Gitiles
Code Review Sign In
gerrit-public.fairphone.software / toolchain / llvm-project / d51574850eb0bd5c930eb42e57222a73beb7d1f7 / . / clang / test / Analysis / malloc.c
blob: dce088e50d979374c7c132caa14a76926ef3a5f0 [file] [log] [blame]
Ted Kremenek3f955e62011-08-03 23:14:55 +0000[diff] [blame]1// RUN: %clang_cc1 -analyze -analyzer-checker=core,experimental.deadcode.UnreachableCode,experimental.core.CastSize,experimental.unix.Malloc -analyzer-store=region -verify %s
Anna Zaks41b84842012-02-11 23:46:36 +0000[diff] [blame]2#include "system-header-simulator.h"
3
Eli Friedmanb7746852009-11-14 04:23:25 +0000[diff] [blame]4typedef __typeof(sizeof(int)) size_t;
Ted Kremenek9430bf22009-11-13 20:03:22 +0000[diff] [blame]5void *malloc(size_t);
Anna Zaksd5157482012-02-15 00:11:22 +0000[diff] [blame^]6void *valloc(size_t);
Ted Kremenek9430bf22009-11-13 20:03:22 +0000[diff] [blame]7void free(void *);
Zhongxing Xuc0484fa2009-12-12 12:29:38 +0000[diff] [blame]8void *realloc(void *ptr, size_t size);
9void *calloc(size_t nmemb, size_t size);
Ted Kremenekd21139a2010-07-31 01:52:11 +0000[diff] [blame]10
Anna Zaksa1b227b2012-02-08 23:16:56 +0000[diff] [blame]11void myfoo(int *p);
12void myfooint(int p);
Zhongxing Xuc7460962009-11-13 07:48:11 +0000[diff] [blame]13
14void f1() {
Zhongxing Xu658dd8b2010-05-25 04:59:19 +0000[diff] [blame]15 int *p = malloc(12);
Zhongxing Xuc7460962009-11-13 07:48:11 +0000[diff] [blame]16 return; // expected-warning{{Allocated memory never released. Potential memory leak.}}
17}
18
Zhongxing Xuc7460962009-11-13 07:48:11 +0000[diff] [blame]19void f2() {
Zhongxing Xu658dd8b2010-05-25 04:59:19 +0000[diff] [blame]20 int *p = malloc(12);
Zhongxing Xuc7460962009-11-13 07:48:11 +0000[diff] [blame]21 free(p);
22 free(p); // expected-warning{{Try to free a memory block that has been released}}
23}
Ted Kremeneke5e977012009-11-13 20:00:28 +0000[diff] [blame]24
Lenny Maiorani005b5c12011-04-27 14:49:29 +0000[diff] [blame]25void f2_realloc_0() {
26 int *p = malloc(12);
27 realloc(p,0);
28 realloc(p,0); // expected-warning{{Try to free a memory block that has been released}}
29}
30
31void f2_realloc_1() {
32 int *p = malloc(12);
Zhongxing Xubfb8e2f2011-09-01 04:53:59 +0000[diff] [blame]33 int *q = realloc(p,0); // no-warning
Lenny Maiorani005b5c12011-04-27 14:49:29 +0000[diff] [blame]34}
35
Anna Zaksd56c8792012-02-13 18:05:39 +0000[diff] [blame]36void reallocNotNullPtr(unsigned sizeIn) {
37 unsigned size = 12;
38 char *p = (char*)malloc(size);
39 if (p) {
40 char *q = (char*)realloc(p, sizeIn);
41 char x = *q; // expected-warning {{Allocated memory never released.}}
42 }
43}
44
45int *realloctest1() {
46 int *q = malloc(12);
47 q = realloc(q, 20);
48 return q; // no warning - returning the allocated value
49}
50
51// p should be freed if realloc fails.
