malloc-annotations.c revision b98c6fe8877b809d4da3020692c9b38f972b92cf 
1// RUN: %clang_cc1 -analyze -analyzer-checker=core,alpha.deadcode.UnreachableCode,alpha.core.CastSize,alpha.unix.MallocWithAnnotations -analyzer-store=region -verify %s
2typedef __typeof(sizeof(int)) size_t;
3void *malloc(size_t);
4void free(void *);
5void *realloc(void *ptr, size_t size);
6void *calloc(size_t nmemb, size_t size);
7void __attribute((ownership_returns(malloc))) *my_malloc(size_t);
8void __attribute((ownership_takes(malloc, 1))) my_free(void *);
9void my_freeBoth(void *, void *)
10       __attribute((ownership_holds(malloc, 1, 2)));
11void __attribute((ownership_returns(malloc, 1))) *my_malloc2(size_t);
12void __attribute((ownership_holds(malloc, 1))) my_hold(void *);
13
14// Duplicate attributes are silly, but not an error.
15// Duplicate attribute has no extra effect.
16// If two are of different kinds, that is an error and reported as such.
17void __attribute((ownership_holds(malloc, 1)))
18__attribute((ownership_holds(malloc, 1)))
19__attribute((ownership_holds(malloc, 3))) my_hold2(void *, void *, void *);
20void *my_malloc3(size_t);
21void *myglobalpointer;
22struct stuff {
23  void *somefield;
24};
25struct stuff myglobalstuff;
26
27void f1() {
28  int *p = malloc(12);
29  return; // expected-warning{{Memory is never released; potential leak}}
30}
31
32void f2() {
33  int *p = malloc(12);
34  free(p);
35  free(p); // expected-warning{{Attempt to free released memory}}
36}
37
38void f2_realloc_0() {
39  int *p = malloc(12);
40  realloc(p,0);
41  realloc(p,0); // expected-warning{{Attempt to free released memory}}
42}
43
44void f2_realloc_1() {
45  int *p = malloc(12);
46  int *q = realloc(p,0); // no-warning
47}
48
49// ownership attributes tests
50void naf1() {
51  int *p = my_malloc3(12);
52  return; // no-warning
53}
54
55void n2af1() {
56  int *p = my_malloc2(12);
57  return; // expected-warning{{Memory is never released; potential leak}}
58}
59
60void af1() {
61  int *p = my_malloc(12);
62  return; // expected-warning{{Memory is never released; potential leak}}
63}
64
65void af1_b() {
66  int *p = my_malloc(12);
67} // expected-warning{{Memory is never released; potential leak}}
68
69void af1_c() {
70  myglobalpointer = my_malloc(12); // no-warning
71}
72
73// Test that we can pass out allocated memory via pointer-to-pointer.
74void af1_e(void **pp) {
75  *pp = my_malloc(42); // no-warning
76}
77
78void af1_f(struct stuff *somestuff) {
79  somestuff->somefield = my_malloc(12); // no-warning
80}
81
82// Allocating memory for a field via multiple indirections to our arguments is OK.
83void af1_g(struct stuff **pps) {
84  *pps = my_malloc(sizeof(struct stuff)); // no-warning
85  (*pps)->somefield = my_malloc(42); // no-warning
86}
87
88void af2() {
89  int *p = my_malloc(12);
90  my_free(p);
91  free(p); // expected-warning{{Attempt to free released memory}}
92}
93
94void af2b() {
95  int *p = my_malloc(12);
96  free(p);
97  my_free(p); // expected-warning{{Attempt to free released memory}}
98}
99
100void af2c() {
101  int *p = my_malloc(12);
102  free(p);
103  my_hold(p); // expected-warning{{Attempt to free released memory}}
104}
105
106void af2d() {
107  int *p = my_malloc(12);
108  free(p);
109  my_hold2(0, 0, p); // expected-warning{{Attempt to free released memory}}
110}
111
112// No leak if malloc returns null.
113void af2e() {
114  int *p = my_malloc(12);
115  if (!p)
116    return; // no-warning
117  free(p); // no-warning
118}
119
120// This case inflicts a possible double-free.
