Ted Kremenek | cdc3a89 | 2012-08-24 20:39:55 +0000 | [diff] [blame] | 1 | // RUN: %clang_cc1 -analyze -analyzer-checker=core,alpha.deadcode.UnreachableCode,alpha.core.CastSize,unix.Malloc,debug.ExprInspection -analyzer-store=region -verify %s |
NAKAMURA Takumi | 7a29070 | 2012-11-19 10:00:59 +0000 | [diff] [blame] | 2 | |
Chandler Carruth | 1b22cec | 2012-09-12 01:11:10 +0000 | [diff] [blame] | 3 | #include "Inputs/system-header-simulator.h" |
Anna Zaks | 15d0ae1 | 2012-02-11 23:46:36 +0000 | [diff] [blame] | 4 | |
Anna Zaks | adccc3f | 2012-06-08 00:04:40 +0000 | [diff] [blame] | 5 | void clang_analyzer_eval(int); |
| 6 | |
Eli Friedman | 2f00552 | 2009-11-14 04:23:25 +0000 | [diff] [blame] | 7 | typedef __typeof(sizeof(int)) size_t; |
Ted Kremenek | c360775 | 2009-11-13 20:03:22 +0000 | [diff] [blame] | 8 | void *malloc(size_t); |
Pirama Arumuga Nainar | 3ea9e33 | 2015-04-08 08:57:32 -0700 | [diff] [blame] | 9 | void *alloca(size_t); |
Anna Zaks | b16ce45 | 2012-02-15 00:11:22 +0000 | [diff] [blame] | 10 | void *valloc(size_t); |
Ted Kremenek | c360775 | 2009-11-13 20:03:22 +0000 | [diff] [blame] | 11 | void free(void *); |
Zhongxing Xu | d9c84c8 | 2009-12-12 12:29:38 +0000 | [diff] [blame] | 12 | void *realloc(void *ptr, size_t size); |
Anna Zaks | 40add29 | 2012-02-15 00:11:25 +0000 | [diff] [blame] | 13 | void *reallocf(void *ptr, size_t size); |
Zhongxing Xu | d9c84c8 | 2009-12-12 12:29:38 +0000 | [diff] [blame] | 14 | void *calloc(size_t nmemb, size_t size); |
Anna Zaks | 1434518 | 2012-05-18 01:16:10 +0000 | [diff] [blame] | 15 | char *strdup(const char *s); |
| 16 | char *strndup(const char *s, size_t n); |
Anna Zaks | 233e26a | 2013-02-07 23:05:43 +0000 | [diff] [blame] | 17 | int memcmp(const void *s1, const void *s2, size_t n); |
Ted Kremenek | dd0e490 | 2010-07-31 01:52:11 +0000 | [diff] [blame] | 18 | |
Anna Zaks | 91c2a11 | 2012-02-08 23:16:56 +0000 | [diff] [blame] | 19 | void myfoo(int *p); |
| 20 | void myfooint(int p); |
Anna Zaks | ebc1d32 | 2012-02-15 00:11:28 +0000 | [diff] [blame] | 21 | char *fooRetPtr(); |
Zhongxing Xu | fc7ac8f | 2009-11-13 07:48:11 +0000 | [diff] [blame] | 22 | |
| 23 | void f1() { |
Zhongxing Xu | ab28099 | 2010-05-25 04:59:19 +0000 | [diff] [blame] | 24 | int *p = malloc(12); |
Anna Zaks | 68eb4c2 | 2013-04-06 00:41:36 +0000 | [diff] [blame] | 25 | return; // expected-warning{{Potential leak of memory pointed to by 'p'}} |
Zhongxing Xu | fc7ac8f | 2009-11-13 07:48:11 +0000 | [diff] [blame] | 26 | } |
| 27 | |
Zhongxing Xu | fc7ac8f | 2009-11-13 07:48:11 +0000 | [diff] [blame] | 28 | void f2() { |
Zhongxing Xu | ab28099 | 2010-05-25 04:59:19 +0000 | [diff] [blame] | 29 | int *p = malloc(12); |
Zhongxing Xu | fc7ac8f | 2009-11-13 07:48:11 +0000 | [diff] [blame] | 30 | free(p); |
Anna Zaks | febdc32 | 2012-02-16 22:26:12 +0000 | [diff] [blame] | 31 | free(p); // expected-warning{{Attempt to free released memory}} |
Zhongxing Xu | fc7ac8f | 2009-11-13 07:48:11 +0000 | [diff] [blame] | 32 | } |
Ted Kremenek | c764d4b | 2009-11-13 20:00:28 +0000 | [diff] [blame] | 33 | |
Lenny Maiorani | 4d8d803 | 2011-04-27 14:49:29 +0000 | [diff] [blame] | 34 | void f2_realloc_0() { |
| 35 | int *p = malloc(12); |
| 36 | realloc(p,0); |
Anna Zaks | febdc32 | 2012-02-16 22:26:12 +0000 | [diff] [blame] | 37 | realloc(p,0); // expected-warning{{Attempt to free released memory}} |
Lenny Maiorani | 4d8d803 | 2011-04-27 14:49:29 +0000 | [diff] [blame] | 38 | } |
| 39 | |
| 40 | void f2_realloc_1() { |
| 41 | int *p = malloc(12); |
Zhongxing Xu | d56763f | 2011-09-01 04:53:59 +0000 | [diff] [blame] | 42 | int *q = realloc(p,0); // no-warning |
Lenny Maiorani | 4d8d803 | 2011-04-27 14:49:29 +0000 | [diff] [blame] | 43 | } |
| 44 | |
Anna Zaks | c8bb3be | 2012-02-13 18:05:39 +0000 | [diff] [blame] | 45 | void reallocNotNullPtr(unsigned sizeIn) { |
| 46 | unsigned size = 12; |
| 47 | char *p = (char*)malloc(size); |
| 48 | if (p) { |
| 49 | char *q = (char*)realloc(p, sizeIn); |
Anna Zaks | 68eb4c2 | 2013-04-06 00:41:36 +0000 | [diff] [blame] | 50 | char x = *q; // expected-warning {{Potential leak of memory pointed to by 'q'}} |
Anna Zaks | c8bb3be | 2012-02-13 18:05:39 +0000 | [diff] [blame] | 51 | } |
| 52 | } |
| 53 | |
Pirama Arumuga Nainar | 3ea9e33 | 2015-04-08 08:57:32 -0700 | [diff] [blame] | 54 | void allocaTest() { |
| 55 | int *p = alloca(sizeof(int)); |
| 56 | } // no warn |
| 57 | |
| 58 | void allocaBuiltinTest() { |
| 59 | int *p = __builtin_alloca(sizeof(int)); |
| 60 | } // no warn |
| 61 | |
Anna Zaks | c8bb3be | 2012-02-13 18:05:39 +0000 | [diff] [blame] | 62 | int *realloctest1() { |
| 63 | int *q = malloc(12); |
| 64 | q = realloc(q, 20); |
| 65 | return q; // no warning - returning the allocated value |
| 66 | } |
| 67 | |
| 68 | // p should be freed if realloc fails. |
| 69 | void reallocFails() { |
| 70 | char *p = malloc(12); |
| 71 | char *r = realloc(p, 12+1); |
| 72 | if (!r) { |
| 73 | free(p); |
| 74 | } else { |
| 75 | free(r); |
| 76 | } |
| 77 | } |
| 78 | |
Anna Zaks | 30838b9 | 2012-02-13 20:57:07 +0000 | [diff] [blame] | 79 | void reallocSizeZero1() { |
| 80 | char *p = malloc(12); |
| 81 | char *r = realloc(p, 0); |
| 82 | if (!r) { |
Anna Zaks | ede875b | 2012-08-03 18:30:18 +0000 | [diff] [blame] | 83 | free(p); // expected-warning {{Attempt to free released memory}} |
Anna Zaks | 30838b9 | 2012-02-13 20:57:07 +0000 | [diff] [blame] | 84 | } else { |
| 85 | free(r); |
| 86 | } |
| 87 | } |
| 88 | |
| 89 | void reallocSizeZero2() { |
| 90 | char *p = malloc(12); |
| 91 | char *r = realloc(p, 0); |
| 92 | if (!r) { |
Anna Zaks | ede875b | 2012-08-03 18:30:18 +0000 | [diff] [blame] | 93 | free(p); // expected-warning {{Attempt to free released memory}} |
Anna Zaks | 30838b9 | 2012-02-13 20:57:07 +0000 | [diff] [blame] | 94 | } else { |
| 95 | free(r); |
| 96 | } |
Anna Zaks | febdc32 | 2012-02-16 22:26:12 +0000 | [diff] [blame] | 97 | free(p); // expected-warning {{Attempt to free released memory}} |
Anna Zaks | 30838b9 | 2012-02-13 20:57:07 +0000 | [diff] [blame] | 98 | } |
| 99 | |
| 100 | void reallocSizeZero3() { |
| 101 | char *p = malloc(12); |
| 102 | char *r = realloc(p, 0); |
| 103 | free(r); |
| 104 | } |
| 105 | |
| 106 | void reallocSizeZero4() { |
| 107 | char *r = realloc(0, 0); |
| 108 | free(r); |
| 109 | } |
| 110 | |
| 111 | void reallocSizeZero5() { |
| 112 | char *r = realloc(0, 0); |
| 113 | } |
| 114 | |
| 115 | void reallocPtrZero1() { |
Jordan Rose | 63bc186 | 2012-11-15 19:11:43 +0000 | [diff] [blame] | 116 | char *r = realloc(0, 12); |
Anna Zaks | 68eb4c2 | 2013-04-06 00:41:36 +0000 | [diff] [blame] | 117 | } // expected-warning {{Potential leak of memory pointed to by 'r'}} |
Anna Zaks | 30838b9 | 2012-02-13 20:57:07 +0000 | [diff] [blame] | 118 | |
| 119 | void reallocPtrZero2() { |
| 120 | char *r = realloc(0, 12); |
| 121 | if (r) |
| 122 | free(r); |
| 123 | } |
| 124 | |
| 125 | void reallocPtrZero3() { |
| 126 | char *r = realloc(0, 12); |
| 127 | free(r); |
| 128 | } |
| 129 | |
Anna Zaks | b276bd9 | 2012-02-14 00:26:13 +0000 | [diff] [blame] | 130 | void reallocRadar6337483_1() { |
| 131 | char *buf = malloc(100); |
| 132 | buf = (char*)realloc(buf, 0x1000000); |
| 133 | if (!buf) { |
Anna Zaks | 68eb4c2 | 2013-04-06 00:41:36 +0000 | [diff] [blame] | 134 | return;// expected-warning {{Potential leak of memory pointed to by}} |
Anna Zaks | b276bd9 | 2012-02-14 00:26:13 +0000 | [diff] [blame] | 135 | } |
| 136 | free(buf); |
| 137 | } |
| 138 | |
| 139 | void reallocRadar6337483_2() { |
| 140 | char *buf = malloc(100); |
| 141 | char *buf2 = (char*)realloc(buf, 0x1000000); |
Jordan Rose | 63bc186 | 2012-11-15 19:11:43 +0000 | [diff] [blame] | 142 | if (!buf2) { |
Anna Zaks | b276bd9 | 2012-02-14 00:26:13 +0000 | [diff] [blame] | 143 | ; |
| 144 | } else { |
| 145 | free(buf2); |
| 146 | } |
Anna Zaks | 68eb4c2 | 2013-04-06 00:41:36 +0000 | [diff] [blame] | 147 | } // expected-warning {{Potential leak of memory pointed to by}} |
Anna Zaks | b276bd9 | 2012-02-14 00:26:13 +0000 | [diff] [blame] | 148 | |
| 149 | void reallocRadar6337483_3() { |
| 150 | char * buf = malloc(100); |
| 151 | char * tmp; |
| 152 | tmp = (char*)realloc(buf, 0x1000000); |
| 153 | if (!tmp) { |
| 154 | free(buf); |
| 155 | return; |
| 156 | } |
| 157 | buf = tmp; |
| 158 | free(buf); |
| 159 | } |
| 160 | |
| 161 | void reallocRadar6337483_4() { |
| 162 | char *buf = malloc(100); |
| 163 | char *buf2 = (char*)realloc(buf, 0x1000000); |
| 164 | if (!buf2) { |
Anna Zaks | 68eb4c2 | 2013-04-06 00:41:36 +0000 | [diff] [blame] | 165 | return; // expected-warning {{Potential leak of memory pointed to by}} |
Anna Zaks | b276bd9 | 2012-02-14 00:26:13 +0000 | [diff] [blame] | 166 | } else { |
| 167 | free(buf2); |
| 168 | } |
| 169 | } |
| 170 | |
Anna Zaks | 40add29 | 2012-02-15 00:11:25 +0000 | [diff] [blame] | 171 | int *reallocfTest1() { |
