authorAnna Zaks <ganna@apple.com>2012-01-21 06:59:01 +0000
committerAnna Zaks <ganna@apple.com>2012-01-21 06:59:01 +0000
commit665b00265858a47f3ccd80b2f27b250c54f5fd5d (patch)
treec54f8dbc8eb2a66bd552fa294ecc0dda2a7a217c
parentb3381f60960d355750eaf0fcf9890fd57d76bb32 (diff)
[analyzer] It's possible to have a non PointerType expression evaluate to a Loc value. When this happens, use the default type.
git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@148631 91177308-0d34-0410-b5e6-96231b3b80d8
-rw-r--r--lib/StaticAnalyzer/Checkers/GenericTaintChecker.cpp4
-rw-r--r--test/Analysis/taint-tester.m20
2 files changed, 22 insertions, 2 deletions
diff --git a/lib/StaticAnalyzer/Checkers/GenericTaintChecker.cpp b/lib/StaticAnalyzer/Checkers/GenericTaintChecker.cpp
index 4ddb7d3a1e..83656716cb 100644
--- a/lib/StaticAnalyzer/Checkers/GenericTaintChecker.cpp
+++ b/lib/StaticAnalyzer/Checkers/GenericTaintChecker.cpp
@@ -406,8 +406,8 @@ SymbolRef GenericTaintChecker::getPointedToSymbol(CheckerContext &C,
const PointerType *ArgTy =
dyn_cast<PointerType>(Arg->getType().getCanonicalType().getTypePtr());
- assert(ArgTy);
- SVal Val = State->getSVal(*AddrLoc, ArgTy->getPointeeType());
+ SVal Val = State->getSVal(*AddrLoc,
+ ArgTy ? ArgTy->getPointeeType(): QualType());
return Val.getAsSymbol();
}
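Review bot: The new `ArgTy ? ArgTy->getPointeeType(): QualType()` fallback at the `getSVal` call replaces the assert without recording when `ArgTy` can be null or what the default type implies for the lookup. I would add a comment above it such as `// Arg may not be a PointerType yet still evaluate to a Loc; let getSVal pick the region's default type.` and put a space before the `:` to match the surrounding style. Because this helper feeds taint propagation, a null symbol returned on this path would show up as a silently missed taint report rather than a crash, so it is worth confirming (presumably in the accompanying test) that the fallback still yields the expected symbol. The body of `getPointedToSymbol` starts outside this hunk, so the earlier guards on `AddrLoc` are not visible here.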
diff --git a/test/Analysis/taint-tester.m b/test/Analysis/taint-tester.m
new file mode 100644
index 0000000000..ae55c6618d
--- /dev/null
+++ b/test/Analysis/taint-tester.m
@@ -0,0 +1,20 @@
+// RUN: %clang_cc1 -analyze -analyzer-checker=experimental.security.taint,debug.TaintTest %s -verify
+
+#import <stdarg.h>
+
+@interface NSString
+- (NSString *)stringByAppendingString:(NSString *)aString;
+@end
+extern void NSLog (NSString *format, ...);
+extern void NSLogv(NSString *format, va_list args);
+
+void TestLog (NSString *format, ...);
+void TestLog (NSString *format, ...) {
+ va_list ap;
+ va_start(ap, format);
+ NSString *string = @"AAA: ";
+
+ NSLogv([string stringByAppendingString:format], ap);
+
+ va_end(ap);
+}
\ No newline at end of file
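Review bot: The test runs with `-verify` but contains no `expected-` directives, so as written it only checks that analysing `TestLog` finishes without an assertion and without any diagnostic; it does not pin what the taint checker concludes about the `NSLogv` argument. A header comment would make that intent explicit, for example `// Regression test: a non-PointerType argument that evaluates to a Loc must not trip the assert in getPointedToSymbol.` If the fallback type is meant to preserve taint tracking through `stringByAppendingString:`, a second case with a tainted `format` and a matching expected diagnostic would cover that. The file also ends without a trailing newline.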