Anna Zaks | adccc3f | 2012-06-08 00:04:40 +0000 | [diff] [blame] | 1 | // RUN: %clang_cc1 -analyze -analyzer-checker=core,experimental.deadcode.UnreachableCode,experimental.core.CastSize,unix.Malloc,debug.ExprInspection -analyzer-store=region -verify %s |
Anna Zaks | 15d0ae1 | 2012-02-11 23:46:36 +0000 | [diff] [blame] | 2 | #include "system-header-simulator.h" |
| 3 | |
Anna Zaks | adccc3f | 2012-06-08 00:04:40 +0000 | [diff] [blame] | 4 | void clang_analyzer_eval(int); |
| 5 | |
Eli Friedman | 2f00552 | 2009-11-14 04:23:25 +0000 | [diff] [blame] | 6 | typedef __typeof(sizeof(int)) size_t; |
Ted Kremenek | c360775 | 2009-11-13 20:03:22 +0000 | [diff] [blame] | 7 | void *malloc(size_t); |
Anna Zaks | b16ce45 | 2012-02-15 00:11:22 +0000 | [diff] [blame] | 8 | void *valloc(size_t); |
Ted Kremenek | c360775 | 2009-11-13 20:03:22 +0000 | [diff] [blame] | 9 | void free(void *); |
Zhongxing Xu | d9c84c8 | 2009-12-12 12:29:38 +0000 | [diff] [blame] | 10 | void *realloc(void *ptr, size_t size); |
Anna Zaks | 40add29 | 2012-02-15 00:11:25 +0000 | [diff] [blame] | 11 | void *reallocf(void *ptr, size_t size); |
Zhongxing Xu | d9c84c8 | 2009-12-12 12:29:38 +0000 | [diff] [blame] | 12 | void *calloc(size_t nmemb, size_t size); |
Anna Zaks | 1434518 | 2012-05-18 01:16:10 +0000 | [diff] [blame] | 13 | char *strdup(const char *s); |
| 14 | char *strndup(const char *s, size_t n); |
Ted Kremenek | dd0e490 | 2010-07-31 01:52:11 +0000 | [diff] [blame] | 15 | |
Anna Zaks | 91c2a11 | 2012-02-08 23:16:56 +0000 | [diff] [blame] | 16 | void myfoo(int *p); |
| 17 | void myfooint(int p); |
Anna Zaks | ebc1d32 | 2012-02-15 00:11:28 +0000 | [diff] [blame] | 18 | char *fooRetPtr(); |
Zhongxing Xu | fc7ac8f | 2009-11-13 07:48:11 +0000 | [diff] [blame] | 19 | |
| 20 | void f1() { |
Zhongxing Xu | ab28099 | 2010-05-25 04:59:19 +0000 | [diff] [blame] | 21 | int *p = malloc(12); |
Anna Zaks | 3d7c44e | 2012-03-21 19:45:08 +0000 | [diff] [blame] | 22 | return; // expected-warning{{Memory is never released; potential leak}} |
Zhongxing Xu | fc7ac8f | 2009-11-13 07:48:11 +0000 | [diff] [blame] | 23 | } |
| 24 | |
Zhongxing Xu | fc7ac8f | 2009-11-13 07:48:11 +0000 | [diff] [blame] | 25 | void f2() { |
Zhongxing Xu | ab28099 | 2010-05-25 04:59:19 +0000 | [diff] [blame] | 26 | int *p = malloc(12); |
Zhongxing Xu | fc7ac8f | 2009-11-13 07:48:11 +0000 | [diff] [blame] | 27 | free(p); |
Anna Zaks | febdc32 | 2012-02-16 22:26:12 +0000 | [diff] [blame] | 28 | free(p); // expected-warning{{Attempt to free released memory}} |
Zhongxing Xu | fc7ac8f | 2009-11-13 07:48:11 +0000 | [diff] [blame] | 29 | } |
Ted Kremenek | c764d4b | 2009-11-13 20:00:28 +0000 | [diff] [blame] | 30 | |
Lenny Maiorani | 4d8d803 | 2011-04-27 14:49:29 +0000 | [diff] [blame] | 31 | void f2_realloc_0() { |
| 32 | int *p = malloc(12); |
| 33 | realloc(p,0); |
Anna Zaks | febdc32 | 2012-02-16 22:26:12 +0000 | [diff] [blame] | 34 | realloc(p,0); // expected-warning{{Attempt to free released memory}} |
Lenny Maiorani | 4d8d803 | 2011-04-27 14:49:29 +0000 | [diff] [blame] | 35 | } |
| 36 | |
| 37 | void f2_realloc_1() { |
| 38 | int *p = malloc(12); |
Zhongxing Xu | d56763f | 2011-09-01 04:53:59 +0000 | [diff] [blame] | 39 | int *q = realloc(p,0); // no-warning |
Lenny Maiorani | 4d8d803 | 2011-04-27 14:49:29 +0000 | [diff] [blame] | 40 | } |
| 41 | |
Anna Zaks | c8bb3be | 2012-02-13 18:05:39 +0000 | [diff] [blame] | 42 | void reallocNotNullPtr(unsigned sizeIn) { |
| 43 | unsigned size = 12; |
| 44 | char *p = (char*)malloc(size); |
| 45 | if (p) { |
| 46 | char *q = (char*)realloc(p, sizeIn); |
Anna Zaks | 3d7c44e | 2012-03-21 19:45:08 +0000 | [diff] [blame] | 47 | char x = *q; // expected-warning {{Memory is never released; potential leak}} |
Anna Zaks | c8bb3be | 2012-02-13 18:05:39 +0000 | [diff] [blame] | 48 | } |
| 49 | } |
| 50 | |
| 51 | int *realloctest1() { |
| 52 | int *q = malloc(12); |
| 53 | q = realloc(q, 20); |
| 54 | return q; // no warning - returning the allocated value |
| 55 | } |
| 56 | |
| 57 | // p should be freed if realloc fails. |
| 58 | void reallocFails() { |
| 59 | char *p = malloc(12); |
| 60 | char *r = realloc(p, 12+1); |
| 61 | if (!r) { |
| 62 | free(p); |
| 63 | } else { |
| 64 | free(r); |
| 65 | } |
| 66 | } |
| 67 | |
Anna Zaks | 30838b9 | 2012-02-13 20:57:07 +0000 | [diff] [blame] | 68 | void reallocSizeZero1() { |
| 69 | char *p = malloc(12); |
| 70 | char *r = realloc(p, 0); |
| 71 | if (!r) { |
| 72 | free(p); |
| 73 | } else { |
| 74 | free(r); |
| 75 | } |
| 76 | } |
| 77 | |
| 78 | void reallocSizeZero2() { |
| 79 | char *p = malloc(12); |
| 80 | char *r = realloc(p, 0); |
| 81 | if (!r) { |
| 82 | free(p); |
| 83 | } else { |
| 84 | free(r); |
| 85 | } |
Anna Zaks | febdc32 | 2012-02-16 22:26:12 +0000 | [diff] [blame] | 86 | free(p); // expected-warning {{Attempt to free released memory}} |
Anna Zaks | 30838b9 | 2012-02-13 20:57:07 +0000 | [diff] [blame] | 87 | } |
| 88 | |
| 89 | void reallocSizeZero3() { |
| 90 | char *p = malloc(12); |
| 91 | char *r = realloc(p, 0); |
| 92 | free(r); |
| 93 | } |
| 94 | |
| 95 | void reallocSizeZero4() { |
| 96 | char *r = realloc(0, 0); |
| 97 | free(r); |
| 98 | } |
| 99 | |
| 100 | void reallocSizeZero5() { |
| 101 | char *r = realloc(0, 0); |
| 102 | } |
| 103 | |
