<html>
    <head>
      <base href="https://bugs.llvm.org/">
    </head>
    <body><table border="1" cellspacing="0" cellpadding="8">
        <tr>
          <th>Bug ID</th>
          <td><a class="bz_bug_link 
          bz_status_NEW "
   title="NEW - unix.Malloc checker fails for dynamic arrays w/expressions for sizes"
   href="https://bugs.llvm.org/show_bug.cgi?id=32050">32050</a>
          </td>
        </tr>

        <tr>
          <th>Summary</th>
          <td>unix.Malloc checker fails for dynamic arrays w/expressions for sizes
          </td>
        </tr>

        <tr>
          <th>Product</th>
          <td>clang
          </td>
        </tr>

        <tr>
          <th>Version</th>
          <td>trunk
          </td>
        </tr>

        <tr>
          <th>Hardware</th>
          <td>PC
          </td>
        </tr>

        <tr>
          <th>OS</th>
          <td>Linux
          </td>
        </tr>

        <tr>
          <th>Status</th>
          <td>NEW
          </td>
        </tr>

        <tr>
          <th>Severity</th>
          <td>enhancement
          </td>
        </tr>

        <tr>
          <th>Priority</th>
          <td>P
          </td>
        </tr>

        <tr>
          <th>Component</th>
          <td>Static Analyzer
          </td>
        </tr>

        <tr>
          <th>Assignee</th>
          <td>kremenek@apple.com
          </td>
        </tr>

        <tr>
          <th>Reporter</th>
          <td>marshallk@google.com
          </td>
        </tr>

        <tr>
          <th>CC</th>
          <td>llvm-bugs@lists.llvm.org
          </td>
        </tr></table>
      <p>
        <div>
        <pre>The unix.Malloc checker crashes while analyzing source code which has dynamic
arrays with expressions that are computed from free variables. (A fix with
regression test is impending shortly.)


Repro: run the analyzer with -analyzer-checker=unix.Malloc over this function (the exact
command line is in the stack dump below). Keep the function free of call sites: if it
were only reached by inlining from a caller with concrete arguments, the size expression
would presumably be folded to a constant and the faulty path would not be exercised.


// Minimal repro for the unix.Malloc crash: a dynamic array whose element count
// is an expression over the parameters a and b, which stay unconstrained as
// long as nothing calls this function. The result of new[] is deliberately
// neither stored nor deleted -- a leak report would be an acceptable outcome;
// the bug is that the checker aborts before it gets that far.
// NOTE(review): a + b is a signed int sum, so it can overflow (undefined
// behavior), and a negative count makes new[] throw std::bad_array_new_length
// in C++11 and later. Irrelevant to the repro, but worth knowing before this
// shape is copied into real code.
void AllocateExpr(int a, int b) {
  new int[a + b];  // non-constant size: this is the CXXNewExpr the checker chokes on
}



Expected: the analyzer finishes without crashing -- either with no diagnostic, or with a
memory-leak warning, since the array returned by new[] is never stored or deleted.

Actual: clang aborts on the assertion below (assertion-enabled build); the stack trace follows.

The unix.Malloc checker crashes while analyzing source code that allocates a dynamic
array whose size is an expression computed from free (unconstrained) variables. In the
trace below the failure is the T::isKind(*this) assertion in
SVal::castAs<DefinedOrUnknownSVal>(), reached from MallocChecker's PostStmt<CXXNewExpr>
callback. This is a Release+Asserts build, so the bad cast surfaces as an abort; how a
build without assertions behaves on the same path should be confirmed separately.
(A fix with a regression test will follow shortly.)


Repro: run the analyzer with -analyzer-checker=unix.Malloc over this function (the exact
command line is in the stack dump below). Keep the function free of call sites: if it
were only reached by inlining from a caller with concrete arguments, the size expression
would presumably be folded to a constant and the faulty path would not be exercised.


// Minimal repro for the unix.Malloc crash: a dynamic array whose element count
// is an expression over the parameters a and b, which stay unconstrained as
// long as nothing calls this function. The result of new[] is deliberately
// neither stored nor deleted -- a leak report would be an acceptable outcome;
// the bug is that the checker aborts before it gets that far.
// NOTE(review): a + b is a signed int sum, so it can overflow (undefined
// behavior), and a negative count makes new[] throw std::bad_array_new_length
// in C++11 and later. Irrelevant to the repro, but worth knowing before this
// shape is copied into real code.
void AllocateExpr(int a, int b) {
  new int[a + b];  // non-constant size: this is the CXXNewExpr the checker chokes on
}



Expected: the analyzer finishes without crashing -- either with no diagnostic, or with a
memory-leak warning, since the array returned by new[] is never stored or deleted.

