<table border="1" cellspacing="0" cellpadding="8">
    <tr>
        <th>Issue</th>
        <td>
            <a href=http://email.email.llvm.org/c/eJylV8tu4zgW_RplQ0SwpdiOF144ThWQxXT3TFejMauAkmiLHYpUkZQd5evnXFKyZVdqHhjAifUg7-Pcc8-lC1P1m5eGH6QWzNfSMfHOm1aJJN-y2vvW4SLJvuJzMFVhlE-NPeDuA39W8KP9WB2_J7PnZLZNlrP42SXZE33i0yyXulRdJViS70runLA-yb_Et87brvTsi_a2Z8nqKVk9J_mwU7x7YfX4LtsKXEjhbt9L7Znumtfb14UxitHD_rU0TcutSLLH0mjnLybbJNuxm2ffk2x9NnI0sqKHjWjKtoeB8QGrhPOX3efHzpb0tNNOHrSomDL6wPTUZPx_43QvdfVpeOuAStjC2ABe9tji7RIffGWuNp2qWCGYNvped0rh4dThZN-A0ae7pZZeciU_RPWDgb2xWPxIUEuU8ZnN8DJc7m6wZ7H2kvYPmxmTezY4n9YCEYz7FtiweCbgKOWrvYxZ4TvU-cfll_giQ8HdVpReVPfaeJE8zO7nkVNP_wgmJErRGiQhLLk61bKsGYLxspQt98BFasapohWgMJopTktBSXwGT0MwBHPr7aWo44oJbcpalG-iepV6QP-muoEqV_Ud0ggbKVipj9xKrj11Y5Ktwo4VG2qGJKlurRVOUGE0GljQshEmLPW8UCL9DzChXtkA1DceHO-5coIVluuyvs7_5yZGrLfOdc0EanbkqgO9XADt2lokxkD-iMdV8SPakVbRr7XGEhrSi4ZxBQmq-hGCaQXYBecKoBNnrwg0ZW1Uq_-JUMC2ov5fTduGeQP6UJbXuX-K4FPnWW1OrOSQsFDIAE_-9TqLs_BUUW4GfXHwZ_Z4HLIcYPt5-Cce2D_N4JdpmC0pRAWdYHOAxe2ha4hSyAf-DWAsTduzfafL0BfAr9PyPS0h3zCbkq0txsLieZrq5WIcDNPUXv72axw4-PBIuPvWOIB5FDFDXQp2wlTibyIwm1cV6uyY2YdbFXkFszeyAD_Yz3V1u4tTOdCYpvgLsARGiiOyJ-CHHtl11sKc6oNASAQYu4prrvqPQTcEa0wlFNi5F1iNMJUpOSHjwmLHG0TOe8JzQNgN9l8wGSrc-jG8xiDhsDdE_BL44ETM2IYXXKEVBSKpQBQKoAB1TrXQWE0rOfv6G1PybRjgL-x7h9lEFpveCbVPr2BnhFUVqGElVZlalTKNk8xyGXTy54CDFFezJsaDBRY78OcIU64Y9NQjGyfcwEMyi8kS-uMMHbovG0xyih8kHSyiKU5xNqHJ3_BWQe8oFNh1F_2GbQX9RsmiRxpVFK14l86H4pj9526vcLm_v5_e_llzP-os6l2hsQsT0pTu3KPfqNZUSW4rthdCObTIx0d_tXbLXn7_le3mc2LqMl2keZqx7YAslRx1lVbExjIoCvfGOiJxPsSCwxIjV53mQdCW52Wsl0JV7rZY0ru4RFcpe4nFG-5ZDU76vkXffMmSx1myfjxf0OPxZn25yHaXMAIpheuU_3eGRlVBWT-3mZIs43MTm3RTB6Fhx5y355yv4tFCEvGwDeU6o6IHClxBRUdbIjBGehW9nyVicEhC5GgkFQbdcAJRLo5MI33YuAOxStH66JJ2n9uGUNeXhKiMoIcE7Xjbgp4_uqMJzvXFS-ywlPQ1TVPSsmnnajYerKMIlYGdaHYgFDq_6FnnqMteQ0zoDDvmbOxrlAhq0__mbL-o3le2_svl0flTP7Qb-YVCwUE80wcYguQuA6rhaIqjIc2j5SyKe1RdCgcEDfMje-RvPAWHAAH744mOQXQUWM7aYRO-xiMWHhBy-JaXl7NB5YNQ6OggWhgXcd0HOWFoyzBQRHpIacEcf1et_82wk-VtxLALPwleMNmbUB7XQdJoToPMhysVGLxDgYOX-LPJjUIs2F5C5sEIAUU-SVf_RPuIZ5EIUf6G0P58_uc3CA3DyK65-cX8na4anFXp9wQut78_C92734S35nhXbfJqna_5He98bewGxedvNVd3nVWbm1KjY7oixTEcN0odx6_71hoai7iVOMFRcF8XeZ4_3tWbh0UuZus8L_eLxbIoMlE-zPPVmhfzpSge8tmd4gVg3oC3SKlUHCqe47cdxlc5GZ0ZGH33_8cjN9ksy2bzbD5_yLPFKl1Vy9l-vVznq8VyuSqWgEc0XKqU7BCn7-wmmCy6g8NLhcngLi9x9qHfaiKEjwg9hkm4OUe-eGY7rn84TuhxJIZTxOUEdxcC3oRo_wVXJNml>53338</a>
        </td>
    </tr>

