2 files changed, 35 insertions, 0 deletions

diff --git a/lib/Checker/RegionStore.cpp b/lib/Checker/RegionStore.cpp
index 1a3eded7cb..8c3763778d 100644
--- a/lib/Checker/RegionStore.cpp
+++ b/lib/Checker/RegionStore.cpp
@@ -745,6 +745,14 @@ DefinedOrUnknownSVal RegionStoreManager::getSizeInElements(const GRState *state,
     return UnknownVal();
 
   CharUnits RegionSize = CharUnits::fromQuantity(SizeInt->getSExtValue());
+
+  if (Ctx.getAsVariableArrayType(EleTy)) {
+    // FIXME: We need to track extra state to properly record the size
+    // of VLAs.  Returning UnknownVal here, however, is a stop-gap so that
+    // we don't have a divide-by-zero below.
+    return UnknownVal();
+  }
+
   CharUnits EleSize = Ctx.getTypeSizeInChars(EleTy);
 
   // If a variable is reinterpreted as a type that doesn't fit into a larger
diff --git a/test/Analysis/misc-ps-region-store.m b/test/Analysis/misc-ps-region-store.m
index a0a443ab69..4378e06536 100644
--- a/test/Analysis/misc-ps-region-store.m
+++ b/test/Analysis/misc-ps-region-store.m
@@ -1156,3 +1156,30 @@ pr8141 (void) {
     {
     }
 }
+
+// <rdar://problem/8424269> - Handle looking at the size of a VLA in
+// ArrayBoundChecker.  Nothing intelligent (yet); just don't crash.
+typedef struct RDar8424269_A {
+  int RDar8424269_C;
+} RDar8424269_A;
+static void RDar8424269_B(RDar8424269_A *p, unsigned char *RDar8424269_D,
+                          const unsigned char *RDar8424269_E, int RDar8424269_F,
+    int b_w, int b_h, int dx, int dy) {
+  int x, y, b, r, l;
+  unsigned char tmp2t[3][RDar8424269_F * (32 + 8)];
+  unsigned char *tmp2 = tmp2t[0];
+  if (p && !p->RDar8424269_C)
+    b = 15;
+  tmp2 = tmp2t[1];
+  if (b & 2) { // expected-warning{{The left operand of '&' is a garbage value}}
+    for (y = 0; y < b_h; y++) {
+      for (x = 0; x < b_w + 1; x++) {
+        int am = 0;
+        tmp2[x] = am;
+      }
+    }
+  }
+  tmp2 = tmp2t[2];
+}
+
+