[analyzer] If realloc fails on an escaped region, that region doesn't…

… leak. When a region is realloc()ed, MallocChecker records whether it was known to be allocated or not. If it is, and the reallocation fails, the original region has to be freed. Previously, when an allocated region escaped, MallocChecker completely stopped tracking it, so a failed reallocation still (correctly) wouldn't require freeing the original region. Recently, however, MallocChecker started tracking escaped symbols, so that if it were freed we could check that the deallocator matched the allocator. This broke the reallocation model for whether or not a symbol was allocated. Now, MallocChecker will actually check if a symbol is owned, and only require freeing after a failed reallocation if it was owned before. PR16730 llvm-svn: 188468
llvm · Aug 15, 2013 · 2f8b022 · 2f8b022
1 parent f661988
commit 2f8b022
Show file tree

Hide file tree

Showing 2 changed files with 11 additions and 1 deletion.
diff --git a/clang/lib/StaticAnalyzer/Checkers/MallocChecker.cpp b/clang/lib/StaticAnalyzer/Checkers/MallocChecker.cpp
@@ -1060,7 +1060,7 @@ ProgramStateRef MallocChecker::FreeMemAux(CheckerContext &C,
     }
   }
 
-  ReleasedAllocated = (RsBase != 0);
+  ReleasedAllocated = (RsBase != 0) && RsBase->isAllocated();
 
   // Clean out the info on previous call to free return info.
   State = State->remove<FreeReturnValue>(SymBase);

diff --git a/clang/test/Analysis/malloc.c b/clang/test/Analysis/malloc.c
@@ -1207,6 +1207,16 @@ void freeMemory() {
   }
 }
 
+// PR16730
+void testReallocEscaped(void **memory) {
+  *memory = malloc(47);
+  char *new_memory = realloc(*memory, 47);
+  if (new_memory != 0) {
+    *memory = new_memory;
+  }
+}
+
+
 // ----------------------------------------------------------------------------
 // False negatives.