121void af3() {
122  int *p = my_malloc(12);
123  my_hold(p);
124  free(p); // expected-warning{{Attempt to free non-owned memory}}
125}
126
127int * af4() {
128  int *p = my_malloc(12);
129  my_free(p);
130  return p; // expected-warning{{Use of memory after it is freed}}
131}
132
133// This case is (possibly) ok, be conservative
134int * af5() {
135  int *p = my_malloc(12);
136  my_hold(p);
137  return p; // no-warning
138}
139
140
141
142// This case tests that storing malloc'ed memory to a static variable which is
143// then returned is not leaked.  In the absence of known contracts for functions
144// or inter-procedural analysis, this is a conservative answer.
145int *f3() {
146  static int *p = 0;
147  p = malloc(12);
148  return p; // no-warning
149}
150
151// This case tests that storing malloc'ed memory to a static global variable
152// which is then returned is not leaked.  In the absence of known contracts for
153// functions or inter-procedural analysis, this is a conservative answer.
154static int *p_f4 = 0;
155int *f4() {
156  p_f4 = malloc(12);
157  return p_f4; // no-warning
158}
159
160int *f5() {
161  int *q = malloc(12);
162  q = realloc(q, 20);
163  return q; // no-warning
164}
165
166void f6() {
167  int *p = malloc(12);
168  if (!p)
169    return; // no-warning
170  else
171    free(p);
172}
173
174void f6_realloc() {
175  int *p = malloc(12);
176  if (!p)
177    return; // no-warning
178  else
179    realloc(p,0);
180}
181
182
183char *doit2();
184void pr6069() {
185  char *buf = doit2();
186  free(buf);
187}
188
189void pr6293() {
190  free(0);
191}
192
193void f7() {
194  char *x = (char*) malloc(4);
195  free(x);
196  x[0] = 'a'; // expected-warning{{Use of memory after it is freed}}
197}
198
199void f7_realloc() {
200  char *x = (char*) malloc(4);
201  realloc(x,0);
202  x[0] = 'a'; // expected-warning{{Use of memory after it is freed}}
203}
204
205void PR6123() {
206  int *x = malloc(11); // expected-warning{{Cast a region whose size is not a multiple of the destination type size}}
207}
208
209void PR7217() {
210  int *buf = malloc(2); // expected-warning{{Cast a region whose size is not a multiple of the destination type size}}
211  buf[1] = 'c'; // not crash
212}
213
214void mallocCastToVoid() {
215  void *p = malloc(2);
216  const void *cp = p; // not crash
217  free(p);
218}
219
220void mallocCastToFP() {
221  void *p = malloc(2);
222  void (*fp)() = p; // not crash
223  free(p);
224}
225
226// This tests that malloc() buffers are undefined by default
227char mallocGarbage () {
228  char *buf = malloc(2);
229  char result = buf[1]; // expected-warning{{undefined}}
230  free(buf);
231  return result;
232}
233
234// This tests that calloc() buffers need to be freed
235void callocNoFree () {
236  char *buf = calloc(2,2);
237  return; // expected-warning{{never released}}
238}
239
240// These test that calloc() buffers are zeroed by default
241char callocZeroesGood () {
242  char *buf = calloc(2,2);
243  char result = buf[3]; // no-warning
244  if (buf[1] == 0) {
245    free(buf);
246  }
247  return result; // no-warning
248}
249
250char callocZeroesBad () {
251  char *buf = calloc(2,2);
252  char result = buf[3]; // no-warning
253  if (buf[1] != 0) {
254    free(buf); // expected-warning{{never executed}}
255  }
256  return result; // expected-warning{{never released}}
257}
258
259void testMultipleFreeAnnotations() {
260  int *p = malloc(12);
261  int *q = malloc(12);
262  my_freeBoth(p, q);
263}
264
265// ----------------------------------------------------------------------------
266
267// False negatives.
268
269// Pending on removal of the escaping on assignment to struct fields.
270void af1_d() {
271  struct stuff mystuff;
272  mystuff.somefield = my_malloc(12);
273} // missing warning
274
275
276