[C++11] Use 'nullptr'. StaticAnalyzer edition.

git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@209642 91177308-0d34-0410-b5e6-96231b3b80d8

lib/StaticAnalyzer/Checkers/AnalyzerStatsChecker.cpp

@@ -41,7 +41,7 @@ public:
 void AnalyzerStatsChecker::checkEndAnalysis(ExplodedGraph &G,
                                             BugReporter &B,
                                             ExprEngine &Eng) const {
-  const CFG *C  = 0;
+  const CFG *C = nullptr;
   const SourceManager &SM = B.getSourceManager();
   llvm::SmallPtrSet<const CFGBlock*, 256> reachable;
 

lib/StaticAnalyzer/Checkers/ArrayBoundCheckerV2.cpp

@@ -45,9 +45,9 @@ class RegionRawOffsetV2 {
 private:
   const SubRegion *baseRegion;
   SVal byteOffset;
-  
+
   RegionRawOffsetV2()
-    : baseRegion(0), byteOffset(UnknownVal()) {}
+    : baseRegion(nullptr), byteOffset(UnknownVal()) {}
 
 public:
   RegionRawOffsetV2(const SubRegion* base, SVal offset)

lib/StaticAnalyzer/Checkers/BasicObjCFoundationChecks.cpp

@@ -346,7 +346,7 @@ class CFNumberCreateChecker : public Checker< check::PreStmt<CallExpr> > {
   mutable std::unique_ptr<APIMisuse> BT;
   mutable IdentifierInfo* II;
 public:
-  CFNumberCreateChecker() : II(0) {}
+  CFNumberCreateChecker() : II(nullptr) {}
 
   void checkPreStmt(const CallExpr *CE, CheckerContext &C) const;
 
@@ -531,7 +531,8 @@ class CFRetainReleaseChecker : public Checker< check::PreStmt<CallExpr> > {
   mutable std::unique_ptr<APIMisuse> BT;
   mutable IdentifierInfo *Retain, *Release, *MakeCollectable;
 public:
-  CFRetainReleaseChecker(): Retain(0), Release(0), MakeCollectable(0) {}
+  CFRetainReleaseChecker()
+      : Retain(nullptr), Release(nullptr), MakeCollectable(nullptr) {}
   void checkPreStmt(const CallExpr *CE, CheckerContext &C) const;
 };
 } // end anonymous namespace
@@ -840,7 +841,7 @@ class ObjCLoopChecker
                                CheckerContext &C) const;
 
 public:
-  ObjCLoopChecker() : CountSelectorII(0) {}
+  ObjCLoopChecker() : CountSelectorII(nullptr) {}
   void checkPostStmt(const ObjCForCollectionStmt *FCS, CheckerContext &C) const;
   void checkPostObjCMessage(const ObjCMethodCall &M, CheckerContext &C) const;
   void checkDeadSymbols(SymbolReaper &SymReaper, CheckerContext &C) const;
@@ -880,7 +881,7 @@ static ProgramStateRef checkCollectionNonNil(CheckerContext &C,
                                              ProgramStateRef State,
                                              const ObjCForCollectionStmt *FCS) {
   if (!State)
-    return NULL;
+    return nullptr;
 
   SVal CollectionVal = C.getSVal(FCS->getCollection());
   Optional<DefinedSVal> KnownCollection = CollectionVal.getAs<DefinedSVal>();
@@ -891,7 +892,7 @@ static ProgramStateRef checkCollectionNonNil(CheckerContext &C,
   std::tie(StNonNil, StNil) = State->assume(*KnownCollection);
   if (StNil && !StNonNil) {
     // The collection is nil. This path is infeasible.
-    return NULL;
+    return nullptr;
   }
 
   return StNonNil;
@@ -905,7 +906,7 @@ static ProgramStateRef checkElementNonNil(CheckerContext &C,
                                           ProgramStateRef State,
                                           const ObjCForCollectionStmt *FCS) {
   if (!State)
-    return NULL;
+    return nullptr;
 
   // See if the collection is one where we /know/ the elements are non-nil.
   if (!isKnownNonNilCollectionType(FCS->getCollection()->getType()))
@@ -918,7 +919,7 @@ static ProgramStateRef checkElementNonNil(CheckerContext &C,
   Optional<Loc> ElementLoc;
   if (const DeclStmt *DS = dyn_cast<DeclStmt>(Element)) {
     const VarDecl *ElemDecl = cast<VarDecl>(DS->getSingleDecl());
-    assert(ElemDecl->getInit() == 0);
+    assert(ElemDecl->getInit() == nullptr);
     ElementLoc = State->getLValue(ElemDecl, LCtx);
   } else {
     ElementLoc = State->getSVal(Element, LCtx).getAs<Loc>();
@@ -945,7 +946,7 @@ assumeCollectionNonEmpty(CheckerContext &C, ProgramStateRef State,
     const bool *KnownNonEmpty = State->get<ContainerNonEmptyMap>(CollectionS);
     if (!KnownNonEmpty)
       return State->set<ContainerNonEmptyMap>(CollectionS, Assumption);
-    return (Assumption == *KnownNonEmpty) ? State : NULL;
+    return (Assumption == *KnownNonEmpty) ? State : nullptr;
   }
 
   SValBuilder &SvalBuilder = C.getSValBuilder();
@@ -970,7 +971,7 @@ assumeCollectionNonEmpty(CheckerContext &C, ProgramStateRef State,
                          const ObjCForCollectionStmt *FCS,
                          bool Assumption) {
   if (!State)
-    return NULL;
+    return nullptr;
 
   SymbolRef CollectionS =
     State->getSVal(FCS->getCollection(), C.getLocationContext()).getAsSymbol();
@@ -1085,11 +1086,11 @@ void ObjCLoopChecker::checkPostObjCMessage(const ObjCMethodCall &M,
 static SymbolRef getMethodReceiverIfKnownImmutable(const CallEvent *Call) {
   const ObjCMethodCall *Message = dyn_cast_or_null<ObjCMethodCall>(Call);
   if (!Message)
-    return 0;
+    return nullptr;
 
   const ObjCMethodDecl *MD = Message->getDecl();
   if (!MD)
-    return 0;
+    return nullptr;
 
   const ObjCInterfaceDecl *StaticClass;
   if (isa<ObjCProtocolDecl>(MD->getDeclContext())) {
@@ -1102,11 +1103,11 @@ static SymbolRef getMethodReceiverIfKnownImmutable(const CallEvent *Call) {
   }
 
   if (!StaticClass)
-    return 0;
+    return nullptr;
 
   switch (findKnownClass(StaticClass, /*IncludeSuper=*/false)) {
   case FC_None:
-    return 0;
+    return nullptr;
   case FC_NSArray:
   case FC_NSDictionary:
   case FC_NSEnumerator:

lib/StaticAnalyzer/Checkers/CStringChecker.cpp

@@ -159,24 +159,24 @@ public:
                                     ProgramStateRef state,
                                     const Expr *S,
                                     SVal l,
-                                    const char *message = NULL) const;
+                                    const char *message = nullptr) const;
   ProgramStateRef CheckBufferAccess(CheckerContext &C,
                                         ProgramStateRef state,
                                         const Expr *Size,
                                         const Expr *FirstBuf,
                                         const Expr *SecondBuf,
-                                        const char *firstMessage = NULL,
-                                        const char *secondMessage = NULL,
+                                        const char *firstMessage = nullptr,
+                                        const char *secondMessage = nullptr,
                                         bool WarnAboutSize = false) const;
 
   ProgramStateRef CheckBufferAccess(CheckerContext &C,
                                         ProgramStateRef state,
                                         const Expr *Size,
                                         const Expr *Buf,
-                                        const char *message = NULL,
+                                        const char *message = nullptr,
                                         bool WarnAboutSize = false) const {
     // This is a convenience override.
-    return CheckBufferAccess(C, state, Size, Buf, NULL, message, NULL,
+    return CheckBufferAccess(C, state, Size, Buf, nullptr, message, nullptr,
                              WarnAboutSize);
   }
   ProgramStateRef CheckOverlap(CheckerContext &C,
@@ -220,18 +220,18 @@ ProgramStateRef CStringChecker::checkNonNull(CheckerContext &C,
                                             const Expr *S, SVal l) const {
   // If a previous check has failed, propagate the failure.
   if (!state)
-    return NULL;
+    return nullptr;
 
   ProgramStateRef stateNull, stateNonNull;
   std::tie(stateNull, stateNonNull) = assumeZero(C, state, l, S->getType());
 
   if (stateNull && !stateNonNull) {
     if (!Filter.CheckCStringNullArg)
-      return NULL;
+      return nullptr;
 
     ExplodedNode *N = C.generateSink(stateNull);
     if (!N)
-      return NULL;
+      return nullptr;
 
     if (!BT_Null)
       BT_Null.reset(new BuiltinBug(
@@ -250,7 +250,7 @@ ProgramStateRef CStringChecker::checkNonNull(CheckerContext &C,
     report->addRange(S->getSourceRange());
     bugreporter::trackNullOrUndefValue(N, S, *report);
     C.emitReport(report);
-    return NULL;
+    return nullptr;
   }
 
   // From here on, assume that the value is non-null.
@@ -265,7 +265,7 @@ ProgramStateRef CStringChecker::CheckLocation(CheckerContext &C,
                                              const char *warningMsg) const {
   // If a previous check has failed, propagate the failure.
   if (!state)
-    return NULL;
+    return nullptr;
 
   // Check for out of bound array element access.
   const MemRegion *R = l.getAsRegion();
@@ -294,7 +294,7 @@ ProgramStateRef CStringChecker::CheckLocation(CheckerContext &C,
   if (StOutBound && !StInBound) {
     ExplodedNode *N = C.generateSink(StOutBound);
     if (!N)
-      return NULL;
+      return nullptr;
 
     if (!BT_Bounds) {
       BT_Bounds.reset(new BuiltinBug(
@@ -325,7 +325,7 @@ ProgramStateRef CStringChecker::CheckLocation(CheckerContext &C,
 
     report->addRange(S->getSourceRange());
     C.emitReport(report);
-    return NULL;
+    return nullptr;
   }
   
   // Array bound check succeeded.  From this point forward the array bound
@@ -343,7 +343,7 @@ ProgramStateRef CStringChecker::CheckBufferAccess(CheckerContext &C,
                                                  bool WarnAboutSize) const {
   // If a previous check has failed, propagate the failure.
   if (!state)
-    return NULL;
+    return nullptr;
 
   SValBuilder &svalBuilder = C.getSValBuilder();
   ASTContext &Ctx = svalBuilder.getContext();
@@ -356,7 +356,7 @@ ProgramStateRef CStringChecker::CheckBufferAccess(CheckerContext &C,
   SVal BufVal = state->getSVal(FirstBuf, LCtx);
   state = checkNonNull(C, state, FirstBuf, BufVal);
   if (!state)
-    return NULL;
+    return nullptr;
 
   // If out-of-bounds checking is turned off, skip the rest.
   if (!Filter.CheckCStringOutOfBounds)
@@ -386,7 +386,7 @@ ProgramStateRef CStringChecker::CheckBufferAccess(CheckerContext &C,
 
     // If the buffer isn't large enough, abort.
     if (!state)
-      return NULL;
+      return nullptr;
   }
 
   // If there's a second buffer, check it as well.
@@ -394,7 +394,7 @@ ProgramStateRef CStringChecker::CheckBufferAccess(CheckerContext &C,
     BufVal = state->getSVal(SecondBuf, LCtx);
     state = checkNonNull(C, state, SecondBuf, BufVal);
     if (!state)
-      return NULL;
+      return nullptr;
 
     BufStart = svalBuilder.evalCast(BufVal, PtrTy, SecondBuf->getType());
     if (Optional<Loc> BufLoc = BufStart.getAs<Loc>()) {
@@ -424,7 +424,7 @@ ProgramStateRef CStringChecker::CheckOverlap(CheckerContext &C,
 
   // If a previous check has failed, propagate the failure.
   if (!state)
-    return NULL;
+    return nullptr;
 
   ProgramStateRef stateTrue, stateFalse;
 
@@ -449,7 +449,7 @@ ProgramStateRef CStringChecker::CheckOverlap(CheckerContext &C,
   if (stateTrue && !stateFalse) {
     // If the values are known to be equal, that's automatically an overlap.
     emitOverlapBug(C, stateTrue, First, Second);
-    return NULL;
+    return nullptr;
   }
 
   // assume the two expressions are not equal.
@@ -515,7 +515,7 @@ ProgramStateRef CStringChecker::CheckOverlap(CheckerContext &C,
   if (stateTrue && !stateFalse) {
     // Overlap!
     emitOverlapBug(C, stateTrue, First, Second);
-    return NULL;
+    return nullptr;
   }
 
   // assume the two expressions don't overlap.
@@ -553,7 +553,7 @@ ProgramStateRef CStringChecker::checkAdditionOverflow(CheckerContext &C,
 
   // If a previous check has failed, propagate the failure.
   if (!state)
-    return NULL;
+    return nullptr;
 
   SValBuilder &svalBuilder = C.getSValBuilder();
   BasicValueFactory &BVF = svalBuilder.getBasicValueFactory();
@@ -588,7 +588,7 @@ ProgramStateRef CStringChecker::checkAdditionOverflow(CheckerContext &C,
       // We have an overflow. Emit a bug report.
       ExplodedNode *N = C.generateSink(stateOverflow);
       if (!N)
-        return NULL;
+        return nullptr;
 
       if (!BT_AdditionOverflow)
         BT_AdditionOverflow.reset(
@@ -606,7 +606,7 @@ ProgramStateRef CStringChecker::checkAdditionOverflow(CheckerContext &C,
       BugReport *report = new BugReport(*BT_AdditionOverflow, warning, N);
       C.emitReport(report);        
 
-      return NULL;
+      return nullptr;
     }
 
     // From now on, assume an overflow didn't occur.
@@ -802,7 +802,7 @@ const StringLiteral *CStringChecker::getCStringLiteral(CheckerContext &C,
   // Get the memory region pointed to by the val.
   const MemRegion *bufRegion = val.getAsRegion();
   if (!bufRegion)
-    return NULL; 
+    return nullptr;
 
   // Strip casts off the memory region.
   bufRegion = bufRegion->StripCasts();
@@ -810,7 +810,7 @@ const StringLiteral *CStringChecker::getCStringLiteral(CheckerContext &C,
   // Cast the memory region to a string region.
   const StringRegion *strRegion= dyn_cast<StringRegion>(bufRegion);
   if (!strRegion)
-    return NULL; 
+    return nullptr;
 
   // Return the actual string in the string region.
   return strRegion->getStringLiteral();
@@ -852,7 +852,8 @@ ProgramStateRef CStringChecker::InvalidateBuffer(CheckerContext &C,
     }
 
     return state->invalidateRegions(R, E, C.blockCount(), LCtx, 
-                                    CausesPointerEscape, 0, 0, &ITraits);
+                                    CausesPointerEscape, nullptr, nullptr,
+                                    &ITraits);
   }
 
   // If we have a non-region value by chance, just remove the binding.
@@ -953,7 +954,7 @@ void CStringChecker::evalCopyCommon(CheckerContext &C,
     const char * const writeWarning =
       "Memory copy function overflows destination buffer";
     state = CheckBufferAccess(C, state, Size, Dest, Source,
-                              writeWarning, /* sourceWarning = */ NULL);
+                              writeWarning, /* sourceWarning = */ nullptr);
     if (Restricted)
       state = CheckOverlap(C, state, Size, Dest, Source);
 
@@ -978,7 +979,7 @@ void CStringChecker::evalCopyCommon(CheckerContext &C,
       } else {
         // If we don't know how much we copied, we can at least
         // conjure a return value for later.
-        SVal result = C.getSValBuilder().conjureSymbolVal(0, CE, LCtx,
+        SVal result = C.getSValBuilder().conjureSymbolVal(nullptr, CE, LCtx,
                                                           C.blockCount());
         state = state->BindExpr(CE, LCtx, result);
       }
@@ -1120,7 +1121,8 @@ void CStringChecker::evalMemcmp(CheckerContext &C, const CallExpr *CE) const {
       state = CheckBufferAccess(C, state, Size, Left, Right);
       if (state) {
         // The return value is the comparison result, which we don't know.
-        SVal CmpV = svalBuilder.conjureSymbolVal(0, CE, LCtx, C.blockCount());
+        SVal CmpV = svalBuilder.conjureSymbolVal(nullptr, CE, LCtx,
+                                                 C.blockCount());
         state = state->BindExpr(CE, LCtx, CmpV);
         C.addTransition(state);
       }
@@ -1230,7 +1232,8 @@ void CStringChecker::evalstrLengthCommon(CheckerContext &C, const CallExpr *CE,
       // no guarantee the full string length will actually be returned.
       // All we know is the return value is the min of the string length
       // and the limit. This is better than nothing.
-      result = C.getSValBuilder().conjureSymbolVal(0, CE, LCtx, C.blockCount());
+      result = C.getSValBuilder().conjureSymbolVal(nullptr, CE, LCtx,
+                                                   C.blockCount());
       NonLoc resultNL = result.castAs<NonLoc>();
 
       if (strLengthNL) {
@@ -1253,7 +1256,8 @@ void CStringChecker::evalstrLengthCommon(CheckerContext &C, const CallExpr *CE,
     // If we don't know the length of the string, conjure a return
     // value, so it can be used in constraints, at least.
     if (result.isUnknown()) {
-      result = C.getSValBuilder().conjureSymbolVal(0, CE, LCtx, C.blockCount());
+      result = C.getSValBuilder().conjureSymbolVal(nullptr, CE, LCtx,
+                                                   C.blockCount());
     }
   }
 
@@ -1356,7 +1360,7 @@ void CStringChecker::evalStrcpyCommon(CheckerContext &C, const CallExpr *CE,
   // - potential overflows caused by a bound that could exceed the destination
   SVal amountCopied = UnknownVal();
   SVal maxLastElementIndex = UnknownVal();
-  const char *boundWarning = NULL;
+  const char *boundWarning = nullptr;
 
   // If the function is strncpy, strncat, etc... it is bounded.
   if (isBounded) {
@@ -1636,7 +1640,7 @@ void CStringChecker::evalStrcpyCommon(CheckerContext &C, const CallExpr *CE,
   // If this is a stpcpy-style copy, but we were unable to check for a buffer
   // overflow, we still need a result. Conjure a return value.
   if (returnEnd && Result.isUnknown()) {
-    Result = svalBuilder.conjureSymbolVal(0, CE, LCtx, C.blockCount());
+    Result = svalBuilder.conjureSymbolVal(nullptr, CE, LCtx, C.blockCount());
   }
 
   // Set the return value.
@@ -1793,7 +1797,8 @@ void CStringChecker::evalStrcmpCommon(CheckerContext &C, const CallExpr *CE,
 
   if (!canComputeResult) {
     // Conjure a symbolic value. It's the best we can do.
-    SVal resultVal = svalBuilder.conjureSymbolVal(0, CE, LCtx, C.blockCount());
+    SVal resultVal = svalBuilder.conjureSymbolVal(nullptr, CE, LCtx,
+                                                  C.blockCount());
     state = state->BindExpr(CE, LCtx, resultVal);
   }
 
@@ -1850,7 +1855,7 @@ void CStringChecker::evalStrsep(CheckerContext &C, const CallExpr *CE) const {
   } else {
     assert(SearchStrVal.isUnknown());
     // Conjure a symbolic value. It's the best we can do.
-    Result = SVB.conjureSymbolVal(0, CE, LCtx, C.blockCount());
+    Result = SVB.conjureSymbolVal(nullptr, CE, LCtx, C.blockCount());
   }
 
   // Set the return value, and finish.
@@ -1870,7 +1875,7 @@ bool CStringChecker::evalCall(const CallExpr *CE, CheckerContext &C) const {
     return false;
 
   // FIXME: Poorly-factored string switches are slow.
-  FnCheck evalFunction = 0;
+  FnCheck evalFunction = nullptr;
   if (C.isCLibraryFunction(FDecl, "memcpy"))
     evalFunction =  &CStringChecker::evalMemcpy;
   else if (C.isCLibraryFunction(FDecl, "mempcpy"))
@@ -1914,7 +1919,7 @@ bool CStringChecker::evalCall(const CallExpr *CE, CheckerContext &C) const {
 
   // Make sure each function sets its own description.
   // (But don't bother in a release build.)
-  assert(!(CurrentFunctionDescription = NULL));
+  assert(!(CurrentFunctionDescription = nullptr));
 
   // Check and evaluate the call.
   (this->*evalFunction)(C, CE);

lib/StaticAnalyzer/Checkers/CallAndMessageChecker.cpp

@@ -419,7 +419,7 @@ void CallAndMessageChecker::checkPreCall(const CallEvent &Call,
     BT = &BT_call_arg;
 
   for (unsigned i = 0, e = Call.getNumArgs(); i != e; ++i) {
-    const ParmVarDecl *ParamDecl = NULL;
+    const ParmVarDecl *ParamDecl = nullptr;
     if(FD && i < FD->getNumParams())
       ParamDecl = FD->getParamDecl(i);
     if (PreVisitProcessArg(C, Call.getArgSVal(i), Call.getArgSourceRange(i),
@@ -437,7 +437,7 @@ void CallAndMessageChecker::checkPreObjCMessage(const ObjCMethodCall &msg,
   SVal recVal = msg.getReceiverSVal();
   if (recVal.isUndef()) {
     if (ExplodedNode *N = C.generateSink()) {
-      BugType *BT = 0;
+      BugType *BT = nullptr;
       switch (msg.getMessageKind()) {
       case OCM_Message:
         if (!BT_msg_undef)
@@ -560,7 +560,7 @@ void CallAndMessageChecker::HandleNilReceiver(CheckerContext &C,
             Ctx.LongDoubleTy == CanRetTy ||
             Ctx.LongLongTy == CanRetTy ||
             Ctx.UnsignedLongLongTy == CanRetTy)))) {
-      if (ExplodedNode *N = C.generateSink(state, 0 , &Tag))
+      if (ExplodedNode *N = C.generateSink(state, nullptr, &Tag))
         emitNilReceiverBug(C, Msg, N);
       return;
     }

lib/StaticAnalyzer/Checkers/CastSizeChecker.cpp

@@ -55,7 +55,7 @@ static bool evenFlexibleArraySize(ASTContext &Ctx, CharUnits RegionSize,
   const RecordDecl *RD = RT->getDecl();
   RecordDecl::field_iterator Iter(RD->field_begin());
   RecordDecl::field_iterator End(RD->field_end());
-  const FieldDecl *Last = 0;
+  const FieldDecl *Last = nullptr;
   for (; Iter != End; ++Iter)
     Last = *Iter;
   assert(Last && "empty structs should already be handled");
@@ -105,11 +105,11 @@ void CastSizeChecker::checkPreStmt(const CastExpr *CE,CheckerContext &C) const {
 
   ProgramStateRef state = C.getState();
   const MemRegion *R = state->getSVal(E, C.getLocationContext()).getAsRegion();
-  if (R == 0)
+  if (!R)
     return;
 
   const SymbolicRegion *SR = dyn_cast<SymbolicRegion>(R);
-  if (SR == 0)
+  if (!SR)
     return;
 
   SValBuilder &svalBuilder = C.getSValBuilder();

lib/StaticAnalyzer/Checkers/CheckObjCDealloc.cpp

@@ -153,7 +153,7 @@ static void checkObjCDealloc(const CheckerBase *Checker,
   // Get the "dealloc" selector.
   IdentifierInfo* II = &Ctx.Idents.get("dealloc");
   Selector S = Ctx.Selectors.getSelector(0, &II);
-  const ObjCMethodDecl *MD = 0;
+  const ObjCMethodDecl *MD = nullptr;
 
   // Scan the instance methods for "dealloc".
   for (const auto *I : D->instance_methods()) {
@@ -233,7 +233,7 @@ static void checkObjCDealloc(const CheckerBase *Checker,
     bool requiresRelease = PD->getSetterKind() != ObjCPropertyDecl::Assign;
     if (scan_ivar_release(MD->getBody(), ID, PD, RS, SelfII, Ctx)
        != requiresRelease) {
-      const char *name = 0;
+      const char *name = nullptr;
       std::string buf;
       llvm::raw_string_ostream os(buf);
 

lib/StaticAnalyzer/Checkers/CheckObjCInstMethSignature.cpp

@@ -106,12 +106,12 @@ static void CheckObjCInstMethSignature(const ObjCImplementationDecl *ID,
 
