[cfe-commits] r150412 - in /cfe/trunk: lib/StaticAnalyzer/Checkers/MallocChecker.cpp test/Analysis/malloc.c
Anna Zaks
ganna at apple.com
Mon Feb 13 12:57:07 PST 2012
Author: zaks
Date: Mon Feb 13 14:57:07 2012
New Revision: 150412
URL: http://llvm.org/viewvc/llvm-project?rev=150412&view=rev
Log:
[analyzer] Malloc Checker: realloc: correct the way we are handing the
case when size is 0.
Modified:
cfe/trunk/lib/StaticAnalyzer/Checkers/MallocChecker.cpp
cfe/trunk/test/Analysis/malloc.c
Modified: cfe/trunk/lib/StaticAnalyzer/Checkers/MallocChecker.cpp
URL: http://llvm.org/viewvc/llvm-project/cfe/trunk/lib/StaticAnalyzer/Checkers/MallocChecker.cpp?rev=150412&r1=150411&r2=150412&view=diff
==============================================================================
--- cfe/trunk/lib/StaticAnalyzer/Checkers/MallocChecker.cpp (original)
+++ cfe/trunk/lib/StaticAnalyzer/Checkers/MallocChecker.cpp Mon Feb 13 14:57:07 2012
@@ -670,18 +670,22 @@
if (PrtIsNull && SizeIsZero)
return;
+ // Get the from and to pointer symbols as in toPtr = realloc(fromPtr, size).
assert(!PrtIsNull);
+ SymbolRef FromPtr = arg0Val.getAsSymbol();
+ SVal RetVal = state->getSVal(CE, LCtx);
+ SymbolRef ToPtr = RetVal.getAsSymbol();
+ if (!FromPtr || !ToPtr)
+ return;
// If the size is 0, free the memory.
if (SizeIsZero)
if (ProgramStateRef stateFree = FreeMemAux(C, CE, StateSizeIsZero,0,false)){
- // Bind the return value to NULL because it is now free.
- // TODO: This is tricky. Does not currently work.
// The semantics of the return value are:
// If size was equal to 0, either NULL or a pointer suitable to be passed
// to free() is returned.
- C.addTransition(stateFree->BindExpr(CE, LCtx,
- svalBuilder.makeNull(), true));
+ stateFree = stateFree->set<ReallocPairs>(ToPtr, FromPtr);
+ C.addTransition(stateFree);
return;
}
@@ -690,10 +694,7 @@
// FIXME: We should copy the content of the original buffer.
ProgramStateRef stateRealloc = MallocMemAux(C, CE, CE->getArg(1),
UnknownVal(), stateFree);
- SymbolRef FromPtr = arg0Val.getAsSymbol();
- SVal RetVal = state->getSVal(CE, LCtx);
- SymbolRef ToPtr = RetVal.getAsSymbol();
- if (!stateRealloc || !FromPtr || !ToPtr)
+ if (!stateRealloc)
return;
stateRealloc = stateRealloc->set<ReallocPairs>(ToPtr, FromPtr);
C.addTransition(stateRealloc);
Modified: cfe/trunk/test/Analysis/malloc.c
URL: http://llvm.org/viewvc/llvm-project/cfe/trunk/test/Analysis/malloc.c?rev=150412&r1=150411&r2=150412&view=diff
==============================================================================
--- cfe/trunk/test/Analysis/malloc.c (original)
+++ cfe/trunk/test/Analysis/malloc.c Mon Feb 13 14:57:07 2012
@@ -58,6 +58,57 @@
}
}
+void reallocSizeZero1() {
+ char *p = malloc(12);
+ char *r = realloc(p, 0);
+ if (!r) {
+ free(p);
+ } else {
+ free(r);
+ }
+}
+
+void reallocSizeZero2() {
+ char *p = malloc(12);
+ char *r = realloc(p, 0);
+ if (!r) {
+ free(p);
+ } else {
+ free(r);
+ }
+ free(p); // expected-warning {{Try to free a memory block that has been released}}
+}
+
+void reallocSizeZero3() {
+ char *p = malloc(12);
+ char *r = realloc(p, 0);
+ free(r);
+}
+
+void reallocSizeZero4() {
+ char *r = realloc(0, 0);
+ free(r);
+}
+
+void reallocSizeZero5() {
+ char *r = realloc(0, 0);
+}
+
+void reallocPtrZero1() {
+ char *r = realloc(0, 12); // expected-warning {{Allocated memory never released.}}
+}
+
+void reallocPtrZero2() {
+ char *r = realloc(0, 12);
+ if (r)
+ free(r);
+}
+
+void reallocPtrZero3() {
+ char *r = realloc(0, 12);
+ free(r);
+}
+
// This case tests that storing malloc'ed memory to a static variable which is
// then returned is not leaked. In the absence of known contracts for functions
// or inter-procedural analysis, this is a conservative answer.
More information about the cfe-commits
mailing list