| 172 | int *q = malloc(12); |
| 173 | q = reallocf(q, 20); |
| 174 | return q; // no warning - returning the allocated value |
| 175 | } |
| 176 | |
| 177 | void reallocfRadar6337483_4() { |
| 178 | char *buf = malloc(100); |
| 179 | char *buf2 = (char*)reallocf(buf, 0x1000000); |
| 180 | if (!buf2) { |
| 181 | return; // no warning - reallocf frees even on failure |
| 182 | } else { |
| 183 | free(buf2); |
| 184 | } |
| 185 | } |
| 186 | |
| 187 | void reallocfRadar6337483_3() { |
| 188 | char * buf = malloc(100); |
| 189 | char * tmp; |
| 190 | tmp = (char*)reallocf(buf, 0x1000000); |
| 191 | if (!tmp) { |
Anna Zaks | febdc32 | 2012-02-16 22:26:12 +0000 | [diff] [blame] | 192 | free(buf); // expected-warning {{Attempt to free released memory}} |
Anna Zaks | 40add29 | 2012-02-15 00:11:25 +0000 | [diff] [blame] | 193 | return; |
| 194 | } |
| 195 | buf = tmp; |
| 196 | free(buf); |
| 197 | } |
| 198 | |
| 199 | void reallocfPtrZero1() { |
Jordan Rose | 63bc186 | 2012-11-15 19:11:43 +0000 | [diff] [blame] | 200 | char *r = reallocf(0, 12); |
Anna Zaks | 68eb4c2 | 2013-04-06 00:41:36 +0000 | [diff] [blame] | 201 | } // expected-warning {{Potential leak of memory pointed to by}} |
Anna Zaks | 40add29 | 2012-02-15 00:11:25 +0000 | [diff] [blame] | 202 | |
Pirama Arumuga Nainar | 33337ca | 2015-05-06 11:48:57 -0700 | [diff] [blame] | 203 | //------------------- Check usage of zero-allocated memory --------------------- |
| 204 | void CheckUseZeroAllocatedNoWarn1() { |
| 205 | int *p = malloc(0); |
| 206 | free(p); // no warning |
| 207 | } |
| 208 | |
| 209 | void CheckUseZeroAllocatedNoWarn2() { |
| 210 | int *p = alloca(0); // no warning |
| 211 | } |
| 212 | |
| 213 | void CheckUseZeroAllocatedNoWarn3() { |
| 214 | int *p = malloc(0); |
| 215 | int *q = realloc(p, 8); // no warning |
| 216 | free(q); |
| 217 | } |
| 218 | |
| 219 | void CheckUseZeroAllocatedNoWarn4() { |
| 220 | int *p = realloc(0, 8); |
| 221 | *p = 1; // no warning |
| 222 | free(p); |
| 223 | } |
| 224 | |
| 225 | void CheckUseZeroAllocated1() { |
| 226 | int *p = malloc(0); |
| 227 | *p = 1; // expected-warning {{Use of zero-allocated memory}} |
| 228 | free(p); |
| 229 | } |
| 230 | |
| 231 | char CheckUseZeroAllocated2() { |
| 232 | char *p = alloca(0); |
| 233 | return *p; // expected-warning {{Use of zero-allocated memory}} |
| 234 | } |
| 235 | |
| 236 | void UseZeroAllocated(int *p) { |
| 237 | if (p) |
| 238 | *p = 7; // expected-warning {{Use of zero-allocated memory}} |
| 239 | } |
| 240 | void CheckUseZeroAllocated3() { |
| 241 | int *p = malloc(0); |
| 242 | UseZeroAllocated(p); |
| 243 | } |
| 244 | |
| 245 | void f(char); |
| 246 | void CheckUseZeroAllocated4() { |
| 247 | char *p = valloc(0); |
| 248 | f(*p); // expected-warning {{Use of zero-allocated memory}} |
| 249 | free(p); |
| 250 | } |
| 251 | |
| 252 | void CheckUseZeroAllocated5() { |
| 253 | int *p = calloc(0, 2); |
| 254 | *p = 1; // expected-warning {{Use of zero-allocated memory}} |
| 255 | free(p); |
| 256 | } |
| 257 | |
| 258 | void CheckUseZeroAllocated6() { |
| 259 | int *p = calloc(2, 0); |
| 260 | *p = 1; // expected-warning {{Use of zero-allocated memory}} |
| 261 | free(p); |
| 262 | } |
| 263 | |
| 264 | void CheckUseZeroAllocated7() { |
| 265 | int *p = realloc(0, 0); |
| 266 | *p = 1; //TODO: warn about use of zero-allocated memory |
| 267 | free(p); |
| 268 | } |
| 269 | |
| 270 | void CheckUseZeroAllocated8() { |
| 271 | int *p = malloc(8); |
| 272 | int *q = realloc(p, 0); |
| 273 | *q = 1; //TODO: warn about use of zero-allocated memory |
| 274 | free(q); |
| 275 | } |
| 276 | |
| 277 | void CheckUseZeroAllocated9() { |
| 278 | int *p = realloc(0, 0); |
| 279 | int *q = realloc(p, 0); |
| 280 | *q = 1; //TODO: warn about use of zero-allocated memory |
| 281 | free(q); |
| 282 | } |
| 283 | |
| 284 | void CheckUseZeroAllocatedPathNoWarn(_Bool b) { |
| 285 | int s = 0; |
| 286 | if (b) |
| 287 | s= 10; |
| 288 | |
| 289 | char *p = malloc(s); |
| 290 | |
| 291 | if (b) |
| 292 | *p = 1; // no warning |
| 293 | |
| 294 | free(p); |
| 295 | } |
| 296 | |
| 297 | void CheckUseZeroAllocatedPathWarn(_Bool b) { |
| 298 | int s = 10; |
| 299 | if (b) |
| 300 | s= 0; |
| 301 | |
| 302 | char *p = malloc(s); |
| 303 | |
| 304 | if (b) |
| 305 | *p = 1; // expected-warning {{Use of zero-allocated memory}} |
| 306 | |
| 307 | free(p); |
| 308 | } |
Anna Zaks | 40add29 | 2012-02-15 00:11:25 +0000 | [diff] [blame] | 309 | |
Zhongxing Xu | 243fde9 | 2009-11-17 07:54:15 +0000 | [diff] [blame] | 310 | // This case tests that storing malloc'ed memory to a static variable which is |
| 311 | // then returned is not leaked. In the absence of known contracts for functions |
| 312 | // or inter-procedural analysis, this is a conservative answer. |
Ted Kremenek | c764d4b | 2009-11-13 20:00:28 +0000 | [diff] [blame] | 313 | int *f3() { |
| 314 | static int *p = 0; |
Zhongxing Xu | ab28099 | 2010-05-25 04:59:19 +0000 | [diff] [blame] | 315 | p = malloc(12); |
Zhongxing Xu | 4985e3e | 2009-11-17 08:58:18 +0000 | [diff] [blame] | 316 | return p; // no-warning |
Ted Kremenek | c764d4b | 2009-11-13 20:00:28 +0000 | [diff] [blame] | 317 | } |
| 318 | |
Zhongxing Xu | 243fde9 | 2009-11-17 07:54:15 +0000 | [diff] [blame] | 319 | // This case tests that storing malloc'ed memory to a static global variable |
| 320 | // which is then returned is not leaked. In the absence of known contracts for |
| 321 | // functions or inter-procedural analysis, this is a conservative answer. |
Ted Kremenek | c764d4b | 2009-11-13 20:00:28 +0000 | [diff] [blame] | 322 | static int *p_f4 = 0; |
| 323 | int *f4() { |
Zhongxing Xu | ab28099 | 2010-05-25 04:59:19 +0000 | [diff] [blame] | 324 | p_f4 = malloc(12); |
Zhongxing Xu | 4985e3e | 2009-11-17 08:58:18 +0000 | [diff] [blame] | 325 | return p_f4; // no-warning |
Ted Kremenek | c764d4b | 2009-11-13 20:00:28 +0000 | [diff] [blame] | 326 | } |
Zhongxing Xu | d9c84c8 | 2009-12-12 12:29:38 +0000 | [diff] [blame] | 327 | |
| 328 | int *f5() { |
Zhongxing Xu | ab28099 | 2010-05-25 04:59:19 +0000 | [diff] [blame] | 329 | int *q = malloc(12); |
Zhongxing Xu | d9c84c8 | 2009-12-12 12:29:38 +0000 | [diff] [blame] | 330 | q = realloc(q, 20); |
| 331 | return q; // no-warning |
| 332 | } |
Zhongxing Xu | b94b81a | 2009-12-31 06:13:07 +0000 | [diff] [blame] | 333 | |
| 334 | void f6() { |
Zhongxing Xu | ab28099 | 2010-05-25 04:59:19 +0000 | [diff] [blame] | 335 | int *p = malloc(12); |
Zhongxing Xu | b94b81a | 2009-12-31 06:13:07 +0000 | [diff] [blame] | 336 | if (!p) |
| 337 | return; // no-warning |
| 338 | else |
| 339 | free(p); |
| 340 | } |
Zhongxing Xu | 425c7ed | 2010-01-18 04:01:40 +0000 | [diff] [blame] | 341 | |
Lenny Maiorani | 4d8d803 | 2011-04-27 14:49:29 +0000 | [diff] [blame] | 342 | void f6_realloc() { |
| 343 | int *p = malloc(12); |
| 344 | if (!p) |
| 345 | return; // no-warning |
| 346 | else |
| 347 | realloc(p,0); |
| 348 | } |
| 349 | |
| 350 | |
Zhongxing Xu | 425c7ed | 2010-01-18 04:01:40 +0000 | [diff] [blame] | 351 | char *doit2(); |
| 352 | void pr6069() { |
| 353 | char *buf = doit2(); |
| 354 | free(buf); |
| 355 | } |
Zhongxing Xu | 181cc3d | 2010-02-14 06:49:48 +0000 | [diff] [blame] | 356 | |
| 357 | void pr6293() { |
| 358 | free(0); |
| 359 | } |
Zhongxing Xu | c802378 | 2010-03-10 04:58:55 +0000 | [diff] [blame] | 360 | |
| 361 | void f7() { |
| 362 | char *x = (char*) malloc(4); |
| 363 | free(x); |
Anna Zaks | febdc32 | 2012-02-16 22:26:12 +0000 | [diff] [blame] | 364 | x[0] = 'a'; // expected-warning{{Use of memory after it is freed}} |
Zhongxing Xu | c802378 | 2010-03-10 04:58:55 +0000 | [diff] [blame] | 365 | } |
Zhongxing Xu | ab28099 | 2010-05-25 04:59:19 +0000 | [diff] [blame] | 366 | |
Anna Zaks | 1434518 | 2012-05-18 01:16:10 +0000 | [diff] [blame] | 367 | void f8() { |
| 368 | char *x = (char*) malloc(4); |
| 369 | free(x); |
| 370 | char *y = strndup(x, 4); // expected-warning{{Use of memory after it is freed}} |
| 371 | } |
| 372 | |
Lenny Maiorani | 4d8d803 | 2011-04-27 14:49:29 +0000 | [diff] [blame] | 373 | void f7_realloc() { |
| 374 | char *x = (char*) malloc(4); |
| 375 | realloc(x,0); |
Anna Zaks | febdc32 | 2012-02-16 22:26:12 +0000 | [diff] [blame] | 376 | x[0] = 'a'; // expected-warning{{Use of memory after it is freed}} |
Lenny Maiorani | 4d8d803 | 2011-04-27 14:49:29 +0000 | [diff] [blame] | 377 | } |
| 378 | |
Zhongxing Xu | ab28099 | 2010-05-25 04:59:19 +0000 | [diff] [blame] | 379 | void PR6123() { |
Ted Kremenek | c4bac8e | 2012-08-16 17:45:23 +0000 | [diff] [blame] | 380 | int *x = malloc(11); // expected-warning{{Cast a region whose size is not a multiple of the destination type size}} |
Zhongxing Xu | ab28099 | 2010-05-25 04:59:19 +0000 | [diff] [blame] | 381 | } |
| 382 | |
| 383 | void PR7217() { |
