[analyzer] GenericTaint: Don't expect CallEvent to always have a Decl.

haoNoQ · haoNoQ · commit 878194414107 · 2020-04-20T15:31:43.000+03:00
This isn't the case when the callee is completely unknown,
eg. when it is a symbolic function pointer.
diff --git a/clang/lib/StaticAnalyzer/Checkers/GenericTaintChecker.cpp b/clang/lib/StaticAnalyzer/Checkers/GenericTaintChecker.cpp
@@ -110,7 +110,9 @@ class GenericTaintChecker : public Checker<check::PreCall, check::PostCall> {
 
     static Optional<FunctionData> create(const CallEvent &Call,
                                          const CheckerContext &C) {
-      assert(Call.getDecl());
+      if (!Call.getDecl())
+        return None;
+
       const FunctionDecl *FDecl = Call.getDecl()->getAsFunction();
       if (!FDecl || (FDecl->getKind() != Decl::Function &&
                      FDecl->getKind() != Decl::CXXMethod))
diff --git a/clang/test/Analysis/taint-generic.c b/clang/test/Analysis/taint-generic.c
@@ -390,3 +390,7 @@ void testConfigurationSinks() {
   mySink(1, 2, x);
   // expected-warning@-1 {{Untrusted data is passed to a user-defined sink}}
 }
+
+void testUnknownFunction(void (*foo)(void)) {
+  foo(); // no-crash
+}

Original file line number	Diff line number	Diff line change
`@@ -390,3 +390,7 @@ void testConfigurationSinks() {`
`390`	`390`	`mySink(1, 2, x);`
`391`	`391`	`// expected-warning@-1 {{Untrusted data is passed to a user-defined sink}}`
`392`	`392`	`}`
	`393`	`+`
	`394`	`+void testUnknownFunction(void (*foo)(void)) {`
	`395`	`+ foo(); // no-crash`
	`396`	`+}`