3 files changed, 24 insertions, 4 deletions

diff --git a/clang/lib/StaticAnalyzer/Core/ExprEngineC.cpp b/clang/lib/StaticAnalyzer/Core/ExprEngineC.cpp
index 67aeab60033..84872675928 100644
--- a/clang/lib/StaticAnalyzer/Core/ExprEngineC.cpp
+++ b/clang/lib/StaticAnalyzer/Core/ExprEngineC.cpp
@@ -309,7 +309,8 @@ void ExprEngine::VisitCast(const CastExpr *CastE, const Expr *Ex,
       case CK_BlockPointerToObjCPointerCast:
       case CK_AnyPointerToBlockPointerCast:  
       case CK_ObjCObjectLValueCast: 
-      case CK_ZeroToOCLEvent: {
+      case CK_ZeroToOCLEvent:
+      case CK_LValueBitCast: {
         // Delegate to SValBuilder to process.
         SVal V = state->getSVal(Ex, LCtx);
         V = svalBuilder.evalCast(V, T, ExTy);
@@ -381,8 +382,7 @@ void ExprEngine::VisitCast(const CastExpr *CastE, const Expr *Ex,
       case CK_BaseToDerivedMemberPointer:
       case CK_DerivedToBaseMemberPointer:
       case CK_ReinterpretMemberPointer:
-      case CK_VectorSplat:
-      case CK_LValueBitCast: {
+      case CK_VectorSplat: {
         // Recover some path-sensitivty by conjuring a new value.
         QualType resultType = CastE->getType();
         if (CastE->isGLValue())
diff --git a/clang/lib/StaticAnalyzer/Core/RegionStore.cpp b/clang/lib/StaticAnalyzer/Core/RegionStore.cpp
index 88c4eee4bb2..729fc009fe8 100644
--- a/clang/lib/StaticAnalyzer/Core/RegionStore.cpp
+++ b/clang/lib/StaticAnalyzer/Core/RegionStore.cpp
@@ -1262,7 +1262,10 @@ SVal RegionStoreManager::ArrayToPointer(Loc Array) {
 
   // Strip off typedefs from the ArrayRegion's ValueType.
   QualType T = ArrayR->getValueType().getDesugaredType(Ctx);
-  const ArrayType *AT = cast<ArrayType>(T);
+  const ArrayType *AT = dyn_cast<ArrayType>(T);
+  if (!AT)
+    return UnknownVal();
+
   T = AT->getElementType();
 
   NonLoc ZeroIdx = svalBuilder.makeZeroArrayIndex();
diff --git a/clang/test/Analysis/reinterpret-cast.cpp b/clang/test/Analysis/reinterpret-cast.cpp
index 59e6a539a11..cb7cbfd325d 100644
--- a/clang/test/Analysis/reinterpret-cast.cpp
+++ b/clang/test/Analysis/reinterpret-cast.cpp
@@ -86,3 +86,20 @@ namespace PR15345 {
     clang_analyzer_eval(p->x == 42); // expected-warning{{TRUE}}
   };
 }
+
+int trackpointer_std_addressof() {
+  int x;
+  int *p = (int*)&reinterpret_cast<const volatile char&>(x);
+  *p = 6;
+  return x; // no warning
+}
+
+void set_x1(int *&);
+void set_x2(void *&);
+int radar_13146953(void) {
+  int *x = 0, *y = 0;
+
+  set_x1(x);
+  set_x2((void *&)y);
+  return *x + *y; // no warning
+}
\ No newline at end of file