From 15577004c700045530a5dc5e310da1fb630a5931 Mon Sep 17 00:00:00 2001 
From: firewave Date: Wed, 21 Feb 2024 23:56:35 +0100 Subject: [PATCH] fixed fuzzing crash exposed by minimized `crash-9ef938bba7d752386e24f2438c73cec66f6b972b` ==58998==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000050 (pc 0x57edaa7f0739 bp 0x7ca98cedfa40 sp 0x7ffc632b1e20 T0) ==58998==The signal is caused by a READ memory access. ==58998==Hint: address points to the zero page. #0 0x57edaa7f0739 in Token::exprId() const lib/token.h:884 #1 0x57edaa7f0739 in programMemoryParseCondition(ProgramMemory&, Token const*, Token const*, Settings const*, bool) build/programmemory.cpp:523 #2 0x57edaa7f0e77 in programMemoryParseCondition(ProgramMemory&, Token const*, Token const*, Settings const*, bool) build/programmemory.cpp:507 #3 0x57edaa7f2f44 in fillProgramMemoryFromConditions build/programmemory.cpp:550 #4 0x57edaa7f7e18 in fillProgramMemoryFromConditions build/programmemory.cpp:556 #5 0x57edaa7f7e18 in ProgramMemoryState::addState(Token const*, std::unordered_map, std::allocator > > const&) build/programmemory.cpp:671 #6 0x57eda9b5575a in ValueFlowAnalyzer::updateState(Token const*) build/valueflow.cpp:4718 #7 0x57edaa62ee68 in valueFlowGenericForward(Token*, Token const*, ValuePtr const&, TokenList const&, ErrorLogger*, Settings const&) build/forwardanalyzer.cpp:1174 #8 0x57eda9a127cc in valueFlowForward build/valueflow.cpp:3791 #9 0x57eda9a29d40 in valueFlowSymbolic build/valueflow.cpp:7185 #10 0x57eda9b53bbb in ValueFlowPassRunner::run(ValuePtr const&) const build/valueflow.cpp:11100 #11 0x57eda99db80b in ValueFlowPassRunner::run_once(std::initializer_list >) const::{lambda(ValuePtr const&)#1}::operator()(ValuePtr const&) const build/valueflow.cpp:11057 #12 0x57eda99db80b in bool __gnu_cxx::__ops::_Iter_pred >) const::{lambda(ValuePtr const&)#1}>::operator() const*>(ValuePtr const*) /usr/include/c++/13.2.1/bits/predefined_ops.h:318 #13 0x57eda99db80b in ValuePtr const* std::__find_if const*, __gnu_cxx::__ops::_Iter_pred >) const::{lambda(ValuePtr 
const&)#1}> >(ValuePtr const*, ValuePtr const*, __gnu_cxx::__ops::_Iter_pred >) const::{lambda(ValuePtr const&)#1}>, std::random_access_iterator_tag) /usr/include/c++/13.2.1/bits/stl_algobase.h:2080 #14 0x57eda9a456ad in ValuePtr const* std::__find_if const*, __gnu_cxx::__ops::_Iter_pred >) const::{lambda(ValuePtr const&)#1}> >(ValuePtr const*, ValuePtr const*, __gnu_cxx::__ops::_Iter_pred >) const::{lambda(ValuePtr const&)#1}>) /usr/include/c++/13.2.1/bits/stl_algobase.h:2117 #15 0x57eda9a456ad in ValuePtr const* std::find_if const*, ValueFlowPassRunner::run_once(std::initializer_list >) const::{lambda(ValuePtr const&)#1}>(ValuePtr const*, ValuePtr const*, ValueFlowPassRunner::run_once(std::initializer_list >) const::{lambda(ValuePtr const&)#1}) /usr/include/c++/13.2.1/bits/stl_algo.h:3923 #16 0x57eda9a456ad in bool std::none_of const*, ValueFlowPassRunner::run_once(std::initializer_list >) const::{lambda(ValuePtr const&)#1}>(ValuePtr const*, ValuePtr const*, ValueFlowPassRunner::run_once(std::initializer_list >) const::{lambda(ValuePtr const&)#1}) /usr/include/c++/13.2.1/bits/stl_algo.h:477 #17 0x57eda9a456ad in bool std::any_of const*, ValueFlowPassRunner::run_once(std::initializer_list >) const::{lambda(ValuePtr const&)#1}>(ValuePtr const*, ValuePtr const*, ValueFlowPassRunner::run_once(std::initializer_list >) const::{lambda(ValuePtr const&)#1}) /usr/include/c++/13.2.1/bits/stl_algo.h:496 #18 0x57eda9a456ad in ValueFlowPassRunner::run_once(std::initializer_list >) const build/valueflow.cpp:11056 #19 0x57eda9a456ad in ValueFlow::setValues(TokenList&, SymbolDatabase&, ErrorLogger*, Settings const&, TimerResultsIntf*) build/valueflow.cpp:11226 #20 0x57eda9de4bf7 in Tokenizer::simplifyTokens1(std::__cxx11::basic_string, std::allocator > const&) build/tokenize.cpp:10711 #21 0x57edaa593646 in CppCheck::checkFile(std::__cxx11::basic_string, std::allocator > const&, std::__cxx11::basic_string, std::allocator > const&, std::istream*) build/cppcheck.cpp:909 #22 
0x57edaa5979c2 in CppCheck::check(std::__cxx11::basic_string, std::allocator > const&) build/cppcheck.cpp:555 #23 0x57edaaa60c73 in SingleExecutor::check() cli/singleexecutor.cpp:53 #24 0x57edaaa28191 in CppCheckExecutor::check_internal(CppCheck&) const cli/cppcheckexecutor.cpp:275 #25 0x57edaaa33f7d in CppCheckExecutor::check_wrapper(CppCheck&) cli/cppcheckexecutor.cpp:217 #26 0x57edaaa33f7d in CppCheckExecutor::check(int, char const* const*) cli/cppcheckexecutor.cpp:201 #27 0x57eda9928926 in main cli/main.cpp:91 #28 0x7ca98f643ccf (/usr/lib/libc.so.6+0x29ccf) (BuildId: 0865c4b9ba13e0094e8b45b78dfc7a2971f536d2) #29 0x7ca98f643d89 in __libc_start_main (/usr/lib/libc.so.6+0x29d89) (BuildId: 0865c4b9ba13e0094e8b45b78dfc7a2971f536d2) #30 0x57eda9929344 in _start (/home/user/CLionProjects/cppcheck-rider/cppcheck+0x1f9344) (BuildId: f47a6a1e6b1bf052078202ec15cb5a1444d5c459)
---
 lib/programmemory.cpp | 2 ++
 1 file changed, 2 insertions(+)
diff --git a/lib/programmemory.cpp b/lib/programmemory.cpp
index b5558233206f..0f5d4cec960e 100644
--- a/lib/programmemory.cpp
+++ b/lib/programmemory.cpp
@@ -274,6 +274,8 @@ static bool isBasicForLoop(const Token* tok)
 void programMemoryParseCondition(ProgramMemory& pm, const Token* tok, const Token* endTok, const Settings* settings, bool then)
 {
 auto eval = [&](const Token* t) -> std::vector {
+ if (!t)
+ return std::vector{};
 if (t->hasKnownIntValue())
 return {t->values().front().intvalue};
 MathLib::bigint result = 0;
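Review bot: The null guard added at the top of the `eval` lambda has no comment saying why a null `Token*` can reach it, and the ASan trace in the message faults in `Token::exprId()` via build/programmemory.cpp:523, a line number that does not line up with this hunk's `@@ -274` range, so it is not visible here that the lambda is the dereference the fuzzer hit; worth confirming under ASan that the minimized `crash-9ef938bba7d752386e24f2438c73cec66f6b972b` input no longer triggers the SEGV after this change. The diffstat shows only lib/programmemory.cpp changed, so no regression test accompanies the fix; the minimized input should land as a test case so the crash cannot silently return. A one-line comment above the guard would help the next reader, e.g. `// a missing AST operand (malformed input) is evaluated as "no known value" rather than dereferenced`. For consistency with the existing `return {t->values().front().intvalue};` two lines below, the early return reads more naturally as `return {};`. The body of programMemoryParseCondition continues past the end of the hunk.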