[clang] [analyzer] Do not reason about locations passed as inline asm input (PR #103714)

[Pavel Skripkin via cfe-commits]

pskrgag wrote:

This is tricky one. 

So crash happens in `getElementRegion`, since we try to bind to first element of the symbolic region with type `void`. 

 Why did inline asm input become symbolic? Since on input there is a Lvalue -> Rvalue cast, CSA invokes `evalCast`  and then inside `RegionStoreManager::getBindingForVar`:

````c
  // This must come after the check for constants because closure-captured
  // constant variables may appear in UnknownSpaceRegion.
  if (isa<UnknownSpaceRegion>(MS))
    return svalBuilder.getRegionValueSymbolVal(R);

  if (isa<GlobalsSpaceRegion>(MS)) {
    QualType T = VD->getType();

    // If we're in main(), then global initializers have not become stale yet.
    if (B.isMainAnalysis())
    ...
    return svalBuilder.getRegionValueSymbolVal(R); <-- symbolic region created here
  }
```

Not sure about the fix right now...  I can only come up with dirty hack like

```diff
diff --git a/clang/lib/StaticAnalyzer/Core/RegionStore.cpp b/clang/lib/StaticAnalyzer/Core/RegionStore.cpp
index ba29c1231390..d6488065843d 100644
--- a/clang/lib/StaticAnalyzer/Core/RegionStore.cpp
+++ b/clang/lib/StaticAnalyzer/Core/RegionStore.cpp
@@ -2380,8 +2380,14 @@ RegionStoreManager::bind(RegionBindingsConstRef B, Loc L, SVal V) {
 
   // Binding directly to a symbolic region should be treated as binding
   // to element 0.
-  if (const SymbolicRegion *SR = dyn_cast<SymbolicRegion>(R))
+  if (const SymbolicRegion *SR = dyn_cast<SymbolicRegion>(R)) {
+    QualType PT = SR->getPointeeStaticType();
+
+    if (PT.isVoidType())
+      PT = StateMgr.getContext().CharTy;
+
     R = GetElementZeroRegion(SR, SR->getPointeeStaticType());
+  }
 
   assert((!isa<CXXThisRegion>(R) || !B.lookup(R)) &&
          "'this' pointer is not an l-value and is not assignable");
```


https://github.com/llvm/llvm-project/pull/103714