Fixed #5939 (fp: Possible null pointer dereference, after check against NULL in for loop)

2014-06-30 07:26:48 +02:00 · 2014-06-30 07:26:48 +02:00 · f1762f9ed6
parent df799f97c5
commit f1762f9ed6
2 changed files with 30 additions and 0 deletions
--- a/lib/valueflow.cpp
+++ b/lib/valueflow.cpp
@ -1095,6 +1095,22 @@ static bool valueFlowForLoop2(const Token *tok,
    if (error)
        return false;
    execute(secondExpression, &programMemory, &result, &error);
+    if (error) {
+        // If a variable is reassigned in second expression, return false
+        std::stack<const Token *> tokens;
+        tokens.push(secondExpression);
+        while (!tokens.empty()) {
+            const Token *t = tokens.top();
+            tokens.pop();
+            if (!t)
+                continue;
+            if (t->str() == "=" && programMemory.find(t->astOperand1()->varId()) != programMemory.end())
+                // TODO: investigate what variable is assigned.
+                return false;
+            tokens.push(t->astOperand1());
+            tokens.push(t->astOperand2());
+        }
+    }

    std::map<unsigned int, MathLib::bigint> startMemory(programMemory);
    std::map<unsigned int, MathLib::bigint> endMemory;
--- a/test/testvalueflow.cpp
+++ b/test/testvalueflow.cpp
@ -898,6 +898,20 @@ private:
               "        x;\n"
               "}";
        ASSERT_EQUALS(false, testValueOfX(code, 4U, 0));
+
+        code = "void f() {\n" // #5939
+               "    int x;\n"
+               "    for (int x = 0; (x = do_something()) != 0;)\n"
+               "        x;\n"
+               "}";
+        ASSERT_EQUALS(false, testValueOfX(code, 4U, 0));
+
+        code = "void f() {\n"
+               "    int x;\n"
+               "    for (int x = 0; x < 10 && y = do_something();)\n"
+               "        x;\n"
+               "}";
+        ASSERT_EQUALS(true, testValueOfX(code, 4U, 0));
    }

    void valueFlowSubFunction() {