Ted Kremenek | c4bac8e | 2012-08-16 17:45:23 +0000 | [diff] [blame] | 384 | int *buf = malloc(2); // expected-warning{{Cast a region whose size is not a multiple of the destination type size}} |
Zhongxing Xu | ab28099 | 2010-05-25 04:59:19 +0000 | [diff] [blame] | 385 | buf[1] = 'c'; // not crash |
Zhongxing Xu | ab28099 | 2010-05-25 04:59:19 +0000 | [diff] [blame] | 386 | } |
Jordy Rose | c580f2e | 2010-06-20 04:30:57 +0000 | [diff] [blame] | 387 | |
Stephen Hines | 651f13c | 2014-04-23 16:59:28 -0700 | [diff] [blame] | 388 | void cast_emtpy_struct() { |
| 389 | struct st { |
| 390 | }; |
| 391 | |
| 392 | struct st *s = malloc(sizeof(struct st)); // no-warning |
| 393 | free(s); |
| 394 | } |
| 395 | |
| 396 | void cast_struct_1() { |
| 397 | struct st { |
| 398 | int i[100]; |
| 399 | char j[]; |
| 400 | }; |
| 401 | |
| 402 | struct st *s = malloc(sizeof(struct st)); // no-warning |
| 403 | free(s); |
| 404 | } |
| 405 | |
| 406 | void cast_struct_2() { |
| 407 | struct st { |
| 408 | int i[100]; |
| 409 | char j[0]; |
| 410 | }; |
| 411 | |
| 412 | struct st *s = malloc(sizeof(struct st)); // no-warning |
| 413 | free(s); |
| 414 | } |
| 415 | |
| 416 | void cast_struct_3() { |
| 417 | struct st { |
| 418 | int i[100]; |
| 419 | char j[1]; |
| 420 | }; |
| 421 | |
| 422 | struct st *s = malloc(sizeof(struct st)); // no-warning |
| 423 | free(s); |
| 424 | } |
| 425 | |
| 426 | void cast_struct_4() { |
| 427 | struct st { |
| 428 | int i[100]; |
| 429 | char j[2]; |
| 430 | }; |
| 431 | |
| 432 | struct st *s = malloc(sizeof(struct st)); // no-warning |
| 433 | free(s); |
| 434 | } |
| 435 | |
| 436 | void cast_struct_5() { |
| 437 | struct st { |
| 438 | char i[200]; |
| 439 | char j[1]; |
| 440 | }; |
| 441 | |
| 442 | struct st *s = malloc(sizeof(struct st) - sizeof(char)); // no-warning |
| 443 | free(s); |
| 444 | } |
| 445 | |
| 446 | void cast_struct_warn_1() { |
| 447 | struct st { |
| 448 | int i[100]; |
| 449 | char j[2]; |
| 450 | }; |
| 451 | |
| 452 | struct st *s = malloc(sizeof(struct st) + 2); // expected-warning{{Cast a region whose size is not a multiple of the destination type size}} |
| 453 | free(s); |
| 454 | } |
| 455 | |
| 456 | void cast_struct_warn_2() { |
| 457 | struct st { |
| 458 | int i[100]; |
| 459 | char j[2]; |
| 460 | }; |
| 461 | |
| 462 | struct st *s = malloc(2); // expected-warning{{Cast a region whose size is not a multiple of the destination type size}} |
| 463 | free(s); |
| 464 | } |
| 465 | |
| 466 | void cast_struct_flex_array_1() { |
| 467 | struct st { |
| 468 | int i[100]; |
| 469 | char j[]; |
| 470 | }; |
| 471 | |
| 472 | struct st *s = malloc(sizeof(struct st) + 3); // no-warning |
| 473 | free(s); |
| 474 | } |
| 475 | |
| 476 | void cast_struct_flex_array_2() { |
| 477 | struct st { |
| 478 | int i[100]; |
| 479 | char j[0]; |
| 480 | }; |
| 481 | |
| 482 | struct st *s = malloc(sizeof(struct st) + 3); // no-warning |
| 483 | free(s); |
| 484 | } |
| 485 | |
| 486 | void cast_struct_flex_array_3() { |
| 487 | struct st { |
| 488 | int i[100]; |
| 489 | char j[1]; |
| 490 | }; |
| 491 | |
| 492 | struct st *s = malloc(sizeof(struct st) + 3); // no-warning |
| 493 | free(s); |
| 494 | } |
| 495 | |
| 496 | void cast_struct_flex_array_4() { |
| 497 | struct foo { |
| 498 | char f[32]; |
| 499 | }; |
| 500 | struct st { |
| 501 | char i[100]; |
| 502 | struct foo data[]; |
| 503 | }; |
| 504 | |
| 505 | struct st *s = malloc(sizeof(struct st) + 3 * sizeof(struct foo)); // no-warning |
| 506 | free(s); |
| 507 | } |
| 508 | |
| 509 | void cast_struct_flex_array_5() { |
| 510 | struct foo { |
| 511 | char f[32]; |
| 512 | }; |
| 513 | struct st { |
| 514 | char i[100]; |
| 515 | struct foo data[0]; |
| 516 | }; |
| 517 | |
| 518 | struct st *s = malloc(sizeof(struct st) + 3 * sizeof(struct foo)); // no-warning |
| 519 | free(s); |
| 520 | } |
| 521 | |
| 522 | void cast_struct_flex_array_6() { |
| 523 | struct foo { |
| 524 | char f[32]; |
| 525 | }; |
| 526 | struct st { |
| 527 | char i[100]; |
| 528 | struct foo data[1]; |
| 529 | }; |
| 530 | |
| 531 | struct st *s = malloc(sizeof(struct st) + 3 * sizeof(struct foo)); // no-warning |
| 532 | free(s); |
| 533 | } |
| 534 | |
| 535 | void cast_struct_flex_array_warn_1() { |
| 536 | struct foo { |
| 537 | char f[32]; |
| 538 | }; |
| 539 | struct st { |
| 540 | char i[100]; |
| 541 | struct foo data[]; |
| 542 | }; |
| 543 | |
| 544 | struct st *s = malloc(3 * sizeof(struct st) + 3 * sizeof(struct foo)); // expected-warning{{Cast a region whose size is not a multiple of the destination type size}} |
| 545 | free(s); |
| 546 | } |
| 547 | |
| 548 | void cast_struct_flex_array_warn_2() { |
| 549 | struct foo { |
| 550 | char f[32]; |
| 551 | }; |
| 552 | struct st { |
| 553 | char i[100]; |
| 554 | struct foo data[0]; |
| 555 | }; |
| 556 | |
| 557 | struct st *s = malloc(3 * sizeof(struct st) + 3 * sizeof(struct foo)); // expected-warning{{Cast a region whose size is not a multiple of the destination type size}} |
| 558 | free(s); |
| 559 | } |
| 560 | |
| 561 | void cast_struct_flex_array_warn_3() { |
| 562 | struct foo { |
| 563 | char f[32]; |
| 564 | }; |
| 565 | struct st { |
| 566 | char i[100]; |
| 567 | struct foo data[1]; |
| 568 | }; |
| 569 | |
| 570 | struct st *s = malloc(3 * sizeof(struct st) + 3 * sizeof(struct foo)); // expected-warning{{Cast a region whose size is not a multiple of the destination type size}} |
| 571 | free(s); |
| 572 | } |
| 573 | |
| 574 | void cast_struct_flex_array_warn_4() { |
| 575 | struct st { |
| 576 | int i[100]; |
| 577 | int j[]; |
| 578 | }; |
| 579 | |
| 580 | struct st *s = malloc(sizeof(struct st) + 3); // expected-warning{{Cast a region whose size is not a multiple of the destination type size}} |
| 581 | free(s); |
| 582 | } |
| 583 | |
| 584 | void cast_struct_flex_array_warn_5() { |
| 585 | struct st { |
| 586 | int i[100]; |
| 587 | int j[0]; |
| 588 | }; |
| 589 | |
| 590 | struct st *s = malloc(sizeof(struct st) + 3); // expected-warning{{Cast a region whose size is not a multiple of the destination type size}} |
| 591 | free(s); |
| 592 | } |
| 593 | |
| 594 | void cast_struct_flex_array_warn_6() { |
| 595 | struct st { |
| 596 | int i[100]; |
| 597 | int j[1]; |
| 598 | }; |
| 599 | |
| 600 | struct st *s = malloc(sizeof(struct st) + 3); // expected-warning{{Cast a region whose size is not a multiple of the destination type size}} |
| 601 | free(s); |
| 602 | } |
| 603 | |
Jordy Rose | c580f2e | 2010-06-20 04:30:57 +0000 | [diff] [blame] | 604 | void mallocCastToVoid() { |
| 605 | void *p = malloc(2); |
| 606 | const void *cp = p; // not crash |
| 607 | free(p); |
| 608 | } |
| 609 | |
| 610 | void mallocCastToFP() { |
| 611 | void *p = malloc(2); |
| 612 | void (*fp)() = p; // not crash |
| 613 | free(p); |
| 614 | } |
| 615 | |
Zhongxing Xu | a5ce966 | 2010-06-01 03:01:33 +0000 | [diff] [blame] | 616 | // This tests that malloc() buffers are undefined by default |
| 617 | char mallocGarbage () { |
| 618 | char *buf = malloc(2); |
| 619 | char result = buf[1]; // expected-warning{{undefined}} |
| 620 | free(buf); |
| 621 | return result; |
| 622 | } |
| 623 | |
| 624 | // This tests that calloc() buffers need to be freed |
| 625 | void callocNoFree () { |
| 626 | char *buf = calloc(2,2); |
Anna Zaks | 68eb4c2 | 2013-04-06 00:41:36 +0000 | [diff] [blame] | 627 | return; // expected-warning{{Potential leak of memory pointed to by 'buf'}} |
Zhongxing Xu | a5ce966 | 2010-06-01 03:01:33 +0000 | [diff] [blame] | 628 | } |
| 629 | |
| 630 | // These test that calloc() buffers are zeroed by default |
| 631 | char callocZeroesGood () { |
| 632 | char *buf = calloc(2,2); |
| 633 | char result = buf[3]; // no-warning |
| 634 | if (buf[1] == 0) { |
| 635 | free(buf); |
| 636 | } |
| 637 | return result; // no-warning |
| 638 | } |
| 639 | |
| 640 | char callocZeroesBad () { |
| 641 | char *buf = calloc(2,2); |
| 642 | char result = buf[3]; // no-warning |
| 643 | if (buf[1] != 0) { |
Tom Care | c4b5bd8 | 2010-07-23 23:04:53 +0000 | [diff] [blame] | 644 | free(buf); // expected-warning{{never executed}} |
Zhongxing Xu | a5ce966 | 2010-06-01 03:01:33 +0000 | [diff] [blame] | 645 | } |
Anna Zaks | 68eb4c2 | 2013-04-06 00:41:36 +0000 | [diff] [blame] | 646 | return result; // expected-warning{{Potential leak of memory pointed to by 'buf'}} |
Zhongxing Xu | a5ce966 | 2010-06-01 03:01:33 +0000 | [diff] [blame] | 647 | } |
Anna Zaks | 91c2a11 | 2012-02-08 23:16:56 +0000 | [diff] [blame] | 648 | |
| 649 | void nullFree() { |
| 650 | int *p = 0; |
| 651 | free(p); // no warning - a nop |
| 652 | } |
| 653 | |
| 654 | void paramFree(int *p) { |
| 655 | myfoo(p); |
| 656 | free(p); // no warning |
Anna Zaks | ede875b | 2012-08-03 18:30:18 +0000 | [diff] [blame] | 657 | myfoo(p); // expected-warning {{Use of memory after it is freed}} |
Anna Zaks | 91c2a11 | 2012-02-08 23:16:56 +0000 | [diff] [blame] | 658 | } |
| 659 | |
| 660 | int* mallocEscapeRet() { |
