1// RUN: %clang_cc1 -analyze -analyzer-checker=core,alpha.deadcode.UnreachableCode,alpha.core.CastSize,unix.Malloc,debug.ExprInspection -analyzer-store=region -verify %s
2#include "system-header-simulator.h"
3
4void clang_analyzer_eval(int);
5
6typedef __typeof(sizeof(int)) size_t;
7void *malloc(size_t);
8void *valloc(size_t);
9void free(void *);
10void *realloc(void *ptr, size_t size);
11void *reallocf(void *ptr, size_t size);
12void *calloc(size_t nmemb, size_t size);
13char *strdup(const char *s);
14char *strndup(const char *s, size_t n);
15
16void myfoo(int *p);
17void myfooint(int p);
18char *fooRetPtr();
19
20void f1() {
21  int *p = malloc(12);
22  return; // expected-warning{{Memory is never released; potential leak of memory pointed to by 'p'}}
23}
24
25void f2() {
26  int *p = malloc(12);
27  free(p);
28  free(p); // expected-warning{{Attempt to free released memory}}
29}
30
31void f2_realloc_0() {
32  int *p = malloc(12);
33  realloc(p,0);
34  realloc(p,0); // expected-warning{{Attempt to free released memory}}
35}
36
37void f2_realloc_1() {
38  int *p = malloc(12);
39  int *q = realloc(p,0); // no-warning
40}
41
42void reallocNotNullPtr(unsigned sizeIn) {
43  unsigned size = 12;
44  char *p = (char*)malloc(size);
45  if (p) {
46    char *q = (char*)realloc(p, sizeIn);
47    char x = *q; // expected-warning {{Memory is never released; potential leak of memory pointed to by 'q'}}
48  }
49}
50
51int *realloctest1() {
52  int *q = malloc(12);
53  q = realloc(q, 20);
54  return q; // no warning - returning the allocated value
55}
56
57// p should be freed if realloc fails.
58void reallocFails() {
59  char *p = malloc(12);
60  char *r = realloc(p, 12+1);
61  if (!r) {
62    free(p);
63  } else {
64    free(r);
65  }
66}
67
68void reallocSizeZero1() {
69  char *p = malloc(12);
70  char *r = realloc(p, 0);
71  if (!r) {
72    free(p); // expected-warning {{Attempt to free released memory}}
73  } else {
74    free(r);
75  }
76}
77
78void reallocSizeZero2() {
79  char *p = malloc(12);
80  char *r = realloc(p, 0);
81  if (!r) {
82    free(p); // expected-warning {{Attempt to free released memory}}
83  } else {
84    free(r);
85  }
86  free(p); // expected-warning {{Attempt to free released memory}}
87}
88
89void reallocSizeZero3() {
90  char *p = malloc(12);
91  char *r = realloc(p, 0);
92  free(r);
93}
94
95void reallocSizeZero4() {
96  char *r = realloc(0, 0);
97  free(r);
98}
99
100void reallocSizeZero5() {
101  char *r = realloc(0, 0);
102}
103
104void reallocPtrZero1() {
105  char *r = realloc(0, 12); // expected-warning {{Memory is never released; potential leak of memory pointed to by 'r'}}
106}
107
108void reallocPtrZero2() {
109  char *r = realloc(0, 12);
110  if (r)
111    free(r);
112}
113
114void reallocPtrZero3() {
115  char *r = realloc(0, 12);
116  free(r);
117}
118
119void reallocRadar6337483_1() {
120    char *buf = malloc(100);
121    buf = (char*)realloc(buf, 0x1000000);
122    if (!buf) {
123        return;// expected-warning {{Memory is never released; potential leak}}
124    }
125    free(buf);
126}
127
128void reallocRadar6337483_2() {
129    char *buf = malloc(100);
130    char *buf2 = (char*)realloc(buf, 0x1000000);
131    if (!buf2) { // expected-warning {{Memory is never released; potential leak}}
132      ;
133    } else {
134      free(buf2);
135    }
136}
137
138void reallocRadar6337483_3() {
139    char * buf = malloc(100);
140    char * tmp;
141    tmp = (char*)realloc(buf, 0x1000000);
142    if (!tmp) {
143        free(buf);
144        return;
145    }
146    buf = tmp;
147    free(buf);
148}
149
150void reallocRadar6337483_4() {
151    char *buf = malloc(100);
152    char *buf2 = (char*)realloc(buf, 0x1000000);
153    if (!buf2) {
154      return;  // expected-warning {{Memory is never released; potential leak}}
155    } else {
156      free(buf2);
157    }
158}
159
160int *reallocfTest1() {
161  int *q = malloc(12);
162  q = reallocf(q, 20);
