1// RUN: %clang_cc1 -analyze -analyzer-checker=core,alpha.deadcode.UnreachableCode,alpha.core.CastSize,unix.Malloc,debug.ExprInspection -analyzer-store=region -verify %s 2 3#include "Inputs/system-header-simulator.h" 4 5void clang_analyzer_eval(int); 6 7typedef __typeof(sizeof(int)) size_t; 8void *malloc(size_t); 9void *alloca(size_t); 10void *valloc(size_t); 11void free(void *); 12void *realloc(void *ptr, size_t size); 13void *reallocf(void *ptr, size_t size); 14void *calloc(size_t nmemb, size_t size); 15char *strdup(const char *s); 16char *strndup(const char *s, size_t n); 17int memcmp(const void *s1, const void *s2, size_t n); 18 19void myfoo(int *p); 20void myfooint(int p); 21char *fooRetPtr(); 22 23void f1() { 24 int *p = malloc(12); 25 return; // expected-warning{{Potential leak of memory pointed to by 'p'}} 26} 27 28void f2() { 29 int *p = malloc(12); 30 free(p); 31 free(p); // expected-warning{{Attempt to free released memory}} 32} 33 34void f2_realloc_0() { 35 int *p = malloc(12); 36 realloc(p,0); 37 realloc(p,0); // expected-warning{{Attempt to free released memory}} 38} 39 40void f2_realloc_1() { 41 int *p = malloc(12); 42 int *q = realloc(p,0); // no-warning 43} 44 45void reallocNotNullPtr(unsigned sizeIn) { 46 unsigned size = 12; 47 char *p = (char*)malloc(size); 48 if (p) { 49 char *q = (char*)realloc(p, sizeIn); 50 char x = *q; // expected-warning {{Potential leak of memory pointed to by 'q'}} 51 } 52} 53 54void allocaTest() { 55 int *p = alloca(sizeof(int)); 56} // no warn 57 58void allocaBuiltinTest() { 59 int *p = __builtin_alloca(sizeof(int)); 60} // no warn 61 62int *realloctest1() { 63 int *q = malloc(12); 64 q = realloc(q, 20); 65 return q; // no warning - returning the allocated value 66} 67 68// p should be freed if realloc fails. 69void reallocFails() { 70 char *p = malloc(12); 71 char *r = realloc(p, 12+1); 72 if (!r) { 73 free(p); 74 } else { 75 free(r); 76 } 77} 78 79void reallocSizeZero1() { 80 char *p = malloc(12); 81 char *r = realloc(p, 0); 82 if (!r) { 83 free(p); // expected-warning {{Attempt to free released memory}} 84 } else { 85 free(r); 86 } 87} 88 89void reallocSizeZero2() { 90 char *p = malloc(12); 91 char *r = realloc(p, 0); 92 if (!r) { 93 free(p); // expected-warning {{Attempt to free released memory}} 94 } else { 95 free(r); 96 } 97 free(p); // expected-warning {{Attempt to free released memory}} 98} 99 100void reallocSizeZero3() { 101 char *p = malloc(12); 102 char *r = realloc(p, 0); 103 free(r); 104} 105 106void reallocSizeZero4() { 107 char *r = realloc(0, 0); 108 free(r); 109} 110 111void reallocSizeZero5() { 112 char *r = realloc(0, 0); 113} 114 115void reallocPtrZero1() { 116 char *r = realloc(0, 12); 117} // expected-warning {{Potential leak of memory pointed to by 'r'}} 118 119void reallocPtrZero2() { 120 char *r = realloc(0, 12); 121 if (r) 122 free(r); 123} 124 125void reallocPtrZero3() { 126 char *r = realloc(0, 12); 127 free(r); 128} 129 130void reallocRadar6337483_1() { 131 char *buf = malloc(100); 132 buf = (char*)realloc(buf, 0x1000000); 133 if (!buf) { 134 return;// expected-warning {{Potential leak of memory pointed to by}} 135 } 136 free(buf); 137} 138 139void reallocRadar6337483_2() { 140 char *buf = malloc(100); 141 char *buf2 = (char*)realloc(buf, 0x1000000); 142 if (!buf2) { 143 ; 144 } else { 145 free(buf2); 146 } 147} // expected-warning {{Potential leak of memory pointed to by}} 148 149void reallocRadar6337483_3() { 150 char * buf = malloc(100); 151 char * tmp; 152 tmp = (char*)realloc(buf, 0x1000000); 153 if (!tmp) { 154 free(buf); 155 return; 156 } 157 buf = tmp; 158 free(buf); 159} 160 161void reallocRadar6337483_4() { 162 char *buf = malloc(100); 163 char *buf2 = (char*)realloc(buf, 0x1000000); 164 if (!buf2) { 165 return; // expected-warning {{Potential leak of memory pointed to by}} 166 } else { 167 free(buf2); 168 } 169} 170 171int *reallocfTest1() { 172 int *q = malloc(12); 173 q = reallocf(q, 20); 174 return q; // no warning - returning the allocated value 175} 176 177void reallocfRadar6337483_4() { 178 char *buf = malloc(100); 179 char *buf2 = (char*)reallocf(buf, 0x1000000); 180 if (!buf2) { 181 return; // no warning - reallocf frees even on failure 182 } else { 183 free(buf2); 184 } 185} 186 187void reallocfRadar6337483_3() { 188 char * buf = malloc(100); 189 char * tmp; 190 tmp = (char*)reallocf(buf, 0x1000000); 191 if (!tmp) { 192 free(buf); // expected-warning {{Attempt to free released memory}} 193 return; 194 } 195 buf = tmp; 196 free(buf); 197} 198 199void reallocfPtrZero1() { 200 char *r = reallocf(0, 12); 201} // expected-warning {{Potential leak of memory pointed to by}} 202 203//------------------- Check usage of zero-allocated memory --------------------- 204void CheckUseZeroAllocatedNoWarn1() { 205 int *p = malloc(0); 206 free(p); // no warning 207} 208 209void CheckUseZeroAllocatedNoWarn2() { 210 int *p = alloca(0); // no warning 211} 212 213void CheckUseZeroAllocatedNoWarn3() { 214 int *p = malloc(0); 215 int *q = realloc(p, 8); // no warning 216 free(q); 217} 218 219void CheckUseZeroAllocatedNoWarn4() { 220 int *p = realloc(0, 8); 221 *p = 1; // no warning 222 free(p); 223} 224 225void CheckUseZeroAllocated1() { 226 int *p = malloc(0); 227 *p = 1; // expected-warning {{Use of