[clang][Interp] Fix null Descriptor dereference in ArrayElemPtrPop

term-est · term-est · commit 7e74074e48cf · 2025-10-14T15:52:49.000+03:00
ByteCode interpretor could deref a null descriptor
when handling typeid (or function pointers) in
ArrayElemPtrPop. We need to treat this case as having no descriptor
diff --git a/clang/lib/AST/ByteCode/Interp.h b/clang/lib/AST/ByteCode/Interp.h
@@ -3126,7 +3126,8 @@ inline bool ArrayElemPtrPop(InterpState &S, CodePtr OpPC) {
   }
 
   if (Offset.isZero()) {
-    if (Ptr.getFieldDesc()->isArray() && Ptr.getIndex() == 0) {
+    if (const Descriptor *Desc = Ptr.getFieldDesc();
+        Desc && Desc->isArray() && Ptr.getIndex() == 0) {
       S.Stk.push<Pointer>(Ptr.atIndex(0).narrow());
       return true;
     }

Original file line number	Diff line number	Diff line change
`@@ -3126,7 +3126,8 @@ inline bool ArrayElemPtrPop(InterpState &S, CodePtr OpPC) {`
`3126`	`3126`	`}`
`3127`	`3127`
`3128`	`3128`	`if (Offset.isZero()) {`
`3129`		`- if (Ptr.getFieldDesc()->isArray() && Ptr.getIndex() == 0) {`
	`3129`	`+ if (const Descriptor *Desc = Ptr.getFieldDesc();`
	`3130`	`+ Desc && Desc->isArray() && Ptr.getIndex() == 0) {`
`3130`	`3131`	`S.Stk.push<Pointer>(Ptr.atIndex(0).narrow());`
`3131`	`3132`	`return true;`
`3132`	`3133`	`}`