| 104 | void reallocPtrZero1() { |
Anna Zaks | 3d7c44e | 2012-03-21 19:45:08 +0000 | [diff] [blame] | 105 | char *r = realloc(0, 12); // expected-warning {{Memory is never released; potential leak}} |
Anna Zaks | 30838b9 | 2012-02-13 20:57:07 +0000 | [diff] [blame] | 106 | } |
| 107 | |
| 108 | void reallocPtrZero2() { |
| 109 | char *r = realloc(0, 12); |
| 110 | if (r) |
| 111 | free(r); |
| 112 | } |
| 113 | |
| 114 | void reallocPtrZero3() { |
| 115 | char *r = realloc(0, 12); |
| 116 | free(r); |
| 117 | } |
| 118 | |
Anna Zaks | b276bd9 | 2012-02-14 00:26:13 +0000 | [diff] [blame] | 119 | void reallocRadar6337483_1() { |
| 120 | char *buf = malloc(100); |
| 121 | buf = (char*)realloc(buf, 0x1000000); |
| 122 | if (!buf) { |
Anna Zaks | 3d7c44e | 2012-03-21 19:45:08 +0000 | [diff] [blame] | 123 | return;// expected-warning {{Memory is never released; potential leak}} |
Anna Zaks | b276bd9 | 2012-02-14 00:26:13 +0000 | [diff] [blame] | 124 | } |
| 125 | free(buf); |
| 126 | } |
| 127 | |
| 128 | void reallocRadar6337483_2() { |
| 129 | char *buf = malloc(100); |
| 130 | char *buf2 = (char*)realloc(buf, 0x1000000); |
Anna Zaks | 3d7c44e | 2012-03-21 19:45:08 +0000 | [diff] [blame] | 131 | if (!buf2) { // expected-warning {{Memory is never released; potential leak}} |
Anna Zaks | b276bd9 | 2012-02-14 00:26:13 +0000 | [diff] [blame] | 132 | ; |
| 133 | } else { |
| 134 | free(buf2); |
| 135 | } |
| 136 | } |
| 137 | |
| 138 | void reallocRadar6337483_3() { |
| 139 | char * buf = malloc(100); |
| 140 | char * tmp; |
| 141 | tmp = (char*)realloc(buf, 0x1000000); |
| 142 | if (!tmp) { |
| 143 | free(buf); |
| 144 | return; |
| 145 | } |
| 146 | buf = tmp; |
| 147 | free(buf); |
| 148 | } |
| 149 | |
| 150 | void reallocRadar6337483_4() { |
| 151 | char *buf = malloc(100); |
| 152 | char *buf2 = (char*)realloc(buf, 0x1000000); |
| 153 | if (!buf2) { |
Anna Zaks | 3d7c44e | 2012-03-21 19:45:08 +0000 | [diff] [blame] | 154 | return; // expected-warning {{Memory is never released; potential leak}} |
Anna Zaks | b276bd9 | 2012-02-14 00:26:13 +0000 | [diff] [blame] | 155 | } else { |
| 156 | free(buf2); |
| 157 | } |
| 158 | } |
| 159 | |
Anna Zaks | 40add29 | 2012-02-15 00:11:25 +0000 | [diff] [blame] | 160 | int *reallocfTest1() { |
| 161 | int *q = malloc(12); |
| 162 | q = reallocf(q, 20); |
| 163 | return q; // no warning - returning the allocated value |
| 164 | } |
| 165 | |
| 166 | void reallocfRadar6337483_4() { |
| 167 | char *buf = malloc(100); |
| 168 | char *buf2 = (char*)reallocf(buf, 0x1000000); |
| 169 | if (!buf2) { |
| 170 | return; // no warning - reallocf frees even on failure |
| 171 | } else { |
| 172 | free(buf2); |
| 173 | } |
| 174 | } |
| 175 | |
| 176 | void reallocfRadar6337483_3() { |
| 177 | char * buf = malloc(100); |
| 178 | char * tmp; |
| 179 | tmp = (char*)reallocf(buf, 0x1000000); |
| 180 | if (!tmp) { |
Anna Zaks | febdc32 | 2012-02-16 22:26:12 +0000 | [diff] [blame] | 181 | free(buf); // expected-warning {{Attempt to free released memory}} |
Anna Zaks | 40add29 | 2012-02-15 00:11:25 +0000 | [diff] [blame] | 182 | return; |
| 183 | } |
| 184 | buf = tmp; |
| 185 | free(buf); |
| 186 | } |
| 187 | |
| 188 | void reallocfPtrZero1() { |
Anna Zaks | 3d7c44e | 2012-03-21 19:45:08 +0000 | [diff] [blame] | 189 | char *r = reallocf(0, 12); // expected-warning {{Memory is never released; potential leak}} |
Anna Zaks | 40add29 | 2012-02-15 00:11:25 +0000 | [diff] [blame] | 190 | } |
| 191 | |
| 192 | |
Zhongxing Xu | 243fde9 | 2009-11-17 07:54:15 +0000 | [diff] [blame] | 193 | // This case tests that storing malloc'ed memory to a static variable which is |
| 194 | // then returned is not leaked. In the absence of known contracts for functions |
| 195 | // or inter-procedural analysis, this is a conservative answer. |
Ted Kremenek | c764d4b | 2009-11-13 20:00:28 +0000 | [diff] [blame] | 196 | int *f3() { |
| 197 | static int *p = 0; |
Zhongxing Xu | ab28099 | 2010-05-25 04:59:19 +0000 | [diff] [blame] | 198 | p = malloc(12); |
Zhongxing Xu | 4985e3e | 2009-11-17 08:58:18 +0000 | [diff] [blame] | 199 | return p; // no-warning |
Ted Kremenek | c764d4b | 2009-11-13 20:00:28 +0000 | [diff] [blame] | 200 | } |
| 201 | |
Zhongxing Xu | 243fde9 | 2009-11-17 07:54:15 +0000 | [diff] [blame] | 202 | // This case tests that storing malloc'ed memory to a static global variable |
| 203 | // which is then returned is not leaked. In the absence of known contracts for |
| 204 | // functions or inter-procedural analysis, this is a conservative answer. |
Ted Kremenek | c764d4b | 2009-11-13 20:00:28 +0000 | [diff] [blame] | 205 | static int *p_f4 = 0; |
| 206 | int *f4() { |
Zhongxing Xu | ab28099 | 2010-05-25 04:59:19 +0000 | [diff] [blame] | 207 | p_f4 = malloc(12); |
Zhongxing Xu | 4985e3e | 2009-11-17 08:58:18 +0000 | [diff] [blame] | 208 | return p_f4; // no-warning |
Ted Kremenek | c764d4b | 2009-11-13 20:00:28 +0000 | [diff] [blame] | 209 | } |
Zhongxing Xu | d9c84c8 | 2009-12-12 12:29:38 +0000 | [diff] [blame] | 210 | |
| 211 | int *f5() { |
Zhongxing Xu | ab28099 | 2010-05-25 04:59:19 +0000 | [diff] [blame] | 212 | int *q = malloc(12); |
Zhongxing Xu | d9c84c8 | 2009-12-12 12:29:38 +0000 | [diff] [blame] | 213 | q = realloc(q, 20); |
| 214 | return q; // no-warning |
