<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1">
<meta name="Generator" content="Microsoft Word 15 (filtered medium)">
<style><!--
/* Font Definitions */
@font-face
        {font-family:"Cambria Math";
        panose-1:2 4 5 3 5 4 6 3 2 4;}
@font-face
        {font-family:Calibri;
        panose-1:2 15 5 2 2 2 4 3 2 4;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
        {margin:0cm;
        margin-bottom:.0001pt;
        font-size:12.0pt;
        font-family:"Times New Roman",serif;}
a:link, span.MsoHyperlink
        {mso-style-priority:99;
        color:blue;
        text-decoration:underline;}
a:visited, span.MsoHyperlinkFollowed
        {mso-style-priority:99;
        color:purple;
        text-decoration:underline;}
p.msonormal0, li.msonormal0, div.msonormal0
        {mso-style-name:msonormal;
        mso-margin-top-alt:auto;
        margin-right:0cm;
        mso-margin-bottom-alt:auto;
        margin-left:0cm;
        font-size:12.0pt;
        font-family:"Times New Roman",serif;}
span.EmailStyle18
        {mso-style-type:personal-reply;
        font-family:"Calibri",sans-serif;
        color:windowtext;}
.MsoChpDefault
        {mso-style-type:export-only;
        font-size:10.0pt;}
@page WordSection1
        {size:612.0pt 792.0pt;
        margin:72.0pt 72.0pt 72.0pt 72.0pt;}
div.WordSection1
        {page:WordSection1;}
--></style><!--[if gte mso 9]><xml>
<o:shapedefaults v:ext="edit" spidmax="1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext="edit">
<o:idmap v:ext="edit" data="1" />
</o:shapelayout></xml><![endif]-->
</head>
<body lang="HU" link="blue" vlink="purple">
<div class="WordSection1">
<p class="MsoNormal"><span lang="EN-US" style="font-size:11.0pt;font-family:"Calibri",sans-serif;mso-fareast-language:EN-US">the fix seems fine. The new operator related test cases were placed in test/Analysis/out-of-bounds-new.cpp<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US" style="font-size:11.0pt;font-family:"Calibri",sans-serif;mso-fareast-language:EN-US">You may consider that as well for the test case.<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US" style="font-size:11.0pt;font-family:"Calibri",sans-serif;mso-fareast-language:EN-US"><o:p> </o:p></span></p>
<div>
<div style="border:none;border-top:solid #E1E1E1 1.0pt;padding:3.0pt 0cm 0cm 0cm">
<p class="MsoNormal"><b><span lang="EN-US" style="font-size:11.0pt;font-family:"Calibri",sans-serif">From:</span></b><span lang="EN-US" style="font-size:11.0pt;font-family:"Calibri",sans-serif"> dcoughlin@apple.com [mailto:dcoughlin@apple.com]
<br>
<b>Sent:</b> 2016. december 1. 2:55<br>
<b>To:</b> Abramo Bagnara <abramo.bagnara@gmail.com><br>
<b>Cc:</b> cfe-commits <cfe-commits@lists.llvm.org>; Anna Zaks <ganna@apple.com>; Dániel Krupp <daniel.krupp@ericsson.com>; haoNoQ <noqnoqneo@gmail.com><br>
<b>Subject:</b> Re: Crash in MallocChecker<o:p></o:p></span></p>
</div>
</div>
<p class="MsoNormal"><o:p> </o:p></p>
<div>
<div>
<p class="MsoNormal" style="margin-bottom:12.0pt"><span style="font-size:10.0pt">+ Artem and Daniel,<br>
<br>
Thanks for the patch! This fix seems reasonable to me, although it would be good to add the reproducer as a test case! (tests/Analysis/malloc.cpp would be a fine place for it).<br>
<br>
Devin<o:p></o:p></span></p>
</div>
</div>
<div>
<div>
<p class="MsoNormal" style="margin-bottom:12.0pt"><span style="font-size:10.0pt"><br>
<br>
> On Nov 30, 2016, at 4:10 PM, Abramo Bagnara <<a href="mailto:abramo.bagnara@gmail.com">abramo.bagnara@gmail.com</a>> wrote:<br>
> <br>
> Please consider reviewing and applying the attached patch.<br>
> <br>
> This is how to reproduce the bug:<br>
> <br>
> abramo@tester:~$ cat bug.cpp<br>
> void f(int a, int b)<br>
> {<br>
>    new char[a * b];<br>
> }<br>
> abramo@tester:~$ ~/llvm-build/bin/clang -cc1 -analyze<br>
> -analyzer-checker=cplusplus.NewDeleteLeaks bug.cpp<br>
> clang:<br>
> /home/abramo/llvm/tools/clang/include/clang/StaticAnalyzer/Core/PathSensitive/SVals.h:76:<br>
> T clang::ento::SVal::castAs() const [with T = clang::ento::NonLoc]:<br>
> Assertion `T::isKind(*this)' failed.<br>
> #0 0x0000000003689a0f llvm::sys::PrintStackTrace(llvm::raw_ostream&)<br>
> /home/abramo/llvm/lib/Support/Unix/Signals.inc:402:0<br>
> #1 0x0000000003689d6a PrintStackTraceSignalHandler(void*)<br>
> /home/abramo/llvm/lib/Support/Unix/Signals.inc:466:0<br>
> #2 0x0000000003687f30 llvm::sys::RunSignalHandlers()<br>
> /home/abramo/llvm/lib/Support/Signals.cpp:44:0<br>
> #3 0x00000000036893a1 SignalHandler(int)<br>
> /home/abramo/llvm/lib/Support/Unix/Signals.inc:256:0<br>
> #4 0x00007f7833b31330 __restore_rt<br>
> (/lib/x86_64-linux-gnu/libpthread.so.0+0x10330)<br>
> #5 0x00007f783291dc37 gsignal<br>
> /build/eglibc-oGUzwX/eglibc-2.19/signal/../nptl/sysdeps/unix/sysv/linux/raise.c:56:0<br>
> #6 0x00007f7832921028 abort<br>
> /build/eglibc-oGUzwX/eglibc-2.19/stdlib/abort.c:91:0<br>
> #7 0x00007f7832916bf6 __assert_fail_base<br>
> /build/eglibc-oGUzwX/eglibc-2.19/assert/assert.c:92:0<br>
> #8 0x00007f7832916ca2 (/lib/x86_64-linux-gnu/libc.so.6+0x2fca2)<br>
> #9 0x0000000005b1769d clang::ento::NonLoc<br>
> clang::ento::SVal::castAs<clang::ento::NonLoc>() const<br>
> /home/abramo/llvm/tools/clang/include/clang/StaticAnalyzer/Core/PathSensitive/SVals.h:77:0<br>
> #10 0x0000000005bf5a20 (anonymous<br>
> namespace)::MallocChecker::addExtentSize(clang::ento::CheckerContext&,<br>
> clang::CXXNewExpr const*,<br>
> llvm::IntrusiveRefCntPtr<clang::ento::ProgramState const>)<br>
> /home/abramo/llvm/tools/clang/lib/StaticAnalyzer/Checkers/MallocChecker.cpp:1036:0<br>
> #11 0x0000000005bf5601 (anonymous<br>
> namespace)::MallocChecker::checkPostStmt(clang::CXXNewExpr const*,<br>
> clang::ento::CheckerContext&) const<br>
> /home/abramo/llvm/tools/clang/lib/StaticAnalyzer/Checkers/MallocChecker.cpp:991:0<br>
> #12 0x0000000005c0aa29 void<br>
> clang::ento::check::PostStmt<clang::CXXNewExpr>::_checkStmt<(anonymous<br>
> namespace)::MallocChecker>(void*, clang::Stmt const*,<br>
> clang::ento::CheckerContext&)<br>
> /home/abramo/llvm/tools/clang/include/clang/StaticAnalyzer/Core/Checker.h:105:0<br>
> #13 0x0000000005f0d9a8 clang::ento::CheckerFn<void (clang::Stmt const*,<br>
> clang::ento::CheckerContext&)>::operator()(clang::Stmt const*,<br>
> clang::ento::CheckerContext&) const<br>
> /home/abramo/llvm/tools/clang/include/clang/StaticAnalyzer/Core/CheckerManager.h:60:0<br>
> #14 0x0000000005f08002 (anonymous<br>
> namespace)::CheckStmtContext::runChecker(clang::ento::CheckerFn<void<br>
> (clang::Stmt const*, clang::ento::CheckerContext&)>,<br>
> clang::ento::NodeBuilder&, clang::ento::ExplodedNode*)<br>
> /home/abramo/llvm/tools/clang/lib/StaticAnalyzer/Core/CheckerManager.cpp:161:0<br>
> #15 0x0000000005f0a761 void expandGraphWithCheckers<(anonymous<br>
> namespace)::CheckStmtContext>((anonymous namespace)::CheckStmtContext,<br>
> clang::ento::ExplodedNodeSet&, clang::ento::ExplodedNodeSet const&)<br>
> /home/abramo/llvm/tools/clang/lib/StaticAnalyzer/Core/CheckerManager.cpp:121:0<br>
> #16 0x0000000005f080b2<br>
> clang::ento::CheckerManager::runCheckersForStmt(bool,<br>
> clang::ento::ExplodedNodeSet&, clang::ento::ExplodedNodeSet const&,<br>
> clang::Stmt const*, clang::ento::ExprEngine&, bool)<br>
> /home/abramo/llvm/tools/clang/lib/StaticAnalyzer/Core/CheckerManager.cpp:175:0<br>
> #17 0x0000000005f40184<br>
> clang::ento::CheckerManager::runCheckersForPostStmt(clang::ento::ExplodedNodeSet&,<br>
> clang::ento::ExplodedNodeSet const&, clang::Stmt const*,<br>
> clang::ento::ExprEngine&, bool)<br>
> /home/abramo/llvm/tools/clang/include/clang/StaticAnalyzer/Core/CheckerManager.h:206:0<br>
> #18 0x0000000005f3770a clang::ento::ExprEngine::Visit(clang::Stmt<br>
> const*, clang::ento::ExplodedNode*, clang::ento::ExplodedNodeSet&)<br>
> /home/abramo/llvm/tools/clang/lib/StaticAnalyzer/Core/ExprEngine.cpp:1151:0<br>
> #19 0x0000000005f341e4<br>
> clang::ento::ExprEngine::ProcessStmt(clang::CFGStmt,<br>
> clang::ento::ExplodedNode*)<br>
> /home/abramo/llvm/tools/clang/lib/StaticAnalyzer/Core/ExprEngine.cpp:463:0<br>
> #20 0x0000000005f334e4<br>
> clang::ento::ExprEngine::processCFGElement(clang::CFGElement,<br>
> clang::ento::ExplodedNode*, unsigned int,<br>
> clang::ento::NodeBuilderContext*)<br>
> /home/abramo/llvm/tools/clang/lib/StaticAnalyzer/Core/ExprEngine.cpp:311:0<br>
> #21 0x0000000005f228db<br>
> clang::ento::CoreEngine::HandlePostStmt(clang::CFGBlock const*, unsigned<br>
> int, clang::ento::ExplodedNode*)<br>
> /home/abramo/llvm/tools/clang/lib/StaticAnalyzer/Core/CoreEngine.cpp:532:0<br>
> #22 0x0000000005f217ea<br>
> clang::ento::CoreEngine::dispatchWorkItem(clang::ento::ExplodedNode*,<br>
> clang::ProgramPoint, clang::ento::WorkListUnit const&)<br>
> /home/abramo/llvm/tools/clang/lib/StaticAnalyzer/Core/CoreEngine.cpp:279:0<br>
> #23 0x0000000005f213ca<br>
> clang::ento::CoreEngine::ExecuteWorkList(clang::LocationContext const*,<br>
> unsigned int, llvm::IntrusiveRefCntPtr<clang::ento::ProgramState const>)<br>
> /home/abramo/llvm/tools/clang/lib/StaticAnalyzer/Core/CoreEngine.cpp:216:0<br>
> #24 0x0000000004e7ee6a<br>
> clang::ento::ExprEngine::ExecuteWorkList(clang::LocationContext const*,<br>
> unsigned int)<br>
> /home/abramo/llvm/tools/clang/include/clang/StaticAnalyzer/Core/PathSensitive/ExprEngine.h:109:0<br>
> #25 0x0000000004e388be (anonymous<br>
> namespace)::AnalysisConsumer::ActionExprEngine(clang::Decl*, bool,<br>
> clang::ento::ExprEngine::InliningModes, llvm::DenseSet<clang::Decl<br>
> const*, llvm::DenseMapInfo<clang::Decl const*> >*)<br>
> /home/abramo/llvm/tools/clang/lib/StaticAnalyzer/Frontend/AnalysisConsumer.cpp:724:0<br>
> #26 0x0000000004e389d8 (anonymous<br>
> namespace)::AnalysisConsumer::RunPathSensitiveChecks(clang::Decl*,<br>
> clang::ento::ExprEngine::InliningModes, llvm::DenseSet<clang::Decl<br>
> const*, llvm::DenseMapInfo<clang::Decl const*> >*)<br>
> /home/abramo/llvm/tools/clang/lib/StaticAnalyzer/Frontend/AnalysisConsumer.cpp:741:0<br>
> #27 0x0000000004e386a0 (anonymous<br>
> namespace)::AnalysisConsumer::HandleCode(clang::Decl*, unsigned int,<br>
> clang::ento::ExprEngine::InliningModes, llvm::DenseSet<clang::Decl<br>
> const*, llvm::DenseMapInfo<clang::Decl const*> >*)<br>
> /home/abramo/llvm/tools/clang/lib/StaticAnalyzer/Frontend/AnalysisConsumer.cpp:688:0<br>
> #28 0x0000000004e3769d (anonymous<br>
> namespace)::AnalysisConsumer::HandleDeclsCallGraph(unsigned int)<br>
> /home/abramo/llvm/tools/clang/lib/StaticAnalyzer/Frontend/AnalysisConsumer.cpp:502:0<br>
> #29 0x0000000004e37a5f (anonymous<br>
> namespace)::AnalysisConsumer::HandleTranslationUnit(clang::ASTContext&)<br>
> /home/abramo/llvm/tools/clang/lib/StaticAnalyzer/Frontend/AnalysisConsumer.cpp:553:0<br>
> #30 0x0000000004ed2d07 clang::ParseAST(clang::Sema&, bool, bool)<br>
> /home/abramo/llvm/tools/clang/lib/Parse/ParseAST.cpp:161:0<br>
> #31 0x0000000003e9fd28 clang::ASTFrontendAction::ExecuteAction()<br>
> /home/abramo/llvm/tools/clang/lib/Frontend/FrontendAction.cpp:559:0<br>
> #32 0x0000000003e9f7ed clang::FrontendAction::Execute()<br>
> /home/abramo/llvm/tools/clang/lib/Frontend/FrontendAction.cpp:462:0<br>
> #33 0x0000000003e4cc53<br>
> clang::CompilerInstance::ExecuteAction(clang::FrontendAction&)<br>
> /home/abramo/llvm/tools/clang/lib/Frontend/CompilerInstance.cpp:886:0<br>
> #34 0x0000000003fbf578<br>
> clang::ExecuteCompilerInvocation(clang::CompilerInstance*)<br>
> /home/abramo/llvm/tools/clang/lib/FrontendTool/ExecuteCompilerInvocation.cpp:249:0<br>
> #35 0x0000000001c2a827 cc1_main(llvm::ArrayRef<char const*>, char<br>
> const*, void*) /home/abramo/llvm/tools/clang/tools/driver/cc1_main.cpp:221:0<br>
> #36 0x0000000001c20b3f ExecuteCC1Tool(llvm::ArrayRef<char const*>,<br>
> llvm::StringRef) /home/abramo/llvm/tools/clang/tools/driver/driver.cpp:299:0<br>
> #37 0x0000000001c2174b main<br>
> /home/abramo/llvm/tools/clang/tools/driver/driver.cpp:380:0<br>
> #38 0x00007f7832908f45 __libc_start_main<br>
> /build/eglibc-oGUzwX/eglibc-2.19/csu/libc-start.c:321:0<br>
> #39 0x0000000001c1e439 _start (/home/abramo/llvm-build/bin/clang+0x1c1e439)<br>
> Stack dump:<br>
> 0.    Program arguments: /home/abramo/llvm-build/bin/clang -cc1 -analyze<br>
> -analyzer-checker=cplusplus.NewDeleteLeaks bug.cpp<br>
> 1.    <eof> parser at end of file<br>
> 2.    While analyzing stack:<br>
>        #0 void f(int a, int b)<br>
> 3.    bug.cpp:3:5: Error evaluating statement<br>
> 4.    bug.cpp:3:5: Error evaluating statement<br>
> Aborted<br>
> <br>
> <br>
> <br>
> <br>
> -- <br>
> Abramo Bagnara<br>
> <br>
> BUGSENG srl - <a href="http://bugseng.com">http://bugseng.com</a><br>
> <a href="mailto:abramo.bagnara@bugseng.com">mailto:abramo.bagnara@bugseng.com</a><br>
> <patch.txt><o:p></o:p></span></p>
</div>
</div>
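<p class="MsoNormal"><span lang="EN-US" style="font-size:11.0pt;font-family:"Calibri",sans-serif;mso-fareast-language:EN-US">Added example, not part of the thread and not the attached patch.txt (whose contents are not visible here): a lit-style regression test in the shape the reviewers ask for, suitable for test/Analysis/malloc.cpp or test/Analysis/out-of-bounds-new.cpp. It keeps the reported reproducer (the array extent is the product of two symbolic ints, and the result is discarded) and adds a second variant in which the same extent is computed but the pointer is returned, so the extent bookkeeping in MallocChecker is exercised on a path that must not produce a leak report. The function names, the addition of the core checker to the RUN line, and the exact diagnostic text and location expected from cplusplus.NewDeleteLeaks are assumptions that must be checked against the checker's actual output before the test is committed. Before the fix, the analyzer aborts on the first function, so -verify never runs; after it, -verify checks the expectations.<o:p></o:p></span></p>

```cpp
// RUN: %clang_cc1 -analyze -analyzer-checker=core,cplusplus.NewDeleteLeaks -verify %s
//
// Regression test for the MallocChecker::addExtentSize assertion on
// `new char[a * b]` (SVal::castAs<NonLoc>() on a value that is not a NonLoc).
// Before the fix the analyzer aborts while evaluating the new-expression;
// after it, analysis completes and -verify checks the diagnostics below.

// The reproducer from the report: the extent is the product of two symbolic
// ints and the allocation is discarded, so the leak checker is expected to
// report it. The diagnostic text and its placement on the allocation line
// are assumptions and must match what cplusplus.NewDeleteLeaks emits.
void testNewArraySymbolicProductExtent(int a, int b) {
  new char[a * b]; // expected-warning{{Potential memory leak}}
}

// Same extent computation, but the pointer escapes to the caller, so no leak
// is expected. This covers the extent bookkeeping on a path without a leak
// report, so the fix has to hold on both paths.
char *testNewArraySymbolicProductExtentReturned(int a, int b) {
  return new char[a * b]; // no-warning
}
```

<p class="MsoNormal"><span lang="EN-US" style="font-size:11.0pt;font-family:"Calibri",sans-serif;mso-fareast-language:EN-US">The email's command line, clang -cc1 -analyze -analyzer-checker=cplusplus.NewDeleteLeaks bug.cpp, is what the RUN line reproduces; core is added because the leak checker is normally run together with it in the existing malloc tests.<o:p></o:p></span></p>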
</div>
</body>
</html>