[analyzer] Fix crash when analyzing C++ code.

git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@126025 91177308-0d34-0410-b5e6-96231b3b80d8

3 files changed, 18 insertions, 2 deletions

diff --git a/lib/StaticAnalyzer/Core/SValBuilder.cpp b/lib/StaticAnalyzer/Core/SValBuilder.cpp
index 796613383b..b0fd497e57 100644
--- a/lib/StaticAnalyzer/Core/SValBuilder.cpp
+++ b/lib/StaticAnalyzer/Core/SValBuilder.cpp
@@ -292,7 +292,7 @@ SVal SValBuilder::evalCast(SVal val, QualType castTy, QualType originalTy) {
     //  }
 
     assert(Loc::isLocType(originalTy) || originalTy->isFunctionType() ||
-           originalTy->isBlockPointerType());
+           originalTy->isBlockPointerType() || castTy->isReferenceType());
 
     StoreManager &storeMgr = StateMgr.getStoreManager();
 
diff --git a/lib/StaticAnalyzer/Core/Store.cpp b/lib/StaticAnalyzer/Core/Store.cpp
index 379327fbb5..722517097c 100644
--- a/lib/StaticAnalyzer/Core/Store.cpp
+++ b/lib/StaticAnalyzer/Core/Store.cpp
@@ -78,7 +78,7 @@ const MemRegion *StoreManager::castRegion(const MemRegion *R, QualType CastToTy)
 
   // Now assume we are casting from pointer to pointer. Other cases should
   // already be handled.
-  QualType PointeeTy = CastToTy->getAs<PointerType>()->getPointeeType();
+  QualType PointeeTy = CastToTy->getPointeeType();
   QualType CanonPointeeTy = Ctx.getCanonicalType(PointeeTy);
 
   // Handle casts to void*.  We just pass the region through.
diff --git a/test/Analysis/cxx-crashes.cpp b/test/Analysis/cxx-crashes.cpp
index ae2f3cb5eb..c9775df7e2 100644
--- a/test/Analysis/cxx-crashes.cpp
+++ b/test/Analysis/cxx-crashes.cpp
@@ -14,6 +14,10 @@ bool f3() {
   return !false;
 }
 
+void *f4(int* w) {
+  return reinterpret_cast<void*&>(w);
+}
+
 namespace {
 
 struct A { };
@@ -27,3 +31,15 @@ A f(char *dst) {
 }
 
 }
+
+namespace {
+
+struct S {
+    void *p;
+};
+
+void *f(S* w) {
+    return &reinterpret_cast<void*&>(*w);
+}
+
+}