| 215 | } |
Zhongxing Xu | b94b81a | 2009-12-31 06:13:07 +0000 | [diff] [blame] | 216 | |
| 217 | void f6() { |
Zhongxing Xu | ab28099 | 2010-05-25 04:59:19 +0000 | [diff] [blame] | 218 | int *p = malloc(12); |
Zhongxing Xu | b94b81a | 2009-12-31 06:13:07 +0000 | [diff] [blame] | 219 | if (!p) |
| 220 | return; // no-warning |
| 221 | else |
| 222 | free(p); |
| 223 | } |
Zhongxing Xu | 425c7ed | 2010-01-18 04:01:40 +0000 | [diff] [blame] | 224 | |
Lenny Maiorani | 4d8d803 | 2011-04-27 14:49:29 +0000 | [diff] [blame] | 225 | void f6_realloc() { |
| 226 | int *p = malloc(12); |
| 227 | if (!p) |
| 228 | return; // no-warning |
| 229 | else |
| 230 | realloc(p,0); |
| 231 | } |
| 232 | |
| 233 | |
Zhongxing Xu | 425c7ed | 2010-01-18 04:01:40 +0000 | [diff] [blame] | 234 | char *doit2(); |
| 235 | void pr6069() { |
| 236 | char *buf = doit2(); |
| 237 | free(buf); |
| 238 | } |
Zhongxing Xu | 181cc3d | 2010-02-14 06:49:48 +0000 | [diff] [blame] | 239 | |
| 240 | void pr6293() { |
| 241 | free(0); |
| 242 | } |
Zhongxing Xu | c802378 | 2010-03-10 04:58:55 +0000 | [diff] [blame] | 243 | |
| 244 | void f7() { |
| 245 | char *x = (char*) malloc(4); |
| 246 | free(x); |
Anna Zaks | febdc32 | 2012-02-16 22:26:12 +0000 | [diff] [blame] | 247 | x[0] = 'a'; // expected-warning{{Use of memory after it is freed}} |
Zhongxing Xu | c802378 | 2010-03-10 04:58:55 +0000 | [diff] [blame] | 248 | } |
Zhongxing Xu | ab28099 | 2010-05-25 04:59:19 +0000 | [diff] [blame] | 249 | |
Anna Zaks | 1434518 | 2012-05-18 01:16:10 +0000 | [diff] [blame] | 250 | void f8() { |
| 251 | char *x = (char*) malloc(4); |
| 252 | free(x); |
| 253 | char *y = strndup(x, 4); // expected-warning{{Use of memory after it is freed}} |
| 254 | } |
| 255 | |
Lenny Maiorani | 4d8d803 | 2011-04-27 14:49:29 +0000 | [diff] [blame] | 256 | void f7_realloc() { |
| 257 | char *x = (char*) malloc(4); |
| 258 | realloc(x,0); |
Anna Zaks | febdc32 | 2012-02-16 22:26:12 +0000 | [diff] [blame] | 259 | x[0] = 'a'; // expected-warning{{Use of memory after it is freed}} |
Lenny Maiorani | 4d8d803 | 2011-04-27 14:49:29 +0000 | [diff] [blame] | 260 | } |
| 261 | |
Zhongxing Xu | ab28099 | 2010-05-25 04:59:19 +0000 | [diff] [blame] | 262 | void PR6123() { |
| 263 | int *x = malloc(11); // expected-warning{{Cast a region whose size is not a multiple of the destination type size.}} |
| 264 | } |
| 265 | |
| 266 | void PR7217() { |
| 267 | int *buf = malloc(2); // expected-warning{{Cast a region whose size is not a multiple of the destination type size.}} |
| 268 | buf[1] = 'c'; // not crash |
Zhongxing Xu | ab28099 | 2010-05-25 04:59:19 +0000 | [diff] [blame] | 269 | } |
Jordy Rose | c580f2e | 2010-06-20 04:30:57 +0000 | [diff] [blame] | 270 | |
| 271 | void mallocCastToVoid() { |
| 272 | void *p = malloc(2); |
| 273 | const void *cp = p; // not crash |
| 274 | free(p); |
| 275 | } |
| 276 | |
| 277 | void mallocCastToFP() { |
| 278 | void *p = malloc(2); |
| 279 | void (*fp)() = p; // not crash |
| 280 | free(p); |
| 281 | } |
| 282 | |
Zhongxing Xu | a5ce966 | 2010-06-01 03:01:33 +0000 | [diff] [blame] | 283 | // This tests that malloc() buffers are undefined by default |
| 284 | char mallocGarbage () { |
| 285 | char *buf = malloc(2); |
| 286 | char result = buf[1]; // expected-warning{{undefined}} |
| 287 | free(buf); |
| 288 | return result; |
| 289 | } |
| 290 | |
| 291 | // This tests that calloc() buffers need to be freed |
| 292 | void callocNoFree () { |
| 293 | char *buf = calloc(2,2); |
| 294 | return; // expected-warning{{never released}} |
| 295 | } |
| 296 | |
| 297 | // These test that calloc() buffers are zeroed by default |
| 298 | char callocZeroesGood () { |
| 299 | char *buf = calloc(2,2); |
| 300 | char result = buf[3]; // no-warning |
| 301 | if (buf[1] == 0) { |
| 302 | free(buf); |
| 303 | } |
| 304 | return result; // no-warning |
| 305 | } |
| 306 | |
| 307 | char callocZeroesBad () { |
| 308 | char *buf = calloc(2,2); |
| 309 | char result = buf[3]; // no-warning |
| 310 | if (buf[1] != 0) { |
Tom Care | c4b5bd8 | 2010-07-23 23:04:53 +0000 | [diff] [blame] | 311 | free(buf); // expected-warning{{never executed}} |
Zhongxing Xu | a5ce966 | 2010-06-01 03:01:33 +0000 | [diff] [blame] | 312 | } |
| 313 | return result; // expected-warning{{never released}} |
| 314 | } |
Anna Zaks | 91c2a11 | 2012-02-08 23:16:56 +0000 | [diff] [blame] | 315 | |
| 316 | void nullFree() { |
| 317 | int *p = 0; |
| 318 | free(p); // no warning - a nop |
| 319 | } |
| 320 | |
| 321 | void paramFree(int *p) { |
| 322 | myfoo(p); |
| 323 | free(p); // no warning |
| 324 | myfoo(p); // TODO: This should be a warning. |
| 325 | } |
| 326 | |
| 327 | int* mallocEscapeRet() { |
| 328 | int *p = malloc(12); |
| 329 | return p; // no warning |
| 330 | } |
| 331 | |
| 332 | void mallocEscapeFoo() { |
| 333 | int *p = malloc(12); |
| 334 | myfoo(p); |
| 335 | return; // no warning |
| 336 | } |
| 337 | |
| 338 | void mallocEscapeFree() { |
| 339 | int *p = malloc(12); |
| 340 | myfoo(p); |
| 341 | free(p); |
| 342 | } |
| 343 | |
| 344 | void mallocEscapeFreeFree() { |
| 345 | int *p = malloc(12); |
| 346 | myfoo(p); |
| 347 | free(p); |
Anna Zaks | febdc32 | 2012-02-16 22:26:12 +0000 | [diff] [blame] | 348 | free(p); // expected-warning{{Attempt to free released memory}} |
