[analyzer] Fix the 'ptr = ptr' false negative in the Malloc checker.

llvm-svn: 155963

clang/lib/StaticAnalyzer/Checkers/MallocChecker.cpp

@@ -137,6 +137,9 @@ public:
     return true;
   }
 
+  void printState(raw_ostream &Out, ProgramStateRef State,
+                  const char *NL, const char *Sep) const;
+
 private:
   void initIdentifierInfo(ASTContext &C) const;
 
@@ -1118,7 +1121,11 @@ void MallocChecker::checkBind(SVal loc, SVal val, const Stmt *S,
       // To test (3), generate a new state with the binding added.  If it is
       // the same state, then it escapes (since the store cannot represent
       // the binding).
-      escapes = (state == (state->bindLoc(*regionLoc, val)));
+      // Do this only if we know that the store is not supposed to generate the
+      // same state.
+      SVal StoredVal = state->getSVal(regionLoc->getRegion());
+      if (StoredVal != val)
+        escapes = (state == (state->bindLoc(*regionLoc, val)));
     }
     if (!escapes) {
       // Case 4: We do not currently model what happens when a symbol is
@@ -1452,6 +1459,14 @@ MallocChecker::MallocBugVisitor::VisitNode(const ExplodedNode *N,
   return new PathDiagnosticEventPiece(Pos, Msg, true, StackHint);
 }
 
+void MallocChecker::printState(raw_ostream &Out, ProgramStateRef State,
+                               const char *NL, const char *Sep) const {
+
+  RegionStateTy RS = State->get<RegionState>();
+
+  if (!RS.isEmpty())
+    Out << "Has Malloc data" << NL;
+}
 
 #define REGISTER_CHECKER(name) \
 void ento::register##name(CheckerManager &mgr) {\

clang/test/Analysis/malloc.c

@@ -792,6 +792,12 @@ void radar11270219(void) {
   strcmp(x, y); // no warning
 }
 
+void radar_11358224_test_double_assign_ints_positive_2()
+{
+  void *ptr = malloc(16);
+  ptr = ptr; // expected-warning {{leak}}
+}
+
 // ----------------------------------------------------------------------------
 // Below are the known false positives.