diff --git a/clang/lib/StaticAnalyzer/Core/RegionStore.cpp b/clang/lib/StaticAnalyzer/Core/RegionStore.cpp
index 9c00d963432b..7f6aa9f935a8 100644
--- a/clang/lib/StaticAnalyzer/Core/RegionStore.cpp
+++ b/clang/lib/StaticAnalyzer/Core/RegionStore.cpp
@@ -1055,8 +1055,12 @@ SVal RegionStoreManager::getBinding(Store store, Loc L, QualType T) {
 if (RTy->isUnionType())
 return UnknownVal();
 
- if (RTy->isArrayType())
- return getBindingForArray(store, R);
+ if (RTy->isArrayType()) {
+ if (RTy->isConstantArrayType())
+ return getBindingForArray(store, R);
+ else
+ return UnknownVal();
+ }
 
 // FIXME: handle Vector types.
 if (RTy->isVectorType())
diff --git a/clang/test/Analysis/cxx-crashes.cpp b/clang/test/Analysis/cxx-crashes.cpp
index 17fc74d06f46..1ee81a20235e 100644
--- a/clang/test/Analysis/cxx-crashes.cpp
+++ b/clang/test/Analysis/cxx-crashes.cpp
@@ -1,4 +1,6 @@
-// RUN: %clang_cc1 -analyze -analyzer-checker=core -verify %s
+// RUN: %clang_cc1 -analyze -analyzer-checker=core,unix.Malloc,debug.ExprInspection -verify %s
+
+void clang_analyzer_eval(bool);
 
 int f1(char *dst) {
 char *p = dst + 4;
@@ -54,3 +56,17 @@ struct C {
 void C::f() { } }
+
+
+void vla(int n) {
+ int nums[n];
+ nums[0] = 1;
+ clang_analyzer_eval(nums[0] == 1); // expected-warning{{TRUE}}
+
+ // This used to fail with MallocChecker on, and /only/ in C++ mode.
+ // This struct is POD, though, so it should be fine to put it in a VLA.
+ struct { int x; } structs[n];
+ structs[0].x = 1;
+ clang_analyzer_eval(structs[0].x == 1); // expected-warning{{TRUE}}
+}
+
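Review bot: The new `else return UnknownVal();` branch in `RegionStoreManager::getBinding` has no comment saying why non-constant array types are given up on, and it applies to every array type that is not a constant array, not only the VLAs the new test covers. A marker in the style of the neighbouring `// FIXME: handle Vector types.` would record this as a known loss of analysis precision, for example `// FIXME: handle variable-length and other non-constant arrays.`. The branch can also be flattened to avoid `else` after `return`: `if (!RTy->isConstantArrayType()) return UnknownVal();` followed by `return getBindingForArray(store, R);`. The function body starts and continues outside the hunk.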
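Review bot: The comment in the added `vla` test says the struct case "used to fail" without naming the failure, and both `clang_analyzer_eval` checks read an element stored on the line just before, so they look as if they would report TRUE regardless of the RegionStore change. If the regression being guarded is a crash or assertion, as the file name suggests, the comment should say so, e.g. `// This used to crash with MallocChecker on, and /only/ in C++ mode.`, so a reader knows the test passes by completing analysis. The RUN line exercises C++ mode only; whether a C-mode VLA test exists elsewhere is not visible in this diff.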