       MapTy::iterator MI = IMeths.find(S);
 
-      if (MI == IMeths.end() || MI->second == 0)
+      if (MI == IMeths.end() || MI->second == nullptr)
         continue;
 
       --NumMethods;
       ObjCMethodDecl *MethDerived = MI->second;
-      MI->second = 0;
+      MI->second = nullptr;
 
       CompareReturnTypes(MethDerived, M, BR, Ctx, ID, Checker);
     }

lib/StaticAnalyzer/Checkers/CheckSecuritySyntaxOnly.cpp

@@ -149,7 +149,7 @@ void WalkAST::VisitCallExpr(CallExpr *CE) {
     .Case("rand_r", &WalkAST::checkCall_rand)
     .Case("random", &WalkAST::checkCall_random)
     .Case("vfork", &WalkAST::checkCall_vfork)
-    .Default(NULL);
+    .Default(nullptr);
 
   // If the callee isn't defined, it is not of security concern.
   // Check and evaluate the call.
@@ -189,7 +189,7 @@ getIncrementedVar(const Expr *expr, const VarDecl *x, const VarDecl *y) {
   if (const BinaryOperator *B = dyn_cast<BinaryOperator>(expr)) {
     if (!(B->isAssignmentOp() || B->isCompoundAssignmentOp() ||
           B->getOpcode() == BO_Comma))
-      return NULL;
+      return nullptr;
 
     if (const DeclRefExpr *lhs = getIncrementedVar(B->getLHS(), x, y))
       return lhs;
@@ -197,19 +197,19 @@ getIncrementedVar(const Expr *expr, const VarDecl *x, const VarDecl *y) {
     if (const DeclRefExpr *rhs = getIncrementedVar(B->getRHS(), x, y))
       return rhs;
 
-    return NULL;
+    return nullptr;
   }
 
   if (const DeclRefExpr *DR = dyn_cast<DeclRefExpr>(expr)) {
     const NamedDecl *ND = DR->getDecl();
-    return ND == x || ND == y ? DR : NULL;
+    return ND == x || ND == y ? DR : nullptr;
   }
 
   if (const UnaryOperator *U = dyn_cast<UnaryOperator>(expr))
     return U->isIncrementDecrementOp()
-      ? getIncrementedVar(U->getSubExpr(), x, y) : NULL;
+      ? getIncrementedVar(U->getSubExpr(), x, y) : nullptr;
 
-  return NULL;
+  return nullptr;
 }
 
 /// CheckLoopConditionForFloat - This check looks for 'for' statements that
@@ -253,14 +253,14 @@ void WalkAST::checkLoopConditionForFloat(const ForStmt *FS) {
     dyn_cast<DeclRefExpr>(B->getRHS()->IgnoreParenLValueCasts());
 
   // Does at least one of the variables have a floating point type?
-  drLHS = drLHS && drLHS->getType()->isRealFloatingType() ? drLHS : NULL;
-  drRHS = drRHS && drRHS->getType()->isRealFloatingType() ? drRHS : NULL;
+  drLHS = drLHS && drLHS->getType()->isRealFloatingType() ? drLHS : nullptr;
+  drRHS = drRHS && drRHS->getType()->isRealFloatingType() ? drRHS : nullptr;
 
   if (!drLHS && !drRHS)
     return;
 
-  const VarDecl *vdLHS = drLHS ? dyn_cast<VarDecl>(drLHS->getDecl()) : NULL;
-  const VarDecl *vdRHS = drRHS ? dyn_cast<VarDecl>(drRHS->getDecl()) : NULL;
+  const VarDecl *vdLHS = drLHS ? dyn_cast<VarDecl>(drLHS->getDecl()) : nullptr;
+  const VarDecl *vdRHS = drRHS ? dyn_cast<VarDecl>(drRHS->getDecl()) : nullptr;
 
   if (!vdLHS && !vdRHS)
     return;
@@ -688,7 +688,7 @@ void WalkAST::checkUncheckedReturnValue(CallExpr *CE) {
   if (!FD)
     return;
 
-  if (II_setid[0] == NULL) {
+  if (II_setid[0] == nullptr) {
     static const char * const identifiers[num_setids] = {
       "setuid", "setgid", "seteuid", "setegid",
       "setreuid", "setregid"

lib/StaticAnalyzer/Checkers/ChrootChecker.cpp

@@ -44,8 +44,8 @@ class ChrootChecker : public Checker<eval::Call, check::PreStmt<CallExpr> > {
   mutable std::unique_ptr<BuiltinBug> BT_BreakJail;
 
 public:
-  ChrootChecker() : II_chroot(0), II_chdir(0) {}
-  
+  ChrootChecker() : II_chroot(nullptr), II_chdir(nullptr) {}
+
   static void *getTag() {
     static int x;
     return &x;

lib/StaticAnalyzer/Checkers/DeadStoresChecker.cpp

@@ -140,7 +140,7 @@ public:
                ParentMap &parents,
                llvm::SmallPtrSet<const VarDecl *, 20> &escaped)
       : cfg(cfg), Ctx(ctx), BR(br), Checker(checker), AC(ac), Parents(parents),
-        Escaped(escaped), currentBlock(0) {}
+        Escaped(escaped), currentBlock(nullptr) {}
 
   virtual ~DeadStoreObs() {}
 
@@ -178,7 +178,7 @@ public:
 
     SmallString<64> buf;
     llvm::raw_svector_ostream os(buf);
-    const char *BugType = 0;
+    const char *BugType = nullptr;
 
     switch (dsk) {
       case DeadInit:

lib/StaticAnalyzer/Checkers/DynamicTypePropagation.cpp

@@ -223,7 +223,7 @@ DynamicTypePropagation::getObjectTypeForAllocAndNew(const ObjCMessageExpr *MsgE,
 
   const Expr *RecE = MsgE->getInstanceReceiver();
   if (!RecE)
-    return 0;
+    return nullptr;
 
   RecE= RecE->IgnoreParenImpCasts();
   if (const DeclRefExpr *DRE = dyn_cast<DeclRefExpr>(RecE)) {
@@ -237,7 +237,7 @@ DynamicTypePropagation::getObjectTypeForAllocAndNew(const ObjCMessageExpr *MsgE,
           return ObjTy;
     }
   }
-  return 0;
+  return nullptr;
 }
 
 // Return a better dynamic type if one can be derived from the cast.
@@ -253,7 +253,7 @@ DynamicTypePropagation::getBetterObjCType(const Expr *CastE,
   const ObjCObjectPointerType *NewTy =
       CastE->getType()->getAs<ObjCObjectPointerType>();
   if (!NewTy)
-    return 0;
+    return nullptr;
   QualType OldDTy = C.getState()->getDynamicTypeInfo(ToR).getType();
   if (OldDTy.isNull()) {
     return NewTy;
@@ -261,7 +261,7 @@ DynamicTypePropagation::getBetterObjCType(const Expr *CastE,
   const ObjCObjectPointerType *OldTy =
     OldDTy->getAs<ObjCObjectPointerType>();
   if (!OldTy)
-    return 0;
+    return nullptr;
 
   // Id the old type is 'id', the new one is more precise.
   if (OldTy->isObjCIdType() && !NewTy->isObjCIdType())
@@ -273,7 +273,7 @@ DynamicTypePropagation::getBetterObjCType(const Expr *CastE,
   if (ToI && FromI && FromI->isSuperClassOf(ToI))
     return NewTy;
 
-  return 0;
+  return nullptr;
 }
 
 void ento::registerDynamicTypePropagation(CheckerManager &mgr) {

lib/StaticAnalyzer/Checkers/ExprInspectionChecker.cpp

@@ -43,7 +43,7 @@ bool ExprInspectionChecker::evalCall(const CallExpr *CE,
           &ExprInspectionChecker::analyzerCheckInlined)
     .Case("clang_analyzer_crash", &ExprInspectionChecker::analyzerCrash)
     .Case("clang_analyzer_warnIfReached", &ExprInspectionChecker::analyzerWarnIfReached)
-    .Default(0);
+    .Default(nullptr);
 
   if (!Handler)
     return false;
@@ -91,7 +91,7 @@ void ExprInspectionChecker::analyzerEval(const CallExpr *CE,
 
   // A specific instantiation of an inlined function may have more constrained
   // values than can generally be assumed. Skip the check.
-  if (LC->getCurrentStackFrame()->getParent() != 0)
+  if (LC->getCurrentStackFrame()->getParent() != nullptr)
     return;
 
   if (!BT)
@@ -122,7 +122,7 @@ void ExprInspectionChecker::analyzerCheckInlined(const CallExpr *CE,
   // when we are analyzing it as an inlined function. This means that
   // clang_analyzer_checkInlined(true) should always print TRUE, but
   // clang_analyzer_checkInlined(false) should never actually print anything.
-  if (LC->getCurrentStackFrame()->getParent() == 0)
+  if (LC->getCurrentStackFrame()->getParent() == nullptr)
     return;
 
   if (!BT)

lib/StaticAnalyzer/Checkers/GenericTaintChecker.cpp

@@ -291,7 +291,7 @@ void GenericTaintChecker::checkPostStmt(const CallExpr *CE,
 
 void GenericTaintChecker::addSourcesPre(const CallExpr *CE,
                                         CheckerContext &C) const {
-  ProgramStateRef State = 0;
+  ProgramStateRef State = nullptr;
   const FunctionDecl *FDecl = C.getCalleeDecl(CE);
   if (!FDecl || FDecl->getKind() != Decl::Function)
     return;
@@ -314,7 +314,7 @@ void GenericTaintChecker::addSourcesPre(const CallExpr *CE,
   // Otherwise, check if we have custom pre-processing implemented.
   FnCheck evalFunction = llvm::StringSwitch<FnCheck>(Name)
     .Case("fscanf", &GenericTaintChecker::preFscanf)
-    .Default(0);
+    .Default(nullptr);
   // Check and evaluate the call.
   if (evalFunction)
     State = (this->*evalFunction)(CE, C);
@@ -388,11 +388,11 @@ void GenericTaintChecker::addSourcesPost(const CallExpr *CE,
     .Case("getch", &GenericTaintChecker::postRetTaint)
     .Case("wgetch", &GenericTaintChecker::postRetTaint)
     .Case("socket", &GenericTaintChecker::postSocket)
-    .Default(0);
+    .Default(nullptr);
 
   // If the callee isn't defined, it is not of security concern.
   // Check and evaluate the call.
-  ProgramStateRef State = 0;
+  ProgramStateRef State = nullptr;
   if (evalFunction)
     State = (this->*evalFunction)(CE, C);
   if (!State)
@@ -428,11 +428,11 @@ SymbolRef GenericTaintChecker::getPointedToSymbol(CheckerContext &C,
   ProgramStateRef State = C.getState();
   SVal AddrVal = State->getSVal(Arg->IgnoreParens(), C.getLocationContext());
   if (AddrVal.isUnknownOrUndef())
-    return 0;
+    return nullptr;
 
   Optional<Loc> AddrLoc = AddrVal.getAs<Loc>();
   if (!AddrLoc)
-    return 0;
+    return nullptr;
 
   const PointerType *ArgTy =
     dyn_cast<PointerType>(Arg->getType().getCanonicalType().getTypePtr());
@@ -526,7 +526,7 @@ ProgramStateRef GenericTaintChecker::preFscanf(const CallExpr *CE,
     return State;
   }
 
-  return 0;
+  return nullptr;
 }
 
 

lib/StaticAnalyzer/Checkers/IvarInvalidationChecker.cpp

@@ -157,7 +157,7 @@ class IvarInvalidationCheckerImpl {
       PropertySetterToIvarMap(InPropertySetterToIvarMap),
       PropertyGetterToIvarMap(InPropertyGetterToIvarMap),
       PropertyToIvarMap(InPropertyToIvarMap),
-      InvalidationMethod(0),
+      InvalidationMethod(nullptr),
       Ctx(InCtx) {}
 
     void VisitStmt(const Stmt *S) { VisitChildren(S); }
@@ -306,7 +306,7 @@ const ObjCIvarDecl *IvarInvalidationCheckerImpl::findPropertyBackingIvar(
                         const ObjCInterfaceDecl *InterfaceD,
                         IvarSet &TrackedIvars,
                         const ObjCIvarDecl **FirstIvarDecl) {
-  const ObjCIvarDecl *IvarD = 0;
+  const ObjCIvarDecl *IvarD = nullptr;
 
   // Lookup for the synthesized case.
   IvarD = Prop->getPropertyIvarDecl();
@@ -343,7 +343,7 @@ const ObjCIvarDecl *IvarInvalidationCheckerImpl::findPropertyBackingIvar(
   // Note, this is a possible source of false positives. We could look at the
   // getter implementation to find the ivar when its name is not derived from
   // the property name.
-  return 0;
+  return nullptr;
 }
 
 void IvarInvalidationCheckerImpl::printIvar(llvm::raw_svector_ostream &os,
@@ -367,7 +367,7 @@ visit(const ObjCImplementationDecl *ImplD) const {
   // Record the first Ivar needing invalidation; used in reporting when only
   // one ivar is sufficient. Cannot grab the first on the Ivars set to ensure
   // deterministic output.
-  const ObjCIvarDecl *FirstIvarDecl = 0;
+  const ObjCIvarDecl *FirstIvarDecl = nullptr;
   const ObjCInterfaceDecl *InterfaceD = ImplD->getClassInterface();
 
   // Collect ivars declared in this class, its extensions and its implementation
@@ -518,7 +518,7 @@ visit(const ObjCImplementationDecl *ImplD) const {
       // invalidation methods.
       for (IvarSet::const_iterator
            I = Ivars.begin(), E = Ivars.end(); I != E; ++I)
-        reportIvarNeedsInvalidation(I->first, IvarToPopertyMap, 0);
+        reportIvarNeedsInvalidation(I->first, IvarToPopertyMap, nullptr);
     } else {
       // Otherwise, no invalidation methods were implemented.
       reportNoInvalidationMethod(Filter.checkName_InstanceVariableInvalidation,
@@ -717,7 +717,7 @@ void IvarInvalidationCheckerImpl::MethodCrawler::VisitObjCMessageExpr(
   if (Receiver) {
     InvalidationMethod = MD;
     check(Receiver->IgnoreParenCasts());
-    InvalidationMethod = 0;
+    InvalidationMethod = nullptr;
   }
 
   VisitStmt(ME);

lib/StaticAnalyzer/Checkers/MacOSKeychainAPIChecker.cpp

@@ -224,7 +224,7 @@ static SymbolRef getAsPointeeSymbol(const Expr *Expr,
     if (sym)
       return sym;
   }
-  return 0;
+  return nullptr;
 }
 
 // When checking for error code, we need to consider the following cases:
@@ -458,7 +458,7 @@ void MacOSKeychainAPIChecker::checkPostStmt(const CallExpr *CE,
   // If the argument entered as an enclosing function parameter, skip it to
   // avoid false positives.
   if (isEnclosingFunctionParam(ArgExpr) &&
-      C.getLocationContext()->getParent() == 0)
+      C.getLocationContext()->getParent() == nullptr)
     return;
 
   if (SymbolRef V = getAsPointeeSymbol(ArgExpr, C)) {
@@ -503,7 +503,7 @@ MacOSKeychainAPIChecker::getAllocationNode(const ExplodedNode *N,
     // symbol was tracked.
     if (N->getLocationContext() == LeakContext)
       AllocNode = N;
-    N = N->pred_empty() ? NULL : *(N->pred_begin());
+    N = N->pred_empty() ? nullptr : *(N->pred_begin());
   }
 
   return AllocNode;
@@ -525,7 +525,7 @@ BugReport *MacOSKeychainAPIChecker::
   // allocated, and only report a single path.
   PathDiagnosticLocation LocUsedForUniqueing;
   const ExplodedNode *AllocNode = getAllocationNode(N, AP.first, C);
-  const Stmt *AllocStmt = 0;
+  const Stmt *AllocStmt = nullptr;
   ProgramPoint P = AllocNode->getLocation();
   if (Optional<CallExitEnd> Exit = P.getAs<CallExitEnd>())
     AllocStmt = Exit->getCalleeContext()->getCallSite();
@@ -596,10 +596,10 @@ PathDiagnosticPiece *MacOSKeychainAPIChecker::SecKeychainBugVisitor::VisitNode(
                                                       BugReport &BR) {
   const AllocationState *AS = N->getState()->get<AllocatedData>(Sym);
   if (!AS)
-    return 0;
+    return nullptr;
   const AllocationState *ASPrev = PrevN->getState()->get<AllocatedData>(Sym);
   if (ASPrev)
-    return 0;
+    return nullptr;
 
   // (!ASPrev && AS) ~ We started tracking symbol in node N, it must be the
   // allocation site.

lib/StaticAnalyzer/Checkers/MacOSXAPIChecker.cpp

@@ -113,7 +113,7 @@ void MacOSXAPIChecker::checkPreStmt(const CallExpr *CE,
              "_dispatch_once",
              "dispatch_once_f",
              &MacOSXAPIChecker::CheckDispatchOnce)
-      .Default(NULL);
+      .Default(nullptr);
 
   if (SC)
     (this->*SC)(C, CE, Name);

lib/StaticAnalyzer/Checkers/MallocChecker.cpp

@@ -157,9 +157,10 @@ class MallocChecker : public Checker<check::DeadSymbols,
                                      eval::Assume>
 {
 public:
-  MallocChecker() : II_malloc(0), II_free(0), II_realloc(0), II_calloc(0),
-                    II_valloc(0), II_reallocf(0), II_strndup(0), II_strdup(0),
-                    II_kmalloc(0) {}
+  MallocChecker()
+      : II_malloc(nullptr), II_free(nullptr), II_realloc(nullptr),
+        II_calloc(nullptr), II_valloc(nullptr), II_reallocf(nullptr),
+        II_strndup(nullptr), II_strdup(nullptr), II_kmalloc(nullptr) {}
 
   /// In pessimistic mode, the checker assumes that it does not know which
   /// functions might free the memory.
@@ -332,7 +333,7 @@ private:
                                SymbolRef Sym, bool OwnershipTransferred) const;
   void ReportOffsetFree(CheckerContext &C, SVal ArgVal, SourceRange Range, 
                         const Expr *DeallocExpr, 
-                        const Expr *AllocExpr = 0) const;
+                        const Expr *AllocExpr = nullptr) const;
   void ReportUseAfterFree(CheckerContext &C, SourceRange Range,
                           SymbolRef Sym) const;
   void ReportDoubleFree(CheckerContext &C, SourceRange Range, bool Released,
@@ -370,7 +371,7 @@ private:
 
   public:
     MallocBugVisitor(SymbolRef S, bool isLeak = false)
-       : Sym(S), Mode(Normal), FailedReallocSymbol(0), IsLeak(isLeak) {}
+       : Sym(S), Mode(Normal), FailedReallocSymbol(nullptr), IsLeak(isLeak) {}
 
     virtual ~MallocBugVisitor() {}
 
@@ -422,7 +423,7 @@ private:
                                     const ExplodedNode *EndPathNode,
                                     BugReport &BR) override {
       if (!IsLeak)
-        return 0;
+        return nullptr;
 
       PathDiagnosticLocation L =
         PathDiagnosticLocation::createEndOfPath(EndPathNode,
@@ -843,7 +844,7 @@ ProgramStateRef
 MallocChecker::MallocMemReturnsAttr(CheckerContext &C, const CallExpr *CE,
                                     const OwnershipAttr *Att) const {
   if (Att->getModule() != II_malloc)
-    return 0;
+    return nullptr;
 
   OwnershipAttr::args_iterator I = Att->args_begin(), E = Att->args_end();
   if (I != E) {
@@ -870,7 +871,7 @@ ProgramStateRef MallocChecker::MallocMemAux(CheckerContext &C,
 
   // We expect the malloc functions to return a pointer.
   if (!RetVal.getAs<Loc>())
-    return 0;
+    return nullptr;
 
   // Fill the region with the initialization value.
   State = State->bindDefault(RetVal, Init);
@@ -879,7 +880,7 @@ ProgramStateRef MallocChecker::MallocMemAux(CheckerContext &C,
   const SymbolicRegion *R =
       dyn_cast_or_null<SymbolicRegion>(RetVal.getAsRegion());
   if (!R)
-    return 0;
+    return nullptr;
   if (Optional<DefinedOrUnknownSVal> DefinedSize =
           Size.getAs<DefinedOrUnknownSVal>()) {
     SValBuilder &svalBuilder = C.getSValBuilder();
@@ -903,7 +904,7 @@ ProgramStateRef MallocChecker::MallocUpdateRefState(CheckerContext &C,
 
   // We expect the malloc functions to return a pointer.
   if (!retVal.getAs<Loc>())
-    return 0;
+    return nullptr;
 
   SymbolRef Sym = retVal.getAsLocSymbol();
   assert(Sym);
@@ -916,7 +917,7 @@ ProgramStateRef MallocChecker::FreeMemAttr(CheckerContext &C,
                                            const CallExpr *CE,
                                            const OwnershipAttr *Att) const {
   if (Att->getModule() != II_malloc)
-    return 0;
+    return nullptr;
 
   ProgramStateRef State = C.getState();
   bool ReleasedAllocated = false;
@@ -939,7 +940,7 @@ ProgramStateRef MallocChecker::FreeMemAux(CheckerContext &C,
                                           bool &ReleasedAllocated,
                                           bool ReturnsNullOnFailure) const {
   if (CE->getNumArgs() < (Num + 1))
-    return 0;
+    return nullptr;
 
   return FreeMemAux(C, CE->getArg(Num), CE, state, Hold,
                     ReleasedAllocated, ReturnsNullOnFailure);
@@ -1071,23 +1072,23 @@ ProgramStateRef MallocChecker::FreeMemAux(CheckerContext &C,
 
   SVal ArgVal = State->getSVal(ArgExpr, C.getLocationContext());
   if (!ArgVal.getAs<DefinedOrUnknownSVal>())
-    return 0;
+    return nullptr;
   DefinedOrUnknownSVal location = ArgVal.castAs<DefinedOrUnknownSVal>();
 
   // Check for null dereferences.
   if (!location.getAs<Loc>())
-    return 0;
+    return nullptr;
 
   // The explicit NULL case, no operation is performed.
   ProgramStateRef notNullState, nullState;
   std::tie(notNullState, nullState) = State->assume(location);
   if (nullState && !notNullState)
-    return 0;
+    return nullptr;
 
   // Unknown values could easily be okay
   // Undefined values are handled elsewhere
   if (ArgVal.isUnknownOrUndef())
-    return 0;
+    return nullptr;
 
   const MemRegion *R = ArgVal.getAsRegion();
   
@@ -1095,7 +1096,7 @@ ProgramStateRef MallocChecker::FreeMemAux(CheckerContext &C,
   // Non-region locations (labels and fixed addresses) also shouldn't be freed.
   if (!R) {
     ReportBadFree(C, ArgVal, ArgExpr->getSourceRange(), ParentExpr);
-    return 0;
+    return nullptr;
   }
   
   R = R->StripCasts();
@@ -1103,7 +1104,7 @@ ProgramStateRef MallocChecker::FreeMemAux(CheckerContext &C,
   // Blocks might show up as heap data, but should not be free()d
   if (isa<BlockDataRegion>(R)) {
     ReportBadFree(C, ArgVal, ArgExpr->getSourceRange(), ParentExpr);
-    return 0;
+    return nullptr;
   }
   
   const MemSpaceRegion *MS = R->getMemorySpace();
@@ -1120,18 +1121,18 @@ ProgramStateRef MallocChecker::FreeMemAux(CheckerContext &C,
     // False negatives are better than false positives.
     