Anna Zaks | 91c2a11 | 2012-02-08 23:16:56 +0000 | [diff] [blame] | 349 | } |
| 350 | |
| 351 | void mallocEscapeFreeUse() { |
| 352 | int *p = malloc(12); |
| 353 | myfoo(p); |
| 354 | free(p); |
Anna Zaks | febdc32 | 2012-02-16 22:26:12 +0000 | [diff] [blame] | 355 | myfoo(p); // expected-warning{{Use of memory after it is freed}} |
Anna Zaks | 91c2a11 | 2012-02-08 23:16:56 +0000 | [diff] [blame] | 356 | } |
| 357 | |
| 358 | int *myalloc(); |
| 359 | void myalloc2(int **p); |
| 360 | |
| 361 | void mallocEscapeFreeCustomAlloc() { |
| 362 | int *p = malloc(12); |
| 363 | myfoo(p); |
| 364 | free(p); |
| 365 | p = myalloc(); |
| 366 | free(p); // no warning |
| 367 | } |
| 368 | |
| 369 | void mallocEscapeFreeCustomAlloc2() { |
| 370 | int *p = malloc(12); |
| 371 | myfoo(p); |
| 372 | free(p); |
| 373 | myalloc2(&p); |
| 374 | free(p); // no warning |
| 375 | } |
| 376 | |
| 377 | void mallocBindFreeUse() { |
| 378 | int *x = malloc(12); |
| 379 | int *y = x; |
| 380 | free(y); |
Anna Zaks | febdc32 | 2012-02-16 22:26:12 +0000 | [diff] [blame] | 381 | myfoo(x); // expected-warning{{Use of memory after it is freed}} |
Anna Zaks | 91c2a11 | 2012-02-08 23:16:56 +0000 | [diff] [blame] | 382 | } |
| 383 | |
| 384 | void mallocEscapeMalloc() { |
| 385 | int *p = malloc(12); |
| 386 | myfoo(p); |
Anna Zaks | 3d7c44e | 2012-03-21 19:45:08 +0000 | [diff] [blame] | 387 | p = malloc(12); // expected-warning{{Memory is never released; potential leak}} |
Anna Zaks | 91c2a11 | 2012-02-08 23:16:56 +0000 | [diff] [blame] | 388 | } |
| 389 | |
| 390 | void mallocMalloc() { |
| 391 | int *p = malloc(12); |
Anna Zaks | 3d7c44e | 2012-03-21 19:45:08 +0000 | [diff] [blame] | 392 | p = malloc(12); // expected-warning 2 {{Memory is never released; potential leak}} |
Anna Zaks | 91c2a11 | 2012-02-08 23:16:56 +0000 | [diff] [blame] | 393 | } |
| 394 | |
| 395 | void mallocFreeMalloc() { |
| 396 | int *p = malloc(12); |
| 397 | free(p); |
| 398 | p = malloc(12); |
| 399 | free(p); |
| 400 | } |
| 401 | |
Anna Zaks | cdfec5e | 2012-02-09 06:25:47 +0000 | [diff] [blame] | 402 | void mallocFreeUse_params() { |
Anna Zaks | 91c2a11 | 2012-02-08 23:16:56 +0000 | [diff] [blame] | 403 | int *p = malloc(12); |
| 404 | free(p); |
Anna Zaks | febdc32 | 2012-02-16 22:26:12 +0000 | [diff] [blame] | 405 | myfoo(p); //expected-warning{{Use of memory after it is freed}} |
Anna Zaks | 15d0ae1 | 2012-02-11 23:46:36 +0000 | [diff] [blame] | 406 | } |
| 407 | |
| 408 | void mallocFreeUse_params2() { |
| 409 | int *p = malloc(12); |
| 410 | free(p); |
Anna Zaks | febdc32 | 2012-02-16 22:26:12 +0000 | [diff] [blame] | 411 | myfooint(*p); //expected-warning{{Use of memory after it is freed}} |
Anna Zaks | 91c2a11 | 2012-02-08 23:16:56 +0000 | [diff] [blame] | 412 | } |
| 413 | |
Anna Zaks | ff3b9fd | 2012-02-09 06:25:51 +0000 | [diff] [blame] | 414 | void mallocFailedOrNot() { |
| 415 | int *p = malloc(12); |
| 416 | if (!p) |
| 417 | free(p); |
| 418 | else |
| 419 | free(p); |
| 420 | } |
| 421 | |
Anna Zaks | e9ef562 | 2012-02-10 01:11:00 +0000 | [diff] [blame] | 422 | struct StructWithInt { |
| 423 | int g; |
| 424 | }; |
Anna Zaks | 0860cd0 | 2012-02-11 21:44:39 +0000 | [diff] [blame] | 425 | |
| 426 | int *mallocReturnFreed() { |
| 427 | int *p = malloc(12); |
| 428 | free(p); |
Anna Zaks | febdc32 | 2012-02-16 22:26:12 +0000 | [diff] [blame] | 429 | return p; // expected-warning {{Use of memory after it is freed}} |
Anna Zaks | 0860cd0 | 2012-02-11 21:44:39 +0000 | [diff] [blame] | 430 | } |
| 431 | |
| 432 | int useAfterFreeStruct() { |
| 433 | struct StructWithInt *px= malloc(sizeof(struct StructWithInt)); |
| 434 | px->g = 5; |
| 435 | free(px); |
Anna Zaks | febdc32 | 2012-02-16 22:26:12 +0000 | [diff] [blame] | 436 | return px->g; // expected-warning {{Use of memory after it is freed}} |
Anna Zaks | 0860cd0 | 2012-02-11 21:44:39 +0000 | [diff] [blame] | 437 | } |
| 438 | |
Anna Zaks | e9ef562 | 2012-02-10 01:11:00 +0000 | [diff] [blame] | 439 | void nonSymbolAsFirstArg(int *pp, struct StructWithInt *p); |
| 440 | |
| 441 | void mallocEscapeFooNonSymbolArg() { |
| 442 | struct StructWithInt *p = malloc(sizeof(struct StructWithInt)); |
| 443 | nonSymbolAsFirstArg(&p->g, p); |
| 444 | return; // no warning |
| 445 | } |
| 446 | |
Anna Zaks | 4fb5487 | 2012-02-11 21:02:35 +0000 | [diff] [blame] | 447 | void mallocFailedOrNotLeak() { |
| 448 | int *p = malloc(12); |
| 449 | if (p == 0) |
| 450 | return; // no warning |
| 451 | else |
Anna Zaks | 3d7c44e | 2012-03-21 19:45:08 +0000 | [diff] [blame] | 452 | return; // expected-warning {{Memory is never released; potential leak}} |
Anna Zaks | 4fb5487 | 2012-02-11 21:02:35 +0000 | [diff] [blame] | 453 | } |
Anna Zaks | e9ef562 | 2012-02-10 01:11:00 +0000 | [diff] [blame] | 454 | |
Anna Zaks | ebc1d32 | 2012-02-15 00:11:28 +0000 | [diff] [blame] | 455 | void mallocAssignment() { |
| 456 | char *p = malloc(12); |
| 457 | p = fooRetPtr(); // expected-warning {{leak}} |
| 458 | } |
| 459 | |
Anna Zaks | b16ce45 | 2012-02-15 00:11:22 +0000 | [diff] [blame] | 460 | int vallocTest() { |
| 461 | char *mem = valloc(12); |
Anna Zaks | 3d7c44e | 2012-03-21 19:45:08 +0000 | [diff] [blame] | 462 | return 0; // expected-warning {{Memory is never released; potential leak}} |