    <tr>
        <th>Summary</th>
        <td>
            [analyzer] Can the address of an lvalue ever be null?
        </td>
    </tr>

    <tr>
      <th>Labels</th>
      <td>
            clang:static analyzer
      </td>
    </tr>

    <tr>
      <th>Assignees</th>
      <td>
      </td>
    </tr>

    <tr>
      <th>Reporter</th>
      <td>
          steakhal
      </td>
    </tr>
</table>

<pre>
    Imagine this example: https://godbolt.org/z/reavrz7vq
```C++
#include <cassert>
struct Entry {};
extern Entry *entries;
extern int num_entries;
bool entry_compare(const Entry *p, const Entry *q);
void *memcpy(void * dest, const void * src, unsigned long n);

const Entry *find(const Entry *p) {
  assert(p && "should be non-null");
  assert(entries && "should be initialized");
  for (int i = 0; i < num_entries; ++i)
    if (entry_compare(&entries[i], p))
      return &entries[i];
  // expected-note@-1 {{Returning pointer, which participates in a condition later}}
  return nullptr;
}

void checked_insert(const Entry *src) {
  // checking invariant: 'src' should not be present in the 'entries' table.
  // expected-note@+2 {{Taking false branch}}
  // expected-note@+1 {{Assuming pointer value is null}}
  if (find(src))
    return; // error: item already present

  Entry *dst = &entries[num_entries++];
  // expected-note@-1 {{'dst' initialized to a null pointer value}}
  // But how can it be null?

  memcpy(dst, src, sizeof(Entry));
  // expected-warning@-1 {{Null pointer passed as 1st argument to memory copy function [unix.cstring.NullArg]}}
}
```

IMO this is a false-positive, since we take the address of the lvalue `entries[i]`, and the address of a valid object is never null.
Currently, within the analyzer, we model reference locations the same way as pointers.
I understand the motivation and I can see the rationale behind it, but when I see a FP like this I question myself.

I tried experimenting with constraining the address of the lvalue to be non-null, but there are several test cases expecting "null references" to be a thing, but it would break a lot of tests, which explicitly test for the existence of "null references".

---

What should we do about this?
The standard feels fuzzy about this: ISO C11 `6.5.3.2 Address and indirection operators`:
> The unary & operator yields the address of its operand. If the operand has type ‘‘type’’,
> the result has type ‘‘pointer to type’’. **If the operand is the result of a unary * operator,
> neither that operator nor the & operator is evaluated** and the result is as if both were
> omitted, except that the constraints on the operators still apply and the result is not an
> lvalue. [...]

In C++, we could query this by using _constexpr evaluator_ like here: https://godbolt.org/z/5dx7rhjs3
By which we can conclude that `&*(p + i)` is a valid expression (aka. ha no UB) if `p` is `nullptr` and `i` is `0`, but invalid if `i` is anything else, e.g. `1`.