     ReportBadFree(C, ArgVal, ArgExpr->getSourceRange(), ParentExpr);
-    return 0;
+    return nullptr;
   }
 
   const SymbolicRegion *SrBase = dyn_cast<SymbolicRegion>(R->getBaseRegion());
   // Various cases could lead to non-symbol values here.
   // For now, ignore them.
   if (!SrBase)
-    return 0;
+    return nullptr;
 
   SymbolRef SymBase = SrBase->getSymbol();
   const RefState *RsBase = State->get<RegionState>(SymBase);
-  SymbolRef PreviousRetStatusSymbol = 0;
+  SymbolRef PreviousRetStatusSymbol = nullptr;
 
   if (RsBase) {
 
@@ -1140,7 +1141,7 @@ ProgramStateRef MallocChecker::FreeMemAux(CheckerContext &C,
         !didPreviousFreeFail(State, SymBase, PreviousRetStatusSymbol)) {
       ReportDoubleFree(C, ParentExpr->getSourceRange(), RsBase->isReleased(),
                        SymBase, PreviousRetStatusSymbol);
-      return 0;
+      return nullptr;
 
     // If the pointer is allocated or escaped, but we are now trying to free it,
     // check that the call to free is proper.
@@ -1152,7 +1153,7 @@ ProgramStateRef MallocChecker::FreeMemAux(CheckerContext &C,
       if (!DeallocMatchesAlloc) {
         ReportMismatchedDealloc(C, ArgExpr->getSourceRange(),
                                 ParentExpr, RsBase, SymBase, Hold);
-        return 0;
+        return nullptr;
       }
 
       // Check if the memory location being freed is the actual location
@@ -1164,12 +1165,12 @@ ProgramStateRef MallocChecker::FreeMemAux(CheckerContext &C,
         const Expr *AllocExpr = cast<Expr>(RsBase->getStmt());
         ReportOffsetFree(C, ArgVal, ArgExpr->getSourceRange(), ParentExpr, 
                          AllocExpr);
-        return 0;
+        return nullptr;
       }
     }
   }
 
-  ReleasedAllocated = (RsBase != 0) && RsBase->isAllocated();
+  ReleasedAllocated = (RsBase != nullptr) && RsBase->isAllocated();
 
   // Clean out the info on previous call to free return info.
   State = State->remove<FreeReturnValue>(SymBase);
@@ -1276,8 +1277,8 @@ bool MallocChecker::SummarizeRegion(raw_ostream &os,
       if (VR)
         VD = VR->getDecl();
       else
-        VD = NULL;
-      
+        VD = nullptr;
+
       if (VD)
         os << "the address of the local variable '" << VD->getName() << "'";
       else
@@ -1291,8 +1292,8 @@ bool MallocChecker::SummarizeRegion(raw_ostream &os,
       if (VR)
         VD = VR->getDecl();
       else
-        VD = NULL;
-      
+        VD = nullptr;
+
       if (VD)
         os << "the address of the parameter '" << VD->getName() << "'";
       else
@@ -1306,8 +1307,8 @@ bool MallocChecker::SummarizeRegion(raw_ostream &os,
       if (VR)
         VD = VR->getDecl();
       else
-        VD = NULL;
-      
+        VD = nullptr;
+
       if (VD) {
         if (VD->isStaticLocal())
           os << "the address of the static variable '" << VD->getName() << "'";
@@ -1444,7 +1445,7 @@ void MallocChecker::ReportOffsetFree(CheckerContext &C, SVal ArgVal,
     return;
 
   ExplodedNode *N = C.generateSink();
-  if (N == NULL)
+  if (!N)
     return;
 
   if (!BT_OffsetFree[*CheckKind])
@@ -1573,14 +1574,14 @@ ProgramStateRef MallocChecker::ReallocMem(CheckerContext &C,
                                           const CallExpr *CE,
                                           bool FreesOnFail) const {
   if (CE->getNumArgs() < 2)
-    return 0;
+    return nullptr;
 
   ProgramStateRef state = C.getState();
   const Expr *arg0Expr = CE->getArg(0);
   const LocationContext *LCtx = C.getLocationContext();
   SVal Arg0Val = state->getSVal(arg0Expr, LCtx);
   if (!Arg0Val.getAs<DefinedOrUnknownSVal>())
-    return 0;
+    return nullptr;
   DefinedOrUnknownSVal arg0Val = Arg0Val.castAs<DefinedOrUnknownSVal>();
 
   SValBuilder &svalBuilder = C.getSValBuilder();
@@ -1591,12 +1592,12 @@ ProgramStateRef MallocChecker::ReallocMem(CheckerContext &C,
   // Get the size argument. If there is no size arg then give up.
   const Expr *Arg1 = CE->getArg(1);
   if (!Arg1)
-    return 0;
+    return nullptr;
 
   // Get the value of the size argument.
   SVal Arg1ValG = state->getSVal(Arg1, LCtx);
   if (!Arg1ValG.getAs<DefinedOrUnknownSVal>())
-    return 0;
+    return nullptr;
   DefinedOrUnknownSVal Arg1Val = Arg1ValG.castAs<DefinedOrUnknownSVal>();
 
   // Compare the size argument to 0.
@@ -1622,7 +1623,7 @@ ProgramStateRef MallocChecker::ReallocMem(CheckerContext &C,
   }
 
   if (PrtIsNull && SizeIsZero)
-    return 0;
+    return nullptr;
 
   // Get the from and to pointer symbols as in toPtr = realloc(fromPtr, size).
   assert(!PrtIsNull);
@@ -1630,7 +1631,7 @@ ProgramStateRef MallocChecker::ReallocMem(CheckerContext &C,
   SVal RetVal = state->getSVal(CE, LCtx);
   SymbolRef ToPtr = RetVal.getAsSymbol();
   if (!FromPtr || !ToPtr)
-    return 0;
+    return nullptr;
 
   bool ReleasedAllocated = false;
 
@@ -1652,7 +1653,7 @@ ProgramStateRef MallocChecker::ReallocMem(CheckerContext &C,
     ProgramStateRef stateRealloc = MallocMemAux(C, CE, CE->getArg(1),
                                                 UnknownVal(), stateFree);
     if (!stateRealloc)
-      return 0;
+      return nullptr;
 
     ReallocPairKind Kind = RPToBeFreedAfterFailure;
     if (FreesOnFail)
@@ -1668,12 +1669,12 @@ ProgramStateRef MallocChecker::ReallocMem(CheckerContext &C,
     C.getSymbolManager().addSymbolDependency(ToPtr, FromPtr);
     return stateRealloc;
   }
-  return 0;
+  return nullptr;
 }
 
 ProgramStateRef MallocChecker::CallocMem(CheckerContext &C, const CallExpr *CE){
   if (CE->getNumArgs() < 2)
-    return 0;
+    return nullptr;
 
   ProgramStateRef state = C.getState();
   SValBuilder &svalBuilder = C.getSValBuilder();
@@ -1694,7 +1695,7 @@ MallocChecker::getAllocationSite(const ExplodedNode *N, SymbolRef Sym,
   // Walk the ExplodedGraph backwards and find the first node that referred to
   // the tracked symbol.
   const ExplodedNode *AllocNode = N;
-  const MemRegion *ReferenceRegion = 0;
+  const MemRegion *ReferenceRegion = nullptr;
 
   while (N) {
     ProgramStateRef State = N->getState();
@@ -1721,7 +1722,7 @@ MallocChecker::getAllocationSite(const ExplodedNode *N, SymbolRef Sym,
     // symbol was tracked.
     if (N->getLocationContext() == LeakContext)
       AllocNode = N;
-    N = N->pred_empty() ? NULL : *(N->pred_begin());
+    N = N->pred_empty() ? nullptr : *(N->pred_begin());
   }
 
   return LeakInfo(AllocNode, ReferenceRegion);
@@ -1764,12 +1765,12 @@ void MallocChecker::reportLeak(SymbolRef Sym, ExplodedNode *N,
   // With leaks, we want to unique them by the location where they were
   // allocated, and only report a single path.
   PathDiagnosticLocation LocUsedForUniqueing;
-  const ExplodedNode *AllocNode = 0;
-  const MemRegion *Region = 0;
+  const ExplodedNode *AllocNode = nullptr;
+  const MemRegion *Region = nullptr;
   std::tie(AllocNode, Region) = getAllocationSite(N, Sym, C);
   
   ProgramPoint P = AllocNode->getLocation();
-  const Stmt *AllocationStmt = 0;
+  const Stmt *AllocationStmt = nullptr;
   if (Optional<CallExitEnd> Exit = P.getAs<CallExitEnd>())
     AllocationStmt = Exit->getCalleeContext()->getCallSite();
   else if (Optional<StmtPoint> SP = P.getAs<StmtPoint>())
@@ -2039,8 +2040,8 @@ bool MallocChecker::mayFreeAnyEscapedMemoryOrIsModeledExplicitly(
                                               ProgramStateRef State,
                                               SymbolRef &EscapingSymbol) const {
   assert(Call);
-  EscapingSymbol = 0;
-  
+  EscapingSymbol = nullptr;
+
   // For now, assume that any C++ or block call can free memory.
   // TODO: If we want to be more optimistic here, we'll need to make sure that
   // regions escape to C++ containers. They seem to do that even now, but for
@@ -2216,7 +2217,7 @@ ProgramStateRef MallocChecker::checkPointerEscapeAux(ProgramStateRef State,
                                   bool(*CheckRefState)(const RefState*)) const {
   // If we know that the call does not free memory, or we want to process the
   // call later, keep tracking the top level arguments.
-  SymbolRef EscapingSymbol = 0;
+  SymbolRef EscapingSymbol = nullptr;
   if (Kind == PSK_DirectEscapeOnCall &&
       !mayFreeAnyEscapedMemoryOrIsModeledExplicitly(Call, State,
                                                     EscapingSymbol) &&
@@ -2254,7 +2255,7 @@ static SymbolRef findFailedReallocSymbol(ProgramStateRef currState,
       return sym;
   }
 
-  return NULL;
+  return nullptr;
 }
 
 PathDiagnosticPiece *
@@ -2268,11 +2269,11 @@ MallocChecker::MallocBugVisitor::VisitNode(const ExplodedNode *N,
   const RefState *RS = state->get<RegionState>(Sym);
   const RefState *RSPrev = statePrev->get<RegionState>(Sym);
   if (!RS)
-    return 0;
+    return nullptr;
 
-  const Stmt *S = 0;
-  const char *Msg = 0;
-  StackHintGeneratorForSymbol *StackHint = 0;
+  const Stmt *S = nullptr;
+  const char *Msg = nullptr;
+  StackHintGeneratorForSymbol *StackHint = nullptr;
 
   // Retrieve the associated statement.
   ProgramPoint ProgLoc = N->getLocation();
@@ -2287,7 +2288,7 @@ MallocChecker::MallocBugVisitor::VisitNode(const ExplodedNode *N,
   }
 
   if (!S)
-    return 0;
+    return nullptr;
 
   // FIXME: We will eventually need to handle non-statement-based events
   // (__attribute__((cleanup))).
@@ -2330,13 +2331,13 @@ MallocChecker::MallocBugVisitor::VisitNode(const ExplodedNode *N,
       Msg = "Attempt to reallocate memory";
       StackHint = new StackHintGeneratorForSymbol(Sym,
                                                  "Returned reallocated memory");
-      FailedReallocSymbol = NULL;
+      FailedReallocSymbol = nullptr;
       Mode = Normal;
     }
   }
 
   if (!Msg)
-    return 0;
+    return nullptr;
   assert(StackHint);
 
   // Generate the extra diagnostic.

lib/StaticAnalyzer/Checkers/MallocOverflowSecurityChecker.cpp

@@ -65,7 +65,7 @@ void MallocOverflowSecurityChecker::CheckMallocArgument(
    conditional expression, an operation that could reduce the range
    of the result, or anything too complicated :-).  */
   const Expr * e = TheArgument;
-  const BinaryOperator * mulop = NULL;
+  const BinaryOperator * mulop = nullptr;
 
   for (;;) {
     e = e->IgnoreParenImpCasts();
@@ -73,7 +73,7 @@ void MallocOverflowSecurityChecker::CheckMallocArgument(
       const BinaryOperator * binop = dyn_cast<BinaryOperator>(e);
       BinaryOperatorKind opc = binop->getOpcode();
       // TODO: ignore multiplications by 1, reject if multiplied by 0.
-      if (mulop == NULL && opc == BO_Mul)
+      if (mulop == nullptr && opc == BO_Mul)
         mulop = binop;
       if (opc != BO_Mul && opc != BO_Add && opc != BO_Sub && opc != BO_Shl)
         return;
@@ -94,7 +94,7 @@ void MallocOverflowSecurityChecker::CheckMallocArgument(
       return;
   }
 
-  if (mulop == NULL)
+  if (mulop == nullptr)
     return;
 
   //  We've found the right structure of malloc argument, now save

lib/StaticAnalyzer/Checkers/MallocSizeofChecker.cpp

@@ -95,7 +95,7 @@ public:
     if (FD) {
       IdentifierInfo *II = FD->getIdentifier();
       if (II == II_malloc || II == II_calloc || II == II_realloc)
-        return TypeCallPair((const TypeSourceInfo *)0, E);
+        return TypeCallPair((const TypeSourceInfo *)nullptr, E);
     }
     return TypeCallPair();
   }
@@ -205,7 +205,7 @@ public:
         if (compatibleWithArrayType(BR.getContext(), PointeeType, SizeofType))
           continue;
 
-        const TypeSourceInfo *TSI = 0;
+        const TypeSourceInfo *TSI = nullptr;
         if (i->CastedExprParent.is<const VarDecl *>()) {
           TSI =
               i->CastedExprParent.get<const VarDecl *>()->getTypeSourceInfo();

lib/StaticAnalyzer/Checkers/NSErrorChecker.cpp

@@ -42,7 +42,7 @@ class NSErrorMethodChecker
   mutable IdentifierInfo *II;
 
 public:
-  NSErrorMethodChecker() : II(0) { }
+  NSErrorMethodChecker() : II(nullptr) {}
 
   void checkASTDecl(const ObjCMethodDecl *D,
                     AnalysisManager &mgr, BugReporter &BR) const;
@@ -89,7 +89,7 @@ class CFErrorFunctionChecker
   mutable IdentifierInfo *II;
 
 public:
-  CFErrorFunctionChecker() : II(0) { }
+  CFErrorFunctionChecker() : II(nullptr) {}
 
   void checkASTDecl(const FunctionDecl *D,
                     AnalysisManager &mgr, BugReporter &BR) const;
@@ -157,7 +157,7 @@ class NSOrCFErrorDerefChecker
   mutable std::unique_ptr<CFErrorDerefBug> CFBT;
 public:
   bool ShouldCheckNSError, ShouldCheckCFError;
-  NSOrCFErrorDerefChecker() : NSErrorII(0), CFErrorII(0),
+  NSOrCFErrorDerefChecker() : NSErrorII(nullptr), CFErrorII(nullptr),
                               ShouldCheckNSError(0), ShouldCheckCFError(0) { }
 
   void checkLocation(SVal loc, bool isLoad, const Stmt *S,
@@ -264,7 +264,7 @@ void NSOrCFErrorDerefChecker::checkEvent(ImplicitNullDerefEvent event) const {
 
   os  << " may be null";
 
-  BugType *bug = 0;
+  BugType *bug = nullptr;
   if (isNSError) {
     if (!NSBT)
       NSBT.reset(new NSErrorDerefBug(this));

lib/StaticAnalyzer/Checkers/NonNullParamChecker.cpp

@@ -130,7 +130,7 @@ void NonNullParamChecker::checkPreCall(const CallEvent &Call,
       // we cache out.
       if (ExplodedNode *errorNode = C.generateSink(stateNull)) {
 
-        BugReport *R = 0;
+        BugReport *R = nullptr;
         if (haveAttrNonNull)
           R = genReportNullAttrNonNull(errorNode, ArgE);
         else if (haveRefTypeParam)
@@ -186,7 +186,7 @@ BugReport *NonNullParamChecker::genReportReferenceToNullPointer(
                                ErrorNode);
   if (ArgE) {
     const Expr *ArgEDeref = bugreporter::getDerefExpr(ArgE);
-    if (ArgEDeref == 0)
+    if (!ArgEDeref)
       ArgEDeref = ArgE;
     bugreporter::trackNullOrUndefValue(ErrorNode,
                                        ArgEDeref,

lib/StaticAnalyzer/Checkers/ObjCContainersASTChecker.cpp

@@ -100,7 +100,7 @@ void WalkAST::VisitCallExpr(CallExpr *CE) {
   if (Name.empty())
     return;
 
-  const Expr *Arg = 0;
+  const Expr *Arg = nullptr;
   unsigned ArgNum;
 
   if (Name.equals("CFArrayCreate") || Name.equals("CFSetCreate")) {

lib/StaticAnalyzer/Checkers/RetainCountChecker.cpp

@@ -451,10 +451,10 @@ public:
     : II(ii), S(s) {}
 
   ObjCSummaryKey(const ObjCInterfaceDecl *d, Selector s)
-    : II(d ? d->getIdentifier() : 0), S(s) {}
+    : II(d ? d->getIdentifier() : nullptr), S(s) {}
 
   ObjCSummaryKey(Selector s)
-    : II(0), S(s) {}
+    : II(nullptr), S(s) {}
 
   IdentifierInfo *getIdentifier() const { return II; }
   Selector getSelector() const { return S; }
@@ -503,7 +503,7 @@ public:
     if (I != M.end())
       return I->second;
     if (!D)
-      return NULL;
+      return nullptr;
 
     // Walk the super chain.  If we find a hit with a parent, we'll end
     // up returning that summary.  We actually allow that key (null,S), as
@@ -516,7 +516,7 @@ public:
         break;
 
       if (!C)
-        return NULL;
+        return nullptr;
     }
 
     // Cache the summary with original key to make the next lookup faster
@@ -534,7 +534,7 @@ public:
     if (I == M.end())
       I = M.find(ObjCSummaryKey(S));
 
-    return I == M.end() ? NULL : I->second;
+    return I == M.end() ? nullptr : I->second;
   }
 
   const RetainSummary *& operator[](ObjCSummaryKey K) {
@@ -723,7 +723,7 @@ public:
   }
 
   const RetainSummary *getSummary(const CallEvent &Call,
-                                  ProgramStateRef State = 0);
+                                  ProgramStateRef State = nullptr);
 
   const RetainSummary *getFunctionSummary(const FunctionDecl *FD);
 
@@ -1006,7 +1006,7 @@ RetainSummaryManager::getFunctionSummary(const FunctionDecl *FD) {
     return I->second;
 
   // No summary?  Generate one.
-  const RetainSummary *S = 0;
+  const RetainSummary *S = nullptr;
   bool AllowAnnotations = true;
 
   do {
@@ -1447,7 +1447,7 @@ RetainSummaryManager::getStandardMethodSummary(const ObjCMethodDecl *MD,
 const RetainSummary *
 RetainSummaryManager::getInstanceMethodSummary(const ObjCMethodCall &Msg,
                                                ProgramStateRef State) {
-  const ObjCInterfaceDecl *ReceiverClass = 0;
+  const ObjCInterfaceDecl *ReceiverClass = nullptr;
 
   // We do better tracking of the type of the object than the core ExprEngine.
   // See if we have its type in our private state.
@@ -1788,7 +1788,7 @@ namespace {
 
 void CFRefReport::addGCModeDescription(const LangOptions &LOpts,
                                        bool GCEnabled) {
-  const char *GCModeDescription = 0;
+  const char *GCModeDescription = nullptr;
 
   switch (LOpts.getGC()) {
   case LangOptions::GCOnly:
@@ -1835,7 +1835,7 @@ PathDiagnosticPiece *CFRefReportVisitor::VisitNode(const ExplodedNode *N,
   // FIXME: We will eventually need to handle non-statement-based events
   // (__attribute__((cleanup))).
   if (!N->getLocation().getAs<StmtPoint>())
-    return NULL;
+    return nullptr;
 
   // Check if the type state has changed.
   ProgramStateRef PrevSt = PrevN->getState();
@@ -1843,7 +1843,7 @@ PathDiagnosticPiece *CFRefReportVisitor::VisitNode(const ExplodedNode *N,
   const LocationContext *LCtx = N->getLocationContext();
 
   const RefVal* CurrT = getRefBinding(CurrSt, Sym);
-  if (!CurrT) return NULL;
+  if (!CurrT) return nullptr;
 
   const RefVal &CurrV = *CurrT;
   const RefVal *PrevT = getRefBinding(PrevSt, Sym);
@@ -1868,7 +1868,7 @@ PathDiagnosticPiece *CFRefReportVisitor::VisitNode(const ExplodedNode *N,
       if (isNumericLiteralExpression(BL->getSubExpr()))
         os << "NSNumber literal is an object with a +0 retain count";
       else {
-        const ObjCInterfaceDecl *BoxClass = 0;
+        const ObjCInterfaceDecl *BoxClass = nullptr;
         if (const ObjCMethodDecl *Method = BL->getBoxingMethod())
           BoxClass = Method->getClassInterface();
 
@@ -2037,7 +2037,7 @@ PathDiagnosticPiece *CFRefReportVisitor::VisitNode(const ExplodedNode *N,
           if (PrevV.getCount() == CurrV.getCount()) {
             // Did an autorelease message get sent?
             if (PrevV.getAutoreleaseCount() == CurrV.getAutoreleaseCount())
-              return 0;
+              return nullptr;
 
             assert(PrevV.getAutoreleaseCount() < CurrV.getAutoreleaseCount());
             os << "Object autoreleased";
@@ -2067,7 +2067,7 @@ PathDiagnosticPiece *CFRefReportVisitor::VisitNode(const ExplodedNode *N,
         case RefVal::ReturnedOwned:
           // Autoreleases can be applied after marking a node ReturnedOwned.
           if (CurrV.getAutoreleaseCount())
-            return NULL;
+            return nullptr;
 
           os << "Object returned to caller as an owning reference (single "
                 "retain count transferred to caller)";
@@ -2078,7 +2078,7 @@ PathDiagnosticPiece *CFRefReportVisitor::VisitNode(const ExplodedNode *N,
           break;
 
         default:
-          return NULL;
+          return nullptr;
       }
 
     // Emit any remaining diagnostics for the argument effects (if any).
@@ -2103,7 +2103,7 @@ PathDiagnosticPiece *CFRefReportVisitor::VisitNode(const ExplodedNode *N,
   } while (0);
 
   if (os.str().empty())
-    return 0; // We have nothing to say!
+    return nullptr; // We have nothing to say!
 
   const Stmt *S = N->getLocation().castAs<StmtPoint>().getStmt();
   PathDiagnosticLocation Pos(S, BRC.getSourceManager(),
@@ -2143,12 +2143,12 @@ GetAllocationSite(ProgramStateManager& StateMgr, const ExplodedNode *N,
                   SymbolRef Sym) {
   const ExplodedNode *AllocationNode = N;
   const ExplodedNode *AllocationNodeInCurrentContext = N;
-  const MemRegion* FirstBinding = 0;
+  const MemRegion *FirstBinding = nullptr;
   const LocationContext *LeakContext = N->getLocationContext();
 
   // The location context of the init method called on the leaked object, if
   // available.
-  const LocationContext *InitMethodContext = 0;
+  const LocationContext *InitMethodContext = nullptr;
 
   while (N) {
     ProgramStateRef St = N->getState();
@@ -2192,12 +2192,12 @@ GetAllocationSite(ProgramStateManager& StateMgr, const ExplodedNode *N,
         }
       }
 
-    N = N->pred_empty() ? NULL : *(N->pred_begin());
+    N = N->pred_empty() ? nullptr : *(N->pred_begin());
   }
 
