Add handling for Loc::ConcreteInt

Author: ziqingluo-90

clang/lib/StaticAnalyzer/Core/ExprEngineC.cpp

@@ -311,12 +311,17 @@ void ExprEngine::VisitCast(const CastExpr *CastE, const Expr *Ex,
     for (ExplodedNode *Node : DstEvalLoc) {
       ProgramStateRef State = Node->getState();
       const LocationContext *LCtx = Node->getLocationContext();
-      // getAsRegion should always be successful since Ex is an lvalue:
-      SVal OrigV = State->getSVal(State->getSVal(Ex, LCtx).getAsRegion());
-      SVal CastedV =
-          svalBuilder.evalCast(svalBuilder.simplifySVal(State, OrigV),
-                               CastE->getType(), Ex->getType());
-
+      // Although `Ex` is an lvalue, it could have `Loc::ConcreteInt` kind
+      // (e.g., `(int *)123456`).  In such cases, there is no MemRegion
+      // available and we can't get the value to be casted.
+      const MemRegion *MR = State->getSVal(Ex, LCtx).getAsRegion();
+      SVal CastedV = UnknownVal();
+
+      if (MR) {
+        SVal OrigV = State->getSVal(MR);
+        CastedV = svalBuilder.evalCast(svalBuilder.simplifySVal(State, OrigV),
+                                       CastE->getType(), Ex->getType());
+      }
       State = State->BindExpr(CastE, LCtx, CastedV);
       Bldr.generateNode(CastE, Node, State);
     }

clang/test/Analysis/builtin_bitcast.cpp

@@ -1,5 +1,5 @@
 // RUN: %clang_analyze_cc1 -triple x86_64-unknown-unknown -verify %s \
-// RUN:   -analyzer-checker=core,debug.ExprInspection
+// RUN:   -analyzer-checker=debug.ExprInspection -analyzer-disable-checker=core
 
 template <typename T> void clang_analyzer_dump(T);
 using size_t = decltype(sizeof(int));
@@ -60,4 +60,9 @@ namespace {
     // expected-warning-re@-1 {{{{[0-9]+}} (Loc)}}
     return ptr == __builtin_bit_cast(void*, static_cast<uintptr_t>(-1));
   }
+
+  void check_loc_concreteInt() {
+    clang_analyzer_dump(__builtin_bit_cast(unsigned, *(reinterpret_cast<int*>(0xdeadbeef))));
+    // expected-warning@-1 {{Unknown}}
+  }
 }