ASDenysPetrov added a comment.

@Szelethus, @NoQ I've investigated graph.dot of the sample. F11723129: t37503.dot <https://reviews.llvm.org/F11723129>

Here is a simplification:

1. SA thinks that `ptr` is a pointer with a structure `MemRegion->MemRegion->MemRegion->Element`.
2. Then `*(unsigned char **)ptr = (unsigned char *)(func());` occurs. Symbolic substitution happens to `ptr`.
3. After that SA thinks that `ptr` holds a symbolic value `MemRegion->MemRegion->Element` because of casts.
4. `**ptr` should lead us to `MemRegion->MemRegion->MemRegion` from the C++ point of view, but dereferencing applies to the substituted symbolic value from the SA point of view and we finally get `MemRegion->MemRegion->Element`.

As I see, this is not //treating the symptom//. This is exactly handling this particular case which is legal and may take place.

Another solution could be to check the first argument of `strcpy` for being actually a `char*` and show a warning otherwise.

Please explain what I could be missing in my suggestions, because I have less expertise than you guys.

CHANGES SINCE LAST ACTION
  https://reviews.llvm.org/D77062/new/

https://reviews.llvm.org/D77062

_______________________________________________
cfe-commits mailing list
cfe-commits@lists.llvm.org
https://lists.llvm.org/cgi-bin/mailman/listinfo/cfe-commits