   // If we are reporting a leak of the object that was allocated with alloc,
   // mark its init method as interesting.
-  const LocationContext *InterestingMethodContext = 0;
+  const LocationContext *InterestingMethodContext = nullptr;
   if (InitMethodContext) {
     const ProgramPoint AllocPP = AllocationNode->getLocation();
     if (Optional<StmtPoint> SP = AllocPP.getAs<StmtPoint>())
@@ -2210,7 +2210,7 @@ GetAllocationSite(ProgramStateManager& StateMgr, const ExplodedNode *N,
   // do not report the binding.
   assert(N && "Could not find allocation node");
   if (N->getLocationContext() != LeakContext) {
-    FirstBinding = 0;
+    FirstBinding = nullptr;
   }
 
   return AllocationInfo(AllocationNodeInCurrentContext,
@@ -2327,7 +2327,7 @@ CFRefLeakReport::CFRefLeakReport(CFRefBug &D, const LangOptions &LOpts,
   // Note that this is *not* the trimmed graph; we are guaranteed, however,
   // that all ancestor nodes that represent the allocation site have the
   // same SourceLocation.
-  const ExplodedNode *AllocNode = 0;
+  const ExplodedNode *AllocNode = nullptr;
 
   const SourceManager& SMgr = Ctx.getSourceManager();
 
@@ -2602,7 +2602,7 @@ public:
   ExplodedNode *processLeaks(ProgramStateRef state,
                              SmallVectorImpl<SymbolRef> &Leaked,
                              CheckerContext &Ctx,
-                             ExplodedNode *Pred = 0) const;
+                             ExplodedNode *Pred = nullptr) const;
 };
 } // end anonymous namespace
 
@@ -2886,7 +2886,7 @@ void RetainCountChecker::checkSummary(const RetainSummary &Summ,
   // Evaluate the effect of the arguments.
   RefVal::Kind hasErr = (RefVal::Kind) 0;
   SourceRange ErrorRange;
-  SymbolRef ErrorSym = 0;
+  SymbolRef ErrorSym = nullptr;
 
   for (unsigned idx = 0, e = CallOrMsg.getNumArgs(); idx != e; ++idx) {
     SVal V = CallOrMsg.getArgSVal(idx);
@@ -3242,7 +3242,7 @@ bool RetainCountChecker::evalCall(const CallExpr *CE, CheckerContext &C) const {
   if (RetVal.isUnknown()) {
     // If the receiver is unknown, conjure a return value.
     SValBuilder &SVB = C.getSValBuilder();
-    RetVal = SVB.conjureSymbolVal(0, CE, LCtx, ResultTy, C.blockCount());
+    RetVal = SVB.conjureSymbolVal(nullptr, CE, LCtx, ResultTy, C.blockCount());
   }
   state = state->BindExpr(CE, LCtx, RetVal, false);
 
@@ -3251,7 +3251,7 @@ bool RetainCountChecker::evalCall(const CallExpr *CE, CheckerContext &C) const {
   if (const MemRegion *ArgRegion = RetVal.getAsRegion()) {
     // Save the refcount status of the argument.
     SymbolRef Sym = RetVal.getAsLocSymbol();
-    const RefVal *Binding = 0;
+    const RefVal *Binding = nullptr;
     if (Sym)
       Binding = getRefBinding(state, Sym);
 
@@ -3622,7 +3622,7 @@ RetainCountChecker::handleAutoreleaseCounts(ProgramStateRef state,
     Ctx.emitReport(report);
   }
 
-  return 0;
+  return nullptr;
 }
 
 ProgramStateRef 
@@ -3683,7 +3683,7 @@ void RetainCountChecker::checkEndFunction(CheckerContext &Ctx) const {
   }
 
   for (RefBindingsTy::iterator I = B.begin(), E = B.end(); I != E; ++I) {
-    state = handleAutoreleaseCounts(state, Pred, /*Tag=*/0, Ctx,
+    state = handleAutoreleaseCounts(state, Pred, /*Tag=*/nullptr, Ctx,
                                     I->first, I->second);
     if (!state)
       return;

lib/StaticAnalyzer/Checkers/ReturnUndefChecker.cpp

@@ -79,7 +79,7 @@ void ReturnUndefChecker::checkPreStmt(const ReturnStmt *RS,
 }
 
 static void emitBug(CheckerContext &C, BuiltinBug &BT, const Expr *RetE,
-                    const Expr *TrackingE = 0) {
+                    const Expr *TrackingE = nullptr) {
   ExplodedNode *N = C.generateSink();
   if (!N)
     return;

lib/StaticAnalyzer/Checkers/SimpleStreamChecker.cpp

@@ -106,8 +106,8 @@ public:
 };
 } // end anonymous namespace
 
-
-SimpleStreamChecker::SimpleStreamChecker() : IIfopen(0), IIfclose(0) {
+SimpleStreamChecker::SimpleStreamChecker()
+    : IIfopen(nullptr), IIfclose(nullptr) {
   // Initialize the bug types.
   DoubleCloseBugType.reset(
       new BugType(this, "Double fclose", "Unix Stream API Error"));

lib/StaticAnalyzer/Checkers/StreamChecker.cpp

@@ -67,9 +67,11 @@ class StreamChecker : public Checker<eval::Call,
 
 public:
   StreamChecker() 
-    : II_fopen(0), II_tmpfile(0) ,II_fclose(0), II_fread(0), II_fwrite(0), 
-      II_fseek(0), II_ftell(0), II_rewind(0), II_fgetpos(0), II_fsetpos(0), 
-      II_clearerr(0), II_feof(0), II_ferror(0), II_fileno(0) {}
+    : II_fopen(nullptr), II_tmpfile(nullptr), II_fclose(nullptr),
+      II_fread(nullptr), II_fwrite(nullptr), II_fseek(nullptr),
+      II_ftell(nullptr), II_rewind(nullptr), II_fgetpos(nullptr),
+      II_fsetpos(nullptr), II_clearerr(nullptr), II_feof(nullptr),
+      II_ferror(nullptr), II_fileno(nullptr) {}
 
   bool evalCall(const CallExpr *CE, CheckerContext &C) const;
   void checkDeadSymbols(SymbolReaper &SymReaper, CheckerContext &C) const;
@@ -210,7 +212,8 @@ void StreamChecker::OpenFileAux(CheckerContext &C, const CallExpr *CE) const {
   ProgramStateRef state = C.getState();
   SValBuilder &svalBuilder = C.getSValBuilder();
   const LocationContext *LCtx = C.getPredecessor()->getLocationContext();
-  DefinedSVal RetVal = svalBuilder.conjureSymbolVal(0, CE, LCtx, C.blockCount())
+  DefinedSVal RetVal = svalBuilder.conjureSymbolVal(nullptr, CE, LCtx,
+                                                    C.blockCount())
       .castAs<DefinedSVal>();
   state = state->BindExpr(CE, C.getLocationContext(), RetVal);
   
@@ -340,7 +343,7 @@ ProgramStateRef StreamChecker::CheckNullStream(SVal SV, ProgramStateRef state,
                                     CheckerContext &C) const {
   Optional<DefinedSVal> DV = SV.getAs<DefinedSVal>();
   if (!DV)
-    return 0;
+    return nullptr;
 
   ConstraintManager &CM = C.getConstraintManager();
   ProgramStateRef stateNotNull, stateNull;
@@ -354,7 +357,7 @@ ProgramStateRef StreamChecker::CheckNullStream(SVal SV, ProgramStateRef state,
       BugReport *R =new BugReport(*BT_nullfp, BT_nullfp->getDescription(), N);
       C.emitReport(R);
     }
-    return 0;
+    return nullptr;
   }
   return stateNotNull;
 }
@@ -386,7 +389,7 @@ ProgramStateRef StreamChecker::CheckDoubleClose(const CallExpr *CE,
                                    BT_doubleclose->getDescription(), N);
       C.emitReport(R);
     }
-    return NULL;
+    return nullptr;
   }
   
   // Close the File Descriptor.

lib/StaticAnalyzer/Checkers/TraversalChecker.cpp

@@ -72,7 +72,7 @@ public:
 void CallDumper::checkPreCall(const CallEvent &Call, CheckerContext &C) const {
   unsigned Indentation = 0;
   for (const LocationContext *LC = C.getLocationContext()->getParent();
-       LC != 0; LC = LC->getParent())
+       LC != nullptr; LC = LC->getParent())
     ++Indentation;
 
   // It is mildly evil to print directly to llvm::outs() rather than emitting
@@ -89,7 +89,7 @@ void CallDumper::checkPostCall(const CallEvent &Call, CheckerContext &C) const {
 
   unsigned Indentation = 0;
   for (const LocationContext *LC = C.getLocationContext()->getParent();
-       LC != 0; LC = LC->getParent())
+       LC != nullptr; LC = LC->getParent())
     ++Indentation;
 
   // It is mildly evil to print directly to llvm::outs() rather than emitting

lib/StaticAnalyzer/Checkers/UndefBranchChecker.cpp

@@ -35,7 +35,7 @@ class UndefBranchChecker : public Checker<check::BranchCondition> {
 
     const Expr *FindExpr(const Expr *Ex) {
       if (!MatchesCriteria(Ex))
-        return 0;
+        return nullptr;
 
       for (Stmt::const_child_iterator I = Ex->child_begin(), 
                                       E = Ex->child_end();I!=E;++I)

lib/StaticAnalyzer/Checkers/UndefCapturedBlockVarChecker.cpp

@@ -48,7 +48,7 @@ static const DeclRefExpr *FindBlockDeclRefExpr(const Stmt *S,
         return BR;
     }
 
-  return NULL;
+  return nullptr;
 }
 
 void

lib/StaticAnalyzer/Checkers/UndefResultChecker.cpp

@@ -60,7 +60,7 @@ void UndefResultChecker::checkPostStmt(const BinaryOperator *B,
 
     SmallString<256> sbuf;
     llvm::raw_svector_ostream OS(sbuf);
-    const Expr *Ex = NULL;
+    const Expr *Ex = nullptr;
     bool isLeft = true;
     
     if (state->getSVal(B->getLHS(), LCtx).isUndef()) {

lib/StaticAnalyzer/Checkers/UndefinedAssignmentChecker.cpp

@@ -57,7 +57,7 @@ void UndefinedAssignmentChecker::checkBind(SVal location, SVal val,
     BT.reset(new BuiltinBug(this, str));
 
   // Generate a report for this bug.
-  const Expr *ex = 0;
+  const Expr *ex = nullptr;
 
   while (StoreE) {
     if (const BinaryOperator *B = dyn_cast<BinaryOperator>(StoreE)) {

lib/StaticAnalyzer/Checkers/UnixAPIChecker.cpp

@@ -239,7 +239,7 @@ void UnixAPIChecker::BasicAllocationCheck(CheckerContext &C,
 
   // Check if the allocation size is 0.
   ProgramStateRef state = C.getState();
-  ProgramStateRef trueState = NULL, falseState = NULL;
+  ProgramStateRef trueState = nullptr, falseState = nullptr;
   const Expr *arg = CE->getArg(sizeArg);
   SVal argVal = state->getSVal(arg, C.getLocationContext());
 
@@ -264,7 +264,7 @@ void UnixAPIChecker::CheckCallocZero(CheckerContext &C,
     return;
 
   ProgramStateRef state = C.getState();
-  ProgramStateRef trueState = NULL, falseState = NULL;
+  ProgramStateRef trueState = nullptr, falseState = nullptr;
 
   unsigned int i;
   for (i = 0; i < nArgs; i++) {
@@ -343,7 +343,7 @@ void UnixAPIChecker::checkPreStmt(const CallExpr *CE,
       .Case("reallocf", &UnixAPIChecker::CheckReallocfZero)
       .Cases("alloca", "__builtin_alloca", &UnixAPIChecker::CheckAllocaZero)
       .Case("valloc", &UnixAPIChecker::CheckVallocZero)
-      .Default(NULL);
+      .Default(nullptr);
 
   if (SC)
     (this->*SC)(C, CE);

lib/StaticAnalyzer/Checkers/UnreachableCodeChecker.cpp

@@ -58,10 +58,10 @@ void UnreachableCodeChecker::checkEndAnalysis(ExplodedGraph &G,
   if (Eng.hasWorkRemaining())
     return;
 
-  const Decl *D = 0;
-  CFG *C = 0;
-  ParentMap *PM = 0;
-  const LocationContext *LC = 0;
+  const Decl *D = nullptr;
+  CFG *C = nullptr;
+  ParentMap *PM = nullptr;
+  const LocationContext *LC = nullptr;
   // Iterate over ExplodedGraph
   for (ExplodedGraph::node_iterator I = G.nodes_begin(), E = G.nodes_end();
       I != E; ++I) {
@@ -201,7 +201,7 @@ const Stmt *UnreachableCodeChecker::getUnreachableStmt(const CFGBlock *CB) {
   if (const Stmt *S = CB->getTerminator())
     return S;
   else
-    return 0;
+    return nullptr;
 }
 
 // Determines if the path to this CFGBlock contained an element that infers this
@@ -245,7 +245,7 @@ bool UnreachableCodeChecker::isInvalidPath(const CFGBlock *CB,
 
 // Returns true if the given CFGBlock is empty
 bool UnreachableCodeChecker::isEmptyCFGBlock(const CFGBlock *CB) {
-  return CB->getLabel() == 0       // No labels
+  return CB->getLabel() == nullptr // No labels
       && CB->size() == 0           // No statements
       && !CB->getTerminator();     // No terminator
 }

lib/StaticAnalyzer/Checkers/VLASizeChecker.cpp

@@ -106,7 +106,7 @@ void VLASizeChecker::checkPreStmt(const DeclStmt *DS, CheckerContext &C) const {
   
   // Check if the size is tainted.
   if (state->isTainted(sizeV)) {
-    reportBug(VLA_Tainted, SE, 0, C);
+    reportBug(VLA_Tainted, SE, nullptr, C);
     return;
   }
 

lib/StaticAnalyzer/Checkers/VirtualCallChecker.cpp

@@ -61,7 +61,7 @@ class WalkAST : public StmtVisitor<WalkAST> {
 public:
   WalkAST(const CheckerBase *checker, BugReporter &br,
           AnalysisDeclContext *ac)
-      : Checker(checker), BR(br), AC(ac), visitingCallExpr(0) {}
+      : Checker(checker), BR(br), AC(ac), visitingCallExpr(nullptr) {}
 
   bool hasWork() const { return !WList.empty(); }
 

lib/StaticAnalyzer/Core/AnalyzerOptions.cpp

@@ -39,7 +39,7 @@ IPAKind AnalyzerOptions::getIPAMode() {
     // Use the User Mode to set the default IPA value.
     // Note, we have to add the string to the Config map for the ConfigDumper
     // checker to function properly.
-    const char *DefaultIPA = 0;
+    const char *DefaultIPA = nullptr;
     UserModeKind HighLevelMode = getUserMode();
     if (HighLevelMode == UMK_Shallow)
       DefaultIPA = "inlining";

lib/StaticAnalyzer/Core/BasicValueFactory.cpp

@@ -173,12 +173,12 @@ BasicValueFactory::evalAPSInt(BinaryOperator::Opcode Op,
       // FIXME: Expand these checks to include all undefined behavior.
 
       if (V2.isSigned() && V2.isNegative())
-        return NULL;
+        return nullptr;
 
       uint64_t Amt = V2.getZExtValue();
 
       if (Amt >= V1.getBitWidth())
-        return NULL;
+        return nullptr;
 
       return &getValue( V1.operator<<( (unsigned) Amt ));
     }
@@ -191,12 +191,12 @@ BasicValueFactory::evalAPSInt(BinaryOperator::Opcode Op,
       // FIXME: Expand these checks to include all undefined behavior.
 
       if (V2.isSigned() && V2.isNegative())
-        return NULL;
+        return nullptr;
 
       uint64_t Amt = V2.getZExtValue();
 
       if (Amt >= V1.getBitWidth())
-        return NULL;
+        return nullptr;
 
       return &getValue( V1.operator>>( (unsigned) Amt ));
     }

lib/StaticAnalyzer/Core/BugReporter.cpp

@@ -59,7 +59,7 @@ static const Stmt *GetPreviousStmt(const ExplodedNode *N) {
     if (const Stmt *S = PathDiagnosticLocation::getStmt(N))
       return S;
 
-  return 0;
+  return nullptr;
 }
 
 static inline const Stmt*
@@ -83,15 +83,15 @@ eventsDescribeSameCondition(PathDiagnosticEventPiece *X,
   const void *tagLesser = TrackConstraintBRVisitor::getTag();
   
   if (X->getLocation() != Y->getLocation())
-    return 0;
-  
+    return nullptr;
+
   if (X->getTag() == tagPreferred && Y->getTag() == tagLesser)
     return X;
   
   if (Y->getTag() == tagPreferred && X->getTag() == tagLesser)
     return Y;
-  
-  return 0;
+
+  return nullptr;
 }
 
 /// An optimization pass over PathPieces that removes redundant diagnostics
@@ -214,8 +214,9 @@ static bool hasImplicitBody(const Decl *D) {
 
 /// Recursively scan through a path and make sure that all call pieces have
 /// valid locations. 
-static void adjustCallLocations(PathPieces &Pieces,
-                                PathDiagnosticLocation *LastCallLocation = 0) {
+static void
+adjustCallLocations(PathPieces &Pieces,
+                    PathDiagnosticLocation *LastCallLocation = nullptr) {
   for (PathPieces::iterator I = Pieces.begin(), E = Pieces.end(); I != E; ++I) {
     PathDiagnosticCallPiece *Call = dyn_cast<PathDiagnosticCallPiece>(*I);
 
@@ -405,7 +406,7 @@ static const Stmt *getEnclosingParent(const Stmt *S, const ParentMap &PM) {
 
   const Stmt *Parent = PM.getParentIgnoreParens(S);
   if (!Parent)
-    return 0;
+    return nullptr;
 
   switch (Parent->getStmtClass()) {
   case Stmt::ForStmtClass:
@@ -418,7 +419,7 @@ static const Stmt *getEnclosingParent(const Stmt *S, const ParentMap &PM) {
     break;
   }
 
-  return 0;
+  return nullptr;
 }
 
 static PathDiagnosticLocation
@@ -564,7 +565,7 @@ static bool GenerateMinimalPathDiagnostic(PathDiagnostic& PD,
   SourceManager& SMgr = PDB.getSourceManager();
   const LocationContext *LC = PDB.LC;
   const ExplodedNode *NextNode = N->pred_empty()
-                                        ? NULL : *(N->pred_begin());
+                                        ? nullptr : *(N->pred_begin());
 
   StackDiagVector CallStack;
 
@@ -1351,11 +1352,11 @@ static const Stmt *getStmtBeforeCond(ParentMap &PM, const Stmt *Term,
     }
     N = N->getFirstPred();
   }
-  return 0;
+  return nullptr;
 }
 
 static bool isInLoopBody(ParentMap &PM, const Stmt *S, const Stmt *Term) {
-  const Stmt *LoopBody = 0;
+  const Stmt *LoopBody = nullptr;
   switch (Term->getStmtClass()) {
     case Stmt::CXXForRangeStmtClass: {
       const CXXForRangeStmt *FR = cast<CXXForRangeStmt>(Term);
@@ -1401,7 +1402,7 @@ static bool GenerateExtensivePathDiagnostic(PathDiagnostic& PD,
   StackDiagVector CallStack;
   InterestingExprs IE;
 
-  const ExplodedNode *NextNode = N->pred_empty() ? NULL : *(N->pred_begin());
+  const ExplodedNode *NextNode = N->pred_empty() ? nullptr : *(N->pred_begin());
   while (NextNode) {
     N = NextNode;
     NextNode = N->getFirstPred();
@@ -1498,7 +1499,7 @@ static bool GenerateExtensivePathDiagnostic(PathDiagnostic& PD,
         // Are we jumping to the head of a loop?  Add a special diagnostic.
         if (const Stmt *Loop = BE->getSrc()->getLoopTarget()) {
           PathDiagnosticLocation L(Loop, SM, PDB.LC);
-          const CompoundStmt *CS = NULL;
+          const CompoundStmt *CS = nullptr;
 
           if (const ForStmt *FS = dyn_cast<ForStmt>(Loop))
             CS = dyn_cast<CompoundStmt>(FS->getBody());
@@ -1683,11 +1684,11 @@ GenerateAlternateExtensivePathDiagnostic(PathDiagnostic& PD,
           // reset the mapping from active to location context.
           assert(PD.getActivePath().size() == 1 &&
                  PD.getActivePath().front() == C);
-          LCM[&PD.getActivePath()] = 0;
+          LCM[&PD.getActivePath()] = nullptr;
 
           // Record the location context mapping for the path within
           // the call.
-          assert(LCM[&C->path] == 0 ||
+          assert(LCM[&C->path] == nullptr ||
                  LCM[&C->path] == CE->getCalleeContext());
           LCM[&C->path] = CE->getCalleeContext();
 
@@ -1786,7 +1787,7 @@ GenerateAlternateExtensivePathDiagnostic(PathDiagnostic& PD,
         // Are we jumping to the head of a loop?  Add a special diagnostic.
         if (const Stmt *Loop = BE->getSrc()->getLoopTarget()) {
           PathDiagnosticLocation L(Loop, SM, PDB.LC);
-          const Stmt *Body = NULL;
+          const Stmt *Body = nullptr;
 
           if (const ForStmt *FS = dyn_cast<ForStmt>(Loop))
             Body = FS->getBody();
@@ -1827,7 +1828,7 @@ GenerateAlternateExtensivePathDiagnostic(PathDiagnostic& PD,
             bool IsInLoopBody =
               isInLoopBody(PM, getStmtBeforeCond(PM, TermCond, N), Term);
 
-            const char *str = 0;
+            const char *str = nullptr;
 
             if (isJumpToFalseBranch(&*BE)) {
               if (!IsInLoopBody) {
@@ -1890,13 +1891,13 @@ GenerateAlternateExtensivePathDiagnostic(PathDiagnostic& PD,
 
 static const Stmt *getLocStmt(PathDiagnosticLocation L) {
   if (!L.isValid())
-    return 0;
+    return nullptr;
   return L.asStmt();
 }
 
 static const Stmt *getStmtParent(const Stmt *S, const ParentMap &PM) {
   if (!S)
-    return 0;
+    return nullptr;
 
   while (true) {
     S = PM.getParentIgnoreParens(S);
@@ -1988,7 +1989,7 @@ static void addContextEdges(PathPieces &pieces, SourceManager &SM,
     SmallVector<PathDiagnosticLocation, 4> SrcContexts;
 
     PathDiagnosticLocation NextSrcContext = SrcLoc;
-    const Stmt *InnerStmt = 0;
+    const Stmt *InnerStmt = nullptr;
     while (NextSrcContext.isValid() && NextSrcContext.asStmt() != InnerStmt) {
       SrcContexts.push_back(NextSrcContext);
       InnerStmt = NextSrcContext.asStmt();
@@ -2073,7 +2074,7 @@ static void simplifySimpleBranches(PathPieces &pieces) {
     if (NextI == E)
       break;
 
-    PathDiagnosticControlFlowPiece *PieceNextI = 0;
+    PathDiagnosticControlFlowPiece *PieceNextI = nullptr;
 
     while (true) {
       if (NextI == E)
@@ -2579,8 +2580,8 @@ const Decl *BugReport::getDeclWithIssue() const {
   
   const ExplodedNode *N = getErrorNode();
   if (!N)
-    return 0;
-  
+    return nullptr;
+
   const LocationContext *LC = N->getLocationContext();
   return LC->getCurrentStackFrame()->getDecl();
 }
@@ -2703,10 +2704,10 @@ void BugReport::popInterestingSymbolsAndRegions() {
 
 const Stmt *BugReport::getStmt() const {
   if (!ErrorNode)
-    return 0;
+    return nullptr;
 
   ProgramPoint ProgP = ErrorNode->getLocation();
-  const Stmt *S = NULL;
+  const Stmt *S = nullptr;
 
   if (Optional<BlockEntrance> BE = ProgP.getAs<BlockEntrance>()) {
     CFGBlock &Exit = ProgP.getLocationContext()->getCFG()->getExit();
@@ -2943,7 +2944,7 @@ bool TrimmedGraph::popNextReportGraph(ReportGraph &GraphWrapper) {
 
   // Now walk from the error node up the BFS path, always taking the
   // predeccessor with the lowest number.
-  ExplodedNode *Succ = 0;
+  ExplodedNode *Succ = nullptr;
   while (true) {
     // Create the equivalent node in the new graph with the same state
     // and location.
@@ -3091,7 +3092,7 @@ bool GRBugReporter::generatePathDiagnostic(PathDiagnostic& PD,
     } else {
       // Keep the errorNodes list in sync with the bugReports list.
       HasInvalid = true;
-      errorNodes.push_back(0);
+      errorNodes.push_back(nullptr);
     }
   }
 
