<table border="1" cellspacing="0" cellpadding="8">
    <tr>
        <th>Issue</th>
        <td>
            <a href=https://github.com/llvm/llvm-project/issues/59735>59735</a>
        </td>
    </tr>

    <tr>
        <th>Summary</th>
        <td>
            CSA --Wanalyzer-null-dereference false negative with *p = 42
        </td>
    </tr>

    <tr>
      <th>Labels</th>
      <td>
            new issue
      </td>
    </tr>

    <tr>
      <th>Assignees</th>
      <td>
      </td>
    </tr>

    <tr>
      <th>Reporter</th>
      <td>
          Geoffrey1014
      </td>
    </tr>
</table>

<pre>
I got a false negative when compiling the following program with clang (trunk) using `-Xanalyzer -analyzer-output=text --analyze -Xanalyzer -analyzer-checker=debug.ExprInspection` at https://godbolt.org/z/vE9E4j96x.

In this case, the evaluation result for `0 == p` on line 21 is TRUE, so clearly the Clang Static Analyzer knows that the pointer p is a null pointer there, but the analyzer then does not generate an NPD warning for the `*p = 42` statement on line 22. I think it's a little odd. Here is the result of the program; please take a look. Thank you.
```c
#include "stdio.h"
void clang_analyzer_eval(int);
void clang_analyzer_warnIfReached();
int *f(int *);

int *f(int *p)
{
    p = (int *)0;
    return p;
}

int main()
{
    int a = 42;
    int *p = &a;
    clang_analyzer_eval(0 == p);
    p = f(p);
    clang_analyzer_eval(0 == p);
    if (p == (int *)0)
    {
        clang_analyzer_eval(0 == p);
        *p = 42;
    }
}
```
```
<source>:16:5: warning: FALSE [debug.ExprInspection]
    clang_analyzer_eval(0 == p);
    ^~~~~~~~~~~~~~~~~~~~~~~~~~~
<source>:16:5: note: FALSE
    clang_analyzer_eval(0 == p);
    ^~~~~~~~~~~~~~~~~~~~~~~~~~~
<source>:18:5: warning: TRUE [debug.ExprInspection]
    clang_analyzer_eval(0 == p);
    ^~~~~~~~~~~~~~~~~~~~~~~~~~~
<source>:18:5: note: TRUE
    clang_analyzer_eval(0 == p);
    ^~~~~~~~~~~~~~~~~~~~~~~~~~~
<source>:21:9: warning: TRUE [debug.ExprInspection]
        clang_analyzer_eval(0 == p);
        ^~~~~~~~~~~~~~~~~~~~~~~~~~~
<source>:19:9: note: 'p' is equal to null
    if (p == (int *)0)
        ^
<source>:19:5: note: Taking true branch
    if (p == (int *)0)
    ^
<source>:21:9: note: TRUE
        clang_analyzer_eval(0 == p);
        ^~~~~~~~~~~~~~~~~~~~~~~~~~~
```
</pre>