[cfe-dev] Anyone working on a checker for realloc?

Jordy Rose jediknil at belkadan.com
Sat Jun 4 13:46:21 PDT 2011 

Sorry to revive an old thread, but I don't know if this is universally true. The (very outdated) OS X man pages include this:

"If size is zero and ptr is not NULL, a new, minimum sized object is allocated and the original object is freed."

So it seems like the actual behavior is dependent on the target. (I think this is because a return value of NULL means failure, but the non-null "minimum size object" is taken from the malloc pool in my simple test.)

Is it worth pulling this back out of the checker?
Jordy


On Apr 21, 2011, at 9:41, Marshall Clow wrote:

> On Apr 19, 2011, at 5:31 PM, Lenny Maiorani wrote:
>> There is a checker for realloc and it does bind the return value properly, if there is a return value. I think this checker is not entirely complete at a quick glance.
>> 
>> It should probably additionally check that the symbol being assigned is not the same as the symbol passed into realloc as arg 1 and make sure that the return value is actually being assigned to something.
> 
> 
> I tried adding some more tests to malloc.c specifically to check realloc (ptr, 0) as a synonym for free(ptr)
> 
> But the checker didn't catch them :-(
> 
> Line 39:
>  Line 39: Allocated memory never released. Potential memory leak.
>  Line 202: Allocated memory never released. Potential memory leak.
>  Line 202: Array access (from variable 'x') results in a null pointer dereference
> 3 errors generated.
> 
> 
> void f2_realloc() {
>  int *p = malloc(12);
>  realloc(p,0);
>  realloc(p,0); // expected-warning{{Try to free a memory block that has been released}} ## line 39
> }
> 
> 
> void f6_realloc() {
>  int *p = malloc(12);
>  if (!p)
>    return; // no-warning
>  else
>    realloc(p,0);		## This one works, btw
> }
> 
> 
> void f7_realloc() {
>  char *x = (char*) malloc(4);
>  realloc(x,0);
>  x[0] = 'a'; // expected-warning{{Use dynamically allocated memory after it is freed.}}  ## line 202
> }
> 
> I see the code in llvm/tools/clang/lib/StaticAnalyzer/Checkers/MallocChecker.cpp, but it doesn't catch these.
> (And I don't see why it doesn't)
> 
> -- Marshall
> 
> 
> _______________________________________________
> cfe-dev mailing list
> cfe-dev at cs.uiuc.edu
> http://lists.cs.uiuc.edu/mailman/listinfo/cfe-dev

More information about the cfe-dev mailing list