Anna Zaks | b16ce45 | 2012-02-15 00:11:22 +0000 | [diff] [blame] | 463 | } |
| 464 | |
| 465 | void vallocEscapeFreeUse() { |
| 466 | int *p = valloc(12); |
| 467 | myfoo(p); |
| 468 | free(p); |
Anna Zaks | febdc32 | 2012-02-16 22:26:12 +0000 | [diff] [blame] | 469 | myfoo(p); // expected-warning{{Use of memory after it is freed}} |
Anna Zaks | b16ce45 | 2012-02-15 00:11:22 +0000 | [diff] [blame] | 470 | } |
| 471 | |
Anna Zaks | cdfec5e | 2012-02-09 06:25:47 +0000 | [diff] [blame] | 472 | int *Gl; |
| 473 | struct GlStTy { |
| 474 | int *x; |
| 475 | }; |
| 476 | |
| 477 | struct GlStTy GlS = {0}; |
| 478 | |
| 479 | void GlobalFree() { |
| 480 | free(Gl); |
| 481 | } |
| 482 | |
| 483 | void GlobalMalloc() { |
| 484 | Gl = malloc(12); |
| 485 | } |
| 486 | |
| 487 | void GlobalStructMalloc() { |
| 488 | int *a = malloc(12); |
| 489 | GlS.x = a; |
| 490 | } |
| 491 | |
| 492 | void GlobalStructMallocFree() { |
| 493 | int *a = malloc(12); |
| 494 | GlS.x = a; |
| 495 | free(GlS.x); |
| 496 | } |
Anna Zaks | f8b1c31 | 2012-02-10 01:11:03 +0000 | [diff] [blame] | 497 | |
Anna Zaks | ad901a6 | 2012-02-16 22:26:15 +0000 | [diff] [blame] | 498 | char *ArrayG[12]; |
| 499 | |
| 500 | void globalArrayTest() { |
| 501 | char *p = (char*)malloc(12); |
| 502 | ArrayG[0] = p; |
| 503 | } |
| 504 | |
Anna Zaks | ac59300 | 2012-02-16 03:40:57 +0000 | [diff] [blame] | 505 | // Make sure that we properly handle a pointer stored into a local struct/array. |
| 506 | typedef struct _StructWithPtr { |
| 507 | int *memP; |
| 508 | } StructWithPtr; |
| 509 | |
| 510 | static StructWithPtr arrOfStructs[10]; |
| 511 | |
| 512 | void testMalloc() { |
| 513 | int *x = malloc(12); |
| 514 | StructWithPtr St; |
| 515 | St.memP = x; |
| 516 | arrOfStructs[0] = St; |
| 517 | } |
| 518 | |
| 519 | StructWithPtr testMalloc2() { |
| 520 | int *x = malloc(12); |
| 521 | StructWithPtr St; |
| 522 | St.memP = x; |
| 523 | return St; |
| 524 | } |
| 525 | |
| 526 | int *testMalloc3() { |
| 527 | int *x = malloc(12); |
| 528 | int *y = x; |
| 529 | return y; |
| 530 | } |
| 531 | |
Anna Zaks | d8a8a3b | 2012-02-17 22:35:34 +0000 | [diff] [blame] | 532 | void testElemRegion1() { |
| 533 | char *x = (void*)malloc(2); |
| 534 | int *ix = (int*)x; |
| 535 | free(&(x[0])); |
| 536 | } |
| 537 | |
| 538 | void testElemRegion2(int **pp) { |
| 539 | int *p = malloc(12); |
| 540 | *pp = p; |
| 541 | free(pp[0]); |
| 542 | } |
| 543 | |
| 544 | void testElemRegion3(int **pp) { |
| 545 | int *p = malloc(12); |
| 546 | *pp = p; |
| 547 | free(*pp); |
| 548 | } |
Anna Zaks | 4fb5487 | 2012-02-11 21:02:35 +0000 | [diff] [blame] | 549 | // Region escape testing. |
| 550 | |
| 551 | unsigned takePtrToPtr(int **p); |
| 552 | void PassTheAddrOfAllocatedData(int f) { |
| 553 | int *p = malloc(12); |
| 554 | // We don't know what happens after the call. Should stop tracking here. |
| 555 | if (takePtrToPtr(&p)) |
| 556 | f++; |
| 557 | free(p); // no warning |
| 558 | } |
| 559 | |
| 560 | struct X { |
| 561 | int *p; |
| 562 | }; |
| 563 | unsigned takePtrToStruct(struct X *s); |
| 564 | int ** foo2(int *g, int f) { |
| 565 | int *p = malloc(12); |
| 566 | struct X *px= malloc(sizeof(struct X)); |
| 567 | px->p = p; |
| 568 | // We don't know what happens after this call. Should not track px nor p. |
| 569 | if (takePtrToStruct(px)) |
| 570 | f++; |
| 571 | free(p); |
| 572 | return 0; |
| 573 | } |
| 574 | |
| 575 | struct X* RegInvalidationDetect1(struct X *s2) { |
| 576 | struct X *px= malloc(sizeof(struct X)); |
| 577 | px->p = 0; |
| 578 | px = s2; |
Anna Zaks | 3d7c44e | 2012-03-21 19:45:08 +0000 | [diff] [blame] | 579 | return px; // expected-warning {{Memory is never released; potential leak}} |
Anna Zaks | 4fb5487 | 2012-02-11 21:02:35 +0000 | [diff] [blame] | 580 | } |
| 581 | |
| 582 | struct X* RegInvalidationGiveUp1() { |
| 583 | int *p = malloc(12); |
| 584 | struct X *px= malloc(sizeof(struct X)); |
| 585 | px->p = p; |
| 586 | return px; |
| 587 | } |
| 588 | |
| 589 | int **RegInvalidationDetect2(int **pp) { |
| 590 | int *p = malloc(12); |
| 591 | pp = &p; |
| 592 | pp++; |
Anna Zaks | 3d7c44e | 2012-03-21 19:45:08 +0000 | [diff] [blame] | 593 | return 0;// expected-warning {{Memory is never released; potential leak}} |
Anna Zaks | 4fb5487 | 2012-02-11 21:02:35 +0000 | [diff] [blame] | 594 | } |
Anna Zaks | f8b1c31 | 2012-02-10 01:11:03 +0000 | [diff] [blame] | 595 | |
Anna Zaks | f8b1c31 | 2012-02-10 01:11:03 +0000 | [diff] [blame] | 596 | extern void exit(int) __attribute__ ((__noreturn__)); |
| 597 | void mallocExit(int *g) { |
| 598 | struct xx *p = malloc(12); |
Anna Zaks | da04677 | 2012-02-11 21:02:40 +0000 | [diff] [blame] | 599 | if (g != 0) |
| 600 | exit(1); |
Anna Zaks | f8b1c31 | 2012-02-10 01:11:03 +0000 | [diff] [blame] | 601 | free(p); |
| 602 | return; |
| 603 | } |
| 604 | |
Anna Zaks | f8b1c31 | 2012-02-10 01:11:03 +0000 | [diff] [blame] | 605 | extern void __assert_fail (__const char *__assertion, __const char *__file, |
| 606 | unsigned int __line, __const char *__function) |
| 607 | __attribute__ ((__noreturn__)); |
| 608 | #define assert(expr) \ |
| 609 | ((expr) ? (void)(0) : __assert_fail (#expr, __FILE__, __LINE__, __func__)) |
| 610 | void mallocAssert(int *g) { |
