<table border="1" cellspacing="0" cellpadding="8">
    <tr>
        <th>Issue</th>
        <td>
            <a href=https://github.com/llvm/llvm-project/issues/102908>102908</a>
        </td>
    </tr>

    <tr>
        <th>Summary</th>
        <td>
            [analyzer] Should we trust types of regions based of SymbolicRegions?
        </td>
    </tr>

    <tr>
      <th>Labels</th>
      <td>
            question,
            clang:static analyzer,
            false-positive
      </td>
    </tr>

    <tr>
      <th>Assignees</th>
      <td>
      </td>
    </tr>

    <tr>
      <th>Reporter</th>
      <td>
          steakhal
      </td>
    </tr>
</table>

<pre>
We had user reports like [this](https://sonarcloud.io/project/issues?id=c-ares_c-ares&issues=AZELfCzXHmoVXF22rrn1&open=AZELfCzXHmoVXF22rrn1&tab=code) one, where we can't see the allocation of an object that is referred to by a pointer we use.

Example:
```c++
#include <cstring>

struct MyStruct { int data; };
struct { unsigned char f; } *UChar;
void we_cant_trust_symbolic_pointee_type_uchar(const char *src) {
  memcpy(&UChar->f, src, sizeof(MyStruct)); // we report an issue here for overflowing the destination.
  //     ^^^^^^^^^: FieldRegion{Elem{..., SymbolicRegion}}
}
```

Currently, if we see a `FieldRegion`, `DynamicExtent.cpp:getDynamicExtent()` will query `getStaticSize()`, which will eventually reach the `FieldRegion` handler, which will just take the field type and return `1 S32b` in the example.

However, I'd argue, we could only trust the type for extent information if we have seen the allocation of the pointee object - no matter that offsets or other subregions were formed on top of that symbolic region.

Hence, I propose checking that property first, and return a symbolic extent for symbolic region bases:
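```c++
getStaticSize(...) {
  // Proposed check: a symbolic base region means the allocation was not seen,
  // so return a symbolic extent instead of a size derived from the type.
  if (isa<SymbolicRegion>(R->getBaseRegion())) {
    return nonloc::SymbolVal(SymMgr.getExtentSymbol(SR));
  }
  // ... existing handling of the other region kinds ...
}
```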

However, this would break a couple of tests, so before I'd look into those or uplift them, I wanted to raise this issue to see if you agree with my reasoning.
@NagyDonat as you may have an opinion about OOBs like this one.
</pre>
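<pre>
A simplified model of the extent decision discussed in the issue, added here as an illustration; it is not code from the issue or from LLVM. `Region`, `Extent` and the function names are hypothetical stand-ins for the analyzer's classes, and the regions at the bottom are constructed sample data.

```cpp
#include <cstddef>

// Simplified model with hypothetical names, not the analyzer's real classes.
enum class Kind { Symbolic, Var, Element, Field };

struct Region {
  Kind kind;
  const Region *super;   // enclosing region; nullptr for a base region
  std::size_t typeSize;  // sizeof the region's declared type
};

struct MyStruct { int data; };  // same struct as in the issue's example

// known == false stands for a symbolic extent: the size is not known.
struct Extent { bool known; std::size_t bytes; };

const Region *getBaseRegion(const Region *R) {
  while (R->super) R = R->super;
  return R;
}

// Behaviour described in the issue: a field's extent is its type size.
Extent extentTrustingType(const Region *R) {
  if (R->kind == Kind::Symbolic) return {false, 0};
  return {true, R->typeSize};
}

// Proposal: a symbolic base means the allocation was never seen, so no
// subregion's declared type is trusted for extent information.
Extent extentProposed(const Region *R) {
  if (getBaseRegion(R)->kind == Kind::Symbolic) return {false, 0};
  return extentTrustingType(R);
}

// An overflow is reported only when the extent is known and too small.
bool reportsOverflow(Extent dst, std::size_t copySize) {
  return dst.known && copySize > dst.bytes;
}

// Constructed regions. SymField models FieldRegion{Elem{..., SymbolicRegion}}
// (UChar->f); VarField is the same field inside storage the analysis has seen.
const Region Sym{Kind::Symbolic, nullptr, 1};
const Region SymElem{Kind::Element, &Sym, 1};
const Region SymField{Kind::Field, &SymElem, 1};
const Region Var{Kind::Var, nullptr, 1};
const Region VarField{Kind::Field, &Var, 1};
```

In this model the report on the symbolic-based field disappears under the proposal, while the same copy into a field of a region with a known base is still reported.
</pre>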