Fix crash with garbage code (#2547)

2020-02-20 23:53:28 -06:00 · 2020-02-20 23:53:28 -06:00 · b25709a492
parent 2708a54c49
commit b25709a492
2 changed files with 13 additions and 1 deletions
--- a/lib/forwardanalyzer.cpp
+++ b/lib/forwardanalyzer.cpp
@ -68,7 +68,7 @@ struct ForwardTraversal {

    template<class T, class F, REQUIRES("T must be a Token class", std::is_convertible<T*, const Token*>)>
    Progress traverseConditional(T* tok, F f, bool traverseUnknown) {
-        if (Token::Match(tok, "?|&&|%oror%")) {
+        if (Token::Match(tok, "?|&&|%oror%") && tok->astOperand1() && tok->astOperand2()) {
            T* condTok = tok->astOperand1();
            if (traverseRecursive(condTok, f, traverseUnknown) == Progress::Break)
                return Progress::Break;
--- a/test/testgarbage.cpp
+++ b/test/testgarbage.cpp
@ -245,6 +245,7 @@ private:
        TEST_CASE(garbageCode211); // #8764
        TEST_CASE(garbageCode212); // #8765
        TEST_CASE(garbageCode213); // #8758
+        TEST_CASE(garbageCode214);

        TEST_CASE(garbageCodeFuzzerClientMode1); // test cases created with the fuzzer client, mode 1

@ -1666,6 +1667,17 @@ private:
        ASSERT_THROW(checkCode("{\"\"[(1||)];}"), InternalError);
    }

+    void garbageCode214() {
+        checkCode("void\n"
+                  "f(a, b, h)\n"
+                  "struct g *a; {\n"
+                  "    long e;\n"
+                  "    if (e) {\n"
+                  "        (void) d((long) !b, c ? FALSE : TRUE);\n"
+                  "    }\n"
+                  "}\n");
+    }
+
    void syntaxErrorFirstToken() {
        ASSERT_THROW(checkCode("&operator(){[]};"), InternalError); // #7818
        ASSERT_THROW(checkCode("*(*const<> (size_t); foo) { } *(*const (size_t)() ; foo) { }"), InternalError); // #6858