<table border="1" cellspacing="0" cellpadding="8">
<tr>
<th>Issue</th>
<td>
<a href="https://github.com/llvm/llvm-project/issues/54272">54272</a>
</td>
</tr>
<tr>
<th>Summary</th>
<td>
Infeasible state causing crash with alpha.unix.cstring.UninitializedRead
</td>
</tr>
<tr>
<th>Labels</th>
<td>
clang:static analyzer,
crash
</td>
</tr>
<tr>
<th>Assignees</th>
<td>
martong,
steakhal
</td>
</tr>
<tr>
<th>Reporter</th>
<td>
martong
</td>
</tr>
</table>
<pre>
Here is the minimal reproducer on d5106c8f973b:
```
// RUN: %clang_analyze_cc1 %s \
// RUN:   -analyzer-checker=core \
// RUN:   -analyzer-checker=alpha.unix.cstring.OutOfBounds,alpha.unix.cstring.UninitializedRead \
// RUN:   -analyzer-checker=debug.ExprInspection \
// RUN:   -analyzer-config eagerly-assume=false \
// RUN:   -verify

// Declared here because cc1 tests do not include system headers.
void *memmove(void *dst, const void *src, unsigned long n);

typedef struct {
  char a[1024];
} b;

int c;
b *invalidate();

int d() {
  b *a = invalidate();
  if (c < 1024)
    return 0;
  int f = c & ~3, g = f;
  g--;
  if (g)
    return 0;
  // Parent state is already infeasible.
  // clang_analyzer_printState();
  //   "constraints": [
  //     { "symbol": "(derived_$3{conj_$0{int, LC1, S728, #1},c}) & -4", "range": "{ [1, 1] }" },
  //     { "symbol": "derived_$3{conj_$0{int, LC1, S728, #1},c}", "range": "{ [1024, 2147483647] }" }
  //   ],
  memmove(a->a, &a->a[f], c - f); // CRASH, both true and false states are nullptr!
  return 0;
}
```
This bug is yet another manifestation of an underlying API issue: we should have an API for the checkers where only `assumeDual`-like functions are allowed. In that case we could return a non-null state for at least one of the true/false cases. Besides that, we should mark and handle the infeasible state in `addTransition`.
</pre>