| 611 | struct xx *p = malloc(12); |
| 612 | |
Anna Zaks | da04677 | 2012-02-11 21:02:40 +0000 | [diff] [blame] | 613 | assert(g != 0); |
Anna Zaks | f8b1c31 | 2012-02-10 01:11:03 +0000 | [diff] [blame] | 614 | free(p); |
| 615 | return; |
| 616 | } |
| 617 | |
Anna Zaks | 15d0ae1 | 2012-02-11 23:46:36 +0000 | [diff] [blame] | 618 | void doNotInvalidateWhenPassedToSystemCalls(char *s) { |
| 619 | char *p = malloc(12); |
| 620 | strlen(p); |
| 621 | strcpy(p, s); // expected-warning {{leak}} |
| 622 | } |
| 623 | |
Anna Zaks | f0dfc9c | 2012-02-17 22:35:31 +0000 | [diff] [blame] | 624 | // Rely on the CString checker evaluation of the strcpy API to convey that the result of strcpy is equal to p. |
| 625 | void symbolLostWithStrcpy(char *s) { |
| 626 | char *p = malloc(12); |
| 627 | p = strcpy(p, s); |
| 628 | free(p); |
| 629 | } |
| 630 | |
| 631 | |
| 632 | // The same test as the one above, but with what is actually generated on a mac. |
| 633 | static __inline char * |
| 634 | __inline_strcpy_chk (char *restrict __dest, const char *restrict __src) |
| 635 | { |
| 636 | return __builtin___strcpy_chk (__dest, __src, __builtin_object_size (__dest, 2 > 1)); |
| 637 | } |
| 638 | |
| 639 | void symbolLostWithStrcpy_InlineStrcpyVersion(char *s) { |
| 640 | char *p = malloc(12); |
| 641 | p = ((__builtin_object_size (p, 0) != (size_t) -1) ? __builtin___strcpy_chk (p, s, __builtin_object_size (p, 2 > 1)) : __inline_strcpy_chk (p, s)); |
| 642 | free(p); |
| 643 | } |
Anna Zaks | d9ab7bb | 2012-02-22 02:36:01 +0000 | [diff] [blame] | 644 | |
| 645 | // Here we are returning a pointer one past the allocated value. An idiom which |
| 646 | // can be used for implementing special malloc. The correct uses of this might |
| 647 | // be rare enough so that we could keep this as a warning. |
| 648 | static void *specialMalloc(int n){ |
| 649 | int *p; |
| 650 | p = malloc( n+8 ); |
| 651 | if( p ){ |
| 652 | p[0] = n; |
| 653 | p++; |
| 654 | } |
| 655 | return p; |
| 656 | } |
| 657 | |
| 658 | // Potentially, the user could free the struct by performing pointer arithmetic on the return value. |
| 659 | // This is a variation of the specialMalloc issue, though probably would be more rare in correct code. |
| 660 | int *specialMallocWithStruct() { |
| 661 | struct StructWithInt *px= malloc(sizeof(struct StructWithInt)); |
| 662 | return &(px->g); |
| 663 | } |
| 664 | |
Anna Zaks | 60a1fa4 | 2012-02-22 03:14:20 +0000 | [diff] [blame] | 665 | // Test various allocation/deallocation functions. |
Anna Zaks | 60a1fa4 | 2012-02-22 03:14:20 +0000 | [diff] [blame] | 666 | void testStrdup(const char *s, unsigned validIndex) { |
| 667 | char *s2 = strdup(s); |
Anna Zaks | 3d7c44e | 2012-03-21 19:45:08 +0000 | [diff] [blame] | 668 | s2[validIndex + 1] = 'b';// expected-warning {{Memory is never released; potential leak}} |
Anna Zaks | 60a1fa4 | 2012-02-22 03:14:20 +0000 | [diff] [blame] | 669 | } |
| 670 | |
| 671 | int testStrndup(const char *s, unsigned validIndex, unsigned size) { |
| 672 | char *s2 = strndup(s, size); |
| 673 | s2 [validIndex + 1] = 'b'; |
| 674 | if (s2[validIndex] != 'a') |
Anna Zaks | ca8e36e | 2012-02-23 21:38:21 +0000 | [diff] [blame] | 675 | return 0; |
Anna Zaks | 60a1fa4 | 2012-02-22 03:14:20 +0000 | [diff] [blame] | 676 | else |
Anna Zaks | 3d7c44e | 2012-03-21 19:45:08 +0000 | [diff] [blame] | 677 | return 1;// expected-warning {{Memory is never released; potential leak}} |
Anna Zaks | 60a1fa4 | 2012-02-22 03:14:20 +0000 | [diff] [blame] | 678 | } |
| 679 | |
Anna Zaks | 87cb5be | 2012-02-22 19:24:52 +0000 | [diff] [blame] | 680 | void testStrdupContentIsDefined(const char *s, unsigned validIndex) { |
| 681 | char *s2 = strdup(s); |
| 682 | char result = s2[1];// no warning |
| 683 | free(s2); |
| 684 | } |
| 685 | |
Anna Zaks | ca23eb2 | 2012-02-29 18:42:47 +0000 | [diff] [blame] | 686 | // ---------------------------------------------------------------------------- |
Anna Zaks | 0d389b8 | 2012-02-23 01:05:27 +0000 | [diff] [blame] | 687 | // Test the system library functions to which the pointer can escape. |
Anna Zaks | ca23eb2 | 2012-02-29 18:42:47 +0000 | [diff] [blame] | 688 | // This tests false positive suppression. |
Anna Zaks | 0d389b8 | 2012-02-23 01:05:27 +0000 | [diff] [blame] | 689 | |
| 690 | // For now, we assume memory passed to pthread_specific escapes. |
| 691 | // TODO: We could check that if a new pthread binding is set, the existing |
| 692 | // binding must be freed; otherwise, a memory leak can occur. |
| 693 | void testPthereadSpecificEscape(pthread_key_t key) { |
| 694 | void *buf = malloc(12); |
| 695 | pthread_setspecific(key, buf); // no warning |
| 696 | } |
| 697 | |
Anna Zaks | ca23eb2 | 2012-02-29 18:42:47 +0000 | [diff] [blame] | 698 | // PR12101: Test funopen(). |
| 699 | static int releasePtr(void *_ctx) { |
| 700 | free(_ctx); |
| 701 | return 0; |
| 702 | } |
| 703 | FILE *useFunOpen() { |
| 704 | void *ctx = malloc(sizeof(int)); |
| 705 | FILE *f = funopen(ctx, 0, 0, 0, releasePtr); // no warning |
| 706 | if (f == 0) { |
| 707 | free(ctx); |
| 708 | } |
| 709 | return f; |
| 710 | } |
| 711 | FILE *useFunOpenNoReleaseFunction() { |
| 712 | void *ctx = malloc(sizeof(int)); |
| 713 | FILE *f = funopen(ctx, 0, 0, 0, 0); |