@@ -3328,7 +3329,7 @@ FindReportInEquivalenceClass(BugReportEquivClass& EQ,
   // DFS traversal of the ExplodedGraph to find a non-sink node.  We could write
   // this as a recursive function, but we don't want to risk blowing out the
   // stack for very long paths.
-  BugReport *exampleReport = 0;
+  BugReport *exampleReport = nullptr;
 
   for (; I != E; ++I) {
     const ExplodedNode *errorNode = I->getErrorNode();

lib/StaticAnalyzer/Core/BugReporterVisitors.cpp

@@ -45,7 +45,7 @@ const Expr *bugreporter::getDerefExpr(const Stmt *S) {
   //   a[0], p->f, *p
   const Expr *E = dyn_cast<Expr>(S);
   if (!E)
-    return 0;
+    return nullptr;
   E = E->IgnoreParenCasts();
 
   while (true) {
@@ -79,21 +79,21 @@ const Expr *bugreporter::getDerefExpr(const Stmt *S) {
     break;
   }
 
-  return NULL;
+  return nullptr;
 }
 
 const Stmt *bugreporter::GetDenomExpr(const ExplodedNode *N) {
   const Stmt *S = N->getLocationAs<PreStmt>()->getStmt();
   if (const BinaryOperator *BE = dyn_cast<BinaryOperator>(S))
     return BE->getRHS();
-  return NULL;
+  return nullptr;
 }
 
 const Stmt *bugreporter::GetRetValExpr(const ExplodedNode *N) {
   const Stmt *S = N->getLocationAs<PostStmt>()->getStmt();
   if (const ReturnStmt *RS = dyn_cast<ReturnStmt>(S))
     return RS->getRetValue();
-  return NULL;
+  return nullptr;
 }
 
 //===----------------------------------------------------------------------===//
@@ -104,7 +104,7 @@ PathDiagnosticPiece*
 BugReporterVisitor::getEndPath(BugReporterContext &BRC,
                                const ExplodedNode *EndPathNode,
                                BugReport &BR) {
-  return 0;
+  return nullptr;
 }
 
 PathDiagnosticPiece*
@@ -237,22 +237,22 @@ public:
                                         BugReport &BR) {
     // Only print a message at the interesting return statement.
     if (N->getLocationContext() != StackFrame)
-      return 0;
+      return nullptr;
 
     Optional<StmtPoint> SP = N->getLocationAs<StmtPoint>();
     if (!SP)
-      return 0;
+      return nullptr;
 
     const ReturnStmt *Ret = dyn_cast<ReturnStmt>(SP->getStmt());
     if (!Ret)
-      return 0;
+      return nullptr;
 
     // Okay, we're at the right return statement, but do we have the return
     // value available?
     ProgramStateRef State = N->getState();
     SVal V = State->getSVal(Ret, StackFrame);
     if (V.isUnknownOrUndef())
-      return 0;
+      return nullptr;
 
     // Don't print any more notes after this one.
     Mode = Satisfied;
@@ -273,7 +273,7 @@ public:
     // Ignore aggregate rvalues.
     if (V.getAs<nonloc::LazyCompoundVal>() ||
         V.getAs<nonloc::CompoundVal>())
-      return 0;
+      return nullptr;
 
     RetE = RetE->IgnoreParenCasts();
 
@@ -283,7 +283,7 @@ public:
       BR.markInteresting(V);
       ReturnVisitor::addVisitorIfNecessary(N, RetE, BR,
                                            EnableNullFPSuppression);
-      return 0;
+      return nullptr;
     }
       
     // If we're returning 0, we should track where that 0 came from.
@@ -343,10 +343,10 @@ public:
     // Are we at the entry node for this call?
     Optional<CallEnter> CE = N->getLocationAs<CallEnter>();
     if (!CE)
-      return 0;
+      return nullptr;
 
     if (CE->getCalleeContext() != StackFrame)
-      return 0;
+      return nullptr;
 
     Mode = Satisfied;
 
@@ -380,7 +380,7 @@ public:
       // (We will still look at the other arguments, though.)
     }
 
-    return 0;
+    return nullptr;
   }
 
   PathDiagnosticPiece *VisitNode(const ExplodedNode *N,
@@ -393,7 +393,7 @@ public:
     case MaybeUnsuppress:
       return visitNodeMaybeUnsuppress(N, PrevN, BRC, BR);
     case Satisfied:
-      return 0;
+      return nullptr;
     }
 
     llvm_unreachable("Invalid visit mode!");
@@ -404,7 +404,7 @@ public:
                                   BugReport &BR) override {
     if (EnableNullFPSuppression)
       BR.markInvalid(ReturnVisitor::getTag(), StackFrame);
-    return 0;
+    return nullptr;
   }
 };
 } // end anonymous namespace
@@ -453,10 +453,10 @@ PathDiagnosticPiece *FindLastStoreBRVisitor::VisitNode(const ExplodedNode *Succ,
                                                        BugReport &BR) {
 
   if (Satisfied)
-    return NULL;
+    return nullptr;
 
-  const ExplodedNode *StoreSite = 0;
-  const Expr *InitE = 0;
+  const ExplodedNode *StoreSite = nullptr;
+  const Expr *InitE = nullptr;
   bool IsParam = false;
 
   // First see if we reached the declaration of the region.
@@ -484,12 +484,12 @@ PathDiagnosticPiece *FindLastStoreBRVisitor::VisitNode(const ExplodedNode *Succ,
   //     the same binding was re-assigned here.
   if (!StoreSite) {
     if (Succ->getState()->getSVal(R) != V)
-      return NULL;
+      return nullptr;
 
     if (Pred->getState()->getSVal(R) == V) {
       Optional<PostStore> PS = Succ->getLocationAs<PostStore>();
       if (!PS || PS->getLocationValue() != R)
-        return NULL;
+        return nullptr;
     }
 
     StoreSite = Succ;
@@ -526,7 +526,7 @@ PathDiagnosticPiece *FindLastStoreBRVisitor::VisitNode(const ExplodedNode *Succ,
   }
 
   if (!StoreSite)
-    return NULL;
+    return nullptr;
   Satisfied = true;
 
   // If we have an expression that provided the value, try to track where it
@@ -550,7 +550,7 @@ PathDiagnosticPiece *FindLastStoreBRVisitor::VisitNode(const ExplodedNode *Succ,
 
   if (Optional<PostStmt> PS = StoreSite->getLocationAs<PostStmt>()) {
     const Stmt *S = PS->getStmt();
-    const char *action = 0;
+    const char *action = nullptr;
     const DeclStmt *DS = dyn_cast<DeclStmt>(S);
     const VarRegion *VR = dyn_cast<VarRegion>(R);
 
@@ -703,7 +703,7 @@ PathDiagnosticPiece *FindLastStoreBRVisitor::VisitNode(const ExplodedNode *Succ,
     L = PathDiagnosticLocation::create(P, BRC.getSourceManager());
 
   if (!L.isValid() || !L.asLocation().isValid())
-    return NULL;
+    return nullptr;
 
   return new PathDiagnosticEventPiece(L, os.str());
 }
@@ -733,7 +733,7 @@ TrackConstraintBRVisitor::VisitNode(const ExplodedNode *N,
                                     BugReporterContext &BRC,
                                     BugReport &BR) {
   if (IsSatisfied)
-    return NULL;
+    return nullptr;
 
   // Start tracking after we see the first state in which the value is
   // constrained.
@@ -741,7 +741,7 @@ TrackConstraintBRVisitor::VisitNode(const ExplodedNode *N,
     if (!isUnderconstrained(N))
       IsTrackingTurnedOn = true;
   if (!IsTrackingTurnedOn)
-    return 0;
+    return nullptr;
 
   // Check if in the previous state it was feasible for this constraint
   // to *not* be true.
@@ -765,21 +765,21 @@ TrackConstraintBRVisitor::VisitNode(const ExplodedNode *N,
     }
 
     if (os.str().empty())
-      return NULL;
+      return nullptr;
 
     // Construct a new PathDiagnosticPiece.
     ProgramPoint P = N->getLocation();
     PathDiagnosticLocation L =
       PathDiagnosticLocation::create(P, BRC.getSourceManager());
     if (!L.isValid())
-      return NULL;
-    
+      return nullptr;
+
     PathDiagnosticEventPiece *X = new PathDiagnosticEventPiece(L, os.str());
     X->setTag(getTag());
     return X;
   }
 
-  return NULL;
+  return nullptr;
 }
 
 SuppressInlineDefensiveChecksVisitor::
@@ -813,14 +813,14 @@ SuppressInlineDefensiveChecksVisitor::VisitNode(const ExplodedNode *Succ,
                                                 BugReporterContext &BRC,
                                                 BugReport &BR) {
   if (IsSatisfied)
-    return 0;
+    return nullptr;
 
   // Start tracking after we see the first state in which the value is null.
   if (!IsTrackingTurnedOn)
     if (Succ->getState()->isNull(V).isConstrainedTrue())
       IsTrackingTurnedOn = true;
   if (!IsTrackingTurnedOn)
-    return 0;
+    return nullptr;
 
   // Check if in the previous state it was feasible for this value
   // to *not* be null.
@@ -835,7 +835,7 @@ SuppressInlineDefensiveChecksVisitor::VisitNode(const ExplodedNode *Succ,
     if (CurLC != ReportLC && !CurLC->isParentOf(ReportLC))
       BR.markInvalid("Suppress IDC", CurLC);
   }
-  return 0;
+  return nullptr;
 }
 
 static const MemRegion *getLocationRegionIfReference(const Expr *E,
@@ -843,7 +843,7 @@ static const MemRegion *getLocationRegionIfReference(const Expr *E,
   if (const DeclRefExpr *DR = dyn_cast<DeclRefExpr>(E)) {
     if (const VarDecl *VD = dyn_cast<VarDecl>(DR->getDecl())) {
       if (!VD->getType()->isReferenceType())
-        return 0;
+        return nullptr;
       ProgramStateManager &StateMgr = N->getState()->getStateManager();
       MemRegionManager &MRMgr = StateMgr.getRegionManager();
       return MRMgr.getVarRegion(VD, N->getLocationContext());
@@ -856,7 +856,7 @@ static const MemRegion *getLocationRegionIfReference(const Expr *E,
   //   Wrapper w = { *(int *)0 };
   //   w.ref = 1;
 
-  return 0;
+  return nullptr;
 }
 
 static const Expr *peelOffOuterExpr(const Expr *Ex,
@@ -906,7 +906,7 @@ bool bugreporter::trackNullOrUndefValue(const ExplodedNode *N,
       S = PeeledEx;
   }
 
-  const Expr *Inner = 0;
+  const Expr *Inner = nullptr;
   if (const Expr *Ex = dyn_cast<Expr>(S)) {
     Ex = Ex->IgnoreParenCasts();
     if (ExplodedGraph::isInterestingLValueExpr(Ex) || CallEvent::isCallStmt(Ex))
@@ -948,7 +948,7 @@ bool bugreporter::trackNullOrUndefValue(const ExplodedNode *N,
   // See if the expression we're interested refers to a variable.
   // If so, we can track both its contents and constraints on its value.
   if (Inner && ExplodedGraph::isInterestingLValueExpr(Inner)) {
-    const MemRegion *R = 0;
+    const MemRegion *R = nullptr;
 
     // Find the ExplodedNode where the lvalue (the value of 'Ex')
     // was computed.  We need this for getting the location value.
@@ -1060,14 +1060,14 @@ const Expr *NilReceiverBRVisitor::getNilReceiver(const Stmt *S,
                                                  const ExplodedNode *N) {
   const ObjCMessageExpr *ME = dyn_cast<ObjCMessageExpr>(S);
   if (!ME)
-    return 0;
+    return nullptr;
   if (const Expr *Receiver = ME->getInstanceReceiver()) {
     ProgramStateRef state = N->getState();
     SVal V = state->getSVal(Receiver, N->getLocationContext());
     if (state->isNull(V).isConstrainedTrue())
       return Receiver;
   }
-  return 0;
+  return nullptr;
 }
 
 PathDiagnosticPiece *NilReceiverBRVisitor::VisitNode(const ExplodedNode *N,
@@ -1076,12 +1076,12 @@ PathDiagnosticPiece *NilReceiverBRVisitor::VisitNode(const ExplodedNode *N,
                                                      BugReport &BR) {
   Optional<PreStmt> P = N->getLocationAs<PreStmt>();
   if (!P)
-    return 0;
+    return nullptr;
 
   const Stmt *S = P->getStmt();
   const Expr *Receiver = getNilReceiver(S, N);
   if (!Receiver)
-    return 0;
+    return nullptr;
 
   llvm::SmallString<256> Buf;
   llvm::raw_svector_ostream OS(Buf);
@@ -1181,15 +1181,15 @@ PathDiagnosticPiece *ConditionBRVisitor::VisitNodeImpl(const ExplodedNode *N,
   // were generated by the analyzer engine proper, not checkers.
   if (CurrentState->getGDM().getRoot() ==
       PrevState->getGDM().getRoot())
-    return 0;
-  
+    return nullptr;
+
   // If an assumption was made on a branch, it should be caught
   // here by looking at the state transition.
   if (Optional<BlockEdge> BE = progPoint.getAs<BlockEdge>()) {
     const CFGBlock *srcBlk = BE->getSrc();    
     if (const Stmt *term = srcBlk->getTerminator())
       return VisitTerminator(term, N, srcBlk, BE->getDst(), BR, BRC);
-    return 0;
+    return nullptr;
   }
   
   if (Optional<PostStmt> PS = progPoint.getAs<PostStmt>()) {
@@ -1206,11 +1206,11 @@ PathDiagnosticPiece *ConditionBRVisitor::VisitNodeImpl(const ExplodedNode *N,
     if (tag == tags.second)
       return VisitTrueTest(cast<Expr>(PS->getStmt()), false,
                            BRC, BR, N);
-                           
-    return 0;
+
+    return nullptr;
   }
-    
-  return 0;
+
+  return nullptr;
 }
 
 PathDiagnosticPiece *
@@ -1220,11 +1220,11 @@ ConditionBRVisitor::VisitTerminator(const Stmt *Term,
                                     const CFGBlock *dstBlk,
                                     BugReport &R,
                                     BugReporterContext &BRC) {
-  const Expr *Cond = 0;
-  
+  const Expr *Cond = nullptr;
+
   switch (Term->getStmtClass()) {
   default:
-    return 0;
+    return nullptr;
   case Stmt::IfStmtClass:
     Cond = cast<IfStmt>(Term)->getCond();
     break;
@@ -1252,7 +1252,7 @@ ConditionBRVisitor::VisitTrueTest(const Expr *Cond,
     Ex = Ex->IgnoreParenCasts();
     switch (Ex->getStmtClass()) {
       default:
-        return 0;
+        return nullptr;
       case Stmt::BinaryOperatorClass:
         return VisitTrueTest(Cond, cast<BinaryOperator>(Ex), tookTrue, BRC,
                              R, N);
@@ -1266,7 +1266,7 @@ ConditionBRVisitor::VisitTrueTest(const Expr *Cond,
           Ex = UO->getSubExpr();
           continue;
         }
-        return 0;
+        return nullptr;
       }
     }
   }
@@ -1361,8 +1361,8 @@ ConditionBRVisitor::VisitTrueTest(const Expr *Cond,
   // both the LHS and RHS.
   if (LhsString.empty() || RhsString.empty() ||
       !BinaryOperator::isComparisonOp(Op))
-    return 0;
-  
+    return nullptr;
+
   // Should we invert the strings if the LHS is not a variable name?
   SmallString<256> buf;
   llvm::raw_svector_ostream Out(buf);
@@ -1387,7 +1387,7 @@ ConditionBRVisitor::VisitTrueTest(const Expr *Cond,
       case BO_LE: Op = BO_GT; break;
       case BO_GE: Op = BO_LT; break;
       default:
-        return 0;
+        return nullptr;
     }
   
   switch (Op) {
@@ -1437,7 +1437,7 @@ ConditionBRVisitor::VisitConditionVariable(StringRef LhsString,
   else if (Ty->isIntegralOrEnumerationType())
     Out << (tookTrue ? "non-zero" : "zero");
   else
-    return 0;
+    return nullptr;
 
   const LocationContext *LCtx = N->getLocationContext();
   PathDiagnosticLocation Loc(CondVarExpr, BRC.getSourceManager(), LCtx);
@@ -1467,8 +1467,8 @@ ConditionBRVisitor::VisitTrueTest(const Expr *Cond,
 
   const VarDecl *VD = dyn_cast<VarDecl>(DR->getDecl());
   if (!VD)
-    return 0;
-  
+    return nullptr;
+
   SmallString<256> Buf;
   llvm::raw_svector_ostream Out(Buf);
     
@@ -1483,8 +1483,8 @@ ConditionBRVisitor::VisitTrueTest(const Expr *Cond,
   else if (VDTy->isScalarType())
     Out << (tookTrue ? "not equal to 0" : "0");
   else
-    return 0;
-  
+    return nullptr;
+
   const LocationContext *LCtx = N->getLocationContext();
   PathDiagnosticLocation Loc(Cond, BRC.getSourceManager(), LCtx);
   PathDiagnosticEventPiece *event =
@@ -1534,8 +1534,8 @@ LikelyFalsePositiveSuppressionBRVisitor::getEndPath(BugReporterContext &BRC,
     // Note that this will not help for any other data structure libraries, like
     // TR1, Boost, or llvm/ADT.
     if (Options.shouldSuppressFromCXXStandardLibrary()) {
-      BR.markInvalid(getTag(), 0);
-      return 0;
+      BR.markInvalid(getTag(), nullptr);
+      return nullptr;
 
     } else {
       // If the the complete 'std' suppression is not enabled, suppress reports
@@ -1547,8 +1547,8 @@ LikelyFalsePositiveSuppressionBRVisitor::getEndPath(BugReporterContext &BRC,
       if (const CXXMethodDecl *MD = dyn_cast<CXXMethodDecl>(D)) {
         const CXXRecordDecl *CD = MD->getParent();
         if (CD->getName() == "list") {
-          BR.markInvalid(getTag(), 0);
-          return 0;
+          BR.markInvalid(getTag(), nullptr);
+          return nullptr;
         }
       }
 
@@ -1566,8 +1566,8 @@ LikelyFalsePositiveSuppressionBRVisitor::getEndPath(BugReporterContext &BRC,
 
         const CXXRecordDecl *CD = MD->getParent();
         if (CD->getName() == "basic_string") {
-          BR.markInvalid(getTag(), 0);
-          return 0;
+          BR.markInvalid(getTag(), nullptr);
+          return nullptr;
         }
       }
     }
@@ -1580,12 +1580,12 @@ LikelyFalsePositiveSuppressionBRVisitor::getEndPath(BugReporterContext &BRC,
   while (Loc.isMacroID()) {
     Loc = Loc.getSpellingLoc();
     if (SM.getFilename(Loc).endswith("sys/queue.h")) {
-      BR.markInvalid(getTag(), 0);
-      return 0;
+      BR.markInvalid(getTag(), nullptr);
+      return nullptr;
     }
   }
 
-  return 0;
+  return nullptr;
 }
 
 PathDiagnosticPiece *
@@ -1600,7 +1600,7 @@ UndefOrNullArgVisitor::VisitNode(const ExplodedNode *N,
   // We are only interested in visiting CallEnter nodes.
   Optional<CallEnter> CEnter = ProgLoc.getAs<CallEnter>();
   if (!CEnter)
-    return 0;
+    return nullptr;
 
   // Check if one of the arguments is the region the visitor is tracking.
   CallEventManager &CEMgr = BRC.getStateManager().getCallEventManager();
@@ -1636,8 +1636,8 @@ UndefOrNullArgVisitor::VisitNode(const ExplodedNode *N,
     SVal BoundVal = State->getSVal(R);
     if (BoundVal.isUndef() || BoundVal.isZeroConstant()) {
       BR.markInteresting(CEnter->getCalleeContext());
-      return 0;
+      return nullptr;
     }
   }
-  return 0;
+  return nullptr;
 }

lib/StaticAnalyzer/Core/CallEvent.cpp

@@ -172,7 +172,7 @@ ProgramStateRef CallEvent::invalidateRegions(unsigned BlockCount,
   return Result->invalidateRegions(ValuesToInvalidate, getOriginExpr(),
                                    BlockCount, getLocationContext(),
                                    /*CausedByPointerEscape*/ true,
-                                   /*Symbols=*/0, this, &ETraits);
+                                   /*Symbols=*/nullptr, this, &ETraits);
 }
 
 ProgramPoint CallEvent::getProgramPoint(bool IsPreVisit,
@@ -218,7 +218,7 @@ LLVM_DUMP_METHOD void CallEvent::dump() const { dump(llvm::errs()); }
 void CallEvent::dump(raw_ostream &Out) const {
   ASTContext &Ctx = getState()->getStateManager().getContext();
   if (const Expr *E = getOriginExpr()) {
-    E->printPretty(Out, 0, Ctx.getPrintingPolicy());
+    E->printPretty(Out, nullptr, Ctx.getPrintingPolicy());
     Out << "\n";
     return;
   }
@@ -476,7 +476,7 @@ RuntimeDefinition CXXInstanceCall::getRuntimeDefinition() const {
   // that ExprEngine can decide what to do with it.
   if (DynType.canBeASubClass())
     return RuntimeDefinition(Definition, R->StripCasts());
-  return RuntimeDefinition(Definition, /*DispatchRegion=*/0);
+  return RuntimeDefinition(Definition, /*DispatchRegion=*/nullptr);
 }
 
 void CXXInstanceCall::getInitialStackFrameContents(
@@ -545,7 +545,7 @@ const BlockDataRegion *BlockCall::getBlockRegion() const {
 ArrayRef<ParmVarDecl*> BlockCall::parameters() const {
   const BlockDecl *D = getDecl();
   if (!D)
-    return 0;
+    return nullptr;
   return D->parameters();
 }
 
@@ -667,13 +667,13 @@ SourceRange ObjCMethodCall::getSourceRange() const {
 typedef llvm::PointerIntPair<const PseudoObjectExpr *, 2> ObjCMessageDataTy;
 
 const PseudoObjectExpr *ObjCMethodCall::getContainingPseudoObjectExpr() const {
-  assert(Data != 0 && "Lazy lookup not yet performed.");
+  assert(Data && "Lazy lookup not yet performed.");
   assert(getMessageKind() != OCM_Message && "Explicit message send.");
   return ObjCMessageDataTy::getFromOpaqueValue(Data).getPointer();
 }
 
 ObjCMessageKind ObjCMethodCall::getMessageKind() const {
-  if (Data == 0) {
+  if (!Data) {
 
     // Find the parent, ignoring implicit casts.
     ParentMap &PM = getLocationContext()->getParentMap();
@@ -711,7 +711,7 @@ ObjCMessageKind ObjCMethodCall::getMessageKind() const {
     }
     
     const_cast<ObjCMethodCall *>(this)->Data
-      = ObjCMessageDataTy(0, 1).getOpaqueValue();
+      = ObjCMessageDataTy(nullptr, 1).getOpaqueValue();
     assert(getMessageKind() == OCM_Message);
     return OCM_Message;
   }
@@ -747,7 +747,7 @@ bool ObjCMethodCall::canBeOverridenInSubclass(ObjCInterfaceDecl *IDecl,
 
   // Find the first declaration in the class hierarchy that declares
   // the selector.
-  ObjCMethodDecl *D = 0;
+  ObjCMethodDecl *D = nullptr;
   while (true) {
     D = IDecl->lookupMethod(Sel, true);
 
@@ -786,10 +786,10 @@ RuntimeDefinition ObjCMethodCall::getRuntimeDefinition() const {
   if (E->isInstanceMessage()) {
 
