From 8b27f1c216f99d45a019811e430a2479767c4c17 Mon Sep 17 00:00:00 2001
From: Paul Fultz II
Date: Sat, 11 Apr 2020 06:56:53 -0500
Subject: [PATCH] Fix issue 9667: crash: crash in valueflow for weird code where label address is returned (#2602)
---
 lib/forwardanalyzer.cpp | 2 +-
 test/testvalueflow.cpp | 10 ++++++++++
 2 files changed, 11 insertions(+), 1 deletion(-)
diff --git a/lib/forwardanalyzer.cpp b/lib/forwardanalyzer.cpp
index 383cfb053..49bc5aeed 100644
--- a/lib/forwardanalyzer.cpp
+++ b/lib/forwardanalyzer.cpp
@@ -34,7 +34,7 @@ struct ForwardTraversal {
 if (out)
 *out = tok->link();
 return Progress::Skip;
- } else if (Token::Match(tok, "?|&&|%oror%")) {
+ } else if (Token::Match(tok, "?|&&|%oror%") && tok->astOperand1() && tok->astOperand2()) {
 if (traverseConditional(tok, f, traverseUnknown) == Progress::Break)
 return Progress::Break;
 if (out)
diff --git a/test/testvalueflow.cpp b/test/testvalueflow.cpp
index ce3a30995..23d1dde0b 100644
--- a/test/testvalueflow.cpp
+++ b/test/testvalueflow.cpp
@@ -4488,6 +4488,16 @@ private:
 " };\n"
 "}\n";
 valueOfTok(code, "x");
+
+ code = "void *foo(void *x);\n"
+ "void *foo(void *x)\n"
+ "{\n"
+ " if (!x)\n"
+ "yes:\n"
+ " return &&yes;\n"
+ " return x;\n"
+ "}\n";
+ valueOfTok(code, "x");
 }

 void valueFlowHang() {
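Review bot: The added operand check on the `?|&&|%oror%` branch has no comment saying which input produces an operator token with a missing operand, so a later cleanup could drop it as redundant. Judging by the test in this commit, the case is the GNU address-of-label form (`return &&yes;`), where `&&` is unary; I would add `// unary '&&' (address of label, #9667) has no astOperand2(); do not treat it as a conditional` above the branch. Because the analyzer runs on whatever source it is handed, unusual code that crashes it takes the whole check down. If traverseConditional has other callers, it may be worth checking the operands inside it as well; that function and the rest of this if/else chain lie outside the hunk.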
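Review bot: The new case in this test discards the result of `valueOfTok(code, "x")` and carries no ticket reference, so nothing in the file says it is a crash regression for issue 9667. A one-line comment such as `// #9667: '&&yes' (address of label) must not crash value flow` before the `code = ...` assignment would keep it traceable. Only the unary `&&` shape is covered; whether `?` or `||` can reach the same branch without both operands is not shown here, so a further snippet would need a known reproducer. The enclosing test function begins above the hunk.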