Handle symbolicating a reference in an initializer expression that we don't understand.

git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@154084 91177308-0d34-0410-b5e6-96231b3b80d8

diff --git a/lib/StaticAnalyzer/Core/ExprEngineC.cpp b/lib/StaticAnalyzer/Core/ExprEngineC.cpp
index f277a2eaacb9a4ef658d95336f5d8c3c8bb6963d..ee2d052f281f3af1252f7e4ee2bbfda9881fbad8 100644 (file)
--- a/lib/StaticAnalyzer/Core/ExprEngineC.cpp
+++ b/lib/StaticAnalyzer/Core/ExprEngineC.cpp
@@ -375,7 +375,12 @@ void ExprEngine::VisitDeclStmt(const DeclStmt *DS, ExplodedNode *Pred,
       // Recover some path-sensitivity if a scalar value evaluated to
       // UnknownVal.
       if (InitVal.isUnknown()) {
-        InitVal = svalBuilder.getConjuredSymbolVal(NULL, InitEx, LC,
+       QualType Ty = InitEx->getType();
+       if (InitEx->isLValue()) {
+         Ty = getContext().getPointerType(Ty);
+       }
+
+        InitVal = svalBuilder.getConjuredSymbolVal(NULL, InitEx, LC, Ty,
                                  currentBuilderContext->getCurrentBlockCount());
       }
       B.takeNodes(N);

diff --git a/test/Analysis/misc-ps-region-store.cpp b/test/Analysis/misc-ps-region-store.cpp
index e0cedcce9351ae6b8d262fd6d77230266fc94052..8d75fb8ef350007d853b4c3595c2f8240a1111f0 100644 (file)
--- a/test/Analysis/misc-ps-region-store.cpp
+++ b/test/Analysis/misc-ps-region-store.cpp
@@ -568,3 +568,13 @@ struct PR11146::Entry {
 void PR11146::baz() {
   (void) &Entry::x;
 }
+
+// Test symbolicating a reference.  In this example, the
+// analyzer (originally) didn't know how to handle x[index - index2],
+// returning an UnknownVal.  The conjured symbol wasn't a location,
+// and would result in a crash.
+void rdar10924675(unsigned short x[], int index, int index2) {
+  unsigned short &y = x[index - index2];
+  if (y == 0)
+    return;
+}