[analyzer] Fix a crash when an ObjC object is constructed in AllocaRegion.

Memory region allocated by alloca() carries no implicit type information.
Don't crash when resolving the init message for an Objective-C object
that is being constructed in such region.

rdar://problem/32517077

Differential Revision: https://reviews.llvm.org/D33828


git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@305211 91177308-0d34-0410-b5e6-96231b3b80d8

lib/StaticAnalyzer/Core/CallEvent.cpp

@@ -957,6 +957,12 @@ RuntimeDefinition ObjCMethodCall::getRuntimeDefinition() const {
         return RuntimeDefinition();
 
       DynamicTypeInfo DTI = getDynamicTypeInfo(getState(), Receiver);
+      if (!DTI.isValid()) {
+        assert(isa<AllocaRegion>(Receiver) &&
+               "Unhandled untyped region class!");
+        return RuntimeDefinition();
+      }
+
       QualType DynType = DTI.getType();
       CanBeSubClassed = DTI.canBeASubClass();
       ReceiverT = dyn_cast<ObjCObjectPointerType>(DynType.getCanonicalType());

test/Analysis/DynamicTypePropagation.m

@@ -4,6 +4,9 @@
 #  error Compiler does not support Objective-C generics?
 #endif
 
+typedef __typeof(sizeof(int)) size_t;
+void *memset(void *, int, size_t);
+
 #define nil 0
 typedef unsigned long NSUInteger;
 typedef int BOOL;
@@ -21,6 +24,7 @@ __attribute__((objc_root_class))
 @end
 
 @interface NSArray<ObjectType> : NSObject
+- (void) init;
 - (BOOL)contains:(ObjectType)obj;
 - (ObjectType)getObjAtIndex:(NSUInteger)idx;
 - (ObjectType)objectAtIndexedSubscript:(NSUInteger)idx;
@@ -55,3 +59,11 @@ void testArgument(NSArray<MyType *> *arr, id element) {
   // MyType!
   [element myFunction:0 myParam:0 ];
 }
+
+// Do not try this at home! The analyzer shouldn't crash though when it
+// tries to figure out the dynamic type behind the alloca's return value.
+void testAlloca(size_t NSArrayClassSizeWeKnowSomehow) {
+  NSArray *arr = __builtin_alloca(NSArrayClassSizeWeKnowSomehow);
+  memset(arr, 0, NSArrayClassSizeWeKnowSomehow);
+  [arr init]; // no-crash
+}