52void reallocFails() {
53 char *p = malloc(12);
54 char *r = realloc(p, 12+1);
55 if (!r) {
56 free(p);
57 } else {
58 free(r);
59 }
60}
61
Anna Zaks8fd0f2a2012-02-13 20:57:07 +0000[diff] [blame]62void reallocSizeZero1() {
63 char *p = malloc(12);
64 char *r = realloc(p, 0);
65 if (!r) {
66 free(p);
67 } else {
68 free(r);
69 }
70}
71
72void reallocSizeZero2() {
73 char *p = malloc(12);
74 char *r = realloc(p, 0);
75 if (!r) {
76 free(p);
77 } else {
78 free(r);
79 }
80 free(p); // expected-warning {{Try to free a memory block that has been released}}
81}
82
83void reallocSizeZero3() {
84 char *p = malloc(12);
85 char *r = realloc(p, 0);
86 free(r);
87}
88
89void reallocSizeZero4() {
90 char *r = realloc(0, 0);
91 free(r);
92}
93
94void reallocSizeZero5() {
95 char *r = realloc(0, 0);
96}
97
98void reallocPtrZero1() {
99 char *r = realloc(0, 12); // expected-warning {{Allocated memory never released.}}
100}
101
102void reallocPtrZero2() {
103 char *r = realloc(0, 12);
104 if (r)
105 free(r);
106}
107
108void reallocPtrZero3() {
109 char *r = realloc(0, 12);
110 free(r);
111}
112
Anna Zaksad01ef52012-02-14 00:26:13 +0000[diff] [blame]113void reallocRadar6337483_1() {
114 char *buf = malloc(100);
115 buf = (char*)realloc(buf, 0x1000000);
116 if (!buf) {
117 return;// expected-warning {{Allocated memory never released.}}
118 }
119 free(buf);
120}
121
122void reallocRadar6337483_2() {
123 char *buf = malloc(100);
124 char *buf2 = (char*)realloc(buf, 0x1000000);
125 if (!buf2) { // expected-warning {{Allocated memory never released.}}
126 ;
127 } else {
128 free(buf2);
129 }
130}
131
132void reallocRadar6337483_3() {
133 char * buf = malloc(100);
134 char * tmp;
135 tmp = (char*)realloc(buf, 0x1000000);
136 if (!tmp) {
137 free(buf);
138 return;
139 }
140 buf = tmp;
141 free(buf);
142}
143
144void reallocRadar6337483_4() {
145 char *buf = malloc(100);
146 char *buf2 = (char*)realloc(buf, 0x1000000);
147 if (!buf2) {
148 return; // expected-warning {{Allocated memory never released.}}
149 } else {
150 free(buf2);
151 }
152}
153
Zhongxing Xu4668c7e2009-11-17 07:54:15 +0000[diff] [blame]154// This case tests that storing malloc'ed memory to a static variable which is
155// then returned is not leaked. In the absence of known contracts for functions
156// or inter-procedural analysis, this is a conservative answer.
Ted Kremeneke5e977012009-11-13 20:00:28 +0000[diff] [blame]157int *f3() {
158 static int *p = 0;
Zhongxing Xu658dd8b2010-05-25 04:59:19 +0000[diff] [blame]159 p = malloc(12);
Zhongxing Xu23baa012009-11-17 08:58:18 +0000[diff] [blame]160 return p; // no-warning
Ted Kremeneke5e977012009-11-13 20:00:28 +0000[diff] [blame]161}
162
Zhongxing Xu4668c7e2009-11-17 07:54:15 +0000[diff] [blame]163// This case tests that storing malloc'ed memory to a static global variable
164// which is then returned is not leaked. In the absence of known contracts for
165// functions or inter-procedural analysis, this is a conservative answer.
