Null pointer derefence on function pointer parameter with bounds

[john-h-kastner]

void (*fn)(_Array_ptr<char> buf : count(l), unsigned int l);

cc@work:~/checkedc-porting/vsftpd-3.0.2/reduce$ 3c netstr.h
 #0 0x0000556701372c2f llvm::sys::PrintStackTrace(llvm::raw_ostream&) /home/cc/checkedc-clang/llvm/build/../lib/Support/Unix/Signals.inc:564:22
 #1 0x0000556701372cc6 PrintStackTraceSignalHandler(void*) /home/cc/checkedc-clang/llvm/build/../lib/Support/Unix/Signals.inc:625:1
 #2 0x0000556701370a19 llvm::sys::RunSignalHandlers() /home/cc/checkedc-clang/llvm/build/../lib/Support/Signals.cpp:68:20
 #3 0x0000556701372577 SignalHandler(int) /home/cc/checkedc-clang/llvm/build/../lib/Support/Unix/Signals.inc:406:1
 #4 0x00007f517e8db420 __restore_rt (/lib/x86_64-linux-gnu/libpthread.so.0+0x15420)
 #5 0x00005567013adb8a ProgramVar::isNumConstant() /home/cc/checkedc-clang/clang/include/clang/3C/ProgramVar.h:409:33
 #6 0x0000556701559c32 ABounds::getBoundsInfo(AVarBoundsInfo*, clang::BoundsExpr*, clang::ASTContext const&) /home/cc/checkedc-clang/clang/lib/3C/ABounds.cpp:34:31
 #7 0x000055670196f37e PointerVariableConstraint::PointerVariableConstraint(clang::QualType const&, clang::DeclaratorDecl*, std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >, ProgramInfo&, clang::ASTContext const&, std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >*, int, bool, clang::TypeSourceInfo*, clang::QualType const&) /home/cc/checkedc-clang/clang/lib/3C/ConstraintVariables.cpp:258:49
 #8 0x0000556701978e10 FVComponentVariable::FVComponentVariable(clang::QualType const&, clang::QualType const&, clang::DeclaratorDecl*, std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >, ProgramInfo&, clang::ASTContext const&, std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >*, bool) /home/cc/checkedc-clang/clang/lib/3C/ConstraintVariables.cpp:2102:56
 #9 0x0000556701973973 FunctionVariableConstraint::FunctionVariableConstraint(clang::Type const*, clang::DeclaratorDecl*, std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >, ProgramInfo&, clang::ASTContext const&, clang::TypeSourceInfo*) /home/cc/checkedc-clang/clang/lib/3C/ConstraintVariables.cpp:1095:83
#10 0x00005567019706a6 PointerVariableConstraint::PointerVariableConstraint(clang::QualType const&, clang::DeclaratorDecl*, std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >, ProgramInfo&, clang::ASTContext const&, std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >*, int, bool, clang::TypeSourceInfo*, clang::QualType const&) /home/cc/checkedc-clang/clang/lib/3C/ConstraintVariables.cpp:515:33
#11 0x000055670196ecca PointerVariableConstraint::PointerVariableConstraint(clang::TypedefDecl*, ProgramInfo&, clang::ASTContext const&) /home/cc/checkedc-clang/clang/lib/3C/ConstraintVariables.cpp:162:60
#12 0x0000556701a79490 ProgramInfo::addTypedef(PersistentSourceLoc, bool, clang::TypedefDecl*, clang::ASTContext&) /home/cc/checkedc-clang/clang/lib/3C/ProgramInfo.cpp:1173:7
#13 0x000055670160e33a VariableAdderVisitor::VisitTypedefDecl(clang::TypedefDecl*) /home/cc/checkedc-clang/clang/lib/3C/ConstraintBuilder.cpp:583:26
#14 0x00005567016a49ea clang::RecursiveASTVisitor<VariableAdderVisitor>::WalkUpFromTypedefDecl(clang::TypedefDecl*) /home/cc/checkedc-clang/llvm/build/tools/clang/include/clang/AST/DeclNodes.inc:315:1
#15 0x0000556701638051 clang::RecursiveASTVisitor<VariableAdderVisitor>::TraverseTypedefDecl(clang::TypedefDecl*) /home/cc/checkedc-clang/clang/include/clang/AST/RecursiveASTVisitor.h:1794:1
#16 0x0000556701613ded clang::RecursiveASTVisitor<VariableAdderVisitor>::TraverseDecl(clang::Decl*) /home/cc/checkedc-clang/llvm/build/tools/clang/include/clang/AST/DeclNodes.inc:315:1
#17 0x00005567015fff76 VariableAdderConsumer::HandleTranslationUnit(clang::ASTContext&) /home/cc/checkedc-clang/clang/lib/3C/ConstraintBuilder.cpp:643:35
#18 0x000055670137af84 _3CInterface::addVariables() /home/cc/checkedc-clang/clang/lib/3C/3C.cpp:361:24
#19 0x0000556700dddcf9 main /home/cc/checkedc-clang/clang/tools/3c/3CStandalone.cpp:340:7
#20 0x00007f517e35c0b3 __libc_start_main /build/glibc-YbNSs7/glibc-2.31/csu/../csu/libc-start.c:342:3
#21 0x0000556700ddd68e _start (/home/cc/checkedc-clang/llvm/build/bin/3c+0x3d4068e)
Segmentation fault (core dumped)

[mattmccutchen-cci]

#523 was another null dereference on a ProgramVar::isNumConstant call. Aravind's fix there was to make the code conditional on the ProgramVar not being null, but I don't know if that's appropriate for all code blocks that are currently conditional on isNumConstant. We should probably try to understand the conditions under which the ProgramVar can be null and then fix all the call sites at once. (Is there a static analysis we can use to help catch these null dereferences?)