| 661 | int *p = malloc(12); |
| 662 | return p; // no warning |
| 663 | } |
| 664 | |
| 665 | void mallocEscapeFoo() { |
| 666 | int *p = malloc(12); |
| 667 | myfoo(p); |
| 668 | return; // no warning |
| 669 | } |
| 670 | |
| 671 | void mallocEscapeFree() { |
| 672 | int *p = malloc(12); |
| 673 | myfoo(p); |
| 674 | free(p); |
| 675 | } |
| 676 | |
| 677 | void mallocEscapeFreeFree() { |
| 678 | int *p = malloc(12); |
| 679 | myfoo(p); |
| 680 | free(p); |
Anna Zaks | febdc32 | 2012-02-16 22:26:12 +0000 | [diff] [blame] | 681 | free(p); // expected-warning{{Attempt to free released memory}} |
Anna Zaks | 91c2a11 | 2012-02-08 23:16:56 +0000 | [diff] [blame] | 682 | } |
| 683 | |
| 684 | void mallocEscapeFreeUse() { |
| 685 | int *p = malloc(12); |
| 686 | myfoo(p); |
| 687 | free(p); |
Anna Zaks | febdc32 | 2012-02-16 22:26:12 +0000 | [diff] [blame] | 688 | myfoo(p); // expected-warning{{Use of memory after it is freed}} |
Anna Zaks | 91c2a11 | 2012-02-08 23:16:56 +0000 | [diff] [blame] | 689 | } |
| 690 | |
| 691 | int *myalloc(); |
| 692 | void myalloc2(int **p); |
| 693 | |
| 694 | void mallocEscapeFreeCustomAlloc() { |
| 695 | int *p = malloc(12); |
| 696 | myfoo(p); |
| 697 | free(p); |
| 698 | p = myalloc(); |
| 699 | free(p); // no warning |
| 700 | } |
| 701 | |
| 702 | void mallocEscapeFreeCustomAlloc2() { |
| 703 | int *p = malloc(12); |
| 704 | myfoo(p); |
| 705 | free(p); |
| 706 | myalloc2(&p); |
| 707 | free(p); // no warning |
| 708 | } |
| 709 | |
| 710 | void mallocBindFreeUse() { |
| 711 | int *x = malloc(12); |
| 712 | int *y = x; |
| 713 | free(y); |
Anna Zaks | febdc32 | 2012-02-16 22:26:12 +0000 | [diff] [blame] | 714 | myfoo(x); // expected-warning{{Use of memory after it is freed}} |
Anna Zaks | 91c2a11 | 2012-02-08 23:16:56 +0000 | [diff] [blame] | 715 | } |
| 716 | |
| 717 | void mallocEscapeMalloc() { |
| 718 | int *p = malloc(12); |
| 719 | myfoo(p); |
Jordan Rose | 63bc186 | 2012-11-15 19:11:43 +0000 | [diff] [blame] | 720 | p = malloc(12); |
Anna Zaks | 68eb4c2 | 2013-04-06 00:41:36 +0000 | [diff] [blame] | 721 | } // expected-warning{{Potential leak of memory pointed to by}} |
Anna Zaks | 91c2a11 | 2012-02-08 23:16:56 +0000 | [diff] [blame] | 722 | |
| 723 | void mallocMalloc() { |
| 724 | int *p = malloc(12); |
Jordan Rose | 63bc186 | 2012-11-15 19:11:43 +0000 | [diff] [blame] | 725 | p = malloc(12); |
Anna Zaks | 68eb4c2 | 2013-04-06 00:41:36 +0000 | [diff] [blame] | 726 | } // expected-warning {{Potential leak of memory pointed to by}} |
Anna Zaks | 91c2a11 | 2012-02-08 23:16:56 +0000 | [diff] [blame] | 727 | |
| 728 | void mallocFreeMalloc() { |
| 729 | int *p = malloc(12); |
| 730 | free(p); |
| 731 | p = malloc(12); |
| 732 | free(p); |
| 733 | } |
| 734 | |
Anna Zaks | cdfec5e | 2012-02-09 06:25:47 +0000 | [diff] [blame] | 735 | void mallocFreeUse_params() { |
Anna Zaks | 91c2a11 | 2012-02-08 23:16:56 +0000 | [diff] [blame] | 736 | int *p = malloc(12); |
| 737 | free(p); |
Anna Zaks | febdc32 | 2012-02-16 22:26:12 +0000 | [diff] [blame] | 738 | myfoo(p); //expected-warning{{Use of memory after it is freed}} |
Anna Zaks | 15d0ae1 | 2012-02-11 23:46:36 +0000 | [diff] [blame] | 739 | } |
| 740 | |
| 741 | void mallocFreeUse_params2() { |
| 742 | int *p = malloc(12); |
| 743 | free(p); |
Anna Zaks | febdc32 | 2012-02-16 22:26:12 +0000 | [diff] [blame] | 744 | myfooint(*p); //expected-warning{{Use of memory after it is freed}} |
Anna Zaks | 91c2a11 | 2012-02-08 23:16:56 +0000 | [diff] [blame] | 745 | } |
| 746 | |
Anna Zaks | ff3b9fd | 2012-02-09 06:25:51 +0000 | [diff] [blame] | 747 | void mallocFailedOrNot() { |
| 748 | int *p = malloc(12); |
| 749 | if (!p) |
| 750 | free(p); |
| 751 | else |
| 752 | free(p); |
| 753 | } |
| 754 | |
Anna Zaks | e9ef562 | 2012-02-10 01:11:00 +0000 | [diff] [blame] | 755 | struct StructWithInt { |
| 756 | int g; |
| 757 | }; |
Anna Zaks | 0860cd0 | 2012-02-11 21:44:39 +0000 | [diff] [blame] | 758 | |
| 759 | int *mallocReturnFreed() { |
| 760 | int *p = malloc(12); |
| 761 | free(p); |
Anna Zaks | febdc32 | 2012-02-16 22:26:12 +0000 | [diff] [blame] | 762 | return p; // expected-warning {{Use of memory after it is freed}} |
Anna Zaks | 0860cd0 | 2012-02-11 21:44:39 +0000 | [diff] [blame] | 763 | } |
| 764 | |
| 765 | int useAfterFreeStruct() { |
| 766 | struct StructWithInt *px= malloc(sizeof(struct StructWithInt)); |
| 767 | px->g = 5; |
| 768 | free(px); |
Anna Zaks | febdc32 | 2012-02-16 22:26:12 +0000 | [diff] [blame] | 769 | return px->g; // expected-warning {{Use of memory after it is freed}} |
Anna Zaks | 0860cd0 | 2012-02-11 21:44:39 +0000 | [diff] [blame] | 770 | } |
| 771 | |
Anna Zaks | e9ef562 | 2012-02-10 01:11:00 +0000 | [diff] [blame] | 772 | void nonSymbolAsFirstArg(int *pp, struct StructWithInt *p); |
| 773 | |
| 774 | void mallocEscapeFooNonSymbolArg() { |
| 775 | struct StructWithInt *p = malloc(sizeof(struct StructWithInt)); |
| 776 | nonSymbolAsFirstArg(&p->g, p); |
| 777 | return; // no warning |
| 778 | } |
| 779 | |
Anna Zaks | 4fb5487 | 2012-02-11 21:02:35 +0000 | [diff] [blame] | 780 | void mallocFailedOrNotLeak() { |
| 781 | int *p = malloc(12); |
| 782 | if (p == 0) |
| 783 | return; // no warning |
| 784 | else |
Anna Zaks | 68eb4c2 | 2013-04-06 00:41:36 +0000 | [diff] [blame] | 785 | return; // expected-warning {{Potential leak of memory pointed to by}} |
Anna Zaks | 4fb5487 | 2012-02-11 21:02:35 +0000 | [diff] [blame] | 786 | } |
Anna Zaks | e9ef562 | 2012-02-10 01:11:00 +0000 | [diff] [blame] | 787 | |
Anna Zaks | ebc1d32 | 2012-02-15 00:11:28 +0000 | [diff] [blame] | 788 | void mallocAssignment() { |
| 789 | char *p = malloc(12); |
Jordan Rose | 63bc186 | 2012-11-15 19:11:43 +0000 | [diff] [blame] | 790 | p = fooRetPtr(); |
| 791 | } // expected-warning {{leak}} |
Anna Zaks | ebc1d32 | 2012-02-15 00:11:28 +0000 | [diff] [blame] | 792 | |
Anna Zaks | b16ce45 | 2012-02-15 00:11:22 +0000 | [diff] [blame] | 793 | int vallocTest() { |
| 794 | char *mem = valloc(12); |
Anna Zaks | 68eb4c2 | 2013-04-06 00:41:36 +0000 | [diff] [blame] | 795 | return 0; // expected-warning {{Potential leak of memory pointed to by}} |
Anna Zaks | b16ce45 | 2012-02-15 00:11:22 +0000 | [diff] [blame] | 796 | } |
| 797 | |
| 798 | void vallocEscapeFreeUse() { |
| 799 | int *p = valloc(12); |
| 800 | myfoo(p); |
| 801 | free(p); |
Anna Zaks | febdc32 | 2012-02-16 22:26:12 +0000 | [diff] [blame] | 802 | myfoo(p); // expected-warning{{Use of memory after it is freed}} |
Anna Zaks | b16ce45 | 2012-02-15 00:11:22 +0000 | [diff] [blame] | 803 | } |
| 804 | |
Anna Zaks | cdfec5e | 2012-02-09 06:25:47 +0000 | [diff] [blame] | 805 | int *Gl; |
| 806 | struct GlStTy { |
| 807 | int *x; |
| 808 | }; |
| 809 | |
| 810 | struct GlStTy GlS = {0}; |
| 811 | |
| 812 | void GlobalFree() { |
| 813 | free(Gl); |
| 814 | } |
| 815 | |
| 816 | void GlobalMalloc() { |
| 817 | Gl = malloc(12); |
| 818 | } |
| 819 | |
| 820 | void GlobalStructMalloc() { |
| 821 | int *a = malloc(12); |
| 822 | GlS.x = a; |
| 823 | } |
| 824 | |
| 825 | void GlobalStructMallocFree() { |
| 826 | int *a = malloc(12); |
| 827 | GlS.x = a; |
| 828 | free(GlS.x); |
| 829 | } |
Anna Zaks | f8b1c31 | 2012-02-10 01:11:03 +0000 | [diff] [blame] | 830 | |
Anna Zaks | ad901a6 | 2012-02-16 22:26:15 +0000 | [diff] [blame] | 831 | char *ArrayG[12]; |
| 832 | |
| 833 | void globalArrayTest() { |
| 834 | char *p = (char*)malloc(12); |
| 835 | ArrayG[0] = p; |
| 836 | } |
| 837 | |
Anna Zaks | ac59300 | 2012-02-16 03:40:57 +0000 | [diff] [blame] | 838 | // Make sure that we properly handle a pointer stored into a local struct/array. |
| 839 | typedef struct _StructWithPtr { |
| 840 | int *memP; |
| 841 | } StructWithPtr; |
| 842 | |
| 843 | static StructWithPtr arrOfStructs[10]; |
| 844 | |
| 845 | void testMalloc() { |
| 846 | int *x = malloc(12); |
| 847 | StructWithPtr St; |
| 848 | St.memP = x; |
Jordan Rose | 0d53ab4 | 2012-08-08 18:23:31 +0000 | [diff] [blame] | 849 | arrOfStructs[0] = St; // no-warning |
Anna Zaks | ac59300 | 2012-02-16 03:40:57 +0000 | [diff] [blame] | 850 | } |
| 851 | |
| 852 | StructWithPtr testMalloc2() { |
| 853 | int *x = malloc(12); |
| 854 | StructWithPtr St; |
| 855 | St.memP = x; |
Jordan Rose | 0d53ab4 | 2012-08-08 18:23:31 +0000 | [diff] [blame] | 856 | return St; // no-warning |
Anna Zaks | ac59300 | 2012-02-16 03:40:57 +0000 | [diff] [blame] | 857 | } |
| 858 | |
| 859 | int *testMalloc3() { |
| 860 | int *x = malloc(12); |
| 861 | int *y = x; |
Jordan Rose | 0d53ab4 | 2012-08-08 18:23:31 +0000 | [diff] [blame] | 862 | return y; // no-warning |
Anna Zaks | ac59300 | 2012-02-16 03:40:57 +0000 | [diff] [blame] | 863 | } |
| 864 | |
Jordan Rose | 74f6982 | 2013-03-20 20:35:57 +0000 | [diff] [blame] | 865 | void testStructLeak() { |
| 866 | StructWithPtr St; |
| 867 | St.memP = malloc(12); |
