Handle symbolicating a reference in an initializer expression that we don't understand.

llvm-svn: 154084

clang/lib/StaticAnalyzer/Core/ExprEngineC.cpp

@@ -375,7 +375,12 @@ void ExprEngine::VisitDeclStmt(const DeclStmt *DS, ExplodedNode *Pred,
       // Recover some path-sensitivity if a scalar value evaluated to
       // UnknownVal.
       if (InitVal.isUnknown()) {
-        InitVal = svalBuilder.getConjuredSymbolVal(NULL, InitEx, LC,
+	QualType Ty = InitEx->getType();
+	if (InitEx->isLValue()) {
+	  Ty = getContext().getPointerType(Ty);
+	}
+
+        InitVal = svalBuilder.getConjuredSymbolVal(NULL, InitEx, LC, Ty,
                                  currentBuilderContext->getCurrentBlockCount());
       }
       B.takeNodes(N);

clang/test/Analysis/misc-ps-region-store.cpp

@@ -568,3 +568,13 @@ struct PR11146::Entry {
 void PR11146::baz() {
   (void) &Entry::x;
 }
+
+// Test symbolicating a reference.  In this example, the
+// analyzer (originally) didn't know how to handle x[index - index2],
+// returning an UnknownVal.  The conjured symbol wasn't a location,
+// and would result in a crash.
+void rdar10924675(unsigned short x[], int index, int index2) {
+  unsigned short &y = x[index - index2];
+  if (y == 0)
+    return;
+}