zero-allocated memory}} 228 free(p); 229} 230 231char CheckUseZeroAllocated2() { 232 char *p = alloca(0); 233 return *p; // expected-warning {{Use of zero-allocated memory}} 234} 235 236void UseZeroAllocated(int *p) { 237 if (p) 238 *p = 7; // expected-warning {{Use of zero-allocated memory}} 239} 240void CheckUseZeroAllocated3() { 241 int *p = malloc(0); 242 UseZeroAllocated(p); 243} 244 245void f(char); 246void CheckUseZeroAllocated4() { 247 char *p = valloc(0); 248 f(*p); // expected-warning {{Use of zero-allocated memory}} 249 free(p); 250} 251 252void CheckUseZeroAllocated5() { 253 int *p = calloc(0, 2); 254 *p = 1; // expected-warning {{Use of zero-allocated memory}} 255 free(p); 256} 257 258void CheckUseZeroAllocated6() { 259 int *p = calloc(2, 0); 260 *p = 1; // expected-warning {{Use of zero-allocated memory}} 261 free(p); 262} 263 264void CheckUseZeroAllocated7() { 265 int *p = realloc(0, 0); 266 *p = 1; //TODO: warn about use of zero-allocated memory 267 free(p); 268} 269 270void CheckUseZeroAllocated8() { 271 int *p = malloc(8); 272 int *q = realloc(p, 0); 273 *q = 1; //TODO: warn about use of zero-allocated memory 274 free(q); 275} 276 277void CheckUseZeroAllocated9() { 278 int *p = realloc(0, 0); 279 int *q = realloc(p, 0); 280 *q = 1; //TODO: warn about use of zero-allocated memory 281 free(q); 282} 283 284void CheckUseZeroAllocatedPathNoWarn(_Bool b) { 285 int s = 0; 286 if (b) 287 s= 10; 288 289 char *p = malloc(s); 290 291 if (b) 292 *p = 1; // no warning 293 294 free(p); 295} 296 297void CheckUseZeroAllocatedPathWarn(_Bool b) { 298 int s = 10; 299 if (b) 300 s= 0; 301 302 char *p = malloc(s); 303 304 if (b) 305 *p = 1; // expected-warning {{Use of zero-allocated memory}} 306 307 free(p); 308} 309 310// This case tests that storing malloc'ed memory to a static variable which is 311// then returned is not leaked. In the absence of known contracts for functions 312// or inter-procedural analysis, this is a conservative answer. 313int *f3() { 314 static int *p = 0; 315 p = malloc(12); 316 return p; // no-warning 317} 318 319// This case tests that storing malloc'ed memory to a static global variable 320// which is then returned is not leaked. In the absence of known contracts for 321// functions or inter-procedural analysis, this is a conservative answer. 322static int *p_f4 = 0; 323int *f4() { 324 p_f4 = malloc(12); 325 return p_f4; // no-warning 326} 327 328int *f5() { 329 int *q = malloc(12); 330 q = realloc(q, 20); 331 return q; // no-warning 332} 333 334void f6() { 335 int *p = malloc(12); 336 if (!p) 337 return; // no-warning 338 else 339 free(p); 340} 341 342void f6_realloc() { 343 int *p = malloc(12); 344 if (!p) 345 return; // no-warning 346 else 347 realloc(p,0); 348} 349 350 351char *doit2(); 352void pr6069() { 353 char *buf = doit2(); 354 free(buf); 355} 356 357void pr6293() { 358 free(0); 359} 360 361void f7() { 362 char *x = (char*) malloc(4); 363 free(x); 364 x[0] = 'a'; // expected-warning{{Use of memory after it is freed}} 365} 366 367void f8() { 368 char *x = (char*) malloc(4); 369 free(x); 370 char *y = strndup(x, 4); // expected-warning{{Use of memory after it is freed}} 371} 372 373void f7_realloc() { 374 char *x = (char*) malloc(4); 375 realloc(x,0); 376 x[0] = 'a'; // expected-warning{{Use of memory after it is freed}} 377} 378 379void PR6123() { 380 int *x = malloc(11); // expected-warning{{Cast a region whose size is not a multiple of the destination type size}} 381} 382 383void PR7217() { 384 int *buf = malloc(2); // expected-warning{{Cast a region whose size is not a multiple of the destination type size}} 385 buf[1] = 'c'; // not crash 386} 387 388void cast_emtpy_struct() { 389 struct st { 390 }; 391 392 struct st *s = malloc(sizeof(struct st)); // no-warning 393 free(s); 394} 395 396void cast_struct_1() { 397 struct st { 398 int i[100]; 399 char j[]; 400 }; 401 402 struct st *s = malloc(sizeof(struct st)); // no-warning 403 free(s); 404} 405 406void cast_struct_2() { 407 struct st { 408 int i[100]; 409 char j[0]; 410 }; 411 412 struct st *s = malloc(sizeof(struct st)); // no-warning 413 free(s); 414} 415 416void cast_struct_3() { 417 struct st { 418 int i[100]; 419 char j[1]; 420 }; 421 422 struct st *s = malloc(sizeof(struct st)); // no-warning 423 free(s); 424} 425 426void cast_struct_4() { 427 struct st { 428 int i[100]; 429 char j[2]; 430 }; 431 432 struct st *s = malloc(sizeof(struct st)); // no-warning 433 free(s); 434} 435 436void cast_struct_5() { 437 struct st { 438 char i[200]; 439 char j[1]; 440 }; 441 442 struct st *s = malloc(sizeof(struct st) - sizeof(char)); // no-warning 443 free(s); 444} 445 446void cast_struct_warn_1() { 447 struct st { 448 int i[100]; 449 char j[2]; 450 }; 451 452 struct st *s = malloc(sizeof(struct st) + 2); // expected-warning{{Cast a region whose size is not a multiple of the destination type size}} 453 free(s); 454} 455 456void cast_struct_warn_2() { 457 struct st { 458 int i[100]; 459 char j[2]; 460 }; 461 462 struct st *s = malloc(2); // expected-warning{{Cast a region whose size is not a multiple of the destination type size}} 463 free(s); 464} 465 466void cast_struct_flex_array_1() { 467 struct st { 468 int i[100]; 469 char j[]; 470 }; 471 472 struct st *s = malloc(sizeof(struct st) + 