[analyzer] Do not believe lazy binding when symbolic region types do not match

This fixes a crash when analyzing LLVM that was exposed by r177220 (modeling of
trivial copy/move assignment operators).

When we look up a lazy binding for “Builder”, we see the direct binding of Loc at offset 0.
Previously, we believed the binding, which led to a crash. Now, we do not believe it as
the types do not match.

git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@177453 91177308-0d34-0410-b5e6-96231b3b80d8

2 files changed, 30 insertions, 6 deletions

diff --git a/test/Analysis/region-store.cpp b/test/Analysis/region-store.cpp
new file mode 100644
index 0000000000..5ea5c3f82f
--- /dev/null
+++ b/test/Analysis/region-store.cpp
@@ -0,0 +1,28 @@
+// RUN: %clang_cc1 -analyze -analyzer-checker=core,unix -verify %s
+// expected-no-diagnostics
+
+class Loc {
+  int x;
+};
+class P1 {
+public:
+  Loc l;
+  void setLoc(Loc L) {
+    l = L;
+  }
+  
+};
+class P2 {
+public:
+  int m;
+  int accessBase() {
+    return m;
+  }
+};
+class Derived: public P1, public P2 {
+};
+int radar13445834(Derived *Builder, Loc l) {
+  Builder->setLoc(l);
+  return Builder->accessBase();
+  
+}
\ No newline at end of file
diff --git a/test/Analysis/uninit-vals.m b/test/Analysis/uninit-vals.m
index 6813b8ebf8..9f611ade69 100644
--- a/test/Analysis/uninit-vals.m
+++ b/test/Analysis/uninit-vals.m
@@ -80,12 +80,8 @@ void PR14765_incorrectBehavior(Circle *testObj) {
 
   testObj->origin = makePoint(0.0, 0.0);
 
-  // FIXME: Assigning to 'testObj->origin' kills the default binding for the
-  // whole region, meaning that we've forgotten that testObj->size should also
-  // default to 0. Tracked by <rdar://problem/12701038>.
-  // This should be TRUE.
-  clang_analyzer_eval(testObj->size == oldSize); // expected-warning{{UNKNOWN}}
-
+  clang_analyzer_eval(testObj->size == oldSize); // expected-warning{{TRUE}}
+  
   free(testObj);
 }