     // Find the the receiver type.
-    const ObjCObjectPointerType *ReceiverT = 0;
+    const ObjCObjectPointerType *ReceiverT = nullptr;
     bool CanBeSubClassed = false;
     QualType SupersType = E->getSuperType();
-    const MemRegion *Receiver = 0;
+    const MemRegion *Receiver = nullptr;
 
     if (!SupersType.isNull()) {
       // Super always means the type of immediate predecessor to the method
@@ -853,7 +853,7 @@ RuntimeDefinition ObjCMethodCall::getRuntimeDefinition() const {
         if (CanBeSubClassed)
           return RuntimeDefinition(MD, Receiver);
         else
-          return RuntimeDefinition(MD, 0);
+          return RuntimeDefinition(MD, nullptr);
       }
 
   } else {

lib/StaticAnalyzer/Core/CheckerManager.cpp

@@ -58,7 +58,7 @@ void CheckerManager::runCheckersOnASTDecl(const Decl *D, AnalysisManager& mgr,
   assert(D);
 
   unsigned DeclKind = D->getKind();
-  CachedDeclCheckers *checkers = 0;
+  CachedDeclCheckers *checkers = nullptr;
   CachedDeclCheckersMapTy::iterator CCI = CachedDeclCheckersMap.find(DeclKind);
   if (CCI != CachedDeclCheckersMap.end()) {
     checkers = &(CCI->second);
@@ -109,7 +109,7 @@ static void expandGraphWithCheckers(CHECK_CTX checkCtx,
   const ExplodedNodeSet *PrevSet = &Src;
 
   for (; I != E; ++I) {
-    ExplodedNodeSet *CurrSet = 0;
+    ExplodedNodeSet *CurrSet = nullptr;
     if (I+1 == E)
       CurrSet = &Dst;
     else {
@@ -477,7 +477,7 @@ CheckerManager::runCheckersForRegionChanges(ProgramStateRef state,
     // If any checker declares the state infeasible (or if it starts that way),
     // bail out.
     if (!state)
-      return NULL;
+      return nullptr;
     state = RegionChangesCheckers[i].CheckFn(state, invalidated, 
                                              ExplicitRegions, Regions, Call);
   }
@@ -491,7 +491,7 @@ CheckerManager::runCheckersForPointerEscape(ProgramStateRef State,
                                    const CallEvent *Call,
                                    PointerEscapeKind Kind,
                                    RegionAndSymbolInvalidationTraits *ETraits) {
-  assert((Call != NULL ||
+  assert((Call != nullptr ||
           (Kind != PSK_DirectEscapeOnCall &&
            Kind != PSK_IndirectEscapeOnCall)) &&
          "Call must not be NULL when escaping on call");
@@ -499,7 +499,7 @@ CheckerManager::runCheckersForPointerEscape(ProgramStateRef State,
       // If any checker declares the state infeasible (or if it starts that
       //  way), bail out.
       if (!State)
-        return NULL;
+        return nullptr;
       State = PointerEscapeCheckers[i](State, Escaped, Call, Kind, ETraits);
     }
   return State;
@@ -513,7 +513,7 @@ CheckerManager::runCheckersForEvalAssume(ProgramStateRef state,
     // If any checker declares the state infeasible (or if it starts that way),
     // bail out.
     if (!state)
-      return NULL;
+      return nullptr;
     state = EvalAssumeCheckers[i](state, Cond, Assumption);
   }
   return state;

lib/StaticAnalyzer/Core/CheckerRegistry.cpp

@@ -45,7 +45,7 @@ static void collectCheckers(const CheckerRegistry::CheckerInfoList &checkers,
                             const llvm::StringMap<size_t> &packageSizes,
                             CheckerOptInfo &opt, CheckerInfoSet &collected) {
   // Use a binary search to find the possible start of the package.
-  CheckerRegistry::CheckerInfo packageInfo(NULL, opt.getName(), "");
+  CheckerRegistry::CheckerInfo packageInfo(nullptr, opt.getName(), "");
   CheckerRegistry::CheckerInfoList::const_iterator e = checkers.end();
   CheckerRegistry::CheckerInfoList::const_iterator i =
     std::lower_bound(checkers.begin(), e, packageInfo, checkerNameLT);

lib/StaticAnalyzer/Core/CoreEngine.cpp

@@ -192,9 +192,9 @@ bool CoreEngine::ExecuteWorkList(const LocationContext *L, unsigned Steps,
 
     if (!InitState)
       // Generate the root.
-      generateNode(StartLoc, SubEng.getInitialState(L), 0);
+      generateNode(StartLoc, SubEng.getInitialState(L), nullptr);
     else
-      generateNode(StartLoc, InitState, 0);
+      generateNode(StartLoc, InitState, nullptr);
   }
 
   // Check if we have a steps limit
@@ -567,7 +567,7 @@ ExplodedNode *CoreEngine::generateCallExitBeginNode(ExplodedNode *N) {
   bool isNew;
   ExplodedNode *Node = G->getNode(Loc, N->getState(), false, &isNew);
   Node->addPredecessor(N, *G);
-  return isNew ? Node : 0;
+  return isNew ? Node : nullptr;
 }
 
 
@@ -616,7 +616,7 @@ ExplodedNode* NodeBuilder::generateNodeImpl(const ProgramPoint &Loc,
   Frontier.erase(FromN);
 
   if (!IsNew)
-    return 0;
+    return nullptr;
 
   if (!MarkAsSink)
     Frontier.Add(N);
@@ -640,7 +640,7 @@ ExplodedNode *BranchNodeBuilder::generateNode(ProgramStateRef State,
                                               ExplodedNode *NodePred) {
   // If the branch has been marked infeasible we should not generate a node.
   if (!isFeasible(branch))
-    return NULL;
+    return nullptr;
 
   ProgramPoint Loc = BlockEdge(C.Block, branch ? DstT:DstF,
                                NodePred->getLocationContext());
@@ -659,7 +659,7 @@ IndirectGotoNodeBuilder::generateNode(const iterator &I,
   Succ->addPredecessor(Pred, *Eng.G);
 
   if (!IsNew)
-    return 0;
+    return nullptr;
 
   if (!IsSink)
     Eng.WList->enqueue(Succ);
@@ -678,7 +678,7 @@ SwitchNodeBuilder::generateCaseStmtNode(const iterator &I,
                                       false, &IsNew);
   Succ->addPredecessor(Pred, *Eng.G);
   if (!IsNew)
-    return 0;
+    return nullptr;
 
   Eng.WList->enqueue(Succ);
   return Succ;
@@ -695,8 +695,8 @@ SwitchNodeBuilder::generateDefaultCaseNode(ProgramStateRef St,
   // Sanity check for default blocks that are unreachable and not caught
   // by earlier stages.
   if (!DefaultBlock)
-    return NULL;
-  
+    return nullptr;
+
   bool IsNew;
   ExplodedNode *Succ = Eng.G->getNode(BlockEdge(Src, DefaultBlock,
                                       Pred->getLocationContext()), St,
@@ -704,7 +704,7 @@ SwitchNodeBuilder::generateDefaultCaseNode(ProgramStateRef St,
   Succ->addPredecessor(Pred, *Eng.G);
 
   if (!IsNew)
-    return 0;
+    return nullptr;
 
   if (!IsSink)
     Eng.WList->enqueue(Succ);

lib/StaticAnalyzer/Core/Environment.cpp

@@ -54,7 +54,8 @@ static const Stmt *ignoreTransparentExprs(const Stmt *S) {
 EnvironmentEntry::EnvironmentEntry(const Stmt *S, const LocationContext *L)
   : std::pair<const Stmt *,
               const StackFrameContext *>(ignoreTransparentExprs(S),
-                                         L ? L->getCurrentStackFrame() : 0) {}
+                                         L ? L->getCurrentStackFrame()
+                                           : nullptr) {}
 
 SVal Environment::lookupExpr(const EnvironmentEntry &E) const {
   const SVal* X = ExprBindings.lookup(E);
@@ -208,7 +209,7 @@ void Environment::print(raw_ostream &Out, const char *NL,
     Out << " (" << (const void*) En.getLocationContext() << ','
       << (const void*) S << ") ";
     LangOptions LO; // FIXME.
-    S->printPretty(Out, 0, PrintingPolicy(LO));
+    S->printPretty(Out, nullptr, PrintingPolicy(LO));
     Out << " : " << I.getData();
   }
 }

lib/StaticAnalyzer/Core/ExplodedGraph.cpp

@@ -34,7 +34,7 @@ using namespace ento;
 ExplodedNode::Auditor::~Auditor() {}
 
 #ifndef NDEBUG
-static ExplodedNode::Auditor* NodeAuditor = 0;
+static ExplodedNode::Auditor* NodeAuditor = nullptr;
 #endif
 
 void ExplodedNode::SetAuditor(ExplodedNode::Auditor* A) {
@@ -276,11 +276,11 @@ unsigned ExplodedNode::NodeGroup::size() const {
 
 ExplodedNode * const *ExplodedNode::NodeGroup::begin() const {
   if (getFlag())
-    return 0;
+    return nullptr;
 
   const GroupStorage &Storage = reinterpret_cast<const GroupStorage &>(P);
   if (Storage.isNull())
-    return 0;
+    return nullptr;
   if (ExplodedNodeVector *V = Storage.dyn_cast<ExplodedNodeVector *>())
     return V->begin();
   return Storage.getAddrOfPtr1();
@@ -288,11 +288,11 @@ ExplodedNode * const *ExplodedNode::NodeGroup::begin() const {
 
 ExplodedNode * const *ExplodedNode::NodeGroup::end() const {
   if (getFlag())
-    return 0;
+    return nullptr;
 
   const GroupStorage &Storage = reinterpret_cast<const GroupStorage &>(P);
   if (Storage.isNull())
-    return 0;
+    return nullptr;
   if (ExplodedNodeVector *V = Storage.dyn_cast<ExplodedNodeVector *>())
     return V->end();
   return Storage.getAddrOfPtr1() + 1;
@@ -304,7 +304,7 @@ ExplodedNode *ExplodedGraph::getNode(const ProgramPoint &L,
                                      bool* IsNew) {
   // Profile 'State' to determine if we already have an existing node.
   llvm::FoldingSetNodeID profile;
-  void *InsertPos = 0;
+  void *InsertPos = nullptr;
 
   NodeTy::Profile(profile, L, State, IsSink);
   NodeTy* V = Nodes.FindNodeOrInsertPos(profile, InsertPos);
@@ -342,7 +342,7 @@ ExplodedGraph::trim(ArrayRef<const NodeTy *> Sinks,
                     InterExplodedGraphMap *InverseMap) const{
 
   if (Nodes.empty())
-    return 0;
+    return nullptr;
 
   typedef llvm::DenseSet<const ExplodedNode*> Pass1Ty;
   Pass1Ty Pass1;
@@ -385,7 +385,7 @@ ExplodedGraph::trim(ArrayRef<const NodeTy *> Sinks,
 
   // We didn't hit a root? Return with a null pointer for the new graph.
   if (WL2.empty())
-    return 0;
+    return nullptr;
 
   // Create an empty graph.
   ExplodedGraph* G = MakeEmptyGraph();
@@ -400,7 +400,8 @@ ExplodedGraph::trim(ArrayRef<const NodeTy *> Sinks,
 
     // Create the corresponding node in the new graph and record the mapping
     // from the old node to the new node.
-    ExplodedNode *NewN = G->getNode(N->getLocation(), N->State, N->isSink(), 0);
+    ExplodedNode *NewN = G->getNode(N->getLocation(), N->State, N->isSink(),
+                                    nullptr);
     Pass2[N] = NewN;
 
     // Also record the reverse mapping from the new node to the old node.

lib/StaticAnalyzer/Core/ExprEngine.cpp

@@ -70,7 +70,7 @@ ExprEngine::ExprEngine(AnalysisManager &mgr, bool gcEnabled,
              this),
     SymMgr(StateMgr.getSymbolManager()),
     svalBuilder(StateMgr.getSValBuilder()),
-    currStmtIdx(0), currBldrCtx(0),
+    currStmtIdx(0), currBldrCtx(nullptr),
     ObjCNoRet(mgr.getASTContext()),
     ObjCGCEnabled(gcEnabled), BR(mgr, *this),
     VisitedCallees(VisitedCalleesIn),
@@ -155,7 +155,7 @@ ProgramStateRef ExprEngine::getInitialState(const LocationContext *InitLoc) {
       // top-level function.  This is our starting assumption for
       // analyzing an "open" program.
       const StackFrameContext *SFC = InitLoc->getCurrentStackFrame();
-      if (SFC->getParent() == 0) {
+      if (SFC->getParent() == nullptr) {
         loc::MemRegionVal L = svalBuilder.getCXXThis(MD, SFC);
         SVal V = state->getSVal(L);
         if (Optional<Loc> LV = V.getAs<Loc>()) {
@@ -211,7 +211,7 @@ ExprEngine::createTemporaryRegionIfNeeded(ProgramStateRef State,
 
   // Create a temporary object region for the inner expression (which may have
   // a more derived type) and bind the value into it.
-  const TypedValueRegion *TR = NULL;
+  const TypedValueRegion *TR = nullptr;
   if (const MaterializeTemporaryExpr *MT =
           dyn_cast<MaterializeTemporaryExpr>(Result)) {
     StorageDuration SD = MT->getStorageDuration();
@@ -335,7 +335,7 @@ void ExprEngine::removeDead(ExplodedNode *Pred, ExplodedNodeSet &Out,
                             const Stmt *DiagnosticStmt,
                             ProgramPoint::Kind K) {
   assert((K == ProgramPoint::PreStmtPurgeDeadSymbolsKind ||
-          ReferenceStmt == 0 || isa<ReturnStmt>(ReferenceStmt))
+          ReferenceStmt == nullptr || isa<ReturnStmt>(ReferenceStmt))
           && "PostStmt is not generally supported by the SymbolReaper yet");
   assert(LC && "Must pass the current (or expiring) LocationContext");
 
@@ -356,7 +356,7 @@ void ExprEngine::removeDead(ExplodedNode *Pred, ExplodedNodeSet &Out,
     LC = LC->getParent();
   }
 
-  const StackFrameContext *SFC = LC ? LC->getCurrentStackFrame() : 0;
+  const StackFrameContext *SFC = LC ? LC->getCurrentStackFrame() : nullptr;
   SymbolReaper SymReaper(SFC, ReferenceStmt, SymMgr, getStoreManager());
 
   getCheckerManager().runCheckersForLiveSymbols(CleanedState, SymReaper);
@@ -664,7 +664,7 @@ void ExprEngine::ProcessTemporaryDtor(const CFGTemporaryDtor D,
 
   // FIXME: Inlining of temporary destructors is not supported yet anyway, so we
   // just put a NULL region for now. This will need to be changed later.
-  VisitCXXDestructor(varType, NULL, D.getBindTemporaryExpr(),
+  VisitCXXDestructor(varType, nullptr, D.getBindTemporaryExpr(),
                      /*IsBase=*/ false, Pred, Dst);
 }
 
@@ -871,7 +871,8 @@ void ExprEngine::Visit(const Stmt *S, ExplodedNode *Pred,
            it != et; ++it) {      
         ExplodedNode *N = *it;
         const LocationContext *LCtx = N->getLocationContext();
-        SVal result = svalBuilder.conjureSymbolVal(0, Ex, LCtx, resultType,
+        SVal result = svalBuilder.conjureSymbolVal(nullptr, Ex, LCtx,
+                                                   resultType,
                                                    currBldrCtx->blockCount());
         ProgramStateRef state = N->getState()->BindExpr(Ex, LCtx, result);
         Bldr2.generateNode(S, N, state);
@@ -951,7 +952,7 @@ void ExprEngine::Visit(const Stmt *S, ExplodedNode *Pred,
           ProgramStateRef NewState =
             createTemporaryRegionIfNeeded(State, LCtx, OCE->getArg(0));
           if (NewState != State) {
-            Pred = Bldr.generateNode(OCE, Pred, NewState, /*Tag=*/0,
+            Pred = Bldr.generateNode(OCE, Pred, NewState, /*Tag=*/nullptr,
                                      ProgramPoint::PreStmtKind);
             // Did we cache out?
             if (!Pred)
@@ -1210,14 +1211,14 @@ bool ExprEngine::replayWithoutInlining(ExplodedNode *N,
   const StackFrameContext *CalleeSF = CalleeLC->getCurrentStackFrame();
   const StackFrameContext *CallerSF = CalleeSF->getParent()->getCurrentStackFrame();
   assert(CalleeSF && CallerSF);
-  ExplodedNode *BeforeProcessingCall = 0;
+  ExplodedNode *BeforeProcessingCall = nullptr;
   const Stmt *CE = CalleeSF->getCallSite();
 
   // Find the first node before we started processing the call expression.
   while (N) {
     ProgramPoint L = N->getLocation();
     BeforeProcessingCall = N;
-    N = N->pred_empty() ? NULL : *(N->pred_begin());
+    N = N->pred_empty() ? nullptr : *(N->pred_begin());
 
     // Skip the nodes corresponding to the inlined code.
     if (L.getLocationContext()->getCurrentStackFrame() != CallerSF)
@@ -1508,7 +1509,7 @@ void ExprEngine::processBranch(const Stmt *Condition, const Stmt *Term,
         builder.markInfeasible(false);
     }
   }
-  currBldrCtx = 0;
+  currBldrCtx = nullptr;
 }
 
 /// The GDM component containing the set of global variables which have been
@@ -1537,7 +1538,7 @@ void ExprEngine::processStaticInitializer(const DeclStmt *DS,
   builder.generateNode(state, initHasRun, Pred);
   builder.markInfeasible(!initHasRun);
 
-  currBldrCtx = 0;
+  currBldrCtx = nullptr;
 }
 
 /// processIndirectGoto - Called by CoreEngine.  Used to generate successor
@@ -1678,7 +1679,7 @@ void ExprEngine::processSwitch(SwitchNodeBuilder& builder) {
         }
         else {
           defaultIsFeasible = false;
-          DefaultSt = NULL;
+          DefaultSt = nullptr;
         }
       }
 
@@ -1739,7 +1740,7 @@ void ExprEngine::VisitCommonDeclRefExpr(const Expr *Ex, const NamedDecl *D,
         V = UnknownVal();
     }
 
-    Bldr.generateNode(Ex, Pred, state->BindExpr(Ex, LCtx, V), 0,
+    Bldr.generateNode(Ex, Pred, state->BindExpr(Ex, LCtx, V), nullptr,
                       ProgramPoint::PostLValueKind);
     return;
   }
@@ -1751,7 +1752,7 @@ void ExprEngine::VisitCommonDeclRefExpr(const Expr *Ex, const NamedDecl *D,
   }
   if (const FunctionDecl *FD = dyn_cast<FunctionDecl>(D)) {
     SVal V = svalBuilder.getFunctionPointer(FD);
-    Bldr.generateNode(Ex, Pred, state->BindExpr(Ex, LCtx, V), 0,
+    Bldr.generateNode(Ex, Pred, state->BindExpr(Ex, LCtx, V), nullptr,
                       ProgramPoint::PostLValueKind);
     return;
   }
@@ -1762,7 +1763,7 @@ void ExprEngine::VisitCommonDeclRefExpr(const Expr *Ex, const NamedDecl *D,
     SVal V = svalBuilder.conjureSymbolVal(Ex, LCtx, getContext().VoidPtrTy,
                                           currBldrCtx->blockCount());
     state = state->assume(V.castAs<DefinedOrUnknownSVal>(), true);
-    Bldr.generateNode(Ex, Pred, state->BindExpr(Ex, LCtx, V), 0,
+    Bldr.generateNode(Ex, Pred, state->BindExpr(Ex, LCtx, V), nullptr,
 		      ProgramPoint::PostLValueKind);
     return;
   }
@@ -1792,7 +1793,7 @@ void ExprEngine::VisitLvalArraySubscriptExpr(const ArraySubscriptExpr *A,
                               state->getSVal(Idx, LCtx),
                               state->getSVal(Base, LCtx));
     assert(A->isGLValue());
-    Bldr.generateNode(A, *it, state->BindExpr(A, LCtx, V), 0, 
+    Bldr.generateNode(A, *it, state->BindExpr(A, LCtx, V), nullptr,
                       ProgramPoint::PostLValueKind);
   }
 }
@@ -1866,7 +1867,7 @@ void ExprEngine::VisitMemberExpr(const MemberExpr *M, ExplodedNode *Pred,
             L = UnknownVal();
         }
 
-        Bldr.generateNode(M, *I, state->BindExpr(M, LCtx, L), 0,
+        Bldr.generateNode(M, *I, state->BindExpr(M, LCtx, L), nullptr,
                           ProgramPoint::PostLValueKind);
       } else {
         Bldr.takeNodes(*I);
@@ -1932,9 +1933,9 @@ ProgramStateRef ExprEngine::processPointerEscapedOnBind(ProgramStateRef State,
   const InvalidatedSymbols &EscapedSymbols = Scanner.getSymbols();
   State = getCheckerManager().runCheckersForPointerEscape(State,
                                                           EscapedSymbols,
-                                                          /*CallEvent*/ 0,
+                                                          /*CallEvent*/ nullptr,
                                                           PSK_EscapeOnBind,
-                                                          0);
+                                                          nullptr);
 
   return State;
 }
@@ -1953,7 +1954,7 @@ ExprEngine::notifyCheckersOfPointerEscape(ProgramStateRef State,
   if (!Call)
     return getCheckerManager().runCheckersForPointerEscape(State,
                                                            *Invalidated,
-                                                           0,
+                                                           nullptr,
                                                            PSK_EscapeOther,
                                                            &ITraits);
 
@@ -2010,7 +2011,8 @@ void ExprEngine::evalBind(ExplodedNodeSet &Dst, const Stmt *StoreE,
   // If the location is not a 'Loc', it will already be handled by
   // the checkers.  There is nothing left to do.
   if (!location.getAs<Loc>()) {
-    const ProgramPoint L = PostStore(StoreE, LC, /*Loc*/0, /*tag*/0);
+    const ProgramPoint L = PostStore(StoreE, LC, /*Loc*/nullptr,
+                                     /*tag*/nullptr);
     ProgramStateRef state = Pred->getState();
     state = processPointerEscapedOnBind(state, location, Val);
     Bldr.generateNode(L, state, Pred);
@@ -2031,13 +2033,13 @@ void ExprEngine::evalBind(ExplodedNodeSet &Dst, const Stmt *StoreE,
     state = state->bindLoc(location.castAs<Loc>(),
                            Val, /* notifyChanges = */ !atDeclInit);
 
-    const MemRegion *LocReg = 0;
+    const MemRegion *LocReg = nullptr;
     if (Optional<loc::MemRegionVal> LocRegVal =
             location.getAs<loc::MemRegionVal>()) {
       LocReg = LocRegVal->getRegion();
     }
-    
-    const ProgramPoint L = PostStore(StoreE, LC, LocReg, 0);
+
+    const ProgramPoint L = PostStore(StoreE, LC, LocReg, nullptr);
     Bldr.generateNode(L, state, PredI);
   }
 }
@@ -2426,11 +2428,11 @@ struct DOTGraphTraits<ExplodedNode*> :
               if (const CaseStmt *C = dyn_cast<CaseStmt>(Label)) {
                 Out << "\\lcase ";
                 LangOptions LO; // FIXME.
-                C->getLHS()->printPretty(Out, 0, PrintingPolicy(LO));
+                C->getLHS()->printPretty(Out, nullptr, PrintingPolicy(LO));
 
                 if (const Stmt *RHS = C->getRHS()) {
                   Out << " .. ";
-                  RHS->printPretty(Out, 0, PrintingPolicy(LO));
+                  RHS->printPretty(Out, nullptr, PrintingPolicy(LO));
                 }
 
                 Out << ":";
@@ -2472,7 +2474,7 @@ struct DOTGraphTraits<ExplodedNode*> :
 
         Out << S->getStmtClassName() << ' ' << (const void*) S << ' ';
         LangOptions LO; // FIXME.
-        S->printPretty(Out, 0, PrintingPolicy(LO));
+        S->printPretty(Out, nullptr, PrintingPolicy(LO));
         printLocation(Out, S->getLocStart());
 
         if (Loc.getAs<PreStmt>())
@@ -2562,8 +2564,8 @@ void ExprEngine::ViewGraph(bool trim) {
 
     llvm::ViewGraph(*G.roots_begin(), "ExprEngine");
 