Anna Zaks | 68eb4c2 | 2013-04-06 00:41:36 +0000 | [diff] [blame] | 868 | return; // expected-warning {{Potential leak of memory pointed to by 'St.memP'}} |
Jordan Rose | 74f6982 | 2013-03-20 20:35:57 +0000 | [diff] [blame] | 869 | } |
| 870 | |
Anna Zaks | d8a8a3b | 2012-02-17 22:35:34 +0000 | [diff] [blame] | 871 | void testElemRegion1() { |
| 872 | char *x = (void*)malloc(2); |
| 873 | int *ix = (int*)x; |
| 874 | free(&(x[0])); |
| 875 | } |
| 876 | |
| 877 | void testElemRegion2(int **pp) { |
| 878 | int *p = malloc(12); |
| 879 | *pp = p; |
| 880 | free(pp[0]); |
| 881 | } |
| 882 | |
| 883 | void testElemRegion3(int **pp) { |
| 884 | int *p = malloc(12); |
| 885 | *pp = p; |
| 886 | free(*pp); |
| 887 | } |
Anna Zaks | 4fb5487 | 2012-02-11 21:02:35 +0000 | [diff] [blame] | 888 | // Region escape testing. |
| 889 | |
| 890 | unsigned takePtrToPtr(int **p); |
| 891 | void PassTheAddrOfAllocatedData(int f) { |
| 892 | int *p = malloc(12); |
| 893 | // We don't know what happens after the call. Should stop tracking here. |
| 894 | if (takePtrToPtr(&p)) |
| 895 | f++; |
| 896 | free(p); // no warning |
| 897 | } |
| 898 | |
| 899 | struct X { |
| 900 | int *p; |
| 901 | }; |
| 902 | unsigned takePtrToStruct(struct X *s); |
| 903 | int ** foo2(int *g, int f) { |
| 904 | int *p = malloc(12); |
| 905 | struct X *px= malloc(sizeof(struct X)); |
| 906 | px->p = p; |
| 907 | // We don't know what happens after this call. Should not track px nor p. |
| 908 | if (takePtrToStruct(px)) |
| 909 | f++; |
| 910 | free(p); |
| 911 | return 0; |
| 912 | } |
| 913 | |
| 914 | struct X* RegInvalidationDetect1(struct X *s2) { |
| 915 | struct X *px= malloc(sizeof(struct X)); |
| 916 | px->p = 0; |
| 917 | px = s2; |
Anna Zaks | 68eb4c2 | 2013-04-06 00:41:36 +0000 | [diff] [blame] | 918 | return px; // expected-warning {{Potential leak of memory pointed to by}} |
Anna Zaks | 4fb5487 | 2012-02-11 21:02:35 +0000 | [diff] [blame] | 919 | } |
| 920 | |
| 921 | struct X* RegInvalidationGiveUp1() { |
| 922 | int *p = malloc(12); |
| 923 | struct X *px= malloc(sizeof(struct X)); |
| 924 | px->p = p; |
| 925 | return px; |
| 926 | } |
| 927 | |
| 928 | int **RegInvalidationDetect2(int **pp) { |
| 929 | int *p = malloc(12); |
| 930 | pp = &p; |
| 931 | pp++; |
Anna Zaks | 68eb4c2 | 2013-04-06 00:41:36 +0000 | [diff] [blame] | 932 | return 0;// expected-warning {{Potential leak of memory pointed to by}} |
Anna Zaks | 4fb5487 | 2012-02-11 21:02:35 +0000 | [diff] [blame] | 933 | } |
Anna Zaks | f8b1c31 | 2012-02-10 01:11:03 +0000 | [diff] [blame] | 934 | |
Anna Zaks | f8b1c31 | 2012-02-10 01:11:03 +0000 | [diff] [blame] | 935 | extern void exit(int) __attribute__ ((__noreturn__)); |
| 936 | void mallocExit(int *g) { |
| 937 | struct xx *p = malloc(12); |
Anna Zaks | da04677 | 2012-02-11 21:02:40 +0000 | [diff] [blame] | 938 | if (g != 0) |
| 939 | exit(1); |
Anna Zaks | f8b1c31 | 2012-02-10 01:11:03 +0000 | [diff] [blame] | 940 | free(p); |
| 941 | return; |
| 942 | } |
| 943 | |
Anna Zaks | f8b1c31 | 2012-02-10 01:11:03 +0000 | [diff] [blame] | 944 | extern void __assert_fail (__const char *__assertion, __const char *__file, |
| 945 | unsigned int __line, __const char *__function) |
| 946 | __attribute__ ((__noreturn__)); |
| 947 | #define assert(expr) \ |
| 948 | ((expr) ? (void)(0) : __assert_fail (#expr, __FILE__, __LINE__, __func__)) |
| 949 | void mallocAssert(int *g) { |
| 950 | struct xx *p = malloc(12); |
| 951 | |
Anna Zaks | da04677 | 2012-02-11 21:02:40 +0000 | [diff] [blame] | 952 | assert(g != 0); |
Anna Zaks | f8b1c31 | 2012-02-10 01:11:03 +0000 | [diff] [blame] | 953 | free(p); |
| 954 | return; |
| 955 | } |
| 956 | |
Anna Zaks | 15d0ae1 | 2012-02-11 23:46:36 +0000 | [diff] [blame] | 957 | void doNotInvalidateWhenPassedToSystemCalls(char *s) { |
| 958 | char *p = malloc(12); |
| 959 | strlen(p); |
Jordan Rose | 63bc186 | 2012-11-15 19:11:43 +0000 | [diff] [blame] | 960 | strcpy(p, s); |
Anton Yartsev | b7a747b | 2013-11-17 09:18:48 +0000 | [diff] [blame] | 961 | strcpy(s, p); |
| 962 | strcpy(p, p); |
| 963 | memcpy(p, s, 1); |
| 964 | memcpy(s, p, 1); |
| 965 | memcpy(p, p, 1); |
Jordan Rose | 63bc186 | 2012-11-15 19:11:43 +0000 | [diff] [blame] | 966 | } // expected-warning {{leak}} |
Anna Zaks | 15d0ae1 | 2012-02-11 23:46:36 +0000 | [diff] [blame] | 967 | |
Anton Yartsev | b7a747b | 2013-11-17 09:18:48 +0000 | [diff] [blame] | 968 | // Treat source buffer contents as escaped. |
| 969 | void escapeSourceContents(char *s) { |
| 970 | char *p = malloc(12); |
| 971 | memcpy(s, &p, 12); // no warning |
| 972 | |
| 973 | void *p1 = malloc(7); |
| 974 | char *a; |
| 975 | memcpy(&a, &p1, sizeof a); |
| 976 | // FIXME: No warning due to limitations imposed by current modelling of |
| 977 | // 'memcpy' (regions metadata is not copied). |
| 978 | |
| 979 | int *ptrs[2]; |
| 980 | int *allocated = (int *)malloc(4); |
| 981 | memcpy(&ptrs[0], &allocated, sizeof(int *)); |
| 982 | // FIXME: No warning due to limitations imposed by current modelling of |
| 983 | // 'memcpy' (regions metadata is not copied). |
| 984 | } |
| 985 | |
| 986 | void invalidateDestinationContents() { |
| 987 | int *null = 0; |
| 988 | int *p = (int *)malloc(4); |
| 989 | memcpy(&p, &null, sizeof(int *)); |
| 990 | |
| 991 | int *ptrs1[2]; // expected-warning {{Potential leak of memory pointed to by}} |
| 992 | ptrs1[0] = (int *)malloc(4); |
| 993 | memcpy(ptrs1, &null, sizeof(int *)); |
| 994 | |
| 995 | int *ptrs2[2]; // expected-warning {{Potential memory leak}} |
| 996 | ptrs2[0] = (int *)malloc(4); |
| 997 | memcpy(&ptrs2[1], &null, sizeof(int *)); |
| 998 | |
| 999 | int *ptrs3[2]; // expected-warning {{Potential memory leak}} |
| 1000 | ptrs3[0] = (int *)malloc(4); |
| 1001 | memcpy(&ptrs3[0], &null, sizeof(int *)); |
| 1002 | } // expected-warning {{Potential memory leak}} |
| 1003 | |
Anna Zaks | f0dfc9c | 2012-02-17 22:35:31 +0000 | [diff] [blame] | 1004 | // Rely on the CString checker evaluation of the strcpy API to convey that the result of strcpy is equal to p. |
| 1005 | void symbolLostWithStrcpy(char *s) { |
| 1006 | char *p = malloc(12); |
| 1007 | p = strcpy(p, s); |
| 1008 | free(p); |
| 1009 | } |
| 1010 | |
| 1011 | |
| 1012 | // The same test as the one above, but with what is actually generated on a mac. |
| 1013 | static __inline char * |
| 1014 | __inline_strcpy_chk (char *restrict __dest, const char *restrict __src) |
| 1015 | { |
| 1016 | return __builtin___strcpy_chk (__dest, __src, __builtin_object_size (__dest, 2 > 1)); |
| 1017 | } |
| 1018 | |
| 1019 | void symbolLostWithStrcpy_InlineStrcpyVersion(char *s) { |
| 1020 | char *p = malloc(12); |
| 1021 | p = ((__builtin_object_size (p, 0) != (size_t) -1) ? __builtin___strcpy_chk (p, s, __builtin_object_size (p, 2 > 1)) : __inline_strcpy_chk (p, s)); |
| 1022 | free(p); |
| 1023 | } |
Anna Zaks | d9ab7bb | 2012-02-22 02:36:01 +0000 | [diff] [blame] | 1024 | |
| 1025 | // Here we are returning a pointer one past the allocated value. An idiom which |
| 1026 | // can be used for implementing special malloc. The correct uses of this might |
| 1027 | // be rare enough so that we could keep this as a warning. |
| 1028 | static void *specialMalloc(int n){ |
| 1029 | int *p; |
| 1030 | p = malloc( n+8 ); |
| 1031 | if( p ){ |
| 1032 | p[0] = n; |
| 1033 | p++; |
| 1034 | } |
| 1035 | return p; |
| 1036 | } |
| 1037 | |
| 1038 | // Potentially, the user could free the struct by performing pointer arithmetic on the return value. |
| 1039 | // This is a variation of the specialMalloc issue, though probably would be more rare in correct code. |
| 1040 | int *specialMallocWithStruct() { |
| 1041 | struct StructWithInt *px= malloc(sizeof(struct StructWithInt)); |
| 1042 | return &(px->g); |
| 1043 | } |
| 1044 | |
Anna Zaks | 60a1fa4 | 2012-02-22 03:14:20 +0000 | [diff] [blame] | 1045 | // Test various allocation/deallocation functions. |
Anna Zaks | 60a1fa4 | 2012-02-22 03:14:20 +0000 | [diff] [blame] | 1046 | void testStrdup(const char *s, unsigned validIndex) { |
| 1047 | char *s2 = strdup(s); |
Jordan Rose | 63bc186 | 2012-11-15 19:11:43 +0000 | [diff] [blame] | 1048 | s2[validIndex + 1] = 'b'; |
Anna Zaks | 68eb4c2 | 2013-04-06 00:41:36 +0000 | [diff] [blame] | 1049 | } // expected-warning {{Potential leak of memory pointed to by}} |
Anna Zaks | 60a1fa4 | 2012-02-22 03:14:20 +0000 | [diff] [blame] | 1050 | |
| 1051 | int testStrndup(const char *s, unsigned validIndex, unsigned size) { |
| 1052 | char *s2 = strndup(s, size); |
| 1053 | s2 [validIndex + 1] = 'b'; |
| 1054 | if (s2[validIndex] != 'a') |
Anna Zaks | ca8e36e | 2012-02-23 21:38:21 +0000 | [diff] [blame] | 1055 | return 0; |
Anna Zaks | 60a1fa4 | 2012-02-22 03:14:20 +0000 | [diff] [blame] | 1056 | else |
Anna Zaks | 68eb4c2 | 2013-04-06 00:41:36 +0000 | [diff] [blame] | 1057 | return 1;// expected-warning {{Potential leak of memory pointed to by}} |
