1// RUN: %clang_cc1 -analyze -analyzer-checker=unix.Malloc -analyzer-inline-max-stack-depth=5 -verify %s 2 3#include "Inputs/system-header-simulator.h" 4 5void *malloc(size_t); 6void *valloc(size_t); 7void free(void *); 8void *realloc(void *ptr, size_t size); 9void *reallocf(void *ptr, size_t size); 10void *calloc(size_t nmemb, size_t size); 11 12void exit(int) __attribute__ ((__noreturn__)); 13void *memcpy(void * restrict s1, const void * restrict s2, size_t n); 14size_t strlen(const char *); 15 16static void my_malloc1(void **d, size_t size) { 17 *d = malloc(size); 18} 19 20static void *my_malloc2(int elevel, size_t size) { 21 void *data; 22 data = malloc(size); 23 if (data == 0) 24 exit(0); 25 return data; 26} 27 28static void my_free1(void *p) { 29 free(p); 30} 31 32static void test1() { 33 void *data = 0; 34 my_malloc1(&data, 4); 35} // expected-warning {{Potential leak of memory pointed to by 'data'}} 36 37static void test11() { 38 void *data = 0; 39 my_malloc1(&data, 4); 40 my_free1(data); 41} 42 43static void testUniqueingByallocationSiteInTopLevelFunction() { 44 void *data = my_malloc2(1, 4); 45 data = 0; 46 int x = 5;// expected-warning {{Potential leak of memory pointed to by 'data'}} 47 data = my_malloc2(1, 4); 48} // expected-warning {{Potential leak of memory pointed to by 'data'}} 49 50static void test3() { 51 void *data = my_malloc2(1, 4); 52 free(data); 53 data = my_malloc2(1, 4); 54 free(data); 55} 56 57int test4() { 58 int *data = (int*)my_malloc2(1, 4); 59 my_free1(data); 60 data = (int *)my_malloc2(1, 4); 61 my_free1(data); 62 return *data; // expected-warning {{Use of memory after it is freed}} 63} 64 65void test6() { 66 int *data = (int *)my_malloc2(1, 4); 67 my_free1((int*)data); 68 my_free1((int*)data); // expected-warning{{Use of memory after it is freed}} 69} 70 71// TODO: We should warn here. 72void test5() { 73 int *data; 74 my_free1((int*)data); 75} 76 77static char *reshape(char *in) { 78 return 0; 79} 80 81void testThatRemoveDeadBindingsRunBeforeEachCall() { 82 char *v = malloc(12); 83 v = reshape(v); 84 v = reshape(v);// expected-warning {{Potential leak of memory pointed to by 'v'}} 85} 86 87// Test that we keep processing after 'return;' 88void fooWithEmptyReturn(int x) { 89 if (x) 90 return; 91 x++; 92 return; 93} 94 95int uafAndCallsFooWithEmptyReturn() { 96 int *x = (int*)malloc(12); 97 free(x); 98 fooWithEmptyReturn(12); 99 return *x; // expected-warning {{Use of memory after it is freed}} 100} 101 102 103// If we inline any of the malloc-family functions, the checker shouldn't also 104// try to do additional modeling. <rdar://problem/12317671> 105char *strndup(const char *str, size_t n) { 106 if (!str) 107 return 0; 108 109 // DO NOT FIX. This is to test that we are actually using the inlined 110 // behavior! 111 if (n < 5) 112 return 0; 113 114 size_t length = strlen(str); 115 if (length < n) 116 n = length; 117 118 char *result = malloc(n + 1); 119 memcpy(result, str, n); 120 result[n] = '\0'; 121 return result; 122} 123 124void useStrndup(size_t n) { 125 if (n == 0) { 126 (void)strndup(0, 20); // no-warning 127 return; 128 } else if (n < 5) { 129 (void)strndup("hi there", n); // no-warning 130 return; 131 } else { 132 (void)strndup("hi there", n); 133 return; // expected-warning{{leak}} 134 } 135} 136