Index: lib/StaticAnalyzer/Core/Store.cpp =================================================================== --- lib/StaticAnalyzer/Core/Store.cpp +++ lib/StaticAnalyzer/Core/Store.cpp @@ -402,6 +402,16 @@ if (castTy.isNull() || V.isUnknownOrUndef()) return V; + // The dispatchCast() call below would round the int to a float. What we want, + // however, is a bit-by-bit reinterpretation of the int as a float, which + // usually yields nothing garbage. For now skip casts from ints to floats. + // TODO: What other combinations of types are affected? + if (castTy->isFloatingType()) { + SymbolRef Sym = V.getAsSymbol(); + if (Sym && !Sym->getType()->isFloatingType()) + return UnknownVal(); + } + // When retrieving symbolic pointer and expecting a non-void pointer, // wrap them into element regions of the expected type if necessary. // SValBuilder::dispatchCast() doesn't do that, but it is necessary to Index: test/Analysis/casts.c =================================================================== --- test/Analysis/casts.c +++ test/Analysis/casts.c @@ -213,3 +213,35 @@ } #endif + +char no_crash_SymbolCast_of_float_type_aux(int *p) { + *p += 1; + return *p; +} + +void no_crash_SymbolCast_of_float_type() { + extern float x; + char (*f)() = no_crash_SymbolCast_of_float_type_aux; + f(&x); +} + +double no_crash_reinterpret_double_as_int(double a) { + *(int *)&a = 1; + return a * a; +} + +double no_crash_reinterpret_double_as_ptr(double a) { + *(void **)&a = 0; + return a * a; +} + +double no_crash_reinterpret_double_as_sym_int(double a, int b) { + *(int *)&a = b; + return a * a; +} + +double no_crash_reinterpret_double_as_sym_ptr(double a, void * b) { + *(void **)&a = b; + return a * a; +} + Index: test/Analysis/casts.cpp =================================================================== --- test/Analysis/casts.cpp +++ test/Analysis/casts.cpp @@ -102,3 +102,15 @@ castToDerived(reinterpret_cast(ORef))->getNotInt(); } } // namespace base_to_derived_opaque_class + +namespace bool_to_nullptr { +struct S { + int *a[1]; + bool b; +}; +void foo(S s) { + s.b = true; + for (int i = 0; i < 2; ++i) + (void)(s.a[i] != nullptr); // no-crash +} +} // namespace bool_to_nullptr