[clang-tidy] fix nullptr dereference in bugprone-forwarding-reference (#106856)

5chmidti · web-flow · commit 6357781e3f9f · 2024-09-17T10:42:07.000+02:00
Previously, when checking if a `TemplateSpecializationType` is either `enable_if` or `enable_if_t`, the AST matcher would call `getTemplateName`, `getASTemplateDecl` and `getTemplatedDecl` in succession to check the `NamedDecl` returned from `getTemplatedDecl` is an `std::enable_if[_t]`. In the linked issue, the pointer returned by `getTemplatedDecl` is a `nullptr` that is unconditionally accessed, resulting in a crash. Instead, the checking is done on the `TemplateDecl` returned by `getASTemplateDecl`. Fixes #106333
diff --git a/clang-tools-extra/clang-tidy/bugprone/ForwardingReferenceOverloadCheck.cpp b/clang-tools-extra/clang-tidy/bugprone/ForwardingReferenceOverloadCheck.cpp
@@ -9,7 +9,6 @@
 #include "ForwardingReferenceOverloadCheck.h"
 #include "clang/AST/ASTContext.h"
 #include "clang/ASTMatchers/ASTMatchFinder.h"
-#include <algorithm>
 
 using namespace clang::ast_matchers;
 
@@ -19,14 +18,14 @@ namespace {
 // Check if the given type is related to std::enable_if.
 AST_MATCHER(QualType, isEnableIf) {
   auto CheckTemplate = [](const TemplateSpecializationType *Spec) {
-    if (!Spec || !Spec->getTemplateName().getAsTemplateDecl()) {
+    if (!Spec)
       return false;
-    }
-    const NamedDecl *TypeDecl =
-        Spec->getTemplateName().getAsTemplateDecl()->getTemplatedDecl();
-    return TypeDecl->isInStdNamespace() &&
-           (TypeDecl->getName() == "enable_if" ||
-            TypeDecl->getName() == "enable_if_t");
+
+    const TemplateDecl *TDecl = Spec->getTemplateName().getAsTemplateDecl();
+
+    return TDecl && TDecl->isInStdNamespace() &&
+           (TDecl->getName() == "enable_if" ||
+            TDecl->getName() == "enable_if_t");
   };
   const Type *BaseType = Node.getTypePtr();
   // Case: pointer or reference to enable_if.
diff --git a/clang-tools-extra/docs/ReleaseNotes.rst b/clang-tools-extra/docs/ReleaseNotes.rst
@@ -111,6 +111,10 @@ Changes in existing checks
   <clang-tidy/checks/bugprone/casting-through-void>` check to suggest replacing
   the offending code with ``reinterpret_cast``, to more clearly express intent.
 
+- Improved :doc:`bugprone-forwarding-reference-overload
+  <clang-tidy/checks/bugprone/forwarding-reference-overload>` check by fixing
+  a crash when determining if an ``enable_if[_t]`` was found.
+
 - Improved :doc:`cert-flp30-c<clang-tidy/checks/cert/flp30-c>` check to 
   fix false positive that floating point variable is only used in increment
   expression.
diff --git a/clang-tools-extra/test/clang-tidy/checkers/bugprone/forwarding-reference-overload.cpp b/clang-tools-extra/test/clang-tidy/checkers/bugprone/forwarding-reference-overload.cpp
@@ -261,3 +261,9 @@ class Test11 {
   Test11(const Test11 &) = default;
   Test11(Test11 &&) = default;
 };
+
+template <template <class> typename T, typename U>
+struct gh106333
+{
+    gh106333(U && arg1, T<int> arg2) {}
+};