Ted Kremeneke5e977012009-11-13 20:00:28 +0000[diff] [blame]166static int *p_f4 = 0;
167int *f4() {
Zhongxing Xu658dd8b2010-05-25 04:59:19 +0000[diff] [blame]168 p_f4 = malloc(12);
Zhongxing Xu23baa012009-11-17 08:58:18 +0000[diff] [blame]169 return p_f4; // no-warning
Ted Kremeneke5e977012009-11-13 20:00:28 +0000[diff] [blame]170}
Zhongxing Xuc0484fa2009-12-12 12:29:38 +0000[diff] [blame]171
172int *f5() {
Zhongxing Xu658dd8b2010-05-25 04:59:19 +0000[diff] [blame]173 int *q = malloc(12);
Zhongxing Xuc0484fa2009-12-12 12:29:38 +0000[diff] [blame]174 q = realloc(q, 20);
175 return q; // no-warning
176}
Zhongxing Xub0e15df2009-12-31 06:13:07 +0000[diff] [blame]177
178void f6() {
Zhongxing Xu658dd8b2010-05-25 04:59:19 +0000[diff] [blame]179 int *p = malloc(12);
Zhongxing Xub0e15df2009-12-31 06:13:07 +0000[diff] [blame]180 if (!p)
181 return; // no-warning
182 else
183 free(p);
184}
Zhongxing Xu5fcd99b2010-01-18 04:01:40 +0000[diff] [blame]185
Lenny Maiorani005b5c12011-04-27 14:49:29 +0000[diff] [blame]186void f6_realloc() {
187 int *p = malloc(12);
188 if (!p)
189 return; // no-warning
190 else
191 realloc(p,0);
192}
193
194
Zhongxing Xu5fcd99b2010-01-18 04:01:40 +0000[diff] [blame]195char *doit2();
196void pr6069() {
197 char *buf = doit2();
198 free(buf);
199}
Zhongxing Xube36ecb2010-02-14 06:49:48 +0000[diff] [blame]200
201void pr6293() {
202 free(0);
203}
Zhongxing Xu1bb6a1a2010-03-10 04:58:55 +0000[diff] [blame]204
205void f7() {
206 char *x = (char*) malloc(4);
207 free(x);
Anna Zaks31886862012-02-10 01:11:00 +0000[diff] [blame]208 x[0] = 'a'; // expected-warning{{Use of dynamically allocated memory after it is freed.}}
Zhongxing Xu1bb6a1a2010-03-10 04:58:55 +0000[diff] [blame]209}
Zhongxing Xu658dd8b2010-05-25 04:59:19 +0000[diff] [blame]210
Lenny Maiorani005b5c12011-04-27 14:49:29 +0000[diff] [blame]211void f7_realloc() {
212 char *x = (char*) malloc(4);
213 realloc(x,0);
Anna Zaks31886862012-02-10 01:11:00 +0000[diff] [blame]214 x[0] = 'a'; // expected-warning{{Use of dynamically allocated memory after it is freed.}}
Lenny Maiorani005b5c12011-04-27 14:49:29 +0000[diff] [blame]215}
216
Zhongxing Xu658dd8b2010-05-25 04:59:19 +0000[diff] [blame]217void PR6123() {
218 int *x = malloc(11); // expected-warning{{Cast a region whose size is not a multiple of the destination type size.}}
219}
220
221void PR7217() {
222 int *buf = malloc(2); // expected-warning{{Cast a region whose size is not a multiple of the destination type size.}}
223 buf[1] = 'c'; // not crash
Zhongxing Xu658dd8b2010-05-25 04:59:19 +0000[diff] [blame]224}
Jordy Rose2dd9b022010-06-20 04:30:57 +0000[diff] [blame]225
226void mallocCastToVoid() {
227 void *p = malloc(2);
228 const void *cp = p; // not crash
229 free(p);
230}
231
232void mallocCastToFP() {
233 void *p = malloc(2);
234 void (*fp)() = p; // not crash
235 free(p);
236}
237
Zhongxing Xu527ff6d2010-06-01 03:01:33 +0000[diff] [blame]238// This tests that malloc() buffers are undefined by default
239char mallocGarbage () {
240 char *buf = malloc(2);
