I have seen we are producing tons of Unknowns and I am still not sure where they go, but even if I remove that condition these Unknowns will not shown up in the ExplodedGraph. I believe that should be the correct behavior.

How about the following test case in which not Bar but &Bar gets bitwise-operated upon?

C **test() {
  C *Bar = new C;
  C **Baz = &Bar;
  Baz = reinterpret_cast<C **>(reinterpret_cast<uintptr_t>(Baz) | 0x1);
  Baz = reinterpret_cast<C **>(reinterpret_cast<uintptr_t>(Baz) & ~static_cast<uintptr_t>(0x1));
  delete *Baz;
}

The difference is that in this case the escaping region doesn't have a symbolic base. And i believe that symbolic regions aren't special here in any way.

I suggest doing an escape when the resulting value is unknown after evalBinOp but regardless of any other conditions that you mentioned. Simply because there's a loss of information.

Pls include core as well, just in case, because running path-sensitive analysis without core checkers is unsupported.

I think something went wrong while uploading the patch. This diff should add this whole test file, not update it.

Relying on everybody's system headers is super flaky, don't do this in tests.

Please define stuff that you use directly like other tests do:

typedef unsigned __INTPTR_TYPE__ uintptr_t;

Bar is reduced to one bit here. It's a legit leak. I think you meant to swap Foo and Bar.

In any case, passing a pointer to delete that wasn't obtained from new is undefined behavior. In order to produce a test that's also a correct code, i think we should either undo our bitwise operations, or perform an escape in a different manner (say, return the pointer to the caller).

That is a great idea! I wanted to make it more generic. Thanks you!

I have made it fail on master.

This is a test-driven-development-driven patch, first make the test fail, then make it pass.

It is a predefined header in Modules so Windows will not break.

Please note that only one of the test files (malloc.c) use that definition, most of them using that I have used in D62926, so I believe this header is the correct one as it is in four tests and Windows-approved by D62926.

I assumed that we are doing our low-bits magic, where we have two identical objects. The SymRegion sets up the HeapSymRegion's property, where no leak happen. We just could change the first low-bit and set up some crazy flag, like isChecked(), so we do not lost the tracking. Also we have four bits to change, so there is no edge case going on.

Whoops! I really wanted to make the test look great.

Unknowns don't show up in the Environment, but they do show up in the Store.

Let's make fancier names, like, dunno, test_escape_into_bitwise_ops and test_indirect_escape_into_bitwise_ops.

Sounds nice in your local git but for phabricator it's definitely better to upload the exact thing that you're going to commit. It is assumed that the tests would fail without the patch and will pass with the patch, and the information on how exactly did the tests fail previously would look nice in the description. Sometimes some (but usually not all) of the tests are added just because they were discovered to be nice tests related to the patch but not because they failed before the patch, which is also fine and should ideally be mentioned in the description.

Mmm, ok, if it's an internal file then i guess it might be non-flaky. But even then, if it's something more complicated than the definition of uintptr_t, then your test will be affected by the contents of this file, which may change. I'd slightly prefer to reduce the amount of such stuff in our tests simply for keeping them minimal.

I guess just flip a single bit like i did in my test?