[clang] [analyzer] Variant checker bindings (PR #87886)

[Donát Nagy via cfe-commits]

================
@@ -206,23 +221,42 @@ class StdVariantChecker : public Checker<eval::Call, check::RegionChanges> {
     if (!ThisMemRegion)
       return;
 
+    // Get the first type alternative of the std::variant instance.
+    assert((ThisSVal.getType(C.getASTContext())->isPointerType() ||
+            ThisSVal.getType(C.getASTContext())->isReferenceType()) &&
+           "The This SVal must be a pointer!");
+
     std::optional<QualType> DefaultType = getNthTemplateTypeArgFromVariant(
         ThisSVal.getType(C.getASTContext())->getPointeeType().getTypePtr(), 0);
     if (!DefaultType)
       return;
 
+    // We conjure a symbol that represents the value-initialized value held by
+    // the default constructed std::variant. This could be made more precise
+    // if we would actually simulate the value-initialization of the value.
+    //
+    // We are storing pointer/reference typed SVals because when an
+    // std::variant is constructed with a value constructor a reference is
+    // received. The SVal representing this parameter will also have reference
+    // type. We use this SVal to store information about the value held is an
+    // std::variant instance. Here we are conforming to this and also use
+    // reference type. Also if we would not use reference typed SVals
+    // the analyzer would crash when handling the cast expression with the
+    // reason that the SVal is a NonLoc SVal.
+    SVal DefaultConstructedHeldValue = C.getSValBuilder().conjureSymbolVal(
+        ConstructorCall->getOriginExpr(), C.getLocationContext(),
+        C.getASTContext().getLValueReferenceType(*DefaultType), C.blockCount());
----------------
NagyDonat wrote:

It would be good to model running the default constructor of this `DefaultType` at this point.

https://github.com/llvm/llvm-project/pull/87886