163  return q; // no warning - returning the allocated value
164}
165
166void reallocfRadar6337483_4() {
167    char *buf = malloc(100);
168    char *buf2 = (char*)reallocf(buf, 0x1000000);
169    if (!buf2) {
170      return;  // no warning - reallocf frees even on failure
171    } else {
172      free(buf2);
173    }
174}
175
176void reallocfRadar6337483_3() {
177    char * buf = malloc(100);
178    char * tmp;
179    tmp = (char*)reallocf(buf, 0x1000000);
180    if (!tmp) {
181        free(buf); // expected-warning {{Attempt to free released memory}}
182        return;
183    }
184    buf = tmp;
185    free(buf);
186}
187
188void reallocfPtrZero1() {
189  char *r = reallocf(0, 12); // expected-warning {{Memory is never released; potential leak}}
190}
191
192
193// This case tests that storing malloc'ed memory to a static variable which is
194// then returned is not leaked.  In the absence of known contracts for functions
195// or inter-procedural analysis, this is a conservative answer.
196int *f3() {
197  static int *p = 0;
198  p = malloc(12);
199  return p; // no-warning
200}
201
202// This case tests that storing malloc'ed memory to a static global variable
203// which is then returned is not leaked.  In the absence of known contracts for
204// functions or inter-procedural analysis, this is a conservative answer.
205static int *p_f4 = 0;
206int *f4() {
207  p_f4 = malloc(12);
208  return p_f4; // no-warning
209}
210
211int *f5() {
212  int *q = malloc(12);
213  q = realloc(q, 20);
214  return q; // no-warning
215}
216
217void f6() {
218  int *p = malloc(12);
219  if (!p)
220    return; // no-warning
221  else
222    free(p);
223}
224
225void f6_realloc() {
226  int *p = malloc(12);
227  if (!p)
228    return; // no-warning
229  else
230    realloc(p,0);
231}
232
233
234char *doit2();
235void pr6069() {
236  char *buf = doit2();
237  free(buf);
238}
239
240void pr6293() {
241  free(0);
242}
243
244void f7() {
245  char *x = (char*) malloc(4);
246  free(x);
247  x[0] = 'a'; // expected-warning{{Use of memory after it is freed}}
248}
249
250void f8() {
251  char *x = (char*) malloc(4);
252  free(x);
253  char *y = strndup(x, 4); // expected-warning{{Use of memory after it is freed}}
254}
255
256void f7_realloc() {
257  char *x = (char*) malloc(4);
258  realloc(x,0);
259  x[0] = 'a'; // expected-warning{{Use of memory after it is freed}}
260}
261
262void PR6123() {
263  int *x = malloc(11); // expected-warning{{Cast a region whose size is not a multiple of the destination type size}}
264}
265
266void PR7217() {
267  int *buf = malloc(2); // expected-warning{{Cast a region whose size is not a multiple of the destination type size}}
268  buf[1] = 'c'; // not crash
269}
270
271void mallocCastToVoid() {
272  void *p = malloc(2);
273  const void *cp = p; // not crash
274  free(p);
275}
276
277void mallocCastToFP() {
278  void *p = malloc(2);
279  void (*fp)() = p; // not crash
280  free(p);
281}
282
283// This tests that malloc() buffers are undefined by default
284char mallocGarbage () {
285	char *buf = malloc(2);
286	char result = buf[1]; // expected-warning{{undefined}}
287	free(buf);
288	return result;
289}
290
291// This tests that calloc() buffers need to be freed
292void callocNoFree () {
293  char *buf = calloc(2,2);
294  return; // expected-warning{{never released}}
295}
296
297// These test that calloc() buffers are zeroed by default
298char callocZeroesGood () {
299	char *buf = calloc(2,2);
300	char result = buf[3]; // no-warning
301	if (buf[1] == 0) {
302	  free(buf);
303	}
304	return result; // no-warning
305}
306
307char callocZeroesBad () {
308	char *buf = calloc(2,2);
309	char result = buf[3]; // no-warning
310	if (buf[1] != 0) {
311	  free(buf); // expected-warning{{never executed}}
312	}
313	return result; // expected-warning{{never released}}
314}
315
316void nullFree() {
317  int *p = 0;
318  free(p); // no warning - a nop
319}
320
321void paramFree(int *p) {
322  myfoo(p);
