From 3e4e598ffcd331d5d5fb2a16f3add247773b2537 Mon Sep 17 00:00:00 2001
From: Jordan Rose <jordan_rose@apple.com>
Date: Fri, 5 Sep 2014 16:33:51 +0000
Subject: [PATCH] [analyzer] Don't crash if malloc() has an unexpected function
 prototype.

Patch by Daniel Fahlgren!

git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@217258 91177308-0d34-0410-b5e6-96231b3b80d8
---
 lib/StaticAnalyzer/Checkers/MallocChecker.cpp |  8 ++++----
 test/Analysis/malloc-protoype.c               | 17 +++++++++++++++++
 2 files changed, 21 insertions(+), 4 deletions(-)
 create mode 100644 test/Analysis/malloc-protoype.c

diff --git a/lib/StaticAnalyzer/Checkers/MallocChecker.cpp b/lib/StaticAnalyzer/Checkers/MallocChecker.cpp
index 7dd18d56651..31c30dcf283 100644
--- a/lib/StaticAnalyzer/Checkers/MallocChecker.cpp
+++ b/lib/StaticAnalyzer/Checkers/MallocChecker.cpp
@@ -901,6 +901,10 @@ ProgramStateRef MallocChecker::MallocMemAux(CheckerContext &C,
                                            ProgramStateRef State,
                                            AllocationFamily Family) {
 
+  // We expect the malloc functions to return a pointer.
+  if (!Loc::isLocType(CE->getType()))
+    return nullptr;
+
   // Bind the return value to the symbolic value from the heap region.
   // TODO: We could rewrite post visit to eval call; 'malloc' does not have
   // side effects other than what we model here.
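Review bot: The comment on the new guard at the top of MallocMemAux says a pointer is expected, but not why the check has to run before the return value is conjured and bound. A maintainer could move it back below the `castAs<DefinedSVal>()` call and reintroduce the crash. I would write it as `// Bail out before conjuring the heap symbol: with a non-location return type (e.g. a user-declared 'void malloc(int)') the value built below is not a usable DefinedSVal.`, assuming that is indeed the failure this commit fixes. Note also that `Loc::isLocType` may accept more than plain pointer types, so "location type" is probably the more accurate wording than "pointer". The early `return nullptr` relies on every caller tolerating a null `ProgramStateRef`; those callers and the rest of the function body are outside this hunk, so that is worth confirming.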
@@ -911,10 +915,6 @@ ProgramStateRef MallocChecker::MallocMemAux(CheckerContext &C,
       .castAs<DefinedSVal>();
   State = State->BindExpr(CE, C.getLocationContext(), RetVal);
 
-  // We expect the malloc functions to return a pointer.
-  if (!RetVal.getAs<Loc>())
-    return nullptr;
-
   // Fill the region with the initialization value.
   State = State->bindDefault(RetVal, Init);
 
diff --git a/test/Analysis/malloc-protoype.c b/test/Analysis/malloc-protoype.c
new file mode 100644
index 00000000000..f056f0f2855
--- /dev/null
+++ b/test/Analysis/malloc-protoype.c
@@ -0,0 +1,17 @@
+// RUN: %clang_cc1 -w -analyze -analyzer-checker=core,unix.Malloc -verify %s
+// expected-no-diagnostics
+
+// Test that strange prototypes doesn't crash the analyzer
+
+void malloc(int i);
+void valloc(int i);
+
+void test1()
+{
+  malloc(1);
+}
+
+void test2()
+{
+  valloc(1);
+}
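Review bot: Both declarations in this regression test return `void`, so the test exercises only one kind of non-location type, while the new guard in MallocMemAux rejects every type that `Loc::isLocType` refuses. Changing one of them to a scalar return, e.g. `int valloc(int i);`, would also cover the case where the call expression has a real but non-pointer value. This assumes the checker still matches the function by name. The file name `malloc-protoype.c` is misspelled (`malloc-prototype.c`), which makes the test harder to find by search. The header comment should read `// Test that strange prototypes don't crash the analyzer`.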
-- 
GitLab