alpha.webkit.UncountedLocalVarsChecker -verify %s
+
+#include "mock-types.h"
+
+class RenderStyle;
+
+class FillLayer {
+public:
+    void ref() const;
+    void deref() const;
+};
+
+class FillLayersPropertyWrapper {
+public:
+    typedef const FillLayer& (RenderStyle::*LayersGetter)() const;
+
+private:
+    bool canInterpolate(const RenderStyle& from) const
+    {
+        auto* fromLayer = &(from.*m_layersGetter)();
+        // expected-warning@-1{{Local variable 'fromLayer' is uncounted and unsafe}}
+        return true;
+    }
+
+    LayersGetter m_layersGetter;
+};

Original file line number	Diff line number	Diff line change
`@@ -34,13 +34,16 @@ tryToFindPtrOrigin(const Expr *E, bool StopAtFirstRefCountedObj) {`
`34`	`34`	`}`
`35`	`35`	`if (auto *call = dyn_cast<CallExpr>(E)) {`
`36`	`36`	`if (auto *memberCall = dyn_cast<CXXMemberCallExpr>(call)) {`
`37`		`- std::optional<bool> IsGetterOfRefCt = isGetterOfRefCounted(memberCall->getMethodDecl());`
`38`		`- if (IsGetterOfRefCt && *IsGetterOfRefCt) {`
`39`		`- E = memberCall->getImplicitObjectArgument();`
`40`		`- if (StopAtFirstRefCountedObj) {`
`41`		`- return {E, true};`
	`37`	`+ if (auto *decl = memberCall->getMethodDecl()) {`
	`38`	`+ std::optional<bool> IsGetterOfRefCt =`
	`39`	`+ isGetterOfRefCounted(memberCall->getMethodDecl());`
	`40`	`+ if (IsGetterOfRefCt && *IsGetterOfRefCt) {`
	`41`	`+ E = memberCall->getImplicitObjectArgument();`
	`42`	`+ if (StopAtFirstRefCountedObj) {`
	`43`	`+ return {E, true};`
	`44`	`+ }`
	`45`	`+ continue;`
`42`	`46`	`}`
`43`		`- continue;`
`44`	`47`	`}`
`45`	`48`	`}`
`46`	`49`