Fix loop widening element ref

Author: fangyi-zhou

clang/lib/StaticAnalyzer/Core/ExprEngine.cpp

@@ -2556,10 +2556,19 @@ void ExprEngine::processCFGBlockEntrance(const BlockEdge &L,
     const Stmt *Term = nodeBuilder.getContext().getBlock()->getTerminatorStmt();
     if (!isa_and_nonnull<ForStmt, WhileStmt, DoStmt, CXXForRangeStmt>(Term))
       return;
+
+    // FIXME:
+    // We cannot use the CFG element from the via `ExprEngine::getCFGElementRef`
+    // since we are currently at the block entrance and the current reference
+    // would be stale.  Ideally, we should pass on the terminator of the CFG
+    // block, but the terminator cannot be referred as a CFG element.
+    // As a workaround, we pass on the first element of the block that we are
+    // processing.
+    ConstCFGElementRef Elem = *nodeBuilder.getContext().getBlock()->ref_begin();
     // Widen.
     const LocationContext *LCtx = Pred->getLocationContext();
-    ProgramStateRef WidenedState = getWidenedLoopState(
-        Pred->getState(), LCtx, BlockCount, getCFGElementRef());
+    ProgramStateRef WidenedState =
+        getWidenedLoopState(Pred->getState(), LCtx, BlockCount, Elem);
     nodeBuilder.generateNode(WidenedState, Pred);
     return;
   }

clang/lib/StaticAnalyzer/Core/LoopWidening.cpp

@@ -31,6 +31,11 @@ ProgramStateRef getWidenedLoopState(ProgramStateRef PrevState,
                                     const LocationContext *LCtx,
                                     unsigned BlockCount,
                                     ConstCFGElementRef Elem) {
+  if (Elem.getParent()) {
+    const Stmt *TermStmt = Elem.getParent()->getTerminatorStmt();
+    assert((isa<ForStmt, WhileStmt, DoStmt, CXXForRangeStmt>(TermStmt)) &&
+           "Terminator must be a loop statement");
+  }
   // Invalidate values in the current state.
   // TODO Make this more conservative by only invalidating values that might
   //      be modified by the body of the loop.