-    GraphPrintCheckerState = NULL;
-    GraphPrintSourceManager = NULL;
+    GraphPrintCheckerState = nullptr;
+    GraphPrintSourceManager = nullptr;
   }
 #endif
 }
@@ -2580,7 +2582,7 @@ void ExprEngine::ViewGraph(ArrayRef<const ExplodedNode*> Nodes) {
   else
     llvm::ViewGraph(*TrimmedG->roots_begin(), "TrimmedExprEngine");
 
-  GraphPrintCheckerState = NULL;
-  GraphPrintSourceManager = NULL;
+  GraphPrintCheckerState = nullptr;
+  GraphPrintSourceManager = nullptr;
 #endif
 }

lib/StaticAnalyzer/Core/ExprEngineC.cpp

@@ -47,7 +47,8 @@ void ExprEngine::VisitBinaryOperator(const BinaryOperator* B,
       // FIXME: Handle structs.
       if (RightV.isUnknown()) {
         unsigned Count = currBldrCtx->blockCount();
-        RightV = svalBuilder.conjureSymbolVal(0, B->getRHS(), LCtx, Count);
+        RightV = svalBuilder.conjureSymbolVal(nullptr, B->getRHS(), LCtx,
+                                              Count);
       }
       // Simulate the effects of a "store":  bind the value of the RHS
       // to the L-Value represented by the LHS.
@@ -157,7 +158,7 @@ void ExprEngine::VisitBinaryOperator(const BinaryOperator* B,
         // The symbolic value is actually for the type of the left-hand side
         // expression, not the computation type, as this is the value the
         // LValue on the LHS will bind to.
-        LHSVal = svalBuilder.conjureSymbolVal(0, B->getRHS(), LCtx, LTy,
+        LHSVal = svalBuilder.conjureSymbolVal(nullptr, B->getRHS(), LCtx, LTy,
                                               currBldrCtx->blockCount());
         // However, we need to convert the symbol to the computation type.
         Result = svalBuilder.evalCast(LHSVal, CTy, LTy);
@@ -217,8 +218,8 @@ void ExprEngine::VisitBlockExpr(const BlockExpr *BE, ExplodedNode *Pred,
   StmtNodeBuilder Bldr(Pred, Tmp, *currBldrCtx);
   Bldr.generateNode(BE, Pred,
                     State->BindExpr(BE, Pred->getLocationContext(), V),
-                    0, ProgramPoint::PostLValueKind);
-  
+                    nullptr, ProgramPoint::PostLValueKind);
+
   // FIXME: Move all post/pre visits to ::Visit().
   getCheckerManager().runCheckersForPostStmt(Dst, Tmp, BE, *this);
 }
@@ -367,7 +368,7 @@ void ExprEngine::VisitCast(const CastExpr *CastE, const Expr *Ex,
           // If we don't know if the cast succeeded, conjure a new symbol.
           if (val.isUnknown()) {
             DefinedOrUnknownSVal NewSym =
-              svalBuilder.conjureSymbolVal(0, CastE, LCtx, resultType,
+              svalBuilder.conjureSymbolVal(nullptr, CastE, LCtx, resultType,
                                            currBldrCtx->blockCount());
             state = state->BindExpr(CastE, LCtx, NewSym);
           } else 
@@ -395,7 +396,7 @@ void ExprEngine::VisitCast(const CastExpr *CastE, const Expr *Ex,
         QualType resultType = CastE->getType();
         if (CastE->isGLValue())
           resultType = getContext().getPointerType(resultType);
-        SVal result = svalBuilder.conjureSymbolVal(0, CastE, LCtx,
+        SVal result = svalBuilder.conjureSymbolVal(nullptr, CastE, LCtx,
                                                    resultType,
                                                    currBldrCtx->blockCount());
         state = state->BindExpr(CastE, LCtx, result);
@@ -493,7 +494,7 @@ void ExprEngine::VisitDeclStmt(const DeclStmt *DS, ExplodedNode *Pred,
             Ty = getContext().getPointerType(Ty);
           }
 
-          InitVal = svalBuilder.conjureSymbolVal(0, InitEx, LC, Ty,
+          InitVal = svalBuilder.conjureSymbolVal(nullptr, InitEx, LC, Ty,
                                                  currBldrCtx->blockCount());
         }
 
@@ -640,7 +641,7 @@ void ExprEngine::VisitGuardedExpr(const Expr *Ex,
   StmtNodeBuilder B(Pred, Dst, *currBldrCtx);
   ProgramStateRef state = Pred->getState();
   const LocationContext *LCtx = Pred->getLocationContext();
-  const CFGBlock *SrcBlock = 0;
+  const CFGBlock *SrcBlock = nullptr;
 
   // Find the predecessor block.
   ProgramStateRef SrcState = state;
@@ -685,7 +686,8 @@ void ExprEngine::VisitGuardedExpr(const Expr *Ex,
   }
 
   if (!hasValue)
-    V = svalBuilder.conjureSymbolVal(0, Ex, LCtx, currBldrCtx->blockCount());
+    V = svalBuilder.conjureSymbolVal(nullptr, Ex, LCtx,
+                                     currBldrCtx->blockCount());
 
   // Generate a new node with the binding from the appropriate path.
   B.generateNode(Ex, Pred, state->BindExpr(Ex, LCtx, V, true));
@@ -935,7 +937,8 @@ void ExprEngine::VisitIncrementDecrementOperator(const UnaryOperator* U,
     // Conjure a new symbol if necessary to recover precision.
     if (Result.isUnknown()){
       DefinedOrUnknownSVal SymVal =
-        svalBuilder.conjureSymbolVal(0, Ex, LCtx, currBldrCtx->blockCount());
+        svalBuilder.conjureSymbolVal(nullptr, Ex, LCtx,
+                                     currBldrCtx->blockCount());
       Result = SymVal;
       
       // If the value is a location, ++/-- should always preserve

lib/StaticAnalyzer/Core/ExprEngineCXX.cpp

@@ -180,7 +180,7 @@ void ExprEngine::VisitCXXConstructExpr(const CXXConstructExpr *CE,
   const LocationContext *LCtx = Pred->getLocationContext();
   ProgramStateRef State = Pred->getState();
 
-  const MemRegion *Target = 0;
+  const MemRegion *Target = nullptr;
 
   // FIXME: Handle arrays, which run the same constructor for every element.
   // For now, we just run the first constructor (which should still invalidate
@@ -262,7 +262,8 @@ void ExprEngine::VisitCXXConstructExpr(const CXXConstructExpr *CE,
         // since it's then possible to be initializing one part of a multi-
         // dimensional array.
         State = State->bindDefault(loc::MemRegionVal(Target), ZeroVal);
-        Bldr.generateNode(CE, *I, State, /*tag=*/0, ProgramPoint::PreStmtKind);
+        Bldr.generateNode(CE, *I, State, /*tag=*/nullptr,
+                          ProgramPoint::PreStmtKind);
       }
     }
   }
@@ -397,7 +398,7 @@ void ExprEngine::VisitCXXNewExpr(const CXXNewExpr *CNE, ExplodedNode *Pred,
   if (IsStandardGlobalOpNewFunction)
     symVal = svalBuilder.getConjuredHeapSymbolVal(CNE, LCtx, blockCount);
   else
-    symVal = svalBuilder.conjureSymbolVal(0, CNE, LCtx, CNE->getType(), 
+    symVal = svalBuilder.conjureSymbolVal(nullptr, CNE, LCtx, CNE->getType(),
                                           blockCount);
 
   ProgramStateRef State = Pred->getState();

lib/StaticAnalyzer/Core/ExprEngineCallAndReturn.cpp

@@ -69,8 +69,8 @@ void ExprEngine::processCallEnter(CallEnter CE, ExplodedNode *Pred) {
 // corresponding Block.
 static std::pair<const Stmt*,
                  const CFGBlock*> getLastStmt(const ExplodedNode *Node) {
-  const Stmt *S = 0;
-  const CFGBlock *Blk = 0;
+  const Stmt *S = nullptr;
+  const CFGBlock *Blk = nullptr;
   const StackFrameContext *SF =
           Node->getLocation().getLocationContext()->getCurrentStackFrame();
 
@@ -108,12 +108,12 @@ static std::pair<const Stmt*,
     }
 
     if (Node->pred_empty())
-      return std::pair<const Stmt*, const CFGBlock*>((Stmt*)0, (CFGBlock*)0);
+      return std::make_pair(nullptr, nullptr);
 
     Node = *Node->pred_begin();
   }
 
-  return std::pair<const Stmt*, const CFGBlock*>(S, Blk);
+  return std::make_pair(S, Blk);
 }
 
 /// Adjusts a return value when the called function's return type does not
@@ -160,8 +160,8 @@ void ExprEngine::removeDeadOnEndOfFunction(NodeBuilderContext& BC,
                                            ExplodedNode *Pred,
                                            ExplodedNodeSet &Dst) {
   // Find the last statement in the function and the corresponding basic block.
-  const Stmt *LastSt = 0;
-  const CFGBlock *Blk = 0;
+  const Stmt *LastSt = nullptr;
+  const CFGBlock *Blk = nullptr;
   std::tie(LastSt, Blk) = getLastStmt(Pred);
   if (!Blk || !LastSt) {
     Dst.Add(Pred);
@@ -229,8 +229,8 @@ void ExprEngine::processCallExit(ExplodedNode *CEBNode) {
   const Stmt *CE = calleeCtx->getCallSite();
   ProgramStateRef state = CEBNode->getState();
   // Find the last statement in the function and the corresponding basic block.
-  const Stmt *LastSt = 0;
-  const CFGBlock *Blk = 0;
+  const Stmt *LastSt = nullptr;
+  const CFGBlock *Blk = nullptr;
   std::tie(LastSt, Blk) = getLastStmt(CEBNode);
 
   // Generate a CallEvent /before/ cleaning the state, so that we can get the
@@ -296,10 +296,10 @@ void ExprEngine::processCallExit(ExplodedNode *CEBNode) {
     // context, telling it to clean up everything in the callee's context
     // (and its children). We use the callee's function body as a diagnostic
     // statement, with which the program point will be associated.
-    removeDead(BindedRetNode, CleanedNodes, 0, calleeCtx,
+    removeDead(BindedRetNode, CleanedNodes, nullptr, calleeCtx,
                calleeCtx->getAnalysisDeclContext()->getBody(),
                ProgramPoint::PostStmtPurgeDeadSymbolsKind);
-    currBldrCtx = 0;
+    currBldrCtx = nullptr;
   } else {
     CleanedNodes.Add(CEBNode);
   }
@@ -471,7 +471,7 @@ static ProgramStateRef getInlineFailedState(ProgramStateRef State,
                                             const Stmt *CallE) {
   const void *ReplayState = State->get<ReplayWithoutInlining>();
   if (!ReplayState)
-    return 0;
+    return nullptr;
 
   assert(ReplayState == CallE && "Backtracked to the wrong call.");
   (void)CallE;
@@ -565,7 +565,7 @@ ProgramStateRef ExprEngine::bindReturnValue(const CallEvent &Call,
   QualType ResultTy = Call.getResultType();
   SValBuilder &SVB = getSValBuilder();
   unsigned Count = currBldrCtx->blockCount();
-  SVal R = SVB.conjureSymbolVal(0, E, LCtx, ResultTy, Count);
+  SVal R = SVB.conjureSymbolVal(nullptr, E, LCtx, ResultTy, Count);
   return State->BindExpr(E, LCtx, R);
 }
 

lib/StaticAnalyzer/Core/ExprEngineObjC.cpp

@@ -77,7 +77,7 @@ void ExprEngine::VisitObjCForCollectionStmt(const ObjCForCollectionStmt *S,
   
   if (const DeclStmt *DS = dyn_cast<DeclStmt>(elem)) {
     const VarDecl *elemD = cast<VarDecl>(DS->getSingleDecl());
-    assert(elemD->getInit() == 0);
+    assert(elemD->getInit() == nullptr);
     elementV = state->getLValue(elemD, Pred->getLocationContext());
   }
   else {
@@ -85,7 +85,7 @@ void ExprEngine::VisitObjCForCollectionStmt(const ObjCForCollectionStmt *S,
   }
   
   ExplodedNodeSet dstLocation;
-  evalLocation(dstLocation, S, elem, Pred, state, elementV, NULL, false);
+  evalLocation(dstLocation, S, elem, Pred, state, elementV, nullptr, false);
 
   ExplodedNodeSet Tmp;
   StmtNodeBuilder Bldr(Pred, Tmp, *currBldrCtx);

lib/StaticAnalyzer/Core/HTMLDiagnostics.cpp

@@ -42,7 +42,7 @@ class HTMLDiagnostics : public PathDiagnosticConsumer {
 public:
   HTMLDiagnostics(const std::string& prefix, const Preprocessor &pp);
 
-  virtual ~HTMLDiagnostics() { FlushDiagnostics(NULL); }
+  virtual ~HTMLDiagnostics() { FlushDiagnostics(nullptr); }
 
   void FlushDiagnosticsImpl(std::vector<const PathDiagnostic *> &Diags,
                             FilesMade *filesMade) override;
@@ -307,7 +307,7 @@ void HTMLDiagnostics::HandlePiece(Rewriter& R, FileID BugFileID,
 
   // Create the html for the message.
 
-  const char *Kind = 0;
+  const char *Kind = nullptr;
   switch (P.getKind()) {
   case PathDiagnosticPiece::Call:
       llvm_unreachable("Calls should already be handled");

lib/StaticAnalyzer/Core/MemRegion.cpp

@@ -148,7 +148,7 @@ MemRegionManager::~MemRegionManager() {
 
 bool SubRegion::isSubRegionOf(const MemRegion* R) const {
   const MemRegion* r = getSuperRegion();
-  while (r != 0) {
+  while (r != nullptr) {
     if (r == R)
       return true;
     if (const SubRegion* sr = dyn_cast<SubRegion>(r))
@@ -173,7 +173,7 @@ MemRegionManager* SubRegion::getMemRegionManager() const {
 
 const StackFrameContext *VarRegion::getStackFrame() const {
   const StackSpaceRegion *SSR = dyn_cast<StackSpaceRegion>(getMemorySpace());
-  return SSR ? SSR->getStackFrame() : NULL;
+  return SSR ? SSR->getStackFrame() : nullptr;
 }
 
 //===----------------------------------------------------------------------===//
@@ -508,11 +508,11 @@ void ObjCIvarRegion::dumpToStream(raw_ostream &os) const {
 }
 
 void StringRegion::dumpToStream(raw_ostream &os) const {
-  Str->printPretty(os, 0, PrintingPolicy(getContext().getLangOpts()));
+  Str->printPretty(os, nullptr, PrintingPolicy(getContext().getLangOpts()));
 }
 
 void ObjCStringRegion::dumpToStream(raw_ostream &os) const {
-  Str->printPretty(os, 0, PrintingPolicy(getContext().getLangOpts()));
+  Str->printPretty(os, nullptr, PrintingPolicy(getContext().getLangOpts()));
 }
 
 void SymbolicRegion::dumpToStream(raw_ostream &os) const {
@@ -757,12 +757,12 @@ getStackOrCaptureRegionForDeclContext(const LocationContext *LC,
     
     LC = LC->getParent();
   }
-  return (const StackFrameContext*)0;
+  return (const StackFrameContext *)nullptr;
 }
 
 const VarRegion* MemRegionManager::getVarRegion(const VarDecl *D,
                                                 const LocationContext *LC) {
-  const MemRegion *sReg = 0;
+  const MemRegion *sReg = nullptr;
 
   if (D->hasGlobalStorage() && !D->isStaticLocal()) {
 
@@ -850,7 +850,7 @@ const BlockDataRegion *
 MemRegionManager::getBlockDataRegion(const BlockTextRegion *BC,
                                      const LocationContext *LC,
                                      unsigned blockCount) {
-  const MemRegion *sReg = 0;
+  const MemRegion *sReg = nullptr;
   const BlockDecl *BD = BC->getDecl();
   if (!BD->hasCaptures()) {
     // This handles 'static' blocks.
@@ -877,14 +877,14 @@ MemRegionManager::getBlockDataRegion(const BlockTextRegion *BC,
 const CXXTempObjectRegion *
 MemRegionManager::getCXXStaticTempObjectRegion(const Expr *Ex) {
   return getSubRegion<CXXTempObjectRegion>(
-      Ex, getGlobalsRegion(MemRegion::GlobalInternalSpaceRegionKind, NULL));
+      Ex, getGlobalsRegion(MemRegion::GlobalInternalSpaceRegionKind, nullptr));
 }
 
 const CompoundLiteralRegion*
 MemRegionManager::getCompoundLiteralRegion(const CompoundLiteralExpr *CL,
                                            const LocationContext *LC) {
 
-  const MemRegion *sReg = 0;
+  const MemRegion *sReg = nullptr;
 
   if (CL->isFileScope())
     sReg = getGlobalsRegion();
@@ -1111,7 +1111,7 @@ const SymbolicRegion *MemRegion::getSymbolicBase() const {
       return SymR;
     SubR = dyn_cast<SubRegion>(SubR->getSuperRegion());
   }
-  return 0;
+  return nullptr;
 }
 
 // FIXME: Merge with the implementation of the same method in Store.cpp
@@ -1128,7 +1128,7 @@ static bool IsCompleteType(ASTContext &Ctx, QualType Ty) {
 RegionRawOffset ElementRegion::getAsArrayOffset() const {
   CharUnits offset = CharUnits::Zero();
   const ElementRegion *ER = this;
-  const MemRegion *superR = NULL;
+  const MemRegion *superR = nullptr;
   ASTContext &C = getContext();
 
   // FIXME: Handle multi-dimensional arrays.
@@ -1160,7 +1160,7 @@ RegionRawOffset ElementRegion::getAsArrayOffset() const {
       continue;
     }
 
-    return NULL;
+    return nullptr;
   }
 
   assert(superR && "super region cannot be NULL");
@@ -1184,7 +1184,7 @@ static bool isImmediateBase(const CXXRecordDecl *Child,
 
 RegionOffset MemRegion::getAsOffset() const {
   const MemRegion *R = this;
-  const MemRegion *SymbolicOffsetBase = 0;
+  const MemRegion *SymbolicOffsetBase = nullptr;
   int64_t Offset = 0;
 
   while (1) {
@@ -1356,8 +1356,8 @@ RegionOffset MemRegion::getAsOffset() const {
 std::pair<const VarRegion *, const VarRegion *>
 BlockDataRegion::getCaptureRegions(const VarDecl *VD) {
   MemRegionManager &MemMgr = *getMemRegionManager();
-  const VarRegion *VR = 0;
-  const VarRegion *OriginalVR = 0;
+  const VarRegion *VR = nullptr;
+  const VarRegion *OriginalVR = nullptr;
 
   if (!VD->hasAttr<BlocksAttr>() && VD->hasLocalStorage()) {
     VR = MemMgr.getVarRegion(VD, this);
@@ -1400,8 +1400,8 @@ void BlockDataRegion::LazyInitializeReferencedVars() {
   new (BVOriginal) VarVec(BC, E - I);
 
   for ( ; I != E; ++I) {
-    const VarRegion *VR = 0;
-    const VarRegion *OriginalVR = 0;
+    const VarRegion *VR = nullptr;
+    const VarRegion *OriginalVR = nullptr;
     std::tie(VR, OriginalVR) = getCaptureRegions(*I);
     assert(VR);
     assert(OriginalVR);
@@ -1421,8 +1421,8 @@ BlockDataRegion::referenced_vars_begin() const {
     static_cast<BumpVector<const MemRegion*>*>(ReferencedVars);
 
   if (Vec == (void*) 0x1)
-    return BlockDataRegion::referenced_vars_iterator(0, 0);
-  
+    return BlockDataRegion::referenced_vars_iterator(nullptr, nullptr);
+
   BumpVector<const MemRegion*> *VecOriginal =
     static_cast<BumpVector<const MemRegion*>*>(OriginalVars);
   
@@ -1438,8 +1438,8 @@ BlockDataRegion::referenced_vars_end() const {
     static_cast<BumpVector<const MemRegion*>*>(ReferencedVars);
 
   if (Vec == (void*) 0x1)
-    return BlockDataRegion::referenced_vars_iterator(0, 0);
-  
+    return BlockDataRegion::referenced_vars_iterator(nullptr, nullptr);
+
   BumpVector<const MemRegion*> *VecOriginal =
     static_cast<BumpVector<const MemRegion*>*>(OriginalVars);
 
@@ -1454,7 +1454,7 @@ const VarRegion *BlockDataRegion::getOriginalRegion(const VarRegion *R) const {
     if (I.getCapturedRegion() == R)
       return I.getOriginalRegion();
   }
-  return 0;
+  return nullptr;
 }
 
 //===----------------------------------------------------------------------===//

lib/StaticAnalyzer/Core/PathDiagnostic.cpp

@@ -129,7 +129,7 @@ getFirstStackedCallToHeaderFile(PathDiagnosticCallPiece *CP,
 
   // If the call is within a macro, don't do anything (for now).
   if (CallLoc.isMacroID())
-    return 0;
+    return nullptr;
 
   assert(SMgr.isInMainFile(CallLoc) &&
          "The call piece should be in the main file.");
@@ -140,7 +140,7 @@ getFirstStackedCallToHeaderFile(PathDiagnosticCallPiece *CP,
 
   const PathPieces &Path = CP->path;
   if (Path.empty())
-    return 0;
+    return nullptr;
 
   // Check if the last piece in the callee path is a call to a function outside
   // of the main file.
@@ -150,7 +150,7 @@ getFirstStackedCallToHeaderFile(PathDiagnosticCallPiece *CP,
   }
 
   // Otherwise, the last piece is in the main file.
-  return 0;
+  return nullptr;
 }
 
 void PathDiagnostic::resetDiagnosticLocationToMainFile() {
@@ -260,7 +260,7 @@ void PathDiagnosticConsumer::HandlePathDiagnostic(PathDiagnostic *D) {
   // Profile the node to see if we already have something matching it
   llvm::FoldingSetNodeID profile;
   D->Profile(profile);
-  void *InsertPos = 0;
+  void *InsertPos = nullptr;
 
   if (PathDiagnostic *orig = Diags.FindNodeOrInsertPos(profile, InsertPos)) {
     // Keep the PathDiagnostic with the shorter path.
@@ -486,7 +486,7 @@ PathDiagnosticConsumer::FilesMade::getFiles(const PathDiagnostic &PD) {
   void *InsertPos;
   PDFileEntry *Entry = FindNodeOrInsertPos(NodeID, InsertPos);
   if (!Entry)
-    return 0;
+    return nullptr;
   return &Entry->files;
 }
 
@@ -662,7 +662,7 @@ PathDiagnosticLocation
   PathDiagnosticLocation::create(const ProgramPoint& P,
                                  const SourceManager &SMng) {
 
-  const Stmt* S = 0;
+  const Stmt* S = nullptr;
   if (Optional<BlockEdge> BE = P.getAs<BlockEdge>()) {
     const CFGBlock *BSrc = BE->getSrc();
     S = BSrc->getTerminatorCondition();
@@ -703,7 +703,7 @@ const Stmt *PathDiagnosticLocation::getStmt(const ExplodedNode *N) {
   if (Optional<PostInitializer> PIPP = P.getAs<PostInitializer>())
     return PIPP->getInitializer()->getInit();
 
-  return 0;
+  return nullptr;
 }
 
 const Stmt *PathDiagnosticLocation::getNextStmt(const ExplodedNode *N) {
@@ -730,7 +730,7 @@ const Stmt *PathDiagnosticLocation::getNextStmt(const ExplodedNode *N) {
     }
   }
 
-  return 0;
+  return nullptr;
 }
 
 PathDiagnosticLocation
@@ -865,13 +865,13 @@ PathDiagnosticRange
 void PathDiagnosticLocation::flatten() {
   if (K == StmtK) {
     K = RangeK;
-    S = 0;
-    D = 0;
+    S = nullptr;
+    D = nullptr;
   }
   else if (K == DeclK) {
     K = SingleLocK;
-    S = 0;
-    D = 0;
+    S = nullptr;
+    D = nullptr;
   }
 }
 
