Index: lib/StaticAnalyzer/Core/ExprEngineC.cpp =================================================================== --- lib/StaticAnalyzer/Core/ExprEngineC.cpp +++ lib/StaticAnalyzer/Core/ExprEngineC.cpp @@ -760,7 +760,11 @@ for (const ExplodedNode *N = Pred ; N ; N = *N->pred_begin()) { ProgramPoint PP = N->getLocation(); if (PP.getAs() || PP.getAs()) { - assert(N->pred_size() == 1); + // If the state N has multiple predecessors P, it means that successors + // of P are all equivalent. + // In turn, that means that all nodes at P are equivalent in terms + // of observable behavior at N, and we can follow any of them. + // FIXME: a more robust solution which does not walk up the tree. continue; } SrcBlock = PP.castAs().getSrc(); Index: test/Analysis/exploration_order/noexprcrash.c =================================================================== --- /dev/null +++ test/Analysis/exploration_order/noexprcrash.c @@ -0,0 +1,17 @@ +// RUN: %clang_analyze_cc1 -analyzer-checker=core,debug.ExprInspection -verify -analyzer-config exploration_strategy=unexplored_first %s +// RUN: %clang_analyze_cc1 -analyzer-checker=core,debug.ExprInspection -verify -analyzer-config exploration_strategy=dfs %s + +extern void clang_analyzer_eval(int); + +typedef struct { char a; } b; +int c(b* input) { + int x = (input->a ?: input) ? 1 : 0; // expected-warning{{pointer/integer type mismatch}} + if (input->a) { + // FIXME: The value should actually be "TRUE", + // but is incorrect due to a bug. + clang_analyzer_eval(x); // expected-warning{{FALSE}} + } else { + clang_analyzer_eval(x); // expected-warning{{TRUE}} + } + return x; +}