- Type: Bug
- Resolution: Fixed
- Priority: Major - P3
- Affects Version/s: None
- Component/s: None
- 5
- Storage Engines - 2022-10-17
When __wt_realloc is called with bytes_allocated_ret set to NULL, it assumes that the number of bytes previously allocated is 0. But this value is used to determine how much memory to clear if the clear_memory flag is on. The effect is that if we call:
__wt_realloc(session, NULL, 10, &p);
strncpy(p, "hello", 6);
__wt_realloc(session, NULL, 20, &p);
then the bytes stored at "p" will be cleared. __wt_realloc is a macro that calls __wt_realloc_func with clear_memory set to true.
Currently __wt_realloc is hardly used directly; most often it is called via __wt_realloc_def, which requires the previous size to be stored.
We should probably raise an error if bytes_allocated is NULL and clear_memory is on as an unsupported combination: the caller should either use __wt_realloc_noclear or pass the current size.
There are a couple of spots where this should trigger, which will need to be fixed:
src/cursor/cur_json.c: WT_RET(__wt_realloc(session, NULL, needed + 1, json_bufp));
src/cursor/cur_stat.c: WT_RET(__wt_realloc(session, NULL, len, &cst->desc_buf));
I think these are the only places that call __wt_realloc directly with a NULL second argument.
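The sequence from the ticket, reproduced against a small model of the realloc-and-clear logic as an added example; this is not WiredTiger's __wt_realloc_func, and the functions model_realloc and data_survives, as well as the reject_null_size switch that stands in for the proposed NULL check, are hypothetical.

```c
#include <errno.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical model of the realloc-and-clear behaviour the ticket describes
 * (not WiredTiger's code). reject_null_size enables the proposed check. */
int model_realloc(size_t *bytes_allocated_ret, size_t bytes_to_allocate,
                  int clear_memory, int reject_null_size, void **retp)
{
    size_t old_size;
    unsigned char *p;

    /* Proposed fix: clearing needs the previous size, so refuse NULL here. */
    if (reject_null_size && clear_memory && bytes_allocated_ret == NULL)
        return EINVAL;
    /* Current behaviour: a NULL size pointer is taken to mean 0 bytes allocated. */
    old_size = bytes_allocated_ret == NULL ? 0 : *bytes_allocated_ret;

    if ((p = realloc(*retp, bytes_to_allocate)) == NULL)
        return ENOMEM;

    /* Clear only the newly added tail. With old_size forced to 0 the "tail" is
     * the whole buffer, so live data written by the caller is wiped. */
    if (clear_memory && bytes_to_allocate > old_size)
        memset(p + old_size, 0, bytes_to_allocate - old_size);

    if (bytes_allocated_ret != NULL)
        *bytes_allocated_ret = bytes_to_allocate;
    *retp = p;
    return 0;
}

/* Runs the ticket's sequence: allocate 10, store "hello", grow to 20.
 * Returns 1 if "hello" survived, 0 if it was cleared, -1 if a call failed. */
int data_survives(int track_size, int reject_null_size)
{
    void *p = NULL;
    size_t allocated = 0, *sizep = track_size ? &allocated : NULL;
    int ret;

    if (model_realloc(sizep, 10, 1, reject_null_size, &p) != 0)
        return -1;
    strncpy((char *)p, "hello", 6);
    if (model_realloc(sizep, 20, 1, reject_null_size, &p) == 0)
        ret = strcmp((char *)p, "hello") == 0; /* 1 survived, 0 cleared */
    else
        ret = -1;
    free(p);
    return ret;
}
```

Passing the size through sizep keeps "hello" intact; passing NULL wipes it, and with the proposed check enabled the NULL case is rejected up front instead.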