[analyzer] Relax the assert used when traversing the node graph.

The assertion gets exposed when changing the exploration order.
This is a quick hacky fix, but the intention is that if the nodes do
merge, it should not matter which predecessor should be traverse.
A proper fix would be not to traverse predecessors at all, as all
information relevant for any decision should be avilable locally.

rdar://37540480

Differential Revision: https://reviews.llvm.org/D42773

llvm-svn: 325977

clang/lib/StaticAnalyzer/Core/ExprEngineC.cpp

@@ -760,7 +760,11 @@ void ExprEngine::VisitGuardedExpr(const Expr *Ex,
   for (const ExplodedNode *N = Pred ; N ; N = *N->pred_begin()) {
     ProgramPoint PP = N->getLocation();
     if (PP.getAs<PreStmtPurgeDeadSymbols>() || PP.getAs<BlockEntrance>()) {
-      assert(N->pred_size() == 1);
+      // If the state N has multiple predecessors P, it means that successors
+      // of P are all equivalent.
+      // In turn, that means that all nodes at P are equivalent in terms
+      // of observable behavior at N, and we can follow any of them.
+      // FIXME: a more robust solution which does not walk up the tree.
       continue;
     }
     SrcBlock = PP.castAs<BlockEdge>().getSrc();

clang/test/Analysis/exploration_order/noexprcrash.c

@@ -0,0 +1,17 @@
+// RUN: %clang_analyze_cc1 -analyzer-checker=core,debug.ExprInspection -verify -analyzer-config exploration_strategy=unexplored_first %s
+// RUN: %clang_analyze_cc1 -analyzer-checker=core,debug.ExprInspection -verify -analyzer-config exploration_strategy=dfs %s
+
+extern void clang_analyzer_eval(int);
+
+typedef struct { char a; } b;
+int c(b* input) {
+    int x = (input->a ?: input) ? 1 : 0; // expected-warning{{pointer/integer type mismatch}}
+    if (input->a) {
+      // FIXME: The value should actually be "TRUE",
+      // but is incorrect due to a bug.
+      clang_analyzer_eval(x); // expected-warning{{FALSE}}
+    } else {
+      clang_analyzer_eval(x); // expected-warning{{TRUE}}
+    }
+    return x;
+}