241 char result = buf[1]; // expected-warning{{undefined}}
242 free(buf);
243 return result;
244}
245
246// This tests that calloc() buffers need to be freed
247void callocNoFree () {
248 char *buf = calloc(2,2);
249 return; // expected-warning{{never released}}
250}
251
252// These test that calloc() buffers are zeroed by default
253char callocZeroesGood () {
254 char *buf = calloc(2,2);
255 char result = buf[3]; // no-warning
256 if (buf[1] == 0) {
257 free(buf);
258 }
259 return result; // no-warning
260}
261
262char callocZeroesBad () {
263 char *buf = calloc(2,2);
264 char result = buf[3]; // no-warning
265 if (buf[1] != 0) {
Tom Carecba9f512010-07-23 23:04:53 +0000[diff] [blame]266 free(buf); // expected-warning{{never executed}}
Zhongxing Xu527ff6d2010-06-01 03:01:33 +0000[diff] [blame]267 }
268 return result; // expected-warning{{never released}}
269}
Anna Zaksa1b227b2012-02-08 23:16:56 +0000[diff] [blame]270
271void nullFree() {
272 int *p = 0;
273 free(p); // no warning - a nop
274}
275
276void paramFree(int *p) {
277 myfoo(p);
278 free(p); // no warning
279 myfoo(p); // TODO: This should be a warning.
280}
281
282int* mallocEscapeRet() {
283 int *p = malloc(12);
284 return p; // no warning
285}
286
287void mallocEscapeFoo() {
288 int *p = malloc(12);
289 myfoo(p);
290 return; // no warning
291}
292
293void mallocEscapeFree() {
294 int *p = malloc(12);
295 myfoo(p);
296 free(p);
297}
298
299void mallocEscapeFreeFree() {
300 int *p = malloc(12);
301 myfoo(p);
302 free(p);
303 free(p); // expected-warning{{Try to free a memory block that has been released}}
304}
305
306void mallocEscapeFreeUse() {
307 int *p = malloc(12);
308 myfoo(p);
309 free(p);
Anna Zaks31886862012-02-10 01:11:00 +0000[diff] [blame]310 myfoo(p); // expected-warning{{Use of dynamically allocated memory after it is freed.}}
Anna Zaksa1b227b2012-02-08 23:16:56 +0000[diff] [blame]311}
312
313int *myalloc();
314void myalloc2(int **p);
315
316void mallocEscapeFreeCustomAlloc() {
317 int *p = malloc(12);
318 myfoo(p);
319 free(p);
320 p = myalloc();
321 free(p); // no warning
322}
323
324void mallocEscapeFreeCustomAlloc2() {
325 int *p = malloc(12);
326 myfoo(p);
327 free(p);
328 myalloc2(&p);
329 free(p); // no warning
330}
331
332void mallocBindFreeUse() {
333 int *x = malloc(12);
334 int *y = x;
335 free(y);
Anna Zaks31886862012-02-10 01:11:00 +0000[diff] [blame]336 myfoo(x); // expected-warning{{Use of dynamically allocated memory after it is freed.}}
Anna Zaksa1b227b2012-02-08 23:16:56 +0000[diff] [blame]337}
338
339void mallocEscapeMalloc() {
340 int *p = malloc(12);
341 myfoo(p);
342 p = malloc(12); // expected-warning{{Allocated memory never released. Potential memory leak.}}
343}
344
345void mallocMalloc() {
346 int *p = malloc(12);
347 p = malloc(12); // expected-warning{{Allocated memory never released. Potential memory leak}}
348}
349
350void mallocFreeMalloc() {
351 int *p = malloc(12);
352 free(p);
353 p = malloc(12);
354 free(p);
355}
356
Anna Zaks12259b42012-02-09 06:25:47 +0000[diff] [blame]357void mallocFreeUse_params() {