3); // no-warning 473 free(s); 474} 475 476void cast_struct_flex_array_2() { 477 struct st { 478 int i[100]; 479 char j[0]; 480 }; 481 482 struct st *s = malloc(sizeof(struct st) + 3); // no-warning 483 free(s); 484} 485 486void cast_struct_flex_array_3() { 487 struct st { 488 int i[100]; 489 char j[1]; 490 }; 491 492 struct st *s = malloc(sizeof(struct st) + 3); // no-warning 493 free(s); 494} 495 496void cast_struct_flex_array_4() { 497 struct foo { 498 char f[32]; 499 }; 500 struct st { 501 char i[100]; 502 struct foo data[]; 503 }; 504 505 struct st *s = malloc(sizeof(struct st) + 3 * sizeof(struct foo)); // no-warning 506 free(s); 507} 508 509void cast_struct_flex_array_5() { 510 struct foo { 511 char f[32]; 512 }; 513 struct st { 514 char i[100]; 515 struct foo data[0]; 516 }; 517 518 struct st *s = malloc(sizeof(struct st) + 3 * sizeof(struct foo)); // no-warning 519 free(s); 520} 521 522void cast_struct_flex_array_6() { 523 struct foo { 524 char f[32]; 525 }; 526 struct st { 527 char i[100]; 528 struct foo data[1]; 529 }; 530 531 struct st *s = malloc(sizeof(struct st) + 3 * sizeof(struct foo)); // no-warning 532 free(s); 533} 534 535void cast_struct_flex_array_warn_1() { 536 struct foo { 537 char f[32]; 538 }; 539 struct st { 540 char i[100]; 541 struct foo data[]; 542 }; 543 544 struct st *s = malloc(3 * sizeof(struct st) + 3 * sizeof(struct foo)); // expected-warning{{Cast a region whose size is not a multiple of the destination type size}} 545 free(s); 546} 547 548void cast_struct_flex_array_warn_2() { 549 struct foo { 550 char f[32]; 551 }; 552 struct st { 553 char i[100]; 554 struct foo data[0]; 555 }; 556 557 struct st *s = malloc(3 * sizeof(struct st) + 3 * sizeof(struct foo)); // expected-warning{{Cast a region whose size is not a multiple of the destination type size}} 558 free(s); 559} 560 561void cast_struct_flex_array_warn_3() { 562 struct foo { 563 char f[32]; 564 }; 565 struct st { 566 char i[100]; 567 struct foo data[1]; 568 }; 569 570 struct st *s = malloc(3 * sizeof(struct st) + 3 * sizeof(struct foo)); // expected-warning{{Cast a region whose size is not a multiple of the destination type size}} 571 free(s); 572} 573 574void cast_struct_flex_array_warn_4() { 575 struct st { 576 int i[100]; 577 int j[]; 578 }; 579 580 struct st *s = malloc(sizeof(struct st) + 3); // expected-warning{{Cast a region whose size is not a multiple of the destination type size}} 581 free(s); 582} 583 584void cast_struct_flex_array_warn_5() { 585 struct st { 586 int i[100]; 587 int j[0]; 588 }; 589 590 struct st *s = malloc(sizeof(struct st) + 3); // expected-warning{{Cast a region whose size is not a multiple of the destination type size}} 591 free(s); 592} 593 594void cast_struct_flex_array_warn_6() { 595 struct st { 596 int i[100]; 597 int j[1]; 598 }; 599 600 struct st *s = malloc(sizeof(struct st) + 3); // expected-warning{{Cast a region whose size is not a multiple of the destination type size}} 601 free(s); 602} 603 604void mallocCastToVoid() { 605 void *p = malloc(2); 606 const void *cp = p; // not crash 607 free(p); 608} 609 610void mallocCastToFP() { 611 void *p = malloc(2); 612 void (*fp)() = p; // not crash 613 free(p); 614} 615 616// This tests that malloc() buffers are undefined by default 617char mallocGarbage () { 618 char *buf = malloc(2); 619 char result = buf[1]; // expected-warning{{undefined}} 620 free(buf); 621 return result; 622} 623 624// This tests that calloc() buffers need to be freed 625void callocNoFree () { 626 char *buf = calloc(2,2); 627 return; // expected-warning{{Potential leak of memory pointed to by 'buf'}} 628} 629 630// These test that calloc() buffers are zeroed by default 631char callocZeroesGood () { 632 char *buf = calloc(2,2); 633 char result = buf[3]; // no-warning 634 if (buf[1] == 0) { 635 free(buf); 636 } 637 return result; // no-warning 638} 639 640char callocZeroesBad () { 641 char *buf = calloc(2,2); 642 char result = buf[3]; // no-warning 643 if (buf[1] != 0) { 644 free(buf); // expected-warning{{never executed}} 645 } 646 return result; // expected-warning{{Potential leak of memory pointed to by 'buf'}} 647} 648 649void nullFree() { 650 int *p = 0; 651 free(p); // no warning - a nop 652} 653 654void paramFree(int *p) { 655 myfoo(p); 656 free(p); // no warning 657 myfoo(p); // expected-warning {{Use of memory after it is freed}} 658} 659 660int* mallocEscapeRet() { 661 int *p = malloc(12); 662 return p; // no warning 663} 664 665void mallocEscapeFoo() { 666 int *p = malloc(12); 667 myfoo(p); 668 return; // no warning 669} 670 671void mallocEscapeFree() { 672 int *p = malloc(12); 673 myfoo(p); 674 free(p); 675} 676 677void mallocEscapeFreeFree() { 678 int *p = malloc(12); 679 myfoo(p); 680 free(p); 681 free(p); // expected-warning{{Attempt to free released memory}} 682} 683 684void mallocEscapeFreeUse() { 685 int *p = malloc(12); 686 myfoo(p); 687 free(p); 688 myfoo(p); // expected-warning{{Use of memory after it is freed}} 689} 690 691int *myalloc(); 692void myalloc2(int **p); 693 694void mallocEscapeFreeCustomAlloc() { 695 int *p = malloc(12); 696 myfoo(p); 697 free(p); 698 p = myalloc(); 699 free(p); // no warning 700} 701 702void mallocEscapeFreeCustomAlloc2() { 703 int *p = malloc(12); 704 myfoo(p); 705 free(p); 706 myalloc2(&p); 