To wrap this up, I'm not sure how to go about this, but seeing examples like the first one I wish "null references" were not a thing.
WDYT? @haoNoQ @martong @ASDenysPetrov
</pre>
<img width="1px" height="1px" alt="" src="http://email.email.llvm.org/o/eJyVV1tz4jgT_TXOiyousBcIDzwQMlOVh73P1tQ-pYQlY22E5JFkCPn1e1qywTCZ71LlBNu6dPfp06flrRWn1fOe75SRLDTKM_nG962WWblmTQitx01WfMa1s2Jrdcit2-HpHX9O8oN7Xxy-ZZOnbLLO5pN0bbLika70tiiVqXQnJMvKTcW9ly5k5ac06oPrqsA-meBOLFs8ZounrOxXyrcgnRnGirXEjZL-dlyZwEy3f7kd3lqrGb08vVR233Ins-KhssaHy5ZtVmzYzbtvWbE8b3KwStDLvdxX7QkbDC-YkD5cVp9fe1fR2854tTNSMG3Njpnxlun_jdFaGfGhe8uISlzCWA9e8dBidI4LP4VvbKcF20pmrLk3ndZ4OTY4Wtdj9OFqZVRQXKt3Kb7boLYOkx8IaoU0PrEJBuPt5gZ7lnKvaH2_mDFVs974OBfwYFg3w4LZEwFHIV-tZczJ0CHP30-_-JcYCu62sgpS3BsbZPbT5H6aOPX4R9xCIRWtRRDSkaljo6qGwZmgKtXyAFyUYZwyKgCFNUxzmgpK4uot9c4QzG1wl6QOM0a0qRpZvUrxokyP_k12I1Wu8tuHEReSs8ocuFPcBKrGrFjEFQvW5wxBUt5aJ72kxBgUsKRpA0yYGvhWy_y_wIR8FT1QX3g0XHPtJds6bqrmOv4fbzFgvfa-24-gZgeuO9DLR9Cud0vE6Mmf8LhKfkI70SrZdc46QkMFuWdcQ4LEaYBgnAF2wVkAdOLsFYHGrE1q9X8RCtgKqv_FuGxYsKAPRXkd-4cIPnaBNfbIKg4Ji4mM8JSfr6M4C49IctPri4c9W-N1jLKH7cfuH3lk_ziCX8ZutqQQAjrBpgCLu123J0ohHti3gLGy7YnVnaliXQC_zqi3vIJ8Y9uc9lqjLcyexqFebobGMA7t-edfU8PBxRPh7lvrAeZBpghNJdkRXYm_yshsLgTy7Jmt46NOvMK2N7IAO1jPjbhdxSkdKEy7_QewREbKA6In4Psa2XTOYTt9igKh4GCqKm64Pr33uiHZ3gqpwc5aYjbc1LbihIyPkz3fw3N-Ijx7hH2__zM6g8BjGNzbWwQc10aPnyMfvEwRuzjANUpRwhMBopADW1Dn2EiD2TSTs8-_Ma1e-wb-zL516E204_7kpa7zK9gZYSUiNZyiLFOpUqSpkzmuok7-GHCQ4qrXJH8wwWEF_jxhyjWDngZE46XveUjborPE-jhDh-or-i05-Q-S9juiKI6pN6HIXzGqoXfkCvb1F_3G3hr6jZQli9SqyFv5pnyIybH1x2avcLm_vx8_fm14GHQW-RYo7K2NYSp_rtEvlGvKJHeC1VJqjxJ5fz9dzV2z5z9_ZZvplJg6z2d5mRds3SNLKUdelZOpsCySwoN1nkhc9r7gsMTIVGd4FLT5eRo7KamFv02WCj5NMSJnzyl5_TNrwMlwalE3n4rsYZItH8439Hp4WF5uis3FjUhK6Tsd_tNGg6ogrR_vmZMs47rxTfmxgViwQ8zrc8xX_hipiHhYhnSdUTE9Ba6goqMtERgtXSTrZ4noDZIQeWpJW4tqOIIoF0N2r0JcuAGxKtmGZJJWn8uGUDeXgCiNoIcC7Xjbgp7fm6MOzs3FSqqwnPQ1z3PSsnHlGjYcrJMIVZGdKHYgFCt_e2Kdpyp7iT6hMtwQs3UvSSKoTP-Xs_1MvC1c848vk_HHU19uZBcKBQPpTB9hiJI7j6jGoymOhtSP5pMk7kl1yR0QNPaP4oG_8hwcAgTsr0c6BtFRYD5p-0X4GY5YeEHI4VddBie9ykehMMlA2mGYxM0pyglDWcaGIvNdThOm-Lsq_S-WHR1vE4Zd_CR4Rmffx_T4DpJGfRpk3l2pQG8dChytpM8mPwixZLWCzIMREop8VL75gfYRzxIRkvz1rn19-vsLhIahZTfc_mJ_p7s9zqr0PYHb9Z9P0pz8bzI4e7gTq1IsyyW_CxBCuQJ_zg1r9sQ23HzXCs0g57EDXk4fd53TqxtyoMa6bY6DOx60Pgw_962z1EjxqHDmo3A-z8qyfLhrVjNeVIvlsqrresIXYspr-VCLajrb8nouxPJO8y0SQ54ChEpz6H6Jr0E0vGrUbAu4f6dWxaQoJtNiOv2pLGaLfCHmk3o5X5aL2Xy-2M4Bh9xzpXPyijh851bRwW238xjU6AT-MoizDn2bRZhof96FxroVCoa_NlzfxWBWMZJ_AbpJxcY">