<html>
    <head>
      <base href="https://bugs.llvm.org/">
    </head>
    <body><table border="1" cellspacing="0" cellpadding="8">
        <tr>
          <th>Bug ID</th>
          <td><a class="bz_bug_link 
          bz_status_NEW "
   title="NEW - [MallocChecker] MallocChecker::MallocUpdateRefState(): Assertion `Sym' failed."
   href="https://bugs.llvm.org/show_bug.cgi?id=34144">34144</a>
          </td>
        </tr>

        <tr>
          <th>Summary</th>
          <td>[MallocChecker] MallocChecker::MallocUpdateRefState(): Assertion `Sym' failed.
          </td>
        </tr>

        <tr>
          <th>Product</th>
          <td>clang
          </td>
        </tr>

        <tr>
          <th>Version</th>
          <td>4.0
          </td>
        </tr>

        <tr>
          <th>Hardware</th>
          <td>PC
          </td>
        </tr>

        <tr>
          <th>OS</th>
          <td>Linux
          </td>
        </tr>

        <tr>
          <th>Status</th>
          <td>NEW
          </td>
        </tr>

        <tr>
          <th>Severity</th>
          <td>release blocker
          </td>
        </tr>

        <tr>
          <th>Priority</th>
          <td>P
          </td>
        </tr>

        <tr>
          <th>Component</th>
          <td>Static Analyzer
          </td>
        </tr>

        <tr>
          <th>Assignee</th>
          <td>kremenek@apple.com
          </td>
        </tr>

        <tr>
          <th>Reporter</th>
          <td>movietravelcode@outlook.com
          </td>
        </tr>

        <tr>
          <th>CC</th>
          <td>llvm-bugs@lists.llvm.org
          </td>
        </tr></table>
      <p>
        <div>
<pre>Hi all,
I found an assertion failure in MallocChecker.
MallocChecker::MallocUpdateRefState() assumes that the pointer returned by
CXXNewExpr can't be null. I don't think this assumption holds in all cases,
especially if I add the option "c++-allocator-inlining=true"!

#include <new>
// Replacement for the global nothrow operator new that always fails
// (returns a null pointer), which is what the nothrow variant is allowed to do.
void *operator new(std::size_t, const std::nothrow_t&) noexcept
{
    return 0;
}

int main()
{
    // With the replacement above, i is null here; delete on a null pointer is a no-op.
    int *i = new(std::nothrow) int(1);
    delete i;
    return 0;
}

The above code sample overloads the nothrow version of operator new. When I use
the command "clang --analyze -std=c++11 -Xanalyzer
-analyzer-checker=unix.Malloc -Xanalyzer -analyzer-config -Xanalyzer
c++-allocator-inlining=true Bug.cpp", the assertion failure is triggered. The
specific information is as follows.

-------------------------------------------------------------------------------

clang-4.0:
/home/mtc/file/llvm-4.0.0/tools/clang/lib/StaticAnalyzer/Checkers/MallocChecker.cpp:1193:
static clang::ento::ProgramStateRef
{anonymous}::MallocChecker::MallocUpdateRefState(clang::ento::CheckerContext&,
const clang::Expr*, clang::ento::ProgramStateRef,
{anonymous}::AllocationFamily): Assertion `Sym' failed.
#0 0x0000000001e09f68 llvm::sys::PrintStackTrace(llvm::raw_ostream&)
(/usr/local/bin/clang-4.0+0x1e09f68)
#1 0x0000000001e07bfe llvm::sys::RunSignalHandlers()
(/usr/local/bin/clang-4.0+0x1e07bfe)
#2 0x0000000001e07d72 SignalHandler(int) (/usr/local/bin/clang-4.0+0x1e07d72)
#3 0x00007fdd522f9390 __restore_rt
(/lib/x86_64-linux-gnu/libpthread.so.0+0x11390)
#4 0x00007fdd514ae428 gsignal (/lib/x86_64-linux-gnu/libc.so.6+0x35428)
#5 0x00007fdd514b002a abort (/lib/x86_64-linux-gnu/libc.so.6+0x3702a)
#6 0x00007fdd514a6bd7 (/lib/x86_64-linux-gnu/libc.so.6+0x2dbd7)
#7 0x00007fdd514a6c82 (/lib/x86_64-linux-gnu/libc.so.6+0x2dc82)
#8 0x0000000003145061 (anonymous
namespace)::MallocChecker::MallocUpdateRefState(clang::ento::CheckerContext&,
clang::Expr const*, llvm::IntrusiveRefCntPtr<clang::ento::ProgramState const>,
(anonymous namespace)::AllocationFamily) (/usr/local/bin/clang-4.0+0x3145061)
#9 0x00000000031503e4 void
clang::ento::check::PostStmt<clang::CXXNewExpr>::_checkStmt<(anonymous
namespace)::MallocChecker>(void*, clang::Stmt const*,
clang::ento::CheckerContext&) (/usr/local/bin/clang-4.0+0x31503e4)
#10 0x00000000033119df clang::ento::CheckerManager::runCheckersForStmt(bool,
clang::ento::ExplodedNodeSet&, clang::ento::ExplodedNodeSet const&, clang::Stmt
const*, clang::ento::ExprEngine&, bool) (/usr/local/bin/clang-4.0+0x33119df)
#11 0x0000000003358e89
clang::ento::ExprEngine::processCallExit(clang::ento::ExplodedNode*)
(/usr/local/bin/clang-4.0+0x3358e89)
#12 0x000000000331905c
clang::ento::CoreEngine::dispatchWorkItem(clang::ento::ExplodedNode*,
clang::ProgramPoint, clang::ento::WorkListUnit const&)
(/usr/local/bin/clang-4.0+0x331905c)
#13 0x000000000331931e
clang::ento::CoreEngine::ExecuteWorkList(clang::LocationContext const*,
unsigned int, llvm::IntrusiveRefCntPtr<clang::ento::ProgramState const>)
(/usr/local/bin/clang-4.0+0x331931e)
#14 0x00000000029bb62f (anonymous
namespace)::AnalysisConsumer::ActionExprEngine(clang::Decl*, bool,
clang::ento::ExprEngine::InliningModes, llvm::DenseSet<clang::Decl const*,
llvm::DenseMapInfo<clang::Decl const*> >*) [clone .part.4300] [clone
.constprop.4417] (/usr/local/bin/clang-4.0+0x29bb62f)
#15 0x00000000029bbe22 (anonymous
namespace)::AnalysisConsumer::HandleCode(clang::Decl*, unsigned int,
clang::ento::ExprEngine::InliningModes, llvm::DenseSet<clang::Decl const*,
llvm::DenseMapInfo<clang::Decl const*> >*) [clone .constprop.4412]
(/usr/local/bin/clang-4.0+0x29bbe22)
#16 0x00000000029cb59e (anonymous
namespace)::AnalysisConsumer::HandleTranslationUnit(clang::ASTContext&) [clone
.part.4350] [clone .constprop.4392] (/usr/local/bin/clang-4.0+0x29cb59e)
#17 0x00000000029f0b48 clang::ParseAST(clang::Sema&, bool, bool)
(/usr/local/bin/clang-4.0+0x29f0b48)
#18 0x0000000002303ed6 clang::FrontendAction::Execute()
(/usr/local/bin/clang-4.0+0x2303ed6)
#19 0x00000000022d6146
clang::CompilerInstance::ExecuteAction(clang::FrontendAction&)
(/usr/local/bin/clang-4.0+0x22d6146)
#20 0x000000000238b462
clang::ExecuteCompilerInvocation(clang::CompilerInstance*)
(/usr/local/bin/clang-4.0+0x238b462)
#21 0x0000000000a45928 cc1_main(llvm::ArrayRef<char const*>, char const*,
void*) (/usr/local/bin/clang-4.0+0xa45928)
#22 0x00000000009d804c main (/usr/local/bin/clang-4.0+0x9d804c)
#23 0x00007fdd51499830 __libc_start_main
(/lib/x86_64-linux-gnu/libc.so.6+0x20830)
#24 0x0000000000a422d9 _start (/usr/local/bin/clang-4.0+0xa422d9)
Stack dump:
0.      Program arguments: /usr/local/bin/clang-4.0 -cc1 -triple
x86_64-unknown-linux-gnu -analyze -disable-free -main-file-name Bug.cpp
-analyzer-store=region -analyzer-opt-analyze-nested-blocks
-analyzer-eagerly-assume -analyzer-checker=core -analyzer-checker=apiModeling
-analyzer-checker=unix -analyzer-checker=deadcode -analyzer-checker=cplusplus
-analyzer-checker=security.insecureAPI.UncheckedReturn
-analyzer-checker=security.insecureAPI.getpw
-analyzer-checker=security.insecureAPI.gets
-analyzer-checker=security.insecureAPI.mktemp
-analyzer-checker=security.insecureAPI.mkstemp
-analyzer-checker=security.insecureAPI.vfork
-analyzer-checker=nullability.NullPassedToNonnull
-analyzer-checker=nullability.NullReturnedFromNonnull -analyzer-output plist -w
-analyzer-checker=unix.Malloc -analyzer-config c++-allocator-inlining=true
-mrelocation-model static -mthread-model posix -mdisable-fp-elim -fmath-errno
-masm-verbose -mconstructor-aliases -munwind-tables -fuse-init-array
-target-cpu x86-64 -dwarf-column-info -debugger-tuning=gdb -resource-dir
/usr/local/bin/../lib/clang/4.0.0 -internal-isystem
/usr/lib/gcc/x86_64-linux-gnu/5.4.0/../../../../include/c++/5.4.0
-internal-isystem
/usr/lib/gcc/x86_64-linux-gnu/5.4.0/../../../../include/x86_64-linux-gnu/c++/5.4.0
-internal-isystem
/usr/lib/gcc/x86_64-linux-gnu/5.4.0/../../../../include/x86_64-linux-gnu/c++/5.4.0
-internal-isystem
/usr/lib/gcc/x86_64-linux-gnu/5.4.0/../../../../include/c++/5.4.0/backward
-internal-isystem /usr/local/include -internal-isystem
/usr/local/bin/../lib/clang/4.0.0/include -internal-externc-isystem
/usr/include/x86_64-linux-gnu -internal-externc-isystem /include
-internal-externc-isystem /usr/include -std=c++11 -fdeprecated-macro
-fdebug-compilation-dir /home/mtc/file/workspace/test -ferror-limit 19
-fmessage-length 283 -fobjc-runtime=gcc -fcxx-exceptions -fexceptions
-fdiagnostics-show-option -o Bug.plist -x c++ Bug.cpp 
1.      <eof> parser at end of file
2.      While analyzing stack: 
        #0 void *operator new(std::size_t, const std::nothrow_t &) noexcept
__attribute__((visibility("default")))
        #1 int main()
clang-4.0: error: unable to execute command: Aborted (core dumped)
clang-4.0: error: clang frontend command failed due to signal (use -v to see
invocation)
clang version 4.0.0 (tags/RELEASE_400/final)
Target: x86_64-unknown-linux-gnu
Thread model: posix
InstalledDir: /usr/local/bin
clang-4.0: note: diagnostic msg: PLEASE submit a bug report to
<a href="http://llvm.org/bugs/">http://llvm.org/bugs/</a> and include the crash backtrace, preprocessed source, and
associated run script.
clang-4.0: note: diagnostic msg: 
********************

PLEASE ATTACH THE FOLLOWING FILES TO THE BUG REPORT:
Preprocessed source(s) and associated run script(s) are located at:
clang-4.0: note: diagnostic msg: /tmp/Bug-80de81.cpp
clang-4.0: note: diagnostic msg: /tmp/Bug-80de81.sh
clang-4.0: note: diagnostic msg: 

********************

-----------------------------------------------------------------------------

The execution path is VisitCXXNewAllocator() -> inline "operator new" -> get the
return value 0 -> execute ProcessCallExit() and bind 0 to CXXNewExpr ->
runCheckersForPostStmt -> MallocChecker::checkPostStmt(const CXXNewExpr*, ) ->
MallocChecker::MallocUpdateRefState() -> assertion failure.</pre>
        </div>
      </p>
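<p>The report hinges on one fact: a nothrow <code>operator new</code> may legitimately return a null pointer, so the result of <code>new(std::nothrow)</code> must be modelled as possibly null, by callers and by the analyzer alike. The following program is an added example written for this page, not code from the bug report or from clang; it replaces the global nothrow <code>operator new</code> with a fault-injecting version that hands out real storage until a budget (<code>g_nothrow_budget</code>, a name chosen here) runs out, then starts returning null, and shows a caller that handles that path instead of dereferencing it. It also re-runs the report's own allocate-then-delete sequence to show that it is well defined at run time even when the allocation fails, so the crash is in the analyzer, not in the analyzed program. The function names and the budget mechanism are this example's own constructs.</p>

```cpp
// Added example (not from the bug report): fault-injecting nothrow operator new.
#include <cstddef>
#include <cstdio>
#include <cstdlib>
#include <new>

// Nothrow allocations that will still succeed before the replacement starts
// returning nullptr. Negative means "never fail". (Constructed for this example.)
static int g_nothrow_budget = -1;

void set_nothrow_budget(int remaining) { g_nothrow_budget = remaining; }

// Replacement for the global nothrow operator new. Like the one in the report
// it may return null; unlike it, it hands out malloc storage while the budget
// lasts, so the library's default operator delete (which frees) still matches.
void *operator new(std::size_t size, const std::nothrow_t &) noexcept {
    if (g_nothrow_budget == 0)
        return nullptr;
    if (g_nothrow_budget > 0)
        --g_nothrow_budget;
    if (size == 0)
        size = 1;
    return std::malloc(size);
}

// Array form, routed through the scalar form so the same budget applies.
void *operator new[](std::size_t size, const std::nothrow_t &nt) noexcept {
    return ::operator new(size, nt);
}

// Sums 0^2 + 1^2 + ... + (n-1)^2 using a heap buffer from nothrow new.
// Returns false and leaves *out untouched when the allocation fails; this
// null-return path is exactly the one the analyzer must be able to model.
bool sum_squares(std::size_t n, long long *out) {
    int *buf = new (std::nothrow) int[n];
    if (buf == nullptr)
        return false;
    long long acc = 0;
    for (std::size_t i = 0; i < n; ++i) {
        buf[i] = static_cast<int>(i * i);
        acc += buf[i];
    }
    delete[] buf;
    *out = acc;
    return true;
}

// The report's own sequence: allocate with nothrow new and delete the result
// without checking it. If the allocation function returns null, the initializer
// "(1)" is not evaluated and delete on a null pointer is a no-op, so this is
// well defined at run time whether or not the allocation fails. Returns true
// when the observed nullness matches the requested failure mode.
bool report_sequence_runs(bool fail_allocation) {
    set_nothrow_budget(fail_allocation ? 0 : -1);
    int *i = new (std::nothrow) int(1);
    bool got_null = (i == nullptr);
    delete i;
    set_nothrow_budget(-1);
    return got_null == fail_allocation;
}

int main() {
    long long s = 0;
    set_nothrow_budget(-1);
    std::printf("unlimited budget: ok=%d sum=%lld\n", sum_squares(4, &s), s);
    set_nothrow_budget(0);
    std::printf("exhausted budget: ok=%d sum=%lld\n", sum_squares(4, &s), s);
    set_nothrow_budget(-1);
    std::printf("report sequence, failing alloc: %d\n", report_sequence_runs(true));
    std::printf("report sequence, working alloc: %d\n", report_sequence_runs(false));
    return 0;
}
```

<p>Running the same file through <code>clang --analyze</code> with <code>-analyzer-config c++-allocator-inlining=true</code> is the check that matters here: once the analyzer inlines the replacement and sees the <code>nullptr</code> return, the post-statement callback for the <code>CXXNewExpr</code> receives a concrete null rather than a symbolic region, which is the state the report says <code>MallocUpdateRefState()</code> asserts on.</p>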


      <hr>
      <span>You are receiving this mail because:</span>

      <ul>
          <li>You are on the CC list for the bug.</li>
      </ul>
    </body>
</html>