[analyzer] It's possible to have a non PointerType expression evaluate to a Loc value. When this happens, use the default type.

llvm-svn: 148631

clang/lib/StaticAnalyzer/Checkers/GenericTaintChecker.cpp

@@ -406,8 +406,8 @@ SymbolRef GenericTaintChecker::getPointedToSymbol(CheckerContext &C,
 
   const PointerType *ArgTy =
     dyn_cast<PointerType>(Arg->getType().getCanonicalType().getTypePtr());
-  assert(ArgTy);
-  SVal Val = State->getSVal(*AddrLoc, ArgTy->getPointeeType());
+  SVal Val = State->getSVal(*AddrLoc,
+                            ArgTy ? ArgTy->getPointeeType(): QualType());
   return Val.getAsSymbol();
 }
 

clang/test/Analysis/taint-tester.m

@@ -0,0 +1,20 @@
+// RUN: %clang_cc1  -analyze -analyzer-checker=experimental.security.taint,debug.TaintTest %s -verify
+
+#import <stdarg.h>
+
+@interface NSString
+- (NSString *)stringByAppendingString:(NSString *)aString;
+@end
+extern void NSLog (NSString *format, ...);
+extern void NSLogv(NSString *format, va_list args);
+
+void TestLog (NSString *format, ...);
+void TestLog (NSString *format, ...) {
+    va_list ap;
+    va_start(ap, format);
+    NSString *string = @"AAA: ";
+    
+    NSLogv([string stringByAppendingString:format], ap);
+    
+    va_end(ap);
+}