Anna Zaks | 60a1fa4 | 2012-02-22 03:14:20 +0000 | [diff] [blame] | 1058 | } |
| 1059 | |
Anna Zaks | 87cb5be | 2012-02-22 19:24:52 +0000 | [diff] [blame] | 1060 | void testStrdupContentIsDefined(const char *s, unsigned validIndex) { |
| 1061 | char *s2 = strdup(s); |
| 1062 | char result = s2[1];// no warning |
| 1063 | free(s2); |
| 1064 | } |
| 1065 | |
Anna Zaks | ca23eb2 | 2012-02-29 18:42:47 +0000 | [diff] [blame] | 1066 | // ---------------------------------------------------------------------------- |
Anna Zaks | 0d389b8 | 2012-02-23 01:05:27 +0000 | [diff] [blame] | 1067 | // Test the system library functions to which the pointer can escape. |
Anna Zaks | ca23eb2 | 2012-02-29 18:42:47 +0000 | [diff] [blame] | 1068 | // This tests false positive suppression. |
Anna Zaks | 0d389b8 | 2012-02-23 01:05:27 +0000 | [diff] [blame] | 1069 | |
| 1070 | // For now, we assume memory passed to pthread_specific escapes. |
| 1071 | // TODO: We could check that if a new pthread binding is set, the existing |
| 1072 | // binding must be freed; otherwise, a memory leak can occur. |
| 1073 | void testPthereadSpecificEscape(pthread_key_t key) { |
| 1074 | void *buf = malloc(12); |
| 1075 | pthread_setspecific(key, buf); // no warning |
| 1076 | } |
| 1077 | |
Anna Zaks | ca23eb2 | 2012-02-29 18:42:47 +0000 | [diff] [blame] | 1078 | // PR12101: Test funopen(). |
| 1079 | static int releasePtr(void *_ctx) { |
| 1080 | free(_ctx); |
| 1081 | return 0; |
| 1082 | } |
| 1083 | FILE *useFunOpen() { |
| 1084 | void *ctx = malloc(sizeof(int)); |
| 1085 | FILE *f = funopen(ctx, 0, 0, 0, releasePtr); // no warning |
| 1086 | if (f == 0) { |
| 1087 | free(ctx); |
| 1088 | } |
| 1089 | return f; |
| 1090 | } |
| 1091 | FILE *useFunOpenNoReleaseFunction() { |
| 1092 | void *ctx = malloc(sizeof(int)); |
| 1093 | FILE *f = funopen(ctx, 0, 0, 0, 0); |
| 1094 | if (f == 0) { |
| 1095 | free(ctx); |
| 1096 | } |
| 1097 | return f; // expected-warning{{leak}} |
| 1098 | } |
| 1099 | |
Jordan Rose | 85d7e01 | 2012-07-02 19:27:51 +0000 | [diff] [blame] | 1100 | static int readNothing(void *_ctx, char *buf, int size) { |
| 1101 | return 0; |
| 1102 | } |
| 1103 | FILE *useFunOpenReadNoRelease() { |
| 1104 | void *ctx = malloc(sizeof(int)); |
| 1105 | FILE *f = funopen(ctx, readNothing, 0, 0, 0); |
| 1106 | if (f == 0) { |
| 1107 | free(ctx); |
| 1108 | } |
| 1109 | return f; // expected-warning{{leak}} |
| 1110 | } |
| 1111 | |
Anna Zaks | ca23eb2 | 2012-02-29 18:42:47 +0000 | [diff] [blame] | 1112 | // Test setbuf, setvbuf. |
| 1113 | int my_main_no_warning() { |
| 1114 | char *p = malloc(100); |
| 1115 | setvbuf(stdout, p, 0, 100); |
| 1116 | return 0; |
| 1117 | } |
| 1118 | int my_main_no_warning2() { |
| 1119 | char *p = malloc(100); |
| 1120 | setbuf(__stdoutp, p); |
| 1121 | return 0; |
| 1122 | } |
| 1123 | int my_main_warn(FILE *f) { |
| 1124 | char *p = malloc(100); |
| 1125 | setvbuf(f, p, 0, 100); |
| 1126 | return 0;// expected-warning {{leak}} |
| 1127 | } |
| 1128 | |
Ted Kremenek | a99f874 | 2012-03-05 23:06:19 +0000 | [diff] [blame] | 1129 | // <rdar://problem/10978247>. |
| 1130 | // some people use stack allocated memory as an optimization to avoid |
| 1131 | // a heap allocation for small work sizes. This tests the analyzer's |
| 1132 | // understanding that the malloc'ed memory is not the same as stackBuffer. |
| 1133 | void radar10978247(int myValueSize) { |
| 1134 | char stackBuffer[128]; |
| 1135 | char *buffer; |
| 1136 | |
| 1137 | if (myValueSize <= sizeof(stackBuffer)) |
| 1138 | buffer = stackBuffer; |
| 1139 | else |
| 1140 | buffer = malloc(myValueSize); |
| 1141 | |
| 1142 | // do stuff with the buffer |
| 1143 | if (buffer != stackBuffer) |
| 1144 | free(buffer); |
| 1145 | } |
| 1146 | |
| 1147 | void radar10978247_positive(int myValueSize) { |
| 1148 | char stackBuffer[128]; |
| 1149 | char *buffer; |
| 1150 | |
| 1151 | if (myValueSize <= sizeof(stackBuffer)) |
| 1152 | buffer = stackBuffer; |
| 1153 | else |
| 1154 | buffer = malloc(myValueSize); |
| 1155 | |
| 1156 | // do stuff with the buffer |
Jordan Rose | 63bc186 | 2012-11-15 19:11:43 +0000 | [diff] [blame] | 1157 | if (buffer == stackBuffer) |
Ted Kremenek | a99f874 | 2012-03-05 23:06:19 +0000 | [diff] [blame] | 1158 | return; |
Jordan Rose | 63bc186 | 2012-11-15 19:11:43 +0000 | [diff] [blame] | 1159 | else |
| 1160 | return; // expected-warning {{leak}} |
| 1161 | } |
Ted Kremenek | 8f40afb | 2012-04-26 05:08:26 +0000 | [diff] [blame] | 1162 | // <rdar://problem/11269741> Previously this triggered a false positive |
| 1163 | // because malloc() is known to return uninitialized memory and the binding |
| 1164 | // of 'o' to 'p->n' was not getting propertly handled. Now we report a leak. |
| 1165 | struct rdar11269741_a_t { |
| 1166 | struct rdar11269741_b_t { |
| 1167 | int m; |
| 1168 | } n; |
| 1169 | }; |
| 1170 | |
| 1171 | int rdar11269741(struct rdar11269741_b_t o) |
| 1172 | { |
| 1173 | struct rdar11269741_a_t *p = (struct rdar11269741_a_t *) malloc(sizeof(*p)); |
| 1174 | p->n = o; |
| 1175 | return p->n.m; // expected-warning {{leak}} |
| 1176 | } |
| 1177 | |
Anna Zaks | e55a14a | 2012-05-03 02:13:56 +0000 | [diff] [blame] | 1178 | // Pointer arithmetic, returning an ElementRegion. |
| 1179 | void *radar11329382(unsigned bl) { |
| 1180 | void *ptr = malloc (16); |
| 1181 | ptr = ptr + (2 - bl); |
| 1182 | return ptr; // no warning |
| 1183 | } |
| 1184 | |
Anna Zaks | 33e4a1d | 2012-05-01 21:10:29 +0000 | [diff] [blame] | 1185 | void __assert_rtn(const char *, const char *, int, const char *) __attribute__((__noreturn__)); |
| 1186 | int strcmp(const char *, const char *); |
| 1187 | char *a (void); |
| 1188 | void radar11270219(void) { |
| 1189 | char *x = a(), *y = a(); |
| 1190 | (__builtin_expect(!(x && y), 0) ? __assert_rtn(__func__, "/Users/zaks/tmp/ex.c", 24, "x && y") : (void)0); |
| 1191 | strcmp(x, y); // no warning |
| 1192 | } |
| 1193 | |
Anna Zaks | 93c5a24 | 2012-05-02 00:05:20 +0000 | [diff] [blame] | 1194 | void radar_11358224_test_double_assign_ints_positive_2() |
| 1195 | { |
| 1196 | void *ptr = malloc(16); |
Jordan Rose | 63bc186 | 2012-11-15 19:11:43 +0000 | [diff] [blame] | 1197 | ptr = ptr; |
| 1198 | } // expected-warning {{leak}} |
Anna Zaks | 93c5a24 | 2012-05-02 00:05:20 +0000 | [diff] [blame] | 1199 | |
Anna Zaks | aca0ac5 | 2012-05-03 23:50:28 +0000 | [diff] [blame] | 1200 | // Assume that functions which take a function pointer can free memory even if |
| 1201 | // they are defined in system headers and take the const pointer to the |
| 1202 | // allocated memory. (radar://11160612) |
| 1203 | int const_ptr_and_callback(int, const char*, int n, void(*)(void*)); |
| 1204 | void r11160612_1() { |
| 1205 | char *x = malloc(12); |
| 1206 | const_ptr_and_callback(0, x, 12, free); // no - warning |
| 1207 | } |
| 1208 | |
| 1209 | // Null is passed as callback. |
| 1210 | void r11160612_2() { |
| 1211 | char *x = malloc(12); |
Jordan Rose | 63bc186 | 2012-11-15 19:11:43 +0000 | [diff] [blame] | 1212 | const_ptr_and_callback(0, x, 12, 0); |
| 1213 | } // expected-warning {{leak}} |
Anna Zaks | aca0ac5 | 2012-05-03 23:50:28 +0000 | [diff] [blame] | 1214 | |
| 1215 | // Callback is passed to a function defined in a system header. |
| 1216 | void r11160612_4() { |
| 1217 | char *x = malloc(12); |
| 1218 | sqlite3_bind_text_my(0, x, 12, free); // no - warning |
| 1219 | } |
| 1220 | |
Anna Zaks | b79d862 | 2012-05-03 23:50:33 +0000 | [diff] [blame] | 1221 | // Passing callbacks in a struct. |
| 1222 | void r11160612_5(StWithCallback St) { |
| 1223 | void *x = malloc(12); |
| 1224 | dealocateMemWhenDoneByVal(x, St); |
| 1225 | } |
| 1226 | void r11160612_6(StWithCallback St) { |
| 1227 | void *x = malloc(12); |
| 1228 | dealocateMemWhenDoneByRef(&St, x); |
| 1229 | } |
| 1230 | |
Anna Zaks | 84d4384 | 2012-05-04 17:37:16 +0000 | [diff] [blame] | 1231 | int mySub(int, int); |
| 1232 | int myAdd(int, int); |
| 1233 | int fPtr(unsigned cond, int x) { |
| 1234 | return (cond ? mySub : myAdd)(x, x); |
| 1235 | } |
| 1236 | |
Anna Zaks | e17fdb2 | 2012-06-07 03:57:32 +0000 | [diff] [blame] | 1237 | // Test anti-aliasing. |
Anna Zaks | da04677 | 2012-02-11 21:02:40 +0000 | [diff] [blame] | 1238 | |
Anna Zaks | f8b1c31 | 2012-02-10 01:11:03 +0000 | [diff] [blame] | 1239 | void dependsOnValueOfPtr(int *g, unsigned f) { |
| 1240 | int *p; |
| 1241 | |
| 1242 | if (f) { |
| 1243 | p = g; |
| 1244 | } else { |
| 1245 | p = malloc(12); |
| 1246 | } |
| 1247 | |
| 1248 | if (p != g) |
| 1249 | free(p); |
| 1250 | else |
Anna Zaks | e17fdb2 | 2012-06-07 03:57:32 +0000 | [diff] [blame] | 1251 | return; // no warning |
Anna Zaks | f8b1c31 | 2012-02-10 01:11:03 +0000 | [diff] [blame] | 1252 | return; |
| 1253 | } |
| 1254 | |
Anna Zaks | e17fdb2 | 2012-06-07 03:57:32 +0000 | [diff] [blame] | 1255 | int CMPRegionHeapToStack() { |
| 1256 | int x = 0; |
