[cfe-dev] Anyone working on a checker for realloc?
Lenny Maiorani
lenny at Colorado.EDU
Tue Apr 19 17:31:50 PDT 2011
On Apr 19, 2011, at 3:27 PM, Marshall Clow wrote:
> Having had a discussion with someone about problems with using realloc, I was wondering if anyone has done anything with a security checker (Lenny?) or static analysis module for problems with using realloc.
>
> Sample (bad) code:
>
> p = malloc ( 12 );
> realloc ( p, 24 );
> *p = 123; // realloc can move memory - but usually doesn't
>
> -- Marshall
>
> Marshall Clow Idio Software <mailto:mclow.lists at gmail.com>
>
> A.D. 1517: Martin Luther nails his 95 Theses to the church door and is promptly moderated down to (-1, Flamebait).
> -- Yu Suzuki
There is a checker for realloc and it does bind the return value properly, if there is a return value. I think this checker is not entirely complete at a quick glance.
It should probably additionally check that the symbol being assigned is not the same as the symbol passed into realloc as arg 1 and make sure that the return value is actually being assigned to something.
Another sample bad code is this:
p = malloc(120);
p = realloc(p, 24);
The problem here is that realloc might return an error. If it does, the input pointer is still valid and hasn't been freed. I have seen this too often and it seems to be a common misunderstanding. reallocf doesn't have the same problem.
Marshall, in short, the checker for realloc is not complete, but does exist. It is part of the Malloc checker.
-Lenny
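The failure-handling pattern discussed in this thread, written out as an added example (this is not code from the thread or from the Clang Malloc checker; the names grow_buffer and resize_scenario are our own). It keeps the original pointer until realloc has succeeded, so a NULL return neither leaks the old block nor leaves a dangling pointer, and it shows why the assignment target must not be the pointer passed as the first argument.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/*
 * Added example, not code from the thread. The two misuses discussed there,
 * for contrast with grow_buffer below:
 *
 *   realloc(p, 24);        // return value dropped: if the block moved,
 *                          // p now points at freed memory
 *   p = realloc(p, 24);    // on failure p becomes NULL and the old,
 *                          // still-allocated block is leaked
 */

/* grow_buffer: resize *pp to new_size. Returns 1 on success (and updates
 * *pp), 0 on failure (and leaves *pp and its contents untouched). */
int grow_buffer(void **pp, size_t new_size)
{
    void *tmp = realloc(*pp, new_size);   /* assign to a temporary, never to *pp */
    if (tmp == NULL)
        return 0;          /* *pp is still valid and still owned by the caller */
    *pp = tmp;             /* only now may the old pointer value be dropped */
    return 1;
}

/* Constructed scenario: fill a 12-byte buffer, try to grow it to `huge`
 * bytes (expected to fail), then to 24 bytes (expected to succeed), and
 * check that the data survives both calls. Returns 0 if the pattern held,
 * otherwise a code identifying the step that went wrong. */
int resize_scenario(size_t huge)
{
    void *buf = malloc(12);
    if (buf == NULL)
        return 1;
    memset(buf, 0xA5, 12);

    /* Step 1: a realloc that fails. With the p = realloc(p, n) idiom this
     * would have overwritten the only pointer to the 12 bytes with NULL. */
    if (grow_buffer(&buf, huge)) {
        free(buf);
        return 2;          /* unexpected: the huge request succeeded */
    }
    /* buf is unchanged and still readable after the failed call. */
    for (size_t i = 0; i < 12; i++) {
        if (((unsigned char *)buf)[i] != 0xA5) { free(buf); return 3; }
    }

    /* Step 2: a realloc that succeeds. The block may have moved, which is
     * why the pre-call pointer value must not be used after this point. */
    if (!grow_buffer(&buf, 24)) {
        free(buf);
        return 4;
    }
    for (size_t i = 0; i < 12; i++) {   /* the first 12 bytes are preserved */
        if (((unsigned char *)buf)[i] != 0xA5) { free(buf); return 5; }
    }
    free(buf);             /* exactly one free, of the current pointer */
    return 0;
}

int main(void)
{
    /* SIZE_MAX is used as the request that no allocator can satisfy. */
    int rc = resize_scenario(SIZE_MAX);
    printf("resize_scenario: %s (code %d)\n", rc == 0 ? "ok" : "FAILED", rc);
    return rc;
}
```

A checker that wants to catch Lenny's second case can use the same observation the code relies on: after `p = realloc(p, n)` the symbol that held the original allocation has been overwritten, so on the NULL-return path there is no longer any expression through which the still-allocated block can be freed.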