<div dir="ltr">Hi all, I thought I'd look at this problem <a href="https://bugs.llvm.org/show_bug.cgi?id=43364">https://bugs.llvm.org/show_bug.cgi?id=43364</a> (Pointer cast representation problems), maybe use it as an opportunity to dig into the inner workings of the analyzer and maybe even solve a concrete problem :) But it seems I need guidance about possible paths to pursue. <div><br></div><div>Starting with a concrete case, a simple reproducer is below. I debugged this down to SimpleSValBuilder.cpp:evalCastFromLoc(). val is an SVal and castTy is a Loc, and this code path attempts to extract a concrete integer from the SVal (did I get this right?). So I think a solution to this specific case would be to dig into the SVal to see if the cast data is concrete, and extract that data. Seems to me this would be the location for that (evalCastFromLoc seems appropriate enough). If that's true, can someone point me to an example that's similar? I'll keep digging, but thought I'd ask in case it's easy for someone to drop a few helpful hints. </div><div><br></div><div>I've included some select dumps, state and a bt below in case this is helpful. 
</div><div><br></div><div>Best</div><div><br></div><div>(gdb) p val.dump()<br>&Element{myvar,0 S64b,char}$2 = void<br></div><div><br></div><div>(gdb) p castTy.dump()<br>PointerType 0xf931740 'char *'<br>`-BuiltinType 0xf930b50 'char'<br>$3 = void<br></div><div><br></div><div><br></div><div>Invocation: clang -cc1 -analyze -analyzer-checker=core case.c <br></div><div><br></div><div>struct mystruct {<br></div><div>  unsigned short _u16;<br>};<br><br>int main(void) {<br>  struct mystruct myvar = { 0x1122 };<br><br>  char *p = &myvar;<br>  int x = 0;<br>  if (p[0])<br>    x+=1;<br>  if (p[1]) // Branch condition evaluates to a garbage value [core.uninitialized.Branch]<br>    x+=1;<br>  return x;<br>}<br></div><div><br></div><div>(gdb) p state<br>$4 = {Obj = 0xf9b81b8}<br>(gdb) p state->dump()<br>"program_state": {<br>  "store": { "pointer": "0xf9b6fa2", "items": [<br>    { "cluster": "myvar", "pointer": "0xf9b2250", "items": [<br>      { "kind": "Direct", "offset": 0, "value": "4386 U16b" }<br>    ]},<br>    { "cluster": "p", "pointer": "0xf9b2aa8", "items": [<br>      { "kind": "Direct", "offset": 0, "value": "&Element{myvar,0 S64b,char}" }<br>    ]},<br>    { "cluster": "x", "pointer": "0xf9b6ed0", "items": [<br>      { "kind": "Direct", "offset": 0, "value": "1 S32b" }<br>    ]}<br>  ]},<br>  "environment": { "pointer": "0xf9b16e0", "items": [<br>    { "lctx_id": 1, "location_context": "#0 Call", "calling": "main", "location": null, "items": [<br>      { "stmt_id": 898, "pretty": "p", "value": "&p" }<br>    ]}<br>  ]},<br>  "constraints": null,<br>  "dynamic_types": null,<br>  "dynamic_casts": null,<br>  "constructing_objects": null,<br>  "checker_messages": null<br>}$5 = void<br></div><div><br></div><div><br></div><div>(gdb) bt<br>#0  (anonymous namespace)::SimpleSValBuilder::evalCastFromLoc (this=0xf9aedf0, val=..., castTy=...) 
at ../../clang/lib/StaticAnalyzer/Core/SimpleSValBuilder.cpp:136<br>#1  0x0000000007ec6ecb in (anonymous namespace)::SimpleSValBuilder::dispatchCast (this=0xf9aedf0, Val=..., CastTy=...) at ../../clang/lib/StaticAnalyzer/Core/SimpleSValBuilder.cpp:70<br>#2  0x0000000007edd75e in clang::ento::StoreManager::CastRetrievedVal (this=0xf9b02a0, V=..., R=0xf9b2aa8, castTy=...) at ../../clang/lib/StaticAnalyzer/Core/Store.cpp:438<br>#3  0x0000000007ea0480 in (anonymous namespace)::RegionStoreManager::getBinding (this=0xf9b02a0, B=..., L=..., T=...) at ../../clang/lib/StaticAnalyzer/Core/RegionStore.cpp:1511<br>#4  0x0000000007e9d059 in (anonymous namespace)::RegionStoreManager::getBinding (this=0xf9b02a0, S=0xf9b6fa2, L=..., T=...) at ../../clang/lib/StaticAnalyzer/Core/RegionStore.cpp:551<br>#5  0x0000000007753856 in clang::ento::ProgramState::getRawSVal (this=0xf9b81b8, LV=..., T=...) at ../../clang/include/clang/StaticAnalyzer/Core/PathSensitive/ProgramState.h:785<br>#6  0x0000000007e64d61 in clang::ento::ProgramState::getSVal (this=0xf9b81b8, location=..., T=...) at ../../clang/lib/StaticAnalyzer/Core/ProgramState.cpp:267<br>#7  0x0000000007df0d77 in clang::ento::ExprEngine::evalLoad (this=0x7fffffffa828, Dst=..., NodeEx=0xf985e00, BoundEx=0xf985e00, Pred=0xf9b8230, state=..., location=..., tag=0x0, LoadTy=...)<br>    at ../../clang/lib/StaticAnalyzer/Core/ExprEngine.cpp:2982<br>#8  0x0000000007e10402 in clang::ento::ExprEngine::VisitCast (this=0x7fffffffa828, CastE=0xf985e00, Ex=0xf985dc0, Pred=0xf9b8230, Dst=...) at ../../clang/lib/StaticAnalyzer/Core/ExprEngineC.cpp:313<br>#9  0x0000000007de88a8 in clang::ento::ExprEngine::Visit (this=0x7fffffffa828, S=0xf985e00, Pred=0xf9b8230, DstTop=...) 
at ../../clang/lib/StaticAnalyzer/Core/ExprEngine.cpp:1729<br>#10 0x0000000007de4d9c in clang::ento::ExprEngine::ProcessStmt (this=0x7fffffffa828, currStmt=0xf985e00, Pred=0xf9b8230) at ../../clang/lib/StaticAnalyzer/Core/ExprEngine.cpp:791<br>#11 0x0000000007de4a89 in clang::ento::ExprEngine::processCFGElement (this=0x7fffffffa828, E=..., Pred=0xf9b8230, StmtIdx=1, Ctx=0x7fffffffa338) at ../../clang/lib/StaticAnalyzer/Core/ExprEngine.cpp:637<br>#12 0x0000000007db6fa9 in clang::ento::CoreEngine::HandlePostStmt (this=0x7fffffffa848, B=0xf9a8860, StmtIdx=1, Pred=0xf9b8230) at ../../clang/lib/StaticAnalyzer/Core/CoreEngine.cpp:466<br>#13 0x0000000007db6717 in clang::ento::CoreEngine::dispatchWorkItem (this=0x7fffffffa848, Pred=0xf9b8230, Loc=..., WU=...) at ../../clang/lib/StaticAnalyzer/Core/CoreEngine.cpp:191<br>#14 0x0000000007db6323 in clang::ento::CoreEngine::ExecuteWorkList (this=0x7fffffffa848, L=0xf9b16e0, Steps=224975, InitState=...) at ../../clang/lib/StaticAnalyzer/Core/CoreEngine.cpp:147<br>#15 0x000000000734dc74 in clang::ento::ExprEngine::ExecuteWorkList (this=0x7fffffffa828, L=0xf9b16e0, Steps=225000) at ../../clang/include/clang/StaticAnalyzer/Core/PathSensitive/ExprEngine.h:192<br></div></div>
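<div>Added example (not part of the email or of the LLVM analyzer sources): a small C model of what the fix sketched above has to compute when the store holds a concrete "Direct" binding (offset 0, value 4386 U16b) and the load goes through Element{myvar, i, char}. The struct direct_binding / read_char_element names are hypothetical; the real analyzer would take byte order from the target, not the host.</div>

```c
#include <stdbool.h>
#include <stdint.h>

/* Hypothetical model of one "Direct" binding from the state dump:
 * cluster myvar, offset 0, value 4386 U16b (0x1122). */
struct direct_binding {
    uint64_t offset_bytes;   /* byte offset of the binding inside its region */
    unsigned width_bits;     /* 16 for "U16b" */
    uint64_t value;          /* the concrete integer that is bound */
};

/* Result of reading one char element through the cast pointer. */
struct byte_read {
    bool known;              /* false: no concrete byte, analyzer must not guess */
    uint8_t byte;
};

/* Host byte-order probe (constructed helper); the analyzer itself should
 * consult the target description instead of the host. */
static bool host_is_little_endian(void) {
    const uint16_t probe = 0x0001;
    return *(const uint8_t *)&probe == 1;
}

/* Model of Element{region, index, char} read from a concrete binding:
 * returns the index-th byte of the bound integer when the element lies
 * inside the binding, otherwise reports the byte as unknown. */
struct byte_read read_char_element(const struct direct_binding *b,
                                   uint64_t index, bool little_endian) {
    struct byte_read r = { false, 0 };
    unsigned width_bytes = b->width_bits / 8;
    if (b->width_bits % 8 != 0 || width_bytes == 0 || width_bytes > 8)
        return r;                                   /* unsupported width */
    if (index < b->offset_bytes || index >= b->offset_bytes + width_bytes)
        return r;                                   /* outside the binding */
    uint64_t pos = index - b->offset_bytes;         /* byte within the value */
    unsigned shift = little_endian ? (unsigned)pos * 8
                                   : (width_bytes - 1 - (unsigned)pos) * 8;
    r.known = true;
    r.byte = (uint8_t)(b->value >> shift);
    return r;
}

int main(void) {
    struct direct_binding myvar = { 0, 16, 0x1122 };    /* "4386 U16b" */
    bool le = host_is_little_endian();
    struct byte_read p0 = read_char_element(&myvar, 0, le);
    struct byte_read p1 = read_char_element(&myvar, 1, le);
    /* Both bytes are concrete, so neither branch condition is garbage. */
    return (p0.known && p1.known) ? 0 : 1;
}
```

On a little-endian target the model yields p[0] == 0x22 and p[1] == 0x11, the values the reproducer's branch conditions should see instead of an undefined value.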