Actual: clang aborts on the assertion below (assertion-enabled build); the stack trace follows.

clang:
/home/marshallk/chrome/src/third_party/llvm/tools/clang/include/clang/StaticAnalyzer/Core/PathSensitive/SVals.h:77:
T clang::ento::SVal::castAs() const [with T = clang::ento::NonLoc]: Assertion
`T::isKind(*this)' failed.
#0 0x0000000001d381f5 llvm::sys::PrintStackTrace(llvm::raw_ostream&)
(/home/marshallk/chrome/src/third_party/llvm-build/Release+Asserts/./bin/clang+0x1d381f5)
#1 0x0000000001d3626e llvm::sys::RunSignalHandlers()
(/home/marshallk/chrome/src/third_party/llvm-build/Release+Asserts/./bin/clang+0x1d3626e)
#2 0x0000000001d363d2 SignalHandler(int)
(/home/marshallk/chrome/src/third_party/llvm-build/Release+Asserts/./bin/clang+0x1d363d2)
#3 0x00007f8d9b960330 __restore_rt
(/lib/x86_64-linux-gnu/libpthread.so.0+0x10330)
#4 0x00007f8d9a554c37 gsignal
/build/eglibc-oGUzwX/eglibc-2.19/signal/../nptl/sysdeps/unix/sysv/linux/raise.c:56:0
#5 0x00007f8d9a558028 abort
/build/eglibc-oGUzwX/eglibc-2.19/stdlib/abort.c:91:0
#6 0x00007f8d9a54dbf6 __assert_fail_base
/build/eglibc-oGUzwX/eglibc-2.19/assert/assert.c:92:0
#7 0x00007f8d9a54dca2 (/lib/x86_64-linux-gnu/libc.so.6+0x2fca2)
#8 0x0000000000a099c8 clang::ento::DefinedOrUnknownSVal
clang::ento::SVal::castAs<clang::ento::DefinedOrUnknownSVal>() const [clone
.part.271]
(/home/marshallk/chrome/src/third_party/llvm-build/Release+Asserts/./bin/clang+0xa099c8)
#9 0x0000000002fc93b9 void
clang::ento::check::PostStmt<clang::CXXNewExpr>::_checkStmt<(anonymous
namespace)::MallocChecker>(void*, clang::Stmt const*,
clang::ento::CheckerContext&)
(/home/marshallk/chrome/src/third_party/llvm-build/Release+Asserts/./bin/clang+0x2fc93b9)
#10 0x0000000003142837 clang::ento::CheckerManager::runCheckersForStmt(bool,
clang::ento::ExplodedNodeSet&, clang::ento::ExplodedNodeSet const&, clang::Stmt
const*, clang::ento::ExprEngine&, bool)
(/home/marshallk/chrome/src/third_party/llvm-build/Release+Asserts/./bin/clang+0x3142837)
#11 0x000000000316c036 clang::ento::ExprEngine::Visit(clang::Stmt const*,
clang::ento::ExplodedNode*, clang::ento::ExplodedNodeSet&)
(/home/marshallk/chrome/src/third_party/llvm-build/Release+Asserts/./bin/clang+0x316c036)
#12 0x000000000316d616 clang::ento::ExprEngine::ProcessStmt(clang::CFGStmt,
clang::ento::ExplodedNode*)
(/home/marshallk/chrome/src/third_party/llvm-build/Release+Asserts/./bin/clang+0x316d616)
#13 0x000000000316d8a5
clang::ento::ExprEngine::processCFGElement(clang::CFGElement,
clang::ento::ExplodedNode*, unsigned int, clang::ento::NodeBuilderContext*)
(/home/marshallk/chrome/src/third_party/llvm-build/Release+Asserts/./bin/clang+0x316d8a5)
#14 0x00000000031479f4 clang::ento::CoreEngine::HandlePostStmt(clang::CFGBlock
const*, unsigned int, clang::ento::ExplodedNode*)
(/home/marshallk/chrome/src/third_party/llvm-build/Release+Asserts/./bin/clang+0x31479f4)
#15 0x00000000031493f4
clang::ento::CoreEngine::dispatchWorkItem(clang::ento::ExplodedNode*,
clang::ProgramPoint, clang::ento::WorkListUnit const&)
(/home/marshallk/chrome/src/third_party/llvm-build/Release+Asserts/./bin/clang+0x31493f4)
#16 0x00000000031495a6
clang::ento::CoreEngine::ExecuteWorkList(clang::LocationContext const*,
unsigned int, llvm::IntrusiveRefCntPtr<clang::ento::ProgramState const>)
(/home/marshallk/chrome/src/third_party/llvm-build/Release+Asserts/./bin/clang+0x31495a6)
