[clang] [StaticAnalyzer] Handle `__builtin_bit_cast` (PR #139188)

DonĂ¡t Nagy via cfe-commits cfe-commits at lists.llvm.org
Fri May 9 07:36:22 PDT 2025 

================
@@ -285,15 +285,43 @@ void ExprEngine::VisitCast(const CastExpr *CastE, const Expr *Ex,
   ExplodedNodeSet dstPreStmt;
   getCheckerManager().runCheckersForPreStmt(dstPreStmt, Pred, CastE, *this);
 
-  if (CastE->getCastKind() == CK_LValueToRValue ||
-      CastE->getCastKind() == CK_LValueToRValueBitCast) {
+  if (CastE->getCastKind() == CK_LValueToRValue) {
     for (ExplodedNode *subExprNode : dstPreStmt) {
       ProgramStateRef state = subExprNode->getState();
       const LocationContext *LCtx = subExprNode->getLocationContext();
       evalLoad(Dst, CastE, CastE, subExprNode, state, state->getSVal(Ex, LCtx));
     }
     return;
   }
+  if (CastE->getCastKind() == CK_LValueToRValueBitCast) {
+    // Handle `__builtin_bit_cast`:
+    ExplodedNodeSet dstEvalLoad;
+
+    // Simulate the lvalue-to-rvalue conversion on `Ex`:
+    for (ExplodedNode *subExprNode : dstPreStmt) {
+      ProgramStateRef state = subExprNode->getState();
+      const LocationContext *LCtx = subExprNode->getLocationContext();
+      evalLocation(dstEvalLoad, CastE, Ex, subExprNode, state,
+                   state->getSVal(Ex, LCtx), true);
+    }
+    // Simulate the operation that actually casts the original value to a new
+    // value of the destination type :
+    StmtNodeBuilder Bldr(dstEvalLoad, Dst, *currBldrCtx);
+
+    for (ExplodedNode *Node : dstEvalLoad) {
+      ProgramStateRef state = Node->getState();
+      const LocationContext *LCtx = Node->getLocationContext();
+      // getAsRegion should always be successful since Ex is an lvalue:
----------------
NagyDonat wrote:

The `getAsRegion` call would fail on a `loc::ConcreteInt`, which could be a valid lvalue in some low-level environments, so perhaps add a test which checks that we do not crash on `__builtin_bit_cast(unsigned, *(static_cast<int*>(0xdeadbeef)))`. (However, this is mostly paranoia: I don't expect a crash, because I'd guess that the analyzer "gives up" this unusual case in some earlier step.)


https://github.com/llvm/llvm-project/pull/139188

More information about the cfe-commits mailing list