From 2dd6c75b35d8782500f054318add945d2330e378 Mon Sep 17 00:00:00 2001
From: chrchr-github <78114321+chrchr-github@users.noreply.github.com>
Date: Thu, 3 Mar 2022 17:08:23 +0100
Subject: [PATCH] Fix #10838 Crash/nullptr deref in getEndOfExprScope() (#3870)
* Fix #10838 Crash/nullptr deref in getEndOfExprScope()
* Format
---
 lib/valueflow.cpp | 2 ++
 test/testvalueflow.cpp | 13 +++++++++++++
 2 files changed, 15 insertions(+)
diff --git a/lib/valueflow.cpp b/lib/valueflow.cpp
index 3ac241912..5e899695a 100644
--- a/lib/valueflow.cpp
+++ b/lib/valueflow.cpp
@@ -3522,6 +3522,8 @@ static void valueFlowForwardLifetime(Token * tok, TokenList *tokenlist, ErrorLog
 return;
 const Token* expr = getLHSVariableToken(parent);
+ if (!expr)
+ return;
 const Token* endOfVarScope = getEndOfExprScope(expr);
diff --git a/test/testvalueflow.cpp b/test/testvalueflow.cpp
index 3e2669979..4c17858ec 100644
--- a/test/testvalueflow.cpp
+++ b/test/testvalueflow.cpp
@@ -700,6 +700,19 @@ private:
 "};\n";
 lifetimes = lifetimeValues(code, "=");
 ASSERT_EQUALS(true, lifetimes.empty());
+
+ code = "struct T {\n" // #10838
+ " void f();\n"
+ " double d[4][4];\n"
+ "};\n"
+ "void T::f() {\n"
+ " auto g = [this]() -> double(&)[4] {\n"
+ " double(&q)[4] = d[0];\n"
+ " return q;\n"
+ " };\n"
+ "}\n";
+ lifetimes = lifetimeValues(code, "return"); // don't crash
+ ASSERT_EQUALS(true, lifetimes.empty());
 }
 void valueFlowArrayElement() {
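Review bot: The new `if (!expr) return;` in lib/valueflow.cpp guards only this one call site, while the commit title places the null dereference inside getEndOfExprScope(), so any other caller that passes an unchecked token would presumably still crash; those callers are not visible in this hunk. A comment on the guard would record why the left-hand side can be missing, for example `// getLHSVariableToken() may return nullptr, e.g. for a reference-to-array declarator (#10838)`, which is what the test input in this commit suggests. It is also worth checking whether getEndOfExprScope() should reject a null token itself, since a crash on unusual but valid input aborts the whole analysis run. valueFlowForwardLifetime() starts and ends outside the hunk.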
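Review bot: In test/testvalueflow.cpp the new case asserts `lifetimes.empty()` at `return`, which pins more than the `// don't crash` comment promises. If lifetime tracking for `q` (a reference into the member `d`) is added later, this assertion would fail although nothing regressed. A comment such as `// no lifetime is tracked for q at present; this case only checks that analysis completes` would make the intent explicit. The enclosing test function begins before the hunk.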