From e8e29276b6864a489bf198c8fa29b1d08c176cc7 Mon Sep 17 00:00:00 2001
From: Artem Dergachev <artem.dergachev@gmail.com>
Date: Sat, 19 Oct 2019 01:50:43 +0000
Subject: [analyzer] Fix a crash on tracking Objective-C 'self' as a control
 dependency.

'self' was previously never tracked, but now it can be tracked
because it may be part of a condition.

git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@375328 91177308-0d34-0410-b5e6-96231b3b80d8
---
 lib/StaticAnalyzer/Core/BugReporterVisitors.cpp    | 19 ++++++++-----
 .../Analysis/track-control-dependency-conditions.m | 32 ++++++++++++++++++++++
 2 files changed, 44 insertions(+), 7 deletions(-)
 create mode 100644 test/Analysis/track-control-dependency-conditions.m

diff --git a/lib/StaticAnalyzer/Core/BugReporterVisitors.cpp b/lib/StaticAnalyzer/Core/BugReporterVisitors.cpp
index f1592ebff6..28382cd64f 100644
--- a/lib/StaticAnalyzer/Core/BugReporterVisitors.cpp
+++ b/lib/StaticAnalyzer/Core/BugReporterVisitors.cpp
@@ -1418,14 +1418,19 @@ FindLastStoreBRVisitor::VisitNode(const ExplodedNode *Succ,
     if (Optional<CallEnter> CE = Succ->getLocationAs<CallEnter>()) {
       if (const auto *VR = dyn_cast<VarRegion>(R)) {
 
-        const auto *Param = cast<ParmVarDecl>(VR->getDecl());
+        if (const auto *Param = dyn_cast<ParmVarDecl>(VR->getDecl())) {
+          ProgramStateManager &StateMgr = BRC.getStateManager();
+          CallEventManager &CallMgr = StateMgr.getCallEventManager();
 
-        ProgramStateManager &StateMgr = BRC.getStateManager();
-        CallEventManager &CallMgr = StateMgr.getCallEventManager();
-
-        CallEventRef<> Call = CallMgr.getCaller(CE->getCalleeContext(),
-                                                Succ->getState());
-        InitE = Call->getArgExpr(Param->getFunctionScopeIndex());
+          CallEventRef<> Call = CallMgr.getCaller(CE->getCalleeContext(),
+                                                  Succ->getState());
+          InitE = Call->getArgExpr(Param->getFunctionScopeIndex());
+        } else {
+          // Handle Objective-C 'self'.
+          assert(isa<ImplicitParamDecl>(VR->getDecl()));
+          InitE = cast<ObjCMessageExpr>(CE->getCalleeContext()->getCallSite())
+                      ->getInstanceReceiver()->IgnoreParenCasts();
+        }
         IsParam = true;
       }
     }
diff --git a/test/Analysis/track-control-dependency-conditions.m b/test/Analysis/track-control-dependency-conditions.m
new file mode 100644
index 0000000000..05b0638a5e
--- /dev/null
+++ b/test/Analysis/track-control-dependency-conditions.m
@@ -0,0 +1,32 @@
+// RUN: %clang_analyze_cc1 -w -analyzer-checker=core,nullability -verify %s
+
+// expected-no-diagnostics
+
+@class C;
+
+#pragma clang assume_nonnull begin
+@interface I
+- foo:(C *)c;
+@end
+#pragma clang assume_nonnull end
+
+@interface J
+@property C *c;
+@end
+
+J *conjure_J();
+
+@implementation I
+- (void)bar {
+  if (self) { // no-crash
+    J *j = conjure_J();
+    if (j.c)
+      [self bar];
+    // FIXME: Should warn.
+    [self foo:j.c]; // no-warning
+  }
+}
+@end
+
+@implementation J
+@end
-- 
cgit v1.2.1