[clang] [analyzer] Detect leak of a stack address through output arguments 2/3 (PR #105653)
Donát Nagy via cfe-commits
cfe-commits at lists.llvm.org
Fri Aug 23 01:50:30 PDT 2024
================
@@ -297,20 +314,29 @@ std::optional<std::string> printReferrer(const MemRegion *Referrer) {
return "global";
assert(isa<StackSpaceRegion>(Space));
return "stack";
- }(Referrer->getMemorySpace());
-
- // We should really only have VarRegions here.
- // Anything else is really surprising, and we should get notified if such
- // ever happens.
- const auto *ReferrerVar = dyn_cast<VarRegion>(Referrer);
- if (!ReferrerVar) {
- assert(false && "We should have a VarRegion here");
- return std::nullopt; // Defensively skip this one.
+ }(getStackOrGlobalSpaceRegion(Referrer));
+
+ while (!Referrer->canPrintPretty()) {
+ if (const auto *SymReg = dyn_cast<SymbolicRegion>(Referrer)) {
+ Referrer = SymReg->getSymbol()->getOriginRegion()->getBaseRegion();
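Review bot: `SymReg->getSymbol()->getOriginRegion()` may yield no region for a conjured symbol that has no origin (the case the reply thread below discusses), so the chained `->getBaseRegion()` on the last visible line needs a null check, e.g. `if (const MemRegion *Origin = SymReg->getSymbol()->getOriginRegion()) Referrer = Origin->getBaseRegion(); else return std::nullopt;`. The hunk also drops the old defensive `return std::nullopt; // Defensively skip this one.` path while keeping the hard `assert(isa<StackSpaceRegion>(Space));` inside the immediately invoked lambda; since the lambda cannot return from the enclosing function, consider replacing it with a helper that returns `std::optional` so an unrecognized memory space takes a no-op early return instead of an assertion. Finally, the visible part of the `while (!Referrer->canPrintPretty())` loop handles only `SymbolicRegion`; make sure every other region kind breaks out or returns, otherwise the loop never terminates.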
----------------
NagyDonat wrote:
> a region containing a conjured symbol with no origin region associated would also have no known memory space so it would not reach this point because I discard such region [here](https://github.com/necto/llvm-project/blob/az/CPP-4734-stack-leak-output-arg/clang/lib/StaticAnalyzer/Checkers/StackAddrEscapeChecker.cpp#L302)
You're right that you wouldn't reach this point with a conjured symbol that has no origin region, because the immediately invoked lambda that defines `ReferrerMemorySpace` triggers the assertion `assert(isa<StackSpaceRegion>(Space));` if it cannot trace back the value to either the static globals, the globals or the stack.
However, that's still a hard assertion in a situation that is reachable during normal operation of the analyzer, so you need to replace it with a no-op early return or something. (That would probably involve eliminating the immediately invoked lambda, because it cannot `return` from the function that surrounds it.)
https://github.com/llvm/llvm-project/pull/105653
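As an added illustration (not code from the PR or from LLVM), here is the C++ pattern the reply points at: a `return` inside an immediately invoked lambda only returns from the lambda, so an unexpected input reaching it can only assert, whereas a named helper that returns `std::optional` lets the enclosing function skip the case with a no-op early return. `SpaceKind`, `spaceName`, `describeSpaceWithAssert` and `describeSpace` are mock names assumed for the example; they stand in for, and are not, the analyzer's memory-space regions or checker code.

```cpp
#include <cassert>
#include <optional>
#include <string>

// Mock stand-in for the analyzer's memory-space classification (assumption:
// this is not the real MemSpaceRegion hierarchy, just the four cases the
// reply mentions plus an "unknown" case that is reachable in practice).
enum class SpaceKind { StaticGlobal, Global, Stack, Unknown };

// Before: immediately invoked lambda. `return` here leaves the lambda, not
// describeSpaceWithAssert, so the only way to handle an unknown space is a
// hard assertion (or a silently wrong default in release builds).
std::string describeSpaceWithAssert(SpaceKind Space) {
  const std::string Name = [&]() -> std::string {
    if (Space == SpaceKind::StaticGlobal)
      return "static";
    if (Space == SpaceKind::Global)
      return "global";
    assert(Space == SpaceKind::Stack && "unexpected memory space");
    return "stack";
  }();
  return Name + " referrer";
}

// After: a named helper returning std::optional. Unknown input becomes a
// value the caller can inspect instead of an assertion failure.
std::optional<std::string> spaceName(SpaceKind Space) {
  switch (Space) {
  case SpaceKind::StaticGlobal:
    return "static";
  case SpaceKind::Global:
    return "global";
  case SpaceKind::Stack:
    return "stack";
  case SpaceKind::Unknown:
    return std::nullopt;
  }
  return std::nullopt; // Unreachable for well-formed enum values.
}

// The enclosing function can now take a no-op early return, mirroring the
// "Defensively skip this one" path the hunk removed.
std::optional<std::string> describeSpace(SpaceKind Space) {
  std::optional<std::string> Name = spaceName(Space);
  if (!Name)
    return std::nullopt; // Skip quietly: no diagnostic for an unknown space.
  return *Name + " referrer";
}

int main() {
  // Stand-alone smoke run; the interesting checks are the assertions below.
  assert(describeSpace(SpaceKind::Stack).has_value());
  assert(!describeSpace(SpaceKind::Unknown).has_value());
  return 0;
}
```

The structural change is the only point: the lambda version has nowhere to go on `SpaceKind::Unknown` except the `assert`, while the helper version routes the same input through `std::nullopt` and lets the caller decide to do nothing.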