@@ -981,7 +981,7 @@ static bool describeCodeDecl(raw_ostream &Out, const Decl *D,
 IntrusiveRefCntPtr<PathDiagnosticEventPiece>
 PathDiagnosticCallPiece::getCallEnterEvent() const {
   if (!Callee)
-    return 0;  
+    return nullptr;
 
   SmallString<256> buf;
   llvm::raw_svector_ostream Out(buf);
@@ -996,12 +996,12 @@ PathDiagnosticCallPiece::getCallEnterEvent() const {
 IntrusiveRefCntPtr<PathDiagnosticEventPiece>
 PathDiagnosticCallPiece::getCallEnterWithinCallerEvent() const {
   if (!callEnterWithin.asLocation().isValid())
-    return 0;
+    return nullptr;
   if (Callee->isImplicit() || !Callee->hasBody())
-    return 0;
+    return nullptr;
   if (const CXXMethodDecl *MD = dyn_cast<CXXMethodDecl>(Callee))
     if (MD->isDefaulted())
-      return 0;
+      return nullptr;
 
   SmallString<256> buf;
   llvm::raw_svector_ostream Out(buf);
@@ -1015,7 +1015,7 @@ PathDiagnosticCallPiece::getCallEnterWithinCallerEvent() const {
 IntrusiveRefCntPtr<PathDiagnosticEventPiece>
 PathDiagnosticCallPiece::getCallExitEvent() const {
   if (NoExit)
-    return 0;
+    return nullptr;
 
   SmallString<256> buf;
   llvm::raw_svector_ostream Out(buf);

lib/StaticAnalyzer/Core/PlistDiagnostics.cpp

@@ -292,7 +292,7 @@ void PlistDiagnostics::FlushDiagnosticsImpl(
   // ranges of the diagnostics.
   FIDMap FM;
   SmallVector<FileID, 10> Fids;
-  const SourceManager* SM = 0;
+  const SourceManager* SM = nullptr;
 
   if (!Diags.empty())
     SM = &(*(*Diags.begin())->path.begin())->getLocation().getManager();

lib/StaticAnalyzer/Core/ProgramState.cpp

@@ -207,7 +207,7 @@ ProgramState::invalidateRegionsImpl(ValueList Values,
 
   const StoreRef &newStore =
   Mgr.StoreMgr->invalidateRegions(getStore(), Values, E, Count, LCtx, Call,
-                                  *IS, *ITraits, NULL, NULL);
+                                  *IS, *ITraits, nullptr, nullptr);
   return makeWithStore(newStore);
 }
 
@@ -387,7 +387,7 @@ ProgramStateRef ProgramStateManager::getPersistentState(ProgramState &State) {
   if (ProgramState *I = StateSet.FindNodeOrInsertPos(ID, InsertPos))
     return I;
 
-  ProgramState *newState = 0;
+  ProgramState *newState = nullptr;
   if (!freeStates.empty()) {
     newState = freeStates.back();
     freeStates.pop_back();    

lib/StaticAnalyzer/Core/RangeConstraintManager.cpp

@@ -45,7 +45,7 @@ public:
     return *second;
   }
   const llvm::APSInt *getConcreteValue() const {
-    return &From() == &To() ? &From() : NULL;
+    return &From() == &To() ? &From() : nullptr;
   }
 
   void Profile(llvm::FoldingSetNodeID &ID) const {
@@ -98,7 +98,7 @@ public:
   ///  constant then this method returns that value.  Otherwise, it returns
   ///  NULL.
   const llvm::APSInt* getConcreteValue() const {
-    return ranges.isSingleton() ? ranges.begin()->getConcreteValue() : 0;
+    return ranges.isSingleton() ? ranges.begin()->getConcreteValue() : nullptr;
   }
 
 private:
@@ -336,7 +336,7 @@ ento::CreateRangeConstraintManager(ProgramStateManager &StMgr, SubEngine *Eng) {
 const llvm::APSInt* RangeConstraintManager::getSymVal(ProgramStateRef St,
                                                       SymbolRef sym) const {
   const ConstraintRangeTy::data_type *T = St->get<ConstraintRange>(sym);
-  return T ? T->getConcreteValue() : NULL;
+  return T ? T->getConcreteValue() : nullptr;
 }
 
 ConditionTruthVal RangeConstraintManager::checkNull(ProgramStateRef State,
@@ -432,7 +432,7 @@ RangeConstraintManager::assumeSymNE(ProgramStateRef St, SymbolRef Sym,
   // [Int-Adjustment+1, Int-Adjustment-1]
   // Notice that the lower bound is greater than the upper bound.
   RangeSet New = GetRange(St, Sym).Intersect(getBasicVals(), F, Upper, Lower);
-  return New.isEmpty() ? NULL : St->set<ConstraintRange>(Sym, New);
+  return New.isEmpty() ? nullptr : St->set<ConstraintRange>(Sym, New);
 }
 
 ProgramStateRef 
@@ -442,12 +442,12 @@ RangeConstraintManager::assumeSymEQ(ProgramStateRef St, SymbolRef Sym,
   // Before we do any real work, see if the value can even show up.
   APSIntType AdjustmentType(Adjustment);
   if (AdjustmentType.testInRange(Int, true) != APSIntType::RTR_Within)
-    return NULL;
+    return nullptr;
 
   // [Int-Adjustment, Int-Adjustment]
   llvm::APSInt AdjInt = AdjustmentType.convert(Int) - Adjustment;
   RangeSet New = GetRange(St, Sym).Intersect(getBasicVals(), F, AdjInt, AdjInt);
-  return New.isEmpty() ? NULL : St->set<ConstraintRange>(Sym, New);
+  return New.isEmpty() ? nullptr : St->set<ConstraintRange>(Sym, New);
 }
 
 ProgramStateRef 
@@ -458,7 +458,7 @@ RangeConstraintManager::assumeSymLT(ProgramStateRef St, SymbolRef Sym,
   APSIntType AdjustmentType(Adjustment);
   switch (AdjustmentType.testInRange(Int, true)) {
   case APSIntType::RTR_Below:
-    return NULL;
+    return nullptr;
   case APSIntType::RTR_Within:
     break;
   case APSIntType::RTR_Above:
@@ -469,14 +469,14 @@ RangeConstraintManager::assumeSymLT(ProgramStateRef St, SymbolRef Sym,
   llvm::APSInt ComparisonVal = AdjustmentType.convert(Int);
   llvm::APSInt Min = AdjustmentType.getMinValue();
   if (ComparisonVal == Min)
-    return NULL;
+    return nullptr;
 
   llvm::APSInt Lower = Min-Adjustment;
   llvm::APSInt Upper = ComparisonVal-Adjustment;
   --Upper;
 
   RangeSet New = GetRange(St, Sym).Intersect(getBasicVals(), F, Lower, Upper);
-  return New.isEmpty() ? NULL : St->set<ConstraintRange>(Sym, New);
+  return New.isEmpty() ? nullptr : St->set<ConstraintRange>(Sym, New);
 }
 
 ProgramStateRef 
@@ -491,21 +491,21 @@ RangeConstraintManager::assumeSymGT(ProgramStateRef St, SymbolRef Sym,
   case APSIntType::RTR_Within:
     break;
   case APSIntType::RTR_Above:
-    return NULL;
+    return nullptr;
   }
 
   // Special case for Int == Max. This is always false.
   llvm::APSInt ComparisonVal = AdjustmentType.convert(Int);
   llvm::APSInt Max = AdjustmentType.getMaxValue();
   if (ComparisonVal == Max)
-    return NULL;
+    return nullptr;
 
   llvm::APSInt Lower = ComparisonVal-Adjustment;
   llvm::APSInt Upper = Max-Adjustment;
   ++Lower;
 
   RangeSet New = GetRange(St, Sym).Intersect(getBasicVals(), F, Lower, Upper);
-  return New.isEmpty() ? NULL : St->set<ConstraintRange>(Sym, New);
+  return New.isEmpty() ? nullptr : St->set<ConstraintRange>(Sym, New);
 }
 
 ProgramStateRef 
@@ -520,7 +520,7 @@ RangeConstraintManager::assumeSymGE(ProgramStateRef St, SymbolRef Sym,
   case APSIntType::RTR_Within:
     break;
   case APSIntType::RTR_Above:
-    return NULL;
+    return nullptr;
   }
 
   // Special case for Int == Min. This is always feasible.
@@ -534,7 +534,7 @@ RangeConstraintManager::assumeSymGE(ProgramStateRef St, SymbolRef Sym,
   llvm::APSInt Upper = Max-Adjustment;
 
   RangeSet New = GetRange(St, Sym).Intersect(getBasicVals(), F, Lower, Upper);
-  return New.isEmpty() ? NULL : St->set<ConstraintRange>(Sym, New);
+  return New.isEmpty() ? nullptr : St->set<ConstraintRange>(Sym, New);
 }
 
 ProgramStateRef 
@@ -545,7 +545,7 @@ RangeConstraintManager::assumeSymLE(ProgramStateRef St, SymbolRef Sym,
   APSIntType AdjustmentType(Adjustment);
   switch (AdjustmentType.testInRange(Int, true)) {
   case APSIntType::RTR_Below:
-    return NULL;
+    return nullptr;
   case APSIntType::RTR_Within:
     break;
   case APSIntType::RTR_Above:
@@ -563,7 +563,7 @@ RangeConstraintManager::assumeSymLE(ProgramStateRef St, SymbolRef Sym,
   llvm::APSInt Upper = ComparisonVal-Adjustment;
 
   RangeSet New = GetRange(St, Sym).Intersect(getBasicVals(), F, Lower, Upper);
-  return New.isEmpty() ? NULL : St->set<ConstraintRange>(Sym, New);
+  return New.isEmpty() ? nullptr : St->set<ConstraintRange>(Sym, New);
 }
 
 //===------------------------------------------------------------------------===

lib/StaticAnalyzer/Core/RegionStore.cpp

@@ -262,7 +262,7 @@ RegionBindingsRef RegionBindingsRef::addBinding(const MemRegion *R,
 const SVal *RegionBindingsRef::lookup(BindingKey K) const {
   const ClusterBindings *Cluster = lookup(K.getBaseRegion());
   if (!Cluster)
-    return 0;
+    return nullptr;
   return Cluster->lookup(K);
 }
 
@@ -1625,8 +1625,8 @@ RegionStoreManager::getBindingForFieldOrElementCommon(RegionBindingsConstRef B,
   // getBindingForField if 'R' has a direct binding.
 
   // Lazy binding?
-  Store lazyBindingStore = NULL;
-  const SubRegion *lazyBindingRegion = NULL;
+  Store lazyBindingStore = nullptr;
+  const SubRegion *lazyBindingRegion = nullptr;
   std::tie(lazyBindingStore, lazyBindingRegion) = findLazyBinding(B, R, R);
   if (lazyBindingRegion)
     return getLazyBinding(lazyBindingRegion,
@@ -2291,7 +2291,7 @@ bool removeDeadBindingsWorker::UpdatePostponed() {
     if (const SymbolicRegion *SR = *I) {
       if (SymReaper.isLive(SR->getSymbol())) {
         changed |= AddToWorkList(SR);
-        *I = NULL;
+        *I = nullptr;
       }
     }
   }

lib/StaticAnalyzer/Core/SVals.cpp

@@ -56,7 +56,7 @@ const FunctionDecl *SVal::getAsFunctionDecl() const {
         return FD;
   }
 
-  return 0;
+  return nullptr;
 }
 
 /// \brief If this SVal is a location (subclasses Loc) and wraps a symbol,
@@ -78,7 +78,7 @@ SymbolRef SVal::getAsLocSymbol(bool IncludeBaseRegions) const {
                                       dyn_cast<SymbolicRegion>(R->StripCasts()))
       return SymR->getSymbol();
   }
-  return 0;
+  return nullptr;
 }
 
 /// Get the symbol in the SVal or its base region.
@@ -86,7 +86,7 @@ SymbolRef SVal::getLocSymbolInBase() const {
   Optional<loc::MemRegionVal> X = getAs<loc::MemRegionVal>();
 
   if (!X)
-    return 0;
+    return nullptr;
 
   const MemRegion *R = X->getRegion();
 
@@ -97,7 +97,7 @@ SymbolRef SVal::getLocSymbolInBase() const {
       R = SR->getSuperRegion();
   }
 
-  return 0;
+  return nullptr;
 }
 
 // TODO: The next 3 functions have to be simplified.
@@ -139,12 +139,12 @@ const MemRegion *SVal::getAsRegion() const {
   if (Optional<nonloc::LocAsInteger> X = getAs<nonloc::LocAsInteger>())
     return X->getLoc().getAsRegion();
 
-  return 0;
+  return nullptr;
 }
 
 const MemRegion *loc::MemRegionVal::stripCasts(bool StripBaseCasts) const {
   const MemRegion *R = getRegion();
-  return R ?  R->StripCasts(StripBaseCasts) : NULL;
+  return R ?  R->StripCasts(StripBaseCasts) : nullptr;
 }
 
 const void *nonloc::LazyCompoundVal::getStore() const {

lib/StaticAnalyzer/Core/SimpleConstraintManager.cpp

@@ -181,7 +181,7 @@ ProgramStateRef SimpleConstraintManager::assumeAux(ProgramStateRef state,
   case nonloc::ConcreteIntKind: {
     bool b = Cond.castAs<nonloc::ConcreteInt>().getValue() != 0;
     bool isFeasible = b ? Assumption : !Assumption;
-    return isFeasible ? state : NULL;
+    return isFeasible ? state : nullptr;
   }
 
   case nonloc::LocAsIntegerKind:

lib/StaticAnalyzer/Core/SimpleSValBuilder.cpp

@@ -817,7 +817,7 @@ SVal SimpleSValBuilder::evalBinOpLL(ProgramStateRef state,
     RegionOffset LeftOffset = LeftMR->getAsOffset();
     RegionOffset RightOffset = RightMR->getAsOffset();
 
-    if (LeftOffset.getRegion() != NULL &&
+    if (LeftOffset.getRegion() != nullptr &&
         LeftOffset.getRegion() == RightOffset.getRegion() &&
         !LeftOffset.hasSymbolicOffset() && !RightOffset.hasSymbolicOffset()) {
       int64_t left = LeftOffset.getOffset();
@@ -900,7 +900,7 @@ SVal SimpleSValBuilder::evalBinOpLN(ProgramStateRef state,
   if (const MemRegion *region = lhs.getAsRegion()) {
     rhs = convertToArrayIndex(rhs).castAs<NonLoc>();
     SVal index = UnknownVal();
-    const MemRegion *superR = 0;
+    const MemRegion *superR = nullptr;
     QualType elementType;
 
     if (const ElementRegion *elemReg = dyn_cast<ElementRegion>(region)) {
@@ -928,7 +928,7 @@ SVal SimpleSValBuilder::evalBinOpLN(ProgramStateRef state,
 const llvm::APSInt *SimpleSValBuilder::getKnownValue(ProgramStateRef state,
                                                    SVal V) {
   if (V.isUnknownOrUndef())
-    return NULL;
+    return nullptr;
 
   if (Optional<loc::ConcreteInt> X = V.getAs<loc::ConcreteInt>())
     return &X->getValue();
@@ -940,5 +940,5 @@ const llvm::APSInt *SimpleSValBuilder::getKnownValue(ProgramStateRef state,
     return state->getConstraintManager().getSymVal(state, Sym);
 
   // FIXME: Add support for SymExprs.
-  return NULL;
+  return nullptr;
 }

lib/StaticAnalyzer/Core/Store.cpp

@@ -88,7 +88,7 @@ const MemRegion *StoreManager::castRegion(const MemRegion *R, QualType CastToTy)
 
     // We don't know what to make of it.  Return a NULL region, which
     // will be interpretted as UnknownVal.
-    return NULL;
+    return nullptr;
   }
 
   // Now assume we are casting from pointer to pointer. Other cases should
@@ -166,7 +166,7 @@ const MemRegion *StoreManager::castRegion(const MemRegion *R, QualType CastToTy)
       // If we cannot compute a raw offset, throw up our hands and return
       // a NULL MemRegion*.
       if (!baseR)
-        return NULL;
+        return nullptr;
 
       CharUnits off = rawOff.getOffset();
 
@@ -193,7 +193,7 @@ const MemRegion *StoreManager::castRegion(const MemRegion *R, QualType CastToTy)
 
       // Compute the index for the new ElementRegion.
       int64_t newIndex = 0;
-      const MemRegion *newSuperR = 0;
+      const MemRegion *newSuperR = nullptr;
 
       // We can only compute sizeof(PointeeTy) if it is a complete type.
       if (IsCompleteType(Ctx, PointeeTy)) {
@@ -300,7 +300,7 @@ static const CXXRecordDecl *getCXXRecordType(const MemRegion *MR) {
     return TVR->getValueType()->getAsCXXRecordDecl();
   if (const SymbolicRegion *SR = dyn_cast<SymbolicRegion>(MR))
     return SR->getSymbol()->getType()->getPointeeCXXRecordDecl();
-  return 0;
+  return nullptr;
 }
 
 SVal StoreManager::evalDynamicCast(SVal Base, QualType TargetType,
@@ -401,7 +401,7 @@ SVal StoreManager::getLValueFieldOrIvar(const Decl *D, SVal Base) {
     return Base;
 
   Loc BaseL = Base.castAs<Loc>();
-  const MemRegion* BaseR = 0;
+  const MemRegion* BaseR = nullptr;
 
   switch (BaseL.getSubKind()) {
   case loc::MemRegionKind:

lib/StaticAnalyzer/Core/SymbolManager.cpp

@@ -347,7 +347,7 @@ bool SymbolManager::canSymbolicate(QualType T) {
 void SymbolManager::addSymbolDependency(const SymbolRef Primary,
                                         const SymbolRef Dependent) {
   SymbolDependTy::iterator I = SymbolDependencies.find(Primary);
-  SymbolRefSmallVectorTy *dependencies = 0;
+  SymbolRefSmallVectorTy *dependencies = nullptr;
   if (I == SymbolDependencies.end()) {
     dependencies = new SymbolRefSmallVectorTy();
     SymbolDependencies[Primary] = dependencies;
@@ -361,7 +361,7 @@ const SymbolRefSmallVectorTy *SymbolManager::getDependentSymbols(
                                                      const SymbolRef Primary) {
   SymbolDependTy::const_iterator I = SymbolDependencies.find(Primary);
   if (I == SymbolDependencies.end())
-    return 0;
+    return nullptr;
   return I->second;
 }
 
@@ -487,7 +487,7 @@ bool SymbolReaper::isLive(SymbolRef sym) {
 
 bool
 SymbolReaper::isLive(const Stmt *ExprVal, const LocationContext *ELCtx) const {
-  if (LCtx == 0)
+  if (LCtx == nullptr)
     return false;
 
   if (LCtx != ELCtx) {

lib/StaticAnalyzer/Frontend/AnalysisConsumer.cpp

@@ -185,8 +185,8 @@ public:
                    const std::string& outdir,
                    AnalyzerOptionsRef opts,
                    ArrayRef<std::string> plugins)
-    : RecVisitorMode(0), RecVisitorBR(0),
-      Ctx(0), PP(pp), OutDir(outdir), Opts(opts), Plugins(plugins) {
+    : RecVisitorMode(0), RecVisitorBR(nullptr),
+      Ctx(nullptr), PP(pp), OutDir(outdir), Opts(opts), Plugins(plugins) {
     DigestAnalyzerOptions();
     if (Opts->PrintStats) {
       llvm::EnableStatistics();
@@ -321,7 +321,7 @@ public:
   /// given root function.
   void HandleCode(Decl *D, AnalysisMode Mode,
                   ExprEngine::InliningModes IMode = ExprEngine::Inline_Minimal,
-                  SetOfConstDecls *VisitedCallees = 0);
+                  SetOfConstDecls *VisitedCallees = nullptr);
 
   void RunPathSensitiveChecks(Decl *D,
                               ExprEngine::InliningModes IMode,
@@ -390,7 +390,7 @@ private:
 //===----------------------------------------------------------------------===//
 // AnalysisConsumer implementation.
 //===----------------------------------------------------------------------===//
-llvm::Timer* AnalysisConsumer::TUTotalTimer = 0;
+llvm::Timer* AnalysisConsumer::TUTotalTimer = nullptr;
 
 bool AnalysisConsumer::HandleTopLevelDecl(DeclGroupRef DG) {
   storeTopLevelDecls(DG);
@@ -489,7 +489,7 @@ void AnalysisConsumer::HandleDeclsCallGraph(const unsigned LocalTUDeclsSize) {
     SetOfConstDecls VisitedCallees;
 
     HandleCode(D, AM_Path, getInliningModeForFunction(D, Visited),
-               (Mgr->options.InliningMode == All ? 0 : &VisitedCallees));
+               (Mgr->options.InliningMode == All ? nullptr : &VisitedCallees));
 
     // Add the visited callees to the global visited set.
     for (SetOfConstDecls::iterator I = VisitedCallees.begin(),
@@ -539,14 +539,14 @@ void AnalysisConsumer::HandleTranslationUnit(ASTContext &C) {
     // After all decls handled, run checkers on the entire TranslationUnit.
     checkerMgr->runCheckersOnEndOfTranslationUnit(TU, *Mgr, BR);
 
-    RecVisitorBR = 0;
+    RecVisitorBR = nullptr;
   }
 
   // Explicitly destroy the PathDiagnosticConsumer.  This will flush its output.
   // FIXME: This should be replaced with something that doesn't rely on
   // side-effects in PathDiagnosticConsumer's destructor. This is required when
   // used with option -disable-free.
-  Mgr.reset(NULL);
+  Mgr.reset(nullptr);
 
   if (TUTotalTimer) TUTotalTimer->stopTimer();
 
@@ -653,7 +653,7 @@ void AnalysisConsumer::ActionExprEngine(Decl *D, bool ObjCGCEnabled,
 
   // Release the auditor (if any) so that it doesn't monitor the graph
   // created BugReporter.
-  ExplodedNode::SetAuditor(0);
+  ExplodedNode::SetAuditor(nullptr);
 
   // Visualize the exploded graph.
   if (Mgr->options.visualizeExplodedGraphWithGraphViz)
@@ -776,16 +776,17 @@ UbigraphViz::UbigraphViz(raw_ostream *Out, StringRef Filename)
 }
 
 UbigraphViz::~UbigraphViz() {
-  Out.reset(0);
+  Out.reset(nullptr);
   llvm::errs() << "Running 'ubiviz' program... ";
   std::string ErrMsg;
   std::string Ubiviz = llvm::sys::FindProgramByName("ubiviz");
   std::vector<const char*> args;
   args.push_back(Ubiviz.c_str());
   args.push_back(Filename.c_str());
-  args.push_back(0);
+  args.push_back(nullptr);
 
-  if (llvm::sys::ExecuteAndWait(Ubiviz, &args[0], 0, 0, 0, 0, &ErrMsg)) {
+  if (llvm::sys::ExecuteAndWait(Ubiviz, &args[0], nullptr, nullptr, 0, 0,
+                                &ErrMsg)) {
     llvm::errs() << "Error viewing graph: " << ErrMsg << "\n";
   }
 

lib/StaticAnalyzer/Frontend/CheckerRegistration.cpp

@@ -40,7 +40,7 @@ class ClangCheckerRegistry : public CheckerRegistry {
 
 public:
   ClangCheckerRegistry(ArrayRef<std::string> plugins,
-                       DiagnosticsEngine *diags = 0);
+                       DiagnosticsEngine *diags = nullptr);
 };
   
 } // end anonymous namespace
@@ -73,7 +73,7 @@ ClangCheckerRegistry::ClangCheckerRegistry(ArrayRef<std::string> plugins,
 
 bool ClangCheckerRegistry::isCompatibleAPIVersion(const char *versionString) {
   // If the version string is null, it's not an analyzer plugin.
-  if (versionString == 0)
+  if (!versionString)
     return false;
 
   // For now, none of the static analyzer API is considered stable.