| 1257 | int *x1 = malloc(8); |
| 1258 | int *x2 = &x; |
Anna Zaks | adccc3f | 2012-06-08 00:04:40 +0000 | [diff] [blame] | 1259 | clang_analyzer_eval(x1 == x2); // expected-warning{{FALSE}} |
Anna Zaks | e17fdb2 | 2012-06-07 03:57:32 +0000 | [diff] [blame] | 1260 | free(x1); |
| 1261 | return x; |
| 1262 | } |
| 1263 | |
| 1264 | int CMPRegionHeapToHeap2() { |
| 1265 | int x = 0; |
| 1266 | int *x1 = malloc(8); |
| 1267 | int *x2 = malloc(8); |
| 1268 | int *x4 = x1; |
| 1269 | int *x5 = x2; |
Anna Zaks | adccc3f | 2012-06-08 00:04:40 +0000 | [diff] [blame] | 1270 | clang_analyzer_eval(x4 == x5); // expected-warning{{FALSE}} |
Anna Zaks | e17fdb2 | 2012-06-07 03:57:32 +0000 | [diff] [blame] | 1271 | free(x1); |
| 1272 | free(x2); |
| 1273 | return x; |
| 1274 | } |
| 1275 | |
| 1276 | int CMPRegionHeapToHeap() { |
| 1277 | int x = 0; |
| 1278 | int *x1 = malloc(8); |
| 1279 | int *x4 = x1; |
| 1280 | if (x1 == x4) { |
| 1281 | free(x1); |
| 1282 | return 5/x; // expected-warning{{Division by zero}} |
| 1283 | } |
| 1284 | return x;// expected-warning{{This statement is never executed}} |
| 1285 | } |
| 1286 | |
| 1287 | int HeapAssignment() { |
| 1288 | int m = 0; |
| 1289 | int *x = malloc(4); |
| 1290 | int *y = x; |
| 1291 | *x = 5; |
Anna Zaks | adccc3f | 2012-06-08 00:04:40 +0000 | [diff] [blame] | 1292 | clang_analyzer_eval(*x != *y); // expected-warning{{FALSE}} |
Anna Zaks | e17fdb2 | 2012-06-07 03:57:32 +0000 | [diff] [blame] | 1293 | free(x); |
| 1294 | return 0; |
| 1295 | } |
| 1296 | |
Anna Zaks | 783f008 | 2012-06-07 20:18:08 +0000 | [diff] [blame] | 1297 | int *retPtr(); |
| 1298 | int *retPtrMightAlias(int *x); |
| 1299 | int cmpHeapAllocationToUnknown() { |
| 1300 | int zero = 0; |
| 1301 | int *yBefore = retPtr(); |
| 1302 | int *m = malloc(8); |
| 1303 | int *yAfter = retPtrMightAlias(m); |
Anna Zaks | adccc3f | 2012-06-08 00:04:40 +0000 | [diff] [blame] | 1304 | clang_analyzer_eval(yBefore == m); // expected-warning{{FALSE}} |
| 1305 | clang_analyzer_eval(yAfter == m); // expected-warning{{FALSE}} |
Anna Zaks | 783f008 | 2012-06-07 20:18:08 +0000 | [diff] [blame] | 1306 | free(m); |
| 1307 | return 0; |
| 1308 | } |
| 1309 | |
Jordan Rose | 74f6982 | 2013-03-20 20:35:57 +0000 | [diff] [blame] | 1310 | void localArrayTest() { |
| 1311 | char *p = (char*)malloc(12); |
| 1312 | char *ArrayL[12]; |
| 1313 | ArrayL[0] = p; |
| 1314 | } // expected-warning {{leak}} |
| 1315 | |
| 1316 | void localStructTest() { |
| 1317 | StructWithPtr St; |
| 1318 | StructWithPtr *pSt = &St; |
| 1319 | pSt->memP = malloc(12); |
Anna Zaks | 68eb4c2 | 2013-04-06 00:41:36 +0000 | [diff] [blame] | 1320 | } // expected-warning{{Potential leak of memory pointed to by}} |
Jordan Rose | 74f6982 | 2013-03-20 20:35:57 +0000 | [diff] [blame] | 1321 | |
Jordan Rose | 6e99f9f | 2012-11-27 02:37:49 +0000 | [diff] [blame] | 1322 | #ifdef __INTPTR_TYPE__ |
Ted Kremenek | 140d0c6 | 2012-05-01 21:58:29 +0000 | [diff] [blame] | 1323 | // Test double assignment through integers. |
Jordan Rose | 6e99f9f | 2012-11-27 02:37:49 +0000 | [diff] [blame] | 1324 | typedef __INTPTR_TYPE__ intptr_t; |
| 1325 | typedef unsigned __INTPTR_TYPE__ uintptr_t; |
| 1326 | |
| 1327 | static intptr_t glob; |
Ted Kremenek | 140d0c6 | 2012-05-01 21:58:29 +0000 | [diff] [blame] | 1328 | void test_double_assign_ints() |
| 1329 | { |
| 1330 | void *ptr = malloc (16); // no-warning |
Jordan Rose | 6e99f9f | 2012-11-27 02:37:49 +0000 | [diff] [blame] | 1331 | glob = (intptr_t)(uintptr_t)ptr; |
Ted Kremenek | 140d0c6 | 2012-05-01 21:58:29 +0000 | [diff] [blame] | 1332 | } |
| 1333 | |
| 1334 | void test_double_assign_ints_positive() |
| 1335 | { |
| 1336 | void *ptr = malloc(16); |
Jordan Rose | 6e99f9f | 2012-11-27 02:37:49 +0000 | [diff] [blame] | 1337 | (void*)(intptr_t)(uintptr_t)ptr; // expected-warning {{unused}} |
Jordan Rose | 63bc186 | 2012-11-15 19:11:43 +0000 | [diff] [blame] | 1338 | } // expected-warning {{leak}} |
Jordan Rose | 6e99f9f | 2012-11-27 02:37:49 +0000 | [diff] [blame] | 1339 | #endif |
Jordan Rose | 1bf908d | 2012-06-16 00:09:20 +0000 | [diff] [blame] | 1340 | |
| 1341 | void testCGContextNoLeak() |
| 1342 | { |
| 1343 | void *ptr = malloc(16); |
| 1344 | CGContextRef context = CGBitmapContextCreate(ptr); |
| 1345 | |
| 1346 | // Because you can get the data back out like this, even much later, |
| 1347 | // CGBitmapContextCreate is one of our "stop-tracking" exceptions. |
| 1348 | free(CGBitmapContextGetData(context)); |
| 1349 | } |
| 1350 | |
| 1351 | void testCGContextLeak() |
| 1352 | { |
| 1353 | void *ptr = malloc(16); |
| 1354 | CGContextRef context = CGBitmapContextCreate(ptr); |
| 1355 | // However, this time we're just leaking the data, because the context |
| 1356 | // object doesn't escape and it hasn't been freed in this function. |
| 1357 | } |
| 1358 | |
Anna Zaks | 52a0481 | 2012-06-20 23:35:57 +0000 | [diff] [blame] | 1359 | // Allow xpc context to escape. radar://11635258 |
| 1360 | // TODO: Would be great if we checked that the finalize_connection_context actually releases it. |
| 1361 | static void finalize_connection_context(void *ctx) { |
| 1362 | int *context = ctx; |
| 1363 | free(context); |
| 1364 | } |
| 1365 | void foo (xpc_connection_t peer) { |
| 1366 | int *ctx = calloc(1, sizeof(int)); |
| 1367 | xpc_connection_set_context(peer, ctx); |
| 1368 | xpc_connection_set_finalizer_f(peer, finalize_connection_context); |
| 1369 | xpc_connection_resume(peer); |
| 1370 | } |
| 1371 | |
Anna Zaks | ede875b | 2012-08-03 18:30:18 +0000 | [diff] [blame] | 1372 | // Make sure we catch errors when we free in a function which does not allocate memory. |
| 1373 | void freeButNoMalloc(int *p, int x){ |
| 1374 | if (x) { |
| 1375 | free(p); |
| 1376 | //user forgot a return here. |
| 1377 | } |
| 1378 | free(p); // expected-warning {{Attempt to free released memory}} |
| 1379 | } |
Anna Zaks | 4d33286 | 2012-08-04 02:04:27 +0000 | [diff] [blame] | 1380 | |
| 1381 | struct HasPtr { |
Anna Zaks | 55dd956 | 2012-08-24 02:28:20 +0000 | [diff] [blame] | 1382 | char *p; |
Anna Zaks | 4d33286 | 2012-08-04 02:04:27 +0000 | [diff] [blame] | 1383 | }; |
| 1384 | |
Anna Zaks | 55dd956 | 2012-08-24 02:28:20 +0000 | [diff] [blame] | 1385 | char* reallocButNoMalloc(struct HasPtr *a, int c, int size) { |
Anna Zaks | 4d33286 | 2012-08-04 02:04:27 +0000 | [diff] [blame] | 1386 | int *s; |
Anna Zaks | 55dd956 | 2012-08-24 02:28:20 +0000 | [diff] [blame] | 1387 | char *b = realloc(a->p, size); |
| 1388 | char *m = realloc(a->p, size); // expected-warning {{Attempt to free released memory}} |
Anna Zaks | 4d33286 | 2012-08-04 02:04:27 +0000 | [diff] [blame] | 1389 | return a->p; |
| 1390 | } |
Jordan Rose | 0d53ab4 | 2012-08-08 18:23:31 +0000 | [diff] [blame] | 1391 | |
Anna Zaks | 55dd956 | 2012-08-24 02:28:20 +0000 | [diff] [blame] | 1392 | // We should not warn in this case since the caller will presumably free a->p in all cases. |
| 1393 | int reallocButNoMallocPR13674(struct HasPtr *a, int c, int size) { |
| 1394 | int *s; |
| 1395 | char *b = realloc(a->p, size); |
| 1396 | if (b == 0) |
| 1397 | return -1; |
| 1398 | a->p = b; |
| 1399 | return 0; |
| 1400 | } |
| 1401 | |
Anna Zaks | 9dc298b | 2012-09-12 22:57:34 +0000 | [diff] [blame] | 1402 | // Test realloc with no visible malloc. |
| 1403 | void *test(void *ptr) { |
| 1404 | void *newPtr = realloc(ptr, 4); |
| 1405 | if (newPtr == 0) { |
| 1406 | if (ptr) |
| 1407 | free(ptr); // no-warning |
| 1408 | } |
| 1409 | return newPtr; |
| 1410 | } |
| 1411 | |
Jordan Rose | 84c4845 | 2012-11-15 19:11:27 +0000 | [diff] [blame] | 1412 | |
| 1413 | char *testLeakWithinReturn(char *str) { |
| 1414 | return strdup(strdup(str)); // expected-warning{{leak}} |
| 1415 | } |
| 1416 | |
Anna Zaks | 233e26a | 2013-02-07 23:05:43 +0000 | [diff] [blame] | 1417 | void passConstPtr(const char * ptr); |
| 1418 | |
| 1419 | void testPassConstPointer() { |
| 1420 | char * string = malloc(sizeof(char)*10); |
| 1421 | passConstPtr(string); |
| 1422 | return; // expected-warning {{leak}} |
| 1423 | } |
| 1424 | |
| 1425 | void testPassConstPointerIndirectly() { |
| 1426 | char *p = malloc(1); |
| 1427 | p++; |
| 1428 | memcmp(p, p, sizeof(&p)); |
| 1429 | return; // expected-warning {{leak}} |
| 1430 | } |
| 1431 | |
Anna Zaks | 233e26a | 2013-02-07 23:05:43 +0000 | [diff] [blame] | 1432 | void testPassConstPointerIndirectlyStruct() { |
| 1433 | struct HasPtr hp; |
| 1434 | hp.p = malloc(10); |
| 1435 | memcmp(&hp, &hp, sizeof(hp)); |
Anna Zaks | 68eb4c2 | 2013-04-06 00:41:36 +0000 | [diff] [blame] | 1436 | return; // expected-warning {{Potential leak of memory pointed to by 'hp.p'}} |
Anna Zaks | 233e26a | 2013-02-07 23:05:43 +0000 | [diff] [blame] | 1437 | } |
| 1438 | |
| 1439 | void testPassToSystemHeaderFunctionIndirectlyStruct() { |
| 1440 | SomeStruct ss; |
| 1441 | ss.p = malloc(1); |