707 free(p); // no warning 708} 709 710void mallocBindFreeUse() { 711 int *x = malloc(12); 712 int *y = x; 713 free(y); 714 myfoo(x); // expected-warning{{Use of memory after it is freed}} 715} 716 717void mallocEscapeMalloc() { 718 int *p = malloc(12); 719 myfoo(p); 720 p = malloc(12); 721} // expected-warning{{Potential leak of memory pointed to by}} 722 723void mallocMalloc() { 724 int *p = malloc(12); 725 p = malloc(12); 726} // expected-warning {{Potential leak of memory pointed to by}} 727 728void mallocFreeMalloc() { 729 int *p = malloc(12); 730 free(p); 731 p = malloc(12); 732 free(p); 733} 734 735void mallocFreeUse_params() { 736 int *p = malloc(12); 737 free(p); 738 myfoo(p); //expected-warning{{Use of memory after it is freed}} 739} 740 741void mallocFreeUse_params2() { 742 int *p = malloc(12); 743 free(p); 744 myfooint(*p); //expected-warning{{Use of memory after it is freed}} 745} 746 747void mallocFailedOrNot() { 748 int *p = malloc(12); 749 if (!p) 750 free(p); 751 else 752 free(p); 753} 754 755struct StructWithInt { 756 int g; 757}; 758 759int *mallocReturnFreed() { 760 int *p = malloc(12); 761 free(p); 762 return p; // expected-warning {{Use of memory after it is freed}} 763} 764 765int useAfterFreeStruct() { 766 struct StructWithInt *px= malloc(sizeof(struct StructWithInt)); 767 px->g = 5; 768 free(px); 769 return px->g; // expected-warning {{Use of memory after it is freed}} 770} 771 772void nonSymbolAsFirstArg(int *pp, struct StructWithInt *p); 773 774void mallocEscapeFooNonSymbolArg() { 775 struct StructWithInt *p = malloc(sizeof(struct StructWithInt)); 776 nonSymbolAsFirstArg(&p->g, p); 777 return; // no warning 778} 779 780void mallocFailedOrNotLeak() { 781 int *p = malloc(12); 782 if (p == 0) 783 return; // no warning 784 else 785 return; // expected-warning {{Potential leak of memory pointed to by}} 786} 787 788void mallocAssignment() { 789 char *p = malloc(12); 790 p = fooRetPtr(); 791} // expected-warning {{leak}} 792 793int vallocTest() { 794 char *mem = valloc(12); 795 return 0; // expected-warning {{Potential leak of memory pointed to by}} 796} 797 798void vallocEscapeFreeUse() { 799 int *p = valloc(12); 800 myfoo(p); 801 free(p); 802 myfoo(p); // expected-warning{{Use of memory after it is freed}} 803} 804 805int *Gl; 806struct GlStTy { 807 int *x; 808}; 809 810struct GlStTy GlS = {0}; 811 812void GlobalFree() { 813 free(Gl); 814} 815 816void GlobalMalloc() { 817 Gl = malloc(12); 818} 819 820void GlobalStructMalloc() { 821 int *a = malloc(12); 822 GlS.x = a; 823} 824 825void GlobalStructMallocFree() { 826 int *a = malloc(12); 827 GlS.x = a; 828 free(GlS.x); 829} 830 831char *ArrayG[12]; 832 833void globalArrayTest() { 834 char *p = (char*)malloc(12); 835 ArrayG[0] = p; 836} 837 838// Make sure that we properly handle a pointer stored into a local struct/array. 839typedef struct _StructWithPtr { 840 int *memP; 841} StructWithPtr; 842 843static StructWithPtr arrOfStructs[10]; 844 845void testMalloc() { 846 int *x = malloc(12); 847 StructWithPtr St; 848 St.memP = x; 849 arrOfStructs[0] = St; // no-warning 850} 851 852StructWithPtr testMalloc2() { 853 int *x = malloc(12); 854 StructWithPtr St; 855 St.memP = x; 856 return St; // no-warning 857} 858 859int *testMalloc3() { 860 int *x = malloc(12); 861 int *y = x; 862 return y; // no-warning 863} 864 865void testStructLeak() { 866 StructWithPtr St; 867 St.memP = malloc(12); 868 return; // expected-warning {{Potential leak of memory pointed to by 'St.memP'}} 869} 870 871void testElemRegion1() { 872 char *x = (void*)malloc(2); 873 int *ix = (int*)x; 874 free(&(x[0])); 875} 876 877void testElemRegion2(int **pp) { 878 int *p = malloc(12); 879 *pp = p; 880 free(pp[0]); 881} 882 883void testElemRegion3(int **pp) { 884 int *p = malloc(12); 885 *pp = p; 886 free(*pp); 887} 888// Region escape testing. 889 890unsigned takePtrToPtr(int **p); 891void PassTheAddrOfAllocatedData(int f) { 892 int *p = malloc(12); 893 // We don't know what happens after the call. Should stop tracking here. 894 if (takePtrToPtr(&p)) 895 f++; 896 free(p); // no warning 897} 898 899struct X { 900 int *p; 901}; 902unsigned takePtrToStruct(struct X *s); 903int ** foo2(int *g, int f) { 904 int *p = malloc(12); 905 struct X *px= malloc(sizeof(struct X)); 906 px->p = p; 907 // We don't know what happens after this call. Should not track px nor p. 908 if (takePtrToStruct(px)) 909 f++; 910 free(p); 911 return 0; 912} 913 914struct X* RegInvalidationDetect1(struct X *s2) { 915 struct X *px= malloc(sizeof(struct X)); 916 px->p = 0; 917 px = s2; 918 return px; // expected-warning {{Potential leak of memory pointed to by}} 919} 920 921struct X* RegInvalidationGiveUp1() { 922 int *p = malloc(12); 923 struct X *px= malloc(sizeof(struct X)); 924 px->p = p; 925 return px; 926} 927 928int **RegInvalidationDetect2(int **pp) { 929 int *p = malloc(12); 930 pp = &p; 931 pp++; 932 return 0;// expected-warning {{Potential leak of memory pointed to by}} 933} 934 935extern void exit(int) __attribute__ ((__noreturn__)); 936void mallocExit(int *g) { 937 struct xx *p = malloc(12); 938 if (g != 0) 939 exit(1); 940 free(p); 941 return; 942} 943 944extern void __assert_fail (__const char *__assertion, __const char *__file, 945 unsigned int __line, __const char *__function) 946 __attribute__ ((__noreturn__)); 947#define assert(expr) \ 948 ((expr) ? (void)(0) : __assert_fail (#expr, __FILE__, __LINE__, __func__)) 949void mallocAssert(int *g) { 950 struct xx *p = malloc(12); 951 952 assert(g != 0); 953 free(p); 954 return; 955} 956 957void doNotInvalidateWhenPassedToSystemCalls(char *s) { 958 char *p = malloc(12); 959 strlen(p); 960 strcpy(p, s); 961 strcpy(s, p); 962 strcpy(p, p); 963 memcpy(p, s, 1); 964 memcpy(s, p, 1); 965 memcpy(p, p, 1); 966} // expected-warning {{leak}} 967 968// Treat source buffer contents as escaped. 