Anna Zaksa1b227b2012-02-08 23:16:56 +0000[diff] [blame]358 int *p = malloc(12);
359 free(p);
Anna Zaks31886862012-02-10 01:11:00 +0000[diff] [blame]360 myfoo(p); //expected-warning{{Use of dynamically allocated memory after it is freed}}
Anna Zaks41b84842012-02-11 23:46:36 +0000[diff] [blame]361}
362
363void mallocFreeUse_params2() {
364 int *p = malloc(12);
365 free(p);
Anna Zaks31886862012-02-10 01:11:00 +0000[diff] [blame]366 myfooint(*p); //expected-warning{{Use of dynamically allocated memory after it is freed}}
Anna Zaksa1b227b2012-02-08 23:16:56 +0000[diff] [blame]367}
368
Anna Zaks2b5bb972012-02-09 06:25:51 +0000[diff] [blame]369void mallocFailedOrNot() {
370 int *p = malloc(12);
371 if (!p)
372 free(p);
373 else
374 free(p);
375}
376
Anna Zaks31886862012-02-10 01:11:00 +0000[diff] [blame]377struct StructWithInt {
378 int g;
379};
Anna Zaks3aa52252012-02-11 21:44:39 +0000[diff] [blame]380
381int *mallocReturnFreed() {
382 int *p = malloc(12);
383 free(p);
384 return p; // expected-warning {{Use of dynamically allocated}}
385}
386
387int useAfterFreeStruct() {
388 struct StructWithInt *px= malloc(sizeof(struct StructWithInt));
389 px->g = 5;
390 free(px);
391 return px->g; // expected-warning {{Use of dynamically allocated}}
392}
393
Anna Zaks31886862012-02-10 01:11:00 +0000[diff] [blame]394void nonSymbolAsFirstArg(int *pp, struct StructWithInt *p);
395
396void mallocEscapeFooNonSymbolArg() {
397 struct StructWithInt *p = malloc(sizeof(struct StructWithInt));
398 nonSymbolAsFirstArg(&p->g, p);
399 return; // no warning
400}
401
Anna Zaksbb1ef902012-02-11 21:02:35 +0000[diff] [blame]402void mallocFailedOrNotLeak() {
403 int *p = malloc(12);
404 if (p == 0)
405 return; // no warning
406 else
407 return; // expected-warning {{Allocated memory never released. Potential memory leak.}}
408}
Anna Zaks31886862012-02-10 01:11:00 +0000[diff] [blame]409
Anna Zaksd5157482012-02-15 00:11:22 +0000[diff] [blame^]410int vallocTest() {
411 char *mem = valloc(12);
412 return 0; // expected-warning {{Allocated memory never released. Potential memory leak.}}
413}
414
415void vallocEscapeFreeUse() {
416 int *p = valloc(12);
417 myfoo(p);
418 free(p);
419 myfoo(p); // expected-warning{{Use of dynamically allocated memory after it is freed.}}
420}
421
Anna Zaks12259b42012-02-09 06:25:47 +0000[diff] [blame]422int *Gl;
423struct GlStTy {
424 int *x;
425};
426
427struct GlStTy GlS = {0};
428
429void GlobalFree() {
430 free(Gl);
431}
432
433void GlobalMalloc() {
434 Gl = malloc(12);
435}
436
437void GlobalStructMalloc() {
438 int *a = malloc(12);
439 GlS.x = a;
440}
441
442void GlobalStructMallocFree() {
443 int *a = malloc(12);
444 GlS.x = a;
445 free(GlS.x);
446}
Anna Zakse963fd52012-02-10 01:11:03 +0000[diff] [blame]447
Anna Zaksbb1ef902012-02-11 21:02:35 +0000[diff] [blame]448// Region escape testing.
449
450unsigned takePtrToPtr(int **p);
451void PassTheAddrOfAllocatedData(int f) {
452 int *p = malloc(12);
453 // We don't know what happens after the call. Should stop tracking here.