323  free(p); // no warning
324  myfoo(p); // expected-warning {{Use of memory after it is freed}}
325}
326
327int* mallocEscapeRet() {
328  int *p = malloc(12);
329  return p; // no warning
330}
331
332void mallocEscapeFoo() {
333  int *p = malloc(12);
334  myfoo(p);
335  return; // no warning
336}
337
338void mallocEscapeFree() {
339  int *p = malloc(12);
340  myfoo(p);
341  free(p);
342}
343
344void mallocEscapeFreeFree() {
345  int *p = malloc(12);
346  myfoo(p);
347  free(p);
348  free(p); // expected-warning{{Attempt to free released memory}}
349}
350
351void mallocEscapeFreeUse() {
352  int *p = malloc(12);
353  myfoo(p);
354  free(p);
355  myfoo(p); // expected-warning{{Use of memory after it is freed}}
356}
357
358int *myalloc();
359void myalloc2(int **p);
360
361void mallocEscapeFreeCustomAlloc() {
362  int *p = malloc(12);
363  myfoo(p);
364  free(p);
365  p = myalloc();
366  free(p); // no warning
367}
368
369void mallocEscapeFreeCustomAlloc2() {
370  int *p = malloc(12);
371  myfoo(p);
372  free(p);
373  myalloc2(&p);
374  free(p); // no warning
375}
376
377void mallocBindFreeUse() {
378  int *x = malloc(12);
379  int *y = x;
380  free(y);
381  myfoo(x); // expected-warning{{Use of memory after it is freed}}
382}
383
384void mallocEscapeMalloc() {
385  int *p = malloc(12);
386  myfoo(p);
387  p = malloc(12); // expected-warning{{Memory is never released; potential leak}}
388}
389
390void mallocMalloc() {
391  int *p = malloc(12);
392  p = malloc(12); // expected-warning {{Memory is never released; potential leak}}
393}
394
395void mallocFreeMalloc() {
396  int *p = malloc(12);
397  free(p);
398  p = malloc(12);
399  free(p);
400}
401
402void mallocFreeUse_params() {
403  int *p = malloc(12);
404  free(p);
405  myfoo(p); //expected-warning{{Use of memory after it is freed}}
406}
407
408void mallocFreeUse_params2() {
409  int *p = malloc(12);
410  free(p);
411  myfooint(*p); //expected-warning{{Use of memory after it is freed}}
412}
413
414void mallocFailedOrNot() {
415  int *p = malloc(12);
416  if (!p)
417    free(p);
418  else
419    free(p);
420}
421
422struct StructWithInt {
423  int g;
424};
425
426int *mallocReturnFreed() {
427  int *p = malloc(12);
428  free(p);
429  return p; // expected-warning {{Use of memory after it is freed}}
430}
431
432int useAfterFreeStruct() {
433  struct StructWithInt *px= malloc(sizeof(struct StructWithInt));
434  px->g = 5;
435  free(px);
436  return px->g; // expected-warning {{Use of memory after it is freed}}
437}
438
439void nonSymbolAsFirstArg(int *pp, struct StructWithInt *p);
440
441void mallocEscapeFooNonSymbolArg() {
442  struct StructWithInt *p = malloc(sizeof(struct StructWithInt));
443  nonSymbolAsFirstArg(&p->g, p);
444  return; // no warning
445}
446
447void mallocFailedOrNotLeak() {
448  int *p = malloc(12);
449  if (p == 0)
450    return; // no warning
451  else
452    return; // expected-warning {{Memory is never released; potential leak}}
453}
454
455void mallocAssignment() {
456  char *p = malloc(12);
457  p = fooRetPtr(); // expected-warning {{leak}}
458}
459
460int vallocTest() {
461  char *mem = valloc(12);
462  return 0; // expected-warning {{Memory is never released; potential leak}}
463}
464
465void vallocEscapeFreeUse() {
466  int *p = valloc(12);
467  myfoo(p);
468  free(p);
469  myfoo(p); // expected-warning{{Use of memory after it is freed}}
470}
471
472int *Gl;
473struct GlStTy {
474  int *x;
475};
476
477struct GlStTy GlS = {0};
478
479void GlobalFree() {
480  free(Gl);
481}
482
483void GlobalMalloc() {
484  Gl = malloc(12);
485}
486
487void GlobalStructMalloc() {
488  int *a = malloc(12);
489  GlS.x = a;
490}
491
492void GlobalStructMallocFree() {
493  int *a = malloc(12);
494  GlS.x = a;
495  free(GlS.x);
496}
497
498char *ArrayG[12];
499
500void globalArrayTest() {
501  char *p = (char*)malloc(12);
502  ArrayG[0] = p;
503}
504
505// Make sure that we properly handle a pointer stored into a local struct/array.