969void escapeSourceContents(char *s) { 970 char *p = malloc(12); 971 memcpy(s, &p, 12); // no warning 972 973 void *p1 = malloc(7); 974 char *a; 975 memcpy(&a, &p1, sizeof a); 976 // FIXME: No warning due to limitations imposed by current modelling of 977 // 'memcpy' (regions metadata is not copied). 978 979 int *ptrs[2]; 980 int *allocated = (int *)malloc(4); 981 memcpy(&ptrs[0], &allocated, sizeof(int *)); 982 // FIXME: No warning due to limitations imposed by current modelling of 983 // 'memcpy' (regions metadata is not copied). 984} 985 986void invalidateDestinationContents() { 987 int *null = 0; 988 int *p = (int *)malloc(4); 989 memcpy(&p, &null, sizeof(int *)); 990 991 int *ptrs1[2]; // expected-warning {{Potential leak of memory pointed to by}} 992 ptrs1[0] = (int *)malloc(4); 993 memcpy(ptrs1, &null, sizeof(int *)); 994 995 int *ptrs2[2]; // expected-warning {{Potential memory leak}} 996 ptrs2[0] = (int *)malloc(4); 997 memcpy(&ptrs2[1], &null, sizeof(int *)); 998 999 int *ptrs3[2]; // expected-warning {{Potential memory leak}} 1000 ptrs3[0] = (int *)malloc(4); 1001 memcpy(&ptrs3[0], &null, sizeof(int *)); 1002} // expected-warning {{Potential memory leak}} 1003 1004// Rely on the CString checker evaluation of the strcpy API to convey that the result of strcpy is equal to p. 1005void symbolLostWithStrcpy(char *s) { 1006 char *p = malloc(12); 1007 p = strcpy(p, s); 1008 free(p); 1009} 1010 1011 1012// The same test as the one above, but with what is actually generated on a mac. 1013static __inline char * 1014__inline_strcpy_chk (char *restrict __dest, const char *restrict __src) 1015{ 1016 return __builtin___strcpy_chk (__dest, __src, __builtin_object_size (__dest, 2 > 1)); 1017} 1018 1019void symbolLostWithStrcpy_InlineStrcpyVersion(char *s) { 1020 char *p = malloc(12); 1021 p = ((__builtin_object_size (p, 0) != (size_t) -1) ? __builtin___strcpy_chk (p, s, __builtin_object_size (p, 2 > 1)) : __inline_strcpy_chk (p, s)); 1022 free(p); 1023} 1024 1025// Here we are returning a pointer one past the allocated value. An idiom which 1026// can be used for implementing special malloc. The correct uses of this might 1027// be rare enough so that we could keep this as a warning. 1028static void *specialMalloc(int n){ 1029 int *p; 1030 p = malloc( n+8 ); 1031 if( p ){ 1032 p[0] = n; 1033 p++; 1034 } 1035 return p; 1036} 1037 1038// Potentially, the user could free the struct by performing pointer arithmetic on the return value. 1039// This is a variation of the specialMalloc issue, though probably would be more rare in correct code. 1040int *specialMallocWithStruct() { 1041 struct StructWithInt *px= malloc(sizeof(struct StructWithInt)); 1042 return &(px->g); 1043} 1044 1045// Test various allocation/deallocation functions. 1046void testStrdup(const char *s, unsigned validIndex) { 1047 char *s2 = strdup(s); 1048 s2[validIndex + 1] = 'b'; 1049} // expected-warning {{Potential leak of memory pointed to by}} 1050 1051int testStrndup(const char *s, unsigned validIndex, unsigned size) { 1052 char *s2 = strndup(s, size); 1053 s2 [validIndex + 1] = 'b'; 1054 if (s2[validIndex] != 'a') 1055 return 0; 1056 else 1057 return 1;// expected-warning {{Potential leak of memory pointed to by}} 1058} 1059 1060void testStrdupContentIsDefined(const char *s, unsigned validIndex) { 1061 char *s2 = strdup(s); 1062 char result = s2[1];// no warning 1063 free(s2); 1064} 1065 1066// ---------------------------------------------------------------------------- 1067// Test the system library functions to which the pointer can escape. 1068// This tests false positive suppression. 1069 1070// For now, we assume memory passed to pthread_specific escapes. 1071// TODO: We could check that if a new pthread binding is set, the existing 1072// binding must be freed; otherwise, a memory leak can occur. 1073void testPthereadSpecificEscape(pthread_key_t key) { 1074 void *buf = malloc(12); 1075 pthread_setspecific(key, buf); // no warning 1076} 1077 1078// PR12101: Test funopen(). 1079static int releasePtr(void *_ctx) { 1080 free(_ctx); 1081 return 0; 1082} 1083FILE *useFunOpen() { 1084 void *ctx = malloc(sizeof(int)); 1085 FILE *f = funopen(ctx, 0, 0, 0, releasePtr); // no warning 1086 if (f == 0) { 1087 free(ctx); 1088 } 1089 return f; 1090} 1091FILE *useFunOpenNoReleaseFunction() { 1092 void *ctx = malloc(sizeof(int)); 1093 FILE *f = funopen(ctx, 0, 0, 0, 0); 1094 if (f == 0) { 1095 free(ctx); 1096 } 1097 return f; // expected-warning{{leak}} 1098} 1099 1100static int readNothing(void *_ctx, char *buf, int size) { 1101 return 0; 1102} 1103FILE *useFunOpenReadNoRelease() { 1104 void *ctx = malloc(sizeof(int)); 1105 FILE *f = funopen(ctx, readNothing, 0, 0, 0); 1106 if (f == 0) { 1107 free(ctx); 1108 } 1109 return f; // expected-warning{{leak}} 1110} 1111 1112// Test setbuf, setvbuf. 