[analyzer] Fix null deref in AnyFunctionCall::getRuntimeDefinition

Patch by: Rafael Stahl!

Differential Revision: https://reviews.llvm.org/D45564

llvm-svn: 330009

clang/lib/StaticAnalyzer/Core/CallEvent.cpp

@@ -389,9 +389,11 @@ ArrayRef<ParmVarDecl*> AnyFunctionCall::parameters() const {
 
 RuntimeDefinition AnyFunctionCall::getRuntimeDefinition() const {
   const FunctionDecl *FD = getDecl();
+  if (!FD)
+    return {};
+
   // Note that the AnalysisDeclContext will have the FunctionDecl with
   // the definition (if one exists).
-  if (FD) {
   AnalysisDeclContext *AD =
     getLocationContext()->getAnalysisDeclContext()->
     getManager()->getContext(FD);
@@ -406,14 +408,13 @@ RuntimeDefinition AnyFunctionCall::getRuntimeDefinition() const {
     const Decl* Decl = AD->getDecl();
     return RuntimeDefinition(Decl);
   }
-  }
 
   SubEngine *Engine = getState()->getStateManager().getOwningEngine();
   AnalyzerOptions &Opts = Engine->getAnalysisManager().options;
 
   // Try to get CTU definition only if CTUDir is provided.
   if (!Opts.naiveCTUEnabled())
-    return RuntimeDefinition();
+    return {};
 
   cross_tu::CrossTranslationUnitContext &CTUCtx =
       *Engine->getCrossTranslationUnitContext();

clang/test/Analysis/undef-call.c

@@ -0,0 +1,14 @@
+// RUN: %clang_cc1 -fsyntax-only -analyze -analyzer-checker=debug.ExprInspection -analyzer-config experimental-enable-naive-ctu-analysis=true -analyzer-config ctu-dir=%T/ctudir -verify %s
+// expected-no-diagnostics
+
+struct S {
+  void (*fp)();
+};
+
+int main() {
+  struct S s;
+  // This will cause the analyzer to look for a function definition that has
+  // no FunctionDecl. It used to cause a crash in AnyFunctionCall::getRuntimeDefinition.
+  // It would only occur when CTU analysis is enabled.
+  s.fp();
+}