Dear developers,

I am studying the code of Tensorflow and found a potential null pointer dereference bug in tensorflow/core/grappler/costs/graph_properties.cc

The problem

The function updateEnter() at line 70 of tensorflow/core/grappler/costs/graph_properties.cc calls the getContext() function of the ShapeRefiner class, which could return a null pointer (line 79 of tensorflow/core/common_runtime/shape_refiner.h) and get stored in the variable enter_ctx. At line 73 of the updateEnter() function, enter_ctx is dereferenced in the for loop condition without being checked against null. If the null pointer dereference is triggered, the program might crash.

I noticed that for another call of the getContext() function at line 255 of tensorflow/core/grappler/costs/graph_properties.cc, the function return value, which gets stored in the variable qctx, is checked against null, indicating that getContext() can indeed return null pointer.

Source code

I am analyzing the latest version of Tensorflow as of July 31, 2017, and the two relevant files are:
(1) https://github.com/tensorflow/tensorflow/blob/master/tensorflow/core/grappler/costs/graph_properties.cc (commit 4432623 on 1 July)

(2) https://github.com/tensorflow/tensorflow/blob/master/tensorflow/core/common_runtime/shape_refiner.h (commit e85d3df on 30 June)

Hope my report helps :)