506typedef struct _StructWithPtr {
507  int *memP;
508} StructWithPtr;
509
510static StructWithPtr arrOfStructs[10];
511
512void testMalloc() {
513  int *x = malloc(12);
514  StructWithPtr St;
515  St.memP = x;
516  arrOfStructs[0] = St; // no-warning
517}
518
519StructWithPtr testMalloc2() {
520  int *x = malloc(12);
521  StructWithPtr St;
522  St.memP = x;
523  return St; // no-warning
524}
525
526int *testMalloc3() {
527  int *x = malloc(12);
528  int *y = x;
529  return y; // no-warning
530}
531
532void testStructLeak() {
533  StructWithPtr St;
534  St.memP = malloc(12);
535  return; // expected-warning {{Memory is never released; potential leak of memory pointed to by 'St.memP'}}
536}
537
538void testElemRegion1() {
539  char *x = (void*)malloc(2);
540  int *ix = (int*)x;
541  free(&(x[0]));
542}
543
544void testElemRegion2(int **pp) {
545  int *p = malloc(12);
546  *pp = p;
547  free(pp[0]);
548}
549
550void testElemRegion3(int **pp) {
551  int *p = malloc(12);
552  *pp = p;
553  free(*pp);
554}
555// Region escape testing.
556
557unsigned takePtrToPtr(int **p);
558void PassTheAddrOfAllocatedData(int f) {
559  int *p = malloc(12);
560  // We don't know what happens after the call. Should stop tracking here.
561  if (takePtrToPtr(&p))
562    f++;
563  free(p); // no warning
564}
565
566struct X {
567  int *p;
568};
569unsigned takePtrToStruct(struct X *s);
570int ** foo2(int *g, int f) {
571  int *p = malloc(12);
572  struct X *px= malloc(sizeof(struct X));
573  px->p = p;
574  // We don't know what happens after this call. Should not track px nor p.
575  if (takePtrToStruct(px))
576    f++;
577  free(p);
578  return 0;
579}
580
581struct X* RegInvalidationDetect1(struct X *s2) {
582  struct X *px= malloc(sizeof(struct X));
583  px->p = 0;
584  px = s2;
585  return px; // expected-warning {{Memory is never released; potential leak}}
586}
587
588struct X* RegInvalidationGiveUp1() {
589  int *p = malloc(12);
590  struct X *px= malloc(sizeof(struct X));
591  px->p = p;
592  return px;
593}
594
595int **RegInvalidationDetect2(int **pp) {
596  int *p = malloc(12);
597  pp = &p;
598  pp++;
599  return 0;// expected-warning {{Memory is never released; potential leak}}
600}
601
602extern void exit(int) __attribute__ ((__noreturn__));
603void mallocExit(int *g) {
604  struct xx *p = malloc(12);
605  if (g != 0)
606    exit(1);
607  free(p);
608  return;
609}
610
611extern void __assert_fail (__const char *__assertion, __const char *__file,
612    unsigned int __line, __const char *__function)
613     __attribute__ ((__noreturn__));
614#define assert(expr) \
615  ((expr)  ? (void)(0)  : __assert_fail (#expr, __FILE__, __LINE__, __func__))
616void mallocAssert(int *g) {
617  struct xx *p = malloc(12);
618
619  assert(g != 0);
620  free(p);
621  return;
622}
623
624void doNotInvalidateWhenPassedToSystemCalls(char *s) {
625  char *p = malloc(12);
626  strlen(p);
627  strcpy(p, s); // expected-warning {{leak}}
628}
629
630// Rely on the CString checker evaluation of the strcpy API to convey that the result of strcpy is equal to p.
631void symbolLostWithStrcpy(char *s) {
632  char *p = malloc(12);
633  p = strcpy(p, s);
634  free(p);
635}
636
637
638// The same test as the one above, but with what is actually generated on a mac.