| 714 | if (f == 0) { |
| 715 | free(ctx); |
| 716 | } |
| 717 | return f; // expected-warning{{leak}} |
| 718 | } |
| 719 | |
| 720 | // Test setbuf, setvbuf. |
| 721 | int my_main_no_warning() { |
| 722 | char *p = malloc(100); |
| 723 | setvbuf(stdout, p, 0, 100); |
| 724 | return 0; |
| 725 | } |
| 726 | int my_main_no_warning2() { |
| 727 | char *p = malloc(100); |
| 728 | setbuf(__stdoutp, p); |
| 729 | return 0; |
| 730 | } |
| 731 | int my_main_warn(FILE *f) { |
| 732 | char *p = malloc(100); |
| 733 | setvbuf(f, p, 0, 100); |
| 734 | return 0;// expected-warning {{leak}} |
| 735 | } |
| 736 | |
Ted Kremenek | a99f874 | 2012-03-05 23:06:19 +0000 | [diff] [blame] | 737 | // <rdar://problem/10978247>. |
| 738 | // some people use stack allocated memory as an optimization to avoid |
| 739 | // a heap allocation for small work sizes. This tests the analyzer's |
| 740 | // understanding that the malloc'ed memory is not the same as stackBuffer. |
| 741 | void radar10978247(int myValueSize) { |
| 742 | char stackBuffer[128]; |
| 743 | char *buffer; |
| 744 | |
| 745 | if (myValueSize <= sizeof(stackBuffer)) |
| 746 | buffer = stackBuffer; |
| 747 | else |
| 748 | buffer = malloc(myValueSize); |
| 749 | |
| 750 | // do stuff with the buffer |
| 751 | if (buffer != stackBuffer) |
| 752 | free(buffer); |
| 753 | } |
| 754 | |
| 755 | void radar10978247_positive(int myValueSize) { |
| 756 | char stackBuffer[128]; |
| 757 | char *buffer; |
| 758 | |
| 759 | if (myValueSize <= sizeof(stackBuffer)) |
| 760 | buffer = stackBuffer; |
| 761 | else |
| 762 | buffer = malloc(myValueSize); |
| 763 | |
| 764 | // do stuff with the buffer |
| 765 | if (buffer == stackBuffer) // expected-warning {{leak}} |
| 766 | return; |
| 767 | } |
| 768 | |
Ted Kremenek | 8f40afb | 2012-04-26 05:08:26 +0000 | [diff] [blame] | 769 | // <rdar://problem/11269741> Previously this triggered a false positive |
| 770 | // because malloc() is known to return uninitialized memory and the binding |
| 771 | // of 'o' to 'p->n' was not getting propertly handled. Now we report a leak. |
| 772 | struct rdar11269741_a_t { |
| 773 | struct rdar11269741_b_t { |
| 774 | int m; |
| 775 | } n; |
| 776 | }; |
| 777 | |
| 778 | int rdar11269741(struct rdar11269741_b_t o) |
| 779 | { |
| 780 | struct rdar11269741_a_t *p = (struct rdar11269741_a_t *) malloc(sizeof(*p)); |
| 781 | p->n = o; |
| 782 | return p->n.m; // expected-warning {{leak}} |
| 783 | } |
| 784 | |
Anna Zaks | e55a14a | 2012-05-03 02:13:56 +0000 | [diff] [blame] | 785 | // Pointer arithmetic, returning an ElementRegion. |
| 786 | void *radar11329382(unsigned bl) { |
| 787 | void *ptr = malloc (16); |
| 788 | ptr = ptr + (2 - bl); |
| 789 | return ptr; // no warning |
| 790 | } |
| 791 | |
Anna Zaks | 33e4a1d | 2012-05-01 21:10:29 +0000 | [diff] [blame] | 792 | void __assert_rtn(const char *, const char *, int, const char *) __attribute__((__noreturn__)); |
| 793 | int strcmp(const char *, const char *); |
| 794 | char *a (void); |
| 795 | void radar11270219(void) { |
| 796 | char *x = a(), *y = a(); |
| 797 | (__builtin_expect(!(x && y), 0) ? __assert_rtn(__func__, "/Users/zaks/tmp/ex.c", 24, "x && y") : (void)0); |
| 798 | strcmp(x, y); // no warning |
| 799 | } |
| 800 | |
Anna Zaks | 93c5a24 | 2012-05-02 00:05:20 +0000 | [diff] [blame] | 801 | void radar_11358224_test_double_assign_ints_positive_2() |
| 802 | { |
| 803 | void *ptr = malloc(16); |
| 804 | ptr = ptr; // expected-warning {{leak}} |
| 805 | } |
| 806 | |
Anna Zaks | aca0ac5 | 2012-05-03 23:50:28 +0000 | [diff] [blame] | 807 | // Assume that functions which take a function pointer can free memory even if |
| 808 | // they are defined in system headers and take the const pointer to the |
| 809 | // allocated memory. (radar://11160612) |
| 810 | int const_ptr_and_callback(int, const char*, int n, void(*)(void*)); |
| 811 | void r11160612_1() { |
| 812 | char *x = malloc(12); |
| 813 | const_ptr_and_callback(0, x, 12, free); // no - warning |
| 814 | } |
| 815 | |
| 816 | // Null is passed as callback. |
| 817 | void r11160612_2() { |
| 818 | char *x = malloc(12); |
| 819 | const_ptr_and_callback(0, x, 12, 0); // expected-warning {{leak}} |
| 820 | } |
| 821 | |
| 822 | // Callback is passed to a function defined in a system header. |
| 823 | void r11160612_4() { |
| 824 | char *x = malloc(12); |
| 825 | sqlite3_bind_text_my(0, x, 12, free); // no - warning |
| 826 | } |
| 827 | |
Anna Zaks | b79d862 | 2012-05-03 23:50:33 +0000 | [diff] [blame] | 828 | // Passing callbacks in a struct. |
| 829 | void r11160612_5(StWithCallback St) { |
| 830 | void *x = malloc(12); |
| 831 | dealocateMemWhenDoneByVal(x, St); |
| 832 | } |
| 833 | void r11160612_6(StWithCallback St) { |
| 834 | void *x = malloc(12); |
| 835 | dealocateMemWhenDoneByRef(&St, x); |
| 836 | } |
| 837 | |
Anna Zaks | 84d4384 | 2012-05-04 17:37:16 +0000 | [diff] [blame] | 838 | int mySub(int, int); |
| 839 | int myAdd(int, int); |
| 840 | int fPtr(unsigned cond, int x) { |
| 841 | return (cond ? mySub : myAdd)(x, x); |
| 842 | } |
| 843 | |
Anna Zaks | e17fdb2 | 2012-06-07 03:57:32 +0000 | [diff] [blame] | 844 | // Test anti-aliasing. |
Anna Zaks | da04677 | 2012-02-11 21:02:40 +0000 | [diff] [blame] | 845 | |
