malloc-annotations.c revision 0860cd0646ed40f87085df39563f2c5f7f77750b 
1// RUN: %clang_cc1 -analyze -analyzer-checker=core,experimental.deadcode.UnreachableCode,experimental.core.CastSize,experimental.unix.MallocWithAnnotations -analyzer-store=region -verify %s
2typedef __typeof(sizeof(int)) size_t;
3void *malloc(size_t);
4void free(void *);
5void *realloc(void *ptr, size_t size);
6void *calloc(size_t nmemb, size_t size);
7void __attribute((ownership_returns(malloc))) *my_malloc(size_t);
8void __attribute((ownership_takes(malloc, 1))) my_free(void *);
9void __attribute((ownership_returns(malloc, 1))) *my_malloc2(size_t);
10void __attribute((ownership_holds(malloc, 1))) my_hold(void *);
11
12// Duplicate attributes are silly, but not an error.
13// Duplicate attribute has no extra effect.
14// If two are of different kinds, that is an error and reported as such.
15void __attribute((ownership_holds(malloc, 1)))
16__attribute((ownership_holds(malloc, 1)))
17__attribute((ownership_holds(malloc, 3))) my_hold2(void *, void *, void *);
18void *my_malloc3(size_t);
19void *myglobalpointer;
20struct stuff {
21  void *somefield;
22};
23struct stuff myglobalstuff;
24
25void f1() {
26  int *p = malloc(12);
27  return; // expected-warning{{Allocated memory never released. Potential memory leak.}}
28}
29
30void f2() {
31  int *p = malloc(12);
32  free(p);
33  free(p); // expected-warning{{Try to free a memory block that has been released}}
34}
35
36void f2_realloc_0() {
37  int *p = malloc(12);
38  realloc(p,0);
39  realloc(p,0); // expected-warning{{Try to free a memory block that has been released}}
40}
41
42void f2_realloc_1() {
43  int *p = malloc(12);
44  int *q = realloc(p,0); // no-warning
45}
46
47// ownership attributes tests
48void naf1() {
49  int *p = my_malloc3(12);
50  return; // no-warning
51}
52
53void n2af1() {
54  int *p = my_malloc2(12);
55  return; // expected-warning{{Allocated memory never released. Potential memory leak.}}
56}
57
58void af1() {
59  int *p = my_malloc(12);
60  return; // expected-warning{{Allocated memory never released. Potential memory leak.}}
61}
62
63void af1_b() {
64  int *p = my_malloc(12); // expected-warning{{Allocated memory never released. Potential memory leak.}}
65}
66
67void af1_c() {
68  myglobalpointer = my_malloc(12); // no-warning
69}
70
71void af1_d() {
72  struct stuff mystuff;
73  mystuff.somefield = my_malloc(12); // expected-warning{{Allocated memory never released. Potential memory leak.}}
74}
75
76// Test that we can pass out allocated memory via pointer-to-pointer.
77void af1_e(void **pp) {
78  *pp = my_malloc(42); // no-warning
79}
80
81void af1_f(struct stuff *somestuff) {
82  somestuff->somefield = my_malloc(12); // no-warning
83}
84
85// Allocating memory for a field via multiple indirections to our arguments is OK.
86void af1_g(struct stuff **pps) {
87  *pps = my_malloc(sizeof(struct stuff)); // no-warning
88  (*pps)->somefield = my_malloc(42); // no-warning
89}
90
91void af2() {
92  int *p = my_malloc(12);
93  my_free(p);
94  free(p); // expected-warning{{Try to free a memory block that has been released}}
95}
96
97void af2b() {
98  int *p = my_malloc(12);
99  free(p);
100  my_free(p); // expected-warning{{Try to free a memory block that has been released}}
101}
102
103void af2c() {
104  int *p = my_malloc(12);
105  free(p);
106  my_hold(p); // expected-warning{{Try to free a memory block that has been released}}
107}
108
109void af2d() {
110  int *p = my_malloc(12);
111  free(p);
112  my_hold2(0, 0, p); // expected-warning{{Try to free a memory block that has been released}}
113}
114
115// No leak if malloc returns null.