639static __inline char *
640__inline_strcpy_chk (char *restrict __dest, const char *restrict __src)
641{
642  return __builtin___strcpy_chk (__dest, __src, __builtin_object_size (__dest, 2 > 1));
643}
644
645void symbolLostWithStrcpy_InlineStrcpyVersion(char *s) {
646  char *p = malloc(12);
647  p = ((__builtin_object_size (p, 0) != (size_t) -1) ? __builtin___strcpy_chk (p, s, __builtin_object_size (p, 2 > 1)) : __inline_strcpy_chk (p, s));
648  free(p);
649}
650
651// Here we are returning a pointer one past the allocated value. An idiom which
652// can be used for implementing special malloc. The correct uses of this might
653// be rare enough so that we could keep this as a warning.
654static void *specialMalloc(int n){
655  int *p;
656  p = malloc( n+8 );
657  if( p ){
658    p[0] = n;
659    p++;
660  }
661  return p;
662}
663
664// Potentially, the user could free the struct by performing pointer arithmetic on the return value.
665// This is a variation of the specialMalloc issue, though probably would be more rare in correct code.
666int *specialMallocWithStruct() {
667  struct StructWithInt *px= malloc(sizeof(struct StructWithInt));
668  return &(px->g);
669}
670
671// Test various allocation/deallocation functions.
672void testStrdup(const char *s, unsigned validIndex) {
673  char *s2 = strdup(s);
674  s2[validIndex + 1] = 'b';// expected-warning {{Memory is never released; potential leak}}
675}
676
677int testStrndup(const char *s, unsigned validIndex, unsigned size) {
678  char *s2 = strndup(s, size);
679  s2 [validIndex + 1] = 'b';
680  if (s2[validIndex] != 'a')
681    return 0;
682  else
683    return 1;// expected-warning {{Memory is never released; potential leak}}
684}
685
686void testStrdupContentIsDefined(const char *s, unsigned validIndex) {
687  char *s2 = strdup(s);
688  char result = s2[1];// no warning
689  free(s2);
690}
691
692// ----------------------------------------------------------------------------
693// Test the system library functions to which the pointer can escape.
694// This tests false positive suppression.
695
696// For now, we assume memory passed to pthread_specific escapes.
697// TODO: We could check that if a new pthread binding is set, the existing
698// binding must be freed; otherwise, a memory leak can occur.
699void testPthereadSpecificEscape(pthread_key_t key) {
700  void *buf = malloc(12);
701  pthread_setspecific(key, buf); // no warning
702}
703
704// PR12101: Test funopen().
705static int releasePtr(void *_ctx) {
706    free(_ctx);
707    return 0;
708}
709FILE *useFunOpen() {
710    void *ctx = malloc(sizeof(int));
711    FILE *f = funopen(ctx, 0, 0, 0, releasePtr); // no warning
712    if (f == 0) {
713        free(ctx);
714    }
715    return f;
716}
717FILE *useFunOpenNoReleaseFunction() {
718    void *ctx = malloc(sizeof(int));
719    FILE *f = funopen(ctx, 0, 0, 0, 0);
720    if (f == 0) {
721        free(ctx);
722    }
723    return f; // expected-warning{{leak}}
724}
725
726static int readNothing(void *_ctx, char *buf, int size) {
727  return 0;
728}
729FILE *useFunOpenReadNoRelease() {
730  void *ctx = malloc(sizeof(int));
731  FILE *f = funopen(ctx, readNothing, 0, 0, 0);
732  if (f == 0) {
733    free(ctx);
734  }
735  return f; // expected-warning{{leak}}
736}
737
738// Test setbuf, setvbuf.
739int my_main_no_warning() {
740    char *p = malloc(100);
741    setvbuf(stdout, p, 0, 100);
742    return 0;
743}
744int my_main_no_warning2() {
745    char *p = malloc(100);
746    setbuf(__stdoutp, p);
747    return 0;
748}
749int my_main_warn(FILE *f) {
750    char *p = malloc(100);
751    setvbuf(f, p, 0, 100);
752    return 0;// expected-warning {{leak}}
753}
754
755// <rdar://problem/10978247>.
756// some people use stack allocated memory as an optimization to avoid
757// a heap allocation for small work sizes.  This tests the analyzer's
758// understanding that the malloc'ed memory is not the same as stackBuffer.
