4 files changed, 20 insertions, 23 deletions
diff --git a/lib/StaticAnalyzer/Checkers/Checkers.td b/lib/StaticAnalyzer/Checkers/Checkers.td
index 1dc7486664..df959b85c2 100644
--- a/lib/StaticAnalyzer/Checkers/Checkers.td
+++ b/lib/StaticAnalyzer/Checkers/Checkers.td
@@ -174,6 +174,11 @@ def SecuritySyntaxChecker : Checker<"SecuritySyntactic">,
   HelpText<"Perform quick security checks that require no data flow">,
   DescFile<"CheckSecuritySyntaxOnly.cpp">;
 
+def ReturnPointerRangeChecker : Checker<"ReturnPtrRange">,
+  InPackage<CoreExperimental>,
+  HelpText<"Check for an out-of-bound pointer being returned to callers">,
+  DescFile<"ReturnPointerRangeChecker.cpp">;
+
 def ObjCDeallocChecker : Checker<"Dealloc">,
   InPackage<CocoaExperimental>,
   HelpText<"Warn about Objective-C classes that lack a correct implementation of -dealloc">,
diff --git a/lib/StaticAnalyzer/Checkers/ExperimentalChecks.cpp b/lib/StaticAnalyzer/Checkers/ExperimentalChecks.cpp
index d9bb4801c3..bcae801e29 100644
--- a/lib/StaticAnalyzer/Checkers/ExperimentalChecks.cpp
+++ b/lib/StaticAnalyzer/Checkers/ExperimentalChecks.cpp
@@ -29,9 +29,6 @@ void ento::RegisterExperimentalInternalChecks(ExprEngine &Eng) {
   // These are internal checks that should eventually migrate to
   // RegisterInternalChecks() once they have been further tested.
   
-  // Note that this must be registered after ReturnStackAddresEngsChecker.
-  RegisterReturnPointerRangeChecker(Eng);
-  
   RegisterArrayBoundChecker(Eng);
   RegisterCastSizeChecker(Eng);
 }
diff --git a/lib/StaticAnalyzer/Checkers/InternalChecks.h b/lib/StaticAnalyzer/Checkers/InternalChecks.h
index e855386fff..f6246f4fb1 100644
--- a/lib/StaticAnalyzer/Checkers/InternalChecks.h
+++ b/lib/StaticAnalyzer/Checkers/InternalChecks.h
@@ -32,7 +32,6 @@ void RegisterCastSizeChecker(ExprEngine &Eng);
 void RegisterDereferenceChecker(ExprEngine &Eng);
 void RegisterDivZeroChecker(ExprEngine &Eng);
 void RegisterNoReturnFunctionChecker(ExprEngine &Eng);
-void RegisterReturnPointerRangeChecker(ExprEngine &Eng);
 void RegisterReturnUndefChecker(ExprEngine &Eng);
 void RegisterUndefBranchChecker(ExprEngine &Eng);
 void RegisterUndefCapturedBlockVarChecker(ExprEngine &Eng);
diff --git a/lib/StaticAnalyzer/Checkers/ReturnPointerRangeChecker.cpp b/lib/StaticAnalyzer/Checkers/ReturnPointerRangeChecker.cpp
index 838a00f187..298515609c 100644
--- a/lib/StaticAnalyzer/Checkers/ReturnPointerRangeChecker.cpp
+++ b/lib/StaticAnalyzer/Checkers/ReturnPointerRangeChecker.cpp
@@ -12,9 +12,11 @@
 //
 //===----------------------------------------------------------------------===//
 
-#include "InternalChecks.h"
+#include "ClangSACheckers.h"
+#include "clang/StaticAnalyzer/Core/CheckerV2.h"
+#include "clang/StaticAnalyzer/Core/CheckerManager.h"
+#include "clang/StaticAnalyzer/Core/PathSensitive/CheckerContext.h"
 #include "clang/StaticAnalyzer/Core/BugReporter/BugType.h"
-#include "clang/StaticAnalyzer/Core/PathSensitive/CheckerVisitor.h"
 #include "clang/StaticAnalyzer/Core/PathSensitive/ExprEngine.h"
 
 using namespace clang;
@@ -22,25 +24,15 @@ using namespace ento;
 
 namespace {
 class ReturnPointerRangeChecker : 
-    public CheckerVisitor<ReturnPointerRangeChecker> {      
-  BuiltinBug *BT;
+    public CheckerV2< check::PreStmt<ReturnStmt> > {
+  mutable llvm::OwningPtr<BuiltinBug> BT;
 public:
-    ReturnPointerRangeChecker() : BT(0) {}
-    static void *getTag();
-    void PreVisitReturnStmt(CheckerContext &C, const ReturnStmt *RS);
+    void checkPreStmt(const ReturnStmt *RS, CheckerContext &C) const;
 };
 }
 
-void ento::RegisterReturnPointerRangeChecker(ExprEngine &Eng) {
-  Eng.registerCheck(new ReturnPointerRangeChecker());
-}
-
-void *ReturnPointerRangeChecker::getTag() {
-  static int x = 0; return &x;
-}
-
-void ReturnPointerRangeChecker::PreVisitReturnStmt(CheckerContext &C,
-                                                   const ReturnStmt *RS) {
+void ReturnPointerRangeChecker::checkPreStmt(const ReturnStmt *RS,
+                                             CheckerContext &C) const {
   const GRState *state = C.getState();
 
   const Expr *RetE = RS->getRetValue();
@@ -77,9 +69,9 @@ void ReturnPointerRangeChecker::PreVisitReturnStmt(CheckerContext &C,
     // FIXME: This bug correspond to CWE-466.  Eventually we should have bug
     // types explicitly reference such exploit categories (when applicable).
     if (!BT)
-      BT = new BuiltinBug("Return of pointer value outside of expected range",
+      BT.reset(new BuiltinBug("Return of pointer value outside of expected range",
            "Returned pointer value points outside the original object "
-           "(potential buffer overflow)");
+           "(potential buffer overflow)"));
 
     // FIXME: It would be nice to eventually make this diagnostic more clear,
     // e.g., by referencing the original declaration or by saying *why* this
@@ -93,3 +85,7 @@ void ReturnPointerRangeChecker::PreVisitReturnStmt(CheckerContext &C,
     C.EmitReport(report);
   }
 }
+
+void ento::registerReturnPointerRangeChecker(CheckerManager &mgr) {
+  mgr.registerChecker<ReturnPointerRangeChecker>();
+}