4 files changed, 102 insertions, 1 deletions
diff --git a/clang/lib/StaticAnalyzer/Checkers/CMakeLists.txt b/clang/lib/StaticAnalyzer/Checkers/CMakeLists.txt
index a377ca9e4d4..92e3278116e 100644
--- a/clang/lib/StaticAnalyzer/Checkers/CMakeLists.txt
+++ b/clang/lib/StaticAnalyzer/Checkers/CMakeLists.txt
@@ -31,6 +31,7 @@ add_clang_library(clangStaticAnalyzerCheckers
   DebugCheckers.cpp
   DereferenceChecker.cpp
   DivZeroChecker.cpp
+  ExprInspectionChecker.cpp
   FixedAddressChecker.cpp
   GenericTaintChecker.cpp
   IdempotentOperationChecker.cpp
diff --git a/clang/lib/StaticAnalyzer/Checkers/Checkers.td b/clang/lib/StaticAnalyzer/Checkers/Checkers.td
index 230bb403a45..fc0eafe758f 100644
--- a/clang/lib/StaticAnalyzer/Checkers/Checkers.td
+++ b/clang/lib/StaticAnalyzer/Checkers/Checkers.td
@@ -483,5 +483,9 @@ def TaintTesterChecker : Checker<"TaintTest">,
   HelpText<"Mark tainted symbols as such.">,
   DescFile<"TaintTesterChecker.cpp">;
 
+def ExprInspectionChecker : Checker<"ExprInspection">,
+  HelpText<"Check the analyzer's understanding of expressions">,
+  DescFile<"ExprInspectionChecker.cpp">;
+
 } // end "debug"
 
diff --git a/clang/lib/StaticAnalyzer/Checkers/ExprInspectionChecker.cpp b/clang/lib/StaticAnalyzer/Checkers/ExprInspectionChecker.cpp
new file mode 100644
index 00000000000..f638dda2d8e
--- /dev/null
+++ b/clang/lib/StaticAnalyzer/Checkers/ExprInspectionChecker.cpp
@@ -0,0 +1,85 @@
+//==- ExprInspectionChecker.cpp - Used for regression tests ------*- C++ -*-==//
+//
+//                     The LLVM Compiler Infrastructure
+//
+// This file is distributed under the University of Illinois Open Source
+// License. See LICENSE.TXT for details.
+//
+//===----------------------------------------------------------------------===//
+
+#include "ClangSACheckers.h"
+#include "clang/StaticAnalyzer/Core/Checker.h"
+#include "clang/StaticAnalyzer/Core/BugReporter/BugType.h"
+#include "clang/StaticAnalyzer/Core/PathSensitive/CheckerContext.h"
+
+using namespace clang;
+using namespace ento;
+
+namespace {
+class ExprInspectionChecker : public Checker< eval::Call > {
+  mutable OwningPtr<BugType> BT;
+public:
+  bool evalCall(const CallExpr *CE, CheckerContext &C) const;
+};
+}
+
+bool ExprInspectionChecker::evalCall(const CallExpr *CE,
+                                       CheckerContext &C) const {
+  // These checks should have no effect on the surrounding environment
+  // (globals should not be evaluated, etc), hence the use of evalCall.
+  ExplodedNode *N = C.getPredecessor();
+  const LocationContext *LC = N->getLocationContext();
+
+  if (!C.getCalleeName(CE).equals("clang_analyzer_eval"))
+    return false;
+
+  // A specific instantiation of an inlined function may have more constrained
+  // values than can generally be assumed. Skip the check.
+  if (LC->getParent() != 0)
+    return true;
+
+  const char *Msg = 0;
+
+  if (CE->getNumArgs() == 0)
+    Msg = "Missing assertion argument";
+  else {
+    ProgramStateRef State = N->getState();
+    const Expr *Assertion = CE->getArg(0);
+    SVal AssertionVal = State->getSVal(Assertion, LC);
+
+    if (AssertionVal.isUndef())
+      Msg = "UNDEFINED";
+    else {
+      ProgramStateRef StTrue, StFalse;
+      llvm::tie(StTrue, StFalse) =
+        State->assume(cast<DefinedOrUnknownSVal>(AssertionVal));
+
+      if (StTrue) {
+        if (StFalse)
+          Msg = "UNKNOWN";
+        else
+          Msg = "TRUE";
+      } else {
+        if (StFalse)
+          Msg = "FALSE";
+        else
+          llvm_unreachable("Invalid constraint; neither true or false.");
+      }      
+    }
+  }
+
+  assert(Msg);
+
+  if (!BT)
+    BT.reset(new BugType("Checking analyzer assumptions", "debug"));
+
+  BugReport *R = new BugReport(*BT, Msg, N);
+  C.EmitReport(R);
+
+  return true;
+}
+
+void ento::registerExprInspectionChecker(CheckerManager &Mgr) {
+  Mgr.registerChecker<ExprInspectionChecker>();
+}
+
diff --git a/clang/test/Analysis/global-region-invalidation.c b/clang/test/Analysis/global-region-invalidation.c
index 184ffb870fb..71a7285e1f1 100644
--- a/clang/test/Analysis/global-region-invalidation.c
+++ b/clang/test/Analysis/global-region-invalidation.c
@@ -1,4 +1,6 @@
-// RUN: %clang_cc1 -triple x86_64-apple-darwin10 -analyze -disable-free -analyzer-eagerly-assume -analyzer-checker=core,deadcode,experimental.security.taint,debug.TaintTest -verify %s
+// RUN: %clang_cc1 -triple x86_64-apple-darwin10 -analyze -disable-free -analyzer-eagerly-assume -analyzer-checker=core,deadcode,experimental.security.taint,debug.TaintTest,debug.ExprInspection -verify %s
+
+void clang_analyzer_eval(int);
 
 // Note, we do need to include headers here, since the analyzer checks if the function declaration is located in a system header.
 #include "system-header-simulator.h"
@@ -73,3 +75,12 @@ int constIntGlobExtern() {
   }
   return 0;
 }
+
+void testAnalyzerEvalIsPure() {
+  extern int someGlobal;
+  if (someGlobal == 0) {
+    clang_analyzer_eval(someGlobal == 0); // expected-warning{{TRUE}}
+    clang_analyzer_eval(someGlobal == 0); // expected-warning{{TRUE}}
+  }
+}
+