BUG: static_analyzer crash
void0red opened this issue · 1 comment
void0red commented
There is no check for a null pointer here, so the program will crash afterwards.
Root Cause:
In some versions (at least llvm-14.*), LLVM will optimize some code, e.g. https://elixir.bootlin.com/linux/v5.18-rc1/source/include/linux/device.h#L249
static inline int devm_add_action_or_reset(struct device *dev,
                                           void (*action)(void *), void *data)
{
        int ret;

        ret = devm_add_action(dev, action, data);
        if (ret)
                action(data);

        return ret;
}
define internal fastcc i32 @devm_add_action_or_reset(%struct.device* noundef %0, i8* noundef %1) unnamed_addr #7 align 64 {
  %3 = tail call i32 @devm_add_action(%struct.device* noundef %0, void (i8*)* noundef nonnull @anx7625_runtime_disable, i8* noundef %1) #11
  %4 = icmp eq i32 %3, 0
  br i1 %4, label %7, label %5

5:                                                ; preds = %2
  %6 = bitcast i8* %1 to %struct.device*
  tail call void @__pm_runtime_use_autosuspend(%struct.device* noundef %6, i1 noundef zeroext false) #11
  tail call void @__pm_runtime_disable(%struct.device* noundef %6, i1 noundef zeroext true) #11
  br label %7

7:                                                ; preds = %5, %2
  ret i32 %3
}
At the call site:
%299 = call fastcc i32 @devm_add_action_or_reset(%struct.device* noundef %6, i8* noundef %298) #14
So we can't find the function pointer through the 1st argument at the call site.
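The lookup the report describes, as an added example that is neither PrIntFuzz's code nor the reporter's: a small Python sketch over textual LLVM IR that resolves the action callback registered through a devm_add_action_or_reset-style wrapper. It handles both shapes, the un-specialised wrapper where the callback is an operand of the call itself, and the specialised one quoted above, where LLVM has dropped the parameter and the pointer only appears inside the callee's body; when neither yields a constant @symbol it returns None instead of indexing an operand that is not there. The IR module is constructed from the fragments quoted above; @generic_add_action_or_reset, @probe, @my_disable and %fp are hypothetical additions, and the function-pointer detection relies on typed-pointer IR of the kind LLVM 14 emits (with opaque `ptr` types in LLVM 15 and later the `)*` hint disappears).

```python
import re
from typing import Dict, List, Optional, Tuple
# Constructed sample module (not real compiler output): the IR quoted in the issue, abridged,
# plus a hypothetical wrapper (@generic_add_action_or_reset), caller (@probe), callback (@my_disable) and %fp.
SAMPLE_IR = """
define internal fastcc i32 @devm_add_action_or_reset(%struct.device* noundef %0, i8* noundef %1) unnamed_addr #7 align 64 {
  %3 = tail call i32 @devm_add_action(%struct.device* noundef %0, void (i8*)* noundef nonnull @anx7625_runtime_disable, i8* noundef %1) #11
  %4 = icmp eq i32 %3, 0
  br i1 %4, label %7, label %5
  %6 = bitcast i8* %1 to %struct.device*
  tail call void @__pm_runtime_disable(%struct.device* noundef %6, i1 noundef zeroext true) #11
  ret i32 %3
}
define internal i32 @generic_add_action_or_reset(%struct.device* %0, void (i8*)* %1, i8* %2) {
  %4 = tail call i32 @devm_add_action(%struct.device* %0, void (i8*)* %1, i8* %2)
  ret i32 %4
}
define void @probe(%struct.device* %dev, i8* %ctx, void (i8*)* %fp) {
  %299 = call fastcc i32 @devm_add_action_or_reset(%struct.device* noundef %dev, i8* noundef %ctx) #14
  %300 = call i32 @generic_add_action_or_reset(%struct.device* %dev, void (i8*)* @my_disable, i8* %ctx)
  %301 = call i32 @generic_add_action_or_reset(%struct.device* %dev, void (i8*)* %fp, i8* %ctx)
  ret void
}
"""

DEFINE_RE = re.compile(r"^define\b.*?@([\w.$]+)\((.*)\)[^{]*\{$")
CALL_RE = re.compile(r"\bcall\b[^@]*@([\w.$]+)\((.*)\)")
Module = Dict[str, Tuple[List[str], List[str]]]  # name -> (parameter list, body lines)

def split_top_level(s: str) -> List[str]:
    """Split an operand list on commas that are not nested inside (), [], {} or <>."""
    parts, cur, depth = [], [], 0
    for ch in s:
        depth += (ch in "([{<") - (ch in ")]}>")
        if ch == "," and depth == 0:
            parts.append("".join(cur).strip())
            cur = []
        else:
            cur.append(ch)
    tail = "".join(cur).strip()
    return parts + [tail] if tail else parts

def parse_module(ir: str) -> Module:
    """Collect every *defined* function (a bare 'declare' has no body to inspect)."""
    funcs: Module = {}
    lines = [ln.strip() for ln in ir.splitlines()]
    i = 0
    while i < len(lines):
        m = DEFINE_RE.match(lines[i])
        if m:
            body: List[str] = []
            i += 1
            while i < len(lines) and lines[i] != "}":
                body.append(lines[i])
                i += 1
            funcs[m.group(1)] = (split_top_level(m.group(2)), body)
        i += 1
    return funcs

def fn_ptr_index(operands: List[str]) -> Optional[int]:
    """Index of the first operand typed as a pointer to a function, e.g. 'void (i8*)*' (typed-pointer IR only)."""
    return next((i for i, op in enumerate(operands) if ")*" in op), None)

def symbol_of(operand: str) -> Optional[str]:
    """'... @name' -> 'name'; an SSA value, null or anything else -> None."""
    value = operand.split()[-1]
    return value[1:] if value.startswith("@") else None

def resolve_action(funcs: Module, call_line: str) -> Optional[str]:
    """Callback registered by this call, or None when not statically known (never index a missing operand)."""
    m = CALL_RE.search(call_line)
    if not m:
        return None
    callee, args = m.group(1), split_top_level(m.group(2))
    if callee not in funcs:
        return None                               # only declared: nothing to inspect
    params, body = funcs[callee]
    idx = fn_ptr_index(params)
    if idx is not None:                           # un-specialised wrapper: operand of this call
        return symbol_of(args[idx]) if idx < len(args) else None
    # Specialised wrapper (the issue's case): LLVM dropped the parameter and hard-wired
    # the callback inside the body, so look for the devm_add_action call there.
    for line in body:
        inner = CALL_RE.search(line)
        if inner and inner.group(1) == "devm_add_action":
            inner_args = split_top_level(inner.group(2))
            j = fn_ptr_index(inner_args)
            return symbol_of(inner_args[j]) if j is not None else None
    return None

def resolve_all(ir: str, caller: str = "probe") -> Dict[str, Optional[str]]:
    """Resolve every value-producing call in `caller`; None marks an unresolved one."""
    funcs = parse_module(ir)
    out: Dict[str, Optional[str]] = {}
    for line in funcs[caller][1]:
        m = re.match(r"^(%[\w.]+)\s*=.*\bcall\b", line)
        if m:
            out[m.group(1)] = resolve_action(funcs, line)
    return out

if __name__ == "__main__":
    print(resolve_all(SAMPLE_IR))  # {'%299': 'anx7625_runtime_disable', '%300': 'my_disable', '%301': None}
```

The two checks this sketch makes are the ones an LLVM-API analyzer needs at the same point: confirm the call really has an operand at the index about to be read and that it is a function before casting it, and when the callee has already been specialised (no function-pointer parameter left) fall back to scanning its body for the registration call instead of dereferencing null. `%301` shows the honest answer for an indirect registration: unresolved, not a crash.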
ZheyuMa commented
Thanks for reporting the bug. This is actually a test function and has no effect on the functionality of PrIntFuzz. I forgot to remove them before the release, and some of the code may not have been updated; I have now removed them.