Fix #934: segfault when substituting a SubTree node (#1083)

facontidavide · claude · web-flow · commit 25407adf78eb · 2026-02-01T20:39:06.000+01:00
* Fix #934: prevent segfault when substituting a SubTree node When a substitution rule replaced a SubTree with a TestNode, dynamic_cast<SubTreeNode*> returned nullptr but setSubtreeID was called unconditionally, causing a null pointer dereference. Add a null-check so setSubtreeID is only called on actual SubTree nodes. Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com> * Fix clang-tidy readability-implicit-bool-conversion warnings Use explicit != nullptr comparisons for pointer-to-bool conversions flagged by clang-tidy. Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com> --------- Co-authored-by: Claude Opus 4.5 <noreply@anthropic.com>
diff --git a/src/xml_parsing.cpp b/src/xml_parsing.cpp
@@ -867,8 +867,13 @@ TreeNode::Ptr XMLParser::PImpl::createNodeFromXML(const XMLElement* element,
     config.input_ports = port_remap;
     new_node =
         factory->instantiateTreeNode(instance_name, toStr(NodeType::SUBTREE), config);
+    // If a substitution rule replaced the SubTree with a different node
+    // (e.g. a TestNode), the dynamic_cast will return nullptr.
     auto subtree_node = dynamic_cast<SubTreeNode*>(new_node.get());
-    subtree_node->setSubtreeID(type_ID);
+    if(subtree_node != nullptr)
+    {
+      subtree_node->setSubtreeID(type_ID);
+    }
   }
   else
   {
diff --git a/tests/gtest_substitution.cpp b/tests/gtest_substitution.cpp
@@ -50,3 +50,39 @@ TEST(Substitution, Parser)
 
   ASSERT_EQ(*std::get_if<std::string>(&rules.at("actionC")), "NotAConfig");
 }
+
+// Regression test for issue #934: segfault when substituting a SubTree node
+TEST(Substitution, SubTreeNodeSubstitution)
+{
+  static const char* parent_xml = R"(
+  <root BTCPP_format="4">
+    <BehaviorTree ID="Parent">
+      <SubTree ID="Child" name="child" />
+    </BehaviorTree>
+  </root>
+  )";
+
+  static const char* child_xml = R"(
+  <root BTCPP_format="4">
+    <BehaviorTree ID="Child">
+      <AlwaysSuccess />
+    </BehaviorTree>
+  </root>
+  )";
+
+  BehaviorTreeFactory factory;
+  factory.registerBehaviorTreeFromText(parent_xml);
+  factory.registerBehaviorTreeFromText(child_xml);
+
+  BT::TestNodeConfig config;
+  config.return_status = BT::NodeStatus::SUCCESS;
+  factory.addSubstitutionRule("child", config);
+
+  // This should not crash (was a segfault before the fix)
+  Tree tree;
+  ASSERT_NO_THROW(tree = factory.createTree("Parent"));
+
+  // The substituted tree should tick successfully
+  auto status = tree.tickWhileRunning();
+  ASSERT_EQ(status, BT::NodeStatus::SUCCESS);
+}
