[cfe-dev] Anyone working on a checker for realloc?
Marshall Clow
mclow.lists at gmail.com
Thu Apr 21 09:41:56 PDT 2011
On Apr 19, 2011, at 5:31 PM, Lenny Maiorani wrote:
> There is a checker for realloc and it does bind the return value properly, if there is a return value. I think this checker is not entirely complete at a quick glance.
>
> It should probably additionally check that the symbol being assigned is not the same as the symbol passed into realloc as arg 1 and make sure that the return value is actually being assigned to something.
I tried adding some more tests to malloc.c, specifically to check realloc(ptr, 0) as a synonym for free(ptr).
But the checker didn't catch them :-(
Line 39:
Line 39: Allocated memory never released. Potential memory leak.
Line 202: Allocated memory never released. Potential memory leak.
Line 202: Array access (from variable 'x') results in a null pointer dereference
3 errors generated.
void f2_realloc() {
  int *p = malloc(12);
  realloc(p,0);
  realloc(p,0); // expected-warning{{Try to free a memory block that has been released}} ## line 39
}

void f6_realloc() {
  int *p = malloc(12);
  if (!p)
    return; // no-warning
  else
    realloc(p,0); // This one works, btw
}

void f7_realloc() {
  char *x = (char*) malloc(4);
  realloc(x,0);
  x[0] = 'a'; // expected-warning{{Use dynamically allocated memory after it is freed.}} ## line 202
}
I see the code in llvm/tools/clang/lib/StaticAnalyzer/Checkers/MallocChecker.cpp, but it doesn't catch these.
(And I don't see why it doesn't)
-- Marshall
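
The three test cases above, traced through a small symbolic model of allocation state (an added example, not code from MallocChecker.cpp or from the poster). All names (`model_realloc`, `run_test`, the `zero_size_frees` switch) are hypothetical, and only the success path of a nonzero-size realloc is modelled.

```c
#include <stddef.h>

enum state { UNTRACKED, ALLOCATED, RELEASED };
enum diag  { OK, DOUBLE_FREE, USE_AFTER_FREE, LEAK };
enum op    { OP_NONE, OP_REALLOC0, OP_USE };   /* second step of f6, f2, f7 */

static enum state syms[8];          /* symbol id -> tracked state */
static int next_sym;
static int zero_size_frees;         /* model switch: realloc(p, 0) acts as free(p) */

static void model_reset(int zero_frees) {
    for (int i = 0; i < 8; i++) syms[i] = UNTRACKED;
    next_sym = 0;
    zero_size_frees = zero_frees;
}

/* malloc: mint a fresh symbol in the ALLOCATED state. */
static int model_malloc(void) { syms[next_sym] = ALLOCATED; return next_sym++; }

/* realloc(sym, size) with the return value ignored, as in the tests. */
static enum diag model_realloc(int sym, size_t size) {
    if (size == 0 && !zero_size_frees) return OK;  /* not modelled as a release */
    if (syms[sym] == RELEASED) return DOUBLE_FREE;
    syms[sym] = RELEASED;                          /* old block is gone */
    if (size != 0) model_malloc();                 /* unassigned result stays ALLOCATED */
    return OK;
}

/* Dereference of the pointer bound to sym. */
static enum diag model_use(int sym) {
    return syms[sym] == RELEASED ? USE_AFTER_FREE : OK;
}

/* End of function: any symbol still ALLOCATED is a leak. */
static enum diag model_end(void) {
    for (int i = 0; i < next_sym; i++)
        if (syms[i] == ALLOCATED) return LEAK;
    return OK;
}

/* p = malloc(); realloc(p, 0); then the second step of f6, f2 or f7. */
static enum diag run_test(enum op second, int zero_frees) {
    model_reset(zero_frees);
    int p = model_malloc();
    enum diag d = model_realloc(p, 0);
    if (d == OK && second == OP_REALLOC0) d = model_realloc(p, 0);
    if (d == OK && second == OP_USE) d = model_use(p);
    return d != OK ? d : model_end();
}
```

With the switch on, the model yields the diagnostics the tests expect; with it off, the f2 and f7 sequences end in a leak report instead.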