Anna Zaks | f8b1c31 | 2012-02-10 01:11:03 +0000 | [diff] [blame] | 846 | void dependsOnValueOfPtr(int *g, unsigned f) { |
| 847 | int *p; |
| 848 | |
| 849 | if (f) { |
| 850 | p = g; |
| 851 | } else { |
| 852 | p = malloc(12); |
| 853 | } |
| 854 | |
| 855 | if (p != g) |
| 856 | free(p); |
| 857 | else |
Anna Zaks | e17fdb2 | 2012-06-07 03:57:32 +0000 | [diff] [blame] | 858 | return; // no warning |
Anna Zaks | f8b1c31 | 2012-02-10 01:11:03 +0000 | [diff] [blame] | 859 | return; |
| 860 | } |
| 861 | |
Anna Zaks | e17fdb2 | 2012-06-07 03:57:32 +0000 | [diff] [blame] | 862 | int CMPRegionHeapToStack() { |
| 863 | int x = 0; |
| 864 | int *x1 = malloc(8); |
| 865 | int *x2 = &x; |
Anna Zaks | adccc3f | 2012-06-08 00:04:40 +0000 | [diff] [blame] | 866 | clang_analyzer_eval(x1 == x2); // expected-warning{{FALSE}} |
Anna Zaks | e17fdb2 | 2012-06-07 03:57:32 +0000 | [diff] [blame] | 867 | free(x1); |
| 868 | return x; |
| 869 | } |
| 870 | |
| 871 | int CMPRegionHeapToHeap2() { |
| 872 | int x = 0; |
| 873 | int *x1 = malloc(8); |
| 874 | int *x2 = malloc(8); |
| 875 | int *x4 = x1; |
| 876 | int *x5 = x2; |
Anna Zaks | adccc3f | 2012-06-08 00:04:40 +0000 | [diff] [blame] | 877 | clang_analyzer_eval(x4 == x5); // expected-warning{{FALSE}} |
Anna Zaks | e17fdb2 | 2012-06-07 03:57:32 +0000 | [diff] [blame] | 878 | free(x1); |
| 879 | free(x2); |
| 880 | return x; |
| 881 | } |
| 882 | |
| 883 | int CMPRegionHeapToHeap() { |
| 884 | int x = 0; |
| 885 | int *x1 = malloc(8); |
| 886 | int *x4 = x1; |
| 887 | if (x1 == x4) { |
| 888 | free(x1); |
| 889 | return 5/x; // expected-warning{{Division by zero}} |
| 890 | } |
| 891 | return x;// expected-warning{{This statement is never executed}} |
| 892 | } |
| 893 | |
| 894 | int HeapAssignment() { |
| 895 | int m = 0; |
| 896 | int *x = malloc(4); |
| 897 | int *y = x; |
| 898 | *x = 5; |
Anna Zaks | adccc3f | 2012-06-08 00:04:40 +0000 | [diff] [blame] | 899 | clang_analyzer_eval(*x != *y); // expected-warning{{FALSE}} |
Anna Zaks | e17fdb2 | 2012-06-07 03:57:32 +0000 | [diff] [blame] | 900 | free(x); |
| 901 | return 0; |
| 902 | } |
| 903 | |
Anna Zaks | 783f008 | 2012-06-07 20:18:08 +0000 | [diff] [blame] | 904 | int *retPtr(); |
| 905 | int *retPtrMightAlias(int *x); |
| 906 | int cmpHeapAllocationToUnknown() { |
| 907 | int zero = 0; |
| 908 | int *yBefore = retPtr(); |
| 909 | int *m = malloc(8); |
| 910 | int *yAfter = retPtrMightAlias(m); |
Anna Zaks | adccc3f | 2012-06-08 00:04:40 +0000 | [diff] [blame] | 911 | clang_analyzer_eval(yBefore == m); // expected-warning{{FALSE}} |
| 912 | clang_analyzer_eval(yAfter == m); // expected-warning{{FALSE}} |
Anna Zaks | 783f008 | 2012-06-07 20:18:08 +0000 | [diff] [blame] | 913 | free(m); |
| 914 | return 0; |
| 915 | } |
| 916 | |
Anna Zaks | ca23eb2 | 2012-02-29 18:42:47 +0000 | [diff] [blame] | 917 | // ---------------------------------------------------------------------------- |
Anna Zaks | ac59300 | 2012-02-16 03:40:57 +0000 | [diff] [blame] | 918 | // False negatives. |
| 919 | |
| 920 | // TODO: This requires tracking symbols stored inside the structs/arrays. |
| 921 | void testMalloc5() { |
| 922 | StructWithPtr St; |
| 923 | StructWithPtr *pSt = &St; |
| 924 | pSt->memP = malloc(12); |
| 925 | } |
Anna Zaks | ad901a6 | 2012-02-16 22:26:15 +0000 | [diff] [blame] | 926 | |
Anna Zaks | d9ab7bb | 2012-02-22 02:36:01 +0000 | [diff] [blame] | 927 | // TODO: This is another false negative. |
| 928 | void testMallocWithParam(int **p) { |
| 929 | *p = (int*) malloc(sizeof(int)); |
| 930 | *p = 0; |
| 931 | } |
| 932 | |
| 933 | void testMallocWithParam_2(int **p) { |
| 934 | *p = (int*) malloc(sizeof(int)); |
| 935 | } |
| 936 | |
Anna Zaks | ad901a6 | 2012-02-16 22:26:15 +0000 | [diff] [blame] | 937 | // TODO: This should produce a warning, similar to the previous issue. |
| 938 | void localArrayTest() { |
| 939 | char *p = (char*)malloc(12); |
| 940 | char *ArrayL[12]; |
| 941 | ArrayL[0] = p; |
| 942 | } |
| 943 | |
Ted Kremenek | 140d0c6 | 2012-05-01 21:58:29 +0000 | [diff] [blame] | 944 | // Test double assignment through integers. |
| 945 | static long glob; |
| 946 | void test_double_assign_ints() |
| 947 | { |
| 948 | void *ptr = malloc (16); // no-warning |
| 949 | glob = (long)(unsigned long)ptr; |
| 950 | } |
| 951 | |
| 952 | void test_double_assign_ints_positive() |
| 953 | { |
| 954 | void *ptr = malloc(16); |
| 955 | (void*)(long)(unsigned long)ptr; // expected-warning {{unused}} expected-warning {{leak}} |
| 956 | } |
| 957 | |
Jordan Rose | 1bf908d | 2012-06-16 00:09:20 +0000 | [diff] [blame^] | 958 | |
| 959 | void testCGContextNoLeak() |
| 960 | { |
| 961 | void *ptr = malloc(16); |
| 962 | CGContextRef context = CGBitmapContextCreate(ptr); |
| 963 | |
| 964 | // Because you can get the data back out like this, even much later, |
| 965 | // CGBitmapContextCreate is one of our "stop-tracking" exceptions. |
| 966 | free(CGBitmapContextGetData(context)); |
| 967 | } |
| 968 | |
| 969 | void testCGContextLeak() |
| 970 | { |
| 971 | void *ptr = malloc(16); |
| 972 | CGContextRef context = CGBitmapContextCreate(ptr); |
| 973 | // However, this time we're just leaking the data, because the context |
| 974 | // object doesn't escape and it hasn't been freed in this function. |
| 975 | } |
| 976 | |