[clang-tidy] fix nullptr dereference in bugprone-forwarding-reference (#106856)

Previously, when checking if a `TemplateSpecializationType` is either `enable_if` or `enable_if_t`, the AST matcher would call `getTemplateName`, `getASTemplateDecl` and `getTemplatedDecl` in succession to check the `NamedDecl` returned from `getTemplatedDecl` is an `std::enable_if[_t]`. In the linked issue, the pointer returned by `getTemplatedDecl` is a `nullptr` that is unconditionally accessed, resulting in a crash. Instead, the checking is done on the `TemplateDecl` returned by `getASTemplateDecl`. Fixes #106333
2024-09-17 10:42:07 +02:00
parent 3e32e45591
commit 6357781e3f
3 changed files with 17 additions and 8 deletions
--- a/clang-tools-extra/clang-tidy/bugprone/ForwardingReferenceOverloadCheck.cpp
+++ b/clang-tools-extra/clang-tidy/bugprone/ForwardingReferenceOverloadCheck.cpp
@@ -9,7 +9,6 @@
 #include "ForwardingReferenceOverloadCheck.h"
 #include "clang/AST/ASTContext.h"
 #include "clang/ASTMatchers/ASTMatchFinder.h"
-#include <algorithm>

 using namespace clang::ast_matchers;

@@ -19,14 +18,14 @@ namespace {
 // Check if the given type is related to std::enable_if.
 AST_MATCHER(QualType, isEnableIf) {
  auto CheckTemplate = [](const TemplateSpecializationType *Spec) {
-    if (!Spec || !Spec->getTemplateName().getAsTemplateDecl()) {
+    if (!Spec)
      return false;
-    }
-    const NamedDecl *TypeDecl =
-        Spec->getTemplateName().getAsTemplateDecl()->getTemplatedDecl();
-    return TypeDecl->isInStdNamespace() &&
-           (TypeDecl->getName() == "enable_if" ||
-            TypeDecl->getName() == "enable_if_t");
+
+    const TemplateDecl *TDecl = Spec->getTemplateName().getAsTemplateDecl();
+
+    return TDecl && TDecl->isInStdNamespace() &&
+           (TDecl->getName() == "enable_if" ||
+            TDecl->getName() == "enable_if_t");
  };
  const Type *BaseType = Node.getTypePtr();
  // Case: pointer or reference to enable_if.
--- a/clang-tools-extra/docs/ReleaseNotes.rst
+++ b/clang-tools-extra/docs/ReleaseNotes.rst
@@ -111,6 +111,10 @@ Changes in existing checks
  <clang-tidy/checks/bugprone/casting-through-void>` check to suggest replacing
  the offending code with ``reinterpret_cast``, to more clearly express intent.

+- Improved :doc:`bugprone-forwarding-reference-overload
+  <clang-tidy/checks/bugprone/forwarding-reference-overload>` check by fixing
+  a crash when determining if an ``enable_if[_t]`` was found.
+
 - Improved :doc:`cert-flp30-c<clang-tidy/checks/cert/flp30-c>` check to 
  fix false positive that floating point variable is only used in increment
  expression.
--- a/clang-tools-extra/test/clang-tidy/checkers/bugprone/forwarding-reference-overload.cpp
+++ b/clang-tools-extra/test/clang-tidy/checkers/bugprone/forwarding-reference-overload.cpp
@@ -261,3 +261,9 @@ public:
  Test11(const Test11 &) = default;
  Test11(Test11 &&) = default;
 };
+
+template <template <class> typename T, typename U>
+struct gh106333
+{
+    gh106333(U && arg1, T<int> arg2) {}
+};