759void radar10978247(int myValueSize) {
760  char stackBuffer[128];
761  char *buffer;
762
763  if (myValueSize <= sizeof(stackBuffer))
764    buffer = stackBuffer;
765  else
766    buffer = malloc(myValueSize);
767
768  // do stuff with the buffer
769  if (buffer != stackBuffer)
770    free(buffer);
771}
772
773void radar10978247_positive(int myValueSize) {
774  char stackBuffer[128];
775  char *buffer;
776
777  if (myValueSize <= sizeof(stackBuffer))
778    buffer = stackBuffer;
779  else
780    buffer = malloc(myValueSize);
781
782  // do stuff with the buffer
783  if (buffer == stackBuffer) // expected-warning {{leak}}
784    return;
785}
786
787// <rdar://problem/11269741> Previously this triggered a false positive
788// because malloc() is known to return uninitialized memory and the binding
789// of 'o' to 'p->n' was not getting propertly handled.  Now we report a leak.
790struct rdar11269741_a_t {
791  struct rdar11269741_b_t {
792    int m;
793  } n;
794};
795
796int rdar11269741(struct rdar11269741_b_t o)
797{
798  struct rdar11269741_a_t *p = (struct rdar11269741_a_t *) malloc(sizeof(*p));
799  p->n = o;
800  return p->n.m; // expected-warning {{leak}}
801}
802
803// Pointer arithmetic, returning an ElementRegion.
804void *radar11329382(unsigned bl) {
805  void *ptr = malloc (16);
806  ptr = ptr + (2 - bl);
807  return ptr; // no warning
808}
809
810void __assert_rtn(const char *, const char *, int, const char *) __attribute__((__noreturn__));
811int strcmp(const char *, const char *);
812char *a (void);
813void radar11270219(void) {
814  char *x = a(), *y = a();
815  (__builtin_expect(!(x && y), 0) ? __assert_rtn(__func__, "/Users/zaks/tmp/ex.c", 24, "x && y") : (void)0);
816  strcmp(x, y); // no warning
817}
818
819void radar_11358224_test_double_assign_ints_positive_2()
820{
821  void *ptr = malloc(16);
822  ptr = ptr; // expected-warning {{leak}}
823}
824
825// Assume that functions which take a function pointer can free memory even if
826// they are defined in system headers and take the const pointer to the
827// allocated memory. (radar://11160612)
828int const_ptr_and_callback(int, const char*, int n, void(*)(void*));
829void r11160612_1() {
830  char *x = malloc(12);
831  const_ptr_and_callback(0, x, 12, free); // no - warning
832}
833
834// Null is passed as callback.
835void r11160612_2() {
836  char *x = malloc(12);
837  const_ptr_and_callback(0, x, 12, 0); // expected-warning {{leak}}
838}
839
840// Callback is passed to a function defined in a system header.
841void r11160612_4() {
842  char *x = malloc(12);
843  sqlite3_bind_text_my(0, x, 12, free); // no - warning
844}
845
846// Passing callbacks in a struct.
847void r11160612_5(StWithCallback St) {
848  void *x = malloc(12);
849  dealocateMemWhenDoneByVal(x, St);
850}
851void r11160612_6(StWithCallback St) {
852  void *x = malloc(12);
853  dealocateMemWhenDoneByRef(&St, x);
854}
855
856int mySub(int, int);
857int myAdd(int, int);
858int fPtr(unsigned cond, int x) {
859  return (cond ? mySub : myAdd)(x, x);
860}
861
862// Test anti-aliasing.