116void af2e() {
117  int *p = my_malloc(12);
118  if (!p)
119    return; // no-warning
120  free(p); // no-warning
121}
122
123// This case would inflict a double-free elsewhere.
124// However, this case is considered an analyzer bug since it causes false-positives.
125void af3() {
126  int *p = my_malloc(12);
127  my_hold(p);
128  free(p); // no-warning
129}
130
131int * af4() {
132  int *p = my_malloc(12);
133  my_free(p);
134  return p; // expected-warning{{Use of dynamically allocated}}
135}
136
137// This case is (possibly) ok, be conservative
138int * af5() {
139  int *p = my_malloc(12);
140  my_hold(p);
141  return p; // no-warning
142}
143
144
145
146// This case tests that storing malloc'ed memory to a static variable which is
147// then returned is not leaked.  In the absence of known contracts for functions
148// or inter-procedural analysis, this is a conservative answer.
149int *f3() {
150  static int *p = 0;
151  p = malloc(12);
152  return p; // no-warning
153}
154
155// This case tests that storing malloc'ed memory to a static global variable
156// which is then returned is not leaked.  In the absence of known contracts for
157// functions or inter-procedural analysis, this is a conservative answer.
158static int *p_f4 = 0;
159int *f4() {
160  p_f4 = malloc(12);
161  return p_f4; // no-warning
162}
163
164int *f5() {
165  int *q = malloc(12);
166  q = realloc(q, 20);
167  return q; // no-warning
168}
169
170void f6() {
171  int *p = malloc(12);
172  if (!p)
173    return; // no-warning
174  else
175    free(p);
176}
177
178void f6_realloc() {
179  int *p = malloc(12);
180  if (!p)
181    return; // no-warning
182  else
183    realloc(p,0);
184}
185
186
187char *doit2();
188void pr6069() {
189  char *buf = doit2();
190  free(buf);
191}
192
193void pr6293() {
194  free(0);
195}
196
197void f7() {
198  char *x = (char*) malloc(4);
199  free(x);
200  x[0] = 'a'; // expected-warning{{Use of dynamically allocated memory after it is freed.}}
201}
202
203void f7_realloc() {
204  char *x = (char*) malloc(4);
205  realloc(x,0);
206  x[0] = 'a'; // expected-warning{{Use of dynamically allocated memory after it is freed.}}
207}
208
209void PR6123() {
210  int *x = malloc(11); // expected-warning{{Cast a region whose size is not a multiple of the destination type size.}}
211}
212
213void PR7217() {
214  int *buf = malloc(2); // expected-warning{{Cast a region whose size is not a multiple of the destination type size.}}
215  buf[1] = 'c'; // not crash
216}
217
218void mallocCastToVoid() {
219  void *p = malloc(2);
220  const void *cp = p; // not crash
221  free(p);
222}
223
224void mallocCastToFP() {
225  void *p = malloc(2);
226  void (*fp)() = p; // not crash
227  free(p);
228}
229
230// This tests that malloc() buffers are undefined by default
231char mallocGarbage () {
232  char *buf = malloc(2);
233  char result = buf[1]; // expected-warning{{undefined}}
234  free(buf);
235  return result;
236}
237
238// This tests that calloc() buffers need to be freed
239void callocNoFree () {
240  char *buf = calloc(2,2);
241  return; // expected-warning{{never released}}
242}
243
244// These test that calloc() buffers are zeroed by default
245char callocZeroesGood () {
246  char *buf = calloc(2,2);
247  char result = buf[3]; // no-warning
248  if (buf[1] == 0) {
249    free(buf);
250  }
251  return result; // no-warning
252}
253
254char callocZeroesBad () {
255  char *buf = calloc(2,2);
256  char result = buf[3]; // no-warning
257  if (buf[1] != 0) {
258    free(buf); // expected-warning{{never executed}}
259  }
260  return result; // expected-warning{{never released}}
261}
262