Fix bug in SimpleSValBuilder where '--' pointer arithmetic was treated like '++' pointer arithmetic.

git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@129348 91177308-0d34-0410-b5e6-96231b3b80d8

2 files changed, 21 insertions, 1 deletions

diff --git a/lib/StaticAnalyzer/Core/SimpleSValBuilder.cpp b/lib/StaticAnalyzer/Core/SimpleSValBuilder.cpp
index d6062eaa90..5d80251151 100644
--- a/lib/StaticAnalyzer/Core/SimpleSValBuilder.cpp
+++ b/lib/StaticAnalyzer/Core/SimpleSValBuilder.cpp
@@ -873,7 +873,8 @@ SVal SimpleSValBuilder::evalBinOpLN(const GRState *state,
     QualType elementType;
 
     if (const ElementRegion *elemReg = dyn_cast<ElementRegion>(region)) {
-      index = evalBinOpNN(state, BO_Add, elemReg->getIndex(), rhs,
+      assert(op == BO_Add || op == BO_Sub);
+      index = evalBinOpNN(state, op, elemReg->getIndex(), rhs,
                           getArrayIndexType());
       superR = elemReg->getSuperRegion();
       elementType = elemReg->getElementType();
diff --git a/test/Analysis/misc-ps-region-store.cpp b/test/Analysis/misc-ps-region-store.cpp
index aaf1381099..1846bdb397 100644
--- a/test/Analysis/misc-ps-region-store.cpp
+++ b/test/Analysis/misc-ps-region-store.cpp
@@ -360,3 +360,22 @@ int test_invalidate_class() {
   return y.x; // no-warning
 }
 
+// Test correct pointer arithmetic using 'p--'.  This is to warn that we
+// were loading beyond the written characters in buf.
+char *RDar9269695(char *dst, unsigned int n)
+{
+  char buff[40], *p;
+
+  p = buff;
+  do
+    *p++ = '0' + n % 10;
+  while (n /= 10);
+
+  do
+    *dst++ = *--p; // no-warning
+  while (p != buff);
+
+  return dst;
+}
+
+