454 if (takePtrToPtr(&p))
455 f++;
456 free(p); // no warning
457}
458
459struct X {
460 int *p;
461};
462unsigned takePtrToStruct(struct X *s);
463int ** foo2(int *g, int f) {
464 int *p = malloc(12);
465 struct X *px= malloc(sizeof(struct X));
466 px->p = p;
467 // We don't know what happens after this call. Should not track px nor p.
468 if (takePtrToStruct(px))
469 f++;
470 free(p);
471 return 0;
472}
473
474struct X* RegInvalidationDetect1(struct X *s2) {
475 struct X *px= malloc(sizeof(struct X));
476 px->p = 0;
477 px = s2;
478 return px; // expected-warning {{Allocated memory never released. Potential memory leak.}}
479}
480
481struct X* RegInvalidationGiveUp1() {
482 int *p = malloc(12);
483 struct X *px= malloc(sizeof(struct X));
484 px->p = p;
485 return px;
486}
487
488int **RegInvalidationDetect2(int **pp) {
489 int *p = malloc(12);
490 pp = &p;
491 pp++;
492 return 0;// expected-warning {{Allocated memory never released. Potential memory leak.}}
493}
Anna Zakse963fd52012-02-10 01:11:03 +0000[diff] [blame]494
Anna Zakse963fd52012-02-10 01:11:03 +0000[diff] [blame]495extern void exit(int) __attribute__ ((__noreturn__));
496void mallocExit(int *g) {
497 struct xx *p = malloc(12);
Anna Zaksd3571e5a2012-02-11 21:02:40 +0000[diff] [blame]498 if (g != 0)
499 exit(1);
Anna Zakse963fd52012-02-10 01:11:03 +0000[diff] [blame]500 free(p);
501 return;
502}
503
Anna Zakse963fd52012-02-10 01:11:03 +0000[diff] [blame]504extern void __assert_fail (__const char *__assertion, __const char *__file,
505 unsigned int __line, __const char *__function)
506 __attribute__ ((__noreturn__));
507#define assert(expr) \
508 ((expr) ? (void)(0) : __assert_fail (#expr, __FILE__, __LINE__, __func__))
509void mallocAssert(int *g) {
510 struct xx *p = malloc(12);
511
Anna Zaksd3571e5a2012-02-11 21:02:40 +0000[diff] [blame]512 assert(g != 0);
Anna Zakse963fd52012-02-10 01:11:03 +0000[diff] [blame]513 free(p);
514 return;
515}
516
Anna Zaks41b84842012-02-11 23:46:36 +0000[diff] [blame]517void doNotInvalidateWhenPassedToSystemCalls(char *s) {
518 char *p = malloc(12);
519 strlen(p);
520 strcpy(p, s); // expected-warning {{leak}}
521}
522
Anna Zaksd3571e5a2012-02-11 21:02:40 +0000[diff] [blame]523// Below are the known false positives.
524
Anna Zakse963fd52012-02-10 01:11:03 +0000[diff] [blame]525// TODO: There should be no warning here. This one might be difficult to get rid of.
526void dependsOnValueOfPtr(int *g, unsigned f) {
527 int *p;
528
529 if (f) {
530 p = g;
531 } else {
532 p = malloc(12);
533 }
534
535 if (p != g)
536 free(p);
537 else
538 return; // expected-warning{{Allocated memory never released. Potential memory leak}}
539 return;
540}
541
542// TODO: Should this be a warning?
543// Here we are returning a pointer one past the allocated value. An idiom which
544// can be used for implementing special malloc. The correct uses of this might
545// be rare enough so that we could keep this as a warning.
546static void *specialMalloc(int n){
547 int *p;
548 p = malloc( n+8 );
549 if( p ){
550 p[0] = n;
551 p++;
552 }
553 return p;// expected-warning {{Allocated memory never released. Potential memory leak.}}
554}