[PATCH] D88477: [analyzer] Overwrite cast type in getBinding only if that was null originally

[Balázs Benics via Phabricator via cfe-commits]

steakhal added a comment.

In D88477#2304708 <https://reviews.llvm.org/D88477#2304708>, @NoQ wrote:

> I'm trying to say that the value produced by the load should not be the same as the stored value, because these two values are of different types. When exactly does the first value change into the second value is a different story; the current grand vision around which the code is written says that it changes during load, therefore it's the load code (step #2) that's to blame.

Are you implying that the second dereference of `b` should produce an lvalue of the type `char *`, instead of the type of the SVal `&Element{SymRegion{reg_$0<int * a>},0 S64b,unsigned char}`.
So, I should do this cast when we evaluate the dereference, and produce an lvalue of the static type, aka binding the SVal `&Element{SymRegion{reg_$0<int * a>},0 S64b,char*}` to it.
In the AST, it is the line `@1`:

  `-IfStmt
    -BinaryOperator 'bool' '=='
     |-ImplicitCastExpr 'char *' <LValueToRValue>
  @1:| `-UnaryOperator 'char *' lvalue prefix '*' cannot overflow
     |   `-ImplicitCastExpr 'char **' <LValueToRValue>
     |     `-UnaryOperator 'char **' lvalue prefix '*' cannot overflow
     |       `-ImplicitCastExpr 'char ***' <LValueToRValue>
     |         `-DeclRefExpr 'char ***' lvalue ParmVar 0x55e808fe8188 'b' 'char ***'
     | `-ImplicitCastExpr 'char *' <NullToPointer>
      `-IntegerLiteral 'int' 0

To do this, I would have to modify the `ExprEngine::handleUOExtension` to not just simply lookup the corresponding SVal of the Environment's ExprBindings, but also apply the cast if necessary.
Am I on the right track now?

PS: I tried to implement this, but I failed to reuse the other overloads of `getSVal` to accomplish this.


Repository:
  rG LLVM Github Monorepo

CHANGES SINCE LAST ACTION
  https://reviews.llvm.org/D88477/new/

https://reviews.llvm.org/D88477