[analyzer] Malloc Checker: realloc: correct the way we are handing the

case when size is 0. llvm-svn: 150412
author: Anna Zaks <ganna@apple.com> 2012-02-13 20:57:07 +0000
committer: Anna Zaks <ganna@apple.com> 2012-02-13 20:57:07 +0000
commit: 8fd0f2a6cb7fd8ae03033f9a89e9c88ac3360015 (patch)
tree: ef36d02ece8a5a3860b15948b47155b92f82667c /clang/lib/StaticAnalyzer/Checkers/MallocChecker.cpp
parent: 5188c0020c4c16cc4daab5ef4d2458f6c21322c2 (diff)
download: bcm5719-llvm-8fd0f2a6cb7fd8ae03033f9a89e9c88ac3360015.tar.gz
bcm5719-llvm-8fd0f2a6cb7fd8ae03033f9a89e9c88ac3360015.zip
1 files changed, 9 insertions, 8 deletions
diff --git a/clang/lib/StaticAnalyzer/Checkers/MallocChecker.cpp b/clang/lib/StaticAnalyzer/Checkers/MallocChecker.cpp
index 98298c850bf..9329d5251f1 100644
--- a/clang/lib/StaticAnalyzer/Checkers/MallocChecker.cpp
+++ b/clang/lib/StaticAnalyzer/Checkers/MallocChecker.cpp
@@ -670,18 +670,22 @@ void MallocChecker::ReallocMem(CheckerContext &C, const CallExpr *CE) const {
   if (PrtIsNull && SizeIsZero)
     return;
 
+  // Get the from and to pointer symbols as in toPtr = realloc(fromPtr, size).
   assert(!PrtIsNull);
+  SymbolRef FromPtr = arg0Val.getAsSymbol();
+  SVal RetVal = state->getSVal(CE, LCtx);
+  SymbolRef ToPtr = RetVal.getAsSymbol();
+  if (!FromPtr || !ToPtr)
+    return;
 
   // If the size is 0, free the memory.
   if (SizeIsZero)
     if (ProgramStateRef stateFree = FreeMemAux(C, CE, StateSizeIsZero,0,false)){
-      // Bind the return value to NULL because it is now free.
-      // TODO: This is tricky. Does not currently work.
       // The semantics of the return value are:
       // If size was equal to 0, either NULL or a pointer suitable to be passed
       // to free() is returned.
-      C.addTransition(stateFree->BindExpr(CE, LCtx,
-          svalBuilder.makeNull(), true));
+      stateFree = stateFree->set<ReallocPairs>(ToPtr, FromPtr);
+      C.addTransition(stateFree);
       return;
     }
 
@@ -690,10 +694,7 @@ void MallocChecker::ReallocMem(CheckerContext &C, const CallExpr *CE) const {
     // FIXME: We should copy the content of the original buffer.
     ProgramStateRef stateRealloc = MallocMemAux(C, CE, CE->getArg(1),
                                                 UnknownVal(), stateFree);
-    SymbolRef FromPtr = arg0Val.getAsSymbol();
-    SVal RetVal = state->getSVal(CE, LCtx);
-    SymbolRef ToPtr = RetVal.getAsSymbol();
-    if (!stateRealloc || !FromPtr || !ToPtr)
+    if (!stateRealloc)
       return;
     stateRealloc = stateRealloc->set<ReallocPairs>(ToPtr, FromPtr);
     C.addTransition(stateRealloc);
author	Anna Zaks <ganna@apple.com>	2012-02-13 20:57:07 +0000
committer	Anna Zaks <ganna@apple.com>	2012-02-13 20:57:07 +0000
commit	8fd0f2a6cb7fd8ae03033f9a89e9c88ac3360015 (patch)
tree	ef36d02ece8a5a3860b15948b47155b92f82667c /clang/lib/StaticAnalyzer/Checkers/MallocChecker.cpp
parent	5188c0020c4c16cc4daab5ef4d2458f6c21322c2 (diff)
download	bcm5719-llvm-8fd0f2a6cb7fd8ae03033f9a89e9c88ac3360015.tar.gz bcm5719-llvm-8fd0f2a6cb7fd8ae03033f9a89e9c88ac3360015.zip