If size was equal to 0, either NULL or a pointer suitable to be passed to

free() is returned by realloc(). Most code expect NULL.

And we only need to transfer one final ProgramState.

llvm-svn: 138937

2 files changed, 3 insertions, 6 deletions

diff --git a/clang/lib/StaticAnalyzer/Checkers/MallocChecker.cpp b/clang/lib/StaticAnalyzer/Checkers/MallocChecker.cpp
index 7462ec59842..f0f56efa9e7 100644
--- a/clang/lib/StaticAnalyzer/Checkers/MallocChecker.cpp
+++ b/clang/lib/StaticAnalyzer/Checkers/MallocChecker.cpp
@@ -538,11 +538,8 @@ void MallocChecker::ReallocMem(CheckerContext &C, const CallExpr *CE) const {
       if (const ProgramState *stateFree = 
           FreeMemAux(C, CE, stateSizeZero, 0, false)) {
 
-        // Add the state transition to set input pointer argument to be free.
-        C.addTransition(stateFree);
-
-        // Bind the return value to UndefinedVal because it is now free.
-        C.addTransition(stateFree->BindExpr(CE, UndefinedVal(), true));
+        // Bind the return value to NULL because it is now free.
+        C.addTransition(stateFree->BindExpr(CE, svalBuilder.makeNull(), true));
       }
     if (const ProgramState *stateSizeNotZero = stateNotEqual->assume(SizeZero,false))
       if (const ProgramState *stateFree = FreeMemAux(C, CE, stateSizeNotZero,
diff --git a/clang/test/Analysis/malloc.c b/clang/test/Analysis/malloc.c
index dce9e4b5b2d..d9087ab8309 100644
--- a/clang/test/Analysis/malloc.c
+++ b/clang/test/Analysis/malloc.c
@@ -41,7 +41,7 @@ void f2_realloc_0() {
 
 void f2_realloc_1() {
   int *p = malloc(12);
-  int *q = realloc(p,0); // expected-warning{{Assigned value is garbage or undefined}}
+  int *q = realloc(p,0); // no-warning
 }
 
 // ownership attributes tests