863
864void dependsOnValueOfPtr(int *g, unsigned f) {
865  int *p;
866
867  if (f) {
868    p = g;
869  } else {
870    p = malloc(12);
871  }
872
873  if (p != g)
874    free(p);
875  else
876    return; // no warning
877  return;
878}
879
880int CMPRegionHeapToStack() {
881  int x = 0;
882  int *x1 = malloc(8);
883  int *x2 = &x;
884  clang_analyzer_eval(x1 == x2); // expected-warning{{FALSE}}
885  free(x1);
886  return x;
887}
888
889int CMPRegionHeapToHeap2() {
890  int x = 0;
891  int *x1 = malloc(8);
892  int *x2 = malloc(8);
893  int *x4 = x1;
894  int *x5 = x2;
895  clang_analyzer_eval(x4 == x5); // expected-warning{{FALSE}}
896  free(x1);
897  free(x2);
898  return x;
899}
900
901int CMPRegionHeapToHeap() {
902  int x = 0;
903  int *x1 = malloc(8);
904  int *x4 = x1;
905  if (x1 == x4) {
906    free(x1);
907    return 5/x; // expected-warning{{Division by zero}}
908  }
909  return x;// expected-warning{{This statement is never executed}}
910}
911
912int HeapAssignment() {
913  int m = 0;
914  int *x = malloc(4);
915  int *y = x;
916  *x = 5;
917  clang_analyzer_eval(*x != *y); // expected-warning{{FALSE}}
918  free(x);
919  return 0;
920}
921
922int *retPtr();
923int *retPtrMightAlias(int *x);
924int cmpHeapAllocationToUnknown() {
925  int zero = 0;
926  int *yBefore = retPtr();
927  int *m = malloc(8);
928  int *yAfter = retPtrMightAlias(m);
929  clang_analyzer_eval(yBefore == m); // expected-warning{{FALSE}}
930  clang_analyzer_eval(yAfter == m); // expected-warning{{FALSE}}
931  free(m);
932  return 0;
933}
934
935void localArrayTest() {
936  char *p = (char*)malloc(12);
937  char *ArrayL[12];
938  ArrayL[0] = p; // expected-warning {{leak}}
939}
940
941void localStructTest() {
942  StructWithPtr St;
943  StructWithPtr *pSt = &St;
944  pSt->memP = malloc(12); // expected-warning{{Memory is never released; potential leak}}
945}
946
947// Test double assignment through integers.
948static long glob;
949void test_double_assign_ints()
950{
951  void *ptr = malloc (16);  // no-warning
952  glob = (long)(unsigned long)ptr;
953}
954
955void test_double_assign_ints_positive()
956{
957  void *ptr = malloc(16);
958  (void*)(long)(unsigned long)ptr; // expected-warning {{unused}} expected-warning {{leak}}
959}
960
961
962void testCGContextNoLeak()
963{
964  void *ptr = malloc(16);
965  CGContextRef context = CGBitmapContextCreate(ptr);
966
967  // Because you can get the data back out like this, even much later,
968  // CGBitmapContextCreate is one of our "stop-tracking" exceptions.
969  free(CGBitmapContextGetData(context));
970}
971
972void testCGContextLeak()
973{
974  void *ptr = malloc(16);
975  CGContextRef context = CGBitmapContextCreate(ptr);
976  // However, this time we're just leaking the data, because the context
977  // object doesn't escape and it hasn't been freed in this function.
978}
979
980// Allow xpc context to escape. radar://11635258
981// TODO: Would be great if we checked that the finalize_connection_context actually releases it.
982static void finalize_connection_context(void *ctx) {
983  int *context = ctx;
984  free(context);
985}
986void foo (xpc_connection_t peer) {
987  int *ctx = calloc(1, sizeof(int));
988  xpc_connection_set_context(peer, ctx);
989  xpc_connection_set_finalizer_f(peer, finalize_connection_context);
990  xpc_connection_resume(peer);
991}
992
993// Make sure we catch errors when we free in a function which does not allocate memory.
994void freeButNoMalloc(int *p, int x){
995  if (x) {
996    free(p);
997    //user forgot a return here.
998  }
999  free(p); // expected-warning {{Attempt to free released memory}}
1000}
1001
1002struct HasPtr {
1003  char *p;
1004};
1005
1006char* reallocButNoMalloc(struct HasPtr *a, int c, int size) {
1007  int *s;
1008  char *b = realloc(a->p, size);
1009  char *m = realloc(a->p, size); // expected-warning {{Attempt to free released memory}}
1010  return a->p;
1011}
1012
1013// We should not warn in this case since the caller will presumably free a->p in all cases.
1014int reallocButNoMallocPR13674(struct HasPtr *a, int c, int size) {
1015  int *s;
1016  char *b = realloc(a->p, size);
1017  if (b == 0)
1018    return -1;
1019  a->p = b;
1020  return 0;
1021}
1022
1023// ----------------------------------------------------------------------------
1024// False negatives.
1025
1026// TODO: This is another false negative.
1027void testMallocWithParam(int **p) {
1028  *p = (int*) malloc(sizeof(int));
1029  *p = 0;
1030}
1031
1032void testMallocWithParam_2(int **p) {
1033  *p = (int*) malloc(sizeof(int));
1034}
1035