[analyzer] InnerPointerChecker: Fix a segfault when checking symbolic strings.

Return value of dyn_cast_or_null should be checked before use.
Otherwise we may put a null pointer into the map as a key and eventually
crash in checkDeadSymbols.

Differential Revision: https://reviews.llvm.org/D51385

llvm-svn: 341092

clang/lib/StaticAnalyzer/Checkers/InnerPointerChecker.cpp

@@ -211,8 +211,11 @@ void InnerPointerChecker::checkPostCall(const CallEvent &Call,
   ProgramStateRef State = C.getState();
 
   if (const auto *ICall = dyn_cast<CXXInstanceCall>(&Call)) {
+    // TODO: Do we need these to be typed?
     const auto *ObjRegion = dyn_cast_or_null<TypedValueRegion>(
         ICall->getCXXThisVal().getAsRegion());
+    if (!ObjRegion)
+      return;
 
     if (Call.isCalled(CStrFn) || Call.isCalled(DataFn)) {
       SVal RawPtr = Call.getReturnValue();

clang/test/Analysis/inner-pointer.cpp

@@ -424,3 +424,7 @@ void no_CXXRecordDecl() {
   *(void **)&b = c() + 1;
   *b = a; // no-crash
 }
+
+void checkReference(std::string &s) {
+  const char *c = s.c_str();
+}