#17 0x00000000028805bc (anonymous
namespace)::AnalysisConsumer::ActionExprEngine(clang::Decl*, bool,
clang::ento::ExprEngine::InliningModes, llvm::DenseSet<clang::Decl const*,
llvm::DenseMapInfo<clang::Decl const*> >*) [clone .part.4582]
(/home/marshallk/chrome/src/third_party/llvm-build/Release+Asserts/./bin/clang+0x28805bc)
#18 0x0000000002880f7b (anonymous
namespace)::AnalysisConsumer::HandleCode(clang::Decl*, unsigned int,
clang::ento::ExprEngine::InliningModes, llvm::DenseSet<clang::Decl const*,
llvm::DenseMapInfo<clang::Decl const*> >*)
(/home/marshallk/chrome/src/third_party/llvm-build/Release+Asserts/./bin/clang+0x2880f7b)
#19 0x000000000288d257 (anonymous
namespace)::AnalysisConsumer::HandleTranslationUnit(clang::ASTContext&) [clone
.part.4633]
(/home/marshallk/chrome/src/third_party/llvm-build/Release+Asserts/./bin/clang+0x288d257)
#20 0x00000000028b48b2 clang::ParseAST(clang::Sema&, bool, bool)
(/home/marshallk/chrome/src/third_party/llvm-build/Release+Asserts/./bin/clang+0x28b48b2)
#21 0x00000000021d5666 clang::FrontendAction::Execute()
(/home/marshallk/chrome/src/third_party/llvm-build/Release+Asserts/./bin/clang+0x21d5666)
#22 0x00000000021af5a6
clang::CompilerInstance::ExecuteAction(clang::FrontendAction&)
(/home/marshallk/chrome/src/third_party/llvm-build/Release+Asserts/./bin/clang+0x21af5a6)
#23 0x000000000225e30a
clang::ExecuteCompilerInvocation(clang::CompilerInstance*)
(/home/marshallk/chrome/src/third_party/llvm-build/Release+Asserts/./bin/clang+0x225e30a)
#24 0x0000000000abeb18 cc1_main(llvm::ArrayRef<char const*>, char const*,
void*)
(/home/marshallk/chrome/src/third_party/llvm-build/Release+Asserts/./bin/clang+0xabeb18)
#25 0x0000000000a5fb36 main
(/home/marshallk/chrome/src/third_party/llvm-build/Release+Asserts/./bin/clang+0xa5fb36)
#26 0x00007f8d9a53ff45 __libc_start_main
/build/eglibc-oGUzwX/eglibc-2.19/csu/libc-start.c:321:0
#27 0x0000000000abacae _start
(/home/marshallk/chrome/src/third_party/llvm-build/Release+Asserts/./bin/clang+0xabacae)
Stack dump:
0.      Program arguments:
/home/marshallk/chrome/src/third_party/llvm-build/Release+Asserts/./bin/clang
-cc1 -internal-isystem
/home/marshallk/chrome/src/third_party/llvm-build/Release+Asserts/bin/../lib/clang/4.0.0/include
-nostdsysteminc -analyze -analyzer-checker=unix.Malloc -verify
/home/marshallk/chrome/src/third_party/llvm/tools/clang/test/Analysis/Malloc+NewDynamicArray.cpp 
1.      <eof> parser at end of file
2.      While analyzing stack: 
        #0 void AllocateExpr(int a, int b)
3.     
/home/marshallk/chrome/src/third_party/llvm/tools/clang/test/Analysis/Malloc+NewDynamicArray.cpp:13:3:
Error evaluating statement
4.     
/home/marshallk/chrome/src/third_party/llvm/tools/clang/test/Analysis/Malloc+NewDynamicArray.cpp:13:3:
Error evaluating statement
/home/marshallk/chrome/src/third_party/llvm-build/Release+Asserts/tools/clang/test/Analysis/Output/Malloc+NewDynamicArray.cpp.script:
line 1: 24463 Aborted                 (core dumped)
/home/marshallk/chrome/src/third_party/llvm-build/Release+Asserts/./bin/clang
-cc1 -internal-isystem
/home/marshallk/chrome/src/third_party/llvm-build/Release+Asserts/bin/../lib/clang/4.0.0/include
-nostdsysteminc -analyze -analyzer-checker=unix.Malloc -verify
/home/marshallk/chrome/src/third_party/llvm/tools/clang/test/Analysis/Malloc+NewDynamicArray.cpp</pre>
        </div>
      </p>


    </body>
</html>