2 files changed, 12 insertions, 3 deletions

diff --git a/lib/StaticAnalyzer/Core/ExprEngineCXX.cpp b/lib/StaticAnalyzer/Core/ExprEngineCXX.cpp
index c1dd6b2220..64c361d4d8 100644
--- a/lib/StaticAnalyzer/Core/ExprEngineCXX.cpp
+++ b/lib/StaticAnalyzer/Core/ExprEngineCXX.cpp
@@ -351,15 +351,16 @@ void ExprEngine::VisitCXXNewExpr(const CXXNewExpr *CNE, ExplodedNode *Pred,
     State = State->BindExpr(CNE, LCtx, symVal);
   }
 
-  Bldr.generateNode(CNE, Pred, State);  
+  ExplodedNode *NewN = Bldr.generateNode(CNE, Pred, State);
+  if (!NewN)
+    return;
 
   // If the type is not a record, we won't have a CXXConstructExpr as an
   // initializer. Copy the value over.
   if (const Expr *Init = CNE->getInitializer()) {
     if (!isa<CXXConstructExpr>(Init)) {
       assert(Bldr.getResults().size() == 1);
-      ExplodedNode *TmpN = *Bldr.getResults().begin();
-      Bldr.takeNodes(TmpN);
+      Bldr.takeNodes(NewN);
 
       assert(!CNE->getType()->getPointeeCXXRecordDecl());
 
diff --git a/test/Analysis/new.cpp b/test/Analysis/new.cpp
index 004a05ef94..44ae9802f8 100644
--- a/test/Analysis/new.cpp
+++ b/test/Analysis/new.cpp
@@ -94,6 +94,14 @@ void testNewInvalidationScalarPlacement(int **p) {
   new (p) (int *)(static_cast<int *>(malloc(4))); // no-warning
 }
 
+void testCacheOut(PtrWrapper w) {
+  extern bool coin();
+  if (coin())
+    w.x = 0;
+  new (&w.x) (int*)(0); // we cache out here; don't crash
+}
+
+
 //--------------------------------------------------------------------
 // Check for intersection with other checkers from MallocChecker.cpp 
 // bounded with unix.Malloc