Index: lib/StaticAnalyzer/Core/Z3ConstraintManager.cpp =================================================================== --- lib/StaticAnalyzer/Core/Z3ConstraintManager.cpp +++ lib/StaticAnalyzer/Core/Z3ConstraintManager.cpp @@ -1414,7 +1414,7 @@ // If the two operands are pointers and the operation is a subtraction, the // result is of type ptrdiff_t, which is signed - if (LTy->isAnyPointerType() && LTy == RTy && Op == BO_Sub) { + if (LTy->isAnyPointerType() && RTy->isAnyPointerType() && Op == BO_Sub) { ASTContext &Ctx = getBasicVals().getContext(); *RetTy = Ctx.getIntTypeForBitwidth(Ctx.getTypeSize(LTy), true); } Index: test/Analysis/PR37855.c =================================================================== --- /dev/null +++ test/Analysis/PR37855.c @@ -0,0 +1,24 @@ +// RUN: %clang_cc1 -analyze -analyzer-eagerly-assume -analyzer-checker=core -w -DNO_CROSSCHECK -verify %s +// RUN: %clang_cc1 -analyze -analyzer-eagerly-assume -analyzer-checker=core -w -analyzer-config crosscheck-with-z3=true -verify %s +// REQUIRES: z3 + +typedef struct o p; +struct o { + struct { + } s; +}; + +void q(*r, p2) { r < p2; } + +void k(l, node) { + struct { + p *node; + } * n, *nodep, path[sizeof(void)]; + path->node = l; + for (n = path; node != l;) { + q(node, n->node); + nodep = n; + } + if (nodep) // expected-warning {{Branch condition evaluates to a garbage value}} + n[1].node->s; // expected-warning {{Dereference of undefined pointer value}} +}