1113int my_main_no_warning() { 1114 char *p = malloc(100); 1115 setvbuf(stdout, p, 0, 100); 1116 return 0; 1117} 1118int my_main_no_warning2() { 1119 char *p = malloc(100); 1120 setbuf(__stdoutp, p); 1121 return 0; 1122} 1123int my_main_warn(FILE *f) { 1124 char *p = malloc(100); 1125 setvbuf(f, p, 0, 100); 1126 return 0;// expected-warning {{leak}} 1127} 1128 1129// <rdar://problem/10978247>. 1130// some people use stack allocated memory as an optimization to avoid 1131// a heap allocation for small work sizes. This tests the analyzer's 1132// understanding that the malloc'ed memory is not the same as stackBuffer. 1133void radar10978247(int myValueSize) { 1134 char stackBuffer[128]; 1135 char *buffer; 1136 1137 if (myValueSize <= sizeof(stackBuffer)) 1138 buffer = stackBuffer; 1139 else 1140 buffer = malloc(myValueSize); 1141 1142 // do stuff with the buffer 1143 if (buffer != stackBuffer) 1144 free(buffer); 1145} 1146 1147void radar10978247_positive(int myValueSize) { 1148 char stackBuffer[128]; 1149 char *buffer; 1150 1151 if (myValueSize <= sizeof(stackBuffer)) 1152 buffer = stackBuffer; 1153 else 1154 buffer = malloc(myValueSize); 1155 1156 // do stuff with the buffer 1157 if (buffer == stackBuffer) 1158 return; 1159 else 1160 return; // expected-warning {{leak}} 1161} 1162// <rdar://problem/11269741> Previously this triggered a false positive 1163// because malloc() is known to return uninitialized memory and the binding 1164// of 'o' to 'p->n' was not getting propertly handled. Now we report a leak. 1165struct rdar11269741_a_t { 1166 struct rdar11269741_b_t { 1167 int m; 1168 } n; 1169}; 1170 1171int rdar11269741(struct rdar11269741_b_t o) 1172{ 1173 struct rdar11269741_a_t *p = (struct rdar11269741_a_t *) malloc(sizeof(*p)); 1174 p->n = o; 1175 return p->n.m; // expected-warning {{leak}} 1176} 1177 1178// Pointer arithmetic, returning an ElementRegion. 1179void *radar11329382(unsigned bl) { 1180 void *ptr = malloc (16); 1181 ptr = ptr + (2 - bl); 1182 return ptr; // no warning 1183} 1184 1185void __assert_rtn(const char *, const char *, int, const char *) __attribute__((__noreturn__)); 1186int strcmp(const char *, const char *); 1187char *a (void); 1188void radar11270219(void) { 1189 char *x = a(), *y = a(); 1190 (__builtin_expect(!(x && y), 0) ? __assert_rtn(__func__, "/Users/zaks/tmp/ex.c", 24, "x && y") : (void)0); 1191 strcmp(x, y); // no warning 1192} 1193 1194void radar_11358224_test_double_assign_ints_positive_2() 1195{ 1196 void *ptr = malloc(16); 1197 ptr = ptr; 1198} // expected-warning {{leak}} 1199 1200// Assume that functions which take a function pointer can free memory even if 1201// they are defined in system headers and take the const pointer to the 1202// allocated memory. (radar://11160612) 1203int const_ptr_and_callback(int, const char*, int n, void(*)(void*)); 1204void r11160612_1() { 1205 char *x = malloc(12); 1206 const_ptr_and_callback(0, x, 12, free); // no - warning 1207} 1208 1209// Null is passed as callback. 1210void r11160612_2() { 1211 char *x = malloc(12); 1212 const_ptr_and_callback(0, x, 12, 0); 1213} // expected-warning {{leak}} 1214 1215// Callback is passed to a function defined in a system header. 1216void r11160612_4() { 1217 char *x = malloc(12); 1218 sqlite3_bind_text_my(0, x, 12, free); // no - warning 1219} 1220 1221// Passing callbacks in a struct. 1222void r11160612_5(StWithCallback St) { 1223 void *x = malloc(12); 1224 dealocateMemWhenDoneByVal(x, St); 1225} 1226void r11160612_6(StWithCallback St) { 1227 void *x = malloc(12); 1228 dealocateMemWhenDoneByRef(&St, x); 1229} 1230 1231int mySub(int, int); 1232int myAdd(int, int); 1233int fPtr(unsigned cond, int x) { 1234 return (cond ? mySub : myAdd)(x, x); 1235} 1236 1237// Test anti-aliasing. 1238 1239void dependsOnValueOfPtr(int *g, unsigned f) { 1240 int *p; 1241 1242 if (f) { 1243 p = g; 1244 } else { 1245 p = malloc(12); 1246 } 1247 1248 if (p != g) 1249 free(p); 1250 else 1251 return; // no warning 1252 return; 1253} 1254 1255int CMPRegionHeapToStack() { 1256 int x = 0; 1257 int *x1 = malloc(8); 1258 int *x2 = &x; 1259 clang_analyzer_eval(x1 == x2); // expected-warning{{FALSE}} 1260 free(x1); 1261 return x; 1262} 1263 1264int CMPRegionHeapToHeap2() { 1265 int x = 0; 1266 int *x1 = malloc(8); 1267 int *x2 = malloc(8); 1268 int *x4 = x1; 1269 int *x5 = x2; 1270 clang_analyzer_eval(x4 == x5); // expected-warning{{FALSE}} 1271 free(x1); 1272 free(x2); 1273 return x; 1274} 1275 1276int CMPRegionHeapToHeap() { 1277 int x = 0; 1278 int *x1 = malloc(8); 1279 int *x4 = x1; 1280 if (x1 == x4) { 1281 free(x1); 1282 return 5/x; // expected-warning{{Division by zero}} 1283 } 1284 return x;// expected-warning{{This statement is never executed}} 1285} 1286 1287int HeapAssignment() { 1288 int m = 0; 1289 int *x = malloc(4); 1290 int *y = x; 1291 *x = 5; 1292 clang_analyzer_eval(*x != *y); // expected-warning{{FALSE}} 1293 free(x); 1294 return 0; 1295} 1296 1297int *retPtr(); 1298int *retPtrMightAlias(int *x); 1299int cmpHeapAllocationToUnknown() { 1300 int zero = 0; 1301 int *yBefore = retPtr(); 1302 int *m = malloc(8); 1303 int *yAfter = retPtrMightAlias(m); 1304 clang_analyzer_eval(yBefore == m); // expected-warning{{FALSE}} 1305 clang_analyzer_eval(yAfter == m); // expected-warning{{FALSE}} 1306 free(m); 1307 return 0; 1308} 1309 1310void localArrayTest() { 1311 char *p = (char*)malloc(12); 1312 char *ArrayL[12]; 1313 ArrayL[0] = p; 1314} // expected-warning {{leak}} 1315 1316void localStructTest() { 1317 StructWithPtr St; 1318 StructWithPtr *pSt = &St; 1319 pSt->memP = malloc(12); 1320} // expected-warning{{Potential leak of memory pointed to by}} 1321 1322#ifdef __INTPTR_TYPE__ 1323// Test double assignment through integers. 