<table border="1" cellspacing="0" cellpadding="8">
<tr>
<th>Issue</th>
<td>
<a href="https://github.com/llvm/llvm-project/issues/57270">57270</a>
</td>
</tr>
<tr>
<th>Summary</th>
<td>
[analyzer] Crash using `clang_analyzer_explain()` in the `debug.ExprInspection` checker
</td>
</tr>
<tr>
<th>Labels</th>
<td>
clang:static analyzer,
crash
</td>
</tr>
<tr>
<th>Assignees</th>
<td>
</td>
</tr>
<tr>
<th>Reporter</th>
<td>
isuckatcs
</td>
</tr>
</table>
<pre>
The following snippet causes the Static Analyzer to fail an assertion in debug mode, or crash in release mode.
```c++
#include <cstring>  // memset

// Builtin of the debug.ExprInspection checker; it has no definition and is
// declared this way in clang's own analyzer tests.
void clang_analyzer_explain(int);

struct S {
  static int a;
  ~S() {}
};
int S::a = 0;

void foo() {
  S::a = 0;
  int x = 3;
  memset(&x, 1, sizeof(x));  // x becomes a symbolic (derived) value
  S *arr = new S[x];
  delete[] arr;
  clang_analyzer_explain(S::a);  // explaining this value crashes the analyzer
}
```
`memset` sets the value of `S::a` to `derived_$12{conj_$8{int, LC1, no stmt, #1},a}`, and later when `clang_analyzer_explain()` tries to explain the value, it encounters a `nullptr` which it dereferences.
For more information please see [godbolt](https://godbolt.org/z/hMYcs8f8z).
</pre>