Index: lib/StaticAnalyzer/Core/SValBuilder.cpp =================================================================== --- lib/StaticAnalyzer/Core/SValBuilder.cpp +++ lib/StaticAnalyzer/Core/SValBuilder.cpp @@ -218,6 +218,18 @@ } DefinedSVal SValBuilder::getMemberPointer(const DeclaratorDecl* DD) { + assert(!DD || isa(DD) || isa(DD)); + + if (auto *MD = dyn_cast_or_null(DD)) { + // Sema treats pointers to static member functions as have function pointer + // type, so return a function pointer for the method. + // We don't need to play a similar trick for static member fields + // because these are represented as plain VarDecls and not FieldDecls + // in the AST. + if (MD->isStatic()) + return getFunctionPointer(MD); + } + return nonloc::PointerToMember(DD); } Index: test/Analysis/pointer-to-member.cpp =================================================================== --- test/Analysis/pointer-to-member.cpp +++ test/Analysis/pointer-to-member.cpp @@ -78,6 +78,7 @@ struct A { virtual int foo() { return 1; } int bar() { return 2; } + int static staticMemberFunction(int p) { return p + 1; }; }; struct B : public A { @@ -111,11 +112,19 @@ clang_analyzer_eval((APtr->*AFP)() == 3); // expected-warning{{TRUE}} } + + void testPointerToStaticMemberCall() { + int (*fPtr)(int) = &A::staticMemberFunction; + if (fPtr != 0) { // no-crash + clang_analyzer_eval(fPtr(2) == 3); // expected-warning{{TRUE}} + } + } } // end of testPointerToMemberFunction namespace namespace testPointerToMemberData { struct A { int i; + static int j; }; void testPointerToMemberData() { @@ -126,6 +135,13 @@ a.*AMdPointer += 1; clang_analyzer_eval(a.i == 43); // expected-warning{{TRUE}} + + int *ptrToStaticField = &A::j; + if (ptrToStaticField != 0) { + *ptrToStaticField = 7; + clang_analyzer_eval(*ptrToStaticField == 7); // expected-warning{{TRUE}} + clang_analyzer_eval(A::j == 7); // expected-warning{{TRUE}} + } } } // end of testPointerToMemberData namespace