Fix issue 9751: Wrong lifetime caused by std::function (#2676)

pfultz2 · web-flow · commit 06ed088bd075 · 2020-06-13T10:26:54.000+02:00
diff --git a/lib/forwardanalyzer.cpp b/lib/forwardanalyzer.cpp
@@ -47,7 +47,7 @@ struct ForwardTraversal {
             if (checkScope(lambdaEndToken).isModified())
                 return Progress::Break;
             if (out)
-                *out = lambdaEndToken;
+                *out = lambdaEndToken->next();
             // Skip class scope
         } else if (tok->str() == "{" && tok->scope() && tok->scope()->isClassOrStruct()) {
             if (out)
@@ -291,6 +291,9 @@ struct ForwardTraversal {
                 if (!analyzer->lowerToPossible())
                     return Progress::Break;
             } else if (tok->link() && tok->str() == "}") {
+                const Scope* scope = tok->scope();
+                if(!scope)
+                    return Progress::Break;
                 if (Token::Match(tok->link()->previous(), ")|else {")) {
                     const bool inElse = Token::simpleMatch(tok->link()->previous(), "else {");
                     const Token* condTok = getCondTokFromEnd(tok);
@@ -305,9 +308,11 @@ struct ForwardTraversal {
                     analyzer->assume(condTok, !inElse, tok);
                     if (Token::simpleMatch(tok, "} else {"))
                         tok = tok->linkAt(2);
-                } else if (Token::simpleMatch(tok->link()->previous(), "try {")) {
+                } else if (scope->type == Scope::eTry) {
                     if (!analyzer->lowerToPossible())
                         return Progress::Break;
+                } else if (scope->type == Scope::eLambda) {
+                    return Progress::Break;
                 } else if (Token::simpleMatch(tok->next(), "else {")) {
                     tok = tok->linkAt(2);
                 }
diff --git a/test/testnullpointer.cpp b/test/testnullpointer.cpp
@@ -97,6 +97,7 @@ class TestNullPointer : public TestFixture {
         TEST_CASE(nullpointer54); // #9573
         TEST_CASE(nullpointer55); // #8144
         TEST_CASE(nullpointer56); // #9701
+        TEST_CASE(nullpointer57); // #9751
         TEST_CASE(nullpointer_addressOf); // address of
         TEST_CASE(nullpointerSwitch); // #2626
         TEST_CASE(nullpointer_cast); // #4692
@@ -1824,6 +1825,21 @@ class TestNullPointer : public TestFixture {
         ASSERT_EQUALS("", errout.str());
     }
 
+    void nullpointer57() {
+        check("void f() {\n"
+              "    FILE* fptr = fopen(\"test\", \"r\");\n"
+              "    if (fptr != nullptr) {\n"
+              "        std::function<void()> fn([&] {\n"
+              "            fclose(fptr);\n"
+              "            fptr = NULL;\n"
+              "        });\n"
+              "        fgetc(fptr);\n"
+              "        fn();\n"
+              "    }\n"
+              "}\n");
+        ASSERT_EQUALS("", errout.str());
+    }
+
     void nullpointer_addressOf() { // address of
         check("void f() {\n"
               "  struct X *x = 0;\n"
