[clang] [analyzer] Detect leak of a stack address through output arguments 2/3 (PR #105653)
Arseniy Zaostrovnykh via cfe-commits
cfe-commits at lists.llvm.org
Fri Aug 23 00:57:23 PDT 2024
================
@@ -297,20 +314,29 @@ std::optional<std::string> printReferrer(const MemRegion *Referrer) {
return "global";
assert(isa<StackSpaceRegion>(Space));
return "stack";
- }(Referrer->getMemorySpace());
-
- // We should really only have VarRegions here.
- // Anything else is really surprising, and we should get notified if such
- // ever happens.
- const auto *ReferrerVar = dyn_cast<VarRegion>(Referrer);
- if (!ReferrerVar) {
- assert(false && "We should have a VarRegion here");
- return std::nullopt; // Defensively skip this one.
+ }(getStackOrGlobalSpaceRegion(Referrer));
+
+ while (!Referrer->canPrintPretty()) {
+ if (const auto *SymReg = dyn_cast<SymbolicRegion>(Referrer)) {
+ Referrer = SymReg->getSymbol()->getOriginRegion()->getBaseRegion();
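Review bot: the last visible line dereferences `SymReg->getSymbol()->getOriginRegion()` unconditionally, but `getOriginRegion()` returns null for a symbol that has no origin region (a conjured symbol from an opaque call, as the reply below points out), so the `->getBaseRegion()` call can crash the analyzer on such input. Bind the result first and bail out when it is null, e.g. `const MemRegion *Origin = SymReg->getSymbol()->getOriginRegion(); if (!Origin) return std::nullopt;`. Note also that the hunk ends inside the `while (!Referrer->canPrintPretty())` loop, so this excerpt does not show how a referrer that is neither pretty-printable nor a `SymbolicRegion` leaves the loop; with the old `VarRegion` assert and `std::nullopt` fallback removed here, that path needs an explicit `break` or `return std::nullopt` so the loop cannot spin.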
----------------
necto wrote:
> Consider adding a testcase which shows this limitation.
Added the test case: f223714
> Be careful with getOriginRegion(), it will return null if the symbol is not a SymbolRegionValue or a SymbolDerived (e.g. a SymbolConjured returned by an opaque function call)!
Added a defensive check: 4afbb63
However, I suspect it would never trigger, because I think a region containing a conjured symbol with no origin region associated would also have no known memory space, so it would not reach this point, because I discard such a region [here](https://github.com/necto/llvm-project/blob/az/CPP-4734-stack-leak-output-arg/clang/lib/StaticAnalyzer/Checkers/StackAddrEscapeChecker.cpp#L302)
https://github.com/llvm/llvm-project/pull/105653
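The thread above refers to the escaping pointer only by analyzer-internal names (symbolic region, origin region, conjured symbol). The following is an added example, written for this page and not taken from the PR or from LLVM's test suite, showing the three referrer shapes those names correspond to in ordinary C, with the pattern the checker is hunting (a stack address stored through an output argument) next to a safe rewrite. All function and variable names are made up; the comments describing how the analyzer models each referrer are this page's summary of the discussion, not text from the PR.

```c
/* Constructed example: shapes of "stack address escapes through an output
 * argument" that the StackAddrEscapeChecker work discussed above targets,
 * plus a safe rewrite. Not part of the PR or of LLVM's test suite.
 * Build check: cc -Wall -c stack_escape.c   Analyze: clang --analyze stack_escape.c */
#include <stdio.h>
#include <string.h>

#if defined(__GNUC__) && !defined(__clang__) && __GNUC__ >= 12
/* GCC 12+ flags the stores below at compile time (-Wdangling-pointer). Silence
 * that so the file still builds under -Werror; the point of the example is
 * what the Clang Static Analyzer sees, not the compiler warning. */
#pragma GCC diagnostic ignored "-Wdangling-pointer"
#endif

/* 1. The referrer is a pointer parameter. The analyzer does not know what
 *    'out' points to, so *out is a SymbolicRegion whose symbol originates in
 *    the parameter variable itself; walking back to that origin is what lets
 *    the diagnostic name 'out' instead of giving up. */
void escape_via_param(const char *name, char **out)
{
    char buf[64];
    snprintf(buf, sizeof buf, "hello, %s", name);
    *out = buf;  /* 'buf' dies when this function returns */
}

/* 2. The referrer is a global; its memory space is known directly. */
char *g_banner;
void escape_via_global(void)
{
    char local[16] = "stale";
    g_banner = local;
}

/* 3. The referrer comes back from a call the analyzer cannot see into, so
 *    its value is a conjured symbol with no origin region, the case the
 *    reviewer warns about. The helper is defined in this file so the example
 *    links and runs; for the analyzer to treat it as opaque it would have to
 *    live in another translation unit. */
static char *g_slot;
char **opaque_slot(void) { return &g_slot; }

void escape_via_opaque_call(void)
{
    char local[8] = "gone";
    char **p = opaque_slot();
    *p = local;
}

/* Safe rewrite: the caller owns the storage and the callee only fills it.
 * Returns the number of bytes written, or -1 if the text would not fit. */
int format_banner(const char *name, char *out, size_t out_len)
{
    int n = snprintf(out, out_len, "hello, %s", name);
    if (n < 0 || (size_t)n >= out_len)
        return -1;
    return n;
}
```

Only `format_banner` is meant to be executed; the three `escape_*` functions exist to be fed to the analyzer, and calling them and then reading through the stored pointer would be undefined behaviour. Whether a given Clang release reports each of the three, and with what wording, depends on the checker version, which this page does not pin down.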