[clang] 6bedfaf - [analyzer][MallocChecker] Fix the incorrect retrieval of the from argument in realloc()

Kirstóf Umann via cfe-commits cfe-commits at lists.llvm.org
Mon Jun 1 13:38:49 PDT 2020


Author: Kirstóf Umann
Date: 2020-06-01T22:38:29+02:00
New Revision: 6bedfaf5200474f9a72b059f0d99dd39ece1c03e

URL: https://github.com/llvm/llvm-project/commit/6bedfaf5200474f9a72b059f0d99dd39ece1c03e
DIFF: https://github.com/llvm/llvm-project/commit/6bedfaf5200474f9a72b059f0d99dd39ece1c03e.diff

LOG: [analyzer][MallocChecker] Fix the incorrect retrieval of the from argument in realloc()

In the added testfile, the from argument was recognized as
&Element{SymRegion{reg_$0<long * global_a>},-1 S64b,long}
instead of
reg_$0<long * global_a>.

Added: 
    

Modified: 
    clang/lib/StaticAnalyzer/Checkers/MallocChecker.cpp
    clang/test/Analysis/malloc.c

Removed: 
    


################################################################################
diff  --git a/clang/lib/StaticAnalyzer/Checkers/MallocChecker.cpp b/clang/lib/StaticAnalyzer/Checkers/MallocChecker.cpp
index fa69bc253fbd..fb6d02b9ed60 100644
--- a/clang/lib/StaticAnalyzer/Checkers/MallocChecker.cpp
+++ b/clang/lib/StaticAnalyzer/Checkers/MallocChecker.cpp
@@ -2470,7 +2470,7 @@ MallocChecker::ReallocMemAux(CheckerContext &C, const CallEvent &Call,
       Kind = OAR_DoNotTrackAfterFailure;
 
     // Get the from and to pointer symbols as in toPtr = realloc(fromPtr, size).
-    SymbolRef FromPtr = arg0Val.getAsSymbol();
+    SymbolRef FromPtr = arg0Val.getLocSymbolInBase();
     SVal RetVal = C.getSVal(CE);
     SymbolRef ToPtr = RetVal.getAsSymbol();
     assert(FromPtr && ToPtr &&
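Review bot: The comment above the changed line, "Get the from and to pointer symbols as in toPtr = realloc(fromPtr, size)", no longer describes what FromPtr holds. After the switch to getLocSymbolInBase(), FromPtr is the symbol of the base region, not of the pointer value passed to realloc(). Please update the comment to say that an argument pointing into the middle of a symbolic region is deliberately mapped back to the region's base symbol, and why that is the right identity for the realloc bookkeeping. The assert on the following context line still requires FromPtr to be non-null. Since this change is a crash fix, it would help to state (in the comment or the commit message) which earlier check guarantees that arg0Val always has a symbolic base at this point. Otherwise the same assertion can fire again for some other shape of argument.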

diff  --git a/clang/test/Analysis/malloc.c b/clang/test/Analysis/malloc.c
index a8aabf9f9ace..714c73c3c793 100644
--- a/clang/test/Analysis/malloc.c
+++ b/clang/test/Analysis/malloc.c
@@ -1848,6 +1848,13 @@ variable 'buf', which is not memory allocated by malloc() [unix.Malloc]}}
 crash_b() { crash_a(); } // no-crash
 // expected-warning at -1{{type specifier missing}} expected-warning at -1{{non-void}}
 
+long *global_a;
+void realloc_crash() {
+  long *c = global_a;
+  c--;
+  realloc(c, 8); // no-crash
+} // expected-warning{{Potential memory leak [unix.Malloc]}}
+
 // ----------------------------------------------------------------------------
 // False negatives.
 
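Review bot: The new realloc_crash() test only records "no-crash" and a leak warning at the closing brace, without explaining either. A short comment above the function would make the regression self-describing: after c--, the argument is an element region at index -1 of the symbolic region for global_a (as the commit message states), and the leak is expected because the result of realloc(c, 8) is discarded. Note also that the pointer passed to realloc() here is offset from global_a and the test expects no diagnostic about that. If dropping the offset is intended, say so in the test. If it is a known gap, a FIXME next to the call would keep it visible. A second case with a positive offset (for example c++ instead of c--) would show the fix is not specific to negative indices.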


        