1324typedef __INTPTR_TYPE__ intptr_t; 1325typedef unsigned __INTPTR_TYPE__ uintptr_t; 1326 1327static intptr_t glob; 1328void test_double_assign_ints() 1329{ 1330 void *ptr = malloc (16); // no-warning 1331 glob = (intptr_t)(uintptr_t)ptr; 1332} 1333 1334void test_double_assign_ints_positive() 1335{ 1336 void *ptr = malloc(16); 1337 (void*)(intptr_t)(uintptr_t)ptr; // expected-warning {{unused}} 1338} // expected-warning {{leak}} 1339#endif 1340 1341void testCGContextNoLeak() 1342{ 1343 void *ptr = malloc(16); 1344 CGContextRef context = CGBitmapContextCreate(ptr); 1345 1346 // Because you can get the data back out like this, even much later, 1347 // CGBitmapContextCreate is one of our "stop-tracking" exceptions. 1348 free(CGBitmapContextGetData(context)); 1349} 1350 1351void testCGContextLeak() 1352{ 1353 void *ptr = malloc(16); 1354 CGContextRef context = CGBitmapContextCreate(ptr); 1355 // However, this time we're just leaking the data, because the context 1356 // object doesn't escape and it hasn't been freed in this function. 1357} 1358 1359// Allow xpc context to escape. radar://11635258 1360// TODO: Would be great if we checked that the finalize_connection_context actually releases it. 1361static void finalize_connection_context(void *ctx) { 1362 int *context = ctx; 1363 free(context); 1364} 1365void foo (xpc_connection_t peer) { 1366 int *ctx = calloc(1, sizeof(int)); 1367 xpc_connection_set_context(peer, ctx); 1368 xpc_connection_set_finalizer_f(peer, finalize_connection_context); 1369 xpc_connection_resume(peer); 1370} 1371 1372// Make sure we catch errors when we free in a function which does not allocate memory. 1373void freeButNoMalloc(int *p, int x){ 1374 if (x) { 1375 free(p); 1376 //user forgot a return here. 1377 } 1378 free(p); // expected-warning {{Attempt to free released memory}} 1379} 1380 1381struct HasPtr { 1382 char *p; 1383}; 1384 1385char* reallocButNoMalloc(struct HasPtr *a, int c, int size) { 1386 int *s; 1387 char *b = realloc(a->p, size); 1388 char *m = realloc(a->p, size); // expected-warning {{Attempt to free released memory}} 1389 return a->p; 1390} 1391 1392// We should not warn in this case since the caller will presumably free a->p in all cases. 1393int reallocButNoMallocPR13674(struct HasPtr *a, int c, int size) { 1394 int *s; 1395 char *b = realloc(a->p, size); 1396 if (b == 0) 1397 return -1; 1398 a->p = b; 1399 return 0; 1400} 1401 1402// Test realloc with no visible malloc. 1403void *test(void *ptr) { 1404 void *newPtr = realloc(ptr, 4); 1405 if (newPtr == 0) { 1406 if (ptr) 1407 free(ptr); // no-warning 1408 } 1409 return newPtr; 1410} 1411 1412 1413char *testLeakWithinReturn(char *str) { 1414 return strdup(strdup(str)); // expected-warning{{leak}} 1415} 1416 1417void passConstPtr(const char * ptr); 1418 1419void testPassConstPointer() { 1420 char * string = malloc(sizeof(char)*10); 1421 passConstPtr(string); 1422 return; // expected-warning {{leak}} 1423} 1424 1425void testPassConstPointerIndirectly() { 1426 char *p = malloc(1); 1427 p++; 1428 memcmp(p, p, sizeof(&p)); 1429 return; // expected-warning {{leak}} 1430} 1431 1432void testPassConstPointerIndirectlyStruct() { 1433 struct HasPtr hp; 1434 hp.p = malloc(10); 1435 memcmp(&hp, &hp, sizeof(hp)); 1436 return; // expected-warning {{Potential leak of memory pointed to by 'hp.p'}} 1437} 1438 1439void testPassToSystemHeaderFunctionIndirectlyStruct() { 1440 SomeStruct ss; 1441 ss.p = malloc(1); 1442 fakeSystemHeaderCall(&ss); // invalidates ss, making ss.p unreachable 1443 // Technically a false negative here -- we know the system function won't free 1444 // ss.p, but nothing else will either! 1445} // no-warning 1446 1447void testPassToSystemHeaderFunctionIndirectlyStructFree() { 1448 SomeStruct ss; 1449 ss.p = malloc(1); 1450 fakeSystemHeaderCall(&ss); // invalidates ss, making ss.p unreachable 1451 free(ss.p); 1452} // no-warning 1453 1454void testPassToSystemHeaderFunctionIndirectlyArray() { 1455 int *p[1]; 1456 p[0] = malloc(sizeof(int)); 1457 fakeSystemHeaderCallIntPtr(p); // invalidates p, making p[0] unreachable 1458 // Technically a false negative here -- we know the system function won't free 1459 // p[0], but nothing else will either! 