Jordan Rose | 374ae32 | 2013-05-10 17:07:16 +0000 | [diff] [blame] | 1442 | fakeSystemHeaderCall(&ss); // invalidates ss, making ss.p unreachable |
| 1443 | // Technically a false negative here -- we know the system function won't free |
| 1444 | // ss.p, but nothing else will either! |
| 1445 | } // no-warning |
| 1446 | |
| 1447 | void testPassToSystemHeaderFunctionIndirectlyStructFree() { |
| 1448 | SomeStruct ss; |
| 1449 | ss.p = malloc(1); |
| 1450 | fakeSystemHeaderCall(&ss); // invalidates ss, making ss.p unreachable |
| 1451 | free(ss.p); |
| 1452 | } // no-warning |
| 1453 | |
| 1454 | void testPassToSystemHeaderFunctionIndirectlyArray() { |
| 1455 | int *p[1]; |
| 1456 | p[0] = malloc(sizeof(int)); |
| 1457 | fakeSystemHeaderCallIntPtr(p); // invalidates p, making p[0] unreachable |
| 1458 | // Technically a false negative here -- we know the system function won't free |
| 1459 | // p[0], but nothing else will either! |
| 1460 | } // no-warning |
| 1461 | |
| 1462 | void testPassToSystemHeaderFunctionIndirectlyArrayFree() { |
| 1463 | int *p[1]; |
| 1464 | p[0] = malloc(sizeof(int)); |
| 1465 | fakeSystemHeaderCallIntPtr(p); // invalidates p, making p[0] unreachable |
| 1466 | free(p[0]); |
| 1467 | } // no-warning |
Anna Zaks | b98c6fe | 2013-02-06 00:01:14 +0000 | [diff] [blame] | 1468 | |
Anna Zaks | 118aa75 | 2013-02-07 23:05:47 +0000 | [diff] [blame] | 1469 | int *testOffsetAllocate(size_t size) { |
| 1470 | int *memoryBlock = (int *)malloc(size + sizeof(int)); |
| 1471 | return &memoryBlock[1]; // no-warning |
| 1472 | } |
| 1473 | |
| 1474 | void testOffsetDeallocate(int *memoryBlock) { |
| 1475 | free(&memoryBlock[-1]); // no-warning |
| 1476 | } |
| 1477 | |
| 1478 | void testOffsetOfRegionFreed() { |
| 1479 | __int64_t * array = malloc(sizeof(__int64_t)*2); |
| 1480 | array += 1; |
| 1481 | free(&array[0]); // expected-warning{{Argument to free() is offset by 8 bytes from the start of memory allocated by malloc()}} |
| 1482 | } |
| 1483 | |
| 1484 | void testOffsetOfRegionFreed2() { |
| 1485 | __int64_t *p = malloc(sizeof(__int64_t)*2); |
| 1486 | p += 1; |
| 1487 | free(p); // expected-warning{{Argument to free() is offset by 8 bytes from the start of memory allocated by malloc()}} |
| 1488 | } |
| 1489 | |
| 1490 | void testOffsetOfRegionFreed3() { |
| 1491 | char *r = malloc(sizeof(char)); |
| 1492 | r = r - 10; |
| 1493 | free(r); // expected-warning {{Argument to free() is offset by -10 bytes from the start of memory allocated by malloc()}} |
| 1494 | } |
| 1495 | |
| 1496 | void testOffsetOfRegionFreedAfterFunctionCall() { |
| 1497 | int *p = malloc(sizeof(int)*2); |
| 1498 | p += 1; |
| 1499 | myfoo(p); |
Anna Zaks | 0413023 | 2013-04-09 00:30:28 +0000 | [diff] [blame] | 1500 | free(p); // expected-warning{{Argument to free() is offset by 4 bytes from the start of memory allocated by malloc()}} |
Anna Zaks | 118aa75 | 2013-02-07 23:05:47 +0000 | [diff] [blame] | 1501 | } |
| 1502 | |
| 1503 | void testFixManipulatedPointerBeforeFree() { |
| 1504 | int * array = malloc(sizeof(int)*2); |
| 1505 | array += 1; |
| 1506 | free(&array[-1]); // no-warning |
| 1507 | } |
| 1508 | |
| 1509 | void testFixManipulatedPointerBeforeFree2() { |
| 1510 | char *r = malloc(sizeof(char)); |
| 1511 | r = r + 10; |
| 1512 | free(r-10); // no-warning |
| 1513 | } |
| 1514 | |
| 1515 | void freeOffsetPointerPassedToFunction() { |
| 1516 | __int64_t *p = malloc(sizeof(__int64_t)*2); |
| 1517 | p[1] = 0; |
| 1518 | p += 1; |
| 1519 | myfooint(*p); // not passing the pointer, only a value pointed by pointer |
| 1520 | free(p); // expected-warning {{Argument to free() is offset by 8 bytes from the start of memory allocated by malloc()}} |
| 1521 | } |
| 1522 | |
| 1523 | int arbitraryInt(); |
| 1524 | void freeUnknownOffsetPointer() { |
| 1525 | char *r = malloc(sizeof(char)); |
| 1526 | r = r + arbitraryInt(); // unable to reason about what the offset might be |
| 1527 | free(r); // no-warning |
| 1528 | } |
| 1529 | |
| 1530 | void testFreeNonMallocPointerWithNoOffset() { |
| 1531 | char c; |
| 1532 | char *r = &c; |
| 1533 | r = r + 10; |
| 1534 | free(r-10); // expected-warning {{Argument to free() is the address of the local variable 'c', which is not memory allocated by malloc()}} |
| 1535 | } |
| 1536 | |
| 1537 | void testFreeNonMallocPointerWithOffset() { |
| 1538 | char c; |
| 1539 | char *r = &c; |
| 1540 | free(r+1); // expected-warning {{Argument to free() is the address of the local variable 'c', which is not memory allocated by malloc()}} |
| 1541 | } |
| 1542 | |
| 1543 | void testOffsetZeroDoubleFree() { |
| 1544 | int *array = malloc(sizeof(int)*2); |
| 1545 | int *p = &array[0]; |
| 1546 | free(p); |
| 1547 | free(&array[0]); // expected-warning{{Attempt to free released memory}} |
| 1548 | } |
| 1549 | |
| 1550 | void testOffsetPassedToStrlen() { |
| 1551 | char * string = malloc(sizeof(char)*10); |
| 1552 | string += 1; |
Anna Zaks | 68eb4c2 | 2013-04-06 00:41:36 +0000 | [diff] [blame] | 1553 | int length = strlen(string); // expected-warning {{Potential leak of memory pointed to by 'string'}} |
Anna Zaks | 118aa75 | 2013-02-07 23:05:47 +0000 | [diff] [blame] | 1554 | } |
| 1555 | |
| 1556 | void testOffsetPassedToStrlenThenFree() { |
| 1557 | char * string = malloc(sizeof(char)*10); |
| 1558 | string += 1; |
| 1559 | int length = strlen(string); |
| 1560 | free(string); // expected-warning {{Argument to free() is offset by 1 byte from the start of memory allocated by malloc()}} |
| 1561 | } |
| 1562 | |
| 1563 | void testOffsetPassedAsConst() { |
| 1564 | char * string = malloc(sizeof(char)*10); |
| 1565 | string += 1; |
| 1566 | passConstPtr(string); |
| 1567 | free(string); // expected-warning {{Argument to free() is offset by 1 byte from the start of memory allocated by malloc()}} |
| 1568 | } |
Anna Zaks | b98c6fe | 2013-02-06 00:01:14 +0000 | [diff] [blame] | 1569 | |
Anna Zaks | 74c0d69 | 2013-03-15 23:34:29 +0000 | [diff] [blame] | 1570 | char **_vectorSegments; |
| 1571 | int _nVectorSegments; |
| 1572 | |
| 1573 | void poolFreeC(void* s) { |
| 1574 | free(s); // no-warning |
| 1575 | } |
| 1576 | void freeMemory() { |
| 1577 | while (_nVectorSegments) { |
| 1578 | poolFreeC(_vectorSegments[_nVectorSegments++]); |
| 1579 | } |
| 1580 | } |
Jordan Rose | 74f6982 | 2013-03-20 20:35:57 +0000 | [diff] [blame] | 1581 | |
Jordan Rose | 68502e5 | 2013-08-15 17:22:06 +0000 | [diff] [blame] | 1582 | // PR16730 |
| 1583 | void testReallocEscaped(void **memory) { |
| 1584 | *memory = malloc(47); |
| 1585 | char *new_memory = realloc(*memory, 47); |
| 1586 | if (new_memory != 0) { |
| 1587 | *memory = new_memory; |
| 1588 | } |
| 1589 | } |
| 1590 | |
Jordan Rose | a728e92 | 2013-08-19 16:27:34 +0000 | [diff] [blame] | 1591 | // PR16558 |
| 1592 | void *smallocNoWarn(size_t size) { |
| 1593 | if (size == 0) { |
| 1594 | return malloc(1); // this branch is never called |
| 1595 | } |
| 1596 | else { |
| 1597 | return malloc(size); |
| 1598 | } |
| 1599 | } |
| 1600 | |
| 1601 | char *dupstrNoWarn(const char *s) { |
| 1602 | const int len = strlen(s); |
| 1603 | char *p = (char*) smallocNoWarn(len + 1); |
| 1604 | strcpy(p, s); // no-warning |
| 1605 | return p; |
| 1606 | } |
| 1607 | |
| 1608 | void *smallocWarn(size_t size) { |
| 1609 | if (size == 2) { |
| 1610 | return malloc(1); |
| 1611 | } |
| 1612 | else { |
| 1613 | return malloc(size); |
| 1614 | } |
| 1615 | } |
| 1616 | |
| 1617 | char *dupstrWarn(const char *s) { |
| 1618 | const int len = strlen(s); |
| 1619 | char *p = (char*) smallocWarn(len + 1); |
| 1620 | strcpy(p, s); // expected-warning{{String copy function overflows destination buffer}} |
| 1621 | return p; |
| 1622 | } |
Jordan Rose | 68502e5 | 2013-08-15 17:22:06 +0000 | [diff] [blame] | 1623 | |
Bill Wendling | 6df32e2 | 2013-12-09 18:37:20 +0000 | [diff] [blame] | 1624 | int *radar15580979() { |
| 1625 | int *data = (int *)malloc(32); |
| 1626 | int *p = data ?: (int*)malloc(32); // no warning |
| 1627 | return p; |
| 1628 | } |
| 1629 | |
Jordan Rose | 74f6982 | 2013-03-20 20:35:57 +0000 | [diff] [blame] | 1630 | // ---------------------------------------------------------------------------- |
| 1631 | // False negatives. |
| 1632 | |
| 1633 | void testMallocWithParam(int **p) { |
| 1634 | *p = (int*) malloc(sizeof(int)); |
| 1635 | *p = 0; // FIXME: should warn here |
| 1636 | } |
| 1637 | |
| 1638 | void testMallocWithParam_2(int **p) { |
| 1639 | *p = (int*) malloc(sizeof(int)); // no-warning |
| 1640 | } |
Jordan Rose | 374ae32 | 2013-05-10 17:07:16 +0000 | [diff] [blame] | 1641 | |
| 1642 | void testPassToSystemHeaderFunctionIndirectly() { |
| 1643 | int *p = malloc(4); |
| 1644 | p++; |
| 1645 | fakeSystemHeaderCallInt(p); |
| 1646 | // FIXME: This is a leak: if we think a system function won't free p, it |
| 1647 | // won't free (p-1) either. |
| 1648 | } |