[analyzer] Treat LValueBitCasts like regular pointer bit casts.

These casts only appear in very well-defined circumstances, in which the
target of a reinterpret_cast or a function formal parameter is an lvalue
reference. According to the C++ standard, the following are equivalent:

 reinterpret_cast<T&>( x)
*reinterpret_cast<T*>(&x)

[expr.reinterpret.cast]p11

git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@158338 91177308-0d34-0410-b5e6-96231b3b80d8

1 files changed, 9 insertions, 4 deletions

diff --git a/lib/StaticAnalyzer/Core/RegionStore.cpp b/lib/StaticAnalyzer/Core/RegionStore.cpp
index 9c00d96343..86a68a6b3a 100644
--- a/lib/StaticAnalyzer/Core/RegionStore.cpp
+++ b/lib/StaticAnalyzer/Core/RegionStore.cpp
@@ -878,10 +878,15 @@ SVal RegionStoreManager::ArrayToPointer(Loc Array) {
   if (!ArrayR)
     return UnknownVal();
 
-  // Strip off typedefs from the ArrayRegion's ValueType.
-  QualType T = ArrayR->getValueType().getDesugaredType(Ctx);
-  const ArrayType *AT = cast<ArrayType>(T);
-  T = AT->getElementType();
+  // Extract the element type from the array region's ValueType.
+  // Be careful about weird things happening due to user-written casts.
+  QualType T = ArrayR->getValueType();
+  if (const ArrayType *AT = Ctx.getAsArrayType(T))
+    T = AT->getElementType();
+  else if (const PointerType *PT = T->getAs<PointerType>())
+    T = PT->getPointeeType();
+  else
+    return UnknownVal();
 
   NonLoc ZeroIdx = svalBuilder.makeZeroArrayIndex();
   return loc::MemRegionVal(MRMgr.getElementRegion(T, ZeroIdx, ArrayR, Ctx));