1460} // no-warning 1461 1462void testPassToSystemHeaderFunctionIndirectlyArrayFree() { 1463 int *p[1]; 1464 p[0] = malloc(sizeof(int)); 1465 fakeSystemHeaderCallIntPtr(p); // invalidates p, making p[0] unreachable 1466 free(p[0]); 1467} // no-warning 1468 1469int *testOffsetAllocate(size_t size) { 1470 int *memoryBlock = (int *)malloc(size + sizeof(int)); 1471 return &memoryBlock[1]; // no-warning 1472} 1473 1474void testOffsetDeallocate(int *memoryBlock) { 1475 free(&memoryBlock[-1]); // no-warning 1476} 1477 1478void testOffsetOfRegionFreed() { 1479 __int64_t * array = malloc(sizeof(__int64_t)*2); 1480 array += 1; 1481 free(&array[0]); // expected-warning{{Argument to free() is offset by 8 bytes from the start of memory allocated by malloc()}} 1482} 1483 1484void testOffsetOfRegionFreed2() { 1485 __int64_t *p = malloc(sizeof(__int64_t)*2); 1486 p += 1; 1487 free(p); // expected-warning{{Argument to free() is offset by 8 bytes from the start of memory allocated by malloc()}} 1488} 1489 1490void testOffsetOfRegionFreed3() { 1491 char *r = malloc(sizeof(char)); 1492 r = r - 10; 1493 free(r); // expected-warning {{Argument to free() is offset by -10 bytes from the start of memory allocated by malloc()}} 1494} 1495 1496void testOffsetOfRegionFreedAfterFunctionCall() { 1497 int *p = malloc(sizeof(int)*2); 1498 p += 1; 1499 myfoo(p); 1500 free(p); // expected-warning{{Argument to free() is offset by 4 bytes from the start of memory allocated by malloc()}} 1501} 1502 1503void testFixManipulatedPointerBeforeFree() { 1504 int * array = malloc(sizeof(int)*2); 1505 array += 1; 1506 free(&array[-1]); // no-warning 1507} 1508 1509void testFixManipulatedPointerBeforeFree2() { 1510 char *r = malloc(sizeof(char)); 1511 r = r + 10; 1512 free(r-10); // no-warning 1513} 1514 1515void freeOffsetPointerPassedToFunction() { 1516 __int64_t *p = malloc(sizeof(__int64_t)*2); 1517 p[1] = 0; 1518 p += 1; 1519 myfooint(*p); // not passing the pointer, only a value pointed by pointer 1520 free(p); // expected-warning {{Argument to free() is offset by 8 bytes from the start of memory allocated by malloc()}} 1521} 1522 1523int arbitraryInt(); 1524void freeUnknownOffsetPointer() { 1525 char *r = malloc(sizeof(char)); 1526 r = r + arbitraryInt(); // unable to reason about what the offset might be 1527 free(r); // no-warning 1528} 1529 1530void testFreeNonMallocPointerWithNoOffset() { 1531 char c; 1532 char *r = &c; 1533 r = r + 10; 1534 free(r-10); // expected-warning {{Argument to free() is the address of the local variable 'c', which is not memory allocated by malloc()}} 1535} 1536 1537void testFreeNonMallocPointerWithOffset() { 1538 char c; 1539 char *r = &c; 1540 free(r+1); // expected-warning {{Argument to free() is the address of the local variable 'c', which is not memory allocated by malloc()}} 1541} 1542 1543void testOffsetZeroDoubleFree() { 1544 int *array = malloc(sizeof(int)*2); 1545 int *p = &array[0]; 1546 free(p); 1547 free(&array[0]); // expected-warning{{Attempt to free released memory}} 1548} 1549 1550void testOffsetPassedToStrlen() { 1551 char * string = malloc(sizeof(char)*10); 1552 string += 1; 1553 int length = strlen(string); // expected-warning {{Potential leak of memory pointed to by 'string'}} 1554} 1555 1556void testOffsetPassedToStrlenThenFree() { 1557 char * string = malloc(sizeof(char)*10); 1558 string += 1; 1559 int length = strlen(string); 1560 free(string); // expected-warning {{Argument to free() is offset by 1 byte from the start of memory allocated by malloc()}} 1561} 1562 1563void testOffsetPassedAsConst() { 1564 char * string = malloc(sizeof(char)*10); 1565 string += 1; 1566 passConstPtr(string); 1567 free(string); // expected-warning {{Argument to free() is offset by 1 byte from the start of memory allocated by malloc()}} 1568} 1569 1570char **_vectorSegments; 1571int _nVectorSegments; 1572 1573void poolFreeC(void* s) { 1574 free(s); // no-warning 1575} 1576void freeMemory() { 1577 while (_nVectorSegments) { 1578 poolFreeC(_vectorSegments[_nVectorSegments++]); 1579 } 1580} 1581 1582// PR16730 1583void testReallocEscaped(void **memory) { 1584 *memory = malloc(47); 1585 char *new_memory = realloc(*memory, 47); 1586 if (new_memory != 0) { 1587 *memory = new_memory; 1588 } 1589} 1590 1591// PR16558 1592void *smallocNoWarn(size_t size) { 1593 if (size == 0) { 1594 return malloc(1); // this branch is never called 1595 } 1596 else { 1597 return malloc(size); 1598 } 1599} 1600 1601char *dupstrNoWarn(const char *s) { 1602 const int len = strlen(s); 1603 char *p = (char*) smallocNoWarn(len + 1); 1604 strcpy(p, s); // no-warning 1605 return p; 1606} 1607 1608void *smallocWarn(size_t size) { 1609 if (size == 2) { 1610 return malloc(1); 1611 } 1612 else { 1613 return malloc(size); 1614 } 1615} 1616 1617char *dupstrWarn(const char *s) { 1618 const int len = strlen(s); 1619 char *p = (char*) smallocWarn(len + 1); 1620 strcpy(p, s); // expected-warning{{String copy function overflows destination buffer}} 1621 return p; 1622} 1623 1624int *radar15580979() { 1625 int *data = (int *)malloc(32); 1626 int *p = data ?: (int*)malloc(32); // no warning 1627 return p; 1628} 1629 1630// ---------------------------------------------------------------------------- 1631// False negatives. 1632 1633void testMallocWithParam(int **p) { 1634 *p = (int*) malloc(sizeof(int)); 1635 *p = 0; // FIXME: should warn here 1636} 1637 1638void testMallocWithParam_2(int **p) { 1639 *p = (int*) malloc(sizeof(int)); // no-warning 1640} 1641 1642void testPassToSystemHeaderFunctionIndirectly() { 1643 int *p = malloc(4); 1644 p++; 1645 fakeSystemHeaderCallInt(p); 1646 // FIXME: This is a leak: if we think a system function won't free p, it 1647 // won't free (p-1) either. 1648} 1649