<table border="1" cellspacing="0" cellpadding="8">
    <tr>
        <th>Issue</th>
        <td>
            <a href=https://github.com/llvm/llvm-project/issues/71174>71174</a>
        </td>
    </tr>

    <tr>
        <th>Summary</th>
        <td>
            Clang static analysis assert in SimpleSValBuilder::evalBinOpLN: op == BO_Add || op == BO_Sub
        </td>
    </tr>

    <tr>
      <th>Labels</th>
      <td>
            clang
      </td>
    </tr>

    <tr>
      <th>Assignees</th>
      <td>
      </td>
    </tr>

    <tr>
      <th>Reporter</th>
      <td>
          AndrewScheidecker
      </td>
    </tr>
</table>

<pre>
    While working with a build of clang that has assertions enabled, I found a simple repro for an assertion failure with tip of tree clang:
https://github.com/llvm/llvm-project/blob/d49a893cdbea0dd6f8fde7dc9f321b2e0d169bba/clang/lib/StaticAnalyzer/Core/SimpleSValBuilder.cpp#L1159

Repro command-line:
```
clang -cc1 -analyze -analyzer-checker=core -x c++ repro.cpp
```

Contents of `repro.cpp`:
```
static void a() { __builtin_bit_cast(unsigned long long, &a) | 1; }
```

While this repro is very similar to #69922, the proposed fix for that bug (#70837) doesn't fix this bug.

Here's the full output of the crash trace:
```
repro.cpp:1:62: warning: expression result unused [-Wunused-value]
    1 | static void a() { __builtin_bit_cast(unsigned long long, &a) | 1; }
      | ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ ^ ~
clang: /home/andrew/llvm-project/clang/lib/StaticAnalyzer/Core/SimpleSValBuilder.cpp:1159: virtual clang::ento::SVal {anonymous}::SimpleSValBuilder::evalBinOpLN(clang::ento::ProgramStateRef, clang::BinaryOperator::Opcode, clang::ento::Loc, clang::ento::NonLoc, clang::QualType): Assertion `op == BO_Add || op == BO_Sub' failed.
PLEASE submit a bug report to https://github.com/llvm/llvm-project/issues/ and include the crash backtrace, preprocessed source, and associated run script.
Stack dump:
0.      Program arguments: /home/andrew/build/llvm/bin/clang -cc1 -analyze -analyzer-checker=core -x c++ repro.cpp
1.      <eof> parser at end of file
2.      While analyzing stack:
        #0 Calling a()
3.      repro.cpp:1:19: Error evaluating statement
4.      repro.cpp:1:19: Error evaluating statement
 #0 0x000055bd6390498f llvm::sys::PrintStackTrace(llvm::raw_ostream&, int) /home/andrew/llvm-project/llvm/lib/Support/Unix/Signals.inc:727:3
 #1 0x000055bd6390225f llvm::sys::RunSignalHandlers() /home/andrew/llvm-project/llvm/lib/Support/Signals.cpp:105:20
 #2 0x000055bd639025b6 SignalHandler(int) /home/andrew/llvm-project/llvm/lib/Support/Unix/Signals.inc:413:1
 #3 0x00007f04ccf88520 (/lib/x86_64-linux-gnu/libc.so.6+0x42520)
 #4 0x00007f04ccfdc9fc pthread_kill (/lib/x86_64-linux-gnu/libc.so.6+0x969fc)
 #5 0x00007f04ccf88476 gsignal (/lib/x86_64-linux-gnu/libc.so.6+0x42476)
 #6 0x00007f04ccf6e7f3 abort (/lib/x86_64-linux-gnu/libc.so.6+0x287f3)
 #7 0x00007f04ccf6e71b (/lib/x86_64-linux-gnu/libc.so.6+0x2871b)
 #8 0x00007f04ccf7fe96 (/lib/x86_64-linux-gnu/libc.so.6+0x39e96)
 #9 0x000055bd659f500c decltype(auto) llvm::cast<clang::ento::SubRegion, clang::ento::MemRegion const>(clang::ento::MemRegion const*) /home/andrew/llvm-project/clang/lib/StaticAnalyzer/Core/SimpleSValBuilder.cpp:1159:7
#10 0x000055bd659f500c (anonymous namespace)::SimpleSValBuilder::evalBinOpLN(llvm::IntrusiveRefCntPtr<clang::ento::ProgramState const>, clang::BinaryOperatorKind, clang::ento::Loc, clang::ento::NonLoc, clang::QualType) /home/andrew/llvm-project/clang/lib/StaticAnalyzer/Core/SimpleSValBuilder.cpp:1155:31
#11 0x000055bd65a017e2 llvm::IntrusiveRefCntPtr<clang::ento::ProgramState const>::release() /home/andrew/llvm-project/llvm/include/llvm/ADT/IntrusiveRefCntPtr.h:232:9
#12 0x000055bd65a017e2 llvm::IntrusiveRefCntPtr<clang::ento::ProgramState const>::~IntrusiveRefCntPtr() /home/andrew/llvm-project/llvm/include/llvm/ADT/IntrusiveRefCntPtr.h:196:34
#13 0x000055bd65a017e2 clang::ento::SValBuilder::evalBinOp(llvm::IntrusiveRefCntPtr<clang::ento::ProgramState const>, clang::BinaryOperatorKind, clang::ento::SVal, clang::ento::SVal, clang::QualType) /home/andrew/llvm-project/clang/lib/StaticAnalyzer/Core/SValBuilder.cpp:509:23
#14 0x000055bd6595405e llvm::IntrusiveRefCntPtr<clang::ento::ProgramState const>::release() /home/andrew/llvm-project/llvm/include/llvm/ADT/IntrusiveRefCntPtr.h:232:9
#15 0x000055bd6595405e llvm::IntrusiveRefCntPtr<clang::ento::ProgramState const>::~IntrusiveRefCntPtr() /home/andrew/llvm-project/llvm/include/llvm/ADT/IntrusiveRefCntPtr.h:196:34
#16 0x000055bd6595405e clang::ento::ExprEngine::evalBinOp(llvm::IntrusiveRefCntPtr<clang::ento::ProgramState const>, clang::BinaryOperatorKind, clang::ento::SVal, clang::ento::SVal, clang::QualType) /home/andrew/llvm-project/clang/include/clang/StaticAnalyzer/Core/PathSensitive/ExprEngine.h:611:33
#17 0x000055bd6595405e clang::ento::ExprEngine::VisitBinaryOperator(clang::BinaryOperator const*, clang::ento::ExplodedNode*, clang::ento::ExplodedNodeSet&) /home/andrew/llvm-project/clang/lib/StaticAnalyzer/Core/ExprEngineC.cpp:100:30
#18 0x000055bd6594204e clang::ento::NodeBuilder::addNodes(clang::ento::ExplodedNodeSet const&) /home/andrew/llvm-project/clang/include/clang/StaticAnalyzer/Core/PathSensitive/CoreEngine.h:339:45
#19 0x000055bd6594204e clang::ento::ExprEngine::Visit(clang::Stmt const*, clang::ento::ExplodedNode*, clang::ento::ExplodedNodeSet&) /home/andrew/llvm-project/clang/lib/StaticAnalyzer/Core/ExprEngine.cpp:2106:20
#20 0x000055bd65942aba clang::ento::ExprEngine::ProcessStmt(clang::Stmt const*, clang::ento::ExplodedNode*) /home/andrew/llvm-project/clang/lib/StaticAnalyzer/Core/ExprEngine.cpp:1132:15
#21 0x000055bd6594ab3f clang::ento::ExprEngine::processCFGElement(clang::CFGElement, clang::ento::ExplodedNode*, unsigned int, clang::ento::NodeBuilderContext*) /home/andrew/llvm-project/clang/lib/StaticAnalyzer/Core/ExprEngine.cpp:977:7
#22 0x000055bd6590b34d clang::ento::CoreEngine::HandlePostStmt(clang::CFGBlock const*, unsigned int, clang::ento::ExplodedNode*) /home/andrew/llvm-project/clang/lib/StaticAnalyzer/Core/CoreEngine.cpp:498:1
#23 0x000055bd6590b8c4 clang::ento::CoreEngine::ExecuteWorkList(clang::LocationContext const*, unsigned int, llvm::IntrusiveRefCntPtr<clang::ento::ProgramState const>)::'lambda'(unsigned int)::operator()(unsigned int) const /home/andrew/llvm-project/clang/lib/StaticAnalyzer/Core/CoreEngine.cpp:159:23
#24 0x000055bd6590b9a4 clang::ento::CoreEngine::ExecuteWorkList(clang::LocationContext const*, unsigned int, llvm::IntrusiveRefCntPtr<clang::ento::ProgramState const>) /home/andrew/llvm-project/clang/lib/StaticAnalyzer/Core/CoreEngine.cpp:163:41
#25 0x000055bd6546ee2e llvm::IntrusiveRefCntPtr<clang::ento::ProgramState const>::release() /home/andrew/llvm-project/llvm/include/llvm/ADT/IntrusiveRefCntPtr.h:232:9
#26 0x000055bd6546ee2e llvm::IntrusiveRefCntPtr<clang::ento::ProgramState const>::~IntrusiveRefCntPtr() /home/andrew/llvm-project/llvm/include/llvm/ADT/IntrusiveRefCntPtr.h:196:34
#27 0x000055bd6546ee2e clang::ento::ExprEngine::ExecuteWorkList(clang::LocationContext const*, unsigned int) /home/andrew/llvm-project/clang/include/clang/StaticAnalyzer/Core/PathSensitive/ExprEngine.h:190:34
#28 0x000055bd6546ee2e RunPathSensitiveChecks /home/andrew/llvm-project/clang/lib/StaticAnalyzer/Frontend/AnalysisConsumer.cpp:727:22
#29 0x000055bd6546ee2e (anonymous namespace)::AnalysisConsumer::HandleCode(clang::Decl*, unsigned int, clang::ento::ExprEngine::InliningModes, llvm::DenseSet<clang::Decl const*, llvm::DenseMapInfo<clang::Decl const*, void>>*) /home/andrew/llvm-project/clang/lib/StaticAnalyzer/Frontend/AnalysisConsumer.cpp:697:27
#30 0x000055bd6548311f llvm::DenseMapBase<llvm::DenseMap<clang::Decl const*, llvm::detail::DenseSetEmpty, llvm::DenseMapInfo<clang::Decl const*, void>, llvm::detail::DenseSetPair<clang::Decl const*>>, clang::Decl const*, llvm::detail::DenseSetEmpty, llvm::DenseMapInfo<clang::Decl const*, void>, llvm::detail::DenseSetPair<clang::Decl const*>>::begin() /home/andrew/llvm-project/llvm/include/llvm/ADT/DenseMap.h:78:5
#31 0x000055bd6548311f llvm::detail::DenseSetImpl<clang::Decl const*, llvm::DenseMap<clang::Decl const*, llvm::detail::DenseSetEmpty, llvm::DenseMapInfo<clang::Decl const*, void>, llvm::detail::DenseSetPair<clang::Decl const*>>, llvm::DenseMapInfo<clang::Decl const*, void>>::begin() /home/andrew/llvm-project/llvm/include/llvm/ADT/DenseSet.h:173:50
#32 0x000055bd6548311f HandleDeclsCallGraph /home/andrew/llvm-project/clang/lib/StaticAnalyzer/Frontend/AnalysisConsumer.cpp:490:31
#33 0x000055bd6548311f runAnalysisOnTranslationUnit /home/andrew/llvm-project/clang/lib/StaticAnalyzer/Frontend/AnalysisConsumer.cpp:557:25
#34 0x000055bd6548311f (anonymous namespace)::AnalysisConsumer::HandleTranslationUnit(clang::ASTContext&) /home/andrew/llvm-project/clang/lib/StaticAnalyzer/Frontend/AnalysisConsumer.cpp:612:31
#35 0x000055bd65a49289 clang::ParseAST(clang::Sema&, bool, bool) /home/andrew/llvm-project/clang/lib/Parse/ParseAST.cpp:176:34
#36 0x000055bd6430a3a9 clang::FrontendAction::Execute() /home/andrew/llvm-project/clang/lib/Frontend/FrontendAction.cpp:1070:21
#37 0x000055bd64299815 llvm::Error::setChecked(bool) /home/andrew/llvm-project/llvm/include/llvm/Support/Error.h:307:22
#38 0x000055bd64299815 llvm::Error::operator bool() /home/andrew/llvm-project/llvm/include/llvm/Support/Error.h:239:15
#39 0x000055bd64299815 clang::CompilerInstance::ExecuteAction(clang::FrontendAction&) /home/andrew/llvm-project/clang/lib/Frontend/CompilerInstance.cpp:1045:42
#40 0x000055bd643cc3f5 std::__shared_ptr<clang::FrontendOptions, (__gnu_cxx::_Lock_policy)2>::get() const /usr/include/c++/11/bits/shared_ptr_base.h:1296:16
#41 0x000055bd643cc3f5 std::__shared_ptr_access<clang::FrontendOptions, (__gnu_cxx::_Lock_policy)2, false, false>::_M_get() const /usr/include/c++/11/bits/shared_ptr_base.h:993:69
#42 0x000055bd643cc3f5 std::__shared_ptr_access<clang::FrontendOptions, (__gnu_cxx::_Lock_policy)2, false, false>::operator*() const /usr/include/c++/11/bits/shared_ptr_base.h:979:2
#43 0x000055bd643cc3f5 clang::CompilerInvocation::getFrontendOpts() /home/andrew/llvm-project/clang/include/clang/Frontend/CompilerInvocation.h:247:48
#44 0x000055bd643cc3f5 clang::CompilerInstance::getFrontendOpts() /home/andrew/llvm-project/clang/include/clang/Frontend/CompilerInstance.h:291:39
#45 0x000055bd643cc3f5 clang::ExecuteCompilerInvocation(clang::CompilerInstance*) /home/andrew/llvm-project/clang/lib/FrontendTool/ExecuteCompilerInvocation.cpp:273:29
#46 0x000055bd626d00f9 cc1_main(llvm::ArrayRef<char const*>, char const*, void*) /home/andrew/llvm-project/clang/tools/driver/cc1_main.cpp:294:40
#47 0x000055bd626c8213 ExecuteCC1Tool(llvm::SmallVectorImpl<char const*>&, llvm::ToolContext const&) /home/andrew/llvm-project/clang/tools/driver/driver.cpp:366:20
#48 0x000055bd626cc617 clang_main(int, char**, llvm::ToolContext const&) /home/andrew/llvm-project/clang/tools/driver/driver.cpp:407:26
#49 0x000055bd62619f13 main /home/andrew/build/llvm/tools/clang/tools/driver/clang-driver.cpp:16:1
#50 0x00007f04ccf6fd90 (/lib/x86_64-linux-gnu/libc.so.6+0x29d90)
#51 0x00007f04ccf6fe40 __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x29e40)
#52 0x000055bd626c6ad5 _start (/home/andrew/build/llvm/bin/clang+0xcd7ad5)
```
</pre>
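An added example, not part of the original report or of LLVM's own tooling: a small Python helper that reduces a clang assertion crash such as the one above to a bucket key that does not depend on the checkout path or the source line number, so crashes from different builds can be compared. The sample input is an abridged excerpt of the trace quoted in this report; the names `short_name` and `bucket` are hypothetical.

```python
import re
from pathlib import PurePosixPath

# Excerpt of the crash output quoted in this report (most frames omitted).
SAMPLE = """\
clang: /home/andrew/llvm-project/clang/lib/StaticAnalyzer/Core/SimpleSValBuilder.cpp:1159: virtual clang::ento::SVal {anonymous}::SimpleSValBuilder::evalBinOpLN(clang::ento::ProgramStateRef, clang::BinaryOperator::Opcode, clang::ento::Loc, clang::ento::NonLoc, clang::QualType): Assertion `op == BO_Add || op == BO_Sub' failed.
 #6 0x00007f04ccf6e7f3 abort (/lib/x86_64-linux-gnu/libc.so.6+0x287f3)
#10 0x000055bd659f500c (anonymous namespace)::SimpleSValBuilder::evalBinOpLN(llvm::IntrusiveRefCntPtr<clang::ento::ProgramState const>, clang::BinaryOperatorKind, clang::ento::Loc, clang::ento::NonLoc, clang::QualType) /home/andrew/llvm-project/clang/lib/StaticAnalyzer/Core/SimpleSValBuilder.cpp:1155:31
#13 0x000055bd65a017e2 clang::ento::SValBuilder::evalBinOp(llvm::IntrusiveRefCntPtr<clang::ento::ProgramState const>, clang::BinaryOperatorKind, clang::ento::SVal, clang::ento::SVal, clang::QualType) /home/andrew/llvm-project/clang/lib/StaticAnalyzer/Core/SValBuilder.cpp:509:23
#17 0x000055bd6595405e clang::ento::ExprEngine::VisitBinaryOperator(clang::BinaryOperator const*, clang::ento::ExplodedNode*, clang::ento::ExplodedNodeSet&) /home/andrew/llvm-project/clang/lib/StaticAnalyzer/Core/ExprEngineC.cpp:100:30
"""

# "<prog>: <file>:<line>: <function signature>: Assertion `<expr>' failed."
ASSERT_RE = re.compile(
    r"^\S+: (?P<file>/\S+):(?P<line>\d+): (?P<func>.+): "
    r"Assertion `(?P<expr>.+)' failed\.$", re.M)
# Symbolized frames that carry a source location: "#N 0xADDR <symbol> <file>:<line>:<col>"
FRAME_RE = re.compile(r"^[ \t]*#\d+ 0x[0-9a-f]+ .*? (?P<file>/\S+):\d+:\d+$", re.M)


def short_name(signature):
    """Reduce a pretty-printed C++ signature to 'Class::method'."""
    sig = signature.replace("(anonymous namespace)", "{anonymous}")
    qualified = sig.split("(")[0].split()[-1]   # drop arguments and return type
    return "::".join(qualified.split("::")[-2:])


def bucket(trace):
    """Return a stable crash signature, or None if no assertion line is present."""
    m = ASSERT_RE.search(trace)
    if m is None:
        return None
    analyzer_files = []
    for frame in FRAME_RE.finditer(trace):
        path = frame.group("file")
        name = PurePosixPath(path).name
        if "/StaticAnalyzer/" in path and name not in analyzer_files:
            analyzer_files.append(name)
    key = "|".join([PurePosixPath(m.group("file")).name,
                    short_name(m.group("func")), m.group("expr")])
    return {"key": key, "line": int(m.group("line")), "analyzer_files": analyzer_files}


if __name__ == "__main__":
    print(bucket(SAMPLE))
```

The key deliberately leaves out the line number, which moves between revisions; it is returned separately for reference.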
bsSqnU_9n3pML-7uyD7vuSVmfceE5oY_2u-9-JwmIt82T3jgSvEPa-I3rrmZTBdGZc_43KDi2SOum6eqlDnLf3GzicOuu2PGdWSniz89zPm2_fGs0LxeaMlYaAHygj1CszyOIj7JHd96X4U4AddJ7UiIP24w9vDAYDC2sTcIe-zpwdh3GswY953ZmL-fYbR2gXwvGvTFti32psIhGTlMOLfNuMkK5CQiekPcvu-ylt8bBfInuEmGi8Nwt2O2-eKnm7KZ3IzQD48fbh3bGTP_xn0D13SPIZ5O3Y69EFwax6M2DI0L5NTLcJDvZrZ3y-Z7M2W5ldq8tJj54qerUtKHkdUcJJI3tKJBXGmEEaRJP8ixwsBTYSQ0OEwYN0-M1ob9LtXDR64n0vgoKTFcilbH3xTKCQuKtmkGKC7JJssJQPHw4UczG2uukX32tMdeXNVQfTtNNNOBQX2NgqkqUvJ3VsUbii7CbibZi25cwAcRY-if0Zqg6B2Q_fmtCYp3wTwolZ3I9v-UxsBPvYkckl1y-FKLEaH5mtEH_Xr_Wii3ESC36rJHNddzKXS92Q4BmmcjCPUMprsY_M4Mc0p8mEznLukNdXbNaHlk-hwZxAdRcsHF6lNT8A-D2jUT2tWoIx-xC44sY3LDJ1J9EIX8zk2PkufOo25OlcO_r54oderpa5vxc7cwSLDvFzvwXNlAhucvTxwsmZwZwsuxWG82lXl-tQC_u8wt4epbtFoljMzl74zEncjYiosTReUOiotBsS0I-6Zi_PTzpQXtgvFhU5VHu9Q_ytJeGzHeRsV3zDRpJsZuoNsrGe1SchOQLZt6TsryJ0Wq9XtEsaDJgn05h_Eu9lQtOgKfxb0iQpcut_8q-AnK9O-zGYYu2A5cJdjF5ity4QTUOC3O7u63DfNpJiwH5BcfTTQzLrRJkKIkHcbZW6I0m93dT6YpbEPaLRyZlGX__3gUboHu_-zuvmsJ4klFiUeFc4A9gsmI0w79jFp5j2rJg31wzNpAnmPi24lm7LkBVs_kqOwNUJomfjgIJm6nTfNRM-PKPpYDlBwuvH1Rot_v4dZopo7epNjDycHsdd10q9dXxrBd3CE3Ex2Mv8YbDjruhhMZual4ydQHoQ0RdNwvtGofmenEJH7MzQZWMGVgawdBaMNeL-jAGxsrpbgIoTZ5w9dyqddEsXxZTdu7brHPldtr3ezpTJbLlaiX9Ompvf2jpA_LSpacPgOUom3CWTHTqmo766i1Gjc4zZ42gBa-7zbGGQ3QomdnmRHd9jLINXV-1KPyD0a1JJQyrU8BDs1hQUrN-g8d3OWn5UkRpyl2NXgPGP21APcjrtkJUcdubtWDxrtA73TDx7Yb31rfAPDhm-f2d-E7Xa9btAkigQ1xQdJzHxzM_TCIvBPvbdhwnKfuGeLA2MLvcN4Guh3iH8-tpwB_rHvt-L938X-xd_HuKY4rSdEAzihfoyj3vCKFlPrLDXFVcZ92ZkqR5y-ssM6zJmpUjtuub3Ssq7OPRWWkLK0L5Io_umqpY6UDkAbWkvqaOojHAGiCfAw7Ocz9RjADGHcbUpa_MWqk6hqoF2iicXNhaUxGWUfmqBewmg8tKBxNHq0FyQQUjfy4MbJOL91oZk2aODN7X5aDpmgZZJ10zLKfFj6GltkDNn53a-23AnvifMSBH42eqITeZL9mkadHbo1FaZ72W2MtTX9KkwUeXC7tbUttiDLLFuBRq7BgvAqaKDsieQgb-i3pw_fNuyVoHpM87NfoXo85yy9xnuKUnLFLP0pTz_f9KDhbX6LIt9VRlBUR87wUxyRiXpCmGGURyUl8xi-Rh7Dve9j3MQqCC4-kqAi8KPdJQbOQgcBjG8LLC8vShVSrM_cKwmXs-3FwVpKMldq974ZQyycC4fWZunTWl9UrDQKv5NronoLhpmSXc_c6QPvWDWkbpvalNcgFPGCnJp7BQ1_MOKtVefnjr1s4uP8LAAD__1VuUzE">